xref: /openbmc/linux/security/selinux/ss/services.c (revision d0b5e15f)
1 /*
2  * Implementation of the security services.
3  *
4  * Authors : Stephen Smalley, <sds@epoch.ncsc.mil>
5  *	     James Morris <jmorris@redhat.com>
6  *
7  * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
8  *
9  *	Support for enhanced MLS infrastructure.
10  *	Support for context based audit filters.
11  *
12  * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
13  *
14  *	Added conditional policy language extensions
15  *
16  * Updated: Hewlett-Packard <paul@paul-moore.com>
17  *
18  *      Added support for NetLabel
19  *      Added support for the policy capability bitmap
20  *
21  * Updated: Chad Sellers <csellers@tresys.com>
22  *
23  *  Added validation of kernel classes and permissions
24  *
25  * Updated: KaiGai Kohei <kaigai@ak.jp.nec.com>
26  *
27  *  Added support for bounds domain and audit messaged on masked permissions
28  *
29  * Updated: Guido Trentalancia <guido@trentalancia.com>
30  *
31  *  Added support for runtime switching of the policy type
32  *
33  * Copyright (C) 2008, 2009 NEC Corporation
34  * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
35  * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
36  * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC
37  * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
38  *	This program is free software; you can redistribute it and/or modify
39  *	it under the terms of the GNU General Public License as published by
40  *	the Free Software Foundation, version 2.
41  */
42 #include <linux/kernel.h>
43 #include <linux/slab.h>
44 #include <linux/string.h>
45 #include <linux/spinlock.h>
46 #include <linux/rcupdate.h>
47 #include <linux/errno.h>
48 #include <linux/in.h>
49 #include <linux/sched.h>
50 #include <linux/audit.h>
51 #include <linux/mutex.h>
52 #include <linux/selinux.h>
53 #include <linux/flex_array.h>
54 #include <linux/vmalloc.h>
55 #include <net/netlabel.h>
56 
57 #include "flask.h"
58 #include "avc.h"
59 #include "avc_ss.h"
60 #include "security.h"
61 #include "context.h"
62 #include "policydb.h"
63 #include "sidtab.h"
64 #include "services.h"
65 #include "conditional.h"
66 #include "mls.h"
67 #include "objsec.h"
68 #include "netlabel.h"
69 #include "xfrm.h"
70 #include "ebitmap.h"
71 #include "audit.h"
72 
73 int selinux_policycap_netpeer;
74 int selinux_policycap_openperm;
75 int selinux_policycap_alwaysnetwork;
76 
77 static DEFINE_RWLOCK(policy_rwlock);
78 
79 static struct sidtab sidtab;
80 struct policydb policydb;
81 int ss_initialized;
82 
83 /*
84  * The largest sequence number that has been used when
85  * providing an access decision to the access vector cache.
86  * The sequence number only changes when a policy change
87  * occurs.
88  */
89 static u32 latest_granting;
90 
91 /* Forward declaration. */
92 static int context_struct_to_string(struct context *context, char **scontext,
93 				    u32 *scontext_len);
94 
95 static void context_struct_compute_av(struct context *scontext,
96 				      struct context *tcontext,
97 				      u16 tclass,
98 				      struct av_decision *avd);
99 
100 struct selinux_mapping {
101 	u16 value; /* policy value */
102 	unsigned num_perms;
103 	u32 perms[sizeof(u32) * 8];
104 };
105 
106 static struct selinux_mapping *current_mapping;
107 static u16 current_mapping_size;
108 
109 static int selinux_set_mapping(struct policydb *pol,
110 			       struct security_class_mapping *map,
111 			       struct selinux_mapping **out_map_p,
112 			       u16 *out_map_size)
113 {
114 	struct selinux_mapping *out_map = NULL;
115 	size_t size = sizeof(struct selinux_mapping);
116 	u16 i, j;
117 	unsigned k;
118 	bool print_unknown_handle = false;
119 
120 	/* Find number of classes in the input mapping */
121 	if (!map)
122 		return -EINVAL;
123 	i = 0;
124 	while (map[i].name)
125 		i++;
126 
127 	/* Allocate space for the class records, plus one for class zero */
128 	out_map = kcalloc(++i, size, GFP_ATOMIC);
129 	if (!out_map)
130 		return -ENOMEM;
131 
132 	/* Store the raw class and permission values */
133 	j = 0;
134 	while (map[j].name) {
135 		struct security_class_mapping *p_in = map + (j++);
136 		struct selinux_mapping *p_out = out_map + j;
137 
138 		/* An empty class string skips ahead */
139 		if (!strcmp(p_in->name, "")) {
140 			p_out->num_perms = 0;
141 			continue;
142 		}
143 
144 		p_out->value = string_to_security_class(pol, p_in->name);
145 		if (!p_out->value) {
146 			printk(KERN_INFO
147 			       "SELinux:  Class %s not defined in policy.\n",
148 			       p_in->name);
149 			if (pol->reject_unknown)
150 				goto err;
151 			p_out->num_perms = 0;
152 			print_unknown_handle = true;
153 			continue;
154 		}
155 
156 		k = 0;
157 		while (p_in->perms && p_in->perms[k]) {
158 			/* An empty permission string skips ahead */
159 			if (!*p_in->perms[k]) {
160 				k++;
161 				continue;
162 			}
163 			p_out->perms[k] = string_to_av_perm(pol, p_out->value,
164 							    p_in->perms[k]);
165 			if (!p_out->perms[k]) {
166 				printk(KERN_INFO
167 				       "SELinux:  Permission %s in class %s not defined in policy.\n",
168 				       p_in->perms[k], p_in->name);
169 				if (pol->reject_unknown)
170 					goto err;
171 				print_unknown_handle = true;
172 			}
173 
174 			k++;
175 		}
176 		p_out->num_perms = k;
177 	}
178 
179 	if (print_unknown_handle)
180 		printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
181 		       pol->allow_unknown ? "allowed" : "denied");
182 
183 	*out_map_p = out_map;
184 	*out_map_size = i;
185 	return 0;
186 err:
187 	kfree(out_map);
188 	return -EINVAL;
189 }
190 
191 /*
192  * Get real, policy values from mapped values
193  */
194 
195 static u16 unmap_class(u16 tclass)
196 {
197 	if (tclass < current_mapping_size)
198 		return current_mapping[tclass].value;
199 
200 	return tclass;
201 }
202 
203 /*
204  * Get kernel value for class from its policy value
205  */
206 static u16 map_class(u16 pol_value)
207 {
208 	u16 i;
209 
210 	for (i = 1; i < current_mapping_size; i++) {
211 		if (current_mapping[i].value == pol_value)
212 			return i;
213 	}
214 
215 	return SECCLASS_NULL;
216 }
217 
218 static void map_decision(u16 tclass, struct av_decision *avd,
219 			 int allow_unknown)
220 {
221 	if (tclass < current_mapping_size) {
222 		unsigned i, n = current_mapping[tclass].num_perms;
223 		u32 result;
224 
225 		for (i = 0, result = 0; i < n; i++) {
226 			if (avd->allowed & current_mapping[tclass].perms[i])
227 				result |= 1<<i;
228 			if (allow_unknown && !current_mapping[tclass].perms[i])
229 				result |= 1<<i;
230 		}
231 		avd->allowed = result;
232 
233 		for (i = 0, result = 0; i < n; i++)
234 			if (avd->auditallow & current_mapping[tclass].perms[i])
235 				result |= 1<<i;
236 		avd->auditallow = result;
237 
238 		for (i = 0, result = 0; i < n; i++) {
239 			if (avd->auditdeny & current_mapping[tclass].perms[i])
240 				result |= 1<<i;
241 			if (!allow_unknown && !current_mapping[tclass].perms[i])
242 				result |= 1<<i;
243 		}
244 		/*
245 		 * In case the kernel has a bug and requests a permission
246 		 * between num_perms and the maximum permission number, we
247 		 * should audit that denial
248 		 */
249 		for (; i < (sizeof(u32)*8); i++)
250 			result |= 1<<i;
251 		avd->auditdeny = result;
252 	}
253 }
254 
255 int security_mls_enabled(void)
256 {
257 	return policydb.mls_enabled;
258 }
259 
260 /*
261  * Return the boolean value of a constraint expression
262  * when it is applied to the specified source and target
263  * security contexts.
264  *
265  * xcontext is a special beast...  It is used by the validatetrans rules
266  * only.  For these rules, scontext is the context before the transition,
267  * tcontext is the context after the transition, and xcontext is the context
268  * of the process performing the transition.  All other callers of
269  * constraint_expr_eval should pass in NULL for xcontext.
270  */
271 static int constraint_expr_eval(struct context *scontext,
272 				struct context *tcontext,
273 				struct context *xcontext,
274 				struct constraint_expr *cexpr)
275 {
276 	u32 val1, val2;
277 	struct context *c;
278 	struct role_datum *r1, *r2;
279 	struct mls_level *l1, *l2;
280 	struct constraint_expr *e;
281 	int s[CEXPR_MAXDEPTH];
282 	int sp = -1;
283 
284 	for (e = cexpr; e; e = e->next) {
285 		switch (e->expr_type) {
286 		case CEXPR_NOT:
287 			BUG_ON(sp < 0);
288 			s[sp] = !s[sp];
289 			break;
290 		case CEXPR_AND:
291 			BUG_ON(sp < 1);
292 			sp--;
293 			s[sp] &= s[sp + 1];
294 			break;
295 		case CEXPR_OR:
296 			BUG_ON(sp < 1);
297 			sp--;
298 			s[sp] |= s[sp + 1];
299 			break;
300 		case CEXPR_ATTR:
301 			if (sp == (CEXPR_MAXDEPTH - 1))
302 				return 0;
303 			switch (e->attr) {
304 			case CEXPR_USER:
305 				val1 = scontext->user;
306 				val2 = tcontext->user;
307 				break;
308 			case CEXPR_TYPE:
309 				val1 = scontext->type;
310 				val2 = tcontext->type;
311 				break;
312 			case CEXPR_ROLE:
313 				val1 = scontext->role;
314 				val2 = tcontext->role;
315 				r1 = policydb.role_val_to_struct[val1 - 1];
316 				r2 = policydb.role_val_to_struct[val2 - 1];
317 				switch (e->op) {
318 				case CEXPR_DOM:
319 					s[++sp] = ebitmap_get_bit(&r1->dominates,
320 								  val2 - 1);
321 					continue;
322 				case CEXPR_DOMBY:
323 					s[++sp] = ebitmap_get_bit(&r2->dominates,
324 								  val1 - 1);
325 					continue;
326 				case CEXPR_INCOMP:
327 					s[++sp] = (!ebitmap_get_bit(&r1->dominates,
328 								    val2 - 1) &&
329 						   !ebitmap_get_bit(&r2->dominates,
330 								    val1 - 1));
331 					continue;
332 				default:
333 					break;
334 				}
335 				break;
336 			case CEXPR_L1L2:
337 				l1 = &(scontext->range.level[0]);
338 				l2 = &(tcontext->range.level[0]);
339 				goto mls_ops;
340 			case CEXPR_L1H2:
341 				l1 = &(scontext->range.level[0]);
342 				l2 = &(tcontext->range.level[1]);
343 				goto mls_ops;
344 			case CEXPR_H1L2:
345 				l1 = &(scontext->range.level[1]);
346 				l2 = &(tcontext->range.level[0]);
347 				goto mls_ops;
348 			case CEXPR_H1H2:
349 				l1 = &(scontext->range.level[1]);
350 				l2 = &(tcontext->range.level[1]);
351 				goto mls_ops;
352 			case CEXPR_L1H1:
353 				l1 = &(scontext->range.level[0]);
354 				l2 = &(scontext->range.level[1]);
355 				goto mls_ops;
356 			case CEXPR_L2H2:
357 				l1 = &(tcontext->range.level[0]);
358 				l2 = &(tcontext->range.level[1]);
359 				goto mls_ops;
360 mls_ops:
361 			switch (e->op) {
362 			case CEXPR_EQ:
363 				s[++sp] = mls_level_eq(l1, l2);
364 				continue;
365 			case CEXPR_NEQ:
366 				s[++sp] = !mls_level_eq(l1, l2);
367 				continue;
368 			case CEXPR_DOM:
369 				s[++sp] = mls_level_dom(l1, l2);
370 				continue;
371 			case CEXPR_DOMBY:
372 				s[++sp] = mls_level_dom(l2, l1);
373 				continue;
374 			case CEXPR_INCOMP:
375 				s[++sp] = mls_level_incomp(l2, l1);
376 				continue;
377 			default:
378 				BUG();
379 				return 0;
380 			}
381 			break;
382 			default:
383 				BUG();
384 				return 0;
385 			}
386 
387 			switch (e->op) {
388 			case CEXPR_EQ:
389 				s[++sp] = (val1 == val2);
390 				break;
391 			case CEXPR_NEQ:
392 				s[++sp] = (val1 != val2);
393 				break;
394 			default:
395 				BUG();
396 				return 0;
397 			}
398 			break;
399 		case CEXPR_NAMES:
400 			if (sp == (CEXPR_MAXDEPTH-1))
401 				return 0;
402 			c = scontext;
403 			if (e->attr & CEXPR_TARGET)
404 				c = tcontext;
405 			else if (e->attr & CEXPR_XTARGET) {
406 				c = xcontext;
407 				if (!c) {
408 					BUG();
409 					return 0;
410 				}
411 			}
412 			if (e->attr & CEXPR_USER)
413 				val1 = c->user;
414 			else if (e->attr & CEXPR_ROLE)
415 				val1 = c->role;
416 			else if (e->attr & CEXPR_TYPE)
417 				val1 = c->type;
418 			else {
419 				BUG();
420 				return 0;
421 			}
422 
423 			switch (e->op) {
424 			case CEXPR_EQ:
425 				s[++sp] = ebitmap_get_bit(&e->names, val1 - 1);
426 				break;
427 			case CEXPR_NEQ:
428 				s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1);
429 				break;
430 			default:
431 				BUG();
432 				return 0;
433 			}
434 			break;
435 		default:
436 			BUG();
437 			return 0;
438 		}
439 	}
440 
441 	BUG_ON(sp != 0);
442 	return s[0];
443 }
444 
445 /*
446  * security_dump_masked_av - dumps masked permissions during
447  * security_compute_av due to RBAC, MLS/Constraint and Type bounds.
