61492485de84503f4ba87fff57326a3efde187a9
[linux-2.6.git] / security / selinux / ss / services.c
1 /*
2  * Implementation of the security services.
3  *
4  * Authors : Stephen Smalley, <sds@epoch.ncsc.mil>
5  *           James Morris <jmorris@redhat.com>
6  *
7  * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
8  *
9  *      Support for enhanced MLS infrastructure.
10  *
11  * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
12  *
13  *      Added conditional policy language extensions
14  *
15  * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
16  * Copyright (C) 2003 - 2004 Tresys Technology, LLC
17  * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
18  *      This program is free software; you can redistribute it and/or modify
19  *      it under the terms of the GNU General Public License as published by
20  *      the Free Software Foundation, version 2.
21  */
22 #include <linux/kernel.h>
23 #include <linux/slab.h>
24 #include <linux/string.h>
25 #include <linux/spinlock.h>
26 #include <linux/errno.h>
27 #include <linux/in.h>
28 #include <linux/sched.h>
29 #include <linux/audit.h>
30 #include <linux/mutex.h>
31
32 #include "flask.h"
33 #include "avc.h"
34 #include "avc_ss.h"
35 #include "security.h"
36 #include "context.h"
37 #include "policydb.h"
38 #include "sidtab.h"
39 #include "services.h"
40 #include "conditional.h"
41 #include "mls.h"
42
43 extern void selnl_notify_policyload(u32 seqno);
44 unsigned int policydb_loaded_version;
45
46 static DEFINE_RWLOCK(policy_rwlock);
47 #define POLICY_RDLOCK read_lock(&policy_rwlock)
48 #define POLICY_WRLOCK write_lock_irq(&policy_rwlock)
49 #define POLICY_RDUNLOCK read_unlock(&policy_rwlock)
50 #define POLICY_WRUNLOCK write_unlock_irq(&policy_rwlock)
51
52 static DEFINE_MUTEX(load_mutex);
53 #define LOAD_LOCK mutex_lock(&load_mutex)
54 #define LOAD_UNLOCK mutex_unlock(&load_mutex)
55
56 static struct sidtab sidtab;
57 struct policydb policydb;
58 int ss_initialized = 0;
59
60 /*
61  * The largest sequence number that has been used when
62  * providing an access decision to the access vector cache.
63  * The sequence number only changes when a policy change
64  * occurs.
65  */
66 static u32 latest_granting = 0;
67
68 /* Forward declaration. */
69 static int context_struct_to_string(struct context *context, char **scontext,
70                                     u32 *scontext_len);
71
72 /*
73  * Return the boolean value of a constraint expression
74  * when it is applied to the specified source and target
75  * security contexts.
76  *
77  * xcontext is a special beast...  It is used by the validatetrans rules
78  * only.  For these rules, scontext is the context before the transition,
79  * tcontext is the context after the transition, and xcontext is the context
80  * of the process performing the transition.  All other callers of
81  * constraint_expr_eval should pass in NULL for xcontext.
82  */
83 static int constraint_expr_eval(struct context *scontext,
84                                 struct context *tcontext,
85                                 struct context *xcontext,
86                                 struct constraint_expr *cexpr)
87 {
88         u32 val1, val2;
89         struct context *c;
90         struct role_datum *r1, *r2;
91         struct mls_level *l1, *l2;
92         struct constraint_expr *e;
93         int s[CEXPR_MAXDEPTH];
94         int sp = -1;
95
96         for (e = cexpr; e; e = e->next) {
97                 switch (e->expr_type) {
98                 case CEXPR_NOT:
99                         BUG_ON(sp < 0);
100                         s[sp] = !s[sp];
101                         break;
102                 case CEXPR_AND:
103                         BUG_ON(sp < 1);
104                         sp--;
105                         s[sp] &= s[sp+1];
106                         break;
107                 case CEXPR_OR:
108                         BUG_ON(sp < 1);
109                         sp--;
110                         s[sp] |= s[sp+1];
111                         break;
112                 case CEXPR_ATTR:
113                         if (sp == (CEXPR_MAXDEPTH-1))
114                                 return 0;
115                         switch (e->attr) {
116                         case CEXPR_USER:
117                                 val1 = scontext->user;
118                                 val2 = tcontext->user;
119                                 break;
120                         case CEXPR_TYPE:
121                                 val1 = scontext->type;
122                                 val2 = tcontext->type;
123                                 break;
124                         case CEXPR_ROLE:
125                                 val1 = scontext->role;
126                                 val2 = tcontext->role;
127                                 r1 = policydb.role_val_to_struct[val1 - 1];
128                                 r2 = policydb.role_val_to_struct[val2 - 1];
129                                 switch (e->op) {
130                                 case CEXPR_DOM:
131                                         s[++sp] = ebitmap_get_bit(&r1->dominates,
132                                                                   val2 - 1);
133                                         continue;
134                                 case CEXPR_DOMBY:
135                                         s[++sp] = ebitmap_get_bit(&r2->dominates,
136                                                                   val1 - 1);
137                                         continue;
138                                 case CEXPR_INCOMP:
139                                         s[++sp] = ( !ebitmap_get_bit(&r1->dominates,
140                                                                      val2 - 1) &&
141                                                     !ebitmap_get_bit(&r2->dominates,
142                                                                      val1 - 1) );
143                                         continue;
144                                 default:
145                                         break;
146                                 }
147                                 break;
148                         case CEXPR_L1L2:
149                                 l1 = &(scontext->range.level[0]);
150                                 l2 = &(tcontext->range.level[0]);
151                                 goto mls_ops;
152                         case CEXPR_L1H2:
153                                 l1 = &(scontext->range.level[0]);
154                                 l2 = &(tcontext->range.level[1]);
155                                 goto mls_ops;
156                         case CEXPR_H1L2:
157                                 l1 = &(scontext->range.level[1]);
158                                 l2 = &(tcontext->range.level[0]);
159                                 goto mls_ops;
160                         case CEXPR_H1H2:
161                                 l1 = &(scontext->range.level[1]);
162                                 l2 = &(tcontext->range.level[1]);
163                                 goto mls_ops;
164                         case CEXPR_L1H1:
165                                 l1 = &(scontext->range.level[0]);
166                                 l2 = &(scontext->range.level[1]);
167                                 goto mls_ops;
168                         case CEXPR_L2H2:
169                                 l1 = &(tcontext->range.level[0]);
170                                 l2 = &(tcontext->range.level[1]);
171                                 goto mls_ops;
172 mls_ops:
173                         switch (e->op) {
174                         case CEXPR_EQ:
175                                 s[++sp] = mls_level_eq(l1, l2);
176                                 continue;
177                         case CEXPR_NEQ:
178                                 s[++sp] = !mls_level_eq(l1, l2);
179                                 continue;
180                         case CEXPR_DOM:
181                                 s[++sp] = mls_level_dom(l1, l2);
182                                 continue;
183                         case CEXPR_DOMBY:
184                                 s[++sp] = mls_level_dom(l2, l1);
185                                 continue;
186                         case CEXPR_INCOMP:
187                                 s[++sp] = mls_level_incomp(l2, l1);
188                                 continue;
189                         default:
190                                 BUG();
191                                 return 0;
192                         }
193                         break;
194                         default:
195                                 BUG();
196                                 return 0;
197                         }
198
199                         switch (e->op) {
200                         case CEXPR_EQ:
201                                 s[++sp] = (val1 == val2);
202                                 break;
203                         case CEXPR_NEQ:
204                                 s[++sp] = (val1 != val2);
205                                 break;
206                         default:
207                                 BUG();
208                                 return 0;
209                         }
210                         break;
211                 case CEXPR_NAMES:
212                         if (sp == (CEXPR_MAXDEPTH-1))
213                                 return 0;
214                         c = scontext;
215                         if (e->attr & CEXPR_TARGET)
216                                 c = tcontext;
217                         else if (e->attr & CEXPR_XTARGET) {
218                                 c = xcontext;
219                                 if (!c) {
220                                         BUG();
221                                         return 0;
222                                 }
223                         }
224                         if (e->attr & CEXPR_USER)
225                                 val1 = c->user;
226                         else if (e->attr & CEXPR_ROLE)
227                                 val1 = c->role;
228                         else if (e->attr & CEXPR_TYPE)
229                                 val1 = c->type;
230                         else {
231                                 BUG();
232                                 return 0;
233                         }
234
235                         switch (e->op) {
236                         case CEXPR_EQ:
237                                 s[++sp] = ebitmap_get_bit(&e->names, val1 - 1);
238                                 break;
239                         case CEXPR_NEQ:
240                                 s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1);
241                                 break;
242                         default:
243                                 BUG();
244                                 return 0;
245                         }
246                         break;
247                 default:
248                         BUG();
249                         return 0;
250                 }
251         }
252
253         BUG_ON(sp != 0);
254         return s[0];
255 }
256
257 /*
258  * Compute access vectors based on a context structure pair for
259  * the permissions in a particular class.
