SELinux: fix locking issue introduced with c6d3aaa4e35c71a3
[linux-2.6.git] / security / selinux / ss / services.c
1 /*
2  * Implementation of the security services.
3  *
4  * Authors : Stephen Smalley, <sds@epoch.ncsc.mil>
5  *           James Morris <jmorris@redhat.com>
6  *
7  * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
8  *
9  *      Support for enhanced MLS infrastructure.
10  *      Support for context based audit filters.
11  *
12  * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
13  *
14  *      Added conditional policy language extensions
15  *
16  * Updated: Hewlett-Packard <paul.moore@hp.com>
17  *
18  *      Added support for NetLabel
19  *      Added support for the policy capability bitmap
20  *
21  * Updated: Chad Sellers <csellers@tresys.com>
22  *
23  *  Added validation of kernel classes and permissions
24  *
25  * Updated: KaiGai Kohei <kaigai@ak.jp.nec.com>
26  *
27  *  Added support for bounds domain and audit messaged on masked permissions
28  *
29  * Copyright (C) 2008, 2009 NEC Corporation
30  * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
31  * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
32  * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC
33  * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
34  *      This program is free software; you can redistribute it and/or modify
35  *      it under the terms of the GNU General Public License as published by
36  *      the Free Software Foundation, version 2.
37  */
38 #include <linux/kernel.h>
39 #include <linux/slab.h>
40 #include <linux/string.h>
41 #include <linux/spinlock.h>
42 #include <linux/rcupdate.h>
43 #include <linux/errno.h>
44 #include <linux/in.h>
45 #include <linux/sched.h>
46 #include <linux/audit.h>
47 #include <linux/mutex.h>
48 #include <linux/selinux.h>
49 #include <net/netlabel.h>
50
51 #include "flask.h"
52 #include "avc.h"
53 #include "avc_ss.h"
54 #include "security.h"
55 #include "context.h"
56 #include "policydb.h"
57 #include "sidtab.h"
58 #include "services.h"
59 #include "conditional.h"
60 #include "mls.h"
61 #include "objsec.h"
62 #include "netlabel.h"
63 #include "xfrm.h"
64 #include "ebitmap.h"
65 #include "audit.h"
66
67 extern void selnl_notify_policyload(u32 seqno);
68
69 int selinux_policycap_netpeer;
70 int selinux_policycap_openperm;
71
72 static DEFINE_RWLOCK(policy_rwlock);
73
74 static struct sidtab sidtab;
75 struct policydb policydb;
76 int ss_initialized;
77
78 /*
79  * The largest sequence number that has been used when
80  * providing an access decision to the access vector cache.
81  * The sequence number only changes when a policy change
82  * occurs.
83  */
84 static u32 latest_granting;
85
86 /* Forward declaration. */
87 static int context_struct_to_string(struct context *context, char **scontext,
88                                     u32 *scontext_len);
89
90 static int context_struct_compute_av(struct context *scontext,
91                                      struct context *tcontext,
92                                      u16 tclass,
93                                      u32 requested,
94                                      struct av_decision *avd);
95
96 struct selinux_mapping {
97         u16 value; /* policy value */
98         unsigned num_perms;
99         u32 perms[sizeof(u32) * 8];
100 };
101
102 static struct selinux_mapping *current_mapping;
103 static u16 current_mapping_size;
104
105 static int selinux_set_mapping(struct policydb *pol,
106                                struct security_class_mapping *map,
107                                struct selinux_mapping **out_map_p,
108                                u16 *out_map_size)
109 {
110         struct selinux_mapping *out_map = NULL;
111         size_t size = sizeof(struct selinux_mapping);
112         u16 i, j;
113         unsigned k;
114         bool print_unknown_handle = false;
115
116         /* Find number of classes in the input mapping */
117         if (!map)
118                 return -EINVAL;
119         i = 0;
120         while (map[i].name)
121                 i++;
122
123         /* Allocate space for the class records, plus one for class zero */
124         out_map = kcalloc(++i, size, GFP_ATOMIC);
125         if (!out_map)
126                 return -ENOMEM;
127
128         /* Store the raw class and permission values */
129         j = 0;
130         while (map[j].name) {
131                 struct security_class_mapping *p_in = map + (j++);
132                 struct selinux_mapping *p_out = out_map + j;
133
134                 /* An empty class string skips ahead */
135                 if (!strcmp(p_in->name, "")) {
136                         p_out->num_perms = 0;
137                         continue;
138                 }
139
140                 p_out->value = string_to_security_class(pol, p_in->name);
141                 if (!p_out->value) {
142                         printk(KERN_INFO
143                                "SELinux:  Class %s not defined in policy.\n",
144                                p_in->name);
145                         if (pol->reject_unknown)
146                                 goto err;
147                         p_out->num_perms = 0;
148                         print_unknown_handle = true;
149                         continue;
150                 }
151
152                 k = 0;
153                 while (p_in->perms && p_in->perms[k]) {
154                         /* An empty permission string skips ahead */
155                         if (!*p_in->perms[k]) {
156                                 k++;
157                                 continue;
158                         }
159                         p_out->perms[k] = string_to_av_perm(pol, p_out->value,
160                                                             p_in->perms[k]);
161                         if (!p_out->perms[k]) {
162                                 printk(KERN_INFO
163                                        "SELinux:  Permission %s in class %s not defined in policy.\n",
164                                        p_in->perms[k], p_in->name);
165                                 if (pol->reject_unknown)
166                                         goto err;
167                                 print_unknown_handle = true;
168                         }
169
170                         k++;
171                 }
172                 p_out->num_perms = k;
173         }
174
175         if (print_unknown_handle)
176                 printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
177                        pol->allow_unknown ? "allowed" : "denied");
178
179         *out_map_p = out_map;
180         *out_map_size = i;
181         return 0;
182 err:
183         kfree(out_map);
184         return -EINVAL;
185 }
186
187 /*
188  * Get real, policy values from mapped values
189  */
190
191 static u16 unmap_class(u16 tclass)
192 {
193         if (tclass < current_mapping_size)
194                 return current_mapping[tclass].value;
195
196         return tclass;
197 }
198
199 static u32 unmap_perm(u16 tclass, u32 tperm)
200 {
201         if (tclass < current_mapping_size) {
202                 unsigned i;
203                 u32 kperm = 0;
204
205                 for (i = 0; i < current_mapping[tclass].num_perms; i++)
206                         if (tperm & (1<<i)) {
207                                 kperm |= current_mapping[tclass].perms[i];
208                                 tperm &= ~(1<<i);
209                         }
210                 return kperm;
211         }
212
213         return tperm;
214 }
215
216 static void map_decision(u16 tclass, struct av_decision *avd,
217                          int allow_unknown)
218 {
219         if (tclass < current_mapping_size) {
220                 unsigned i, n = current_mapping[tclass].num_perms;
221                 u32 result;
222
223                 for (i = 0, result = 0; i < n; i++) {
224                         if (avd->allowed & current_mapping[tclass].perms[i])
225                                 result |= 1<<i;
226                         if (allow_unknown && !current_mapping[tclass].perms[i])
227                                 result |= 1<<i;
228                 }
229                 avd->allowed = result;
230
231                 for (i = 0, result = 0; i < n; i++)
232                         if (avd->auditallow & current_mapping[tclass].perms[i])
233                                 result |= 1<<i;
234                 avd->auditallow = result;
235
236                 for (i = 0, result = 0; i < n; i++) {
237                         if (avd->auditdeny & current_mapping[tclass].perms[i])
238                                 result |= 1<<i;
239                         if (!allow_unknown && !current_mapping[tclass].perms[i])
240                                 result |= 1<<i;
241                 }
242                 avd->auditdeny = result;
243         }
244 }
245
246
247 /*
248  * Return the boolean value of a constraint expression
249  * when it is applied to the specified source and target
250  * security contexts.
251  *
252  * xcontext is a special beast...  It is used by the validatetrans rules
253  * only.  For these rules, scontext is the context before the transition,
254  * tcontext is the context after the transition, and xcontext is the context
255  * of the process performing the transition.  All other callers of
256  * constraint_expr_eval should pass in NULL for xcontext.
257  */
258 static int constraint_expr_eval(struct context *scontext,
259                                 struct context *tcontext,
260                                 struct context *xcontext,
261                                 struct constraint_expr *cexpr)
262 {
263         u32 val1, val2;
264         struct context *c;
265         struct role_datum *r1, *r2;
266         struct mls_level *l1, *l2;
267         struct constraint_expr *e;
268         int s[CEXPR_MAXDEPTH];
269         int sp = -1;
270
271         for (e = cexpr; e; e = e->next) {
272                 switch (e->expr_type) {
273                 case CEXPR_NOT:
274                         BUG_ON(sp < 0);
275                         s[sp] = !s[sp];
276                         break;
277                 case CEXPR_AND:
278                         BUG_ON(sp < 1);
279                         sp--;
280                         s[sp] &= s[sp+1];
281                         break;
282                 case CEXPR_OR:
283                         BUG_ON(sp < 1);
284                         sp--;
285                         s[sp] |= s[sp+1];
286                         break;
287                 case CEXPR_ATTR:
288                         if (sp == (CEXPR_MAXDEPTH-1))
289                                 return 0;
290                         switch (e->attr) {
291                         case CEXPR_USER:
292                                 val1 = scontext->user;
293                                 val2 = tcontext->user;
294                                 break;
295                         case CEXPR_TYPE:
296                                 val1 = scontext->type;
297                                 val2 = tcontext->type;
298                                 break;
299                         case CEXPR_ROLE:
300                                 val1 = scontext->role;
301                                 val2 = tcontext->role;
302                                 r1 = policydb.role_val_to_struct[val1 - 1];
303                                 r2 = policydb.role_val_to_struct[val2 - 1];
304                                 switch (e->op) {
305                                 case CEXPR_DOM:
306                                         s[++sp] = ebitmap_get_bit(&r1->dominates,
307                                                                   val2 - 1);
308                                         continue;
309                                 case CEXPR_DOMBY:
310                                         s[++sp] = ebitmap_get_bit(&r2->dominates,
311                                                                   val1 - 1);
312                                         continue;
313                                 case CEXPR_INCOMP:
314                                         s[++sp] = (!ebitmap_get_bit(&r1->dominates,
315                                                                     val2 - 1) &&
316                                                    !ebitmap_get_bit(&r2->dominates,
317                                                                     val1 - 1));
318                                         continue;
319                                 default:
320                                         break;
321                                 }
322                                 break;
323                         case CEXPR_L1L2:
324                                 l1 = &(scontext->range.level[0]);
325                                 l2 = &(tcontext->range.level[0]);
326                                 goto mls_ops;
327                         case CEXPR_L1H2:
328                                 l1 = &(scontext->range.level[0]);
329                                 l2 = &(tcontext->range.level[1]);
330                                 goto mls_ops;
331                         case CEXPR_H1L2:
332                                 l1 = &(scontext->range.level[1]);
333                                 l2 = &(tcontext->range.level[0]);
334                                 goto mls_ops;
335                         case CEXPR_H1H2:
336                                 l1 = &(scontext->range.level[1]);
337                                 l2 = &(tcontext->range.level[1]);
338                                 goto mls_ops;
339                         case CEXPR_L1H1:
340                                 l1 = &(scontext->range.level[0]);
341                                 l2 = &(scontext->range.level[1]);
342                                 goto mls_ops;
343                         case CEXPR_L2H2:
344                                 l1 = &(tcontext->range.level[0]);
345                                 l2 = &(tcontext->range.level[1]);
346                                 goto mls_ops;
347 mls_ops:
348                         switch (e->op) {
349                         case CEXPR_EQ:
350                                 s[++sp] = mls_level_eq(l1, l2);
351                                 continue;
352                         case CEXPR_NEQ:
353                                 s[++sp] = !mls_level_eq(l1, l2);
354                                 continue;
355                         case CEXPR_DOM:
356                                 s[++sp] = mls_level_dom(l1, l2);
357                                 continue;
358                         case CEXPR_DOMBY:
359                                 s[++sp] = mls_level_dom(l2, l1);
360                                 continue;
361                         case CEXPR_INCOMP:
362                                 s[++sp] = mls_level_incomp(l2, l1);
363                                 continue;
364                         default:
365                                 BUG();
366                                 return 0;
367                         }
368                         break;
369                         default:
370                                 BUG();
371                                 return 0;
372                         }
373
374                         switch (e->op) {
375                         case CEXPR_EQ:
376                                 s[++sp] = (val1 == val2);
377                                 break;
378                         case CEXPR_NEQ:
379                                 s[++sp] = (val1 != val2);
380                                 break;
381                         default:
382                                 BUG();
383                                 return 0;
384                         }
385                         break;
386                 case CEXPR_NAMES:
387                         if (sp == (CEXPR_MAXDEPTH-1))
388                                 return 0;
389                         c = scontext;
390                         if (e->attr & CEXPR_TARGET)
391                                 c = tcontext;
392                         else if (e->attr & CEXPR_XTARGET) {
393                                 c = xcontext;
394                                 if (!c) {
395                                         BUG();
396                                         return 0;
397                                 }
398                         }
399                         if (e->attr & CEXPR_USER)
400                                 val1 = c->user;
401                         else if (e->attr & CEXPR_ROLE)
402                                 val1 = c->role;
403                         else if (e->attr & CEXPR_TYPE)
404                                 val1 = c->type;
405                         else {
406                                 BUG();
407                                 return 0;
408                         }
409
410                         switch (e->op) {
411                         case CEXPR_EQ:
412                                 s[++sp] = ebitmap_get_bit(&e->names, val1 - 1);
413                                 break;
414                         case CEXPR_NEQ:
415                                 s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1);
416                                 break;
417                         default:
418                                 BUG();
419                                 return 0;
420                         }
421                         break;
422                 default:
423                         BUG();
424                         return 0;
425                 }
426         }
427
428         BUG_ON(sp != 0);
429         return s[0];
430 }
431
432 /*
433  * security_dump_masked_av - dumps masked permissions during
434  * security_compute_av due to RBAC, MLS/Constraint and Type bounds.
