
?? services.c

?? xen虛擬機源代碼安裝包
?? C
?? 第 1 頁 / 共 3 頁
/*
 * Implementation of the security services.
 *
 * Authors : Stephen Smalley, <sds@epoch.ncsc.mil>
 *           James Morris <jmorris@redhat.com>
 *
 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
 *
 *    Support for enhanced MLS infrastructure.
 *
 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
 *
 *     Added conditional policy language extensions
 *
 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
 * Copyright (C) 2003 - 2004 Tresys Technology, LLC
 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
 *    This program is free software; you can redistribute it and/or modify
 *      it under the terms of the GNU General Public License as published by
 *    the Free Software Foundation, version 2.
 */

/* Ported to Xen 3.0, George Coker, <gscoker@alpha.ncsc.mil> */

#include <xen/lib.h>
#include <xen/xmalloc.h>
#include <xen/string.h>
#include <xen/spinlock.h>
#include <xen/errno.h>
#include "flask.h"
#include "avc.h"
#include "avc_ss.h"
#include "security.h"
#include "context.h"
#include "policydb.h"
#include "sidtab.h"
#include "services.h"
#include "conditional.h"
#include "mls.h"

unsigned int policydb_loaded_version;

/*
 * Reader/writer lock taken by the entry points below around every sidtab
 * lookup and policydb access.  The read side uses plain read_lock(); the
 * write side uses the _irq variants.  No writer is visible in this part of
 * the listing.
 */
static DEFINE_RWLOCK(policy_rwlock);
#define POLICY_RDLOCK read_lock(&policy_rwlock)
#define POLICY_WRLOCK write_lock_irq(&policy_rwlock)
#define POLICY_RDUNLOCK read_unlock(&policy_rwlock)
#define POLICY_WRUNLOCK write_unlock_irq(&policy_rwlock)

/*
 * Despite the "_sem" name this is a spinlock.  Its users are not visible in
 * this part of the listing.
 */
static DEFINE_SPINLOCK(load_sem);
#define LOAD_LOCK spin_lock(&load_sem)
#define LOAD_UNLOCK spin_unlock(&load_sem)

static struct sidtab sidtab;
struct policydb policydb;

/*
 * While this is zero, security_compute_av() reports every permission as
 * allowed and security_validate_transition() accepts every transition.
 * The code that sets it is not visible here; presumably the policy loader.
 */
int ss_initialized = 0;

/*
 * The largest sequence number that has been used when
 * providing an access decision to the access vector cache.
 * The sequence number only changes when a policy change
 * occurs.
 */
static u32 latest_granting = 0;

/* Forward declaration. */
static int context_struct_to_string(struct context *context, char **scontext,
                                                            u32 *scontext_len);

/*
 * Return the boolean value of a constraint expression
 * when it is applied to the specified source and target
 * security contexts.
 *
 * xcontext is a special beast...  It is used by the validatetrans rules
 * only.  For these rules, scontext is the context before the transition,
 * tcontext is the context after the transition, and xcontext is the context
 * of the process performing the transition.  All other callers of
 * constraint_expr_eval should pass in NULL for xcontext.
 *
 * The expression is a linked list evaluated in postfix order on the local
 * stack s[]: CEXPR_ATTR and CEXPR_NAMES nodes push one value, CEXPR_NOT
 * rewrites the top value, CEXPR_AND and CEXPR_OR combine the top two.
 *
 * Failure behaviour:
 *  - If a push would exceed CEXPR_MAXDEPTH the function returns 0, i.e. the
 *    constraint is reported as not satisfied.  Both callers in this file
 *    treat 0 as "deny" (permissions stripped / transition rejected).
 *  - Stack underflow, an unknown node type or operator, a NULL xcontext for
 *    a CEXPR_XTARGET node, and a final stack depth other than one (which
 *    includes an empty expression list) all hit BUG()/BUG_ON().
 *
 * NOTE(review): user/role/type values are used as 1-based indices
 * (val - 1) without a range check here; this assumes they were validated
 * when the policy and the contexts were created -- confirm against the
 * loader.
 */
static int constraint_expr_eval(struct context *scontext,
                            struct context *tcontext, struct context *xcontext,
                                                 struct constraint_expr *cexpr)
{
    u32 val1, val2;
    struct context *c;
    struct role_datum *r1, *r2;
    struct mls_level *l1, *l2;
    struct constraint_expr *e;
    int s[CEXPR_MAXDEPTH];      /* evaluation stack */
    int sp = -1;                /* index of the top of s[]; -1 means empty */

