1
/*
2
 * Implementation of the multi-level security (MLS) policy.
3
 *
4
 * Author : Stephen Smalley, <[email protected]>
5
 */
6
/*
7
 * Updated: Trusted Computer Solutions, Inc. <[email protected]>
8
 *
9
 *	Support for enhanced MLS infrastructure.
10
 *
11
 * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
12
 */
13
/*
14
 * Updated: Hewlett-Packard <[email protected]>
15
 *
16
 *      Added support to import/export the MLS label from NetLabel
17
 *
18
 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
19
 */
20

21
#include <linux/kernel.h>
22
#include <linux/slab.h>
23
#include <linux/string.h>
24
#include <linux/errno.h>
25
#include <net/netlabel.h>
26
#include "sidtab.h"
27
#include "mls.h"
28
#include "policydb.h"
29
#include "services.h"
30

31
/*
32
 * Return the length in bytes for the MLS fields of the
33
 * security context string representation of `context'.
34
 */
35
int mls_compute_context_len(struct context *context)
36
{
37
	int i, l, len, head, prev;
38
	char *nm;
39
	struct ebitmap *e;
40
	struct ebitmap_node *node;
41

42
	if (!policydb.mls_enabled)
43
		return 0;
44

45
	len = 1; /* for the beginning ":" */
46
	for (l = 0; l < 2; l++) {
47
		int index_sens = context->range.level[l].sens;
48
		len += strlen(sym_name(&policydb, SYM_LEVELS, index_sens - 1));
49

50
		/* categories */
51
		head = -2;
52
		prev = -2;
53
		e = &context->range.level[l].cat;
54
		ebitmap_for_each_positive_bit(e, node, i) {
55
			if (i - prev > 1) {
56
				/* one or more negative bits are skipped */
57
				if (head != prev) {
58
					nm = sym_name(&policydb, SYM_CATS, prev);
59
					len += strlen(nm) + 1;
60
				}
61
				nm = sym_name(&policydb, SYM_CATS, i);
62
				len += strlen(nm) + 1;
63
				head = i;
64
			}
65
			prev = i;
66
		}
67
		if (prev != head) {
68
			nm = sym_name(&policydb, SYM_CATS, prev);
69
			len += strlen(nm) + 1;
70
		}
71
		if (l == 0) {
72
			if (mls_level_eq(&context->range.level[0],
73
					 &context->range.level[1]))
74
				break;
75
			else
76
				len++;
77
		}
78
	}
79

80
	return len;
81
}
82

83
/*
84
 * Write the security context string representation of
85
 * the MLS fields of `context' into the string `*scontext'.
86
 * Update `*scontext' to point to the end of the MLS fields.
87
 */
88
void mls_sid_to_context(struct context *context,
89
			char **scontext)
90
{
91
	char *scontextp, *nm;
92
	int i, l, head, prev;
93
	struct ebitmap *e;
94
	struct ebitmap_node *node;
95

96
	if (!policydb.mls_enabled)
97
		return;
98

99
	scontextp = *scontext;
100

101
	*scontextp = ':';
102
	scontextp++;
103

104
	for (l = 0; l < 2; l++) {
105
		strcpy(scontextp, sym_name(&policydb, SYM_LEVELS,
106
					   context->range.level[l].sens - 1));
107
		scontextp += strlen(scontextp);
108

109
		/* categories */
110
		head = -2;
111
		prev = -2;
112
		e = &context->range.level[l].cat;
113
		ebitmap_for_each_positive_bit(e, node, i) {
114
			if (i - prev > 1) {
115
				/* one or more negative bits are skipped */
116
				if (prev != head) {
117
					if (prev - head > 1)
118
						*scontextp++ = '.';
119
					else
120
						*scontextp++ = ',';
121
					nm = sym_name(&policydb, SYM_CATS, prev);
122
					strcpy(scontextp, nm);
123
					scontextp += strlen(nm);
124
				}
125
				if (prev < 0)
126
					*scontextp++ = ':';
127
				else
128
					*scontextp++ = ',';
129
				nm = sym_name(&policydb, SYM_CATS, i);
130
				strcpy(scontextp, nm);
131
				scontextp += strlen(nm);
132
				head = i;
133
			}
134
			prev = i;
135
		}
136

