aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
Diffstat (limited to 'security')
-rw-r--r--security/selinux/avc.c76
-rw-r--r--security/selinux/include/av_inherit.h34
-rw-r--r--security/selinux/include/av_perm_to_string.h183
-rw-r--r--security/selinux/include/av_permissions.h44
-rw-r--r--security/selinux/include/avc_ss.h21
-rw-r--r--security/selinux/include/class_to_string.h80
-rw-r--r--security/selinux/include/classmap.h150
-rw-r--r--security/selinux/include/common_perm_to_string.h58
-rw-r--r--security/selinux/include/flask.h40
-rw-r--r--security/selinux/include/security.h13
-rw-r--r--security/selinux/selinuxfs.c4
-rw-r--r--security/selinux/ss/mls.c2
-rw-r--r--security/selinux/ss/policydb.c47
-rw-r--r--security/selinux/ss/policydb.h7
-rw-r--r--security/selinux/ss/services.c540
15 files changed, 555 insertions, 744 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index b4b5da1c0a42..18f4103e02b7 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -31,43 +31,7 @@
31#include <net/ipv6.h> 31#include <net/ipv6.h>
32#include "avc.h" 32#include "avc.h"
33#include "avc_ss.h" 33#include "avc_ss.h"
34 34#include "classmap.h"
35static const struct av_perm_to_string av_perm_to_string[] = {
36#define S_(c, v, s) { c, v, s },
37#include "av_perm_to_string.h"
38#undef S_
39};
40
41static const char *class_to_string[] = {
42#define S_(s) s,
43#include "class_to_string.h"
44#undef S_
45};
46
47#define TB_(s) static const char *s[] = {
48#define TE_(s) };
49#define S_(s) s,
50#include "common_perm_to_string.h"
51#undef TB_
52#undef TE_
53#undef S_
54
55static const struct av_inherit av_inherit[] = {
56#define S_(c, i, b) { .tclass = c,\
57 .common_pts = common_##i##_perm_to_string,\
58 .common_base = b },
59#include "av_inherit.h"
60#undef S_
61};
62
63const struct selinux_class_perm selinux_class_perm = {
64 .av_perm_to_string = av_perm_to_string,
65 .av_pts_len = ARRAY_SIZE(av_perm_to_string),
66 .class_to_string = class_to_string,
67 .cts_len = ARRAY_SIZE(class_to_string),
68 .av_inherit = av_inherit,
69 .av_inherit_len = ARRAY_SIZE(av_inherit)
70};
71 35
72#define AVC_CACHE_SLOTS 512 36#define AVC_CACHE_SLOTS 512
73#define AVC_DEF_CACHE_THRESHOLD 512 37#define AVC_DEF_CACHE_THRESHOLD 512
@@ -139,52 +103,28 @@ static inline int avc_hash(u32 ssid, u32 tsid, u16 tclass)
139 */ 103 */
140static void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av) 104static void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av)
141{ 105{
142 const char **common_pts = NULL; 106 const char **perms;
143 u32 common_base = 0; 107 int i, perm;
144 int i, i2, perm;
145 108
146 if (av == 0) { 109 if (av == 0) {
147 audit_log_format(ab, " null"); 110 audit_log_format(ab, " null");
148 return; 111 return;
149 } 112 }
150 113
151 for (i = 0; i < ARRAY_SIZE(av_inherit); i++) { 114 perms = secclass_map[tclass-1].perms;
152 if (av_inherit[i].tclass == tclass) {
153 common_pts = av_inherit[i].common_pts;
154 common_base = av_inherit[i].common_base;
155 break;
156 }
157 }
158 115
159 audit_log_format(ab, " {"); 116 audit_log_format(ab, " {");
160 i = 0; 117 i = 0;
161 perm = 1; 118 perm = 1;
162 while (perm < common_base) { 119 while (i < (sizeof(av) * 8)) {
163 if (perm & av) { 120 if (perm & av) {
164 audit_log_format(ab, " %s", common_pts[i]); 121 audit_log_format(ab, " %s", perms[i]);
165 av &= ~perm; 122 av &= ~perm;
166 } 123 }
167 i++; 124 i++;
168 perm <<= 1; 125 perm <<= 1;
169 } 126 }
170 127
171 while (i < sizeof(av) * 8) {
172 if (perm & av) {
173 for (i2 = 0; i2 < ARRAY_SIZE(av_perm_to_string); i2++) {
174 if ((av_perm_to_string[i2].tclass == tclass) &&
175 (av_perm_to_string[i2].value == perm))
176 break;
177 }
178 if (i2 < ARRAY_SIZE(av_perm_to_string)) {
179 audit_log_format(ab, " %s",
180 av_perm_to_string[i2].name);
181 av &= ~perm;
182 }
183 }
184 i++;
185 perm <<= 1;
186 }
187
188 if (av) 128 if (av)
189 audit_log_format(ab, " 0x%x", av); 129 audit_log_format(ab, " 0x%x", av);
190 130
@@ -219,8 +159,8 @@ static void avc_dump_query(struct audit_buffer *ab, u32 ssid, u32 tsid, u16 tcla
219 kfree(scontext); 159 kfree(scontext);
220 } 160 }
221 161
222 BUG_ON(tclass >= ARRAY_SIZE(class_to_string) || !class_to_string[tclass]); 162 BUG_ON(tclass >= ARRAY_SIZE(secclass_map));
223 audit_log_format(ab, " tclass=%s", class_to_string[tclass]); 163 audit_log_format(ab, " tclass=%s", secclass_map[tclass-1].name);
224} 164}
225 165
226/** 166/**
diff --git a/security/selinux/include/av_inherit.h b/security/selinux/include/av_inherit.h
deleted file mode 100644
index abedcd704dae..000000000000
--- a/security/selinux/include/av_inherit.h
+++ /dev/null
@@ -1,34 +0,0 @@
1/* This file is automatically generated. Do not edit. */
2 S_(SECCLASS_DIR, file, 0x00020000UL)
3 S_(SECCLASS_FILE, file, 0x00020000UL)
4 S_(SECCLASS_LNK_FILE, file, 0x00020000UL)
5 S_(SECCLASS_CHR_FILE, file, 0x00020000UL)
6 S_(SECCLASS_BLK_FILE, file, 0x00020000UL)
7 S_(SECCLASS_SOCK_FILE, file, 0x00020000UL)
8 S_(SECCLASS_FIFO_FILE, file, 0x00020000UL)
9 S_(SECCLASS_SOCKET, socket, 0x00400000UL)
10 S_(SECCLASS_TCP_SOCKET, socket, 0x00400000UL)
11 S_(SECCLASS_UDP_SOCKET, socket, 0x00400000UL)
12 S_(SECCLASS_RAWIP_SOCKET, socket, 0x00400000UL)
13 S_(SECCLASS_NETLINK_SOCKET, socket, 0x00400000UL)
14 S_(SECCLASS_PACKET_SOCKET, socket, 0x00400000UL)
15 S_(SECCLASS_KEY_SOCKET, socket, 0x00400000UL)
16 S_(SECCLASS_UNIX_STREAM_SOCKET, socket, 0x00400000UL)
17 S_(SECCLASS_UNIX_DGRAM_SOCKET, socket, 0x00400000UL)
18 S_(SECCLASS_TUN_SOCKET, socket, 0x00400000UL)
19 S_(SECCLASS_IPC, ipc, 0x00000200UL)
20 S_(SECCLASS_SEM, ipc, 0x00000200UL)
21 S_(SECCLASS_MSGQ, ipc, 0x00000200UL)
22 S_(SECCLASS_SHM, ipc, 0x00000200UL)
23 S_(SECCLASS_NETLINK_ROUTE_SOCKET, socket, 0x00400000UL)
24 S_(SECCLASS_NETLINK_FIREWALL_SOCKET, socket, 0x00400000UL)
25 S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, socket, 0x00400000UL)
26 S_(SECCLASS_NETLINK_NFLOG_SOCKET, socket, 0x00400000UL)
27 S_(SECCLASS_NETLINK_XFRM_SOCKET, socket, 0x00400000UL)
28 S_(SECCLASS_NETLINK_SELINUX_SOCKET, socket, 0x00400000UL)
29 S_(SECCLASS_NETLINK_AUDIT_SOCKET, socket, 0x00400000UL)
30 S_(SECCLASS_NETLINK_IP6FW_SOCKET, socket, 0x00400000UL)
31 S_(SECCLASS_NETLINK_DNRT_SOCKET, socket, 0x00400000UL)
32 S_(SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET, socket, 0x00400000UL)
33 S_(SECCLASS_APPLETALK_SOCKET, socket, 0x00400000UL)
34 S_(SECCLASS_DCCP_SOCKET, socket, 0x00400000UL)
diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h
deleted file mode 100644
index 2b683ad83d21..000000000000
--- a/security/selinux/include/av_perm_to_string.h
+++ /dev/null
@@ -1,183 +0,0 @@
1/* This file is automatically generated. Do not edit. */
2 S_(SECCLASS_FILESYSTEM, FILESYSTEM__MOUNT, "mount")
3 S_(SECCLASS_FILESYSTEM, FILESYSTEM__REMOUNT, "remount")
4 S_(SECCLASS_FILESYSTEM, FILESYSTEM__UNMOUNT, "unmount")
5 S_(SECCLASS_FILESYSTEM, FILESYSTEM__GETATTR, "getattr")
6 S_(SECCLASS_FILESYSTEM, FILESYSTEM__RELABELFROM, "relabelfrom")
7 S_(SECCLASS_FILESYSTEM, FILESYSTEM__RELABELTO, "relabelto")
8 S_(SECCLASS_FILESYSTEM, FILESYSTEM__TRANSITION, "transition")
9 S_(SECCLASS_FILESYSTEM, FILESYSTEM__ASSOCIATE, "associate")
10 S_(SECCLASS_FILESYSTEM, FILESYSTEM__QUOTAMOD, "quotamod")
11 S_(SECCLASS_FILESYSTEM, FILESYSTEM__QUOTAGET, "quotaget")
12 S_(SECCLASS_DIR, DIR__ADD_NAME, "add_name")
13 S_(SECCLASS_DIR, DIR__REMOVE_NAME, "remove_name")
14 S_(SECCLASS_DIR, DIR__REPARENT, "reparent")
15 S_(SECCLASS_DIR, DIR__SEARCH, "search")
16 S_(SECCLASS_DIR, DIR__RMDIR, "rmdir")
17 S_(SECCLASS_DIR, DIR__OPEN, "open")
18 S_(SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, "execute_no_trans")
19 S_(SECCLASS_FILE, FILE__ENTRYPOINT, "entrypoint")
20 S_(SECCLASS_FILE, FILE__EXECMOD, "execmod")
21 S_(SECCLASS_FILE, FILE__OPEN, "open")
22 S_(SECCLASS_CHR_FILE, CHR_FILE__EXECUTE_NO_TRANS, "execute_no_trans")
23 S_(SECCLASS_CHR_FILE, CHR_FILE__ENTRYPOINT, "entrypoint")
24 S_(SECCLASS_CHR_FILE, CHR_FILE__EXECMOD, "execmod")
25 S_(SECCLASS_CHR_FILE, CHR_FILE__OPEN, "open")
26 S_(SECCLASS_BLK_FILE, BLK_FILE__OPEN, "open")
27 S_(SECCLASS_SOCK_FILE, SOCK_FILE__OPEN, "open")
28 S_(SECCLASS_FIFO_FILE, FIFO_FILE__OPEN, "open")
29 S_(SECCLASS_FD, FD__USE, "use")
30 S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto")
