search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Linux 2.6.17-rc6
[linux-2.6/next.git] / security / selinux / ss / services.c
blobc284dbb8b8c02fbba51aa562d5e4fd4551e641f3
1 /*
2 * Implementation of the security services.
3 *
4 * Authors : Stephen Smalley, <sds@epoch.ncsc.mil>
5 * James Morris <jmorris@redhat.com>
6 *
7 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
8 *
9 * Support for enhanced MLS infrastructure.
10 * Support for context based audit filters.
11 *
12 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
13 *
14 * Added conditional policy language extensions
15 *
16 * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
17 * Copyright (C) 2003 - 2004 Tresys Technology, LLC
18 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
19 * This program is free software; you can redistribute it and/or modify
20 * it under the terms of the GNU General Public License as published by
21 * the Free Software Foundation, version 2.
22 */
23 #include <linux/kernel.h>
24 #include <linux/slab.h>
25 #include <linux/string.h>
26 #include <linux/spinlock.h>
27 #include <linux/errno.h>
28 #include <linux/in.h>
29 #include <linux/sched.h>
30 #include <linux/audit.h>
31 #include <linux/mutex.h>
32
33 #include "flask.h"
34 #include "avc.h"
35 #include "avc_ss.h"
36 #include "security.h"
37 #include "context.h"
38 #include "policydb.h"
39 #include "sidtab.h"
40 #include "services.h"
41 #include "conditional.h"
42 #include "mls.h"
43
44 extern void selnl_notify_policyload(u32 seqno);
45 unsigned int policydb_loaded_version;
46
47 static DEFINE_RWLOCK(policy_rwlock);
48 #define POLICY_RDLOCK read_lock(&policy_rwlock)
49 #define POLICY_WRLOCK write_lock_irq(&policy_rwlock)
50 #define POLICY_RDUNLOCK read_unlock(&policy_rwlock)
51 #define POLICY_WRUNLOCK write_unlock_irq(&policy_rwlock)
52
53 static DEFINE_MUTEX(load_mutex);
54 #define LOAD_LOCK mutex_lock(&load_mutex)
55 #define LOAD_UNLOCK mutex_unlock(&load_mutex)
56
57 static struct sidtab sidtab;
58 struct policydb policydb;
59 int ss_initialized = 0;
60
61 /*
62 * The largest sequence number that has been used when
63 * providing an access decision to the access vector cache.
64 * The sequence number only changes when a policy change
65 * occurs.
66 */
67 static u32 latest_granting = 0;
68
69 /* Forward declaration. */
70 static int context_struct_to_string(struct context *context, char **scontext,
71 u32 *scontext_len);
72
73 /*
74 * Return the boolean value of a constraint expression
75 * when it is applied to the specified source and target
76 * security contexts.
77 *
78 * xcontext is a special beast... It is used by the validatetrans rules
79 * only. For these rules, scontext is the context before the transition,
80 * tcontext is the context after the transition, and xcontext is the context
81 * of the process performing the transition. All other callers of
82 * constraint_expr_eval should pass in NULL for xcontext.
83 */
84 static int constraint_expr_eval(struct context *scontext,
85 struct context *tcontext,
86 struct context *xcontext,
87 struct constraint_expr *cexpr)
88 {
89 u32 val1, val2;
90 struct context *c;
91 struct role_datum *r1, *r2;
92 struct mls_level *l1, *l2;
93 struct constraint_expr *e;
94 int s[CEXPR_MAXDEPTH];
95 int sp = -1;
96
97 for (e = cexpr; e; e = e->next) {
98 switch (e->expr_type) {
99 case CEXPR_NOT:
100 BUG_ON(sp < 0);
101 s[sp] = !s[sp];
102 break;
103 case CEXPR_AND:
104 BUG_ON(sp < 1);
105 sp--;
106 s[sp] &= s[sp+1];
107 break;
108 case CEXPR_OR:
109 BUG_ON(sp < 1);
110 sp--;
111 s[sp] |= s[sp+1];
112 break;
113 case CEXPR_ATTR:
114 if (sp == (CEXPR_MAXDEPTH-1))
115 return 0;
116 switch (e->attr) {
117 case CEXPR_USER:
118 val1 = scontext->user;
119 val2 = tcontext->user;
120 break;
121 case CEXPR_TYPE:
122 val1 = scontext->type;
123 val2 = tcontext->type;
124 break;
125 case CEXPR_ROLE:
126 val1 = scontext->role;
127 val2 = tcontext->role;
128 r1 = policydb.role_val_to_struct[val1 - 1];
129 r2 = policydb.role_val_to_struct[val2 - 1];
130 switch (e->op) {
131 case CEXPR_DOM:
132 s[++sp] = ebitmap_get_bit(&r1->dominates,
133 val2 - 1);
134 continue;
135 case CEXPR_DOMBY:
136 s[++sp] = ebitmap_get_bit(&r2->dominates,
137 val1 - 1);
138 continue;
139 case CEXPR_INCOMP:
140 s[++sp] = ( !ebitmap_get_bit(&r1->dominates,
141 val2 - 1) &&
142 !ebitmap_get_bit(&r2->dominates,
143 val1 - 1) );
144 continue;
145 default:
146 break;
147 }
148 break;
149 case CEXPR_L1L2:
150 l1 = &(scontext->range.level[0]);
151 l2 = &(tcontext->range.level[0]);
152 goto mls_ops;
153 case CEXPR_L1H2:
154 l1 = &(scontext->range.level[0]);
155 l2 = &(tcontext->range.level[1]);
156 goto mls_ops;
157 case CEXPR_H1L2:
158 l1 = &(scontext->range.level[1]);
159 l2 = &(tcontext->range.level[0]);
160 goto mls_ops;
161 case CEXPR_H1H2:
162 l1 = &(scontext->range.level[1]);
163 l2 = &(tcontext->range.level[1]);
164 goto mls_ops;
165 case CEXPR_L1H1:
166 l1 = &(scontext->range.level[0]);
167 l2 = &(scontext->range.level[1]);
168 goto mls_ops;
169 case CEXPR_L2H2:
170 l1 = &(tcontext->range.level[0]);
171 l2 = &(tcontext->range.level[1]);
172 goto mls_ops;
173 mls_ops:
174 switch (e->op) {
175 case CEXPR_EQ:
176 s[++sp] = mls_level_eq(l1, l2);
177 continue;
178 case CEXPR_NEQ:
179 s[++sp] = !mls_level_eq(l1, l2);
180 continue;
181 case CEXPR_DOM:
182 s[++sp] = mls_level_dom(l1, l2);
183 continue;
184 case CEXPR_DOMBY:
185 s[++sp] = mls_level_dom(l2, l1);
186 continue;
187 case CEXPR_INCOMP:
188 s[++sp] = mls_level_incomp(l2, l1);
189 continue;
190 default:
191 BUG();
192 return 0;
193 }
194 break;
195 default:
196 BUG();
197 return 0;
198 }
199
200 switch (e->op) {
201 case CEXPR_EQ:
202 s[++sp] = (val1 == val2);
203 break;
204 case CEXPR_NEQ:
205 s[++sp] = (val1 != val2);
206 break;
207 default:
208 BUG();
209 return 0;
210 }
211 break;
212 case CEXPR_NAMES:
213 if (sp == (CEXPR_MAXDEPTH-1))
214 return 0;
215 c = scontext;
216 if (e->attr & CEXPR_TARGET)
217 c = tcontext;
218 else if (e->attr & CEXPR_XTARGET) {
219 c = xcontext;
220 if (!c) {
221 BUG();
222 return 0;
223 }
224 }
225 if (e->attr & CEXPR_USER)
226 val1 = c->user;
227 else if (e->attr & CEXPR_ROLE)
228 val1 = c->role;
229 else if (e->attr & CEXPR_TYPE)
230 val1 = c->type;
231 else {
232 BUG();
233 return 0;
234 }
235
236 switch (e->op) {
237 case CEXPR_EQ:
238 s[++sp] = ebitmap_get_bit(&e->names, val1 - 1);
239 break;
240 case CEXPR_NEQ:
241 s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1);
242 break;
243 default:
244 BUG();
245 return 0;
246 }
247 break;
248 default:
249 BUG();
250 return 0;
251 }
252 }
253
254 BUG_ON(sp != 0);
255 return s[0];
256 }
257
258 /*
259 * Compute access vectors based on a context structure pair for
260 * the permissions in a particular class.
