diff options
Diffstat (limited to 'ANDROID_3.4.5/security/selinux')
48 files changed, 0 insertions, 23047 deletions
diff --git a/ANDROID_3.4.5/security/selinux/Kconfig b/ANDROID_3.4.5/security/selinux/Kconfig deleted file mode 100644 index bca1b74a..00000000 --- a/ANDROID_3.4.5/security/selinux/Kconfig +++ /dev/null @@ -1,133 +0,0 @@ -config SECURITY_SELINUX - bool "NSA SELinux Support" - depends on SECURITY_NETWORK && AUDIT && NET && INET - select NETWORK_SECMARK - default n - help - This selects NSA Security-Enhanced Linux (SELinux). - You will also need a policy configuration and a labeled filesystem. - If you are unsure how to answer this question, answer N. - -config SECURITY_SELINUX_BOOTPARAM - bool "NSA SELinux boot parameter" - depends on SECURITY_SELINUX - default n - help - This option adds a kernel parameter 'selinux', which allows SELinux - to be disabled at boot. If this option is selected, SELinux - functionality can be disabled with selinux=0 on the kernel - command line. The purpose of this option is to allow a single - kernel image to be distributed with SELinux built in, but not - necessarily enabled. - - If you are unsure how to answer this question, answer N. - -config SECURITY_SELINUX_BOOTPARAM_VALUE - int "NSA SELinux boot parameter default value" - depends on SECURITY_SELINUX_BOOTPARAM - range 0 1 - default 1 - help - This option sets the default value for the kernel parameter - 'selinux', which allows SELinux to be disabled at boot. If this - option is set to 0 (zero), the SELinux kernel parameter will - default to 0, disabling SELinux at bootup. If this option is - set to 1 (one), the SELinux kernel parameter will default to 1, - enabling SELinux at bootup. - - If you are unsure how to answer this question, answer 1. - -config SECURITY_SELINUX_DISABLE - bool "NSA SELinux runtime disable" - depends on SECURITY_SELINUX - default n - help - This option enables writing to a selinuxfs node 'disable', which - allows SELinux to be disabled at runtime prior to the policy load. - SELinux will then remain disabled until the next boot. - This option is similar to the selinux=0 boot parameter, but is to - support runtime disabling of SELinux, e.g. from /sbin/init, for - portability across platforms where boot parameters are difficult - to employ. - - If you are unsure how to answer this question, answer N. - -config SECURITY_SELINUX_DEVELOP - bool "NSA SELinux Development Support" - depends on SECURITY_SELINUX - default y - help - This enables the development support option of NSA SELinux, - which is useful for experimenting with SELinux and developing - policies. If unsure, say Y. With this option enabled, the - kernel will start in permissive mode (log everything, deny nothing) - unless you specify enforcing=1 on the kernel command line. You - can interactively toggle the kernel between enforcing mode and - permissive mode (if permitted by the policy) via /selinux/enforce. - -config SECURITY_SELINUX_AVC_STATS - bool "NSA SELinux AVC Statistics" - depends on SECURITY_SELINUX - default y - help - This option collects access vector cache statistics to - /selinux/avc/cache_stats, which may be monitored via - tools such as avcstat. - -config SECURITY_SELINUX_CHECKREQPROT_VALUE - int "NSA SELinux checkreqprot default value" - depends on SECURITY_SELINUX - range 0 1 - default 1 - help - This option sets the default value for the 'checkreqprot' flag - that determines whether SELinux checks the protection requested - by the application or the protection that will be applied by the - kernel (including any implied execute for read-implies-exec) for - mmap and mprotect calls. If this option is set to 0 (zero), - SELinux will default to checking the protection that will be applied - by the kernel. If this option is set to 1 (one), SELinux will - default to checking the protection requested by the application. - The checkreqprot flag may be changed from the default via the - 'checkreqprot=' boot parameter. It may also be changed at runtime - via /selinux/checkreqprot if authorized by policy. - - If you are unsure how to answer this question, answer 1. - -config SECURITY_SELINUX_POLICYDB_VERSION_MAX - bool "NSA SELinux maximum supported policy format version" - depends on SECURITY_SELINUX - default n - help - This option enables the maximum policy format version supported - by SELinux to be set to a particular value. This value is reported - to userspace via /selinux/policyvers and used at policy load time. - It can be adjusted downward to support legacy userland (init) that - does not correctly handle kernels that support newer policy versions. - - Examples: - For the Fedora Core 3 or 4 Linux distributions, enable this option - and set the value via the next option. For Fedora Core 5 and later, - do not enable this option. - - If you are unsure how to answer this question, answer N. - -config SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE - int "NSA SELinux maximum supported policy format version value" - depends on SECURITY_SELINUX_POLICYDB_VERSION_MAX - range 15 23 - default 19 - help - This option sets the value for the maximum policy format version - supported by SELinux. - - Examples: - For Fedora Core 3, use 18. - For Fedora Core 4, use 19. - - If you are unsure how to answer this question, look for the - policy format version supported by your policy toolchain, by - running 'checkpolicy -V'. Or look at what policy you have - installed under /etc/selinux/$SELINUXTYPE/policy, where - SELINUXTYPE is defined in your /etc/selinux/config. - diff --git a/ANDROID_3.4.5/security/selinux/Makefile b/ANDROID_3.4.5/security/selinux/Makefile deleted file mode 100644 index ad5cd76e..00000000 --- a/ANDROID_3.4.5/security/selinux/Makefile +++ /dev/null @@ -1,25 +0,0 @@ -# -# Makefile for building the SELinux module as part of the kernel tree. -# - -obj-$(CONFIG_SECURITY_SELINUX) := selinux.o - -selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o \ - netnode.o netport.o exports.o \ - ss/ebitmap.o ss/hashtab.o ss/symtab.o ss/sidtab.o ss/avtab.o \ - ss/policydb.o ss/services.o ss/conditional.o ss/mls.o ss/status.o - -selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o - -selinux-$(CONFIG_NETLABEL) += netlabel.o - -ccflags-y := -Isecurity/selinux -Isecurity/selinux/include - -$(addprefix $(obj)/,$(selinux-y)): $(obj)/flask.h - -quiet_cmd_flask = GEN $(obj)/flask.h $(obj)/av_permissions.h - cmd_flask = scripts/selinux/genheaders/genheaders $(obj)/flask.h $(obj)/av_permissions.h - -targets += flask.h av_permissions.h -$(obj)/flask.h: $(src)/include/classmap.h FORCE - $(call if_changed,flask) diff --git a/ANDROID_3.4.5/security/selinux/avc.c b/ANDROID_3.4.5/security/selinux/avc.c deleted file mode 100644 index 8ee42b2a..00000000 --- a/ANDROID_3.4.5/security/selinux/avc.c +++ /dev/null @@ -1,886 +0,0 @@ -/* - * Implementation of the kernel access vector cache (AVC). - * - * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> - * James Morris <jmorris@redhat.com> - * - * Update: KaiGai, Kohei <kaigai@ak.jp.nec.com> - * Replaced the avc_lock spinlock by RCU. - * - * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2, - * as published by the Free Software Foundation. - */ -#include <linux/types.h> -#include <linux/stddef.h> -#include <linux/kernel.h> -#include <linux/slab.h> -#include <linux/fs.h> -#include <linux/dcache.h> -#include <linux/init.h> -#include <linux/skbuff.h> -#include <linux/percpu.h> -#include <net/sock.h> -#include <linux/un.h> -#include <net/af_unix.h> -#include <linux/ip.h> -#include <linux/audit.h> -#include <linux/ipv6.h> -#include <net/ipv6.h> -#include "avc.h" -#include "avc_ss.h" -#include "classmap.h" - -#define AVC_CACHE_SLOTS 512 -#define AVC_DEF_CACHE_THRESHOLD 512 -#define AVC_CACHE_RECLAIM 16 - -#ifdef CONFIG_SECURITY_SELINUX_AVC_STATS -#define avc_cache_stats_incr(field) this_cpu_inc(avc_cache_stats.field) -#else -#define avc_cache_stats_incr(field) do {} while (0) -#endif - -struct avc_entry { - u32 ssid; - u32 tsid; - u16 tclass; - struct av_decision avd; -}; - -struct avc_node { - struct avc_entry ae; - struct hlist_node list; /* anchored in avc_cache->slots[i] */ - struct rcu_head rhead; -}; - -struct avc_cache { - struct hlist_head slots[AVC_CACHE_SLOTS]; /* head for avc_node->list */ - spinlock_t slots_lock[AVC_CACHE_SLOTS]; /* lock for writes */ - atomic_t lru_hint; /* LRU hint for reclaim scan */ - atomic_t active_nodes; - u32 latest_notif; /* latest revocation notification */ -}; - -struct avc_callback_node { - int (*callback) (u32 event, u32 ssid, u32 tsid, - u16 tclass, u32 perms, - u32 *out_retained); - u32 events; - u32 ssid; - u32 tsid; - u16 tclass; - u32 perms; - struct avc_callback_node *next; -}; - -/* Exported via selinufs */ -unsigned int avc_cache_threshold = AVC_DEF_CACHE_THRESHOLD; - -#ifdef CONFIG_SECURITY_SELINUX_AVC_STATS -DEFINE_PER_CPU(struct avc_cache_stats, avc_cache_stats) = { 0 }; -#endif - -static struct avc_cache avc_cache; -static struct avc_callback_node *avc_callbacks; -static struct kmem_cache *avc_node_cachep; - -static inline int avc_hash(u32 ssid, u32 tsid, u16 tclass) -{ - return (ssid ^ (tsid<<2) ^ (tclass<<4)) & (AVC_CACHE_SLOTS - 1); -} - -/** - * avc_dump_av - Display an access vector in human-readable form. - * @tclass: target security class - * @av: access vector - */ -static void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av) -{ - const char **perms; - int i, perm; - - if (av == 0) { - audit_log_format(ab, " null"); - return; - } - - perms = secclass_map[tclass-1].perms; - - audit_log_format(ab, " {"); - i = 0; - perm = 1; - while (i < (sizeof(av) * 8)) { - if ((perm & av) && perms[i]) { - audit_log_format(ab, " %s", perms[i]); - av &= ~perm; - } - i++; - perm <<= 1; - } - - if (av) - audit_log_format(ab, " 0x%x", av); - - audit_log_format(ab, " }"); -} - -/** - * avc_dump_query - Display a SID pair and a class in human-readable form. - * @ssid: source security identifier - * @tsid: target security identifier - * @tclass: target security class - */ -static void avc_dump_query(struct audit_buffer *ab, u32 ssid, u32 tsid, u16 tclass) -{ - int rc; - char *scontext; - u32 scontext_len; - - rc = security_sid_to_context(ssid, &scontext, &scontext_len); - if (rc) - audit_log_format(ab, "ssid=%d", ssid); - else { - audit_log_format(ab, "scontext=%s", scontext); - kfree(scontext); - } - - rc = security_sid_to_context(tsid, &scontext, &scontext_len); - if (rc) - audit_log_format(ab, " tsid=%d", tsid); - else { - audit_log_format(ab, " tcontext=%s", scontext); - kfree(scontext); - } - - BUG_ON(tclass >= ARRAY_SIZE(secclass_map)); - audit_log_format(ab, " tclass=%s", secclass_map[tclass-1].name); -} - -/** - * avc_init - Initialize the AVC. - * - * Initialize the access vector cache. - */ -void __init avc_init(void) -{ - int i; - - for (i = 0; i < AVC_CACHE_SLOTS; i++) { - INIT_HLIST_HEAD(&avc_cache.slots[i]); - spin_lock_init(&avc_cache.slots_lock[i]); - } - atomic_set(&avc_cache.active_nodes, 0); - atomic_set(&avc_cache.lru_hint, 0); - - avc_node_cachep = kmem_cache_create("avc_node", sizeof(struct avc_node), - 0, SLAB_PANIC, NULL); - - audit_log(current->audit_context, GFP_KERNEL, AUDIT_KERNEL, "AVC INITIALIZED\n"); -} - -int avc_get_hash_stats(char *page) -{ - int i, chain_len, max_chain_len, slots_used; - struct avc_node *node; - struct hlist_head *head; - - rcu_read_lock(); - - slots_used = 0; - max_chain_len = 0; - for (i = 0; i < AVC_CACHE_SLOTS; i++) { - head = &avc_cache.slots[i]; - if (!hlist_empty(head)) { - struct hlist_node *next; - - slots_used++; - chain_len = 0; - hlist_for_each_entry_rcu(node, next, head, list) - chain_len++; - if (chain_len > max_chain_len) - max_chain_len = chain_len; - } - } - - rcu_read_unlock(); - - return scnprintf(page, PAGE_SIZE, "entries: %d\nbuckets used: %d/%d\n" - "longest chain: %d\n", - atomic_read(&avc_cache.active_nodes), - slots_used, AVC_CACHE_SLOTS, max_chain_len); -} - -static void avc_node_free(struct rcu_head *rhead) -{ - struct avc_node *node = container_of(rhead, struct avc_node, rhead); - kmem_cache_free(avc_node_cachep, node); - avc_cache_stats_incr(frees); -} - -static void avc_node_delete(struct avc_node *node) -{ - hlist_del_rcu(&node->list); - call_rcu(&node->rhead, avc_node_free); - atomic_dec(&avc_cache.active_nodes); -} - -static void avc_node_kill(struct avc_node *node) -{ - kmem_cache_free(avc_node_cachep, node); - avc_cache_stats_incr(frees); - atomic_dec(&avc_cache.active_nodes); -} - -static void avc_node_replace(struct avc_node *new, struct avc_node *old) -{ - hlist_replace_rcu(&old->list, &new->list); - call_rcu(&old->rhead, avc_node_free); - atomic_dec(&avc_cache.active_nodes); -} - -static inline int avc_reclaim_node(void) -{ - struct avc_node *node; - int hvalue, try, ecx; - unsigned long flags; - struct hlist_head *head; - struct hlist_node *next; - spinlock_t *lock; - - for (try = 0, ecx = 0; try < AVC_CACHE_SLOTS; try++) { - hvalue = atomic_inc_return(&avc_cache.lru_hint) & (AVC_CACHE_SLOTS - 1); - head = &avc_cache.slots[hvalue]; - lock = &avc_cache.slots_lock[hvalue]; - - if (!spin_trylock_irqsave(lock, flags)) - continue; - - rcu_read_lock(); - hlist_for_each_entry(node, next, head, list) { - avc_node_delete(node); - avc_cache_stats_incr(reclaims); - ecx++; - if (ecx >= AVC_CACHE_RECLAIM) { - rcu_read_unlock(); - spin_unlock_irqrestore(lock, flags); - goto out; - } - } - rcu_read_unlock(); - spin_unlock_irqrestore(lock, flags); - } -out: - return ecx; -} - -static struct avc_node *avc_alloc_node(void) -{ - struct avc_node *node; - - node = kmem_cache_zalloc(avc_node_cachep, GFP_ATOMIC); - if (!node) - goto out; - - INIT_HLIST_NODE(&node->list); - avc_cache_stats_incr(allocations); - - if (atomic_inc_return(&avc_cache.active_nodes) > avc_cache_threshold) - avc_reclaim_node(); - -out: - return node; -} - -static void avc_node_populate(struct avc_node *node, u32 ssid, u32 tsid, u16 tclass, struct av_decision *avd) -{ - node->ae.ssid = ssid; - node->ae.tsid = tsid; - node->ae.tclass = tclass; - memcpy(&node->ae.avd, avd, sizeof(node->ae.avd)); -} - -static inline struct avc_node *avc_search_node(u32 ssid, u32 tsid, u16 tclass) -{ - struct avc_node *node, *ret = NULL; - int hvalue; - struct hlist_head *head; - struct hlist_node *next; - - hvalue = avc_hash(ssid, tsid, tclass); - head = &avc_cache.slots[hvalue]; - hlist_for_each_entry_rcu(node, next, head, list) { - if (ssid == node->ae.ssid && - tclass == node->ae.tclass && - tsid == node->ae.tsid) { - ret = node; - break; - } - } - - return ret; -} - -/** - * avc_lookup - Look up an AVC entry. - * @ssid: source security identifier - * @tsid: target security identifier - * @tclass: target security class - * - * Look up an AVC entry that is valid for the - * (@ssid, @tsid), interpreting the permissions - * based on @tclass. If a valid AVC entry exists, - * then this function returns the avc_node. - * Otherwise, this function returns NULL. - */ -static struct avc_node *avc_lookup(u32 ssid, u32 tsid, u16 tclass) -{ - struct avc_node *node; - - avc_cache_stats_incr(lookups); - node = avc_search_node(ssid, tsid, tclass); - - if (node) - return node; - - avc_cache_stats_incr(misses); - return NULL; -} - -static int avc_latest_notif_update(int seqno, int is_insert) -{ - int ret = 0; - static DEFINE_SPINLOCK(notif_lock); - unsigned long flag; - - spin_lock_irqsave(¬if_lock, flag); - if (is_insert) { - if (seqno < avc_cache.latest_notif) { - printk(KERN_WARNING "SELinux: avc: seqno %d < latest_notif %d\n", - seqno, avc_cache.latest_notif); - ret = -EAGAIN; - } - } else { - if (seqno > avc_cache.latest_notif) - avc_cache.latest_notif = seqno; - } - spin_unlock_irqrestore(¬if_lock, flag); - - return ret; -} - -/** - * avc_insert - Insert an AVC entry. - * @ssid: source security identifier - * @tsid: target security identifier - * @tclass: target security class - * @avd: resulting av decision - * - * Insert an AVC entry for the SID pair - * (@ssid, @tsid) and class @tclass. - * The access vectors and the sequence number are - * normally provided by the security server in - * response to a security_compute_av() call. If the - * sequence number @avd->seqno is not less than the latest - * revocation notification, then the function copies - * the access vectors into a cache entry, returns - * avc_node inserted. Otherwise, this function returns NULL. - */ -static struct avc_node *avc_insert(u32 ssid, u32 tsid, u16 tclass, struct av_decision *avd) -{ - struct avc_node *pos, *node = NULL; - int hvalue; - unsigned long flag; - - if (avc_latest_notif_update(avd->seqno, 1)) - goto out; - - node = avc_alloc_node(); - if (node) { - struct hlist_head *head; - struct hlist_node *next; - spinlock_t *lock; - - hvalue = avc_hash(ssid, tsid, tclass); - avc_node_populate(node, ssid, tsid, tclass, avd); - - head = &avc_cache.slots[hvalue]; - lock = &avc_cache.slots_lock[hvalue]; - - spin_lock_irqsave(lock, flag); - hlist_for_each_entry(pos, next, head, list) { - if (pos->ae.ssid == ssid && - pos->ae.tsid == tsid && - pos->ae.tclass == tclass) { - avc_node_replace(node, pos); - goto found; - } - } - hlist_add_head_rcu(&node->list, head); -found: - spin_unlock_irqrestore(lock, flag); - } -out: - return node; -} - -/** - * avc_audit_pre_callback - SELinux specific information - * will be called by generic audit code - * @ab: the audit buffer - * @a: audit_data - */ -static void avc_audit_pre_callback(struct audit_buffer *ab, void *a) -{ - struct common_audit_data *ad = a; - audit_log_format(ab, "avc: %s ", - ad->selinux_audit_data->slad->denied ? "denied" : "granted"); - avc_dump_av(ab, ad->selinux_audit_data->slad->tclass, - ad->selinux_audit_data->slad->audited); - audit_log_format(ab, " for "); -} - -/** - * avc_audit_post_callback - SELinux specific information - * will be called by generic audit code - * @ab: the audit buffer - * @a: audit_data - */ -static void avc_audit_post_callback(struct audit_buffer *ab, void *a) -{ - struct common_audit_data *ad = a; - audit_log_format(ab, " "); - avc_dump_query(ab, ad->selinux_audit_data->slad->ssid, - ad->selinux_audit_data->slad->tsid, - ad->selinux_audit_data->slad->tclass); -} - -/* This is the slow part of avc audit with big stack footprint */ -static noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass, - u32 requested, u32 audited, u32 denied, - struct common_audit_data *a, - unsigned flags) -{ - struct common_audit_data stack_data; - struct selinux_audit_data sad = {0,}; - struct selinux_late_audit_data slad; - - if (!a) { - a = &stack_data; - COMMON_AUDIT_DATA_INIT(a, NONE); - a->selinux_audit_data = &sad; - } - - /* - * When in a RCU walk do the audit on the RCU retry. This is because - * the collection of the dname in an inode audit message is not RCU - * safe. Note this may drop some audits when the situation changes - * during retry. However this is logically just as if the operation - * happened a little later. - */ - if ((a->type == LSM_AUDIT_DATA_INODE) && - (flags & MAY_NOT_BLOCK)) - return -ECHILD; - - slad.tclass = tclass; - slad.requested = requested; - slad.ssid = ssid; - slad.tsid = tsid; - slad.audited = audited; - slad.denied = denied; - - a->selinux_audit_data->slad = &slad; - common_lsm_audit(a, avc_audit_pre_callback, avc_audit_post_callback); - return 0; -} - -/** - * avc_audit - Audit the granting or denial of permissions. - * @ssid: source security identifier - * @tsid: target security identifier - * @tclass: target security class - * @requested: requested permissions - * @avd: access vector decisions - * @result: result from avc_has_perm_noaudit - * @a: auxiliary audit data - * @flags: VFS walk flags - * - * Audit the granting or denial of permissions in accordance - * with the policy. This function is typically called by - * avc_has_perm() after a permission check, but can also be - * called directly by callers who use avc_has_perm_noaudit() - * in order to separate the permission check from the auditing. - * For example, this separation is useful when the permission check must - * be performed under a lock, to allow the lock to be released - * before calling the auditing code. - */ -inline int avc_audit(u32 ssid, u32 tsid, - u16 tclass, u32 requested, - struct av_decision *avd, int result, struct common_audit_data *a, - unsigned flags) -{ - u32 denied, audited; - denied = requested & ~avd->allowed; - if (unlikely(denied)) { - audited = denied & avd->auditdeny; - /* - * a->selinux_audit_data->auditdeny is TRICKY! Setting a bit in - * this field means that ANY denials should NOT be audited if - * the policy contains an explicit dontaudit rule for that - * permission. Take notice that this is unrelated to the - * actual permissions that were denied. As an example lets - * assume: - * - * denied == READ - * avd.auditdeny & ACCESS == 0 (not set means explicit rule) - * selinux_audit_data->auditdeny & ACCESS == 1 - * - * We will NOT audit the denial even though the denied - * permission was READ and the auditdeny checks were for - * ACCESS - */ - if (a && - a->selinux_audit_data->auditdeny && - !