Merge tag 'jg-20061012-00' of git://electric-eye.fr.zoreil.com/home/romieu/linux...
[linux-2.6] / security / selinux / ss / services.c
1 /*
2  * Implementation of the security services.
3  *
4  * Authors : Stephen Smalley, <sds@epoch.ncsc.mil>
5  *           James Morris <jmorris@redhat.com>
6  *
7  * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
8  *
9  *      Support for enhanced MLS infrastructure.
10  *      Support for context based audit filters.
11  *
12  * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
13  *
14  *      Added conditional policy language extensions
15  *
16  * Updated: Hewlett-Packard <paul.moore@hp.com>
17  *
18  *      Added support for NetLabel
19  *
20  * Copyright (C) 2006 Hewlett-Packard Development Company, L.P.
21  * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
22  * Copyright (C) 2003 - 2004 Tresys Technology, LLC
23  * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
24  *      This program is free software; you can redistribute it and/or modify
25  *      it under the terms of the GNU General Public License as published by
26  *      the Free Software Foundation, version 2.
27  */
28 #include <linux/kernel.h>
29 #include <linux/slab.h>
30 #include <linux/string.h>
31 #include <linux/spinlock.h>
32 #include <linux/errno.h>
33 #include <linux/in.h>
34 #include <linux/sched.h>
35 #include <linux/audit.h>
36 #include <linux/mutex.h>
37 #include <net/sock.h>
38 #include <net/netlabel.h>
39
40 #include "flask.h"
41 #include "avc.h"
42 #include "avc_ss.h"
43 #include "security.h"
44 #include "context.h"
45 #include "policydb.h"
46 #include "sidtab.h"
47 #include "services.h"
48 #include "conditional.h"
49 #include "mls.h"
50 #include "objsec.h"
51 #include "selinux_netlabel.h"
52
53 extern void selnl_notify_policyload(u32 seqno);
54 unsigned int policydb_loaded_version;
55
56 static DEFINE_RWLOCK(policy_rwlock);
57 #define POLICY_RDLOCK read_lock(&policy_rwlock)
58 #define POLICY_WRLOCK write_lock_irq(&policy_rwlock)
59 #define POLICY_RDUNLOCK read_unlock(&policy_rwlock)
60 #define POLICY_WRUNLOCK write_unlock_irq(&policy_rwlock)
61
62 static DEFINE_MUTEX(load_mutex);
63 #define LOAD_LOCK mutex_lock(&load_mutex)
64 #define LOAD_UNLOCK mutex_unlock(&load_mutex)
65
66 static struct sidtab sidtab;
67 struct policydb policydb;
68 int ss_initialized = 0;
69
70 /*
71  * The largest sequence number that has been used when
72  * providing an access decision to the access vector cache.
73  * The sequence number only changes when a policy change
74  * occurs.
75  */
76 static u32 latest_granting = 0;
77
78 /* Forward declaration. */
79 static int context_struct_to_string(struct context *context, char **scontext,
80                                     u32 *scontext_len);
81
82 /*
83  * Return the boolean value of a constraint expression
84  * when it is applied to the specified source and target
85  * security contexts.
86  *
87  * xcontext is a special beast...  It is used by the validatetrans rules
88  * only.  For these rules, scontext is the context before the transition,
89  * tcontext is the context after the transition, and xcontext is the context
90  * of the process performing the transition.  All other callers of
91  * constraint_expr_eval should pass in NULL for xcontext.
92  */
93 static int constraint_expr_eval(struct context *scontext,
94                                 struct context *tcontext,
95                                 struct context *xcontext,
96                                 struct constraint_expr *cexpr)
97 {
98         u32 val1, val2;
99         struct context *c;
100         struct role_datum *r1, *r2;
101         struct mls_level *l1, *l2;
102         struct constraint_expr *e;
103         int s[CEXPR_MAXDEPTH];
104         int sp = -1;
105
106         for (e = cexpr; e; e = e->next) {
107                 switch (e->expr_type) {
108                 case CEXPR_NOT:
109                         BUG_ON(sp < 0);
110                         s[sp] = !s[sp];
111                         break;
112                 case CEXPR_AND:
113                         BUG_ON(sp < 1);
114                         sp--;
115                         s[sp] &= s[sp+1];
116                         break;
117                 case CEXPR_OR:
118                         BUG_ON(sp < 1);
119                         sp--;
120                         s[sp] |= s[sp+1];
121                         break;
122                 case CEXPR_ATTR:
123                         if (sp == (CEXPR_MAXDEPTH-1))
124                                 return 0;
125                         switch (e->attr) {
126                         case CEXPR_USER:
127                                 val1 = scontext->user;
128                                 val2 = tcontext->user;
129                                 break;
130                         case CEXPR_TYPE:
131                                 val1 = scontext->type;
132                                 val2 = tcontext->type;
133                                 break;
134                         case CEXPR_ROLE:
135                                 val1 = scontext->role;
136                                 val2 = tcontext->role;
137                                 r1 = policydb.role_val_to_struct[val1 - 1];
138                                 r2 = policydb.role_val_to_struct[val2 - 1];
139                                 switch (e->op) {
140                                 case CEXPR_DOM:
141                                         s[++sp] = ebitmap_get_bit(&r1->dominates,
142                                                                   val2 - 1);
143                                         continue;
144                                 case CEXPR_DOMBY:
145                                         s[++sp] = ebitmap_get_bit(&r2->dominates,
146                                                                   val1 - 1);
147                                         continue;
148                                 case CEXPR_INCOMP:
149                                         s[++sp] = ( !ebitmap_get_bit(&r1->dominates,
150                                                                      val2 - 1) &&
151                                                     !ebitmap_get_bit(&r2->dominates,
152                                                                      val1 - 1) );
153                                         continue;
154                                 default:
155                                         break;
156                                 }
157                                 break;
158                         case CEXPR_L1L2:
159                                 l1 = &(scontext->range.level[0]);
160                                 l2 = &(tcontext->range.level[0]);
161                                 goto mls_ops;
162                         case CEXPR_L1H2:
163                                 l1 = &(scontext->range.level[0]);
164                                 l2 = &(tcontext->range.level[1]);
165                                 goto mls_ops;
166                         case CEXPR_H1L2:
167                                 l1 = &(scontext->range.level[1]);
168                                 l2 = &(tcontext->range.level[0]);
169                                 goto mls_ops;
170                         case CEXPR_H1H2:
171                                 l1 = &(scontext->range.level[1]);
172                                 l2 = &(tcontext->range.level[1]);
173                                 goto mls_ops;
174                         case CEXPR_L1H1:
175                                 l1 = &(scontext->range.level[0]);
176                                 l2 = &(scontext->range.level[1]);
177                                 goto mls_ops;
178                         case CEXPR_L2H2:
179                                 l1 = &(tcontext->range.level[0]);
180                                 l2 = &(tcontext->range.level[1]);
181                                 goto mls_ops;
182 mls_ops:
183                         switch (e->op) {
184                         case CEXPR_EQ:
185                                 s[++sp] = mls_level_eq(l1, l2);
186                                 continue;
187                         case CEXPR_NEQ:
188                                 s[++sp] = !mls_level_eq(l1, l2);
189                                 continue;
190                         case CEXPR_DOM:
191                                 s[++sp] = mls_level_dom(l1, l2);
192                                 continue;
193                         case CEXPR_DOMBY:
194                                 s[++sp] = mls_level_dom(l2, l1);
195                                 continue;
196                         case CEXPR_INCOMP:
197                                 s[++sp] = mls_level_incomp(l2, l1);
198                                 continue;
199                         default:
200                                 BUG();
201                                 return 0;
202                         }
203                         break;
204                         default:
205                                 BUG();
206                                 return 0;
207                         }
208
209                         switch (e->op) {
210                         case CEXPR_EQ:
211                                 s[++sp] = (val1 == val2);
212                                 break;
213                         case CEXPR_NEQ:
214                                 s[++sp] = (val1 != val2);
215                                 break;
216                         default:
217                                 BUG();
218                                 return 0;
219                         }
220                         break;
221                 case CEXPR_NAMES:
222                         if (sp == (CEXPR_MAXDEPTH-1))
223                                 return 0;
224                         c = scontext;
225                         if (e->attr & CEXPR_TARGET)
226                                 c = tcontext;
227                         else if (e->attr & CEXPR_XTARGET) {
228                                 c = xcontext;
229                                 if (!c) {
230                                         BUG();
231                                         return 0;
232                                 }
233                         }
234                         if (e->attr & CEXPR_USER)
235                                 val1 = c->user;
236                         else if (e->attr & CEXPR_ROLE)
237                                 val1 = c->role;
238                         else if (e->attr & CEXPR_TYPE)
239                                 val1 = c->type;
240                         else {
241                                 BUG();
242                                 return 0;
243                         }
244
245                         switch (e->op) {
246                         case CEXPR_EQ:
247                                 s[++sp] = ebitmap_get_bit(&e->names, val1 - 1);
248                                 break;
249                         case CEXPR_NEQ:
250                                 s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1);
251                                 break;
252                         default:
253                                 BUG();
254                                 return 0;
255                         }
256                         break;
257                 default:
258                         BUG();
259                         return 0;
260                 }
261         }
262
263         BUG_ON(sp != 0);
264         return s[0];
265 }
266
267 /*
268  * Compute access vectors based on a context structure pair for
269  * the permissions in a particular class.
270  */
271 static int context_struct_compute_av(struct context *scontext,
272                                      struct context *tcontext,
273                                      u16 tclass,
274                                      u32 requested,
275                                      struct av_decision *avd)
276 {
277         struct constraint_node *constraint;
278         struct role_allow *ra;
279         struct avtab_key avkey;
280         struct avtab_node *node;
281         struct class_datum *tclass_datum;
282         struct ebitmap *sattr, *tattr;
283         struct ebitmap_node *snode, *tnode;
284         unsigned int i, j;
285
286         /*
287          * Remap extended Netlink classes for old policy versions.
288          * Do this here rather than socket_type_to_security_class()
289          * in case a newer policy version is loaded, allowing sockets
290          * to remain in the correct class.
291          */
292         if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
293                 if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&
294                     tclass <= SECCLASS_NETLINK_DNRT_SOCKET)
295                         tclass = SECCLASS_NETLINK_SOCKET;
296
297         if (!tclass || tclass > policydb.p_classes.nprim) {
298                 printk(KERN_ERR "security_compute_av:  unrecognized class %d\n",
299                        tclass);
300                 return -EINVAL;
301         }
302         tclass_datum = policydb.class_val_to_struct[tclass - 1];
303
304         /*
305          * Initialize the access vectors to the default values.
306          */
307         avd->allowed = 0;
308         avd->decided = 0xffffffff;
309         avd->auditallow = 0;
310         avd->auditdeny = 0xffffffff;
311         avd->seqno = latest_granting;
312
313         /*
314          * If a specific type enforcement rule was defined for
315          * this permission check, then use it.