448  */
449 static int dump_masked_av_helper(void *k, void *d, void *args)
450 {
451 	struct perm_datum *pdatum = d;
452 	char **permission_names = args;
453 
454 	BUG_ON(pdatum->value < 1 || pdatum->value > 32);
455 
456 	permission_names[pdatum->value - 1] = (char *)k;
457 
458 	return 0;
459 }
460 
461 static void security_dump_masked_av(struct context *scontext,
462 				    struct context *tcontext,
463 				    u16 tclass,
464 				    u32 permissions,
465 				    const char *reason)
466 {
467 	struct common_datum *common_dat;
468 	struct class_datum *tclass_dat;
469 	struct audit_buffer *ab;
470 	char *tclass_name;
471 	char *scontext_name = NULL;
472 	char *tcontext_name = NULL;
473 	char *permission_names[32];
474 	int index;
475 	u32 length;
476 	bool need_comma = false;
477 
478 	if (!permissions)
479 		return;
480 
481 	tclass_name = sym_name(&policydb, SYM_CLASSES, tclass - 1);
482 	tclass_dat = policydb.class_val_to_struct[tclass - 1];
483 	common_dat = tclass_dat->comdatum;
484 
485 	/* init permission_names */
486 	if (common_dat &&
487 	    hashtab_map(common_dat->permissions.table,
488 			dump_masked_av_helper, permission_names) < 0)
489 		goto out;
490 
491 	if (hashtab_map(tclass_dat->permissions.table,
492 			dump_masked_av_helper, permission_names) < 0)
493 		goto out;
494 
495 	/* get scontext/tcontext in text form */
496 	if (context_struct_to_string(scontext,
497 				     &scontext_name, &length) < 0)
498 		goto out;
499 
500 	if (context_struct_to_string(tcontext,
501 				     &tcontext_name, &length) < 0)
502 		goto out;
503 
504 	/* audit a message */
505 	ab = audit_log_start(current->audit_context,
506 			     GFP_ATOMIC, AUDIT_SELINUX_ERR);
507 	if (!ab)
508 		goto out;
509 
510 	audit_log_format(ab, "op=security_compute_av reason=%s "
511 			 "scontext=%s tcontext=%s tclass=%s perms=",
512 			 reason, scontext_name, tcontext_name, tclass_name);
513 
514 	for (index = 0; index < 32; index++) {
515 		u32 mask = (1 << index);
516 
517 		if ((mask & permissions) == 0)
518 			continue;
519 
520 		audit_log_format(ab, "%s%s",
521 				 need_comma ? "," : "",
522 				 permission_names[index]
523 				 ? permission_names[index] : "????");
524 		need_comma = true;
525 	}
526 	audit_log_end(ab);
527 out:
528 	/* release scontext/tcontext */
529 	kfree(tcontext_name);
530 	kfree(scontext_name);
531 
532 	return;
533 }
534 
535 /*
536  * security_boundary_permission - drops violated permissions
537  * on boundary constraint.
538  */
539 static void type_attribute_bounds_av(struct context *scontext,
540 				     struct context *tcontext,
541 				     u16 tclass,
542 				     struct av_decision *avd)
543 {
544 	struct context lo_scontext;
545 	struct context lo_tcontext;
546 	struct av_decision lo_avd;
547 	struct type_datum *source;
548 	struct type_datum *target;
549 	u32 masked = 0;
550 
551 	source = flex_array_get_ptr(policydb.type_val_to_struct_array,
552 				    scontext->type - 1);
553 	BUG_ON(!source);
554 
555 	target = flex_array_get_ptr(policydb.type_val_to_struct_array,
556 				    tcontext->type - 1);
557 	BUG_ON(!target);
558 
559 	if (source->bounds) {
560 		memset(&lo_avd, 0, sizeof(lo_avd));
561 
562 		memcpy(&lo_scontext, scontext, sizeof(lo_scontext));
563 		lo_scontext.type = source->bounds;
564 
565 		context_struct_compute_av(&lo_scontext,
566 					  tcontext,
567 					  tclass,
568 					  &lo_avd);
569 		if ((lo_avd.allowed & avd->allowed) == avd->allowed)
570 			return;		/* no masked permission */
571 		masked = ~lo_avd.allowed & avd->allowed;
572 	}
573 
574 	if (target->bounds) {
575 		memset(&lo_avd, 0, sizeof(lo_avd));
576 
577 		memcpy(&lo_tcontext, tcontext, sizeof(lo_tcontext));
578 		lo_tcontext.type = target->bounds;
579 
580 		context_struct_compute_av(scontext,
581 					  &lo_tcontext,
582 					  tclass,
583 					  &lo_avd);
584 		if ((lo_avd.allowed & avd->allowed) == avd->allowed)
585 			return;		/* no masked permission */
586 		masked = ~lo_avd.allowed & avd->allowed;
587 	}
588 
589 	if (source->bounds && target->bounds) {
590 		memset(&lo_avd, 0, sizeof(lo_avd));
591 		/*
592 		 * lo_scontext and lo_tcontext are already
593 		 * set up.
594 		 */
595 
596 		context_struct_compute_av(&lo_scontext,
597 					  &lo_tcontext,
598 					  tclass,
599 					  &lo_avd);
600 		if ((lo_avd.allowed & avd->allowed) == avd->allowed)
601 			return;		/* no masked permission */
602 		masked = ~lo_avd.allowed & avd->allowed;
603 	}
604 
605 	if (masked) {
606 		/* mask violated permissions */
607 		avd->allowed &= ~masked;
608 
609 		/* audit masked permissions */
610 		security_dump_masked_av(scontext, tcontext,
611 					tclass, masked, "bounds");
612 	}
613 }
614 
615 /*
616  * Compute access vectors based on a context structure pair for
617  * the permissions in a particular class.
618  */
619 static void context_struct_compute_av(struct context *scontext,
620 				      struct context *tcontext,
621 				      u16 tclass,
622 				      struct av_decision *avd)
623 {
624 	struct constraint_node *constraint;
625 	struct role_allow *ra;
626 	struct avtab_key avkey;
627 	struct avtab_node *node;
628 	struct class_datum *tclass_datum;
629 	struct ebitmap *sattr, *tattr;
630 	struct ebitmap_node *snode, *tnode;
631 	unsigned int i, j;
632 
633 	avd->allowed = 0;
634 	avd->auditallow = 0;
635 	avd->auditdeny = 0xffffffff;
636 
637 	if (unlikely(!tclass || tclass > policydb.p_classes.nprim)) {
638 		if (printk_ratelimit())
639 			printk(KERN_WARNING "SELinux:  Invalid class %hu\n", tclass);
640 		return;
641 	}
642 
643 	tclass_datum = policydb.class_val_to_struct[tclass - 1];
644 
645 	/*
646 	 * If a specific type enforcement rule was defined for
647 	 * this permission check, then use it.
648 	 */
649 	avkey.target_class = tclass;
650 	avkey.specified = AVTAB_AV;
651 	sattr = flex_array_get(policydb.type_attr_map_array, scontext->type - 1);
652 	BUG_ON(!sattr);
653 	tattr = flex_array_get(policydb.type_attr_map_array, tcontext->type - 1);
654 	BUG_ON(!tattr);
655 	ebitmap_for_each_positive_bit(sattr, snode, i) {
656 		ebitmap_for_each_positive_bit(tattr, tnode, j) {
657 			avkey.source_type = i + 1;
658 			avkey.target_type = j + 1;
659 			for (node = avtab_search_node(&policydb.te_avtab, &avkey);
660 			     node;
661 			     node = avtab_search_node_next(node, avkey.specified)) {
662 				if (node->key.specified == AVTAB_ALLOWED)
663 					avd->allowed |= node->datum.data;
664 				else if (node->key.specified == AVTAB_AUDITALLOW)
665 					avd->auditallow |= node->datum.data;
666 				else if (node->key.specified == AVTAB_AUDITDENY)
667 					avd->auditdeny &= node->datum.data;
668 			}
669 
670 			/* Check conditional av table for additional permissions */
671 			cond_compute_av(&policydb.te_cond_avtab, &avkey, avd);
672 
673 		}
674 	}
675 
676 	/*
677 	 * Remove any permissions prohibited by a constraint (this includes
678 	 * the MLS policy).
679 	 */
680 	constraint = tclass_datum->constraints;
681 	while (constraint) {
682 		if ((constraint->permissions & (avd->allowed)) &&
683 		    !constraint_expr_eval(scontext, tcontext, NULL,
684 					  constraint->expr)) {
685 			avd->allowed &= ~(constraint->permissions);
686 		}
687 		constraint = constraint->next;
688 	}
689 
690 	/*
691 	 * If checking process transition permission and the
692 	 * role is changing, then check the (current_role, new_role)
693 	 * pair.
694 	 */
695 	if (tclass == policydb.process_class &&
696 	    (avd->allowed & policydb.process_trans_perms) &&
697 	    scontext->role != tcontext->role) {
698 		for (ra = policydb.role_allow; ra; ra = ra->next) {
699 			if (scontext->role == ra->role &&
700 			    tcontext->role == ra->new_role)
701 				break;
702 		}
703 		if (!ra)
704 			avd->allowed &= ~policydb.process_trans_perms;
705 	}
706 
707 	/*
708 	 * If the given source and target types have boundary
709 	 * constraint, lazy checks have to mask any violated
710 	 * permission and notice it to userspace via audit.
711 	 */
712 	type_attribute_bounds_av(scontext, tcontext,
713 				 tclass, avd);
714 }
715 
716 static int security_validtrans_handle_fail(struct context *ocontext,
717 					   struct context *ncontext,
718 					   struct context *tcontext,
719 					   u16 tclass)
720 {
721 	char *o = NULL, *n = NULL, *t = NULL;
722 	u32 olen, nlen, tlen;
723 
724 	if (context_struct_to_string(ocontext, &o, &olen))
725 		goto out;
726 	if (context_struct_to_string(ncontext, &n, &nlen))
727 		goto out;
728 	if (context_struct_to_string(tcontext, &t, &tlen))
729 		goto out;
730 	audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
731 		  "op=security_validate_transition seresult=denied"
732 		  " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
733 		  o, n, t, sym_name(&policydb, SYM_CLASSES, tclass-1));
734 out:
735 	kfree(o);
736 	kfree(n);
737 	kfree(t);
738 
739 	if (!selinux_enforcing)
740 		return 0;
741 	return -EPERM;
742 }
743 
744 int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
745 				 u16 orig_tclass)
746 {
747 	struct context *ocontext;
748 	struct context *ncontext;
749 	struct context *tcontext;
750 	struct class_datum *tclass_datum;
751 	struct constraint_node *constraint;
752 	u16 tclass;
753 	int rc = 0;
754 
755 	if (!ss_initialized)
756 		return 0;
757 
758 	read_lock(&policy_rwlock);
759 
760 	tclass = unmap_class(orig_tclass);
761 
762 	if (!tclass || tclass > policydb.p_classes.nprim) {
763 		printk(KERN_ERR "SELinux: %s:  unrecognized class %d\n",
764 			__func__, tclass);
765 		rc = -EINVAL;
766 		goto out;
767 	}
768 	tclass_datum = policydb.class_val_to_struct[tclass - 1];
769 
770 	ocontext = sidtab_search(&sidtab, oldsid);
771 	if (!ocontext) {
772 		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
773 			__func__, oldsid);
774 		rc = -EINVAL;
775 		goto out;
776 	}
777 
778 	ncontext = sidtab_search(&sidtab, newsid);
779 	if (!ncontext) {
780 		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
781 			__func__, newsid);
782 		rc = -EINVAL;
783 		goto out;
784 	}
785 
786 	tcontext = sidtab_search(&sidtab, tasksid);
787 	if (!tcontext) {
788 		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
789 			__func__, tasksid);
790 		rc = -EINVAL;
791 		goto out;
792 	}
793 
794 	constraint = tclass_datum->validatetrans;
795 	while (constraint) {
796 		if (!constraint_expr_eval(ocontext, ncontext, tcontext,
797 					  constraint->expr)) {
798 			rc = security_validtrans_handle_fail(ocontext, ncontext,
799 							     tcontext, tclass);
800 			goto out;
801 		}
802 		constraint = constraint->next;
803 	}
804 
805 out:
806 	read_unlock(&policy_rwlock);
807 	return rc;
808 }
809 
810 /*
811  * security_bounded_transition - check whether the given
812  * transition is directed to bounded, or not.
813  * It returns 0, if @newsid is bounded by @oldsid.
814  * Otherwise, it returns error code.
