1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Implementation of the security services. 4 * 5 * Authors : Stephen Smalley, <sds@tycho.nsa.gov> 6 * James Morris <jmorris@redhat.com> 7 * 8 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> 9 * 10 * Support for enhanced MLS infrastructure. 11 * Support for context based audit filters. 12 * 13 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> 14 * 15 * Added conditional policy language extensions 16 * 17 * Updated: Hewlett-Packard <paul@paul-moore.com> 18 * 19 * Added support for NetLabel 20 * Added support for the policy capability bitmap 21 * 22 * Updated: Chad Sellers <csellers@tresys.com> 23 * 24 * Added validation of kernel classes and permissions 25 * 26 * Updated: KaiGai Kohei <kaigai@ak.jp.nec.com> 27 * 28 * Added support for bounds domain and audit messaged on masked permissions 29 * 30 * Updated: Guido Trentalancia <guido@trentalancia.com> 31 * 32 * Added support for runtime switching of the policy type 33 * 34 * Copyright (C) 2008, 2009 NEC Corporation 35 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P. 36 * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc. 37 * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC 38 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> 39 */ 40 #include <linux/kernel.h> 41 #include <linux/slab.h> 42 #include <linux/string.h> 43 #include <linux/spinlock.h> 44 #include <linux/rcupdate.h> 45 #include <linux/errno.h> 46 #include <linux/in.h> 47 #include <linux/sched.h> 48 #include <linux/audit.h> 49 #include <linux/vmalloc.h> 50 #include <net/netlabel.h> 51 52 #include "flask.h" 53 #include "avc.h" 54 #include "avc_ss.h" 55 #include "security.h" 56 #include "context.h" 57 #include "policydb.h" 58 #include "sidtab.h" 59 #include "services.h" 60 #include "conditional.h" 61 #include "mls.h" 62 #include "objsec.h" 63 #include "netlabel.h" 64 #include "xfrm.h" 65 #include "ebitmap.h" 66 #include "audit.h" 67 #include "policycap_names.h" 68 #include "ima.h" 69 70 struct convert_context_args { 71 struct selinux_state *state; 72 struct policydb *oldp; 73 struct policydb *newp; 74 }; 75 76 struct selinux_policy_convert_data { 77 struct convert_context_args args; 78 struct sidtab_convert_params sidtab_params; 79 }; 80 81 /* Forward declaration. */ 82 static int context_struct_to_string(struct policydb *policydb, 83 struct context *context, 84 char **scontext, 85 u32 *scontext_len); 86 87 static int sidtab_entry_to_string(struct policydb *policydb, 88 struct sidtab *sidtab, 89 struct sidtab_entry *entry, 90 char **scontext, 91 u32 *scontext_len); 92 93 static void context_struct_compute_av(struct policydb *policydb, 94 struct context *scontext, 95 struct context *tcontext, 96 u16 tclass, 97 struct av_decision *avd, 98 struct extended_perms *xperms); 99 100 static int selinux_set_mapping(struct policydb *pol, 101 struct security_class_mapping *map, 102 struct selinux_map *out_map) 103 { 104 u16 i, j; 105 unsigned k; 106 bool print_unknown_handle = false; 107 108 /* Find number of classes in the input mapping */ 109 if (!map) 110 return -EINVAL; 111 i = 0; 112 while (map[i].name) 113 i++; 114 115 /* Allocate space for the class records, plus one for class zero */ 116 out_map->mapping = kcalloc(++i, sizeof(*out_map->mapping), GFP_ATOMIC); 117 if (!out_map->mapping) 118 return -ENOMEM; 119 120 /* Store the raw class and permission values */ 121 j = 0; 122 while (map[j].name) { 123 struct security_class_mapping *p_in = map + (j++); 124 struct selinux_mapping *p_out = out_map->mapping + j; 125 126 /* An empty class string skips ahead */ 127 if (!strcmp(p_in->name, "")) { 128 p_out->num_perms = 0; 129 continue; 130 } 131 132 p_out->value = string_to_security_class(pol, p_in->name); 133 if (!p_out->value) { 134 pr_info("SELinux: Class %s not defined in policy.\n", 135 p_in->name); 136 if (pol->reject_unknown) 137 goto err; 138 p_out->num_perms = 0; 139 print_unknown_handle = true; 140 continue; 141 } 142 143 k = 0; 144 while (p_in->perms[k]) { 145 /* An empty permission string skips ahead */ 146 if (!*p_in->perms[k]) { 147 k++; 148 continue; 149 } 150 p_out->perms[k] = string_to_av_perm(pol, p_out->value, 151 p_in->perms[k]); 152 if (!p_out->perms[k]) { 153 pr_info("SELinux: Permission %s in class %s not defined in policy.\n", 154 p_in->perms[k], p_in->name); 155 if (pol->reject_unknown) 156 goto err; 157 print_unknown_handle = true; 158 } 159 160 k++; 161 } 162 p_out->num_perms = k; 163 } 164 165 if (print_unknown_handle) 166 pr_info("SELinux: the above unknown classes and permissions will be %s\n", 167 pol->allow_unknown ? "allowed" : "denied"); 168 169 out_map->size = i; 170 return 0; 171 err: 172 kfree(out_map->mapping); 173 out_map->mapping = NULL; 174 return -EINVAL; 175 } 176 177 /* 178 * Get real, policy values from mapped values 179 */ 180 181 static u16 unmap_class(struct selinux_map *map, u16 tclass) 182 { 183 if (tclass < map->size) 184 return map->mapping[tclass].value; 185 186 return tclass; 187 } 188 189 /* 190 * Get kernel value for class from its policy value 191 */ 192 static u16 map_class(struct selinux_map *map, u16 pol_value) 193 { 194 u16 i; 195 196 for (i = 1; i < map->size; i++) { 197 if (map->mapping[i].value == pol_value) 198 return i; 199 } 200 201 return SECCLASS_NULL; 202 } 203 204 static void map_decision(struct selinux_map *map, 205 u16 tclass, struct av_decision *avd, 206 int allow_unknown) 207 { 208 if (tclass < map->size) { 209 struct selinux_mapping *mapping = &map->mapping[tclass]; 210 unsigned int i, n = mapping->num_perms; 211 u32 result; 212 213 for (i = 0, result = 0; i < n; i++) { 214 if (avd->allowed & mapping->perms[i]) 215 result |= 1<<i; 216 if (allow_unknown && !mapping->perms[i]) 217 result |= 1<<i; 218 } 219 avd->allowed = result; 220 221 for (i = 0, result = 0; i < n; i++) 222 if (avd->auditallow & mapping->perms[i]) 223 result |= 1<<i; 224 avd->auditallow = result; 225 226 for (i = 0, result = 0; i < n; i++) { 227 if (avd->auditdeny & mapping->perms[i]) 228 result |= 1<<i; 229 if (!allow_unknown && !mapping->perms[i]) 230 result |= 1<<i; 231 } 232 /* 233 * In case the kernel has a bug and requests a permission 234 * between num_perms and the maximum permission number, we 235 * should audit that denial 236 */ 237 for (; i < (sizeof(u32)*8); i++) 238 result |= 1<<i; 239 avd->auditdeny = result; 240 } 241 } 242 243 int security_mls_enabled(struct selinux_state *state) 244 { 245 int mls_enabled; 246 struct selinux_policy *policy; 247 248 if (!selinux_initialized(state)) 249 return 0; 250 251 rcu_read_lock(); 252 policy = rcu_dereference(state->policy); 253 mls_enabled = policy->policydb.mls_enabled; 254 rcu_read_unlock(); 255 return mls_enabled; 256 } 257 258 /* 259 * Return the boolean value of a constraint expression 260 * when it is applied to the specified source and target 261 * security contexts. 262 * 263 * xcontext is a special beast... It is used by the validatetrans rules 264 * only. For these rules, scontext is the context before the transition, 265 * tcontext is the context after the transition, and xcontext is the context 266 * of the process performing the transition. All other callers of 267 * constraint_expr_eval should pass in NULL for xcontext. 268 */ 269 static int constraint_expr_eval(struct policydb *policydb, 270 struct context *scontext, 271 struct context *tcontext, 272 struct context *xcontext, 273 struct constraint_expr *cexpr) 274 { 275 u32 val1, val2; 276 struct context *c; 277 struct role_datum *r1, *r2; 278 struct mls_level *l1, *l2; 279 struct constraint_expr *e; 280 int s[CEXPR_MAXDEPTH]; 281 int sp = -1; 282 283 for (e = cexpr; e; e = e->next) { 284 switch (e->expr_type) { 285 case CEXPR_NOT: 286 BUG_ON(sp < 0); 287 s[sp] = !s[sp]; 288 break; 289 case CEXPR_AND: 290 BUG_ON(sp < 1); 291 sp--; 292 s[sp] &= s[sp + 1]; 293 break; 294 case CEXPR_OR: 295 BUG_ON(sp < 1); 296 sp--; 297 s[sp] |= s[sp + 1]; 298 break; 299 case CEXPR_ATTR: 300 if (sp == (CEXPR_MAXDEPTH - 1)) 301 return 0; 302 switch (e->attr) { 303 case CEXPR_USER: 304 val1 = scontext->user; 305 val2 = tcontext->user; 306 break; 307 case CEXPR_TYPE: 308 val1 = scontext->type; 309 val2 = tcontext->type; 310 break; 311 case CEXPR_ROLE: 312 val1 = scontext->role; 313 val2 = tcontext->role; 314 r1 = policydb->role_val_to_struct[val1 - 1]; 315 r2 = policydb->role_val_to_struct[val2 - 1]; 316 switch (e->op) { 317 case CEXPR_DOM: 318 s[++sp] = ebitmap_get_bit(&r1->dominates, 319 val2 - 1); 320 continue; 321 case CEXPR_DOMBY: 322 s[++sp] = ebitmap_get_bit(&r2->dominates, 323 val1 - 1); 324 continue; 325 case CEXPR_INCOMP: 326 s[++sp] = (!ebitmap_get_bit(&r1->dominates, 327 val2 - 1) && 328 !ebitmap_get_bit(&r2->dominates, 329 val1 - 1)); 330 continue; 331 default: 332 break; 333 } 334 break; 335 case CEXPR_L1L2: 336 l1 = &(scontext->range.level[0]); 337 l2 = &(tcontext->range.level[0]); 338 goto mls_ops; 339 case CEXPR_L1H2: 340 l1 = &(scontext->range.level[0]); 341 l2 = &(tcontext->range.level[1]); 342 goto mls_ops; 343 case CEXPR_H1L2: 344 l1 = &(scontext->range.level[1]); 345 l2 = &(tcontext->range.level[0]); 346 goto mls_ops; 347 case CEXPR_H1H2: 348 l1 = &(scontext->range.level[1]); 349 l2 = &(tcontext->range.level[1]); 350 goto mls_ops; 351 case CEXPR_L1H1: 352 l1 = &(scontext->range.level[0]); 353 l2 = &(scontext->range.level[1]); 354 goto mls_ops; 355 case CEXPR_L2H2: 356 l1 = &(tcontext->range.level[0]); 357 l2 = &(tcontext->range.level[1]); 358 goto mls_ops; 359 mls_ops: 360 switch (e->op) { 361 case CEXPR_EQ: 362 s[++sp] = mls_level_eq(l1, l2); 363 continue; 364 case CEXPR_NEQ: 365 s[++sp] = !mls_level_eq(l1, l2); 366 continue; 367 case CEXPR_DOM: 368 s[++sp] = mls_level_dom(l1, l2); 369 continue; 370 case CEXPR_DOMBY: 371 s[++sp] = mls_level_dom(l2, l1); 372 continue; 373 case CEXPR_INCOMP: 374 s[++sp] = mls_level_incomp(l2, l1); 375 continue; 376 default: 377 BUG(); 378 return 0; 379 } 380 break; 381 default: 382 BUG(); 383 return 0; 384 } 385 386 switch (e->op) { 387 case CEXPR_EQ: 388 s[++sp] = (val1 == val2); 389 break; 390 case CEXPR_NEQ: 391 s[++sp] = (val1 != val2); 392 break; 393 default: 394 BUG(); 395 return 0; 396 } 397 break; 398 case CEXPR_NAMES: 399 if (sp == (CEXPR_MAXDEPTH-1)) 400 return 0; 401 c = scontext; 402 if (e->attr & CEXPR_TARGET) 403 c = tcontext; 404 else if (e->attr & CEXPR_XTARGET) { 405 c = xcontext; 406 if (!c) { 407 BUG(); 408 return 0; 409 } 410 } 411 if (e->attr & CEXPR_USER) 412 val1 = c->user; 413 else if (e->attr & CEXPR_ROLE) 414 val1 = c->role; 415 else if (e->attr & CEXPR_TYPE) 416 val1 = c->type; 417 else { 418 BUG(); 419 return 0; 420 } 421 422 switch (e->op) { 423 case CEXPR_EQ: 424 s[++sp] = ebitmap_get_bit(&e->names, val1 - 1); 425 break; 426 case CEXPR_NEQ: 427 s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1); 428 break; 429 default: 430 BUG(); 431 return 0; 432 } 433 break; 434 default: 435 BUG(); 436 return 0; 437 } 438 } 439 440 BUG_ON(sp != 0); 441 return s[0]; 442 } 443 444 /* 445 * security_dump_masked_av - dumps masked permissions during 446 * security_compute_av due to RBAC, MLS/Constraint and Type bounds. 447 */ 448 static int dump_masked_av_helper(void *k, void *d, void *args) 449 { 450 struct perm_datum *pdatum = d; 451 char **permission_names = args; 452 453 BUG_ON(pdatum->value < 1 || pdatum->value > 32); 454 455 permission_names[pdatum->value - 1] = (char *)k; 456 457 return 0; 458 } 459 460 static void security_dump_masked_av(struct policydb *policydb, 461 struct context *scontext, 462 struct context *tcontext, 463 u16 tclass, 464 u32 permissions, 465 const char *reason) 466 { 467 struct common_datum *common_dat; 468 struct class_datum *tclass_dat; 469 struct audit_buffer *ab; 470 char *tclass_name; 471 char *scontext_name = NULL; 472 char *tcontext_name = NULL; 473 char *permission_names[32]; 474 int index; 475 u32 length; 476 bool need_comma = false; 477 478 if (!permissions) 479 return; 480 481 tclass_name = sym_name(policydb, SYM_CLASSES, tclass - 1); 482 tclass_dat = policydb->class_val_to_struct[tclass - 1]; 483 common_dat = tclass_dat->comdatum; 484 485 /* init permission_names */ 486 if (common_dat && 487 hashtab_map(&common_dat->permissions.table, 488 dump_masked_av_helper, permission_names) < 0) 489 goto out; 490 491 if (hashtab_map(&tclass_dat->permissions.table, 492 dump_masked_av_helper, permission_names) < 0) 493 goto out; 494 495 /* get scontext/tcontext in text form */ 496 if (context_struct_to_string(policydb, scontext, 497 &scontext_name, &length) < 0) 498 goto out; 499 500 if (context_struct_to_string(policydb, tcontext, 501 &tcontext_name, &length) < 0) 502 goto out; 503 504 /* audit a message */ 505 ab = audit_log_start(audit_context(), 506 GFP_ATOMIC, AUDIT_SELINUX_ERR); 507 if (!ab) 508 goto out; 509 510 audit_log_format(ab, "op=security_compute_av reason=%s " 511 "scontext=%s tcontext=%s tclass=%s perms=", 512 reason, scontext_name, tcontext_name, tclass_name); 513 514 for (index = 0; index < 32; index++) { 515 u32 mask = (1 << index); 516 517 if ((mask & permissions) == 0) 518 continue; 519 520 audit_log_format(ab, "%s%s", 521 need_comma ? "," : "", 522 permission_names[index] 523 ? permission_names[index] : "????"); 524 need_comma = true; 525 } 526 audit_log_end(ab); 527 out: 528 /* release scontext/tcontext */ 529 kfree(tcontext_name); 530 kfree(scontext_name); 531 532 return; 533 } 534 535 /* 536 * security_boundary_permission - drops violated permissions 537 * on boundary constraint. 