1 /* 2 * Implementation of the security services. 3 * 4 * Authors : Stephen Smalley, <sds@epoch.ncsc.mil> 5 * James Morris <jmorris@redhat.com> 6 * 7 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> 8 * 9 * Support for enhanced MLS infrastructure. 10 * Support for context based audit filters. 11 * 12 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> 13 * 14 * Added conditional policy language extensions 15 * 16 * Updated: Hewlett-Packard <paul.moore@hp.com> 17 * 18 * Added support for NetLabel 19 * Added support for the policy capability bitmap 20 * 21 * Updated: Chad Sellers <csellers@tresys.com> 22 * 23 * Added validation of kernel classes and permissions 24 * 25 * Updated: KaiGai Kohei <kaigai@ak.jp.nec.com> 26 * 27 * Added support for bounds domain and audit messaged on masked permissions 28 * 29 * Copyright (C) 2008, 2009 NEC Corporation 30 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P. 31 * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc. 32 * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC 33 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> 34 * This program is free software; you can redistribute it and/or modify 35 * it under the terms of the GNU General Public License as published by 36 * the Free Software Foundation, version 2. 37 */ 38 #include <linux/kernel.h> 39 #include <linux/slab.h> 40 #include <linux/string.h> 41 #include <linux/spinlock.h> 42 #include <linux/rcupdate.h> 43 #include <linux/errno.h> 44 #include <linux/in.h> 45 #include <linux/sched.h> 46 #include <linux/audit.h> 47 #include <linux/mutex.h> 48 #include <linux/selinux.h> 49 #include <net/netlabel.h> 50 51 #include "flask.h" 52 #include "avc.h" 53 #include "avc_ss.h" 54 #include "security.h" 55 #include "context.h" 56 #include "policydb.h" 57 #include "sidtab.h" 58 #include "services.h" 59 #include "conditional.h" 60 #include "mls.h" 61 #include "objsec.h" 62 #include "netlabel.h" 63 #include "xfrm.h" 64 #include "ebitmap.h" 65 #include "audit.h" 66 67 extern void selnl_notify_policyload(u32 seqno); 68 69 int selinux_policycap_netpeer; 70 int selinux_policycap_openperm; 71 72 static DEFINE_RWLOCK(policy_rwlock); 73 74 static struct sidtab sidtab; 75 struct policydb policydb; 76 int ss_initialized; 77 78 /* 79 * The largest sequence number that has been used when 80 * providing an access decision to the access vector cache. 81 * The sequence number only changes when a policy change 82 * occurs. 83 */ 84 static u32 latest_granting; 85 86 /* Forward declaration. */ 87 static int context_struct_to_string(struct context *context, char **scontext, 88 u32 *scontext_len); 89 90 static int context_struct_compute_av(struct context *scontext, 91 struct context *tcontext, 92 u16 tclass, 93 u32 requested, 94 struct av_decision *avd); 95 96 struct selinux_mapping { 97 u16 value; /* policy value */ 98 unsigned num_perms; 99 u32 perms[sizeof(u32) * 8]; 100 }; 101 102 static struct selinux_mapping *current_mapping; 103 static u16 current_mapping_size; 104 105 static int selinux_set_mapping(struct policydb *pol, 106 struct security_class_mapping *map, 107 struct selinux_mapping **out_map_p, 108 u16 *out_map_size) 109 { 110 struct selinux_mapping *out_map = NULL; 111 size_t size = sizeof(struct selinux_mapping); 112 u16 i, j; 113 unsigned k; 114 bool print_unknown_handle = false; 115 116 /* Find number of classes in the input mapping */ 117 if (!map) 118 return -EINVAL; 119 i = 0; 120 while (map[i].name) 121 i++; 122 123 /* Allocate space for the class records, plus one for class zero */ 124 out_map = kcalloc(++i, size, GFP_ATOMIC); 125 if (!out_map) 126 return -ENOMEM; 127 128 /* Store the raw class and permission values */ 129 j = 0; 130 while (map[j].name) { 131 struct security_class_mapping *p_in = map + (j++); 132 struct selinux_mapping *p_out = out_map + j; 133 134 /* An empty class string skips ahead */ 135 if (!strcmp(p_in->name, "")) { 136 p_out->num_perms = 0; 137 continue; 138 } 139 140 p_out->value = string_to_security_class(pol, p_in->name); 141 if (!p_out->value) { 142 printk(KERN_INFO 143 "SELinux: Class %s not defined in policy.\n", 144 p_in->name); 145 if (pol->reject_unknown) 146 goto err; 147 p_out->num_perms = 0; 148 print_unknown_handle = true; 149 continue; 150 } 151 152 k = 0; 153 while (p_in->perms && p_in->perms[k]) { 154 /* An empty permission string skips ahead */ 155 if (!*p_in->perms[k]) { 156 k++; 157 continue; 158 } 159 p_out->perms[k] = string_to_av_perm(pol, p_out->value, 160 p_in->perms[k]); 161 if (!p_out->perms[k]) { 162 printk(KERN_INFO 163 "SELinux: Permission %s in class %s not defined in policy.\n", 164 p_in->perms[k], p_in->name); 165 if (pol->reject_unknown) 166 goto err; 167 print_unknown_handle = true; 168 } 169 170 k++; 171 } 172 p_out->num_perms = k; 173 } 174 175 if (print_unknown_handle) 176 printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n", 177 pol->allow_unknown ? "allowed" : "denied"); 178 179 *out_map_p = out_map; 180 *out_map_size = i; 181 return 0; 182 err: 183 kfree(out_map); 184 return -EINVAL; 185 } 186 187 /* 188 * Get real, policy values from mapped values 189 */ 190 191 static u16 unmap_class(u16 tclass) 192 { 193 if (tclass < current_mapping_size) 194 return current_mapping[tclass].value; 195 196 return tclass; 197 } 198 199 static u32 unmap_perm(u16 tclass, u32 tperm) 200 { 201 if (tclass < current_mapping_size) { 202 unsigned i; 203 u32 kperm = 0; 204 205 for (i = 0; i < current_mapping[tclass].num_perms; i++) 206 if (tperm & (1<<i)) { 207 kperm |= current_mapping[tclass].perms[i]; 208 tperm &= ~(1<<i); 209 } 210 return kperm; 211 } 212 213 return tperm; 214 } 215 216 static void map_decision(u16 tclass, struct av_decision *avd, 217 int allow_unknown) 218 { 219 if (tclass < current_mapping_size) { 220 unsigned i, n = current_mapping[tclass].num_perms; 221 u32 result; 222 223 for (i = 0, result = 0; i < n; i++) { 224 if (avd->allowed & current_mapping[tclass].perms[i]) 225 result |= 1<<i; 226 if (allow_unknown && !current_mapping[tclass].perms[i]) 227 result |= 1<<i; 228 } 229 avd->allowed = result; 230 231 for (i = 0, result = 0; i < n; i++) 232 if (avd->auditallow & current_mapping[tclass].perms[i]) 233 result |= 1<<i; 234 avd->auditallow = result; 235 236 for (i = 0, result = 0; i < n; i++) { 237 if (avd->auditdeny & current_mapping[tclass].perms[i]) 238 result |= 1<<i; 239 if (!allow_unknown && !current_mapping[tclass].perms[i]) 240 result |= 1<<i; 241 } 242 /* 243 * In case the kernel has a bug and requests a permission 244 * between num_perms and the maximum permission number, we 245 * should audit that denial 246 */ 247 for (; i < (sizeof(u32)*8); i++) 248 result |= 1<<i; 249 avd->auditdeny = result; 250 } 251 } 252 253 254 /* 255 * Return the boolean value of a constraint expression 256 * when it is applied to the specified source and target 257 * security contexts. 258 * 259 * xcontext is a special beast... It is used by the validatetrans rules 260 * only. For these rules, scontext is the context before the transition, 261 * tcontext is the context after the transition, and xcontext is the context 262 * of the process performing the transition. All other callers of 263 * constraint_expr_eval should pass in NULL for xcontext. 264 */ 265 static int constraint_expr_eval(struct context *scontext, 266 struct context *tcontext, 267 struct context *xcontext, 268 struct constraint_expr *cexpr) 269 { 270 u32 val1, val2; 271 struct context *c; 272 struct role_datum *r1, *r2; 273 struct mls_level *l1, *l2; 274 struct constraint_expr *e; 275 int s[CEXPR_MAXDEPTH]; 276 int sp = -1; 277 278 for (e = cexpr; e; e = e->next) { 279 switch (e->expr_type) { 280 case CEXPR_NOT: 281 BUG_ON(sp < 0); 282 s[sp] = !s[sp]; 283 break; 284 case CEXPR_AND: 285 BUG_ON(sp < 1); 286 sp--; 287 s[sp] &= s[sp+1]; 288 break; 289 case CEXPR_OR: 290 BUG_ON(sp < 1); 291 sp--; 292 s[sp] |= s[sp+1]; 293 break; 294 case CEXPR_ATTR: 295 if (sp == (CEXPR_MAXDEPTH-1)) 296 return 0; 297 switch (e->attr) { 298 case CEXPR_USER: 299 val1 = scontext->user; 300 val2 = tcontext->user; 301 break; 302 case CEXPR_TYPE: 303 val1 = scontext->type; 304 val2 = tcontext->type; 305 break; 306 case CEXPR_ROLE: 307 val1 = scontext->role; 308 val2 = tcontext->role; 309 r1 = policydb.role_val_to_struct[val1 - 1]; 310 r2 = policydb.role_val_to_struct[val2 - 1]; 311 switch (e->op) { 312 case CEXPR_DOM: 313 s[++sp] = ebitmap_get_bit(&r1->dominates, 314 val2 - 1); 315 continue; 316 case CEXPR_DOMBY: 317 s[++sp] = ebitmap_get_bit(&r2->dominates, 318 val1 - 1); 319 continue; 320 case CEXPR_INCOMP: 321 s[++sp] = (!ebitmap_get_bit(&r1->dominates, 322 val2 - 1) && 323 !ebitmap_get_bit(&r2->dominates, 324 val1 - 1)); 325 continue; 326 default: 327 break; 328 } 329 break; 330 case CEXPR_L1L2: 331 l1 = &(scontext->range.level[0]); 332 l2 = &(tcontext->range.level[0]); 333 goto mls_ops; 334 case CEXPR_L1H2: 335 l1 = &(scontext->range.level[0]); 336 l2 = &(tcontext->range.level[1]); 337 goto mls_ops; 338 case CEXPR_H1L2: 339 l1 = &(scontext->range.level[1]); 340 l2 = &(tcontext->range.level[0]); 341 goto mls_ops; 342 case CEXPR_H1H2: 343 l1 = &(scontext->range.level[1]); 344 l2 = &(tcontext->range.level[1]); 345 goto mls_ops; 346 case CEXPR_L1H1: 347 l1 = &(scontext->range.level[0]); 348 l2 = &(scontext->range.level[1]); 349 goto mls_ops; 350 case CEXPR_L2H2: 351 l1 = &(tcontext->range.level[0]); 352 l2 = &(tcontext->range.level[1]); 353 goto mls_ops; 354 mls_ops: 355 switch (e->op) { 356 case CEXPR_EQ: 357 s[++sp] = mls_level_eq(l1, l2); 358 continue; 359 case CEXPR_NEQ: 360 s[++sp] = !mls_level_eq(l1, l2); 361 continue; 362 case CEXPR_DOM: 363 s[++sp] = mls_level_dom(l1, l2); 364 continue; 365 case CEXPR_DOMBY: 366 s[++sp] = mls_level_dom(l2, l1); 367 continue; 368 case CEXPR_INCOMP: 369 s[++sp] = mls_level_incomp(l2, l1); 370 continue; 371 default: 372 BUG(); 373 return 0; 374 } 375 break; 376 default: 377 BUG(); 378 return 0; 379 } 380 381 switch (e->op) { 382 case CEXPR_EQ: 383 s[++sp] = (val1 == val2); 384 break; 385 case CEXPR_NEQ: 386 s[++sp] = (val1 != val2); 387 break; 388 default: 389 BUG(); 390 return 0; 391 } 392 break; 393 case CEXPR_NAMES: 394 if (sp == (CEXPR_MAXDEPTH-1)) 395 return 0; 396 c = scontext; 397 if (e->attr & CEXPR_TARGET) 398 c = tcontext; 399 else if (e->attr & CEXPR_XTARGET) { 400 c = xcontext; 401 if (!c) { 402 BUG(); 403 return 0; 404 } 405 } 406 if (e->attr & CEXPR_USER) 407 val1 = c->user; 408 else if (e->attr & CEXPR_ROLE) 409 val1 = c->role; 410 else if (e->attr & CEXPR_TYPE) 411 val1 = c->type; 412 else { 413 BUG(); 414 return 0; 415 } 416 417 switch (e->op) { 418 case CEXPR_EQ: 419 s[++sp] = ebitmap_get_bit(&e->names, val1 - 1); 420 break; 421 case CEXPR_NEQ: 422 s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1); 423 break; 424 default: 425 BUG(); 426 return 0; 427 } 428 break; 429 default: 430 BUG(); 431 return 0; 432 } 433 } 434 435 BUG_ON(sp != 0); 436 return s[0]; 437 } 438 439 /* 440 * security_dump_masked_av - dumps masked permissions during 441 * security_compute_av due to RBAC, MLS/Constraint and Type bounds. 