1 /* 2 * Implementation of the kernel access vector cache (AVC). 3 * 4 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> 5 * James Morris <jmorris@redhat.com> 6 * 7 * Update: KaiGai, Kohei <kaigai@ak.jp.nec.com> 8 * Replaced the avc_lock spinlock by RCU. 9 * 10 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> 11 * 12 * This program is free software; you can redistribute it and/or modify 13 * it under the terms of the GNU General Public License version 2, 14 * as published by the Free Software Foundation. 15 */ 16 #include <linux/types.h> 17 #include <linux/stddef.h> 18 #include <linux/kernel.h> 19 #include <linux/slab.h> 20 #include <linux/fs.h> 21 #include <linux/dcache.h> 22 #include <linux/init.h> 23 #include <linux/skbuff.h> 24 #include <linux/percpu.h> 25 #include <linux/list.h> 26 #include <net/sock.h> 27 #include <linux/un.h> 28 #include <net/af_unix.h> 29 #include <linux/ip.h> 30 #include <linux/audit.h> 31 #include <linux/ipv6.h> 32 #include <net/ipv6.h> 33 #include "avc.h" 34 #include "avc_ss.h" 35 #include "classmap.h" 36 37 #define AVC_CACHE_SLOTS 512 38 #define AVC_DEF_CACHE_THRESHOLD 512 39 #define AVC_CACHE_RECLAIM 16 40 41 #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS 42 #define avc_cache_stats_incr(field) this_cpu_inc(avc_cache_stats.field) 43 #else 44 #define avc_cache_stats_incr(field) do {} while (0) 45 #endif 46 47 struct avc_entry { 48 u32 ssid; 49 u32 tsid; 50 u16 tclass; 51 struct av_decision avd; 52 struct avc_xperms_node *xp_node; 53 }; 54 55 struct avc_node { 56 struct avc_entry ae; 57 struct hlist_node list; /* anchored in avc_cache->slots[i] */ 58 struct rcu_head rhead; 59 }; 60 61 struct avc_xperms_decision_node { 62 struct extended_perms_decision xpd; 63 struct list_head xpd_list; /* list of extended_perms_decision */ 64 }; 65 66 struct avc_xperms_node { 67 struct extended_perms xp; 68 struct list_head xpd_head; /* list head of extended_perms_decision */ 69 }; 70 71 struct avc_cache { 72 struct hlist_head slots[AVC_CACHE_SLOTS]; /* head for avc_node->list */ 73 spinlock_t slots_lock[AVC_CACHE_SLOTS]; /* lock for writes */ 74 atomic_t lru_hint; /* LRU hint for reclaim scan */ 75 atomic_t active_nodes; 76 u32 latest_notif; /* latest revocation notification */ 77 }; 78 79 struct avc_callback_node { 80 int (*callback) (u32 event); 81 u32 events; 82 struct avc_callback_node *next; 83 }; 84 85 /* Exported via selinufs */ 86 unsigned int avc_cache_threshold = AVC_DEF_CACHE_THRESHOLD; 87 88 #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS 89 DEFINE_PER_CPU(struct avc_cache_stats, avc_cache_stats) = { 0 }; 90 #endif 91 92 static struct avc_cache avc_cache; 93 static struct avc_callback_node *avc_callbacks; 94 static struct kmem_cache *avc_node_cachep; 95 static struct kmem_cache *avc_xperms_data_cachep; 96 static struct kmem_cache *avc_xperms_decision_cachep; 97 static struct kmem_cache *avc_xperms_cachep; 98 99 static inline int avc_hash(u32 ssid, u32 tsid, u16 tclass) 100 { 101 return (ssid ^ (tsid<<2) ^ (tclass<<4)) & (AVC_CACHE_SLOTS - 1); 102 } 103 104 /** 105 * avc_dump_av - Display an access vector in human-readable form. 106 * @tclass: target security class 107 * @av: access vector 108 */ 109 static void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av) 110 { 111 const char **perms; 112 int i, perm; 113 114 if (av == 0) { 115 audit_log_format(ab, " null"); 116 return; 117 } 118 119 BUG_ON(!tclass || tclass >= ARRAY_SIZE(secclass_map)); 120 perms = secclass_map[tclass-1].perms; 121 122 audit_log_format(ab, " {"); 123 i = 0; 124 perm = 1; 125 while (i < (sizeof(av) * 8)) { 126 if ((perm & av) && perms[i]) { 127 audit_log_format(ab, " %s", perms[i]); 128 av &= ~perm; 129 } 130 i++; 131 perm <<= 1; 132 } 133 134 if (av) 135 audit_log_format(ab, " 0x%x", av); 136 137 audit_log_format(ab, " }"); 138 } 139 140 /** 141 * avc_dump_query - Display a SID pair and a class in human-readable form. 142 * @ssid: source security identifier 143 * @tsid: target security identifier 144 * @tclass: target security class 145 */ 146 static void avc_dump_query(struct audit_buffer *ab, u32 ssid, u32 tsid, u16 tclass) 147 { 148 int rc; 149 char *scontext; 150 u32 scontext_len; 151 152 rc = security_sid_to_context(ssid, &scontext, &scontext_len); 153 if (rc) 154 audit_log_format(ab, "ssid=%d", ssid); 155 else { 156 audit_log_format(ab, "scontext=%s", scontext); 157 kfree(scontext); 158 } 159 160 rc = security_sid_to_context(tsid, &scontext, &scontext_len); 161 if (rc) 162 audit_log_format(ab, " tsid=%d", tsid); 163 else { 164 audit_log_format(ab, " tcontext=%s", scontext); 165 kfree(scontext); 166 } 167 168 BUG_ON(!tclass || tclass >= ARRAY_SIZE(secclass_map)); 169 audit_log_format(ab, " tclass=%s", secclass_map[tclass-1].name); 170 } 171 172 /** 173 * avc_init - Initialize the AVC. 174 * 175 * Initialize the access vector cache. 