~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/security/selinux/ss/services.c

Version: ~ [ linux-5.8-rc3 ] ~ [ linux-5.7.5 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.48 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.129 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.185 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.228 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.228 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.19.8 ] ~ [ linux-3.18.140 ] ~ [ linux-3.17.8 ] ~ [ linux-3.16.85 ] ~ [ linux-3.15.10 ] ~ [ linux-3.14.79 ] ~ [ linux-3.13.11 ] ~ [ linux-3.12.74 ] ~ [ linux-3.11.10 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2  * Implementation of the security services.
  3  *
  4  * Authors : Stephen Smalley, <sds@tycho.nsa.gov>
  5  *           James Morris <jmorris@redhat.com>
  6  *
  7  * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
  8  *
  9  *      Support for enhanced MLS infrastructure.
 10  *      Support for context based audit filters.
 11  *
 12  * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
 13  *
 14  *      Added conditional policy language extensions
 15  *
 16  * Updated: Hewlett-Packard <paul@paul-moore.com>
 17  *
 18  *      Added support for NetLabel
 19  *      Added support for the policy capability bitmap
 20  *
 21  * Updated: Chad Sellers <csellers@tresys.com>
 22  *
 23  *  Added validation of kernel classes and permissions
 24  *
 25  * Updated: KaiGai Kohei <kaigai@ak.jp.nec.com>
 26  *
 27  *  Added support for bounds domain and audit messaged on masked permissions
 28  *
 29  * Updated: Guido Trentalancia <guido@trentalancia.com>
 30  *
 31  *  Added support for runtime switching of the policy type
 32  *
 33  * Copyright (C) 2008, 2009 NEC Corporation
 34  * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
 35  * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
 36  * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC
 37  * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
 38  *      This program is free software; you can redistribute it and/or modify
 39  *      it under the terms of the GNU General Public License as published by
 40  *      the Free Software Foundation, version 2.
 41  */
 42 #include <linux/kernel.h>
 43 #include <linux/slab.h>
 44 #include <linux/string.h>
 45 #include <linux/spinlock.h>
 46 #include <linux/rcupdate.h>
 47 #include <linux/errno.h>
 48 #include <linux/in.h>
 49 #include <linux/sched.h>
 50 #include <linux/audit.h>
 51 #include <linux/mutex.h>
 52 #include <linux/selinux.h>
 53 #include <linux/flex_array.h>
 54 #include <linux/vmalloc.h>
 55 #include <net/netlabel.h>
 56 
 57 #include "flask.h"
 58 #include "avc.h"
 59 #include "avc_ss.h"
 60 #include "security.h"
 61 #include "context.h"
 62 #include "policydb.h"
 63 #include "sidtab.h"
 64 #include "services.h"
 65 #include "conditional.h"
 66 #include "mls.h"
 67 #include "objsec.h"
 68 #include "netlabel.h"
 69 #include "xfrm.h"
 70 #include "ebitmap.h"
 71 #include "audit.h"
 72 
 73 /* Policy capability names */
 74 char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX] = {
 75         "network_peer_controls",
 76         "open_perms",
 77         "extended_socket_class",
 78         "always_check_network",
 79         "cgroup_seclabel",
 80         "nnp_nosuid_transition"
 81 };
 82 
 83 static struct selinux_ss selinux_ss;
 84 
 85 void selinux_ss_init(struct selinux_ss **ss)
 86 {
 87         rwlock_init(&selinux_ss.policy_rwlock);
 88         mutex_init(&selinux_ss.status_lock);
 89         *ss = &selinux_ss;
 90 }
 91 
 92 /* Forward declaration. */
 93 static int context_struct_to_string(struct policydb *policydb,
 94                                     struct context *context,
 95                                     char **scontext,
 96                                     u32 *scontext_len);
 97 
 98 static void context_struct_compute_av(struct policydb *policydb,
 99                                       struct context *scontext,
100                                       struct context *tcontext,
101                                       u16 tclass,
102                                       struct av_decision *avd,
103                                       struct extended_perms *xperms);
104 
105 static int selinux_set_mapping(struct policydb *pol,
106                                struct security_class_mapping *map,
107                                struct selinux_map *out_map)
108 {
109         u16 i, j;
110         unsigned k;
111         bool print_unknown_handle = false;
112 
113         /* Find number of classes in the input mapping */
114         if (!map)
115                 return -EINVAL;
116         i = 0;
117         while (map[i].name)
118                 i++;
119 
120         /* Allocate space for the class records, plus one for class zero */
121         out_map->mapping = kcalloc(++i, sizeof(*out_map->mapping), GFP_ATOMIC);
122         if (!out_map->mapping)
123                 return -ENOMEM;
124 
125         /* Store the raw class and permission values */
126         j = 0;
127         while (map[j].name) {
128                 struct security_class_mapping *p_in = map + (j++);
129                 struct selinux_mapping *p_out = out_map->mapping + j;
130 
131                 /* An empty class string skips ahead */
132                 if (!strcmp(p_in->name, "")) {
133                         p_out->num_perms = 0;
134                         continue;
135                 }
136 
137                 p_out->value = string_to_security_class(pol, p_in->name);
138                 if (!p_out->value) {
139                         printk(KERN_INFO
140                                "SELinux:  Class %s not defined in policy.\n",
141                                p_in->name);
142                         if (pol->reject_unknown)
143                                 goto err;
144                         p_out->num_perms = 0;
145                         print_unknown_handle = true;
146                         continue;
147                 }
148 
149                 k = 0;
150                 while (p_in->perms[k]) {
151                         /* An empty permission string skips ahead */
152                         if (!*p_in->perms[k]) {
153                                 k++;
154                                 continue;
155                         }
156                         p_out->perms[k] = string_to_av_perm(pol, p_out->value,
157                                                             p_in->perms[k]);
158                         if (!p_out->perms[k]) {
159                                 printk(KERN_INFO
160                                        "SELinux:  Permission %s in class %s not defined in policy.\n",
161                                        p_in->perms[k], p_in->name);
162                                 if (pol->reject_unknown)
163                                         goto err;
164                                 print_unknown_handle = true;
165                         }
166 
167                         k++;
168                 }
169                 p_out->num_perms = k;
170         }
171 
172         if (print_unknown_handle)
173                 printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
174                        pol->allow_unknown ? "allowed" : "denied");
175 
176         out_map->size = i;
177         return 0;
178 err:
179         kfree(out_map->mapping);
180         out_map->mapping = NULL;
181         return -EINVAL;
182 }
183 
184 /*
185  * Get real, policy values from mapped values
186  */
187 
188 static u16 unmap_class(struct selinux_map *map, u16 tclass)
189 {
190         if (tclass < map->size)
191                 return map->mapping[tclass].value;
192 
193         return tclass;
194 }
195 
196 /*
197  * Get kernel value for class from its policy value
198  */
199 static u16 map_class(struct selinux_map *map, u16 pol_value)
200 {
201         u16 i;
202 
203         for (i = 1; i < map->size; i++) {
204                 if (map->mapping[i].value == pol_value)
205                         return i;
206         }
207 
208         return SECCLASS_NULL;
209 }
210 
211 static void map_decision(struct selinux_map *map,
212                          u16 tclass, struct av_decision *avd,
213                          int allow_unknown)
214 {
215         if (tclass < map->size) {
216                 struct selinux_mapping *mapping = &map->mapping[tclass];
217                 unsigned int i, n = mapping->num_perms;
218                 u32 result;
219 
220                 for (i = 0, result = 0; i < n; i++) {
221                         if (avd->allowed & mapping->perms[i])
222                                 result |= 1<<i;
223                         if (allow_unknown && !mapping->perms[i])
224                                 result |= 1<<i;
225                 }
226                 avd->allowed = result;
227 
228                 for (i = 0, result = 0; i < n; i++)
229                         if (avd->auditallow & mapping->perms[i])
230                                 result |= 1<<i;
231                 avd->auditallow = result;
232 
233                 for (i = 0, result = 0; i < n; i++) {
234                         if (avd->auditdeny & mapping->perms[i])
235                                 result |= 1<<i;
236                         if (!allow_unknown && !mapping->perms[i])
237                                 result |= 1<<i;
238                 }
239                 /*
240                  * In case the kernel has a bug and requests a permission
241                  * between num_perms and the maximum permission number, we
242                  * should audit that denial
243                  */
244                 for (; i < (sizeof(u32)*8); i++)
245                         result |= 1<<i;
246                 avd->auditdeny = result;
247         }
248 }
249 
250 int security_mls_enabled(struct selinux_state *state)
251 {
252         struct policydb *p = &state->ss->policydb;
253 
254         return p->mls_enabled;
255 }
256 
257 /*
258  * Return the boolean value of a constraint expression
259  * when it is applied to the specified source and target
260  * security contexts.
261  *
262  * xcontext is a special beast...  It is used by the validatetrans rules
263  * only.  For these rules, scontext is the context before the transition,
264  * tcontext is the context after the transition, and xcontext is the context
265  * of the process performing the transition.  All other callers of
266  * constraint_expr_eval should pass in NULL for xcontext.
267  */
268 static int constraint_expr_eval(struct policydb *policydb,
269                                 struct context *scontext,
270                                 struct context *tcontext,
271                                 struct context *xcontext,
272                                 struct constraint_expr *cexpr)
273 {
274         u32 val1, val2;
275         struct context *c;
276         struct role_datum *r1, *r2;
277         struct mls_level *l1, *l2;
278         struct constraint_expr *e;
279         int s[CEXPR_MAXDEPTH];
280         int sp = -1;
281 
282         for (e = cexpr; e; e = e->next) {
283                 switch (e->expr_type) {
284                 case CEXPR_NOT:
285                         BUG_ON(sp < 0);
286                         s[sp] = !s[sp];
287                         break;
288                 case CEXPR_AND:
289                         BUG_ON(sp < 1);
290                         sp--;
291                         s[sp] &= s[sp + 1];
292                         break;
293                 case CEXPR_OR:
294                         BUG_ON(sp < 1);
295                         sp--;
296                         s[sp] |= s[sp + 1];
297                         break;
298                 case CEXPR_ATTR:
299                         if (sp == (CEXPR_MAXDEPTH - 1))
300                                 return 0;
301                         switch (e->attr) {
302                         case CEXPR_USER:
303                                 val1 = scontext->user;
304                                 val2 = tcontext->user;
305                                 break;
306                         case CEXPR_TYPE:
307                                 val1 = scontext->type;
308                                 val2 = tcontext->type;
309                                 break;
310                         case CEXPR_ROLE:
311                                 val1 = scontext->role;
312                                 val2 = tcontext->role;
313                                 r1 = policydb->role_val_to_struct[val1 - 1];
314                                 r2 = policydb->role_val_to_struct[val2 - 1];
315                                 switch (e->op) {
316                                 case CEXPR_DOM:
317                                         s[++sp] = ebitmap_get_bit(&r1->dominates,
318                                                                   val2 - 1);
319                                         continue;
320                                 case CEXPR_DOMBY:
321                                         s[++sp] = ebitmap_get_bit(&r2->dominates,
322                                                                   val1 - 1);
323                                         continue;
324                                 case CEXPR_INCOMP:
325                                         s[++sp] = (!ebitmap_get_bit(&r1->dominates,
326                                                                     val2 - 1) &&
327                                                    !ebitmap_get_bit(&r2->dominates,
328                                                                     val1 - 1));
329                                         continue;
330                                 default:
331                                         break;
332                                 }
333                                 break;
334                         case CEXPR_L1L2:
335                                 l1 = &(scontext->range.level[0]);
336                                 l2 = &(tcontext->range.level[0]);
337                                 goto mls_ops;
338                         case CEXPR_L1H2:
339                                 l1 = &(scontext->range.level[0]);
340                                 l2 = &(tcontext->range.level[1]);
341                                 goto mls_ops;
342                         case CEXPR_H1L2:
343                                 l1 = &(scontext->range.level[1]);
344                                 l2 = &(tcontext->range.level[0]);
345                                 goto mls_ops;
346                         case CEXPR_H1H2:
347                                 l1 = &(scontext->range.level[1]);
348                                 l2 = &(tcontext->range.level[1]);
349                                 goto mls_ops;
350                         case CEXPR_L1H1:
351                                 l1 = &(scontext->range.level[0]);
352                                 l2 = &(scontext->range.level[1]);
353                                 goto mls_ops;
354                         case CEXPR_L2H2:
355                                 l1 = &(tcontext->range.level[0]);
356                                 l2 = &(tcontext->range.level[1]);
357                                 goto mls_ops;
358 mls_ops:
359                         switch (e->op) {
360                         case CEXPR_EQ:
361                                 s[++sp] = mls_level_eq(l1, l2);
362                                 continue;
363                         case CEXPR_NEQ:
364                                 s[++sp] = !mls_level_eq(l1, l2);
365                                 continue;
366                         case CEXPR_DOM:
367                                 s[++sp] = mls_level_dom(l1, l2);
368                                 continue;
369                         case CEXPR_DOMBY:
370                                 s[++sp] = mls_level_dom(l2, l1);
371                                 continue;
372                         case CEXPR_INCOMP:
373                                 s[++sp] = mls_level_incomp(l2, l1);
374                                 continue;
375                         default:
376                                 BUG();
377                                 return 0;
378                         }
379                         break;
380                         default:
381                                 BUG();
382                                 return 0;
383                         }
384 
385                         switch (e->op) {
386                         case CEXPR_EQ:
387                                 s[++sp] = (val1 == val2);
388                                 break;
389                         case CEXPR_NEQ:
390                                 s[++sp] = (val1 != val2);
391                                 break;
392                         default:
393                                 BUG();
394                                 return 0;
395                         }
396                         break;
397                 case CEXPR_NAMES:
398                         if (sp == (CEXPR_MAXDEPTH-1))
399                                 return 0;
400                         c = scontext;
401                         if (e->attr & CEXPR_TARGET)
402                                 c = tcontext;
403                         else if (e->attr & CEXPR_XTARGET) {
404                                 c = xcontext;
405                                 if (!c) {
406                                         BUG();
407                                         return 0;
408                                 }
409                         }
410                         if (e->attr & CEXPR_USER)
411                                 val1 = c->user;
412                         else if (e->attr & CEXPR_ROLE)
413                                 val1 = c->role;
414                         else if (e->attr & CEXPR_TYPE)
415                                 val1 = c->type;
416                         else {
417                                 BUG();
418                                 return 0;
419                         }
420 
421                         switch (e->op) {
422                         case CEXPR_EQ:
423                                 s[++sp] = ebitmap_get_bit(&e->names, val1 - 1);
424                                 break;
425                         case CEXPR_NEQ:
426                                 s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1);
427                                 break;
428                         default:
429                                 BUG();
430                                 return 0;
431                         }
432                         break;
433                 default:
434                         BUG();
435                         return 0;
436                 }
437         }
438 
439         BUG_ON(sp != 0);
440         return s[0];
441 }
442 
443 /*
444  * security_dump_masked_av - dumps masked permissions during
445  * security_compute_av due to RBAC, MLS/Constraint and Type bounds.
