1 /* 2 * Implementation of the security services. 3 * 4 * Authors : Stephen Smalley, <sds@epoch.ncsc.mil> 5 * James Morris <jmorris@redhat.com> 6 * 7 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> 8 * 9 * Support for enhanced MLS infrastructure. 10 * Support for context based audit filters. 11 * 12 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> 13 * 14 * Added conditional policy language extensions 15 * 16 * Updated: Hewlett-Packard <paul.moore@hp.com> 17 * 18 * Added support for NetLabel 19 * 20 * Updated: Chad Sellers <csellers@tresys.com> 21 * 22 * Added validation of kernel classes and permissions 23 * 24 * Copyright (C) 2006 Hewlett-Packard Development Company, L.P. 25 * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc. 26 * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC 27 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> 28 * This program is free software; you can redistribute it and/or modify 29 * it under the terms of the GNU General Public License as published by 30 * the Free Software Foundation, version 2. 31 */ 32 #include <linux/kernel.h> 33 #include <linux/slab.h> 34 #include <linux/string.h> 35 #include <linux/spinlock.h> 36 #include <linux/rcupdate.h> 37 #include <linux/errno.h> 38 #include <linux/in.h> 39 #include <linux/sched.h> 40 #include <linux/audit.h> 41 #include <linux/mutex.h> 42 #include <net/netlabel.h> 43 44 #include "flask.h" 45 #include "avc.h" 46 #include "avc_ss.h" 47 #include "security.h" 48 #include "context.h" 49 #include "policydb.h" 50 #include "sidtab.h" 51 #include "services.h" 52 #include "conditional.h" 53 #include "mls.h" 54 #include "objsec.h" 55 #include "netlabel.h" 56 #include "xfrm.h" 57 #include "ebitmap.h" 58 59 extern void selnl_notify_policyload(u32 seqno); 60 unsigned int policydb_loaded_version; 61 62 /* 63 * This is declared in avc.c 64 */ 65 extern const struct selinux_class_perm selinux_class_perm; 66 67 static DEFINE_RWLOCK(policy_rwlock); 68 #define POLICY_RDLOCK read_lock(&policy_rwlock) 69 #define POLICY_WRLOCK write_lock_irq(&policy_rwlock) 70 #define POLICY_RDUNLOCK read_unlock(&policy_rwlock) 71 #define POLICY_WRUNLOCK write_unlock_irq(&policy_rwlock) 72 73 static DEFINE_MUTEX(load_mutex); 74 #define LOAD_LOCK mutex_lock(&load_mutex) 75 #define LOAD_UNLOCK mutex_unlock(&load_mutex) 76 77 static struct sidtab sidtab; 78 struct policydb policydb; 79 int ss_initialized = 0; 80 81 /* 82 * The largest sequence number that has been used when 83 * providing an access decision to the access vector cache. 84 * The sequence number only changes when a policy change 85 * occurs. 86 */ 87 static u32 latest_granting = 0; 88 89 /* Forward declaration. */ 90 static int context_struct_to_string(struct context *context, char **scontext, 91 u32 *scontext_len); 92 93 /* 94 * Return the boolean value of a constraint expression 95 * when it is applied to the specified source and target 96 * security contexts. 97 * 98 * xcontext is a special beast... It is used by the validatetrans rules 99 * only. For these rules, scontext is the context before the transition, 100 * tcontext is the context after the transition, and xcontext is the context 101 * of the process performing the transition. All other callers of 102 * constraint_expr_eval should pass in NULL for xcontext. 103 */ 104 static int constraint_expr_eval(struct context *scontext, 105 struct context *tcontext, 106 struct context *xcontext, 107 struct constraint_expr *cexpr) 108 { 109 u32 val1, val2; 110 struct context *c; 111 struct role_datum *r1, *r2; 112 struct mls_level *l1, *l2; 113 struct constraint_expr *e; 114 int s[CEXPR_MAXDEPTH]; 115 int sp = -1; 116 117 for (e = cexpr; e; e = e->next) { 118 switch (e->expr_type) { 119 case CEXPR_NOT: 120 BUG_ON(sp < 0); 121 s[sp] = !s[sp]; 122 break; 123 case CEXPR_AND: 124 BUG_ON(sp < 1); 125 sp--; 126 s[sp] &= s[sp+1]; 127 break; 128 case CEXPR_OR: 129 BUG_ON(sp < 1); 130 sp--; 131 s[sp] |= s[sp+1]; 132 break; 133 case CEXPR_ATTR: 134 if (sp == (CEXPR_MAXDEPTH-1)) 135 return 0; 136 switch (e->attr) { 137 case CEXPR_USER: 138 val1 = scontext->user; 139 val2 = tcontext->user; 140 break; 141 case CEXPR_TYPE: 142 val1 = scontext->type; 143 val2 = tcontext->type; 144 break; 145 case CEXPR_ROLE: 146 val1 = scontext->role; 147 val2 = tcontext->role; 148 r1 = policydb.role_val_to_struct[val1 - 1]; 149 r2 = policydb.role_val_to_struct[val2 - 1]; 150 switch (e->op) { 151 case CEXPR_DOM: 152 s[++sp] = ebitmap_get_bit(&r1->dominates, 153 val2 - 1); 154 continue; 155 case CEXPR_DOMBY: 156 s[++sp] = ebitmap_get_bit(&r2->dominates, 157 val1 - 1); 158 continue; 159 case CEXPR_INCOMP: 160 s[++sp] = ( !ebitmap_get_bit(&r1->dominates, 161 val2 - 1) && 162 !ebitmap_get_bit(&r2->dominates, 163 val1 - 1) ); 164 continue; 165 default: 166 break; 167 } 168 break; 169 case CEXPR_L1L2: 170 l1 = &(scontext->range.level[0]); 171 l2 = &(tcontext->range.level[0]); 172 goto mls_ops; 173 case CEXPR_L1H2: 174 l1 = &(scontext->range.level[0]); 175 l2 = &(tcontext->range.level[1]); 176 goto mls_ops; 177 case CEXPR_H1L2: 178 l1 = &(scontext->range.level[1]); 179 l2 = &(tcontext->range.level[0]); 180 goto mls_ops; 181 case CEXPR_H1H2: 182 l1 = &(scontext->range.level[1]); 183 l2 = &(tcontext->range.level[1]); 184 goto mls_ops; 185 case CEXPR_L1H1: 186 l1 = &(scontext->range.level[0]); 187 l2 = &(scontext->range.level[1]); 188 goto mls_ops; 189 case CEXPR_L2H2: 190 l1 = &(tcontext->range.level[0]); 191 l2 = &(tcontext->range.level[1]); 192 goto mls_ops; 193 mls_ops: 194 switch (e->op) { 195 case CEXPR_EQ: 196 s[++sp] = mls_level_eq(l1, l2); 197 continue; 198 case CEXPR_NEQ: 199 s[++sp] = !mls_level_eq(l1, l2); 200 continue; 201 case CEXPR_DOM: 202 s[++sp] = mls_level_dom(l1, l2); 203 continue; 204 case CEXPR_DOMBY: 205 s[++sp] = mls_level_dom(l2, l1); 206 continue; 207 case CEXPR_INCOMP: 208 s[++sp] = mls_level_incomp(l2, l1); 209 continue; 210 default: 211 BUG(); 212 return 0; 213 } 214 break; 215 default: 216 BUG(); 217 return 0; 218 } 219 220 switch (e->op) { 221 case CEXPR_EQ: 222 s[++sp] = (val1 == val2); 223 break; 224 case CEXPR_NEQ: 225 s[++sp] = (val1 != val2); 226 break; 227 default: 228 BUG(); 229 return 0; 230 } 231 break; 232 case CEXPR_NAMES: 233 if (sp == (CEXPR_MAXDEPTH-1)) 234 return 0; 235 c = scontext; 236 if (e->attr & CEXPR_TARGET) 237 c = tcontext; 238 else if (e->attr & CEXPR_XTARGET) { 239 c = xcontext; 240 if (!c) { 241 BUG(); 242 return 0; 243 } 244 } 245 if (e->attr & CEXPR_USER) 246 val1 = c->user; 247 else if (e->attr & CEXPR_ROLE) 248 val1 = c->role; 249 else if (e->attr & CEXPR_TYPE) 250 val1 = c->type; 251 else { 252 BUG(); 253 return 0; 254 } 255 256 switch (e->op) { 257 case CEXPR_EQ: 258 s[++sp] = ebitmap_get_bit(&e->names, val1 - 1); 259 break; 260 case CEXPR_NEQ: 261 s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1); 262 break; 263 default: 264 BUG(); 265 return 0; 266 } 267 break; 268 default: 269 BUG(); 270 return 0; 271 } 272 } 273 274 BUG_ON(sp != 0); 275 return s[0]; 276 } 277 278 /* 279 * Compute access vectors based on a context structure pair for 280 * the permissions in a particular class. 281 */ 282 static int context_struct_compute_av(struct context *scontext, 283 struct context *tcontext, 284 u16 tclass, 285 u32 requested, 286 struct av_decision *avd) 287 { 288 struct constraint_node *constraint; 289 struct role_allow *ra; 290 struct avtab_key avkey; 291 struct avtab_node *node; 292 struct class_datum *tclass_datum; 293 struct ebitmap *sattr, *tattr; 294 struct ebitmap_node *snode, *tnode; 295 unsigned int i, j; 296 297 /* 298 * Remap extended Netlink classes for old policy versions. 299 * Do this here rather than socket_type_to_security_class() 300 * in case a newer policy version is loaded, allowing sockets 301 * to remain in the correct class. 302 */ 303 if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS) 304 if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET && 305 tclass <= SECCLASS_NETLINK_DNRT_SOCKET) 306 tclass = SECCLASS_NETLINK_SOCKET; 307 308 if (!tclass || tclass > policydb.p_classes.nprim) { 309 printk(KERN_ERR "security_compute_av: unrecognized class %d\n", 310 tclass); 311 return -EINVAL; 312 } 313 tclass_datum = policydb.class_val_to_struct[tclass - 1]; 314 315 /* 316 * Initialize the access vectors to the default values. 