1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Implementation of the security services. 4 * 5 * Authors : Stephen Smalley, <sds@tycho.nsa.gov> 6 * James Morris <jmorris@redhat.com> 7 * 8 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> 9 * 10 * Support for enhanced MLS infrastructure. 11 * Support for context based audit filters. 12 * 13 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> 14 * 15 * Added conditional policy language extensions 16 * 17 * Updated: Hewlett-Packard <paul@paul-moore.com> 18 * 19 * Added support for NetLabel 20 * Added support for the policy capability bitmap 21 * 22 * Updated: Chad Sellers <csellers@tresys.com> 23 * 24 * Added validation of kernel classes and permissions 25 * 26 * Updated: KaiGai Kohei <kaigai@ak.jp.nec.com> 27 * 28 * Added support for bounds domain and audit messaged on masked permissions 29 * 30 * Updated: Guido Trentalancia <guido@trentalancia.com> 31 * 32 * Added support for runtime switching of the policy type 33 * 34 * Copyright (C) 2008, 2009 NEC Corporation 35 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P. 36 * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc. 37 * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC 38 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> 39 */ 40 #include <linux/kernel.h> 41 #include <linux/slab.h> 42 #include <linux/string.h> 43 #include <linux/spinlock.h> 44 #include <linux/rcupdate.h> 45 #include <linux/errno.h> 46 #include <linux/in.h> 47 #include <linux/sched.h> 48 #include <linux/audit.h> 49 #include <linux/mutex.h> 50 #include <linux/vmalloc.h> 51 #include <net/netlabel.h> 52 53 #include "flask.h" 54 #include "avc.h" 55 #include "avc_ss.h" 56 #include "security.h" 57 #include "context.h" 58 #include "policydb.h" 59 #include "sidtab.h" 60 #include "services.h" 61 #include "conditional.h" 62 #include "mls.h" 63 #include "objsec.h" 64 #include "netlabel.h" 65 #include "xfrm.h" 66 #include "ebitmap.h" 67 #include "audit.h" 68 69 /* Policy capability names */ 70 const char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX] = { 71 "network_peer_controls", 72 "open_perms", 73 "extended_socket_class", 74 "always_check_network", 75 "cgroup_seclabel", 76 "nnp_nosuid_transition" 77 }; 78 79 static struct selinux_ss selinux_ss; 80 81 void selinux_ss_init(struct selinux_ss **ss) 82 { 83 rwlock_init(&selinux_ss.policy_rwlock); 84 mutex_init(&selinux_ss.status_lock); 85 *ss = &selinux_ss; 86 } 87 88 /* Forward declaration. */ 89 static int context_struct_to_string(struct policydb *policydb, 90 struct context *context, 91 char **scontext, 92 u32 *scontext_len); 93 94 static void context_struct_compute_av(struct policydb *policydb, 95 struct context *scontext, 96 struct context *tcontext, 97 u16 tclass, 98 struct av_decision *avd, 99 struct extended_perms *xperms); 100 101 static int selinux_set_mapping(struct policydb *pol, 102 struct security_class_mapping *map, 103 struct selinux_map *out_map) 104 { 105 u16 i, j; 106 unsigned k; 107 bool print_unknown_handle = false; 108 109 /* Find number of classes in the input mapping */ 110 if (!map) 111 return -EINVAL; 112 i = 0; 113 while (map[i].name) 114 i++; 115 116 /* Allocate space for the class records, plus one for class zero */ 117 out_map->mapping = kcalloc(++i, sizeof(*out_map->mapping), GFP_ATOMIC); 118 if (!out_map->mapping) 119 return -ENOMEM; 120 121 /* Store the raw class and permission values */ 122 j = 0; 123 while (map[j].name) { 124 struct security_class_mapping *p_in = map + (j++); 125 struct selinux_mapping *p_out = out_map->mapping + j; 126 127 /* An empty class string skips ahead */ 128 if (!strcmp(p_in->name, "")) { 129 p_out->num_perms = 0; 130 continue; 131 } 132 133 p_out->value = string_to_security_class(pol, p_in->name); 134 if (!p_out->value) { 135 pr_info("SELinux: Class %s not defined in policy.\n", 136 p_in->name); 137 if (pol->reject_unknown) 138 goto err; 139 p_out->num_perms = 0; 140 print_unknown_handle = true; 141 continue; 142 } 143 144 k = 0; 145 while (p_in->perms[k]) { 146 /* An empty permission string skips ahead */ 147 if (!*p_in->perms[k]) { 148 k++; 149 continue; 150 } 151 p_out->perms[k] = string_to_av_perm(pol, p_out->value, 152 p_in->perms[k]); 153 if (!p_out->perms[k]) { 154 pr_info("SELinux: Permission %s in class %s not defined in policy.\n", 155 p_in->perms[k], p_in->name); 156 if (pol->reject_unknown) 157 goto err; 158 print_unknown_handle = true; 159 } 160 161 k++; 162 } 163 p_out->num_perms = k; 164 } 165 166 if (print_unknown_handle) 167 pr_info("SELinux: the above unknown classes and permissions will be %s\n", 168 pol->allow_unknown ? "allowed" : "denied"); 169 170 out_map->size = i; 171 return 0; 172 err: 173 kfree(out_map->mapping); 174 out_map->mapping = NULL; 175 return -EINVAL; 176 } 177 178 /* 179 * Get real, policy values from mapped values 180 */ 181 182 static u16 unmap_class(struct selinux_map *map, u16 tclass) 183 { 184 if (tclass < map->size) 185 return map->mapping[tclass].value; 186 187 return tclass; 188 } 189 190 /* 191 * Get kernel value for class from its policy value 192 */ 193 static u16 map_class(struct selinux_map *map, u16 pol_value) 194 { 195 u16 i; 196 197 for (i = 1; i < map->size; i++) { 198 if (map->mapping[i].value == pol_value) 199 return i; 200 } 201 202 return SECCLASS_NULL; 203 } 204 205 static void map_decision(struct selinux_map *map, 206 u16 tclass, struct av_decision *avd, 207 int allow_unknown) 208 { 209 if (tclass < map->size) { 210 struct selinux_mapping *mapping = &map->mapping[tclass]; 211 unsigned int i, n = mapping->num_perms; 212 u32 result; 213 214 for (i = 0, result = 0; i < n; i++) { 215 if (avd->allowed & mapping->perms[i]) 216 result |= 1<<i; 217 if (allow_unknown && !mapping->perms[i]) 218 result |= 1<<i; 219 } 220 avd->allowed = result; 221 222 for (i = 0, result = 0; i < n; i++) 223 if (avd->auditallow & mapping->perms[i]) 224 result |= 1<<i; 225 avd->auditallow = result; 226 227 for (i = 0, result = 0; i < n; i++) { 228 if (avd->auditdeny & mapping->perms[i]) 229 result |= 1<<i; 230 if (!allow_unknown && !mapping->perms[i]) 231 result |= 1<<i; 232 } 233 /* 234 * In case the kernel has a bug and requests a permission 235 * between num_perms and the maximum permission number, we 236 * should audit that denial 237 */ 238 for (; i < (sizeof(u32)*8); i++) 239 result |= 1<<i; 240 avd->auditdeny = result; 241 } 242 } 243 244 int security_mls_enabled(struct selinux_state *state) 245 { 246 struct policydb *p = &state->ss->policydb; 247 248 return p->mls_enabled; 249 } 250 251 /* 252 * Return the boolean value of a constraint expression 253 * when it is applied to the specified source and target 254 * security contexts. 255 * 256 * xcontext is a special beast... It is used by the validatetrans rules 257 * only. For these rules, scontext is the context before the transition, 258 * tcontext is the context after the transition, and xcontext is the context 259 * of the process performing the transition. All other callers of 260 * constraint_expr_eval should pass in NULL for xcontext. 261 */ 262 static int constraint_expr_eval(struct policydb *policydb, 263 struct context *scontext, 264 struct context *tcontext, 265 struct context *xcontext, 266 struct constraint_expr *cexpr) 267 { 268 u32 val1, val2; 269 struct context *c; 270 struct role_datum *r1, *r2; 271 struct mls_level *l1, *l2; 272 struct constraint_expr *e; 273 int s[CEXPR_MAXDEPTH]; 274 int sp = -1; 275 276 for (e = cexpr; e; e = e->next) { 277 switch (e->expr_type) { 278 case CEXPR_NOT: 279 BUG_ON(sp < 0); 280 s[sp] = !s[sp]; 281 break; 282 case CEXPR_AND: 283 BUG_ON(sp < 1); 284 sp--; 285 s[sp] &= s[sp + 1]; 286 break; 287 case CEXPR_OR: 288 BUG_ON(sp < 1); 289 sp--; 290 s[sp] |= s[sp + 1]; 291 break; 292 case CEXPR_ATTR: 293 if (sp == (CEXPR_MAXDEPTH - 1)) 294 return 0; 295 switch (e->attr) { 296 case CEXPR_USER: 297 val1 = scontext->user; 298 val2 = tcontext->user; 299 break; 300 case CEXPR_TYPE: 301 val1 = scontext->type; 302 val2 = tcontext->type; 303 break; 304 case CEXPR_ROLE: 305 val1 = scontext->role; 306 val2 = tcontext->role; 307 r1 = policydb->role_val_to_struct[val1 - 1]; 308 r2 = policydb->role_val_to_struct[val2 - 1]; 309 switch (e->op) { 310 case CEXPR_DOM: 311 s[++sp] = ebitmap_get_bit(&r1->dominates, 312 val2 - 1); 313 continue; 314 case CEXPR_DOMBY: 315 s[++sp] = ebitmap_get_bit(&r2->dominates, 316 val1 - 1); 317 continue; 318 case CEXPR_INCOMP: 319 s[++sp] = (!ebitmap_get_bit(&r1->dominates, 320 val2 - 1) && 321 !ebitmap_get_bit(&r2->dominates, 322 val1 - 1)); 323 continue; 324 default: 325 break; 326 } 327 break; 328 case CEXPR_L1L2: 329 l1 = &(scontext->range.level[0]); 330 l2 = &(tcontext->range.level[0]); 331 goto mls_ops; 332 case CEXPR_L1H2: 333 l1 = &(scontext->range.level[0]); 334 l2 = &(tcontext->range.level[1]); 335 goto mls_ops; 336 case CEXPR_H1L2: 337 l1 = &(scontext->range.level[1]); 338 l2 = &(tcontext->range.level[0]); 339 goto mls_ops; 340 case CEXPR_H1H2: 341 l1 = &(scontext->range.level[1]); 342 l2 = &(tcontext->range.level[1]); 343 goto mls_ops; 344 case CEXPR_L1H1: 345 l1 = &(scontext->range.level[0]); 346 l2 = &(scontext->range.level[1]); 347 goto mls_ops; 348 case CEXPR_L2H2: 349 l1 = &(tcontext->range.level[0]); 350 l2 = &(tcontext->range.level[1]); 351 goto mls_ops; 352 mls_ops: 353 switch (e->op) { 354 case CEXPR_EQ: 355 s[++sp] = mls_level_eq(l1, l2); 356 continue; 357 case CEXPR_NEQ: 358 s[++sp] = !mls_level_eq(l1, l2); 359 continue; 360 case CEXPR_DOM: 361 s[++sp] = mls_level_dom(l1, l2); 362 continue; 363 case CEXPR_DOMBY: 364 s[++sp] = mls_level_dom(l2, l1); 365 continue; 366 case CEXPR_INCOMP: 367 s[++sp] = mls_level_incomp(l2, l1); 368 continue; 369 default: 370 BUG(); 371 return 0; 372 } 373 break; 374 default: 375 BUG(); 376 return 0; 377 } 378 379 switch (e->op) { 380 case CEXPR_EQ: 381 s[++sp] = (val1 == val2); 382 break; 383 case CEXPR_NEQ: 384 s[++sp] = (val1 != val2); 385 break; 386 default: 387 BUG(); 388 return 0; 389 } 390 break; 391 case CEXPR_NAMES: 392 if (sp == (CEXPR_MAXDEPTH-1)) 393 return 0; 394 c = scontext; 395 if (e->attr & CEXPR_TARGET) 396 c = tcontext; 397 else if (e->attr & CEXPR_XTARGET) { 398 c = xcontext; 399 if (!c) { 400 BUG(); 401 return 0; 402 } 403 } 404 if (e->attr & CEXPR_USER) 405 val1 = c->user; 406 else if (e->attr & CEXPR_ROLE) 407 val1 = c->role; 408 else if (e->attr & CEXPR_TYPE) 409 val1 = c->type; 410 else { 411 BUG(); 412 return 0; 413 } 414 415 switch (e->op) { 416 case CEXPR_EQ: 417 s[++sp] = ebitmap_get_bit(&e->names, val1 - 1); 418 break; 419 case CEXPR_NEQ: 420 s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1); 421 break; 422 default: 423 BUG(); 424 return 0; 425 } 426 break; 427 default: 428 BUG(); 429 return 0; 430 } 431 } 432 433 BUG_ON(sp != 0); 434 return s[0]; 435 } 436 437 /* 438 * security_dump_masked_av - dumps masked permissions during 439 * security_compute_av due to RBAC, MLS/Constraint and Type bounds. 440 */ 441 static int dump_masked_av_helper(void *k, void *d, void *args) 442 { 443 struct perm_datum *pdatum = d; 444 char **permission_names = args; 445 446 BUG_ON(pdatum->value < 1 || pdatum->value > 32); 447 448 permission_names[pdatum->value - 1] = (char *)k; 449 450 return 0; 451 } 452 453 static void security_dump_masked_av(struct policydb *policydb, 454 struct context *scontext, 455 struct context *tcontext, 456 u16 tclass, 457 u32 permissions, 458 const char *reason) 459 { 460 struct common_datum *common_dat; 461 struct class_datum *tclass_dat; 462 struct audit_buffer *ab; 463 char *tclass_name; 464 char *scontext_name = NULL; 465 char *tcontext_name = NULL; 466 char *permission_names[32]; 467 int index; 468 u32 length; 469 bool need_comma = false; 470 471 if (!permissions) 472 return; 473 474 tclass_name = sym_name(policydb, SYM_CLASSES, tclass - 1); 475 tclass_dat = policydb->class_val_to_struct[tclass - 1]; 476 common_dat = tclass_dat->comdatum; 477 478 /* init permission_names */ 479 if (common_dat && 480 hashtab_map(common_dat->permissions.table, 481 dump_masked_av_helper, permission_names) < 0) 482 goto out; 483 484 if (hashtab_map(tclass_dat->permissions.table, 485 dump_masked_av_helper, permission_names) < 0) 486 goto out; 487 488 /* get scontext/tcontext in text form */ 489 if (context_struct_to_string(policydb, scontext, 490 &scontext_name, &length) < 0) 491 goto out; 492 493 if (context_struct_to_string(policydb, tcontext, 494 &tcontext_name, &length) < 0) 495 goto out; 496 497 /* audit a message */ 498 ab = audit_log_start(audit_context(), 499 GFP_ATOMIC, AUDIT_SELINUX_ERR); 500 if (!ab) 501 goto out; 502 503 audit_log_format(ab, "op=security_compute_av reason=%s " 504 "scontext=%s tcontext=%s tclass=%s perms=", 505 reason, scontext_name, tcontext_name, tclass_name); 506 507 for (index = 0; index < 32; index++) { 508 u32 mask = (1 << index); 509 510 if ((mask & permissions) == 0) 511 continue; 512 513 audit_log_format(ab, "%s%s", 514 need_comma ? "," : "", 515 permission_names[index] 516 ? permission_names[index] : "????"); 517 need_comma = true; 518 } 519 audit_log_end(ab); 520 out: 521 /* release scontext/tcontext */ 522 kfree(tcontext_name); 523 kfree(scontext_name); 524 525 return; 526 } 527 528 /* 529 * security_boundary_permission - drops violated permissions 530 * on boundary constraint. 