442 */ 443 static int dump_masked_av_helper(void *k, void *d, void *args) 444 { 445 struct perm_datum *pdatum = d; 446 char **permission_names = args; 447 448 BUG_ON(pdatum->value < 1 || pdatum->value > 32); 449 450 permission_names[pdatum->value - 1] = (char *)k; 451 452 return 0; 453 } 454 455 static void security_dump_masked_av(struct context *scontext, 456 struct context *tcontext, 457 u16 tclass, 458 u32 permissions, 459 const char *reason) 460 { 461 struct common_datum *common_dat; 462 struct class_datum *tclass_dat; 463 struct audit_buffer *ab; 464 char *tclass_name; 465 char *scontext_name = NULL; 466 char *tcontext_name = NULL; 467 char *permission_names[32]; 468 int index, length; 469 bool need_comma = false; 470 471 if (!permissions) 472 return; 473 474 tclass_name = policydb.p_class_val_to_name[tclass - 1]; 475 tclass_dat = policydb.class_val_to_struct[tclass - 1]; 476 common_dat = tclass_dat->comdatum; 477 478 /* init permission_names */ 479 if (common_dat && 480 hashtab_map(common_dat->permissions.table, 481 dump_masked_av_helper, permission_names) < 0) 482 goto out; 483 484 if (hashtab_map(tclass_dat->permissions.table, 485 dump_masked_av_helper, permission_names) < 0) 486 goto out; 487 488 /* get scontext/tcontext in text form */ 489 if (context_struct_to_string(scontext, 490 &scontext_name, &length) < 0) 491 goto out; 492 493 if (context_struct_to_string(tcontext, 494 &tcontext_name, &length) < 0) 495 goto out; 496 497 /* audit a message */ 498 ab = audit_log_start(current->audit_context, 499 GFP_ATOMIC, AUDIT_SELINUX_ERR); 500 if (!ab) 501 goto out; 502 503 audit_log_format(ab, "op=security_compute_av reason=%s " 504 "scontext=%s tcontext=%s tclass=%s perms=", 505 reason, scontext_name, tcontext_name, tclass_name); 506 507 for (index = 0; index < 32; index++) { 508 u32 mask = (1 << index); 509 510 if ((mask & permissions) == 0) 511 continue; 512 513 audit_log_format(ab, "%s%s", 514 need_comma ? "," : "", 515 permission_names[index] 516 ? permission_names[index] : "????"); 517 need_comma = true; 518 } 519 audit_log_end(ab); 520 out: 521 /* release scontext/tcontext */ 522 kfree(tcontext_name); 523 kfree(scontext_name); 524 525 return; 526 } 527 528 /* 529 * security_boundary_permission - drops violated permissions 530 * on boundary constraint. 531 */ 532 static void type_attribute_bounds_av(struct context *scontext, 533 struct context *tcontext, 534 u16 tclass, 535 u32 requested, 536 struct av_decision *avd) 537 { 538 struct context lo_scontext; 539 struct context lo_tcontext; 540 struct av_decision lo_avd; 541 struct type_datum *source 542 = policydb.type_val_to_struct[scontext->type - 1]; 543 struct type_datum *target 544 = policydb.type_val_to_struct[tcontext->type - 1]; 545 u32 masked = 0; 546 547 if (source->bounds) { 548 memset(&lo_avd, 0, sizeof(lo_avd)); 549 550 memcpy(&lo_scontext, scontext, sizeof(lo_scontext)); 551 lo_scontext.type = source->bounds; 552 553 context_struct_compute_av(&lo_scontext, 554 tcontext, 555 tclass, 556 requested, 557 &lo_avd); 558 if ((lo_avd.allowed & avd->allowed) == avd->allowed) 559 return; /* no masked permission */ 560 masked = ~lo_avd.allowed & avd->allowed; 561 } 562 563 if (target->bounds) { 564 memset(&lo_avd, 0, sizeof(lo_avd)); 565 566 memcpy(&lo_tcontext, tcontext, sizeof(lo_tcontext)); 567 lo_tcontext.type = target->bounds; 568 569 context_struct_compute_av(scontext, 570 &lo_tcontext, 571 tclass, 572 requested, 573 &lo_avd); 574 if ((lo_avd.allowed & avd->allowed) == avd->allowed) 575 return; /* no masked permission */ 576 masked = ~lo_avd.allowed & avd->allowed; 577 } 578 579 if (source->bounds && target->bounds) { 580 memset(&lo_avd, 0, sizeof(lo_avd)); 581 /* 582 * lo_scontext and lo_tcontext are already 583 * set up. 584 */ 585 586 context_struct_compute_av(&lo_scontext, 587 &lo_tcontext, 588 tclass, 589 requested, 590 &lo_avd); 591 if ((lo_avd.allowed & avd->allowed) == avd->allowed) 592 return; /* no masked permission */ 593 masked = ~lo_avd.allowed & avd->allowed; 594 } 595 596 if (masked) { 597 /* mask violated permissions */ 598 avd->allowed &= ~masked; 599 600 /* audit masked permissions */ 601 security_dump_masked_av(scontext, tcontext, 602 tclass, masked, "bounds"); 603 } 604 } 605 606 /* 607 * Compute access vectors based on a context structure pair for 608 * the permissions in a particular class. 609 */ 610 static int context_struct_compute_av(struct context *scontext, 611 struct context *tcontext, 612 u16 tclass, 613 u32 requested, 614 struct av_decision *avd) 615 { 616 struct constraint_node *constraint; 617 struct role_allow *ra; 618 struct avtab_key avkey; 619 struct avtab_node *node; 620 struct class_datum *tclass_datum; 621 struct ebitmap *sattr, *tattr; 622 struct ebitmap_node *snode, *tnode; 623 unsigned int i, j; 624 625 /* 626 * Initialize the access vectors to the default values. 627 */ 628 avd->allowed = 0; 629 avd->auditallow = 0; 630 avd->auditdeny = 0xffffffff; 631 avd->seqno = latest_granting; 632 avd->flags = 0; 633 634 if (unlikely(!tclass || tclass > policydb.p_classes.nprim)) { 635 if (printk_ratelimit()) 636 printk(KERN_WARNING "SELinux: Invalid class %hu\n", tclass); 637 return -EINVAL; 638 } 639 640 tclass_datum = policydb.class_val_to_struct[tclass - 1]; 641 642 /* 643 * If a specific type enforcement rule was defined for 644 * this permission check, then use it. 645 */ 646 avkey.target_class = tclass; 647 avkey.specified = AVTAB_AV; 648 sattr = &policydb.type_attr_map[scontext->type - 1]; 649 tattr = &policydb.type_attr_map[tcontext->type - 1]; 650 ebitmap_for_each_positive_bit(sattr, snode, i) { 651 ebitmap_for_each_positive_bit(tattr, tnode, j) { 652 avkey.source_type = i + 1; 653 avkey.target_type = j + 1; 654 for (node = avtab_search_node(&policydb.te_avtab, &avkey); 655 node; 656 node = avtab_search_node_next(node, avkey.specified)) { 657 if (node->key.specified == AVTAB_ALLOWED) 658 avd->allowed |= node->datum.data; 659 else if (node->key.specified == AVTAB_AUDITALLOW) 660 avd->auditallow |= node->datum.data; 661 else if (node->key.specified == AVTAB_AUDITDENY) 662 avd->auditdeny &= node->datum.data; 663 } 664 665 /* Check conditional av table for additional permissions */ 666 cond_compute_av(&policydb.te_cond_avtab, &avkey, avd); 667 668 } 669 } 670 671 /* 672 * Remove any permissions prohibited by a constraint (this includes 673 * the MLS policy). 674 */ 675 constraint = tclass_datum->constraints; 676 while (constraint) { 677 if ((constraint->permissions & (avd->allowed)) && 678 !constraint_expr_eval(scontext, tcontext, NULL, 679 constraint->expr)) { 680 avd->allowed &= ~(constraint->permissions); 681 } 682 constraint = constraint->next; 683 } 684 685 /* 686 * If checking process transition permission and the 687 * role is changing, then check the (current_role, new_role) 688 * pair. 689 */ 690 if (tclass == policydb.process_class && 691 (avd->allowed & policydb.process_trans_perms) && 692 scontext->role != tcontext->role) { 693 for (ra = policydb.role_allow; ra; ra = ra->next) { 694 if (scontext->role == ra->role && 695 tcontext->role == ra->new_role) 696 break; 697 } 698 if (!ra) 699 avd->allowed &= ~policydb.process_trans_perms; 700 } 701 702 /* 703 * If the given source and target types have boundary 704 * constraint, lazy checks have to mask any violated 705 * permission and notice it to userspace via audit. 706 */ 707 type_attribute_bounds_av(scontext, tcontext, 708 tclass, requested, avd); 709 710 return 0; 711 } 712 713 static int security_validtrans_handle_fail(struct context *ocontext, 714 struct context *ncontext, 715 struct context *tcontext, 716 u16 tclass) 717 { 718 char *o = NULL, *n = NULL, *t = NULL; 719 u32 olen, nlen, tlen; 720 721 if (context_struct_to_string(ocontext, &o, &olen) < 0) 722 goto out; 723 if (context_struct_to_string(ncontext, &n, &nlen) < 0) 724 goto out; 725 if (context_struct_to_string(tcontext, &t, &tlen) < 0) 726 goto out; 727 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, 728 "security_validate_transition: denied for" 729 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s", 730 o, n, t, policydb.p_class_val_to_name[tclass-1]); 731 out: 732 kfree(o); 733 kfree(n); 734 kfree(t); 735 736 if (!selinux_enforcing) 737 return 0; 738 return -EPERM; 739 } 740 741 int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, 742 u16 orig_tclass) 743 { 744 struct context *ocontext; 745 struct context *ncontext; 746 struct context *tcontext; 747 struct class_datum *tclass_datum; 748 struct constraint_node *constraint; 749 u16 tclass; 750 int rc = 0; 751 752 if (!ss_initialized) 753 return 0; 754 755 read_lock(&policy_rwlock); 756 757 tclass = unmap_class(orig_tclass); 758 759 if (!tclass || tclass > policydb.p_classes.nprim) { 760 printk(KERN_ERR "SELinux: %s: unrecognized class %d\n", 761 __func__, tclass); 762 rc = -EINVAL; 763 goto out; 764 } 765 tclass_datum = policydb.class_val_to_struct[tclass - 1]; 766 767 ocontext = sidtab_search(&sidtab, oldsid); 768 if (!ocontext) { 769 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 770 __func__, oldsid); 771 rc = -EINVAL; 772 goto out; 773 } 774 775 ncontext = sidtab_search(&sidtab, newsid); 776 if (!ncontext) { 777 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 778 __func__, newsid); 779 rc = -EINVAL; 780 goto out; 781 } 782 783 tcontext = sidtab_search(&sidtab, tasksid); 784 if (!tcontext) { 785 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 786 __func__, tasksid); 787 rc = -EINVAL; 788 goto out; 789 } 790 791 constraint = tclass_datum->validatetrans; 792 while (constraint) { 793 if (!constraint_expr_eval(ocontext, ncontext, tcontext, 794 constraint->expr)) { 795 rc = security_validtrans_handle_fail(ocontext, ncontext, 796 tcontext, tclass); 797 goto out; 798 } 799 constraint = constraint->next; 800 } 801 802 out: 803 read_unlock(&policy_rwlock); 804 return rc; 805 } 806 807 /* 808 * security_bounded_transition - check whether the given 809 * transition is directed to bounded, or not. 810 * It returns 0, if @newsid is bounded by @oldsid. 