aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux/ss/services.c
diff options
context:
space:
mode:
authorAndrea Bastoni <bastoni@cs.unc.edu>2010-05-30 19:16:45 -0400
committerAndrea Bastoni <bastoni@cs.unc.edu>2010-05-30 19:16:45 -0400
commitada47b5fe13d89735805b566185f4885f5a3f750 (patch)
tree644b88f8a71896307d71438e9b3af49126ffb22b /security/selinux/ss/services.c
parent43e98717ad40a4ae64545b5ba047c7b86aa44f4f (diff)
parent3280f21d43ee541f97f8cda5792150d2dbec20d5 (diff)
Merge branch 'wip-2.6.34' into old-private-masterarchived-private-master
Diffstat (limited to 'security/selinux/ss/services.c')
-rw-r--r--security/selinux/ss/services.c665
1 files changed, 360 insertions, 305 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index ff17820d35ec..cf27b3ee1a95 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -26,6 +26,10 @@
26 * 26 *
27 * Added support for bounds domain and audit messaged on masked permissions 27 * Added support for bounds domain and audit messaged on masked permissions
28 * 28 *
29 * Updated: Guido Trentalancia <guido@trentalancia.com>
30 *
31 * Added support for runtime switching of the policy type
32 *
29 * Copyright (C) 2008, 2009 NEC Corporation 33 * Copyright (C) 2008, 2009 NEC Corporation
30 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P. 34 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
31 * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc. 35 * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
@@ -65,16 +69,10 @@
65#include "audit.h" 69#include "audit.h"
66 70
67extern void selnl_notify_policyload(u32 seqno); 71extern void selnl_notify_policyload(u32 seqno);
68unsigned int policydb_loaded_version;
69 72
70int selinux_policycap_netpeer; 73int selinux_policycap_netpeer;
71int selinux_policycap_openperm; 74int selinux_policycap_openperm;
72 75
73/*
74 * This is declared in avc.c
75 */
76extern const struct selinux_class_perm selinux_class_perm;
77
78static DEFINE_RWLOCK(policy_rwlock); 76static DEFINE_RWLOCK(policy_rwlock);
79 77
80static struct sidtab sidtab; 78static struct sidtab sidtab;
@@ -93,11 +91,156 @@ static u32 latest_granting;
93static int context_struct_to_string(struct context *context, char **scontext, 91static int context_struct_to_string(struct context *context, char **scontext,
94 u32 *scontext_len); 92 u32 *scontext_len);
95 93
96static int context_struct_compute_av(struct context *scontext, 94static void context_struct_compute_av(struct context *scontext,
97 struct context *tcontext, 95 struct context *tcontext,
98 u16 tclass, 96 u16 tclass,
99 u32 requested, 97 struct av_decision *avd);
100 struct av_decision *avd); 98
99struct selinux_mapping {
100 u16 value; /* policy value */
101 unsigned num_perms;
102 u32 perms[sizeof(u32) * 8];
103};
104
105static struct selinux_mapping *current_mapping;
106static u16 current_mapping_size;
107
108static int selinux_set_mapping(struct policydb *pol,
109 struct security_class_mapping *map,
110 struct selinux_mapping **out_map_p,
111 u16 *out_map_size)
112{
113 struct selinux_mapping *out_map = NULL;
114 size_t size = sizeof(struct selinux_mapping);
115 u16 i, j;
116 unsigned k;
117 bool print_unknown_handle = false;
118
119 /* Find number of classes in the input mapping */
120 if (!map)
121 return -EINVAL;
122 i = 0;
123 while (map[i].name)
124 i++;
125
126 /* Allocate space for the class records, plus one for class zero */
127 out_map = kcalloc(++i, size, GFP_ATOMIC);
128 if (!out_map)
129 return -ENOMEM;
130
131 /* Store the raw class and permission values */
132 j = 0;
133 while (map[j].name) {
134 struct security_class_mapping *p_in = map + (j++);
135 struct selinux_mapping *p_out = out_map + j;
136
137 /* An empty class string skips ahead */
138 if (!strcmp(p_in->name, "")) {
139 p_out->num_perms = 0;
140 continue;
141 }
142
143 p_out->value = string_to_security_class(pol, p_in->name);
144 if (!p_out->value) {
145 printk(KERN_INFO
146 "SELinux: Class %s not defined in policy.\n",
147 p_in->name);
148 if (pol->reject_unknown)
149 goto err;
150 p_out->num_perms = 0;
151 print_unknown_handle = true;
152 continue;
153 }
154
155 k = 0;
156 while (p_in->perms && p_in->perms[k]) {
157 /* An empty permission string skips ahead */
158 if (!*p_in->perms[k]) {
159 k++;
160 continue;
161 }
162 p_out->perms[k] = string_to_av_perm(pol, p_out->value,
163 p_in->perms[k]);
164 if (!p_out->perms[k]) {
165 printk(KERN_INFO
166 "SELinux: Permission %s in class %s not defined in policy.\n",
167 p_in->perms[k], p_in->name);
168 if (pol->reject_unknown)
169 goto err;
170 print_unknown_handle = true;
171 }
172
173 k++;
174 }
175 p_out->num_perms = k;
176 }
177
178 if (print_unknown_handle)
179 printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
180 pol->allow_unknown ? "allowed" : "denied");
181
182 *out_map_p = out_map;
183 *out_map_size = i;
184 return 0;
185err:
186 kfree(out_map);
187 return -EINVAL;
188}
189
190/*
191 * Get real, policy values from mapped values
192 */
193
194static u16 unmap_class(u16 tclass)
195{
196 if (tclass < current_mapping_size)
197 return current_mapping[tclass].value;
198
199 return tclass;
200}
201
202static void map_decision(u16 tclass, struct av_decision *avd,
203 int allow_unknown)
204{