446  */
447 static int dump_masked_av_helper(void *k, void *d, void *args)
448 {
449         struct perm_datum *pdatum = d;
450         char **permission_names = args;
451 
452         BUG_ON(pdatum->value < 1 || pdatum->value > 32);
453 
454         permission_names[pdatum->value - 1] = (char *)k;
455 
456         return 0;
457 }
458 
459 static void security_dump_masked_av(struct policydb *policydb,
460                                     struct context *scontext,
461                                     struct context *tcontext,
462                                     u16 tclass,
463                                     u32 permissions,
464                                     const char *reason)
465 {
466         struct common_datum *common_dat;
467         struct class_datum *tclass_dat;
468         struct audit_buffer *ab;
469         char *tclass_name;
470         char *scontext_name = NULL;
471         char *tcontext_name = NULL;
472         char *permission_names[32];
473         int index;
474         u32 length;
475         bool need_comma = false;
476 
477         if (!permissions)
478                 return;
479 
480         tclass_name = sym_name(policydb, SYM_CLASSES, tclass - 1);
481         tclass_dat = policydb->class_val_to_struct[tclass - 1];
482         common_dat = tclass_dat->comdatum;
483 
484         /* init permission_names */
485         if (common_dat &&
486             hashtab_map(common_dat->permissions.table,
487                         dump_masked_av_helper, permission_names) < 0)
488                 goto out;
489 
490         if (hashtab_map(tclass_dat->permissions.table,
491                         dump_masked_av_helper, permission_names) < 0)
492                 goto out;
493 
494         /* get scontext/tcontext in text form */
495         if (context_struct_to_string(policydb, scontext,
496                                      &scontext_name, &length) < 0)
497                 goto out;
498 
499         if (context_struct_to_string(policydb, tcontext,
500                                      &tcontext_name, &length) < 0)
501                 goto out;
502 
503         /* audit a message */
504         ab = audit_log_start(audit_context(),
505                              GFP_ATOMIC, AUDIT_SELINUX_ERR);
506         if (!ab)
507                 goto out;
508 
509         audit_log_format(ab, "op=security_compute_av reason=%s "
510                          "scontext=%s tcontext=%s tclass=%s perms=",
511                          reason, scontext_name, tcontext_name, tclass_name);
512 
513         for (index = 0; index < 32; index++) {
514                 u32 mask = (1 << index);
515 
516                 if ((mask & permissions) == 0)
517                         continue;
518 
519                 audit_log_format(ab, "%s%s",
520                                  need_comma ? "," : "",
521                                  permission_names[index]
522                                  ? permission_names[index] : "????");
523                 need_comma = true;
524         }
525         audit_log_end(ab);
526 out:
527         /* release scontext/tcontext */
528         kfree(tcontext_name);
529         kfree(scontext_name);
530 
531         return;
532 }
533 
534 /*
535  * security_boundary_permission - drops violated permissions
536  * on boundary constraint.
537  */
538 static void type_attribute_bounds_av(struct policydb *policydb,
539                                      struct context *scontext,
540                                      struct context *tcontext,
541                                      u16 tclass,
542                                      struct av_decision *avd)
543 {
544         struct context lo_scontext;
545         struct context lo_tcontext, *tcontextp = tcontext;
546         struct av_decision lo_avd;
547         struct type_datum *source;
548         struct type_datum *target;
549         u32 masked = 0;
550 
551         source = flex_array_get_ptr(policydb->type_val_to_struct_array,
552                                     scontext->type - 1);
553         BUG_ON(!source);
554 
555         if (!source->bounds)
556                 return;
557 
558         target = flex_array_get_ptr(policydb->type_val_to_struct_array,
559                                     tcontext->type - 1);
560         BUG_ON(!target);
561 
562         memset(&lo_avd, 0, sizeof(lo_avd));
563 
564         memcpy(&lo_scontext, scontext, sizeof(lo_scontext));
565         lo_scontext.type = source->bounds;
566 
567         if (target->bounds) {
568                 memcpy(&lo_tcontext, tcontext, sizeof(lo_tcontext));
569                 lo_tcontext.type = target->bounds;
570                 tcontextp = &lo_tcontext;
571         }
572 
573         context_struct_compute_av(policydb, &lo_scontext,
574                                   tcontextp,
575                                   tclass,
576                                   &lo_avd,
577                                   NULL);
578 
579         masked = ~lo_avd.allowed & avd->allowed;
580 
581         if (likely(!masked))
582                 return;         /* no masked permission */
583 
584         /* mask violated permissions */
585         avd->allowed &= ~masked;
586 
587         /* audit masked permissions */
588         security_dump_masked_av(policydb, scontext, tcontext,
589                                 tclass, masked, "bounds");
590 }
591 
592 /*
593  * flag which drivers have permissions
594  * only looking for ioctl based extended permssions
595  */
596 void services_compute_xperms_drivers(
597                 struct extended_perms *xperms,
598                 struct avtab_node *node)
599 {
600         unsigned int i;
601 
602         if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) {
603                 /* if one or more driver has all permissions allowed */
604                 for (i = 0; i < ARRAY_SIZE(xperms->drivers.p); i++)
605                         xperms->drivers.p[i] |= node->datum.u.xperms->perms.p[i];
606         } else if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) {
607                 /* if allowing permissions within a driver */
608                 security_xperm_set(xperms->drivers.p,
609                                         node->datum.u.xperms->driver);
610         }
611 
612         /* If no ioctl commands are allowed, ignore auditallow and auditdeny */
613         if (node->key.specified & AVTAB_XPERMS_ALLOWED)
614                 xperms->len = 1;
615 }
616 
617 /*
618  * Compute access vectors and extended permissions based on a context
619  * structure pair for the permissions in a particular class.
620  */
621 static void context_struct_compute_av(struct policydb *policydb,
622                                       struct context *scontext,
623                                       struct context *tcontext,
624                                       u16 tclass,
625                                       struct av_decision *avd,
626                                       struct extended_perms *xperms)
627 {
628         struct constraint_node *constraint;
629         struct role_allow *ra;
630         struct avtab_key avkey;
631         struct avtab_node *node;
632         struct class_datum *tclass_datum;
633         struct ebitmap *sattr, *tattr;
634         struct ebitmap_node *snode, *tnode;
635         unsigned int i, j;
636 
637         avd->allowed = 0;
638         avd->auditallow = 0;
639         avd->auditdeny = 0xffffffff;
640         if (xperms) {
641                 memset(&xperms->drivers, 0, sizeof(xperms->drivers));
642                 xperms->len = 0;
643         }
644 
645         if (unlikely(!tclass || tclass > policydb->p_classes.nprim)) {
646                 if (printk_ratelimit())
647                         printk(KERN_WARNING "SELinux:  Invalid class %hu\n", tclass);
648                 return;
649         }
650 
651         tclass_datum = policydb->class_val_to_struct[tclass - 1];
652 
653         /*
654          * If a specific type enforcement rule was defined for
655          * this permission check, then use it.
656          */
657         avkey.target_class = tclass;
658         avkey.specified = AVTAB_AV | AVTAB_XPERMS;
659         sattr = flex_array_get(policydb->type_attr_map_array,
660                                scontext->type - 1);
661         BUG_ON(!sattr);
662         tattr = flex_array_get(policydb->type_attr_map_array,
663                                tcontext->type - 1);
664         BUG_ON(!tattr);
665         ebitmap_for_each_positive_bit(sattr, snode, i) {
666                 ebitmap_for_each_positive_bit(tattr, tnode, j) {
667                         avkey.source_type = i + 1;
668                         avkey.target_type = j + 1;
669                         for (node = avtab_search_node(&policydb->te_avtab,
670                                                       &avkey);
671                              node;
672                              node = avtab_search_node_next(node, avkey.specified)) {
673                                 if (node->key.specified == AVTAB_ALLOWED)
674                                         avd->allowed |= node->datum.u.data;
675                                 else if (node->key.specified == AVTAB_AUDITALLOW)
676                                         avd->auditallow |= node->datum.u.data;
677                                 else if (node->key.specified == AVTAB_AUDITDENY)
678                                         avd->auditdeny &= node->datum.u.data;
679                                 else if (xperms && (node->key.specified & AVTAB_XPERMS))
680                                         services_compute_xperms_drivers(xperms, node);
681                         }
682 
683                         /* Check conditional av table for additional permissions */
684                         cond_compute_av(&policydb->te_cond_avtab, &avkey,
685                                         avd, xperms);
686 
687                 }
688         }
689 
690         /*
691          * Remove any permissions prohibited by a constraint (this includes
692          * the MLS policy).
693          */
694         constraint = tclass_datum->constraints;
695         while (constraint) {
696                 if ((constraint->permissions & (avd->allowed)) &&
697                     !constraint_expr_eval(policydb, scontext, tcontext, NULL,
698                                           constraint->expr)) {
699                         avd->allowed &= ~(constraint->permissions);
700                 }
701                 constraint = constraint->next;
702         }
703 
704         /*
705          * If checking process transition permission and the
706          * role is changing, then check the (current_role, new_role)
707          * pair.
708          */
709         if (tclass == policydb->process_class &&
710             (avd->allowed & policydb->process_trans_perms) &&
711             scontext->role != tcontext->role) {
712                 for (ra = policydb->role_allow; ra; ra = ra->next) {
713                         if (scontext->role == ra->role &&
714                             tcontext->role == ra->new_role)
715                                 break;
716                 }
717                 if (!ra)
718                         avd->allowed &= ~policydb->process_trans_perms;
719         }
720 
721         /*
722          * If the given source and target types have boundary
723          * constraint, lazy checks have to mask any violated
724          * permission and notice it to userspace via audit.
725          */
726         type_attribute_bounds_av(policydb, scontext, tcontext,
727                                  tclass, avd);
728 }
729 
730 static int security_validtrans_handle_fail(struct selinux_state *state,
731                                            struct context *ocontext,
732                                            struct context *ncontext,
733                                            struct context *tcontext,
734                                            u16 tclass)
735 {
736         struct policydb *p = &state->ss->policydb;
737         char *o = NULL, *n = NULL, *t = NULL;
738         u32 olen, nlen, tlen;
739 
740         if (context_struct_to_string(p, ocontext, &o, &olen))
741                 goto out;
742         if (context_struct_to_string(p, ncontext, &n, &nlen))
743                 goto out;
744         if (context_struct_to_string(p, tcontext, &t, &tlen))
745                 goto out;
746         audit_log(audit_context(), GFP_ATOMIC, AUDIT_SELINUX_ERR,
747                   "op=security_validate_transition seresult=denied"
748                   " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
749                   o, n, t, sym_name(p, SYM_CLASSES, tclass-1));
750 out:
751         kfree(o);
752         kfree(n);
753         kfree(t);
754 
755         if (!enforcing_enabled(state))
756                 return 0;
757         return -EPERM;
758 }
759 
760 static int security_compute_validatetrans(struct selinux_state *state,
761                                           u32 oldsid, u32 newsid, u32 tasksid,
762                                           u16 orig_tclass, bool user)
763 {
764         struct policydb *policydb;
765         struct sidtab *sidtab;
766         struct context *ocontext;
767         struct context *ncontext;
768         struct context *tcontext;
769         struct class_datum *tclass_datum;
770         struct constraint_node *constraint;
771         u16 tclass;
772         int rc = 0;
773 
774 
775         if (!state->initialized)
776                 return 0;
777 
778         read_lock(&state->ss->policy_rwlock);
779 
780         policydb = &state->ss->policydb;
781         sidtab = &state->ss->sidtab;
782 
783         if (!user)
784                 tclass = unmap_class(&state->ss->map, orig_tclass);
785         else
786                 tclass = orig_tclass;
787 
788         if (!tclass || tclass > policydb->p_classes.nprim) {
789                 rc = -EINVAL;
790                 goto out;
791         }
792         tclass_datum = policydb->class_val_to_struct[tclass - 1];
793 
794         ocontext = sidtab_search(sidtab, oldsid);
795         if (!ocontext) {
796                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
797                         __func__, oldsid);
798                 rc = -EINVAL;
799                 goto out;
800         }
801 
802         ncontext = sidtab_search(sidtab, newsid);
803         if (!ncontext) {
804                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
805                         __func__, newsid);
806                 rc = -EINVAL;
807                 goto out;
808         }
809 
810         tcontext = sidtab_search(sidtab, tasksid);
811         if (!tcontext) {
812                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
813                         __func__, tasksid);
814                 rc = -EINVAL;
815                 goto out;
816         }
817 
818         constraint = tclass_datum->validatetrans;
819         while (constraint) {
820                 if (!constraint_expr_eval(policydb, ocontext, ncontext,
821                                           tcontext, constraint->expr)) {
822                         if (user)
823                                 rc = -EPERM;
824                         else
825                                 rc = security_validtrans_handle_fail(state,
826                                                                      ocontext,
827                                                                      ncontext,
828                                                                      tcontext,
829                                                                      tclass);
830                         goto out;
831                 }
832                 constraint = constraint->next;
833         }
834 
835 out:
836         read_unlock(&state->ss->policy_rwlock);
837         return rc;
838 }
839 
840 int security_validate_transition_user(struct selinux_state *state,
841                                       u32 oldsid, u32 newsid, u32 tasksid,
842                                       u16 tclass)
843 {
844         return security_compute_validatetrans(state, oldsid, newsid, tasksid,
845                                               tclass, true);
846 }
847 
848 int security_validate_transition(struct selinux_state *state,
849                                  u32 oldsid, u32 newsid, u32 tasksid,
850                                  u16 orig_tclass)
851 {
852         return security_compute_validatetrans(state, oldsid, newsid, tasksid,
853                                               orig_tclass, false);
854 }
855 
856 /*
857  * security_bounded_transition - check whether the given
858  * transition is directed to bounded, or not.
859  * It returns 0, if @newsid is bounded by @oldsid.
860  * Otherwise, it returns error code.
