Merge with http://kernel.org/pub/scm/linux/kernel/git/torvalds/linux-2.6.git
[linux-2.6] / security / selinux / ss / services.c
1 /*
2  * Implementation of the security services.
3  *
4  * Authors : Stephen Smalley, <sds@epoch.ncsc.mil>
5  *           James Morris <jmorris@redhat.com>
6  *
7  * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
8  *
9  *      Support for enhanced MLS infrastructure.
10  *
11  * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
12  *
13  *      Added conditional policy language extensions
14  *
15  * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
16  * Copyright (C) 2003 - 2004 Tresys Technology, LLC
17  * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
18  *      This program is free software; you can redistribute it and/or modify
19  *      it under the terms of the GNU General Public License as published by
20  *      the Free Software Foundation, version 2.
21  */
22 #include <linux/kernel.h>
23 #include <linux/slab.h>
24 #include <linux/string.h>
25 #include <linux/spinlock.h>
26 #include <linux/errno.h>
27 #include <linux/in.h>
28 #include <linux/sched.h>
29 #include <linux/audit.h>
30 #include <asm/semaphore.h>
31 #include "flask.h"
32 #include "avc.h"
33 #include "avc_ss.h"
34 #include "security.h"
35 #include "context.h"
36 #include "policydb.h"
37 #include "sidtab.h"
38 #include "services.h"
39 #include "conditional.h"
40 #include "mls.h"
41
42 extern void selnl_notify_policyload(u32 seqno);
43 unsigned int policydb_loaded_version;
44
45 static DEFINE_RWLOCK(policy_rwlock);
46 #define POLICY_RDLOCK read_lock(&policy_rwlock)
47 #define POLICY_WRLOCK write_lock_irq(&policy_rwlock)
48 #define POLICY_RDUNLOCK read_unlock(&policy_rwlock)
49 #define POLICY_WRUNLOCK write_unlock_irq(&policy_rwlock)
50
51 static DECLARE_MUTEX(load_sem);
52 #define LOAD_LOCK down(&load_sem)
53 #define LOAD_UNLOCK up(&load_sem)
54
55 static struct sidtab sidtab;
56 struct policydb policydb;
57 int ss_initialized = 0;
58
59 /*
60  * The largest sequence number that has been used when
61  * providing an access decision to the access vector cache.
62  * The sequence number only changes when a policy change
63  * occurs.
64  */
65 static u32 latest_granting = 0;
66
67 /* Forward declaration. */
68 static int context_struct_to_string(struct context *context, char **scontext,
69                                     u32 *scontext_len);
70
71 /*
72  * Return the boolean value of a constraint expression
73  * when it is applied to the specified source and target
74  * security contexts.
75  *
76  * xcontext is a special beast...  It is used by the validatetrans rules
77  * only.  For these rules, scontext is the context before the transition,
78  * tcontext is the context after the transition, and xcontext is the context
79  * of the process performing the transition.  All other callers of
80  * constraint_expr_eval should pass in NULL for xcontext.
81  */
82 static int constraint_expr_eval(struct context *scontext,
83                                 struct context *tcontext,
84                                 struct context *xcontext,
85                                 struct constraint_expr *cexpr)
86 {
87         u32 val1, val2;
88         struct context *c;
89         struct role_datum *r1, *r2;
90         struct mls_level *l1, *l2;
91         struct constraint_expr *e;
92         int s[CEXPR_MAXDEPTH];
93         int sp = -1;
94
95         for (e = cexpr; e; e = e->next) {
96                 switch (e->expr_type) {
97                 case CEXPR_NOT:
98                         BUG_ON(sp < 0);
99                         s[sp] = !s[sp];
100                         break;
101                 case CEXPR_AND:
102                         BUG_ON(sp < 1);
103                         sp--;
104                         s[sp] &= s[sp+1];
105                         break;
106                 case CEXPR_OR:
107                         BUG_ON(sp < 1);
108                         sp--;
109                         s[sp] |= s[sp+1];
110                         break;
111                 case CEXPR_ATTR:
112                         if (sp == (CEXPR_MAXDEPTH-1))
113                                 return 0;
114                         switch (e->attr) {
115                         case CEXPR_USER:
116                                 val1 = scontext->user;
117                                 val2 = tcontext->user;
118                                 break;
119                         case CEXPR_TYPE:
120                                 val1 = scontext->type;
121                                 val2 = tcontext->type;
122                                 break;
123                         case CEXPR_ROLE:
124                                 val1 = scontext->role;
125                                 val2 = tcontext->role;
126                                 r1 = policydb.role_val_to_struct[val1 - 1];
127                                 r2 = policydb.role_val_to_struct[val2 - 1];
128                                 switch (e->op) {
129                                 case CEXPR_DOM:
130                                         s[++sp] = ebitmap_get_bit(&r1->dominates,
131                                                                   val2 - 1);
132                                         continue;
133                                 case CEXPR_DOMBY:
134                                         s[++sp] = ebitmap_get_bit(&r2->dominates,
135                                                                   val1 - 1);
136                                         continue;
137                                 case CEXPR_INCOMP:
138                                         s[++sp] = ( !ebitmap_get_bit(&r1->dominates,
139                                                                      val2 - 1) &&
140                                                     !ebitmap_get_bit(&r2->dominates,
141                                                                      val1 - 1) );
142                                         continue;
143                                 default:
144                                         break;
145                                 }
146                                 break;
147                         case CEXPR_L1L2:
148                                 l1 = &(scontext->range.level[0]);
149                                 l2 = &(tcontext->range.level[0]);
150                                 goto mls_ops;
151                         case CEXPR_L1H2:
152                                 l1 = &(scontext->range.level[0]);
153                                 l2 = &(tcontext->range.level[1]);
154                                 goto mls_ops;
155                         case CEXPR_H1L2:
156                                 l1 = &(scontext->range.level[1]);
157                                 l2 = &(tcontext->range.level[0]);
158                                 goto mls_ops;
159                         case CEXPR_H1H2:
160                                 l1 = &(scontext->range.level[1]);
161                                 l2 = &(tcontext->range.level[1]);
162                                 goto mls_ops;
163                         case CEXPR_L1H1:
164                                 l1 = &(scontext->range.level[0]);
165                                 l2 = &(scontext->range.level[1]);
166                                 goto mls_ops;
167                         case CEXPR_L2H2:
168                                 l1 = &(tcontext->range.level[0]);
169                                 l2 = &(tcontext->range.level[1]);
170                                 goto mls_ops;
171 mls_ops:
172                         switch (e->op) {
173                         case CEXPR_EQ:
174                                 s[++sp] = mls_level_eq(l1, l2);
175                                 continue;
176                         case CEXPR_NEQ:
177                                 s[++sp] = !mls_level_eq(l1, l2);
178                                 continue;
179                         case CEXPR_DOM:
180                                 s[++sp] = mls_level_dom(l1, l2);
181                                 continue;
182                         case CEXPR_DOMBY:
183                                 s[++sp] = mls_level_dom(l2, l1);
184                                 continue;
185                         case CEXPR_INCOMP:
186                                 s[++sp] = mls_level_incomp(l2, l1);
187                                 continue;
188                         default:
189                                 BUG();
190                                 return 0;
191                         }
192                         break;
193                         default:
194                                 BUG();
195                                 return 0;
196                         }
197
198                         switch (e->op) {
199                         case CEXPR_EQ:
200                                 s[++sp] = (val1 == val2);
201                                 break;
202                         case CEXPR_NEQ:
203                                 s[++sp] = (val1 != val2);
204                                 break;
205                         default:
206                                 BUG();
207                                 return 0;
208                         }
209                         break;
210                 case CEXPR_NAMES:
211                         if (sp == (CEXPR_MAXDEPTH-1))
212                                 return 0;
213                         c = scontext;
214                         if (e->attr & CEXPR_TARGET)
215                                 c = tcontext;
216                         else if (e->attr & CEXPR_XTARGET) {
217                                 c = xcontext;
218                                 if (!c) {
219                                         BUG();
220                                         return 0;
221                                 }
222                         }
223                         if (e->attr & CEXPR_USER)
224                                 val1 = c->user;
225                         else if (e->attr & CEXPR_ROLE)
226                                 val1 = c->role;
227                         else if (e->attr & CEXPR_TYPE)
228                                 val1 = c->type;
229                         else {
230                                 BUG();
231                                 return 0;
232                         }
233
234                         switch (e->op) {
235                         case CEXPR_EQ:
236                                 s[++sp] = ebitmap_get_bit(&e->names, val1 - 1);
237                                 break;
238                         case CEXPR_NEQ:
239                                 s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1);
240                                 break;
241                         default:
242                                 BUG();
243                                 return 0;
244                         }
245                         break;
246                 default:
247                         BUG();
248                         return 0;
249                 }
250         }
251
252         BUG_ON(sp != 0);
253         return s[0];
254 }
255
256 /*
257  * Compute access vectors based on a context structure pair for
258  * the permissions in a particular class.