811 * Otherwise, it returns error code. 812 * 813 * @oldsid : current security identifier 814 * @newsid : destinated security identifier 815 */ 816 int security_bounded_transition(u32 old_sid, u32 new_sid) 817 { 818 struct context *old_context, *new_context; 819 struct type_datum *type; 820 int index; 821 int rc = -EINVAL; 822 823 read_lock(&policy_rwlock); 824 825 old_context = sidtab_search(&sidtab, old_sid); 826 if (!old_context) { 827 printk(KERN_ERR "SELinux: %s: unrecognized SID %u\n", 828 __func__, old_sid); 829 goto out; 830 } 831 832 new_context = sidtab_search(&sidtab, new_sid); 833 if (!new_context) { 834 printk(KERN_ERR "SELinux: %s: unrecognized SID %u\n", 835 __func__, new_sid); 836 goto out; 837 } 838 839 /* type/domain unchanged */ 840 if (old_context->type == new_context->type) { 841 rc = 0; 842 goto out; 843 } 844 845 index = new_context->type; 846 while (true) { 847 type = policydb.type_val_to_struct[index - 1]; 848 BUG_ON(!type); 849 850 /* not bounded anymore */ 851 if (!type->bounds) { 852 rc = -EPERM; 853 break; 854 } 855 856 /* @newsid is bounded by @oldsid */ 857 if (type->bounds == old_context->type) { 858 rc = 0; 859 break; 860 } 861 index = type->bounds; 862 } 863 864 if (rc) { 865 char *old_name = NULL; 866 char *new_name = NULL; 867 int length; 868 869 if (!context_struct_to_string(old_context, 870 &old_name, &length) && 871 !context_struct_to_string(new_context, 872 &new_name, &length)) { 873 audit_log(current->audit_context, 874 GFP_ATOMIC, AUDIT_SELINUX_ERR, 875 "op=security_bounded_transition " 876 "result=denied " 877 "oldcontext=%s newcontext=%s", 878 old_name, new_name); 879 } 880 kfree(new_name); 881 kfree(old_name); 882 } 883 out: 884 read_unlock(&policy_rwlock); 885 886 return rc; 887 } 888 889 890 static int security_compute_av_core(u32 ssid, 891 u32 tsid, 892 u16 tclass, 893 u32 requested, 894 struct av_decision *avd) 895 { 896 struct context *scontext = NULL, *tcontext = NULL; 897 int rc = 0; 898 899 scontext = sidtab_search(&sidtab, ssid); 900 if (!scontext) { 901 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 902 __func__, ssid); 903 return -EINVAL; 904 } 905 tcontext = sidtab_search(&sidtab, tsid); 906 if (!tcontext) { 907 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 908 __func__, tsid); 909 return -EINVAL; 910 } 911 912 rc = context_struct_compute_av(scontext, tcontext, tclass, 913 requested, avd); 914 915 /* permissive domain? */ 916 if (ebitmap_get_bit(&policydb.permissive_map, scontext->type)) 917 avd->flags |= AVD_FLAGS_PERMISSIVE; 918 919 return rc; 920 } 921 922 /** 923 * security_compute_av - Compute access vector decisions. 924 * @ssid: source security identifier 925 * @tsid: target security identifier 926 * @tclass: target security class 927 * @requested: requested permissions 928 * @avd: access vector decisions 929 * 930 * Compute a set of access vector decisions based on the 931 * SID pair (@ssid, @tsid) for the permissions in @tclass. 932 * Return -%EINVAL if any of the parameters are invalid or %0 933 * if the access vector decisions were computed successfully. 934 */ 935 int security_compute_av(u32 ssid, 936 u32 tsid, 937 u16 orig_tclass, 938 u32 orig_requested, 939 struct av_decision *avd) 940 { 941 u16 tclass; 942 u32 requested; 943 int rc; 944 945 read_lock(&policy_rwlock); 946 947 if (!ss_initialized) 948 goto allow; 949 950 requested = unmap_perm(orig_tclass, orig_requested); 951 tclass = unmap_class(orig_tclass); 952 if (unlikely(orig_tclass && !tclass)) { 953 if (policydb.allow_unknown) 954 goto allow; 955 rc = -EINVAL; 956 goto out; 957 } 958 rc = security_compute_av_core(ssid, tsid, tclass, requested, avd); 959 map_decision(orig_tclass, avd, policydb.allow_unknown); 960 out: 961 read_unlock(&policy_rwlock); 962 return rc; 963 allow: 964 avd->allowed = 0xffffffff; 965 avd->auditallow = 0; 966 avd->auditdeny = 0xffffffff; 967 avd->seqno = latest_granting; 968 avd->flags = 0; 969 rc = 0; 970 goto out; 971 } 972 973 int security_compute_av_user(u32 ssid, 974 u32 tsid, 975 u16 tclass, 976 u32 requested, 977 struct av_decision *avd) 978 { 979 int rc; 980 981 if (!ss_initialized) { 982 avd->allowed = 0xffffffff; 983 avd->auditallow = 0; 984 avd->auditdeny = 0xffffffff; 985 avd->seqno = latest_granting; 986 return 0; 987 } 988 989 read_lock(&policy_rwlock); 990 rc = security_compute_av_core(ssid, tsid, tclass, requested, avd); 991 read_unlock(&policy_rwlock); 992 return rc; 993 } 994 995 /* 996 * Write the security context string representation of 997 * the context structure `context' into a dynamically 998 * allocated string of the correct size. Set `*scontext' 999 * to point to this string and set `*scontext_len' to 1000 * the length of the string. 1001 */ 1002 static int context_struct_to_string(struct context *context, char **scontext, u32 *scontext_len) 1003 { 1004 char *scontextp; 1005 1006 *scontext = NULL; 1007 *scontext_len = 0; 1008 1009 if (context->len) { 1010 *scontext_len = context->len; 1011 *scontext = kstrdup(context->str, GFP_ATOMIC); 1012 if (!(*scontext)) 1013 return -ENOMEM; 1014 return 0; 1015 } 1016 1017 /* Compute the size of the context. */ 1018 *scontext_len += strlen(policydb.p_user_val_to_name[context->user - 1]) + 1; 1019 *scontext_len += strlen(policydb.p_role_val_to_name[context->role - 1]) + 1; 1020 *scontext_len += strlen(policydb.p_type_val_to_name[context->type - 1]) + 1; 1021 *scontext_len += mls_compute_context_len(context); 1022 1023 /* Allocate space for the context; caller must free this space. */ 1024 scontextp = kmalloc(*scontext_len, GFP_ATOMIC); 1025 if (!scontextp) 1026 return -ENOMEM; 1027 *scontext = scontextp; 1028 1029 /* 1030 * Copy the user name, role name and type name into the context. 1031 */ 1032 sprintf(scontextp, "%s:%s:%s", 1033 policydb.p_user_val_to_name[context->user - 1], 1034 policydb.p_role_val_to_name[context->role - 1], 1035 policydb.p_type_val_to_name[context->type - 1]); 1036 scontextp += strlen(policydb.p_user_val_to_name[context->user - 1]) + 1037 1 + strlen(policydb.p_role_val_to_name[context->role - 1]) + 1038 1 + strlen(policydb.p_type_val_to_name[context->type - 1]); 1039 1040 mls_sid_to_context(context, &scontextp); 1041 1042 *scontextp = 0; 1043 1044 return 0; 1045 } 1046 1047 #include "initial_sid_to_string.h" 1048 1049 const char *security_get_initial_sid_context(u32 sid) 1050 { 1051 if (unlikely(sid > SECINITSID_NUM)) 1052 return NULL; 1053 return initial_sid_to_string[sid]; 1054 } 1055 1056 static int security_sid_to_context_core(u32 sid, char **scontext, 1057 u32 *scontext_len, int force) 1058 { 1059 struct context *context; 1060 int rc = 0; 1061 1062 *scontext = NULL; 1063 *scontext_len = 0; 1064 1065 if (!ss_initialized) { 1066 if (sid <= SECINITSID_NUM) { 1067 char *scontextp; 1068 1069 *scontext_len = strlen(initial_sid_to_string[sid]) + 1; 1070 scontextp = kmalloc(*scontext_len, GFP_ATOMIC); 1071 if (!scontextp) { 1072 rc = -ENOMEM; 1073 goto out; 1074 } 1075 strcpy(scontextp, initial_sid_to_string[sid]); 1076 *scontext = scontextp; 1077 goto out; 1078 } 1079 printk(KERN_ERR "SELinux: %s: called before initial " 1080 "load_policy on unknown SID %d\n", __func__, sid); 1081 rc = -EINVAL; 1082 goto out; 1083 } 1084 read_lock(&policy_rwlock); 1085 if (force) 1086 context = sidtab_search_force(&sidtab, sid); 1087 else 1088 context = sidtab_search(&sidtab, sid); 1089 if (!context) { 1090 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 1091 __func__, sid); 1092 rc = -EINVAL; 1093 goto out_unlock; 1094 } 1095 rc = context_struct_to_string(context, scontext, scontext_len); 1096 out_unlock: 1097 read_unlock(&policy_rwlock); 1098 out: 1099 return rc; 1100 1101 } 1102 1103 /** 1104 * security_sid_to_context - Obtain a context for a given SID. 1105 * @sid: security identifier, SID 1106 * @scontext: security context 1107 * @scontext_len: length in bytes 1108 * 1109 * Write the string representation of the context associated with @sid 1110 * into a dynamically allocated string of the correct size. Set @scontext 1111 * to point to this string and set @scontext_len to the length of the string. 1112 */ 1113 int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len) 1114 { 1115 return security_sid_to_context_core(sid, scontext, scontext_len, 0); 1116 } 1117 1118 int security_sid_to_context_force(u32 sid, char **scontext, u32 *scontext_len) 1119 { 1120 return security_sid_to_context_core(sid, scontext, scontext_len, 1); 1121 } 1122 1123 /* 1124 * Caveat: Mutates scontext. 