31 S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NEWCONN, "newconn")
32 S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__ACCEPTFROM, "acceptfrom")
33 S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NODE_BIND, "node_bind")
34 S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NAME_CONNECT, "name_connect")
35 S_(SECCLASS_UDP_SOCKET, UDP_SOCKET__NODE_BIND, "node_bind")
36 S_(SECCLASS_RAWIP_SOCKET, RAWIP_SOCKET__NODE_BIND, "node_bind")
37 S_(SECCLASS_NODE, NODE__TCP_RECV, "tcp_recv")
38 S_(SECCLASS_NODE, NODE__TCP_SEND, "tcp_send")
39 S_(SECCLASS_NODE, NODE__UDP_RECV, "udp_recv")
40 S_(SECCLASS_NODE, NODE__UDP_SEND, "udp_send")
41 S_(SECCLASS_NODE, NODE__RAWIP_RECV, "rawip_recv")
42 S_(SECCLASS_NODE, NODE__RAWIP_SEND, "rawip_send")
43 S_(SECCLASS_NODE, NODE__ENFORCE_DEST, "enforce_dest")
44 S_(SECCLASS_NODE, NODE__DCCP_RECV, "dccp_recv")
45 S_(SECCLASS_NODE, NODE__DCCP_SEND, "dccp_send")
46 S_(SECCLASS_NODE, NODE__RECVFROM, "recvfrom")
47 S_(SECCLASS_NODE, NODE__SENDTO, "sendto")
48 S_(SECCLASS_NETIF, NETIF__TCP_RECV, "tcp_recv")
49 S_(SECCLASS_NETIF, NETIF__TCP_SEND, "tcp_send")
50 S_(SECCLASS_NETIF, NETIF__UDP_RECV, "udp_recv")
51 S_(SECCLASS_NETIF, NETIF__UDP_SEND, "udp_send")
52 S_(SECCLASS_NETIF, NETIF__RAWIP_RECV, "rawip_recv")
53 S_(SECCLASS_NETIF, NETIF__RAWIP_SEND, "rawip_send")
54 S_(SECCLASS_NETIF, NETIF__DCCP_RECV, "dccp_recv")
55 S_(SECCLASS_NETIF, NETIF__DCCP_SEND, "dccp_send")
56 S_(SECCLASS_NETIF, NETIF__INGRESS, "ingress")
57 S_(SECCLASS_NETIF, NETIF__EGRESS, "egress")
58 S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__CONNECTTO, "connectto")
59 S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__NEWCONN, "newconn")
60 S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__ACCEPTFROM, "acceptfrom")
61 S_(SECCLASS_PROCESS, PROCESS__FORK, "fork")
62 S_(SECCLASS_PROCESS, PROCESS__TRANSITION, "transition")
63 S_(SECCLASS_PROCESS, PROCESS__SIGCHLD, "sigchld")
64 S_(SECCLASS_PROCESS, PROCESS__SIGKILL, "sigkill")
65 S_(SECCLASS_PROCESS, PROCESS__SIGSTOP, "sigstop")
66 S_(SECCLASS_PROCESS, PROCESS__SIGNULL, "signull")
67 S_(SECCLASS_PROCESS, PROCESS__SIGNAL, "signal")
68 S_(SECCLASS_PROCESS, PROCESS__PTRACE, "ptrace")
69 S_(SECCLASS_PROCESS, PROCESS__GETSCHED, "getsched")
70 S_(SECCLASS_PROCESS, PROCESS__SETSCHED, "setsched")
71 S_(SECCLASS_PROCESS, PROCESS__GETSESSION, "getsession")
72 S_(SECCLASS_PROCESS, PROCESS__GETPGID, "getpgid")
73 S_(SECCLASS_PROCESS, PROCESS__SETPGID, "setpgid")
74 S_(SECCLASS_PROCESS, PROCESS__GETCAP, "getcap")
75 S_(SECCLASS_PROCESS, PROCESS__SETCAP, "setcap")
76 S_(SECCLASS_PROCESS, PROCESS__SHARE, "share")
77 S_(SECCLASS_PROCESS, PROCESS__GETATTR, "getattr")
78 S_(SECCLASS_PROCESS, PROCESS__SETEXEC, "setexec")
79 S_(SECCLASS_PROCESS, PROCESS__SETFSCREATE, "setfscreate")
80 S_(SECCLASS_PROCESS, PROCESS__NOATSECURE, "noatsecure")
81 S_(SECCLASS_PROCESS, PROCESS__SIGINH, "siginh")
82 S_(SECCLASS_PROCESS, PROCESS__SETRLIMIT, "setrlimit")
83 S_(SECCLASS_PROCESS, PROCESS__RLIMITINH, "rlimitinh")
84 S_(SECCLASS_PROCESS, PROCESS__DYNTRANSITION, "dyntransition")
85 S_(SECCLASS_PROCESS, PROCESS__SETCURRENT, "setcurrent")
86 S_(SECCLASS_PROCESS, PROCESS__EXECMEM, "execmem")
87 S_(SECCLASS_PROCESS, PROCESS__EXECSTACK, "execstack")
88 S_(SECCLASS_PROCESS, PROCESS__EXECHEAP, "execheap")
89 S_(SECCLASS_PROCESS, PROCESS__SETKEYCREATE, "setkeycreate")
90 S_(SECCLASS_PROCESS, PROCESS__SETSOCKCREATE, "setsockcreate")
91 S_(SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue")
92 S_(SECCLASS_MSG, MSG__SEND, "send")
93 S_(SECCLASS_MSG, MSG__RECEIVE, "receive")
94 S_(SECCLASS_SHM, SHM__LOCK, "lock")
95 S_(SECCLASS_SECURITY, SECURITY__COMPUTE_AV, "compute_av")
96 S_(SECCLASS_SECURITY, SECURITY__COMPUTE_CREATE, "compute_create")
97 S_(SECCLASS_SECURITY, SECURITY__COMPUTE_MEMBER, "compute_member")
98 S_(SECCLASS_SECURITY, SECURITY__CHECK_CONTEXT, "check_context")
99 S_(SECCLASS_SECURITY, SECURITY__LOAD_POLICY, "load_policy")
100 S_(SECCLASS_SECURITY, SECURITY__COMPUTE_RELABEL, "compute_relabel")
101 S_(SECCLASS_SECURITY, SECURITY__COMPUTE_USER, "compute_user")
102 S_(SECCLASS_SECURITY, SECURITY__SETENFORCE, "setenforce")
103 S_(SECCLASS_SECURITY, SECURITY__SETBOOL, "setbool")
104 S_(SECCLASS_SECURITY, SECURITY__SETSECPARAM, "setsecparam")
105 S_(SECCLASS_SECURITY, SECURITY__SETCHECKREQPROT, "setcheckreqprot")
106 S_(SECCLASS_SYSTEM, SYSTEM__IPC_INFO, "ipc_info")
107 S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, "syslog_read")
108 S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, "syslog_mod")
109 S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, "syslog_console")
110 S_(SECCLASS_SYSTEM, SYSTEM__MODULE_REQUEST, "module_request")
111 S_(SECCLASS_CAPABILITY, CAPABILITY__CHOWN, "chown")
112 S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_OVERRIDE, "dac_override")
113 S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_READ_SEARCH, "dac_read_search")
114 S_(SECCLASS_CAPABILITY, CAPABILITY__FOWNER, "fowner")
115 S_(SECCLASS_CAPABILITY, CAPABILITY__FSETID, "fsetid")
116 S_(SECCLASS_CAPABILITY, CAPABILITY__KILL, "kill")
117 S_(SECCLASS_CAPABILITY, CAPABILITY__SETGID, "setgid")
118 S_(SECCLASS_CAPABILITY, CAPABILITY__SETUID, "setuid")
119 S_(SECCLASS_CAPABILITY, CAPABILITY__SETPCAP, "setpcap")
120 S_(SECCLASS_CAPABILITY, CAPABILITY__LINUX_IMMUTABLE, "linux_immutable")
121 S_(SECCLASS_CAPABILITY, CAPABILITY__NET_BIND_SERVICE, "net_bind_service")
122 S_(SECCLASS_CAPABILITY, CAPABILITY__NET_BROADCAST, "net_broadcast")
123 S_(SECCLASS_CAPABILITY, CAPABILITY__NET_ADMIN, "net_admin")
124 S_(SECCLASS_CAPABILITY, CAPABILITY__NET_RAW, "net_raw")
125 S_(SECCLASS_CAPABILITY, CAPABILITY__IPC_LOCK, "ipc_lock")
126 S_(SECCLASS_CAPABILITY, CAPABILITY__IPC_OWNER, "ipc_owner")
127 S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_MODULE, "sys_module")
128 S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_RAWIO, "sys_rawio")
129 S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_CHROOT, "sys_chroot")
130 S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_PTRACE, "sys_ptrace")
131 S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_PACCT, "sys_pacct")
132 S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_ADMIN, "sys_admin")
133 S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_BOOT, "sys_boot")
134 S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_NICE, "sys_nice")
135 S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_RESOURCE, "sys_resource")
136 S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_TIME, "sys_time")
137 S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_TTY_CONFIG, "sys_tty_config")
138 S_(SECCLASS_CAPABILITY, CAPABILITY__MKNOD, "mknod")
139 S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease")
140 S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write")
141 S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control")
142 S_(SECCLASS_CAPABILITY, CAPABILITY__SETFCAP, "setfcap")
143 S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_OVERRIDE, "mac_override")
144 S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_ADMIN, "mac_admin")
145 S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ, "nlmsg_read")
146 S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE, "nlmsg_write")
147 S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_READ, "nlmsg_read")
148 S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_WRITE, "nlmsg_write")
149 S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, NETLINK_TCPDIAG_SOCKET__NLMSG_READ, "nlmsg_read")
150 S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE, "nlmsg_write")
151 S_(SECCLASS_NETLINK_XFRM_SOCKET, NETLINK_XFRM_SOCKET__NLMSG_READ, "nlmsg_read")
152 S_(SECCLASS_NETLINK_XFRM_SOCKET, NETLINK_XFRM_SOCKET__NLMSG_WRITE, "nlmsg_write")
153 S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_READ, "nlmsg_read")
154 S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_WRITE, "nlmsg_write")
155 S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_RELAY, "nlmsg_relay")
156 S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_READPRIV, "nlmsg_readpriv")
157 S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT, "nlmsg_tty_audit")
158 S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_READ, "nlmsg_read")