259  */
260 static int context_struct_compute_av(struct context *scontext,
261                                      struct context *tcontext,
262                                      u16 tclass,
263                                      u32 requested,
264                                      struct av_decision *avd)
265 {
266         struct constraint_node *constraint;
267         struct role_allow *ra;
268         struct avtab_key avkey;
269         struct avtab_node *node;
270         struct class_datum *tclass_datum;
271         struct ebitmap *sattr, *tattr;
272         struct ebitmap_node *snode, *tnode;
273         unsigned int i, j;
274
275         /*
276          * Remap extended Netlink classes for old policy versions.
277          * Do this here rather than socket_type_to_security_class()
278          * in case a newer policy version is loaded, allowing sockets
279          * to remain in the correct class.
280          */
281         if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
282                 if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&
283                     tclass <= SECCLASS_NETLINK_DNRT_SOCKET)
284                         tclass = SECCLASS_NETLINK_SOCKET;
285
286         if (!tclass || tclass > policydb.p_classes.nprim) {
287                 printk(KERN_ERR "security_compute_av:  unrecognized class %d\n",
288                        tclass);
289                 return -EINVAL;
290         }
291         tclass_datum = policydb.class_val_to_struct[tclass - 1];
292
293         /*
294          * Initialize the access vectors to the default values.
295          */
296         avd->allowed = 0;
297         avd->decided = 0xffffffff;
298         avd->auditallow = 0;
299         avd->auditdeny = 0xffffffff;
300         avd->seqno = latest_granting;
301
302         /*
303          * If a specific type enforcement rule was defined for
304          * this permission check, then use it.
305          */
306         avkey.target_class = tclass;
307         avkey.specified = AVTAB_AV;
308         sattr = &policydb.type_attr_map[scontext->type - 1];
309         tattr = &policydb.type_attr_map[tcontext->type - 1];
310         ebitmap_for_each_bit(sattr, snode, i) {
311                 if (!ebitmap_node_get_bit(snode, i))
312                         continue;
313                 ebitmap_for_each_bit(tattr, tnode, j) {
314                         if (!ebitmap_node_get_bit(tnode, j))
315                                 continue;
316                         avkey.source_type = i + 1;
317                         avkey.target_type = j + 1;
318                         for (node = avtab_search_node(&policydb.te_avtab, &avkey);
319                              node != NULL;
320                              node = avtab_search_node_next(node, avkey.specified)) {
321                                 if (node->key.specified == AVTAB_ALLOWED)
322                                         avd->allowed |= node->datum.data;
323                                 else if (node->key.specified == AVTAB_AUDITALLOW)
324                                         avd->auditallow |= node->datum.data;
325                                 else if (node->key.specified == AVTAB_AUDITDENY)
326                                         avd->auditdeny &= node->datum.data;
327                         }
328
329                         /* Check conditional av table for additional permissions */
330                         cond_compute_av(&policydb.te_cond_avtab, &avkey, avd);
331
332                 }
333         }
334
335         /*
336          * Remove any permissions prohibited by a constraint (this includes
337          * the MLS policy).
338          */
339         constraint = tclass_datum->constraints;
340         while (constraint) {
341                 if ((constraint->permissions & (avd->allowed)) &&
342                     !constraint_expr_eval(scontext, tcontext, NULL,
343                                           constraint->expr)) {
344                         avd->allowed = (avd->allowed) & ~(constraint->permissions);
345                 }
346                 constraint = constraint->next;
347         }
348
349         /*
350          * If checking process transition permission and the
351          * role is changing, then check the (current_role, new_role)
352          * pair.
353          */
354         if (tclass == SECCLASS_PROCESS &&
355             (avd->allowed & (PROCESS__TRANSITION | PROCESS__DYNTRANSITION)) &&
356             scontext->role != tcontext->role) {
357                 for (ra = policydb.role_allow; ra; ra = ra->next) {
358                         if (scontext->role == ra->role &&
359                             tcontext->role == ra->new_role)
360                                 break;
361                 }
362                 if (!ra)
363                         avd->allowed = (avd->allowed) & ~(PROCESS__TRANSITION |
364                                                         PROCESS__DYNTRANSITION);
365         }
366
367         return 0;
368 }
369
370 static int security_validtrans_handle_fail(struct context *ocontext,
371                                            struct context *ncontext,
372                                            struct context *tcontext,
373                                            u16 tclass)
374 {
375         char *o = NULL, *n = NULL, *t = NULL;
376         u32 olen, nlen, tlen;
377
378         if (context_struct_to_string(ocontext, &o, &olen) < 0)
379                 goto out;
380         if (context_struct_to_string(ncontext, &n, &nlen) < 0)
381                 goto out;
382         if (context_struct_to_string(tcontext, &t, &tlen) < 0)
383                 goto out;
384         audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
385                   "security_validate_transition:  denied for"
386                   " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
387                   o, n, t, policydb.p_class_val_to_name[tclass-1]);
388 out:
389         kfree(o);
390         kfree(n);
391         kfree(t);
392
393         if (!selinux_enforcing)
394                 return 0;
395         return -EPERM;
396 }
397
398 int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
399                                  u16 tclass)
400 {
401         struct context *ocontext;
402         struct context *ncontext;
403         struct context *tcontext;
404         struct class_datum *tclass_datum;
405         struct constraint_node *constraint;
406         int rc = 0;
407
408         if (!ss_initialized)
409                 return 0;
410
411         POLICY_RDLOCK;
412
413         /*
414          * Remap extended Netlink classes for old policy versions.
415          * Do this here rather than socket_type_to_security_class()
416          * in case a newer policy version is loaded, allowing sockets
417          * to remain in the correct class.