538 */ 539 static void type_attribute_bounds_av(struct policydb *policydb, 540 struct context *scontext, 541 struct context *tcontext, 542 u16 tclass, 543 struct av_decision *avd) 544 { 545 struct context lo_scontext; 546 struct context lo_tcontext, *tcontextp = tcontext; 547 struct av_decision lo_avd; 548 struct type_datum *source; 549 struct type_datum *target; 550 u32 masked = 0; 551 552 source = policydb->type_val_to_struct[scontext->type - 1]; 553 BUG_ON(!source); 554 555 if (!source->bounds) 556 return; 557 558 target = policydb->type_val_to_struct[tcontext->type - 1]; 559 BUG_ON(!target); 560 561 memset(&lo_avd, 0, sizeof(lo_avd)); 562 563 memcpy(&lo_scontext, scontext, sizeof(lo_scontext)); 564 lo_scontext.type = source->bounds; 565 566 if (target->bounds) { 567 memcpy(&lo_tcontext, tcontext, sizeof(lo_tcontext)); 568 lo_tcontext.type = target->bounds; 569 tcontextp = &lo_tcontext; 570 } 571 572 context_struct_compute_av(policydb, &lo_scontext, 573 tcontextp, 574 tclass, 575 &lo_avd, 576 NULL); 577 578 masked = ~lo_avd.allowed & avd->allowed; 579 580 if (likely(!masked)) 581 return; /* no masked permission */ 582 583 /* mask violated permissions */ 584 avd->allowed &= ~masked; 585 586 /* audit masked permissions */ 587 security_dump_masked_av(policydb, scontext, tcontext, 588 tclass, masked, "bounds"); 589 } 590 591 /* 592 * flag which drivers have permissions 593 * only looking for ioctl based extended permssions 594 */ 595 void services_compute_xperms_drivers( 596 struct extended_perms *xperms, 597 struct avtab_node *node) 598 { 599 unsigned int i; 600 601 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) { 602 /* if one or more driver has all permissions allowed */ 603 for (i = 0; i < ARRAY_SIZE(xperms->drivers.p); i++) 604 xperms->drivers.p[i] |= node->datum.u.xperms->perms.p[i]; 605 } else if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) { 606 /* if allowing permissions within a driver */ 607 security_xperm_set(xperms->drivers.p, 608 node->datum.u.xperms->driver); 609 } 610 611 xperms->len = 1; 612 } 613 614 /* 615 * Compute access vectors and extended permissions based on a context 616 * structure pair for the permissions in a particular class. 617 */ 618 static void context_struct_compute_av(struct policydb *policydb, 619 struct context *scontext, 620 struct context *tcontext, 621 u16 tclass, 622 struct av_decision *avd, 623 struct extended_perms *xperms) 624 { 625 struct constraint_node *constraint; 626 struct role_allow *ra; 627 struct avtab_key avkey; 628 struct avtab_node *node; 629 struct class_datum *tclass_datum; 630 struct ebitmap *sattr, *tattr; 631 struct ebitmap_node *snode, *tnode; 632 unsigned int i, j; 633 634 avd->allowed = 0; 635 avd->auditallow = 0; 636 avd->auditdeny = 0xffffffff; 637 if (xperms) { 638 memset(&xperms->drivers, 0, sizeof(xperms->drivers)); 639 xperms->len = 0; 640 } 641 642 if (unlikely(!tclass || tclass > policydb->p_classes.nprim)) { 643 if (printk_ratelimit()) 644 pr_warn("SELinux: Invalid class %hu\n", tclass); 645 return; 646 } 647 648 tclass_datum = policydb->class_val_to_struct[tclass - 1]; 649 650 /* 651 * If a specific type enforcement rule was defined for 652 * this permission check, then use it. 653 */ 654 avkey.target_class = tclass; 655 avkey.specified = AVTAB_AV | AVTAB_XPERMS; 656 sattr = &policydb->type_attr_map_array[scontext->type - 1]; 657 tattr = &policydb->type_attr_map_array[tcontext->type - 1]; 658 ebitmap_for_each_positive_bit(sattr, snode, i) { 659 ebitmap_for_each_positive_bit(tattr, tnode, j) { 660 avkey.source_type = i + 1; 661 avkey.target_type = j + 1; 662 for (node = avtab_search_node(&policydb->te_avtab, 663 &avkey); 664 node; 665 node = avtab_search_node_next(node, avkey.specified)) { 666 if (node->key.specified == AVTAB_ALLOWED) 667 avd->allowed |= node->datum.u.data; 668 else if (node->key.specified == AVTAB_AUDITALLOW) 669 avd->auditallow |= node->datum.u.data; 670 else if (node->key.specified == AVTAB_AUDITDENY) 671 avd->auditdeny &= node->datum.u.data; 672 else if (xperms && (node->key.specified & AVTAB_XPERMS)) 673 services_compute_xperms_drivers(xperms, node); 674 } 675 676 /* Check conditional av table for additional permissions */ 677 cond_compute_av(&policydb->te_cond_avtab, &avkey, 678 avd, xperms); 679 680 } 681 } 682 683 /* 684 * Remove any permissions prohibited by a constraint (this includes 685 * the MLS policy). 686 */ 687 constraint = tclass_datum->constraints; 688 while (constraint) { 689 if ((constraint->permissions & (avd->allowed)) && 690 !constraint_expr_eval(policydb, scontext, tcontext, NULL, 691 constraint->expr)) { 692 avd->allowed &= ~(constraint->permissions); 693 } 694 constraint = constraint->next; 695 } 696 697 /* 698 * If checking process transition permission and the 699 * role is changing, then check the (current_role, new_role) 700 * pair. 701 */ 702 if (tclass == policydb->process_class && 703 (avd->allowed & policydb->process_trans_perms) && 704 scontext->role != tcontext->role) { 705 for (ra = policydb->role_allow; ra; ra = ra->next) { 706 if (scontext->role == ra->role && 707 tcontext->role == ra->new_role) 708 break; 709 } 710 if (!ra) 711 avd->allowed &= ~policydb->process_trans_perms; 712 } 713 714 /* 715 * If the given source and target types have boundary 716 * constraint, lazy checks have to mask any violated 717 * permission and notice it to userspace via audit. 718 */ 719 type_attribute_bounds_av(policydb, scontext, tcontext, 720 tclass, avd); 721 } 722 723 static int security_validtrans_handle_fail(struct selinux_state *state, 724 struct selinux_policy *policy, 725 struct sidtab_entry *oentry, 726 struct sidtab_entry *nentry, 727 struct sidtab_entry *tentry, 728 u16 tclass) 729 { 730 struct policydb *p = &policy->policydb; 731 struct sidtab *sidtab = policy->sidtab; 732 char *o = NULL, *n = NULL, *t = NULL; 733 u32 olen, nlen, tlen; 734 735 if (sidtab_entry_to_string(p, sidtab, oentry, &o, &olen)) 736 goto out; 737 if (sidtab_entry_to_string(p, sidtab, nentry, &n, &nlen)) 738 goto out; 739 if (sidtab_entry_to_string(p, sidtab, tentry, &t, &tlen)) 740 goto out; 741 audit_log(audit_context(), GFP_ATOMIC, AUDIT_SELINUX_ERR, 742 "op=security_validate_transition seresult=denied" 743 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s", 744 o, n, t, sym_name(p, SYM_CLASSES, tclass-1)); 745 out: 746 kfree(o); 747 kfree(n); 748 kfree(t); 749 750 if (!enforcing_enabled(state)) 751 return 0; 752 return -EPERM; 753 } 754 755 static int security_compute_validatetrans(struct selinux_state *state, 756 u32 oldsid, u32 newsid, u32 tasksid, 757 u16 orig_tclass, bool user) 758 { 759 struct selinux_policy *policy; 760 struct policydb *policydb; 761 struct sidtab *sidtab; 762 struct sidtab_entry *oentry; 763 struct sidtab_entry *nentry; 764 struct sidtab_entry *tentry; 765 struct class_datum *tclass_datum; 766 struct constraint_node *constraint; 767 u16 tclass; 768 int rc = 0; 769 770 771 if (!selinux_initialized(state)) 772 return 0; 773 774 rcu_read_lock(); 775 776 policy = rcu_dereference(state->policy); 777 policydb = &policy->policydb; 778 sidtab = policy->sidtab; 779 780 if (!user) 781 tclass = unmap_class(&policy->map, orig_tclass); 782 else 783 tclass = orig_tclass; 784 785 if (!tclass || tclass > policydb->p_classes.nprim) { 786 rc = -EINVAL; 787 goto out; 788 } 789 tclass_datum = policydb->class_val_to_struct[tclass - 1]; 790 791 oentry = sidtab_search_entry(sidtab, oldsid); 792 if (!oentry) { 793 pr_err("SELinux: %s: unrecognized SID %d\n", 794 __func__, oldsid); 795 rc = -EINVAL; 796 goto out; 797 } 798 799 nentry = sidtab_search_entry(sidtab, newsid); 800 if (!nentry) { 801 pr_err("SELinux: %s: unrecognized SID %d\n", 802 __func__, newsid); 803 rc = -EINVAL; 804 goto out; 805 } 806 807 tentry = sidtab_search_entry(sidtab, tasksid); 808 if (!tentry) { 809 pr_err("SELinux: %s: unrecognized SID %d\n", 810 __func__, tasksid); 811 rc = -EINVAL; 812 goto out; 813 } 814 815 constraint = tclass_datum->validatetrans; 816 while (constraint) { 817 if (!constraint_expr_eval(policydb, &oentry->context, 818 &nentry->context, &tentry->context, 819 constraint->expr)) { 820 if (user) 821 rc = -EPERM; 822 else 823 rc = security_validtrans_handle_fail(state, 824 policy, 825 oentry, 826 nentry, 827 tentry, 828 tclass); 829 goto out; 830 } 831 constraint = constraint->next; 832 } 833 834 out: 835 rcu_read_unlock(); 836 return rc; 837 } 838 839 int security_validate_transition_user(struct selinux_state *state, 840 u32 oldsid, u32 newsid, u32 tasksid, 841 u16 tclass) 842 { 843 return security_compute_validatetrans(state, oldsid, newsid, tasksid, 844 tclass, true); 845 } 846 847 int security_validate_transition(struct selinux_state *state, 848 u32 oldsid, u32 newsid, u32 tasksid, 849 u16 orig_tclass) 850 { 851 return security_compute_validatetrans(state, oldsid, newsid, tasksid, 852 orig_tclass, false); 853 } 854 855 /* 856 * security_bounded_transition - check whether the given 857 * transition is directed to bounded, or not. 858 * It returns 0, if @newsid is bounded by @oldsid. 859 * Otherwise, it returns error code. 860 * 861 * @oldsid : current security identifier 862 * @newsid : destinated security identifier 863 */ 864 int security_bounded_transition(struct selinux_state *state, 865 u32 old_sid, u32 new_sid) 866 { 867 struct selinux_policy *policy; 868 struct policydb *policydb; 869 struct sidtab *sidtab; 870 struct sidtab_entry *old_entry, *new_entry; 871 struct type_datum *type; 872 int index; 873 int rc; 874 875 if (!selinux_initialized(state)) 876 return 0; 877 878 rcu_read_lock(); 879 policy = rcu_dereference(state->policy); 880 policydb = &policy->policydb; 881 sidtab = policy->sidtab; 882 883 rc = -EINVAL; 884 old_entry = sidtab_search_entry(sidtab, old_sid); 885 if (!old_entry) { 886 pr_err("SELinux: %s: unrecognized SID %u\n", 887 __func__, old_sid); 888 goto out; 889 } 890 891 rc = -EINVAL; 892 new_entry = sidtab_search_entry(sidtab, new_sid); 893 if (!new_entry) { 894 pr_err("SELinux: %s: unrecognized SID %u\n", 895 __func__, new_sid); 896 goto out; 897 } 898 899 rc = 0; 900 /* type/domain unchanged */ 901 if (old_entry->context.type == new_entry->context.type) 902 goto out; 903 904 index = new_entry->context.type; 905 while (true) { 906 type = policydb->type_val_to_struct[index - 1]; 907 BUG_ON(!type); 908 909 /* not bounded anymore */ 910 rc = -EPERM; 911 if (!type->bounds) 912 break; 913 914 /* @newsid is bounded by @oldsid */ 915 rc = 0; 916 if (type->bounds == old_entry->context.type) 917 break; 918 919 index = type->bounds; 920 } 921 922 if (rc) { 923 char *old_name = NULL; 924 char *new_name = NULL; 925 u32 length; 926 927 if (!sidtab_entry_to_string(policydb, sidtab, old_entry, 928 &old_name, &length) && 929 !sidtab_entry_to_string(policydb, sidtab, new_entry, 930 &new_name, &length)) { 931 audit_log(audit_context(), 932 GFP_ATOMIC, AUDIT_SELINUX_ERR, 933 "op=security_bounded_transition " 934 "seresult=denied " 935 "oldcontext=%s newcontext=%s", 936 old_name, new_name); 937 } 938 kfree(new_name); 939 kfree(old_name); 940 } 941 out: 942 rcu_read_unlock(); 943 944 return rc; 945 } 946 947 static void avd_init(struct selinux_policy *policy, struct av_decision *avd) 948 { 949 avd->allowed = 0; 950 avd->auditallow = 0; 951 avd->auditdeny = 0xffffffff; 952 if (policy) 953 avd->seqno = policy->latest_granting; 954 else 955 avd->seqno = 0; 956 avd->flags = 0; 957 } 958 959 void services_compute_xperms_decision(struct extended_perms_decision *xpermd, 960 struct avtab_node *node) 961 { 962 unsigned int i; 963 964 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) { 965 if (xpermd->driver != node->datum.u.xperms->driver) 966 return; 967 } else if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) { 968 if (!security_xperm_test(node->datum.u.xperms->perms.p, 969 xpermd->driver)) 970 return; 971 } else { 972 BUG(); 973 } 974 975 if (node->key.specified == AVTAB_XPERMS_ALLOWED) { 976 xpermd->used |= XPERMS_ALLOWED; 977 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) { 978 memset(xpermd->allowed->p, 0xff, 979 sizeof(xpermd->allowed->p)); 980 } 981 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) { 982 for (i = 0; i < ARRAY_SIZE(xpermd->allowed->p); i++) 983 xpermd->allowed->p[i] |= 984 node->datum.u.xperms->perms.p[i]; 985 } 986 } else if (node->key.specified == AVTAB_XPERMS_AUDITALLOW) { 987 xpermd->used |= XPERMS_AUDITALLOW; 988 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) { 989 memset(xpermd->auditallow->p, 0xff, 990 sizeof(xpermd->auditallow->p)); 991 } 992 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) { 993 for (i = 0; i < ARRAY_SIZE(xpermd->auditallow->p); i++) 994 xpermd->auditallow->p[i] |= 995 node->datum.u.xperms->perms.p[i]; 996 } 997 } else if (node->key.specified == AVTAB_XPERMS_DONTAUDIT) { 998 xpermd->used |= XPERMS_DONTAUDIT; 999 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) { 1000 memset(xpermd->dontaudit->p, 0xff, 1001 sizeof(xpermd->dontaudit->p)); 1002 } 1003 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) { 1004 for (i = 0; i < ARRAY_SIZE(xpermd->dontaudit->p); i++) 1005 xpermd->dontaudit->p[i] |= 1006 node->datum.u.xperms->perms.p[i]; 1007 } 1008 } else { 1009 BUG(); 1010 } 1011 } 1012 1013 void security_compute_xperms_decision(struct selinux_state *state, 1014 u32 