Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
services.c
Go to the documentation of this file.
1 /*
2  * Implementation of the security services.
3  *
4  * Authors : Stephen Smalley, <[email protected]>
5  * James Morris <[email protected]>
6  *
7  * Updated: Trusted Computer Solutions, Inc. <[email protected]>
8  *
9  * Support for enhanced MLS infrastructure.
10  * Support for context based audit filters.
11  *
12  * Updated: Frank Mayer <[email protected]> and Karl MacMillan <[email protected]>
13  *
14  * Added conditional policy language extensions
15  *
16  * Updated: Hewlett-Packard <[email protected]>
17  *
18  * Added support for NetLabel
19  * Added support for the policy capability bitmap
20  *
21  * Updated: Chad Sellers <[email protected]>
22  *
23  * Added validation of kernel classes and permissions
24  *
25  * Updated: KaiGai Kohei <[email protected]>
26  *
27  * Added support for bounds domain and audit messaged on masked permissions
28  *
29  * Updated: Guido Trentalancia <[email protected]>
30  *
31  * Added support for runtime switching of the policy type
32  *
33  * Copyright (C) 2008, 2009 NEC Corporation
34  * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
35  * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
36  * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC
37  * Copyright (C) 2003 Red Hat, Inc., James Morris <[email protected]>
38  * This program is free software; you can redistribute it and/or modify
39  * it under the terms of the GNU General Public License as published by
40  * the Free Software Foundation, version 2.
41  */
42 #include <linux/kernel.h>
43 #include <linux/slab.h>
44 #include <linux/string.h>
45 #include <linux/spinlock.h>
46 #include <linux/rcupdate.h>
47 #include <linux/errno.h>
48 #include <linux/in.h>
49 #include <linux/sched.h>
50 #include <linux/audit.h>
51 #include <linux/mutex.h>
52 #include <linux/selinux.h>
53 #include <linux/flex_array.h>
54 #include <linux/vmalloc.h>
55 #include <net/netlabel.h>
56 
57 #include "flask.h"
58 #include "avc.h"
59 #include "avc_ss.h"
60 #include "security.h"
61 #include "context.h"
62 #include "policydb.h"
63 #include "sidtab.h"
64 #include "services.h"
65 #include "conditional.h"
66 #include "mls.h"
67 #include "objsec.h"
68 #include "netlabel.h"
69 #include "xfrm.h"
70 #include "ebitmap.h"
71 #include "audit.h"
72 
75 
76 static DEFINE_RWLOCK(policy_rwlock);
77 
78 static struct sidtab sidtab;
81 
82 /*
83  * The largest sequence number that has been used when
84  * providing an access decision to the access vector cache.
85  * The sequence number only changes when a policy change
86  * occurs.
87  */
88 static u32 latest_granting;
89 
90 /* Forward declaration. */
91 static int context_struct_to_string(struct context *context, char **scontext,
92  u32 *scontext_len);
93 
94 static void context_struct_compute_av(struct context *scontext,
95  struct context *tcontext,
96  u16 tclass,
97  struct av_decision *avd);
98 
100  u16 value; /* policy value */
101  unsigned num_perms;
102  u32 perms[sizeof(u32) * 8];
103 };
104 
105 static struct selinux_mapping *current_mapping;
106 static u16 current_mapping_size;
107 
108 static int selinux_set_mapping(struct policydb *pol,
109  struct security_class_mapping *map,
110  struct selinux_mapping **out_map_p,
111  u16 *out_map_size)
112 {
113  struct selinux_mapping *out_map = NULL;
114  size_t size = sizeof(struct selinux_mapping);
115  u16 i, j;
116  unsigned k;
117  bool print_unknown_handle = false;
118 
119  /* Find number of classes in the input mapping */
120  if (!map)
121  return -EINVAL;
122  i = 0;
123  while (map[i].name)
124  i++;
125 
126  /* Allocate space for the class records, plus one for class zero */
127  out_map = kcalloc(++i, size, GFP_ATOMIC);
128  if (!out_map)
129  return -ENOMEM;
130 
131  /* Store the raw class and permission values */
132  j = 0;
133  while (map[j].name) {
134  struct security_class_mapping *p_in = map + (j++);
135  struct selinux_mapping *p_out = out_map + j;
136 
137  /* An empty class string skips ahead */
138  if (!strcmp(p_in->name, "")) {
139  p_out->num_perms = 0;
140  continue;
141  }
142 
143  p_out->value = string_to_security_class(pol, p_in->name);
144  if (!p_out->value) {
146  "SELinux: Class %s not defined in policy.\n",
147  p_in->name);
148  if (pol->reject_unknown)
149  goto err;
150  p_out->num_perms = 0;
151  print_unknown_handle = true;
152  continue;
153  }
154 
155  k = 0;
156  while (p_in->perms && p_in->perms[k]) {
157  /* An empty permission string skips ahead */
158  if (!*p_in->perms[k]) {
159  k++;
160  continue;
161  }
162  p_out->perms[k] = string_to_av_perm(pol, p_out->value,
163  p_in->perms[k]);
164  if (!p_out->perms[k]) {
166  "SELinux: Permission %s in class %s not defined in policy.\n",
167  p_in->perms[k], p_in->name);
168  if (pol->reject_unknown)
169  goto err;
170  print_unknown_handle = true;
171  }
172 
173  k++;
174  }
175  p_out->num_perms = k;
176  }
177 
178  if (print_unknown_handle)
179  printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
180  pol->allow_unknown ? "allowed" : "denied");
181 
182  *out_map_p = out_map;
183  *out_map_size = i;
184  return 0;
185 err:
186  kfree(out_map);
187  return -EINVAL;
188 }
189 
190 /*
191  * Get real, policy values from mapped values
192  */
193 
194 static u16 unmap_class(u16 tclass)
195 {
196  if (tclass < current_mapping_size)
197  return current_mapping[tclass].value;
198 
199  return tclass;
200 }
201 
202 /*
203  * Get kernel value for class from its policy value
204  */
205 static u16 map_class(u16 pol_value)
206 {
207  u16 i;
208 
209  for (i = 1; i < current_mapping_size; i++) {
210  if (current_mapping[i].value == pol_value)
211  return i;
212  }
213 
214  return SECCLASS_NULL;
215 }
216 
217 static void map_decision(u16 tclass, struct av_decision *avd,
218  int allow_unknown)
219 {
220  if (tclass < current_mapping_size) {
221  unsigned i, n = current_mapping[tclass].num_perms;
222  u32 result;
223 
224  for (i = 0, result = 0; i < n; i++) {
225  if (avd->allowed & current_mapping[tclass].perms[i])
226  result |= 1<<i;
227  if (allow_unknown && !current_mapping[tclass].perms[i])
228  result |= 1<<i;
229  }
230  avd->allowed = result;
231 
232  for (i = 0, result = 0; i < n; i++)
233  if (avd->auditallow & current_mapping[tclass].perms[i])
234  result |= 1<<i;
235  avd->auditallow = result;
236 
237  for (i = 0, result = 0; i < n; i++) {
238  if (avd->auditdeny & current_mapping[tclass].perms[i])
239  result |= 1<<i;
240  if (!allow_unknown && !current_mapping[tclass].perms[i])
241  result |= 1<<i;
242  }
243  /*
244  * In case the kernel has a bug and requests a permission
245  * between num_perms and the maximum permission number, we
246  * should audit that denial
247  */
248  for (; i < (sizeof(u32)*8); i++)
249  result |= 1<<i;
250  avd->auditdeny = result;
251  }
252 }
253 
255 {
256  return policydb.mls_enabled;
257 }
258 
259 /*
260  * Return the boolean value of a constraint expression
261  * when it is applied to the specified source and target
262  * security contexts.
263  *
264  * xcontext is a special beast... It is used by the validatetrans rules
265  * only. For these rules, scontext is the context before the transition,
266  * tcontext is the context after the transition, and xcontext is the context
267  * of the process performing the transition. All other callers of
268  * constraint_expr_eval should pass in NULL for xcontext.
269  */
270 static int constraint_expr_eval(struct context *scontext,
271  struct context *tcontext,
272  struct context *xcontext,
273  struct constraint_expr *cexpr)
274 {
275  u32 val1, val2;
276  struct context *c;
277  struct role_datum *r1, *r2;
278  struct mls_level *l1, *l2;
279  struct constraint_expr *e;
280  int s[CEXPR_MAXDEPTH];
281  int sp = -1;
282 
283  for (e = cexpr; e; e = e->next) {
284  switch (e->expr_type) {
285  case CEXPR_NOT:
286  BUG_ON(sp < 0);
287  s[sp] = !s[sp];
288  break;
289  case CEXPR_AND:
290  BUG_ON(sp < 1);
291  sp--;
292  s[sp] &= s[sp + 1];
293  break;
294  case CEXPR_OR:
295  BUG_ON(sp < 1);
296  sp--;
297  s[sp] |= s[sp + 1];
298  break;
299  case CEXPR_ATTR:
300  if (sp == (CEXPR_MAXDEPTH - 1))
301  return 0;
302  switch (e->attr) {
303  case CEXPR_USER:
304  val1 = scontext->user;
305  val2 = tcontext->user;
306  break;
307  case CEXPR_TYPE:
308  val1 = scontext->type;
309  val2 = tcontext->type;
310  break;
311  case CEXPR_ROLE:
312  val1 = scontext->role;
313  val2 = tcontext->role;
314  r1 = policydb.role_val_to_struct[val1 - 1];
315  r2 = policydb.role_val_to_struct[val2 - 1];
316  switch (e->op) {
317  case CEXPR_DOM:
318  s[++sp] = ebitmap_get_bit(&r1->dominates,
319  val2 - 1);
320  continue;
321  case CEXPR_DOMBY:
322  s[++sp] = ebitmap_get_bit(&r2->dominates,
323  val1 - 1);
324  continue;
325  case CEXPR_INCOMP:
326  s[++sp] = (!ebitmap_get_bit(&r1->dominates,
327  val2 - 1) &&
329  val1 - 1));
330  continue;
331  default:
332  break;
333  }
334  break;
335  case CEXPR_L1L2:
336  l1 = &(scontext->range.level[0]);
337  l2 = &(tcontext->range.level[0]);
338  goto mls_ops;
339  case CEXPR_L1H2:
340  l1 = &(scontext->range.level[0]);
341  l2 = &(tcontext->range.level[1]);
342  goto mls_ops;
343  case CEXPR_H1L2:
344  l1 = &(scontext->range.level[1]);
345  l2 = &(tcontext->range.level[0]);
346  goto mls_ops;
347  case CEXPR_H1H2:
348  l1 = &(scontext->range.level[1]);
349  l2 = &(tcontext->range.level[1]);
350  goto mls_ops;
351  case CEXPR_L1H1:
352  l1 = &(scontext->range.level[0]);
353  l2 = &(scontext->range.level[1]);
354  goto mls_ops;
355  case CEXPR_L2H2:
356  l1 = &(tcontext->range.level[0]);
357  l2 = &(tcontext->range.level[1]);
358  goto mls_ops;
359 mls_ops:
360  switch (e->op) {
361  case CEXPR_EQ:
362  s[++sp] = mls_level_eq(l1, l2);
363  continue;
364  case CEXPR_NEQ:
365  s[++sp] = !mls_level_eq(l1, l2);
366  continue;
367  case CEXPR_DOM:
368  s[++sp] = mls_level_dom(l1, l2);
369  continue;
370  case CEXPR_DOMBY:
371  s[++sp] = mls_level_dom(l2, l1);
372  continue;
373  case CEXPR_INCOMP:
374  s[++sp] = mls_level_incomp(l2, l1);
375  continue;
376  default:
377  BUG();
378  return 0;
379  }
380  break;
381  default:
382  BUG();
383  return 0;
384  }
385 
386  switch (e->op) {
387  case CEXPR_EQ:
388  s[++sp] = (val1 == val2);
389  break;
390  case CEXPR_NEQ:
391  s[++sp] = (val1 != val2);
392  break;
393  default:
394  BUG();
395  return 0;
396  }
397  break;
398  case CEXPR_NAMES:
399  if (sp == (CEXPR_MAXDEPTH-1))
400  return 0;
401  c = scontext;
402  if (e->attr & CEXPR_TARGET)
403  c = tcontext;
404  else if (e->attr & CEXPR_XTARGET) {
405  c = xcontext;
406  if (!c) {
407  BUG();
408  return 0;
409  }
410  }
411  if (e->attr & CEXPR_USER)
412  val1 = c->user;
413  else if (e->attr & CEXPR_ROLE)
414  val1 = c->role;
415  else if (e->attr & CEXPR_TYPE)
416  val1 = c->type;
417  else {
418  BUG();
419  return 0;
420  }
421 
422  switch (e->op) {
423  case CEXPR_EQ:
424  s[++sp] = ebitmap_get_bit(&e->names, val1 - 1);
425  break;
426  case CEXPR_NEQ:
427  s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1);
428  break;
429  default:
430  BUG();
431  return 0;
432  }
433  break;
434  default:
435  BUG();
436  return 0;
437  }
438  }
439 
440  BUG_ON(sp != 0);
441  return s[0];
442 }
443 
444 /*
445  * security_dump_masked_av - dumps masked permissions during
446  * security_compute_av due to RBAC, MLS/Constraint and Type bounds.
