1f5bbb246d28a84333340d46df44f3ef9cfb858c
[linux-3.10.git] / security / selinux / ss / services.c
1 /*
2  * Implementation of the security services.
3  *
4  * Authors : Stephen Smalley, <sds@epoch.ncsc.mil>
5  *           James Morris <jmorris@redhat.com>
6  *
7  * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
8  *
9  *      Support for enhanced MLS infrastructure.
10  *      Support for context based audit filters.
11  *
12  * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
13  *
14  *      Added conditional policy language extensions
15  *
16  * Updated: Hewlett-Packard <paul.moore@hp.com>
17  *
18  *      Added support for NetLabel
19  *
20  * Updated: Chad Sellers <csellers@tresys.com>
21  *
22  *  Added validation of kernel classes and permissions
23  *
24  * Copyright (C) 2006 Hewlett-Packard Development Company, L.P.
25  * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
26  * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC
27  * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
28  *      This program is free software; you can redistribute it and/or modify
29  *      it under the terms of the GNU General Public License as published by
30  *      the Free Software Foundation, version 2.
31  */
32 #include <linux/kernel.h>
33 #include <linux/slab.h>
34 #include <linux/string.h>
35 #include <linux/spinlock.h>
36 #include <linux/errno.h>
37 #include <linux/in.h>
38 #include <linux/sched.h>
39 #include <linux/audit.h>
40 #include <linux/mutex.h>
41 #include <net/sock.h>
42 #include <net/netlabel.h>
43
44 #include "flask.h"
45 #include "avc.h"
46 #include "avc_ss.h"
47 #include "security.h"
48 #include "context.h"
49 #include "policydb.h"
50 #include "sidtab.h"
51 #include "services.h"
52 #include "conditional.h"
53 #include "mls.h"
54 #include "objsec.h"
55 #include "selinux_netlabel.h"
56
57 extern void selnl_notify_policyload(u32 seqno);
58 unsigned int policydb_loaded_version;
59
60 /*
61  * This is declared in avc.c
62  */
63 extern const struct selinux_class_perm selinux_class_perm;
64
65 static DEFINE_RWLOCK(policy_rwlock);
66 #define POLICY_RDLOCK read_lock(&policy_rwlock)
67 #define POLICY_WRLOCK write_lock_irq(&policy_rwlock)
68 #define POLICY_RDUNLOCK read_unlock(&policy_rwlock)
69 #define POLICY_WRUNLOCK write_unlock_irq(&policy_rwlock)
70
71 static DEFINE_MUTEX(load_mutex);
72 #define LOAD_LOCK mutex_lock(&load_mutex)
73 #define LOAD_UNLOCK mutex_unlock(&load_mutex)
74
75 static struct sidtab sidtab;
76 struct policydb policydb;
77 int ss_initialized = 0;
78
79 /*
80  * The largest sequence number that has been used when
81  * providing an access decision to the access vector cache.
82  * The sequence number only changes when a policy change
83  * occurs.
84  */
85 static u32 latest_granting = 0;
86
87 /* Forward declaration. */
88 static int context_struct_to_string(struct context *context, char **scontext,
89                                     u32 *scontext_len);
90
91 /*
92  * Return the boolean value of a constraint expression
93  * when it is applied to the specified source and target
94  * security contexts.
95  *
96  * xcontext is a special beast...  It is used by the validatetrans rules
97  * only.  For these rules, scontext is the context before the transition,
98  * tcontext is the context after the transition, and xcontext is the context
99  * of the process performing the transition.  All other callers of
100  * constraint_expr_eval should pass in NULL for xcontext.
101  */
102 static int constraint_expr_eval(struct context *scontext,
103                                 struct context *tcontext,
104                                 struct context *xcontext,
105                                 struct constraint_expr *cexpr)
106 {
107         u32 val1, val2;
108         struct context *c;
109         struct role_datum *r1, *r2;
110         struct mls_level *l1, *l2;
111         struct constraint_expr *e;
112         int s[CEXPR_MAXDEPTH];
113         int sp = -1;
114
115         for (e = cexpr; e; e = e->next) {
116                 switch (e->expr_type) {
117                 case CEXPR_NOT:
118                         BUG_ON(sp < 0);
119                         s[sp] = !s[sp];
120                         break;
121                 case CEXPR_AND:
122                         BUG_ON(sp < 1);
123                         sp--;
124                         s[sp] &= s[sp+1];
125                         break;
126                 case CEXPR_OR:
127                         BUG_ON(sp < 1);
128                         sp--;
129                         s[sp] |= s[sp+1];
130                         break;
131                 case CEXPR_ATTR:
132                         if (sp == (CEXPR_MAXDEPTH-1))
133                                 return 0;
134                         switch (e->attr) {
135                         case CEXPR_USER:
136                                 val1 = scontext->user;
137                                 val2 = tcontext->user;
138                                 break;
139                         case CEXPR_TYPE:
140                                 val1 = scontext->type;
141                                 val2 = tcontext->type;
142                                 break;
143                         case CEXPR_ROLE:
144                                 val1 = scontext->role;
145                                 val2 = tcontext->role;
146                                 r1 = policydb.role_val_to_struct[val1 - 1];
147                                 r2 = policydb.role_val_to_struct[val2 - 1];
148                                 switch (e->op) {
149                                 case CEXPR_DOM:
150                                         s[++sp] = ebitmap_get_bit(&r1->dominates,
151                                                                   val2 - 1);
152                                         continue;
153                                 case CEXPR_DOMBY:
154                                         s[++sp] = ebitmap_get_bit(&r2->dominates,
155                                                                   val1 - 1);
156                                         continue;
157                                 case CEXPR_INCOMP:
158                                         s[++sp] = ( !ebitmap_get_bit(&r1->dominates,
159                                                                      val2 - 1) &&
160                                                     !ebitmap_get_bit(&r2->dominates,
161                                                                      val1 - 1) );
162                                         continue;
163                                 default:
164                                         break;
165                                 }
166                                 break;
167                         case CEXPR_L1L2:
168                                 l1 = &(scontext->range.level[0]);
169                                 l2 = &(tcontext->range.level[0]);
170                                 goto mls_ops;
171                         case CEXPR_L1H2:
172                                 l1 = &(scontext->range.level[0]);
173                                 l2 = &(tcontext->range.level[1]);
174                                 goto mls_ops;
175                         case CEXPR_H1L2:
176                                 l1 = &(scontext->range.level[1]);
177                                 l2 = &(tcontext->range.level[0]);
178                                 goto mls_ops;
179                         case CEXPR_H1H2:
180                                 l1 = &(scontext->range.level[1]);
181                                 l2 = &(tcontext->range.level[1]);
182                                 goto mls_ops;
183                         case CEXPR_L1H1:
184                                 l1 = &(scontext->range.level[0]);
185                                 l2 = &(scontext->range.level[1]);
186                                 goto mls_ops;
187                         case CEXPR_L2H2:
188                                 l1 = &(tcontext->range.level[0]);
189                                 l2 = &(tcontext->range.level[1]);
190                                 goto mls_ops;
191 mls_ops:
192                         switch (e->op) {
193                         case CEXPR_EQ:
194                                 s[++sp] = mls_level_eq(l1, l2);
195                                 continue;
196                         case CEXPR_NEQ:
197                                 s[++sp] = !mls_level_eq(l1, l2);
198                                 continue;
199                         case CEXPR_DOM:
200                                 s[++sp] = mls_level_dom(l1, l2);
201                                 continue;
202                         case CEXPR_DOMBY:
203                                 s[++sp] = mls_level_dom(l2, l1);
204                                 continue;
205                         case CEXPR_INCOMP:
206                                 s[++sp] = mls_level_incomp(l2, l1);
207                                 continue;
208                         default:
209                                 BUG();
210                                 return 0;
211                         }
212                         break;
213                         default:
214                                 BUG();
215                                 return 0;
216                         }
217
218                         switch (e->op) {
219                         case CEXPR_EQ:
220                                 s[++sp] = (val1 == val2);
221                                 break;
222                         case CEXPR_NEQ:
223                                 s[++sp] = (val1 != val2);
224                                 break;
225                         default:
226                                 BUG();
227                                 return 0;
228                         }
229                         break;
230                 case CEXPR_NAMES:
231                         if (sp == (CEXPR_MAXDEPTH-1))
232                                 return 0;
233                         c = scontext;
234                         if (e->attr & CEXPR_TARGET)
235                                 c = tcontext;
236                         else if (e->attr & CEXPR_XTARGET) {
237                                 c = xcontext;
238                                 if (!c) {
239                                         BUG();
240                                         return 0;
241                                 }
242                         }
243                         if (e->attr & CEXPR_USER)
244                                 val1 = c->user;
245                         else if (e->attr & CEXPR_ROLE)
246                                 val1 = c->role;
247                         else if (e->attr & CEXPR_TYPE)
248                                 val1 = c->type;
249                         else {
250                                 BUG();
251                                 return 0;
252                         }
253
254                         switch (e->op) {
255                         case CEXPR_EQ:
256                                 s[++sp] = ebitmap_get_bit(&e->names, val1 - 1);
257                                 break;
258                         case CEXPR_NEQ:
259                                 s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1);
260                                 break;
261                         default:
262                                 BUG();
263                                 return 0;
264                         }
265                         break;
266                 default:
267                         BUG();
268                         return 0;
269                 }
270         }
271
272         BUG_ON(sp != 0);
273         return s[0];
274 }
275
276 /*
277  * Compute access vectors based on a context structure pair for
278  * the permissions in a particular class.
279  */
280 static int context_struct_compute_av(struct context *scontext,
281                                      struct context *tcontext,
282                                      u16 tclass,
283                                      u32 requested,
284                                      struct av_decision *avd)
285 {
286         struct constraint_node *constraint;
287         struct role_allow *ra;
288         struct avtab_key avkey;
289         struct avtab_node *node;
290         struct class_datum *tclass_datum;
291         struct ebitmap *sattr, *tattr;
292         struct ebitmap_node *snode, *tnode;
293         unsigned int i, j;
294
295         /*
296          * Remap extended Netlink classes for old policy versions.
297          * Do this here rather than socket_type_to_security_class()
298          * in case a newer policy version is loaded, allowing sockets
299          * to remain in the correct class.
300          */
301         if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
302                 if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&
303                     tclass <= SECCLASS_NETLINK_DNRT_SOCKET)
304                         tclass = SECCLASS_NETLINK_SOCKET;
305
306         if (!tclass || tclass > policydb.p_classes.nprim) {
307                 printk(KERN_ERR "security_compute_av:  unrecognized class %d\n",
308                        tclass);
309                 return -EINVAL;
310         }
311         tclass_datum = policydb.class_val_to_struct[tclass - 1];
312
313         /*
314          * Initialize the access vectors to the default values.
315          */
316         avd->allowed = 0;
317         avd->decided = 0xffffffff;
318         avd->auditallow = 0;
319         avd->auditdeny = 0xffffffff;
320         avd->seqno = latest_granting;
321
322         /*
323          * If a specific type enforcement rule was defined for
324          * this permission check, then use it.
325          */
326         avkey.target_class = tclass;
327         avkey.specified = AVTAB_AV;
328         sattr = &policydb.type_attr_map[scontext->type - 1];
329         tattr = &policydb.type_attr_map[tcontext->type - 1];
330         ebitmap_for_each_bit(sattr, snode, i) {
331                 if (!ebitmap_node_get_bit(snode, i))
332                         continue;
333                 ebitmap_for_each_bit(tattr, tnode, j) {
334                         if (!ebitmap_node_get_bit(tnode, j))
335                                 continue;
336                         avkey.source_type = i + 1;
337                         avkey.target_type = j + 1;
338                         for (node = avtab_search_node(&policydb.te_avtab, &avkey);
339                              node != NULL;
340                              node = avtab_search_node_next(node, avkey.specified)) {
341                                 if (node->key.specified == AVTAB_ALLOWED)
342                                         avd->allowed |= node->datum.data;
343                                 else if (node->key.specified == AVTAB_AUDITALLOW)
344                                         avd->auditallow |= node->datum.data;
345                                 else if (node->key.specified == AVTAB_AUDITDENY)
346                                         avd->auditdeny &= node->datum.data;
347                         }
348
349                         /* Check conditional av table for additional permissions */
350                         cond_compute_av(&policydb.te_cond_avtab, &avkey, avd);
351
352                 }
353         }
354
355         /*
356          * Remove any permissions prohibited by a constraint (this includes
357          * the MLS policy).