435  */
436 static int dump_masked_av_helper(void *k, void *d, void *args)
437 {
438         struct perm_datum *pdatum = d;
439         char **permission_names = args;
440
441         BUG_ON(pdatum->value < 1 || pdatum->value > 32);
442
443         permission_names[pdatum->value - 1] = (char *)k;
444
445         return 0;
446 }
447
448 static void security_dump_masked_av(struct context *scontext,
449                                     struct context *tcontext,
450                                     u16 tclass,
451                                     u32 permissions,
452                                     const char *reason)
453 {
454         struct common_datum *common_dat;
455         struct class_datum *tclass_dat;
456         struct audit_buffer *ab;
457         char *tclass_name;
458         char *scontext_name = NULL;
459         char *tcontext_name = NULL;
460         char *permission_names[32];
461         int index, length;
462         bool need_comma = false;
463
464         if (!permissions)
465                 return;
466
467         tclass_name = policydb.p_class_val_to_name[tclass - 1];
468         tclass_dat = policydb.class_val_to_struct[tclass - 1];
469         common_dat = tclass_dat->comdatum;
470
471         /* init permission_names */
472         if (common_dat &&
473             hashtab_map(common_dat->permissions.table,
474                         dump_masked_av_helper, permission_names) < 0)
475                 goto out;
476
477         if (hashtab_map(tclass_dat->permissions.table,
478                         dump_masked_av_helper, permission_names) < 0)
479                 goto out;
480
481         /* get scontext/tcontext in text form */
482         if (context_struct_to_string(scontext,
483                                      &scontext_name, &length) < 0)
484                 goto out;
485
486         if (context_struct_to_string(tcontext,
487                                      &tcontext_name, &length) < 0)
488                 goto out;
489
490         /* audit a message */
491         ab = audit_log_start(current->audit_context,
492                              GFP_ATOMIC, AUDIT_SELINUX_ERR);
493         if (!ab)
494                 goto out;
495
496         audit_log_format(ab, "op=security_compute_av reason=%s "
497                          "scontext=%s tcontext=%s tclass=%s perms=",
498                          reason, scontext_name, tcontext_name, tclass_name);
499
500         for (index = 0; index < 32; index++) {
501                 u32 mask = (1 << index);
502
503                 if ((mask & permissions) == 0)
504                         continue;
505
506                 audit_log_format(ab, "%s%s",
507                                  need_comma ? "," : "",
508                                  permission_names[index]
509                                  ? permission_names[index] : "????");
510                 need_comma = true;
511         }
512         audit_log_end(ab);
513 out:
514         /* release scontext/tcontext */
515         kfree(tcontext_name);
516         kfree(scontext_name);
517
518         return;
519 }
520
521 /*
522  * security_boundary_permission - drops violated permissions
523  * on boundary constraint.
524  */
525 static void type_attribute_bounds_av(struct context *scontext,
526                                      struct context *tcontext,
527                                      u16 tclass,
528                                      u32 requested,
529                                      struct av_decision *avd)
530 {
531         struct context lo_scontext;
532         struct context lo_tcontext;
533         struct av_decision lo_avd;
534         struct type_datum *source
535                 = policydb.type_val_to_struct[scontext->type - 1];
536         struct type_datum *target
537                 = policydb.type_val_to_struct[tcontext->type - 1];
538         u32 masked = 0;
539
540         if (source->bounds) {
541                 memset(&lo_avd, 0, sizeof(lo_avd));
542
543                 memcpy(&lo_scontext, scontext, sizeof(lo_scontext));
544                 lo_scontext.type = source->bounds;
545
546                 context_struct_compute_av(&lo_scontext,
547                                           tcontext,
548                                           tclass,
549                                           requested,
550                                           &lo_avd);
551                 if ((lo_avd.allowed & avd->allowed) == avd->allowed)
552                         return;         /* no masked permission */
553                 masked = ~lo_avd.allowed & avd->allowed;
554         }
555
556         if (target->bounds) {
557                 memset(&lo_avd, 0, sizeof(lo_avd));
558
559                 memcpy(&lo_tcontext, tcontext, sizeof(lo_tcontext));
560                 lo_tcontext.type = target->bounds;
561
562                 context_struct_compute_av(scontext,
563                                           &lo_tcontext,
564                                           tclass,
565                                           requested,
566                                           &lo_avd);
567                 if ((lo_avd.allowed & avd->allowed) == avd->allowed)
568                         return;         /* no masked permission */
569                 masked = ~lo_avd.allowed & avd->allowed;
570         }
571
572         if (source->bounds && target->bounds) {
573                 memset(&lo_avd, 0, sizeof(lo_avd));
574                 /*
575                  * lo_scontext and lo_tcontext are already
576                  * set up.
577                  */
578
579                 context_struct_compute_av(&lo_scontext,
580                                           &lo_tcontext,
581                                           tclass,
582                                           requested,
583                                           &lo_avd);
584                 if ((lo_avd.allowed & avd->allowed) == avd->allowed)
585                         return;         /* no masked permission */
586                 masked = ~lo_avd.allowed & avd->allowed;
587         }
588
589         if (masked) {
590                 /* mask violated permissions */
591                 avd->allowed &= ~masked;
592
593                 /* audit masked permissions */
594                 security_dump_masked_av(scontext, tcontext,
595                                         tclass, masked, "bounds");
596         }
597 }
598
599 /*
600  * Compute access vectors based on a context structure pair for
601  * the permissions in a particular class.
602  */
603 static int context_struct_compute_av(struct context *scontext,
604                                      struct context *tcontext,
605                                      u16 tclass,
606                                      u32 requested,
607                                      struct av_decision *avd)
608 {
609         struct constraint_node *constraint;
610         struct role_allow *ra;
611         struct avtab_key avkey;
612         struct avtab_node *node;
613         struct class_datum *tclass_datum;
614         struct ebitmap *sattr, *tattr;
615         struct ebitmap_node *snode, *tnode;
616         unsigned int i, j;
617
618         /*
619          * Initialize the access vectors to the default values.
620          */
621         avd->allowed = 0;
622         avd->auditallow = 0;
623         avd->auditdeny = 0xffffffff;
624         avd->seqno = latest_granting;
625         avd->flags = 0;
626
627         if (unlikely(!tclass || tclass > policydb.p_classes.nprim)) {
628                 if (printk_ratelimit())
629                         printk(KERN_WARNING "SELinux:  Invalid class %hu\n", tclass);
630                 return -EINVAL;
631         }
632
633         tclass_datum = policydb.class_val_to_struct[tclass - 1];
634
635         /*
636          * If a specific type enforcement rule was defined for
637          * this permission check, then use it.
638          */
639         avkey.target_class = tclass;
640         avkey.specified = AVTAB_AV;
641         sattr = &policydb.type_attr_map[scontext->type - 1];
642         tattr = &policydb.type_attr_map[tcontext->type - 1];
643         ebitmap_for_each_positive_bit(sattr, snode, i) {
644                 ebitmap_for_each_positive_bit(tattr, tnode, j) {
645                         avkey.source_type = i + 1;
646                         avkey.target_type = j + 1;
647                         for (node = avtab_search_node(&policydb.te_avtab, &avkey);
648                              node;
649                              node = avtab_search_node_next(node, avkey.specified)) {
650                                 if (node->key.specified == AVTAB_ALLOWED)
651                                         avd->allowed |= node->datum.data;
652                                 else if (node->key.specified == AVTAB_AUDITALLOW)
653                                         avd->auditallow |= node->datum.data;
654                                 else if (node->key.specified == AVTAB_AUDITDENY)
655                                         avd->auditdeny &= node->datum.data;
656                         }
657
658                         /* Check conditional av table for additional permissions */
659                         cond_compute_av(&policydb.te_cond_avtab, &avkey, avd);
660
661                 }
662         }
663
664         /*
665          * Remove any permissions prohibited by a constraint (this includes
666          * the MLS policy).
667          */
668         constraint = tclass_datum->constraints;
669         while (constraint) {
670                 if ((constraint->permissions & (avd->allowed)) &&
671                     !constraint_expr_eval(scontext, tcontext, NULL,
672                                           constraint->expr)) {
673                         avd->allowed &= ~(constraint->permissions);
674                 }
675                 constraint = constraint->next;
676         }
677
678         /*
679          * If checking process transition permission and the
680          * role is changing, then check the (current_role, new_role)
681          * pair.
682          */
683         if (tclass == policydb.process_class &&
684             (avd->allowed & policydb.process_trans_perms) &&
685             scontext->role != tcontext->role) {
686                 for (ra = policydb.role_allow; ra; ra = ra->next) {
687                         if (scontext->role == ra->role &&
688                             tcontext->role == ra->new_role)
689                                 break;
690                 }
691                 if (!ra)
692                         avd->allowed &= ~policydb.process_trans_perms;
693         }
694
695         /*
696          * If the given source and target types have boundary
697          * constraint, lazy checks have to mask any violated
698          * permission and notice it to userspace via audit.
699          */
700         type_attribute_bounds_av(scontext, tcontext,
701                                  tclass, requested, avd);
702
703         return 0;
704 }
705
706 static int security_validtrans_handle_fail(struct context *ocontext,
707                                            struct context *ncontext,
708                                            struct context *tcontext,
709                                            u16 tclass)
710 {
711         char *o = NULL, *n = NULL, *t = NULL;
712         u32 olen, nlen, tlen;
713
714         if (context_struct_to_string(ocontext, &o, &olen) < 0)
715                 goto out;
716         if (context_struct_to_string(ncontext, &n, &nlen) < 0)
717                 goto out;
718         if (context_struct_to_string(tcontext, &t, &tlen) < 0)
719                 goto out;
720         audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
721                   "security_validate_transition:  denied for"
722                   " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
723                   o, n, t, policydb.p_class_val_to_name[tclass-1]);
724 out:
725         kfree(o);
726         kfree(n);
727         kfree(t);
728
729         if (!selinux_enforcing)
730                 return 0;
731         return -EPERM;
732 }
733
734 int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
735                                  u16 orig_tclass)
736 {
737         struct context *ocontext;
738         struct context *ncontext;
739         struct context *tcontext;
740         struct class_datum *tclass_datum;
741         struct constraint_node *constraint;
742         u16 tclass;
743         int rc = 0;
744
745         if (!ss_initialized)
746                 return 0;
747
748         read_lock(&policy_rwlock);
749
750         tclass = unmap_class(orig_tclass);
751
752         if (!tclass || tclass > policydb.p_classes.nprim) {
753                 printk(KERN_ERR "SELinux: %s:  unrecognized class %d\n",
754                         __func__, tclass);
755                 rc = -EINVAL;
756                 goto out;
757         }
758         tclass_datum = policydb.class_val_to_struct[tclass - 1];
759
760         ocontext = sidtab_search(&sidtab, oldsid);
761         if (!ocontext) {
762                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
763                         __func__, oldsid);
764                 rc = -EINVAL;
765                 goto out;
766         }
767
768         ncontext = sidtab_search(&sidtab, newsid);
769         if (!ncontext) {
770                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
771                         __func__, newsid);
772                 rc = -EINVAL;
773                 goto out;
774         }
775
776         tcontext = sidtab_search(&sidtab, tasksid);
777         if (!tcontext) {
778                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
779                         __func__, tasksid);
780                 rc = -EINVAL;
781                 goto out;
782         }
783
784         constraint = tclass_datum->validatetrans;
785         while (constraint) {
786                 if (!constraint_expr_eval(ocontext, ncontext, tcontext,
787                                           constraint->expr)) {
788                         rc = security_validtrans_handle_fail(ocontext, ncontext,
789                                                              tcontext, tclass);
790                         goto out;
791                 }
792                 constraint = constraint->next;
793         }
794
795 out:
796         read_unlock(&policy_rwlock);
797         return rc;
798 }
799
800 /*
801  * security_bounded_transition - check whether the given
802  * transition is directed to bounded, or not.