205 if (tclass < current_mapping_size) {
206 unsigned i, n = current_mapping[tclass].num_perms;
207 u32 result;
208
209 for (i = 0, result = 0; i < n; i++) {
210 if (avd->allowed & current_mapping[tclass].perms[i])
211 result |= 1<<i;
212 if (allow_unknown && !current_mapping[tclass].perms[i])
213 result |= 1<<i;
214 }
215 avd->allowed = result;
216
217 for (i = 0, result = 0; i < n; i++)
218 if (avd->auditallow & current_mapping[tclass].perms[i])
219 result |= 1<<i;
220 avd->auditallow = result;
221
222 for (i = 0, result = 0; i < n; i++) {
223 if (avd->auditdeny & current_mapping[tclass].perms[i])
224 result |= 1<<i;
225 if (!allow_unknown && !current_mapping[tclass].perms[i])
226 result |= 1<<i;
227 }
228 /*
229 * In case the kernel has a bug and requests a permission
230 * between num_perms and the maximum permission number, we
231 * should audit that denial
232 */
233 for (; i < (sizeof(u32)*8); i++)
234 result |= 1<<i;
235 avd->auditdeny = result;
236 }
237}
238
239int security_mls_enabled(void)
240{
241 return policydb.mls_enabled;
242}
243
101/* 244/*
102 * Return the boolean value of a constraint expression 245 * Return the boolean value of a constraint expression
103 * when it is applied to the specified source and target 246 * when it is applied to the specified source and target
@@ -312,7 +455,8 @@ static void security_dump_masked_av(struct context *scontext,
312 char *scontext_name = NULL; 455 char *scontext_name = NULL;
313 char *tcontext_name = NULL; 456 char *tcontext_name = NULL;
314 char *permission_names[32]; 457 char *permission_names[32];
315 int index, length; 458 int index;
459 u32 length;
316 bool need_comma = false; 460 bool need_comma = false;
317 461
318 if (!permissions) 462 if (!permissions)
@@ -379,7 +523,6 @@ out:
379static void type_attribute_bounds_av(struct context *scontext, 523static void type_attribute_bounds_av(struct context *scontext,
380 struct context *tcontext, 524 struct context *tcontext,
381 u16 tclass, 525 u16 tclass,
382 u32 requested,
383 struct av_decision *avd) 526 struct av_decision *avd)
384{ 527{
385 struct context lo_scontext; 528 struct context lo_scontext;
@@ -400,7 +543,6 @@ static void type_attribute_bounds_av(struct context *scontext,
400 context_struct_compute_av(&lo_scontext, 543 context_struct_compute_av(&lo_scontext,
401 tcontext, 544 tcontext,
402 tclass, 545 tclass,
403 requested,
404 &lo_avd); 546 &lo_avd);
405 if ((lo_avd.allowed & avd->allowed) == avd->allowed) 547 if ((lo_avd.allowed & avd->allowed) == avd->allowed)
406 return; /* no masked permission */ 548 return; /* no masked permission */
@@ -416,7 +558,6 @@ static void type_attribute_bounds_av(struct context *scontext,
416 context_struct_compute_av(scontext, 558 context_struct_compute_av(scontext,
417 &lo_tcontext, 559 &lo_tcontext,
418 tclass, 560 tclass,
419 requested,
420 &lo_avd); 561 &lo_avd);
421 if ((lo_avd.allowed & avd->allowed) == avd->allowed) 562 if ((lo_avd.allowed & avd->allowed) == avd->allowed)
422 return; /* no masked permission */ 563 return; /* no masked permission */
@@ -433,7 +574,6 @@ static void type_attribute_bounds_av(struct context *scontext,
433 context_struct_compute_av(&lo_scontext, 574 context_struct_compute_av(&lo_scontext,
434 &lo_tcontext, 575 &lo_tcontext,
435 tclass, 576 tclass,
436 requested,
437 &lo_avd); 577 &lo_avd);
438 if ((lo_avd.allowed & avd->allowed) == avd->allowed) 578 if ((lo_avd.allowed & avd->allowed) == avd->allowed)
439 return; /* no masked permission */ 579 return; /* no masked permission */
@@ -454,11 +594,10 @@ static void type_attribute_bounds_av(struct context *scontext,
454 * Compute access vectors based on a context structure pair for 594 * Compute access vectors based on a context structure pair for
455 * the permissions in a particular class. 595 * the permissions in a particular class.
456 */ 596 */
457static int context_struct_compute_av(struct context *scontext, 597static void context_struct_compute_av(struct context *scontext,
458 struct context *tcontext, 598 struct context *tcontext,
459 u16 tclass, 599 u16 tclass,
460 u32 requested, 600 struct av_decision *avd)
461 struct av_decision *avd)
462{ 601{
463 struct constraint_node *constraint; 602 struct constraint_node *constraint;
464 struct role_allow *ra; 603 struct role_allow *ra;
@@ -467,56 +606,17 @@ static int context_struct_compute_av(struct context *scontext,
467 struct class_datum *tclass_datum; 606 struct class_datum *tclass_datum;
468 struct ebitmap *sattr, *tattr; 607 struct ebitmap *sattr, *tattr;
469 struct ebitmap_node *snode, *tnode; 608 struct ebitmap_node *snode, *tnode;
470 const struct selinux_class_perm *kdefs = &selinux_class_perm;
471 unsigned int i, j; 609 unsigned int i, j;
472 610
473 /*
474 * Remap extended Netlink classes for old policy versions.
475 * Do this here rather than socket_type_to_security_class()
476 * in case a newer policy version is loaded, allowing sockets
477 * to remain in the correct class.
478 */
479 if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
480 if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&
481 tclass <= SECCLASS_NETLINK_DNRT_SOCKET)
482 tclass = SECCLASS_NETLINK_SOCKET;
483
484 /*
485 * Initialize the access vectors to the default values.