317 */ 318 avd->allowed = 0; 319 avd->decided = 0xffffffff; 320 avd->auditallow = 0; 321 avd->auditdeny = 0xffffffff; 322 avd->seqno = latest_granting; 323 324 /* 325 * If a specific type enforcement rule was defined for 326 * this permission check, then use it. 327 */ 328 avkey.target_class = tclass; 329 avkey.specified = AVTAB_AV; 330 sattr = &policydb.type_attr_map[scontext->type - 1]; 331 tattr = &policydb.type_attr_map[tcontext->type - 1]; 332 ebitmap_for_each_bit(sattr, snode, i) { 333 if (!ebitmap_node_get_bit(snode, i)) 334 continue; 335 ebitmap_for_each_bit(tattr, tnode, j) { 336 if (!ebitmap_node_get_bit(tnode, j)) 337 continue; 338 avkey.source_type = i + 1; 339 avkey.target_type = j + 1; 340 for (node = avtab_search_node(&policydb.te_avtab, &avkey); 341 node != NULL; 342 node = avtab_search_node_next(node, avkey.specified)) { 343 if (node->key.specified == AVTAB_ALLOWED) 344 avd->allowed |= node->datum.data; 345 else if (node->key.specified == AVTAB_AUDITALLOW) 346 avd->auditallow |= node->datum.data; 347 else if (node->key.specified == AVTAB_AUDITDENY) 348 avd->auditdeny &= node->datum.data; 349 } 350 351 /* Check conditional av table for additional permissions */ 352 cond_compute_av(&policydb.te_cond_avtab, &avkey, avd); 353 354 } 355 } 356 357 /* 358 * Remove any permissions prohibited by a constraint (this includes 359 * the MLS policy). 360 */ 361 constraint = tclass_datum->constraints; 362 while (constraint) { 363 if ((constraint->permissions & (avd->allowed)) && 364 !constraint_expr_eval(scontext, tcontext, NULL, 365 constraint->expr)) { 366 avd->allowed = (avd->allowed) & ~(constraint->permissions); 367 } 368 constraint = constraint->next; 369 } 370 371 /* 372 * If checking process transition permission and the 373 * role is changing, then check the (current_role, new_role) 374 * pair. 375 */ 376 if (tclass == SECCLASS_PROCESS && 377 (avd->allowed & (PROCESS__TRANSITION | PROCESS__DYNTRANSITION)) && 378 scontext->role != tcontext->role) { 379 for (ra = policydb.role_allow; ra; ra = ra->next) { 380 if (scontext->role == ra->role && 381 tcontext->role == ra->new_role) 382 break; 383 } 384 if (!ra) 385 avd->allowed = (avd->allowed) & ~(PROCESS__TRANSITION | 386 PROCESS__DYNTRANSITION); 387 } 388 389 return 0; 390 } 391 392 static int security_validtrans_handle_fail(struct context *ocontext, 393 struct context *ncontext, 394 struct context *tcontext, 395 u16 tclass) 396 { 397 char *o = NULL, *n = NULL, *t = NULL; 398 u32 olen, nlen, tlen; 399 400 if (context_struct_to_string(ocontext, &o, &olen) < 0) 401 goto out; 402 if (context_struct_to_string(ncontext, &n, &nlen) < 0) 403 goto out; 404 if (context_struct_to_string(tcontext, &t, &tlen) < 0) 405 goto out; 406 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, 407 "security_validate_transition: denied for" 408 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s", 409 o, n, t, policydb.p_class_val_to_name[tclass-1]); 410 out: 411 kfree(o); 412 kfree(n); 413 kfree(t); 414 415 if (!selinux_enforcing) 416 return 0; 417 return -EPERM; 418 } 419 420 int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, 421 u16 tclass) 422 { 423 struct context *ocontext; 424 struct context *ncontext; 425 struct context *tcontext; 426 struct class_datum *tclass_datum; 427 struct constraint_node *constraint; 428 int rc = 0; 429 430 if (!ss_initialized) 431 return 0; 432 433 POLICY_RDLOCK; 434 435 /* 436 * Remap extended Netlink classes for old policy versions. 437 * Do this here rather than socket_type_to_security_class() 438 * in case a newer policy version is loaded, allowing sockets 439 * to remain in the correct class. 440 */ 441 if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS) 442 if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET && 443 tclass <= SECCLASS_NETLINK_DNRT_SOCKET) 444 tclass = SECCLASS_NETLINK_SOCKET; 445 446 if (!tclass || tclass > policydb.p_classes.nprim) { 447 printk(KERN_ERR "security_validate_transition: " 448 "unrecognized class %d\n", tclass); 449 rc = -EINVAL; 450 goto out; 451 } 452 tclass_datum = policydb.class_val_to_struct[tclass - 1]; 453 454 ocontext = sidtab_search(&sidtab, oldsid); 455 if (!ocontext) { 456 printk(KERN_ERR "security_validate_transition: " 457 " unrecognized SID %d\n", oldsid); 458 rc = -EINVAL; 459 goto out; 460 } 461 462 ncontext = sidtab_search(&sidtab, newsid); 463 if (!ncontext) { 464 printk(KERN_ERR "security_validate_transition: " 465 " unrecognized SID %d\n", newsid); 466 rc = -EINVAL; 467 goto out; 468 } 469 470 tcontext = sidtab_search(&sidtab, tasksid); 471 if (!tcontext) { 472 printk(KERN_ERR "security_validate_transition: " 473 " unrecognized SID %d\n", tasksid); 474 rc = -EINVAL; 475 goto out; 476 } 477 478 constraint = tclass_datum->validatetrans; 479 while (constraint) { 480 if (!constraint_expr_eval(ocontext, ncontext, tcontext, 481 constraint->expr)) { 482 rc = security_validtrans_handle_fail(ocontext, ncontext, 483 tcontext, tclass); 484 goto out; 485 } 486 constraint = constraint->next; 487 } 488 489 out: 490 POLICY_RDUNLOCK; 491 return rc; 492 } 493 494 /** 495 * security_compute_av - Compute access vector decisions. 496 * @ssid: source security identifier 497 * @tsid: target security identifier 498 * @tclass: target security class 499 * @requested: requested permissions 500 * @avd: access vector decisions 501 * 502 * Compute a set of access vector decisions based on the 503 * SID pair (@ssid, @tsid) for the permissions in @tclass. 504 * Return -%EINVAL if any of the parameters are invalid or %0 505 * if the access vector decisions were computed successfully. 506 */ 507 int security_compute_av(u32 ssid, 508 u32 tsid, 509 u16 tclass, 510 u32 requested, 511 struct av_decision *avd) 512 { 513 struct context *scontext = NULL, *tcontext = NULL; 514 int rc = 0; 515 516 if (!ss_initialized) { 517 avd->allowed = 0xffffffff; 518 avd->decided = 0xffffffff; 519 avd->auditallow = 0; 520 avd->auditdeny = 0xffffffff; 521 avd->seqno = latest_granting; 522 return 0; 523 } 524 525 POLICY_RDLOCK; 526 527 scontext = sidtab_search(&sidtab, ssid); 528 if (!scontext) { 529 printk(KERN_ERR "security_compute_av: unrecognized SID %d\n", 530 ssid); 531 rc = -EINVAL; 532 goto out; 533 } 534 tcontext = sidtab_search(&sidtab, tsid); 535 if (!tcontext) { 536 printk(KERN_ERR "security_compute_av: unrecognized SID %d\n", 537 tsid); 538 rc = -EINVAL; 539 goto out; 540 } 541 542 rc = context_struct_compute_av(scontext, tcontext, tclass, 543 requested, avd); 544 out: 545 POLICY_RDUNLOCK; 546 return rc; 547 } 548 549 /* 550 * Write the security context string representation of 551 * the context structure `context' into a dynamically 552 * allocated string of the correct size. Set `*scontext' 553 * to point to this string and set `*scontext_len' to 554 * the length of the string. 555 */ 556 static int context_struct_to_string(struct context *context, char **scontext, u32 *scontext_len) 557 { 558 char *scontextp; 559 560 *scontext = NULL; 561 *scontext_len = 0; 562 563 /* Compute the size of the context. */ 564 *scontext_len += strlen(policydb.p_user_val_to_name[context->user - 1]) + 1; 565 *scontext_len += strlen(policydb.p_role_val_to_name[context->role - 1]) + 1; 566 *scontext_len += strlen(policydb.p_type_val_to_name[context->type - 1]) + 1; 567 *scontext_len += mls_compute_context_len(context); 568 569 /* Allocate space for the context; caller must free this space. */ 570 scontextp = kmalloc(*scontext_len, GFP_ATOMIC); 571 if (!scontextp) { 572 return -ENOMEM; 573 } 574 *scontext = scontextp; 575 576 /* 577 * Copy the user name, role name and type name into the context. 578 */ 579 sprintf(scontextp, "%s:%s:%s", 580 policydb.p_user_val_to_name[context->user - 1], 581 policydb.p_role_val_to_name[context->role - 1], 582 policydb.p_type_val_to_name[context->type - 1]); 583 scontextp += strlen(policydb.p_user_val_to_name[context->user - 1]) + 584 1 + strlen(policydb.p_role_val_to_name[context->role - 1]) + 585 1 + strlen(policydb.p_type_val_to_name[context->type - 1]); 586 587 mls_sid_to_context(context, &scontextp); 588 589 *scontextp = 0; 590 591 return 0; 592 } 593 594 #include "initial_sid_to_string.h" 595 596 const char *security_get_initial_sid_context(u32 sid) 597 { 598 if (unlikely(sid > SECINITSID_NUM)) 599 return NULL; 600 return initial_sid_to_string[sid]; 601 } 602 603 /** 604 * security_sid_to_context - Obtain a context for a given SID. 605 * @sid: security identifier, SID 606 * @scontext: security context 607 * @scontext_len: length in bytes 608 * 609 * Write the string representation of the context associated with @sid 610 * into a dynamically allocated string of the correct size. Set @scontext 611 * to point to this string and set @scontext_len to the length of the string. 