418          */
419         if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
420                 if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&
421                     tclass <= SECCLASS_NETLINK_DNRT_SOCKET)
422                         tclass = SECCLASS_NETLINK_SOCKET;
423
424         if (!tclass || tclass > policydb.p_classes.nprim) {
425                 printk(KERN_ERR "security_validate_transition:  "
426                        "unrecognized class %d\n", tclass);
427                 rc = -EINVAL;
428                 goto out;
429         }
430         tclass_datum = policydb.class_val_to_struct[tclass - 1];
431
432         ocontext = sidtab_search(&sidtab, oldsid);
433         if (!ocontext) {
434                 printk(KERN_ERR "security_validate_transition: "
435                        " unrecognized SID %d\n", oldsid);
436                 rc = -EINVAL;
437                 goto out;
438         }
439
440         ncontext = sidtab_search(&sidtab, newsid);
441         if (!ncontext) {
442                 printk(KERN_ERR "security_validate_transition: "
443                        " unrecognized SID %d\n", newsid);
444                 rc = -EINVAL;
445                 goto out;
446         }
447
448         tcontext = sidtab_search(&sidtab, tasksid);
449         if (!tcontext) {
450                 printk(KERN_ERR "security_validate_transition: "
451                        " unrecognized SID %d\n", tasksid);
452                 rc = -EINVAL;
453                 goto out;
454         }
455
456         constraint = tclass_datum->validatetrans;
457         while (constraint) {
458                 if (!constraint_expr_eval(ocontext, ncontext, tcontext,
459                                           constraint->expr)) {
460                         rc = security_validtrans_handle_fail(ocontext, ncontext,
461                                                              tcontext, tclass);
462                         goto out;
463                 }
464                 constraint = constraint->next;
465         }
466
467 out:
468         POLICY_RDUNLOCK;
469         return rc;
470 }
471
472 /**
473  * security_compute_av - Compute access vector decisions.
474  * @ssid: source security identifier
475  * @tsid: target security identifier
476  * @tclass: target security class
477  * @requested: requested permissions
478  * @avd: access vector decisions
479  *
480  * Compute a set of access vector decisions based on the
481  * SID pair (@ssid, @tsid) for the permissions in @tclass.
482  * Return -%EINVAL if any of the parameters are invalid or %0
483  * if the access vector decisions were computed successfully.
484  */
485 int security_compute_av(u32 ssid,
486                         u32 tsid,
487                         u16 tclass,
488                         u32 requested,
489                         struct av_decision *avd)
490 {
491         struct context *scontext = NULL, *tcontext = NULL;
492         int rc = 0;
493
494         if (!ss_initialized) {
495                 avd->allowed = 0xffffffff;
496                 avd->decided = 0xffffffff;
497                 avd->auditallow = 0;
498                 avd->auditdeny = 0xffffffff;
499                 avd->seqno = latest_granting;
500                 return 0;
501         }
502
503         POLICY_RDLOCK;
504
505         scontext = sidtab_search(&sidtab, ssid);
506         if (!scontext) {
507                 printk(KERN_ERR "security_compute_av:  unrecognized SID %d\n",
508                        ssid);
509                 rc = -EINVAL;
510                 goto out;
511         }
512         tcontext = sidtab_search(&sidtab, tsid);
513         if (!tcontext) {
514                 printk(KERN_ERR "security_compute_av:  unrecognized SID %d\n",
515                        tsid);
516                 rc = -EINVAL;
517                 goto out;
518         }
519
520         rc = context_struct_compute_av(scontext, tcontext, tclass,
521                                        requested, avd);
522 out:
523         POLICY_RDUNLOCK;
524         return rc;
525 }
526
527 /*
528  * Write the security context string representation of
529  * the context structure `context' into a dynamically
530  * allocated string of the correct size.  Set `*scontext'
531  * to point to this string and set `*scontext_len' to
532  * the length of the string.
533  */
534 static int context_struct_to_string(struct context *context, char **scontext, u32 *scontext_len)
535 {
536         char *scontextp;
537
538         *scontext = NULL;
539         *scontext_len = 0;
540
541         /* Compute the size of the context. */
542         *scontext_len += strlen(policydb.p_user_val_to_name[context->user - 1]) + 1;
543         *scontext_len += strlen(policydb.p_role_val_to_name[context->role - 1]) + 1;
544         *scontext_len += strlen(policydb.p_type_val_to_name[context->type - 1]) + 1;
545         *scontext_len += mls_compute_context_len(context);
546
547         /* Allocate space for the context; caller must free this space. */
548         scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
549         if (!scontextp) {
550                 return -ENOMEM;
551         }
552         *scontext = scontextp;
553
554         /*
555          * Copy the user name, role name and type name into the context.
556          */
557         sprintf(scontextp, "%s:%s:%s",
558                 policydb.p_user_val_to_name[context->user - 1],
559                 policydb.p_role_val_to_name[context->role - 1],
560                 policydb.p_type_val_to_name[context->type - 1]);
561         scontextp += strlen(policydb.p_user_val_to_name[context->user - 1]) +
562                      1 + strlen(policydb.p_role_val_to_name[context->role - 1]) +
563                      1 + strlen(policydb.p_type_val_to_name[context->type - 1]);
564
565         mls_sid_to_context(context, &scontextp);
566
567         *scontextp = 0;
568
569         return 0;
570 }
571
572 #include "initial_sid_to_string.h"
573
574 /**
575  * security_sid_to_context - Obtain a context for a given SID.
576  * @sid: security identifier, SID
577  * @scontext: security context
578  * @scontext_len: length in bytes
579  *
580  * Write the string representation of the context associated with @sid
581  * into a dynamically allocated string of the correct size.  Set @scontext
582  * to point to this string and set @scontext_len to the length of the string.
583  */
584 int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
585 {
586         struct context *context;
587         int rc = 0;
588
589         if (!ss_initialized) {
590                 if (sid <= SECINITSID_NUM) {
591                         char *scontextp;
592
593                         *scontext_len = strlen(initial_sid_to_string[sid]) + 1;
594                         scontextp = kmalloc(*scontext_len,GFP_ATOMIC);
595                         strcpy(scontextp, initial_sid_to_string[sid]);
596                         *scontext = scontextp;
597                         goto out;
598                 }
599                 printk(KERN_ERR "security_sid_to_context:  called before initial "
600                        "load_policy on unknown SID %d\n", sid);
601                 rc = -EINVAL;
602                 goto out;
603         }
604         POLICY_RDLOCK;
605         context = sidtab_search(&sidtab, sid);
606         if (!context) {
607                 printk(KERN_ERR "security_sid_to_context:  unrecognized SID "
608                        "%d\n", sid);
609                 rc = -EINVAL;
610                 goto out_unlock;
611         }
612         rc = context_struct_to_string(context, scontext, scontext_len);
613 out_unlock:
614         POLICY_RDUNLOCK;
615 out:
616         return rc;
617
618 }
619
620 static int security_context_to_sid_core(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid)
621 {
622         char *scontext2;
623         struct context context;
624         struct role_datum *role;
625         struct type_datum *typdatum;
626         struct user_datum *usrdatum;
627         char *scontextp, *p, oldc;
628         int rc = 0;
629
630         if (!ss_initialized) {
631                 int i;
632
633                 for (i = 1; i < SECINITSID_NUM; i++) {
634                         if (!strcmp(initial_sid_to_string[i], scontext)) {
635                                 *sid = i;
636                                 goto out;
637                         }
638                 }
639                 *sid = SECINITSID_KERNEL;
640                 goto out;
641         }
642         *sid = SECSID_NULL;
643
644         /* Copy the string so that we can modify the copy as we parse it.