531 */ 532 static void type_attribute_bounds_av(struct policydb *policydb, 533 struct context *scontext, 534 struct context *tcontext, 535 u16 tclass, 536 struct av_decision *avd) 537 { 538 struct context lo_scontext; 539 struct context lo_tcontext, *tcontextp = tcontext; 540 struct av_decision lo_avd; 541 struct type_datum *source; 542 struct type_datum *target; 543 u32 masked = 0; 544 545 source = policydb->type_val_to_struct[scontext->type - 1]; 546 BUG_ON(!source); 547 548 if (!source->bounds) 549 return; 550 551 target = policydb->type_val_to_struct[tcontext->type - 1]; 552 BUG_ON(!target); 553 554 memset(&lo_avd, 0, sizeof(lo_avd)); 555 556 memcpy(&lo_scontext, scontext, sizeof(lo_scontext)); 557 lo_scontext.type = source->bounds; 558 559 if (target->bounds) { 560 memcpy(&lo_tcontext, tcontext, sizeof(lo_tcontext)); 561 lo_tcontext.type = target->bounds; 562 tcontextp = &lo_tcontext; 563 } 564 565 context_struct_compute_av(policydb, &lo_scontext, 566 tcontextp, 567 tclass, 568 &lo_avd, 569 NULL); 570 571 masked = ~lo_avd.allowed & avd->allowed; 572 573 if (likely(!masked)) 574 return; /* no masked permission */ 575 576 /* mask violated permissions */ 577 avd->allowed &= ~masked; 578 579 /* audit masked permissions */ 580 security_dump_masked_av(policydb, scontext, tcontext, 581 tclass, masked, "bounds"); 582 } 583 584 /* 585 * flag which drivers have permissions 586 * only looking for ioctl based extended permssions 587 */ 588 void services_compute_xperms_drivers( 589 struct extended_perms *xperms, 590 struct avtab_node *node) 591 { 592 unsigned int i; 593 594 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) { 595 /* if one or more driver has all permissions allowed */ 596 for (i = 0; i < ARRAY_SIZE(xperms->drivers.p); i++) 597 xperms->drivers.p[i] |= node->datum.u.xperms->perms.p[i]; 598 } else if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) { 599 /* if allowing permissions within a driver */ 600 security_xperm_set(xperms->drivers.p, 601 node->datum.u.xperms->driver); 602 } 603 604 /* If no ioctl commands are allowed, ignore auditallow and auditdeny */ 605 if (node->key.specified & AVTAB_XPERMS_ALLOWED) 606 xperms->len = 1; 607 } 608 609 /* 610 * Compute access vectors and extended permissions based on a context 611 * structure pair for the permissions in a particular class. 612 */ 613 static void context_struct_compute_av(struct policydb *policydb, 614 struct context *scontext, 615 struct context *tcontext, 616 u16 tclass, 617 struct av_decision *avd, 618 struct extended_perms *xperms) 619 { 620 struct constraint_node *constraint; 621 struct role_allow *ra; 622 struct avtab_key avkey; 623 struct avtab_node *node; 624 struct class_datum *tclass_datum; 625 struct ebitmap *sattr, *tattr; 626 struct ebitmap_node *snode, *tnode; 627 unsigned int i, j; 628 629 avd->allowed = 0; 630 avd->auditallow = 0; 631 avd->auditdeny = 0xffffffff; 632 if (xperms) { 633 memset(&xperms->drivers, 0, sizeof(xperms->drivers)); 634 xperms->len = 0; 635 } 636 637 if (unlikely(!tclass || tclass > policydb->p_classes.nprim)) { 638 if (printk_ratelimit()) 639 pr_warn("SELinux: Invalid class %hu\n", tclass); 640 return; 641 } 642 643 tclass_datum = policydb->class_val_to_struct[tclass - 1]; 644 645 /* 646 * If a specific type enforcement rule was defined for 647 * this permission check, then use it. 648 */ 649 avkey.target_class = tclass; 650 avkey.specified = AVTAB_AV | AVTAB_XPERMS; 651 sattr = &policydb->type_attr_map_array[scontext->type - 1]; 652 tattr = &policydb->type_attr_map_array[tcontext->type - 1]; 653 ebitmap_for_each_positive_bit(sattr, snode, i) { 654 ebitmap_for_each_positive_bit(tattr, tnode, j) { 655 avkey.source_type = i + 1; 656 avkey.target_type = j + 1; 657 for (node = avtab_search_node(&policydb->te_avtab, 658 &avkey); 659 node; 660 node = avtab_search_node_next(node, avkey.specified)) { 661 if (node->key.specified == AVTAB_ALLOWED) 662 avd->allowed |= node->datum.u.data; 663 else if (node->key.specified == AVTAB_AUDITALLOW) 664 avd->auditallow |= node->datum.u.data; 665 else if (node->key.specified == AVTAB_AUDITDENY) 666 avd->auditdeny &= node->datum.u.data; 667 else if (xperms && (node->key.specified & AVTAB_XPERMS)) 668 services_compute_xperms_drivers(xperms, node); 669 } 670 671 /* Check conditional av table for additional permissions */ 672 cond_compute_av(&policydb->te_cond_avtab, &avkey, 673 avd, xperms); 674 675 } 676 } 677 678 /* 679 * Remove any permissions prohibited by a constraint (this includes 680 * the MLS policy). 681 */ 682 constraint = tclass_datum->constraints; 683 while (constraint) { 684 if ((constraint->permissions & (avd->allowed)) && 685 !constraint_expr_eval(policydb, scontext, tcontext, NULL, 686 constraint->expr)) { 687 avd->allowed &= ~(constraint->permissions); 688 } 689 constraint = constraint->next; 690 } 691 692 /* 693 * If checking process transition permission and the 694 * role is changing, then check the (current_role, new_role) 695 * pair. 696 */ 697 if (tclass == policydb->process_class && 698 (avd->allowed & policydb->process_trans_perms) && 699 scontext->role != tcontext->role) { 700 for (ra = policydb->role_allow; ra; ra = ra->next) { 701 if (scontext->role == ra->role && 702 tcontext->role == ra->new_role) 703 break; 704 } 705 if (!ra) 706 avd->allowed &= ~policydb->process_trans_perms; 707 } 708 709 /* 710 * If the given source and target types have boundary 711 * constraint, lazy checks have to mask any violated 712 * permission and notice it to userspace via audit. 713 */ 714 type_attribute_bounds_av(policydb, scontext, tcontext, 715 tclass, avd); 716 } 717 718 static int security_validtrans_handle_fail(struct selinux_state *state, 719 struct context *ocontext, 720 struct context *ncontext, 721 struct context *tcontext, 722 u16 tclass) 723 { 724 struct policydb *p = &state->ss->policydb; 725 char *o = NULL, *n = NULL, *t = NULL; 726 u32 olen, nlen, tlen; 727 728 if (context_struct_to_string(p, ocontext, &o, &olen)) 729 goto out; 730 if (context_struct_to_string(p, ncontext, &n, &nlen)) 731 goto out; 732 if (context_struct_to_string(p, tcontext, &t, &tlen)) 733 goto out; 734 audit_log(audit_context(), GFP_ATOMIC, AUDIT_SELINUX_ERR, 735 "op=security_validate_transition seresult=denied" 736 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s", 737 o, n, t, sym_name(p, SYM_CLASSES, tclass-1)); 738 out: 739 kfree(o); 740 kfree(n); 741 kfree(t); 742 743 if (!enforcing_enabled(state)) 744 return 0; 745 return -EPERM; 746 } 747 748 static int security_compute_validatetrans(struct selinux_state *state, 749 u32 oldsid, u32 newsid, u32 tasksid, 750 u16 orig_tclass, bool user) 751 { 752 struct policydb *policydb; 753 struct sidtab *sidtab; 754 struct context *ocontext; 755 struct context *ncontext; 756 struct context *tcontext; 757 struct class_datum *tclass_datum; 758 struct constraint_node *constraint; 759 u16 tclass; 760 int rc = 0; 761 762 763 if (!state->initialized) 764 return 0; 765 766 read_lock(&state->ss->policy_rwlock); 767 768 policydb = &state->ss->policydb; 769 sidtab = state->ss->sidtab; 770 771 if (!user) 772 tclass = unmap_class(&state->ss->map, orig_tclass); 773 else 774 tclass = orig_tclass; 775 776 if (!tclass || tclass > policydb->p_classes.nprim) { 777 rc = -EINVAL; 778 goto out; 779 } 780 tclass_datum = policydb->class_val_to_struct[tclass - 1]; 781 782 ocontext = sidtab_search(sidtab, oldsid); 783 if (!ocontext) { 784 pr_err("SELinux: %s: unrecognized SID %d\n", 785 __func__, oldsid); 786 rc = -EINVAL; 787 goto out; 788 } 789 790 ncontext = sidtab_search(sidtab, newsid); 791 if (!ncontext) { 792 pr_err("SELinux: %s: unrecognized SID %d\n", 793 __func__, newsid); 794 rc = -EINVAL; 795 goto out; 796 } 797 798 tcontext = sidtab_search(sidtab, tasksid); 799 if (!tcontext) { 800 pr_err("SELinux: %s: unrecognized SID %d\n", 801 __func__, tasksid); 802 rc = -EINVAL; 803 goto out; 804 } 805 806 constraint = tclass_datum->validatetrans; 807 while (constraint) { 808 if (!constraint_expr_eval(policydb, ocontext, ncontext, 809 tcontext, constraint->expr)) { 810 if (user) 811 rc = -EPERM; 812 else 813 rc = security_validtrans_handle_fail(state, 814 ocontext, 815 ncontext, 816 tcontext, 817 tclass); 818 goto out; 819 } 820 constraint = constraint->next; 821 } 822 823 out: 824 read_unlock(&state->ss->policy_rwlock); 825 return rc; 826 } 827 828 int security_validate_transition_user(struct selinux_state *state, 829 u32 oldsid, u32 newsid, u32 tasksid, 830 u16 tclass) 831 { 832 return security_compute_validatetrans(state, oldsid, newsid, tasksid, 833 tclass, true); 834 } 835 836 int security_validate_transition(struct selinux_state *state, 837 u32 oldsid, u32 newsid, u32 tasksid, 838 u16 orig_tclass) 839 { 840 return security_compute_validatetrans(state, oldsid, newsid, tasksid, 841 orig_tclass, false); 842 } 843 844 /* 845 * security_bounded_transition - check whether the given 846 * transition is directed to bounded, or not. 847 * It returns 0, if @newsid is bounded by @oldsid. 848 * Otherwise, it returns error code. 849 * 850 * @oldsid : current security identifier 851 * @newsid : destinated security identifier 852 */ 853 int security_bounded_transition(struct selinux_state *state, 854 u32 old_sid, u32 new_sid) 855 { 856 struct policydb *policydb; 857 struct sidtab *sidtab; 858 struct context *old_context, *new_context; 859 struct type_datum *type; 860 int index; 861 int rc; 862 863 if (!state->initialized) 864 return 0; 865 866 read_lock(&state->ss->policy_rwlock); 867 868 policydb = &state->ss->policydb; 869 sidtab = state->ss->sidtab; 870 871 rc = -EINVAL; 872 old_context = sidtab_search(sidtab, old_sid); 873 if (!old_context) { 874 pr_err("SELinux: %s: unrecognized SID %u\n", 875 __func__, old_sid); 876 goto out; 877 } 878 879 rc = -EINVAL; 880 new_context = sidtab_search(sidtab, new_sid); 881 if (!new_context) { 882 pr_err("SELinux: %s: unrecognized SID %u\n", 883 __func__, new_sid); 884 goto out; 885 } 886 887 rc = 0; 888 /* type/domain unchanged */ 889 if (old_context->type == new_context->type) 890 goto out; 891 892 index = new_context->type; 893 while (true) { 894 type = policydb->type_val_to_struct[index - 1]; 895 BUG_ON(!type); 896 897 /* not bounded anymore */ 898 rc = -EPERM; 899 if (!type->bounds) 900 break; 901 902 /* @newsid is bounded by @oldsid */ 903 rc = 0; 904 if (type->bounds == old_context->type) 905 break; 906 907 index = type->bounds; 908 } 909 910 if (rc) { 911 char *old_name = NULL; 912 char *new_name = NULL; 913 u32 length; 914 915 if (!context_struct_to_string(policydb, old_context, 916 &old_name, &length) && 917 !context_struct_to_string(policydb, new_context, 918 &new_name, &length)) { 919 audit_log(audit_context(), 920 GFP_ATOMIC, AUDIT_SELINUX_ERR, 921 "op=security_bounded_transition " 922 "seresult=denied " 923 "oldcontext=%s newcontext=%s", 924 old_name, new_name); 925 } 926 kfree(new_name); 927 kfree(old_name); 928 } 929 out: 930 read_unlock(&state->ss->policy_rwlock); 931 932 return rc; 933 } 934 935 static void avd_init(struct selinux_state *state, struct av_decision *avd) 936 { 937 avd->allowed = 0; 938 avd->auditallow = 0; 939 avd->auditdeny = 0xffffffff; 940 avd->seqno = state->ss->latest_granting; 941 avd->flags = 0; 942 } 943 944 void services_compute_xperms_decision(struct extended_perms_decision *xpermd, 945 struct avtab_node *node) 946 { 947 unsigned int i; 948 949 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) { 950 if (xpermd->driver != node->datum.u.xperms->driver) 951 return; 952 } else if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) { 953 if (!security_xperm_test(node->datum.u.xperms->perms.p, 954 xpermd->driver)) 955 return; 956 } else { 957 BUG(); 958 } 959 960 if (node->key.specified == AVTAB_XPERMS_ALLOWED) { 961 xpermd->used |= XPERMS_ALLOWED; 962 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) { 963 memset(xpermd->allowed->p, 0xff, 964 sizeof(xpermd->allowed->p)); 965 } 966 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) { 967 for (i = 0; i < ARRAY_SIZE(xpermd->allowed->p); i++) 968 xpermd->allowed->p[i] |= 969 node->datum.u.xperms->perms.p[i]; 970 } 971 } else if (node->key.specified == AVTAB_XPERMS_AUDITALLOW) { 972 xpermd->used |= XPERMS_AUDITALLOW; 973 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) { 974 memset(xpermd->auditallow->p, 0xff, 975 sizeof(xpermd->auditallow->p)); 976 } 977 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) { 978 for (i = 0; i < ARRAY_SIZE(xpermd->auditallow->p); i++) 979 xpermd->auditallow->p[i] |= 980 node->datum.u.xperms->perms.p[i]; 981 } 982 } else if (node->key.specified == AVTAB_XPERMS_DONTAUDIT) { 983 xpermd->used |= XPERMS_DONTAUDIT; 984 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) { 985 memset(xpermd->dontaudit->p, 0xff, 986 sizeof(xpermd->dontaudit->p)); 987 } 988 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) { 989 for (i = 0; i < ARRAY_SIZE(xpermd->dontaudit->p); i++) 990 xpermd->dontaudit->p[i] |= 991 node->datum.u.xperms->perms.p[i]; 992 } 993 } else { 994 BUG(); 995 } 996 } 997 998 void security_compute_xperms_decision(struct selinux_state *state, 999 u32 ssid, 1000 u32 tsid, 1001 u16 orig_tclass, 1002 u8 driver, 1003 struct extended_perms_decision *xpermd) 1004 { 1005 struct policydb *policydb; 1006 struct sidtab *sidtab; 1007 u16 tclass; 1008 struct context *scontext, *tcontext; 1009 struct avtab_key avkey; 1010 struct avtab_node *node; 1011 struct ebitmap *sattr, *tattr; 1012 struct ebitmap_node *snode, *tnode; 1013 unsigned int i, j; 1014 1015 xpermd->driver = driver; 1016 xpermd->used = 0; 1017 memset(xpermd->allowed->p, 0, sizeof(xpermd->allowed->p)); 1018 memset(xpermd->auditallow->p, 0, sizeof(xpermd->auditallow->p)); 1019 memset(xpermd->dontaudit->p, 0, sizeof(xpermd->dontaudit->p)); 1020 1021 read_lock(&state->ss->policy_rwlock); 1022 if (!state->initialized) 1023 goto allow; 1024 1025 policydb = &state->ss->policydb; 1026 sidtab = state->ss->sidtab; 1027 1028 scontext = sidtab_search(sidtab, ssid); 1029 if (!scontext) { 1030 pr_err("SELinux: %s: unrecognized SID %d\n", 1031 __func__, ssid); 1032 goto out; 1033 } 1034 1035 tcontext = sidtab_search(sidtab, tsid); 1036 if (!tcontext) { 1037 pr_err("SELinux: %s: unrecognized SID %d\n", 1038 __func__, tsid); 1039 goto out; 1040 } 1041 1042 tclass = unmap_class(&state->ss->map, orig_tclass); 1043 if (unlikely(orig_tclass && !tclass)) { 1044 if (policydb->allow_unknown) 1045 goto allow; 1046 goto out; 1047 } 1048 1049 1050 if (unlikely(!tclass || tclass > policydb->p_classes.nprim)) { 1051 pr_warn_ratelimited("SELinux: Invalid class %hu\n", tclass); 1052 goto out; 1053 } 1054 1055 avkey.target_class = tclass; 1056 avkey.specified = AVTAB_XPERMS; 1057 sattr = &policydb->type_attr_map_array[scontext->type - 1]; 1058 tattr = &policydb->type_attr_map_array[tcontext->type - 1]; 1059 ebitmap_for_each_positive_bit(sattr, snode, i) { 1060 ebitmap_for_each_positive_bit(tattr, tnode, j) { 1061 avkey.source_type = i + 1; 1062 avkey.target_type = j + 1; 1063 for (node = avtab_search_node(&policydb->te_avtab, 1064 &avkey); 1065 node; 1066 node = avtab_search_node_next(node, avkey.specified)) 1067 services_compute_xperms_decision(xpermd, node); 1068 1069 cond_compute_xperms(&policydb->te_cond_avtab, 1070 &avkey, xpermd); 1071 } 1072 } 1073 out: 1074 read_unlock(&state->ss->policy_rwlock); 1075 return; 1076 allow: 1077 memset(xpermd->allowed->p, 0xff, sizeof(xpermd->allowed->p)); 1078 goto out; 1079 } 1080 1081 /** 1082 * security_compute_av - Compute access vector decisions. 1083 * @ssid: source security identifier 1084 * @tsid: target security identifier 1085 * @tclass: target security class 1086 * @avd: access vector decisions 1087 * @xperms: extended permissions 1088 * 1089 * Compute a set of access vector decisions based on the 1090 * SID pair (@ssid, @tsid) for the permissions in @tclass. 1091 */ 1092 void security_compute_av(struct selinux_state *state, 1093 u32 ssid, 1094 u32 tsid, 1095 u16 orig_tclass, 1096 struct av_decision *avd, 1097 struct extended_perms *xperms) 1098 { 1099 struct policydb *policydb; 1100 struct sidtab *sidtab; 1101 u16 tclass; 1102 struct context *scontext = NULL, *tcontext = NULL; 1103 1104 read_lock(&state->ss->policy_rwlock); 1105 avd_init(state, avd); 1106 xperms->len = 0; 1107 if (!state->initialized) 1108 goto allow; 1109 1110 policydb = &state->ss->policydb; 1111 sidtab = state->ss->sidtab; 1112 1113 scontext = sidtab_search(sidtab, ssid); 1114 if (!scontext) { 1115 pr_err("SELinux: %s: unrecognized SID %d\n", 1116 __func__, ssid); 1117 goto out; 1118 } 1119 1120 /* permissive domain? */ 1121 if (ebitmap_get_bit(&policydb->permissive_map, scontext->type)) 1122 avd->flags |= AVD_FLAGS_PERMISSIVE; 1123 1124 tcontext = sidtab_search(sidtab, tsid); 1125 if (!tcontext) { 1126 pr_err("SELinux: %s: unrecognized SID %d\n", 1127 __func__, tsid); 1128 goto out; 1129 } 1130 1131 tclass = unmap_class(&state->ss->map, orig_tclass); 1132 if (unlikely(orig_tclass && !tclass)) { 1133 if (policydb->allow_unknown) 1134 goto allow; 1135 goto out; 1136 } 1137 context_struct_compute_av(policydb, scontext, tcontext, tclass, avd, 1138 xperms); 1139 map_decision(&state->ss->map, orig_tclass, avd, 1140 policydb->allow_unknown); 1141 out: 1142 read_unlock(&state->ss->policy_rwlock); 1143 return; 1144 allow: 1145 avd->allowed = 0xffffffff; 1146 goto out; 1147 } 1148 1149 void security_compute_av_user(struct selinux_state *state, 1150 u32 ssid, 1151 u32 tsid, 1152 u16 tclass, 1153 struct av_decision *avd) 1154 { 1155 struct policydb *policydb; 1156 struct sidtab *sidtab; 1157 struct context *scontext = NULL, *tcontext = NULL; 1158 1159 read_lock(&state->ss->policy_rwlock); 1160 avd_init(state, avd); 1161 if (!state->initialized) 1162 goto allow; 1163 1164 policydb = &state->ss->policydb; 1165 sidtab = state->ss->sidtab; 1166 1167 scontext = sidtab_search(sidtab, ssid); 1168 if (!scontext) { 1169 pr_err("SELinux: %s: unrecognized SID %d\n", 1170 __func__, ssid); 1171 goto out; 1172 } 1173 1174 /* permissive domain? */ 1175 if (ebitmap_get_bit(&policydb->permissive_map, scontext->type)) 1176 avd->flags |= AVD_FLAGS_PERMISSIVE; 1177 1178 tcontext = sidtab_search(sidtab, tsid); 1179 if (!tcontext) { 1180 pr_err("SELinux: %s: unrecognized SID %d\n", 1181 __func__, tsid); 1182 goto out; 1183 } 1184 1185 if (unlikely(!tclass)) { 1186 if (policydb->allow_unknown) 1187 goto allow; 1188 goto out; 1189 } 1190 1191 context_struct_compute_av(policydb, scontext, tcontext, tclass, avd, 1192 NULL); 1193 out: 1194 read_unlock(&state->ss->policy_rwlock); 1195 return; 1196 allow: 1197 avd->allowed = 0xffffffff; 1198 goto out; 1199 } 1200 1201 /* 1202 * Write the security context string representation of 1203 * the context structure `context' into a dynamically 1204 * allocated string of the correct size. Set `*scontext' 1205 * to point to this string and set `*scontext_len' to 1206 * the length of the string. 1207 */ 1208 static int context_struct_to_string(struct policydb *p, 1209 struct context *context, 1210 char **scontext, u32 *scontext_len) 1211 { 1212 char *scontextp; 1213 1214 if (scontext) 1215 *scontext = NULL; 1216 *scontext_len = 0; 1217 1218 if (context->len) { 1219 *scontext_len = context->len; 1220 if (scontext) { 1221 *scontext = kstrdup(context->str, GFP_ATOMIC); 1222 if (!(*scontext)) 1223 return -ENOMEM; 1224 } 1225 return 0; 1226 } 1227 1228 /* Compute the size of the context. */ 1229 *scontext_len += strlen(sym_name(p, SYM_USERS, context->user - 1)) + 1; 1230 *scontext_len += strlen(sym_name(p, SYM_ROLES, context->role - 1)) + 1; 1231 *scontext_len += strlen(sym_name(p, SYM_TYPES, context->type - 1)) + 1; 1232 *scontext_len += mls_compute_context_len(p, context); 1233 1234 if (!scontext) 1235 return 0; 1236 1237 /* Allocate space for the context; caller must free this space. */ 1238 scontextp = kmalloc(*scontext_len, GFP_ATOMIC); 1239 if (!scontextp) 1240 return -ENOMEM; 1241 *scontext = scontextp; 1242 1243 /* 1244 * Copy the user name, role name and type name into the context. 1245 */ 1246 scontextp += sprintf(scontextp, "%s:%s:%s", 1247 sym_name(p, SYM_USERS, context->user - 1), 1248 sym_name(p, SYM_ROLES, context->role - 1), 1249 sym_name(p, SYM_TYPES, context->type - 1)); 1250 1251 mls_sid_to_context(p, context, &scontextp); 1252 1253 *scontextp = 0; 1254 1255 return 0; 1256 } 1257 1258 #include "initial_sid_to_string.h" 1259 1260 const char *security_get_initial_sid_context(u32 sid) 1261 { 1262 if (unlikely(sid > SECINITSID_NUM)) 1263 return NULL; 1264 return initial_sid_to_string[sid]; 1265 } 1266 1267 static int security_sid_to_context_core(struct selinux_state *state, 1268 u32 sid, char **scontext, 1269 u32 *scontext_len, int force, 1270 int only_invalid) 1271 { 1272 struct policydb *policydb; 1273 struct sidtab *sidtab; 1274 struct context *context; 1275 int rc = 0; 1276 1277 if (scontext) 1278 *scontext = NULL; 1279 *scontext_len = 0; 1280 1281 if (!state->initialized) { 1282 if (sid <= SECINITSID_NUM) { 1283 char *scontextp; 1284 1285 *scontext_len = strlen(initial_sid_to_string[sid]) + 1; 1286 if (!scontext) 1287 goto out; 1288 scontextp = kmemdup(initial_sid_to_string[sid], 1289 *scontext_len, GFP_ATOMIC); 1290 if (!scontextp) { 1291 rc = -ENOMEM; 1292 goto out; 1293 } 1294 *scontext = scontextp; 1295 goto out; 1296 } 1297 pr_err("SELinux: %s: called before initial " 1298 "load_policy on unknown SID %d\n", __func__, sid); 1299 rc = -EINVAL; 1300 goto out; 1301 } 1302 read_lock(&state->ss->policy_rwlock); 1303 policydb = &state->ss->policydb; 1304 sidtab = state->ss->sidtab; 1305 if (force) 1306 context = sidtab_search_force(sidtab, sid); 1307 else 1308 context = sidtab_search(sidtab, sid); 1309 if (!context) { 1310 pr_err("SELinux: %s: unrecognized SID %d\n", 1311 __func__, sid); 1312 rc = -EINVAL; 1313 goto out_unlock; 1314 } 1315 if (only_invalid && !context->len) 1316 rc = 0; 1317 else 1318 rc = context_struct_to_string(policydb, context, scontext, 1319 scontext_len); 1320 out_unlock: 1321 read_unlock(&state->ss->policy_rwlock); 1322 out: 1323 return rc; 1324 1325 } 1326 1327 /** 1328 * security_sid_to_context - Obtain a context for a given SID. 1329 * @sid: security identifier, SID 1330 * @scontext: security context 1331 * @scontext_len: length in bytes 1332 * 1333 * Write the string representation of the context associated with @sid 1334 * into a dynamically allocated string of the correct size. Set @scontext 1335 * to point to this string and set @scontext_len to the length of the string. 1336 */ 1337 int security_sid_to_context(struct selinux_state *state, 1338 u32 sid, char **scontext, u32 *scontext_len) 1339 { 1340 return security_sid_to_context_core(state, sid, scontext, 1341 scontext_len, 0, 0); 1342 } 1343 1344 int security_sid_to_context_force(struct selinux_state *state, u32 sid, 1345 char **scontext, u32 *scontext_len) 1346 { 1347 return security_sid_to_context_core(state, sid, scontext, 1348 scontext_len, 1, 0); 1349 } 1350 1351 /** 1352 * security_sid_to_context_inval - Obtain a context for a given SID if it 1353 * is invalid. 1354 * @sid: security identifier, SID 1355 * @scontext: security context 1356 * @scontext_len: length in bytes 1357 * 1358 * Write the string representation of the context associated with @sid 1359 * into a dynamically allocated string of the correct size, but only if the 1360 * context is invalid in the current policy. Set @scontext to point to 1361 * this string (or NULL if the context is valid) and set @scontext_len to 1362 * the length of the string (or 0 if the context is valid). 1363 */ 1364 int security_sid_to_context_inval(struct selinux_state *state, u32 sid, 1365 char **scontext, u32 *scontext_len) 1366 { 1367 return security_sid_to_context_core(state, sid, scontext, 1368 scontext_len, 1, 1); 1369 } 1370 1371 /* 1372 * Caveat: Mutates scontext. 