1125 */ 1126 static int string_to_context_struct(struct policydb *pol, 1127 struct sidtab *sidtabp, 1128 char *scontext, 1129 u32 scontext_len, 1130 struct context *ctx, 1131 u32 def_sid) 1132 { 1133 struct role_datum *role; 1134 struct type_datum *typdatum; 1135 struct user_datum *usrdatum; 1136 char *scontextp, *p, oldc; 1137 int rc = 0; 1138 1139 context_init(ctx); 1140 1141 /* Parse the security context. */ 1142 1143 rc = -EINVAL; 1144 scontextp = (char *) scontext; 1145 1146 /* Extract the user. */ 1147 p = scontextp; 1148 while (*p && *p != ':') 1149 p++; 1150 1151 if (*p == 0) 1152 goto out; 1153 1154 *p++ = 0; 1155 1156 usrdatum = hashtab_search(pol->p_users.table, scontextp); 1157 if (!usrdatum) 1158 goto out; 1159 1160 ctx->user = usrdatum->value; 1161 1162 /* Extract role. */ 1163 scontextp = p; 1164 while (*p && *p != ':') 1165 p++; 1166 1167 if (*p == 0) 1168 goto out; 1169 1170 *p++ = 0; 1171 1172 role = hashtab_search(pol->p_roles.table, scontextp); 1173 if (!role) 1174 goto out; 1175 ctx->role = role->value; 1176 1177 /* Extract type. */ 1178 scontextp = p; 1179 while (*p && *p != ':') 1180 p++; 1181 oldc = *p; 1182 *p++ = 0; 1183 1184 typdatum = hashtab_search(pol->p_types.table, scontextp); 1185 if (!typdatum || typdatum->attribute) 1186 goto out; 1187 1188 ctx->type = typdatum->value; 1189 1190 rc = mls_context_to_sid(pol, oldc, &p, ctx, sidtabp, def_sid); 1191 if (rc) 1192 goto out; 1193 1194 if ((p - scontext) < scontext_len) { 1195 rc = -EINVAL; 1196 goto out; 1197 } 1198 1199 /* Check the validity of the new context. */ 1200 if (!policydb_context_isvalid(pol, ctx)) { 1201 rc = -EINVAL; 1202 goto out; 1203 } 1204 rc = 0; 1205 out: 1206 if (rc) 1207 context_destroy(ctx); 1208 return rc; 1209 } 1210 1211 static int security_context_to_sid_core(const char *scontext, u32 scontext_len, 1212 u32 *sid, u32 def_sid, gfp_t gfp_flags, 1213 int force) 1214 { 1215 char *scontext2, *str = NULL; 1216 struct context context; 1217 int rc = 0; 1218 1219 if (!ss_initialized) { 1220 int i; 1221 1222 for (i = 1; i < SECINITSID_NUM; i++) { 1223 if (!strcmp(initial_sid_to_string[i], scontext)) { 1224 *sid = i; 1225 return 0; 1226 } 1227 } 1228 *sid = SECINITSID_KERNEL; 1229 return 0; 1230 } 1231 *sid = SECSID_NULL; 1232 1233 /* Copy the string so that we can modify the copy as we parse it. */ 1234 scontext2 = kmalloc(scontext_len+1, gfp_flags); 1235 if (!scontext2) 1236 return -ENOMEM; 1237 memcpy(scontext2, scontext, scontext_len); 1238 scontext2[scontext_len] = 0; 1239 1240 if (force) { 1241 /* Save another copy for storing in uninterpreted form */ 1242 str = kstrdup(scontext2, gfp_flags); 1243 if (!str) { 1244 kfree(scontext2); 1245 return -ENOMEM; 1246 } 1247 } 1248 1249 read_lock(&policy_rwlock); 1250 rc = string_to_context_struct(&policydb, &sidtab, 1251 scontext2, scontext_len, 1252 &context, def_sid); 1253 if (rc == -EINVAL && force) { 1254 context.str = str; 1255 context.len = scontext_len; 1256 str = NULL; 1257 } else if (rc) 1258 goto out; 1259 rc = sidtab_context_to_sid(&sidtab, &context, sid); 1260 context_destroy(&context); 1261 out: 1262 read_unlock(&policy_rwlock); 1263 kfree(scontext2); 1264 kfree(str); 1265 return rc; 1266 } 1267 1268 /** 1269 * security_context_to_sid - Obtain a SID for a given security context. 1270 * @scontext: security context 1271 * @scontext_len: length in bytes 1272 * @sid: security identifier, SID 1273 * 1274 * Obtains a SID associated with the security context that 1275 * has the string representation specified by @scontext. 1276 * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient 1277 * memory is available, or 0 on success. 1278 */ 1279 int security_context_to_sid(const char *scontext, u32 scontext_len, u32 *sid) 1280 { 1281 return security_context_to_sid_core(scontext, scontext_len, 1282 sid, SECSID_NULL, GFP_KERNEL, 0); 1283 } 1284 1285 /** 1286 * security_context_to_sid_default - Obtain a SID for a given security context, 1287 * falling back to specified default if needed. 1288 * 1289 * @scontext: security context 1290 * @scontext_len: length in bytes 1291 * @sid: security identifier, SID 1292 * @def_sid: default SID to assign on error 1293 * 1294 * Obtains a SID associated with the security context that 1295 * has the string representation specified by @scontext. 1296 * The default SID is passed to the MLS layer to be used to allow 1297 * kernel labeling of the MLS field if the MLS field is not present 1298 * (for upgrading to MLS without full relabel). 1299 * Implicitly forces adding of the context even if it cannot be mapped yet. 1300 * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient 1301 * memory is available, or 0 on success. 1302 */ 1303 int security_context_to_sid_default(const char *scontext, u32 scontext_len, 1304 u32 *sid, u32 def_sid, gfp_t gfp_flags) 1305 { 1306 return security_context_to_sid_core(scontext, scontext_len, 1307 sid, def_sid, gfp_flags, 1); 1308 } 1309 1310 int security_context_to_sid_force(const char *scontext, u32 scontext_len, 1311 u32 *sid) 1312 { 1313 return security_context_to_sid_core(scontext, scontext_len, 1314 sid, SECSID_NULL, GFP_KERNEL, 1); 1315 } 1316 1317 static int compute_sid_handle_invalid_context( 1318 struct context *scontext, 1319 struct context *tcontext, 1320 u16 tclass, 1321 struct context *newcontext) 1322 { 1323 char *s = NULL, *t = NULL, *n = NULL; 1324 u32 slen, tlen, nlen; 1325 1326 if (context_struct_to_string(scontext, &s, &slen) < 0) 1327 goto out; 1328 if (context_struct_to_string(tcontext, &t, &tlen) < 0) 1329 goto out; 1330 if (context_struct_to_string(newcontext, &n, &nlen) < 0) 1331 goto out; 1332 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, 1333 "security_compute_sid: invalid context %s" 1334 " for scontext=%s" 1335 " tcontext=%s" 1336 " tclass=%s", 1337 n, s, t, policydb.p_class_val_to_name[tclass-1]); 1338 out: 1339 kfree(s); 1340 kfree(t); 1341 kfree(n); 1342 if (!selinux_enforcing) 1343 return 0; 1344 return -EACCES; 1345 } 1346 1347 static int security_compute_sid(u32 ssid, 1348 u32 tsid, 1349 u16 orig_tclass, 1350 u32 specified, 1351 u32 *out_sid, 1352 bool kern) 1353 { 1354 struct context *scontext = NULL, *tcontext = NULL, newcontext; 1355 struct role_trans *roletr = NULL; 1356 struct avtab_key avkey; 1357 struct avtab_datum *avdatum; 1358 struct avtab_node *node; 1359 u16 tclass; 1360 int rc = 0; 1361 1362 if (!ss_initialized) { 1363 switch (orig_tclass) { 1364 case SECCLASS_PROCESS: /* kernel value */ 1365 *out_sid = ssid; 1366 break; 1367 default: 1368 *out_sid = tsid; 1369 break; 1370 } 1371 goto out; 1372 } 1373 1374 context_init(&newcontext); 1375 1376 read_lock(&policy_rwlock); 1377 1378 if (kern) 1379 tclass = unmap_class(orig_tclass); 1380 else 1381 tclass = orig_tclass; 1382 1383 scontext = sidtab_search(&sidtab, ssid); 1384 if (!scontext) { 1385 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 1386 __func__, ssid); 1387 rc = -EINVAL; 1388 goto out_unlock; 1389 } 1390 tcontext = sidtab_search(&sidtab, tsid); 1391 if (!tcontext) { 1392 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 1393 __func__, tsid); 1394 rc = -EINVAL; 1395 goto out_unlock; 1396 } 1397 1398 /* Set the user identity. */ 1399 switch (specified) { 1400 case AVTAB_TRANSITION: 1401 case AVTAB_CHANGE: 1402 /* Use the process user identity. */ 1403 newcontext.user = scontext->user; 1404 break; 1405 case AVTAB_MEMBER: 1406 /* Use the related object owner. */ 1407 newcontext.user = tcontext->user; 1408 break; 1409 } 1410 1411 /* Set the role and type to default values. */ 1412 if (tclass == policydb.process_class) { 1413 /* Use the current role and type of process. */ 1414 newcontext.role = scontext->role; 1415 newcontext.type = scontext->type; 1416 } else { 1417 /* Use the well-defined object role. */ 1418 newcontext.role = OBJECT_R_VAL; 1419 /* Use the type of the related object. */ 1420 newcontext.type = tcontext->type; 1421 } 1422 1423 /* Look for a type transition/member/change rule. */ 1424 avkey.source_type = scontext->type; 1425 avkey.target_type = tcontext->type; 1426 avkey.target_class = tclass; 1427 avkey.specified = specified; 1428 avdatum = avtab_search(&policydb.te_avtab, &avkey); 1429 1430 /* If no permanent rule, also check for enabled conditional rules */ 1431 if (!avdatum) { 1432 node = avtab_search_node(&policydb.te_cond_avtab, &avkey); 1433 for (; node; node = avtab_search_node_next(node, specified)) { 1434 if (node->key.specified & AVTAB_ENABLED) { 1435 avdatum = &node->datum; 1436 break; 1437 } 1438 } 1439 } 1440 1441 if (avdatum) { 1442 /* Use the type from the type transition/member/change rule. */ 1443 newcontext.type = avdatum->data; 1444 } 1445 1446 /* Check for class-specific changes. */ 1447 if (tclass == policydb.process_class) { 1448 if (specified & AVTAB_TRANSITION) { 1449 /* Look for a role transition rule. */ 1450 for (roletr = policydb.role_tr; roletr; 1451 roletr = roletr->next) { 1452 if (roletr->role == scontext->role && 1453 roletr->type == tcontext->type) { 1454 /* Use the role transition rule. */ 1455 newcontext.role = roletr->new_role; 1456 break; 1457 } 1458 } 1459 } 1460 } 1461 1462 /* Set the MLS attributes. 1463 This is done last because it may allocate memory. */ 1464 rc = mls_compute_sid(scontext, tcontext, tclass, specified, &newcontext); 1465 if (rc) 1466 goto out_unlock; 1467 1468 /* Check the validity of the context. */ 1469 if (!policydb_context_isvalid(&policydb, &newcontext)) { 1470 rc = compute_sid_handle_invalid_context(scontext, 1471 tcontext, 1472 tclass, 1473 &newcontext); 1474 if (rc) 1475 goto out_unlock; 1476 } 1477 /* Obtain the sid for the context. */ 1478 rc = sidtab_context_to_sid(&sidtab, &newcontext, out_sid); 1479 out_unlock: 1480 read_unlock(&policy_rwlock); 1481 context_destroy(&newcontext); 1482 out: 1483 return rc; 1484 } 1485 1486 /** 1487 * security_transition_sid - Compute the SID for a new subject/object. 1488 * @ssid: source security identifier 1489 * @tsid: target security identifier 1490 * @tclass: target security class 1491 * @out_sid: security identifier for new subject/object 1492 * 1493 * Compute a SID to use for labeling a new subject or object in the 1494 * class @tclass based on a SID pair (@ssid, @tsid). 1495 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM 1496 * if insufficient memory is available, or %0 if the new SID was 1497 * computed successfully. 1498 */ 1499 int security_transition_sid(u32 ssid, 1500 u32 tsid, 1501 u16 tclass, 1502 u32 *out_sid) 1503 { 1504 return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, 1505 out_sid, true); 1506 } 1507 1508 int security_transition_sid_user(u32 ssid, 1509 u32 tsid, 1510 u16 tclass, 1511 u32 *out_sid) 1512 { 1513 return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, 1514 out_sid, false); 1515 } 1516 1517 /** 1518 * security_member_sid - Compute the SID for member selection. 