176 */ 177 void __init avc_init(void) 178 { 179 int i; 180 181 for (i = 0; i < AVC_CACHE_SLOTS; i++) { 182 INIT_HLIST_HEAD(&avc_cache.slots[i]); 183 spin_lock_init(&avc_cache.slots_lock[i]); 184 } 185 atomic_set(&avc_cache.active_nodes, 0); 186 atomic_set(&avc_cache.lru_hint, 0); 187 188 avc_node_cachep = kmem_cache_create("avc_node", sizeof(struct avc_node), 189 0, SLAB_PANIC, NULL); 190 avc_xperms_cachep = kmem_cache_create("avc_xperms_node", 191 sizeof(struct avc_xperms_node), 192 0, SLAB_PANIC, NULL); 193 avc_xperms_decision_cachep = kmem_cache_create( 194 "avc_xperms_decision_node", 195 sizeof(struct avc_xperms_decision_node), 196 0, SLAB_PANIC, NULL); 197 avc_xperms_data_cachep = kmem_cache_create("avc_xperms_data", 198 sizeof(struct extended_perms_data), 199 0, SLAB_PANIC, NULL); 200 } 201 202 int avc_get_hash_stats(char *page) 203 { 204 int i, chain_len, max_chain_len, slots_used; 205 struct avc_node *node; 206 struct hlist_head *head; 207 208 rcu_read_lock(); 209 210 slots_used = 0; 211 max_chain_len = 0; 212 for (i = 0; i < AVC_CACHE_SLOTS; i++) { 213 head = &avc_cache.slots[i]; 214 if (!hlist_empty(head)) { 215 slots_used++; 216 chain_len = 0; 217 hlist_for_each_entry_rcu(node, head, list) 218 chain_len++; 219 if (chain_len > max_chain_len) 220 max_chain_len = chain_len; 221 } 222 } 223 224 rcu_read_unlock(); 225 226 return scnprintf(page, PAGE_SIZE, "entries: %d\nbuckets used: %d/%d\n" 227 "longest chain: %d\n", 228 atomic_read(&avc_cache.active_nodes), 229 slots_used, AVC_CACHE_SLOTS, max_chain_len); 230 } 231 232 /* 233 * using a linked list for extended_perms_decision lookup because the list is 234 * always small. i.e. less than 5, typically 1 235 */ 236 static struct extended_perms_decision *avc_xperms_decision_lookup(u8 driver, 237 struct avc_xperms_node *xp_node) 238 { 239 struct avc_xperms_decision_node *xpd_node; 240 241 list_for_each_entry(xpd_node, &xp_node->xpd_head, xpd_list) { 242 if (xpd_node->xpd.driver == driver) 243 return &xpd_node->xpd; 244 } 245 return NULL; 246 } 247 248 static inline unsigned int 249 avc_xperms_has_perm(struct extended_perms_decision *xpd, 250 u8 perm, u8 which) 251 { 252 unsigned int rc = 0; 253 254 if ((which == XPERMS_ALLOWED) && 255 (xpd->used & XPERMS_ALLOWED)) 256 rc = security_xperm_test(xpd->allowed->p, perm); 257 else if ((which == XPERMS_AUDITALLOW) && 258 (xpd->used & XPERMS_AUDITALLOW)) 259 rc = security_xperm_test(xpd->auditallow->p, perm); 260 else if ((which == XPERMS_DONTAUDIT) && 261 (xpd->used & XPERMS_DONTAUDIT)) 262 rc = security_xperm_test(xpd->dontaudit->p, perm); 263 return rc; 264 } 265 266 static void avc_xperms_allow_perm(struct avc_xperms_node *xp_node, 267 u8 driver, u8 perm) 268 { 269 struct extended_perms_decision *xpd; 270 security_xperm_set(xp_node->xp.drivers.p, driver); 271 xpd = avc_xperms_decision_lookup(driver, xp_node); 272 if (xpd && xpd->allowed) 273 security_xperm_set(xpd->allowed->p, perm); 274 } 275 276 static void avc_xperms_decision_free(struct avc_xperms_decision_node *xpd_node) 277 { 278 struct extended_perms_decision *xpd; 279 280 xpd = &xpd_node->xpd; 281 if (xpd->allowed) 282 kmem_cache_free(avc_xperms_data_cachep, xpd->allowed); 283 if (xpd->auditallow) 284 kmem_cache_free(avc_xperms_data_cachep, xpd->auditallow); 285 if (xpd->dontaudit) 286 kmem_cache_free(avc_xperms_data_cachep, xpd->dontaudit); 287 kmem_cache_free(avc_xperms_decision_cachep, xpd_node); 288 } 289 290 static void avc_xperms_free(struct avc_xperms_node *xp_node) 291 { 292 struct avc_xperms_decision_node *xpd_node, *tmp; 293 294 if (!xp_node) 295 return; 296 297 list_for_each_entry_safe(xpd_node, tmp, &xp_node->xpd_head, xpd_list) { 298 list_del(&xpd_node->xpd_list); 299 avc_xperms_decision_free(xpd_node); 300 } 301 kmem_cache_free(avc_xperms_cachep, xp_node); 302 } 303 304 static