xref: /openbmc/linux/security/selinux/ss/services.c (revision c0d3b831)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Implementation of the security services.
4  *
5  * Authors : Stephen Smalley, <sds@tycho.nsa.gov>
6  *	     James Morris <jmorris@redhat.com>
7  *
8  * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
9  *
10  *	Support for enhanced MLS infrastructure.
11  *	Support for context based audit filters.
12  *
13  * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
14  *
15  *	Added conditional policy language extensions
16  *
17  * Updated: Hewlett-Packard <paul@paul-moore.com>
18  *
19  *      Added support for NetLabel
20  *      Added support for the policy capability bitmap
21  *
22  * Updated: Chad Sellers <csellers@tresys.com>
23  *
24  *  Added validation of kernel classes and permissions
25  *
26  * Updated: KaiGai Kohei <kaigai@ak.jp.nec.com>
27  *
28  *  Added support for bounds domain and audit messaged on masked permissions
29  *
30  * Updated: Guido Trentalancia <guido@trentalancia.com>
31  *
32  *  Added support for runtime switching of the policy type
33  *
34  * Copyright (C) 2008, 2009 NEC Corporation
35  * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
36  * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
37  * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC
38  * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
39  */
40 #include <linux/kernel.h>
41 #include <linux/slab.h>
42 #include <linux/string.h>
43 #include <linux/spinlock.h>
44 #include <linux/rcupdate.h>
45 #include <linux/errno.h>
46 #include <linux/in.h>
47 #include <linux/sched.h>
48 #include <linux/audit.h>
49 #include <linux/vmalloc.h>
50 #include <linux/lsm_hooks.h>
51 #include <net/netlabel.h>
52 
53 #include "flask.h"
54 #include "avc.h"
55 #include "avc_ss.h"
56 #include "security.h"
57 #include "context.h"
58 #include "policydb.h"
59 #include "sidtab.h"
60 #include "services.h"
61 #include "conditional.h"
62 #include "mls.h"
63 #include "objsec.h"
64 #include "netlabel.h"
65 #include "xfrm.h"
66 #include "ebitmap.h"
67 #include "audit.h"
68 #include "policycap_names.h"
69 #include "ima.h"
70 
71 struct selinux_policy_convert_data {
72 	struct convert_context_args args;
73 	struct sidtab_convert_params sidtab_params;
74 };
75 
76 /* Forward declaration. */
77 static int context_struct_to_string(struct policydb *policydb,
78 				    struct context *context,
79 				    char **scontext,
80 				    u32 *scontext_len);
81 
82 static int sidtab_entry_to_string(struct policydb *policydb,
83 				  struct sidtab *sidtab,
84 				  struct sidtab_entry *entry,
85 				  char **scontext,
86 				  u32 *scontext_len);
87 
88 static void context_struct_compute_av(struct policydb *policydb,
89 				      struct context *scontext,
90 				      struct context *tcontext,
91 				      u16 tclass,
92 				      struct av_decision *avd,
93 				      struct extended_perms *xperms);
94 
95 static int selinux_set_mapping(struct policydb *pol,
96 			       const struct security_class_mapping *map,
97 			       struct selinux_map *out_map)
98 {
99 	u16 i, j;
100 	unsigned k;
101 	bool print_unknown_handle = false;
102 
103 	/* Find number of classes in the input mapping */
104 	if (!map)
105 		return -EINVAL;
106 	i = 0;
107 	while (map[i].name)
108 		i++;
109 
110 	/* Allocate space for the class records, plus one for class zero */
111 	out_map->mapping = kcalloc(++i, sizeof(*out_map->mapping), GFP_ATOMIC);
112 	if (!out_map->mapping)
113 		return -ENOMEM;
114 
115 	/* Store the raw class and permission values */
116 	j = 0;
117 	while (map[j].name) {
118 		const struct security_class_mapping *p_in = map + (j++);
119 		struct selinux_mapping *p_out = out_map->mapping + j;
120 
121 		/* An empty class string skips ahead */
122 		if (!strcmp(p_in->name, "")) {
123 			p_out->num_perms = 0;
124 			continue;
125 		}
126 
127 		p_out->value = string_to_security_class(pol, p_in->name);
128 		if (!p_out->value) {
129 			pr_info("SELinux:  Class %s not defined in policy.\n",
130 			       p_in->name);
131 			if (pol->reject_unknown)
132 				goto err;
133 			p_out->num_perms = 0;
134 			print_unknown_handle = true;
135 			continue;
136 		}
137 
138 		k = 0;
139 		while (p_in->perms[k]) {
140 			/* An empty permission string skips ahead */
141 			if (!*p_in->perms[k]) {
142 				k++;
143 				continue;
144 			}
145 			p_out->perms[k] = string_to_av_perm(pol, p_out->value,
146 							    p_in->perms[k]);
147 			if (!p_out->perms[k]) {
148 				pr_info("SELinux:  Permission %s in class %s not defined in policy.\n",
149 				       p_in->perms[k], p_in->name);
150 				if (pol->reject_unknown)
151 					goto err;
152 				print_unknown_handle = true;
153 			}
154 
155 			k++;
156 		}
157 		p_out->num_perms = k;
158 	}
159 
160 	if (print_unknown_handle)
161 		pr_info("SELinux: the above unknown classes and permissions will be %s\n",
162 		       pol->allow_unknown ? "allowed" : "denied");
163 
164 	out_map->size = i;
165 	return 0;
166 err:
167 	kfree(out_map->mapping);
168 	out_map->mapping = NULL;
169 	return -EINVAL;
170 }
171 
172 /*
173  * Get real, policy values from mapped values
174  */
175 
176 static u16 unmap_class(struct selinux_map *map, u16 tclass)
177 {
178 	if (tclass < map->size)
179 		return map->mapping[tclass].value;
180 
181 	return tclass;
182 }
183 
184 /*
185  * Get kernel value for class from its policy value
186  */
187 static u16 map_class(struct selinux_map *map, u16 pol_value)
188 {
189 	u16 i;
190 
191 	for (i = 1; i < map->size; i++) {
192 		if (map->mapping[i].value == pol_value)
193 			return i;
194 	}
195 
196 	return SECCLASS_NULL;
197 }
198 
199 static void map_decision(struct selinux_map *map,
200 			 u16 tclass, struct av_decision *avd,
201 			 int allow_unknown)
202 {
203 	if (tclass < map->size) {
204 		struct selinux_mapping *mapping = &map->mapping[tclass];
205 		unsigned int i, n = mapping->num_perms;
206 		u32 result;
207 
208 		for (i = 0, result = 0; i < n; i++) {
209 			if (avd->allowed & mapping->perms[i])
210 				result |= 1<<i;
211 			if (allow_unknown && !mapping->perms[i])
212 				result |= 1<<i;
213 		}
214 		avd->allowed = result;
215 
216 		for (i = 0, result = 0; i < n; i++)
217 			if (avd->auditallow & mapping->perms[i])
218 				result |= 1<<i;
219 		avd->auditallow = result;
220 
221 		for (i = 0, result = 0; i < n; i++) {
222 			if (avd->auditdeny & mapping->perms[i])
223 				result |= 1<<i;
224 			if (!allow_unknown && !mapping->perms[i])
225 				result |= 1<<i;
226 		}
227 		/*
228 		 * In case the kernel has a bug and requests a permission
229 		 * between num_perms and the maximum permission number, we
230 		 * should audit that denial
231 		 */
232 		for (; i < (sizeof(u32)*8); i++)
233 			result |= 1<<i;
234 		avd->auditdeny = result;
235 	}
236 }
237 
238 int security_mls_enabled(struct selinux_state *state)
239 {
240 	int mls_enabled;
241 	struct selinux_policy *policy;
242 
243 	if (!selinux_initialized(state))
244 		return 0;
245 
246 	rcu_read_lock();
247 	policy = rcu_dereference(state->policy);
248 	mls_enabled = policy->policydb.mls_enabled;
249 	rcu_read_unlock();
250 	return mls_enabled;
251 }
252 
253 /*
254  * Return the boolean value of a constraint expression
255  * when it is applied to the specified source and target
256  * security contexts.
257  *
258  * xcontext is a special beast...  It is used by the validatetrans rules
259  * only.  For these rules, scontext is the context before the transition,
260  * tcontext is the context after the transition, and xcontext is the context
261  * of the process performing the transition.  All other callers of
262  * constraint_expr_eval should pass in NULL for xcontext.
263  */
264 static int constraint_expr_eval(struct policydb *policydb,
265 				struct context *scontext,
266 				struct context *tcontext,
267 				struct context *xcontext,
268 				struct constraint_expr *cexpr)
269 {
270 	u32 val1, val2;
271 	struct context *c;
272 	struct role_datum *r1, *r2;
273 	struct mls_level *l1, *l2;
274 	struct constraint_expr *e;
275 	int s[CEXPR_MAXDEPTH];
276 	int sp = -1;
277 
278 	for (e = cexpr; e; e = e->next) {
279 		switch (e->expr_type) {
280 		case CEXPR_NOT:
281 			BUG_ON(sp < 0);
282 			s[sp] = !s[sp];
283 			break;
284 		case CEXPR_AND:
285 			BUG_ON(sp < 1);
286 			sp--;
287 			s[sp] &= s[sp + 1];
288 			break;
289 		case CEXPR_OR:
290 			BUG_ON(sp < 1);
291 			sp--;
292 			s[sp] |= s[sp + 1];
293 			break;
294 		case CEXPR_ATTR:
295 			if (sp == (CEXPR_MAXDEPTH - 1))
296 				return 0;
297 			switch (e->attr) {
298 			case CEXPR_USER:
299 				val1 = scontext->user;
300 				val2 = tcontext->user;
301 				break;
302 			case CEXPR_TYPE:
303 				val1 = scontext->type;
304 				val2 = tcontext->type;
305 				break;
306 			case CEXPR_ROLE:
307 				val1 = scontext->role;
308 				val2 = tcontext->role;
309 				r1 = policydb->role_val_to_struct[val1 - 1];
310 				r2 = policydb->role_val_to_struct[val2 - 1];
311 				switch (e->op) {
312 				case CEXPR_DOM:
313 					s[++sp] = ebitmap_get_bit(&r1->dominates,
314 								  val2 - 1);
315 					continue;
316 				case CEXPR_DOMBY:
317 					s[++sp] = ebitmap_get_bit(&r2->dominates,
318 								  val1 - 1);
319 					continue;
320 				case CEXPR_INCOMP:
321 					s[++sp] = (!ebitmap_get_bit(&r1->dominates,
322 								    val2 - 1) &&
323 						   !ebitmap_get_bit(&r2->dominates,
324 								    val1 - 1));
325 					continue;
326 				default:
327 					break;
328 				}
329 				break;
330 			case CEXPR_L1L2:
331 				l1 = &(scontext->range.level[0]);
332 				l2 = &(tcontext->range.level[0]);
333 				goto mls_ops;
334 			case CEXPR_L1H2:
335 				l1 = &(scontext->range.level[0]);
336 				l2 = &(tcontext->range.level[1]);
337 				goto mls_ops;
338 			case CEXPR_H1L2:
339 				l1 = &(scontext->range.level[1]);
340 				l2 = &(tcontext->range.level[0]);
341 				goto mls_ops;
342 			case CEXPR_H1H2:
343 				l1 = &(scontext->range.level[1]);
344 				l2 = &(tcontext->range.level[1]);
345 				goto mls_ops;
346 			case CEXPR_L1H1:
347 				l1 = &(scontext->range.level[0]);
348 				l2 = &(scontext->range.level[1]);
349 				goto mls_ops;
350 			case CEXPR_L2H2:
351 				l1 = &(tcontext->range.level[0]);
352 				l2 = &(tcontext->range.level[1]);
353 				goto mls_ops;
354 mls_ops:
355 				switch (e->op) {
356 				case CEXPR_EQ:
357 					s[++sp] = mls_level_eq(l1, l2);
358 					continue;
359 				case CEXPR_NEQ:
360 					s[++sp] = !mls_level_eq(l1, l2);
361 					continue;
362 				case CEXPR_DOM:
363 					s[++sp] = mls_level_dom(l1, l2);
364 					continue;
365 				case CEXPR_DOMBY:
366 					s[++sp] = mls_level_dom(l2, l1);
367 					continue;
368 				case CEXPR_INCOMP:
369 					s[++sp] = mls_level_incomp(l2, l1);
370 					continue;
371 				default:
372 					BUG();
373 					return 0;
374 				}
375 				break;
376 			default:
377 				BUG();
378 				return 0;
379 			}
380 
381 			switch (e->op) {
382 			case CEXPR_EQ:
383 				s[++sp] = (val1 == val2);
384 				break;
385 			case CEXPR_NEQ:
386 				s[++sp] = (val1 != val2);
387 				break;
388 			default:
389 				BUG();
390 				return 0;
391 			}
392 			break;
393 		case CEXPR_NAMES:
394 			if (sp == (CEXPR_MAXDEPTH-1))
395 				return 0;
396 			c = scontext;
397 			if (e->attr & CEXPR_TARGET)
398 				c = tcontext;
399 			else if (e->attr & CEXPR_XTARGET) {
400 				c = xcontext;
401 				if (!c) {
402 					BUG();
403 					return 0;
404 				}
405 			}
406 			if (e->attr & CEXPR_USER)
407 				val1 = c->user;
408 			else if (e->attr & CEXPR_ROLE)
409 				val1 = c->role;
410 			else if (e->attr & CEXPR_TYPE)
411 				val1 = c->type;
412 			else {
413 				BUG();
414 				return 0;
415 			}
416 
417 			switch (e->op) {
418 			case CEXPR_EQ:
419 				s[++sp] = ebitmap_get_bit(&e->names, val1 - 1);
420 				break;
421 			case CEXPR_NEQ:
422 				s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1);
423 				break;
424 			default:
425 				BUG();
426 				return 0;
427 			}
428 			break;
429 		default:
430 			BUG();
431 			return 0;
432 		}
433 	}
434 
435 	BUG_ON(sp != 0);
436 	return s[0];
437 }
438 
439 /*
440  * security_dump_masked_av - dumps masked permissions during
441  * security_compute_av due to RBAC, MLS/Constraint and Type bounds.
442  */
443 static int dump_masked_av_helper(void *k, void *d, void *args)
444 {
445 	struct perm_datum *pdatum = d;
446 	char **permission_names = args;
447 
448 	BUG_ON(pdatum->value < 1 || pdatum->value > 32);
449 
450 	permission_names[pdatum->value - 1] = (char *)k;
451 
452 	return 0;
453 }
454 
455 static void security_dump_masked_av(struct policydb *policydb,
456 				    struct context *scontext,
457 				    struct context *tcontext,
458 				    u16 tclass,
459 				    u32 permissions,
460 				    const char *reason)
461 {
462 	struct common_datum *common_dat;
463 	struct class_datum *tclass_dat;
464 	struct audit_buffer *ab;
465 	char *tclass_name;
466 	char *scontext_name = NULL;
467 	char *tcontext_name = NULL;
468 	char *permission_names[32];
469 	int index;
470 	u32 length;
471 	bool need_comma = false;
472 
473 	if (!permissions)
474 		return;
475 
476 	tclass_name = sym_name(policydb, SYM_CLASSES, tclass - 1);
477 	tclass_dat = policydb->class_val_to_struct[tclass - 1];
478 	common_dat = tclass_dat->comdatum;
479 
480 	/* init permission_names */
481 	if (common_dat &&
482 	    hashtab_map(&common_dat->permissions.table,
483 			dump_masked_av_helper, permission_names) < 0)
484 		goto out;
485 
486 	if (hashtab_map(&tclass_dat->permissions.table,
487 			dump_masked_av_helper, permission_names) < 0)
488 		goto out;
489 
490 	/* get scontext/tcontext in text form */
491 	if (context_struct_to_string(policydb, scontext,
492 				     &scontext_name, &length) < 0)
493 		goto out;
494 
495 	if (context_struct_to_string(policydb, tcontext,
496 				     &tcontext_name, &length) < 0)
497 		goto out;
498 
499 	/* audit a message */
500 	ab = audit_log_start(audit_context(),
501 			     GFP_ATOMIC, AUDIT_SELINUX_ERR);
502 	if (!ab)
503 		goto out;
504 
505 	audit_log_format(ab, "op=security_compute_av reason=%s "
506 			 "scontext=%s tcontext=%s tclass=%s perms=",
507 			 reason, scontext_name, tcontext_name, tclass_name);
508 
509 	for (index = 0; index < 32; index++) {
510 		u32 mask = (1 << index);
511 
512 		if ((mask & permissions) == 0)
513 			continue;
514 
515 		audit_log_format(ab, "%s%s",
516 				 need_comma ? "," : "",
517 				 permission_names[index]
518 				 ? permission_names[index] : "????");
519 		need_comma = true;
520 	}
521 	audit_log_end(ab);
522 out:
523 	/* release scontext/tcontext */
524 	kfree(tcontext_name);
525 	kfree(scontext_name);
526 }
527 
528 /*
529  * security_boundary_permission - drops violated permissions
530  * on boundary constraint.
