1 /* 2 * Implementation of the policy database. 3 * 4 * Author : Stephen Smalley, <sds@epoch.ncsc.mil> 5 */ 6 7 /* 8 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> 9 * 10 * Support for enhanced MLS infrastructure. 11 * 12 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> 13 * 14 * Added conditional policy language extensions 15 * 16 * Updated: Hewlett-Packard <paul.moore@hp.com> 17 * 18 * Added support for the policy capability bitmap 19 * 20 * Copyright (C) 2007 Hewlett-Packard Development Company, L.P. 21 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 22 * Copyright (C) 2003 - 2004 Tresys Technology, LLC 23 * This program is free software; you can redistribute it and/or modify 24 * it under the terms of the GNU General Public License as published by 25 * the Free Software Foundation, version 2. 26 */ 27 28 #include <linux/kernel.h> 29 #include <linux/sched.h> 30 #include <linux/slab.h> 31 #include <linux/string.h> 32 #include <linux/errno.h> 33 #include <linux/audit.h> 34 #include <linux/flex_array.h> 35 #include "security.h" 36 37 #include "policydb.h" 38 #include "conditional.h" 39 #include "mls.h" 40 41 #define _DEBUG_HASHES 42 43 #ifdef DEBUG_HASHES 44 static const char *symtab_name[SYM_NUM] = { 45 "common prefixes", 46 "classes", 47 "roles", 48 "types", 49 "users", 50 "bools", 51 "levels", 52 "categories", 53 }; 54 #endif 55 56 static unsigned int symtab_sizes[SYM_NUM] = { 57 2, 58 32, 59 16, 60 512, 61 128, 62 16, 63 16, 64 16, 65 }; 66 67 struct policydb_compat_info { 68 int version; 69 int sym_num; 70 int ocon_num; 71 }; 72 73 /* These need to be updated if SYM_NUM or OCON_NUM changes */ 74 static struct policydb_compat_info policydb_compat[] = { 75 { 76 .version = POLICYDB_VERSION_BASE, 77 .sym_num = SYM_NUM - 3, 78 .ocon_num = OCON_NUM - 1, 79 }, 80 { 81 .version = POLICYDB_VERSION_BOOL, 82 .sym_num = SYM_NUM - 2, 83 .ocon_num = OCON_NUM - 1, 84 }, 85 { 86 .version = POLICYDB_VERSION_IPV6, 87 .sym_num = SYM_NUM - 2, 88 .ocon_num = OCON_NUM, 89 }, 90 { 91 .version = POLICYDB_VERSION_NLCLASS, 92 .sym_num = SYM_NUM - 2, 93 .ocon_num = OCON_NUM, 94 }, 95 { 96 .version = POLICYDB_VERSION_MLS, 97 .sym_num = SYM_NUM, 98 .ocon_num = OCON_NUM, 99 }, 100 { 101 .version = POLICYDB_VERSION_AVTAB, 102 .sym_num = SYM_NUM, 103 .ocon_num = OCON_NUM, 104 }, 105 { 106 .version = POLICYDB_VERSION_RANGETRANS, 107 .sym_num = SYM_NUM, 108 .ocon_num = OCON_NUM, 109 }, 110 { 111 .version = POLICYDB_VERSION_POLCAP, 112 .sym_num = SYM_NUM, 113 .ocon_num = OCON_NUM, 114 }, 115 { 116 .version = POLICYDB_VERSION_PERMISSIVE, 117 .sym_num = SYM_NUM, 118 .ocon_num = OCON_NUM, 119 }, 120 { 121 .version = POLICYDB_VERSION_BOUNDARY, 122 .sym_num = SYM_NUM, 123 .ocon_num = OCON_NUM, 124 }, 125 }; 126 127 static struct policydb_compat_info *policydb_lookup_compat(int version) 128 { 129 int i; 130 struct policydb_compat_info *info = NULL; 131 132 for (i = 0; i < ARRAY_SIZE(policydb_compat); i++) { 133 if (policydb_compat[i].version == version) { 134 info = &policydb_compat[i]; 135 break; 136 } 137 } 138 return info; 139 } 140 141 /* 142 * Initialize the role table. 143 */ 144 static int roles_init(struct policydb *p) 145 { 146 char *key = NULL; 147 int rc; 148 struct role_datum *role; 149 150 role = kzalloc(sizeof(*role), GFP_KERNEL); 151 if (!role) { 152 rc = -ENOMEM; 153 goto out; 154 } 155 role->value = ++p->p_roles.nprim; 156 if (role->value != OBJECT_R_VAL) { 157 rc = -EINVAL; 158 goto out_free_role; 159 } 160 key = kstrdup(OBJECT_R, GFP_KERNEL); 161 if (!key) { 162 rc = -ENOMEM; 163 goto out_free_role; 164 } 165 rc = hashtab_insert(p->p_roles.table, key, role); 166 if (rc) 167 goto out_free_key; 168 out: 169 return rc; 170 171 out_free_key: 172 kfree(key); 173 out_free_role: 174 kfree(role); 175 goto out; 176 } 177 178 static u32 rangetr_hash(struct hashtab *h, const void *k) 179 { 180 const struct range_trans *key = k; 181 return (key->source_type + (key->target_type << 3) + 182 (key->target_class << 5)) & (h->size - 1); 183 } 184 185 static int rangetr_cmp(struct hashtab *h, const void *k1, const void *k2) 186 { 187 const struct range_trans *key1 = k1, *key2 = k2; 188 return (key1->source_type != key2->source_type || 189 key1->target_type != key2->target_type || 190 key1->target_class != key2->target_class); 191 } 192 193 /* 194 * Initialize a policy database structure. 195 */ 196 static int policydb_init(struct policydb *p) 197 { 198 int i, rc; 199 200 memset(p, 0, sizeof(*p)); 201 202 for (i = 0; i < SYM_NUM; i++) { 203 rc = symtab_init(&p->symtab[i], symtab_sizes[i]); 204 if (rc) 205 goto out_free_symtab; 206 } 207 208 rc = avtab_init(&p->te_avtab); 209 if (rc) 210 goto out_free_symtab; 211 212 rc = roles_init(p); 213 if (rc) 214 goto out_free_symtab; 215 216 rc = cond_policydb_init(p); 217 if (rc) 218 goto out_free_symtab; 219 220 p->range_tr = hashtab_create(rangetr_hash, rangetr_cmp, 256); 221 if (!p->range_tr) 222 goto out_free_symtab; 223 224 ebitmap_init(&p->policycaps); 225 ebitmap_init(&p->permissive_map); 226 227 out: 228 return rc; 229 230 out_free_symtab: 231 for (i = 0; i < SYM_NUM; i++) 232 hashtab_destroy(p->symtab[i].table); 233 goto out; 234 } 235 236 /* 237 * The following *_index functions are used to 238 * define the val_to_name and val_to_struct arrays 239 * in a policy database structure. The val_to_name 240 * arrays are used when converting security context 241 * structures into string representations. The 242 * val_to_struct arrays are used when the attributes 243 * of a class, role, or user are needed. 244 */ 245 246 static int common_index(void *key, void *datum, void *datap) 247 { 248 struct policydb *p; 249 struct common_datum *comdatum; 250 251 comdatum = datum; 252 p = datap; 253 if (!comdatum->value || comdatum->value > p->p_commons.nprim) 254 return -EINVAL; 255 p->p_common_val_to_name[comdatum->value - 1] = key; 256 return 0; 257 } 258 259 static int class_index(void *key, void *datum, void *datap) 260 { 261 struct policydb *p; 262 struct class_datum *cladatum; 263 264 cladatum = datum; 265 p = datap; 266 if (!cladatum->value || cladatum->value > p->p_classes.nprim) 267 return -EINVAL; 268 p->p_class_val_to_name[cladatum->value - 1] = key; 269 p->class_val_to_struct[cladatum->value - 1] = cladatum; 270 return 0; 271 } 272 273 static int role_index(void *key, void *datum, void *datap) 274 { 275 struct policydb *p; 276 struct role_datum *role; 277 278 role = datum; 279 p = datap; 280 if (!role->value 281 || role->value > p->p_roles.nprim 282 || role->bounds > p->p_roles.nprim) 283 return -EINVAL; 284 p->p_role_val_to_name[role->value - 1] = key; 285 p->role_val_to_struct[role->value - 1] = role; 286 return 0; 287 } 288 289 static int type_index(void *key, void *datum, void *datap) 290 { 