159 S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_WRITE, "nlmsg_write")
160 S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto")
161 S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom")
162 S_(SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, "setcontext")
163 S_(SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, "polmatch")
164 S_(SECCLASS_PACKET, PACKET__SEND, "send")
165 S_(SECCLASS_PACKET, PACKET__RECV, "recv")
166 S_(SECCLASS_PACKET, PACKET__RELABELTO, "relabelto")
167 S_(SECCLASS_PACKET, PACKET__FLOW_IN, "flow_in")
168 S_(SECCLASS_PACKET, PACKET__FLOW_OUT, "flow_out")
169 S_(SECCLASS_PACKET, PACKET__FORWARD_IN, "forward_in")
170 S_(SECCLASS_PACKET, PACKET__FORWARD_OUT, "forward_out")
171 S_(SECCLASS_KEY, KEY__VIEW, "view")
172 S_(SECCLASS_KEY, KEY__READ, "read")
173 S_(SECCLASS_KEY, KEY__WRITE, "write")
174 S_(SECCLASS_KEY, KEY__SEARCH, "search")
175 S_(SECCLASS_KEY, KEY__LINK, "link")
176 S_(SECCLASS_KEY, KEY__SETATTR, "setattr")
177 S_(SECCLASS_KEY, KEY__CREATE, "create")
178 S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NODE_BIND, "node_bind")
179 S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NAME_CONNECT, "name_connect")
180 S_(SECCLASS_MEMPROTECT, MEMPROTECT__MMAP_ZERO, "mmap_zero")
181 S_(SECCLASS_PEER, PEER__RECV, "recv")
182 S_(SECCLASS_KERNEL_SERVICE, KERNEL_SERVICE__USE_AS_OVERRIDE, "use_as_override")
183 S_(SECCLASS_KERNEL_SERVICE, KERNEL_SERVICE__CREATE_FILES_AS, "create_files_as")
diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h
index 0546d616ccac..fef2582b734d 100644
--- a/security/selinux/include/av_permissions.h
+++ b/security/selinux/include/av_permissions.h
@@ -423,28 +423,6 @@
423#define UNIX_DGRAM_SOCKET__RECV_MSG 0x00080000UL 423#define UNIX_DGRAM_SOCKET__RECV_MSG 0x00080000UL
424#define UNIX_DGRAM_SOCKET__SEND_MSG 0x00100000UL 424#define UNIX_DGRAM_SOCKET__SEND_MSG 0x00100000UL
425#define UNIX_DGRAM_SOCKET__NAME_BIND 0x00200000UL 425#define UNIX_DGRAM_SOCKET__NAME_BIND 0x00200000UL
426#define TUN_SOCKET__IOCTL 0x00000001UL
427#define TUN_SOCKET__READ 0x00000002UL
428#define TUN_SOCKET__WRITE 0x00000004UL
429#define TUN_SOCKET__CREATE 0x00000008UL
430#define TUN_SOCKET__GETATTR 0x00000010UL
431#define TUN_SOCKET__SETATTR 0x00000020UL
432#define TUN_SOCKET__LOCK 0x00000040UL
433#define TUN_SOCKET__RELABELFROM 0x00000080UL
434#define TUN_SOCKET__RELABELTO 0x00000100UL
435#define TUN_SOCKET__APPEND 0x00000200UL
436#define TUN_SOCKET__BIND 0x00000400UL
437#define TUN_SOCKET__CONNECT 0x00000800UL
438#define TUN_SOCKET__LISTEN 0x00001000UL
439#define TUN_SOCKET__ACCEPT 0x00002000UL
440#define TUN_SOCKET__GETOPT 0x00004000UL
441#define TUN_SOCKET__SETOPT 0x00008000UL
442#define TUN_SOCKET__SHUTDOWN 0x00010000UL
443#define TUN_SOCKET__RECVFROM 0x00020000UL
444#define TUN_SOCKET__SENDTO 0x00040000UL
445#define TUN_SOCKET__RECV_MSG 0x00080000UL
446#define TUN_SOCKET__SEND_MSG 0x00100000UL
447#define TUN_SOCKET__NAME_BIND 0x00200000UL
448#define PROCESS__FORK 0x00000001UL 426#define PROCESS__FORK 0x00000001UL
449#define PROCESS__TRANSITION 0x00000002UL 427#define PROCESS__TRANSITION 0x00000002UL
450#define PROCESS__SIGCHLD 0x00000004UL 428#define PROCESS__SIGCHLD 0x00000004UL
@@ -868,3 +846,25 @@
868#define PEER__RECV 0x00000001UL 846#define PEER__RECV 0x00000001UL
869#define KERNEL_SERVICE__USE_AS_OVERRIDE 0x00000001UL 847#define KERNEL_SERVICE__USE_AS_OVERRIDE 0x00000001UL
870#define KERNEL_SERVICE__CREATE_FILES_AS 0x00000002UL 848#define KERNEL_SERVICE__CREATE_FILES_AS 0x00000002UL
849#define TUN_SOCKET__IOCTL 0x00000001UL
850#define TUN_SOCKET__READ 0x00000002UL
851#define TUN_SOCKET__WRITE 0x00000004UL
852#define TUN_SOCKET__CREATE 0x00000008UL
853#define TUN_SOCKET__GETATTR 0x00000010UL
854#define TUN_SOCKET__SETATTR 0x00000020UL
855#define TUN_SOCKET__LOCK 0x00000040UL
856#define TUN_SOCKET__RELABELFROM 0x00000080UL
857#define TUN_SOCKET__RELABELTO 0x00000100UL
858#define TUN_SOCKET__APPEND 0x00000200UL
859#define TUN_SOCKET__BIND 0x00000400UL
860#define TUN_SOCKET__CONNECT 0x00000800UL
861#define TUN_SOCKET__LISTEN 0x00001000UL
862#define TUN_SOCKET__ACCEPT 0x00002000UL
863#define TUN_SOCKET__GETOPT 0x00004000UL
864#define TUN_SOCKET__SETOPT 0x00008000UL
865#define TUN_SOCKET__SHUTDOWN 0x00010000UL
866#define TUN_SOCKET__RECVFROM 0x00020000UL
867#define TUN_SOCKET__SENDTO 0x00040000UL
868#define TUN_SOCKET__RECV_MSG 0x00080000UL
869#define TUN_SOCKET__SEND_MSG 0x00100000UL
870#define TUN_SOCKET__NAME_BIND 0x00200000UL
diff --git a/security/selinux/include/avc_ss.h b/security/selinux/include/avc_ss.h
index bb1ec801bdfe..4677aa519b04 100644
--- a/security/selinux/include/avc_ss.h
+++ b/security/selinux/include/avc_ss.h
@@ -10,26 +10,13 @@
10 10
11int avc_ss_reset(u32 seqno); 11int avc_ss_reset(u32 seqno);
12 12
13struct av_perm_to_string { 13/* Class/perm mapping support */
14 u16 tclass; 14struct security_class_mapping {
15 u32 value;
16 const char *name; 15 const char *name;
16 const char *perms[sizeof(u32) * 8 + 1];
17}; 17};
18 18
19struct av_inherit { 19extern struct security_class_mapping secclass_map[];
20 const char **common_pts;
21 u32 common_base;
22 u16 tclass;
23};
24
25struct selinux_class_perm {
26 const struct av_perm_to_string *av_perm_to_string;
27 u32 av_pts_len;
28 u32 cts_len;
29 const char **class_to_string;
30 const struct av_inherit *av_inherit;
31 u32 av_inherit_len;
32};
33 20
34#endif /* _SELINUX_AVC_SS_H_ */ 21#endif /* _SELINUX_AVC_SS_H_ */
35 22
diff --git a/security/selinux/include/class_to_string.h b/security/selinux/include/class_to_string.h
deleted file mode 100644
index 7ab9299bfb6b..000000000000
--- a/security/selinux/include/class_to_string.h
+++ /dev/null
@@ -1,80 +0,0 @@
1/* This file is automatically generated. Do not edit. */
2/*
3 * Security object class definitions
4 */
5 S_(NULL)
6 S_("security")
7 S_("process")
8 S_("system")
9 S_("capability")
10 S_("filesystem")
11 S_("file")
12 S_("dir")
13 S_("fd")
14 S_("lnk_file")
15 S_("chr_file")
16 S_("blk_file")
17 S_("sock_file")
18 S_("fifo_file")
19 S_("socket")
20 S_("tcp_socket")
21 S_("udp_socket")
22 S_("rawip_socket")
23 S_("node")
24 S_("netif")
25 S_("netlink_socket")
26 S_("packet_socket")
27 S_("key_socket")
28 S_("unix_stream_socket")
29 S_("unix_dgram_socket")
30 S_("sem")
31 S_("msg")
32 S_("msgq")
33 S_("shm")
34 S_("ipc")
35 S_(NULL)
36 S_(NULL)
37 S_(NULL)
38 S_(NULL)
39 S_(NULL)
40 S_(NULL)
41 S_(NULL)
42 S_(NULL)
43 S_(NULL)
44 S_(NULL)
45 S_(NULL)
46 S_(NULL)
47 S_(NULL)
48 S_("netlink_route_socket")
49 S_("netlink_firewall_socket")
50 S_("netlink_tcpdiag_socket")
51 S_("netlink_nflog_socket")
52 S_("netlink_xfrm_socket")
53 S_("netlink_selinux_socket")
54 S_("netlink_audit_socket")
55 S_("netlink_ip6fw_socket")
56 S_("netlink_dnrt_socket")
57 S_(NULL)
58 S_(NULL)
59 S_("association")
60 S_("netlink_kobject_uevent_socket")
61 S_("appletalk_socket")
62 S_("packet")
63 S_("key")
64 S_(NULL)
65 S_("dccp_socket")
66 S_("memprotect")
67 S_(NULL)
68 S_(NULL)
69 S_(NULL)
70 S_(NULL)
71 S_(NULL)
72 S_(NULL)
73 S_("peer")
74 S_("capability2")
75 S_(NULL)
76 S_(NULL)
77 S_(NULL)
78 S_(NULL)
79 S_("kernel_service")
80 S_("tun_socket")
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
new file mode 100644
index 000000000000..8b32e959bb2e
--- /dev/null
+++ b/security/selinux/include/classmap.h
@@ -0,0 +1,150 @@
1#define COMMON_FILE_SOCK_PERMS "ioctl", "read", "write", "create", \
2 "getattr", "setattr", "lock", "relabelfrom", "relabelto", "append"
3
4#define COMMON_FILE_PERMS COMMON_FILE_SOCK_PERMS, "unlink", "link", \
5 "rename", "execute", "swapon", "quotaon", "mounton"
6
7#define COMMON_SOCK_PERMS COMMON_FILE_SOCK_PERMS, "bind", "connect", \
8 "listen", "accept", "getopt", "setopt", "shutdown", "recvfrom", \
9 "sendto", "recv_msg", "send_msg", "name_bind"
10
11#define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \
12 "write", "associate", "unix_read", "unix_write"
13
14struct security_class_mapping secclass_map[] = {
15 { "security",
16 { "compute_av", "compute_create", "compute_member",
17 "check_context", "load_policy", "compute_relabel",
18 "compute_user", "setenforce", "setbool", "setsecparam",
19 "setcheckreqprot", NULL } },
20 { "process",
21 { "fork", "transition", "sigchld", "sigkill",
22 "sigstop", "signull", "signal", "ptrace", "getsched", "setsched",