(a->selinux_audit_data->auditdeny & avd->auditdeny)) - audited = 0; - } else if (result) - audited = denied = requested; - else - audited = requested & avd->auditallow; - if (likely(!audited)) - return 0; - - return slow_avc_audit(ssid, tsid, tclass, - requested, audited, denied, - a, flags); -} - -/** - * avc_add_callback - Register a callback for security events. - * @callback: callback function - * @events: security events - * @ssid: source security identifier or %SECSID_WILD - * @tsid: target security identifier or %SECSID_WILD - * @tclass: target security class - * @perms: permissions - * - * Register a callback function for events in the set @events - * related to the SID pair (@ssid, @tsid) - * and the permissions @perms, interpreting - * @perms based on @tclass. Returns %0 on success or - * -%ENOMEM if insufficient memory exists to add the callback. - */ -int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid, - u16 tclass, u32 perms, - u32 *out_retained), - u32 events, u32 ssid, u32 tsid, - u16 tclass, u32 perms) -{ - struct avc_callback_node *c; - int rc = 0; - - c = kmalloc(sizeof(*c), GFP_ATOMIC); - if (!c) { - rc = -ENOMEM; - goto out; - } - - c->callback = callback; - c->events = events; - c->ssid = ssid; - c->tsid = tsid; - c->perms = perms; - c->next = avc_callbacks; - avc_callbacks = c; -out: - return rc; -} - -static inline int avc_sidcmp(u32 x, u32 y) -{ - return (x == y || x == SECSID_WILD || y == SECSID_WILD); -} - -/** - * avc_update_node Update an AVC entry - * @event : Updating event - * @perms : Permission mask bits - * @ssid,@tsid,@tclass : identifier of an AVC entry - * @seqno : sequence number when decision was made - * - * if a valid AVC entry doesn't exist,this function returns -ENOENT. - * if kmalloc() called internal returns NULL, this function returns -ENOMEM. - * otherwise, this function updates the AVC entry. The original AVC-entry object - * will release later by RCU. - */ -static int avc_update_node(u32 event, u32 perms, u32 ssid, u32 tsid, u16 tclass, - u32 seqno) -{ - int hvalue, rc = 0; - unsigned long flag; - struct avc_node *pos, *node, *orig = NULL; - struct hlist_head *head; - struct hlist_node *next; - spinlock_t *lock; - - node = avc_alloc_node(); - if (!node) { - rc = -ENOMEM; - goto out; - } - - /* Lock the target slot */ - hvalue = avc_hash(ssid, tsid, tclass); - - head = &avc_cache.slots[hvalue]; - lock = &avc_cache.slots_lock[hvalue]; - - spin_lock_irqsave(lock, flag); - - hlist_for_each_entry(pos, next, head, list) { - if (ssid == pos->ae.ssid && - tsid == pos->ae.tsid && - tclass == pos->ae.tclass && - seqno == pos->ae.avd.seqno){ - orig = pos; - break; - } - } - - if (!orig) { - rc = -ENOENT; - avc_node_kill(node); - goto out_unlock; - } - - /* - * Copy and replace original node. - */ - - avc_node_populate(node, ssid, tsid, tclass, &orig->ae.avd); - - switch (event) { - case AVC_CALLBACK_GRANT: - node->ae.avd.allowed |= perms; - break; - case AVC_CALLBACK_TRY_REVOKE: - case AVC_CALLBACK_REVOKE: - node->ae.avd.allowed &= ~perms; - break; - case AVC_CALLBACK_AUDITALLOW_ENABLE: - node->ae.avd.auditallow |= perms; - break; - case AVC_CALLBACK_AUDITALLOW_DISABLE: - node->ae.avd.auditallow &= ~perms; - break; - case AVC_CALLBACK_AUDITDENY_ENABLE: - node->ae.avd.auditdeny |= perms; - break; - case AVC_CALLBACK_AUDITDENY_DISABLE: - node->ae.avd.auditdeny &= ~perms; - break; - } - avc_node_replace(node, orig); -out_unlock: - spin_unlock_irqrestore(lock, flag); -out: - return rc; -} - -/** - * avc_flush - Flush the cache - */ -static void avc_flush(void) -{ - struct hlist_head *head; - struct hlist_node *next; - struct avc_node *node; - spinlock_t *lock; - unsigned long flag; - int i; - - for (i = 0; i < AVC_CACHE_SLOTS; i++) { - head = &avc_cache.slots[i]; - lock = &avc_cache.slots_lock[i]; - - spin_lock_irqsave(lock, flag); - /* - * With preemptable RCU, the outer spinlock does not - * prevent RCU grace periods from ending. - */ - rcu_read_lock(); - hlist_for_each_entry(node, next, head, list) - avc_node_delete(node); - rcu_read_unlock(); - spin_unlock_irqrestore(lock, flag); - } -} - -/** - * avc_ss_reset - Flush the cache and revalidate migrated permissions. - * @seqno: policy sequence number - */ -int avc_ss_reset(u32 seqno) -{ - struct avc_callback_node *c; - int rc = 0, tmprc; - - avc_flush(); - - for (c = avc_callbacks; c; c = c->next) { - if (c->events & AVC_CALLBACK_RESET) { - tmprc = c->callback(AVC_CALLBACK_RESET, - 0, 0, 0, 0, NULL); - /* save the first error encountered for the return - value and continue processing the callbacks */ - if (!rc) - rc = tmprc; - } - } - - avc_latest_notif_update(seqno, 0); - return rc; -} - -/* - * Slow-path helper function for avc_has_perm_noaudit, - * when the avc_node lookup fails. We get called with - * the RCU read lock held, and need to return with it - * still held, but drop if for the security compute. - * - * Don't inline this, since it's the slow-path and just - * results in a bigger stack frame. - */ -static noinline struct avc_node *avc_compute_av(u32 ssid, u32 tsid, - u16 tclass, struct av_decision *avd) -{ - rcu_read_unlock(); - security_compute_av(ssid, tsid, tclass, avd); - rcu_read_lock(); - return avc_insert(ssid, tsid, tclass, avd); -} - -static noinline int avc_denied(u32 ssid, u32 tsid, - u16 tclass, u32 requested, - unsigned flags, - struct av_decision *avd) -{ - if (flags & AVC_STRICT) - return -EACCES; - - if (selinux_enforcing && !(avd->flags & AVD_FLAGS_PERMISSIVE)) - return -EACCES; - - avc_update_node(AVC_CALLBACK_GRANT, requested, ssid, - tsid, tclass, avd->seqno); - return 0; -} - - -/** - * avc_has_perm_noaudit - Check permissions but perform no auditing. - * @ssid: source security identifier - * @tsid: target security identifier - * @tclass: target security class - * @requested: requested permissions, interpreted based on @tclass - * @flags: AVC_STRICT or 0 - * @avd: access vector decisions - * - * Check the AVC to determine whether the @requested permissions are granted - * for the SID pair (@ssid, @tsid), interpreting the permissions - * based on @tclass, and call the security server on a cache miss to obtain - * a new decision and add it to the cache. Return a copy of the decisions - * in @avd. Return %0 if all @requested permissions are granted, - * -%EACCES if any permissions are denied, or another -errno upon - * other errors. This function is typically called by avc_has_perm(), - * but may also be called directly to separate permission checking from - * auditing, e.g. in cases where a lock must be held for the check but - * should be released for the auditing. - */ -inline int avc_has_perm_noaudit(u32 ssid, u32 tsid, - u16 tclass, u32 requested, - unsigned flags, - struct av_decision *avd) -{ - struct avc_node *node; - int rc = 0; - u32 denied; - - BUG_ON(!requested); - - rcu_read_lock(); - - node = avc_lookup(ssid, tsid, tclass); - if (unlikely(!node)) { - node = avc_compute_av(ssid, tsid, tclass, avd); - } else { - memcpy(avd, &node->ae.avd, sizeof(*avd)); - avd = &node->ae.avd; - } - - denied = requested & ~(avd->allowed); - if (unlikely(denied)) - rc = avc_denied(ssid, tsid, tclass, requested, flags, avd); - - rcu_read_unlock(); - return rc; -} - -/** - * avc_has_perm - Check permissions and perform any appropriate auditing. - * @ssid: source security identifier - * @tsid: target security identifier - * @tclass: target security class - * @requested: requested permissions, interpreted based on @tclass - * @auditdata: auxiliary audit data - * @flags: VFS walk flags - * - * Check the AVC to determine whether the @requested permissions are granted - * for the SID pair (@ssid, @tsid), interpreting the permissions - * based on @tclass, and call the security server on a cache miss to obtain - * a new decision and add it to the cache. Audit the granting or denial of - * permissions in accordance with the policy. Return %0 if all @requested - * permissions are granted, -%EACCES if any permissions are denied, or - * another -errno upon other errors. - */ -int avc_has_perm_flags(u32 ssid, u32 tsid, u16 tclass, - u32 requested, struct common_audit_data *auditdata, - unsigned flags) -{ - struct av_decision avd; - int rc, rc2; - - rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, &avd); - - rc2 = avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata, - flags); - if (rc2) - return rc2; - return rc; -} - -u32 avc_policy_seqno(void) -{ - return avc_cache.latest_notif; -} - -void avc_disable(void) -{ - /* - * If you are looking at this because you have realized that we are - * not destroying the avc_node_cachep it might be easy to fix, but - * I don't know the memory barrier semantics well enough to know. It's - * possible that some other task dereferenced security_ops when - * it still pointed to selinux operations. If that is the case it's - * possible that it is about to use the avc and is about to need the - * avc_node_cachep. I know I could wrap the security.c security_ops call - * in an rcu_lock, but seriously, it's not worth it. Instead I just flush - * the cache and get that memory back. - */ - if (avc_node_cachep) { - avc_flush(); - /* kmem_cache_destroy(avc_node_cachep); */ - } -} diff --git a/ANDROID_3.4.5/security/selinux/exports.c b/ANDROID_3.4.5/security/selinux/exports.c deleted file mode 100644 index e75dd94e..00000000 --- a/ANDROID_3.4.5/security/selinux/exports.c +++ /dev/null @@ -1,23 +0,0 @@ -/* - * SELinux services exported to the rest of the kernel. - * - * Author: James Morris <jmorris@redhat.com> - * - * Copyright (C) 2005 Red Hat, Inc., James Morris <jmorris@redhat.com> - * Copyright (C) 2006 Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> - * Copyright (C) 2006 IBM Corporation, Timothy R. Chavez <tinytim@us.ibm.com> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2, - * as published by the Free Software Foundation. - */ -#include <linux/module.h> -#include <linux/selinux.h> - -#include "security.h" - -bool selinux_is_enabled(void) -{ - return selinux_enabled; -} -EXPORT_SYMBOL_GPL(selinux_is_enabled); diff --git a/ANDROID_3.4.5/security/selinux/hooks.c b/ANDROID_3.4.5/security/selinux/hooks.c deleted file mode 100644 index 581b8c71..00000000 --- a/ANDROID_3.4.5/security/selinux/hooks.c +++ /dev/null @@ -1,5923 +0,0 @@ -/* - * NSA Security-Enhanced Linux (SELinux) security module - * - * This file contains the SELinux hook function implementations. - * - * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> - * Chris Vance, <cvance@nai.com> - * Wayne Salamon, <wsalamon@nai.com> - * James Morris <jmorris@redhat.com> - * - * Copyright (C) 2001,2002 Networks Associates Technology, Inc. - * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com> - * Eric Paris <eparis@redhat.com> - * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. - * <dgoeddel@trustedcs.com> - * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P. - * Paul Moore <paul@paul-moore.com> - * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. - * Yuichi Nakamura <ynakam@hitachisoft.jp> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2, - * as published by the Free Software Foundation. - */ - -#include <linux/init.h> -#include <linux/kd.h> -#include <linux/kernel.h> -#include <linux/tracehook.h> -#include <linux/errno.h> -#include <linux/sched.h> -#include <linux/security.h> -#include <linux/xattr.h> -#include <linux/capability.h> -#include <linux/unistd.h> -#include <linux/mm.h> -#include <linux/mman.h> -#include <linux/slab.h> -#include <linux/pagemap.h> -#include <linux/proc_fs.h> -#include <linux/swap.h> -#include <linux/spinlock.h> -#include <linux/syscalls.h> -#include <linux/dcache.h> -#include <linux/file.h> -#include <linux/fdtable.h> -#include <linux/namei.h> -#include <linux/mount.h> -#include <linux/netfilter_ipv4.h> -#include <linux/netfilter_ipv6.h> -#include <linux/tty.h> -#include <net/icmp.h> -#include <net/ip.h> /* for local_port_range[] */ -#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ -#include <net/net_namespace.h> -#include <net/netlabel.h> -#include <linux/uaccess.h> -#include <asm/ioctls.h> -#include <linux/atomic.h> -#include <linux/bitops.h> -#include <linux/interrupt.h> -#include <linux/netdevice.h> /* for network interface checks */ -#include <linux/netlink.h> -#include <linux/tcp.h> -#include <linux/udp.h> -#include <linux/dccp.h> -#include <linux/quota.h> -#include <linux/un.h> /* for Unix socket types */ -#include <net/af_unix.h> /* for Unix socket types */ -#include <linux/parser.h> -#include <linux/nfs_mount.h> -#include <net/ipv6.h> -#include <linux/hugetlb.h> -#include <linux/personality.h> -#include <linux/audit.h> -#include <linux/string.h> -#include <linux/selinux.h> -#include <linux/mutex.h> -#include <linux/posix-timers.h> -#include <linux/syslog.h> -#include <linux/user_namespace.h> -#include <linux/export.h> -#include <linux/msg.h> -#include <linux/shm.h> - -#include "avc.h" -#include "objsec.h" -#include "netif.h" -#include "netnode.h" -#include "netport.h" -#include "xfrm.h" -#include "netlabel.h" -#include "audit.h" -#include "avc_ss.h" - -#define NUM_SEL_MNT_OPTS 5 - -extern struct security_operations *security_ops; - -/* SECMARK reference count */ -static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); - -#ifdef CONFIG_SECURITY_SELINUX_DEVELOP -int selinux_enforcing; - -static int __init enforcing_setup(char *str) -{ - unsigned long enforcing; - if (!strict_strtoul(str, 0, &enforcing)) - selinux_enforcing = enforcing ? 1 : 0; - return 1; -} -__setup("enforcing=", enforcing_setup); -#endif - -#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM -int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; - -static int __init selinux_enabled_setup(char *str) -{ - unsigned long enabled; - if (!strict_strtoul(str, 0, &enabled)) - selinux_enabled = enabled ? 1 : 0; - return 1; -} -__setup("selinux=", selinux_enabled_setup); -#else -int selinux_enabled = 1; -#endif - -static struct kmem_cache *sel_inode_cache; - -/** - * selinux_secmark_enabled - Check to see if SECMARK is currently enabled - * - * Description: - * This function checks the SECMARK reference counter to see if any SECMARK - * targets are currently configured, if the reference counter is greater than - * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is - * enabled, false (0) if SECMARK is disabled. - * - */ -static int selinux_secmark_enabled(void) -{ - return (atomic_read(&selinux_secmark_refcount) > 0); -} - -/* - * initialise the security for the init task - */ -static void cred_init_security(void) -{ - struct cred *cred = (struct cred *) current->real_cred; - struct task_security_struct *tsec; - - tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL); - if (!tsec) - panic("SELinux: Failed to initialize initial task.