1373 */ 1374 static int string_to_context_struct(struct policydb *pol, 1375 struct sidtab *sidtabp, 1376 char *scontext, 1377 struct context *ctx, 1378 u32 def_sid) 1379 { 1380 struct role_datum *role; 1381 struct type_datum *typdatum; 1382 struct user_datum *usrdatum; 1383 char *scontextp, *p, oldc; 1384 int rc = 0; 1385 1386 context_init(ctx); 1387 1388 /* Parse the security context. */ 1389 1390 rc = -EINVAL; 1391 scontextp = (char *) scontext; 1392 1393 /* Extract the user. */ 1394 p = scontextp; 1395 while (*p && *p != ':') 1396 p++; 1397 1398 if (*p == 0) 1399 goto out; 1400 1401 *p++ = 0; 1402 1403 usrdatum = hashtab_search(pol->p_users.table, scontextp); 1404 if (!usrdatum) 1405 goto out; 1406 1407 ctx->user = usrdatum->value; 1408 1409 /* Extract role. */ 1410 scontextp = p; 1411 while (*p && *p != ':') 1412 p++; 1413 1414 if (*p == 0) 1415 goto out; 1416 1417 *p++ = 0; 1418 1419 role = hashtab_search(pol->p_roles.table, scontextp); 1420 if (!role) 1421 goto out; 1422 ctx->role = role->value; 1423 1424 /* Extract type. */ 1425 scontextp = p; 1426 while (*p && *p != ':') 1427 p++; 1428 oldc = *p; 1429 *p++ = 0; 1430 1431 typdatum = hashtab_search(pol->p_types.table, scontextp); 1432 if (!typdatum || typdatum->attribute) 1433 goto out; 1434 1435 ctx->type = typdatum->value; 1436 1437 rc = mls_context_to_sid(pol, oldc, p, ctx, sidtabp, def_sid); 1438 if (rc) 1439 goto out; 1440 1441 /* Check the validity of the new context. */ 1442 rc = -EINVAL; 1443 if (!policydb_context_isvalid(pol, ctx)) 1444 goto out; 1445 rc = 0; 1446 out: 1447 if (rc) 1448 context_destroy(ctx); 1449 return rc; 1450 } 1451 1452 static int security_context_to_sid_core(struct selinux_state *state, 1453 const char *scontext, u32 scontext_len, 1454 u32 *sid, u32 def_sid, gfp_t gfp_flags, 1455 int force) 1456 { 1457 struct policydb *policydb; 1458 struct sidtab *sidtab; 1459 char *scontext2, *str = NULL; 1460 struct context context; 1461 int rc = 0; 1462 1463 /* An empty security context is never valid. */ 1464 if (!scontext_len) 1465 return -EINVAL; 1466 1467 /* Copy the string to allow changes and ensure a NUL terminator */ 1468 scontext2 = kmemdup_nul(scontext, scontext_len, gfp_flags); 1469 if (!scontext2) 1470 return -ENOMEM; 1471 1472 if (!state->initialized) { 1473 int i; 1474 1475 for (i = 1; i < SECINITSID_NUM; i++) { 1476 if (!strcmp(initial_sid_to_string[i], scontext2)) { 1477 *sid = i; 1478 goto out; 1479 } 1480 } 1481 *sid = SECINITSID_KERNEL; 1482 goto out; 1483 } 1484 *sid = SECSID_NULL; 1485 1486 if (force) { 1487 /* Save another copy for storing in uninterpreted form */ 1488 rc = -ENOMEM; 1489 str = kstrdup(scontext2, gfp_flags); 1490 if (!str) 1491 goto out; 1492 } 1493 read_lock(&state->ss->policy_rwlock); 1494 policydb = &state->ss->policydb; 1495 sidtab = state->ss->sidtab; 1496 rc = string_to_context_struct(policydb, sidtab, scontext2, 1497 &context, def_sid); 1498 if (rc == -EINVAL && force) { 1499 context.str = str; 1500 context.len = strlen(str) + 1; 1501 str = NULL; 1502 } else if (rc) 1503 goto out_unlock; 1504 rc = sidtab_context_to_sid(sidtab, &context, sid); 1505 context_destroy(&context); 1506 out_unlock: 1507 read_unlock(&state->ss->policy_rwlock); 1508 out: 1509 kfree(scontext2); 1510 kfree(str); 1511 return rc; 1512 } 1513 1514 /** 1515 * security_context_to_sid - Obtain a SID for a given security context. 1516 * @scontext: security context 1517 * @scontext_len: length in bytes 1518 * @sid: security identifier, SID 1519 * @gfp: context for the allocation 1520 * 1521 * Obtains a SID associated with the security context that 1522 * has the string representation specified by @scontext. 1523 * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient 1524 * memory is available, or 0 on success. 1525 */ 1526 int security_context_to_sid(struct selinux_state *state, 1527 const char *scontext, u32 scontext_len, u32 *sid, 1528 gfp_t gfp) 1529 { 1530 return security_context_to_sid_core(state, scontext, scontext_len, 1531 sid, SECSID_NULL, gfp, 0); 1532 } 1533 1534 int security_context_str_to_sid(struct selinux_state *state, 1535 const char *scontext, u32 *sid, gfp_t gfp) 1536 { 1537 return security_context_to_sid(state, scontext, strlen(scontext), 1538 sid, gfp); 1539 } 1540 1541 /** 1542 * security_context_to_sid_default - Obtain a SID for a given security context, 1543 * falling back to specified default if needed. 1544 * 1545 * @scontext: security context 1546 * @scontext_len: length in bytes 1547 * @sid: security identifier, SID 1548 * @def_sid: default SID to assign on error 1549 * 1550 * Obtains a SID associated with the security context that 1551 * has the string representation specified by @scontext. 1552 * The default SID is passed to the MLS layer to be used to allow 1553 * kernel labeling of the MLS field if the MLS field is not present 1554 * (for upgrading to MLS without full relabel). 1555 * Implicitly forces adding of the context even if it cannot be mapped yet. 1556 * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient 1557 * memory is available, or 0 on success. 1558 */ 1559 int security_context_to_sid_default(struct selinux_state *state, 1560 const char *scontext, u32 scontext_len, 1561 u32 *sid, u32 def_sid, gfp_t gfp_flags) 1562 { 1563 return security_context_to_sid_core(state, scontext, scontext_len, 1564 sid, def_sid, gfp_flags, 1); 1565 } 1566 1567 int security_context_to_sid_force(struct selinux_state *state, 1568 const char *scontext, u32 scontext_len, 1569 u32 *sid) 1570 { 1571 return security_context_to_sid_core(state, scontext, scontext_len, 1572 sid, SECSID_NULL, GFP_KERNEL, 1); 1573 } 1574 1575 static int compute_sid_handle_invalid_context( 1576 struct selinux_state *state, 1577 struct context *scontext, 1578 struct context *tcontext, 1579 u16 tclass, 1580 struct context *newcontext) 1581 { 1582 struct policydb *policydb = &state->ss->policydb; 1583 char *s = NULL, *t = NULL, *n = NULL; 1584 u32 slen, tlen, nlen; 1585 struct audit_buffer *ab; 1586 1587 if (context_struct_to_string(policydb, scontext, &s, &slen)) 1588 goto out; 1589 if (context_struct_to_string(policydb, tcontext, &t, &tlen)) 1590 goto out; 1591 if (context_struct_to_string(policydb, newcontext, &n, &nlen)) 1592 goto out; 1593 ab = audit_log_start(audit_context(), GFP_ATOMIC, AUDIT_SELINUX_ERR); 1594 audit_log_format(ab, 1595 "op=security_compute_sid invalid_context="); 1596 /* no need to record the NUL with untrusted strings */ 1597 audit_log_n_untrustedstring(ab, n, nlen - 1); 1598 audit_log_format(ab, " scontext=%s tcontext=%s tclass=%s", 1599 s, t, sym_name(policydb, SYM_CLASSES, tclass-1)); 1600 audit_log_end(ab); 1601 out: 1602 kfree(s); 1603 kfree(t); 1604 kfree(n); 1605 if (!enforcing_enabled(state)) 1606 return 0; 1607 return -EACCES; 1608 } 1609 1610 static void filename_compute_type(struct policydb *policydb, 1611 struct context *newcontext, 1612 u32 stype, u32 ttype, u16 tclass, 1613 const char *objname) 1614 { 1615 struct filename_trans ft; 1616 struct filename_trans_datum *otype; 1617 1618 /* 1619 * Most filename trans rules are going to live in specific directories 1620 * like /dev or /var/run. This bitmap will quickly skip rule searches 1621 * if the ttype does not contain any rules. 1622 */ 1623 if (!ebitmap_get_bit(&policydb->filename_trans_ttypes, ttype)) 1624 return; 1625 1626 ft.stype = stype; 1627 ft.ttype = ttype; 1628 ft.tclass = tclass; 1629 ft.name = objname; 1630 1631 otype = hashtab_search(policydb->filename_trans, &ft); 1632 if (otype) 1633 newcontext->type = otype->otype; 1634 } 1635 1636 static int security_compute_sid(struct selinux_state *state, 1637 u32 ssid, 1638 u32 tsid, 1639 u16 orig_tclass, 1640 u32 specified, 1641 const char *objname, 1642 u32 *out_sid, 1643 bool kern) 1644 { 1645 struct policydb *policydb; 1646 struct sidtab *sidtab; 1647 struct class_datum *cladatum = NULL; 1648 struct context *scontext = NULL, *tcontext = NULL, newcontext; 1649 struct role_trans *roletr = NULL; 1650 struct avtab_key avkey; 1651 struct avtab_datum *avdatum; 1652 struct avtab_node *node; 1653 u16 tclass; 1654 int rc = 0; 1655 bool sock; 1656 1657 if (!state->initialized) { 1658 switch (orig_tclass) { 1659 case SECCLASS_PROCESS: /* kernel value */ 1660 *out_sid = ssid; 1661 break; 1662 default: 1663 *out_sid = tsid; 1664 break; 1665 } 1666 goto out; 1667 } 1668 1669 context_init(&newcontext); 1670 1671 read_lock(&state->ss->policy_rwlock); 1672 1673 if (kern) { 1674 tclass = unmap_class(&state->ss->map, orig_tclass); 1675 sock = security_is_socket_class(orig_tclass); 1676 } else { 1677 tclass = orig_tclass; 1678 sock = security_is_socket_class(map_class(&state->ss->map, 1679 tclass)); 1680 } 1681 1682 policydb = &state->ss->policydb; 1683 sidtab = state->ss->sidtab; 1684 1685 scontext = sidtab_search(sidtab, ssid); 1686 if (!scontext) { 1687 pr_err("SELinux: %s: unrecognized SID %d\n", 1688 __func__, ssid); 1689 rc = -EINVAL; 1690 goto out_unlock; 1691 } 1692 tcontext = sidtab_search(sidtab, tsid); 1693 if (!tcontext) { 1694 pr_err("SELinux: %s: unrecognized SID %d\n", 1695 __func__, tsid); 1696 rc = -EINVAL; 1697 goto out_unlock; 1698 } 1699 1700 if (tclass && tclass <= policydb->p_classes.nprim) 1701 cladatum = policydb->class_val_to_struct[tclass - 1]; 1702 1703 /* Set the user identity. */ 1704 switch (specified) { 1705 case AVTAB_TRANSITION: 1706 case AVTAB_CHANGE: 1707 if (cladatum && cladatum->default_user == DEFAULT_TARGET) { 1708 newcontext.user = tcontext->user; 1709 } else { 1710 /* notice this gets both DEFAULT_SOURCE and unset */ 1711 /* Use the process user identity. */ 1712 newcontext.user = scontext->user; 1713 } 1714 break; 1715 case AVTAB_MEMBER: 1716 /* Use the related object owner. */ 1717 newcontext.user = tcontext->user; 1718 break; 1719 } 1720 1721 /* Set the role to default values. */ 1722 if (cladatum && cladatum->default_role == DEFAULT_SOURCE) { 1723 newcontext.role = scontext->role; 1724 } else if (cladatum && cladatum->default_role == DEFAULT_TARGET) { 1725 newcontext.role = tcontext->role; 1726 } else { 1727 if ((tclass == policydb->process_class) || (sock == true)) 1728 newcontext.role = scontext->role; 1729 else 1730 newcontext.role = OBJECT_R_VAL; 1731 } 1732 1733 /* Set the type to default values. */ 1734 if (cladatum && cladatum->default_type == DEFAULT_SOURCE) { 1735 newcontext.type = scontext->type; 1736 } else if (cladatum && cladatum->default_type == DEFAULT_TARGET) { 1737 newcontext.type = tcontext->type; 1738 } else { 1739 if ((tclass == policydb->process_class) || (sock == true)) { 1740 /* Use the type of process. */ 1741 newcontext.type = scontext->type; 1742 } else { 1743 /* Use the type of the related object. */ 1744 newcontext.type = tcontext->type; 1745 } 1746 } 1747 1748 /* Look for a type transition/member/change rule. */ 1749 avkey.source_type = scontext->type; 1750 avkey.target_type = tcontext->type; 1751 avkey.target_class = tclass; 1752 avkey.specified = specified; 1753 avdatum = avtab_search(&policydb->te_avtab, &avkey); 1754 1755 /* If no permanent rule, also check for enabled conditional rules */ 1756 if (!avdatum) { 1757 node = avtab_search_node(&policydb->te_cond_avtab, &avkey); 1758 for (; node; node = avtab_search_node_next(node, specified)) { 1759 if (node->key.specified & AVTAB_ENABLED) { 1760 avdatum = &node->datum; 1761 break; 1762 } 1763 } 1764 } 1765 1766 if (avdatum) { 1767 /* Use the type from the type transition/member/change rule. */ 1768 newcontext.type = avdatum->u.data; 1769 } 1770 1771 /* if we have a objname this is a file trans check so check those rules */ 1772 if (objname) 1773 filename_compute_type(policydb, &newcontext, scontext->type, 1774 tcontext->type, tclass, objname); 1775 1776 /* Check for class-specific changes. */ 1777 if (specified & AVTAB_TRANSITION) { 1778 /* Look for a role transition rule. */ 1779 for (roletr = policydb->role_tr; roletr; 1780 roletr = roletr->next) { 1781 if ((roletr->role == scontext->role) && 1782 (roletr->type == tcontext->type) && 1783 (roletr->tclass == tclass)) { 1784 /* Use the role transition rule. */ 1785 newcontext.role = roletr->new_role; 1786 break; 1787 } 1788 } 1789 } 1790 1791 /* Set the MLS attributes. 1792 This is done last because it may allocate memory. */ 1793 rc = mls_compute_sid(policydb, scontext, tcontext, tclass, specified, 1794 &newcontext, sock); 1795 if (rc) 1796 goto out_unlock; 1797 1798 /* Check the validity of the context. */ 1799 if (!policydb_context_isvalid(policydb, &newcontext)) { 1800 rc = compute_sid_handle_invalid_context(state, scontext, 1801 tcontext, 1802 tclass, 1803 &newcontext); 1804 if (rc) 1805 goto out_unlock; 1806 } 1807 /* Obtain the sid for the context. */ 1808 rc = sidtab_context_to_sid(sidtab, &newcontext, out_sid); 1809 out_unlock: 1810 read_unlock(&state->ss->policy_rwlock); 1811 context_destroy(&newcontext); 1812 out: 1813 return rc; 1814 } 1815 1816 /** 1817 * security_transition_sid - Compute the SID for a new subject/object. 