358          */
359         constraint = tclass_datum->constraints;
360         while (constraint) {
361                 if ((constraint->permissions & (avd->allowed)) &&
362                     !constraint_expr_eval(scontext, tcontext, NULL,
363                                           constraint->expr)) {
364                         avd->allowed = (avd->allowed) & ~(constraint->permissions);
365                 }
366                 constraint = constraint->next;
367         }
368
369         /*
370          * If checking process transition permission and the
371          * role is changing, then check the (current_role, new_role)
372          * pair.
373          */
374         if (tclass == SECCLASS_PROCESS &&
375             (avd->allowed & (PROCESS__TRANSITION | PROCESS__DYNTRANSITION)) &&
376             scontext->role != tcontext->role) {
377                 for (ra = policydb.role_allow; ra; ra = ra->next) {
378                         if (scontext->role == ra->role &&
379                             tcontext->role == ra->new_role)
380                                 break;
381                 }
382                 if (!ra)
383                         avd->allowed = (avd->allowed) & ~(PROCESS__TRANSITION |
384                                                         PROCESS__DYNTRANSITION);
385         }
386
387         return 0;
388 }
389
390 static int security_validtrans_handle_fail(struct context *ocontext,
391                                            struct context *ncontext,
392                                            struct context *tcontext,
393                                            u16 tclass)
394 {
395         char *o = NULL, *n = NULL, *t = NULL;
396         u32 olen, nlen, tlen;
397
398         if (context_struct_to_string(ocontext, &o, &olen) < 0)
399                 goto out;
400         if (context_struct_to_string(ncontext, &n, &nlen) < 0)
401                 goto out;
402         if (context_struct_to_string(tcontext, &t, &tlen) < 0)
403                 goto out;
404         audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
405                   "security_validate_transition:  denied for"
406                   " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
407                   o, n, t, policydb.p_class_val_to_name[tclass-1]);
408 out:
409         kfree(o);
410         kfree(n);
411         kfree(t);
412
413         if (!selinux_enforcing)
414                 return 0;
415         return -EPERM;
416 }
417
418 int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
419                                  u16 tclass)
420 {
421         struct context *ocontext;
422         struct context *ncontext;
423         struct context *tcontext;
424         struct class_datum *tclass_datum;
425         struct constraint_node *constraint;
426         int rc = 0;
427
428         if (!ss_initialized)
429                 return 0;
430
431         POLICY_RDLOCK;
432
433         /*
434          * Remap extended Netlink classes for old policy versions.
435          * Do this here rather than socket_type_to_security_class()
436          * in case a newer policy version is loaded, allowing sockets
437          * to remain in the correct class.
438          */
439         if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
440                 if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&
441                     tclass <= SECCLASS_NETLINK_DNRT_SOCKET)
442                         tclass = SECCLASS_NETLINK_SOCKET;
443
444         if (!tclass || tclass > policydb.p_classes.nprim) {
445                 printk(KERN_ERR "security_validate_transition:  "
446                        "unrecognized class %d\n", tclass);
447                 rc = -EINVAL;
448                 goto out;
449         }
450         tclass_datum = policydb.class_val_to_struct[tclass - 1];
451
452         ocontext = sidtab_search(&sidtab, oldsid);
453         if (!ocontext) {
454                 printk(KERN_ERR "security_validate_transition: "
455                        " unrecognized SID %d\n", oldsid);
456                 rc = -EINVAL;
457                 goto out;
458         }
459
460         ncontext = sidtab_search(&sidtab, newsid);
461         if (!ncontext) {
462                 printk(KERN_ERR "security_validate_transition: "
463                        " unrecognized SID %d\n", newsid);
464                 rc = -EINVAL;
465                 goto out;
466         }
467
468         tcontext = sidtab_search(&sidtab, tasksid);
469         if (!tcontext) {
470                 printk(KERN_ERR "security_validate_transition: "
471                        " unrecognized SID %d\n", tasksid);
472                 rc = -EINVAL;
473                 goto out;
474         }
475
476         constraint = tclass_datum->validatetrans;
477         while (constraint) {
478                 if (!constraint_expr_eval(ocontext, ncontext, tcontext,
479                                           constraint->expr)) {
480                         rc = security_validtrans_handle_fail(ocontext, ncontext,
481                                                              tcontext, tclass);
482                         goto out;
483                 }
484                 constraint = constraint->next;
485         }
486
487 out:
488         POLICY_RDUNLOCK;
489         return rc;
490 }
491
492 /**
493  * security_compute_av - Compute access vector decisions.
494  * @ssid: source security identifier
495  * @tsid: target security identifier
496  * @tclass: target security class
497  * @requested: requested permissions
498  * @avd: access vector decisions
499  *
500  * Compute a set of access vector decisions based on the
501  * SID pair (@ssid, @tsid) for the permissions in @tclass.
502  * Return -%EINVAL if any of the parameters are invalid or %0
503  * if the access vector decisions were computed successfully.
504  */
505 int security_compute_av(u32 ssid,
506                         u32 tsid,
507                         u16 tclass,
508                         u32 requested,
509                         struct av_decision *avd)
510 {
511         struct context *scontext = NULL, *tcontext = NULL;
512         int rc = 0;
513
514         if (!ss_initialized) {
515                 avd->allowed = 0xffffffff;
516                 avd->decided = 0xffffffff;
517                 avd->auditallow = 0;
518                 avd->auditdeny = 0xffffffff;
519                 avd->seqno = latest_granting;
520                 return 0;
521         }
522
523         POLICY_RDLOCK;
524
525         scontext = sidtab_search(&sidtab, ssid);
526         if (!scontext) {
527                 printk(KERN_ERR "security_compute_av:  unrecognized SID %d\n",
528                        ssid);
529                 rc = -EINVAL;
530                 goto out;
531         }
532         tcontext = sidtab_search(&sidtab, tsid);
533         if (!tcontext) {
534                 printk(KERN_ERR "security_compute_av:  unrecognized SID %d\n",
535                        tsid);
536                 rc = -EINVAL;
537                 goto out;
538         }
539
540         rc = context_struct_compute_av(scontext, tcontext, tclass,
541                                        requested, avd);
542 out:
543         POLICY_RDUNLOCK;
544         return rc;
545 }
546
547 /*
548  * Write the security context string representation of
549  * the context structure `context' into a dynamically
550  * allocated string of the correct size.  Set `*scontext'
551  * to point to this string and set `*scontext_len' to
552  * the length of the string.
553  */
554 static int context_struct_to_string(struct context *context, char **scontext, u32 *scontext_len)
555 {
556         char *scontextp;
557
558         *scontext = NULL;
559         *scontext_len = 0;
560
561         /* Compute the size of the context. */
562         *scontext_len += strlen(policydb.p_user_val_to_name[context->user - 1]) + 1;
563         *scontext_len += strlen(policydb.p_role_val_to_name[context->role - 1]) + 1;
564         *scontext_len += strlen(policydb.p_type_val_to_name[context->type - 1]) + 1;
565         *scontext_len += mls_compute_context_len(context);
566
567         /* Allocate space for the context; caller must free this space. */
568         scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
569         if (!scontextp) {
570                 return -ENOMEM;
571         }
572         *scontext = scontextp;
573
574         /*
575          * Copy the user name, role name and type name into the context.
576          */
577         sprintf(scontextp, "%s:%s:%s",
578                 policydb.p_user_val_to_name[context->user - 1],
579                 policydb.p_role_val_to_name[context->role - 1],
580                 policydb.p_type_val_to_name[context->type - 1]);
581         scontextp += strlen(policydb.p_user_val_to_name[context->user - 1]) +
582                      1 + strlen(policydb.p_role_val_to_name[context->role - 1]) +
583                      1 + strlen(policydb.p_type_val_to_name[context->type - 1]);
584
585         mls_sid_to_context(context, &scontextp);
586
587         *scontextp = 0;
588
589         return 0;
590 }
591
592 #include "initial_sid_to_string.h"
593
594 /**
595  * security_sid_to_context - Obtain a context for a given SID.
596  * @sid: security identifier, SID
597  * @scontext: security context
598  * @scontext_len: length in bytes
599  *
600  * Write the string representation of the context associated with @sid
601  * into a dynamically allocated string of the correct size.  Set @scontext
602  * to point to this string and set @scontext_len to the length of the string.
603  */
604 int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
605 {
606         struct context *context;
607         int rc = 0;
608
609         if (!ss_initialized) {
610                 if (sid <= SECINITSID_NUM) {
611                         char *scontextp;
612
613                         *scontext_len = strlen(initial_sid_to_string[sid]) + 1;
614                         scontextp = kmalloc(*scontext_len,GFP_ATOMIC);
615                         if (!scontextp) {
616                                 rc = -ENOMEM;
617                                 goto out;
618                         }
619                         strcpy(scontextp, initial_sid_to_string[sid]);
620                         *scontext = scontextp;
621                         goto out;
622                 }
623                 printk(KERN_ERR "security_sid_to_context:  called before initial "
624                        "load_policy on unknown SID %d\n", sid);
625                 rc = -EINVAL;
626                 goto out;
627         }
628         POLICY_RDLOCK;
629         context = sidtab_search(&sidtab, sid);
630         if (!context) {
631                 printk(KERN_ERR "security_sid_to_context:  unrecognized SID "
632                        "%d\n", sid);
633                 rc = -EINVAL;
634                 goto out_unlock;
635         }
636         rc = context_struct_to_string(context, scontext, scontext_len);
637 out_unlock:
638         POLICY_RDUNLOCK;
639 out:
640         return rc;
641
642 }
643
644 static int security_context_to_sid_core(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid)
645 {
646         char *scontext2;
647         struct context context;
648         struct role_datum *role;
649         struct type_datum *typdatum;
650         struct user_datum *usrdatum;
651         char *scontextp, *p, oldc;
652         int rc = 0;
653
654         if (!ss_initialized) {
655                 int i;
656
657                 for (i = 1; i < SECINITSID_NUM; i++) {
658                         if (!strcmp(initial_sid_to_string[i], scontext)) {
659                                 *sid = i;
660                                 goto out;
661                         }
662                 }
663                 *sid = SECINITSID_KERNEL;
664                 goto out;
665         }
666         *sid = SECSID_NULL;
667
668         /* Copy the string so that we can modify the copy as we parse it.
