Merge rsync://rsync.kernel.org/pub/scm/linux/kernel/git/torvalds/linux-2.6
[linux-2.6] / security / selinux / ss / services.c
1 /*
2  * Implementation of the security services.
3  *
4  * Authors : Stephen Smalley, <sds@epoch.ncsc.mil>
5  *           James Morris <jmorris@redhat.com>
6  *
7  * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
8  *
9  *      Support for enhanced MLS infrastructure.
10  *      Support for context based audit filters.
11  *
12  * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
13  *
14  *      Added conditional policy language extensions
15  *
16  * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
17  * Copyright (C) 2003 - 2004 Tresys Technology, LLC
18  * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
19  *      This program is free software; you can redistribute it and/or modify
20  *      it under the terms of the GNU General Public License as published by
21  *      the Free Software Foundation, version 2.
22  */
23 #include <linux/kernel.h>
24 #include <linux/slab.h>
25 #include <linux/string.h>
26 #include <linux/spinlock.h>
27 #include <linux/errno.h>
28 #include <linux/in.h>
29 #include <linux/sched.h>
30 #include <linux/audit.h>
31 #include <linux/mutex.h>
32
33 #include "flask.h"
34 #include "avc.h"
35 #include "avc_ss.h"
36 #include "security.h"
37 #include "context.h"
38 #include "policydb.h"
39 #include "sidtab.h"
40 #include "services.h"
41 #include "conditional.h"
42 #include "mls.h"
43
44 extern void selnl_notify_policyload(u32 seqno);
45 unsigned int policydb_loaded_version;
46
47 static DEFINE_RWLOCK(policy_rwlock);
48 #define POLICY_RDLOCK read_lock(&policy_rwlock)
49 #define POLICY_WRLOCK write_lock_irq(&policy_rwlock)
50 #define POLICY_RDUNLOCK read_unlock(&policy_rwlock)
51 #define POLICY_WRUNLOCK write_unlock_irq(&policy_rwlock)
52
53 static DEFINE_MUTEX(load_mutex);
54 #define LOAD_LOCK mutex_lock(&load_mutex)
55 #define LOAD_UNLOCK mutex_unlock(&load_mutex)
56
57 static struct sidtab sidtab;
58 struct policydb policydb;
59 int ss_initialized = 0;
60
61 /*
62  * The largest sequence number that has been used when
63  * providing an access decision to the access vector cache.
64  * The sequence number only changes when a policy change
65  * occurs.
66  */
67 static u32 latest_granting = 0;
68
69 /* Forward declaration. */
70 static int context_struct_to_string(struct context *context, char **scontext,
71                                     u32 *scontext_len);
72
73 /*
74  * Return the boolean value of a constraint expression
75  * when it is applied to the specified source and target
76  * security contexts.
77  *
78  * xcontext is a special beast...  It is used by the validatetrans rules
79  * only.  For these rules, scontext is the context before the transition,
80  * tcontext is the context after the transition, and xcontext is the context
81  * of the process performing the transition.  All other callers of
82  * constraint_expr_eval should pass in NULL for xcontext.
83  */
84 static int constraint_expr_eval(struct context *scontext,
85                                 struct context *tcontext,
86                                 struct context *xcontext,
87                                 struct constraint_expr *cexpr)
88 {
89         u32 val1, val2;
90         struct context *c;
91         struct role_datum *r1, *r2;
92         struct mls_level *l1, *l2;
93         struct constraint_expr *e;
94         int s[CEXPR_MAXDEPTH];
95         int sp = -1;
96
97         for (e = cexpr; e; e = e->next) {
98                 switch (e->expr_type) {
99                 case CEXPR_NOT:
100                         BUG_ON(sp < 0);
101                         s[sp] = !s[sp];
102                         break;
103                 case CEXPR_AND:
104                         BUG_ON(sp < 1);
105                         sp--;
106                         s[sp] &= s[sp+1];
107                         break;
108                 case CEXPR_OR:
109                         BUG_ON(sp < 1);
110                         sp--;
111                         s[sp] |= s[sp+1];
112                         break;
113                 case CEXPR_ATTR:
114                         if (sp == (CEXPR_MAXDEPTH-1))
115                                 return 0;
116                         switch (e->attr) {
117                         case CEXPR_USER:
118                                 val1 = scontext->user;
119                                 val2 = tcontext->user;
120                                 break;
121                         case CEXPR_TYPE:
122                                 val1 = scontext->type;
123                                 val2 = tcontext->type;
124                                 break;
125                         case CEXPR_ROLE:
126                                 val1 = scontext->role;
127                                 val2 = tcontext->role;
128                                 r1 = policydb.role_val_to_struct[val1 - 1];
129                                 r2 = policydb.role_val_to_struct[val2 - 1];
130                                 switch (e->op) {
131                                 case CEXPR_DOM:
132                                         s[++sp] = ebitmap_get_bit(&r1->dominates,
133                                                                   val2 - 1);
134                                         continue;
135                                 case CEXPR_DOMBY:
136                                         s[++sp] = ebitmap_get_bit(&r2->dominates,
137                                                                   val1 - 1);
138                                         continue;
139                                 case CEXPR_INCOMP:
140                                         s[++sp] = ( !ebitmap_get_bit(&r1->dominates,
141                                                                      val2 - 1) &&
142                                                     !ebitmap_get_bit(&r2->dominates,
143                                                                      val1 - 1) );
144                                         continue;
145                                 default:
146                                         break;
147                                 }
148                                 break;
149                         case CEXPR_L1L2:
150                                 l1 = &(scontext->range.level[0]);
151                                 l2 = &(tcontext->range.level[0]);
152                                 goto mls_ops;
153                         case CEXPR_L1H2:
154                                 l1 = &(scontext->range.level[0]);
155                                 l2 = &(tcontext->range.level[1]);
156                                 goto mls_ops;
157                         case CEXPR_H1L2:
158                                 l1 = &(scontext->range.level[1]);
159                                 l2 = &(tcontext->range.level[0]);
160                                 goto mls_ops;
161                         case CEXPR_H1H2:
162                                 l1 = &(scontext->range.level[1]);
163                                 l2 = &(tcontext->range.level[1]);
164                                 goto mls_ops;
165                         case CEXPR_L1H1:
166                                 l1 = &(scontext->range.level[0]);
167                                 l2 = &(scontext->range.level[1]);
168                                 goto mls_ops;
169                         case CEXPR_L2H2:
170                                 l1 = &(tcontext->range.level[0]);
171                                 l2 = &(tcontext->range.level[1]);
172                                 goto mls_ops;
173 mls_ops:
174                         switch (e->op) {
175                         case CEXPR_EQ:
176                                 s[++sp] = mls_level_eq(l1, l2);
177                                 continue;
178                         case CEXPR_NEQ:
179                                 s[++sp] = !mls_level_eq(l1, l2);
180                                 continue;
181                         case CEXPR_DOM:
182                                 s[++sp] = mls_level_dom(l1, l2);
183                                 continue;
184                         case CEXPR_DOMBY:
185                                 s[++sp] = mls_level_dom(l2, l1);
186                                 continue;
187                         case CEXPR_INCOMP:
188                                 s[++sp] = mls_level_incomp(l2, l1);
189                                 continue;
190                         default:
191                                 BUG();
192                                 return 0;
193                         }
194                         break;
195                         default:
196                                 BUG();
197                                 return 0;
198                         }
199
200                         switch (e->op) {
201                         case CEXPR_EQ:
202                                 s[++sp] = (val1 == val2);
203                                 break;
204                         case CEXPR_NEQ:
205                                 s[++sp] = (val1 != val2);
206                                 break;
207                         default:
208                                 BUG();
209                                 return 0;
210                         }
211                         break;
212                 case CEXPR_NAMES:
213                         if (sp == (CEXPR_MAXDEPTH-1))
214                                 return 0;
215                         c = scontext;
216                         if (e->attr & CEXPR_TARGET)
217                                 c = tcontext;
218                         else if (e->attr & CEXPR_XTARGET) {
219                                 c = xcontext;
220                                 if (!c) {
221                                         BUG();
222                                         return 0;
223                                 }
224                         }
225                         if (e->attr & CEXPR_USER)
226                                 val1 = c->user;
227                         else if (e->attr & CEXPR_ROLE)
228                                 val1 = c->role;
229                         else if (e->attr & CEXPR_TYPE)
230                                 val1 = c->type;
231                         else {
232                                 BUG();
233                                 return 0;
234                         }
235
236                         switch (e->op) {
237                         case CEXPR_EQ:
238                                 s[++sp] = ebitmap_get_bit(&e->names, val1 - 1);
239                                 break;
240                         case CEXPR_NEQ:
241                                 s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1);
242                                 break;
243                         default:
244                                 BUG();
245                                 return 0;
246                         }
247                         break;
248                 default:
249                         BUG();
250                         return 0;
251                 }
252         }
253
254         BUG_ON(sp != 0);
255         return s[0];
256 }
257
258 /*
259  * Compute access vectors based on a context structure pair for
260  * the permissions in a particular class.
