1 /* 2 * Implementation of the security services. 3 * 4 * Authors : Stephen Smalley, <sds@epoch.ncsc.mil> 5 * James Morris <jmorris@redhat.com> 6 * 7 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> 8 * 9 * Support for enhanced MLS infrastructure. 10 * 11 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> 12 * 13 * Added conditional policy language extensions 14 * 15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 16 * Copyright (C) 2003 - 2004 Tresys Technology, LLC 17 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> 18 * This program is free software; you can redistribute it and/or modify 19 * it under the terms of the GNU General Public License as published by 20 * the Free Software Foundation, version 2. 21 */ 22 #include <linux/kernel.h> 23 #include <linux/slab.h> 24 #include <linux/string.h> 25 #include <linux/spinlock.h> 26 #include <linux/errno.h> 27 #include <linux/in.h> 28 #include <linux/sched.h> 29 #include <linux/audit.h> 30 #include <asm/semaphore.h> 31 #include "flask.h" 32 #include "avc.h" 33 #include "avc_ss.h" 34 #include "security.h" 35 #include "context.h" 36 #include "policydb.h" 37 #include "sidtab.h" 38 #include "services.h" 39 #include "conditional.h" 40 #include "mls.h" 41 42 extern void selnl_notify_policyload(u32 seqno); 43 unsigned int policydb_loaded_version; 44 45 static DEFINE_RWLOCK(policy_rwlock); 46 #define POLICY_RDLOCK read_lock(&policy_rwlock) 47 #define POLICY_WRLOCK write_lock_irq(&policy_rwlock) 48 #define POLICY_RDUNLOCK read_unlock(&policy_rwlock) 49 #define POLICY_WRUNLOCK write_unlock_irq(&policy_rwlock) 50 51 static DECLARE_MUTEX(load_sem); 52 #define LOAD_LOCK down(&load_sem) 53 #define LOAD_UNLOCK up(&load_sem) 54 55 static struct sidtab sidtab; 56 struct policydb policydb; 57 int ss_initialized = 0; 58 59 /* 60 * The largest sequence number that has been used when 61 * providing an access decision to the access vector cache. 62 * The sequence number only changes when a policy change 63 * occurs. 64 */ 65 static u32 latest_granting = 0; 66 67 /* Forward declaration. */ 68 static int context_struct_to_string(struct context *context, char **scontext, 69 u32 *scontext_len); 70 71 /* 72 * Return the boolean value of a constraint expression 73 * when it is applied to the specified source and target 74 * security contexts. 75 * 76 * xcontext is a special beast... It is used by the validatetrans rules 77 * only. For these rules, scontext is the context before the transition, 78 * tcontext is the context after the transition, and xcontext is the context 79 * of the process performing the transition. All other callers of 80 * constraint_expr_eval should pass in NULL for xcontext. 81 */ 82 static int constraint_expr_eval(struct context *scontext, 83 struct context *tcontext, 84 struct context *xcontext, 85 struct constraint_expr *cexpr) 86 { 87 u32 val1, val2; 88 struct context *c; 89 struct role_datum *r1, *r2; 90 struct mls_level *l1, *l2; 91 struct constraint_expr *e; 92 int s[CEXPR_MAXDEPTH]; 93 int sp = -1; 94 95 for (e = cexpr; e; e = e->next) { 96 switch (e->expr_type) { 97 case CEXPR_NOT: 98 BUG_ON(sp < 0); 99 s[sp] = !s[sp]; 100 break; 101 case CEXPR_AND: 102 BUG_ON(sp < 1); 103 sp--; 104 s[sp] &= s[sp+1]; 105 break; 106 case CEXPR_OR: 107 BUG_ON(sp < 1); 108 sp--; 109 s[sp] |= s[sp+1]; 110 break; 111 case CEXPR_ATTR: 112 if (sp == (CEXPR_MAXDEPTH-1)) 113 return 0; 114 switch (e->attr) { 115 case CEXPR_USER: 116 val1 = scontext->user; 117 val2 = tcontext->user; 118 break; 119 case CEXPR_TYPE: 120 val1 = scontext->type; 121 val2 = tcontext->type; 122 break; 123 case CEXPR_ROLE: 124 val1 = scontext->role; 125 val2 = tcontext->role; 126 r1 = policydb.role_val_to_struct[val1 - 1]; 127 r2 = policydb.role_val_to_struct[val2 - 1]; 128 switch (e->op) { 129 case CEXPR_DOM: 130 s[++sp] = ebitmap_get_bit(&r1->dominates, 131 val2 - 1); 132 continue; 133 case CEXPR_DOMBY: 134 s[++sp] = ebitmap_get_bit(&r2->dominates, 135 val1 - 1); 136 continue; 137 case CEXPR_INCOMP: 138 s[++sp] = ( !ebitmap_get_bit(&r1->dominates, 139 val2 - 1) && 140 !ebitmap_get_bit(&r2->dominates, 141 val1 - 1) ); 142 continue; 143 default: 144 break; 145 } 146 break; 147 case CEXPR_L1L2: 148 l1 = &(scontext->range.level[0]); 149 l2 = &(tcontext->range.level[0]); 150 goto mls_ops; 151 case CEXPR_L1H2: 152 l1 = &(scontext->range.level[0]); 153 l2 = &(tcontext->range.level[1]); 154 goto mls_ops; 155 case CEXPR_H1L2: 156 l1 = &(scontext->range.level[1]); 157 l2 = &(tcontext->range.level[0]); 158 goto mls_ops; 159 case CEXPR_H1H2: 160 l1 = &(scontext->range.level[1]); 161 l2 = &(tcontext->range.level[1]); 162 goto mls_ops; 163 case CEXPR_L1H1: 164 l1 = &(scontext->range.level[0]); 165 l2 = &(scontext->range.level[1]); 166 goto mls_ops; 167 case CEXPR_L2H2: 168 l1 = &(tcontext->range.level[0]); 169 l2 = &(tcontext->range.level[1]); 170 goto mls_ops; 171 mls_ops: 172 switch (e->op) { 173 case CEXPR_EQ: 174 s[++sp] = mls_level_eq(l1, l2); 175 continue; 176 case CEXPR_NEQ: 177 s[++sp] = !mls_level_eq(l1, l2); 178 continue; 179 case CEXPR_DOM: 180 s[++sp] = mls_level_dom(l1, l2); 181 continue; 182 case CEXPR_DOMBY: 183 s[++sp] = mls_level_dom(l2, l1); 184 continue; 185 case CEXPR_INCOMP: 186 s[++sp] = mls_level_incomp(l2, l1); 187 continue; 188 default: 189 BUG(); 190 return 0; 191 } 192 break; 193 default: 194 BUG(); 195 return 0; 196 } 197 198 switch (e->op) { 199 case CEXPR_EQ: 200 s[++sp] = (val1 == val2); 201 break; 202 case CEXPR_NEQ: 203 s[++sp] = (val1 != val2); 204 break; 205 default: 206 BUG(); 207 return 0; 208 } 209 break; 210 case CEXPR_NAMES: 211 if (sp == (CEXPR_MAXDEPTH-1)) 212 return 0; 213 c = scontext; 214 if (e->attr & CEXPR_TARGET) 215 c = tcontext; 216 else if (e->attr & CEXPR_XTARGET) { 217 c = xcontext; 218 if (!c) { 219 BUG(); 220 return 0; 221 } 222 } 223 if (e->attr & CEXPR_USER) 224 val1 = c->user; 225 else if (e->attr & CEXPR_ROLE) 226 val1 = c->role; 227 else if (e->attr & CEXPR_TYPE) 228 val1 = c->type; 229 else { 230 BUG(); 231 return 0; 232 } 233 234 switch (e->op) { 235 case CEXPR_EQ: 236 s[++sp] = ebitmap_get_bit(&e->names, val1 - 1); 237 break; 238 case CEXPR_NEQ: 239 s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1); 240 break; 241 default: 242 BUG(); 243 return 0; 244 } 245 break; 246 default: 247 BUG(); 248 return 0; 249 } 250 } 251 252 BUG_ON(sp != 0); 253 return s[0]; 254 } 255 256 /* 257 * Compute access vectors based on a context structure pair for 258 * the permissions in a particular class. 