260  */
261 static int context_struct_compute_av(struct context *scontext,
262                                      struct context *tcontext,
263                                      u16 tclass,
264                                      u32 requested,
265                                      struct av_decision *avd)
266 {
267         struct constraint_node *constraint;
268         struct role_allow *ra;
269         struct avtab_key avkey;
270         struct avtab_node *node;
271         struct class_datum *tclass_datum;
272         struct ebitmap *sattr, *tattr;
273         struct ebitmap_node *snode, *tnode;
274         unsigned int i, j;
275
276         /*
277          * Remap extended Netlink classes for old policy versions.
278          * Do this here rather than socket_type_to_security_class()
279          * in case a newer policy version is loaded, allowing sockets
280          * to remain in the correct class.
281          */
282         if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
283                 if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&
284                     tclass <= SECCLASS_NETLINK_DNRT_SOCKET)
285                         tclass = SECCLASS_NETLINK_SOCKET;
286
287         if (!tclass || tclass > policydb.p_classes.nprim) {
288                 printk(KERN_ERR "security_compute_av:  unrecognized class %d\n",
289                        tclass);
290                 return -EINVAL;
291         }
292         tclass_datum = policydb.class_val_to_struct[tclass - 1];
293
294         /*
295          * Initialize the access vectors to the default values.
296          */
297         avd->allowed = 0;
298         avd->decided = 0xffffffff;
299         avd->auditallow = 0;
300         avd->auditdeny = 0xffffffff;
301         avd->seqno = latest_granting;
302
303         /*
304          * If a specific type enforcement rule was defined for
305          * this permission check, then use it.
306          */
307         avkey.target_class = tclass;
308         avkey.specified = AVTAB_AV;
309         sattr = &policydb.type_attr_map[scontext->type - 1];
310         tattr = &policydb.type_attr_map[tcontext->type - 1];
311         ebitmap_for_each_bit(sattr, snode, i) {
312                 if (!ebitmap_node_get_bit(snode, i))
313                         continue;
314                 ebitmap_for_each_bit(tattr, tnode, j) {
315                         if (!ebitmap_node_get_bit(tnode, j))
316                                 continue;
317                         avkey.source_type = i + 1;
318                         avkey.target_type = j + 1;
319                         for (node = avtab_search_node(&policydb.te_avtab, &avkey);
320                              node != NULL;
321                              node = avtab_search_node_next(node, avkey.specified)) {
322                                 if (node->key.specified == AVTAB_ALLOWED)
323                                         avd->allowed |= node->datum.data;
324                                 else if (node->key.specified == AVTAB_AUDITALLOW)
325                                         avd->auditallow |= node->datum.data;
326                                 else if (node->key.specified == AVTAB_AUDITDENY)
327                                         avd->auditdeny &= node->datum.data;
328                         }
329
330                         /* Check conditional av table for additional permissions */
331                         cond_compute_av(&policydb.te_cond_avtab, &avkey, avd);
332
333                 }
334         }
335
336         /*
337          * Remove any permissions prohibited by a constraint (this includes
338          * the MLS policy).
339          */
340         constraint = tclass_datum->constraints;
341         while (constraint) {
342                 if ((constraint->permissions & (avd->allowed)) &&
343                     !constraint_expr_eval(scontext, tcontext, NULL,
344                                           constraint->expr)) {
345                         avd->allowed = (avd->allowed) & ~(constraint->permissions);
346                 }
347                 constraint = constraint->next;
348         }
349
350         /*
351          * If checking process transition permission and the
352          * role is changing, then check the (current_role, new_role)
353          * pair.
354          */
355         if (tclass == SECCLASS_PROCESS &&
356             (avd->allowed & (PROCESS__TRANSITION | PROCESS__DYNTRANSITION)) &&
357             scontext->role != tcontext->role) {
358                 for (ra = policydb.role_allow; ra; ra = ra->next) {
359                         if (scontext->role == ra->role &&
360                             tcontext->role == ra->new_role)
361                                 break;
362                 }
363                 if (!ra)
364                         avd->allowed = (avd->allowed) & ~(PROCESS__TRANSITION |
365                                                         PROCESS__DYNTRANSITION);
366         }
367
368         return 0;
369 }
370
371 static int security_validtrans_handle_fail(struct context *ocontext,
372                                            struct context *ncontext,
373                                            struct context *tcontext,
374                                            u16 tclass)
375 {
376         char *o = NULL, *n = NULL, *t = NULL;
377         u32 olen, nlen, tlen;
378
379         if (context_struct_to_string(ocontext, &o, &olen) < 0)
380                 goto out;
381         if (context_struct_to_string(ncontext, &n, &nlen) < 0)
382                 goto out;
383         if (context_struct_to_string(tcontext, &t, &tlen) < 0)
384                 goto out;
385         audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
386                   "security_validate_transition:  denied for"
387                   " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
388                   o, n, t, policydb.p_class_val_to_name[tclass-1]);
389 out:
390         kfree(o);
391         kfree(n);
392         kfree(t);
393
394         if (!selinux_enforcing)
395                 return 0;
396         return -EPERM;
397 }
398
399 int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
400                                  u16 tclass)
401 {
402         struct context *ocontext;
403         struct context *ncontext;
404         struct context *tcontext;
405         struct class_datum *tclass_datum;
406         struct constraint_node *constraint;
407         int rc = 0;
408
409         if (!ss_initialized)
410                 return 0;
411
412         POLICY_RDLOCK;
413
414         /*
415          * Remap extended Netlink classes for old policy versions.
416          * Do this here rather than socket_type_to_security_class()
417          * in case a newer policy version is loaded, allowing sockets
418          * to remain in the correct class.
