1 /* 2 * Implementation of the security services. 3 * 4 * Authors : Stephen Smalley, <sds@epoch.ncsc.mil> 5 * James Morris <jmorris@redhat.com> 6 * 7 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> 8 * 9 * Support for enhanced MLS infrastructure. 10 * Support for context based audit filters. 11 * 12 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> 13 * 14 * Added conditional policy language extensions 15 * 16 * Updated: Hewlett-Packard <paul.moore@hp.com> 17 * 18 * Added support for NetLabel 19 * 20 * Updated: Chad Sellers <csellers@tresys.com> 21 * 22 * Added validation of kernel classes and permissions 23 * 24 * Copyright (C) 2006 Hewlett-Packard Development Company, L.P. 25 * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc. 26 * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC 27 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> 28 * This program is free software; you can redistribute it and/or modify 29 * it under the terms of the GNU General Public License as published by 30 * the Free Software Foundation, version 2. 31 */ 32 #include <linux/kernel.h> 33 #include <linux/slab.h> 34 #include <linux/string.h> 35 #include <linux/spinlock.h> 36 #include <linux/rcupdate.h> 37 #include <linux/errno.h> 38 #include <linux/in.h> 39 #include <linux/sched.h> 40 #include <linux/audit.h> 41 #include <linux/mutex.h> 42 #include <net/sock.h> 43 #include <net/netlabel.h> 44 45 #include "flask.h" 46 #include "avc.h" 47 #include "avc_ss.h" 48 #include "security.h" 49 #include "context.h" 50 #include "policydb.h" 51 #include "sidtab.h" 52 #include "services.h" 53 #include "conditional.h" 54 #include "mls.h" 55 #include "objsec.h" 56 #include "selinux_netlabel.h" 57 #include "xfrm.h" 58 #include "ebitmap.h" 59 60 extern void selnl_notify_policyload(u32 seqno); 61 unsigned int policydb_loaded_version; 62 63 /* 64 * This is declared in avc.c 65 */ 66 extern const struct selinux_class_perm selinux_class_perm; 67 68 static DEFINE_RWLOCK(policy_rwlock); 69 #define POLICY_RDLOCK read_lock(&policy_rwlock) 70 #define POLICY_WRLOCK write_lock_irq(&policy_rwlock) 71 #define POLICY_RDUNLOCK read_unlock(&policy_rwlock) 72 #define POLICY_WRUNLOCK write_unlock_irq(&policy_rwlock) 73 74 static DEFINE_MUTEX(load_mutex); 75 #define LOAD_LOCK mutex_lock(&load_mutex) 76 #define LOAD_UNLOCK mutex_unlock(&load_mutex) 77 78 static struct sidtab sidtab; 79 struct policydb policydb; 80 int ss_initialized = 0; 81 82 /* 83 * The largest sequence number that has been used when 84 * providing an access decision to the access vector cache. 85 * The sequence number only changes when a policy change 86 * occurs. 87 */ 88 static u32 latest_granting = 0; 89 90 /* Forward declaration. */ 91 static int context_struct_to_string(struct context *context, char **scontext, 92 u32 *scontext_len); 93 94 /* 95 * Return the boolean value of a constraint expression 96 * when it is applied to the specified source and target 97 * security contexts. 98 * 99 * xcontext is a special beast... It is used by the validatetrans rules 100 * only. For these rules, scontext is the context before the transition, 101 * tcontext is the context after the transition, and xcontext is the context 102 * of the process performing the transition. All other callers of 103 * constraint_expr_eval should pass in NULL for xcontext. 104 */ 105 static int constraint_expr_eval(struct context *scontext, 106 struct context *tcontext, 107 struct context *xcontext, 108 struct constraint_expr *cexpr) 109 { 110 u32 val1, val2; 111 struct context *c; 112 struct role_datum *r1, *r2; 113 struct mls_level *l1, *l2; 114 struct constraint_expr *e; 115 int s[CEXPR_MAXDEPTH]; 116 int sp = -1; 117 118 for (e = cexpr; e; e = e->next) { 119 switch (e->expr_type) { 120 case CEXPR_NOT: 121 BUG_ON(sp < 0); 122 s[sp] = !s[sp]; 123 break; 124 case CEXPR_AND: 125 BUG_ON(sp < 1); 126 sp--; 127 s[sp] &= s[sp+1]; 128 break; 129 case CEXPR_OR: 130 BUG_ON(sp < 1); 131 sp--; 132 s[sp] |= s[sp+1]; 133 break; 134 case CEXPR_ATTR: 135 if (sp == (CEXPR_MAXDEPTH-1)) 136 return 0; 137 switch (e->attr) { 138 case CEXPR_USER: 139 val1 = scontext->user; 140 val2 = tcontext->user; 141 break; 142 case CEXPR_TYPE: 143 val1 = scontext->type; 144 val2 = tcontext->type; 145 break; 146 case CEXPR_ROLE: 147 val1 = scontext->role; 148 val2 = tcontext->role; 149 r1 = policydb.role_val_to_struct[val1 - 1]; 150 r2 = policydb.role_val_to_struct[val2 - 1]; 151 switch (e->op) { 152 case CEXPR_DOM: 153 s[++sp] = ebitmap_get_bit(&r1->dominates, 154 val2 - 1); 155 continue; 156 case CEXPR_DOMBY: 157 s[++sp] = ebitmap_get_bit(&r2->dominates, 158 val1 - 1); 159 continue; 160 case CEXPR_INCOMP: 161 s[++sp] = ( !ebitmap_get_bit(&r1->dominates, 162 val2 - 1) && 163 !ebitmap_get_bit(&r2->dominates, 164 val1 - 1) ); 165 continue; 166 default: 167 break; 168 } 169 break; 170 case CEXPR_L1L2: 171 l1 = &(scontext->range.level[0]); 172 l2 = &(tcontext->range.level[0]); 173 goto mls_ops; 174 case CEXPR_L1H2: 175 l1 = &(scontext->range.level[0]); 176 l2 = &(tcontext->range.level[1]); 177 goto mls_ops; 178 case CEXPR_H1L2: 179 l1 = &(scontext->range.level[1]); 180 l2 = &(tcontext->range.level[0]); 181 goto mls_ops; 182 case CEXPR_H1H2: 183 l1 = &(scontext->range.level[1]); 184 l2 = &(tcontext->range.level[1]); 185 goto mls_ops; 186 case CEXPR_L1H1: 187 l1 = &(scontext->range.level[0]); 188 l2 = &(scontext->range.level[1]); 189 goto mls_ops; 190 case CEXPR_L2H2: 191 l1 = &(tcontext->range.level[0]); 192 l2 = &(tcontext->range.level[1]); 193 goto mls_ops; 194 mls_ops: 195 switch (e->op) { 196 case CEXPR_EQ: 197 s[++sp] = mls_level_eq(l1, l2); 198 continue; 199 case CEXPR_NEQ: 200 s[++sp] = !mls_level_eq(l1, l2); 201 continue; 202 case CEXPR_DOM: 203 s[++sp] = mls_level_dom(l1, l2); 204 continue; 205 case CEXPR_DOMBY: 206 s[++sp] = mls_level_dom(l2, l1); 207 continue; 208 case CEXPR_INCOMP: 209 s[++sp] = mls_level_incomp(l2, l1); 210 continue; 211 default: 212 BUG(); 213 return 0; 214 } 215 break; 216 default: 217 BUG(); 218 return 0; 219 } 220 221 switch (e->op) { 222 case CEXPR_EQ: 223 s[++sp] = (val1 == val2); 224 break; 225 case CEXPR_NEQ: 226 s[++sp] = (val1 != val2); 227 break; 228 default: 229 BUG(); 230 return 0; 231 } 232 break; 233 case CEXPR_NAMES: 234 if (sp == (CEXPR_MAXDEPTH-1)) 235 return 0; 236 c = scontext; 237 if (e->attr & CEXPR_TARGET) 238 c = tcontext; 239 else if (e->attr & CEXPR_XTARGET) { 240 c = xcontext; 241 if (!c) { 242 BUG(); 243 return 0; 244 } 245 } 246 if (e->attr & CEXPR_USER) 247 val1 = c->user; 248 else if (e->attr & CEXPR_ROLE) 249 val1 = c->role; 250 else if (e->attr & CEXPR_TYPE) 251 val1 = c->type; 252 else { 253 BUG(); 254 return 0; 255 } 256 257 switch (e->op) { 258 case CEXPR_EQ: 259 s[++sp] = ebitmap_get_bit(&e->names, val1 - 1); 260 break; 261 case CEXPR_NEQ: 262 s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1); 263 break; 264 default: 265 BUG(); 266 return 0; 267 } 268 break; 269 default: 270 BUG(); 271 return 0; 272 } 273 } 274 275 BUG_ON(sp != 0); 276 return s[0]; 277 } 278 279 /* 280 * Compute access vectors based on a context structure pair for 281 * the permissions in a particular class. 282 */ 283 static int context_struct_compute_av(struct context *scontext, 284 struct context *tcontext, 285 u16 tclass, 286 u32 requested, 287 struct av_decision *avd) 288 { 289 struct constraint_node *constraint; 290 struct role_allow *ra; 291 struct avtab_key avkey; 292 struct avtab_node *node; 293 struct class_datum *tclass_datum; 294 struct ebitmap *sattr, *tattr; 295 struct ebitmap_node *snode, *tnode; 296 unsigned int i, j; 297 298 /* 299 * Remap extended Netlink classes for old policy versions. 300 * Do this here rather than socket_type_to_security_class() 301 * in case a newer policy version is loaded, allowing sockets 302 * to remain in the correct class. 303 */ 304 if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS) 305 if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET && 306 tclass <= SECCLASS_NETLINK_DNRT_SOCKET) 307 tclass = SECCLASS_NETLINK_SOCKET; 308 309 if (!tclass || tclass > policydb.p_classes.nprim) { 310 printk(KERN_ERR "security_compute_av: unrecognized class %d\n", 311 tclass); 312 return -EINVAL; 313 } 314 tclass_datum = policydb.class_val_to_struct[tclass - 1]; 315 316 /* 317 * Initialize the access vectors to the default values. 318 */ 319 avd->allowed = 0; 320 avd->decided = 0xffffffff; 321 avd->auditallow = 0; 322 avd->auditdeny = 0xffffffff; 323 avd->seqno = latest_granting; 324 325 /* 326 * If a specific type enforcement rule was defined for 327 * this permission check, then use it. 328 */ 329 avkey.target_class = tclass; 330 avkey.specified = AVTAB_AV; 331 sattr = &policydb.type_attr_map[scontext->type - 1]; 332 tattr = &policydb.type_attr_map[tcontext->type - 1]; 333 ebitmap_for_each_bit(sattr, snode, i) { 334 if (!ebitmap_node_get_bit(snode, i)) 335 continue; 336 ebitmap_for_each_bit(tattr, tnode, j) { 337 if (!ebitmap_node_get_bit(tnode, j)) 338 continue; 339 avkey.source_type = i + 1; 340 avkey.target_type = j + 1; 341 for (node = avtab_search_node(&policydb.te_avtab, &avkey); 342 node != NULL; 343 node = avtab_search_node_next(node, avkey.specified)) { 344 if (node->key.specified == AVTAB_ALLOWED) 345 avd->allowed |= node->datum.data; 346 else if (node->key.specified == AVTAB_AUDITALLOW) 347 avd->auditallow |= node->datum.data; 348 else if (node->key.specified == AVTAB_AUDITDENY) 349 avd->auditdeny &= node->datum.data; 350 } 351 352 /* Check conditional av table for additional permissions */ 353 cond_compute_av(&policydb.te_cond_avtab, &avkey, avd); 354 355 } 356 } 357 358 /* 359 * Remove any permissions prohibited by a constraint (this includes 360 * the MLS policy). 