861  *
862  * @oldsid : current security identifier
863  * @newsid : destinated security identifier
864  */
865 int security_bounded_transition(struct selinux_state *state,
866                                 u32 old_sid, u32 new_sid)
867 {
868         struct policydb *policydb;
869         struct sidtab *sidtab;
870         struct context *old_context, *new_context;
871         struct type_datum *type;
872         int index;
873         int rc;
874 
875         if (!state->initialized)
876                 return 0;
877 
878         read_lock(&state->ss->policy_rwlock);
879 
880         policydb = &state->ss->policydb;
881         sidtab = &state->ss->sidtab;
882 
883         rc = -EINVAL;
884         old_context = sidtab_search(sidtab, old_sid);
885         if (!old_context) {
886                 printk(KERN_ERR "SELinux: %s: unrecognized SID %u\n",
887                        __func__, old_sid);
888                 goto out;
889         }
890 
891         rc = -EINVAL;
892         new_context = sidtab_search(sidtab, new_sid);
893         if (!new_context) {
894                 printk(KERN_ERR "SELinux: %s: unrecognized SID %u\n",
895                        __func__, new_sid);
896                 goto out;
897         }
898 
899         rc = 0;
900         /* type/domain unchanged */
901         if (old_context->type == new_context->type)
902                 goto out;
903 
904         index = new_context->type;
905         while (true) {
906                 type = flex_array_get_ptr(policydb->type_val_to_struct_array,
907                                           index - 1);
908                 BUG_ON(!type);
909 
910                 /* not bounded anymore */
911                 rc = -EPERM;
912                 if (!type->bounds)
913                         break;
914 
915                 /* @newsid is bounded by @oldsid */
916                 rc = 0;
917                 if (type->bounds == old_context->type)
918                         break;
919 
920                 index = type->bounds;
921         }
922 
923         if (rc) {
924                 char *old_name = NULL;
925                 char *new_name = NULL;
926                 u32 length;
927 
928                 if (!context_struct_to_string(policydb, old_context,
929                                               &old_name, &length) &&
930                     !context_struct_to_string(policydb, new_context,
931                                               &new_name, &length)) {
932                         audit_log(audit_context(),
933                                   GFP_ATOMIC, AUDIT_SELINUX_ERR,
934                                   "op=security_bounded_transition "
935                                   "seresult=denied "
936                                   "oldcontext=%s newcontext=%s",
937                                   old_name, new_name);
938                 }
939                 kfree(new_name);
940                 kfree(old_name);
941         }
942 out:
943         read_unlock(&state->ss->policy_rwlock);
944 
945         return rc;
946 }
947 
948 static void avd_init(struct selinux_state *state, struct av_decision *avd)
949 {
950         avd->allowed = 0;
951         avd->auditallow = 0;
952         avd->auditdeny = 0xffffffff;
953         avd->seqno = state->ss->latest_granting;
954         avd->flags = 0;
955 }
956 
957 void services_compute_xperms_decision(struct extended_perms_decision *xpermd,
958                                         struct avtab_node *node)
959 {
960         unsigned int i;
961 
962         if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) {
963                 if (xpermd->driver != node->datum.u.xperms->driver)
964                         return;
965         } else if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) {
966                 if (!security_xperm_test(node->datum.u.xperms->perms.p,
967                                         xpermd->driver))
968                         return;
969         } else {
970                 BUG();
971         }
972 
973         if (node->key.specified == AVTAB_XPERMS_ALLOWED) {
974                 xpermd->used |= XPERMS_ALLOWED;
975                 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) {
976                         memset(xpermd->allowed->p, 0xff,
977                                         sizeof(xpermd->allowed->p));
978                 }
979                 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) {
980                         for (i = 0; i < ARRAY_SIZE(xpermd->allowed->p); i++)
981                                 xpermd->allowed->p[i] |=
982                                         node->datum.u.xperms->perms.p[i];
983                 }
984         } else if (node->key.specified == AVTAB_XPERMS_AUDITALLOW) {
985                 xpermd->used |= XPERMS_AUDITALLOW;
986                 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) {
987                         memset(xpermd->auditallow->p, 0xff,
988                                         sizeof(xpermd->auditallow->p));
989                 }
990                 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) {
991                         for (i = 0; i < ARRAY_SIZE(xpermd->auditallow->p); i++)
992                                 xpermd->auditallow->p[i] |=
993                                         node->datum.u.xperms->perms.p[i];
994                 }
995         } else if (node->key.specified == AVTAB_XPERMS_DONTAUDIT) {
996                 xpermd->used |= XPERMS_DONTAUDIT;
997                 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) {
998                         memset(xpermd->dontaudit->p, 0xff,
999                                         sizeof(xpermd->dontaudit->p));
1000                 }
1001                 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) {
1002                         for (i = 0; i < ARRAY_SIZE(xpermd->dontaudit->p); i++)
1003                                 xpermd->dontaudit->p[i] |=
1004                                         node->datum.u.xperms->perms.p[i];
1005                 }
1006         } else {
1007                 BUG();
1008         }
1009 }
1010 
1011 void security_compute_xperms_decision(struct selinux_state *state,
1012                                       u32 ssid,
1013                                       u32 tsid,
1014                                       u16 orig_tclass,
1015                                       u8 driver,
1016                                       struct extended_perms_decision *xpermd)
1017 {
1018         struct policydb *policydb;
1019         struct sidtab *sidtab;
1020         u16 tclass;
1021         struct context *scontext, *tcontext;
1022         struct avtab_key avkey;
1023         struct avtab_node *node;
1024         struct ebitmap *sattr, *tattr;
1025         struct ebitmap_node *snode, *tnode;
1026         unsigned int i, j;
1027 
1028         xpermd->driver = driver;
1029         xpermd->used = 0;
1030         memset(xpermd->allowed->p, 0, sizeof(xpermd->allowed->p));
1031         memset(xpermd->auditallow->p, 0, sizeof(xpermd->auditallow->p));
1032         memset(xpermd->dontaudit->p, 0, sizeof(xpermd->dontaudit->p));
1033 
1034         read_lock(&state->ss->policy_rwlock);
1035         if (!state->initialized)
1036                 goto allow;
1037 
1038         policydb = &state->ss->policydb;
1039         sidtab = &state->ss->sidtab;
1040 
1041         scontext = sidtab_search(sidtab, ssid);
1042         if (!scontext) {
1043                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1044                        __func__, ssid);
1045                 goto out;
1046         }
1047 
1048         tcontext = sidtab_search(sidtab, tsid);
1049         if (!tcontext) {
1050                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1051                        __func__, tsid);
1052                 goto out;
1053         }
1054 
1055         tclass = unmap_class(&state->ss->map, orig_tclass);
1056         if (unlikely(orig_tclass && !tclass)) {
1057                 if (policydb->allow_unknown)
1058                         goto allow;
1059                 goto out;
1060         }
1061 
1062 
1063         if (unlikely(!tclass || tclass > policydb->p_classes.nprim)) {
1064                 pr_warn_ratelimited("SELinux:  Invalid class %hu\n", tclass);
1065                 goto out;
1066         }
1067 
1068         avkey.target_class = tclass;
1069         avkey.specified = AVTAB_XPERMS;
1070         sattr = flex_array_get(policydb->type_attr_map_array,
1071                                 scontext->type - 1);
1072         BUG_ON(!sattr);
1073         tattr = flex_array_get(policydb->type_attr_map_array,
1074                                 tcontext->type - 1);
1075         BUG_ON(!tattr);
1076         ebitmap_for_each_positive_bit(sattr, snode, i) {
1077                 ebitmap_for_each_positive_bit(tattr, tnode, j) {
1078                         avkey.source_type = i + 1;
1079                         avkey.target_type = j + 1;
1080                         for (node = avtab_search_node(&policydb->te_avtab,
1081                                                       &avkey);
1082                              node;
1083                              node = avtab_search_node_next(node, avkey.specified))
1084                                 services_compute_xperms_decision(xpermd, node);
1085 
1086                         cond_compute_xperms(&policydb->te_cond_avtab,
1087                                                 &avkey, xpermd);
1088                 }
1089         }
1090 out:
1091         read_unlock(&state->ss->policy_rwlock);
1092         return;
1093 allow:
1094         memset(xpermd->allowed->p, 0xff, sizeof(xpermd->allowed->p));
1095         goto out;
1096 }
1097 
1098 /**
1099  * security_compute_av - Compute access vector decisions.
1100  * @ssid: source security identifier
1101  * @tsid: target security identifier
1102  * @tclass: target security class
1103  * @avd: access vector decisions
1104  * @xperms: extended permissions
1105  *
1106  * Compute a set of access vector decisions based on the
1107  * SID pair (@ssid, @tsid) for the permissions in @tclass.
1108  */
1109 void security_compute_av(struct selinux_state *state,
1110                          u32 ssid,
1111                          u32 tsid,
1112                          u16 orig_tclass,
1113                          struct av_decision *avd,
1114                          struct extended_perms *xperms)
1115 {
1116         struct policydb *policydb;
1117         struct sidtab *sidtab;
1118         u16 tclass;
1119         struct context *scontext = NULL, *tcontext = NULL;
1120 
1121         read_lock(&state->ss->policy_rwlock);
1122         avd_init(state, avd);
1123         xperms->len = 0;
1124         if (!state->initialized)
1125                 goto allow;
1126 
1127         policydb = &state->ss->policydb;
1128         sidtab = &state->ss->sidtab;
1129 
1130         scontext = sidtab_search(sidtab, ssid);
1131         if (!scontext) {
1132                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1133                        __func__, ssid);
1134                 goto out;
1135         }
1136 
1137         /* permissive domain? */
1138         if (ebitmap_get_bit(&policydb->permissive_map, scontext->type))
1139                 avd->flags |= AVD_FLAGS_PERMISSIVE;
1140 
1141         tcontext = sidtab_search(sidtab, tsid);
1142         if (!tcontext) {
1143                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1144                        __func__, tsid);
1145                 goto out;
1146         }
1147 
1148         tclass = unmap_class(&state->ss->map, orig_tclass);
1149         if (unlikely(orig_tclass && !tclass)) {
1150                 if (policydb->allow_unknown)
1151                         goto allow;
1152                 goto out;
1153         }
1154         context_struct_compute_av(policydb, scontext, tcontext, tclass, avd,
1155                                   xperms);
1156         map_decision(&state->ss->map, orig_tclass, avd,
1157                      policydb->allow_unknown);
1158 out:
1159         read_unlock(&state->ss->policy_rwlock);
1160         return;
1161 allow:
1162         avd->allowed = 0xffffffff;
1163         goto out;
1164 }
1165 
1166 void security_compute_av_user(struct selinux_state *state,
1167                               u32 ssid,
1168                               u32 tsid,
1169                               u16 tclass,
1170                               struct av_decision *avd)
1171 {
1172         struct policydb *policydb;
1173         struct sidtab *sidtab;
1174         struct context *scontext = NULL, *tcontext = NULL;
1175 
1176         read_lock(&state->ss->policy_rwlock);
1177         avd_init(state, avd);
1178         if (!state->initialized)
1179                 goto allow;
1180 
1181         policydb = &state->ss->policydb;
1182         sidtab = &state->ss->sidtab;
1183 
1184         scontext = sidtab_search(sidtab, ssid);
1185         if (!scontext) {
1186                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1187                        __func__, ssid);
1188                 goto out;
1189         }
1190 
1191         /* permissive domain? */
1192         if (ebitmap_get_bit(&policydb->permissive_map, scontext->type))
1193                 avd->flags |= AVD_FLAGS_PERMISSIVE;
1194 
1195         tcontext = sidtab_search(sidtab, tsid);
1196         if (!tcontext) {
1197                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1198                        __func__, tsid);
1199                 goto out;
1200         }
1201 
1202         if (unlikely(!tclass)) {
1203                 if (policydb->allow_unknown)
1204                         goto allow;
1205                 goto out;
1206         }
1207 
1208         context_struct_compute_av(policydb, scontext, tcontext, tclass, avd,
1209                                   NULL);
1210  out:
1211         read_unlock(&state->ss->policy_rwlock);
1212         return;
1213 allow:
1214         avd->allowed = 0xffffffff;
1215         goto out;
1216 }
1217 
1218 /*
1219  * Write the security context string representation of
1220  * the context structure `context' into a dynamically
1221  * allocated string of the correct size.  Set `*scontext'
1222  * to point to this string and set `*scontext_len' to
1223  * the length of the string.
1224  */
1225 static int context_struct_to_string(struct policydb *p,
1226                                     struct context *context,
1227                                     char **scontext, u32 *scontext_len)
1228 {
1229         char *scontextp;
1230 
1231         if (scontext)
1232                 *scontext = NULL;
1233         *scontext_len = 0;
1234 
1235         if (context->len) {
1236                 *scontext_len = context->len;
1237                 if (scontext) {
1238                         *scontext = kstrdup(context->str, GFP_ATOMIC);
1239                         if (!(*scontext))
1240                                 return -ENOMEM;
1241                 }
1242                 return 0;
1243         }
1244 
1245         /* Compute the size of the context. */
1246         *scontext_len += strlen(sym_name(p, SYM_USERS, context->user - 1)) + 1;
1247         *scontext_len += strlen(sym_name(p, SYM_ROLES, context->role - 1)) + 1;
1248         *scontext_len += strlen(sym_name(p, SYM_TYPES, context->type - 1)) + 1;
1249         *scontext_len += mls_compute_context_len(p, context);
1250 
1251         if (!scontext)
1252                 return 0;
1253 
1254         /* Allocate space for the context; caller must free this space. */
1255         scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
1256         if (!scontextp)
1257                 return -ENOMEM;
1258         *scontext = scontextp;
1259 
1260         /*
1261          * Copy the user name, role name and type name into the context.
1262          */
1263         scontextp += sprintf(scontextp, "%s:%s:%s",
1264                 sym_name(p, SYM_USERS, context->user - 1),
1265                 sym_name(p, SYM_ROLES, context->role - 1),
1266                 sym_name(p, SYM_TYPES, context->type - 1));
1267 
1268         mls_sid_to_context(p, context, &scontextp);
1269 
1270         *scontextp = 0;
1271 
1272         return 0;
1273 }
1274 
1275 #include "initial_sid_to_string.h"
1276 
1277 const char *security_get_initial_sid_context(u32 sid)
1278 {
1279         if (unlikely(sid > SECINITSID_NUM))
1280                 return NULL;
1281         return initial_sid_to_string[sid];
1282 }
1283 
1284 static int security_sid_to_context_core(struct selinux_state *state,
1285                                         u32 sid, char **scontext,
1286                                         u32 *scontext_len, int force)
1287 {
1288         struct policydb *policydb;
1289         struct sidtab *sidtab;
1290         struct context *context;
1291         int rc = 0;
1292 
1293         if (scontext)
1294                 *scontext = NULL;
1295         *scontext_len  = 0;
1296 
1297         if (!state->initialized) {
1298                 if (sid <= SECINITSID_NUM) {
1299                         char *scontextp;
1300 
1301                         *scontext_len = strlen(initial_sid_to_string[sid]) + 1;
1302                         if (!scontext)
1303                                 goto out;
1304                         scontextp = kmemdup(initial_sid_to_string[sid],
1305                                             *scontext_len, GFP_ATOMIC);
1306                         if (!scontextp) {
1307                                 rc = -ENOMEM;
1308                                 goto out;
1309                         }
1310                         *scontext = scontextp;
1311                         goto out;
1312                 }
1313                 printk(KERN_ERR "SELinux: %s:  called before initial "
1314                        "load_policy on unknown SID %d\n", __func__, sid);
1315                 rc = -EINVAL;
1316                 goto out;
1317         }
1318         read_lock(&state->ss->policy_rwlock);
1319         policydb = &state->ss->policydb;
1320         sidtab = &state->ss->sidtab;
1321         if (force)
1322                 context = sidtab_search_force(sidtab, sid);
1323         else
1324                 context = sidtab_search(sidtab, sid);
1325         if (!context) {
1326                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1327                         __func__, sid);
1328                 rc = -EINVAL;
1329                 goto out_unlock;
1330         }
1331         rc = context_struct_to_string(policydb, context, scontext,
1332                                       scontext_len);
1333 out_unlock:
1334         read_unlock(&state->ss->policy_rwlock);
1335 out:
1336         return rc;
1337 
1338 }
1339 
1340 /**
1341  * security_sid_to_context - Obtain a context for a given SID.
1342  * @sid: security identifier, SID
1343  * @scontext: security context
1344  * @scontext_len: length in bytes
1345  *
1346  * Write the string representation of the context associated with @sid
1347  * into a dynamically allocated string of the correct size.  Set @scontext
1348  * to point to this string and set @scontext_len to the length of the string.
1349  */
1350 int security_sid_to_context(struct selinux_state *state,
1351                             u32 sid, char **scontext, u32 *scontext_len)
1352 {
1353         return security_sid_to_context_core(state, sid, scontext,
1354                                             scontext_len, 0);
1355 }
1356 
1357 int security_sid_to_context_force(struct selinux_state *state, u32 sid,
1358                                   char **scontext, u32 *scontext_len)
1359 {
1360         return security_sid_to_context_core(state, sid, scontext,
1361                                             scontext_len, 1);
1362 }
1363 
1364 /*
1365  * Caveat:  Mutates scontext.
