Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
torvalds
GitHub Repository: torvalds/linux
 Path: blob/master/security/selinux/ss/services.c
26436 views
1
// SPDX-License-Identifier: GPL-2.0-only

2
/*

3
 * Implementation of the security services.

4
 *

5
 * Authors : Stephen Smalley, <[email protected]>

6
 *	     James Morris <[email protected]>

7
 *

8
 * Updated: Trusted Computer Solutions, Inc. <[email protected]>

9
 *

10
 *	Support for enhanced MLS infrastructure.

11
 *	Support for context based audit filters.

12
 *

13
 * Updated: Frank Mayer <[email protected]> and Karl MacMillan <[email protected]>

14
 *

15
 *	Added conditional policy language extensions

16
 *

17
 * Updated: Hewlett-Packard <[email protected]>

18
 *

19
 *      Added support for NetLabel

20
 *      Added support for the policy capability bitmap

21
 *

22
 * Updated: Chad Sellers <[email protected]>

23
 *

24
 *  Added validation of kernel classes and permissions

25
 *

26
 * Updated: KaiGai Kohei <[email protected]>

27
 *

28
 *  Added support for bounds domain and audit messaged on masked permissions

29
 *

30
 * Updated: Guido Trentalancia <[email protected]>

31
 *

32
 *  Added support for runtime switching of the policy type

33
 *

34
 * Copyright (C) 2008, 2009 NEC Corporation

35
 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.

36
 * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.

37
 * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC

38
 * Copyright (C) 2003 Red Hat, Inc., James Morris <[email protected]>

39
 */

40
#include <linux/kernel.h>

41
#include <linux/slab.h>

42
#include <linux/string.h>

43
#include <linux/spinlock.h>

44
#include <linux/rcupdate.h>

45
#include <linux/errno.h>

46
#include <linux/in.h>

47
#include <linux/sched.h>

48
#include <linux/audit.h>

49
#include <linux/parser.h>

50
#include <linux/vmalloc.h>

51
#include <linux/lsm_hooks.h>

52
#include <net/netlabel.h>

53


54
#include "flask.h"

55
#include "avc.h"

56
#include "avc_ss.h"

57
#include "security.h"

58
#include "context.h"

59
#include "policydb.h"

60
#include "sidtab.h"

61
#include "services.h"

62
#include "conditional.h"

63
#include "mls.h"

64
#include "objsec.h"

65
#include "netlabel.h"

66
#include "xfrm.h"

67
#include "ebitmap.h"

68
#include "audit.h"

69
#include "policycap_names.h"

70
#include "ima.h"

71


72
struct selinux_policy_convert_data {

73
	struct convert_context_args args;

74
	struct sidtab_convert_params sidtab_params;

75
};

76


77
/* Forward declaration. */

78
static int context_struct_to_string(struct policydb *policydb,

79
				    struct context *context,

80
				    char **scontext,

81
				    u32 *scontext_len);

82


83
static int sidtab_entry_to_string(struct policydb *policydb,

84
				  struct sidtab *sidtab,

85
				  struct sidtab_entry *entry,

86
				  char **scontext,

87
				  u32 *scontext_len);

88


89
static void context_struct_compute_av(struct policydb *policydb,

90
				      struct context *scontext,

91
				      struct context *tcontext,

92
				      u16 tclass,

93
				      struct av_decision *avd,

94
				      struct extended_perms *xperms);

95


96
static int selinux_set_mapping(struct policydb *pol,

97
			       const struct security_class_mapping *map,

98
			       struct selinux_map *out_map)

99
{

100
	u16 i, j;

101
	bool print_unknown_handle = false;

102


103
	/* Find number of classes in the input mapping */

104
	if (!map)

105
		return -EINVAL;

106
	i = 0;

107
	while (map[i].name)

108
		i++;

109


110
	/* Allocate space for the class records, plus one for class zero */

111
	out_map->mapping = kcalloc(++i, sizeof(*out_map->mapping), GFP_ATOMIC);

112
	if (!out_map->mapping)

113
		return -ENOMEM;

114


115
	/* Store the raw class and permission values */

116
	j = 0;

117
	while (map[j].name) {

118
		const struct security_class_mapping *p_in = map + (j++);

119
		struct selinux_mapping *p_out = out_map->mapping + j;

120
		u16 k;

121


122
		/* An empty class string skips ahead */

123
		if (!strcmp(p_in->name, "")) {

124
			p_out->num_perms = 0;

125
			continue;

126
		}

127


128
		p_out->value = string_to_security_class(pol, p_in->name);

129
		if (!p_out->value) {

130
			pr_info("SELinux:  Class %s not defined in policy.\n",

131
			       p_in->name);

132
			if (pol->reject_unknown)

133
				goto err;

134
			p_out->num_perms = 0;

135
			print_unknown_handle = true;

136
			continue;

137
		}

138


139
		k = 0;

140
		while (p_in->perms[k]) {

141
			/* An empty permission string skips ahead */

142
			if (!*p_in->perms[k]) {

143
				k++;

144
				continue;

145
			}

146
			p_out->perms[k] = string_to_av_perm(pol, p_out->value,

147
							    p_in->perms[k]);

148
			if (!p_out->perms[k]) {

149
				pr_info("SELinux:  Permission %s in class %s not defined in policy.\n",

150
				       p_in->perms[k], p_in->name);

151
				if (pol->reject_unknown)

152
					goto err;

153
				print_unknown_handle = true;

154
			}

155


156
			k++;

157
		}

158
		p_out->num_perms = k;

159
	}

160


161
	if (print_unknown_handle)

162
		pr_info("SELinux: the above unknown classes and permissions will be %s\n",

163
		       pol->allow_unknown ? "allowed" : "denied");

164


165
	out_map->size = i;

166
	return 0;

167
err:

168
	kfree(out_map->mapping);

169
	out_map->mapping = NULL;

170
	return -EINVAL;

171
}

172


173
/*

174
 * Get real, policy values from mapped values

175
 */

176


177
static u16 unmap_class(struct selinux_map *map, u16 tclass)

178
{

179
	if (tclass < map->size)

180
		return map->mapping[tclass].value;

181


182
	return tclass;

183
}

184


185
/*

186
 * Get kernel value for class from its policy value

187
 */

188
static u16 map_class(struct selinux_map *map, u16 pol_value)

189
{

190
	u16 i;

191


192
	for (i = 1; i < map->size; i++) {

193
		if (map->mapping[i].value == pol_value)

194
			return i;

195
	}

196


197
	return SECCLASS_NULL;

198
}

199


200
static void map_decision(struct selinux_map *map,

201
			 u16 tclass, struct av_decision *avd,

202
			 int allow_unknown)

203
{

204
	if (tclass < map->size) {

205
		struct selinux_mapping *mapping = &map->mapping[tclass];

206
		unsigned int i, n = mapping->num_perms;

207
		u32 result;

208


209
		for (i = 0, result = 0; i < n; i++) {

210
			if (avd->allowed & mapping->perms[i])

211
				result |= (u32)1<<i;

212
			if (allow_unknown && !mapping->perms[i])

213
				result |= (u32)1<<i;

214
		}

215
		avd->allowed = result;

216


217
		for (i = 0, result = 0; i < n; i++)

218
			if (avd->auditallow & mapping->perms[i])

219
				result |= (u32)1<<i;

220
		avd->auditallow = result;

221


222
		for (i = 0, result = 0; i < n; i++) {

223
			if (avd->auditdeny & mapping->perms[i])

224
				result |= (u32)1<<i;

225
			if (!allow_unknown && !mapping->perms[i])

226
				result |= (u32)1<<i;

227
		}

228
		/*

229
		 * In case the kernel has a bug and requests a permission

230
		 * between num_perms and the maximum permission number, we

231
		 * should audit that denial

232
		 */

233
		for (; i < (sizeof(u32)*8); i++)

234
			result |= (u32)1<<i;

235
		avd->auditdeny = result;

236
	}

237
}

238


239
int security_mls_enabled(void)

240
{

241
	int mls_enabled;

242
	struct selinux_policy *policy;

243


244
	if (!selinux_initialized())

245
		return 0;

246


247
	rcu_read_lock();

248
	policy = rcu_dereference(selinux_state.policy);

249
	mls_enabled = policy->policydb.mls_enabled;

250
	rcu_read_unlock();

251
	return mls_enabled;

252
}

253


254
/*

255
 * Return the boolean value of a constraint expression

256
 * when it is applied to the specified source and target

257
 * security contexts.

258
 *

259
 * xcontext is a special beast...  It is used by the validatetrans rules

260
 * only.  For these rules, scontext is the context before the transition,

261
 * tcontext is the context after the transition, and xcontext is the context

262
 * of the process performing the transition.  All other callers of

263
 * constraint_expr_eval should pass in NULL for xcontext.

264
 */

265
static int constraint_expr_eval(struct policydb *policydb,

266
				struct context *scontext,

267
				struct context *tcontext,

268
				struct context *xcontext,

269
				struct constraint_expr *cexpr)

270
{

271
	u32 val1, val2;

272
	struct context *c;

273
	struct role_datum *r1, *r2;

274
	struct mls_level *l1, *l2;

275
	struct constraint_expr *e;

276
	int s[CEXPR_MAXDEPTH];

277
	int sp = -1;

278


279
	for (e = cexpr; e; e = e->next) {

280
		switch (e->expr_type) {

281
		case CEXPR_NOT:

282
			BUG_ON(sp < 0);

283
			s[sp] = !s[sp];

284
			break;

285
		case CEXPR_AND:

286
			BUG_ON(sp < 1);

287
			sp--;

288
			s[sp] &= s[sp + 1];

289
			break;

290
		case CEXPR_OR:

291
			BUG_ON(sp < 1);

292
			sp--;

293
			s[sp] |= s[sp + 1];

294
			break;

295
		case CEXPR_ATTR:

296
			if (sp == (CEXPR_MAXDEPTH - 1))

297
				return 0;

298
			switch (e->attr) {

299
			case CEXPR_USER:

300
				val1 = scontext->user;

301
				val2 = tcontext->user;

302
				break;

303
			case CEXPR_TYPE:

304
				val1 = scontext->type;

305
				val2 = tcontext->type;

306
				break;

307
			case CEXPR_ROLE:

308
				val1 = scontext->role;

309
				val2 = tcontext->role;

310
				r1 = policydb->role_val_to_struct[val1 - 1];

311
				r2 = policydb->role_val_to_struct[val2 - 1];

312
				switch (e->op) {

313
				case CEXPR_DOM:

314
					s[++sp] = ebitmap_get_bit(&r1->dominates,

315
								  val2 - 1);

316
					continue;

317
				case CEXPR_DOMBY:

318
					s[++sp] = ebitmap_get_bit(&r2->dominates,

319
								  val1 - 1);

320
					continue;

321
				case CEXPR_INCOMP:

322
					s[++sp] = (!ebitmap_get_bit(&r1->dominates,

323
								    val2 - 1) &&

324
						   !ebitmap_get_bit(&r2->dominates,

325
								    val1 - 1));

326
					continue;

327
				default:

328
					break;

329
				}

330
				break;

331
			case CEXPR_L1L2:

332
				l1 = &(scontext->range.level[0]);

333
				l2 = &(tcontext->range.level[0]);

334
				goto mls_ops;

335
			case CEXPR_L1H2:

336
				l1 = &(scontext->range.level[0]);

337
				l2 = &(tcontext->range.level[1]);

338
				goto mls_ops;

339
			case CEXPR_H1L2:

340
				l1 = &(scontext->range.level[1]);

341
				l2 = &(tcontext->range.level[0]);

342
				goto mls_ops;

343
			case CEXPR_H1H2:

344
				l1 = &(scontext->range.level[1]);

345
				l2 = &(tcontext->range.level[1]);

346
				goto mls_ops;

347
			case CEXPR_L1H1:

348
				l1 = &(scontext->range.level[0]);

349
				l2 = &(scontext->range.level[1]);

350
				goto mls_ops;

351
			case CEXPR_L2H2:

352
				l1 = &(tcontext->range.level[0]);

353
				l2 = &(tcontext->range.level[1]);

354
				goto mls_ops;

355
mls_ops:

356
				switch (e->op) {

357
				case CEXPR_EQ:

358
					s[++sp] = mls_level_eq(l1, l2);

359
					continue;

360
				case CEXPR_NEQ:

361
					s[++sp] = !mls_level_eq(l1, l2);

362
					continue;

363
				case CEXPR_DOM:

364
					s[++sp] = mls_level_dom(l1, l2);

365
					continue;

366
				case CEXPR_DOMBY:

367
					s[++sp] = mls_level_dom(l2, l1);

368
					continue;

369
				case CEXPR_INCOMP:

370
					s[++sp] = mls_level_incomp(l2, l1);

371
					continue;

372
				default:

373
					BUG();

374
					return 0;

375
				}

376
				break;

377
			default:

378
				BUG();

379
				return 0;

380
			}

381


382
			switch (e->op) {

383
			case CEXPR_EQ:

384
				s[++sp] = (val1 == val2);

385
				break;

386
			case CEXPR_NEQ:

387
				s[++sp] = (val1 != val2);

388
				break;

389
			default:

390
				BUG();

391
				return 0;

392
			}

393
			break;

394
		case CEXPR_NAMES:

395
			if (sp == (CEXPR_MAXDEPTH-1))

396
				return 0;

397
			c = scontext;

398
			if (e->attr & CEXPR_TARGET)

399
				c = tcontext;

400
			else if (e->attr & CEXPR_XTARGET) {

401
				c = xcontext;

402
				if (!c) {

403
					BUG();

404
					return 0;

405
				}

406
			}

407
			if (e->attr & CEXPR_USER)

408
				val1 = c->user;

409
			else if (e->attr & CEXPR_ROLE)

410
				val1 = c->role;

411
			else if (e->attr & CEXPR_TYPE)

412
				val1 = c->type;

413
			else {

414
				BUG();

415
				return 0;

416
			}

417


418
			switch (e->op) {

419
			case CEXPR_EQ:

420
				s[++sp] = ebitmap_get_bit(&e->names, val1 - 1);

421
				break;

422
			case CEXPR_NEQ:

423
				s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1);

424
				break;

425
			default:

426
				BUG();

427
				return 0;

428
			}

429
			break;

430
		default:

431
			BUG();

432
			return 0;

433
		}

434
	}

435


436
	BUG_ON(sp != 0);

437
	return s[0];

438
}

439


440
/*

441
 * security_dump_masked_av - dumps masked permissions during

442
 * security_compute_av due to RBAC, MLS/Constraint and Type bounds.

443
 */

444
static int dump_masked_av_helper(void *k, void *d, void *args)

445
{

446
	struct perm_datum *pdatum = d;

447
	char **permission_names = args;

448


449
	BUG_ON(pdatum->value < 1 || pdatum->value > 32);

450


451
	permission_names[pdatum->value - 1] = (char *)k;

452


453
	return 0;

454
}

455


456
static void security_dump_masked_av(struct policydb *policydb,

457
				    struct context *scontext,

458
				    struct context *tcontext,

459
				    u16 tclass,

460
				    u32 permissions,

461
				    const char *reason)

462
{

463
	struct common_datum *common_dat;

464
	struct class_datum *tclass_dat;

465
	struct audit_buffer *ab;

466
	char *tclass_name;

467
	char *scontext_name = NULL;

468
	char *tcontext_name = NULL;

469
	char *permission_names[32];

470
	int index;

471
	u32 length;

472
	bool need_comma = false;

473


474
	if (!permissions)

475
		return;

476


477
	tclass_name = sym_name(policydb, SYM_CLASSES, tclass - 1);

478
	tclass_dat = policydb->class_val_to_struct[tclass - 1];

479
	common_dat = tclass_dat->comdatum;

480


481
	/* init permission_names */

482
	if (common_dat &&

483
	    hashtab_map(&common_dat->permissions.table,

484
			dump_masked_av_helper, permission_names) < 0)

485
		goto out;

486


487
	if (hashtab_map(&tclass_dat->permissions.table,

488
			dump_masked_av_helper, permission_names) < 0)

489
		goto out;

490


491
	/* get scontext/tcontext in text form */

492
	if (context_struct_to_string(policydb, scontext,

493
				     &scontext_name, &length) < 0)

494
		goto out;

495


496
	if (context_struct_to_string(policydb, tcontext,

497
				     &tcontext_name, &length) < 0)

498
		goto out;

499


500
	/* audit a message */

501
	ab = audit_log_start(audit_context(),

502
			     GFP_ATOMIC, AUDIT_SELINUX_ERR);

503
	if (!ab)

504
		goto out;

505


506
	audit_log_format(ab, "op=security_compute_av reason=%s "

507
			 "scontext=%s tcontext=%s tclass=%s perms=",

508
			 reason, scontext_name, tcontext_name, tclass_name);

509


510
	for (index = 0; index < 32; index++) {

511
		u32 mask = (1 << index);

512


513
		if ((mask & permissions) == 0)

514
			continue;

515


516
		audit_log_format(ab, "%s%s",

517
				 need_comma ? "," : "",

518
				 permission_names[index]

519
				 ? permission_names[index] : "????");

520
		need_comma = true;

521
	}

522
	audit_log_end(ab);

523
out:

524
	/* release scontext/tcontext */

525
	kfree(tcontext_name);

526
	kfree(scontext_name);

527
}

528


529
/*

530
 * security_boundary_permission - drops violated permissions

531
 * on boundary constraint.