612 */ 613 int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len) 614 { 615 struct context *context; 616 int rc = 0; 617 618 *scontext = NULL; 619 *scontext_len = 0; 620 621 if (!ss_initialized) { 622 if (sid <= SECINITSID_NUM) { 623 char *scontextp; 624 625 *scontext_len = strlen(initial_sid_to_string[sid]) + 1; 626 scontextp = kmalloc(*scontext_len,GFP_ATOMIC); 627 if (!scontextp) { 628 rc = -ENOMEM; 629 goto out; 630 } 631 strcpy(scontextp, initial_sid_to_string[sid]); 632 *scontext = scontextp; 633 goto out; 634 } 635 printk(KERN_ERR "security_sid_to_context: called before initial " 636 "load_policy on unknown SID %d\n", sid); 637 rc = -EINVAL; 638 goto out; 639 } 640 POLICY_RDLOCK; 641 context = sidtab_search(&sidtab, sid); 642 if (!context) { 643 printk(KERN_ERR "security_sid_to_context: unrecognized SID " 644 "%d\n", sid); 645 rc = -EINVAL; 646 goto out_unlock; 647 } 648 rc = context_struct_to_string(context, scontext, scontext_len); 649 out_unlock: 650 POLICY_RDUNLOCK; 651 out: 652 return rc; 653 654 } 655 656 static int security_context_to_sid_core(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid) 657 { 658 char *scontext2; 659 struct context context; 660 struct role_datum *role; 661 struct type_datum *typdatum; 662 struct user_datum *usrdatum; 663 char *scontextp, *p, oldc; 664 int rc = 0; 665 666 if (!ss_initialized) { 667 int i; 668 669 for (i = 1; i < SECINITSID_NUM; i++) { 670 if (!strcmp(initial_sid_to_string[i], scontext)) { 671 *sid = i; 672 goto out; 673 } 674 } 675 *sid = SECINITSID_KERNEL; 676 goto out; 677 } 678 *sid = SECSID_NULL; 679 680 /* Copy the string so that we can modify the copy as we parse it. 681 The string should already by null terminated, but we append a 682 null suffix to the copy to avoid problems with the existing 683 attr package, which doesn't view the null terminator as part 684 of the attribute value. */ 685 scontext2 = kmalloc(scontext_len+1,GFP_KERNEL); 686 if (!scontext2) { 687 rc = -ENOMEM; 688 goto out; 689 } 690 memcpy(scontext2, scontext, scontext_len); 691 scontext2[scontext_len] = 0; 692 693 context_init(&context); 694 *sid = SECSID_NULL; 695 696 POLICY_RDLOCK; 697 698 /* Parse the security context. */ 699 700 rc = -EINVAL; 701 scontextp = (char *) scontext2; 702 703 /* Extract the user. */ 704 p = scontextp; 705 while (*p && *p != ':') 706 p++; 707 708 if (*p == 0) 709 goto out_unlock; 710 711 *p++ = 0; 712 713 usrdatum = hashtab_search(policydb.p_users.table, scontextp); 714 if (!usrdatum) 715 goto out_unlock; 716 717 context.user = usrdatum->value; 718 719 /* Extract role. */ 720 scontextp = p; 721 while (*p && *p != ':') 722 p++; 723 724 if (*p == 0) 725 goto out_unlock; 726 727 *p++ = 0; 728 729 role = hashtab_search(policydb.p_roles.table, scontextp); 730 if (!role) 731 goto out_unlock; 732 context.role = role->value; 733 734 /* Extract type. */ 735 scontextp = p; 736 while (*p && *p != ':') 737 p++; 738 oldc = *p; 739 *p++ = 0; 740 741 typdatum = hashtab_search(policydb.p_types.table, scontextp); 742 if (!typdatum) 743 goto out_unlock; 744 745 context.type = typdatum->value; 746 747 rc = mls_context_to_sid(oldc, &p, &context, &sidtab, def_sid); 748 if (rc) 749 goto out_unlock; 750 751 if ((p - scontext2) < scontext_len) { 752 rc = -EINVAL; 753 goto out_unlock; 754 } 755 756 /* Check the validity of the new context. */ 757 if (!policydb_context_isvalid(&policydb, &context)) { 758 rc = -EINVAL; 759 goto out_unlock; 760 } 761 /* Obtain the new sid. */ 762 rc = sidtab_context_to_sid(&sidtab, &context, sid); 763 out_unlock: 764 POLICY_RDUNLOCK; 765 context_destroy(&context); 766 kfree(scontext2); 767 out: 768 return rc; 769 } 770 771 /** 772 * security_context_to_sid - Obtain a SID for a given security context. 773 * @scontext: security context 774 * @scontext_len: length in bytes 775 * @sid: security identifier, SID 776 * 777 * Obtains a SID associated with the security context that 778 * has the string representation specified by @scontext. 779 * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient 780 * memory is available, or 0 on success. 781 */ 782 int security_context_to_sid(char *scontext, u32 scontext_len, u32 *sid) 783 { 784 return security_context_to_sid_core(scontext, scontext_len, 785 sid, SECSID_NULL); 786 } 787 788 /** 789 * security_context_to_sid_default - Obtain a SID for a given security context, 790 * falling back to specified default if needed. 791 * 792 * @scontext: security context 793 * @scontext_len: length in bytes 794 * @sid: security identifier, SID 795 * @def_sid: default SID to assign on errror 796 * 797 * Obtains a SID associated with the security context that 798 * has the string representation specified by @scontext. 799 * The default SID is passed to the MLS layer to be used to allow 800 * kernel labeling of the MLS field if the MLS field is not present 801 * (for upgrading to MLS without full relabel). 802 * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient 803 * memory is available, or 0 on success. 804 */ 805 int security_context_to_sid_default(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid) 806 { 807 return security_context_to_sid_core(scontext, scontext_len, 808 sid, def_sid); 809 } 810 811 static int compute_sid_handle_invalid_context( 812 struct context *scontext, 813 struct context *tcontext, 814 u16 tclass, 815 struct context *newcontext) 816 { 817 char *s = NULL, *t = NULL, *n = NULL; 818 u32 slen, tlen, nlen; 819 820 if (context_struct_to_string(scontext, &s, &slen) < 0) 821 goto out; 822 if (context_struct_to_string(tcontext, &t, &tlen) < 0) 823 goto out; 824 if (context_struct_to_string(newcontext, &n, &nlen) < 0) 825 goto out; 826 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, 827 "security_compute_sid: invalid context %s" 828 " for scontext=%s" 829 " tcontext=%s" 830 " tclass=%s", 831 n, s, t, policydb.p_class_val_to_name[tclass-1]); 832 out: 833 kfree(s); 834 kfree(t); 835 kfree(n); 836 if (!selinux_enforcing) 837 return 0; 838 return -EACCES; 839 } 840 841 static int security_compute_sid(u32 ssid, 842 u32 tsid, 843 u16 tclass, 844 u32 specified, 845 u32 *out_sid) 846 { 847 struct context *scontext = NULL, *tcontext = NULL, newcontext; 848 struct role_trans *roletr = NULL; 849 struct avtab_key avkey; 850 struct avtab_datum *avdatum; 851 struct avtab_node *node; 852 int rc = 0; 853 854 if (!ss_initialized) { 855 switch (tclass) { 856 case SECCLASS_PROCESS: 857 *out_sid = ssid; 858 break; 859 default: 860 *out_sid = tsid; 861 break; 862 } 863 goto out; 864 } 865 866 context_init(&newcontext); 867 868 POLICY_RDLOCK; 869 870 scontext = sidtab_search(&sidtab, ssid); 871 if (!scontext) { 872 printk(KERN_ERR "security_compute_sid: unrecognized SID %d\n", 873 ssid); 874 rc = -EINVAL; 875 goto out_unlock; 876 } 877 tcontext = sidtab_search(&sidtab, tsid); 878 if (!tcontext) { 879 printk(KERN_ERR "security_compute_sid: unrecognized SID %d\n", 880 tsid); 881 rc = -EINVAL; 882 goto out_unlock; 883 } 884 885 /* Set the user identity. */ 886 switch (specified) { 887 case AVTAB_TRANSITION: 888 case AVTAB_CHANGE: 889 /* Use the process user identity. */ 890 newcontext.user = scontext->user; 891 break; 892 case AVTAB_MEMBER: 893 /* Use the related object owner. */ 894 newcontext.user = tcontext->user; 895 break; 896 } 897 898 /* Set the role and type to default values. */ 899 switch (tclass) { 900 case SECCLASS_PROCESS: 901 /* Use the current role and type of process. */ 902 newcontext.role = scontext->role; 903 newcontext.type = scontext->type; 904 break; 905 default: 906 /* Use the well-defined object role. */ 907 newcontext.role = OBJECT_R_VAL; 908 /* Use the type of the related object. */ 909 newcontext.type = tcontext->type; 910 } 911 912 /* Look for a type transition/member/change rule. */ 913 avkey.source_type = scontext->type; 914 avkey.target_type = tcontext->type; 915 avkey.target_class = tclass; 916 avkey.specified = specified; 917 avdatum = avtab_search(&policydb.te_avtab, &avkey); 918 919 /* If no permanent rule, also check for enabled conditional rules */ 920 if(!avdatum) { 921 node = avtab_search_node(&policydb.te_cond_avtab, &avkey); 922 for (; node != NULL; node = avtab_search_node_next(node, specified)) { 923 if (node->key.specified & AVTAB_ENABLED) { 924 avdatum = &node->datum; 925 break; 926 } 927 } 928 } 929 930 if (avdatum) { 931 /* Use the type from the type transition/member/change rule. */ 932 newcontext.type = avdatum->data; 933 } 934 935 /* Check for class-specific changes. */ 936 switch (tclass) { 937 case SECCLASS_PROCESS: 938 if (specified & AVTAB_TRANSITION) { 939 /* Look for a role transition rule. */ 940 for (roletr = policydb.role_tr; roletr; 941 roletr = roletr->next) { 942 if (roletr->role == scontext->role && 943 roletr->type == tcontext->type) { 944 /* Use the role transition rule. */ 945 newcontext.role = roletr->new_role; 946 break; 947 } 948 } 949 } 950 break; 951 default: 952 break; 953 } 954 955 /* Set the MLS attributes. 