361 */ 362 constraint = tclass_datum->constraints; 363 while (constraint) { 364 if ((constraint->permissions & (avd->allowed)) && 365 !constraint_expr_eval(scontext, tcontext, NULL, 366 constraint->expr)) { 367 avd->allowed = (avd->allowed) & ~(constraint->permissions); 368 } 369 constraint = constraint->next; 370 } 371 372 /* 373 * If checking process transition permission and the 374 * role is changing, then check the (current_role, new_role) 375 * pair. 376 */ 377 if (tclass == SECCLASS_PROCESS && 378 (avd->allowed & (PROCESS__TRANSITION | PROCESS__DYNTRANSITION)) && 379 scontext->role != tcontext->role) { 380 for (ra = policydb.role_allow; ra; ra = ra->next) { 381 if (scontext->role == ra->role && 382 tcontext->role == ra->new_role) 383 break; 384 } 385 if (!ra) 386 avd->allowed = (avd->allowed) & ~(PROCESS__TRANSITION | 387 PROCESS__DYNTRANSITION); 388 } 389 390 return 0; 391 } 392 393 static int security_validtrans_handle_fail(struct context *ocontext, 394 struct context *ncontext, 395 struct context *tcontext, 396 u16 tclass) 397 { 398 char *o = NULL, *n = NULL, *t = NULL; 399 u32 olen, nlen, tlen; 400 401 if (context_struct_to_string(ocontext, &o, &olen) < 0) 402 goto out; 403 if (context_struct_to_string(ncontext, &n, &nlen) < 0) 404 goto out; 405 if (context_struct_to_string(tcontext, &t, &tlen) < 0) 406 goto out; 407 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, 408 "security_validate_transition: denied for" 409 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s", 410 o, n, t, policydb.p_class_val_to_name[tclass-1]); 411 out: 412 kfree(o); 413 kfree(n); 414 kfree(t); 415 416 if (!selinux_enforcing) 417 return 0; 418 return -EPERM; 419 } 420 421 int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, 422 u16 tclass) 423 { 424 struct context *ocontext; 425 struct context *ncontext; 426 struct context *tcontext; 427 struct class_datum *tclass_datum; 428 struct constraint_node *constraint; 429 int rc = 0; 430 431 if (!ss_initialized) 432 return 0; 433 434 POLICY_RDLOCK; 435 436 /* 437 * Remap extended Netlink classes for old policy versions. 438 * Do this here rather than socket_type_to_security_class() 439 * in case a newer policy version is loaded, allowing sockets 440 * to remain in the correct class. 441 */ 442 if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS) 443 if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET && 444 tclass <= SECCLASS_NETLINK_DNRT_SOCKET) 445 tclass = SECCLASS_NETLINK_SOCKET; 446 447 if (!tclass || tclass > policydb.p_classes.nprim) { 448 printk(KERN_ERR "security_validate_transition: " 449 "unrecognized class %d\n", tclass); 450 rc = -EINVAL; 451 goto out; 452 } 453 tclass_datum = policydb.class_val_to_struct[tclass - 1]; 454 455 ocontext = sidtab_search(&sidtab, oldsid); 456 if (!ocontext) { 457 printk(KERN_ERR "security_validate_transition: " 458 " unrecognized SID %d\n", oldsid); 459 rc = -EINVAL; 460 goto out; 461 } 462 463 ncontext = sidtab_search(&sidtab, newsid); 464 if (!ncontext) { 465 printk(KERN_ERR "security_validate_transition: " 466 " unrecognized SID %d\n", newsid); 467 rc = -EINVAL; 468 goto out; 469 } 470 471 tcontext = sidtab_search(&sidtab, tasksid); 472 if (!tcontext) { 473 printk(KERN_ERR "security_validate_transition: " 474 " unrecognized SID %d\n", tasksid); 475 rc = -EINVAL; 476 goto out; 477 } 478 479 constraint = tclass_datum->validatetrans; 480 while (constraint) { 481 if (!constraint_expr_eval(ocontext, ncontext, tcontext, 482 constraint->expr)) { 483 rc = security_validtrans_handle_fail(ocontext, ncontext, 484 tcontext, tclass); 485 goto out; 486 } 487 constraint = constraint->next; 488 } 489 490 out: 491 POLICY_RDUNLOCK; 492 return rc; 493 } 494 495 /** 496 * security_compute_av - Compute access vector decisions. 497 * @ssid: source security identifier 498 * @tsid: target security identifier 499 * @tclass: target security class 500 * @requested: requested permissions 501 * @avd: access vector decisions 502 * 503 * Compute a set of access vector decisions based on the 504 * SID pair (@ssid, @tsid) for the permissions in @tclass. 505 * Return -%EINVAL if any of the parameters are invalid or %0 506 * if the access vector decisions were computed successfully. 507 */ 508 int security_compute_av(u32 ssid, 509 u32 tsid, 510 u16 tclass, 511 u32 requested, 512 struct av_decision *avd) 513 { 514 struct context *scontext = NULL, *tcontext = NULL; 515 int rc = 0; 516 517 if (!ss_initialized) { 518 avd->allowed = 0xffffffff; 519 avd->decided = 0xffffffff; 520 avd->auditallow = 0; 521 avd->auditdeny = 0xffffffff; 522 avd->seqno = latest_granting; 523 return 0; 524 } 525 526 POLICY_RDLOCK; 527 528 scontext = sidtab_search(&sidtab, ssid); 529 if (!scontext) { 530 printk(KERN_ERR "security_compute_av: unrecognized SID %d\n", 531 ssid); 532 rc = -EINVAL; 533 goto out; 534 } 535 tcontext = sidtab_search(&sidtab, tsid); 536 if (!tcontext) { 537 printk(KERN_ERR "security_compute_av: unrecognized SID %d\n", 538 tsid); 539 rc = -EINVAL; 540 goto out; 541 } 542 543 rc = context_struct_compute_av(scontext, tcontext, tclass, 544 requested, avd); 545 out: 546 POLICY_RDUNLOCK; 547 return rc; 548 } 549 550 /* 551 * Write the security context string representation of 552 * the context structure `context' into a dynamically 553 * allocated string of the correct size. Set `*scontext' 554 * to point to this string and set `*scontext_len' to 555 * the length of the string. 556 */ 557 static int context_struct_to_string(struct context *context, char **scontext, u32 *scontext_len) 558 { 559 char *scontextp; 560 561 *scontext = NULL; 562 *scontext_len = 0; 563 564 /* Compute the size of the context. */ 565 *scontext_len += strlen(policydb.p_user_val_to_name[context->user - 1]) + 1; 566 *scontext_len += strlen(policydb.p_role_val_to_name[context->role - 1]) + 1; 567 *scontext_len += strlen(policydb.p_type_val_to_name[context->type - 1]) + 1; 568 *scontext_len += mls_compute_context_len(context); 569 570 /* Allocate space for the context; caller must free this space. */ 571 scontextp = kmalloc(*scontext_len, GFP_ATOMIC); 572 if (!scontextp) { 573 return -ENOMEM; 574 } 575 *scontext = scontextp; 576 577 /* 578 * Copy the user name, role name and type name into the context. 579 */ 580 sprintf(scontextp, "%s:%s:%s", 581 policydb.p_user_val_to_name[context->user - 1], 582 policydb.p_role_val_to_name[context->role - 1], 583 policydb.p_type_val_to_name[context->type - 1]); 584 scontextp += strlen(policydb.p_user_val_to_name[context->user - 1]) + 585 1 + strlen(policydb.p_role_val_to_name[context->role - 1]) + 586 1 + strlen(policydb.p_type_val_to_name[context->type - 1]); 587 588 mls_sid_to_context(context, &scontextp); 589 590 *scontextp = 0; 591 592 return 0; 593 } 594 595 #include "initial_sid_to_string.h" 596 597 /** 598 * security_sid_to_context - Obtain a context for a given SID. 599 * @sid: security identifier, SID 600 * @scontext: security context 601 * @scontext_len: length in bytes 602 * 603 * Write the string representation of the context associated with @sid 604 * into a dynamically allocated string of the correct size. Set @scontext 605 * to point to this string and set @scontext_len to the length of the string. 606 */ 607 int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len) 608 { 609 struct context *context; 610 int rc = 0; 611 612 if (!ss_initialized) { 613 if (sid <= SECINITSID_NUM) { 614 char *scontextp; 615 616 *scontext_len = strlen(initial_sid_to_string[sid]) + 1; 617 scontextp = kmalloc(*scontext_len,GFP_ATOMIC); 618 if (!scontextp) { 619 rc = -ENOMEM; 620 goto out; 621 } 622 strcpy(scontextp, initial_sid_to_string[sid]); 623 *scontext = scontextp; 624 goto out; 625 } 626 printk(KERN_ERR "security_sid_to_context: called before initial " 627 "load_policy on unknown SID %d\n", sid); 628 rc = -EINVAL; 629 goto out; 630 } 631 POLICY_RDLOCK; 632 context = sidtab_search(&sidtab, sid); 633 if (!context) { 634 printk(KERN_ERR "security_sid_to_context: unrecognized SID " 635 "%d\n", sid); 636 rc = -EINVAL; 637 goto out_unlock; 638 } 639 rc = context_struct_to_string(context, scontext, scontext_len); 640 out_unlock: 641 POLICY_RDUNLOCK; 642 out: 643 return rc; 644 645 } 646 647 static int security_context_to_sid_core(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid) 648 { 649 char *scontext2; 650 struct context context; 651 struct role_datum *role; 652 struct type_datum *typdatum; 653 struct user_datum *usrdatum; 654 char *scontextp, *p, oldc; 655 int rc = 0; 656 657 if (!ss_initialized) { 658 int i; 659 660 for (i = 1; i < SECINITSID_NUM; i++) { 661 if (!strcmp(initial_sid_to_string[i], scontext)) { 662 *sid = i; 663 goto out; 664 } 665 } 666 *sid = SECINITSID_KERNEL; 667 goto out; 668 } 669 *sid = SECSID_NULL; 670 671 /* Copy the string so that we can modify the copy as we parse it. 672 The string should already by null