23 "getsession", "getpgid", "setpgid", "getcap", "setcap", "share",
24 "getattr", "setexec", "setfscreate", "noatsecure", "siginh",
25 "setrlimit", "rlimitinh", "dyntransition", "setcurrent",
26 "execmem", "execstack", "execheap", "setkeycreate",
27 "setsockcreate", NULL } },
28 { "system",
29 { "ipc_info", "syslog_read", "syslog_mod",
30 "syslog_console", "module_request", NULL } },
31 { "capability",
32 { "chown", "dac_override", "dac_read_search",
33 "fowner", "fsetid", "kill", "setgid", "setuid", "setpcap",
34 "linux_immutable", "net_bind_service", "net_broadcast",
35 "net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module",
36 "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin",
37 "sys_boot", "sys_nice", "sys_resource", "sys_time",
38 "sys_tty_config", "mknod", "lease", "audit_write",
39 "audit_control", "setfcap", NULL } },
40 { "filesystem",
41 { "mount", "remount", "unmount", "getattr",
42 "relabelfrom", "relabelto", "transition", "associate", "quotamod",
43 "quotaget", NULL } },
44 { "file",
45 { COMMON_FILE_PERMS,
46 "execute_no_trans", "entrypoint", "execmod", "open", NULL } },
47 { "dir",
48 { COMMON_FILE_PERMS, "add_name", "remove_name",
49 "reparent", "search", "rmdir", "open", NULL } },
50 { "fd", { "use", NULL } },
51 { "lnk_file",
52 { COMMON_FILE_PERMS, NULL } },
53 { "chr_file",
54 { COMMON_FILE_PERMS,
55 "execute_no_trans", "entrypoint", "execmod", "open", NULL } },
56 { "blk_file",
57 { COMMON_FILE_PERMS, "open", NULL } },
58 { "sock_file",
59 { COMMON_FILE_PERMS, "open", NULL } },
60 { "fifo_file",
61 { COMMON_FILE_PERMS, "open", NULL } },
62 { "socket",
63 { COMMON_SOCK_PERMS, NULL } },
64 { "tcp_socket",
65 { COMMON_SOCK_PERMS,
66 "connectto", "newconn", "acceptfrom", "node_bind", "name_connect",
67 NULL } },
68 { "udp_socket",
69 { COMMON_SOCK_PERMS,
70 "node_bind", NULL } },
71 { "rawip_socket",
72 { COMMON_SOCK_PERMS,
73 "node_bind", NULL } },
74 { "node",
75 { "tcp_recv", "tcp_send", "udp_recv", "udp_send",
76 "rawip_recv", "rawip_send", "enforce_dest",
77 "dccp_recv", "dccp_send", "recvfrom", "sendto", NULL } },
78 { "netif",
79 { "tcp_recv", "tcp_send", "udp_recv", "udp_send",
80 "rawip_recv", "rawip_send", "dccp_recv", "dccp_send",
81 "ingress", "egress", NULL } },
82 { "netlink_socket",
83 { COMMON_SOCK_PERMS, NULL } },
84 { "packet_socket",
85 { COMMON_SOCK_PERMS, NULL } },
86 { "key_socket",
87 { COMMON_SOCK_PERMS, NULL } },
88 { "unix_stream_socket",
89 { COMMON_SOCK_PERMS, "connectto", "newconn", "acceptfrom", NULL
90 } },
91 { "unix_dgram_socket",
92 { COMMON_SOCK_PERMS, NULL
93 } },
94 { "sem",
95 { COMMON_IPC_PERMS, NULL } },
96 { "msg", { "send", "receive", NULL } },
97 { "msgq",
98 { COMMON_IPC_PERMS, "enqueue", NULL } },
99 { "shm",
100 { COMMON_IPC_PERMS, "lock", NULL } },
101 { "ipc",
102 { COMMON_IPC_PERMS, NULL } },
103 { "netlink_route_socket",
104 { COMMON_SOCK_PERMS,
105 "nlmsg_read", "nlmsg_write", NULL } },
106 { "netlink_firewall_socket",
107 { COMMON_SOCK_PERMS,
108 "nlmsg_read", "nlmsg_write", NULL } },
109 { "netlink_tcpdiag_socket",
110 { COMMON_SOCK_PERMS,
111 "nlmsg_read", "nlmsg_write", NULL } },
112 { "netlink_nflog_socket",
113 { COMMON_SOCK_PERMS, NULL } },
114 { "netlink_xfrm_socket",
115 { COMMON_SOCK_PERMS,
116 "nlmsg_read", "nlmsg_write", NULL } },
117 { "netlink_selinux_socket",
118 { COMMON_SOCK_PERMS, NULL } },
119 { "netlink_audit_socket",
120 { COMMON_SOCK_PERMS,
121 "nlmsg_read", "nlmsg_write", "nlmsg_relay", "nlmsg_readpriv",
122 "nlmsg_tty_audit", NULL } },
123 { "netlink_ip6fw_socket",
124 { COMMON_SOCK_PERMS,
125 "nlmsg_read", "nlmsg_write", NULL } },
126 { "netlink_dnrt_socket",
127 { COMMON_SOCK_PERMS, NULL } },
128 { "association",
129 { "sendto", "recvfrom", "setcontext", "polmatch", NULL } },
130 { "netlink_kobject_uevent_socket",
131 { COMMON_SOCK_PERMS, NULL } },
132 { "appletalk_socket",
133 { COMMON_SOCK_PERMS, NULL } },
134 { "packet",
135 { "send", "recv", "relabelto", "flow_in", "flow_out",
136 "forward_in", "forward_out", NULL } },
137 { "key",
138 { "view", "read", "write", "search", "link", "setattr", "create",
139 NULL } },
140 { "dccp_socket",
141 { COMMON_SOCK_PERMS,
142 "node_bind", "name_connect", NULL } },
143 { "memprotect", { "mmap_zero", NULL } },
144 { "peer", { "recv", NULL } },
145 { "capability2", { "mac_override", "mac_admin", NULL } },
146 { "kernel_service", { "use_as_override", "create_files_as", NULL } },
147 { "tun_socket",
148 { COMMON_SOCK_PERMS, NULL } },
149 { NULL }
150 };
diff --git a/security/selinux/include/common_perm_to_string.h b/security/selinux/include/common_perm_to_string.h
deleted file mode 100644
index ce5b6e2fe9dd..000000000000
--- a/security/selinux/include/common_perm_to_string.h
+++ /dev/null
@@ -1,58 +0,0 @@
1/* This file is automatically generated. Do not edit. */
2TB_(common_file_perm_to_string)
3 S_("ioctl")
4 S_("read")
5 S_("write")
6 S_("create")
7 S_("getattr")
8 S_("setattr")
9 S_("lock")
10 S_("relabelfrom")
11 S_("relabelto")
12 S_("append")
13 S_("unlink")
14 S_("link")
15 S_("rename")
16 S_("execute")
17 S_("swapon")
18 S_("quotaon")
19 S_("mounton")
20TE_(common_file_perm_to_string)
21
22TB_(common_socket_perm_to_string)
23 S_("ioctl")
24 S_("read")
25 S_("write")
26 S_("create")
27 S_("getattr")
28 S_("setattr")
29 S_("lock")
30 S_("relabelfrom")
31 S_("relabelto")
32 S_("append")
33 S_("bind")
34 S_("connect")
35 S_("listen")
36 S_("accept")
37 S_("getopt")
38 S_("setopt")
39 S_("shutdown")
40 S_("recvfrom")
41 S_("sendto")
42 S_("recv_msg")
43 S_("send_msg")
44 S_("name_bind")
45TE_(common_socket_perm_to_string)
46
47TB_(common_ipc_perm_to_string)
48 S_("create")
49 S_("destroy")
50 S_("getattr")
51 S_("setattr")
52 S_("read")
53 S_("write")
54 S_("associate")
55 S_("unix_read")
56 S_("unix_write")
57TE_(common_ipc_perm_to_string)
58
diff --git a/security/selinux/include/flask.h b/security/selinux/include/flask.h
index f248500a1e3c..5359ca2abf21 100644
--- a/security/selinux/include/flask.h
+++ b/security/selinux/include/flask.h
@@ -34,26 +34,26 @@
34#define SECCLASS_MSGQ 27 34#define SECCLASS_MSGQ 27
35#define SECCLASS_SHM 28 35#define SECCLASS_SHM 28
36#define SECCLASS_IPC 29 36#define SECCLASS_IPC 29
37#define SECCLASS_NETLINK_ROUTE_SOCKET 43 37#define SECCLASS_NETLINK_ROUTE_SOCKET 30
38#define SECCLASS_NETLINK_FIREWALL_SOCKET 44 38#define SECCLASS_NETLINK_FIREWALL_SOCKET 31
39#define SECCLASS_NETLINK_TCPDIAG_SOCKET 45 39#define SECCLASS_NETLINK_TCPDIAG_SOCKET 32
40#define SECCLASS_NETLINK_NFLOG_SOCKET 46 40#define SECCLASS_NETLINK_NFLOG_SOCKET 33
41#define SECCLASS_NETLINK_XFRM_SOCKET 47 41#define SECCLASS_NETLINK_XFRM_SOCKET 34
42#define SECCLASS_NETLINK_SELINUX_SOCKET 48 42#define SECCLASS_NETLINK_SELINUX_SOCKET 35
43#define SECCLASS_NETLINK_AUDIT_SOCKET 49 43#define SECCLASS_NETLINK_AUDIT_SOCKET 36
44#define SECCLASS_NETLINK_IP6FW_SOCKET 50 44#define SECCLASS_NETLINK_IP6FW_SOCKET 37
45#define SECCLASS_NETLINK_DNRT_SOCKET 51 45#define SECCLASS_NETLINK_DNRT_SOCKET 38
46#define SECCLASS_ASSOCIATION 54 46#define SECCLASS_ASSOCIATION 39
47#define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET 55 47#define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET 40
48#define SECCLASS_APPLETALK_SOCKET 56 48#define SECCLASS_APPLETALK_SOCKET 41
49#define SECCLASS_PACKET 57 49#define SECCLASS_PACKET 42
50#define SECCLASS_KEY 58 50#define SECCLASS_KEY 43
51#define SECCLASS_DCCP_SOCKET 60 51#define SECCLASS_DCCP_SOCKET 44
52#define SECCLASS_MEMPROTECT 61 52#define SECCLASS_MEMPROTECT 45
53#define SECCLASS_PEER 68 53#define SECCLASS_PEER 46
54#define SECCLASS_CAPABILITY2 69 54#define SECCLASS_CAPABILITY2 47
55#define SECCLASS_KERNEL_SERVICE 74 55#define SECCLASS_KERNEL_SERVICE 48
56#define SECCLASS_TUN_SOCKET 75 56#define SECCLASS_TUN_SOCKET 49
57 57
58/* 58/*
59 * Security identifier indices for initial entities 59 * Security identifier indices for initial entities
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index ca835795a8b3..2553266ad793 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -97,11 +97,18 @@ struct av_decision {
97#define AVD_FLAGS_PERMISSIVE 0x0001 97#define AVD_FLAGS_PERMISSIVE 0x0001
98 98
99int security_compute_av(u32 ssid, u32 tsid, 99int security_compute_av(u32 ssid, u32 tsid,