803  * It returns 0, if @newsid is bounded by @oldsid.
804  * Otherwise, it returns error code.
805  *
806  * @oldsid : current security identifier
807  * @newsid : destinated security identifier
808  */
809 int security_bounded_transition(u32 old_sid, u32 new_sid)
810 {
811         struct context *old_context, *new_context;
812         struct type_datum *type;
813         int index;
814         int rc = -EINVAL;
815
816         read_lock(&policy_rwlock);
817
818         old_context = sidtab_search(&sidtab, old_sid);
819         if (!old_context) {
820                 printk(KERN_ERR "SELinux: %s: unrecognized SID %u\n",
821                        __func__, old_sid);
822                 goto out;
823         }
824
825         new_context = sidtab_search(&sidtab, new_sid);
826         if (!new_context) {
827                 printk(KERN_ERR "SELinux: %s: unrecognized SID %u\n",
828                        __func__, new_sid);
829                 goto out;
830         }
831
832         /* type/domain unchaned */
833         if (old_context->type == new_context->type) {
834                 rc = 0;
835                 goto out;
836         }
837
838         index = new_context->type;
839         while (true) {
840                 type = policydb.type_val_to_struct[index - 1];
841                 BUG_ON(!type);
842
843                 /* not bounded anymore */
844                 if (!type->bounds) {
845                         rc = -EPERM;
846                         break;
847                 }
848
849                 /* @newsid is bounded by @oldsid */
850                 if (type->bounds == old_context->type) {
851                         rc = 0;
852                         break;
853                 }
854                 index = type->bounds;
855         }
856
857         if (rc) {
858                 char *old_name = NULL;
859                 char *new_name = NULL;
860                 int length;
861
862                 if (!context_struct_to_string(old_context,
863                                               &old_name, &length) &&
864                     !context_struct_to_string(new_context,
865                                               &new_name, &length)) {
866                         audit_log(current->audit_context,
867                                   GFP_ATOMIC, AUDIT_SELINUX_ERR,
868                                   "op=security_bounded_transition "
869                                   "result=denied "
870                                   "oldcontext=%s newcontext=%s",
871                                   old_name, new_name);
872                 }
873                 kfree(new_name);
874                 kfree(old_name);
875         }
876 out:
877         read_unlock(&policy_rwlock);
878
879         return rc;
880 }
881
882
883 static int security_compute_av_core(u32 ssid,
884                                     u32 tsid,
885                                     u16 tclass,
886                                     u32 requested,
887                                     struct av_decision *avd)
888 {
889         struct context *scontext = NULL, *tcontext = NULL;
890         int rc = 0;
891
892         scontext = sidtab_search(&sidtab, ssid);
893         if (!scontext) {
894                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
895                        __func__, ssid);
896                 return -EINVAL;
897         }
898         tcontext = sidtab_search(&sidtab, tsid);
899         if (!tcontext) {
900                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
901                        __func__, tsid);
902                 return -EINVAL;
903         }
904
905         rc = context_struct_compute_av(scontext, tcontext, tclass,
906                                        requested, avd);
907
908         /* permissive domain? */
909         if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
910                 avd->flags |= AVD_FLAGS_PERMISSIVE;
911
912         return rc;
913 }
914
915 /**
916  * security_compute_av - Compute access vector decisions.
917  * @ssid: source security identifier
918  * @tsid: target security identifier
919  * @tclass: target security class
920  * @requested: requested permissions
921  * @avd: access vector decisions
922  *
923  * Compute a set of access vector decisions based on the
924  * SID pair (@ssid, @tsid) for the permissions in @tclass.
925  * Return -%EINVAL if any of the parameters are invalid or %0
926  * if the access vector decisions were computed successfully.
927  */
928 int security_compute_av(u32 ssid,
929                         u32 tsid,
930                         u16 orig_tclass,
931                         u32 orig_requested,
932                         struct av_decision *avd)
933 {
934         u16 tclass;
935         u32 requested;
936         int rc;
937
938         read_lock(&policy_rwlock);
939
940         if (!ss_initialized)
941                 goto allow;
942
943         requested = unmap_perm(orig_tclass, orig_requested);
944         tclass = unmap_class(orig_tclass);
945         if (unlikely(orig_tclass && !tclass)) {
946                 if (policydb.allow_unknown)
947                         goto allow;
948                 rc = -EINVAL;
949                 goto out;
950         }
951         rc = security_compute_av_core(ssid, tsid, tclass, requested, avd);
952         map_decision(orig_tclass, avd, policydb.allow_unknown);
953 out:
954         read_unlock(&policy_rwlock);
955         return rc;
956 allow:
957         avd->allowed = 0xffffffff;
958         avd->auditallow = 0;
959         avd->auditdeny = 0xffffffff;
960         avd->seqno = latest_granting;
961         avd->flags = 0;
962         rc = 0;
963         goto out;
964 }
965
966 int security_compute_av_user(u32 ssid,
967                              u32 tsid,
968                              u16 tclass,
969                              u32 requested,
970                              struct av_decision *avd)
971 {
972         int rc;
973
974         if (!ss_initialized) {
975                 avd->allowed = 0xffffffff;
976                 avd->auditallow = 0;
977                 avd->auditdeny = 0xffffffff;
978                 avd->seqno = latest_granting;
979                 return 0;
980         }
981
982         read_lock(&policy_rwlock);
983         rc = security_compute_av_core(ssid, tsid, tclass, requested, avd);
984         read_unlock(&policy_rwlock);
985         return rc;
986 }
987
988 /*
989  * Write the security context string representation of
990  * the context structure `context' into a dynamically
991  * allocated string of the correct size.  Set `*scontext'
992  * to point to this string and set `*scontext_len' to
993  * the length of the string.
994  */
995 static int context_struct_to_string(struct context *context, char **scontext, u32 *scontext_len)
996 {
997         char *scontextp;
998
999         *scontext = NULL;
1000         *scontext_len = 0;
1001
1002         if (context->len) {
1003                 *scontext_len = context->len;
1004                 *scontext = kstrdup(context->str, GFP_ATOMIC);
1005                 if (!(*scontext))
1006                         return -ENOMEM;
1007                 return 0;
1008         }
1009
1010         /* Compute the size of the context. */
1011         *scontext_len += strlen(policydb.p_user_val_to_name[context->user - 1]) + 1;
1012         *scontext_len += strlen(policydb.p_role_val_to_name[context->role - 1]) + 1;
1013         *scontext_len += strlen(policydb.p_type_val_to_name[context->type - 1]) + 1;
1014         *scontext_len += mls_compute_context_len(context);
1015
1016         /* Allocate space for the context; caller must free this space. */
1017         scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
1018         if (!scontextp)
1019                 return -ENOMEM;
1020         *scontext = scontextp;
1021
1022         /*
1023          * Copy the user name, role name and type name into the context.
1024          */
1025         sprintf(scontextp, "%s:%s:%s",
1026                 policydb.p_user_val_to_name[context->user - 1],
1027                 policydb.p_role_val_to_name[context->role - 1],
1028                 policydb.p_type_val_to_name[context->type - 1]);
1029         scontextp += strlen(policydb.p_user_val_to_name[context->user - 1]) +
1030                      1 + strlen(policydb.p_role_val_to_name[context->role - 1]) +
1031                      1 + strlen(policydb.p_type_val_to_name[context->type - 1]);
1032
1033         mls_sid_to_context(context, &scontextp);
1034
1035         *scontextp = 0;
1036
1037         return 0;
1038 }
1039
1040 #include "initial_sid_to_string.h"
1041
1042 const char *security_get_initial_sid_context(u32 sid)
1043 {
1044         if (unlikely(sid > SECINITSID_NUM))
1045                 return NULL;
1046         return initial_sid_to_string[sid];
1047 }
1048
1049 static int security_sid_to_context_core(u32 sid, char **scontext,
1050                                         u32 *scontext_len, int force)
1051 {
1052         struct context *context;
1053         int rc = 0;
1054
1055         *scontext = NULL;
1056         *scontext_len  = 0;
1057
1058         if (!ss_initialized) {
1059                 if (sid <= SECINITSID_NUM) {
1060                         char *scontextp;
1061
1062                         *scontext_len = strlen(initial_sid_to_string[sid]) + 1;
1063                         scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
1064                         if (!scontextp) {
1065                                 rc = -ENOMEM;
1066                                 goto out;
1067                         }
1068                         strcpy(scontextp, initial_sid_to_string[sid]);
1069                         *scontext = scontextp;
1070                         goto out;
1071                 }
1072                 printk(KERN_ERR "SELinux: %s:  called before initial "
1073                        "load_policy on unknown SID %d\n", __func__, sid);
1074                 rc = -EINVAL;
1075                 goto out;
1076         }
1077         read_lock(&policy_rwlock);
1078         if (force)
1079                 context = sidtab_search_force(&sidtab, sid);
1080         else
1081                 context = sidtab_search(&sidtab, sid);
1082         if (!context) {
1083                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1084                         __func__, sid);
1085                 rc = -EINVAL;
1086                 goto out_unlock;
1087         }
1088         rc = context_struct_to_string(context, scontext, scontext_len);
1089 out_unlock:
1090         read_unlock(&policy_rwlock);
1091 out:
1092         return rc;
1093
1094 }
1095
1096 /**
1097  * security_sid_to_context - Obtain a context for a given SID.
1098  * @sid: security identifier, SID
1099  * @scontext: security context
1100  * @scontext_len: length in bytes
1101  *
1102  * Write the string representation of the context associated with @sid
1103  * into a dynamically allocated string of the correct size.  Set @scontext
1104  * to point to this string and set @scontext_len to the length of the string.
1105  */
1106 int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
1107 {
1108         return security_sid_to_context_core(sid, scontext, scontext_len, 0);
1109 }
1110
1111 int security_sid_to_context_force(u32 sid, char **scontext, u32 *scontext_len)
1112 {
1113         return security_sid_to_context_core(sid, scontext, scontext_len, 1);
1114 }
1115
1116 /*
1117  * Caveat:  Mutates scontext.