291 struct policydb *p; 292 struct type_datum *typdatum; 293 294 typdatum = datum; 295 p = datap; 296 297 if (typdatum->primary) { 298 if (!typdatum->value 299 || typdatum->value > p->p_types.nprim 300 || typdatum->bounds > p->p_types.nprim) 301 return -EINVAL; 302 p->p_type_val_to_name[typdatum->value - 1] = key; 303 p->type_val_to_struct[typdatum->value - 1] = typdatum; 304 } 305 306 return 0; 307 } 308 309 static int user_index(void *key, void *datum, void *datap) 310 { 311 struct policydb *p; 312 struct user_datum *usrdatum; 313 314 usrdatum = datum; 315 p = datap; 316 if (!usrdatum->value 317 || usrdatum->value > p->p_users.nprim 318 || usrdatum->bounds > p->p_users.nprim) 319 return -EINVAL; 320 p->p_user_val_to_name[usrdatum->value - 1] = key; 321 p->user_val_to_struct[usrdatum->value - 1] = usrdatum; 322 return 0; 323 } 324 325 static int sens_index(void *key, void *datum, void *datap) 326 { 327 struct policydb *p; 328 struct level_datum *levdatum; 329 330 levdatum = datum; 331 p = datap; 332 333 if (!levdatum->isalias) { 334 if (!levdatum->level->sens || 335 levdatum->level->sens > p->p_levels.nprim) 336 return -EINVAL; 337 p->p_sens_val_to_name[levdatum->level->sens - 1] = key; 338 } 339 340 return 0; 341 } 342 343 static int cat_index(void *key, void *datum, void *datap) 344 { 345 struct policydb *p; 346 struct cat_datum *catdatum; 347 348 catdatum = datum; 349 p = datap; 350 351 if (!catdatum->isalias) { 352 if (!catdatum->value || catdatum->value > p->p_cats.nprim) 353 return -EINVAL; 354 p->p_cat_val_to_name[catdatum->value - 1] = key; 355 } 356 357 return 0; 358 } 359 360 static int (*index_f[SYM_NUM]) (void *key, void *datum, void *datap) = 361 { 362 common_index, 363 class_index, 364 role_index, 365 type_index, 366 user_index, 367 cond_index_bool, 368 sens_index, 369 cat_index, 370 }; 371 372 /* 373 * Define the common val_to_name array and the class 374 * val_to_name and val_to_struct arrays in a policy 375 * database structure. 376 * 377 * Caller must clean up upon failure. 378 */ 379 static int policydb_index_classes(struct policydb *p) 380 { 381 int rc; 382 383 p->p_common_val_to_name = 384 kmalloc(p->p_commons.nprim * sizeof(char *), GFP_KERNEL); 385 if (!p->p_common_val_to_name) { 386 rc = -ENOMEM; 387 goto out; 388 } 389 390 rc = hashtab_map(p->p_commons.table, common_index, p); 391 if (rc) 392 goto out; 393 394 p->class_val_to_struct = 395 kmalloc(p->p_classes.nprim * sizeof(*(p->class_val_to_struct)), GFP_KERNEL); 396 if (!p->class_val_to_struct) { 397 rc = -ENOMEM; 398 goto out; 399 } 400 401 p->p_class_val_to_name = 402 kmalloc(p->p_classes.nprim * sizeof(char *), GFP_KERNEL); 403 if (!p->p_class_val_to_name) { 404 rc = -ENOMEM; 405 goto out; 406 } 407 408 rc = hashtab_map(p->p_classes.table, class_index, p); 409 out: 410 return rc; 411 } 412 413 #ifdef DEBUG_HASHES 414 static void symtab_hash_eval(struct symtab *s) 415 { 416 int i; 417 418 for (i = 0; i < SYM_NUM; i++) { 419 struct hashtab *h = s[i].table; 420 struct hashtab_info info; 421 422 hashtab_stat(h, &info); 423 printk(KERN_DEBUG "SELinux: %s: %d entries and %d/%d buckets used, " 424 "longest chain length %d\n", symtab_name[i], h->nel, 425 info.slots_used, h->size, info.max_chain_len); 426 } 427 } 428 429 static void rangetr_hash_eval(struct hashtab *h) 430 { 431 struct hashtab_info info; 432 433 hashtab_stat(h, &info); 434 printk(KERN_DEBUG "SELinux: rangetr: %d entries and %d/%d buckets used, " 435 "longest chain length %d\n", h->nel, 436 info.slots_used, h->size, info.max_chain_len); 437 } 438 #else 439 static inline void rangetr_hash_eval(struct hashtab *h) 440 { 441 } 442 #endif 443 444 /* 445 * Define the other val_to_name and val_to_struct arrays 446 * in a policy database structure. 447 * 448 * Caller must clean up on failure. 449 */ 450 static int policydb_index_others(struct policydb *p) 451 { 452 int i, rc = 0; 453 454 printk(KERN_DEBUG "SELinux: %d users, %d roles, %d types, %d bools", 455 p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim, p->p_bools.nprim); 456 if (p->mls_enabled) 457 printk(", %d sens, %d cats", p->p_levels.nprim, 458 p->p_cats.nprim); 459 printk("\n"); 460 461 printk(KERN_DEBUG "SELinux: %d classes, %d rules\n", 462 p->p_classes.nprim, p->te_avtab.nel); 463 464 #ifdef DEBUG_HASHES 465 avtab_hash_eval(&p->te_avtab, "rules"); 466 symtab_hash_eval(p->symtab); 467 #endif 468 469 p->role_val_to_struct = 470 kmalloc(p->p_roles.nprim * sizeof(*(p->role_val_to_struct)), 471 GFP_KERNEL); 472 if (!p->role_val_to_struct) { 473 rc = -ENOMEM; 474 goto out; 475 } 476 477 p->user_val_to_struct = 478 kmalloc(p->p_users.nprim * sizeof(*(p->user_val_to_struct)), 479 GFP_KERNEL); 480 if (!p->user_val_to_struct) { 481 rc = -ENOMEM; 482 goto out; 483 } 484 485 p->type_val_to_struct = 486 kmalloc(p->p_types.nprim * sizeof(*(p->type_val_to_struct)), 487 GFP_KERNEL); 488 if (!p->type_val_to_struct) { 489 rc = -ENOMEM; 490 goto out; 491 } 492 493 if (cond_init_bool_indexes(p)) { 494 rc = -ENOMEM; 495 goto out; 496 } 497 498 for (i = SYM_ROLES; i < SYM_NUM; i++) { 499 p->sym_val_to_name[i] = 500 kmalloc(p->symtab[i].nprim * sizeof(char *), GFP_KERNEL); 501 if (!p->sym_val_to_name[i]) { 502 rc = -ENOMEM; 503 goto out; 504 } 505 rc = hashtab_map(p->symtab[i].table, index_f[i], p); 506 if (rc) 507 goto out; 508 } 509 510 out: 511 return rc; 512 } 513 514 /* 515 * The following *_destroy functions are used to 516 * free any memory allocated for each kind of 517 * symbol data in the policy database. 518 */ 519 520 static int perm_destroy(void *key, void *datum, void *p) 521 { 522 kfree(key); 523 kfree(datum); 524 return 0; 525 } 526 527 static int common_destroy(void *key, void *datum, void *p) 528 { 529 struct common_datum *comdatum; 530 531 kfree(key); 532 comdatum = datum; 533 hashtab_map(comdatum->permissions.table, perm_destroy, NULL); 534 hashtab_destroy(comdatum->permissions.table); 535 kfree(datum); 536 return 0; 537 } 538 539 static int cls_destroy(void *key, void *datum, void *p) 540 { 541 struct class_datum *cladatum; 542 struct constraint_node *constraint, *ctemp; 543 struct constraint_expr *e, *etmp; 544 545 kfree(key); 546 cladatum = datum; 547 hashtab_map(cladatum->permissions.table, perm_destroy, NULL); 548 hashtab_destroy(cladatum->permissions.table); 549 constraint = cladatum->constraints; 550 while (constraint) { 551 e = constraint->expr; 552 while (e) { 553 ebitmap_destroy(&e->names); 554 etmp = e; 555 e = e->next; 556 kfree(etmp); 557 } 558 ctemp = constraint; 559 constraint = constraint->next; 560 kfree(ctemp); 561 } 562 563 constraint = cladatum->validatetrans; 564 while (constraint) { 565 e = constraint->expr; 566 while (e) { 567 ebitmap_destroy(&e->names); 568 etmp = e; 569 e = e->next; 570 kfree(etmp); 