669            The string should already by null terminated, but we append a
670            null suffix to the copy to avoid problems with the existing
671            attr package, which doesn't view the null terminator as part
672            of the attribute value. */
673         scontext2 = kmalloc(scontext_len+1,GFP_KERNEL);
674         if (!scontext2) {
675                 rc = -ENOMEM;
676                 goto out;
677         }
678         memcpy(scontext2, scontext, scontext_len);
679         scontext2[scontext_len] = 0;
680
681         context_init(&context);
682         *sid = SECSID_NULL;
683
684         POLICY_RDLOCK;
685
686         /* Parse the security context. */
687
688         rc = -EINVAL;
689         scontextp = (char *) scontext2;
690
691         /* Extract the user. */
692         p = scontextp;
693         while (*p && *p != ':')
694                 p++;
695
696         if (*p == 0)
697                 goto out_unlock;
698
699         *p++ = 0;
700
701         usrdatum = hashtab_search(policydb.p_users.table, scontextp);
702         if (!usrdatum)
703                 goto out_unlock;
704
705         context.user = usrdatum->value;
706
707         /* Extract role. */
708         scontextp = p;
709         while (*p && *p != ':')
710                 p++;
711
712         if (*p == 0)
713                 goto out_unlock;
714
715         *p++ = 0;
716
717         role = hashtab_search(policydb.p_roles.table, scontextp);
718         if (!role)
719                 goto out_unlock;
720         context.role = role->value;
721
722         /* Extract type. */
723         scontextp = p;
724         while (*p && *p != ':')
725                 p++;
726         oldc = *p;
727         *p++ = 0;
728
729         typdatum = hashtab_search(policydb.p_types.table, scontextp);
730         if (!typdatum)
731                 goto out_unlock;
732
733         context.type = typdatum->value;
734
735         rc = mls_context_to_sid(oldc, &p, &context, &sidtab, def_sid);
736         if (rc)
737                 goto out_unlock;
738
739         if ((p - scontext2) < scontext_len) {
740                 rc = -EINVAL;
741                 goto out_unlock;
742         }
743
744         /* Check the validity of the new context. */
745         if (!policydb_context_isvalid(&policydb, &context)) {
746                 rc = -EINVAL;
747                 goto out_unlock;
748         }
749         /* Obtain the new sid. */
750         rc = sidtab_context_to_sid(&sidtab, &context, sid);
751 out_unlock:
752         POLICY_RDUNLOCK;
753         context_destroy(&context);
754         kfree(scontext2);
755 out:
756         return rc;
757 }
758
759 /**
760  * security_context_to_sid - Obtain a SID for a given security context.
761  * @scontext: security context
762  * @scontext_len: length in bytes
763  * @sid: security identifier, SID
764  *
765  * Obtains a SID associated with the security context that
766  * has the string representation specified by @scontext.
767  * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
768  * memory is available, or 0 on success.
769  */
770 int security_context_to_sid(char *scontext, u32 scontext_len, u32 *sid)
771 {
772         return security_context_to_sid_core(scontext, scontext_len,
773                                             sid, SECSID_NULL);
774 }
775
776 /**
777  * security_context_to_sid_default - Obtain a SID for a given security context,
778  * falling back to specified default if needed.
779  *
780  * @scontext: security context
781  * @scontext_len: length in bytes
782  * @sid: security identifier, SID
783  * @def_sid: default SID to assign on errror
784  *
785  * Obtains a SID associated with the security context that
786  * has the string representation specified by @scontext.
787  * The default SID is passed to the MLS layer to be used to allow
788  * kernel labeling of the MLS field if the MLS field is not present
789  * (for upgrading to MLS without full relabel).
790  * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
791  * memory is available, or 0 on success.
792  */
793 int security_context_to_sid_default(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid)
794 {
795         return security_context_to_sid_core(scontext, scontext_len,
796                                             sid, def_sid);
797 }
798
799 static int compute_sid_handle_invalid_context(
800         struct context *scontext,
801         struct context *tcontext,
802         u16 tclass,
803         struct context *newcontext)
804 {
805         char *s = NULL, *t = NULL, *n = NULL;
806         u32 slen, tlen, nlen;
807
808         if (context_struct_to_string(scontext, &s, &slen) < 0)
809                 goto out;
810         if (context_struct_to_string(tcontext, &t, &tlen) < 0)
811                 goto out;
812         if (context_struct_to_string(newcontext, &n, &nlen) < 0)
813                 goto out;
814         audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
815                   "security_compute_sid:  invalid context %s"
816                   " for scontext=%s"
817                   " tcontext=%s"
818                   " tclass=%s",
819                   n, s, t, policydb.p_class_val_to_name[tclass-1]);
820 out:
821         kfree(s);
822         kfree(t);
823         kfree(n);
824         if (!selinux_enforcing)
825                 return 0;
826         return -EACCES;
827 }
828
829 static int security_compute_sid(u32 ssid,
830                                 u32 tsid,
831                                 u16 tclass,
832                                 u32 specified,
833                                 u32 *out_sid)
834 {
835         struct context *scontext = NULL, *tcontext = NULL, newcontext;
836         struct role_trans *roletr = NULL;
837         struct avtab_key avkey;
838         struct avtab_datum *avdatum;
839         struct avtab_node *node;
840         int rc = 0;
841
842         if (!ss_initialized) {
843                 switch (tclass) {
844                 case SECCLASS_PROCESS:
845                         *out_sid = ssid;
846                         break;
847                 default:
848                         *out_sid = tsid;
849                         break;
850                 }
851                 goto out;
852         }
853
854         context_init(&newcontext);
855
856         POLICY_RDLOCK;
857
858         scontext = sidtab_search(&sidtab, ssid);
859         if (!scontext) {
860                 printk(KERN_ERR "security_compute_sid:  unrecognized SID %d\n",
861                        ssid);
862                 rc = -EINVAL;
863                 goto out_unlock;
864         }
865         tcontext = sidtab_search(&sidtab, tsid);
866         if (!tcontext) {
867                 printk(KERN_ERR "security_compute_sid:  unrecognized SID %d\n",
868                        tsid);
869                 rc = -EINVAL;
870                 goto out_unlock;
871         }
872
873         /* Set the user identity. */
874         switch (specified) {
875         case AVTAB_TRANSITION:
876         case AVTAB_CHANGE:
877                 /* Use the process user identity. */
878                 newcontext.user = scontext->user;
879                 break;
880         case AVTAB_MEMBER:
881                 /* Use the related object owner. */
882                 newcontext.user = tcontext->user;
883                 break;
884         }
885
886         /* Set the role and type to default values. */
887         switch (tclass) {
888         case SECCLASS_PROCESS:
889                 /* Use the current role and type of process. */
890                 newcontext.role = scontext->role;
891                 newcontext.type = scontext->type;
892                 break;
893         default:
894                 /* Use the well-defined object role. */
895                 newcontext.role = OBJECT_R_VAL;
896                 /* Use the type of the related object. */
897                 newcontext.type = tcontext->type;
898         }
899
900         /* Look for a type transition/member/change rule. */
901         avkey.source_type = scontext->type;
902         avkey.target_type = tcontext->type;
903         avkey.target_class = tclass;
904         avkey.specified = specified;
905         avdatum = avtab_search(&policydb.te_avtab, &avkey);
906
907         /* If no permanent rule, also check for enabled conditional rules */
908         if(!avdatum) {
909                 node = avtab_search_node(&policydb.te_cond_avtab, &avkey);
910                 for (; node != NULL; node = avtab_search_node_next(node, specified)) {
911                         if (node->key.specified & AVTAB_ENABLED) {
912                                 avdatum = &node->datum;
913                                 break;
914                         }
915                 }
916         }
917
918         if (avdatum) {
919                 /* Use the type from the type transition/member/change rule. */
920                 newcontext.type = avdatum->data;
921         }
922
923         /* Check for class-specific changes. */
924         switch (tclass) {
925         case SECCLASS_PROCESS:
926                 if (specified & AVTAB_TRANSITION) {
927                         /* Look for a role transition rule. */
928                         for (roletr = policydb.role_tr; roletr;
929                              roletr = roletr->next) {
930                                 if (roletr->role == scontext->role &&
931                                     roletr->type == tcontext->type) {
932                                         /* Use the role transition rule. */
933                                         newcontext.role = roletr->new_role;
934                                         break;
935                                 }
936                         }
937                 }
938                 break;
939         default:
940                 break;
941         }
942
943         /* Set the MLS attributes.
944            This is done last because it may allocate memory. */
945         rc = mls_compute_sid(scontext, tcontext, tclass, specified, &newcontext);
946         if (rc)
947                 goto out_unlock;
948
949         /* Check the validity of the context. */
950         if (!policydb_context_isvalid(&policydb, &newcontext)) {
951                 rc = compute_sid_handle_invalid_context(scontext,
952                                                         tcontext,
953                                                         tclass,
954                                                         &newcontext);
955                 if (rc)
956                         goto out_unlock;
957         }
958         /* Obtain the sid for the context. */
959         rc = sidtab_context_to_sid(&sidtab, &newcontext, out_sid);
960 out_unlock:
961         POLICY_RDUNLOCK;
962         context_destroy(&newcontext);
963 out:
964         return rc;
965 }
966
967 /**
968  * security_transition_sid - Compute the SID for a new subject/object.
969  * @ssid: source security identifier
970  * @tsid: target security identifier
971  * @tclass: target security class
972  * @out_sid: security identifier for new subject/object
973  *
974  * Compute a SID to use for labeling a new subject or object in the
975  * class @tclass based on a SID pair (@ssid, @tsid).
976  * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
977  * if insufficient memory is available, or %0 if the new SID was
978  * computed successfully.
979  */
980 int security_transition_sid(u32 ssid,
981                             u32 tsid,
982                             u16 tclass,
983                             u32 *out_sid)
984 {
985         return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, out_sid);
986 }
987
988 /**
989  * security_member_sid - Compute the SID for member selection.
990  * @ssid: source security identifier
991  * @tsid: target security identifier
992  * @tclass: target security class
993  * @out_sid: security identifier for selected member
994  *
995  * Compute a SID to use when selecting a member of a polyinstantiated
996  * object of class @tclass based on a SID pair (@ssid, @tsid).
997  * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
998  * if insufficient memory is available, or %0 if the SID was
999  * computed successfully.
1000  */
1001 int security_member_sid(u32 ssid,
1002                         u32 tsid,
1003                         u16 tclass,
1004                         u32 *out_sid)
1005 {
1006         return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid);
1007 }
1008
1009 /**
1010  * security_change_sid - Compute the SID for object relabeling.
1011  * @ssid: source security identifier
1012  * @tsid: target security identifier
1013  * @tclass: target security class
1014  * @out_sid: security identifier for selected member
1015  *
1016  * Compute a SID to use for relabeling an object of class @tclass
1017  * based on a SID pair (@ssid, @tsid).
1018  * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
1019  * if insufficient memory is available, or %0 if the SID was
1020  * computed successfully.