956 This is done last because it may allocate memory. */ 957 rc = mls_compute_sid(scontext, tcontext, tclass, specified, &newcontext); 958 if (rc) 959 goto out_unlock; 960 961 /* Check the validity of the context. */ 962 if (!policydb_context_isvalid(&policydb, &newcontext)) { 963 rc = compute_sid_handle_invalid_context(scontext, 964 tcontext, 965 tclass, 966 &newcontext); 967 if (rc) 968 goto out_unlock; 969 } 970 /* Obtain the sid for the context. */ 971 rc = sidtab_context_to_sid(&sidtab, &newcontext, out_sid); 972 out_unlock: 973 POLICY_RDUNLOCK; 974 context_destroy(&newcontext); 975 out: 976 return rc; 977 } 978 979 /** 980 * security_transition_sid - Compute the SID for a new subject/object. 981 * @ssid: source security identifier 982 * @tsid: target security identifier 983 * @tclass: target security class 984 * @out_sid: security identifier for new subject/object 985 * 986 * Compute a SID to use for labeling a new subject or object in the 987 * class @tclass based on a SID pair (@ssid, @tsid). 988 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM 989 * if insufficient memory is available, or %0 if the new SID was 990 * computed successfully. 991 */ 992 int security_transition_sid(u32 ssid, 993 u32 tsid, 994 u16 tclass, 995 u32 *out_sid) 996 { 997 return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, out_sid); 998 } 999 1000 /** 1001 * security_member_sid - Compute the SID for member selection. 1002 * @ssid: source security identifier 1003 * @tsid: target security identifier 1004 * @tclass: target security class 1005 * @out_sid: security identifier for selected member 1006 * 1007 * Compute a SID to use when selecting a member of a polyinstantiated 1008 * object of class @tclass based on a SID pair (@ssid, @tsid). 1009 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM 1010 * if insufficient memory is available, or %0 if the SID was 1011 * computed successfully. 1012 */ 1013 int security_member_sid(u32 ssid, 1014 u32 tsid, 1015 u16 tclass, 1016 u32 *out_sid) 1017 { 1018 return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid); 1019 } 1020 1021 /** 1022 * security_change_sid - Compute the SID for object relabeling. 1023 * @ssid: source security identifier 1024 * @tsid: target security identifier 1025 * @tclass: target security class 1026 * @out_sid: security identifier for selected member 1027 * 1028 * Compute a SID to use for relabeling an object of class @tclass 1029 * based on a SID pair (@ssid, @tsid). 1030 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM 1031 * if insufficient memory is available, or %0 if the SID was 1032 * computed successfully. 1033 */ 1034 int security_change_sid(u32 ssid, 1035 u32 tsid, 1036 u16 tclass, 1037 u32 *out_sid) 1038 { 1039 return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid); 1040 } 1041 1042 /* 1043 * Verify that each kernel class that is defined in the 1044 * policy is correct 1045 */ 1046 static int validate_classes(struct policydb *p) 1047 { 1048 int i, j; 1049 struct class_datum *cladatum; 1050 struct perm_datum *perdatum; 1051 u32 nprim, tmp, common_pts_len, perm_val, pol_val; 1052 u16 class_val; 1053 const struct selinux_class_perm *kdefs = &selinux_class_perm; 1054 const char *def_class, *def_perm, *pol_class; 1055 struct symtab *perms; 1056 1057 for (i = 1; i < kdefs->cts_len; i++) { 1058 def_class = kdefs->class_to_string[i]; 1059 if (!def_class) 1060 continue; 1061 if (i > p->p_classes.nprim) { 1062 printk(KERN_INFO 1063 "security: class %s not defined in policy\n", 1064 def_class); 1065 continue; 1066 } 1067 pol_class = p->p_class_val_to_name[i-1]; 1068 if (strcmp(pol_class, def_class)) { 1069 printk(KERN_ERR 1070 "security: class %d is incorrect, found %s but should be %s\n", 1071 i, pol_class, def_class); 1072 return -EINVAL; 1073 } 1074 } 1075 for (i = 0; i < kdefs->av_pts_len; i++) { 1076 class_val = kdefs->av_perm_to_string[i].tclass; 1077 perm_val = kdefs->av_perm_to_string[i].value; 1078 def_perm = kdefs->av_perm_to_string[i].name; 1079 if (class_val > p->p_classes.nprim) 1080 continue; 1081 pol_class = p->p_class_val_to_name[class_val-1]; 1082 cladatum = hashtab_search(p->p_classes.table, pol_class); 1083 BUG_ON(!cladatum); 1084 perms = &cladatum->permissions; 1085 nprim = 1 << (perms->nprim - 1); 1086 if (perm_val > nprim) { 1087 printk(KERN_INFO 1088 "security: permission %s in class %s not defined in policy\n", 1089 def_perm, pol_class); 1090 continue; 1091 } 1092 perdatum = hashtab_search(perms->table, def_perm); 1093 if (perdatum == NULL) { 1094 printk(KERN_ERR 1095 "security: permission %s in class %s not found in policy\n", 1096 def_perm, pol_class); 1097 return -EINVAL; 1098 } 1099 pol_val = 1 << (perdatum->value - 1); 1100 if (pol_val != perm_val) { 1101 printk(KERN_ERR 1102 "security: permission %s in class %s has incorrect value\n", 1103 def_perm, pol_class); 1104 return -EINVAL; 1105 } 1106 } 1107 for (i = 0; i < kdefs->av_inherit_len; i++) { 1108 class_val = kdefs->av_inherit[i].tclass; 1109 if (class_val > p->p_classes.nprim) 1110 continue; 1111 pol_class = p->p_class_val_to_name[class_val-1]; 1112 cladatum = hashtab_search(p->p_classes.table, pol_class); 1113 BUG_ON(!cladatum); 1114 if (!cladatum->comdatum) { 1115 printk(KERN_ERR 1116 "security: class %s should have an inherits clause but does not\n", 1117 pol_class); 1118 return -EINVAL; 1119 } 1120 tmp = kdefs->av_inherit[i].common_base; 1121 common_pts_len = 0; 1122 while (!(tmp & 0x01)) { 1123 common_pts_len++; 1124 tmp >>= 1; 1125 } 1126 perms = &cladatum->comdatum->permissions; 1127 for (j = 0; j < common_pts_len; j++) { 1128 def_perm = kdefs->av_inherit[i].common_pts[j]; 1129 if (j >= perms->nprim) { 1130 printk(KERN_INFO 1131 "security: permission %s in class %s not defined in policy\n", 1132 def_perm, pol_class); 1133 continue; 1134 } 1135 perdatum = hashtab_search(perms->table, def_perm); 1136 if (perdatum == NULL) { 1137 printk(KERN_ERR 1138 "security: permission %s in class %s not found in policy\n", 1139 def_perm, pol_class); 1140 return -EINVAL; 1141 } 1142 if (perdatum->value != j + 1) { 1143 printk(KERN_ERR 1144 "security: permission %s in class %s has incorrect value\n", 1145 def_perm, pol_class); 1146 return -EINVAL; 1147 } 1148 } 1149 } 1150 return 0; 1151 } 1152 1153 /* Clone the SID into the new SID table. */ 1154 static int clone_sid(u32 sid, 1155 struct context *context, 1156 void *arg) 1157 { 1158 struct sidtab *s = arg; 1159 1160 return sidtab_insert(s, sid, context); 1161 } 1162 1163 static inline int convert_context_handle_invalid_context(struct context *context) 1164 { 1165 int rc = 0; 1166 1167 if (selinux_enforcing) { 1168 rc = -EINVAL; 1169 } else { 1170 char *s; 1171 u32 len; 1172 1173 context_struct_to_string(context, &s, &len); 1174 printk(KERN_ERR "security: context %s is invalid\n", s); 1175 kfree(s); 1176 } 1177 return rc; 1178 } 1179 1180 struct convert_context_args { 1181 struct policydb *oldp; 1182 struct policydb *newp; 1183 }; 1184 1185 /* 1186 * Convert the values in the security context 1187 * structure `c' from the values specified 1188 * in the policy `p->oldp' to the values specified 1189 * in the policy `p->newp'. Verify that the 1190 * context is valid under the new policy. 