1818 * @ssid: source security identifier 1819 * @tsid: target security identifier 1820 * @tclass: target security class 1821 * @out_sid: security identifier for new subject/object 1822 * 1823 * Compute a SID to use for labeling a new subject or object in the 1824 * class @tclass based on a SID pair (@ssid, @tsid). 1825 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM 1826 * if insufficient memory is available, or %0 if the new SID was 1827 * computed successfully. 1828 */ 1829 int security_transition_sid(struct selinux_state *state, 1830 u32 ssid, u32 tsid, u16 tclass, 1831 const struct qstr *qstr, u32 *out_sid) 1832 { 1833 return security_compute_sid(state, ssid, tsid, tclass, 1834 AVTAB_TRANSITION, 1835 qstr ? qstr->name : NULL, out_sid, true); 1836 } 1837 1838 int security_transition_sid_user(struct selinux_state *state, 1839 u32 ssid, u32 tsid, u16 tclass, 1840 const char *objname, u32 *out_sid) 1841 { 1842 return security_compute_sid(state, ssid, tsid, tclass, 1843 AVTAB_TRANSITION, 1844 objname, out_sid, false); 1845 } 1846 1847 /** 1848 * security_member_sid - Compute the SID for member selection. 1849 * @ssid: source security identifier 1850 * @tsid: target security identifier 1851 * @tclass: target security class 1852 * @out_sid: security identifier for selected member 1853 * 1854 * Compute a SID to use when selecting a member of a polyinstantiated 1855 * object of class @tclass based on a SID pair (@ssid, @tsid). 1856 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM 1857 * if insufficient memory is available, or %0 if the SID was 1858 * computed successfully. 1859 */ 1860 int security_member_sid(struct selinux_state *state, 1861 u32 ssid, 1862 u32 tsid, 1863 u16 tclass, 1864 u32 *out_sid) 1865 { 1866 return security_compute_sid(state, ssid, tsid, tclass, 1867 AVTAB_MEMBER, NULL, 1868 out_sid, false); 1869 } 1870 1871 /** 1872 * security_change_sid - Compute the SID for object relabeling. 1873 * @ssid: source security identifier 1874 * @tsid: target security identifier 1875 * @tclass: target security class 1876 * @out_sid: security identifier for selected member 1877 * 1878 * Compute a SID to use for relabeling an object of class @tclass 1879 * based on a SID pair (@ssid, @tsid). 1880 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM 1881 * if insufficient memory is available, or %0 if the SID was 1882 * computed successfully. 1883 */ 1884 int security_change_sid(struct selinux_state *state, 1885 u32 ssid, 1886 u32 tsid, 1887 u16 tclass, 1888 u32 *out_sid) 1889 { 1890 return security_compute_sid(state, 1891 ssid, tsid, tclass, AVTAB_CHANGE, NULL, 1892 out_sid, false); 1893 } 1894 1895 static inline int convert_context_handle_invalid_context( 1896 struct selinux_state *state, 1897 struct context *context) 1898 { 1899 struct policydb *policydb = &state->ss->policydb; 1900 char *s; 1901 u32 len; 1902 1903 if (enforcing_enabled(state)) 1904 return -EINVAL; 1905 1906 if (!context_struct_to_string(policydb, context, &s, &len)) { 1907 pr_warn("SELinux: Context %s would be invalid if enforcing\n", 1908 s); 1909 kfree(s); 1910 } 1911 return 0; 1912 } 1913 1914 struct convert_context_args { 1915 struct selinux_state *state; 1916 struct policydb *oldp; 1917 struct policydb *newp; 1918 }; 1919 1920 /* 1921 * Convert the values in the security context 1922 * structure `oldc' from the values specified 1923 * in the policy `p->oldp' to the values specified 1924 * in the policy `p->newp', storing the new context 1925 * in `newc'. Verify that the context is valid 1926 * under the new policy. 1927 */ 1928 static int convert_context(struct context *oldc, struct context *newc, void *p) 1929 { 1930 struct convert_context_args *args; 1931 struct ocontext *oc; 1932 struct role_datum *role; 1933 struct type_datum *typdatum; 1934 struct user_datum *usrdatum; 1935 char *s; 1936 u32 len; 1937 int rc; 1938 1939 args = p; 1940 1941 if (oldc->str) { 1942 s = kstrdup(oldc->str, GFP_KERNEL); 1943 if (!s) 1944 return -ENOMEM; 1945 1946 rc = string_to_context_struct(args->newp, NULL, s, 1947 newc, SECSID_NULL); 1948 if (rc == -EINVAL) { 1949 /* Retain string representation for later mapping. */ 1950 context_init(newc); 1951 newc->str = s; 1952 newc->len = oldc->len; 1953 return 0; 1954 } 1955 kfree(s); 1956 if (rc) { 1957 /* Other error condition, e.g. ENOMEM. */ 1958 pr_err("SELinux: Unable to map context %s, rc = %d.\n", 1959 oldc->str, -rc); 1960 return rc; 1961 } 1962 pr_info("SELinux: Context %s became valid (mapped).\n", 1963 oldc->str); 1964 return 0; 1965 } 1966 1967 context_init(newc); 1968 1969 /* Convert the user. */ 1970 rc = -EINVAL; 1971 usrdatum = hashtab_search(args->newp->p_users.table, 1972 sym_name(args->oldp, 1973 SYM_USERS, oldc->user - 1)); 1974 if (!usrdatum) 1975 goto bad; 1976 newc->user = usrdatum->value; 1977 1978 /* Convert the role. */ 1979 rc = -EINVAL; 1980 role = hashtab_search(args->newp->p_roles.table, 1981 sym_name(args->oldp, SYM_ROLES, oldc->role - 1)); 1982 if (!role) 1983 goto bad; 1984 newc->role = role->value; 1985 1986 /* Convert the type. */ 1987 rc = -EINVAL; 1988 typdatum = hashtab_search(args->newp->p_types.table, 1989 sym_name(args->oldp, 1990 SYM_TYPES, oldc->type - 1)); 1991 if (!typdatum) 1992 goto bad; 1993 newc->type = typdatum->value; 1994 1995 /* Convert the MLS fields if dealing with MLS policies */ 1996 if (args->oldp->mls_enabled && args->newp->mls_enabled) { 1997 rc = mls_convert_context(args->oldp, args->newp, oldc, newc); 1998 if (rc) 1999 goto bad; 2000 } else if (!args->oldp->mls_enabled && args->newp->mls_enabled) { 2001 /* 2002 * Switching between non-MLS and MLS policy: 2003 * ensure that the MLS fields of the context for all 2004 * existing entries in the sidtab are filled in with a 2005 * suitable default value, likely taken from one of the 2006 * initial SIDs. 2007 */ 2008 oc = args->newp->ocontexts[OCON_ISID]; 2009 while (oc && oc->sid[0] != SECINITSID_UNLABELED) 2010 oc = oc->next; 2011 rc = -EINVAL; 2012 if (!oc) { 2013 pr_err("SELinux: unable to look up" 2014 " the initial SIDs list\n"); 2015 goto bad; 2016 } 2017 rc = mls_range_set(newc, &oc->context[0].range); 2018 if (rc) 2019 goto bad; 2020 } 2021 2022 /* Check the validity of the new context. */ 2023 if (!policydb_context_isvalid(args->newp, newc)) { 2024 rc = convert_context_handle_invalid_context(args->state, oldc); 2025 if (rc) 2026 goto bad; 2027 } 2028 2029 return 0; 2030 bad: 2031 /* Map old representation to string and save it. */ 2032 rc = context_struct_to_string(args->oldp, oldc, &s, &len); 2033 if (rc) 2034 return rc; 2035 context_destroy(newc); 2036 newc->str = s; 2037 newc->len = len; 2038 pr_info("SELinux: Context %s became invalid (unmapped).\n", 2039 newc->str); 2040 return 0; 2041 } 2042 2043 static void security_load_policycaps(struct selinux_state *state) 2044 { 2045 struct policydb *p = &state->ss->policydb; 2046 unsigned int i; 2047 struct ebitmap_node *node; 2048 2049 for (i = 0; i < ARRAY_SIZE(state->policycap); i++) 2050 state->policycap[i] = ebitmap_get_bit(&p->policycaps, i); 2051 2052 for (i = 0; i < ARRAY_SIZE(selinux_policycap_names); i++) 2053 pr_info("SELinux: policy capability %s=%d\n", 2054 selinux_policycap_names[i], 2055 ebitmap_get_bit(&p->policycaps, i)); 2056 2057 ebitmap_for_each_positive_bit(&p->policycaps, node, i) { 2058 if (i >= ARRAY_SIZE(selinux_policycap_names)) 2059 pr_info("SELinux: unknown policy capability %u\n", 2060 i); 2061 } 2062 } 2063 2064 static int security_preserve_bools(struct selinux_state *state, 2065 struct policydb *newpolicydb); 2066 2067 /** 2068 * security_load_policy - Load a security policy configuration. 2069 * @data: binary policy data 2070 * @len: length of data in bytes 2071 * 2072 * Load a new set of security policy configuration data, 2073 * validate it and convert the SID table as necessary. 2074 * This function will flush the access vector cache after 2075 * loading the new policy. 2076 */ 2077 int security_load_policy(struct selinux_state *state, void *data, size_t len) 2078 { 2079 struct policydb *policydb; 2080 struct sidtab *oldsidtab, *newsidtab; 2081 struct policydb *oldpolicydb, *newpolicydb; 2082 struct selinux_mapping *oldmapping; 2083 struct selinux_map newmap; 2084 struct sidtab_convert_params convert_params; 2085 struct convert_context_args args; 2086 u32 seqno; 2087 int rc = 0; 2088 struct policy_file file = { data, len }, *fp = &file; 2089 2090 oldpolicydb = kcalloc(2, sizeof(*oldpolicydb), GFP_KERNEL); 2091 if (!oldpolicydb) { 2092 rc = -ENOMEM; 2093 goto out; 2094 } 2095 newpolicydb = oldpolicydb + 1; 2096 2097 policydb = &state->ss->policydb; 2098 2099 newsidtab = kmalloc(sizeof(*newsidtab), GFP_KERNEL); 2100 if (!newsidtab) { 2101 rc = -ENOMEM; 2102 goto out; 2103 } 2104 2105 if (!state->initialized) { 2106 rc = policydb_read(policydb, fp); 2107 if (rc) { 2108 kfree(newsidtab); 2109 goto out; 2110 } 2111 2112 policydb->len = len; 2113 rc = selinux_set_mapping(policydb, secclass_map, 2114 &state->ss->map); 2115 if (rc) { 2116 kfree(newsidtab); 2117 policydb_destroy(policydb); 2118 goto out; 2119 } 2120 2121 rc = policydb_load_isids(policydb, newsidtab); 2122 if (rc) { 2123 kfree(newsidtab); 2124 policydb_destroy(policydb); 2125 goto out; 2126 } 2127 2128 state->ss->sidtab = newsidtab; 2129 security_load_policycaps(state); 2130 state->initialized = 1; 2131 seqno = ++state->ss->latest_granting; 2132 selinux_complete_init(); 2133 avc_ss_reset(state->avc, seqno); 2134 selnl_notify_policyload(seqno); 2135 selinux_status_update_policyload(state, seqno); 2136 selinux_netlbl_cache_invalidate(); 2137 selinux_xfrm_notify_policyload(); 2138 goto out; 2139 } 2140 2141 rc = policydb_read(newpolicydb, fp); 2142 if (rc) { 2143 kfree(newsidtab); 2144 goto out; 2145 } 2146 2147 newpolicydb->len = len; 2148 /* If switching between different policy types, log MLS status */ 2149 if (policydb->mls_enabled && !newpolicydb->mls_enabled) 2150 pr_info("SELinux: Disabling MLS support...\n"); 2151 else if (!policydb->mls_enabled && newpolicydb->mls_enabled) 2152 pr_info("SELinux: Enabling MLS support...\n"); 2153 2154 rc = policydb_load_isids(newpolicydb, newsidtab); 2155 if (rc) { 2156 pr_err("SELinux: unable to load the initial SIDs\n"); 2157 policydb_destroy(newpolicydb); 2158 kfree(newsidtab); 2159 goto out; 2160 } 2161 2162 rc = selinux_set_mapping(newpolicydb, secclass_map, &newmap); 2163 if (rc) 2164 goto err; 2165 2166 rc = security_preserve_bools(state, newpolicydb); 2167 if (rc) { 2168 pr_err("SELinux: unable to preserve booleans\n"); 2169 goto err; 2170 } 2171 2172 oldsidtab = state->ss->sidtab; 2173 2174 /* 2175 * Convert the internal representations of contexts 2176 * in the new SID table. 2177 */ 2178 args.state = state; 2179 args.oldp = policydb; 2180 args.newp = newpolicydb; 2181 2182 convert_params.func = convert_context; 2183 convert_params.args = &args; 2184 convert_params.target = newsidtab; 2185 2186 rc = sidtab_convert(oldsidtab, &convert_params); 2187 if (rc) { 2188 pr_err("SELinux: unable to convert the internal" 2189 " representation of contexts in the new SID" 2190 " table\n"); 2191 goto err; 2192 } 2193 2194 /* Save the old policydb and SID table to free later. */ 2195 memcpy(oldpolicydb, policydb, sizeof(*policydb)); 2196 2197 /* Install the new policydb and SID table. */ 2198 write_lock_irq(&state->ss->policy_rwlock); 2199 memcpy(policydb, newpolicydb, sizeof(*policydb)); 2200 state->ss->sidtab = newsidtab; 2201 security_load_policycaps(state); 2202 oldmapping = state->ss->map.mapping; 2203 state->ss->map.mapping = newmap.mapping; 2204 state->ss->map.size = newmap.size; 2205 seqno = ++state->ss->latest_granting; 2206 write_unlock_irq(&state->ss->policy_rwlock); 2207 2208 /* Free the old policydb and SID table. */ 2209 policydb_destroy(oldpolicydb); 2210 sidtab_destroy(oldsidtab); 2211 kfree(oldsidtab); 2212 kfree(oldmapping); 2213 2214 avc_ss_reset(state->avc, seqno); 2215 selnl_notify_policyload(seqno); 2216 selinux_status_update_policyload(state, seqno); 2217 selinux_netlbl_cache_invalidate(); 2218 selinux_xfrm_notify_policyload(); 2219 2220 rc = 0; 2221 goto out; 2222 2223 err: 2224 kfree(newmap.mapping); 2225 sidtab_destroy(newsidtab); 2226 kfree(newsidtab); 2227 policydb_destroy(newpolicydb); 2228 2229 out: 2230 kfree(oldpolicydb); 2231 return rc; 2232 } 2233 2234 size_t security_policydb_len(struct selinux_state *state) 2235 { 2236 struct policydb *p = &state->ss->policydb; 2237 size_t len; 2238 2239 read_lock(&state->ss->policy_rwlock); 2240 len = p->len; 2241 read_unlock(&state->ss->policy_rwlock); 2242 2243 return len; 2244 } 2245 2246 /** 2247 * security_port_sid - Obtain the SID for a port. 2248 * @protocol: protocol number 2249 * @port: port number 2250 * @out_sid: security identifier 2251 */ 2252 int security_port_sid(struct selinux_state *state, 2253 u8 protocol, u16 port, u32 *out_sid) 2254 { 2255 struct policydb *policydb; 2256 struct sidtab *sidtab; 2257 struct ocontext *c; 2258 int rc = 0; 2259 2260 read_lock(&state->ss->policy_rwlock); 2261 2262 policydb = &state->ss->policydb; 2263 sidtab = state->ss->sidtab; 2264 2265 c = policydb->ocontexts[OCON_PORT]; 2266 while (c) { 2267 if (c->u.port.protocol == protocol && 2268 c->u.port.low_port <= port && 2269 c->u.port.high_port >= port) 2270 break; 2271 c = c->next; 2272 } 2273 2274 if (c) { 2275 if (!c->sid[0]) { 2276 rc = sidtab_context_to_sid(sidtab, 2277 &c->context[0], 2278 &c->sid[0]); 2279 if (rc) 2280 goto out; 2281 } 2282 *out_sid = c->sid[0]; 2283 } else { 2284 *out_sid = SECINITSID_PORT; 2285 } 2286 2287 out: 2288 read_unlock(&state->ss->policy_rwlock); 2289 return rc; 2290 } 2291 2292 /** 2293 * security_pkey_sid - Obtain the SID for a pkey. 2294 * @subnet_prefix: Subnet Prefix 2295 * @pkey_num: pkey number 2296 * @out_sid: security identifier 2297 */ 2298 int security_ib_pkey_sid(struct selinux_state *state, 2299 u64 subnet_prefix, u16 pkey_num, u32 *out_sid) 2300 { 2301 struct policydb *policydb; 2302 struct sidtab *sidtab; 2303 struct ocontext *c; 2304 int rc = 0; 2305 2306 read_lock(&state->ss->policy_rwlock); 2307 2308 policydb = &state->ss->policydb; 2309 sidtab = state->ss->sidtab; 2310 2311 c = policydb->ocontexts[OCON_IBPKEY]; 2312 while (c) { 2313 if (c->u.ibpkey.low_pkey <= pkey_num && 2314 c->u.ibpkey.high_pkey >= pkey_num && 2315 c->u.ibpkey.subnet_prefix == subnet_prefix) 2316 break; 2317 2318 c = c->next; 2319 } 2320 2321 if (c) { 2322 if (!c->sid[0]) { 2323 rc = sidtab_context_to_sid(sidtab, 2324 &c->context[0], 2325 &c->sid[0]); 2326 if (rc) 2327 goto out; 2328 } 2329 *out_sid = c->sid[0]; 2330 } else 2331 *out_sid = SECINITSID_UNLABELED; 2332 2333 out: 2334 read_unlock(&state->ss->policy_rwlock); 2335 return rc; 2336 } 2337 2338 /** 2339 * security_ib_endport_sid - Obtain the SID for a subnet management interface. 2340 * @dev_name: device name 2341 * @port: port number 2342 * @out_sid: security identifier 2343 */ 2344 int security_ib_endport_sid(struct selinux_state *state, 2345 const char *dev_name, u8 port_num, u32 *out_sid) 2346 { 2347 struct policydb *policydb; 2348 struct sidtab *sidtab; 2349 struct ocontext *c; 2350 int rc = 0; 2351 2352 read_lock(&state->ss->policy_rwlock); 2353 2354 policydb = &state->ss->policydb; 2355 sidtab = state->ss->sidtab; 2356 2357 c = policydb->ocontexts[OCON_IBENDPORT]; 2358 while (c) { 2359 if (c->u.ibendport.port == port_num && 2360 !strncmp(c->u.ibendport.dev_name, 2361 dev_name, 2362 IB_DEVICE_NAME_MAX)) 2363 break; 2364 2365 c = c->next; 2366 } 2367 2368 if (c) { 2369 if (!c->sid[0]) { 2370 rc = sidtab_context_to_sid(sidtab, 2371 &c->context[0], 2372 &c->sid[0]); 2373 if (rc) 2374 goto out; 2375 } 2376 *out_sid = c->sid[0]; 2377 } else 2378 *out_sid = SECINITSID_UNLABELED; 2379 2380 out: 2381 read_unlock(&state->ss->policy_rwlock); 2382 return rc; 2383 } 2384 2385 /** 2386 * security_netif_sid - Obtain the SID for a network interface. 2387 * @name: interface name 2388 * @if_sid: interface SID 2389 */ 2390 int security_netif_sid(struct selinux_state *state, 2391 char *name, u32 *if_sid) 2392 { 2393 struct policydb *policydb; 2394 struct sidtab *sidtab; 2395 int rc = 0; 2396 struct ocontext *c; 2397 2398 read_lock(&state->ss->policy_rwlock); 2399 2400 policydb = &state->ss->policydb; 2401 sidtab = state->ss->sidtab; 2402 2403 c = policydb->ocontexts[OCON_NETIF]; 2404 while (c) { 2405 if (strcmp(name, c->u.name) == 0) 2406 break; 2407 c = c->next; 2408 } 2409 2410 if (c) { 2411 if (!c->sid[0] || !c->sid[1]) { 2412 rc = sidtab_context_to_sid(sidtab, 2413 &c->context[0], 2414 &c->sid[0]); 2415 if (rc) 2416 goto out; 2417 rc = sidtab_context_to_sid(sidtab, 2418 &c->context[1], 2419 &c->sid[1]); 2420 if (rc) 2421 goto out; 2422 } 2423 *if_sid = c->sid[0]; 2424 } else 2425 *if_sid = SECINITSID_NETIF; 2426 2427 out: 2428 read_unlock(&state->ss->policy_rwlock); 2429 return rc; 2430 } 2431 2432 static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask) 2433 { 2434 int i, fail = 0; 2435 2436 for (i = 0; i < 4; i++) 2437 if (addr[i] != (input[i] & mask[i])) { 2438 fail = 1; 2439 break; 2440 } 2441 2442 return !fail; 2443 } 2444 2445 /** 2446 * security_node_sid - Obtain the SID for a node (host). 2447 * @domain: communication domain aka address family 2448 * @addrp: address 2449 * @addrlen: address length in bytes 2450 * @out_sid: security identifier 2451 */ 2452 int security_node_sid(struct selinux_state *state, 2453 u16 domain, 2454 void *addrp, 2455 u32 addrlen, 2456 u32 *out_sid) 2457 { 2458 struct policydb *policydb; 2459 struct sidtab *sidtab; 2460 int rc; 2461 struct ocontext *c; 2462 2463 read_lock(&state->ss->policy_rwlock); 2464 2465 policydb = &state->ss->policydb; 2466 sidtab = state->ss->sidtab; 2467 2468 switch (domain) { 2469 case AF_INET: { 2470 u32 addr; 2471 2472 rc = -EINVAL; 2473 if (addrlen != sizeof(u32)) 2474 goto out; 2475 2476 addr = *((u32 *)addrp); 2477 2478 c = policydb->ocontexts[OCON_NODE]; 2479 while (c) { 2480 if (c->u.node.addr == (addr & c->u.node.mask)) 2481 break; 2482 c = c->next; 2483 } 2484 break; 2485 } 2486 2487 case AF_INET6: 2488 rc = -EINVAL; 2489 if (addrlen != sizeof(u64) * 2) 2490 goto out; 2491 c = policydb->ocontexts[OCON_NODE6]; 2492 while (c) { 2493 if (match_ipv6_addrmask(addrp, c->u.node6.addr, 2494 c->u.node6.mask)) 2495 break; 2496 c = c->next; 2497 } 2498 break; 2499 2500 default: 2501 rc = 0; 2502 *out_sid = SECINITSID_NODE; 2503 goto out; 2504 } 2505 2506 if (c) { 2507 if (!c->sid[0]) { 2508 rc = sidtab_context_to_sid(sidtab, 2509 &c->context[0], 2510 &c->sid[0]); 2511 if (rc) 2512 goto out; 2513 } 2514 *out_sid = c->sid[0]; 2515 } else { 2516 *out_sid = SECINITSID_NODE; 2517 } 2518 2519 rc = 0; 2520 out: 2521 read_unlock(&state->ss->policy_rwlock); 2522 return rc; 2523 } 2524 2525 #define SIDS_NEL 25 2526 2527 /** 2528 * security_get_user_sids - Obtain reachable SIDs for a user. 2529 * @fromsid: starting SID 2530 * @username: username 2531 * @sids: array of reachable SIDs for user 2532 * @nel: number of elements in @sids 2533 * 2534 * Generate the set of SIDs for legal security contexts 2535 * for a given user that can be reached by @fromsid. 2536 * Set *@sids to point to a dynamically allocated 2537 * array containing the set of SIDs. Set *@nel to the 2538 * number of elements in the array. 2539 */ 2540 2541 int security_get_user_sids(struct selinux_state *state, 2542 u32 fromsid, 2543 char *username, 2544 u32 **sids, 2545 u32 *nel) 2546 { 2547 struct policydb *policydb; 2548 struct sidtab *sidtab; 2549 struct context *fromcon, usercon; 2550 u32 *mysids = NULL, *mysids2, sid; 2551 u32 mynel = 0, maxnel = SIDS_NEL; 2552 struct user_datum *user; 2553 struct role_datum *role; 2554 struct ebitmap_node *rnode, *tnode; 2555 int rc = 0, i, j; 2556 2557 *sids = NULL; 2558 *nel = 0; 2559 2560 if (!state->initialized) 2561 goto out; 2562 2563 read_lock(&state->ss->policy_rwlock); 2564 2565 policydb = &state->ss->policydb; 2566 sidtab = state->ss->sidtab; 2567 2568 context_init(&usercon); 2569 2570 rc = -EINVAL; 2571 fromcon = sidtab_search(sidtab, fromsid); 2572 if (!fromcon) 2573 goto out_unlock; 2574 2575 rc = -EINVAL; 2576 user = hashtab_search(policydb->p_users.table, username); 2577 if (!user) 2578 goto out_unlock; 2579 2580 usercon.user = user->value; 2581 2582 rc = -ENOMEM; 2583 mysids = kcalloc(maxnel, sizeof(*mysids), GFP_ATOMIC); 2584 if (!mysids) 2585 goto out_unlock; 2586 2587 ebitmap_for_each_positive_bit(&user->roles, rnode, i) { 2588 role = policydb->role_val_to_struct[i]; 2589 usercon.role = i + 1; 2590 ebitmap_for_each_positive_bit(&role->types, tnode, j) { 2591 usercon.type = j + 1; 2592 2593 if (mls_setup_user_range(policydb, fromcon, user, 2594 &usercon)) 2595 continue; 2596 2597 rc = sidtab_context_to_sid(sidtab, &usercon, &sid); 2598 if (rc) 2599 goto out_unlock; 2600 if (mynel < maxnel) { 2601 mysids[mynel++] = sid; 2602 } else { 2603 rc = -ENOMEM; 2604 maxnel += SIDS_NEL; 2605 mysids2 = kcalloc(maxnel, sizeof(*mysids2), GFP_ATOMIC); 2606 if (!mysids2) 2607 goto out_unlock; 2608 memcpy(mysids2, mysids, mynel * sizeof(*mysids2)); 2609 kfree(mysids); 2610 mysids = mysids2; 2611 mysids[mynel++] = sid; 2612 } 2613 } 2614 } 2615 rc = 0; 2616 out_unlock: 2617 read_unlock(&state->ss->policy_rwlock); 2618 if (rc || !mynel) { 2619 kfree(mysids); 2620 goto out; 2621 } 2622 2623 rc = -ENOMEM; 2624 mysids2 = kcalloc(mynel, sizeof(*mysids2), GFP_KERNEL); 2625 if (!mysids2) { 2626 kfree(mysids); 2627 goto out; 2628 } 2629 for (i = 0, j = 0; i < mynel; i++) { 2630 struct av_decision dummy_avd; 2631 rc = avc_has_perm_noaudit(state, 2632 fromsid, mysids[i], 2633 SECCLASS_PROCESS, /* kernel value */ 2634 PROCESS__TRANSITION, AVC_STRICT, 2635 &dummy_avd); 2636 if (!rc) 2637 mysids2[j++] = mysids[i]; 2638 cond_resched(); 2639 } 2640 rc = 0; 2641 kfree(mysids); 2642 *sids = mysids2; 2643 *nel = j; 2644 out: 2645 return rc; 2646 } 2647 2648 /** 2649 * __security_genfs_sid - Helper to obtain a SID for a file in a filesystem 2650 * @fstype: filesystem type 2651 * @path: path from root of mount 2652 * @sclass: file security class 2653 * @sid: SID for path 2654 * 2655 * Obtain a SID to use for a file in a filesystem that 2656 * cannot support xattr or use a fixed labeling behavior like 2657 * transition SIDs or task SIDs. 2658 * 2659 * The caller must acquire the policy_rwlock before calling this function. 2660 */ 2661 static inline int __security_genfs_sid(struct selinux_state *state, 2662 const char *fstype, 2663 char *path, 2664 u16 orig_sclass, 2665 u32 *sid) 2666 { 2667 struct policydb *policydb = &state->ss->policydb; 2668 struct sidtab *sidtab = state->ss->sidtab; 2669 int len; 2670 u16 sclass; 2671 struct genfs *genfs; 2672 struct ocontext *c; 2673 int rc, cmp = 0; 2674 2675 while (path[0] == '/' && path[1] == '/') 2676 path++; 2677 2678 sclass = unmap_class(&state->ss->map, orig_sclass); 2679 *sid = SECINITSID_UNLABELED; 2680 2681 for (genfs = policydb->genfs; genfs; genfs = genfs->next) { 2682 cmp = strcmp(fstype, genfs->fstype); 2683 if (cmp <= 0) 2684 break; 2685 } 2686 2687 rc = -ENOENT; 2688 if (!genfs || cmp) 2689 goto out; 2690 2691 for (c = genfs->head; c; c = c->next) { 2692 len = strlen(c->u.name); 2693 if ((!c->v.sclass || sclass == c->v.sclass) && 2694 (strncmp(c->u.name, path, len) == 0)) 2695 break; 2696 } 2697 2698 rc = -ENOENT; 2699 if (!c) 2700 goto out; 2701 2702 if (!c->sid[0]) { 2703 rc = sidtab_context_to_sid(sidtab, &c->context[0], &c->sid[0]); 2704 if (rc) 2705 goto out; 2706 } 2707 2708 *sid = c->sid[0]; 2709 rc = 0; 2710 out: 2711 return rc; 2712 } 2713 2714 /** 2715 * security_genfs_sid - Obtain a SID for a file in a filesystem 2716 * @fstype: filesystem type 2717 * @path: path from root of mount 2718 * @sclass: file security class 2719 * @sid: SID for path 2720 * 2721 * Acquire policy_rwlock before calling __security_genfs_sid() and release 2722 * it afterward. 2723 */ 2724 int security_genfs_sid(struct selinux_state *state, 2725 const char *fstype, 2726 char *path, 2727 u16 orig_sclass, 2728 u32 *sid) 2729 { 2730 int retval; 2731 2732 read_lock(&state->ss->policy_rwlock); 2733 retval = __security_genfs_sid(state, fstype, path, orig_sclass, sid); 2734 read_unlock(&state->ss->policy_rwlock); 2735 return retval; 2736 } 2737 2738 /** 2739 * security_fs_use - Determine how to handle labeling for a filesystem. 2740 * @sb: superblock in question 2741 */ 2742 int security_fs_use(struct selinux_state *state, struct super_block *sb) 2743 { 2744 struct policydb *policydb; 2745 struct sidtab *sidtab; 2746 int rc = 0; 2747 struct ocontext *c; 2748 struct superblock_security_struct *sbsec = sb->s_security; 2749 const char *fstype = sb->s_type->name; 2750 2751 read_lock(&state->ss->policy_rwlock); 2752 2753 policydb = &state->ss->policydb; 2754 sidtab = state->ss->sidtab; 2755 2756 c = policydb->ocontexts[OCON_FSUSE]; 2757 while (c) { 2758 if (strcmp(fstype, c->u.name) == 0) 2759 break; 2760 c = c->next; 2761 } 2762 2763 if (c) { 2764 sbsec->behavior = c->v.behavior; 2765 if (!c->sid[0]) { 2766 rc = sidtab_context_to_sid(sidtab, &c->context[0], 2767 &c->sid[0]); 2768 if (rc) 2769 goto out; 2770 } 2771 sbsec->sid = c->sid[0]; 2772 } else { 2773 rc = __security_genfs_sid(state, fstype, "/", SECCLASS_DIR, 2774 &sbsec->sid); 2775 if (rc) { 2776 sbsec->behavior = SECURITY_FS_USE_NONE; 2777 rc = 0; 2778 } else { 2779 sbsec->behavior = SECURITY_FS_USE_GENFS; 2780 } 2781 } 2782 2783 out: 2784 read_unlock(&state->ss->policy_rwlock); 2785 return rc; 2786 } 2787 2788 int security_get_bools(struct selinux_state *state, 2789 int *len, char ***names, int **values) 2790 { 2791 struct policydb *policydb; 2792 int i, rc; 2793 2794 if (!state->initialized) { 2795 *len = 0; 2796 *names = NULL; 2797 *values = NULL; 2798 return 0; 2799 } 2800 2801 read_lock(&state->ss->policy_rwlock); 2802 2803 policydb = &state->ss->policydb; 2804 2805 *names = NULL; 2806 *values = NULL; 2807 2808 rc = 0; 2809 *len = policydb->p_bools.nprim; 2810 if (!