815  *
816  * @oldsid : current security identifier
817  * @newsid : destinated security identifier
818  */
819 int security_bounded_transition(u32 old_sid, u32 new_sid)
820 {
821 	struct context *old_context, *new_context;
822 	struct type_datum *type;
823 	int index;
824 	int rc;
825 
826 	read_lock(&policy_rwlock);
827 
828 	rc = -EINVAL;
829 	old_context = sidtab_search(&sidtab, old_sid);
830 	if (!old_context) {
831 		printk(KERN_ERR "SELinux: %s: unrecognized SID %u\n",
832 		       __func__, old_sid);
833 		goto out;
834 	}
835 
836 	rc = -EINVAL;
837 	new_context = sidtab_search(&sidtab, new_sid);
838 	if (!new_context) {
839 		printk(KERN_ERR "SELinux: %s: unrecognized SID %u\n",
840 		       __func__, new_sid);
841 		goto out;
842 	}
843 
844 	rc = 0;
845 	/* type/domain unchanged */
846 	if (old_context->type == new_context->type)
847 		goto out;
848 
849 	index = new_context->type;
850 	while (true) {
851 		type = flex_array_get_ptr(policydb.type_val_to_struct_array,
852 					  index - 1);
853 		BUG_ON(!type);
854 
855 		/* not bounded anymore */
856 		rc = -EPERM;
857 		if (!type->bounds)
858 			break;
859 
860 		/* @newsid is bounded by @oldsid */
861 		rc = 0;
862 		if (type->bounds == old_context->type)
863 			break;
864 
865 		index = type->bounds;
866 	}
867 
868 	if (rc) {
869 		char *old_name = NULL;
870 		char *new_name = NULL;
871 		u32 length;
872 
873 		if (!context_struct_to_string(old_context,
874 					      &old_name, &length) &&
875 		    !context_struct_to_string(new_context,
876 					      &new_name, &length)) {
877 			audit_log(current->audit_context,
878 				  GFP_ATOMIC, AUDIT_SELINUX_ERR,
879 				  "op=security_bounded_transition "
880 				  "seresult=denied "
881 				  "oldcontext=%s newcontext=%s",
882 				  old_name, new_name);
883 		}
884 		kfree(new_name);
885 		kfree(old_name);
886 	}
887 out:
888 	read_unlock(&policy_rwlock);
889 
890 	return rc;
891 }
892 
893 static void avd_init(struct av_decision *avd)
894 {
895 	avd->allowed = 0;
896 	avd->auditallow = 0;
897 	avd->auditdeny = 0xffffffff;
898 	avd->seqno = latest_granting;
899 	avd->flags = 0;
900 }
901 
902 
903 /**
904  * security_compute_av - Compute access vector decisions.
905  * @ssid: source security identifier
906  * @tsid: target security identifier
907  * @tclass: target security class
908  * @avd: access vector decisions
909  *
910  * Compute a set of access vector decisions based on the
911  * SID pair (@ssid, @tsid) for the permissions in @tclass.
912  */
913 void security_compute_av(u32 ssid,
914 			 u32 tsid,
915 			 u16 orig_tclass,
916 			 struct av_decision *avd)
917 {
918 	u16 tclass;
919 	struct context *scontext = NULL, *tcontext = NULL;
920 
921 	read_lock(&policy_rwlock);
922 	avd_init(avd);
923 	if (!ss_initialized)
924 		goto allow;
925 
926 	scontext = sidtab_search(&sidtab, ssid);
927 	if (!scontext) {
928 		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
929 		       __func__, ssid);
930 		goto out;
931 	}
932 
933 	/* permissive domain? */
934 	if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
935 		avd->flags |= AVD_FLAGS_PERMISSIVE;
936 
937 	tcontext = sidtab_search(&sidtab, tsid);
938 	if (!tcontext) {
939 		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
940 		       __func__, tsid);
941 		goto out;
942 	}
943 
944 	tclass = unmap_class(orig_tclass);
945 	if (unlikely(orig_tclass && !tclass)) {
946 		if (policydb.allow_unknown)
947 			goto allow;
948 		goto out;
949 	}
950 	context_struct_compute_av(scontext, tcontext, tclass, avd);
951 	map_decision(orig_tclass, avd, policydb.allow_unknown);
952 out:
953 	read_unlock(&policy_rwlock);
954 	return;
955 allow:
956 	avd->allowed = 0xffffffff;
957 	goto out;
958 }
959 
960 void security_compute_av_user(u32 ssid,
961 			      u32 tsid,
962 			      u16 tclass,
963 			      struct av_decision *avd)
964 {
965 	struct context *scontext = NULL, *tcontext = NULL;
966 
967 	read_lock(&policy_rwlock);
968 	avd_init(avd);
969 	if (!ss_initialized)
970 		goto allow;
971 
972 	scontext = sidtab_search(&sidtab, ssid);
973 	if (!scontext) {
974 		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
975 		       __func__, ssid);
976 		goto out;
977 	}
978 
979 	/* permissive domain? */
980 	if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
981 		avd->flags |= AVD_FLAGS_PERMISSIVE;
982 
983 	tcontext = sidtab_search(&sidtab, tsid);
984 	if (!tcontext) {
985 		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
986 		       __func__, tsid);
987 		goto out;
988 	}
989 
990 	if (unlikely(!tclass)) {
991 		if (policydb.allow_unknown)
992 			goto allow;
993 		goto out;
994 	}
995 
996 	context_struct_compute_av(scontext, tcontext, tclass, avd);
997  out:
998 	read_unlock(&policy_rwlock);
999 	return;
1000 allow:
1001 	avd->allowed = 0xffffffff;
1002 	goto out;
1003 }
1004 
1005 /*
1006  * Write the security context string representation of
1007  * the context structure `context' into a dynamically
1008  * allocated string of the correct size.  Set `*scontext'
1009  * to point to this string and set `*scontext_len' to
1010  * the length of the string.
1011  */
1012 static int context_struct_to_string(struct context *context, char **scontext, u32 *scontext_len)
1013 {
1014 	char *scontextp;
1015 
1016 	if (scontext)
1017 		*scontext = NULL;
1018 	*scontext_len = 0;
1019 
1020 	if (context->len) {
1021 		*scontext_len = context->len;
1022 		if (scontext) {
1023 			*scontext = kstrdup(context->str, GFP_ATOMIC);
1024 			if (!(*scontext))
1025 				return -ENOMEM;
1026 		}
1027 		return 0;
1028 	}
1029 
1030 	/* Compute the size of the context. */
1031 	*scontext_len += strlen(sym_name(&policydb, SYM_USERS, context->user - 1)) + 1;
1032 	*scontext_len += strlen(sym_name(&policydb, SYM_ROLES, context->role - 1)) + 1;
1033 	*scontext_len += strlen(sym_name(&policydb, SYM_TYPES, context->type - 1)) + 1;
1034 	*scontext_len += mls_compute_context_len(context);
1035 
1036 	if (!scontext)
1037 		return 0;
1038 
1039 	/* Allocate space for the context; caller must free this space. */
1040 	scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
1041 	if (!scontextp)
1042 		return -ENOMEM;
1043 	*scontext = scontextp;
1044 
1045 	/*
1046 	 * Copy the user name, role name and type name into the context.
1047 	 */
1048 	sprintf(scontextp, "%s:%s:%s",
1049 		sym_name(&policydb, SYM_USERS, context->user - 1),
1050 		sym_name(&policydb, SYM_ROLES, context->role - 1),
1051 		sym_name(&policydb, SYM_TYPES, context->type - 1));
1052 	scontextp += strlen(sym_name(&policydb, SYM_USERS, context->user - 1)) +
1053 		     1 + strlen(sym_name(&policydb, SYM_ROLES, context->role - 1)) +
1054 		     1 + strlen(sym_name(&policydb, SYM_TYPES, context->type - 1));
1055 
1056 	mls_sid_to_context(context, &scontextp);
1057 
1058 	*scontextp = 0;
1059 
1060 	return 0;
1061 }
1062 
1063 #include "initial_sid_to_string.h"
1064 
1065 const char *security_get_initial_sid_context(u32 sid)
1066 {
1067 	if (unlikely(sid > SECINITSID_NUM))
1068 		return NULL;
1069 	return initial_sid_to_string[sid];
1070 }
1071 
1072 static int security_sid_to_context_core(u32 sid, char **scontext,
1073 					u32 *scontext_len, int force)
1074 {
1075 	struct context *context;
1076 	int rc = 0;
1077 
1078 	if (scontext)
1079 		*scontext = NULL;
1080 	*scontext_len  = 0;
1081 
1082 	if (!ss_initialized) {
1083 		if (sid <= SECINITSID_NUM) {
1084 			char *scontextp;
1085 
1086 			*scontext_len = strlen(initial_sid_to_string[sid]) + 1;
1087 			if (!scontext)
1088 				goto out;
1089 			scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
1090 			if (!scontextp) {
1091 				rc = -ENOMEM;
1092 				goto out;
1093 			}
1094 			strcpy(scontextp, initial_sid_to_string[sid]);
1095 			*scontext = scontextp;
1096 			goto out;
1097 		}
1098 		printk(KERN_ERR "SELinux: %s:  called before initial "
1099 		       "load_policy on unknown SID %d\n", __func__, sid);
1100 		rc = -EINVAL;
1101 		goto out;
1102 	}
1103 	read_lock(&policy_rwlock);
1104 	if (force)
1105 		context = sidtab_search_force(&sidtab, sid);
1106 	else
1107 		context = sidtab_search(&sidtab, sid);
1108 	if (!context) {
1109 		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1110 			__func__, sid);
1111 		rc = -EINVAL;
1112 		goto out_unlock;
1113 	}
1114 	rc = context_struct_to_string(context, scontext, scontext_len);
1115 out_unlock:
1116 	read_unlock(&policy_rwlock);
1117 out:
1118 	return rc;
1119 
1120 }
1121 
1122 /**
1123  * security_sid_to_context - Obtain a context for a given SID.
1124  * @sid: security identifier, SID
1125  * @scontext: security context
1126  * @scontext_len: length in bytes
1127  *
1128  * Write the string representation of the context associated with @sid
1129  * into a dynamically allocated string of the correct size.  Set @scontext
1130  * to point to this string and set @scontext_len to the length of the string.
1131  */
1132 int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
1133 {
1134 	return security_sid_to_context_core(sid, scontext, scontext_len, 0);
1135 }
1136 
1137 int security_sid_to_context_force(u32 sid, char **scontext, u32 *scontext_len)
1138 {
1139 	return security_sid_to_context_core(sid, scontext, scontext_len, 1);
1140 }
1141 
1142 /*
1143  * Caveat:  Mutates scontext.
1144  */
1145 static int string_to_context_struct(struct policydb *pol,
1146 				    struct sidtab *sidtabp,
1147 				    char *scontext,
1148 				    u32 scontext_len,
1149 				    struct context *ctx,
1150 				    u32 def_sid)
1151 {
1152 	struct role_datum *role;
1153 	struct type_datum *typdatum;
1154 	struct user_datum *usrdatum;
1155 	char *scontextp, *p, oldc;
1156 	int rc = 0;
1157 
1158 	context_init(ctx);
1159 
1160 	/* Parse the security context. */
1161 
1162 	rc = -EINVAL;
1163 	scontextp = (char *) scontext;
1164 
1165 	/* Extract the user. */
1166 	p = scontextp;
1167 	while (*p && *p != ':')
1168 		p++;
1169 
1170 	if (*p == 0)
1171 		goto out;
1172 
1173 	*p++ = 0;
1174 
1175 	usrdatum = hashtab_search(pol->p_users.table, scontextp);
1176 	if (!usrdatum)
1177 		goto out;
1178 
1179 	ctx->user = usrdatum->value;
1180 
1181 	/* Extract role. */
1182 	scontextp = p;
1183 	while (*p && *p != ':')
1184 		p++;
1185 
1186 	if (*p == 0)
1187 		goto out;
1188 
1189 	*p++ = 0;
1190 
1191 	role = hashtab_search(pol->p_roles.table, scontextp);
1192 	if (!role)
1193 		goto out;
1194 	ctx->role = role->value;
1195 
1196 	/* Extract type. */
1197 	scontextp = p;
1198 	while (*p && *p != ':')
1199 		p++;
1200 	oldc = *p;
1201 	*p++ = 0;
1202 
1203 	typdatum = hashtab_search(pol->p_types.table, scontextp);
1204 	if (!typdatum || typdatum->attribute)
1205 		goto out;
1206 
1207 	ctx->type = typdatum->value;
1208 
1209 	rc = mls_context_to_sid(pol, oldc, &p, ctx, sidtabp, def_sid);
1210 	if (rc)
1211 		goto out;
1212 
1213 	rc = -EINVAL;
1214 	if ((p - scontext) < scontext_len)
1215 		goto out;
1216 
1217 	/* Check the validity of the new context. */
1218 	if (!policydb_context_isvalid(pol, ctx))
1219 		goto out;
1220 	rc = 0;
1221 out:
1222 	if (rc)
1223 		context_destroy(ctx);
1224 	return rc;
1225 }
1226 
1227 static int security_context_to_sid_core(const char *scontext, u32 scontext_len,
1228 					u32 *sid, u32 def_sid, gfp_t gfp_flags,
1229 					int force)
1230 {
1231 	char *scontext2, *str = NULL;
1232 	struct context context;
1233 	int rc = 0;
1234 
1235 	/* An empty security context is never valid. */
1236 	if (!scontext_len)
1237 		return -EINVAL;
1238 
1239 	if (!ss_initialized) {
1240 		int i;
1241 
1242 		for (i = 1; i < SECINITSID_NUM; i++) {
1243 			if (!strcmp(initial_sid_to_string[i], scontext)) {
1244 				*sid = i;
1245 				return 0;
1246 			}
1247 		}
1248 		*sid = SECINITSID_KERNEL;
1249 		return 0;
1250 	}
1251 	*sid = SECSID_NULL;
1252 
1253 	/* Copy the string so that we can modify the copy as we parse it. */
1254 	scontext2 = kmalloc(scontext_len + 1, gfp_flags);
1255 	if (!scontext2)
1256 		return -ENOMEM;
1257 	memcpy(scontext2, scontext, scontext_len);
1258 	scontext2[scontext_len] = 0;
1259 
1260 	if (force) {
1261 		/* Save another copy for storing in uninterpreted form */
1262 		rc = -ENOMEM;
1263 		str = kstrdup(scontext2, gfp_flags);
1264 		if (!str)
1265 			goto out;
1266 	}
1267 
1268 	read_lock(&policy_rwlock);
1269 	rc = string_to_context_struct(&policydb, &sidtab, scontext2,
1270 				      scontext_len, &context, def_sid);
1271 	if (rc == -EINVAL && force) {
1272 		context.str = str;
1273 		context.len = scontext_len;
1274 		str = NULL;
1275 	} else if (rc)
1276 		goto out_unlock;
1277 	rc = sidtab_context_to_sid(&sidtab, &context, sid);
1278 	context_destroy(&context);
1279 out_unlock:
1280 	read_unlock(&policy_rwlock);
1281 out:
1282 	kfree(scontext2);
1283 	kfree(str);
1284 	return rc;
1285 }
1286 
1287 /**
1288  * security_context_to_sid - Obtain a SID for a given security context.
