linux/security/selinux/ss/services.c
<<
>>
Prefs
   1/*
   2 * Implementation of the security services.
   3 *
   4 * Authors : Stephen Smalley, <sds@epoch.ncsc.mil>
   5 *           James Morris <jmorris@redhat.com>
   6 *
   7 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
   8 *
   9 *      Support for enhanced MLS infrastructure.
  10 *      Support for context based audit filters.
  11 *
  12 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
  13 *
  14 *      Added conditional policy language extensions
  15 *
  16 * Updated: Hewlett-Packard <paul.moore@hp.com>
  17 *
  18 *      Added support for NetLabel
  19 *      Added support for the policy capability bitmap
  20 *
  21 * Updated: Chad Sellers <csellers@tresys.com>
  22 *
  23 *  Added validation of kernel classes and permissions
  24 *
  25 * Updated: KaiGai Kohei <kaigai@ak.jp.nec.com>
  26 *
  27 *  Added support for bounds domain and audit messaged on masked permissions
  28 *
  29 * Updated: Guido Trentalancia <guido@trentalancia.com>
  30 *
  31 *  Added support for runtime switching of the policy type
  32 *
  33 * Copyright (C) 2008, 2009 NEC Corporation
  34 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
  35 * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
  36 * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC
  37 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
  38 *      This program is free software; you can redistribute it and/or modify
  39 *      it under the terms of the GNU General Public License as published by
  40 *      the Free Software Foundation, version 2.
  41 */
  42#include <linux/kernel.h>
  43#include <linux/slab.h>
  44#include <linux/string.h>
  45#include <linux/spinlock.h>
  46#include <linux/rcupdate.h>
  47#include <linux/errno.h>
  48#include <linux/in.h>
  49#include <linux/sched.h>
  50#include <linux/audit.h>
  51#include <linux/mutex.h>
  52#include <linux/selinux.h>
  53#include <linux/flex_array.h>
  54#include <linux/vmalloc.h>
  55#include <net/netlabel.h>
  56
  57#include "flask.h"
  58#include "avc.h"
  59#include "avc_ss.h"
  60#include "security.h"
  61#include "context.h"
  62#include "policydb.h"
  63#include "sidtab.h"
  64#include "services.h"
  65#include "conditional.h"
  66#include "mls.h"
  67#include "objsec.h"
  68#include "netlabel.h"
  69#include "xfrm.h"
  70#include "ebitmap.h"
  71#include "audit.h"
  72
  73extern void selnl_notify_policyload(u32 seqno);
  74
  75int selinux_policycap_netpeer;
  76int selinux_policycap_openperm;
  77
  78static DEFINE_RWLOCK(policy_rwlock);
  79
  80static struct sidtab sidtab;
  81struct policydb policydb;
  82int ss_initialized;
  83
  84/*
  85 * The largest sequence number that has been used when
  86 * providing an access decision to the access vector cache.
  87 * The sequence number only changes when a policy change
  88 * occurs.
  89 */
  90static u32 latest_granting;
  91
  92/* Forward declaration. */
  93static int context_struct_to_string(struct context *context, char **scontext,
  94                                    u32 *scontext_len);
  95
  96static void context_struct_compute_av(struct context *scontext,
  97                                      struct context *tcontext,
  98                                      u16 tclass,
  99                                      struct av_decision *avd);
 100
 101struct selinux_mapping {
 102        u16 value; /* policy value */
 103        unsigned num_perms;
 104        u32 perms[sizeof(u32) * 8];
 105};
 106
 107static struct selinux_mapping *current_mapping;
 108static u16 current_mapping_size;
 109
 110static int selinux_set_mapping(struct policydb *pol,
 111                               struct security_class_mapping *map,
 112                               struct selinux_mapping **out_map_p,
 113                               u16 *out_map_size)
 114{
 115        struct selinux_mapping *out_map = NULL;
 116        size_t size = sizeof(struct selinux_mapping);
 117        u16 i, j;
 118        unsigned k;
 119        bool print_unknown_handle = false;
 120
 121        /* Find number of classes in the input mapping */
 122        if (!map)
 123                return -EINVAL;
 124        i = 0;
 125        while (map[i].name)
 126                i++;
 127
 128        /* Allocate space for the class records, plus one for class zero */
 129        out_map = kcalloc(++i, size, GFP_ATOMIC);
 130        if (!out_map)
 131                return -ENOMEM;
 132
 133        /* Store the raw class and permission values */
 134        j = 0;
 135        while (map[j].name) {
 136                struct security_class_mapping *p_in = map + (j++);
 137                struct selinux_mapping *p_out = out_map + j;
 138
 139                /* An empty class string skips ahead */
 140                if (!strcmp(p_in->name, "")) {
 141                        p_out->num_perms = 0;
 142                        continue;
 143                }
 144
 145                p_out->value = string_to_security_class(pol, p_in->name);
 146                if (!p_out->value) {
 147                        printk(KERN_INFO
 148                               "SELinux:  Class %s not defined in policy.\n",
 149                               p_in->name);
 150                        if (pol->reject_unknown)
 151                                goto err;
 152                        p_out->num_perms = 0;
 153                        print_unknown_handle = true;
 154                        continue;
 155                }
 156
 157                k = 0;
 158                while (p_in->perms && p_in->perms[k]) {
 159                        /* An empty permission string skips ahead */
 160                        if (!*p_in->perms[k]) {
 161                                k++;
 162                                continue;
 163                        }
 164                        p_out->perms[k] = string_to_av_perm(pol, p_out->value,
 165                                                            p_in->perms[k]);
 166                        if (!p_out->perms[k]) {
 167                                printk(KERN_INFO
 168                                       "SELinux:  Permission %s in class %s not defined in policy.\n",
 169                                       p_in->perms[k], p_in->name);
 170                                if (pol->reject_unknown)
 171                                        goto err;
 172                                print_unknown_handle = true;
 173                        }
 174
 175                        k++;
 176                }
 177                p_out->num_perms = k;
 178        }
 179
 180        if (print_unknown_handle)
 181                printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
 182                       pol->allow_unknown ? "allowed" : "denied");
 183
 184        *out_map_p = out_map;
 185        *out_map_size = i;
 186        return 0;
 187err:
 188        kfree(out_map);
 189        return -EINVAL;
 190}
 191
 192/*
 193 * Get real, policy values from mapped values
 194 */
 195
 196static u16 unmap_class(u16 tclass)
 197{
 198        if (tclass < current_mapping_size)
 199                return current_mapping[tclass].value;
 200
 201        return tclass;
 202}
 203
 204/*
 205 * Get kernel value for class from its policy value
 206 */
 207static u16 map_class(u16 pol_value)
 208{
 209        u16 i;
 210
 211        for (i = 1; i < current_mapping_size; i++) {
 212                if (current_mapping[i].value == pol_value)
 213                        return i;
 214        }
 215
 216        return SECCLASS_NULL;
 217}
 218
 219static void map_decision(u16 tclass, struct av_decision *avd,
 220                         int allow_unknown)
 221{
 222        if (tclass < current_mapping_size) {
 223                unsigned i, n = current_mapping[tclass].num_perms;
 224                u32 result;
 225
 226                for (i = 0, result = 0; i < n; i++) {
 227                        if (avd->allowed & current_mapping[tclass].perms[i])
 228                                result |= 1<<i;
 229                        if (allow_unknown && !current_mapping[tclass].perms[i])
 230                                result |= 1<<i;
 231                }
 232                avd->allowed = result;
 233
 234                for (i = 0, result = 0; i < n; i++)
 235                        if (avd->auditallow & current_mapping[tclass].perms[i])
 236                                result |= 1<<i;
 237                avd->auditallow = result;
 238
 239                for (i = 0, result = 0; i < n; i++) {
 240                        if (avd->auditdeny & current_mapping[tclass].perms[i])
 241                                result |= 1<<i;
 242                        if (!allow_unknown && !current_mapping[tclass].perms[i])
 243                                result |= 1<<i;
 244                }
 245                /*
 246                 * In case the kernel has a bug and requests a permission
 247                 * between num_perms and the maximum permission number, we
 248                 * should audit that denial
 249                 */
 250                for (; i < (sizeof(u32)*8); i++)
 251                        result |= 1<<i;
 252                avd->auditdeny = result;
 253        }
 254}
 255
 256int security_mls_enabled(void)
 257{
 258        return policydb.mls_enabled;
 259}
 260
 261/*
 262 * Return the boolean value of a constraint expression
 263 * when it is applied to the specified source and target
 264 * security contexts.
 265 *
 266 * xcontext is a special beast...  It is used by the validatetrans rules
 267 * only.  For these rules, scontext is the context before the transition,
 268 * tcontext is the context after the transition, and xcontext is the context
 269 * of the process performing the transition.  All other callers of
 270 * constraint_expr_eval should pass in NULL for xcontext.
 271 */
 272static int constraint_expr_eval(struct context *scontext,
 273                                struct context *tcontext,
 274                                struct context *xcontext,
 275                                struct constraint_expr *cexpr)
 276{
 277        u32 val1, val2;
 278        struct context *c;
 279        struct role_datum *r1, *r2;
 280        struct mls_level *l1, *l2;
 281        struct constraint_expr *e;
 282        int s[CEXPR_MAXDEPTH];
 283        int sp = -1;
 284
 285        for (e = cexpr; e; e = e->next) {
 286                switch (e->expr_type) {
 287                case CEXPR_NOT:
 288                        BUG_ON(sp < 0);
 289                        s[sp] = !s[sp];
 290                        break;
 291                case CEXPR_AND:
 292                        BUG_ON(sp < 1);
 293                        sp--;
 294                        s[sp] &= s[sp + 1];
 295                        break;
 296                case CEXPR_OR:
 297                        BUG_ON(sp < 1);
 298                        sp--;
 299                        s[sp] |= s[sp + 1];
 300                        break;
 301                case CEXPR_ATTR:
 302                        if (sp == (CEXPR_MAXDEPTH - 1))
 303                                return 0;
 304                        switch (e->attr) {
 305                        case CEXPR_USER:
 306                                val1 = scontext->user;
 307                                val2 = tcontext->user;
 308                                break;
 309                        case CEXPR_TYPE:
 310                                val1 = scontext->type;
 311                                val2 = tcontext->type;
 312                                break;
 313                        case CEXPR_ROLE:
 314                                val1 = scontext->role;
 315                                val2 = tcontext->role;
 316                                r1 = policydb.role_val_to_struct[val1 - 1];
 317                                r2 = policydb.role_val_to_struct[val2 - 1];
 318                                switch (e->op) {
 319                                case CEXPR_DOM:
 320                                        s[++sp] = ebitmap_get_bit(&r1->dominates,
 321                                                                  val2 - 1);
 322                                        continue;
 323                                case CEXPR_DOMBY:
 324                                        s[++sp] = ebitmap_get_bit(&r2->dominates,
 325                                                                  val1 - 1);
 326                                        continue;
 327                                case CEXPR_INCOMP:
 328                                        s[++sp] = (!ebitmap_get_bit(&r1->dominates,
 329                                                                    val2 - 1) &&
 330                                                   !ebitmap_get_bit(&r2->dominates,
 331                                                                    val1 - 1));
 332                                        continue;
 333                                default:
 334                                        break;
 335                                }
 336                                break;
 337                        case CEXPR_L1L2:
 338                                l1 = &(scontext->range.level[0]);
 339                                l2 = &(tcontext->range.level[0]);
 340                                goto mls_ops;
 341                        case CEXPR_L1H2:
 342                                l1 = &(scontext->range.level[0]);
 343                                l2 = &(tcontext->range.level[1]);
 344                                goto mls_ops;
 345                        case CEXPR_H1L2:
 346                                l1 = &(scontext->range.level[1]);
 347                                l2 = &(tcontext->range.level[0]);
 348                                goto mls_ops;
 349                        case CEXPR_H1H2:
 350                                l1 = &(scontext->range.level[1]);
 351                                l2 = &(tcontext->range.level[1]);
 352                                goto mls_ops;
 353                        case CEXPR_L1H1:
 354                                l1 = &(scontext->range.level[0]);
 355                                l2 = &(scontext->range.level[1]);
 356                                goto mls_ops;
 357                        case CEXPR_L2H2:
 358                                l1 = &(tcontext->range.level[0]);
 359                                l2 = &(tcontext->range.level[1]);
 360                                goto mls_ops;
 361mls_ops:
 362                        switch (e->op) {
 363                        case CEXPR_EQ:
 364                                s[++sp] = mls_level_eq(l1, l2);
 365                                continue;
 366                        case CEXPR_NEQ:
 367                                s[++sp] = !mls_level_eq(l1, l2);
 368                                continue;
 369                        case CEXPR_DOM:
 370                                s[++sp] = mls_level_dom(l1, l2);
 371                                continue;
 372                        case CEXPR_DOMBY:
 373                                s[++sp] = mls_level_dom(l2, l1);
 374                                continue;
 375                        case CEXPR_INCOMP:
 376                                s[++sp] = mls_level_incomp(l2, l1);
 377                                continue;
 378                        default:
 379                                BUG();
 380                                return 0;
 381                        }
 382                        break;
 383                        default:
 384                                BUG();
 385                                return 0;
 386                        }
 387
 388                        switch (e->op) {
 389                        case CEXPR_EQ:
 390                                s[++sp] = (val1 == val2);
 391                                break;
 392                        case CEXPR_NEQ:
 393                                s[++sp] = (val1 != val2);
 394                                break;
 395                        default:
 396                                BUG();
 397                                return 0;
 398                        }
 399                        break;
 400                case CEXPR_NAMES:
 401                        if (sp == (CEXPR_MAXDEPTH-1))
 402                                return 0;
 403                        c = scontext;
 404                        if (e->attr & CEXPR_TARGET)
 405                                c = tcontext;
 406                        else if (e->attr & CEXPR_XTARGET) {
 407                                c = xcontext;
 408                                if (!c) {
 409                                        BUG();
 410                                        return 0;
 411                                }
 412                        }
 413                        if (e->attr & CEXPR_USER)
 414                                val1 = c->user;
 415                        else if (e->attr & CEXPR_ROLE)
 416                                val1 = c->role;
 417                        else if (e->attr & CEXPR_TYPE)
 418                                val1 = c->type;
 419                        else {
 420                                BUG();
 421                                return 0;
 422                        }
 423
 424                        switch (e->op) {
 425                        case CEXPR_EQ:
 426                                s[++sp] = ebitmap_get_bit(&e->names, val1 - 1);
 427                                break;
 428                        case CEXPR_NEQ:
 429                                s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1);
 430                                break;
 431                        default:
 432                                BUG();
 433                                return 0;
 434                        }
 435                        break;
 436                default:
 437                        BUG();
 438                        return 0;
 439                }
 440        }
 441
 442        BUG_ON(sp != 0);
 443        return s[0];
 444}
 445
 446/*
 447 * security_dump_masked_av - dumps masked permissions during
 448 * security_compute_av due to RBAC, MLS/Constraint and Type bounds.