531  */
532 static void type_attribute_bounds_av(struct policydb *policydb,
533 				     struct context *scontext,
534 				     struct context *tcontext,
535 				     u16 tclass,
536 				     struct av_decision *avd)
537 {
538 	struct context lo_scontext;
539 	struct context lo_tcontext, *tcontextp = tcontext;
540 	struct av_decision lo_avd;
541 	struct type_datum *source;
542 	struct type_datum *target;
543 	u32 masked = 0;
544 
545 	source = policydb->type_val_to_struct[scontext->type - 1];
546 	BUG_ON(!source);
547 
548 	if (!source->bounds)
549 		return;
550 
551 	target = policydb->type_val_to_struct[tcontext->type - 1];
552 	BUG_ON(!target);
553 
554 	memset(&lo_avd, 0, sizeof(lo_avd));
555 
556 	memcpy(&lo_scontext, scontext, sizeof(lo_scontext));
557 	lo_scontext.type = source->bounds;
558 
559 	if (target->bounds) {
560 		memcpy(&lo_tcontext, tcontext, sizeof(lo_tcontext));
561 		lo_tcontext.type = target->bounds;
562 		tcontextp = &lo_tcontext;
563 	}
564 
565 	context_struct_compute_av(policydb, &lo_scontext,
566 				  tcontextp,
567 				  tclass,
568 				  &lo_avd,
569 				  NULL);
570 
571 	masked = ~lo_avd.allowed & avd->allowed;
572 
573 	if (likely(!masked))
574 		return;		/* no masked permission */
575 
576 	/* mask violated permissions */
577 	avd->allowed &= ~masked;
578 
579 	/* audit masked permissions */
580 	security_dump_masked_av(policydb, scontext, tcontext,
581 				tclass, masked, "bounds");
582 }
583 
584 /*
585  * flag which drivers have permissions
586  * only looking for ioctl based extended permssions
587  */
588 void services_compute_xperms_drivers(
589 		struct extended_perms *xperms,
590 		struct avtab_node *node)
591 {
592 	unsigned int i;
593 
594 	if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) {
595 		/* if one or more driver has all permissions allowed */
596 		for (i = 0; i < ARRAY_SIZE(xperms->drivers.p); i++)
597 			xperms->drivers.p[i] |= node->datum.u.xperms->perms.p[i];
598 	} else if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) {
599 		/* if allowing permissions within a driver */
600 		security_xperm_set(xperms->drivers.p,
601 					node->datum.u.xperms->driver);
602 	}
603 
604 	xperms->len = 1;
605 }
606 
607 /*
608  * Compute access vectors and extended permissions based on a context
609  * structure pair for the permissions in a particular class.
610  */
611 static void context_struct_compute_av(struct policydb *policydb,
612 				      struct context *scontext,
613 				      struct context *tcontext,
614 				      u16 tclass,
615 				      struct av_decision *avd,
616 				      struct extended_perms *xperms)
617 {
618 	struct constraint_node *constraint;
619 	struct role_allow *ra;
620 	struct avtab_key avkey;
621 	struct avtab_node *node;
622 	struct class_datum *tclass_datum;
623 	struct ebitmap *sattr, *tattr;
624 	struct ebitmap_node *snode, *tnode;
625 	unsigned int i, j;
626 
627 	avd->allowed = 0;
628 	avd->auditallow = 0;
629 	avd->auditdeny = 0xffffffff;
630 	if (xperms) {
631 		memset(&xperms->drivers, 0, sizeof(xperms->drivers));
632 		xperms->len = 0;
633 	}
634 
635 	if (unlikely(!tclass || tclass > policydb->p_classes.nprim)) {
636 		if (printk_ratelimit())
637 			pr_warn("SELinux:  Invalid class %hu\n", tclass);
638 		return;
639 	}
640 
641 	tclass_datum = policydb->class_val_to_struct[tclass - 1];
642 
643 	/*
644 	 * If a specific type enforcement rule was defined for
645 	 * this permission check, then use it.
646 	 */
647 	avkey.target_class = tclass;
648 	avkey.specified = AVTAB_AV | AVTAB_XPERMS;
649 	sattr = &policydb->type_attr_map_array[scontext->type - 1];
650 	tattr = &policydb->type_attr_map_array[tcontext->type - 1];
651 	ebitmap_for_each_positive_bit(sattr, snode, i) {
652 		ebitmap_for_each_positive_bit(tattr, tnode, j) {
653 			avkey.source_type = i + 1;
654 			avkey.target_type = j + 1;
655 			for (node = avtab_search_node(&policydb->te_avtab,
656 						      &avkey);
657 			     node;
658 			     node = avtab_search_node_next(node, avkey.specified)) {
659 				if (node->key.specified == AVTAB_ALLOWED)
660 					avd->allowed |= node->datum.u.data;
661 				else if (node->key.specified == AVTAB_AUDITALLOW)
662 					avd->auditallow |= node->datum.u.data;
663 				else if (node->key.specified == AVTAB_AUDITDENY)
664 					avd->auditdeny &= node->datum.u.data;
665 				else if (xperms && (node->key.specified & AVTAB_XPERMS))
666 					services_compute_xperms_drivers(xperms, node);
667 			}
668 
669 			/* Check conditional av table for additional permissions */
670 			cond_compute_av(&policydb->te_cond_avtab, &avkey,
671 					avd, xperms);
672 
673 		}
674 	}
675 
676 	/*
677 	 * Remove any permissions prohibited by a constraint (this includes
678 	 * the MLS policy).
679 	 */
680 	constraint = tclass_datum->constraints;
681 	while (constraint) {
682 		if ((constraint->permissions & (avd->allowed)) &&
683 		    !constraint_expr_eval(policydb, scontext, tcontext, NULL,
684 					  constraint->expr)) {
685 			avd->allowed &= ~(constraint->permissions);
686 		}
687 		constraint = constraint->next;
688 	}
689 
690 	/*
691 	 * If checking process transition permission and the
692 	 * role is changing, then check the (current_role, new_role)
693 	 * pair.
694 	 */
695 	if (tclass == policydb->process_class &&
696 	    (avd->allowed & policydb->process_trans_perms) &&
697 	    scontext->role != tcontext->role) {
698 		for (ra = policydb->role_allow; ra; ra = ra->next) {
699 			if (scontext->role == ra->role &&
700 			    tcontext->role == ra->new_role)
701 				break;
702 		}
703 		if (!ra)
704 			avd->allowed &= ~policydb->process_trans_perms;
705 	}
706 
707 	/*
708 	 * If the given source and target types have boundary
709 	 * constraint, lazy checks have to mask any violated
710 	 * permission and notice it to userspace via audit.
711 	 */
712 	type_attribute_bounds_av(policydb, scontext, tcontext,
713 				 tclass, avd);
714 }
715 
716 static int security_validtrans_handle_fail(struct selinux_state *state,
717 					struct selinux_policy *policy,
718 					struct sidtab_entry *oentry,
719 					struct sidtab_entry *nentry,
720 					struct sidtab_entry *tentry,
721 					u16 tclass)
722 {
723 	struct policydb *p = &policy->policydb;
724 	struct sidtab *sidtab = policy->sidtab;
725 	char *o = NULL, *n = NULL, *t = NULL;
726 	u32 olen, nlen, tlen;
727 
728 	if (sidtab_entry_to_string(p, sidtab, oentry, &o, &olen))
729 		goto out;
730 	if (sidtab_entry_to_string(p, sidtab, nentry, &n, &nlen))
731 		goto out;
732 	if (sidtab_entry_to_string(p, sidtab, tentry, &t, &tlen))
733 		goto out;
734 	audit_log(audit_context(), GFP_ATOMIC, AUDIT_SELINUX_ERR,
735 		  "op=security_validate_transition seresult=denied"
736 		  " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
737 		  o, n, t, sym_name(p, SYM_CLASSES, tclass-1));
738 out:
739 	kfree(o);
740 	kfree(n);
741 	kfree(t);
742 
743 	if (!enforcing_enabled(state))
744 		return 0;
745 	return -EPERM;
746 }
747 
748 static int security_compute_validatetrans(struct selinux_state *state,
749 					  u32 oldsid, u32 newsid, u32 tasksid,
750 					  u16 orig_tclass, bool user)
751 {
752 	struct selinux_policy *policy;
753 	struct policydb *policydb;
754 	struct sidtab *sidtab;
755 	struct sidtab_entry *oentry;
756 	struct sidtab_entry *nentry;
757 	struct sidtab_entry *tentry;
758 	struct class_datum *tclass_datum;
759 	struct constraint_node *constraint;
760 	u16 tclass;
761 	int rc = 0;
762 
763 
764 	if (!selinux_initialized(state))
765 		return 0;
766 
767 	rcu_read_lock();
768 
769 	policy = rcu_dereference(state->policy);
770 	policydb = &policy->policydb;
771 	sidtab = policy->sidtab;
772 
773 	if (!user)
774 		tclass = unmap_class(&policy->map, orig_tclass);
775 	else
776 		tclass = orig_tclass;
777 
778 	if (!tclass || tclass > policydb->p_classes.nprim) {
779 		rc = -EINVAL;
780 		goto out;
781 	}
782 	tclass_datum = policydb->class_val_to_struct[tclass - 1];
783 
784 	oentry = sidtab_search_entry(sidtab, oldsid);
785 	if (!oentry) {
786 		pr_err("SELinux: %s:  unrecognized SID %d\n",
787 			__func__, oldsid);
788 		rc = -EINVAL;
789 		goto out;
790 	}
791 
792 	nentry = sidtab_search_entry(sidtab, newsid);
793 	if (!nentry) {
794 		pr_err("SELinux: %s:  unrecognized SID %d\n",
795 			__func__, newsid);
796 		rc = -EINVAL;
797 		goto out;
798 	}
799 
800 	tentry = sidtab_search_entry(sidtab, tasksid);
801 	if (!tentry) {
802 		pr_err("SELinux: %s:  unrecognized SID %d\n",
803 			__func__, tasksid);
804 		rc = -EINVAL;
805 		goto out;
806 	}
807 
808 	constraint = tclass_datum->validatetrans;
809 	while (constraint) {
810 		if (!constraint_expr_eval(policydb, &oentry->context,
811 					  &nentry->context, &tentry->context,
812 					  constraint->expr)) {
813 			if (user)
814 				rc = -EPERM;
815 			else
816 				rc = security_validtrans_handle_fail(state,
817 								policy,
818 								oentry,
819 								nentry,
820 								tentry,
821 								tclass);
822 			goto out;
823 		}
824 		constraint = constraint->next;
825 	}
826 
827 out:
828 	rcu_read_unlock();
829 	return rc;
830 }
831 
832 int security_validate_transition_user(struct selinux_state *state,
833 				      u32 oldsid, u32 newsid, u32 tasksid,
834 				      u16 tclass)
835 {
836 	return security_compute_validatetrans(state, oldsid, newsid, tasksid,
837 					      tclass, true);
838 }
839 
840 int security_validate_transition(struct selinux_state *state,
841 				 u32 oldsid, u32 newsid, u32 tasksid,
842 				 u16 orig_tclass)
843 {
844 	return security_compute_validatetrans(state, oldsid, newsid, tasksid,
845 					      orig_tclass, false);
846 }
847 
848 /*
849  * security_bounded_transition - check whether the given
850  * transition is directed to bounded, or not.
851  * It returns 0, if @newsid is bounded by @oldsid.
852  * Otherwise, it returns error code.
853  *
854  * @state: SELinux state
855  * @oldsid : current security identifier
856  * @newsid : destinated security identifier
857  */
858 int security_bounded_transition(struct selinux_state *state,
859 				u32 old_sid, u32 new_sid)
860 {
861 	struct selinux_policy *policy;
862 	struct policydb *policydb;
863 	struct sidtab *sidtab;
864 	struct sidtab_entry *old_entry, *new_entry;
865 	struct type_datum *type;
866 	int index;
867 	int rc;
868 
869 	if (!selinux_initialized(state))
870 		return 0;
871 
872 	rcu_read_lock();
873 	policy = rcu_dereference(state->policy);
874 	policydb = &policy->policydb;
875 	sidtab = policy->sidtab;
876 
877 	rc = -EINVAL;
878 	old_entry = sidtab_search_entry(sidtab, old_sid);
879 	if (!old_entry) {
880 		pr_err("SELinux: %s: unrecognized SID %u\n",
881 		       __func__, old_sid);
882 		goto out;
883 	}
884 
885 	rc = -EINVAL;
886 	new_entry = sidtab_search_entry(sidtab, new_sid);
887 	if (!new_entry) {
888 		pr_err("SELinux: %s: unrecognized SID %u\n",
889 		       __func__, new_sid);
890 		goto out;
891 	}
892 
893 	rc = 0;
894 	/* type/domain unchanged */
895 	if (old_entry->context.type == new_entry->context.type)
896 		goto out;
897 
898 	index = new_entry->context.type;
899 	while (true) {
900 		type = policydb->type_val_to_struct[index - 1];
901 		BUG_ON(!type);
902 
903 		/* not bounded anymore */
904 		rc = -EPERM;
905 		if (!type->bounds)
906 			break;
907 
908 		/* @newsid is bounded by @oldsid */
909 		rc = 0;
910 		if (type->bounds == old_entry->context.type)
911 			break;
912 
913 		index = type->bounds;
914 	}
915 
916 	if (rc) {
917 		char *old_name = NULL;
918 		char *new_name = NULL;
919 		u32 length;
920 
921 		if (!sidtab_entry_to_string(policydb, sidtab, old_entry,
922 					    &old_name, &length) &&
923 		    !sidtab_entry_to_string(policydb, sidtab, new_entry,
924 					    &new_name, &length)) {
925 			audit_log(audit_context(),
926 				  GFP_ATOMIC, AUDIT_SELINUX_ERR,
927 				  "op=security_bounded_transition "
928 				  "seresult=denied "
929 				  "oldcontext=%s newcontext=%s",
930 				  old_name, new_name);
931 		}
932 		kfree(new_name);
933 		kfree(old_name);
934 	}
935 out:
936 	rcu_read_unlock();
937 
938 	return rc;
939 }
940 
941 static void avd_init(struct selinux_policy *policy, struct av_decision *avd)
942 {
943 	avd->allowed = 0;
944 	avd->auditallow = 0;
945 	avd->auditdeny = 0xffffffff;
946 	if (policy)
947 		avd->seqno = policy->latest_granting;
948 	else
949 		avd->seqno = 0;
950 	avd->flags = 0;
951 }
952 
953 void services_compute_xperms_decision(struct extended_perms_decision *xpermd,
954 					struct avtab_node *node)
955 {
956 	unsigned int i;
957 
958 	if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) {
959 		if (xpermd->driver != node->datum.u.xperms->driver)
960 			return;
961 	} else if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) {
962 		if (!security_xperm_test(node->datum.u.xperms->perms.p,
963 					xpermd->driver))
964 			return;
965 	} else {
966 		BUG();
967 	}
968 
969 	if (node->key.specified == AVTAB_XPERMS_ALLOWED) {
970 		xpermd->used |= XPERMS_ALLOWED;
971 		if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) {
972 			memset(xpermd->allowed->p, 0xff,
973 					sizeof(xpermd->allowed->p));
974 		}
975 		if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) {
976 			for (i = 0; i < ARRAY_SIZE(xpermd->allowed->p); i++)
977 				xpermd->allowed->p[i] |=
978 					node->datum.u.xperms->perms.p[i];
979 		}
980 	} else if (node->key.specified == AVTAB_XPERMS_AUDITALLOW) {
981 		xpermd->used |= XPERMS_AUDITALLOW;
982 		if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) {
983 			memset(xpermd->auditallow->p, 0xff,
984 					sizeof(xpermd->auditallow->p));
985 		}
986 		if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) {
987 			for (i = 0; i < ARRAY_SIZE(xpermd->auditallow->p); i++)
988 				xpermd->auditallow->p[i] |=
989 					node->datum.u.xperms->perms.p[i];
990 		}
991 	} else if (node->key.specified == AVTAB_XPERMS_DONTAUDIT) {
992 		xpermd->used |= XPERMS_DONTAUDIT;
993 		if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) {
994 			memset(xpermd->dontaudit->p, 0xff,
995 					sizeof(xpermd->dontaudit->p));
996 		}
997 		if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) {
998 			for (i = 0; i < ARRAY_SIZE(xpermd->dontaudit->p); i++)
999 				xpermd->dontaudit->p[i] |=
1000 					node->datum.u.xperms->perms.p[i];
1001 		}
1002 	} else {
1003 		BUG();
1004 	}
1005 }
1006 
1007 void security_compute_xperms_decision(struct selinux_state *state,
1008 				      u32 ssid,
1009 				      u32 tsid,
1010 				      u16 orig_tclass,
1011 				      u8 driver,
1012 				      struct extended_perms_decision *xpermd)
1013 {
1014 	struct selinux_policy *policy;
1015 	struct policydb *policydb;
1016 	struct sidtab *sidtab;
1017 	u16 tclass;
1018 	struct context *scontext, *tcontext;
1019 	struct avtab_key avkey;
1020 	struct avtab_node *node;
1021 	struct ebitmap *sattr, *tattr;
1022 	struct ebitmap_node *snode, *tnode;
1023 	unsigned int i, j;
1024 
1025 	xpermd->driver = driver;
1026 	xpermd->used = 0;
1027 	memset(xpermd->allowed->p, 0, sizeof(xpermd->allowed->p));
1028 	memset(xpermd->auditallow->p, 0, sizeof(xpermd->auditallow->p));
1029 	memset(xpermd->dontaudit->p, 0, sizeof(xpermd->dontaudit->p));
1030 
1031 	rcu_read_lock();
1032 	if (!selinux_initialized(state))
1033 		goto allow;
1034 
1035 	policy = rcu_dereference(state->policy);
1036 	policydb = &policy->policydb;
1037 	sidtab = policy->sidtab;
1038 
1039 	scontext = sidtab_search(sidtab, ssid);
1040 	if (!scontext) {
1041 		pr_err("SELinux: %s:  unrecognized SID %d\n",
1042 		       __func__, ssid);
1043 		goto out;
1044 	}
1045 
1046 	tcontext = sidtab_search(sidtab, tsid);
1047 	if (!tcontext) {
1048 		pr_err("SELinux: %s:  unrecognized SID %d\n",
1049 		       __func__, tsid);
1050 		goto out;
1051 	}
1052 
1053 	tclass = unmap_class(&policy->map, orig_tclass);
1054 	if (unlikely(orig_tclass && !tclass)) {
1055 		if (policydb->allow_unknown)
1056 			goto allow;
1057 		goto out;
1058 	}
1059 
1060 
1061 	if (unlikely(!tclass || tclass > policydb->p_classes.nprim)) {
1062 		pr_warn_ratelimited("SELinux:  Invalid class %hu\n", tclass);
1063 		goto out;
1064 	}
1065 
1066 	avkey.target_class = tclass;
1067 	avkey.specified = AVTAB_XPERMS;
1068 	sattr = &policydb->type_attr_map_array[scontext->type - 1];
1069 	tattr = &policydb->type_attr_map_array[tcontext->type - 1];
1070 	ebitmap_for_each_positive_bit(sattr, snode, i) {
1071 		ebitmap_for_each_positive_bit(tattr, tnode, j) {
1072 			avkey.source_type = i + 1;
1073 			avkey.target_type = j + 1;
1074 			for (node = avtab_search_node(&policydb->te_avtab,
1075 						      &avkey);
1076 			     node;
1077 			     node = avtab_search_node_next(node, avkey.specified))
1078 				services_compute_xperms_decision(xpermd, node);
1079 
1080 			cond_compute_xperms(&policydb->te_cond_avtab,
1081 						&avkey, xpermd);
1082 		}
1083 	}
1084 out:
1085 	rcu_read_unlock();
1086 	return;
1087 allow:
1088 	memset(xpermd->allowed->p, 0xff, sizeof(xpermd->allowed->p));
1089 	goto out;
1090 }
1091 
1092 /**
1093  * security_compute_av - Compute access vector decisions.