316          */
317         avkey.target_class = tclass;
318         avkey.specified = AVTAB_AV;
319         sattr = &policydb.type_attr_map[scontext->type - 1];
320         tattr = &policydb.type_attr_map[tcontext->type - 1];
321         ebitmap_for_each_bit(sattr, snode, i) {
322                 if (!ebitmap_node_get_bit(snode, i))
323                         continue;
324                 ebitmap_for_each_bit(tattr, tnode, j) {
325                         if (!ebitmap_node_get_bit(tnode, j))
326                                 continue;
327                         avkey.source_type = i + 1;
328                         avkey.target_type = j + 1;
329                         for (node = avtab_search_node(&policydb.te_avtab, &avkey);
330                              node != NULL;
331                              node = avtab_search_node_next(node, avkey.specified)) {
332                                 if (node->key.specified == AVTAB_ALLOWED)
333                                         avd->allowed |= node->datum.data;
334                                 else if (node->key.specified == AVTAB_AUDITALLOW)
335                                         avd->auditallow |= node->datum.data;
336                                 else if (node->key.specified == AVTAB_AUDITDENY)
337                                         avd->auditdeny &= node->datum.data;
338                         }
339
340                         /* Check conditional av table for additional permissions */
341                         cond_compute_av(&policydb.te_cond_avtab, &avkey, avd);
342
343                 }
344         }
345
346         /*
347          * Remove any permissions prohibited by a constraint (this includes
348          * the MLS policy).
349          */
350         constraint = tclass_datum->constraints;
351         while (constraint) {
352                 if ((constraint->permissions & (avd->allowed)) &&
353                     !constraint_expr_eval(scontext, tcontext, NULL,
354                                           constraint->expr)) {
355                         avd->allowed = (avd->allowed) & ~(constraint->permissions);
356                 }
357                 constraint = constraint->next;
358         }
359
360         /*
361          * If checking process transition permission and the
362          * role is changing, then check the (current_role, new_role)
363          * pair.
364          */
365         if (tclass == SECCLASS_PROCESS &&
366             (avd->allowed & (PROCESS__TRANSITION | PROCESS__DYNTRANSITION)) &&
367             scontext->role != tcontext->role) {
368                 for (ra = policydb.role_allow; ra; ra = ra->next) {
369                         if (scontext->role == ra->role &&
370                             tcontext->role == ra->new_role)
371                                 break;
372                 }
373                 if (!ra)
374                         avd->allowed = (avd->allowed) & ~(PROCESS__TRANSITION |
375                                                         PROCESS__DYNTRANSITION);
376         }
377
378         return 0;
379 }
380
381 static int security_validtrans_handle_fail(struct context *ocontext,
382                                            struct context *ncontext,
383                                            struct context *tcontext,
384                                            u16 tclass)
385 {
386         char *o = NULL, *n = NULL, *t = NULL;
387         u32 olen, nlen, tlen;
388
389         if (context_struct_to_string(ocontext, &o, &olen) < 0)
390                 goto out;
391         if (context_struct_to_string(ncontext, &n, &nlen) < 0)
392                 goto out;
393         if (context_struct_to_string(tcontext, &t, &tlen) < 0)
394                 goto out;
395         audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
396                   "security_validate_transition:  denied for"
397                   " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
398                   o, n, t, policydb.p_class_val_to_name[tclass-1]);
399 out:
400         kfree(o);
401         kfree(n);
402         kfree(t);
403
404         if (!selinux_enforcing)
405                 return 0;
406         return -EPERM;
407 }
408
409 int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
410                                  u16 tclass)
411 {
412         struct context *ocontext;
413         struct context *ncontext;
414         struct context *tcontext;
415         struct class_datum *tclass_datum;
416         struct constraint_node *constraint;
417         int rc = 0;
418
419         if (!ss_initialized)
420                 return 0;
421
422         POLICY_RDLOCK;
423
424         /*
425          * Remap extended Netlink classes for old policy versions.
426          * Do this here rather than socket_type_to_security_class()
427          * in case a newer policy version is loaded, allowing sockets
428          * to remain in the correct class.
429          */
430         if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
431                 if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&
432                     tclass <= SECCLASS_NETLINK_DNRT_SOCKET)
433                         tclass = SECCLASS_NETLINK_SOCKET;
434
435         if (!tclass || tclass > policydb.p_classes.nprim) {
436                 printk(KERN_ERR "security_validate_transition:  "
437                        "unrecognized class %d\n", tclass);
438                 rc = -EINVAL;
439                 goto out;
440         }
441         tclass_datum = policydb.class_val_to_struct[tclass - 1];
442
443         ocontext = sidtab_search(&sidtab, oldsid);
444         if (!ocontext) {
445                 printk(KERN_ERR "security_validate_transition: "
446                        " unrecognized SID %d\n", oldsid);
447                 rc = -EINVAL;
448                 goto out;
449         }
450
451         ncontext = sidtab_search(&sidtab, newsid);
452         if (!ncontext) {
453                 printk(KERN_ERR "security_validate_transition: "
454                        " unrecognized SID %d\n", newsid);
455                 rc = -EINVAL;
456                 goto out;
457         }
458
459         tcontext = sidtab_search(&sidtab, tasksid);
460         if (!tcontext) {
461                 printk(KERN_ERR "security_validate_transition: "
462                        " unrecognized SID %d\n", tasksid);
463                 rc = -EINVAL;
464                 goto out;
465         }
466
467         constraint = tclass_datum->validatetrans;
468         while (constraint) {
469                 if (!constraint_expr_eval(ocontext, ncontext, tcontext,
470                                           constraint->expr)) {
471                         rc = security_validtrans_handle_fail(ocontext, ncontext,
472                                                              tcontext, tclass);
473                         goto out;
474                 }
475                 constraint = constraint->next;
476         }
477
478 out:
479         POLICY_RDUNLOCK;
480         return rc;
481 }
482
483 /**
484  * security_compute_av - Compute access vector decisions.
485  * @ssid: source security identifier
486  * @tsid: target security identifier
487  * @tclass: target security class
488  * @requested: requested permissions
489  * @avd: access vector decisions
490  *
491  * Compute a set of access vector decisions based on the
492  * SID pair (@ssid, @tsid) for the permissions in @tclass.
493  * Return -%EINVAL if any of the parameters are invalid or %0
494  * if the access vector decisions were computed successfully.
495  */
496 int security_compute_av(u32 ssid,
497                         u32 tsid,
498                         u16 tclass,
499                         u32 requested,
500                         struct av_decision *avd)
501 {
502         struct context *scontext = NULL, *tcontext = NULL;
503         int rc = 0;
504
505         if (!ss_initialized) {
506                 avd->allowed = 0xffffffff;
507                 avd->decided = 0xffffffff;
508                 avd->auditallow = 0;
509                 avd->auditdeny = 0xffffffff;
510                 avd->seqno = latest_granting;
511                 return 0;
512         }
513
514         POLICY_RDLOCK;
515
516         scontext = sidtab_search(&sidtab, ssid);
517         if (!scontext) {
518                 printk(KERN_ERR "security_compute_av:  unrecognized SID %d\n",
519                        ssid);
520                 rc = -EINVAL;
521                 goto out;
522         }
523         tcontext = sidtab_search(&sidtab, tsid);
524         if (!tcontext) {
525                 printk(KERN_ERR "security_compute_av:  unrecognized SID %d\n",
526                        tsid);
527                 rc = -EINVAL;
528                 goto out;
529         }
530
531         rc = context_struct_compute_av(scontext, tcontext, tclass,
532                                        requested, avd);
533 out:
534         POLICY_RDUNLOCK;
535         return rc;
536 }
537
538 /*
539  * Write the security context string representation of
540  * the context structure `context' into a dynamically
541  * allocated string of the correct size.  Set `*scontext'
542  * to point to this string and set `*scontext_len' to
543  * the length of the string.
544  */
545 static int context_struct_to_string(struct context *context, char **scontext, u32 *scontext_len)
546 {
547         char *scontextp;
548
549         *scontext = NULL;
550         *scontext_len = 0;
551
552         /* Compute the size of the context. */
553         *scontext_len += strlen(policydb.p_user_val_to_name[context->user - 1]) + 1;
554         *scontext_len += strlen(policydb.p_role_val_to_name[context->role - 1]) + 1;
555         *scontext_len += strlen(policydb.p_type_val_to_name[context->type - 1]) + 1;
556         *scontext_len += mls_compute_context_len(context);
557
558         /* Allocate space for the context; caller must free this space. */
559         scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
560         if (!scontextp) {
561                 return -ENOMEM;
562         }
563         *scontext = scontextp;
564
565         /*
566          * Copy the user name, role name and type name into the context.
567          */
568         sprintf(scontextp, "%s:%s:%s",
569                 policydb.p_user_val_to_name[context->user - 1],
570                 policydb.p_role_val_to_name[context->role - 1],
571                 policydb.p_type_val_to_name[context->type - 1]);
572         scontextp += strlen(policydb.p_user_val_to_name[context->user - 1]) +
573                      1 + strlen(policydb.p_role_val_to_name[context->role - 1]) +
574                      1 + strlen(policydb.p_type_val_to_name[context->type - 1]);
575
576         mls_sid_to_context(context, &scontextp);
577
578         *scontextp = 0;
579
580         return 0;
581 }
582
583 #include "initial_sid_to_string.h"
584
585 /**
586  * security_sid_to_context - Obtain a context for a given SID.
587  * @sid: security identifier, SID
588  * @scontext: security context
589  * @scontext_len: length in bytes
590  *
591  * Write the string representation of the context associated with @sid
592  * into a dynamically allocated string of the correct size.  Set @scontext
593  * to point to this string and set @scontext_len to the length of the string.
594  */
595 int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
596 {
597         struct context *context;
598         int rc = 0;
599
600         if (!ss_initialized) {
601                 if (sid <= SECINITSID_NUM) {
602                         char *scontextp;
603
604                         *scontext_len = strlen(initial_sid_to_string[sid]) + 1;
605                         scontextp = kmalloc(*scontext_len,GFP_ATOMIC);
606                         if (!scontextp) {
607                                 rc = -ENOMEM;
608                                 goto out;
609                         }
610                         strcpy(scontextp, initial_sid_to_string[sid]);
611                         *scontext = scontextp;
612                         goto out;
613                 }
614                 printk(KERN_ERR "security_sid_to_context:  called before initial "
615                        "load_policy on unknown SID %d\n", sid);
616                 rc = -EINVAL;
617                 goto out;
618         }
619         POLICY_RDLOCK;
620         context = sidtab_search(&sidtab, sid);
621         if (!context) {
622                 printk(KERN_ERR "security_sid_to_context:  unrecognized SID "
623                        "%d\n", sid);
624                 rc = -EINVAL;
625                 goto out_unlock;
626         }
627         rc = context_struct_to_string(context, scontext, scontext_len);
628 out_unlock:
629         POLICY_RDUNLOCK;
630 out:
631         return rc;
632
633 }
634
635 static int security_context_to_sid_core(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid)
636 {
637         char *scontext2;
638         struct context context;
639         struct role_datum *role;
640         struct type_datum *typdatum;
641         struct user_datum *usrdatum;
642         char *scontextp, *p, oldc;
643         int rc = 0;
644
645         if (!ss_initialized) {
646                 int i;
647
648                 for (i = 1; i < SECINITSID_NUM; i++) {
649                         if (!strcmp(initial_sid_to_string[i], scontext)) {
650                                 *sid = i;
651                                 goto out;
652                         }
653                 }
654                 *sid = SECINITSID_KERNEL;
655                 goto out;
656         }
657         *sid = SECSID_NULL;
658
659         /* Copy the string so that we can modify the copy as we parse it.