1366  */
1367 static int string_to_context_struct(struct policydb *pol,
1368                                     struct sidtab *sidtabp,
1369                                     char *scontext,
1370                                     u32 scontext_len,
1371                                     struct context *ctx,
1372                                     u32 def_sid)
1373 {
1374         struct role_datum *role;
1375         struct type_datum *typdatum;
1376         struct user_datum *usrdatum;
1377         char *scontextp, *p, oldc;
1378         int rc = 0;
1379 
1380         context_init(ctx);
1381 
1382         /* Parse the security context. */
1383 
1384         rc = -EINVAL;
1385         scontextp = (char *) scontext;
1386 
1387         /* Extract the user. */
1388         p = scontextp;
1389         while (*p && *p != ':')
1390                 p++;
1391 
1392         if (*p == 0)
1393                 goto out;
1394 
1395         *p++ = 0;
1396 
1397         usrdatum = hashtab_search(pol->p_users.table, scontextp);
1398         if (!usrdatum)
1399                 goto out;
1400 
1401         ctx->user = usrdatum->value;
1402 
1403         /* Extract role. */
1404         scontextp = p;
1405         while (*p && *p != ':')
1406                 p++;
1407 
1408         if (*p == 0)
1409                 goto out;
1410 
1411         *p++ = 0;
1412 
1413         role = hashtab_search(pol->p_roles.table, scontextp);
1414         if (!role)
1415                 goto out;
1416         ctx->role = role->value;
1417 
1418         /* Extract type. */
1419         scontextp = p;
1420         while (*p && *p != ':')
1421                 p++;
1422         oldc = *p;
1423         *p++ = 0;
1424 
1425         typdatum = hashtab_search(pol->p_types.table, scontextp);
1426         if (!typdatum || typdatum->attribute)
1427                 goto out;
1428 
1429         ctx->type = typdatum->value;
1430 
1431         rc = mls_context_to_sid(pol, oldc, &p, ctx, sidtabp, def_sid);
1432         if (rc)
1433                 goto out;
1434 
1435         rc = -EINVAL;
1436         if ((p - scontext) < scontext_len)
1437                 goto out;
1438 
1439         /* Check the validity of the new context. */
1440         if (!policydb_context_isvalid(pol, ctx))
1441                 goto out;
1442         rc = 0;
1443 out:
1444         if (rc)
1445                 context_destroy(ctx);
1446         return rc;
1447 }
1448 
1449 static int security_context_to_sid_core(struct selinux_state *state,
1450                                         const char *scontext, u32 scontext_len,
1451                                         u32 *sid, u32 def_sid, gfp_t gfp_flags,
1452                                         int force)
1453 {
1454         struct policydb *policydb;
1455         struct sidtab *sidtab;
1456         char *scontext2, *str = NULL;
1457         struct context context;
1458         int rc = 0;
1459 
1460         /* An empty security context is never valid. */
1461         if (!scontext_len)
1462                 return -EINVAL;
1463 
1464         /* Copy the string to allow changes and ensure a NUL terminator */
1465         scontext2 = kmemdup_nul(scontext, scontext_len, gfp_flags);
1466         if (!scontext2)
1467                 return -ENOMEM;
1468 
1469         if (!state->initialized) {
1470                 int i;
1471 
1472                 for (i = 1; i < SECINITSID_NUM; i++) {
1473                         if (!strcmp(initial_sid_to_string[i], scontext2)) {
1474                                 *sid = i;
1475                                 goto out;
1476                         }
1477                 }
1478                 *sid = SECINITSID_KERNEL;
1479                 goto out;
1480         }
1481         *sid = SECSID_NULL;
1482 
1483         if (force) {
1484                 /* Save another copy for storing in uninterpreted form */
1485                 rc = -ENOMEM;
1486                 str = kstrdup(scontext2, gfp_flags);
1487                 if (!str)
1488                         goto out;
1489         }
1490         read_lock(&state->ss->policy_rwlock);
1491         policydb = &state->ss->policydb;
1492         sidtab = &state->ss->sidtab;
1493         rc = string_to_context_struct(policydb, sidtab, scontext2,
1494                                       scontext_len, &context, def_sid);
1495         if (rc == -EINVAL && force) {
1496                 context.str = str;
1497                 context.len = strlen(str) + 1;
1498                 str = NULL;
1499         } else if (rc)
1500                 goto out_unlock;
1501         rc = sidtab_context_to_sid(sidtab, &context, sid);
1502         context_destroy(&context);
1503 out_unlock:
1504         read_unlock(&state->ss->policy_rwlock);
1505 out:
1506         kfree(scontext2);
1507         kfree(str);
1508         return rc;
1509 }
1510 
1511 /**
1512  * security_context_to_sid - Obtain a SID for a given security context.
1513  * @scontext: security context
1514  * @scontext_len: length in bytes
1515  * @sid: security identifier, SID
1516  * @gfp: context for the allocation
1517  *
1518  * Obtains a SID associated with the security context that
1519  * has the string representation specified by @scontext.
1520  * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
1521  * memory is available, or 0 on success.
1522  */
1523 int security_context_to_sid(struct selinux_state *state,
1524                             const char *scontext, u32 scontext_len, u32 *sid,
1525                             gfp_t gfp)
1526 {
1527         return security_context_to_sid_core(state, scontext, scontext_len,
1528                                             sid, SECSID_NULL, gfp, 0);
1529 }
1530 
1531 int security_context_str_to_sid(struct selinux_state *state,
1532                                 const char *scontext, u32 *sid, gfp_t gfp)
1533 {
1534         return security_context_to_sid(state, scontext, strlen(scontext),
1535                                        sid, gfp);
1536 }
1537 
1538 /**
1539  * security_context_to_sid_default - Obtain a SID for a given security context,
1540  * falling back to specified default if needed.
1541  *
1542  * @scontext: security context
1543  * @scontext_len: length in bytes
1544  * @sid: security identifier, SID
1545  * @def_sid: default SID to assign on error
1546  *
1547  * Obtains a SID associated with the security context that
1548  * has the string representation specified by @scontext.
1549  * The default SID is passed to the MLS layer to be used to allow
1550  * kernel labeling of the MLS field if the MLS field is not present
1551  * (for upgrading to MLS without full relabel).
1552  * Implicitly forces adding of the context even if it cannot be mapped yet.
1553  * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
1554  * memory is available, or 0 on success.
1555  */
1556 int security_context_to_sid_default(struct selinux_state *state,
1557                                     const char *scontext, u32 scontext_len,
1558                                     u32 *sid, u32 def_sid, gfp_t gfp_flags)
1559 {
1560         return security_context_to_sid_core(state, scontext, scontext_len,
1561                                             sid, def_sid, gfp_flags, 1);
1562 }
1563 
1564 int security_context_to_sid_force(struct selinux_state *state,
1565                                   const char *scontext, u32 scontext_len,
1566                                   u32 *sid)
1567 {
1568         return security_context_to_sid_core(state, scontext, scontext_len,
1569                                             sid, SECSID_NULL, GFP_KERNEL, 1);
1570 }
1571 
1572 static int compute_sid_handle_invalid_context(
1573         struct selinux_state *state,
1574         struct context *scontext,
1575         struct context *tcontext,
1576         u16 tclass,
1577         struct context *newcontext)
1578 {
1579         struct policydb *policydb = &state->ss->policydb;
1580         char *s = NULL, *t = NULL, *n = NULL;
1581         u32 slen, tlen, nlen;
1582 
1583         if (context_struct_to_string(policydb, scontext, &s, &slen))
1584                 goto out;
1585         if (context_struct_to_string(policydb, tcontext, &t, &tlen))
1586                 goto out;
1587         if (context_struct_to_string(policydb, newcontext, &n, &nlen))
1588                 goto out;
1589         audit_log(audit_context(), GFP_ATOMIC, AUDIT_SELINUX_ERR,
1590                   "op=security_compute_sid invalid_context=%s"
1591                   " scontext=%s"
1592                   " tcontext=%s"
1593                   " tclass=%s",
1594                   n, s, t, sym_name(policydb, SYM_CLASSES, tclass-1));
1595 out:
1596         kfree(s);
1597         kfree(t);
1598         kfree(n);
1599         if (!enforcing_enabled(state))
1600                 return 0;
1601         return -EACCES;
1602 }
1603 
1604 static void filename_compute_type(struct policydb *policydb,
1605                                   struct context *newcontext,
1606                                   u32 stype, u32 ttype, u16 tclass,
1607                                   const char *objname)
1608 {
1609         struct filename_trans ft;
1610         struct filename_trans_datum *otype;
1611 
1612         /*
1613          * Most filename trans rules are going to live in specific directories
1614          * like /dev or /var/run.  This bitmap will quickly skip rule searches
1615          * if the ttype does not contain any rules.
1616          */
1617         if (!ebitmap_get_bit(&policydb->filename_trans_ttypes, ttype))
1618                 return;
1619 
1620         ft.stype = stype;
1621         ft.ttype = ttype;
1622         ft.tclass = tclass;
1623         ft.name = objname;
1624 
1625         otype = hashtab_search(policydb->filename_trans, &ft);
1626         if (otype)
1627                 newcontext->type = otype->otype;
1628 }
1629 
1630 static int security_compute_sid(struct selinux_state *state,
1631                                 u32 ssid,
1632                                 u32 tsid,
1633                                 u16 orig_tclass,
1634                                 u32 specified,
1635                                 const char *objname,
1636                                 u32 *out_sid,
1637                                 bool kern)
1638 {
1639         struct policydb *policydb;
1640         struct sidtab *sidtab;
1641         struct class_datum *cladatum = NULL;
1642         struct context *scontext = NULL, *tcontext = NULL, newcontext;
1643         struct role_trans *roletr = NULL;
1644         struct avtab_key avkey;
1645         struct avtab_datum *avdatum;
1646         struct avtab_node *node;
1647         u16 tclass;
1648         int rc = 0;
1649         bool sock;
1650 
1651         if (!state->initialized) {
1652                 switch (orig_tclass) {
1653                 case SECCLASS_PROCESS: /* kernel value */
1654                         *out_sid = ssid;
1655                         break;
1656                 default:
1657                         *out_sid = tsid;
1658                         break;
1659                 }
1660                 goto out;
1661         }
1662 
1663         context_init(&newcontext);
1664 
1665         read_lock(&state->ss->policy_rwlock);
1666 
1667         if (kern) {
1668                 tclass = unmap_class(&state->ss->map, orig_tclass);
1669                 sock = security_is_socket_class(orig_tclass);
1670         } else {
1671                 tclass = orig_tclass;
1672                 sock = security_is_socket_class(map_class(&state->ss->map,
1673                                                           tclass));
1674         }
1675 
1676         policydb = &state->ss->policydb;
1677         sidtab = &state->ss->sidtab;
1678 
1679         scontext = sidtab_search(sidtab, ssid);
1680         if (!scontext) {
1681                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1682                        __func__, ssid);
1683                 rc = -EINVAL;
1684                 goto out_unlock;
1685         }
1686         tcontext = sidtab_search(sidtab, tsid);
1687         if (!tcontext) {
1688                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1689                        __func__, tsid);
1690                 rc = -EINVAL;
1691                 goto out_unlock;
1692         }
1693 
1694         if (tclass && tclass <= policydb->p_classes.nprim)
1695                 cladatum = policydb->class_val_to_struct[tclass - 1];
1696 
1697         /* Set the user identity. */
1698         switch (specified) {
1699         case AVTAB_TRANSITION:
1700         case AVTAB_CHANGE:
1701                 if (cladatum && cladatum->default_user == DEFAULT_TARGET) {
1702                         newcontext.user = tcontext->user;
1703                 } else {
1704                         /* notice this gets both DEFAULT_SOURCE and unset */
1705                         /* Use the process user identity. */
1706                         newcontext.user = scontext->user;
1707                 }
1708                 break;
1709         case AVTAB_MEMBER:
1710                 /* Use the related object owner. */
1711                 newcontext.user = tcontext->user;
1712                 break;
1713         }
1714 
1715         /* Set the role to default values. */
1716         if (cladatum && cladatum->default_role == DEFAULT_SOURCE) {
1717                 newcontext.role = scontext->role;
1718         } else if (cladatum && cladatum->default_role == DEFAULT_TARGET) {
1719                 newcontext.role = tcontext->role;
1720         } else {
1721                 if ((tclass == policydb->process_class) || (sock == true))
1722                         newcontext.role = scontext->role;
1723                 else
1724                         newcontext.role = OBJECT_R_VAL;
1725         }
1726 
1727         /* Set the type to default values. */
1728         if (cladatum && cladatum->default_type == DEFAULT_SOURCE) {
1729                 newcontext.type = scontext->type;
1730         } else if (cladatum && cladatum->default_type == DEFAULT_TARGET) {
1731                 newcontext.type = tcontext->type;
1732         } else {
1733                 if ((tclass == policydb->process_class) || (sock == true)) {
1734                         /* Use the type of process. */
1735                         newcontext.type = scontext->type;
1736                 } else {
1737                         /* Use the type of the related object. */
1738                         newcontext.type = tcontext->type;
1739                 }
1740         }
1741 
1742         /* Look for a type transition/member/change rule. */
1743         avkey.source_type = scontext->type;
1744         avkey.target_type = tcontext->type;
1745         avkey.target_class = tclass;
1746         avkey.specified = specified;
1747         avdatum = avtab_search(&policydb->te_avtab, &avkey);
1748 
1749         /* If no permanent rule, also check for enabled conditional rules */
1750         if (!avdatum) {
1751                 node = avtab_search_node(&policydb->te_cond_avtab, &avkey);
1752                 for (; node; node = avtab_search_node_next(node, specified)) {
1753                         if (node->key.specified & AVTAB_ENABLED) {
1754                                 avdatum = &node->datum;
1755                                 break;
1756                         }
1757                 }
1758         }
1759 
1760         if (avdatum) {
1761                 /* Use the type from the type transition/member/change rule. */
1762                 newcontext.type = avdatum->u.data;
1763         }
1764 
1765         /* if we have a objname this is a file trans check so check those rules */
1766         if (objname)
1767                 filename_compute_type(policydb, &newcontext, scontext->type,
1768                                       tcontext->type, tclass, objname);
1769 
1770         /* Check for class-specific changes. */
1771         if (specified & AVTAB_TRANSITION) {
1772                 /* Look for a role transition rule. */
1773                 for (roletr = policydb->role_tr; roletr;
1774                      roletr = roletr->next) {
1775                         if ((roletr->role == scontext->role) &&
1776                             (roletr->type == tcontext->type) &&
1777                             (roletr->tclass == tclass)) {
1778                                 /* Use the role transition rule. */
1779                                 newcontext.role = roletr->new_role;
1780                                 break;
1781                         }
1782                 }
1783         }
1784 
1785         /* Set the MLS attributes.
1786            This is done last because it may allocate memory. */
1787         rc = mls_compute_sid(policydb, scontext, tcontext, tclass, specified,
1788                              &newcontext, sock);
1789         if (rc)
1790                 goto out_unlock;
1791 
1792         /* Check the validity of the context. */
1793         if (!policydb_context_isvalid(policydb, &newcontext)) {
1794                 rc = compute_sid_handle_invalid_context(state, scontext,
1795                                                         tcontext,
1796                                                         tclass,
1797                                                         &newcontext);
1798                 if (rc)
1799                         goto out_unlock;
1800         }
1801         /* Obtain the sid for the context. */
1802         rc = sidtab_context_to_sid(sidtab, &newcontext, out_sid);
1803 out_unlock:
1804         read_unlock(&state->ss->policy_rwlock);
1805         context_destroy(&newcontext);
1806 out:
1807         return rc;
1808 }
1809 
1810 /**
1811  * security_transition_sid - Compute the SID for a new subject/object.
1812  * @ssid: source security identifier
1813  * @tsid: target security identifier
1814  * @tclass: target security class
1815  * @out_sid: security identifier for new subject/object
1816  *
1817  * Compute a SID to use for labeling a new subject or object in the
1818  * class @tclass based on a SID pair (@ssid, @tsid).
1819  * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
1820  * if insufficient memory is available, or %0 if the new SID was
1821  * computed successfully.
1822  */
1823 int security_transition_sid(struct selinux_state *state,
1824                             u32 ssid, u32 tsid, u16 tclass,
1825                             const struct qstr *qstr, u32 *out_sid)
1826 {
1827         return security_compute_sid(state, ssid, tsid, tclass,
1828                                     AVTAB_TRANSITION,
1829                                     qstr ? qstr->name : NULL, out_sid, true);
1830 }
1831 
1832 int security_transition_sid_user(struct selinux_state *state,
1833                                  u32 ssid, u32 tsid, u16 tclass,
1834                                  const char *objname, u32 *out_sid)
1835 {
1836         return security_compute_sid(state, ssid, tsid, tclass,
1837                                     AVTAB_TRANSITION,
1838                                     objname, out_sid, false);
1839 }
1840 
1841 /**
1842  * security_member_sid - Compute the SID for member selection.
1843  * @ssid: source security identifier
1844  * @tsid: target security identifier
1845  * @tclass: target security class
1846  * @out_sid: security identifier for selected member
1847  *
1848  * Compute a SID to use when selecting a member of a polyinstantiated
1849  * object of class @tclass based on a SID pair (@ssid, @tsid).
1850  * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
1851  * if insufficient memory is available, or %0 if the SID was
1852  * computed successfully.
1853  */
1854 int security_member_sid(struct selinux_state *state,
1855                         u32 ssid,
1856                         u32 tsid,
1857                         u16 tclass,
1858                         u32 *out_sid)
1859 {
1860         return security_compute_sid(state, ssid, tsid, tclass,
1861                                     AVTAB_MEMBER, NULL,
1862                                     out_sid, false);
1863 }
1864 
1865 /**
1866  * security_change_sid - Compute the SID for object relabeling.
1867  * @ssid: source security identifier
1868  * @tsid: target security identifier
1869  * @tclass: target security class
1870  * @out_sid: security identifier for selected member
1871  *
1872  * Compute a SID to use for relabeling an object of class @tclass
1873  * based on a SID pair (@ssid, @tsid).
1874  * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
1875  * if insufficient memory is available, or %0 if the SID was
1876  * computed successfully.