1519 * @ssid: source security identifier 1520 * @tsid: target security identifier 1521 * @tclass: target security class 1522 * @out_sid: security identifier for selected member 1523 * 1524 * Compute a SID to use when selecting a member of a polyinstantiated 1525 * object of class @tclass based on a SID pair (@ssid, @tsid). 1526 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM 1527 * if insufficient memory is available, or %0 if the SID was 1528 * computed successfully. 1529 */ 1530 int security_member_sid(u32 ssid, 1531 u32 tsid, 1532 u16 tclass, 1533 u32 *out_sid) 1534 { 1535 return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid, 1536 false); 1537 } 1538 1539 /** 1540 * security_change_sid - Compute the SID for object relabeling. 1541 * @ssid: source security identifier 1542 * @tsid: target security identifier 1543 * @tclass: target security class 1544 * @out_sid: security identifier for selected member 1545 * 1546 * Compute a SID to use for relabeling an object of class @tclass 1547 * based on a SID pair (@ssid, @tsid). 1548 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM 1549 * if insufficient memory is available, or %0 if the SID was 1550 * computed successfully. 1551 */ 1552 int security_change_sid(u32 ssid, 1553 u32 tsid, 1554 u16 tclass, 1555 u32 *out_sid) 1556 { 1557 return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid, 1558 false); 1559 } 1560 1561 /* Clone the SID into the new SID table. */ 1562 static int clone_sid(u32 sid, 1563 struct context *context, 1564 void *arg) 1565 { 1566 struct sidtab *s = arg; 1567 1568 return sidtab_insert(s, sid, context); 1569 } 1570 1571 static inline int convert_context_handle_invalid_context(struct context *context) 1572 { 1573 int rc = 0; 1574 1575 if (selinux_enforcing) { 1576 rc = -EINVAL; 1577 } else { 1578 char *s; 1579 u32 len; 1580 1581 if (!context_struct_to_string(context, &s, &len)) { 1582 printk(KERN_WARNING 1583 "SELinux: Context %s would be invalid if enforcing\n", 1584 s); 1585 kfree(s); 1586 } 1587 } 1588 return rc; 1589 } 1590 1591 struct convert_context_args { 1592 struct policydb *oldp; 1593 struct policydb *newp; 1594 }; 1595 1596 /* 1597 * Convert the values in the security context 1598 * structure `c' from the values specified 1599 * in the policy `p->oldp' to the values specified 1600 * in the policy `p->newp'. Verify that the 1601 * context is valid under the new policy. 1602 */ 1603 static int convert_context(u32 key, 1604 struct context *c, 1605 void *p) 1606 { 1607 struct convert_context_args *args; 1608 struct context oldc; 1609 struct role_datum *role; 1610 struct type_datum *typdatum; 1611 struct user_datum *usrdatum; 1612 char *s; 1613 u32 len; 1614 int rc; 1615 1616 args = p; 1617 1618 if (c->str) { 1619 struct context ctx; 1620 s = kstrdup(c->str, GFP_KERNEL); 1621 if (!s) { 1622 rc = -ENOMEM; 1623 goto out; 1624 } 1625 rc = string_to_context_struct(args->newp, NULL, s, 1626 c->len, &ctx, SECSID_NULL); 1627 kfree(s); 1628 if (!rc) { 1629 printk(KERN_INFO 1630 "SELinux: Context %s became valid (mapped).\n", 1631 c->str); 1632 /* Replace string with mapped representation. */ 1633 kfree(c->str); 1634 memcpy(c, &ctx, sizeof(*c)); 1635 goto out; 1636 } else if (rc == -EINVAL) { 1637 /* Retain string representation for later mapping. */ 1638 rc = 0; 1639 goto out; 1640 } else { 1641 /* Other error condition, e.g. ENOMEM. */ 1642 printk(KERN_ERR 1643 "SELinux: Unable to map context %s, rc = %d.\n", 1644 c->str, -rc); 1645 goto out; 1646 } 1647 } 1648 1649 rc = context_cpy(&oldc, c); 1650 if (rc) 1651 goto out; 1652 1653 rc = -EINVAL; 1654 1655 /* Convert the user. */ 1656 usrdatum = hashtab_search(args->newp->p_users.table, 1657 args->oldp->p_user_val_to_name[c->user - 1]); 1658 if (!usrdatum) 1659 goto bad; 1660 c->user = usrdatum->value; 1661 1662 /* Convert the role. */ 1663 role = hashtab_search(args->newp->p_roles.table, 1664 args->oldp->p_role_val_to_name[c->role - 1]); 1665 if (!role) 1666 goto bad; 1667 c->role = role->value; 1668 1669 /* Convert the type. */ 1670 typdatum = hashtab_search(args->newp->p_types.table, 1671 args->oldp->p_type_val_to_name[c->type - 1]); 1672 if (!typdatum) 1673 goto bad; 1674 c->type = typdatum->value; 1675 1676 rc = mls_convert_context(args->oldp, args->newp, c); 1677 if (rc) 1678 goto bad; 1679 1680 /* Check the validity of the new context. */ 1681 if (!policydb_context_isvalid(args->newp, c)) { 1682 rc = convert_context_handle_invalid_context(&oldc); 1683 if (rc) 1684 goto bad; 1685 } 1686 1687 context_destroy(&oldc); 1688 rc = 0; 1689 out: 1690 return rc; 1691 bad: 1692 /* Map old representation to string and save it. */ 1693 if (context_struct_to_string(&oldc, &s, &len)) 1694 return -ENOMEM; 1695 context_destroy(&oldc); 1696 context_destroy(c); 1697 c->str = s; 1698 c->len = len; 1699 printk(KERN_INFO 1700 "SELinux: Context %s became invalid (unmapped).\n", 1701 c->str); 1702 rc = 0; 1703 goto out; 1704 } 1705 1706 static void security_load_policycaps(void) 1707 { 1708 selinux_policycap_netpeer = ebitmap_get_bit(&policydb.policycaps, 1709 POLICYDB_CAPABILITY_NETPEER); 1710 selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps, 1711 POLICYDB_CAPABILITY_OPENPERM); 1712 } 1713 1714 extern void selinux_complete_init(void); 1715 static int security_preserve_bools(struct policydb *p); 1716 1717 /** 1718 * security_load_policy - Load a security policy configuration. 1719 * @data: binary policy data 1720 * @len: length of data in bytes 1721 * 1722 * Load a new set of security policy configuration data, 1723 * validate it and convert the SID table as necessary. 1724 * This function will flush the access vector cache after 1725 * loading the new policy. 1726 */ 1727 int security_load_policy(void *data, size_t len) 1728 { 1729 struct policydb oldpolicydb, newpolicydb; 1730 struct sidtab oldsidtab, newsidtab; 1731 struct selinux_mapping *oldmap, *map = NULL; 1732 struct convert_context_args args; 1733 u32 seqno; 1734 u16 map_size; 1735 int rc = 0; 1736 struct policy_file file = { data, len }, *fp = &file; 1737 1738 if (!ss_initialized) { 1739 avtab_cache_init(); 1740 if (policydb_read(&policydb, fp)) { 1741 avtab_cache_destroy(); 1742 return -EINVAL; 1743 } 1744 if (selinux_set_mapping(&policydb, secclass_map, 1745 ¤t_mapping, 1746 ¤t_mapping_size)) { 1747 policydb_destroy(&policydb); 1748 avtab_cache_destroy(); 1749 return -EINVAL; 1750 } 1751 if (policydb_load_isids(&policydb, &sidtab)) { 1752 policydb_destroy(&policydb); 1753 avtab_cache_destroy(); 1754 return -EINVAL; 1755 } 1756 security_load_policycaps(); 1757 ss_initialized = 1; 1758 seqno = ++latest_granting; 1759 selinux_complete_init(); 1760 avc_ss_reset(seqno); 1761 selnl_notify_policyload(seqno); 1762 selinux_netlbl_cache_invalidate(); 1763 selinux_xfrm_notify_policyload(); 1764 return 0; 1765 } 1766 1767 #if 0 1768 sidtab_hash_eval(&sidtab, "sids"); 1769 #endif 1770 1771 if (policydb_read(&newpolicydb, fp)) 1772 return -EINVAL; 1773 1774 if (sidtab_init(&newsidtab)) { 1775 policydb_destroy(&newpolicydb); 1776 return -ENOMEM; 1777 } 1778 1779 if (selinux_set_mapping(&newpolicydb, secclass_map, 1780 &map, &map_size)) 1781 goto err; 1782 1783 rc = security_preserve_bools(&newpolicydb); 1784 if (rc) { 1785 printk(KERN_ERR "SELinux: unable to preserve booleans\n"); 1786 goto err; 1787 } 1788 1789 /* Clone the SID table. */ 1790 sidtab_shutdown(&sidtab); 1791 if (sidtab_map(&sidtab, clone_sid, &newsidtab)) { 1792 rc = -ENOMEM; 1793 goto err; 1794 } 1795 1796 /* 1797 * Convert the internal representations of contexts 1798 * in the new SID table. 1799 */ 1800 args.oldp = &policydb; 1801 args.newp = &newpolicydb; 1802 rc = sidtab_map(&newsidtab, convert_context, &args); 1803 if (rc) 1804 goto err; 1805 1806 /* Save the old policydb and SID table to free later. */ 1807 memcpy(&oldpolicydb, &policydb, sizeof policydb); 1808 sidtab_set(&oldsidtab, &sidtab); 1809 1810 /* Install the new policydb and SID table. */ 1811 write_lock_irq(&policy_rwlock); 1812 memcpy(&policydb, &newpolicydb, sizeof policydb); 1813 sidtab_set(&sidtab, &newsidtab); 1814 security_load_policycaps(); 1815 oldmap = current_mapping; 1816 current_mapping = map; 1817 current_mapping_size = map_size; 1818 seqno = ++latest_granting; 1819 write_unlock_irq(&policy_rwlock); 1820 1821 /* Free the old policydb and SID table. */ 1822 policydb_destroy(&oldpolicydb); 1823 sidtab_destroy(&oldsidtab); 1824 kfree(oldmap); 1825 1826 avc_ss_reset(seqno); 1827 selnl_notify_policyload(seqno); 1828 selinux_netlbl_cache_invalidate(); 1829 selinux_xfrm_notify_policyload(); 1830 1831 return 0; 1832 1833 err: 1834 kfree(map); 1835 sidtab_destroy(&newsidtab); 1836 policydb_destroy(&newpolicydb); 1837 return rc; 1838 1839 } 1840 1841 /** 1842 * security_port_sid - Obtain the SID for a port. 1843 * @protocol: protocol number 1844 * @port: port number 1845 * @out_sid: security identifier 1846 */ 1847 int security_port_sid(u8 protocol, u16 port, u32 *out_sid) 1848 { 1849 struct ocontext *c; 1850 int rc = 0; 1851 1852 read_lock(&policy_rwlock); 1853 1854 c = policydb.ocontexts[OCON_PORT]; 1855 while (c) { 1856 if (c->u.port.protocol == protocol && 1857 c->u.port.low_port <= port && 1858 c->u.port.high_port >= port) 1859 break; 1860 c = c->next; 1861 } 1862 1863 if (c) { 1864 if (!c->sid[0]) { 1865 rc = sidtab_context_to_sid(&sidtab, 1866 &c->context[0], 1867 &c->sid[0]); 1868 if (rc) 1869 goto out; 1870 } 1871 *out_sid = c->sid[0]; 1872 } else { 1873 *out_sid = SECINITSID_PORT; 1874 } 1875 1876 out: 1877 read_unlock(&policy_rwlock); 1878 return rc; 1879 } 1880 1881 /** 1882 * security_netif_sid - Obtain the SID for a network interface. 