100 u16 tclass, u32 requested, 100 u16 tclass, u32 requested,
101 struct av_decision *avd); 101 struct av_decision *avd);
102
103int security_compute_av_user(u32 ssid, u32 tsid,
104 u16 tclass, u32 requested,
105 struct av_decision *avd);
102 106
103int security_transition_sid(u32 ssid, u32 tsid, 107int security_transition_sid(u32 ssid, u32 tsid,
104 u16 tclass, u32 *out_sid); 108 u16 tclass, u32 *out_sid);
109
110int security_transition_sid_user(u32 ssid, u32 tsid,
111 u16 tclass, u32 *out_sid);
105 112
106int security_member_sid(u32 ssid, u32 tsid, 113int security_member_sid(u32 ssid, u32 tsid,
107 u16 tclass, u32 *out_sid); 114 u16 tclass, u32 *out_sid);
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index b4fc506e7a87..fab36fdf2769 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -522,7 +522,7 @@ static ssize_t sel_write_access(struct file *file, char *buf, size_t size)
522 if (length < 0) 522 if (length < 0)
523 goto out2; 523 goto out2;
524 524
525 length = security_compute_av(ssid, tsid, tclass, req, &avd); 525 length = security_compute_av_user(ssid, tsid, tclass, req, &avd);
526 if (length < 0) 526 if (length < 0)
527 goto out2; 527 goto out2;
528 528
@@ -571,7 +571,7 @@ static ssize_t sel_write_create(struct file *file, char *buf, size_t size)
571 if (length < 0) 571 if (length < 0)
572 goto out2; 572 goto out2;
573 573
574 length = security_transition_sid(ssid, tsid, tclass, &newsid); 574 length = security_transition_sid_user(ssid, tsid, tclass, &newsid);
575 if (length < 0) 575 if (length < 0)
576 goto out2; 576 goto out2;
577 577
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
index b5407f16c2a4..3f2b2706b5bb 100644
--- a/security/selinux/ss/mls.c
+++ b/security/selinux/ss/mls.c
@@ -532,7 +532,7 @@ int mls_compute_sid(struct context *scontext,
532 } 532 }
533 /* Fallthrough */ 533 /* Fallthrough */
534 case AVTAB_CHANGE: 534 case AVTAB_CHANGE:
535 if (tclass == SECCLASS_PROCESS) 535 if (tclass == policydb.process_class)
536 /* Use the process MLS attributes. */ 536 /* Use the process MLS attributes. */
537 return mls_context_cpy(newcontext, scontext); 537 return mls_context_cpy(newcontext, scontext);
538 else 538 else
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 72e4a54973aa..f03667213ea8 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -713,7 +713,6 @@ void policydb_destroy(struct policydb *p)
713 ebitmap_destroy(&p->type_attr_map[i]); 713 ebitmap_destroy(&p->type_attr_map[i]);
714 } 714 }
715 kfree(p->type_attr_map); 715 kfree(p->type_attr_map);
716 kfree(p->undefined_perms);
717 ebitmap_destroy(&p->policycaps); 716 ebitmap_destroy(&p->policycaps);
718 ebitmap_destroy(&p->permissive_map); 717 ebitmap_destroy(&p->permissive_map);
719 718
@@ -1640,6 +1639,40 @@ static int policydb_bounds_sanity_check(struct policydb *p)
1640 1639
1641extern int ss_initialized; 1640extern int ss_initialized;
1642 1641
1642u16 string_to_security_class(struct policydb *p, const char *name)
1643{
1644 struct class_datum *cladatum;
1645
1646 cladatum = hashtab_search(p->p_classes.table, name);
1647 if (!cladatum)
1648 return 0;
1649
1650 return cladatum->value;
1651}
1652
1653u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name)
1654{
1655 struct class_datum *cladatum;
1656 struct perm_datum *perdatum = NULL;
1657 struct common_datum *comdatum;
1658
1659 if (!tclass || tclass > p->p_classes.nprim)
1660 return 0;
1661
1662 cladatum = p->class_val_to_struct[tclass-1];
1663 comdatum = cladatum->comdatum;
1664 if (comdatum)
1665 perdatum = hashtab_search(comdatum->permissions.table,
1666 name);
1667 if (!perdatum)
1668 perdatum = hashtab_search(cladatum->permissions.table,
1669 name);
1670 if (!perdatum)
1671 return 0;
1672
1673 return 1U << (perdatum->value-1);
1674}
1675
1643/* 1676/*
1644 * Read the configuration data from a policy database binary 1677 * Read the configuration data from a policy database binary
1645 * representation file into a policy database structure. 1678 * representation file into a policy database structure.
@@ -1861,6 +1894,16 @@ int policydb_read(struct policydb *p, void *fp)
1861 if (rc) 1894 if (rc)
1862 goto bad; 1895 goto bad;
1863 1896
1897 p->process_class = string_to_security_class(p, "process");
1898 if (!p->process_class)
1899 goto bad;
1900 p->process_trans_perms = string_to_av_perm(p, p->process_class,
1901 "transition");
1902 p->process_trans_perms |= string_to_av_perm(p, p->process_class,
1903 "dyntransition");
1904 if (!p->process_trans_perms)
1905 goto bad;
1906
1864 for (i = 0; i < info->ocon_num; i++) { 1907 for (i = 0; i < info->ocon_num; i++) {
1865 rc = next_entry(buf, fp, sizeof(u32)); 1908 rc = next_entry(buf, fp, sizeof(u32));
1866 if (rc < 0) 1909 if (rc < 0)
@@ -2101,7 +2144,7 @@ int policydb_read(struct policydb *p, void *fp)
2101 goto bad; 2144 goto bad;
2102 rt->target_class = le32_to_cpu(buf[0]); 2145 rt->target_class = le32_to_cpu(buf[0]);
2103 } else 2146 } else
2104 rt->target_class = SECCLASS_PROCESS; 2147 rt->target_class = p->process_class;
2105 if (!policydb_type_isvalid(p, rt->source_type) || 2148 if (!policydb_type_isvalid(p, rt->source_type) ||
2106 !policydb_type_isvalid(p, rt->target_type) || 2149 !policydb_type_isvalid(p, rt->target_type) ||
2107 !policydb_class_isvalid(p, rt->target_class)) { 2150 !policydb_class_isvalid(p, rt->target_class)) {
diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
index 55152d498b53..cdcc5700946f 100644
--- a/security/selinux/ss/policydb.h
+++ b/security/selinux/ss/policydb.h
@@ -254,7 +254,9 @@ struct policydb {
254 254
255 unsigned int reject_unknown : 1; 255 unsigned int reject_unknown : 1;
256 unsigned int allow_unknown : 1; 256 unsigned int allow_unknown : 1;
257 u32 *undefined_perms; 257
258 u16 process_class;
259 u32 process_trans_perms;
258}; 260};
259 261
260extern void policydb_destroy(struct policydb *p); 262extern void policydb_destroy(struct policydb *p);
@@ -295,5 +297,8 @@ static inline int next_entry(void *buf, struct policy_file *fp, size_t bytes)
295 return 0; 297 return 0;
296} 298}
297 299
300extern u16 string_to_security_class(struct policydb *p, const char *name);
301extern u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name);
302
298#endif /* _SS_POLICYDB_H_ */ 303#endif /* _SS_POLICYDB_H_ */
299 304
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index ff17820d35ec..e19baa81fdec 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -70,11 +70,6 @@ unsigned int policydb_loaded_version;
70int selinux_policycap_netpeer; 70int selinux_policycap_netpeer;
71int selinux_policycap_openperm; 71int selinux_policycap_openperm;
72 72
73/*
74 * This is declared in avc.c
75 */
76extern const struct selinux_class_perm selinux_class_perm;
77
78static DEFINE_RWLOCK(policy_rwlock); 73static DEFINE_RWLOCK(policy_rwlock);
79 74
80static struct sidtab sidtab; 75static struct sidtab sidtab;
@@ -98,6 +93,158 @@ static int context_struct_compute_av(struct context *scontext,
98 u16 tclass, 93 u16 tclass,
99 u32 requested, 94 u32 requested,
100 struct av_decision *avd); 95 struct av_decision *avd);
96
97struct selinux_mapping {
98 u16 value; /* policy value */
99 unsigned num_perms;
100 u32 perms[sizeof(u32) * 8];
101};
102
103static struct selinux_mapping *current_mapping;
104static u16 current_mapping_size;
105
106static int selinux_set_mapping(struct policydb *pol,
107 struct security_class_mapping *map,
108 struct selinux_mapping **out_map_p,
109 u16 *out_map_size)
110{
111 struct selinux_mapping *out_map = NULL;
112 size_t size = sizeof(struct selinux_mapping);
113 u16 i, j;
114 unsigned k;
115 bool print_unknown_handle = false;
116
117 /* Find number of classes in the input mapping */
118 if (!map)
119 return -EINVAL;
120 i = 0;
121 while (map[i].name)
122 i++;
123
124 /* Allocate space for the class records, plus one for class zero */
125 out_map = kcalloc(++i, size, GFP_ATOMIC);
126 if (!out_map)
127 return -ENOMEM;
128
129 /* Store the raw class and permission values */
130 j = 0;
131 while (map[j].name) {
132 struct security_class_mapping *p_in = map + (j++);
133 struct selinux_mapping *p_out = out_map + j;
134
135 /* An empty class string skips ahead */
136 if (!strcmp(p_in->name, "")) {
137 p_out->num_perms = 0;
138 continue;
139 }
140
141 p_out->value = string_to_security_class(pol, p_in->name);