571 } 572 ctemp = constraint; 573 constraint = constraint->next; 574 kfree(ctemp); 575 } 576 577 kfree(cladatum->comkey); 578 kfree(datum); 579 return 0; 580 } 581 582 static int role_destroy(void *key, void *datum, void *p) 583 { 584 struct role_datum *role; 585 586 kfree(key); 587 role = datum; 588 ebitmap_destroy(&role->dominates); 589 ebitmap_destroy(&role->types); 590 kfree(datum); 591 return 0; 592 } 593 594 static int type_destroy(void *key, void *datum, void *p) 595 { 596 kfree(key); 597 kfree(datum); 598 return 0; 599 } 600 601 static int user_destroy(void *key, void *datum, void *p) 602 { 603 struct user_datum *usrdatum; 604 605 kfree(key); 606 usrdatum = datum; 607 ebitmap_destroy(&usrdatum->roles); 608 ebitmap_destroy(&usrdatum->range.level[0].cat); 609 ebitmap_destroy(&usrdatum->range.level[1].cat); 610 ebitmap_destroy(&usrdatum->dfltlevel.cat); 611 kfree(datum); 612 return 0; 613 } 614 615 static int sens_destroy(void *key, void *datum, void *p) 616 { 617 struct level_datum *levdatum; 618 619 kfree(key); 620 levdatum = datum; 621 ebitmap_destroy(&levdatum->level->cat); 622 kfree(levdatum->level); 623 kfree(datum); 624 return 0; 625 } 626 627 static int cat_destroy(void *key, void *datum, void *p) 628 { 629 kfree(key); 630 kfree(datum); 631 return 0; 632 } 633 634 static int (*destroy_f[SYM_NUM]) (void *key, void *datum, void *datap) = 635 { 636 common_destroy, 637 cls_destroy, 638 role_destroy, 639 type_destroy, 640 user_destroy, 641 cond_destroy_bool, 642 sens_destroy, 643 cat_destroy, 644 }; 645 646 static int range_tr_destroy(void *key, void *datum, void *p) 647 { 648 struct mls_range *rt = datum; 649 kfree(key); 650 ebitmap_destroy(&rt->level[0].cat); 651 ebitmap_destroy(&rt->level[1].cat); 652 kfree(datum); 653 cond_resched(); 654 return 0; 655 } 656 657 static void ocontext_destroy(struct ocontext *c, int i) 658 { 659 if (!c) 660 return; 661 662 context_destroy(&c->context[0]); 663 context_destroy(&c->context[1]); 664 if (i == OCON_ISID || i == OCON_FS || 665 i == OCON_NETIF || i == OCON_FSUSE) 666 kfree(c->u.name); 667 kfree(c); 668 } 669 670 /* 671 * Free any memory allocated by a policy database structure. 672 */ 673 void policydb_destroy(struct policydb *p) 674 { 675 struct ocontext *c, *ctmp; 676 struct genfs *g, *gtmp; 677 int i; 678 struct role_allow *ra, *lra = NULL; 679 struct role_trans *tr, *ltr = NULL; 680 681 for (i = 0; i < SYM_NUM; i++) { 682 cond_resched(); 683 hashtab_map(p->symtab[i].table, destroy_f[i], NULL); 684 hashtab_destroy(p->symtab[i].table); 685 } 686 687 for (i = 0; i < SYM_NUM; i++) 688 kfree(p->sym_val_to_name[i]); 689 690 kfree(p->class_val_to_struct); 691 kfree(p->role_val_to_struct); 692 kfree(p->user_val_to_struct); 693 kfree(p->type_val_to_struct); 694 695 avtab_destroy(&p->te_avtab); 696 697 for (i = 0; i < OCON_NUM; i++) { 698 cond_resched(); 699 c = p->ocontexts[i]; 700 while (c) { 701 ctmp = c; 702 c = c->next; 703 ocontext_destroy(ctmp, i); 704 } 705 p->ocontexts[i] = NULL; 706 } 707 708 g = p->genfs; 709 while (g) { 710 cond_resched(); 711 kfree(g->fstype); 712 c = g->head; 713 while (c) { 714 ctmp = c; 715 c = c->next; 716 ocontext_destroy(ctmp, OCON_FSUSE); 717 } 718 gtmp = g; 719 g = g->next; 720 kfree(gtmp); 721 } 722 p->genfs = NULL; 723 724 cond_policydb_destroy(p); 725 726 for (tr = p->role_tr; tr; tr = tr->next) { 727 cond_resched(); 728 kfree(ltr); 729 ltr = tr; 730 } 731 kfree(ltr); 732 733 for (ra = p->role_allow; ra; ra = ra->next) { 734 cond_resched(); 735 kfree(lra); 736 lra = ra; 737 } 738 kfree(lra); 739 740 hashtab_map(p->range_tr, range_tr_destroy, NULL); 741 hashtab_destroy(p->range_tr); 742 743 if (p->type_attr_map_array) { 744 for (i = 0; i < p->p_types.nprim; i++) { 745 struct ebitmap *e; 746 747 e = flex_array_get(p->type_attr_map_array, i); 748 if (!e) 749 continue; 750 ebitmap_destroy(e); 751 } 752 flex_array_free(p->type_attr_map_array); 753 } 754 ebitmap_destroy(&p->policycaps); 755 ebitmap_destroy(&p->permissive_map); 756 757 return; 758 } 759 760 /* 761 * Load the initial SIDs specified in a policy database 762 * structure into a SID table. 763 */ 764 int policydb_load_isids(struct policydb *p, struct sidtab *s) 765 { 766 struct ocontext *head, *c; 767 int rc; 768 769 rc = sidtab_init(s); 770 if (rc) { 771 printk(KERN_ERR "SELinux: out of memory on SID table init\n"); 772 goto out; 773 } 774 775 head = p->ocontexts[OCON_ISID]; 776 for (c = head; c; c = c->next) { 777 if (!c->context[0].user) { 778 printk(KERN_ERR "SELinux: SID %s was never " 779 "defined.\n", c->u.name); 780 rc = -EINVAL; 781 goto out; 782 } 783 if (sidtab_insert(s, c->sid[0], &c->context[0])) { 784 printk(KERN_ERR "SELinux: unable to load initial " 785 "SID %s.\n", c->u.name); 786 rc = -EINVAL; 787 goto out; 788 } 789 } 790 out: 791 return rc; 792 } 793 794 int policydb_class_isvalid(struct policydb *p, unsigned int class) 795 { 796 if (!class || class > p->p_classes.nprim) 797 return 0; 798 return 1; 799 } 800 801 int policydb_role_isvalid(struct policydb *p, unsigned int role) 802 { 803 if (!role || role > p->p_roles.nprim) 804 return 0; 805 return 1; 806 } 807 808 int policydb_type_isvalid(struct policydb *p, unsigned int type) 809 { 810 if (!type || type > p->p_types.nprim) 811 return 0; 812 return 1; 813 } 814 815 /* 816 * Return 1 if the fields in the security context 817 * structure `c' are valid. Return 0 otherwise. 818 */ 819 int policydb_context_isvalid(struct policydb *p, struct context *c) 820 { 821 struct role_datum *role; 822 struct user_datum *usrdatum; 823 824 if (!c->role || c->role > p->p_roles.nprim) 825 return 0; 826 827 if (!c->user || c->user > p->p_users.nprim) 828 return 0; 829 830 if (!c->type || c->type > p->p_types.nprim) 831 return 0; 832 833 if (c->role != OBJECT_R_VAL) { 834 /* 835 * Role must be authorized for the type. 836 */ 837 role = p->role_val_to_struct[c->role - 1]; 838 if (!ebitmap_get_bit(&role->types, 839 c->type - 1)) 840 /* role may not be associated with type */ 841 return 0; 842 843 /* 844 * User must be authorized for the role. 845 */ 846 usrdatum = p->user_val_to_struct[c->user - 1]; 847 if (!usrdatum) 848 return 0; 849 850 if (!ebitmap_get_bit(&usrdatum->roles, 851 c->role - 1)) 852 /* user may not be associated with role */ 853 return 0; 854 } 855 856 if (!mls_context_isvalid(p, c)) 857 return 0; 858 859 return 1; 860 } 861 862 /* 863 * Read a MLS range structure from a policydb binary 864 * representation file. 865 */ 866 static int mls_read_range_helper(struct mls_range *r, void *fp) 867 { 868 __le32 buf[2]; 869 u32 items; 870 int rc; 871 872 rc = next_entry(buf, fp, sizeof(u32)); 873 if (rc < 0) 874 goto out; 875 876 items = le32_to_cpu(buf[0]); 877 if (items > ARRAY_SIZE(buf)) { 878 printk(KERN_ERR "SELinux: mls: range overflow\n"); 879 rc = -EINVAL; 880 goto out; 881 } 882 rc = next_entry(buf, fp, sizeof(u32) * items); 883 if (rc < 0) { 884 printk(KERN_ERR "SELinux: mls: truncated range\n"); 885 goto out; 886 } 887 r->level[0].sens = le32_to_cpu(buf[0]); 888 if (items > 1) 889 r->level[1].sens = le32_to_cpu(buf[1]); 890 else 891 r->level[1].sens = r->level[0].sens; 892 893 rc = ebitmap_read(&r->level[0].cat, fp); 894 if (rc) { 895 printk(KERN_ERR "SELinux: mls: error reading low " 896 "categories\n"); 897 goto out; 898 } 899 if (items > 1) { 900 rc = ebitmap_read(&r->level[1].cat, fp); 901 if (rc) { 902 printk(KERN_ERR "SELinux: mls: error reading high " 903 "categories\n"); 904 goto bad_high; 905 } 906 } else { 907 rc = ebitmap_cpy(&r->level[1].cat, &r->level[0].cat); 908 if (rc) { 909 printk(KERN_ERR "SELinux: mls: out of memory\n"); 910 goto bad_high; 911 } 912 } 913 914 rc = 0; 915 out: 916 return rc; 917 bad_high: 918 ebitmap_destroy(&r->level[0].cat); 919 goto out; 920 } 921 922 /* 923 * Read and validate a security context structure 924 * from a policydb binary representation file. 925 */ 926 static int context_read_and_validate(struct context *c, 927 struct policydb *p, 928 void *fp) 929 { 930 __le32 buf[3]; 931 int rc; 932 933 rc = next_entry(buf, fp, sizeof buf); 934 if (rc < 0) { 935 printk(KERN_ERR "SELinux: context truncated\n"); 936 goto out; 937 } 938 c->user = le32_to_cpu(buf[0]); 939 c->role = le32_to_cpu(buf[1]); 940 c->type = le32_to_cpu(buf[2]); 941 if (p->policyvers >= POLICYDB_VERSION_MLS) { 942 if (mls_read_range_helper(&c->range, fp)) { 943 printk(KERN_ERR "SELinux: error reading MLS range of " 944 "context\n"); 945 rc = -EINVAL; 946 goto out; 947 } 948 } 949 950 if (!policydb_context_isvalid(p, c)) { 951 printk(KERN_ERR "SELinux: invalid security context\n"); 952 context_destroy(c); 953 rc = -EINVAL; 954 } 955 out: 956 return rc; 957 } 958 959 /* 960 * The following *_read functions are used to 961 * read the symbol data from a policy database 962 * binary representation file. 963 */ 964 965 static int perm_read(struct policydb *p, struct hashtab *h, void *fp) 966 { 967 char *key = NULL; 968 struct perm_datum *perdatum; 969 int rc; 970 __le32 buf[2]; 971 u32 len; 972 973 perdatum = kzalloc(sizeof(*perdatum), GFP_KERNEL); 974 if (!perdatum) { 975 rc = -ENOMEM; 976 goto out; 977 } 978 979 rc = next_entry(buf, fp, sizeof buf); 980 if (rc < 0) 981 goto bad; 982 983 len = le32_to_cpu(buf[0]); 984 perdatum->value = le32_to_cpu(buf[1]); 985 986 key = kmalloc(len + 1, GFP_KERNEL); 987 if (!key) { 988 rc = -ENOMEM; 989 goto bad; 990 } 991 rc = next_entry(key, fp, len); 992 if (rc < 0) 993 goto bad; 994 key[len] = '\0'; 995 996 rc = hashtab_insert(h, key, perdatum); 997 if (rc) 998 goto bad; 999 out: 1000 return rc; 1001 bad: 1002 perm_destroy(key, perdatum, NULL); 1003 goto out; 1004 } 1005 1006 static int common_read(struct policydb *p, struct hashtab *h, void *fp) 1007 { 1008 char *key = NULL; 1009 struct common_datum *comdatum; 1010 __le32 buf[4]; 1011 u32 len, nel; 1012 int i, rc; 1013 1014 comdatum = kzalloc(sizeof(*comdatum), GFP_KERNEL); 1015 if (!comdatum) { 1016 rc = -ENOMEM; 1017 goto out; 1018 } 1019 1020 rc = next_entry(buf, fp, sizeof buf); 1021 if (rc < 0) 1022 goto bad; 1023 1024 len = le32_to_cpu(buf[0]); 1025 comdatum->value = le32_to_cpu(buf[1]); 1026 1027 rc = symtab_init(&comdatum->permissions, PERM_SYMTAB_SIZE); 1028 if (rc) 1029 goto bad; 1030 comdatum->permissions.nprim = le32_to_cpu(buf[2]); 1031 nel = le32_to_cpu(buf[3]); 1032 1033 key = kmalloc(len + 1, GFP_KERNEL); 1034 if (!key) { 1035 rc = -ENOMEM; 1036 goto bad; 1037 } 1038 rc = next_entry(key, fp, len); 1039 if (rc < 0) 1040 goto bad; 1041 key[len] = '\0'; 1042 1043 for (i = 0; i < nel; i++) { 1044 rc = perm_read(p, comdatum->permissions.table, fp); 1045 if (rc) 1046 goto bad; 1047 } 1048 1049 rc = hashtab_insert(h, key, comdatum); 1050 if (rc) 1051 goto bad; 1052 out: 1053 return rc; 1054 bad: 1055 common_destroy(key, comdatum, NULL); 1056 goto out; 1057 } 1058 1059 static int read_cons_helper(struct constraint_node **nodep, int ncons, 1060 int allowxtarget, void *fp) 1061 { 1062 struct constraint_node *c, *lc; 1063 struct constraint_expr *e, *le; 1064 __le32 buf[3]; 1065 u32 nexpr; 1066 int rc, i, j, depth; 1067 1068 lc = NULL; 1069 for (i = 0; i < ncons; i++) { 1070 c = kzalloc(sizeof(*c), GFP_KERNEL); 1071 if (!c) 1072 return -ENOMEM; 1073 1074 if (lc) 1075 lc->next = c; 1076 else 1077 *nodep = c; 1078 1079 rc = next_entry(buf, fp, (sizeof(u32) * 2)); 1080 if (rc < 0) 1081 return rc; 1082 c->permissions = le32_to_cpu(buf[0]); 1083 nexpr = le32_to_cpu(buf[1]); 1084 le = NULL; 1085 depth = -1; 1086 for (j = 0; j < nexpr; j++) { 1087 e = kzalloc(sizeof(*e), GFP_KERNEL); 1088 if (!e) 1089 return -ENOMEM; 1090 1091 if (le) 1092 le->next = e; 1093 else 1094 c->expr = e; 1095 1096 rc = next_entry(buf, fp, (sizeof(u32) * 3)); 1097 if (rc < 0) 1098 return rc; 1099 e->expr_type = le32_to_cpu(buf[0]); 1100 e->attr = le32_to_cpu(buf[1]); 1101 e->op = le32_to_cpu(buf[2]); 1102 1103 switch (e->expr_type) { 1104 case CEXPR_NOT: 1105 if (depth < 0) 1106 return -EINVAL; 1107 break; 1108 case CEXPR_AND: 1109 case CEXPR_OR: 1110 if (depth < 1) 1111 return -EINVAL; 1112 depth--; 1113 break; 1114 case CEXPR_ATTR: 1115 if (depth == (CEXPR_MAXDEPTH - 1)) 1116 return -EINVAL; 1117 depth++; 1118 break; 1119 case CEXPR_NAMES: 1120 if (!allowxtarget && (e->attr & CEXPR_XTARGET)) 1121 return -EINVAL; 1122 if (depth == (CEXPR_MAXDEPTH - 1)) 1123 return -EINVAL; 1124 depth++; 1125 if (ebitmap_read(&e->names, fp)) 1126 return -EINVAL; 1127 break; 1128 default: 1129 return -EINVAL; 1130 } 1131 le = e; 1132 } 1133 if (depth != 0) 1134 return -EINVAL; 1135 lc = c; 1136 } 1137 1138 return 0; 1139 } 1140 1141 static int class_read(struct policydb *p, struct hashtab *h, void *fp) 1142 { 1143 char *key = NULL; 1144 struct class_datum *cladatum; 1145 __le32 buf[6]; 1146 u32 len, len2, ncons, nel; 1147 int i, rc; 1148 1149 cladatum = kzalloc(sizeof(*cladatum), GFP_KERNEL); 1150 if (!cladatum) { 1151 rc = -ENOMEM; 1152 goto out; 1153 } 1154 1155 rc = next_entry(buf, fp, sizeof(u32)*6); 1156 if (rc < 0) 1157 goto bad; 1158 1159 len = le32_to_cpu(buf[0]); 1160 len2 = le32_to_cpu(buf[1]); 1161 cladatum->value = le32_to_cpu(buf[2]); 1162 1163 rc = symtab_init(&cladatum->permissions, PERM_SYMTAB_SIZE); 1164 if (rc) 1165 goto bad; 1166 cladatum->permissions.nprim = le32_to_cpu(buf[3]); 1167 nel = le32_to_cpu(buf[4]); 1168 1169 ncons = le32_to_cpu(buf[5]); 1170 1171 key = kmalloc(len + 1, GFP_KERNEL); 1172 if (!key) { 1173 rc = -ENOMEM; 1174 goto bad; 1175 } 1176 rc = next_entry(key, fp, len); 1177 if (rc < 0) 1178 goto bad; 1179 key[len] = '\0'; 1180 1181 if (len2) { 1182 