ssid, 1015 u32 tsid, 1016 u16 orig_tclass, 1017 u8 driver, 1018 struct extended_perms_decision *xpermd) 1019 { 1020 struct selinux_policy *policy; 1021 struct policydb *policydb; 1022 struct sidtab *sidtab; 1023 u16 tclass; 1024 struct context *scontext, *tcontext; 1025 struct avtab_key avkey; 1026 struct avtab_node *node; 1027 struct ebitmap *sattr, *tattr; 1028 struct ebitmap_node *snode, *tnode; 1029 unsigned int i, j; 1030 1031 xpermd->driver = driver; 1032 xpermd->used = 0; 1033 memset(xpermd->allowed->p, 0, sizeof(xpermd->allowed->p)); 1034 memset(xpermd->auditallow->p, 0, sizeof(xpermd->auditallow->p)); 1035 memset(xpermd->dontaudit->p, 0, sizeof(xpermd->dontaudit->p)); 1036 1037 rcu_read_lock(); 1038 if (!selinux_initialized(state)) 1039 goto allow; 1040 1041 policy = rcu_dereference(state->policy); 1042 policydb = &policy->policydb; 1043 sidtab = policy->sidtab; 1044 1045 scontext = sidtab_search(sidtab, ssid); 1046 if (!scontext) { 1047 pr_err("SELinux: %s: unrecognized SID %d\n", 1048 __func__, ssid); 1049 goto out; 1050 } 1051 1052 tcontext = sidtab_search(sidtab, tsid); 1053 if (!tcontext) { 1054 pr_err("SELinux: %s: unrecognized SID %d\n", 1055 __func__, tsid); 1056 goto out; 1057 } 1058 1059 tclass = unmap_class(&policy->map, orig_tclass); 1060 if (unlikely(orig_tclass && !tclass)) { 1061 if (policydb->allow_unknown) 1062 goto allow; 1063 goto out; 1064 } 1065 1066 1067 if (unlikely(!tclass || tclass > policydb->p_classes.nprim)) { 1068 pr_warn_ratelimited("SELinux: Invalid class %hu\n", tclass); 1069 goto out; 1070 } 1071 1072 avkey.target_class = tclass; 1073 avkey.specified = AVTAB_XPERMS; 1074 sattr = &policydb->type_attr_map_array[scontext->type - 1]; 1075 tattr = &policydb->type_attr_map_array[tcontext->type - 1]; 1076 ebitmap_for_each_positive_bit(sattr, snode, i) { 1077 ebitmap_for_each_positive_bit(tattr, tnode, j) { 1078 avkey.source_type = i + 1; 1079 avkey.target_type = j + 1; 1080 for (node = avtab_search_node(&policydb->te_avtab, 1081 &avkey); 1082 node; 1083 node = avtab_search_node_next(node, avkey.specified)) 1084 services_compute_xperms_decision(xpermd, node); 1085 1086 cond_compute_xperms(&policydb->te_cond_avtab, 1087 &avkey, xpermd); 1088 } 1089 } 1090 out: 1091 rcu_read_unlock(); 1092 return; 1093 allow: 1094 memset(xpermd->allowed->p, 0xff, sizeof(xpermd->allowed->p)); 1095 goto out; 1096 } 1097 1098 /** 1099 * security_compute_av - Compute access vector decisions. 1100 * @ssid: source security identifier 1101 * @tsid: target security identifier 1102 * @tclass: target security class 1103 * @avd: access vector decisions 1104 * @xperms: extended permissions 1105 * 1106 * Compute a set of access vector decisions based on the 1107 * SID pair (@ssid, @tsid) for the permissions in @tclass. 1108 */ 1109 void security_compute_av(struct selinux_state *state, 1110 u32 ssid, 1111 u32 tsid, 1112 u16 orig_tclass, 1113 struct av_decision *avd, 1114 struct extended_perms *xperms) 1115 { 1116 struct selinux_policy *policy; 1117 struct policydb *policydb; 1118 struct sidtab *sidtab; 1119 u16 tclass; 1120 struct context *scontext = NULL, *tcontext = NULL; 1121 1122 rcu_read_lock(); 1123 policy = rcu_dereference(state->policy); 1124 avd_init(policy, avd); 1125 xperms->len = 0; 1126 if (!selinux_initialized(state)) 1127 goto allow; 1128 1129 policydb = &policy->policydb; 1130 sidtab = policy->sidtab; 1131 1132 scontext = sidtab_search(sidtab, ssid); 1133 if (!scontext) { 1134 pr_err("SELinux: %s: unrecognized SID %d\n", 1135 __func__, ssid); 1136 goto out; 1137 } 1138 1139 /* permissive domain? */ 1140 if (ebitmap_get_bit(&policydb->permissive_map, scontext->type)) 1141 avd->flags |= AVD_FLAGS_PERMISSIVE; 1142 1143 tcontext = sidtab_search(sidtab, tsid); 1144 if (!tcontext) { 1145 pr_err("SELinux: %s: unrecognized SID %d\n", 1146 __func__, tsid); 1147 goto out; 1148 } 1149 1150 tclass = unmap_class(&policy->map, orig_tclass); 1151 if (unlikely(orig_tclass && !tclass)) { 1152 if (policydb->allow_unknown) 1153 goto allow; 1154 goto out; 1155 } 1156 context_struct_compute_av(policydb, scontext, tcontext, tclass, avd, 1157 xperms); 1158 map_decision(&policy->map, orig_tclass, avd, 1159 policydb->allow_unknown); 1160 out: 1161 rcu_read_unlock(); 1162 return; 1163 allow: 1164 avd->allowed = 0xffffffff; 1165 goto out; 1166 } 1167 1168 void security_compute_av_user(struct selinux_state *state, 1169 u32 ssid, 1170 u32 tsid, 1171 u16 tclass, 1172 struct av_decision *avd) 1173 { 1174 struct selinux_policy *policy; 1175 struct policydb *policydb; 1176 struct sidtab *sidtab; 1177 struct context *scontext = NULL, *tcontext = NULL; 1178 1179 rcu_read_lock(); 1180 policy = rcu_dereference(state->policy); 1181 avd_init(policy, avd); 1182 if (!selinux_initialized(state)) 1183 goto allow; 1184 1185 policydb = &policy->policydb; 1186 sidtab = policy->sidtab; 1187 1188 scontext = sidtab_search(sidtab, ssid); 1189 if (!scontext) { 1190 pr_err("SELinux: %s: unrecognized SID %d\n", 1191 __func__, ssid); 1192 goto out; 1193 } 1194 1195 /* permissive domain? */ 1196 if (ebitmap_get_bit(&policydb->permissive_map, scontext->type)) 1197 avd->flags |= AVD_FLAGS_PERMISSIVE; 1198 1199 tcontext = sidtab_search(sidtab, tsid); 1200 if (!tcontext) { 1201 pr_err("SELinux: %s: unrecognized SID %d\n", 1202 __func__, tsid); 1203 goto out; 1204 } 1205 1206 if (unlikely(!tclass)) { 1207 if (policydb->allow_unknown) 1208 goto allow; 1209 goto out; 1210 } 1211 1212 context_struct_compute_av(policydb, scontext, tcontext, tclass, avd, 1213 NULL); 1214 out: 1215 rcu_read_unlock(); 1216 return; 1217 allow: 1218 avd->allowed = 0xffffffff; 1219 goto out; 1220 } 1221 1222 /* 1223 * Write the security context string representation of 1224 * the context structure `context' into a dynamically 1225 * allocated string of the correct size. Set `*scontext' 1226 * to point to this string and set `*scontext_len' to 1227 * the length of the string. 1228 */ 1229 static int context_struct_to_string(struct policydb *p, 1230 struct context *context, 1231 char **scontext, u32 *scontext_len) 1232 { 1233 char *scontextp; 1234 1235 if (scontext) 1236 *scontext = NULL; 1237 *scontext_len = 0; 1238 1239 if (context->len) { 1240 *scontext_len = context->len; 1241 if (scontext) { 1242 *scontext = kstrdup(context->str, GFP_ATOMIC); 1243 if (!(*scontext)) 1244 return -ENOMEM; 1245 } 1246 return 0; 1247 } 1248 1249 /* Compute the size of the context. */ 1250 *scontext_len += strlen(sym_name(p, SYM_USERS, context->user - 1)) + 1; 1251 *scontext_len += strlen(sym_name(p, SYM_ROLES, context->role - 1)) + 1; 1252 *scontext_len += strlen(sym_name(p, SYM_TYPES, context->type - 1)) + 1; 1253 *scontext_len += mls_compute_context_len(p, context); 1254 1255 if (!scontext) 1256 return 0; 1257 1258 /* Allocate space for the context; caller must free this space. */ 1259 scontextp = kmalloc(*scontext_len, GFP_ATOMIC); 1260 if (!scontextp) 1261 return -ENOMEM; 1262 *scontext = scontextp; 1263 1264 /* 1265 * Copy the user name, role name and type name into the context. 1266 */ 1267 scontextp += sprintf(scontextp, "%s:%s:%s", 1268 sym_name(p, SYM_USERS, context->user - 1), 1269 sym_name(p, SYM_ROLES, context->role - 1), 1270 sym_name(p, SYM_TYPES, context->type - 1)); 1271 1272 mls_sid_to_context(p, context, &scontextp); 1273 1274 *scontextp = 0; 1275 1276 return 0; 1277 } 1278 1279 static int sidtab_entry_to_string(struct policydb *p, 1280 struct sidtab *sidtab, 1281 struct sidtab_entry *entry, 1282 char **scontext, u32 *scontext_len) 1283 { 1284 int rc = sidtab_sid2str_get(sidtab, entry, scontext, scontext_len); 1285 1286 if (rc != -ENOENT) 1287 return rc; 1288 1289 rc = context_struct_to_string(p, &entry->context, scontext, 1290 scontext_len); 1291 if (!rc && scontext) 1292 sidtab_sid2str_put(sidtab, entry, *scontext, *scontext_len); 1293 return rc; 1294 } 1295 1296 #include "initial_sid_to_string.h" 1297 1298 int security_sidtab_hash_stats(struct selinux_state *state, char *page) 1299 { 1300 struct selinux_policy *policy; 1301 int rc; 1302 1303 if (!selinux_initialized(state)) { 1304 pr_err("SELinux: %s: called before initial load_policy\n", 1305 __func__); 1306 return -EINVAL; 1307 } 1308 1309 rcu_read_lock(); 1310 policy = rcu_dereference(state->policy); 1311 rc = sidtab_hash_stats(policy->sidtab, page); 1312 rcu_read_unlock(); 1313 1314 return rc; 1315 } 1316 1317 const char *security_get_initial_sid_context(u32 sid) 1318 { 1319 if (unlikely(sid > SECINITSID_NUM)) 1320 return NULL; 1321 return initial_sid_to_string[sid]; 1322 } 1323 1324 static int security_sid_to_context_core(struct selinux_state *state, 1325 u32 sid, char **scontext, 1326 u32 *scontext_len, int force, 1327 int only_invalid) 1328 { 1329 struct selinux_policy *policy; 1330 struct policydb *policydb; 1331 struct sidtab *sidtab; 1332 struct sidtab_entry *entry; 1333 int rc = 0; 1334 1335 if (scontext) 1336 *scontext = NULL; 1337 *scontext_len = 0; 1338 1339 if (!selinux_initialized(state)) { 1340 if (sid <= SECINITSID_NUM) { 1341 char *scontextp; 1342 const char *s = initial_sid_to_string[sid]; 1343 1344 if (!s) 1345 return -EINVAL; 1346 *scontext_len = strlen(s) + 1; 1347 if (!scontext) 1348 return 0; 1349 scontextp = kmemdup(s, *scontext_len, GFP_ATOMIC); 1350 if (!scontextp) 1351 return -ENOMEM; 1352 *scontext = scontextp; 1353 return 0; 1354 } 1355 pr_err("SELinux: %s: called before initial " 1356 "load_policy on unknown SID %d\n", __func__, sid); 1357 return -EINVAL; 1358 } 1359 rcu_read_lock(); 1360 policy = rcu_dereference(state->policy); 1361 policydb = &policy->policydb; 1362 sidtab = policy->sidtab; 1363 1364 if (force) 1365 entry = sidtab_search_entry_force(sidtab, sid); 1366 else 1367 entry = sidtab_search_entry(sidtab, sid); 1368 if (!entry) { 1369 pr_err("SELinux: %s: unrecognized SID %d\n", 1370 __func__, sid); 1371 rc = -EINVAL; 1372 goto out_unlock; 1373 } 1374 if (only_invalid && !entry->context.len) 1375 goto out_unlock; 1376 1377 rc = sidtab_entry_to_string(policydb, sidtab, entry, scontext, 1378 scontext_len); 1379 1380 out_unlock: 1381 rcu_read_unlock(); 1382 return rc; 1383 1384 } 1385 1386 /** 1387 * security_sid_to_context - Obtain a context for a given SID. 1388 * @sid: security identifier, SID 1389 * @scontext: security context 1390 * @scontext_len: length in bytes 1391 * 1392 * Write the string representation of the context associated with @sid 1393 * into a dynamically allocated string of the correct size. Set @scontext 1394 * to point to this string and set @scontext_len to the length of the string. 1395 */ 1396 int security_sid_to_context(struct selinux_state *state, 1397 u32 sid, char **scontext, u32 *scontext_len) 1398 { 1399 return security_sid_to_context_core(state, sid, scontext, 1400 scontext_len, 0, 0); 1401 } 1402 1403 int security_sid_to_context_force(struct selinux_state *state, u32 sid, 1404 char **scontext, u32 *scontext_len) 1405 { 1406 return security_sid_to_context_core(state, sid, scontext, 1407 scontext_len, 1, 0); 1408 } 1409 1410 /** 1411 * security_sid_to_context_inval - Obtain a context for a given SID if it 1412 * is invalid. 1413 * @sid: security identifier, SID 1414 * @scontext: security context 1415 * @scontext_len: length in bytes 1416 * 1417 * Write the string representation of the context associated with @sid 1418 * into a dynamically allocated string of the correct size, but only if the 1419 * context is invalid in the current policy. Set @scontext to point to 1420 * this string (or NULL if the context is valid) and set @scontext_len to 1421 * the length of the string (or 0 if the context is valid). 1422 */ 1423 int security_sid_to_context_inval(struct selinux_state *state, u32 sid, 1424 char **scontext, u32 *scontext_len) 1425 { 1426 return security_sid_to_context_core(state, sid, scontext, 1427 scontext_len, 1, 1); 1428 } 1429 1430 /* 1431 * Caveat: Mutates scontext. 