1191 */ 1192 static int convert_context(u32 key, 1193 struct context *c, 1194 void *p) 1195 { 1196 struct convert_context_args *args; 1197 struct context oldc; 1198 struct role_datum *role; 1199 struct type_datum *typdatum; 1200 struct user_datum *usrdatum; 1201 char *s; 1202 u32 len; 1203 int rc; 1204 1205 args = p; 1206 1207 rc = context_cpy(&oldc, c); 1208 if (rc) 1209 goto out; 1210 1211 rc = -EINVAL; 1212 1213 /* Convert the user. */ 1214 usrdatum = hashtab_search(args->newp->p_users.table, 1215 args->oldp->p_user_val_to_name[c->user - 1]); 1216 if (!usrdatum) { 1217 goto bad; 1218 } 1219 c->user = usrdatum->value; 1220 1221 /* Convert the role. */ 1222 role = hashtab_search(args->newp->p_roles.table, 1223 args->oldp->p_role_val_to_name[c->role - 1]); 1224 if (!role) { 1225 goto bad; 1226 } 1227 c->role = role->value; 1228 1229 /* Convert the type. */ 1230 typdatum = hashtab_search(args->newp->p_types.table, 1231 args->oldp->p_type_val_to_name[c->type - 1]); 1232 if (!typdatum) { 1233 goto bad; 1234 } 1235 c->type = typdatum->value; 1236 1237 rc = mls_convert_context(args->oldp, args->newp, c); 1238 if (rc) 1239 goto bad; 1240 1241 /* Check the validity of the new context. */ 1242 if (!policydb_context_isvalid(args->newp, c)) { 1243 rc = convert_context_handle_invalid_context(&oldc); 1244 if (rc) 1245 goto bad; 1246 } 1247 1248 context_destroy(&oldc); 1249 out: 1250 return rc; 1251 bad: 1252 context_struct_to_string(&oldc, &s, &len); 1253 context_destroy(&oldc); 1254 printk(KERN_ERR "security: invalidating context %s\n", s); 1255 kfree(s); 1256 goto out; 1257 } 1258 1259 extern void selinux_complete_init(void); 1260 static int security_preserve_bools(struct policydb *p); 1261 1262 /** 1263 * security_load_policy - Load a security policy configuration. 1264 * @data: binary policy data 1265 * @len: length of data in bytes 1266 * 1267 * Load a new set of security policy configuration data, 1268 * validate it and convert the SID table as necessary. 1269 * This function will flush the access vector cache after 1270 * loading the new policy. 1271 */ 1272 int security_load_policy(void *data, size_t len) 1273 { 1274 struct policydb oldpolicydb, newpolicydb; 1275 struct sidtab oldsidtab, newsidtab; 1276 struct convert_context_args args; 1277 u32 seqno; 1278 int rc = 0; 1279 struct policy_file file = { data, len }, *fp = &file; 1280 1281 LOAD_LOCK; 1282 1283 if (!ss_initialized) { 1284 avtab_cache_init(); 1285 if (policydb_read(&policydb, fp)) { 1286 LOAD_UNLOCK; 1287 avtab_cache_destroy(); 1288 return -EINVAL; 1289 } 1290 if (policydb_load_isids(&policydb, &sidtab)) { 1291 LOAD_UNLOCK; 1292 policydb_destroy(&policydb); 1293 avtab_cache_destroy(); 1294 return -EINVAL; 1295 } 1296 /* Verify that the kernel defined classes are correct. */ 1297 if (validate_classes(&policydb)) { 1298 printk(KERN_ERR 1299 "security: the definition of a class is incorrect\n"); 1300 LOAD_UNLOCK; 1301 sidtab_destroy(&sidtab); 1302 policydb_destroy(&policydb); 1303 avtab_cache_destroy(); 1304 return -EINVAL; 1305 } 1306 policydb_loaded_version = policydb.policyvers; 1307 ss_initialized = 1; 1308 seqno = ++latest_granting; 1309 LOAD_UNLOCK; 1310 selinux_complete_init(); 1311 avc_ss_reset(seqno); 1312 selnl_notify_policyload(seqno); 1313 selinux_netlbl_cache_invalidate(); 1314 selinux_xfrm_notify_policyload(); 1315 return 0; 1316 } 1317 1318 #if 0 1319 sidtab_hash_eval(&sidtab, "sids"); 1320 #endif 1321 1322 if (policydb_read(&newpolicydb, fp)) { 1323 LOAD_UNLOCK; 1324 return -EINVAL; 1325 } 1326 1327 sidtab_init(&newsidtab); 1328 1329 /* Verify that the kernel defined classes are correct. */ 1330 if (validate_classes(&newpolicydb)) { 1331 printk(KERN_ERR 1332 "security: the definition of a class is incorrect\n"); 1333 rc = -EINVAL; 1334 goto err; 1335 } 1336 1337 rc = security_preserve_bools(&newpolicydb); 1338 if (rc) { 1339 printk(KERN_ERR "security: unable to preserve booleans\n"); 1340 goto err; 1341 } 1342 1343 /* Clone the SID table. */ 1344 sidtab_shutdown(&sidtab); 1345 if (sidtab_map(&sidtab, clone_sid, &newsidtab)) { 1346 rc = -ENOMEM; 1347 goto err; 1348 } 1349 1350 /* Convert the internal representations of contexts 1351 in the new SID table and remove invalid SIDs. */ 1352 args.oldp = &policydb; 1353 args.newp = &newpolicydb; 1354 sidtab_map_remove_on_error(&newsidtab, convert_context, &args); 1355 1356 /* Save the old policydb and SID table to free later. */ 1357 memcpy(&oldpolicydb, &policydb, sizeof policydb); 1358 sidtab_set(&oldsidtab, &sidtab); 1359 1360 /* Install the new policydb and SID table. */ 1361 POLICY_WRLOCK; 1362 memcpy(&policydb, &newpolicydb, sizeof policydb); 1363 sidtab_set(&sidtab, &newsidtab); 1364 seqno = ++latest_granting; 1365 policydb_loaded_version = policydb.policyvers; 1366 POLICY_WRUNLOCK; 1367 LOAD_UNLOCK; 1368 1369 /* Free the old policydb and SID table. */ 1370 policydb_destroy(&oldpolicydb); 1371 sidtab_destroy(&oldsidtab); 1372 1373 avc_ss_reset(seqno); 1374 selnl_notify_policyload(seqno); 1375 selinux_netlbl_cache_invalidate(); 1376 selinux_xfrm_notify_policyload(); 1377 1378 return 0; 1379 1380 err: 1381 LOAD_UNLOCK; 1382 sidtab_destroy(&newsidtab); 1383 policydb_destroy(&newpolicydb); 1384 return rc; 1385 1386 } 1387 1388 /** 1389 * security_port_sid - Obtain the SID for a port. 1390 * @domain: communication domain aka address family 1391 * @type: socket type 1392 * @protocol: protocol number 1393 * @port: port number 1394 * @out_sid: security identifier 1395 */ 1396 int security_port_sid(u16 domain, 1397 u16 type, 1398 u8 protocol, 1399 u16 port, 1400 u32 *out_sid) 1401 { 1402 struct ocontext *c; 1403 int rc = 0; 1404 1405 POLICY_RDLOCK; 1406 1407 c = policydb.ocontexts[OCON_PORT]; 1408 while (c) { 1409 if (c->u.port.protocol == protocol && 1410 c->u.port.low_port <= port && 1411 c->u.port.high_port >= port) 1412 break; 1413 c = c->next; 1414 } 1415 1416 if (c) { 1417 if (!c->sid[0]) { 1418 rc = sidtab_context_to_sid(&sidtab, 1419 &c->context[0], 1420 &c->sid[0]); 1421 if (rc) 1422 goto out; 1423 } 1424 *out_sid = c->sid[0]; 1425 } else { 1426 *out_sid = SECINITSID_PORT; 1427 } 1428 1429 out: 1430 POLICY_RDUNLOCK; 1431 return rc; 1432 } 1433 1434 /** 1435 * security_netif_sid - Obtain the SID for a network interface. 1436 * @name: interface name 1437 * @if_sid: interface SID 1438 * @msg_sid: default SID for received packets 1439 */ 1440 int security_netif_sid(char *name, 1441 u32 *if_sid, 1442 u32 *msg_sid) 1443 { 1444 int rc = 0; 1445 struct ocontext *c; 1446 1447 POLICY_RDLOCK; 1448 1449 c = policydb.ocontexts[OCON_NETIF]; 1450 while (c) { 1451 if (strcmp(name, c->u.name) == 0) 1452 break; 1453 c = c->next; 1454 } 1455 1456 if (c) { 1457 if (!c->sid[0] || !c->sid[1]) { 1458 rc = sidtab_context_to_sid(&sidtab, 1459 &c->context[0], 1460 &c->sid[0]); 1461 if (rc) 1462 goto out; 1463 rc = sidtab_context_to_sid(&sidtab, 1464 &c->context[1], 1465 &c->sid[1]); 1466 if (rc) 1467 goto out; 1468 } 1469 *if_sid = c->sid[0]; 1470 *msg_sid = c->sid[1]; 1471 } else { 1472 *if_sid = SECINITSID_NETIF; 1473 *msg_sid = SECINITSID_NETMSG; 1474 } 1475 1476 out: 1477 POLICY_RDUNLOCK; 1478 return rc; 1479 } 1480 1481 static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask) 1482 { 1483 int i, fail = 0; 1484 1485 for(i = 0; i < 4; i++) 1486 if(addr[i] != (input[i] & mask[i])) { 1487 fail = 1; 1488 break; 1489 } 1490 1491 return !fail; 1492 } 1493 1494 /** 1495 * security_node_sid - Obtain the SID for a node (host). 1496 * @domain: communication domain aka address family 1497 * @addrp: address 1498 * @addrlen: address length in bytes 1499 * @out_sid: security identifier 1500 */ 1501 int security_node_sid(u16 domain, 1502 void *addrp, 1503 u32 addrlen, 1504 u32 *out_sid) 1505 { 1506 int rc = 0; 1507 struct ocontext *c; 1508 1509 POLICY_RDLOCK; 1510 1511 switch (domain) { 1512 case AF_INET: { 1513 u32 addr; 1514 1515 if (addrlen != sizeof(u32)) { 1516 rc = -EINVAL; 1517 goto out; 1518 } 1519 1520 addr = *((u32 *)addrp); 1521 1522 c = policydb.ocontexts[OCON_NODE]; 1523 while (c) { 1524 if (c->u.node.addr == (addr & c->u.node.mask)) 1525 break; 1526 c = c->next; 1527 } 1528 break; 1529 } 1530 1531 case AF_INET6: 1532 if (addrlen != sizeof(u64) * 2) { 1533 rc = -EINVAL; 1534 goto out; 1535 } 1536 c = policydb.ocontexts[OCON_NODE6]; 1537 while (c) { 1538 if (match_ipv6_addrmask(addrp, c->u.node6.addr, 1539 c->u.node6.mask)) 1540 break; 1541 c = c->next; 1542 } 1543 break; 1544 1545 default: 1546 *out_sid = SECINITSID_NODE; 1547 goto out; 1548 } 1549 1550 if (c) { 1551 if (!c->sid[0]) { 1552 rc = sidtab_context_to_sid(&sidtab, 1553 &c->context[0], 1554 &c->sid[0]); 1555 if (rc) 1556 goto out; 1557 } 1558 *out_sid = c->sid[0]; 1559 } else { 1560 *out_sid = SECINITSID_NODE; 1561 } 1562 1563 out: 1564 POLICY_RDUNLOCK; 1565 return rc; 1566 } 1567 1568 #define SIDS_NEL 25 1569 1570 /** 1571 * security_get_user_sids - Obtain reachable SIDs for a user. 1572 * @fromsid: starting SID 1573 * @username: username 1574 * @sids: array of reachable SIDs for user 1575 * @nel: number of elements in @sids 1576 * 1577 * Generate the set of SIDs for legal security contexts 1578 * for a given user that can be reached by @fromsid. 