645            The string should already by null terminated, but we append a
646            null suffix to the copy to avoid problems with the existing
647            attr package, which doesn't view the null terminator as part
648            of the attribute value. */
649         scontext2 = kmalloc(scontext_len+1,GFP_KERNEL);
650         if (!scontext2) {
651                 rc = -ENOMEM;
652                 goto out;
653         }
654         memcpy(scontext2, scontext, scontext_len);
655         scontext2[scontext_len] = 0;
656
657         context_init(&context);
658         *sid = SECSID_NULL;
659
660         POLICY_RDLOCK;
661
662         /* Parse the security context. */
663
664         rc = -EINVAL;
665         scontextp = (char *) scontext2;
666
667         /* Extract the user. */
668         p = scontextp;
669         while (*p && *p != ':')
670                 p++;
671
672         if (*p == 0)
673                 goto out_unlock;
674
675         *p++ = 0;
676
677         usrdatum = hashtab_search(policydb.p_users.table, scontextp);
678         if (!usrdatum)
679                 goto out_unlock;
680
681         context.user = usrdatum->value;
682
683         /* Extract role. */
684         scontextp = p;
685         while (*p && *p != ':')
686                 p++;
687
688         if (*p == 0)
689                 goto out_unlock;
690
691         *p++ = 0;
692
693         role = hashtab_search(policydb.p_roles.table, scontextp);
694         if (!role)
695                 goto out_unlock;
696         context.role = role->value;
697
698         /* Extract type. */
699         scontextp = p;
700         while (*p && *p != ':')
701                 p++;
702         oldc = *p;
703         *p++ = 0;
704
705         typdatum = hashtab_search(policydb.p_types.table, scontextp);
706         if (!typdatum)
707                 goto out_unlock;
708
709         context.type = typdatum->value;
710
711         rc = mls_context_to_sid(oldc, &p, &context, &sidtab, def_sid);
712         if (rc)
713                 goto out_unlock;
714
715         if ((p - scontext2) < scontext_len) {
716                 rc = -EINVAL;
717                 goto out_unlock;
718         }
719
720         /* Check the validity of the new context. */
721         if (!policydb_context_isvalid(&policydb, &context)) {
722                 rc = -EINVAL;
723                 goto out_unlock;
724         }
725         /* Obtain the new sid. */
726         rc = sidtab_context_to_sid(&sidtab, &context, sid);
727 out_unlock:
728         POLICY_RDUNLOCK;
729         context_destroy(&context);
730         kfree(scontext2);
731 out:
732         return rc;
733 }
734
735 /**
736  * security_context_to_sid - Obtain a SID for a given security context.
737  * @scontext: security context
738  * @scontext_len: length in bytes
739  * @sid: security identifier, SID
740  *
741  * Obtains a SID associated with the security context that
742  * has the string representation specified by @scontext.
743  * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
744  * memory is available, or 0 on success.
745  */
746 int security_context_to_sid(char *scontext, u32 scontext_len, u32 *sid)
747 {
748         return security_context_to_sid_core(scontext, scontext_len,
749                                             sid, SECSID_NULL);
750 }
751
752 /**
753  * security_context_to_sid_default - Obtain a SID for a given security context,
754  * falling back to specified default if needed.
755  *
756  * @scontext: security context
757  * @scontext_len: length in bytes
758  * @sid: security identifier, SID
759  * @def_sid: default SID to assign on errror
760  *
761  * Obtains a SID associated with the security context that
762  * has the string representation specified by @scontext.
763  * The default SID is passed to the MLS layer to be used to allow
764  * kernel labeling of the MLS field if the MLS field is not present
765  * (for upgrading to MLS without full relabel).
766  * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
767  * memory is available, or 0 on success.
768  */
769 int security_context_to_sid_default(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid)
770 {
771         return security_context_to_sid_core(scontext, scontext_len,
772                                             sid, def_sid);
773 }
774
775 static int compute_sid_handle_invalid_context(
776         struct context *scontext,
777         struct context *tcontext,
778         u16 tclass,
779         struct context *newcontext)
780 {
781         char *s = NULL, *t = NULL, *n = NULL;
782         u32 slen, tlen, nlen;
783
784         if (context_struct_to_string(scontext, &s, &slen) < 0)
785                 goto out;
786         if (context_struct_to_string(tcontext, &t, &tlen) < 0)
787                 goto out;
788         if (context_struct_to_string(newcontext, &n, &nlen) < 0)
789                 goto out;
790         audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
791                   "security_compute_sid:  invalid context %s"
792                   " for scontext=%s"
793                   " tcontext=%s"
794                   " tclass=%s",
795                   n, s, t, policydb.p_class_val_to_name[tclass-1]);
796 out:
797         kfree(s);
798         kfree(t);
799         kfree(n);
800         if (!selinux_enforcing)
801                 return 0;
802         return -EACCES;
803 }
804
805 static int security_compute_sid(u32 ssid,
806                                 u32 tsid,
807                                 u16 tclass,
808                                 u32 specified,
809                                 u32 *out_sid)
810 {
811         struct context *scontext = NULL, *tcontext = NULL, newcontext;
812         struct role_trans *roletr = NULL;
813         struct avtab_key avkey;
814         struct avtab_datum *avdatum;
815         struct avtab_node *node;
816         int rc = 0;
817
818         if (!ss_initialized) {
819                 switch (tclass) {
820                 case SECCLASS_PROCESS:
821                         *out_sid = ssid;
822                         break;
823                 default:
824                         *out_sid = tsid;
825                         break;
826                 }
827                 goto out;
828         }
829
830         POLICY_RDLOCK;
831
832         scontext = sidtab_search(&sidtab, ssid);
833         if (!scontext) {
834                 printk(KERN_ERR "security_compute_sid:  unrecognized SID %d\n",
835                        ssid);
836                 rc = -EINVAL;
837                 goto out_unlock;
838         }
839         tcontext = sidtab_search(&sidtab, tsid);
840         if (!tcontext) {
841                 printk(KERN_ERR "security_compute_sid:  unrecognized SID %d\n",
842                        tsid);
843                 rc = -EINVAL;
844                 goto out_unlock;
845         }
846
847         context_init(&newcontext);
848
849         /* Set the user identity. */
850         switch (specified) {
851         case AVTAB_TRANSITION:
852         case AVTAB_CHANGE:
853                 /* Use the process user identity. */
854                 newcontext.user = scontext->user;
855                 break;
856         case AVTAB_MEMBER:
857                 /* Use the related object owner. */
858                 newcontext.user = tcontext->user;
859                 break;
860         }
861
862         /* Set the role and type to default values. */
863         switch (tclass) {
864         case SECCLASS_PROCESS:
865                 /* Use the current role and type of process. */
866                 newcontext.role = scontext->role;
867                 newcontext.type = scontext->type;
868                 break;
869         default:
870                 /* Use the well-defined object role. */
871                 newcontext.role = OBJECT_R_VAL;
872                 /* Use the type of the related object. */
873                 newcontext.type = tcontext->type;
874         }
875
876         /* Look for a type transition/member/change rule. */
877         avkey.source_type = scontext->type;
878         avkey.target_type = tcontext->type;
879         avkey.target_class = tclass;
880         avkey.specified = specified;
881         avdatum = avtab_search(&policydb.te_avtab, &avkey);
882
883         /* If no permanent rule, also check for enabled conditional rules */
884         if(!avdatum) {
885                 node = avtab_search_node(&policydb.te_cond_avtab, &avkey);
886                 for (; node != NULL; node = avtab_search_node_next(node, specified)) {
887                         if (node->key.specified & AVTAB_ENABLED) {
888                                 avdatum = &node->datum;
889                                 break;
890                         }
891                 }
892         }
893
894         if (avdatum) {
895                 /* Use the type from the type transition/member/change rule. */
896                 newcontext.type = avdatum->data;
897         }
898
899         /* Check for class-specific changes. */
900         switch (tclass) {
901         case SECCLASS_PROCESS:
902                 if (specified & AVTAB_TRANSITION) {
903                         /* Look for a role transition rule. */
904                         for (roletr = policydb.role_tr; roletr;
905                              roletr = roletr->next) {
906                                 if (roletr->role == scontext->role &&
907                                     roletr->type == tcontext->type) {
908                                         /* Use the role transition rule. */
909                                         newcontext.role = roletr->new_role;
910                                         break;
911                                 }
912                         }
913                 }
914                 break;
915         default:
916                 break;
917         }
918
919         /* Set the MLS attributes.