259 */ 260 static int context_struct_compute_av(struct context *scontext, 261 struct context *tcontext, 262 u16 tclass, 263 u32 requested, 264 struct av_decision *avd) 265 { 266 struct constraint_node *constraint; 267 struct role_allow *ra; 268 struct avtab_key avkey; 269 struct avtab_node *node; 270 struct class_datum *tclass_datum; 271 struct ebitmap *sattr, *tattr; 272 struct ebitmap_node *snode, *tnode; 273 unsigned int i, j; 274 275 /* 276 * Remap extended Netlink classes for old policy versions. 277 * Do this here rather than socket_type_to_security_class() 278 * in case a newer policy version is loaded, allowing sockets 279 * to remain in the correct class. 280 */ 281 if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS) 282 if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET && 283 tclass <= SECCLASS_NETLINK_DNRT_SOCKET) 284 tclass = SECCLASS_NETLINK_SOCKET; 285 286 if (!tclass || tclass > policydb.p_classes.nprim) { 287 printk(KERN_ERR "security_compute_av: unrecognized class %d\n", 288 tclass); 289 return -EINVAL; 290 } 291 tclass_datum = policydb.class_val_to_struct[tclass - 1]; 292 293 /* 294 * Initialize the access vectors to the default values. 295 */ 296 avd->allowed = 0; 297 avd->decided = 0xffffffff; 298 avd->auditallow = 0; 299 avd->auditdeny = 0xffffffff; 300 avd->seqno = latest_granting; 301 302 /* 303 * If a specific type enforcement rule was defined for 304 * this permission check, then use it. 305 */ 306 avkey.target_class = tclass; 307 avkey.specified = AVTAB_AV; 308 sattr = &policydb.type_attr_map[scontext->type - 1]; 309 tattr = &policydb.type_attr_map[tcontext->type - 1]; 310 ebitmap_for_each_bit(sattr, snode, i) { 311 if (!ebitmap_node_get_bit(snode, i)) 312 continue; 313 ebitmap_for_each_bit(tattr, tnode, j) { 314 if (!ebitmap_node_get_bit(tnode, j)) 315 continue; 316 avkey.source_type = i + 1; 317 avkey.target_type = j + 1; 318 for (node = avtab_search_node(&policydb.te_avtab, &avkey); 319 node != NULL; 320 node = avtab_search_node_next(node, avkey.specified)) { 321 if (node->key.specified == AVTAB_ALLOWED) 322 avd->allowed |= node->datum.data; 323 else if (node->key.specified == AVTAB_AUDITALLOW) 324 avd->auditallow |= node->datum.data; 325 else if (node->key.specified == AVTAB_AUDITDENY) 326 avd->auditdeny &= node->datum.data; 327 } 328 329 /* Check conditional av table for additional permissions */ 330 cond_compute_av(&policydb.te_cond_avtab, &avkey, avd); 331 332 } 333 } 334 335 /* 336 * Remove any permissions prohibited by a constraint (this includes 337 * the MLS policy). 338 */ 339 constraint = tclass_datum->constraints; 340 while (constraint) { 341 if ((constraint->permissions & (avd->allowed)) && 342 !constraint_expr_eval(scontext, tcontext, NULL, 343 constraint->expr)) { 344 avd->allowed = (avd->allowed) & ~(constraint->permissions); 345 } 346 constraint = constraint->next; 347 } 348 349 /* 350 * If checking process transition permission and the 351 * role is changing, then check the (current_role, new_role) 352 * pair. 353 */ 354 if (tclass == SECCLASS_PROCESS && 355 (avd->allowed & (PROCESS__TRANSITION | PROCESS__DYNTRANSITION)) && 356 scontext->role != tcontext->role) { 357 for (ra = policydb.role_allow; ra; ra = ra->next) { 358 if (scontext->role == ra->role && 359 tcontext->role == ra->new_role) 360 break; 361 } 362 if (!ra) 363 avd->allowed = (avd->allowed) & ~(PROCESS__TRANSITION | 364 PROCESS__DYNTRANSITION); 365 } 366 367 return 0; 368 } 369 370 static int security_validtrans_handle_fail(struct context *ocontext, 371 struct context *ncontext, 372 struct context *tcontext, 373 u16 tclass) 374 { 375 char *o = NULL, *n = NULL, *t = NULL; 376 u32 olen, nlen, tlen; 377 378 if (context_struct_to_string(ocontext, &o, &olen) < 0) 379 goto out; 380 if (context_struct_to_string(ncontext, &n, &nlen) < 0) 381 goto out; 382 if (context_struct_to_string(tcontext, &t, &tlen) < 0) 383 goto out; 384 audit_log(current->audit_context, AUDIT_SELINUX_ERR, 385 "security_validate_transition: denied for" 386 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s", 387 o, n, t, policydb.p_class_val_to_name[tclass-1]); 388 out: 389 kfree(o); 390 kfree(n); 391 kfree(t); 392 393 if (!selinux_enforcing) 394 return 0; 395 return -EPERM; 396 } 397 398 int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, 399 u16 tclass) 400 { 401 struct context *ocontext; 402 struct context *ncontext; 403 struct context *tcontext; 404 struct class_datum *tclass_datum; 405 struct constraint_node *constraint; 406 int rc = 0; 407 408 if (!ss_initialized) 409 return 0; 410 411 POLICY_RDLOCK; 412 413 /* 414 * Remap extended Netlink classes for old policy versions. 415 * Do this here rather than socket_type_to_security_class() 416 * in case a newer policy version is loaded, allowing sockets 417 * to remain in the correct class. 