486 */
487 avd->allowed = 0; 611 avd->allowed = 0;
488 avd->auditallow = 0; 612 avd->auditallow = 0;
489 avd->auditdeny = 0xffffffff; 613 avd->auditdeny = 0xffffffff;
490 avd->seqno = latest_granting;
491 avd->flags = 0;
492 614
493 /* 615 if (unlikely(!tclass || tclass > policydb.p_classes.nprim)) {
494 * Check for all the invalid cases. 616 if (printk_ratelimit())
495 * - tclass 0 617 printk(KERN_WARNING "SELinux: Invalid class %hu\n", tclass);
496 * - tclass > policy and > kernel 618 return;
497 * - tclass > policy but is a userspace class 619 }
498 * - tclass > policy but we do not allow unknowns
499 */
500 if (unlikely(!tclass))
501 goto inval_class;
502 if (unlikely(tclass > policydb.p_classes.nprim))
503 if (tclass > kdefs->cts_len ||
504 !kdefs->class_to_string[tclass] ||
505 !policydb.allow_unknown)
506 goto inval_class;
507
508 /*
509 * Kernel class and we allow unknown so pad the allow decision
510 * the pad will be all 1 for unknown classes.
511 */
512 if (tclass <= kdefs->cts_len && policydb.allow_unknown)
513 avd->allowed = policydb.undefined_perms[tclass - 1];
514
515 /*
516 * Not in policy. Since decision is completed (all 1 or all 0) return.
517 */
518 if (unlikely(tclass > policydb.p_classes.nprim))
519 return 0;
520 620
521 tclass_datum = policydb.class_val_to_struct[tclass - 1]; 621 tclass_datum = policydb.class_val_to_struct[tclass - 1];
522 622
@@ -568,8 +668,8 @@ static int context_struct_compute_av(struct context *scontext,
568 * role is changing, then check the (current_role, new_role) 668 * role is changing, then check the (current_role, new_role)
569 * pair. 669 * pair.
570 */ 670 */
571 if (tclass == SECCLASS_PROCESS && 671 if (tclass == policydb.process_class &&
572 (avd->allowed & (PROCESS__TRANSITION | PROCESS__DYNTRANSITION)) && 672 (avd->allowed & policydb.process_trans_perms) &&
573 scontext->role != tcontext->role) { 673 scontext->role != tcontext->role) {
574 for (ra = policydb.role_allow; ra; ra = ra->next) { 674 for (ra = policydb.role_allow; ra; ra = ra->next) {
575 if (scontext->role == ra->role && 675 if (scontext->role == ra->role &&
@@ -577,8 +677,7 @@ static int context_struct_compute_av(struct context *scontext,
577 break; 677 break;
578 } 678 }
579 if (!ra) 679 if (!ra)
580 avd->allowed &= ~(PROCESS__TRANSITION | 680 avd->allowed &= ~policydb.process_trans_perms;
581 PROCESS__DYNTRANSITION);
582 } 681 }
583 682
584 /* 683 /*
@@ -587,24 +686,7 @@ static int context_struct_compute_av(struct context *scontext,
587 * permission and notice it to userspace via audit. 686 * permission and notice it to userspace via audit.
588 */ 687 */
589 type_attribute_bounds_av(scontext, tcontext, 688 type_attribute_bounds_av(scontext, tcontext,
590 tclass, requested, avd); 689 tclass, avd);
591
592 return 0;
593
594inval_class:
595 if (!tclass || tclass > kdefs->cts_len ||
596 !kdefs->class_to_string[tclass]) {
597 if (printk_ratelimit())
598 printk(KERN_ERR "SELinux: %s: unrecognized class %d\n",
599 __func__, tclass);
600 return -EINVAL;
601 }
602
603 /*
604 * Known to the kernel, but not to the policy.
605 * Handle as a denial (allowed is 0).
606 */
607 return 0;
608} 690}
609 691
610static int security_validtrans_handle_fail(struct context *ocontext, 692static int security_validtrans_handle_fail(struct context *ocontext,
@@ -636,13 +718,14 @@ out:
636} 718}
637 719
638int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, 720int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
639 u16 tclass) 721 u16 orig_tclass)
640{ 722{
641 struct context *ocontext; 723 struct context *ocontext;
642 struct context *ncontext; 724 struct context *ncontext;
643 struct context *tcontext; 725 struct context *tcontext;
644 struct class_datum *tclass_datum; 726 struct class_datum *tclass_datum;
645 struct constraint_node *constraint; 727 struct constraint_node *constraint;
728 u16 tclass;
646 int rc = 0; 729 int rc = 0;
647 730
648 if (!ss_initialized) 731 if (!ss_initialized)
@@ -650,16 +733,7 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
650 733
651 read_lock(&policy_rwlock); 734 read_lock(&policy_rwlock);
652 735
653 /* 736 tclass = unmap_class(orig_tclass);
654 * Remap extended Netlink classes for old policy versions.
655 * Do this here rather than socket_type_to_security_class()
656 * in case a newer policy version is loaded, allowing sockets
657 * to remain in the correct class.
658 */
659 if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
660 if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&
661 tclass <= SECCLASS_NETLINK_DNRT_SOCKET)
662 tclass = SECCLASS_NETLINK_SOCKET;
663 737
664 if (!tclass || tclass > policydb.p_classes.nprim) { 738 if (!tclass || tclass > policydb.p_classes.nprim) {
665 printk(KERN_ERR "SELinux: %s: unrecognized class %d\n", 739 printk(KERN_ERR "SELinux: %s: unrecognized class %d\n",
@@ -741,7 +815,7 @@ int security_bounded_transition(u32 old_sid, u32 new_sid)
741 goto out; 815 goto out;
742 } 816 }
743 817
744 /* type/domain unchaned */ 818 /* type/domain unchanged */
745 if (old_context->type == new_context->type) { 819 if (old_context->type == new_context->type) {
746 rc = 0; 820 rc = 0;
747 goto out; 821 goto out;
@@ -769,7 +843,7 @@ int security_bounded_transition(u32 old_sid, u32 new_sid)
769 if (rc) { 843 if (rc) {
770 char *old_name = NULL; 844 char *old_name = NULL;
771 char *new_name = NULL; 845 char *new_name = NULL;
772 int length; 846 u32 length;
773 847
774 if (!context_struct_to_string(old_context, 848 if (!context_struct_to_string(old_context,
775 &old_name, &length) && 849 &old_name, &length) &&
@@ -791,63 +865,116 @@ out:
791 return rc; 865 return rc;
792} 866}
793 867
868static void avd_init(struct av_decision *avd)
869{
870 avd->allowed = 0;
871 avd->auditallow = 0;
872 avd->auditdeny = 0xffffffff;
873 avd->seqno = latest_granting;
874 avd->flags = 0;
875}
876
794 877
795/** 878/**
796 * security_compute_av - Compute access vector decisions. 879 * security_compute_av - Compute access vector decisions.