419          */
420         if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
421                 if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&
422                     tclass <= SECCLASS_NETLINK_DNRT_SOCKET)
423                         tclass = SECCLASS_NETLINK_SOCKET;
424
425         if (!tclass || tclass > policydb.p_classes.nprim) {
426                 printk(KERN_ERR "security_validate_transition:  "
427                        "unrecognized class %d\n", tclass);
428                 rc = -EINVAL;
429                 goto out;
430         }
431         tclass_datum = policydb.class_val_to_struct[tclass - 1];
432
433         ocontext = sidtab_search(&sidtab, oldsid);
434         if (!ocontext) {
435                 printk(KERN_ERR "security_validate_transition: "
436                        " unrecognized SID %d\n", oldsid);
437                 rc = -EINVAL;
438                 goto out;
439         }
440
441         ncontext = sidtab_search(&sidtab, newsid);
442         if (!ncontext) {
443                 printk(KERN_ERR "security_validate_transition: "
444                        " unrecognized SID %d\n", newsid);
445                 rc = -EINVAL;
446                 goto out;
447         }
448
449         tcontext = sidtab_search(&sidtab, tasksid);
450         if (!tcontext) {
451                 printk(KERN_ERR "security_validate_transition: "
452                        " unrecognized SID %d\n", tasksid);
453                 rc = -EINVAL;
454                 goto out;
455         }
456
457         constraint = tclass_datum->validatetrans;
458         while (constraint) {
459                 if (!constraint_expr_eval(ocontext, ncontext, tcontext,
460                                           constraint->expr)) {
461                         rc = security_validtrans_handle_fail(ocontext, ncontext,
462                                                              tcontext, tclass);
463                         goto out;
464                 }
465                 constraint = constraint->next;
466         }
467
468 out:
469         POLICY_RDUNLOCK;
470         return rc;
471 }
472
473 /**
474  * security_compute_av - Compute access vector decisions.
475  * @ssid: source security identifier
476  * @tsid: target security identifier
477  * @tclass: target security class
478  * @requested: requested permissions
479  * @avd: access vector decisions
480  *
481  * Compute a set of access vector decisions based on the
482  * SID pair (@ssid, @tsid) for the permissions in @tclass.
483  * Return -%EINVAL if any of the parameters are invalid or %0
484  * if the access vector decisions were computed successfully.
485  */
486 int security_compute_av(u32 ssid,
487                         u32 tsid,
488                         u16 tclass,
489                         u32 requested,
490                         struct av_decision *avd)
491 {
492         struct context *scontext = NULL, *tcontext = NULL;
493         int rc = 0;
494
495         if (!ss_initialized) {
496                 avd->allowed = 0xffffffff;
497                 avd->decided = 0xffffffff;
498                 avd->auditallow = 0;
499                 avd->auditdeny = 0xffffffff;
500                 avd->seqno = latest_granting;
501                 return 0;
502         }
503
504         POLICY_RDLOCK;
505
506         scontext = sidtab_search(&sidtab, ssid);
507         if (!scontext) {
508                 printk(KERN_ERR "security_compute_av:  unrecognized SID %d\n",
509                        ssid);
510                 rc = -EINVAL;
511                 goto out;
512         }
513         tcontext = sidtab_search(&sidtab, tsid);
514         if (!tcontext) {
515                 printk(KERN_ERR "security_compute_av:  unrecognized SID %d\n",
516                        tsid);
517                 rc = -EINVAL;
518                 goto out;
519         }
520
521         rc = context_struct_compute_av(scontext, tcontext, tclass,
522                                        requested, avd);
523 out:
524         POLICY_RDUNLOCK;
525         return rc;
526 }
527
528 /*
529  * Write the security context string representation of
530  * the context structure `context' into a dynamically
531  * allocated string of the correct size.  Set `*scontext'
532  * to point to this string and set `*scontext_len' to
533  * the length of the string.
534  */
535 static int context_struct_to_string(struct context *context, char **scontext, u32 *scontext_len)
536 {
537         char *scontextp;
538
539         *scontext = NULL;
540         *scontext_len = 0;
541
542         /* Compute the size of the context. */
543         *scontext_len += strlen(policydb.p_user_val_to_name[context->user - 1]) + 1;
544         *scontext_len += strlen(policydb.p_role_val_to_name[context->role - 1]) + 1;
545         *scontext_len += strlen(policydb.p_type_val_to_name[context->type - 1]) + 1;
546         *scontext_len += mls_compute_context_len(context);
547
548         /* Allocate space for the context; caller must free this space. */
549         scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
550         if (!scontextp) {
551                 return -ENOMEM;
552         }
553         *scontext = scontextp;
554
555         /*
556          * Copy the user name, role name and type name into the context.
557          */
558         sprintf(scontextp, "%s:%s:%s",
559                 policydb.p_user_val_to_name[context->user - 1],
560                 policydb.p_role_val_to_name[context->role - 1],
561                 policydb.p_type_val_to_name[context->type - 1]);
562         scontextp += strlen(policydb.p_user_val_to_name[context->user - 1]) +
563                      1 + strlen(policydb.p_role_val_to_name[context->role - 1]) +
564                      1 + strlen(policydb.p_type_val_to_name[context->type - 1]);
565
566         mls_sid_to_context(context, &scontextp);
567
568         *scontextp = 0;
569
570         return 0;
571 }
572
573 #include "initial_sid_to_string.h"
574
575 /**
576  * security_sid_to_context - Obtain a context for a given SID.
577  * @sid: security identifier, SID
578  * @scontext: security context
579  * @scontext_len: length in bytes
580  *
581  * Write the string representation of the context associated with @sid
582  * into a dynamically allocated string of the correct size.  Set @scontext
583  * to point to this string and set @scontext_len to the length of the string.
584  */
585 int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
586 {
587         struct context *context;
588         int rc = 0;
589
590         if (!ss_initialized) {
591                 if (sid <= SECINITSID_NUM) {
592                         char *scontextp;
593
594                         *scontext_len = strlen(initial_sid_to_string[sid]) + 1;
595                         scontextp = kmalloc(*scontext_len,GFP_ATOMIC);
596                         strcpy(scontextp, initial_sid_to_string[sid]);
597                         *scontext = scontextp;
598                         goto out;
599                 }
600                 printk(KERN_ERR "security_sid_to_context:  called before initial "
601                        "load_policy on unknown SID %d\n", sid);
602                 rc = -EINVAL;
603                 goto out;
604         }
605         POLICY_RDLOCK;
606         context = sidtab_search(&sidtab, sid);
607         if (!context) {
608                 printk(KERN_ERR "security_sid_to_context:  unrecognized SID "
609                        "%d\n", sid);
610                 rc = -EINVAL;
611                 goto out_unlock;
612         }
613         rc = context_struct_to_string(context, scontext, scontext_len);
614 out_unlock:
615         POLICY_RDUNLOCK;
616 out:
617         return rc;
618
619 }
620
621 static int security_context_to_sid_core(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid)
622 {
623         char *scontext2;
624         struct context context;
625         struct role_datum *role;
626         struct type_datum *typdatum;
627         struct user_datum *usrdatum;
628         char *scontextp, *p, oldc;
629         int rc = 0;
630
631         if (!ss_initialized) {
632                 int i;
633
634                 for (i = 1; i < SECINITSID_NUM; i++) {
635                         if (!strcmp(initial_sid_to_string[i], scontext)) {
636                                 *sid = i;
637                                 goto out;
638                         }
639                 }
640                 *sid = SECINITSID_KERNEL;
641                 goto out;
642         }
643         *sid = SECSID_NULL;
644
645         /* Copy the string so that we can modify the copy as we parse it.