\n"); - - tsec->osid = tsec->sid = SECINITSID_KERNEL; - cred->security = tsec; -} - -/* - * get the security ID of a set of credentials - */ -static inline u32 cred_sid(const struct cred *cred) -{ - const struct task_security_struct *tsec; - - tsec = cred->security; - return tsec->sid; -} - -/* - * get the objective security ID of a task - */ -static inline u32 task_sid(const struct task_struct *task) -{ - u32 sid; - - rcu_read_lock(); - sid = cred_sid(__task_cred(task)); - rcu_read_unlock(); - return sid; -} - -/* - * get the subjective security ID of the current task - */ -static inline u32 current_sid(void) -{ - const struct task_security_struct *tsec = current_security(); - - return tsec->sid; -} - -/* Allocate and free functions for each kind of security blob. */ - -static int inode_alloc_security(struct inode *inode) -{ - struct inode_security_struct *isec; - u32 sid = current_sid(); - - isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); - if (!isec) - return -ENOMEM; - - mutex_init(&isec->lock); - INIT_LIST_HEAD(&isec->list); - isec->inode = inode; - isec->sid = SECINITSID_UNLABELED; - isec->sclass = SECCLASS_FILE; - isec->task_sid = sid; - inode->i_security = isec; - - return 0; -} - -static void inode_free_security(struct inode *inode) -{ - struct inode_security_struct *isec = inode->i_security; - struct superblock_security_struct *sbsec = inode->i_sb->s_security; - - spin_lock(&sbsec->isec_lock); - if (!list_empty(&isec->list)) - list_del_init(&isec->list); - spin_unlock(&sbsec->isec_lock); - - inode->i_security = NULL; - kmem_cache_free(sel_inode_cache, isec); -} - -static int file_alloc_security(struct file *file) -{ - struct file_security_struct *fsec; - u32 sid = current_sid(); - - fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL); - if (!fsec) - return -ENOMEM; - - fsec->sid = sid; - fsec->fown_sid = sid; - file->f_security = fsec; - - return 0; -} - -static void file_free_security(struct file *file) -{ - struct file_security_struct *fsec = file->f_security; - file->f_security = NULL; - kfree(fsec); -} - -static int superblock_alloc_security(struct super_block *sb) -{ - struct superblock_security_struct *sbsec; - - sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); - if (!sbsec) - return -ENOMEM; - - mutex_init(&sbsec->lock); - INIT_LIST_HEAD(&sbsec->isec_head); - spin_lock_init(&sbsec->isec_lock); - sbsec->sb = sb; - sbsec->sid = SECINITSID_UNLABELED; - sbsec->def_sid = SECINITSID_FILE; - sbsec->mntpoint_sid = SECINITSID_UNLABELED; - sb->s_security = sbsec; - - return 0; -} - -static void superblock_free_security(struct super_block *sb) -{ - struct superblock_security_struct *sbsec = sb->s_security; - sb->s_security = NULL; - kfree(sbsec); -} - -/* The file system's label must be initialized prior to use. */ - -static const char *labeling_behaviors[6] = { - "uses xattr", - "uses transition SIDs", - "uses task SIDs", - "uses genfs_contexts", - "not configured for labeling", - "uses mountpoint labeling", -}; - -static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); - -static inline int inode_doinit(struct inode *inode) -{ - return inode_doinit_with_dentry(inode, NULL); -} - -enum { - Opt_error = -1, - Opt_context = 1, - Opt_fscontext = 2, - Opt_defcontext = 3, - Opt_rootcontext = 4, - Opt_labelsupport = 5, -}; - -static const match_table_t tokens = { - {Opt_context, CONTEXT_STR "%s"}, - {Opt_fscontext, FSCONTEXT_STR "%s"}, - {Opt_defcontext, DEFCONTEXT_STR "%s"}, - {Opt_rootcontext, ROOTCONTEXT_STR "%s"}, - {Opt_labelsupport, LABELSUPP_STR}, - {Opt_error, NULL}, -}; - -#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" - -static int may_context_mount_sb_relabel(u32 sid, - struct superblock_security_struct *sbsec, - const struct cred *cred) -{ - const struct task_security_struct *tsec = cred->security; - int rc; - - rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, - FILESYSTEM__RELABELFROM, NULL); - if (rc) - return rc; - - rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, - FILESYSTEM__RELABELTO, NULL); - return rc; -} - -static int may_context_mount_inode_relabel(u32 sid, - struct superblock_security_struct *sbsec, - const struct cred *cred) -{ - const struct task_security_struct *tsec = cred->security; - int rc; - rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, - FILESYSTEM__RELABELFROM, NULL); - if (rc) - return rc; - - rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, - FILESYSTEM__ASSOCIATE, NULL); - return rc; -} - -static int sb_finish_set_opts(struct super_block *sb) -{ - struct superblock_security_struct *sbsec = sb->s_security; - struct dentry *root = sb->s_root; - struct inode *root_inode = root->d_inode; - int rc = 0; - - if (sbsec->behavior == SECURITY_FS_USE_XATTR) { - /* Make sure that the xattr handler exists and that no - error other than -ENODATA is returned by getxattr on - the root directory. -ENODATA is ok, as this may be - the first boot of the SELinux kernel before we have - assigned xattr values to the filesystem. */ - if (!root_inode->i_op->getxattr) { - printk(KERN_WARNING "SELinux: (dev %s, type %s) has no " - "xattr support\n", sb->s_id, sb->s_type->name); - rc = -EOPNOTSUPP; - goto out; - } - rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0); - if (rc < 0 && rc != -ENODATA) { - if (rc == -EOPNOTSUPP) - printk(KERN_WARNING "SELinux: (dev %s, type " - "%s) has no security xattr handler\n", - sb->s_id, sb->s_type->name); - else - printk(KERN_WARNING "SELinux: (dev %s, type " - "%s) getxattr errno %d\n", sb->s_id, - sb->s_type->name, -rc); - goto out; - } - } - - sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP); - - if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) - printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n", - sb->s_id, sb->s_type->name); - else - printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n", - sb->s_id, sb->s_type->name, - labeling_behaviors[sbsec->behavior-1]); - - if (sbsec->behavior == SECURITY_FS_USE_GENFS || - sbsec->behavior == SECURITY_FS_USE_MNTPOINT || - sbsec->behavior == SECURITY_FS_USE_NONE || - sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) - sbsec->flags &= ~SE_SBLABELSUPP; - - /* Special handling for sysfs. Is genfs but also has setxattr handler*/ - if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0) - sbsec->flags |= SE_SBLABELSUPP; - - /* Initialize the root inode. */ - rc = inode_doinit_with_dentry(root_inode, root); - - /* Initialize any other inodes associated with the superblock, e.g. - inodes created prior to initial policy load or inodes created - during get_sb by a pseudo filesystem that directly - populates itself. */ - spin_lock(&sbsec->isec_lock); -next_inode: - if (!list_empty(&sbsec->isec_head)) { - struct inode_security_struct *isec = - list_entry(sbsec->isec_head.next, - struct inode_security_struct, list); - struct inode *inode = isec->inode; - spin_unlock(&sbsec->isec_lock); - inode = igrab(inode); - if (inode) { - if (!IS_PRIVATE(inode)) - inode_doinit(inode); - iput(inode); - } - spin_lock(&sbsec->isec_lock); - list_del_init(&isec->list); - goto next_inode; - } - spin_unlock(&sbsec->isec_lock); -out: - return rc; -} - -/* - * This function should allow an FS to ask what it's mount security - * options were so it can use those later for submounts, displaying - * mount options, or whatever. - */ -static int selinux_get_mnt_opts(const struct super_block *sb, - struct security_mnt_opts *opts) -{ - int rc = 0, i; - struct superblock_security_struct *sbsec = sb->s_security; - char *context = NULL; - u32 len; - char tmp; - - security_init_mnt_opts(opts); - - if (!(sbsec->flags & SE_SBINITIALIZED)) - return -EINVAL; - - if (!ss_initialized) - return -EINVAL; - - tmp = sbsec->flags & SE_MNTMASK; - /* count the number of mount options for this sb */ - for (i = 0; i < 8; i++) { - if (tmp & 0x01) - opts->num_mnt_opts++; - tmp >>= 1; - } - /* Check if the Label support flag is set */ - if (sbsec->flags & SE_SBLABELSUPP) - opts->num_mnt_opts++; - - opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC); - if (!opts->mnt_opts) { - rc = -ENOMEM; - goto out_free; - } - - opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC); - if (!opts->mnt_opts_flags) { - rc = -ENOMEM; - goto out_free; - } - - i = 0; - if (sbsec->flags & FSCONTEXT_MNT) { - rc = security_sid_to_context(sbsec->sid, &context, &len); - if (rc) - goto out_free; - opts->mnt_opts[i] = context; - opts->mnt_opts_flags[i++] = FSCONTEXT_MNT; - } - if (sbsec->flags & CONTEXT_MNT) { - rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len); - if (rc) - goto out_free; - opts->mnt_opts[i] = context; - opts->mnt_opts_flags[i++] = CONTEXT_MNT; - } - if (sbsec->flags & DEFCONTEXT_MNT) { - rc = security_sid_to_context(sbsec->def_sid, &context, &len); - if (rc) - goto out_free; - opts->mnt_opts[i] = context; - opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT; - } - if (sbsec->flags & ROOTCONTEXT_MNT) { - struct inode *root = sbsec->sb->s_root->d_inode; - struct inode_security_struct *isec = root->i_security; - - rc = security_sid_to_context(isec->sid, &context, &len); - if (rc) - goto out_free; - opts->mnt_opts[i] = context; - opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT; - } - if (sbsec->flags & SE_SBLABELSUPP) { - opts->mnt_opts[i] = NULL; - opts->mnt_opts_flags[i++] = SE_SBLABELSUPP; - } - - BUG_ON(i != opts->num_mnt_opts); - - return 0; - -out_free: - security_free_mnt_opts(opts); - return rc; -} - -static int bad_option(struct superblock_security_struct *sbsec, char flag, - u32 old_sid, u32 new_sid) -{ - char mnt_flags = sbsec->flags & SE_MNTMASK; - - /* check if the old mount command had the same options */ - if (sbsec->flags & SE_SBINITIALIZED) - if (!(sbsec->flags & flag) || - (old_sid != new_sid)) - return 1; - - /* check if we were passed the same options twice, - * aka someone passed context=a,context=b - */ - if (!(sbsec->flags & SE_SBINITIALIZED)) - if (mnt_flags & flag) - return 1; - return 0; -} - -/* - * Allow filesystems with binary mount data to explicitly set mount point - * labeling information. - */ -static int selinux_set_mnt_opts(struct super_block *sb, - struct security_mnt_opts *opts) -{ - const struct cred *cred = current_cred(); - int rc = 0, i; - struct superblock_security_struct *sbsec = sb->s_security; - const char *name = sb->s_type->name; - struct inode *inode = sbsec->sb->s_root->d_inode; - struct inode_security_struct *root_isec = inode->i_security; - u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; - u32 defcontext_sid = 0; - char **mount_options = opts->mnt_opts; - int *flags = opts->mnt_opts_flags; - int num_opts = opts->num_mnt_opts; - - mutex_lock(&sbsec->lock); - - if (!ss_initialized) { - if (!num_opts) { - /* Defer initialization until selinux_complete_init, - after the initial policy is loaded and the security - server is ready to handle calls. */ - goto out; - } - rc = -EINVAL; - printk(KERN_WARNING "SELinux: Unable to set superblock options " - "before the security server is initialized\n"); - goto out; - } - - /* - * Binary mount data FS will come through this function twice. Once - * from an explicit call and once from the generic calls from the vfs. - * Since the generic VFS calls will not contain any security mount data - * we need to skip the double mount verification. - * - * This does open a hole in which we will not notice if the first - * mount using this sb set explict options and a second mount using - * this sb does not set any security options. (The first options - * will be used for both mounts) - */ - if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) - && (num_opts == 0)) - goto out; - - /* - * parse the mount options, check if they are valid sids. - * also check if someone is trying to mount the same sb more - * than once with different security options. - */ - for (i = 0; i < num_opts; i++) { - u32 sid; - - if (flags[i] == SE_SBLABELSUPP) - continue; - rc = security_context_to_sid(mount_options[i], - strlen(mount_options[i]), &sid); - if (rc) { - printk(KERN_WARNING "SELinux: security_context_to_sid" - "(%s) failed for (dev %s, type %s) errno=%d\n", - mount_options[i], sb->s_id, name, rc); - goto out; - } - switch (flags[i]) { - case FSCONTEXT_MNT: - fscontext_sid = sid; - - if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, - fscontext_sid)) - goto out_double_mount; - - sbsec->flags |= FSCONTEXT_MNT; - break; - case CONTEXT_MNT: - context_sid = sid; - - if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, - context_sid)) - goto out_double_mount; - - sbsec->flags |= CONTEXT_MNT; - break; - case ROOTCONTEXT_MNT: - rootcontext_sid = sid; - - if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, - rootcontext_sid)) - goto out_double_mount; - - sbsec->flags |= ROOTCONTEXT_MNT; - - break; - case DEFCONTEXT_MNT: - defcontext_sid = sid; - - if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, - defcontext_sid)) - goto out_double_mount; - - sbsec->flags |= DEFCONTEXT_MNT; - - break; - default: - rc = -EINVAL; - goto out; - } - } - - if (sbsec->flags & SE_SBINITIALIZED) { - /* previously mounted with options, but not on this attempt? */ - if ((sbsec->flags & SE_MNTMASK) && !num_opts) - goto out_double_mount; - rc = 0; - goto out; - } - - if (strcmp(sb->s_type->name, "proc") == 0) - sbsec->flags |= SE_SBPROC; - - /* Determine the labeling behavior to use for this filesystem type. */ - rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid); - if (rc) { - printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n", - __func__, sb->s_type->name, rc); - goto out; - } - - /* sets the context of the superblock for the fs being mounted. */ - if (fscontext_sid) { - rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); - if (rc) - goto out; - - sbsec->sid = fscontext_sid; - } - - /* - * Switch to using mount point labeling behavior. - * sets the label used on all file below the mountpoint, and will set - * the superblock context if not already set. - */ - if (context_sid) { - if (!fscontext_sid) { - rc = may_context_mount_sb_relabel(context_sid, sbsec, - cred); - if (rc) - goto out; - sbsec->sid = context_sid; - } else { - rc = may_context_mount_inode_relabel(context_sid, sbsec, - cred); - if (rc) - goto out; - } - if (!rootcontext_sid) - rootcontext_sid = context_sid; - - sbsec->mntpoint_sid = context_sid; - sbsec->behavior = SECURITY_FS_USE_MNTPOINT; - } - - if (rootcontext_sid) { - rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, - cred); - if (rc) - goto out; - - root_isec->sid = rootcontext_sid; - root_isec->initialized = 1; - } - - if (defcontext_sid) { - if (sbsec->behavior != SECURITY_FS_USE_XATTR) { - rc = -EINVAL; - printk(KERN_WARNING "SELinux: defcontext option is " - "invalid for this filesystem type\n"); - goto out; - } - - if (defcontext_sid != sbsec->def_sid) { - rc = may_context_mount_inode_relabel(defcontext_sid, - sbsec, cred); - if (rc) - goto out; - } - - sbsec->def_sid = defcontext_sid; - } - - rc = sb_finish_set_opts(sb); -out: - mutex_unlock(&sbsec->lock); - return rc; -out_double_mount: - rc = -EINVAL; - printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different " - "security settings for (dev %s, type %s)\n", sb->s_id, name); - goto out; -} - -static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb, - struct super_block *newsb) -{ - const struct superblock_security_struct *oldsbsec = oldsb->s_security; - struct superblock_security_struct *newsbsec = newsb->s_security; - - int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); - int set_context = (oldsbsec->flags & CONTEXT_MNT); - int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); - - /* - * if the parent was able to be mounted it clearly had no special lsm - * mount options. thus we can safely deal with this superblock later - */ - if (!ss_initialized) - return; - - /* how can we clone if the old one wasn't set up?? */ - BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); - - /* if fs is reusing a sb, just let its options stand... */ - if (newsbsec->flags & SE_SBINITIALIZED) - return; - - mutex_lock(&newsbsec->lock); - - newsbsec->flags = oldsbsec->flags; - - newsbsec->sid = oldsbsec->sid; - newsbsec->def_sid = oldsbsec->def_sid; - newsbsec->behavior = oldsbsec->behavior; - - if (set_context) { - u32 sid = oldsbsec->mntpoint_sid; - - if (!set_fscontext) - newsbsec->sid = sid; - if (!set_rootcontext) { - struct inode *newinode = newsb->s_root->d_inode; - struct inode_security_struct *newisec = newinode->i_security; - newisec->sid = sid; - } - newsbsec->mntpoint_sid = sid; - } - if (set_rootcontext) { - const struct inode *oldinode = oldsb->s_root->d_inode; - const struct inode_security_struct *oldisec = oldinode->i_security; - struct inode *newinode = newsb->s_root->d_inode; - struct inode_security_struct *newisec = newinode->i_security; - - newisec->sid = oldisec->sid; - } - - sb_finish_set_opts(newsb); - mutex_unlock(&newsbsec->lock); -} - -static int selinux_parse_opts_str(char *options, - struct security_mnt_opts *opts) -{ - char *p; - char *context = NULL, *defcontext = NULL; - char *fscontext = NULL, *rootcontext = NULL; - int rc, num_mnt_opts = 0; - - opts->num_mnt_opts = 0; - - /* Standard string-based options. */ - while ((p = strsep(&options, "|")) != NULL) { - int token; - substring_t args[MAX_OPT_ARGS]; - - if (!