418 */ 419 if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS) 420 if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET && 421 tclass <= SECCLASS_NETLINK_DNRT_SOCKET) 422 tclass = SECCLASS_NETLINK_SOCKET; 423 424 if (!tclass || tclass > policydb.p_classes.nprim) { 425 printk(KERN_ERR "security_validate_transition: " 426 "unrecognized class %d\n", tclass); 427 rc = -EINVAL; 428 goto out; 429 } 430 tclass_datum = policydb.class_val_to_struct[tclass - 1]; 431 432 ocontext = sidtab_search(&sidtab, oldsid); 433 if (!ocontext) { 434 printk(KERN_ERR "security_validate_transition: " 435 " unrecognized SID %d\n", oldsid); 436 rc = -EINVAL; 437 goto out; 438 } 439 440 ncontext = sidtab_search(&sidtab, newsid); 441 if (!ncontext) { 442 printk(KERN_ERR "security_validate_transition: " 443 " unrecognized SID %d\n", newsid); 444 rc = -EINVAL; 445 goto out; 446 } 447 448 tcontext = sidtab_search(&sidtab, tasksid); 449 if (!tcontext) { 450 printk(KERN_ERR "security_validate_transition: " 451 " unrecognized SID %d\n", tasksid); 452 rc = -EINVAL; 453 goto out; 454 } 455 456 constraint = tclass_datum->validatetrans; 457 while (constraint) { 458 if (!constraint_expr_eval(ocontext, ncontext, tcontext, 459 constraint->expr)) { 460 rc = security_validtrans_handle_fail(ocontext, ncontext, 461 tcontext, tclass); 462 goto out; 463 } 464 constraint = constraint->next; 465 } 466 467 out: 468 POLICY_RDUNLOCK; 469 return rc; 470 } 471 472 /** 473 * security_compute_av - Compute access vector decisions. 474 * @ssid: source security identifier 475 * @tsid: target security identifier 476 * @tclass: target security class 477 * @requested: requested permissions 478 * @avd: access vector decisions 479 * 480 * Compute a set of access vector decisions based on the 481 * SID pair (@ssid, @tsid) for the permissions in @tclass. 482 * Return -%EINVAL if any of the parameters are invalid or %0 483 * if the access vector decisions were computed successfully. 484 */ 485 int security_compute_av(u32 ssid, 486 u32 tsid, 487 u16 tclass, 488 u32 requested, 489 struct av_decision *avd) 490 { 491 struct context *scontext = NULL, *tcontext = NULL; 492 int rc = 0; 493 494 if (!ss_initialized) { 495 avd->allowed = 0xffffffff; 496 avd->decided = 0xffffffff; 497 avd->auditallow = 0; 498 avd->auditdeny = 0xffffffff; 499 avd->seqno = latest_granting; 500 return 0; 501 } 502 503 POLICY_RDLOCK; 504 505 scontext = sidtab_search(&sidtab, ssid); 506 if (!scontext) { 507 printk(KERN_ERR "security_compute_av: unrecognized SID %d\n", 508 ssid); 509 rc = -EINVAL; 510 goto out; 511 } 512 tcontext = sidtab_search(&sidtab, tsid); 513 if (!tcontext) { 514 printk(KERN_ERR "security_compute_av: unrecognized SID %d\n", 515 tsid); 516 rc = -EINVAL; 517 goto out; 518 } 519 520 rc = context_struct_compute_av(scontext, tcontext, tclass, 521 requested, avd); 522 out: 523 POLICY_RDUNLOCK; 524 return rc; 525 } 526 527 /* 528 * Write the security context string representation of 529 * the context structure `context' into a dynamically 530 * allocated string of the correct size. Set `*scontext' 531 * to point to this string and set `*scontext_len' to 532 * the length of the string. 533 */ 534 static int context_struct_to_string(struct context *context, char **scontext, u32 *scontext_len) 535 { 536 char *scontextp; 537 538 *scontext = NULL; 539 *scontext_len = 0; 540 541 /* Compute the size of the context. */ 542 *scontext_len += strlen(policydb.p_user_val_to_name[context->user - 1]) + 1; 543 *scontext_len += strlen(policydb.p_role_val_to_name[context->role - 1]) + 1; 544 *scontext_len += strlen(policydb.p_type_val_to_name[context->type - 1]) + 1; 545 *scontext_len += mls_compute_context_len(context); 546 547 /* Allocate space for the context; caller must free this space. */ 548 scontextp = kmalloc(*scontext_len, GFP_ATOMIC); 549 if (!scontextp) { 550 return -ENOMEM; 551 } 552 *scontext = scontextp; 553 554 /* 555 * Copy the user name, role name and type name into the context. 556 */ 557 sprintf(scontextp, "%s:%s:%s", 558 policydb.p_user_val_to_name[context->user - 1], 559 policydb.p_role_val_to_name[context->role - 1], 560 policydb.p_type_val_to_name[context->type - 1]); 561 scontextp += strlen(policydb.p_user_val_to_name[context->user - 1]) + 562 1 + strlen(policydb.p_role_val_to_name[context->role - 1]) + 563 1 + strlen(policydb.p_type_val_to_name[context->type - 1]); 564 565 mls_sid_to_context(context, &scontextp); 566 567 *scontextp = 0; 568 569 return 0; 570 } 571 572 #include "initial_sid_to_string.h" 573 574 /** 575 * security_sid_to_context - Obtain a context for a given SID. 576 * @sid: security identifier, SID 577 * @scontext: security context 578 * @scontext_len: length in bytes 579 * 580 * Write the string representation of the context associated with @sid 581 * into a dynamically allocated string of the correct size. Set @scontext 582 * to point to this string and set @scontext_len to the length of the string. 583 */ 584 int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len) 585 { 586 struct context *context; 587 int rc = 0; 588 589 if (!ss_initialized) { 590 if (sid <= SECINITSID_NUM) { 591 char *scontextp; 592 593 *scontext_len = strlen(initial_sid_to_string[sid]) + 1; 594 scontextp = kmalloc(*scontext_len,GFP_ATOMIC); 595 strcpy(scontextp, initial_sid_to_string[sid]); 596 *scontext = scontextp; 597 goto out; 598 } 599 printk(KERN_ERR "security_sid_to_context: called before initial " 600 "load_policy on unknown SID %d\n", sid); 601 rc = -EINVAL; 602 goto out; 603 } 604 POLICY_RDLOCK; 605 context = sidtab_search(&sidtab, sid); 606 if (!context) { 607 printk(KERN_ERR "security_sid_to_context: unrecognized SID " 608 "%d\n", sid); 609 rc = -EINVAL; 610 goto out_unlock; 611 } 612 rc = context_struct_to_string(context, scontext, scontext_len); 613 out_unlock: 614 POLICY_RDUNLOCK; 615 out: 616 return rc; 617 618 } 619 620 static int security_context_to_sid_core(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid) 621 { 622 char *scontext2; 623 struct context context; 624 struct role_datum *role; 625 struct type_datum *typdatum; 626 struct user_datum *usrdatum; 627 char *scontextp, *p, oldc; 628 int rc = 0; 629 630 if (!ss_initialized) { 631 int i; 632 633 for (i = 1; i < SECINITSID_NUM; i++) { 634 if (!strcmp(initial_sid_to_string[i], scontext)) { 635 *sid = i; 636 goto out; 637 } 638 } 639 *sid = SECINITSID_KERNEL; 640 goto out; 641 } 642 *sid = SECSID_NULL; 643 644 /* Copy the string so that we can modify the copy as we parse it. 645 The string should already by null terminated, but we append a 646 null suffix to the copy to avoid problems with the existing 647 attr package, which doesn't view the null terminator as part 648 of the attribute value. */ 649 scontext2 = kmalloc(scontext_len+1,GFP_KERNEL); 650 if (!scontext2) { 651 rc = -ENOMEM; 652 goto out; 653 } 654 memcpy(scontext2, scontext, scontext_len); 655 scontext2[scontext_len] = 0; 656 657 context_init(&context); 658 *sid = SECSID_NULL; 659 660 POLICY_RDLOCK; 661 662 /* Parse the security context. */ 663 664 rc = -EINVAL; 665 scontextp = (char *) scontext2; 666 667 /* Extract the user. */ 668 p = scontextp; 669 while (*p && *p != ':') 670 p++; 671 672 if (*p == 0) 673 goto out_unlock; 674 675 *p++ = 0; 676 677 usrdatum = hashtab_search(policydb.p_users.table, scontextp); 678 if (!usrdatum) 679 goto out_unlock; 680 681 context.user = usrdatum->value; 682 683 /* Extract role. */ 684 scontextp = p; 685 while (*p && *p != ':') 686 p++; 687 688 if (*p == 0) 689 goto out_unlock; 690 691 *p++ = 0; 692 693 role = hashtab_search(policydb.p_roles.table, scontextp); 694 if (!role) 695 goto out_unlock; 696 context.role = role->value; 697 698 /* Extract type. */ 699 scontextp = p; 700 while (*p && *p != ':') 701 p++; 702 oldc = *p; 703 *p++ = 0; 704 705 typdatum = hashtab_search(policydb.p_types.table, scontextp); 706 if (!typdatum) 707 goto out_unlock; 708 709 context.type = typdatum->value; 710 711 rc = mls_context_to_sid(oldc, &p, &context, &sidtab, def_sid); 712 if (rc) 713 goto out_unlock; 714 715 if ((p - scontext2) < scontext_len) { 716 rc = -EINVAL; 717 goto out_unlock; 718 } 719 720 /* Check the validity of the new context. */ 721 if (!policydb_context_isvalid(&policydb, &context)) { 722 rc = -EINVAL; 723 goto out_unlock; 724 } 725 /* Obtain the new sid. */ 726 rc = sidtab_context_to_sid(&sidtab, &context, sid); 727 out_unlock: 728 POLICY_RDUNLOCK; 729 context_destroy(&context); 730 kfree(scontext2); 731 out: 732 return rc; 733 } 734 735 /** 736 * security_context_to_sid - Obtain a SID for a given security context. 737 * @scontext: security context 738 * @scontext_len: length in bytes 739 * @sid: security identifier, SID 740 * 741 * Obtains a SID associated with the security context that 742 * has the string representation specified by @scontext. 743 * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient 744 * memory is available, or 0 on success. 745 */ 746 int security_context_to_sid(char *scontext, u32 scontext_len, u32 *sid) 747 { 748 return security_context_to_sid_core(scontext, scontext_len, 749 sid, SECSID_NULL); 750 } 751 752 /** 753 * security_context_to_sid_default - Obtain a SID for a given security context, 754 * falling back to specified default if needed. 755 * 756 * @scontext: security context 757 * @scontext_len: length in bytes 758 * @sid: security identifier, SID 759 * @def_sid: default SID to assign on errror 760 * 761 * Obtains a SID associated with the security context that 762 * has the string representation specified by @scontext. 763 * The default SID is passed to the MLS layer to be used to allow 764 * kernel labeling of the MLS field if the MLS field is not present 765 * (for upgrading to MLS without full relabel). 766 * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient 767 * memory is available, or 0 on success. 768 */ 769 int security_context_to_sid_default(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid) 770 { 771 return security_context_to_sid_core(scontext, scontext_len, 772 sid, def_sid); 773 } 774 775 static int compute_sid_handle_invalid_context( 776 struct context *scontext, 777 struct context *tcontext, 778 u16 tclass, 779 struct context *newcontext) 780 { 781 char *s = NULL, *t = NULL, *n = NULL; 782 u32 slen, tlen, nlen; 783 784 if (context_struct_to_string(scontext, &s, &slen) < 0) 785 goto out; 786 if (context_struct_to_string(tcontext, &t, &tlen) < 0) 787 goto out; 788 if (context_struct_to_string(newcontext, &n, &nlen) < 0) 789 goto out; 790 audit_log(current->audit_context, AUDIT_SELINUX_ERR, 791 "security_compute_sid: invalid context %s" 792 " for scontext=%s" 793 " tcontext=%s" 794 " tclass=%s", 795 n, s, t, policydb.p_class_val_to_name[tclass-1]); 796 out: 797 kfree(s); 798 kfree(t); 799 kfree(n); 800 if (!selinux_enforcing) 801 return 0; 802 return -EACCES; 803 } 804 805 static int security_compute_sid(u32 ssid, 806 u32 tsid, 807 u16 tclass, 808 u32 specified, 809 u32 *out_sid) 810 { 811 struct context *scontext = NULL, *tcontext = NULL, newcontext; 812 struct role_trans *roletr = NULL; 813 struct avtab_key avkey; 814 struct avtab_datum *avdatum; 815 struct avtab_node *node; 816 int rc = 0; 817 818 if (!ss_initialized) { 819 switch (tclass) { 820 case SECCLASS_PROCESS: 821 *out_sid = ssid; 822 break; 823 default: 824 *out_sid = tsid; 825 break; 826 } 827 goto out; 828 } 829 830 POLICY_RDLOCK; 831 832 scontext = sidtab_search(&sidtab, ssid); 833 if (!scontext) { 834 printk(KERN_ERR "security_compute_sid: unrecognized SID %d\n", 835 ssid); 836 rc = -EINVAL; 837 goto out_unlock; 838 } 839 tcontext = sidtab_search(&sidtab, tsid); 840 if (!tcontext) { 841 printk(KERN_ERR "security_compute_sid: unrecognized SID %d\n", 842 tsid); 843 rc = -EINVAL; 844 goto out_unlock; 845 } 846 847 context_init(&newcontext); 848 849 /* Set the user identity. */ 850 switch (specified) { 851 case AVTAB_TRANSITION: 852 case AVTAB_CHANGE: 853 /* Use the process user identity. */ 854 newcontext.user = scontext->user; 855 break; 856 case AVTAB_MEMBER: 857 /* Use the related object owner. */ 858 newcontext.user = tcontext->user; 859 break; 860 } 861 862 /* Set the role