/* * Implementation of the security services. * * Authors : Stephen Smalley, <sds@epoch.ncsc.mil> *           James Morris <jmorris@redhat.com> * * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> * *	Support for enhanced MLS infrastructure. * * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> * * 	Added conditional policy language extensions * * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. * Copyright (C) 2003 - 2004 Tresys Technology, LLC * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> *	This program is free software; you can redistribute it and/or modify *  	it under the terms of the GNU General Public License as published by *	the Free Software Foundation, version 2. */#include <linux/kernel.h>#include <linux/slab.h>#include <linux/string.h>#include <linux/spinlock.h>#include <linux/errno.h>#include <linux/in.h>#include <linux/sched.h>#include <linux/audit.h>#include <asm/semaphore.h>#include "flask.h"#include "avc.h"#include "avc_ss.h"#include "security.h"#include "context.h"#include "policydb.h"#include "sidtab.h"#include "services.h"#include "conditional.h"#include "mls.h"extern void selnl_notify_policyload(u32 seqno);unsigned int policydb_loaded_version;static DEFINE_RWLOCK(policy_rwlock);#define POLICY_RDLOCK read_lock(&policy_rwlock)#define POLICY_WRLOCK write_lock_irq(&policy_rwlock)#define POLICY_RDUNLOCK read_unlock(&policy_rwlock)#define POLICY_WRUNLOCK write_unlock_irq(&policy_rwlock)static DECLARE_MUTEX(load_sem);#define LOAD_LOCK down(&load_sem)#define LOAD_UNLOCK up(&load_sem)static struct sidtab sidtab;struct policydb policydb;int ss_initialized = 0;/* * The largest sequence number that has been used when * providing an access decision to the access vector cache. * The sequence number only changes when a policy change * occurs. */static u32 latest_granting = 0;/* Forward declaration. */static int context_struct_to_string(struct context *context, char **scontext,				    u32 *scontext_len);/* * Return the boolean value of a constraint expression * when it is applied to the specified source and target * security contexts. * * xcontext is a special beast...  It is used by the validatetrans rules * only.  For these rules, scontext is the context before the transition, * tcontext is the context after the transition, and xcontext is the context * of the process performing the transition.  All other callers of * constraint_expr_eval should pass in NULL for xcontext. */static int constraint_expr_eval(struct context *scontext,				struct context *tcontext,				struct context *xcontext,				struct constraint_expr *cexpr){	u32 val1, val2;	struct context *c;	struct role_datum *r1, *r2;	struct mls_level *l1, *l2;	struct constraint_expr *e;	int s[CEXPR_MAXDEPTH];	int sp = -1;	for (e = cexpr; e; e = e->next) {		switch (e->expr_type) {		case CEXPR_NOT:			BUG_ON(sp < 0);			s[sp] = !s[sp];			break;		case CEXPR_AND:			BUG_ON(sp < 1);			sp--;			s[sp] &= s[sp+1];			break;		case CEXPR_OR:			BUG_ON(sp < 1);			sp--;			s[sp] |= s[sp+1];			break;		case CEXPR_ATTR:			if (sp == (CEXPR_MAXDEPTH-1))				return 0;			switch (e->attr) {			case CEXPR_USER:				val1 = scontext->user;				val2 = tcontext->user;				break;			case CEXPR_TYPE:				val1 = scontext->type;				val2 = tcontext->type;				break;			case CEXPR_ROLE:				val1 = scontext->role;				val2 = tcontext->role;				r1 = policydb.role_val_to_struct[val1 - 1];				r2 = policydb.role_val_to_struct[val2 - 1];				switch (e->op) {				case CEXPR_DOM:					s[++sp] = ebitmap_get_bit(&r1->dominates,								  val2 - 1);					continue;				case CEXPR_DOMBY:					s[++sp] = ebitmap_get_bit(&r2->dominates,								  val1 - 1);					continue;				case CEXPR_INCOMP:					s[++sp] = ( !ebitmap_get_bit(&r1->dominates,								     val2 - 1) &&						    !ebitmap_get_bit(&r2->dominates,								     val1 - 1) );					continue;				default:					break;				}				break;			case CEXPR_L1L2:				l1 = &(scontext->range.level[0]);				l2 = &(tcontext->range.level[0]);				goto mls_ops;			case CEXPR_L1H2:				l1 = &(scontext->range.level[0]);				l2 = &(tcontext->range.level[1]);				goto mls_ops;			case CEXPR_H1L2:				l1 = &(scontext->range.level[1]);				l2 = &(tcontext->range.level[0]);				goto mls_ops;			case CEXPR_H1H2:				l1 = &(scontext->range.level[1]);				l2 = &(tcontext->range.level[1]);				goto mls_ops;			case CEXPR_L1H1:				l1 = &(scontext->range.level[0]);				l2 = &(scontext->range.level[1]);				goto mls_ops;			case CEXPR_L2H2:				l1 = &(tcontext->range.level[0]);				l2 = &(tcontext->range.level[1]);				goto mls_ops;mls_ops:			switch (e->op) {			case CEXPR_EQ:				s[++sp] = mls_level_eq(l1, l2);				continue;			case CEXPR_NEQ:				s[++sp] = !mls_level_eq(l1, l2);				continue;			case CEXPR_DOM:				s[++sp] = mls_level_dom(l1, l2);				continue;			case CEXPR_DOMBY:				s[++sp] = mls_level_dom(l2, l1);				continue;			case CEXPR_INCOMP:				s[++sp] = mls_level_incomp(l2, l1);				continue;			default:				BUG();				return 0;			}			break;			default:				BUG();				return 0;			}			switch (e->op) {			case CEXPR_EQ:				s[++sp] = (val1 == val2);				break;			case CEXPR_NEQ:				s[++sp] = (val1 != val2);				break;			default:				BUG();				return 0;			}			break;		case CEXPR_NAMES:			if (sp == (CEXPR_MAXDEPTH-1))				return 0;			c = scontext;			if (e->attr & CEXPR_TARGET)				c = tcontext;			else if (e->attr & CEXPR_XTARGET) {				c = xcontext;				if (!c) {					BUG();					return 0;				}			}			if (e->attr & CEXPR_USER)				val1 = c->user;			else if (e->attr & CEXPR_ROLE)				val1 = c->role;			else if (e->attr & CEXPR_TYPE)				val1 = c->type;			else {				BUG();				return 0;			}			switch (e->op) {			case CEXPR_EQ:				s[++sp] = ebitmap_get_bit(&e->names, val1 - 1);				break;			case CEXPR_NEQ:				s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1);				break;			default:				BUG();				return 0;			}			break;		default:			BUG();			return 0;		}	}	BUG_ON(sp != 0);	return s[0];}/* * Compute access vectors based on a context structure pair for * the permissions in a particular class. */static int context_struct_compute_av(struct context *scontext,				     struct context *tcontext,				     u16 tclass,				     u32 requested,				     struct av_decision *avd){	struct constraint_node *constraint;	struct role_allow *ra;	struct avtab_key avkey;	struct avtab_node *node;	struct class_datum *tclass_datum;	struct ebitmap *sattr, *tattr;	struct ebitmap_node *snode, *tnode;	unsigned int i, j;	/*	 * Remap extended Netlink classes for old policy versions.	 * Do this here rather than socket_type_to_security_class()	 * in case a newer policy version is loaded, allowing sockets	 * to remain in the correct class.	 */	if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)		if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&		    tclass <= SECCLASS_NETLINK_DNRT_SOCKET)			tclass = SECCLASS_NETLINK_SOCKET;	if (!tclass || tclass > policydb.p_classes.nprim) {		printk(KERN_ERR "security_compute_av:  unrecognized class %d\n",		       tclass);		return -EINVAL;	}	tclass_datum = policydb.class_val_to_struct[tclass - 1];	/*	 * Initialize the access vectors to the default values.	 */	avd->allowed = 0;	avd->decided = 0xffffffff;	avd->auditallow = 0;	avd->auditdeny = 0xffffffff;	avd->seqno = latest_granting;	/*	 * If a specific type enforcement rule was defined for	 * this permission check, then use it.	 */	avkey.target_class = tclass;	avkey.specified = AVTAB_AV;	sattr = &policydb.type_attr_map[scontext->type - 1];	tattr = &policydb.type_attr_map[tcontext->type - 1];	ebitmap_for_each_bit(sattr, snode, i) {		if (!ebitmap_node_get_bit(snode, i))			continue;		ebitmap_for_each_bit(tattr, tnode, j) {			if (!ebitmap_node_get_bit(tnode, j))				continue;			avkey.source_type = i + 1;			avkey.target_type = j + 1;			for (node = avtab_search_node(&policydb.te_avtab, &avkey);			     node != NULL;			     node = avtab_search_node_next(node, avkey.specified)) {				if (node->key.specified == AVTAB_ALLOWED)					avd->allowed |= node->datum.data;				else if (node->key.specified == AVTAB_AUDITALLOW)					avd->auditallow |= node->datum.data;				else if (node->key.specified == AVTAB_AUDITDENY)					avd->auditdeny &= node->datum.data;			}			/* Check conditional av table for additional permissions */			cond_compute_av(&policydb.te_cond_avtab, &avkey, avd);		}	}	/*	 * Remove any permissions prohibited by a constraint (this includes	 * the MLS policy).	 */	constraint = tclass_datum->constraints;	while (constraint) {		if ((constraint->permissions & (avd->allowed)) &&		    !constraint_expr_eval(scontext, tcontext, NULL,					  constraint->expr)) {			avd->allowed = (avd->allowed) & ~(constraint->permissions);		}		constraint = constraint->next;	}	/*	 * If checking process transition permission and the	 * role is changing, then check the (current_role, new_role)	 * pair.	 */	if (tclass == SECCLASS_PROCESS &&	    (avd->allowed & (PROCESS__TRANSITION | PROCESS__DYNTRANSITION)) &&	    scontext->role != tcontext->role) {		for (ra = policydb.role_allow; ra; ra = ra->next) {			if (scontext->role == ra->role &&			    tcontext->role == ra->new_role)				break;		}		if (!ra)			avd->allowed = (avd->allowed) & ~(PROCESS__TRANSITION |			                                PROCESS__DYNTRANSITION);	}	return 0;}static int security_validtrans_handle_fail(struct context *ocontext,                                           struct context *ncontext,                                           struct context *tcontext,                                           u16 tclass){	char *o = NULL, *n = NULL, *t = NULL;	u32 olen, nlen, tlen;	if (context_struct_to_string(ocontext, &o, &olen) < 0)		goto out;	if (context_struct_to_string(ncontext, &n, &nlen) < 0)		goto out;	if (context_struct_to_string(tcontext, &t, &tlen) < 0)		goto out;	audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,	          "security_validate_transition:  denied for"	          " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",	          o, n, t, policydb.p_class_val_to_name[tclass-1]);out:	kfree(o);	kfree(n);	kfree(t);	if (!selinux_enforcing)		return 0;	return -EPERM;}int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,                                 u16 tclass){	struct context *ocontext;	struct context *ncontext;	struct context *tcontext;	struct class_datum *tclass_datum;	struct constraint_node *constraint;	int rc = 0;	if (!ss_initialized)		return 0;	POLICY_RDLOCK;	/*	 * Remap extended Netlink classes for old policy versions.	 * Do this here rather than socket_type_to_security_class()	 * in case a newer policy version is loaded, allowing sockets	 * to remain in the correct class.	 */	if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)		if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&		    tclass <= SECCLASS_NETLINK_DNRT_SOCKET)			tclass = SECCLASS_NETLINK_SOCKET;	if (!tclass || tclass > policydb.p_classes.nprim) {		printk(KERN_ERR "security_validate_transition:  "		       "unrecognized class %d\n", tclass);		rc = -EINVAL;		goto out;	}	tclass_datum = policydb.class_val_to_struct[tclass - 1];	ocontext = sidtab_search(&sidtab, oldsid);	if (!ocontext) {		printk(KERN_ERR "security_validate_transition: "		       " unrecognized SID %d\n", oldsid);		rc = -EINVAL;		goto out;	}	ncontext = sidtab_search(&sidtab, newsid);	if (!ncontext) {		printk(KERN_ERR "security_validate_transition: "		       " unrecognized SID %d\n", newsid);		rc = -EINVAL;		goto out;	}	tcontext = sidtab_search(&sidtab, tasksid);	if (!tcontext) {		printk(KERN_ERR "security_validate_transition: "		       " unrecognized SID %d\n", tasksid);		rc = -EINVAL;		goto out;	}	constraint = tclass_datum->validatetrans;	while (constraint) {		if (!constraint_expr_eval(ocontext, ncontext, tcontext,		                          constraint->expr)) {			