1021  */
1022 int security_change_sid(u32 ssid,
1023                         u32 tsid,
1024                         u16 tclass,
1025                         u32 *out_sid)
1026 {
1027         return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid);
1028 }
1029
1030 /*
1031  * Verify that each kernel class that is defined in the
1032  * policy is correct
1033  */
1034 static int validate_classes(struct policydb *p)
1035 {
1036         int i, j;
1037         struct class_datum *cladatum;
1038         struct perm_datum *perdatum;
1039         u32 nprim, tmp, common_pts_len, perm_val, pol_val;
1040         u16 class_val;
1041         const struct selinux_class_perm *kdefs = &selinux_class_perm;
1042         const char *def_class, *def_perm, *pol_class;
1043         struct symtab *perms;
1044
1045         for (i = 1; i < kdefs->cts_len; i++) {
1046                 def_class = kdefs->class_to_string[i];
1047                 if (i > p->p_classes.nprim) {
1048                         printk(KERN_INFO
1049                                "security:  class %s not defined in policy\n",
1050                                def_class);
1051                         continue;
1052                 }
1053                 pol_class = p->p_class_val_to_name[i-1];
1054                 if (strcmp(pol_class, def_class)) {
1055                         printk(KERN_ERR
1056                                "security:  class %d is incorrect, found %s but should be %s\n",
1057                                i, pol_class, def_class);
1058                         return -EINVAL;
1059                 }
1060         }
1061         for (i = 0; i < kdefs->av_pts_len; i++) {
1062                 class_val = kdefs->av_perm_to_string[i].tclass;
1063                 perm_val = kdefs->av_perm_to_string[i].value;
1064                 def_perm = kdefs->av_perm_to_string[i].name;
1065                 if (class_val > p->p_classes.nprim)
1066                         continue;
1067                 pol_class = p->p_class_val_to_name[class_val-1];
1068                 cladatum = hashtab_search(p->p_classes.table, pol_class);
1069                 BUG_ON(!cladatum);
1070                 perms = &cladatum->permissions;
1071                 nprim = 1 << (perms->nprim - 1);
1072                 if (perm_val > nprim) {
1073                         printk(KERN_INFO
1074                                "security:  permission %s in class %s not defined in policy\n",
1075                                def_perm, pol_class);
1076                         continue;
1077                 }
1078                 perdatum = hashtab_search(perms->table, def_perm);
1079                 if (perdatum == NULL) {
1080                         printk(KERN_ERR
1081                                "security:  permission %s in class %s not found in policy\n",
1082                                def_perm, pol_class);
1083                         return -EINVAL;
1084                 }
1085                 pol_val = 1 << (perdatum->value - 1);
1086                 if (pol_val != perm_val) {
1087                         printk(KERN_ERR
1088                                "security:  permission %s in class %s has incorrect value\n",
1089                                def_perm, pol_class);
1090                         return -EINVAL;
1091                 }
1092         }
1093         for (i = 0; i < kdefs->av_inherit_len; i++) {
1094                 class_val = kdefs->av_inherit[i].tclass;
1095                 if (class_val > p->p_classes.nprim)
1096                         continue;
1097                 pol_class = p->p_class_val_to_name[class_val-1];
1098                 cladatum = hashtab_search(p->p_classes.table, pol_class);
1099                 BUG_ON(!cladatum);
1100                 if (!cladatum->comdatum) {
1101                         printk(KERN_ERR
1102                                "security:  class %s should have an inherits clause but does not\n",
1103                                pol_class);
1104                         return -EINVAL;
1105                 }
1106                 tmp = kdefs->av_inherit[i].common_base;
1107                 common_pts_len = 0;
1108                 while (!(tmp & 0x01)) {
1109                         common_pts_len++;
1110                         tmp >>= 1;
1111                 }
1112                 perms = &cladatum->comdatum->permissions;
1113                 for (j = 0; j < common_pts_len; j++) {
1114                         def_perm = kdefs->av_inherit[i].common_pts[j];
1115                         if (j >= perms->nprim) {
1116                                 printk(KERN_INFO
1117                                        "security:  permission %s in class %s not defined in policy\n",
1118                                        def_perm, pol_class);
1119                                 continue;
1120                         }
1121                         perdatum = hashtab_search(perms->table, def_perm);
1122                         if (perdatum == NULL) {
1123                                 printk(KERN_ERR
1124                                        "security:  permission %s in class %s not found in policy\n",
1125                                        def_perm, pol_class);
1126                                 return -EINVAL;
1127                         }
1128                         if (perdatum->value != j + 1) {
1129                                 printk(KERN_ERR
1130                                        "security:  permission %s in class %s has incorrect value\n",
1131                                        def_perm, pol_class);
1132                                 return -EINVAL;
1133                         }
1134                 }
1135         }
1136         return 0;
1137 }
1138
1139 /* Clone the SID into the new SID table. */
1140 static int clone_sid(u32 sid,
1141                      struct context *context,
1142                      void *arg)
1143 {
1144         struct sidtab *s = arg;
1145
1146         return sidtab_insert(s, sid, context);
1147 }
1148
1149 static inline int convert_context_handle_invalid_context(struct context *context)
1150 {
1151         int rc = 0;
1152
1153         if (selinux_enforcing) {
1154                 rc = -EINVAL;
1155         } else {
1156                 char *s;
1157                 u32 len;
1158
1159                 context_struct_to_string(context, &s, &len);
1160                 printk(KERN_ERR "security:  context %s is invalid\n", s);
1161                 kfree(s);
1162         }
1163         return rc;
1164 }
1165
1166 struct convert_context_args {
1167         struct policydb *oldp;
1168         struct policydb *newp;
1169 };
1170
1171 /*
1172  * Convert the values in the security context
1173  * structure `c' from the values specified
1174  * in the policy `p->oldp' to the values specified
1175  * in the policy `p->newp'.  Verify that the
1176  * context is valid under the new policy.
1177  */
1178 static int convert_context(u32 key,
1179                            struct context *c,
1180                            void *p)
1181 {
1182         struct convert_context_args *args;
1183         struct context oldc;
1184         struct role_datum *role;
1185         struct type_datum *typdatum;
1186         struct user_datum *usrdatum;
1187         char *s;
1188         u32 len;
1189         int rc;
1190
1191         args = p;
1192
1193         rc = context_cpy(&oldc, c);
1194         if (rc)
1195                 goto out;
1196
1197         rc = -EINVAL;
1198
1199         /* Convert the user. */
1200         usrdatum = hashtab_search(args->newp->p_users.table,
1201                                   args->oldp->p_user_val_to_name[c->user - 1]);
1202         if (!usrdatum) {
1203                 goto bad;
1204         }
1205         c->user = usrdatum->value;
1206
1207         /* Convert the role. */
1208         role = hashtab_search(args->newp->p_roles.table,
1209                               args->oldp->p_role_val_to_name[c->role - 1]);
1210         if (!role) {
1211                 goto bad;
1212         }
1213         c->role = role->value;
1214
1215         /* Convert the type. */
1216         typdatum = hashtab_search(args->newp->p_types.table,
1217                                   args->oldp->p_type_val_to_name[c->type - 1]);
1218         if (!typdatum) {
1219                 goto bad;
1220         }
1221         c->type = typdatum->value;
1222
1223         rc = mls_convert_context(args->oldp, args->newp, c);
1224         if (rc)
1225                 goto bad;
1226
1227         /* Check the validity of the new context. */
1228         if (!policydb_context_isvalid(args->newp, c)) {
1229                 rc = convert_context_handle_invalid_context(&oldc);
1230                 if (rc)
1231                         goto bad;
1232         }
1233
1234         context_destroy(&oldc);
1235 out:
1236         return rc;
1237 bad:
1238         context_struct_to_string(&oldc, &s, &len);
1239         context_destroy(&oldc);
1240         printk(KERN_ERR "security:  invalidating context %s\n", s);
1241         kfree(s);
1242         goto out;
1243 }
1244
1245 extern void selinux_complete_init(void);
1246
1247 /**
1248  * security_load_policy - Load a security policy configuration.
1249  * @data: binary policy data
1250  * @len: length of data in bytes
1251  *
1252  * Load a new set of security policy configuration data,
1253  * validate it and convert the SID table as necessary.
1254  * This function will flush the access vector cache after
1255  * loading the new policy.
1256  */
1257 int security_load_policy(void *data, size_t len)
1258 {
1259         struct policydb oldpolicydb, newpolicydb;
1260         struct sidtab oldsidtab, newsidtab;
1261         struct convert_context_args args;
1262         u32 seqno;
1263         int rc = 0;
1264         struct policy_file file = { data, len }, *fp = &file;
1265
1266         LOAD_LOCK;
1267
1268         if (!ss_initialized) {
1269                 avtab_cache_init();
1270                 if (policydb_read(&policydb, fp)) {
1271                         LOAD_UNLOCK;
1272                         avtab_cache_destroy();
1273                         return -EINVAL;
1274                 }
1275                 if (policydb_load_isids(&policydb, &sidtab)) {
1276                         LOAD_UNLOCK;
1277                         policydb_destroy(&policydb);
1278                         avtab_cache_destroy();
1279                         return -EINVAL;
1280                 }
1281                 /* Verify that the kernel defined classes are correct. */
1282                 if (validate_classes(&policydb)) {
1283                         printk(KERN_ERR
1284                                "security:  the definition of a class is incorrect\n");
1285                         LOAD_UNLOCK;
1286                         sidtab_destroy(&sidtab);
1287                         policydb_destroy(&policydb);
1288                         avtab_cache_destroy();
1289                         return -EINVAL;
1290                 }
1291                 policydb_loaded_version = policydb.policyvers;
1292                 ss_initialized = 1;
1293                 seqno = ++latest_granting;
1294                 LOAD_UNLOCK;
1295                 selinux_complete_init();
1296                 avc_ss_reset(seqno);
1297                 selnl_notify_policyload(seqno);
1298                 selinux_netlbl_cache_invalidate();
1299                 return 0;
1300         }
1301
1302 #if 0
1303         sidtab_hash_eval(&sidtab, "sids");
1304 #endif
1305
1306         if (policydb_read(&newpolicydb, fp)) {
1307                 LOAD_UNLOCK;
1308                 return -EINVAL;
1309         }
1310
1311         sidtab_init(&newsidtab);
1312
1313         /* Verify that the kernel defined classes are correct. */
1314         if (validate_classes(&newpolicydb)) {
1315                 printk(KERN_ERR
1316                        "security:  the definition of a class is incorrect\n");
1317                 rc = -EINVAL;
1318                 goto err;
1319         }
1320
1321         /* Clone the SID table. */
1322         sidtab_shutdown(&sidtab);
1323         if (sidtab_map(&sidtab, clone_sid, &newsidtab)) {
1324                 rc = -ENOMEM;
1325                 goto err;
1326         }
1327
1328         /* Convert the internal representations of contexts
1329            in the new SID table and remove invalid SIDs. */
1330         args.oldp = &policydb;
1331         args.newp = &newpolicydb;
1332         sidtab_map_remove_on_error(&newsidtab, convert_context, &args);
1333
1334         /* Save the old policydb and SID table to free later. */
1335         memcpy(&oldpolicydb, &policydb, sizeof policydb);
1336         sidtab_set(&oldsidtab, &sidtab);
1337
1338         /* Install the new policydb and SID table. */
1339         POLICY_WRLOCK;
1340         memcpy(&policydb, &newpolicydb, sizeof policydb);
1341         sidtab_set(&sidtab, &newsidtab);
1342         seqno = ++latest_granting;
1343         policydb_loaded_version = policydb.policyvers;
1344         POLICY_WRUNLOCK;
1345         LOAD_UNLOCK;
1346
1347         /* Free the old policydb and SID table. */
1348         policydb_destroy(&oldpolicydb);
1349         sidtab_destroy(&oldsidtab);
1350
1351         avc_ss_reset(seqno);
1352         selnl_notify_policyload(seqno);
1353         selinux_netlbl_cache_invalidate();
1354
1355         return 0;
1356
1357 err:
1358         LOAD_UNLOCK;
1359         sidtab_destroy(&newsidtab);
1360         policydb_destroy(&newpolicydb);
1361         return rc;
1362
1363 }
1364
1365 /**
1366  * security_port_sid - Obtain the SID for a port.
1367  * @domain: communication domain aka address family
1368  * @type: socket type
1369  * @protocol: protocol number
1370  * @port: port number
1371  * @out_sid: security identifier
1372  */
1373 int security_port_sid(u16 domain,
1374                       u16 type,
1375                       u8 protocol,
1376                       u16 port,
1377                       u32 *out_sid)
1378 {
1379         struct ocontext *c;
1380         int rc = 0;
1381
1382         POLICY_RDLOCK;
1383
1384         c = policydb.ocontexts[OCON_PORT];
1385         while (c) {
1386                 if (c->u.port.protocol == protocol &&
1387                     c->u.port.low_port <= port &&
1388                     c->u.port.high_port >= port)
1389                         break;
1390                 c = c->next;
1391         }
1392
1393         if (c) {
1394                 if (!c->sid[0]) {
1395                         rc = sidtab_context_to_sid(&sidtab,
1396                                                    &c->context[0],
1397                                                    &c->sid[0]);
1398                         if (rc)
1399                                 goto out;
1400                 }
1401                 *out_sid = c->sid[0];
1402         } else {
1403                 *out_sid = SECINITSID_PORT;
1404         }
1405
1406 out:
1407         POLICY_RDUNLOCK;
1408         return rc;
1409 }
1410
1411 /**
1412  * security_netif_sid - Obtain the SID for a network interface.