*p) - continue; - - token = match_token(p, tokens, args); - - switch (token) { - case Opt_context: - if (context || defcontext) { - rc = -EINVAL; - printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); - goto out_err; - } - context = match_strdup(&args[0]); - if (!context) { - rc = -ENOMEM; - goto out_err; - } - break; - - case Opt_fscontext: - if (fscontext) { - rc = -EINVAL; - printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); - goto out_err; - } - fscontext = match_strdup(&args[0]); - if (!fscontext) { - rc = -ENOMEM; - goto out_err; - } - break; - - case Opt_rootcontext: - if (rootcontext) { - rc = -EINVAL; - printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); - goto out_err; - } - rootcontext = match_strdup(&args[0]); - if (!rootcontext) { - rc = -ENOMEM; - goto out_err; - } - break; - - case Opt_defcontext: - if (context || defcontext) { - rc = -EINVAL; - printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); - goto out_err; - } - defcontext = match_strdup(&args[0]); - if (!defcontext) { - rc = -ENOMEM; - goto out_err; - } - break; - case Opt_labelsupport: - break; - default: - rc = -EINVAL; - printk(KERN_WARNING "SELinux: unknown mount option\n"); - goto out_err; - - } - } - - rc = -ENOMEM; - opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC); - if (!opts->mnt_opts) - goto out_err; - - opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC); - if (!opts->mnt_opts_flags) { - kfree(opts->mnt_opts); - goto out_err; - } - - if (fscontext) { - opts->mnt_opts[num_mnt_opts] = fscontext; - opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT; - } - if (context) { - opts->mnt_opts[num_mnt_opts] = context; - opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT; - } - if (rootcontext) { - opts->mnt_opts[num_mnt_opts] = rootcontext; - opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT; - } - if (defcontext) { - opts->mnt_opts[num_mnt_opts] = defcontext; - opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT; - } - - opts->num_mnt_opts = num_mnt_opts; - return 0; - -out_err: - kfree(context); - kfree(defcontext); - kfree(fscontext); - kfree(rootcontext); - return rc; -} -/* - * string mount options parsing and call set the sbsec - */ -static int superblock_doinit(struct super_block *sb, void *data) -{ - int rc = 0; - char *options = data; - struct security_mnt_opts opts; - - security_init_mnt_opts(&opts); - - if (!data) - goto out; - - BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA); - - rc = selinux_parse_opts_str(options, &opts); - if (rc) - goto out_err; - -out: - rc = selinux_set_mnt_opts(sb, &opts); - -out_err: - security_free_mnt_opts(&opts); - return rc; -} - -static void selinux_write_opts(struct seq_file *m, - struct security_mnt_opts *opts) -{ - int i; - char *prefix; - - for (i = 0; i < opts->num_mnt_opts; i++) { - char *has_comma; - - if (opts->mnt_opts[i]) - has_comma = strchr(opts->mnt_opts[i], ','); - else - has_comma = NULL; - - switch (opts->mnt_opts_flags[i]) { - case CONTEXT_MNT: - prefix = CONTEXT_STR; - break; - case FSCONTEXT_MNT: - prefix = FSCONTEXT_STR; - break; - case ROOTCONTEXT_MNT: - prefix = ROOTCONTEXT_STR; - break; - case DEFCONTEXT_MNT: - prefix = DEFCONTEXT_STR; - break; - case SE_SBLABELSUPP: - seq_putc(m, ','); - seq_puts(m, LABELSUPP_STR); - continue; - default: - BUG(); - return; - }; - /* we need a comma before each option */ - seq_putc(m, ','); - seq_puts(m, prefix); - if (has_comma) - seq_putc(m, '\"'); - seq_puts(m, opts->mnt_opts[i]); - if (has_comma) - seq_putc(m, '\"'); - } -} - -static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) -{ - struct security_mnt_opts opts; - int rc; - - rc = selinux_get_mnt_opts(sb, &opts); - if (rc) { - /* before policy load we may get EINVAL, don't show anything */ - if (rc == -EINVAL) - rc = 0; - return rc; - } - - selinux_write_opts(m, &opts); - - security_free_mnt_opts(&opts); - - return rc; -} - -static inline u16 inode_mode_to_security_class(umode_t mode) -{ - switch (mode & S_IFMT) { - case S_IFSOCK: - return SECCLASS_SOCK_FILE; - case S_IFLNK: - return SECCLASS_LNK_FILE; - case S_IFREG: - return SECCLASS_FILE; - case S_IFBLK: - return SECCLASS_BLK_FILE; - case S_IFDIR: - return SECCLASS_DIR; - case S_IFCHR: - return SECCLASS_CHR_FILE; - case S_IFIFO: - return SECCLASS_FIFO_FILE; - - } - - return SECCLASS_FILE; -} - -static inline int default_protocol_stream(int protocol) -{ - return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP); -} - -static inline int default_protocol_dgram(int protocol) -{ - return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); -} - -static inline u16 socket_type_to_security_class(int family, int type, int protocol) -{ - switch (family) { - case PF_UNIX: - switch (type) { - case SOCK_STREAM: - case SOCK_SEQPACKET: - return SECCLASS_UNIX_STREAM_SOCKET; - case SOCK_DGRAM: - return SECCLASS_UNIX_DGRAM_SOCKET; - } - break; - case PF_INET: - case PF_INET6: - switch (type) { - case SOCK_STREAM: - if (default_protocol_stream(protocol)) - return SECCLASS_TCP_SOCKET; - else - return SECCLASS_RAWIP_SOCKET; - case SOCK_DGRAM: - if (default_protocol_dgram(protocol)) - return SECCLASS_UDP_SOCKET; - else - return SECCLASS_RAWIP_SOCKET; - case SOCK_DCCP: - return SECCLASS_DCCP_SOCKET; - default: - return SECCLASS_RAWIP_SOCKET; - } - break; - case PF_NETLINK: - switch (protocol) { - case NETLINK_ROUTE: - return SECCLASS_NETLINK_ROUTE_SOCKET; - case NETLINK_FIREWALL: - return SECCLASS_NETLINK_FIREWALL_SOCKET; - case NETLINK_SOCK_DIAG: - return SECCLASS_NETLINK_TCPDIAG_SOCKET; - case NETLINK_NFLOG: - return SECCLASS_NETLINK_NFLOG_SOCKET; - case NETLINK_XFRM: - return SECCLASS_NETLINK_XFRM_SOCKET; - case NETLINK_SELINUX: - return SECCLASS_NETLINK_SELINUX_SOCKET; - case NETLINK_AUDIT: - return SECCLASS_NETLINK_AUDIT_SOCKET; - case NETLINK_IP6_FW: - return SECCLASS_NETLINK_IP6FW_SOCKET; - case NETLINK_DNRTMSG: - return SECCLASS_NETLINK_DNRT_SOCKET; - case NETLINK_KOBJECT_UEVENT: - return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; - default: - return SECCLASS_NETLINK_SOCKET; - } - case PF_PACKET: - return SECCLASS_PACKET_SOCKET; - case PF_KEY: - return SECCLASS_KEY_SOCKET; - case PF_APPLETALK: - return SECCLASS_APPLETALK_SOCKET; - } - - return SECCLASS_SOCKET; -} - -#ifdef CONFIG_PROC_FS -static int selinux_proc_get_sid(struct dentry *dentry, - u16 tclass, - u32 *sid) -{ - int rc; - char *buffer, *path; - - buffer = (char *)__get_free_page(GFP_KERNEL); - if (!buffer) - return -ENOMEM; - - path = dentry_path_raw(dentry, buffer, PAGE_SIZE); - if (IS_ERR(path)) - rc = PTR_ERR(path); - else { - /* each process gets a /proc/PID/ entry. Strip off the - * PID part to get a valid selinux labeling. - * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ - while (path[1] >= '0' && path[1] <= '9') { - path[1] = '/'; - path++; - } - rc = security_genfs_sid("proc", path, tclass, sid); - } - free_page((unsigned long)buffer); - return rc; -} -#else -static int selinux_proc_get_sid(struct dentry *dentry, - u16 tclass, - u32 *sid) -{ - return -EINVAL; -} -#endif - -/* The inode's security attributes must be initialized before first use. */ -static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) -{ - struct superblock_security_struct *sbsec = NULL; - struct inode_security_struct *isec = inode->i_security; - u32 sid; - struct dentry *dentry; -#define INITCONTEXTLEN 255 - char *context = NULL; - unsigned len = 0; - int rc = 0; - - if (isec->initialized) - goto out; - - mutex_lock(&isec->lock); - if (isec->initialized) - goto out_unlock; - - sbsec = inode->i_sb->s_security; - if (!(sbsec->flags & SE_SBINITIALIZED)) { - /* Defer initialization until selinux_complete_init, - after the initial policy is loaded and the security - server is ready to handle calls. */ - spin_lock(&sbsec->isec_lock); - if (list_empty(&isec->list)) - list_add(&isec->list, &sbsec->isec_head); - spin_unlock(&sbsec->isec_lock); - goto out_unlock; - } - - switch (sbsec->behavior) { - case SECURITY_FS_USE_XATTR: - if (!inode->i_op->getxattr) { - isec->sid = sbsec->def_sid; - break; - } - - /* Need a dentry, since the xattr API requires one. - Life would be simpler if we could just pass the inode. */ - if (opt_dentry) { - /* Called from d_instantiate or d_splice_alias. */ - dentry = dget(opt_dentry); - } else { - /* Called from selinux_complete_init, try to find a dentry. */ - dentry = d_find_alias(inode); - } - if (!dentry) { - /* - * this is can be hit on boot when a file is accessed - * before the policy is loaded. When we load policy we - * may find inodes that have no dentry on the - * sbsec->isec_head list. No reason to complain as these - * will get fixed up the next time we go through - * inode_doinit with a dentry, before these inodes could - * be used again by userspace. - */ - goto out_unlock; - } - - len = INITCONTEXTLEN; - context = kmalloc(len+1, GFP_NOFS); - if (!context) { - rc = -ENOMEM; - dput(dentry); - goto out_unlock; - } - context[len] = '\0'; - rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, - context, len); - if (rc == -ERANGE) { - kfree(context); - - /* Need a larger buffer. Query for the right size. */ - rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, - NULL, 0); - if (rc < 0) { - dput(dentry); - goto out_unlock; - } - len = rc; - context = kmalloc(len+1, GFP_NOFS); - if (!context) { - rc = -ENOMEM; - dput(dentry); - goto out_unlock; - } - context[len] = '\0'; - rc = inode->i_op->getxattr(dentry, - XATTR_NAME_SELINUX, - context, len); - } - dput(dentry); - if (rc < 0) { - if (rc != -ENODATA) { - printk(KERN_WARNING "SELinux: %s: getxattr returned " - "%d for dev=%s ino=%ld\n", __func__, - -rc, inode->i_sb->s_id, inode->i_ino); - kfree(context); - goto out_unlock; - } - /* Map ENODATA to the default file SID */ - sid = sbsec->def_sid; - rc = 0; - } else { - rc = security_context_to_sid_default(context, rc, &sid, - sbsec->def_sid, - GFP_NOFS); - if (rc) { - char *dev = inode->i_sb->s_id; - unsigned long ino = inode->i_ino; - - if (rc == -EINVAL) { - if (printk_ratelimit()) - printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid " - "context=%s. This indicates you may need to relabel the inode or the " - "filesystem in question.\n", ino, dev, context); - } else { - printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) " - "returned %d for dev=%s ino=%ld\n", - __func__, context, -rc, dev, ino); - } - kfree(context); - /* Leave with the unlabeled SID */ - rc = 0; - break; - } - } - kfree(context); - isec->sid = sid; - break; - case SECURITY_FS_USE_TASK: - isec->sid = isec->task_sid; - break; - case SECURITY_FS_USE_TRANS: - /* Default to the fs SID. */ - isec->sid = sbsec->sid; - - /* Try to obtain a transition SID. */ - isec->sclass = inode_mode_to_security_class(inode->i_mode); - rc = security_transition_sid(isec->task_sid, sbsec->sid, - isec->sclass, NULL, &sid); - if (rc) - goto out_unlock; - isec->sid = sid; - break; - case SECURITY_FS_USE_MNTPOINT: - isec->sid = sbsec->mntpoint_sid; - break; - default: - /* Default to the fs superblock SID. */ - isec->sid = sbsec->sid; - - if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) { - if (opt_dentry) { - isec->sclass = inode_mode_to_security_class(inode->i_mode); - rc = selinux_proc_get_sid(opt_dentry, - isec->sclass, - &sid); - if (rc) - goto out_unlock; - isec->sid = sid; - } - } - break; - } - - isec->initialized = 1; - -out_unlock: - mutex_unlock(&isec->lock); -out: - if (isec->sclass == SECCLASS_FILE) - isec->sclass = inode_mode_to_security_class(inode->i_mode); - return rc; -} - -/* Convert a Linux signal to an access vector. */ -static inline u32 signal_to_av(int sig) -{ - u32 perm = 0; - - switch (sig) { - case SIGCHLD: - /* Commonly granted from child to parent. */ - perm = PROCESS__SIGCHLD; - break; - case SIGKILL: - /* Cannot be caught or ignored */ - perm = PROCESS__SIGKILL; - break; - case SIGSTOP: - /* Cannot be caught or ignored */ - perm = PROCESS__SIGSTOP; - break; - default: - /* All other signals. */ - perm = PROCESS__SIGNAL; - break; - } - - return perm; -} - -/* - * Check permission between a pair of credentials - * fork check, ptrace check, etc. - */ -static int cred_has_perm(const struct cred *actor, - const struct cred *target, - u32 perms) -{ - u32 asid = cred_sid(actor), tsid = cred_sid(target); - - return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL); -} - -/* - * Check permission between a pair of tasks, e.g. signal checks, - * fork check, ptrace check, etc. - * tsk1 is the actor and tsk2 is the target - * - this uses the default subjective creds of tsk1 - */ -static int task_has_perm(const struct task_struct *tsk1, - const struct task_struct *tsk2, - u32 perms) -{ - const struct task_security_struct *__tsec1, *__tsec2; - u32 sid1, sid2; - - rcu_read_lock(); - __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid; - __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid; - rcu_read_unlock(); - return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL); -} - -/* - * Check permission between current and another task, e.g. signal checks, - * fork check, ptrace check, etc. - * current is the actor and tsk2 is the target - * - this uses current's subjective creds - */ -static int current_has_perm(const struct task_struct *tsk, - u32 perms) -{ - u32 sid, tsid; - - sid = current_sid(); - tsid = task_sid(tsk); - return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL); -} - -#if CAP_LAST_CAP > 63 -#error Fix SELinux to handle capabilities > 63. -#endif - -/* Check whether a task is allowed to use a capability. */ -static int cred_has_capability(const struct cred *cred, - int cap, int audit) -{ - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - struct av_decision avd; - u16 sclass; - u32 sid = cred_sid(cred); - u32 av = CAP_TO_MASK(cap); - int rc; - - COMMON_AUDIT_DATA_INIT(&ad, CAP); - ad.selinux_audit_data = &sad; - ad.tsk = current; - ad.u.cap = cap; - - switch (CAP_TO_INDEX(cap)) { - case 0: - sclass = SECCLASS_CAPABILITY; - break; - case 1: - sclass = SECCLASS_CAPABILITY2; - break; - default: - printk(KERN_ERR - "SELinux: out of range capability %d\n", cap); - BUG(); - return -EINVAL; - } - - rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); - if (audit == SECURITY_CAP_AUDIT) { - int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0); - if (rc2) - return rc2; - } - return rc; -} - -/* Check whether a task is allowed to use a system operation. */ -static int task_has_system(struct task_struct *tsk, - u32 perms) -{ - u32 sid = task_sid(tsk); - - return avc_has_perm(sid, SECINITSID_KERNEL, - SECCLASS_SYSTEM, perms, NULL); -} - -/* Check whether a task has a particular permission to an inode. - The 'adp' parameter is optional and allows other audit - data to be passed (e.g. the dentry). */ -static int inode_has_perm(const struct cred *cred, - struct inode *inode, - u32 perms, - struct common_audit_data *adp, - unsigned flags) -{ - struct inode_security_struct *isec; - u32 sid; - - validate_creds(cred); - - if (unlikely(IS_PRIVATE(inode))) - return 0; - - sid = cred_sid(cred); - isec = inode->i_security; - - return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags); -} - -static int inode_has_perm_noadp(const struct cred *cred, - struct inode *inode, - u32 perms, - unsigned flags) -{ - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - - COMMON_AUDIT_DATA_INIT(&ad, INODE); - ad.u.inode = inode; - ad.selinux_audit_data = &sad; - return inode_has_perm(cred, inode, perms, &ad, flags); -} - -/* Same as inode_has_perm, but pass explicit audit data containing - the dentry to help the auditing code to more easily generate the - pathname if needed. */ -static inline int dentry_has_perm(const struct cred *cred, - struct dentry *dentry, - u32 av) -{ - struct inode *inode = dentry->d_inode; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - - COMMON_AUDIT_DATA_INIT(&ad, DENTRY); - ad.u.dentry = dentry; - ad.selinux_audit_data = &sad; - return inode_has_perm(cred, inode, av, &ad, 0); -} - -/* Same as inode_has_perm, but pass explicit audit data containing - the path to help the auditing code to more easily generate the - pathname if needed. */ -static inline int path_has_perm(const struct cred *cred, - struct path *path, - u32 av) -{ - struct inode *inode = path->dentry->d_inode; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - - COMMON_AUDIT_DATA_INIT(&ad, PATH); - ad.u.path = *path; - ad.selinux_audit_data = &sad; - return inode_has_perm(cred, inode, av, &ad, 0); -} - -/* Check whether a task can use an open file descriptor to - access an inode in a given way. Check access to the - descriptor itself, and then use dentry_has_perm to - check a particular permission to the file. - Access to the descriptor is implicitly granted if it - has the same SID as the process. If av is zero, then - access to the file is not checked, e.g. for cases - where only the descriptor is affected like seek. */ -static int file_has_perm(const struct cred *cred, - struct file *file, - u32 av) -{ - struct file_security_struct *fsec = file->f_security; - struct inode *inode = file->f_path.dentry->d_inode; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - u32 sid = cred_sid(cred); - int rc; - - COMMON_AUDIT_DATA_INIT(&ad, PATH); - ad.u.path = file->f_path; - ad.selinux_audit_data = &sad; - - if (sid != fsec->sid) { - rc = avc_has_perm(sid, fsec->sid, - SECCLASS_FD, - FD__USE, - &ad); - if (rc) - goto out; - } - - /* av is zero if only checking access to the descriptor. */ - rc = 0; - if (av) - rc = inode_has_perm(cred, inode, av, &ad, 0); - -out: - return rc; -} - -/* Check whether a task can create a file. */ -static int may_create(struct inode *dir, - struct dentry *dentry, - u16 tclass) -{ - const struct task_security_struct *tsec = current_security(); - struct inode_security_struct *dsec; - struct superblock_security_struct *sbsec; - u32 sid, newsid; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - int rc; - - dsec = dir->i_security; - sbsec = dir->i_sb->s_security; - - sid = tsec->sid; - newsid = tsec->create_sid; - - COMMON_AUDIT_DATA_INIT(&ad, DENTRY); - ad.u.dentry = dentry; - ad.selinux_audit_data = &sad; - - rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, - DIR__ADD_NAME | DIR__SEARCH, - &ad); - if (rc) - return rc; - - if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) { - rc = security_transition_sid(sid, dsec->sid, tclass, - &dentry->d_name, &newsid); - if (rc) - return rc; - } - - rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad); - if (rc) - return rc; - - return avc_has_perm(newsid, sbsec->sid, - SECCLASS_FILESYSTEM, - FILESYSTEM__ASSOCIATE, &ad); -} - -/* Check whether a task can create a key. */ -static int may_create_key(u32 ksid, - struct task_struct *ctx) -{ - u32 sid = task_sid(ctx); - - return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL); -} - -#define MAY_LINK 0 -#define MAY_UNLINK 1 -#define MAY_RMDIR 2 - -/* Check whether a task can link, unlink, or rmdir a file/directory. */ -static int may_link(struct inode *dir, - struct dentry *dentry, - int kind) - -{ - struct inode_security_struct *dsec, *isec; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - u32 sid = current_sid(); - u32 av; - int rc; - - dsec = dir->i_security; - isec = dentry->d_inode->i_security; - - COMMON_AUDIT_DATA_INIT(&ad, DENTRY); - ad.u.dentry = dentry; - ad.selinux_audit_data = &sad; - - av = DIR__SEARCH; - av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); - rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad); - if (rc) - return rc; - - switch (kind) { - case MAY_LINK: - av = FILE__LINK; - break; - case MAY_UNLINK: - av = FILE__UNLINK; - break; - case MAY_RMDIR: - av = DIR__RMDIR; - break; - default: - printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n", - __func__, kind); - return 0; - } - - rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad); - return rc; -} - -static inline int may_rename(struct inode *old_dir, - struct dentry *old_dentry, - struct inode *new_dir, - struct dentry *new_dentry) -{ - struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - u32 sid = current_sid(); - u32 av; - int old_is_dir, new_is_dir; - int rc; - - old_dsec = old_dir->i_security; - old_isec = old_dentry->d_inode->i_security; - old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode); - new_dsec = new_dir->i_security; - - COMMON_AUDIT_DATA_INIT(&ad, DENTRY); - ad.selinux_audit_data = &sad; - - ad.u.dentry = old_dentry; - rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, - DIR__REMOVE_NAME | DIR__SEARCH, &ad); - if (rc) - return rc; - rc = avc_has_perm(sid, old_isec->sid, - old_isec->sclass, FILE__RENAME, &ad); - if (rc) - return rc; - if (old_is_dir && new_dir != old_dir) { - rc = avc_has_perm(sid, old_isec->sid, - old_isec->sclass, DIR__REPARENT, &ad); - if (rc) - return rc; - } - - ad.u.dentry = new_dentry; - av = DIR__ADD_NAME | DIR__SEARCH; - if (new_dentry->d_inode) - av |= DIR__REMOVE_NAME; - rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad); - if (rc) - return rc; - if (new_dentry->d_inode) { - new_isec = new_dentry->d_inode->i_security; - new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode); - rc = avc_has_perm(sid, new_isec->sid, - new_isec->sclass, - (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); - if (rc) - return rc; - } - - return 0; -} - -/* Check whether a task can perform a filesystem operation. */ -static int superblock_has_perm(const struct cred *cred, - struct super_block *sb, - u32 perms, - struct common_audit_data *ad) -{ - struct superblock_security_struct *sbsec; - u32 sid = cred_sid(cred); - - sbsec = sb->s_security; - return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); -} - -/* Convert a Linux mode and permission mask to an access vector. */ -static inline u32 file_mask_to_av(int mode, int mask) -{ - u32 av = 0; - - if (!S_ISDIR(mode)) { - if (mask & MAY_EXEC) - av |= FILE__EXECUTE; - if (mask & MAY_READ) - av |= FILE__READ; - - if (mask & MAY_APPEND) - av |= FILE__APPEND; - else if (mask & MAY_WRITE) - av |= FILE__WRITE; - - } else { - if (mask & MAY_EXEC) - av |= DIR__SEARCH; - if (mask & MAY_WRITE) - av |= DIR__WRITE; - if (mask & MAY_READ) - av |= DIR__READ; - } - - return av; -} - -/* Convert a Linux file to an access vector. */ -static inline u32 file_to_av(struct file *file) -{ - u32 av = 0; - - if (file->f_mode & FMODE_READ) - av |= FILE__READ; - if (file->f_mode & FMODE_WRITE) { - if (file->f_flags & O_APPEND) - av |= FILE__APPEND; - else - av |= FILE__WRITE; - } - if (!av) { - /* - * Special file opened with flags 3 for ioctl-only use. - */ - av = FILE__IOCTL; - } - - return av; -} - -/* - * Convert a file to an access vector and include the correct open - * open permission. - */ -static inline u32 open_file_to_av(struct file *file) -{ - u32 av = file_to_av(file); - - if (selinux_policycap_openperm) - av |= FILE__OPEN; - - return av; -} - -/* Hook functions begin here. */ - -static int selinux_ptrace_access_check(struct task_struct *child, - unsigned int mode) -{ - int rc; - - rc = cap_ptrace_access_check(child, mode); - if (rc) - return rc; - - if (mode & PTRACE_MODE_READ) { - u32 sid = current_sid(); - u32 csid = task_sid(child); - return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL); - } - - return current_has_perm(child, PROCESS__PTRACE); -} - -static int selinux_ptrace_traceme(struct task_struct *parent) -{ - int rc; - - rc = cap_ptrace_traceme(parent); - if (rc) - return rc; - - return task_has_perm(parent, current, PROCESS__PTRACE); -} - -static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, - kernel_cap_t *inheritable, kernel_cap_t *permitted) -{ - int error; - - error = current_has_perm(target, PROCESS__GETCAP); - if (error) - return error; - - return cap_capget(target, effective, inheritable, permitted); -} - -static int selinux_capset(struct cred *new, const struct cred *old, - const kernel_cap_t *effective, - const kernel_cap_t *inheritable, - const kernel_cap_t *permitted) -{ - int error; - - error = cap_capset(new, old, - effective, inheritable, permitted); - if (error) - return error; - - return cred_has_perm(old, new, PROCESS__SETCAP); -} - -/* - * (This comment used to live with the selinux_task_setuid hook, - * which was removed). - * - * Since setuid only affects the current process, and since the SELinux - * controls are not based on the Linux identity attributes, SELinux does not - * need to control this operation. However, SELinux does control the use of - * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. - */ - -static int selinux_capable(const struct cred *cred, struct user_namespace *ns, - int cap, int audit) -{ - int rc; - - rc = cap_capable(cred, ns, cap, audit); - if (rc) - return rc; - - return cred_has_capability(cred, cap, audit); -} - -static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) -{ - const struct cred *cred = current_cred(); - int rc = 0; - - if (!sb) - return 0; - - switch (cmds) { - case Q_SYNC: - case Q_QUOTAON: - case Q_QUOTAOFF: - case Q_SETINFO: - case Q_SETQUOTA: - rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL); - break; - case Q_GETFMT: - case Q_GETINFO: - case Q_GETQUOTA: - rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL); - break; - default: - rc = 0; /* let the kernel handle invalid cmds */ - break; - } - return rc; -} - -static int selinux_quota_on(struct dentry *dentry) -{ - const struct cred *cred = current_cred(); - - return dentry_has_perm(cred, dentry, FILE__QUOTAON); -} - -static int selinux_syslog(int type) -{ - int rc; - - switch (type) { - case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ - case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ - rc = task_has_system(current, SYSTEM__SYSLOG_READ); - break; - case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ - case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ - /* Set level of messages printed to console */ - case SYSLOG_ACTION_CONSOLE_LEVEL: - rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE); - break; - case SYSLOG_ACTION_CLOSE: /* Close log */ - case SYSLOG_ACTION_OPEN: /* Open log */ - case SYSLOG_ACTION_READ: /* Read from log */ - case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */ - case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */ - default: - rc = task_has_system(current, SYSTEM__SYSLOG_MOD); - break; - } - return rc; -} - -/* - * Check that a process has enough memory to allocate a new virtual - * mapping. 0 means there is enough memory for the allocation to - * succeed and -ENOMEM implies there is not. - * - * Do not audit the selinux permission check, as this is applied to all - * processes that allocate mappings. - */ -static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) -{ - int rc, cap_sys_admin = 0; - - rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN, - SECURITY_CAP_NOAUDIT); - if (rc == 0) - cap_sys_admin = 1; - - return __vm_enough_memory(mm, pages, cap_sys_admin); -} - -/* binprm security operations */ - -static int selinux_bprm_set_creds(struct linux_binprm *bprm) -{ - const struct task_security_struct *old_tsec; - struct task_security_struct *new_tsec; - struct inode_security_struct *isec; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - struct inode *inode = bprm->file->f_path.dentry->d_inode; - int rc; - - rc = cap_bprm_set_creds(bprm); - if (rc) - return rc; - - /* SELinux context only depends on initial program or script and not - * the script interpreter */ - if (bprm->cred_prepared) - return 0; - - old_tsec = current_security(); - new_tsec = bprm->cred->security; - isec = inode->i_security; - - /* Default to the current task SID. */ - new_tsec->sid = old_tsec->sid; - new_tsec->osid = old_tsec->sid; - - /* Reset fs, key, and sock SIDs on execve. */ - new_tsec->create_sid = 0; - new_tsec->keycreate_sid = 0; - new_tsec->sockcreate_sid = 0; - - if (old_tsec->exec_sid) { - new_tsec->sid = old_tsec->exec_sid; - /* Reset exec SID on execve. */ - new_tsec->exec_sid = 0; - } else { - /* Check for a default transition on this program. */ - rc = security_transition_sid(old_tsec->sid, isec->sid, - SECCLASS_PROCESS, NULL, - &new_tsec->sid); - if (rc) - return rc; - } - - COMMON_AUDIT_DATA_INIT(&ad, PATH); - ad.selinux_audit_data = &sad; - ad.u.path = bprm->file->f_path; - - if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) - new_tsec->sid = old_tsec->sid; - - if (new_tsec->sid == old_tsec->sid) { - rc = avc_has_perm(old_tsec->sid, isec->sid, - SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); - if (rc) - return rc; - } else { - /* Check permissions for the transition. */ - rc = avc_has_perm(old_tsec->sid, new_tsec->sid, - SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); - if (rc) - return rc; - - rc = avc_has_perm(new_tsec->sid, isec->sid, - SECCLASS_FILE, FILE__ENTRYPOINT, &ad); - if (rc) - return rc; - - /* Check for shared state */ - if (bprm->unsafe & LSM_UNSAFE_SHARE) { - rc = avc_has_perm(old_tsec->sid, new_tsec->sid, - SECCLASS_PROCESS, PROCESS__SHARE, - NULL); - if (rc) - return -EPERM; - } - - /* Make sure that anyone attempting to ptrace over a task that - * changes its SID has the appropriate permit */ - if (bprm->unsafe & - (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { - struct task_struct *tracer; - struct task_security_struct *sec; - u32 ptsid = 0; - - rcu_read_lock(); - tracer = ptrace_parent(current); - if (likely(tracer != NULL)) { - sec = __task_cred(tracer)->security; - ptsid = sec->sid; - } - rcu_read_unlock(); - - if (ptsid != 0) { - rc = avc_has_perm(ptsid, new_tsec->sid, - SECCLASS_PROCESS, - PROCESS__PTRACE, NULL); - if (rc) - return -EPERM; - } - } - - /* Clear any possibly unsafe personality bits on exec: */ - bprm->per_clear |= PER_CLEAR_ON_SETID; - } - - return 0; -} - -static int selinux_bprm_secureexec(struct linux_binprm *bprm) -{ - const struct task_security_struct *tsec = current_security(); - u32 sid, osid; - int atsecure = 0; - - sid = tsec->sid; - osid = tsec->osid; - - if (osid != sid) { - /* Enable secure mode for SIDs transitions unless - the noatsecure permission is granted between - the two SIDs, i.e. ahp returns 0. */ - atsecure = avc_has_perm(osid, sid, - SECCLASS_PROCESS, - PROCESS__NOATSECURE, NULL); - } - - return (atsecure || cap_bprm_secureexec(bprm)); -} - -/* Derived from fs/exec.c:flush_old_files. */ -static inline void flush_unauthorized_files(const struct cred *cred, - struct files_struct *files) -{ - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - struct file *file, *devnull = NULL; - struct tty_struct *tty; - struct fdtable *fdt; - long j = -1; - int drop_tty = 0; - - tty = get_current_tty(); - if (tty) { - spin_lock(&tty_files_lock); - if (!list_empty(&tty->tty_files)) { - struct tty_file_private *file_priv; - struct inode *inode; - - /* Revalidate access to controlling tty. - Use inode_has_perm on the tty inode directly rather - than using file_has_perm, as this particular open - file may belong to another process and we are only - interested in the inode-based check here. */ - file_priv = list_first_entry(&tty->tty_files, - struct tty_file_private, list); - file = file_priv->file; - inode = file->f_path.dentry->d_inode; - if (inode_has_perm_noadp(cred, inode, - FILE__READ | FILE__WRITE, 0)) { - drop_tty = 1; - } - } - spin_unlock(&tty_files_lock); - tty_kref_put(tty); - } - /* Reset controlling tty. */ - if (drop_tty) - no_tty(); - - /* Revalidate access to inherited open files. */ - - COMMON_AUDIT_DATA_INIT(&ad, INODE); - ad.selinux_audit_data = &sad; - - spin_lock(&files->file_lock); - for (;;) { - unsigned long set, i; - int fd; - - j++; - i = j * __NFDBITS; - fdt = files_fdtable(files); - if (i >= fdt->max_fds) - break; - set = fdt->open_fds[j]; - if (!set) - continue; - spin_unlock(&files->file_lock); - for ( ; set ; i++, set >>= 1) { - if (set & 1) { - file = fget(i); - if (!file) - continue; - if (file_has_perm(cred, - file, - file_to_av(file))) { - sys_close(i); - fd = get_unused_fd(); - if (fd != i) { - if (fd >= 0) - put_unused_fd(fd); - fput(file); - continue; - } - if (devnull) { - get_file(devnull); - } else { - devnull = dentry_open( - dget(selinux_null), - mntget(selinuxfs_mount), - O_RDWR, cred); - if (IS_ERR(devnull)) { - devnull = NULL; - put_unused_fd(fd); - fput(file); - continue; - } - } - fd_install(fd, devnull); - } - fput(file); - } - } - spin_lock(&files->file_lock); - - } - spin_unlock(&files->file_lock); -} - -/* - * Prepare a process for imminent new credential changes due to exec - */ -static void selinux_bprm_committing_creds(struct linux_binprm *bprm) -{ - struct task_security_struct *new_tsec; - struct rlimit *rlim, *initrlim; - int rc, i; - - new_tsec = bprm->cred->security; - if (new_tsec->sid == new_tsec->osid) - return; - - /* Close files for which the new task SID is not authorized. */ - flush_unauthorized_files(bprm->cred, current->files); - - /* Always clear parent death signal on SID transitions. */ - current->pdeath_signal = 0; - - /* Check whether the new SID can inherit resource limits from the old - * SID. If not, reset all soft limits to the lower of the current - * task's hard limit and the init task's soft limit. - * - * Note that the setting of hard limits (even to lower them) can be - * controlled by the setrlimit check. The inclusion of the init task's - * soft limit into the computation is to avoid resetting soft limits - * higher than the default soft limit for cases where the default is - * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. - */ - rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, - PROCESS__RLIMITINH, NULL); - if (rc) { - /* protect against do_prlimit() */ - task_lock(current); - for (i = 0; i < RLIM_NLIMITS; i++) { - rlim = current->signal->rlim + i; - initrlim = init_task.signal->rlim + i; - rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); - } - task_unlock(current); - update_rlimit_cpu(current, rlimit(RLIMIT_CPU)); - } -} - -/* - * Clean up the process immediately after the installation of new credentials - * due to exec - */ -static void selinux_bprm_committed_creds(struct linux_binprm *bprm) -{ - const struct task_security_struct *tsec = current_security(); - struct itimerval itimer; - u32 osid, sid; - int rc, i; - - osid = tsec->osid; - sid = tsec->sid; - - if (sid == osid) - return; - - /* Check whether the new SID can inherit signal state from the old SID. - * If not, clear itimers to avoid subsequent signal generation and - * flush and unblock signals. - * - * This must occur _after_ the task SID has been updated so that any - * kill done after the flush will be checked against the new SID. - */ - rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); - if (rc) { - memset(&itimer, 0, sizeof itimer); - for (i = 0; i < 3; i++) - do_setitimer(i, &itimer, NULL); - spin_lock_irq(¤t->sighand->siglock); - if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) { - __flush_signals(current); - flush_signal_handlers(current, 1); - sigemptyset(¤t->blocked); - } - spin_unlock_irq(¤t->sighand->siglock); - } - - /* Wake up the parent if it is waiting so that it can recheck - * wait permission to the new task SID. */ - read_lock(&tasklist_lock); - __wake_up_parent(current, current->real_parent); - read_unlock(&tasklist_lock); -} - -/* superblock security operations */ - -static int selinux_sb_alloc_security(struct super_block *sb) -{ - return superblock_alloc_security(sb); -} - -static void selinux_sb_free_security(struct super_block *sb) -{ - superblock_free_security(sb); -} - -static inline int match_prefix(char *prefix, int plen, char *option, int olen) -{ - if (plen > olen) - return 0; - - return !memcmp(prefix, option, plen); -} - -static inline int selinux_option(char *option, int len) -{ - return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) || - match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) || - match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) || - match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) || - match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len)); -} - -static inline void take_option(char **to, char *from, int *first, int len) -{ - if (!*first) { - **to = ','; - *to += 1; - } else - *first = 0; - memcpy(*to, from, len); - *to += len; -} - -static inline void take_selinux_option(char **to, char *from, int *first, - int len) -{ - int current_size = 0; - - if (!*first) { - **to = '|'; - *to += 1; - } else - *first = 0; - - while (current_size < len) { - if (*from != '"') { - **to = *from; - *to += 1; - } - from += 1; - current_size += 1; - } -} - -static int selinux_sb_copy_data(char *orig, char *copy) -{ - int fnosec, fsec, rc = 0; - char *in_save, *in_curr, *in_end; - char *sec_curr, *nosec_save, *nosec; - int open_quote = 0; - - in_curr = orig; - sec_curr = copy; - - nosec = (char *)get_zeroed_page(GFP_KERNEL); - if (!nosec) { - rc = -ENOMEM; - goto out; - } - - nosec_save = nosec; - fnosec = fsec = 1; - in_save = in_end = orig; - - do { - if (*in_end == '"') - open_quote = !open_quote; - if ((*in_end == ',' && open_quote == 0) || - *in_end == '\0') { - int len = in_end - in_curr; - - if (selinux_option(in_curr, len)) - take_selinux_option(&sec_curr, in_curr, &fsec, len); - else - take_option(&nosec, in_curr, &fnosec, len); - - in_curr = in_end + 1; - } - } while (*in_end++); - - strcpy(in_save, nosec_save); - free_page((unsigned long)nosec_save); -out: - return rc; -} - -static int selinux_sb_remount(struct super_block *sb, void *data) -{ - int rc, i, *flags; - struct security_mnt_opts opts; - char *secdata, **mount_options; - struct superblock_security_struct *sbsec = sb->s_security; - - if (!