rc = security_validtrans_handle_fail(ocontext, ncontext,			                                     tcontext, tclass);			goto out;		}		constraint = constraint->next;	}out:	POLICY_RDUNLOCK;	return rc;}/** * security_compute_av - Compute access vector decisions. * @ssid: source security identifier * @tsid: target security identifier * @tclass: target security class * @requested: requested permissions * @avd: access vector decisions * * Compute a set of access vector decisions based on the * SID pair (@ssid, @tsid) for the permissions in @tclass. * Return -%EINVAL if any of the parameters are invalid or %0 * if the access vector decisions were computed successfully. */int security_compute_av(u32 ssid,			u32 tsid,			u16 tclass,			u32 requested,			struct av_decision *avd){	struct context *scontext = NULL, *tcontext = NULL;	int rc = 0;	if (!ss_initialized) {		avd->allowed = 0xffffffff;		avd->decided = 0xffffffff;		avd->auditallow = 0;		avd->auditdeny = 0xffffffff;		avd->seqno = latest_granting;		return 0;	}	POLICY_RDLOCK;	scontext = sidtab_search(&sidtab, ssid);	if (!scontext) {		printk(KERN_ERR "security_compute_av:  unrecognized SID %d\n",		       ssid);		rc = -EINVAL;		goto out;	}	tcontext = sidtab_search(&sidtab, tsid);	if (!tcontext) {		printk(KERN_ERR "security_compute_av:  unrecognized SID %d\n",		       tsid);		rc = -EINVAL;		goto out;	}	rc = context_struct_compute_av(scontext, tcontext, tclass,				       requested, avd);out:	POLICY_RDUNLOCK;	return rc;}/* * Write the security context string representation of * the context structure `context' into a dynamically * allocated string of the correct size.  Set `*scontext' * to point to this string and set `*scontext_len' to * the length of the string. */static int context_struct_to_string(struct context *context, char **scontext, u32 *scontext_len){	char *scontextp;	*scontext = NULL;	*scontext_len = 0;	/* Compute the size of the context. */	*scontext_len += strlen(policydb.p_user_val_to_name[context->user - 1]) + 1;	*scontext_len += strlen(policydb.p_role_val_to_name[context->role - 1]) + 1;	*scontext_len += strlen(policydb.p_type_val_to_name[context->type - 1]) + 1;	*scontext_len += mls_compute_context_len(context);	/* Allocate space for the context; caller must free this space. */	scontextp = kmalloc(*scontext_len, GFP_ATOMIC);	if (!scontextp) {		return -ENOMEM;	}	*scontext = scontextp;	/*	 * Copy the user name, role name and type name into the context.	 */	sprintf(scontextp, "%s:%s:%s",		policydb.p_user_val_to_name[context->user - 1],		policydb.p_role_val_to_name[context->role - 1],		policydb.p_type_val_to_name[context->type - 1]);	scontextp += strlen(policydb.p_user_val_to_name[context->user - 1]) +	             1 + strlen(policydb.p_role_val_to_name[context->role - 1]) +	             1 + strlen(policydb.p_type_val_to_name[context->type - 1]);	mls_sid_to_context(context, &scontextp);	*scontextp = 0;	return 0;}#include "initial_sid_to_string.h"/** * security_sid_to_context - Obtain a context for a given SID. * @sid: security identifier, SID * @scontext: security context * @scontext_len: length in bytes * * Write the string representation of the context associated with @sid * into a dynamically allocated string of the correct size.  Set @scontext * to point to this string and set @scontext_len to the length of the string. */int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len){	struct context *context;	int rc = 0;	if (!ss_initialized) {		if (sid <= SECINITSID_NUM) {			char *scontextp;			*scontext_len = strlen(initial_sid_to_string[sid]) + 1;			scontextp = kmalloc(*scontext_len,GFP_ATOMIC);			strcpy(scontextp, initial_sid_to_string[sid]);			*scontext = scontextp;			goto out;		}		printk(KERN_ERR "security_sid_to_context:  called before initial "		       "load_policy on unknown SID %d\n", sid);		rc = -EINVAL;		goto out;	}	POLICY_RDLOCK;	context = sidtab_search(&sidtab, sid);