447  */
448 static int dump_masked_av_helper(void *k, void *d, void *args)
449 {
450  struct perm_datum *pdatum = d;
451  char **permission_names = args;
452 
453  BUG_ON(pdatum->value < 1 || pdatum->value > 32);
454 
455  permission_names[pdatum->value - 1] = (char *)k;
456 
457  return 0;
458 }
459 
460 static void security_dump_masked_av(struct context *scontext,
461  struct context *tcontext,
462  u16 tclass,
464  const char *reason)
465 {
466  struct common_datum *common_dat;
467  struct class_datum *tclass_dat;
468  struct audit_buffer *ab;
469  char *tclass_name;
470  char *scontext_name = NULL;
471  char *tcontext_name = NULL;
472  char *permission_names[32];
473  int index;
474  u32 length;
475  bool need_comma = false;
476 
477  if (!permissions)
478  return;
479 
480  tclass_name = sym_name(&policydb, SYM_CLASSES, tclass - 1);
481  tclass_dat = policydb.class_val_to_struct[tclass - 1];
482  common_dat = tclass_dat->comdatum;
483 
484  /* init permission_names */
485  if (common_dat &&
486  hashtab_map(common_dat->permissions.table,
487  dump_masked_av_helper, permission_names) < 0)
488  goto out;
489 
490  if (hashtab_map(tclass_dat->permissions.table,
491  dump_masked_av_helper, permission_names) < 0)
492  goto out;
493 
494  /* get scontext/tcontext in text form */
495  if (context_struct_to_string(scontext,
496  &scontext_name, &length) < 0)
497  goto out;
498 
499  if (context_struct_to_string(tcontext,
500  &tcontext_name, &length) < 0)
501  goto out;
502 
503  /* audit a message */
504  ab = audit_log_start(current->audit_context,
506  if (!ab)
507  goto out;
508 
509  audit_log_format(ab, "op=security_compute_av reason=%s "
510  "scontext=%s tcontext=%s tclass=%s perms=",
511  reason, scontext_name, tcontext_name, tclass_name);
512 
513  for (index = 0; index < 32; index++) {
514  u32 mask = (1 << index);
515 
516  if ((mask & permissions) == 0)
517  continue;
518 
519  audit_log_format(ab, "%s%s",
520  need_comma ? "," : "",
521  permission_names[index]
522  ? permission_names[index] : "????");
523  need_comma = true;
524  }
525  audit_log_end(ab);
526 out:
527  /* release scontext/tcontext */
528  kfree(tcontext_name);
529  kfree(scontext_name);
530 
531  return;
532 }
533 
534 /*
535  * security_boundary_permission - drops violated permissions
536  * on boundary constraint.
537  */
538 static void type_attribute_bounds_av(struct context *scontext,
539  struct context *tcontext,
540  u16 tclass,
541  struct av_decision *avd)
542 {
543  struct context lo_scontext;
544  struct context lo_tcontext;
545  struct av_decision lo_avd;
546  struct type_datum *source;
547  struct type_datum *target;
548  u32 masked = 0;
549 
551  scontext->type - 1);
552  BUG_ON(!source);
553 
555  tcontext->type - 1);
556  BUG_ON(!target);
557 
558  if (source->bounds) {
559  memset(&lo_avd, 0, sizeof(lo_avd));
560 
561  memcpy(&lo_scontext, scontext, sizeof(lo_scontext));
562  lo_scontext.type = source->bounds;
563 
564  context_struct_compute_av(&lo_scontext,
565  tcontext,
566  tclass,
567  &lo_avd);
568  if ((lo_avd.allowed & avd->allowed) == avd->allowed)
569  return; /* no masked permission */
570  masked = ~lo_avd.allowed & avd->allowed;
571  }
572 
573  if (target->bounds) {
574  memset(&lo_avd, 0, sizeof(lo_avd));
575 
576  memcpy(&lo_tcontext, tcontext, sizeof(lo_tcontext));
577  lo_tcontext.type = target->bounds;
578 
579  context_struct_compute_av(scontext,
580  &lo_tcontext,
581  tclass,
582  &lo_avd);
583  if ((lo_avd.allowed & avd->allowed) == avd->allowed)
584  return; /* no masked permission */
585  masked = ~lo_avd.allowed & avd->allowed;
586  }
587 
588  if (source->bounds && target->bounds) {
589  memset(&lo_avd, 0, sizeof(lo_avd));
590  /*
591  * lo_scontext and lo_tcontext are already
592  * set up.
593  */
594 
595  context_struct_compute_av(&lo_scontext,
596  &lo_tcontext,
597  tclass,
598  &lo_avd);
599  if ((lo_avd.allowed & avd->allowed) == avd->allowed)
600  return; /* no masked permission */
601  masked = ~lo_avd.allowed & avd->allowed;
602  }
603 
604  if (masked) {
605  /* mask violated permissions */
606  avd->allowed &= ~masked;
607 
608  /* audit masked permissions */
609  security_dump_masked_av(scontext, tcontext,
610  tclass, masked, "bounds");
611  }
612 }
613 
614 /*
615  * Compute access vectors based on a context structure pair for
616  * the permissions in a particular class.
617  */
618 static void context_struct_compute_av(struct context *scontext,
619  struct context *tcontext,
620  u16 tclass,
621  struct av_decision *avd)
622 {
623  struct constraint_node *constraint;
624  struct role_allow *ra;
625  struct avtab_key avkey;
626  struct avtab_node *node;
627  struct class_datum *tclass_datum;
628  struct ebitmap *sattr, *tattr;
629  struct ebitmap_node *snode, *tnode;
630  unsigned int i, j;
631 
632  avd->allowed = 0;
633  avd->auditallow = 0;
634  avd->auditdeny = 0xffffffff;
635 
636  if (unlikely(!tclass || tclass > policydb.p_classes.nprim)) {
637  if (printk_ratelimit())
638  printk(KERN_WARNING "SELinux: Invalid class %hu\n", tclass);
639  return;
640  }
641 
642  tclass_datum = policydb.class_val_to_struct[tclass - 1];
643 
644  /*
645  * If a specific type enforcement rule was defined for
646  * this permission check, then use it.
647  */
648  avkey.target_class = tclass;
649  avkey.specified = AVTAB_AV;
650  sattr = flex_array_get(policydb.type_attr_map_array, scontext->type - 1);
651  BUG_ON(!sattr);
652  tattr = flex_array_get(policydb.type_attr_map_array, tcontext->type - 1);
653  BUG_ON(!tattr);
654  ebitmap_for_each_positive_bit(sattr, snode, i) {
655  ebitmap_for_each_positive_bit(tattr, tnode, j) {
656  avkey.source_type = i + 1;
657  avkey.target_type = j + 1;
658  for (node = avtab_search_node(&policydb.te_avtab, &avkey);
659  node;
660  node = avtab_search_node_next(node, avkey.specified)) {
661  if (node->key.specified == AVTAB_ALLOWED)
662  avd->allowed |= node->datum.data;
663  else if (node->key.specified == AVTAB_AUDITALLOW)
664  avd->auditallow |= node->datum.data;
665  else if (node->key.specified == AVTAB_AUDITDENY)
666  avd->auditdeny &= node->datum.data;
667  }
668 
669  /* Check conditional av table for additional permissions */
670  cond_compute_av(&policydb.te_cond_avtab, &avkey, avd);
671 
672  }
673  }
674 
675  /*
676  * Remove any permissions prohibited by a constraint (this includes
677  * the MLS policy).
678  */
679  constraint = tclass_datum->constraints;
680  while (constraint) {
681  if ((constraint->permissions & (avd->allowed)) &&
682  !constraint_expr_eval(scontext, tcontext, NULL,
683  constraint->expr)) {
684  avd->allowed &= ~(constraint->permissions);
685  }
686  constraint = constraint->next;
687  }
688 
689  /*
690  * If checking process transition permission and the
691  * role is changing, then check the (current_role, new_role)
692  * pair.
693  */
694  if (tclass == policydb.process_class &&
696  scontext->role != tcontext->role) {
697  for (ra = policydb.role_allow; ra; ra = ra->next) {
698  if (scontext->role == ra->role &&
699  tcontext->role == ra->new_role)
700  break;
701  }
702  if (!ra)
704  }
705 
706  /*
707  * If the given source and target types have boundary
708  * constraint, lazy checks have to mask any violated
709  * permission and notice it to userspace via audit.
710  */
711  type_attribute_bounds_av(scontext, tcontext,
712  tclass, avd);
713 }
714 
715 static int security_validtrans_handle_fail(struct context *ocontext,
716  struct context *ncontext,
717  struct context *tcontext,
718  u16 tclass)
719 {
720  char *o = NULL, *n = NULL, *t = NULL;
721  u32 olen, nlen, tlen;
722 
723  if (context_struct_to_string(ocontext, &o, &olen))
724  goto out;
725  if (context_struct_to_string(ncontext, &n, &nlen))
726  goto out;
727  if (context_struct_to_string(tcontext, &t, &tlen))
728  goto out;
730  "security_validate_transition: denied for"
731  " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
732  o, n, t, sym_name(&policydb, SYM_CLASSES, tclass-1));
733 out:
734  kfree(o);
735  kfree(n);
736  kfree(t);
737 
738  if (!selinux_enforcing)
739  return 0;
740  return -EPERM;
741 }
742 
743 int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
744  u16 orig_tclass)
745 {
746  struct context *ocontext;
747  struct context *ncontext;
748  struct context *tcontext;
749  struct class_datum *tclass_datum;
750  struct constraint_node *constraint;
751  u16 tclass;
752  int rc = 0;
753 
754  if (!ss_initialized)
755  return 0;
756 
757  read_lock(&policy_rwlock);
758 
759  tclass = unmap_class(orig_tclass);
760 
761  if (!tclass || tclass > policydb.p_classes.nprim) {
762  printk(KERN_ERR "SELinux: %s: unrecognized class %d\n",
763  __func__, tclass);
764  rc = -EINVAL;
765  goto out;
766  }
767  tclass_datum = policydb.class_val_to_struct[tclass - 1];
768 
769  ocontext = sidtab_search(&sidtab, oldsid);
770  if (!ocontext) {
771  printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
772  __func__, oldsid);
773  rc = -EINVAL;
774  goto out;
775  }
776 
777  ncontext = sidtab_search(&sidtab, newsid);
778  if (!ncontext) {
779  printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
780  __func__, newsid);
781  rc = -EINVAL;
782  goto out;
783  }
784 
785  tcontext = sidtab_search(&sidtab, tasksid);
786  if (!tcontext) {
787  printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
788  __func__, tasksid);
789  rc = -EINVAL;
790  goto out;
791  }
792 
793  constraint = tclass_datum->validatetrans;
794  while (constraint) {
795  if (!constraint_expr_eval(ocontext, ncontext, tcontext,
796  constraint->expr)) {
797  rc = security_validtrans_handle_fail(ocontext, ncontext,
798  tcontext, tclass);
799  goto out;
800  }
801  constraint = constraint->next;
802  }
803 
804 out:
805  read_unlock(&policy_rwlock);
806  return rc;
807 }
808 
809 /*
810  * security_bounded_transition - check whether the given
811  * transition is directed to bounded, or not.