660            The string should already by null terminated, but we append a
661            null suffix to the copy to avoid problems with the existing
662            attr package, which doesn't view the null terminator as part
663            of the attribute value. */
664         scontext2 = kmalloc(scontext_len+1,GFP_KERNEL);
665         if (!scontext2) {
666                 rc = -ENOMEM;
667                 goto out;
668         }
669         memcpy(scontext2, scontext, scontext_len);
670         scontext2[scontext_len] = 0;
671
672         context_init(&context);
673         *sid = SECSID_NULL;
674
675         POLICY_RDLOCK;
676
677         /* Parse the security context. */
678
679         rc = -EINVAL;
680         scontextp = (char *) scontext2;
681
682         /* Extract the user. */
683         p = scontextp;
684         while (*p && *p != ':')
685                 p++;
686
687         if (*p == 0)
688                 goto out_unlock;
689
690         *p++ = 0;
691
692         usrdatum = hashtab_search(policydb.p_users.table, scontextp);
693         if (!usrdatum)
694                 goto out_unlock;
695
696         context.user = usrdatum->value;
697
698         /* Extract role. */
699         scontextp = p;
700         while (*p && *p != ':')
701                 p++;
702
703         if (*p == 0)
704                 goto out_unlock;
705
706         *p++ = 0;
707
708         role = hashtab_search(policydb.p_roles.table, scontextp);
709         if (!role)
710                 goto out_unlock;
711         context.role = role->value;
712
713         /* Extract type. */
714         scontextp = p;
715         while (*p && *p != ':')
716                 p++;
717         oldc = *p;
718         *p++ = 0;
719
720         typdatum = hashtab_search(policydb.p_types.table, scontextp);
721         if (!typdatum)
722                 goto out_unlock;
723
724         context.type = typdatum->value;
725
726         rc = mls_context_to_sid(oldc, &p, &context, &sidtab, def_sid);
727         if (rc)
728                 goto out_unlock;
729
730         if ((p - scontext2) < scontext_len) {
731                 rc = -EINVAL;
732                 goto out_unlock;
733         }
734
735         /* Check the validity of the new context. */
736         if (!policydb_context_isvalid(&policydb, &context)) {
737                 rc = -EINVAL;
738                 goto out_unlock;
739         }
740         /* Obtain the new sid. */
741         rc = sidtab_context_to_sid(&sidtab, &context, sid);
742 out_unlock:
743         POLICY_RDUNLOCK;
744         context_destroy(&context);
745         kfree(scontext2);
746 out:
747         return rc;
748 }
749
750 /**
751  * security_context_to_sid - Obtain a SID for a given security context.
752  * @scontext: security context
753  * @scontext_len: length in bytes
754  * @sid: security identifier, SID
755  *
756  * Obtains a SID associated with the security context that
757  * has the string representation specified by @scontext.
758  * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
759  * memory is available, or 0 on success.
760  */
761 int security_context_to_sid(char *scontext, u32 scontext_len, u32 *sid)
762 {
763         return security_context_to_sid_core(scontext, scontext_len,
764                                             sid, SECSID_NULL);
765 }
766
767 /**
768  * security_context_to_sid_default - Obtain a SID for a given security context,
769  * falling back to specified default if needed.
770  *
771  * @scontext: security context
772  * @scontext_len: length in bytes
773  * @sid: security identifier, SID
774  * @def_sid: default SID to assign on errror
775  *
776  * Obtains a SID associated with the security context that
777  * has the string representation specified by @scontext.
778  * The default SID is passed to the MLS layer to be used to allow
779  * kernel labeling of the MLS field if the MLS field is not present
780  * (for upgrading to MLS without full relabel).
781  * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
782  * memory is available, or 0 on success.
783  */
784 int security_context_to_sid_default(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid)
785 {
786         return security_context_to_sid_core(scontext, scontext_len,
787                                             sid, def_sid);
788 }
789
790 static int compute_sid_handle_invalid_context(
791         struct context *scontext,
792         struct context *tcontext,
793         u16 tclass,
794         struct context *newcontext)
795 {
796         char *s = NULL, *t = NULL, *n = NULL;
797         u32 slen, tlen, nlen;
798
799         if (context_struct_to_string(scontext, &s, &slen) < 0)
800                 goto out;
801         if (context_struct_to_string(tcontext, &t, &tlen) < 0)
802                 goto out;
803         if (context_struct_to_string(newcontext, &n, &nlen) < 0)
804                 goto out;
805         audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
806                   "security_compute_sid:  invalid context %s"
807                   " for scontext=%s"
808                   " tcontext=%s"
809                   " tclass=%s",
810                   n, s, t, policydb.p_class_val_to_name[tclass-1]);
811 out:
812         kfree(s);
813         kfree(t);
814         kfree(n);
815         if (!selinux_enforcing)
816                 return 0;
817         return -EACCES;
818 }
819
820 static int security_compute_sid(u32 ssid,
821                                 u32 tsid,
822                                 u16 tclass,
823                                 u32 specified,
824                                 u32 *out_sid)
825 {
826         struct context *scontext = NULL, *tcontext = NULL, newcontext;
827         struct role_trans *roletr = NULL;
828         struct avtab_key avkey;
829         struct avtab_datum *avdatum;
830         struct avtab_node *node;
831         int rc = 0;
832
833         if (!ss_initialized) {
834                 switch (tclass) {
835                 case SECCLASS_PROCESS:
836                         *out_sid = ssid;
837                         break;
838                 default:
839                         *out_sid = tsid;
840                         break;
841                 }
842                 goto out;
843         }
844
845         context_init(&newcontext);
846
847         POLICY_RDLOCK;
848
849         scontext = sidtab_search(&sidtab, ssid);
850         if (!scontext) {
851                 printk(KERN_ERR "security_compute_sid:  unrecognized SID %d\n",
852                        ssid);
853                 rc = -EINVAL;
854                 goto out_unlock;
855         }
856         tcontext = sidtab_search(&sidtab, tsid);
857         if (!tcontext) {
858                 printk(KERN_ERR "security_compute_sid:  unrecognized SID %d\n",
859                        tsid);
860                 rc = -EINVAL;
861                 goto out_unlock;
862         }
863
864         /* Set the user identity. */
865         switch (specified) {
866         case AVTAB_TRANSITION:
867         case AVTAB_CHANGE:
868                 /* Use the process user identity. */
869                 newcontext.user = scontext->user;
870                 break;
871         case AVTAB_MEMBER:
872                 /* Use the related object owner. */
873                 newcontext.user = tcontext->user;
874                 break;
875         }
876
877         /* Set the role and type to default values. */
878         switch (tclass) {
879         case SECCLASS_PROCESS:
880                 /* Use the current role and type of process. */
881                 newcontext.role = scontext->role;
882                 newcontext.type = scontext->type;
883                 break;
884         default:
885                 /* Use the well-defined object role. */
886                 newcontext.role = OBJECT_R_VAL;
887                 /* Use the type of the related object. */
888                 newcontext.type = tcontext->type;
889         }
890
891         /* Look for a type transition/member/change rule. */
892         avkey.source_type = scontext->type;
893         avkey.target_type = tcontext->type;
894         avkey.target_class = tclass;
895         avkey.specified = specified;
896         avdatum = avtab_search(&policydb.te_avtab, &avkey);
897
898         /* If no permanent rule, also check for enabled conditional rules */
899         if(!avdatum) {
900                 node = avtab_search_node(&policydb.te_cond_avtab, &avkey);
901                 for (; node != NULL; node = avtab_search_node_next(node, specified)) {
902                         if (node->key.specified & AVTAB_ENABLED) {
903                                 avdatum = &node->datum;
904                                 break;
905                         }
906                 }
907         }
908
909         if (avdatum) {
910                 /* Use the type from the type transition/member/change rule. */
911                 newcontext.type = avdatum->data;
912         }
913
914         /* Check for class-specific changes. */
915         switch (tclass) {
916         case SECCLASS_PROCESS:
917                 if (specified & AVTAB_TRANSITION) {
918                         /* Look for a role transition rule. */
919                         for (roletr = policydb.role_tr; roletr;
920                              roletr = roletr->next) {
921                                 if (roletr->role == scontext->role &&
922                                     roletr->type == tcontext->type) {
923                                         /* Use the role transition rule. */
924                                         newcontext.role = roletr->new_role;
925                                         break;
926                                 }
927                         }
928                 }
929                 break;
930         default:
931                 break;
932         }
933
934         /* Set the MLS attributes.
935            This is done last because it may allocate memory. */
936         rc = mls_compute_sid(scontext, tcontext, tclass, specified, &newcontext);
937         if (rc)
938                 goto out_unlock;
939
940         /* Check the validity of the context. */
941         if (!policydb_context_isvalid(&policydb, &newcontext)) {
942                 rc = compute_sid_handle_invalid_context(scontext,
943                                                         tcontext,
944                                                         tclass,
945                                                         &newcontext);
946                 if (rc)
947                         goto out_unlock;
948         }
949         /* Obtain the sid for the context. */
950         rc = sidtab_context_to_sid(&sidtab, &newcontext, out_sid);
951 out_unlock:
952         POLICY_RDUNLOCK;
953         context_destroy(&newcontext);
954 out:
955         return rc;
956 }
957
958 /**
959  * security_transition_sid - Compute the SID for a new subject/object.
960  * @ssid: source security identifier
961  * @tsid: target security identifier
962  * @tclass: target security class
963  * @out_sid: security identifier for new subject/object
964  *
965  * Compute a SID to use for labeling a new subject or object in the
966  * class @tclass based on a SID pair (@ssid, @tsid).
967  * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
968  * if insufficient memory is available, or %0 if the new SID was
969  * computed successfully.
970  */
971 int security_transition_sid(u32 ssid,
972                             u32 tsid,
973                             u16 tclass,
974                             u32 *out_sid)
975 {
976         return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, out_sid);
977 }
978
979 /**
980  * security_member_sid - Compute the SID for member selection.
981  * @ssid: source security identifier
982  * @tsid: target security identifier
983  * @tclass: target security class
984  * @out_sid: security identifier for selected member
985  *
986  * Compute a SID to use when selecting a member of a polyinstantiated
987  * object of class @tclass based on a SID pair (@ssid, @tsid).
988  * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
989  * if insufficient memory is available, or %0 if the SID was
990  * computed successfully.
991  */
992 int security_member_sid(u32 ssid,
993                         u32 tsid,
994                         u16 tclass,
995                         u32 *out_sid)
996 {
997         return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid);
998 }
999
1000 /**
1001  * security_change_sid - Compute the SID for object relabeling.
1002  * @ssid: source security identifier
1003  * @tsid: target security identifier
1004  * @tclass: target security class
1005  * @out_sid: security identifier for selected member
1006  *
1007  * Compute a SID to use for relabeling an object of class @tclass
1008  * based on a SID pair (@ssid, @tsid).
1009  * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
1010  * if insufficient memory is available, or %0 if the SID was
1011  * computed successfully.
1012  */
1013 int security_change_sid(u32 ssid,
1014                         u32 tsid,
1015                         u16 tclass,
1016                         u32 *out_sid)
1017 {
1018         return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid);
1019 }
1020
1021 /*
1022  * Verify that each permission that is defined under the
1023  * existing policy is still defined with the same value
1024  * in the new policy.