137
		if (prev != head) {
138
			if (prev - head > 1)
139
				*scontextp++ = '.';
140
			else
141
				*scontextp++ = ',';
142
			nm = sym_name(&policydb, SYM_CATS, prev);
143
			strcpy(scontextp, nm);
144
			scontextp += strlen(nm);
145
		}
146

147
		if (l == 0) {
148
			if (mls_level_eq(&context->range.level[0],
149
					 &context->range.level[1]))
150
				break;
151
			else
152
				*scontextp++ = '-';
153
		}
154
	}
155

156
	*scontext = scontextp;
157
	return;
158
}
159

160
int mls_level_isvalid(struct policydb *p, struct mls_level *l)
161
{
162
	struct level_datum *levdatum;
163
	struct ebitmap_node *node;
164
	int i;
165

166
	if (!l->sens || l->sens > p->p_levels.nprim)
167
		return 0;
168
	levdatum = hashtab_search(p->p_levels.table,
169
				  sym_name(p, SYM_LEVELS, l->sens - 1));
170
	if (!levdatum)
171
		return 0;
172

173
	ebitmap_for_each_positive_bit(&l->cat, node, i) {
174
		if (i > p->p_cats.nprim)
175
			return 0;
176
		if (!ebitmap_get_bit(&levdatum->level->cat, i)) {
177
			/*
178
			 * Category may not be associated with
179
			 * sensitivity.
180
			 */
181
			return 0;
182
		}
183
	}
184

185
	return 1;
186
}
187

188
int mls_range_isvalid(struct policydb *p, struct mls_range *r)
189
{
190
	return (mls_level_isvalid(p, &r->level[0]) &&
191
		mls_level_isvalid(p, &r->level[1]) &&
192
		mls_level_dom(&r->level[1], &r->level[0]));
193
}
194

195
/*
196
 * Return 1 if the MLS fields in the security context
197
 * structure `c' are valid.  Return 0 otherwise.
198
 */
199
int mls_context_isvalid(struct policydb *p, struct context *c)
200
{
201
	struct user_datum *usrdatum;
202

203
	if (!p->mls_enabled)
204
		return 1;
205

206
	if (!mls_range_isvalid(p, &c->range))
207
		return 0;
208

209
	if (c->role == OBJECT_R_VAL)
210
		return 1;
211

212
	/*
213
	 * User must be authorized for the MLS range.
214
	 */
215
	if (!c->user || c->user > p->p_users.nprim)
216
		return 0;
217
	usrdatum = p->user_val_to_struct[c->user - 1];
218
	if (!mls_range_contains(usrdatum->range, c->range))
219
		return 0; /* user may not be associated with range */
220

221
	return 1;
222
}
223

224
/*
225
 * Set the MLS fields in the security context structure
226
 * `context' based on the string representation in
227
 * the string `*scontext'.  Update `*scontext' to
228
 * point to the end of the string representation of
229
 * the MLS fields.
230
 *
231
 * This function modifies the string in place, inserting
232
 * NULL characters to terminate the MLS fields.
233
 *
234
 * If a def_sid is provided and no MLS field is present,
235
 * copy the MLS field of the associated default context.
236
 * Used for upgraded to MLS systems where objects may lack
237
 * MLS fields.
238
 *
239
 * Policy read-lock must be held for sidtab lookup.
240
 *
241
 */
242
int mls_context_to_sid(struct policydb *pol,
243
		       char oldc,
244
		       char **scontext,
245
		       struct context *context,
246
		       struct sidtab *s,
247
		       u32 def_sid)
248
{
249

250
	char delim;
251
	char *scontextp, *p, *rngptr;
252
	struct level_datum *levdatum;
253
	struct cat_datum *catdatum, *rngdatum;
254
	int l, rc = -EINVAL;
255

256
	if (!pol->mls_enabled) {
257
		if (def_sid != SECSID_NULL && oldc)
258
			*scontext += strlen(*scontext) + 1;
259
		return 0;
260
	}
261

262
	/*
263
	 * No MLS component to the security context, try and map to
264
	 * default if provided.
265
	 */
266
	if (!oldc) {
267
		struct context *defcon;
268

269
		if (def_sid == SECSID_NULL)
270
			goto out;
271

272
		defcon = sidtab_search(s, def_sid);
273
		if (!defcon)
274
			goto out;
275