812  * It returns 0, if @newsid is bounded by @oldsid.
813  * Otherwise, it returns error code.
814  *
815  * @oldsid : current security identifier
816  * @newsid : destinated security identifier
817  */
818 int security_bounded_transition(u32 old_sid, u32 new_sid)
819 {
820  struct context *old_context, *new_context;
821  struct type_datum *type;
822  int index;
823  int rc;
824 
825  read_lock(&policy_rwlock);
826 
827  rc = -EINVAL;
828  old_context = sidtab_search(&sidtab, old_sid);
829  if (!old_context) {
830  printk(KERN_ERR "SELinux: %s: unrecognized SID %u\n",
831  __func__, old_sid);
832  goto out;
833  }
834 
835  rc = -EINVAL;
836  new_context = sidtab_search(&sidtab, new_sid);
837  if (!new_context) {
838  printk(KERN_ERR "SELinux: %s: unrecognized SID %u\n",
839  __func__, new_sid);
840  goto out;
841  }
842 
843  rc = 0;
844  /* type/domain unchanged */
845  if (old_context->type == new_context->type)
846  goto out;
847 
848  index = new_context->type;
849  while (true) {
851  index - 1);
852  BUG_ON(!type);
853 
854  /* not bounded anymore */
855  rc = -EPERM;
856  if (!type->bounds)
857  break;
858 
859  /* @newsid is bounded by @oldsid */
860  rc = 0;
861  if (type->bounds == old_context->type)
862  break;
863 
864  index = type->bounds;
865  }
866 
867  if (rc) {
868  char *old_name = NULL;
869  char *new_name = NULL;
870  u32 length;
871 
872  if (!context_struct_to_string(old_context,
873  &old_name, &length) &&
874  !context_struct_to_string(new_context,
875  &new_name, &length)) {
876  audit_log(current->audit_context,
878  "op=security_bounded_transition "
879  "result=denied "
880  "oldcontext=%s newcontext=%s",
881  old_name, new_name);
882  }
883  kfree(new_name);
884  kfree(old_name);
885  }
886 out:
887  read_unlock(&policy_rwlock);
888 
889  return rc;
890 }
891 
892 static void avd_init(struct av_decision *avd)
893 {
894  avd->allowed = 0;
895  avd->auditallow = 0;
896  avd->auditdeny = 0xffffffff;
897  avd->seqno = latest_granting;
898  avd->flags = 0;
899 }
900 
901 
913  u32 tsid,
914  u16 orig_tclass,
915  struct av_decision *avd)
916 {
917  u16 tclass;
918  struct context *scontext = NULL, *tcontext = NULL;
919 
920  read_lock(&policy_rwlock);
921  avd_init(avd);
922  if (!ss_initialized)
923  goto allow;
924 
925  scontext = sidtab_search(&sidtab, ssid);
926  if (!scontext) {
927  printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
928  __func__, ssid);
929  goto out;
930  }
931 
932  /* permissive domain? */
933  if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
934  avd->flags |= AVD_FLAGS_PERMISSIVE;
935 
936  tcontext = sidtab_search(&sidtab, tsid);
937  if (!tcontext) {
938  printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
939  __func__, tsid);
940  goto out;
941  }
942 
943  tclass = unmap_class(orig_tclass);
944  if (unlikely(orig_tclass && !tclass)) {
946  goto allow;
947  goto out;
948  }
949  context_struct_compute_av(scontext, tcontext, tclass, avd);
950  map_decision(orig_tclass, avd, policydb.allow_unknown);
951 out:
952  read_unlock(&policy_rwlock);
953  return;
954 allow:
955  avd->allowed = 0xffffffff;
956  goto out;
957 }
958 
960  u32 tsid,
961  u16 tclass,
962  struct av_decision *avd)
963 {
964  struct context *scontext = NULL, *tcontext = NULL;
965 
966  read_lock(&policy_rwlock);
967  avd_init(avd);
968  if (!ss_initialized)
969  goto allow;
970 
971  scontext = sidtab_search(&sidtab, ssid);
972  if (!scontext) {
973  printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
974  __func__, ssid);
975  goto out;
976  }
977 
978  /* permissive domain? */
979  if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
980  avd->flags |= AVD_FLAGS_PERMISSIVE;
981 
982  tcontext = sidtab_search(&sidtab, tsid);
983  if (!tcontext) {
984  printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
985  __func__, tsid);
986  goto out;
987  }
988 
989  if (unlikely(!tclass)) {
991  goto allow;
992  goto out;
993  }
994 
995  context_struct_compute_av(scontext, tcontext, tclass, avd);
996  out:
997  read_unlock(&policy_rwlock);
998  return;
999 allow:
1000  avd->allowed = 0xffffffff;
1001  goto out;
1002 }
1003 
1004 /*
1005  * Write the security context string representation of
1006  * the context structure `context' into a dynamically
1007  * allocated string of the correct size. Set `*scontext'
1008  * to point to this string and set `*scontext_len' to
1009  * the length of the string.
1010  */
1011 static int context_struct_to_string(struct context *context, char **scontext, u32 *scontext_len)
1012 {
1013  char *scontextp;
1014 
1015  if (scontext)
1016  *scontext = NULL;
1017  *scontext_len = 0;
1018 
1019  if (context->len) {
1020  *scontext_len = context->len;
1021  if (scontext) {
1022  *scontext = kstrdup(context->str, GFP_ATOMIC);
1023  if (!(*scontext))
1024  return -ENOMEM;
1025  }
1026  return 0;
1027  }
1028 
1029  /* Compute the size of the context. */
1030  *scontext_len += strlen(sym_name(&policydb, SYM_USERS, context->user - 1)) + 1;
1031  *scontext_len += strlen(sym_name(&policydb, SYM_ROLES, context->role - 1)) + 1;
1032  *scontext_len += strlen(sym_name(&policydb, SYM_TYPES, context->type - 1)) + 1;
1033  *scontext_len += mls_compute_context_len(context);
1034 
1035  if (!scontext)
1036  return 0;
1037 
1038  /* Allocate space for the context; caller must free this space. */
1039  scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
1040  if (!scontextp)
1041  return -ENOMEM;
1042  *scontext = scontextp;
1043 
1044  /*
1045  * Copy the user name, role name and type name into the context.
1046  */
1047  sprintf(scontextp, "%s:%s:%s",
1048  sym_name(&policydb, SYM_USERS, context->user - 1),
1049  sym_name(&policydb, SYM_ROLES, context->role - 1),
1050  sym_name(&policydb, SYM_TYPES, context->type - 1));
1051  scontextp += strlen(sym_name(&policydb, SYM_USERS, context->user - 1)) +
1052  1 + strlen(sym_name(&policydb, SYM_ROLES, context->role - 1)) +
1053  1 + strlen(sym_name(&policydb, SYM_TYPES, context->type - 1));
1054 
1055  mls_sid_to_context(context, &scontextp);
1056 
1057  *scontextp = 0;
1058 
1059  return 0;
1060 }
1061 
1062 #include "initial_sid_to_string.h"
1063 
1065 {
1066  if (unlikely(sid > SECINITSID_NUM))
1067  return NULL;
1068  return initial_sid_to_string[sid];
1069 }
1070 
1071 static int security_sid_to_context_core(u32 sid, char **scontext,
1072  u32 *scontext_len, int force)
1073 {
1074  struct context *context;
1075  int rc = 0;
1076 
1077  if (scontext)
1078  *scontext = NULL;
1079  *scontext_len = 0;
1080 
1081  if (!ss_initialized) {
1082  if (sid <= SECINITSID_NUM) {
1083  char *scontextp;
1084 
1085  *scontext_len = strlen(initial_sid_to_string[sid]) + 1;
1086  if (!scontext)
1087  goto out;
1088  scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
1089  if (!scontextp) {
1090  rc = -ENOMEM;
1091  goto out;
1092  }
1093  strcpy(scontextp, initial_sid_to_string[sid]);
1094  *scontext = scontextp;
1095  goto out;
1096  }
1097  printk(KERN_ERR "SELinux: %s: called before initial "
1098  "load_policy on unknown SID %d\n", __func__, sid);
1099  rc = -EINVAL;
1100  goto out;
1101  }
1102  read_lock(&policy_rwlock);
1103  if (force)
1104  context = sidtab_search_force(&sidtab, sid);
1105  else
1106  context = sidtab_search(&sidtab, sid);
1107  if (!context) {
1108  printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
1109  __func__, sid);
1110  rc = -EINVAL;
1111  goto out_unlock;
1112  }
1113  rc = context_struct_to_string(context, scontext, scontext_len);
1114 out_unlock:
1115  read_unlock(&policy_rwlock);
1116 out:
1117  return rc;
1118 
1119 }
1120 
1131 int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
1132 {
1133  return security_sid_to_context_core(sid, scontext, scontext_len, 0);
1134 }
1135 
1136 int security_sid_to_context_force(u32 sid, char **scontext, u32 *scontext_len)
1137 {
1138  return security_sid_to_context_core(sid, scontext, scontext_len, 1);
1139 }
1140 
1141 /*
1142  * Caveat: Mutates scontext.