1432 */ 1433 static int string_to_context_struct(struct policydb *pol, 1434 struct sidtab *sidtabp, 1435 char *scontext, 1436 struct context *ctx, 1437 u32 def_sid) 1438 { 1439 struct role_datum *role; 1440 struct type_datum *typdatum; 1441 struct user_datum *usrdatum; 1442 char *scontextp, *p, oldc; 1443 int rc = 0; 1444 1445 context_init(ctx); 1446 1447 /* Parse the security context. */ 1448 1449 rc = -EINVAL; 1450 scontextp = (char *) scontext; 1451 1452 /* Extract the user. */ 1453 p = scontextp; 1454 while (*p && *p != ':') 1455 p++; 1456 1457 if (*p == 0) 1458 goto out; 1459 1460 *p++ = 0; 1461 1462 usrdatum = symtab_search(&pol->p_users, scontextp); 1463 if (!usrdatum) 1464 goto out; 1465 1466 ctx->user = usrdatum->value; 1467 1468 /* Extract role. */ 1469 scontextp = p; 1470 while (*p && *p != ':') 1471 p++; 1472 1473 if (*p == 0) 1474 goto out; 1475 1476 *p++ = 0; 1477 1478 role = symtab_search(&pol->p_roles, scontextp); 1479 if (!role) 1480 goto out; 1481 ctx->role = role->value; 1482 1483 /* Extract type. */ 1484 scontextp = p; 1485 while (*p && *p != ':') 1486 p++; 1487 oldc = *p; 1488 *p++ = 0; 1489 1490 typdatum = symtab_search(&pol->p_types, scontextp); 1491 if (!typdatum || typdatum->attribute) 1492 goto out; 1493 1494 ctx->type = typdatum->value; 1495 1496 rc = mls_context_to_sid(pol, oldc, p, ctx, sidtabp, def_sid); 1497 if (rc) 1498 goto out; 1499 1500 /* Check the validity of the new context. */ 1501 rc = -EINVAL; 1502 if (!policydb_context_isvalid(pol, ctx)) 1503 goto out; 1504 rc = 0; 1505 out: 1506 if (rc) 1507 context_destroy(ctx); 1508 return rc; 1509 } 1510 1511 static int security_context_to_sid_core(struct selinux_state *state, 1512 const char *scontext, u32 scontext_len, 1513 u32 *sid, u32 def_sid, gfp_t gfp_flags, 1514 int force) 1515 { 1516 struct selinux_policy *policy; 1517 struct policydb *policydb; 1518 struct sidtab *sidtab; 1519 char *scontext2, *str = NULL; 1520 struct context context; 1521 int rc = 0; 1522 1523 /* An empty security context is never valid. */ 1524 if (!scontext_len) 1525 return -EINVAL; 1526 1527 /* Copy the string to allow changes and ensure a NUL terminator */ 1528 scontext2 = kmemdup_nul(scontext, scontext_len, gfp_flags); 1529 if (!scontext2) 1530 return -ENOMEM; 1531 1532 if (!selinux_initialized(state)) { 1533 int i; 1534 1535 for (i = 1; i < SECINITSID_NUM; i++) { 1536 const char *s = initial_sid_to_string[i]; 1537 1538 if (s && !strcmp(s, scontext2)) { 1539 *sid = i; 1540 goto out; 1541 } 1542 } 1543 *sid = SECINITSID_KERNEL; 1544 goto out; 1545 } 1546 *sid = SECSID_NULL; 1547 1548 if (force) { 1549 /* Save another copy for storing in uninterpreted form */ 1550 rc = -ENOMEM; 1551 str = kstrdup(scontext2, gfp_flags); 1552 if (!str) 1553 goto out; 1554 } 1555 rcu_read_lock(); 1556 policy = rcu_dereference(state->policy); 1557 policydb = &policy->policydb; 1558 sidtab = policy->sidtab; 1559 rc = string_to_context_struct(policydb, sidtab, scontext2, 1560 &context, def_sid); 1561 if (rc == -EINVAL && force) { 1562 context.str = str; 1563 context.len = strlen(str) + 1; 1564 str = NULL; 1565 } else if (rc) 1566 goto out_unlock; 1567 rc = sidtab_context_to_sid(sidtab, &context, sid); 1568 context_destroy(&context); 1569 out_unlock: 1570 rcu_read_unlock(); 1571 out: 1572 kfree(scontext2); 1573 kfree(str); 1574 return rc; 1575 } 1576 1577 /** 1578 * security_context_to_sid - Obtain a SID for a given security context. 1579 * @scontext: security context 1580 * @scontext_len: length in bytes 1581 * @sid: security identifier, SID 1582 * @gfp: context for the allocation 1583 * 1584 * Obtains a SID associated with the security context that 1585 * has the string representation specified by @scontext. 1586 * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient 1587 * memory is available, or 0 on success. 1588 */ 1589 int security_context_to_sid(struct selinux_state *state, 1590 const char *scontext, u32 scontext_len, u32 *sid, 1591 gfp_t gfp) 1592 { 1593 return security_context_to_sid_core(state, scontext, scontext_len, 1594 sid, SECSID_NULL, gfp, 0); 1595 } 1596 1597 int security_context_str_to_sid(struct selinux_state *state, 1598 const char *scontext, u32 *sid, gfp_t gfp) 1599 { 1600 return security_context_to_sid(state, scontext, strlen(scontext), 1601 sid, gfp); 1602 } 1603 1604 /** 1605 * security_context_to_sid_default - Obtain a SID for a given security context, 1606 * falling back to specified default if needed. 1607 * 1608 * @scontext: security context 1609 * @scontext_len: length in bytes 1610 * @sid: security identifier, SID 1611 * @def_sid: default SID to assign on error 1612 * 1613 * Obtains a SID associated with the security context that 1614 * has the string representation specified by @scontext. 1615 * The default SID is passed to the MLS layer to be used to allow 1616 * kernel labeling of the MLS field if the MLS field is not present 1617 * (for upgrading to MLS without full relabel). 1618 * Implicitly forces adding of the context even if it cannot be mapped yet. 1619 * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient 1620 * memory is available, or 0 on success. 1621 */ 1622 int security_context_to_sid_default(struct selinux_state *state, 1623 const char *scontext, u32 scontext_len, 1624 u32 *sid, u32 def_sid, gfp_t gfp_flags) 1625 { 1626 return security_context_to_sid_core(state, scontext, scontext_len, 1627 sid, def_sid, gfp_flags, 1); 1628 } 1629 1630 int security_context_to_sid_force(struct selinux_state *state, 1631 const char *scontext, u32 scontext_len, 1632 u32 *sid) 1633 { 1634 return security_context_to_sid_core(state, scontext, scontext_len, 1635 sid, SECSID_NULL, GFP_KERNEL, 1); 1636 } 1637 1638 static int compute_sid_handle_invalid_context( 1639 struct selinux_state *state, 1640 struct selinux_policy *policy, 1641 struct sidtab_entry *sentry, 1642 struct sidtab_entry *tentry, 1643 u16 tclass, 1644 struct context *newcontext) 1645 { 1646 struct policydb *policydb = &policy->policydb; 1647 struct sidtab *sidtab = policy->sidtab; 1648 char *s = NULL, *t = NULL, *n = NULL; 1649 u32 slen, tlen, nlen; 1650 struct audit_buffer *ab; 1651 1652 if (sidtab_entry_to_string(policydb, sidtab, sentry, &s, &slen)) 1653 goto out; 1654 if (sidtab_entry_to_string(policydb, sidtab, tentry, &t, &tlen)) 1655 goto out; 1656 if (context_struct_to_string(policydb, newcontext, &n, &nlen)) 1657 goto out; 1658 ab = audit_log_start(audit_context(), GFP_ATOMIC, AUDIT_SELINUX_ERR); 1659 audit_log_format(ab, 1660 "op=security_compute_sid invalid_context="); 1661 /* no need to record the NUL with untrusted strings */ 1662 audit_log_n_untrustedstring(ab, n, nlen - 1); 1663 audit_log_format(ab, " scontext=%s tcontext=%s tclass=%s", 1664 s, t, sym_name(policydb, SYM_CLASSES, tclass-1)); 1665 audit_log_end(ab); 1666 out: 1667 kfree(s); 1668 kfree(t); 1669 kfree(n); 1670 if (!enforcing_enabled(state)) 1671 return 0; 1672 return -EACCES; 1673 } 1674 1675 static void filename_compute_type(struct policydb *policydb, 1676 struct context *newcontext, 1677 u32 stype, u32 ttype, u16 tclass, 1678 const char *objname) 1679 { 1680 struct filename_trans_key ft; 1681 struct filename_trans_datum *datum; 1682 1683 /* 1684 * Most filename trans rules are going to live in specific directories 1685 * like /dev or /var/run. This bitmap will quickly skip rule searches 1686 * if the ttype does not contain any rules. 1687 */ 1688 if (!ebitmap_get_bit(&policydb->filename_trans_ttypes, ttype)) 1689 return; 1690 1691 ft.ttype = ttype; 1692 ft.tclass = tclass; 1693 ft.name = objname; 1694 1695 datum = policydb_filenametr_search(policydb, &ft); 1696 while (datum) { 1697 if (ebitmap_get_bit(&datum->stypes, stype - 1)) { 1698 newcontext->type = datum->otype; 1699 return; 1700 } 1701 datum = datum->next; 1702 } 1703 } 1704 1705 static int security_compute_sid(struct selinux_state *state, 1706 u32 ssid, 1707 u32 tsid, 1708 u16 orig_tclass, 1709 u32 specified, 1710 const char *objname, 1711 u32 *out_sid, 1712 bool kern) 1713 { 1714 struct selinux_policy *policy; 1715 struct policydb *policydb; 1716 struct sidtab *sidtab; 1717 struct class_datum *cladatum = NULL; 1718 struct context *scontext, *tcontext, newcontext; 1719 struct sidtab_entry *sentry, *tentry; 1720 struct avtab_key avkey; 1721 struct avtab_datum *avdatum; 1722 struct avtab_node *node; 1723 u16 tclass; 1724 int rc = 0; 1725 bool sock; 1726 1727 if (!selinux_initialized(state)) { 1728 switch (orig_tclass) { 1729 case SECCLASS_PROCESS: /* kernel value */ 1730 *out_sid = ssid; 1731 break; 1732 default: 1733 *out_sid = tsid; 1734 break; 1735 } 1736 goto out; 1737 } 1738 1739 context_init(&newcontext); 1740 1741 rcu_read_lock(); 1742 1743 policy = rcu_dereference(state->policy); 1744 1745 if (kern) { 1746 tclass = unmap_class(&policy->map, orig_tclass); 1747 sock = security_is_socket_class(orig_tclass); 1748 } else { 1749 tclass = orig_tclass; 1750 sock = security_is_socket_class(map_class(&policy->map, 1751 tclass)); 1752 } 1753 1754 policydb = &policy->policydb; 1755 sidtab = policy->sidtab; 1756 1757 sentry = sidtab_search_entry(sidtab, ssid); 1758 if (!sentry) { 1759 pr_err("SELinux: %s: unrecognized SID %d\n", 1760 __func__, ssid); 1761 rc = -EINVAL; 1762 goto out_unlock; 1763 } 1764 tentry = sidtab_search_entry(sidtab, tsid); 1765 if (!tentry) { 1766 pr_err("SELinux: %s: unrecognized SID %d\n", 1767 __func__, tsid); 1768 rc = -EINVAL; 1769 goto out_unlock; 1770 } 1771 1772 scontext = &sentry->context; 1773 tcontext = &tentry->context; 1774 1775 if (tclass && tclass <= policydb->p_classes.nprim) 1776 cladatum = policydb->class_val_to_struct[tclass - 1]; 1777 1778 /* Set the user identity. */ 1779 switch (specified) { 1780 case AVTAB_TRANSITION: 1781 case AVTAB_CHANGE: 1782 if (cladatum && cladatum->default_user == DEFAULT_TARGET) { 1783 newcontext.user = tcontext->user; 1784 } else { 1785 /* notice this gets both DEFAULT_SOURCE and unset */ 1786 /* Use the process user identity. */ 1787 newcontext.user = scontext->user; 1788 } 1789 break; 1790 case AVTAB_MEMBER: 1791 /* Use the related object owner. */ 1792 newcontext.user = tcontext->user; 1793 break; 1794 } 1795 1796 /* Set the role to default values. */ 1797 if (cladatum && cladatum->default_role == DEFAULT_SOURCE) { 1798 newcontext.role = scontext->role; 1799 } else if (cladatum && cladatum->default_role == DEFAULT_TARGET) { 1800 newcontext.role = tcontext->role; 1801 } else { 1802 if ((tclass == policydb->process_class) || sock) 1803 newcontext.role = scontext->role; 1804 else 1805 newcontext.role = OBJECT_R_VAL; 1806 } 1807 1808 /* Set the type to default values. */ 1809 if (cladatum && cladatum->default_type == DEFAULT_SOURCE) { 1810 newcontext.type = scontext->type; 1811 } else if (cladatum && cladatum->default_type == DEFAULT_TARGET) { 1812 newcontext.type = tcontext->type; 1813 } else { 1814 if ((tclass == policydb->process_class) || sock) { 1815 /* Use the type of process. */ 1816 newcontext.type = scontext->type; 1817 } else { 1818 /* Use the type of the related object. */ 1819 newcontext.type = tcontext->type; 1820 } 1821 } 1822 1823 /* Look for a type transition/member/change rule. */ 1824 avkey.source_type = scontext->type; 1825 avkey.target_type = tcontext->type; 1826 avkey.target_class = tclass; 1827 avkey.specified = specified; 1828 avdatum = avtab_search(&policydb->te_avtab, &avkey); 1829 1830 /* If no permanent rule, also check for enabled conditional rules */ 1831 if (!avdatum) { 1832 node = avtab_search_node(&policydb->te_cond_avtab, &avkey); 1833 for (; node; node = avtab_search_node_next(node, specified)) { 1834 if (node->key.specified & AVTAB_ENABLED) { 1835 avdatum = &node->datum; 1836 break; 1837 } 1838 } 1839 } 1840 1841 if (avdatum) { 1842 /* Use the type from the type transition/member/change rule. */ 1843 newcontext.type = avdatum->u.data; 1844 } 1845 1846 /* if we have a objname this is a file trans check so check those rules */ 1847 if (objname) 1848 filename_compute_type(policydb, &newcontext, scontext->type, 1849 tcontext->type, tclass, objname); 1850 1851 /* Check for class-specific changes. */ 1852 if (specified & AVTAB_TRANSITION) { 1853 /* Look for a role transition rule. */ 1854 struct role_trans_datum *rtd; 1855 struct role_trans_key rtk = { 1856 .role = scontext->role, 1857 .type = tcontext->type, 1858 .tclass = tclass, 1859 }; 1860 1861 rtd = policydb_roletr_search(policydb, &rtk); 1862 if (rtd) 1863 newcontext.role = rtd->new_role; 1864 } 1865 1866 /* Set the MLS attributes. 1867 This is done last because it may allocate memory. */ 1868 rc = mls_compute_sid(policydb, scontext, tcontext, tclass, specified, 1869 &newcontext, sock); 1870 if (rc) 1871 goto out_unlock; 1872 1873 /* Check the validity of the context. */ 1874 if (!policydb_context_isvalid(policydb, &newcontext)) { 1875 rc = compute_sid_handle_invalid_context(state, policy, sentry, 1876 tentry, tclass, 1877 &newcontext); 1878 if (rc) 1879 goto out_unlock; 1880 } 1881 /* Obtain the sid for the context. */ 1882 rc = sidtab_context_to_sid(sidtab, &newcontext, out_sid); 1883 out_unlock: 1884 rcu_read_unlock(); 1885 context_destroy(&newcontext); 1886 out: 1887 return rc; 1888 } 1889 1890 /** 1891 * security_transition_sid - Compute the SID for a new subject/object. 1892 * @ssid: source security identifier 1893 * @tsid: target security identifier 1894 * @tclass: target security class 1895 * @out_sid: security identifier for new subject/object 1896 * 1897 * Compute a SID to use for labeling a new subject or object in the 1898 * class @tclass based on a SID pair (@ssid, @tsid). 1899 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM 1900 * if insufficient memory is available, or %0 if the new SID was 1901 * computed successfully. 1902 */ 1903 int security_transition_sid(struct selinux_state *state, 1904 u32 ssid, u32 tsid, u16 tclass, 1905 const struct qstr *qstr, u32 *out_sid) 1906 { 1907 return security_compute_sid(state, ssid, tsid, tclass, 1908 AVTAB_TRANSITION, 1909 qstr ? qstr->name : NULL, out_sid, true); 1910 } 1911 1912 int security_transition_sid_user(struct selinux_state *state, 1913 u32 ssid, u32 tsid, u16 tclass, 1914 const char *objname, u32 *out_sid) 1915 { 1916 return security_compute_sid(state, ssid, tsid, tclass, 1917 AVTAB_TRANSITION, 1918 objname, out_sid, false); 1919 } 1920 1921 /** 1922 * security_member_sid - Compute the SID for member selection. 1923 * @ssid: source security identifier 1924 * @tsid: target security identifier 1925 * @tclass: target security class 1926 * @out_sid: security identifier for selected member 1927 * 1928 * Compute a SID to use when selecting a member of a polyinstantiated 1929 * object of class @tclass based on a SID pair (@ssid, @tsid). 1930 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM 1931 * if insufficient memory is available, or %0 if the SID was 1932 * computed successfully. 