276
		rc = mls_context_cpy(context, defcon);
277
		goto out;
278
	}
279

280
	/* Extract low sensitivity. */
281
	scontextp = p = *scontext;
282
	while (*p && *p != ':' && *p != '-')
283
		p++;
284

285
	delim = *p;
286
	if (delim != '\0')
287
		*p++ = '\0';
288

289
	for (l = 0; l < 2; l++) {
290
		levdatum = hashtab_search(pol->p_levels.table, scontextp);
291
		if (!levdatum) {
292
			rc = -EINVAL;
293
			goto out;
294
		}
295

296
		context->range.level[l].sens = levdatum->level->sens;
297

298
		if (delim == ':') {
299
			/* Extract category set. */
300
			while (1) {
301
				scontextp = p;
302
				while (*p && *p != ',' && *p != '-')
303
					p++;
304
				delim = *p;
305
				if (delim != '\0')
306
					*p++ = '\0';
307

308
				/* Separate into range if exists */
309
				rngptr = strchr(scontextp, '.');
310
				if (rngptr != NULL) {
311
					/* Remove '.' */
312
					*rngptr++ = '\0';
313
				}
314

315
				catdatum = hashtab_search(pol->p_cats.table,
316
							  scontextp);
317
				if (!catdatum) {
318
					rc = -EINVAL;
319
					goto out;
320
				}
321

322
				rc = ebitmap_set_bit(&context->range.level[l].cat,
323
						     catdatum->value - 1, 1);
324
				if (rc)
325
					goto out;
326

327
				/* If range, set all categories in range */
328
				if (rngptr) {
329
					int i;
330

331
					rngdatum = hashtab_search(pol->p_cats.table, rngptr);
332
					if (!rngdatum) {
333
						rc = -EINVAL;
334
						goto out;
335
					}
336

337
					if (catdatum->value >= rngdatum->value) {
338
						rc = -EINVAL;
339
						goto out;
340
					}
341

342
					for (i = catdatum->value; i < rngdatum->value; i++) {
343
						rc = ebitmap_set_bit(&context->range.level[l].cat, i, 1);
344
						if (rc)
345
							goto out;
346
					}
347
				}
348

349
				if (delim != ',')
350
					break;
351
			}
352
		}
353
		if (delim == '-') {
354
			/* Extract high sensitivity. */
355
			scontextp = p;
356
			while (*p && *p != ':')
357
				p++;
358

359
			delim = *p;
360
			if (delim != '\0')
361
				*p++ = '\0';
362
		} else
363
			break;
364
	}
365

366
	if (l == 0) {
367
		context->range.level[1].sens = context->range.level[0].sens;
368
		rc = ebitmap_cpy(&context->range.level[1].cat,
369
				 &context->range.level[0].cat);
370
		if (rc)
371
			goto out;
372
	}
373
	*scontext = ++p;
374
	rc = 0;
375
out:
376
	return rc;
377
}
378

379
/*
380
 * Set the MLS fields in the security context structure
381
 * `context' based on the string representation in
382
 * the string `str'.  This function will allocate temporary memory with the
383
 * given constraints of gfp_mask.
384
 */
385
int mls_from_string(char *str, struct context *context, gfp_t gfp_mask)
386
{
387
	char *tmpstr, *freestr;
388
	int rc;
389

390
	if (!policydb.mls_enabled)
391
		return -EINVAL;
392

393
	/* we need freestr because mls_context_to_sid will change
394
	   the value of tmpstr */
395
	tmpstr = freestr = kstrdup(str, gfp_mask);
396
	if (!tmpstr) {
397
		rc = -ENOMEM;
398
	} else {
399
		rc = mls_context_to_sid(&policydb, ':', &tmpstr, context,
400
					NULL, SECSID_NULL);
401
		kfree(freestr);
402
	}
403

404
	return rc;
405
}
406

407
/*
408
 * Copies the MLS range `range' into `context'.
409
 */
410
int mls_range_set(struct context *context,
411
				struct mls_range *range)
412
{
413
	int l, rc = 0;
414

415
	/* Copy the MLS range into the  context */
416
	for (l = 0; l < 2; l++) {
417
		context->range.level[l].sens = range->level[l].sens;
418
		rc = ebitmap_cpy(&context->range.level[l].cat,
419
				 &range->level[l].cat);
420
		if (rc)
421
			break;
422
	}
423