532
 */

533
static void type_attribute_bounds_av(struct policydb *policydb,

534
				     struct context *scontext,

535
				     struct context *tcontext,

536
				     u16 tclass,

537
				     struct av_decision *avd)

538
{

539
	struct context lo_scontext;

540
	struct context lo_tcontext, *tcontextp = tcontext;

541
	struct av_decision lo_avd;

542
	struct type_datum *source;

543
	struct type_datum *target;

544
	u32 masked = 0;

545


546
	source = policydb->type_val_to_struct[scontext->type - 1];

547
	BUG_ON(!source);

548


549
	if (!source->bounds)

550
		return;

551


552
	target = policydb->type_val_to_struct[tcontext->type - 1];

553
	BUG_ON(!target);

554


555
	memset(&lo_avd, 0, sizeof(lo_avd));

556


557
	memcpy(&lo_scontext, scontext, sizeof(lo_scontext));

558
	lo_scontext.type = source->bounds;

559


560
	if (target->bounds) {

561
		memcpy(&lo_tcontext, tcontext, sizeof(lo_tcontext));

562
		lo_tcontext.type = target->bounds;

563
		tcontextp = &lo_tcontext;

564
	}

565


566
	context_struct_compute_av(policydb, &lo_scontext,

567
				  tcontextp,

568
				  tclass,

569
				  &lo_avd,

570
				  NULL);

571


572
	masked = ~lo_avd.allowed & avd->allowed;

573


574
	if (likely(!masked))

575
		return;		/* no masked permission */

576


577
	/* mask violated permissions */

578
	avd->allowed &= ~masked;

579


580
	/* audit masked permissions */

581
	security_dump_masked_av(policydb, scontext, tcontext,

582
				tclass, masked, "bounds");

583
}

584


585
/*

586
 * Flag which drivers have permissions and which base permissions are covered.

587
 */

588
void services_compute_xperms_drivers(

589
		struct extended_perms *xperms,

590
		struct avtab_node *node)

591
{

592
	unsigned int i;

593


594
	switch (node->datum.u.xperms->specified) {

595
	case AVTAB_XPERMS_IOCTLDRIVER:

596
		xperms->base_perms |= AVC_EXT_IOCTL;

597
		/* if one or more driver has all permissions allowed */

598
		for (i = 0; i < ARRAY_SIZE(xperms->drivers.p); i++)

599
			xperms->drivers.p[i] |= node->datum.u.xperms->perms.p[i];

600
		break;

601
	case AVTAB_XPERMS_IOCTLFUNCTION:

602
		xperms->base_perms |= AVC_EXT_IOCTL;

603
		/* if allowing permissions within a driver */

604
		security_xperm_set(xperms->drivers.p,

605
					node->datum.u.xperms->driver);

606
		break;

607
	case AVTAB_XPERMS_NLMSG:

608
		xperms->base_perms |= AVC_EXT_NLMSG;

609
		/* if allowing permissions within a driver */

610
		security_xperm_set(xperms->drivers.p,

611
					node->datum.u.xperms->driver);

612
		break;

613
	}

614


615
	xperms->len = 1;

616
}

617


618
/*

619
 * Compute access vectors and extended permissions based on a context

620
 * structure pair for the permissions in a particular class.

621
 */

622
static void context_struct_compute_av(struct policydb *policydb,

623
				      struct context *scontext,

624
				      struct context *tcontext,

625
				      u16 tclass,

626
				      struct av_decision *avd,

627
				      struct extended_perms *xperms)

628
{

629
	struct constraint_node *constraint;

630
	struct role_allow *ra;

631
	struct avtab_key avkey;

632
	struct avtab_node *node;

633
	struct class_datum *tclass_datum;

634
	struct ebitmap *sattr, *tattr;

635
	struct ebitmap_node *snode, *tnode;

636
	unsigned int i, j;

637


638
	avd->allowed = 0;

639
	avd->auditallow = 0;

640
	avd->auditdeny = 0xffffffff;

641
	if (xperms) {

642
		memset(xperms, 0, sizeof(*xperms));

643
	}

644


645
	if (unlikely(!tclass || tclass > policydb->p_classes.nprim)) {

646
		pr_warn_ratelimited("SELinux:  Invalid class %u\n", tclass);

647
		return;

648
	}

649


650
	tclass_datum = policydb->class_val_to_struct[tclass - 1];

651


652
	/*

653
	 * If a specific type enforcement rule was defined for

654
	 * this permission check, then use it.

655
	 */

656
	avkey.target_class = tclass;

657
	avkey.specified = AVTAB_AV | AVTAB_XPERMS;

658
	sattr = &policydb->type_attr_map_array[scontext->type - 1];

659
	tattr = &policydb->type_attr_map_array[tcontext->type - 1];

660
	ebitmap_for_each_positive_bit(sattr, snode, i) {

661
		ebitmap_for_each_positive_bit(tattr, tnode, j) {

662
			avkey.source_type = i + 1;

663
			avkey.target_type = j + 1;

664
			for (node = avtab_search_node(&policydb->te_avtab,

665
						      &avkey);

666
			     node;

667
			     node = avtab_search_node_next(node, avkey.specified)) {

668
				if (node->key.specified == AVTAB_ALLOWED)

669
					avd->allowed |= node->datum.u.data;

670
				else if (node->key.specified == AVTAB_AUDITALLOW)

671
					avd->auditallow |= node->datum.u.data;

672
				else if (node->key.specified == AVTAB_AUDITDENY)

673
					avd->auditdeny &= node->datum.u.data;

674
				else if (xperms && (node->key.specified & AVTAB_XPERMS))

675
					services_compute_xperms_drivers(xperms, node);

676
			}

677


678
			/* Check conditional av table for additional permissions */

679
			cond_compute_av(&policydb->te_cond_avtab, &avkey,

680
					avd, xperms);

681


682
		}

683
	}

684


685
	/*

686
	 * Remove any permissions prohibited by a constraint (this includes

687
	 * the MLS policy).

688
	 */

689
	constraint = tclass_datum->constraints;

690
	while (constraint) {

691
		if ((constraint->permissions & (avd->allowed)) &&

692
		    !constraint_expr_eval(policydb, scontext, tcontext, NULL,

693
					  constraint->expr)) {

694
			avd->allowed &= ~(constraint->permissions);

695
		}

696
		constraint = constraint->next;

697
	}

698


699
	/*

700
	 * If checking process transition permission and the

701
	 * role is changing, then check the (current_role, new_role)

702
	 * pair.

703
	 */

704
	if (tclass == policydb->process_class &&

705
	    (avd->allowed & policydb->process_trans_perms) &&

706
	    scontext->role != tcontext->role) {

707
		for (ra = policydb->role_allow; ra; ra = ra->next) {

708
			if (scontext->role == ra->role &&

709
			    tcontext->role == ra->new_role)

710
				break;

711
		}

712
		if (!ra)

713
			avd->allowed &= ~policydb->process_trans_perms;

714
	}

715


716
	/*

717
	 * If the given source and target types have boundary

718
	 * constraint, lazy checks have to mask any violated

719
	 * permission and notice it to userspace via audit.

720
	 */

721
	type_attribute_bounds_av(policydb, scontext, tcontext,

722
				 tclass, avd);

723
}

724


725
static int security_validtrans_handle_fail(struct selinux_policy *policy,

726
					struct sidtab_entry *oentry,

727
					struct sidtab_entry *nentry,

728
					struct sidtab_entry *tentry,

729
					u16 tclass)

730
{

731
	struct policydb *p = &policy->policydb;

732
	struct sidtab *sidtab = policy->sidtab;

733
	char *o = NULL, *n = NULL, *t = NULL;

734
	u32 olen, nlen, tlen;

735


736
	if (sidtab_entry_to_string(p, sidtab, oentry, &o, &olen))

737
		goto out;

738
	if (sidtab_entry_to_string(p, sidtab, nentry, &n, &nlen))

739
		goto out;

740
	if (sidtab_entry_to_string(p, sidtab, tentry, &t, &tlen))

741
		goto out;

742
	audit_log(audit_context(), GFP_ATOMIC, AUDIT_SELINUX_ERR,

743
		  "op=security_validate_transition seresult=denied"

744
		  " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",

745
		  o, n, t, sym_name(p, SYM_CLASSES, tclass-1));

746
out:

747
	kfree(o);

748
	kfree(n);

749
	kfree(t);

750


751
	if (!enforcing_enabled())

752
		return 0;

753
	return -EPERM;

754
}

755


756
static int security_compute_validatetrans(u32 oldsid, u32 newsid, u32 tasksid,

757
					  u16 orig_tclass, bool user)

758
{

759
	struct selinux_policy *policy;

760
	struct policydb *policydb;

761
	struct sidtab *sidtab;

762
	struct sidtab_entry *oentry;

763
	struct sidtab_entry *nentry;

764
	struct sidtab_entry *tentry;

765
	struct class_datum *tclass_datum;

766
	struct constraint_node *constraint;

767
	u16 tclass;

768
	int rc = 0;

769


770


771
	if (!selinux_initialized())

772
		return 0;

773


774
	rcu_read_lock();

775


776
	policy = rcu_dereference(selinux_state.policy);

777
	policydb = &policy->policydb;

778
	sidtab = policy->sidtab;

779


780
	if (!user)

781
		tclass = unmap_class(&policy->map, orig_tclass);

782
	else

783
		tclass = orig_tclass;

784


785
	if (!tclass || tclass > policydb->p_classes.nprim) {

786
		rc = -EINVAL;

787
		goto out;

788
	}

789
	tclass_datum = policydb->class_val_to_struct[tclass - 1];

790


791
	oentry = sidtab_search_entry(sidtab, oldsid);

792
	if (!oentry) {

793
		pr_err("SELinux: %s:  unrecognized SID %d\n",

794
			__func__, oldsid);

795
		rc = -EINVAL;

796
		goto out;

797
	}

798


799
	nentry = sidtab_search_entry(sidtab, newsid);

800
	if (!nentry) {

801
		pr_err("SELinux: %s:  unrecognized SID %d\n",

802
			__func__, newsid);

803
		rc = -EINVAL;

804
		goto out;

805
	}

806


807
	tentry = sidtab_search_entry(sidtab, tasksid);

808
	if (!tentry) {

809
		pr_err("SELinux: %s:  unrecognized SID %d\n",

810
			__func__, tasksid);

811
		rc = -EINVAL;

812
		goto out;

813
	}

814


815
	constraint = tclass_datum->validatetrans;

816
	while (constraint) {

817
		if (!constraint_expr_eval(policydb, &oentry->context,

818
					  &nentry->context, &tentry->context,

819
					  constraint->expr)) {

820
			if (user)

821
				rc = -EPERM;

822
			else

823
				rc = security_validtrans_handle_fail(policy,

824
								oentry,

825
								nentry,

826
								tentry,

827
								tclass);

828
			goto out;

829
		}

830
		constraint = constraint->next;

831
	}

832


833
out:

834
	rcu_read_unlock();

835
	return rc;

836
}

837


838
int security_validate_transition_user(u32 oldsid, u32 newsid, u32 tasksid,

839
				      u16 tclass)

840
{

841
	return security_compute_validatetrans(oldsid, newsid, tasksid,

842
					      tclass, true);

843
}

844


845
int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,

846
				 u16 orig_tclass)

847
{

848
	return security_compute_validatetrans(oldsid, newsid, tasksid,

849
					      orig_tclass, false);

850
}

851


852
/*

853
 * security_bounded_transition - check whether the given

854
 * transition is directed to bounded, or not.

855
 * It returns 0, if @newsid is bounded by @oldsid.

856
 * Otherwise, it returns error code.

857
 *

858
 * @oldsid : current security identifier

859
 * @newsid : destinated security identifier

860
 */

861
int security_bounded_transition(u32 old_sid, u32 new_sid)

862
{

863
	struct selinux_policy *policy;

864
	struct policydb *policydb;

865
	struct sidtab *sidtab;

866
	struct sidtab_entry *old_entry, *new_entry;

867
	struct type_datum *type;

868
	u32 index;

869
	int rc;

870


871
	if (!selinux_initialized())

872
		return 0;

873


874
	rcu_read_lock();

875
	policy = rcu_dereference(selinux_state.policy);

876
	policydb = &policy->policydb;

877
	sidtab = policy->sidtab;

878


879
	rc = -EINVAL;

880
	old_entry = sidtab_search_entry(sidtab, old_sid);

881
	if (!old_entry) {

882
		pr_err("SELinux: %s: unrecognized SID %u\n",

883
		       __func__, old_sid);

884
		goto out;

885
	}

886


887
	rc = -EINVAL;

888
	new_entry = sidtab_search_entry(sidtab, new_sid);

889
	if (!new_entry) {

890
		pr_err("SELinux: %s: unrecognized SID %u\n",

891
		       __func__, new_sid);

892
		goto out;

893
	}

894


895
	rc = 0;

896
	/* type/domain unchanged */

897
	if (old_entry->context.type == new_entry->context.type)

898
		goto out;

899


900
	index = new_entry->context.type;

901
	while (true) {

902
		type = policydb->type_val_to_struct[index - 1];

903
		BUG_ON(!type);

904


905
		/* not bounded anymore */

906
		rc = -EPERM;

907
		if (!type->bounds)

908
			break;

909


910
		/* @newsid is bounded by @oldsid */

911
		rc = 0;

912
		if (type->bounds == old_entry->context.type)

913
			break;

914


915
		index = type->bounds;

916
	}

917


918
	if (rc) {

919
		char *old_name = NULL;

920
		char *new_name = NULL;

921
		u32 length;

922


923
		if (!sidtab_entry_to_string(policydb, sidtab, old_entry,

924
					    &old_name, &length) &&

925
		    !sidtab_entry_to_string(policydb, sidtab, new_entry,

926
					    &new_name, &length)) {

927
			audit_log(audit_context(),

928
				  GFP_ATOMIC, AUDIT_SELINUX_ERR,

929
				  "op=security_bounded_transition "

930
				  "seresult=denied "

931
				  "oldcontext=%s newcontext=%s",

932
				  old_name, new_name);

933
		}

934
		kfree(new_name);

935
		kfree(old_name);

936
	}

937
out:

938
	rcu_read_unlock();

939


940
	return rc;

941
}

942


943
static void avd_init(struct selinux_policy *policy, struct av_decision *avd)

944
{

945
	avd->allowed = 0;

946
	avd->auditallow = 0;

947
	avd->auditdeny = 0xffffffff;

948
	if (policy)

949
		avd->seqno = policy->latest_granting;

950
	else

951
		avd->seqno = 0;

952
	avd->flags = 0;

953
}

954


955
static void update_xperms_extended_data(u8 specified,

956
					const struct extended_perms_data *from,

957
					struct extended_perms_data *xp_data)

958
{

959
	unsigned int i;

960


961
	switch (specified) {

962
	case AVTAB_XPERMS_IOCTLDRIVER:

963
		memset(xp_data->p, 0xff, sizeof(xp_data->p));

964
		break;

965
	case AVTAB_XPERMS_IOCTLFUNCTION:

966
	case AVTAB_XPERMS_NLMSG:

967
		for (i = 0; i < ARRAY_SIZE(xp_data->p); i++)

968
			xp_data->p[i] |= from->p[i];

969
		break;

970
	}

971


972
}

973


974
void services_compute_xperms_decision(struct extended_perms_decision *xpermd,

975
					struct avtab_node *node)

976
{

977
	u16 specified;

978


979
	switch (node->datum.u.xperms->specified) {

980
	case AVTAB_XPERMS_IOCTLFUNCTION:

981
		if (xpermd->base_perm != AVC_EXT_IOCTL ||

982
		    xpermd->driver != node->datum.u.xperms->driver)

983
			return;

984
		break;

985
	case AVTAB_XPERMS_IOCTLDRIVER:

986
		if (xpermd->base_perm != AVC_EXT_IOCTL ||

987
		    !security_xperm_test(node->datum.u.xperms->perms.p,

988
					 xpermd->driver))

989
			return;

990
		break;

991
	case AVTAB_XPERMS_NLMSG:

992
		if (xpermd->base_perm != AVC_EXT_NLMSG ||

993
		    xpermd->driver != node->datum.u.xperms->driver)

994
			return;

995
		break;

996
	default:

997
		pr_warn_once(

998
			"SELinux: unknown extended permission (%u) will be ignored\n",

999
			node->datum.u.xperms->specified);

1000
		return;

1001
	}

1002


1003
	specified = node->key.specified & ~(AVTAB_ENABLED | AVTAB_ENABLED_OLD);

1004


1005
	if (specified == AVTAB_XPERMS_ALLOWED) {

1006
		xpermd->used |= XPERMS_ALLOWED;

1007
		update_xperms_extended_data(node->datum.u.xperms->specified,

1008
					    &node->datum.u.xperms->perms,

1009
					    xpermd->allowed);

1010
	} else if (specified == AVTAB_XPERMS_AUDITALLOW) {

1011
		xpermd->used |= XPERMS_AUDITALLOW;

1012
		update_xperms_extended_data(node->datum.u.xperms->specified,

1013
					    &node->datum.u.xperms->perms,

1014
					    xpermd->auditallow);

1015
	} else if (specified == AVTAB_XPERMS_DONTAUDIT) {

1016
		xpermd->used |= XPERMS_DONTAUDIT;

1017
		update_xperms_extended_data(node->datum.u.xperms->specified,

1018
					    &node->datum.u.xperms->perms,

1019
					    xpermd->dontaudit);

1020
	} else {

1021
		pr_warn_once("SELinux: unknown specified key (%u)\n",

1022
			     node->key.specified);

1023
	}

1024
}

1025


1026
void security_compute_xperms_decision(u32 ssid,

1027
				      u32 tsid,

1028
				      u16 orig_tclass,

1029
				      u8 driver,

1030
				      u8 base_perm,

1031
				      struct extended_perms_decision *xpermd)

1032
{

1033
	struct selinux_policy *policy;

1034
	struct policydb *policydb;

1035
	struct sidtab *sidtab;

1036
	u16 tclass;

1037
	struct context *scontext, *tcontext;

1038
	struct avtab_key avkey;

1039
	struct avtab_node *node;

1040
	struct ebitmap *sattr, *tattr;

1041
	struct ebitmap_node *snode, *tnode;

1042
	unsigned int i, j;

1043


1044
	xpermd->base_perm = base_perm;

1045
	xpermd->driver = driver;

1046
	xpermd->used = 0;

1047
	memset(xpermd->allowed->p, 0, sizeof(xpermd->allowed->p));

1048
	memset(xpermd->auditallow->p, 0, sizeof(xpermd->auditallow->p));

1049
	memset(xpermd->dontaudit->p, 0, sizeof(xpermd->dontaudit->p));

1050


1051
	rcu_read_lock();

1052
	if (!selinux_initialized())

1053
		goto allow;

1054


1055
	policy = rcu_dereference(selinux_state.policy);

1056
	policydb = &policy->policydb;

1057
	sidtab = policy->sidtab;

1058


1059
	scontext = sidtab_search(sidtab, ssid);

1060
	if (!scontext) {

1061
		pr_err("SELinux: %s:  unrecognized SID %d\n",

1062
		       __func__, ssid);

1063
		goto out;

1064
	}

1065


1066
	tcontext = sidtab_search(sidtab, tsid);

1067
	if (!tcontext) {

1068
		pr_err("SELinux: %s:  unrecognized SID %d\n",

1069
		       __func__, tsid);

1070
		goto out;

1071
	}

1072


1073
	tclass = unmap_class(&policy->map, orig_tclass);

1074
	if (unlikely(orig_tclass && !tclass)) {

1075
		if (policydb->allow_unknown)

1076
			goto allow;

1077
		goto out;

1078
	}

1079


1080


1081
	if (unlikely(!tclass || tclass > policydb->p_classes.nprim)) {

1082
		pr_warn_ratelimited("SELinux:  Invalid class %hu\n", tclass);

1083
		goto out;

1084
	}

1085


1086
	avkey.target_class = tclass;

1087
	avkey.specified = AVTAB_XPERMS;

1088
	sattr = &policydb->type_attr_map_array[scontext->type - 1];

1089
	tattr = &policydb->type_attr_map_array[tcontext->type - 1];

1090
	ebitmap_for_each_positive_bit(sattr, snode, i) {

1091
		ebitmap_for_each_positive_bit(tattr, tnode, j) {

1092
			avkey.source_type = i + 1;

1093
			avkey.target_type = j + 1;

1094
			for (node = avtab_search_node(&policydb->te_avtab,

1095
						      &avkey);

1096
			     node;

1097
			     node = avtab_search_node_next(node, avkey.specified))

1098
				services_compute_xperms_decision(xpermd, node);

1099


1100
			cond_compute_xperms(&policydb->te_cond_avtab,

1101
						&avkey, xpermd);

1102
		}

1103
	}

1104
out:

1105
	rcu_read_unlock();

1106
	return;

1107
allow:

1108
	memset(xpermd->allowed->p, 0xff, sizeof(xpermd->allowed->p));

1109
	goto out;

1110
}

1111


1112
/**

1113
 * security_compute_av - Compute access vector decisions.