261 */
262 static int context_struct_compute_av(struct context *scontext,
263 struct context *tcontext,
264 u16 tclass,
265 u32 requested,
266 struct av_decision *avd)
267 {
268 struct constraint_node *constraint;
269 struct role_allow *ra;
270 struct avtab_key avkey;
271 struct avtab_node *node;
272 struct class_datum *tclass_datum;
273 struct ebitmap *sattr, *tattr;
274 struct ebitmap_node *snode, *tnode;
275 unsigned int i, j;
276
277 /*
278 * Remap extended Netlink classes for old policy versions.
279 * Do this here rather than socket_type_to_security_class()
280 * in case a newer policy version is loaded, allowing sockets
281 * to remain in the correct class.
282 */
283 if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
284 if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&
285 tclass <= SECCLASS_NETLINK_DNRT_SOCKET)
286 tclass = SECCLASS_NETLINK_SOCKET;
287
288 if (!tclass || tclass > policydb.p_classes.nprim) {
289 printk(KERN_ERR "security_compute_av: unrecognized class %d\n",
290 tclass);
291 return -EINVAL;
292 }
293 tclass_datum = policydb.class_val_to_struct[tclass - 1];
294
295 /*
296 * Initialize the access vectors to the default values.
297 */
298 avd->allowed = 0;
299 avd->decided = 0xffffffff;
300 avd->auditallow = 0;
301 avd->auditdeny = 0xffffffff;
302 avd->seqno = latest_granting;
303
304 /*
305 * If a specific type enforcement rule was defined for
306 * this permission check, then use it.
307 */
308 avkey.target_class = tclass;
309 avkey.specified = AVTAB_AV;
310 sattr = &policydb.type_attr_map[scontext->type - 1];
311 tattr = &policydb.type_attr_map[tcontext->type - 1];
312 ebitmap_for_each_bit(sattr, snode, i) {
313 if (!ebitmap_node_get_bit(snode, i))
314 continue;
315 ebitmap_for_each_bit(tattr, tnode, j) {
316 if (!ebitmap_node_get_bit(tnode, j))
317 continue;
318 avkey.source_type = i + 1;
319 avkey.target_type = j + 1;
320 for (node = avtab_search_node(&policydb.te_avtab, &avkey);
321 node != NULL;
322 node = avtab_search_node_next(node, avkey.specified)) {
323 if (node->key.specified == AVTAB_ALLOWED)
324 avd->allowed |= node->datum.data;
325 else if (node->key.specified == AVTAB_AUDITALLOW)
326 avd->auditallow |= node->datum.data;
327 else if (node->key.specified == AVTAB_AUDITDENY)
328 avd->auditdeny &= node->datum.data;
329 }
330
331 /* Check conditional av table for additional permissions */
332 cond_compute_av(&policydb.te_cond_avtab, &avkey, avd);
333
334 }
335 }
336
337 /*
338 * Remove any permissions prohibited by a constraint (this includes
339 * the MLS policy).
340 */
341 constraint = tclass_datum->constraints;
342 while (constraint) {
343 if ((constraint->permissions & (avd->allowed)) &&
344 !constraint_expr_eval(scontext, tcontext, NULL,
345 constraint->expr)) {
346 avd->allowed = (avd->allowed) & ~(constraint->permissions);
347 }
348 constraint = constraint->next;
349 }
350
351 /*
352 * If checking process transition permission and the
353 * role is changing, then check the (current_role, new_role)
354 * pair.
355 */
356 if (tclass == SECCLASS_PROCESS &&
357 (avd->allowed & (PROCESS__TRANSITION | PROCESS__DYNTRANSITION)) &&
358 scontext->role != tcontext->role) {
359 for (ra = policydb.role_allow; ra; ra = ra->next) {
360 if (scontext->role == ra->role &&
361 tcontext->role == ra->new_role)
362 break;
363 }
364 if (!ra)
365 avd->allowed = (avd->allowed) & ~(PROCESS__TRANSITION |
366 PROCESS__DYNTRANSITION);
367 }
368
369 return 0;
370 }
371
372 static int security_validtrans_handle_fail(struct context *ocontext,
373 struct context *ncontext,
374 struct context *tcontext,
375 u16 tclass)
376 {
377 char *o = NULL, *n = NULL, *t = NULL;
378 u32 olen, nlen, tlen;
379
380 if (context_struct_to_string(ocontext, &o, &olen) < 0)
381 goto out;
382 if (context_struct_to_string(ncontext, &n, &nlen) < 0)
383 goto out;
384 if (context_struct_to_string(tcontext, &t, &tlen) < 0)
385 goto out;
386 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
387 "security_validate_transition: denied for"
388 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
389 o, n, t, policydb.p_class_val_to_name[tclass-1]);
390 out:
391 kfree(o);
392 kfree(n);
393 kfree(t);
394
395 if (!selinux_enforcing)
396 return 0;
397 return -EPERM;
398 }
399
400 int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
401 u16 tclass)
402 {
403 struct context *ocontext;
404 struct context *ncontext;
405 struct context *tcontext;
406 struct class_datum *tclass_datum;
407 struct constraint_node *constraint;
408 int rc = 0;
409
410 if (!ss_initialized)
411 return 0;
412
413 POLICY_RDLOCK;
414
415 /*
416 * Remap extended Netlink classes for old policy versions.
417 * Do this here rather than socket_type_to_security_class()
418 * in case a newer policy version is loaded, allowing sockets
419 * to remain in the correct class.
420 */
421 if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
422 if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&
423 tclass <= SECCLASS_NETLINK_DNRT_SOCKET)
424 tclass = SECCLASS_NETLINK_SOCKET;
425
426 if (!tclass || tclass > policydb.p_classes.nprim) {
427 printk(KERN_ERR "security_validate_transition: "
428 "unrecognized class %d\n", tclass);
429 rc = -EINVAL;
430 goto out;
431 }
432 tclass_datum = policydb.class_val_to_struct[tclass - 1];
433
434 ocontext = sidtab_search(&sidtab, oldsid);
435 if (!ocontext) {
436 printk(KERN_ERR "security_validate_transition: "
437 " unrecognized SID %d\n", oldsid);
438 rc = -EINVAL;
439 goto out;
440 }
441
442 ncontext = sidtab_search(&sidtab, newsid);
443 if (!ncontext) {
444 printk(KERN_ERR "security_validate_transition: "
445 " unrecognized SID %d\n", newsid);
446 rc = -EINVAL;
447 goto out;
448 }
449
450 tcontext = sidtab_search(&sidtab, tasksid);
451 if (!tcontext) {
452 printk(KERN_ERR "security_validate_transition: "
453 " unrecognized SID %d\n", tasksid);
454 rc = -EINVAL;
455 goto out;
456 }
457
458 constraint = tclass_datum->validatetrans;
459 while (constraint) {
460 if (!constraint_expr_eval(ocontext, ncontext, tcontext,
461 constraint->expr)) {
462 rc = security_validtrans_handle_fail(ocontext, ncontext,
463 tcontext, tclass);
464 goto out;
465 }
466 constraint = constraint->next;
467 }
468
469 out:
470 POLICY_RDUNLOCK;
471 return rc;
472 }
473
474 /**
475 * security_compute_av - Compute access vector decisions.
476 * @ssid: source security identifier
477 * @tsid: target security identifier
478 * @tclass: target security class
479 * @requested: requested permissions
480 * @avd: access vector decisions
481 *
482 * Compute a set of access vector decisions based on the
483 * SID pair (@ssid, @tsid) for the permissions in @tclass.
484 * Return -%EINVAL if any of the parameters are invalid or %0
485 * if the access vector decisions were computed successfully.