void avc_copy_xperms_decision(struct extended_perms_decision *dest, 305 struct extended_perms_decision *src) 306 { 307 dest->driver = src->driver; 308 dest->used = src->used; 309 if (dest->used & XPERMS_ALLOWED) 310 memcpy(dest->allowed->p, src->allowed->p, 311 sizeof(src->allowed->p)); 312 if (dest->used & XPERMS_AUDITALLOW) 313 memcpy(dest->auditallow->p, src->auditallow->p, 314 sizeof(src->auditallow->p)); 315 if (dest->used & XPERMS_DONTAUDIT) 316 memcpy(dest->dontaudit->p, src->dontaudit->p, 317 sizeof(src->dontaudit->p)); 318 } 319 320 /* 321 * similar to avc_copy_xperms_decision, but only copy decision 322 * information relevant to this perm 323 */ 324 static inline void avc_quick_copy_xperms_decision(u8 perm, 325 struct extended_perms_decision *dest, 326 struct extended_perms_decision *src) 327 { 328 /* 329 * compute index of the u32 of the 256 bits (8 u32s) that contain this 330 * command permission 331 */ 332 u8 i = perm >> 5; 333 334 dest->used = src->used; 335 if (dest->used & XPERMS_ALLOWED) 336 dest->allowed->p[i] = src->allowed->p[i]; 337 if (dest->used & XPERMS_AUDITALLOW) 338 dest->auditallow->p[i] = src->auditallow->p[i]; 339 if (dest->used & XPERMS_DONTAUDIT) 340 dest->dontaudit->p[i] = src->dontaudit->p[i]; 341 } 342 343 static struct avc_xperms_decision_node 344 *avc_xperms_decision_alloc(u8 which) 345 { 346 struct avc_xperms_decision_node *xpd_node; 347 struct extended_perms_decision *xpd; 348 349 xpd_node = kmem_cache_zalloc(avc_xperms_decision_cachep, 350 GFP_ATOMIC | __GFP_NOMEMALLOC); 351 if (!xpd_node) 352 return NULL; 353 354 xpd = &xpd_node->xpd; 355 if (which & XPERMS_ALLOWED) { 356 xpd->allowed = kmem_cache_zalloc(avc_xperms_data_cachep, 357 GFP_ATOMIC | __GFP_NOMEMALLOC); 358 if (!xpd->allowed) 359 goto error; 360 } 361 if (which & XPERMS_AUDITALLOW) { 362 xpd->auditallow = kmem_cache_zalloc(avc_xperms_data_cachep, 363 GFP_ATOMIC | __GFP_NOMEMALLOC); 364 if (!xpd->auditallow) 365 goto error; 366 } 367 if (which & XPERMS_DONTAUDIT) { 368 xpd->dontaudit = kmem_cache_zalloc(avc_xperms_data_cachep, 369 GFP_ATOMIC | __GFP_NOMEMALLOC); 370 if (!xpd->dontaudit) 371 goto error; 372 } 373 return xpd_node; 374 error: 375 avc_xperms_decision_free(xpd_node); 376 return NULL; 377 } 378 379 static int avc_add_xperms_decision(struct avc_node *node, 380 struct extended_perms_decision *src) 381 { 382 struct avc_xperms_decision_node *dest_xpd; 383 384 node->ae.xp_node->xp.len++; 385 dest_xpd = avc_xperms_decision_alloc(src->used); 386 if (!dest_xpd) 387 return -ENOMEM; 388 avc_copy_xperms_decision(&dest_xpd->xpd, src); 389 list_add(&dest_xpd->xpd_list, &node->ae.xp_node->xpd_head); 390 return 0; 391 } 392 393 static struct avc_xperms_node *avc_xperms_alloc(void) 394 { 395 struct avc_xperms_node *xp_node; 396 397 xp_node = kmem_cache_zalloc(avc_xperms_cachep, 398 GFP_ATOMIC|__GFP_NOMEMALLOC); 399 if (!xp_node) 400 return xp_node; 401 INIT_LIST_HEAD(&xp_node->xpd_head); 402 return xp_node; 403 } 404 405 static int avc_xperms_populate(struct avc_node *node, 406 struct avc_xperms_node *src) 407 { 408 struct avc_xperms_node *dest; 409 struct avc_xperms_decision_node *dest_xpd; 410 struct avc_xperms_decision_node *src_xpd; 411 412 if (src->xp.len == 0) 413 return 0; 414 dest = avc_xperms_alloc(); 415 if (!dest) 416 return -ENOMEM; 417 418 memcpy(dest->xp.drivers.p, src->xp.drivers.p, sizeof(dest->xp.drivers.p)); 419 dest->xp.len = src->xp.len; 420 421 /* for each source xpd allocate a destination xpd and copy */ 422 list_for_each_entry(src_xpd, &src->xpd_head, xpd_list) { 423 dest_xpd = avc_xperms_decision_alloc(src_xpd->xpd.used); 424 if (!dest_xpd) 425 goto error; 426 avc_copy_xperms_decision(&dest_xpd->xpd, &src_xpd->xpd); 427 list_add(&dest_xpd->xpd_list, &dest->xpd_head); 428 } 429 node->ae.xp_node = dest; 430 return 0; 431 error: 432 avc_xperms_free(dest); 433 return -ENOMEM; 434 435 } 436 437 static inline u32 avc_xperms_audit_required(u32 requested, 438 struct av_decision *avd, 439 struct extended_perms_decision *xpd, 440 u8 perm, 441 int result, 442 u32 *deniedp) 443 { 444 u32 denied, audited; 445 446 denied = requested & ~avd->allowed; 447 if (unlikely(denied)) { 448 audited = denied & avd->auditdeny; 449 if (audited && xpd) { 450 if (avc_xperms_has_perm(xpd, perm, XPERMS_DONTAUDIT)) 451 audited &= ~requested; 452 } 453 } else if (result) { 