920            This is done last because it may allocate memory. */
921         rc = mls_compute_sid(scontext, tcontext, tclass, specified, &newcontext);
922         if (rc)
923                 goto out_unlock;
924
925         /* Check the validity of the context. */
926         if (!policydb_context_isvalid(&policydb, &newcontext)) {
927                 rc = compute_sid_handle_invalid_context(scontext,
928                                                         tcontext,
929                                                         tclass,
930                                                         &newcontext);
931                 if (rc)
932                         goto out_unlock;
933         }
934         /* Obtain the sid for the context. */
935         rc = sidtab_context_to_sid(&sidtab, &newcontext, out_sid);
936 out_unlock:
937         POLICY_RDUNLOCK;
938         context_destroy(&newcontext);
939 out:
940         return rc;
941 }
942
943 /**
944  * security_transition_sid - Compute the SID for a new subject/object.
945  * @ssid: source security identifier
946  * @tsid: target security identifier
947  * @tclass: target security class
948  * @out_sid: security identifier for new subject/object
949  *
950  * Compute a SID to use for labeling a new subject or object in the
951  * class @tclass based on a SID pair (@ssid, @tsid).
952  * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
953  * if insufficient memory is available, or %0 if the new SID was
954  * computed successfully.
955  */
956 int security_transition_sid(u32 ssid,
957                             u32 tsid,
958                             u16 tclass,
959                             u32 *out_sid)
960 {
961         return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, out_sid);
962 }
963
964 /**
965  * security_member_sid - Compute the SID for member selection.
966  * @ssid: source security identifier
967  * @tsid: target security identifier
968  * @tclass: target security class
969  * @out_sid: security identifier for selected member
970  *
971  * Compute a SID to use when selecting a member of a polyinstantiated
972  * object of class @tclass based on a SID pair (@ssid, @tsid).
973  * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
974  * if insufficient memory is available, or %0 if the SID was
975  * computed successfully.
976  */
977 int security_member_sid(u32 ssid,
978                         u32 tsid,
979                         u16 tclass,
980                         u32 *out_sid)
981 {
982         return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid);
983 }
984
985 /**
986  * security_change_sid - Compute the SID for object relabeling.
987  * @ssid: source security identifier
988  * @tsid: target security identifier
989  * @tclass: target security class
990  * @out_sid: security identifier for selected member
991  *
992  * Compute a SID to use for relabeling an object of class @tclass
993  * based on a SID pair (@ssid, @tsid).
994  * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
995  * if insufficient memory is available, or %0 if the SID was
996  * computed successfully.
997  */
998 int security_change_sid(u32 ssid,
999                         u32 tsid,
1000                         u16 tclass,
1001                         u32 *out_sid)
1002 {
1003         return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid);
1004 }
1005
1006 /*
1007  * Verify that each permission that is defined under the
1008  * existing policy is still defined with the same value
1009  * in the new policy.
1010  */
1011 static int validate_perm(void *key, void *datum, void *p)
1012 {
1013         struct hashtab *h;
1014         struct perm_datum *perdatum, *perdatum2;
1015         int rc = 0;
1016
1017
1018         h = p;
1019         perdatum = datum;
1020
1021         perdatum2 = hashtab_search(h, key);
1022         if (!perdatum2) {
1023                 printk(KERN_ERR "security:  permission %s disappeared",
1024                        (char *)key);
1025                 rc = -ENOENT;
1026                 goto out;
1027         }
1028         if (perdatum->value != perdatum2->value) {
1029                 printk(KERN_ERR "security:  the value of permission %s changed",
1030                        (char *)key);
1031                 rc = -EINVAL;
1032         }
1033 out:
1034         return rc;
1035 }
1036
1037 /*
1038  * Verify that each class that is defined under the
1039  * existing policy is still defined with the same
1040  * attributes in the new policy.
1041  */
1042 static int validate_class(void *key, void *datum, void *p)
1043 {
1044         struct policydb *newp;
1045         struct class_datum *cladatum, *cladatum2;
1046         int rc;
1047
1048         newp = p;
1049         cladatum = datum;
1050
1051         cladatum2 = hashtab_search(newp->p_classes.table, key);
1052         if (!cladatum2) {
1053                 printk(KERN_ERR "security:  class %s disappeared\n",
1054                        (char *)key);
1055                 rc = -ENOENT;
1056                 goto out;
1057         }
1058         if (cladatum->value != cladatum2->value) {
1059                 printk(KERN_ERR "security:  the value of class %s changed\n",
1060                        (char *)key);
1061                 rc = -EINVAL;
1062                 goto out;
1063         }
1064         if ((cladatum->comdatum && !cladatum2->comdatum) ||
1065             (!cladatum->comdatum && cladatum2->comdatum)) {
1066                 printk(KERN_ERR "security:  the inherits clause for the access "
1067                        "vector definition for class %s changed\n", (char *)key);
1068                 rc = -EINVAL;
1069                 goto out;
1070         }
1071         if (cladatum->comdatum) {
1072                 rc = hashtab_map(cladatum->comdatum->permissions.table, validate_perm,
1073                                  cladatum2->comdatum->permissions.table);
1074                 if (rc) {
1075                         printk(" in the access vector definition for class "
1076                                "%s\n", (char *)key);
1077                         goto out;
1078                 }
1079         }
1080         rc = hashtab_map(cladatum->permissions.table, validate_perm,
1081                          cladatum2->permissions.table);
1082         if (rc)
1083                 printk(" in access vector definition for class %s\n",
1084                        (char *)key);
1085 out:
1086         return rc;
1087 }
1088
1089 /* Clone the SID into the new SID table. */
1090 static int clone_sid(u32 sid,
1091                      struct context *context,
1092                      void *arg)
1093 {
1094         struct sidtab *s = arg;
1095
1096         return sidtab_insert(s, sid, context);
1097 }
1098
1099 static inline int convert_context_handle_invalid_context(struct context *context)
1100 {
1101         int rc = 0;
1102
1103         if (selinux_enforcing) {
1104                 rc = -EINVAL;
1105         } else {
1106                 char *s;
1107                 u32 len;
1108
1109                 context_struct_to_string(context, &s, &len);
1110                 printk(KERN_ERR "security:  context %s is invalid\n", s);
1111                 kfree(s);
1112         }
1113         return rc;
1114 }
1115
1116 struct convert_context_args {
1117         struct policydb *oldp;
1118         struct policydb *newp;
1119 };
1120
1121 /*
1122  * Convert the values in the security context
1123  * structure `c' from the values specified
1124  * in the policy `p->oldp' to the values specified
1125  * in the policy `p->newp'.  Verify that the
1126  * context is valid under the new policy.