646            The string should already by null terminated, but we append a
647            null suffix to the copy to avoid problems with the existing
648            attr package, which doesn't view the null terminator as part
649            of the attribute value. */
650         scontext2 = kmalloc(scontext_len+1,GFP_KERNEL);
651         if (!scontext2) {
652                 rc = -ENOMEM;
653                 goto out;
654         }
655         memcpy(scontext2, scontext, scontext_len);
656         scontext2[scontext_len] = 0;
657
658         context_init(&context);
659         *sid = SECSID_NULL;
660
661         POLICY_RDLOCK;
662
663         /* Parse the security context. */
664
665         rc = -EINVAL;
666         scontextp = (char *) scontext2;
667
668         /* Extract the user. */
669         p = scontextp;
670         while (*p && *p != ':')
671                 p++;
672
673         if (*p == 0)
674                 goto out_unlock;
675
676         *p++ = 0;
677
678         usrdatum = hashtab_search(policydb.p_users.table, scontextp);
679         if (!usrdatum)
680                 goto out_unlock;
681
682         context.user = usrdatum->value;
683
684         /* Extract role. */
685         scontextp = p;
686         while (*p && *p != ':')
687                 p++;
688
689         if (*p == 0)
690                 goto out_unlock;
691
692         *p++ = 0;
693
694         role = hashtab_search(policydb.p_roles.table, scontextp);
695         if (!role)
696                 goto out_unlock;
697         context.role = role->value;
698
699         /* Extract type. */
700         scontextp = p;
701         while (*p && *p != ':')
702                 p++;
703         oldc = *p;
704         *p++ = 0;
705
706         typdatum = hashtab_search(policydb.p_types.table, scontextp);
707         if (!typdatum)
708                 goto out_unlock;
709
710         context.type = typdatum->value;
711
712         rc = mls_context_to_sid(oldc, &p, &context, &sidtab, def_sid);
713         if (rc)
714                 goto out_unlock;
715
716         if ((p - scontext2) < scontext_len) {
717                 rc = -EINVAL;
718                 goto out_unlock;
719         }
720
721         /* Check the validity of the new context. */
722         if (!policydb_context_isvalid(&policydb, &context)) {
723                 rc = -EINVAL;
724                 goto out_unlock;
725         }
726         /* Obtain the new sid. */
727         rc = sidtab_context_to_sid(&sidtab, &context, sid);
728 out_unlock:
729         POLICY_RDUNLOCK;
730         context_destroy(&context);
731         kfree(scontext2);
732 out:
733         return rc;
734 }
735
736 /**
737  * security_context_to_sid - Obtain a SID for a given security context.
738  * @scontext: security context
739  * @scontext_len: length in bytes
740  * @sid: security identifier, SID
741  *
742  * Obtains a SID associated with the security context that
743  * has the string representation specified by @scontext.
744  * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
745  * memory is available, or 0 on success.
746  */
747 int security_context_to_sid(char *scontext, u32 scontext_len, u32 *sid)
748 {
749         return security_context_to_sid_core(scontext, scontext_len,
750                                             sid, SECSID_NULL);
751 }
752
753 /**
754  * security_context_to_sid_default - Obtain a SID for a given security context,
755  * falling back to specified default if needed.
756  *
757  * @scontext: security context
758  * @scontext_len: length in bytes
759  * @sid: security identifier, SID
760  * @def_sid: default SID to assign on errror
761  *
762  * Obtains a SID associated with the security context that
763  * has the string representation specified by @scontext.
764  * The default SID is passed to the MLS layer to be used to allow
765  * kernel labeling of the MLS field if the MLS field is not present
766  * (for upgrading to MLS without full relabel).
767  * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
768  * memory is available, or 0 on success.
769  */
770 int security_context_to_sid_default(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid)
771 {
772         return security_context_to_sid_core(scontext, scontext_len,
773                                             sid, def_sid);
774 }
775
776 static int compute_sid_handle_invalid_context(
777         struct context *scontext,
778         struct context *tcontext,
779         u16 tclass,
780         struct context *newcontext)
781 {
782         char *s = NULL, *t = NULL, *n = NULL;
783         u32 slen, tlen, nlen;
784
785         if (context_struct_to_string(scontext, &s, &slen) < 0)
786                 goto out;
787         if (context_struct_to_string(tcontext, &t, &tlen) < 0)
788                 goto out;
789         if (context_struct_to_string(newcontext, &n, &nlen) < 0)
790                 goto out;
791         audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
792                   "security_compute_sid:  invalid context %s"
793                   " for scontext=%s"
794                   " tcontext=%s"
795                   " tclass=%s",
796                   n, s, t, policydb.p_class_val_to_name[tclass-1]);
797 out:
798         kfree(s);
799         kfree(t);
800         kfree(n);
801         if (!selinux_enforcing)
802                 return 0;
803         return -EACCES;
804 }
805
806 static int security_compute_sid(u32 ssid,
807                                 u32 tsid,
808                                 u16 tclass,
809                                 u32 specified,
810                                 u32 *out_sid)
811 {
812         struct context *scontext = NULL, *tcontext = NULL, newcontext;
813         struct role_trans *roletr = NULL;
814         struct avtab_key avkey;
815         struct avtab_datum *avdatum;
816         struct avtab_node *node;
817         int rc = 0;
818
819         if (!ss_initialized) {
820                 switch (tclass) {
821                 case SECCLASS_PROCESS:
822                         *out_sid = ssid;
823                         break;
824                 default:
825                         *out_sid = tsid;
826                         break;
827                 }
828                 goto out;
829         }
830
831         POLICY_RDLOCK;
832
833         scontext = sidtab_search(&sidtab, ssid);
834         if (!scontext) {
835                 printk(KERN_ERR "security_compute_sid:  unrecognized SID %d\n",
836                        ssid);
837                 rc = -EINVAL;
838                 goto out_unlock;
839         }
840         tcontext = sidtab_search(&sidtab, tsid);
841         if (!tcontext) {
842                 printk(KERN_ERR "security_compute_sid:  unrecognized SID %d\n",
843                        tsid);
844                 rc = -EINVAL;
845                 goto out_unlock;
846         }
847
848         context_init(&newcontext);
849
850         /* Set the user identity. */
851         switch (specified) {
852         case AVTAB_TRANSITION:
853         case AVTAB_CHANGE:
854                 /* Use the process user identity. */
855                 newcontext.user = scontext->user;
856                 break;
857         case AVTAB_MEMBER:
858                 /* Use the related object owner. */
859                 newcontext.user = tcontext->user;
860                 break;
861         }
862
863         /* Set the role and type to default values. */
864         switch (tclass) {
865         case SECCLASS_PROCESS:
866                 /* Use the current role and type of process. */
867                 newcontext.role = scontext->role;
868                 newcontext.type = scontext->type;
869                 break;
870         default:
871                 /* Use the well-defined object role. */
872                 newcontext.role = OBJECT_R_VAL;
873                 /* Use the type of the related object. */
874                 newcontext.type = tcontext->type;
875         }
876
877         /* Look for a type transition/member/change rule. */
878         avkey.source_type = scontext->type;
879         avkey.target_type = tcontext->type;
880         avkey.target_class = tclass;
881         avkey.specified = specified;
882         avdatum = avtab_search(&policydb.te_avtab, &avkey);
883
884         /* If no permanent rule, also check for enabled conditional rules */
885         if(!avdatum) {
886                 node = avtab_search_node(&policydb.te_cond_avtab, &avkey);
887                 for (; node != NULL; node = avtab_search_node_next(node, specified)) {
888                         if (node->key.specified & AVTAB_ENABLED) {
889                                 avdatum = &node->datum;
890                                 break;
891                         }
892                 }
893         }
894
895         if (avdatum) {
896                 /* Use the type from the type transition/member/change rule. */
897                 newcontext.type = avdatum->data;
898         }
899
900         /* Check for class-specific changes. */
901         switch (tclass) {
902         case SECCLASS_PROCESS:
903                 if (specified & AVTAB_TRANSITION) {
904                         /* Look for a role transition rule. */
905                         for (roletr = policydb.role_tr; roletr;
906                              roletr = roletr->next) {
907                                 if (roletr->role == scontext->role &&
908                                     roletr->type == tcontext->type) {
909                                         /* Use the role transition rule. */
910                                         newcontext.role = roletr->new_role;
911                                         break;
912                                 }
913                         }
914                 }
915                 break;
916         default:
917                 break;
918         }
919
920         /* Set the MLS attributes.