terminated, but we append a 673 null suffix to the copy to avoid problems with the existing 674 attr package, which doesn't view the null terminator as part 675 of the attribute value. */ 676 scontext2 = kmalloc(scontext_len+1,GFP_KERNEL); 677 if (!scontext2) { 678 rc = -ENOMEM; 679 goto out; 680 } 681 memcpy(scontext2, scontext, scontext_len); 682 scontext2[scontext_len] = 0; 683 684 context_init(&context); 685 *sid = SECSID_NULL; 686 687 POLICY_RDLOCK; 688 689 /* Parse the security context. */ 690 691 rc = -EINVAL; 692 scontextp = (char *) scontext2; 693 694 /* Extract the user. */ 695 p = scontextp; 696 while (*p && *p != ':') 697 p++; 698 699 if (*p == 0) 700 goto out_unlock; 701 702 *p++ = 0; 703 704 usrdatum = hashtab_search(policydb.p_users.table, scontextp); 705 if (!usrdatum) 706 goto out_unlock; 707 708 context.user = usrdatum->value; 709 710 /* Extract role. */ 711 scontextp = p; 712 while (*p && *p != ':') 713 p++; 714 715 if (*p == 0) 716 goto out_unlock; 717 718 *p++ = 0; 719 720 role = hashtab_search(policydb.p_roles.table, scontextp); 721 if (!role) 722 goto out_unlock; 723 context.role = role->value; 724 725 /* Extract type. */ 726 scontextp = p; 727 while (*p && *p != ':') 728 p++; 729 oldc = *p; 730 *p++ = 0; 731 732 typdatum = hashtab_search(policydb.p_types.table, scontextp); 733 if (!typdatum) 734 goto out_unlock; 735 736 context.type = typdatum->value; 737 738 rc = mls_context_to_sid(oldc, &p, &context, &sidtab, def_sid); 739 if (rc) 740 goto out_unlock; 741 742 if ((p - scontext2) < scontext_len) { 743 rc = -EINVAL; 744 goto out_unlock; 745 } 746 747 /* Check the validity of the new context. */ 748 if (!policydb_context_isvalid(&policydb, &context)) { 749 rc = -EINVAL; 750 goto out_unlock; 751 } 752 /* Obtain the new sid. */ 753 rc = sidtab_context_to_sid(&sidtab, &context, sid); 754 out_unlock: 755 POLICY_RDUNLOCK; 756 context_destroy(&context); 757 kfree(scontext2); 758 out: 759 return rc; 760 } 761 762 /** 763 * security_context_to_sid - Obtain a SID for a given security context. 764 * @scontext: security context 765 * @scontext_len: length in bytes 766 * @sid: security identifier, SID 767 * 768 * Obtains a SID associated with the security context that 769 * has the string representation specified by @scontext. 770 * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient 771 * memory is available, or 0 on success. 772 */ 773 int security_context_to_sid(char *scontext, u32 scontext_len, u32 *sid) 774 { 775 return security_context_to_sid_core(scontext, scontext_len, 776 sid, SECSID_NULL); 777 } 778 779 /** 780 * security_context_to_sid_default - Obtain a SID for a given security context, 781 * falling back to specified default if needed. 782 * 783 * @scontext: security context 784 * @scontext_len: length in bytes 785 * @sid: security identifier, SID 786 * @def_sid: default SID to assign on errror 787 * 788 * Obtains a SID associated with the security context that 789 * has the string representation specified by @scontext. 790 * The default SID is passed to the MLS layer to be used to allow 791 * kernel labeling of the MLS field if the MLS field is not present 792 * (for upgrading to MLS without full relabel). 793 * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient 794 * memory is available, or 0 on success. 795 */ 796 int security_context_to_sid_default(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid) 797 { 798 return security_context_to_sid_core(scontext, scontext_len, 799 sid, def_sid); 800 } 801 802 static int compute_sid_handle_invalid_context( 803 struct context *scontext, 804 struct context *tcontext, 805 u16 tclass, 806 struct context *newcontext) 807 { 808 char *s = NULL, *t = NULL, *n = NULL; 809 u32 slen, tlen, nlen; 810 811 if (context_struct_to_string(scontext, &s, &slen) < 0) 812 goto out; 813 if (context_struct_to_string(tcontext, &t, &tlen) < 0) 814 goto out; 815 if (context_struct_to_string(newcontext, &n, &nlen) < 0) 816 goto out; 817 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, 818 "security_compute_sid: invalid context %s" 819 " for scontext=%s" 820 " tcontext=%s" 821 " tclass=%s", 822 n, s, t, policydb.p_class_val_to_name[tclass-1]); 823 out: 824 kfree(s); 825 kfree(t); 826 kfree(n); 827 if (!selinux_enforcing) 828 return 0; 829 return -EACCES; 830 } 831 832 static int security_compute_sid(u32 ssid, 833 u32 tsid, 834 u16 tclass, 835 u32 specified, 836 u32 *out_sid) 837 { 838 struct context *scontext = NULL, *tcontext = NULL, newcontext; 839 struct role_trans *roletr = NULL; 840 struct avtab_key avkey; 841 struct avtab_datum *avdatum; 842 struct avtab_node *node; 843 int rc = 0; 844 845 if (!ss_initialized) { 846 switch (tclass) { 847 case SECCLASS_PROCESS: 848 *out_sid = ssid; 849 break; 850 default: 851 *out_sid = tsid; 852 break; 853 } 854 goto out; 855 } 856 857 context_init(&newcontext); 858 859 POLICY_RDLOCK; 860 861 scontext = sidtab_search(&sidtab, ssid); 862 if (!scontext) { 863 printk(KERN_ERR "security_compute_sid: unrecognized SID %d\n", 864 ssid); 865 rc = -EINVAL; 866 goto out_unlock; 867 } 868 tcontext = sidtab_search(&sidtab, tsid); 869 if (!tcontext) { 870 printk(KERN_ERR "security_compute_sid: unrecognized SID %d\n", 871 tsid); 872 rc = -EINVAL; 873 goto out_unlock; 874 } 875 876 /* Set the user identity. */ 877 switch (specified) { 878 case AVTAB_TRANSITION: 879 case AVTAB_CHANGE: 880 /* Use the process user identity. */ 881 newcontext.user = scontext->user; 882 break; 883 case AVTAB_MEMBER: 884 /* Use the related object owner. */ 885 newcontext.user = tcontext->user; 886 break; 887 } 888 889 /* Set the role and type to default values. */ 890 switch (tclass) { 891 case SECCLASS_PROCESS: 892 /* Use the current role and type of process. */ 893 newcontext.role = scontext->role; 894 newcontext.type = scontext->type; 895 break; 896 default: 897 /* Use the well-defined object role. */ 898 newcontext.role = OBJECT_R_VAL; 899 /* Use the type of the related object. */ 900 newcontext.type = tcontext->type; 901 } 902 903 /* Look for a type transition/member/change rule. */ 904 avkey.source_type = scontext->type; 905 avkey.target_type = tcontext->type; 906 avkey.target_class = tclass; 907 avkey.specified = specified; 908 avdatum = avtab_search(&policydb.te_avtab, &avkey); 909 910 /* If no permanent rule, also check for enabled conditional rules */ 911 if(!avdatum) { 912 node = avtab_search_node(&policydb.te_cond_avtab, &avkey); 913 for (; node != NULL; node = avtab_search_node_next(node, specified)) { 914 if (node->key.specified & AVTAB_ENABLED) { 915 avdatum = &node->datum; 916 break; 917 } 918 } 919 } 920 921 if (avdatum) { 922 /* Use the type from the type transition/member/change rule. */ 923 newcontext.type = avdatum->data; 924 } 925 926 /* Check for class-specific changes. */ 927 switch (tclass) { 928 case SECCLASS_PROCESS: 929 if (specified & AVTAB_TRANSITION) { 930 /* Look for a role transition rule. */ 931 for (roletr = policydb.role_tr; roletr; 932 roletr = roletr->next) { 933 if (roletr->role == scontext->role && 934 roletr->type == tcontext->type) { 935 /* Use the role transition rule. */ 936 newcontext.role = roletr->new_role; 937 break; 938 } 939 } 940 } 941 break; 942 default: 943 break; 944 } 945 946 /* Set the MLS attributes. 947 This is done last because it may allocate memory. */ 948 rc = mls_compute_sid(scontext, tcontext, tclass, specified, &newcontext); 949 if (rc) 950 goto out_unlock; 951 952 /* Check the validity of the context. */ 953 if (!policydb_context_isvalid(&policydb, &newcontext)) { 954 rc = compute_sid_handle_invalid_context(scontext, 955 tcontext, 956 tclass, 957 &newcontext); 958 if (rc) 959 goto out_unlock; 960 } 961 /* Obtain the sid for the context. */ 962 rc = sidtab_context_to_sid(&sidtab, &newcontext, out_sid); 963 out_unlock: 964 POLICY_RDUNLOCK; 965 context_destroy(&newcontext); 966 out: 967 return rc; 968 } 969 970 /** 971 * security_transition_sid - Compute the SID for a new subject/object. 972 * @ssid: source security identifier 973 * @tsid: target security identifier 974 * @tclass: target security class 975 * @out_sid: security identifier for new subject/object 976 * 977 * Compute a SID to use for labeling a new subject or object in the 978 * class @tclass based on a SID pair (@ssid, @tsid). 979 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM 980 * if insufficient memory is available, or %0 if the new SID was 981 * computed successfully. 982 */ 983 int security_transition_sid(u32 ssid, 984 u32 tsid, 985 u16 tclass, 986 u32 *out_sid) 987 { 988 return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, out_sid); 989 } 990 991 /** 992 * security_member_sid - Compute the SID for member selection. 993 * @ssid: source security identifier 994 * @tsid: target security identifier 995 * @tclass: target security class 996 * @out_sid: security identifier for selected member 997 * 998 * Compute a SID to use when selecting a member of a polyinstantiated 999 * object of class @tclass based on a SID pair (@ssid, @tsid). 1000 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM 1001 * if insufficient memory is available, or %0 if the SID was 1002 * computed successfully. 