1143  */
1144 static int string_to_context_struct(struct policydb *pol,
1145  struct sidtab *sidtabp,
1146  char *scontext,
1147  u32 scontext_len,
1148  struct context *ctx,
1149  u32 def_sid)
1150 {
1151  struct role_datum *role;
1152  struct type_datum *typdatum;
1153  struct user_datum *usrdatum;
1154  char *scontextp, *p, oldc;
1155  int rc = 0;
1156 
1157  context_init(ctx);
1158 
1159  /* Parse the security context. */
1160 
1161  rc = -EINVAL;
1162  scontextp = (char *) scontext;
1163 
1164  /* Extract the user. */
1165  p = scontextp;
1166  while (*p && *p != ':')
1167  p++;
1168 
1169  if (*p == 0)
1170  goto out;
1171 
1172  *p++ = 0;
1173 
1174  usrdatum = hashtab_search(pol->p_users.table, scontextp);
1175  if (!usrdatum)
1176  goto out;
1177 
1178  ctx->user = usrdatum->value;
1179 
1180  /* Extract role. */
1181  scontextp = p;
1182  while (*p && *p != ':')
1183  p++;
1184 
1185  if (*p == 0)
1186  goto out;
1187 
1188  *p++ = 0;
1189 
1190  role = hashtab_search(pol->p_roles.table, scontextp);
1191  if (!role)
1192  goto out;
1193  ctx->role = role->value;
1194 
1195  /* Extract type. */
1196  scontextp = p;
1197  while (*p && *p != ':')
1198  p++;
1199  oldc = *p;
1200  *p++ = 0;
1201 
1202  typdatum = hashtab_search(pol->p_types.table, scontextp);
1203  if (!typdatum || typdatum->attribute)
1204  goto out;
1205 
1206  ctx->type = typdatum->value;
1207 
1208  rc = mls_context_to_sid(pol, oldc, &p, ctx, sidtabp, def_sid);
1209  if (rc)
1210  goto out;
1211 
1212  rc = -EINVAL;
1213  if ((p - scontext) < scontext_len)
1214  goto out;
1215 
1216  /* Check the validity of the new context. */
1217  if (!policydb_context_isvalid(pol, ctx))
1218  goto out;
1219  rc = 0;
1220 out:
1221  if (rc)
1222  context_destroy(ctx);
1223  return rc;
1224 }
1225 
1226 static int security_context_to_sid_core(const char *scontext, u32 scontext_len,
1227  u32 *sid, u32 def_sid, gfp_t gfp_flags,
1228  int force)
1229 {
1230  char *scontext2, *str = NULL;
1231  struct context context;
1232  int rc = 0;
1233 
1234  if (!ss_initialized) {
1235  int i;
1236 
1237  for (i = 1; i < SECINITSID_NUM; i++) {
1238  if (!strcmp(initial_sid_to_string[i], scontext)) {
1239  *sid = i;
1240  return 0;
1241  }
1242  }
1243  *sid = SECINITSID_KERNEL;
1244  return 0;
1245  }
1246  *sid = SECSID_NULL;
1247 
1248  /* Copy the string so that we can modify the copy as we parse it. */
1249  scontext2 = kmalloc(scontext_len + 1, gfp_flags);
1250  if (!scontext2)
1251  return -ENOMEM;
1252  memcpy(scontext2, scontext, scontext_len);
1253  scontext2[scontext_len] = 0;
1254 
1255  if (force) {
1256  /* Save another copy for storing in uninterpreted form */
1257  rc = -ENOMEM;
1258  str = kstrdup(scontext2, gfp_flags);
1259  if (!str)
1260  goto out;
1261  }
1262 
1263  read_lock(&policy_rwlock);
1264  rc = string_to_context_struct(&policydb, &sidtab, scontext2,
1265  scontext_len, &context, def_sid);
1266  if (rc == -EINVAL && force) {
1267  context.str = str;
1268  context.len = scontext_len;
1269  str = NULL;
1270  } else if (rc)
1271  goto out_unlock;
1272  rc = sidtab_context_to_sid(&sidtab, &context, sid);
1273  context_destroy(&context);
1274 out_unlock:
1275  read_unlock(&policy_rwlock);
1276 out:
1277  kfree(scontext2);
1278  kfree(str);
1279  return rc;
1280 }
1281 
1293 int security_context_to_sid(const char *scontext, u32 scontext_len, u32 *sid)
1294 {
1295  return security_context_to_sid_core(scontext, scontext_len,
1296  sid, SECSID_NULL, GFP_KERNEL, 0);
1297 }
1298 
1317 int security_context_to_sid_default(const char *scontext, u32 scontext_len,
1318  u32 *sid, u32 def_sid, gfp_t gfp_flags)
1319 {
1320  return security_context_to_sid_core(scontext, scontext_len,
1321  sid, def_sid, gfp_flags, 1);
1322 }
1323 
1324 int security_context_to_sid_force(const char *scontext, u32 scontext_len,
1325  u32 *sid)
1326 {
1327  return security_context_to_sid_core(scontext, scontext_len,
1328  sid, SECSID_NULL, GFP_KERNEL, 1);
1329 }
1330 
1331 static int compute_sid_handle_invalid_context(
1332  struct context *scontext,
1333  struct context *tcontext,
1334  u16 tclass,
1335  struct context *newcontext)
1336 {
1337  char *s = NULL, *t = NULL, *n = NULL;
1338  u32 slen, tlen, nlen;
1339 
1340  if (context_struct_to_string(scontext, &s, &slen))
1341  goto out;
1342  if (context_struct_to_string(tcontext, &t, &tlen))
1343  goto out;
1344  if (context_struct_to_string(newcontext, &n, &nlen))
1345  goto out;
1346  audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
1347  "security_compute_sid: invalid context %s"
1348  " for scontext=%s"
1349  " tcontext=%s"
1350  " tclass=%s",
1351  n, s, t, sym_name(&policydb, SYM_CLASSES, tclass-1));
1352 out:
1353  kfree(s);
1354  kfree(t);
1355  kfree(n);
1356  if (!selinux_enforcing)
1357  return 0;
1358  return -EACCES;
1359 }
1360 
1361 static void filename_compute_type(struct policydb *p, struct context *newcontext,
1362  u32 stype, u32 ttype, u16 tclass,
1363  const char *objname)
1364 {
1365  struct filename_trans ft;
1366  struct filename_trans_datum *otype;
1367 
1368  /*
1369  * Most filename trans rules are going to live in specific directories
1370  * like /dev or /var/run. This bitmap will quickly skip rule searches
1371  * if the ttype does not contain any rules.
1372  */
1373  if (!ebitmap_get_bit(&p->filename_trans_ttypes, ttype))
1374  return;
1375 
1376  ft.stype = stype;
1377  ft.ttype = ttype;
1378  ft.tclass = tclass;
1379  ft.name = objname;
1380 
1381  otype = hashtab_search(p->filename_trans, &ft);
1382  if (otype)
1383  newcontext->type = otype->otype;
1384 }
1385 
1386 static int security_compute_sid(u32 ssid,
1387  u32 tsid,
1388  u16 orig_tclass,
1389  u32 specified,
1390  const char *objname,
1391  u32 *out_sid,
1392  bool kern)
1393 {
1394  struct class_datum *cladatum = NULL;
1395  struct context *scontext = NULL, *tcontext = NULL, newcontext;
1396  struct role_trans *roletr = NULL;
1397  struct avtab_key avkey;
1398  struct avtab_datum *avdatum;
1399  struct avtab_node *node;
1400  u16 tclass;
1401  int rc = 0;
1402  bool sock;
1403 
1404  if (!ss_initialized) {
1405  switch (orig_tclass) {
1406  case SECCLASS_PROCESS: /* kernel value */
1407  *out_sid = ssid;
1408  break;
1409  default:
1410  *out_sid = tsid;
1411  break;
1412  }
1413  goto out;
1414  }
1415 
1416  context_init(&newcontext);
1417 
1418  read_lock(&policy_rwlock);
1419 
1420  if (kern) {
1421  tclass = unmap_class(orig_tclass);
1422  sock = security_is_socket_class(orig_tclass);
1423  } else {
1424  tclass = orig_tclass;
1425  sock = security_is_socket_class(map_class(tclass));
1426  }
1427 
1428  scontext = sidtab_search(&sidtab, ssid);
1429  if (!scontext) {
1430  printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
1431  __func__, ssid);
1432  rc = -EINVAL;
1433  goto out_unlock;
1434  }
1435  tcontext = sidtab_search(&sidtab, tsid);
1436  if (!tcontext) {
1437  printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
1438  __func__, tsid);
1439  rc = -EINVAL;
1440  goto out_unlock;
1441  }
1442 
1443  if (tclass && tclass <= policydb.p_classes.nprim)
1444  cladatum = policydb.class_val_to_struct[tclass - 1];
1445 
1446  /* Set the user identity. */
1447  switch (specified) {
1448  case AVTAB_TRANSITION:
1449  case AVTAB_CHANGE:
1450  if (cladatum && cladatum->default_user == DEFAULT_TARGET) {
1451  newcontext.user = tcontext->user;
1452  } else {
1453  /* notice this gets both DEFAULT_SOURCE and unset */
1454  /* Use the process user identity. */
1455  newcontext.user = scontext->user;
1456  }
1457  break;
1458  case AVTAB_MEMBER:
1459  /* Use the related object owner. */
1460  newcontext.user = tcontext->user;
1461  break;
1462  }
1463 
1464  /* Set the role to default values. */
1465  if (cladatum && cladatum->default_role == DEFAULT_SOURCE) {
1466  newcontext.role = scontext->role;
1467  } else if (cladatum && cladatum->default_role == DEFAULT_TARGET) {
1468  newcontext.role = tcontext->role;
1469  } else {
1470  if ((tclass == policydb.process_class) || (sock == true))
1471  newcontext.role = scontext->role;
1472  else
1473  newcontext.role = OBJECT_R_VAL;
1474  }
1475 
1476  /* Set the type to default values. */
1477  if (cladatum && cladatum->default_type == DEFAULT_SOURCE) {
1478  newcontext.type = scontext->type;
1479  } else if (cladatum && cladatum->default_type == DEFAULT_TARGET) {
1480  newcontext.type = tcontext->type;
1481  } else {
1482  if ((tclass == policydb.process_class) || (sock == true)) {
1483  /* Use the type of process. */
1484  newcontext.type = scontext->type;
1485  } else {
1486  /* Use the type of the related object. */
1487  newcontext.type = tcontext->type;
1488  }
1489  }
1490 
1491  /* Look for a type transition/member/change rule. */
1492  avkey.source_type = scontext->type;
1493  avkey.target_type = tcontext->type;
1494  avkey.target_class = tclass;
1495  avkey.specified = specified;
1496  avdatum = avtab_search(&policydb.te_avtab, &avkey);
1497 
1498  /* If no permanent rule, also check for enabled conditional rules */
1499  if (!avdatum) {
1500  node = avtab_search_node(&policydb.te_cond_avtab, &avkey);
1501  for (; node; node = avtab_search_node_next(node, specified)) {
1502  if (node->key.specified & AVTAB_ENABLED) {
1503  avdatum = &node->datum;
1504  break;
1505  }
1506  }
1507  }
1508 
1509  if (avdatum) {
1510  /* Use the type from the type transition/member/change rule. */
1511  newcontext.type = avdatum->data;
1512  }
1513 
1514  /* if we have a objname this is a file trans check so check those rules */
1515  if (objname)
1516  filename_compute_type(&policydb, &newcontext, scontext->type,
1517  tcontext->type, tclass, objname);
1518 
1519  /* Check for class-specific changes. */
1520  if (specified & AVTAB_TRANSITION) {
1521  /* Look for a role transition rule. */
1522  for (roletr = policydb.role_tr; roletr; roletr = roletr->next) {
1523  if ((roletr->role == scontext->role) &&
1524  (roletr->type == tcontext->type) &&
1525  (roletr->tclass == tclass)) {
1526  /* Use the role transition rule. */
1527  newcontext.role = roletr->new_role;
1528  break;
1529  }
1530  }
1531  }
1532 
1533  /* Set the MLS attributes.