1025  */
1026 static int validate_perm(void *key, void *datum, void *p)
1027 {
1028         struct hashtab *h;
1029         struct perm_datum *perdatum, *perdatum2;
1030         int rc = 0;
1031
1032
1033         h = p;
1034         perdatum = datum;
1035
1036         perdatum2 = hashtab_search(h, key);
1037         if (!perdatum2) {
1038                 printk(KERN_ERR "security:  permission %s disappeared",
1039                        (char *)key);
1040                 rc = -ENOENT;
1041                 goto out;
1042         }
1043         if (perdatum->value != perdatum2->value) {
1044                 printk(KERN_ERR "security:  the value of permission %s changed",
1045                        (char *)key);
1046                 rc = -EINVAL;
1047         }
1048 out:
1049         return rc;
1050 }
1051
1052 /*
1053  * Verify that each class that is defined under the
1054  * existing policy is still defined with the same
1055  * attributes in the new policy.
1056  */
1057 static int validate_class(void *key, void *datum, void *p)
1058 {
1059         struct policydb *newp;
1060         struct class_datum *cladatum, *cladatum2;
1061         int rc;
1062
1063         newp = p;
1064         cladatum = datum;
1065
1066         cladatum2 = hashtab_search(newp->p_classes.table, key);
1067         if (!cladatum2) {
1068                 printk(KERN_ERR "security:  class %s disappeared\n",
1069                        (char *)key);
1070                 rc = -ENOENT;
1071                 goto out;
1072         }
1073         if (cladatum->value != cladatum2->value) {
1074                 printk(KERN_ERR "security:  the value of class %s changed\n",
1075                        (char *)key);
1076                 rc = -EINVAL;
1077                 goto out;
1078         }
1079         if ((cladatum->comdatum && !cladatum2->comdatum) ||
1080             (!cladatum->comdatum && cladatum2->comdatum)) {
1081                 printk(KERN_ERR "security:  the inherits clause for the access "
1082                        "vector definition for class %s changed\n", (char *)key);
1083                 rc = -EINVAL;
1084                 goto out;
1085         }
1086         if (cladatum->comdatum) {
1087                 rc = hashtab_map(cladatum->comdatum->permissions.table, validate_perm,
1088                                  cladatum2->comdatum->permissions.table);
1089                 if (rc) {
1090                         printk(" in the access vector definition for class "
1091                                "%s\n", (char *)key);
1092                         goto out;
1093                 }
1094         }
1095         rc = hashtab_map(cladatum->permissions.table, validate_perm,
1096                          cladatum2->permissions.table);
1097         if (rc)
1098                 printk(" in access vector definition for class %s\n",
1099                        (char *)key);
1100 out:
1101         return rc;
1102 }
1103
1104 /* Clone the SID into the new SID table. */
1105 static int clone_sid(u32 sid,
1106                      struct context *context,
1107                      void *arg)
1108 {
1109         struct sidtab *s = arg;
1110
1111         return sidtab_insert(s, sid, context);
1112 }
1113
1114 static inline int convert_context_handle_invalid_context(struct context *context)
1115 {
1116         int rc = 0;
1117
1118         if (selinux_enforcing) {
1119                 rc = -EINVAL;
1120         } else {
1121                 char *s;
1122                 u32 len;
1123
1124                 context_struct_to_string(context, &s, &len);
1125                 printk(KERN_ERR "security:  context %s is invalid\n", s);
1126                 kfree(s);
1127         }
1128         return rc;
1129 }
1130
1131 struct convert_context_args {
1132         struct policydb *oldp;
1133         struct policydb *newp;
1134 };
1135
1136 /*
1137  * Convert the values in the security context
1138  * structure `c' from the values specified
1139  * in the policy `p->oldp' to the values specified
1140  * in the policy `p->newp'.  Verify that the
1141  * context is valid under the new policy.
1142  */
1143 static int convert_context(u32 key,
1144                            struct context *c,
1145                            void *p)
1146 {
1147         struct convert_context_args *args;
1148         struct context oldc;
1149         struct role_datum *role;
1150         struct type_datum *typdatum;
1151         struct user_datum *usrdatum;
1152         char *s;
1153         u32 len;
1154         int rc;
1155
1156         args = p;
1157
1158         rc = context_cpy(&oldc, c);
1159         if (rc)
1160                 goto out;
1161
1162         rc = -EINVAL;
1163
1164         /* Convert the user. */
1165         usrdatum = hashtab_search(args->newp->p_users.table,
1166                                   args->oldp->p_user_val_to_name[c->user - 1]);
1167         if (!usrdatum) {
1168                 goto bad;
1169         }
1170         c->user = usrdatum->value;
1171
1172         /* Convert the role. */
1173         role = hashtab_search(args->newp->p_roles.table,
1174                               args->oldp->p_role_val_to_name[c->role - 1]);
1175         if (!role) {
1176                 goto bad;
1177         }
1178         c->role = role->value;
1179
1180         /* Convert the type. */
1181         typdatum = hashtab_search(args->newp->p_types.table,
1182                                   args->oldp->p_type_val_to_name[c->type - 1]);
1183         if (!typdatum) {
1184                 goto bad;
1185         }
1186         c->type = typdatum->value;
1187
1188         rc = mls_convert_context(args->oldp, args->newp, c);
1189         if (rc)
1190                 goto bad;
1191
1192         /* Check the validity of the new context. */
1193         if (!policydb_context_isvalid(args->newp, c)) {
1194                 rc = convert_context_handle_invalid_context(&oldc);
1195                 if (rc)
1196                         goto bad;
1197         }
1198
1199         context_destroy(&oldc);
1200 out:
1201         return rc;
1202 bad:
1203         context_struct_to_string(&oldc, &s, &len);
1204         context_destroy(&oldc);
1205         printk(KERN_ERR "security:  invalidating context %s\n", s);
1206         kfree(s);
1207         goto out;
1208 }
1209
1210 extern void selinux_complete_init(void);
1211
1212 /**
1213  * security_load_policy - Load a security policy configuration.
1214  * @data: binary policy data
1215  * @len: length of data in bytes
1216  *
1217  * Load a new set of security policy configuration data,
1218  * validate it and convert the SID table as necessary.
1219  * This function will flush the access vector cache after
1220  * loading the new policy.
1221  */
1222 int security_load_policy(void *data, size_t len)
1223 {
1224         struct policydb oldpolicydb, newpolicydb;
1225         struct sidtab oldsidtab, newsidtab;
1226         struct convert_context_args args;
1227         u32 seqno;
1228         int rc = 0;
1229         struct policy_file file = { data, len }, *fp = &file;
1230
1231         LOAD_LOCK;
1232
1233         if (!ss_initialized) {
1234                 avtab_cache_init();
1235                 if (policydb_read(&policydb, fp)) {
1236                         LOAD_UNLOCK;
1237                         avtab_cache_destroy();
1238                         return -EINVAL;
1239                 }
1240                 if (policydb_load_isids(&policydb, &sidtab)) {
1241                         LOAD_UNLOCK;
1242                         policydb_destroy(&policydb);
1243                         avtab_cache_destroy();
1244                         return -EINVAL;
1245                 }
1246                 policydb_loaded_version = policydb.policyvers;
1247                 ss_initialized = 1;
1248                 seqno = ++latest_granting;
1249                 LOAD_UNLOCK;
1250                 selinux_complete_init();
1251                 avc_ss_reset(seqno);
1252                 selnl_notify_policyload(seqno);
1253                 selinux_netlbl_cache_invalidate();
1254                 return 0;
1255         }
1256
1257 #if 0
1258         sidtab_hash_eval(&sidtab, "sids");
1259 #endif
1260
1261         if (policydb_read(&newpolicydb, fp)) {
1262                 LOAD_UNLOCK;
1263                 return -EINVAL;
1264         }
1265
1266         sidtab_init(&newsidtab);
1267
1268         /* Verify that the existing classes did not change. */
1269         if (hashtab_map(policydb.p_classes.table, validate_class, &newpolicydb)) {
1270                 printk(KERN_ERR "security:  the definition of an existing "
1271                        "class changed\n");
1272                 rc = -EINVAL;
1273                 goto err;
1274         }
1275
1276         /* Clone the SID table. */
1277         sidtab_shutdown(&sidtab);
1278         if (sidtab_map(&sidtab, clone_sid, &newsidtab)) {
1279                 rc = -ENOMEM;
1280                 goto err;
1281         }
1282
1283         /* Convert the internal representations of contexts
1284            in the new SID table and remove invalid SIDs. */
1285         args.oldp = &policydb;
1286         args.newp = &newpolicydb;
1287         sidtab_map_remove_on_error(&newsidtab, convert_context, &args);
1288
1289         /* Save the old policydb and SID table to free later. */
1290         memcpy(&oldpolicydb, &policydb, sizeof policydb);
1291         sidtab_set(&oldsidtab, &sidtab);
1292
1293         /* Install the new policydb and SID table. */
1294         POLICY_WRLOCK;
1295         memcpy(&policydb, &newpolicydb, sizeof policydb);
1296         sidtab_set(&sidtab, &newsidtab);
1297         seqno = ++latest_granting;
1298         policydb_loaded_version = policydb.policyvers;
1299         POLICY_WRUNLOCK;
1300         LOAD_UNLOCK;
1301
1302         /* Free the old policydb and SID table. */
1303         policydb_destroy(&oldpolicydb);
1304         sidtab_destroy(&oldsidtab);
1305
1306         avc_ss_reset(seqno);
1307         selnl_notify_policyload(seqno);
1308         selinux_netlbl_cache_invalidate();
1309
1310         return 0;
1311
1312 err:
1313         LOAD_UNLOCK;
1314         sidtab_destroy(&newsidtab);
1315         policydb_destroy(&newpolicydb);
1316         return rc;
1317
1318 }
1319
1320 /**
1321  * security_port_sid - Obtain the SID for a port.
1322  * @domain: communication domain aka address family
1323  * @type: socket type
1324  * @protocol: protocol number
1325  * @port: port number
1326  * @out_sid: security identifier
1327  */
1328 int security_port_sid(u16 domain,
1329                       u16 type,
1330                       u8 protocol,
1331                       u16 port,
1332                       u32 *out_sid)
1333 {
1334         struct ocontext *c;
1335         int rc = 0;
1336
1337         POLICY_RDLOCK;
1338
1339         c = policydb.ocontexts[OCON_PORT];
1340         while (c) {
1341                 if (c->u.port.protocol == protocol &&
1342                     c->u.port.low_port <= port &&
1343                     c->u.port.high_port >= port)
1344                         break;
1345                 c = c->next;
1346         }
1347
1348         if (c) {
1349                 if (!c->sid[0]) {
1350                         rc = sidtab_context_to_sid(&sidtab,
1351                                                    &c->context[0],
1352                                                    &c->sid[0]);
1353                         if (rc)
1354                                 goto out;
1355                 }
1356                 *out_sid = c->sid[0];
1357         } else {
1358                 *out_sid = SECINITSID_PORT;
1359         }
1360
1361 out:
1362         POLICY_RDUNLOCK;
1363         return rc;
1364 }
1365
1366 /**
1367  * security_netif_sid - Obtain the SID for a network interface.