1114
 * @ssid: source security identifier

1115
 * @tsid: target security identifier

1116
 * @orig_tclass: target security class

1117
 * @avd: access vector decisions

1118
 * @xperms: extended permissions

1119
 *

1120
 * Compute a set of access vector decisions based on the

1121
 * SID pair (@ssid, @tsid) for the permissions in @tclass.

1122
 */

1123
void security_compute_av(u32 ssid,

1124
			 u32 tsid,

1125
			 u16 orig_tclass,

1126
			 struct av_decision *avd,

1127
			 struct extended_perms *xperms)

1128
{

1129
	struct selinux_policy *policy;

1130
	struct policydb *policydb;

1131
	struct sidtab *sidtab;

1132
	u16 tclass;

1133
	struct context *scontext = NULL, *tcontext = NULL;

1134


1135
	rcu_read_lock();

1136
	policy = rcu_dereference(selinux_state.policy);

1137
	avd_init(policy, avd);

1138
	xperms->len = 0;

1139
	if (!selinux_initialized())

1140
		goto allow;

1141


1142
	policydb = &policy->policydb;

1143
	sidtab = policy->sidtab;

1144


1145
	scontext = sidtab_search(sidtab, ssid);

1146
	if (!scontext) {

1147
		pr_err("SELinux: %s:  unrecognized SID %d\n",

1148
		       __func__, ssid);

1149
		goto out;

1150
	}

1151


1152
	/* permissive domain? */

1153
	if (ebitmap_get_bit(&policydb->permissive_map, scontext->type))

1154
		avd->flags |= AVD_FLAGS_PERMISSIVE;

1155


1156
	/* neveraudit domain? */

1157
	if (ebitmap_get_bit(&policydb->neveraudit_map, scontext->type))

1158
		avd->flags |= AVD_FLAGS_NEVERAUDIT;

1159


1160
	/* both permissive and neveraudit => allow */

1161
	if (avd->flags == (AVD_FLAGS_PERMISSIVE|AVD_FLAGS_NEVERAUDIT))

1162
		goto allow;

1163


1164
	tcontext = sidtab_search(sidtab, tsid);

1165
	if (!tcontext) {

1166
		pr_err("SELinux: %s:  unrecognized SID %d\n",

1167
		       __func__, tsid);

1168
		goto out;

1169
	}

1170


1171
	tclass = unmap_class(&policy->map, orig_tclass);

1172
	if (unlikely(orig_tclass && !tclass)) {

1173
		if (policydb->allow_unknown)

1174
			goto allow;

1175
		goto out;

1176
	}

1177
	context_struct_compute_av(policydb, scontext, tcontext, tclass, avd,

1178
				  xperms);

1179
	map_decision(&policy->map, orig_tclass, avd,

1180
		     policydb->allow_unknown);

1181
out:

1182
	rcu_read_unlock();

1183
	if (avd->flags & AVD_FLAGS_NEVERAUDIT)

1184
		avd->auditallow = avd->auditdeny = 0;

1185
	return;

1186
allow:

1187
	avd->allowed = 0xffffffff;

1188
	goto out;

1189
}

1190


1191
void security_compute_av_user(u32 ssid,

1192
			      u32 tsid,

1193
			      u16 tclass,

1194
			      struct av_decision *avd)

1195
{

1196
	struct selinux_policy *policy;

1197
	struct policydb *policydb;

1198
	struct sidtab *sidtab;

1199
	struct context *scontext = NULL, *tcontext = NULL;

1200


1201
	rcu_read_lock();

1202
	policy = rcu_dereference(selinux_state.policy);

1203
	avd_init(policy, avd);

1204
	if (!selinux_initialized())

1205
		goto allow;

1206


1207
	policydb = &policy->policydb;

1208
	sidtab = policy->sidtab;

1209


1210
	scontext = sidtab_search(sidtab, ssid);

1211
	if (!scontext) {

1212
		pr_err("SELinux: %s:  unrecognized SID %d\n",

1213
		       __func__, ssid);

1214
		goto out;

1215
	}

1216


1217
	/* permissive domain? */

1218
	if (ebitmap_get_bit(&policydb->permissive_map, scontext->type))

1219
		avd->flags |= AVD_FLAGS_PERMISSIVE;

1220


1221
	/* neveraudit domain? */

1222
	if (ebitmap_get_bit(&policydb->neveraudit_map, scontext->type))

1223
		avd->flags |= AVD_FLAGS_NEVERAUDIT;

1224


1225
	/* both permissive and neveraudit => allow */

1226
	if (avd->flags == (AVD_FLAGS_PERMISSIVE|AVD_FLAGS_NEVERAUDIT))

1227
		goto allow;

1228


1229
	tcontext = sidtab_search(sidtab, tsid);

1230
	if (!tcontext) {

1231
		pr_err("SELinux: %s:  unrecognized SID %d\n",

1232
		       __func__, tsid);

1233
		goto out;

1234
	}

1235


1236
	if (unlikely(!tclass)) {

1237
		if (policydb->allow_unknown)

1238
			goto allow;

1239
		goto out;

1240
	}

1241


1242
	context_struct_compute_av(policydb, scontext, tcontext, tclass, avd,

1243
				  NULL);

1244
 out:

1245
	rcu_read_unlock();

1246
	if (avd->flags & AVD_FLAGS_NEVERAUDIT)

1247
		avd->auditallow = avd->auditdeny = 0;

1248
	return;

1249
allow:

1250
	avd->allowed = 0xffffffff;

1251
	goto out;

1252
}

1253


1254
/*

1255
 * Write the security context string representation of

1256
 * the context structure `context' into a dynamically

1257
 * allocated string of the correct size.  Set `*scontext'

1258
 * to point to this string and set `*scontext_len' to

1259
 * the length of the string.

1260
 */

1261
static int context_struct_to_string(struct policydb *p,

1262
				    struct context *context,

1263
				    char **scontext, u32 *scontext_len)

1264
{

1265
	char *scontextp;

1266


1267
	if (scontext)

1268
		*scontext = NULL;

1269
	*scontext_len = 0;

1270


1271
	if (context->len) {

1272
		*scontext_len = context->len;

1273
		if (scontext) {

1274
			*scontext = kstrdup(context->str, GFP_ATOMIC);

1275
			if (!(*scontext))

1276
				return -ENOMEM;

1277
		}

1278
		return 0;

1279
	}

1280


1281
	/* Compute the size of the context. */

1282
	*scontext_len += strlen(sym_name(p, SYM_USERS, context->user - 1)) + 1;

1283
	*scontext_len += strlen(sym_name(p, SYM_ROLES, context->role - 1)) + 1;

1284
	*scontext_len += strlen(sym_name(p, SYM_TYPES, context->type - 1)) + 1;

1285
	*scontext_len += mls_compute_context_len(p, context);

1286


1287
	if (!scontext)

1288
		return 0;

1289


1290
	/* Allocate space for the context; caller must free this space. */

1291
	scontextp = kmalloc(*scontext_len, GFP_ATOMIC);

1292
	if (!scontextp)

1293
		return -ENOMEM;

1294
	*scontext = scontextp;

1295


1296
	/*

1297
	 * Copy the user name, role name and type name into the context.

1298
	 */

1299
	scontextp += sprintf(scontextp, "%s:%s:%s",

1300
		sym_name(p, SYM_USERS, context->user - 1),

1301
		sym_name(p, SYM_ROLES, context->role - 1),

1302
		sym_name(p, SYM_TYPES, context->type - 1));

1303


1304
	mls_sid_to_context(p, context, &scontextp);

1305


1306
	*scontextp = 0;

1307


1308
	return 0;

1309
}

1310


1311
static int sidtab_entry_to_string(struct policydb *p,

1312
				  struct sidtab *sidtab,

1313
				  struct sidtab_entry *entry,

1314
				  char **scontext, u32 *scontext_len)

1315
{

1316
	int rc = sidtab_sid2str_get(sidtab, entry, scontext, scontext_len);

1317


1318
	if (rc != -ENOENT)

1319
		return rc;

1320


1321
	rc = context_struct_to_string(p, &entry->context, scontext,

1322
				      scontext_len);

1323
	if (!rc && scontext)

1324
		sidtab_sid2str_put(sidtab, entry, *scontext, *scontext_len);

1325
	return rc;

1326
}

1327


1328
#include "initial_sid_to_string.h"

1329


1330
int security_sidtab_hash_stats(char *page)

1331
{

1332
	struct selinux_policy *policy;

1333
	int rc;

1334


1335
	if (!selinux_initialized()) {

1336
		pr_err("SELinux: %s:  called before initial load_policy\n",

1337
		       __func__);

1338
		return -EINVAL;

1339
	}

1340


1341
	rcu_read_lock();

1342
	policy = rcu_dereference(selinux_state.policy);

1343
	rc = sidtab_hash_stats(policy->sidtab, page);

1344
	rcu_read_unlock();

1345


1346
	return rc;

1347
}

1348


1349
const char *security_get_initial_sid_context(u32 sid)

1350
{

1351
	if (unlikely(sid > SECINITSID_NUM))

1352
		return NULL;

1353
	return initial_sid_to_string[sid];

1354
}

1355


1356
static int security_sid_to_context_core(u32 sid, char **scontext,

1357
					u32 *scontext_len, int force,

1358
					int only_invalid)

1359
{

1360
	struct selinux_policy *policy;

1361
	struct policydb *policydb;

1362
	struct sidtab *sidtab;

1363
	struct sidtab_entry *entry;

1364
	int rc = 0;

1365


1366
	if (scontext)

1367
		*scontext = NULL;

1368
	*scontext_len  = 0;

1369


1370
	if (!selinux_initialized()) {

1371
		if (sid <= SECINITSID_NUM) {

1372
			char *scontextp;

1373
			const char *s;

1374


1375
			/*

1376
			 * Before the policy is loaded, translate

1377
			 * SECINITSID_INIT to "kernel", because systemd and

1378
			 * libselinux < 2.6 take a getcon_raw() result that is

1379
			 * both non-null and not "kernel" to mean that a policy

1380
			 * is already loaded.

1381
			 */

1382
			if (sid == SECINITSID_INIT)

1383
				sid = SECINITSID_KERNEL;

1384


1385
			s = initial_sid_to_string[sid];

1386
			if (!s)

1387
				return -EINVAL;

1388
			*scontext_len = strlen(s) + 1;

1389
			if (!scontext)

1390
				return 0;

1391
			scontextp = kmemdup(s, *scontext_len, GFP_ATOMIC);

1392
			if (!scontextp)

1393
				return -ENOMEM;

1394
			*scontext = scontextp;

1395
			return 0;

1396
		}

1397
		pr_err("SELinux: %s:  called before initial "

1398
		       "load_policy on unknown SID %d\n", __func__, sid);

1399
		return -EINVAL;

1400
	}

1401
	rcu_read_lock();

1402
	policy = rcu_dereference(selinux_state.policy);

1403
	policydb = &policy->policydb;

1404
	sidtab = policy->sidtab;

1405


1406
	if (force)

1407
		entry = sidtab_search_entry_force(sidtab, sid);

1408
	else

1409
		entry = sidtab_search_entry(sidtab, sid);

1410
	if (!entry) {

1411
		pr_err("SELinux: %s:  unrecognized SID %d\n",

1412
			__func__, sid);

1413
		rc = -EINVAL;

1414
		goto out_unlock;

1415
	}

1416
	if (only_invalid && !entry->context.len)

1417
		goto out_unlock;

1418


1419
	rc = sidtab_entry_to_string(policydb, sidtab, entry, scontext,

1420
				    scontext_len);

1421


1422
out_unlock:

1423
	rcu_read_unlock();

1424
	return rc;

1425


1426
}

1427


1428
/**

1429
 * security_sid_to_context - Obtain a context for a given SID.

1430
 * @sid: security identifier, SID

1431
 * @scontext: security context

1432
 * @scontext_len: length in bytes

1433
 *

1434
 * Write the string representation of the context associated with @sid

1435
 * into a dynamically allocated string of the correct size.  Set @scontext

1436
 * to point to this string and set @scontext_len to the length of the string.

1437
 */

1438
int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)

1439
{

1440
	return security_sid_to_context_core(sid, scontext,

1441
					    scontext_len, 0, 0);

1442
}

1443


1444
int security_sid_to_context_force(u32 sid,

1445
				  char **scontext, u32 *scontext_len)

1446
{

1447
	return security_sid_to_context_core(sid, scontext,

1448
					    scontext_len, 1, 0);

1449
}

1450


1451
/**

1452
 * security_sid_to_context_inval - Obtain a context for a given SID if it

1453
 *                                 is invalid.

1454
 * @sid: security identifier, SID

1455
 * @scontext: security context

1456
 * @scontext_len: length in bytes

1457
 *

1458
 * Write the string representation of the context associated with @sid

1459
 * into a dynamically allocated string of the correct size, but only if the

1460
 * context is invalid in the current policy.  Set @scontext to point to

1461
 * this string (or NULL if the context is valid) and set @scontext_len to

1462
 * the length of the string (or 0 if the context is valid).

1463
 */

1464
int security_sid_to_context_inval(u32 sid,

1465
				  char **scontext, u32 *scontext_len)

1466
{

1467
	return security_sid_to_context_core(sid, scontext,

1468
					    scontext_len, 1, 1);

1469
}

1470


1471
/*

1472
 * Caveat:  Mutates scontext.