    for ( e = cexpr; e; e = e->next )
    {
        switch ( e->expr_type )
        {
            case CEXPR_NOT:
                BUG_ON(sp < 0);
                s[sp] = !s[sp];
            break;
            case CEXPR_AND:
                BUG_ON(sp < 1);
                sp--;
                s[sp] &= s[sp+1];
            break;
            case CEXPR_OR:
                BUG_ON(sp < 1);
                sp--;
                s[sp] |= s[sp+1];
            break;
            case CEXPR_ATTR:
                /* Stack full: report the constraint as not satisfied. */
                if ( sp == (CEXPR_MAXDEPTH-1) )
                    return 0;
            switch ( e->attr )
            {
                case CEXPR_USER:
                    val1 = scontext->user;
                    val2 = tcontext->user;
                    break;
                case CEXPR_TYPE:
                    val1 = scontext->type;
                    val2 = tcontext->type;
                    break;
                case CEXPR_ROLE:
                    val1 = scontext->role;
                    val2 = tcontext->role;
                    r1 = policydb.role_val_to_struct[val1 - 1];
                    r2 = policydb.role_val_to_struct[val2 - 1];
                /*
                 * Dominance operators are answered here and `continue'
                 * moves on to the next expression node.  Any other
                 * operator falls out to the generic EQ/NEQ comparison
                 * of val1 and val2 below.
                 */
                switch ( e->op )
                {
                    case CEXPR_DOM:
                        s[++sp] = ebitmap_get_bit(&r1->dominates, val2 - 1);
                    continue;
                    case CEXPR_DOMBY:
                        s[++sp] = ebitmap_get_bit(&r2->dominates, val1 - 1);
                    continue;
                    case CEXPR_INCOMP:
                        s[++sp] = ( !ebitmap_get_bit(&r1->dominates,
                                         val2 - 1) &&
                                !ebitmap_get_bit(&r2->dominates,
                                         val1 - 1) );
                    continue;
                    default:
                    break;
                }
                break;
                /*
                 * MLS level comparisons: pick the two levels to compare
                 * (index 0 or 1 of the source or target range) and jump
                 * to the shared operator switch.
                 */
                case CEXPR_L1L2:
                    l1 = &(scontext->range.level[0]);
                    l2 = &(tcontext->range.level[0]);
                    goto mls_ops;
                case CEXPR_L1H2:
                    l1 = &(scontext->range.level[0]);
                    l2 = &(tcontext->range.level[1]);
                    goto mls_ops;
                case CEXPR_H1L2:
                    l1 = &(scontext->range.level[1]);
                    l2 = &(tcontext->range.level[0]);
                    goto mls_ops;
                case CEXPR_H1H2:
                    l1 = &(scontext->range.level[1]);
                    l2 = &(tcontext->range.level[1]);
                    goto mls_ops;
                case CEXPR_L1H1:
                    l1 = &(scontext->range.level[0]);
                    l2 = &(scontext->range.level[1]);
                    goto mls_ops;
                case CEXPR_L2H2:
                    l1 = &(tcontext->range.level[0]);
                    l2 = &(tcontext->range.level[1]);
                    goto mls_ops;
mls_ops:
            /* Every recognised operator pushes its result and continues. */
            switch ( e->op )
            {
                case CEXPR_EQ:
                    s[++sp] = mls_level_eq(l1, l2);
                continue;
                case CEXPR_NEQ:
                    s[++sp] = !mls_level_eq(l1, l2);
                continue;
                case CEXPR_DOM:
                    s[++sp] = mls_level_dom(l1, l2);
                continue;
                case CEXPR_DOMBY:
                    s[++sp] = mls_level_dom(l2, l1);
                continue;
                case CEXPR_INCOMP:
                    s[++sp] = mls_level_incomp(l2, l1);
                continue;
                default:
                    BUG();
                    return 0;
            }
            break;
            default:
                BUG();
                return 0;
            }
            /* Generic comparison for user, type and non-dominance role ops. */
            switch ( e->op )
            {
                case CEXPR_EQ:
                    s[++sp] = (val1 == val2);
                break;
                case CEXPR_NEQ:
                    s[++sp] = (val1 != val2);
                break;
                default:
                    BUG();
                    return 0;
            }
            break;
            case CEXPR_NAMES:
                /* Stack full: report the constraint as not satisfied. */
                if ( sp == (CEXPR_MAXDEPTH-1) )
                    return 0;
                /* Select which context the name set is tested against. */
                c = scontext;
                if ( e->attr & CEXPR_TARGET )
                    c = tcontext;
                else if ( e->attr & CEXPR_XTARGET )
                {
                    c = xcontext;
                    if ( !c )
                    {
                        BUG();
                        return 0;
                    }
                }
                if ( e->attr & CEXPR_USER )
                    val1 = c->user;
                else if ( e->attr & CEXPR_ROLE )
                    val1 = c->role;
                else if ( e->attr & CEXPR_TYPE )
                    val1 = c->type;
                else
                {
                    BUG();
                    return 0;
                }
            /* Membership test of the selected value in the node's name set. */
            switch ( e->op )
            {
                case CEXPR_EQ:
                    s[++sp] = ebitmap_get_bit(&e->names, val1 - 1);
                break;
                case CEXPR_NEQ:
                    s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1);
                break;
                default:
                    BUG();
                    return 0;
            }
            break;
            default:
                BUG();
                return 0;
        }
    }

