/* * Implementation of the security services. * * Authors : Stephen Smalley, <sds@epoch.ncsc.mil> *           James Morris <jmorris@redhat.com> * *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> * *	This program is free software; you can redistribute it and/or modify *	it under the terms of the GNU General Public License version 2, *      as published by the Free Software Foundation. * * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> * * 	Added conditional policy language extensions * * Copyright (C) 2003 - 2004 Tresys Technology, LLC *	This program is free software; you can redistribute it and/or modify *  	it under the terms of the GNU General Public License as published by *	the Free Software Foundation, version 2. */#include <linux/kernel.h>#include <linux/slab.h>#include <linux/string.h>#include <linux/spinlock.h>#include <linux/errno.h>#include <linux/in.h>#include <linux/sched.h>#include <linux/audit.h>#include <asm/semaphore.h>#include "flask.h"#include "avc.h"#include "avc_ss.h"#include "security.h"#include "context.h"#include "policydb.h"#include "sidtab.h"#include "services.h"#include "conditional.h"#include "mls.h"extern void selnl_notify_policyload(u32 seqno);unsigned int policydb_loaded_version;static DEFINE_RWLOCK(policy_rwlock);#define POLICY_RDLOCK read_lock(&policy_rwlock)#define POLICY_WRLOCK write_lock_irq(&policy_rwlock)#define POLICY_RDUNLOCK read_unlock(&policy_rwlock)#define POLICY_WRUNLOCK write_unlock_irq(&policy_rwlock)static DECLARE_MUTEX(load_sem);#define LOAD_LOCK down(&load_sem)#define LOAD_UNLOCK up(&load_sem)struct sidtab sidtab;struct policydb policydb;int ss_initialized = 0;/* * The largest sequence number that has been used when * providing an access decision to the access vector cache. * The sequence number only changes when a policy change * occurs. */static u32 latest_granting = 0;/* * Return the boolean value of a constraint expression * when it is applied to the specified source and target * security contexts. */static int constraint_expr_eval(struct context *scontext,				struct context *tcontext,				struct constraint_expr *cexpr){	u32 val1, val2;	struct context *c;	struct role_datum *r1, *r2;	struct constraint_expr *e;	int s[CEXPR_MAXDEPTH];	int sp = -1;	for (e = cexpr; e; e = e->next) {		switch (e->expr_type) {		case CEXPR_NOT:			BUG_ON(sp < 0);			s[sp] = !s[sp];			break;		case CEXPR_AND:			BUG_ON(sp < 1);			sp--;			s[sp] &= s[sp+1];			break;		case CEXPR_OR:			BUG_ON(sp < 1);			sp--;			s[sp] |= s[sp+1];			break;		case CEXPR_ATTR:			if (sp == (CEXPR_MAXDEPTH-1))				return 0;			switch (e->attr) {			case CEXPR_USER:				val1 = scontext->user;				val2 = tcontext->user;				break;			case CEXPR_TYPE:				val1 = scontext->type;				val2 = tcontext->type;				break;			case CEXPR_ROLE:				val1 = scontext->role;				val2 = tcontext->role;				r1 = policydb.role_val_to_struct[val1 - 1];				r2 = policydb.role_val_to_struct[val2 - 1];				switch (e->op) {				case CEXPR_DOM:					s[++sp] = ebitmap_get_bit(&r1->dominates,								  val2 - 1);					continue;				case CEXPR_DOMBY:					s[++sp] = ebitmap_get_bit(&r2->dominates,								  val1 - 1);					continue;				case CEXPR_INCOMP:					s[++sp] = ( !ebitmap_get_bit(&r1->dominates,								     val2 - 1) &&						    !ebitmap_get_bit(&r2->dominates,								     val1 - 1) );					continue;				default:					break;				}				break;			default:				BUG();				return 0;			}			switch (e->op) {			case CEXPR_EQ:				s[++sp] = (val1 == val2);				break;			case CEXPR_NEQ:				s[++sp] = (val1 != val2);				break;			default:				BUG();				return 0;			}			break;		case CEXPR_NAMES:			if (sp == (CEXPR_MAXDEPTH-1))				return 0;			c = scontext;			if (e->attr & CEXPR_TARGET)				c = tcontext;			if (e->attr & CEXPR_USER)				val1 = c->user;			else if (e->attr & CEXPR_ROLE)				val1 = c->role;			else if (e->attr & CEXPR_TYPE)				val1 = c->type;			else {				BUG();				return 0;			}			switch (e->op) {			case CEXPR_EQ:				s[++sp] = ebitmap_get_bit(&e->names, val1 - 1);				break;			case CEXPR_NEQ:				s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1);				break;			default:				BUG();				return 0;			}			break;		default:			BUG();			return 0;		}	}	BUG_ON(sp != 0);	return s[0];}/* * Compute access vectors based on a context structure pair for * the permissions in a particular class. */static int context_struct_compute_av(struct context *scontext,				     struct context *tcontext,				     u16 tclass,				     u32 requested,				     struct av_decision *avd){	struct constraint_node *constraint;	struct role_allow *ra;	struct avtab_key avkey;	struct avtab_datum *avdatum;	struct class_datum *tclass_datum;	/*	 * Remap extended Netlink classes for old policy versions.	 * Do this here rather than socket_type_to_security_class()	 * in case a newer policy version is loaded, allowing sockets	 * to remain in the correct class.	 */	if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)		if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&		    tclass <= SECCLASS_NETLINK_DNRT_SOCKET)			tclass = SECCLASS_NETLINK_SOCKET;	if (!tclass || tclass > policydb.p_classes.nprim) {		printk(KERN_ERR "security_compute_av:  unrecognized class %d\n",		       tclass);		return -EINVAL;	}	tclass_datum = policydb.class_val_to_struct[tclass - 1];	/*	 * Initialize the access vectors to the default values.	 */	avd->allowed = 0;	avd->decided = 0xffffffff;	avd->auditallow = 0;	avd->auditdeny = 0xffffffff;	avd->seqno = latest_granting;	/*	 * If a specific type enforcement rule was defined for	 * this permission check, then use it.	 */	avkey.source_type = scontext->type;	avkey.target_type = tcontext->type;	avkey.target_class = tclass;	avdatum = avtab_search(&policydb.te_avtab, &avkey, AVTAB_AV);	if (avdatum) {		if (avdatum->specified & AVTAB_ALLOWED)			avd->allowed = avtab_allowed(avdatum);		if (avdatum->specified & AVTAB_AUDITDENY)			avd->auditdeny = avtab_auditdeny(avdatum);		if (avdatum->specified & AVTAB_AUDITALLOW)			avd->auditallow = avtab_auditallow(avdatum);	}	/* Check conditional av table for additional permissions */	cond_compute_av(&policydb.te_cond_avtab, &avkey, avd);	/*	 * Remove any permissions prohibited by the MLS policy.	 */	mls_compute_av(scontext, tcontext, tclass_datum, &avd->allowed);	/*	 * Remove any permissions prohibited by a constraint.	 */	constraint = tclass_datum->constraints;	while (constraint) {		if ((constraint->permissions & (avd->allowed)) &&		    !constraint_expr_eval(scontext, tcontext,					  constraint->expr)) {			avd->allowed = (avd->allowed) & ~(constraint->permissions);		}		constraint = constraint->next;	}	/*	 * If checking process transition permission and the	 * role is changing, then check the (current_role, new_role)	 * pair.	 */	if (tclass == SECCLASS_PROCESS &&	    (avd->allowed & (PROCESS__TRANSITION | PROCESS__DYNTRANSITION)) &&	    scontext->role != tcontext->role) {		for (ra = policydb.role_allow; ra; ra = ra->next) {			if (scontext->role == ra->role &&			    tcontext->role == ra->new_role)				break;		}		if (!ra)			avd->allowed = (avd->allowed) & ~(PROCESS__TRANSITION |			                                PROCESS__DYNTRANSITION);	}	return 0;}/** * security_compute_av - Compute access vector decisions. * @ssid: source security identifier * @tsid: target security identifier * @tclass: target security class * @requested: requested permissions * @avd: access vector decisions * * Compute a set of access vector decisions based on the * SID pair (@ssid, @tsid) for the permissions in @tclass. * Return -%EINVAL if any of the parameters are invalid or %0 * if the access vector decisions were computed successfully. */int security_compute_av(u32 ssid,			u32 tsid,			u16 tclass,			u32 requested,			struct av_decision *avd){	struct context *scontext = NULL, *tcontext = NULL;	int rc = 0;	if (!ss_initialized) {		avd->allowed = requested;		avd->decided = requested;		avd->auditallow = 0;		avd->auditdeny = 0xffffffff;		avd->seqno = latest_granting;		return 0;	}	POLICY_RDLOCK;	scontext = sidtab_search(&sidtab, ssid);	if (!scontext) {		printk(KERN_ERR "security_compute_av:  unrecognized SID %d\n",		       ssid);		rc = -EINVAL;		goto out;	}	tcontext = sidtab_search(&sidtab, tsid);	if (!tcontext) {		printk(KERN_ERR "security_compute_av:  unrecognized SID %d\n",		       tsid);		rc = -EINVAL;		goto out;	}	rc = context_struct_compute_av(scontext, tcontext, tclass,				       requested, avd);out:	POLICY_RDUNLOCK;	return rc;}/* * Write the security context string representation of * the context structure `context' into a dynamically * allocated string of the correct size.  