797 * @ssid: source security identifier 880 * @ssid: source security identifier
798 * @tsid: target security identifier 881 * @tsid: target security identifier
799 * @tclass: target security class 882 * @tclass: target security class
800 * @requested: requested permissions
801 * @avd: access vector decisions 883 * @avd: access vector decisions
802 * 884 *
803 * Compute a set of access vector decisions based on the 885 * Compute a set of access vector decisions based on the
804 * SID pair (@ssid, @tsid) for the permissions in @tclass. 886 * SID pair (@ssid, @tsid) for the permissions in @tclass.
805 * Return -%EINVAL if any of the parameters are invalid or %0
806 * if the access vector decisions were computed successfully.
807 */ 887 */
808int security_compute_av(u32 ssid, 888void security_compute_av(u32 ssid,
809 u32 tsid, 889 u32 tsid,
810 u16 tclass, 890 u16 orig_tclass,
811 u32 requested, 891 struct av_decision *avd)
812 struct av_decision *avd)
813{ 892{
893 u16 tclass;
814 struct context *scontext = NULL, *tcontext = NULL; 894 struct context *scontext = NULL, *tcontext = NULL;
815 int rc = 0;
816
817 if (!ss_initialized) {
818 avd->allowed = 0xffffffff;
819 avd->auditallow = 0;
820 avd->auditdeny = 0xffffffff;
821 avd->seqno = latest_granting;
822 return 0;
823 }
824 895
825 read_lock(&policy_rwlock); 896 read_lock(&policy_rwlock);
897 avd_init(avd);
898 if (!ss_initialized)
899 goto allow;
826 900
827 scontext = sidtab_search(&sidtab, ssid); 901 scontext = sidtab_search(&sidtab, ssid);
828 if (!scontext) { 902 if (!scontext) {
829 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 903 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
830 __func__, ssid); 904 __func__, ssid);
831 rc = -EINVAL;
832 goto out; 905 goto out;
833 } 906 }
907
908 /* permissive domain? */
909 if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
910 avd->flags |= AVD_FLAGS_PERMISSIVE;
911
834 tcontext = sidtab_search(&sidtab, tsid); 912 tcontext = sidtab_search(&sidtab, tsid);
835 if (!tcontext) { 913 if (!tcontext) {
836 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 914 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
837 __func__, tsid); 915 __func__, tsid);
838 rc = -EINVAL;
839 goto out; 916 goto out;
840 } 917 }
841 918
842 rc = context_struct_compute_av(scontext, tcontext, tclass, 919 tclass = unmap_class(orig_tclass);
843 requested, avd); 920 if (unlikely(orig_tclass && !tclass)) {
921 if (policydb.allow_unknown)
922 goto allow;
923 goto out;
924 }
925 context_struct_compute_av(scontext, tcontext, tclass, avd);
926 map_decision(orig_tclass, avd, policydb.allow_unknown);
927out:
928 read_unlock(&policy_rwlock);
929 return;
930allow:
931 avd->allowed = 0xffffffff;
932 goto out;
933}
934
935void security_compute_av_user(u32 ssid,
936 u32 tsid,
937 u16 tclass,
938 struct av_decision *avd)
939{
940 struct context *scontext = NULL, *tcontext = NULL;
941
942 read_lock(&policy_rwlock);
943 avd_init(avd);
944 if (!ss_initialized)
945 goto allow;
946
947 scontext = sidtab_search(&sidtab, ssid);
948 if (!scontext) {
949 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
950 __func__, ssid);
951 goto out;
952 }
844 953
845 /* permissive domain? */ 954 /* permissive domain? */
846 if (ebitmap_get_bit(&policydb.permissive_map, scontext->type)) 955 if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
847 avd->flags |= AVD_FLAGS_PERMISSIVE; 956 avd->flags |= AVD_FLAGS_PERMISSIVE;
848out: 957
958 tcontext = sidtab_search(&sidtab, tsid);
959 if (!tcontext) {
960 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
961 __func__, tsid);
962 goto out;
963 }
964
965 if (unlikely(!tclass)) {
966 if (policydb.allow_unknown)
967 goto allow;
968 goto out;
969 }
970
971 context_struct_compute_av(scontext, tcontext, tclass, avd);
972 out:
849 read_unlock(&policy_rwlock); 973 read_unlock(&policy_rwlock);
850 return rc; 974 return;
975allow:
976 avd->allowed = 0xffffffff;
977 goto out;
851} 978}
852 979
853/* 980/*
@@ -1204,20 +1331,22 @@ out:
1204 1331
1205static int security_compute_sid(u32 ssid, 1332static int security_compute_sid(u32 ssid,
1206 u32 tsid, 1333 u32 tsid,
1207 u16 tclass, 1334 u16 orig_tclass,
1208 u32 specified, 1335 u32 specified,
1209 u32 *out_sid) 1336 u32 *out_sid,
1337 bool kern)
1210{ 1338{
1211 struct context *scontext = NULL, *tcontext = NULL, newcontext; 1339 struct context *scontext = NULL, *tcontext = NULL, newcontext;
1212 struct role_trans *roletr = NULL; 1340 struct role_trans *roletr = NULL;
1213 struct avtab_key avkey; 1341 struct avtab_key avkey;
1214 struct avtab_datum *avdatum; 1342 struct avtab_datum *avdatum;
1215 struct avtab_node *node; 1343 struct avtab_node *node;
1344 u16 tclass;
1216 int rc = 0; 1345 int rc = 0;
1217 1346
1218 if (!ss_initialized) { 1347 if (!ss_initialized) {
1219 switch (tclass) { 1348 switch (orig_tclass) {
1220 case SECCLASS_PROCESS: 1349 case SECCLASS_PROCESS: /* kernel value */
1221 *out_sid = ssid; 1350 *out_sid = ssid;
