/* * Implementation of the security services. * * Authors : Stephen Smalley, <sds@epoch.ncsc.mil> *           James Morris <jmorris@redhat.com> * * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> * *	Support for enhanced MLS infrastructure. *	Support for context based audit filters. * * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> * * 	Added conditional policy language extensions * * Updated: Hewlett-Packard <paul.moore@hp.com> * *      Added support for NetLabel * * Updated: Chad Sellers <csellers@tresys.com> * *  Added validation of kernel classes and permissions * * Copyright (C) 2006 Hewlett-Packard Development Company, L.P. * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc. * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> *	This program is free software; you can redistribute it and/or modify *  	it under the terms of the GNU General Public License as published by *	the Free Software Foundation, version 2. */#include <linux/kernel.h>#include <linux/slab.h>#include <linux/string.h>#include <linux/spinlock.h>#include <linux/rcupdate.h>#include <linux/errno.h>#include <linux/in.h>#include <linux/sched.h>#include <linux/audit.h>#include <linux/mutex.h>#include <net/netlabel.h>#include "flask.h"#include "avc.h"#include "avc_ss.h"#include "security.h"#include "context.h"#include "policydb.h"#include "sidtab.h"#include "services.h"#include "conditional.h"#include "mls.h"#include "objsec.h"#include "netlabel.h"#include "xfrm.h"#include "ebitmap.h"extern void selnl_notify_policyload(u32 seqno);unsigned int policydb_loaded_version;/* * This is declared in avc.c */extern const struct selinux_class_perm selinux_class_perm;static DEFINE_RWLOCK(policy_rwlock);#define POLICY_RDLOCK read_lock(&policy_rwlock)#define POLICY_WRLOCK write_lock_irq(&policy_rwlock)#define POLICY_RDUNLOCK read_unlock(&policy_rwlock)#define POLICY_WRUNLOCK write_unlock_irq(&policy_rwlock)static DEFINE_MUTEX(load_mutex);#define LOAD_LOCK mutex_lock(&load_mutex)#define LOAD_UNLOCK mutex_unlock(&load_mutex)static struct sidtab sidtab;struct policydb policydb;int ss_initialized = 0;/* * The largest sequence number that has been used when * providing an access decision to the access vector cache. * The sequence number only changes when a policy change * occurs. */static u32 latest_granting = 0;/* Forward declaration. */static int context_struct_to_string(struct context *context, char **scontext,				    u32 *scontext_len);/* * Return the boolean value of a constraint expression * when it is applied to the specified source and target * security contexts. * * xcontext is a special beast...  It is used by the validatetrans rules * only.  For these rules, scontext is the context before the transition, * tcontext is the context after the transition, and xcontext is the context * of the process performing the transition.  All other callers of * constraint_expr_eval should pass in NULL for xcontext. */static int constraint_expr_eval(struct context *scontext,				struct context *tcontext,				struct context *xcontext,				struct constraint_expr *cexpr){	u32 val1, val2;	struct context *c;	struct role_datum *r1, *r2;	struct mls_level *l1, *l2;	struct constraint_expr *e;	int s[CEXPR_MAXDEPTH];	int sp = -1;	for (e = cexpr; e; e = e->next) {		switch (e->expr_type) {		case CEXPR_NOT:			BUG_ON(sp < 0);			s[sp] = !s[sp];			break;		case CEXPR_AND:			BUG_ON(sp < 1);			sp--;			s[sp] &= s[sp+1];			break;		case CEXPR_OR:			BUG_ON(sp < 1);			sp--;			s[sp] |= s[sp+1];			break;		case CEXPR_ATTR:			if (sp == (CEXPR_MAXDEPTH-1))				return 0;			switch (e->attr) {			case CEXPR_USER:				val1 = scontext->user;				val2 = tcontext->user;				break;			case CEXPR_TYPE:				val1 = scontext->type;				val2 = tcontext->type;				break;			case CEXPR_ROLE:				val1 = scontext->role;				val2 = tcontext->role;				r1 = policydb.role_val_to_struct[val1 - 1];				r2 = policydb.role_val_to_struct[val2 - 1];				switch (e->op) {				case CEXPR_DOM:					s[++sp] = ebitmap_get_bit(&r1->dominates,								  val2 - 1);					continue;				case CEXPR_DOMBY:					s[++sp] = ebitmap_get_bit(&r2->dominates,								  val1 - 1);					continue;				case CEXPR_INCOMP:					s[++sp] = ( !ebitmap_get_bit(&r1->dominates,								     val2 - 1) &&						    !ebitmap_get_bit(&r2->dominates,								     val1 - 1) );					continue;				default:					break;				}				break;			case CEXPR_L1L2:				l1 = &(scontext->range.level[0]);				l2 = &(tcontext->range.level[0]);				goto mls_ops;			case CEXPR_L1H2:				l1 = &(scontext->range.level[0]);				l2 = &(tcontext->range.level[1]);				goto mls_ops;			case CEXPR_H1L2:				l1 = &(scontext->range.level[1]);				l2 = &(tcontext->range.level[0]);				goto mls_ops;			case CEXPR_H1H2:				l1 = &(scontext->range.level[1]);				l2 = &(tcontext->range.level[1]);				goto mls_ops;			case CEXPR_L1H1:				l1 = &(scontext->range.level[0]);				l2 = &(scontext->range.level[1]);				goto mls_ops;			case CEXPR_L2H2:				l1 = &(tcontext->range.level[0]);				l2 = &(tcontext->range.level[1]);				goto mls_ops;mls_ops:			switch (e->op) {			case CEXPR_EQ:				s[++sp] = mls_level_eq(l1, l2);				continue;			case CEXPR_NEQ:				s[++sp] = !mls_level_eq(l1, l2);				continue;			case CEXPR_DOM:				s[++sp] = mls_level_dom(l1, l2);				continue;			case CEXPR_DOMBY:				s[++sp] = mls_level_dom(l2, l1);				continue;			case CEXPR_INCOMP:				s[++sp] = mls_level_incomp(l2, l1);				continue;			default:				BUG();				return 0;			}			break;			default:				BUG();				return 0;			}			switch (e->op) {			case CEXPR_EQ:				s[++sp] = (val1 == val2);				break;			case CEXPR_NEQ:				s[++sp] = (val1 != val2);				break;			default:				BUG();				return 0;			}			break;		case CEXPR_NAMES:			if (sp == (CEXPR_MAXDEPTH-1))				return 0;			c = scontext;			if (e->attr & CEXPR_TARGET)				c = tcontext;			else if (e->attr & CEXPR_XTARGET) {				c = xcontext;				if (!c) {					BUG();					return 0;				}			}			if (e->attr & CEXPR_USER)				val1 = c->user;			else if (e->attr & CEXPR_ROLE)				val1 = c->role;			else if (e->attr & CEXPR_TYPE)				val1 = c->type;			else {				BUG();				return 0;			}			switch (e->op) {			case CEXPR_EQ:				s[++sp] = ebitmap_get_bit(&e->names, val1 - 1);				break;			case CEXPR_NEQ:				s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1);				break;			default:				BUG();				return 0;			}			break;		default:			BUG();			return 0;		}	}	BUG_ON(sp != 0);	return s[0];}/* * Compute access vectors based on a context structure pair for * the permissions in a particular class. */static int context_struct_compute_av(struct context *scontext,				     struct context *tcontext,				     u16 tclass,				     u32 requested,				     struct av_decision *avd){	struct constraint_node *constraint;	struct role_allow *ra;	struct avtab_key avkey;	struct avtab_node *node;	struct class_datum *tclass_datum;	struct ebitmap *sattr, *tattr;	struct ebitmap_node *snode, *tnode;	const struct selinux_class_perm *kdefs = &selinux_class_perm;	unsigned int i, j;	/*	 * Remap extended Netlink classes for old policy versions.	 * Do this here rather than socket_type_to_security_class()	 * in case a newer policy version is loaded, allowing sockets	 * to remain in the correct class.	 */	if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)		if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&		    tclass <= SECCLASS_NETLINK_DNRT_SOCKET)			tclass = SECCLASS_NETLINK_SOCKET;	/*	 * Initialize the access vectors to the default values.	 */	avd->allowed = 0;	avd->decided = 0xffffffff;	avd->auditallow = 0;	avd->auditdeny = 0xffffffff;	avd->seqno = latest_granting;	/*	 * Check for all the invalid cases.	 * - tclass 0	 * - tclass > policy and > kernel	 * - tclass > policy but is a userspace class	 * - tclass > policy but we do not allow unknowns	 */	if (unlikely(!tclass))		goto inval_class;	if (unlikely(tclass > policydb.p_classes.nprim))		if (tclass > kdefs->cts_len ||		    !kdefs->class_to_string[tclass - 1] ||		    !policydb.allow_unknown)			goto inval_class;	/*	 * Kernel class and we allow unknown so pad the allow decision	 * the pad will be all 1 for unknown classes.	 */	if (tclass <= kdefs->cts_len && policydb.allow_unknown)		avd->allowed = policydb.undefined_perms[tclass - 1];	/*	 * Not in policy. Since decision is completed (all 1 or all 0) return.	 */	if (unlikely(tclass > policydb.p_classes.nprim))		return 0;	tclass_datum = policydb.class_val_to_struct[tclass - 1];	/*	 * If a specific type enforcement rule was defined for	 * this permission check, then use it.	 */	avkey.target_class = tclass;	avkey.specified = AVTAB_AV;	sattr = &policydb.type_attr_map[scontext->type - 1];	tattr = &policydb.type_attr_map[tcontext->type - 1];	ebitmap_for_each_positive_bit(sattr, snode, i) {		ebitmap_for_each_positive_bit(tattr, tnode, j) {			avkey.source_type = i + 1;			avkey.target_type = j + 1;			for (node = avtab_search_node(&policydb.te_avtab, &avkey);			     node != NULL;			     node = avtab_search_node_next(node, avkey.specified)) {				if (node->key.specified == AVTAB_ALLOWED)					avd->allowed |= node->datum.data;				else if (node->key.specified == AVTAB_AUDITALLOW)					avd->auditallow |= node->datum.data;				else if (node->key.specified == AVTAB_AUDITDENY)					avd->auditdeny &= node->datum.data;			}			/* Check conditional av table for additional permissions */			cond_compute_av(&policydb.te_cond_avtab, &avkey, avd);		}	}	/*	 * Remove any permissions prohibited by a constraint (this includes	 * the MLS policy).	 */	constraint = tclass_datum->constraints;	while (constraint) {		if ((constraint->permissions & (avd->allowed)) &&		    !constraint_expr_eval(scontext, tcontext, NULL,					  constraint->expr)) {			avd->allowed = (avd->allowed) & ~(constraint->permissions);		}		constraint = constraint->next;	}	/*	 * If checking process transition permission and the	 * role is changing, then check the (current_role, new_role)	 * pair.	 */	if (tclass == SECCLASS_PROCESS &&	    (avd->allowed & (PROCESS__TRANSITION | PROCESS__DYNTRANSITION)) &&	    scontext->role != tcontext->role) {		for (ra = policydb.role_allow; ra; ra = ra->next) {			if (scontext->role == ra->role &&			    tcontext->role == ra->new_role)				break;		}		if (!ra)			avd->allowed = (avd->allowed) & ~(PROCESS__TRANSITION |			                                PROCESS__DYNTRANSITION);	}	return 0;inval_class:	printk(KERN_ERR "%s:  unrecognized class %d\n", __FUNCTION__, tclass);	return -EINVAL;}static int security_validtrans_handle_fail(struct context *ocontext,                                           struct context *ncontext,                                           struct context *tcontext,                                           u16 tclass){	char *o = NULL, *n = NULL, *t = NULL;	u32 olen, nlen, tlen;	if (context_struct_to_string(ocontext, &o, &olen) < 0)		goto out;	if (context_struct_to_string(ncontext, &n, &nlen) < 0)		goto out;	if (context_struct_to_string(tcontext, &t, &tlen) < 0)		goto out;	audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,	          "security_validate_transition:  denied for"	          " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",	          o, n, t, policydb.p_class_val_to_name[tclass-1]);out:	kfree(o);	kfree(n);	kfree(t);	if (!selinux_enforcing)		return 0;	return -EPERM;}int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,                                 u16 tclass){	struct context *ocontext;	struct context *ncontext;	struct context *tcontext;	struct class_datum *tclass_datum;	struct constraint_node *constraint;	int rc = 0;	if (!ss_initialized)		return 0;	POLICY_RDLOCK;	/*	 * Remap extended Netlink classes for old policy versions.	 * Do this here rather than socket_type_to_security_class()	 * in case a newer policy version is loaded, allowing sockets	 * to remain in the correct class.	 */	if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)		if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&		    tclass <= SECCLASS_NETLINK_DNRT_SOCKET)			tclass = SECCLASS_NETLINK_SOCKET;	if (!tclass || tclass > policydb.p_classes.nprim) {		printk(KERN_ERR "security_validate_transition:  "		       "unrecognized class %d\n", tclass);		rc = -EINVAL;		goto out;	}	tclass_datum = policydb.class_val_to_struct[tclass - 1];	ocontext = sidtab_search(&sidtab, oldsid);	if (!ocontext) {		printk(KERN_ERR "security_validate_transition: "		       " unrecognized SID %d\n", oldsid);		rc = -EINVAL;		goto out;	}	ncontext = sidtab_search(&sidtab, newsid);	if (!ncontext) {		printk(KERN_ERR "security_validate_transition: "		       " unrecognized SID %d\n", newsid);		rc = -EINVAL;		goto out;	}	tcontext = sidtab_search(&sidtab, tasksid);	if (!tcontext) {		printk(KERN_ERR "security_validate_transition: "		       " unrecognized SID %d\n", tasksid);		rc = -EINVAL;		goto out;	}	constraint = tclass_datum->validatetrans;	while (constraint) {		if (!constraint_expr_eval(ocontext, ncontext, tcontext,		                          constraint->expr)) {			rc = security_validtrans_handle_fail(ocontext, ncontext,			                                     tcontext, tclass);			goto out;		}		constraint = constraint->next;	}out:	POLICY_RDUNLOCK;	return rc;}/** * security_compute_av - Compute access vector decisions. * @ssid: source security identifier * @tsid: target security identifier * @tclass: target security class * @requested: requested permissions * @avd: access vector decisions * * Compute a set of access vector decisions based on the * SID pair (@ssid, @tsid) for the permissions in @tclass. * Return -%EINVAL if any of the parameters are invalid or %0