1877  */
1878 int security_change_sid(struct selinux_state *state,
1879                         u32 ssid,
1880                         u32 tsid,
1881                         u16 tclass,
1882                         u32 *out_sid)
1883 {
1884         return security_compute_sid(state,
1885                                     ssid, tsid, tclass, AVTAB_CHANGE, NULL,
1886                                     out_sid, false);
1887 }
1888 
1889 /* Clone the SID into the new SID table. */
1890 static int clone_sid(u32 sid,
1891                      struct context *context,
1892                      void *arg)
1893 {
1894         struct sidtab *s = arg;
1895 
1896         if (sid > SECINITSID_NUM)
1897                 return sidtab_insert(s, sid, context);
1898         else
1899                 return 0;
1900 }
1901 
1902 static inline int convert_context_handle_invalid_context(
1903         struct selinux_state *state,
1904         struct context *context)
1905 {
1906         struct policydb *policydb = &state->ss->policydb;
1907         char *s;
1908         u32 len;
1909 
1910         if (enforcing_enabled(state))
1911                 return -EINVAL;
1912 
1913         if (!context_struct_to_string(policydb, context, &s, &len)) {
1914                 printk(KERN_WARNING "SELinux:  Context %s would be invalid if enforcing\n", s);
1915                 kfree(s);
1916         }
1917         return 0;
1918 }
1919 
1920 struct convert_context_args {
1921         struct selinux_state *state;
1922         struct policydb *oldp;
1923         struct policydb *newp;
1924 };
1925 
1926 /*
1927  * Convert the values in the security context
1928  * structure `c' from the values specified
1929  * in the policy `p->oldp' to the values specified
1930  * in the policy `p->newp'.  Verify that the
1931  * context is valid under the new policy.
1932  */
1933 static int convert_context(u32 key,
1934                            struct context *c,
1935                            void *p)
1936 {
1937         struct convert_context_args *args;
1938         struct context oldc;
1939         struct ocontext *oc;
1940         struct mls_range *range;
1941         struct role_datum *role;
1942         struct type_datum *typdatum;
1943         struct user_datum *usrdatum;
1944         char *s;
1945         u32 len;
1946         int rc = 0;
1947 
1948         if (key <= SECINITSID_NUM)
1949                 goto out;
1950 
1951         args = p;
1952 
1953         if (c->str) {
1954                 struct context ctx;
1955 
1956                 rc = -ENOMEM;
1957                 s = kstrdup(c->str, GFP_KERNEL);
1958                 if (!s)
1959                         goto out;
1960 
1961                 rc = string_to_context_struct(args->newp, NULL, s,
1962                                               c->len, &ctx, SECSID_NULL);
1963                 kfree(s);
1964                 if (!rc) {
1965                         printk(KERN_INFO "SELinux:  Context %s became valid (mapped).\n",
1966                                c->str);
1967                         /* Replace string with mapped representation. */
1968                         kfree(c->str);
1969                         memcpy(c, &ctx, sizeof(*c));
1970                         goto out;
1971                 } else if (rc == -EINVAL) {
1972                         /* Retain string representation for later mapping. */
1973                         rc = 0;
1974                         goto out;
1975                 } else {
1976                         /* Other error condition, e.g. ENOMEM. */
1977                         printk(KERN_ERR "SELinux:   Unable to map context %s, rc = %d.\n",
1978                                c->str, -rc);
1979                         goto out;
1980                 }
1981         }
1982 
1983         rc = context_cpy(&oldc, c);
1984         if (rc)
1985                 goto out;
1986 
1987         /* Convert the user. */
1988         rc = -EINVAL;
1989         usrdatum = hashtab_search(args->newp->p_users.table,
1990                                   sym_name(args->oldp, SYM_USERS, c->user - 1));
1991         if (!usrdatum)
1992                 goto bad;
1993         c->user = usrdatum->value;
1994 
1995         /* Convert the role. */
1996         rc = -EINVAL;
1997         role = hashtab_search(args->newp->p_roles.table,
1998                               sym_name(args->oldp, SYM_ROLES, c->role - 1));
1999         if (!role)
2000                 goto bad;
2001         c->role = role->value;
2002 
2003         /* Convert the type. */
2004         rc = -EINVAL;
2005         typdatum = hashtab_search(args->newp->p_types.table,
2006                                   sym_name(args->oldp, SYM_TYPES, c->type - 1));
2007         if (!typdatum)
2008                 goto bad;
2009         c->type = typdatum->value;
2010 
2011         /* Convert the MLS fields if dealing with MLS policies */
2012         if (args->oldp->mls_enabled && args->newp->mls_enabled) {
2013                 rc = mls_convert_context(args->oldp, args->newp, c);
2014                 if (rc)
2015                         goto bad;
2016         } else if (args->oldp->mls_enabled && !args->newp->mls_enabled) {
2017                 /*
2018                  * Switching between MLS and non-MLS policy:
2019                  * free any storage used by the MLS fields in the
2020                  * context for all existing entries in the sidtab.
2021                  */
2022                 mls_context_destroy(c);
2023         } else if (!args->oldp->mls_enabled && args->newp->mls_enabled) {
2024                 /*
2025                  * Switching between non-MLS and MLS policy:
2026                  * ensure that the MLS fields of the context for all
2027                  * existing entries in the sidtab are filled in with a
2028                  * suitable default value, likely taken from one of the
2029                  * initial SIDs.
2030                  */
2031                 oc = args->newp->ocontexts[OCON_ISID];
2032                 while (oc && oc->sid[0] != SECINITSID_UNLABELED)
2033                         oc = oc->next;
2034                 rc = -EINVAL;
2035                 if (!oc) {
2036                         printk(KERN_ERR "SELinux:  unable to look up"
2037                                 " the initial SIDs list\n");
2038                         goto bad;
2039                 }
2040                 range = &oc->context[0].range;
2041                 rc = mls_range_set(c, range);
2042                 if (rc)
2043                         goto bad;
2044         }
2045 
2046         /* Check the validity of the new context. */
2047         if (!policydb_context_isvalid(args->newp, c)) {
2048                 rc = convert_context_handle_invalid_context(args->state,
2049                                                             &oldc);
2050                 if (rc)
2051                         goto bad;
2052         }
2053 
2054         context_destroy(&oldc);
2055 
2056         rc = 0;
2057 out:
2058         return rc;
2059 bad:
2060         /* Map old representation to string and save it. */
2061         rc = context_struct_to_string(args->oldp, &oldc, &s, &len);
2062         if (rc)
2063                 return rc;
2064         context_destroy(&oldc);
2065         context_destroy(c);
2066         c->str = s;
2067         c->len = len;
2068         printk(KERN_INFO "SELinux:  Context %s became invalid (unmapped).\n",
2069                c->str);
2070         rc = 0;
2071         goto out;
2072 }
2073 
2074 static void security_load_policycaps(struct selinux_state *state)
2075 {
2076         struct policydb *p = &state->ss->policydb;
2077         unsigned int i;
2078         struct ebitmap_node *node;
2079 
2080         for (i = 0; i < ARRAY_SIZE(state->policycap); i++)
2081                 state->policycap[i] = ebitmap_get_bit(&p->policycaps, i);
2082 
2083         for (i = 0; i < ARRAY_SIZE(selinux_policycap_names); i++)
2084                 pr_info("SELinux:  policy capability %s=%d\n",
2085                         selinux_policycap_names[i],
2086                         ebitmap_get_bit(&p->policycaps, i));
2087 
2088         ebitmap_for_each_positive_bit(&p->policycaps, node, i) {
2089                 if (i >= ARRAY_SIZE(selinux_policycap_names))
2090                         pr_info("SELinux:  unknown policy capability %u\n",
2091                                 i);
2092         }
2093 }
2094 
2095 static int security_preserve_bools(struct selinux_state *state,
2096                                    struct policydb *newpolicydb);
2097 
2098 /**
2099  * security_load_policy - Load a security policy configuration.
2100  * @data: binary policy data
2101  * @len: length of data in bytes
2102  *
2103  * Load a new set of security policy configuration data,
2104  * validate it and convert the SID table as necessary.
2105  * This function will flush the access vector cache after
2106  * loading the new policy.
2107  */
2108 int security_load_policy(struct selinux_state *state, void *data, size_t len)
2109 {
2110         struct policydb *policydb;
2111         struct sidtab *sidtab;
2112         struct policydb *oldpolicydb, *newpolicydb;
2113         struct sidtab oldsidtab, newsidtab;
2114         struct selinux_mapping *oldmapping;
2115         struct selinux_map newmap;
2116         struct convert_context_args args;
2117         u32 seqno;
2118         int rc = 0;
2119         struct policy_file file = { data, len }, *fp = &file;
2120 
2121         oldpolicydb = kcalloc(2, sizeof(*oldpolicydb), GFP_KERNEL);
2122         if (!oldpolicydb) {
2123                 rc = -ENOMEM;
2124                 goto out;
2125         }
2126         newpolicydb = oldpolicydb + 1;
2127 
2128         policydb = &state->ss->policydb;
2129         sidtab = &state->ss->sidtab;
2130 
2131         if (!state->initialized) {
2132                 rc = policydb_read(policydb, fp);
2133                 if (rc)
2134                         goto out;
2135 
2136                 policydb->len = len;
2137                 rc = selinux_set_mapping(policydb, secclass_map,
2138                                          &state->ss->map);
2139                 if (rc) {
2140                         policydb_destroy(policydb);
2141                         goto out;
2142                 }
2143 
2144                 rc = policydb_load_isids(policydb, sidtab);
2145                 if (rc) {
2146                         policydb_destroy(policydb);
2147                         goto out;
2148                 }
2149 
2150                 security_load_policycaps(state);
2151                 state->initialized = 1;
2152                 seqno = ++state->ss->latest_granting;
2153                 selinux_complete_init();
2154                 avc_ss_reset(state->avc, seqno);
2155                 selnl_notify_policyload(seqno);
2156                 selinux_status_update_policyload(state, seqno);
2157                 selinux_netlbl_cache_invalidate();
2158                 selinux_xfrm_notify_policyload();
2159                 goto out;
2160         }
2161 
2162 #if 0
2163         sidtab_hash_eval(sidtab, "sids");
2164 #endif
2165 
2166         rc = policydb_read(newpolicydb, fp);
2167         if (rc)
2168                 goto out;
2169 
2170         newpolicydb->len = len;
2171         /* If switching between different policy types, log MLS status */
2172         if (policydb->mls_enabled && !newpolicydb->mls_enabled)
2173                 printk(KERN_INFO "SELinux: Disabling MLS support...\n");
2174         else if (!policydb->mls_enabled && newpolicydb->mls_enabled)
2175                 printk(KERN_INFO "SELinux: Enabling MLS support...\n");
2176 
2177         rc = policydb_load_isids(newpolicydb, &newsidtab);
2178         if (rc) {
2179                 printk(KERN_ERR "SELinux:  unable to load the initial SIDs\n");
2180                 policydb_destroy(newpolicydb);
2181                 goto out;
2182         }
2183 
2184         rc = selinux_set_mapping(newpolicydb, secclass_map, &newmap);
2185         if (rc)
2186                 goto err;
2187 
2188         rc = security_preserve_bools(state, newpolicydb);
2189         if (rc) {
2190                 printk(KERN_ERR "SELinux:  unable to preserve booleans\n");
2191                 goto err;
2192         }
2193 
2194         /* Clone the SID table. */
2195         sidtab_shutdown(sidtab);
2196 
2197         rc = sidtab_map(sidtab, clone_sid, &newsidtab);
2198         if (rc)
2199                 goto err;
2200 
2201         /*
2202          * Convert the internal representations of contexts
2203          * in the new SID table.
2204          */
2205         args.state = state;
2206         args.oldp = policydb;
2207         args.newp = newpolicydb;
2208         rc = sidtab_map(&newsidtab, convert_context, &args);
2209         if (rc) {
2210                 printk(KERN_ERR "SELinux:  unable to convert the internal"
2211                         " representation of contexts in the new SID"
2212                         " table\n");
2213                 goto err;
2214         }
2215 
2216         /* Save the old policydb and SID table to free later. */
2217         memcpy(oldpolicydb, policydb, sizeof(*policydb));
2218         sidtab_set(&oldsidtab, sidtab);
2219 
2220         /* Install the new policydb and SID table. */
2221         write_lock_irq(&state->ss->policy_rwlock);
2222         memcpy(policydb, newpolicydb, sizeof(*policydb));
2223         sidtab_set(sidtab, &newsidtab);
2224         security_load_policycaps(state);
2225         oldmapping = state->ss->map.mapping;
2226         state->ss->map.mapping = newmap.mapping;
2227         state->ss->map.size = newmap.size;
2228         seqno = ++state->ss->latest_granting;
2229         write_unlock_irq(&state->ss->policy_rwlock);
2230 
2231         /* Free the old policydb and SID table. */
2232         policydb_destroy(oldpolicydb);
2233         sidtab_destroy(&oldsidtab);
2234         kfree(oldmapping);
2235 
2236         avc_ss_reset(state->avc, seqno);
2237         selnl_notify_policyload(seqno);
2238         selinux_status_update_policyload(state, seqno);
2239         selinux_netlbl_cache_invalidate();
2240         selinux_xfrm_notify_policyload();
2241 
2242         rc = 0;
2243         goto out;
2244 
2245 err:
2246         kfree(newmap.mapping);
2247         sidtab_destroy(&newsidtab);
2248         policydb_destroy(newpolicydb);
2249 
2250 out:
2251         kfree(oldpolicydb);
2252         return rc;
2253 }
2254 
2255 size_t security_policydb_len(struct selinux_state *state)
2256 {
2257         struct policydb *p = &state->ss->policydb;
2258         size_t len;
2259 
2260         read_lock(&state->ss->policy_rwlock);
2261         len = p->len;
2262         read_unlock(&state->ss->policy_rwlock);
2263 
2264         return len;
2265 }
2266 
2267 /**
2268  * security_port_sid - Obtain the SID for a port.
2269  * @protocol: protocol number
2270  * @port: port number
2271  * @out_sid: security identifier
2272  */
2273 int security_port_sid(struct selinux_state *state,
2274                       u8 protocol, u16 port, u32 *out_sid)
2275 {
2276         struct policydb *policydb;
2277         struct sidtab *sidtab;
2278         struct ocontext *c;
2279         int rc = 0;
2280 
2281         read_lock(&state->ss->policy_rwlock);
2282 
2283         policydb = &state->ss->policydb;
2284         sidtab = &state->ss->sidtab;
2285 
2286         c = policydb->ocontexts[OCON_PORT];
2287         while (c) {
2288                 if (c->u.port.protocol == protocol &&
2289                     c->u.port.low_port <= port &&
2290                     c->u.port.high_port >= port)
2291                         break;
2292                 c = c->next;
2293         }
2294 
2295         if (c) {
2296                 if (!c->sid[0]) {
2297                         rc = sidtab_context_to_sid(sidtab,
2298                                                    &c->context[0],
2299                                                    &c->sid[0]);
2300                         if (rc)
2301                                 goto out;
2302                 }
2303                 *out_sid = c->sid[0];
2304         } else {
2305                 *out_sid = SECINITSID_PORT;
2306         }
2307 
2308 out:
2309         read_unlock(&state->ss->policy_rwlock);
2310         return rc;
2311 }
2312 
2313 /**
2314  * security_pkey_sid - Obtain the SID for a pkey.