1534  This is done last because it may allocate memory. */
1535  rc = mls_compute_sid(scontext, tcontext, tclass, specified,
1536  &newcontext, sock);
1537  if (rc)
1538  goto out_unlock;
1539 
1540  /* Check the validity of the context. */
1541  if (!policydb_context_isvalid(&policydb, &newcontext)) {
1542  rc = compute_sid_handle_invalid_context(scontext,
1543  tcontext,
1544  tclass,
1545  &newcontext);
1546  if (rc)
1547  goto out_unlock;
1548  }
1549  /* Obtain the sid for the context. */
1550  rc = sidtab_context_to_sid(&sidtab, &newcontext, out_sid);
1551 out_unlock:
1552  read_unlock(&policy_rwlock);
1553  context_destroy(&newcontext);
1554 out:
1555  return rc;
1556 }
1557 
1571 int security_transition_sid(u32 ssid, u32 tsid, u16 tclass,
1572  const struct qstr *qstr, u32 *out_sid)
1573 {
1574  return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
1575  qstr ? qstr->name : NULL, out_sid, true);
1576 }
1577 
1578 int security_transition_sid_user(u32 ssid, u32 tsid, u16 tclass,
1579  const char *objname, u32 *out_sid)
1580 {
1581  return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
1582  objname, out_sid, false);
1583 }
1584 
1599  u32 tsid,
1600  u16 tclass,
1601  u32 *out_sid)
1602 {
1603  return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, NULL,
1604  out_sid, false);
1605 }
1606 
1621  u32 tsid,
1622  u16 tclass,
1623  u32 *out_sid)
1624 {
1625  return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, NULL,
1626  out_sid, false);
1627 }
1628 
1629 /* Clone the SID into the new SID table. */
1630 static int clone_sid(u32 sid,
1631  struct context *context,
1632  void *arg)
1633 {
1634  struct sidtab *s = arg;
1635 
1636  if (sid > SECINITSID_NUM)
1637  return sidtab_insert(s, sid, context);
1638  else
1639  return 0;
1640 }
1641 
1642 static inline int convert_context_handle_invalid_context(struct context *context)
1643 {
1644  char *s;
1645  u32 len;
1646 
1647  if (selinux_enforcing)
1648  return -EINVAL;
1649 
1650  if (!context_struct_to_string(context, &s, &len)) {
1651  printk(KERN_WARNING "SELinux: Context %s would be invalid if enforcing\n", s);
1652  kfree(s);
1653  }
1654  return 0;
1655 }
1656 
1658  struct policydb *oldp;
1659  struct policydb *newp;
1660 };
1661 
1662 /*
1663  * Convert the values in the security context
1664  * structure `c' from the values specified
1665  * in the policy `p->oldp' to the values specified
1666  * in the policy `p->newp'. Verify that the
1667  * context is valid under the new policy.
1668  */
1669 static int convert_context(u32 key,
1670  struct context *c,
1671  void *p)
1672 {
1673  struct convert_context_args *args;
1674  struct context oldc;
1675  struct ocontext *oc;
1676  struct mls_range *range;
1677  struct role_datum *role;
1678  struct type_datum *typdatum;
1679  struct user_datum *usrdatum;
1680  char *s;
1681  u32 len;
1682  int rc = 0;
1683 
1684  if (key <= SECINITSID_NUM)
1685  goto out;
1686 
1687  args = p;
1688 
1689  if (c->str) {
1690  struct context ctx;
1691 
1692  rc = -ENOMEM;
1693  s = kstrdup(c->str, GFP_KERNEL);
1694  if (!s)
1695  goto out;
1696 
1697  rc = string_to_context_struct(args->newp, NULL, s,
1698  c->len, &ctx, SECSID_NULL);
1699  kfree(s);
1700  if (!rc) {
1701  printk(KERN_INFO "SELinux: Context %s became valid (mapped).\n",
1702  c->str);
1703  /* Replace string with mapped representation. */
1704  kfree(c->str);
1705  memcpy(c, &ctx, sizeof(*c));
1706  goto out;
1707  } else if (rc == -EINVAL) {
1708  /* Retain string representation for later mapping. */
1709  rc = 0;
1710  goto out;
1711  } else {
1712  /* Other error condition, e.g. ENOMEM. */
1713  printk(KERN_ERR "SELinux: Unable to map context %s, rc = %d.\n",
1714  c->str, -rc);
1715  goto out;
1716  }
1717  }
1718 
1719  rc = context_cpy(&oldc, c);
1720  if (rc)
1721  goto out;
1722 
1723  /* Convert the user. */
1724  rc = -EINVAL;
1725  usrdatum = hashtab_search(args->newp->p_users.table,
1726  sym_name(args->oldp, SYM_USERS, c->user - 1));
1727  if (!usrdatum)
1728  goto bad;
1729  c->user = usrdatum->value;
1730 
1731  /* Convert the role. */
1732  rc = -EINVAL;
1733  role = hashtab_search(args->newp->p_roles.table,
1734  sym_name(args->oldp, SYM_ROLES, c->role - 1));
1735  if (!role)
1736  goto bad;
1737  c->role = role->value;
1738 
1739  /* Convert the type. */
1740  rc = -EINVAL;
1741  typdatum = hashtab_search(args->newp->p_types.table,
1742  sym_name(args->oldp, SYM_TYPES, c->type - 1));
1743  if (!typdatum)
1744  goto bad;
1745  c->type = typdatum->value;
1746 
1747  /* Convert the MLS fields if dealing with MLS policies */
1748  if (args->oldp->mls_enabled && args->newp->mls_enabled) {
1749  rc = mls_convert_context(args->oldp, args->newp, c);
1750  if (rc)
1751  goto bad;
1752  } else if (args->oldp->mls_enabled && !args->newp->mls_enabled) {
1753  /*
1754  * Switching between MLS and non-MLS policy:
1755  * free any storage used by the MLS fields in the
1756  * context for all existing entries in the sidtab.
1757  */
1758  mls_context_destroy(c);
1759  } else if (!args->oldp->mls_enabled && args->newp->mls_enabled) {
1760  /*
1761  * Switching between non-MLS and MLS policy:
1762  * ensure that the MLS fields of the context for all
1763  * existing entries in the sidtab are filled in with a
1764  * suitable default value, likely taken from one of the
1765  * initial SIDs.
1766  */
1767  oc = args->newp->ocontexts[OCON_ISID];
1768  while (oc && oc->sid[0] != SECINITSID_UNLABELED)
1769  oc = oc->next;
1770  rc = -EINVAL;
1771  if (!oc) {
1772  printk(KERN_ERR "SELinux: unable to look up"
1773  " the initial SIDs list\n");
1774  goto bad;
1775  }
1776  range = &oc->context[0].range;
1777  rc = mls_range_set(c, range);
1778  if (rc)
1779  goto bad;
1780  }
1781 
1782  /* Check the validity of the new context. */
1783  if (!policydb_context_isvalid(args->newp, c)) {
1784  rc = convert_context_handle_invalid_context(&oldc);
1785  if (rc)
1786  goto bad;
1787  }
1788 
1789  context_destroy(&oldc);
1790 
1791  rc = 0;
1792 out:
1793  return rc;
1794 bad:
1795  /* Map old representation to string and save it. */
1796  rc = context_struct_to_string(&oldc, &s, &len);
1797  if (rc)
1798  return rc;
1799  context_destroy(&oldc);
1800  context_destroy(c);
1801  c->str = s;
1802  c->len = len;
1803  printk(KERN_INFO "SELinux: Context %s became invalid (unmapped).\n",
1804  c->str);
1805  rc = 0;
1806  goto out;
1807 }
1808 
1809 static void security_load_policycaps(void)
1810 {
1815 }
1816 
1817 static int security_preserve_bools(struct policydb *p);
1818 
1829 int security_load_policy(void *data, size_t len)
1830 {
1831  struct policydb oldpolicydb, newpolicydb;
1832  struct sidtab oldsidtab, newsidtab;
1833  struct selinux_mapping *oldmap, *map = NULL;
1834  struct convert_context_args args;
1835  u32 seqno;
1836  u16 map_size;
1837  int rc = 0;
1838  struct policy_file file = { data, len }, *fp = &file;
1839 
1840  if (!ss_initialized) {
1841  avtab_cache_init();
1842  rc = policydb_read(&policydb, fp);
1843  if (rc) {
1845  return rc;
1846  }
1847 
1848  policydb.len = len;
1849  rc = selinux_set_mapping(&policydb, secclass_map,
1850  &current_mapping,
1851  &current_mapping_size);
1852  if (rc) {
1855  return rc;
1856  }
1857 
1859  if (rc) {
1862  return rc;
1863  }
1864 
1865  security_load_policycaps();
1866  ss_initialized = 1;
1867  seqno = ++latest_granting;
1869  avc_ss_reset(seqno);
1870  selnl_notify_policyload(seqno);
1873  selinux_xfrm_notify_policyload();
1874  return 0;
1875  }
1876 
1877 #if 0
1878  sidtab_hash_eval(&sidtab, "sids");
1879 #endif
1880 
1881  rc = policydb_read(&newpolicydb, fp);
1882  if (rc)
1883  return rc;
1884 
1885  newpolicydb.len = len;
1886  /* If switching between different policy types, log MLS status */
1887  if (policydb.mls_enabled && !newpolicydb.mls_enabled)
1888  printk(KERN_INFO "SELinux: Disabling MLS support...\n");
1889  else if (!policydb.mls_enabled && newpolicydb.mls_enabled)
1890  printk(KERN_INFO "SELinux: Enabling MLS support...\n");
1891 
1892  rc = policydb_load_isids(&newpolicydb, &newsidtab);
1893  if (rc) {
1894  printk(KERN_ERR "SELinux: unable to load the initial SIDs\n");
1895  policydb_destroy(&newpolicydb);
1896  return rc;
1897  }
1898 
1899  rc = selinux_set_mapping(&newpolicydb, secclass_map, &map, &map_size);
1900  if (rc)
1901  goto err;
1902 
1903  rc = security_preserve_bools(&newpolicydb);
1904  if (rc) {
1905  printk(KERN_ERR "SELinux: unable to preserve booleans\n");
1906  goto err;
1907  }
1908 
1909  /* Clone the SID table. */
1911 
1912  rc = sidtab_map(&sidtab, clone_sid, &newsidtab);
1913  if (rc)
1914  goto err;
1915 
1916  /*
1917  * Convert the internal representations of contexts
1918  * in the new SID table.