 449 */
 450static int dump_masked_av_helper(void *k, void *d, void *args)
 451{
 452        struct perm_datum *pdatum = d;
 453        char **permission_names = args;
 454
 455        BUG_ON(pdatum->value < 1 || pdatum->value > 32);
 456
 457        permission_names[pdatum->value - 1] = (char *)k;
 458
 459        return 0;
 460}
 461
 462static void security_dump_masked_av(struct context *scontext,
 463                                    struct context *tcontext,
 464                                    u16 tclass,
 465                                    u32 permissions,
 466                                    const char *reason)
 467{
 468        struct common_datum *common_dat;
 469        struct class_datum *tclass_dat;
 470        struct audit_buffer *ab;
 471        char *tclass_name;
 472        char *scontext_name = NULL;
 473        char *tcontext_name = NULL;
 474        char *permission_names[32];
 475        int index;
 476        u32 length;
 477        bool need_comma = false;
 478
 479        if (!permissions)
 480                return;
 481
 482        tclass_name = sym_name(&policydb, SYM_CLASSES, tclass - 1);
 483        tclass_dat = policydb.class_val_to_struct[tclass - 1];
 484        common_dat = tclass_dat->comdatum;
 485
 486        /* init permission_names */
 487        if (common_dat &&
 488            hashtab_map(common_dat->permissions.table,
 489                        dump_masked_av_helper, permission_names) < 0)
 490                goto out;
 491
 492        if (hashtab_map(tclass_dat->permissions.table,
 493                        dump_masked_av_helper, permission_names) < 0)
 494                goto out;
 495
 496        /* get scontext/tcontext in text form */
 497        if (context_struct_to_string(scontext,
 498                                     &scontext_name, &length) < 0)
 499                goto out;
 500
 501        if (context_struct_to_string(tcontext,
 502                                     &tcontext_name, &length) < 0)
 503                goto out;
 504
 505        /* audit a message */
 506        ab = audit_log_start(current->audit_context,
 507                             GFP_ATOMIC, AUDIT_SELINUX_ERR);
 508        if (!ab)
 509                goto out;
 510
 511        audit_log_format(ab, "op=security_compute_av reason=%s "
 512                         "scontext=%s tcontext=%s tclass=%s perms=",
 513                         reason, scontext_name, tcontext_name, tclass_name);
 514
 515        for (index = 0; index < 32; index++) {
 516                u32 mask = (1 << index);
 517
 518                if ((mask & permissions) == 0)
 519                        continue;
 520
 521                audit_log_format(ab, "%s%s",
 522                                 need_comma ? "," : "",
 523                                 permission_names[index]
 524                                 ? permission_names[index] : "????");
 525                need_comma = true;
 526        }
 527        audit_log_end(ab);
 528out:
 529        /* release scontext/tcontext */
 530        kfree(tcontext_name);
 531        kfree(scontext_name);
 532
 533        return;
 534}
 535
 536/*
 537 * security_boundary_permission - drops violated permissions
 538 * on boundary constraint.
 539 */
 540static void type_attribute_bounds_av(struct context *scontext,
 541                                     struct context *tcontext,
 542                                     u16 tclass,
 543                                     struct av_decision *avd)
 544{
 545        struct context lo_scontext;
 546        struct context lo_tcontext;
 547        struct av_decision lo_avd;
 548        struct type_datum *source;
 549        struct type_datum *target;
 550        u32 masked = 0;
 551
 552        source = flex_array_get_ptr(policydb.type_val_to_struct_array,
 553                                    scontext->type - 1);
 554        BUG_ON(!source);
 555
 556        target = flex_array_get_ptr(policydb.type_val_to_struct_array,
 557                                    tcontext->type - 1);
 558        BUG_ON(!target);
 559
 560        if (source->bounds) {
 561                memset(&lo_avd, 0, sizeof(lo_avd));
 562
 563                memcpy(&lo_scontext, scontext, sizeof(lo_scontext));
 564                lo_scontext.type = source->bounds;
 565
 566                context_struct_compute_av(&lo_scontext,
 567                                          tcontext,
 568                                          tclass,
 569                                          &lo_avd);
 570                if ((lo_avd.allowed & avd->allowed) == avd->allowed)
 571                        return;         /* no masked permission */
 572                masked = ~lo_avd.allowed & avd->allowed;
 573        }
 574
 575        if (target->bounds) {
 576                memset(&lo_avd, 0, sizeof(lo_avd));
 577
 578                memcpy(&lo_tcontext, tcontext, sizeof(lo_tcontext));
 579                lo_tcontext.type = target->bounds;
 580
 581                context_struct_compute_av(scontext,
 582                                          &lo_tcontext,
 583                                          tclass,
 584                                          &lo_avd);
 585                if ((lo_avd.allowed & avd->allowed) == avd->allowed)
 586                        return;         /* no masked permission */
 587                masked = ~lo_avd.allowed & avd->allowed;
 588        }
 589
 590        if (source->bounds && target->bounds) {
 591                memset(&lo_avd, 0, sizeof(lo_avd));
 592                /*
 593                 * lo_scontext and lo_tcontext are already
 594                 * set up.
 595                 */
 596
 597                context_struct_compute_av(&lo_scontext,
 598                                          &lo_tcontext,
 599                                          tclass,
 600                                          &lo_avd);
 601                if ((lo_avd.allowed & avd->allowed) == avd->allowed)
 602                        return;         /* no masked permission */
 603                masked = ~lo_avd.allowed & avd->allowed;
 604        }
 605
 606        if (masked) {
 607                /* mask violated permissions */
 608                avd->allowed &= ~masked;
 609
 610                /* audit masked permissions */
 611                security_dump_masked_av(scontext, tcontext,
 612                                        tclass, masked, "bounds");
 613        }
 614}
 615
 616/*
 617 * Compute access vectors based on a context structure pair for
 618 * the permissions in a particular class.
 619 */
 620static void context_struct_compute_av(struct context *scontext,
 621                                      struct context *tcontext,
 622                                      u16 tclass,
 623                                      struct av_decision *avd)
 624{
 625        struct constraint_node *constraint;
 626        struct role_allow *ra;
 627        struct avtab_key avkey;
 628        struct avtab_node *node;
 629        struct class_datum *tclass_datum;
 630        struct ebitmap *sattr, *tattr;
 631        struct ebitmap_node *snode, *tnode;
 632        unsigned int i, j;
 633
 634        avd->allowed = 0;
 635        avd->auditallow = 0;
 636        avd->auditdeny = 0xffffffff;
 637
 638        if (unlikely(!tclass || tclass > policydb.p_classes.nprim)) {
 639                if (printk_ratelimit())
 640                        printk(KERN_WARNING "SELinux:  Invalid class %hu\n", tclass);
 641                return;
 642        }
 643
 644        tclass_datum = policydb.class_val_to_struct[tclass - 1];
 645
 646        /*
 647         * If a specific type enforcement rule was defined for
 648         * this permission check, then use it.
 649         */
 650        avkey.target_class = tclass;
 651        avkey.specified = AVTAB_AV;
 652        sattr = flex_array_get(policydb.type_attr_map_array, scontext->type - 1);
 653        BUG_ON(!sattr);
 654        tattr = flex_array_get(policydb.type_attr_map_array, tcontext->type - 1);
 655        BUG_ON(!tattr);
 656        ebitmap_for_each_positive_bit(sattr, snode, i) {
 657                ebitmap_for_each_positive_bit(tattr, tnode, j) {
 658                        avkey.source_type = i + 1;
 659                        avkey.target_type = j + 1;
 660                        for (node = avtab_search_node(&policydb.te_avtab, &avkey);
 661                             node;
 662                             node = avtab_search_node_next(node, avkey.specified)) {
 663                                if (node->key.specified == AVTAB_ALLOWED)
 664                                        avd->allowed |= node->datum.data;
 665                                else if (node->key.specified == AVTAB_AUDITALLOW)
 666                                        avd->auditallow |= node->datum.data;
 667                                else if (node->key.specified == AVTAB_AUDITDENY)
 668                                        avd->auditdeny &= node->datum.data;
 669                        }
 670
 671                        /* Check conditional av table for additional permissions */
 672                        cond_compute_av(&policydb.te_cond_avtab, &avkey, avd);
 673
 674                }
 675        }
 676
 677        /*
 678         * Remove any permissions prohibited by a constraint (this includes
 679         * the MLS policy).
 680         */
 681        constraint = tclass_datum->constraints;
 682        while (constraint) {
 683                if ((constraint->permissions & (avd->allowed)) &&
 684                    !constraint_expr_eval(scontext, tcontext, NULL,
 685                                          constraint->expr)) {
 686                        avd->allowed &= ~(constraint->permissions);
 687                }
 688                constraint = constraint->next;
 689        }
 690
 691        /*
 692         * If checking process transition permission and the
 693         * role is changing, then check the (current_role, new_role)
 694         * pair.
 695         */
 696        if (tclass == policydb.process_class &&
 697            (avd->allowed & policydb.process_trans_perms) &&
 698            scontext->role != tcontext->role) {
 699                for (ra = policydb.role_allow; ra; ra = ra->next) {
 700                        if (scontext->role == ra->role &&
 701                            tcontext->role == ra->new_role)
 702                                break;
 703                }
 704                if (!ra)
 705                        avd->allowed &= ~policydb.process_trans_perms;
 706        }
 707
 708        /*
 709         * If the given source and target types have boundary
 710         * constraint, lazy checks have to mask any violated
 711         * permission and notice it to userspace via audit.
 712         */
 713        type_attribute_bounds_av(scontext, tcontext,
 714                                 tclass, avd);
 715}
 716
 717static int security_validtrans_handle_fail(struct context *ocontext,
 718                                           struct context *ncontext,
 719                                           struct context *tcontext,
 720                                           u16 tclass)
 721{
 722        char *o = NULL, *n = NULL, *t = NULL;
 723        u32 olen, nlen, tlen;
 724
 725        if (context_struct_to_string(ocontext, &o, &olen))
 726                goto out;
 727        if (context_struct_to_string(ncontext, &n, &nlen))
 728                goto out;
 729        if (context_struct_to_string(tcontext, &t, &tlen))
 730                goto out;
 731        audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
 732                  "security_validate_transition:  denied for"
 733                  " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
 734                  o, n, t, sym_name(&policydb, SYM_CLASSES, tclass-1));
 735out:
 736        kfree(o);
 737        kfree(n);
 738        kfree(t);
 739
 740        if (!selinux_enforcing)
 741                return 0;
 742        return -EPERM;
 743}
 744
 745int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
 746                                 u16 orig_tclass)
 747{
 748        struct context *ocontext;
 749        struct context *ncontext;
 750        struct context *tcontext;
 751        struct class_datum *tclass_datum;
 752        struct constraint_node *constraint;
 753        u16 tclass;
 754        int rc = 0;
 755
 756        if (!ss_initialized)
 757                return 0;
 758
 759        read_lock(&policy_rwlock);
 760
 761        tclass = unmap_class(orig_tclass);
 762
 763        if (!tclass || tclass > policydb.p_classes.nprim) {
 764                printk(KERN_ERR "SELinux: %s:  unrecognized class %d\n",
 765                        __func__, tclass);
 766                rc = -EINVAL;
 767                goto out;
 768        }
 769        tclass_datum = policydb.class_val_to_struct[tclass - 1];
 770
 771        ocontext = sidtab_search(&sidtab, oldsid);
 772        if (!ocontext) {
 773                printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
 774                        __func__, oldsid);
 775                rc = -EINVAL;
 776                goto out;
 777        }
 778
 779        ncontext = sidtab_search(&sidtab, newsid);
 780        if (!ncontext) {
 781                printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
 782                        __func__, newsid);
 783                rc = -EINVAL;
 784                goto out;
 785        }
 786
 787        tcontext = sidtab_search(&sidtab, tasksid);
 788        if (!tcontext) {
 789                printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
 790                        __func__, tasksid);
 791                rc = -EINVAL;
 792                goto out;
 793        }
 794
 795        constraint = tclass_datum->validatetrans;
 796        while (constraint) {
 797                if (!constraint_expr_eval(ocontext, ncontext, tcontext,
 798                                          constraint->expr)) {
 799                        rc = security_validtrans_handle_fail(ocontext, ncontext,
 800                                                             tcontext, tclass);
 801                        goto out;
 802                }
 803                constraint = constraint->next;
 804        }
 805
 806out:
 807        read_unlock(&policy_rwlock);
 808        return rc;
 809}
 810
 811/*
 812 * security_bounded_transition - check whether the given
 813 * transition is directed to bounded, or not.