2315  * @subnet_prefix: Subnet Prefix
2316  * @pkey_num: pkey number
2317  * @out_sid: security identifier
2318  */
2319 int security_ib_pkey_sid(struct selinux_state *state,
2320                          u64 subnet_prefix, u16 pkey_num, u32 *out_sid)
2321 {
2322         struct policydb *policydb;
2323         struct sidtab *sidtab;
2324         struct ocontext *c;
2325         int rc = 0;
2326 
2327         read_lock(&state->ss->policy_rwlock);
2328 
2329         policydb = &state->ss->policydb;
2330         sidtab = &state->ss->sidtab;
2331 
2332         c = policydb->ocontexts[OCON_IBPKEY];
2333         while (c) {
2334                 if (c->u.ibpkey.low_pkey <= pkey_num &&
2335                     c->u.ibpkey.high_pkey >= pkey_num &&
2336                     c->u.ibpkey.subnet_prefix == subnet_prefix)
2337                         break;
2338 
2339                 c = c->next;
2340         }
2341 
2342         if (c) {
2343                 if (!c->sid[0]) {
2344                         rc = sidtab_context_to_sid(sidtab,
2345                                                    &c->context[0],
2346                                                    &c->sid[0]);
2347                         if (rc)
2348                                 goto out;
2349                 }
2350                 *out_sid = c->sid[0];
2351         } else
2352                 *out_sid = SECINITSID_UNLABELED;
2353 
2354 out:
2355         read_unlock(&state->ss->policy_rwlock);
2356         return rc;
2357 }
2358 
2359 /**
2360  * security_ib_endport_sid - Obtain the SID for a subnet management interface.
2361  * @dev_name: device name
2362  * @port: port number
2363  * @out_sid: security identifier
2364  */
2365 int security_ib_endport_sid(struct selinux_state *state,
2366                             const char *dev_name, u8 port_num, u32 *out_sid)
2367 {
2368         struct policydb *policydb;
2369         struct sidtab *sidtab;
2370         struct ocontext *c;
2371         int rc = 0;
2372 
2373         read_lock(&state->ss->policy_rwlock);
2374 
2375         policydb = &state->ss->policydb;
2376         sidtab = &state->ss->sidtab;
2377 
2378         c = policydb->ocontexts[OCON_IBENDPORT];
2379         while (c) {
2380                 if (c->u.ibendport.port == port_num &&
2381                     !strncmp(c->u.ibendport.dev_name,
2382                              dev_name,
2383                              IB_DEVICE_NAME_MAX))
2384                         break;
2385 
2386                 c = c->next;
2387         }
2388 
2389         if (c) {
2390                 if (!c->sid[0]) {
2391                         rc = sidtab_context_to_sid(sidtab,
2392                                                    &c->context[0],
2393                                                    &c->sid[0]);
2394                         if (rc)
2395                                 goto out;
2396                 }
2397                 *out_sid = c->sid[0];
2398         } else
2399                 *out_sid = SECINITSID_UNLABELED;
2400 
2401 out:
2402         read_unlock(&state->ss->policy_rwlock);
2403         return rc;
2404 }
2405 
2406 /**
2407  * security_netif_sid - Obtain the SID for a network interface.
2408  * @name: interface name
2409  * @if_sid: interface SID
2410  */
2411 int security_netif_sid(struct selinux_state *state,
2412                        char *name, u32 *if_sid)
2413 {
2414         struct policydb *policydb;
2415         struct sidtab *sidtab;
2416         int rc = 0;
2417         struct ocontext *c;
2418 
2419         read_lock(&state->ss->policy_rwlock);
2420 
2421         policydb = &state->ss->policydb;
2422         sidtab = &state->ss->sidtab;
2423 
2424         c = policydb->ocontexts[OCON_NETIF];
2425         while (c) {
2426                 if (strcmp(name, c->u.name) == 0)
2427                         break;
2428                 c = c->next;
2429         }
2430 
2431         if (c) {
2432                 if (!c->sid[0] || !c->sid[1]) {
2433                         rc = sidtab_context_to_sid(sidtab,
2434                                                   &c->context[0],
2435                                                   &c->sid[0]);
2436                         if (rc)
2437                                 goto out;
2438                         rc = sidtab_context_to_sid(sidtab,
2439                                                    &c->context[1],
2440                                                    &c->sid[1]);
2441                         if (rc)
2442                                 goto out;
2443                 }
2444                 *if_sid = c->sid[0];
2445         } else
2446                 *if_sid = SECINITSID_NETIF;
2447 
2448 out:
2449         read_unlock(&state->ss->policy_rwlock);
2450         return rc;
2451 }
2452 
2453 static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask)
2454 {
2455         int i, fail = 0;
2456 
2457         for (i = 0; i < 4; i++)
2458                 if (addr[i] != (input[i] & mask[i])) {
2459                         fail = 1;
2460                         break;
2461                 }
2462 
2463         return !fail;
2464 }
2465 
2466 /**
2467  * security_node_sid - Obtain the SID for a node (host).
2468  * @domain: communication domain aka address family
2469  * @addrp: address
2470  * @addrlen: address length in bytes
2471  * @out_sid: security identifier
2472  */
2473 int security_node_sid(struct selinux_state *state,
2474                       u16 domain,
2475                       void *addrp,
2476                       u32 addrlen,
2477                       u32 *out_sid)
2478 {
2479         struct policydb *policydb;
2480         struct sidtab *sidtab;
2481         int rc;
2482         struct ocontext *c;
2483 
2484         read_lock(&state->ss->policy_rwlock);
2485 
2486         policydb = &state->ss->policydb;
2487         sidtab = &state->ss->sidtab;
2488 
2489         switch (domain) {
2490         case AF_INET: {
2491                 u32 addr;
2492 
2493                 rc = -EINVAL;
2494                 if (addrlen != sizeof(u32))
2495                         goto out;
2496 
2497                 addr = *((u32 *)addrp);
2498 
2499                 c = policydb->ocontexts[OCON_NODE];
2500                 while (c) {
2501                         if (c->u.node.addr == (addr & c->u.node.mask))
2502                                 break;
2503                         c = c->next;
2504                 }
2505                 break;
2506         }
2507 
2508         case AF_INET6:
2509                 rc = -EINVAL;
2510                 if (addrlen != sizeof(u64) * 2)
2511                         goto out;
2512                 c = policydb->ocontexts[OCON_NODE6];
2513                 while (c) {
2514                         if (match_ipv6_addrmask(addrp, c->u.node6.addr,
2515                                                 c->u.node6.mask))
2516                                 break;
2517                         c = c->next;
2518                 }
2519                 break;
2520 
2521         default:
2522                 rc = 0;
2523                 *out_sid = SECINITSID_NODE;
2524                 goto out;
2525         }
2526 
2527         if (c) {
2528                 if (!c->sid[0]) {
2529                         rc = sidtab_context_to_sid(sidtab,
2530                                                    &c->context[0],
2531                                                    &c->sid[0]);
2532                         if (rc)
2533                                 goto out;
2534                 }
2535                 *out_sid = c->sid[0];
2536         } else {
2537                 *out_sid = SECINITSID_NODE;
2538         }
2539 
2540         rc = 0;
2541 out:
2542         read_unlock(&state->ss->policy_rwlock);
2543         return rc;
2544 }
2545 
2546 #define SIDS_NEL 25
2547 
2548 /**
2549  * security_get_user_sids - Obtain reachable SIDs for a user.
2550  * @fromsid: starting SID
2551  * @username: username
2552  * @sids: array of reachable SIDs for user
2553  * @nel: number of elements in @sids
2554  *
2555  * Generate the set of SIDs for legal security contexts
2556  * for a given user that can be reached by @fromsid.
2557  * Set *@sids to point to a dynamically allocated
2558  * array containing the set of SIDs.  Set *@nel to the
2559  * number of elements in the array.
2560  */
2561 
2562 int security_get_user_sids(struct selinux_state *state,
2563                            u32 fromsid,
2564                            char *username,
2565                            u32 **sids,
2566                            u32 *nel)
2567 {
2568         struct policydb *policydb;
2569         struct sidtab *sidtab;
2570         struct context *fromcon, usercon;
2571         u32 *mysids = NULL, *mysids2, sid;
2572         u32 mynel = 0, maxnel = SIDS_NEL;
2573         struct user_datum *user;
2574         struct role_datum *role;
2575         struct ebitmap_node *rnode, *tnode;
2576         int rc = 0, i, j;
2577 
2578         *sids = NULL;
2579         *nel = 0;
2580 
2581         if (!state->initialized)
2582                 goto out;
2583 
2584         read_lock(&state->ss->policy_rwlock);
2585 
2586         policydb = &state->ss->policydb;
2587         sidtab = &state->ss->sidtab;
2588 
2589         context_init(&usercon);
2590 
2591         rc = -EINVAL;
2592         fromcon = sidtab_search(sidtab, fromsid);
2593         if (!fromcon)
2594                 goto out_unlock;
2595 
2596         rc = -EINVAL;
2597         user = hashtab_search(policydb->p_users.table, username);
2598         if (!user)
2599                 goto out_unlock;
2600 
2601         usercon.user = user->value;
2602 
2603         rc = -ENOMEM;
2604         mysids = kcalloc(maxnel, sizeof(*mysids), GFP_ATOMIC);
2605         if (!mysids)
2606                 goto out_unlock;
2607 
2608         ebitmap_for_each_positive_bit(&user->roles, rnode, i) {
2609                 role = policydb->role_val_to_struct[i];
2610                 usercon.role = i + 1;
2611                 ebitmap_for_each_positive_bit(&role->types, tnode, j) {
2612                         usercon.type = j + 1;
2613 
2614                         if (mls_setup_user_range(policydb, fromcon, user,
2615                                                  &usercon))
2616                                 continue;
2617 
2618                         rc = sidtab_context_to_sid(sidtab, &usercon, &sid);
2619                         if (rc)
2620                                 goto out_unlock;
2621                         if (mynel < maxnel) {
2622                                 mysids[mynel++] = sid;
2623                         } else {
2624                                 rc = -ENOMEM;
2625                                 maxnel += SIDS_NEL;
2626                                 mysids2 = kcalloc(maxnel, sizeof(*mysids2), GFP_ATOMIC);
2627                                 if (!mysids2)
2628                                         goto out_unlock;
2629                                 memcpy(mysids2, mysids, mynel * sizeof(*mysids2));
2630                                 kfree(mysids);
2631                                 mysids = mysids2;
2632                                 mysids[mynel++] = sid;
2633                         }
2634                 }
2635         }
2636         rc = 0;
2637 out_unlock:
2638         read_unlock(&state->ss->policy_rwlock);
2639         if (rc || !mynel) {
2640                 kfree(mysids);
2641                 goto out;
2642         }
2643 
2644         rc = -ENOMEM;
2645         mysids2 = kcalloc(mynel, sizeof(*mysids2), GFP_KERNEL);
2646         if (!mysids2) {
2647                 kfree(mysids);
2648                 goto out;
2649         }
2650         for (i = 0, j = 0; i < mynel; i++) {
2651                 struct av_decision dummy_avd;
2652                 rc = avc_has_perm_noaudit(state,
2653                                           fromsid, mysids[i],
2654                                           SECCLASS_PROCESS, /* kernel value */
2655                                           PROCESS__TRANSITION, AVC_STRICT,
2656                                           &dummy_avd);
2657                 if (!rc)
2658                         mysids2[j++] = mysids[i];
2659                 cond_resched();
2660         }
2661         rc = 0;
2662         kfree(mysids);
2663         *sids = mysids2;
2664         *nel = j;
2665 out:
2666         return rc;
2667 }
2668 
2669 /**
2670  * __security_genfs_sid - Helper to obtain a SID for a file in a filesystem
2671  * @fstype: filesystem type
2672  * @path: path from root of mount
2673  * @sclass: file security class
2674  * @sid: SID for path
2675  *
2676  * Obtain a SID to use for a file in a filesystem that
2677  * cannot support xattr or use a fixed labeling behavior like
2678  * transition SIDs or task SIDs.
2679  *
2680  * The caller must acquire the policy_rwlock before calling this function.
2681  */
2682 static inline int __security_genfs_sid(struct selinux_state *state,
2683                                        const char *fstype,
2684                                        char *path,
2685                                        u16 orig_sclass,
2686                                        u32 *sid)
2687 {
2688         struct policydb *policydb = &state->ss->policydb;
2689         struct sidtab *sidtab = &state->ss->sidtab;
2690         int len;
2691         u16 sclass;
2692         struct genfs *genfs;
2693         struct ocontext *c;
2694         int rc, cmp = 0;
2695 
2696         while (path[0] == '/' && path[1] == '/')
2697                 path++;
2698 
2699         sclass = unmap_class(&state->ss->map, orig_sclass);
2700         *sid = SECINITSID_UNLABELED;
2701 
2702         for (genfs = policydb->genfs; genfs; genfs = genfs->next) {
2703                 cmp = strcmp(fstype, genfs->fstype);
2704                 if (cmp <= 0)
2705                         break;
2706         }
2707 
2708         rc = -ENOENT;
2709         if (!genfs || cmp)
2710                 goto out;
2711 
2712         for (c = genfs->head; c; c = c->next) {
2713                 len = strlen(c->u.name);
2714                 if ((!c->v.sclass || sclass == c->v.sclass) &&
2715                     (strncmp(c->u.name, path, len) == 0))
2716                         break;
2717         }
2718 
2719         rc = -ENOENT;
2720         if (!c)
2721                 goto out;
2722 
2723         if (!c->sid[0]) {
2724                 rc = sidtab_context_to_sid(sidtab, &c->context[0], &c->sid[0]);
2725                 if (rc)
2726                         goto out;
2727         }
2728 
2729         *sid = c->sid[0];
2730         rc = 0;
2731 out:
2732         return rc;
2733 }
2734 
2735 /**
2736  * security_genfs_sid - Obtain a SID for a file in a filesystem
2737  * @fstype: filesystem type
2738  * @path: path from root of mount
2739  * @sclass: file security class
2740  * @sid: SID for path
2741  *
2742  * Acquire policy_rwlock before calling __security_genfs_sid() and release
2743  * it afterward.
2744  */
2745 int security_genfs_sid(struct selinux_state *state,
2746                        const char *fstype,
2747                        char *path,
2748                        u16 orig_sclass,
2749                        u32 *sid)
2750 {
2751         int retval;
2752 
2753         read_lock(&state->ss->policy_rwlock);
2754         retval = __security_genfs_sid(state, fstype, path, orig_sclass, sid);
2755         read_unlock(&state->ss->policy_rwlock);
2756         return retval;
2757 }
2758 
2759 /**
2760  * security_fs_use - Determine how to handle labeling for a filesystem.