    /* A well-formed expression leaves exactly one value on the stack. */
    BUG_ON(sp != 0);
    return s[0];
}

/*
 * Compute access vectors based on a context structure pair for
 * the permissions in a particular class.
 *
 * Returns -EINVAL if tclass is zero or larger than the number of classes in
 * the loaded policy, 0 otherwise.  On success *avd starts from "nothing
 * allowed" and gains permissions only from matching access vector table
 * entries and the conditional table; constraints that evaluate to false
 * then strip their permissions again.
 *
 * This function takes no lock itself; the caller visible in this file
 * (security_compute_av) holds the policy read lock around the call.
 *
 * NOTE(review): `requested' is not read anywhere in this body.
 */
static int context_struct_compute_av(struct context *scontext,
                            struct context *tcontext, u16 tclass, u32 requested,
                                                         struct av_decision *avd)
{
    struct constraint_node *constraint;
    struct role_allow *ra;
    struct avtab_key avkey;
    struct avtab_node *node;
    struct class_datum *tclass_datum;
    struct ebitmap *sattr, *tattr;
    struct ebitmap_node *snode, *tnode;
    unsigned int i, j;

    /* Range-check the class before it is used as a 1-based array index. */
    if ( !tclass || tclass > policydb.p_classes.nprim )
    {
        printk(KERN_ERR "security_compute_av:  unrecognized class %d\n",
               tclass);
        return -EINVAL;
    }
    tclass_datum = policydb.class_val_to_struct[tclass - 1];

    /*
     * Initialize the access vectors to the default values.
     */
    avd->allowed = 0;
    avd->decided = 0xffffffff;
    avd->auditallow = 0;
    avd->auditdeny = 0xffffffff;
    avd->seqno = latest_granting;

    /*
     * If a specific type enforcement rule was defined for
     * this permission check, then use it.
     *
     * Every set bit in the source type's attribute map is paired with
     * every set bit in the target type's attribute map, and each pair is
     * looked up in the access vector table.
     * NOTE(review): the type values are used as indices without a range
     * check here -- assumed valid for contexts held in the sidtab.
     */
    avkey.target_class = tclass;
    avkey.specified = AVTAB_AV;
    sattr = &policydb.type_attr_map[scontext->type - 1];
    tattr = &policydb.type_attr_map[tcontext->type - 1];
    ebitmap_for_each_bit(sattr, snode, i)
    {
        if ( !ebitmap_node_get_bit(snode, i) )
            continue;
        ebitmap_for_each_bit(tattr, tnode, j)
        {
            if ( !ebitmap_node_get_bit(tnode, j) )
                continue;
            avkey.source_type = i + 1;
            avkey.target_type = j + 1;
            for ( node = avtab_search_node(&policydb.te_avtab, &avkey);
                 node != NULL;
                 node = avtab_search_node_next(node, avkey.specified) )
            {
                /* allowed/auditallow accumulate; auditdeny is narrowed. */
                if ( node->key.specified == AVTAB_ALLOWED )
                    avd->allowed |= node->datum.data;
                else if ( node->key.specified == AVTAB_AUDITALLOW )
                    avd->auditallow |= node->datum.data;
                else if ( node->key.specified == AVTAB_AUDITDENY )
                    avd->auditdeny &= node->datum.data;
            }

            /* Check conditional av table for additional permissions */
            cond_compute_av(&policydb.te_cond_avtab, &avkey, avd);
        }
    }

    /*
     * Remove any permissions prohibited by a constraint (this includes
     * the MLS policy).
     *
     * A constraint is only evaluated when it covers a permission that is
     * currently allowed.
     */
    constraint = tclass_datum->constraints;
    while ( constraint )
    {
        if ( (constraint->permissions & (avd->allowed) ) &&
            !constraint_expr_eval(scontext, tcontext, NULL, constraint->expr))
        {
            avd->allowed = (avd->allowed) & ~(constraint->permissions);
        }
        constraint = constraint->next;
    }