1222 break; 1351 break;
1223 default: 1352 default:
@@ -1231,6 +1360,11 @@ static int security_compute_sid(u32 ssid,
1231 1360
1232 read_lock(&policy_rwlock); 1361 read_lock(&policy_rwlock);
1233 1362
1363 if (kern)
1364 tclass = unmap_class(orig_tclass);
1365 else
1366 tclass = orig_tclass;
1367
1234 scontext = sidtab_search(&sidtab, ssid); 1368 scontext = sidtab_search(&sidtab, ssid);
1235 if (!scontext) { 1369 if (!scontext) {
1236 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 1370 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
@@ -1260,13 +1394,11 @@ static int security_compute_sid(u32 ssid,
1260 } 1394 }
1261 1395
1262 /* Set the role and type to default values. */ 1396 /* Set the role and type to default values. */
1263 switch (tclass) { 1397 if (tclass == policydb.process_class) {
1264 case SECCLASS_PROCESS:
1265 /* Use the current role and type of process. */ 1398 /* Use the current role and type of process. */
1266 newcontext.role = scontext->role; 1399 newcontext.role = scontext->role;
1267 newcontext.type = scontext->type; 1400 newcontext.type = scontext->type;
1268 break; 1401 } else {
1269 default:
1270 /* Use the well-defined object role. */ 1402 /* Use the well-defined object role. */
1271 newcontext.role = OBJECT_R_VAL; 1403 newcontext.role = OBJECT_R_VAL;
1272 /* Use the type of the related object. */ 1404 /* Use the type of the related object. */
@@ -1297,8 +1429,7 @@ static int security_compute_sid(u32 ssid,
1297 } 1429 }
1298 1430
1299 /* Check for class-specific changes. */ 1431 /* Check for class-specific changes. */
1300 switch (tclass) { 1432 if (tclass == policydb.process_class) {
1301 case SECCLASS_PROCESS:
1302 if (specified & AVTAB_TRANSITION) { 1433 if (specified & AVTAB_TRANSITION) {
1303 /* Look for a role transition rule. */ 1434 /* Look for a role transition rule. */
1304 for (roletr = policydb.role_tr; roletr; 1435 for (roletr = policydb.role_tr; roletr;
@@ -1311,9 +1442,6 @@ static int security_compute_sid(u32 ssid,
1311 } 1442 }
1312 } 1443 }
1313 } 1444 }
1314 break;
1315 default:
1316 break;
1317 } 1445 }
1318 1446
1319 /* Set the MLS attributes. 1447 /* Set the MLS attributes.
@@ -1358,7 +1486,17 @@ int security_transition_sid(u32 ssid,
1358 u16 tclass, 1486 u16 tclass,
1359 u32 *out_sid) 1487 u32 *out_sid)
1360{ 1488{
1361 return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, out_sid); 1489 return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
1490 out_sid, true);
1491}
1492
1493int security_transition_sid_user(u32 ssid,
1494 u32 tsid,
1495 u16 tclass,
1496 u32 *out_sid)
1497{
1498 return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
1499 out_sid, false);
1362} 1500}
1363 1501
1364/** 1502/**
@@ -1379,7 +1517,8 @@ int security_member_sid(u32 ssid,
1379 u16 tclass, 1517 u16 tclass,
1380 u32 *out_sid) 1518 u32 *out_sid)
1381{ 1519{
1382 return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid); 1520 return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid,
1521 false);
1383} 1522}
1384 1523
1385/** 1524/**
@@ -1400,144 +1539,8 @@ int security_change_sid(u32 ssid,
1400 u16 tclass, 1539 u16 tclass,
1401 u32 *out_sid) 1540 u32 *out_sid)
1402{ 1541{
1403 return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid); 1542 return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid,
1404} 1543 false);
1405
1406/*
1407 * Verify that each kernel class that is defined in the
1408 * policy is correct
1409 */
1410static int validate_classes(struct policydb *p)
1411{
1412 int i, j;
1413 struct class_datum *cladatum;
1414 struct perm_datum *perdatum;
1415 u32 nprim, tmp, common_pts_len, perm_val, pol_val;
1416 u16 class_val;
1417 const struct selinux_class_perm *kdefs = &selinux_class_perm;
1418 const char *def_class, *def_perm, *pol_class;
1419 struct symtab *perms;
1420 bool print_unknown_handle = 0;
1421
1422 if (p->allow_unknown) {
1423 u32 num_classes = kdefs->cts_len;
1424 p->undefined_perms = kcalloc(num_classes, sizeof(u32), GFP_KERNEL);
1425 if (!p->undefined_perms)
1426 return -ENOMEM;
1427 }
1428
1429 for (i = 1; i < kdefs->cts_len; i++) {
1430 def_class = kdefs->class_to_string[i];
1431 if (!def_class)
1432 continue;
1433 if (i > p->p_classes.nprim) {
1434 printk(KERN_INFO
1435 "SELinux: class %s not defined in policy\n",
1436 def_class);
1437 if (p->reject_unknown)
1438 return -EINVAL;
1439 if (p->allow_unknown)
1440 p->undefined_perms[i-1] = ~0U;
1441 print_unknown_handle = 1;
1442 continue;
1443 }
1444 pol_class = p->p_class_val_to_name[i-1];
1445 if (strcmp(pol_class, def_class)) {
1446 printk(KERN_ERR
1447 "SELinux: class %d is incorrect, found %s but should be %s\n",
1448 i, pol_class, def_class);
1449 return -EINVAL;
1450 }
1451 }
1452 for (i = 0; i < kdefs->av_pts_len; i++) {
1453 class_val = kdefs->av_perm_to_string[i].tclass;
1454 perm_val = kdefs->av_perm_to_string[i].value;
1455 def_perm = kdefs->av_perm_to_string[i].name;
1456 if (class_val > p->p_classes.nprim)
1457 continue;