1473
 */

1474
static int string_to_context_struct(struct policydb *pol,

1475
				    struct sidtab *sidtabp,

1476
				    char *scontext,

1477
				    struct context *ctx,

1478
				    u32 def_sid)

1479
{

1480
	struct role_datum *role;

1481
	struct type_datum *typdatum;

1482
	struct user_datum *usrdatum;

1483
	char *scontextp, *p, oldc;

1484
	int rc = 0;

1485


1486
	context_init(ctx);

1487


1488
	/* Parse the security context. */

1489


1490
	rc = -EINVAL;

1491
	scontextp = scontext;

1492


1493
	/* Extract the user. */

1494
	p = scontextp;

1495
	while (*p && *p != ':')

1496
		p++;

1497


1498
	if (*p == 0)

1499
		goto out;

1500


1501
	*p++ = 0;

1502


1503
	usrdatum = symtab_search(&pol->p_users, scontextp);

1504
	if (!usrdatum)

1505
		goto out;

1506


1507
	ctx->user = usrdatum->value;

1508


1509
	/* Extract role. */

1510
	scontextp = p;

1511
	while (*p && *p != ':')

1512
		p++;

1513


1514
	if (*p == 0)

1515
		goto out;

1516


1517
	*p++ = 0;

1518


1519
	role = symtab_search(&pol->p_roles, scontextp);

1520
	if (!role)

1521
		goto out;

1522
	ctx->role = role->value;

1523


1524
	/* Extract type. */

1525
	scontextp = p;

1526
	while (*p && *p != ':')

1527
		p++;

1528
	oldc = *p;

1529
	*p++ = 0;

1530


1531
	typdatum = symtab_search(&pol->p_types, scontextp);

1532
	if (!typdatum || typdatum->attribute)

1533
		goto out;

1534


1535
	ctx->type = typdatum->value;

1536


1537
	rc = mls_context_to_sid(pol, oldc, p, ctx, sidtabp, def_sid);

1538
	if (rc)

1539
		goto out;

1540


1541
	/* Check the validity of the new context. */

1542
	rc = -EINVAL;

1543
	if (!policydb_context_isvalid(pol, ctx))

1544
		goto out;

1545
	rc = 0;

1546
out:

1547
	if (rc)

1548
		context_destroy(ctx);

1549
	return rc;

1550
}

1551


1552
static int security_context_to_sid_core(const char *scontext, u32 scontext_len,

1553
					u32 *sid, u32 def_sid, gfp_t gfp_flags,

1554
					int force)

1555
{

1556
	struct selinux_policy *policy;

1557
	struct policydb *policydb;

1558
	struct sidtab *sidtab;

1559
	char *scontext2, *str = NULL;

1560
	struct context context;

1561
	int rc = 0;

1562


1563
	/* An empty security context is never valid. */

1564
	if (!scontext_len)

1565
		return -EINVAL;

1566


1567
	/* Copy the string to allow changes and ensure a NUL terminator */

1568
	scontext2 = kmemdup_nul(scontext, scontext_len, gfp_flags);

1569
	if (!scontext2)

1570
		return -ENOMEM;

1571


1572
	if (!selinux_initialized()) {

1573
		u32 i;

1574


1575
		for (i = 1; i < SECINITSID_NUM; i++) {

1576
			const char *s = initial_sid_to_string[i];

1577


1578
			if (s && !strcmp(s, scontext2)) {

1579
				*sid = i;

1580
				goto out;

1581
			}

1582
		}

1583
		*sid = SECINITSID_KERNEL;

1584
		goto out;

1585
	}

1586
	*sid = SECSID_NULL;

1587


1588
	if (force) {

1589
		/* Save another copy for storing in uninterpreted form */

1590
		rc = -ENOMEM;

1591
		str = kstrdup(scontext2, gfp_flags);

1592
		if (!str)

1593
			goto out;

1594
	}

1595
retry:

1596
	rcu_read_lock();

1597
	policy = rcu_dereference(selinux_state.policy);

1598
	policydb = &policy->policydb;

1599
	sidtab = policy->sidtab;

1600
	rc = string_to_context_struct(policydb, sidtab, scontext2,

1601
				      &context, def_sid);

1602
	if (rc == -EINVAL && force) {

1603
		context.str = str;

1604
		context.len = strlen(str) + 1;

1605
		str = NULL;

1606
	} else if (rc)

1607
		goto out_unlock;

1608
	rc = sidtab_context_to_sid(sidtab, &context, sid);

1609
	if (rc == -ESTALE) {

1610
		rcu_read_unlock();

1611
		if (context.str) {

1612
			str = context.str;

1613
			context.str = NULL;

1614
		}

1615
		context_destroy(&context);

1616
		goto retry;

1617
	}

1618
	context_destroy(&context);

1619
out_unlock:

1620
	rcu_read_unlock();

1621
out:

1622
	kfree(scontext2);

1623
	kfree(str);

1624
	return rc;

1625
}

1626


1627
/**

1628
 * security_context_to_sid - Obtain a SID for a given security context.

1629
 * @scontext: security context

1630
 * @scontext_len: length in bytes

1631
 * @sid: security identifier, SID

1632
 * @gfp: context for the allocation

1633
 *

1634
 * Obtains a SID associated with the security context that

1635
 * has the string representation specified by @scontext.

1636
 * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient

1637
 * memory is available, or 0 on success.

1638
 */

1639
int security_context_to_sid(const char *scontext, u32 scontext_len, u32 *sid,

1640
			    gfp_t gfp)

1641
{

1642
	return security_context_to_sid_core(scontext, scontext_len,

1643
					    sid, SECSID_NULL, gfp, 0);

1644
}

1645


1646
int security_context_str_to_sid(const char *scontext, u32 *sid, gfp_t gfp)

1647
{

1648
	return security_context_to_sid(scontext, strlen(scontext),

1649
				       sid, gfp);

1650
}

1651


1652
/**

1653
 * security_context_to_sid_default - Obtain a SID for a given security context,

1654
 * falling back to specified default if needed.

1655
 *

1656
 * @scontext: security context

1657
 * @scontext_len: length in bytes

1658
 * @sid: security identifier, SID

1659
 * @def_sid: default SID to assign on error

1660
 * @gfp_flags: the allocator get-free-page (GFP) flags

1661
 *

1662
 * Obtains a SID associated with the security context that

1663
 * has the string representation specified by @scontext.

1664
 * The default SID is passed to the MLS layer to be used to allow

1665
 * kernel labeling of the MLS field if the MLS field is not present

1666
 * (for upgrading to MLS without full relabel).

1667
 * Implicitly forces adding of the context even if it cannot be mapped yet.

1668
 * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient

1669
 * memory is available, or 0 on success.

1670
 */

1671
int security_context_to_sid_default(const char *scontext, u32 scontext_len,

1672
				    u32 *sid, u32 def_sid, gfp_t gfp_flags)

1673
{

1674
	return security_context_to_sid_core(scontext, scontext_len,

1675
					    sid, def_sid, gfp_flags, 1);

1676
}

1677


1678
int security_context_to_sid_force(const char *scontext, u32 scontext_len,

1679
				  u32 *sid)

1680
{

1681
	return security_context_to_sid_core(scontext, scontext_len,

1682
					    sid, SECSID_NULL, GFP_KERNEL, 1);

1683
}

1684


1685
static int compute_sid_handle_invalid_context(

1686
	struct selinux_policy *policy,

1687
	struct sidtab_entry *sentry,

1688
	struct sidtab_entry *tentry,

1689
	u16 tclass,

1690
	struct context *newcontext)

1691
{

1692
	struct policydb *policydb = &policy->policydb;

1693
	struct sidtab *sidtab = policy->sidtab;

1694
	char *s = NULL, *t = NULL, *n = NULL;

1695
	u32 slen, tlen, nlen;

1696
	struct audit_buffer *ab;

1697


1698
	if (sidtab_entry_to_string(policydb, sidtab, sentry, &s, &slen))

1699
		goto out;

1700
	if (sidtab_entry_to_string(policydb, sidtab, tentry, &t, &tlen))

1701
		goto out;

1702
	if (context_struct_to_string(policydb, newcontext, &n, &nlen))

1703
		goto out;

1704
	ab = audit_log_start(audit_context(), GFP_ATOMIC, AUDIT_SELINUX_ERR);

1705
	if (!ab)

1706
		goto out;

1707
	audit_log_format(ab,

1708
			 "op=security_compute_sid invalid_context=");

1709
	/* no need to record the NUL with untrusted strings */

1710
	audit_log_n_untrustedstring(ab, n, nlen - 1);

1711
	audit_log_format(ab, " scontext=%s tcontext=%s tclass=%s",

1712
			 s, t, sym_name(policydb, SYM_CLASSES, tclass-1));

1713
	audit_log_end(ab);

1714
out:

1715
	kfree(s);

1716
	kfree(t);

1717
	kfree(n);

1718
	if (!enforcing_enabled())

1719
		return 0;

1720
	return -EACCES;

1721
}

1722


1723
static void filename_compute_type(struct policydb *policydb,

1724
				  struct context *newcontext,

1725
				  u32 stype, u32 ttype, u16 tclass,

1726
				  const char *objname)

1727
{

1728
	struct filename_trans_key ft;

1729
	struct filename_trans_datum *datum;

1730


1731
	/*

1732
	 * Most filename trans rules are going to live in specific directories

1733
	 * like /dev or /var/run.  This bitmap will quickly skip rule searches

1734
	 * if the ttype does not contain any rules.

1735
	 */

1736
	if (!ebitmap_get_bit(&policydb->filename_trans_ttypes, ttype))

1737
		return;

1738


1739
	ft.ttype = ttype;

1740
	ft.tclass = tclass;

1741
	ft.name = objname;

1742


1743
	datum = policydb_filenametr_search(policydb, &ft);

1744
	while (datum) {

1745
		if (ebitmap_get_bit(&datum->stypes, stype - 1)) {

1746
			newcontext->type = datum->otype;

1747
			return;

1748
		}

1749
		datum = datum->next;

1750
	}

1751
}

1752


1753
static int security_compute_sid(u32 ssid,

1754
				u32 tsid,

1755
				u16 orig_tclass,

1756
				u16 specified,

1757
				const char *objname,

1758
				u32 *out_sid,

1759
				bool kern)

1760
{

1761
	struct selinux_policy *policy;

1762
	struct policydb *policydb;

1763
	struct sidtab *sidtab;

1764
	struct class_datum *cladatum;

1765
	struct context *scontext, *tcontext, newcontext;

1766
	struct sidtab_entry *sentry, *tentry;

1767
	struct avtab_key avkey;

1768
	struct avtab_node *avnode, *node;

1769
	u16 tclass;

1770
	int rc = 0;

1771
	bool sock;

1772


1773
	if (!selinux_initialized()) {

1774
		switch (orig_tclass) {

1775
		case SECCLASS_PROCESS: /* kernel value */

1776
			*out_sid = ssid;

1777
			break;

1778
		default:

1779
			*out_sid = tsid;

1780
			break;

1781
		}

1782
		goto out;

1783
	}

1784


1785
retry:

1786
	cladatum = NULL;

1787
	context_init(&newcontext);

1788


1789
	rcu_read_lock();

1790


1791
	policy = rcu_dereference(selinux_state.policy);

1792


1793
	if (kern) {

1794
		tclass = unmap_class(&policy->map, orig_tclass);

1795
		sock = security_is_socket_class(orig_tclass);

1796
	} else {

1797
		tclass = orig_tclass;

1798
		sock = security_is_socket_class(map_class(&policy->map,

1799
							  tclass));

1800
	}

1801


1802
	policydb = &policy->policydb;

1803
	sidtab = policy->sidtab;

1804


1805
	sentry = sidtab_search_entry(sidtab, ssid);

1806
	if (!sentry) {

1807
		pr_err("SELinux: %s:  unrecognized SID %d\n",

1808
		       __func__, ssid);

1809
		rc = -EINVAL;

1810
		goto out_unlock;

1811
	}

1812
	tentry = sidtab_search_entry(sidtab, tsid);

1813
	if (!tentry) {

1814
		pr_err("SELinux: %s:  unrecognized SID %d\n",

1815
		       __func__, tsid);

1816
		rc = -EINVAL;

1817
		goto out_unlock;

1818
	}

1819


1820
	scontext = &sentry->context;

1821
	tcontext = &tentry->context;

1822


1823
	if (tclass && tclass <= policydb->p_classes.nprim)

1824
		cladatum = policydb->class_val_to_struct[tclass - 1];

1825


1826
	/* Set the user identity. */

1827
	switch (specified) {

1828
	case AVTAB_TRANSITION:

1829
	case AVTAB_CHANGE:

1830
		if (cladatum && cladatum->default_user == DEFAULT_TARGET) {

1831
			newcontext.user = tcontext->user;

1832
		} else {

1833
			/* notice this gets both DEFAULT_SOURCE and unset */

1834
			/* Use the process user identity. */

1835
			newcontext.user = scontext->user;

1836
		}

1837
		break;

1838
	case AVTAB_MEMBER:

1839
		/* Use the related object owner. */

1840
		newcontext.user = tcontext->user;

1841
		break;

1842
	}

1843


1844
	/* Set the role to default values. */

1845
	if (cladatum && cladatum->default_role == DEFAULT_SOURCE) {

1846
		newcontext.role = scontext->role;

1847
	} else if (cladatum && cladatum->default_role == DEFAULT_TARGET) {

1848
		newcontext.role = tcontext->role;

1849
	} else {

1850
		if ((tclass == policydb->process_class) || sock)

1851
			newcontext.role = scontext->role;

1852
		else

1853
			newcontext.role = OBJECT_R_VAL;

1854
	}

1855


1856
	/* Set the type.

1857
	 * Look for a type transition/member/change rule.

1858
	 */

1859
	avkey.source_type = scontext->type;

1860
	avkey.target_type = tcontext->type;

1861
	avkey.target_class = tclass;

1862
	avkey.specified = specified;

1863
	avnode = avtab_search_node(&policydb->te_avtab, &avkey);

1864


1865
	/* If no permanent rule, also check for enabled conditional rules */

1866
	if (!avnode) {

1867
		node = avtab_search_node(&policydb->te_cond_avtab, &avkey);

1868
		for (; node; node = avtab_search_node_next(node, specified)) {

1869
			if (node->key.specified & AVTAB_ENABLED) {

1870
				avnode = node;

1871
				break;

1872
			}

1873
		}

1874
	}

1875


1876
	/* If a permanent rule is found, use the type from

1877
	 * the type transition/member/change rule. Otherwise,

1878
	 * set the type to its default values.

1879
	 */

1880
	if (avnode) {

1881
		newcontext.type = avnode->datum.u.data;

1882
	} else if (cladatum && cladatum->default_type == DEFAULT_SOURCE) {

1883
		newcontext.type = scontext->type;

1884
	} else if (cladatum && cladatum->default_type == DEFAULT_TARGET) {

1885
		newcontext.type = tcontext->type;

1886
	} else {

1887
		if ((tclass == policydb->process_class) || sock) {

1888
			/* Use the type of process. */

1889
			newcontext.type = scontext->type;

1890
		} else {

1891
			/* Use the type of the related object. */

1892
			newcontext.type = tcontext->type;

1893
		}

1894
	}

1895


1896
	/* if we have a objname this is a file trans check so check those rules */

1897
	if (objname)

1898
		filename_compute_type(policydb, &newcontext, scontext->type,

1899
				      tcontext->type, tclass, objname);

1900


1901
	/* Check for class-specific changes. */

1902
	if (specified & AVTAB_TRANSITION) {

1903
		/* Look for a role transition rule. */

1904
		struct role_trans_datum *rtd;

1905
		struct role_trans_key rtk = {

1906
			.role = scontext->role,

1907
			.type = tcontext->type,

1908
			.tclass = tclass,

1909
		};

1910


1911
		rtd = policydb_roletr_search(policydb, &rtk);

1912
		if (rtd)

1913
			newcontext.role = rtd->new_role;

1914
	}

1915


1916
	/* Set the MLS attributes.

1917
	   This is done last because it may allocate memory. */

1918
	rc = mls_compute_sid(policydb, scontext, tcontext, tclass, specified,

1919
			     &newcontext, sock);

1920
	if (rc)

1921
		goto out_unlock;

1922


1923
	/* Check the validity of the context. */

1924
	if (!policydb_context_isvalid(policydb, &newcontext)) {

1925
		rc = compute_sid_handle_invalid_context(policy, sentry,

1926
							tentry, tclass,

1927
							&newcontext);

1928
		if (rc)

1929
			goto out_unlock;

1930
	}

1931
	/* Obtain the sid for the context. */

1932
	if (context_equal(scontext, &newcontext))

1933
		*out_sid = ssid;

1934
	else if (context_equal(tcontext, &newcontext))

1935
		*out_sid = tsid;

1936
	else {

1937
		rc = sidtab_context_to_sid(sidtab, &newcontext, out_sid);

1938
		if (rc == -ESTALE) {

1939
			rcu_read_unlock();

1940
			context_destroy(&newcontext);

1941
			goto retry;

1942
		}

1943
	}

1944
out_unlock:

1945
	rcu_read_unlock();

1946
	context_destroy(&newcontext);

1947
out:

1948
	return rc;

1949
}

1950


1951
/**

1952
 * security_transition_sid - Compute the SID for a new subject/object.

1953
 * @ssid: source security identifier

1954
 * @tsid: target security identifier

1955
 * @tclass: target security class

1956
 * @qstr: object name

1957
 * @out_sid: security identifier for new subject/object

1958
 *

1959
 * Compute a SID to use for labeling a new subject or object in the

1960
 * class @tclass based on a SID pair (@ssid, @tsid).

1961
 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM

1962
 * if insufficient memory is available, or %0 if the new SID was

1963
 * computed successfully.

1964
 */

1965
int security_transition_sid(u32 ssid, u32 tsid, u16 tclass,

1966
			    const struct qstr *qstr, u32 *out_sid)

1967
{

1968
	return security_compute_sid(ssid, tsid, tclass,

1969
				    AVTAB_TRANSITION,

1970
				    qstr ? qstr->name : NULL, out_sid, true);

1971
}

1972


1973
int security_transition_sid_user(u32 ssid, u32 tsid, u16 tclass,

1974
				 const char *objname, u32 *out_sid)

1975
{

1976
	return security_compute_sid(ssid, tsid, tclass,

1977
				    AVTAB_TRANSITION,

1978
				    objname, out_sid, false);

1979
}

1980


1981
/**

1982
 * security_member_sid - Compute the SID for member selection.

1983
 * @ssid: source security identifier

1984
 * @tsid: target security identifier

1985
 * @tclass: target security class

1986
 * @out_sid: security identifier for selected member

1987
 *

1988
 * Compute a SID to use when selecting a member of a polyinstantiated

1989
 * object of class @tclass based on a SID pair (@ssid, @tsid).

1990
 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM

1991
 * if insufficient memory is available, or %0 if the SID was

1992
 * computed successfully.

1993
 */

1994
int security_member_sid(u32 ssid,

1995
			u32 tsid,

1996
			u16 tclass,

1997
			u32 *out_sid)

1998
{

1999
	return security_compute_sid(ssid, tsid, tclass,

2000
				    AVTAB_MEMBER, NULL,

2001
				    out_sid, false);

2002
}

2003


2004
/**

2005
 * security_change_sid - Compute the SID for object relabeling.

2006
 * @ssid: source security identifier

2007
 * @tsid: target security identifier

2008
 * @tclass: target security class

2009
 * @out_sid: security identifier for selected member

2010
 *

2011
 * Compute a SID to use for relabeling an object of class @tclass

2012
 * based on a SID pair (@ssid, @tsid).

2013
 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM

2014
 * if insufficient memory is available, or %0 if the SID was

2015
 * computed successfully.

2016
 */

2017
int security_change_sid(u32 ssid,

2018
			u32 tsid,

2019
			u16 tclass,

2020
			u32 *out_sid)

2021
{

2022
	return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, NULL,

2023
				    out_sid, false);

2024
}

2025


2026
static inline int convert_context_handle_invalid_context(

2027
	struct policydb *policydb,

2028
	struct context *context)

2029
{

2030
	char *s;

2031
	u32 len;

2032


2033
	if (enforcing_enabled())

2034
		return -EINVAL;

2035


2036
	if (!context_struct_to_string(policydb, context, &s, &len)) {

2037
		pr_warn("SELinux:  Context %s would be invalid if enforcing\n",

2038
			s);

2039
		kfree(s);

2040
	}

2041
	return 0;

2042
}

2043


2044
/**

2045
 * services_convert_context - Convert a security context across policies.