454 audited = denied = requested; 455 } else { 456 audited = requested & avd->auditallow; 457 if (audited && xpd) { 458 if (!avc_xperms_has_perm(xpd, perm, XPERMS_AUDITALLOW)) 459 audited &= ~requested; 460 } 461 } 462 463 *deniedp = denied; 464 return audited; 465 } 466 467 static inline int avc_xperms_audit(u32 ssid, u32 tsid, u16 tclass, 468 u32 requested, struct av_decision *avd, 469 struct extended_perms_decision *xpd, 470 u8 perm, int result, 471 struct common_audit_data *ad) 472 { 473 u32 audited, denied; 474 475 audited = avc_xperms_audit_required( 476 requested, avd, xpd, perm, result, &denied); 477 if (likely(!audited)) 478 return 0; 479 return slow_avc_audit(ssid, tsid, tclass, requested, 480 audited, denied, result, ad, 0); 481 } 482 483 static void avc_node_free(struct rcu_head *rhead) 484 { 485 struct avc_node *node = container_of(rhead, struct avc_node, rhead); 486 avc_xperms_free(node->ae.xp_node); 487 kmem_cache_free(avc_node_cachep, node); 488 avc_cache_stats_incr(frees); 489 } 490 491 static void avc_node_delete(struct avc_node *node) 492 { 493 hlist_del_rcu(&node->list); 494 call_rcu(&node->rhead, avc_node_free); 495 atomic_dec(&avc_cache.active_nodes); 496 } 497 498 static void avc_node_kill(struct avc_node *node) 499 { 500 avc_xperms_free(node->ae.xp_node); 501 kmem_cache_free(avc_node_cachep, node); 502 avc_cache_stats_incr(frees); 503 atomic_dec(&avc_cache.active_nodes); 504 } 505 506 static void avc_node_replace(struct avc_node *new, struct avc_node *old) 507 { 508 hlist_replace_rcu(&old->list, &new->list); 509 call_rcu(&old->rhead, avc_node_free); 510 atomic_dec(&avc_cache.active_nodes); 511 } 512 513 static inline int avc_reclaim_node(void) 514 { 515 struct avc_node *node; 516 int hvalue, try, ecx; 517 unsigned long flags; 518 struct hlist_head *head; 519 spinlock_t *lock; 520 521 for (try = 0, ecx = 0; try < AVC_CACHE_SLOTS; try++) { 522 hvalue = atomic_inc_return(&avc_cache.lru_hint) & (AVC_CACHE_SLOTS - 1); 523 head = &avc_cache.slots[hvalue]; 524 lock = &avc_cache.slots_lock[hvalue]; 525 526 if (!spin_trylock_irqsave(lock, flags)) 527 continue; 528 529 rcu_read_lock(); 530 hlist_for_each_entry(node, head, list) { 531 avc_node_delete(node); 532 avc_cache_stats_incr(reclaims); 533 ecx++; 534 if (ecx >= AVC_CACHE_RECLAIM) { 535 rcu_read_unlock(); 536 spin_unlock_irqrestore(lock, flags); 537 goto out; 538 } 539 } 540 rcu_read_unlock(); 541 spin_unlock_irqrestore(lock, flags); 542 } 543 out: 544 return ecx; 545 } 546 547 static struct avc_node *avc_alloc_node(void) 548 { 549 struct avc_node *node; 550 551 node = kmem_cache_zalloc(avc_node_cachep, GFP_ATOMIC|__GFP_NOMEMALLOC); 552 if (!node) 553 goto out; 554 555 INIT_HLIST_NODE(&node->list); 556 avc_cache_stats_incr(allocations); 557 558 if (atomic_inc_return(&avc_cache.active_nodes) > avc_cache_threshold) 559 avc_reclaim_node(); 560 561 out: 562 return node; 563 } 564 565 static void avc_node_populate(struct avc_node *node, u32 ssid, u32 tsid, u16 tclass, struct av_decision *avd) 566 { 567 node->ae.ssid = ssid; 568 node->ae.tsid = tsid; 569 node->ae.tclass = tclass; 570 memcpy(&node->ae.avd, avd, sizeof(node->ae.avd)); 571 } 572 573 static inline struct avc_node *avc_search_node(u32 ssid, u32 tsid, u16 tclass) 574 { 575 struct avc_node *node, *ret = NULL; 576 int hvalue; 577 struct hlist_head *head; 578 579 hvalue = avc_hash(ssid, tsid, tclass); 580 head = &avc_cache.slots[hvalue]; 581 hlist_for_each_entry_rcu(node, head, list) { 582 if (ssid == node->ae.ssid && 583 tclass == node->ae.tclass && 584 tsid == node->ae.tsid) { 585 ret = node; 586 break; 587 } 588 } 589 590 return ret; 591 } 592 593 /** 594 * avc_lookup - Look up an AVC entry. 595 * @ssid: source security identifier 596 * @tsid: target security identifier 597 * @tclass: target security class 598 * 599 * Look up an AVC entry that is valid for the 600 * (@ssid, @tsid), interpreting the permissions 601 * based on @tclass. If a valid AVC entry exists, 602 * then this function returns the avc_node. 603 * Otherwise, this function returns NULL. 604 */ 605 static struct avc_node *avc_lookup(u32 ssid, u32 tsid, u16 tclass) 606 { 607 struct avc_node *node; 608 609 avc_cache_stats_incr(lookups); 610 node = avc_search_node(ssid, tsid, tclass); 611 612 if (node) 613 return node; 614 615 avc_cache_stats_incr(misses); 616 return NULL; 617 } 618 619 static int avc_latest_notif_update(int seqno, int is_insert) 620 { 621 int ret = 0; 622 static DEFINE_SPINLOCK(notif_lock); 623 unsigned long flag; 624 625 spin_lock_irqsave(¬if_lock, flag); 626 if (is_insert) { 627 if (seqno < avc_cache.latest_notif) { 628 printk(KERN_WARNING "SELinux: avc: seqno %d < latest_notif %d\n", 629 seqno, avc_cache.latest_notif); 630 ret = -EAGAIN; 631 } 632 } else { 633 if (seqno > avc_cache.latest_notif) 634 avc_cache.latest_notif = seqno; 635 } 636 spin_unlock_irqrestore(¬if_lock, flag); 637 638 return ret; 639 } 640 641 /** 642 * avc_insert - Insert an AVC entry. 