1413  * @name: interface name
1414  * @if_sid: interface SID
1415  * @msg_sid: default SID for received packets
1416  */
1417 int security_netif_sid(char *name,
1418                        u32 *if_sid,
1419                        u32 *msg_sid)
1420 {
1421         int rc = 0;
1422         struct ocontext *c;
1423
1424         POLICY_RDLOCK;
1425
1426         c = policydb.ocontexts[OCON_NETIF];
1427         while (c) {
1428                 if (strcmp(name, c->u.name) == 0)
1429                         break;
1430                 c = c->next;
1431         }
1432
1433         if (c) {
1434                 if (!c->sid[0] || !c->sid[1]) {
1435                         rc = sidtab_context_to_sid(&sidtab,
1436                                                   &c->context[0],
1437                                                   &c->sid[0]);
1438                         if (rc)
1439                                 goto out;
1440                         rc = sidtab_context_to_sid(&sidtab,
1441                                                    &c->context[1],
1442                                                    &c->sid[1]);
1443                         if (rc)
1444                                 goto out;
1445                 }
1446                 *if_sid = c->sid[0];
1447                 *msg_sid = c->sid[1];
1448         } else {
1449                 *if_sid = SECINITSID_NETIF;
1450                 *msg_sid = SECINITSID_NETMSG;
1451         }
1452
1453 out:
1454         POLICY_RDUNLOCK;
1455         return rc;
1456 }
1457
1458 static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask)
1459 {
1460         int i, fail = 0;
1461
1462         for(i = 0; i < 4; i++)
1463                 if(addr[i] != (input[i] & mask[i])) {
1464                         fail = 1;
1465                         break;
1466                 }
1467
1468         return !fail;
1469 }
1470
1471 /**
1472  * security_node_sid - Obtain the SID for a node (host).
1473  * @domain: communication domain aka address family
1474  * @addrp: address
1475  * @addrlen: address length in bytes
1476  * @out_sid: security identifier
1477  */
1478 int security_node_sid(u16 domain,
1479                       void *addrp,
1480                       u32 addrlen,
1481                       u32 *out_sid)
1482 {
1483         int rc = 0;
1484         struct ocontext *c;
1485
1486         POLICY_RDLOCK;
1487
1488         switch (domain) {
1489         case AF_INET: {
1490                 u32 addr;
1491
1492                 if (addrlen != sizeof(u32)) {
1493                         rc = -EINVAL;
1494                         goto out;
1495                 }
1496
1497                 addr = *((u32 *)addrp);
1498
1499                 c = policydb.ocontexts[OCON_NODE];
1500                 while (c) {
1501                         if (c->u.node.addr == (addr & c->u.node.mask))
1502                                 break;
1503                         c = c->next;
1504                 }
1505                 break;
1506         }
1507
1508         case AF_INET6:
1509                 if (addrlen != sizeof(u64) * 2) {
1510                         rc = -EINVAL;
1511                         goto out;
1512                 }
1513                 c = policydb.ocontexts[OCON_NODE6];
1514                 while (c) {
1515                         if (match_ipv6_addrmask(addrp, c->u.node6.addr,
1516                                                 c->u.node6.mask))
1517                                 break;
1518                         c = c->next;
1519                 }
1520                 break;
1521
1522         default:
1523                 *out_sid = SECINITSID_NODE;
1524                 goto out;
1525         }
1526
1527         if (c) {
1528                 if (!c->sid[0]) {
1529                         rc = sidtab_context_to_sid(&sidtab,
1530                                                    &c->context[0],
1531                                                    &c->sid[0]);
1532                         if (rc)
1533                                 goto out;
1534                 }
1535                 *out_sid = c->sid[0];
1536         } else {
1537                 *out_sid = SECINITSID_NODE;
1538         }
1539
1540 out:
1541         POLICY_RDUNLOCK;
1542         return rc;
1543 }
1544
1545 #define SIDS_NEL 25
1546
1547 /**
1548  * security_get_user_sids - Obtain reachable SIDs for a user.
1549  * @fromsid: starting SID
1550  * @username: username
1551  * @sids: array of reachable SIDs for user
1552  * @nel: number of elements in @sids
1553  *
1554  * Generate the set of SIDs for legal security contexts
1555  * for a given user that can be reached by @fromsid.
1556  * Set *@sids to point to a dynamically allocated
1557  * array containing the set of SIDs.  Set *@nel to the
1558  * number of elements in the array.
1559  */
1560
1561 int security_get_user_sids(u32 fromsid,
1562                            char *username,
1563                            u32 **sids,
1564                            u32 *nel)
1565 {
1566         struct context *fromcon, usercon;
1567         u32 *mysids, *mysids2, sid;
1568         u32 mynel = 0, maxnel = SIDS_NEL;
1569         struct user_datum *user;
1570         struct role_datum *role;
1571         struct av_decision avd;
1572         struct ebitmap_node *rnode, *tnode;
1573         int rc = 0, i, j;
1574
1575         if (!ss_initialized) {
1576                 *sids = NULL;
1577                 *nel = 0;
1578                 goto out;
1579         }
1580
1581         POLICY_RDLOCK;
1582
1583         fromcon = sidtab_search(&sidtab, fromsid);
1584         if (!fromcon) {
1585                 rc = -EINVAL;
1586                 goto out_unlock;
1587         }
1588
1589         user = hashtab_search(policydb.p_users.table, username);
1590         if (!user) {
1591                 rc = -EINVAL;
1592                 goto out_unlock;
1593         }
1594         usercon.user = user->value;
1595
1596         mysids = kcalloc(maxnel, sizeof(*mysids), GFP_ATOMIC);
1597         if (!mysids) {
1598                 rc = -ENOMEM;
1599                 goto out_unlock;
1600         }
1601
1602         ebitmap_for_each_bit(&user->roles, rnode, i) {
1603                 if (!ebitmap_node_get_bit(rnode, i))
1604                         continue;
1605                 role = policydb.role_val_to_struct[i];
1606                 usercon.role = i+1;
1607                 ebitmap_for_each_bit(&role->types, tnode, j) {
1608                         if (!ebitmap_node_get_bit(tnode, j))
1609                                 continue;
1610                         usercon.type = j+1;
1611
1612                         if (mls_setup_user_range(fromcon, user, &usercon))
1613                                 continue;
1614
1615                         rc = context_struct_compute_av(fromcon, &usercon,
1616                                                        SECCLASS_PROCESS,
1617                                                        PROCESS__TRANSITION,
1618                                                        &avd);
1619                         if (rc ||  !(avd.allowed & PROCESS__TRANSITION))
1620                                 continue;
1621                         rc = sidtab_context_to_sid(&sidtab, &usercon, &sid);
1622                         if (rc) {
1623                                 kfree(mysids);
1624                                 goto out_unlock;
1625                         }
1626                         if (mynel < maxnel) {
1627                                 mysids[mynel++] = sid;
1628                         } else {
1629                                 maxnel += SIDS_NEL;
1630                                 mysids2 = kcalloc(maxnel, sizeof(*mysids2), GFP_ATOMIC);
1631                                 if (!mysids2) {
1632                                         rc = -ENOMEM;
1633                                         kfree(mysids);
1634                                         goto out_unlock;
1635                                 }
1636                                 memcpy(mysids2, mysids, mynel * sizeof(*mysids2));
1637                                 kfree(mysids);
1638                                 mysids = mysids2;
1639                                 mysids[mynel++] = sid;
1640                         }
1641                 }
1642         }
1643
1644         *sids = mysids;
1645         *nel = mynel;
1646
1647 out_unlock:
1648         POLICY_RDUNLOCK;
1649 out:
1650         return rc;
1651 }
1652
1653 /**
1654  * security_genfs_sid - Obtain a SID for a file in a filesystem
1655  * @fstype: filesystem type
1656  * @path: path from root of mount
1657  * @sclass: file security class
1658  * @sid: SID for path
1659  *
1660  * Obtain a SID to use for a file in a filesystem that
1661  * cannot support xattr or use a fixed labeling behavior like
1662  * transition SIDs or task SIDs.
1663  */
1664 int security_genfs_sid(const char *fstype,
1665                        char *path,
1666                        u16 sclass,
1667                        u32 *sid)
1668 {
1669         int len;
1670         struct genfs *genfs;
1671         struct ocontext *c;
1672         int rc = 0, cmp = 0;
1673
1674         POLICY_RDLOCK;
1675
1676         for (genfs = policydb.genfs; genfs; genfs = genfs->next) {
1677                 cmp = strcmp(fstype, genfs->fstype);
1678                 if (cmp <= 0)
1679                         break;
1680         }
1681
1682         if (!genfs || cmp) {
1683                 *sid = SECINITSID_UNLABELED;
1684                 rc = -ENOENT;
1685                 goto out;
1686         }
1687
1688         for (c = genfs->head; c; c = c->next) {
1689                 len = strlen(c->u.name);
1690                 if ((!c->v.sclass || sclass == c->v.sclass) &&
1691                     (strncmp(c->u.name, path, len) == 0))
1692                         break;
1693         }
1694
1695         if (!c) {
1696                 *sid = SECINITSID_UNLABELED;
1697                 rc = -ENOENT;
1698                 goto out;
1699         }
1700
1701         if (!c->sid[0]) {
1702                 rc = sidtab_context_to_sid(&sidtab,
1703                                            &c->context[0],
1704                                            &c->sid[0]);
1705                 if (rc)
1706                         goto out;
1707         }
1708
1709         *sid = c->sid[0];
1710 out:
1711         POLICY_RDUNLOCK;
1712         return rc;
1713 }
1714
1715 /**
1716  * security_fs_use - Determine how to handle labeling for a filesystem.