261  */
262 static int context_struct_compute_av(struct context *scontext,
263                                      struct context *tcontext,
264                                      u16 tclass,
265                                      u32 requested,
266                                      struct av_decision *avd)
267 {
268         struct constraint_node *constraint;
269         struct role_allow *ra;
270         struct avtab_key avkey;
271         struct avtab_node *node;
272         struct class_datum *tclass_datum;
273         struct ebitmap *sattr, *tattr;
274         struct ebitmap_node *snode, *tnode;
275         unsigned int i, j;
276
277         /*
278          * Remap extended Netlink classes for old policy versions.
279          * Do this here rather than socket_type_to_security_class()
280          * in case a newer policy version is loaded, allowing sockets
281          * to remain in the correct class.
282          */
283         if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
284                 if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&
285                     tclass <= SECCLASS_NETLINK_DNRT_SOCKET)
286                         tclass = SECCLASS_NETLINK_SOCKET;
287
288         if (!tclass || tclass > policydb.p_classes.nprim) {
289                 printk(KERN_ERR "security_compute_av:  unrecognized class %d\n",
290                        tclass);
291                 return -EINVAL;
292         }
293         tclass_datum = policydb.class_val_to_struct[tclass - 1];
294
295         /*
296          * Initialize the access vectors to the default values.
297          */
298         avd->allowed = 0;
299         avd->decided = 0xffffffff;
300         avd->auditallow = 0;
301         avd->auditdeny = 0xffffffff;
302         avd->seqno = latest_granting;
303
304         /*
305          * If a specific type enforcement rule was defined for
306          * this permission check, then use it.
307          */
308         avkey.target_class = tclass;
309         avkey.specified = AVTAB_AV;
310         sattr = &policydb.type_attr_map[scontext->type - 1];
311         tattr = &policydb.type_attr_map[tcontext->type - 1];
312         ebitmap_for_each_bit(sattr, snode, i) {
313                 if (!ebitmap_node_get_bit(snode, i))
314                         continue;
315                 ebitmap_for_each_bit(tattr, tnode, j) {
316                         if (!ebitmap_node_get_bit(tnode, j))
317                                 continue;
318                         avkey.source_type = i + 1;
319                         avkey.target_type = j + 1;
320                         for (node = avtab_search_node(&policydb.te_avtab, &avkey);
321                              node != NULL;
322                              node = avtab_search_node_next(node, avkey.specified)) {
323                                 if (node->key.specified == AVTAB_ALLOWED)
324                                         avd->allowed |= node->datum.data;
325                                 else if (node->key.specified == AVTAB_AUDITALLOW)
326                                         avd->auditallow |= node->datum.data;
327                                 else if (node->key.specified == AVTAB_AUDITDENY)
328                                         avd->auditdeny &= node->datum.data;
329                         }
330
331                         /* Check conditional av table for additional permissions */
332                         cond_compute_av(&policydb.te_cond_avtab, &avkey, avd);
333
334                 }
335         }
336
337         /*
338          * Remove any permissions prohibited by a constraint (this includes
339          * the MLS policy).
340          */
341         constraint = tclass_datum->constraints;
342         while (constraint) {
343                 if ((constraint->permissions & (avd->allowed)) &&
344                     !constraint_expr_eval(scontext, tcontext, NULL,
345                                           constraint->expr)) {
346                         avd->allowed = (avd->allowed) & ~(constraint->permissions);
347                 }
348                 constraint = constraint->next;
349         }
350
351         /*
352          * If checking process transition permission and the
353          * role is changing, then check the (current_role, new_role)
354          * pair.
355          */
356         if (tclass == SECCLASS_PROCESS &&
357             (avd->allowed & (PROCESS__TRANSITION | PROCESS__DYNTRANSITION)) &&
358             scontext->role != tcontext->role) {
359                 for (ra = policydb.role_allow; ra; ra = ra->next) {
360                         if (scontext->role == ra->role &&
361                             tcontext->role == ra->new_role)
362                                 break;
363                 }
364                 if (!ra)
365                         avd->allowed = (avd->allowed) & ~(PROCESS__TRANSITION |
366                                                         PROCESS__DYNTRANSITION);
367         }
368
369         return 0;
370 }
371
372 static int security_validtrans_handle_fail(struct context *ocontext,
373                                            struct context *ncontext,
374                                            struct context *tcontext,
375                                            u16 tclass)
376 {
377         char *o = NULL, *n = NULL, *t = NULL;
378         u32 olen, nlen, tlen;
379
380         if (context_struct_to_string(ocontext, &o, &olen) < 0)
381                 goto out;
382         if (context_struct_to_string(ncontext, &n, &nlen) < 0)
383                 goto out;
384         if (context_struct_to_string(tcontext, &t, &tlen) < 0)
385                 goto out;
386         audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
387                   "security_validate_transition:  denied for"
388                   " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
389                   o, n, t, policydb.p_class_val_to_name[tclass-1]);
390 out:
391         kfree(o);
392         kfree(n);
393         kfree(t);
394
395         if (!selinux_enforcing)
396                 return 0;
397         return -EPERM;
398 }
399
400 int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
401                                  u16 tclass)
402 {
403         struct context *ocontext;
404         struct context *ncontext;
405         struct context *tcontext;
406         struct class_datum *tclass_datum;
407         struct constraint_node *constraint;
408         int rc = 0;
409
410         if (!ss_initialized)
411                 return 0;
412
413         POLICY_RDLOCK;
414
415         /*
416          * Remap extended Netlink classes for old policy versions.
417          * Do this here rather than socket_type_to_security_class()
418          * in case a newer policy version is loaded, allowing sockets
419          * to remain in the correct class.
420          */
421         if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
422                 if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&
423                     tclass <= SECCLASS_NETLINK_DNRT_SOCKET)
424                         tclass = SECCLASS_NETLINK_SOCKET;
425
426         if (!tclass || tclass > policydb.p_classes.nprim) {
427                 printk(KERN_ERR "security_validate_transition:  "
428                        "unrecognized class %d\n", tclass);
429                 rc = -EINVAL;
430                 goto out;
431         }
432         tclass_datum = policydb.class_val_to_struct[tclass - 1];
433
434         ocontext = sidtab_search(&sidtab, oldsid);
435         if (!ocontext) {
436                 printk(KERN_ERR "security_validate_transition: "
437                        " unrecognized SID %d\n", oldsid);
438                 rc = -EINVAL;
439                 goto out;
440         }
441
442         ncontext = sidtab_search(&sidtab, newsid);
443         if (!ncontext) {
444                 printk(KERN_ERR "security_validate_transition: "
445                        " unrecognized SID %d\n", newsid);
446                 rc = -EINVAL;
447                 goto out;
448         }
449
450         tcontext = sidtab_search(&sidtab, tasksid);
451         if (!tcontext) {
452                 printk(KERN_ERR "security_validate_transition: "
453                        " unrecognized SID %d\n", tasksid);
454                 rc = -EINVAL;
455                 goto out;
456         }
457
458         constraint = tclass_datum->validatetrans;
459         while (constraint) {
460                 if (!constraint_expr_eval(ocontext, ncontext, tcontext,
461                                           constraint->expr)) {
462                         rc = security_validtrans_handle_fail(ocontext, ncontext,
463                                                              tcontext, tclass);
464                         goto out;
465                 }
466                 constraint = constraint->next;
467         }
468
469 out:
470         POLICY_RDUNLOCK;
471         return rc;
472 }
473
474 /**
475  * security_compute_av - Compute access vector decisions.
476  * @ssid: source security identifier
477  * @tsid: target security identifier
478  * @tclass: target security class
479  * @requested: requested permissions
480  * @avd: access vector decisions
481  *
482  * Compute a set of access vector decisions based on the
483  * SID pair (@ssid, @tsid) for the permissions in @tclass.