1094  * @state: SELinux state
1095  * @ssid: source security identifier
1096  * @tsid: target security identifier
1097  * @orig_tclass: target security class
1098  * @avd: access vector decisions
1099  * @xperms: extended permissions
1100  *
1101  * Compute a set of access vector decisions based on the
1102  * SID pair (@ssid, @tsid) for the permissions in @tclass.
1103  */
1104 void security_compute_av(struct selinux_state *state,
1105 			 u32 ssid,
1106 			 u32 tsid,
1107 			 u16 orig_tclass,
1108 			 struct av_decision *avd,
1109 			 struct extended_perms *xperms)
1110 {
1111 	struct selinux_policy *policy;
1112 	struct policydb *policydb;
1113 	struct sidtab *sidtab;
1114 	u16 tclass;
1115 	struct context *scontext = NULL, *tcontext = NULL;
1116 
1117 	rcu_read_lock();
1118 	policy = rcu_dereference(state->policy);
1119 	avd_init(policy, avd);
1120 	xperms->len = 0;
1121 	if (!selinux_initialized(state))
1122 		goto allow;
1123 
1124 	policydb = &policy->policydb;
1125 	sidtab = policy->sidtab;
1126 
1127 	scontext = sidtab_search(sidtab, ssid);
1128 	if (!scontext) {
1129 		pr_err("SELinux: %s:  unrecognized SID %d\n",
1130 		       __func__, ssid);
1131 		goto out;
1132 	}
1133 
1134 	/* permissive domain? */
1135 	if (ebitmap_get_bit(&policydb->permissive_map, scontext->type))
1136 		avd->flags |= AVD_FLAGS_PERMISSIVE;
1137 
1138 	tcontext = sidtab_search(sidtab, tsid);
1139 	if (!tcontext) {
1140 		pr_err("SELinux: %s:  unrecognized SID %d\n",
1141 		       __func__, tsid);
1142 		goto out;
1143 	}
1144 
1145 	tclass = unmap_class(&policy->map, orig_tclass);
1146 	if (unlikely(orig_tclass && !tclass)) {
1147 		if (policydb->allow_unknown)
1148 			goto allow;
1149 		goto out;
1150 	}
1151 	context_struct_compute_av(policydb, scontext, tcontext, tclass, avd,
1152 				  xperms);
1153 	map_decision(&policy->map, orig_tclass, avd,
1154 		     policydb->allow_unknown);
1155 out:
1156 	rcu_read_unlock();
1157 	return;
1158 allow:
1159 	avd->allowed = 0xffffffff;
1160 	goto out;
1161 }
1162 
1163 void security_compute_av_user(struct selinux_state *state,
1164 			      u32 ssid,
1165 			      u32 tsid,
1166 			      u16 tclass,
1167 			      struct av_decision *avd)
1168 {
1169 	struct selinux_policy *policy;
1170 	struct policydb *policydb;
1171 	struct sidtab *sidtab;
1172 	struct context *scontext = NULL, *tcontext = NULL;
1173 
1174 	rcu_read_lock();
1175 	policy = rcu_dereference(state->policy);
1176 	avd_init(policy, avd);
1177 	if (!selinux_initialized(state))
1178 		goto allow;
1179 
1180 	policydb = &policy->policydb;
1181 	sidtab = policy->sidtab;
1182 
1183 	scontext = sidtab_search(sidtab, ssid);
1184 	if (!scontext) {
1185 		pr_err("SELinux: %s:  unrecognized SID %d\n",
1186 		       __func__, ssid);
1187 		goto out;
1188 	}
1189 
1190 	/* permissive domain? */
1191 	if (ebitmap_get_bit(&policydb->permissive_map, scontext->type))
1192 		avd->flags |= AVD_FLAGS_PERMISSIVE;
1193 
1194 	tcontext = sidtab_search(sidtab, tsid);
1195 	if (!tcontext) {
1196 		pr_err("SELinux: %s:  unrecognized SID %d\n",
1197 		       __func__, tsid);
1198 		goto out;
1199 	}
1200 
1201 	if (unlikely(!tclass)) {
1202 		if (policydb->allow_unknown)
1203 			goto allow;
1204 		goto out;
1205 	}
1206 
1207 	context_struct_compute_av(policydb, scontext, tcontext, tclass, avd,
1208 				  NULL);
1209  out:
1210 	rcu_read_unlock();
1211 	return;
1212 allow:
1213 	avd->allowed = 0xffffffff;
1214 	goto out;
1215 }
1216 
1217 /*
1218  * Write the security context string representation of
1219  * the context structure `context' into a dynamically
1220  * allocated string of the correct size.  Set `*scontext'
1221  * to point to this string and set `*scontext_len' to
1222  * the length of the string.
1223  */
1224 static int context_struct_to_string(struct policydb *p,
1225 				    struct context *context,
1226 				    char **scontext, u32 *scontext_len)
1227 {
1228 	char *scontextp;
1229 
1230 	if (scontext)
1231 		*scontext = NULL;
1232 	*scontext_len = 0;
1233 
1234 	if (context->len) {
1235 		*scontext_len = context->len;
1236 		if (scontext) {
1237 			*scontext = kstrdup(context->str, GFP_ATOMIC);
1238 			if (!(*scontext))
1239 				return -ENOMEM;
1240 		}
1241 		return 0;
1242 	}
1243 
1244 	/* Compute the size of the context. */
1245 	*scontext_len += strlen(sym_name(p, SYM_USERS, context->user - 1)) + 1;
1246 	*scontext_len += strlen(sym_name(p, SYM_ROLES, context->role - 1)) + 1;
1247 	*scontext_len += strlen(sym_name(p, SYM_TYPES, context->type - 1)) + 1;
1248 	*scontext_len += mls_compute_context_len(p, context);
1249 
1250 	if (!scontext)
1251 		return 0;
1252 
1253 	/* Allocate space for the context; caller must free this space. */
1254 	scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
1255 	if (!scontextp)
1256 		return -ENOMEM;
1257 	*scontext = scontextp;
1258 
1259 	/*
1260 	 * Copy the user name, role name and type name into the context.
1261 	 */
1262 	scontextp += sprintf(scontextp, "%s:%s:%s",
1263 		sym_name(p, SYM_USERS, context->user - 1),
1264 		sym_name(p, SYM_ROLES, context->role - 1),
1265 		sym_name(p, SYM_TYPES, context->type - 1));
1266 
1267 	mls_sid_to_context(p, context, &scontextp);
1268 
1269 	*scontextp = 0;
1270 
1271 	return 0;
1272 }
1273 
1274 static int sidtab_entry_to_string(struct policydb *p,
1275 				  struct sidtab *sidtab,
1276 				  struct sidtab_entry *entry,
1277 				  char **scontext, u32 *scontext_len)
1278 {
1279 	int rc = sidtab_sid2str_get(sidtab, entry, scontext, scontext_len);
1280 
1281 	if (rc != -ENOENT)
1282 		return rc;
1283 
1284 	rc = context_struct_to_string(p, &entry->context, scontext,
1285 				      scontext_len);
1286 	if (!rc && scontext)
1287 		sidtab_sid2str_put(sidtab, entry, *scontext, *scontext_len);
1288 	return rc;
1289 }
1290 
1291 #include "initial_sid_to_string.h"
1292 
1293 int security_sidtab_hash_stats(struct selinux_state *state, char *page)
1294 {
1295 	struct selinux_policy *policy;
1296 	int rc;
1297 
1298 	if (!selinux_initialized(state)) {
1299 		pr_err("SELinux: %s:  called before initial load_policy\n",
1300 		       __func__);
1301 		return -EINVAL;
1302 	}
1303 
1304 	rcu_read_lock();
1305 	policy = rcu_dereference(state->policy);
1306 	rc = sidtab_hash_stats(policy->sidtab, page);
1307 	rcu_read_unlock();
1308 
1309 	return rc;
1310 }
1311 
1312 const char *security_get_initial_sid_context(u32 sid)
1313 {
1314 	if (unlikely(sid > SECINITSID_NUM))
1315 		return NULL;
1316 	return initial_sid_to_string[sid];
1317 }
1318 
1319 static int security_sid_to_context_core(struct selinux_state *state,
1320 					u32 sid, char **scontext,
1321 					u32 *scontext_len, int force,
1322 					int only_invalid)
1323 {
1324 	struct selinux_policy *policy;
1325 	struct policydb *policydb;
1326 	struct sidtab *sidtab;
1327 	struct sidtab_entry *entry;
1328 	int rc = 0;
1329 
1330 	if (scontext)
1331 		*scontext = NULL;
1332 	*scontext_len  = 0;
1333 
1334 	if (!selinux_initialized(state)) {
1335 		if (sid <= SECINITSID_NUM) {
1336 			char *scontextp;
1337 			const char *s = initial_sid_to_string[sid];
1338 
1339 			if (!s)
1340 				return -EINVAL;
1341 			*scontext_len = strlen(s) + 1;
1342 			if (!scontext)
1343 				return 0;
1344 			scontextp = kmemdup(s, *scontext_len, GFP_ATOMIC);
1345 			if (!scontextp)
1346 				return -ENOMEM;
1347 			*scontext = scontextp;
1348 			return 0;
1349 		}
1350 		pr_err("SELinux: %s:  called before initial "
1351 		       "load_policy on unknown SID %d\n", __func__, sid);
1352 		return -EINVAL;
1353 	}
1354 	rcu_read_lock();
1355 	policy = rcu_dereference(state->policy);
1356 	policydb = &policy->policydb;
1357 	sidtab = policy->sidtab;
1358 
1359 	if (force)
1360 		entry = sidtab_search_entry_force(sidtab, sid);
1361 	else
1362 		entry = sidtab_search_entry(sidtab, sid);
1363 	if (!entry) {
1364 		pr_err("SELinux: %s:  unrecognized SID %d\n",
1365 			__func__, sid);
1366 		rc = -EINVAL;
1367 		goto out_unlock;
1368 	}
1369 	if (only_invalid && !entry->context.len)
1370 		goto out_unlock;
1371 
1372 	rc = sidtab_entry_to_string(policydb, sidtab, entry, scontext,
1373 				    scontext_len);
1374 
1375 out_unlock:
1376 	rcu_read_unlock();
1377 	return rc;
1378 
1379 }
1380 
1381 /**
1382  * security_sid_to_context - Obtain a context for a given SID.
1383  * @state: SELinux state
1384  * @sid: security identifier, SID
1385  * @scontext: security context
1386  * @scontext_len: length in bytes
1387  *
1388  * Write the string representation of the context associated with @sid
1389  * into a dynamically allocated string of the correct size.  Set @scontext
1390  * to point to this string and set @scontext_len to the length of the string.
1391  */
1392 int security_sid_to_context(struct selinux_state *state,
1393 			    u32 sid, char **scontext, u32 *scontext_len)
1394 {
1395 	return security_sid_to_context_core(state, sid, scontext,
1396 					    scontext_len, 0, 0);
1397 }
1398 
1399 int security_sid_to_context_force(struct selinux_state *state, u32 sid,
1400 				  char **scontext, u32 *scontext_len)
1401 {
1402 	return security_sid_to_context_core(state, sid, scontext,
1403 					    scontext_len, 1, 0);
1404 }
1405 
1406 /**
1407  * security_sid_to_context_inval - Obtain a context for a given SID if it
1408  *                                 is invalid.
1409  * @state: SELinux state
1410  * @sid: security identifier, SID
1411  * @scontext: security context
1412  * @scontext_len: length in bytes
1413  *
1414  * Write the string representation of the context associated with @sid
1415  * into a dynamically allocated string of the correct size, but only if the
1416  * context is invalid in the current policy.  Set @scontext to point to
1417  * this string (or NULL if the context is valid) and set @scontext_len to
1418  * the length of the string (or 0 if the context is valid).
1419  */
1420 int security_sid_to_context_inval(struct selinux_state *state, u32 sid,
1421 				  char **scontext, u32 *scontext_len)
1422 {
1423 	return security_sid_to_context_core(state, sid, scontext,
1424 					    scontext_len, 1, 1);
1425 }
1426 
1427 /*
1428  * Caveat:  Mutates scontext.
1429  */
1430 static int string_to_context_struct(struct policydb *pol,
1431 				    struct sidtab *sidtabp,
1432 				    char *scontext,
1433 				    struct context *ctx,
1434 				    u32 def_sid)
1435 {
1436 	struct role_datum *role;
1437 	struct type_datum *typdatum;
1438 	struct user_datum *usrdatum;
1439 	char *scontextp, *p, oldc;
1440 	int rc = 0;
1441 
1442 	context_init(ctx);
1443 
1444 	/* Parse the security context. */
1445 
1446 	rc = -EINVAL;
1447 	scontextp = scontext;
1448 
1449 	/* Extract the user. */
1450 	p = scontextp;
1451 	while (*p && *p != ':')
1452 		p++;
1453 
1454 	if (*p == 0)
1455 		goto out;
1456 
1457 	*p++ = 0;
1458 
1459 	usrdatum = symtab_search(&pol->p_users, scontextp);
1460 	if (!usrdatum)
1461 		goto out;
1462 
1463 	ctx->user = usrdatum->value;
1464 
1465 	/* Extract role. */
1466 	scontextp = p;
1467 	while (*p && *p != ':')
1468 		p++;
1469 
1470 	if (*p == 0)
1471 		goto out;
1472 
1473 	*p++ = 0;
1474 
1475 	role = symtab_search(&pol->p_roles, scontextp);
1476 	if (!role)
1477 		goto out;
1478 	ctx->role = role->value;
1479 
1480 	/* Extract type. */
1481 	scontextp = p;
1482 	while (*p && *p != ':')
1483 		p++;
1484 	oldc = *p;
1485 	*p++ = 0;
1486 
1487 	typdatum = symtab_search(&pol->p_types, scontextp);
1488 	if (!typdatum || typdatum->attribute)
1489 		goto out;
1490 
1491 	ctx->type = typdatum->value;
1492 
1493 	rc = mls_context_to_sid(pol, oldc, p, ctx, sidtabp, def_sid);
1494 	if (rc)
1495 		goto out;
1496 
1497 	/* Check the validity of the new context. */
1498 	rc = -EINVAL;
1499 	if (!policydb_context_isvalid(pol, ctx))
1500 		goto out;
1501 	rc = 0;
1502 out:
1503 	if (rc)
1504 		context_destroy(ctx);
1505 	return rc;
1506 }
1507 
1508 static int security_context_to_sid_core(struct selinux_state *state,
1509 					const char *scontext, u32 scontext_len,
1510 					u32 *sid, u32 def_sid, gfp_t gfp_flags,
1511 					int force)
1512 {
1513 	struct selinux_policy *policy;
1514 	struct policydb *policydb;
1515 	struct sidtab *sidtab;
1516 	char *scontext2, *str = NULL;
1517 	struct context context;
1518 	int rc = 0;
1519 
1520 	/* An empty security context is never valid. */
1521 	if (!scontext_len)
1522 		return -EINVAL;
1523 
1524 	/* Copy the string to allow changes and ensure a NUL terminator */
1525 	scontext2 = kmemdup_nul(scontext, scontext_len, gfp_flags);
1526 	if (!scontext2)
1527 		return -ENOMEM;
1528 
1529 	if (!selinux_initialized(state)) {
1530 		int i;
1531 
1532 		for (i = 1; i < SECINITSID_NUM; i++) {
1533 			const char *s = initial_sid_to_string[i];
1534 
1535 			if (s && !strcmp(s, scontext2)) {
1536 				*sid = i;
1537 				goto out;
1538 			}
1539 		}
1540 		*sid = SECINITSID_KERNEL;
1541 		goto out;
1542 	}
1543 	*sid = SECSID_NULL;
1544 
1545 	if (force) {
1546 		/* Save another copy for storing in uninterpreted form */
1547 		rc = -ENOMEM;
1548 		str = kstrdup(scontext2, gfp_flags);
1549 		if (!str)
1550 			goto out;
1551 	}
1552 retry:
1553 	rcu_read_lock();
1554 	policy = rcu_dereference(state->policy);
1555 	policydb = &policy->policydb;
1556 	sidtab = policy->sidtab;
1557 	rc = string_to_context_struct(policydb, sidtab, scontext2,
1558 				      &context, def_sid);
1559 	if (rc == -EINVAL && force) {
1560 		context.str = str;
1561 		context.len = strlen(str) + 1;
1562 		str = NULL;
1563 	} else if (rc)
1564 		goto out_unlock;
1565 	rc = sidtab_context_to_sid(sidtab, &context, sid);
1566 	if (rc == -ESTALE) {
1567 		rcu_read_unlock();
1568 		if (context.str) {
1569 			str = context.str;
1570 			context.str = NULL;
1571 		}
1572 		context_destroy(&context);
1573 		goto retry;
1574 	}
1575 	context_destroy(&context);
1576 out_unlock:
1577 	rcu_read_unlock();
1578 out:
1579 	kfree(scontext2);
1580 	kfree(str);
1581 	return rc;
1582 }
1583 
1584 /**
1585  * security_context_to_sid - Obtain a SID for a given security context.