1003 */ 1004 int security_member_sid(u32 ssid, 1005 u32 tsid, 1006 u16 tclass, 1007 u32 *out_sid) 1008 { 1009 return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid); 1010 } 1011 1012 /** 1013 * security_change_sid - Compute the SID for object relabeling. 1014 * @ssid: source security identifier 1015 * @tsid: target security identifier 1016 * @tclass: target security class 1017 * @out_sid: security identifier for selected member 1018 * 1019 * Compute a SID to use for relabeling an object of class @tclass 1020 * based on a SID pair (@ssid, @tsid). 1021 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM 1022 * if insufficient memory is available, or %0 if the SID was 1023 * computed successfully. 1024 */ 1025 int security_change_sid(u32 ssid, 1026 u32 tsid, 1027 u16 tclass, 1028 u32 *out_sid) 1029 { 1030 return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid); 1031 } 1032 1033 /* 1034 * Verify that each kernel class that is defined in the 1035 * policy is correct 1036 */ 1037 static int validate_classes(struct policydb *p) 1038 { 1039 int i, j; 1040 struct class_datum *cladatum; 1041 struct perm_datum *perdatum; 1042 u32 nprim, tmp, common_pts_len, perm_val, pol_val; 1043 u16 class_val; 1044 const struct selinux_class_perm *kdefs = &selinux_class_perm; 1045 const char *def_class, *def_perm, *pol_class; 1046 struct symtab *perms; 1047 1048 for (i = 1; i < kdefs->cts_len; i++) { 1049 def_class = kdefs->class_to_string[i]; 1050 if (i > p->p_classes.nprim) { 1051 printk(KERN_INFO 1052 "security: class %s not defined in policy\n", 1053 def_class); 1054 continue; 1055 } 1056 pol_class = p->p_class_val_to_name[i-1]; 1057 if (strcmp(pol_class, def_class)) { 1058 printk(KERN_ERR 1059 "security: class %d is incorrect, found %s but should be %s\n", 1060 i, pol_class, def_class); 1061 return -EINVAL; 1062 } 1063 } 1064 for (i = 0; i < kdefs->av_pts_len; i++) { 1065 class_val = kdefs->av_perm_to_string[i].tclass; 1066 perm_val = kdefs->av_perm_to_string[i].value; 1067 def_perm = kdefs->av_perm_to_string[i].name; 1068 if (class_val > p->p_classes.nprim) 1069 continue; 1070 pol_class = p->p_class_val_to_name[class_val-1]; 1071 cladatum = hashtab_search(p->p_classes.table, pol_class); 1072 BUG_ON(!cladatum); 1073 perms = &cladatum->permissions; 1074 nprim = 1 << (perms->nprim - 1); 1075 if (perm_val > nprim) { 1076 printk(KERN_INFO 1077 "security: permission %s in class %s not defined in policy\n", 1078 def_perm, pol_class); 1079 continue; 1080 } 1081 perdatum = hashtab_search(perms->table, def_perm); 1082 if (perdatum == NULL) { 1083 printk(KERN_ERR 1084 "security: permission %s in class %s not found in policy\n", 1085 def_perm, pol_class); 1086 return -EINVAL; 1087 } 1088 pol_val = 1 << (perdatum->value - 1); 1089 if (pol_val != perm_val) { 1090 printk(KERN_ERR 1091 "security: permission %s in class %s has incorrect value\n", 1092 def_perm, pol_class); 1093 return -EINVAL; 1094 } 1095 } 1096 for (i = 0; i < kdefs->av_inherit_len; i++) { 1097 class_val = kdefs->av_inherit[i].tclass; 1098 if (class_val > p->p_classes.nprim) 1099 continue; 1100 pol_class = p->p_class_val_to_name[class_val-1]; 1101 cladatum = hashtab_search(p->p_classes.table, pol_class); 1102 BUG_ON(!cladatum); 1103 if (!cladatum->comdatum) { 1104 printk(KERN_ERR 1105 "security: class %s should have an inherits clause but does not\n", 1106 pol_class); 1107 return -EINVAL; 1108 } 1109 tmp = kdefs->av_inherit[i].common_base; 1110 common_pts_len = 0; 1111 while (!(tmp & 0x01)) { 1112 common_pts_len++; 1113 tmp >>= 1; 1114 } 1115 perms = &cladatum->comdatum->permissions; 1116 for (j = 0; j < common_pts_len; j++) { 1117 def_perm = kdefs->av_inherit[i].common_pts[j]; 1118 if (j >= perms->nprim) { 1119 printk(KERN_INFO 1120 "security: permission %s in class %s not defined in policy\n", 1121 def_perm, pol_class); 1122 continue; 1123 } 1124 perdatum = hashtab_search(perms->table, def_perm); 1125 if (perdatum == NULL) { 1126 printk(KERN_ERR 1127 "security: permission %s in class %s not found in policy\n", 1128 def_perm, pol_class); 1129 return -EINVAL; 1130 } 1131 if (perdatum->value != j + 1) { 1132 printk(KERN_ERR 1133 "security: permission %s in class %s has incorrect value\n", 1134 def_perm, pol_class); 1135 return -EINVAL; 1136 } 1137 } 1138 } 1139 return 0; 1140 } 1141 1142 /* Clone the SID into the new SID table. */ 1143 static int clone_sid(u32 sid, 1144 struct context *context, 1145 void *arg) 1146 { 1147 struct sidtab *s = arg; 1148 1149 return sidtab_insert(s, sid, context); 1150 } 1151 1152 static inline int convert_context_handle_invalid_context(struct context *context) 1153 { 1154 int rc = 0; 1155 1156 if (selinux_enforcing) { 1157 rc = -EINVAL; 1158 } else { 1159 char *s; 1160 u32 len; 1161 1162 context_struct_to_string(context, &s, &len); 1163 printk(KERN_ERR "security: context %s is invalid\n", s); 1164 kfree(s); 1165 } 1166 return rc; 1167 } 1168 1169 struct convert_context_args { 1170 struct policydb *oldp; 1171 struct policydb *newp; 1172 }; 1173 1174 /* 1175 * Convert the values in the security context 1176 * structure `c' from the values specified 1177 * in the policy `p->oldp' to the values specified 1178 * in the policy `p->newp'. Verify that the 1179 * context is valid under the new policy. 1180 */ 1181 static int convert_context(u32 key, 1182 struct context *c, 1183 void *p) 1184 { 1185 struct convert_context_args *args; 1186 struct context oldc; 1187 struct role_datum *role; 1188 struct type_datum *typdatum; 1189 struct user_datum *usrdatum; 1190 char *s; 1191 u32 len; 1192 int rc; 1193 1194 args = p; 1195 1196 rc = context_cpy(&oldc, c); 1197 if (rc) 1198 goto out; 1199 1200 rc = -EINVAL; 1201 1202 /* Convert the user. */ 1203 usrdatum = hashtab_search(args->newp->p_users.table, 1204 args->oldp->p_user_val_to_name[c->user - 1]); 1205 if (!usrdatum) { 1206 goto bad; 1207 } 1208 c->user = usrdatum->value; 1209 1210 /* Convert the role. */ 1211 role = hashtab_search(args->newp->p_roles.table, 1212 args->oldp->p_role_val_to_name[c->role - 1]); 1213 if (!role) { 1214 goto bad; 1215 } 1216 c->role = role->value; 1217 1218 /* Convert the type. */ 1219 typdatum = hashtab_search(args->newp->p_types.table, 1220 args->oldp->p_type_val_to_name[c->type - 1]); 1221 if (!typdatum) { 1222 goto bad; 1223 } 1224 c->type = typdatum->value; 1225 1226 rc = mls_convert_context(args->oldp, args->newp, c); 1227 if (rc) 1228 goto bad; 1229 1230 /* Check the validity of the new context. */ 1231 if (!policydb_context_isvalid(args->newp, c)) { 1232 rc = convert_context_handle_invalid_context(&oldc); 1233 if (rc) 1234 goto bad; 1235 } 1236 1237 context_destroy(&oldc); 1238 out: 1239 return rc; 1240 bad: 1241 context_struct_to_string(&oldc, &s, &len); 1242 context_destroy(&oldc); 1243 printk(KERN_ERR "security: invalidating context %s\n", s); 1244 kfree(s); 1245 goto out; 1246 } 1247 1248 extern void selinux_complete_init(void); 1249 1250 /** 1251 * security_load_policy - Load a security policy configuration. 1252 * @data: binary policy data 1253 * @len: length of data in bytes 1254 * 1255 * Load a new set of security policy configuration data, 1256 * validate it and convert the SID table as necessary. 1257 * This function will flush the access vector cache after 1258 * loading the new policy. 1259 */ 1260 int security_load_policy(void *data, size_t len) 1261 { 1262 struct policydb oldpolicydb, newpolicydb; 1263 struct sidtab oldsidtab, newsidtab; 1264 struct convert_context_args args; 1265 u32 seqno; 1266 int rc = 0; 1267 struct policy_file file = { data, len }, *fp = &file; 1268 1269 LOAD_LOCK; 1270 1271 if (!ss_initialized) { 1272 avtab_cache_init(); 1273 if (policydb_read(&policydb, fp)) { 1274 LOAD_UNLOCK; 1275 avtab_cache_destroy(); 1276 return -EINVAL; 1277 } 1278 if (policydb_load_isids(&policydb, &sidtab)) { 1279 LOAD_UNLOCK; 1280 policydb_destroy(&policydb); 1281 avtab_cache_destroy(); 1282 return -EINVAL; 1283 } 1284 /* Verify that the kernel defined classes are correct. */ 1285 if (validate_classes(&policydb)) { 1286 printk(KERN_ERR 1287 "security: the definition of a class is incorrect\n"); 1288 LOAD_UNLOCK; 1289 sidtab_destroy(&sidtab); 1290 policydb_destroy(&policydb); 1291 avtab_cache_destroy(); 1292 return -EINVAL; 1293 } 1294 policydb_loaded_version = policydb.policyvers; 1295 ss_initialized = 1; 1296 seqno = ++latest_granting; 1297 LOAD_UNLOCK; 1298 selinux_complete_init(); 1299 avc_ss_reset(seqno); 1300 selnl_notify_policyload(seqno); 1301 selinux_netlbl_cache_invalidate(); 1302 selinux_xfrm_notify_policyload(); 1303 return 0; 1304 } 1305 1306 #if 0 1307 sidtab_hash_eval(&sidtab, "sids"); 1308 #endif 1309 1310 if (policydb_read(&newpolicydb, fp)) { 1311 LOAD_UNLOCK; 1312 return -EINVAL; 1313 } 1314 1315 sidtab_init(&newsidtab); 1316 1317 /* Verify that the kernel defined classes are correct. */ 1318 if (validate_classes(&newpolicydb)) { 1319 printk(KERN_ERR 1320 "security: the definition of a class is incorrect\n"); 1321 rc = -EINVAL; 1322 goto err; 1323 } 1324 1325 /* Clone the SID table. */ 1326 sidtab_shutdown(&sidtab); 1327 if (sidtab_map(&sidtab, clone_sid, &newsidtab)) { 1328 rc = -ENOMEM; 1329 goto err; 1330 } 1331 1332 /* Convert the internal representations of contexts 1333 in the new SID table and remove invalid SIDs. */ 1334 args.oldp = &policydb; 1335 args.newp = &newpolicydb; 1336 sidtab_map_remove_on_error(&newsidtab, convert_context, &args); 