484  * Return -%EINVAL if any of the parameters are invalid or %0
485  * if the access vector decisions were computed successfully.
486  */
487 int security_compute_av(u32 ssid,
488                         u32 tsid,
489                         u16 tclass,
490                         u32 requested,
491                         struct av_decision *avd)
492 {
493         struct context *scontext = NULL, *tcontext = NULL;
494         int rc = 0;
495
496         if (!ss_initialized) {
497                 avd->allowed = 0xffffffff;
498                 avd->decided = 0xffffffff;
499                 avd->auditallow = 0;
500                 avd->auditdeny = 0xffffffff;
501                 avd->seqno = latest_granting;
502                 return 0;
503         }
504
505         POLICY_RDLOCK;
506
507         scontext = sidtab_search(&sidtab, ssid);
508         if (!scontext) {
509                 printk(KERN_ERR "security_compute_av:  unrecognized SID %d\n",
510                        ssid);
511                 rc = -EINVAL;
512                 goto out;
513         }
514         tcontext = sidtab_search(&sidtab, tsid);
515         if (!tcontext) {
516                 printk(KERN_ERR "security_compute_av:  unrecognized SID %d\n",
517                        tsid);
518                 rc = -EINVAL;
519                 goto out;
520         }
521
522         rc = context_struct_compute_av(scontext, tcontext, tclass,
523                                        requested, avd);
524 out:
525         POLICY_RDUNLOCK;
526         return rc;
527 }
528
529 /*
530  * Write the security context string representation of
531  * the context structure `context' into a dynamically
532  * allocated string of the correct size.  Set `*scontext'
533  * to point to this string and set `*scontext_len' to
534  * the length of the string.
535  */
536 static int context_struct_to_string(struct context *context, char **scontext, u32 *scontext_len)
537 {
538         char *scontextp;
539
540         *scontext = NULL;
541         *scontext_len = 0;
542
543         /* Compute the size of the context. */
544         *scontext_len += strlen(policydb.p_user_val_to_name[context->user - 1]) + 1;
545         *scontext_len += strlen(policydb.p_role_val_to_name[context->role - 1]) + 1;
546         *scontext_len += strlen(policydb.p_type_val_to_name[context->type - 1]) + 1;
547         *scontext_len += mls_compute_context_len(context);
548
549         /* Allocate space for the context; caller must free this space. */
550         scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
551         if (!scontextp) {
552                 return -ENOMEM;
553         }
554         *scontext = scontextp;
555
556         /*
557          * Copy the user name, role name and type name into the context.
558          */
559         sprintf(scontextp, "%s:%s:%s",
560                 policydb.p_user_val_to_name[context->user - 1],
561                 policydb.p_role_val_to_name[context->role - 1],
562                 policydb.p_type_val_to_name[context->type - 1]);
563         scontextp += strlen(policydb.p_user_val_to_name[context->user - 1]) +
564                      1 + strlen(policydb.p_role_val_to_name[context->role - 1]) +
565                      1 + strlen(policydb.p_type_val_to_name[context->type - 1]);
566
567         mls_sid_to_context(context, &scontextp);
568
569         *scontextp = 0;
570
571         return 0;
572 }
573
574 #include "initial_sid_to_string.h"
575
576 /**
577  * security_sid_to_context - Obtain a context for a given SID.
578  * @sid: security identifier, SID
579  * @scontext: security context
580  * @scontext_len: length in bytes
581  *
582  * Write the string representation of the context associated with @sid
583  * into a dynamically allocated string of the correct size.  Set @scontext
584  * to point to this string and set @scontext_len to the length of the string.
585  */
586 int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
587 {
588         struct context *context;
589         int rc = 0;
590
591         if (!ss_initialized) {
592                 if (sid <= SECINITSID_NUM) {
593                         char *scontextp;
594
595                         *scontext_len = strlen(initial_sid_to_string[sid]) + 1;
596                         scontextp = kmalloc(*scontext_len,GFP_ATOMIC);
597                         if (!scontextp) {
598                                 rc = -ENOMEM;
599                                 goto out;
600                         }
601                         strcpy(scontextp, initial_sid_to_string[sid]);
602                         *scontext = scontextp;
603                         goto out;
604                 }
605                 printk(KERN_ERR "security_sid_to_context:  called before initial "
606                        "load_policy on unknown SID %d\n", sid);
607                 rc = -EINVAL;
608                 goto out;
609         }
610         POLICY_RDLOCK;
611         context = sidtab_search(&sidtab, sid);
612         if (!context) {
613                 printk(KERN_ERR "security_sid_to_context:  unrecognized SID "
614                        "%d\n", sid);
615                 rc = -EINVAL;
616                 goto out_unlock;
617         }
618         rc = context_struct_to_string(context, scontext, scontext_len);
619 out_unlock:
620         POLICY_RDUNLOCK;
621 out:
622         return rc;
623
624 }
625
626 static int security_context_to_sid_core(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid)
627 {
628         char *scontext2;
629         struct context context;
630         struct role_datum *role;
631         struct type_datum *typdatum;
632         struct user_datum *usrdatum;
633         char *scontextp, *p, oldc;
634         int rc = 0;
635
636         if (!ss_initialized) {
637                 int i;
638
639                 for (i = 1; i < SECINITSID_NUM; i++) {
640                         if (!strcmp(initial_sid_to_string[i], scontext)) {
641                                 *sid = i;
642                                 goto out;
643                         }
644                 }
645                 *sid = SECINITSID_KERNEL;
646                 goto out;
647         }
648         *sid = SECSID_NULL;
649
650         /* Copy the string so that we can modify the copy as we parse it.
651            The string should already by null terminated, but we append a
652            null suffix to the copy to avoid problems with the existing
653            attr package, which doesn't view the null terminator as part
654            of the attribute value. */
655         scontext2 = kmalloc(scontext_len+1,GFP_KERNEL);
656         if (!scontext2) {
657                 rc = -ENOMEM;
658                 goto out;
659         }
660         memcpy(scontext2, scontext, scontext_len);
661         scontext2[scontext_len] = 0;
662
663         context_init(&context);
664         *sid = SECSID_NULL;
665
666         POLICY_RDLOCK;
667
668         /* Parse the security context. */
669
670         rc = -EINVAL;
671         scontextp = (char *) scontext2;
672
673         /* Extract the user. */
674         p = scontextp;
675         while (*p && *p != ':')
676                 p++;
677
678         if (*p == 0)
679                 goto out_unlock;
680
681         *p++ = 0;
682
683         usrdatum = hashtab_search(policydb.p_users.table, scontextp);
684         if (!usrdatum)
685                 goto out_unlock;
686
687         context.user = usrdatum->value;
688
689         /* Extract role. */
690         scontextp = p;
691         while (*p && *p != ':')
692                 p++;
693
694         if (*p == 0)
695                 goto out_unlock;
696
697         *p++ = 0;
698
699         role = hashtab_search(policydb.p_roles.table, scontextp);
700         if (!role)
701                 goto out_unlock;
702         context.role = role->value;
703
704         /* Extract type. */
705         scontextp = p;
706         while (*p && *p != ':')
707                 p++;
708         oldc = *p;
709         *p++ = 0;
710
711         typdatum = hashtab_search(policydb.p_types.table, scontextp);
712         if (!typdatum)
713                 goto out_unlock;
714
715         context.type = typdatum->value;
716
717         rc = mls_context_to_sid(oldc, &p, &context, &sidtab, def_sid);
718         if (rc)
719                 goto out_unlock;
720
721         if ((p - scontext2) < scontext_len) {
722                 rc = -EINVAL;
723                 goto out_unlock;
724         }
725
726         /* Check the validity of the new context. */
727         if (!policydb_context_isvalid(&policydb, &context)) {
728                 rc = -EINVAL;
729                 goto out_unlock;
730         }
731         /* Obtain the new sid. */
732         rc = sidtab_context_to_sid(&sidtab, &context, sid);
733 out_unlock:
734         POLICY_RDUNLOCK;
735         context_destroy(&context);
736         kfree(scontext2);
737 out:
738         return rc;
739 }
740
741 /**
742  * security_context_to_sid - Obtain a SID for a given security context.
743  * @scontext: security context
744  * @scontext_len: length in bytes
745  * @sid: security identifier, SID
746  *
747  * Obtains a SID associated with the security context that
748  * has the string representation specified by @scontext.
749  * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
750  * memory is available, or 0 on success.