1118  */
1119 static int string_to_context_struct(struct policydb *pol,
1120                                     struct sidtab *sidtabp,
1121                                     char *scontext,
1122                                     u32 scontext_len,
1123                                     struct context *ctx,
1124                                     u32 def_sid)
1125 {
1126         struct role_datum *role;
1127         struct type_datum *typdatum;
1128         struct user_datum *usrdatum;
1129         char *scontextp, *p, oldc;
1130         int rc = 0;
1131
1132         context_init(ctx);
1133
1134         /* Parse the security context. */
1135
1136         rc = -EINVAL;
1137         scontextp = (char *) scontext;
1138
1139         /* Extract the user. */
1140         p = scontextp;
1141         while (*p && *p != ':')
1142                 p++;
1143
1144         if (*p == 0)
1145                 goto out;
1146
1147         *p++ = 0;
1148
1149         usrdatum = hashtab_search(pol->p_users.table, scontextp);
1150         if (!usrdatum)
1151                 goto out;
1152
1153         ctx->user = usrdatum->value;
1154
1155         /* Extract role. */
1156         scontextp = p;
1157         while (*p && *p != ':')
1158                 p++;
1159
1160         if (*p == 0)
1161                 goto out;
1162
1163         *p++ = 0;
1164
1165         role = hashtab_search(pol->p_roles.table, scontextp);
1166         if (!role)
1167                 goto out;
1168         ctx->role = role->value;
1169
1170         /* Extract type. */
1171         scontextp = p;
1172         while (*p && *p != ':')
1173                 p++;
1174         oldc = *p;
1175         *p++ = 0;
1176
1177         typdatum = hashtab_search(pol->p_types.table, scontextp);
1178         if (!typdatum || typdatum->attribute)
1179                 goto out;
1180
1181         ctx->type = typdatum->value;
1182
1183         rc = mls_context_to_sid(pol, oldc, &p, ctx, sidtabp, def_sid);
1184         if (rc)
1185                 goto out;
1186
1187         if ((p - scontext) < scontext_len) {
1188                 rc = -EINVAL;
1189                 goto out;
1190         }
1191
1192         /* Check the validity of the new context. */
1193         if (!policydb_context_isvalid(pol, ctx)) {
1194                 rc = -EINVAL;
1195                 goto out;
1196         }
1197         rc = 0;
1198 out:
1199         if (rc)
1200                 context_destroy(ctx);
1201         return rc;
1202 }
1203
1204 static int security_context_to_sid_core(const char *scontext, u32 scontext_len,
1205                                         u32 *sid, u32 def_sid, gfp_t gfp_flags,
1206                                         int force)
1207 {
1208         char *scontext2, *str = NULL;
1209         struct context context;
1210         int rc = 0;
1211
1212         if (!ss_initialized) {
1213                 int i;
1214
1215                 for (i = 1; i < SECINITSID_NUM; i++) {
1216                         if (!strcmp(initial_sid_to_string[i], scontext)) {
1217                                 *sid = i;
1218                                 return 0;
1219                         }
1220                 }
1221                 *sid = SECINITSID_KERNEL;
1222                 return 0;
1223         }
1224         *sid = SECSID_NULL;
1225
1226         /* Copy the string so that we can modify the copy as we parse it. */
1227         scontext2 = kmalloc(scontext_len+1, gfp_flags);
1228         if (!scontext2)
1229                 return -ENOMEM;
1230         memcpy(scontext2, scontext, scontext_len);
1231         scontext2[scontext_len] = 0;
1232
1233         if (force) {
1234                 /* Save another copy for storing in uninterpreted form */
1235                 str = kstrdup(scontext2, gfp_flags);
1236                 if (!str) {
1237                         kfree(scontext2);
1238                         return -ENOMEM;
1239                 }
1240         }
1241
1242         read_lock(&policy_rwlock);
1243         rc = string_to_context_struct(&policydb, &sidtab,
1244                                       scontext2, scontext_len,
1245                                       &context, def_sid);
1246         if (rc == -EINVAL && force) {
1247                 context.str = str;
1248                 context.len = scontext_len;
1249                 str = NULL;
1250         } else if (rc)
1251                 goto out;
1252         rc = sidtab_context_to_sid(&sidtab, &context, sid);
1253         context_destroy(&context);
1254 out:
1255         read_unlock(&policy_rwlock);
1256         kfree(scontext2);
1257         kfree(str);
1258         return rc;
1259 }
1260
1261 /**
1262  * security_context_to_sid - Obtain a SID for a given security context.
1263  * @scontext: security context
1264  * @scontext_len: length in bytes
1265  * @sid: security identifier, SID
1266  *
1267  * Obtains a SID associated with the security context that
1268  * has the string representation specified by @scontext.
1269  * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
1270  * memory is available, or 0 on success.
1271  */
1272 int security_context_to_sid(const char *scontext, u32 scontext_len, u32 *sid)
1273 {
1274         return security_context_to_sid_core(scontext, scontext_len,
1275                                             sid, SECSID_NULL, GFP_KERNEL, 0);
1276 }
1277
1278 /**
1279  * security_context_to_sid_default - Obtain a SID for a given security context,
1280  * falling back to specified default if needed.
1281  *
1282  * @scontext: security context
1283  * @scontext_len: length in bytes
1284  * @sid: security identifier, SID
1285  * @def_sid: default SID to assign on error
1286  *
1287  * Obtains a SID associated with the security context that
1288  * has the string representation specified by @scontext.
1289  * The default SID is passed to the MLS layer to be used to allow
1290  * kernel labeling of the MLS field if the MLS field is not present
1291  * (for upgrading to MLS without full relabel).
1292  * Implicitly forces adding of the context even if it cannot be mapped yet.
1293  * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
1294  * memory is available, or 0 on success.
1295  */
1296 int security_context_to_sid_default(const char *scontext, u32 scontext_len,
1297                                     u32 *sid, u32 def_sid, gfp_t gfp_flags)
1298 {
1299         return security_context_to_sid_core(scontext, scontext_len,
1300                                             sid, def_sid, gfp_flags, 1);
1301 }
1302
1303 int security_context_to_sid_force(const char *scontext, u32 scontext_len,
1304                                   u32 *sid)
1305 {
1306         return security_context_to_sid_core(scontext, scontext_len,
1307                                             sid, SECSID_NULL, GFP_KERNEL, 1);
1308 }
1309
1310 static int compute_sid_handle_invalid_context(
1311         struct context *scontext,
1312         struct context *tcontext,
1313         u16 tclass,
1314         struct context *newcontext)
1315 {
1316         char *s = NULL, *t = NULL, *n = NULL;
1317         u32 slen, tlen, nlen;
1318
1319         if (context_struct_to_string(scontext, &s, &slen) < 0)
1320                 goto out;
1321         if (context_struct_to_string(tcontext, &t, &tlen) < 0)
1322                 goto out;
1323         if (context_struct_to_string(newcontext, &n, &nlen) < 0)
1324                 goto out;
1325         audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
1326                   "security_compute_sid:  invalid context %s"
1327                   " for scontext=%s"
1328                   " tcontext=%s"
1329                   " tclass=%s",
1330                   n, s, t, policydb.p_class_val_to_name[tclass-1]);
1331 out:
1332         kfree(s);
1333         kfree(t);
1334         kfree(n);
1335         if (!selinux_enforcing)
1336                 return 0;
1337         return -EACCES;
1338 }
1339
1340 static int security_compute_sid(u32 ssid,
1341                                 u32 tsid,
1342                                 u16 orig_tclass,
1343                                 u32 specified,
1344                                 u32 *out_sid,
1345                                 bool kern)
1346 {
1347         struct context *scontext = NULL, *tcontext = NULL, newcontext;
1348         struct role_trans *roletr = NULL;
1349         struct avtab_key avkey;
1350         struct avtab_datum *avdatum;
1351         struct avtab_node *node;
1352         u16 tclass;
1353         int rc = 0;
1354
1355         if (!ss_initialized) {
1356                 switch (orig_tclass) {
1357                 case SECCLASS_PROCESS: /* kernel value */
1358                         *out_sid = ssid;
1359                         break;
1360                 default:
1361                         *out_sid = tsid;
1362                         break;
1363                 }
1364                 goto out;
1365         }
1366
1367         context_init(&newcontext);
1368
1369         read_lock(&policy_rwlock);
1370
1371         if (kern)
1372                 tclass = unmap_class(orig_tclass);
1373         else
1374                 tclass = orig_tclass;
1375
1376         scontext = sidtab_search(&sidtab, ssid);
1377         if (!scontext) {
1378                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1379                        __func__, ssid);
1380                 rc = -EINVAL;
1381                 goto out_unlock;
1382         }
1383         tcontext = sidtab_search(&sidtab, tsid);
1384         if (!tcontext) {
1385                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1386                        __func__, tsid);
1387                 rc = -EINVAL;
1388                 goto out_unlock;
1389         }
1390
1391         /* Set the user identity. */
1392         switch (specified) {
1393         case AVTAB_TRANSITION:
1394         case AVTAB_CHANGE:
1395                 /* Use the process user identity. */
1396                 newcontext.user = scontext->user;
1397                 break;
1398         case AVTAB_MEMBER:
1399                 /* Use the related object owner. */
1400                 newcontext.user = tcontext->user;
1401                 break;
1402         }
1403
1404         /* Set the role and type to default values. */
1405         if (tclass == policydb.process_class) {
1406                 /* Use the current role and type of process. */
1407                 newcontext.role = scontext->role;
1408                 newcontext.type = scontext->type;
1409         } else {
1410                 /* Use the well-defined object role. */
1411                 newcontext.role = OBJECT_R_VAL;
1412                 /* Use the type of the related object. */
1413                 newcontext.type = tcontext->type;
1414         }
1415
1416         /* Look for a type transition/member/change rule. */
1417         avkey.source_type = scontext->type;
1418         avkey.target_type = tcontext->type;
1419         avkey.target_class = tclass;
1420         avkey.specified = specified;
1421         avdatum = avtab_search(&policydb.te_avtab, &avkey);
1422
1423         /* If no permanent rule, also check for enabled conditional rules */
1424         if (!avdatum) {
1425                 node = avtab_search_node(&policydb.te_cond_avtab, &avkey);
1426                 for (; node; node = avtab_search_node_next(node, specified)) {
1427                         if (node->key.specified & AVTAB_ENABLED) {
1428                                 avdatum = &node->datum;
1429                                 break;
1430                         }
1431                 }
1432         }
1433
1434         if (avdatum) {
1435                 /* Use the type from the type transition/member/change rule. */
1436                 newcontext.type = avdatum->data;
1437         }
1438
1439         /* Check for class-specific changes. */
1440         if  (tclass == policydb.process_class) {
1441                 if (specified & AVTAB_TRANSITION) {
1442                         /* Look for a role transition rule. */
1443                         for (roletr = policydb.role_tr; roletr;
1444                              roletr = roletr->next) {
1445                                 if (roletr->role == scontext->role &&
1446                                     roletr->type == tcontext->type) {
1447                                         /* Use the role transition rule. */
1448                                         newcontext.role = roletr->new_role;
1449                                         break;
1450                                 }
1451                         }
1452                 }
1453         }
1454
1455         /* Set the MLS attributes.
1456            This is done last because it may allocate memory. */
1457         rc = mls_compute_sid(scontext, tcontext, tclass, specified, &newcontext);
1458         if (rc)
1459                 goto out_unlock;
1460
1461         /* Check the validity of the context. */
1462         if (!policydb_context_isvalid(&policydb, &newcontext)) {
1463                 rc = compute_sid_handle_invalid_context(scontext,
1464                                                         tcontext,
1465                                                         tclass,
1466                                                         &newcontext);
1467                 if (rc)
1468                         goto out_unlock;
1469         }
1470         /* Obtain the sid for the context. */
1471         rc = sidtab_context_to_sid(&sidtab, &newcontext, out_sid);
1472 out_unlock:
1473         read_unlock(&policy_rwlock);
1474         context_destroy(&newcontext);
1475 out:
1476         return rc;
1477 }
1478
1479 /**
1480  * security_transition_sid - Compute the SID for a new subject/object.
1481  * @ssid: source security identifier
1482  * @tsid: target security identifier
1483  * @tclass: target security class
1484  * @out_sid: security identifier for new subject/object
1485  *
1486  * Compute a SID to use for labeling a new subject or object in the
1487  * class @tclass based on a SID pair (@ssid, @tsid).
1488  * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
1489  * if insufficient memory is available, or %0 if the new SID was
1490  * computed successfully.
1491  */
1492 int security_transition_sid(u32 ssid,
1493                             u32 tsid,
1494                             u16 tclass,
1495                             u32 *out_sid)
1496 {
1497         return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
1498                                     out_sid, true);
1499 }
1500
1501 int security_transition_sid_user(u32 ssid,
1502                                  u32 tsid,
1503                                  u16 tclass,
1504                                  u32 *out_sid)
1505 {
1506         return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
1507                                     out_sid, false);
1508 }
1509
1510 /**
1511  * security_member_sid - Compute the SID for member selection.
1512  * @ssid: source security identifier
1513  * @tsid: target security identifier
1514  * @tclass: target security class
1515  * @out_sid: security identifier for selected member
1516  *
1517  * Compute a SID to use when selecting a member of a polyinstantiated
1518  * object of class @tclass based on a SID pair (@ssid, @tsid).
1519  * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
1520  * if insufficient memory is available, or %0 if the SID was
1521  * computed successfully.
1522  */
1523 int security_member_sid(u32 ssid,
1524                         u32 tsid,
1525                         u16 tclass,
1526                         u32 *out_sid)
1527 {
1528         return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid,
1529                                     false);
1530 }
1531
1532 /**
1533  * security_change_sid - Compute the SID for object relabeling.
1534  * @ssid: source security identifier
1535  * @tsid: target security identifier
1536  * @tclass: target security class
1537  * @out_sid: security identifier for selected member
1538  *
1539  * Compute a SID to use for relabeling an object of class @tclass
1540  * based on a SID pair (@ssid, @tsid).
1541  * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
1542  * if insufficient memory is available, or %0 if the SID was
1543  * computed successfully.