142 if (!p_out->value) {
143 printk(KERN_INFO
144 "SELinux: Class %s not defined in policy.\n",
145 p_in->name);
146 if (pol->reject_unknown)
147 goto err;
148 p_out->num_perms = 0;
149 print_unknown_handle = true;
150 continue;
151 }
152
153 k = 0;
154 while (p_in->perms && p_in->perms[k]) {
155 /* An empty permission string skips ahead */
156 if (!*p_in->perms[k]) {
157 k++;
158 continue;
159 }
160 p_out->perms[k] = string_to_av_perm(pol, p_out->value,
161 p_in->perms[k]);
162 if (!p_out->perms[k]) {
163 printk(KERN_INFO
164 "SELinux: Permission %s in class %s not defined in policy.\n",
165 p_in->perms[k], p_in->name);
166 if (pol->reject_unknown)
167 goto err;
168 print_unknown_handle = true;
169 }
170
171 k++;
172 }
173 p_out->num_perms = k;
174 }
175
176 if (print_unknown_handle)
177 printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
178 pol->allow_unknown ? "allowed" : "denied");
179
180 *out_map_p = out_map;
181 *out_map_size = i;
182 return 0;
183err:
184 kfree(out_map);
185 return -EINVAL;
186}
187
188/*
189 * Get real, policy values from mapped values
190 */
191
192static u16 unmap_class(u16 tclass)
193{
194 if (tclass < current_mapping_size)
195 return current_mapping[tclass].value;
196
197 return tclass;
198}
199
200static u32 unmap_perm(u16 tclass, u32 tperm)
201{
202 if (tclass < current_mapping_size) {
203 unsigned i;
204 u32 kperm = 0;
205
206 for (i = 0; i < current_mapping[tclass].num_perms; i++)
207 if (tperm & (1<<i)) {
208 kperm |= current_mapping[tclass].perms[i];
209 tperm &= ~(1<<i);
210 }
211 return kperm;
212 }
213
214 return tperm;
215}
216
217static void map_decision(u16 tclass, struct av_decision *avd,
218 int allow_unknown)
219{
220 if (tclass < current_mapping_size) {
221 unsigned i, n = current_mapping[tclass].num_perms;
222 u32 result;
223
224 for (i = 0, result = 0; i < n; i++) {
225 if (avd->allowed & current_mapping[tclass].perms[i])
226 result |= 1<<i;
227 if (allow_unknown && !current_mapping[tclass].perms[i])
228 result |= 1<<i;
229 }
230 avd->allowed = result;
231
232 for (i = 0, result = 0; i < n; i++)
233 if (avd->auditallow & current_mapping[tclass].perms[i])
234 result |= 1<<i;
235 avd->auditallow = result;
236
237 for (i = 0, result = 0; i < n; i++) {
238 if (avd->auditdeny & current_mapping[tclass].perms[i])
239 result |= 1<<i;
240 if (!allow_unknown && !current_mapping[tclass].perms[i])
241 result |= 1<<i;
242 }
243 avd->auditdeny = result;
244 }
245}
246
247
101/* 248/*
102 * Return the boolean value of a constraint expression 249 * Return the boolean value of a constraint expression
103 * when it is applied to the specified source and target 250 * when it is applied to the specified source and target
@@ -467,7 +614,6 @@ static int context_struct_compute_av(struct context *scontext,
467 struct class_datum *tclass_datum; 614 struct class_datum *tclass_datum;
468 struct ebitmap *sattr, *tattr; 615 struct ebitmap *sattr, *tattr;
469 struct ebitmap_node *snode, *tnode; 616 struct ebitmap_node *snode, *tnode;
470 const struct selinux_class_perm *kdefs = &selinux_class_perm;
471 unsigned int i, j; 617 unsigned int i, j;
472 618
473 /* 619 /*
@@ -477,9 +623,9 @@ static int context_struct_compute_av(struct context *scontext,
477 * to remain in the correct class. 623 * to remain in the correct class.
478 */ 624 */
479 if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS) 625 if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
480 if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET && 626 if (tclass >= unmap_class(SECCLASS_NETLINK_ROUTE_SOCKET) &&
481 tclass <= SECCLASS_NETLINK_DNRT_SOCKET) 627 tclass <= unmap_class(SECCLASS_NETLINK_DNRT_SOCKET))
482 tclass = SECCLASS_NETLINK_SOCKET; 628 tclass = unmap_class(SECCLASS_NETLINK_SOCKET);
483 629
484 /* 630 /*
485 * Initialize the access vectors to the default values. 631 * Initialize the access vectors to the default values.
@@ -490,33 +636,11 @@ static int context_struct_compute_av(struct context *scontext,
490 avd->seqno = latest_granting; 636 avd->seqno = latest_granting;
491 avd->flags = 0; 637 avd->flags = 0;
492 638
493 /* 639 if (unlikely(!tclass || tclass > policydb.p_classes.nprim)) {
494 * Check for all the invalid cases. 640 if (printk_ratelimit())
495 * - tclass 0 641 printk(KERN_WARNING "SELinux: Invalid class %hu\n", tclass);
496 * - tclass > policy and > kernel 642 return -EINVAL;
497 * - tclass > policy but is a userspace class 643 }
498 * - tclass > policy but we do not allow unknowns
499 */
500 if (unlikely(!tclass))
501 goto inval_class;
502 if (unlikely(tclass > policydb.p_classes.nprim))
503 if (tclass > kdefs->cts_len ||
504 !kdefs->class_to_string[tclass] ||
505 !policydb.allow_unknown)
506 goto inval_class;
507
508 /*
509 * Kernel class and we allow unknown so pad the allow decision
510 * the pad will be all 1 for unknown classes.
511 */
512 if (tclass <= kdefs->cts_len && policydb.allow_unknown)
513 avd->allowed = policydb.undefined_perms[tclass - 1];
514
515 /*
516 * Not in policy. Since decision is completed (all 1 or all 0) return.
517 */
518 if (unlikely(tclass > policydb.p_classes.nprim))
519 return 0;
520 644
521 tclass_datum = policydb.class_val_to_struct[tclass - 1]; 645 tclass_datum = policydb.class_val_to_struct[tclass - 1];
522 646
@@ -568,8 +692,8 @@ static int context_struct_compute_av(struct context *scontext,
568 * role is changing, then check the (current_role, new_role) 692 * role is changing, then check the (current_role, new_role)
569 * pair. 693 * pair.
570 */ 694 */
571 if (tclass == SECCLASS_PROCESS && 695 if (tclass == policydb.process_class &&
572 (avd->allowed & (PROCESS__TRANSITION | PROCESS__DYNTRANSITION)) && 696 (avd->allowed & policydb.process_trans_perms) &&
573 scontext->role != tcontext->role) { 697 scontext->role != tcontext->role) {
574 for (ra = policydb.role_allow; ra; ra = ra->next) { 698 for (ra = policydb.role_allow; ra; ra = ra->next) {
575 if (scontext->role == ra->role && 699 if (scontext->role == ra->role &&
@@ -577,8 +701,7 @@ static int context_struct_compute_av(struct context *scontext,
577 break; 701 break;
578 } 702 }
579 if (!ra) 703 if (!ra)
580 avd->allowed &= ~(PROCESS__TRANSITION | 704 avd->allowed &= ~policydb.process_trans_perms;
581 PROCESS__DYNTRANSITION);
582 } 705 }
583 706
584 /* 707 /*
@@ -590,21 +713,6 @@ static int context_struct_compute_av(struct context *scontext,
590 tclass, requested, avd); 713 tclass, requested, avd);
591 714
592 return 0; 715 return 0;
593
594inval_class:
595 if (!tclass || tclass > kdefs->cts_len ||
596 !kdefs->class_to_string[tclass]) {
597 if (printk_ratelimit())
598 printk(KERN_ERR "SELinux: %s: unrecognized class %d\n",
599 __func__, tclass);
600 return -EINVAL;
601 }
602
603 /*
604 * Known to the kernel, but not to the policy.
605 * Handle as a denial (allowed is 0).
606 */
607 return 0;
608} 716}
609 717
610static int security_validtrans_handle_fail(struct context *ocontext, 718static int security_validtrans_handle_fail(struct context *ocontext,
@@ -636,13 +744,14 @@ out:
636} 744}
637 745
638int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, 746int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
639 u16 tclass) 747 u16 orig_tclass)
640{ 748{
641 struct context *ocontext; 749 struct context *ocontext;
642 struct context *ncontext; 750 struct context *ncontext;
643 struct context *tcontext; 751 struct context *tcontext;
644 struct class_datum *tclass_datum; 752 struct class_datum *tclass_datum;
645 struct constraint_node *constraint; 753 struct constraint_node *constraint;
754 u16 tclass;
646 int rc = 0; 755 int rc = 0;
647 756
648 if (!ss_initialized) 757 if (!ss_initialized)
@@ -650,6 +759,8 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
650 759
651 read_lock(&policy_rwlock); 760 read_lock(&policy_rwlock);
652 761
762 tclass = unmap_class(orig_tclass);
763
653 /* 764 /*
654 * Remap extended Netlink classes for old policy versions. 765 * Remap extended Netlink classes for old policy versions.
655 * Do this here rather than socket_type_to_security_class() 766 * Do this here rather than socket_type_to_security_class()
@@ -657,9 +768,9 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
657 * to remain in the correct class. 768 * to remain in the correct class.