751  */
752 int security_context_to_sid(char *scontext, u32 scontext_len, u32 *sid)
753 {
754         return security_context_to_sid_core(scontext, scontext_len,
755                                             sid, SECSID_NULL);
756 }
757
758 /**
759  * security_context_to_sid_default - Obtain a SID for a given security context,
760  * falling back to specified default if needed.
761  *
762  * @scontext: security context
763  * @scontext_len: length in bytes
764  * @sid: security identifier, SID
765  * @def_sid: default SID to assign on errror
766  *
767  * Obtains a SID associated with the security context that
768  * has the string representation specified by @scontext.
769  * The default SID is passed to the MLS layer to be used to allow
770  * kernel labeling of the MLS field if the MLS field is not present
771  * (for upgrading to MLS without full relabel).
772  * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
773  * memory is available, or 0 on success.
774  */
775 int security_context_to_sid_default(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid)
776 {
777         return security_context_to_sid_core(scontext, scontext_len,
778                                             sid, def_sid);
779 }
780
781 static int compute_sid_handle_invalid_context(
782         struct context *scontext,
783         struct context *tcontext,
784         u16 tclass,
785         struct context *newcontext)
786 {
787         char *s = NULL, *t = NULL, *n = NULL;
788         u32 slen, tlen, nlen;
789
790         if (context_struct_to_string(scontext, &s, &slen) < 0)
791                 goto out;
792         if (context_struct_to_string(tcontext, &t, &tlen) < 0)
793                 goto out;
794         if (context_struct_to_string(newcontext, &n, &nlen) < 0)
795                 goto out;
796         audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
797                   "security_compute_sid:  invalid context %s"
798                   " for scontext=%s"
799                   " tcontext=%s"
800                   " tclass=%s",
801                   n, s, t, policydb.p_class_val_to_name[tclass-1]);
802 out:
803         kfree(s);
804         kfree(t);
805         kfree(n);
806         if (!selinux_enforcing)
807                 return 0;
808         return -EACCES;
809 }
810
811 static int security_compute_sid(u32 ssid,
812                                 u32 tsid,
813                                 u16 tclass,
814                                 u32 specified,
815                                 u32 *out_sid)
816 {
817         struct context *scontext = NULL, *tcontext = NULL, newcontext;
818         struct role_trans *roletr = NULL;
819         struct avtab_key avkey;
820         struct avtab_datum *avdatum;
821         struct avtab_node *node;
822         int rc = 0;
823
824         if (!ss_initialized) {
825                 switch (tclass) {
826                 case SECCLASS_PROCESS:
827                         *out_sid = ssid;
828                         break;
829                 default:
830                         *out_sid = tsid;
831                         break;
832                 }
833                 goto out;
834         }
835
836         POLICY_RDLOCK;
837
838         scontext = sidtab_search(&sidtab, ssid);
839         if (!scontext) {
840                 printk(KERN_ERR "security_compute_sid:  unrecognized SID %d\n",
841                        ssid);
842                 rc = -EINVAL;
843                 goto out_unlock;
844         }
845         tcontext = sidtab_search(&sidtab, tsid);
846         if (!tcontext) {
847                 printk(KERN_ERR "security_compute_sid:  unrecognized SID %d\n",
848                        tsid);
849                 rc = -EINVAL;
850                 goto out_unlock;
851         }
852
853         context_init(&newcontext);
854
855         /* Set the user identity. */
856         switch (specified) {
857         case AVTAB_TRANSITION:
858         case AVTAB_CHANGE:
859                 /* Use the process user identity. */
860                 newcontext.user = scontext->user;
861                 break;
862         case AVTAB_MEMBER:
863                 /* Use the related object owner. */
864                 newcontext.user = tcontext->user;
865                 break;
866         }
867
868         /* Set the role and type to default values. */
869         switch (tclass) {
870         case SECCLASS_PROCESS:
871                 /* Use the current role and type of process. */
872                 newcontext.role = scontext->role;
873                 newcontext.type = scontext->type;
874                 break;
875         default:
876                 /* Use the well-defined object role. */
877                 newcontext.role = OBJECT_R_VAL;
878                 /* Use the type of the related object. */
879                 newcontext.type = tcontext->type;
880         }
881
882         /* Look for a type transition/member/change rule. */
883         avkey.source_type = scontext->type;
884         avkey.target_type = tcontext->type;
885         avkey.target_class = tclass;
886         avkey.specified = specified;
887         avdatum = avtab_search(&policydb.te_avtab, &avkey);
888
889         /* If no permanent rule, also check for enabled conditional rules */
890         if(!avdatum) {
891                 node = avtab_search_node(&policydb.te_cond_avtab, &avkey);
892                 for (; node != NULL; node = avtab_search_node_next(node, specified)) {
893                         if (node->key.specified & AVTAB_ENABLED) {
894                                 avdatum = &node->datum;
895                                 break;
896                         }
897                 }
898         }
899
900         if (avdatum) {
901                 /* Use the type from the type transition/member/change rule. */
902                 newcontext.type = avdatum->data;
903         }
904
905         /* Check for class-specific changes. */
906         switch (tclass) {
907         case SECCLASS_PROCESS:
908                 if (specified & AVTAB_TRANSITION) {
909                         /* Look for a role transition rule. */
910                         for (roletr = policydb.role_tr; roletr;
911                              roletr = roletr->next) {
912                                 if (roletr->role == scontext->role &&
913                                     roletr->type == tcontext->type) {
914                                         /* Use the role transition rule. */
915                                         newcontext.role = roletr->new_role;
916                                         break;
917                                 }
918                         }
919                 }
920                 break;
921         default:
922                 break;
923         }
924
925         /* Set the MLS attributes.
926            This is done last because it may allocate memory. */
927         rc = mls_compute_sid(scontext, tcontext, tclass, specified, &newcontext);
928         if (rc)
929                 goto out_unlock;
930
931         /* Check the validity of the context. */
932         if (!policydb_context_isvalid(&policydb, &newcontext)) {
933                 rc = compute_sid_handle_invalid_context(scontext,
934                                                         tcontext,
935                                                         tclass,
936                                                         &newcontext);
937                 if (rc)
938                         goto out_unlock;
939         }
940         /* Obtain the sid for the context. */
941         rc = sidtab_context_to_sid(&sidtab, &newcontext, out_sid);
942 out_unlock:
943         POLICY_RDUNLOCK;
944         context_destroy(&newcontext);
945 out:
946         return rc;
947 }
948
949 /**
950  * security_transition_sid - Compute the SID for a new subject/object.
951  * @ssid: source security identifier
952  * @tsid: target security identifier
953  * @tclass: target security class
954  * @out_sid: security identifier for new subject/object
955  *
956  * Compute a SID to use for labeling a new subject or object in the
957  * class @tclass based on a SID pair (@ssid, @tsid).
958  * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
959  * if insufficient memory is available, or %0 if the new SID was
960  * computed successfully.
961  */
962 int security_transition_sid(u32 ssid,
963                             u32 tsid,
964                             u16 tclass,
965                             u32 *out_sid)
966 {
967         return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, out_sid);
968 }
969
970 /**
971  * security_member_sid - Compute the SID for member selection.
972  * @ssid: source security identifier
973  * @tsid: target security identifier
974  * @tclass: target security class
975  * @out_sid: security identifier for selected member
976  *
977  * Compute a SID to use when selecting a member of a polyinstantiated
978  * object of class @tclass based on a SID pair (@ssid, @tsid).
979  * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
980  * if insufficient memory is available, or %0 if the SID was
981  * computed successfully.
982  */
983 int security_member_sid(u32 ssid,
984                         u32 tsid,
985                         u16 tclass,
986                         u32 *out_sid)
987 {
988         return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid);
989 }
990
991 /**
992  * security_change_sid - Compute the SID for object relabeling.
993  * @ssid: source security identifier
994  * @tsid: target security identifier
995  * @tclass: target security class
996  * @out_sid: security identifier for selected member
997  *
998  * Compute a SID to use for relabeling an object of class @tclass
999  * based on a SID pair (@ssid, @tsid).
1000  * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
1001  * if insufficient memory is available, or %0 if the SID was
1002  * computed successfully.
1003  */
1004 int security_change_sid(u32 ssid,
1005                         u32 tsid,
1006                         u16 tclass,
1007                         u32 *out_sid)
1008 {
1009         return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid);
1010 }
1011
1012 /*
1013  * Verify that each permission that is defined under the
1014  * existing policy is still defined with the same value
1015  * in the new policy.