1127  */
1128 static int convert_context(u32 key,
1129                            struct context *c,
1130                            void *p)
1131 {
1132         struct convert_context_args *args;
1133         struct context oldc;
1134         struct role_datum *role;
1135         struct type_datum *typdatum;
1136         struct user_datum *usrdatum;
1137         char *s;
1138         u32 len;
1139         int rc;
1140
1141         args = p;
1142
1143         rc = context_cpy(&oldc, c);
1144         if (rc)
1145                 goto out;
1146
1147         rc = -EINVAL;
1148
1149         /* Convert the user. */
1150         usrdatum = hashtab_search(args->newp->p_users.table,
1151                                   args->oldp->p_user_val_to_name[c->user - 1]);
1152         if (!usrdatum) {
1153                 goto bad;
1154         }
1155         c->user = usrdatum->value;
1156
1157         /* Convert the role. */
1158         role = hashtab_search(args->newp->p_roles.table,
1159                               args->oldp->p_role_val_to_name[c->role - 1]);
1160         if (!role) {
1161                 goto bad;
1162         }
1163         c->role = role->value;
1164
1165         /* Convert the type. */
1166         typdatum = hashtab_search(args->newp->p_types.table,
1167                                   args->oldp->p_type_val_to_name[c->type - 1]);
1168         if (!typdatum) {
1169                 goto bad;
1170         }
1171         c->type = typdatum->value;
1172
1173         rc = mls_convert_context(args->oldp, args->newp, c);
1174         if (rc)
1175                 goto bad;
1176
1177         /* Check the validity of the new context. */
1178         if (!policydb_context_isvalid(args->newp, c)) {
1179                 rc = convert_context_handle_invalid_context(&oldc);
1180                 if (rc)
1181                         goto bad;
1182         }
1183
1184         context_destroy(&oldc);
1185 out:
1186         return rc;
1187 bad:
1188         context_struct_to_string(&oldc, &s, &len);
1189         context_destroy(&oldc);
1190         printk(KERN_ERR "security:  invalidating context %s\n", s);
1191         kfree(s);
1192         goto out;
1193 }
1194
1195 extern void selinux_complete_init(void);
1196
1197 /**
1198  * security_load_policy - Load a security policy configuration.
1199  * @data: binary policy data
1200  * @len: length of data in bytes
1201  *
1202  * Load a new set of security policy configuration data,
1203  * validate it and convert the SID table as necessary.
1204  * This function will flush the access vector cache after
1205  * loading the new policy.
1206  */
1207 int security_load_policy(void *data, size_t len)
1208 {
1209         struct policydb oldpolicydb, newpolicydb;
1210         struct sidtab oldsidtab, newsidtab;
1211         struct convert_context_args args;
1212         u32 seqno;
1213         int rc = 0;
1214         struct policy_file file = { data, len }, *fp = &file;
1215
1216         LOAD_LOCK;
1217
1218         if (!ss_initialized) {
1219                 avtab_cache_init();
1220                 if (policydb_read(&policydb, fp)) {
1221                         LOAD_UNLOCK;
1222                         avtab_cache_destroy();
1223                         return -EINVAL;
1224                 }
1225                 if (policydb_load_isids(&policydb, &sidtab)) {
1226                         LOAD_UNLOCK;
1227                         policydb_destroy(&policydb);
1228                         avtab_cache_destroy();
1229                         return -EINVAL;
1230                 }
1231                 policydb_loaded_version = policydb.policyvers;
1232                 ss_initialized = 1;
1233                 seqno = ++latest_granting;
1234                 LOAD_UNLOCK;
1235                 selinux_complete_init();
1236                 avc_ss_reset(seqno);
1237                 selnl_notify_policyload(seqno);
1238                 return 0;
1239         }
1240
1241 #if 0
1242         sidtab_hash_eval(&sidtab, "sids");
1243 #endif
1244
1245         if (policydb_read(&newpolicydb, fp)) {
1246                 LOAD_UNLOCK;
1247                 return -EINVAL;
1248         }
1249
1250         sidtab_init(&newsidtab);
1251
1252         /* Verify that the existing classes did not change. */
1253         if (hashtab_map(policydb.p_classes.table, validate_class, &newpolicydb)) {
1254                 printk(KERN_ERR "security:  the definition of an existing "
1255                        "class changed\n");
1256                 rc = -EINVAL;
1257                 goto err;
1258         }
1259
1260         /* Clone the SID table. */
1261         sidtab_shutdown(&sidtab);
1262         if (sidtab_map(&sidtab, clone_sid, &newsidtab)) {
1263                 rc = -ENOMEM;
1264                 goto err;
1265         }
1266
1267         /* Convert the internal representations of contexts
1268            in the new SID table and remove invalid SIDs. */
1269         args.oldp = &policydb;
1270         args.newp = &newpolicydb;
1271         sidtab_map_remove_on_error(&newsidtab, convert_context, &args);
1272
1273         /* Save the old policydb and SID table to free later. */
1274         memcpy(&oldpolicydb, &policydb, sizeof policydb);
1275         sidtab_set(&oldsidtab, &sidtab);
1276
1277         /* Install the new policydb and SID table. */
1278         POLICY_WRLOCK;
1279         memcpy(&policydb, &newpolicydb, sizeof policydb);
1280         sidtab_set(&sidtab, &newsidtab);
1281         seqno = ++latest_granting;
1282         policydb_loaded_version = policydb.policyvers;
1283         POLICY_WRUNLOCK;
1284         LOAD_UNLOCK;
1285
1286         /* Free the old policydb and SID table. */
1287         policydb_destroy(&oldpolicydb);
1288         sidtab_destroy(&oldsidtab);
1289
1290         avc_ss_reset(seqno);
1291         selnl_notify_policyload(seqno);
1292
1293         return 0;
1294
1295 err:
1296         LOAD_UNLOCK;
1297         sidtab_destroy(&newsidtab);
1298         policydb_destroy(&newpolicydb);
1299         return rc;
1300
1301 }
1302
1303 /**
1304  * security_port_sid - Obtain the SID for a port.
1305  * @domain: communication domain aka address family
1306  * @type: socket type
1307  * @protocol: protocol number
1308  * @port: port number
1309  * @out_sid: security identifier
1310  */
1311 int security_port_sid(u16 domain,
1312                       u16 type,
1313                       u8 protocol,
1314                       u16 port,
1315                       u32 *out_sid)
1316 {
1317         struct ocontext *c;
1318         int rc = 0;
1319
1320         POLICY_RDLOCK;
1321
1322         c = policydb.ocontexts[OCON_PORT];
1323         while (c) {
1324                 if (c->u.port.protocol == protocol &&
1325                     c->u.port.low_port <= port &&
1326                     c->u.port.high_port >= port)
1327                         break;
1328                 c = c->next;
1329         }
1330
1331         if (c) {
1332                 if (!c->sid[0]) {
1333                         rc = sidtab_context_to_sid(&sidtab,
1334                                                    &c->context[0],
1335                                                    &c->sid[0]);
1336                         if (rc)
1337                                 goto out;
1338                 }
1339                 *out_sid = c->sid[0];
1340         } else {
1341                 *out_sid = SECINITSID_PORT;
1342         }
1343
1344 out:
1345         POLICY_RDUNLOCK;
1346         return rc;
1347 }
1348
1349 /**
1350  * security_netif_sid - Obtain the SID for a network interface.