1337 1338 /* Save the old policydb and SID table to free later. */ 1339 memcpy(&oldpolicydb, &policydb, sizeof policydb); 1340 sidtab_set(&oldsidtab, &sidtab); 1341 1342 /* Install the new policydb and SID table. */ 1343 POLICY_WRLOCK; 1344 memcpy(&policydb, &newpolicydb, sizeof policydb); 1345 sidtab_set(&sidtab, &newsidtab); 1346 seqno = ++latest_granting; 1347 policydb_loaded_version = policydb.policyvers; 1348 POLICY_WRUNLOCK; 1349 LOAD_UNLOCK; 1350 1351 /* Free the old policydb and SID table. */ 1352 policydb_destroy(&oldpolicydb); 1353 sidtab_destroy(&oldsidtab); 1354 1355 avc_ss_reset(seqno); 1356 selnl_notify_policyload(seqno); 1357 selinux_netlbl_cache_invalidate(); 1358 selinux_xfrm_notify_policyload(); 1359 1360 return 0; 1361 1362 err: 1363 LOAD_UNLOCK; 1364 sidtab_destroy(&newsidtab); 1365 policydb_destroy(&newpolicydb); 1366 return rc; 1367 1368 } 1369 1370 /** 1371 * security_port_sid - Obtain the SID for a port. 1372 * @domain: communication domain aka address family 1373 * @type: socket type 1374 * @protocol: protocol number 1375 * @port: port number 1376 * @out_sid: security identifier 1377 */ 1378 int security_port_sid(u16 domain, 1379 u16 type, 1380 u8 protocol, 1381 u16 port, 1382 u32 *out_sid) 1383 { 1384 struct ocontext *c; 1385 int rc = 0; 1386 1387 POLICY_RDLOCK; 1388 1389 c = policydb.ocontexts[OCON_PORT]; 1390 while (c) { 1391 if (c->u.port.protocol == protocol && 1392 c->u.port.low_port <= port && 1393 c->u.port.high_port >= port) 1394 break; 1395 c = c->next; 1396 } 1397 1398 if (c) { 1399 if (!c->sid[0]) { 1400 rc = sidtab_context_to_sid(&sidtab, 1401 &c->context[0], 1402 &c->sid[0]); 1403 if (rc) 1404 goto out; 1405 } 1406 *out_sid = c->sid[0]; 1407 } else { 1408 *out_sid = SECINITSID_PORT; 1409 } 1410 1411 out: 1412 POLICY_RDUNLOCK; 1413 return rc; 1414 } 1415 1416 /** 1417 * security_netif_sid - Obtain the SID for a network interface. 1418 * @name: interface name 1419 * @if_sid: interface SID 1420 * @msg_sid: default SID for received packets 1421 */ 1422 int security_netif_sid(char *name, 1423 u32 *if_sid, 1424 u32 *msg_sid) 1425 { 1426 int rc = 0; 1427 struct ocontext *c; 1428 1429 POLICY_RDLOCK; 1430 1431 c = policydb.ocontexts[OCON_NETIF]; 1432 while (c) { 1433 if (strcmp(name, c->u.name) == 0) 1434 break; 1435 c = c->next; 1436 } 1437 1438 if (c) { 1439 if (!c->sid[0] || !c->sid[1]) { 1440 rc = sidtab_context_to_sid(&sidtab, 1441 &c->context[0], 1442 &c->sid[0]); 1443 if (rc) 1444 goto out; 1445 rc = sidtab_context_to_sid(&sidtab, 1446 &c->context[1], 1447 &c->sid[1]); 1448 if (rc) 1449 goto out; 1450 } 1451 *if_sid = c->sid[0]; 1452 *msg_sid = c->sid[1]; 1453 } else { 1454 *if_sid = SECINITSID_NETIF; 1455 *msg_sid = SECINITSID_NETMSG; 1456 } 1457 1458 out: 1459 POLICY_RDUNLOCK; 1460 return rc; 1461 } 1462 1463 static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask) 1464 { 1465 int i, fail = 0; 1466 1467 for(i = 0; i < 4; i++) 1468 if(addr[i] != (input[i] & mask[i])) { 1469 fail = 1; 1470 break; 1471 } 1472 1473 return !fail; 1474 } 1475 1476 /** 1477 * security_node_sid - Obtain the SID for a node (host). 1478 * @domain: communication domain aka address family 1479 * @addrp: address 1480 * @addrlen: address length in bytes 1481 * @out_sid: security identifier 1482 */ 1483 int security_node_sid(u16 domain, 1484 void *addrp, 1485 u32 addrlen, 1486 u32 *out_sid) 1487 { 1488 int rc = 0; 1489 struct ocontext *c; 1490 1491 POLICY_RDLOCK; 1492 1493 switch (domain) { 1494 case AF_INET: { 1495 u32 addr; 1496 1497 if (addrlen != sizeof(u32)) { 1498 rc = -EINVAL; 1499 goto out; 1500 } 1501 1502 addr = *((u32 *)addrp); 1503 1504 c = policydb.ocontexts[OCON_NODE]; 1505 while (c) { 1506 if (c->u.node.addr == (addr & c->u.node.mask)) 1507 break; 1508 c = c->next; 1509 } 1510 break; 1511 } 1512 1513 case AF_INET6: 1514 if (addrlen != sizeof(u64) * 2) { 1515 rc = -EINVAL; 1516 goto out; 1517 } 1518 c = policydb.ocontexts[OCON_NODE6]; 1519 while (c) { 1520 if (match_ipv6_addrmask(addrp, c->u.node6.addr, 1521 c->u.node6.mask)) 1522 break; 1523 c = c->next; 1524 } 1525 break; 1526 1527 default: 1528 *out_sid = SECINITSID_NODE; 1529 goto out; 1530 } 1531 1532 if (c) { 1533 if (!c->sid[0]) { 1534 rc = sidtab_context_to_sid(&sidtab, 1535 &c->context[0], 1536 &c->sid[0]); 1537 if (rc) 1538 goto out; 1539 } 1540 *out_sid = c->sid[0]; 1541 } else { 1542 *out_sid = SECINITSID_NODE; 1543 } 1544 1545 out: 1546 POLICY_RDUNLOCK; 1547 return rc; 1548 } 1549 1550 #define SIDS_NEL 25 1551 1552 /** 1553 * security_get_user_sids - Obtain reachable SIDs for a user. 1554 * @fromsid: starting SID 1555 * @username: username 1556 * @sids: array of reachable SIDs for user 1557 * @nel: number of elements in @sids 1558 * 1559 * Generate the set of SIDs for legal security contexts 1560 * for a given user that can be reached by @fromsid. 1561 * Set *@sids to point to a dynamically allocated 1562 * array containing the set of SIDs. Set *@nel to the 1563 * number of elements in the array. 1564 */ 1565 1566 int security_get_user_sids(u32 fromsid, 1567 char *username, 1568 u32 **sids, 1569 u32 *nel) 1570 { 1571 struct context *fromcon, usercon; 1572 u32 *mysids, *mysids2, sid; 1573 u32 mynel = 0, maxnel = SIDS_NEL; 1574 struct user_datum *user; 1575 struct role_datum *role; 1576 struct av_decision avd; 1577 struct ebitmap_node *rnode, *tnode; 1578 int rc = 0, i, j; 1579 1580 if (!ss_initialized) { 1581 *sids = NULL; 1582 *nel = 0; 1583 goto out; 1584 } 1585 1586 POLICY_RDLOCK; 1587 1588 fromcon = sidtab_search(&sidtab, fromsid); 1589 if (!fromcon) { 1590 rc = -EINVAL; 1591 goto out_unlock; 1592 } 1593 1594 user = hashtab_search(policydb.p_users.table, username); 1595 if (!user) { 1596 rc = -EINVAL; 1597 goto out_unlock; 1598 } 1599 usercon.user = user->value; 1600 1601 mysids = kcalloc(maxnel, sizeof(*mysids), GFP_ATOMIC); 1602 if (!mysids) { 1603 rc = -ENOMEM; 1604 goto out_unlock; 1605 } 1606 1607 ebitmap_for_each_bit(&user->roles, rnode, i) { 1608 if (!ebitmap_node_get_bit(rnode, i)) 1609 continue; 1610 role = policydb.role_val_to_struct[i]; 1611 usercon.role = i+1; 1612 ebitmap_for_each_bit(&role->types, tnode, j) { 1613 if (!ebitmap_node_get_bit(tnode, j)) 1614 continue; 1615 usercon.type = j+1; 1616 1617 if (mls_setup_user_range(fromcon, user, &usercon)) 1618 continue; 1619 1620 rc = context_struct_compute_av(fromcon, &usercon, 1621 SECCLASS_PROCESS, 1622 PROCESS__TRANSITION, 1623 &avd); 1624 if (rc || !(avd.allowed & PROCESS__TRANSITION)) 1625 continue; 1626 rc = sidtab_context_to_sid(&sidtab, &usercon, &sid); 1627 if (rc) { 1628 kfree(mysids); 1629 goto out_unlock; 1630 } 1631 if (mynel < maxnel) { 1632 mysids[mynel++] = sid; 1633 } else { 1634 maxnel += SIDS_NEL; 1635 mysids2 = kcalloc(maxnel, sizeof(*mysids2), GFP_ATOMIC); 1636 if (!mysids2) { 1637 rc = -ENOMEM; 1638 kfree(mysids); 1639 goto out_unlock; 1640 } 1641 memcpy(mysids2, mysids, mynel * sizeof(*mysids2)); 1642 kfree(mysids); 1643 mysids = mysids2; 1644 mysids[mynel++] = sid; 1645 } 1646 } 1647 } 1648 1649 *sids = mysids; 1650 *nel = mynel; 1651 1652 out_unlock: 1653 POLICY_RDUNLOCK; 1654 out: 1655 return rc; 1656 } 1657 1658 /** 1659 * security_genfs_sid - Obtain a SID for a file in a filesystem 1660 * @fstype: filesystem type 1661 * @path: path from root of mount 1662 * @sclass: file security class 1663 * @sid: SID for path 1664 * 1665 * Obtain a SID to use for a file in a filesystem that 1666 * cannot support xattr or use a fixed labeling behavior like 1667 * transition SIDs or task SIDs. 1668 */ 1669 int security_genfs_sid(const char *fstype, 1670 char *path, 1671 u16 sclass, 1672 u32 *sid) 1673 { 1674 int len; 1675 struct genfs *genfs; 1676 struct ocontext *c; 1677 int rc = 0, cmp = 0; 1678 1679 POLICY_RDLOCK; 1680 1681 for (genfs = policydb.genfs; genfs; genfs = genfs->next) { 1682 cmp = strcmp(fstype, genfs->fstype); 1683 if (cmp <= 0) 1684 break; 1685 } 1686 1687 if (!genfs || cmp) { 1688 *sid = SECINITSID_UNLABELED; 1689 rc = -ENOENT; 1690 goto out; 1691 } 1692 1693 for (c = genfs->head; c; c = c->next) { 1694 len = strlen(c->u.name); 1695 if ((!c->v.sclass || sclass == c->v.sclass) && 1696 (strncmp(c->u.name, path, len) == 0)) 1697 break; 1698 } 1699 1700 if (!c) { 1701 *sid = SECINITSID_UNLABELED; 1702 rc = -ENOENT; 1703 goto out; 1704 } 1705 1706 if (!c->sid[0]) { 1707 rc = sidtab_context_to_sid(&sidtab, 1708 &c->context[0], 1709 &c->sid[0]); 1710 if (rc) 1711 goto out; 1712 } 1713 1714 *sid = c->sid[0]; 1715 out: 1716 POLICY_RDUNLOCK; 1717 return rc; 1718 } 1719 1720 /** 1721 * security_fs_use - Determine how to handle labeling for a filesystem. 1722 * @fstype: filesystem type 1723 * @behavior: labeling behavior 1724 * @sid: SID for filesystem (superblock) 1725 */ 1726 int security_fs_use( 1727 const char *fstype, 1728 unsigned int *behavior, 1729 u32 *sid) 1730 { 1731 int rc = 0; 1732 struct ocontext *c; 1733 1734 POLICY_RDLOCK; 1735 1736 c = policydb.ocontexts[OCON_FSUSE]; 1737 while (c) { 1738 if (strcmp(fstype, c->u.name) == 0) 1739 break; 1740 c = c->next; 1741 } 1742 1743 if (c) { 1744 *behavior = c->v.behavior; 1745 if (!c->sid[0]) { 1746 rc = sidtab_context_to_sid(&sidtab, 1747 &c->context[0], 1748 &c->sid[0]); 1749 if (rc) 1750 goto out; 1751 } 1752 *sid = c->sid[0]; 1753 } else { 1754 rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, sid); 1755 if (rc) { 1756 *behavior = SECURITY_FS_USE_NONE; 1757 rc = 0; 1758 } else { 1759 *behavior = SECURITY_FS_USE_GENFS; 1760 } 1761 } 1762 1763 out: 1764 POLICY_RDUNLOCK; 1765 return rc; 1766 } 1767 1768 int security_get_bools(int *len, char ***names, int **values) 1769 { 1770 int i, rc = -ENOMEM; 1771 1772 POLICY_RDLOCK; 1773 *names = NULL; 1774 *values = NULL; 1775 1776 *len = policydb.p_bools.nprim; 1777 if (!