 814 * It returns 0, if @newsid is bounded by @oldsid.
 815 * Otherwise, it returns error code.
 816 *
 817 * @oldsid : current security identifier
 818 * @newsid : destinated security identifier
 819 */
 820int security_bounded_transition(u32 old_sid, u32 new_sid)
 821{
 822        struct context *old_context, *new_context;
 823        struct type_datum *type;
 824        int index;
 825        int rc;
 826
 827        read_lock(&policy_rwlock);
 828
 829        rc = -EINVAL;
 830        old_context = sidtab_search(&sidtab, old_sid);
 831        if (!old_context) {
 832                printk(KERN_ERR "SELinux: %s: unrecognized SID %u\n",
 833                       __func__, old_sid);
 834                goto out;
 835        }
 836
 837        rc = -EINVAL;
 838        new_context = sidtab_search(&sidtab, new_sid);
 839        if (!new_context) {
 840                printk(KERN_ERR "SELinux: %s: unrecognized SID %u\n",
 841                       __func__, new_sid);
 842                goto out;
 843        }
 844
 845        rc = 0;
 846        /* type/domain unchanged */
 847        if (old_context->type == new_context->type)
 848                goto out;
 849
 850        index = new_context->type;
 851        while (true) {
 852                type = flex_array_get_ptr(policydb.type_val_to_struct_array,
 853                                          index - 1);
 854                BUG_ON(!type);
 855
 856                /* not bounded anymore */
 857                rc = -EPERM;
 858                if (!type->bounds)
 859                        break;
 860
 861                /* @newsid is bounded by @oldsid */
 862                rc = 0;
 863                if (type->bounds == old_context->type)
 864                        break;
 865
 866                index = type->bounds;
 867        }
 868
 869        if (rc) {
 870                char *old_name = NULL;
 871                char *new_name = NULL;
 872                u32 length;
 873
 874                if (!context_struct_to_string(old_context,
 875                                              &old_name, &length) &&
 876                    !context_struct_to_string(new_context,
 877                                              &new_name, &length)) {
 878                        audit_log(current->audit_context,
 879                                  GFP_ATOMIC, AUDIT_SELINUX_ERR,
 880                                  "op=security_bounded_transition "
 881                                  "result=denied "
 882                                  "oldcontext=%s newcontext=%s",
 883                                  old_name, new_name);
 884                }
 885                kfree(new_name);
 886                kfree(old_name);
 887        }
 888out:
 889        read_unlock(&policy_rwlock);
 890
 891        return rc;
 892}
 893
 894static void avd_init(struct av_decision *avd)
 895{
 896        avd->allowed = 0;
 897        avd->auditallow = 0;
 898        avd->auditdeny = 0xffffffff;
 899        avd->seqno = latest_granting;
 900        avd->flags = 0;
 901}
 902
 903
 904/**
 905 * security_compute_av - Compute access vector decisions.
 906 * @ssid: source security identifier
 907 * @tsid: target security identifier
 908 * @tclass: target security class
 909 * @avd: access vector decisions
 910 *
 911 * Compute a set of access vector decisions based on the
 912 * SID pair (@ssid, @tsid) for the permissions in @tclass.
 913 */
 914void security_compute_av(u32 ssid,
 915                         u32 tsid,
 916                         u16 orig_tclass,
 917                         struct av_decision *avd)
 918{
 919        u16 tclass;
 920        struct context *scontext = NULL, *tcontext = NULL;
 921
 922        read_lock(&policy_rwlock);
 923        avd_init(avd);
 924        if (!ss_initialized)
 925                goto allow;
 926
 927        scontext = sidtab_search(&sidtab, ssid);
 928        if (!scontext) {
 929                printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
 930                       __func__, ssid);
 931                goto out;
 932        }
 933
 934        /* permissive domain? */
 935        if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
 936                avd->flags |= AVD_FLAGS_PERMISSIVE;
 937
 938        tcontext = sidtab_search(&sidtab, tsid);
 939        if (!tcontext) {
 940                printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
 941                       __func__, tsid);
 942                goto out;
 943        }
 944
 945        tclass = unmap_class(orig_tclass);
 946        if (unlikely(orig_tclass && !tclass)) {
 947                if (policydb.allow_unknown)
 948                        goto allow;
 949                goto out;
 950        }
 951        context_struct_compute_av(scontext, tcontext, tclass, avd);
 952        map_decision(orig_tclass, avd, policydb.allow_unknown);
 953out:
 954        read_unlock(&policy_rwlock);
 955        return;
 956allow:
 957        avd->allowed = 0xffffffff;
 958        goto out;
 959}
 960
 961void security_compute_av_user(u32 ssid,
 962                              u32 tsid,
 963                              u16 tclass,
 964                              struct av_decision *avd)
 965{
 966        struct context *scontext = NULL, *tcontext = NULL;
 967
 968        read_lock(&policy_rwlock);
 969        avd_init(avd);
 970        if (!ss_initialized)
 971                goto allow;
 972
 973        scontext = sidtab_search(&sidtab, ssid);
 974        if (!scontext) {
 975                printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
 976                       __func__, ssid);
 977                goto out;
 978        }
 979
 980        /* permissive domain? */
 981        if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
 982                avd->flags |= AVD_FLAGS_PERMISSIVE;
 983
 984        tcontext = sidtab_search(&sidtab, tsid);
 985        if (!tcontext) {
 986                printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
 987                       __func__, tsid);
 988                goto out;
 989        }
 990
 991        if (unlikely(!tclass)) {
 992                if (policydb.allow_unknown)
 993                        goto allow;
 994                goto out;
 995        }
 996
 997        context_struct_compute_av(scontext, tcontext, tclass, avd);
 998 out:
 999        read_unlock(&policy_rwlock);
1000        return;
1001allow:
1002        avd->allowed = 0xffffffff;
1003        goto out;
1004}
1005
1006/*
1007 * Write the security context string representation of
1008 * the context structure `context' into a dynamically
1009 * allocated string of the correct size.  Set `*scontext'
1010 * to point to this string and set `*scontext_len' to
1011 * the length of the string.
1012 */
1013static int context_struct_to_string(struct context *context, char **scontext, u32 *scontext_len)
1014{
1015        char *scontextp;
1016
1017        if (scontext)
1018                *scontext = NULL;
1019        *scontext_len = 0;
1020
1021        if (context->len) {
1022                *scontext_len = context->len;
1023                *scontext = kstrdup(context->str, GFP_ATOMIC);
1024                if (!(*scontext))
1025                        return -ENOMEM;
1026                return 0;
1027        }
1028
1029        /* Compute the size of the context. */
1030        *scontext_len += strlen(sym_name(&policydb, SYM_USERS, context->user - 1)) + 1;
1031        *scontext_len += strlen(sym_name(&policydb, SYM_ROLES, context->role - 1)) + 1;
1032        *scontext_len += strlen(sym_name(&policydb, SYM_TYPES, context->type - 1)) + 1;
1033        *scontext_len += mls_compute_context_len(context);
1034
1035        if (!scontext)
1036                return 0;
1037
1038        /* Allocate space for the context; caller must free this space. */
1039        scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
1040        if (!scontextp)
1041                return -ENOMEM;
1042        *scontext = scontextp;
1043
1044        /*
1045         * Copy the user name, role name and type name into the context.
1046         */
1047        sprintf(scontextp, "%s:%s:%s",
1048                sym_name(&policydb, SYM_USERS, context->user - 1),
1049                sym_name(&policydb, SYM_ROLES, context->role - 1),
1050                sym_name(&policydb, SYM_TYPES, context->type - 1));
1051        scontextp += strlen(sym_name(&policydb, SYM_USERS, context->user - 1)) +
1052                     1 + strlen(sym_name(&policydb, SYM_ROLES, context->role - 1)) +
1053                     1 + strlen(sym_name(&policydb, SYM_TYPES, context->type - 1));
1054
1055        mls_sid_to_context(context, &scontextp);
1056
1057        *scontextp = 0;
1058
1059        return 0;
1060}
1061
1062#include "initial_sid_to_string.h"
1063
1064const char *security_get_initial_sid_context(u32 sid)
1065{
1066        if (unlikely(sid > SECINITSID_NUM))
1067                return NULL;
1068        return initial_sid_to_string[sid];
1069}
1070
1071static int security_sid_to_context_core(u32 sid, char **scontext,
1072                                        u32 *scontext_len, int force)
1073{
1074        struct context *context;
1075        int rc = 0;
1076
1077        if (scontext)
1078                *scontext = NULL;
1079        *scontext_len  = 0;
1080
1081        if (!ss_initialized) {
1082                if (sid <= SECINITSID_NUM) {
1083                        char *scontextp;
1084
1085                        *scontext_len = strlen(initial_sid_to_string[sid]) + 1;
1086                        if (!scontext)
1087                                goto out;
1088                        scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
1089                        if (!scontextp) {
1090                                rc = -ENOMEM;
1091                                goto out;
1092                        }
1093                        strcpy(scontextp, initial_sid_to_string[sid]);
1094                        *scontext = scontextp;
1095                        goto out;
1096                }
1097                printk(KERN_ERR "SELinux: %s:  called before initial "
1098                       "load_policy on unknown SID %d\n", __func__, sid);
1099                rc = -EINVAL;
1100                goto out;
1101        }
1102        read_lock(&policy_rwlock);
1103        if (force)
1104                context = sidtab_search_force(&sidtab, sid);
1105        else
1106                context = sidtab_search(&sidtab, sid);
1107        if (!context) {
1108                printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1109                        __func__, sid);
1110                rc = -EINVAL;
1111                goto out_unlock;
1112        }
1113        rc = context_struct_to_string(context, scontext, scontext_len);
1114out_unlock:
1115        read_unlock(&policy_rwlock);
1116out:
1117        return rc;
1118
1119}
1120
1121/**
1122 * security_sid_to_context - Obtain a context for a given SID.
1123 * @sid: security identifier, SID
1124 * @scontext: security context
1125 * @scontext_len: length in bytes
1126 *
1127 * Write the string representation of the context associated with @sid
1128 * into a dynamically allocated string of the correct size.  Set @scontext
1129 * to point to this string and set @scontext_len to the length of the string.
1130 */
1131int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
1132{
1133        return security_sid_to_context_core(sid, scontext, scontext_len, 0);
1134}
1135
1136int security_sid_to_context_force(u32 sid, char **scontext, u32 *scontext_len)
1137{
1138        return security_sid_to_context_core(sid, scontext, scontext_len, 1);
1139}
1140
1141/*
1142 * Caveat:  Mutates scontext.