1717  * @fstype: filesystem type
1718  * @behavior: labeling behavior
1719  * @sid: SID for filesystem (superblock)
1720  */
1721 int security_fs_use(
1722         const char *fstype,
1723         unsigned int *behavior,
1724         u32 *sid)
1725 {
1726         int rc = 0;
1727         struct ocontext *c;
1728
1729         POLICY_RDLOCK;
1730
1731         c = policydb.ocontexts[OCON_FSUSE];
1732         while (c) {
1733                 if (strcmp(fstype, c->u.name) == 0)
1734                         break;
1735                 c = c->next;
1736         }
1737
1738         if (c) {
1739                 *behavior = c->v.behavior;
1740                 if (!c->sid[0]) {
1741                         rc = sidtab_context_to_sid(&sidtab,
1742                                                    &c->context[0],
1743                                                    &c->sid[0]);
1744                         if (rc)
1745                                 goto out;
1746                 }
1747                 *sid = c->sid[0];
1748         } else {
1749                 rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, sid);
1750                 if (rc) {
1751                         *behavior = SECURITY_FS_USE_NONE;
1752                         rc = 0;
1753                 } else {
1754                         *behavior = SECURITY_FS_USE_GENFS;
1755                 }
1756         }
1757
1758 out:
1759         POLICY_RDUNLOCK;
1760         return rc;
1761 }
1762
1763 int security_get_bools(int *len, char ***names, int **values)
1764 {
1765         int i, rc = -ENOMEM;
1766
1767         POLICY_RDLOCK;
1768         *names = NULL;
1769         *values = NULL;
1770
1771         *len = policydb.p_bools.nprim;
1772         if (!*len) {
1773                 rc = 0;
1774                 goto out;
1775         }
1776
1777        *names = kcalloc(*len, sizeof(char*), GFP_ATOMIC);
1778         if (!*names)
1779                 goto err;
1780
1781        *values = kcalloc(*len, sizeof(int), GFP_ATOMIC);
1782         if (!*values)
1783                 goto err;
1784
1785         for (i = 0; i < *len; i++) {
1786                 size_t name_len;
1787                 (*values)[i] = policydb.bool_val_to_struct[i]->state;
1788                 name_len = strlen(policydb.p_bool_val_to_name[i]) + 1;
1789                (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC);
1790                 if (!(*names)[i])
1791                         goto err;
1792                 strncpy((*names)[i], policydb.p_bool_val_to_name[i], name_len);
1793                 (*names)[i][name_len - 1] = 0;
1794         }
1795         rc = 0;
1796 out:
1797         POLICY_RDUNLOCK;
1798         return rc;
1799 err:
1800         if (*names) {
1801                 for (i = 0; i < *len; i++)
1802                         kfree((*names)[i]);
1803         }
1804         kfree(*values);
1805         goto out;
1806 }
1807
1808
1809 int security_set_bools(int len, int *values)
1810 {
1811         int i, rc = 0;
1812         int lenp, seqno = 0;
1813         struct cond_node *cur;
1814
1815         POLICY_WRLOCK;
1816
1817         lenp = policydb.p_bools.nprim;
1818         if (len != lenp) {
1819                 rc = -EFAULT;
1820                 goto out;
1821         }
1822
1823         for (i = 0; i < len; i++) {
1824                 if (!!values[i] != policydb.bool_val_to_struct[i]->state) {
1825                         audit_log(current->audit_context, GFP_ATOMIC,
1826                                 AUDIT_MAC_CONFIG_CHANGE,
1827                                 "bool=%s val=%d old_val=%d auid=%u",
1828                                 policydb.p_bool_val_to_name[i],
1829                                 !!values[i],
1830                                 policydb.bool_val_to_struct[i]->state,
1831                                 audit_get_loginuid(current->audit_context));
1832                 }
1833                 if (values[i]) {
1834                         policydb.bool_val_to_struct[i]->state = 1;
1835                 } else {
1836                         policydb.bool_val_to_struct[i]->state = 0;
1837                 }
1838         }
1839
1840         for (cur = policydb.cond_list; cur != NULL; cur = cur->next) {
1841                 rc = evaluate_cond_node(&policydb, cur);
1842                 if (rc)
1843                         goto out;
1844         }
1845
1846         seqno = ++latest_granting;
1847
1848 out:
1849         POLICY_WRUNLOCK;
1850         if (!rc) {
1851                 avc_ss_reset(seqno);
1852                 selnl_notify_policyload(seqno);
1853         }
1854         return rc;
1855 }
1856
1857 int security_get_bool_value(int bool)
1858 {
1859         int rc = 0;
1860         int len;
1861
1862         POLICY_RDLOCK;
1863
1864         len = policydb.p_bools.nprim;
1865         if (bool >= len) {
1866                 rc = -EFAULT;
1867                 goto out;
1868         }
1869
1870         rc = policydb.bool_val_to_struct[bool]->state;
1871 out:
1872         POLICY_RDUNLOCK;
1873         return rc;
1874 }
1875
1876 /*
1877  * security_sid_mls_copy() - computes a new sid based on the given
1878  * sid and the mls portion of mls_sid.
1879  */
1880 int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid)
1881 {
1882         struct context *context1;
1883         struct context *context2;
1884         struct context newcon;
1885         char *s;
1886         u32 len;
1887         int rc = 0;
1888
1889         if (!ss_initialized || !selinux_mls_enabled) {
1890                 *new_sid = sid;
1891                 goto out;
1892         }
1893
1894         context_init(&newcon);
1895
1896         POLICY_RDLOCK;
1897         context1 = sidtab_search(&sidtab, sid);
1898         if (!context1) {
1899                 printk(KERN_ERR "security_sid_mls_copy:  unrecognized SID "
1900                        "%d\n", sid);
1901                 rc = -EINVAL;
1902                 goto out_unlock;
1903         }
1904
1905         context2 = sidtab_search(&sidtab, mls_sid);
1906         if (!context2) {
1907                 printk(KERN_ERR "security_sid_mls_copy:  unrecognized SID "
1908                        "%d\n", mls_sid);
1909                 rc = -EINVAL;
1910                 goto out_unlock;
1911         }
1912
1913         newcon.user = context1->user;
1914         newcon.role = context1->role;
1915         newcon.type = context1->type;
1916         rc = mls_copy_context(&newcon, context2);
1917         if (rc)
1918                 goto out_unlock;
1919
1920
1921         /* Check the validity of the new context. */
1922         if (!policydb_context_isvalid(&policydb, &newcon)) {
1923                 rc = convert_context_handle_invalid_context(&newcon);
1924                 if (rc)
1925                         goto bad;
1926         }
1927
1928         rc = sidtab_context_to_sid(&sidtab, &newcon, new_sid);
1929         goto out_unlock;
1930
1931 bad:
1932         if (!context_struct_to_string(&newcon, &s, &len)) {
1933                 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
1934                           "security_sid_mls_copy: invalid context %s", s);
1935                 kfree(s);
1936         }
1937
1938 out_unlock:
1939         POLICY_RDUNLOCK;
1940         context_destroy(&newcon);
1941 out:
1942         return rc;
1943 }
1944
1945 struct selinux_audit_rule {
1946         u32 au_seqno;
1947         struct context au_ctxt;
1948 };
1949
1950 void selinux_audit_rule_free(struct selinux_audit_rule *rule)
1951 {
1952         if (rule) {
1953                 context_destroy(&rule->au_ctxt);
1954                 kfree(rule);
1955         }
1956 }
1957
1958 int selinux_audit_rule_init(u32 field, u32 op, char *rulestr,
1959                             struct selinux_audit_rule **rule)
1960 {
1961         struct selinux_audit_rule *tmprule;
1962         struct role_datum *roledatum;
1963         struct type_datum *typedatum;
1964         struct user_datum *userdatum;
1965         int rc = 0;
1966
1967         *rule = NULL;
1968
1969         if (!ss_initialized)
1970                 return -ENOTSUPP;
1971
1972         switch (field) {
1973         case AUDIT_SUBJ_USER:
1974         case AUDIT_SUBJ_ROLE:
1975         case AUDIT_SUBJ_TYPE:
1976         case AUDIT_OBJ_USER:
1977         case AUDIT_OBJ_ROLE:
1978         case AUDIT_OBJ_TYPE:
1979                 /* only 'equals' and 'not equals' fit user, role, and type */
1980                 if (op != AUDIT_EQUAL && op != AUDIT_NOT_EQUAL)
1981                         return -EINVAL;
1982                 break;
1983         case AUDIT_SUBJ_SEN:
1984         case AUDIT_SUBJ_CLR:
1985         case AUDIT_OBJ_LEV_LOW:
1986         case AUDIT_OBJ_LEV_HIGH:
1987                 /* we do not allow a range, indicated by the presense of '-' */
1988                 if (strchr(rulestr, '-'))
1989                         return -EINVAL;
1990                 break;
1991         default:
1992                 /* only the above fields are valid */
1993                 return -EINVAL;
1994         }
1995
1996         tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL);
1997         if (!tmprule)
1998                 return -ENOMEM;
1999
2000         context_init(&tmprule->au_ctxt);
2001
2002         POLICY_RDLOCK;
2003
2004         tmprule->au_seqno = latest_granting;
2005
2006         switch (field) {
2007         case AUDIT_SUBJ_USER:
2008         case AUDIT_OBJ_USER:
2009                 userdatum = hashtab_search(policydb.p_users.table, rulestr);
2010                 if (!userdatum)
2011                         rc = -EINVAL;
2012                 else
2013                         tmprule->au_ctxt.user = userdatum->value;
2014                 break;
2015         case AUDIT_SUBJ_ROLE:
2016         case AUDIT_OBJ_ROLE:
2017                 roledatum = hashtab_search(policydb.p_roles.table, rulestr);
2018                 if (!roledatum)
2019                         rc = -EINVAL;
2020                 else
2021                         tmprule->au_ctxt.role = roledatum->value;
2022                 break;
2023         case AUDIT_SUBJ_TYPE:
2024         case AUDIT_OBJ_TYPE:
2025                 typedatum = hashtab_search(policydb.p_types.table, rulestr);
2026                 if (!typedatum)
2027                         rc = -EINVAL;
2028                 else
2029                         tmprule->au_ctxt.type = typedatum->value;
2030                 break;
2031         case AUDIT_SUBJ_SEN:
2032         case AUDIT_SUBJ_CLR:
2033         case AUDIT_OBJ_LEV_LOW:
2034         case AUDIT_OBJ_LEV_HIGH:
2035                 rc = mls_from_string(rulestr, &tmprule->au_ctxt, GFP_ATOMIC);
2036                 break;
2037         }
2038
2039         POLICY_RDUNLOCK;
2040
2041         if (rc) {
2042                 selinux_audit_rule_free(tmprule);
2043                 tmprule = NULL;
2044         }
2045
2046         *rule = tmprule;
2047
2048         return rc;
2049 }
2050
2051 int selinux_audit_rule_match(u32 sid, u32 field, u32 op,
2052                              struct selinux_audit_rule *rule,
2053                              struct audit_context *actx)
2054 {
2055         struct context *ctxt;
2056         struct mls_level *level;
2057         int match = 0;
2058
2059         if (!rule) {
2060                 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
2061                           "selinux_audit_rule_match: missing rule\n");
2062                 return -ENOENT;
2063         }
2064
2065         POLICY_RDLOCK;
2066
2067         if (rule->au_seqno < latest_granting) {
2068                 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
2069                           "selinux_audit_rule_match: stale rule\n");
2070                 match = -ESTALE;
2071                 goto out;
2072         }
2073
2074         ctxt = sidtab_search(&sidtab, sid);
2075         if (!ctxt) {
2076                 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
2077                           "selinux_audit_rule_match: unrecognized SID %d\n",
2078                           sid);
2079                 match = -ENOENT;
2080                 goto out;
2081         }
2082
2083         /* a field/op pair that is not caught here will simply fall through
2084            without a match */
2085         switch (field) {
2086         case AUDIT_SUBJ_USER:
2087         case AUDIT_OBJ_USER:
2088                 switch (op) {
2089                 case AUDIT_EQUAL:
2090                         match = (ctxt->user == rule->au_ctxt.user);
2091                         break;
2092                 case AUDIT_NOT_EQUAL:
2093                         match = (ctxt->user != rule->au_ctxt.user);
2094                         break;
2095                 }
2096                 break;
2097         case AUDIT_SUBJ_ROLE:
2098         case AUDIT_OBJ_ROLE:
2099                 switch (op) {
2100                 case AUDIT_EQUAL:
2101                         match = (ctxt->role == rule->au_ctxt.role);
2102                         break;
2103                 case AUDIT_NOT_EQUAL:
2104                         match = (ctxt->role != rule->au_ctxt.role);
2105                         break;
2106                 }
2107                 break;
2108         case AUDIT_SUBJ_TYPE:
2109         case AUDIT_OBJ_TYPE:
2110                 switch (op) {
2111                 case AUDIT_EQUAL:
2112                         match = (ctxt->type == rule->au_ctxt.type);
2113                         break;
2114                 case AUDIT_NOT_EQUAL:
2115                         match = (ctxt->type != rule->au_ctxt.type);
2116                         break;
2117                 }
2118                 break;
2119         case AUDIT_SUBJ_SEN:
2120         case AUDIT_SUBJ_CLR:
2121         case AUDIT_OBJ_LEV_LOW:
2122         case AUDIT_OBJ_LEV_HIGH:
2123                 level = ((field == AUDIT_SUBJ_SEN ||
2124                           field == AUDIT_OBJ_LEV_LOW) ?