2046
 * @args: populated convert_context_args struct

2047
 * @oldc: original context

2048
 * @newc: converted context

2049
 * @gfp_flags: allocation flags

2050
 *

2051
 * Convert the values in the security context structure @oldc from the values

2052
 * specified in the policy @args->oldp to the values specified in the policy

2053
 * @args->newp, storing the new context in @newc, and verifying that the

2054
 * context is valid under the new policy.

2055
 */

2056
int services_convert_context(struct convert_context_args *args,

2057
			     struct context *oldc, struct context *newc,

2058
			     gfp_t gfp_flags)

2059
{

2060
	struct ocontext *oc;

2061
	struct role_datum *role;

2062
	struct type_datum *typdatum;

2063
	struct user_datum *usrdatum;

2064
	char *s;

2065
	u32 len;

2066
	int rc;

2067


2068
	if (oldc->str) {

2069
		s = kstrdup(oldc->str, gfp_flags);

2070
		if (!s)

2071
			return -ENOMEM;

2072


2073
		rc = string_to_context_struct(args->newp, NULL, s, newc, SECSID_NULL);

2074
		if (rc == -EINVAL) {

2075
			/*

2076
			 * Retain string representation for later mapping.

2077
			 *

2078
			 * IMPORTANT: We need to copy the contents of oldc->str

2079
			 * back into s again because string_to_context_struct()

2080
			 * may have garbled it.

2081
			 */

2082
			memcpy(s, oldc->str, oldc->len);

2083
			context_init(newc);

2084
			newc->str = s;

2085
			newc->len = oldc->len;

2086
			return 0;

2087
		}

2088
		kfree(s);

2089
		if (rc) {

2090
			/* Other error condition, e.g. ENOMEM. */

2091
			pr_err("SELinux:   Unable to map context %s, rc = %d.\n",

2092
			       oldc->str, -rc);

2093
			return rc;

2094
		}

2095
		pr_info("SELinux:  Context %s became valid (mapped).\n",

2096
			oldc->str);

2097
		return 0;

2098
	}

2099


2100
	context_init(newc);

2101


2102
	/* Convert the user. */

2103
	usrdatum = symtab_search(&args->newp->p_users,

2104
				 sym_name(args->oldp, SYM_USERS, oldc->user - 1));

2105
	if (!usrdatum)

2106
		goto bad;

2107
	newc->user = usrdatum->value;

2108


2109
	/* Convert the role. */

2110
	role = symtab_search(&args->newp->p_roles,

2111
			     sym_name(args->oldp, SYM_ROLES, oldc->role - 1));

2112
	if (!role)

2113
		goto bad;

2114
	newc->role = role->value;

2115


2116
	/* Convert the type. */

2117
	typdatum = symtab_search(&args->newp->p_types,

2118
				 sym_name(args->oldp, SYM_TYPES, oldc->type - 1));

2119
	if (!typdatum)

2120
		goto bad;

2121
	newc->type = typdatum->value;

2122


2123
	/* Convert the MLS fields if dealing with MLS policies */

2124
	if (args->oldp->mls_enabled && args->newp->mls_enabled) {

2125
		rc = mls_convert_context(args->oldp, args->newp, oldc, newc);

2126
		if (rc)

2127
			goto bad;

2128
	} else if (!args->oldp->mls_enabled && args->newp->mls_enabled) {

2129
		/*

2130
		 * Switching between non-MLS and MLS policy:

2131
		 * ensure that the MLS fields of the context for all

2132
		 * existing entries in the sidtab are filled in with a

2133
		 * suitable default value, likely taken from one of the

2134
		 * initial SIDs.

2135
		 */

2136
		oc = args->newp->ocontexts[OCON_ISID];

2137
		while (oc && oc->sid[0] != SECINITSID_UNLABELED)

2138
			oc = oc->next;

2139
		if (!oc) {

2140
			pr_err("SELinux:  unable to look up"

2141
				" the initial SIDs list\n");

2142
			goto bad;

2143
		}

2144
		rc = mls_range_set(newc, &oc->context[0].range);

2145
		if (rc)

2146
			goto bad;

2147
	}

2148


2149
	/* Check the validity of the new context. */

2150
	if (!policydb_context_isvalid(args->newp, newc)) {

2151
		rc = convert_context_handle_invalid_context(args->oldp, oldc);

2152
		if (rc)

2153
			goto bad;

2154
	}

2155


2156
	return 0;

2157
bad:

2158
	/* Map old representation to string and save it. */

2159
	rc = context_struct_to_string(args->oldp, oldc, &s, &len);

2160
	if (rc)

2161
		return rc;

2162
	context_destroy(newc);

2163
	newc->str = s;

2164
	newc->len = len;

2165
	pr_info("SELinux:  Context %s became invalid (unmapped).\n",

2166
		newc->str);

2167
	return 0;

2168
}

2169


2170
static void security_load_policycaps(struct selinux_policy *policy)

2171
{

2172
	struct policydb *p;

2173
	unsigned int i;

2174
	struct ebitmap_node *node;

2175


2176
	p = &policy->policydb;

2177


2178
	for (i = 0; i < ARRAY_SIZE(selinux_state.policycap); i++)

2179
		WRITE_ONCE(selinux_state.policycap[i],

2180
			ebitmap_get_bit(&p->policycaps, i));

2181


2182
	for (i = 0; i < ARRAY_SIZE(selinux_policycap_names); i++)

2183
		pr_info("SELinux:  policy capability %s=%d\n",

2184
			selinux_policycap_names[i],

2185
			ebitmap_get_bit(&p->policycaps, i));

2186


2187
	ebitmap_for_each_positive_bit(&p->policycaps, node, i) {

2188
		if (i >= ARRAY_SIZE(selinux_policycap_names))

2189
			pr_info("SELinux:  unknown policy capability %u\n",

2190
				i);

2191
	}

2192
}

2193


2194
static int security_preserve_bools(struct selinux_policy *oldpolicy,

2195
				struct selinux_policy *newpolicy);

2196


2197
static void selinux_policy_free(struct selinux_policy *policy)

2198
{

2199
	if (!policy)

2200
		return;

2201


2202
	sidtab_destroy(policy->sidtab);

2203
	kfree(policy->map.mapping);

2204
	policydb_destroy(&policy->policydb);

2205
	kfree(policy->sidtab);

2206
	kfree(policy);

2207
}

2208


2209
static void selinux_policy_cond_free(struct selinux_policy *policy)

2210
{

2211
	cond_policydb_destroy_dup(&policy->policydb);

2212
	kfree(policy);

2213
}

2214


2215
void selinux_policy_cancel(struct selinux_load_state *load_state)

2216
{

2217
	struct selinux_state *state = &selinux_state;

2218
	struct selinux_policy *oldpolicy;

2219


2220
	oldpolicy = rcu_dereference_protected(state->policy,

2221
					lockdep_is_held(&state->policy_mutex));

2222


2223
	sidtab_cancel_convert(oldpolicy->sidtab);

2224
	selinux_policy_free(load_state->policy);

2225
	kfree(load_state->convert_data);

2226
}

2227


2228
static void selinux_notify_policy_change(u32 seqno)

2229
{

2230
	/* Flush external caches and notify userspace of policy load */

2231
	avc_ss_reset(seqno);

2232
	selnl_notify_policyload(seqno);

2233
	selinux_status_update_policyload(seqno);

2234
	selinux_netlbl_cache_invalidate();

2235
	selinux_xfrm_notify_policyload();

2236
	selinux_ima_measure_state_locked();

2237
}

2238


2239
void selinux_policy_commit(struct selinux_load_state *load_state)

2240
{

2241
	struct selinux_state *state = &selinux_state;

2242
	struct selinux_policy *oldpolicy, *newpolicy = load_state->policy;

2243
	unsigned long flags;

2244
	u32 seqno;

2245


2246
	oldpolicy = rcu_dereference_protected(state->policy,

2247
					lockdep_is_held(&state->policy_mutex));

2248


2249
	/* If switching between different policy types, log MLS status */

2250
	if (oldpolicy) {

2251
		if (oldpolicy->policydb.mls_enabled && !newpolicy->policydb.mls_enabled)

2252
			pr_info("SELinux: Disabling MLS support...\n");

2253
		else if (!oldpolicy->policydb.mls_enabled && newpolicy->policydb.mls_enabled)

2254
			pr_info("SELinux: Enabling MLS support...\n");

2255
	}

2256


2257
	/* Set latest granting seqno for new policy. */

2258
	if (oldpolicy)

2259
		newpolicy->latest_granting = oldpolicy->latest_granting + 1;

2260
	else

2261
		newpolicy->latest_granting = 1;

2262
	seqno = newpolicy->latest_granting;

2263


2264
	/* Install the new policy. */

2265
	if (oldpolicy) {

2266
		sidtab_freeze_begin(oldpolicy->sidtab, &flags);

2267
		rcu_assign_pointer(state->policy, newpolicy);

2268
		sidtab_freeze_end(oldpolicy->sidtab, &flags);

2269
	} else {

2270
		rcu_assign_pointer(state->policy, newpolicy);

2271
	}

2272


2273
	/* Load the policycaps from the new policy */

2274
	security_load_policycaps(newpolicy);

2275


2276
	if (!selinux_initialized()) {

2277
		/*

2278
		 * After first policy load, the security server is

2279
		 * marked as initialized and ready to handle requests and

2280
		 * any objects created prior to policy load are then labeled.

2281
		 */

2282
		selinux_mark_initialized();

2283
		selinux_complete_init();

2284
	}

2285


2286
	/* Free the old policy */

2287
	synchronize_rcu();

2288
	selinux_policy_free(oldpolicy);

2289
	kfree(load_state->convert_data);

2290


2291
	/* Notify others of the policy change */

2292
	selinux_notify_policy_change(seqno);

2293
}

2294


2295
/**

2296
 * security_load_policy - Load a security policy configuration.

2297
 * @data: binary policy data

2298
 * @len: length of data in bytes

2299
 * @load_state: policy load state

2300
 *

2301
 * Load a new set of security policy configuration data,

2302
 * validate it and convert the SID table as necessary.

2303
 * This function will flush the access vector cache after

2304
 * loading the new policy.

2305
 */

2306
int security_load_policy(void *data, size_t len,

2307
			 struct selinux_load_state *load_state)

2308
{

2309
	struct selinux_state *state = &selinux_state;

2310
	struct selinux_policy *newpolicy, *oldpolicy;

2311
	struct selinux_policy_convert_data *convert_data;

2312
	int rc = 0;

2313
	struct policy_file file = { data, len }, *fp = &file;

2314


2315
	newpolicy = kzalloc(sizeof(*newpolicy), GFP_KERNEL);

2316
	if (!newpolicy)

2317
		return -ENOMEM;

2318


2319
	newpolicy->sidtab = kzalloc(sizeof(*newpolicy->sidtab), GFP_KERNEL);

2320
	if (!newpolicy->sidtab) {

2321
		rc = -ENOMEM;

2322
		goto err_policy;

2323
	}

2324


2325
	rc = policydb_read(&newpolicy->policydb, fp);

2326
	if (rc)

2327
		goto err_sidtab;

2328


2329
	newpolicy->policydb.len = len;

2330
	rc = selinux_set_mapping(&newpolicy->policydb, secclass_map,

2331
				&newpolicy->map);

2332
	if (rc)

2333
		goto err_policydb;

2334


2335
	rc = policydb_load_isids(&newpolicy->policydb, newpolicy->sidtab);

2336
	if (rc) {

2337
		pr_err("SELinux:  unable to load the initial SIDs\n");

2338
		goto err_mapping;

2339
	}

2340


2341
	if (!selinux_initialized()) {

2342
		/* First policy load, so no need to preserve state from old policy */

2343
		load_state->policy = newpolicy;

2344
		load_state->convert_data = NULL;

2345
		return 0;

2346
	}

2347


2348
	oldpolicy = rcu_dereference_protected(state->policy,

2349
					lockdep_is_held(&state->policy_mutex));

2350


2351
	/* Preserve active boolean values from the old policy */

2352
	rc = security_preserve_bools(oldpolicy, newpolicy);

2353
	if (rc) {

2354
		pr_err("SELinux:  unable to preserve booleans\n");

2355
		goto err_free_isids;

2356
	}

2357


2358
	/*

2359
	 * Convert the internal representations of contexts

2360
	 * in the new SID table.

2361
	 */

2362


2363
	convert_data = kmalloc(sizeof(*convert_data), GFP_KERNEL);

2364
	if (!convert_data) {

2365
		rc = -ENOMEM;

2366
		goto err_free_isids;

2367
	}

2368


2369
	convert_data->args.oldp = &oldpolicy->policydb;

2370
	convert_data->args.newp = &newpolicy->policydb;

2371


2372
	convert_data->sidtab_params.args = &convert_data->args;

2373
	convert_data->sidtab_params.target = newpolicy->sidtab;

2374


2375
	rc = sidtab_convert(oldpolicy->sidtab, &convert_data->sidtab_params);

2376
	if (rc) {

2377
		pr_err("SELinux:  unable to convert the internal"

2378
			" representation of contexts in the new SID"

2379
			" table\n");

2380
		goto err_free_convert_data;

2381
	}

2382


2383
	load_state->policy = newpolicy;

2384
	load_state->convert_data = convert_data;

2385
	return 0;

2386


2387
err_free_convert_data:

2388
	kfree(convert_data);

2389
err_free_isids:

2390
	sidtab_destroy(newpolicy->sidtab);

2391
err_mapping:

2392
	kfree(newpolicy->map.mapping);

2393
err_policydb:

2394
	policydb_destroy(&newpolicy->policydb);

2395
err_sidtab:

2396
	kfree(newpolicy->sidtab);

2397
err_policy:

2398
	kfree(newpolicy);

2399


2400
	return rc;

2401
}

2402


2403
/**

2404
 * ocontext_to_sid - Helper to safely get sid for an ocontext

2405
 * @sidtab: SID table

2406
 * @c: ocontext structure

2407
 * @index: index of the context entry (0 or 1)

2408
 * @out_sid: pointer to the resulting SID value

2409
 *

2410
 * For all ocontexts except OCON_ISID the SID fields are populated

2411
 * on-demand when needed. Since updating the SID value is an SMP-sensitive

2412
 * operation, this helper must be used to do that safely.

2413
 *

2414
 * WARNING: This function may return -ESTALE, indicating that the caller

2415
 * must retry the operation after re-acquiring the policy pointer!

2416
 */

2417
static int ocontext_to_sid(struct sidtab *sidtab, struct ocontext *c,

2418
			   size_t index, u32 *out_sid)

2419
{

2420
	int rc;

2421
	u32 sid;

2422


2423
	/* Ensure the associated sidtab entry is visible to this thread. */

2424
	sid = smp_load_acquire(&c->sid[index]);

2425
	if (!sid) {

2426
		rc = sidtab_context_to_sid(sidtab, &c->context[index], &sid);

2427
		if (rc)

2428
			return rc;

2429


2430
		/*

2431
		 * Ensure the new sidtab entry is visible to other threads

2432
		 * when they see the SID.

2433
		 */

2434
		smp_store_release(&c->sid[index], sid);

2435
	}

2436
	*out_sid = sid;

2437
	return 0;

2438
}

2439


2440
/**

2441
 * security_port_sid - Obtain the SID for a port.

2442
 * @protocol: protocol number

2443
 * @port: port number

2444
 * @out_sid: security identifier

2445
 */

2446
int security_port_sid(u8 protocol, u16 port, u32 *out_sid)

2447
{

2448
	struct selinux_policy *policy;

2449
	struct policydb *policydb;

2450
	struct sidtab *sidtab;

2451
	struct ocontext *c;

2452
	int rc;

2453


2454
	if (!selinux_initialized()) {

2455
		*out_sid = SECINITSID_PORT;

2456
		return 0;

2457
	}

2458


2459
retry:

2460
	rc = 0;

2461
	rcu_read_lock();

2462
	policy = rcu_dereference(selinux_state.policy);

2463
	policydb = &policy->policydb;

2464
	sidtab = policy->sidtab;

2465


2466
	c = policydb->ocontexts[OCON_PORT];

2467
	while (c) {

2468
		if (c->u.port.protocol == protocol &&

2469
		    c->u.port.low_port <= port &&

2470
		    c->u.port.high_port >= port)

2471
			break;

2472
		c = c->next;

2473
	}

2474


2475
	if (c) {

2476
		rc = ocontext_to_sid(sidtab, c, 0, out_sid);

2477
		if (rc == -ESTALE) {

2478
			rcu_read_unlock();

2479
			goto retry;

2480
		}

2481
		if (rc)

2482
			goto out;

2483
	} else {

2484
		*out_sid = SECINITSID_PORT;

2485
	}

2486


2487
out:

2488
	rcu_read_unlock();

2489
	return rc;

2490
}

2491


2492
/**

2493
 * security_ib_pkey_sid - Obtain the SID for a pkey.

2494
 * @subnet_prefix: Subnet Prefix

2495
 * @pkey_num: pkey number

2496
 * @out_sid: security identifier

2497
 */

2498
int security_ib_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid)

2499
{

2500
	struct selinux_policy *policy;

2501
	struct policydb *policydb;

2502
	struct sidtab *sidtab;

2503
	struct ocontext *c;

2504
	int rc;

2505


2506
	if (!selinux_initialized()) {

2507
		*out_sid = SECINITSID_UNLABELED;

2508
		return 0;

2509
	}

2510


2511
retry:

2512
	rc = 0;

2513
	rcu_read_lock();

2514
	policy = rcu_dereference(selinux_state.policy);

2515
	policydb = &policy->policydb;

2516
	sidtab = policy->sidtab;

2517


2518
	c = policydb->ocontexts[OCON_IBPKEY];

2519
	while (c) {

2520
		if (c->u.ibpkey.low_pkey <= pkey_num &&

2521
		    c->u.ibpkey.high_pkey >= pkey_num &&

2522
		    c->u.ibpkey.subnet_prefix == subnet_prefix)

2523
			break;

2524


2525
		c = c->next;

2526
	}

2527


2528
	if (c) {

2529
		rc = ocontext_to_sid(sidtab, c, 0, out_sid);

2530
		if (rc == -ESTALE) {

2531
			rcu_read_unlock();

2532
			goto retry;

2533
		}

2534
		if (rc)

2535
			goto out;

2536
	} else

2537
		*out_sid = SECINITSID_UNLABELED;

2538


2539
out:

2540
	rcu_read_unlock();

2541
	return rc;

2542
}

2543


2544
/**

2545
 * security_ib_endport_sid - Obtain the SID for a subnet management interface.