1919  */
1920  args.oldp = &policydb;
1921  args.newp = &newpolicydb;
1922  rc = sidtab_map(&newsidtab, convert_context, &args);
1923  if (rc) {
1924  printk(KERN_ERR "SELinux: unable to convert the internal"
1925  " representation of contexts in the new SID"
1926  " table\n");
1927  goto err;
1928  }
1929 
1930  /* Save the old policydb and SID table to free later. */
1931  memcpy(&oldpolicydb, &policydb, sizeof policydb);
1932  sidtab_set(&oldsidtab, &sidtab);
1933 
1934  /* Install the new policydb and SID table. */
1935  write_lock_irq(&policy_rwlock);
1936  memcpy(&policydb, &newpolicydb, sizeof policydb);
1937  sidtab_set(&sidtab, &newsidtab);
1938  security_load_policycaps();
1939  oldmap = current_mapping;
1940  current_mapping = map;
1941  current_mapping_size = map_size;
1942  seqno = ++latest_granting;
1943  write_unlock_irq(&policy_rwlock);
1944 
1945  /* Free the old policydb and SID table. */
1946  policydb_destroy(&oldpolicydb);
1947  sidtab_destroy(&oldsidtab);
1948  kfree(oldmap);
1949 
1950  avc_ss_reset(seqno);
1951  selnl_notify_policyload(seqno);
1954  selinux_xfrm_notify_policyload();
1955 
1956  return 0;
1957 
1958 err:
1959  kfree(map);
1960  sidtab_destroy(&newsidtab);
1961  policydb_destroy(&newpolicydb);
1962  return rc;
1963 
1964 }
1965 
1967 {
1968  size_t len;
1969 
1970  read_lock(&policy_rwlock);
1971  len = policydb.len;
1972  read_unlock(&policy_rwlock);
1973 
1974  return len;
1975 }
1976 
1984 {
1985  struct ocontext *c;
1986  int rc = 0;
1987 
1988  read_lock(&policy_rwlock);
1989 
1991  while (c) {
1992  if (c->u.port.protocol == protocol &&
1993  c->u.port.low_port <= port &&
1994  c->u.port.high_port >= port)
1995  break;
1996  c = c->next;
1997  }
1998 
1999  if (c) {
2000  if (!c->sid[0]) {
2002  &c->context[0],
2003  &c->sid[0]);
2004  if (rc)
2005  goto out;
2006  }
2007  *out_sid = c->sid[0];
2008  } else {
2009  *out_sid = SECINITSID_PORT;
2010  }
2011 
2012 out:
2013  read_unlock(&policy_rwlock);
2014  return rc;
2015 }
2016 
2022 int security_netif_sid(char *name, u32 *if_sid)
2023 {
2024  int rc = 0;
2025  struct ocontext *c;
2026 
2027  read_lock(&policy_rwlock);
2028 
2030  while (c) {
2031  if (strcmp(name, c->u.name) == 0)
2032  break;
2033  c = c->next;
2034  }
2035 
2036  if (c) {
2037  if (!c->sid[0] || !c->sid[1]) {
2039  &c->context[0],
2040  &c->sid[0]);
2041  if (rc)
2042  goto out;
2044  &c->context[1],
2045  &c->sid[1]);
2046  if (rc)
2047  goto out;
2048  }
2049  *if_sid = c->sid[0];
2050  } else
2051  *if_sid = SECINITSID_NETIF;
2052 
2053 out:
2054  read_unlock(&policy_rwlock);
2055  return rc;
2056 }
2057 
2058 static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask)
2059 {
2060  int i, fail = 0;
2061 
2062  for (i = 0; i < 4; i++)
2063  if (addr[i] != (input[i] & mask[i])) {
2064  fail = 1;
2065  break;
2066  }
2067 
2068  return !fail;
2069 }
2070 
2079  void *addrp,
2080  u32 addrlen,
2081  u32 *out_sid)
2082 {
2083  int rc;
2084  struct ocontext *c;
2085 
2086  read_lock(&policy_rwlock);
2087 
2088  switch (domain) {
2089  case AF_INET: {
2090  u32 addr;
2091 
2092  rc = -EINVAL;
2093  if (addrlen != sizeof(u32))
2094  goto out;
2095 
2096  addr = *((u32 *)addrp);
2097 
2099  while (c) {
2100  if (c->u.node.addr == (addr & c->u.node.mask))
2101  break;
2102  c = c->next;
2103  }
2104  break;
2105  }
2106 
2107  case AF_INET6:
2108  rc = -EINVAL;
2109  if (addrlen != sizeof(u64) * 2)
2110  goto out;
2112  while (c) {
2113  if (match_ipv6_addrmask(addrp, c->u.node6.addr,
2114  c->u.node6.mask))
2115  break;
2116  c = c->next;
2117  }
2118  break;
2119 
2120  default:
2121  rc = 0;
2122  *out_sid = SECINITSID_NODE;
2123  goto out;
2124  }
2125 
2126  if (c) {
2127  if (!c->sid[0]) {
2129  &c->context[0],
2130  &c->sid[0]);
2131  if (rc)
2132  goto out;
2133  }
2134  *out_sid = c->sid[0];
2135  } else {
2136  *out_sid = SECINITSID_NODE;
2137  }
2138 
2139  rc = 0;
2140 out:
2141  read_unlock(&policy_rwlock);
2142  return rc;
2143 }
2144 
2145 #define SIDS_NEL 25
2146 
2162  char *username,
2163  u32 **sids,
2164  u32 *nel)
2165 {
2166  struct context *fromcon, usercon;
2167  u32 *mysids = NULL, *mysids2, sid;
2168  u32 mynel = 0, maxnel = SIDS_NEL;
2169  struct user_datum *user;
2170  struct role_datum *role;
2171  struct ebitmap_node *rnode, *tnode;
2172  int rc = 0, i, j;
2173 
2174  *sids = NULL;
2175  *nel = 0;
2176 
2177  if (!ss_initialized)
2178  goto out;
2179 
2180  read_lock(&policy_rwlock);
2181 
2182  context_init(&usercon);
2183 
2184  rc = -EINVAL;
2185  fromcon = sidtab_search(&sidtab, fromsid);
2186  if (!fromcon)
2187  goto out_unlock;
2188 
2189  rc = -EINVAL;
2190  user = hashtab_search(policydb.p_users.table, username);
2191  if (!user)
2192  goto out_unlock;
2193 
2194  usercon.user = user->value;
2195 
2196  rc = -ENOMEM;
2197  mysids = kcalloc(maxnel, sizeof(*mysids), GFP_ATOMIC);
2198  if (!mysids)
2199  goto out_unlock;
2200 
2201  ebitmap_for_each_positive_bit(&user->roles, rnode, i) {
2202  role = policydb.role_val_to_struct[i];
2203  usercon.role = i + 1;
2204  ebitmap_for_each_positive_bit(&role->types, tnode, j) {
2205  usercon.type = j + 1;
2206 
2207  if (mls_setup_user_range(fromcon, user, &usercon))
2208  continue;
2209 
2210  rc = sidtab_context_to_sid(&sidtab, &usercon, &sid);
2211  if (rc)
2212  goto out_unlock;
2213  if (mynel < maxnel) {
2214  mysids[mynel++] = sid;
2215  } else {
2216  rc = -ENOMEM;
2217  maxnel += SIDS_NEL;
2218  mysids2 = kcalloc(maxnel, sizeof(*mysids2), GFP_ATOMIC);
2219  if (!mysids2)
2220  goto out_unlock;
2221  memcpy(mysids2, mysids, mynel * sizeof(*mysids2));
2222  kfree(mysids);
2223  mysids = mysids2;
2224  mysids[mynel++] = sid;
2225  }
2226  }
2227  }
2228  rc = 0;
2229 out_unlock:
2230  read_unlock(&policy_rwlock);
2231  if (rc || !mynel) {
2232  kfree(mysids);
2233  goto out;
2234  }
2235 
2236  rc = -ENOMEM;
2237  mysids2 = kcalloc(mynel, sizeof(*mysids2), GFP_KERNEL);
2238  if (!mysids2) {
2239  kfree(mysids);
2240  goto out;
2241  }
2242  for (i = 0, j = 0; i < mynel; i++) {
2243  struct av_decision dummy_avd;
2244  rc = avc_has_perm_noaudit(fromsid, mysids[i],
2245  SECCLASS_PROCESS, /* kernel value */
2246  PROCESS__TRANSITION, AVC_STRICT,
2247  &dummy_avd);
2248  if (!rc)
2249  mysids2[j++] = mysids[i];
2250  cond_resched();
2251  }
2252  rc = 0;
2253  kfree(mysids);
2254  *sids = mysids2;
2255  *nel = j;
2256 out:
2257  return rc;
2258 }
2259 
2271 int security_genfs_sid(const char *fstype,
2272  char *path,
2273  u16 orig_sclass,
2274  u32 *sid)
2275 {
2276  int len;
2277  u16 sclass;
2278  struct genfs *genfs;
2279  struct ocontext *c;
2280  int rc, cmp = 0;
2281 
2282  while (path[0] == '/' && path[1] == '/')
2283  path++;
2284 
2285  read_lock(&policy_rwlock);
2286 
2287  sclass = unmap_class(orig_sclass);
2288  *sid = SECINITSID_UNLABELED;
2289 
2290  for (genfs = policydb.genfs; genfs; genfs = genfs->next) {
2291  cmp = strcmp(fstype, genfs->fstype);
2292  if (cmp <= 0)
2293  break;
2294  }
2295 
2296  rc = -ENOENT;
2297  if (!genfs || cmp)
2298  goto out;
2299 
2300  for (c = genfs->head; c; c = c->next) {
2301  len = strlen(c->u.name);
2302  if ((!c->v.sclass || sclass == c->v.sclass) &&
2303  (strncmp(c->u.name, path, len) == 0))
2304  break;
2305  }
2306 
2307  rc = -ENOENT;
2308  if (!c)
2309  goto out;
2310 
2311  if (!c->sid[0]) {
2312  rc = sidtab_context_to_sid(&sidtab, &c->context[0], &c->sid[0]);
2313  if (rc)
2314  goto out;
2315  }
2316 
2317  *sid = c->sid[0];
2318  rc = 0;
2319 out:
2320  read_unlock(&policy_rwlock);
2321  return rc;
2322 }
2323 
2331  const char *fstype,
2332  unsigned int *behavior,
2333  u32 *sid)
2334 {
2335  int rc = 0;
2336  struct ocontext *c;
2337 
2338  read_lock(&policy_rwlock);
2339 
2341  while (c) {
2342  if (strcmp(fstype, c->u.name) == 0)
2343  break;
2344  c = c->next;
2345  }
2346 
2347  if (c) {
2348  *behavior = c->v.behavior;
2349  if (!c->sid[0]) {
2350  rc = sidtab_context_to_sid(&sidtab, &c->context[0],
2351  &c->sid[0]);
2352  if (rc)
2353  goto out;
2354  }
2355  *sid = c->sid[0];
2356  } else {
2357  rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, sid);
2358  if (rc) {
2359  *behavior = SECURITY_FS_USE_NONE;
2360  rc = 0;
2361  } else {
2362  *behavior = SECURITY_FS_USE_GENFS;
2363  }
2364  }
2365 
2366 out:
2367  read_unlock(&policy_rwlock);
2368  return rc;
2369 }
2370 
2371 int security_get_bools(int *len, char ***names, int **values)
2372 {
2373  int i, rc;
2374 
2375  read_lock(&policy_rwlock);
2376  *names = NULL;
2377  *values = NULL;
2378 
2379  rc = 0;
2380  *len = policydb.p_bools.nprim;
2381  if (!*len)
2382  goto out;
2383 
2384  rc = -ENOMEM;
2385  *names = kcalloc(*len, sizeof(char *), GFP_ATOMIC);
2386  if (!*names)
2387  goto err;
2388 
2389  rc = -ENOMEM;
2390  *values = kcalloc(*len, sizeof(int), GFP_ATOMIC);
2391  if (!*values)
2392  goto err;
2393 
2394  for (i = 0; i < *len; i++) {
2395  size_t name_len;
2396 
2397  (*values)[i] = policydb.bool_val_to_struct[i]->state;
2398  name_len = strlen(sym_name(&policydb, SYM_BOOLS, i)) + 1;
2399 
2400  rc = -ENOMEM;
2401  (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC);
2402  if (!(*names)[i])
2403  goto err;
2404 
2405  strncpy((*names)[i], sym_name(&policydb, SYM_BOOLS, i), name_len);
2406  (*names)[i][name_len - 1] = 0;
2407  }
2408  rc = 0;
2409 out:
2410  read_unlock(&policy_rwlock);
2411  return rc;
2412 err:
2413  if (*names) {
2414  for (i = 0; i < *len; i++)
2415  kfree((*names)[i]);
2416  }
2417  kfree(*values);
2418  goto out;
2419 }
2420 
2421 
2422 int security_set_bools(int len, int *values)
2423 {
2424  int i, rc;
2425  int lenp, seqno = 0;
2426  struct cond_node *cur;
2427 
2428  write_lock_irq(&policy_rwlock);
2429 
2430  rc = -EFAULT;
2431  lenp = policydb.p_bools.nprim;
2432  if (len != lenp)
2433  goto out;
2434 
2435  for (i = 0; i < len; i++) {
2436  if (!!values[i] != policydb.bool_val_to_struct[i]->state) {
2437  audit_log(current->audit_context, GFP_ATOMIC,
2439  "bool=%s val=%d old_val=%d auid=%u ses=%u",
2440  sym_name(&policydb, SYM_BOOLS, i),
2441  !!values[i],
2442  policydb.bool_val_to_struct[i]->state,
2443  from_kuid(&init_user_ns, audit_get_loginuid(current)),
2444  audit_get_sessionid(current));
2445  }
2446  if (values[i])
2447  policydb.bool_val_to_struct[i]->state = 1;
2448  else
2449  policydb.bool_val_to_struct[i]->state = 0;
2450  }
2451 
2452  for (cur = policydb.cond_list; cur; cur = cur->next) {
2453  rc = evaluate_cond_node(&policydb, cur);
2454  if (rc)
2455  goto out;
2456  }
2457 
2458  seqno = ++latest_granting;
2459  rc = 0;
2460 out:
2461  write_unlock_irq(&policy_rwlock);
2462  if (!rc) {
2463  avc_ss_reset(seqno);
2464  selnl_notify_policyload(seqno);
2466  selinux_xfrm_notify_policyload();
2467  }
2468  return rc;
2469 }
2470 
2472 {
2473  int rc;
2474  int len;
2475 
2476  read_lock(&policy_rwlock);
2477 
2478  rc = -EFAULT;
2479  len = policydb.p_bools.nprim;
2480  if (bool >= len)
2481  goto out;
2482 
2483  rc = policydb.bool_val_to_struct[bool]->state;
2484 out:
2485  read_unlock(&policy_rwlock);
2486  return rc;
2487 }
2488 
2489 static int security_preserve_bools(struct policydb *p)
2490 {
2491  int rc, nbools = 0, *bvalues = NULL, i;
2492  char **bnames = NULL;
2493  struct cond_bool_datum *booldatum;
2494  struct cond_node *cur;
2495 
2496  rc = security_get_bools(&nbools, &bnames, &bvalues);
2497  if (rc)
2498  goto out;
2499  for (i = 0; i < nbools; i++) {
2500  booldatum = hashtab_search(p->p_bools.table, bnames[i]);
2501  if (booldatum)
2502  booldatum->state = bvalues[i];
2503  }
2504  for (cur = p->cond_list; cur; cur = cur->next) {
2505  rc = evaluate_cond_node(p, cur);
2506  if (rc)
2507  goto out;
2508  }
2509 
2510 out:
2511  if (bnames) {
2512  for (i = 0; i < nbools; i++)
2513  kfree(bnames[i]);
2514  }
2515  kfree(bnames);
2516  kfree(bvalues);
2517  return rc;
2518 }
2519 
2520 /*
2521  * security_sid_mls_copy() - computes a new sid based on the given
2522  * sid and the mls portion of mls_sid.