1016  */
1017 static int validate_perm(void *key, void *datum, void *p)
1018 {
1019         struct hashtab *h;
1020         struct perm_datum *perdatum, *perdatum2;
1021         int rc = 0;
1022
1023
1024         h = p;
1025         perdatum = datum;
1026
1027         perdatum2 = hashtab_search(h, key);
1028         if (!perdatum2) {
1029                 printk(KERN_ERR "security:  permission %s disappeared",
1030                        (char *)key);
1031                 rc = -ENOENT;
1032                 goto out;
1033         }
1034         if (perdatum->value != perdatum2->value) {
1035                 printk(KERN_ERR "security:  the value of permission %s changed",
1036                        (char *)key);
1037                 rc = -EINVAL;
1038         }
1039 out:
1040         return rc;
1041 }
1042
1043 /*
1044  * Verify that each class that is defined under the
1045  * existing policy is still defined with the same
1046  * attributes in the new policy.
1047  */
1048 static int validate_class(void *key, void *datum, void *p)
1049 {
1050         struct policydb *newp;
1051         struct class_datum *cladatum, *cladatum2;
1052         int rc;
1053
1054         newp = p;
1055         cladatum = datum;
1056
1057         cladatum2 = hashtab_search(newp->p_classes.table, key);
1058         if (!cladatum2) {
1059                 printk(KERN_ERR "security:  class %s disappeared\n",
1060                        (char *)key);
1061                 rc = -ENOENT;
1062                 goto out;
1063         }
1064         if (cladatum->value != cladatum2->value) {
1065                 printk(KERN_ERR "security:  the value of class %s changed\n",
1066                        (char *)key);
1067                 rc = -EINVAL;
1068                 goto out;
1069         }
1070         if ((cladatum->comdatum && !cladatum2->comdatum) ||
1071             (!cladatum->comdatum && cladatum2->comdatum)) {
1072                 printk(KERN_ERR "security:  the inherits clause for the access "
1073                        "vector definition for class %s changed\n", (char *)key);
1074                 rc = -EINVAL;
1075                 goto out;
1076         }
1077         if (cladatum->comdatum) {
1078                 rc = hashtab_map(cladatum->comdatum->permissions.table, validate_perm,
1079                                  cladatum2->comdatum->permissions.table);
1080                 if (rc) {
1081                         printk(" in the access vector definition for class "
1082                                "%s\n", (char *)key);
1083                         goto out;
1084                 }
1085         }
1086         rc = hashtab_map(cladatum->permissions.table, validate_perm,
1087                          cladatum2->permissions.table);
1088         if (rc)
1089                 printk(" in access vector definition for class %s\n",
1090                        (char *)key);
1091 out:
1092         return rc;
1093 }
1094
1095 /* Clone the SID into the new SID table. */
1096 static int clone_sid(u32 sid,
1097                      struct context *context,
1098                      void *arg)
1099 {
1100         struct sidtab *s = arg;
1101
1102         return sidtab_insert(s, sid, context);
1103 }
1104
1105 static inline int convert_context_handle_invalid_context(struct context *context)
1106 {
1107         int rc = 0;
1108
1109         if (selinux_enforcing) {
1110                 rc = -EINVAL;
1111         } else {
1112                 char *s;
1113                 u32 len;
1114
1115                 context_struct_to_string(context, &s, &len);
1116                 printk(KERN_ERR "security:  context %s is invalid\n", s);
1117                 kfree(s);
1118         }
1119         return rc;
1120 }
1121
1122 struct convert_context_args {
1123         struct policydb *oldp;
1124         struct policydb *newp;
1125 };
1126
1127 /*
1128  * Convert the values in the security context
1129  * structure `c' from the values specified
1130  * in the policy `p->oldp' to the values specified
1131  * in the policy `p->newp'.  Verify that the
1132  * context is valid under the new policy.
1133  */
1134 static int convert_context(u32 key,
1135                            struct context *c,
1136                            void *p)
1137 {
1138         struct convert_context_args *args;
1139         struct context oldc;
1140         struct role_datum *role;
1141         struct type_datum *typdatum;
1142         struct user_datum *usrdatum;
1143         char *s;
1144         u32 len;
1145         int rc;
1146
1147         args = p;
1148
1149         rc = context_cpy(&oldc, c);
1150         if (rc)
1151                 goto out;
1152
1153         rc = -EINVAL;
1154
1155         /* Convert the user. */
1156         usrdatum = hashtab_search(args->newp->p_users.table,
1157                                   args->oldp->p_user_val_to_name[c->user - 1]);
1158         if (!usrdatum) {
1159                 goto bad;
1160         }
1161         c->user = usrdatum->value;
1162
1163         /* Convert the role. */
1164         role = hashtab_search(args->newp->p_roles.table,
1165                               args->oldp->p_role_val_to_name[c->role - 1]);
1166         if (!role) {
1167                 goto bad;
1168         }
1169         c->role = role->value;
1170
1171         /* Convert the type. */
1172         typdatum = hashtab_search(args->newp->p_types.table,
1173                                   args->oldp->p_type_val_to_name[c->type - 1]);
1174         if (!typdatum) {
1175                 goto bad;
1176         }
1177         c->type = typdatum->value;
1178
1179         rc = mls_convert_context(args->oldp, args->newp, c);
1180         if (rc)
1181                 goto bad;
1182
1183         /* Check the validity of the new context. */
1184         if (!policydb_context_isvalid(args->newp, c)) {
1185                 rc = convert_context_handle_invalid_context(&oldc);
1186                 if (rc)
1187                         goto bad;
1188         }
1189
1190         context_destroy(&oldc);
1191 out:
1192         return rc;
1193 bad:
1194         context_struct_to_string(&oldc, &s, &len);
1195         context_destroy(&oldc);
1196         printk(KERN_ERR "security:  invalidating context %s\n", s);
1197         kfree(s);
1198         goto out;
1199 }
1200
1201 extern void selinux_complete_init(void);
1202
1203 /**
1204  * security_load_policy - Load a security policy configuration.
1205  * @data: binary policy data
1206  * @len: length of data in bytes
1207  *
1208  * Load a new set of security policy configuration data,
1209  * validate it and convert the SID table as necessary.
1210  * This function will flush the access vector cache after
1211  * loading the new policy.
1212  */
1213 int security_load_policy(void *data, size_t len)
1214 {
1215         struct policydb oldpolicydb, newpolicydb;
1216         struct sidtab oldsidtab, newsidtab;
1217         struct convert_context_args args;
1218         u32 seqno;
1219         int rc = 0;
1220         struct policy_file file = { data, len }, *fp = &file;
1221
1222         LOAD_LOCK;
1223
1224         if (!ss_initialized) {
1225                 avtab_cache_init();
1226                 if (policydb_read(&policydb, fp)) {
1227                         LOAD_UNLOCK;
1228                         avtab_cache_destroy();
1229                         return -EINVAL;
1230                 }
1231                 if (policydb_load_isids(&policydb, &sidtab)) {
1232                         LOAD_UNLOCK;
1233                         policydb_destroy(&policydb);
1234                         avtab_cache_destroy();
1235                         return -EINVAL;
1236                 }
1237                 policydb_loaded_version = policydb.policyvers;
1238                 ss_initialized = 1;
1239                 seqno = ++latest_granting;
1240                 LOAD_UNLOCK;
1241                 selinux_complete_init();
1242                 avc_ss_reset(seqno);
1243                 selnl_notify_policyload(seqno);
1244                 return 0;
1245         }
1246
1247 #if 0
1248         sidtab_hash_eval(&sidtab, "sids");
1249 #endif
1250
1251         if (policydb_read(&newpolicydb, fp)) {
1252                 LOAD_UNLOCK;
1253                 return -EINVAL;
1254         }
1255
1256         sidtab_init(&newsidtab);
1257
1258         /* Verify that the existing classes did not change. */
1259         if (hashtab_map(policydb.p_classes.table, validate_class, &newpolicydb)) {
1260                 printk(KERN_ERR "security:  the definition of an existing "
1261                        "class changed\n");
1262                 rc = -EINVAL;
1263                 goto err;
1264         }
1265
1266         /* Clone the SID table. */
1267         sidtab_shutdown(&sidtab);
1268         if (sidtab_map(&sidtab, clone_sid, &newsidtab)) {
1269                 rc = -ENOMEM;
1270                 goto err;
1271         }
1272
1273         /* Convert the internal representations of contexts
1274            in the new SID table and remove invalid SIDs. */
1275         args.oldp = &policydb;
1276         args.newp = &newpolicydb;
1277         sidtab_map_remove_on_error(&newsidtab, convert_context, &args);
1278
1279         /* Save the old policydb and SID table to free later. */
1280         memcpy(&oldpolicydb, &policydb, sizeof policydb);
1281         sidtab_set(&oldsidtab, &sidtab);
1282
1283         /* Install the new policydb and SID table. */
1284         POLICY_WRLOCK;
1285         memcpy(&policydb, &newpolicydb, sizeof policydb);
1286         sidtab_set(&sidtab, &newsidtab);
1287         seqno = ++latest_granting;
1288         policydb_loaded_version = policydb.policyvers;
1289         POLICY_WRUNLOCK;
1290         LOAD_UNLOCK;
1291
1292         /* Free the old policydb and SID table. */
1293         policydb_destroy(&oldpolicydb);
1294         sidtab_destroy(&oldsidtab);
1295
1296         avc_ss_reset(seqno);
1297         selnl_notify_policyload(seqno);
1298
1299         return 0;
1300
1301 err:
1302         LOAD_UNLOCK;
1303         sidtab_destroy(&newsidtab);
1304         policydb_destroy(&newpolicydb);
1305         return rc;
1306
1307 }
1308
1309 /**
1310  * security_port_sid - Obtain the SID for a port.