1933 */ 1934 int security_member_sid(struct selinux_state *state, 1935 u32 ssid, 1936 u32 tsid, 1937 u16 tclass, 1938 u32 *out_sid) 1939 { 1940 return security_compute_sid(state, ssid, tsid, tclass, 1941 AVTAB_MEMBER, NULL, 1942 out_sid, false); 1943 } 1944 1945 /** 1946 * security_change_sid - Compute the SID for object relabeling. 1947 * @ssid: source security identifier 1948 * @tsid: target security identifier 1949 * @tclass: target security class 1950 * @out_sid: security identifier for selected member 1951 * 1952 * Compute a SID to use for relabeling an object of class @tclass 1953 * based on a SID pair (@ssid, @tsid). 1954 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM 1955 * if insufficient memory is available, or %0 if the SID was 1956 * computed successfully. 1957 */ 1958 int security_change_sid(struct selinux_state *state, 1959 u32 ssid, 1960 u32 tsid, 1961 u16 tclass, 1962 u32 *out_sid) 1963 { 1964 return security_compute_sid(state, 1965 ssid, tsid, tclass, AVTAB_CHANGE, NULL, 1966 out_sid, false); 1967 } 1968 1969 static inline int convert_context_handle_invalid_context( 1970 struct selinux_state *state, 1971 struct policydb *policydb, 1972 struct context *context) 1973 { 1974 char *s; 1975 u32 len; 1976 1977 if (enforcing_enabled(state)) 1978 return -EINVAL; 1979 1980 if (!context_struct_to_string(policydb, context, &s, &len)) { 1981 pr_warn("SELinux: Context %s would be invalid if enforcing\n", 1982 s); 1983 kfree(s); 1984 } 1985 return 0; 1986 } 1987 1988 /* 1989 * Convert the values in the security context 1990 * structure `oldc' from the values specified 1991 * in the policy `p->oldp' to the values specified 1992 * in the policy `p->newp', storing the new context 1993 * in `newc'. Verify that the context is valid 1994 * under the new policy. 1995 */ 1996 static int convert_context(struct context *oldc, struct context *newc, void *p) 1997 { 1998 struct convert_context_args *args; 1999 struct ocontext *oc; 2000 struct role_datum *role; 2001 struct type_datum *typdatum; 2002 struct user_datum *usrdatum; 2003 char *s; 2004 u32 len; 2005 int rc; 2006 2007 args = p; 2008 2009 if (oldc->str) { 2010 s = kstrdup(oldc->str, GFP_KERNEL); 2011 if (!s) 2012 return -ENOMEM; 2013 2014 rc = string_to_context_struct(args->newp, NULL, s, 2015 newc, SECSID_NULL); 2016 if (rc == -EINVAL) { 2017 /* 2018 * Retain string representation for later mapping. 2019 * 2020 * IMPORTANT: We need to copy the contents of oldc->str 2021 * back into s again because string_to_context_struct() 2022 * may have garbled it. 2023 */ 2024 memcpy(s, oldc->str, oldc->len); 2025 context_init(newc); 2026 newc->str = s; 2027 newc->len = oldc->len; 2028 return 0; 2029 } 2030 kfree(s); 2031 if (rc) { 2032 /* Other error condition, e.g. ENOMEM. */ 2033 pr_err("SELinux: Unable to map context %s, rc = %d.\n", 2034 oldc->str, -rc); 2035 return rc; 2036 } 2037 pr_info("SELinux: Context %s became valid (mapped).\n", 2038 oldc->str); 2039 return 0; 2040 } 2041 2042 context_init(newc); 2043 2044 /* Convert the user. */ 2045 rc = -EINVAL; 2046 usrdatum = symtab_search(&args->newp->p_users, 2047 sym_name(args->oldp, 2048 SYM_USERS, oldc->user - 1)); 2049 if (!usrdatum) 2050 goto bad; 2051 newc->user = usrdatum->value; 2052 2053 /* Convert the role. */ 2054 rc = -EINVAL; 2055 role = symtab_search(&args->newp->p_roles, 2056 sym_name(args->oldp, SYM_ROLES, oldc->role - 1)); 2057 if (!role) 2058 goto bad; 2059 newc->role = role->value; 2060 2061 /* Convert the type. */ 2062 rc = -EINVAL; 2063 typdatum = symtab_search(&args->newp->p_types, 2064 sym_name(args->oldp, 2065 SYM_TYPES, oldc->type - 1)); 2066 if (!typdatum) 2067 goto bad; 2068 newc->type = typdatum->value; 2069 2070 /* Convert the MLS fields if dealing with MLS policies */ 2071 if (args->oldp->mls_enabled && args->newp->mls_enabled) { 2072 rc = mls_convert_context(args->oldp, args->newp, oldc, newc); 2073 if (rc) 2074 goto bad; 2075 } else if (!args->oldp->mls_enabled && args->newp->mls_enabled) { 2076 /* 2077 * Switching between non-MLS and MLS policy: 2078 * ensure that the MLS fields of the context for all 2079 * existing entries in the sidtab are filled in with a 2080 * suitable default value, likely taken from one of the 2081 * initial SIDs. 2082 */ 2083 oc = args->newp->ocontexts[OCON_ISID]; 2084 while (oc && oc->sid[0] != SECINITSID_UNLABELED) 2085 oc = oc->next; 2086 rc = -EINVAL; 2087 if (!oc) { 2088 pr_err("SELinux: unable to look up" 2089 " the initial SIDs list\n"); 2090 goto bad; 2091 } 2092 rc = mls_range_set(newc, &oc->context[0].range); 2093 if (rc) 2094 goto bad; 2095 } 2096 2097 /* Check the validity of the new context. */ 2098 if (!policydb_context_isvalid(args->newp, newc)) { 2099 rc = convert_context_handle_invalid_context(args->state, 2100 args->oldp, 2101 oldc); 2102 if (rc) 2103 goto bad; 2104 } 2105 2106 return 0; 2107 bad: 2108 /* Map old representation to string and save it. */ 2109 rc = context_struct_to_string(args->oldp, oldc, &s, &len); 2110 if (rc) 2111 return rc; 2112 context_destroy(newc); 2113 newc->str = s; 2114 newc->len = len; 2115 pr_info("SELinux: Context %s became invalid (unmapped).\n", 2116 newc->str); 2117 return 0; 2118 } 2119 2120 static void security_load_policycaps(struct selinux_state *state, 2121 struct selinux_policy *policy) 2122 { 2123 struct policydb *p; 2124 unsigned int i; 2125 struct ebitmap_node *node; 2126 2127 p = &policy->policydb; 2128 2129 for (i = 0; i < ARRAY_SIZE(state->policycap); i++) 2130 WRITE_ONCE(state->policycap[i], 2131 ebitmap_get_bit(&p->policycaps, i)); 2132 2133 for (i = 0; i < ARRAY_SIZE(selinux_policycap_names); i++) 2134 pr_info("SELinux: policy capability %s=%d\n", 2135 selinux_policycap_names[i], 2136 ebitmap_get_bit(&p->policycaps, i)); 2137 2138 ebitmap_for_each_positive_bit(&p->policycaps, node, i) { 2139 if (i >= ARRAY_SIZE(selinux_policycap_names)) 2140 pr_info("SELinux: unknown policy capability %u\n", 2141 i); 2142 } 2143 } 2144 2145 static int security_preserve_bools(struct selinux_policy *oldpolicy, 2146 struct selinux_policy *newpolicy); 2147 2148 static void selinux_policy_free(struct selinux_policy *policy) 2149 { 2150 if (!policy) 2151 return; 2152 2153 sidtab_destroy(policy->sidtab); 2154 kfree(policy->map.mapping); 2155 policydb_destroy(&policy->policydb); 2156 kfree(policy->sidtab); 2157 kfree(policy); 2158 } 2159 2160 static void selinux_policy_cond_free(struct selinux_policy *policy) 2161 { 2162 cond_policydb_destroy_dup(&policy->policydb); 2163 kfree(policy); 2164 } 2165 2166 void selinux_policy_cancel(struct selinux_state *state, 2167 struct selinux_load_state *load_state) 2168 { 2169 struct selinux_policy *oldpolicy; 2170 2171 oldpolicy = rcu_dereference_protected(state->policy, 2172 lockdep_is_held(&state->policy_mutex)); 2173 2174 sidtab_cancel_convert(oldpolicy->sidtab); 2175 selinux_policy_free(load_state->policy); 2176 kfree(load_state->convert_data); 2177 } 2178 2179 static void selinux_notify_policy_change(struct selinux_state *state, 2180 u32 seqno) 2181 { 2182 /* Flush external caches and notify userspace of policy load */ 2183 avc_ss_reset(state->avc, seqno); 2184 selnl_notify_policyload(seqno); 2185 selinux_status_update_policyload(state, seqno); 2186 selinux_netlbl_cache_invalidate(); 2187 selinux_xfrm_notify_policyload(); 2188 selinux_ima_measure_state(state); 2189 } 2190 2191 void selinux_policy_commit(struct selinux_state *state, 2192 struct selinux_load_state *load_state) 2193 { 2194 struct selinux_policy *oldpolicy, *newpolicy = load_state->policy; 2195 u32 seqno; 2196 2197 oldpolicy = rcu_dereference_protected(state->policy, 2198 lockdep_is_held(&state->policy_mutex)); 2199 2200 /* If switching between different policy types, log MLS status */ 2201 if (oldpolicy) { 2202 if (oldpolicy->policydb.mls_enabled && !newpolicy->policydb.mls_enabled) 2203 pr_info("SELinux: Disabling MLS support...\n"); 2204 else if (!oldpolicy->policydb.mls_enabled && newpolicy->policydb.mls_enabled) 2205 pr_info("SELinux: Enabling MLS support...\n"); 2206 } 2207 2208 /* Set latest granting seqno for new policy. */ 2209 if (oldpolicy) 2210 newpolicy->latest_granting = oldpolicy->latest_granting + 1; 2211 else 2212 newpolicy->latest_granting = 1; 2213 seqno = newpolicy->latest_granting; 2214 2215 /* Install the new policy. */ 2216 rcu_assign_pointer(state->policy, newpolicy); 2217 2218 /* Load the policycaps from the new policy */ 2219 security_load_policycaps(state, newpolicy); 2220 2221 if (!selinux_initialized(state)) { 2222 /* 2223 * After first policy load, the security server is 2224 * marked as initialized and ready to handle requests and 2225 * any objects created prior to policy load are then labeled. 2226 */ 2227 selinux_mark_initialized(state); 2228 selinux_complete_init(); 2229 } 2230 2231 /* Free the old policy */ 2232 synchronize_rcu(); 2233 selinux_policy_free(oldpolicy); 2234 kfree(load_state->convert_data); 2235 2236 /* Notify others of the policy change */ 2237 selinux_notify_policy_change(state, seqno); 2238 } 2239 2240 /** 2241 * security_load_policy - Load a security policy configuration. 2242 * @data: binary policy data 2243 * @len: length of data in bytes 2244 * 2245 * Load a new set of security policy configuration data, 2246 * validate it and convert the SID table as necessary. 2247 * This function will flush the access vector cache after 2248 * loading the new policy. 2249 */ 2250 int security_load_policy(struct selinux_state *state, void *data, size_t len, 2251 struct selinux_load_state *load_state) 2252 { 2253 struct selinux_policy *newpolicy, *oldpolicy; 2254 struct selinux_policy_convert_data *convert_data; 2255 int rc = 0; 2256 struct policy_file file = { data, len }, *fp = &file; 2257 2258 newpolicy = kzalloc(sizeof(*newpolicy), GFP_KERNEL); 2259 if (!newpolicy) 2260 return -ENOMEM; 2261 2262 newpolicy->sidtab = kzalloc(sizeof(*newpolicy->sidtab), GFP_KERNEL); 2263 if (!newpolicy->sidtab) { 2264 rc = -ENOMEM; 2265 goto err_policy; 2266 } 2267 2268 rc = policydb_read(&newpolicy->policydb, fp); 2269 if (rc) 2270 goto err_sidtab; 2271 2272 newpolicy->policydb.len = len; 2273 rc = selinux_set_mapping(&newpolicy->policydb, secclass_map, 2274 &newpolicy->map); 2275 if (rc) 2276 goto err_policydb; 2277 2278 rc = policydb_load_isids(&newpolicy->policydb, newpolicy->sidtab); 2279 if (rc) { 2280 pr_err("SELinux: unable to load the initial SIDs\n"); 2281 goto err_mapping; 2282 } 2283 2284 if (!selinux_initialized(state)) { 2285 /* First policy load, so no need to preserve state from old policy */ 2286 load_state->policy = newpolicy; 2287 load_state->convert_data = NULL; 2288 return 0; 2289 } 2290 2291 oldpolicy = rcu_dereference_protected(state->policy, 2292 lockdep_is_held(&state->policy_mutex)); 2293 2294 /* Preserve active boolean values from the old policy */ 2295 rc = security_preserve_bools(oldpolicy, newpolicy); 2296 if (rc) { 2297 pr_err("SELinux: unable to preserve booleans\n"); 2298 goto err_free_isids; 2299 } 2300 2301 convert_data = kmalloc(sizeof(*convert_data), GFP_KERNEL); 2302 if (!convert_data) { 2303 rc = -ENOMEM; 2304 goto err_free_isids; 2305 } 2306 2307 /* 2308 * Convert the internal representations of contexts 2309 * in the new SID table. 2310 */ 2311 convert_data->args.state = state; 2312 convert_data->args.oldp = &oldpolicy->policydb; 2313 convert_data->args.newp = &newpolicy->policydb; 2314 2315 convert_data->sidtab_params.func = convert_context; 2316 convert_data->sidtab_params.args = &convert_data->args; 2317 convert_data->sidtab_params.target = newpolicy->sidtab; 2318 2319 rc = sidtab_convert(oldpolicy->sidtab, &convert_data->sidtab_params); 2320 if (rc) { 2321 pr_err("SELinux: unable to convert the internal" 2322 " representation of contexts in the new SID" 2323 " table\n"); 2324 goto err_free_convert_data; 2325 } 2326 2327 load_state->policy = newpolicy; 2328 load_state->convert_data = convert_data; 2329 return 0; 2330 2331 err_free_convert_data: 2332 kfree(convert_data); 2333 err_free_isids: 2334 sidtab_destroy(newpolicy->sidtab); 2335 err_mapping: 2336 kfree(newpolicy->map.mapping); 2337 err_policydb: 2338 policydb_destroy(&newpolicy->policydb); 2339 err_sidtab: 2340 kfree(newpolicy->sidtab); 2341 err_policy: 2342 kfree(newpolicy); 2343 2344 return rc; 2345 } 2346 2347 /** 2348 * security_port_sid - Obtain the SID for a port. 2349 * @protocol: protocol number 2350 * @port: port number 2351 * @out_sid: security identifier 2352 */ 2353 int security_port_sid(struct selinux_state *state, 2354 u8 protocol, u16 port, u32 *out_sid) 2355 { 2356 struct selinux_policy *policy; 2357 struct policydb *policydb; 2358 struct sidtab *sidtab; 2359 struct ocontext *c; 2360 int rc = 0; 2361 2362 if (!selinux_initialized(state)) { 2363 *out_sid = SECINITSID_PORT; 2364 return 0; 2365 } 2366 2367 rcu_read_lock(); 2368 policy = rcu_dereference(state->policy); 2369 policydb = &policy->policydb; 2370 sidtab = policy->sidtab; 2371 2372 c = policydb->ocontexts[OCON_PORT]; 2373 while (c) { 2374 if (c->u.port.protocol == protocol && 2375 c->u.port.low_port <= port && 2376 c->u.port.high_port >= port) 2377 break; 2378 c = c->next; 2379 } 2380 2381 if (c) { 2382 if (!c->sid[0]) { 2383 rc = sidtab_context_to_sid(sidtab, &c->context[0], 2384 &c->sid[0]); 2385 if (rc) 2386 goto out; 2387 } 2388 *out_sid = c->sid[0]; 2389 } else { 2390 *out_sid = SECINITSID_PORT; 2391 } 2392 2393 out: 2394 rcu_read_unlock(); 2395 return rc; 2396 } 2397 2398 /** 2399 * security_pkey_sid - Obtain the SID for a pkey. 2400 * @subnet_prefix: Subnet Prefix 2401 * @pkey_num: pkey number 2402 * @out_sid: security identifier 2403 */ 2404 int security_ib_pkey_sid(struct selinux_state *state, 2405 u64 subnet_prefix, u16 pkey_num, u32 *out_sid) 2406 { 2407 struct selinux_policy *policy; 2408 struct policydb *policydb; 2409 struct sidtab *sidtab; 2410 struct ocontext *c; 2411 int rc = 0; 2412 2413 if (!selinux_initialized(state)) { 2414 *out_sid = SECINITSID_UNLABELED; 2415 return 0; 2416 } 2417 2418 rcu_read_lock(); 2419 policy = rcu_dereference(state->policy); 2420 policydb = &policy->policydb; 2421 sidtab = policy->sidtab; 2422 2423 c = policydb->ocontexts[OCON_IBPKEY]; 2424 while (c) { 2425 if (c->u.ibpkey.low_pkey <= pkey_num && 2426 c->u.ibpkey.high_pkey >= pkey_num && 2427 c->u.ibpkey.subnet_prefix == subnet_prefix) 2428 break; 2429 2430 c = c->next; 2431 } 2432 2433 if (c) { 2434 if (!c->sid[0]) { 2435 rc = sidtab_context_to_sid(sidtab, 2436 &c->context[0], 2437 &c->sid[0]); 2438 if (rc) 2439 goto out; 2440 } 2441 *out_sid = c->sid[0]; 2442 } else 2443 *out_sid = SECINITSID_UNLABELED; 2444 2445 out: 2446 rcu_read_unlock(); 2447 return rc; 2448 } 2449 2450 /** 2451 * security_ib_endport_sid - Obtain the SID for a subnet management interface. 