424
	return rc;
425
}
426

427
int mls_setup_user_range(struct context *fromcon, struct user_datum *user,
428
			 struct context *usercon)
429
{
430
	if (policydb.mls_enabled) {
431
		struct mls_level *fromcon_sen = &(fromcon->range.level[0]);
432
		struct mls_level *fromcon_clr = &(fromcon->range.level[1]);
433
		struct mls_level *user_low = &(user->range.level[0]);
434
		struct mls_level *user_clr = &(user->range.level[1]);
435
		struct mls_level *user_def = &(user->dfltlevel);
436
		struct mls_level *usercon_sen = &(usercon->range.level[0]);
437
		struct mls_level *usercon_clr = &(usercon->range.level[1]);
438

439
		/* Honor the user's default level if we can */
440
		if (mls_level_between(user_def, fromcon_sen, fromcon_clr))
441
			*usercon_sen = *user_def;
442
		else if (mls_level_between(fromcon_sen, user_def, user_clr))
443
			*usercon_sen = *fromcon_sen;
444
		else if (mls_level_between(fromcon_clr, user_low, user_def))
445
			*usercon_sen = *user_low;
446
		else
447
			return -EINVAL;
448

449
		/* Lower the clearance of available contexts
450
		   if the clearance of "fromcon" is lower than
451
		   that of the user's default clearance (but
452
		   only if the "fromcon" clearance dominates
453
		   the user's computed sensitivity level) */
454
		if (mls_level_dom(user_clr, fromcon_clr))
455
			*usercon_clr = *fromcon_clr;
456
		else if (mls_level_dom(fromcon_clr, user_clr))
457
			*usercon_clr = *user_clr;
458
		else
459
			return -EINVAL;
460
	}
461

462
	return 0;
463
}
464

465
/*
466
 * Convert the MLS fields in the security context
467
 * structure `c' from the values specified in the
468
 * policy `oldp' to the values specified in the policy `newp'.
469
 */
470
int mls_convert_context(struct policydb *oldp,
471
			struct policydb *newp,
472
			struct context *c)
473
{
474
	struct level_datum *levdatum;
475
	struct cat_datum *catdatum;
476
	struct ebitmap bitmap;
477
	struct ebitmap_node *node;
478
	int l, i;
479

480
	if (!policydb.mls_enabled)
481
		return 0;
482

483
	for (l = 0; l < 2; l++) {
484
		levdatum = hashtab_search(newp->p_levels.table,
485
					  sym_name(oldp, SYM_LEVELS,
486
						   c->range.level[l].sens - 1));
487

488
		if (!levdatum)
489
			return -EINVAL;
490
		c->range.level[l].sens = levdatum->level->sens;
491

492
		ebitmap_init(&bitmap);
493
		ebitmap_for_each_positive_bit(&c->range.level[l].cat, node, i) {
494
			int rc;
495

496
			catdatum = hashtab_search(newp->p_cats.table,
497
						  sym_name(oldp, SYM_CATS, i));
498
			if (!catdatum)
499
				return -EINVAL;
500
			rc = ebitmap_set_bit(&bitmap, catdatum->value - 1, 1);
501
			if (rc)
502
				return rc;
503
		}
504
		ebitmap_destroy(&c->range.level[l].cat);
505
		c->range.level[l].cat = bitmap;
506
	}
507

508
	return 0;
509
}
510

511
int mls_compute_sid(struct context *scontext,
512
		    struct context *tcontext,
513
		    u16 tclass,
514
		    u32 specified,
515
		    struct context *newcontext,
516
		    bool sock)
517
{
518
	struct range_trans rtr;
519
	struct mls_range *r;
520

521
	if (!policydb.mls_enabled)
522
		return 0;
523

524
	switch (specified) {
525
	case AVTAB_TRANSITION:
526
		/* Look for a range transition rule. */
527
		rtr.source_type = scontext->type;
528
		rtr.target_type = tcontext->type;
529
		rtr.target_class = tclass;
530
		r = hashtab_search(policydb.range_tr, &rtr);
531
		if (r)
532
			return mls_range_set(newcontext, r);
533
		/* Fallthrough */
534
	case AVTAB_CHANGE:
535
		if ((tclass == policydb.process_class) || (sock == true))
536
			/* Use the process MLS attributes. */
537
			return mls_context_cpy(newcontext, scontext);
538
		else
539
			/* Use the process effective MLS attributes. */
540
			return mls_context_cpy_low(newcontext, scontext);
541
	case AVTAB_MEMBER:
542
		/* Use the process effective MLS attributes. */
543
		return mls_context_cpy_low(newcontext, scontext);
544