2523  */
2524 int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid)
2525 {
2526  struct context *context1;
2527  struct context *context2;
2528  struct context newcon;
2529  char *s;
2530  u32 len;
2531  int rc;
2532 
2533  rc = 0;
2534  if (!ss_initialized || !policydb.mls_enabled) {
2535  *new_sid = sid;
2536  goto out;
2537  }
2538 
2539  context_init(&newcon);
2540 
2541  read_lock(&policy_rwlock);
2542 
2543  rc = -EINVAL;
2544  context1 = sidtab_search(&sidtab, sid);
2545  if (!context1) {
2546  printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
2547  __func__, sid);
2548  goto out_unlock;
2549  }
2550 
2551  rc = -EINVAL;
2552  context2 = sidtab_search(&sidtab, mls_sid);
2553  if (!context2) {
2554  printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
2555  __func__, mls_sid);
2556  goto out_unlock;
2557  }
2558 
2559  newcon.user = context1->user;
2560  newcon.role = context1->role;
2561  newcon.type = context1->type;
2562  rc = mls_context_cpy(&newcon, context2);
2563  if (rc)
2564  goto out_unlock;
2565 
2566  /* Check the validity of the new context. */
2567  if (!policydb_context_isvalid(&policydb, &newcon)) {
2568  rc = convert_context_handle_invalid_context(&newcon);
2569  if (rc) {
2570  if (!context_struct_to_string(&newcon, &s, &len)) {
2571  audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
2572  "security_sid_mls_copy: invalid context %s", s);
2573  kfree(s);
2574  }
2575  goto out_unlock;
2576  }
2577  }
2578 
2579  rc = sidtab_context_to_sid(&sidtab, &newcon, new_sid);
2580 out_unlock:
2581  read_unlock(&policy_rwlock);
2582  context_destroy(&newcon);
2583 out:
2584  return rc;
2585 }
2586 
2607 int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type,
2608  u32 xfrm_sid,
2609  u32 *peer_sid)
2610 {
2611  int rc;
2612  struct context *nlbl_ctx;
2613  struct context *xfrm_ctx;
2614 
2615  *peer_sid = SECSID_NULL;
2616 
2617  /* handle the common (which also happens to be the set of easy) cases
2618  * right away, these two if statements catch everything involving a
2619  * single or absent peer SID/label */
2620  if (xfrm_sid == SECSID_NULL) {
2621  *peer_sid = nlbl_sid;
2622  return 0;
2623  }
2624  /* NOTE: an nlbl_type == NETLBL_NLTYPE_UNLABELED is a "fallback" label
2625  * and is treated as if nlbl_sid == SECSID_NULL when a XFRM SID/label
2626  * is present */
2627  if (nlbl_sid == SECSID_NULL || nlbl_type == NETLBL_NLTYPE_UNLABELED) {
2628  *peer_sid = xfrm_sid;
2629  return 0;
2630  }
2631 
2632  /* we don't need to check ss_initialized here since the only way both
2633  * nlbl_sid and xfrm_sid are not equal to SECSID_NULL would be if the
2634  * security server was initialized and ss_initialized was true */
2635  if (!policydb.mls_enabled)
2636  return 0;
2637 
2638  read_lock(&policy_rwlock);
2639 
2640  rc = -EINVAL;
2641  nlbl_ctx = sidtab_search(&sidtab, nlbl_sid);
2642  if (!nlbl_ctx) {
2643  printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
2644  __func__, nlbl_sid);
2645  goto out;
2646  }
2647  rc = -EINVAL;
2648  xfrm_ctx = sidtab_search(&sidtab, xfrm_sid);
2649  if (!xfrm_ctx) {
2650  printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
2651  __func__, xfrm_sid);
2652  goto out;
2653  }
2654  rc = (mls_context_cmp(nlbl_ctx, xfrm_ctx) ? 0 : -EACCES);
2655  if (rc)
2656  goto out;
2657 
2658  /* at present NetLabel SIDs/labels really only carry MLS
2659  * information so if the MLS portion of the NetLabel SID
2660  * matches the MLS portion of the labeled XFRM SID/label
2661  * then pass along the XFRM SID as it is the most
2662  * expressive */
2663  *peer_sid = xfrm_sid;
2664 out:
2665  read_unlock(&policy_rwlock);
2666  return rc;
2667 }
2668 
2669 static int get_classes_callback(void *k, void *d, void *args)
2670 {
2671  struct class_datum *datum = d;
2672  char *name = k, **classes = args;
2673  int value = datum->value - 1;
2674 
2675  classes[value] = kstrdup(name, GFP_ATOMIC);
2676  if (!classes[value])
2677  return -ENOMEM;
2678 
2679  return 0;
2680 }
2681 
2682 int security_get_classes(char ***classes, int *nclasses)
2683 {
2684  int rc;
2685 
2686  read_lock(&policy_rwlock);
2687 
2688  rc = -ENOMEM;
2689  *nclasses = policydb.p_classes.nprim;
2690  *classes = kcalloc(*nclasses, sizeof(**classes), GFP_ATOMIC);
2691  if (!*classes)
2692  goto out;
2693 
2694  rc = hashtab_map(policydb.p_classes.table, get_classes_callback,
2695  *classes);
2696  if (rc) {
2697  int i;
2698  for (i = 0; i < *nclasses; i++)
2699  kfree((*classes)[i]);
2700  kfree(*classes);
2701  }
2702 
2703 out:
2704  read_unlock(&policy_rwlock);
2705  return rc;
2706 }
2707 
2708 static int get_permissions_callback(void *k, void *d, void *args)
2709 {
2710  struct perm_datum *datum = d;
2711  char *name = k, **perms = args;
2712  int value = datum->value - 1;
2713 
2714  perms[value] = kstrdup(name, GFP_ATOMIC);
2715  if (!perms[value])
2716  return -ENOMEM;
2717 
2718  return 0;
2719 }
2720 
2721 int security_get_permissions(char *class, char ***perms, int *nperms)
2722 {
2723  int rc, i;
2724  struct class_datum *match;
2725 
2726  read_lock(&policy_rwlock);
2727 
2728  rc = -EINVAL;
2729  match = hashtab_search(policydb.p_classes.table, class);
2730  if (!match) {
2731  printk(KERN_ERR "SELinux: %s: unrecognized class %s\n",
2732  __func__, class);
2733  goto out;
2734  }
2735 
2736  rc = -ENOMEM;
2737  *nperms = match->permissions.nprim;
2738  *perms = kcalloc(*nperms, sizeof(**perms), GFP_ATOMIC);
2739  if (!*perms)
2740  goto out;
2741 
2742  if (match->comdatum) {
2743  rc = hashtab_map(match->comdatum->permissions.table,
2744  get_permissions_callback, *perms);
2745  if (rc)
2746  goto err;
2747  }
2748 
2749  rc = hashtab_map(match->permissions.table, get_permissions_callback,
2750  *perms);
2751  if (rc)
2752  goto err;
2753 
2754 out:
2755  read_unlock(&policy_rwlock);
2756  return rc;
2757 
2758 err:
2759  read_unlock(&policy_rwlock);
2760  for (i = 0; i < *nperms; i++)
2761  kfree((*perms)[i]);
2762  kfree(*perms);
2763  return rc;
2764 }
2765 
2767 {
2768  return policydb.reject_unknown;
2769 }
2770 
2772 {
2773  return policydb.allow_unknown;
2774 }
2775 
2786 int security_policycap_supported(unsigned int req_cap)
2787 {
2788  int rc;
2789 
2790  read_lock(&policy_rwlock);
2791  rc = ebitmap_get_bit(&policydb.policycaps, req_cap);
2792  read_unlock(&policy_rwlock);
2793 
2794  return rc;
2795 }
2796 
2799  struct context au_ctxt;
2800 };
2801 
2802 void selinux_audit_rule_free(void *vrule)
2803 {
2804  struct selinux_audit_rule *rule = vrule;
2805 
2806  if (rule) {
2807  context_destroy(&rule->au_ctxt);
2808  kfree(rule);
2809  }
2810 }
2811 
2812 int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
2813 {
2814  struct selinux_audit_rule *tmprule;
2815  struct role_datum *roledatum;
2816  struct type_datum *typedatum;
2817  struct user_datum *userdatum;
2818  struct selinux_audit_rule **rule = (struct selinux_audit_rule **)vrule;
2819  int rc = 0;
2820 
2821  *rule = NULL;
2822 
2823  if (!ss_initialized)
2824  return -EOPNOTSUPP;
2825 
2826  switch (field) {
2827  case AUDIT_SUBJ_USER:
2828  case AUDIT_SUBJ_ROLE:
2829  case AUDIT_SUBJ_TYPE:
2830  case AUDIT_OBJ_USER:
2831  case AUDIT_OBJ_ROLE:
2832  case AUDIT_OBJ_TYPE:
2833  /* only 'equals' and 'not equals' fit user, role, and type */
2834  if (op != Audit_equal && op != Audit_not_equal)
2835  return -EINVAL;
2836  break;
2837  case AUDIT_SUBJ_SEN:
2838  case AUDIT_SUBJ_CLR:
2839  case AUDIT_OBJ_LEV_LOW:
2840  case AUDIT_OBJ_LEV_HIGH:
2841  /* we do not allow a range, indicated by the presence of '-' */
2842  if (strchr(rulestr, '-'))
2843  return -EINVAL;
2844  break;
2845  default:
2846  /* only the above fields are valid */
2847  return -EINVAL;
2848  }
2849 
2850  tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL);
2851  if (!tmprule)
2852  return -ENOMEM;
2853 
2854  context_init(&tmprule->au_ctxt);
2855 
2856  read_lock(&policy_rwlock);
2857 
2858  tmprule->au_seqno = latest_granting;
2859 
2860  switch (field) {
2861  case AUDIT_SUBJ_USER:
2862  case AUDIT_OBJ_USER:
2863  rc = -EINVAL;
2864  userdatum = hashtab_search(policydb.p_users.table, rulestr);
2865  if (!userdatum)
2866  goto out;
2867  tmprule->au_ctxt.user = userdatum->value;
2868  break;
2869  case AUDIT_SUBJ_ROLE:
2870  case AUDIT_OBJ_ROLE:
2871  rc = -EINVAL;