*len) { 1778 rc = 0; 1779 goto out; 1780 } 1781 1782 *names = kcalloc(*len, sizeof(char*), GFP_ATOMIC); 1783 if (!*names) 1784 goto err; 1785 1786 *values = kcalloc(*len, sizeof(int), GFP_ATOMIC); 1787 if (!*values) 1788 goto err; 1789 1790 for (i = 0; i < *len; i++) { 1791 size_t name_len; 1792 (*values)[i] = policydb.bool_val_to_struct[i]->state; 1793 name_len = strlen(policydb.p_bool_val_to_name[i]) + 1; 1794 (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC); 1795 if (!(*names)[i]) 1796 goto err; 1797 strncpy((*names)[i], policydb.p_bool_val_to_name[i], name_len); 1798 (*names)[i][name_len - 1] = 0; 1799 } 1800 rc = 0; 1801 out: 1802 POLICY_RDUNLOCK; 1803 return rc; 1804 err: 1805 if (*names) { 1806 for (i = 0; i < *len; i++) 1807 kfree((*names)[i]); 1808 } 1809 kfree(*values); 1810 goto out; 1811 } 1812 1813 1814 int security_set_bools(int len, int *values) 1815 { 1816 int i, rc = 0; 1817 int lenp, seqno = 0; 1818 struct cond_node *cur; 1819 1820 POLICY_WRLOCK; 1821 1822 lenp = policydb.p_bools.nprim; 1823 if (len != lenp) { 1824 rc = -EFAULT; 1825 goto out; 1826 } 1827 1828 for (i = 0; i < len; i++) { 1829 if (!!values[i] != policydb.bool_val_to_struct[i]->state) { 1830 audit_log(current->audit_context, GFP_ATOMIC, 1831 AUDIT_MAC_CONFIG_CHANGE, 1832 "bool=%s val=%d old_val=%d auid=%u", 1833 policydb.p_bool_val_to_name[i], 1834 !!values[i], 1835 policydb.bool_val_to_struct[i]->state, 1836 audit_get_loginuid(current->audit_context)); 1837 } 1838 if (values[i]) { 1839 policydb.bool_val_to_struct[i]->state = 1; 1840 } else { 1841 policydb.bool_val_to_struct[i]->state = 0; 1842 } 1843 } 1844 1845 for (cur = policydb.cond_list; cur != NULL; cur = cur->next) { 1846 rc = evaluate_cond_node(&policydb, cur); 1847 if (rc) 1848 goto out; 1849 } 1850 1851 seqno = ++latest_granting; 1852 1853 out: 1854 POLICY_WRUNLOCK; 1855 if (!rc) { 1856 avc_ss_reset(seqno); 1857 selnl_notify_policyload(seqno); 1858 selinux_xfrm_notify_policyload(); 1859 } 1860 return rc; 1861 } 1862 1863 int security_get_bool_value(int bool) 1864 { 1865 int rc = 0; 1866 int len; 1867 1868 POLICY_RDLOCK; 1869 1870 len = policydb.p_bools.nprim; 1871 if (bool >= len) { 1872 rc = -EFAULT; 1873 goto out; 1874 } 1875 1876 rc = policydb.bool_val_to_struct[bool]->state; 1877 out: 1878 POLICY_RDUNLOCK; 1879 return rc; 1880 } 1881 1882 /* 1883 * security_sid_mls_copy() - computes a new sid based on the given 1884 * sid and the mls portion of mls_sid. 1885 */ 1886 int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid) 1887 { 1888 struct context *context1; 1889 struct context *context2; 1890 struct context newcon; 1891 char *s; 1892 u32 len; 1893 int rc = 0; 1894 1895 if (!ss_initialized || !selinux_mls_enabled) { 1896 *new_sid = sid; 1897 goto out; 1898 } 1899 1900 context_init(&newcon); 1901 1902 POLICY_RDLOCK; 1903 context1 = sidtab_search(&sidtab, sid); 1904 if (!context1) { 1905 printk(KERN_ERR "security_sid_mls_copy: unrecognized SID " 1906 "%d\n", sid); 1907 rc = -EINVAL; 1908 goto out_unlock; 1909 } 1910 1911 context2 = sidtab_search(&sidtab, mls_sid); 1912 if (!context2) { 1913 printk(KERN_ERR "security_sid_mls_copy: unrecognized SID " 1914 "%d\n", mls_sid); 1915 rc = -EINVAL; 1916 goto out_unlock; 1917 } 1918 1919 newcon.user = context1->user; 1920 newcon.role = context1->role; 1921 newcon.type = context1->type; 1922 rc = mls_context_cpy(&newcon, context2); 1923 if (rc) 1924 goto out_unlock; 1925 1926 /* Check the validity of the new context. */ 1927 if (!policydb_context_isvalid(&policydb, &newcon)) { 1928 rc = convert_context_handle_invalid_context(&newcon); 1929 if (rc) 1930 goto bad; 1931 } 1932 1933 rc = sidtab_context_to_sid(&sidtab, &newcon, new_sid); 1934 goto out_unlock; 1935 1936 bad: 1937 if (!context_struct_to_string(&newcon, &s, &len)) { 1938 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, 1939 "security_sid_mls_copy: invalid context %s", s); 1940 kfree(s); 1941 } 1942 1943 out_unlock: 1944 POLICY_RDUNLOCK; 1945 context_destroy(&newcon); 1946 out: 1947 return rc; 1948 } 1949 1950 struct selinux_audit_rule { 1951 u32 au_seqno; 1952 struct context au_ctxt; 1953 }; 1954 1955 void selinux_audit_rule_free(struct selinux_audit_rule *rule) 1956 { 1957 if (rule) { 1958 context_destroy(&rule->au_ctxt); 1959 kfree(rule); 1960 } 1961 } 1962 1963 int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, 1964 struct selinux_audit_rule **rule) 1965 { 1966 struct selinux_audit_rule *tmprule; 1967 struct role_datum *roledatum; 1968 struct type_datum *typedatum; 1969 struct user_datum *userdatum; 1970 int rc = 0; 1971 1972 *rule = NULL; 1973 1974 if (!ss_initialized) 1975 return -ENOTSUPP; 1976 1977 switch (field) { 1978 case AUDIT_SUBJ_USER: 1979 case AUDIT_SUBJ_ROLE: 1980 case AUDIT_SUBJ_TYPE: 1981 case AUDIT_OBJ_USER: 1982 case AUDIT_OBJ_ROLE: 1983 case AUDIT_OBJ_TYPE: 1984 /* only 'equals' and 'not equals' fit user, role, and type */ 1985 if (op != AUDIT_EQUAL && op != AUDIT_NOT_EQUAL) 1986 return -EINVAL; 1987 break; 1988 case AUDIT_SUBJ_SEN: 1989 case AUDIT_SUBJ_CLR: 1990 case AUDIT_OBJ_LEV_LOW: 1991 case AUDIT_OBJ_LEV_HIGH: 1992 /* we do not allow a range, indicated by the presense of '-' */ 1993 if (strchr(rulestr, '-')) 1994 return -EINVAL; 1995 break; 1996 default: 1997 /* only the above fields are valid */ 1998 return -EINVAL; 1999 } 2000 2001 tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL); 2002 if (!tmprule) 2003 return -ENOMEM; 2004 2005 context_init(&tmprule->au_ctxt); 2006 2007 POLICY_RDLOCK; 2008 2009 tmprule->au_seqno = latest_granting; 2010 2011 switch (field) { 2012 case AUDIT_SUBJ_USER: 2013 case AUDIT_OBJ_USER: 2014 userdatum = hashtab_search(policydb.p_users.table, rulestr); 2015 if (!userdatum) 2016 rc = -EINVAL; 2017 else 2018 tmprule->au_ctxt.user = userdatum->value; 2019 break; 2020 case AUDIT_SUBJ_ROLE: 2021 case AUDIT_OBJ_ROLE: 2022 roledatum = hashtab_search(policydb.p_roles.table, rulestr); 2023 if (!roledatum) 2024 rc = -EINVAL; 2025 else 2026 tmprule->au_ctxt.role = roledatum->value; 2027 break; 2028 case AUDIT_SUBJ_TYPE: 2029 case AUDIT_OBJ_TYPE: 2030 typedatum = hashtab_search(policydb.p_types.table, rulestr); 2031 if (!typedatum) 2032 rc = -EINVAL; 2033 else 2034 tmprule->au_ctxt.type = typedatum->value; 2035 break; 2036 case AUDIT_SUBJ_SEN: 2037 case AUDIT_SUBJ_CLR: 2038 case AUDIT_OBJ_LEV_LOW: 2039 case AUDIT_OBJ_LEV_HIGH: 2040 rc = mls_from_string(rulestr, &tmprule->au_ctxt, GFP_ATOMIC); 2041 break; 2042 } 2043 2044 POLICY_RDUNLOCK; 2045 2046 if (rc) { 2047 selinux_audit_rule_free(tmprule); 2048 tmprule = NULL; 2049 } 2050 2051 *rule = tmprule; 2052 2053 return rc; 2054 } 2055 2056 int selinux_audit_rule_match(u32 sid, u32 field, u32 op, 2057 struct selinux_audit_rule *rule, 2058 struct audit_context *actx) 2059 { 2060 struct context *ctxt; 2061 struct mls_level *level; 2062 int match = 0; 2063 2064 if (!rule) { 2065 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2066 "selinux_audit_rule_match: missing rule\n"); 2067 return -ENOENT; 2068 } 2069 2070 POLICY_RDLOCK; 2071 2072 if (rule->au_seqno < latest_granting) { 2073 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2074 "selinux_audit_rule_match: stale rule\n"); 2075 match = -ESTALE; 2076 goto out; 2077 } 2078 2079 ctxt = sidtab_search(&sidtab, sid); 2080 if (!ctxt) { 2081 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 2082 "selinux_audit_rule_match: unrecognized SID %d\n", 2083 sid); 2084 match = -ENOENT; 2085 goto out; 2086 } 2087 2088 /* a field/op pair that is not caught here will simply fall through 2089 without a match */ 2090 switch (field) { 2091 case AUDIT_SUBJ_USER: 2092 case AUDIT_OBJ_USER: 2093 switch (op) { 2094 case AUDIT_EQUAL: 2095 match = (ctxt->user == rule->au_ctxt.user); 2096 break; 2097 case AUDIT_NOT_EQUAL: 2098 match = (ctxt->user != rule->au_ctxt.user); 2099 break; 2100 } 2101 break; 2102 case AUDIT_SUBJ_ROLE: 2103 case AUDIT_OBJ_ROLE: 2104 switch (op) { 2105 case AUDIT_EQUAL: 2106 match = (ctxt->role == rule->au_ctxt.role); 2107 break; 2108 case AUDIT_NOT_EQUAL: 2109 match = (ctxt->role != rule->au_ctxt.role); 2110 break; 2111 } 2112 break; 2113 case AUDIT_SUBJ_TYPE: 2114 case AUDIT_OBJ_TYPE: 2115 switch (op) { 2116 case AUDIT_EQUAL: 2117 match = (ctxt->type == rule->au_ctxt.type); 2118 break; 2119 case AUDIT_NOT_EQUAL: 2120 match = (ctxt->type != rule->au_ctxt.type); 2121 break; 2122 } 2123 break; 2124 case AUDIT_SUBJ_SEN: 2125 case AUDIT_SUBJ_CLR: 2126 case AUDIT_OBJ_LEV_LOW: 2127 case AUDIT_OBJ_LEV_HIGH: 2128 level = ((field == AUDIT_SUBJ_SEN || 2129 field == AUDIT_OBJ_LEV_LOW) ? 