1368  * @name: interface name
1369  * @if_sid: interface SID
1370  * @msg_sid: default SID for received packets
1371  */
1372 int security_netif_sid(char *name,
1373                        u32 *if_sid,
1374                        u32 *msg_sid)
1375 {
1376         int rc = 0;
1377         struct ocontext *c;
1378
1379         POLICY_RDLOCK;
1380
1381         c = policydb.ocontexts[OCON_NETIF];
1382         while (c) {
1383                 if (strcmp(name, c->u.name) == 0)
1384                         break;
1385                 c = c->next;
1386         }
1387
1388         if (c) {
1389                 if (!c->sid[0] || !c->sid[1]) {
1390                         rc = sidtab_context_to_sid(&sidtab,
1391                                                   &c->context[0],
1392                                                   &c->sid[0]);
1393                         if (rc)
1394                                 goto out;
1395                         rc = sidtab_context_to_sid(&sidtab,
1396                                                    &c->context[1],
1397                                                    &c->sid[1]);
1398                         if (rc)
1399                                 goto out;
1400                 }
1401                 *if_sid = c->sid[0];
1402                 *msg_sid = c->sid[1];
1403         } else {
1404                 *if_sid = SECINITSID_NETIF;
1405                 *msg_sid = SECINITSID_NETMSG;
1406         }
1407
1408 out:
1409         POLICY_RDUNLOCK;
1410         return rc;
1411 }
1412
1413 static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask)
1414 {
1415         int i, fail = 0;
1416
1417         for(i = 0; i < 4; i++)
1418                 if(addr[i] != (input[i] & mask[i])) {
1419                         fail = 1;
1420                         break;
1421                 }
1422
1423         return !fail;
1424 }
1425
1426 /**
1427  * security_node_sid - Obtain the SID for a node (host).
1428  * @domain: communication domain aka address family
1429  * @addrp: address
1430  * @addrlen: address length in bytes
1431  * @out_sid: security identifier
1432  */
1433 int security_node_sid(u16 domain,
1434                       void *addrp,
1435                       u32 addrlen,
1436                       u32 *out_sid)
1437 {
1438         int rc = 0;
1439         struct ocontext *c;
1440
1441         POLICY_RDLOCK;
1442
1443         switch (domain) {
1444         case AF_INET: {
1445                 u32 addr;
1446
1447                 if (addrlen != sizeof(u32)) {
1448                         rc = -EINVAL;
1449                         goto out;
1450                 }
1451
1452                 addr = *((u32 *)addrp);
1453
1454                 c = policydb.ocontexts[OCON_NODE];
1455                 while (c) {
1456                         if (c->u.node.addr == (addr & c->u.node.mask))
1457                                 break;
1458                         c = c->next;
1459                 }
1460                 break;
1461         }
1462
1463         case AF_INET6:
1464                 if (addrlen != sizeof(u64) * 2) {
1465                         rc = -EINVAL;
1466                         goto out;
1467                 }
1468                 c = policydb.ocontexts[OCON_NODE6];
1469                 while (c) {
1470                         if (match_ipv6_addrmask(addrp, c->u.node6.addr,
1471                                                 c->u.node6.mask))
1472                                 break;
1473                         c = c->next;
1474                 }
1475                 break;
1476
1477         default:
1478                 *out_sid = SECINITSID_NODE;
1479                 goto out;
1480         }
1481
1482         if (c) {
1483                 if (!c->sid[0]) {
1484                         rc = sidtab_context_to_sid(&sidtab,
1485                                                    &c->context[0],
1486                                                    &c->sid[0]);
1487                         if (rc)
1488                                 goto out;
1489                 }
1490                 *out_sid = c->sid[0];
1491         } else {
1492                 *out_sid = SECINITSID_NODE;
1493         }
1494
1495 out:
1496         POLICY_RDUNLOCK;
1497         return rc;
1498 }
1499
1500 #define SIDS_NEL 25
1501
1502 /**
1503  * security_get_user_sids - Obtain reachable SIDs for a user.
1504  * @fromsid: starting SID
1505  * @username: username
1506  * @sids: array of reachable SIDs for user
1507  * @nel: number of elements in @sids
1508  *
1509  * Generate the set of SIDs for legal security contexts
1510  * for a given user that can be reached by @fromsid.
1511  * Set *@sids to point to a dynamically allocated
1512  * array containing the set of SIDs.  Set *@nel to the
1513  * number of elements in the array.
1514  */
1515
1516 int security_get_user_sids(u32 fromsid,
1517                            char *username,
1518                            u32 **sids,
1519                            u32 *nel)
1520 {
1521         struct context *fromcon, usercon;
1522         u32 *mysids, *mysids2, sid;
1523         u32 mynel = 0, maxnel = SIDS_NEL;
1524         struct user_datum *user;
1525         struct role_datum *role;
1526         struct av_decision avd;
1527         struct ebitmap_node *rnode, *tnode;
1528         int rc = 0, i, j;
1529
1530         if (!ss_initialized) {
1531                 *sids = NULL;
1532                 *nel = 0;
1533                 goto out;
1534         }
1535
1536         POLICY_RDLOCK;
1537
1538         fromcon = sidtab_search(&sidtab, fromsid);
1539         if (!fromcon) {
1540                 rc = -EINVAL;
1541                 goto out_unlock;
1542         }
1543
1544         user = hashtab_search(policydb.p_users.table, username);
1545         if (!user) {
1546                 rc = -EINVAL;
1547                 goto out_unlock;
1548         }
1549         usercon.user = user->value;
1550
1551         mysids = kcalloc(maxnel, sizeof(*mysids), GFP_ATOMIC);
1552         if (!mysids) {
1553                 rc = -ENOMEM;
1554                 goto out_unlock;
1555         }
1556
1557         ebitmap_for_each_bit(&user->roles, rnode, i) {
1558                 if (!ebitmap_node_get_bit(rnode, i))
1559                         continue;
1560                 role = policydb.role_val_to_struct[i];
1561                 usercon.role = i+1;
1562                 ebitmap_for_each_bit(&role->types, tnode, j) {
1563                         if (!ebitmap_node_get_bit(tnode, j))
1564                                 continue;
1565                         usercon.type = j+1;
1566
1567                         if (mls_setup_user_range(fromcon, user, &usercon))
1568                                 continue;
1569
1570                         rc = context_struct_compute_av(fromcon, &usercon,
1571                                                        SECCLASS_PROCESS,
1572                                                        PROCESS__TRANSITION,
1573                                                        &avd);
1574                         if (rc ||  !(avd.allowed & PROCESS__TRANSITION))
1575                                 continue;
1576                         rc = sidtab_context_to_sid(&sidtab, &usercon, &sid);
1577                         if (rc) {
1578                                 kfree(mysids);
1579                                 goto out_unlock;
1580                         }
1581                         if (mynel < maxnel) {
1582                                 mysids[mynel++] = sid;
1583                         } else {
1584                                 maxnel += SIDS_NEL;
1585                                 mysids2 = kcalloc(maxnel, sizeof(*mysids2), GFP_ATOMIC);
1586                                 if (!mysids2) {
1587                                         rc = -ENOMEM;
1588                                         kfree(mysids);
1589                                         goto out_unlock;
1590                                 }
1591                                 memcpy(mysids2, mysids, mynel * sizeof(*mysids2));
1592                                 kfree(mysids);
1593                                 mysids = mysids2;
1594                                 mysids[mynel++] = sid;
1595                         }
1596                 }
1597         }
1598
1599         *sids = mysids;
1600         *nel = mynel;
1601
1602 out_unlock:
1603         POLICY_RDUNLOCK;
1604 out:
1605         return rc;
1606 }
1607
1608 /**
1609  * security_genfs_sid - Obtain a SID for a file in a filesystem
1610  * @fstype: filesystem type
1611  * @path: path from root of mount
1612  * @sclass: file security class
1613  * @sid: SID for path
1614  *
1615  * Obtain a SID to use for a file in a filesystem that
1616  * cannot support xattr or use a fixed labeling behavior like
1617  * transition SIDs or task SIDs.
1618  */
1619 int security_genfs_sid(const char *fstype,
1620                        char *path,
1621                        u16 sclass,
1622                        u32 *sid)
1623 {
1624         int len;
1625         struct genfs *genfs;
1626         struct ocontext *c;
1627         int rc = 0, cmp = 0;
1628
1629         POLICY_RDLOCK;
1630
1631         for (genfs = policydb.genfs; genfs; genfs = genfs->next) {
1632                 cmp = strcmp(fstype, genfs->fstype);
1633                 if (cmp <= 0)
1634                         break;
1635         }
1636
1637         if (!genfs || cmp) {
1638                 *sid = SECINITSID_UNLABELED;
1639                 rc = -ENOENT;
1640                 goto out;
1641         }
1642
1643         for (c = genfs->head; c; c = c->next) {
1644                 len = strlen(c->u.name);
1645                 if ((!c->v.sclass || sclass == c->v.sclass) &&
1646                     (strncmp(c->u.name, path, len) == 0))
1647                         break;
1648         }
1649
1650         if (!c) {
1651                 *sid = SECINITSID_UNLABELED;
1652                 rc = -ENOENT;
1653                 goto out;
1654         }
1655
1656         if (!c->sid[0]) {
1657                 rc = sidtab_context_to_sid(&sidtab,
1658                                            &c->context[0],
1659                                            &c->sid[0]);
1660                 if (rc)
1661                         goto out;
1662         }
1663
1664         *sid = c->sid[0];
1665 out:
1666         POLICY_RDUNLOCK;
1667         return rc;
1668 }
1669
1670 /**
1671  * security_fs_use - Determine how to handle labeling for a filesystem.