2761  * @sb: superblock in question
2762  */
2763 int security_fs_use(struct selinux_state *state, struct super_block *sb)
2764 {
2765         struct policydb *policydb;
2766         struct sidtab *sidtab;
2767         int rc = 0;
2768         struct ocontext *c;
2769         struct superblock_security_struct *sbsec = sb->s_security;
2770         const char *fstype = sb->s_type->name;
2771 
2772         read_lock(&state->ss->policy_rwlock);
2773 
2774         policydb = &state->ss->policydb;
2775         sidtab = &state->ss->sidtab;
2776 
2777         c = policydb->ocontexts[OCON_FSUSE];
2778         while (c) {
2779                 if (strcmp(fstype, c->u.name) == 0)
2780                         break;
2781                 c = c->next;
2782         }
2783 
2784         if (c) {
2785                 sbsec->behavior = c->v.behavior;
2786                 if (!c->sid[0]) {
2787                         rc = sidtab_context_to_sid(sidtab, &c->context[0],
2788                                                    &c->sid[0]);
2789                         if (rc)
2790                                 goto out;
2791                 }
2792                 sbsec->sid = c->sid[0];
2793         } else {
2794                 rc = __security_genfs_sid(state, fstype, "/", SECCLASS_DIR,
2795                                           &sbsec->sid);
2796                 if (rc) {
2797                         sbsec->behavior = SECURITY_FS_USE_NONE;
2798                         rc = 0;
2799                 } else {
2800                         sbsec->behavior = SECURITY_FS_USE_GENFS;
2801                 }
2802         }
2803 
2804 out:
2805         read_unlock(&state->ss->policy_rwlock);
2806         return rc;
2807 }
2808 
2809 int security_get_bools(struct selinux_state *state,
2810                        int *len, char ***names, int **values)
2811 {
2812         struct policydb *policydb;
2813         int i, rc;
2814 
2815         if (!state->initialized) {
2816                 *len = 0;
2817                 *names = NULL;
2818                 *values = NULL;
2819                 return 0;
2820         }
2821 
2822         read_lock(&state->ss->policy_rwlock);
2823 
2824         policydb = &state->ss->policydb;
2825 
2826         *names = NULL;
2827         *values = NULL;
2828 
2829         rc = 0;
2830         *len = policydb->p_bools.nprim;
2831         if (!*len)
2832                 goto out;
2833 
2834         rc = -ENOMEM;
2835         *names = kcalloc(*len, sizeof(char *), GFP_ATOMIC);
2836         if (!*names)
2837                 goto err;
2838 
2839         rc = -ENOMEM;
2840         *values = kcalloc(*len, sizeof(int), GFP_ATOMIC);
2841         if (!*values)
2842                 goto err;
2843 
2844         for (i = 0; i < *len; i++) {
2845                 (*values)[i] = policydb->bool_val_to_struct[i]->state;
2846 
2847                 rc = -ENOMEM;
2848                 (*names)[i] = kstrdup(sym_name(policydb, SYM_BOOLS, i),
2849                                       GFP_ATOMIC);
2850                 if (!(*names)[i])
2851                         goto err;
2852         }
2853         rc = 0;
2854 out:
2855         read_unlock(&state->ss->policy_rwlock);
2856         return rc;
2857 err:
2858         if (*names) {
2859                 for (i = 0; i < *len; i++)
2860                         kfree((*names)[i]);
2861         }
2862         kfree(*values);
2863         goto out;
2864 }
2865 
2866 
2867 int security_set_bools(struct selinux_state *state, int len, int *values)
2868 {
2869         struct policydb *policydb;
2870         int i, rc;
2871         int lenp, seqno = 0;
2872         struct cond_node *cur;
2873 
2874         write_lock_irq(&state->ss->policy_rwlock);
2875 
2876         policydb = &state->ss->policydb;
2877 
2878         rc = -EFAULT;
2879         lenp = policydb->p_bools.nprim;
2880         if (len != lenp)
2881                 goto out;
2882 
2883         for (i = 0; i < len; i++) {
2884                 if (!!values[i] != policydb->bool_val_to_struct[i]->state) {
2885                         audit_log(audit_context(), GFP_ATOMIC,
2886                                 AUDIT_MAC_CONFIG_CHANGE,
2887                                 "bool=%s val=%d old_val=%d auid=%u ses=%u",
2888                                 sym_name(policydb, SYM_BOOLS, i),
2889                                 !!values[i],
2890                                 policydb->bool_val_to_struct[i]->state,
2891                                 from_kuid(&init_user_ns, audit_get_loginuid(current)),
2892                                 audit_get_sessionid(current));
2893                 }
2894                 if (values[i])
2895                         policydb->bool_val_to_struct[i]->state = 1;
2896                 else
2897                         policydb->bool_val_to_struct[i]->state = 0;
2898         }
2899 
2900         for (cur = policydb->cond_list; cur; cur = cur->next) {
2901                 rc = evaluate_cond_node(policydb, cur);
2902                 if (rc)
2903                         goto out;
2904         }
2905 
2906         seqno = ++state->ss->latest_granting;
2907         rc = 0;
2908 out:
2909         write_unlock_irq(&state->ss->policy_rwlock);
2910         if (!rc) {
2911                 avc_ss_reset(state->avc, seqno);
2912                 selnl_notify_policyload(seqno);
2913                 selinux_status_update_policyload(state, seqno);
2914                 selinux_xfrm_notify_policyload();
2915         }
2916         return rc;
2917 }
2918 
2919 int security_get_bool_value(struct selinux_state *state,
2920                             int index)
2921 {
2922         struct policydb *policydb;
2923         int rc;
2924         int len;
2925 
2926         read_lock(&state->ss->policy_rwlock);
2927 
2928         policydb = &state->ss->policydb;
2929 
2930         rc = -EFAULT;
2931         len = policydb->p_bools.nprim;
2932         if (index >= len)
2933                 goto out;
2934 
2935         rc = policydb->bool_val_to_struct[index]->state;
2936 out:
2937         read_unlock(&state->ss->policy_rwlock);
2938         return rc;
2939 }
2940 
2941 static int security_preserve_bools(struct selinux_state *state,
2942                                    struct policydb *policydb)
2943 {
2944         int rc, nbools = 0, *bvalues = NULL, i;
2945         char **bnames = NULL;
2946         struct cond_bool_datum *booldatum;
2947         struct cond_node *cur;
2948 
2949         rc = security_get_bools(state, &nbools, &bnames, &bvalues);
2950         if (rc)
2951                 goto out;
2952         for (i = 0; i < nbools; i++) {
2953                 booldatum = hashtab_search(policydb->p_bools.table, bnames[i]);
2954                 if (booldatum)
2955                         booldatum->state = bvalues[i];
2956         }
2957         for (cur = policydb->cond_list; cur; cur = cur->next) {
2958                 rc = evaluate_cond_node(policydb, cur);
2959                 if (rc)
2960                         goto out;
2961         }
2962 
2963 out:
2964         if (bnames) {
2965                 for (i = 0; i < nbools; i++)
2966                         kfree(bnames[i]);
2967         }
2968         kfree(bnames);
2969         kfree(bvalues);
2970         return rc;
2971 }
2972 
2973 /*
2974  * security_sid_mls_copy() - computes a new sid based on the given
2975  * sid and the mls portion of mls_sid.
2976  */
2977 int security_sid_mls_copy(struct selinux_state *state,
2978                           u32 sid, u32 mls_sid, u32 *new_sid)
2979 {
2980         struct policydb *policydb = &state->ss->policydb;
2981         struct sidtab *sidtab = &state->ss->sidtab;
2982         struct context *context1;
2983         struct context *context2;
2984         struct context newcon;
2985         char *s;
2986         u32 len;
2987         int rc;
2988 
2989         rc = 0;
2990         if (!state->initialized || !policydb->mls_enabled) {
2991                 *new_sid = sid;
2992                 goto out;
2993         }
2994 
2995         context_init(&newcon);
2996 
2997         read_lock(&state->ss->policy_rwlock);
2998 
2999         rc = -EINVAL;
3000         context1 = sidtab_search(sidtab, sid);
3001         if (!context1) {
3002                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
3003                         __func__, sid);
3004                 goto out_unlock;
3005         }
3006 
3007         rc = -EINVAL;
3008         context2 = sidtab_search(sidtab, mls_sid);
3009         if (!context2) {
3010                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
3011                         __func__, mls_sid);
3012                 goto out_unlock;
3013         }
3014 
3015         newcon.user = context1->user;
3016         newcon.role = context1->role;
3017         newcon.type = context1->type;
3018         rc = mls_context_cpy(&newcon, context2);
3019         if (rc)
3020                 goto out_unlock;
3021 
3022         /* Check the validity of the new context. */
3023         if (!policydb_context_isvalid(policydb, &newcon)) {
3024                 rc = convert_context_handle_invalid_context(state, &newcon);
3025                 if (rc) {
3026                         if (!context_struct_to_string(policydb, &newcon, &s,
3027                                                       &len)) {
3028                                 audit_log(audit_context(),
3029                                           GFP_ATOMIC, AUDIT_SELINUX_ERR,
3030                                           "op=security_sid_mls_copy "
3031                                           "invalid_context=%s", s);
3032                                 kfree(s);
3033                         }
3034                         goto out_unlock;
3035                 }
3036         }
3037 
3038         rc = sidtab_context_to_sid(sidtab, &newcon, new_sid);
3039 out_unlock:
3040         read_unlock(&state->ss->policy_rwlock);
3041         context_destroy(&newcon);
3042 out:
3043         return rc;
3044 }
3045 
3046 /**
3047  * security_net_peersid_resolve - Compare and resolve two network peer SIDs
3048  * @nlbl_sid: NetLabel SID
3049  * @nlbl_type: NetLabel labeling protocol type
3050  * @xfrm_sid: XFRM SID
3051  *
3052  * Description:
3053  * Compare the @nlbl_sid and @xfrm_sid values and if the two SIDs can be
3054  * resolved into a single SID it is returned via @peer_sid and the function
3055  * returns zero.  Otherwise @peer_sid is set to SECSID_NULL and the function
3056  * returns a negative value.  A table summarizing the behavior is below:
3057  *
3058  *                                 | function return |      @sid
3059  *   ------------------------------+-----------------+-----------------
3060  *   no peer labels                |        0        |    SECSID_NULL
3061  *   single peer label             |        0        |    <peer_label>
3062  *   multiple, consistent labels   |        0        |    <peer_label>
3063  *   multiple, inconsistent labels |    -<errno>     |    SECSID_NULL
3064  *
3065  */
3066 int security_net_peersid_resolve(struct selinux_state *state,
3067                                  u32 nlbl_sid, u32 nlbl_type,
3068                                  u32 xfrm_sid,
3069                                  u32 *peer_sid)
3070 {
3071         struct policydb *policydb = &state->ss->policydb;
3072         struct sidtab *sidtab = &state->ss->sidtab;
3073         int rc;
3074         struct context *nlbl_ctx;
3075         struct context *xfrm_ctx;
3076 
3077         *peer_sid = SECSID_NULL;
3078 
3079         /* handle the common (which also happens to be the set of easy) cases
3080          * right away, these two if statements catch everything involving a
3081          * single or absent peer SID/label */
3082         if (xfrm_sid == SECSID_NULL) {
3083                 *peer_sid = nlbl_sid;
3084                 return 0;
3085         }
3086         /* NOTE: an nlbl_type == NETLBL_NLTYPE_UNLABELED is a "fallback" label
3087          * and is treated as if nlbl_sid == SECSID_NULL when a XFRM SID/label
3088          * is present */
3089         if (nlbl_sid == SECSID_NULL || nlbl_type == NETLBL_NLTYPE_UNLABELED) {
3090                 *peer_sid = xfrm_sid;
3091                 return 0;
3092         }
3093 
3094         /*
3095          * We don't need to check initialized here since the only way both
3096          * nlbl_sid and xfrm_sid are not equal to SECSID_NULL would be if the
3097          * security server was initialized and state->initialized was true.
3098          */
3099         if (!policydb->mls_enabled)
3100                 return 0;
3101 
3102         read_lock(&state->ss->policy_rwlock);
3103 
3104         rc = -EINVAL;
3105         nlbl_ctx = sidtab_search(sidtab, nlbl_sid);
3106         if (!nlbl_ctx) {
3107                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
3108                        __func__, nlbl_sid);
3109                 goto out;
3110         }
3111         rc = -EINVAL;
3112         xfrm_ctx = sidtab_search(sidtab, xfrm_sid);
3113         if (!xfrm_ctx) {
3114                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
3115                        __func__, xfrm_sid);
3116                 goto out;
3117         }
3118         rc = (mls_context_cmp(nlbl_ctx, xfrm_ctx) ? 0 : -EACCES);
3119         if (rc)
3120                 goto out;
3121 
3122         /* at present NetLabel SIDs/labels really only carry MLS
3123          * information so if the MLS portion of the NetLabel SID
3124          * matches the MLS portion of the labeled XFRM SID/label
3125          * then pass along the XFRM SID as it is the most
3126          * expressive */
3127         *peer_sid = xfrm_sid;
3128 out:
3129         read_unlock(&state->ss->policy_rwlock);
3130         return rc;
3131 }
3132 
3133 static int get_classes_callback(void *k, void *d, void *args)
3134 {
3135         struct class_datum *datum = d;
3136         char *name = k, **classes = args;
3137         int value = datum->value - 1;
3138 
3139         classes[value] = kstrdup(name, GFP_ATOMIC);
3140         if (!classes[value])
3141                 return -ENOMEM;
3142 
3143         return 0;
3144 }
3145 
3146 int security_get_classes(struct selinux_state *state,
3147                          char ***classes, int *nclasses)
3148 {
3149         struct policydb *policydb = &state->ss->policydb;
3150         int rc;
3151 
3152         if (!state->initialized) {
3153                 *nclasses = 0;
3154                 *classes = NULL;
3155                 return 0;
3156         }
3157 
3158         read_lock(&state->ss->policy_rwlock);
3159 
3160         rc = -ENOMEM;
3161         *nclasses = policydb->p_classes.nprim;
3162         *classes = kcalloc(*nclasses, sizeof(**classes), GFP_ATOMIC);
3163         if (!*classes)
3164                 goto out;
3165 
3166         rc = hashtab_map(policydb->p_classes.table, get_classes_callback,
3167                         *classes);
3168         if (rc) {
3169                 int i;
3170                 for (i = 0; i < *nclasses; i++)
3171                         kfree((*classes)[i]);
3172                 kfree(*classes);
3173         }
3174 
3175 out:
3176         read_unlock(&state->ss->policy_rwlock);
3177         return rc;
3178 }
3179 
3180 static int get_permissions_callback(void *k, void *d, void *args)
3181 {
3182         struct perm_datum *datum = d;
3183         char *name = k, **perms = args;
3184         int value = datum->value - 1;
3185 
3186         perms[value] = kstrdup(name, GFP_ATOMIC);
3187         if (!perms[value])
3188                 return -ENOMEM;
3189 
3190         return 0;
3191 }
3192 
3193 int security_get_permissions(struct selinux_state *state,
3194                              char *class, char ***perms, int *nperms)
3195 {
3196         struct policydb *policydb = &state->ss->policydb;
3197         int rc, i;
3198         struct class_datum *match;
3199 
3200         read_lock(&state->ss->policy_rwlock);
3201 
3202         rc = -EINVAL;
3203         match = hashtab_search(policydb->p_classes.table, class);
3204         if (!match) {
3205                 printk(KERN_ERR "SELinux: %s:  unrecognized class %s\n",
3206                         __func__, class);
3207                 goto out;
3208         }
3209 
3210         rc = -ENOMEM;
3211         *nperms = match->permissions.nprim;
3212         *perms = kcalloc(*nperms, sizeof(**perms), GFP_ATOMIC);
3213         if (!*perms)
3214                 goto out;
3215 
3216         if (match->comdatum) {
3217                 rc = hashtab_map(match->comdatum->permissions.table,
3218                                 get_permissions_callback, *perms);
3219                 if (rc)
3220                         goto err;
3221         }
3222 
3223         rc = hashtab_map(match->permissions.table, get_permissions_callback,
3224                         *perms);
3225         if (rc)
3226                 goto err;
3227 
3228 out:
3229         read_unlock(&state->ss->policy_rwlock);
3230         return rc;
3231 
3232 err:
3233         read_unlock(&state->ss->policy_rwlock);
3234         for (i = 0; i < *nperms; i++)
3235                 kfree((*perms)[i]);
3236         kfree(*perms);
3237         return rc;
3238 }
3239 
3240 int security_get_reject_unknown(struct selinux_state *state)
3241 {
3242         return state->ss->policydb.reject_unknown;
3243 }
3244 
3245 int security_get_allow_unknown(struct selinux_state *state)
3246 {
3247         return state->ss->policydb.allow_unknown;
3248 }
3249 
3250 /**
3251  * security_policycap_supported - Check for a specific policy capability
3252  * @req_cap: capability
3253  *
3254  * Description:
3255  * This function queries the currently loaded policy to see if it supports the
3256  * capability specified by @req_cap.  Returns true (1) if the capability is
3257  * supported, false (0) if it isn't supported.