1351  * @name: interface name
1352  * @if_sid: interface SID
1353  * @msg_sid: default SID for received packets
1354  */
1355 int security_netif_sid(char *name,
1356                        u32 *if_sid,
1357                        u32 *msg_sid)
1358 {
1359         int rc = 0;
1360         struct ocontext *c;
1361
1362         POLICY_RDLOCK;
1363
1364         c = policydb.ocontexts[OCON_NETIF];
1365         while (c) {
1366                 if (strcmp(name, c->u.name) == 0)
1367                         break;
1368                 c = c->next;
1369         }
1370
1371         if (c) {
1372                 if (!c->sid[0] || !c->sid[1]) {
1373                         rc = sidtab_context_to_sid(&sidtab,
1374                                                   &c->context[0],
1375                                                   &c->sid[0]);
1376                         if (rc)
1377                                 goto out;
1378                         rc = sidtab_context_to_sid(&sidtab,
1379                                                    &c->context[1],
1380                                                    &c->sid[1]);
1381                         if (rc)
1382                                 goto out;
1383                 }
1384                 *if_sid = c->sid[0];
1385                 *msg_sid = c->sid[1];
1386         } else {
1387                 *if_sid = SECINITSID_NETIF;
1388                 *msg_sid = SECINITSID_NETMSG;
1389         }
1390
1391 out:
1392         POLICY_RDUNLOCK;
1393         return rc;
1394 }
1395
1396 static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask)
1397 {
1398         int i, fail = 0;
1399
1400         for(i = 0; i < 4; i++)
1401                 if(addr[i] != (input[i] & mask[i])) {
1402                         fail = 1;
1403                         break;
1404                 }
1405
1406         return !fail;
1407 }
1408
1409 /**
1410  * security_node_sid - Obtain the SID for a node (host).
1411  * @domain: communication domain aka address family
1412  * @addrp: address
1413  * @addrlen: address length in bytes
1414  * @out_sid: security identifier
1415  */
1416 int security_node_sid(u16 domain,
1417                       void *addrp,
1418                       u32 addrlen,
1419                       u32 *out_sid)
1420 {
1421         int rc = 0;
1422         struct ocontext *c;
1423
1424         POLICY_RDLOCK;
1425
1426         switch (domain) {
1427         case AF_INET: {
1428                 u32 addr;
1429
1430                 if (addrlen != sizeof(u32)) {
1431                         rc = -EINVAL;
1432                         goto out;
1433                 }
1434
1435                 addr = *((u32 *)addrp);
1436
1437                 c = policydb.ocontexts[OCON_NODE];
1438                 while (c) {
1439                         if (c->u.node.addr == (addr & c->u.node.mask))
1440                                 break;
1441                         c = c->next;
1442                 }
1443                 break;
1444         }
1445
1446         case AF_INET6:
1447                 if (addrlen != sizeof(u64) * 2) {
1448                         rc = -EINVAL;
1449                         goto out;
1450                 }
1451                 c = policydb.ocontexts[OCON_NODE6];
1452                 while (c) {
1453                         if (match_ipv6_addrmask(addrp, c->u.node6.addr,
1454                                                 c->u.node6.mask))
1455                                 break;
1456                         c = c->next;
1457                 }
1458                 break;
1459
1460         default:
1461                 *out_sid = SECINITSID_NODE;
1462                 goto out;
1463         }
1464
1465         if (c) {
1466                 if (!c->sid[0]) {
1467                         rc = sidtab_context_to_sid(&sidtab,
1468                                                    &c->context[0],
1469                                                    &c->sid[0]);
1470                         if (rc)
1471                                 goto out;
1472                 }
1473                 *out_sid = c->sid[0];
1474         } else {
1475                 *out_sid = SECINITSID_NODE;
1476         }
1477
1478 out:
1479         POLICY_RDUNLOCK;
1480         return rc;
1481 }
1482
1483 #define SIDS_NEL 25
1484
1485 /**
1486  * security_get_user_sids - Obtain reachable SIDs for a user.
1487  * @fromsid: starting SID
1488  * @username: username
1489  * @sids: array of reachable SIDs for user
1490  * @nel: number of elements in @sids
1491  *
1492  * Generate the set of SIDs for legal security contexts
1493  * for a given user that can be reached by @fromsid.
1494  * Set *@sids to point to a dynamically allocated
1495  * array containing the set of SIDs.  Set *@nel to the
1496  * number of elements in the array.
1497  */
1498
1499 int security_get_user_sids(u32 fromsid,
1500                            char *username,
1501                            u32 **sids,
1502                            u32 *nel)
1503 {
1504         struct context *fromcon, usercon;
1505         u32 *mysids, *mysids2, sid;
1506         u32 mynel = 0, maxnel = SIDS_NEL;
1507         struct user_datum *user;
1508         struct role_datum *role;
1509         struct av_decision avd;
1510         struct ebitmap_node *rnode, *tnode;
1511         int rc = 0, i, j;
1512
1513         if (!ss_initialized) {
1514                 *sids = NULL;
1515                 *nel = 0;
1516                 goto out;
1517         }
1518
1519         POLICY_RDLOCK;
1520
1521         fromcon = sidtab_search(&sidtab, fromsid);
1522         if (!fromcon) {
1523                 rc = -EINVAL;
1524                 goto out_unlock;
1525         }
1526
1527         user = hashtab_search(policydb.p_users.table, username);
1528         if (!user) {
1529                 rc = -EINVAL;
1530                 goto out_unlock;
1531         }
1532         usercon.user = user->value;
1533
1534         mysids = kcalloc(maxnel, sizeof(*mysids), GFP_ATOMIC);
1535         if (!mysids) {
1536                 rc = -ENOMEM;
1537                 goto out_unlock;
1538         }
1539
1540         ebitmap_for_each_bit(&user->roles, rnode, i) {
1541                 if (!ebitmap_node_get_bit(rnode, i))
1542                         continue;
1543                 role = policydb.role_val_to_struct[i];
1544                 usercon.role = i+1;
1545                 ebitmap_for_each_bit(&role->types, tnode, j) {
1546                         if (!ebitmap_node_get_bit(tnode, j))
1547                                 continue;
1548                         usercon.type = j+1;
1549
1550                         if (mls_setup_user_range(fromcon, user, &usercon))
1551                                 continue;
1552
1553                         rc = context_struct_compute_av(fromcon, &usercon,
1554                                                        SECCLASS_PROCESS,
1555                                                        PROCESS__TRANSITION,
1556                                                        &avd);
1557                         if (rc ||  !(avd.allowed & PROCESS__TRANSITION))
1558                                 continue;
1559                         rc = sidtab_context_to_sid(&sidtab, &usercon, &sid);
1560                         if (rc) {
1561                                 kfree(mysids);
1562                                 goto out_unlock;
1563                         }
1564                         if (mynel < maxnel) {
1565                                 mysids[mynel++] = sid;
1566                         } else {
1567                                 maxnel += SIDS_NEL;
1568                                 mysids2 = kcalloc(maxnel, sizeof(*mysids2), GFP_ATOMIC);
1569                                 if (!mysids2) {
1570                                         rc = -ENOMEM;
1571                                         kfree(mysids);
1572                                         goto out_unlock;
1573                                 }
1574                                 memcpy(mysids2, mysids, mynel * sizeof(*mysids2));
1575                                 kfree(mysids);
1576                                 mysids = mysids2;
1577                                 mysids[mynel++] = sid;
1578                         }
1579                 }
1580         }
1581
1582         *sids = mysids;
1583         *nel = mynel;
1584
1585 out_unlock:
1586         POLICY_RDUNLOCK;
1587 out:
1588         return rc;
1589 }
1590
1591 /**
1592  * security_genfs_sid - Obtain a SID for a file in a filesystem
1593  * @fstype: filesystem type
1594  * @path: path from root of mount
1595  * @sclass: file security class
1596  * @sid: SID for path
1597  *
1598  * Obtain a SID to use for a file in a filesystem that
1599  * cannot support xattr or use a fixed labeling behavior like
1600  * transition SIDs or task SIDs.