and type to default values. */ 863 switch (tclass) { 864 case SECCLASS_PROCESS: 865 /* Use the current role and type of process. */ 866 newcontext.role = scontext->role; 867 newcontext.type = scontext->type; 868 break; 869 default: 870 /* Use the well-defined object role. */ 871 newcontext.role = OBJECT_R_VAL; 872 /* Use the type of the related object. */ 873 newcontext.type = tcontext->type; 874 } 875 876 /* Look for a type transition/member/change rule. */ 877 avkey.source_type = scontext->type; 878 avkey.target_type = tcontext->type; 879 avkey.target_class = tclass; 880 avkey.specified = specified; 881 avdatum = avtab_search(&policydb.te_avtab, &avkey); 882 883 /* If no permanent rule, also check for enabled conditional rules */ 884 if(!avdatum) { 885 node = avtab_search_node(&policydb.te_cond_avtab, &avkey); 886 for (; node != NULL; node = avtab_search_node_next(node, specified)) { 887 if (node->key.specified & AVTAB_ENABLED) { 888 avdatum = &node->datum; 889 break; 890 } 891 } 892 } 893 894 if (avdatum) { 895 /* Use the type from the type transition/member/change rule. */ 896 newcontext.type = avdatum->data; 897 } 898 899 /* Check for class-specific changes. */ 900 switch (tclass) { 901 case SECCLASS_PROCESS: 902 if (specified & AVTAB_TRANSITION) { 903 /* Look for a role transition rule. */ 904 for (roletr = policydb.role_tr; roletr; 905 roletr = roletr->next) { 906 if (roletr->role == scontext->role && 907 roletr->type == tcontext->type) { 908 /* Use the role transition rule. */ 909 newcontext.role = roletr->new_role; 910 break; 911 } 912 } 913 } 914 break; 915 default: 916 break; 917 } 918 919 /* Set the MLS attributes. 920 This is done last because it may allocate memory. */ 921 rc = mls_compute_sid(scontext, tcontext, tclass, specified, &newcontext); 922 if (rc) 923 goto out_unlock; 924 925 /* Check the validity of the context. */ 926 if (!policydb_context_isvalid(&policydb, &newcontext)) { 927 rc = compute_sid_handle_invalid_context(scontext, 928 tcontext, 929 tclass, 930 &newcontext); 931 if (rc) 932 goto out_unlock; 933 } 934 /* Obtain the sid for the context. */ 935 rc = sidtab_context_to_sid(&sidtab, &newcontext, out_sid); 936 out_unlock: 937 POLICY_RDUNLOCK; 938 context_destroy(&newcontext); 939 out: 940 return rc; 941 } 942 943 /** 944 * security_transition_sid - Compute the SID for a new subject/object. 945 * @ssid: source security identifier 946 * @tsid: target security identifier 947 * @tclass: target security class 948 * @out_sid: security identifier for new subject/object 949 * 950 * Compute a SID to use for labeling a new subject or object in the 951 * class @tclass based on a SID pair (@ssid, @tsid). 952 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM 953 * if insufficient memory is available, or %0 if the new SID was 954 * computed successfully. 955 */ 956 int security_transition_sid(u32 ssid, 957 u32 tsid, 958 u16 tclass, 959 u32 *out_sid) 960 { 961 return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, out_sid); 962 } 963 964 /** 965 * security_member_sid - Compute the SID for member selection. 966 * @ssid: source security identifier 967 * @tsid: target security identifier 968 * @tclass: target security class 969 * @out_sid: security identifier for selected member 970 * 971 * Compute a SID to use when selecting a member of a polyinstantiated 972 * object of class @tclass based on a SID pair (@ssid, @tsid). 973 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM 974 * if insufficient memory is available, or %0 if the SID was 975 * computed successfully. 976 */ 977 int security_member_sid(u32 ssid, 978 u32 tsid, 979 u16 tclass, 980 u32 *out_sid) 981 { 982 return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid); 983 } 984 985 /** 986 * security_change_sid - Compute the SID for object relabeling. 987 * @ssid: source security identifier 988 * @tsid: target security identifier 989 * @tclass: target security class 990 * @out_sid: security identifier for selected member 991 * 992 * Compute a SID to use for relabeling an object of class @tclass 993 * based on a SID pair (@ssid, @tsid). 994 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM 995 * if insufficient memory is available, or %0 if the SID was 996 * computed successfully. 997 */ 998 int security_change_sid(u32 ssid, 999 u32 tsid, 1000 u16 tclass, 1001 u32 *out_sid) 1002 { 1003 return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid); 1004 } 1005 1006 /* 1007 * Verify that each permission that is defined under the 1008 * existing policy is still defined with the same value 1009 * in the new policy. 1010 */ 1011 static int validate_perm(void *key, void *datum, void *p) 1012 { 1013 struct hashtab *h; 1014 struct perm_datum *perdatum, *perdatum2; 1015 int rc = 0; 1016 1017 1018 h = p; 1019 perdatum = datum; 1020 1021 perdatum2 = hashtab_search(h, key); 1022 if (!perdatum2) { 1023 printk(KERN_ERR "security: permission %s disappeared", 1024 (char *)key); 1025 rc = -ENOENT; 1026 goto out; 1027 } 1028 if (perdatum->value != perdatum2->value) { 1029 printk(KERN_ERR "security: the value of permission %s changed", 1030 (char *)key); 1031 rc = -EINVAL; 1032 } 1033 out: 1034 return rc; 1035 } 1036 1037 /* 1038 * Verify that each class that is defined under the 1039 * existing policy is still defined with the same 1040 * attributes in the new policy. 