    /*
     * If checking process transition permission and the
     * role is changing, then check the (current_role, new_role)
     * pair.
     *
     * NOTE(review): as written this check has no effect.  The loop below
     * searches the role_allow list for the (role, new_role) pair, but the
     * statement that would strip the transition permissions when no entry
     * is found is commented out, so `ra' is never acted on.  Role changes
     * are therefore not restricted by role_allow rules in this function.
     */
    if ( tclass == SECCLASS_DOMAIN &&
/* removed until future dynamic domain capability
        (avd->allowed & (DOMAIN__TRANSITION | DOMAIN__DYNTRANSITION)) &&
*/
                                            scontext->role != tcontext->role )
        {
        for ( ra = policydb.role_allow; ra; ra = ra->next )
        {
            if ( scontext->role == ra->role && tcontext->role == ra->new_role )
                break;
        }
/* removed until future dynamic domain capability
            if (!ra)
            avd->allowed = (avd->allowed) & ~(DOMAIN__TRANSITION |
                                            DOMAIN__DYNTRANSITION);
*/
    }

    return 0;
}

/*
 * Report a failed validatetrans constraint and decide whether the failure
 * is enforced.
 *
 * The old, new and task contexts are rendered to strings and logged with
 * printk.  If any rendering fails the message is skipped, but the return
 * value is decided the same way.
 *
 * Returns 0 when flask_enforcing is zero (the denial is logged but the
 * transition is let through), -EPERM otherwise.
 */
static int security_validtrans_handle_fail(struct context *ocontext,
                struct context *ncontext, struct context *tcontext, u16 tclass)
{
    char *o = NULL, *n = NULL, *t = NULL;
    u32 olen, nlen, tlen;

    if ( context_struct_to_string(ocontext, &o, &olen) < 0 )
        goto out;
    if ( context_struct_to_string(ncontext, &n, &nlen) < 0 )
        goto out;
    if ( context_struct_to_string(tcontext, &t, &tlen) < 0 )
        goto out;
    /*
     * tclass is used as an index without a check here; the caller visible
     * in this file range-checks it first.
     * NOTE(review): unlike the other messages in this file this one has no
     * trailing newline and no log level.
     */
    printk("security_validate_transition:  denied for"
              " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
              o, n, t, policydb.p_class_val_to_name[tclass-1]);
out:
    /* The strings were allocated by context_struct_to_string(). */
    xfree(o);
    xfree(n);
    xfree(t);

    if ( !flask_enforcing )
        return 0;
    return -EPERM;
}

/*
 * Evaluate the validatetrans constraints of class tclass for a change from
 * oldsid to newsid performed by the task identified by tasksid.
 *
 * Returns 0 if every constraint holds, -EINVAL if the class or any of the
 * SIDs is not recognised, and otherwise whatever
 * security_validtrans_handle_fail() returns for the first failing
 * constraint.
 *
 * Before ss_initialized is set the function returns 0 without evaluating
 * anything, so every transition is accepted until a policy is in place.
 */
int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
                                 u16 tclass)
{
    struct context *ocontext;
    struct context *ncontext;
    struct context *tcontext;
    struct class_datum *tclass_datum;
    struct constraint_node *constraint;
    int rc = 0;

    if ( !ss_initialized )
        return 0;

    /* The context pointers below are only used while the read lock is held. */
    POLICY_RDLOCK;

    if ( !tclass || tclass > policydb.p_classes.nprim )
    {
        printk(KERN_ERR "security_validate_transition: "
                                            "unrecognized class %d\n", tclass);
        rc = -EINVAL;
        goto out;
    }
    tclass_datum = policydb.class_val_to_struct[tclass - 1];

    /* NOTE(review): SIDs are u32 but are printed with %d below. */
    ocontext = sidtab_search(&sidtab, oldsid);
    if ( !ocontext )
    {
        printk(KERN_ERR "security_validate_transition: "
               " unrecognized SID %d\n", oldsid);
        rc = -EINVAL;
        goto out;
    }

    ncontext = sidtab_search(&sidtab, newsid);
    if ( !ncontext )
    {
        printk(KERN_ERR "security_validate_transition: "
               " unrecognized SID %d\n", newsid);
        rc = -EINVAL;
        goto out;
    }

    tcontext = sidtab_search(&sidtab, tasksid);
    if ( !tcontext )
    {
        printk(KERN_ERR "security_validate_transition: "
               " unrecognized SID %d\n", tasksid);
        rc = -EINVAL;
        goto out;
    }