1143 */
1144static int string_to_context_struct(struct policydb *pol,
1145                                    struct sidtab *sidtabp,
1146                                    char *scontext,
1147                                    u32 scontext_len,
1148                                    struct context *ctx,
1149                                    u32 def_sid)
1150{
1151        struct role_datum *role;
1152        struct type_datum *typdatum;
1153        struct user_datum *usrdatum;
1154        char *scontextp, *p, oldc;
1155        int rc = 0;
1156
1157        context_init(ctx);
1158
1159        /* Parse the security context. */
1160
1161        rc = -EINVAL;
1162        scontextp = (char *) scontext;
1163
1164        /* Extract the user. */
1165        p = scontextp;
1166        while (*p && *p != ':')
1167                p++;
1168
1169        if (*p == 0)
1170                goto out;
1171
1172        *p++ = 0;
1173
1174        usrdatum = hashtab_search(pol->p_users.table, scontextp);
1175        if (!usrdatum)
1176                goto out;
1177
1178        ctx->user = usrdatum->value;
1179
1180        /* Extract role. */
1181        scontextp = p;
1182        while (*p && *p != ':')
1183                p++;
1184
1185        if (*p == 0)
1186                goto out;
1187
1188        *p++ = 0;
1189
1190        role = hashtab_search(pol->p_roles.table, scontextp);
1191        if (!role)
1192                goto out;
1193        ctx->role = role->value;
1194
1195        /* Extract type. */
1196        scontextp = p;
1197        while (*p && *p != ':')
1198                p++;
1199        oldc = *p;
1200        *p++ = 0;
1201
1202        typdatum = hashtab_search(pol->p_types.table, scontextp);
1203        if (!typdatum || typdatum->attribute)
1204                goto out;
1205
1206        ctx->type = typdatum->value;
1207
1208        rc = mls_context_to_sid(pol, oldc, &p, ctx, sidtabp, def_sid);
1209        if (rc)
1210                goto out;
1211
1212        rc = -EINVAL;
1213        if ((p - scontext) < scontext_len)
1214                goto out;
1215
1216        /* Check the validity of the new context. */
1217        if (!policydb_context_isvalid(pol, ctx))
1218                goto out;
1219        rc = 0;
1220out:
1221        if (rc)
1222                context_destroy(ctx);
1223        return rc;
1224}
1225
1226static int security_context_to_sid_core(const char *scontext, u32 scontext_len,
1227                                        u32 *sid, u32 def_sid, gfp_t gfp_flags,
1228                                        int force)
1229{
1230        char *scontext2, *str = NULL;
1231        struct context context;
1232        int rc = 0;
1233
1234        if (!ss_initialized) {
1235                int i;
1236
1237                for (i = 1; i < SECINITSID_NUM; i++) {
1238                        if (!strcmp(initial_sid_to_string[i], scontext)) {
1239                                *sid = i;
1240                                return 0;
1241                        }
1242                }
1243                *sid = SECINITSID_KERNEL;
1244                return 0;
1245        }
1246        *sid = SECSID_NULL;
1247
1248        /* Copy the string so that we can modify the copy as we parse it. */
1249        scontext2 = kmalloc(scontext_len + 1, gfp_flags);
1250        if (!scontext2)
1251                return -ENOMEM;
1252        memcpy(scontext2, scontext, scontext_len);
1253        scontext2[scontext_len] = 0;
1254
1255        if (force) {
1256                /* Save another copy for storing in uninterpreted form */
1257                rc = -ENOMEM;
1258                str = kstrdup(scontext2, gfp_flags);
1259                if (!str)
1260                        goto out;
1261        }
1262
1263        read_lock(&policy_rwlock);
1264        rc = string_to_context_struct(&policydb, &sidtab, scontext2,
1265                                      scontext_len, &context, def_sid);
1266        if (rc == -EINVAL && force) {
1267                context.str = str;
1268                context.len = scontext_len;
1269                str = NULL;
1270        } else if (rc)
1271                goto out_unlock;
1272        rc = sidtab_context_to_sid(&sidtab, &context, sid);
1273        context_destroy(&context);
1274out_unlock:
1275        read_unlock(&policy_rwlock);
1276out:
1277        kfree(scontext2);
1278        kfree(str);
1279        return rc;
1280}
1281
1282/**
1283 * security_context_to_sid - Obtain a SID for a given security context.
1284 * @scontext: security context
1285 * @scontext_len: length in bytes
1286 * @sid: security identifier, SID
1287 *
1288 * Obtains a SID associated with the security context that
1289 * has the string representation specified by @scontext.
1290 * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
1291 * memory is available, or 0 on success.
1292 */
1293int security_context_to_sid(const char *scontext, u32 scontext_len, u32 *sid)
1294{
1295        return security_context_to_sid_core(scontext, scontext_len,
1296                                            sid, SECSID_NULL, GFP_KERNEL, 0);
1297}
1298
1299/**
1300 * security_context_to_sid_default - Obtain a SID for a given security context,
1301 * falling back to specified default if needed.
1302 *
1303 * @scontext: security context
1304 * @scontext_len: length in bytes
1305 * @sid: security identifier, SID
1306 * @def_sid: default SID to assign on error
1307 *
1308 * Obtains a SID associated with the security context that
1309 * has the string representation specified by @scontext.
1310 * The default SID is passed to the MLS layer to be used to allow
1311 * kernel labeling of the MLS field if the MLS field is not present
1312 * (for upgrading to MLS without full relabel).
1313 * Implicitly forces adding of the context even if it cannot be mapped yet.
1314 * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
1315 * memory is available, or 0 on success.
1316 */
1317int security_context_to_sid_default(const char *scontext, u32 scontext_len,
1318                                    u32 *sid, u32 def_sid, gfp_t gfp_flags)
1319{
1320        return security_context_to_sid_core(scontext, scontext_len,
1321                                            sid, def_sid, gfp_flags, 1);
1322}
1323
1324int security_context_to_sid_force(const char *scontext, u32 scontext_len,
1325                                  u32 *sid)
1326{
1327        return security_context_to_sid_core(scontext, scontext_len,
1328                                            sid, SECSID_NULL, GFP_KERNEL, 1);
1329}
1330
1331static int compute_sid_handle_invalid_context(
1332        struct context *scontext,
1333        struct context *tcontext,
1334        u16 tclass,
1335        struct context *newcontext)
1336{
1337        char *s = NULL, *t = NULL, *n = NULL;
1338        u32 slen, tlen, nlen;
1339
1340        if (context_struct_to_string(scontext, &s, &slen))
1341                goto out;
1342        if (context_struct_to_string(tcontext, &t, &tlen))
1343                goto out;
1344        if (context_struct_to_string(newcontext, &n, &nlen))
1345                goto out;
1346        audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
1347                  "security_compute_sid:  invalid context %s"
1348                  " for scontext=%s"
1349                  " tcontext=%s"
1350                  " tclass=%s",
1351                  n, s, t, sym_name(&policydb, SYM_CLASSES, tclass-1));
1352out:
1353        kfree(s);
1354        kfree(t);
1355        kfree(n);
1356        if (!selinux_enforcing)
1357                return 0;
1358        return -EACCES;
1359}
1360
1361static void filename_compute_type(struct policydb *p, struct context *newcontext,
1362                                  u32 scon, u32 tcon, u16 tclass,
1363                                  const struct qstr *qstr)
1364{
1365        struct filename_trans *ft;
1366        for (ft = p->filename_trans; ft; ft = ft->next) {
1367                if (ft->stype == scon &&
1368                    ft->ttype == tcon &&
1369                    ft->tclass == tclass &&
1370                    !strcmp(ft->name, qstr->name)) {
1371                        newcontext->type = ft->otype;
1372                        return;
1373                }
1374        }
1375}
1376
1377static int security_compute_sid(u32 ssid,
1378                                u32 tsid,
1379                                u16 orig_tclass,
1380                                u32 specified,
1381                                const struct qstr *qstr,
1382                                u32 *out_sid,
1383                                bool kern)
1384{
1385        struct context *scontext = NULL, *tcontext = NULL, newcontext;
1386        struct role_trans *roletr = NULL;
1387        struct avtab_key avkey;
1388        struct avtab_datum *avdatum;
1389        struct avtab_node *node;
1390        u16 tclass;
1391        int rc = 0;
1392        bool sock;
1393
1394        if (!ss_initialized) {
1395                switch (orig_tclass) {
1396                case SECCLASS_PROCESS: /* kernel value */
1397                        *out_sid = ssid;
1398                        break;
1399                default:
1400                        *out_sid = tsid;
1401                        break;
1402                }
1403                goto out;
1404        }
1405
1406        context_init(&newcontext);
1407
1408        read_lock(&policy_rwlock);
1409
1410        if (kern) {
1411                tclass = unmap_class(orig_tclass);
1412                sock = security_is_socket_class(orig_tclass);
1413        } else {
1414                tclass = orig_tclass;
1415                sock = security_is_socket_class(map_class(tclass));
1416        }
1417
1418        scontext = sidtab_search(&sidtab, ssid);
1419        if (!scontext) {
1420                printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1421                       __func__, ssid);
1422                rc = -EINVAL;
1423                goto out_unlock;
1424        }
1425        tcontext = sidtab_search(&sidtab, tsid);
1426        if (!tcontext) {
1427                printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1428                       __func__, tsid);
1429                rc = -EINVAL;
1430                goto out_unlock;
1431        }
1432
1433        /* Set the user identity. */
1434        switch (specified) {
1435        case AVTAB_TRANSITION:
1436        case AVTAB_CHANGE:
1437                /* Use the process user identity. */
1438                newcontext.user = scontext->user;
1439                break;
1440        case AVTAB_MEMBER:
1441                /* Use the related object owner. */
1442                newcontext.user = tcontext->user;
1443                break;
1444        }
1445
1446        /* Set the role and type to default values. */
1447        if ((tclass == policydb.process_class) || (sock == true)) {
1448                /* Use the current role and type of process. */
1449                newcontext.role = scontext->role;
1450                newcontext.type = scontext->type;
1451        } else {
1452                /* Use the well-defined object role. */
1453                newcontext.role = OBJECT_R_VAL;
1454                /* Use the type of the related object. */
1455                newcontext.type = tcontext->type;
1456        }
1457
1458        /* Look for a type transition/member/change rule. */
1459        avkey.source_type = scontext->type;
1460        avkey.target_type = tcontext->type;
1461        avkey.target_class = tclass;
1462        avkey.specified = specified;
1463        avdatum = avtab_search(&policydb.te_avtab, &avkey);
1464
1465        /* If no permanent rule, also check for enabled conditional rules */
1466        if (!avdatum) {
1467                node = avtab_search_node(&policydb.te_cond_avtab, &avkey);
1468                for (; node; node = avtab_search_node_next(node, specified)) {
1469                        if (node->key.specified & AVTAB_ENABLED) {
1470                                avdatum = &node->datum;
1471                                break;
1472                        }
1473                }
1474        }
1475
1476        if (avdatum) {
1477                /* Use the type from the type transition/member/change rule. */
1478                newcontext.type = avdatum->data;
1479        }
1480
1481        /* if we have a qstr this is a file trans check so check those rules */
1482        if (qstr)
1483                filename_compute_type(&policydb, &newcontext, scontext->type,
1484                                      tcontext->type, tclass, qstr);
1485
1486        /* Check for class-specific changes. */
1487        if  (tclass == policydb.process_class) {
1488                if (specified & AVTAB_TRANSITION) {
1489                        /* Look for a role transition rule. */
1490                        for (roletr = policydb.role_tr; roletr;
1491                             roletr = roletr->next) {
1492                                if (roletr->role == scontext->role &&
1493                                    roletr->type == tcontext->type) {
1494                                        /* Use the role transition rule. */
1495                                        newcontext.role = roletr->new_role;
1496                                        break;
1497                                }
1498                        }
1499                }
1500        }
1501
1502        /* Set the MLS attributes.
1503           This is done last because it may allocate memory. */
1504        rc = mls_compute_sid(scontext, tcontext, tclass, specified,
1505                             &newcontext, sock);
1506        if (rc)
1507                goto out_unlock;
1508
1509        /* Check the validity of the context. */
1510        if (!policydb_context_isvalid(&policydb, &newcontext)) {
1511                rc = compute_sid_handle_invalid_context(scontext,
1512                                                        tcontext,
1513                                                        tclass,
1514                                                        &newcontext);
1515                if (rc)
1516                        goto out_unlock;
1517        }
1518        /* Obtain the sid for the context. */
1519        rc = sidtab_context_to_sid(&sidtab, &newcontext, out_sid);
1520out_unlock:
1521        read_unlock(&policy_rwlock);
1522        context_destroy(&newcontext);
1523out:
1524        return rc;
1525}
1526
1527/**
1528 * security_transition_sid - Compute the SID for a new subject/object.
1529 * @ssid: source security identifier
1530 * @tsid: target security identifier
1531 * @tclass: target security class
1532 * @out_sid: security identifier for new subject/object
1533 *
1534 * Compute a SID to use for labeling a new subject or object in the
1535 * class @tclass based on a SID pair (@ssid, @tsid).
1536 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
1537 * if insufficient memory is available, or %0 if the new SID was
1538 * computed successfully.
1539 */
1540int security_transition_sid(u32 ssid, u32 tsid, u16 tclass,
1541                            const struct qstr *qstr, u32 *out_sid)
1542{
1543        return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
1544                                    qstr, out_sid, true);
1545}
1546
1547int security_transition_sid_user(u32 ssid, u32 tsid, u16 tclass, u32 *out_sid)
1548{
1549        return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
1550                                    NULL, out_sid, false);
1551}
1552
1553/**
1554 * security_member_sid - Compute the SID for member selection.
1555 * @ssid: source security identifier
1556 * @tsid: target security identifier
1557 * @tclass: target security class
1558 * @out_sid: security identifier for selected member
1559 *
1560 * Compute a SID to use when selecting a member of a polyinstantiated
1561 * object of class @tclass based on a SID pair (@ssid, @tsid).
1562 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
1563 * if insufficient memory is available, or %0 if the SID was
1564 * computed successfully.
1565 */
1566int security_member_sid(u32 ssid,
1567                        u32 tsid,
1568                        u16 tclass,
1569                        u32 *out_sid)
1570{
1571        return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, NULL,
1572                                    out_sid, false);
1573}
1574
1575/**
1576 * security_change_sid - Compute the SID for object relabeling.
1577 * @ssid: source security identifier
1578 * @tsid: target security identifier
1579 * @tclass: target security class
1580 * @out_sid: security identifier for selected member
1581 *
1582 * Compute a SID to use for relabeling an object of class @tclass
1583 * based on a SID pair (@ssid, @tsid).
1584 * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
1585 * if insufficient memory is available, or %0 if the SID was
1586 * computed successfully.