1586  * @state: SELinux state
1587  * @scontext: security context
1588  * @scontext_len: length in bytes
1589  * @sid: security identifier, SID
1590  * @gfp: context for the allocation
1591  *
1592  * Obtains a SID associated with the security context that
1593  * has the string representation specified by @scontext.
1594  * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
1595  * memory is available, or 0 on success.
1596  */
1597 int security_context_to_sid(struct selinux_state *state,
1598 			    const char *scontext, u32 scontext_len, u32 *sid,
1599 			    gfp_t gfp)
1600 {
1601 	return security_context_to_sid_core(state, scontext, scontext_len,
1602 					    sid, SECSID_NULL, gfp, 0);
1603 }
1604 
1605 int security_context_str_to_sid(struct selinux_state *state,
1606 				const char *scontext, u32 *sid, gfp_t gfp)
1607 {
1608 	return security_context_to_sid(state, scontext, strlen(scontext),
1609 				       sid, gfp);
1610 }
1611 
1612 /**
1613  * security_context_to_sid_default - Obtain a SID for a given security context,
1614  * falling back to specified default if needed.
1615  *
1616  * @state: SELinux state
1617  * @scontext: security context
1618  * @scontext_len: length in bytes
1619  * @sid: security identifier, SID
1620  * @def_sid: default SID to assign on error
1621  * @gfp_flags: the allocator get-free-page (GFP) flags
1622  *
1623  * Obtains a SID associated with the security context that
1624  * has the string representation specified by @scontext.
1625  * The default SID is passed to the MLS layer to be used to allow
1626  * kernel labeling of the MLS field if the MLS field is not present
1627  * (for upgrading to MLS without full relabel).
1628  * Implicitly forces adding of the context even if it cannot be mapped yet.
1629  * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
1630  * memory is available, or 0 on success.
1631  */
1632 int security_context_to_sid_default(struct selinux_state *state,
1633 				    const char *scontext, u32 scontext_len,
1634 				    u32 *sid, u32 def_sid, gfp_t gfp_flags)
1635 {
1636 	return security_context_to_sid_core(state, scontext, scontext_len,
1637 					    sid, def_sid, gfp_flags, 1);
1638 }
1639 
1640 int security_context_to_sid_force(struct selinux_state *state,
1641 				  const char *scontext, u32 scontext_len,
1642 				  u32 *sid)
1643 {
1644 	return security_context_to_sid_core(state, scontext, scontext_len,
1645 					    sid, SECSID_NULL, GFP_KERNEL, 1);
1646 }
1647 
1648 static int compute_sid_handle_invalid_context(
1649 	struct selinux_state *state,
1650 	struct selinux_policy *policy,
1651 	struct sidtab_entry *sentry,
1652 	struct sidtab_entry *tentry,
1653 	u16 tclass,
1654 	struct context *newcontext)
1655 {
1656 	struct policydb *policydb = &policy->policydb;
1657 	struct sidtab *sidtab = policy->sidtab;
1658 	char *s = NULL, *t = NULL, *n = NULL;
1659 	u32 slen, tlen, nlen;
1660 	struct audit_buffer *ab;
1661 
1662 	if (sidtab_entry_to_string(policydb, sidtab, sentry, &s, &slen))
1663 		goto out;
1664 	if (sidtab_entry_to_string(policydb, sidtab, tentry, &t, &tlen))
1665 		goto out;
1666 	if (context_struct_to_string(policydb, newcontext, &n, &nlen))
1667 		goto out;
1668 	ab = audit_log_start(audit_context(), GFP_ATOMIC, AUDIT_SELINUX_ERR);
1669 	if (!ab)
1670 		goto out;
1671 	audit_log_format(ab,
1672 			 "op=security_compute_sid invalid_context=");
1673 	/* no need to record the NUL with untrusted strings */
1674 	audit_log_n_untrustedstring(ab, n, nlen - 1);
1675 	audit_log_format(ab, " scontext=%s tcontext=%s tclass=%s",
1676 			 s, t, sym_name(policydb, SYM_CLASSES, tclass-1));
1677 	audit_log_end(ab);
1678 out:
1679 	kfree(s);
1680 	kfree(t);
1681 	kfree(n);
1682 	if (!enforcing_enabled(state))
1683 		return 0;
1684 	return -EACCES;
1685 }
1686 
1687 static void filename_compute_type(struct policydb *policydb,
1688 				  struct context *newcontext,
1689 				  u32 stype, u32 ttype, u16 tclass,
1690 				  const char *objname)
1691 {
1692 	struct filename_trans_key ft;
1693 	struct filename_trans_datum *datum;
1694 
1695 	/*
1696 	 * Most filename trans rules are going to live in specific directories
1697 	 * like /dev or /var/run.  This bitmap will quickly skip rule searches
1698 	 * if the ttype does not contain any rules.
1699 	 */
1700 	if (!ebitmap_get_bit(&policydb->filename_trans_ttypes, ttype))
1701 		return;
1702 
1703 	ft.ttype = ttype;
1704 	ft.tclass = tclass;
1705 	ft.name = objname;
1706 
1707 	datum = policydb_filenametr_search(policydb, &ft);
1708 	while (datum) {
1709 		if (ebitmap_get_bit(&datum->stypes, stype - 1)) {
1710 			newcontext->type = datum->otype;
1711 			return;
1712 		}
1713 		datum = datum->next;
1714 	}
1715 }
1716 
1717 static int security_compute_sid(struct selinux_state *state,
1718 				u32 ssid,
1719 				u32 tsid,
1720 				u16 orig_tclass,
1721 				u32 specified,
1722 				const char *objname,
1723 				u32 *out_sid,
1724 				bool kern)
1725 {
1726 	struct selinux_policy *policy;
1727 	struct policydb *policydb;
1728 	struct sidtab *sidtab;
1729 	struct class_datum *cladatum;
1730 	struct context *scontext, *tcontext, newcontext;
1731 	struct sidtab_entry *sentry, *tentry;
1732 	struct avtab_key avkey;
1733 	struct avtab_datum *avdatum;
1734 	struct avtab_node *node;
1735 	u16 tclass;
1736 	int rc = 0;
1737 	bool sock;
1738 
1739 	if (!selinux_initialized(state)) {
1740 		switch (orig_tclass) {
1741 		case SECCLASS_PROCESS: /* kernel value */
1742 			*out_sid = ssid;
1743 			break;
1744 		default:
1745 			*out_sid = tsid;
1746 			break;
1747 		}
1748 		goto out;
1749 	}
1750 
1751 retry:
1752 	cladatum = NULL;
1753 	context_init(&newcontext);
1754 
1755 	rcu_read_lock();
1756 
1757 	policy = rcu_dereference(state->policy);
1758 
1759 	if (kern) {
1760 		tclass = unmap_class(&policy->map, orig_tclass);
1761 		sock = security_is_socket_class(orig_tclass);
1762 	} else {
1763 		tclass = orig_tclass;
1764 		sock = security_is_socket_class(map_class(&policy->map,
1765 							  tclass));
1766 	}
1767 
1768 	policydb = &policy->policydb;
1769 	sidtab = policy->sidtab;
1770 
1771 	sentry = sidtab_search_entry(sidtab, ssid);
1772 	if (!sentry) {
1773 		pr_err("SELinux: %s:  unrecognized SID %d\n",
1774 		       __func__, ssid);
1775 		rc = -EINVAL;
1776 		goto out_unlock;
1777 	}
1778 	tentry = sidtab_search_entry(sidtab, tsid);
1779 	if (!tentry) {
1780 		pr_err("SELinux: %s:  unrecognized SID %d\n",
1781 		       __func__, tsid);
1782 		rc = -EINVAL;
1783 		goto out_unlock;
1784 	}
1785 
1786 	scontext = &sentry->context;
1787 	tcontext = &tentry->context;
1788 
1789 	if (tclass && tclass <= policydb->p_classes.nprim)
1790 		cladatum = policydb->class_val_to_struct[tclass - 1];
1791 
1792 	/* Set the user identity. */
1793 	switch (specified) {
1794 	case AVTAB_TRANSITION:
1795 	case AVTAB_CHANGE:
1796 		if (cladatum && cladatum->default_user == DEFAULT_TARGET) {
1797 			newcontext.user = tcontext->user;
1798 		} else {
1799 			/* notice this gets both DEFAULT_SOURCE and unset */
1800 			/* Use the process user identity. */
1801 			newcontext.user = scontext->user;
1802 		}
1803 		break;
1804 	case AVTAB_MEMBER:
1805 		/* Use the related object owner. */
1806 		newcontext.user = tcontext->user;
1807 		break;
1808 	}
1809 
1810 	/* Set the role to default values. */
1811 	if (cladatum && cladatum->default_role == DEFAULT_SOURCE) {
1812 		newcontext.role = scontext->role;
1813 	} else if (cladatum && cladatum->default_role == DEFAULT_TARGET) {
1814 		newcontext.role = tcontext->role;
1815 	} else {
1816 		if ((tclass == policydb->process_class) || sock)
1817 			newcontext.role = scontext->role;
1818 		else
1819 			newcontext.role = OBJECT_R_VAL;
1820 	}
1821 
1822 	/* Set the type to default values. */
1823 	if (cladatum && cladatum->default_type == DEFAULT_SOURCE) {
1824 		newcontext.type = scontext->type;
1825 	} else if (cladatum && cladatum->default_type == DEFAULT_TARGET) {
1826 		newcontext.type = tcontext->type;
1827 	} else {
1828 		if ((tclass == policydb->process_class) || sock) {
1829 			/* Use the type of process. */
1830 			newcontext.type = scontext->type;
1831 		} else {
1832 			/* Use the type of the related object. */
1833 			newcontext.type = tcontext->type;
1834 		}
1835 	}
1836 
1837 	/* Look for a type transition/member/change rule. */
1838 	avkey.source_type = scontext->type;
1839 	avkey.target_type = tcontext->type;
1840 	avkey.target_class = tclass;
1841 	avkey.specified = specified;
1842 	avdatum = avtab_search(&policydb->te_avtab, &avkey);
1843 
1844 	/* If no permanent rule, also check for enabled conditional rules */
1845 	if (!avdatum) {
1846 		node = avtab_search_node(&policydb->te_cond_avtab, &avkey);
1847 		for (; node; node = avtab_search_node_next(node, specified)) {
1848 			if (node->key.specified & AVTAB_ENABLED) {
1849 				avdatum = &node->datum;
1850 				break;
1851 			}
1852 		}
1853 	}
1854 
1855 	if (avdatum) {
1856 		/* Use the type from the type transition/member/change rule. */
1857 		newcontext.type = avdatum->u.data;
1858 	}
1859 
1860 	/* if we have a objname this is a file trans check so check those rules */
1861 	if (objname)
1862 		filename_compute_type(policydb, &newcontext, scontext->type,
1863 				      tcontext->type, tclass, objname);
1864 
1865 	/* Check for class-specific changes. */
1866 	if (specified & AVTAB_TRANSITION) {
1867 		/* Look for a role transition rule. */
1868 		struct role_trans_datum *rtd;
1869 		struct role_trans_key rtk = {
1870 			.role = scontext->role,
1871 			.type = tcontext->type,
1872 			.tclass = tclass,
1873 		};
1874 
1875 		rtd = policydb_roletr_search(policydb, &rtk);
1876 		if (rtd)
1877 			newcontext.role = rtd->new_role;
1878 	}
1879 
1880 	/* Set the MLS attributes.
1881 	   This is done last because it may allocate memory. */
1882 	rc = mls_compute_sid(policydb, scontext, tcontext, tclass, specified,
1883 			     &newcontext, sock);
1884 	if (rc)
1885 		goto out_unlock;
1886 
1887 	/* Check the validity of the context. */
1888 	if (!policydb_context_isvalid(policydb, &newcontext)) {
1889 		rc = compute_sid_handle_invalid_context(state, policy, sentry,
1890 							tentry, tclass,
1891 							&newcontext);
1892 		if (rc)
1893 			goto out_unlock;
1894 	}
1895 	/* Obtain the sid for the context. */
1896 	rc = sidtab_context_to_sid(sidtab, &newcontext, out_sid);
1897 	if (rc == -ESTALE) {
1898 		rcu_read_unlock();
1899 		context_destroy(&newcontext);
1900 		goto retry;
1901 	}
1902 out_unlock:
1903 	rcu_read_unlock();
1904 	context_destroy(&newcontext);
1905 out:
1906 	return rc;
1907 }
1908 
1909 /**
1910  * security_transition_sid - Compute the SID for a new subject/object.
1911  * @state: SELinux state
1912  * @ssid: source security identifier
1913  * @tsid: target security identifier
1914  * @tclass: target security class
1915  * @qstr: object name
1916  * @out_sid: security identifier for new subject/object
1917  *
1918  * Compute a SID to use for labeling a new subject or object in the
1919  * class @tclass based on a SID pair (@ssid, @tsid).
1920  * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
1921  * if insufficient memory is available, or %0 if the new SID was
1922  * computed successfully.
1923  */
1924 int security_transition_sid(struct selinux_state *state,
1925 			    u32 ssid, u32 tsid, u16 tclass,
1926 			    const struct qstr *qstr, u32 *out_sid)
1927 {
1928 	return security_compute_sid(state, ssid, tsid, tclass,
1929 				    AVTAB_TRANSITION,
1930 				    qstr ? qstr->name : NULL, out_sid, true);
1931 }
1932 
1933 int security_transition_sid_user(struct selinux_state *state,
1934 				 u32 ssid, u32 tsid, u16 tclass,
1935 				 const char *objname, u32 *out_sid)
1936 {
1937 	return security_compute_sid(state, ssid, tsid, tclass,
1938 				    AVTAB_TRANSITION,
1939 				    objname, out_sid, false);
1940 }
1941 
1942 /**
1943  * security_member_sid - Compute the SID for member selection.
1944  * @state: SELinux state
1945  * @ssid: source security identifier
1946  * @tsid: target security identifier
1947  * @tclass: target security class
1948  * @out_sid: security identifier for selected member
1949  *
1950  * Compute a SID to use when selecting a member of a polyinstantiated
1951  * object of class @tclass based on a SID pair (@ssid, @tsid).
1952  * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
1953  * if insufficient memory is available, or %0 if the SID was
1954  * computed successfully.
1955  */
1956 int security_member_sid(struct selinux_state *state,
1957 			u32 ssid,
1958 			u32 tsid,
1959 			u16 tclass,
1960 			u32 *out_sid)
1961 {
1962 	return security_compute_sid(state, ssid, tsid, tclass,
1963 				    AVTAB_MEMBER, NULL,
1964 				    out_sid, false);
1965 }
1966 
1967 /**
1968  * security_change_sid - Compute the SID for object relabeling.
1969  * @state: SELinux state
1970  * @ssid: source security identifier
1971  * @tsid: target security identifier
1972  * @tclass: target security class
1973  * @out_sid: security identifier for selected member
1974  *
1975  * Compute a SID to use for relabeling an object of class @tclass
1976  * based on a SID pair (@ssid, @tsid).
1977  * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
1978  * if insufficient memory is available, or %0 if the SID was
1979  * computed successfully.
1980  */
1981 int security_change_sid(struct selinux_state *state,
1982 			u32 ssid,
1983 			u32 tsid,
1984 			u16 tclass,
1985 			u32 *out_sid)
1986 {
1987 	return security_compute_sid(state,
1988 				    ssid, tsid, tclass, AVTAB_CHANGE, NULL,
1989 				    out_sid, false);
1990 }
1991 
1992 static inline int convert_context_handle_invalid_context(
1993 	struct selinux_state *state,
1994 	struct policydb *policydb,
1995 	struct context *context)
1996 {
1997 	char *s;
1998 	u32 len;
1999 
2000 	if (enforcing_enabled(state))
2001 		return -EINVAL;
2002 
2003 	if (!context_struct_to_string(policydb, context, &s, &len)) {
2004 		pr_warn("SELinux:  Context %s would be invalid if enforcing\n",
2005 			s);
2006 		kfree(s);
2007 	}
2008 	return 0;
2009 }
2010 
2011 /**
2012  * services_convert_context - Convert a security context across policies.
2013  * @args: populated convert_context_args struct
2014  * @oldc: original context
2015  * @newc: converted context
2016  * @gfp_flags: allocation flags
2017  *
2018  * Convert the values in the security context structure @oldc from the values
2019  * specified in the policy @args->oldp to the values specified in the policy
2020  * @args->newp, storing the new context in @newc, and verifying that the
2021  * context is valid under the new policy.
2022  */
2023 int services_convert_context(struct convert_context_args *args,
2024 			     struct context *oldc, struct context *newc,
2025 			     gfp_t gfp_flags)
2026 {
2027 	struct ocontext *oc;
2028 	struct role_datum *role;
2029 	struct type_datum *typdatum;
2030 	struct user_datum *usrdatum;
2031 	char *s;
2032 	u32 len;
2033 	int rc;
2034 
2035 	if (oldc->str) {
2036 		s = kstrdup(oldc->str, gfp_flags);
2037 		if (!s)
2038 			return -ENOMEM;
2039 
2040 		rc = string_to_context_struct(args->newp, NULL, s, newc, SECSID_NULL);
2041 		if (rc == -EINVAL) {
2042 			/*
2043 			 * Retain string representation for later mapping.
2044 			 *
2045 			 * IMPORTANT: We need to copy the contents of oldc->str
2046 			 * back into s again because string_to_context_struct()
2047 			 * may have garbled it.