1544  */
1545 int security_change_sid(u32 ssid,
1546                         u32 tsid,
1547                         u16 tclass,
1548                         u32 *out_sid)
1549 {
1550         return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid,
1551                                     false);
1552 }
1553
1554 /* Clone the SID into the new SID table. */
1555 static int clone_sid(u32 sid,
1556                      struct context *context,
1557                      void *arg)
1558 {
1559         struct sidtab *s = arg;
1560
1561         return sidtab_insert(s, sid, context);
1562 }
1563
1564 static inline int convert_context_handle_invalid_context(struct context *context)
1565 {
1566         int rc = 0;
1567
1568         if (selinux_enforcing) {
1569                 rc = -EINVAL;
1570         } else {
1571                 char *s;
1572                 u32 len;
1573
1574                 if (!context_struct_to_string(context, &s, &len)) {
1575                         printk(KERN_WARNING
1576                        "SELinux:  Context %s would be invalid if enforcing\n",
1577                                s);
1578                         kfree(s);
1579                 }
1580         }
1581         return rc;
1582 }
1583
1584 struct convert_context_args {
1585         struct policydb *oldp;
1586         struct policydb *newp;
1587 };
1588
1589 /*
1590  * Convert the values in the security context
1591  * structure `c' from the values specified
1592  * in the policy `p->oldp' to the values specified
1593  * in the policy `p->newp'.  Verify that the
1594  * context is valid under the new policy.
1595  */
1596 static int convert_context(u32 key,
1597                            struct context *c,
1598                            void *p)
1599 {
1600         struct convert_context_args *args;
1601         struct context oldc;
1602         struct role_datum *role;
1603         struct type_datum *typdatum;
1604         struct user_datum *usrdatum;
1605         char *s;
1606         u32 len;
1607         int rc;
1608
1609         args = p;
1610
1611         if (c->str) {
1612                 struct context ctx;
1613                 s = kstrdup(c->str, GFP_KERNEL);
1614                 if (!s) {
1615                         rc = -ENOMEM;
1616                         goto out;
1617                 }
1618                 rc = string_to_context_struct(args->newp, NULL, s,
1619                                               c->len, &ctx, SECSID_NULL);
1620                 kfree(s);
1621                 if (!rc) {
1622                         printk(KERN_INFO
1623                        "SELinux:  Context %s became valid (mapped).\n",
1624                                c->str);
1625                         /* Replace string with mapped representation. */
1626                         kfree(c->str);
1627                         memcpy(c, &ctx, sizeof(*c));
1628                         goto out;
1629                 } else if (rc == -EINVAL) {
1630                         /* Retain string representation for later mapping. */
1631                         rc = 0;
1632                         goto out;
1633                 } else {
1634                         /* Other error condition, e.g. ENOMEM. */
1635                         printk(KERN_ERR
1636                        "SELinux:   Unable to map context %s, rc = %d.\n",
1637                                c->str, -rc);
1638                         goto out;
1639                 }
1640         }
1641
1642         rc = context_cpy(&oldc, c);
1643         if (rc)
1644                 goto out;
1645
1646         rc = -EINVAL;
1647
1648         /* Convert the user. */
1649         usrdatum = hashtab_search(args->newp->p_users.table,
1650                                   args->oldp->p_user_val_to_name[c->user - 1]);
1651         if (!usrdatum)
1652                 goto bad;
1653         c->user = usrdatum->value;
1654
1655         /* Convert the role. */
1656         role = hashtab_search(args->newp->p_roles.table,
1657                               args->oldp->p_role_val_to_name[c->role - 1]);
1658         if (!role)
1659                 goto bad;
1660         c->role = role->value;
1661
1662         /* Convert the type. */
1663         typdatum = hashtab_search(args->newp->p_types.table,
1664                                   args->oldp->p_type_val_to_name[c->type - 1]);
1665         if (!typdatum)
1666                 goto bad;
1667         c->type = typdatum->value;
1668
1669         rc = mls_convert_context(args->oldp, args->newp, c);
1670         if (rc)
1671                 goto bad;
1672
1673         /* Check the validity of the new context. */
1674         if (!policydb_context_isvalid(args->newp, c)) {
1675                 rc = convert_context_handle_invalid_context(&oldc);
1676                 if (rc)
1677                         goto bad;
1678         }
1679
1680         context_destroy(&oldc);
1681         rc = 0;
1682 out:
1683         return rc;
1684 bad:
1685         /* Map old representation to string and save it. */
1686         if (context_struct_to_string(&oldc, &s, &len))
1687                 return -ENOMEM;
1688         context_destroy(&oldc);
1689         context_destroy(c);
1690         c->str = s;
1691         c->len = len;
1692         printk(KERN_INFO
1693                "SELinux:  Context %s became invalid (unmapped).\n",
1694                c->str);
1695         rc = 0;
1696         goto out;
1697 }
1698
1699 static void security_load_policycaps(void)
1700 {
1701         selinux_policycap_netpeer = ebitmap_get_bit(&policydb.policycaps,
1702                                                   POLICYDB_CAPABILITY_NETPEER);
1703         selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps,
1704                                                   POLICYDB_CAPABILITY_OPENPERM);
1705 }
1706
1707 extern void selinux_complete_init(void);
1708 static int security_preserve_bools(struct policydb *p);
1709
1710 /**
1711  * security_load_policy - Load a security policy configuration.
1712  * @data: binary policy data
1713  * @len: length of data in bytes
1714  *
1715  * Load a new set of security policy configuration data,
1716  * validate it and convert the SID table as necessary.
1717  * This function will flush the access vector cache after
1718  * loading the new policy.
1719  */
1720 int security_load_policy(void *data, size_t len)
1721 {
1722         struct policydb oldpolicydb, newpolicydb;
1723         struct sidtab oldsidtab, newsidtab;
1724         struct selinux_mapping *oldmap, *map = NULL;
1725         struct convert_context_args args;
1726         u32 seqno;
1727         u16 map_size;
1728         int rc = 0;
1729         struct policy_file file = { data, len }, *fp = &file;
1730
1731         if (!ss_initialized) {
1732                 avtab_cache_init();
1733                 if (policydb_read(&policydb, fp)) {
1734                         avtab_cache_destroy();
1735                         return -EINVAL;
1736                 }
1737                 if (selinux_set_mapping(&policydb, secclass_map,
1738                                         &current_mapping,
1739                                         &current_mapping_size)) {
1740                         policydb_destroy(&policydb);
1741                         avtab_cache_destroy();
1742                         return -EINVAL;
1743                 }
1744                 if (policydb_load_isids(&policydb, &sidtab)) {
1745                         policydb_destroy(&policydb);
1746                         avtab_cache_destroy();
1747                         return -EINVAL;
1748                 }
1749                 security_load_policycaps();
1750                 ss_initialized = 1;
1751                 seqno = ++latest_granting;
1752                 selinux_complete_init();
1753                 avc_ss_reset(seqno);
1754                 selnl_notify_policyload(seqno);
1755                 selinux_netlbl_cache_invalidate();
1756                 selinux_xfrm_notify_policyload();
1757                 return 0;
1758         }
1759
1760 #if 0
1761         sidtab_hash_eval(&sidtab, "sids");
1762 #endif
1763
1764         if (policydb_read(&newpolicydb, fp))
1765                 return -EINVAL;
1766
1767         if (sidtab_init(&newsidtab)) {
1768                 policydb_destroy(&newpolicydb);
1769                 return -ENOMEM;
1770         }
1771
1772         if (selinux_set_mapping(&newpolicydb, secclass_map,
1773                                 &map, &map_size))
1774                 goto err;
1775
1776         rc = security_preserve_bools(&newpolicydb);
1777         if (rc) {
1778                 printk(KERN_ERR "SELinux:  unable to preserve booleans\n");
1779                 goto err;
1780         }
1781
1782         /* Clone the SID table. */
1783         sidtab_shutdown(&sidtab);
1784         if (sidtab_map(&sidtab, clone_sid, &newsidtab)) {
1785                 rc = -ENOMEM;
1786                 goto err;
1787         }
1788
1789         /*
1790          * Convert the internal representations of contexts
1791          * in the new SID table.
1792          */
1793         args.oldp = &policydb;
1794         args.newp = &newpolicydb;
1795         rc = sidtab_map(&newsidtab, convert_context, &args);
1796         if (rc)
1797                 goto err;
1798
1799         /* Save the old policydb and SID table to free later. */
1800         memcpy(&oldpolicydb, &policydb, sizeof policydb);
1801         sidtab_set(&oldsidtab, &sidtab);
1802
1803         /* Install the new policydb and SID table. */
1804         write_lock_irq(&policy_rwlock);
1805         memcpy(&policydb, &newpolicydb, sizeof policydb);
1806         sidtab_set(&sidtab, &newsidtab);
1807         security_load_policycaps();
1808         oldmap = current_mapping;
1809         current_mapping = map;
1810         current_mapping_size = map_size;
1811         seqno = ++latest_granting;
1812         write_unlock_irq(&policy_rwlock);
1813
1814         /* Free the old policydb and SID table. */
1815         policydb_destroy(&oldpolicydb);
1816         sidtab_destroy(&oldsidtab);
1817         kfree(oldmap);
1818
1819         avc_ss_reset(seqno);
1820         selnl_notify_policyload(seqno);
1821         selinux_netlbl_cache_invalidate();
1822         selinux_xfrm_notify_policyload();
1823
1824         return 0;
1825
1826 err:
1827         kfree(map);
1828         sidtab_destroy(&newsidtab);
1829         policydb_destroy(&newpolicydb);
1830         return rc;
1831
1832 }
1833
1834 /**
1835  * security_port_sid - Obtain the SID for a port.
1836  * @protocol: protocol number
1837  * @port: port number
1838  * @out_sid: security identifier
1839  */
1840 int security_port_sid(u8 protocol, u16 port, u32 *out_sid)
1841 {
1842         struct ocontext *c;
1843         int rc = 0;
1844
1845         read_lock(&policy_rwlock);
1846
1847         c = policydb.ocontexts[OCON_PORT];
1848         while (c) {
1849                 if (c->u.port.protocol == protocol &&
1850                     c->u.port.low_port <= port &&
1851                     c->u.port.high_port >= port)
1852                         break;
1853                 c = c->next;
1854         }
1855
1856         if (c) {
1857                 if (!c->sid[0]) {
1858                         rc = sidtab_context_to_sid(&sidtab,
1859                                                    &c->context[0],
1860                                                    &c->sid[0]);
1861                         if (rc)
1862                                 goto out;
1863                 }
1864                 *out_sid = c->sid[0];
1865         } else {
1866                 *out_sid = SECINITSID_PORT;
1867         }
1868
1869 out:
1870         read_unlock(&policy_rwlock);
1871         return rc;
1872 }
1873
1874 /**
1875  * security_netif_sid - Obtain the SID for a network interface.
1876  * @name: interface name
1877  * @if_sid: interface SID
1878  */
1879 int security_netif_sid(char *name, u32 *if_sid)
1880 {
1881         int rc = 0;
1882         struct ocontext *c;
1883
1884         read_lock(&policy_rwlock);
1885
1886         c = policydb.ocontexts[OCON_NETIF];
1887         while (c) {
1888                 if (strcmp(name, c->u.name) == 0)
1889                         break;
1890                 c = c->next;
1891         }
1892
1893         if (c) {
1894                 if (!c->sid[0] || !c->sid[1]) {
1895                         rc = sidtab_context_to_sid(&sidtab,
1896                                                   &c->context[0],
1897                                                   &c->sid[0]);
1898                         if (rc)
1899                                 goto out;
1900                         rc = sidtab_context_to_sid(&sidtab,
1901                                                    &c->context[1],
1902                                                    &c->sid[1]);
1903                         if (rc)
1904                                 goto out;
1905                 }
1906                 *if_sid = c->sid[0];
1907         } else
1908                 *if_sid = SECINITSID_NETIF;
1909
1910 out:
1911         read_unlock(&policy_rwlock);
1912         return rc;
1913 }
1914
1915 static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask)
1916 {
1917         int i, fail = 0;
1918
1919         for (i = 0; i < 4; i++)
1920                 if (addr[i] != (input[i] & mask[i])) {
1921                         fail = 1;
1922                         break;
1923                 }
1924
1925         return !fail;
1926 }
1927
1928 /**
1929  * security_node_sid - Obtain the SID for a node (host).