545
	/* fall through */
546
	}
547
	return -EINVAL;
548
}
549

550
#ifdef CONFIG_NETLABEL
551
/**
552
 * mls_export_netlbl_lvl - Export the MLS sensitivity levels to NetLabel
553
 * @context: the security context
554
 * @secattr: the NetLabel security attributes
555
 *
556
 * Description:
557
 * Given the security context copy the low MLS sensitivity level into the
558
 * NetLabel MLS sensitivity level field.
559
 *
560
 */
561
void mls_export_netlbl_lvl(struct context *context,
562
			   struct netlbl_lsm_secattr *secattr)
563
{
564
	if (!policydb.mls_enabled)
565
		return;
566

567
	secattr->attr.mls.lvl = context->range.level[0].sens - 1;
568
	secattr->flags |= NETLBL_SECATTR_MLS_LVL;
569
}
570

571
/**
572
 * mls_import_netlbl_lvl - Import the NetLabel MLS sensitivity levels
573
 * @context: the security context
574
 * @secattr: the NetLabel security attributes
575
 *
576
 * Description:
577
 * Given the security context and the NetLabel security attributes, copy the
578
 * NetLabel MLS sensitivity level into the context.
579
 *
580
 */
581
void mls_import_netlbl_lvl(struct context *context,
582
			   struct netlbl_lsm_secattr *secattr)
583
{
584
	if (!policydb.mls_enabled)
585
		return;
586

587
	context->range.level[0].sens = secattr->attr.mls.lvl + 1;
588
	context->range.level[1].sens = context->range.level[0].sens;
589
}
590

591
/**
592
 * mls_export_netlbl_cat - Export the MLS categories to NetLabel
593
 * @context: the security context
594
 * @secattr: the NetLabel security attributes
595
 *
596
 * Description:
597
 * Given the security context copy the low MLS categories into the NetLabel
598
 * MLS category field.  Returns zero on success, negative values on failure.
599
 *
600
 */
601
int mls_export_netlbl_cat(struct context *context,
602
			  struct netlbl_lsm_secattr *secattr)
603
{
604
	int rc;
605

606
	if (!policydb.mls_enabled)
607
		return 0;
608

609
	rc = ebitmap_netlbl_export(&context->range.level[0].cat,
610
				   &secattr->attr.mls.cat);
611
	if (rc == 0 && secattr->attr.mls.cat != NULL)
612
		secattr->flags |= NETLBL_SECATTR_MLS_CAT;
613

614
	return rc;
615
}
616

617
/**
618
 * mls_import_netlbl_cat - Import the MLS categories from NetLabel
619
 * @context: the security context
620
 * @secattr: the NetLabel security attributes
621
 *
622
 * Description:
623
 * Copy the NetLabel security attributes into the SELinux context; since the
624
 * NetLabel security attribute only contains a single MLS category use it for
625
 * both the low and high categories of the context.  Returns zero on success,
626
 * negative values on failure.
627
 *
628
 */
629
int mls_import_netlbl_cat(struct context *context,
630
			  struct netlbl_lsm_secattr *secattr)
631
{
632
	int rc;
633

634
	if (!policydb.mls_enabled)
635
		return 0;
636

637
	rc = ebitmap_netlbl_import(&context->range.level[0].cat,
638
				   secattr->attr.mls.cat);
639
	if (rc != 0)
640
		goto import_netlbl_cat_failure;
641

642
	rc = ebitmap_cpy(&context->range.level[1].cat,
643
			 &context->range.level[0].cat);
644
	if (rc != 0)
645
		goto import_netlbl_cat_failure;
646

647
	return 0;
648

649
import_netlbl_cat_failure:
650
	ebitmap_destroy(&context->range.level[0].cat);
651
	ebitmap_destroy(&context->range.level[1].cat);
652
	return rc;
653
}
654
#endif /* CONFIG_NETLABEL */
655

656