3258  *
3259  */
3260 int security_policycap_supported(struct selinux_state *state,
3261                                  unsigned int req_cap)
3262 {
3263         struct policydb *policydb = &state->ss->policydb;
3264         int rc;
3265 
3266         read_lock(&state->ss->policy_rwlock);
3267         rc = ebitmap_get_bit(&policydb->policycaps, req_cap);
3268         read_unlock(&state->ss->policy_rwlock);
3269 
3270         return rc;
3271 }
3272 
3273 struct selinux_audit_rule {
3274         u32 au_seqno;
3275         struct context au_ctxt;
3276 };
3277 
3278 void selinux_audit_rule_free(void *vrule)
3279 {
3280         struct selinux_audit_rule *rule = vrule;
3281 
3282         if (rule) {
3283                 context_destroy(&rule->au_ctxt);
3284                 kfree(rule);
3285         }
3286 }
3287 
3288 int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
3289 {
3290         struct selinux_state *state = &selinux_state;
3291         struct policydb *policydb = &state->ss->policydb;
3292         struct selinux_audit_rule *tmprule;
3293         struct role_datum *roledatum;
3294         struct type_datum *typedatum;
3295         struct user_datum *userdatum;
3296         struct selinux_audit_rule **rule = (struct selinux_audit_rule **)vrule;
3297         int rc = 0;
3298 
3299         *rule = NULL;
3300 
3301         if (!state->initialized)
3302                 return -EOPNOTSUPP;
3303 
3304         switch (field) {
3305         case AUDIT_SUBJ_USER:
3306         case AUDIT_SUBJ_ROLE:
3307         case AUDIT_SUBJ_TYPE:
3308         case AUDIT_OBJ_USER:
3309         case AUDIT_OBJ_ROLE:
3310         case AUDIT_OBJ_TYPE:
3311                 /* only 'equals' and 'not equals' fit user, role, and type */
3312                 if (op != Audit_equal && op != Audit_not_equal)
3313                         return -EINVAL;
3314                 break;
3315         case AUDIT_SUBJ_SEN:
3316         case AUDIT_SUBJ_CLR:
3317         case AUDIT_OBJ_LEV_LOW:
3318         case AUDIT_OBJ_LEV_HIGH:
3319                 /* we do not allow a range, indicated by the presence of '-' */
3320                 if (strchr(rulestr, '-'))
3321                         return -EINVAL;
3322                 break;
3323         default:
3324                 /* only the above fields are valid */
3325                 return -EINVAL;
3326         }
3327 
3328         tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL);
3329         if (!tmprule)
3330                 return -ENOMEM;
3331 
3332         context_init(&tmprule->au_ctxt);
3333 
3334         read_lock(&state->ss->policy_rwlock);
3335 
3336         tmprule->au_seqno = state->ss->latest_granting;
3337 
3338         switch (field) {
3339         case AUDIT_SUBJ_USER:
3340         case AUDIT_OBJ_USER:
3341                 rc = -EINVAL;
3342                 userdatum = hashtab_search(policydb->p_users.table, rulestr);
3343                 if (!userdatum)
3344                         goto out;
3345                 tmprule->au_ctxt.user = userdatum->value;
3346                 break;
3347         case AUDIT_SUBJ_ROLE:
3348         case AUDIT_OBJ_ROLE:
3349                 rc = -EINVAL;
3350                 roledatum = hashtab_search(policydb->p_roles.table, rulestr);
3351                 if (!roledatum)
3352                         goto out;
3353                 tmprule->au_ctxt.role = roledatum->value;
3354                 break;
3355         case AUDIT_SUBJ_TYPE:
3356         case AUDIT_OBJ_TYPE:
3357                 rc = -EINVAL;
3358                 typedatum = hashtab_search(policydb->p_types.table, rulestr);
3359                 if (!typedatum)
3360                         goto out;
3361                 tmprule->au_ctxt.type = typedatum->value;
3362                 break;
3363         case AUDIT_SUBJ_SEN:
3364         case AUDIT_SUBJ_CLR:
3365         case AUDIT_OBJ_LEV_LOW:
3366         case AUDIT_OBJ_LEV_HIGH:
3367                 rc = mls_from_string(policydb, rulestr, &tmprule->au_ctxt,
3368                                      GFP_ATOMIC);
3369                 if (rc)
3370                         goto out;
3371                 break;
3372         }
3373         rc = 0;
3374 out:
3375         read_unlock(&state->ss->policy_rwlock);
3376 
3377         if (rc) {
3378                 selinux_audit_rule_free(tmprule);
3379                 tmprule = NULL;
3380         }
3381 
3382         *rule = tmprule;
3383 
3384         return rc;
3385 }
3386 
3387 /* Check to see if the rule contains any selinux fields */
3388 int selinux_audit_rule_known(struct audit_krule *rule)
3389 {
3390         int i;
3391 
3392         for (i = 0; i < rule->field_count; i++) {
3393                 struct audit_field *f = &rule->fields[i];
3394                 switch (f->type) {
3395                 case AUDIT_SUBJ_USER:
3396                 case AUDIT_SUBJ_ROLE:
3397                 case AUDIT_SUBJ_TYPE:
3398                 case AUDIT_SUBJ_SEN:
3399                 case AUDIT_SUBJ_CLR:
3400                 case AUDIT_OBJ_USER:
3401                 case AUDIT_OBJ_ROLE:
3402                 case AUDIT_OBJ_TYPE:
3403                 case AUDIT_OBJ_LEV_LOW:
3404                 case AUDIT_OBJ_LEV_HIGH:
3405                         return 1;
3406                 }
3407         }
3408 
3409         return 0;
3410 }
3411 
3412 int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
3413                              struct audit_context *actx)
3414 {
3415         struct selinux_state *state = &selinux_state;
3416         struct context *ctxt;
3417         struct mls_level *level;
3418         struct selinux_audit_rule *rule = vrule;
3419         int match = 0;
3420 
3421         if (unlikely(!rule)) {
3422                 WARN_ONCE(1, "selinux_audit_rule_match: missing rule\n");
3423                 return -ENOENT;
3424         }
3425 
3426         read_lock(&state->ss->policy_rwlock);
3427 
3428         if (rule->au_seqno < state->ss->latest_granting) {
3429                 match = -ESTALE;
3430                 goto out;
3431         }
3432 
3433         ctxt = sidtab_search(&state->ss->sidtab, sid);
3434         if (unlikely(!ctxt)) {
3435                 WARN_ONCE(1, "selinux_audit_rule_match: unrecognized SID %d\n",
3436                           sid);
3437                 match = -ENOENT;
3438                 goto out;
3439         }
3440 
3441         /* a field/op pair that is not caught here will simply fall through
3442            without a match */
3443         switch (field) {
3444         case AUDIT_SUBJ_USER:
3445         case AUDIT_OBJ_USER:
3446                 switch (op) {
3447                 case Audit_equal:
3448                         match = (ctxt->user == rule->au_ctxt.user);
3449                         break;
3450                 case Audit_not_equal:
3451                         match = (ctxt->user != rule->au_ctxt.user);
3452                         break;
3453                 }
3454                 break;
3455         case AUDIT_SUBJ_ROLE:
3456         case AUDIT_OBJ_ROLE:
3457                 switch (op) {
3458                 case Audit_equal:
3459                         match = (ctxt->role == rule->au_ctxt.role);
3460                         break;
3461                 case Audit_not_equal:
3462                         match = (ctxt->role != rule->au_ctxt.role);
3463                         break;
3464                 }
3465                 break;
3466         case AUDIT_SUBJ_TYPE:
3467         case AUDIT_OBJ_TYPE:
3468                 switch (op) {
3469                 case Audit_equal:
3470                         match = (ctxt->type == rule->au_ctxt.type);
3471                         break;
3472                 case Audit_not_equal:
3473                         match = (ctxt->type != rule->au_ctxt.type);
3474                         break;
3475                 }
3476                 break;
3477         case AUDIT_SUBJ_SEN:
3478         case AUDIT_SUBJ_CLR:
3479         case AUDIT_OBJ_LEV_LOW:
3480         case AUDIT_OBJ_LEV_HIGH:
3481                 level = ((field == AUDIT_SUBJ_SEN ||
3482                           field == AUDIT_OBJ_LEV_LOW) ?
3483                          &ctxt->range.level[0] : &ctxt->range.level[1]);
3484                 switch (op) {
3485                 case Audit_equal:
3486                         match = mls_level_eq(&rule->au_ctxt.range.level[0],
3487                                              level);
3488                         break;
3489                 case Audit_not_equal:
3490                         match = !mls_level_eq(&rule->au_ctxt.range.level[0],
3491                                               level);
3492                         break;
3493                 case Audit_lt:
3494                         match = (mls_level_dom(&rule->au_ctxt.range.level[0],
3495                                                level) &&
3496                                  !mls_level_eq(&rule->au_ctxt.range.level[0],
3497                                                level));
3498                         break;
3499                 case Audit_le:
3500                         match = mls_level_dom(&rule->au_ctxt.range.level[0],
3501                                               level);
3502                         break;
3503                 case Audit_gt:
3504                         match = (mls_level_dom(level,
3505                                               &rule->au_ctxt.range.level[0]) &&
3506                                  !mls_level_eq(level,
3507                                                &rule->au_ctxt.range.level[0]));
3508                         break;
3509                 case Audit_ge:
3510                         match = mls_level_dom(level,
3511                                               &rule->au_ctxt.range.level[0]);
3512                         break;
3513                 }
3514         }
3515 
3516 out:
3517         read_unlock(&state->ss->policy_rwlock);
3518         return match;
3519 }
3520 
3521 static int (*aurule_callback)(void) = audit_update_lsm_rules;
3522 
3523 static int aurule_avc_callback(u32 event)
3524 {
3525         int err = 0;
3526 
3527         if (event == AVC_CALLBACK_RESET && aurule_callback)
3528                 err = aurule_callback();
3529         return err;
3530 }
3531 
3532 static int __init aurule_init(void)
3533 {
3534         int err;
3535 
3536         err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET);
3537         if (err)
3538                 panic("avc_add_callback() failed, error %d\n", err);
3539 
3540         return err;
3541 }
3542 __initcall(aurule_init);
3543 
3544 #ifdef CONFIG_NETLABEL
3545 /**
3546  * security_netlbl_cache_add - Add an entry to the NetLabel cache
3547  * @secattr: the NetLabel packet security attributes
3548  * @sid: the SELinux SID
3549  *
3550  * Description:
3551  * Attempt to cache the context in @ctx, which was derived from the packet in
3552  * @skb, in the NetLabel subsystem cache.  This function assumes @secattr has
3553  * already been initialized.
3554  *
3555  */
3556 static void security_netlbl_cache_add(struct netlbl_lsm_secattr *secattr,
3557                                       u32 sid)
3558 {
3559         u32 *sid_cache;
3560 
3561         sid_cache = kmalloc(sizeof(*sid_cache), GFP_ATOMIC);
3562         if (sid_cache == NULL)
3563                 return;
3564         secattr->cache = netlbl_secattr_cache_alloc(GFP_ATOMIC);
3565         if (secattr->cache == NULL) {
3566                 kfree(sid_cache);
3567                 return;
3568         }
3569 
3570         *sid_cache = sid;
3571         secattr->cache->free = kfree;
3572         secattr->cache->data = sid_cache;
3573         secattr->flags |= NETLBL_SECATTR_CACHE;
3574 }
3575 
3576 /**
3577  * security_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID
3578  * @secattr: the NetLabel packet security attributes
3579  * @sid: the SELinux SID
3580  *
3581  * Description:
3582  * Convert the given NetLabel security attributes in @secattr into a
3583  * SELinux SID.  If the @secattr field does not contain a full SELinux
3584  * SID/context then use SECINITSID_NETMSG as the foundation.  If possible the
3585  * 'cache' field of @secattr is set and the CACHE flag is set; this is to
3586  * allow the @secattr to be used by NetLabel to cache the secattr to SID
3587  * conversion for future lookups.  Returns zero on success, negative values on
3588  * failure.
3589  *
3590  */
3591 int security_netlbl_secattr_to_sid(struct selinux_state *state,
3592                                    struct netlbl_lsm_secattr *secattr,
3593                                    u32 *sid)
3594 {
3595         struct policydb *policydb = &state->ss->policydb;
3596         struct sidtab *sidtab = &state->ss->sidtab;
3597         int rc;
3598         struct context *ctx;
3599         struct context ctx_new;
3600 
3601         if (!state->initialized) {
3602                 *sid = SECSID_NULL;
3603                 return 0;
3604         }
3605 
3606         read_lock(&state->ss->policy_rwlock);
3607 
3608         if (secattr->flags & NETLBL_SECATTR_CACHE)
3609                 *sid = *(u32 *)secattr->cache->data;
3610         else if (secattr->flags & NETLBL_SECATTR_SECID)
3611                 *sid = secattr->attr.secid;
3612         else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) {
3613                 rc = -EIDRM;
3614                 ctx = sidtab_search(sidtab, SECINITSID_NETMSG);
3615                 if (ctx == NULL)
3616                         goto out;
3617 
3618                 context_init(&ctx_new);
3619                 ctx_new.user = ctx->user;
3620                 ctx_new.role = ctx->role;
3621                 ctx_new.type = ctx->type;
3622                 mls_import_netlbl_lvl(policydb, &ctx_new, secattr);
3623                 if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {
3624                         rc = mls_import_netlbl_cat(policydb, &ctx_new, secattr);
3625                         if (rc)
3626                                 goto out;
3627                 }
3628                 rc = -EIDRM;
3629                 if (!mls_context_isvalid(policydb, &ctx_new))
3630                         goto out_free;
3631 
3632                 rc = sidtab_context_to_sid(sidtab, &ctx_new, sid);
3633                 if (rc)
3634                         goto out_free;
3635 
3636                 security_netlbl_cache_add(secattr, *sid);
3637 
3638                 ebitmap_destroy(&ctx_new.range.level[0].cat);
3639         } else
3640                 *sid = SECSID_NULL;
3641 
3642         read_unlock(&state->ss->policy_rwlock);
3643         return 0;
3644 out_free:
3645         ebitmap_destroy(&ctx_new.range.level[0].cat);
3646 out:
3647         read_unlock(&state->ss->policy_rwlock);
3648         return rc;
3649 }
3650 
3651 /**
3652  * security_netlbl_sid_to_secattr - Convert a SELinux SID to a NetLabel secattr
3653  * @sid: the SELinux SID
3654  * @secattr: the NetLabel packet security attributes
3655  *
3656  * Description:
3657  * Convert the given SELinux SID in @sid into a NetLabel security attribute.
3658  * Returns zero on success, negative values on failure.
3659  *
3660  */
3661 int security_netlbl_sid_to_secattr(struct selinux_state *state,
3662                                    u32 sid, struct netlbl_lsm_secattr *secattr)
3663 {
3664         struct policydb *policydb = &state->ss->policydb;
3665         int rc;
3666         struct context *ctx;
3667 
3668         if (!state->initialized)
3669                 return 0;
3670 
3671         read_lock(&state->ss->policy_rwlock);
3672 
3673         rc = -ENOENT;
3674         ctx = sidtab_search(&state->ss->sidtab, sid);
3675         if (ctx == NULL)
3676                 goto out;
3677 
3678         rc = -ENOMEM;
3679         secattr->domain = kstrdup(sym_name(policydb, SYM_TYPES, ctx->type - 1),
3680                                   GFP_ATOMIC);
3681         if (secattr->domain == NULL)
3682                 goto out;
3683 
3684         secattr->attr.secid = sid;
3685         secattr->flags |= NETLBL_SECATTR_DOMAIN_CPY | NETLBL_SECATTR_SECID;
3686         mls_export_netlbl_lvl(policydb, ctx, secattr);
3687         rc = mls_export_netlbl_cat(policydb, ctx, secattr);
3688 out:
3689         read_unlock(&state->ss->policy_rwlock);
3690         return rc;
3691 }
3692 #endif /* CONFIG_NETLABEL */
3693 
3694 /**
3695  * security_read_policy - read the policy.
3696  * @data: binary policy data
3697  * @len: length of data in bytes
3698  *
3699  */
3700 int security_read_policy(struct selinux_state *state,
3701                          void **data, size_t *len)
3702 {
3703         struct policydb *policydb = &state->ss->policydb;
3704         int rc;
3705         struct policy_file fp;
3706 
3707         if (!state->initialized)
3708                 return -EINVAL;
3709 
3710         *len = security_policydb_len(state);
3711 
3712         *data = vmalloc_user(*len);
3713         if (!*data)
3714                 return -ENOMEM;
3715 
3716         fp.data = *data;
3717         fp.len = *len;
3718 
3719         read_lock(&state->ss->policy_rwlock);
3720         rc = policydb_write(policydb, &fp);
3721         read_unlock(&state->ss->policy_rwlock);
3722 
3723         if (rc)
3724                 return rc;
3725 
3726         *len = (unsigned long)fp.data - (unsigned long)*data;
3727         return 0;
3728 
3729 }
3730 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | Wiki (Japanese) | Wiki (English) | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

osdn.jp