921            This is done last because it may allocate memory. */
922         rc = mls_compute_sid(scontext, tcontext, tclass, specified, &newcontext);
923         if (rc)
924                 goto out_unlock;
925
926         /* Check the validity of the context. */
927         if (!policydb_context_isvalid(&policydb, &newcontext)) {
928                 rc = compute_sid_handle_invalid_context(scontext,
929                                                         tcontext,
930                                                         tclass,
931                                                         &newcontext);
932                 if (rc)
933                         goto out_unlock;
934         }
935         /* Obtain the sid for the context. */
936         rc = sidtab_context_to_sid(&sidtab, &newcontext, out_sid);
937 out_unlock:
938         POLICY_RDUNLOCK;
939         context_destroy(&newcontext);
940 out:
941         return rc;
942 }
943
944 /**
945  * security_transition_sid - Compute the SID for a new subject/object.
946  * @ssid: source security identifier
947  * @tsid: target security identifier
948  * @tclass: target security class
949  * @out_sid: security identifier for new subject/object
950  *
951  * Compute a SID to use for labeling a new subject or object in the
952  * class @tclass based on a SID pair (@ssid, @tsid).
953  * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
954  * if insufficient memory is available, or %0 if the new SID was
955  * computed successfully.
956  */
957 int security_transition_sid(u32 ssid,
958                             u32 tsid,
959                             u16 tclass,
960                             u32 *out_sid)
961 {
962         return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, out_sid);
963 }
964
965 /**
966  * security_member_sid - Compute the SID for member selection.
967  * @ssid: source security identifier
968  * @tsid: target security identifier
969  * @tclass: target security class
970  * @out_sid: security identifier for selected member
971  *
972  * Compute a SID to use when selecting a member of a polyinstantiated
973  * object of class @tclass based on a SID pair (@ssid, @tsid).
974  * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
975  * if insufficient memory is available, or %0 if the SID was
976  * computed successfully.
977  */
978 int security_member_sid(u32 ssid,
979                         u32 tsid,
980                         u16 tclass,
981                         u32 *out_sid)
982 {
983         return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid);
984 }
985
986 /**
987  * security_change_sid - Compute the SID for object relabeling.
988  * @ssid: source security identifier
989  * @tsid: target security identifier
990  * @tclass: target security class
991  * @out_sid: security identifier for selected member
992  *
993  * Compute a SID to use for relabeling an object of class @tclass
994  * based on a SID pair (@ssid, @tsid).
995  * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
996  * if insufficient memory is available, or %0 if the SID was
997  * computed successfully.
998  */
999 int security_change_sid(u32 ssid,
1000                         u32 tsid,
1001                         u16 tclass,
1002                         u32 *out_sid)
1003 {
1004         return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid);
1005 }
1006
1007 /*
1008  * Verify that each permission that is defined under the
1009  * existing policy is still defined with the same value
1010  * in the new policy.
1011  */
1012 static int validate_perm(void *key, void *datum, void *p)
1013 {
1014         struct hashtab *h;
1015         struct perm_datum *perdatum, *perdatum2;
1016         int rc = 0;
1017
1018
1019         h = p;
1020         perdatum = datum;
1021
1022         perdatum2 = hashtab_search(h, key);
1023         if (!perdatum2) {
1024                 printk(KERN_ERR "security:  permission %s disappeared",
1025                        (char *)key);
1026                 rc = -ENOENT;
1027                 goto out;
1028         }
1029         if (perdatum->value != perdatum2->value) {
1030                 printk(KERN_ERR "security:  the value of permission %s changed",
1031                        (char *)key);
1032                 rc = -EINVAL;
1033         }
1034 out:
1035         return rc;
1036 }
1037
1038 /*
1039  * Verify that each class that is defined under the
1040  * existing policy is still defined with the same
1041  * attributes in the new policy.
1042  */
1043 static int validate_class(void *key, void *datum, void *p)
1044 {
1045         struct policydb *newp;
1046         struct class_datum *cladatum, *cladatum2;
1047         int rc;
1048
1049         newp = p;
1050         cladatum = datum;
1051
1052         cladatum2 = hashtab_search(newp->p_classes.table, key);
1053         if (!cladatum2) {
1054                 printk(KERN_ERR "security:  class %s disappeared\n",
1055                        (char *)key);
1056                 rc = -ENOENT;
1057                 goto out;
1058         }
1059         if (cladatum->value != cladatum2->value) {
1060                 printk(KERN_ERR "security:  the value of class %s changed\n",
1061                        (char *)key);
1062                 rc = -EINVAL;
1063                 goto out;
1064         }
1065         if ((cladatum->comdatum && !cladatum2->comdatum) ||
1066             (!cladatum->comdatum && cladatum2->comdatum)) {
1067                 printk(KERN_ERR "security:  the inherits clause for the access "
1068                        "vector definition for class %s changed\n", (char *)key);
1069                 rc = -EINVAL;
1070                 goto out;
1071         }
1072         if (cladatum->comdatum) {
1073                 rc = hashtab_map(cladatum->comdatum->permissions.table, validate_perm,
1074                                  cladatum2->comdatum->permissions.table);
1075                 if (rc) {
1076                         printk(" in the access vector definition for class "
1077                                "%s\n", (char *)key);
1078                         goto out;
1079                 }
1080         }
1081         rc = hashtab_map(cladatum->permissions.table, validate_perm,
1082                          cladatum2->permissions.table);
1083         if (rc)
1084                 printk(" in access vector definition for class %s\n",
1085                        (char *)key);
1086 out:
1087         return rc;
1088 }
1089
1090 /* Clone the SID into the new SID table. */
1091 static int clone_sid(u32 sid,
1092                      struct context *context,
1093                      void *arg)
1094 {
1095         struct sidtab *s = arg;
1096
1097         return sidtab_insert(s, sid, context);
1098 }
1099
1100 static inline int convert_context_handle_invalid_context(struct context *context)
1101 {
1102         int rc = 0;
1103
1104         if (selinux_enforcing) {
1105                 rc = -EINVAL;
1106         } else {
1107                 char *s;
1108                 u32 len;
1109
1110                 context_struct_to_string(context, &s, &len);
1111                 printk(KERN_ERR "security:  context %s is invalid\n", s);
1112                 kfree(s);
1113         }
1114         return rc;
1115 }
1116
1117 struct convert_context_args {
1118         struct policydb *oldp;
1119         struct policydb *newp;
1120 };
1121
1122 /*
1123  * Convert the values in the security context
1124  * structure `c' from the values specified
1125  * in the policy `p->oldp' to the values specified
1126  * in the policy `p->newp'.  Verify that the
1127  * context is valid under the new policy.