*len) 2811 goto out; 2812 2813 rc = -ENOMEM; 2814 *names = kcalloc(*len, sizeof(char *), GFP_ATOMIC); 2815 if (!*names) 2816 goto err; 2817 2818 rc = -ENOMEM; 2819 *values = kcalloc(*len, sizeof(int), GFP_ATOMIC); 2820 if (!*values) 2821 goto err; 2822 2823 for (i = 0; i < *len; i++) { 2824 (*values)[i] = policydb->bool_val_to_struct[i]->state; 2825 2826 rc = -ENOMEM; 2827 (*names)[i] = kstrdup(sym_name(policydb, SYM_BOOLS, i), 2828 GFP_ATOMIC); 2829 if (!(*names)[i]) 2830 goto err; 2831 } 2832 rc = 0; 2833 out: 2834 read_unlock(&state->ss->policy_rwlock); 2835 return rc; 2836 err: 2837 if (*names) { 2838 for (i = 0; i < *len; i++) 2839 kfree((*names)[i]); 2840 } 2841 kfree(*values); 2842 goto out; 2843 } 2844 2845 2846 int security_set_bools(struct selinux_state *state, int len, int *values) 2847 { 2848 struct policydb *policydb; 2849 int i, rc; 2850 int lenp, seqno = 0; 2851 struct cond_node *cur; 2852 2853 write_lock_irq(&state->ss->policy_rwlock); 2854 2855 policydb = &state->ss->policydb; 2856 2857 rc = -EFAULT; 2858 lenp = policydb->p_bools.nprim; 2859 if (len != lenp) 2860 goto out; 2861 2862 for (i = 0; i < len; i++) { 2863 if (!!values[i] != policydb->bool_val_to_struct[i]->state) { 2864 audit_log(audit_context(), GFP_ATOMIC, 2865 AUDIT_MAC_CONFIG_CHANGE, 2866 "bool=%s val=%d old_val=%d auid=%u ses=%u", 2867 sym_name(policydb, SYM_BOOLS, i), 2868 !!values[i], 2869 policydb->bool_val_to_struct[i]->state, 2870 from_kuid(&init_user_ns, audit_get_loginuid(current)), 2871 audit_get_sessionid(current)); 2872 } 2873 if (values[i]) 2874 policydb->bool_val_to_struct[i]->state = 1; 2875 else 2876 policydb->bool_val_to_struct[i]->state = 0; 2877 } 2878 2879 for (cur = policydb->cond_list; cur; cur = cur->next) { 2880 rc = evaluate_cond_node(policydb, cur); 2881 if (rc) 2882 goto out; 2883 } 2884 2885 seqno = ++state->ss->latest_granting; 2886 rc = 0; 2887 out: 2888 write_unlock_irq(&state->ss->policy_rwlock); 2889 if (!rc) { 2890 avc_ss_reset(state->avc, seqno); 2891 selnl_notify_policyload(seqno); 2892 selinux_status_update_policyload(state, seqno); 2893 selinux_xfrm_notify_policyload(); 2894 } 2895 return rc; 2896 } 2897 2898 int security_get_bool_value(struct selinux_state *state, 2899 int index) 2900 { 2901 struct policydb *policydb; 2902 int rc; 2903 int len; 2904 2905 read_lock(&state->ss->policy_rwlock); 2906 2907 policydb = &state->ss->policydb; 2908 2909 rc = -EFAULT; 2910 len = policydb->p_bools.nprim; 2911 if (index >= len) 2912 goto out; 2913 2914 rc = policydb->bool_val_to_struct[index]->state; 2915 out: 2916 read_unlock(&state->ss->policy_rwlock); 2917 return rc; 2918 } 2919 2920 static int security_preserve_bools(struct selinux_state *state, 2921 struct policydb *policydb) 2922 { 2923 int rc, nbools = 0, *bvalues = NULL, i; 2924 char **bnames = NULL; 2925 struct cond_bool_datum *booldatum; 2926 struct cond_node *cur; 2927 2928 rc = security_get_bools(state, &nbools, &bnames, &bvalues); 2929 if (rc) 2930 goto out; 2931 for (i = 0; i < nbools; i++) { 2932 booldatum = hashtab_search(policydb->p_bools.table, bnames[i]); 2933 if (booldatum) 2934 booldatum->state = bvalues[i]; 2935 } 2936 for (cur = policydb->cond_list; cur; cur = cur->next) { 2937 rc = evaluate_cond_node(policydb, cur); 2938 if (rc) 2939 goto out; 2940 } 2941 2942 out: 2943 if (bnames) { 2944 for (i = 0; i < nbools; i++) 2945 kfree(bnames[i]); 2946 } 2947 kfree(bnames); 2948 kfree(bvalues); 2949 return rc; 2950 } 2951 2952 /* 2953 * security_sid_mls_copy() - computes a new sid based on the given 2954 * sid and the mls portion of mls_sid. 2955 */ 2956 int security_sid_mls_copy(struct selinux_state *state, 2957 u32 sid, u32 mls_sid, u32 *new_sid) 2958 { 2959 struct policydb *policydb = &state->ss->policydb; 2960 struct sidtab *sidtab = state->ss->sidtab; 2961 struct context *context1; 2962 struct context *context2; 2963 struct context newcon; 2964 char *s; 2965 u32 len; 2966 int rc; 2967 2968 rc = 0; 2969 if (!state->initialized || !policydb->mls_enabled) { 2970 *new_sid = sid; 2971 goto out; 2972 } 2973 2974 context_init(&newcon); 2975 2976 read_lock(&state->ss->policy_rwlock); 2977 2978 rc = -EINVAL; 2979 context1 = sidtab_search(sidtab, sid); 2980 if (!context1) { 2981 pr_err("SELinux: %s: unrecognized SID %d\n", 2982 __func__, sid); 2983 goto out_unlock; 2984 } 2985 2986 rc = -EINVAL; 2987 context2 = sidtab_search(sidtab, mls_sid); 2988 if (!context2) { 2989 pr_err("SELinux: %s: unrecognized SID %d\n", 2990 __func__, mls_sid); 2991 goto out_unlock; 2992 } 2993 2994 newcon.user = context1->user; 2995 newcon.role = context1->role; 2996 newcon.type = context1->type; 2997 rc = mls_context_cpy(&newcon, context2); 2998 if (rc) 2999 goto out_unlock; 3000 3001 /* Check the validity of the new context. */ 3002 if (!policydb_context_isvalid(policydb, &newcon)) { 3003 rc = convert_context_handle_invalid_context(state, &newcon); 3004 if (rc) { 3005 if (!context_struct_to_string(policydb, &newcon, &s, 3006 &len)) { 3007 struct audit_buffer *ab; 3008 3009 ab = audit_log_start(audit_context(), 3010 GFP_ATOMIC, 3011 AUDIT_SELINUX_ERR); 3012 audit_log_format(ab, 3013 "op=security_sid_mls_copy invalid_context="); 3014 /* don't record NUL with untrusted strings */ 3015 audit_log_n_untrustedstring(ab, s, len - 1); 3016 audit_log_end(ab); 3017 kfree(s); 3018 } 3019 goto out_unlock; 3020 } 3021 } 3022 3023 rc = sidtab_context_to_sid(sidtab, &newcon, new_sid); 3024 out_unlock: 3025 read_unlock(&state->ss->policy_rwlock); 3026 context_destroy(&newcon); 3027 out: 3028 return rc; 3029 } 3030 3031 /** 3032 * security_net_peersid_resolve - Compare and resolve two network peer SIDs 3033 * @nlbl_sid: NetLabel SID 3034 * @nlbl_type: NetLabel labeling protocol type 3035 * @xfrm_sid: XFRM SID 3036 * 3037 * Description: 3038 * Compare the @nlbl_sid and @xfrm_sid values and if the two SIDs can be 3039 * resolved into a single SID it is returned via @peer_sid and the function 3040 * returns zero. Otherwise @peer_sid is set to SECSID_NULL and the function 3041 * returns a negative value. A table summarizing the behavior is below: 3042 * 3043 * | function return | @sid 3044 * ------------------------------+-----------------+----------------- 3045 * no peer labels | 0 | SECSID_NULL 3046 * single peer label | 0 | <peer_label> 3047 * multiple, consistent labels | 0 | <peer_label> 3048 * multiple, inconsistent labels | -<errno> | SECSID_NULL 3049 * 3050 */ 3051 int security_net_peersid_resolve(struct selinux_state *state, 3052 u32 nlbl_sid, u32 nlbl_type, 3053 u32 xfrm_sid, 3054 u32 *peer_sid) 3055 { 3056 struct policydb *policydb = &state->ss->policydb; 3057 struct sidtab *sidtab = state->ss->sidtab; 3058 int rc; 3059 struct context *nlbl_ctx; 3060 struct context *xfrm_ctx; 3061 3062 *peer_sid = SECSID_NULL; 3063 3064 /* handle the common (which also happens to be the set of easy) cases 3065 * right away, these two if statements catch everything involving a 3066 * single or absent peer SID/label */ 3067 if (xfrm_sid == SECSID_NULL) { 3068 *peer_sid = nlbl_sid; 3069 return 0; 3070 } 3071 /* NOTE: an nlbl_type == NETLBL_NLTYPE_UNLABELED is a "fallback" label 3072 * and is treated as if nlbl_sid == SECSID_NULL when a XFRM SID/label 3073 * is present */ 3074 if (nlbl_sid == SECSID_NULL || nlbl_type == NETLBL_NLTYPE_UNLABELED) { 3075 *peer_sid = xfrm_sid; 3076 return 0; 3077 } 3078 3079 /* 3080 * We don't need to check initialized here since the only way both 3081 * nlbl_sid and xfrm_sid are not equal to SECSID_NULL would be if the 3082 * security server was initialized and state->initialized was true. 3083 */ 3084 if (!policydb->mls_enabled) 3085 return 0; 3086 3087 read_lock(&state->ss->policy_rwlock); 3088 3089 rc = -EINVAL; 3090 nlbl_ctx = sidtab_search(sidtab, nlbl_sid); 3091 if (!nlbl_ctx) { 3092 pr_err("SELinux: %s: unrecognized SID %d\n", 3093 __func__, nlbl_sid); 3094 goto out; 3095 } 3096 rc = -EINVAL; 3097 xfrm_ctx = sidtab_search(sidtab, xfrm_sid); 3098 if (!xfrm_ctx) { 3099 pr_err("SELinux: %s: unrecognized SID %d\n", 3100 __func__, xfrm_sid); 3101 goto out; 3102 } 3103 rc = (mls_context_cmp(nlbl_ctx, xfrm_ctx) ? 0 : -EACCES); 3104 if (rc) 3105 goto out; 3106 3107 /* at present NetLabel SIDs/labels really only carry MLS 3108 * information so if the MLS portion of the NetLabel SID 3109 * matches the MLS portion of the labeled XFRM SID/label 3110 * then pass along the XFRM SID as it is the most 3111 * expressive */ 3112 *peer_sid = xfrm_sid; 3113 out: 3114 read_unlock(&state->ss->policy_rwlock); 3115 return rc; 3116 } 3117 3118 static int get_classes_callback(void *k, void *d, void *args) 3119 { 3120 struct class_datum *datum = d; 3121 char *name = k, **classes = args; 3122 int value = datum->value - 1; 3123 3124 classes[value] = kstrdup(name, GFP_ATOMIC); 3125 if (!classes[value]) 3126 return -ENOMEM; 3127 3128 return 0; 3129 } 3130 3131 int security_get_classes(struct selinux_state *state, 3132 char ***classes, int *nclasses) 3133 { 3134 struct policydb *policydb = &state->ss->policydb; 3135 int rc; 3136 3137 if (!state->initialized) { 3138 *nclasses = 0; 3139 *classes = NULL; 3140 return 0; 3141 } 3142 3143 read_lock(&state->ss->policy_rwlock); 3144 3145 rc = -ENOMEM; 3146 *nclasses = policydb->p_classes.nprim; 3147 *classes = kcalloc(*nclasses, sizeof(**classes), GFP_ATOMIC); 3148 if (!*classes) 3149 goto out; 3150 3151 rc = hashtab_map(policydb->p_classes.table, get_classes_callback, 3152 *classes); 3153 if (rc) { 3154 int i; 3155 for (i = 0; i < *nclasses; i++) 3156 kfree((*classes)[i]); 3157 kfree(*classes); 3158 } 3159 3160 out: 3161 read_unlock(&state->ss->policy_rwlock); 3162 return rc; 3163 } 3164 3165 static int get_permissions_callback(void *k, void *d, void *args) 3166 { 3167 struct perm_datum *datum = d; 3168 char *name = k, **perms = args; 3169 int value = datum->value - 1; 3170 3171 perms[value] = kstrdup(name, GFP_ATOMIC); 3172 if (!perms[value]) 3173 return -ENOMEM; 3174 3175 return 0; 3176 } 3177 3178 int security_get_permissions(struct selinux_state *state, 3179 char *class, char ***perms, int *nperms) 3180 { 3181 struct policydb *policydb = &state->ss->policydb; 3182 int rc, i; 3183 struct class_datum *match; 3184 3185 read_lock(&state->ss->policy_rwlock); 3186 3187 rc = -EINVAL; 3188 match = hashtab_search(policydb->p_classes.table, class); 3189 if (!match) { 3190 pr_err("SELinux: %s: unrecognized class %s\n", 3191 __func__, class); 3192 goto out; 3193 } 3194 3195 rc = -ENOMEM; 3196 *nperms = match->permissions.nprim; 3197 *perms = kcalloc(*nperms, sizeof(**perms), GFP_ATOMIC); 3198 if (!*perms) 3199 goto out; 3200 3201 if (match->comdatum) { 3202 rc = hashtab_map(match->comdatum->permissions.table, 3203 get_permissions_callback, *perms); 3204 if (rc) 3205 goto err; 3206 } 3207 3208 rc = hashtab_map(match->permissions.table, get_permissions_callback, 3209 *perms); 3210 if (rc) 3211 goto err; 3212 3213 out: 3214 read_unlock(&state->ss->policy_rwlock); 3215 return rc; 3216 3217 err: 3218 read_unlock(&state->ss->policy_rwlock); 3219 for (i = 0; i < *nperms; i++) 3220 kfree((*perms)[i]); 3221 kfree(*perms); 3222 return rc; 3223 } 3224 3225 int security_get_reject_unknown(struct selinux_state *state) 3226 { 3227 return state->ss->policydb.reject_unknown; 3228 } 3229 3230 int security_get_allow_unknown(struct selinux_state *state) 3231 { 3232 return state->ss->policydb.allow_unknown; 3233 } 3234 3235 /** 3236 * security_policycap_supported - Check for a specific policy capability 3237 * @req_cap: capability 3238 * 3239 * Description: 3240 * This function queries the currently loaded policy to see if it supports the 3241 * capability specified by @req_cap. Returns true (1) if the capability is 3242 * supported, false (0) if it isn't supported. 