1311  * @domain: communication domain aka address family
1312  * @type: socket type
1313  * @protocol: protocol number
1314  * @port: port number
1315  * @out_sid: security identifier
1316  */
1317 int security_port_sid(u16 domain,
1318                       u16 type,
1319                       u8 protocol,
1320                       u16 port,
1321                       u32 *out_sid)
1322 {
1323         struct ocontext *c;
1324         int rc = 0;
1325
1326         POLICY_RDLOCK;
1327
1328         c = policydb.ocontexts[OCON_PORT];
1329         while (c) {
1330                 if (c->u.port.protocol == protocol &&
1331                     c->u.port.low_port <= port &&
1332                     c->u.port.high_port >= port)
1333                         break;
1334                 c = c->next;
1335         }
1336
1337         if (c) {
1338                 if (!c->sid[0]) {
1339                         rc = sidtab_context_to_sid(&sidtab,
1340                                                    &c->context[0],
1341                                                    &c->sid[0]);
1342                         if (rc)
1343                                 goto out;
1344                 }
1345                 *out_sid = c->sid[0];
1346         } else {
1347                 *out_sid = SECINITSID_PORT;
1348         }
1349
1350 out:
1351         POLICY_RDUNLOCK;
1352         return rc;
1353 }
1354
1355 /**
1356  * security_netif_sid - Obtain the SID for a network interface.
1357  * @name: interface name
1358  * @if_sid: interface SID
1359  * @msg_sid: default SID for received packets
1360  */
1361 int security_netif_sid(char *name,
1362                        u32 *if_sid,
1363                        u32 *msg_sid)
1364 {
1365         int rc = 0;
1366         struct ocontext *c;
1367
1368         POLICY_RDLOCK;
1369
1370         c = policydb.ocontexts[OCON_NETIF];
1371         while (c) {
1372                 if (strcmp(name, c->u.name) == 0)
1373                         break;
1374                 c = c->next;
1375         }
1376
1377         if (c) {
1378                 if (!c->sid[0] || !c->sid[1]) {
1379                         rc = sidtab_context_to_sid(&sidtab,
1380                                                   &c->context[0],
1381                                                   &c->sid[0]);
1382                         if (rc)
1383                                 goto out;
1384                         rc = sidtab_context_to_sid(&sidtab,
1385                                                    &c->context[1],
1386                                                    &c->sid[1]);
1387                         if (rc)
1388                                 goto out;
1389                 }
1390                 *if_sid = c->sid[0];
1391                 *msg_sid = c->sid[1];
1392         } else {
1393                 *if_sid = SECINITSID_NETIF;
1394                 *msg_sid = SECINITSID_NETMSG;
1395         }
1396
1397 out:
1398         POLICY_RDUNLOCK;
1399         return rc;
1400 }
1401
1402 static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask)
1403 {
1404         int i, fail = 0;
1405
1406         for(i = 0; i < 4; i++)
1407                 if(addr[i] != (input[i] & mask[i])) {
1408                         fail = 1;
1409                         break;
1410                 }
1411
1412         return !fail;
1413 }
1414
1415 /**
1416  * security_node_sid - Obtain the SID for a node (host).
1417  * @domain: communication domain aka address family
1418  * @addrp: address
1419  * @addrlen: address length in bytes
1420  * @out_sid: security identifier
1421  */
1422 int security_node_sid(u16 domain,
1423                       void *addrp,
1424                       u32 addrlen,
1425                       u32 *out_sid)
1426 {
1427         int rc = 0;
1428         struct ocontext *c;
1429
1430         POLICY_RDLOCK;
1431
1432         switch (domain) {
1433         case AF_INET: {
1434                 u32 addr;
1435
1436                 if (addrlen != sizeof(u32)) {
1437                         rc = -EINVAL;
1438                         goto out;
1439                 }
1440
1441                 addr = *((u32 *)addrp);
1442
1443                 c = policydb.ocontexts[OCON_NODE];
1444                 while (c) {
1445                         if (c->u.node.addr == (addr & c->u.node.mask))
1446                                 break;
1447                         c = c->next;
1448                 }
1449                 break;
1450         }
1451
1452         case AF_INET6:
1453                 if (addrlen != sizeof(u64) * 2) {
1454                         rc = -EINVAL;
1455                         goto out;
1456                 }
1457                 c = policydb.ocontexts[OCON_NODE6];
1458                 while (c) {
1459                         if (match_ipv6_addrmask(addrp, c->u.node6.addr,
1460                                                 c->u.node6.mask))
1461                                 break;
1462                         c = c->next;
1463                 }
1464                 break;
1465
1466         default:
1467                 *out_sid = SECINITSID_NODE;
1468                 goto out;
1469         }
1470
1471         if (c) {
1472                 if (!c->sid[0]) {
1473                         rc = sidtab_context_to_sid(&sidtab,
1474                                                    &c->context[0],
1475                                                    &c->sid[0]);
1476                         if (rc)
1477                                 goto out;
1478                 }
1479                 *out_sid = c->sid[0];
1480         } else {
1481                 *out_sid = SECINITSID_NODE;
1482         }
1483
1484 out:
1485         POLICY_RDUNLOCK;
1486         return rc;
1487 }
1488
1489 #define SIDS_NEL 25
1490
1491 /**
1492  * security_get_user_sids - Obtain reachable SIDs for a user.
1493  * @fromsid: starting SID
1494  * @username: username
1495  * @sids: array of reachable SIDs for user
1496  * @nel: number of elements in @sids
1497  *
1498  * Generate the set of SIDs for legal security contexts
1499  * for a given user that can be reached by @fromsid.
1500  * Set *@sids to point to a dynamically allocated
1501  * array containing the set of SIDs.  Set *@nel to the
1502  * number of elements in the array.