1587 */
1588int security_change_sid(u32 ssid,
1589                        u32 tsid,
1590                        u16 tclass,
1591                        u32 *out_sid)
1592{
1593        return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, NULL,
1594                                    out_sid, false);
1595}
1596
1597/* Clone the SID into the new SID table. */
1598static int clone_sid(u32 sid,
1599                     struct context *context,
1600                     void *arg)
1601{
1602        struct sidtab *s = arg;
1603
1604        if (sid > SECINITSID_NUM)
1605                return sidtab_insert(s, sid, context);
1606        else
1607                return 0;
1608}
1609
1610static inline int convert_context_handle_invalid_context(struct context *context)
1611{
1612        char *s;
1613        u32 len;
1614
1615        if (selinux_enforcing)
1616                return -EINVAL;
1617
1618        if (!context_struct_to_string(context, &s, &len)) {
1619                printk(KERN_WARNING "SELinux:  Context %s would be invalid if enforcing\n", s);
1620                kfree(s);
1621        }
1622        return 0;
1623}
1624
1625struct convert_context_args {
1626        struct policydb *oldp;
1627        struct policydb *newp;
1628};
1629
1630/*
1631 * Convert the values in the security context
1632 * structure `c' from the values specified
1633 * in the policy `p->oldp' to the values specified
1634 * in the policy `p->newp'.  Verify that the
1635 * context is valid under the new policy.
1636 */
1637static int convert_context(u32 key,
1638                           struct context *c,
1639                           void *p)
1640{
1641        struct convert_context_args *args;
1642        struct context oldc;
1643        struct ocontext *oc;
1644        struct mls_range *range;
1645        struct role_datum *role;
1646        struct type_datum *typdatum;
1647        struct user_datum *usrdatum;
1648        char *s;
1649        u32 len;
1650        int rc = 0;
1651
1652        if (key <= SECINITSID_NUM)
1653                goto out;
1654
1655        args = p;
1656
1657        if (c->str) {
1658                struct context ctx;
1659
1660                rc = -ENOMEM;
1661                s = kstrdup(c->str, GFP_KERNEL);
1662                if (!s)
1663                        goto out;
1664
1665                rc = string_to_context_struct(args->newp, NULL, s,
1666                                              c->len, &ctx, SECSID_NULL);
1667                kfree(s);
1668                if (!rc) {
1669                        printk(KERN_INFO "SELinux:  Context %s became valid (mapped).\n",
1670                               c->str);
1671                        /* Replace string with mapped representation. */
1672                        kfree(c->str);
1673                        memcpy(c, &ctx, sizeof(*c));
1674                        goto out;
1675                } else if (rc == -EINVAL) {
1676                        /* Retain string representation for later mapping. */
1677                        rc = 0;
1678                        goto out;
1679                } else {
1680                        /* Other error condition, e.g. ENOMEM. */
1681                        printk(KERN_ERR "SELinux:   Unable to map context %s, rc = %d.\n",
1682                               c->str, -rc);
1683                        goto out;
1684                }
1685        }
1686
1687        rc = context_cpy(&oldc, c);
1688        if (rc)
1689                goto out;
1690
1691        /* Convert the user. */
1692        rc = -EINVAL;
1693        usrdatum = hashtab_search(args->newp->p_users.table,
1694                                  sym_name(args->oldp, SYM_USERS, c->user - 1));
1695        if (!usrdatum)
1696                goto bad;
1697        c->user = usrdatum->value;
1698
1699        /* Convert the role. */
1700        rc = -EINVAL;
1701        role = hashtab_search(args->newp->p_roles.table,
1702                              sym_name(args->oldp, SYM_ROLES, c->role - 1));
1703        if (!role)
1704                goto bad;
1705        c->role = role->value;
1706
1707        /* Convert the type. */
1708        rc = -EINVAL;
1709        typdatum = hashtab_search(args->newp->p_types.table,
1710                                  sym_name(args->oldp, SYM_TYPES, c->type - 1));
1711        if (!typdatum)
1712                goto bad;
1713        c->type = typdatum->value;
1714
1715        /* Convert the MLS fields if dealing with MLS policies */
1716        if (args->oldp->mls_enabled && args->newp->mls_enabled) {
1717                rc = mls_convert_context(args->oldp, args->newp, c);
1718                if (rc)
1719                        goto bad;
1720        } else if (args->oldp->mls_enabled && !args->newp->mls_enabled) {
1721                /*
1722                 * Switching between MLS and non-MLS policy:
1723                 * free any storage used by the MLS fields in the
1724                 * context for all existing entries in the sidtab.
1725                 */
1726                mls_context_destroy(c);
1727        } else if (!args->oldp->mls_enabled && args->newp->mls_enabled) {
1728                /*
1729                 * Switching between non-MLS and MLS policy:
1730                 * ensure that the MLS fields of the context for all
1731                 * existing entries in the sidtab are filled in with a
1732                 * suitable default value, likely taken from one of the
1733                 * initial SIDs.
1734                 */
1735                oc = args->newp->ocontexts[OCON_ISID];
1736                while (oc && oc->sid[0] != SECINITSID_UNLABELED)
1737                        oc = oc->next;
1738                rc = -EINVAL;
1739                if (!oc) {
1740                        printk(KERN_ERR "SELinux:  unable to look up"
1741                                " the initial SIDs list\n");
1742                        goto bad;
1743                }
1744                range = &oc->context[0].range;
1745                rc = mls_range_set(c, range);
1746                if (rc)
1747                        goto bad;
1748        }
1749
1750        /* Check the validity of the new context. */
1751        if (!policydb_context_isvalid(args->newp, c)) {
1752                rc = convert_context_handle_invalid_context(&oldc);
1753                if (rc)
1754                        goto bad;
1755        }
1756
1757        context_destroy(&oldc);
1758
1759        rc = 0;
1760out:
1761        return rc;
1762bad:
1763        /* Map old representation to string and save it. */
1764        rc = context_struct_to_string(&oldc, &s, &len);
1765        if (rc)
1766                return rc;
1767        context_destroy(&oldc);
1768        context_destroy(c);
1769        c->str = s;
1770        c->len = len;
1771        printk(KERN_INFO "SELinux:  Context %s became invalid (unmapped).\n",
1772               c->str);
1773        rc = 0;
1774        goto out;
1775}
1776
1777static void security_load_policycaps(void)
1778{
1779        selinux_policycap_netpeer = ebitmap_get_bit(&policydb.policycaps,
1780                                                  POLICYDB_CAPABILITY_NETPEER);
1781        selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps,
1782                                                  POLICYDB_CAPABILITY_OPENPERM);
1783}
1784
1785extern void selinux_complete_init(void);
1786static int security_preserve_bools(struct policydb *p);
1787
1788/**
1789 * security_load_policy - Load a security policy configuration.
1790 * @data: binary policy data
1791 * @len: length of data in bytes
1792 *
1793 * Load a new set of security policy configuration data,
1794 * validate it and convert the SID table as necessary.
1795 * This function will flush the access vector cache after
1796 * loading the new policy.
1797 */
1798int security_load_policy(void *data, size_t len)
1799{
1800        struct policydb oldpolicydb, newpolicydb;
1801        struct sidtab oldsidtab, newsidtab;
1802        struct selinux_mapping *oldmap, *map = NULL;
1803        struct convert_context_args args;
1804        u32 seqno;
1805        u16 map_size;
1806        int rc = 0;
1807        struct policy_file file = { data, len }, *fp = &file;
1808
1809        if (!ss_initialized) {
1810                avtab_cache_init();
1811                rc = policydb_read(&policydb, fp);
1812                if (rc) {
1813                        avtab_cache_destroy();
1814                        return rc;
1815                }
1816
1817                policydb.len = len;
1818                rc = selinux_set_mapping(&policydb, secclass_map,
1819                                         &current_mapping,
1820                                         &current_mapping_size);
1821                if (rc) {
1822                        policydb_destroy(&policydb);
1823                        avtab_cache_destroy();
1824                        return rc;
1825                }
1826
1827                rc = policydb_load_isids(&policydb, &sidtab);
1828                if (rc) {
1829                        policydb_destroy(&policydb);
1830                        avtab_cache_destroy();
1831                        return rc;
1832                }
1833
1834                security_load_policycaps();
1835                ss_initialized = 1;
1836                seqno = ++latest_granting;
1837                selinux_complete_init();
1838                avc_ss_reset(seqno);
1839                selnl_notify_policyload(seqno);
1840                selinux_status_update_policyload(seqno);
1841                selinux_netlbl_cache_invalidate();
1842                selinux_xfrm_notify_policyload();
1843                return 0;
1844        }
1845
1846#if 0
1847        sidtab_hash_eval(&sidtab, "sids");
1848#endif
1849
1850        rc = policydb_read(&newpolicydb, fp);
1851        if (rc)
1852                return rc;
1853
1854        newpolicydb.len = len;
1855        /* If switching between different policy types, log MLS status */
1856        if (policydb.mls_enabled && !newpolicydb.mls_enabled)
1857                printk(KERN_INFO "SELinux: Disabling MLS support...\n");
1858        else if (!policydb.mls_enabled && newpolicydb.mls_enabled)
1859                printk(KERN_INFO "SELinux: Enabling MLS support...\n");
1860
1861        rc = policydb_load_isids(&newpolicydb, &newsidtab);
1862        if (rc) {
1863                printk(KERN_ERR "SELinux:  unable to load the initial SIDs\n");
1864                policydb_destroy(&newpolicydb);
1865                return rc;
1866        }
1867
1868        rc = selinux_set_mapping(&newpolicydb, secclass_map, &map, &map_size);
1869        if (rc)
1870                goto err;
1871
1872        rc = security_preserve_bools(&newpolicydb);
1873        if (rc) {
1874                printk(KERN_ERR "SELinux:  unable to preserve booleans\n");
1875                goto err;
1876        }
1877
1878        /* Clone the SID table. */
1879        sidtab_shutdown(&sidtab);
1880
1881        rc = sidtab_map(&sidtab, clone_sid, &newsidtab);
1882        if (rc)
1883                goto err;
1884
1885        /*
1886         * Convert the internal representations of contexts
1887         * in the new SID table.
1888         */
1889        args.oldp = &policydb;
1890        args.newp = &newpolicydb;
1891        rc = sidtab_map(&newsidtab, convert_context, &args);
1892        if (rc) {
1893                printk(KERN_ERR "SELinux:  unable to convert the internal"
1894                        " representation of contexts in the new SID"
1895                        " table\n");
1896                goto err;
1897        }
1898
1899        /* Save the old policydb and SID table to free later. */
1900        memcpy(&oldpolicydb, &policydb, sizeof policydb);
1901        sidtab_set(&oldsidtab, &sidtab);
1902
1903        /* Install the new policydb and SID table. */
1904        write_lock_irq(&policy_rwlock);
1905        memcpy(&policydb, &newpolicydb, sizeof policydb);
1906        sidtab_set(&sidtab, &newsidtab);
1907        security_load_policycaps();
1908        oldmap = current_mapping;
1909        current_mapping = map;
1910        current_mapping_size = map_size;
1911        seqno = ++latest_granting;
1912        write_unlock_irq(&policy_rwlock);
1913
1914        /* Free the old policydb and SID table. */
1915        policydb_destroy(&oldpolicydb);
1916        sidtab_destroy(&oldsidtab);
1917        kfree(oldmap);
1918
1919        avc_ss_reset(seqno);
1920        selnl_notify_policyload(seqno);
1921        selinux_status_update_policyload(seqno);
1922        selinux_netlbl_cache_invalidate();
1923        selinux_xfrm_notify_policyload();
1924
1925        return 0;
1926
1927err:
1928        kfree(map);
1929        sidtab_destroy(&newsidtab);
1930        policydb_destroy(&newpolicydb);
1931        return rc;
1932
1933}
1934
1935size_t security_policydb_len(void)
1936{
1937        size_t len;
1938
1939        read_lock(&policy_rwlock);
1940        len = policydb.len;
1941        read_unlock(&policy_rwlock);
1942
1943        return len;
1944}
1945
1946/**
1947 * security_port_sid - Obtain the SID for a port.
1948 * @protocol: protocol number
1949 * @port: port number
1950 * @out_sid: security identifier
1951 */
1952int security_port_sid(u8 protocol, u16 port, u32 *out_sid)
1953{
1954        struct ocontext *c;
1955        int rc = 0;
1956
1957        read_lock(&policy_rwlock);
1958
1959        c = policydb.ocontexts[OCON_PORT];
1960        while (c) {
1961                if (c->u.port.protocol == protocol &&
1962                    c->u.port.low_port <= port &&
1963                    c->u.port.high_port >= port)
1964                        break;
1965                c = c->next;
1966        }
1967
1968        if (c) {
1969                if (!c->sid[0]) {
1970                        rc = sidtab_context_to_sid(&sidtab,
1971                                                   &c->context[0],
1972                                                   &c->sid[0]);
1973                        if (rc)
1974                                goto out;
1975                }
1976                *out_sid = c->sid[0];
1977        } else {
1978                *out_sid = SECINITSID_PORT;
1979        }
1980
1981out:
1982        read_unlock(&policy_rwlock);
1983        return rc;
1984}
1985
1986/**
1987 * security_netif_sid - Obtain the SID for a network interface.