1930  * @domain: communication domain aka address family
1931  * @addrp: address
1932  * @addrlen: address length in bytes
1933  * @out_sid: security identifier
1934  */
1935 int security_node_sid(u16 domain,
1936                       void *addrp,
1937                       u32 addrlen,
1938                       u32 *out_sid)
1939 {
1940         int rc = 0;
1941         struct ocontext *c;
1942
1943         read_lock(&policy_rwlock);
1944
1945         switch (domain) {
1946         case AF_INET: {
1947                 u32 addr;
1948
1949                 if (addrlen != sizeof(u32)) {
1950                         rc = -EINVAL;
1951                         goto out;
1952                 }
1953
1954                 addr = *((u32 *)addrp);
1955
1956                 c = policydb.ocontexts[OCON_NODE];
1957                 while (c) {
1958                         if (c->u.node.addr == (addr & c->u.node.mask))
1959                                 break;
1960                         c = c->next;
1961                 }
1962                 break;
1963         }
1964
1965         case AF_INET6:
1966                 if (addrlen != sizeof(u64) * 2) {
1967                         rc = -EINVAL;
1968                         goto out;
1969                 }
1970                 c = policydb.ocontexts[OCON_NODE6];
1971                 while (c) {
1972                         if (match_ipv6_addrmask(addrp, c->u.node6.addr,
1973                                                 c->u.node6.mask))
1974                                 break;
1975                         c = c->next;
1976                 }
1977                 break;
1978
1979         default:
1980                 *out_sid = SECINITSID_NODE;
1981                 goto out;
1982         }
1983
1984         if (c) {
1985                 if (!c->sid[0]) {
1986                         rc = sidtab_context_to_sid(&sidtab,
1987                                                    &c->context[0],
1988                                                    &c->sid[0]);
1989                         if (rc)
1990                                 goto out;
1991                 }
1992                 *out_sid = c->sid[0];
1993         } else {
1994                 *out_sid = SECINITSID_NODE;
1995         }
1996
1997 out:
1998         read_unlock(&policy_rwlock);
1999         return rc;
2000 }
2001
2002 #define SIDS_NEL 25
2003
2004 /**
2005  * security_get_user_sids - Obtain reachable SIDs for a user.
2006  * @fromsid: starting SID
2007  * @username: username
2008  * @sids: array of reachable SIDs for user
2009  * @nel: number of elements in @sids
2010  *
2011  * Generate the set of SIDs for legal security contexts
2012  * for a given user that can be reached by @fromsid.
2013  * Set *@sids to point to a dynamically allocated
2014  * array containing the set of SIDs.  Set *@nel to the
2015  * number of elements in the array.
2016  */
2017
2018 int security_get_user_sids(u32 fromsid,
2019                            char *username,
2020                            u32 **sids,
2021                            u32 *nel)
2022 {
2023         struct context *fromcon, usercon;
2024         u32 *mysids = NULL, *mysids2, sid;
2025         u32 mynel = 0, maxnel = SIDS_NEL;
2026         struct user_datum *user;
2027         struct role_datum *role;
2028         struct ebitmap_node *rnode, *tnode;
2029         int rc = 0, i, j;
2030
2031         *sids = NULL;
2032         *nel = 0;
2033
2034         if (!ss_initialized)
2035                 goto out;
2036
2037         read_lock(&policy_rwlock);
2038
2039         context_init(&usercon);
2040
2041         fromcon = sidtab_search(&sidtab, fromsid);
2042         if (!fromcon) {
2043                 rc = -EINVAL;
2044                 goto out_unlock;
2045         }
2046
2047         user = hashtab_search(policydb.p_users.table, username);
2048         if (!user) {
2049                 rc = -EINVAL;
2050                 goto out_unlock;
2051         }
2052         usercon.user = user->value;
2053
2054         mysids = kcalloc(maxnel, sizeof(*mysids), GFP_ATOMIC);
2055         if (!mysids) {
2056                 rc = -ENOMEM;
2057                 goto out_unlock;
2058         }
2059
2060         ebitmap_for_each_positive_bit(&user->roles, rnode, i) {
2061                 role = policydb.role_val_to_struct[i];
2062                 usercon.role = i+1;
2063                 ebitmap_for_each_positive_bit(&role->types, tnode, j) {
2064                         usercon.type = j+1;
2065
2066                         if (mls_setup_user_range(fromcon, user, &usercon))
2067                                 continue;
2068
2069                         rc = sidtab_context_to_sid(&sidtab, &usercon, &sid);
2070                         if (rc)
2071                                 goto out_unlock;
2072                         if (mynel < maxnel) {
2073                                 mysids[mynel++] = sid;
2074                         } else {
2075                                 maxnel += SIDS_NEL;
2076                                 mysids2 = kcalloc(maxnel, sizeof(*mysids2), GFP_ATOMIC);
2077                                 if (!mysids2) {
2078                                         rc = -ENOMEM;
2079                                         goto out_unlock;
2080                                 }
2081                                 memcpy(mysids2, mysids, mynel * sizeof(*mysids2));
2082                                 kfree(mysids);
2083                                 mysids = mysids2;
2084                                 mysids[mynel++] = sid;
2085                         }
2086                 }
2087         }
2088
2089 out_unlock:
2090         read_unlock(&policy_rwlock);
2091         if (rc || !mynel) {
2092                 kfree(mysids);
2093                 goto out;
2094         }
2095
2096         mysids2 = kcalloc(mynel, sizeof(*mysids2), GFP_KERNEL);
2097         if (!mysids2) {
2098                 rc = -ENOMEM;
2099                 kfree(mysids);
2100                 goto out;
2101         }
2102         for (i = 0, j = 0; i < mynel; i++) {
2103                 rc = avc_has_perm_noaudit(fromsid, mysids[i],
2104                                           SECCLASS_PROCESS, /* kernel value */
2105                                           PROCESS__TRANSITION, AVC_STRICT,
2106                                           NULL);
2107                 if (!rc)
2108                         mysids2[j++] = mysids[i];
2109                 cond_resched();
2110         }
2111         rc = 0;
2112         kfree(mysids);
2113         *sids = mysids2;
2114         *nel = j;
2115 out:
2116         return rc;
2117 }
2118
2119 /**
2120  * security_genfs_sid - Obtain a SID for a file in a filesystem
2121  * @fstype: filesystem type
2122  * @path: path from root of mount
2123  * @sclass: file security class
2124  * @sid: SID for path
2125  *
2126  * Obtain a SID to use for a file in a filesystem that
2127  * cannot support xattr or use a fixed labeling behavior like
2128  * transition SIDs or task SIDs.
2129  */
2130 int security_genfs_sid(const char *fstype,
2131                        char *path,
2132                        u16 orig_sclass,
2133                        u32 *sid)
2134 {
2135         int len;
2136         u16 sclass;
2137         struct genfs *genfs;
2138         struct ocontext *c;
2139         int rc = 0, cmp = 0;
2140
2141         while (path[0] == '/' && path[1] == '/')
2142                 path++;
2143
2144         read_lock(&policy_rwlock);
2145
2146         sclass = unmap_class(orig_sclass);
2147
2148         for (genfs = policydb.genfs; genfs; genfs = genfs->next) {
2149                 cmp = strcmp(fstype, genfs->fstype);
2150                 if (cmp <= 0)
2151                         break;
2152         }
2153
2154         if (!genfs || cmp) {
2155                 *sid = SECINITSID_UNLABELED;
2156                 rc = -ENOENT;
2157                 goto out;
2158         }
2159
2160         for (c = genfs->head; c; c = c->next) {
2161                 len = strlen(c->u.name);
2162                 if ((!c->v.sclass || sclass == c->v.sclass) &&
2163                     (strncmp(c->u.name, path, len) == 0))
2164                         break;
2165         }
2166
2167         if (!c) {
2168                 *sid = SECINITSID_UNLABELED;
2169                 rc = -ENOENT;
2170                 goto out;
2171         }
2172
2173         if (!c->sid[0]) {
2174                 rc = sidtab_context_to_sid(&sidtab,
2175                                            &c->context[0],
2176                                            &c->sid[0]);
2177                 if (rc)
2178                         goto out;
2179         }
2180
2181         *sid = c->sid[0];
2182 out:
2183         read_unlock(&policy_rwlock);
2184         return rc;
2185 }
2186
2187 /**
2188  * security_fs_use - Determine how to handle labeling for a filesystem.
2189  * @fstype: filesystem type
2190  * @behavior: labeling behavior
2191  * @sid: SID for filesystem (superblock)
2192  */
2193 int security_fs_use(
2194         const char *fstype,
2195         unsigned int *behavior,
2196         u32 *sid)
2197 {
2198         int rc = 0;
2199         struct ocontext *c;
2200
2201         read_lock(&policy_rwlock);
2202
2203         c = policydb.ocontexts[OCON_FSUSE];
2204         while (c) {
2205                 if (strcmp(fstype, c->u.name) == 0)
2206                         break;
2207                 c = c->next;
2208         }
2209
2210         if (c) {
2211                 *behavior = c->v.behavior;
2212                 if (!c->sid[0]) {
2213                         rc = sidtab_context_to_sid(&sidtab,
2214                                                    &c->context[0],
2215                                                    &c->sid[0]);
2216                         if (rc)
2217                                 goto out;
2218                 }
2219                 *sid = c->sid[0];
2220         } else {
2221                 rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, sid);
2222                 if (rc) {
2223                         *behavior = SECURITY_FS_USE_NONE;
2224                         rc = 0;
2225                 } else {
2226                         *behavior = SECURITY_FS_USE_GENFS;
2227                 }
2228         }
2229
2230 out:
2231         read_unlock(&policy_rwlock);
2232         return rc;
2233 }
2234
2235 int security_get_bools(int *len, char ***names, int **values)
2236 {
2237         int i, rc = -ENOMEM;
2238
2239         read_lock(&policy_rwlock);
2240         *names = NULL;
2241         *values = NULL;
2242
2243         *len = policydb.p_bools.nprim;
2244         if (!*len) {
2245                 rc = 0;
2246                 goto out;
2247         }
2248
2249        *names = kcalloc(*len, sizeof(char *), GFP_ATOMIC);
2250         if (!*names)
2251                 goto err;
2252
2253        *values = kcalloc(*len, sizeof(int), GFP_ATOMIC);
2254         if (!*values)
2255                 goto err;
2256
2257         for (i = 0; i < *len; i++) {
2258                 size_t name_len;
2259                 (*values)[i] = policydb.bool_val_to_struct[i]->state;
2260                 name_len = strlen(policydb.p_bool_val_to_name[i]) + 1;
2261                (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC);
2262                 if (!(*names)[i])
2263                         goto err;
2264                 strncpy((*names)[i], policydb.p_bool_val_to_name[i], name_len);
2265                 (*names)[i][name_len - 1] = 0;
2266         }
2267         rc = 0;
2268 out:
2269         read_unlock(&policy_rwlock);
2270         return rc;
2271 err:
2272         if (*names) {
2273                 for (i = 0; i < *len; i++)
2274                         kfree((*names)[i]);
2275         }
2276         kfree(*values);
2277         goto out;
2278 }
2279
2280
2281 int security_set_bools(int len, int *values)
2282 {
2283         int i, rc = 0;
2284         int lenp, seqno = 0;
2285         struct cond_node *cur;
2286
2287         write_lock_irq(&policy_rwlock);
2288
2289         lenp = policydb.p_bools.nprim;
2290         if (len != lenp) {
2291                 rc = -EFAULT;
2292                 goto out;
2293         }
2294
2295         for (i = 0; i < len; i++) {
2296                 if (!!values[i] != policydb.bool_val_to_struct[i]->state) {
2297                         audit_log(current->audit_context, GFP_ATOMIC,
2298                                 AUDIT_MAC_CONFIG_CHANGE,
2299                                 "bool=%s val=%d old_val=%d auid=%u ses=%u",
2300                                 policydb.p_bool_val_to_name[i],
2301                                 !!values[i],
2302                                 policydb.bool_val_to_struct[i]->state,
2303                                 audit_get_loginuid(current),
2304                                 audit_get_sessionid(current));
2305                 }
2306                 if (values[i])
2307                         policydb.bool_val_to_struct[i]->state = 1;
2308                 else
2309                         policydb.bool_val_to_struct[i]->state = 0;
2310         }
2311
2312         for (cur = policydb.cond_list; cur; cur = cur->next) {
2313                 rc = evaluate_cond_node(&policydb, cur);
2314                 if (rc)
2315                         goto out;
2316         }
2317
2318         seqno = ++latest_granting;
2319
2320 out:
2321         write_unlock_irq(&policy_rwlock);
2322         if (!rc) {
2323                 avc_ss_reset(seqno);
2324                 selnl_notify_policyload(seqno);
2325                 selinux_xfrm_notify_policyload();
2326         }
2327         return rc;
2328 }
2329
2330 int security_get_bool_value(int bool)
2331 {
2332         int rc = 0;
2333         int len;
2334
2335         read_lock(&policy_rwlock);
2336
2337         len = policydb.p_bools.nprim;
2338         if (bool >= len) {
2339                 rc = -EFAULT;
2340                 goto out;
2341         }
2342
2343         rc = policydb.bool_val_to_struct[bool]->state;
2344 out:
2345         read_unlock(&policy_rwlock);
2346         return rc;
2347 }
2348
2349 static int security_preserve_bools(struct policydb *p)
2350 {
2351         int rc, nbools = 0, *bvalues = NULL, i;
2352         char **bnames = NULL;
2353         struct cond_bool_datum *booldatum;
2354         struct cond_node *cur;
2355
2356         rc = security_get_bools(&nbools, &bnames, &bvalues);
2357         if (rc)
2358                 goto out;
2359         for (i = 0; i < nbools; i++) {
2360                 booldatum = hashtab_search(p->p_bools.table, bnames[i]);
2361                 if (booldatum)
2362                         booldatum->state = bvalues[i];
2363         }
2364         for (cur = p->cond_list; cur; cur = cur->next) {
2365                 rc = evaluate_cond_node(p, cur);
2366                 if (rc)
2367                         goto out;
2368         }
2369
2370 out:
2371         if (bnames) {
2372                 for (i = 0; i < nbools; i++)
2373                         kfree(bnames[i]);
2374         }
2375         kfree(bnames);
2376         kfree(bvalues);
2377         return rc;
2378 }
2379
2380 /*
2381  * security_sid_mls_copy() - computes a new sid based on the given
2382  * sid and the mls portion of mls_sid.