1672  * @fstype: filesystem type
1673  * @behavior: labeling behavior
1674  * @sid: SID for filesystem (superblock)
1675  */
1676 int security_fs_use(
1677         const char *fstype,
1678         unsigned int *behavior,
1679         u32 *sid)
1680 {
1681         int rc = 0;
1682         struct ocontext *c;
1683
1684         POLICY_RDLOCK;
1685
1686         c = policydb.ocontexts[OCON_FSUSE];
1687         while (c) {
1688                 if (strcmp(fstype, c->u.name) == 0)
1689                         break;
1690                 c = c->next;
1691         }
1692
1693         if (c) {
1694                 *behavior = c->v.behavior;
1695                 if (!c->sid[0]) {
1696                         rc = sidtab_context_to_sid(&sidtab,
1697                                                    &c->context[0],
1698                                                    &c->sid[0]);
1699                         if (rc)
1700                                 goto out;
1701                 }
1702                 *sid = c->sid[0];
1703         } else {
1704                 rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, sid);
1705                 if (rc) {
1706                         *behavior = SECURITY_FS_USE_NONE;
1707                         rc = 0;
1708                 } else {
1709                         *behavior = SECURITY_FS_USE_GENFS;
1710                 }
1711         }
1712
1713 out:
1714         POLICY_RDUNLOCK;
1715         return rc;
1716 }
1717
1718 int security_get_bools(int *len, char ***names, int **values)
1719 {
1720         int i, rc = -ENOMEM;
1721
1722         POLICY_RDLOCK;
1723         *names = NULL;
1724         *values = NULL;
1725
1726         *len = policydb.p_bools.nprim;
1727         if (!*len) {
1728                 rc = 0;
1729                 goto out;
1730         }
1731
1732        *names = kcalloc(*len, sizeof(char*), GFP_ATOMIC);
1733         if (!*names)
1734                 goto err;
1735
1736        *values = kcalloc(*len, sizeof(int), GFP_ATOMIC);
1737         if (!*values)
1738                 goto err;
1739
1740         for (i = 0; i < *len; i++) {
1741                 size_t name_len;
1742                 (*values)[i] = policydb.bool_val_to_struct[i]->state;
1743                 name_len = strlen(policydb.p_bool_val_to_name[i]) + 1;
1744                (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC);
1745                 if (!(*names)[i])
1746                         goto err;
1747                 strncpy((*names)[i], policydb.p_bool_val_to_name[i], name_len);
1748                 (*names)[i][name_len - 1] = 0;
1749         }
1750         rc = 0;
1751 out:
1752         POLICY_RDUNLOCK;
1753         return rc;
1754 err:
1755         if (*names) {
1756                 for (i = 0; i < *len; i++)
1757                         kfree((*names)[i]);
1758         }
1759         kfree(*values);
1760         goto out;
1761 }
1762
1763
1764 int security_set_bools(int len, int *values)
1765 {
1766         int i, rc = 0;
1767         int lenp, seqno = 0;
1768         struct cond_node *cur;
1769
1770         POLICY_WRLOCK;
1771
1772         lenp = policydb.p_bools.nprim;
1773         if (len != lenp) {
1774                 rc = -EFAULT;
1775                 goto out;
1776         }
1777
1778         for (i = 0; i < len; i++) {
1779                 if (!!values[i] != policydb.bool_val_to_struct[i]->state) {
1780                         audit_log(current->audit_context, GFP_ATOMIC,
1781                                 AUDIT_MAC_CONFIG_CHANGE,
1782                                 "bool=%s val=%d old_val=%d auid=%u",
1783                                 policydb.p_bool_val_to_name[i],
1784                                 !!values[i],
1785                                 policydb.bool_val_to_struct[i]->state,
1786                                 audit_get_loginuid(current->audit_context));
1787                 }
1788                 if (values[i]) {
1789                         policydb.bool_val_to_struct[i]->state = 1;
1790                 } else {
1791                         policydb.bool_val_to_struct[i]->state = 0;
1792                 }
1793         }
1794
1795         for (cur = policydb.cond_list; cur != NULL; cur = cur->next) {
1796                 rc = evaluate_cond_node(&policydb, cur);
1797                 if (rc)
1798                         goto out;
1799         }
1800
1801         seqno = ++latest_granting;
1802
1803 out:
1804         POLICY_WRUNLOCK;
1805         if (!rc) {
1806                 avc_ss_reset(seqno);
1807                 selnl_notify_policyload(seqno);
1808         }
1809         return rc;
1810 }
1811
1812 int security_get_bool_value(int bool)
1813 {
1814         int rc = 0;
1815         int len;
1816
1817         POLICY_RDLOCK;
1818
1819         len = policydb.p_bools.nprim;
1820         if (bool >= len) {
1821                 rc = -EFAULT;
1822                 goto out;
1823         }
1824
1825         rc = policydb.bool_val_to_struct[bool]->state;
1826 out:
1827         POLICY_RDUNLOCK;
1828         return rc;
1829 }
1830
1831 /*
1832  * security_sid_mls_copy() - computes a new sid based on the given
1833  * sid and the mls portion of mls_sid.
1834  */
1835 int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid)
1836 {
1837         struct context *context1;
1838         struct context *context2;
1839         struct context newcon;
1840         char *s;
1841         u32 len;
1842         int rc = 0;
1843
1844         if (!ss_initialized || !selinux_mls_enabled) {
1845                 *new_sid = sid;
1846                 goto out;
1847         }
1848
1849         context_init(&newcon);
1850
1851         POLICY_RDLOCK;
1852         context1 = sidtab_search(&sidtab, sid);
1853         if (!context1) {
1854                 printk(KERN_ERR "security_sid_mls_copy:  unrecognized SID "
1855                        "%d\n", sid);
1856                 rc = -EINVAL;
1857                 goto out_unlock;
1858         }
1859
1860         context2 = sidtab_search(&sidtab, mls_sid);
1861         if (!context2) {
1862                 printk(KERN_ERR "security_sid_mls_copy:  unrecognized SID "
1863                        "%d\n", mls_sid);
1864                 rc = -EINVAL;
1865                 goto out_unlock;
1866         }
1867
1868         newcon.user = context1->user;
1869         newcon.role = context1->role;
1870         newcon.type = context1->type;
1871         rc = mls_copy_context(&newcon, context2);
1872         if (rc)
1873                 goto out_unlock;
1874
1875
1876         /* Check the validity of the new context. */
1877         if (!policydb_context_isvalid(&policydb, &newcon)) {
1878                 rc = convert_context_handle_invalid_context(&newcon);
1879                 if (rc)
1880                         goto bad;
1881         }
1882
1883         rc = sidtab_context_to_sid(&sidtab, &newcon, new_sid);
1884         goto out_unlock;
1885
1886 bad:
1887         if (!context_struct_to_string(&newcon, &s, &len)) {
1888                 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
1889                           "security_sid_mls_copy: invalid context %s", s);
1890                 kfree(s);
1891         }
1892
1893 out_unlock:
1894         POLICY_RDUNLOCK;
1895         context_destroy(&newcon);
1896 out:
1897         return rc;
1898 }
1899
1900 struct selinux_audit_rule {
1901         u32 au_seqno;
1902         struct context au_ctxt;
1903 };
1904
1905 void selinux_audit_rule_free(struct selinux_audit_rule *rule)
1906 {
1907         if (rule) {
1908                 context_destroy(&rule->au_ctxt);
1909                 kfree(rule);
1910         }
1911 }
1912
1913 int selinux_audit_rule_init(u32 field, u32 op, char *rulestr,
1914                             struct selinux_audit_rule **rule)
1915 {
1916         struct selinux_audit_rule *tmprule;
1917         struct role_datum *roledatum;
1918         struct type_datum *typedatum;
1919         struct user_datum *userdatum;
1920         int rc = 0;
1921
1922         *rule = NULL;
1923
1924         if (!ss_initialized)
1925                 return -ENOTSUPP;
1926
1927         switch (field) {
1928         case AUDIT_SUBJ_USER:
1929         case AUDIT_SUBJ_ROLE:
1930         case AUDIT_SUBJ_TYPE:
1931         case AUDIT_OBJ_USER:
1932         case AUDIT_OBJ_ROLE:
1933         case AUDIT_OBJ_TYPE:
1934                 /* only 'equals' and 'not equals' fit user, role, and type */
1935                 if (op != AUDIT_EQUAL && op != AUDIT_NOT_EQUAL)
1936                         return -EINVAL;
1937                 break;
1938         case AUDIT_SUBJ_SEN:
1939         case AUDIT_SUBJ_CLR:
1940         case AUDIT_OBJ_LEV_LOW:
1941         case AUDIT_OBJ_LEV_HIGH:
1942                 /* we do not allow a range, indicated by the presense of '-' */
1943                 if (strchr(rulestr, '-'))
1944                         return -EINVAL;
1945                 break;
1946         default:
1947                 /* only the above fields are valid */
1948                 return -EINVAL;
1949         }
1950
1951         tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL);
1952         if (!tmprule)
1953                 return -ENOMEM;
1954
1955         context_init(&tmprule->au_ctxt);
1956
1957         POLICY_RDLOCK;
1958
1959         tmprule->au_seqno = latest_granting;
1960
1961         switch (field) {
1962         case AUDIT_SUBJ_USER:
1963         case AUDIT_OBJ_USER:
1964                 userdatum = hashtab_search(policydb.p_users.table, rulestr);
1965                 if (!userdatum)
1966                         rc = -EINVAL;
1967                 else
1968                         tmprule->au_ctxt.user = userdatum->value;
1969                 break;
1970         case AUDIT_SUBJ_ROLE:
1971         case AUDIT_OBJ_ROLE:
1972                 roledatum = hashtab_search(policydb.p_roles.table, rulestr);
1973                 if (!roledatum)
1974                         rc = -EINVAL;
1975                 else
1976                         tmprule->au_ctxt.role = roledatum->value;
1977                 break;
1978         case AUDIT_SUBJ_TYPE:
1979         case AUDIT_OBJ_TYPE:
1980                 typedatum = hashtab_search(policydb.p_types.table, rulestr);
1981                 if (!typedatum)
1982                         rc = -EINVAL;
1983                 else
1984                         tmprule->au_ctxt.type = typedatum->value;
1985                 break;
1986         case AUDIT_SUBJ_SEN:
1987         case AUDIT_SUBJ_CLR:
1988         case AUDIT_OBJ_LEV_LOW:
1989         case AUDIT_OBJ_LEV_HIGH:
1990                 rc = mls_from_string(rulestr, &tmprule->au_ctxt, GFP_ATOMIC);
1991                 break;
1992         }
1993
1994         POLICY_RDUNLOCK;
1995
1996         if (rc) {
1997                 selinux_audit_rule_free(tmprule);
1998                 tmprule = NULL;
1999         }
2000
2001         *rule = tmprule;
2002
2003         return rc;
2004 }
2005
2006 int selinux_audit_rule_match(u32 sid, u32 field, u32 op,
2007                              struct selinux_audit_rule *rule,
2008                              struct audit_context *actx)
2009 {
2010         struct context *ctxt;
2011         struct mls_level *level;
2012         int match = 0;
2013
2014         if (!rule) {
2015                 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
2016                           "selinux_audit_rule_match: missing rule\n");
2017                 return -ENOENT;
2018         }
2019
2020         POLICY_RDLOCK;
2021
2022         if (rule->au_seqno < latest_granting) {
2023                 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
2024                           "selinux_audit_rule_match: stale rule\n");
2025                 match = -ESTALE;
2026                 goto out;
2027         }
2028
2029         ctxt = sidtab_search(&sidtab, sid);
2030         if (!ctxt) {
2031                 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
2032                           "selinux_audit_rule_match: unrecognized SID %d\n",
2033                           sid);
2034                 match = -ENOENT;
2035                 goto out;
2036         }
2037
2038         /* a field/op pair that is not caught here will simply fall through
2039            without a match */
2040         switch (field) {
2041         case AUDIT_SUBJ_USER:
2042         case AUDIT_OBJ_USER:
2043                 switch (op) {
2044                 case AUDIT_EQUAL:
2045                         match = (ctxt->user == rule->au_ctxt.user);
2046                         break;
2047                 case AUDIT_NOT_EQUAL:
2048                         match = (ctxt->user != rule->au_ctxt.user);
2049                         break;
2050                 }
2051                 break;
2052         case AUDIT_SUBJ_ROLE:
2053         case AUDIT_OBJ_ROLE:
2054                 switch (op) {
2055                 case AUDIT_EQUAL:
2056                         match = (ctxt->role == rule->au_ctxt.role);
2057                         break;
2058                 case AUDIT_NOT_EQUAL:
2059                         match = (ctxt->role != rule->au_ctxt.role);
2060                         break;
2061                 }
2062                 break;
2063         case AUDIT_SUBJ_TYPE:
2064         case AUDIT_OBJ_TYPE:
2065                 switch (op) {
2066                 case AUDIT_EQUAL:
2067                         match = (ctxt->type == rule->au_ctxt.type);
2068                         break;
2069                 case AUDIT_NOT_EQUAL:
2070                         match = (ctxt->type != rule->au_ctxt.type);
2071                         break;
2072                 }
2073                 break;
2074         case AUDIT_SUBJ_SEN:
2075         case AUDIT_SUBJ_CLR:
2076         case AUDIT_OBJ_LEV_LOW:
2077         case AUDIT_OBJ_LEV_HIGH:
2078                 level = ((field == AUDIT_SUBJ_SEN ||
2079                           field == AUDIT_OBJ_LEV_LOW) ?