1503  */
1504
1505 int security_get_user_sids(u32 fromsid,
1506                            char *username,
1507                            u32 **sids,
1508                            u32 *nel)
1509 {
1510         struct context *fromcon, usercon;
1511         u32 *mysids, *mysids2, sid;
1512         u32 mynel = 0, maxnel = SIDS_NEL;
1513         struct user_datum *user;
1514         struct role_datum *role;
1515         struct av_decision avd;
1516         struct ebitmap_node *rnode, *tnode;
1517         int rc = 0, i, j;
1518
1519         if (!ss_initialized) {
1520                 *sids = NULL;
1521                 *nel = 0;
1522                 goto out;
1523         }
1524
1525         POLICY_RDLOCK;
1526
1527         fromcon = sidtab_search(&sidtab, fromsid);
1528         if (!fromcon) {
1529                 rc = -EINVAL;
1530                 goto out_unlock;
1531         }
1532
1533         user = hashtab_search(policydb.p_users.table, username);
1534         if (!user) {
1535                 rc = -EINVAL;
1536                 goto out_unlock;
1537         }
1538         usercon.user = user->value;
1539
1540         mysids = kcalloc(maxnel, sizeof(*mysids), GFP_ATOMIC);
1541         if (!mysids) {
1542                 rc = -ENOMEM;
1543                 goto out_unlock;
1544         }
1545
1546         ebitmap_for_each_bit(&user->roles, rnode, i) {
1547                 if (!ebitmap_node_get_bit(rnode, i))
1548                         continue;
1549                 role = policydb.role_val_to_struct[i];
1550                 usercon.role = i+1;
1551                 ebitmap_for_each_bit(&role->types, tnode, j) {
1552                         if (!ebitmap_node_get_bit(tnode, j))
1553                                 continue;
1554                         usercon.type = j+1;
1555
1556                         if (mls_setup_user_range(fromcon, user, &usercon))
1557                                 continue;
1558
1559                         rc = context_struct_compute_av(fromcon, &usercon,
1560                                                        SECCLASS_PROCESS,
1561                                                        PROCESS__TRANSITION,
1562                                                        &avd);
1563                         if (rc ||  !(avd.allowed & PROCESS__TRANSITION))
1564                                 continue;
1565                         rc = sidtab_context_to_sid(&sidtab, &usercon, &sid);
1566                         if (rc) {
1567                                 kfree(mysids);
1568                                 goto out_unlock;
1569                         }
1570                         if (mynel < maxnel) {
1571                                 mysids[mynel++] = sid;
1572                         } else {
1573                                 maxnel += SIDS_NEL;
1574                                 mysids2 = kcalloc(maxnel, sizeof(*mysids2), GFP_ATOMIC);
1575                                 if (!mysids2) {
1576                                         rc = -ENOMEM;
1577                                         kfree(mysids);
1578                                         goto out_unlock;
1579                                 }
1580                                 memcpy(mysids2, mysids, mynel * sizeof(*mysids2));
1581                                 kfree(mysids);
1582                                 mysids = mysids2;
1583                                 mysids[mynel++] = sid;
1584                         }
1585                 }
1586         }
1587
1588         *sids = mysids;
1589         *nel = mynel;
1590
1591 out_unlock:
1592         POLICY_RDUNLOCK;
1593 out:
1594         return rc;
1595 }
1596
1597 /**
1598  * security_genfs_sid - Obtain a SID for a file in a filesystem
1599  * @fstype: filesystem type
1600  * @path: path from root of mount
1601  * @sclass: file security class
1602  * @sid: SID for path
1603  *
1604  * Obtain a SID to use for a file in a filesystem that
1605  * cannot support xattr or use a fixed labeling behavior like
1606  * transition SIDs or task SIDs.
1607  */
1608 int security_genfs_sid(const char *fstype,
1609                        char *path,
1610                        u16 sclass,
1611                        u32 *sid)
1612 {
1613         int len;
1614         struct genfs *genfs;
1615         struct ocontext *c;
1616         int rc = 0, cmp = 0;
1617
1618         POLICY_RDLOCK;
1619
1620         for (genfs = policydb.genfs; genfs; genfs = genfs->next) {
1621                 cmp = strcmp(fstype, genfs->fstype);
1622                 if (cmp <= 0)
1623                         break;
1624         }
1625
1626         if (!genfs || cmp) {
1627                 *sid = SECINITSID_UNLABELED;
1628                 rc = -ENOENT;
1629                 goto out;
1630         }
1631
1632         for (c = genfs->head; c; c = c->next) {
1633                 len = strlen(c->u.name);
1634                 if ((!c->v.sclass || sclass == c->v.sclass) &&
1635                     (strncmp(c->u.name, path, len) == 0))
1636                         break;
1637         }
1638
1639         if (!c) {
1640                 *sid = SECINITSID_UNLABELED;
1641                 rc = -ENOENT;
1642                 goto out;
1643         }
1644
1645         if (!c->sid[0]) {
1646                 rc = sidtab_context_to_sid(&sidtab,
1647                                            &c->context[0],
1648                                            &c->sid[0]);
1649                 if (rc)
1650                         goto out;
1651         }
1652
1653         *sid = c->sid[0];
1654 out:
1655         POLICY_RDUNLOCK;
1656         return rc;
1657 }
1658
1659 /**
1660  * security_fs_use - Determine how to handle labeling for a filesystem.
1661  * @fstype: filesystem type
1662  * @behavior: labeling behavior
1663  * @sid: SID for filesystem (superblock)
1664  */
1665 int security_fs_use(
1666         const char *fstype,
1667         unsigned int *behavior,
1668         u32 *sid)
1669 {
1670         int rc = 0;
1671         struct ocontext *c;
1672
1673         POLICY_RDLOCK;
1674
1675         c = policydb.ocontexts[OCON_FSUSE];
1676         while (c) {
1677                 if (strcmp(fstype, c->u.name) == 0)
1678                         break;
1679                 c = c->next;
1680         }
1681
1682         if (c) {
1683                 *behavior = c->v.behavior;
1684                 if (!c->sid[0]) {
1685                         rc = sidtab_context_to_sid(&sidtab,
1686                                                    &c->context[0],
1687                                                    &c->sid[0]);
1688                         if (rc)
1689                                 goto out;
1690                 }
1691                 *sid = c->sid[0];
1692         } else {
1693                 rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, sid);
1694                 if (rc) {
1695                         *behavior = SECURITY_FS_USE_NONE;
1696                         rc = 0;
1697                 } else {
1698                         *behavior = SECURITY_FS_USE_GENFS;
1699                 }
1700         }
1701
1702 out:
1703         POLICY_RDUNLOCK;
1704         return rc;
1705 }
1706
1707 int security_get_bools(int *len, char ***names, int **values)
1708 {
1709         int i, rc = -ENOMEM;
1710
1711         POLICY_RDLOCK;
1712         *names = NULL;
1713         *values = NULL;
1714
1715         *len = policydb.p_bools.nprim;
1716         if (!*len) {
1717                 rc = 0;
1718                 goto out;
1719         }
1720
1721        *names = kcalloc(*len, sizeof(char*), GFP_ATOMIC);
1722         if (!*names)
1723                 goto err;
1724
1725        *values = kcalloc(*len, sizeof(int), GFP_ATOMIC);
1726         if (!*values)
1727                 goto err;
1728
1729         for (i = 0; i < *len; i++) {
1730                 size_t name_len;
1731                 (*values)[i] = policydb.bool_val_to_struct[i]->state;
1732                 name_len = strlen(policydb.p_bool_val_to_name[i]) + 1;
1733                (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC);
1734                 if (!(*names)[i])
1735                         goto err;
1736                 strncpy((*names)[i], policydb.p_bool_val_to_name[i], name_len);
1737                 (*names)[i][name_len - 1] = 0;
1738         }
1739         rc = 0;
1740 out:
1741         POLICY_RDUNLOCK;
1742         return rc;
1743 err:
1744         if (*names) {
1745                 for (i = 0; i < *len; i++)
1746                         kfree((*names)[i]);
1747         }
1748         kfree(*values);
1749         goto out;
1750 }
1751
1752
1753 int security_set_bools(int len, int *values)
1754 {
1755         int i, rc = 0;
1756         int lenp, seqno = 0;
1757         struct cond_node *cur;
1758
1759         POLICY_WRLOCK;
1760
1761         lenp = policydb.p_bools.nprim;
1762         if (len != lenp) {
1763                 rc = -EFAULT;
1764                 goto out;
1765         }
1766
1767         for (i = 0; i < len; i++) {
1768                 if (!!values[i] != policydb.bool_val_to_struct[i]->state) {
1769                         audit_log(current->audit_context, GFP_ATOMIC,
1770                                 AUDIT_MAC_CONFIG_CHANGE,
1771                                 "bool=%s val=%d old_val=%d auid=%u",
1772                                 policydb.p_bool_val_to_name[i],
1773                                 !!values[i],
1774                                 policydb.bool_val_to_struct[i]->state,
1775                                 audit_get_loginuid(current->audit_context));
1776                 }
1777                 if (values[i]) {
1778                         policydb.bool_val_to_struct[i]->state = 1;
1779                 } else {