2546
 * @dev_name: device name

2547
 * @port_num: port number

2548
 * @out_sid: security identifier

2549
 */

2550
int security_ib_endport_sid(const char *dev_name, u8 port_num, u32 *out_sid)

2551
{

2552
	struct selinux_policy *policy;

2553
	struct policydb *policydb;

2554
	struct sidtab *sidtab;

2555
	struct ocontext *c;

2556
	int rc;

2557


2558
	if (!selinux_initialized()) {

2559
		*out_sid = SECINITSID_UNLABELED;

2560
		return 0;

2561
	}

2562


2563
retry:

2564
	rc = 0;

2565
	rcu_read_lock();

2566
	policy = rcu_dereference(selinux_state.policy);

2567
	policydb = &policy->policydb;

2568
	sidtab = policy->sidtab;

2569


2570
	c = policydb->ocontexts[OCON_IBENDPORT];

2571
	while (c) {

2572
		if (c->u.ibendport.port == port_num &&

2573
		    !strncmp(c->u.ibendport.dev_name,

2574
			     dev_name,

2575
			     IB_DEVICE_NAME_MAX))

2576
			break;

2577


2578
		c = c->next;

2579
	}

2580


2581
	if (c) {

2582
		rc = ocontext_to_sid(sidtab, c, 0, out_sid);

2583
		if (rc == -ESTALE) {

2584
			rcu_read_unlock();

2585
			goto retry;

2586
		}

2587
		if (rc)

2588
			goto out;

2589
	} else

2590
		*out_sid = SECINITSID_UNLABELED;

2591


2592
out:

2593
	rcu_read_unlock();

2594
	return rc;

2595
}

2596


2597
/**

2598
 * security_netif_sid - Obtain the SID for a network interface.

2599
 * @name: interface name

2600
 * @if_sid: interface SID

2601
 */

2602
int security_netif_sid(const char *name, u32 *if_sid)

2603
{

2604
	struct selinux_policy *policy;

2605
	struct policydb *policydb;

2606
	struct sidtab *sidtab;

2607
	int rc;

2608
	struct ocontext *c;

2609
	bool wildcard_support;

2610


2611
	if (!selinux_initialized()) {

2612
		*if_sid = SECINITSID_NETIF;

2613
		return 0;

2614
	}

2615


2616
retry:

2617
	rc = 0;

2618
	rcu_read_lock();

2619
	policy = rcu_dereference(selinux_state.policy);

2620
	policydb = &policy->policydb;

2621
	sidtab = policy->sidtab;

2622
	wildcard_support = ebitmap_get_bit(&policydb->policycaps, POLICYDB_CAP_NETIF_WILDCARD);

2623


2624
	c = policydb->ocontexts[OCON_NETIF];

2625
	while (c) {

2626
		if (wildcard_support) {

2627
			if (match_wildcard(c->u.name, name))

2628
				break;

2629
		} else {

2630
			if (strcmp(c->u.name, name) == 0)

2631
				break;

2632
		}

2633


2634
		c = c->next;

2635
	}

2636


2637
	if (c) {

2638
		rc = ocontext_to_sid(sidtab, c, 0, if_sid);

2639
		if (rc == -ESTALE) {

2640
			rcu_read_unlock();

2641
			goto retry;

2642
		}

2643
		if (rc)

2644
			goto out;

2645
	} else

2646
		*if_sid = SECINITSID_NETIF;

2647


2648
out:

2649
	rcu_read_unlock();

2650
	return rc;

2651
}

2652


2653
static bool match_ipv6_addrmask(const u32 input[4], const u32 addr[4], const u32 mask[4])

2654
{

2655
	int i;

2656


2657
	for (i = 0; i < 4; i++)

2658
		if (addr[i] != (input[i] & mask[i]))

2659
			return false;

2660


2661
	return true;

2662
}

2663


2664
/**

2665
 * security_node_sid - Obtain the SID for a node (host).

2666
 * @domain: communication domain aka address family

2667
 * @addrp: address

2668
 * @addrlen: address length in bytes

2669
 * @out_sid: security identifier

2670
 */

2671
int security_node_sid(u16 domain,

2672
		      const void *addrp,

2673
		      u32 addrlen,

2674
		      u32 *out_sid)

2675
{

2676
	struct selinux_policy *policy;

2677
	struct policydb *policydb;

2678
	struct sidtab *sidtab;

2679
	int rc;

2680
	struct ocontext *c;

2681


2682
	if (!selinux_initialized()) {

2683
		*out_sid = SECINITSID_NODE;

2684
		return 0;

2685
	}

2686


2687
retry:

2688
	rcu_read_lock();

2689
	policy = rcu_dereference(selinux_state.policy);

2690
	policydb = &policy->policydb;

2691
	sidtab = policy->sidtab;

2692


2693
	switch (domain) {

2694
	case AF_INET: {

2695
		u32 addr;

2696


2697
		rc = -EINVAL;

2698
		if (addrlen != sizeof(u32))

2699
			goto out;

2700


2701
		addr = *((const u32 *)addrp);

2702


2703
		c = policydb->ocontexts[OCON_NODE];

2704
		while (c) {

2705
			if (c->u.node.addr == (addr & c->u.node.mask))

2706
				break;

2707
			c = c->next;

2708
		}

2709
		break;

2710
	}

2711


2712
	case AF_INET6:

2713
		rc = -EINVAL;

2714
		if (addrlen != sizeof(u64) * 2)

2715
			goto out;

2716
		c = policydb->ocontexts[OCON_NODE6];

2717
		while (c) {

2718
			if (match_ipv6_addrmask(addrp, c->u.node6.addr,

2719
						c->u.node6.mask))

2720
				break;

2721
			c = c->next;

2722
		}

2723
		break;

2724


2725
	default:

2726
		rc = 0;

2727
		*out_sid = SECINITSID_NODE;

2728
		goto out;

2729
	}

2730


2731
	if (c) {

2732
		rc = ocontext_to_sid(sidtab, c, 0, out_sid);

2733
		if (rc == -ESTALE) {

2734
			rcu_read_unlock();

2735
			goto retry;

2736
		}

2737
		if (rc)

2738
			goto out;

2739
	} else {

2740
		*out_sid = SECINITSID_NODE;

2741
	}

2742


2743
	rc = 0;

2744
out:

2745
	rcu_read_unlock();

2746
	return rc;

2747
}

2748


2749
#define SIDS_NEL 25

2750


2751
/**

2752
 * security_get_user_sids - Obtain reachable SIDs for a user.

2753
 * @fromsid: starting SID

2754
 * @username: username

2755
 * @sids: array of reachable SIDs for user

2756
 * @nel: number of elements in @sids

2757
 *

2758
 * Generate the set of SIDs for legal security contexts

2759
 * for a given user that can be reached by @fromsid.

2760
 * Set *@sids to point to a dynamically allocated

2761
 * array containing the set of SIDs.  Set *@nel to the

2762
 * number of elements in the array.

2763
 */

2764


2765
int security_get_user_sids(u32 fromsid,

2766
			   const char *username,

2767
			   u32 **sids,

2768
			   u32 *nel)

2769
{

2770
	struct selinux_policy *policy;

2771
	struct policydb *policydb;

2772
	struct sidtab *sidtab;

2773
	struct context *fromcon, usercon;

2774
	u32 *mysids = NULL, *mysids2, sid;

2775
	u32 i, j, mynel, maxnel = SIDS_NEL;

2776
	struct user_datum *user;

2777
	struct role_datum *role;

2778
	struct ebitmap_node *rnode, *tnode;

2779
	int rc;

2780


2781
	*sids = NULL;

2782
	*nel = 0;

2783


2784
	if (!selinux_initialized())

2785
		return 0;

2786


2787
	mysids = kcalloc(maxnel, sizeof(*mysids), GFP_KERNEL);

2788
	if (!mysids)

2789
		return -ENOMEM;

2790


2791
retry:

2792
	mynel = 0;

2793
	rcu_read_lock();

2794
	policy = rcu_dereference(selinux_state.policy);

2795
	policydb = &policy->policydb;

2796
	sidtab = policy->sidtab;

2797


2798
	context_init(&usercon);

2799


2800
	rc = -EINVAL;

2801
	fromcon = sidtab_search(sidtab, fromsid);

2802
	if (!fromcon)

2803
		goto out_unlock;

2804


2805
	rc = -EINVAL;

2806
	user = symtab_search(&policydb->p_users, username);

2807
	if (!user)

2808
		goto out_unlock;

2809


2810
	usercon.user = user->value;

2811


2812
	ebitmap_for_each_positive_bit(&user->roles, rnode, i) {

2813
		role = policydb->role_val_to_struct[i];

2814
		usercon.role = i + 1;

2815
		ebitmap_for_each_positive_bit(&role->types, tnode, j) {

2816
			usercon.type = j + 1;

2817


2818
			if (mls_setup_user_range(policydb, fromcon, user,

2819
						 &usercon))

2820
				continue;

2821


2822
			rc = sidtab_context_to_sid(sidtab, &usercon, &sid);

2823
			if (rc == -ESTALE) {

2824
				rcu_read_unlock();

2825
				goto retry;

2826
			}

2827
			if (rc)

2828
				goto out_unlock;

2829
			if (mynel < maxnel) {

2830
				mysids[mynel++] = sid;

2831
			} else {

2832
				rc = -ENOMEM;

2833
				maxnel += SIDS_NEL;

2834
				mysids2 = kcalloc(maxnel, sizeof(*mysids2), GFP_ATOMIC);

2835
				if (!mysids2)

2836
					goto out_unlock;

2837
				memcpy(mysids2, mysids, mynel * sizeof(*mysids2));

2838
				kfree(mysids);

2839
				mysids = mysids2;

2840
				mysids[mynel++] = sid;

2841
			}

2842
		}

2843
	}

2844
	rc = 0;

2845
out_unlock:

2846
	rcu_read_unlock();

2847
	if (rc || !mynel) {

2848
		kfree(mysids);

2849
		return rc;

2850
	}

2851


2852
	rc = -ENOMEM;

2853
	mysids2 = kcalloc(mynel, sizeof(*mysids2), GFP_KERNEL);

2854
	if (!mysids2) {

2855
		kfree(mysids);

2856
		return rc;

2857
	}

2858
	for (i = 0, j = 0; i < mynel; i++) {

2859
		struct av_decision dummy_avd;

2860
		rc = avc_has_perm_noaudit(fromsid, mysids[i],

2861
					  SECCLASS_PROCESS, /* kernel value */

2862
					  PROCESS__TRANSITION, AVC_STRICT,

2863
					  &dummy_avd);

2864
		if (!rc)

2865
			mysids2[j++] = mysids[i];

2866
		cond_resched();

2867
	}

2868
	kfree(mysids);

2869
	*sids = mysids2;

2870
	*nel = j;

2871
	return 0;

2872
}

2873


2874
/**

2875
 * __security_genfs_sid - Helper to obtain a SID for a file in a filesystem

2876
 * @policy: policy

2877
 * @fstype: filesystem type

2878
 * @path: path from root of mount

2879
 * @orig_sclass: file security class

2880
 * @sid: SID for path

2881
 *

2882
 * Obtain a SID to use for a file in a filesystem that

2883
 * cannot support xattr or use a fixed labeling behavior like

2884
 * transition SIDs or task SIDs.

2885
 *

2886
 * WARNING: This function may return -ESTALE, indicating that the caller

2887
 * must retry the operation after re-acquiring the policy pointer!

2888
 */

2889
static inline int __security_genfs_sid(struct selinux_policy *policy,

2890
				       const char *fstype,

2891
				       const char *path,

2892
				       u16 orig_sclass,

2893
				       u32 *sid)

2894
{

2895
	struct policydb *policydb = &policy->policydb;

2896
	struct sidtab *sidtab = policy->sidtab;

2897
	u16 sclass;

2898
	struct genfs *genfs;

2899
	struct ocontext *c;

2900
	int cmp = 0;

2901
	bool wildcard;

2902


2903
	while (path[0] == '/' && path[1] == '/')

2904
		path++;

2905


2906
	sclass = unmap_class(&policy->map, orig_sclass);

2907
	*sid = SECINITSID_UNLABELED;

2908


2909
	for (genfs = policydb->genfs; genfs; genfs = genfs->next) {

2910
		cmp = strcmp(fstype, genfs->fstype);

2911
		if (cmp <= 0)

2912
			break;

2913
	}

2914


2915
	if (!genfs || cmp)

2916
		return -ENOENT;

2917


2918
	wildcard = ebitmap_get_bit(&policy->policydb.policycaps,

2919
				   POLICYDB_CAP_GENFS_SECLABEL_WILDCARD);

2920
	for (c = genfs->head; c; c = c->next) {

2921
		if (!c->v.sclass || sclass == c->v.sclass) {

2922
			if (wildcard) {

2923
				if (match_wildcard(c->u.name, path))

2924
					break;

2925
			} else {

2926
				size_t len = strlen(c->u.name);

2927


2928
				if ((strncmp(c->u.name, path, len)) == 0)

2929
					break;

2930
			}

2931
		}

2932
	}

2933


2934
	if (!c)

2935
		return -ENOENT;

2936


2937
	return ocontext_to_sid(sidtab, c, 0, sid);

2938
}

2939


2940
/**

2941
 * security_genfs_sid - Obtain a SID for a file in a filesystem

2942
 * @fstype: filesystem type

2943
 * @path: path from root of mount

2944
 * @orig_sclass: file security class

2945
 * @sid: SID for path

2946
 *

2947
 * Acquire policy_rwlock before calling __security_genfs_sid() and release

2948
 * it afterward.

2949
 */

2950
int security_genfs_sid(const char *fstype,

2951
		       const char *path,

2952
		       u16 orig_sclass,

2953
		       u32 *sid)

2954
{

2955
	struct selinux_policy *policy;

2956
	int retval;

2957


2958
	if (!selinux_initialized()) {

2959
		*sid = SECINITSID_UNLABELED;

2960
		return 0;

2961
	}

2962


2963
	do {

2964
		rcu_read_lock();

2965
		policy = rcu_dereference(selinux_state.policy);

2966
		retval = __security_genfs_sid(policy, fstype, path,

2967
					      orig_sclass, sid);

2968
		rcu_read_unlock();

2969
	} while (retval == -ESTALE);

2970
	return retval;

2971
}

2972


2973
int selinux_policy_genfs_sid(struct selinux_policy *policy,

2974
			const char *fstype,

2975
			const char *path,

2976
			u16 orig_sclass,

2977
			u32 *sid)

2978
{

2979
	/* no lock required, policy is not yet accessible by other threads */

2980
	return __security_genfs_sid(policy, fstype, path, orig_sclass, sid);

2981
}

2982


2983
/**

2984
 * security_fs_use - Determine how to handle labeling for a filesystem.

2985
 * @sb: superblock in question

2986
 */

2987
int security_fs_use(struct super_block *sb)

2988
{

2989
	struct selinux_policy *policy;

2990
	struct policydb *policydb;

2991
	struct sidtab *sidtab;

2992
	int rc;

2993
	struct ocontext *c;

2994
	struct superblock_security_struct *sbsec = selinux_superblock(sb);

2995
	const char *fstype = sb->s_type->name;

2996


2997
	if (!selinux_initialized()) {

2998
		sbsec->behavior = SECURITY_FS_USE_NONE;

2999
		sbsec->sid = SECINITSID_UNLABELED;

3000
		return 0;

3001
	}

3002


3003
retry:

3004
	rcu_read_lock();

3005
	policy = rcu_dereference(selinux_state.policy);

3006
	policydb = &policy->policydb;

3007
	sidtab = policy->sidtab;

3008


3009
	c = policydb->ocontexts[OCON_FSUSE];

3010
	while (c) {

3011
		if (strcmp(fstype, c->u.name) == 0)

3012
			break;

3013
		c = c->next;

3014
	}

3015


3016
	if (c) {

3017
		sbsec->behavior = c->v.behavior;

3018
		rc = ocontext_to_sid(sidtab, c, 0, &sbsec->sid);

3019
		if (rc == -ESTALE) {

3020
			rcu_read_unlock();

3021
			goto retry;

3022
		}

3023
		if (rc)

3024
			goto out;

3025
	} else {

3026
		rc = __security_genfs_sid(policy, fstype, "/",

3027
					SECCLASS_DIR, &sbsec->sid);

3028
		if (rc == -ESTALE) {

3029
			rcu_read_unlock();

3030
			goto retry;

3031
		}

3032
		if (rc) {

3033
			sbsec->behavior = SECURITY_FS_USE_NONE;

3034
			rc = 0;

3035
		} else {

3036
			sbsec->behavior = SECURITY_FS_USE_GENFS;

3037
		}

3038
	}

3039


3040
out:

3041
	rcu_read_unlock();

3042
	return rc;

3043
}

3044


3045
int security_get_bools(struct selinux_policy *policy,

3046
		       u32 *len, char ***names, int **values)

3047
{

3048
	struct policydb *policydb;

3049
	u32 i;

3050
	int rc;

3051


3052
	policydb = &policy->policydb;

3053


3054
	*names = NULL;

3055
	*values = NULL;

3056


3057
	rc = 0;

3058
	*len = policydb->p_bools.nprim;

3059
	if (!*len)

3060
		goto out;

3061


3062
	rc = -ENOMEM;

3063
	*names = kcalloc(*len, sizeof(char *), GFP_ATOMIC);

3064
	if (!*names)

3065
		goto err;

3066


3067
	rc = -ENOMEM;

3068
	*values = kcalloc(*len, sizeof(int), GFP_ATOMIC);

3069
	if (!*values)

3070
		goto err;

3071


3072
	for (i = 0; i < *len; i++) {

3073
		(*values)[i] = policydb->bool_val_to_struct[i]->state;

3074


3075
		rc = -ENOMEM;

3076
		(*names)[i] = kstrdup(sym_name(policydb, SYM_BOOLS, i),

3077
				      GFP_ATOMIC);

3078
		if (!(*names)[i])

3079
			goto err;

3080
	}

3081
	rc = 0;

3082
out:

3083
	return rc;

3084
err:

3085
	if (*names) {

3086
		for (i = 0; i < *len; i++)

3087
			kfree((*names)[i]);

3088
		kfree(*names);

3089
	}

3090
	kfree(*values);

3091
	*len = 0;

3092
	*names = NULL;

3093
	*values = NULL;

3094
	goto out;

3095
}

3096


3097


3098
int security_set_bools(u32 len, const int *values)

3099
{

3100
	struct selinux_state *state = &selinux_state;

3101
	struct selinux_policy *newpolicy, *oldpolicy;

3102
	int rc;

3103
	u32 i, seqno = 0;

3104


3105
	if (!selinux_initialized())

3106
		return -EINVAL;

3107


3108
	oldpolicy = rcu_dereference_protected(state->policy,

3109
					lockdep_is_held(&state->policy_mutex));

3110


3111
	/* Consistency check on number of booleans, should never fail */

3112
	if (WARN_ON(len != oldpolicy->policydb.p_bools.nprim))

3113
		return -EINVAL;

3114


3115
	newpolicy = kmemdup(oldpolicy, sizeof(*newpolicy), GFP_KERNEL);

3116
	if (!newpolicy)

3117
		return -ENOMEM;

3118


3119
	/*

3120
	 * Deep copy only the parts of the policydb that might be

3121
	 * modified as a result of changing booleans.