2048 			 */
2049 			memcpy(s, oldc->str, oldc->len);
2050 			context_init(newc);
2051 			newc->str = s;
2052 			newc->len = oldc->len;
2053 			return 0;
2054 		}
2055 		kfree(s);
2056 		if (rc) {
2057 			/* Other error condition, e.g. ENOMEM. */
2058 			pr_err("SELinux:   Unable to map context %s, rc = %d.\n",
2059 			       oldc->str, -rc);
2060 			return rc;
2061 		}
2062 		pr_info("SELinux:  Context %s became valid (mapped).\n",
2063 			oldc->str);
2064 		return 0;
2065 	}
2066 
2067 	context_init(newc);
2068 
2069 	/* Convert the user. */
2070 	usrdatum = symtab_search(&args->newp->p_users,
2071 				 sym_name(args->oldp, SYM_USERS, oldc->user - 1));
2072 	if (!usrdatum)
2073 		goto bad;
2074 	newc->user = usrdatum->value;
2075 
2076 	/* Convert the role. */
2077 	role = symtab_search(&args->newp->p_roles,
2078 			     sym_name(args->oldp, SYM_ROLES, oldc->role - 1));
2079 	if (!role)
2080 		goto bad;
2081 	newc->role = role->value;
2082 
2083 	/* Convert the type. */
2084 	typdatum = symtab_search(&args->newp->p_types,
2085 				 sym_name(args->oldp, SYM_TYPES, oldc->type - 1));
2086 	if (!typdatum)
2087 		goto bad;
2088 	newc->type = typdatum->value;
2089 
2090 	/* Convert the MLS fields if dealing with MLS policies */
2091 	if (args->oldp->mls_enabled && args->newp->mls_enabled) {
2092 		rc = mls_convert_context(args->oldp, args->newp, oldc, newc);
2093 		if (rc)
2094 			goto bad;
2095 	} else if (!args->oldp->mls_enabled && args->newp->mls_enabled) {
2096 		/*
2097 		 * Switching between non-MLS and MLS policy:
2098 		 * ensure that the MLS fields of the context for all
2099 		 * existing entries in the sidtab are filled in with a
2100 		 * suitable default value, likely taken from one of the
2101 		 * initial SIDs.
2102 		 */
2103 		oc = args->newp->ocontexts[OCON_ISID];
2104 		while (oc && oc->sid[0] != SECINITSID_UNLABELED)
2105 			oc = oc->next;
2106 		if (!oc) {
2107 			pr_err("SELinux:  unable to look up"
2108 				" the initial SIDs list\n");
2109 			goto bad;
2110 		}
2111 		rc = mls_range_set(newc, &oc->context[0].range);
2112 		if (rc)
2113 			goto bad;
2114 	}
2115 
2116 	/* Check the validity of the new context. */
2117 	if (!policydb_context_isvalid(args->newp, newc)) {
2118 		rc = convert_context_handle_invalid_context(args->state,
2119 							    args->oldp, oldc);
2120 		if (rc)
2121 			goto bad;
2122 	}
2123 
2124 	return 0;
2125 bad:
2126 	/* Map old representation to string and save it. */
2127 	rc = context_struct_to_string(args->oldp, oldc, &s, &len);
2128 	if (rc)
2129 		return rc;
2130 	context_destroy(newc);
2131 	newc->str = s;
2132 	newc->len = len;
2133 	pr_info("SELinux:  Context %s became invalid (unmapped).\n",
2134 		newc->str);
2135 	return 0;
2136 }
2137 
2138 static void security_load_policycaps(struct selinux_state *state,
2139 				struct selinux_policy *policy)
2140 {
2141 	struct policydb *p;
2142 	unsigned int i;
2143 	struct ebitmap_node *node;
2144 
2145 	p = &policy->policydb;
2146 
2147 	for (i = 0; i < ARRAY_SIZE(state->policycap); i++)
2148 		WRITE_ONCE(state->policycap[i],
2149 			ebitmap_get_bit(&p->policycaps, i));
2150 
2151 	for (i = 0; i < ARRAY_SIZE(selinux_policycap_names); i++)
2152 		pr_info("SELinux:  policy capability %s=%d\n",
2153 			selinux_policycap_names[i],
2154 			ebitmap_get_bit(&p->policycaps, i));
2155 
2156 	ebitmap_for_each_positive_bit(&p->policycaps, node, i) {
2157 		if (i >= ARRAY_SIZE(selinux_policycap_names))
2158 			pr_info("SELinux:  unknown policy capability %u\n",
2159 				i);
2160 	}
2161 }
2162 
2163 static int security_preserve_bools(struct selinux_policy *oldpolicy,
2164 				struct selinux_policy *newpolicy);
2165 
2166 static void selinux_policy_free(struct selinux_policy *policy)
2167 {
2168 	if (!policy)
2169 		return;
2170 
2171 	sidtab_destroy(policy->sidtab);
2172 	kfree(policy->map.mapping);
2173 	policydb_destroy(&policy->policydb);
2174 	kfree(policy->sidtab);
2175 	kfree(policy);
2176 }
2177 
2178 static void selinux_policy_cond_free(struct selinux_policy *policy)
2179 {
2180 	cond_policydb_destroy_dup(&policy->policydb);
2181 	kfree(policy);
2182 }
2183 
2184 void selinux_policy_cancel(struct selinux_state *state,
2185 			   struct selinux_load_state *load_state)
2186 {
2187 	struct selinux_policy *oldpolicy;
2188 
2189 	oldpolicy = rcu_dereference_protected(state->policy,
2190 					lockdep_is_held(&state->policy_mutex));
2191 
2192 	sidtab_cancel_convert(oldpolicy->sidtab);
2193 	selinux_policy_free(load_state->policy);
2194 	kfree(load_state->convert_data);
2195 }
2196 
2197 static void selinux_notify_policy_change(struct selinux_state *state,
2198 					u32 seqno)
2199 {
2200 	/* Flush external caches and notify userspace of policy load */
2201 	avc_ss_reset(state->avc, seqno);
2202 	selnl_notify_policyload(seqno);
2203 	selinux_status_update_policyload(state, seqno);
2204 	selinux_netlbl_cache_invalidate();
2205 	selinux_xfrm_notify_policyload();
2206 	selinux_ima_measure_state_locked(state);
2207 }
2208 
2209 void selinux_policy_commit(struct selinux_state *state,
2210 			   struct selinux_load_state *load_state)
2211 {
2212 	struct selinux_policy *oldpolicy, *newpolicy = load_state->policy;
2213 	unsigned long flags;
2214 	u32 seqno;
2215 
2216 	oldpolicy = rcu_dereference_protected(state->policy,
2217 					lockdep_is_held(&state->policy_mutex));
2218 
2219 	/* If switching between different policy types, log MLS status */
2220 	if (oldpolicy) {
2221 		if (oldpolicy->policydb.mls_enabled && !newpolicy->policydb.mls_enabled)
2222 			pr_info("SELinux: Disabling MLS support...\n");
2223 		else if (!oldpolicy->policydb.mls_enabled && newpolicy->policydb.mls_enabled)
2224 			pr_info("SELinux: Enabling MLS support...\n");
2225 	}
2226 
2227 	/* Set latest granting seqno for new policy. */
2228 	if (oldpolicy)
2229 		newpolicy->latest_granting = oldpolicy->latest_granting + 1;
2230 	else
2231 		newpolicy->latest_granting = 1;
2232 	seqno = newpolicy->latest_granting;
2233 
2234 	/* Install the new policy. */
2235 	if (oldpolicy) {
2236 		sidtab_freeze_begin(oldpolicy->sidtab, &flags);
2237 		rcu_assign_pointer(state->policy, newpolicy);
2238 		sidtab_freeze_end(oldpolicy->sidtab, &flags);
2239 	} else {
2240 		rcu_assign_pointer(state->policy, newpolicy);
2241 	}
2242 
2243 	/* Load the policycaps from the new policy */
2244 	security_load_policycaps(state, newpolicy);
2245 
2246 	if (!selinux_initialized(state)) {
2247 		/*
2248 		 * After first policy load, the security server is
2249 		 * marked as initialized and ready to handle requests and
2250 		 * any objects created prior to policy load are then labeled.
2251 		 */
2252 		selinux_mark_initialized(state);
2253 		selinux_complete_init();
2254 	}
2255 
2256 	/* Free the old policy */
2257 	synchronize_rcu();
2258 	selinux_policy_free(oldpolicy);
2259 	kfree(load_state->convert_data);
2260 
2261 	/* Notify others of the policy change */
2262 	selinux_notify_policy_change(state, seqno);
2263 }
2264 
2265 /**
2266  * security_load_policy - Load a security policy configuration.
2267  * @state: SELinux state
2268  * @data: binary policy data
2269  * @len: length of data in bytes
2270  * @load_state: policy load state
2271  *
2272  * Load a new set of security policy configuration data,
2273  * validate it and convert the SID table as necessary.
2274  * This function will flush the access vector cache after
2275  * loading the new policy.
2276  */
2277 int security_load_policy(struct selinux_state *state, void *data, size_t len,
2278 			 struct selinux_load_state *load_state)
2279 {
2280 	struct selinux_policy *newpolicy, *oldpolicy;
2281 	struct selinux_policy_convert_data *convert_data;
2282 	int rc = 0;
2283 	struct policy_file file = { data, len }, *fp = &file;
2284 
2285 	newpolicy = kzalloc(sizeof(*newpolicy), GFP_KERNEL);
2286 	if (!newpolicy)
2287 		return -ENOMEM;
2288 
2289 	newpolicy->sidtab = kzalloc(sizeof(*newpolicy->sidtab), GFP_KERNEL);
2290 	if (!newpolicy->sidtab) {
2291 		rc = -ENOMEM;
2292 		goto err_policy;
2293 	}
2294 
2295 	rc = policydb_read(&newpolicy->policydb, fp);
2296 	if (rc)
2297 		goto err_sidtab;
2298 
2299 	newpolicy->policydb.len = len;
2300 	rc = selinux_set_mapping(&newpolicy->policydb, secclass_map,
2301 				&newpolicy->map);
2302 	if (rc)
2303 		goto err_policydb;
2304 
2305 	rc = policydb_load_isids(&newpolicy->policydb, newpolicy->sidtab);
2306 	if (rc) {
2307 		pr_err("SELinux:  unable to load the initial SIDs\n");
2308 		goto err_mapping;
2309 	}
2310 
2311 	if (!selinux_initialized(state)) {
2312 		/* First policy load, so no need to preserve state from old policy */
2313 		load_state->policy = newpolicy;
2314 		load_state->convert_data = NULL;
2315 		return 0;
2316 	}
2317 
2318 	oldpolicy = rcu_dereference_protected(state->policy,
2319 					lockdep_is_held(&state->policy_mutex));
2320 
2321 	/* Preserve active boolean values from the old policy */
2322 	rc = security_preserve_bools(oldpolicy, newpolicy);
2323 	if (rc) {
2324 		pr_err("SELinux:  unable to preserve booleans\n");
2325 		goto err_free_isids;
2326 	}
2327 
2328 	/*
2329 	 * Convert the internal representations of contexts
2330 	 * in the new SID table.
2331 	 */
2332 
2333 	convert_data = kmalloc(sizeof(*convert_data), GFP_KERNEL);
2334 	if (!convert_data) {
2335 		rc = -ENOMEM;
2336 		goto err_free_isids;
2337 	}
2338 
2339 	convert_data->args.state = state;
2340 	convert_data->args.oldp = &oldpolicy->policydb;
2341 	convert_data->args.newp = &newpolicy->policydb;
2342 
2343 	convert_data->sidtab_params.args = &convert_data->args;
2344 	convert_data->sidtab_params.target = newpolicy->sidtab;
2345 
2346 	rc = sidtab_convert(oldpolicy->sidtab, &convert_data->sidtab_params);
2347 	if (rc) {
2348 		pr_err("SELinux:  unable to convert the internal"
2349 			" representation of contexts in the new SID"
2350 			" table\n");
2351 		goto err_free_convert_data;
2352 	}
2353 
2354 	load_state->policy = newpolicy;
2355 	load_state->convert_data = convert_data;
2356 	return 0;
2357 
2358 err_free_convert_data:
2359 	kfree(convert_data);
2360 err_free_isids:
2361 	sidtab_destroy(newpolicy->sidtab);
2362 err_mapping:
2363 	kfree(newpolicy->map.mapping);
2364 err_policydb:
2365 	policydb_destroy(&newpolicy->policydb);
2366 err_sidtab:
2367 	kfree(newpolicy->sidtab);
2368 err_policy:
2369 	kfree(newpolicy);
2370 
2371 	return rc;
2372 }
2373 
2374 /**
2375  * ocontext_to_sid - Helper to safely get sid for an ocontext
2376  * @sidtab: SID table
2377  * @c: ocontext structure
2378  * @index: index of the context entry (0 or 1)
2379  * @out_sid: pointer to the resulting SID value
2380  *
2381  * For all ocontexts except OCON_ISID the SID fields are populated
2382  * on-demand when needed. Since updating the SID value is an SMP-sensitive
2383  * operation, this helper must be used to do that safely.
2384  *
2385  * WARNING: This function may return -ESTALE, indicating that the caller
2386  * must retry the operation after re-acquiring the policy pointer!
2387  */
2388 static int ocontext_to_sid(struct sidtab *sidtab, struct ocontext *c,
2389 			   size_t index, u32 *out_sid)
2390 {
2391 	int rc;
2392 	u32 sid;
2393 
2394 	/* Ensure the associated sidtab entry is visible to this thread. */
2395 	sid = smp_load_acquire(&c->sid[index]);
2396 	if (!sid) {
2397 		rc = sidtab_context_to_sid(sidtab, &c->context[index], &sid);
2398 		if (rc)
2399 			return rc;
2400 
2401 		/*
2402 		 * Ensure the new sidtab entry is visible to other threads
2403 		 * when they see the SID.
2404 		 */
2405 		smp_store_release(&c->sid[index], sid);
2406 	}
2407 	*out_sid = sid;
2408 	return 0;
2409 }
2410 
2411 /**
2412  * security_port_sid - Obtain the SID for a port.
2413  * @state: SELinux state
2414  * @protocol: protocol number
2415  * @port: port number
2416  * @out_sid: security identifier
2417  */
2418 int security_port_sid(struct selinux_state *state,
2419 		      u8 protocol, u16 port, u32 *out_sid)
2420 {
2421 	struct selinux_policy *policy;
2422 	struct policydb *policydb;
2423 	struct sidtab *sidtab;
2424 	struct ocontext *c;
2425 	int rc;
2426 
2427 	if (!selinux_initialized(state)) {
2428 		*out_sid = SECINITSID_PORT;
2429 		return 0;
2430 	}
2431 
2432 retry:
2433 	rc = 0;
2434 	rcu_read_lock();
2435 	policy = rcu_dereference(state->policy);
2436 	policydb = &policy->policydb;
2437 	sidtab = policy->sidtab;
2438 
2439 	c = policydb->ocontexts[OCON_PORT];
2440 	while (c) {
2441 		if (c->u.port.protocol == protocol &&
2442 		    c->u.port.low_port <= port &&
2443 		    c->u.port.high_port >= port)
2444 			break;
2445 		c = c->next;
2446 	}
2447 
2448 	if (c) {
2449 		rc = ocontext_to_sid(sidtab, c, 0, out_sid);
2450 		if (rc == -ESTALE) {
2451 			rcu_read_unlock();
2452 			goto retry;
2453 		}
2454 		if (rc)
2455 			goto out;
2456 	} else {
2457 		*out_sid = SECINITSID_PORT;
2458 	}
2459 
2460 out:
2461 	rcu_read_unlock();
2462 	return rc;
2463 }
2464 
2465 /**
2466  * security_ib_pkey_sid - Obtain the SID for a pkey.
2467  * @state: SELinux state
2468  * @subnet_prefix: Subnet Prefix
2469  * @pkey_num: pkey number
2470  * @out_sid: security identifier
2471  */
2472 int security_ib_pkey_sid(struct selinux_state *state,
2473 			 u64 subnet_prefix, u16 pkey_num, u32 *out_sid)
2474 {
2475 	struct selinux_policy *policy;
2476 	struct policydb *policydb;
2477 	struct sidtab *sidtab;
2478 	struct ocontext *c;
2479 	int rc;
2480 
2481 	if (!selinux_initialized(state)) {
2482 		*out_sid = SECINITSID_UNLABELED;
2483 		return 0;
2484 	}
2485 
2486 retry:
2487 	rc = 0;
2488 	rcu_read_lock();
2489 	policy = rcu_dereference(state->policy);
2490 	policydb = &policy->policydb;
2491 	sidtab = policy->sidtab;
2492 
2493 	c = policydb->ocontexts[OCON_IBPKEY];
2494 	while (c) {
2495 		if (c->u.ibpkey.low_pkey <= pkey_num &&
2496 		    c->u.ibpkey.high_pkey >= pkey_num &&
2497 		    c->u.ibpkey.subnet_prefix == subnet_prefix)
2498 			break;
2499 
2500 		c = c->next;
2501 	}
2502 
2503 	if (c) {
2504 		rc = ocontext_to_sid(sidtab, c, 0, out_sid);
2505 		if (rc == -ESTALE) {
2506 			rcu_read_unlock();
2507 			goto retry;
2508 		}
2509 		if (rc)
2510 			goto out;
2511 	} else
2512 		*out_sid = SECINITSID_UNLABELED;
2513 
2514 out:
2515 	rcu_read_unlock();
2516 	return rc;
2517 }
2518 
2519 /**
2520  * security_ib_endport_sid - Obtain the SID for a subnet management interface.