cladatum->comkey = kmalloc(len2 + 1, GFP_KERNEL); 1183 if (!cladatum->comkey) { 1184 rc = -ENOMEM; 1185 goto bad; 1186 } 1187 rc = next_entry(cladatum->comkey, fp, len2); 1188 if (rc < 0) 1189 goto bad; 1190 cladatum->comkey[len2] = '\0'; 1191 1192 cladatum->comdatum = hashtab_search(p->p_commons.table, 1193 cladatum->comkey); 1194 if (!cladatum->comdatum) { 1195 printk(KERN_ERR "SELinux: unknown common %s\n", 1196 cladatum->comkey); 1197 rc = -EINVAL; 1198 goto bad; 1199 } 1200 } 1201 for (i = 0; i < nel; i++) { 1202 rc = perm_read(p, cladatum->permissions.table, fp); 1203 if (rc) 1204 goto bad; 1205 } 1206 1207 rc = read_cons_helper(&cladatum->constraints, ncons, 0, fp); 1208 if (rc) 1209 goto bad; 1210 1211 if (p->policyvers >= POLICYDB_VERSION_VALIDATETRANS) { 1212 /* grab the validatetrans rules */ 1213 rc = next_entry(buf, fp, sizeof(u32)); 1214 if (rc < 0) 1215 goto bad; 1216 ncons = le32_to_cpu(buf[0]); 1217 rc = read_cons_helper(&cladatum->validatetrans, ncons, 1, fp); 1218 if (rc) 1219 goto bad; 1220 } 1221 1222 rc = hashtab_insert(h, key, cladatum); 1223 if (rc) 1224 goto bad; 1225 1226 rc = 0; 1227 out: 1228 return rc; 1229 bad: 1230 cls_destroy(key, cladatum, NULL); 1231 goto out; 1232 } 1233 1234 static int role_read(struct policydb *p, struct hashtab *h, void *fp) 1235 { 1236 char *key = NULL; 1237 struct role_datum *role; 1238 int rc, to_read = 2; 1239 __le32 buf[3]; 1240 u32 len; 1241 1242 role = kzalloc(sizeof(*role), GFP_KERNEL); 1243 if (!role) { 1244 rc = -ENOMEM; 1245 goto out; 1246 } 1247 1248 if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) 1249 to_read = 3; 1250 1251 rc = next_entry(buf, fp, sizeof(buf[0]) * to_read); 1252 if (rc < 0) 1253 goto bad; 1254 1255 len = le32_to_cpu(buf[0]); 1256 role->value = le32_to_cpu(buf[1]); 1257 if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) 1258 role->bounds = le32_to_cpu(buf[2]); 1259 1260 key = kmalloc(len + 1, GFP_KERNEL); 1261 if (!key) { 1262 rc = -ENOMEM; 1263 goto bad; 1264 } 1265 rc = next_entry(key, fp, len); 1266 if (rc < 0) 1267 goto bad; 1268 key[len] = '\0'; 1269 1270 rc = ebitmap_read(&role->dominates, fp); 1271 if (rc) 1272 goto bad; 1273 1274 rc = ebitmap_read(&role->types, fp); 1275 if (rc) 1276 goto bad; 1277 1278 if (strcmp(key, OBJECT_R) == 0) { 1279 if (role->value != OBJECT_R_VAL) { 1280 printk(KERN_ERR "SELinux: Role %s has wrong value %d\n", 1281 OBJECT_R, role->value); 1282 rc = -EINVAL; 1283 goto bad; 1284 } 1285 rc = 0; 1286 goto bad; 1287 } 1288 1289 rc = hashtab_insert(h, key, role); 1290 if (rc) 1291 goto bad; 1292 out: 1293 return rc; 1294 bad: 1295 role_destroy(key, role, NULL); 1296 goto out; 1297 } 1298 1299 static int type_read(struct policydb *p, struct hashtab *h, void *fp) 1300 { 1301 char *key = NULL; 1302 struct type_datum *typdatum; 1303 int rc, to_read = 3; 1304 __le32 buf[4]; 1305 u32 len; 1306 1307 typdatum = kzalloc(sizeof(*typdatum), GFP_KERNEL); 1308 if (!typdatum) { 1309 rc = -ENOMEM; 1310 return rc; 1311 } 1312 1313 if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) 1314 to_read = 4; 1315 1316 rc = next_entry(buf, fp, sizeof(buf[0]) * to_read); 1317 if (rc < 0) 1318 goto bad; 1319 1320 len = le32_to_cpu(buf[0]); 1321 typdatum->value = le32_to_cpu(buf[1]); 1322 if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) { 1323 u32 prop = le32_to_cpu(buf[2]); 1324 1325 if (prop & TYPEDATUM_PROPERTY_PRIMARY) 1326 typdatum->primary = 1; 1327 if (prop & TYPEDATUM_PROPERTY_ATTRIBUTE) 1328 typdatum->attribute = 1; 1329 1330 typdatum->bounds = le32_to_cpu(buf[3]); 1331 } else { 1332 typdatum->primary = le32_to_cpu(buf[2]); 1333 } 1334 1335 key = kmalloc(len + 1, GFP_KERNEL); 1336 if (!key) { 1337 rc = -ENOMEM; 1338 goto bad; 1339 } 1340 rc = next_entry(key, fp, len); 1341 if (rc < 0) 1342 goto bad; 1343 key[len] = '\0'; 1344 1345 rc = hashtab_insert(h, key, typdatum); 1346 if (rc) 1347 goto bad; 1348 out: 1349 return rc; 1350 bad: 1351 type_destroy(key, typdatum, NULL); 1352 goto out; 1353 } 1354 1355 1356 /* 1357 * Read a MLS level structure from a policydb binary 1358 * representation file. 1359 */ 1360 static int mls_read_level(struct mls_level *lp, void *fp) 1361 { 1362 __le32 buf[1]; 1363 int rc; 1364 1365 memset(lp, 0, sizeof(*lp)); 1366 1367 rc = next_entry(buf, fp, sizeof buf); 1368 if (rc < 0) { 1369 printk(KERN_ERR "SELinux: mls: truncated level\n"); 1370 goto bad; 1371 } 1372 lp->sens = le32_to_cpu(buf[0]); 1373 1374 if (ebitmap_read(&lp->cat, fp)) { 1375 printk(KERN_ERR "SELinux: mls: error reading level " 1376 "categories\n"); 1377 goto bad; 1378 } 1379 1380 return 0; 1381 1382 bad: 1383 return -EINVAL; 1384 } 1385 1386 static int user_read(struct policydb *p, struct hashtab *h, void *fp) 1387 { 1388 char *key = NULL; 1389 struct user_datum *usrdatum; 1390 int rc, to_read = 2; 1391 __le32 buf[3]; 1392 u32 len; 1393 1394 usrdatum = kzalloc(sizeof(*usrdatum), GFP_KERNEL); 1395 if (!usrdatum) { 1396 rc = -ENOMEM; 1397 goto out; 1398 } 1399 1400 if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) 1401 to_read = 3; 1402 1403 rc = next_entry(buf, fp, sizeof(buf[0]) * to_read); 1404 if (rc < 0) 1405 goto bad; 1406 1407 len = le32_to_cpu(buf[0]); 1408 usrdatum->value = le32_to_cpu(buf[1]); 1409 if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) 1410 usrdatum->bounds = le32_to_cpu(buf[2]); 1411 1412 key = kmalloc(len + 1, GFP_KERNEL); 1413 if (!key) { 1414 rc = -ENOMEM; 1415 goto bad; 1416 } 1417 rc = next_entry(key, fp, len); 1418 if (rc < 0) 1419 goto bad; 1420 key[len] = '\0'; 1421 1422 rc = ebitmap_read(&usrdatum->roles, fp); 1423 if (rc) 1424 goto bad; 1425 1426 if (p->policyvers >= POLICYDB_VERSION_MLS) { 1427 rc = mls_read_range_helper(&usrdatum->range, fp); 1428 if (rc) 1429 goto bad; 1430 rc = mls_read_level(&usrdatum->dfltlevel, fp); 1431 if (rc) 1432 goto bad; 1433 } 1434 1435 rc = hashtab_insert(h, key, usrdatum); 1436 if (rc) 1437 goto bad; 1438 out: 1439 return rc; 1440 bad: 1441 user_destroy(key, usrdatum, NULL); 1442 goto out; 1443 } 1444 1445 static int sens_read(struct policydb *p, struct hashtab *h, void *fp) 1446 { 1447 char *key = NULL; 1448 struct level_datum *levdatum; 1449 int rc; 1450 __le32 buf[2]; 1451 u32 len; 1452 1453 levdatum = kzalloc(sizeof(*levdatum), GFP_ATOMIC); 1454 if (!levdatum) { 1455 rc = -ENOMEM; 1456 goto out; 1457 } 1458 1459 rc = next_entry(buf, fp, sizeof buf); 1460 if (rc < 0) 1461 goto bad; 1462 1463 len = le32_to_cpu(buf[0]); 1464 levdatum->isalias = le32_to_cpu(buf[1]); 1465 1466 key = kmalloc(len + 1, GFP_ATOMIC); 1467 if (!key) { 1468 rc = -ENOMEM; 1469 goto bad; 1470 } 1471 rc = next_entry(key, fp, len); 1472 if (rc < 0) 1473 goto bad; 1474 key[len] = '\0'; 1475 1476 levdatum->level = kmalloc(sizeof(struct mls_level), GFP_ATOMIC); 