3122
	 */

3123
	rc = cond_policydb_dup(&newpolicy->policydb, &oldpolicy->policydb);

3124
	if (rc) {

3125
		kfree(newpolicy);

3126
		return -ENOMEM;

3127
	}

3128


3129
	/* Update the boolean states in the copy */

3130
	for (i = 0; i < len; i++) {

3131
		int new_state = !!values[i];

3132
		int old_state = newpolicy->policydb.bool_val_to_struct[i]->state;

3133


3134
		if (new_state != old_state) {

3135
			audit_log(audit_context(), GFP_ATOMIC,

3136
				AUDIT_MAC_CONFIG_CHANGE,

3137
				"bool=%s val=%d old_val=%d auid=%u ses=%u",

3138
				sym_name(&newpolicy->policydb, SYM_BOOLS, i),

3139
				new_state,

3140
				old_state,

3141
				from_kuid(&init_user_ns, audit_get_loginuid(current)),

3142
				audit_get_sessionid(current));

3143
			newpolicy->policydb.bool_val_to_struct[i]->state = new_state;

3144
		}

3145
	}

3146


3147
	/* Re-evaluate the conditional rules in the copy */

3148
	evaluate_cond_nodes(&newpolicy->policydb);

3149


3150
	/* Set latest granting seqno for new policy */

3151
	newpolicy->latest_granting = oldpolicy->latest_granting + 1;

3152
	seqno = newpolicy->latest_granting;

3153


3154
	/* Install the new policy */

3155
	rcu_assign_pointer(state->policy, newpolicy);

3156


3157
	/*

3158
	 * Free the conditional portions of the old policydb

3159
	 * that were copied for the new policy, and the oldpolicy

3160
	 * structure itself but not what it references.

3161
	 */

3162
	synchronize_rcu();

3163
	selinux_policy_cond_free(oldpolicy);

3164


3165
	/* Notify others of the policy change */

3166
	selinux_notify_policy_change(seqno);

3167
	return 0;

3168
}

3169


3170
int security_get_bool_value(u32 index)

3171
{

3172
	struct selinux_policy *policy;

3173
	struct policydb *policydb;

3174
	int rc;

3175
	u32 len;

3176


3177
	if (!selinux_initialized())

3178
		return 0;

3179


3180
	rcu_read_lock();

3181
	policy = rcu_dereference(selinux_state.policy);

3182
	policydb = &policy->policydb;

3183


3184
	rc = -EFAULT;

3185
	len = policydb->p_bools.nprim;

3186
	if (index >= len)

3187
		goto out;

3188


3189
	rc = policydb->bool_val_to_struct[index]->state;

3190
out:

3191
	rcu_read_unlock();

3192
	return rc;

3193
}

3194


3195
static int security_preserve_bools(struct selinux_policy *oldpolicy,

3196
				struct selinux_policy *newpolicy)

3197
{

3198
	int rc, *bvalues = NULL;

3199
	char **bnames = NULL;

3200
	struct cond_bool_datum *booldatum;

3201
	u32 i, nbools = 0;

3202


3203
	rc = security_get_bools(oldpolicy, &nbools, &bnames, &bvalues);

3204
	if (rc)

3205
		goto out;

3206
	for (i = 0; i < nbools; i++) {

3207
		booldatum = symtab_search(&newpolicy->policydb.p_bools,

3208
					bnames[i]);

3209
		if (booldatum)

3210
			booldatum->state = bvalues[i];

3211
	}

3212
	evaluate_cond_nodes(&newpolicy->policydb);

3213


3214
out:

3215
	if (bnames) {

3216
		for (i = 0; i < nbools; i++)

3217
			kfree(bnames[i]);

3218
	}

3219
	kfree(bnames);

3220
	kfree(bvalues);

3221
	return rc;

3222
}

3223


3224
/*

3225
 * security_sid_mls_copy() - computes a new sid based on the given

3226
 * sid and the mls portion of mls_sid.

3227
 */

3228
int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid)

3229
{

3230
	struct selinux_policy *policy;

3231
	struct policydb *policydb;

3232
	struct sidtab *sidtab;

3233
	struct context *context1;

3234
	struct context *context2;

3235
	struct context newcon;

3236
	char *s;

3237
	u32 len;

3238
	int rc;

3239


3240
	if (!selinux_initialized()) {

3241
		*new_sid = sid;

3242
		return 0;

3243
	}

3244


3245
retry:

3246
	rc = 0;

3247
	context_init(&newcon);

3248


3249
	rcu_read_lock();

3250
	policy = rcu_dereference(selinux_state.policy);

3251
	policydb = &policy->policydb;

3252
	sidtab = policy->sidtab;

3253


3254
	if (!policydb->mls_enabled) {

3255
		*new_sid = sid;

3256
		goto out_unlock;

3257
	}

3258


3259
	rc = -EINVAL;

3260
	context1 = sidtab_search(sidtab, sid);

3261
	if (!context1) {

3262
		pr_err("SELinux: %s:  unrecognized SID %d\n",

3263
			__func__, sid);

3264
		goto out_unlock;

3265
	}

3266


3267
	rc = -EINVAL;

3268
	context2 = sidtab_search(sidtab, mls_sid);

3269
	if (!context2) {

3270
		pr_err("SELinux: %s:  unrecognized SID %d\n",

3271
			__func__, mls_sid);

3272
		goto out_unlock;

3273
	}

3274


3275
	newcon.user = context1->user;

3276
	newcon.role = context1->role;

3277
	newcon.type = context1->type;

3278
	rc = mls_context_cpy(&newcon, context2);

3279
	if (rc)

3280
		goto out_unlock;

3281


3282
	/* Check the validity of the new context. */

3283
	if (!policydb_context_isvalid(policydb, &newcon)) {

3284
		rc = convert_context_handle_invalid_context(policydb,

3285
							&newcon);

3286
		if (rc) {

3287
			if (!context_struct_to_string(policydb, &newcon, &s,

3288
						      &len)) {

3289
				struct audit_buffer *ab;

3290


3291
				ab = audit_log_start(audit_context(),

3292
						     GFP_ATOMIC,

3293
						     AUDIT_SELINUX_ERR);

3294
				audit_log_format(ab,

3295
						 "op=security_sid_mls_copy invalid_context=");

3296
				/* don't record NUL with untrusted strings */

3297
				audit_log_n_untrustedstring(ab, s, len - 1);

3298
				audit_log_end(ab);

3299
				kfree(s);

3300
			}

3301
			goto out_unlock;

3302
		}

3303
	}

3304
	rc = sidtab_context_to_sid(sidtab, &newcon, new_sid);

3305
	if (rc == -ESTALE) {

3306
		rcu_read_unlock();

3307
		context_destroy(&newcon);

3308
		goto retry;

3309
	}

3310
out_unlock:

3311
	rcu_read_unlock();

3312
	context_destroy(&newcon);

3313
	return rc;

3314
}

3315


3316
/**

3317
 * security_net_peersid_resolve - Compare and resolve two network peer SIDs

3318
 * @nlbl_sid: NetLabel SID

3319
 * @nlbl_type: NetLabel labeling protocol type

3320
 * @xfrm_sid: XFRM SID

3321
 * @peer_sid: network peer sid

3322
 *

3323
 * Description:

3324
 * Compare the @nlbl_sid and @xfrm_sid values and if the two SIDs can be

3325
 * resolved into a single SID it is returned via @peer_sid and the function

3326
 * returns zero.  Otherwise @peer_sid is set to SECSID_NULL and the function

3327
 * returns a negative value.  A table summarizing the behavior is below:

3328
 *

3329
 *                                 | function return |      @sid

3330
 *   ------------------------------+-----------------+-----------------

3331
 *   no peer labels                |        0        |    SECSID_NULL

3332
 *   single peer label             |        0        |    <peer_label>

3333
 *   multiple, consistent labels   |        0        |    <peer_label>

3334
 *   multiple, inconsistent labels |    -<errno>     |    SECSID_NULL

3335
 *

3336
 */

3337
int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type,

3338
				 u32 xfrm_sid,

3339
				 u32 *peer_sid)

3340
{

3341
	struct selinux_policy *policy;

3342
	struct policydb *policydb;

3343
	struct sidtab *sidtab;

3344
	int rc;

3345
	struct context *nlbl_ctx;

3346
	struct context *xfrm_ctx;

3347


3348
	*peer_sid = SECSID_NULL;

3349


3350
	/* handle the common (which also happens to be the set of easy) cases

3351
	 * right away, these two if statements catch everything involving a

3352
	 * single or absent peer SID/label */

3353
	if (xfrm_sid == SECSID_NULL) {

3354
		*peer_sid = nlbl_sid;

3355
		return 0;

3356
	}

3357
	/* NOTE: an nlbl_type == NETLBL_NLTYPE_UNLABELED is a "fallback" label

3358
	 * and is treated as if nlbl_sid == SECSID_NULL when a XFRM SID/label

3359
	 * is present */

3360
	if (nlbl_sid == SECSID_NULL || nlbl_type == NETLBL_NLTYPE_UNLABELED) {

3361
		*peer_sid = xfrm_sid;

3362
		return 0;

3363
	}

3364


3365
	if (!selinux_initialized())

3366
		return 0;

3367


3368
	rcu_read_lock();

3369
	policy = rcu_dereference(selinux_state.policy);

3370
	policydb = &policy->policydb;

3371
	sidtab = policy->sidtab;

3372


3373
	/*

3374
	 * We don't need to check initialized here since the only way both

3375
	 * nlbl_sid and xfrm_sid are not equal to SECSID_NULL would be if the

3376
	 * security server was initialized and state->initialized was true.

3377
	 */

3378
	if (!policydb->mls_enabled) {

3379
		rc = 0;

3380
		goto out;

3381
	}

3382


3383
	rc = -EINVAL;

3384
	nlbl_ctx = sidtab_search(sidtab, nlbl_sid);

3385
	if (!nlbl_ctx) {

3386
		pr_err("SELinux: %s:  unrecognized SID %d\n",

3387
		       __func__, nlbl_sid);

3388
		goto out;

3389
	}

3390
	rc = -EINVAL;

3391
	xfrm_ctx = sidtab_search(sidtab, xfrm_sid);

3392
	if (!xfrm_ctx) {

3393
		pr_err("SELinux: %s:  unrecognized SID %d\n",

3394
		       __func__, xfrm_sid);

3395
		goto out;

3396
	}

3397
	rc = (mls_context_equal(nlbl_ctx, xfrm_ctx) ? 0 : -EACCES);

3398
	if (rc)

3399
		goto out;

3400


3401
	/* at present NetLabel SIDs/labels really only carry MLS

3402
	 * information so if the MLS portion of the NetLabel SID

3403
	 * matches the MLS portion of the labeled XFRM SID/label

3404
	 * then pass along the XFRM SID as it is the most

3405
	 * expressive */

3406
	*peer_sid = xfrm_sid;

3407
out:

3408
	rcu_read_unlock();

3409
	return rc;

3410
}

3411


3412
static int get_classes_callback(void *k, void *d, void *args)

3413
{

3414
	struct class_datum *datum = d;

3415
	char *name = k, **classes = args;

3416
	u32 value = datum->value - 1;

3417


3418
	classes[value] = kstrdup(name, GFP_ATOMIC);

3419
	if (!classes[value])

3420
		return -ENOMEM;

3421


3422
	return 0;

3423
}

3424


3425
int security_get_classes(struct selinux_policy *policy,

3426
			 char ***classes, u32 *nclasses)

3427
{

3428
	struct policydb *policydb;

3429
	int rc;

3430


3431
	policydb = &policy->policydb;

3432


3433
	rc = -ENOMEM;

3434
	*nclasses = policydb->p_classes.nprim;

3435
	*classes = kcalloc(*nclasses, sizeof(**classes), GFP_ATOMIC);

3436
	if (!*classes)

3437
		goto out;

3438


3439
	rc = hashtab_map(&policydb->p_classes.table, get_classes_callback,

3440
			 *classes);

3441
	if (rc) {

3442
		u32 i;

3443


3444
		for (i = 0; i < *nclasses; i++)

3445
			kfree((*classes)[i]);

3446
		kfree(*classes);

3447
	}

3448


3449
out:

3450
	return rc;

3451
}

3452


3453
static int get_permissions_callback(void *k, void *d, void *args)

3454
{

3455
	struct perm_datum *datum = d;

3456
	char *name = k, **perms = args;

3457
	u32 value = datum->value - 1;

3458


3459
	perms[value] = kstrdup(name, GFP_ATOMIC);

3460
	if (!perms[value])

3461
		return -ENOMEM;

3462


3463
	return 0;

3464
}

3465


3466
int security_get_permissions(struct selinux_policy *policy,

3467
			     const char *class, char ***perms, u32 *nperms)

3468
{

3469
	struct policydb *policydb;

3470
	u32 i;

3471
	int rc;

3472
	struct class_datum *match;

3473


3474
	policydb = &policy->policydb;

3475


3476
	rc = -EINVAL;

3477
	match = symtab_search(&policydb->p_classes, class);

3478
	if (!match) {

3479
		pr_err("SELinux: %s:  unrecognized class %s\n",

3480
			__func__, class);

3481
		goto out;

3482
	}

3483


3484
	rc = -ENOMEM;

3485
	*nperms = match->permissions.nprim;

3486
	*perms = kcalloc(*nperms, sizeof(**perms), GFP_ATOMIC);

3487
	if (!*perms)

3488
		goto out;

3489


3490
	if (match->comdatum) {

3491
		rc = hashtab_map(&match->comdatum->permissions.table,

3492
				 get_permissions_callback, *perms);

3493
		if (rc)

3494
			goto err;

3495
	}

3496


3497
	rc = hashtab_map(&match->permissions.table, get_permissions_callback,

3498
			 *perms);

3499
	if (rc)

3500
		goto err;

3501


3502
out:

3503
	return rc;

3504


3505
err:

3506
	for (i = 0; i < *nperms; i++)

3507
		kfree((*perms)[i]);

3508
	kfree(*perms);

3509
	return rc;

3510
}

3511


3512
int security_get_reject_unknown(void)

3513
{

3514
	struct selinux_policy *policy;

3515
	int value;

3516


3517
	if (!selinux_initialized())

3518
		return 0;

3519


3520
	rcu_read_lock();

3521
	policy = rcu_dereference(selinux_state.policy);

3522
	value = policy->policydb.reject_unknown;

3523
	rcu_read_unlock();

3524
	return value;

3525
}

3526


3527
int security_get_allow_unknown(void)

3528
{

3529
	struct selinux_policy *policy;

3530
	int value;

3531


3532
	if (!selinux_initialized())

3533
		return 0;

3534


3535
	rcu_read_lock();

3536
	policy = rcu_dereference(selinux_state.policy);

3537
	value = policy->policydb.allow_unknown;

3538
	rcu_read_unlock();

3539
	return value;

3540
}

3541


3542
/**

3543
 * security_policycap_supported - Check for a specific policy capability

3544
 * @req_cap: capability

3545
 *

3546
 * Description:

3547
 * This function queries the currently loaded policy to see if it supports the

3548
 * capability specified by @req_cap.  Returns true (1) if the capability is

3549
 * supported, false (0) if it isn't supported.