2521  * @state: SELinux state
2522  * @dev_name: device name
2523  * @port_num: port number
2524  * @out_sid: security identifier
2525  */
2526 int security_ib_endport_sid(struct selinux_state *state,
2527 			    const char *dev_name, u8 port_num, u32 *out_sid)
2528 {
2529 	struct selinux_policy *policy;
2530 	struct policydb *policydb;
2531 	struct sidtab *sidtab;
2532 	struct ocontext *c;
2533 	int rc;
2534 
2535 	if (!selinux_initialized(state)) {
2536 		*out_sid = SECINITSID_UNLABELED;
2537 		return 0;
2538 	}
2539 
2540 retry:
2541 	rc = 0;
2542 	rcu_read_lock();
2543 	policy = rcu_dereference(state->policy);
2544 	policydb = &policy->policydb;
2545 	sidtab = policy->sidtab;
2546 
2547 	c = policydb->ocontexts[OCON_IBENDPORT];
2548 	while (c) {
2549 		if (c->u.ibendport.port == port_num &&
2550 		    !strncmp(c->u.ibendport.dev_name,
2551 			     dev_name,
2552 			     IB_DEVICE_NAME_MAX))
2553 			break;
2554 
2555 		c = c->next;
2556 	}
2557 
2558 	if (c) {
2559 		rc = ocontext_to_sid(sidtab, c, 0, out_sid);
2560 		if (rc == -ESTALE) {
2561 			rcu_read_unlock();
2562 			goto retry;
2563 		}
2564 		if (rc)
2565 			goto out;
2566 	} else
2567 		*out_sid = SECINITSID_UNLABELED;
2568 
2569 out:
2570 	rcu_read_unlock();
2571 	return rc;
2572 }
2573 
2574 /**
2575  * security_netif_sid - Obtain the SID for a network interface.
2576  * @state: SELinux state
2577  * @name: interface name
2578  * @if_sid: interface SID
2579  */
2580 int security_netif_sid(struct selinux_state *state,
2581 		       char *name, u32 *if_sid)
2582 {
2583 	struct selinux_policy *policy;
2584 	struct policydb *policydb;
2585 	struct sidtab *sidtab;
2586 	int rc;
2587 	struct ocontext *c;
2588 
2589 	if (!selinux_initialized(state)) {
2590 		*if_sid = SECINITSID_NETIF;
2591 		return 0;
2592 	}
2593 
2594 retry:
2595 	rc = 0;
2596 	rcu_read_lock();
2597 	policy = rcu_dereference(state->policy);
2598 	policydb = &policy->policydb;
2599 	sidtab = policy->sidtab;
2600 
2601 	c = policydb->ocontexts[OCON_NETIF];
2602 	while (c) {
2603 		if (strcmp(name, c->u.name) == 0)
2604 			break;
2605 		c = c->next;
2606 	}
2607 
2608 	if (c) {
2609 		rc = ocontext_to_sid(sidtab, c, 0, if_sid);
2610 		if (rc == -ESTALE) {
2611 			rcu_read_unlock();
2612 			goto retry;
2613 		}
2614 		if (rc)
2615 			goto out;
2616 	} else
2617 		*if_sid = SECINITSID_NETIF;
2618 
2619 out:
2620 	rcu_read_unlock();
2621 	return rc;
2622 }
2623 
2624 static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask)
2625 {
2626 	int i, fail = 0;
2627 
2628 	for (i = 0; i < 4; i++)
2629 		if (addr[i] != (input[i] & mask[i])) {
2630 			fail = 1;
2631 			break;
2632 		}
2633 
2634 	return !fail;
2635 }
2636 
2637 /**
2638  * security_node_sid - Obtain the SID for a node (host).
2639  * @state: SELinux state
2640  * @domain: communication domain aka address family
2641  * @addrp: address
2642  * @addrlen: address length in bytes
2643  * @out_sid: security identifier
2644  */
2645 int security_node_sid(struct selinux_state *state,
2646 		      u16 domain,
2647 		      void *addrp,
2648 		      u32 addrlen,
2649 		      u32 *out_sid)
2650 {
2651 	struct selinux_policy *policy;
2652 	struct policydb *policydb;
2653 	struct sidtab *sidtab;
2654 	int rc;
2655 	struct ocontext *c;
2656 
2657 	if (!selinux_initialized(state)) {
2658 		*out_sid = SECINITSID_NODE;
2659 		return 0;
2660 	}
2661 
2662 retry:
2663 	rcu_read_lock();
2664 	policy = rcu_dereference(state->policy);
2665 	policydb = &policy->policydb;
2666 	sidtab = policy->sidtab;
2667 
2668 	switch (domain) {
2669 	case AF_INET: {
2670 		u32 addr;
2671 
2672 		rc = -EINVAL;
2673 		if (addrlen != sizeof(u32))
2674 			goto out;
2675 
2676 		addr = *((u32 *)addrp);
2677 
2678 		c = policydb->ocontexts[OCON_NODE];
2679 		while (c) {
2680 			if (c->u.node.addr == (addr & c->u.node.mask))
2681 				break;
2682 			c = c->next;
2683 		}
2684 		break;
2685 	}
2686 
2687 	case AF_INET6:
2688 		rc = -EINVAL;
2689 		if (addrlen != sizeof(u64) * 2)
2690 			goto out;
2691 		c = policydb->ocontexts[OCON_NODE6];
2692 		while (c) {
2693 			if (match_ipv6_addrmask(addrp, c->u.node6.addr,
2694 						c->u.node6.mask))
2695 				break;
2696 			c = c->next;
2697 		}
2698 		break;
2699 
2700 	default:
2701 		rc = 0;
2702 		*out_sid = SECINITSID_NODE;
2703 		goto out;
2704 	}
2705 
2706 	if (c) {
2707 		rc = ocontext_to_sid(sidtab, c, 0, out_sid);
2708 		if (rc == -ESTALE) {
2709 			rcu_read_unlock();
2710 			goto retry;
2711 		}
2712 		if (rc)
2713 			goto out;
2714 	} else {
2715 		*out_sid = SECINITSID_NODE;
2716 	}
2717 
2718 	rc = 0;
2719 out:
2720 	rcu_read_unlock();
2721 	return rc;
2722 }
2723 
2724 #define SIDS_NEL 25
2725 
2726 /**
2727  * security_get_user_sids - Obtain reachable SIDs for a user.
2728  * @state: SELinux state
2729  * @fromsid: starting SID
2730  * @username: username
2731  * @sids: array of reachable SIDs for user
2732  * @nel: number of elements in @sids
2733  *
2734  * Generate the set of SIDs for legal security contexts
2735  * for a given user that can be reached by @fromsid.
2736  * Set *@sids to point to a dynamically allocated
2737  * array containing the set of SIDs.  Set *@nel to the
2738  * number of elements in the array.
2739  */
2740 
2741 int security_get_user_sids(struct selinux_state *state,
2742 			   u32 fromsid,
2743 			   char *username,
2744 			   u32 **sids,
2745 			   u32 *nel)
2746 {
2747 	struct selinux_policy *policy;
2748 	struct policydb *policydb;
2749 	struct sidtab *sidtab;
2750 	struct context *fromcon, usercon;
2751 	u32 *mysids = NULL, *mysids2, sid;
2752 	u32 i, j, mynel, maxnel = SIDS_NEL;
2753 	struct user_datum *user;
2754 	struct role_datum *role;
2755 	struct ebitmap_node *rnode, *tnode;
2756 	int rc;
2757 
2758 	*sids = NULL;
2759 	*nel = 0;
2760 
2761 	if (!selinux_initialized(state))
2762 		return 0;
2763 
2764 	mysids = kcalloc(maxnel, sizeof(*mysids), GFP_KERNEL);
2765 	if (!mysids)
2766 		return -ENOMEM;
2767 
2768 retry:
2769 	mynel = 0;
2770 	rcu_read_lock();
2771 	policy = rcu_dereference(state->policy);
2772 	policydb = &policy->policydb;
2773 	sidtab = policy->sidtab;
2774 
2775 	context_init(&usercon);
2776 
2777 	rc = -EINVAL;
2778 	fromcon = sidtab_search(sidtab, fromsid);
2779 	if (!fromcon)
2780 		goto out_unlock;
2781 
2782 	rc = -EINVAL;
2783 	user = symtab_search(&policydb->p_users, username);
2784 	if (!user)
2785 		goto out_unlock;
2786 
2787 	usercon.user = user->value;
2788 
2789 	ebitmap_for_each_positive_bit(&user->roles, rnode, i) {
2790 		role = policydb->role_val_to_struct[i];
2791 		usercon.role = i + 1;
2792 		ebitmap_for_each_positive_bit(&role->types, tnode, j) {
2793 			usercon.type = j + 1;
2794 
2795 			if (mls_setup_user_range(policydb, fromcon, user,
2796 						 &usercon))
2797 				continue;
2798 
2799 			rc = sidtab_context_to_sid(sidtab, &usercon, &sid);
2800 			if (rc == -ESTALE) {
2801 				rcu_read_unlock();
2802 				goto retry;
2803 			}
2804 			if (rc)
2805 				goto out_unlock;
2806 			if (mynel < maxnel) {
2807 				mysids[mynel++] = sid;
2808 			} else {
2809 				rc = -ENOMEM;
2810 				maxnel += SIDS_NEL;
2811 				mysids2 = kcalloc(maxnel, sizeof(*mysids2), GFP_ATOMIC);
2812 				if (!mysids2)
2813 					goto out_unlock;
2814 				memcpy(mysids2, mysids, mynel * sizeof(*mysids2));
2815 				kfree(mysids);
2816 				mysids = mysids2;
2817 				mysids[mynel++] = sid;
2818 			}
2819 		}
2820 	}
2821 	rc = 0;
2822 out_unlock:
2823 	rcu_read_unlock();
2824 	if (rc || !mynel) {
2825 		kfree(mysids);
2826 		return rc;
2827 	}
2828 
2829 	rc = -ENOMEM;
2830 	mysids2 = kcalloc(mynel, sizeof(*mysids2), GFP_KERNEL);
2831 	if (!mysids2) {
2832 		kfree(mysids);
2833 		return rc;
2834 	}
2835 	for (i = 0, j = 0; i < mynel; i++) {
2836 		struct av_decision dummy_avd;
2837 		rc = avc_has_perm_noaudit(state,
2838 					  fromsid, mysids[i],
2839 					  SECCLASS_PROCESS, /* kernel value */
2840 					  PROCESS__TRANSITION, AVC_STRICT,
2841 					  &dummy_avd);
2842 		if (!rc)
2843 			mysids2[j++] = mysids[i];
2844 		cond_resched();
2845 	}
2846 	kfree(mysids);
2847 	*sids = mysids2;
2848 	*nel = j;
2849 	return 0;
2850 }
2851 
2852 /**
2853  * __security_genfs_sid - Helper to obtain a SID for a file in a filesystem
2854  * @policy: policy
2855  * @fstype: filesystem type
2856  * @path: path from root of mount
2857  * @orig_sclass: file security class
2858  * @sid: SID for path
2859  *
2860  * Obtain a SID to use for a file in a filesystem that
2861  * cannot support xattr or use a fixed labeling behavior like
2862  * transition SIDs or task SIDs.
2863  *
2864  * WARNING: This function may return -ESTALE, indicating that the caller
2865  * must retry the operation after re-acquiring the policy pointer!
2866  */
2867 static inline int __security_genfs_sid(struct selinux_policy *policy,
2868 				       const char *fstype,
2869 				       const char *path,
2870 				       u16 orig_sclass,
2871 				       u32 *sid)
2872 {
2873 	struct policydb *policydb = &policy->policydb;
2874 	struct sidtab *sidtab = policy->sidtab;
2875 	int len;
2876 	u16 sclass;
2877 	struct genfs *genfs;
2878 	struct ocontext *c;
2879 	int cmp = 0;
2880 
2881 	while (path[0] == '/' && path[1] == '/')
2882 		path++;
2883 
2884 	sclass = unmap_class(&policy->map, orig_sclass);
2885 	*sid = SECINITSID_UNLABELED;
2886 
2887 	for (genfs = policydb->genfs; genfs; genfs = genfs->next) {
2888 		cmp = strcmp(fstype, genfs->fstype);
2889 		if (cmp <= 0)
2890 			break;
2891 	}
2892 
2893 	if (!genfs || cmp)
2894 		return -ENOENT;
2895 
2896 	for (c = genfs->head; c; c = c->next) {
2897 		len = strlen(c->u.name);
2898 		if ((!c->v.sclass || sclass == c->v.sclass) &&
2899 		    (strncmp(c->u.name, path, len) == 0))
2900 			break;
2901 	}
2902 
2903 	if (!c)
2904 		return -ENOENT;
2905 
2906 	return ocontext_to_sid(sidtab, c, 0, sid);
2907 }
2908 
2909 /**
2910  * security_genfs_sid - Obtain a SID for a file in a filesystem
2911  * @state: SELinux state
2912  * @fstype: filesystem type
2913  * @path: path from root of mount
2914  * @orig_sclass: file security class
2915  * @sid: SID for path
2916  *
2917  * Acquire policy_rwlock before calling __security_genfs_sid() and release
2918  * it afterward.
2919  */
2920 int security_genfs_sid(struct selinux_state *state,
2921 		       const char *fstype,
2922 		       const char *path,
2923 		       u16 orig_sclass,
2924 		       u32 *sid)
2925 {
2926 	struct selinux_policy *policy;
2927 	int retval;
2928 
2929 	if (!selinux_initialized(state)) {
2930 		*sid = SECINITSID_UNLABELED;
2931 		return 0;
2932 	}
2933 
2934 	do {
2935 		rcu_read_lock();
2936 		policy = rcu_dereference(state->policy);
2937 		retval = __security_genfs_sid(policy, fstype, path,
2938 					      orig_sclass, sid);
2939 		rcu_read_unlock();
2940 	} while (retval == -ESTALE);
2941 	return retval;
2942 }
2943 
2944 int selinux_policy_genfs_sid(struct selinux_policy *policy,
2945 			const char *fstype,
2946 			const char *path,
2947 			u16 orig_sclass,
2948 			u32 *sid)
2949 {
2950 	/* no lock required, policy is not yet accessible by other threads */
2951 	return __security_genfs_sid(policy, fstype, path, orig_sclass, sid);
2952 }
2953 
2954 /**
2955  * security_fs_use - Determine how to handle labeling for a filesystem.
2956  * @state: SELinux state
2957  * @sb: superblock in question
2958  */
2959 int security_fs_use(struct selinux_state *state, struct super_block *sb)
2960 {
2961 	struct selinux_policy *policy;
2962 	struct policydb *policydb;
2963 	struct sidtab *sidtab;
2964 	int rc;
2965 	struct ocontext *c;
2966 	struct superblock_security_struct *sbsec = selinux_superblock(sb);
2967 	const char *fstype = sb->s_type->name;
2968 
2969 	if (!selinux_initialized(state)) {
2970 		sbsec->behavior = SECURITY_FS_USE_NONE;
2971 		sbsec->sid = SECINITSID_UNLABELED;
2972 		return 0;
2973 	}
2974 
2975 retry:
2976 	rcu_read_lock();
2977 	policy = rcu_dereference(state->policy);
2978 	policydb = &policy->policydb;
2979 	sidtab = policy->sidtab;
2980 
2981 	c = policydb->ocontexts[OCON_FSUSE];
2982 	while (c) {
2983 		if (strcmp(fstype, c->u.name) == 0)
2984 			break;
2985 		c = c->next;
2986 	}
2987 
2988 	if (c) {
2989 		sbsec->behavior = c->v.behavior;
2990 		rc = ocontext_to_sid(sidtab, c, 0, &sbsec->sid);
2991 		if (rc == -ESTALE) {
2992 			rcu_read_unlock();
2993 			goto retry;
2994 		}
2995 		if (rc)
2996 			goto out;
2997 	} else {
2998 		rc = __security_genfs_sid(policy, fstype, "/",
2999 					SECCLASS_DIR, &sbsec->sid);
3000 		if (rc == -ESTALE) {
3001 			rcu_read_unlock();
3002 			goto retry;
3003 		}
3004 		if (rc) {
3005 			sbsec->behavior = SECURITY_FS_USE_NONE;
3006 			rc = 0;
3007 		} else {
3008 			sbsec->behavior = SECURITY_FS_USE_GENFS;
3009 		}
3010 	}
3011 
3012 out:
3013 	rcu_read_unlock();
3014 	return rc;
3015 }
3016 
3017 int security_get_bools(struct selinux_policy *policy,
3018 		       u32 *len, char ***names, int **values)
3019 {
3020 	struct policydb *policydb;
3021 	u32 i;
3022 	int rc;
3023 
3024 	policydb = &policy->policydb;
3025 
3026 	*names = NULL;
3027 	*values = NULL;
3028 
3029 	rc = 0;
3030 	*len = policydb->p_bools.nprim;
3031 	if (!*len)
3032 		goto out;
3033 
3034 	rc = -ENOMEM;
3035 	*names = kcalloc(*len, sizeof(char *), GFP_ATOMIC);
3036 	if (!*names)
3037 		goto err;
3038 
3039 	rc = -ENOMEM;
3040 	*values = kcalloc(*len, sizeof(int), GFP_ATOMIC);
3041 	if (!*values)
3042 		goto err;
3043 
3044 	for (i = 0; i < *len; i++) {
3045 		(*values)[i] = policydb->bool_val_to_struct[i]->state;
3046 
3047 		rc = -ENOMEM;
3048 		(*names)[i] = kstrdup(sym_name(policydb, SYM_BOOLS, i),
3049 				      GFP_ATOMIC);
3050 		if (!(*names)[i])
3051 			goto err;
3052 	}
3053 	rc = 0;
3054 out:
3055 	return rc;
3056 err:
3057 	if (*names) {
3058 		for (i = 0; i < *len; i++)
3059 			kfree((*names)[i]);
3060 		kfree(*names);
3061 	}
3062 	kfree(*values);
3063 	*len = 0;
3064 	*names = NULL;
3065 	*values = NULL;
3066 	goto out;
3067 }
3068 
3069 
3070 int security_set_bools(struct selinux_state *state, u32 len, int *values)
3071 {
3072 	struct selinux_policy *newpolicy, *oldpolicy;
3073 	int rc;
3074 	u32 i, seqno = 0;
3075 
3076 	if (!selinux_initialized(state))
3077 		return -EINVAL;
3078 
3079 	oldpolicy = rcu_dereference_protected(state->policy,
3080 					lockdep_is_held(&state->policy_mutex));
3081 
3082 	/* Consistency check on number of booleans, should never fail */
3083 	if (WARN_ON(len != oldpolicy->policydb.p_bools.nprim))
3084 		return -EINVAL;
3085 
3086 	newpolicy = kmemdup(oldpolicy, sizeof(*newpolicy), GFP_KERNEL);
3087 	if (!newpolicy)
3088 		return -ENOMEM;
3089 
3090 	/*
3091 	 * Deep copy only the parts of the policydb that might be
3092 	 * modified as a result of changing booleans.