486 */
487 int security_compute_av(u32 ssid,
488 u32 tsid,
489 u16 tclass,
490 u32 requested,
491 struct av_decision *avd)
492 {
493 struct context *scontext = NULL, *tcontext = NULL;
494 int rc = 0;
495
496 if (!ss_initialized) {
497 avd->allowed = 0xffffffff;
498 avd->decided = 0xffffffff;
499 avd->auditallow = 0;
500 avd->auditdeny = 0xffffffff;
501 avd->seqno = latest_granting;
502 return 0;
503 }
504
505 POLICY_RDLOCK;
506
507 scontext = sidtab_search(&sidtab, ssid);
508 if (!scontext) {
509 printk(KERN_ERR "security_compute_av: unrecognized SID %d\n",
510 ssid);
511 rc = -EINVAL;
512 goto out;
513 }
514 tcontext = sidtab_search(&sidtab, tsid);
515 if (!tcontext) {
516 printk(KERN_ERR "security_compute_av: unrecognized SID %d\n",
517 tsid);
518 rc = -EINVAL;
519 goto out;
520 }
521
522 rc = context_struct_compute_av(scontext, tcontext, tclass,
523 requested, avd);
524 out:
525 POLICY_RDUNLOCK;
526 return rc;
527 }
528
529 /*
530 * Write the security context string representation of
531 * the context structure `context' into a dynamically
532 * allocated string of the correct size. Set `*scontext'
533 * to point to this string and set `*scontext_len' to
534 * the length of the string.
535 */
536 static int context_struct_to_string(struct context *context, char **scontext, u32 *scontext_len)
537 {
538 char *scontextp;
539
540 *scontext = NULL;
541 *scontext_len = 0;
542
543 /* Compute the size of the context. */
544 *scontext_len += strlen(policydb.p_user_val_to_name[context->user - 1]) + 1;
545 *scontext_len += strlen(policydb.p_role_val_to_name[context->role - 1]) + 1;
546 *scontext_len += strlen(policydb.p_type_val_to_name[context->type - 1]) + 1;
547 *scontext_len += mls_compute_context_len(context);
548
549 /* Allocate space for the context; caller must free this space. */
550 scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
551 if (!scontextp) {
552 return -ENOMEM;
553 }
554 *scontext = scontextp;
555
556 /*
557 * Copy the user name, role name and type name into the context.
558 */
559 sprintf(scontextp, "%s:%s:%s",
560 policydb.p_user_val_to_name[context->user - 1],
561 policydb.p_role_val_to_name[context->role - 1],
562 policydb.p_type_val_to_name[context->type - 1]);
563 scontextp += strlen(policydb.p_user_val_to_name[context->user - 1]) +
564 1 + strlen(policydb.p_role_val_to_name[context->role - 1]) +
565 1 + strlen(policydb.p_type_val_to_name[context->type - 1]);
566
567 mls_sid_to_context(context, &scontextp);
568
569 *scontextp = 0;
570
571 return 0;
572 }
573
574 #include "initial_sid_to_string.h"
575
576 /**
577 * security_sid_to_context - Obtain a context for a given SID.
578 * @sid: security identifier, SID
579 * @scontext: security context
580 * @scontext_len: length in bytes
581 *
582 * Write the string representation of the context associated with @sid
583 * into a dynamically allocated string of the correct size. Set @scontext
584 * to point to this string and set @scontext_len to the length of the string.
585 */
586 int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
587 {
588 struct context *context;
589 int rc = 0;
590
591 if (!ss_initialized) {
592 if (sid <= SECINITSID_NUM) {
593 char *scontextp;
594
595 *scontext_len = strlen(initial_sid_to_string[sid]) + 1;
596 scontextp = kmalloc(*scontext_len,GFP_ATOMIC);
597 if (!scontextp) {
598 rc = -ENOMEM;
599 goto out;
600 }
601 strcpy(scontextp, initial_sid_to_string[sid]);
602 *scontext = scontextp;
603 goto out;
604 }
605 printk(KERN_ERR "security_sid_to_context: called before initial "
606 "load_policy on unknown SID %d\n", sid);
607 rc = -EINVAL;
608 goto out;
609 }
610 POLICY_RDLOCK;
611 context = sidtab_search(&sidtab, sid);
612 if (!context) {
613 printk(KERN_ERR "security_sid_to_context: unrecognized SID "
614 "%d\n", sid);
615 rc = -EINVAL;
616 goto out_unlock;
617 }
618 rc = context_struct_to_string(context, scontext, scontext_len);
619 out_unlock:
620 POLICY_RDUNLOCK;
621 out:
622 return rc;
623
624 }
625
626 static int security_context_to_sid_core(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid)
627 {
628 char *scontext2;
629 struct context context;
630 struct role_datum *role;
631 struct type_datum *typdatum;
632 struct user_datum *usrdatum;
633 char *scontextp, *p, oldc;
634 int rc = 0;
635
636 if (!ss_initialized) {
637 int i;
638
639 for (i = 1; i < SECINITSID_NUM; i++) {
640 if (!strcmp(initial_sid_to_string[i], scontext)) {
641 *sid = i;
642 goto out;
643 }
644 }
645 *sid = SECINITSID_KERNEL;
646 goto out;
647 }
648 *sid = SECSID_NULL;
649
650 /* Copy the string so that we can modify the copy as we parse it.
651 The string should already by null terminated, but we append a
652 null suffix to the copy to avoid problems with the existing
653 attr package, which doesn't view the null terminator as part
654 of the attribute value. */
655 scontext2 = kmalloc(scontext_len+1,GFP_KERNEL);
656 if (!scontext2) {
657 rc = -ENOMEM;
658 goto out;
659 }
660 memcpy(scontext2, scontext, scontext_len);
661 scontext2[scontext_len] = 0;
662
663 context_init(&context);
664 *sid = SECSID_NULL;
665
666 POLICY_RDLOCK;
667
668 /* Parse the security context. */
669
670 rc = -EINVAL;
671 scontextp = (char *) scontext2;
672
673 /* Extract the user. */
674 p = scontextp;
675 while (*p && *p != ':')
676 p++;
677
678 if (*p == 0)
679 goto out_unlock;
680
681 *p++ = 0;
682
683 usrdatum = hashtab_search(policydb.p_users.table, scontextp);
684 if (!usrdatum)
685 goto out_unlock;
686
687 context.user = usrdatum->value;
688
689 /* Extract role. */
690 scontextp = p;
691 while (*p && *p != ':')
692 p++;
693
694 if (*p == 0)
695 goto out_unlock;
696
697 *p++ = 0;
698
699 role = hashtab_search(policydb.p_roles.table, scontextp);
700 if (!role)
701 goto out_unlock;
702 context.role = role->value;
703
704 /* Extract type. */
705 scontextp = p;
706 while (*p && *p != ':')
707 p++;
708 oldc = *p;
709 *p++ = 0;
710
711 typdatum = hashtab_search(policydb.p_types.table, scontextp);
712 if (!typdatum)
713 goto out_unlock;
714
715 context.type = typdatum->value;
716
717 rc = mls_context_to_sid(oldc, &p, &context, &sidtab, def_sid);
718 if (rc)
719 goto out_unlock;
720
721 if ((p - scontext2) < scontext_len) {
722 rc = -EINVAL;
723 goto out_unlock;
724 }
725
726 /* Check the validity of the new context. */
727 if (!policydb_context_isvalid(&policydb, &context)) {
728 rc = -EINVAL;
729 goto out_unlock;
730 }
731 /* Obtain the new sid. */
732 rc = sidtab_context_to_sid(&sidtab, &context, sid);
733 out_unlock:
734 POLICY_RDUNLOCK;
735 context_destroy(&context);
736 kfree(scontext2);
737 out:
738 return rc;
739 }
740
741 /**
742 * security_context_to_sid - Obtain a SID for a given security context.
743 * @scontext: security context
744 * @scontext_len: length in bytes
745 * @sid: security identifier, SID
746 *
747 * Obtains a SID associated with the security context that
748 * has the string representation specified by @scontext.
749 * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
750 * memory is available, or 0 on success.