1128  */
1129 static int convert_context(u32 key,
1130                            struct context *c,
1131                            void *p)
1132 {
1133         struct convert_context_args *args;
1134         struct context oldc;
1135         struct role_datum *role;
1136         struct type_datum *typdatum;
1137         struct user_datum *usrdatum;
1138         char *s;
1139         u32 len;
1140         int rc;
1141
1142         args = p;
1143
1144         rc = context_cpy(&oldc, c);
1145         if (rc)
1146                 goto out;
1147
1148         rc = -EINVAL;
1149
1150         /* Convert the user. */
1151         usrdatum = hashtab_search(args->newp->p_users.table,
1152                                   args->oldp->p_user_val_to_name[c->user - 1]);
1153         if (!usrdatum) {
1154                 goto bad;
1155         }
1156         c->user = usrdatum->value;
1157
1158         /* Convert the role. */
1159         role = hashtab_search(args->newp->p_roles.table,
1160                               args->oldp->p_role_val_to_name[c->role - 1]);
1161         if (!role) {
1162                 goto bad;
1163         }
1164         c->role = role->value;
1165
1166         /* Convert the type. */
1167         typdatum = hashtab_search(args->newp->p_types.table,
1168                                   args->oldp->p_type_val_to_name[c->type - 1]);
1169         if (!typdatum) {
1170                 goto bad;
1171         }
1172         c->type = typdatum->value;
1173
1174         rc = mls_convert_context(args->oldp, args->newp, c);
1175         if (rc)
1176                 goto bad;
1177
1178         /* Check the validity of the new context. */
1179         if (!policydb_context_isvalid(args->newp, c)) {
1180                 rc = convert_context_handle_invalid_context(&oldc);
1181                 if (rc)
1182                         goto bad;
1183         }
1184
1185         context_destroy(&oldc);
1186 out:
1187         return rc;
1188 bad:
1189         context_struct_to_string(&oldc, &s, &len);
1190         context_destroy(&oldc);
1191         printk(KERN_ERR "security:  invalidating context %s\n", s);
1192         kfree(s);
1193         goto out;
1194 }
1195
1196 extern void selinux_complete_init(void);
1197
1198 /**
1199  * security_load_policy - Load a security policy configuration.
1200  * @data: binary policy data
1201  * @len: length of data in bytes
1202  *
1203  * Load a new set of security policy configuration data,
1204  * validate it and convert the SID table as necessary.
1205  * This function will flush the access vector cache after
1206  * loading the new policy.
1207  */
1208 int security_load_policy(void *data, size_t len)
1209 {
1210         struct policydb oldpolicydb, newpolicydb;
1211         struct sidtab oldsidtab, newsidtab;
1212         struct convert_context_args args;
1213         u32 seqno;
1214         int rc = 0;
1215         struct policy_file file = { data, len }, *fp = &file;
1216
1217         LOAD_LOCK;
1218
1219         if (!ss_initialized) {
1220                 avtab_cache_init();
1221                 if (policydb_read(&policydb, fp)) {
1222                         LOAD_UNLOCK;
1223                         avtab_cache_destroy();
1224                         return -EINVAL;
1225                 }
1226                 if (policydb_load_isids(&policydb, &sidtab)) {
1227                         LOAD_UNLOCK;
1228                         policydb_destroy(&policydb);
1229                         avtab_cache_destroy();
1230                         return -EINVAL;
1231                 }
1232                 policydb_loaded_version = policydb.policyvers;
1233                 ss_initialized = 1;
1234                 seqno = ++latest_granting;
1235                 LOAD_UNLOCK;
1236                 selinux_complete_init();
1237                 avc_ss_reset(seqno);
1238                 selnl_notify_policyload(seqno);
1239                 return 0;
1240         }
1241
1242 #if 0
1243         sidtab_hash_eval(&sidtab, "sids");
1244 #endif
1245
1246         if (policydb_read(&newpolicydb, fp)) {
1247                 LOAD_UNLOCK;
1248                 return -EINVAL;
1249         }
1250
1251         sidtab_init(&newsidtab);
1252
1253         /* Verify that the existing classes did not change. */
1254         if (hashtab_map(policydb.p_classes.table, validate_class, &newpolicydb)) {
1255                 printk(KERN_ERR "security:  the definition of an existing "
1256                        "class changed\n");
1257                 rc = -EINVAL;
1258                 goto err;
1259         }
1260
1261         /* Clone the SID table. */
1262         sidtab_shutdown(&sidtab);
1263         if (sidtab_map(&sidtab, clone_sid, &newsidtab)) {
1264                 rc = -ENOMEM;
1265                 goto err;
1266         }
1267
1268         /* Convert the internal representations of contexts
1269            in the new SID table and remove invalid SIDs. */
1270         args.oldp = &policydb;
1271         args.newp = &newpolicydb;
1272         sidtab_map_remove_on_error(&newsidtab, convert_context, &args);
1273
1274         /* Save the old policydb and SID table to free later. */
1275         memcpy(&oldpolicydb, &policydb, sizeof policydb);
1276         sidtab_set(&oldsidtab, &sidtab);
1277
1278         /* Install the new policydb and SID table. */
1279         POLICY_WRLOCK;
1280         memcpy(&policydb, &newpolicydb, sizeof policydb);
1281         sidtab_set(&sidtab, &newsidtab);
1282         seqno = ++latest_granting;
1283         policydb_loaded_version = policydb.policyvers;
1284         POLICY_WRUNLOCK;
1285         LOAD_UNLOCK;
1286
1287         /* Free the old policydb and SID table. */
1288         policydb_destroy(&oldpolicydb);
1289         sidtab_destroy(&oldsidtab);
1290
1291         avc_ss_reset(seqno);
1292         selnl_notify_policyload(seqno);
1293
1294         return 0;
1295
1296 err:
1297         LOAD_UNLOCK;
1298         sidtab_destroy(&newsidtab);
1299         policydb_destroy(&newpolicydb);
1300         return rc;
1301
1302 }
1303
1304 /**
1305  * security_port_sid - Obtain the SID for a port.
1306  * @domain: communication domain aka address family
1307  * @type: socket type
1308  * @protocol: protocol number
1309  * @port: port number
1310  * @out_sid: security identifier
1311  */
1312 int security_port_sid(u16 domain,
1313                       u16 type,
1314                       u8 protocol,
1315                       u16 port,
1316                       u32 *out_sid)
1317 {
1318         struct ocontext *c;
1319         int rc = 0;
1320
1321         POLICY_RDLOCK;
1322
1323         c = policydb.ocontexts[OCON_PORT];
1324         while (c) {
1325                 if (c->u.port.protocol == protocol &&
1326                     c->u.port.low_port <= port &&
1327                     c->u.port.high_port >= port)
1328                         break;
1329                 c = c->next;
1330         }
1331
1332         if (c) {
1333                 if (!c->sid[0]) {
1334                         rc = sidtab_context_to_sid(&sidtab,
1335                                                    &c->context[0],
1336                                                    &c->sid[0]);
1337                         if (rc)
1338                                 goto out;
1339                 }
1340                 *out_sid = c->sid[0];
1341         } else {
1342                 *out_sid = SECINITSID_PORT;
1343         }
1344
1345 out:
1346         POLICY_RDUNLOCK;
1347         return rc;
1348 }
1349
1350 /**
1351  * security_netif_sid - Obtain the SID for a network interface.