1289  * @scontext: security context
1290  * @scontext_len: length in bytes
1291  * @sid: security identifier, SID
1292  * @gfp: context for the allocation
1293  *
1294  * Obtains a SID associated with the security context that
1295  * has the string representation specified by @scontext.
1296  * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
1297  * memory is available, or 0 on success.
1298  */
1299 int security_context_to_sid(const char *scontext, u32 scontext_len, u32 *sid,
1300 			    gfp_t gfp)
1301 {
1302 	return security_context_to_sid_core(scontext, scontext_len,
1303 					    sid, SECSID_NULL, gfp, 0);
1304 }
1305 
1306 /**
1307  * security_context_to_sid_default - Obtain a SID for a given security context,
1308  * falling back to specified default if needed.
1309  *
1310  * @scontext: security context
1311  * @scontext_len: length in bytes
1312  * @sid: security identifier, SID
1313  * @def_sid: default SID to assign on error
1314  *
1315  * Obtains a SID associated with the security context that
1316  * has the string representation specified by @scontext.
1317  * The default SID is passed to the MLS layer to be used to allow
1318  * kernel labeling of the MLS field if the MLS field is not present
1319  * (for upgrading to MLS without full relabel).
1320  * Implicitly forces adding of the context even if it cannot be mapped yet.
1321  * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
1322  * memory is available, or 0 on success.
1323  */
1324 int security_context_to_sid_default(const char *scontext, u32 scontext_len,
1325 				    u32 *sid, u32 def_sid, gfp_t gfp_flags)
1326 {
1327 	return security_context_to_sid_core(scontext, scontext_len,
1328 					    sid, def_sid, gfp_flags, 1);
1329 }
1330 
1331 int security_context_to_sid_force(const char *scontext, u32 scontext_len,
1332 				  u32 *sid)
1333 {
1334 	return security_context_to_sid_core(scontext, scontext_len,
1335 					    sid, SECSID_NULL, GFP_KERNEL, 1);
1336 }
1337 
1338 static int compute_sid_handle_invalid_context(
1339 	struct context *scontext,
1340 	struct context *tcontext,
1341 	u16 tclass,
1342 	struct context *newcontext)
1343 {
1344 	char *s = NULL, *t = NULL, *n = NULL;
1345 	u32 slen, tlen, nlen;
1346 
1347 	if (context_struct_to_string(scontext, &s, &slen))
1348 		goto out;
1349 	if (context_struct_to_string(tcontext, &t, &tlen))
1350 		goto out;
1351 	if (context_struct_to_string(newcontext, &n, &nlen))
1352 		goto out;
1353 	audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
1354 		  "op=security_compute_sid invalid_context=%s"
1355 		  " scontext=%s"
1356 		  " tcontext=%s"
1357 		  " tclass=%s",
1358 		  n, s, t, sym_name(&policydb, SYM_CLASSES, tclass-1));
1359 out:
1360 	kfree(s);
1361 	kfree(t);
1362 	kfree(n);
1363 	if (!selinux_enforcing)
1364 		return 0;
1365 	return -EACCES;
1366 }
1367 
1368 static void filename_compute_type(struct policydb *p, struct context *newcontext,
1369 				  u32 stype, u32 ttype, u16 tclass,
1370 				  const char *objname)
1371 {
1372 	struct filename_trans ft;
1373 	struct filename_trans_datum *otype;
1374 
1375 	/*
1376 	 * Most filename trans rules are going to live in specific directories
1377 	 * like /dev or /var/run.  This bitmap will quickly skip rule searches
1378 	 * if the ttype does not contain any rules.
1379 	 */
1380 	if (!ebitmap_get_bit(&p->filename_trans_ttypes, ttype))
1381 		return;
1382 
1383 	ft.stype = stype;
1384 	ft.ttype = ttype;
1385 	ft.tclass = tclass;
1386 	ft.name = objname;
1387 
1388 	otype = hashtab_search(p->filename_trans, &ft);
1389 	if (otype)
1390 		newcontext->type = otype->otype;
1391 }
1392 
1393 static int security_compute_sid(u32 ssid,
1394 				u32 tsid,
1395 				u16 orig_tclass,
1396 				u32 specified,
1397 				const char *objname,
1398 				u32 *out_sid,
1399 				bool kern)
1400 {
1401 	struct class_datum *cladatum = NULL;
1402 	struct context *scontext = NULL, *tcontext = NULL, newcontext;
1403 	struct role_trans *roletr = NULL;
1404 	struct avtab_key avkey;
1405 	struct avtab_datum *avdatum;
1406 	struct avtab_node *node;
1407 	u16 tclass;
1408 	int rc = 0;
1409 	bool sock;
1410 
1411 	if (!ss_initialized) {
1412 		switch (orig_tclass) {
1413 		case SECCLASS_PROCESS: /* kernel value */
1414 			*out_sid = ssid;
1415 			break;
1416 		default:
1417 			*out_sid = tsid;
1418 			break;
1419 		}
1420 		goto out;
1421 	}
1422 
1423 	context_init(&newcontext);
1424 
1425 	read_lock(&policy_rwlock);
1426 
1427 	if (kern) {
1428 		tclass = unmap_class(orig_tclass);
1429 		sock = security_is_socket_class(orig_tclass);
1430 	} else {
1431 		tclass = orig_tclass;
1432 		sock = security_is_socket_class(map_class(tclass));
1433 	}
1434 
1435 	scontext = sidtab_search(&sidtab, ssid);
1436 	if (!scontext) {
1437 		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1438 		       __func__, ssid);
1439 		rc = -EINVAL;
1440 		goto out_unlock;
1441 	}
1442 	tcontext = sidtab_search(&sidtab, tsid);
1443 	if (!tcontext) {
1444 		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1445 		       __func__, tsid);
1446 		rc = -EINVAL;
1447 		goto out_unlock;
1448 	}
1449 
1450 	if (tclass && tclass <= policydb.p_classes.nprim)
1451 		cladatum = policydb.class_val_to_struct[tclass - 1];
1452 
1453 	/* Set the user identity. */
1454 	switch (specified) {
1455 	case AVTAB_TRANSITION:
1456 	case AVTAB_CHANGE:
1457 		if (cladatum && cladatum->default_user == DEFAULT_TARGET) {
1458 			newcontext.user = tcontext->user;
1459 		} else {
1460 			/* notice this gets both DEFAULT_SOURCE and unset */
1461 			/* Use the process user identity. */
1462 			newcontext.user = scontext->user;
1463 		}
1464 		break;
1465 	case AVTAB_MEMBER:
1466 		/* Use the related object owner. */
1467 		newcontext.user = tcontext->user;
1468 		break;
1469 	}
1470 
1471 	/* Set the role to default values. */
1472 	if (cladatum && cladatum->default_role == DEFAULT_SOURCE) {
1473 		newcontext.role = scontext->role;
1474 	} else if (cladatum && cladatum->default_role == DEFAULT_TARGET) {
1475 		newcontext.role = tcontext->role;
1476 	} else {
1477 		if ((tclass == policydb.process_class) || (sock == true))
1478 			newcontext.role = scontext->role;
1479 		else
1480 			newcontext.role = OBJECT_R_VAL;
1481 	}
1482 
1483 	/* Set the type to default values. */
1484 	if (cladatum && cladatum->default_type == DEFAULT_SOURCE) {
1485 		newcontext.type = scontext->type;
1486 	} else if (cladatum && cladatum->default_type == DEFAULT_TARGET) {
1487 		newcontext.type = tcontext->type;
1488 	} else {
1489 		if ((tclass == policydb.process_class) || (sock == true)) {
1490 			/* Use the type of process. */
1491 			newcontext.type = scontext->type;
1492 		} else {
1493 			/* Use the type of the related object. */
1494 			newcontext.type = tcontext->type;
1495 		}
1496 	}
1497 
1498 	/* Look for a type transition/member/change rule. */
1499 	avkey.source_type = scontext->type;
1500 	avkey.target_type = tcontext->type;
1501 	avkey.target_class = tclass;
1502 	avkey.specified = specified;
1503 	avdatum = avtab_search(&policydb.te_avtab, &avkey);
1504 
1505 	/* If no permanent rule, also check for enabled conditional rules */
1506 	if (!avdatum) {
1507 		node = avtab_search_node(&policydb.te_cond_avtab, &avkey);
1508 		for (; node; node = avtab_search_node_next(node, specified)) {
1509 			if (node->key.specified & AVTAB_ENABLED) {
1510 				avdatum = &node->datum;
1511 				break;
1512 			}
1513 		}
1514 	}
1515 
1516 	if (avdatum) {
1517 		/* Use the type from the type transition/member/change rule. */
1518 		newcontext.type = avdatum->data;
1519 	}
1520 
1521 	/* if we have a objname this is a file trans check so check those rules */
1522 	if (objname)
1523 		filename_compute_type(&policydb, &newcontext, scontext->type,
1524 				      tcontext->type, tclass, objname);
1525 
1526 	/* Check for class-specific changes. */
1527 	if (specified & AVTAB_TRANSITION) {
1528 		/* Look for a role transition rule. */
1529 		for (roletr = policydb.role_tr; roletr; roletr = roletr->next) {
1530 			if ((roletr->role == scontext->role) &&
1531 			    (roletr->type == tcontext->type) &&
1532 			    (roletr->tclass == tclass)) {
1533 				/* Use the role transition rule. */
1534 				newcontext.role = roletr->new_role;
1535 				break;
1536 			}
1537 		}
1538 	}
1539 
1540 	/* Set the MLS attributes.
1541 	   This is done last because it may allocate memory. */
1542 	rc = mls_compute_sid(scontext, tcontext, tclass, specified,
1543 			     &newcontext, sock);
1544 	if (rc)
1545 		goto out_unlock;
1546 
1547 	/* Check the validity of the context. */
1548 	if (!policydb_context_isvalid(&policydb, &newcontext)) {
1549 		rc = compute_sid_handle_invalid_context(scontext,
1550 							tcontext,
1551 							tclass,
1552 							&newcontext);
1553 		if (rc)
1554 			goto out_unlock;
1555 	}
1556 	/* Obtain the sid for the context. */
1557 	rc = sidtab_context_to_sid(&sidtab, &newcontext, out_sid);
1558 out_unlock:
1559 	read_unlock(&policy_rwlock);
1560 	context_destroy(&newcontext);
1561 out:
1562 	return rc;
1563 }
1564 
1565 /**
1566  * security_transition_sid - Compute the SID for a new subject/object.
1567  * @ssid: source security identifier
1568  * @tsid: target security identifier
1569  * @tclass: target security class
1570  * @out_sid: security identifier for new subject/object
1571  *
1572  * Compute a SID to use for labeling a new subject or object in the
1573  * class @tclass based on a SID pair (@ssid, @tsid).
1574  * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
1575  * if insufficient memory is available, or %0 if the new SID was
1576  * computed successfully.
1577  */
1578 int security_transition_sid(u32 ssid, u32 tsid, u16 tclass,
1579 			    const struct qstr *qstr, u32 *out_sid)
1580 {
1581 	return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
1582 				    qstr ? qstr->name : NULL, out_sid, true);
1583 }
1584 
1585 int security_transition_sid_user(u32 ssid, u32 tsid, u16 tclass,
1586 				 const char *objname, u32 *out_sid)
1587 {
1588 	return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
1589 				    objname, out_sid, false);
1590 }
1591 
1592 /**
1593  * security_member_sid - Compute the SID for member selection.
1594  * @ssid: source security identifier
1595  * @tsid: target security identifier
1596  * @tclass: target security class
1597  * @out_sid: security identifier for selected member
1598  *
1599  * Compute a SID to use when selecting a member of a polyinstantiated
1600  * object of class @tclass based on a SID pair (@ssid, @tsid).
1601  * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
1602  * if insufficient memory is available, or %0 if the SID was
1603  * computed successfully.
1604  */
1605 int security_member_sid(u32 ssid,
1606 			u32 tsid,
1607 			u16 tclass,
1608 			u32 *out_sid)
1609 {
1610 	return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, NULL,
1611 				    out_sid, false);
1612 }
1613 
1614 /**
1615  * security_change_sid - Compute the SID for object relabeling.
1616  * @ssid: source security identifier
1617  * @tsid: target security identifier
1618  * @tclass: target security class
1619  * @out_sid: security identifier for selected member
1620  *
1621  * Compute a SID to use for relabeling an object of class @tclass
1622  * based on a SID pair (@ssid, @tsid).
1623  * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
1624  * if insufficient memory is available, or %0 if the SID was
1625  * computed successfully.
1626  */
1627 int security_change_sid(u32 ssid,
1628 			u32 tsid,
1629 			u16 tclass,
1630 			u32 *out_sid)
1631 {
1632 	return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, NULL,
1633 				    out_sid, false);
1634 }
1635 
1636 /* Clone the SID into the new SID table. */
1637 static int clone_sid(u32 sid,
1638 		     struct context *context,
1639 		     void *arg)
1640 {
1641 	struct sidtab *s = arg;
1642 
1643 	if (sid > SECINITSID_NUM)
1644 		return sidtab_insert(s, sid, context);
1645 	else
1646 		return 0;
1647 }
1648 
1649 static inline int convert_context_handle_invalid_context(struct context *context)
1650 {
1651 	char *s;
1652 	u32 len;
1653 
1654 	if (selinux_enforcing)
1655 		return -EINVAL;
1656 
1657 	if (!context_struct_to_string(context, &s, &len)) {
1658 		printk(KERN_WARNING "SELinux:  Context %s would be invalid if enforcing\n", s);
1659 		kfree(s);
1660 	}
1661 	return 0;
1662 }
1663 
1664 struct convert_context_args {
1665 	struct policydb *oldp;
1666 	struct policydb *newp;
1667 };
1668 
1669 /*
1670  * Convert the values in the security context
1671  * structure `c' from the values specified
1672  * in the policy `p->oldp' to the values specified
1673  * in the policy `p->newp'.  Verify that the
1674  * context is valid under the new policy.