2125                          &ctxt->range.level[0] : &ctxt->range.level[1]);
2126                 switch (op) {
2127                 case AUDIT_EQUAL:
2128                         match = mls_level_eq(&rule->au_ctxt.range.level[0],
2129                                              level);
2130                         break;
2131                 case AUDIT_NOT_EQUAL:
2132                         match = !mls_level_eq(&rule->au_ctxt.range.level[0],
2133                                               level);
2134                         break;
2135                 case AUDIT_LESS_THAN:
2136                         match = (mls_level_dom(&rule->au_ctxt.range.level[0],
2137                                                level) &&
2138                                  !mls_level_eq(&rule->au_ctxt.range.level[0],
2139                                                level));
2140                         break;
2141                 case AUDIT_LESS_THAN_OR_EQUAL:
2142                         match = mls_level_dom(&rule->au_ctxt.range.level[0],
2143                                               level);
2144                         break;
2145                 case AUDIT_GREATER_THAN:
2146                         match = (mls_level_dom(level,
2147                                               &rule->au_ctxt.range.level[0]) &&
2148                                  !mls_level_eq(level,
2149                                                &rule->au_ctxt.range.level[0]));
2150                         break;
2151                 case AUDIT_GREATER_THAN_OR_EQUAL:
2152                         match = mls_level_dom(level,
2153                                               &rule->au_ctxt.range.level[0]);
2154                         break;
2155                 }
2156         }
2157
2158 out:
2159         POLICY_RDUNLOCK;
2160         return match;
2161 }
2162
2163 static int (*aurule_callback)(void) = NULL;
2164
2165 static int aurule_avc_callback(u32 event, u32 ssid, u32 tsid,
2166                                u16 class, u32 perms, u32 *retained)
2167 {
2168         int err = 0;
2169
2170         if (event == AVC_CALLBACK_RESET && aurule_callback)
2171                 err = aurule_callback();
2172         return err;
2173 }
2174
2175 static int __init aurule_init(void)
2176 {
2177         int err;
2178
2179         err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET,
2180                                SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
2181         if (err)
2182                 panic("avc_add_callback() failed, error %d\n", err);
2183
2184         return err;
2185 }
2186 __initcall(aurule_init);
2187
2188 void selinux_audit_set_callback(int (*callback)(void))
2189 {
2190         aurule_callback = callback;
2191 }
2192
2193 #ifdef CONFIG_NETLABEL
2194 /*
2195  * This is the structure we store inside the NetLabel cache block.
2196  */
2197 #define NETLBL_CACHE(x)           ((struct netlbl_cache *)(x))
2198 #define NETLBL_CACHE_T_NONE       0
2199 #define NETLBL_CACHE_T_SID        1
2200 #define NETLBL_CACHE_T_MLS        2
2201 struct netlbl_cache {
2202         u32 type;
2203         union {
2204                 u32 sid;
2205                 struct mls_range mls_label;
2206         } data;
2207 };
2208
2209 /**
2210  * selinux_netlbl_cache_free - Free the NetLabel cached data
2211  * @data: the data to free
2212  *
2213  * Description:
2214  * This function is intended to be used as the free() callback inside the
2215  * netlbl_lsm_cache structure.
2216  *
2217  */
2218 static void selinux_netlbl_cache_free(const void *data)
2219 {
2220         struct netlbl_cache *cache;
2221
2222         if (data == NULL)
2223                 return;
2224
2225         cache = NETLBL_CACHE(data);
2226         switch (cache->type) {
2227         case NETLBL_CACHE_T_MLS:
2228                 ebitmap_destroy(&cache->data.mls_label.level[0].cat);
2229                 break;
2230         }
2231         kfree(data);
2232 }
2233
2234 /**
2235  * selinux_netlbl_cache_add - Add an entry to the NetLabel cache
2236  * @skb: the packet
2237  * @ctx: the SELinux context
2238  *
2239  * Description:
2240  * Attempt to cache the context in @ctx, which was derived from the packet in
2241  * @skb, in the NetLabel subsystem cache.
2242  *
2243  */
2244 static void selinux_netlbl_cache_add(struct sk_buff *skb, struct context *ctx)
2245 {
2246         struct netlbl_cache *cache = NULL;
2247         struct netlbl_lsm_secattr secattr;
2248
2249         netlbl_secattr_init(&secattr);
2250         secattr.cache = netlbl_secattr_cache_alloc(GFP_ATOMIC);
2251         if (secattr.cache == NULL)
2252                 goto netlbl_cache_add_return;
2253
2254         cache = kzalloc(sizeof(*cache), GFP_ATOMIC);
2255         if (cache == NULL)
2256                 goto netlbl_cache_add_return;
2257
2258         cache->type = NETLBL_CACHE_T_MLS;
2259         if (ebitmap_cpy(&cache->data.mls_label.level[0].cat,
2260                         &ctx->range.level[0].cat) != 0)
2261                 goto netlbl_cache_add_return;
2262         cache->data.mls_label.level[1].cat.highbit =
2263                 cache->data.mls_label.level[0].cat.highbit;
2264         cache->data.mls_label.level[1].cat.node =
2265                 cache->data.mls_label.level[0].cat.node;
2266         cache->data.mls_label.level[0].sens = ctx->range.level[0].sens;
2267         cache->data.mls_label.level[1].sens = ctx->range.level[0].sens;
2268
2269         secattr.cache->free = selinux_netlbl_cache_free;
2270         secattr.cache->data = (void *)cache;
2271         secattr.flags = NETLBL_SECATTR_CACHE;
2272
2273         netlbl_cache_add(skb, &secattr);
2274
2275 netlbl_cache_add_return:
2276         netlbl_secattr_destroy(&secattr);
2277 }
2278
2279 /**
2280  * selinux_netlbl_cache_invalidate - Invalidate the NetLabel cache
2281  *
2282  * Description:
2283  * Invalidate the NetLabel security attribute mapping cache.
2284  *
2285  */
2286 void selinux_netlbl_cache_invalidate(void)
2287 {
2288         netlbl_cache_invalidate();
2289 }
2290
2291 /**
2292  * selinux_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID
2293  * @skb: the network packet
2294  * @secattr: the NetLabel packet security attributes
2295  * @base_sid: the SELinux SID to use as a context for MLS only attributes
2296  * @sid: the SELinux SID
2297  *
2298  * Description:
2299  * Convert the given NetLabel packet security attributes in @secattr into a
2300  * SELinux SID.  If the @secattr field does not contain a full SELinux
2301  * SID/context then use the context in @base_sid as the foundation.  If @skb
2302  * is not NULL attempt to cache as much data as possibile.  Returns zero on
2303  * success, negative values on failure.
2304  *
2305  */
2306 static int selinux_netlbl_secattr_to_sid(struct sk_buff *skb,
2307                                          struct netlbl_lsm_secattr *secattr,
2308                                          u32 base_sid,
2309                                          u32 *sid)
2310 {
2311         int rc = -EIDRM;
2312         struct context *ctx;
2313         struct context ctx_new;
2314         struct netlbl_cache *cache;
2315
2316         POLICY_RDLOCK;
2317
2318         if (secattr->flags & NETLBL_SECATTR_CACHE) {
2319                 cache = NETLBL_CACHE(secattr->cache->data);
2320                 switch (cache->type) {
2321                 case NETLBL_CACHE_T_SID:
2322                         *sid = cache->data.sid;
2323                         rc = 0;
2324                         break;
2325                 case NETLBL_CACHE_T_MLS:
2326                         ctx = sidtab_search(&sidtab, base_sid);
2327                         if (ctx == NULL)
2328                                 goto netlbl_secattr_to_sid_return;
2329
2330                         ctx_new.user = ctx->user;
2331                         ctx_new.role = ctx->role;
2332                         ctx_new.type = ctx->type;
2333                         ctx_new.range.level[0].sens =
2334                                 cache->data.mls_label.level[0].sens;
2335                         ctx_new.range.level[0].cat.highbit =
2336                                 cache->data.mls_label.level[0].cat.highbit;
2337                         ctx_new.range.level[0].cat.node =
2338                                 cache->data.mls_label.level[0].cat.node;
2339                         ctx_new.range.level[1].sens =
2340                                 cache->data.mls_label.level[1].sens;
2341                         ctx_new.range.level[1].cat.highbit =
2342                                 cache->data.mls_label.level[1].cat.highbit;
2343                         ctx_new.range.level[1].cat.node =
2344                                 cache->data.mls_label.level[1].cat.node;
2345
2346                         rc = sidtab_context_to_sid(&sidtab, &ctx_new, sid);
2347                         break;
2348                 default:
2349                         goto netlbl_secattr_to_sid_return;
2350                 }
2351         } else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) {
2352                 ctx = sidtab_search(&sidtab, base_sid);
2353                 if (ctx == NULL)
2354                         goto netlbl_secattr_to_sid_return;
2355
2356                 ctx_new.user = ctx->user;
2357                 ctx_new.role = ctx->role;
2358                 ctx_new.type = ctx->type;
2359                 mls_import_lvl(&ctx_new, secattr->mls_lvl, secattr->mls_lvl);
2360                 if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {
2361                         if (mls_import_cat(&ctx_new,
2362                                            secattr->mls_cat,
2363                                            secattr->mls_cat_len,
2364                                            NULL,
2365                                            0) != 0)
2366                                 goto netlbl_secattr_to_sid_return;
2367                         ctx_new.range.level[1].cat.highbit =
2368                                 ctx_new.range.level[0].cat.highbit;
2369                         ctx_new.range.level[1].cat.node =
2370                                 ctx_new.range.level[0].cat.node;
2371                 } else {
2372                         ebitmap_init(&ctx_new.range.level[0].cat);
2373                         ebitmap_init(&ctx_new.range.level[1].cat);
2374                 }
2375                 if (mls_context_isvalid(&policydb, &ctx_new) != 1)
2376                         goto netlbl_secattr_to_sid_return_cleanup;
2377
2378                 rc = sidtab_context_to_sid(&sidtab, &ctx_new, sid);
2379                 if (rc != 0)
2380                         goto netlbl_secattr_to_sid_return_cleanup;
2381
2382                 if (skb != NULL)
2383                         selinux_netlbl_cache_add(skb, &ctx_new);
2384                 ebitmap_destroy(&ctx_new.range.level[0].cat);
2385         } else {
2386                 *sid = SECSID_NULL;
2387                 rc = 0;
2388         }
2389
2390 netlbl_secattr_to_sid_return:
2391         POLICY_RDUNLOCK;
2392         return rc;
2393 netlbl_secattr_to_sid_return_cleanup:
2394         ebitmap_destroy(&ctx_new.range.level[0].cat);
2395         goto netlbl_secattr_to_sid_return;
2396 }
2397
2398 /**
2399  * selinux_netlbl_skbuff_getsid - Get the sid of a packet using NetLabel
2400  * @skb: the packet
2401  * @base_sid: the SELinux SID to use as a context for MLS only attributes
2402  * @sid: the SID
2403  *
2404  * Description:
2405  * Call the NetLabel mechanism to get the security attributes of the given
2406  * packet and use those attributes to determine the correct context/SID to
2407  * assign to the packet.  Returns zero on success, negative values on failure.
2408  *
2409  */
2410 static int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
2411                                         u32 base_sid,
2412                                         u32 *sid)
2413 {
2414         int rc;
2415         struct netlbl_lsm_secattr secattr;
2416
2417         netlbl_secattr_init(&secattr);
2418         rc = netlbl_skbuff_getattr(skb, &secattr);
2419         if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
2420                 rc = selinux_netlbl_secattr_to_sid(skb,
2421                                                    &secattr,
2422                                                    base_sid,
2423                                                    sid);
2424         else
2425                 *sid = SECSID_NULL;
2426         netlbl_secattr_destroy(&secattr);
2427
2428         return rc;
2429 }
2430
2431 /**
2432  * selinux_netlbl_socket_setsid - Label a socket using the NetLabel mechanism
2433  * @sock: the socket to label
2434  * @sid: the SID to use
2435  *
2436  * Description:
2437  * Attempt to label a socket using the NetLabel mechanism using the given
2438  * SID.  Returns zero values on success, negative values on failure.