3093 	 */
3094 	rc = cond_policydb_dup(&newpolicy->policydb, &oldpolicy->policydb);
3095 	if (rc) {
3096 		kfree(newpolicy);
3097 		return -ENOMEM;
3098 	}
3099 
3100 	/* Update the boolean states in the copy */
3101 	for (i = 0; i < len; i++) {
3102 		int new_state = !!values[i];
3103 		int old_state = newpolicy->policydb.bool_val_to_struct[i]->state;
3104 
3105 		if (new_state != old_state) {
3106 			audit_log(audit_context(), GFP_ATOMIC,
3107 				AUDIT_MAC_CONFIG_CHANGE,
3108 				"bool=%s val=%d old_val=%d auid=%u ses=%u",
3109 				sym_name(&newpolicy->policydb, SYM_BOOLS, i),
3110 				new_state,
3111 				old_state,
3112 				from_kuid(&init_user_ns, audit_get_loginuid(current)),
3113 				audit_get_sessionid(current));
3114 			newpolicy->policydb.bool_val_to_struct[i]->state = new_state;
3115 		}
3116 	}
3117 
3118 	/* Re-evaluate the conditional rules in the copy */
3119 	evaluate_cond_nodes(&newpolicy->policydb);
3120 
3121 	/* Set latest granting seqno for new policy */
3122 	newpolicy->latest_granting = oldpolicy->latest_granting + 1;
3123 	seqno = newpolicy->latest_granting;
3124 
3125 	/* Install the new policy */
3126 	rcu_assign_pointer(state->policy, newpolicy);
3127 
3128 	/*
3129 	 * Free the conditional portions of the old policydb
3130 	 * that were copied for the new policy, and the oldpolicy
3131 	 * structure itself but not what it references.
3132 	 */
3133 	synchronize_rcu();
3134 	selinux_policy_cond_free(oldpolicy);
3135 
3136 	/* Notify others of the policy change */
3137 	selinux_notify_policy_change(state, seqno);
3138 	return 0;
3139 }
3140 
3141 int security_get_bool_value(struct selinux_state *state,
3142 			    u32 index)
3143 {
3144 	struct selinux_policy *policy;
3145 	struct policydb *policydb;
3146 	int rc;
3147 	u32 len;
3148 
3149 	if (!selinux_initialized(state))
3150 		return 0;
3151 
3152 	rcu_read_lock();
3153 	policy = rcu_dereference(state->policy);
3154 	policydb = &policy->policydb;
3155 
3156 	rc = -EFAULT;
3157 	len = policydb->p_bools.nprim;
3158 	if (index >= len)
3159 		goto out;
3160 
3161 	rc = policydb->bool_val_to_struct[index]->state;
3162 out:
3163 	rcu_read_unlock();
3164 	return rc;
3165 }
3166 
3167 static int security_preserve_bools(struct selinux_policy *oldpolicy,
3168 				struct selinux_policy *newpolicy)
3169 {
3170 	int rc, *bvalues = NULL;
3171 	char **bnames = NULL;
3172 	struct cond_bool_datum *booldatum;
3173 	u32 i, nbools = 0;
3174 
3175 	rc = security_get_bools(oldpolicy, &nbools, &bnames, &bvalues);
3176 	if (rc)
3177 		goto out;
3178 	for (i = 0; i < nbools; i++) {
3179 		booldatum = symtab_search(&newpolicy->policydb.p_bools,
3180 					bnames[i]);
3181 		if (booldatum)
3182 			booldatum->state = bvalues[i];
3183 	}
3184 	evaluate_cond_nodes(&newpolicy->policydb);
3185 
3186 out:
3187 	if (bnames) {
3188 		for (i = 0; i < nbools; i++)
3189 			kfree(bnames[i]);
3190 	}
3191 	kfree(bnames);
3192 	kfree(bvalues);
3193 	return rc;
3194 }
3195 
3196 /*
3197  * security_sid_mls_copy() - computes a new sid based on the given
3198  * sid and the mls portion of mls_sid.
3199  */
3200 int security_sid_mls_copy(struct selinux_state *state,
3201 			  u32 sid, u32 mls_sid, u32 *new_sid)
3202 {
3203 	struct selinux_policy *policy;
3204 	struct policydb *policydb;
3205 	struct sidtab *sidtab;
3206 	struct context *context1;
3207 	struct context *context2;
3208 	struct context newcon;
3209 	char *s;
3210 	u32 len;
3211 	int rc;
3212 
3213 	if (!selinux_initialized(state)) {
3214 		*new_sid = sid;
3215 		return 0;
3216 	}
3217 
3218 retry:
3219 	rc = 0;
3220 	context_init(&newcon);
3221 
3222 	rcu_read_lock();
3223 	policy = rcu_dereference(state->policy);
3224 	policydb = &policy->policydb;
3225 	sidtab = policy->sidtab;
3226 
3227 	if (!policydb->mls_enabled) {
3228 		*new_sid = sid;
3229 		goto out_unlock;
3230 	}
3231 
3232 	rc = -EINVAL;
3233 	context1 = sidtab_search(sidtab, sid);
3234 	if (!context1) {
3235 		pr_err("SELinux: %s:  unrecognized SID %d\n",
3236 			__func__, sid);
3237 		goto out_unlock;
3238 	}
3239 
3240 	rc = -EINVAL;
3241 	context2 = sidtab_search(sidtab, mls_sid);
3242 	if (!context2) {
3243 		pr_err("SELinux: %s:  unrecognized SID %d\n",
3244 			__func__, mls_sid);
3245 		goto out_unlock;
3246 	}
3247 
3248 	newcon.user = context1->user;
3249 	newcon.role = context1->role;
3250 	newcon.type = context1->type;
3251 	rc = mls_context_cpy(&newcon, context2);
3252 	if (rc)
3253 		goto out_unlock;
3254 
3255 	/* Check the validity of the new context. */
3256 	if (!policydb_context_isvalid(policydb, &newcon)) {
3257 		rc = convert_context_handle_invalid_context(state, policydb,
3258 							&newcon);
3259 		if (rc) {
3260 			if (!context_struct_to_string(policydb, &newcon, &s,
3261 						      &len)) {
3262 				struct audit_buffer *ab;
3263 
3264 				ab = audit_log_start(audit_context(),
3265 						     GFP_ATOMIC,
3266 						     AUDIT_SELINUX_ERR);
3267 				audit_log_format(ab,
3268 						 "op=security_sid_mls_copy invalid_context=");
3269 				/* don't record NUL with untrusted strings */
3270 				audit_log_n_untrustedstring(ab, s, len - 1);
3271 				audit_log_end(ab);
3272 				kfree(s);
3273 			}
3274 			goto out_unlock;
3275 		}
3276 	}
3277 	rc = sidtab_context_to_sid(sidtab, &newcon, new_sid);
3278 	if (rc == -ESTALE) {
3279 		rcu_read_unlock();
3280 		context_destroy(&newcon);
3281 		goto retry;
3282 	}
3283 out_unlock:
3284 	rcu_read_unlock();
3285 	context_destroy(&newcon);
3286 	return rc;
3287 }
3288 
3289 /**
3290  * security_net_peersid_resolve - Compare and resolve two network peer SIDs
3291  * @state: SELinux state
3292  * @nlbl_sid: NetLabel SID
3293  * @nlbl_type: NetLabel labeling protocol type
3294  * @xfrm_sid: XFRM SID
3295  * @peer_sid: network peer sid
3296  *
3297  * Description:
3298  * Compare the @nlbl_sid and @xfrm_sid values and if the two SIDs can be
3299  * resolved into a single SID it is returned via @peer_sid and the function
3300  * returns zero.  Otherwise @peer_sid is set to SECSID_NULL and the function
3301  * returns a negative value.  A table summarizing the behavior is below:
3302  *
3303  *                                 | function return |      @sid
3304  *   ------------------------------+-----------------+-----------------
3305  *   no peer labels                |        0        |    SECSID_NULL
3306  *   single peer label             |        0        |    <peer_label>
3307  *   multiple, consistent labels   |        0        |    <peer_label>
3308  *   multiple, inconsistent labels |    -<errno>     |    SECSID_NULL
3309  *
3310  */
3311 int security_net_peersid_resolve(struct selinux_state *state,
3312 				 u32 nlbl_sid, u32 nlbl_type,
3313 				 u32 xfrm_sid,
3314 				 u32 *peer_sid)
3315 {
3316 	struct selinux_policy *policy;
3317 	struct policydb *policydb;
3318 	struct sidtab *sidtab;
3319 	int rc;
3320 	struct context *nlbl_ctx;
3321 	struct context *xfrm_ctx;
3322 
3323 	*peer_sid = SECSID_NULL;
3324 
3325 	/* handle the common (which also happens to be the set of easy) cases
3326 	 * right away, these two if statements catch everything involving a
3327 	 * single or absent peer SID/label */
3328 	if (xfrm_sid == SECSID_NULL) {
3329 		*peer_sid = nlbl_sid;
3330 		return 0;
3331 	}
3332 	/* NOTE: an nlbl_type == NETLBL_NLTYPE_UNLABELED is a "fallback" label
3333 	 * and is treated as if nlbl_sid == SECSID_NULL when a XFRM SID/label
3334 	 * is present */
3335 	if (nlbl_sid == SECSID_NULL || nlbl_type == NETLBL_NLTYPE_UNLABELED) {
3336 		*peer_sid = xfrm_sid;
3337 		return 0;
3338 	}
3339 
3340 	if (!selinux_initialized(state))
3341 		return 0;
3342 
3343 	rcu_read_lock();
3344 	policy = rcu_dereference(state->policy);
3345 	policydb = &policy->policydb;
3346 	sidtab = policy->sidtab;
3347 
3348 	/*
3349 	 * We don't need to check initialized here since the only way both
3350 	 * nlbl_sid and xfrm_sid are not equal to SECSID_NULL would be if the
3351 	 * security server was initialized and state->initialized was true.
3352 	 */
3353 	if (!policydb->mls_enabled) {
3354 		rc = 0;
3355 		goto out;
3356 	}
3357 
3358 	rc = -EINVAL;
3359 	nlbl_ctx = sidtab_search(sidtab, nlbl_sid);
3360 	if (!nlbl_ctx) {
3361 		pr_err("SELinux: %s:  unrecognized SID %d\n",
3362 		       __func__, nlbl_sid);
3363 		goto out;
3364 	}
3365 	rc = -EINVAL;
3366 	xfrm_ctx = sidtab_search(sidtab, xfrm_sid);
3367 	if (!xfrm_ctx) {
3368 		pr_err("SELinux: %s:  unrecognized SID %d\n",
3369 		       __func__, xfrm_sid);
3370 		goto out;
3371 	}
3372 	rc = (mls_context_cmp(nlbl_ctx, xfrm_ctx) ? 0 : -EACCES);
3373 	if (rc)
3374 		goto out;
3375 
3376 	/* at present NetLabel SIDs/labels really only carry MLS
3377 	 * information so if the MLS portion of the NetLabel SID
3378 	 * matches the MLS portion of the labeled XFRM SID/label
3379 	 * then pass along the XFRM SID as it is the most
3380 	 * expressive */
3381 	*peer_sid = xfrm_sid;
3382 out:
3383 	rcu_read_unlock();
3384 	return rc;
3385 }
3386 
3387 static int get_classes_callback(void *k, void *d, void *args)
3388 {
3389 	struct class_datum *datum = d;
3390 	char *name = k, **classes = args;
3391 	int value = datum->value - 1;
3392 
3393 	classes[value] = kstrdup(name, GFP_ATOMIC);
3394 	if (!classes[value])
3395 		return -ENOMEM;
3396 
3397 	return 0;
3398 }
3399 
3400 int security_get_classes(struct selinux_policy *policy,
3401 			 char ***classes, int *nclasses)
3402 {
3403 	struct policydb *policydb;
3404 	int rc;
3405 
3406 	policydb = &policy->policydb;
3407 
3408 	rc = -ENOMEM;
3409 	*nclasses = policydb->p_classes.nprim;
3410 	*classes = kcalloc(*nclasses, sizeof(**classes), GFP_ATOMIC);
3411 	if (!*classes)
3412 		goto out;
3413 
3414 	rc = hashtab_map(&policydb->p_classes.table, get_classes_callback,
3415 			 *classes);
3416 	if (rc) {
3417 		int i;
3418 		for (i = 0; i < *nclasses; i++)
3419 			kfree((*classes)[i]);
3420 		kfree(*classes);
3421 	}
3422 
3423 out:
3424 	return rc;
3425 }
3426 
3427 static int get_permissions_callback(void *k, void *d, void *args)
3428 {
3429 	struct perm_datum *datum = d;
3430 	char *name = k, **perms = args;
3431 	int value = datum->value - 1;
3432 
3433 	perms[value] = kstrdup(name, GFP_ATOMIC);
3434 	if (!perms[value])
3435 		return -ENOMEM;
3436 
3437 	return 0;
3438 }
3439 
3440 int security_get_permissions(struct selinux_policy *policy,
3441 			     char *class, char ***perms, int *nperms)
3442 {
3443 	struct policydb *policydb;
3444 	int rc, i;
3445 	struct class_datum *match;
3446 
3447 	policydb = &policy->policydb;
3448 
3449 	rc = -EINVAL;
3450 	match = symtab_search(&policydb->p_classes, class);
3451 	if (!match) {
3452 		pr_err("SELinux: %s:  unrecognized class %s\n",
3453 			__func__, class);
3454 		goto out;
3455 	}
3456 
3457 	rc = -ENOMEM;
3458 	*nperms = match->permissions.nprim;
3459 	*perms = kcalloc(*nperms, sizeof(**perms), GFP_ATOMIC);
3460 	if (!*perms)
3461 		goto out;
3462 
3463 	if (match->comdatum) {
3464 		rc = hashtab_map(&match->comdatum->permissions.table,
3465 				 get_permissions_callback, *perms);
3466 		if (rc)
3467 			goto err;
3468 	}
3469 
3470 	rc = hashtab_map(&match->permissions.table, get_permissions_callback,
3471 			 *perms);
3472 	if (rc)
3473 		goto err;
3474 
3475 out:
3476 	return rc;
3477 
3478 err:
3479 	for (i = 0; i < *nperms; i++)
3480 		kfree((*perms)[i]);
3481 	kfree(*perms);
3482 	return rc;
3483 }
3484 
3485 int security_get_reject_unknown(struct selinux_state *state)
3486 {
3487 	struct selinux_policy *policy;
3488 	int value;
3489 
3490 	if (!selinux_initialized(state))
3491 		return 0;
3492 
3493 	rcu_read_lock();
3494 	policy = rcu_dereference(state->policy);
3495 	value = policy->policydb.reject_unknown;
3496 	rcu_read_unlock();
3497 	return value;
3498 }
3499 
3500 int security_get_allow_unknown(struct selinux_state *state)
3501 {
3502 	struct selinux_policy *policy;
3503 	int value;
3504 
3505 	if (!selinux_initialized(state))
3506 		return 0;
3507 
3508 	rcu_read_lock();
3509 	policy = rcu_dereference(state->policy);
3510 	value = policy->policydb.allow_unknown;
3511 	rcu_read_unlock();
3512 	return value;
3513 }
3514 
3515 /**
3516  * security_policycap_supported - Check for a specific policy capability
3517  * @state: SELinux state
3518  * @req_cap: capability
3519  *
3520  * Description:
3521  * This function queries the currently loaded policy to see if it supports the
3522  * capability specified by @req_cap.  Returns true (1) if the capability is
3523  * supported, false (0) if it isn't supported.