1041 */ 1042 static int validate_class(void *key, void *datum, void *p) 1043 { 1044 struct policydb *newp; 1045 struct class_datum *cladatum, *cladatum2; 1046 int rc; 1047 1048 newp = p; 1049 cladatum = datum; 1050 1051 cladatum2 = hashtab_search(newp->p_classes.table, key); 1052 if (!cladatum2) { 1053 printk(KERN_ERR "security: class %s disappeared\n", 1054 (char *)key); 1055 rc = -ENOENT; 1056 goto out; 1057 } 1058 if (cladatum->value != cladatum2->value) { 1059 printk(KERN_ERR "security: the value of class %s changed\n", 1060 (char *)key); 1061 rc = -EINVAL; 1062 goto out; 1063 } 1064 if ((cladatum->comdatum && !cladatum2->comdatum) || 1065 (!cladatum->comdatum && cladatum2->comdatum)) { 1066 printk(KERN_ERR "security: the inherits clause for the access " 1067 "vector definition for class %s changed\n", (char *)key); 1068 rc = -EINVAL; 1069 goto out; 1070 } 1071 if (cladatum->comdatum) { 1072 rc = hashtab_map(cladatum->comdatum->permissions.table, validate_perm, 1073 cladatum2->comdatum->permissions.table); 1074 if (rc) { 1075 printk(" in the access vector definition for class " 1076 "%s\n", (char *)key); 1077 goto out; 1078 } 1079 } 1080 rc = hashtab_map(cladatum->permissions.table, validate_perm, 1081 cladatum2->permissions.table); 1082 if (rc) 1083 printk(" in access vector definition for class %s\n", 1084 (char *)key); 1085 out: 1086 return rc; 1087 } 1088 1089 /* Clone the SID into the new SID table. */ 1090 static int clone_sid(u32 sid, 1091 struct context *context, 1092 void *arg) 1093 { 1094 struct sidtab *s = arg; 1095 1096 return sidtab_insert(s, sid, context); 1097 } 1098 1099 static inline int convert_context_handle_invalid_context(struct context *context) 1100 { 1101 int rc = 0; 1102 1103 if (selinux_enforcing) { 1104 rc = -EINVAL; 1105 } else { 1106 char *s; 1107 u32 len; 1108 1109 context_struct_to_string(context, &s, &len); 1110 printk(KERN_ERR "security: context %s is invalid\n", s); 1111 kfree(s); 1112 } 1113 return rc; 1114 } 1115 1116 struct convert_context_args { 1117 struct policydb *oldp; 1118 struct policydb *newp; 1119 }; 1120 1121 /* 1122 * Convert the values in the security context 1123 * structure `c' from the values specified 1124 * in the policy `p->oldp' to the values specified 1125 * in the policy `p->newp'. Verify that the 1126 * context is valid under the new policy. 1127 */ 1128 static int convert_context(u32 key, 1129 struct context *c, 1130 void *p) 1131 { 1132 struct convert_context_args *args; 1133 struct context oldc; 1134 struct role_datum *role; 1135 struct type_datum *typdatum; 1136 struct user_datum *usrdatum; 1137 char *s; 1138 u32 len; 1139 int rc; 1140 1141 args = p; 1142 1143 rc = context_cpy(&oldc, c); 1144 if (rc) 1145 goto out; 1146 1147 rc = -EINVAL; 1148 1149 /* Convert the user. */ 1150 usrdatum = hashtab_search(args->newp->p_users.table, 1151 args->oldp->p_user_val_to_name[c->user - 1]); 1152 if (!usrdatum) { 1153 goto bad; 1154 } 1155 c->user = usrdatum->value; 1156 1157 /* Convert the role. */ 1158 role = hashtab_search(args->newp->p_roles.table, 1159 args->oldp->p_role_val_to_name[c->role - 1]); 1160 if (!role) { 1161 goto bad; 1162 } 1163 c->role = role->value; 1164 1165 /* Convert the type. */ 1166 typdatum = hashtab_search(args->newp->p_types.table, 1167 args->oldp->p_type_val_to_name[c->type - 1]); 1168 if (!typdatum) { 1169 goto bad; 1170 } 1171 c->type = typdatum->value; 1172 1173 rc = mls_convert_context(args->oldp, args->newp, c); 1174 if (rc) 1175 goto bad; 1176 1177 /* Check the validity of the new context. */ 1178 if (!policydb_context_isvalid(args->newp, c)) { 1179 rc = convert_context_handle_invalid_context(&oldc); 1180 if (rc) 1181 goto bad; 1182 } 1183 1184 context_destroy(&oldc); 1185 out: 1186 return rc; 1187 bad: 1188 context_struct_to_string(&oldc, &s, &len); 1189 context_destroy(&oldc); 1190 printk(KERN_ERR "security: invalidating context %s\n", s); 1191 kfree(s); 1192 goto out; 1193 } 1194 1195 extern void selinux_complete_init(void); 1196 1197 /** 1198 * security_load_policy - Load a security policy configuration. 1199 * @data: binary policy data 1200 * @len: length of data in bytes 1201 * 1202 * Load a new set of security policy configuration data, 1203 * validate it and convert the SID table as necessary. 1204 * This function will flush the access vector cache after 1205 * loading the new policy. 1206 */ 1207 int security_load_policy(void *data, size_t len) 1208 { 1209 struct policydb oldpolicydb, newpolicydb; 1210 struct sidtab oldsidtab, newsidtab; 1211 struct convert_context_args args; 1212 u32 seqno; 1213 int rc = 0; 1214 struct policy_file file = { data, len }, *fp = &file; 1215 1216 LOAD_LOCK; 1217 1218 if (!ss_initialized) { 1219 avtab_cache_init(); 1220 if (policydb_read(&policydb, fp)) { 1221 LOAD_UNLOCK; 1222 avtab_cache_destroy(); 1223 return -EINVAL; 1224 } 1225 if (policydb_load_isids(&policydb, &sidtab)) { 1226 LOAD_UNLOCK; 1227 policydb_destroy(&policydb); 1228 avtab_cache_destroy(); 1229 return -EINVAL; 1230 } 1231 policydb_loaded_version = policydb.policyvers; 1232 ss_initialized = 1; 1233 seqno = ++latest_granting; 1234 LOAD_UNLOCK; 1235 selinux_complete_init(); 1236 avc_ss_reset(seqno); 1237 selnl_notify_policyload(seqno); 1238 return 0; 1239 } 1240 1241 #if 0 1242 sidtab_hash_eval(&sidtab, "sids"); 1243 #endif 1244 1245 if (policydb_read(&newpolicydb, fp)) { 1246 LOAD_UNLOCK; 1247 return -EINVAL; 1248 } 1249 1250 sidtab_init(&newsidtab); 1251 1252 /* Verify that the existing classes did not change. */ 1253 if (hashtab_map(policydb.p_classes.table, validate_class, &newpolicydb)) { 1254 printk(KERN_ERR "security: the definition of an existing " 1255 "class changed\n"); 1256 rc = -EINVAL; 1257 goto err; 1258 } 1259 1260 /* Clone the SID table. */ 1261 sidtab_shutdown(&sidtab); 1262 if (sidtab_map(&sidtab, clone_sid, &newsidtab)) { 1263 rc = -ENOMEM; 1264 goto err; 1265 } 1266 1267 /* Convert the internal representations of contexts 1268 in the new SID table and remove invalid SIDs. */ 1269 args.oldp = &policydb; 1270 args.newp = &newpolicydb; 1271 sidtab_map_remove_on_error(&newsidtab, convert_context, &args); 1272 1273 /* Save the old policydb and SID table to free later. */ 1274 memcpy(&oldpolicydb, &policydb, sizeof policydb); 1275 sidtab_set(&oldsidtab, &sidtab); 1276 1277 /* Install the new policydb and SID table. */ 1278 POLICY_WRLOCK; 1279 