2383  */
2384 int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid)
2385 {
2386         struct context *context1;
2387         struct context *context2;
2388         struct context newcon;
2389         char *s;
2390         u32 len;
2391         int rc = 0;
2392
2393         if (!ss_initialized || !selinux_mls_enabled) {
2394                 *new_sid = sid;
2395                 goto out;
2396         }
2397
2398         context_init(&newcon);
2399
2400         read_lock(&policy_rwlock);
2401         context1 = sidtab_search(&sidtab, sid);
2402         if (!context1) {
2403                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
2404                         __func__, sid);
2405                 rc = -EINVAL;
2406                 goto out_unlock;
2407         }
2408
2409         context2 = sidtab_search(&sidtab, mls_sid);
2410         if (!context2) {
2411                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
2412                         __func__, mls_sid);
2413                 rc = -EINVAL;
2414                 goto out_unlock;
2415         }
2416
2417         newcon.user = context1->user;
2418         newcon.role = context1->role;
2419         newcon.type = context1->type;
2420         rc = mls_context_cpy(&newcon, context2);
2421         if (rc)
2422                 goto out_unlock;
2423
2424         /* Check the validity of the new context. */
2425         if (!policydb_context_isvalid(&policydb, &newcon)) {
2426                 rc = convert_context_handle_invalid_context(&newcon);
2427                 if (rc)
2428                         goto bad;
2429         }
2430
2431         rc = sidtab_context_to_sid(&sidtab, &newcon, new_sid);
2432         goto out_unlock;
2433
2434 bad:
2435         if (!context_struct_to_string(&newcon, &s, &len)) {
2436                 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
2437                           "security_sid_mls_copy: invalid context %s", s);
2438                 kfree(s);
2439         }
2440
2441 out_unlock:
2442         read_unlock(&policy_rwlock);
2443         context_destroy(&newcon);
2444 out:
2445         return rc;
2446 }
2447
2448 /**
2449  * security_net_peersid_resolve - Compare and resolve two network peer SIDs
2450  * @nlbl_sid: NetLabel SID
2451  * @nlbl_type: NetLabel labeling protocol type
2452  * @xfrm_sid: XFRM SID
2453  *
2454  * Description:
2455  * Compare the @nlbl_sid and @xfrm_sid values and if the two SIDs can be
2456  * resolved into a single SID it is returned via @peer_sid and the function
2457  * returns zero.  Otherwise @peer_sid is set to SECSID_NULL and the function
2458  * returns a negative value.  A table summarizing the behavior is below:
2459  *
2460  *                                 | function return |      @sid
2461  *   ------------------------------+-----------------+-----------------
2462  *   no peer labels                |        0        |    SECSID_NULL
2463  *   single peer label             |        0        |    <peer_label>
2464  *   multiple, consistent labels   |        0        |    <peer_label>
2465  *   multiple, inconsistent labels |    -<errno>     |    SECSID_NULL
2466  *
2467  */
2468 int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type,
2469                                  u32 xfrm_sid,
2470                                  u32 *peer_sid)
2471 {
2472         int rc;
2473         struct context *nlbl_ctx;
2474         struct context *xfrm_ctx;
2475
2476         /* handle the common (which also happens to be the set of easy) cases
2477          * right away, these two if statements catch everything involving a
2478          * single or absent peer SID/label */
2479         if (xfrm_sid == SECSID_NULL) {
2480                 *peer_sid = nlbl_sid;
2481                 return 0;
2482         }
2483         /* NOTE: an nlbl_type == NETLBL_NLTYPE_UNLABELED is a "fallback" label
2484          * and is treated as if nlbl_sid == SECSID_NULL when a XFRM SID/label
2485          * is present */
2486         if (nlbl_sid == SECSID_NULL || nlbl_type == NETLBL_NLTYPE_UNLABELED) {
2487                 *peer_sid = xfrm_sid;
2488                 return 0;
2489         }
2490
2491         /* we don't need to check ss_initialized here since the only way both
2492          * nlbl_sid and xfrm_sid are not equal to SECSID_NULL would be if the
2493          * security server was initialized and ss_initialized was true */
2494         if (!selinux_mls_enabled) {
2495                 *peer_sid = SECSID_NULL;
2496                 return 0;
2497         }
2498
2499         read_lock(&policy_rwlock);
2500
2501         nlbl_ctx = sidtab_search(&sidtab, nlbl_sid);
2502         if (!nlbl_ctx) {
2503                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
2504                        __func__, nlbl_sid);
2505                 rc = -EINVAL;
2506                 goto out_slowpath;
2507         }
2508         xfrm_ctx = sidtab_search(&sidtab, xfrm_sid);
2509         if (!xfrm_ctx) {
2510                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
2511                        __func__, xfrm_sid);
2512                 rc = -EINVAL;
2513                 goto out_slowpath;
2514         }
2515         rc = (mls_context_cmp(nlbl_ctx, xfrm_ctx) ? 0 : -EACCES);
2516
2517 out_slowpath:
2518         read_unlock(&policy_rwlock);
2519         if (rc == 0)
2520                 /* at present NetLabel SIDs/labels really only carry MLS
2521                  * information so if the MLS portion of the NetLabel SID
2522                  * matches the MLS portion of the labeled XFRM SID/label
2523                  * then pass along the XFRM SID as it is the most
2524                  * expressive */
2525                 *peer_sid = xfrm_sid;
2526         else
2527                 *peer_sid = SECSID_NULL;
2528         return rc;
2529 }
2530
2531 static int get_classes_callback(void *k, void *d, void *args)
2532 {
2533         struct class_datum *datum = d;
2534         char *name = k, **classes = args;
2535         int value = datum->value - 1;
2536
2537         classes[value] = kstrdup(name, GFP_ATOMIC);
2538         if (!classes[value])
2539                 return -ENOMEM;
2540
2541         return 0;
2542 }
2543
2544 int security_get_classes(char ***classes, int *nclasses)
2545 {
2546         int rc = -ENOMEM;
2547
2548         read_lock(&policy_rwlock);
2549
2550         *nclasses = policydb.p_classes.nprim;
2551         *classes = kcalloc(*nclasses, sizeof(*classes), GFP_ATOMIC);
2552         if (!*classes)
2553                 goto out;
2554
2555         rc = hashtab_map(policydb.p_classes.table, get_classes_callback,
2556                         *classes);
2557         if (rc < 0) {
2558                 int i;
2559                 for (i = 0; i < *nclasses; i++)
2560                         kfree((*classes)[i]);
2561                 kfree(*classes);
2562         }
2563
2564 out:
2565         read_unlock(&policy_rwlock);
2566         return rc;
2567 }
2568
2569 static int get_permissions_callback(void *k, void *d, void *args)
2570 {
2571         struct perm_datum *datum = d;
2572         char *name = k, **perms = args;
2573         int value = datum->value - 1;
2574
2575         perms[value] = kstrdup(name, GFP_ATOMIC);
2576         if (!perms[value])
2577                 return -ENOMEM;
2578
2579         return 0;
2580 }
2581
2582 int security_get_permissions(char *class, char ***perms, int *nperms)
2583 {
2584         int rc = -ENOMEM, i;
2585         struct class_datum *match;
2586
2587         read_lock(&policy_rwlock);
2588
2589         match = hashtab_search(policydb.p_classes.table, class);
2590         if (!match) {
2591                 printk(KERN_ERR "SELinux: %s:  unrecognized class %s\n",
2592                         __func__, class);
2593                 rc = -EINVAL;
2594                 goto out;
2595         }
2596
2597         *nperms = match->permissions.nprim;
2598         *perms = kcalloc(*nperms, sizeof(*perms), GFP_ATOMIC);
2599         if (!*perms)
2600                 goto out;
2601
2602         if (match->comdatum) {
2603                 rc = hashtab_map(match->comdatum->permissions.table,
2604                                 get_permissions_callback, *perms);
2605                 if (rc < 0)
2606                         goto err;
2607         }
2608
2609         rc = hashtab_map(match->permissions.table, get_permissions_callback,
2610                         *perms);
2611         if (rc < 0)
2612                 goto err;
2613
2614 out:
2615         read_unlock(&policy_rwlock);
2616         return rc;
2617
2618 err:
2619         read_unlock(&policy_rwlock);
2620         for (i = 0; i < *nperms; i++)
2621                 kfree((*perms)[i]);
2622         kfree(*perms);
2623         return rc;
2624 }
2625
2626 int security_get_reject_unknown(void)
2627 {
2628         return policydb.reject_unknown;
2629 }
2630
2631 int security_get_allow_unknown(void)
2632 {
2633         return policydb.allow_unknown;
2634 }
2635
2636 /**
2637  * security_policycap_supported - Check for a specific policy capability
2638  * @req_cap: capability
2639  *
2640  * Description:
2641  * This function queries the currently loaded policy to see if it supports the
2642  * capability specified by @req_cap.  Returns true (1) if the capability is
2643  * supported, false (0) if it isn't supported.