2439  *
2440  */
2441 static int selinux_netlbl_socket_setsid(struct socket *sock, u32 sid)
2442 {
2443         int rc = -ENOENT;
2444         struct sk_security_struct *sksec = sock->sk->sk_security;
2445         struct netlbl_lsm_secattr secattr;
2446         struct context *ctx;
2447
2448         if (!ss_initialized)
2449                 return 0;
2450
2451         netlbl_secattr_init(&secattr);
2452
2453         POLICY_RDLOCK;
2454
2455         ctx = sidtab_search(&sidtab, sid);
2456         if (ctx == NULL)
2457                 goto netlbl_socket_setsid_return;
2458
2459         secattr.domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1],
2460                                  GFP_ATOMIC);
2461         mls_export_lvl(ctx, &secattr.mls_lvl, NULL);
2462         rc = mls_export_cat(ctx,
2463                             &secattr.mls_cat,
2464                             &secattr.mls_cat_len,
2465                             NULL,
2466                             NULL);
2467         if (rc != 0)
2468                 goto netlbl_socket_setsid_return;
2469
2470         secattr.flags |= NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL;
2471         if (secattr.mls_cat)
2472                 secattr.flags |= NETLBL_SECATTR_MLS_CAT;
2473
2474         rc = netlbl_socket_setattr(sock, &secattr);
2475         if (rc == 0)
2476                 sksec->nlbl_state = NLBL_LABELED;
2477
2478 netlbl_socket_setsid_return:
2479         POLICY_RDUNLOCK;
2480         netlbl_secattr_destroy(&secattr);
2481         return rc;
2482 }
2483
2484 /**
2485  * selinux_netlbl_sk_security_init - Setup the NetLabel fields
2486  * @ssec: the sk_security_struct
2487  * @family: the socket family
2488  *
2489  * Description:
2490  * Called when a new sk_security_struct is allocated to initialize the NetLabel
2491  * fields.
2492  *
2493  */
2494 void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec,
2495                                      int family)
2496 {
2497         if (family == PF_INET)
2498                 ssec->nlbl_state = NLBL_REQUIRE;
2499         else
2500                 ssec->nlbl_state = NLBL_UNSET;
2501 }
2502
2503 /**
2504  * selinux_netlbl_sk_clone_security - Copy the NetLabel fields
2505  * @ssec: the original sk_security_struct
2506  * @newssec: the cloned sk_security_struct
2507  *
2508  * Description:
2509  * Clone the NetLabel specific sk_security_struct fields from @ssec to
2510  * @newssec.
2511  *
2512  */
2513 void selinux_netlbl_sk_clone_security(struct sk_security_struct *ssec,
2514                                       struct sk_security_struct *newssec)
2515 {
2516         newssec->sclass = ssec->sclass;
2517         if (ssec->nlbl_state != NLBL_UNSET)
2518                 newssec->nlbl_state = NLBL_REQUIRE;
2519         else
2520                 newssec->nlbl_state = NLBL_UNSET;
2521 }
2522
2523 /**
2524  * selinux_netlbl_socket_post_create - Label a socket using NetLabel
2525  * @sock: the socket to label
2526  * @sock_family: the socket family
2527  * @sid: the SID to use
2528  *
2529  * Description:
2530  * Attempt to label a socket using the NetLabel mechanism using the given
2531  * SID.  Returns zero values on success, negative values on failure.
2532  *
2533  */
2534 int selinux_netlbl_socket_post_create(struct socket *sock,
2535                                       int sock_family,
2536                                       u32 sid)
2537 {
2538         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
2539         struct sk_security_struct *sksec = sock->sk->sk_security;
2540
2541         sksec->sclass = isec->sclass;
2542
2543         if (sock_family != PF_INET)
2544                 return 0;
2545
2546         sksec->nlbl_state = NLBL_REQUIRE;
2547         return selinux_netlbl_socket_setsid(sock, sid);
2548 }
2549
2550 /**
2551  * selinux_netlbl_sock_graft - Netlabel the new socket
2552  * @sk: the new connection
2553  * @sock: the new socket
2554  *
2555  * Description:
2556  * The connection represented by @sk is being grafted onto @sock so set the
2557  * socket's NetLabel to match the SID of @sk.
2558  *
2559  */
2560 void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
2561 {
2562         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
2563         struct sk_security_struct *sksec = sk->sk_security;
2564         struct netlbl_lsm_secattr secattr;
2565         u32 nlbl_peer_sid;
2566
2567         sksec->sclass = isec->sclass;
2568
2569         if (sk->sk_family != PF_INET)
2570                 return;
2571
2572         netlbl_secattr_init(&secattr);
2573         if (netlbl_sock_getattr(sk, &secattr) == 0 &&
2574             secattr.flags != NETLBL_SECATTR_NONE &&
2575             selinux_netlbl_secattr_to_sid(NULL,
2576                                           &secattr,
2577                                           SECINITSID_UNLABELED,
2578                                           &nlbl_peer_sid) == 0)
2579                 sksec->peer_sid = nlbl_peer_sid;
2580         netlbl_secattr_destroy(&secattr);
2581
2582         sksec->nlbl_state = NLBL_REQUIRE;
2583
2584         /* Try to set the NetLabel on the socket to save time later, if we fail
2585          * here we will pick up the pieces in later calls to
2586          * selinux_netlbl_inode_permission(). */
2587         selinux_netlbl_socket_setsid(sock, sksec->sid);
2588 }
2589
2590 /**
2591  * selinux_netlbl_inet_conn_request - Handle a new connection request
2592  * @skb: the packet
2593  * @sock_sid: the SID of the parent socket
2594  *
2595  * Description:
2596  * If present, use the security attributes of the packet in @skb and the
2597  * parent sock's SID to arrive at a SID for the new child sock.  Returns the
2598  * SID of the connection or SECSID_NULL on failure.
2599  *
2600  */
2601 u32 selinux_netlbl_inet_conn_request(struct sk_buff *skb, u32 sock_sid)
2602 {
2603         int rc;
2604         u32 peer_sid;
2605
2606         rc = selinux_netlbl_skbuff_getsid(skb, sock_sid, &peer_sid);
2607         if (rc != 0)
2608                 return SECSID_NULL;
2609
2610         return peer_sid;
2611 }
2612
2613 /**
2614  * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled
2615  * @inode: the file descriptor's inode
2616  * @mask: the permission mask
2617  *
2618  * Description:
2619  * Looks at a file's inode and if it is marked as a socket protected by
2620  * NetLabel then verify that the socket has been labeled, if not try to label
2621  * the socket now with the inode's SID.  Returns zero on success, negative
2622  * values on failure.
2623  *
2624  */
2625 int selinux_netlbl_inode_permission(struct inode *inode, int mask)
2626 {
2627         int rc;
2628         struct inode_security_struct *isec;
2629         struct sk_security_struct *sksec;
2630         struct socket *sock;
2631
2632         if (!S_ISSOCK(inode->i_mode))
2633                 return 0;
2634
2635         sock = SOCKET_I(inode);
2636         isec = inode->i_security;
2637         sksec = sock->sk->sk_security;
2638         mutex_lock(&isec->lock);
2639         if (unlikely(sksec->nlbl_state == NLBL_REQUIRE &&
2640                      (mask & (MAY_WRITE | MAY_APPEND)))) {
2641                 lock_sock(sock->sk);
2642                 rc = selinux_netlbl_socket_setsid(sock, sksec->sid);
2643                 release_sock(sock->sk);
2644         } else
2645                 rc = 0;
2646         mutex_unlock(&isec->lock);
2647
2648         return rc;
2649 }
2650
2651 /**
2652  * selinux_netlbl_sock_rcv_skb - Do an inbound access check using NetLabel
2653  * @sksec: the sock's sk_security_struct
2654  * @skb: the packet
2655  * @ad: the audit data
2656  *
2657  * Description:
2658  * Fetch the NetLabel security attributes from @skb and perform an access check
2659  * against the receiving socket.  Returns zero on success, negative values on
2660  * error.
2661  *
2662  */
2663 int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
2664                                 struct sk_buff *skb,
2665                                 struct avc_audit_data *ad)
2666 {
2667         int rc;
2668         u32 netlbl_sid;
2669         u32 recv_perm;
2670
2671         rc = selinux_netlbl_skbuff_getsid(skb,
2672                                           SECINITSID_UNLABELED,
2673                                           &netlbl_sid);
2674         if (rc != 0)
2675                 return rc;
2676
2677         if (netlbl_sid == SECSID_NULL)
2678                 return 0;
2679
2680         switch (sksec->sclass) {
2681         case SECCLASS_UDP_SOCKET:
2682                 recv_perm = UDP_SOCKET__RECVFROM;
2683                 break;
2684         case SECCLASS_TCP_SOCKET:
2685                 recv_perm = TCP_SOCKET__RECVFROM;
2686                 break;
2687         default:
2688                 recv_perm = RAWIP_SOCKET__RECVFROM;
2689         }
2690
2691         rc = avc_has_perm(sksec->sid,
2692                           netlbl_sid,
2693                           sksec->sclass,
2694                           recv_perm,
2695                           ad);
2696         if (rc == 0)
2697                 return 0;
2698
2699         netlbl_skbuff_err(skb, rc);
2700         return rc;
2701 }
2702
2703 /**
2704  * selinux_netlbl_socket_getpeersec_stream - Return the connected peer's SID
2705  * @sock: the socket
2706  *
2707  * Description:
2708  * Examine @sock to find the connected peer's SID.  Returns the SID on success
2709  * or SECSID_NULL on error.
2710  *
2711  */
2712 u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock)
2713 {
2714         struct sk_security_struct *sksec = sock->sk->sk_security;
2715         return sksec->peer_sid;
2716 }
2717
2718 /**
2719  * selinux_netlbl_socket_getpeersec_dgram - Return the SID of a NetLabel packet
2720  * @skb: the packet
2721  *
2722  * Description:
2723  * Examine @skb to find the SID assigned to it by NetLabel.  Returns the SID on
2724  * success, SECSID_NULL on error.
2725  *
2726  */
2727 u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb)
2728 {
2729         int peer_sid;
2730
2731         if (selinux_netlbl_skbuff_getsid(skb,
2732                                          SECINITSID_UNLABELED,
2733                                          &peer_sid) != 0)
2734                 return SECSID_NULL;
2735
2736         return peer_sid;
2737 }
2738
2739 /**
2740  * selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel
2741  * @sock: the socket
2742  * @level: the socket level or protocol
2743  * @optname: the socket option name
2744  *
2745  * Description:
2746  * Check the setsockopt() call and if the user is trying to replace the IP
2747  * options on a socket and a NetLabel is in place for the socket deny the
2748  * access; otherwise allow the access.  Returns zero when the access is
2749  * allowed, -EACCES when denied, and other negative values on error.
2750  *
2751  */
2752 int selinux_netlbl_socket_setsockopt(struct socket *sock,
2753                                      int level,
2754                                      int optname)
2755 {
2756         int rc = 0;
2757         struct inode *inode = SOCK_INODE(sock);
2758         struct sk_security_struct *sksec = sock->sk->sk_security;
2759         struct inode_security_struct *isec = inode->i_security;
2760         struct netlbl_lsm_secattr secattr;
2761
2762         mutex_lock(&isec->lock);
2763         if (level == IPPROTO_IP && optname == IP_OPTIONS &&
2764             sksec->nlbl_state == NLBL_LABELED) {
2765                 netlbl_secattr_init(&secattr);
2766                 rc = netlbl_socket_getattr(sock, &secattr);
2767                 if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
2768                         rc = -EACCES;
2769                 netlbl_secattr_destroy(&secattr);
2770         }
2771         mutex_unlock(&isec->lock);
2772
2773         return rc;
2774 }
2775 #endif /* CONFIG_NETLABEL */