1352  * @name: interface name
1353  * @if_sid: interface SID
1354  * @msg_sid: default SID for received packets
1355  */
1356 int security_netif_sid(char *name,
1357                        u32 *if_sid,
1358                        u32 *msg_sid)
1359 {
1360         int rc = 0;
1361         struct ocontext *c;
1362
1363         POLICY_RDLOCK;
1364
1365         c = policydb.ocontexts[OCON_NETIF];
1366         while (c) {
1367                 if (strcmp(name, c->u.name) == 0)
1368                         break;
1369                 c = c->next;
1370         }
1371
1372         if (c) {
1373                 if (!c->sid[0] || !c->sid[1]) {
1374                         rc = sidtab_context_to_sid(&sidtab,
1375                                                   &c->context[0],
1376                                                   &c->sid[0]);
1377                         if (rc)
1378                                 goto out;
1379                         rc = sidtab_context_to_sid(&sidtab,
1380                                                    &c->context[1],
1381                                                    &c->sid[1]);
1382                         if (rc)
1383                                 goto out;
1384                 }
1385                 *if_sid = c->sid[0];
1386                 *msg_sid = c->sid[1];
1387         } else {
1388                 *if_sid = SECINITSID_NETIF;
1389                 *msg_sid = SECINITSID_NETMSG;
1390         }
1391
1392 out:
1393         POLICY_RDUNLOCK;
1394         return rc;
1395 }
1396
1397 static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask)
1398 {
1399         int i, fail = 0;
1400
1401         for(i = 0; i < 4; i++)
1402                 if(addr[i] != (input[i] & mask[i])) {
1403                         fail = 1;
1404                         break;
1405                 }
1406
1407         return !fail;
1408 }
1409
1410 /**
1411  * security_node_sid - Obtain the SID for a node (host).
1412  * @domain: communication domain aka address family
1413  * @addrp: address
1414  * @addrlen: address length in bytes
1415  * @out_sid: security identifier
1416  */
1417 int security_node_sid(u16 domain,
1418                       void *addrp,
1419                       u32 addrlen,
1420                       u32 *out_sid)
1421 {
1422         int rc = 0;
1423         struct ocontext *c;
1424
1425         POLICY_RDLOCK;
1426
1427         switch (domain) {
1428         case AF_INET: {
1429                 u32 addr;
1430
1431                 if (addrlen != sizeof(u32)) {
1432                         rc = -EINVAL;
1433                         goto out;
1434                 }
1435
1436                 addr = *((u32 *)addrp);
1437
1438                 c = policydb.ocontexts[OCON_NODE];
1439                 while (c) {
1440                         if (c->u.node.addr == (addr & c->u.node.mask))
1441                                 break;
1442                         c = c->next;
1443                 }
1444                 break;
1445         }
1446
1447         case AF_INET6:
1448                 if (addrlen != sizeof(u64) * 2) {
1449                         rc = -EINVAL;
1450                         goto out;
1451                 }
1452                 c = policydb.ocontexts[OCON_NODE6];
1453                 while (c) {
1454                         if (match_ipv6_addrmask(addrp, c->u.node6.addr,
1455                                                 c->u.node6.mask))
1456                                 break;
1457                         c = c->next;
1458                 }
1459                 break;
1460
1461         default:
1462                 *out_sid = SECINITSID_NODE;
1463                 goto out;
1464         }
1465
1466         if (c) {
1467                 if (!c->sid[0]) {
1468                         rc = sidtab_context_to_sid(&sidtab,
1469                                                    &c->context[0],
1470                                                    &c->sid[0]);
1471                         if (rc)
1472                                 goto out;
1473                 }
1474                 *out_sid = c->sid[0];
1475         } else {
1476                 *out_sid = SECINITSID_NODE;
1477         }
1478
1479 out:
1480         POLICY_RDUNLOCK;
1481         return rc;
1482 }
1483
1484 #define SIDS_NEL 25
1485
1486 /**
1487  * security_get_user_sids - Obtain reachable SIDs for a user.
1488  * @fromsid: starting SID
1489  * @username: username
1490  * @sids: array of reachable SIDs for user
1491  * @nel: number of elements in @sids
1492  *
1493  * Generate the set of SIDs for legal security contexts
1494  * for a given user that can be reached by @fromsid.
1495  * Set *@sids to point to a dynamically allocated
1496  * array containing the set of SIDs.  Set *@nel to the
1497  * number of elements in the array.
1498  */
1499
1500 int security_get_user_sids(u32 fromsid,
1501                            char *username,
1502                            u32 **sids,
1503                            u32 *nel)
1504 {
1505         struct context *fromcon, usercon;
1506         u32 *mysids, *mysids2, sid;
1507         u32 mynel = 0, maxnel = SIDS_NEL;
1508         struct user_datum *user;
1509         struct role_datum *role;
1510         struct av_decision avd;
1511         struct ebitmap_node *rnode, *tnode;
1512         int rc = 0, i, j;
1513
1514         if (!ss_initialized) {
1515                 *sids = NULL;
1516                 *nel = 0;
1517                 goto out;
1518         }
1519
1520         POLICY_RDLOCK;
1521
1522         fromcon = sidtab_search(&sidtab, fromsid);
1523         if (!fromcon) {
1524                 rc = -EINVAL;
1525                 goto out_unlock;
1526         }
1527
1528         user = hashtab_search(policydb.p_users.table, username);
1529         if (!user) {
1530                 rc = -EINVAL;
1531                 goto out_unlock;
1532         }
1533         usercon.user = user->value;
1534
1535         mysids = kcalloc(maxnel, sizeof(*mysids), GFP_ATOMIC);
1536         if (!mysids) {
1537                 rc = -ENOMEM;
1538                 goto out_unlock;
1539         }
1540
1541         ebitmap_for_each_bit(&user->roles, rnode, i) {
1542                 if (!ebitmap_node_get_bit(rnode, i))
1543                         continue;
1544                 role = policydb.role_val_to_struct[i];
1545                 usercon.role = i+1;
1546                 ebitmap_for_each_bit(&role->types, tnode, j) {
1547                         if (!ebitmap_node_get_bit(tnode, j))
1548                                 continue;
1549                         usercon.type = j+1;
1550
1551                         if (mls_setup_user_range(fromcon, user, &usercon))
1552                                 continue;
1553
1554                         rc = context_struct_compute_av(fromcon, &usercon,
1555                                                        SECCLASS_PROCESS,
1556                                                        PROCESS__TRANSITION,
1557                                                        &avd);
1558                         if (rc ||  !(avd.allowed & PROCESS__TRANSITION))
1559                                 continue;
1560                         rc = sidtab_context_to_sid(&sidtab, &usercon, &sid);
1561                         if (rc) {
1562                                 kfree(mysids);
1563                                 goto out_unlock;
1564                         }
1565                         if (mynel < maxnel) {
1566                                 mysids[mynel++] = sid;
1567                         } else {
1568                                 maxnel += SIDS_NEL;
1569                                 mysids2 = kcalloc(maxnel, sizeof(*mysids2), GFP_ATOMIC);
1570                                 if (!mysids2) {
1571                                         rc = -ENOMEM;
1572                                         kfree(mysids);
1573                                         goto out_unlock;
1574                                 }
1575                                 memcpy(mysids2, mysids, mynel * sizeof(*mysids2));
1576                                 kfree(mysids);
1577                                 mysids = mysids2;
1578                                 mysids[mynel++] = sid;
1579                         }
1580                 }
1581         }
1582
1583         *sids = mysids;
1584         *nel = mynel;
1585
1586 out_unlock:
1587         POLICY_RDUNLOCK;
1588 out:
1589         return rc;
1590 }
1591
1592 /**
1593  * security_genfs_sid - Obtain a SID for a file in a filesystem
1594  * @fstype: filesystem type
1595  * @path: path from root of mount
1596  * @sclass: file security class
1597  * @sid: SID for path
1598  *
1599  * Obtain a SID to use for a file in a filesystem that
1600  * cannot support xattr or use a fixed labeling behavior like
1601  * transition SIDs or task SIDs.