1675  */
1676 static int convert_context(u32 key,
1677 			   struct context *c,
1678 			   void *p)
1679 {
1680 	struct convert_context_args *args;
1681 	struct context oldc;
1682 	struct ocontext *oc;
1683 	struct mls_range *range;
1684 	struct role_datum *role;
1685 	struct type_datum *typdatum;
1686 	struct user_datum *usrdatum;
1687 	char *s;
1688 	u32 len;
1689 	int rc = 0;
1690 
1691 	if (key <= SECINITSID_NUM)
1692 		goto out;
1693 
1694 	args = p;
1695 
1696 	if (c->str) {
1697 		struct context ctx;
1698 
1699 		rc = -ENOMEM;
1700 		s = kstrdup(c->str, GFP_KERNEL);
1701 		if (!s)
1702 			goto out;
1703 
1704 		rc = string_to_context_struct(args->newp, NULL, s,
1705 					      c->len, &ctx, SECSID_NULL);
1706 		kfree(s);
1707 		if (!rc) {
1708 			printk(KERN_INFO "SELinux:  Context %s became valid (mapped).\n",
1709 			       c->str);
1710 			/* Replace string with mapped representation. */
1711 			kfree(c->str);
1712 			memcpy(c, &ctx, sizeof(*c));
1713 			goto out;
1714 		} else if (rc == -EINVAL) {
1715 			/* Retain string representation for later mapping. */
1716 			rc = 0;
1717 			goto out;
1718 		} else {
1719 			/* Other error condition, e.g. ENOMEM. */
1720 			printk(KERN_ERR "SELinux:   Unable to map context %s, rc = %d.\n",
1721 			       c->str, -rc);
1722 			goto out;
1723 		}
1724 	}
1725 
1726 	rc = context_cpy(&oldc, c);
1727 	if (rc)
1728 		goto out;
1729 
1730 	/* Convert the user. */
1731 	rc = -EINVAL;
1732 	usrdatum = hashtab_search(args->newp->p_users.table,
1733 				  sym_name(args->oldp, SYM_USERS, c->user - 1));
1734 	if (!usrdatum)
1735 		goto bad;
1736 	c->user = usrdatum->value;
1737 
1738 	/* Convert the role. */
1739 	rc = -EINVAL;
1740 	role = hashtab_search(args->newp->p_roles.table,
1741 			      sym_name(args->oldp, SYM_ROLES, c->role - 1));
1742 	if (!role)
1743 		goto bad;
1744 	c->role = role->value;
1745 
1746 	/* Convert the type. */
1747 	rc = -EINVAL;
1748 	typdatum = hashtab_search(args->newp->p_types.table,
1749 				  sym_name(args->oldp, SYM_TYPES, c->type - 1));
1750 	if (!typdatum)
1751 		goto bad;
1752 	c->type = typdatum->value;
1753 
1754 	/* Convert the MLS fields if dealing with MLS policies */
1755 	if (args->oldp->mls_enabled && args->newp->mls_enabled) {
1756 		rc = mls_convert_context(args->oldp, args->newp, c);
1757 		if (rc)
1758 			goto bad;
1759 	} else if (args->oldp->mls_enabled && !args->newp->mls_enabled) {
1760 		/*
1761 		 * Switching between MLS and non-MLS policy:
1762 		 * free any storage used by the MLS fields in the
1763 		 * context for all existing entries in the sidtab.
1764 		 */
1765 		mls_context_destroy(c);
1766 	} else if (!args->oldp->mls_enabled && args->newp->mls_enabled) {
1767 		/*
1768 		 * Switching between non-MLS and MLS policy:
1769 		 * ensure that the MLS fields of the context for all
1770 		 * existing entries in the sidtab are filled in with a
1771 		 * suitable default value, likely taken from one of the
1772 		 * initial SIDs.
1773 		 */
1774 		oc = args->newp->ocontexts[OCON_ISID];
1775 		while (oc && oc->sid[0] != SECINITSID_UNLABELED)
1776 			oc = oc->next;
1777 		rc = -EINVAL;
1778 		if (!oc) {
1779 			printk(KERN_ERR "SELinux:  unable to look up"
1780 				" the initial SIDs list\n");
1781 			goto bad;
1782 		}
1783 		range = &oc->context[0].range;
1784 		rc = mls_range_set(c, range);
1785 		if (rc)
1786 			goto bad;
1787 	}
1788 
1789 	/* Check the validity of the new context. */
1790 	if (!policydb_context_isvalid(args->newp, c)) {
1791 		rc = convert_context_handle_invalid_context(&oldc);
1792 		if (rc)
1793 			goto bad;
1794 	}
1795 
1796 	context_destroy(&oldc);
1797 
1798 	rc = 0;
1799 out:
1800 	return rc;
1801 bad:
1802 	/* Map old representation to string and save it. */
1803 	rc = context_struct_to_string(&oldc, &s, &len);
1804 	if (rc)
1805 		return rc;
1806 	context_destroy(&oldc);
1807 	context_destroy(c);
1808 	c->str = s;
1809 	c->len = len;
1810 	printk(KERN_INFO "SELinux:  Context %s became invalid (unmapped).\n",
1811 	       c->str);
1812 	rc = 0;
1813 	goto out;
1814 }
1815 
1816 static void security_load_policycaps(void)
1817 {
1818 	selinux_policycap_netpeer = ebitmap_get_bit(&policydb.policycaps,
1819 						  POLICYDB_CAPABILITY_NETPEER);
1820 	selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps,
1821 						  POLICYDB_CAPABILITY_OPENPERM);
1822 	selinux_policycap_alwaysnetwork = ebitmap_get_bit(&policydb.policycaps,
1823 						  POLICYDB_CAPABILITY_ALWAYSNETWORK);
1824 }
1825 
1826 static int security_preserve_bools(struct policydb *p);
1827 
1828 /**
1829  * security_load_policy - Load a security policy configuration.
1830  * @data: binary policy data
1831  * @len: length of data in bytes
1832  *
1833  * Load a new set of security policy configuration data,
1834  * validate it and convert the SID table as necessary.
1835  * This function will flush the access vector cache after
1836  * loading the new policy.
1837  */
1838 int security_load_policy(void *data, size_t len)
1839 {
1840 	struct policydb *oldpolicydb, *newpolicydb;
1841 	struct sidtab oldsidtab, newsidtab;
1842 	struct selinux_mapping *oldmap, *map = NULL;
1843 	struct convert_context_args args;
1844 	u32 seqno;
1845 	u16 map_size;
1846 	int rc = 0;
1847 	struct policy_file file = { data, len }, *fp = &file;
1848 
1849 	oldpolicydb = kzalloc(2 * sizeof(*oldpolicydb), GFP_KERNEL);
1850 	if (!oldpolicydb) {
1851 		rc = -ENOMEM;
1852 		goto out;
1853 	}
1854 	newpolicydb = oldpolicydb + 1;
1855 
1856 	if (!ss_initialized) {
1857 		avtab_cache_init();
1858 		rc = policydb_read(&policydb, fp);
1859 		if (rc) {
1860 			avtab_cache_destroy();
1861 			goto out;
1862 		}
1863 
1864 		policydb.len = len;
1865 		rc = selinux_set_mapping(&policydb, secclass_map,
1866 					 &current_mapping,
1867 					 &current_mapping_size);
1868 		if (rc) {
1869 			policydb_destroy(&policydb);
1870 			avtab_cache_destroy();
1871 			goto out;
1872 		}
1873 
1874 		rc = policydb_load_isids(&policydb, &sidtab);
1875 		if (rc) {
1876 			policydb_destroy(&policydb);
1877 			avtab_cache_destroy();
1878 			goto out;
1879 		}
1880 
1881 		security_load_policycaps();
1882 		ss_initialized = 1;
1883 		seqno = ++latest_granting;
1884 		selinux_complete_init();
1885 		avc_ss_reset(seqno);
1886 		selnl_notify_policyload(seqno);
1887 		selinux_status_update_policyload(seqno);
1888 		selinux_netlbl_cache_invalidate();
1889 		selinux_xfrm_notify_policyload();
1890 		goto out;
1891 	}
1892 
1893 #if 0
1894 	sidtab_hash_eval(&sidtab, "sids");
1895 #endif
1896 
1897 	rc = policydb_read(newpolicydb, fp);
1898 	if (rc)
1899 		goto out;
1900 
1901 	newpolicydb->len = len;
1902 	/* If switching between different policy types, log MLS status */
1903 	if (policydb.mls_enabled && !newpolicydb->mls_enabled)
1904 		printk(KERN_INFO "SELinux: Disabling MLS support...\n");
1905 	else if (!policydb.mls_enabled && newpolicydb->mls_enabled)
1906 		printk(KERN_INFO "SELinux: Enabling MLS support...\n");
1907 
1908 	rc = policydb_load_isids(newpolicydb, &newsidtab);
1909 	if (rc) {
1910 		printk(KERN_ERR "SELinux:  unable to load the initial SIDs\n");
1911 		policydb_destroy(newpolicydb);
1912 		goto out;
1913 	}
1914 
1915 	rc = selinux_set_mapping(newpolicydb, secclass_map, &map, &map_size);
1916 	if (rc)
1917 		goto err;
1918 
1919 	rc = security_preserve_bools(newpolicydb);
1920 	if (rc) {
1921 		printk(KERN_ERR "SELinux:  unable to preserve booleans\n");
1922 		goto err;
1923 	}
1924 
1925 	/* Clone the SID table. */
1926 	sidtab_shutdown(&sidtab);
1927 
1928 	rc = sidtab_map(&sidtab, clone_sid, &newsidtab);
1929 	if (rc)
1930 		goto err;
1931 
1932 	/*
1933 	 * Convert the internal representations of contexts
1934 	 * in the new SID table.
1935 	 */
1936 	args.oldp = &policydb;
1937 	args.newp = newpolicydb;
1938 	rc = sidtab_map(&newsidtab, convert_context, &args);
1939 	if (rc) {
1940 		printk(KERN_ERR "SELinux:  unable to convert the internal"
1941 			" representation of contexts in the new SID"
1942 			" table\n");
1943 		goto err;
1944 	}
1945 
1946 	/* Save the old policydb and SID table to free later. */
1947 	memcpy(oldpolicydb, &policydb, sizeof(policydb));
1948 	sidtab_set(&oldsidtab, &sidtab);
1949 
1950 	/* Install the new policydb and SID table. */
1951 	write_lock_irq(&policy_rwlock);
1952 	memcpy(&policydb, newpolicydb, sizeof(policydb));
1953 	sidtab_set(&sidtab, &newsidtab);
1954 	security_load_policycaps();
1955 	oldmap = current_mapping;
1956 	current_mapping = map;
1957 	current_mapping_size = map_size;
1958 	seqno = ++latest_granting;
1959 	write_unlock_irq(&policy_rwlock);
1960 
1961 	/* Free the old policydb and SID table. */
1962 	policydb_destroy(oldpolicydb);
1963 	sidtab_destroy(&oldsidtab);
1964 	kfree(oldmap);
1965 
1966 	avc_ss_reset(seqno);
1967 	selnl_notify_policyload(seqno);
1968 	selinux_status_update_policyload(seqno);
1969 	selinux_netlbl_cache_invalidate();
1970 	selinux_xfrm_notify_policyload();
1971 
1972 	rc = 0;
1973 	goto out;
1974 
1975 err:
1976 	kfree(map);
1977 	sidtab_destroy(&newsidtab);
1978 	policydb_destroy(newpolicydb);
1979 
1980 out:
1981 	kfree(oldpolicydb);
1982 	return rc;
1983 }
1984 
1985 size_t security_policydb_len(void)
1986 {
1987 	size_t len;
1988 
1989 	read_lock(&policy_rwlock);
1990 	len = policydb.len;
1991 	read_unlock(&policy_rwlock);
1992 
1993 	return len;
1994 }
1995 
1996 /**
1997  * security_port_sid - Obtain the SID for a port.
1998  * @protocol: protocol number
1999  * @port: port number
2000  * @out_sid: security identifier
2001  */
2002 int security_port_sid(u8 protocol, u16 port, u32 *out_sid)
2003 {
2004 	struct ocontext *c;
2005 	int rc = 0;
2006 
2007 	read_lock(&policy_rwlock);
2008 
2009 	c = policydb.ocontexts[OCON_PORT];
2010 	while (c) {
2011 		if (c->u.port.protocol == protocol &&
2012 		    c->u.port.low_port <= port &&
2013 		    c->u.port.high_port >= port)
2014 			break;
2015 		c = c->next;
2016 	}
2017 
2018 	if (c) {
2019 		if (!c->sid[0]) {
2020 			rc = sidtab_context_to_sid(&sidtab,
2021 						   &c->context[0],
2022 						   &c->sid[0]);
2023 			if (rc)
2024 				goto out;
2025 		}
2026 		*out_sid = c->sid[0];
2027 	} else {
2028 		*out_sid = SECINITSID_PORT;
2029 	}
2030 
2031 out:
2032 	read_unlock(&policy_rwlock);
2033 	return rc;
2034 }
2035 
2036 /**
2037  * security_netif_sid - Obtain the SID for a network interface.
2038  * @name: interface name
2039  * @if_sid: interface SID
2040  */
2041 int security_netif_sid(char *name, u32 *if_sid)
2042 {
2043 	int rc = 0;
2044 	struct ocontext *c;
2045 
2046 	read_lock(&policy_rwlock);
2047 
2048 	c = policydb.ocontexts[OCON_NETIF];
2049 	while (c) {
2050 		if (strcmp(name, c->u.name) == 0)
2051 			break;
2052 		c = c->next;
2053 	}
2054 
2055 	if (c) {
2056 		if (!c->sid[0] || !c->sid[1]) {
2057 			rc = sidtab_context_to_sid(&sidtab,
2058 						  &c->context[0],
2059 						  &c->sid[0]);
2060 			if (rc)
2061 				goto out;
2062 			rc = sidtab_context_to_sid(&sidtab,
2063 						   &c->context[1],
2064 						   &c->sid[1]);
2065 			if (rc)
2066 				goto out;
2067 		}
2068 		*if_sid = c->sid[0];
2069 	} else
2070 		*if_sid = SECINITSID_NETIF;
2071 
2072 out:
2073 	read_unlock(&policy_rwlock);
2074 	return rc;
2075 }
2076 
2077 static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask)
2078 {
2079 	int i, fail = 0;
2080 
2081 	for (i = 0; i < 4; i++)
2082 		if (addr[i] != (input[i] & mask[i])) {
2083 			fail = 1;
2084 			break;
2085 		}
2086 
2087 	return !fail;
2088 }
2089 
2090 /**
2091  * security_node_sid - Obtain the SID for a node (host).