2644  *
2645  */
2646 int security_policycap_supported(unsigned int req_cap)
2647 {
2648         int rc;
2649
2650         read_lock(&policy_rwlock);
2651         rc = ebitmap_get_bit(&policydb.policycaps, req_cap);
2652         read_unlock(&policy_rwlock);
2653
2654         return rc;
2655 }
2656
2657 struct selinux_audit_rule {
2658         u32 au_seqno;
2659         struct context au_ctxt;
2660 };
2661
2662 void selinux_audit_rule_free(void *vrule)
2663 {
2664         struct selinux_audit_rule *rule = vrule;
2665
2666         if (rule) {
2667                 context_destroy(&rule->au_ctxt);
2668                 kfree(rule);
2669         }
2670 }
2671
2672 int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
2673 {
2674         struct selinux_audit_rule *tmprule;
2675         struct role_datum *roledatum;
2676         struct type_datum *typedatum;
2677         struct user_datum *userdatum;
2678         struct selinux_audit_rule **rule = (struct selinux_audit_rule **)vrule;
2679         int rc = 0;
2680
2681         *rule = NULL;
2682
2683         if (!ss_initialized)
2684                 return -EOPNOTSUPP;
2685
2686         switch (field) {
2687         case AUDIT_SUBJ_USER:
2688         case AUDIT_SUBJ_ROLE:
2689         case AUDIT_SUBJ_TYPE:
2690         case AUDIT_OBJ_USER:
2691         case AUDIT_OBJ_ROLE:
2692         case AUDIT_OBJ_TYPE:
2693                 /* only 'equals' and 'not equals' fit user, role, and type */
2694                 if (op != Audit_equal && op != Audit_not_equal)
2695                         return -EINVAL;
2696                 break;
2697         case AUDIT_SUBJ_SEN:
2698         case AUDIT_SUBJ_CLR:
2699         case AUDIT_OBJ_LEV_LOW:
2700         case AUDIT_OBJ_LEV_HIGH:
2701                 /* we do not allow a range, indicated by the presense of '-' */
2702                 if (strchr(rulestr, '-'))
2703                         return -EINVAL;
2704                 break;
2705         default:
2706                 /* only the above fields are valid */
2707                 return -EINVAL;
2708         }
2709
2710         tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL);
2711         if (!tmprule)
2712                 return -ENOMEM;
2713
2714         context_init(&tmprule->au_ctxt);
2715
2716         read_lock(&policy_rwlock);
2717
2718         tmprule->au_seqno = latest_granting;
2719
2720         switch (field) {
2721         case AUDIT_SUBJ_USER:
2722         case AUDIT_OBJ_USER:
2723                 userdatum = hashtab_search(policydb.p_users.table, rulestr);
2724                 if (!userdatum)
2725                         rc = -EINVAL;
2726                 else
2727                         tmprule->au_ctxt.user = userdatum->value;
2728                 break;
2729         case AUDIT_SUBJ_ROLE:
2730         case AUDIT_OBJ_ROLE:
2731                 roledatum = hashtab_search(policydb.p_roles.table, rulestr);
2732                 if (!roledatum)
2733                         rc = -EINVAL;
2734                 else
2735                         tmprule->au_ctxt.role = roledatum->value;
2736                 break;
2737         case AUDIT_SUBJ_TYPE:
2738         case AUDIT_OBJ_TYPE:
2739                 typedatum = hashtab_search(policydb.p_types.table, rulestr);
2740                 if (!typedatum)
2741                         rc = -EINVAL;
2742                 else
2743                         tmprule->au_ctxt.type = typedatum->value;
2744                 break;
2745         case AUDIT_SUBJ_SEN:
2746         case AUDIT_SUBJ_CLR:
2747         case AUDIT_OBJ_LEV_LOW:
2748         case AUDIT_OBJ_LEV_HIGH:
2749                 rc = mls_from_string(rulestr, &tmprule->au_ctxt, GFP_ATOMIC);
2750                 break;
2751         }
2752
2753         read_unlock(&policy_rwlock);
2754
2755         if (rc) {
2756                 selinux_audit_rule_free(tmprule);
2757                 tmprule = NULL;
2758         }
2759
2760         *rule = tmprule;
2761
2762         return rc;
2763 }
2764
2765 /* Check to see if the rule contains any selinux fields */
2766 int selinux_audit_rule_known(struct audit_krule *rule)
2767 {
2768         int i;
2769
2770         for (i = 0; i < rule->field_count; i++) {
2771                 struct audit_field *f = &rule->fields[i];
2772                 switch (f->type) {
2773                 case AUDIT_SUBJ_USER:
2774                 case AUDIT_SUBJ_ROLE:
2775                 case AUDIT_SUBJ_TYPE:
2776                 case AUDIT_SUBJ_SEN:
2777                 case AUDIT_SUBJ_CLR:
2778                 case AUDIT_OBJ_USER:
2779                 case AUDIT_OBJ_ROLE:
2780                 case AUDIT_OBJ_TYPE:
2781                 case AUDIT_OBJ_LEV_LOW:
2782                 case AUDIT_OBJ_LEV_HIGH:
2783                         return 1;
2784                 }
2785         }
2786
2787         return 0;
2788 }
2789
2790 int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
2791                              struct audit_context *actx)
2792 {
2793         struct context *ctxt;
2794         struct mls_level *level;
2795         struct selinux_audit_rule *rule = vrule;
2796         int match = 0;
2797
2798         if (!rule) {
2799                 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
2800                           "selinux_audit_rule_match: missing rule\n");
2801                 return -ENOENT;
2802         }
2803
2804         read_lock(&policy_rwlock);
2805
2806         if (rule->au_seqno < latest_granting) {
2807                 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
2808                           "selinux_audit_rule_match: stale rule\n");
2809                 match = -ESTALE;
2810                 goto out;
2811         }
2812
2813         ctxt = sidtab_search(&sidtab, sid);
2814         if (!ctxt) {
2815                 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
2816                           "selinux_audit_rule_match: unrecognized SID %d\n",
2817                           sid);
2818                 match = -ENOENT;
2819                 goto out;
2820         }
2821
2822         /* a field/op pair that is not caught here will simply fall through
2823            without a match */
2824         switch (field) {
2825         case AUDIT_SUBJ_USER:
2826         case AUDIT_OBJ_USER:
2827                 switch (op) {
2828                 case Audit_equal:
2829                         match = (ctxt->user == rule->au_ctxt.user);
2830                         break;
2831                 case Audit_not_equal:
2832                         match = (ctxt->user != rule->au_ctxt.user);
2833                         break;
2834                 }
2835                 break;
2836         case AUDIT_SUBJ_ROLE:
2837         case AUDIT_OBJ_ROLE:
2838                 switch (op) {
2839                 case Audit_equal:
2840                         match = (ctxt->role == rule->au_ctxt.role);
2841                         break;
2842                 case Audit_not_equal:
2843                         match = (ctxt->role != rule->au_ctxt.role);
2844                         break;
2845                 }
2846                 break;
2847         case AUDIT_SUBJ_TYPE:
2848         case AUDIT_OBJ_TYPE:
2849                 switch (op) {
2850                 case Audit_equal:
2851                         match = (ctxt->type == rule->au_ctxt.type);
2852                         break;
2853                 case Audit_not_equal:
2854                         match = (ctxt->type != rule->au_ctxt.type);
2855                         break;
2856                 }
2857                 break;
2858         case AUDIT_SUBJ_SEN:
2859         case AUDIT_SUBJ_CLR:
2860         case AUDIT_OBJ_LEV_LOW:
2861         case AUDIT_OBJ_LEV_HIGH:
2862                 level = ((field == AUDIT_SUBJ_SEN ||
2863                           field == AUDIT_OBJ_LEV_LOW) ?
2864                          &ctxt->range.level[0] : &ctxt->range.level[1]);
2865                 switch (op) {
2866                 case Audit_equal:
2867                         match = mls_level_eq(&rule->au_ctxt.range.level[0],
2868                                              level);
2869                         break;
2870                 case Audit_not_equal:
2871                         match = !mls_level_eq(&rule->au_ctxt.range.level[0],
2872                                               level);
2873                         break;
2874                 case Audit_lt:
2875                         match = (mls_level_dom(&rule->au_ctxt.range.level[0],
2876                                                level) &&
2877                                  !mls_level_eq(&rule->au_ctxt.range.level[0],
2878                                                level));
2879                         break;
2880                 case Audit_le:
2881                         match = mls_level_dom(&rule->au_ctxt.range.level[0],
2882                                               level);
2883                         break;
2884                 case Audit_gt:
2885                         match = (mls_level_dom(level,
2886                                               &rule->au_ctxt.range.level[0]) &&
2887                                  !mls_level_eq(level,
2888                                                &rule->au_ctxt.range.level[0]));
2889                         break;
2890                 case Audit_ge:
2891                         match = mls_level_dom(level,
2892                                               &rule->au_ctxt.range.level[0]);
2893                         break;
2894                 }
2895         }
2896
2897 out:
2898         read_unlock(&policy_rwlock);
2899         return match;
2900 }
2901
2902 static int (*aurule_callback)(void) = audit_update_lsm_rules;
2903
2904 static int aurule_avc_callback(u32 event, u32 ssid, u32 tsid,
2905                                u16 class, u32 perms, u32 *retained)
2906 {
2907         int err = 0;
2908
2909         if (event == AVC_CALLBACK_RESET && aurule_callback)
2910                 err = aurule_callback();
2911         return err;
2912 }
2913
2914 static int __init aurule_init(void)
2915 {
2916         int err;
2917
2918         err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET,
2919                                SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
2920         if (err)
2921                 panic("avc_add_callback() failed, error %d\n", err);
2922
2923         return err;
2924 }
2925 __initcall(aurule_init);
2926
2927 #ifdef CONFIG_NETLABEL
2928 /**
2929  * security_netlbl_cache_add - Add an entry to the NetLabel cache
2930  * @secattr: the NetLabel packet security attributes
2931  * @sid: the SELinux SID
2932  *
2933  * Description:
2934  * Attempt to cache the context in @ctx, which was derived from the packet in
2935  * @skb, in the NetLabel subsystem cache.  This function assumes @secattr has
2936  * already been initialized.
2937  *
2938  */
2939 static void security_netlbl_cache_add(struct netlbl_lsm_secattr *secattr,
2940                                       u32 sid)
2941 {
2942         u32 *sid_cache;
2943
2944         sid_cache = kmalloc(sizeof(*sid_cache), GFP_ATOMIC);
2945         if (sid_cache == NULL)
2946                 return;
2947         secattr->cache = netlbl_secattr_cache_alloc(GFP_ATOMIC);
2948         if (secattr->cache == NULL) {
2949                 kfree(sid_cache);
2950                 return;
2951         }
2952
2953         *sid_cache = sid;
2954         secattr->cache->free = kfree;
2955         secattr->cache->data = sid_cache;
2956         secattr->flags |= NETLBL_SECATTR_CACHE;
2957 }
2958
2959 /**
2960  * security_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID
2961  * @secattr: the NetLabel packet security attributes
2962  * @sid: the SELinux SID
2963  *
2964  * Description:
2965  * Convert the given NetLabel security attributes in @secattr into a
2966  * SELinux SID.  If the @secattr field does not contain a full SELinux
2967  * SID/context then use SECINITSID_NETMSG as the foundation.  If possibile the
2968  * 'cache' field of @secattr is set and the CACHE flag is set; this is to
2969  * allow the @secattr to be used by NetLabel to cache the secattr to SID
2970  * conversion for future lookups.  Returns zero on success, negative values on
2971  * failure.
2972  *
2973  */
2974 int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,
2975                                    u32 *sid)
2976 {
2977         int rc = -EIDRM;
2978         struct context *ctx;
2979         struct context ctx_new;
2980
2981         if (!ss_initialized) {
2982                 *sid = SECSID_NULL;
2983                 return 0;
2984         }
2985
2986         read_lock(&policy_rwlock);
2987
2988         if (secattr->flags & NETLBL_SECATTR_CACHE) {
2989                 *sid = *(u32 *)secattr->cache->data;
2990                 rc = 0;
2991         } else if (secattr->flags & NETLBL_SECATTR_SECID) {
2992                 *sid = secattr->attr.secid;
2993                 rc = 0;
2994         } else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) {
2995                 ctx = sidtab_search(&sidtab, SECINITSID_NETMSG);
2996                 if (ctx == NULL)
2997                         goto netlbl_secattr_to_sid_return;
2998
2999                 context_init(&ctx_new);
3000                 ctx_new.user = ctx->user;
3001                 ctx_new.role = ctx->role;
3002                 ctx_new.type = ctx->type;
3003                 mls_import_netlbl_lvl(&ctx_new, secattr);
3004                 if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {
3005                         if (ebitmap_netlbl_import(&ctx_new.range.level[0].cat,
3006                                                   secattr->attr.mls.cat) != 0)
3007                                 goto netlbl_secattr_to_sid_return;
3008                         memcpy(&ctx_new.range.level[1].cat,
3009                                &ctx_new.range.level[0].cat,
3010                                sizeof(ctx_new.range.level[0].cat));
3011                 }
3012                 if (mls_context_isvalid(&policydb, &ctx_new) != 1)
3013                         goto netlbl_secattr_to_sid_return_cleanup;
3014
3015                 rc = sidtab_context_to_sid(&sidtab, &ctx_new, sid);
3016                 if (rc != 0)
3017                         goto netlbl_secattr_to_sid_return_cleanup;
3018
3019                 security_netlbl_cache_add(secattr, *sid);
3020
3021                 ebitmap_destroy(&ctx_new.range.level[0].cat);
3022         } else {
3023                 *sid = SECSID_NULL;
3024                 rc = 0;
3025         }
3026
3027 netlbl_secattr_to_sid_return:
3028         read_unlock(&policy_rwlock);
3029         return rc;
3030 netlbl_secattr_to_sid_return_cleanup:
3031         ebitmap_destroy(&ctx_new.range.level[0].cat);
3032         goto netlbl_secattr_to_sid_return;
3033 }
3034
3035 /**
3036  * security_netlbl_sid_to_secattr - Convert a SELinux SID to a NetLabel secattr
3037  * @sid: the SELinux SID
3038  * @secattr: the NetLabel packet security attributes
3039  *
3040  * Description:
3041  * Convert the given SELinux SID in @sid into a NetLabel security attribute.
3042  * Returns zero on success, negative values on failure.
3043  *
3044  */
3045 int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr)
3046 {
3047         int rc;
3048         struct context *ctx;
3049
3050         if (!ss_initialized)
3051                 return 0;
3052
3053         read_lock(&policy_rwlock);
3054         ctx = sidtab_search(&sidtab, sid);
3055         if (ctx == NULL) {
3056                 rc = -ENOENT;
3057                 goto netlbl_sid_to_secattr_failure;
3058         }
3059         secattr->domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1],
3060                                   GFP_ATOMIC);
3061         if (secattr->domain == NULL) {
3062                 rc = -ENOMEM;
3063                 goto netlbl_sid_to_secattr_failure;
3064         }
3065         secattr->attr.secid = sid;
3066         secattr->flags |= NETLBL_SECATTR_DOMAIN_CPY | NETLBL_SECATTR_SECID;
3067         mls_export_netlbl_lvl(ctx, secattr);
3068         rc = mls_export_netlbl_cat(ctx, secattr);
3069         if (rc != 0)
3070                 goto netlbl_sid_to_secattr_failure;
3071         read_unlock(&policy_rwlock);
3072
3073         return 0;
3074
3075 netlbl_sid_to_secattr_failure:
3076         read_unlock(&policy_rwlock);
3077         return rc;
3078 }
3079 #endif /* CONFIG_NETLABEL */