1601  */
1602 int security_genfs_sid(const char *fstype,
1603                        char *path,
1604                        u16 sclass,
1605                        u32 *sid)
1606 {
1607         int len;
1608         struct genfs *genfs;
1609         struct ocontext *c;
1610         int rc = 0, cmp = 0;
1611
1612         POLICY_RDLOCK;
1613
1614         for (genfs = policydb.genfs; genfs; genfs = genfs->next) {
1615                 cmp = strcmp(fstype, genfs->fstype);
1616                 if (cmp <= 0)
1617                         break;
1618         }
1619
1620         if (!genfs || cmp) {
1621                 *sid = SECINITSID_UNLABELED;
1622                 rc = -ENOENT;
1623                 goto out;
1624         }
1625
1626         for (c = genfs->head; c; c = c->next) {
1627                 len = strlen(c->u.name);
1628                 if ((!c->v.sclass || sclass == c->v.sclass) &&
1629                     (strncmp(c->u.name, path, len) == 0))
1630                         break;
1631         }
1632
1633         if (!c) {
1634                 *sid = SECINITSID_UNLABELED;
1635                 rc = -ENOENT;
1636                 goto out;
1637         }
1638
1639         if (!c->sid[0]) {
1640                 rc = sidtab_context_to_sid(&sidtab,
1641                                            &c->context[0],
1642                                            &c->sid[0]);
1643                 if (rc)
1644                         goto out;
1645         }
1646
1647         *sid = c->sid[0];
1648 out:
1649         POLICY_RDUNLOCK;
1650         return rc;
1651 }
1652
1653 /**
1654  * security_fs_use - Determine how to handle labeling for a filesystem.
1655  * @fstype: filesystem type
1656  * @behavior: labeling behavior
1657  * @sid: SID for filesystem (superblock)
1658  */
1659 int security_fs_use(
1660         const char *fstype,
1661         unsigned int *behavior,
1662         u32 *sid)
1663 {
1664         int rc = 0;
1665         struct ocontext *c;
1666
1667         POLICY_RDLOCK;
1668
1669         c = policydb.ocontexts[OCON_FSUSE];
1670         while (c) {
1671                 if (strcmp(fstype, c->u.name) == 0)
1672                         break;
1673                 c = c->next;
1674         }
1675
1676         if (c) {
1677                 *behavior = c->v.behavior;
1678                 if (!c->sid[0]) {
1679                         rc = sidtab_context_to_sid(&sidtab,
1680                                                    &c->context[0],
1681                                                    &c->sid[0]);
1682                         if (rc)
1683                                 goto out;
1684                 }
1685                 *sid = c->sid[0];
1686         } else {
1687                 rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, sid);
1688                 if (rc) {
1689                         *behavior = SECURITY_FS_USE_NONE;
1690                         rc = 0;
1691                 } else {
1692                         *behavior = SECURITY_FS_USE_GENFS;
1693                 }
1694         }
1695
1696 out:
1697         POLICY_RDUNLOCK;
1698         return rc;
1699 }
1700
1701 int security_get_bools(int *len, char ***names, int **values)
1702 {
1703         int i, rc = -ENOMEM;
1704
1705         POLICY_RDLOCK;
1706         *names = NULL;
1707         *values = NULL;
1708
1709         *len = policydb.p_bools.nprim;
1710         if (!*len) {
1711                 rc = 0;
1712                 goto out;
1713         }
1714
1715         *names = (char**)kcalloc(*len, sizeof(char*), GFP_ATOMIC);
1716         if (!*names)
1717                 goto err;
1718
1719         *values = (int*)kcalloc(*len, sizeof(int), GFP_ATOMIC);
1720         if (!*values)
1721                 goto err;
1722
1723         for (i = 0; i < *len; i++) {
1724                 size_t name_len;
1725                 (*values)[i] = policydb.bool_val_to_struct[i]->state;
1726                 name_len = strlen(policydb.p_bool_val_to_name[i]) + 1;
1727                 (*names)[i] = (char*)kmalloc(sizeof(char) * name_len, GFP_ATOMIC);
1728                 if (!(*names)[i])
1729                         goto err;
1730                 strncpy((*names)[i], policydb.p_bool_val_to_name[i], name_len);
1731                 (*names)[i][name_len - 1] = 0;
1732         }
1733         rc = 0;
1734 out:
1735         POLICY_RDUNLOCK;
1736         return rc;
1737 err:
1738         if (*names) {
1739                 for (i = 0; i < *len; i++)
1740                         kfree((*names)[i]);
1741         }
1742         kfree(*values);
1743         goto out;
1744 }
1745
1746
1747 int security_set_bools(int len, int *values)
1748 {
1749         int i, rc = 0;
1750         int lenp, seqno = 0;
1751         struct cond_node *cur;
1752
1753         POLICY_WRLOCK;
1754
1755         lenp = policydb.p_bools.nprim;
1756         if (len != lenp) {
1757                 rc = -EFAULT;
1758                 goto out;
1759         }
1760
1761         printk(KERN_INFO "security: committed booleans { ");
1762         for (i = 0; i < len; i++) {
1763                 if (values[i]) {
1764                         policydb.bool_val_to_struct[i]->state = 1;
1765                 } else {
1766                         policydb.bool_val_to_struct[i]->state = 0;
1767                 }
1768                 if (i != 0)
1769                         printk(", ");
1770                 printk("%s:%d", policydb.p_bool_val_to_name[i],
1771                        policydb.bool_val_to_struct[i]->state);
1772         }
1773         printk(" }\n");
1774
1775         for (cur = policydb.cond_list; cur != NULL; cur = cur->next) {
1776                 rc = evaluate_cond_node(&policydb, cur);
1777                 if (rc)
1778                         goto out;
1779         }
1780
1781         seqno = ++latest_granting;
1782
1783 out:
1784         POLICY_WRUNLOCK;
1785         if (!rc) {
1786                 avc_ss_reset(seqno);
1787                 selnl_notify_policyload(seqno);
1788         }
1789         return rc;
1790 }
1791
1792 int security_get_bool_value(int bool)
1793 {
1794         int rc = 0;
1795         int len;
1796
1797         POLICY_RDLOCK;
1798
1799         len = policydb.p_bools.nprim;
1800         if (bool >= len) {
1801                 rc = -EFAULT;
1802                 goto out;
1803         }
1804
1805         rc = policydb.bool_val_to_struct[bool]->state;
1806 out:
1807         POLICY_RDUNLOCK;
1808         return rc;
1809 }