1458 pol_class = p->p_class_val_to_name[class_val-1];
1459 cladatum = hashtab_search(p->p_classes.table, pol_class);
1460 BUG_ON(!cladatum);
1461 perms = &cladatum->permissions;
1462 nprim = 1 << (perms->nprim - 1);
1463 if (perm_val > nprim) {
1464 printk(KERN_INFO
1465 "SELinux: permission %s in class %s not defined in policy\n",
1466 def_perm, pol_class);
1467 if (p->reject_unknown)
1468 return -EINVAL;
1469 if (p->allow_unknown)
1470 p->undefined_perms[class_val-1] |= perm_val;
1471 print_unknown_handle = 1;
1472 continue;
1473 }
1474 perdatum = hashtab_search(perms->table, def_perm);
1475 if (perdatum == NULL) {
1476 printk(KERN_ERR
1477 "SELinux: permission %s in class %s not found in policy, bad policy\n",
1478 def_perm, pol_class);
1479 return -EINVAL;
1480 }
1481 pol_val = 1 << (perdatum->value - 1);
1482 if (pol_val != perm_val) {
1483 printk(KERN_ERR
1484 "SELinux: permission %s in class %s has incorrect value\n",
1485 def_perm, pol_class);
1486 return -EINVAL;
1487 }
1488 }
1489 for (i = 0; i < kdefs->av_inherit_len; i++) {
1490 class_val = kdefs->av_inherit[i].tclass;
1491 if (class_val > p->p_classes.nprim)
1492 continue;
1493 pol_class = p->p_class_val_to_name[class_val-1];
1494 cladatum = hashtab_search(p->p_classes.table, pol_class);
1495 BUG_ON(!cladatum);
1496 if (!cladatum->comdatum) {
1497 printk(KERN_ERR
1498 "SELinux: class %s should have an inherits clause but does not\n",
1499 pol_class);
1500 return -EINVAL;
1501 }
1502 tmp = kdefs->av_inherit[i].common_base;
1503 common_pts_len = 0;
1504 while (!(tmp & 0x01)) {
1505 common_pts_len++;
1506 tmp >>= 1;
1507 }
1508 perms = &cladatum->comdatum->permissions;
1509 for (j = 0; j < common_pts_len; j++) {
1510 def_perm = kdefs->av_inherit[i].common_pts[j];
1511 if (j >= perms->nprim) {
1512 printk(KERN_INFO
1513 "SELinux: permission %s in class %s not defined in policy\n",
1514 def_perm, pol_class);
1515 if (p->reject_unknown)
1516 return -EINVAL;
1517 if (p->allow_unknown)
1518 p->undefined_perms[class_val-1] |= (1 << j);
1519 print_unknown_handle = 1;
1520 continue;
1521 }
1522 perdatum = hashtab_search(perms->table, def_perm);
1523 if (perdatum == NULL) {
1524 printk(KERN_ERR
1525 "SELinux: permission %s in class %s not found in policy, bad policy\n",
1526 def_perm, pol_class);
1527 return -EINVAL;
1528 }
1529 if (perdatum->value != j + 1) {
1530 printk(KERN_ERR
1531 "SELinux: permission %s in class %s has incorrect value\n",
1532 def_perm, pol_class);
1533 return -EINVAL;
1534 }
1535 }
1536 }
1537 if (print_unknown_handle)
1538 printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
1539 (security_get_allow_unknown() ? "allowed" : "denied"));
1540 return 0;
1541} 1544}
1542 1545
1543/* Clone the SID into the new SID table. */ 1546/* Clone the SID into the new SID table. */
@@ -1547,7 +1550,10 @@ static int clone_sid(u32 sid,
1547{ 1550{
1548 struct sidtab *s = arg; 1551 struct sidtab *s = arg;
1549 1552
1550 return sidtab_insert(s, sid, context); 1553 if (sid > SECINITSID_NUM)
1554 return sidtab_insert(s, sid, context);
1555 else
1556 return 0;
1551} 1557}
1552 1558
1553static inline int convert_context_handle_invalid_context(struct context *context) 1559static inline int convert_context_handle_invalid_context(struct context *context)
@@ -1588,12 +1594,17 @@ static int convert_context(u32 key,
1588{ 1594{
1589 struct convert_context_args *args; 1595 struct convert_context_args *args;
1590 struct context oldc; 1596 struct context oldc;
1597 struct ocontext *oc;
1598 struct mls_range *range;
1591 struct role_datum *role; 1599 struct role_datum *role;
1592 struct type_datum *typdatum; 1600 struct type_datum *typdatum;
1593 struct user_datum *usrdatum; 1601 struct user_datum *usrdatum;
1594 char *s; 1602 char *s;
1595 u32 len; 1603 u32 len;
1596 int rc; 1604 int rc = 0;
1605
1606 if (key <= SECINITSID_NUM)
1607 goto out;
1597 1608
1598 args = p; 1609 args = p;
1599 1610
@@ -1655,9 +1666,39 @@ static int convert_context(u32 key,
1655 goto bad; 1666 goto bad;
1656 c->type = typdatum->value; 1667 c->type = typdatum->value;
1657 1668
1658 rc = mls_convert_context(args->oldp, args->newp, c); 1669 /* Convert the MLS fields if dealing with MLS policies */
1659 if (rc) 1670 if (args->oldp->mls_enabled && args->newp->mls_enabled) {
1660 goto bad; 1671 rc = mls_convert_context(args->oldp, args->newp, c);
1672 if (rc)
1673 goto bad;
1674 } else if (args->oldp->mls_enabled && !args->newp->mls_enabled) {
1675 /*
1676 * Switching between MLS and non-MLS policy:
1677 * free any storage used by the MLS fields in the
1678 * context for all existing entries in the sidtab.
1679 */
1680 mls_context_destroy(c);
1681 } else if (!args->oldp->mls_enabled && args->newp->mls_enabled) {
1682 /*
1683 * Switching between non-MLS and MLS policy:
1684 * ensure that the MLS fields of the context for all
1685 * existing entries in the sidtab are filled in with a
1686 * suitable default value, likely taken from one of the
1687 * initial SIDs.