3550
 *

3551
 */

3552
int security_policycap_supported(unsigned int req_cap)

3553
{

3554
	struct selinux_policy *policy;

3555
	int rc;

3556


3557
	if (!selinux_initialized())

3558
		return 0;

3559


3560
	rcu_read_lock();

3561
	policy = rcu_dereference(selinux_state.policy);

3562
	rc = ebitmap_get_bit(&policy->policydb.policycaps, req_cap);

3563
	rcu_read_unlock();

3564


3565
	return rc;

3566
}

3567


3568
struct selinux_audit_rule {

3569
	u32 au_seqno;

3570
	struct context au_ctxt;

3571
};

3572


3573
void selinux_audit_rule_free(void *vrule)

3574
{

3575
	struct selinux_audit_rule *rule = vrule;

3576


3577
	if (rule) {

3578
		context_destroy(&rule->au_ctxt);

3579
		kfree(rule);

3580
	}

3581
}

3582


3583
int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule,

3584
			    gfp_t gfp)

3585
{

3586
	struct selinux_state *state = &selinux_state;

3587
	struct selinux_policy *policy;

3588
	struct policydb *policydb;

3589
	struct selinux_audit_rule *tmprule;

3590
	struct role_datum *roledatum;

3591
	struct type_datum *typedatum;

3592
	struct user_datum *userdatum;

3593
	struct selinux_audit_rule **rule = (struct selinux_audit_rule **)vrule;

3594
	int rc = 0;

3595


3596
	*rule = NULL;

3597


3598
	if (!selinux_initialized())

3599
		return -EOPNOTSUPP;

3600


3601
	switch (field) {

3602
	case AUDIT_SUBJ_USER:

3603
	case AUDIT_SUBJ_ROLE:

3604
	case AUDIT_SUBJ_TYPE:

3605
	case AUDIT_OBJ_USER:

3606
	case AUDIT_OBJ_ROLE:

3607
	case AUDIT_OBJ_TYPE:

3608
		/* only 'equals' and 'not equals' fit user, role, and type */

3609
		if (op != Audit_equal && op != Audit_not_equal)

3610
			return -EINVAL;

3611
		break;

3612
	case AUDIT_SUBJ_SEN:

3613
	case AUDIT_SUBJ_CLR:

3614
	case AUDIT_OBJ_LEV_LOW:

3615
	case AUDIT_OBJ_LEV_HIGH:

3616
		/* we do not allow a range, indicated by the presence of '-' */

3617
		if (strchr(rulestr, '-'))

3618
			return -EINVAL;

3619
		break;

3620
	default:

3621
		/* only the above fields are valid */

3622
		return -EINVAL;

3623
	}

3624


3625
	tmprule = kzalloc(sizeof(struct selinux_audit_rule), gfp);

3626
	if (!tmprule)

3627
		return -ENOMEM;

3628
	context_init(&tmprule->au_ctxt);

3629


3630
	rcu_read_lock();

3631
	policy = rcu_dereference(state->policy);

3632
	policydb = &policy->policydb;

3633
	tmprule->au_seqno = policy->latest_granting;

3634
	switch (field) {

3635
	case AUDIT_SUBJ_USER:

3636
	case AUDIT_OBJ_USER:

3637
		userdatum = symtab_search(&policydb->p_users, rulestr);

3638
		if (!userdatum) {

3639
			rc = -EINVAL;

3640
			goto err;

3641
		}

3642
		tmprule->au_ctxt.user = userdatum->value;

3643
		break;

3644
	case AUDIT_SUBJ_ROLE:

3645
	case AUDIT_OBJ_ROLE:

3646
		roledatum = symtab_search(&policydb->p_roles, rulestr);

3647
		if (!roledatum) {

3648
			rc = -EINVAL;

3649
			goto err;

3650
		}

3651
		tmprule->au_ctxt.role = roledatum->value;

3652
		break;

3653
	case AUDIT_SUBJ_TYPE:

3654
	case AUDIT_OBJ_TYPE:

3655
		typedatum = symtab_search(&policydb->p_types, rulestr);

3656
		if (!typedatum) {

3657
			rc = -EINVAL;

3658
			goto err;

3659
		}

3660
		tmprule->au_ctxt.type = typedatum->value;

3661
		break;

3662
	case AUDIT_SUBJ_SEN:

3663
	case AUDIT_SUBJ_CLR:

3664
	case AUDIT_OBJ_LEV_LOW:

3665
	case AUDIT_OBJ_LEV_HIGH:

3666
		rc = mls_from_string(policydb, rulestr, &tmprule->au_ctxt,

3667
				     GFP_ATOMIC);

3668
		if (rc)

3669
			goto err;

3670
		break;

3671
	}

3672
	rcu_read_unlock();

3673


3674
	*rule = tmprule;

3675
	return 0;

3676


3677
err:

3678
	rcu_read_unlock();

3679
	selinux_audit_rule_free(tmprule);

3680
	*rule = NULL;

3681
	return rc;

3682
}

3683


3684
/* Check to see if the rule contains any selinux fields */

3685
int selinux_audit_rule_known(struct audit_krule *rule)

3686
{

3687
	u32 i;

3688


3689
	for (i = 0; i < rule->field_count; i++) {

3690
		struct audit_field *f = &rule->fields[i];

3691
		switch (f->type) {

3692
		case AUDIT_SUBJ_USER:

3693
		case AUDIT_SUBJ_ROLE:

3694
		case AUDIT_SUBJ_TYPE:

3695
		case AUDIT_SUBJ_SEN:

3696
		case AUDIT_SUBJ_CLR:

3697
		case AUDIT_OBJ_USER:

3698
		case AUDIT_OBJ_ROLE:

3699
		case AUDIT_OBJ_TYPE:

3700
		case AUDIT_OBJ_LEV_LOW:

3701
		case AUDIT_OBJ_LEV_HIGH:

3702
			return 1;

3703
		}

3704
	}

3705


3706
	return 0;

3707
}

3708


3709
int selinux_audit_rule_match(struct lsm_prop *prop, u32 field, u32 op, void *vrule)

3710
{

3711
	struct selinux_state *state = &selinux_state;

3712
	struct selinux_policy *policy;

3713
	struct context *ctxt;

3714
	struct mls_level *level;

3715
	struct selinux_audit_rule *rule = vrule;

3716
	int match = 0;

3717


3718
	if (unlikely(!rule)) {

3719
		WARN_ONCE(1, "selinux_audit_rule_match: missing rule\n");

3720
		return -ENOENT;

3721
	}

3722


3723
	if (!selinux_initialized())

3724
		return 0;

3725


3726
	rcu_read_lock();

3727


3728
	policy = rcu_dereference(state->policy);

3729


3730
	if (rule->au_seqno < policy->latest_granting) {

3731
		match = -ESTALE;

3732
		goto out;

3733
	}

3734


3735
	ctxt = sidtab_search(policy->sidtab, prop->selinux.secid);

3736
	if (unlikely(!ctxt)) {

3737
		WARN_ONCE(1, "selinux_audit_rule_match: unrecognized SID %d\n",

3738
			  prop->selinux.secid);

3739
		match = -ENOENT;

3740
		goto out;

3741
	}

3742


3743
	/* a field/op pair that is not caught here will simply fall through

3744
	   without a match */

3745
	switch (field) {

3746
	case AUDIT_SUBJ_USER:

3747
	case AUDIT_OBJ_USER:

3748
		switch (op) {

3749
		case Audit_equal:

3750
			match = (ctxt->user == rule->au_ctxt.user);

3751
			break;

3752
		case Audit_not_equal:

3753
			match = (ctxt->user != rule->au_ctxt.user);

3754
			break;

3755
		}

3756
		break;

3757
	case AUDIT_SUBJ_ROLE:

3758
	case AUDIT_OBJ_ROLE:

3759
		switch (op) {

3760
		case Audit_equal:

3761
			match = (ctxt->role == rule->au_ctxt.role);

3762
			break;

3763
		case Audit_not_equal:

3764
			match = (ctxt->role != rule->au_ctxt.role);

3765
			break;

3766
		}

3767
		break;

3768
	case AUDIT_SUBJ_TYPE:

3769
	case AUDIT_OBJ_TYPE:

3770
		switch (op) {

3771
		case Audit_equal:

3772
			match = (ctxt->type == rule->au_ctxt.type);

3773
			break;

3774
		case Audit_not_equal:

3775
			match = (ctxt->type != rule->au_ctxt.type);

3776
			break;

3777
		}

3778
		break;

3779
	case AUDIT_SUBJ_SEN:

3780
	case AUDIT_SUBJ_CLR:

3781
	case AUDIT_OBJ_LEV_LOW:

3782
	case AUDIT_OBJ_LEV_HIGH:

3783
		level = ((field == AUDIT_SUBJ_SEN ||

3784
			  field == AUDIT_OBJ_LEV_LOW) ?

3785
			 &ctxt->range.level[0] : &ctxt->range.level[1]);

3786
		switch (op) {

3787
		case Audit_equal:

3788
			match = mls_level_eq(&rule->au_ctxt.range.level[0],

3789
					     level);

3790
			break;

3791
		case Audit_not_equal:

3792
			match = !mls_level_eq(&rule->au_ctxt.range.level[0],

3793
					      level);

3794
			break;

3795
		case Audit_lt:

3796
			match = (mls_level_dom(&rule->au_ctxt.range.level[0],

3797
					       level) &&

3798
				 !mls_level_eq(&rule->au_ctxt.range.level[0],

3799
					       level));

3800
			break;

3801
		case Audit_le:

3802
			match = mls_level_dom(&rule->au_ctxt.range.level[0],

3803
					      level);

3804
			break;

3805
		case Audit_gt:

3806
			match = (mls_level_dom(level,

3807
					      &rule->au_ctxt.range.level[0]) &&

3808
				 !mls_level_eq(level,

3809
					       &rule->au_ctxt.range.level[0]));

3810
			break;

3811
		case Audit_ge:

3812
			match = mls_level_dom(level,

3813
					      &rule->au_ctxt.range.level[0]);

3814
			break;

3815
		}

3816
	}

3817


3818
out:

3819
	rcu_read_unlock();

3820
	return match;

3821
}

3822


3823
static int aurule_avc_callback(u32 event)

3824
{

3825
	if (event == AVC_CALLBACK_RESET)

3826
		return audit_update_lsm_rules();

3827
	return 0;

3828
}

3829


3830
static int __init aurule_init(void)

3831
{

3832
	int err;

3833


3834
	err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET);

3835
	if (err)

3836
		panic("avc_add_callback() failed, error %d\n", err);

3837


3838
	return err;

3839
}

3840
__initcall(aurule_init);

3841


3842
#ifdef CONFIG_NETLABEL

3843
/**

3844
 * security_netlbl_cache_add - Add an entry to the NetLabel cache

3845
 * @secattr: the NetLabel packet security attributes

3846
 * @sid: the SELinux SID

3847
 *

3848
 * Description:

3849
 * Attempt to cache the context in @ctx, which was derived from the packet in

3850
 * @skb, in the NetLabel subsystem cache.  This function assumes @secattr has

3851
 * already been initialized.

3852
 *

3853
 */

3854
static void security_netlbl_cache_add(struct netlbl_lsm_secattr *secattr,

3855
				      u32 sid)

3856
{

3857
	u32 *sid_cache;

3858


3859
	sid_cache = kmalloc(sizeof(*sid_cache), GFP_ATOMIC);

3860
	if (sid_cache == NULL)

3861
		return;

3862
	secattr->cache = netlbl_secattr_cache_alloc(GFP_ATOMIC);

3863
	if (secattr->cache == NULL) {

3864
		kfree(sid_cache);

3865
		return;

3866
	}

3867


3868
	*sid_cache = sid;

3869
	secattr->cache->free = kfree;

3870
	secattr->cache->data = sid_cache;

3871
	secattr->flags |= NETLBL_SECATTR_CACHE;

3872
}

3873


3874
/**

3875
 * security_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID

3876
 * @secattr: the NetLabel packet security attributes

3877
 * @sid: the SELinux SID

3878
 *

3879
 * Description:

3880
 * Convert the given NetLabel security attributes in @secattr into a

3881
 * SELinux SID.  If the @secattr field does not contain a full SELinux

3882
 * SID/context then use SECINITSID_NETMSG as the foundation.  If possible the

3883
 * 'cache' field of @secattr is set and the CACHE flag is set; this is to

3884
 * allow the @secattr to be used by NetLabel to cache the secattr to SID

3885
 * conversion for future lookups.  Returns zero on success, negative values on

3886
 * failure.

3887
 *

3888
 */

3889
int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,

3890
				   u32 *sid)

3891
{

3892
	struct selinux_policy *policy;

3893
	struct policydb *policydb;

3894
	struct sidtab *sidtab;

3895
	int rc;

3896
	struct context *ctx;

3897
	struct context ctx_new;

3898


3899
	if (!selinux_initialized()) {

3900
		*sid = SECSID_NULL;

3901
		return 0;

3902
	}

3903


3904
retry:

3905
	rc = 0;

3906
	rcu_read_lock();

3907
	policy = rcu_dereference(selinux_state.policy);

3908
	policydb = &policy->policydb;

3909
	sidtab = policy->sidtab;

3910


3911
	if (secattr->flags & NETLBL_SECATTR_CACHE)

3912
		*sid = *(u32 *)secattr->cache->data;

3913
	else if (secattr->flags & NETLBL_SECATTR_SECID)

3914
		*sid = secattr->attr.secid;

3915
	else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) {

3916
		rc = -EIDRM;

3917
		ctx = sidtab_search(sidtab, SECINITSID_NETMSG);

3918
		if (ctx == NULL)

3919
			goto out;

3920


3921
		context_init(&ctx_new);

3922
		ctx_new.user = ctx->user;

3923
		ctx_new.role = ctx->role;

3924
		ctx_new.type = ctx->type;

3925
		mls_import_netlbl_lvl(policydb, &ctx_new, secattr);

3926
		if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {

3927
			rc = mls_import_netlbl_cat(policydb, &ctx_new, secattr);

3928
			if (rc)

3929
				goto out;

3930
		}

3931
		rc = -EIDRM;

3932
		if (!mls_context_isvalid(policydb, &ctx_new)) {

3933
			ebitmap_destroy(&ctx_new.range.level[0].cat);

3934
			goto out;

3935
		}

3936


3937
		rc = sidtab_context_to_sid(sidtab, &ctx_new, sid);

3938
		ebitmap_destroy(&ctx_new.range.level[0].cat);

3939
		if (rc == -ESTALE) {

3940
			rcu_read_unlock();

3941
			goto retry;

3942
		}

3943
		if (rc)

3944
			goto out;

3945


3946
		security_netlbl_cache_add(secattr, *sid);

3947
	} else

3948
		*sid = SECSID_NULL;

3949


3950
out:

3951
	rcu_read_unlock();

3952
	return rc;

3953
}

3954


3955
/**

3956
 * security_netlbl_sid_to_secattr - Convert a SELinux SID to a NetLabel secattr

3957
 * @sid: the SELinux SID

3958
 * @secattr: the NetLabel packet security attributes

3959
 *

3960
 * Description:

3961
 * Convert the given SELinux SID in @sid into a NetLabel security attribute.

3962
 * Returns zero on success, negative values on failure.

3963
 *

3964
 */

3965
int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr)

3966
{

3967
	struct selinux_policy *policy;

3968
	struct policydb *policydb;

3969
	int rc;

3970
	struct context *ctx;

3971


3972
	if (!selinux_initialized())

3973
		return 0;

3974


3975
	rcu_read_lock();

3976
	policy = rcu_dereference(selinux_state.policy);

3977
	policydb = &policy->policydb;

3978


3979
	rc = -ENOENT;

3980
	ctx = sidtab_search(policy->sidtab, sid);

3981
	if (ctx == NULL)

3982
		goto out;

3983


3984
	rc = -ENOMEM;

3985
	secattr->domain = kstrdup(sym_name(policydb, SYM_TYPES, ctx->type - 1),

3986
				  GFP_ATOMIC);

3987
	if (secattr->domain == NULL)

3988
		goto out;

3989


3990
	secattr->attr.secid = sid;

3991
	secattr->flags |= NETLBL_SECATTR_DOMAIN_CPY | NETLBL_SECATTR_SECID;

3992
	mls_export_netlbl_lvl(policydb, ctx, secattr);

3993
	rc = mls_export_netlbl_cat(policydb, ctx, secattr);

3994
out:

3995
	rcu_read_unlock();

3996
	return rc;

3997
}

3998
#endif /* CONFIG_NETLABEL */

3999


4000
/**

4001
 * __security_read_policy - read the policy.

4002
 * @policy: SELinux policy

4003
 * @data: binary policy data

4004
 * @len: length of data in bytes

4005
 *

4006
 */

4007
static int __security_read_policy(struct selinux_policy *policy,

4008
				  void *data, size_t *len)

4009
{

4010
	int rc;

4011
	struct policy_file fp;

4012


4013
	fp.data = data;

4014
	fp.len = *len;

4015


4016
	rc = policydb_write(&policy->policydb, &fp);

4017
	if (rc)

4018
		return rc;

4019


4020
	*len = (unsigned long)fp.data - (unsigned long)data;

4021
	return 0;

4022
}

4023


4024
/**

4025
 * security_read_policy - read the policy.

4026
 * @data: binary policy data

4027
 * @len: length of data in bytes

4028
 *

4029
 */

4030
int security_read_policy(void **data, size_t *len)

4031
{

4032
	struct selinux_state *state = &selinux_state;

4033
	struct selinux_policy *policy;

4034


4035
	policy = rcu_dereference_protected(

4036
			state->policy, lockdep_is_held(&state->policy_mutex));

4037
	if (!policy)

4038
		return -EINVAL;

4039


4040
	*len = policy->policydb.len;

4041
	*data = vmalloc_user(*len);

4042
	if (!*data)

4043
		return -ENOMEM;

4044


4045
	return __security_read_policy(policy, *data, len);

4046
}

4047


4048
/**

4049
 * security_read_state_kernel - read the policy.

4050
 * @data: binary policy data

4051
 * @len: length of data in bytes

4052
 *

4053
 * Allocates kernel memory for reading SELinux policy.

4054
 * This function is for internal use only and should not

4055
 * be used for returning data to user space.

4056
 *

4057
 * This function must be called with policy_mutex held.

4058
 */

4059
int security_read_state_kernel(void **data, size_t *len)

4060
{

4061
	int err;

4062
	struct selinux_state *state = &selinux_state;

4063
	struct selinux_policy *policy;

4064


4065
	policy = rcu_dereference_protected(

4066
			state->policy, lockdep_is_held(&state->policy_mutex));

4067
	if (!policy)

4068
		return -EINVAL;

4069


4070
	*len = policy->policydb.len;

4071
	*data = vmalloc(*len);

4072
	if (!*data)

4073
		return -ENOMEM;

4074


4075
	err = __security_read_policy(policy, *data, len);

4076
	if (err) {

4077
		vfree(*data);

4078
		*data = NULL;

4079
		*len = 0;

4080
	}

4081
	return err;

4082
}

4083


4084