1988 * @name: interface name
1989 * @if_sid: interface SID
1990 */
1991int security_netif_sid(char *name, u32 *if_sid)
1992{
1993        int rc = 0;
1994        struct ocontext *c;
1995
1996        read_lock(&policy_rwlock);
1997
1998        c = policydb.ocontexts[OCON_NETIF];
1999        while (c) {
2000                if (strcmp(name, c->u.name) == 0)
2001                        break;
2002                c = c->next;
2003        }
2004
2005        if (c) {
2006                if (!c->sid[0] || !c->sid[1]) {
2007                        rc = sidtab_context_to_sid(&sidtab,
2008                                                  &c->context[0],
2009                                                  &c->sid[0]);
2010                        if (rc)
2011                                goto out;
2012                        rc = sidtab_context_to_sid(&sidtab,
2013                                                   &c->context[1],
2014                                                   &c->sid[1]);
2015                        if (rc)
2016                                goto out;
2017                }
2018                *if_sid = c->sid[0];
2019        } else
2020                *if_sid = SECINITSID_NETIF;
2021
2022out:
2023        read_unlock(&policy_rwlock);
2024        return rc;
2025}
2026
2027static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask)
2028{
2029        int i, fail = 0;
2030
2031        for (i = 0; i < 4; i++)
2032                if (addr[i] != (input[i] & mask[i])) {
2033                        fail = 1;
2034                        break;
2035                }
2036
2037        return !fail;
2038}
2039
2040/**
2041 * security_node_sid - Obtain the SID for a node (host).
2042 * @domain: communication domain aka address family
2043 * @addrp: address
2044 * @addrlen: address length in bytes
2045 * @out_sid: security identifier
2046 */
2047int security_node_sid(u16 domain,
2048                      void *addrp,
2049                      u32 addrlen,
2050                      u32 *out_sid)
2051{
2052        int rc;
2053        struct ocontext *c;
2054
2055        read_lock(&policy_rwlock);
2056
2057        switch (domain) {
2058        case AF_INET: {
2059                u32 addr;
2060
2061                rc = -EINVAL;
2062                if (addrlen != sizeof(u32))
2063                        goto out;
2064
2065                addr = *((u32 *)addrp);
2066
2067                c = policydb.ocontexts[OCON_NODE];
2068                while (c) {
2069                        if (c->u.node.addr == (addr & c->u.node.mask))
2070                                break;
2071                        c = c->next;
2072                }
2073                break;
2074        }
2075
2076        case AF_INET6:
2077                rc = -EINVAL;
2078                if (addrlen != sizeof(u64) * 2)
2079                        goto out;
2080                c = policydb.ocontexts[OCON_NODE6];
2081                while (c) {
2082                        if (match_ipv6_addrmask(addrp, c->u.node6.addr,
2083                                                c->u.node6.mask))
2084                                break;
2085                        c = c->next;
2086                }
2087                break;
2088
2089        default:
2090                rc = 0;
2091                *out_sid = SECINITSID_NODE;
2092                goto out;
2093        }
2094
2095        if (c) {
2096                if (!c->sid[0]) {
2097                        rc = sidtab_context_to_sid(&sidtab,
2098                                                   &c->context[0],
2099                                                   &c->sid[0]);
2100                        if (rc)
2101                                goto out;
2102                }
2103                *out_sid = c->sid[0];
2104        } else {
2105                *out_sid = SECINITSID_NODE;
2106        }
2107
2108        rc = 0;
2109out:
2110        read_unlock(&policy_rwlock);
2111        return rc;
2112}
2113
2114#define SIDS_NEL 25
2115
2116/**
2117 * security_get_user_sids - Obtain reachable SIDs for a user.
2118 * @fromsid: starting SID
2119 * @username: username
2120 * @sids: array of reachable SIDs for user
2121 * @nel: number of elements in @sids
2122 *
2123 * Generate the set of SIDs for legal security contexts
2124 * for a given user that can be reached by @fromsid.
2125 * Set *@sids to point to a dynamically allocated
2126 * array containing the set of SIDs.  Set *@nel to the
2127 * number of elements in the array.
2128 */
2129
2130int security_get_user_sids(u32 fromsid,
2131                           char *username,
2132                           u32 **sids,
2133                           u32 *nel)
2134{
2135        struct context *fromcon, usercon;
2136        u32 *mysids = NULL, *mysids2, sid;
2137        u32 mynel = 0, maxnel = SIDS_NEL;
2138        struct user_datum *user;
2139        struct role_datum *role;
2140        struct ebitmap_node *rnode, *tnode;
2141        int rc = 0, i, j;
2142
2143        *sids = NULL;
2144        *nel = 0;
2145
2146        if (!ss_initialized)
2147                goto out;
2148
2149        read_lock(&policy_rwlock);
2150
2151        context_init(&usercon);
2152
2153        rc = -EINVAL;
2154        fromcon = sidtab_search(&sidtab, fromsid);
2155        if (!fromcon)
2156                goto out_unlock;
2157
2158        rc = -EINVAL;
2159        user = hashtab_search(policydb.p_users.table, username);
2160        if (!user)
2161                goto out_unlock;
2162
2163        usercon.user = user->value;
2164
2165        rc = -ENOMEM;
2166        mysids = kcalloc(maxnel, sizeof(*mysids), GFP_ATOMIC);
2167        if (!mysids)
2168                goto out_unlock;
2169
2170        ebitmap_for_each_positive_bit(&user->roles, rnode, i) {
2171                role = policydb.role_val_to_struct[i];
2172                usercon.role = i + 1;
2173                ebitmap_for_each_positive_bit(&role->types, tnode, j) {
2174                        usercon.type = j + 1;
2175
2176                        if (mls_setup_user_range(fromcon, user, &usercon))
2177                                continue;
2178
2179                        rc = sidtab_context_to_sid(&sidtab, &usercon, &sid);
2180                        if (rc)
2181                                goto out_unlock;
2182                        if (mynel < maxnel) {
2183                                mysids[mynel++] = sid;
2184                        } else {
2185                                rc = -ENOMEM;
2186                                maxnel += SIDS_NEL;
2187                                mysids2 = kcalloc(maxnel, sizeof(*mysids2), GFP_ATOMIC);
2188                                if (!mysids2)
2189                                        goto out_unlock;
2190                                memcpy(mysids2, mysids, mynel * sizeof(*mysids2));
2191                                kfree(mysids);
2192                                mysids = mysids2;
2193                                mysids[mynel++] = sid;
2194                        }
2195                }
2196        }
2197        rc = 0;
2198out_unlock:
2199        read_unlock(&policy_rwlock);
2200        if (rc || !mynel) {
2201                kfree(mysids);
2202                goto out;
2203        }
2204
2205        rc = -ENOMEM;
2206        mysids2 = kcalloc(mynel, sizeof(*mysids2), GFP_KERNEL);
2207        if (!mysids2) {
2208                kfree(mysids);
2209                goto out;
2210        }
2211        for (i = 0, j = 0; i < mynel; i++) {
2212                rc = avc_has_perm_noaudit(fromsid, mysids[i],
2213                                          SECCLASS_PROCESS, /* kernel value */
2214                                          PROCESS__TRANSITION, AVC_STRICT,
2215                                          NULL);
2216                if (!rc)
2217                        mysids2[j++] = mysids[i];
2218                cond_resched();
2219        }
2220        rc = 0;
2221        kfree(mysids);
2222        *sids = mysids2;
2223        *nel = j;
2224out:
2225        return rc;
2226}
2227
2228/**
2229 * security_genfs_sid - Obtain a SID for a file in a filesystem
2230 * @fstype: filesystem type
2231 * @path: path from root of mount
2232 * @sclass: file security class
2233 * @sid: SID for path
2234 *
2235 * Obtain a SID to use for a file in a filesystem that
2236 * cannot support xattr or use a fixed labeling behavior like
2237 * transition SIDs or task SIDs.
2238 */
2239int security_genfs_sid(const char *fstype,
2240                       char *path,
2241                       u16 orig_sclass,
2242                       u32 *sid)
2243{
2244        int len;
2245        u16 sclass;
2246        struct genfs *genfs;
2247        struct ocontext *c;
2248        int rc, cmp = 0;
2249
2250        while (path[0] == '/' && path[1] == '/')
2251                path++;
2252
2253        read_lock(&policy_rwlock);
2254
2255        sclass = unmap_class(orig_sclass);
2256        *sid = SECINITSID_UNLABELED;
2257
2258        for (genfs = policydb.genfs; genfs; genfs = genfs->next) {
2259                cmp = strcmp(fstype, genfs->fstype);
2260                if (cmp <= 0)
2261                        break;
2262        }
2263
2264        rc = -ENOENT;
2265        if (!genfs || cmp)
2266                goto out;
2267
2268        for (c = genfs->head; c; c = c->next) {
2269                len = strlen(c->u.name);
2270                if ((!c->v.sclass || sclass == c->v.sclass) &&
2271                    (strncmp(c->u.name, path, len) == 0))
2272                        break;
2273        }
2274
2275        rc = -ENOENT;
2276        if (!c)
2277                goto out;
2278
2279        if (!c->sid[0]) {
2280                rc = sidtab_context_to_sid(&sidtab, &c->context[0], &c->sid[0]);
2281                if (rc)
2282                        goto out;
2283        }
2284
2285        *sid = c->sid[0];
2286        rc = 0;
2287out:
2288        read_unlock(&policy_rwlock);
2289        return rc;
2290}
2291
2292/**
2293 * security_fs_use - Determine how to handle labeling for a filesystem.
2294 * @fstype: filesystem type
2295 * @behavior: labeling behavior
2296 * @sid: SID for filesystem (superblock)
2297 */
2298int security_fs_use(
2299        const char *fstype,
2300        unsigned int *behavior,
2301        u32 *sid)
2302{
2303        int rc = 0;
2304        struct ocontext *c;
2305
2306        read_lock(&policy_rwlock);
2307
2308        c = policydb.ocontexts[OCON_FSUSE];
2309        while (c) {
2310                if (strcmp(fstype, c->u.name) == 0)
2311                        break;
2312                c = c->next;
2313        }
2314
2315        if (c) {
2316                *behavior = c->v.behavior;
2317                if (!c->sid[0]) {
2318                        rc = sidtab_context_to_sid(&sidtab, &c->context[0],
2319                                                   &c->sid[0]);
2320                        if (rc)
2321                                goto out;
2322                }
2323                *sid = c->sid[0];
2324        } else {
2325                rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, sid);
2326                if (rc) {
2327                        *behavior = SECURITY_FS_USE_NONE;
2328                        rc = 0;
2329                } else {
2330                        *behavior = SECURITY_FS_USE_GENFS;
2331                }
2332        }
2333
2334out:
2335        read_unlock(&policy_rwlock);
2336        return rc;
2337}
2338
2339int security_get_bools(int *len, char ***names, int **values)
2340{
2341        int i, rc;
2342
2343        read_lock(&policy_rwlock);
2344        *names = NULL;
2345        *values = NULL;
2346
2347        rc = 0;
2348        *len = policydb.p_bools.nprim;
2349        if (!*len)
2350                goto out;
2351
2352        rc = -ENOMEM;
2353        *names = kcalloc(*len, sizeof(char *), GFP_ATOMIC);
2354        if (!*names)
2355                goto err;
2356
2357        rc = -ENOMEM;
2358        *values = kcalloc(*len, sizeof(int), GFP_ATOMIC);
2359        if (!*values)
2360                goto err;
2361
2362        for (i = 0; i < *len; i++) {
2363                size_t name_len;
2364
2365                (*values)[i] = policydb.bool_val_to_struct[i]->state;
2366                name_len = strlen(sym_name(&policydb, SYM_BOOLS, i)) + 1;
2367
2368                rc = -ENOMEM;
2369                (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC);
2370                if (!(*names)[i])
2371                        goto err;
2372
2373                strncpy((*names)[i], sym_name(&policydb, SYM_BOOLS, i), name_len);
2374                (*names)[i][name_len - 1] = 0;
2375        }
2376        rc = 0;
2377out:
2378        read_unlock(&policy_rwlock);
2379        return rc;
2380err:
2381        if (*names) {
2382                for (i = 0; i < *len; i++)
2383                        kfree((*names)[i]);
2384        }
2385        kfree(*values);
2386        goto out;
2387}
2388
2389
2390int security_set_bools(int len, int *values)
2391{
2392        int i, rc;
2393        int lenp, seqno = 0;
2394        struct cond_node *cur;
2395
2396        write_lock_irq(&policy_rwlock);
2397
2398        rc = -EFAULT;
2399        lenp = policydb.p_bools.nprim;
2400        if (len != lenp)
2401                goto out;
2402
2403        for (i = 0; i < len; i++) {
2404                if (!!values[i] != policydb.bool_val_to_struct[i]->state) {
2405                        audit_log(current->audit_context, GFP_ATOMIC,
2406                                AUDIT_MAC_CONFIG_CHANGE,
2407                                "bool=%s val=%d old_val=%d auid=%u ses=%u",
2408                                sym_name(&policydb, SYM_BOOLS, i),
2409                                !!values[i],
2410                                policydb.bool_val_to_struct[i]->state,
2411                                audit_get_loginuid(current),
2412                                audit_get_sessionid(current));
2413                }
2414                if (values[i])
2415                        policydb.bool_val_to_struct[i]->state = 1;
2416                else
2417                        policydb.bool_val_to_struct[i]->state = 0;
2418        }
2419
2420        for (cur = policydb.cond_list; cur; cur = cur->next) {
2421                rc = evaluate_cond_node(&policydb, cur);
2422                if (rc)
2423                        goto out;
2424        }
2425
2426        seqno = ++latest_granting;
2427        rc = 0;
2428out:
2429        write_unlock_irq(&policy_rwlock);
2430        if (!rc) {
2431                avc_ss_reset(seqno);
2432                selnl_notify_policyload(seqno);
2433                selinux_status_update_policyload(seqno);
2434                selinux_xfrm_notify_policyload();
2435        }
2436        return rc;
2437}
2438
2439int security_get_bool_value(int bool)
2440{
2441        int rc;
2442        int len;
2443
2444        read_lock(&policy_rwlock);
2445
2446        rc = -EFAULT;
2447        len = policydb.p_bools.nprim;
2448        if (bool >= len)
2449                goto out;
2450
2451        rc = policydb.bool_val_to_struct[bool]->state;
2452out:
2453        read_unlock(&policy_rwlock);
2454        return rc;
2455}
2456
2457static int security_preserve_bools(struct policydb *p)
2458{
2459        int rc, nbools = 0, *bvalues = NULL, i;
2460        char **bnames = NULL;
2461        struct cond_bool_datum *booldatum;
2462        struct cond_node *cur;
2463
2464        rc = security_get_bools(&nbools, &bnames, &bvalues);
2465        if (rc)
2466                goto out;
2467        for (i = 0; i < nbools; i++) {
2468                booldatum = hashtab_search(p->p_bools.table, bnames[i]);
2469                if (booldatum)
2470                        booldatum->state = bvalues[i];
2471        }
2472        for (cur = p->cond_list; cur; cur = cur->next) {
2473                rc = evaluate_cond_node(p, cur);
2474                if (rc)
2475                        goto out;
2476        }
2477
2478out:
2479        if (bnames) {
2480                for (i = 0; i < nbools; i++)
2481                        kfree(bnames[i]);
2482        }
2483        kfree(bnames);
2484        kfree(bvalues);
2485        return rc;
2486}
2487
2488/*
2489 * security_sid_mls_copy() - computes a new sid based on the given
2490 * sid and the mls portion of mls_sid.