2092  * @domain: communication domain aka address family
2093  * @addrp: address
2094  * @addrlen: address length in bytes
2095  * @out_sid: security identifier
2096  */
2097 int security_node_sid(u16 domain,
2098 		      void *addrp,
2099 		      u32 addrlen,
2100 		      u32 *out_sid)
2101 {
2102 	int rc;
2103 	struct ocontext *c;
2104 
2105 	read_lock(&policy_rwlock);
2106 
2107 	switch (domain) {
2108 	case AF_INET: {
2109 		u32 addr;
2110 
2111 		rc = -EINVAL;
2112 		if (addrlen != sizeof(u32))
2113 			goto out;
2114 
2115 		addr = *((u32 *)addrp);
2116 
2117 		c = policydb.ocontexts[OCON_NODE];
2118 		while (c) {
2119 			if (c->u.node.addr == (addr & c->u.node.mask))
2120 				break;
2121 			c = c->next;
2122 		}
2123 		break;
2124 	}
2125 
2126 	case AF_INET6:
2127 		rc = -EINVAL;
2128 		if (addrlen != sizeof(u64) * 2)
2129 			goto out;
2130 		c = policydb.ocontexts[OCON_NODE6];
2131 		while (c) {
2132 			if (match_ipv6_addrmask(addrp, c->u.node6.addr,
2133 						c->u.node6.mask))
2134 				break;
2135 			c = c->next;
2136 		}
2137 		break;
2138 
2139 	default:
2140 		rc = 0;
2141 		*out_sid = SECINITSID_NODE;
2142 		goto out;
2143 	}
2144 
2145 	if (c) {
2146 		if (!c->sid[0]) {
2147 			rc = sidtab_context_to_sid(&sidtab,
2148 						   &c->context[0],
2149 						   &c->sid[0]);
2150 			if (rc)
2151 				goto out;
2152 		}
2153 		*out_sid = c->sid[0];
2154 	} else {
2155 		*out_sid = SECINITSID_NODE;
2156 	}
2157 
2158 	rc = 0;
2159 out:
2160 	read_unlock(&policy_rwlock);
2161 	return rc;
2162 }
2163 
2164 #define SIDS_NEL 25
2165 
2166 /**
2167  * security_get_user_sids - Obtain reachable SIDs for a user.
2168  * @fromsid: starting SID
2169  * @username: username
2170  * @sids: array of reachable SIDs for user
2171  * @nel: number of elements in @sids
2172  *
2173  * Generate the set of SIDs for legal security contexts
2174  * for a given user that can be reached by @fromsid.
2175  * Set *@sids to point to a dynamically allocated
2176  * array containing the set of SIDs.  Set *@nel to the
2177  * number of elements in the array.
2178  */
2179 
2180 int security_get_user_sids(u32 fromsid,
2181 			   char *username,
2182 			   u32 **sids,
2183 			   u32 *nel)
2184 {
2185 	struct context *fromcon, usercon;
2186 	u32 *mysids = NULL, *mysids2, sid;
2187 	u32 mynel = 0, maxnel = SIDS_NEL;
2188 	struct user_datum *user;
2189 	struct role_datum *role;
2190 	struct ebitmap_node *rnode, *tnode;
2191 	int rc = 0, i, j;
2192 
2193 	*sids = NULL;
2194 	*nel = 0;
2195 
2196 	if (!ss_initialized)
2197 		goto out;
2198 
2199 	read_lock(&policy_rwlock);
2200 
2201 	context_init(&usercon);
2202 
2203 	rc = -EINVAL;
2204 	fromcon = sidtab_search(&sidtab, fromsid);
2205 	if (!fromcon)
2206 		goto out_unlock;
2207 
2208 	rc = -EINVAL;
2209 	user = hashtab_search(policydb.p_users.table, username);
2210 	if (!user)
2211 		goto out_unlock;
2212 
2213 	usercon.user = user->value;
2214 
2215 	rc = -ENOMEM;
2216 	mysids = kcalloc(maxnel, sizeof(*mysids), GFP_ATOMIC);
2217 	if (!mysids)
2218 		goto out_unlock;
2219 
2220 	ebitmap_for_each_positive_bit(&user->roles, rnode, i) {
2221 		role = policydb.role_val_to_struct[i];
2222 		usercon.role = i + 1;
2223 		ebitmap_for_each_positive_bit(&role->types, tnode, j) {
2224 			usercon.type = j + 1;
2225 
2226 			if (mls_setup_user_range(fromcon, user, &usercon))
2227 				continue;
2228 
2229 			rc = sidtab_context_to_sid(&sidtab, &usercon, &sid);
2230 			if (rc)
2231 				goto out_unlock;
2232 			if (mynel < maxnel) {
2233 				mysids[mynel++] = sid;
2234 			} else {
2235 				rc = -ENOMEM;
2236 				maxnel += SIDS_NEL;
2237 				mysids2 = kcalloc(maxnel, sizeof(*mysids2), GFP_ATOMIC);
2238 				if (!mysids2)
2239 					goto out_unlock;
2240 				memcpy(mysids2, mysids, mynel * sizeof(*mysids2));
2241 				kfree(mysids);
2242 				mysids = mysids2;
2243 				mysids[mynel++] = sid;
2244 			}
2245 		}
2246 	}
2247 	rc = 0;
2248 out_unlock:
2249 	read_unlock(&policy_rwlock);
2250 	if (rc || !mynel) {
2251 		kfree(mysids);
2252 		goto out;
2253 	}
2254 
2255 	rc = -ENOMEM;
2256 	mysids2 = kcalloc(mynel, sizeof(*mysids2), GFP_KERNEL);
2257 	if (!mysids2) {
2258 		kfree(mysids);
2259 		goto out;
2260 	}
2261 	for (i = 0, j = 0; i < mynel; i++) {
2262 		struct av_decision dummy_avd;
2263 		rc = avc_has_perm_noaudit(fromsid, mysids[i],
2264 					  SECCLASS_PROCESS, /* kernel value */
2265 					  PROCESS__TRANSITION, AVC_STRICT,
2266 					  &dummy_avd);
2267 		if (!rc)
2268 			mysids2[j++] = mysids[i];
2269 		cond_resched();
2270 	}
2271 	rc = 0;
2272 	kfree(mysids);
2273 	*sids = mysids2;
2274 	*nel = j;
2275 out:
2276 	return rc;
2277 }
2278 
2279 /**
2280  * __security_genfs_sid - Helper to obtain a SID for a file in a filesystem
2281  * @fstype: filesystem type
2282  * @path: path from root of mount
2283  * @sclass: file security class
2284  * @sid: SID for path
2285  *
2286  * Obtain a SID to use for a file in a filesystem that
2287  * cannot support xattr or use a fixed labeling behavior like
2288  * transition SIDs or task SIDs.
2289  *
2290  * The caller must acquire the policy_rwlock before calling this function.
2291  */
2292 static inline int __security_genfs_sid(const char *fstype,
2293 				       char *path,
2294 				       u16 orig_sclass,
2295 				       u32 *sid)
2296 {
2297 	int len;
2298 	u16 sclass;
2299 	struct genfs *genfs;
2300 	struct ocontext *c;
2301 	int rc, cmp = 0;
2302 
2303 	while (path[0] == '/' && path[1] == '/')
2304 		path++;
2305 
2306 	sclass = unmap_class(orig_sclass);
2307 	*sid = SECINITSID_UNLABELED;
2308 
2309 	for (genfs = policydb.genfs; genfs; genfs = genfs->next) {
2310 		cmp = strcmp(fstype, genfs->fstype);
2311 		if (cmp <= 0)
2312 			break;
2313 	}
2314 
2315 	rc = -ENOENT;
2316 	if (!genfs || cmp)
2317 		goto out;
2318 
2319 	for (c = genfs->head; c; c = c->next) {
2320 		len = strlen(c->u.name);
2321 		if ((!c->v.sclass || sclass == c->v.sclass) &&
2322 		    (strncmp(c->u.name, path, len) == 0))
2323 			break;
2324 	}
2325 
2326 	rc = -ENOENT;
2327 	if (!c)
2328 		goto out;
2329 
2330 	if (!c->sid[0]) {
2331 		rc = sidtab_context_to_sid(&sidtab, &c->context[0], &c->sid[0]);
2332 		if (rc)
2333 			goto out;
2334 	}
2335 
2336 	*sid = c->sid[0];
2337 	rc = 0;
2338 out:
2339 	return rc;
2340 }
2341 
2342 /**
2343  * security_genfs_sid - Obtain a SID for a file in a filesystem
2344  * @fstype: filesystem type
2345  * @path: path from root of mount
2346  * @sclass: file security class
2347  * @sid: SID for path
2348  *
2349  * Acquire policy_rwlock before calling __security_genfs_sid() and release
2350  * it afterward.
2351  */
2352 int security_genfs_sid(const char *fstype,
2353 		       char *path,
2354 		       u16 orig_sclass,
2355 		       u32 *sid)
2356 {
2357 	int retval;
2358 
2359 	read_lock(&policy_rwlock);
2360 	retval = __security_genfs_sid(fstype, path, orig_sclass, sid);
2361 	read_unlock(&policy_rwlock);
2362 	return retval;
2363 }
2364 
2365 /**
2366  * security_fs_use - Determine how to handle labeling for a filesystem.
2367  * @sb: superblock in question
2368  */
2369 int security_fs_use(struct super_block *sb)
2370 {
2371 	int rc = 0;
2372 	struct ocontext *c;
2373 	struct superblock_security_struct *sbsec = sb->s_security;
2374 	const char *fstype = sb->s_type->name;
2375 
2376 	read_lock(&policy_rwlock);
2377 
2378 	c = policydb.ocontexts[OCON_FSUSE];
2379 	while (c) {
2380 		if (strcmp(fstype, c->u.name) == 0)
2381 			break;
2382 		c = c->next;
2383 	}
2384 
2385 	if (c) {
2386 		sbsec->behavior = c->v.behavior;
2387 		if (!c->sid[0]) {
2388 			rc = sidtab_context_to_sid(&sidtab, &c->context[0],
2389 						   &c->sid[0]);
2390 			if (rc)
2391 				goto out;
2392 		}
2393 		sbsec->sid = c->sid[0];
2394 	} else {
2395 		rc = __security_genfs_sid(fstype, "/", SECCLASS_DIR,
2396 					  &sbsec->sid);
2397 		if (rc) {
2398 			sbsec->behavior = SECURITY_FS_USE_NONE;
2399 			rc = 0;
2400 		} else {
2401 			sbsec->behavior = SECURITY_FS_USE_GENFS;
2402 		}
2403 	}
2404 
2405 out:
2406 	read_unlock(&policy_rwlock);
2407 	return rc;
2408 }
2409 
2410 int security_get_bools(int *len, char ***names, int **values)
2411 {
2412 	int i, rc;
2413 
2414 	read_lock(&policy_rwlock);
2415 	*names = NULL;
2416 	*values = NULL;
2417 
2418 	rc = 0;
2419 	*len = policydb.p_bools.nprim;
2420 	if (!*len)
2421 		goto out;
2422 
2423 	rc = -ENOMEM;
2424 	*names = kcalloc(*len, sizeof(char *), GFP_ATOMIC);
2425 	if (!*names)
2426 		goto err;
2427 
2428 	rc = -ENOMEM;
2429 	*values = kcalloc(*len, sizeof(int), GFP_ATOMIC);
2430 	if (!*values)
2431 		goto err;
2432 
2433 	for (i = 0; i < *len; i++) {
2434 		size_t name_len;
2435 
2436 		(*values)[i] = policydb.bool_val_to_struct[i]->state;
2437 		name_len = strlen(sym_name(&policydb, SYM_BOOLS, i)) + 1;
2438 
2439 		rc = -ENOMEM;
2440 		(*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC);
2441 		if (!(*names)[i])
2442 			goto err;
2443 
2444 		strncpy((*names)[i], sym_name(&policydb, SYM_BOOLS, i), name_len);
2445 		(*names)[i][name_len - 1] = 0;
2446 	}
2447 	rc = 0;
2448 out:
2449 	read_unlock(&policy_rwlock);
2450 	return rc;
2451 err:
2452 	if (*names) {
2453 		for (i = 0; i < *len; i++)
2454 			kfree((*names)[i]);
2455 	}
2456 	kfree(*values);
2457 	goto out;
2458 }
2459 
2460 
2461 int security_set_bools(int len, int *values)
2462 {
2463 	int i, rc;
2464 	int lenp, seqno = 0;
2465 	struct cond_node *cur;
2466 
2467 	write_lock_irq(&policy_rwlock);
2468 
2469 	rc = -EFAULT;
2470 	lenp = policydb.p_bools.nprim;
2471 	if (len != lenp)
2472 		goto out;
2473 
2474 	for (i = 0; i < len; i++) {
2475 		if (!!values[i] != policydb.bool_val_to_struct[i]->state) {
2476 			audit_log(current->audit_context, GFP_ATOMIC,
2477 				AUDIT_MAC_CONFIG_CHANGE,
2478 				"bool=%s val=%d old_val=%d auid=%u ses=%u",
2479 				sym_name(&policydb, SYM_BOOLS, i),
2480 				!!values[i],
2481 				policydb.bool_val_to_struct[i]->state,
2482 				from_kuid(&init_user_ns, audit_get_loginuid(current)),
2483 				audit_get_sessionid(current));
2484 		}
2485 		if (values[i])
2486 			policydb.bool_val_to_struct[i]->state = 1;
2487 		else
2488 			policydb.bool_val_to_struct[i]->state = 0;
2489 	}
2490 
2491 	for (cur = policydb.cond_list; cur; cur = cur->next) {
2492 		rc = evaluate_cond_node(&policydb, cur);
2493 		if (rc)
2494 			goto out;
2495 	}
2496 
2497 	seqno = ++latest_granting;
2498 	rc = 0;
2499 out:
2500 	write_unlock_irq(&policy_rwlock);
2501 	if (!rc) {
2502 		avc_ss_reset(seqno);
2503 		selnl_notify_policyload(seqno);
2504 		selinux_status_update_policyload(seqno);
2505 		selinux_xfrm_notify_policyload();
2506 	}
2507 	return rc;
2508 }
2509 
2510 int security_get_bool_value(int bool)
2511 {
2512 	int rc;
2513 	int len;
2514 
2515 	read_lock(&policy_rwlock);
2516 
2517 	rc = -EFAULT;
2518 	len = policydb.p_bools.nprim;
2519 	if (bool >= len)
2520 		goto out;
2521 
2522 	rc = policydb.bool_val_to_struct[bool]->state;
2523 out:
2524 	read_unlock(&policy_rwlock);
2525 	return rc;
2526 }
2527 
2528 static int security_preserve_bools(struct policydb *p)
2529 {
2530 	int rc, nbools = 0, *bvalues = NULL, i;
2531 	char **bnames = NULL;
2532 	struct cond_bool_datum *booldatum;
2533 	struct cond_node *cur;
2534 
2535 	rc = security_get_bools(&nbools, &bnames, &bvalues);
2536 	if (rc)
2537 		goto out;
2538 	for (i = 0; i < nbools; i++) {
2539 		booldatum = hashtab_search(p->p_bools.table, bnames[i]);
2540 		if (booldatum)
2541 			booldatum->state = bvalues[i];
2542 	}
2543 	for (cur = p->cond_list; cur; cur = cur->next) {
2544 		rc = evaluate_cond_node(p, cur);
2545 		if (rc)
2546 			goto out;
2547 	}
2548 
2549 out:
2550 	if (bnames) {
2551 		for (i = 0; i < nbools; i++)
2552 			kfree(bnames[i]);
2553 	}
2554 	kfree(bnames);
2555 	kfree(bvalues);
2556 	return rc;
2557 }
2558 
2559 /*
2560  * security_sid_mls_copy() - computes a new sid based on the given
2561  * sid and the mls portion of mls_sid.