memcpy(&policydb, &newpolicydb, sizeof policydb); 1280 sidtab_set(&sidtab, &newsidtab); 1281 seqno = ++latest_granting; 1282 policydb_loaded_version = policydb.policyvers; 1283 POLICY_WRUNLOCK; 1284 LOAD_UNLOCK; 1285 1286 /* Free the old policydb and SID table. */ 1287 policydb_destroy(&oldpolicydb); 1288 sidtab_destroy(&oldsidtab); 1289 1290 avc_ss_reset(seqno); 1291 selnl_notify_policyload(seqno); 1292 1293 return 0; 1294 1295 err: 1296 LOAD_UNLOCK; 1297 sidtab_destroy(&newsidtab); 1298 policydb_destroy(&newpolicydb); 1299 return rc; 1300 1301 } 1302 1303 /** 1304 * security_port_sid - Obtain the SID for a port. 1305 * @domain: communication domain aka address family 1306 * @type: socket type 1307 * @protocol: protocol number 1308 * @port: port number 1309 * @out_sid: security identifier 1310 */ 1311 int security_port_sid(u16 domain, 1312 u16 type, 1313 u8 protocol, 1314 u16 port, 1315 u32 *out_sid) 1316 { 1317 struct ocontext *c; 1318 int rc = 0; 1319 1320 POLICY_RDLOCK; 1321 1322 c = policydb.ocontexts[OCON_PORT]; 1323 while (c) { 1324 if (c->u.port.protocol == protocol && 1325 c->u.port.low_port <= port && 1326 c->u.port.high_port >= port) 1327 break; 1328 c = c->next; 1329 } 1330 1331 if (c) { 1332 if (!c->sid[0]) { 1333 rc = sidtab_context_to_sid(&sidtab, 1334 &c->context[0], 1335 &c->sid[0]); 1336 if (rc) 1337 goto out; 1338 } 1339 *out_sid = c->sid[0]; 1340 } else { 1341 *out_sid = SECINITSID_PORT; 1342 } 1343 1344 out: 1345 POLICY_RDUNLOCK; 1346 return rc; 1347 } 1348 1349 /** 1350 * security_netif_sid - Obtain the SID for a network interface. 1351 * @name: interface name 1352 * @if_sid: interface SID 1353 * @msg_sid: default SID for received packets 1354 */ 1355 int security_netif_sid(char *name, 1356 u32 *if_sid, 1357 u32 *msg_sid) 1358 { 1359 int rc = 0; 1360 struct ocontext *c; 1361 1362 POLICY_RDLOCK; 1363 1364 c = policydb.ocontexts[OCON_NETIF]; 1365 while (c) { 1366 if (strcmp(name, c->u.name) == 0) 1367 break; 1368 c = c->next; 1369 } 1370 1371 if (c) { 1372 if (!c->sid[0] || !c->sid[1]) { 1373 rc = sidtab_context_to_sid(&sidtab, 1374 &c->context[0], 1375 &c->sid[0]); 1376 if (rc) 1377 goto out; 1378 rc = sidtab_context_to_sid(&sidtab, 1379 &c->context[1], 1380 &c->sid[1]); 1381 if (rc) 1382 goto out; 1383 } 1384 *if_sid = c->sid[0]; 1385 *msg_sid = c->sid[1]; 1386 } else { 1387 *if_sid = SECINITSID_NETIF; 1388 *msg_sid = SECINITSID_NETMSG; 1389 } 1390 1391 out: 1392 POLICY_RDUNLOCK; 1393 return rc; 1394 } 1395 1396 static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask) 1397 { 1398 int i, fail = 0; 1399 1400 for(i = 0; i < 4; i++) 1401 if(addr[i] != (input[i] & mask[i])) { 1402 fail = 1; 1403 break; 1404 } 1405 1406 return !fail; 1407 } 1408 1409 /** 1410 * security_node_sid - Obtain the SID for a node (host). 1411 * @domain: communication domain aka address family 1412 * @addrp: address 1413 * @addrlen: address length in bytes 1414 * @out_sid: security identifier 1415 */ 1416 int security_node_sid(u16 domain, 1417 void *addrp, 1418 u32 addrlen, 1419 u32 *out_sid) 1420 { 1421 int rc = 0; 1422 struct ocontext *c; 1423 1424 POLICY_RDLOCK; 1425 1426 switch (domain) { 1427 case AF_INET: { 1428 u32 addr; 1429 1430 if (addrlen != sizeof(u32)) { 1431 rc = -EINVAL; 1432 goto out; 1433 } 1434 1435 addr = *((u32 *)addrp); 1436 1437 c = policydb.ocontexts[OCON_NODE]; 1438 while (c) { 1439 if (c->u.node.addr == (addr & c->u.node.mask)) 1440 break; 1441 c = c->next; 1442 } 1443 break; 1444 } 1445 1446 case AF_INET6: 1447 if (addrlen != sizeof(u64) * 2) { 1448 rc = -EINVAL; 1449 goto out; 1450 } 1451 c = policydb.ocontexts[OCON_NODE6]; 1452 while (c) { 1453 if (match_ipv6_addrmask(addrp, c->u.node6.addr, 1454 c->u.node6.mask)) 1455 break; 1456 c = c->next; 1457 } 1458 break; 1459 1460 default: 1461 *out_sid = SECINITSID_NODE; 1462 goto out; 1463 } 1464 1465 if (c) { 1466 if (!c->sid[0]) { 1467 rc = sidtab_context_to_sid(&sidtab, 1468 &c->context[0], 1469 &c->sid[0]); 1470 if (rc) 1471 goto out; 1472 } 1473 *out_sid = c->sid[0]; 1474 } else { 1475 *out_sid = SECINITSID_NODE; 1476 } 1477 1478 out: 1479 POLICY_RDUNLOCK; 1480 return rc; 1481 } 1482 1483 #define SIDS_NEL 25 1484 1485 /** 1486 * security_get_user_sids - Obtain reachable SIDs for a user. 1487 * @fromsid: starting SID 1488 * @username: username 1489 * @sids: array of reachable SIDs for user 1490 * @nel: number of elements in @sids 1491 * 1492 * Generate the set of SIDs for legal security contexts 1493 * for a given user that can be reached by @fromsid. 1494 * Set *@sids to point to a dynamically allocated 1495 * array containing the set of SIDs. Set *@nel to the 1496 * number of elements in the array. 1497 */ 1498 1499 int security_get_user_sids(u32 fromsid, 1500 char *username, 1501 u32 **sids, 1502 u32 *nel) 1503 { 1504 struct context *fromcon, usercon; 1505 u32 *mysids, *mysids2, sid; 1506 u32 mynel = 0, maxnel = SIDS_NEL; 1507 struct user_datum *user; 1508 struct role_datum *role; 1509 struct av_decision avd; 1510 struct ebitmap_node *rnode, *tnode; 1511 int rc = 0, i, j; 1512 1513 if (!ss_initialized) { 1514 *sids = NULL; 1515 *nel = 0; 1516 goto out; 1517 } 1518 1519 POLICY_RDLOCK; 1520 1521 fromcon = sidtab_search(&sidtab, fromsid); 1522 if (!fromcon) { 1523 rc = -EINVAL; 1524 goto out_unlock; 1525 } 1526 1527 user = hashtab_search(policydb.p_users.table, username); 1528 if (!user) { 1529 rc = -EINVAL; 1530 goto out_unlock; 1531 } 1532 usercon.user = user->value; 1533 1534 mysids = kmalloc(maxnel*sizeof(*mysids), GFP_ATOMIC); 1535 if (!mysids) { 1536 rc = -ENOMEM; 1537 goto out_unlock; 1538 } 1539 memset(mysids, 0, maxnel*sizeof(*mysids)); 1540 1541 ebitmap_for_each_bit(&user->roles, rnode, i) { 1542 if (!ebitmap_node_get_bit(rnode, i)) 1543 continue; 1544 role = policydb.role_val_to_struct[i]; 1545 usercon.role = i+1; 1546 ebitmap_for_each_bit(&role->types, tnode, j) { 1547 if (!ebitmap_node_get_bit(tnode, j)) 1548 continue; 1549 usercon.type = j+1; 1550 1551 if (mls_setup_user_range(fromcon, user, &usercon)) 1552 continue; 1553 1554 rc = context_struct_compute_av(fromcon, &usercon, 1555 SECCLASS_PROCESS, 1556 PROCESS__TRANSITION, 1557 &avd); 1558 if (rc || !