2491 */
2492int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid)
2493{
2494        struct context *context1;
2495        struct context *context2;
2496        struct context newcon;
2497        char *s;
2498        u32 len;
2499        int rc;
2500
2501        rc = 0;
2502        if (!ss_initialized || !policydb.mls_enabled) {
2503                *new_sid = sid;
2504                goto out;
2505        }
2506
2507        context_init(&newcon);
2508
2509        read_lock(&policy_rwlock);
2510
2511        rc = -EINVAL;
2512        context1 = sidtab_search(&sidtab, sid);
2513        if (!context1) {
2514                printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
2515                        __func__, sid);
2516                goto out_unlock;
2517        }
2518
2519        rc = -EINVAL;
2520        context2 = sidtab_search(&sidtab, mls_sid);
2521        if (!context2) {
2522                printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
2523                        __func__, mls_sid);
2524                goto out_unlock;
2525        }
2526
2527        newcon.user = context1->user;
2528        newcon.role = context1->role;
2529        newcon.type = context1->type;
2530        rc = mls_context_cpy(&newcon, context2);
2531        if (rc)
2532                goto out_unlock;
2533
2534        /* Check the validity of the new context. */
2535        if (!policydb_context_isvalid(&policydb, &newcon)) {
2536                rc = convert_context_handle_invalid_context(&newcon);
2537                if (rc) {
2538                        if (!context_struct_to_string(&newcon, &s, &len)) {
2539                                audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
2540                                          "security_sid_mls_copy: invalid context %s", s);
2541                                kfree(s);
2542                        }
2543                        goto out_unlock;
2544                }
2545        }
2546
2547        rc = sidtab_context_to_sid(&sidtab, &newcon, new_sid);
2548out_unlock:
2549        read_unlock(&policy_rwlock);
2550        context_destroy(&newcon);
2551out:
2552        return rc;
2553}
2554
2555/**
2556 * security_net_peersid_resolve - Compare and resolve two network peer SIDs
2557 * @nlbl_sid: NetLabel SID
2558 * @nlbl_type: NetLabel labeling protocol type
2559 * @xfrm_sid: XFRM SID
2560 *
2561 * Description:
2562 * Compare the @nlbl_sid and @xfrm_sid values and if the two SIDs can be
2563 * resolved into a single SID it is returned via @peer_sid and the function
2564 * returns zero.  Otherwise @peer_sid is set to SECSID_NULL and the function
2565 * returns a negative value.  A table summarizing the behavior is below:
2566 *
2567 *                                 | function return |      @sid
2568 *   ------------------------------+-----------------+-----------------
2569 *   no peer labels                |        0        |    SECSID_NULL
2570 *   single peer label             |        0        |    <peer_label>
2571 *   multiple, consistent labels   |        0        |    <peer_label>
2572 *   multiple, inconsistent labels |    -<errno>     |    SECSID_NULL
2573 *
2574 */
2575int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type,
2576                                 u32 xfrm_sid,
2577                                 u32 *peer_sid)
2578{
2579        int rc;
2580        struct context *nlbl_ctx;
2581        struct context *xfrm_ctx;
2582
2583        *peer_sid = SECSID_NULL;
2584
2585        /* handle the common (which also happens to be the set of easy) cases
2586         * right away, these two if statements catch everything involving a
2587         * single or absent peer SID/label */
2588        if (xfrm_sid == SECSID_NULL) {
2589                *peer_sid = nlbl_sid;
2590                return 0;
2591        }
2592        /* NOTE: an nlbl_type == NETLBL_NLTYPE_UNLABELED is a "fallback" label
2593         * and is treated as if nlbl_sid == SECSID_NULL when a XFRM SID/label
2594         * is present */
2595        if (nlbl_sid == SECSID_NULL || nlbl_type == NETLBL_NLTYPE_UNLABELED) {
2596                *peer_sid = xfrm_sid;
2597                return 0;
2598        }
2599
2600        /* we don't need to check ss_initialized here since the only way both
2601         * nlbl_sid and xfrm_sid are not equal to SECSID_NULL would be if the
2602         * security server was initialized and ss_initialized was true */
2603        if (!policydb.mls_enabled)
2604                return 0;
2605
2606        read_lock(&policy_rwlock);
2607
2608        rc = -EINVAL;
2609        nlbl_ctx = sidtab_search(&sidtab, nlbl_sid);
2610        if (!nlbl_ctx) {
2611                printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
2612                       __func__, nlbl_sid);
2613                goto out;
2614        }
2615        rc = -EINVAL;
2616        xfrm_ctx = sidtab_search(&sidtab, xfrm_sid);
2617        if (!xfrm_ctx) {
2618                printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
2619                       __func__, xfrm_sid);
2620                goto out;
2621        }
2622        rc = (mls_context_cmp(nlbl_ctx, xfrm_ctx) ? 0 : -EACCES);
2623        if (rc)
2624                goto out;
2625
2626        /* at present NetLabel SIDs/labels really only carry MLS
2627         * information so if the MLS portion of the NetLabel SID
2628         * matches the MLS portion of the labeled XFRM SID/label
2629         * then pass along the XFRM SID as it is the most
2630         * expressive */
2631        *peer_sid = xfrm_sid;
2632out:
2633        read_unlock(&policy_rwlock);
2634        return rc;
2635}
2636
2637static int get_classes_callback(void *k, void *d, void *args)
2638{
2639        struct class_datum *datum = d;
2640        char *name = k, **classes = args;
2641        int value = datum->value - 1;
2642
2643        classes[value] = kstrdup(name, GFP_ATOMIC);
2644        if (!classes[value])
2645                return -ENOMEM;
2646
2647        return 0;
2648}
2649
2650int security_get_classes(char ***classes, int *nclasses)
2651{
2652        int rc;
2653
2654        read_lock(&policy_rwlock);
2655
2656        rc = -ENOMEM;
2657        *nclasses = policydb.p_classes.nprim;
2658        *classes = kcalloc(*nclasses, sizeof(**classes), GFP_ATOMIC);
2659        if (!*classes)
2660                goto out;
2661
2662        rc = hashtab_map(policydb.p_classes.table, get_classes_callback,
2663                        *classes);
2664        if (rc) {
2665                int i;
2666                for (i = 0; i < *nclasses; i++)
2667                        kfree((*classes)[i]);
2668                kfree(*classes);
2669        }
2670
2671out:
2672        read_unlock(&policy_rwlock);
2673        return rc;
2674}
2675
2676static int get_permissions_callback(void *k, void *d, void *args)
2677{
2678        struct perm_datum *datum = d;
2679        char *name = k, **perms = args;
2680        int value = datum->value - 1;
2681
2682        perms[value] = kstrdup(name, GFP_ATOMIC);
2683        if (!perms[value])
2684                return -ENOMEM;
2685
2686        return 0;
2687}
2688
2689int security_get_permissions(char *class, char ***perms, int *nperms)
2690{
2691        int rc, i;
2692        struct class_datum *match;
2693
2694        read_lock(&policy_rwlock);
2695
2696        rc = -EINVAL;
2697        match = hashtab_search(policydb.p_classes.table, class);
2698        if (!match) {
2699                printk(KERN_ERR "SELinux: %s:  unrecognized class %s\n",
2700                        __func__, class);
2701                goto out;
2702        }
2703
2704        rc = -ENOMEM;
2705        *nperms = match->permissions.nprim;
2706        *perms = kcalloc(*nperms, sizeof(**perms), GFP_ATOMIC);
2707        if (!*perms)
2708                goto out;
2709
2710        if (match->comdatum) {
2711                rc = hashtab_map(match->comdatum->permissions.table,
2712                                get_permissions_callback, *perms);
2713                if (rc)
2714                        goto err;
2715        }
2716
2717        rc = hashtab_map(match->permissions.table, get_permissions_callback,
2718                        *perms);
2719        if (rc)
2720                goto err;
2721
2722out:
2723        read_unlock(&policy_rwlock);
2724        return rc;
2725
2726err:
2727        read_unlock(&policy_rwlock);
2728        for (i = 0; i < *nperms; i++)
2729                kfree((*perms)[i]);
2730        kfree(*perms);
2731        return rc;
2732}
2733
2734int security_get_reject_unknown(void)
2735{
2736        return policydb.reject_unknown;
2737}
2738
2739int security_get_allow_unknown(void)
2740{
2741        return policydb.allow_unknown;
2742}
2743
2744/**
2745 * security_policycap_supported - Check for a specific policy capability
2746 * @req_cap: capability
2747 *
2748 * Description:
2749 * This function queries the currently loaded policy to see if it supports the
2750 * capability specified by @req_cap.  Returns true (1) if the capability is
2751 * supported, false (0) if it isn't supported.