2452 * @dev_name: device name 2453 * @port: port number 2454 * @out_sid: security identifier 2455 */ 2456 int security_ib_endport_sid(struct selinux_state *state, 2457 const char *dev_name, u8 port_num, u32 *out_sid) 2458 { 2459 struct selinux_policy *policy; 2460 struct policydb *policydb; 2461 struct sidtab *sidtab; 2462 struct ocontext *c; 2463 int rc = 0; 2464 2465 if (!selinux_initialized(state)) { 2466 *out_sid = SECINITSID_UNLABELED; 2467 return 0; 2468 } 2469 2470 rcu_read_lock(); 2471 policy = rcu_dereference(state->policy); 2472 policydb = &policy->policydb; 2473 sidtab = policy->sidtab; 2474 2475 c = policydb->ocontexts[OCON_IBENDPORT]; 2476 while (c) { 2477 if (c->u.ibendport.port == port_num && 2478 !strncmp(c->u.ibendport.dev_name, 2479 dev_name, 2480 IB_DEVICE_NAME_MAX)) 2481 break; 2482 2483 c = c->next; 2484 } 2485 2486 if (c) { 2487 if (!c->sid[0]) { 2488 rc = sidtab_context_to_sid(sidtab, &c->context[0], 2489 &c->sid[0]); 2490 if (rc) 2491 goto out; 2492 } 2493 *out_sid = c->sid[0]; 2494 } else 2495 *out_sid = SECINITSID_UNLABELED; 2496 2497 out: 2498 rcu_read_unlock(); 2499 return rc; 2500 } 2501 2502 /** 2503 * security_netif_sid - Obtain the SID for a network interface. 2504 * @name: interface name 2505 * @if_sid: interface SID 2506 */ 2507 int security_netif_sid(struct selinux_state *state, 2508 char *name, u32 *if_sid) 2509 { 2510 struct selinux_policy *policy; 2511 struct policydb *policydb; 2512 struct sidtab *sidtab; 2513 int rc = 0; 2514 struct ocontext *c; 2515 2516 if (!selinux_initialized(state)) { 2517 *if_sid = SECINITSID_NETIF; 2518 return 0; 2519 } 2520 2521 rcu_read_lock(); 2522 policy = rcu_dereference(state->policy); 2523 policydb = &policy->policydb; 2524 sidtab = policy->sidtab; 2525 2526 c = policydb->ocontexts[OCON_NETIF]; 2527 while (c) { 2528 if (strcmp(name, c->u.name) == 0) 2529 break; 2530 c = c->next; 2531 } 2532 2533 if (c) { 2534 if (!c->sid[0] || !c->sid[1]) { 2535 rc = sidtab_context_to_sid(sidtab, &c->context[0], 2536 &c->sid[0]); 2537 if (rc) 2538 goto out; 2539 rc = sidtab_context_to_sid(sidtab, &c->context[1], 2540 &c->sid[1]); 2541 if (rc) 2542 goto out; 2543 } 2544 *if_sid = c->sid[0]; 2545 } else 2546 *if_sid = SECINITSID_NETIF; 2547 2548 out: 2549 rcu_read_unlock(); 2550 return rc; 2551 } 2552 2553 static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask) 2554 { 2555 int i, fail = 0; 2556 2557 for (i = 0; i < 4; i++) 2558 if (addr[i] != (input[i] & mask[i])) { 2559 fail = 1; 2560 break; 2561 } 2562 2563 return !fail; 2564 } 2565 2566 /** 2567 * security_node_sid - Obtain the SID for a node (host). 2568 * @domain: communication domain aka address family 2569 * @addrp: address 2570 * @addrlen: address length in bytes 2571 * @out_sid: security identifier 2572 */ 2573 int security_node_sid(struct selinux_state *state, 2574 u16 domain, 2575 void *addrp, 2576 u32 addrlen, 2577 u32 *out_sid) 2578 { 2579 struct selinux_policy *policy; 2580 struct policydb *policydb; 2581 struct sidtab *sidtab; 2582 int rc; 2583 struct ocontext *c; 2584 2585 if (!selinux_initialized(state)) { 2586 *out_sid = SECINITSID_NODE; 2587 return 0; 2588 } 2589 2590 rcu_read_lock(); 2591 policy = rcu_dereference(state->policy); 2592 policydb = &policy->policydb; 2593 sidtab = policy->sidtab; 2594 2595 switch (domain) { 2596 case AF_INET: { 2597 u32 addr; 2598 2599 rc = -EINVAL; 2600 if (addrlen != sizeof(u32)) 2601 goto out; 2602 2603 addr = *((u32 *)addrp); 2604 2605 c = policydb->ocontexts[OCON_NODE]; 2606 while (c) { 2607 if (c->u.node.addr == (addr & c->u.node.mask)) 2608 break; 2609 c = c->next; 2610 } 2611 break; 2612 } 2613 2614 case AF_INET6: 2615 rc = -EINVAL; 2616 if (addrlen != sizeof(u64) * 2) 2617 goto out; 2618 c = policydb->ocontexts[OCON_NODE6]; 2619 while (c) { 2620 if (match_ipv6_addrmask(addrp, c->u.node6.addr, 2621 c->u.node6.mask)) 2622 break; 2623 c = c->next; 2624 } 2625 break; 2626 2627 default: 2628 rc = 0; 2629 *out_sid = SECINITSID_NODE; 2630 goto out; 2631 } 2632 2633 if (c) { 2634 if (!c->sid[0]) { 2635 rc = sidtab_context_to_sid(sidtab, 2636 &c->context[0], 2637 &c->sid[0]); 2638 if (rc) 2639 goto out; 2640 } 2641 *out_sid = c->sid[0]; 2642 } else { 2643 *out_sid = SECINITSID_NODE; 2644 } 2645 2646 rc = 0; 2647 out: 2648 rcu_read_unlock(); 2649 return rc; 2650 } 2651 2652 #define SIDS_NEL 25 2653 2654 /** 2655 * security_get_user_sids - Obtain reachable SIDs for a user. 2656 * @fromsid: starting SID 2657 * @username: username 2658 * @sids: array of reachable SIDs for user 2659 * @nel: number of elements in @sids 2660 * 2661 * Generate the set of SIDs for legal security contexts 2662 * for a given user that can be reached by @fromsid. 2663 * Set *@sids to point to a dynamically allocated 2664 * array containing the set of SIDs. Set *@nel to the 2665 * number of elements in the array. 2666 */ 2667 2668 int security_get_user_sids(struct selinux_state *state, 2669 u32 fromsid, 2670 char *username, 2671 u32 **sids, 2672 u32 *nel) 2673 { 2674 struct selinux_policy *policy; 2675 struct policydb *policydb; 2676 struct sidtab *sidtab; 2677 struct context *fromcon, usercon; 2678 u32 *mysids = NULL, *mysids2, sid; 2679 u32 mynel = 0, maxnel = SIDS_NEL; 2680 struct user_datum *user; 2681 struct role_datum *role; 2682 struct ebitmap_node *rnode, *tnode; 2683 int rc = 0, i, j; 2684 2685 *sids = NULL; 2686 *nel = 0; 2687 2688 if (!selinux_initialized(state)) 2689 goto out; 2690 2691 rcu_read_lock(); 2692 policy = rcu_dereference(state->policy); 2693 policydb = &policy->policydb; 2694 sidtab = policy->sidtab; 2695 2696 context_init(&usercon); 2697 2698 rc = -EINVAL; 2699 fromcon = sidtab_search(sidtab, fromsid); 2700 if (!fromcon) 2701 goto out_unlock; 2702 2703 rc = -EINVAL; 2704 user = symtab_search(&policydb->p_users, username); 2705 if (!user) 2706 goto out_unlock; 2707 2708 usercon.user = user->value; 2709 2710 rc = -ENOMEM; 2711 mysids = kcalloc(maxnel, sizeof(*mysids), GFP_ATOMIC); 2712 if (!mysids) 2713 goto out_unlock; 2714 2715 ebitmap_for_each_positive_bit(&user->roles, rnode, i) { 2716 role = policydb->role_val_to_struct[i]; 2717 usercon.role = i + 1; 2718 ebitmap_for_each_positive_bit(&role->types, tnode, j) { 2719 usercon.type = j + 1; 2720 2721 if (mls_setup_user_range(policydb, fromcon, user, 2722 &usercon)) 2723 continue; 2724 2725 rc = sidtab_context_to_sid(sidtab, &usercon, &sid); 2726 if (rc) 2727 goto out_unlock; 2728 if (mynel < maxnel) { 2729 mysids[mynel++] = sid; 2730 } else { 2731 rc = -ENOMEM; 2732 maxnel += SIDS_NEL; 2733 mysids2 = kcalloc(maxnel, sizeof(*mysids2), GFP_ATOMIC); 2734 if (!mysids2) 2735 goto out_unlock; 2736 memcpy(mysids2, mysids, mynel * sizeof(*mysids2)); 2737 kfree(mysids); 2738 mysids = mysids2; 2739 mysids[mynel++] = sid; 2740 } 2741 } 2742 } 2743 rc = 0; 2744 out_unlock: 2745 rcu_read_unlock(); 2746 if (rc || !mynel) { 2747 kfree(mysids); 2748 goto out; 2749 } 2750 2751 rc = -ENOMEM; 2752 mysids2 = kcalloc(mynel, sizeof(*mysids2), GFP_KERNEL); 2753 if (!mysids2) { 2754 kfree(mysids); 2755 goto out; 2756 } 2757 for (i = 0, j = 0; i < mynel; i++) { 2758 struct av_decision dummy_avd; 2759 rc = avc_has_perm_noaudit(state, 2760 fromsid, mysids[i], 2761 SECCLASS_PROCESS, /* kernel value */ 2762 PROCESS__TRANSITION, AVC_STRICT, 2763 &dummy_avd); 2764 if (!rc) 2765 mysids2[j++] = mysids[i]; 2766 cond_resched(); 2767 } 2768 rc = 0; 2769 kfree(mysids); 2770 *sids = mysids2; 2771 *nel = j; 2772 out: 2773 return rc; 2774 } 2775 2776 /** 2777 * __security_genfs_sid - Helper to obtain a SID for a file in a filesystem 2778 * @fstype: filesystem type 2779 * @path: path from root of mount 2780 * @sclass: file security class 2781 * @sid: SID for path 2782 * 2783 * Obtain a SID to use for a file in a filesystem that 2784 * cannot support xattr or use a fixed labeling behavior like 2785 * transition SIDs or task SIDs. 2786 */ 2787 static inline int __security_genfs_sid(struct selinux_policy *policy, 2788 const char *fstype, 2789 char *path, 2790 u16 orig_sclass, 2791 u32 *sid) 2792 { 2793 struct policydb *policydb = &policy->policydb; 2794 struct sidtab *sidtab = policy->sidtab; 2795 int len; 2796 u16 sclass; 2797 struct genfs *genfs; 2798 struct ocontext *c; 2799 int rc, cmp = 0; 2800 2801 while (path[0] == '/' && path[1] == '/') 2802 path++; 2803 2804 sclass = unmap_class(&policy->map, orig_sclass); 2805 *sid = SECINITSID_UNLABELED; 2806 2807 for (genfs = policydb->genfs; genfs; genfs = genfs->next) { 2808 cmp = strcmp(fstype, genfs->fstype); 2809 if (cmp <= 0) 2810 break; 2811 } 2812 2813 rc = -ENOENT; 2814 if (!genfs || cmp) 2815 goto out; 2816 2817 for (c = genfs->head; c; c = c->next) { 2818 len = strlen(c->u.name); 2819 if ((!c->v.sclass || sclass == c->v.sclass) && 2820 (strncmp(c->u.name, path, len) == 0)) 2821 break; 2822 } 2823 2824 rc = -ENOENT; 2825 if (!c) 2826 goto out; 2827 2828 if (!c->sid[0]) { 2829 rc = sidtab_context_to_sid(sidtab, &c->context[0], &c->sid[0]); 2830 if (rc) 2831 goto out; 2832 } 2833 2834 *sid = c->sid[0]; 2835 rc = 0; 2836 out: 2837 return rc; 2838 } 2839 2840 /** 2841 * security_genfs_sid - Obtain a SID for a file in a filesystem 2842 * @fstype: filesystem type 2843 * @path: path from root of mount 2844 * @sclass: file security class 2845 * @sid: SID for path 2846 * 2847 * Acquire policy_rwlock before calling __security_genfs_sid() and release 2848 * it afterward. 2849 */ 2850 int security_genfs_sid(struct selinux_state *state, 2851 const char *fstype, 2852 char *path, 2853 u16 orig_sclass, 2854 u32 *sid) 2855 { 2856 struct selinux_policy *policy; 2857 int retval; 2858 2859 if (!selinux_initialized(state)) { 2860 *sid = SECINITSID_UNLABELED; 2861 return 0; 2862 } 2863 2864 rcu_read_lock(); 2865 policy = rcu_dereference(state->policy); 2866 retval = __security_genfs_sid(policy, 2867 fstype, path, orig_sclass, sid); 2868 rcu_read_unlock(); 2869 return retval; 2870 } 2871 2872 int selinux_policy_genfs_sid(struct selinux_policy *policy, 2873 const char *fstype, 2874 char *path, 2875 u16 orig_sclass, 2876 u32 *sid) 2877 { 2878 /* no lock required, policy is not yet accessible by other threads */ 2879 return __security_genfs_sid(policy, fstype, path, orig_sclass, sid); 2880 } 2881 2882 /** 2883 * security_fs_use - Determine how to handle labeling for a filesystem. 2884 * @sb: superblock in question 2885 */ 2886 int security_fs_use(struct selinux_state *state, struct super_block *sb) 2887 { 2888 struct selinux_policy *policy; 2889 struct policydb *policydb; 2890 struct sidtab *sidtab; 2891 int rc = 0; 2892 struct ocontext *c; 2893 struct superblock_security_struct *sbsec = sb->s_security; 2894 const char *fstype = sb->s_type->name; 2895 2896 if (!selinux_initialized(state)) { 2897 sbsec->behavior = SECURITY_FS_USE_NONE; 2898 sbsec->sid = SECINITSID_UNLABELED; 2899 return 0; 2900 } 2901 2902 rcu_read_lock(); 2903 policy = rcu_dereference(state->policy); 2904 policydb = &policy->policydb; 2905 sidtab = policy->sidtab; 2906 2907 c = policydb->ocontexts[OCON_FSUSE]; 2908 while (c) { 2909 if (strcmp(fstype, c->u.name) == 0) 2910 break; 2911 c = c->next; 2912 } 2913 2914 if (c) { 2915 sbsec->behavior = c->v.behavior; 2916 if (!c->sid[0]) { 2917 rc = sidtab_context_to_sid(sidtab, &c->context[0], 2918 &c->sid[0]); 2919 if (rc) 2920 goto out; 2921 } 2922 sbsec->sid = c->sid[0]; 2923 } else { 2924 rc = __security_genfs_sid(policy, fstype, "/", 2925 SECCLASS_DIR, &sbsec->sid); 2926 if (rc) { 2927 sbsec->behavior = SECURITY_FS_USE_NONE; 2928 rc = 0; 2929 } else { 2930 sbsec->behavior = SECURITY_FS_USE_GENFS; 2931 } 2932 } 2933 2934 out: 2935 rcu_read_unlock(); 2936 return rc; 2937 } 2938 2939 int security_get_bools(struct selinux_policy *policy, 2940 u32 *len, char ***names, int **values) 2941 { 2942 struct policydb *policydb; 2943 u32 i; 2944 int rc; 2945 2946 policydb = &policy->policydb; 2947 2948 *names = NULL; 2949 *values = NULL; 2950 2951 rc = 0; 2952 *len = policydb->p_bools.nprim; 2953 if (!*len) 2954 goto out; 2955 2956 rc = -ENOMEM; 2957 *names = kcalloc(*len, sizeof(char *), GFP_ATOMIC); 2958 if (!*names) 2959 goto err; 2960 2961 rc = -ENOMEM; 2962 *values = kcalloc(*len, sizeof(int), GFP_ATOMIC); 2963 if (!