1477 if (!levdatum->level) { 1478 rc = -ENOMEM; 1479 goto bad; 1480 } 1481 if (mls_read_level(levdatum->level, fp)) { 1482 rc = -EINVAL; 1483 goto bad; 1484 } 1485 1486 rc = hashtab_insert(h, key, levdatum); 1487 if (rc) 1488 goto bad; 1489 out: 1490 return rc; 1491 bad: 1492 sens_destroy(key, levdatum, NULL); 1493 goto out; 1494 } 1495 1496 static int cat_read(struct policydb *p, struct hashtab *h, void *fp) 1497 { 1498 char *key = NULL; 1499 struct cat_datum *catdatum; 1500 int rc; 1501 __le32 buf[3]; 1502 u32 len; 1503 1504 catdatum = kzalloc(sizeof(*catdatum), GFP_ATOMIC); 1505 if (!catdatum) { 1506 rc = -ENOMEM; 1507 goto out; 1508 } 1509 1510 rc = next_entry(buf, fp, sizeof buf); 1511 if (rc < 0) 1512 goto bad; 1513 1514 len = le32_to_cpu(buf[0]); 1515 catdatum->value = le32_to_cpu(buf[1]); 1516 catdatum->isalias = le32_to_cpu(buf[2]); 1517 1518 key = kmalloc(len + 1, GFP_ATOMIC); 1519 if (!key) { 1520 rc = -ENOMEM; 1521 goto bad; 1522 } 1523 rc = next_entry(key, fp, len); 1524 if (rc < 0) 1525 goto bad; 1526 key[len] = '\0'; 1527 1528 rc = hashtab_insert(h, key, catdatum); 1529 if (rc) 1530 goto bad; 1531 out: 1532 return rc; 1533 1534 bad: 1535 cat_destroy(key, catdatum, NULL); 1536 goto out; 1537 } 1538 1539 static int (*read_f[SYM_NUM]) (struct policydb *p, struct hashtab *h, void *fp) = 1540 { 1541 common_read, 1542 class_read, 1543 role_read, 1544 type_read, 1545 user_read, 1546 cond_read_bool, 1547 sens_read, 1548 cat_read, 1549 }; 1550 1551 static int user_bounds_sanity_check(void *key, void *datum, void *datap) 1552 { 1553 struct user_datum *upper, *user; 1554 struct policydb *p = datap; 1555 int depth = 0; 1556 1557 upper = user = datum; 1558 while (upper->bounds) { 1559 struct ebitmap_node *node; 1560 unsigned long bit; 1561 1562 if (++depth == POLICYDB_BOUNDS_MAXDEPTH) { 1563 printk(KERN_ERR "SELinux: user %s: " 1564 "too deep or looped boundary", 1565 (char *) key); 1566 return -EINVAL; 1567 } 1568 1569 upper = p->user_val_to_struct[upper->bounds - 1]; 1570 ebitmap_for_each_positive_bit(&user->roles, node, bit) { 1571 if (ebitmap_get_bit(&upper->roles, bit)) 1572 continue; 1573 1574 printk(KERN_ERR 1575 "SELinux: boundary violated policy: " 1576 "user=%s role=%s bounds=%s\n", 1577 p->p_user_val_to_name[user->value - 1], 1578 p->p_role_val_to_name[bit], 1579 p->p_user_val_to_name[upper->value - 1]); 1580 1581 return -EINVAL; 1582 } 1583 } 1584 1585 return 0; 1586 } 1587 1588 static int role_bounds_sanity_check(void *key, void *datum, void *datap) 1589 { 1590 struct role_datum *upper, *role; 1591 struct policydb *p = datap; 1592 int depth = 0; 1593 1594 upper = role = datum; 1595 while (upper->bounds) { 1596 struct ebitmap_node *node; 1597 unsigned long bit; 1598 1599 if (++depth == POLICYDB_BOUNDS_MAXDEPTH) { 1600 printk(KERN_ERR "SELinux: role %s: " 1601 "too deep or looped bounds\n", 1602 (char *) key); 1603 return -EINVAL; 1604 } 1605 1606 upper = p->role_val_to_struct[upper->bounds - 1]; 1607 ebitmap_for_each_positive_bit(&role->types, node, bit) { 1608 if (ebitmap_get_bit(&upper->types, bit)) 1609 continue; 1610 1611 printk(KERN_ERR 1612 "SELinux: boundary violated policy: " 1613 "role=%s type=%s bounds=%s\n", 1614 p->p_role_val_to_name[role->value - 1], 1615 p->p_type_val_to_name[bit], 1616 p->p_role_val_to_name[upper->value - 1]); 1617 1618 return -EINVAL; 1619 } 1620 } 1621 1622 return 0; 1623 } 1624 1625 static int type_bounds_sanity_check(void *key, void *datum, void *datap) 1626 { 1627 struct type_datum *upper, *type; 1628 struct policydb *p = datap; 1629 int depth = 0; 1630 1631 upper = type = datum; 1632 while (upper->bounds) { 1633 if (++depth == POLICYDB_BOUNDS_MAXDEPTH) { 1634 printk(KERN_ERR "SELinux: type %s: " 1635 "too deep or looped boundary\n", 1636 (char *) key); 1637 return -EINVAL; 1638 } 1639 1640 upper = p->type_val_to_struct[upper->bounds - 1]; 1641 if (upper->attribute) { 1642 printk(KERN_ERR "SELinux: type %s: " 1643 "bounded by attribute %s", 1644 (char *) key, 1645 p->p_type_val_to_name[upper->value - 1]); 1646 return -EINVAL; 1647 } 1648 } 1649 1650 return 0; 1651 } 1652 1653 static int policydb_bounds_sanity_check(struct policydb *p) 1654 { 1655 int rc; 1656 1657 if (p->policyvers < POLICYDB_VERSION_BOUNDARY) 1658 return 0; 1659 1660 rc = hashtab_map(p->p_users.table, 1661 user_bounds_sanity_check, p); 1662 if (rc) 1663 return rc; 1664 1665 rc = hashtab_map(p->p_roles.table, 1666 role_bounds_sanity_check, p); 1667 if (rc) 1668 return rc; 1669 1670 rc = hashtab_map(p->p_types.table, 1671 type_bounds_sanity_check, p); 1672 if (rc) 1673 return rc; 1674 1675 return 0; 1676 } 1677 1678 extern int ss_initialized; 1679 1680 u16 string_to_security_class(struct policydb *p, const char *name) 1681 { 1682 struct class_datum *cladatum; 1683 1684 cladatum = hashtab_search(p->p_classes.table, name); 1685 if (!cladatum) 1686 return 0; 1687 1688 return cladatum->value; 1689 } 1690 1691 u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name) 1692 { 1693 struct class_datum *cladatum; 1694 struct perm_datum *perdatum = NULL; 1695 struct common_datum *comdatum; 1696 1697 if (!tclass || tclass > p->p_classes.nprim) 1698 return 0; 1699 1700 cladatum = p->class_val_to_struct[tclass-1]; 1701 comdatum = cladatum->comdatum; 1702 if (comdatum) 1703 perdatum = hashtab_search(comdatum->permissions.table, 1704 name); 1705 if (!perdatum) 1706 perdatum = hashtab_search(cladatum->permissions.table, 1707 name); 1708 if (!perdatum) 1709 return 0; 1710 1711 return 1U << (perdatum->value-1); 1712 } 1713 1714 static int range_read(struct policydb *p, void *fp) 1715 { 1716 struct range_trans *rt = NULL; 1717 struct mls_range *r = NULL; 1718 int i, rc; 1719 __le32 buf[2]; 1720 u32 nel; 1721 1722 if (p->policyvers < POLICYDB_VERSION_MLS) 1723 return 0; 1724 1725 rc = next_entry(buf, fp, sizeof(u32)); 1726 if (rc) 1727 goto out; 1728 1729 nel = le32_to_cpu(buf[0]); 1730 for (i = 0; i < nel; i++) { 1731 rc = -ENOMEM; 1732 rt = kzalloc(sizeof(*rt), GFP_KERNEL); 1733 if (!rt) 1734 goto out; 1735 1736 rc = next_entry(buf, fp, (sizeof(u32) * 2)); 1737 if (rc) 1738 goto out; 1739 1740 rt->source_type = le32_to_cpu(buf[0]); 1741 rt->target_type = le32_to_cpu(buf[1]); 1742 if (p->policyvers >= POLICYDB_VERSION_RANGETRANS) { 1743 rc = next_entry(buf, fp, sizeof(u32)); 1744 if (rc) 1745 goto out; 1746 rt->target_class = le32_to_cpu(buf[0]); 1747 } else 1748 rt->target_class = p->process_class; 1749 1750 rc = -EINVAL; 1751 if (!policydb_type_isvalid(p, rt->source_type) || 1752 !policydb_type_isvalid(p, rt->target_type) || 1753 !policydb_class_isvalid(p, rt->target_class)) 1754 goto out; 1755 1756 rc = -ENOMEM; 1757 r = kzalloc(sizeof(*r), GFP_KERNEL); 1758 if (!r) 1759 goto out; 1760 1761 rc = mls_read_range_helper(r, fp); 