1579 * Set *@sids to point to a dynamically allocated 1580 * array containing the set of SIDs. Set *@nel to the 1581 * number of elements in the array. 1582 */ 1583 1584 int security_get_user_sids(u32 fromsid, 1585 char *username, 1586 u32 **sids, 1587 u32 *nel) 1588 { 1589 struct context *fromcon, usercon; 1590 u32 *mysids = NULL, *mysids2, sid; 1591 u32 mynel = 0, maxnel = SIDS_NEL; 1592 struct user_datum *user; 1593 struct role_datum *role; 1594 struct ebitmap_node *rnode, *tnode; 1595 int rc = 0, i, j; 1596 1597 *sids = NULL; 1598 *nel = 0; 1599 1600 if (!ss_initialized) 1601 goto out; 1602 1603 POLICY_RDLOCK; 1604 1605 fromcon = sidtab_search(&sidtab, fromsid); 1606 if (!fromcon) { 1607 rc = -EINVAL; 1608 goto out_unlock; 1609 } 1610 1611 user = hashtab_search(policydb.p_users.table, username); 1612 if (!user) { 1613 rc = -EINVAL; 1614 goto out_unlock; 1615 } 1616 usercon.user = user->value; 1617 1618 mysids = kcalloc(maxnel, sizeof(*mysids), GFP_ATOMIC); 1619 if (!mysids) { 1620 rc = -ENOMEM; 1621 goto out_unlock; 1622 } 1623 1624 ebitmap_for_each_bit(&user->roles, rnode, i) { 1625 if (!ebitmap_node_get_bit(rnode, i)) 1626 continue; 1627 role = policydb.role_val_to_struct[i]; 1628 usercon.role = i+1; 1629 ebitmap_for_each_bit(&role->types, tnode, j) { 1630 if (!ebitmap_node_get_bit(tnode, j)) 1631 continue; 1632 usercon.type = j+1; 1633 1634 if (mls_setup_user_range(fromcon, user, &usercon)) 1635 continue; 1636 1637 rc = sidtab_context_to_sid(&sidtab, &usercon, &sid); 1638 if (rc) 1639 goto out_unlock; 1640 if (mynel < maxnel) { 1641 mysids[mynel++] = sid; 1642 } else { 1643 maxnel += SIDS_NEL; 1644 mysids2 = kcalloc(maxnel, sizeof(*mysids2), GFP_ATOMIC); 1645 if (!mysids2) { 1646 rc = -ENOMEM; 1647 goto out_unlock; 1648 } 1649 memcpy(mysids2, mysids, mynel * sizeof(*mysids2)); 1650 kfree(mysids); 1651 mysids = mysids2; 1652 mysids[mynel++] = sid; 1653 } 1654 } 1655 } 1656 1657 out_unlock: 1658 POLICY_RDUNLOCK; 1659 if (rc || !mynel) { 1660 kfree(mysids); 1661 goto out; 1662 } 1663 1664 mysids2 = kcalloc(mynel, sizeof(*mysids2), GFP_KERNEL); 1665 if (!mysids2) { 1666 rc = -ENOMEM; 1667 kfree(mysids); 1668 goto out; 1669 } 1670 for (i = 0, j = 0; i < mynel; i++) { 1671 rc = avc_has_perm_noaudit(fromsid, mysids[i], 1672 SECCLASS_PROCESS, 1673 PROCESS__TRANSITION, AVC_STRICT, 1674 NULL); 1675 if (!rc) 1676 mysids2[j++] = mysids[i]; 1677 cond_resched(); 1678 } 1679 rc = 0; 1680 kfree(mysids); 1681 *sids = mysids2; 1682 *nel = j; 1683 out: 1684 return rc; 1685 } 1686 1687 /** 1688 * security_genfs_sid - Obtain a SID for a file in a filesystem 1689 * @fstype: filesystem type 1690 * @path: path from root of mount 1691 * @sclass: file security class 1692 * @sid: SID for path 1693 * 1694 * Obtain a SID to use for a file in a filesystem that 1695 * cannot support xattr or use a fixed labeling behavior like 1696 * transition SIDs or task SIDs. 1697 */ 1698 int security_genfs_sid(const char *fstype, 1699 char *path, 1700 u16 sclass, 1701 u32 *sid) 1702 { 1703 int len; 1704 struct genfs *genfs; 1705 struct ocontext *c; 1706 int rc = 0, cmp = 0; 1707 1708 POLICY_RDLOCK; 1709 1710 for (genfs = policydb.genfs; genfs; genfs = genfs->next) { 1711 cmp = strcmp(fstype, genfs->fstype); 1712 if (cmp <= 0) 1713 break; 1714 } 1715 1716 if (!genfs || cmp) { 1717 *sid = SECINITSID_UNLABELED; 1718 rc = -ENOENT; 1719 goto out; 1720 } 1721 1722 for (c = genfs->head; c; c = c->next) { 1723 len = strlen(c->u.name); 1724 if ((!c->v.sclass || sclass == c->v.sclass) && 1725 (strncmp(c->u.name, path, len) == 0)) 1726 break; 1727 } 1728 1729 if (!c) { 1730 *sid = SECINITSID_UNLABELED; 1731 rc = -ENOENT; 1732 goto out; 1733 } 1734 1735 if (!c->sid[0]) { 1736 rc = sidtab_context_to_sid(&sidtab, 1737 &c->context[0], 1738 &c->sid[0]); 1739 if (rc) 1740 goto out; 1741 } 1742 1743 *sid = c->sid[0]; 1744 out: 1745 POLICY_RDUNLOCK; 1746 return rc; 1747 } 1748 1749 /** 1750 * security_fs_use - Determine how to handle labeling for a filesystem. 1751 * @fstype: filesystem type 1752 * @behavior: labeling behavior 1753 * @sid: SID for filesystem (superblock) 1754 */ 1755 int security_fs_use( 1756 const char *fstype, 1757 unsigned int *behavior, 1758 u32 *sid) 1759 { 1760 int rc = 0; 1761 struct ocontext *c; 1762 1763 POLICY_RDLOCK; 1764 1765 c = policydb.ocontexts[OCON_FSUSE]; 1766 while (c) { 1767 if (strcmp(fstype, c->u.name) == 0) 1768 break; 1769 c = c->next; 1770 } 1771 1772 if (c) { 1773 *behavior = c->v.behavior; 1774 if (!c->sid[0]) { 1775 rc = sidtab_context_to_sid(&sidtab, 1776 &c->context[0], 1777 &c->sid[0]); 1778 if (rc) 1779 goto out; 1780 } 1781 *sid = c->sid[0]; 1782 } else { 1783 rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, sid); 1784 if (rc) { 1785 *behavior = SECURITY_FS_USE_NONE; 1786 rc = 0; 1787 } else { 1788 *behavior = SECURITY_FS_USE_GENFS; 1789 } 1790 } 1791 1792 out: 1793 POLICY_RDUNLOCK; 1794 return rc; 1795 } 1796 1797 int security_get_bools(int *len, char ***names, int **values) 1798 { 1799 int i, rc = -ENOMEM; 1800 1801 POLICY_RDLOCK; 1802 *names = NULL; 1803 *values = NULL; 1804 1805 *len = policydb.p_bools.nprim; 1806 if (!*len) { 1807 rc = 0; 1808 goto out; 1809 } 1810 1811 *names = kcalloc(*len, sizeof(char*), GFP_ATOMIC); 1812 if (!*names) 1813 goto err; 1814 1815 *values = kcalloc(*len, sizeof(int), GFP_ATOMIC); 1816 if (!*values) 1817 goto err; 1818 1819 for (i = 0; i < *len; i++) { 1820 size_t name_len; 1821 (*values)[i] = policydb.bool_val_to_struct[i]->state; 1822 name_len = strlen(policydb.p_bool_val_to_name[i]) + 1; 1823 (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC); 1824 if (!(*names)[i]) 1825 goto err; 1826 strncpy((*names)[i], policydb.p_bool_val_to_name[i], name_len); 1827 (*names)[i][name_len - 1] = 0; 1828 } 1829 rc = 0; 1830 out: 1831 POLICY_RDUNLOCK; 1832 return rc; 1833 err: 1834 if (*names) { 1835 for (i = 0; i < *len; i++) 1836 kfree((*names)[i]); 1837 } 1838 kfree(*values); 1839 goto out; 1840 } 1841 1842 1843 int security_set_bools(int len, int *values) 1844 { 1845 int i, rc = 0; 1846 int lenp, seqno = 0; 1847 struct cond_node *cur; 1848 1849 POLICY_WRLOCK; 1850 1851 lenp = policydb.p_bools.nprim; 1852 if (len != lenp) { 1853 rc = -EFAULT; 1854 goto out; 1855 } 1856 1857 for (i = 0; i < len; i++) { 1858 if (!!values[i] != policydb.bool_val_to_struct[i]->state) { 1859 audit_log(current->audit_context, GFP_ATOMIC, 1860 AUDIT_MAC_CONFIG_CHANGE, 1861 "bool=%s val=%d old_val=%d auid=%u", 1862 policydb.p_bool_val_to_name[i], 1863 !!values[i], 1864 policydb.bool_val_to_struct[i]->state, 1865 audit_get_loginuid(current->audit_context)); 1866 } 1867 if (values[i]) { 1868 policydb.bool_val_to_struct[i]->state = 1; 1869 } else { 1870 policydb.bool_val_to_struct[i]->state = 0; 1871 } 1872 } 1873 1874 for (cur = policydb.cond_list; cur != NULL; cur = cur->next) { 1875 rc = evaluate_cond_node(&policydb, cur); 1876 if (rc) 1877 goto out; 1878 } 1879 1880 seqno = ++latest_granting; 1881 1882 out: 1883 POLICY_WRUNLOCK; 1884 if (!rc) { 1885 avc_ss_reset(seqno); 1886 selnl_notify_policyload(seqno); 1887 selinux_xfrm_notify_policyload(); 1888 } 1889 return rc; 1890 } 1891 1892 int security_get_bool_value(int bool) 1893 { 1894 int rc = 0; 1895 int len; 1896 1897 POLICY_RDLOCK; 1898 1899 len = policydb.p_bools.nprim; 1900 if (bool >= len) { 1901 rc = -EFAULT; 1902 goto out; 1903 } 1904 1905 rc = policydb.bool_val_to_struct[bool]->state; 1906 out: 1907 POLICY_RDUNLOCK; 1908 return rc; 1909 } 1910 1911 static int security_preserve_bools(struct policydb *p) 1912 { 1913 int rc, nbools = 0, *bvalues = NULL, i; 1914 char **bnames = NULL; 1915 struct cond_bool_datum *booldatum; 1916 struct cond_node *cur; 1917 1918 rc = security_get_bools(&nbools, &bnames, &bvalues); 1919 if (rc) 1920 goto out; 1921 for (i = 0; i < nbools; i++) { 1922 booldatum = hashtab_search(p->p_bools.table, bnames[i]); 1923 if (booldatum) 1924 booldatum->state = bvalues[i]; 1925 } 1926 for (cur = p->cond_list; cur != NULL; cur = cur->next) { 1927 rc = evaluate_cond_node(p, cur); 1928 if (rc) 1929 goto out; 1930 } 1931 1932 out: 1933 if (bnames) { 1934 for (i = 0; i < nbools; i++) 1935 kfree(bnames[i]); 1936 } 1937 kfree(bnames); 1938 kfree(bvalues); 1939 return rc; 1940 } 1941 1942 /* 1943 * security_sid_mls_copy() - computes a new sid based on the given 1944 * sid and the mls portion of mls_sid. 1945 */ 1946 int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid) 1947 { 1948 struct context *context1; 1949 struct context *context2; 1950 struct context newcon; 1951 char *s; 1952 u32 len; 1953 int rc = 0; 1954 1955 if (!ss_initialized || !selinux_mls_enabled) { 1956 *new_sid = sid; 1957 goto out; 1958 } 1959 1960 context_init(&newcon); 1961 1962 POLICY_RDLOCK; 1963 context1 = sidtab_search(&sidtab, sid); 1964 if (!context1) { 1965 printk(KERN_ERR "security_sid_mls_copy: unrecognized SID " 1966 "%d\n", sid); 1967 rc = -EINVAL; 1968 goto out_unlock; 1969 } 1970 1971 context2 = sidtab_search(&sidtab, mls_sid); 1972 if (!context2) { 1973 printk(KERN_ERR "security_sid_mls_copy: unrecognized SID " 1974 "%d\n", mls_sid); 1975 rc = -EINVAL; 1976 goto out_unlock; 1977 } 1978 1979 newcon.user = context1->user; 1980 newcon.role = context1->role; 1981 newcon.type = context1->type; 1982 rc = mls_context_cpy(&newcon, context2); 1983 if (rc) 1984 goto out_unlock; 1985 1986 /* Check the validity of the new context. */ 1987 if (!policydb_context_isvalid(&policydb, &newcon)) { 1988 rc = convert_context_handle_invalid_context(&newcon); 1989 if (rc) 1990 goto bad; 1991 } 1992 1993 rc = sidtab_context_to_sid(&sidtab, &newcon, new_sid); 1994 goto out_unlock; 1995 1996 bad: 1997 if (!context_struct_to_string(&newcon, &s, &len)) { 1998 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, 1999 "security_sid_mls_copy: invalid context %s", s); 2000 kfree(s); 2001 } 2002 2003 out_unlock: 2004 POLICY_RDUNLOCK; 2005 context_destroy(&newcon); 2006 out: 2007 return rc; 2008 } 2009 2010 static int get_classes_callback(void *k, void *d, void *args) 2011 { 2012 struct class_datum *datum = d; 2013 char *name = k, **classes = args; 2014 int value = datum->value - 1; 2015 2016 classes[value] = kstrdup(name, GFP_ATOMIC); 2017 if (!classes[value]) 2018 return -ENOMEM; 2019 2020 return 0; 2021 } 2022 2023 int security_get_classes(char ***classes, int *nclasses) 2024 { 2025 int rc = -ENOMEM; 2026 2027 POLICY_RDLOCK; 2028 2029 *nclasses = policydb.p_classes.nprim; 2030 *classes = kcalloc(*nclasses, sizeof(*classes), GFP_ATOMIC); 2031 if (!*classes) 2032 goto out; 2033 2034 rc = hashtab_map(policydb.p_classes.table, get_classes_callback, 2035 *classes); 2036 if (rc < 0) { 2037 int i; 2038 for (i = 0; i < *nclasses; i++) 2039 kfree((*classes)[i]); 2040 kfree(*classes); 2041 } 2042 2043 out: 2044 POLICY_RDUNLOCK; 2045 return rc; 2046 } 2047 2048 static int get_permissions_callback(void *k, void *d, void *args) 2049 { 2050 struct perm_datum *datum = d; 2051 char *name = k, **perms = args; 2052 int value = datum->value - 1; 2053 2054 perms[value] = kstrdup(name, GFP_ATOMIC); 2055 if (!perms[value]) 2056 return -ENOMEM; 2057 2058 return 0; 2059 } 2060 2061 int security_get_permissions(char *class, char ***perms, int *nperms) 2062 { 2063 int rc = -ENOMEM, i; 2064 struct class_datum *match; 2065 2066 POLICY_RDLOCK; 2067 2068 match = hashtab_search(policydb.p_classes.table, class); 2069 if (!match) { 2070 printk(KERN_ERR "%s: unrecognized class %s\n", 2071 __FUNCTION__, class); 2072 rc = -EINVAL; 2073 goto out; 2074 } 2075 2076 *nperms = match->permissions.nprim; 2077 *perms = kcalloc(*nperms, sizeof(*perms), GFP_ATOMIC); 2078 if (!*perms) 2079 goto out; 2080 2081 if (match->comdatum) { 2082 rc = hashtab_map(match->comdatum->permissions.table, 2083 get_permissions_callback, *perms); 2084 if (rc < 0) 2085 goto err; 2086 } 2087 2088 rc = hashtab_map(match->permissions.table, get_permissions_callback, 2089 *perms); 2090 if (rc < 0) 2091 goto err; 2092 2093 out: 2094 POLICY_RDUNLOCK; 2095 return rc; 2096 2097 err: 2098 POLICY_RDUNLOCK; 2099 for (i = 0; i < *nperms; i++) 2100 kfree((*perms)[i]); 2101 kfree(*perms); 2102 return rc; 2103 } 2104 2105 struct selinux_audit_rule { 2106 u32 au_seqno; 2107 struct context au_ctxt; 2108 }; 2109 2110 void selinux_audit_rule_free(struct selinux_audit_rule *rule) 2111 { 2112 if (rule) { 2113 context_destroy(&rule->au_ctxt); 2114 kfree(rule); 2115 } 2116 } 2117 2118 int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, 2119 struct selinux_audit_rule **rule) 2120 { 2121 struct selinux_audit_rule *tmprule; 2122 struct role_datum *roledatum; 2123 struct type_datum *typedatum; 2124 struct user_datum *userdatum; 2125 int rc = 0; 2126 2127 *rule = NULL; 2128 2129 if (!ss_initialized) 2130 return -ENOTSUPP; 2131 2132 switch (field) { 2133 case AUDIT_SUBJ_USER: 2134 case AUDIT_SUBJ_ROLE: 2135 case AUDIT_SUBJ_TYPE: 2136 case AUDIT_OBJ_USER: 2137 case AUDIT_OBJ_ROLE: 2138 case AUDIT_OBJ_TYPE: 2139 /* only 'equals' and 'not equals' fit user, role, and type */ 2140 if (op != AUDIT_EQUAL && op != AUDIT_NOT_EQUAL) 2141 return -EINVAL; 2142 break; 2143 case AUDIT_SUBJ_SEN: 2144 case AUDIT_SUBJ_CLR: 2145 case AUDIT_OBJ_LEV_LOW: 2146 case AUDIT_OBJ_LEV_HIGH: 2147 /* we do not allow a range, indicated by the presense of '-' */ 2148 if (strchr(rulestr, '-')) 2149 return -EINVAL; 2150 break; 2151 default: 2152 /* only the above fields are valid */ 2153 return -EINVAL; 2154 } 2155 2156 tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL); 2157 if (!tmprule) 2158 return -ENOMEM; 2159 2160 context_init(&tmprule->au_ctxt); 2161 2162 POLICY_RDLOCK; 2163 2164 tmprule->au_seqno = latest_granting; 2165 2166 switch (field) { 2167 case AUDIT_SUBJ_USER: 2168 case AUDIT_OBJ_USER: 2169 userdatum = hashtab_search(policydb.p_users.table, rulestr); 2170 if (!userdatum) 2171 rc = -EINVAL; 2172 else 2173 tmprule->au_ctxt.user = userdatum->value; 2174 break; 2175 case AUDIT_SUBJ_ROLE: 2176 case AUDIT_OBJ_ROLE: 2177 roledatum = hashtab_search(policydb.p_roles.table, rulestr); 2178 if (!roledatum) 2179 rc = -EINVAL; 2180 else 2181 tmprule->au_ctxt.role = roledatum->value; 2182 break; 2183 case AUDIT_SUBJ_TYPE: 2184 case AUDIT_OBJ_TYPE: 2185 typedatum = hashtab_search(policydb.p_types.table, rulestr); 2186 if (!typedatum) 2187 rc = -EINVAL; 2188 else 2189 tmprule->au_ctxt.type = typedatum->value; 2190 break; 2191 case AUDIT_SUBJ_SEN: 2192 case AUDIT_SUBJ_CLR: 2193 case AUDIT_OBJ_LEV_LOW: 2194 case AUDIT_OBJ_LEV_HIGH: 2195 rc = mls_from_string(rulestr, &tmprule->au_ctxt, GFP_ATOMIC); 2196 break; 2197 } 2198 2199 POLICY_RDUNLOCK; 2200 2201 if (rc) { 2202 selinux_audit_rule_free(tmprule); 2203 tmprule = NULL; 2204 } 2205 2206 *rule = tmprule; 2207 2208 return rc; 2209 } 2210 2211 int selinux_audit_rule_match(u32 sid, u32 field, u32 op, 2212 struct selinux_audit_rule *rule, 2213 struct audit_context *actx) 2214 { 2215 struct context *ctxt; 2216 struct mls_level *level; 2217 int match = 0; 2218 2219 if (!rule) { 2220 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2221 "selinux_audit_rule_match: missing rule\n"); 2222 return -ENOENT; 2223 } 2224 2225 POLICY_RDLOCK; 2226 2227 if (rule->au_seqno < latest_granting) { 2228 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2229 "selinux_audit_rule_match: stale rule\n"); 2230 match = -ESTALE; 2231 goto out; 2232 } 2233 2234 ctxt = sidtab_search(&sidtab, sid); 2235 if (!ctxt) { 2236 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2237 "selinux_audit_rule_match: unrecognized SID %d\n", 2238 sid); 2239 match = -ENOENT; 2240 goto out; 2241 } 2242 2243 /* a field/op pair that is not caught here will simply fall through 2244 without a match */ 2245 switch (field) { 2246 case AUDIT_SUBJ_USER: 2247 case AUDIT_OBJ_USER: 2248 switch (op) { 2249 case AUDIT_EQUAL: 2250 match = (ctxt->user == rule->au_ctxt.user); 2251 break; 2252 case AUDIT_NOT_EQUAL: 2253 match = (ctxt->user != rule->au_ctxt.user); 2254 break; 2255 } 2256 break; 2257 case AUDIT_SUBJ_ROLE: 2258 case AUDIT_OBJ_ROLE: 2259 switch (op) { 2260 case AUDIT_EQUAL: 2261 match = (ctxt->role == rule->au_ctxt.role); 2262 break; 2263 case AUDIT_NOT_EQUAL: 2264 match = (ctxt->role != rule->au_ctxt.role); 2265 break; 2266 } 2267 break; 2268 case AUDIT_SUBJ_TYPE: 2269 case AUDIT_OBJ_TYPE: 2270 switch (op) { 2271 case AUDIT_EQUAL: 2272 match = (ctxt->type == rule->au_ctxt.type); 2273 break; 2274 case AUDIT_NOT_EQUAL: 2275 match = (ctxt->type != rule->au_ctxt.type); 2276 break; 2277 } 2278 break; 2279 case AUDIT_SUBJ_SEN: 2280 case AUDIT_SUBJ_CLR: 2281 case AUDIT_OBJ_LEV_LOW: 2282 case AUDIT_OBJ_LEV_HIGH: 2283 level = ((field == AUDIT_SUBJ_SEN || 2284 field == AUDIT_OBJ_LEV_LOW) ? 