1688 */
1689 oc = args->newp->ocontexts[OCON_ISID];
1690 while (oc && oc->sid[0] != SECINITSID_UNLABELED)
1691 oc = oc->next;
1692 if (!oc) {
1693 printk(KERN_ERR "SELinux: unable to look up"
1694 " the initial SIDs list\n");
1695 goto bad;
1696 }
1697 range = &oc->context[0].range;
1698 rc = mls_range_set(c, range);
1699 if (rc)
1700 goto bad;
1701 }
1661 1702
1662 /* Check the validity of the new context. */ 1703 /* Check the validity of the new context. */
1663 if (!policydb_context_isvalid(args->newp, c)) { 1704 if (!policydb_context_isvalid(args->newp, c)) {
@@ -1710,8 +1751,10 @@ int security_load_policy(void *data, size_t len)
1710{ 1751{
1711 struct policydb oldpolicydb, newpolicydb; 1752 struct policydb oldpolicydb, newpolicydb;
1712 struct sidtab oldsidtab, newsidtab; 1753 struct sidtab oldsidtab, newsidtab;
1754 struct selinux_mapping *oldmap, *map = NULL;
1713 struct convert_context_args args; 1755 struct convert_context_args args;
1714 u32 seqno; 1756 u32 seqno;
1757 u16 map_size;
1715 int rc = 0; 1758 int rc = 0;
1716 struct policy_file file = { data, len }, *fp = &file; 1759 struct policy_file file = { data, len }, *fp = &file;
1717 1760
@@ -1721,22 +1764,19 @@ int security_load_policy(void *data, size_t len)
1721 avtab_cache_destroy(); 1764 avtab_cache_destroy();
1722 return -EINVAL; 1765 return -EINVAL;
1723 } 1766 }
1724 if (policydb_load_isids(&policydb, &sidtab)) { 1767 if (selinux_set_mapping(&policydb, secclass_map,
1768 &current_mapping,
1769 &current_mapping_size)) {
1725 policydb_destroy(&policydb); 1770 policydb_destroy(&policydb);
1726 avtab_cache_destroy(); 1771 avtab_cache_destroy();
1727 return -EINVAL; 1772 return -EINVAL;
1728 } 1773 }
1729 /* Verify that the kernel defined classes are correct. */ 1774 if (policydb_load_isids(&policydb, &sidtab)) {
1730 if (validate_classes(&policydb)) {
1731 printk(KERN_ERR
1732 "SELinux: the definition of a class is incorrect\n");
1733 sidtab_destroy(&sidtab);
1734 policydb_destroy(&policydb); 1775 policydb_destroy(&policydb);
1735 avtab_cache_destroy(); 1776 avtab_cache_destroy();
1736 return -EINVAL; 1777 return -EINVAL;
1737 } 1778 }
1738 security_load_policycaps(); 1779 security_load_policycaps();
1739 policydb_loaded_version = policydb.policyvers;
1740 ss_initialized = 1; 1780 ss_initialized = 1;
1741 seqno = ++latest_granting; 1781 seqno = ++latest_granting;
1742 selinux_complete_init(); 1782 selinux_complete_init();
@@ -1754,18 +1794,22 @@ int security_load_policy(void *data, size_t len)
1754 if (policydb_read(&newpolicydb, fp)) 1794 if (policydb_read(&newpolicydb, fp))
1755 return -EINVAL; 1795 return -EINVAL;
1756 1796
1757 if (sidtab_init(&newsidtab)) { 1797 /* If switching between different policy types, log MLS status */
1798 if (policydb.mls_enabled && !newpolicydb.mls_enabled)
1799 printk(KERN_INFO "SELinux: Disabling MLS support...\n");
1800 else if (!policydb.mls_enabled && newpolicydb.mls_enabled)
1801 printk(KERN_INFO "SELinux: Enabling MLS support...\n");
1802
1803 rc = policydb_load_isids(&newpolicydb, &newsidtab);
1804 if (rc) {
1805 printk(KERN_ERR "SELinux: unable to load the initial SIDs\n");
1758 policydb_destroy(&newpolicydb); 1806 policydb_destroy(&newpolicydb);
1759 return -ENOMEM; 1807 return rc;
1760 } 1808 }
1761 1809
1762 /* Verify that the kernel defined classes are correct. */ 1810 if (selinux_set_mapping(&newpolicydb, secclass_map,
1763 if (validate_classes(&newpolicydb)) { 1811 &map, &map_size))
1764 printk(KERN_ERR
1765 "SELinux: the definition of a class is incorrect\n");
1766 rc = -EINVAL;
1767 goto err; 1812 goto err;
1768 }
1769 1813
1770 rc = security_preserve_bools(&newpolicydb); 1814 rc = security_preserve_bools(&newpolicydb);
1771 if (rc) { 1815 if (rc) {
@@ -1787,8 +1831,12 @@ int security_load_policy(void *data, size_t len)
1787 args.oldp = &policydb; 1831 args.oldp = &policydb;
1788 args.newp = &newpolicydb; 1832 args.newp = &newpolicydb;
1789 rc = sidtab_map(&newsidtab, convert_context, &args); 1833 rc = sidtab_map(&newsidtab, convert_context, &args);
1790 if (rc) 1834 if (rc) {
1835 printk(KERN_ERR "SELinux: unable to convert the internal"
1836 " representation of contexts in the new SID"
1837 " table\n");
1791 goto err; 1838 goto err;
1839 }
1792 1840
1793 /* Save the old policydb and SID table to free later. */ 1841 /* Save the old policydb and SID table to free later. */
1794 memcpy(&oldpolicydb, &policydb, sizeof policydb); 1842 memcpy(&oldpolicydb, &policydb, sizeof policydb);
@@ -1799,13 +1847,16 @@ int security_load_policy(void *data, size_t len)