2752 *
2753 */
2754int security_policycap_supported(unsigned int req_cap)
2755{
2756        int rc;
2757
2758        read_lock(&policy_rwlock);
2759        rc = ebitmap_get_bit(&policydb.policycaps, req_cap);
2760        read_unlock(&policy_rwlock);
2761
2762        return rc;
2763}
2764
2765struct selinux_audit_rule {
2766        u32 au_seqno;
2767        struct context au_ctxt;
2768};
2769
2770void selinux_audit_rule_free(void *vrule)
2771{
2772        struct selinux_audit_rule *rule = vrule;
2773
2774        if (rule) {
2775                context_destroy(&rule->au_ctxt);
2776                kfree(rule);
2777        }
2778}
2779
2780int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
2781{
2782        struct selinux_audit_rule *tmprule;
2783        struct role_datum *roledatum;
2784        struct type_datum *typedatum;
2785        struct user_datum *userdatum;
2786        struct selinux_audit_rule **rule = (struct selinux_audit_rule **)vrule;
2787        int rc = 0;
2788
2789        *rule = NULL;
2790
2791        if (!ss_initialized)
2792                return -EOPNOTSUPP;
2793
2794        switch (field) {
2795        case AUDIT_SUBJ_USER:
2796        case AUDIT_SUBJ_ROLE:
2797        case AUDIT_SUBJ_TYPE:
2798        case AUDIT_OBJ_USER:
2799        case AUDIT_OBJ_ROLE:
2800        case AUDIT_OBJ_TYPE:
2801                /* only 'equals' and 'not equals' fit user, role, and type */
2802                if (op != Audit_equal && op != Audit_not_equal)
2803                        return -EINVAL;
2804                break;
2805        case AUDIT_SUBJ_SEN:
2806        case AUDIT_SUBJ_CLR:
2807        case AUDIT_OBJ_LEV_LOW:
2808        case AUDIT_OBJ_LEV_HIGH:
2809                /* we do not allow a range, indicated by the presence of '-' */
2810                if (strchr(rulestr, '-'))
2811                        return -EINVAL;
2812                break;
2813        default:
2814                /* only the above fields are valid */
2815                return -EINVAL;
2816        }
2817
2818        tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL);
2819        if (!tmprule)
2820                return -ENOMEM;
2821
2822        context_init(&tmprule->au_ctxt);
2823
2824        read_lock(&policy_rwlock);
2825
2826        tmprule->au_seqno = latest_granting;
2827
2828        switch (field) {
2829        case AUDIT_SUBJ_USER:
2830        case AUDIT_OBJ_USER:
2831                rc = -EINVAL;
2832                userdatum = hashtab_search(policydb.p_users.table, rulestr);
2833                if (!userdatum)
2834                        goto out;
2835                tmprule->au_ctxt.user = userdatum->value;
2836                break;
2837        case AUDIT_SUBJ_ROLE:
2838        case AUDIT_OBJ_ROLE:
2839                rc = -EINVAL;
2840                roledatum = hashtab_search(policydb.p_roles.table, rulestr);
2841                if (!roledatum)
2842                        goto out;
2843                tmprule->au_ctxt.role = roledatum->value;
2844                break;
2845        case AUDIT_SUBJ_TYPE:
2846        case AUDIT_OBJ_TYPE:
2847                rc = -EINVAL;
2848                typedatum = hashtab_search(policydb.p_types.table, rulestr);
2849                if (!typedatum)
2850                        goto out;
2851                tmprule->au_ctxt.type = typedatum->value;
2852                break;
2853        case AUDIT_SUBJ_SEN:
2854        case AUDIT_SUBJ_CLR:
2855        case AUDIT_OBJ_LEV_LOW:
2856        case AUDIT_OBJ_LEV_HIGH:
2857                rc = mls_from_string(rulestr, &tmprule->au_ctxt, GFP_ATOMIC);
2858                if (rc)
2859                        goto out;
2860                break;
2861        }
2862        rc = 0;
2863out:
2864        read_unlock(&policy_rwlock);
2865
2866        if (rc) {
2867                selinux_audit_rule_free(tmprule);
2868                tmprule = NULL;
2869        }
2870
2871        *rule = tmprule;
2872
2873        return rc;
2874}
2875
2876/* Check to see if the rule contains any selinux fields */
2877int selinux_audit_rule_known(struct audit_krule *rule)
2878{
2879        int i;
2880
2881        for (i = 0; i < rule->field_count; i++) {
2882                struct audit_field *f = &rule->fields[i];
2883                switch (f->type) {
2884                case AUDIT_SUBJ_USER:
2885                case AUDIT_SUBJ_ROLE:
2886                case AUDIT_SUBJ_TYPE:
2887                case AUDIT_SUBJ_SEN:
2888                case AUDIT_SUBJ_CLR:
2889                case AUDIT_OBJ_USER:
2890                case AUDIT_OBJ_ROLE:
2891                case AUDIT_OBJ_TYPE:
2892                case AUDIT_OBJ_LEV_LOW:
2893                case AUDIT_OBJ_LEV_HIGH:
2894                        return 1;
2895                }
2896        }
2897
2898        return 0;
2899}
2900
2901int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
2902                             struct audit_context *actx)
2903{
2904        struct context *ctxt;
2905        struct mls_level *level;
2906        struct selinux_audit_rule *rule = vrule;
2907        int match = 0;
2908
2909        if (!rule) {
2910                audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
2911                          "selinux_audit_rule_match: missing rule\n");
2912                return -ENOENT;
2913        }
2914
2915        read_lock(&policy_rwlock);
2916
2917        if (rule->au_seqno < latest_granting) {
2918                audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
2919                          "selinux_audit_rule_match: stale rule\n");
2920                match = -ESTALE;
2921                goto out;
2922        }
2923
2924        ctxt = sidtab_search(&sidtab, sid);
2925        if (!ctxt) {
2926                audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
2927                          "selinux_audit_rule_match: unrecognized SID %d\n",
2928                          sid);
2929                match = -ENOENT;
2930                goto out;
2931        }
2932
2933        /* a field/op pair that is not caught here will simply fall through
2934           without a match */
2935        switch (field) {
2936        case AUDIT_SUBJ_USER:
2937        case AUDIT_OBJ_USER:
2938                switch (op) {
2939                case Audit_equal:
2940                        match = (ctxt->user == rule->au_ctxt.user);
2941                        break;
2942                case Audit_not_equal:
2943                        match = (ctxt->user != rule->au_ctxt.user);
2944                        break;
2945                }
2946                break;
2947        case AUDIT_SUBJ_ROLE:
2948        case AUDIT_OBJ_ROLE:
2949                switch (op) {
2950                case Audit_equal:
2951                        match = (ctxt->role == rule->au_ctxt.role);
2952                        break;
2953                case Audit_not_equal:
2954                        match = (ctxt->role != rule->au_ctxt.role);
2955                        break;
2956                }
2957                break;
2958        case AUDIT_SUBJ_TYPE:
2959        case AUDIT_OBJ_TYPE:
2960                switch (op) {
2961                case Audit_equal:
2962                        match = (ctxt->type == rule->au_ctxt.type);
2963                        break;
2964                case Audit_not_equal:
2965                        match = (ctxt->type != rule->au_ctxt.type);
2966                        break;
2967                }
2968                break;
2969        case AUDIT_SUBJ_SEN:
2970        case AUDIT_SUBJ_CLR:
2971        case AUDIT_OBJ_LEV_LOW:
2972        case AUDIT_OBJ_LEV_HIGH:
2973                level = ((field == AUDIT_SUBJ_SEN ||
2974                          field == AUDIT_OBJ_LEV_LOW) ?
2975                         &ctxt->range.level[0] : &ctxt->range.level[1]);
2976                switch (op) {
2977                case Audit_equal:
2978                        match = mls_level_eq(&rule->au_ctxt.range.level[0],
2979                                             level);
2980                        break;
2981                case Audit_not_equal:
2982                        match = !mls_level_eq(&rule->au_ctxt.range.level[0],
2983                                              level);
2984                        break;
2985                case Audit_lt:
2986                        match = (mls_level_dom(&rule->au_ctxt.range.level[0],
2987                                               level) &&
2988                                 !mls_level_eq(&rule->au_ctxt.range.level[0],
2989                                               level));
2990                        break;
2991                case Audit_le:
2992                        match = mls_level_dom(&rule->au_ctxt.range.level[0],
2993                                              level);
2994                        break;
2995                case Audit_gt:
2996                        match = (mls_level_dom(level,
2997                                              &rule->au_ctxt.range.level[0]) &&
2998                                 !mls_level_eq(level,
2999                                               &rule->au_ctxt.range.level[0]));
3000                        break;
3001                case Audit_ge:
3002                        match = mls_level_dom(level,
3003                                              &rule->au_ctxt.range.level[0]);
3004                        break;
3005                }
3006        }
3007
3008out:
3009        read_unlock(&policy_rwlock);
3010        return match;
3011}
3012
3013static int (*aurule_callback)(void) = audit_update_lsm_rules;
3014
3015static int aurule_avc_callback(u32 event, u32 ssid, u32 tsid,
3016                               u16 class, u32 perms, u32 *retained)
3017{
3018        int err = 0;
3019
3020        if (event == AVC_CALLBACK_RESET && aurule_callback)
3021                err = aurule_callback();
3022        return err;
3023}
3024
3025static int __init aurule_init(void)
3026{
3027        int err;
3028
3029        err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET,
3030                               SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
3031        if (err)
3032                panic("avc_add_callback() failed, error %d\n", err);
3033
3034        return err;
3035}
3036__initcall(aurule_init);
3037
3038#ifdef CONFIG_NETLABEL
3039/**
3040 * security_netlbl_cache_add - Add an entry to the NetLabel cache
3041 * @secattr: the NetLabel packet security attributes
3042 * @sid: the SELinux SID
3043 *
3044 * Description:
3045 * Attempt to cache the context in @ctx, which was derived from the packet in
3046 * @skb, in the NetLabel subsystem cache.  This function assumes @secattr has
3047 * already been initialized.
3048 *
3049 */
3050static void security_netlbl_cache_add(struct netlbl_lsm_secattr *secattr,
3051                                      u32 sid)
3052{
3053        u32 *sid_cache;
3054
3055        sid_cache = kmalloc(sizeof(*sid_cache), GFP_ATOMIC);
3056        if (sid_cache == NULL)
3057                return;
3058        secattr->cache = netlbl_secattr_cache_alloc(GFP_ATOMIC);
3059        if (secattr->cache == NULL) {
3060                kfree(sid_cache);
3061                return;
3062        }
3063
3064        *sid_cache = sid;
3065        secattr->cache->free = kfree;
3066        secattr->cache->data = sid_cache;
3067        secattr->flags |= NETLBL_SECATTR_CACHE;
3068}
3069
3070/**
3071 * security_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID
3072 * @secattr: the NetLabel packet security attributes
3073 * @sid: the SELinux SID
3074 *
3075 * Description:
3076 * Convert the given NetLabel security attributes in @secattr into a
3077 * SELinux SID.  If the @secattr field does not contain a full SELinux
3078 * SID/context then use SECINITSID_NETMSG as the foundation.  If possible the
3079 * 'cache' field of @secattr is set and the CACHE flag is set; this is to
3080 * allow the @secattr to be used by NetLabel to cache the secattr to SID
3081 * conversion for future lookups.  Returns zero on success, negative values on
3082 * failure.
3083 *
3084 */
3085int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,
3086                                   u32 *sid)
3087{
3088        int rc;
3089        struct context *ctx;
3090        struct context ctx_new;
3091
3092        if (!ss_initialized) {
3093                *sid = SECSID_NULL;
3094                return 0;
3095        }
3096
3097        read_lock(&policy_rwlock);
3098
3099        if (secattr->flags & NETLBL_SECATTR_CACHE)
3100                *sid = *(u32 *)secattr->cache->data;
3101        else if (secattr->flags & NETLBL_SECATTR_SECID)
3102                *sid = secattr->attr.secid;
3103        else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) {
3104                rc = -EIDRM;
3105                ctx = sidtab_search(&sidtab, SECINITSID_NETMSG);
3106                if (ctx == NULL)
3107                        goto out;
3108
3109                context_init(&ctx_new);
3110                ctx_new.user = ctx->user;
3111                ctx_new.role = ctx->role;
3112                ctx_new.type = ctx->type;
3113                mls_import_netlbl_lvl(&ctx_new, secattr);
3114                if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {
3115                        rc = ebitmap_netlbl_import(&ctx_new.range.level[0].cat,
3116                                                   secattr->attr.mls.cat);
3117                        if (rc)
3118                                goto out;
3119                        memcpy(&ctx_new.range.level[1].cat,
3120                               &ctx_new.range.level[0].cat,
3121                               sizeof(ctx_new.range.level[0].cat));
3122                }
3123                rc = -EIDRM;
3124                if (!mls_context_isvalid(&policydb, &ctx_new))
3125                        goto out_free;
3126
3127                rc = sidtab_context_to_sid(&sidtab, &ctx_new, sid);
3128                if (rc)
3129                        goto out_free;
3130
3131                security_netlbl_cache_add(secattr, *sid);
3132
3133                ebitmap_destroy(&ctx_new.range.level[0].cat);
3134        } else
3135                *sid = SECSID_NULL;
3136
3137        read_unlock(&policy_rwlock);
3138        return 0;
3139out_free:
3140        ebitmap_destroy(&ctx_new.range.level[0].cat);
3141out:
3142        read_unlock(&policy_rwlock);
3143        return rc;
3144}
3145
3146/**
3147 * security_netlbl_sid_to_secattr - Convert a SELinux SID to a NetLabel secattr
3148 * @sid: the SELinux SID
3149 * @secattr: the NetLabel packet security attributes
3150 *
3151 * Description:
3152 * Convert the given SELinux SID in @sid into a NetLabel security attribute.
3153 * Returns zero on success, negative values on failure.
3154 *
3155 */
3156int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr)
3157{
3158        int rc;
3159        struct context *ctx;
3160
3161        if (!ss_initialized)
3162                return 0;
3163
3164        read_lock(&policy_rwlock);
3165
3166        rc = -ENOENT;
3167        ctx = sidtab_search(&sidtab, sid);
3168        if (ctx == NULL)
3169                goto out;
3170
3171        rc = -ENOMEM;
3172        secattr->domain = kstrdup(sym_name(&policydb, SYM_TYPES, ctx->type - 1),
3173                                  GFP_ATOMIC);
3174        if (secattr->domain == NULL)
3175                goto out;
3176
3177        secattr->attr.secid = sid;
3178        secattr->flags |= NETLBL_SECATTR_DOMAIN_CPY | NETLBL_SECATTR_SECID;
3179        mls_export_netlbl_lvl(ctx, secattr);
3180        rc = mls_export_netlbl_cat(ctx, secattr);
3181out:
3182        read_unlock(&policy_rwlock);
3183        return rc;
3184}
3185#endif /* CONFIG_NETLABEL */
3186
3187/**
3188 * security_read_policy - read the policy.
3189 * @data: binary policy data
3190 * @len: length of data in bytes
3191 *
3192 */
3193int security_read_policy(void **data, ssize_t *len)
3194{
3195        int rc;
3196        struct policy_file fp;
3197
3198        if (!ss_initialized)
3199                return -EINVAL;
3200
3201        *len = security_policydb_len();
3202
3203        *data = vmalloc_user(*len);
3204        if (!*data)
3205                return -ENOMEM;
3206
3207        fp.data = *data;
3208        fp.len = *len;
3209
3210        read_lock(&policy_rwlock);
3211        rc = policydb_write(&policydb, &fp);
3212        read_unlock(&policy_rwlock);
3213
3214        if (rc)
3215                return rc;
3216
3217        *len = (unsigned long)fp.data - (unsigned long)*data;
3218        return 0;
3219
3220}
3221