751 */
752 int security_context_to_sid(char *scontext, u32 scontext_len, u32 *sid)
753 {
754 return security_context_to_sid_core(scontext, scontext_len,
755 sid, SECSID_NULL);
756 }
757
758 /**
759 * security_context_to_sid_default - Obtain a SID for a given security context,
760 * falling back to specified default if needed.
761 *
762 * @scontext: security context
763 * @scontext_len: length in bytes
764 * @sid: security identifier, SID
765 * @def_sid: default SID to assign on errror
766 *
767 * Obtains a SID associated with the security context that
768 * has the string representation specified by @scontext.
769 * The default SID is passed to the MLS layer to be used to allow
770 * kernel labeling of the MLS field if the MLS field is not present
771 * (for upgrading to MLS without full relabel).
772 * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
773 * memory is available, or 0 on success.
774 */
775 int security_context_to_sid_default(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid)
776 {
777 return security_context_to_sid_core(scontext, scontext_len,
778 sid, def_sid);
779 }
780
781 static int compute_sid_handle_invalid_context(
782 struct context *scontext,
783 struct context *tcontext,
784 u16 tclass,
785 struct context *newcontext)
786 {
787 char *s = NULL, *t = NULL, *n = NULL;
788 u32 slen, tlen, nlen;
789
790 if (context_struct_to_string(scontext, &s, &slen) < 0)
791 goto out;
792 if (context_struct_to_string(tcontext, &t, &tlen) < 0)
793 goto out;
794 if (context_struct_to_string(newcontext, &n, &nlen) < 0)
795 goto out;
796 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
797 "security_compute_sid: invalid context %s"
798 " for scontext=%s"
799 " tcontext=%s"
800 " tclass=%s",
801 n, s, t, policydb.p_class_val_to_name[tclass-1]);
802 out:
803 kfree(s);
804 kfree(t);
805 kfree(n);
806 if (!selinux_enforcing)
807 return 0;
808 return -EACCES;
809 }
810
811 static int security_compute_sid(u32 ssid,
812 u32 tsid,
813 u16 tclass,
814 u32 specified,
815 u32 *out_sid)
816 {
817 struct context *scontext = NULL, *tcontext = NULL, newcontext;
818 struct role_trans *roletr = NULL;
819 struct avtab_key avkey;
820 struct avtab_datum *avdatum;
821 struct avtab_node *node;
822 int rc = 0;
823
824 if (!ss_initialized) {
825 switch (tclass) {
826 case SECCLASS_PROCESS:
827 *out_sid = ssid;
828 break;
829 default:
830 *out_sid = tsid;
831 break;
832 }
833 goto out;
834 }
835
836 POLICY_RDLOCK;
837
838 scontext = sidtab_search(&sidtab, ssid);
839 if (!scontext) {
840 printk(KERN_ERR "security_compute_sid: unrecognized SID %d\n",
841 ssid);
842 rc = -EINVAL;
843 goto out_unlock;
844 }
845 tcontext = sidtab_search(&sidtab, tsid);
846 if (!tcontext) {
847 printk(KERN_ERR "security_compute_sid: unrecognized SID %d\n",
848 tsid);
849 rc = -EINVAL;
850 goto out_unlock;
851 }
852
853 context_init(&newcontext);
854
855 /* Set the user identity. */
856 switch (specified) {
857 case AVTAB_TRANSITION:
858 case AVTAB_CHANGE:
859 /* Use the process user identity. */
860 newcontext.user = scontext->user;
861 break;
862 case AVTAB_MEMBER:
863 /* Use the related object owner. */
864 newcontext.user = tcontext->user;
865 break;
866 }
867
868 /* Set the role and type to default values. */
869 switch (tclass) {
870 case SECCLASS_PROCESS:
871 /* Use the current role and type of process. */
872 newcontext.role = scontext->role;
873 newcontext.type = scontext->type;
874 break;
875 default:
876 /* Use the well-defined object role. */
877 newcontext.role = OBJECT_R_VAL;
878 /* Use the type of the related object. */
879 newcontext.type = tcontext->type;
880 }
881
882 /* Look for a type transition/member/change rule. */
883 avkey.source_type = scontext->type;
884 avkey.target_type = tcontext->type;
885 avkey.target_class = tclass;
886 avkey.specified = specified;
887 avdatum = avtab_search(&policydb.te_avtab, &avkey);
888
889 /* If no permanent rule, also check for enabled conditional rules */
890 if(!avdatum) {
891 node = avtab_search_node(&policydb.te_cond_avtab, &avkey);
892 for (; node != NULL; node = avtab_search_node_next(node, specified)) {
893 if (node->key.specified & AVTAB_ENABLED) {
894 avdatum = &node->datum;
895 break;
896 }
897 }
898 }
899
900 if (avdatum) {
901 /* Use the type from the type transition/member/change rule. */
902 newcontext.type = avdatum->data;
903 }
904
905 /* Check for class-specific changes. */
906 switch (tclass) {
907 case SECCLASS_PROCESS:
908 if (specified & AVTAB_TRANSITION) {
909 /* Look for a role transition rule. */
910 for (roletr = policydb.role_tr; roletr;
911 roletr = roletr->next) {
912 if (roletr->role == scontext->role &&
913 roletr->type == tcontext->type) {
914 /* Use the role transition rule. */
915 newcontext.role = roletr->new_role;
916 break;
917 }
918 }
919 }
920 break;
921 default:
922 break;
923 }
924
925 /* Set the MLS attributes.
926 This is done last because it may allocate memory. */
927 rc = mls_compute_sid(scontext, tcontext, tclass, specified, &newcontext);
928 if (rc)
929 goto out_unlock;
930
931 /* Check the validity of the context. */
932 if (!policydb_context_isvalid(&policydb, &newcontext)) {
933 rc = compute_sid_handle_invalid_context(scontext,
934 tcontext,
935 tclass,
936 &newcontext);
937 if (rc)
938 goto out_unlock;
939 }
940 /* Obtain the sid for the context. */
941 rc = sidtab_context_to_sid(&sidtab, &newcontext, out_sid);
942 out_unlock:
943 POLICY_RDUNLOCK;
944 context_destroy(&newcontext);
945 out:
946 return rc;
947 }
948
949 /**
950 * security_transition_sid - Compute the SID for a new subject/object.
951 * @ssid: source security identifier
952 * @tsid: target security identifier
953 * @tclass: target security class
954 * @out_sid: security identifier for new subject/object
955 *
956 * Compute a SID to use for labeling a new subject or object in the
957 * class @tclass based on a SID pair (@ssid, @tsid).
958 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
959 * if insufficient memory is available, or %0 if the new SID was
960 * computed successfully.
961 */
962 int security_transition_sid(u32 ssid,
963 u32 tsid,
964 u16 tclass,
965 u32 *out_sid)
966 {
967 return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, out_sid);
968 }
969
970 /**
971 * security_member_sid - Compute the SID for member selection.
972 * @ssid: source security identifier
973 * @tsid: target security identifier
974 * @tclass: target security class
975 * @out_sid: security identifier for selected member
976 *
977 * Compute a SID to use when selecting a member of a polyinstantiated
978 * object of class @tclass based on a SID pair (@ssid, @tsid).
979 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
980 * if insufficient memory is available, or %0 if the SID was
981 * computed successfully.
982 */
983 int security_member_sid(u32 ssid,
984 u32 tsid,
985 u16 tclass,
986 u32 *out_sid)
987 {
988 return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid);
989 }
990
991 /**
992 * security_change_sid - Compute the SID for object relabeling.
993 * @ssid: source security identifier
994 * @tsid: target security identifier
995 * @tclass: target security class
996 * @out_sid: security identifier for selected member
997 *
998 * Compute a SID to use for relabeling an object of class @tclass
999 * based on a SID pair (@ssid, @tsid).
1000 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
1001 * if insufficient memory is available, or %0 if the SID was
1002 * computed successfully.
1003 */
1004 int security_change_sid(u32 ssid,
1005 u32 tsid,
1006 u16 tclass,
1007 u32 *out_sid)
1008 {
1009 return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid);
1010 }
1011
1012 /*
1013 * Verify that each permission that is defined under the
1014 * existing policy is still defined with the same value
1015 * in the new policy.