1780                         policydb.bool_val_to_struct[i]->state = 0;
1781                 }
1782         }
1783
1784         for (cur = policydb.cond_list; cur != NULL; cur = cur->next) {
1785                 rc = evaluate_cond_node(&policydb, cur);
1786                 if (rc)
1787                         goto out;
1788         }
1789
1790         seqno = ++latest_granting;
1791
1792 out:
1793         POLICY_WRUNLOCK;
1794         if (!rc) {
1795                 avc_ss_reset(seqno);
1796                 selnl_notify_policyload(seqno);
1797         }
1798         return rc;
1799 }
1800
1801 int security_get_bool_value(int bool)
1802 {
1803         int rc = 0;
1804         int len;
1805
1806         POLICY_RDLOCK;
1807
1808         len = policydb.p_bools.nprim;
1809         if (bool >= len) {
1810                 rc = -EFAULT;
1811                 goto out;
1812         }
1813
1814         rc = policydb.bool_val_to_struct[bool]->state;
1815 out:
1816         POLICY_RDUNLOCK;
1817         return rc;
1818 }
1819
1820 struct selinux_audit_rule {
1821         u32 au_seqno;
1822         struct context au_ctxt;
1823 };
1824
1825 void selinux_audit_rule_free(struct selinux_audit_rule *rule)
1826 {
1827         if (rule) {
1828                 context_destroy(&rule->au_ctxt);
1829                 kfree(rule);
1830         }
1831 }
1832
1833 int selinux_audit_rule_init(u32 field, u32 op, char *rulestr,
1834                             struct selinux_audit_rule **rule)
1835 {
1836         struct selinux_audit_rule *tmprule;
1837         struct role_datum *roledatum;
1838         struct type_datum *typedatum;
1839         struct user_datum *userdatum;
1840         int rc = 0;
1841
1842         *rule = NULL;
1843
1844         if (!ss_initialized)
1845                 return -ENOTSUPP;
1846
1847         switch (field) {
1848         case AUDIT_SE_USER:
1849         case AUDIT_SE_ROLE:
1850         case AUDIT_SE_TYPE:
1851                 /* only 'equals' and 'not equals' fit user, role, and type */
1852                 if (op != AUDIT_EQUAL && op != AUDIT_NOT_EQUAL)
1853                         return -EINVAL;
1854                 break;
1855         case AUDIT_SE_SEN:
1856         case AUDIT_SE_CLR:
1857                 /* we do not allow a range, indicated by the presense of '-' */
1858                 if (strchr(rulestr, '-'))
1859                         return -EINVAL;
1860                 break;
1861         default:
1862                 /* only the above fields are valid */
1863                 return -EINVAL;
1864         }
1865
1866         tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL);
1867         if (!tmprule)
1868                 return -ENOMEM;
1869
1870         context_init(&tmprule->au_ctxt);
1871
1872         POLICY_RDLOCK;
1873
1874         tmprule->au_seqno = latest_granting;
1875
1876         switch (field) {
1877         case AUDIT_SE_USER:
1878                 userdatum = hashtab_search(policydb.p_users.table, rulestr);
1879                 if (!userdatum)
1880                         rc = -EINVAL;
1881                 else
1882                         tmprule->au_ctxt.user = userdatum->value;
1883                 break;
1884         case AUDIT_SE_ROLE:
1885                 roledatum = hashtab_search(policydb.p_roles.table, rulestr);
1886                 if (!roledatum)
1887                         rc = -EINVAL;
1888                 else
1889                         tmprule->au_ctxt.role = roledatum->value;
1890                 break;
1891         case AUDIT_SE_TYPE:
1892                 typedatum = hashtab_search(policydb.p_types.table, rulestr);
1893                 if (!typedatum)
1894                         rc = -EINVAL;
1895                 else
1896                         tmprule->au_ctxt.type = typedatum->value;
1897                 break;
1898         case AUDIT_SE_SEN:
1899         case AUDIT_SE_CLR:
1900                 rc = mls_from_string(rulestr, &tmprule->au_ctxt, GFP_ATOMIC);
1901                 break;
1902         }
1903
1904         POLICY_RDUNLOCK;
1905
1906         if (rc) {
1907                 selinux_audit_rule_free(tmprule);
1908                 tmprule = NULL;
1909         }
1910
1911         *rule = tmprule;
1912
1913         return rc;
1914 }
1915
1916 int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op,
1917                              struct selinux_audit_rule *rule,
1918                              struct audit_context *actx)
1919 {
1920         struct context *ctxt;
1921         struct mls_level *level;
1922         int match = 0;
1923
1924         if (!rule) {
1925                 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
1926                           "selinux_audit_rule_match: missing rule\n");
1927                 return -ENOENT;
1928         }
1929
1930         POLICY_RDLOCK;
1931
1932         if (rule->au_seqno < latest_granting) {
1933                 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
1934                           "selinux_audit_rule_match: stale rule\n");
1935                 match = -ESTALE;
1936                 goto out;
1937         }
1938
1939         ctxt = sidtab_search(&sidtab, ctxid);
1940         if (!ctxt) {
1941                 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
1942                           "selinux_audit_rule_match: unrecognized SID %d\n",
1943                           ctxid);
1944                 match = -ENOENT;
1945                 goto out;
1946         }
1947
1948         /* a field/op pair that is not caught here will simply fall through
1949            without a match */
1950         switch (field) {
1951         case AUDIT_SE_USER:
1952                 switch (op) {
1953                 case AUDIT_EQUAL:
1954                         match = (ctxt->user == rule->au_ctxt.user);
1955                         break;
1956                 case AUDIT_NOT_EQUAL:
1957                         match = (ctxt->user != rule->au_ctxt.user);
1958                         break;
1959                 }
1960                 break;
1961         case AUDIT_SE_ROLE:
1962                 switch (op) {
1963                 case AUDIT_EQUAL:
1964                         match = (ctxt->role == rule->au_ctxt.role);
1965                         break;
1966                 case AUDIT_NOT_EQUAL:
1967                         match = (ctxt->role != rule->au_ctxt.role);
1968                         break;
1969                 }
1970                 break;
1971         case AUDIT_SE_TYPE:
1972                 switch (op) {
1973                 case AUDIT_EQUAL:
1974                         match = (ctxt->type == rule->au_ctxt.type);
1975                         break;
1976                 case AUDIT_NOT_EQUAL:
1977                         match = (ctxt->type != rule->au_ctxt.type);
1978                         break;
1979                 }
1980                 break;
1981         case AUDIT_SE_SEN:
1982         case AUDIT_SE_CLR:
1983                 level = (field == AUDIT_SE_SEN ?
1984                          &ctxt->range.level[0] : &ctxt->range.level[1]);
1985                 switch (op) {
1986                 case AUDIT_EQUAL:
1987                         match = mls_level_eq(&rule->au_ctxt.range.level[0],
1988                                              level);
1989                         break;
1990                 case AUDIT_NOT_EQUAL:
1991                         match = !mls_level_eq(&rule->au_ctxt.range.level[0],
1992                                               level);
1993                         break;
1994                 case AUDIT_LESS_THAN:
1995                         match = (mls_level_dom(&rule->au_ctxt.range.level[0],
1996                                                level) &&
1997                                  !mls_level_eq(&rule->au_ctxt.range.level[0],
1998                                                level));
1999                         break;
2000                 case AUDIT_LESS_THAN_OR_EQUAL:
2001                         match = mls_level_dom(&rule->au_ctxt.range.level[0],
2002                                               level);
2003                         break;
2004                 case AUDIT_GREATER_THAN:
2005                         match = (mls_level_dom(level,
2006                                               &rule->au_ctxt.range.level[0]) &&
2007                                  !mls_level_eq(level,
2008                                                &rule->au_ctxt.range.level[0]));
2009                         break;
2010                 case AUDIT_GREATER_THAN_OR_EQUAL:
2011                         match = mls_level_dom(level,
2012                                               &rule->au_ctxt.range.level[0]);
2013                         break;
2014                 }
2015         }
2016
2017 out:
2018         POLICY_RDUNLOCK;
2019         return match;
2020 }
2021
2022 static int (*aurule_callback)(void) = NULL;
2023
2024 static int aurule_avc_callback(u32 event, u32 ssid, u32 tsid,
2025                                u16 class, u32 perms, u32 *retained)
2026 {
2027         int err = 0;
2028
2029         if (event == AVC_CALLBACK_RESET && aurule_callback)
2030                 err = aurule_callback();
2031         return err;
2032 }
2033
2034 static int __init aurule_init(void)
2035 {
2036         int err;
2037
2038         err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET,
2039                                SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
2040         if (err)
2041                 panic("avc_add_callback() failed, error %d\n", err);
2042
2043         return err;
2044 }
2045 __initcall(aurule_init);
2046
2047 void selinux_audit_set_callback(int (*callback)(void))
2048 {
2049         aurule_callback = callback;
2050 }