2080                          &ctxt->range.level[0] : &ctxt->range.level[1]);
2081                 switch (op) {
2082                 case AUDIT_EQUAL:
2083                         match = mls_level_eq(&rule->au_ctxt.range.level[0],
2084                                              level);
2085                         break;
2086                 case AUDIT_NOT_EQUAL:
2087                         match = !mls_level_eq(&rule->au_ctxt.range.level[0],
2088                                               level);
2089                         break;
2090                 case AUDIT_LESS_THAN:
2091                         match = (mls_level_dom(&rule->au_ctxt.range.level[0],
2092                                                level) &&
2093                                  !mls_level_eq(&rule->au_ctxt.range.level[0],
2094                                                level));
2095                         break;
2096                 case AUDIT_LESS_THAN_OR_EQUAL:
2097                         match = mls_level_dom(&rule->au_ctxt.range.level[0],
2098                                               level);
2099                         break;
2100                 case AUDIT_GREATER_THAN:
2101                         match = (mls_level_dom(level,
2102                                               &rule->au_ctxt.range.level[0]) &&
2103                                  !mls_level_eq(level,
2104                                                &rule->au_ctxt.range.level[0]));
2105                         break;
2106                 case AUDIT_GREATER_THAN_OR_EQUAL:
2107                         match = mls_level_dom(level,
2108                                               &rule->au_ctxt.range.level[0]);
2109                         break;
2110                 }
2111         }
2112
2113 out:
2114         POLICY_RDUNLOCK;
2115         return match;
2116 }
2117
2118 static int (*aurule_callback)(void) = NULL;
2119
2120 static int aurule_avc_callback(u32 event, u32 ssid, u32 tsid,
2121                                u16 class, u32 perms, u32 *retained)
2122 {
2123         int err = 0;
2124
2125         if (event == AVC_CALLBACK_RESET && aurule_callback)
2126                 err = aurule_callback();
2127         return err;
2128 }
2129
2130 static int __init aurule_init(void)
2131 {
2132         int err;
2133
2134         err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET,
2135                                SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
2136         if (err)
2137                 panic("avc_add_callback() failed, error %d\n", err);
2138
2139         return err;
2140 }
2141 __initcall(aurule_init);
2142
2143 void selinux_audit_set_callback(int (*callback)(void))
2144 {
2145         aurule_callback = callback;
2146 }
2147
2148 #ifdef CONFIG_NETLABEL
2149 /*
2150  * This is the structure we store inside the NetLabel cache block.
2151  */
2152 #define NETLBL_CACHE(x)           ((struct netlbl_cache *)(x))
2153 #define NETLBL_CACHE_T_NONE       0
2154 #define NETLBL_CACHE_T_SID        1
2155 #define NETLBL_CACHE_T_MLS        2
2156 struct netlbl_cache {
2157         u32 type;
2158         union {
2159                 u32 sid;
2160                 struct mls_range mls_label;
2161         } data;
2162 };
2163
2164 /**
2165  * selinux_netlbl_cache_free - Free the NetLabel cached data
2166  * @data: the data to free
2167  *
2168  * Description:
2169  * This function is intended to be used as the free() callback inside the
2170  * netlbl_lsm_cache structure.
2171  *
2172  */
2173 static void selinux_netlbl_cache_free(const void *data)
2174 {
2175         struct netlbl_cache *cache;
2176
2177         if (data == NULL)
2178                 return;
2179
2180         cache = NETLBL_CACHE(data);
2181         switch (cache->type) {
2182         case NETLBL_CACHE_T_MLS:
2183                 ebitmap_destroy(&cache->data.mls_label.level[0].cat);
2184                 break;
2185         }
2186         kfree(data);
2187 }
2188
2189 /**
2190  * selinux_netlbl_cache_add - Add an entry to the NetLabel cache
2191  * @skb: the packet
2192  * @ctx: the SELinux context
2193  *
2194  * Description:
2195  * Attempt to cache the context in @ctx, which was derived from the packet in
2196  * @skb, in the NetLabel subsystem cache.
2197  *
2198  */
2199 static void selinux_netlbl_cache_add(struct sk_buff *skb, struct context *ctx)
2200 {
2201         struct netlbl_cache *cache = NULL;
2202         struct netlbl_lsm_secattr secattr;
2203
2204         netlbl_secattr_init(&secattr);
2205         secattr.cache = netlbl_secattr_cache_alloc(GFP_ATOMIC);
2206         if (secattr.cache == NULL)
2207                 goto netlbl_cache_add_return;
2208
2209         cache = kzalloc(sizeof(*cache), GFP_ATOMIC);
2210         if (cache == NULL)
2211                 goto netlbl_cache_add_return;
2212         secattr.cache->free = selinux_netlbl_cache_free;
2213         secattr.cache->data = (void *)cache;
2214
2215         cache->type = NETLBL_CACHE_T_MLS;
2216         if (ebitmap_cpy(&cache->data.mls_label.level[0].cat,
2217                         &ctx->range.level[0].cat) != 0)
2218                 goto netlbl_cache_add_return;
2219         cache->data.mls_label.level[1].cat.highbit =
2220                 cache->data.mls_label.level[0].cat.highbit;
2221         cache->data.mls_label.level[1].cat.node =
2222                 cache->data.mls_label.level[0].cat.node;
2223         cache->data.mls_label.level[0].sens = ctx->range.level[0].sens;
2224         cache->data.mls_label.level[1].sens = ctx->range.level[0].sens;
2225
2226         netlbl_cache_add(skb, &secattr);
2227
2228 netlbl_cache_add_return:
2229         netlbl_secattr_destroy(&secattr);
2230 }
2231
2232 /**
2233  * selinux_netlbl_cache_invalidate - Invalidate the NetLabel cache
2234  *
2235  * Description:
2236  * Invalidate the NetLabel security attribute mapping cache.
2237  *
2238  */
2239 void selinux_netlbl_cache_invalidate(void)
2240 {
2241         netlbl_cache_invalidate();
2242 }
2243
2244 /**
2245  * selinux_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID
2246  * @skb: the network packet
2247  * @secattr: the NetLabel packet security attributes
2248  * @base_sid: the SELinux SID to use as a context for MLS only attributes
2249  * @sid: the SELinux SID
2250  *
2251  * Description:
2252  * Convert the given NetLabel packet security attributes in @secattr into a
2253  * SELinux SID.  If the @secattr field does not contain a full SELinux
2254  * SID/context then use the context in @base_sid as the foundation.  If @skb
2255  * is not NULL attempt to cache as much data as possibile.  Returns zero on
2256  * success, negative values on failure.
2257  *
2258  */
2259 static int selinux_netlbl_secattr_to_sid(struct sk_buff *skb,
2260                                          struct netlbl_lsm_secattr *secattr,
2261                                          u32 base_sid,
2262                                          u32 *sid)
2263 {
2264         int rc = -EIDRM;
2265         struct context *ctx;
2266         struct context ctx_new;
2267         struct netlbl_cache *cache;
2268
2269         POLICY_RDLOCK;
2270
2271         if (secattr->cache) {
2272                 cache = NETLBL_CACHE(secattr->cache->data);
2273                 switch (cache->type) {
2274                 case NETLBL_CACHE_T_SID:
2275                         *sid = cache->data.sid;
2276                         rc = 0;
2277                         break;
2278                 case NETLBL_CACHE_T_MLS:
2279                         ctx = sidtab_search(&sidtab, base_sid);
2280                         if (ctx == NULL)
2281                                 goto netlbl_secattr_to_sid_return;
2282
2283                         ctx_new.user = ctx->user;
2284                         ctx_new.role = ctx->role;
2285                         ctx_new.type = ctx->type;
2286                         ctx_new.range.level[0].sens =
2287                                 cache->data.mls_label.level[0].sens;
2288                         ctx_new.range.level[0].cat.highbit =
2289                                 cache->data.mls_label.level[0].cat.highbit;
2290                         ctx_new.range.level[0].cat.node =
2291                                 cache->data.mls_label.level[0].cat.node;
2292                         ctx_new.range.level[1].sens =
2293                                 cache->data.mls_label.level[1].sens;
2294                         ctx_new.range.level[1].cat.highbit =
2295                                 cache->data.mls_label.level[1].cat.highbit;
2296                         ctx_new.range.level[1].cat.node =
2297                                 cache->data.mls_label.level[1].cat.node;
2298
2299                         rc = sidtab_context_to_sid(&sidtab, &ctx_new, sid);
2300                         break;
2301                 default:
2302                         goto netlbl_secattr_to_sid_return;
2303                 }
2304         } else if (secattr->mls_lvl_vld) {
2305                 ctx = sidtab_search(&sidtab, base_sid);
2306                 if (ctx == NULL)
2307                         goto netlbl_secattr_to_sid_return;
2308
2309                 ctx_new.user = ctx->user;
2310                 ctx_new.role = ctx->role;
2311                 ctx_new.type = ctx->type;
2312                 mls_import_lvl(&ctx_new, secattr->mls_lvl, secattr->mls_lvl);
2313                 if (secattr->mls_cat) {
2314                         if (mls_import_cat(&ctx_new,
2315                                            secattr->mls_cat,
2316                                            secattr->mls_cat_len,
2317                                            NULL,
2318                                            0) != 0)
2319                                 goto netlbl_secattr_to_sid_return;
2320                         ctx_new.range.level[1].cat.highbit =
2321                                 ctx_new.range.level[0].cat.highbit;
2322                         ctx_new.range.level[1].cat.node =
2323                                 ctx_new.range.level[0].cat.node;
2324                 } else {
2325                         ebitmap_init(&ctx_new.range.level[0].cat);
2326                         ebitmap_init(&ctx_new.range.level[1].cat);
2327                 }
2328                 if (mls_context_isvalid(&policydb, &ctx_new) != 1)
2329                         goto netlbl_secattr_to_sid_return_cleanup;
2330
2331                 rc = sidtab_context_to_sid(&sidtab, &ctx_new, sid);
2332                 if (rc != 0)
2333                         goto netlbl_secattr_to_sid_return_cleanup;
2334
2335                 if (skb != NULL)
2336                         selinux_netlbl_cache_add(skb, &ctx_new);
2337                 ebitmap_destroy(&ctx_new.range.level[0].cat);
2338         } else {
2339                 *sid = SECSID_NULL;
2340                 rc = 0;
2341         }
2342
2343 netlbl_secattr_to_sid_return:
2344         POLICY_RDUNLOCK;
2345         return rc;
2346 netlbl_secattr_to_sid_return_cleanup:
2347         ebitmap_destroy(&ctx_new.range.level[0].cat);
2348         goto netlbl_secattr_to_sid_return;
2349 }
2350
2351 /**
2352  * selinux_netlbl_skbuff_getsid - Get the sid of a packet using NetLabel
2353  * @skb: the packet
2354  * @base_sid: the SELinux SID to use as a context for MLS only attributes
2355  * @sid: the SID
2356  *
2357  * Description:
2358  * Call the NetLabel mechanism to get the security attributes of the given
2359  * packet and use those attributes to determine the correct context/SID to
2360  * assign to the packet.  Returns zero on success, negative values on failure.