658 */ 769 */
659 if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS) 770 if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
660 if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET && 771 if (tclass >= unmap_class(SECCLASS_NETLINK_ROUTE_SOCKET) &&
661 tclass <= SECCLASS_NETLINK_DNRT_SOCKET) 772 tclass <= unmap_class(SECCLASS_NETLINK_DNRT_SOCKET))
662 tclass = SECCLASS_NETLINK_SOCKET; 773 tclass = unmap_class(SECCLASS_NETLINK_SOCKET);
663 774
664 if (!tclass || tclass > policydb.p_classes.nprim) { 775 if (!tclass || tclass > policydb.p_classes.nprim) {
665 printk(KERN_ERR "SELinux: %s: unrecognized class %d\n", 776 printk(KERN_ERR "SELinux: %s: unrecognized class %d\n",
@@ -792,6 +903,38 @@ out:
792} 903}
793 904
794 905
906static int security_compute_av_core(u32 ssid,
907 u32 tsid,
908 u16 tclass,
909 u32 requested,
910 struct av_decision *avd)
911{
912 struct context *scontext = NULL, *tcontext = NULL;
913 int rc = 0;
914
915 scontext = sidtab_search(&sidtab, ssid);
916 if (!scontext) {
917 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
918 __func__, ssid);
919 return -EINVAL;
920 }
921 tcontext = sidtab_search(&sidtab, tsid);
922 if (!tcontext) {
923 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
924 __func__, tsid);
925 return -EINVAL;
926 }
927
928 rc = context_struct_compute_av(scontext, tcontext, tclass,
929 requested, avd);
930
931 /* permissive domain? */
932 if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
933 avd->flags |= AVD_FLAGS_PERMISSIVE;
934
935 return rc;
936}
937
795/** 938/**
796 * security_compute_av - Compute access vector decisions. 939 * security_compute_av - Compute access vector decisions.
797 * @ssid: source security identifier 940 * @ssid: source security identifier
@@ -807,12 +950,45 @@ out:
807 */ 950 */
808int security_compute_av(u32 ssid, 951int security_compute_av(u32 ssid,
809 u32 tsid, 952 u32 tsid,
810 u16 tclass, 953 u16 orig_tclass,
811 u32 requested, 954 u32 orig_requested,
812 struct av_decision *avd) 955 struct av_decision *avd)
813{ 956{
814 struct context *scontext = NULL, *tcontext = NULL; 957 u16 tclass;
815 int rc = 0; 958 u32 requested;
959 int rc;
960
961 if (!ss_initialized)
962 goto allow;
963
964 read_lock(&policy_rwlock);
965 requested = unmap_perm(orig_tclass, orig_requested);
966 tclass = unmap_class(orig_tclass);
967 if (unlikely(orig_tclass && !tclass)) {
968 if (policydb.allow_unknown)
969 goto allow;
970 return -EINVAL;
971 }
972 rc = security_compute_av_core(ssid, tsid, tclass, requested, avd);
973 map_decision(orig_tclass, avd, policydb.allow_unknown);
974 read_unlock(&policy_rwlock);
975 return rc;
976allow:
977 avd->allowed = 0xffffffff;
978 avd->auditallow = 0;
979 avd->auditdeny = 0xffffffff;
980 avd->seqno = latest_granting;
981 avd->flags = 0;
982 return 0;
983}
984
985int security_compute_av_user(u32 ssid,
986 u32 tsid,
987 u16 tclass,
988 u32 requested,
989 struct av_decision *avd)
990{
991 int rc;
816 992
817 if (!ss_initialized) { 993 if (!ss_initialized) {
818 avd->allowed = 0xffffffff; 994 avd->allowed = 0xffffffff;
@@ -823,29 +999,7 @@ int security_compute_av(u32 ssid,
823 } 999 }
824 1000
825 read_lock(&policy_rwlock); 1001 read_lock(&policy_rwlock);
826 1002 rc = security_compute_av_core(ssid, tsid, tclass, requested, avd);
827 scontext = sidtab_search(&sidtab, ssid);
828 if (!scontext) {
829 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
830 __func__, ssid);
831 rc = -EINVAL;
832 goto out;
833 }
834 tcontext = sidtab_search(&sidtab, tsid);
835 if (!tcontext) {
836 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
837 __func__, tsid);
838 rc = -EINVAL;
839 goto out;
840 }
841
842 rc = context_struct_compute_av(scontext, tcontext, tclass,
843 requested, avd);
844
845 /* permissive domain? */
846 if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
847 avd->flags |= AVD_FLAGS_PERMISSIVE;
848out:
849 read_unlock(&policy_rwlock); 1003 read_unlock(&policy_rwlock);
850 return rc; 1004 return rc;
851} 1005}
@@ -1204,20 +1358,22 @@ out:
1204 1358
1205static int security_compute_sid(u32 ssid, 1359static int security_compute_sid(u32 ssid,
1206 u32 tsid, 1360 u32 tsid,
1207 u16 tclass, 1361 u16 orig_tclass,
1208 u32 specified, 1362 u32 specified,
1209 u32 *out_sid) 1363 u32 *out_sid,
1364 bool kern)
1210{ 1365{
1211 struct context *scontext = NULL, *tcontext = NULL, newcontext; 1366 struct context *scontext = NULL, *tcontext = NULL, newcontext;
1212 struct role_trans *roletr = NULL; 1367 struct role_trans *roletr = NULL;
1213 struct avtab_key avkey; 1368 struct avtab_key avkey;
1214 struct avtab_datum *avdatum; 1369 struct avtab_datum *avdatum;
1215 struct avtab_node *node; 1370 struct avtab_node *node;
1371 u16 tclass;
1216 int rc = 0; 1372 int rc = 0;
1217 1373
1218 if (!ss_initialized) { 1374 if (!ss_initialized) {
1219 switch (tclass) { 1375 switch (orig_tclass) {
1220 case SECCLASS_PROCESS: 1376 case SECCLASS_PROCESS: /* kernel value */
1221 *out_sid = ssid; 1377 *out_sid = ssid;
1222 break; 1378 break;
1223 default: 1379 default:
@@ -1231,6 +1387,11 @@ static int security_compute_sid(u32 ssid,
1231 1387
1232 read_lock(&policy_rwlock); 1388 read_lock(&policy_rwlock);
1233 1389
1390 if (kern)
1391 tclass = unmap_class(orig_tclass);
1392 else
1393 tclass = orig_tclass;
1394
1234 scontext = sidtab_search(&sidtab, ssid); 1395 scontext = sidtab_search(&sidtab, ssid);
1235 if (!scontext) { 1396 if (!scontext) {
1236 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 1397 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
@@ -1260,13 +1421,11 @@ static int security_compute_sid(u32 ssid,
1260 } 1421 }
1261 1422
1262 /* Set the role and type to default values. */ 1423 /* Set the role and type to default values. */
1263 switch (tclass) { 1424 if (tclass == policydb.process_class) {
1264 case SECCLASS_PROCESS:
1265 /* Use the current role and type of process. */ 1425 /* Use the current role and type of process. */
1266 newcontext.role = scontext->role; 1426 newcontext.role = scontext->role;
1267 newcontext.type = scontext->type; 1427 newcontext.type = scontext->type;
1268 break; 1428 } else {
1269 default:
1270 /* Use the well-defined object role. */ 1429 /* Use the well-defined object role. */
1271 newcontext.role = OBJECT_R_VAL; 1430 newcontext.role = OBJECT_R_VAL;
1272 /* Use the type of the related object. */ 1431 /* Use the type of the related object. */
@@ -1297,8 +1456,7 @@ static int security_compute_sid(u32 ssid,
1297 } 1456 }
1298 1457
1299 /* Check for class-specific changes. */ 1458 /* Check for class-specific changes. */
1300 switch (tclass) { 1459 if (tclass == policydb.process_class) {
1301 case SECCLASS_PROCESS:
1302 if (specified & AVTAB_TRANSITION) { 1460 if (specified & AVTAB_TRANSITION) {
1303 /* Look for a role transition rule. */ 1461 /* Look for a role transition rule. */
1304 for (roletr = policydb.role_tr; roletr; 1462 for (roletr = policydb.role_tr; roletr;
@@ -1311,9 +1469,6 @@ static int security_compute_sid(u32 ssid,
1311 } 1469 }
1312 } 1470 }
1313 } 1471 }
1314 break;
1315 default:
1316 break;
1317 } 1472 }
1318 1473
1319 /* Set the MLS attributes. 1474 /* Set the MLS attributes.