2872  roledatum = hashtab_search(policydb.p_roles.table, rulestr);
2873  if (!roledatum)
2874  goto out;
2875  tmprule->au_ctxt.role = roledatum->value;
2876  break;
2877  case AUDIT_SUBJ_TYPE:
2878  case AUDIT_OBJ_TYPE:
2879  rc = -EINVAL;
2880  typedatum = hashtab_search(policydb.p_types.table, rulestr);
2881  if (!typedatum)
2882  goto out;
2883  tmprule->au_ctxt.type = typedatum->value;
2884  break;
2885  case AUDIT_SUBJ_SEN:
2886  case AUDIT_SUBJ_CLR:
2887  case AUDIT_OBJ_LEV_LOW:
2888  case AUDIT_OBJ_LEV_HIGH:
2889  rc = mls_from_string(rulestr, &tmprule->au_ctxt, GFP_ATOMIC);
2890  if (rc)
2891  goto out;
2892  break;
2893  }
2894  rc = 0;
2895 out:
2896  read_unlock(&policy_rwlock);
2897 
2898  if (rc) {
2899  selinux_audit_rule_free(tmprule);
2900  tmprule = NULL;
2901  }
2902 
2903  *rule = tmprule;
2904 
2905  return rc;
2906 }
2907 
2908 /* Check to see if the rule contains any selinux fields */
2910 {
2911  int i;
2912 
2913  for (i = 0; i < rule->field_count; i++) {
2914  struct audit_field *f = &rule->fields[i];
2915  switch (f->type) {
2916  case AUDIT_SUBJ_USER:
2917  case AUDIT_SUBJ_ROLE:
2918  case AUDIT_SUBJ_TYPE:
2919  case AUDIT_SUBJ_SEN:
2920  case AUDIT_SUBJ_CLR:
2921  case AUDIT_OBJ_USER:
2922  case AUDIT_OBJ_ROLE:
2923  case AUDIT_OBJ_TYPE:
2924  case AUDIT_OBJ_LEV_LOW:
2925  case AUDIT_OBJ_LEV_HIGH:
2926  return 1;
2927  }
2928  }
2929 
2930  return 0;
2931 }
2932 
2933 int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
2934  struct audit_context *actx)
2935 {
2936  struct context *ctxt;
2937  struct mls_level *level;
2938  struct selinux_audit_rule *rule = vrule;
2939  int match = 0;
2940 
2941  if (!rule) {
2943  "selinux_audit_rule_match: missing rule\n");
2944  return -ENOENT;
2945  }
2946 
2947  read_lock(&policy_rwlock);
2948 
2949  if (rule->au_seqno < latest_granting) {
2951  "selinux_audit_rule_match: stale rule\n");
2952  match = -ESTALE;
2953  goto out;
2954  }
2955 
2956  ctxt = sidtab_search(&sidtab, sid);
2957  if (!ctxt) {
2959  "selinux_audit_rule_match: unrecognized SID %d\n",
2960  sid);
2961  match = -ENOENT;
2962  goto out;
2963  }
2964 
2965  /* a field/op pair that is not caught here will simply fall through
2966  without a match */
2967  switch (field) {
2968  case AUDIT_SUBJ_USER:
2969  case AUDIT_OBJ_USER:
2970  switch (op) {
2971  case Audit_equal:
2972  match = (ctxt->user == rule->au_ctxt.user);
2973  break;
2974  case Audit_not_equal:
2975  match = (ctxt->user != rule->au_ctxt.user);
2976  break;
2977  }
2978  break;
2979  case AUDIT_SUBJ_ROLE:
2980  case AUDIT_OBJ_ROLE:
2981  switch (op) {
2982  case Audit_equal:
2983  match = (ctxt->role == rule->au_ctxt.role);
2984  break;
2985  case Audit_not_equal:
2986  match = (ctxt->role != rule->au_ctxt.role);
2987  break;
2988  }
2989  break;
2990  case AUDIT_SUBJ_TYPE:
2991  case AUDIT_OBJ_TYPE:
2992  switch (op) {
2993  case Audit_equal:
2994  match = (ctxt->type == rule->au_ctxt.type);
2995  break;
2996  case Audit_not_equal:
2997  match = (ctxt->type != rule->au_ctxt.type);
2998  break;
2999  }
3000  break;
3001  case AUDIT_SUBJ_SEN:
3002  case AUDIT_SUBJ_CLR:
3003  case AUDIT_OBJ_LEV_LOW:
3004  case AUDIT_OBJ_LEV_HIGH:
3005  level = ((field == AUDIT_SUBJ_SEN ||
3006  field == AUDIT_OBJ_LEV_LOW) ?
3007  &ctxt->range.level[0] : &ctxt->range.level[1]);
3008  switch (op) {
3009  case Audit_equal:
3010  match = mls_level_eq(&rule->au_ctxt.range.level[0],
3011  level);
3012  break;
3013  case Audit_not_equal:
3014  match = !mls_level_eq(&rule->au_ctxt.range.level[0],
3015  level);
3016  break;
3017  case Audit_lt:
3018  match = (mls_level_dom(&rule->au_ctxt.range.level[0],
3019  level) &&
3020  !mls_level_eq(&rule->au_ctxt.range.level[0],
3021  level));
3022  break;
3023  case Audit_le:
3024  match = mls_level_dom(&rule->au_ctxt.range.level[0],
3025  level);
3026  break;
3027  case Audit_gt:
3028  match = (mls_level_dom(level,
3029  &rule->au_ctxt.range.level[0]) &&
3030  !mls_level_eq(level,
3031  &rule->au_ctxt.range.level[0]));
3032  break;
3033  case Audit_ge:
3034  match = mls_level_dom(level,
3035  &rule->au_ctxt.range.level[0]);
3036  break;
3037  }
3038  }
3039 
3040 out:
3041  read_unlock(&policy_rwlock);
3042  return match;
3043 }
3044 
3045 static int (*aurule_callback)(void) = audit_update_lsm_rules;
3046 
3047 static int aurule_avc_callback(u32 event)
3048 {
3049  int err = 0;
3050 
3051  if (event == AVC_CALLBACK_RESET && aurule_callback)
3052  err = aurule_callback();
3053  return err;
3054 }
3055 
3056 static int __init aurule_init(void)
3057 {
3058  int err;
3059 
3060  err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET);
3061  if (err)
3062  panic("avc_add_callback() failed, error %d\n", err);
3063 
3064  return err;
3065 }
3066 __initcall(aurule_init);
3067 
3068 #ifdef CONFIG_NETLABEL
3069 
3080 static void security_netlbl_cache_add(struct netlbl_lsm_secattr *secattr,
3081  u32 sid)
3082 {
3083  u32 *sid_cache;
3084 
3085  sid_cache = kmalloc(sizeof(*sid_cache), GFP_ATOMIC);
3086  if (sid_cache == NULL)
3087  return;
3088  secattr->cache = netlbl_secattr_cache_alloc(GFP_ATOMIC);
3089  if (secattr->cache == NULL) {
3090  kfree(sid_cache);
3091  return;
3092  }
3093 
3094  *sid_cache = sid;
3095  secattr->cache->free = kfree;
3096  secattr->cache->data = sid_cache;
3097  secattr->flags |= NETLBL_SECATTR_CACHE;
3098 }
3099 
3115 int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,
3116  u32 *sid)
3117 {
3118  int rc;
3119  struct context *ctx;
3120  struct context ctx_new;
3121 
3122  if (!ss_initialized) {
3123  *sid = SECSID_NULL;
3124  return 0;
3125  }
3126 
3127  read_lock(&policy_rwlock);
3128 
3129  if (secattr->flags & NETLBL_SECATTR_CACHE)
3130  *sid = *(u32 *)secattr->cache->data;
3131  else if (secattr->flags & NETLBL_SECATTR_SECID)
3132  *sid = secattr->attr.secid;
3133  else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) {
3134  rc = -EIDRM;
3135  ctx = sidtab_search(&sidtab, SECINITSID_NETMSG);
3136  if (ctx == NULL)
3137  goto out;
3138 
3139  context_init(&ctx_new);
3140  ctx_new.user = ctx->user;
3141  ctx_new.role = ctx->role;
3142  ctx_new.type = ctx->type;
3143  mls_import_netlbl_lvl(&ctx_new, secattr);
3144  if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {
3145  rc = ebitmap_netlbl_import(&ctx_new.range.level[0].cat,
3146  secattr->attr.mls.cat);
3147  if (rc)
3148  goto out;
3149  memcpy(&ctx_new.range.level[1].cat,
3150  &ctx_new.range.level[0].cat,
3151  sizeof(ctx_new.range.level[0].cat));
3152  }
3153  rc = -EIDRM;
3154  if (!mls_context_isvalid(&policydb, &ctx_new))
3155  goto out_free;
3156 
3157  rc = sidtab_context_to_sid(&sidtab, &ctx_new, sid);
3158  if (rc)
3159  goto out_free;
3160 
3161  security_netlbl_cache_add(secattr, *sid);
3162 
3163  ebitmap_destroy(&ctx_new.range.level[0].cat);
3164  } else
3165  *sid = SECSID_NULL;
3166 
3167  read_unlock(&policy_rwlock);
3168  return 0;
3169 out_free:
3170  ebitmap_destroy(&ctx_new.range.level[0].cat);
3171 out:
3172  read_unlock(&policy_rwlock);
3173  return rc;
3174 }
3175 
3186 int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr)
3187 {
3188  int rc;
3189  struct context *ctx;
3190 
3191  if (!ss_initialized)
3192  return 0;
3193 
3194  read_lock(&policy_rwlock);
3195 
3196  rc = -ENOENT;
3197  ctx = sidtab_search(&sidtab, sid);
3198  if (ctx == NULL)
3199  goto out;
3200 
3201  rc = -ENOMEM;
3202  secattr->domain = kstrdup(sym_name(&policydb, SYM_TYPES, ctx->type - 1),
3203  GFP_ATOMIC);
3204  if (secattr->domain == NULL)
3205  goto out;
3206 
3207  secattr->attr.secid = sid;
3209  mls_export_netlbl_lvl(ctx, secattr);
3210  rc = mls_export_netlbl_cat(ctx, secattr);
3211 out:
3212  read_unlock(&policy_rwlock);
3213  return rc;
3214 }
3215 #endif /* CONFIG_NETLABEL */
3216 
3223 int security_read_policy(void **data, size_t *len)
3224 {
3225  int rc;
3226  struct policy_file fp;
3227 
3228  if (!ss_initialized)
3229  return -EINVAL;
3230 
3231  *len = security_policydb_len();
3232 
3233  *data = vmalloc_user(*len);
3234  if (!*data)
3235  return -ENOMEM;
3236 
3237  fp.data = *data;
3238  fp.len = *len;
3239 
3240  read_lock(&policy_rwlock);
3241  rc = policydb_write(&policydb, &fp);
3242  read_unlock(&policy_rwlock);
3243 
3244  if (rc)
3245  return rc;
3246 
3247  *len = (unsigned long)fp.data - (unsigned long)*data;
3248  return 0;
3249 
3250 }