2562  */
2563 int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid)
2564 {
2565 	struct context *context1;
2566 	struct context *context2;
2567 	struct context newcon;
2568 	char *s;
2569 	u32 len;
2570 	int rc;
2571 
2572 	rc = 0;
2573 	if (!ss_initialized || !policydb.mls_enabled) {
2574 		*new_sid = sid;
2575 		goto out;
2576 	}
2577 
2578 	context_init(&newcon);
2579 
2580 	read_lock(&policy_rwlock);
2581 
2582 	rc = -EINVAL;
2583 	context1 = sidtab_search(&sidtab, sid);
2584 	if (!context1) {
2585 		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
2586 			__func__, sid);
2587 		goto out_unlock;
2588 	}
2589 
2590 	rc = -EINVAL;
2591 	context2 = sidtab_search(&sidtab, mls_sid);
2592 	if (!context2) {
2593 		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
2594 			__func__, mls_sid);
2595 		goto out_unlock;
2596 	}
2597 
2598 	newcon.user = context1->user;
2599 	newcon.role = context1->role;
2600 	newcon.type = context1->type;
2601 	rc = mls_context_cpy(&newcon, context2);
2602 	if (rc)
2603 		goto out_unlock;
2604 
2605 	/* Check the validity of the new context. */
2606 	if (!policydb_context_isvalid(&policydb, &newcon)) {
2607 		rc = convert_context_handle_invalid_context(&newcon);
2608 		if (rc) {
2609 			if (!context_struct_to_string(&newcon, &s, &len)) {
2610 				audit_log(current->audit_context,
2611 					  GFP_ATOMIC, AUDIT_SELINUX_ERR,
2612 					  "op=security_sid_mls_copy "
2613 					  "invalid_context=%s", s);
2614 				kfree(s);
2615 			}
2616 			goto out_unlock;
2617 		}
2618 	}
2619 
2620 	rc = sidtab_context_to_sid(&sidtab, &newcon, new_sid);
2621 out_unlock:
2622 	read_unlock(&policy_rwlock);
2623 	context_destroy(&newcon);
2624 out:
2625 	return rc;
2626 }
2627 
2628 /**
2629  * security_net_peersid_resolve - Compare and resolve two network peer SIDs
2630  * @nlbl_sid: NetLabel SID
2631  * @nlbl_type: NetLabel labeling protocol type
2632  * @xfrm_sid: XFRM SID
2633  *
2634  * Description:
2635  * Compare the @nlbl_sid and @xfrm_sid values and if the two SIDs can be
2636  * resolved into a single SID it is returned via @peer_sid and the function
2637  * returns zero.  Otherwise @peer_sid is set to SECSID_NULL and the function
2638  * returns a negative value.  A table summarizing the behavior is below:
2639  *
2640  *                                 | function return |      @sid
2641  *   ------------------------------+-----------------+-----------------
2642  *   no peer labels                |        0        |    SECSID_NULL
2643  *   single peer label             |        0        |    <peer_label>
2644  *   multiple, consistent labels   |        0        |    <peer_label>
2645  *   multiple, inconsistent labels |    -<errno>     |    SECSID_NULL
2646  *
2647  */
2648 int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type,
2649 				 u32 xfrm_sid,
2650 				 u32 *peer_sid)
2651 {
2652 	int rc;
2653 	struct context *nlbl_ctx;
2654 	struct context *xfrm_ctx;
2655 
2656 	*peer_sid = SECSID_NULL;
2657 
2658 	/* handle the common (which also happens to be the set of easy) cases
2659 	 * right away, these two if statements catch everything involving a
2660 	 * single or absent peer SID/label */
2661 	if (xfrm_sid == SECSID_NULL) {
2662 		*peer_sid = nlbl_sid;
2663 		return 0;
2664 	}
2665 	/* NOTE: an nlbl_type == NETLBL_NLTYPE_UNLABELED is a "fallback" label
2666 	 * and is treated as if nlbl_sid == SECSID_NULL when a XFRM SID/label
2667 	 * is present */
2668 	if (nlbl_sid == SECSID_NULL || nlbl_type == NETLBL_NLTYPE_UNLABELED) {
2669 		*peer_sid = xfrm_sid;
2670 		return 0;
2671 	}
2672 
2673 	/* we don't need to check ss_initialized here since the only way both
2674 	 * nlbl_sid and xfrm_sid are not equal to SECSID_NULL would be if the
2675 	 * security server was initialized and ss_initialized was true */
2676 	if (!policydb.mls_enabled)
2677 		return 0;
2678 
2679 	read_lock(&policy_rwlock);
2680 
2681 	rc = -EINVAL;
2682 	nlbl_ctx = sidtab_search(&sidtab, nlbl_sid);
2683 	if (!nlbl_ctx) {
2684 		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
2685 		       __func__, nlbl_sid);
2686 		goto out;
2687 	}
2688 	rc = -EINVAL;
2689 	xfrm_ctx = sidtab_search(&sidtab, xfrm_sid);
2690 	if (!xfrm_ctx) {
2691 		printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
2692 		       __func__, xfrm_sid);
2693 		goto out;
2694 	}
2695 	rc = (mls_context_cmp(nlbl_ctx, xfrm_ctx) ? 0 : -EACCES);
2696 	if (rc)
2697 		goto out;
2698 
2699 	/* at present NetLabel SIDs/labels really only carry MLS
2700 	 * information so if the MLS portion of the NetLabel SID
2701 	 * matches the MLS portion of the labeled XFRM SID/label
2702 	 * then pass along the XFRM SID as it is the most
2703 	 * expressive */
2704 	*peer_sid = xfrm_sid;
2705 out:
2706 	read_unlock(&policy_rwlock);
2707 	return rc;
2708 }
2709 
2710 static int get_classes_callback(void *k, void *d, void *args)
2711 {
2712 	struct class_datum *datum = d;
2713 	char *name = k, **classes = args;
2714 	int value = datum->value - 1;
2715 
2716 	classes[value] = kstrdup(name, GFP_ATOMIC);
2717 	if (!classes[value])
2718 		return -ENOMEM;
2719 
2720 	return 0;
2721 }
2722 
2723 int security_get_classes(char ***classes, int *nclasses)
2724 {
2725 	int rc;
2726 
2727 	read_lock(&policy_rwlock);
2728 
2729 	rc = -ENOMEM;
2730 	*nclasses = policydb.p_classes.nprim;
2731 	*classes = kcalloc(*nclasses, sizeof(**classes), GFP_ATOMIC);
2732 	if (!*classes)
2733 		goto out;
2734 
2735 	rc = hashtab_map(policydb.p_classes.table, get_classes_callback,
2736 			*classes);
2737 	if (rc) {
2738 		int i;
2739 		for (i = 0; i < *nclasses; i++)
2740 			kfree((*classes)[i]);
2741 		kfree(*classes);
2742 	}
2743 
2744 out:
2745 	read_unlock(&policy_rwlock);
2746 	return rc;
2747 }
2748 
2749 static int get_permissions_callback(void *k, void *d, void *args)
2750 {
2751 	struct perm_datum *datum = d;
2752 	char *name = k, **perms = args;
2753 	int value = datum->value - 1;
2754 
2755 	perms[value] = kstrdup(name, GFP_ATOMIC);
2756 	if (!perms[value])
2757 		return -ENOMEM;
2758 
2759 	return 0;
2760 }
2761 
2762 int security_get_permissions(char *class, char ***perms, int *nperms)
2763 {
2764 	int rc, i;
2765 	struct class_datum *match;
2766 
2767 	read_lock(&policy_rwlock);
2768 
2769 	rc = -EINVAL;
2770 	match = hashtab_search(policydb.p_classes.table, class);
2771 	if (!match) {
2772 		printk(KERN_ERR "SELinux: %s:  unrecognized class %s\n",
2773 			__func__, class);
2774 		goto out;
2775 	}
2776 
2777 	rc = -ENOMEM;
2778 	*nperms = match->permissions.nprim;
2779 	*perms = kcalloc(*nperms, sizeof(**perms), GFP_ATOMIC);
2780 	if (!*perms)
2781 		goto out;
2782 
2783 	if (match->comdatum) {
2784 		rc = hashtab_map(match->comdatum->permissions.table,
2785 				get_permissions_callback, *perms);
2786 		if (rc)
2787 			goto err;
2788 	}
2789 
2790 	rc = hashtab_map(match->permissions.table, get_permissions_callback,
2791 			*perms);
2792 	if (rc)
2793 		goto err;
2794 
2795 out:
2796 	read_unlock(&policy_rwlock);
2797 	return rc;
2798 
2799 err:
2800 	read_unlock(&policy_rwlock);
2801 	for (i = 0; i < *nperms; i++)
2802 		kfree((*perms)[i]);
2803 	kfree(*perms);
2804 	return rc;
2805 }
2806 
2807 int security_get_reject_unknown(void)
2808 {
2809 	return policydb.reject_unknown;
2810 }
2811 
2812 int security_get_allow_unknown(void)
2813 {
2814 	return policydb.allow_unknown;
2815 }
2816 
2817 /**
2818  * security_policycap_supported - Check for a specific policy capability
2819  * @req_cap: capability
2820  *
2821  * Description:
2822  * This function queries the currently loaded policy to see if it supports the
2823  * capability specified by @req_cap.  Returns true (1) if the capability is
2824  * supported, false (0) if it isn't supported.