1799 memcpy(&policydb, &newpolicydb, sizeof policydb); 1847 memcpy(&policydb, &newpolicydb, sizeof policydb);
1800 sidtab_set(&sidtab, &newsidtab); 1848 sidtab_set(&sidtab, &newsidtab);
1801 security_load_policycaps(); 1849 security_load_policycaps();
1850 oldmap = current_mapping;
1851 current_mapping = map;
1852 current_mapping_size = map_size;
1802 seqno = ++latest_granting; 1853 seqno = ++latest_granting;
1803 policydb_loaded_version = policydb.policyvers;
1804 write_unlock_irq(&policy_rwlock); 1854 write_unlock_irq(&policy_rwlock);
1805 1855
1806 /* Free the old policydb and SID table. */ 1856 /* Free the old policydb and SID table. */
1807 policydb_destroy(&oldpolicydb); 1857 policydb_destroy(&oldpolicydb);
1808 sidtab_destroy(&oldsidtab); 1858 sidtab_destroy(&oldsidtab);
1859 kfree(oldmap);
1809 1860
1810 avc_ss_reset(seqno); 1861 avc_ss_reset(seqno);
1811 selnl_notify_policyload(seqno); 1862 selnl_notify_policyload(seqno);
@@ -1815,6 +1866,7 @@ int security_load_policy(void *data, size_t len)
1815 return 0; 1866 return 0;
1816 1867
1817err: 1868err:
1869 kfree(map);
1818 sidtab_destroy(&newsidtab); 1870 sidtab_destroy(&newsidtab);
1819 policydb_destroy(&newpolicydb); 1871 policydb_destroy(&newpolicydb);
1820 return rc; 1872 return rc;
@@ -2091,7 +2143,7 @@ out_unlock:
2091 } 2143 }
2092 for (i = 0, j = 0; i < mynel; i++) { 2144 for (i = 0, j = 0; i < mynel; i++) {
2093 rc = avc_has_perm_noaudit(fromsid, mysids[i], 2145 rc = avc_has_perm_noaudit(fromsid, mysids[i],
2094 SECCLASS_PROCESS, 2146 SECCLASS_PROCESS, /* kernel value */
2095 PROCESS__TRANSITION, AVC_STRICT, 2147 PROCESS__TRANSITION, AVC_STRICT,
2096 NULL); 2148 NULL);
2097 if (!rc) 2149 if (!rc)
@@ -2119,10 +2171,11 @@ out:
2119 */ 2171 */
2120int security_genfs_sid(const char *fstype, 2172int security_genfs_sid(const char *fstype,
2121 char *path, 2173 char *path,
2122 u16 sclass, 2174 u16 orig_sclass,
2123 u32 *sid) 2175 u32 *sid)
2124{ 2176{
2125 int len; 2177 int len;
2178 u16 sclass;
2126 struct genfs *genfs; 2179 struct genfs *genfs;
2127 struct ocontext *c; 2180 struct ocontext *c;
2128 int rc = 0, cmp = 0; 2181 int rc = 0, cmp = 0;
@@ -2132,6 +2185,8 @@ int security_genfs_sid(const char *fstype,
2132 2185
2133 read_lock(&policy_rwlock); 2186 read_lock(&policy_rwlock);
2134 2187
2188 sclass = unmap_class(orig_sclass);
2189
2135 for (genfs = policydb.genfs; genfs; genfs = genfs->next) { 2190 for (genfs = policydb.genfs; genfs; genfs = genfs->next) {
2136 cmp = strcmp(fstype, genfs->fstype); 2191 cmp = strcmp(fstype, genfs->fstype);
2137 if (cmp <= 0) 2192 if (cmp <= 0)
@@ -2377,7 +2432,7 @@ int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid)
2377 u32 len; 2432 u32 len;
2378 int rc = 0; 2433 int rc = 0;
2379 2434
2380 if (!ss_initialized || !selinux_mls_enabled) { 2435 if (!ss_initialized || !policydb.mls_enabled) {
2381 *new_sid = sid; 2436 *new_sid = sid;
2382 goto out; 2437 goto out;
2383 } 2438 }
@@ -2478,7 +2533,7 @@ int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type,
2478 /* we don't need to check ss_initialized here since the only way both 2533 /* we don't need to check ss_initialized here since the only way both
2479 * nlbl_sid and xfrm_sid are not equal to SECSID_NULL would be if the 2534 * nlbl_sid and xfrm_sid are not equal to SECSID_NULL would be if the
2480 * security server was initialized and ss_initialized was true */ 2535 * security server was initialized and ss_initialized was true */
2481 if (!selinux_mls_enabled) { 2536 if (!policydb.mls_enabled) {
2482 *peer_sid = SECSID_NULL; 2537 *peer_sid = SECSID_NULL;
2483 return 0; 2538 return 0;
2484 } 2539 }
@@ -2535,7 +2590,7 @@ int security_get_classes(char ***classes, int *nclasses)
2535 read_lock(&policy_rwlock); 2590 read_lock(&policy_rwlock);
2536 2591
2537 *nclasses = policydb.p_classes.nprim; 2592 *nclasses = policydb.p_classes.nprim;
2538 *classes = kcalloc(*nclasses, sizeof(*classes), GFP_ATOMIC); 2593 *classes = kcalloc(*nclasses, sizeof(**classes), GFP_ATOMIC);
2539 if (!*classes) 2594 if (!*classes)
2540 goto out; 2595 goto out;
2541 2596
@@ -2582,7 +2637,7 @@ int security_get_permissions(char *class, char ***perms, int *nperms)
2582 } 2637 }
2583 2638
2584 *nperms = match->permissions.nprim; 2639 *nperms = match->permissions.nprim;
2585 *perms = kcalloc(*nperms, sizeof(*perms), GFP_ATOMIC); 2640 *perms = kcalloc(*nperms, sizeof(**perms), GFP_ATOMIC);
2586 if (!*perms) 2641 if (!*perms)
2587 goto out; 2642 goto out;
2588 2643
generated by cgit v1.2.2 (git 2.25.0) at 2025-09-13 20:20:19 -0400