1016 */
1017 static int validate_perm(void *key, void *datum, void *p)
1018 {
1019 struct hashtab *h;
1020 struct perm_datum *perdatum, *perdatum2;
1021 int rc = 0;
1022
1023
1024 h = p;
1025 perdatum = datum;
1026
1027 perdatum2 = hashtab_search(h, key);
1028 if (!perdatum2) {
1029 printk(KERN_ERR "security: permission %s disappeared",
1030 (char *)key);
1031 rc = -ENOENT;
1032 goto out;
1033 }
1034 if (perdatum->value != perdatum2->value) {
1035 printk(KERN_ERR "security: the value of permission %s changed",
1036 (char *)key);
1037 rc = -EINVAL;
1038 }
1039 out:
1040 return rc;
1041 }
1042
1043 /*
1044 * Verify that each class that is defined under the
1045 * existing policy is still defined with the same
1046 * attributes in the new policy.
1047 */
1048 static int validate_class(void *key, void *datum, void *p)
1049 {
1050 struct policydb *newp;
1051 struct class_datum *cladatum, *cladatum2;
1052 int rc;
1053
1054 newp = p;
1055 cladatum = datum;
1056
1057 cladatum2 = hashtab_search(newp->p_classes.table, key);
1058 if (!cladatum2) {
1059 printk(KERN_ERR "security: class %s disappeared\n",
1060 (char *)key);
1061 rc = -ENOENT;
1062 goto out;
1063 }
1064 if (cladatum->value != cladatum2->value) {
1065 printk(KERN_ERR "security: the value of class %s changed\n",
1066 (char *)key);
1067 rc = -EINVAL;
1068 goto out;
1069 }
1070 if ((cladatum->comdatum && !cladatum2->comdatum) ||
1071 (!cladatum->comdatum && cladatum2->comdatum)) {
1072 printk(KERN_ERR "security: the inherits clause for the access "
1073 "vector definition for class %s changed\n", (char *)key);
1074 rc = -EINVAL;
1075 goto out;
1076 }
1077 if (cladatum->comdatum) {
1078 rc = hashtab_map(cladatum->comdatum->permissions.table, validate_perm,
1079 cladatum2->comdatum->permissions.table);
1080 if (rc) {
1081 printk(" in the access vector definition for class "
1082 "%s\n", (char *)key);
1083 goto out;
1084 }
1085 }
1086 rc = hashtab_map(cladatum->permissions.table, validate_perm,
1087 cladatum2->permissions.table);
1088 if (rc)
1089 printk(" in access vector definition for class %s\n",
1090 (char *)key);
1091 out:
1092 return rc;
1093 }
1094
1095 /* Clone the SID into the new SID table. */
1096 static int clone_sid(u32 sid,
1097 struct context *context,
1098 void *arg)
1099 {
1100 struct sidtab *s = arg;
1101
1102 return sidtab_insert(s, sid, context);
1103 }
1104
1105 static inline int convert_context_handle_invalid_context(struct context *context)
1106 {
1107 int rc = 0;
1108
1109 if (selinux_enforcing) {
1110 rc = -EINVAL;
1111 } else {
1112 char *s;
1113 u32 len;
1114
1115 context_struct_to_string(context, &s, &len);
1116 printk(KERN_ERR "security: context %s is invalid\n", s);
1117 kfree(s);
1118 }
1119 return rc;
1120 }
1121
1122 struct convert_context_args {
1123 struct policydb *oldp;
1124 struct policydb *newp;
1125 };
1126
1127 /*
1128 * Convert the values in the security context
1129 * structure `c' from the values specified
1130 * in the policy `p->oldp' to the values specified
1131 * in the policy `p->newp'. Verify that the
1132 * context is valid under the new policy.
1133 */
1134 static int convert_context(u32 key,
1135 struct context *c,
1136 void *p)
1137 {
1138 struct convert_context_args *args;
1139 struct context oldc;
1140 struct role_datum *role;
1141 struct type_datum *typdatum;
1142 struct user_datum *usrdatum;
1143 char *s;
1144 u32 len;
1145 int rc;
1146
1147 args = p;
1148
1149 rc = context_cpy(&oldc, c);
1150 if (rc)
1151 goto out;
1152
1153 rc = -EINVAL;
1154
1155 /* Convert the user. */
1156 usrdatum = hashtab_search(args->newp->p_users.table,
1157 args->oldp->p_user_val_to_name[c->user - 1]);
1158 if (!usrdatum) {
1159 goto bad;
1160 }
1161 c->user = usrdatum->value;
1162
1163 /* Convert the role. */
1164 role = hashtab_search(args->newp->p_roles.table,
1165 args->oldp->p_role_val_to_name[c->role - 1]);
1166 if (!role) {
1167 goto bad;
1168 }
1169 c->role = role->value;
1170
1171 /* Convert the type. */
1172 typdatum = hashtab_search(args->newp->p_types.table,
1173 args->oldp->p_type_val_to_name[c->type - 1]);
1174 if (!typdatum) {
1175 goto bad;
1176 }
1177 c->type = typdatum->value;
1178
1179 rc = mls_convert_context(args->oldp, args->newp, c);
1180 if (rc)
1181 goto bad;
1182
1183 /* Check the validity of the new context. */
1184 if (!policydb_context_isvalid(args->newp, c)) {
1185 rc = convert_context_handle_invalid_context(&oldc);
1186 if (rc)
1187 goto bad;
1188 }
1189
1190 context_destroy(&oldc);
1191 out:
1192 return rc;
1193 bad:
1194 context_struct_to_string(&oldc, &s, &len);
1195 context_destroy(&oldc);
1196 printk(KERN_ERR "security: invalidating context %s\n", s);
1197 kfree(s);
1198 goto out;
1199 }
1200
1201 extern void selinux_complete_init(void);
1202
1203 /**
1204 * security_load_policy - Load a security policy configuration.
1205 * @data: binary policy data
1206 * @len: length of data in bytes
1207 *
1208 * Load a new set of security policy configuration data,
1209 * validate it and convert the SID table as necessary.
1210 * This function will flush the access vector cache after
1211 * loading the new policy.
1212 */
1213 int security_load_policy(void *data, size_t len)
1214 {
1215 struct policydb oldpolicydb, newpolicydb;
1216 struct sidtab oldsidtab, newsidtab;
1217 struct convert_context_args args;
1218 u32 seqno;
1219 int rc = 0;
1220 struct policy_file file = { data, len }, *fp = &file;
1221
1222 LOAD_LOCK;
1223
1224 if (!ss_initialized) {
1225 avtab_cache_init();
1226 if (policydb_read(&policydb, fp)) {
1227 LOAD_UNLOCK;
1228 avtab_cache_destroy();
1229 return -EINVAL;
1230 }
1231 if (policydb_load_isids(&policydb, &sidtab)) {
1232 LOAD_UNLOCK;
1233 policydb_destroy(&policydb);
1234 avtab_cache_destroy();
1235 return -EINVAL;
1236 }
1237 policydb_loaded_version = policydb.policyvers;
1238 ss_initialized = 1;
1239 seqno = ++latest_granting;
1240 LOAD_UNLOCK;
1241 selinux_complete_init();
1242 avc_ss_reset(seqno);
1243 selnl_notify_policyload(seqno);
1244 return 0;
1245 }
1246
1247 #if 0
1248 sidtab_hash_eval(&sidtab, "sids");
1249 #endif
1250
1251 if (policydb_read(&newpolicydb, fp)) {
1252 LOAD_UNLOCK;
1253 return -EINVAL;
1254 }
1255
1256 sidtab_init(&newsidtab);
1257
1258 /* Verify that the existing classes did not change. */
1259 if (hashtab_map(policydb.p_classes.table, validate_class, &newpolicydb)) {
1260 printk(KERN_ERR "security: the definition of an existing "
1261 "class changed\n");
1262 rc = -EINVAL;
1263 goto err;
1264 }
1265
1266 /* Clone the SID table. */
1267 sidtab_shutdown(&sidtab);
1268 if (sidtab_map(&sidtab, clone_sid, &newsidtab)) {
1269 rc = -ENOMEM;
1270 goto err;
1271 }
1272
1273 /* Convert the internal representations of contexts
1274 in the new SID table and remove invalid SIDs. */
1275 args.oldp = &policydb;
1276 args.newp = &newpolicydb;
1277 sidtab_map_remove_on_error(&newsidtab, convert_context, &args);
1278
1279 /* Save the old policydb and SID table to free later. */
1280 memcpy(&oldpolicydb, &policydb, sizeof policydb);
1281 sidtab_set(&oldsidtab, &sidtab);
1282
1283 /* Install the new policydb and SID table. */
1284 POLICY_WRLOCK;
1285 memcpy(&policydb, &newpolicydb, sizeof policydb);
1286 sidtab_set(&sidtab, &newsidtab);
1287 seqno = ++latest_granting;
1288 policydb_loaded_version = policydb.policyvers;
1289 POLICY_WRUNLOCK;
1290 LOAD_UNLOCK;
1291
1292 /* Free the old policydb and SID table. */
1293 policydb_destroy(&oldpolicydb);
1294 sidtab_destroy(&oldsidtab);
1295
1296 avc_ss_reset(seqno);
1297 selnl_notify_policyload(seqno);
1298
1299 return 0;
1300
1301 err:
1302 LOAD_UNLOCK;
1303 sidtab_destroy(&newsidtab);
1304 policydb_destroy(&newpolicydb);
1305 return rc;
1306
1307 }
1308
1309 /**
1310 * security_port_sid - Obtain the SID for a port.