2285 &ctxt->range.level[0] : &ctxt->range.level[1]); 2286 switch (op) { 2287 case AUDIT_EQUAL: 2288 match = mls_level_eq(&rule->au_ctxt.range.level[0], 2289 level); 2290 break; 2291 case AUDIT_NOT_EQUAL: 2292 match = !mls_level_eq(&rule->au_ctxt.range.level[0], 2293 level); 2294 break; 2295 case AUDIT_LESS_THAN: 2296 match = (mls_level_dom(&rule->au_ctxt.range.level[0], 2297 level) && 2298 !mls_level_eq(&rule->au_ctxt.range.level[0], 2299 level)); 2300 break; 2301 case AUDIT_LESS_THAN_OR_EQUAL: 2302 match = mls_level_dom(&rule->au_ctxt.range.level[0], 2303 level); 2304 break; 2305 case AUDIT_GREATER_THAN: 2306 match = (mls_level_dom(level, 2307 &rule->au_ctxt.range.level[0]) && 2308 !mls_level_eq(level, 2309 &rule->au_ctxt.range.level[0])); 2310 break; 2311 case AUDIT_GREATER_THAN_OR_EQUAL: 2312 match = mls_level_dom(level, 2313 &rule->au_ctxt.range.level[0]); 2314 break; 2315 } 2316 } 2317 2318 out: 2319 POLICY_RDUNLOCK; 2320 return match; 2321 } 2322 2323 static int (*aurule_callback)(void) = NULL; 2324 2325 static int aurule_avc_callback(u32 event, u32 ssid, u32 tsid, 2326 u16 class, u32 perms, u32 *retained) 2327 { 2328 int err = 0; 2329 2330 if (event == AVC_CALLBACK_RESET && aurule_callback) 2331 err = aurule_callback(); 2332 return err; 2333 } 2334 2335 static int __init aurule_init(void) 2336 { 2337 int err; 2338 2339 err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET, 2340 SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0); 2341 if (err) 2342 panic("avc_add_callback() failed, error %d\n", err); 2343 2344 return err; 2345 } 2346 __initcall(aurule_init); 2347 2348 void selinux_audit_set_callback(int (*callback)(void)) 2349 { 2350 aurule_callback = callback; 2351 } 2352 2353 #ifdef CONFIG_NETLABEL 2354 /* 2355 * NetLabel cache structure 2356 */ 2357 #define NETLBL_CACHE(x) ((struct selinux_netlbl_cache *)(x)) 2358 #define NETLBL_CACHE_T_NONE 0 2359 #define NETLBL_CACHE_T_SID 1 2360 #define NETLBL_CACHE_T_MLS 2 2361 struct selinux_netlbl_cache { 2362 u32 type; 2363 union { 2364 u32 sid; 2365 struct mls_range mls_label; 2366 } data; 2367 }; 2368 2369 /** 2370 * security_netlbl_cache_free - Free the NetLabel cached data 2371 * @data: the data to free 2372 * 2373 * Description: 2374 * This function is intended to be used as the free() callback inside the 2375 * netlbl_lsm_cache structure. 2376 * 2377 */ 2378 static void security_netlbl_cache_free(const void *data) 2379 { 2380 struct selinux_netlbl_cache *cache; 2381 2382 if (data == NULL) 2383 return; 2384 2385 cache = NETLBL_CACHE(data); 2386 switch (cache->type) { 2387 case NETLBL_CACHE_T_MLS: 2388 ebitmap_destroy(&cache->data.mls_label.level[0].cat); 2389 break; 2390 } 2391 kfree(data); 2392 } 2393 2394 /** 2395 * security_netlbl_cache_add - Add an entry to the NetLabel cache 2396 * @secattr: the NetLabel packet security attributes 2397 * @ctx: the SELinux context 2398 * 2399 * Description: 2400 * Attempt to cache the context in @ctx, which was derived from the packet in 2401 * @skb, in the NetLabel subsystem cache. This function assumes @secattr has 2402 * already been initialized. 2403 * 2404 */ 2405 static void security_netlbl_cache_add(struct netlbl_lsm_secattr *secattr, 2406 struct context *ctx) 2407 { 2408 struct selinux_netlbl_cache *cache = NULL; 2409 2410 secattr->cache = netlbl_secattr_cache_alloc(GFP_ATOMIC); 2411 if (secattr->cache == NULL) 2412 return; 2413 2414 cache = kzalloc(sizeof(*cache), GFP_ATOMIC); 2415 if (cache == NULL) 2416 return; 2417 2418 cache->type = NETLBL_CACHE_T_MLS; 2419 if (ebitmap_cpy(&cache->data.mls_label.level[0].cat, 2420 &ctx->range.level[0].cat) != 0) { 2421 kfree(cache); 2422 return; 2423 } 2424 cache->data.mls_label.level[1].cat.highbit = 2425 cache->data.mls_label.level[0].cat.highbit; 2426 cache->data.mls_label.level[1].cat.node = 2427 cache->data.mls_label.level[0].cat.node; 2428 cache->data.mls_label.level[0].sens = ctx->range.level[0].sens; 2429 cache->data.mls_label.level[1].sens = ctx->range.level[0].sens; 2430 2431 secattr->cache->free = security_netlbl_cache_free; 2432 secattr->cache->data = (void *)cache; 2433 secattr->flags |= NETLBL_SECATTR_CACHE; 2434 } 2435 2436 /** 2437 * security_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID 2438 * @secattr: the NetLabel packet security attributes 2439 * @base_sid: the SELinux SID to use as a context for MLS only attributes 2440 * @sid: the SELinux SID 2441 * 2442 * Description: 2443 * Convert the given NetLabel security attributes in @secattr into a 2444 * SELinux SID. If the @secattr field does not contain a full SELinux 2445 * SID/context then use the context in @base_sid as the foundation. If 2446 * possibile the 'cache' field of @secattr is set and the CACHE flag is set; 2447 * this is to allow the @secattr to be used by NetLabel to cache the secattr to 2448 * SID conversion for future lookups. Returns zero on success, negative 2449 * values on failure. 2450 * 2451 */ 2452 int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr, 2453 u32 base_sid, 2454 u32 *sid) 2455 { 2456 int rc = -EIDRM; 2457 struct context *ctx; 2458 struct context ctx_new; 2459 struct selinux_netlbl_cache *cache; 2460 2461 if (!ss_initialized) { 2462 *sid = SECSID_NULL; 2463 return 0; 2464 } 2465 2466 POLICY_RDLOCK; 2467 2468 if (secattr->flags & NETLBL_SECATTR_CACHE) { 2469 cache = NETLBL_CACHE(secattr->cache->data); 2470 switch (cache->type) { 2471 case NETLBL_CACHE_T_SID: 2472 *sid = cache->data.sid; 2473 rc = 0; 2474 break; 2475 case NETLBL_CACHE_T_MLS: 2476 ctx = sidtab_search(&sidtab, base_sid); 2477 if (ctx == NULL) 2478 goto netlbl_secattr_to_sid_return; 2479 2480 ctx_new.user = ctx->user; 2481 ctx_new.role = ctx->role; 2482 ctx_new.type = ctx->type; 2483 ctx_new.range.level[0].sens = 2484 cache->data.mls_label.level[0].sens; 2485 ctx_new.range.level[0].cat.highbit = 2486 cache->data.mls_label.level[0].cat.highbit; 2487 ctx_new.range.level[0].cat.node = 2488 cache->data.mls_label.level[0].cat.node; 2489 ctx_new.range.level[1].sens = 2490 cache->data.mls_label.level[1].sens; 2491 ctx_new.range.level[1].cat.highbit = 2492 cache->data.mls_label.level[1].cat.highbit; 2493 ctx_new.range.level[1].cat.node = 2494 cache->data.mls_label.level[1].cat.node; 2495 2496 rc = sidtab_context_to_sid(&sidtab, &ctx_new, sid); 2497 break; 2498 default: 2499 goto netlbl_secattr_to_sid_return; 2500 } 2501 } else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) { 2502 ctx = sidtab_search(&sidtab, base_sid); 2503 if (ctx == NULL) 2504 goto netlbl_secattr_to_sid_return; 2505 2506 ctx_new.user = ctx->user; 2507 ctx_new.role = ctx->role; 2508 ctx_new.type = ctx->type; 2509 mls_import_netlbl_lvl(&ctx_new, secattr); 2510 if (secattr->flags & NETLBL_SECATTR_MLS_CAT) { 2511 if (ebitmap_netlbl_import(&ctx_new.range.level[0].cat, 2512 secattr->mls_cat) != 0) 2513 goto netlbl_secattr_to_sid_return; 2514 ctx_new.range.level[1].cat.highbit = 2515 ctx_new.range.level[0].cat.highbit; 2516 ctx_new.range.level[1].cat.node = 2517 ctx_new.range.level[0].cat.node; 2518 } else { 2519 ebitmap_init(&ctx_new.range.level[0].cat); 2520 ebitmap_init(&ctx_new.range.level[1].cat); 2521 } 2522 if (mls_context_isvalid(&policydb, &ctx_new) != 1) 2523 goto netlbl_secattr_to_sid_return_cleanup; 2524 2525 rc = sidtab_context_to_sid(&sidtab, &ctx_new, sid); 2526 if (rc != 0) 2527 goto netlbl_secattr_to_sid_return_cleanup; 2528 2529 security_netlbl_cache_add(secattr, &ctx_new); 2530 2531 ebitmap_destroy(&ctx_new.range.level[0].cat); 2532 } else { 2533 *sid = SECSID_NULL; 2534 rc = 0; 2535 } 2536 2537 netlbl_secattr_to_sid_return: 2538 POLICY_RDUNLOCK; 2539 return rc; 2540 netlbl_secattr_to_sid_return_cleanup: 2541 ebitmap_destroy(&ctx_new.range.level[0].cat); 2542 goto netlbl_secattr_to_sid_return; 2543 } 2544 2545 /** 2546 * security_netlbl_sid_to_secattr - Convert a SELinux SID to a NetLabel secattr 2547 * @sid: the SELinux SID 2548 * @secattr: the NetLabel packet security attributes 2549 * 2550 * Description: 2551 * Convert the given SELinux SID in @sid into a NetLabel security attribute. 2552 * Returns zero on success, negative values on failure. 2553 * 2554 */ 2555 int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr) 2556 { 2557 int rc = -ENOENT; 2558 struct context *ctx; 2559 2560 netlbl_secattr_init(secattr); 2561 2562 if (!ss_initialized) 2563 return 0; 2564 2565 POLICY_RDLOCK; 2566 ctx = sidtab_search(&sidtab, sid); 2567 if (ctx == NULL) 2568 goto netlbl_sid_to_secattr_failure; 2569 secattr->domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1], 2570 GFP_ATOMIC); 2571 secattr->flags |= NETLBL_SECATTR_DOMAIN; 2572 mls_export_netlbl_lvl(ctx, secattr); 2573 rc = mls_export_netlbl_cat(ctx, secattr); 2574 if (rc != 0) 2575 goto netlbl_sid_to_secattr_failure; 2576 POLICY_RDUNLOCK; 2577 2578 return 0; 2579 2580 netlbl_sid_to_secattr_failure: 2581 POLICY_RDUNLOCK; 2582 netlbl_secattr_destroy(secattr); 2583 return rc; 2584 } 2585 #endif /* CONFIG_NETLABEL */ 2586