2130 &ctxt->range.level[0] : &ctxt->range.level[1]); 2131 switch (op) { 2132 case AUDIT_EQUAL: 2133 match = mls_level_eq(&rule->au_ctxt.range.level[0], 2134 level); 2135 break; 2136 case AUDIT_NOT_EQUAL: 2137 match = !mls_level_eq(&rule->au_ctxt.range.level[0], 2138 level); 2139 break; 2140 case AUDIT_LESS_THAN: 2141 match = (mls_level_dom(&rule->au_ctxt.range.level[0], 2142 level) && 2143 !mls_level_eq(&rule->au_ctxt.range.level[0], 2144 level)); 2145 break; 2146 case AUDIT_LESS_THAN_OR_EQUAL: 2147 match = mls_level_dom(&rule->au_ctxt.range.level[0], 2148 level); 2149 break; 2150 case AUDIT_GREATER_THAN: 2151 match = (mls_level_dom(level, 2152 &rule->au_ctxt.range.level[0]) && 2153 !mls_level_eq(level, 2154 &rule->au_ctxt.range.level[0])); 2155 break; 2156 case AUDIT_GREATER_THAN_OR_EQUAL: 2157 match = mls_level_dom(level, 2158 &rule->au_ctxt.range.level[0]); 2159 break; 2160 } 2161 } 2162 2163 out: 2164 POLICY_RDUNLOCK; 2165 return match; 2166 } 2167 2168 static int (*aurule_callback)(void) = NULL; 2169 2170 static int aurule_avc_callback(u32 event, u32 ssid, u32 tsid, 2171 u16 class, u32 perms, u32 *retained) 2172 { 2173 int err = 0; 2174 2175 if (event == AVC_CALLBACK_RESET && aurule_callback) 2176 err = aurule_callback(); 2177 return err; 2178 } 2179 2180 static int __init aurule_init(void) 2181 { 2182 int err; 2183 2184 err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET, 2185 SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0); 2186 if (err) 2187 panic("avc_add_callback() failed, error %d\n", err); 2188 2189 return err; 2190 } 2191 __initcall(aurule_init); 2192 2193 void selinux_audit_set_callback(int (*callback)(void)) 2194 { 2195 aurule_callback = callback; 2196 } 2197 2198 /** 2199 * security_skb_extlbl_sid - Determine the external label of a packet 2200 * @skb: the packet 2201 * @base_sid: the SELinux SID to use as a context for MLS only external labels 2202 * @sid: the packet's SID 2203 * 2204 * Description: 2205 * Check the various different forms of external packet labeling and determine 2206 * the external SID for the packet. 2207 * 2208 */ 2209 void security_skb_extlbl_sid(struct sk_buff *skb, u32 base_sid, u32 *sid) 2210 { 2211 u32 xfrm_sid; 2212 u32 nlbl_sid; 2213 2214 selinux_skb_xfrm_sid(skb, &xfrm_sid); 2215 if (selinux_netlbl_skbuff_getsid(skb, 2216 (xfrm_sid == SECSID_NULL ? 2217 base_sid : xfrm_sid), 2218 &nlbl_sid) != 0) 2219 nlbl_sid = SECSID_NULL; 2220 2221 *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid); 2222 } 2223 2224 #ifdef CONFIG_NETLABEL 2225 /* 2226 * This is the structure we store inside the NetLabel cache block. 2227 */ 2228 #define NETLBL_CACHE(x) ((struct netlbl_cache *)(x)) 2229 #define NETLBL_CACHE_T_NONE 0 2230 #define NETLBL_CACHE_T_SID 1 2231 #define NETLBL_CACHE_T_MLS 2 2232 struct netlbl_cache { 2233 u32 type; 2234 union { 2235 u32 sid; 2236 struct mls_range mls_label; 2237 } data; 2238 }; 2239 2240 /** 2241 * selinux_netlbl_cache_free - Free the NetLabel cached data 2242 * @data: the data to free 2243 * 2244 * Description: 2245 * This function is intended to be used as the free() callback inside the 2246 * netlbl_lsm_cache structure. 2247 * 2248 */ 2249 static void selinux_netlbl_cache_free(const void *data) 2250 { 2251 struct netlbl_cache *cache; 2252 2253 if (data == NULL) 2254 return; 2255 2256 cache = NETLBL_CACHE(data); 2257 switch (cache->type) { 2258 case NETLBL_CACHE_T_MLS: 2259 ebitmap_destroy(&cache->data.mls_label.level[0].cat); 2260 break; 2261 } 2262 kfree(data); 2263 } 2264 2265 /** 2266 * selinux_netlbl_cache_add - Add an entry to the NetLabel cache 2267 * @skb: the packet 2268 * @ctx: the SELinux context 2269 * 2270 * Description: 2271 * Attempt to cache the context in @ctx, which was derived from the packet in 2272 * @skb, in the NetLabel subsystem cache. 2273 * 2274 */ 2275 static void selinux_netlbl_cache_add(struct sk_buff *skb, struct context *ctx) 2276 { 2277 struct netlbl_cache *cache = NULL; 2278 struct netlbl_lsm_secattr secattr; 2279 2280 netlbl_secattr_init(&secattr); 2281 secattr.cache = netlbl_secattr_cache_alloc(GFP_ATOMIC); 2282 if (secattr.cache == NULL) 2283 goto netlbl_cache_add_return; 2284 2285 cache = kzalloc(sizeof(*cache), GFP_ATOMIC); 2286 if (cache == NULL) 2287 goto netlbl_cache_add_return; 2288 2289 cache->type = NETLBL_CACHE_T_MLS; 2290 if (ebitmap_cpy(&cache->data.mls_label.level[0].cat, 2291 &ctx->range.level[0].cat) != 0) 2292 goto netlbl_cache_add_return; 2293 cache->data.mls_label.level[1].cat.highbit = 2294 cache->data.mls_label.level[0].cat.highbit; 2295 cache->data.mls_label.level[1].cat.node = 2296 cache->data.mls_label.level[0].cat.node; 2297 cache->data.mls_label.level[0].sens = ctx->range.level[0].sens; 2298 cache->data.mls_label.level[1].sens = ctx->range.level[0].sens; 2299 2300 secattr.cache->free = selinux_netlbl_cache_free; 2301 secattr.cache->data = (void *)cache; 2302 secattr.flags = NETLBL_SECATTR_CACHE; 2303 2304 netlbl_cache_add(skb, &secattr); 2305 2306 netlbl_cache_add_return: 2307 netlbl_secattr_destroy(&secattr); 2308 } 2309 2310 /** 2311 * selinux_netlbl_cache_invalidate - Invalidate the NetLabel cache 2312 * 2313 * Description: 2314 * Invalidate the NetLabel security attribute mapping cache. 2315 * 2316 */ 2317 void selinux_netlbl_cache_invalidate(void) 2318 { 2319 netlbl_cache_invalidate(); 2320 } 2321 2322 /** 2323 * selinux_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID 2324 * @skb: the network packet 2325 * @secattr: the NetLabel packet security attributes 2326 * @base_sid: the SELinux SID to use as a context for MLS only attributes 2327 * @sid: the SELinux SID 2328 * 2329 * Description: 2330 * Convert the given NetLabel packet security attributes in @secattr into a 2331 * SELinux SID. If the @secattr field does not contain a full SELinux 2332 * SID/context then use the context in @base_sid as the foundation. If @skb 2333 * is not NULL attempt to cache as much data as possibile. Returns zero on 2334 * success, negative values on failure. 2335 * 2336 */ 2337 static int selinux_netlbl_secattr_to_sid(struct sk_buff *skb, 2338 struct netlbl_lsm_secattr *secattr, 2339 u32 base_sid, 2340 u32 *sid) 2341 { 2342 int rc = -EIDRM; 2343 struct context *ctx; 2344 struct context ctx_new; 2345 struct netlbl_cache *cache; 2346 2347 POLICY_RDLOCK; 2348 2349 if (secattr->flags & NETLBL_SECATTR_CACHE) { 2350 cache = NETLBL_CACHE(secattr->cache->data); 2351 switch (cache->type) { 2352 case NETLBL_CACHE_T_SID: 2353 *sid = cache->data.sid; 2354 rc = 0; 2355 break; 2356 case NETLBL_CACHE_T_MLS: 2357 ctx = sidtab_search(&sidtab, base_sid); 2358 if (ctx == NULL) 2359 goto netlbl_secattr_to_sid_return; 2360 2361 ctx_new.user = ctx->user; 2362 ctx_new.role = ctx->role; 2363 ctx_new.type = ctx->type; 2364 ctx_new.range.level[0].sens = 2365 cache->data.mls_label.level[0].sens; 2366 ctx_new.range.level[0].cat.highbit = 2367 cache->data.mls_label.level[0].cat.highbit; 2368 ctx_new.range.level[0].cat.node = 2369 cache->data.mls_label.level[0].cat.node; 2370 ctx_new.range.level[1].sens = 2371 cache->data.mls_label.level[1].sens; 2372 ctx_new.range.level[1].cat.highbit = 2373 cache->data.mls_label.level[1].cat.highbit; 2374 ctx_new.range.level[1].cat.node = 2375 cache->data.mls_label.level[1].cat.node; 2376 2377 rc = sidtab_context_to_sid(&sidtab, &ctx_new, sid); 2378 break; 2379 default: 2380 goto netlbl_secattr_to_sid_return; 2381 } 2382 } else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) { 2383 ctx = sidtab_search(&sidtab, base_sid); 2384 if (ctx == NULL) 2385 goto netlbl_secattr_to_sid_return; 2386 2387 ctx_new.user = ctx->user; 2388 ctx_new.role = ctx->role; 2389 ctx_new.type = ctx->type; 2390 mls_import_netlbl_lvl(&ctx_new, secattr); 2391 if (secattr->flags & NETLBL_SECATTR_MLS_CAT) { 2392 if (ebitmap_netlbl_import(&ctx_new.range.level[0].cat, 2393 secattr->mls_cat) != 0) 2394 goto netlbl_secattr_to_sid_return; 2395 ctx_new.range.level[1].cat.highbit = 2396 ctx_new.range.level[0].cat.highbit; 2397 ctx_new.range.level[1].cat.node = 2398 ctx_new.range.level[0].cat.node; 2399 } else { 2400 ebitmap_init(&ctx_new.range.level[0].cat); 2401 ebitmap_init(&ctx_new.range.level[1].cat); 2402 } 2403 if (mls_context_isvalid(&policydb, &ctx_new) != 1) 2404 goto netlbl_secattr_to_sid_return_cleanup; 2405 2406 rc = sidtab_context_to_sid(&sidtab, &ctx_new, sid); 2407 if (rc != 0) 2408 goto netlbl_secattr_to_sid_return_cleanup; 2409 2410 if (skb != NULL) 2411 selinux_netlbl_cache_add(skb, &ctx_new); 2412 ebitmap_destroy(&ctx_new.range.level[0].cat); 2413 } else { 2414 *sid = SECSID_NULL; 2415 rc = 0; 2416 } 2417 2418 netlbl_secattr_to_sid_return: 2419 POLICY_RDUNLOCK; 2420 return rc; 2421 netlbl_secattr_to_sid_return_cleanup: 2422 ebitmap_destroy(&ctx_new.range.level[0].cat); 2423 goto netlbl_secattr_to_sid_return; 2424 } 2425 2426 /** 2427 * selinux_netlbl_skbuff_getsid - Get the sid of a packet using NetLabel 2428 * @skb: the packet 2429 * @base_sid: the SELinux SID to use as a context for MLS only attributes 2430 * @sid: the SID 2431 * 2432 * Description: 2433 * Call the NetLabel mechanism to get the security attributes of the given 2434 * packet and use those attributes to determine the correct context/SID to 2435 * assign to the packet. Returns zero on success, negative values on failure. 