    /* Stop at the first constraint that evaluates to false. */
    constraint = tclass_datum->validatetrans;
    while ( constraint )
    {
        if ( !constraint_expr_eval(ocontext, ncontext, tcontext,
                                                            constraint->expr) )
        {
            rc = security_validtrans_handle_fail(ocontext, ncontext,
                                                 tcontext, tclass);
            goto out;
        }
        constraint = constraint->next;
    }

out:
    POLICY_RDUNLOCK;
    return rc;
}

/**
 * security_compute_av - Compute access vector decisions.
 * @ssid: source security identifier
 * @tsid: target security identifier
 * @tclass: target security class
 * @requested: requested permissions
 * @avd: access vector decisions
 *
 * Compute a set of access vector decisions based on the
 * SID pair (@ssid, @tsid) for the permissions in @tclass.
 * Return -%EINVAL if any of the parameters are invalid or %0
 * if the access vector decisions were computed successfully.
 *
 * While ss_initialized is zero the decision is filled in as "everything
 * allowed, everything decided" and %0 is returned without looking at the
 * SIDs or the class.  Access control through this function is therefore
 * not enforced until a policy has been loaded.
 *
 * @tclass is validated inside context_struct_compute_av(), not here.
 */
int security_compute_av(u32 ssid, u32 tsid, u16 tclass, u32 requested,
                                                    struct av_decision *avd)
{
    struct context *scontext = NULL, *tcontext = NULL;
    int rc = 0;

    if ( !ss_initialized )
    {
        /* No policy yet: grant all permissions (fail-open by design). */
        avd->allowed = 0xffffffff;
        avd->decided = 0xffffffff;
        avd->auditallow = 0;
        avd->auditdeny = 0xffffffff;
        avd->seqno = latest_granting;
        return 0;
    }

    /* Hold the read lock for the lookups and the whole computation. */
    POLICY_RDLOCK;

    scontext = sidtab_search(&sidtab, ssid);
    if ( !scontext )
    {
        printk("security_compute_av:  unrecognized SID %d\n", ssid);
        rc = -EINVAL;
        goto out;
    }
    tcontext = sidtab_search(&sidtab, tsid);
    if ( !tcontext )
    {
        printk("security_compute_av:  unrecognized SID %d\n", tsid);
        rc = -EINVAL;
        goto out;
    }

    rc = context_struct_compute_av(scontext, tcontext, tclass, requested, avd);
out:
    POLICY_RDUNLOCK;
    return rc;
}

/*
 * Write the security context string representation of
 * the context structure `context' into a dynamically
 * allocated string of the correct size.  Set `*scontext'
 * to point to this string and set `*scontext_len' to
 * the length of the string.
 *
 * Returns -ENOMEM if the allocation fails; in that case `*scontext' is
 * left NULL.  The caller owns the returned string and must free it.
 *
 * NOTE(review): the user, role and type values index the policydb name
 * tables directly (val - 1) with no range check in the visible part of
 * this function -- assumed valid for contexts coming from the sidtab.
 */
static int context_struct_to_string(struct context *context, char **scontext, u32 *scontext_len)
{
    char *scontextp;

    *scontext = NULL;
    *scontext_len = 0;

    /* Compute the size of the context. */
    /*
     * Each name contributes its length plus one byte; presumably the extra
     * bytes cover the ':' separators and the terminator -- confirm against
     * mls_compute_context_len().
     */
    *scontext_len += strlen(policydb.p_user_val_to_name[context->user - 1]) + 1;
    *scontext_len += strlen(policydb.p_role_val_to_name[context->role - 1]) + 1;
    *scontext_len += strlen(policydb.p_type_val_to_name[context->type - 1]) + 1;
    *scontext_len += mls_compute_context_len(context);

    /* Allocate space for the context; caller must free this space. */
    scontextp = xmalloc_array(char, *scontext_len);
    if ( !scontextp )
        return -ENOMEM;

    *scontext = scontextp;

    /*
     * Copy the user name, role name and type name into the context.
     * The write is bounded by the length computed above.
     */
    snprintf(scontextp, *scontext_len, "%s:%s:%s",
        policydb.p_user_val_to_name[context->user - 1],
        policydb.p_role_val_to_name[context->role - 1],
        policydb.p_type_val_to_name[context->type - 1]);
    scontextp += strlen(policydb.p_user_val_to_name[context->user - 1]) +
                 1 + strlen(policydb.p_role_val_to_name[context->role - 1]) +
/* The listing is cut off here; the rest of this function is not shown. */