1311 * @domain: communication domain aka address family
1312 * @type: socket type
1313 * @protocol: protocol number
1314 * @port: port number
1315 * @out_sid: security identifier
1316 */
1317 int security_port_sid(u16 domain,
1318 u16 type,
1319 u8 protocol,
1320 u16 port,
1321 u32 *out_sid)
1322 {
1323 struct ocontext *c;
1324 int rc = 0;
1325
1326 POLICY_RDLOCK;
1327
1328 c = policydb.ocontexts[OCON_PORT];
1329 while (c) {
1330 if (c->u.port.protocol == protocol &&
1331 c->u.port.low_port <= port &&
1332 c->u.port.high_port >= port)
1333 break;
1334 c = c->next;
1335 }
1336
1337 if (c) {
1338 if (!c->sid[0]) {
1339 rc = sidtab_context_to_sid(&sidtab,
1340 &c->context[0],
1341 &c->sid[0]);
1342 if (rc)
1343 goto out;
1344 }
1345 *out_sid = c->sid[0];
1346 } else {
1347 *out_sid = SECINITSID_PORT;
1348 }
1349
1350 out:
1351 POLICY_RDUNLOCK;
1352 return rc;
1353 }
1354
1355 /**
1356 * security_netif_sid - Obtain the SID for a network interface.
1357 * @name: interface name
1358 * @if_sid: interface SID
1359 * @msg_sid: default SID for received packets
1360 */
1361 int security_netif_sid(char *name,
1362 u32 *if_sid,
1363 u32 *msg_sid)
1364 {
1365 int rc = 0;
1366 struct ocontext *c;
1367
1368 POLICY_RDLOCK;
1369
1370 c = policydb.ocontexts[OCON_NETIF];
1371 while (c) {
1372 if (strcmp(name, c->u.name) == 0)
1373 break;
1374 c = c->next;
1375 }
1376
1377 if (c) {
1378 if (!c->sid[0] || !c->sid[1]) {
1379 rc = sidtab_context_to_sid(&sidtab,
1380 &c->context[0],
1381 &c->sid[0]);
1382 if (rc)
1383 goto out;
1384 rc = sidtab_context_to_sid(&sidtab,
1385 &c->context[1],
1386 &c->sid[1]);
1387 if (rc)
1388 goto out;
1389 }
1390 *if_sid = c->sid[0];
1391 *msg_sid = c->sid[1];
1392 } else {
1393 *if_sid = SECINITSID_NETIF;
1394 *msg_sid = SECINITSID_NETMSG;
1395 }
1396
1397 out:
1398 POLICY_RDUNLOCK;
1399 return rc;
1400 }
1401
1402 static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask)
1403 {
1404 int i, fail = 0;
1405
1406 for(i = 0; i < 4; i++)
1407 if(addr[i] != (input[i] & mask[i])) {
1408 fail = 1;
1409 break;
1410 }
1411
1412 return !fail;
1413 }
1414
1415 /**
1416 * security_node_sid - Obtain the SID for a node (host).
1417 * @domain: communication domain aka address family
1418 * @addrp: address
1419 * @addrlen: address length in bytes
1420 * @out_sid: security identifier
1421 */
1422 int security_node_sid(u16 domain,
1423 void *addrp,
1424 u32 addrlen,
1425 u32 *out_sid)
1426 {
1427 int rc = 0;
1428 struct ocontext *c;
1429
1430 POLICY_RDLOCK;
1431
1432 switch (domain) {
1433 case AF_INET: {
1434 u32 addr;
1435
1436 if (addrlen != sizeof(u32)) {
1437 rc = -EINVAL;
1438 goto out;
1439 }
1440
1441 addr = *((u32 *)addrp);
1442
1443 c = policydb.ocontexts[OCON_NODE];
1444 while (c) {
1445 if (c->u.node.addr == (addr & c->u.node.mask))
1446 break;
1447 c = c->next;
1448 }
1449 break;
1450 }
1451
1452 case AF_INET6:
1453 if (addrlen != sizeof(u64) * 2) {
1454 rc = -EINVAL;
1455 goto out;
1456 }
1457 c = policydb.ocontexts[OCON_NODE6];
1458 while (c) {
1459 if (match_ipv6_addrmask(addrp, c->u.node6.addr,
1460 c->u.node6.mask))
1461 break;
1462 c = c->next;
1463 }
1464 break;
1465
1466 default:
1467 *out_sid = SECINITSID_NODE;
1468 goto out;
1469 }
1470
1471 if (c) {
1472 if (!c->sid[0]) {
1473 rc = sidtab_context_to_sid(&sidtab,
1474 &c->context[0],
1475 &c->sid[0]);
1476 if (rc)
1477 goto out;
1478 }
1479 *out_sid = c->sid[0];
1480 } else {
1481 *out_sid = SECINITSID_NODE;
1482 }
1483
1484 out:
1485 POLICY_RDUNLOCK;
1486 return rc;
1487 }
1488
1489 #define SIDS_NEL 25
1490
1491 /**
1492 * security_get_user_sids - Obtain reachable SIDs for a user.
1493 * @fromsid: starting SID
1494 * @username: username
1495 * @sids: array of reachable SIDs for user
1496 * @nel: number of elements in @sids
1497 *
1498 * Generate the set of SIDs for legal security contexts
1499 * for a given user that can be reached by @fromsid.
1500 * Set *@sids to point to a dynamically allocated
1501 * array containing the set of SIDs. Set *@nel to the
1502 * number of elements in the array.