643 * @ssid: source security identifier 644 * @tsid: target security identifier 645 * @tclass: target security class 646 * @avd: resulting av decision 647 * @xp_node: resulting extended permissions 648 * 649 * Insert an AVC entry for the SID pair 650 * (@ssid, @tsid) and class @tclass. 651 * The access vectors and the sequence number are 652 * normally provided by the security server in 653 * response to a security_compute_av() call. If the 654 * sequence number @avd->seqno is not less than the latest 655 * revocation notification, then the function copies 656 * the access vectors into a cache entry, returns 657 * avc_node inserted. Otherwise, this function returns NULL. 658 */ 659 static struct avc_node *avc_insert(u32 ssid, u32 tsid, u16 tclass, 660 struct av_decision *avd, 661 struct avc_xperms_node *xp_node) 662 { 663 struct avc_node *pos, *node = NULL; 664 int hvalue; 665 unsigned long flag; 666 667 if (avc_latest_notif_update(avd->seqno, 1)) 668 goto out; 669 670 node = avc_alloc_node(); 671 if (node) { 672 struct hlist_head *head; 673 spinlock_t *lock; 674 int rc = 0; 675 676 hvalue = avc_hash(ssid, tsid, tclass); 677 avc_node_populate(node, ssid, tsid, tclass, avd); 678 rc = avc_xperms_populate(node, xp_node); 679 if (rc) { 680 kmem_cache_free(avc_node_cachep, node); 681 return NULL; 682 } 683 head = &avc_cache.slots[hvalue]; 684 lock = &avc_cache.slots_lock[hvalue]; 685 686 spin_lock_irqsave(lock, flag); 687 hlist_for_each_entry(pos, head, list) { 688 if (pos->ae.ssid == ssid && 689 pos->ae.tsid == tsid && 690 pos->ae.tclass == tclass) { 691 avc_node_replace(node, pos); 692 goto found; 693 } 694 } 695 hlist_add_head_rcu(&node->list, head); 696 found: 697 spin_unlock_irqrestore(lock, flag); 698 } 699 out: 700 return node; 701 } 702 703 /** 704 * avc_audit_pre_callback - SELinux specific information 705 * will be called by generic audit code 706 * @ab: the audit buffer 707 * @a: audit_data 708 */ 709 static void avc_audit_pre_callback(struct audit_buffer *ab, void *a) 710 { 711 struct common_audit_data *ad = a; 712 audit_log_format(ab, "avc: %s ", 713 ad->selinux_audit_data->denied ? "denied" : "granted"); 714 avc_dump_av(ab, ad->selinux_audit_data->tclass, 715 ad->selinux_audit_data->audited); 716 audit_log_format(ab, " for "); 717 } 718 719 /** 720 * avc_audit_post_callback - SELinux specific information 721 * will be called by generic audit code 722 * @ab: the audit buffer 723 * @a: audit_data 724 */ 725 static void avc_audit_post_callback(struct audit_buffer *ab, void *a) 726 { 727 struct common_audit_data *ad = a; 728 audit_log_format(ab, " "); 729 avc_dump_query(ab, ad->selinux_audit_data->ssid, 730 ad->selinux_audit_data->tsid, 731 ad->selinux_audit_data->tclass); 732 if (ad->selinux_audit_data->denied) { 733 audit_log_format(ab, " permissive=%u", 734 ad->selinux_audit_data->result ? 0 : 1); 735 } 736 } 737 738 /* This is the slow part of avc audit with big stack footprint */ 739 noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass, 740 u32 requested, u32 audited, u32 denied, int result, 741 struct common_audit_data *a, 742 unsigned flags) 743 { 744 struct common_audit_data stack_data; 745 struct selinux_audit_data sad; 746 747 if (!a) { 748 a = &stack_data; 749 a->type = LSM_AUDIT_DATA_NONE; 750 } 751 752 /* 753 * When in a RCU walk do the audit on the RCU retry. This is because 754 * the collection of the dname in an inode audit message is not RCU 755 * safe. Note this may drop some audits when the situation changes 756 * during retry. However this is logically just as if the operation 757 * happened a little later. 