1762 if (rc) 1763 goto out; 1764 1765 rc = -EINVAL; 1766 if (!mls_range_isvalid(p, r)) { 1767 printk(KERN_WARNING "SELinux: rangetrans: invalid range\n"); 1768 goto out; 1769 } 1770 1771 rc = hashtab_insert(p->range_tr, rt, r); 1772 if (rc) 1773 goto out; 1774 1775 rt = NULL; 1776 r = NULL; 1777 } 1778 rangetr_hash_eval(p->range_tr); 1779 rc = 0; 1780 out: 1781 kfree(rt); 1782 kfree(r); 1783 return rc; 1784 } 1785 1786 static int genfs_read(struct policydb *p, void *fp) 1787 { 1788 int i, j, rc; 1789 u32 nel, nel2, len, len2; 1790 __le32 buf[1]; 1791 struct ocontext *l, *c; 1792 struct ocontext *newc = NULL; 1793 struct genfs *genfs_p, *genfs; 1794 struct genfs *newgenfs = NULL; 1795 1796 rc = next_entry(buf, fp, sizeof(u32)); 1797 if (rc) 1798 goto out; 1799 nel = le32_to_cpu(buf[0]); 1800 1801 for (i = 0; i < nel; i++) { 1802 rc = next_entry(buf, fp, sizeof(u32)); 1803 if (rc) 1804 goto out; 1805 len = le32_to_cpu(buf[0]); 1806 1807 rc = -ENOMEM; 1808 newgenfs = kzalloc(sizeof(*newgenfs), GFP_KERNEL); 1809 if (!newgenfs) 1810 goto out; 1811 1812 rc = -ENOMEM; 1813 newgenfs->fstype = kmalloc(len + 1, GFP_KERNEL); 1814 if (!newgenfs->fstype) 1815 goto out; 1816 1817 rc = next_entry(newgenfs->fstype, fp, len); 1818 if (rc) 1819 goto out; 1820 1821 newgenfs->fstype[len] = 0; 1822 1823 for (genfs_p = NULL, genfs = p->genfs; genfs; 1824 genfs_p = genfs, genfs = genfs->next) { 1825 rc = -EINVAL; 1826 if (strcmp(newgenfs->fstype, genfs->fstype) == 0) { 1827 printk(KERN_ERR "SELinux: dup genfs fstype %s\n", 1828 newgenfs->fstype); 1829 goto out; 1830 } 1831 if (strcmp(newgenfs->fstype, genfs->fstype) < 0) 1832 break; 1833 } 1834 newgenfs->next = genfs; 1835 if (genfs_p) 1836 genfs_p->next = newgenfs; 1837 else 1838 p->genfs = newgenfs; 1839 genfs = newgenfs; 1840 newgenfs = NULL; 1841 1842 rc = next_entry(buf, fp, sizeof(u32)); 1843 if (rc) 1844 goto out; 1845 1846 nel2 = le32_to_cpu(buf[0]); 1847 for (j = 0; j < nel2; j++) { 1848 rc = next_entry(buf, fp, sizeof(u32)); 1849 if (rc) 1850 goto out; 1851 len = le32_to_cpu(buf[0]); 1852 1853 rc = -ENOMEM; 1854 newc = kzalloc(sizeof(*newc), GFP_KERNEL); 1855 if (!newc) 1856 goto out; 1857 1858 rc = -ENOMEM; 1859 newc->u.name = kmalloc(len + 1, GFP_KERNEL); 1860 if (!newc->u.name) 1861 goto out; 1862 1863 rc = next_entry(newc->u.name, fp, len); 1864 if (rc) 1865 goto out; 1866 newc->u.name[len] = 0; 1867 1868 rc = next_entry(buf, fp, sizeof(u32)); 1869 if (rc) 1870 goto out; 1871 1872 newc->v.sclass = le32_to_cpu(buf[0]); 1873 rc = context_read_and_validate(&newc->context[0], p, fp); 1874 if (rc) 1875 goto out; 1876 1877 for (l = NULL, c = genfs->head; c; 1878 l = c, c = c->next) { 1879 rc = -EINVAL; 1880 if (!strcmp(newc->u.name, c->u.name) && 1881 (!c->v.sclass || !newc->v.sclass || 1882 newc->v.sclass == c->v.sclass)) { 1883 printk(KERN_ERR "SELinux: dup genfs entry (%s,%s)\n", 1884 genfs->fstype, c->u.name); 1885 goto out; 1886 } 1887 len = strlen(newc->u.name); 1888 len2 = strlen(c->u.name); 1889 if (len > len2) 1890 break; 1891 } 1892 1893 newc->next = c; 1894 if (l) 1895 l->next = newc; 1896 else 1897 genfs->head = newc; 1898 newc = NULL; 1899 } 1900 } 1901 rc = 0; 1902 out: 1903 if (newgenfs) 1904 kfree(newgenfs->fstype); 1905 kfree(newgenfs); 1906 ocontext_destroy(newc, OCON_FSUSE); 1907 1908 return rc; 1909 } 1910 1911 static int ocontext_read(struct policydb *p, struct policydb_compat_info *info, 1912 void *fp) 1913 { 1914 int i, j, rc; 1915 u32 nel, len; 1916 __le32 buf[3]; 1917 struct ocontext *l, *c; 1918 u32 nodebuf[8]; 1919 1920 for (i = 0; i < info->ocon_num; i++) { 1921 rc = next_entry(buf, fp, sizeof(u32)); 1922 if (rc) 1923 goto out; 1924 nel = le32_to_cpu(buf[0]); 1925 1926 l = NULL; 1927 for (j = 0; j < nel; j++) { 1928 rc = -ENOMEM; 1929 c = kzalloc(sizeof(*c), GFP_KERNEL); 1930 if (!c) 1931 goto out; 1932 if (l) 1933 l->next = c; 1934 else 1935 p->ocontexts[i] = c; 1936 l = c; 1937 1938 switch (i) { 1939 case OCON_ISID: 1940 rc = next_entry(buf, fp, sizeof(u32)); 1941 if (rc) 1942 goto out; 1943 1944 c->sid[0] = le32_to_cpu(buf[0]); 1945 rc = context_read_and_validate(&c->context[0], p, fp); 1946 if (rc) 1947 goto out; 1948 break; 1949 case OCON_FS: 1950 case OCON_NETIF: 1951 rc = next_entry(buf, fp, sizeof(u32)); 1952 if (rc) 1953 goto out; 1954 len = le32_to_cpu(buf[0]); 1955 1956 rc = -ENOMEM; 1957 c->u.name = kmalloc(len + 1, GFP_KERNEL); 1958 if (!c->u.name) 1959 goto out; 1960 1961 rc = next_entry(c->u.name, fp, len); 1962 if (rc) 1963 goto out; 1964 1965 c->u.name[len] = 0; 1966 rc = context_read_and_validate(&c->context[0], p, fp); 1967 if (rc) 1968 goto out; 1969 rc = context_read_and_validate(&c->context[1], p, fp); 1970 if (rc) 1971 goto out; 1972 break; 1973 case OCON_PORT: 1974 rc = next_entry(buf, fp, sizeof(u32)*3); 1975 if (rc) 1976 goto out; 1977 c->u.port.protocol = le32_to_cpu(buf[0]); 1978 c->u.port.low_port = le32_to_cpu(buf[1]); 1979 c->u.port.high_port = le32_to_cpu(buf[2]); 1980 rc = context_read_and_validate(&c->context[0], p, fp); 1981 if (rc) 1982 goto out; 1983 break; 1984 case OCON_NODE: 1985 rc = next_entry(nodebuf, fp, sizeof(u32) * 2); 1986 if (rc) 1987 goto out; 1988 c->u.node.addr = nodebuf[0]; /* network order */ 1989 c->u.node.mask = nodebuf[1]; /* network order */ 1990 rc = context_read_and_validate(&c->context[0], p, fp); 1991 if (rc) 1992 goto out; 1993 break; 1994 case OCON_FSUSE: 1995 rc = next_entry(buf, fp, sizeof(u32)*2); 1996 if (rc) 1997 goto out; 1998 1999 rc = -EINVAL; 2000 c->v.behavior = le32_to_cpu(buf[0]); 2001 if (c->v.behavior > SECURITY_FS_USE_NONE) 2002 goto out; 2003 2004 rc = -ENOMEM; 2005 len = le32_to_cpu(buf[1]); 2006 c->u.name = kmalloc(len + 1, GFP_KERNEL); 2007 if (!c->u.name) 2008 goto out; 2009 2010 rc = next_entry(c->u.name, fp, len); 2011 if (rc) 2012 goto out; 2013 c->u.name[len] = 0; 2014 rc = context_read_and_validate(&c->context[0], p, fp); 2015 if (rc) 2016 goto out; 2017 break; 2018 case OCON_NODE6: { 2019 int k; 2020 2021 rc = next_entry(nodebuf, fp, sizeof(u32) * 8); 2022 if (rc) 2023 goto out; 2024 for (k = 0; k < 4; k++) 2025 c->u.node6.addr[k] = nodebuf[k]; 2026 for (k = 0; k < 4; k++) 2027 c->u.node6.mask[k] = nodebuf[k+4]; 2028 rc = context_read_and_validate(&c->context[0], p, fp); 2029 if (rc) 2030 goto out; 2031 break; 2032 } 2033 } 2034 } 2035 } 2036 rc = 0; 2037 out: 2038 return rc; 2039 } 2040 2041 /* 2042 * Read the configuration data from a policy database binary 2043 * representation file into a policy database structure. 