@@ -1358,7 +1513,17 @@ int security_transition_sid(u32 ssid,
1358 u16 tclass, 1513 u16 tclass,
1359 u32 *out_sid) 1514 u32 *out_sid)
1360{ 1515{
1361 return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, out_sid); 1516 return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
1517 out_sid, true);
1518}
1519
1520int security_transition_sid_user(u32 ssid,
1521 u32 tsid,
1522 u16 tclass,
1523 u32 *out_sid)
1524{
1525 return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
1526 out_sid, false);
1362} 1527}
1363 1528
1364/** 1529/**
@@ -1379,7 +1544,8 @@ int security_member_sid(u32 ssid,
1379 u16 tclass, 1544 u16 tclass,
1380 u32 *out_sid) 1545 u32 *out_sid)
1381{ 1546{
1382 return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid); 1547 return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid,
1548 false);
1383} 1549}
1384 1550
1385/** 1551/**
@@ -1400,144 +1566,8 @@ int security_change_sid(u32 ssid,
1400 u16 tclass, 1566 u16 tclass,
1401 u32 *out_sid) 1567 u32 *out_sid)
1402{ 1568{
1403 return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid); 1569 return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid,
1404} 1570 false);
1405
1406/*
1407 * Verify that each kernel class that is defined in the
1408 * policy is correct
1409 */
1410static int validate_classes(struct policydb *p)
1411{
1412 int i, j;
1413 struct class_datum *cladatum;
1414 struct perm_datum *perdatum;
1415 u32 nprim, tmp, common_pts_len, perm_val, pol_val;
1416 u16 class_val;
1417 const struct selinux_class_perm *kdefs = &selinux_class_perm;
1418 const char *def_class, *def_perm, *pol_class;
1419 struct symtab *perms;
1420 bool print_unknown_handle = 0;
1421
1422 if (p->allow_unknown) {
1423 u32 num_classes = kdefs->cts_len;
1424 p->undefined_perms = kcalloc(num_classes, sizeof(u32), GFP_KERNEL);
1425 if (!p->undefined_perms)
1426 return -ENOMEM;
1427 }
1428
1429 for (i = 1; i < kdefs->cts_len; i++) {
1430 def_class = kdefs->class_to_string[i];
1431 if (!def_class)
1432 continue;
1433 if (i > p->p_classes.nprim) {
1434 printk(KERN_INFO
1435 "SELinux: class %s not defined in policy\n",
1436 def_class);
1437 if (p->reject_unknown)
1438 return -EINVAL;
1439 if (p->allow_unknown)
1440 p->undefined_perms[i-1] = ~0U;
1441 print_unknown_handle = 1;
1442 continue;
1443 }
1444 pol_class = p->p_class_val_to_name[i-1];
1445 if (strcmp(pol_class, def_class)) {
1446 printk(KERN_ERR
1447 "SELinux: class %d is incorrect, found %s but should be %s\n",
1448 i, pol_class, def_class);
1449 return -EINVAL;
1450 }
1451 }
1452 for (i = 0; i < kdefs->av_pts_len; i++) {
1453 class_val = kdefs->av_perm_to_string[i].tclass;
1454 perm_val = kdefs->av_perm_to_string[i].value;
1455 def_perm = kdefs->av_perm_to_string[i].name;
1456 if (class_val > p->p_classes.nprim)
1457 continue;
1458 pol_class = p->p_class_val_to_name[class_val-1];
1459 cladatum = hashtab_search(p->p_classes.table, pol_class);
1460 BUG_ON(!cladatum);
1461 perms = &cladatum->permissions;
1462 nprim = 1 << (perms->nprim - 1);
1463 if (perm_val > nprim) {
1464 printk(KERN_INFO
1465 "SELinux: permission %s in class %s not defined in policy\n",
1466 def_perm, pol_class);
1467 if (p->reject_unknown)
1468 return -EINVAL;
1469 if (p->allow_unknown)
1470 p->undefined_perms[class_val-1] |= perm_val;
1471 print_unknown_handle = 1;
1472 continue;
1473 }
1474 perdatum = hashtab_search(perms->table, def_perm);
1475 if (perdatum == NULL) {
1476 printk(KERN_ERR
1477 "SELinux: permission %s in class %s not found in policy, bad policy\n",
1478 def_perm, pol_class);
1479 return -EINVAL;
1480 }
1481 pol_val = 1 << (perdatum->value - 1);
1482 if (pol_val != perm_val) {
1483 printk(KERN_ERR
1484 "SELinux: permission %s in class %s has incorrect value\n",
1485 def_perm, pol_class);
1486 return -EINVAL;
1487 }
1488 }
1489 for (i = 0; i < kdefs->av_inherit_len; i++) {
1490 class_val = kdefs->av_inherit[i].tclass;
1491 if (class_val > p->p_classes.nprim)
1492 continue;
1493 pol_class = p->p_class_val_to_name[class_val-1];
1494 cladatum = hashtab_search(p->p_classes.table, pol_class);
1495 BUG_ON(!cladatum);
1496 if (!cladatum->comdatum) {
1497 printk(KERN_ERR
1498 "SELinux: class %s should have an inherits clause but does not\n",
1499 pol_class);
1500 return -EINVAL;
1501 }
1502 tmp = kdefs->av_inherit[i].common_base;
1503 common_pts_len = 0;
1504 while (!(tmp & 0x01)) {
1505 common_pts_len++;
1506 tmp >>= 1;
1507 }
1508 perms = &cladatum->comdatum->permissions;
1509 for (j = 0; j < common_pts_len; j++) {
1510 def_perm = kdefs->av_inherit[i].common_pts[j];
1511 if (j >= perms->nprim) {
1512 printk(KERN_INFO
1513 "SELinux: permission %s in class %s not defined in policy\n",
1514 def_perm, pol_class);
1515 if (p->reject_unknown)
1516 return -EINVAL;
1517 if (p->allow_unknown)
1518 p->undefined_perms[class_val-1] |= (1 << j);
1519 print_unknown_handle = 1;
1520 continue;
1521 }
1522 perdatum = hashtab_search(perms->table, def_perm);
1523 if (perdatum == NULL) {
1524 printk(KERN_ERR
1525 "SELinux: permission %s in class %s not found in policy, bad policy\n",
1526 def_perm, pol_class);
1527 return -EINVAL;
1528 }
1529 if (perdatum->value != j + 1) {
1530 printk(KERN_ERR
1531 "SELinux: permission %s in class %s has incorrect value\n",
1532 def_perm, pol_class);
1533 return -EINVAL;
1534 }
1535 }
1536 }
1537 if (print_unknown_handle)
1538 printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
1539 (security_get_allow_unknown() ? "allowed" : "denied"));
1540 return 0;
1541} 1571}
1542 1572
1543/* Clone the SID into the new SID table. */ 1573/* Clone the SID into the new SID table. */
@@ -1710,8 +1740,10 @@ int security_load_policy(void *data, size_t len)
1710{ 1740{
1711 struct policydb oldpolicydb, newpolicydb; 1741 struct policydb oldpolicydb, newpolicydb;
1712 struct sidtab oldsidtab, newsidtab; 1742 struct sidtab oldsidtab, newsidtab;
1743 struct selinux_mapping *oldmap, *map = NULL;
1713 struct convert_context_args args; 1744 struct convert_context_args args;
1714 u32 seqno; 1745 u32 seqno;
1746 u16 map_size;
1715 int rc = 0; 1747 int rc = 0;
1716 struct policy_file file = { data, len }, *fp = &file; 1748 struct policy_file file = { data, len }, *fp = &file;
1717 1749
@@ -1721,16 +1753,14 @@ int security_load_policy(void *data, size_t len)
1721 avtab_cache_destroy(); 1753 avtab_cache_destroy();
1722 return -EINVAL; 1754 return -EINVAL;
1723 } 1755 }
1724 if (policydb_load_isids(&policydb, &sidtab)) { 1756 if (selinux_set_mapping(&policydb, secclass_map,
1757 &current_mapping,
1758 &current_mapping_size)) {
1725 policydb_destroy(&policydb); 1759 policydb_destroy(&policydb);
1726 avtab_cache_destroy(); 1760 avtab_cache_destroy();
1727 return -EINVAL; 1761 return -EINVAL;
1728 } 1762 }
1729 /* Verify that the kernel defined classes are correct. */ 1763 if (policydb_load_isids(&policydb, &sidtab)) {
1730 if (validate_classes(&policydb)) {
1731 printk(KERN_ERR
1732 "SELinux: the definition of a class is incorrect\n");
1733 sidtab_destroy(&sidtab);
1734 policydb_destroy(&policydb); 1764 policydb_destroy(&policydb);
1735 avtab_cache_destroy(); 1765 avtab_cache_destroy();
1736 return -EINVAL; 1766 return -EINVAL;
@@ -1759,13 +1789,9 @@ int security_load_policy(void *data, size_t len)
1759 return -ENOMEM; 1789 return -ENOMEM;
1760 } 1790 }
1761 1791
1762 /* Verify that the kernel defined classes are correct. */ 1792 if (selinux_set_mapping(&newpolicydb, secclass_map,
1763 if (validate_classes(&newpolicydb)) { 1793 &map, &map_size))
1764 printk(KERN_ERR
1765 "SELinux: the definition of a class is incorrect\n");
1766 rc = -EINVAL;
1767 goto err; 1794 goto err;
1768 }
1769 1795
1770 rc = security_preserve_bools(&newpolicydb); 1796 rc = security_preserve_bools(&newpolicydb);
1771 if (rc) { 1797 if (rc) {
@@ -1799,6 +1825,9 @@ int security_load_policy(void *data, size_t len)
1799 memcpy(&policydb, &newpolicydb, sizeof policydb); 1825 memcpy(&policydb, &newpolicydb, sizeof policydb);
1800 sidtab_set(&sidtab, &newsidtab); 1826 sidtab_set(&sidtab, &newsidtab);
1801 security_load_policycaps(); 1827 security_load_policycaps();
1828 oldmap = current_mapping;
1829 current_mapping = map;
1830 current_mapping_size = map_size;
1802 seqno = ++latest_granting; 1831 seqno = ++latest_granting;
1803 policydb_loaded_version = policydb.policyvers; 1832 policydb_loaded_version = policydb.policyvers;
1804 write_unlock_irq(&policy_rwlock); 1833 write_unlock_irq(&policy_rwlock);
@@ -1806,6 +1835,7 @@ int security_load_policy(void *data, size_t len)
1806 /* Free the old policydb and SID table. */ 1835 /* Free the old policydb and SID table. */
1807 policydb_destroy(&oldpolicydb); 1836 policydb_destroy(&oldpolicydb);
1808 sidtab_destroy(&oldsidtab); 1837 sidtab_destroy(&oldsidtab);
1838 kfree(oldmap);
1809 1839
1810 avc_ss_reset(seqno); 1840 avc_ss_reset(seqno);
1811 selnl_notify_policyload(seqno); 1841 selnl_notify_policyload(seqno);
@@ -1815,6 +1845,7 @@ int security_load_policy(void *data, size_t len)
1815 return 0; 1845 return 0;
1816 1846
1817err: 1847err:
1848 kfree(map);
1818 sidtab_destroy(&newsidtab); 1849 sidtab_destroy(&newsidtab);
1819 policydb_destroy(&newpolicydb); 1850 policydb_destroy(&newpolicydb);
1820 return rc; 1851 return rc;
@@ -2091,7 +2122,7 @@ out_unlock:
2091 } 2122 }
2092 for (i = 0, j = 0; i < mynel; i++) { 2123 for (i = 0, j = 0; i < mynel; i++) {
2093 rc = avc_has_perm_noaudit(fromsid, mysids[i], 2124 rc = avc_has_perm_noaudit(fromsid, mysids[i],
2094 SECCLASS_PROCESS, 2125 SECCLASS_PROCESS, /* kernel value */
2095 PROCESS__TRANSITION, AVC_STRICT, 2126 PROCESS__TRANSITION, AVC_STRICT,
2096 NULL); 2127 NULL);
2097 if (!rc) 2128 if (!rc)
@@ -2119,10 +2150,11 @@ out:
2119 */ 2150 */
2120int security_genfs_sid(const char *fstype, 2151int security_genfs_sid(const char *fstype,
2121 char *path, 2152 char *path,
2122 u16 sclass, 2153 u16 orig_sclass,
2123 u32 *sid) 2154 u32 *sid)
2124{ 2155{
2125 int len; 2156 int len;
2157 u16 sclass;
2126 struct genfs *genfs; 2158 struct genfs *genfs;
2127 struct ocontext *c; 2159 struct ocontext *c;
2128 int rc = 0, cmp = 0; 2160 int rc = 0, cmp = 0;
@@ -2132,6 +2164,8 @@ int security_genfs_sid(const char *fstype,
2132 2164
2133 read_lock(&policy_rwlock); 2165 read_lock(&policy_rwlock);
2134 2166
2167 sclass = unmap_class(orig_sclass);
2168
2135 for (genfs = policydb.genfs; genfs; genfs = genfs->next) { 2169 for (genfs = policydb.genfs; genfs; genfs = genfs->next) {
2136 cmp = strcmp(fstype, genfs->fstype); 2170 cmp = strcmp(fstype, genfs->fstype);
2137 if (cmp <= 0) 2171 if (cmp <= 0)