758 */ 759 if ((a->type == LSM_AUDIT_DATA_INODE) && 760 (flags & MAY_NOT_BLOCK)) 761 return -ECHILD; 762 763 sad.tclass = tclass; 764 sad.requested = requested; 765 sad.ssid = ssid; 766 sad.tsid = tsid; 767 sad.audited = audited; 768 sad.denied = denied; 769 sad.result = result; 770 771 a->selinux_audit_data = &sad; 772 773 common_lsm_audit(a, avc_audit_pre_callback, avc_audit_post_callback); 774 return 0; 775 } 776 777 /** 778 * avc_add_callback - Register a callback for security events. 779 * @callback: callback function 780 * @events: security events 781 * 782 * Register a callback function for events in the set @events. 783 * Returns %0 on success or -%ENOMEM if insufficient memory 784 * exists to add the callback. 785 */ 786 int __init avc_add_callback(int (*callback)(u32 event), u32 events) 787 { 788 struct avc_callback_node *c; 789 int rc = 0; 790 791 c = kmalloc(sizeof(*c), GFP_KERNEL); 792 if (!c) { 793 rc = -ENOMEM; 794 goto out; 795 } 796 797 c->callback = callback; 798 c->events = events; 799 c->next = avc_callbacks; 800 avc_callbacks = c; 801 out: 802 return rc; 803 } 804 805 /** 806 * avc_update_node Update an AVC entry 807 * @event : Updating event 808 * @perms : Permission mask bits 809 * @ssid,@tsid,@tclass : identifier of an AVC entry 810 * @seqno : sequence number when decision was made 811 * @xpd: extended_perms_decision to be added to the node 812 * 813 * if a valid AVC entry doesn't exist,this function returns -ENOENT. 814 * if kmalloc() called internal returns NULL, this function returns -ENOMEM. 815 * otherwise, this function updates the AVC entry. The original AVC-entry object 816 * will release later by RCU. 817 */ 818 static int avc_update_node(u32 event, u32 perms, u8 driver, u8 xperm, u32 ssid, 819 u32 tsid, u16 tclass, u32 seqno, 820 struct extended_perms_decision *xpd, 821 u32 flags) 822 { 823 int hvalue, rc = 0; 824 unsigned long flag; 825 struct avc_node *pos, *node, *orig = NULL; 826 struct hlist_head *head; 827 spinlock_t *lock; 828 829 node = avc_alloc_node(); 830 if (!node) { 831 rc = -ENOMEM; 832 goto out; 833 } 834 835 /* Lock the target slot */ 836 hvalue = avc_hash(ssid, tsid, tclass); 837 838 head = &avc_cache.slots[hvalue]; 839 lock = &avc_cache.slots_lock[hvalue]; 840 841 spin_lock_irqsave(lock, flag); 842 843 hlist_for_each_entry(pos, head, list) { 844 if (ssid == pos->ae.ssid && 845 tsid == pos->ae.tsid && 846 tclass == pos->ae.tclass && 847 seqno == pos->ae.avd.seqno){ 848 orig = pos; 849 break; 850 } 851 } 852 853 if (!orig) { 854 rc = -ENOENT; 855 avc_node_kill(node); 856 goto out_unlock; 857 } 858 859 /* 860 * Copy and replace original node. 861 */ 862 863 avc_node_populate(node, ssid, tsid, tclass, &orig->ae.avd); 864 865 if (orig->ae.xp_node) { 866 rc = avc_xperms_populate(node, orig->ae.xp_node); 867 if (rc) { 868 kmem_cache_free(avc_node_cachep, node); 869 goto out_unlock; 870 } 871 } 872 873 switch (event) { 874 case AVC_CALLBACK_GRANT: 875 node->ae.avd.allowed |= perms; 876 if (node->ae.xp_node && (flags & AVC_EXTENDED_PERMS)) 877 avc_xperms_allow_perm(node->ae.xp_node, driver, xperm); 878 break; 879 case AVC_CALLBACK_TRY_REVOKE: 880 case AVC_CALLBACK_REVOKE: 881 node->ae.avd.allowed &= ~perms; 882 break; 883 case AVC_CALLBACK_AUDITALLOW_ENABLE: 884 node->ae.avd.auditallow |= perms; 885 break; 886 case AVC_CALLBACK_AUDITALLOW_DISABLE: 887 node->ae.avd.auditallow &= ~perms; 888 break; 889 case AVC_CALLBACK_AUDITDENY_ENABLE: 890 node->ae.avd.auditdeny |= perms; 891 break; 892 case AVC_CALLBACK_AUDITDENY_DISABLE: 893 node->ae.avd.auditdeny &= ~perms; 894 break; 895 case AVC_CALLBACK_ADD_XPERMS: 896 avc_add_xperms_decision(node, xpd); 897 break; 898 } 899 avc_node_replace(node, orig); 900 out_unlock: 901 spin_unlock_irqrestore(lock, flag); 902 out: 903 return rc; 904 } 905 906 /** 907 * avc_flush - Flush the cache 908 */ 909 static void avc_flush(void) 910 { 911 struct hlist_head *head; 912 struct avc_node *node; 913 spinlock_t *lock; 914 unsigned long flag; 915 int i; 916 917 for (i = 0; i < AVC_CACHE_SLOTS; i++) { 918 head = &avc_cache.slots[i]; 919 lock = &avc_cache.slots_lock[i]; 920 921 spin_lock_irqsave(lock, flag); 922 /* 923 * With preemptable RCU, the outer spinlock does not 924 * prevent RCU grace periods from ending. 925 */ 926 rcu_read_lock(); 927 hlist_for_each_entry(node, head, list) 928 avc_node_delete(node); 929 rcu_read_unlock(); 930 spin_unlock_irqrestore(lock, flag); 931 } 932 } 933 934 /** 935 * avc_ss_reset - Flush the cache and revalidate migrated permissions. 