3243 * 3244 */ 3245 int security_policycap_supported(struct selinux_state *state, 3246 unsigned int req_cap) 3247 { 3248 struct policydb *policydb = &state->ss->policydb; 3249 int rc; 3250 3251 read_lock(&state->ss->policy_rwlock); 3252 rc = ebitmap_get_bit(&policydb->policycaps, req_cap); 3253 read_unlock(&state->ss->policy_rwlock); 3254 3255 return rc; 3256 } 3257 3258 struct selinux_audit_rule { 3259 u32 au_seqno; 3260 struct context au_ctxt; 3261 }; 3262 3263 void selinux_audit_rule_free(void *vrule) 3264 { 3265 struct selinux_audit_rule *rule = vrule; 3266 3267 if (rule) { 3268 context_destroy(&rule->au_ctxt); 3269 kfree(rule); 3270 } 3271 } 3272 3273 int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) 3274 { 3275 struct selinux_state *state = &selinux_state; 3276 struct policydb *policydb = &state->ss->policydb; 3277 struct selinux_audit_rule *tmprule; 3278 struct role_datum *roledatum; 3279 struct type_datum *typedatum; 3280 struct user_datum *userdatum; 3281 struct selinux_audit_rule **rule = (struct selinux_audit_rule **)vrule; 3282 int rc = 0; 3283 3284 *rule = NULL; 3285 3286 if (!state->initialized) 3287 return -EOPNOTSUPP; 3288 3289 switch (field) { 3290 case AUDIT_SUBJ_USER: 3291 case AUDIT_SUBJ_ROLE: 3292 case AUDIT_SUBJ_TYPE: 3293 case AUDIT_OBJ_USER: 3294 case AUDIT_OBJ_ROLE: 3295 case AUDIT_OBJ_TYPE: 3296 /* only 'equals' and 'not equals' fit user, role, and type */ 3297 if (op != Audit_equal && op != Audit_not_equal) 3298 return -EINVAL; 3299 break; 3300 case AUDIT_SUBJ_SEN: 3301 case AUDIT_SUBJ_CLR: 3302 case AUDIT_OBJ_LEV_LOW: 3303 case AUDIT_OBJ_LEV_HIGH: 3304 /* we do not allow a range, indicated by the presence of '-' */ 3305 if (strchr(rulestr, '-')) 3306 return -EINVAL; 3307 break; 3308 default: 3309 /* only the above fields are valid */ 3310 return -EINVAL; 3311 } 3312 3313 tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL); 3314 if (!tmprule) 3315 return -ENOMEM; 3316 3317 context_init(&tmprule->au_ctxt); 3318 3319 read_lock(&state->ss->policy_rwlock); 3320 3321 tmprule->au_seqno = state->ss->latest_granting; 3322 3323 switch (field) { 3324 case AUDIT_SUBJ_USER: 3325 case AUDIT_OBJ_USER: 3326 rc = -EINVAL; 3327 userdatum = hashtab_search(policydb->p_users.table, rulestr); 3328 if (!userdatum) 3329 goto out; 3330 tmprule->au_ctxt.user = userdatum->value; 3331 break; 3332 case AUDIT_SUBJ_ROLE: 3333 case AUDIT_OBJ_ROLE: 3334 rc = -EINVAL; 3335 roledatum = hashtab_search(policydb->p_roles.table, rulestr); 3336 if (!roledatum) 3337 goto out; 3338 tmprule->au_ctxt.role = roledatum->value; 3339 break; 3340 case AUDIT_SUBJ_TYPE: 3341 case AUDIT_OBJ_TYPE: 3342 rc = -EINVAL; 3343 typedatum = hashtab_search(policydb->p_types.table, rulestr); 3344 if (!typedatum) 3345 goto out; 3346 tmprule->au_ctxt.type = typedatum->value; 3347 break; 3348 case AUDIT_SUBJ_SEN: 3349 case AUDIT_SUBJ_CLR: 3350 case AUDIT_OBJ_LEV_LOW: 3351 case AUDIT_OBJ_LEV_HIGH: 3352 rc = mls_from_string(policydb, rulestr, &tmprule->au_ctxt, 3353 GFP_ATOMIC); 3354 if (rc) 3355 goto out; 3356 break; 3357 } 3358 rc = 0; 3359 out: 3360 read_unlock(&state->ss->policy_rwlock); 3361 3362 if (rc) { 3363 selinux_audit_rule_free(tmprule); 3364 tmprule = NULL; 3365 } 3366 3367 *rule = tmprule; 3368 3369 return rc; 3370 } 3371 3372 /* Check to see if the rule contains any selinux fields */ 3373 int selinux_audit_rule_known(struct audit_krule *rule) 3374 { 3375 int i; 3376 3377 for (i = 0; i < rule->field_count; i++) { 3378 struct audit_field *f = &rule->fields[i]; 3379 switch (f->type) { 3380 case AUDIT_SUBJ_USER: 3381 case AUDIT_SUBJ_ROLE: 3382 case AUDIT_SUBJ_TYPE: 3383 case AUDIT_SUBJ_SEN: 3384 case AUDIT_SUBJ_CLR: 3385 case AUDIT_OBJ_USER: 3386 case AUDIT_OBJ_ROLE: 3387 case AUDIT_OBJ_TYPE: 3388 case AUDIT_OBJ_LEV_LOW: 3389 case AUDIT_OBJ_LEV_HIGH: 3390 return 1; 3391 } 3392 } 3393 3394 return 0; 3395 } 3396 3397 int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule) 3398 { 3399 struct selinux_state *state = &selinux_state; 3400 struct context *ctxt; 3401 struct mls_level *level; 3402 struct selinux_audit_rule *rule = vrule; 3403 int match = 0; 3404 3405 if (unlikely(!rule)) { 3406 WARN_ONCE(1, "selinux_audit_rule_match: missing rule\n"); 3407 return -ENOENT; 3408 } 3409 3410 read_lock(&state->ss->policy_rwlock); 3411 3412 if (rule->au_seqno < state->ss->latest_granting) { 3413 match = -ESTALE; 3414 goto out; 3415 } 3416 3417 ctxt = sidtab_search(state->ss->sidtab, sid); 3418 if (unlikely(!ctxt)) { 3419 WARN_ONCE(1, "selinux_audit_rule_match: unrecognized SID %d\n", 3420 sid); 3421 match = -ENOENT; 3422 goto out; 3423 } 3424 3425 /* a field/op pair that is not caught here will simply fall through 3426 without a match */ 3427 switch (field) { 3428 case AUDIT_SUBJ_USER: 3429 case AUDIT_OBJ_USER: 3430 switch (op) { 3431 case Audit_equal: 3432 match = (ctxt->user == rule->au_ctxt.user); 3433 break; 3434 case Audit_not_equal: 3435 match = (ctxt->user != rule->au_ctxt.user); 3436 break; 3437 } 3438 break; 3439 case AUDIT_SUBJ_ROLE: 3440 case AUDIT_OBJ_ROLE: 3441 switch (op) { 3442 case Audit_equal: 3443 match = (ctxt->role == rule->au_ctxt.role); 3444 break; 3445 case Audit_not_equal: 3446 match = (ctxt->role != rule->au_ctxt.role); 3447 break; 3448 } 3449 break; 3450 case AUDIT_SUBJ_TYPE: 3451 case AUDIT_OBJ_TYPE: 3452 switch (op) { 3453 case Audit_equal: 3454 match = (ctxt->type == rule->au_ctxt.type); 3455 break; 3456 case Audit_not_equal: 3457 match = (ctxt->type != rule->au_ctxt.type); 3458 break; 3459 } 3460 break; 3461 case AUDIT_SUBJ_SEN: 3462 case AUDIT_SUBJ_CLR: 3463 case AUDIT_OBJ_LEV_LOW: 3464 case AUDIT_OBJ_LEV_HIGH: 3465 level = ((field == AUDIT_SUBJ_SEN || 3466 field == AUDIT_OBJ_LEV_LOW) ? 3467 &ctxt->range.level[0] : &ctxt->range.level[1]); 3468 switch (op) { 3469 case Audit_equal: 3470 match = mls_level_eq(&rule->au_ctxt.range.level[0], 3471 level); 3472 break; 3473 case Audit_not_equal: 3474 match = !mls_level_eq(&rule->au_ctxt.range.level[0], 3475 level); 3476 break; 3477 case Audit_lt: 3478 match = (mls_level_dom(&rule->au_ctxt.range.level[0], 3479 level) && 3480 !mls_level_eq(&rule->au_ctxt.range.level[0], 3481 level)); 3482 break; 3483 case Audit_le: 3484 match = mls_level_dom(&rule->au_ctxt.range.level[0], 3485 level); 3486 break; 3487 case Audit_gt: 3488 match = (mls_level_dom(level, 3489 &rule->au_ctxt.range.level[0]) && 3490 !mls_level_eq(level, 3491 &rule->au_ctxt.range.level[0])); 3492 break; 3493 case Audit_ge: 3494 match = mls_level_dom(level, 3495 &rule->au_ctxt.range.level[0]); 3496 break; 3497 } 3498 } 3499 3500 out: 3501 read_unlock(&state->ss->policy_rwlock); 3502 return match; 3503 } 3504 3505 static int (*aurule_callback)(void) = audit_update_lsm_rules; 3506 3507 static int aurule_avc_callback(u32 event) 3508 { 3509 int err = 0; 3510 3511 if (event == AVC_CALLBACK_RESET && aurule_callback) 3512 err = aurule_callback(); 3513 return err; 3514 } 3515 3516 static int __init aurule_init(void) 3517 { 3518 int err; 3519 3520 err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET); 3521 if (err) 3522 panic("avc_add_callback() failed, error %d\n", err); 3523 3524 return err; 3525 } 3526 __initcall(aurule_init); 3527 3528 #ifdef CONFIG_NETLABEL 3529 /** 3530 * security_netlbl_cache_add - Add an entry to the NetLabel cache 3531 * @secattr: the NetLabel packet security attributes 3532 * @sid: the SELinux SID 3533 * 3534 * Description: 3535 * Attempt to cache the context in @ctx, which was derived from the packet in 3536 * @skb, in the NetLabel subsystem cache. This function assumes @secattr has 3537 * already been initialized. 3538 * 3539 */ 3540 static void security_netlbl_cache_add(struct netlbl_lsm_secattr *secattr, 3541 u32 sid) 3542 { 3543 u32 *sid_cache; 3544 3545 sid_cache = kmalloc(sizeof(*sid_cache), GFP_ATOMIC); 3546 if (sid_cache == NULL) 3547 return; 3548 secattr->cache = netlbl_secattr_cache_alloc(GFP_ATOMIC); 3549 if (secattr->cache == NULL) { 3550 kfree(sid_cache); 3551 return; 3552 } 3553 3554 *sid_cache = sid; 3555 secattr->cache->free = kfree; 3556 secattr->cache->data = sid_cache; 3557 secattr->flags |= NETLBL_SECATTR_CACHE; 3558 } 3559 3560 /** 3561 * security_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID 3562 * @secattr: the NetLabel packet security attributes 3563 * @sid: the SELinux SID 3564 * 3565 * Description: 3566 * Convert the given NetLabel security attributes in @secattr into a 3567 * SELinux SID. If the @secattr field does not contain a full SELinux 3568 * SID/context then use SECINITSID_NETMSG as the foundation. If possible the 3569 * 'cache' field of @secattr is set and the CACHE flag is set; this is to 3570 * allow the @secattr to be used by NetLabel to cache the secattr to SID 3571 * conversion for future lookups. Returns zero on success, negative values on 3572 * failure. 3573 * 3574 */ 3575 int security_netlbl_secattr_to_sid(struct selinux_state *state, 3576 struct netlbl_lsm_secattr *secattr, 3577 u32 *sid) 3578 { 3579 struct policydb *policydb = &state->ss->policydb; 3580 struct sidtab *sidtab = state->ss->sidtab; 3581 int rc; 3582 struct context *ctx; 3583 struct context ctx_new; 3584 3585 if (!state->initialized) { 3586 *sid = SECSID_NULL; 3587 return 0; 3588 } 3589 3590 read_lock(&state->ss->policy_rwlock); 3591 3592 if (secattr->flags & NETLBL_SECATTR_CACHE) 3593 *sid = *(u32 *)secattr->cache->data; 3594 else if (secattr->flags & NETLBL_SECATTR_SECID) 3595 *sid = secattr->attr.secid; 3596 else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) { 3597 rc = -EIDRM; 3598 ctx = sidtab_search(sidtab, SECINITSID_NETMSG); 3599 if (ctx == NULL) 3600 goto out; 3601 3602 context_init(&ctx_new); 3603 ctx_new.user = ctx->user; 3604 ctx_new.role = ctx->role; 3605 ctx_new.type = ctx->type; 3606 mls_import_netlbl_lvl(policydb, &ctx_new, secattr); 3607 if (secattr->flags & NETLBL_SECATTR_MLS_CAT) { 3608 rc = mls_import_netlbl_cat(policydb, &ctx_new, secattr); 3609 if (rc) 3610 goto out; 3611 } 3612 rc = -EIDRM; 3613 if (!mls_context_isvalid(policydb, &ctx_new)) 3614 goto out_free; 3615 3616 rc = sidtab_context_to_sid(sidtab, &ctx_new, sid); 3617 if (rc) 3618 goto out_free; 3619 3620 security_netlbl_cache_add(secattr, *sid); 3621 3622 ebitmap_destroy(&ctx_new.range.level[0].cat); 3623 } else 3624 *sid = SECSID_NULL; 3625 3626 read_unlock(&state->ss->policy_rwlock); 3627 return 0; 3628 out_free: 3629 ebitmap_destroy(&ctx_new.range.level[0].cat); 3630 out: 3631 read_unlock(&state->ss->policy_rwlock); 3632 return rc; 3633 } 3634 3635 /** 3636 * security_netlbl_sid_to_secattr - Convert a SELinux SID to a NetLabel secattr 3637 * @sid: the SELinux SID 3638 * @secattr: the NetLabel packet security attributes 3639 * 3640 * Description: 3641 * Convert the given SELinux SID in @sid into a NetLabel security attribute. 3642 * Returns zero on success, negative values on failure. 3643 * 3644 */ 3645 int security_netlbl_sid_to_secattr(struct selinux_state *state, 3646 u32 sid, struct netlbl_lsm_secattr *secattr) 3647 { 3648 struct policydb *policydb = &state->ss->policydb; 3649 int rc; 3650 struct context *ctx; 3651 3652 if (!state->initialized) 3653 return 0; 3654 3655 read_lock(&state->ss->policy_rwlock); 3656 3657 rc = -ENOENT; 3658 ctx = sidtab_search(state->ss->sidtab, sid); 3659 if (ctx == NULL) 3660 goto out; 3661 3662 rc = -ENOMEM; 3663 secattr->domain = kstrdup(sym_name(policydb, SYM_TYPES, ctx->type - 1), 3664 GFP_ATOMIC); 3665 if (secattr->domain == NULL) 3666 goto out; 3667 3668 secattr->attr.secid = sid; 3669 secattr->flags |= NETLBL_SECATTR_DOMAIN_CPY | NETLBL_SECATTR_SECID; 3670 mls_export_netlbl_lvl(policydb, ctx, secattr); 3671 rc = mls_export_netlbl_cat(policydb, ctx, secattr); 3672 out: 3673 read_unlock(&state->ss->policy_rwlock); 3674 return rc; 3675 } 3676 #endif /* CONFIG_NETLABEL */ 3677 3678 /** 3679 * security_read_policy - read the policy. 3680 * @data: binary policy data 3681 * @len: length of data in bytes 3682 * 3683 */ 3684 int security_read_policy(struct selinux_state *state, 3685 void **data, size_t *len) 3686 { 3687 struct policydb *policydb = &state->ss->policydb; 3688 int rc; 3689 struct policy_file fp; 3690 3691 if (!state->initialized) 3692 return -EINVAL; 3693 3694 *len = security_policydb_len(state); 3695 3696 *data = vmalloc_user(*len); 3697 if (!*data) 3698 return -ENOMEM; 3699 3700 fp.data = *data; 3701 fp.len = *len; 3702 3703 read_lock(&state->ss->policy_rwlock); 3704 rc = policydb_write(policydb, &fp); 3705 read_unlock(&state->ss->policy_rwlock); 3706 3707 if (rc) 3708 return rc; 3709 3710 *len = (unsigned long)fp.data - (unsigned long)*data; 3711 return 0; 3712 3713 } 3714