2044 */ 2045 int policydb_read(struct policydb *p, void *fp) 2046 { 2047 struct role_allow *ra, *lra; 2048 struct role_trans *tr, *ltr; 2049 int i, j, rc; 2050 __le32 buf[4]; 2051 u32 len, nprim, nel; 2052 2053 char *policydb_str; 2054 struct policydb_compat_info *info; 2055 2056 rc = policydb_init(p); 2057 if (rc) 2058 goto out; 2059 2060 /* Read the magic number and string length. */ 2061 rc = next_entry(buf, fp, sizeof(u32) * 2); 2062 if (rc < 0) 2063 goto bad; 2064 2065 if (le32_to_cpu(buf[0]) != POLICYDB_MAGIC) { 2066 printk(KERN_ERR "SELinux: policydb magic number 0x%x does " 2067 "not match expected magic number 0x%x\n", 2068 le32_to_cpu(buf[0]), POLICYDB_MAGIC); 2069 goto bad; 2070 } 2071 2072 len = le32_to_cpu(buf[1]); 2073 if (len != strlen(POLICYDB_STRING)) { 2074 printk(KERN_ERR "SELinux: policydb string length %d does not " 2075 "match expected length %Zu\n", 2076 len, strlen(POLICYDB_STRING)); 2077 goto bad; 2078 } 2079 policydb_str = kmalloc(len + 1, GFP_KERNEL); 2080 if (!policydb_str) { 2081 printk(KERN_ERR "SELinux: unable to allocate memory for policydb " 2082 "string of length %d\n", len); 2083 rc = -ENOMEM; 2084 goto bad; 2085 } 2086 rc = next_entry(policydb_str, fp, len); 2087 if (rc < 0) { 2088 printk(KERN_ERR "SELinux: truncated policydb string identifier\n"); 2089 kfree(policydb_str); 2090 goto bad; 2091 } 2092 policydb_str[len] = '\0'; 2093 if (strcmp(policydb_str, POLICYDB_STRING)) { 2094 printk(KERN_ERR "SELinux: policydb string %s does not match " 2095 "my string %s\n", policydb_str, POLICYDB_STRING); 2096 kfree(policydb_str); 2097 goto bad; 2098 } 2099 /* Done with policydb_str. */ 2100 kfree(policydb_str); 2101 policydb_str = NULL; 2102 2103 /* Read the version and table sizes. */ 2104 rc = next_entry(buf, fp, sizeof(u32)*4); 2105 if (rc < 0) 2106 goto bad; 2107 2108 p->policyvers = le32_to_cpu(buf[0]); 2109 if (p->policyvers < POLICYDB_VERSION_MIN || 2110 p->policyvers > POLICYDB_VERSION_MAX) { 2111 printk(KERN_ERR "SELinux: policydb version %d does not match " 2112 "my version range %d-%d\n", 2113 le32_to_cpu(buf[0]), POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX); 2114 goto bad; 2115 } 2116 2117 if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_MLS)) { 2118 p->mls_enabled = 1; 2119 2120 if (p->policyvers < POLICYDB_VERSION_MLS) { 2121 printk(KERN_ERR "SELinux: security policydb version %d " 2122 "(MLS) not backwards compatible\n", 2123 p->policyvers); 2124 goto bad; 2125 } 2126 } 2127 p->reject_unknown = !!(le32_to_cpu(buf[1]) & REJECT_UNKNOWN); 2128 p->allow_unknown = !!(le32_to_cpu(buf[1]) & ALLOW_UNKNOWN); 2129 2130 if (p->policyvers >= POLICYDB_VERSION_POLCAP && 2131 ebitmap_read(&p->policycaps, fp) != 0) 2132 goto bad; 2133 2134 if (p->policyvers >= POLICYDB_VERSION_PERMISSIVE && 2135 ebitmap_read(&p->permissive_map, fp) != 0) 2136 goto bad; 2137 2138 info = policydb_lookup_compat(p->policyvers); 2139 if (!info) { 2140 printk(KERN_ERR "SELinux: unable to find policy compat info " 2141 "for version %d\n", p->policyvers); 2142 goto bad; 2143 } 2144 2145 if (le32_to_cpu(buf[2]) != info->sym_num || 2146 le32_to_cpu(buf[3]) != info->ocon_num) { 2147 printk(KERN_ERR "SELinux: policydb table sizes (%d,%d) do " 2148 "not match mine (%d,%d)\n", le32_to_cpu(buf[2]), 2149 le32_to_cpu(buf[3]), 2150 info->sym_num, info->ocon_num); 2151 goto bad; 2152 } 2153 2154 for (i = 0; i < info->sym_num; i++) { 2155 rc = next_entry(buf, fp, sizeof(u32)*2); 2156 if (rc < 0) 2157 goto bad; 2158 nprim = le32_to_cpu(buf[0]); 2159 nel = le32_to_cpu(buf[1]); 2160 for (j = 0; j < nel; j++) { 2161 rc = read_f[i](p, p->symtab[i].table, fp); 2162 if (rc) 2163 goto bad; 2164 } 2165 2166 p->symtab[i].nprim = nprim; 2167 } 2168 2169 rc = avtab_read(&p->te_avtab, fp, p); 2170 if (rc) 2171 goto bad; 2172 2173 if (p->policyvers >= POLICYDB_VERSION_BOOL) { 2174 rc = cond_read_list(p, fp); 2175 if (rc) 2176 goto bad; 2177 } 2178 2179 rc = next_entry(buf, fp, sizeof(u32)); 2180 if (rc < 0) 2181 goto bad; 2182 nel = le32_to_cpu(buf[0]); 2183 ltr = NULL; 2184 for (i = 0; i < nel; i++) { 2185 tr = kzalloc(sizeof(*tr), GFP_KERNEL); 2186 if (!tr) { 2187 rc = -ENOMEM; 2188 goto bad; 2189 } 2190 if (ltr) 2191 ltr->next = tr; 2192 else 2193 p->role_tr = tr; 2194 rc = next_entry(buf, fp, sizeof(u32)*3); 2195 if (rc < 0) 2196 goto bad; 2197 tr->role = le32_to_cpu(buf[0]); 2198 tr->type = le32_to_cpu(buf[1]); 2199 tr->new_role = le32_to_cpu(buf[2]); 2200 if (!policydb_role_isvalid(p, tr->role) || 2201 !policydb_type_isvalid(p, tr->type) || 2202 !policydb_role_isvalid(p, tr->new_role)) { 2203 rc = -EINVAL; 2204 goto bad; 2205 } 2206 ltr = tr; 2207 } 2208 2209 rc = next_entry(buf, fp, sizeof(u32)); 2210 if (rc < 0) 2211 goto bad; 2212 nel = le32_to_cpu(buf[0]); 2213 lra = NULL; 2214 for (i = 0; i < nel; i++) { 2215 ra = kzalloc(sizeof(*ra), GFP_KERNEL); 2216 if (!ra) { 2217 rc = -ENOMEM; 2218 goto bad; 2219 } 2220 if (lra) 2221 lra->next = ra; 2222 else 2223 p->role_allow = ra; 2224 rc = next_entry(buf, fp, sizeof(u32)*2); 2225 if (rc < 0) 2226 goto bad; 2227 ra->role = le32_to_cpu(buf[0]); 2228 ra->new_role = le32_to_cpu(buf[1]); 2229 if (!policydb_role_isvalid(p, ra->role) || 2230 !policydb_role_isvalid(p, ra->new_role)) { 2231 rc = -EINVAL; 2232 goto bad; 2233 } 2234 lra = ra; 2235 } 2236 2237 rc = policydb_index_classes(p); 2238 if (rc) 2239 goto bad; 2240 2241 rc = policydb_index_others(p); 2242 if (rc) 2243 goto bad; 2244 2245 p->process_class = string_to_security_class(p, "process"); 2246 if (!p->process_class) 2247 goto bad; 2248 p->process_trans_perms = string_to_av_perm(p, p->process_class, 2249 "transition"); 2250 p->process_trans_perms |= string_to_av_perm(p, p->process_class, 2251 "dyntransition"); 2252 if (!p->process_trans_perms) 2253 goto bad; 2254 2255 rc = ocontext_read(p, info, fp); 2256 if (rc) 2257 goto bad; 2258 2259 rc = genfs_read(p, fp); 2260 if (rc) 2261 goto bad; 2262 2263 rc = range_read(p, fp); 2264 if (rc) 2265 goto bad; 2266 2267 rc = -ENOMEM; 2268 p->type_attr_map_array = flex_array_alloc(sizeof(struct ebitmap), 2269 p->p_types.nprim, 2270 GFP_KERNEL | __GFP_ZERO); 2271 if (!p->type_attr_map_array) 2272 goto bad; 2273 2274 /* preallocate so we don't have to worry about the put ever failing */ 2275 rc = flex_array_prealloc(p->type_attr_map_array, 0, p->p_types.nprim - 1, 2276 GFP_KERNEL | __GFP_ZERO); 2277 if (rc) 2278 goto bad; 2279 2280 for (i = 0; i < p->p_types.nprim; i++) { 2281 struct ebitmap *e = flex_array_get(p->type_attr_map_array, i); 2282 2283 BUG_ON(!e); 2284 ebitmap_init(e); 2285 if (p->policyvers >= POLICYDB_VERSION_AVTAB) { 2286 rc = ebitmap_read(e, fp); 2287 if (rc) 2288 goto bad; 2289 } 2290 /* add the type itself as the degenerate case */ 2291 rc = ebitmap_set_bit(e, i, 1); 2292 if (rc) 2293 goto bad; 2294 } 2295 2296 rc = policydb_bounds_sanity_check(p); 2297 if (rc) 2298 goto bad; 2299 2300 rc = 0; 2301 out: 2302 return rc; 2303 bad: 2304 if (!rc) 2305 rc = -EINVAL; 2306 policydb_destroy(p); 2307 goto out; 2308 } 2309