1503 */
1504
1505 int security_get_user_sids(u32 fromsid,
1506 char *username,
1507 u32 **sids,
1508 u32 *nel)
1509 {
1510 struct context *fromcon, usercon;
1511 u32 *mysids, *mysids2, sid;
1512 u32 mynel = 0, maxnel = SIDS_NEL;
1513 struct user_datum *user;
1514 struct role_datum *role;
1515 struct av_decision avd;
1516 struct ebitmap_node *rnode, *tnode;
1517 int rc = 0, i, j;
1518
1519 if (!ss_initialized) {
1520 *sids = NULL;
1521 *nel = 0;
1522 goto out;
1523 }
1524
1525 POLICY_RDLOCK;
1526
1527 fromcon = sidtab_search(&sidtab, fromsid);
1528 if (!fromcon) {
1529 rc = -EINVAL;
1530 goto out_unlock;
1531 }
1532
1533 user = hashtab_search(policydb.p_users.table, username);
1534 if (!user) {
1535 rc = -EINVAL;
1536 goto out_unlock;
1537 }
1538 usercon.user = user->value;
1539
1540 mysids = kcalloc(maxnel, sizeof(*mysids), GFP_ATOMIC);
1541 if (!mysids) {
1542 rc = -ENOMEM;
1543 goto out_unlock;
1544 }
1545
1546 ebitmap_for_each_bit(&user->roles, rnode, i) {
1547 if (!ebitmap_node_get_bit(rnode, i))
1548 continue;
1549 role = policydb.role_val_to_struct[i];
1550 usercon.role = i+1;
1551 ebitmap_for_each_bit(&role->types, tnode, j) {
1552 if (!ebitmap_node_get_bit(tnode, j))
1553 continue;
1554 usercon.type = j+1;
1555
1556 if (mls_setup_user_range(fromcon, user, &usercon))
1557 continue;
1558
1559 rc = context_struct_compute_av(fromcon, &usercon,
1560 SECCLASS_PROCESS,
1561 PROCESS__TRANSITION,
1562 &avd);
1563 if (rc || !(avd.allowed & PROCESS__TRANSITION))
1564 continue;
1565 rc = sidtab_context_to_sid(&sidtab, &usercon, &sid);
1566 if (rc) {
1567 kfree(mysids);
1568 goto out_unlock;
1569 }
1570 if (mynel < maxnel) {
1571 mysids[mynel++] = sid;
1572 } else {
1573 maxnel += SIDS_NEL;
1574 mysids2 = kcalloc(maxnel, sizeof(*mysids2), GFP_ATOMIC);
1575 if (!mysids2) {
1576 rc = -ENOMEM;
1577 kfree(mysids);
1578 goto out_unlock;
1579 }
1580 memcpy(mysids2, mysids, mynel * sizeof(*mysids2));
1581 kfree(mysids);
1582 mysids = mysids2;
1583 mysids[mynel++] = sid;
1584 }
1585 }
1586 }
1587
1588 *sids = mysids;
1589 *nel = mynel;
1590
1591 out_unlock:
1592 POLICY_RDUNLOCK;
1593 out:
1594 return rc;
1595 }
1596
1597 /**
1598 * security_genfs_sid - Obtain a SID for a file in a filesystem
1599 * @fstype: filesystem type
1600 * @path: path from root of mount
1601 * @sclass: file security class
1602 * @sid: SID for path
1603 *
1604 * Obtain a SID to use for a file in a filesystem that
1605 * cannot support xattr or use a fixed labeling behavior like
1606 * transition SIDs or task SIDs.
1607 */
1608 int security_genfs_sid(const char *fstype,
1609 char *path,
1610 u16 sclass,
1611 u32 *sid)
1612 {
1613 int len;
1614 struct genfs *genfs;
1615 struct ocontext *c;
1616 int rc = 0, cmp = 0;
1617
1618 POLICY_RDLOCK;
1619
1620 for (genfs = policydb.genfs; genfs; genfs = genfs->next) {
1621 cmp = strcmp(fstype, genfs->fstype);
1622 if (cmp <= 0)
1623 break;
1624 }
1625
1626 if (!genfs || cmp) {
1627 *sid = SECINITSID_UNLABELED;
1628 rc = -ENOENT;
1629 goto out;
1630 }
1631
1632 for (c = genfs->head; c; c = c->next) {
1633 len = strlen(c->u.name);
1634 if ((!c->v.sclass || sclass == c->v.sclass) &&
1635 (strncmp(c->u.name, path, len) == 0))
1636 break;
1637 }
1638
1639 if (!c) {
1640 *sid = SECINITSID_UNLABELED;
1641 rc = -ENOENT;
1642 goto out;
1643 }
1644
1645 if (!c->sid[0]) {
1646 rc = sidtab_context_to_sid(&sidtab,
1647 &c->context[0],
1648 &c->sid[0]);
1649 if (rc)
1650 goto out;
1651 }
1652
1653 *sid = c->sid[0];
1654 out:
1655 POLICY_RDUNLOCK;
1656 return rc;
1657 }
1658
1659 /**
1660 * security_fs_use - Determine how to handle labeling for a filesystem.
1661 * @fstype: filesystem type
1662 * @behavior: labeling behavior
1663 * @sid: SID for filesystem (superblock)
1664 */
1665 int security_fs_use(
1666 const char *fstype,
1667 unsigned int *behavior,
1668 u32 *sid)
1669 {
1670 int rc = 0;
1671 struct ocontext *c;
1672
1673 POLICY_RDLOCK;
1674
1675 c = policydb.ocontexts[OCON_FSUSE];
1676 while (c) {
1677 if (strcmp(fstype, c->u.name) == 0)
1678 break;
1679 c = c->next;
1680 }
1681
1682 if (c) {
1683 *behavior = c->v.behavior;
1684 if (!c->sid[0]) {
1685 rc = sidtab_context_to_sid(&sidtab,
1686 &c->context[0],
1687 &c->sid[0]);
1688 if (rc)
1689 goto out;
1690 }
1691 *sid = c->sid[0];
1692 } else {
1693 rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, sid);
1694 if (rc) {
1695 *behavior = SECURITY_FS_USE_NONE;
1696 rc = 0;
1697 } else {
1698 *behavior = SECURITY_FS_USE_GENFS;
1699 }
1700 }
1701
1702 out:
1703 POLICY_RDUNLOCK;
1704 return rc;
1705 }
1706
1707 int security_get_bools(int *len, char ***names, int **values)
1708 {
1709 int i, rc = -ENOMEM;
1710
1711 POLICY_RDLOCK;
1712 *names = NULL;
1713 *values = NULL;
1714
1715 *len = policydb.p_bools.nprim;
1716 if (!*len) {
1717 rc = 0;
1718 goto out;
1719 }
1720
1721 *names = kcalloc(*len, sizeof(char*), GFP_ATOMIC);
1722 if (!*names)
1723 goto err;
1724
1725 *values = kcalloc(*len, sizeof(int), GFP_ATOMIC);
1726 if (!*values)
1727 goto err;
1728
1729 for (i = 0; i < *len; i++) {
1730 size_t name_len;
1731 (*values)[i] = policydb.bool_val_to_struct[i]->state;
1732 name_len = strlen(policydb.p_bool_val_to_name[i]) + 1;
1733 (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC);
1734 if (!(*names)[i])
1735 goto err;
1736 strncpy((*names)[i], policydb.p_bool_val_to_name[i], name_len);
1737 (*names)[i][name_len - 1] = 0;
1738 }
1739 rc = 0;
1740 out:
1741 POLICY_RDUNLOCK;
1742 return rc;
1743 err:
1744 if (*names) {
1745 for (i = 0; i < *len; i++)
1746 kfree((*names)[i]);
1747 }
1748 kfree(*values);
1749 goto out;
1750 }
1751
1752
1753 int security_set_bools(int len, int *values)
1754 {
1755 int i, rc = 0;
1756 int lenp, seqno = 0;
1757 struct cond_node *cur;
1758
1759 POLICY_WRLOCK;
1760
1761 lenp = policydb.p_bools.nprim;
1762 if (len != lenp) {
1763 rc = -EFAULT;
1764 goto out;
1765 }
1766
1767 for (i = 0; i < len; i++) {
1768 if (!!values[i] != policydb.bool_val_to_struct[i]->state) {
1769 audit_log(current->audit_context, GFP_ATOMIC,
1770 AUDIT_MAC_CONFIG_CHANGE,
1771 "bool=%s val=%d old_val=%d auid=%u",
1772 policydb.p_bool_val_to_name[i],
1773 !!values[i],
1774 policydb.bool_val_to_struct[i]->state,
1775 audit_get_loginuid(current->audit_context));
1776 }
1777 if (values[i]) {
1778 policydb.bool_val_to_struct[i]->state = 1;
1779 } else {
1780 policydb.bool_val_to_struct[i]->state = 0;
1781 }
1782 }
1783