3524  *
3525  */
3526 int security_policycap_supported(struct selinux_state *state,
3527 				 unsigned int req_cap)
3528 {
3529 	struct selinux_policy *policy;
3530 	int rc;
3531 
3532 	if (!selinux_initialized(state))
3533 		return 0;
3534 
3535 	rcu_read_lock();
3536 	policy = rcu_dereference(state->policy);
3537 	rc = ebitmap_get_bit(&policy->policydb.policycaps, req_cap);
3538 	rcu_read_unlock();
3539 
3540 	return rc;
3541 }
3542 
3543 struct selinux_audit_rule {
3544 	u32 au_seqno;
3545 	struct context au_ctxt;
3546 };
3547 
3548 void selinux_audit_rule_free(void *vrule)
3549 {
3550 	struct selinux_audit_rule *rule = vrule;
3551 
3552 	if (rule) {
3553 		context_destroy(&rule->au_ctxt);
3554 		kfree(rule);
3555 	}
3556 }
3557 
3558 int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
3559 {
3560 	struct selinux_state *state = &selinux_state;
3561 	struct selinux_policy *policy;
3562 	struct policydb *policydb;
3563 	struct selinux_audit_rule *tmprule;
3564 	struct role_datum *roledatum;
3565 	struct type_datum *typedatum;
3566 	struct user_datum *userdatum;
3567 	struct selinux_audit_rule **rule = (struct selinux_audit_rule **)vrule;
3568 	int rc = 0;
3569 
3570 	*rule = NULL;
3571 
3572 	if (!selinux_initialized(state))
3573 		return -EOPNOTSUPP;
3574 
3575 	switch (field) {
3576 	case AUDIT_SUBJ_USER:
3577 	case AUDIT_SUBJ_ROLE:
3578 	case AUDIT_SUBJ_TYPE:
3579 	case AUDIT_OBJ_USER:
3580 	case AUDIT_OBJ_ROLE:
3581 	case AUDIT_OBJ_TYPE:
3582 		/* only 'equals' and 'not equals' fit user, role, and type */
3583 		if (op != Audit_equal && op != Audit_not_equal)
3584 			return -EINVAL;
3585 		break;
3586 	case AUDIT_SUBJ_SEN:
3587 	case AUDIT_SUBJ_CLR:
3588 	case AUDIT_OBJ_LEV_LOW:
3589 	case AUDIT_OBJ_LEV_HIGH:
3590 		/* we do not allow a range, indicated by the presence of '-' */
3591 		if (strchr(rulestr, '-'))
3592 			return -EINVAL;
3593 		break;
3594 	default:
3595 		/* only the above fields are valid */
3596 		return -EINVAL;
3597 	}
3598 
3599 	tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL);
3600 	if (!tmprule)
3601 		return -ENOMEM;
3602 
3603 	context_init(&tmprule->au_ctxt);
3604 
3605 	rcu_read_lock();
3606 	policy = rcu_dereference(state->policy);
3607 	policydb = &policy->policydb;
3608 
3609 	tmprule->au_seqno = policy->latest_granting;
3610 
3611 	switch (field) {
3612 	case AUDIT_SUBJ_USER:
3613 	case AUDIT_OBJ_USER:
3614 		rc = -EINVAL;
3615 		userdatum = symtab_search(&policydb->p_users, rulestr);
3616 		if (!userdatum)
3617 			goto out;
3618 		tmprule->au_ctxt.user = userdatum->value;
3619 		break;
3620 	case AUDIT_SUBJ_ROLE:
3621 	case AUDIT_OBJ_ROLE:
3622 		rc = -EINVAL;
3623 		roledatum = symtab_search(&policydb->p_roles, rulestr);
3624 		if (!roledatum)
3625 			goto out;
3626 		tmprule->au_ctxt.role = roledatum->value;
3627 		break;
3628 	case AUDIT_SUBJ_TYPE:
3629 	case AUDIT_OBJ_TYPE:
3630 		rc = -EINVAL;
3631 		typedatum = symtab_search(&policydb->p_types, rulestr);
3632 		if (!typedatum)
3633 			goto out;
3634 		tmprule->au_ctxt.type = typedatum->value;
3635 		break;
3636 	case AUDIT_SUBJ_SEN:
3637 	case AUDIT_SUBJ_CLR:
3638 	case AUDIT_OBJ_LEV_LOW:
3639 	case AUDIT_OBJ_LEV_HIGH:
3640 		rc = mls_from_string(policydb, rulestr, &tmprule->au_ctxt,
3641 				     GFP_ATOMIC);
3642 		if (rc)
3643 			goto out;
3644 		break;
3645 	}
3646 	rc = 0;
3647 out:
3648 	rcu_read_unlock();
3649 
3650 	if (rc) {
3651 		selinux_audit_rule_free(tmprule);
3652 		tmprule = NULL;
3653 	}
3654 
3655 	*rule = tmprule;
3656 
3657 	return rc;
3658 }
3659 
3660 /* Check to see if the rule contains any selinux fields */
3661 int selinux_audit_rule_known(struct audit_krule *rule)
3662 {
3663 	int i;
3664 
3665 	for (i = 0; i < rule->field_count; i++) {
3666 		struct audit_field *f = &rule->fields[i];
3667 		switch (f->type) {
3668 		case AUDIT_SUBJ_USER:
3669 		case AUDIT_SUBJ_ROLE:
3670 		case AUDIT_SUBJ_TYPE:
3671 		case AUDIT_SUBJ_SEN:
3672 		case AUDIT_SUBJ_CLR:
3673 		case AUDIT_OBJ_USER:
3674 		case AUDIT_OBJ_ROLE:
3675 		case AUDIT_OBJ_TYPE:
3676 		case AUDIT_OBJ_LEV_LOW:
3677 		case AUDIT_OBJ_LEV_HIGH:
3678 			return 1;
3679 		}
3680 	}
3681 
3682 	return 0;
3683 }
3684 
3685 int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule)
3686 {
3687 	struct selinux_state *state = &selinux_state;
3688 	struct selinux_policy *policy;
3689 	struct context *ctxt;
3690 	struct mls_level *level;
3691 	struct selinux_audit_rule *rule = vrule;
3692 	int match = 0;
3693 
3694 	if (unlikely(!rule)) {
3695 		WARN_ONCE(1, "selinux_audit_rule_match: missing rule\n");
3696 		return -ENOENT;
3697 	}
3698 
3699 	if (!selinux_initialized(state))
3700 		return 0;
3701 
3702 	rcu_read_lock();
3703 
3704 	policy = rcu_dereference(state->policy);
3705 
3706 	if (rule->au_seqno < policy->latest_granting) {
3707 		match = -ESTALE;
3708 		goto out;
3709 	}
3710 
3711 	ctxt = sidtab_search(policy->sidtab, sid);
3712 	if (unlikely(!ctxt)) {
3713 		WARN_ONCE(1, "selinux_audit_rule_match: unrecognized SID %d\n",
3714 			  sid);
3715 		match = -ENOENT;
3716 		goto out;
3717 	}
3718 
3719 	/* a field/op pair that is not caught here will simply fall through
3720 	   without a match */
3721 	switch (field) {
3722 	case AUDIT_SUBJ_USER:
3723 	case AUDIT_OBJ_USER:
3724 		switch (op) {
3725 		case Audit_equal:
3726 			match = (ctxt->user == rule->au_ctxt.user);
3727 			break;
3728 		case Audit_not_equal:
3729 			match = (ctxt->user != rule->au_ctxt.user);
3730 			break;
3731 		}
3732 		break;
3733 	case AUDIT_SUBJ_ROLE:
3734 	case AUDIT_OBJ_ROLE:
3735 		switch (op) {
3736 		case Audit_equal:
3737 			match = (ctxt->role == rule->au_ctxt.role);
3738 			break;
3739 		case Audit_not_equal:
3740 			match = (ctxt->role != rule->au_ctxt.role);
3741 			break;
3742 		}
3743 		break;
3744 	case AUDIT_SUBJ_TYPE:
3745 	case AUDIT_OBJ_TYPE:
3746 		switch (op) {
3747 		case Audit_equal:
3748 			match = (ctxt->type == rule->au_ctxt.type);
3749 			break;
3750 		case Audit_not_equal:
3751 			match = (ctxt->type != rule->au_ctxt.type);
3752 			break;
3753 		}
3754 		break;
3755 	case AUDIT_SUBJ_SEN:
3756 	case AUDIT_SUBJ_CLR:
3757 	case AUDIT_OBJ_LEV_LOW:
3758 	case AUDIT_OBJ_LEV_HIGH:
3759 		level = ((field == AUDIT_SUBJ_SEN ||
3760 			  field == AUDIT_OBJ_LEV_LOW) ?
3761 			 &ctxt->range.level[0] : &ctxt->range.level[1]);
3762 		switch (op) {
3763 		case Audit_equal:
3764 			match = mls_level_eq(&rule->au_ctxt.range.level[0],
3765 					     level);
3766 			break;
3767 		case Audit_not_equal:
3768 			match = !mls_level_eq(&rule->au_ctxt.range.level[0],
3769 					      level);
3770 			break;
3771 		case Audit_lt:
3772 			match = (mls_level_dom(&rule->au_ctxt.range.level[0],
3773 					       level) &&
3774 				 !mls_level_eq(&rule->au_ctxt.range.level[0],
3775 					       level));
3776 			break;
3777 		case Audit_le:
3778 			match = mls_level_dom(&rule->au_ctxt.range.level[0],
3779 					      level);
3780 			break;
3781 		case Audit_gt:
3782 			match = (mls_level_dom(level,
3783 					      &rule->au_ctxt.range.level[0]) &&
3784 				 !mls_level_eq(level,
3785 					       &rule->au_ctxt.range.level[0]));
3786 			break;
3787 		case Audit_ge:
3788 			match = mls_level_dom(level,
3789 					      &rule->au_ctxt.range.level[0]);
3790 			break;
3791 		}
3792 	}
3793 
3794 out:
3795 	rcu_read_unlock();
3796 	return match;
3797 }
3798 
3799 static int aurule_avc_callback(u32 event)
3800 {
3801 	if (event == AVC_CALLBACK_RESET)
3802 		return audit_update_lsm_rules();
3803 	return 0;
3804 }
3805 
3806 static int __init aurule_init(void)
3807 {
3808 	int err;
3809 
3810 	err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET);
3811 	if (err)
3812 		panic("avc_add_callback() failed, error %d\n", err);
3813 
3814 	return err;
3815 }
3816 __initcall(aurule_init);
3817 
3818 #ifdef CONFIG_NETLABEL
3819 /**
3820  * security_netlbl_cache_add - Add an entry to the NetLabel cache
3821  * @secattr: the NetLabel packet security attributes
3822  * @sid: the SELinux SID
3823  *
3824  * Description:
3825  * Attempt to cache the context in @ctx, which was derived from the packet in
3826  * @skb, in the NetLabel subsystem cache.  This function assumes @secattr has
3827  * already been initialized.
3828  *
3829  */
3830 static void security_netlbl_cache_add(struct netlbl_lsm_secattr *secattr,
3831 				      u32 sid)
3832 {
3833 	u32 *sid_cache;
3834 
3835 	sid_cache = kmalloc(sizeof(*sid_cache), GFP_ATOMIC);
3836 	if (sid_cache == NULL)
3837 		return;
3838 	secattr->cache = netlbl_secattr_cache_alloc(GFP_ATOMIC);
3839 	if (secattr->cache == NULL) {
3840 		kfree(sid_cache);
3841 		return;
3842 	}
3843 
3844 	*sid_cache = sid;
3845 	secattr->cache->free = kfree;
3846 	secattr->cache->data = sid_cache;
3847 	secattr->flags |= NETLBL_SECATTR_CACHE;
3848 }
3849 
3850 /**
3851  * security_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID
3852  * @state: SELinux state
3853  * @secattr: the NetLabel packet security attributes
3854  * @sid: the SELinux SID
3855  *
3856  * Description:
3857  * Convert the given NetLabel security attributes in @secattr into a
3858  * SELinux SID.  If the @secattr field does not contain a full SELinux
3859  * SID/context then use SECINITSID_NETMSG as the foundation.  If possible the
3860  * 'cache' field of @secattr is set and the CACHE flag is set; this is to
3861  * allow the @secattr to be used by NetLabel to cache the secattr to SID
3862  * conversion for future lookups.  Returns zero on success, negative values on
3863  * failure.
3864  *
3865  */
3866 int security_netlbl_secattr_to_sid(struct selinux_state *state,
3867 				   struct netlbl_lsm_secattr *secattr,
3868 				   u32 *sid)
3869 {
3870 	struct selinux_policy *policy;
3871 	struct policydb *policydb;
3872 	struct sidtab *sidtab;
3873 	int rc;
3874 	struct context *ctx;
3875 	struct context ctx_new;
3876 
3877 	if (!selinux_initialized(state)) {
3878 		*sid = SECSID_NULL;
3879 		return 0;
3880 	}
3881 
3882 retry:
3883 	rc = 0;
3884 	rcu_read_lock();
3885 	policy = rcu_dereference(state->policy);
3886 	policydb = &policy->policydb;
3887 	sidtab = policy->sidtab;
3888 
3889 	if (secattr->flags & NETLBL_SECATTR_CACHE)
3890 		*sid = *(u32 *)secattr->cache->data;
3891 	else if (secattr->flags & NETLBL_SECATTR_SECID)
3892 		*sid = secattr->attr.secid;
3893 	else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) {
3894 		rc = -EIDRM;
3895 		ctx = sidtab_search(sidtab, SECINITSID_NETMSG);
3896 		if (ctx == NULL)
3897 			goto out;
3898 
3899 		context_init(&ctx_new);
3900 		ctx_new.user = ctx->user;
3901 		ctx_new.role = ctx->role;
3902 		ctx_new.type = ctx->type;
3903 		mls_import_netlbl_lvl(policydb, &ctx_new, secattr);
3904 		if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {
3905 			rc = mls_import_netlbl_cat(policydb, &ctx_new, secattr);
3906 			if (rc)
3907 				goto out;
3908 		}
3909 		rc = -EIDRM;
3910 		if (!mls_context_isvalid(policydb, &ctx_new)) {
3911 			ebitmap_destroy(&ctx_new.range.level[0].cat);
3912 			goto out;
3913 		}
3914 
3915 		rc = sidtab_context_to_sid(sidtab, &ctx_new, sid);
3916 		ebitmap_destroy(&ctx_new.range.level[0].cat);
3917 		if (rc == -ESTALE) {
3918 			rcu_read_unlock();
3919 			goto retry;
3920 		}
3921 		if (rc)
3922 			goto out;
3923 
3924 		security_netlbl_cache_add(secattr, *sid);
3925 	} else
3926 		*sid = SECSID_NULL;
3927 
3928 out:
3929 	rcu_read_unlock();
3930 	return rc;
3931 }
3932 
3933 /**
3934  * security_netlbl_sid_to_secattr - Convert a SELinux SID to a NetLabel secattr
3935  * @state: SELinux state
3936  * @sid: the SELinux SID
3937  * @secattr: the NetLabel packet security attributes
3938  *
3939  * Description:
3940  * Convert the given SELinux SID in @sid into a NetLabel security attribute.
3941  * Returns zero on success, negative values on failure.
3942  *
3943  */
3944 int security_netlbl_sid_to_secattr(struct selinux_state *state,
3945 				   u32 sid, struct netlbl_lsm_secattr *secattr)
3946 {
3947 	struct selinux_policy *policy;
3948 	struct policydb *policydb;
3949 	int rc;
3950 	struct context *ctx;
3951 
3952 	if (!selinux_initialized(state))
3953 		return 0;
3954 
3955 	rcu_read_lock();
3956 	policy = rcu_dereference(state->policy);
3957 	policydb = &policy->policydb;
3958 
3959 	rc = -ENOENT;
3960 	ctx = sidtab_search(policy->sidtab, sid);
3961 	if (ctx == NULL)
3962 		goto out;
3963 
3964 	rc = -ENOMEM;
3965 	secattr->domain = kstrdup(sym_name(policydb, SYM_TYPES, ctx->type - 1),
3966 				  GFP_ATOMIC);
3967 	if (secattr->domain == NULL)
3968 		goto out;
3969 
3970 	secattr->attr.secid = sid;
3971 	secattr->flags |= NETLBL_SECATTR_DOMAIN_CPY | NETLBL_SECATTR_SECID;
3972 	mls_export_netlbl_lvl(policydb, ctx, secattr);
3973 	rc = mls_export_netlbl_cat(policydb, ctx, secattr);
3974 out:
3975 	rcu_read_unlock();
3976 	return rc;
3977 }
3978 #endif /* CONFIG_NETLABEL */
3979 
3980 /**
3981  * __security_read_policy - read the policy.
3982  * @policy: SELinux policy
3983  * @data: binary policy data
3984  * @len: length of data in bytes
3985  *
3986  */
3987 static int __security_read_policy(struct selinux_policy *policy,
3988 				  void *data, size_t *len)
3989 {
3990 	int rc;
3991 	struct policy_file fp;
3992 
3993 	fp.data = data;
3994 	fp.len = *len;
3995 
3996 	rc = policydb_write(&policy->policydb, &fp);
3997 	if (rc)
3998 		return rc;
3999 
4000 	*len = (unsigned long)fp.data - (unsigned long)data;
4001 	return 0;
4002 }
4003 
4004 /**
4005  * security_read_policy - read the policy.
4006  * @state: selinux_state
4007  * @data: binary policy data
4008  * @len: length of data in bytes
4009  *
4010  */
4011 int security_read_policy(struct selinux_state *state,
4012 			 void **data, size_t *len)
4013 {
4014 	struct selinux_policy *policy;
4015 
4016 	policy = rcu_dereference_protected(
4017 			state->policy, lockdep_is_held(&state->policy_mutex));
4018 	if (!policy)
4019 		return -EINVAL;
4020 
4021 	*len = policy->policydb.len;
4022 	*data = vmalloc_user(*len);
4023 	if (!*data)
4024 		return -ENOMEM;
4025 
4026 	return __security_read_policy(policy, *data, len);
4027 }
4028 
4029 /**
4030  * security_read_state_kernel - read the policy.
4031  * @state: selinux_state
4032  * @data: binary policy data
4033  * @len: length of data in bytes
4034  *
4035  * Allocates kernel memory for reading SELinux policy.
4036  * This function is for internal use only and should not
4037  * be used for returning data to user space.
4038  *
4039  * This function must be called with policy_mutex held.
4040  */
4041 int security_read_state_kernel(struct selinux_state *state,
4042 			       void **data, size_t *len)
4043 {
4044 	int err;
4045 	struct selinux_policy *policy;
4046 
4047 	policy = rcu_dereference_protected(
4048 			state->policy, lockdep_is_held(&state->policy_mutex));
4049 	if (!policy)
4050 		return -EINVAL;
4051 
4052 	*len = policy->policydb.len;
4053 	*data = vmalloc(*len);
4054 	if (!*data)
4055 		return -ENOMEM;
4056 
4057 	err = __security_read_policy(policy, *data, len);
4058 	if (err) {
4059 		vfree(*data);
4060 		*data = NULL;
4061 		*len = 0;
4062 	}
4063 	return err;
4064 }
4065