1883 * @name: interface name 1884 * @if_sid: interface SID 1885 */ 1886 int security_netif_sid(char *name, u32 *if_sid) 1887 { 1888 int rc = 0; 1889 struct ocontext *c; 1890 1891 read_lock(&policy_rwlock); 1892 1893 c = policydb.ocontexts[OCON_NETIF]; 1894 while (c) { 1895 if (strcmp(name, c->u.name) == 0) 1896 break; 1897 c = c->next; 1898 } 1899 1900 if (c) { 1901 if (!c->sid[0] || !c->sid[1]) { 1902 rc = sidtab_context_to_sid(&sidtab, 1903 &c->context[0], 1904 &c->sid[0]); 1905 if (rc) 1906 goto out; 1907 rc = sidtab_context_to_sid(&sidtab, 1908 &c->context[1], 1909 &c->sid[1]); 1910 if (rc) 1911 goto out; 1912 } 1913 *if_sid = c->sid[0]; 1914 } else 1915 *if_sid = SECINITSID_NETIF; 1916 1917 out: 1918 read_unlock(&policy_rwlock); 1919 return rc; 1920 } 1921 1922 static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask) 1923 { 1924 int i, fail = 0; 1925 1926 for (i = 0; i < 4; i++) 1927 if (addr[i] != (input[i] & mask[i])) { 1928 fail = 1; 1929 break; 1930 } 1931 1932 return !fail; 1933 } 1934 1935 /** 1936 * security_node_sid - Obtain the SID for a node (host). 1937 * @domain: communication domain aka address family 1938 * @addrp: address 1939 * @addrlen: address length in bytes 1940 * @out_sid: security identifier 1941 */ 1942 int security_node_sid(u16 domain, 1943 void *addrp, 1944 u32 addrlen, 1945 u32 *out_sid) 1946 { 1947 int rc = 0; 1948 struct ocontext *c; 1949 1950 read_lock(&policy_rwlock); 1951 1952 switch (domain) { 1953 case AF_INET: { 1954 u32 addr; 1955 1956 if (addrlen != sizeof(u32)) { 1957 rc = -EINVAL; 1958 goto out; 1959 } 1960 1961 addr = *((u32 *)addrp); 1962 1963 c = policydb.ocontexts[OCON_NODE]; 1964 while (c) { 1965 if (c->u.node.addr == (addr & c->u.node.mask)) 1966 break; 1967 c = c->next; 1968 } 1969 break; 1970 } 1971 1972 case AF_INET6: 1973 if (addrlen != sizeof(u64) * 2) { 1974 rc = -EINVAL; 1975 goto out; 1976 } 1977 c = policydb.ocontexts[OCON_NODE6]; 1978 while (c) { 1979 if (match_ipv6_addrmask(addrp, c->u.node6.addr, 1980 c->u.node6.mask)) 1981 break; 1982 c = c->next; 1983 } 1984 break; 1985 1986 default: 1987 *out_sid = SECINITSID_NODE; 1988 goto out; 1989 } 1990 1991 if (c) { 1992 if (!c->sid[0]) { 1993 rc = sidtab_context_to_sid(&sidtab, 1994 &c->context[0], 1995 &c->sid[0]); 1996 if (rc) 1997 goto out; 1998 } 1999 *out_sid = c->sid[0]; 2000 } else { 2001 *out_sid = SECINITSID_NODE; 2002 } 2003 2004 out: 2005 read_unlock(&policy_rwlock); 2006 return rc; 2007 } 2008 2009 #define SIDS_NEL 25 2010 2011 /** 2012 * security_get_user_sids - Obtain reachable SIDs for a user. 2013 * @fromsid: starting SID 2014 * @username: username 2015 * @sids: array of reachable SIDs for user 2016 * @nel: number of elements in @sids 2017 * 2018 * Generate the set of SIDs for legal security contexts 2019 * for a given user that can be reached by @fromsid. 2020 * Set *@sids to point to a dynamically allocated 2021 * array containing the set of SIDs. Set *@nel to the 2022 * number of elements in the array. 2023 */ 2024 2025 int security_get_user_sids(u32 fromsid, 2026 char *username, 2027 u32 **sids, 2028 u32 *nel) 2029 { 2030 struct context *fromcon, usercon; 2031 u32 *mysids = NULL, *mysids2, sid; 2032 u32 mynel = 0, maxnel = SIDS_NEL; 2033 struct user_datum *user; 2034 struct role_datum *role; 2035 struct ebitmap_node *rnode, *tnode; 2036 int rc = 0, i, j; 2037 2038 *sids = NULL; 2039 *nel = 0; 2040 2041 if (!ss_initialized) 2042 goto out; 2043 2044 read_lock(&policy_rwlock); 2045 2046 context_init(&usercon); 2047 2048 fromcon = sidtab_search(&sidtab, fromsid); 2049 if (!fromcon) { 2050 rc = -EINVAL; 2051 goto out_unlock; 2052 } 2053 2054 user = hashtab_search(policydb.p_users.table, username); 2055 if (!user) { 2056 rc = -EINVAL; 2057 goto out_unlock; 2058 } 2059 usercon.user = user->value; 2060 2061 mysids = kcalloc(maxnel, sizeof(*mysids), GFP_ATOMIC); 2062 if (!mysids) { 2063 rc = -ENOMEM; 2064 goto out_unlock; 2065 } 2066 2067 ebitmap_for_each_positive_bit(&user->roles, rnode, i) { 2068 role = policydb.role_val_to_struct[i]; 2069 usercon.role = i+1; 2070 ebitmap_for_each_positive_bit(&role->types, tnode, j) { 2071 usercon.type = j+1; 2072 2073 if (mls_setup_user_range(fromcon, user, &usercon)) 2074 continue; 2075 2076 rc = sidtab_context_to_sid(&sidtab, &usercon, &sid); 2077 if (rc) 2078 goto out_unlock; 2079 if (mynel < maxnel) { 2080 mysids[mynel++] = sid; 2081 } else { 2082 maxnel += SIDS_NEL; 2083 mysids2 = kcalloc(maxnel, sizeof(*mysids2), GFP_ATOMIC); 2084 if (!mysids2) { 2085 rc = -ENOMEM; 2086 goto out_unlock; 2087 } 2088 memcpy(mysids2, mysids, mynel * sizeof(*mysids2)); 2089 kfree(mysids); 2090 mysids = mysids2; 2091 mysids[mynel++] = sid; 2092 } 2093 } 2094 } 2095 2096 out_unlock: 2097 read_unlock(&policy_rwlock); 2098 if (rc || !mynel) { 2099 kfree(mysids); 2100 goto out; 2101 } 2102 2103 mysids2 = kcalloc(mynel, sizeof(*mysids2), GFP_KERNEL); 2104 if (!mysids2) { 2105 rc = -ENOMEM; 2106 kfree(mysids); 2107 goto out; 2108 } 2109 for (i = 0, j = 0; i < mynel; i++) { 2110 rc = avc_has_perm_noaudit(fromsid, mysids[i], 2111 SECCLASS_PROCESS, /* kernel value */ 2112 PROCESS__TRANSITION, AVC_STRICT, 2113 NULL); 2114 if (!rc) 2115 mysids2[j++] = mysids[i]; 2116 cond_resched(); 2117 } 2118 rc = 0; 2119 kfree(mysids); 2120 *sids = mysids2; 2121 *nel = j; 2122 out: 2123 return rc; 2124 } 2125 2126 /** 2127 * security_genfs_sid - Obtain a SID for a file in a filesystem 2128 * @fstype: filesystem type 2129 * @path: path from root of mount 2130 * @sclass: file security class 2131 * @sid: SID for path 2132 * 2133 * Obtain a SID to use for a file in a filesystem that 2134 * cannot support xattr or use a fixed labeling behavior like 2135 * transition SIDs or task SIDs. 2136 */ 2137 int security_genfs_sid(const char *fstype, 2138 char *path, 2139 u16 orig_sclass, 2140 u32 *sid) 2141 { 2142 int len; 2143 u16 sclass; 2144 struct genfs *genfs; 2145 struct ocontext *c; 2146 int rc = 0, cmp = 0; 2147 2148 while (path[0] == '/' && path[1] == '/') 2149 path++; 2150 2151 read_lock(&policy_rwlock); 2152 2153 sclass = unmap_class(orig_sclass); 2154 2155 for (genfs = policydb.genfs; genfs; genfs = genfs->next) { 2156 cmp = strcmp(fstype, genfs->fstype); 2157 if (cmp <= 0) 2158 break; 2159 } 2160 2161 if (!genfs || cmp) { 2162 *sid = SECINITSID_UNLABELED; 2163 rc = -ENOENT; 2164 goto out; 2165 } 2166 2167 for (c = genfs->head; c; c = c->next) { 2168 len = strlen(c->u.name); 2169 if ((!c->v.sclass || sclass == c->v.sclass) && 2170 (strncmp(c->u.name, path, len) == 0)) 2171 break; 2172 } 2173 2174 if (!c) { 2175 *sid = SECINITSID_UNLABELED; 2176 rc = -ENOENT; 2177 goto out; 2178 } 2179 2180 if (!c->sid[0]) { 2181 rc = sidtab_context_to_sid(&sidtab, 2182 &c->context[0], 2183 &c->sid[0]); 2184 if (rc) 2185 goto out; 2186 } 2187 2188 *sid = c->sid[0]; 2189 out: 2190 read_unlock(&policy_rwlock); 2191 return rc; 2192 } 2193 2194 /** 2195 * security_fs_use - Determine how to handle labeling for a filesystem. 2196 * @fstype: filesystem type 2197 * @behavior: labeling behavior 2198 * @sid: SID for filesystem (superblock) 2199 */ 2200 int security_fs_use( 2201 const char *fstype, 2202 unsigned int *behavior, 2203 u32 *sid) 2204 { 2205 int rc = 0; 2206 struct ocontext *c; 2207 2208 read_lock(&policy_rwlock); 2209 2210 c = policydb.ocontexts[OCON_FSUSE]; 2211 while (c) { 2212 if (strcmp(fstype, c->u.name) == 0) 2213 break; 2214 c = c->next; 2215 } 2216 2217 if (c) { 2218 *behavior = c->v.behavior; 2219 if (!c->sid[0]) { 2220 rc = sidtab_context_to_sid(&sidtab, 2221 &c->context[0], 2222 &c->sid[0]); 2223 if (rc) 2224 goto out; 2225 } 2226 *sid = c->sid[0]; 2227 } else { 2228 rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, sid); 2229 if (rc) { 2230 *behavior = SECURITY_FS_USE_NONE; 2231 rc = 0; 2232 } else { 2233 *behavior = SECURITY_FS_USE_GENFS; 2234 } 2235 } 2236 2237 out: 2238 read_unlock(&policy_rwlock); 2239 return rc; 2240 } 2241 2242 int security_get_bools(int *len, char ***names, int **values) 2243 { 2244 int i, rc = -ENOMEM; 2245 2246 read_lock(&policy_rwlock); 2247 *names = NULL; 2248 *values = NULL; 2249 2250 *len = policydb.p_bools.nprim; 2251 if (!*len) { 2252 rc = 0; 2253 goto out; 2254 } 2255 2256 *names = kcalloc(*len, sizeof(char *), GFP_ATOMIC); 2257 if (!*names) 2258 goto err; 2259 2260 *values = kcalloc(*len, sizeof(int), GFP_ATOMIC); 2261 if (!*values) 2262 goto err; 2263 2264 for (i = 0; i < *len; i++) { 2265 size_t name_len; 2266 (*values)[i] = policydb.bool_val_to_struct[i]->state; 2267 name_len = strlen(policydb.p_bool_val_to_name[i]) + 1; 2268 (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC); 2269 if (!(*names)[i]) 2270 goto err; 2271 strncpy((*names)[i], policydb.p_bool_val_to_name[i], name_len); 2272 (*names)[i][name_len - 1] = 0; 2273 } 2274 rc = 0; 2275 out: 2276 read_unlock(&policy_rwlock); 2277 return rc; 2278 err: 2279 if (*names) { 2280 for (i = 0; i < *len; i++) 2281 kfree((*names)[i]); 2282 } 2283 kfree(*values); 2284 goto out; 2285 } 2286 2287 2288 int security_set_bools(int len, int *values) 2289 { 2290 int i, rc = 0; 2291 int lenp, seqno = 0; 2292 struct cond_node *cur; 2293 2294 write_lock_irq(&policy_rwlock); 2295 2296 lenp = policydb.p_bools.nprim; 2297 if (len != lenp) { 2298 rc = -EFAULT; 2299 goto out; 2300 } 2301 2302 for (i = 0; i < len; i++) { 2303 if (!!values[i] != policydb.bool_val_to_struct[i]->state) { 2304 audit_log(current->audit_context, GFP_ATOMIC, 2305 AUDIT_MAC_CONFIG_CHANGE, 2306 "bool=%s val=%d old_val=%d auid=%u ses=%u", 2307 policydb.p_bool_val_to_name[i], 2308 !!values[i], 2309 policydb.bool_val_to_struct[i]->state, 2310 audit_get_loginuid(current), 2311 audit_get_sessionid(current)); 2312 } 2313 if (values[i]) 2314 policydb.bool_val_to_struct[i]->state = 1; 2315 else 2316 policydb.bool_val_to_struct[i]->state = 0; 2317 } 2318 2319 for (cur = policydb.cond_list; cur; cur = cur->next) { 2320 rc = evaluate_cond_node(&policydb, cur); 2321 if (rc) 2322 goto out; 2323 } 2324 2325 seqno = ++latest_granting; 2326 2327 out: 2328 write_unlock_irq(&policy_rwlock); 2329 if (!rc) { 2330 avc_ss_reset(seqno); 2331 selnl_notify_policyload(seqno); 2332 selinux_xfrm_notify_policyload(); 2333 } 2334 return rc; 2335 } 2336 2337 int security_get_bool_value(int bool) 2338 { 2339 int rc = 0; 2340 int len; 2341 2342 read_lock(&policy_rwlock); 2343 2344 len = policydb.p_bools.nprim; 2345 if (bool >= len) { 2346 rc = -EFAULT; 2347 goto out; 2348 } 2349 2350 rc = policydb.bool_val_to_struct[bool]->state; 2351 out: 2352 read_unlock(&policy_rwlock); 2353 return rc; 2354 } 2355 2356 static int security_preserve_bools(struct policydb *p) 2357 { 2358 int rc, nbools = 0, *bvalues = NULL, i; 2359 char **bnames = NULL; 2360 struct cond_bool_datum *booldatum; 2361 struct cond_node *cur; 2362 2363 rc = security_get_bools(&nbools, &bnames, &bvalues); 2364 if (rc) 2365 goto out; 2366 for (i = 0; i < nbools; i++) { 2367 booldatum = hashtab_search(p->p_bools.table, bnames[i]); 2368 if (booldatum) 2369 booldatum->state = bvalues[i]; 2370 } 2371 for (cur = p->cond_list; cur; cur = cur->next) { 2372 rc = evaluate_cond_node(p, cur); 2373 if (rc) 2374 goto out; 2375 } 2376 2377 out: 2378 if (bnames) { 2379 for (i = 0; i < nbools; i++) 2380 kfree(bnames[i]); 2381 } 2382 kfree(bnames); 2383 kfree(bvalues); 2384 return rc; 2385 } 2386 2387 /* 2388 * security_sid_mls_copy() - computes a new sid based on the given 2389 * sid and the mls portion of mls_sid. 2390 */ 2391 int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid) 2392 { 2393 struct context *context1; 2394 struct context *context2; 2395 struct context newcon; 2396 char *s; 2397 u32 len; 2398 int rc = 0; 2399 2400 if (!ss_initialized || !selinux_mls_enabled) { 2401 *new_sid = sid; 2402 goto out; 2403 } 2404 2405 context_init(&newcon); 2406 2407 read_lock(&policy_rwlock); 2408 context1 = sidtab_search(&sidtab, sid); 2409 if (!context1) { 2410 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 2411 __func__, sid); 2412 rc = -EINVAL; 2413 goto out_unlock; 2414 } 2415 2416 context2 = sidtab_search(&sidtab, mls_sid); 2417 if (!context2) { 2418 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 2419 __func__, mls_sid); 2420 rc = -EINVAL; 2421 goto out_unlock; 2422 } 2423 2424 newcon.user = context1->user; 2425 newcon.role = context1->role; 2426 newcon.type = context1->type; 2427 rc = mls_context_cpy(&newcon, context2); 2428 if (rc) 2429 goto out_unlock; 2430 2431 /* Check the validity of the new context. */ 2432 if (!policydb_context_isvalid(&policydb, &newcon)) { 2433 rc = convert_context_handle_invalid_context(&newcon); 2434 if (rc) 2435 goto bad; 2436 } 2437 2438 rc = sidtab_context_to_sid(&sidtab, &newcon, new_sid); 2439 goto out_unlock; 2440 2441 bad: 2442 if (!context_struct_to_string(&newcon, &s, &len)) { 2443 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2444 "security_sid_mls_copy: invalid context %s", s); 2445 kfree(s); 2446 } 2447 2448 out_unlock: 2449 read_unlock(&policy_rwlock); 2450 context_destroy(&newcon); 2451 out: 2452 return rc; 2453 } 2454 2455 /** 2456 * security_net_peersid_resolve - Compare and resolve two network peer SIDs 2457 * @nlbl_sid: NetLabel SID 2458 * @nlbl_type: NetLabel labeling protocol type 2459 * @xfrm_sid: XFRM SID 2460 * 2461 * Description: 2462 * Compare the @nlbl_sid and @xfrm_sid values and if the two SIDs can be 2463 * resolved into a single SID it is returned via @peer_sid and the function 2464 * returns zero. Otherwise @peer_sid is set to SECSID_NULL and the function 2465 * returns a negative value. A table summarizing the behavior is below: 2466 * 2467 * | function return | @sid 2468 * ------------------------------+-----------------+----------------- 2469 * no peer labels | 0 | SECSID_NULL 2470 * single peer label | 0 | <peer_label> 2471 * multiple, consistent labels | 0 | <peer_label> 2472 * multiple, inconsistent labels | -<errno> | SECSID_NULL 2473 * 2474 */ 2475 int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type, 2476 u32 xfrm_sid, 2477 u32 *peer_sid) 2478 { 2479 int rc; 2480 struct context *nlbl_ctx; 2481 struct context *xfrm_ctx; 2482 2483 /* handle the common (which also happens to be the set of easy) cases 2484 * right away, these two if statements catch everything involving a 2485 * single or absent peer SID/label */ 2486 if (xfrm_sid == SECSID_NULL) { 2487 *peer_sid = nlbl_sid; 2488 return 0; 2489 } 2490 /* NOTE: an nlbl_type == NETLBL_NLTYPE_UNLABELED is a "fallback" label 2491 * and is treated as if nlbl_sid == SECSID_NULL when a XFRM SID/label 2492 * is present */ 2493 if (nlbl_sid == SECSID_NULL || nlbl_type == NETLBL_NLTYPE_UNLABELED) { 2494 *peer_sid = xfrm_sid; 2495 return 0; 2496 } 2497 2498 /* we don't need to check ss_initialized here since the only way both 2499 * nlbl_sid and xfrm_sid are not equal to SECSID_NULL would be if the 2500 * security server was initialized and ss_initialized was true */ 2501 if (!selinux_mls_enabled) { 2502 *peer_sid = SECSID_NULL; 2503 return 0; 2504 } 2505 2506 read_lock(&policy_rwlock); 2507 2508 nlbl_ctx = sidtab_search(&sidtab, nlbl_sid); 2509 if (!nlbl_ctx) { 2510 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 2511 __func__, nlbl_sid); 2512 rc = -EINVAL; 2513 goto out_slowpath; 2514 } 2515 xfrm_ctx = sidtab_search(&sidtab, xfrm_sid); 2516 if (!xfrm_ctx) { 2517 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 2518 __func__, xfrm_sid); 2519 rc = -EINVAL; 2520 goto out_slowpath; 2521 } 2522 rc = (mls_context_cmp(nlbl_ctx, xfrm_ctx) ? 0 : -EACCES); 2523 2524 out_slowpath: 2525 read_unlock(&policy_rwlock); 2526 if (rc == 0) 2527 /* at present NetLabel SIDs/labels really only carry MLS 2528 * information so if the MLS portion of the NetLabel SID 2529 * matches the MLS portion of the labeled XFRM SID/label 2530 * then pass along the XFRM SID as it is the most 2531 * expressive */ 2532 *peer_sid = xfrm_sid; 2533 else 2534 *peer_sid = SECSID_NULL; 2535 return rc; 2536 } 2537 2538 static int get_classes_callback(void *k, void *d, void *args) 2539 { 2540 struct class_datum *datum = d; 2541 char *name = k, **classes = args; 2542 int value = datum->value - 1; 2543 2544 classes[value] = kstrdup(name, GFP_ATOMIC); 2545 if (!classes[value]) 2546 return -ENOMEM; 2547 2548 return 0; 2549 } 2550 2551 int security_get_classes(char ***classes, int *nclasses) 2552 { 2553 int rc = -ENOMEM; 2554 2555 read_lock(&policy_rwlock); 2556 2557 *nclasses = policydb.p_classes.nprim; 2558 *classes = kcalloc(*nclasses, sizeof(*classes), GFP_ATOMIC); 2559 if (!*classes) 2560 goto out; 2561 2562 rc = hashtab_map(policydb.p_classes.table, get_classes_callback, 2563 *classes); 2564 if (rc < 0) { 2565 int i; 2566 for (i = 0; i < *nclasses; i++) 2567 kfree((*classes)[i]); 2568 kfree(*classes); 2569 } 2570 2571 out: 2572 read_unlock(&policy_rwlock); 2573 return rc; 2574 } 2575 2576 static int get_permissions_callback(void *k, void *d, void *args) 2577 { 2578 struct perm_datum *datum = d; 2579 char *name = k, **perms = args; 2580 int value = datum->value - 1; 2581 2582 perms[value] = kstrdup(name, GFP_ATOMIC); 2583 if (!perms[value]) 2584 return -ENOMEM; 2585 2586 return 0; 2587 } 2588 2589 int security_get_permissions(char *class, char ***perms, int *nperms) 2590 { 2591 int rc = -ENOMEM, i; 2592 struct class_datum *match; 2593 2594 read_lock(&policy_rwlock); 2595 2596 match = hashtab_search(policydb.p_classes.table, class); 2597 if (!match) { 2598 printk(KERN_ERR "SELinux: %s: unrecognized class %s\n", 2599 __func__, class); 2600 rc = -EINVAL; 2601 goto out; 2602 } 2603 2604 *nperms = match->permissions.nprim; 2605 *perms = kcalloc(*nperms, sizeof(*perms), GFP_ATOMIC); 2606 if (!*perms) 2607 goto out; 2608 2609 if (match->comdatum) { 2610 rc = hashtab_map(match->comdatum->permissions.table, 2611 get_permissions_callback, *perms); 2612 if (rc < 0) 2613 goto err; 2614 } 2615 2616 rc = hashtab_map(match->permissions.table, get_permissions_callback, 2617 *perms); 2618 if (rc < 0) 2619 goto err; 2620 2621 out: 2622 read_unlock(&policy_rwlock); 2623 return rc; 2624 2625 err: 2626 read_unlock(&policy_rwlock); 2627 for (i = 0; i < *nperms; i++) 2628 kfree((*perms)[i]); 2629 kfree(*perms); 2630 return rc; 2631 } 2632 2633 int security_get_reject_unknown(void) 2634 { 2635 return policydb.reject_unknown; 2636 } 2637 2638 int security_get_allow_unknown(void) 2639 { 2640 return policydb.allow_unknown; 2641 } 2642 2643 /** 2644 * security_policycap_supported - Check for a specific policy capability 2645 * @req_cap: capability 2646 * 2647 * Description: 2648 * This function queries the currently loaded policy to see if it supports the 2649 * capability specified by @req_cap. Returns true (1) if the capability is 2650 * supported, false (0) if it isn't supported. 2651 * 2652 */ 2653 int security_policycap_supported(unsigned int req_cap) 2654 { 2655 int rc; 2656 2657 read_lock(&policy_rwlock); 2658 rc = ebitmap_get_bit(&policydb.policycaps, req_cap); 2659 read_unlock(&policy_rwlock); 2660 2661 return rc; 2662 } 2663 2664 struct selinux_audit_rule { 2665 u32 au_seqno; 2666 struct context au_ctxt; 2667 }; 2668 2669 void selinux_audit_rule_free(void *vrule) 2670 { 2671 struct selinux_audit_rule *rule = vrule; 2672 2673 if (rule) { 2674 context_destroy(&rule->au_ctxt); 2675 kfree(rule); 2676 } 2677 } 2678 2679 int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) 2680 { 2681 struct selinux_audit_rule *tmprule; 2682 struct role_datum *roledatum; 2683 struct type_datum *typedatum; 2684 struct user_datum *userdatum; 2685 struct selinux_audit_rule **rule = (struct selinux_audit_rule **)vrule; 2686 int rc = 0; 2687 2688 *rule = NULL; 2689 2690 if (!ss_initialized) 2691 return -EOPNOTSUPP; 2692 2693 switch (field) { 2694 case AUDIT_SUBJ_USER: 2695 case AUDIT_SUBJ_ROLE: 2696 case AUDIT_SUBJ_TYPE: 2697 case AUDIT_OBJ_USER: 2698 case AUDIT_OBJ_ROLE: 2699 case AUDIT_OBJ_TYPE: 2700 /* only 'equals' and 'not equals' fit user, role, and type */ 2701 if (op != Audit_equal && op != Audit_not_equal) 2702 return -EINVAL; 2703 break; 2704 case AUDIT_SUBJ_SEN: 2705 case AUDIT_SUBJ_CLR: 2706 case AUDIT_OBJ_LEV_LOW: 2707 case AUDIT_OBJ_LEV_HIGH: 2708 /* we do not allow a range, indicated by the presense of '-' */ 2709 if (strchr(rulestr, '-')) 2710 return -EINVAL; 2711 break; 2712 default: 2713 /* only the above fields are valid */ 2714 return -EINVAL; 2715 } 2716 2717 tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL); 2718 if (!tmprule) 2719 return -ENOMEM; 2720 2721 context_init(&tmprule->au_ctxt); 