1602  */
1603 int security_genfs_sid(const char *fstype,
1604                        char *path,
1605                        u16 sclass,
1606                        u32 *sid)
1607 {
1608         int len;
1609         struct genfs *genfs;
1610         struct ocontext *c;
1611         int rc = 0, cmp = 0;
1612
1613         POLICY_RDLOCK;
1614
1615         for (genfs = policydb.genfs; genfs; genfs = genfs->next) {
1616                 cmp = strcmp(fstype, genfs->fstype);
1617                 if (cmp <= 0)
1618                         break;
1619         }
1620
1621         if (!genfs || cmp) {
1622                 *sid = SECINITSID_UNLABELED;
1623                 rc = -ENOENT;
1624                 goto out;
1625         }
1626
1627         for (c = genfs->head; c; c = c->next) {
1628                 len = strlen(c->u.name);
1629                 if ((!c->v.sclass || sclass == c->v.sclass) &&
1630                     (strncmp(c->u.name, path, len) == 0))
1631                         break;
1632         }
1633
1634         if (!c) {
1635                 *sid = SECINITSID_UNLABELED;
1636                 rc = -ENOENT;
1637                 goto out;
1638         }
1639
1640         if (!c->sid[0]) {
1641                 rc = sidtab_context_to_sid(&sidtab,
1642                                            &c->context[0],
1643                                            &c->sid[0]);
1644                 if (rc)
1645                         goto out;
1646         }
1647
1648         *sid = c->sid[0];
1649 out:
1650         POLICY_RDUNLOCK;
1651         return rc;
1652 }
1653
1654 /**
1655  * security_fs_use - Determine how to handle labeling for a filesystem.
1656  * @fstype: filesystem type
1657  * @behavior: labeling behavior
1658  * @sid: SID for filesystem (superblock)
1659  */
1660 int security_fs_use(
1661         const char *fstype,
1662         unsigned int *behavior,
1663         u32 *sid)
1664 {
1665         int rc = 0;
1666         struct ocontext *c;
1667
1668         POLICY_RDLOCK;
1669
1670         c = policydb.ocontexts[OCON_FSUSE];
1671         while (c) {
1672                 if (strcmp(fstype, c->u.name) == 0)
1673                         break;
1674                 c = c->next;
1675         }
1676
1677         if (c) {
1678                 *behavior = c->v.behavior;
1679                 if (!c->sid[0]) {
1680                         rc = sidtab_context_to_sid(&sidtab,
1681                                                    &c->context[0],
1682                                                    &c->sid[0]);
1683                         if (rc)
1684                                 goto out;
1685                 }
1686                 *sid = c->sid[0];
1687         } else {
1688                 rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, sid);
1689                 if (rc) {
1690                         *behavior = SECURITY_FS_USE_NONE;
1691                         rc = 0;
1692                 } else {
1693                         *behavior = SECURITY_FS_USE_GENFS;
1694                 }
1695         }
1696
1697 out:
1698         POLICY_RDUNLOCK;
1699         return rc;
1700 }
1701
1702 int security_get_bools(int *len, char ***names, int **values)
1703 {
1704         int i, rc = -ENOMEM;
1705
1706         POLICY_RDLOCK;
1707         *names = NULL;
1708         *values = NULL;
1709
1710         *len = policydb.p_bools.nprim;
1711         if (!*len) {
1712                 rc = 0;
1713                 goto out;
1714         }
1715
1716        *names = kcalloc(*len, sizeof(char*), GFP_ATOMIC);
1717         if (!*names)
1718                 goto err;
1719
1720        *values = kcalloc(*len, sizeof(int), GFP_ATOMIC);
1721         if (!*values)
1722                 goto err;
1723
1724         for (i = 0; i < *len; i++) {
1725                 size_t name_len;
1726                 (*values)[i] = policydb.bool_val_to_struct[i]->state;
1727                 name_len = strlen(policydb.p_bool_val_to_name[i]) + 1;
1728                (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC);
1729                 if (!(*names)[i])
1730                         goto err;
1731                 strncpy((*names)[i], policydb.p_bool_val_to_name[i], name_len);
1732                 (*names)[i][name_len - 1] = 0;
1733         }
1734         rc = 0;
1735 out:
1736         POLICY_RDUNLOCK;
1737         return rc;
1738 err:
1739         if (*names) {
1740                 for (i = 0; i < *len; i++)
1741                         kfree((*names)[i]);
1742         }
1743         kfree(*values);
1744         goto out;
1745 }
1746
1747
1748 int security_set_bools(int len, int *values)
1749 {
1750         int i, rc = 0;
1751         int lenp, seqno = 0;
1752         struct cond_node *cur;
1753
1754         POLICY_WRLOCK;
1755
1756         lenp = policydb.p_bools.nprim;
1757         if (len != lenp) {
1758                 rc = -EFAULT;
1759                 goto out;
1760         }
1761
1762         for (i = 0; i < len; i++) {
1763                 if (!!values[i] != policydb.bool_val_to_struct[i]->state) {
1764                         audit_log(current->audit_context, GFP_ATOMIC,
1765                                 AUDIT_MAC_CONFIG_CHANGE,
1766                                 "bool=%s val=%d old_val=%d auid=%u",
1767                                 policydb.p_bool_val_to_name[i],
1768                                 !!values[i],
1769                                 policydb.bool_val_to_struct[i]->state,
1770                                 audit_get_loginuid(current->audit_context));
1771                 }
1772                 if (values[i]) {
1773                         policydb.bool_val_to_struct[i]->state = 1;
1774                 } else {
1775                         policydb.bool_val_to_struct[i]->state = 0;
1776                 }
1777         }
1778
1779         for (cur = policydb.cond_list; cur != NULL; cur = cur->next) {
1780                 rc = evaluate_cond_node(&policydb, cur);
1781                 if (rc)
1782                         goto out;
1783         }
1784
1785         seqno = ++latest_granting;
1786
1787 out:
1788         POLICY_WRUNLOCK;
1789         if (!rc) {
1790                 avc_ss_reset(seqno);
1791                 selnl_notify_policyload(seqno);
1792         }
1793         return rc;
1794 }
1795
1796 int security_get_bool_value(int bool)
1797 {
1798         int rc = 0;
1799         int len;
1800
1801         POLICY_RDLOCK;
1802
1803         len = policydb.p_bools.nprim;
1804         if (bool >= len) {
1805                 rc = -EFAULT;
1806                 goto out;
1807         }
1808
1809         rc = policydb.bool_val_to_struct[bool]->state;
1810 out:
1811         POLICY_RDUNLOCK;
1812         return rc;
1813 }