2361  *
2362  */
2363 static int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
2364                                         u32 base_sid,
2365                                         u32 *sid)
2366 {
2367         int rc;
2368         struct netlbl_lsm_secattr secattr;
2369
2370         netlbl_secattr_init(&secattr);
2371         rc = netlbl_skbuff_getattr(skb, &secattr);
2372         if (rc == 0)
2373                 rc = selinux_netlbl_secattr_to_sid(skb,
2374                                                    &secattr,
2375                                                    base_sid,
2376                                                    sid);
2377         netlbl_secattr_destroy(&secattr);
2378
2379         return rc;
2380 }
2381
2382 /**
2383  * selinux_netlbl_socket_setsid - Label a socket using the NetLabel mechanism
2384  * @sock: the socket to label
2385  * @sid: the SID to use
2386  *
2387  * Description:
2388  * Attempt to label a socket using the NetLabel mechanism using the given
2389  * SID.  Returns zero values on success, negative values on failure.
2390  *
2391  */
2392 static int selinux_netlbl_socket_setsid(struct socket *sock, u32 sid)
2393 {
2394         int rc = -ENOENT;
2395         struct sk_security_struct *sksec = sock->sk->sk_security;
2396         struct netlbl_lsm_secattr secattr;
2397         struct context *ctx;
2398
2399         if (!ss_initialized)
2400                 return 0;
2401
2402         netlbl_secattr_init(&secattr);
2403
2404         POLICY_RDLOCK;
2405
2406         ctx = sidtab_search(&sidtab, sid);
2407         if (ctx == NULL)
2408                 goto netlbl_socket_setsid_return;
2409
2410         secattr.domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1],
2411                                  GFP_ATOMIC);
2412         mls_export_lvl(ctx, &secattr.mls_lvl, NULL);
2413         secattr.mls_lvl_vld = 1;
2414         rc = mls_export_cat(ctx,
2415                             &secattr.mls_cat,
2416                             &secattr.mls_cat_len,
2417                             NULL,
2418                             NULL);
2419         if (rc != 0)
2420                 goto netlbl_socket_setsid_return;
2421
2422         rc = netlbl_socket_setattr(sock, &secattr);
2423         if (rc == 0)
2424                 sksec->nlbl_state = NLBL_LABELED;
2425
2426 netlbl_socket_setsid_return:
2427         POLICY_RDUNLOCK;
2428         netlbl_secattr_destroy(&secattr);
2429         return rc;
2430 }
2431
2432 /**
2433  * selinux_netlbl_sk_security_init - Setup the NetLabel fields
2434  * @ssec: the sk_security_struct
2435  * @family: the socket family
2436  *
2437  * Description:
2438  * Called when a new sk_security_struct is allocated to initialize the NetLabel
2439  * fields.
2440  *
2441  */
2442 void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec,
2443                                      int family)
2444 {
2445         if (family == PF_INET)
2446                 ssec->nlbl_state = NLBL_REQUIRE;
2447         else
2448                 ssec->nlbl_state = NLBL_UNSET;
2449 }
2450
2451 /**
2452  * selinux_netlbl_sk_clone_security - Copy the NetLabel fields
2453  * @ssec: the original sk_security_struct
2454  * @newssec: the cloned sk_security_struct
2455  *
2456  * Description:
2457  * Clone the NetLabel specific sk_security_struct fields from @ssec to
2458  * @newssec.
2459  *
2460  */
2461 void selinux_netlbl_sk_clone_security(struct sk_security_struct *ssec,
2462                                       struct sk_security_struct *newssec)
2463 {
2464         newssec->sclass = ssec->sclass;
2465         if (ssec->nlbl_state != NLBL_UNSET)
2466                 newssec->nlbl_state = NLBL_REQUIRE;
2467         else
2468                 newssec->nlbl_state = NLBL_UNSET;
2469 }
2470
2471 /**
2472  * selinux_netlbl_socket_post_create - Label a socket using NetLabel
2473  * @sock: the socket to label
2474  * @sock_family: the socket family
2475  * @sid: the SID to use
2476  *
2477  * Description:
2478  * Attempt to label a socket using the NetLabel mechanism using the given
2479  * SID.  Returns zero values on success, negative values on failure.
2480  *
2481  */
2482 int selinux_netlbl_socket_post_create(struct socket *sock,
2483                                       int sock_family,
2484                                       u32 sid)
2485 {
2486         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
2487         struct sk_security_struct *sksec = sock->sk->sk_security;
2488
2489         sksec->sclass = isec->sclass;
2490
2491         if (sock_family != PF_INET)
2492                 return 0;
2493
2494         sksec->nlbl_state = NLBL_REQUIRE;
2495         return selinux_netlbl_socket_setsid(sock, sid);
2496 }
2497
2498 /**
2499  * selinux_netlbl_sock_graft - Netlabel the new socket
2500  * @sk: the new connection
2501  * @sock: the new socket
2502  *
2503  * Description:
2504  * The connection represented by @sk is being grafted onto @sock so set the
2505  * socket's NetLabel to match the SID of @sk.
2506  *
2507  */
2508 void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
2509 {
2510         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
2511         struct sk_security_struct *sksec = sk->sk_security;
2512         struct netlbl_lsm_secattr secattr;
2513         u32 nlbl_peer_sid;
2514
2515         sksec->sclass = isec->sclass;
2516
2517         if (sk->sk_family != PF_INET)
2518                 return;
2519
2520         netlbl_secattr_init(&secattr);
2521         if (netlbl_sock_getattr(sk, &secattr) == 0 &&
2522             selinux_netlbl_secattr_to_sid(NULL,
2523                                           &secattr,
2524                                           SECINITSID_UNLABELED,
2525                                           &nlbl_peer_sid) == 0)
2526                 sksec->peer_sid = nlbl_peer_sid;
2527         netlbl_secattr_destroy(&secattr);
2528
2529         sksec->nlbl_state = NLBL_REQUIRE;
2530
2531         /* Try to set the NetLabel on the socket to save time later, if we fail
2532          * here we will pick up the pieces in later calls to
2533          * selinux_netlbl_inode_permission(). */
2534         selinux_netlbl_socket_setsid(sock, sksec->sid);
2535 }
2536
2537 /**
2538  * selinux_netlbl_inet_conn_request - Handle a new connection request
2539  * @skb: the packet
2540  * @sock_sid: the SID of the parent socket
2541  *
2542  * Description:
2543  * If present, use the security attributes of the packet in @skb and the
2544  * parent sock's SID to arrive at a SID for the new child sock.  Returns the
2545  * SID of the connection or SECSID_NULL on failure.
2546  *
2547  */
2548 u32 selinux_netlbl_inet_conn_request(struct sk_buff *skb, u32 sock_sid)
2549 {
2550         int rc;
2551         u32 peer_sid;
2552
2553         rc = selinux_netlbl_skbuff_getsid(skb, sock_sid, &peer_sid);
2554         if (rc != 0)
2555                 return SECSID_NULL;
2556
2557         return peer_sid;
2558 }
2559
2560 /**
2561  * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled
2562  * @inode: the file descriptor's inode
2563  * @mask: the permission mask
2564  *
2565  * Description:
2566  * Looks at a file's inode and if it is marked as a socket protected by
2567  * NetLabel then verify that the socket has been labeled, if not try to label
2568  * the socket now with the inode's SID.  Returns zero on success, negative
2569  * values on failure.
2570  *
2571  */
2572 int selinux_netlbl_inode_permission(struct inode *inode, int mask)
2573 {
2574         int rc;
2575         struct inode_security_struct *isec;
2576         struct sk_security_struct *sksec;
2577         struct socket *sock;
2578
2579         if (!S_ISSOCK(inode->i_mode))
2580                 return 0;
2581
2582         sock = SOCKET_I(inode);
2583         isec = inode->i_security;
2584         sksec = sock->sk->sk_security;
2585         mutex_lock(&isec->lock);
2586         if (unlikely(sksec->nlbl_state == NLBL_REQUIRE &&
2587                      (mask & (MAY_WRITE | MAY_APPEND)))) {
2588                 lock_sock(sock->sk);
2589                 rc = selinux_netlbl_socket_setsid(sock, sksec->sid);
2590                 release_sock(sock->sk);
2591         } else
2592                 rc = 0;
2593         mutex_unlock(&isec->lock);
2594
2595         return rc;
2596 }
2597
2598 /**
2599  * selinux_netlbl_sock_rcv_skb - Do an inbound access check using NetLabel
2600  * @sksec: the sock's sk_security_struct
2601  * @skb: the packet
2602  * @ad: the audit data
2603  *
2604  * Description:
2605  * Fetch the NetLabel security attributes from @skb and perform an access check
2606  * against the receiving socket.  Returns zero on success, negative values on
2607  * error.
2608  *
2609  */
2610 int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
2611                                 struct sk_buff *skb,
2612                                 struct avc_audit_data *ad)
2613 {
2614         int rc;
2615         u32 netlbl_sid;
2616         u32 recv_perm;
2617
2618         rc = selinux_netlbl_skbuff_getsid(skb,
2619                                           SECINITSID_UNLABELED,
2620                                           &netlbl_sid);
2621         if (rc != 0)
2622                 return rc;
2623
2624         if (netlbl_sid == SECSID_NULL)
2625                 return 0;
2626
2627         switch (sksec->sclass) {
2628         case SECCLASS_UDP_SOCKET:
2629                 recv_perm = UDP_SOCKET__RECVFROM;
2630                 break;
2631         case SECCLASS_TCP_SOCKET:
2632                 recv_perm = TCP_SOCKET__RECVFROM;
2633                 break;
2634         default:
2635                 recv_perm = RAWIP_SOCKET__RECVFROM;
2636         }
2637
2638         rc = avc_has_perm(sksec->sid,
2639                           netlbl_sid,
2640                           sksec->sclass,
2641                           recv_perm,
2642                           ad);
2643         if (rc == 0)
2644                 return 0;
2645
2646         netlbl_skbuff_err(skb, rc);
2647         return rc;
2648 }
2649
2650 /**
2651  * selinux_netlbl_socket_getpeersec_stream - Return the connected peer's SID
2652  * @sock: the socket
2653  *
2654  * Description:
2655  * Examine @sock to find the connected peer's SID.  Returns the SID on success
2656  * or SECSID_NULL on error.
2657  *
2658  */
2659 u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock)
2660 {
2661         struct sk_security_struct *sksec = sock->sk->sk_security;
2662         return sksec->peer_sid;
2663 }
2664
2665 /**
2666  * selinux_netlbl_socket_getpeersec_dgram - Return the SID of a NetLabel packet
2667  * @skb: the packet
2668  *
2669  * Description:
2670  * Examine @skb to find the SID assigned to it by NetLabel.  Returns the SID on
2671  * success, SECSID_NULL on error.
2672  *
2673  */
2674 u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb)
2675 {
2676         int peer_sid;
2677
2678         if (selinux_netlbl_skbuff_getsid(skb,
2679                                          SECINITSID_UNLABELED,
2680                                          &peer_sid) != 0)
2681                 return SECSID_NULL;
2682
2683         return peer_sid;
2684 }
2685 #endif /* CONFIG_NETLABEL */