1784 for (cur = policydb.cond_list; cur != NULL; cur = cur->next) {
1785 rc = evaluate_cond_node(&policydb, cur);
1786 if (rc)
1787 goto out;
1788 }
1789
1790 seqno = ++latest_granting;
1791
1792 out:
1793 POLICY_WRUNLOCK;
1794 if (!rc) {
1795 avc_ss_reset(seqno);
1796 selnl_notify_policyload(seqno);
1797 }
1798 return rc;
1799 }
1800
1801 int security_get_bool_value(int bool)
1802 {
1803 int rc = 0;
1804 int len;
1805
1806 POLICY_RDLOCK;
1807
1808 len = policydb.p_bools.nprim;
1809 if (bool >= len) {
1810 rc = -EFAULT;
1811 goto out;
1812 }
1813
1814 rc = policydb.bool_val_to_struct[bool]->state;
1815 out:
1816 POLICY_RDUNLOCK;
1817 return rc;
1818 }
1819
1820 struct selinux_audit_rule {
1821 u32 au_seqno;
1822 struct context au_ctxt;
1823 };
1824
1825 void selinux_audit_rule_free(struct selinux_audit_rule *rule)
1826 {
1827 if (rule) {
1828 context_destroy(&rule->au_ctxt);
1829 kfree(rule);
1830 }
1831 }
1832
1833 int selinux_audit_rule_init(u32 field, u32 op, char *rulestr,
1834 struct selinux_audit_rule **rule)
1835 {
1836 struct selinux_audit_rule *tmprule;
1837 struct role_datum *roledatum;
1838 struct type_datum *typedatum;
1839 struct user_datum *userdatum;
1840 int rc = 0;
1841
1842 *rule = NULL;
1843
1844 if (!ss_initialized)
1845 return -ENOTSUPP;
1846
1847 switch (field) {
1848 case AUDIT_SE_USER:
1849 case AUDIT_SE_ROLE:
1850 case AUDIT_SE_TYPE:
1851 /* only 'equals' and 'not equals' fit user, role, and type */
1852 if (op != AUDIT_EQUAL && op != AUDIT_NOT_EQUAL)
1853 return -EINVAL;
1854 break;
1855 case AUDIT_SE_SEN:
1856 case AUDIT_SE_CLR:
1857 /* we do not allow a range, indicated by the presense of '-' */
1858 if (strchr(rulestr, '-'))
1859 return -EINVAL;
1860 break;
1861 default:
1862 /* only the above fields are valid */
1863 return -EINVAL;
1864 }
1865
1866 tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL);
1867 if (!tmprule)
1868 return -ENOMEM;
1869
1870 context_init(&tmprule->au_ctxt);
1871
1872 POLICY_RDLOCK;
1873
1874 tmprule->au_seqno = latest_granting;
1875
1876 switch (field) {
1877 case AUDIT_SE_USER:
1878 userdatum = hashtab_search(policydb.p_users.table, rulestr);
1879 if (!userdatum)
1880 rc = -EINVAL;
1881 else
1882 tmprule->au_ctxt.user = userdatum->value;
1883 break;
1884 case AUDIT_SE_ROLE:
1885 roledatum = hashtab_search(policydb.p_roles.table, rulestr);
1886 if (!roledatum)
1887 rc = -EINVAL;
1888 else
1889 tmprule->au_ctxt.role = roledatum->value;
1890 break;
1891 case AUDIT_SE_TYPE:
1892 typedatum = hashtab_search(policydb.p_types.table, rulestr);
1893 if (!typedatum)
1894 rc = -EINVAL;
1895 else
1896 tmprule->au_ctxt.type = typedatum->value;
1897 break;
1898 case AUDIT_SE_SEN:
1899 case AUDIT_SE_CLR:
1900 rc = mls_from_string(rulestr, &tmprule->au_ctxt, GFP_ATOMIC);
1901 break;
1902 }
1903
1904 POLICY_RDUNLOCK;
1905
1906 if (rc) {
1907 selinux_audit_rule_free(tmprule);
1908 tmprule = NULL;
1909 }
1910
1911 *rule = tmprule;
1912
1913 return rc;
1914 }
1915
1916 int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op,
1917 struct selinux_audit_rule *rule,
1918 struct audit_context *actx)
1919 {
1920 struct context *ctxt;
1921 struct mls_level *level;
1922 int match = 0;
1923
1924 if (!rule) {
1925 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
1926 "selinux_audit_rule_match: missing rule\n");
1927 return -ENOENT;
1928 }
1929
1930 POLICY_RDLOCK;
1931
1932 if (rule->au_seqno < latest_granting) {
1933 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
1934 "selinux_audit_rule_match: stale rule\n");
1935 match = -ESTALE;
1936 goto out;
1937 }
1938
1939 ctxt = sidtab_search(&sidtab, ctxid);
1940 if (!ctxt) {
1941 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
1942 "selinux_audit_rule_match: unrecognized SID %d\n",
1943 ctxid);
1944 match = -ENOENT;
1945 goto out;
1946 }
1947
1948 /* a field/op pair that is not caught here will simply fall through
1949 without a match */
1950 switch (field) {
1951 case AUDIT_SE_USER:
1952 switch (op) {
1953 case AUDIT_EQUAL:
1954 match = (ctxt->user == rule->au_ctxt.user);
1955 break;
1956 case AUDIT_NOT_EQUAL:
1957 match = (ctxt->user != rule->au_ctxt.user);
1958 break;
1959 }
1960 break;
1961 case AUDIT_SE_ROLE:
1962 switch (op) {
1963 case AUDIT_EQUAL:
1964 match = (ctxt->role == rule->au_ctxt.role);
1965 break;
1966 case AUDIT_NOT_EQUAL:
1967 match = (ctxt->role != rule->au_ctxt.role);
1968 break;
1969 }
1970 break;
1971 case AUDIT_SE_TYPE:
1972 switch (op) {
1973 case AUDIT_EQUAL:
1974 match = (ctxt->type == rule->au_ctxt.type);
1975 break;
1976 case AUDIT_NOT_EQUAL:
1977 match = (ctxt->type != rule->au_ctxt.type);
1978 break;
1979 }
1980 break;
1981 case AUDIT_SE_SEN:
1982 case AUDIT_SE_CLR:
1983 level = (op == AUDIT_SE_SEN ?
1984 &ctxt->range.level[0] : &ctxt->range.level[1]);
1985 switch (op) {
1986 case AUDIT_EQUAL:
1987 match = mls_level_eq(&rule->au_ctxt.range.level[0],
1988 level);
1989 break;
1990 case AUDIT_NOT_EQUAL:
1991 match = !mls_level_eq(&rule->au_ctxt.range.level[0],
1992 level);
1993 break;
1994 case AUDIT_LESS_THAN:
1995 match = (mls_level_dom(&rule->au_ctxt.range.level[0],
1996 level) &&
1997 !mls_level_eq(&rule->au_ctxt.range.level[0],
1998 level));
1999 break;
2000 case AUDIT_LESS_THAN_OR_EQUAL:
2001 match = mls_level_dom(&rule->au_ctxt.range.level[0],
2002 level);
2003 break;
2004 case AUDIT_GREATER_THAN:
2005 match = (mls_level_dom(level,
2006 &rule->au_ctxt.range.level[0]) &&
2007 !mls_level_eq(level,
2008 &rule->au_ctxt.range.level[0]));
2009 break;
2010 case AUDIT_GREATER_THAN_OR_EQUAL:
2011 match = mls_level_dom(level,
2012 &rule->au_ctxt.range.level[0]);
2013 break;
2014 }
2015 }
2016
2017 out:
2018 POLICY_RDUNLOCK;
2019 return match;
2020 }
2021
2022 static int (*aurule_callback)(void) = NULL;
2023
2024 static int aurule_avc_callback(u32 event, u32 ssid, u32 tsid,
2025 u16 class, u32 perms, u32 *retained)
2026 {
2027 int err = 0;
2028
2029 if (event == AVC_CALLBACK_RESET && aurule_callback)
2030 err = aurule_callback();
2031 return err;
2032 }
2033
2034 static int __init aurule_init(void)
2035 {
2036 int err;
2037
2038 err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET,
2039 SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
2040 if (err)
2041 panic("avc_add_callback() failed, error %d\n", err);
2042
2043 return err;
2044 }
2045 __initcall(aurule_init);
2046
2047 void selinux_audit_set_callback(int (*callback)(void))
2048 {
2049 aurule_callback = callback;
2050 }
linux-next