Set `*scontext' * to point to this string and set `*scontext_len' to * the length of the string. */int context_struct_to_string(struct context *context, char **scontext, u32 *scontext_len){	char *scontextp;	*scontext = NULL;	*scontext_len = 0;	/* Compute the size of the context. */	*scontext_len += strlen(policydb.p_user_val_to_name[context->user - 1]) + 1;	*scontext_len += strlen(policydb.p_role_val_to_name[context->role - 1]) + 1;	*scontext_len += strlen(policydb.p_type_val_to_name[context->type - 1]) + 1;	*scontext_len += mls_compute_context_len(context);	/* Allocate space for the context; caller must free this space. */	scontextp = kmalloc(*scontext_len+1,GFP_ATOMIC);	if (!scontextp) {		return -ENOMEM;	}	*scontext = scontextp;	/*	 * Copy the user name, role name and type name into the context.	 */	sprintf(scontextp, "%s:%s:%s:",		policydb.p_user_val_to_name[context->user - 1],		policydb.p_role_val_to_name[context->role - 1],		policydb.p_type_val_to_name[context->type - 1]);	scontextp += strlen(policydb.p_user_val_to_name[context->user - 1]) +	             1 + strlen(policydb.p_role_val_to_name[context->role - 1]) +	             1 + strlen(policydb.p_type_val_to_name[context->type - 1]) + 1;	mls_sid_to_context(context, &scontextp);	scontextp--;	*scontextp = 0;	return 0;}#include "initial_sid_to_string.h"/** * security_sid_to_context - Obtain a context for a given SID. * @sid: security identifier, SID * @scontext: security context * @scontext_len: length in bytes * * Write the string representation of the context associated with @sid * into a dynamically allocated string of the correct size.  Set @scontext * to point to this string and set @scontext_len to the length of the string. */int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len){	struct context *context;	int rc = 0;	if (!ss_initialized) {		if (sid <= SECINITSID_NUM) {			char *scontextp;			*scontext_len = strlen(initial_sid_to_string[sid]) + 1;			scontextp = kmalloc(*scontext_len,GFP_ATOMIC);			strcpy(scontextp, initial_sid_to_string[sid]);			*scontext = scontextp;			goto out;		}		printk(KERN_ERR "security_sid_to_context:  called before initial "		       "load_policy on unknown SID %d\n", sid);		rc = -EINVAL;		goto out;	}	POLICY_RDLOCK;	context = sidtab_search(&sidtab, sid);	if (!context) {		printk(KERN_ERR "security_sid_to_context:  unrecognized SID "		       "%d\n", sid);		rc = -EINVAL;		goto out_unlock;	}	rc = context_struct_to_string(context, scontext, scontext_len);out_unlock:	POLICY_RDUNLOCK;out:	return rc;}/** * security_context_to_sid - Obtain a SID for a given security context. * @scontext: security context * @scontext_len: length in bytes * @sid: security identifier, SID * * Obtains a SID associated with the security context that * has the string representation specified by @scontext. * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient * memory is available, or 0 on success. */int security_context_to_sid(char *scontext, u32 scontext_len, u32 *sid){	char *scontext2;	struct context context;	struct role_datum *role;	struct type_datum *typdatum;	struct user_datum *usrdatum;	char *scontextp, *p, oldc;	int rc = 0;	if (!ss_initialized) {		int i;		for (i = 1; i < SECINITSID_NUM; i++) {			if (!strcmp(initial_sid_to_string[i], scontext)) {				*sid = i;				goto out;			}		}		*sid = SECINITSID_KERNEL;		goto out;	}	*sid = SECSID_NULL;	/* Copy the string so that we can modify the copy as we parse it.	   The string should already by null terminated, but we append a	   null suffix to the copy to avoid problems with the existing	   attr package, which doesn't view the null terminator as part	   of the attribute value. */	scontext2 = kmalloc(scontext_len+1,GFP_KERNEL);	if (!scontext2) {		rc = -ENOMEM;		goto out;	}	memcpy(scontext2, scontext, scontext_len);	scontext2[scontext_len] = 0;	context_init(&context);	*sid = SECSID_NULL;	POLICY_RDLOCK;	/* Parse the security context. */	rc = -EINVAL;	scontextp = (char *) scontext2;	/* Extract the user. */	p = scontextp;	while (*p && *p != ':')		p++;	if (*p == 0)		goto out_unlock;	*p++ = 0;	usrdatum = hashtab_search(policydb.p_users.table, scontextp);	if (!usrdatum)		goto out_unlock;	context.user = usrdatum->value;	/* Extract role. */	scontextp = p;	while (*p && *p != ':')		p++;	if (*p == 0)		goto out_unlock;	*p++ = 0;	role = hashtab_search(policydb.p_roles.table, scontextp);	if (!role)		goto out_unlock;	context.role = role->value;	/* Extract type. */	scontextp = p;	while (*p && *p != ':')		p++;	oldc = *p;	*p++ = 0;	typdatum = hashtab_search(policydb.p_types.table, scontextp);	if (!typdatum)		goto out_unlock;	context.type = typdatum->value;	rc = mls_context_to_sid(oldc, &p, &context);