2436 * 2437 */ 2438 int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid) 2439 { 2440 int rc; 2441 struct netlbl_lsm_secattr secattr; 2442 2443 netlbl_secattr_init(&secattr); 2444 rc = netlbl_skbuff_getattr(skb, &secattr); 2445 if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) 2446 rc = selinux_netlbl_secattr_to_sid(skb, 2447 &secattr, 2448 base_sid, 2449 sid); 2450 else 2451 *sid = SECSID_NULL; 2452 netlbl_secattr_destroy(&secattr); 2453 2454 return rc; 2455 } 2456 2457 /** 2458 * selinux_netlbl_socket_setsid - Label a socket using the NetLabel mechanism 2459 * @sock: the socket to label 2460 * @sid: the SID to use 2461 * 2462 * Description: 2463 * Attempt to label a socket using the NetLabel mechanism using the given 2464 * SID. Returns zero values on success, negative values on failure. The 2465 * caller is responsibile for calling rcu_read_lock() before calling this 2466 * this function and rcu_read_unlock() after this function returns. 2467 * 2468 */ 2469 static int selinux_netlbl_socket_setsid(struct socket *sock, u32 sid) 2470 { 2471 int rc = -ENOENT; 2472 struct sk_security_struct *sksec = sock->sk->sk_security; 2473 struct netlbl_lsm_secattr secattr; 2474 struct context *ctx; 2475 2476 if (!ss_initialized) 2477 return 0; 2478 2479 netlbl_secattr_init(&secattr); 2480 2481 POLICY_RDLOCK; 2482 2483 ctx = sidtab_search(&sidtab, sid); 2484 if (ctx == NULL) 2485 goto netlbl_socket_setsid_return; 2486 2487 secattr.domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1], 2488 GFP_ATOMIC); 2489 secattr.flags |= NETLBL_SECATTR_DOMAIN; 2490 mls_export_netlbl_lvl(ctx, &secattr); 2491 rc = mls_export_netlbl_cat(ctx, &secattr); 2492 if (rc != 0) 2493 goto netlbl_socket_setsid_return; 2494 2495 rc = netlbl_socket_setattr(sock, &secattr); 2496 if (rc == 0) { 2497 spin_lock_bh(&sksec->nlbl_lock); 2498 sksec->nlbl_state = NLBL_LABELED; 2499 spin_unlock_bh(&sksec->nlbl_lock); 2500 } 2501 2502 netlbl_socket_setsid_return: 2503 POLICY_RDUNLOCK; 2504 netlbl_secattr_destroy(&secattr); 2505 return rc; 2506 } 2507 2508 /** 2509 * selinux_netlbl_sk_security_reset - Reset the NetLabel fields 2510 * @ssec: the sk_security_struct 2511 * @family: the socket family 2512 * 2513 * Description: 2514 * Called when the NetLabel state of a sk_security_struct needs to be reset. 2515 * The caller is responsibile for all the NetLabel sk_security_struct locking. 2516 * 2517 */ 2518 void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec, 2519 int family) 2520 { 2521 if (family == PF_INET) 2522 ssec->nlbl_state = NLBL_REQUIRE; 2523 else 2524 ssec->nlbl_state = NLBL_UNSET; 2525 } 2526 2527 /** 2528 * selinux_netlbl_sk_security_init - Setup the NetLabel fields 2529 * @ssec: the sk_security_struct 2530 * @family: the socket family 2531 * 2532 * Description: 2533 * Called when a new sk_security_struct is allocated to initialize the NetLabel 2534 * fields. 2535 * 2536 */ 2537 void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec, 2538 int family) 2539 { 2540 /* No locking needed, we are the only one who has access to ssec */ 2541 selinux_netlbl_sk_security_reset(ssec, family); 2542 spin_lock_init(&ssec->nlbl_lock); 2543 } 2544 2545 /** 2546 * selinux_netlbl_sk_security_clone - Copy the NetLabel fields 2547 * @ssec: the original sk_security_struct 2548 * @newssec: the cloned sk_security_struct 2549 * 2550 * Description: 2551 * Clone the NetLabel specific sk_security_struct fields from @ssec to 2552 * @newssec. 2553 * 2554 */ 2555 void selinux_netlbl_sk_security_clone(struct sk_security_struct *ssec, 2556 struct sk_security_struct *newssec) 2557 { 2558 /* We don't need to take newssec->nlbl_lock because we are the only 2559 * thread with access to newssec, but we do need to take the RCU read 2560 * lock as other threads could have access to ssec */ 2561 rcu_read_lock(); 2562 selinux_netlbl_sk_security_reset(newssec, ssec->sk->sk_family); 2563 newssec->sclass = ssec->sclass; 2564 rcu_read_unlock(); 2565 } 2566 2567 /** 2568 * selinux_netlbl_socket_post_create - Label a socket using NetLabel 2569 * @sock: the socket to label 2570 * 2571 * Description: 2572 * Attempt to label a socket using the NetLabel mechanism using the given 2573 * SID. Returns zero values on success, negative values on failure. 2574 * 2575 */ 2576 int selinux_netlbl_socket_post_create(struct socket *sock) 2577 { 2578 int rc = 0; 2579 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; 2580 struct sk_security_struct *sksec = sock->sk->sk_security; 2581 2582 sksec->sclass = isec->sclass; 2583 2584 rcu_read_lock(); 2585 if (sksec->nlbl_state == NLBL_REQUIRE) 2586 rc = selinux_netlbl_socket_setsid(sock, sksec->sid); 2587 rcu_read_unlock(); 2588 2589 return rc; 2590 } 2591 2592 /** 2593 * selinux_netlbl_sock_graft - Netlabel the new socket 2594 * @sk: the new connection 2595 * @sock: the new socket 2596 * 2597 * Description: 2598 * The connection represented by @sk is being grafted onto @sock so set the 2599 * socket's NetLabel to match the SID of @sk. 2600 * 2601 */ 2602 void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock) 2603 { 2604 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; 2605 struct sk_security_struct *sksec = sk->sk_security; 2606 struct netlbl_lsm_secattr secattr; 2607 u32 nlbl_peer_sid; 2608 2609 sksec->sclass = isec->sclass; 2610 2611 rcu_read_lock(); 2612 2613 if (sksec->nlbl_state != NLBL_REQUIRE) { 2614 rcu_read_unlock(); 2615 return; 2616 } 2617 2618 netlbl_secattr_init(&secattr); 2619 if (netlbl_sock_getattr(sk, &secattr) == 0 && 2620 secattr.flags != NETLBL_SECATTR_NONE && 2621 selinux_netlbl_secattr_to_sid(NULL, 2622 &secattr, 2623 SECINITSID_UNLABELED, 2624 &nlbl_peer_sid) == 0) 2625 sksec->peer_sid = nlbl_peer_sid; 2626 netlbl_secattr_destroy(&secattr); 2627 2628 /* Try to set the NetLabel on the socket to save time later, if we fail 2629 * here we will pick up the pieces in later calls to 2630 * selinux_netlbl_inode_permission(). */ 2631 selinux_netlbl_socket_setsid(sock, sksec->sid); 2632 2633 rcu_read_unlock(); 2634 } 2635 2636 /** 2637 * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled 2638 * @inode: the file descriptor's inode 2639 * @mask: the permission mask 2640 * 2641 * Description: 2642 * Looks at a file's inode and if it is marked as a socket protected by 2643 * NetLabel then verify that the socket has been labeled, if not try to label 2644 * the socket now with the inode's SID. Returns zero on success, negative 2645 * values on failure. 2646 * 2647 */ 2648 int selinux_netlbl_inode_permission(struct inode *inode, int mask) 2649 { 2650 int rc; 2651 struct sk_security_struct *sksec; 2652 struct socket *sock; 2653 2654 if (!S_ISSOCK(inode->i_mode) || 2655 ((mask & (MAY_WRITE | MAY_APPEND)) == 0)) 2656 return 0; 2657 sock = SOCKET_I(inode); 2658 sksec = sock->sk->sk_security; 2659 2660 rcu_read_lock(); 2661 if (sksec->nlbl_state != NLBL_REQUIRE) { 2662 rcu_read_unlock(); 2663 return 0; 2664 } 2665 local_bh_disable(); 2666 bh_lock_sock_nested(sock->sk); 2667 rc = selinux_netlbl_socket_setsid(sock, sksec->sid); 2668 bh_unlock_sock(sock->sk); 2669 local_bh_enable(); 2670 rcu_read_unlock(); 2671 2672 return rc; 2673 } 2674 2675 /** 2676 * selinux_netlbl_sock_rcv_skb - Do an inbound access check using NetLabel 2677 * @sksec: the sock's sk_security_struct 2678 * @skb: the packet 2679 * @ad: the audit data 2680 * 2681 * Description: 2682 * Fetch the NetLabel security attributes from @skb and perform an access check 2683 * against the receiving socket. Returns zero on success, negative values on 2684 * error. 2685 * 2686 */ 2687 int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, 2688 struct sk_buff *skb, 2689 struct avc_audit_data *ad) 2690 { 2691 int rc; 2692 u32 netlbl_sid; 2693 u32 recv_perm; 2694 2695 rc = selinux_netlbl_skbuff_getsid(skb, 2696 SECINITSID_UNLABELED, 2697 &netlbl_sid); 2698 if (rc != 0) 2699 return rc; 2700 2701 if (netlbl_sid == SECSID_NULL) 2702 return 0; 2703 2704 switch (sksec->sclass) { 2705 case SECCLASS_UDP_SOCKET: 2706 recv_perm = UDP_SOCKET__RECVFROM; 2707 break; 2708 case SECCLASS_TCP_SOCKET: 2709 recv_perm = TCP_SOCKET__RECVFROM; 2710 break; 2711 default: 2712 recv_perm = RAWIP_SOCKET__RECVFROM; 2713 } 2714 2715 rc = avc_has_perm(sksec->sid, 2716 netlbl_sid, 2717 sksec->sclass, 2718 recv_perm, 2719 ad); 2720 if (rc == 0) 2721 return 0; 2722 2723 netlbl_skbuff_err(skb, rc); 2724 return rc; 2725 } 2726 2727 /** 2728 * selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel 2729 * @sock: the socket 2730 * @level: the socket level or protocol 2731 * @optname: the socket option name 2732 * 2733 * Description: 2734 * Check the setsockopt() call and if the user is trying to replace the IP 2735 * options on a socket and a NetLabel is in place for the socket deny the 2736 * access; otherwise allow the access. Returns zero when the access is 2737 * allowed, -EACCES when denied, and other negative values on error. 2738 * 2739 */ 2740 int selinux_netlbl_socket_setsockopt(struct socket *sock, 2741 int level, 2742 int optname) 2743 { 2744 int rc = 0; 2745 struct sk_security_struct *sksec = sock->sk->sk_security; 2746 struct netlbl_lsm_secattr secattr; 2747 2748 rcu_read_lock(); 2749 if (level == IPPROTO_IP && optname == IP_OPTIONS && 2750 sksec->nlbl_state == NLBL_LABELED) { 2751 netlbl_secattr_init(&secattr); 2752 rc = netlbl_socket_getattr(sock, &secattr); 2753 if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) 2754 rc = -EACCES; 2755 netlbl_secattr_destroy(&secattr); 2756 } 2757 rcu_read_unlock(); 2758 2759 return rc; 2760 } 2761 #endif /* CONFIG_NETLABEL */ 2762