*values) 2964 goto err; 2965 2966 for (i = 0; i < *len; i++) { 2967 (*values)[i] = policydb->bool_val_to_struct[i]->state; 2968 2969 rc = -ENOMEM; 2970 (*names)[i] = kstrdup(sym_name(policydb, SYM_BOOLS, i), 2971 GFP_ATOMIC); 2972 if (!(*names)[i]) 2973 goto err; 2974 } 2975 rc = 0; 2976 out: 2977 return rc; 2978 err: 2979 if (*names) { 2980 for (i = 0; i < *len; i++) 2981 kfree((*names)[i]); 2982 kfree(*names); 2983 } 2984 kfree(*values); 2985 *len = 0; 2986 *names = NULL; 2987 *values = NULL; 2988 goto out; 2989 } 2990 2991 2992 int security_set_bools(struct selinux_state *state, u32 len, int *values) 2993 { 2994 struct selinux_policy *newpolicy, *oldpolicy; 2995 int rc; 2996 u32 i, seqno = 0; 2997 2998 if (!selinux_initialized(state)) 2999 return -EINVAL; 3000 3001 oldpolicy = rcu_dereference_protected(state->policy, 3002 lockdep_is_held(&state->policy_mutex)); 3003 3004 /* Consistency check on number of booleans, should never fail */ 3005 if (WARN_ON(len != oldpolicy->policydb.p_bools.nprim)) 3006 return -EINVAL; 3007 3008 newpolicy = kmemdup(oldpolicy, sizeof(*newpolicy), GFP_KERNEL); 3009 if (!newpolicy) 3010 return -ENOMEM; 3011 3012 /* 3013 * Deep copy only the parts of the policydb that might be 3014 * modified as a result of changing booleans. 3015 */ 3016 rc = cond_policydb_dup(&newpolicy->policydb, &oldpolicy->policydb); 3017 if (rc) { 3018 kfree(newpolicy); 3019 return -ENOMEM; 3020 } 3021 3022 /* Update the boolean states in the copy */ 3023 for (i = 0; i < len; i++) { 3024 int new_state = !!values[i]; 3025 int old_state = newpolicy->policydb.bool_val_to_struct[i]->state; 3026 3027 if (new_state != old_state) { 3028 audit_log(audit_context(), GFP_ATOMIC, 3029 AUDIT_MAC_CONFIG_CHANGE, 3030 "bool=%s val=%d old_val=%d auid=%u ses=%u", 3031 sym_name(&newpolicy->policydb, SYM_BOOLS, i), 3032 new_state, 3033 old_state, 3034 from_kuid(&init_user_ns, audit_get_loginuid(current)), 3035 audit_get_sessionid(current)); 3036 newpolicy->policydb.bool_val_to_struct[i]->state = new_state; 3037 } 3038 } 3039 3040 /* Re-evaluate the conditional rules in the copy */ 3041 evaluate_cond_nodes(&newpolicy->policydb); 3042 3043 /* Set latest granting seqno for new policy */ 3044 newpolicy->latest_granting = oldpolicy->latest_granting + 1; 3045 seqno = newpolicy->latest_granting; 3046 3047 /* Install the new policy */ 3048 rcu_assign_pointer(state->policy, newpolicy); 3049 3050 /* 3051 * Free the conditional portions of the old policydb 3052 * that were copied for the new policy, and the oldpolicy 3053 * structure itself but not what it references. 3054 */ 3055 synchronize_rcu(); 3056 selinux_policy_cond_free(oldpolicy); 3057 3058 /* Notify others of the policy change */ 3059 selinux_notify_policy_change(state, seqno); 3060 return 0; 3061 } 3062 3063 int security_get_bool_value(struct selinux_state *state, 3064 u32 index) 3065 { 3066 struct selinux_policy *policy; 3067 struct policydb *policydb; 3068 int rc; 3069 u32 len; 3070 3071 if (!selinux_initialized(state)) 3072 return 0; 3073 3074 rcu_read_lock(); 3075 policy = rcu_dereference(state->policy); 3076 policydb = &policy->policydb; 3077 3078 rc = -EFAULT; 3079 len = policydb->p_bools.nprim; 3080 if (index >= len) 3081 goto out; 3082 3083 rc = policydb->bool_val_to_struct[index]->state; 3084 out: 3085 rcu_read_unlock(); 3086 return rc; 3087 } 3088 3089 static int security_preserve_bools(struct selinux_policy *oldpolicy, 3090 struct selinux_policy *newpolicy) 3091 { 3092 int rc, *bvalues = NULL; 3093 char **bnames = NULL; 3094 struct cond_bool_datum *booldatum; 3095 u32 i, nbools = 0; 3096 3097 rc = security_get_bools(oldpolicy, &nbools, &bnames, &bvalues); 3098 if (rc) 3099 goto out; 3100 for (i = 0; i < nbools; i++) { 3101 booldatum = symtab_search(&newpolicy->policydb.p_bools, 3102 bnames[i]); 3103 if (booldatum) 3104 booldatum->state = bvalues[i]; 3105 } 3106 evaluate_cond_nodes(&newpolicy->policydb); 3107 3108 out: 3109 if (bnames) { 3110 for (i = 0; i < nbools; i++) 3111 kfree(bnames[i]); 3112 } 3113 kfree(bnames); 3114 kfree(bvalues); 3115 return rc; 3116 } 3117 3118 /* 3119 * security_sid_mls_copy() - computes a new sid based on the given 3120 * sid and the mls portion of mls_sid. 3121 */ 3122 int security_sid_mls_copy(struct selinux_state *state, 3123 u32 sid, u32 mls_sid, u32 *new_sid) 3124 { 3125 struct selinux_policy *policy; 3126 struct policydb *policydb; 3127 struct sidtab *sidtab; 3128 struct context *context1; 3129 struct context *context2; 3130 struct context newcon; 3131 char *s; 3132 u32 len; 3133 int rc; 3134 3135 rc = 0; 3136 if (!selinux_initialized(state)) { 3137 *new_sid = sid; 3138 goto out; 3139 } 3140 3141 context_init(&newcon); 3142 3143 rcu_read_lock(); 3144 policy = rcu_dereference(state->policy); 3145 policydb = &policy->policydb; 3146 sidtab = policy->sidtab; 3147 3148 if (!policydb->mls_enabled) { 3149 *new_sid = sid; 3150 goto out_unlock; 3151 } 3152 3153 rc = -EINVAL; 3154 context1 = sidtab_search(sidtab, sid); 3155 if (!context1) { 3156 pr_err("SELinux: %s: unrecognized SID %d\n", 3157 __func__, sid); 3158 goto out_unlock; 3159 } 3160 3161 rc = -EINVAL; 3162 context2 = sidtab_search(sidtab, mls_sid); 3163 if (!context2) { 3164 pr_err("SELinux: %s: unrecognized SID %d\n", 3165 __func__, mls_sid); 3166 goto out_unlock; 3167 } 3168 3169 newcon.user = context1->user; 3170 newcon.role = context1->role; 3171 newcon.type = context1->type; 3172 rc = mls_context_cpy(&newcon, context2); 3173 if (rc) 3174 goto out_unlock; 3175 3176 /* Check the validity of the new context. */ 3177 if (!policydb_context_isvalid(policydb, &newcon)) { 3178 rc = convert_context_handle_invalid_context(state, policydb, 3179 &newcon); 3180 if (rc) { 3181 if (!context_struct_to_string(policydb, &newcon, &s, 3182 &len)) { 3183 struct audit_buffer *ab; 3184 3185 ab = audit_log_start(audit_context(), 3186 GFP_ATOMIC, 3187 AUDIT_SELINUX_ERR); 3188 audit_log_format(ab, 3189 "op=security_sid_mls_copy invalid_context="); 3190 /* don't record NUL with untrusted strings */ 3191 audit_log_n_untrustedstring(ab, s, len - 1); 3192 audit_log_end(ab); 3193 kfree(s); 3194 } 3195 goto out_unlock; 3196 } 3197 } 3198 rc = sidtab_context_to_sid(sidtab, &newcon, new_sid); 3199 out_unlock: 3200 rcu_read_unlock(); 3201 context_destroy(&newcon); 3202 out: 3203 return rc; 3204 } 3205 3206 /** 3207 * security_net_peersid_resolve - Compare and resolve two network peer SIDs 3208 * @nlbl_sid: NetLabel SID 3209 * @nlbl_type: NetLabel labeling protocol type 3210 * @xfrm_sid: XFRM SID 3211 * 3212 * Description: 3213 * Compare the @nlbl_sid and @xfrm_sid values and if the two SIDs can be 3214 * resolved into a single SID it is returned via @peer_sid and the function 3215 * returns zero. Otherwise @peer_sid is set to SECSID_NULL and the function 3216 * returns a negative value. A table summarizing the behavior is below: 3217 * 3218 * | function return | @sid 3219 * ------------------------------+-----------------+----------------- 3220 * no peer labels | 0 | SECSID_NULL 3221 * single peer label | 0 | <peer_label> 3222 * multiple, consistent labels | 0 | <peer_label> 3223 * multiple, inconsistent labels | -<errno> | SECSID_NULL 3224 * 3225 */ 3226 int security_net_peersid_resolve(struct selinux_state *state, 3227 u32 nlbl_sid, u32 nlbl_type, 3228 u32 xfrm_sid, 3229 u32 *peer_sid) 3230 { 3231 struct selinux_policy *policy; 3232 struct policydb *policydb; 3233 struct sidtab *sidtab; 3234 int rc; 3235 struct context *nlbl_ctx; 3236 struct context *xfrm_ctx; 3237 3238 *peer_sid = SECSID_NULL; 3239 3240 /* handle the common (which also happens to be the set of easy) cases 3241 * right away, these two if statements catch everything involving a 3242 * single or absent peer SID/label */ 3243 if (xfrm_sid == SECSID_NULL) { 3244 *peer_sid = nlbl_sid; 3245 return 0; 3246 } 3247 /* NOTE: an nlbl_type == NETLBL_NLTYPE_UNLABELED is a "fallback" label 3248 * and is treated as if nlbl_sid == SECSID_NULL when a XFRM SID/label 3249 * is present */ 3250 if (nlbl_sid == SECSID_NULL || nlbl_type == NETLBL_NLTYPE_UNLABELED) { 3251 *peer_sid = xfrm_sid; 3252 return 0; 3253 } 3254 3255 if (!selinux_initialized(state)) 3256 return 0; 3257 3258 rcu_read_lock(); 3259 policy = rcu_dereference(state->policy); 3260 policydb = &policy->policydb; 3261 sidtab = policy->sidtab; 3262 3263 /* 3264 * We don't need to check initialized here since the only way both 3265 * nlbl_sid and xfrm_sid are not equal to SECSID_NULL would be if the 3266 * security server was initialized and state->initialized was true. 3267 */ 3268 if (!policydb->mls_enabled) { 3269 rc = 0; 3270 goto out; 3271 } 3272 3273 rc = -EINVAL; 3274 nlbl_ctx = sidtab_search(sidtab, nlbl_sid); 3275 if (!nlbl_ctx) { 3276 pr_err("SELinux: %s: unrecognized SID %d\n", 3277 __func__, nlbl_sid); 3278 goto out; 3279 } 3280 rc = -EINVAL; 3281 xfrm_ctx = sidtab_search(sidtab, xfrm_sid); 3282 if (!xfrm_ctx) { 3283 pr_err("SELinux: %s: unrecognized SID %d\n", 3284 __func__, xfrm_sid); 3285 goto out; 3286 } 3287 rc = (mls_context_cmp(nlbl_ctx, xfrm_ctx) ? 0 : -EACCES); 3288 if (rc) 3289 goto out; 3290 3291 /* at present NetLabel SIDs/labels really only carry MLS 3292 * information so if the MLS portion of the NetLabel SID 3293 * matches the MLS portion of the labeled XFRM SID/label 3294 * then pass along the XFRM SID as it is the most 3295 * expressive */ 3296 *peer_sid = xfrm_sid; 3297 out: 3298 rcu_read_unlock(); 3299 return rc; 3300 } 3301 3302 static int get_classes_callback(void *k, void *d, void *args) 3303 { 3304 struct class_datum *datum = d; 3305 char *name = k, **classes = args; 3306 int value = datum->value - 1; 3307 3308 classes[value] = kstrdup(name, GFP_ATOMIC); 3309 if (!classes[value]) 3310 return -ENOMEM; 3311 3312 return 0; 3313 } 3314 3315 int security_get_classes(struct selinux_policy *policy, 3316 char ***classes, int *nclasses) 3317 { 3318 struct policydb *policydb; 3319 int rc; 3320 3321 policydb = &policy->policydb; 3322 3323 rc = -ENOMEM; 3324 *nclasses = policydb->p_classes.nprim; 3325 *classes = kcalloc(*nclasses, sizeof(**classes), GFP_ATOMIC); 3326 if (!*classes) 3327 goto out; 3328 3329 rc = hashtab_map(&policydb->p_classes.table, get_classes_callback, 3330 *classes); 3331 if (rc) { 3332 int i; 3333 for (i = 0; i < *nclasses; i++) 3334 kfree((*classes)[i]); 3335 kfree(*classes); 3336 } 3337 3338 out: 3339 return rc; 3340 } 3341 3342 static int get_permissions_callback(void *k, void *d, void *args) 3343 { 3344 struct perm_datum *datum = d; 3345 char *name = k, **perms = args; 3346 int value = datum->value - 1; 3347 3348 perms[value] = kstrdup(name, GFP_ATOMIC); 3349 if (!perms[value]) 3350 return -ENOMEM; 3351 3352 return 0; 3353 } 3354 3355 int security_get_permissions(struct selinux_policy *policy, 3356 char *class, char ***perms, int *nperms) 3357 { 3358 struct policydb *policydb; 3359 int rc, i; 3360 struct class_datum *match; 3361 3362 policydb = &policy->policydb; 3363 3364 rc = -EINVAL; 3365 match = symtab_search(&policydb->p_classes, class); 3366 if (!match) { 3367 pr_err("SELinux: %s: unrecognized class %s\n", 3368 __func__, class); 3369 goto out; 3370 } 3371 3372 rc = -ENOMEM; 3373 *nperms = match->permissions.nprim; 3374 *perms = kcalloc(*nperms, sizeof(**perms), GFP_ATOMIC); 3375 if (!*perms) 3376 goto out; 3377 3378 if (match->comdatum) { 3379 rc = hashtab_map(&match->comdatum->permissions.table, 3380 get_permissions_callback, *perms); 3381 if (rc) 3382 goto err; 3383 } 3384 3385 rc = hashtab_map(&match->permissions.table, get_permissions_callback, 3386 *perms); 3387 if (rc) 3388 goto err; 3389 3390 out: 3391 return rc; 3392 3393 err: 3394 for (i = 0; i < *nperms; i++) 3395 kfree((*perms)[i]); 3396 kfree(*perms); 3397 return rc; 3398 } 3399 3400 int security_get_reject_unknown(struct selinux_state *state) 3401 { 3402 struct selinux_policy *policy; 3403 int value; 3404 3405 if (!selinux_initialized(state)) 3406 return 0; 3407 3408 rcu_read_lock(); 3409 policy = rcu_dereference(state->policy); 3410 value = policy->policydb.reject_unknown; 3411 rcu_read_unlock(); 3412 return value; 3413 } 3414 3415 int security_get_allow_unknown(struct selinux_state *state) 3416 { 3417 struct selinux_policy *policy; 3418 int value; 3419 3420 if (!selinux_initialized(state)) 3421 return 0; 3422 3423 rcu_read_lock(); 3424 policy = rcu_dereference(state->policy); 3425 value = policy->policydb.allow_unknown; 3426 rcu_read_unlock(); 3427 return value; 3428 } 3429 3430 /** 3431 * security_policycap_supported - Check for a specific policy capability 3432 * @req_cap: capability 3433 * 3434 * Description: 3435 * This function queries the currently loaded policy to see if it supports the 3436 * capability specified by @req_cap. Returns true (1) if the capability is 3437 * supported, false (0) if it isn't supported. 