(avd.allowed & PROCESS__TRANSITION)) 1559 continue; 1560 rc = sidtab_context_to_sid(&sidtab, &usercon, &sid); 1561 if (rc) { 1562 kfree(mysids); 1563 goto out_unlock; 1564 } 1565 if (mynel < maxnel) { 1566 mysids[mynel++] = sid; 1567 } else { 1568 maxnel += SIDS_NEL; 1569 mysids2 = kmalloc(maxnel*sizeof(*mysids2), GFP_ATOMIC); 1570 if (!mysids2) { 1571 rc = -ENOMEM; 1572 kfree(mysids); 1573 goto out_unlock; 1574 } 1575 memset(mysids2, 0, maxnel*sizeof(*mysids2)); 1576 memcpy(mysids2, mysids, mynel * sizeof(*mysids2)); 1577 kfree(mysids); 1578 mysids = mysids2; 1579 mysids[mynel++] = sid; 1580 } 1581 } 1582 } 1583 1584 *sids = mysids; 1585 *nel = mynel; 1586 1587 out_unlock: 1588 POLICY_RDUNLOCK; 1589 out: 1590 return rc; 1591 } 1592 1593 /** 1594 * security_genfs_sid - Obtain a SID for a file in a filesystem 1595 * @fstype: filesystem type 1596 * @path: path from root of mount 1597 * @sclass: file security class 1598 * @sid: SID for path 1599 * 1600 * Obtain a SID to use for a file in a filesystem that 1601 * cannot support xattr or use a fixed labeling behavior like 1602 * transition SIDs or task SIDs. 1603 */ 1604 int security_genfs_sid(const char *fstype, 1605 char *path, 1606 u16 sclass, 1607 u32 *sid) 1608 { 1609 int len; 1610 struct genfs *genfs; 1611 struct ocontext *c; 1612 int rc = 0, cmp = 0; 1613 1614 POLICY_RDLOCK; 1615 1616 for (genfs = policydb.genfs; genfs; genfs = genfs->next) { 1617 cmp = strcmp(fstype, genfs->fstype); 1618 if (cmp <= 0) 1619 break; 1620 } 1621 1622 if (!genfs || cmp) { 1623 *sid = SECINITSID_UNLABELED; 1624 rc = -ENOENT; 1625 goto out; 1626 } 1627 1628 for (c = genfs->head; c; c = c->next) { 1629 len = strlen(c->u.name); 1630 if ((!c->v.sclass || sclass == c->v.sclass) && 1631 (strncmp(c->u.name, path, len) == 0)) 1632 break; 1633 } 1634 1635 if (!c) { 1636 *sid = SECINITSID_UNLABELED; 1637 rc = -ENOENT; 1638 goto out; 1639 } 1640 1641 if (!c->sid[0]) { 1642 rc = sidtab_context_to_sid(&sidtab, 1643 &c->context[0], 1644 &c->sid[0]); 1645 if (rc) 1646 goto out; 1647 } 1648 1649 *sid = c->sid[0]; 1650 out: 1651 POLICY_RDUNLOCK; 1652 return rc; 1653 } 1654 1655 /** 1656 * security_fs_use - Determine how to handle labeling for a filesystem. 1657 * @fstype: filesystem type 1658 * @behavior: labeling behavior 1659 * @sid: SID for filesystem (superblock) 1660 */ 1661 int security_fs_use( 1662 const char *fstype, 1663 unsigned int *behavior, 1664 u32 *sid) 1665 { 1666 int rc = 0; 1667 struct ocontext *c; 1668 1669 POLICY_RDLOCK; 1670 1671 c = policydb.ocontexts[OCON_FSUSE]; 1672 while (c) { 1673 if (strcmp(fstype, c->u.name) == 0) 1674 break; 1675 c = c->next; 1676 } 1677 1678 if (c) { 1679 *behavior = c->v.behavior; 1680 if (!c->sid[0]) { 1681 rc = sidtab_context_to_sid(&sidtab, 1682 &c->context[0], 1683 &c->sid[0]); 1684 if (rc) 1685 goto out; 1686 } 1687 *sid = c->sid[0]; 1688 } else { 1689 rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, sid); 1690 if (rc) { 1691 *behavior = SECURITY_FS_USE_NONE; 1692 rc = 0; 1693 } else { 1694 *behavior = SECURITY_FS_USE_GENFS; 1695 } 1696 } 1697 1698 out: 1699 POLICY_RDUNLOCK; 1700 return rc; 1701 } 1702 1703 int security_get_bools(int *len, char ***names, int **values) 1704 { 1705 int i, rc = -ENOMEM; 1706 1707 POLICY_RDLOCK; 1708 *names = NULL; 1709 *values = NULL; 1710 1711 *len = policydb.p_bools.nprim; 1712 if (!*len) { 1713 rc = 0; 1714 goto out; 1715 } 1716 1717 *names = (char**)kmalloc(sizeof(char*) * *len, GFP_ATOMIC); 1718 if (!*names) 1719 goto err; 1720 memset(*names, 0, sizeof(char*) * *len); 1721 1722 *values = (int*)kmalloc(sizeof(int) * *len, GFP_ATOMIC); 1723 if (!*values) 1724 goto err; 1725 1726 for (i = 0; i < *len; i++) { 1727 size_t name_len; 1728 (*values)[i] = policydb.bool_val_to_struct[i]->state; 1729 name_len = strlen(policydb.p_bool_val_to_name[i]) + 1; 1730 (*names)[i] = (char*)kmalloc(sizeof(char) * name_len, GFP_ATOMIC); 1731 if (!(*names)[i]) 1732 goto err; 1733 strncpy((*names)[i], policydb.p_bool_val_to_name[i], name_len); 1734 (*names)[i][name_len - 1] = 0; 1735 } 1736 rc = 0; 1737 out: 1738 POLICY_RDUNLOCK; 1739 return rc; 1740 err: 1741 if (*names) { 1742 for (i = 0; i < *len; i++) 1743 kfree((*names)[i]); 1744 } 1745 kfree(*values); 1746 goto out; 1747 } 1748 1749 1750 int security_set_bools(int len, int *values) 1751 { 1752 int i, rc = 0; 1753 int lenp, seqno = 0; 1754 struct cond_node *cur; 1755 1756 POLICY_WRLOCK; 1757 1758 lenp = policydb.p_bools.nprim; 1759 if (len != lenp) { 1760 rc = -EFAULT; 1761 goto out; 1762 } 1763 1764 printk(KERN_INFO "security: committed booleans { "); 1765 for (i = 0; i < len; i++) { 1766 if (values[i]) { 1767 policydb.bool_val_to_struct[i]->state = 1; 1768 } else { 1769 policydb.bool_val_to_struct[i]->state = 0; 1770 } 1771 if (i != 0) 1772 printk(", "); 1773 printk("%s:%d", policydb.p_bool_val_to_name[i], 1774 policydb.bool_val_to_struct[i]->state); 1775 } 1776 printk(" }\n"); 1777 1778 for (cur = policydb.cond_list; cur != NULL; cur = cur->next) { 1779 rc = evaluate_cond_node(&policydb, cur); 1780 if (rc) 1781 goto out; 1782 } 1783 1784 seqno = ++latest_granting; 1785 1786 out: 1787 POLICY_WRUNLOCK; 1788 if (!rc) { 1789 avc_ss_reset(seqno); 1790 selnl_notify_policyload(seqno); 1791 } 1792 return rc; 1793 } 1794 1795 int security_get_bool_value(int bool) 1796 { 1797 int rc = 0; 1798 int len; 1799 1800 POLICY_RDLOCK; 1801 1802 len = policydb.p_bools.nprim; 1803 if (bool >= len) { 1804 rc = -EFAULT; 1805 goto out; 1806 } 1807 1808 rc = policydb.bool_val_to_struct[bool]->state; 1809 out: 1810 POLICY_RDUNLOCK; 1811 return rc; 1812 } 1813