2825  *
2826  */
2827 int security_policycap_supported(unsigned int req_cap)
2828 {
2829 	int rc;
2830 
2831 	read_lock(&policy_rwlock);
2832 	rc = ebitmap_get_bit(&policydb.policycaps, req_cap);
2833 	read_unlock(&policy_rwlock);
2834 
2835 	return rc;
2836 }
2837 
2838 struct selinux_audit_rule {
2839 	u32 au_seqno;
2840 	struct context au_ctxt;
2841 };
2842 
2843 void selinux_audit_rule_free(void *vrule)
2844 {
2845 	struct selinux_audit_rule *rule = vrule;
2846 
2847 	if (rule) {
2848 		context_destroy(&rule->au_ctxt);
2849 		kfree(rule);
2850 	}
2851 }
2852 
2853 int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
2854 {
2855 	struct selinux_audit_rule *tmprule;
2856 	struct role_datum *roledatum;
2857 	struct type_datum *typedatum;
2858 	struct user_datum *userdatum;
2859 	struct selinux_audit_rule **rule = (struct selinux_audit_rule **)vrule;
2860 	int rc = 0;
2861 
2862 	*rule = NULL;
2863 
2864 	if (!ss_initialized)
2865 		return -EOPNOTSUPP;
2866 
2867 	switch (field) {
2868 	case AUDIT_SUBJ_USER:
2869 	case AUDIT_SUBJ_ROLE:
2870 	case AUDIT_SUBJ_TYPE:
2871 	case AUDIT_OBJ_USER:
2872 	case AUDIT_OBJ_ROLE:
2873 	case AUDIT_OBJ_TYPE:
2874 		/* only 'equals' and 'not equals' fit user, role, and type */
2875 		if (op != Audit_equal && op != Audit_not_equal)
2876 			return -EINVAL;
2877 		break;
2878 	case AUDIT_SUBJ_SEN:
2879 	case AUDIT_SUBJ_CLR:
2880 	case AUDIT_OBJ_LEV_LOW:
2881 	case AUDIT_OBJ_LEV_HIGH:
2882 		/* we do not allow a range, indicated by the presence of '-' */
2883 		if (strchr(rulestr, '-'))
2884 			return -EINVAL;
2885 		break;
2886 	default:
2887 		/* only the above fields are valid */
2888 		return -EINVAL;
2889 	}
2890 
2891 	tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL);
2892 	if (!tmprule)
2893 		return -ENOMEM;
2894 
2895 	context_init(&tmprule->au_ctxt);
2896 
2897 	read_lock(&policy_rwlock);
2898 
2899 	tmprule->au_seqno = latest_granting;
2900 
2901 	switch (field) {
2902 	case AUDIT_SUBJ_USER:
2903 	case AUDIT_OBJ_USER:
2904 		rc = -EINVAL;
2905 		userdatum = hashtab_search(policydb.p_users.table, rulestr);
2906 		if (!userdatum)
2907 			goto out;
2908 		tmprule->au_ctxt.user = userdatum->value;
2909 		break;
2910 	case AUDIT_SUBJ_ROLE:
2911 	case AUDIT_OBJ_ROLE:
2912 		rc = -EINVAL;
2913 		roledatum = hashtab_search(policydb.p_roles.table, rulestr);
2914 		if (!roledatum)
2915 			goto out;
2916 		tmprule->au_ctxt.role = roledatum->value;
2917 		break;
2918 	case AUDIT_SUBJ_TYPE:
2919 	case AUDIT_OBJ_TYPE:
2920 		rc = -EINVAL;
2921 		typedatum = hashtab_search(policydb.p_types.table, rulestr);
2922 		if (!typedatum)
2923 			goto out;
2924 		tmprule->au_ctxt.type = typedatum->value;
2925 		break;
2926 	case AUDIT_SUBJ_SEN:
2927 	case AUDIT_SUBJ_CLR:
2928 	case AUDIT_OBJ_LEV_LOW:
2929 	case AUDIT_OBJ_LEV_HIGH:
2930 		rc = mls_from_string(rulestr, &tmprule->au_ctxt, GFP_ATOMIC);
2931 		if (rc)
2932 			goto out;
2933 		break;
2934 	}
2935 	rc = 0;
2936 out:
2937 	read_unlock(&policy_rwlock);
2938 
2939 	if (rc) {
2940 		selinux_audit_rule_free(tmprule);
2941 		tmprule = NULL;
2942 	}
2943 
2944 	*rule = tmprule;
2945 
2946 	return rc;
2947 }
2948 
2949 /* Check to see if the rule contains any selinux fields */
2950 int selinux_audit_rule_known(struct audit_krule *rule)
2951 {
2952 	int i;
2953 
2954 	for (i = 0; i < rule->field_count; i++) {
2955 		struct audit_field *f = &rule->fields[i];
2956 		switch (f->type) {
2957 		case AUDIT_SUBJ_USER:
2958 		case AUDIT_SUBJ_ROLE:
2959 		case AUDIT_SUBJ_TYPE:
2960 		case AUDIT_SUBJ_SEN:
2961 		case AUDIT_SUBJ_CLR:
2962 		case AUDIT_OBJ_USER:
2963 		case AUDIT_OBJ_ROLE:
2964 		case AUDIT_OBJ_TYPE:
2965 		case AUDIT_OBJ_LEV_LOW:
2966 		case AUDIT_OBJ_LEV_HIGH:
2967 			return 1;
2968 		}
2969 	}
2970 
2971 	return 0;
2972 }
2973 
2974 int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
2975 			     struct audit_context *actx)
2976 {
2977 	struct context *ctxt;
2978 	struct mls_level *level;
2979 	struct selinux_audit_rule *rule = vrule;
2980 	int match = 0;
2981 
2982 	if (unlikely(!rule)) {
2983 		WARN_ONCE(1, "selinux_audit_rule_match: missing rule\n");
2984 		return -ENOENT;
2985 	}
2986 
2987 	read_lock(&policy_rwlock);
2988 
2989 	if (rule->au_seqno < latest_granting) {
2990 		match = -ESTALE;
2991 		goto out;
2992 	}
2993 
2994 	ctxt = sidtab_search(&sidtab, sid);
2995 	if (unlikely(!ctxt)) {
2996 		WARN_ONCE(1, "selinux_audit_rule_match: unrecognized SID %d\n",
2997 			  sid);
2998 		match = -ENOENT;
2999 		goto out;
3000 	}
3001 
3002 	/* a field/op pair that is not caught here will simply fall through
3003 	   without a match */
3004 	switch (field) {
3005 	case AUDIT_SUBJ_USER:
3006 	case AUDIT_OBJ_USER:
3007 		switch (op) {
3008 		case Audit_equal:
3009 			match = (ctxt->user == rule->au_ctxt.user);
3010 			break;
3011 		case Audit_not_equal:
3012 			match = (ctxt->user != rule->au_ctxt.user);
3013 			break;
3014 		}
3015 		break;
3016 	case AUDIT_SUBJ_ROLE:
3017 	case AUDIT_OBJ_ROLE:
3018 		switch (op) {
3019 		case Audit_equal:
3020 			match = (ctxt->role == rule->au_ctxt.role);
3021 			break;
3022 		case Audit_not_equal:
3023 			match = (ctxt->role != rule->au_ctxt.role);
3024 			break;
3025 		}
3026 		break;
3027 	case AUDIT_SUBJ_TYPE:
3028 	case AUDIT_OBJ_TYPE:
3029 		switch (op) {
3030 		case Audit_equal:
3031 			match = (ctxt->type == rule->au_ctxt.type);
3032 			break;
3033 		case Audit_not_equal:
3034 			match = (ctxt->type != rule->au_ctxt.type);
3035 			break;
3036 		}
3037 		break;
3038 	case AUDIT_SUBJ_SEN:
3039 	case AUDIT_SUBJ_CLR:
3040 	case AUDIT_OBJ_LEV_LOW:
3041 	case AUDIT_OBJ_LEV_HIGH:
3042 		level = ((field == AUDIT_SUBJ_SEN ||
3043 			  field == AUDIT_OBJ_LEV_LOW) ?
3044 			 &ctxt->range.level[0] : &ctxt->range.level[1]);
3045 		switch (op) {
3046 		case Audit_equal:
3047 			match = mls_level_eq(&rule->au_ctxt.range.level[0],
3048 					     level);
3049 			break;
3050 		case Audit_not_equal:
3051 			match = !mls_level_eq(&rule->au_ctxt.range.level[0],
3052 					      level);
3053 			break;
3054 		case Audit_lt:
3055 			match = (mls_level_dom(&rule->au_ctxt.range.level[0],
3056 					       level) &&
3057 				 !mls_level_eq(&rule->au_ctxt.range.level[0],
3058 					       level));
3059 			break;
3060 		case Audit_le:
3061 			match = mls_level_dom(&rule->au_ctxt.range.level[0],
3062 					      level);
3063 			break;
3064 		case Audit_gt:
3065 			match = (mls_level_dom(level,
3066 					      &rule->au_ctxt.range.level[0]) &&
3067 				 !mls_level_eq(level,
3068 					       &rule->au_ctxt.range.level[0]));
3069 			break;
3070 		case Audit_ge:
3071 			match = mls_level_dom(level,
3072 					      &rule->au_ctxt.range.level[0]);
3073 			break;
3074 		}
3075 	}
3076 
3077 out:
3078 	read_unlock(&policy_rwlock);
3079 	return match;
3080 }
3081 
3082 static int (*aurule_callback)(void) = audit_update_lsm_rules;
3083 
3084 static int aurule_avc_callback(u32 event)
3085 {
3086 	int err = 0;
3087 
3088 	if (event == AVC_CALLBACK_RESET && aurule_callback)
3089 		err = aurule_callback();
3090 	return err;
3091 }
3092 
3093 static int __init aurule_init(void)
3094 {
3095 	int err;
3096 
3097 	err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET);
3098 	if (err)
3099 		panic("avc_add_callback() failed, error %d\n", err);
3100 
3101 	return err;
3102 }
3103 __initcall(aurule_init);
3104 
3105 #ifdef CONFIG_NETLABEL
3106 /**
3107  * security_netlbl_cache_add - Add an entry to the NetLabel cache
3108  * @secattr: the NetLabel packet security attributes
3109  * @sid: the SELinux SID
3110  *
3111  * Description:
3112  * Attempt to cache the context in @ctx, which was derived from the packet in
3113  * @skb, in the NetLabel subsystem cache.  This function assumes @secattr has
3114  * already been initialized.
3115  *
3116  */
3117 static void security_netlbl_cache_add(struct netlbl_lsm_secattr *secattr,
3118 				      u32 sid)
3119 {
3120 	u32 *sid_cache;
3121 
3122 	sid_cache = kmalloc(sizeof(*sid_cache), GFP_ATOMIC);
3123 	if (sid_cache == NULL)
3124 		return;
3125 	secattr->cache = netlbl_secattr_cache_alloc(GFP_ATOMIC);
3126 	if (secattr->cache == NULL) {
3127 		kfree(sid_cache);
3128 		return;
3129 	}
3130 
3131 	*sid_cache = sid;
3132 	secattr->cache->free = kfree;
3133 	secattr->cache->data = sid_cache;
3134 	secattr->flags |= NETLBL_SECATTR_CACHE;
3135 }
3136 
3137 /**
3138  * security_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID
3139  * @secattr: the NetLabel packet security attributes
3140  * @sid: the SELinux SID
3141  *
3142  * Description:
3143  * Convert the given NetLabel security attributes in @secattr into a
3144  * SELinux SID.  If the @secattr field does not contain a full SELinux
3145  * SID/context then use SECINITSID_NETMSG as the foundation.  If possible the
3146  * 'cache' field of @secattr is set and the CACHE flag is set; this is to
3147  * allow the @secattr to be used by NetLabel to cache the secattr to SID
3148  * conversion for future lookups.  Returns zero on success, negative values on
3149  * failure.
3150  *
3151  */
3152 int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,
3153 				   u32 *sid)
3154 {
3155 	int rc;
3156 	struct context *ctx;
3157 	struct context ctx_new;
3158 
3159 	if (!ss_initialized) {
3160 		*sid = SECSID_NULL;
3161 		return 0;
3162 	}
3163 
3164 	read_lock(&policy_rwlock);
3165 
3166 	if (secattr->flags & NETLBL_SECATTR_CACHE)
3167 		*sid = *(u32 *)secattr->cache->data;
3168 	else if (secattr->flags & NETLBL_SECATTR_SECID)
3169 		*sid = secattr->attr.secid;
3170 	else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) {
3171 		rc = -EIDRM;
3172 		ctx = sidtab_search(&sidtab, SECINITSID_NETMSG);
3173 		if (ctx == NULL)
3174 			goto out;
3175 
3176 		context_init(&ctx_new);
3177 		ctx_new.user = ctx->user;
3178 		ctx_new.role = ctx->role;
3179 		ctx_new.type = ctx->type;
3180 		mls_import_netlbl_lvl(&ctx_new, secattr);
3181 		if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {
3182 			rc = ebitmap_netlbl_import(&ctx_new.range.level[0].cat,
3183 						   secattr->attr.mls.cat);
3184 			if (rc)
3185 				goto out;
3186 			memcpy(&ctx_new.range.level[1].cat,
3187 			       &ctx_new.range.level[0].cat,
3188 			       sizeof(ctx_new.range.level[0].cat));
3189 		}
3190 		rc = -EIDRM;
3191 		if (!mls_context_isvalid(&policydb, &ctx_new))
3192 			goto out_free;
3193 
3194 		rc = sidtab_context_to_sid(&sidtab, &ctx_new, sid);
3195 		if (rc)
3196 			goto out_free;
3197 
3198 		security_netlbl_cache_add(secattr, *sid);
3199 
3200 		ebitmap_destroy(&ctx_new.range.level[0].cat);
3201 	} else
3202 		*sid = SECSID_NULL;
3203 
3204 	read_unlock(&policy_rwlock);
3205 	return 0;
3206 out_free:
3207 	ebitmap_destroy(&ctx_new.range.level[0].cat);
3208 out:
3209 	read_unlock(&policy_rwlock);
3210 	return rc;
3211 }
3212 
3213 /**
3214  * security_netlbl_sid_to_secattr - Convert a SELinux SID to a NetLabel secattr
3215  * @sid: the SELinux SID
3216  * @secattr: the NetLabel packet security attributes
3217  *
3218  * Description:
3219  * Convert the given SELinux SID in @sid into a NetLabel security attribute.
3220  * Returns zero on success, negative values on failure.
3221  *
3222  */
3223 int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr)
3224 {
3225 	int rc;
3226 	struct context *ctx;
3227 
3228 	if (!ss_initialized)
3229 		return 0;
3230 
3231 	read_lock(&policy_rwlock);
3232 
3233 	rc = -ENOENT;
3234 	ctx = sidtab_search(&sidtab, sid);
3235 	if (ctx == NULL)
3236 		goto out;
3237 
3238 	rc = -ENOMEM;
3239 	secattr->domain = kstrdup(sym_name(&policydb, SYM_TYPES, ctx->type - 1),
3240 				  GFP_ATOMIC);
3241 	if (secattr->domain == NULL)
3242 		goto out;
3243 
3244 	secattr->attr.secid = sid;
3245 	secattr->flags |= NETLBL_SECATTR_DOMAIN_CPY | NETLBL_SECATTR_SECID;
3246 	mls_export_netlbl_lvl(ctx, secattr);
3247 	rc = mls_export_netlbl_cat(ctx, secattr);
3248 out:
3249 	read_unlock(&policy_rwlock);
3250 	return rc;
3251 }
3252 #endif /* CONFIG_NETLABEL */
3253 
3254 /**
3255  * security_read_policy - read the policy.
3256  * @data: binary policy data
3257  * @len: length of data in bytes
3258  *
3259  */
3260 int security_read_policy(void **data, size_t *len)
3261 {
3262 	int rc;
3263 	struct policy_file fp;
3264 
3265 	if (!ss_initialized)
3266 		return -EINVAL;
3267 
3268 	*len = security_policydb_len();
3269 
3270 	*data = vmalloc_user(*len);
3271 	if (!*data)
3272 		return -ENOMEM;
3273 
3274 	fp.data = *data;
3275 	fp.len = *len;
3276 
3277 	read_lock(&policy_rwlock);
3278 	rc = policydb_write(&policydb, &fp);
3279 	read_unlock(&policy_rwlock);
3280 
3281 	if (rc)
3282 		return rc;
3283 
3284 	*len = (unsigned long)fp.data - (unsigned long)*data;
3285 	return 0;
3286 
3287 }
3288