936 * @seqno: policy sequence number 937 */ 938 int avc_ss_reset(u32 seqno) 939 { 940 struct avc_callback_node *c; 941 int rc = 0, tmprc; 942 943 avc_flush(); 944 945 for (c = avc_callbacks; c; c = c->next) { 946 if (c->events & AVC_CALLBACK_RESET) { 947 tmprc = c->callback(AVC_CALLBACK_RESET); 948 /* save the first error encountered for the return 949 value and continue processing the callbacks */ 950 if (!rc) 951 rc = tmprc; 952 } 953 } 954 955 avc_latest_notif_update(seqno, 0); 956 return rc; 957 } 958 959 /* 960 * Slow-path helper function for avc_has_perm_noaudit, 961 * when the avc_node lookup fails. We get called with 962 * the RCU read lock held, and need to return with it 963 * still held, but drop if for the security compute. 964 * 965 * Don't inline this, since it's the slow-path and just 966 * results in a bigger stack frame. 967 */ 968 static noinline struct avc_node *avc_compute_av(u32 ssid, u32 tsid, 969 u16 tclass, struct av_decision *avd, 970 struct avc_xperms_node *xp_node) 971 { 972 rcu_read_unlock(); 973 INIT_LIST_HEAD(&xp_node->xpd_head); 974 security_compute_av(ssid, tsid, tclass, avd, &xp_node->xp); 975 rcu_read_lock(); 976 return avc_insert(ssid, tsid, tclass, avd, xp_node); 977 } 978 979 static noinline int avc_denied(u32 ssid, u32 tsid, 980 u16 tclass, u32 requested, 981 u8 driver, u8 xperm, unsigned flags, 982 struct av_decision *avd) 983 { 984 if (flags & AVC_STRICT) 985 return -EACCES; 986 987 if (selinux_enforcing && !(avd->flags & AVD_FLAGS_PERMISSIVE)) 988 return -EACCES; 989 990 avc_update_node(AVC_CALLBACK_GRANT, requested, driver, xperm, ssid, 991 tsid, tclass, avd->seqno, NULL, flags); 992 return 0; 993 } 994 995 /* 996 * The avc extended permissions logic adds an additional 256 bits of 997 * permissions to an avc node when extended permissions for that node are 998 * specified in the avtab. If the additional 256 permissions is not adequate, 999 * as-is the case with ioctls, then multiple may be chained together and the 1000 * driver field is used to specify which set contains the permission. 1001 */ 1002 int avc_has_extended_perms(u32 ssid, u32 tsid, u16 tclass, u32 requested, 1003 u8 driver, u8 xperm, struct common_audit_data *ad) 1004 { 1005 struct avc_node *node; 1006 struct av_decision avd; 1007 u32 denied; 1008 struct extended_perms_decision local_xpd; 1009 struct extended_perms_decision *xpd = NULL; 1010 struct extended_perms_data allowed; 1011 struct extended_perms_data auditallow; 1012 struct extended_perms_data dontaudit; 1013 struct avc_xperms_node local_xp_node; 1014 struct avc_xperms_node *xp_node; 1015 int rc = 0, rc2; 1016 1017 xp_node = &local_xp_node; 1018 BUG_ON(!requested); 1019 1020 rcu_read_lock(); 1021 1022 node = avc_lookup(ssid, tsid, tclass); 1023 if (unlikely(!node)) { 1024 node = avc_compute_av(ssid, tsid, tclass, &avd, xp_node); 1025 } else { 1026 memcpy(&avd, &node->ae.avd, sizeof(avd)); 1027 xp_node = node->ae.xp_node; 1028 } 1029 /* if extended permissions are not defined, only consider av_decision */ 1030 if (!xp_node || !xp_node->xp.len) 1031 goto decision; 1032 1033 local_xpd.allowed = &allowed; 1034 local_xpd.auditallow = &auditallow; 1035 local_xpd.dontaudit = &dontaudit; 1036 1037 xpd = avc_xperms_decision_lookup(driver, xp_node); 1038 if (unlikely(!xpd)) { 1039 /* 1040 * Compute the extended_perms_decision only if the driver 1041 * is flagged 1042 */ 1043 if (!security_xperm_test(xp_node->xp.drivers.p, driver)) { 1044 avd.allowed &= ~requested; 1045 goto decision; 1046 } 1047 rcu_read_unlock(); 1048 security_compute_xperms_decision(ssid, tsid, tclass, driver, 1049 &local_xpd); 1050 rcu_read_lock(); 1051 avc_update_node(AVC_CALLBACK_ADD_XPERMS, requested, driver, xperm, 1052 ssid, tsid, tclass, avd.seqno, &local_xpd, 0); 1053 } else { 1054 avc_quick_copy_xperms_decision(xperm, &local_xpd, xpd); 1055 } 1056 xpd = &local_xpd; 1057 1058 if (!avc_xperms_has_perm(xpd, xperm, XPERMS_ALLOWED)) 1059 avd.allowed &= ~requested; 1060 1061 decision: 1062 denied = requested & ~(avd.allowed); 1063 if (unlikely(denied)) 1064 rc = avc_denied(ssid, tsid, tclass, requested, driver, xperm, 1065 AVC_EXTENDED_PERMS, &avd); 1066 1067 rcu_read_unlock(); 1068 1069 rc2 = avc_xperms_audit(ssid, tsid, tclass, requested, 1070 &avd, xpd, xperm, rc, ad); 1071 if (rc2) 1072 return rc2; 1073 return rc; 1074 } 1075 1076 /** 1077 * avc_has_perm_noaudit - Check permissions but perform no auditing. 