2722 2723 read_lock(&policy_rwlock); 2724 2725 tmprule->au_seqno = latest_granting; 2726 2727 switch (field) { 2728 case AUDIT_SUBJ_USER: 2729 case AUDIT_OBJ_USER: 2730 userdatum = hashtab_search(policydb.p_users.table, rulestr); 2731 if (!userdatum) 2732 rc = -EINVAL; 2733 else 2734 tmprule->au_ctxt.user = userdatum->value; 2735 break; 2736 case AUDIT_SUBJ_ROLE: 2737 case AUDIT_OBJ_ROLE: 2738 roledatum = hashtab_search(policydb.p_roles.table, rulestr); 2739 if (!roledatum) 2740 rc = -EINVAL; 2741 else 2742 tmprule->au_ctxt.role = roledatum->value; 2743 break; 2744 case AUDIT_SUBJ_TYPE: 2745 case AUDIT_OBJ_TYPE: 2746 typedatum = hashtab_search(policydb.p_types.table, rulestr); 2747 if (!typedatum) 2748 rc = -EINVAL; 2749 else 2750 tmprule->au_ctxt.type = typedatum->value; 2751 break; 2752 case AUDIT_SUBJ_SEN: 2753 case AUDIT_SUBJ_CLR: 2754 case AUDIT_OBJ_LEV_LOW: 2755 case AUDIT_OBJ_LEV_HIGH: 2756 rc = mls_from_string(rulestr, &tmprule->au_ctxt, GFP_ATOMIC); 2757 break; 2758 } 2759 2760 read_unlock(&policy_rwlock); 2761 2762 if (rc) { 2763 selinux_audit_rule_free(tmprule); 2764 tmprule = NULL; 2765 } 2766 2767 *rule = tmprule; 2768 2769 return rc; 2770 } 2771 2772 /* Check to see if the rule contains any selinux fields */ 2773 int selinux_audit_rule_known(struct audit_krule *rule) 2774 { 2775 int i; 2776 2777 for (i = 0; i < rule->field_count; i++) { 2778 struct audit_field *f = &rule->fields[i]; 2779 switch (f->type) { 2780 case AUDIT_SUBJ_USER: 2781 case AUDIT_SUBJ_ROLE: 2782 case AUDIT_SUBJ_TYPE: 2783 case AUDIT_SUBJ_SEN: 2784 case AUDIT_SUBJ_CLR: 2785 case AUDIT_OBJ_USER: 2786 case AUDIT_OBJ_ROLE: 2787 case AUDIT_OBJ_TYPE: 2788 case AUDIT_OBJ_LEV_LOW: 2789 case AUDIT_OBJ_LEV_HIGH: 2790 return 1; 2791 } 2792 } 2793 2794 return 0; 2795 } 2796 2797 int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, 2798 struct audit_context *actx) 2799 { 2800 struct context *ctxt; 2801 struct mls_level *level; 2802 struct selinux_audit_rule *rule = vrule; 2803 int match = 0; 2804 2805 if (!rule) { 2806 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2807 "selinux_audit_rule_match: missing rule\n"); 2808 return -ENOENT; 2809 } 2810 2811 read_lock(&policy_rwlock); 2812 2813 if (rule->au_seqno < latest_granting) { 2814 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2815 "selinux_audit_rule_match: stale rule\n"); 2816 match = -ESTALE; 2817 goto out; 2818 } 2819 2820 ctxt = sidtab_search(&sidtab, sid); 2821 if (!ctxt) { 2822 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2823 "selinux_audit_rule_match: unrecognized SID %d\n", 2824 sid); 2825 match = -ENOENT; 2826 goto out; 2827 } 2828 2829 /* a field/op pair that is not caught here will simply fall through 2830 without a match */ 2831 switch (field) { 2832 case AUDIT_SUBJ_USER: 2833 case AUDIT_OBJ_USER: 2834 switch (op) { 2835 case Audit_equal: 2836 match = (ctxt->user == rule->au_ctxt.user); 2837 break; 2838 case Audit_not_equal: 2839 match = (ctxt->user != rule->au_ctxt.user); 2840 break; 2841 } 2842 break; 2843 case AUDIT_SUBJ_ROLE: 2844 case AUDIT_OBJ_ROLE: 2845 switch (op) { 2846 case Audit_equal: 2847 match = (ctxt->role == rule->au_ctxt.role); 2848 break; 2849 case Audit_not_equal: 2850 match = (ctxt->role != rule->au_ctxt.role); 2851 break; 2852 } 2853 break; 2854 case AUDIT_SUBJ_TYPE: 2855 case AUDIT_OBJ_TYPE: 2856 switch (op) { 2857 case Audit_equal: 2858 match = (ctxt->type == rule->au_ctxt.type); 2859 break; 2860 case Audit_not_equal: 2861 match = (ctxt->type != rule->au_ctxt.type); 2862 break; 2863 } 2864 break; 2865 case AUDIT_SUBJ_SEN: 2866 case AUDIT_SUBJ_CLR: 2867 case AUDIT_OBJ_LEV_LOW: 2868 case AUDIT_OBJ_LEV_HIGH: 2869 level = ((field == AUDIT_SUBJ_SEN || 2870 field == AUDIT_OBJ_LEV_LOW) ? 2871 &ctxt->range.level[0] : &ctxt->range.level[1]); 2872 switch (op) { 2873 case Audit_equal: 2874 match = mls_level_eq(&rule->au_ctxt.range.level[0], 2875 level); 2876 break; 2877 case Audit_not_equal: 2878 match = !mls_level_eq(&rule->au_ctxt.range.level[0], 2879 level); 2880 break; 2881 case Audit_lt: 2882 match = (mls_level_dom(&rule->au_ctxt.range.level[0], 2883 level) && 2884 !mls_level_eq(&rule->au_ctxt.range.level[0], 2885 level)); 2886 break; 2887 case Audit_le: 2888 match = mls_level_dom(&rule->au_ctxt.range.level[0], 2889 level); 2890 break; 2891 case Audit_gt: 2892 match = (mls_level_dom(level, 2893 &rule->au_ctxt.range.level[0]) && 2894 !mls_level_eq(level, 2895 &rule->au_ctxt.range.level[0])); 2896 break; 2897 case Audit_ge: 2898 match = mls_level_dom(level, 2899 &rule->au_ctxt.range.level[0]); 2900 break; 2901 } 2902 } 2903 2904 out: 2905 read_unlock(&policy_rwlock); 2906 return match; 2907 } 2908 2909 static int (*aurule_callback)(void) = audit_update_lsm_rules; 2910 2911 static int aurule_avc_callback(u32 event, u32 ssid, u32 tsid, 2912 u16 class, u32 perms, u32 *retained) 2913 { 2914 int err = 0; 2915 2916 if (event == AVC_CALLBACK_RESET && aurule_callback) 2917 err = aurule_callback(); 2918 return err; 2919 } 2920 2921 static int __init aurule_init(void) 2922 { 2923 int err; 2924 2925 err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET, 2926 SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0); 2927 if (err) 2928 panic("avc_add_callback() failed, error %d\n", err); 2929 2930 return err; 2931 } 2932 __initcall(aurule_init); 2933 2934 #ifdef CONFIG_NETLABEL 2935 /** 2936 * security_netlbl_cache_add - Add an entry to the NetLabel cache 2937 * @secattr: the NetLabel packet security attributes 2938 * @sid: the SELinux SID 2939 * 2940 * Description: 2941 * Attempt to cache the context in @ctx, which was derived from the packet in 2942 * @skb, in the NetLabel subsystem cache. This function assumes @secattr has 2943 * already been initialized. 2944 * 2945 */ 2946 static void security_netlbl_cache_add(struct netlbl_lsm_secattr *secattr, 2947 u32 sid) 2948 { 2949 u32 *sid_cache; 2950 2951 sid_cache = kmalloc(sizeof(*sid_cache), GFP_ATOMIC); 2952 if (sid_cache == NULL) 2953 return; 2954 secattr->cache = netlbl_secattr_cache_alloc(GFP_ATOMIC); 2955 if (secattr->cache == NULL) { 2956 kfree(sid_cache); 2957 return; 2958 } 2959 2960 *sid_cache = sid; 2961 secattr->cache->free = kfree; 2962 secattr->cache->data = sid_cache; 2963 secattr->flags |= NETLBL_SECATTR_CACHE; 2964 } 2965 2966 /** 2967 * security_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID 2968 * @secattr: the NetLabel packet security attributes 2969 * @sid: the SELinux SID 2970 * 2971 * Description: 2972 * Convert the given NetLabel security attributes in @secattr into a 2973 * SELinux SID. If the @secattr field does not contain a full SELinux 2974 * SID/context then use SECINITSID_NETMSG as the foundation. If possibile the 2975 * 'cache' field of @secattr is set and the CACHE flag is set; this is to 2976 * allow the @secattr to be used by NetLabel to cache the secattr to SID 2977 * conversion for future lookups. Returns zero on success, negative values on 2978 * failure. 2979 * 2980 */ 2981 int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr, 2982 u32 *sid) 2983 { 2984 int rc = -EIDRM; 2985 struct context *ctx; 2986 struct context ctx_new; 2987 2988 if (!ss_initialized) { 2989 *sid = SECSID_NULL; 2990 return 0; 2991 } 2992 2993 read_lock(&policy_rwlock); 2994 2995 if (secattr->flags & NETLBL_SECATTR_CACHE) { 2996 *sid = *(u32 *)secattr->cache->data; 2997 rc = 0; 2998 } else if (secattr->flags & NETLBL_SECATTR_SECID) { 2999 *sid = secattr->attr.secid; 3000 rc = 0; 3001 } else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) { 3002 ctx = sidtab_search(&sidtab, SECINITSID_NETMSG); 3003 if (ctx == NULL) 3004 goto netlbl_secattr_to_sid_return; 3005 3006 context_init(&ctx_new); 3007 ctx_new.user = ctx->user; 3008 ctx_new.role = ctx->role; 3009 ctx_new.type = ctx->type; 3010 mls_import_netlbl_lvl(&ctx_new, secattr); 3011 if (secattr->flags & NETLBL_SECATTR_MLS_CAT) { 3012 if (ebitmap_netlbl_import(&ctx_new.range.level[0].cat, 3013 secattr->attr.mls.cat) != 0) 3014 goto netlbl_secattr_to_sid_return; 3015 memcpy(&ctx_new.range.level[1].cat, 3016 &ctx_new.range.level[0].cat, 3017 sizeof(ctx_new.range.level[0].cat)); 3018 } 3019 if (mls_context_isvalid(&policydb, &ctx_new) != 1) 3020 goto netlbl_secattr_to_sid_return_cleanup; 3021 3022 rc = sidtab_context_to_sid(&sidtab, &ctx_new, sid); 3023 if (rc != 0) 3024 goto netlbl_secattr_to_sid_return_cleanup; 3025 3026 security_netlbl_cache_add(secattr, *sid); 3027 3028 ebitmap_destroy(&ctx_new.range.level[0].cat); 3029 } else { 3030 *sid = SECSID_NULL; 3031 rc = 0; 3032 } 3033 3034 netlbl_secattr_to_sid_return: 3035 read_unlock(&policy_rwlock); 3036 return rc; 3037 netlbl_secattr_to_sid_return_cleanup: 3038 ebitmap_destroy(&ctx_new.range.level[0].cat); 3039 goto netlbl_secattr_to_sid_return; 3040 } 3041 3042 /** 3043 * security_netlbl_sid_to_secattr - Convert a SELinux SID to a NetLabel secattr 3044 * @sid: the SELinux SID 3045 * @secattr: the NetLabel packet security attributes 3046 * 3047 * Description: 3048 * Convert the given SELinux SID in @sid into a NetLabel security attribute. 3049 * Returns zero on success, negative values on failure. 3050 * 3051 */ 3052 int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr) 3053 { 3054 int rc; 3055 struct context *ctx; 3056 3057 if (!ss_initialized) 3058 return 0; 3059 3060 read_lock(&policy_rwlock); 3061 ctx = sidtab_search(&sidtab, sid); 3062 if (ctx == NULL) { 3063 rc = -ENOENT; 3064 goto netlbl_sid_to_secattr_failure; 3065 } 3066 secattr->domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1], 3067 GFP_ATOMIC); 3068 if (secattr->domain == NULL) { 3069 rc = -ENOMEM; 3070 goto netlbl_sid_to_secattr_failure; 3071 } 3072 secattr->attr.secid = sid; 3073 secattr->flags |= NETLBL_SECATTR_DOMAIN_CPY | NETLBL_SECATTR_SECID; 3074 mls_export_netlbl_lvl(ctx, secattr); 3075 rc = mls_export_netlbl_cat(ctx, secattr); 3076 if (rc != 0) 3077 goto netlbl_sid_to_secattr_failure; 3078 read_unlock(&policy_rwlock); 3079 3080 return 0; 3081 3082 netlbl_sid_to_secattr_failure: 3083 read_unlock(&policy_rwlock); 3084 return rc; 3085 } 3086 #endif /* CONFIG_NETLABEL */ 3087