3438 * 3439 */ 3440 int security_policycap_supported(struct selinux_state *state, 3441 unsigned int req_cap) 3442 { 3443 struct selinux_policy *policy; 3444 int rc; 3445 3446 if (!selinux_initialized(state)) 3447 return 0; 3448 3449 rcu_read_lock(); 3450 policy = rcu_dereference(state->policy); 3451 rc = ebitmap_get_bit(&policy->policydb.policycaps, req_cap); 3452 rcu_read_unlock(); 3453 3454 return rc; 3455 } 3456 3457 struct selinux_audit_rule { 3458 u32 au_seqno; 3459 struct context au_ctxt; 3460 }; 3461 3462 void selinux_audit_rule_free(void *vrule) 3463 { 3464 struct selinux_audit_rule *rule = vrule; 3465 3466 if (rule) { 3467 context_destroy(&rule->au_ctxt); 3468 kfree(rule); 3469 } 3470 } 3471 3472 int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) 3473 { 3474 struct selinux_state *state = &selinux_state; 3475 struct selinux_policy *policy; 3476 struct policydb *policydb; 3477 struct selinux_audit_rule *tmprule; 3478 struct role_datum *roledatum; 3479 struct type_datum *typedatum; 3480 struct user_datum *userdatum; 3481 struct selinux_audit_rule **rule = (struct selinux_audit_rule **)vrule; 3482 int rc = 0; 3483 3484 *rule = NULL; 3485 3486 if (!selinux_initialized(state)) 3487 return -EOPNOTSUPP; 3488 3489 switch (field) { 3490 case AUDIT_SUBJ_USER: 3491 case AUDIT_SUBJ_ROLE: 3492 case AUDIT_SUBJ_TYPE: 3493 case AUDIT_OBJ_USER: 3494 case AUDIT_OBJ_ROLE: 3495 case AUDIT_OBJ_TYPE: 3496 /* only 'equals' and 'not equals' fit user, role, and type */ 3497 if (op != Audit_equal && op != Audit_not_equal) 3498 return -EINVAL; 3499 break; 3500 case AUDIT_SUBJ_SEN: 3501 case AUDIT_SUBJ_CLR: 3502 case AUDIT_OBJ_LEV_LOW: 3503 case AUDIT_OBJ_LEV_HIGH: 3504 /* we do not allow a range, indicated by the presence of '-' */ 3505 if (strchr(rulestr, '-')) 3506 return -EINVAL; 3507 break; 3508 default: 3509 /* only the above fields are valid */ 3510 return -EINVAL; 3511 } 3512 3513 tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL); 3514 if (!tmprule) 3515 return -ENOMEM; 3516 3517 context_init(&tmprule->au_ctxt); 3518 3519 rcu_read_lock(); 3520 policy = rcu_dereference(state->policy); 3521 policydb = &policy->policydb; 3522 3523 tmprule->au_seqno = policy->latest_granting; 3524 3525 switch (field) { 3526 case AUDIT_SUBJ_USER: 3527 case AUDIT_OBJ_USER: 3528 rc = -EINVAL; 3529 userdatum = symtab_search(&policydb->p_users, rulestr); 3530 if (!userdatum) 3531 goto out; 3532 tmprule->au_ctxt.user = userdatum->value; 3533 break; 3534 case AUDIT_SUBJ_ROLE: 3535 case AUDIT_OBJ_ROLE: 3536 rc = -EINVAL; 3537 roledatum = symtab_search(&policydb->p_roles, rulestr); 3538 if (!roledatum) 3539 goto out; 3540 tmprule->au_ctxt.role = roledatum->value; 3541 break; 3542 case AUDIT_SUBJ_TYPE: 3543 case AUDIT_OBJ_TYPE: 3544 rc = -EINVAL; 3545 typedatum = symtab_search(&policydb->p_types, rulestr); 3546 if (!typedatum) 3547 goto out; 3548 tmprule->au_ctxt.type = typedatum->value; 3549 break; 3550 case AUDIT_SUBJ_SEN: 3551 case AUDIT_SUBJ_CLR: 3552 case AUDIT_OBJ_LEV_LOW: 3553 case AUDIT_OBJ_LEV_HIGH: 3554 rc = mls_from_string(policydb, rulestr, &tmprule->au_ctxt, 3555 GFP_ATOMIC); 3556 if (rc) 3557 goto out; 3558 break; 3559 } 3560 rc = 0; 3561 out: 3562 rcu_read_unlock(); 3563 3564 if (rc) { 3565 selinux_audit_rule_free(tmprule); 3566 tmprule = NULL; 3567 } 3568 3569 *rule = tmprule; 3570 3571 return rc; 3572 } 3573 3574 /* Check to see if the rule contains any selinux fields */ 3575 int selinux_audit_rule_known(struct audit_krule *rule) 3576 { 3577 int i; 3578 3579 for (i = 0; i < rule->field_count; i++) { 3580 struct audit_field *f = &rule->fields[i]; 3581 switch (f->type) { 3582 case AUDIT_SUBJ_USER: 3583 case AUDIT_SUBJ_ROLE: 3584 case AUDIT_SUBJ_TYPE: 3585 case AUDIT_SUBJ_SEN: 3586 case AUDIT_SUBJ_CLR: 3587 case AUDIT_OBJ_USER: 3588 case AUDIT_OBJ_ROLE: 3589 case AUDIT_OBJ_TYPE: 3590 case AUDIT_OBJ_LEV_LOW: 3591 case AUDIT_OBJ_LEV_HIGH: 3592 return 1; 3593 } 3594 } 3595 3596 return 0; 3597 } 3598 3599 int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule) 3600 { 3601 struct selinux_state *state = &selinux_state; 3602 struct selinux_policy *policy; 3603 struct context *ctxt; 3604 struct mls_level *level; 3605 struct selinux_audit_rule *rule = vrule; 3606 int match = 0; 3607 3608 if (unlikely(!rule)) { 3609 WARN_ONCE(1, "selinux_audit_rule_match: missing rule\n"); 3610 return -ENOENT; 3611 } 3612 3613 if (!selinux_initialized(state)) 3614 return 0; 3615 3616 rcu_read_lock(); 3617 3618 policy = rcu_dereference(state->policy); 3619 3620 if (rule->au_seqno < policy->latest_granting) { 3621 match = -ESTALE; 3622 goto out; 3623 } 3624 3625 ctxt = sidtab_search(policy->sidtab, sid); 3626 if (unlikely(!ctxt)) { 3627 WARN_ONCE(1, "selinux_audit_rule_match: unrecognized SID %d\n", 3628 sid); 3629 match = -ENOENT; 3630 goto out; 3631 } 3632 3633 /* a field/op pair that is not caught here will simply fall through 3634 without a match */ 3635 switch (field) { 3636 case AUDIT_SUBJ_USER: 3637 case AUDIT_OBJ_USER: 3638 switch (op) { 3639 case Audit_equal: 3640 match = (ctxt->user == rule->au_ctxt.user); 3641 break; 3642 case Audit_not_equal: 3643 match = (ctxt->user != rule->au_ctxt.user); 3644 break; 3645 } 3646 break; 3647 case AUDIT_SUBJ_ROLE: 3648 case AUDIT_OBJ_ROLE: 3649 switch (op) { 3650 case Audit_equal: 3651 match = (ctxt->role == rule->au_ctxt.role); 3652 break; 3653 case Audit_not_equal: 3654 match = (ctxt->role != rule->au_ctxt.role); 3655 break; 3656 } 3657 break; 3658 case AUDIT_SUBJ_TYPE: 3659 case AUDIT_OBJ_TYPE: 3660 switch (op) { 3661 case Audit_equal: 3662 match = (ctxt->type == rule->au_ctxt.type); 3663 break; 3664 case Audit_not_equal: 3665 match = (ctxt->type != rule->au_ctxt.type); 3666 break; 3667 } 3668 break; 3669 case AUDIT_SUBJ_SEN: 3670 case AUDIT_SUBJ_CLR: 3671 case AUDIT_OBJ_LEV_LOW: 3672 case AUDIT_OBJ_LEV_HIGH: 3673 level = ((field == AUDIT_SUBJ_SEN || 3674 field == AUDIT_OBJ_LEV_LOW) ? 3675 &ctxt->range.level[0] : &ctxt->range.level[1]); 3676 switch (op) { 3677 case Audit_equal: 3678 match = mls_level_eq(&rule->au_ctxt.range.level[0], 3679 level); 3680 break; 3681 case Audit_not_equal: 3682 match = !mls_level_eq(&rule->au_ctxt.range.level[0], 3683 level); 3684 break; 3685 case Audit_lt: 3686 match = (mls_level_dom(&rule->au_ctxt.range.level[0], 3687 level) && 3688 !mls_level_eq(&rule->au_ctxt.range.level[0], 3689 level)); 3690 break; 3691 case Audit_le: 3692 match = mls_level_dom(&rule->au_ctxt.range.level[0], 3693 level); 3694 break; 3695 case Audit_gt: 3696 match = (mls_level_dom(level, 3697 &rule->au_ctxt.range.level[0]) && 3698 !mls_level_eq(level, 3699 &rule->au_ctxt.range.level[0])); 3700 break; 3701 case Audit_ge: 3702 match = mls_level_dom(level, 3703 &rule->au_ctxt.range.level[0]); 3704 break; 3705 } 3706 } 3707 3708 out: 3709 rcu_read_unlock(); 3710 return match; 3711 } 3712 3713 static int aurule_avc_callback(u32 event) 3714 { 3715 if (event == AVC_CALLBACK_RESET) 3716 return audit_update_lsm_rules(); 3717 return 0; 3718 } 3719 3720 static int __init aurule_init(void) 3721 { 3722 int err; 3723 3724 err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET); 3725 if (err) 3726 panic("avc_add_callback() failed, error %d\n", err); 3727 3728 return err; 3729 } 3730 __initcall(aurule_init); 3731 3732 #ifdef CONFIG_NETLABEL 3733 /** 3734 * security_netlbl_cache_add - Add an entry to the NetLabel cache 3735 * @secattr: the NetLabel packet security attributes 3736 * @sid: the SELinux SID 3737 * 3738 * Description: 3739 * Attempt to cache the context in @ctx, which was derived from the packet in 3740 * @skb, in the NetLabel subsystem cache. This function assumes @secattr has 3741 * already been initialized. 3742 * 3743 */ 3744 static void security_netlbl_cache_add(struct netlbl_lsm_secattr *secattr, 3745 u32 sid) 3746 { 3747 u32 *sid_cache; 3748 3749 sid_cache = kmalloc(sizeof(*sid_cache), GFP_ATOMIC); 3750 if (sid_cache == NULL) 3751 return; 3752 secattr->cache = netlbl_secattr_cache_alloc(GFP_ATOMIC); 3753 if (secattr->cache == NULL) { 3754 kfree(sid_cache); 3755 return; 3756 } 3757 3758 *sid_cache = sid; 3759 secattr->cache->free = kfree; 3760 secattr->cache->data = sid_cache; 3761 secattr->flags |= NETLBL_SECATTR_CACHE; 3762 } 3763 3764 /** 3765 * security_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID 3766 * @secattr: the NetLabel packet security attributes 3767 * @sid: the SELinux SID 3768 * 3769 * Description: 3770 * Convert the given NetLabel security attributes in @secattr into a 3771 * SELinux SID. If the @secattr field does not contain a full SELinux 3772 * SID/context then use SECINITSID_NETMSG as the foundation. If possible the 3773 * 'cache' field of @secattr is set and the CACHE flag is set; this is to 3774 * allow the @secattr to be used by NetLabel to cache the secattr to SID 3775 * conversion for future lookups. Returns zero on success, negative values on 3776 * failure. 3777 * 3778 */ 3779 int security_netlbl_secattr_to_sid(struct selinux_state *state, 3780 struct netlbl_lsm_secattr *secattr, 3781 u32 *sid) 3782 { 3783 struct selinux_policy *policy; 3784 struct policydb *policydb; 3785 struct sidtab *sidtab; 3786 int rc; 3787 struct context *ctx; 3788 struct context ctx_new; 3789 3790 if (!selinux_initialized(state)) { 3791 *sid = SECSID_NULL; 3792 return 0; 3793 } 3794 3795 rcu_read_lock(); 3796 policy = rcu_dereference(state->policy); 3797 policydb = &policy->policydb; 3798 sidtab = policy->sidtab; 3799 3800 if (secattr->flags & NETLBL_SECATTR_CACHE) 3801 *sid = *(u32 *)secattr->cache->data; 3802 else if (secattr->flags & NETLBL_SECATTR_SECID) 3803 *sid = secattr->attr.secid; 3804 else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) { 3805 rc = -EIDRM; 3806 ctx = sidtab_search(sidtab, SECINITSID_NETMSG); 3807 if (ctx == NULL) 3808 goto out; 3809 3810 context_init(&ctx_new); 3811 ctx_new.user = ctx->user; 3812 ctx_new.role = ctx->role; 3813 ctx_new.type = ctx->type; 3814 mls_import_netlbl_lvl(policydb, &ctx_new, secattr); 3815 if (secattr->flags & NETLBL_SECATTR_MLS_CAT) { 3816 rc = mls_import_netlbl_cat(policydb, &ctx_new, secattr); 3817 if (rc) 3818 goto out; 3819 } 3820 rc = -EIDRM; 3821 if (!mls_context_isvalid(policydb, &ctx_new)) 3822 goto out_free; 3823 3824 rc = sidtab_context_to_sid(sidtab, &ctx_new, sid); 3825 if (rc) 3826 goto out_free; 3827 3828 security_netlbl_cache_add(secattr, *sid); 3829 3830 ebitmap_destroy(&ctx_new.range.level[0].cat); 3831 } else 3832 *sid = SECSID_NULL; 3833 3834 rcu_read_unlock(); 3835 return 0; 3836 out_free: 3837 ebitmap_destroy(&ctx_new.range.level[0].cat); 3838 out: 3839 rcu_read_unlock(); 3840 return rc; 3841 } 3842 3843 /** 3844 * security_netlbl_sid_to_secattr - Convert a SELinux SID to a NetLabel secattr 3845 * @sid: the SELinux SID 3846 * @secattr: the NetLabel packet security attributes 3847 * 3848 * Description: 3849 * Convert the given SELinux SID in @sid into a NetLabel security attribute. 3850 * Returns zero on success, negative values on failure. 3851 * 3852 */ 3853 int security_netlbl_sid_to_secattr(struct selinux_state *state, 3854 u32 sid, struct netlbl_lsm_secattr *secattr) 3855 { 3856 struct selinux_policy *policy; 3857 struct policydb *policydb; 3858 int rc; 3859 struct context *ctx; 3860 3861 if (!selinux_initialized(state)) 3862 return 0; 3863 3864 rcu_read_lock(); 3865 policy = rcu_dereference(state->policy); 3866 policydb = &policy->policydb; 3867 3868 rc = -ENOENT; 3869 ctx = sidtab_search(policy->sidtab, sid); 3870 if (ctx == NULL) 3871 goto out; 3872 3873 rc = -ENOMEM; 3874 secattr->domain = kstrdup(sym_name(policydb, SYM_TYPES, ctx->type - 1), 3875 GFP_ATOMIC); 3876 if (secattr->domain == NULL) 3877 goto out; 3878 3879 secattr->attr.secid = sid; 3880 secattr->flags |= NETLBL_SECATTR_DOMAIN_CPY | NETLBL_SECATTR_SECID; 3881 mls_export_netlbl_lvl(policydb, ctx, secattr); 3882 rc = mls_export_netlbl_cat(policydb, ctx, secattr); 3883 out: 3884 rcu_read_unlock(); 3885 return rc; 3886 } 3887 #endif /* CONFIG_NETLABEL */ 3888 3889 /** 3890 * __security_read_policy - read the policy. 3891 * @policy: SELinux policy 3892 * @data: binary policy data 3893 * @len: length of data in bytes 3894 * 3895 */ 3896 static int __security_read_policy(struct selinux_policy *policy, 3897 void *data, size_t *len) 3898 { 3899 int rc; 3900 struct policy_file fp; 3901 3902 fp.data = data; 3903 fp.len = *len; 3904 3905 rc = policydb_write(&policy->policydb, &fp); 3906 if (rc) 3907 return rc; 3908 3909 *len = (unsigned long)fp.data - (unsigned long)data; 3910 return 0; 3911 } 3912 3913 /** 3914 * security_read_policy - read the policy. 3915 * @state: selinux_state 3916 * @data: binary policy data 3917 * @len: length of data in bytes 3918 * 3919 */ 3920 int security_read_policy(struct selinux_state *state, 3921 void **data, size_t *len) 3922 { 3923 struct selinux_policy *policy; 3924 3925 policy = rcu_dereference_protected( 3926 state->policy, lockdep_is_held(&state->policy_mutex)); 3927 if (!policy) 3928 return -EINVAL; 3929 3930 *len = policy->policydb.len; 3931 *data = vmalloc_user(*len); 3932 if (!*data) 3933 return -ENOMEM; 3934 3935 return __security_read_policy(policy, *data, len); 3936 } 3937 3938 /** 3939 * security_read_state_kernel - read the policy. 3940 * @state: selinux_state 3941 * @data: binary policy data 3942 * @len: length of data in bytes 3943 * 3944 * Allocates kernel memory for reading SELinux policy. 3945 * This function is for internal use only and should not 3946 * be used for returning data to user space. 3947 * 3948 * This function must be called with policy_mutex held. 3949 */ 3950 int security_read_state_kernel(struct selinux_state *state, 3951 void **data, size_t *len) 3952 { 3953 struct selinux_policy *policy; 3954 3955 policy = rcu_dereference_protected( 3956 state->policy, lockdep_is_held(&state->policy_mutex)); 3957 if (!policy) 3958 return -EINVAL; 3959 3960 *len = policy->policydb.len; 3961 *data = vmalloc(*len); 3962 if (!*data) 3963 return -ENOMEM; 3964 3965 return __security_read_policy(policy, *data, len); 3966 } 3967