1078 * @ssid: source security identifier 1079 * @tsid: target security identifier 1080 * @tclass: target security class 1081 * @requested: requested permissions, interpreted based on @tclass 1082 * @flags: AVC_STRICT or 0 1083 * @avd: access vector decisions 1084 * 1085 * Check the AVC to determine whether the @requested permissions are granted 1086 * for the SID pair (@ssid, @tsid), interpreting the permissions 1087 * based on @tclass, and call the security server on a cache miss to obtain 1088 * a new decision and add it to the cache. Return a copy of the decisions 1089 * in @avd. Return %0 if all @requested permissions are granted, 1090 * -%EACCES if any permissions are denied, or another -errno upon 1091 * other errors. This function is typically called by avc_has_perm(), 1092 * but may also be called directly to separate permission checking from 1093 * auditing, e.g. in cases where a lock must be held for the check but 1094 * should be released for the auditing. 1095 */ 1096 inline int avc_has_perm_noaudit(u32 ssid, u32 tsid, 1097 u16 tclass, u32 requested, 1098 unsigned flags, 1099 struct av_decision *avd) 1100 { 1101 struct avc_node *node; 1102 struct avc_xperms_node xp_node; 1103 int rc = 0; 1104 u32 denied; 1105 1106 BUG_ON(!requested); 1107 1108 rcu_read_lock(); 1109 1110 node = avc_lookup(ssid, tsid, tclass); 1111 if (unlikely(!node)) 1112 node = avc_compute_av(ssid, tsid, tclass, avd, &xp_node); 1113 else 1114 memcpy(avd, &node->ae.avd, sizeof(*avd)); 1115 1116 denied = requested & ~(avd->allowed); 1117 if (unlikely(denied)) 1118 rc = avc_denied(ssid, tsid, tclass, requested, 0, 0, flags, avd); 1119 1120 rcu_read_unlock(); 1121 return rc; 1122 } 1123 1124 /** 1125 * avc_has_perm - Check permissions and perform any appropriate auditing. 1126 * @ssid: source security identifier 1127 * @tsid: target security identifier 1128 * @tclass: target security class 1129 * @requested: requested permissions, interpreted based on @tclass 1130 * @auditdata: auxiliary audit data 1131 * 1132 * Check the AVC to determine whether the @requested permissions are granted 1133 * for the SID pair (@ssid, @tsid), interpreting the permissions 1134 * based on @tclass, and call the security server on a cache miss to obtain 1135 * a new decision and add it to the cache. Audit the granting or denial of 1136 * permissions in accordance with the policy. Return %0 if all @requested 1137 * permissions are granted, -%EACCES if any permissions are denied, or 1138 * another -errno upon other errors. 1139 */ 1140 int avc_has_perm(u32 ssid, u32 tsid, u16 tclass, 1141 u32 requested, struct common_audit_data *auditdata) 1142 { 1143 struct av_decision avd; 1144 int rc, rc2; 1145 1146 rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, &avd); 1147 1148 rc2 = avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata, 0); 1149 if (rc2) 1150 return rc2; 1151 return rc; 1152 } 1153 1154 int avc_has_perm_flags(u32 ssid, u32 tsid, u16 tclass, 1155 u32 requested, struct common_audit_data *auditdata, 1156 int flags) 1157 { 1158 struct av_decision avd; 1159 int rc, rc2; 1160 1161 rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, &avd); 1162 1163 rc2 = avc_audit(ssid, tsid, tclass, requested, &avd, rc, 1164 auditdata, flags); 1165 if (rc2) 1166 return rc2; 1167 return rc; 1168 } 1169 1170 u32 avc_policy_seqno(void) 1171 { 1172 return avc_cache.latest_notif; 1173 } 1174 1175 void avc_disable(void) 1176 { 1177 /* 1178 * If you are looking at this because you have realized that we are 1179 * not destroying the avc_node_cachep it might be easy to fix, but 1180 * I don't know the memory barrier semantics well enough to know. It's 1181 * possible that some other task dereferenced security_ops when 1182 * it still pointed to selinux operations. If that is the case it's 1183 * possible that it is about to use the avc and is about to need the 1184 * avc_node_cachep. I know I could wrap the security.c security_ops call 1185 * in an rcu_lock, but seriously, it's not worth it. Instead I just flush 1186 * the cache and get that memory back. 1187 */ 1188 if (avc_node_cachep) { 1189 avc_flush(); 1190 /* kmem_cache_destroy(avc_node_cachep); */ 1191 } 1192 } 1193