(sbsec->flags & SE_SBINITIALIZED)) - return 0; - - if (!data) - return 0; - - if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) - return 0; - - security_init_mnt_opts(&opts); - secdata = alloc_secdata(); - if (!secdata) - return -ENOMEM; - rc = selinux_sb_copy_data(data, secdata); - if (rc) - goto out_free_secdata; - - rc = selinux_parse_opts_str(secdata, &opts); - if (rc) - goto out_free_secdata; - - mount_options = opts.mnt_opts; - flags = opts.mnt_opts_flags; - - for (i = 0; i < opts.num_mnt_opts; i++) { - u32 sid; - size_t len; - - if (flags[i] == SE_SBLABELSUPP) - continue; - len = strlen(mount_options[i]); - rc = security_context_to_sid(mount_options[i], len, &sid); - if (rc) { - printk(KERN_WARNING "SELinux: security_context_to_sid" - "(%s) failed for (dev %s, type %s) errno=%d\n", - mount_options[i], sb->s_id, sb->s_type->name, rc); - goto out_free_opts; - } - rc = -EINVAL; - switch (flags[i]) { - case FSCONTEXT_MNT: - if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid)) - goto out_bad_option; - break; - case CONTEXT_MNT: - if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid)) - goto out_bad_option; - break; - case ROOTCONTEXT_MNT: { - struct inode_security_struct *root_isec; - root_isec = sb->s_root->d_inode->i_security; - - if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid)) - goto out_bad_option; - break; - } - case DEFCONTEXT_MNT: - if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid)) - goto out_bad_option; - break; - default: - goto out_free_opts; - } - } - - rc = 0; -out_free_opts: - security_free_mnt_opts(&opts); -out_free_secdata: - free_secdata(secdata); - return rc; -out_bad_option: - printk(KERN_WARNING "SELinux: unable to change security options " - "during remount (dev %s, type=%s)\n", sb->s_id, - sb->s_type->name); - goto out_free_opts; -} - -static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) -{ - const struct cred *cred = current_cred(); - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - int rc; - - rc = superblock_doinit(sb, data); - if (rc) - return rc; - - /* Allow all mounts performed by the kernel */ - if (flags & MS_KERNMOUNT) - return 0; - - COMMON_AUDIT_DATA_INIT(&ad, DENTRY); - ad.selinux_audit_data = &sad; - ad.u.dentry = sb->s_root; - return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); -} - -static int selinux_sb_statfs(struct dentry *dentry) -{ - const struct cred *cred = current_cred(); - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - - COMMON_AUDIT_DATA_INIT(&ad, DENTRY); - ad.selinux_audit_data = &sad; - ad.u.dentry = dentry->d_sb->s_root; - return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); -} - -static int selinux_mount(char *dev_name, - struct path *path, - char *type, - unsigned long flags, - void *data) -{ - const struct cred *cred = current_cred(); - - if (flags & MS_REMOUNT) - return superblock_has_perm(cred, path->dentry->d_sb, - FILESYSTEM__REMOUNT, NULL); - else - return path_has_perm(cred, path, FILE__MOUNTON); -} - -static int selinux_umount(struct vfsmount *mnt, int flags) -{ - const struct cred *cred = current_cred(); - - return superblock_has_perm(cred, mnt->mnt_sb, - FILESYSTEM__UNMOUNT, NULL); -} - -/* inode security operations */ - -static int selinux_inode_alloc_security(struct inode *inode) -{ - return inode_alloc_security(inode); -} - -static void selinux_inode_free_security(struct inode *inode) -{ - inode_free_security(inode); -} - -static int selinux_inode_init_security(struct inode *inode, struct inode *dir, - const struct qstr *qstr, char **name, - void **value, size_t *len) -{ - const struct task_security_struct *tsec = current_security(); - struct inode_security_struct *dsec; - struct superblock_security_struct *sbsec; - u32 sid, newsid, clen; - int rc; - char *namep = NULL, *context; - - dsec = dir->i_security; - sbsec = dir->i_sb->s_security; - - sid = tsec->sid; - newsid = tsec->create_sid; - - if ((sbsec->flags & SE_SBINITIALIZED) && - (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) - newsid = sbsec->mntpoint_sid; - else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) { - rc = security_transition_sid(sid, dsec->sid, - inode_mode_to_security_class(inode->i_mode), - qstr, &newsid); - if (rc) { - printk(KERN_WARNING "%s: " - "security_transition_sid failed, rc=%d (dev=%s " - "ino=%ld)\n", - __func__, - -rc, inode->i_sb->s_id, inode->i_ino); - return rc; - } - } - - /* Possibly defer initialization to selinux_complete_init. */ - if (sbsec->flags & SE_SBINITIALIZED) { - struct inode_security_struct *isec = inode->i_security; - isec->sclass = inode_mode_to_security_class(inode->i_mode); - isec->sid = newsid; - isec->initialized = 1; - } - - if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP)) - return -EOPNOTSUPP; - - if (name) { - namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS); - if (!namep) - return -ENOMEM; - *name = namep; - } - - if (value && len) { - rc = security_sid_to_context_force(newsid, &context, &clen); - if (rc) { - kfree(namep); - return rc; - } - *value = context; - *len = clen; - } - - return 0; -} - -static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode) -{ - return may_create(dir, dentry, SECCLASS_FILE); -} - -static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) -{ - return may_link(dir, old_dentry, MAY_LINK); -} - -static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) -{ - return may_link(dir, dentry, MAY_UNLINK); -} - -static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) -{ - return may_create(dir, dentry, SECCLASS_LNK_FILE); -} - -static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask) -{ - return may_create(dir, dentry, SECCLASS_DIR); -} - -static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) -{ - return may_link(dir, dentry, MAY_RMDIR); -} - -static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) -{ - return may_create(dir, dentry, inode_mode_to_security_class(mode)); -} - -static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, - struct inode *new_inode, struct dentry *new_dentry) -{ - return may_rename(old_inode, old_dentry, new_inode, new_dentry); -} - -static int selinux_inode_readlink(struct dentry *dentry) -{ - const struct cred *cred = current_cred(); - - return dentry_has_perm(cred, dentry, FILE__READ); -} - -static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata) -{ - const struct cred *cred = current_cred(); - - return dentry_has_perm(cred, dentry, FILE__READ); -} - -static int selinux_inode_permission(struct inode *inode, int mask) -{ - const struct cred *cred = current_cred(); - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - u32 perms; - bool from_access; - unsigned flags = mask & MAY_NOT_BLOCK; - - from_access = mask & MAY_ACCESS; - mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); - - /* No permission to check. Existence test. */ - if (!mask) - return 0; - - COMMON_AUDIT_DATA_INIT(&ad, INODE); - ad.selinux_audit_data = &sad; - ad.u.inode = inode; - - if (from_access) - ad.selinux_audit_data->auditdeny |= FILE__AUDIT_ACCESS; - - perms = file_mask_to_av(inode->i_mode, mask); - - return inode_has_perm(cred, inode, perms, &ad, flags); -} - -static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) -{ - const struct cred *cred = current_cred(); - unsigned int ia_valid = iattr->ia_valid; - - /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */ - if (ia_valid & ATTR_FORCE) { - ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE | - ATTR_FORCE); - if (!ia_valid) - return 0; - } - - if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | - ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) - return dentry_has_perm(cred, dentry, FILE__SETATTR); - - return dentry_has_perm(cred, dentry, FILE__WRITE); -} - -static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) -{ - const struct cred *cred = current_cred(); - struct path path; - - path.dentry = dentry; - path.mnt = mnt; - - return path_has_perm(cred, &path, FILE__GETATTR); -} - -static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name) -{ - const struct cred *cred = current_cred(); - - if (!strncmp(name, XATTR_SECURITY_PREFIX, - sizeof XATTR_SECURITY_PREFIX - 1)) { - if (!strcmp(name, XATTR_NAME_CAPS)) { - if (!capable(CAP_SETFCAP)) - return -EPERM; - } else if (!capable(CAP_SYS_ADMIN)) { - /* A different attribute in the security namespace. - Restrict to administrator. */ - return -EPERM; - } - } - - /* Not an attribute we recognize, so just check the - ordinary setattr permission. */ - return dentry_has_perm(cred, dentry, FILE__SETATTR); -} - -static int selinux_inode_setxattr(struct dentry *dentry, const char *name, - const void *value, size_t size, int flags) -{ - struct inode *inode = dentry->d_inode; - struct inode_security_struct *isec = inode->i_security; - struct superblock_security_struct *sbsec; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - u32 newsid, sid = current_sid(); - int rc = 0; - - if (strcmp(name, XATTR_NAME_SELINUX)) - return selinux_inode_setotherxattr(dentry, name); - - sbsec = inode->i_sb->s_security; - if (!(sbsec->flags & SE_SBLABELSUPP)) - return -EOPNOTSUPP; - - if (!inode_owner_or_capable(inode)) - return -EPERM; - - COMMON_AUDIT_DATA_INIT(&ad, DENTRY); - ad.selinux_audit_data = &sad; - ad.u.dentry = dentry; - - rc = avc_has_perm(sid, isec->sid, isec->sclass, - FILE__RELABELFROM, &ad); - if (rc) - return rc; - - rc = security_context_to_sid(value, size, &newsid); - if (rc == -EINVAL) { - if (!capable(CAP_MAC_ADMIN)) - return rc; - rc = security_context_to_sid_force(value, size, &newsid); - } - if (rc) - return rc; - - rc = avc_has_perm(sid, newsid, isec->sclass, - FILE__RELABELTO, &ad); - if (rc) - return rc; - - rc = security_validate_transition(isec->sid, newsid, sid, - isec->sclass); - if (rc) - return rc; - - return avc_has_perm(newsid, - sbsec->sid, - SECCLASS_FILESYSTEM, - FILESYSTEM__ASSOCIATE, - &ad); -} - -static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, - const void *value, size_t size, - int flags) -{ - struct inode *inode = dentry->d_inode; - struct inode_security_struct *isec = inode->i_security; - u32 newsid; - int rc; - - if (strcmp(name, XATTR_NAME_SELINUX)) { - /* Not an attribute we recognize, so nothing to do. */ - return; - } - - rc = security_context_to_sid_force(value, size, &newsid); - if (rc) { - printk(KERN_ERR "SELinux: unable to map context to SID" - "for (%s, %lu), rc=%d\n", - inode->i_sb->s_id, inode->i_ino, -rc); - return; - } - - isec->sid = newsid; - return; -} - -static int selinux_inode_getxattr(struct dentry *dentry, const char *name) -{ - const struct cred *cred = current_cred(); - - return dentry_has_perm(cred, dentry, FILE__GETATTR); -} - -static int selinux_inode_listxattr(struct dentry *dentry) -{ - const struct cred *cred = current_cred(); - - return dentry_has_perm(cred, dentry, FILE__GETATTR); -} - -static int selinux_inode_removexattr(struct dentry *dentry, const char *name) -{ - if (strcmp(name, XATTR_NAME_SELINUX)) - return selinux_inode_setotherxattr(dentry, name); - - /* No one is allowed to remove a SELinux security label. - You can change the label, but all data must be labeled. */ - return -EACCES; -} - -/* - * Copy the inode security context value to the user. - * - * Permission check is handled by selinux_inode_getxattr hook. - */ -static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc) -{ - u32 size; - int error; - char *context = NULL; - struct inode_security_struct *isec = inode->i_security; - - if (strcmp(name, XATTR_SELINUX_SUFFIX)) - return -EOPNOTSUPP; - - /* - * If the caller has CAP_MAC_ADMIN, then get the raw context - * value even if it is not defined by current policy; otherwise, - * use the in-core value under current policy. - * Use the non-auditing forms of the permission checks since - * getxattr may be called by unprivileged processes commonly - * and lack of permission just means that we fall back to the - * in-core context value, not a denial. - */ - error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN, - SECURITY_CAP_NOAUDIT); - if (!error) - error = security_sid_to_context_force(isec->sid, &context, - &size); - else - error = security_sid_to_context(isec->sid, &context, &size); - if (error) - return error; - error = size; - if (alloc) { - *buffer = context; - goto out_nofree; - } - kfree(context); -out_nofree: - return error; -} - -static int selinux_inode_setsecurity(struct inode *inode, const char *name, - const void *value, size_t size, int flags) -{ - struct inode_security_struct *isec = inode->i_security; - u32 newsid; - int rc; - - if (strcmp(name, XATTR_SELINUX_SUFFIX)) - return -EOPNOTSUPP; - - if (!value || !size) - return -EACCES; - - rc = security_context_to_sid((void *)value, size, &newsid); - if (rc) - return rc; - - isec->sid = newsid; - isec->initialized = 1; - return 0; -} - -static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) -{ - const int len = sizeof(XATTR_NAME_SELINUX); - if (buffer && len <= buffer_size) - memcpy(buffer, XATTR_NAME_SELINUX, len); - return len; -} - -static void selinux_inode_getsecid(const struct inode *inode, u32 *secid) -{ - struct inode_security_struct *isec = inode->i_security; - *secid = isec->sid; -} - -/* file security operations */ - -static int selinux_revalidate_file_permission(struct file *file, int mask) -{ - const struct cred *cred = current_cred(); - struct inode *inode = file->f_path.dentry->d_inode; - - /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ - if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) - mask |= MAY_APPEND; - - return file_has_perm(cred, file, - file_mask_to_av(inode->i_mode, mask)); -} - -static int selinux_file_permission(struct file *file, int mask) -{ - struct inode *inode = file->f_path.dentry->d_inode; - struct file_security_struct *fsec = file->f_security; - struct inode_security_struct *isec = inode->i_security; - u32 sid = current_sid(); - - if (!mask) - /* No permission to check. Existence test. */ - return 0; - - if (sid == fsec->sid && fsec->isid == isec->sid && - fsec->pseqno == avc_policy_seqno()) - /* No change since dentry_open check. */ - return 0; - - return selinux_revalidate_file_permission(file, mask); -} - -static int selinux_file_alloc_security(struct file *file) -{ - return file_alloc_security(file); -} - -static void selinux_file_free_security(struct file *file) -{ - file_free_security(file); -} - -static int selinux_file_ioctl(struct file *file, unsigned int cmd, - unsigned long arg) -{ - const struct cred *cred = current_cred(); - int error = 0; - - switch (cmd) { - case FIONREAD: - /* fall through */ - case FIBMAP: - /* fall through */ - case FIGETBSZ: - /* fall through */ - case FS_IOC_GETFLAGS: - /* fall through */ - case FS_IOC_GETVERSION: - error = file_has_perm(cred, file, FILE__GETATTR); - break; - - case FS_IOC_SETFLAGS: - /* fall through */ - case FS_IOC_SETVERSION: - error = file_has_perm(cred, file, FILE__SETATTR); - break; - - /* sys_ioctl() checks */ - case FIONBIO: - /* fall through */ - case FIOASYNC: - error = file_has_perm(cred, file, 0); - break; - - case KDSKBENT: - case KDSKBSENT: - error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG, - SECURITY_CAP_AUDIT); - break; - - /* default case assumes that the command will go - * to the file's ioctl() function. - */ - default: - error = file_has_perm(cred, file, FILE__IOCTL); - } - return error; -} - -static int default_noexec; - -static int file_map_prot_check(struct file *file, unsigned long prot, int shared) -{ - const struct cred *cred = current_cred(); - int rc = 0; - - if (default_noexec && - (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) { - /* - * We are making executable an anonymous mapping or a - * private file mapping that will also be writable. - * This has an additional check. - */ - rc = cred_has_perm(cred, cred, PROCESS__EXECMEM); - if (rc) - goto error; - } - - if (file) { - /* read access is always possible with a mapping */ - u32 av = FILE__READ; - - /* write access only matters if the mapping is shared */ - if (shared && (prot & PROT_WRITE)) - av |= FILE__WRITE; - - if (prot & PROT_EXEC) - av |= FILE__EXECUTE; - - return file_has_perm(cred, file, av); - } - -error: - return rc; -} - -static int selinux_file_mmap(struct file *file, unsigned long reqprot, - unsigned long prot, unsigned long flags, - unsigned long addr, unsigned long addr_only) -{ - int rc = 0; - u32 sid = current_sid(); - - /* - * notice that we are intentionally putting the SELinux check before - * the secondary cap_file_mmap check. This is such a likely attempt - * at bad behaviour/exploit that we always want to get the AVC, even - * if DAC would have also denied the operation. - */ - if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { - rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, - MEMPROTECT__MMAP_ZERO, NULL); - if (rc) - return rc; - } - - /* do DAC check on address space usage */ - rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only); - if (rc || addr_only) - return rc; - - if (selinux_checkreqprot) - prot = reqprot; - - return file_map_prot_check(file, prot, - (flags & MAP_TYPE) == MAP_SHARED); -} - -static int selinux_file_mprotect(struct vm_area_struct *vma, - unsigned long reqprot, - unsigned long prot) -{ - const struct cred *cred = current_cred(); - - if (selinux_checkreqprot) - prot = reqprot; - - if (default_noexec && - (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { - int rc = 0; - if (vma->vm_start >= vma->vm_mm->start_brk && - vma->vm_end <= vma->vm_mm->brk) { - rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP); - } else if (!vma->vm_file && - vma->vm_start <= vma->vm_mm->start_stack && - vma->vm_end >= vma->vm_mm->start_stack) { - rc = current_has_perm(current, PROCESS__EXECSTACK); - } else if (vma->vm_file && vma->anon_vma) { - /* - * We are making executable a file mapping that has - * had some COW done. Since pages might have been - * written, check ability to execute the possibly - * modified content. This typically should only - * occur for text relocations. - */ - rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD); - } - if (rc) - return rc; - } - - return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); -} - -static int selinux_file_lock(struct file *file, unsigned int cmd) -{ - const struct cred *cred = current_cred(); - - return file_has_perm(cred, file, FILE__LOCK); -} - -static int selinux_file_fcntl(struct file *file, unsigned int cmd, - unsigned long arg) -{ - const struct cred *cred = current_cred(); - int err = 0; - - switch (cmd) { - case F_SETFL: - if (!file->f_path.dentry || !file->f_path.dentry->d_inode) { - err = -EINVAL; - break; - } - - if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { - err = file_has_perm(cred, file, FILE__WRITE); - break; - } - /* fall through */ - case F_SETOWN: - case F_SETSIG: - case F_GETFL: - case F_GETOWN: - case F_GETSIG: - /* Just check FD__USE permission */ - err = file_has_perm(cred, file, 0); - break; - case F_GETLK: - case F_SETLK: - case F_SETLKW: -#if BITS_PER_LONG == 32 - case F_GETLK64: - case F_SETLK64: - case F_SETLKW64: -#endif - if (!file->f_path.dentry || !file->f_path.dentry->d_inode) { - err = -EINVAL; - break; - } - err = file_has_perm(cred, file, FILE__LOCK); - break; - } - - return err; -} - -static int selinux_file_set_fowner(struct file *file) -{ - struct file_security_struct *fsec; - - fsec = file->f_security; - fsec->fown_sid = current_sid(); - - return 0; -} - -static int selinux_file_send_sigiotask(struct task_struct *tsk, - struct fown_struct *fown, int signum) -{ - struct file *file; - u32 sid = task_sid(tsk); - u32 perm; - struct file_security_struct *fsec; - - /* struct fown_struct is never outside the context of a struct file */ - file = container_of(fown, struct file, f_owner); - - fsec = file->f_security; - - if (!signum) - perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ - else - perm = signal_to_av(signum); - - return avc_has_perm(fsec->fown_sid, sid, - SECCLASS_PROCESS, perm, NULL); -} - -static int selinux_file_receive(struct file *file) -{ - const struct cred *cred = current_cred(); - - return file_has_perm(cred, file, file_to_av(file)); -} - -static int selinux_dentry_open(struct file *file, const struct cred *cred) -{ - struct file_security_struct *fsec; - struct inode *inode; - struct inode_security_struct *isec; - - inode = file->f_path.dentry->d_inode; - fsec = file->f_security; - isec = inode->i_security; - /* - * Save inode label and policy sequence number - * at open-time so that selinux_file_permission - * can determine whether revalidation is necessary. - * Task label is already saved in the file security - * struct as its SID. - */ - fsec->isid = isec->sid; - fsec->pseqno = avc_policy_seqno(); - /* - * Since the inode label or policy seqno may have changed - * between the selinux_inode_permission check and the saving - * of state above, recheck that access is still permitted. - * Otherwise, access might never be revalidated against the - * new inode label or new policy. - * This check is not redundant - do not remove. - */ - return inode_has_perm_noadp(cred, inode, open_file_to_av(file), 0); -} - -/* task security operations */ - -static int selinux_task_create(unsigned long clone_flags) -{ - return current_has_perm(current, PROCESS__FORK); -} - -/* - * allocate the SELinux part of blank credentials - */ -static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp) -{ - struct task_security_struct *tsec; - - tsec = kzalloc(sizeof(struct task_security_struct), gfp); - if (!tsec) - return -ENOMEM; - - cred->security = tsec; - return 0; -} - -/* - * detach and free the LSM part of a set of credentials - */ -static void selinux_cred_free(struct cred *cred) -{ - struct task_security_struct *tsec = cred->security; - - /* - * cred->security == NULL if security_cred_alloc_blank() or - * security_prepare_creds() returned an error. - */ - BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE); - cred->security = (void *) 0x7UL; - kfree(tsec); -} - -/* - * prepare a new set of credentials for modification - */ -static int selinux_cred_prepare(struct cred *new, const struct cred *old, - gfp_t gfp) -{ - const struct task_security_struct *old_tsec; - struct task_security_struct *tsec; - - old_tsec = old->security; - - tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp); - if (!tsec) - return -ENOMEM; - - new->security = tsec; - return 0; -} - -/* - * transfer the SELinux data to a blank set of creds - */ -static void selinux_cred_transfer(struct cred *new, const struct cred *old) -{ - const struct task_security_struct *old_tsec = old->security; - struct task_security_struct *tsec = new->security; - - *tsec = *old_tsec; -} - -/* - * set the security data for a kernel service - * - all the creation contexts are set to unlabelled - */ -static int selinux_kernel_act_as(struct cred *new, u32 secid) -{ - struct task_security_struct *tsec = new->security; - u32 sid = current_sid(); - int ret; - - ret = avc_has_perm(sid, secid, - SECCLASS_KERNEL_SERVICE, - KERNEL_SERVICE__USE_AS_OVERRIDE, - NULL); - if (ret == 0) { - tsec->sid = secid; - tsec->create_sid = 0; - tsec->keycreate_sid = 0; - tsec->sockcreate_sid = 0; - } - return ret; -} - -/* - * set the file creation context in a security record to the same as the - * objective context of the specified inode - */ -static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) -{ - struct inode_security_struct *isec = inode->i_security; - struct task_security_struct *tsec = new->security; - u32 sid = current_sid(); - int ret; - - ret = avc_has_perm(sid, isec->sid, - SECCLASS_KERNEL_SERVICE, - KERNEL_SERVICE__CREATE_FILES_AS, - NULL); - - if (ret == 0) - tsec->create_sid = isec->sid; - return ret; -} - -static int selinux_kernel_module_request(char *kmod_name) -{ - u32 sid; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - - sid = task_sid(current); - - COMMON_AUDIT_DATA_INIT(&ad, KMOD); - ad.selinux_audit_data = &sad; - ad.u.kmod_name = kmod_name; - - return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM, - SYSTEM__MODULE_REQUEST, &ad); -} - -static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) -{ - return current_has_perm(p, PROCESS__SETPGID); -} - -static int selinux_task_getpgid(struct task_struct *p) -{ - return current_has_perm(p, PROCESS__GETPGID); -} - -static int selinux_task_getsid(struct task_struct *p) -{ - return current_has_perm(p, PROCESS__GETSESSION); -} - -static void selinux_task_getsecid(struct task_struct *p, u32 *secid) -{ - *secid = task_sid(p); -} - -static int selinux_task_setnice(struct task_struct *p, int nice) -{ - int rc; - - rc = cap_task_setnice(p, nice); - if (rc) - return rc; - - return current_has_perm(p, PROCESS__SETSCHED); -} - -static int selinux_task_setioprio(struct task_struct *p, int ioprio) -{ - int rc; - - rc = cap_task_setioprio(p, ioprio); - if (rc) - return rc; - - return current_has_perm(p, PROCESS__SETSCHED); -} - -static int selinux_task_getioprio(struct task_struct *p) -{ - return current_has_perm(p, PROCESS__GETSCHED); -} - -static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, - struct rlimit *new_rlim) -{ - struct rlimit *old_rlim = p->signal->rlim + resource; - - /* Control the ability to change the hard limit (whether - lowering or raising it), so that the hard limit can - later be used as a safe reset point for the soft limit - upon context transitions. See selinux_bprm_committing_creds. */ - if (old_rlim->rlim_max != new_rlim->rlim_max) - return current_has_perm(p, PROCESS__SETRLIMIT); - - return 0; -} - -static int selinux_task_setscheduler(struct task_struct *p) -{ - int rc; - - rc = cap_task_setscheduler(p); - if (rc) - return rc; - - return current_has_perm(p, PROCESS__SETSCHED); -} - -static int selinux_task_getscheduler(struct task_struct *p) -{ - return current_has_perm(p, PROCESS__GETSCHED); -} - -static int selinux_task_movememory(struct task_struct *p) -{ - return current_has_perm(p, PROCESS__SETSCHED); -} - -static int selinux_task_kill(struct task_struct *p, struct siginfo *info, - int sig, u32 secid) -{ - u32 perm; - int rc; - - if (!sig) - perm = PROCESS__SIGNULL; /* null signal; existence test */ - else - perm = signal_to_av(sig); - if (secid) - rc = avc_has_perm(secid, task_sid(p), - SECCLASS_PROCESS, perm, NULL); - else - rc = current_has_perm(p, perm); - return rc; -} - -static int selinux_task_wait(struct task_struct *p) -{ - return task_has_perm(p, current, PROCESS__SIGCHLD); -} - -static void selinux_task_to_inode(struct task_struct *p, - struct inode *inode) -{ - struct inode_security_struct *isec = inode->i_security; - u32 sid = task_sid(p); - - isec->sid = sid; - isec->initialized = 1; -} - -/* Returns error only if unable to parse addresses */ -static int selinux_parse_skb_ipv4(struct sk_buff *skb, - struct common_audit_data *ad, u8 *proto) -{ - int offset, ihlen, ret = -EINVAL; - struct iphdr _iph, *ih; - - offset = skb_network_offset(skb); - ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); - if (ih == NULL) - goto out; - - ihlen = ih->ihl * 4; - if (ihlen < sizeof(_iph)) - goto out; - - ad->u.net->v4info.saddr = ih->saddr; - ad->u.net->v4info.daddr = ih->daddr; - ret = 0; - - if (proto) - *proto = ih->protocol; - - switch (ih->protocol) { - case IPPROTO_TCP: { - struct tcphdr _tcph, *th; - - if (ntohs(ih->frag_off) & IP_OFFSET) - break; - - offset += ihlen; - th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); - if (th == NULL) - break; - - ad->u.net->sport = th->source; - ad->u.net->dport = th->dest; - break; - } - - case IPPROTO_UDP: { - struct udphdr _udph, *uh; - - if (ntohs(ih->frag_off) & IP_OFFSET) - break; - - offset += ihlen; - uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); - if (uh == NULL) - break; - - ad->u.net->sport = uh->source; - ad->u.net->dport = uh->dest; - break; - } - - case IPPROTO_DCCP: { - struct dccp_hdr _dccph, *dh; - - if (ntohs(ih->frag_off) & IP_OFFSET) - break; - - offset += ihlen; - dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); - if (dh == NULL) - break; - - ad->u.net->sport = dh->dccph_sport; - ad->u.net->dport = dh->dccph_dport; - break; - } - - default: - break; - } -out: - return ret; -} - -#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) - -/* Returns error only if unable to parse addresses */ -static int selinux_parse_skb_ipv6(struct sk_buff *skb, - struct common_audit_data *ad, u8 *proto) -{ - u8 nexthdr; - int ret = -EINVAL, offset; - struct ipv6hdr _ipv6h, *ip6; - __be16 frag_off; - - offset = skb_network_offset(skb); - ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); - if (ip6 == NULL) - goto out; - - ad->u.net->v6info.saddr = ip6->saddr; - ad->u.net->v6info.daddr = ip6->daddr; - ret = 0; - - nexthdr = ip6->nexthdr; - offset += sizeof(_ipv6h); - offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); - if (offset < 0) - goto out; - - if (proto) - *proto = nexthdr; - - switch (nexthdr) { - case IPPROTO_TCP: { - struct tcphdr _tcph, *th; - - th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); - if (th == NULL) - break; - - ad->u.net->sport = th->source; - ad->u.net->dport = th->dest; - break; - } - - case IPPROTO_UDP: { - struct udphdr _udph, *uh; - - uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); - if (uh == NULL) - break; - - ad->u.net->sport = uh->source; - ad->u.net->dport = uh->dest; - break; - } - - case IPPROTO_DCCP: { - struct dccp_hdr _dccph, *dh; - - dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); - if (dh == NULL) - break; - - ad->u.net->sport = dh->dccph_sport; - ad->u.net->dport = dh->dccph_dport; - break; - } - - /* includes fragments */ - default: - break; - } -out: - return ret; -} - -#endif /* IPV6 */ - -static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, - char **_addrp, int src, u8 *proto) -{ - char *addrp; - int ret; - - switch (ad->u.net->family) { - case PF_INET: - ret = selinux_parse_skb_ipv4(skb, ad, proto); - if (ret) - goto parse_error; - addrp = (char *)(src ? &ad->u.net->v4info.saddr : - &ad->u.net->v4info.daddr); - goto okay; - -#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) - case PF_INET6: - ret = selinux_parse_skb_ipv6(skb, ad, proto); - if (ret) - goto parse_error; - addrp = (char *)(src ? &ad->u.net->v6info.saddr : - &ad->u.net->v6info.daddr); - goto okay; -#endif /* IPV6 */ - default: - addrp = NULL; - goto okay; - } - -parse_error: - printk(KERN_WARNING - "SELinux: failure in selinux_parse_skb()," - " unable to parse packet\n"); - return ret; - -okay: - if (_addrp) - *_addrp = addrp; - return 0; -} - -/** - * selinux_skb_peerlbl_sid - Determine the peer label of a packet - * @skb: the packet - * @family: protocol family - * @sid: the packet's peer label SID - * - * Description: - * Check the various different forms of network peer labeling and determine - * the peer label/SID for the packet; most of the magic actually occurs in - * the security server function security_net_peersid_cmp(). The function - * returns zero if the value in @sid is valid (although it may be SECSID_NULL) - * or -EACCES if @sid is invalid due to inconsistencies with the different - * peer labels. - * - */ -static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) -{ - int err; - u32 xfrm_sid; - u32 nlbl_sid; - u32 nlbl_type; - - selinux_skb_xfrm_sid(skb, &xfrm_sid); - selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); - - err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid); - if (unlikely(err)) { - printk(KERN_WARNING - "SELinux: failure in selinux_skb_peerlbl_sid()," - " unable to determine packet's peer label\n"); - return -EACCES; - } - - return 0; -} - -/* socket security operations */ - -static int socket_sockcreate_sid(const struct task_security_struct *tsec, - u16 secclass, u32 *socksid) -{ - if (tsec->sockcreate_sid > SECSID_NULL) { - *socksid = tsec->sockcreate_sid; - return 0; - } - - return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL, - socksid); -} - -static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms) -{ - struct sk_security_struct *sksec = sk->sk_security; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - struct lsm_network_audit net = {0,}; - u32 tsid = task_sid(task); - - if (sksec->sid == SECINITSID_KERNEL) - return 0; - - COMMON_AUDIT_DATA_INIT(&ad, NET); - ad.selinux_audit_data = &sad; - ad.u.net = &net; - ad.u.net->sk = sk; - - return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad); -} - -static int selinux_socket_create(int family, int type, - int protocol, int kern) -{ - const struct task_security_struct *tsec = current_security(); - u32 newsid; - u16 secclass; - int rc; - - if (kern) - return 0; - - secclass = socket_type_to_security_class(family, type, protocol); - rc = socket_sockcreate_sid(tsec, secclass, &newsid); - if (rc) - return rc; - - return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); -} - -static int selinux_socket_post_create(struct socket *sock, int family, - int type, int protocol, int kern) -{ - const struct task_security_struct *tsec = current_security(); - struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; - struct sk_security_struct *sksec; - int err = 0; - - isec->sclass = socket_type_to_security_class(family, type, protocol); - - if (kern) - isec->sid = SECINITSID_KERNEL; - else { - err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid)); - if (err) - return err; - } - - isec->initialized = 1; - - if (sock->sk) { - sksec = sock->sk->sk_security; - sksec->sid = isec->sid; - sksec->sclass = isec->sclass; - err = selinux_netlbl_socket_post_create(sock->sk, family); - } - - return err; -} - -/* Range of port numbers used to automatically bind. - Need to determine whether we should perform a name_bind - permission check between the socket and the port number. */ - -static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) -{ - struct sock *sk = sock->sk; - u16 family; - int err; - - err = sock_has_perm(current, sk, SOCKET__BIND); - if (err) - goto out; - - /* - * If PF_INET or PF_INET6, check name_bind permission for the port. - * Multiple address binding for SCTP is not supported yet: we just - * check the first address now. - */ - family = sk->sk_family; - if (family == PF_INET || family == PF_INET6) { - char *addrp; - struct sk_security_struct *sksec = sk->sk_security; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - struct lsm_network_audit net = {0,}; - struct sockaddr_in *addr4 = NULL; - struct sockaddr_in6 *addr6 = NULL; - unsigned short snum; - u32 sid, node_perm; - - if (family == PF_INET) { - addr4 = (struct sockaddr_in *)address; - snum = ntohs(addr4->sin_port); - addrp = (char *)&addr4->sin_addr.s_addr; - } else { - addr6 = (struct sockaddr_in6 *)address; - snum = ntohs(addr6->sin6_port); - addrp = (char *)&addr6->sin6_addr.s6_addr; - } - - if (snum) { - int low, high; - - inet_get_local_port_range(&low, &high); - - if (snum < max(PROT_SOCK, low) || snum > high) { - err = sel_netport_sid(sk->sk_protocol, - snum, &sid); - if (err) - goto out; - COMMON_AUDIT_DATA_INIT(&ad, NET); - ad.selinux_audit_data = &sad; - ad.u.net = &net; - ad.u.net->sport = htons(snum); - ad.u.net->family = family; - err = avc_has_perm(sksec->sid, sid, - sksec->sclass, - SOCKET__NAME_BIND, &ad); - if (err) - goto out; - } - } - - switch (sksec->sclass) { - case SECCLASS_TCP_SOCKET: - node_perm = TCP_SOCKET__NODE_BIND; - break; - - case SECCLASS_UDP_SOCKET: - node_perm = UDP_SOCKET__NODE_BIND; - break; - - case SECCLASS_DCCP_SOCKET: - node_perm = DCCP_SOCKET__NODE_BIND; - break; - - default: - node_perm = RAWIP_SOCKET__NODE_BIND; - break; - } - - err = sel_netnode_sid(addrp, family, &sid); - if (err) - goto out; - - COMMON_AUDIT_DATA_INIT(&ad, NET); - ad.selinux_audit_data = &sad; - ad.u.net = &net; - ad.u.net->sport = htons(snum); - ad.u.net->family = family; - - if (family == PF_INET) - ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; - else - ad.u.net->v6info.saddr = addr6->sin6_addr; - - err = avc_has_perm(sksec->sid, sid, - sksec->sclass, node_perm, &ad); - if (err) - goto out; - } -out: - return err; -} - -static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen) -{ - struct sock *sk = sock->sk; - struct sk_security_struct *sksec = sk->sk_security; - int err; - - err = sock_has_perm(current, sk, SOCKET__CONNECT); - if (err) - return err; - - /* - * If a TCP or DCCP socket, check name_connect permission for the port. - */ - if (sksec->sclass == SECCLASS_TCP_SOCKET || - sksec->sclass == SECCLASS_DCCP_SOCKET) { - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - struct lsm_network_audit net = {0,}; - struct sockaddr_in *addr4 = NULL; - struct sockaddr_in6 *addr6 = NULL; - unsigned short snum; - u32 sid, perm; - - if (sk->sk_family == PF_INET) { - addr4 = (struct sockaddr_in *)address; - if (addrlen < sizeof(struct sockaddr_in)) - return -EINVAL; - snum = ntohs(addr4->sin_port); - } else { - addr6 = (struct sockaddr_in6 *)address; - if (addrlen < SIN6_LEN_RFC2133) - return -EINVAL; - snum = ntohs(addr6->sin6_port); - } - - err = sel_netport_sid(sk->sk_protocol, snum, &sid); - if (err) - goto out; - - perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ? - TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; - - COMMON_AUDIT_DATA_INIT(&ad, NET); - ad.selinux_audit_data = &sad; - ad.u.net = &net; - ad.u.net->dport = htons(snum); - ad.u.net->family = sk->sk_family; - err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad); - if (err) - goto out; - } - - err = selinux_netlbl_socket_connect(sk, address); - -out: - return err; -} - -static int selinux_socket_listen(struct socket *sock, int backlog) -{ - return sock_has_perm(current, sock->sk, SOCKET__LISTEN); -} - -static int selinux_socket_accept(struct socket *sock, struct socket *newsock) -{ - int err; - struct inode_security_struct *isec; - struct inode_security_struct *newisec; - - err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT); - if (err) - return err; - - newisec = SOCK_INODE(newsock)->i_security; - - isec = SOCK_INODE(sock)->i_security; - newisec->sclass = isec->sclass; - newisec->sid = isec->sid; - newisec->initialized = 1; - - return 0; -} - -static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, - int size) -{ - return sock_has_perm(current, sock->sk, SOCKET__WRITE); -} - -static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, - int size, int flags) -{ - return sock_has_perm(current, sock->sk, SOCKET__READ); -} - -static int selinux_socket_getsockname(struct socket *sock) -{ - return sock_has_perm(current, sock->sk, SOCKET__GETATTR); -} - -static int selinux_socket_getpeername(struct socket *sock) -{ - return sock_has_perm(current, sock->sk, SOCKET__GETATTR); -} - -static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) -{ - int err; - - err = sock_has_perm(current, sock->sk, SOCKET__SETOPT); - if (err) - return err; - - return selinux_netlbl_socket_setsockopt(sock, level, optname); -} - -static int selinux_socket_getsockopt(struct socket *sock, int level, - int optname) -{ - return sock_has_perm(current, sock->sk, SOCKET__GETOPT); -} - -static int selinux_socket_shutdown(struct socket *sock, int how) -{ - return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN); -} - -static int selinux_socket_unix_stream_connect(struct sock *sock, - struct sock *other, - struct sock *newsk) -{ - struct sk_security_struct *sksec_sock = sock->sk_security; - struct sk_security_struct *sksec_other = other->sk_security; - struct sk_security_struct *sksec_new = newsk->sk_security; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - struct lsm_network_audit net = {0,}; - int err; - - COMMON_AUDIT_DATA_INIT(&ad, NET); - ad.selinux_audit_data = &sad; - ad.u.net = &net; - ad.u.net->sk = other; - - err = avc_has_perm(sksec_sock->sid, sksec_other->sid, - sksec_other->sclass, - UNIX_STREAM_SOCKET__CONNECTTO, &ad); - if (err) - return err; - - /* server child socket */ - sksec_new->peer_sid = sksec_sock->sid; - err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid, - &sksec_new->sid); - if (err) - return err; - - /* connecting socket */ - sksec_sock->peer_sid = sksec_new->sid; - - return 0; -} - -static int selinux_socket_unix_may_send(struct socket *sock, - struct socket *other) -{ - struct sk_security_struct *ssec = sock->sk->sk_security; - struct sk_security_struct *osec = other->sk->sk_security; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - struct lsm_network_audit net = {0,}; - - COMMON_AUDIT_DATA_INIT(&ad, NET); - ad.selinux_audit_data = &sad; - ad.u.net = &net; - ad.u.net->sk = other->sk; - - return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, - &ad); -} - -static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family, - u32 peer_sid, - struct common_audit_data *ad) -{ - int err; - u32 if_sid; - u32 node_sid; - - err = sel_netif_sid(ifindex, &if_sid); - if (err) - return err; - err = avc_has_perm(peer_sid, if_sid, - SECCLASS_NETIF, NETIF__INGRESS, ad); - if (err) - return err; - - err = sel_netnode_sid(addrp, family, &node_sid); - if (err) - return err; - return avc_has_perm(peer_sid, node_sid, - SECCLASS_NODE, NODE__RECVFROM, ad); -} - -static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, - u16 family) -{ - int err = 0; - struct sk_security_struct *sksec = sk->sk_security; - u32 sk_sid = sksec->sid; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - struct lsm_network_audit net = {0,}; - char *addrp; - - COMMON_AUDIT_DATA_INIT(&ad, NET); - ad.selinux_audit_data = &sad; - ad.u.net = &net; - ad.u.net->netif = skb->skb_iif; - ad.u.net->family = family; - err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); - if (err) - return err; - - if (selinux_secmark_enabled()) { - err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, - PACKET__RECV, &ad); - if (err) - return err; - } - - err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); - if (err) - return err; - err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); - - return err; -} - -static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) -{ - int err; - struct sk_security_struct *sksec = sk->sk_security; - u16 family = sk->sk_family; - u32 sk_sid = sksec->sid; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - struct lsm_network_audit net = {0,}; - char *addrp; - u8 secmark_active; - u8 peerlbl_active; - - if (family != PF_INET && family != PF_INET6) - return 0; - - /* Handle mapped IPv4 packets arriving via IPv6 sockets */ - if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) - family = PF_INET; - - /* If any sort of compatibility mode is enabled then handoff processing - * to the selinux_sock_rcv_skb_compat() function to deal with the - * special handling. We do this in an attempt to keep this function - * as fast and as clean as possible. */ - if (!selinux_policycap_netpeer) - return selinux_sock_rcv_skb_compat(sk, skb, family); - - secmark_active = selinux_secmark_enabled(); - peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled(); - if (!secmark_active && !peerlbl_active) - return 0; - - COMMON_AUDIT_DATA_INIT(&ad, NET); - ad.selinux_audit_data = &sad; - ad.u.net = &net; - ad.u.net->netif = skb->skb_iif; - ad.u.net->family = family; - err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); - if (err) - return err; - - if (peerlbl_active) { - u32 peer_sid; - - err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); - if (err) - return err; - err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family, - peer_sid, &ad); - if (err) { - selinux_netlbl_err(skb, err, 0); - return err; - } - err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, - PEER__RECV, &ad); - if (err) - selinux_netlbl_err(skb, err, 0); - } - - if (secmark_active) { - err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, - PACKET__RECV, &ad); - if (err) - return err; - } - - return err; -} - -static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, - int __user *optlen, unsigned len) -{ - int err = 0; - char *scontext; - u32 scontext_len; - struct sk_security_struct *sksec = sock->sk->sk_security; - u32 peer_sid = SECSID_NULL; - - if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || - sksec->sclass == SECCLASS_TCP_SOCKET) - peer_sid = sksec->peer_sid; - if (peer_sid == SECSID_NULL) - return -ENOPROTOOPT; - - err = security_sid_to_context(peer_sid, &scontext, &scontext_len); - if (err) - return err; - - if (scontext_len > len) { - err = -ERANGE; - goto out_len; - } - - if (copy_to_user(optval, scontext, scontext_len)) - err = -EFAULT; - -out_len: - if (put_user(scontext_len, optlen)) - err = -EFAULT; - kfree(scontext); - return err; -} - -static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) -{ - u32 peer_secid = SECSID_NULL; - u16 family; - - if (skb && skb->protocol == htons(ETH_P_IP)) - family = PF_INET; - else if (skb && skb->protocol == htons(ETH_P_IPV6)) - family = PF_INET6; - else if (sock) - family = sock->sk->sk_family; - else - goto out; - - if (sock && family == PF_UNIX) - selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid); - else if (skb) - selinux_skb_peerlbl_sid(skb, family, &peer_secid); - -out: - *secid = peer_secid; - if (peer_secid == SECSID_NULL) - return -EINVAL; - return 0; -} - -static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) -{ - struct sk_security_struct *sksec; - - sksec = kzalloc(sizeof(*sksec), priority); - if (!sksec) - return -ENOMEM; - - sksec->peer_sid = SECINITSID_UNLABELED; - sksec->sid = SECINITSID_UNLABELED; - selinux_netlbl_sk_security_reset(sksec); - sk->sk_security = sksec; - - return 0; -} - -static void selinux_sk_free_security(struct sock *sk) -{ - struct sk_security_struct *sksec = sk->sk_security; - - sk->sk_security = NULL; - selinux_netlbl_sk_security_free(sksec); - kfree(sksec); -} - -static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) -{ - struct sk_security_struct *sksec = sk->sk_security; - struct sk_security_struct *newsksec = newsk->sk_security; - - newsksec->sid = sksec->sid; - newsksec->peer_sid = sksec->peer_sid; - newsksec->sclass = sksec->sclass; - - selinux_netlbl_sk_security_reset(newsksec); -} - -static void selinux_sk_getsecid(struct sock *sk, u32 *secid) -{ - if (!sk) - *secid = SECINITSID_ANY_SOCKET; - else { - struct sk_security_struct *sksec = sk->sk_security; - - *secid = sksec->sid; - } -} - -static void selinux_sock_graft(struct sock *sk, struct socket *parent) -{ - struct inode_security_struct *isec = SOCK_INODE(parent)->i_security; - struct sk_security_struct *sksec = sk->sk_security; - - if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || - sk->sk_family == PF_UNIX) - isec->sid = sksec->sid; - sksec->sclass = isec->sclass; -} - -static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, - struct request_sock *req) -{ - struct sk_security_struct *sksec = sk->sk_security; - int err; - u16 family = sk->sk_family; - u32 newsid; - u32 peersid; - - /* handle mapped IPv4 packets arriving via IPv6 sockets */ - if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) - family = PF_INET; - - err = selinux_skb_peerlbl_sid(skb, family, &peersid); - if (err) - return err; - if (peersid == SECSID_NULL) { - req->secid = sksec->sid; - req->peer_secid = SECSID_NULL; - } else { - err = security_sid_mls_copy(sksec->sid, peersid, &newsid); - if (err) - return err; - req->secid = newsid; - req->peer_secid = peersid; - } - - return selinux_netlbl_inet_conn_request(req, family); -} - -static void selinux_inet_csk_clone(struct sock *newsk, - const struct request_sock *req) -{ - struct sk_security_struct *newsksec = newsk->sk_security; - - newsksec->sid = req->secid; - newsksec->peer_sid = req->peer_secid; - /* NOTE: Ideally, we should also get the isec->sid for the - new socket in sync, but we don't have the isec available yet. - So we will wait until sock_graft to do it, by which - time it will have been created and available. */ - - /* We don't need to take any sort of lock here as we are the only - * thread with access to newsksec */ - selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family); -} - -static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) -{ - u16 family = sk->sk_family; - struct sk_security_struct *sksec = sk->sk_security; - - /* handle mapped IPv4 packets arriving via IPv6 sockets */ - if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) - family = PF_INET; - - selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); -} - -static int selinux_secmark_relabel_packet(u32 sid) -{ - const struct task_security_struct *__tsec; - u32 tsid; - - __tsec = current_security(); - tsid = __tsec->sid; - - return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL); -} - -static void selinux_secmark_refcount_inc(void) -{ - atomic_inc(&selinux_secmark_refcount); -} - -static void selinux_secmark_refcount_dec(void) -{ - atomic_dec(&selinux_secmark_refcount); -} - -static void selinux_req_classify_flow(const struct request_sock *req, - struct flowi *fl) -{ - fl->flowi_secid = req->secid; -} - -static int selinux_tun_dev_create(void) -{ - u32 sid = current_sid(); - - /* we aren't taking into account the "sockcreate" SID since the socket - * that is being created here is not a socket in the traditional sense, - * instead it is a private sock, accessible only to the kernel, and - * representing a wide range of network traffic spanning multiple - * connections unlike traditional sockets - check the TUN driver to - * get a better understanding of why this socket is special */ - - return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, - NULL); -} - -static void selinux_tun_dev_post_create(struct sock *sk) -{ - struct sk_security_struct *sksec = sk->sk_security; - - /* we don't currently perform any NetLabel based labeling here and it - * isn't clear that we would want to do so anyway; while we could apply - * labeling without the support of the TUN user the resulting labeled - * traffic from the other end of the connection would almost certainly - * cause confusion to the TUN user that had no idea network labeling - * protocols were being used */ - - /* see the comments in selinux_tun_dev_create() about why we don't use - * the sockcreate SID here */ - - sksec->sid = current_sid(); - sksec->sclass = SECCLASS_TUN_SOCKET; -} - -static int selinux_tun_dev_attach(struct sock *sk) -{ - struct sk_security_struct *sksec = sk->sk_security; - u32 sid = current_sid(); - int err; - - err = avc_has_perm(sid, sksec->sid, SECCLASS_TUN_SOCKET, - TUN_SOCKET__RELABELFROM, NULL); - if (err) - return err; - err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, - TUN_SOCKET__RELABELTO, NULL); - if (err) - return err; - - sksec->sid = sid; - - return 0; -} - -static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) -{ - int err = 0; - u32 perm; - struct nlmsghdr *nlh; - struct sk_security_struct *sksec = sk->sk_security; - - if (skb->len < NLMSG_SPACE(0)) { - err = -EINVAL; - goto out; - } - nlh = nlmsg_hdr(skb); - - err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm); - if (err) { - if (err == -EINVAL) { - audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR, - "SELinux: unrecognized netlink message" - " type=%hu for sclass=%hu\n", - nlh->nlmsg_type, sksec->sclass); - if (!selinux_enforcing || security_get_allow_unknown()) - err = 0; - } - - /* Ignore */ - if (err == -ENOENT) - err = 0; - goto out; - } - - err = sock_has_perm(current, sk, perm); -out: - return err; -} - -#ifdef CONFIG_NETFILTER - -static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex, - u16 family) -{ - int err; - char *addrp; - u32 peer_sid; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - struct lsm_network_audit net = {0,}; - u8 secmark_active; - u8 netlbl_active; - u8 peerlbl_active; - - if (!selinux_policycap_netpeer) - return NF_ACCEPT; - - secmark_active = selinux_secmark_enabled(); - netlbl_active = netlbl_enabled(); - peerlbl_active = netlbl_active || selinux_xfrm_enabled(); - if (!secmark_active && !peerlbl_active) - return NF_ACCEPT; - - if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) - return NF_DROP; - - COMMON_AUDIT_DATA_INIT(&ad, NET); - ad.selinux_audit_data = &sad; - ad.u.net = &net; - ad.u.net->netif = ifindex; - ad.u.net->family = family; - if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) - return NF_DROP; - - if (peerlbl_active) { - err = selinux_inet_sys_rcv_skb(ifindex, addrp, family, - peer_sid, &ad); - if (err) { - selinux_netlbl_err(skb, err, 1); - return NF_DROP; - } - } - - if (secmark_active) - if (avc_has_perm(peer_sid, skb->secmark, - SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) - return NF_DROP; - - if (netlbl_active) - /* we do this in the FORWARD path and not the POST_ROUTING - * path because we want to make sure we apply the necessary - * labeling before IPsec is applied so we can leverage AH - * protection */ - if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0) - return NF_DROP; - - return NF_ACCEPT; -} - -static unsigned int selinux_ipv4_forward(unsigned int hooknum, - struct sk_buff *skb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return selinux_ip_forward(skb, in->ifindex, PF_INET); -} - -#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) -static unsigned int selinux_ipv6_forward(unsigned int hooknum, - struct sk_buff *skb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return selinux_ip_forward(skb, in->ifindex, PF_INET6); -} -#endif /* IPV6 */ - -static unsigned int selinux_ip_output(struct sk_buff *skb, - u16 family) -{ - u32 sid; - - if (!netlbl_enabled()) - return NF_ACCEPT; - - /* we do this in the LOCAL_OUT path and not the POST_ROUTING path - * because we want to make sure we apply the necessary labeling - * before IPsec is applied so we can leverage AH protection */ - if (skb->sk) { - struct sk_security_struct *sksec = skb->sk->sk_security; - sid = sksec->sid; - } else - sid = SECINITSID_KERNEL; - if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0) - return NF_DROP; - - return NF_ACCEPT; -} - -static unsigned int selinux_ipv4_output(unsigned int hooknum, - struct sk_buff *skb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return selinux_ip_output(skb, PF_INET); -} - -static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, - int ifindex, - u16 family) -{ - struct sock *sk = skb->sk; - struct sk_security_struct *sksec; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - struct lsm_network_audit net = {0,}; - char *addrp; - u8 proto; - - if (sk == NULL) - return NF_ACCEPT; - sksec = sk->sk_security; - - COMMON_AUDIT_DATA_INIT(&ad, NET); - ad.selinux_audit_data = &sad; - ad.u.net = &net; - ad.u.net->netif = ifindex; - ad.u.net->family = family; - if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) - return NF_DROP; - - if (selinux_secmark_enabled()) - if (avc_has_perm(sksec->sid, skb->secmark, - SECCLASS_PACKET, PACKET__SEND, &ad)) - return NF_DROP_ERR(-ECONNREFUSED); - - if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) - return NF_DROP_ERR(-ECONNREFUSED); - - return NF_ACCEPT; -} - -static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex, - u16 family) -{ - u32 secmark_perm; - u32 peer_sid; - struct sock *sk; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - struct lsm_network_audit net = {0,}; - char *addrp; - u8 secmark_active; - u8 peerlbl_active; - - /* If any sort of compatibility mode is enabled then handoff processing - * to the selinux_ip_postroute_compat() function to deal with the - * special handling. We do this in an attempt to keep this function - * as fast and as clean as possible. */ - if (!selinux_policycap_netpeer) - return selinux_ip_postroute_compat(skb, ifindex, family); -#ifdef CONFIG_XFRM - /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec - * packet transformation so allow the packet to pass without any checks - * since we'll have another chance to perform access control checks - * when the packet is on it's final way out. - * NOTE: there appear to be some IPv6 multicast cases where skb->dst - * is NULL, in this case go ahead and apply access control. */ - if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL) - return NF_ACCEPT; -#endif - secmark_active = selinux_secmark_enabled(); - peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled(); - if (!secmark_active && !peerlbl_active) - return NF_ACCEPT; - - /* if the packet is being forwarded then get the peer label from the - * packet itself; otherwise check to see if it is from a local - * application or the kernel, if from an application get the peer label - * from the sending socket, otherwise use the kernel's sid */ - sk = skb->sk; - if (sk == NULL) { - if (skb->skb_iif) { - secmark_perm = PACKET__FORWARD_OUT; - if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) - return NF_DROP; - } else { - secmark_perm = PACKET__SEND; - peer_sid = SECINITSID_KERNEL; - } - } else { - struct sk_security_struct *sksec = sk->sk_security; - peer_sid = sksec->sid; - secmark_perm = PACKET__SEND; - } - - COMMON_AUDIT_DATA_INIT(&ad, NET); - ad.selinux_audit_data = &sad; - ad.u.net = &net; - ad.u.net->netif = ifindex; - ad.u.net->family = family; - if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) - return NF_DROP; - - if (secmark_active) - if (avc_has_perm(peer_sid, skb->secmark, - SECCLASS_PACKET, secmark_perm, &ad)) - return NF_DROP_ERR(-ECONNREFUSED); - - if (peerlbl_active) { - u32 if_sid; - u32 node_sid; - - if (sel_netif_sid(ifindex, &if_sid)) - return NF_DROP; - if (avc_has_perm(peer_sid, if_sid, - SECCLASS_NETIF, NETIF__EGRESS, &ad)) - return NF_DROP_ERR(-ECONNREFUSED); - - if (sel_netnode_sid(addrp, family, &node_sid)) - return NF_DROP; - if (avc_has_perm(peer_sid, node_sid, - SECCLASS_NODE, NODE__SENDTO, &ad)) - return NF_DROP_ERR(-ECONNREFUSED); - } - - return NF_ACCEPT; -} - -static unsigned int selinux_ipv4_postroute(unsigned int hooknum, - struct sk_buff *skb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return selinux_ip_postroute(skb, out->ifindex, PF_INET); -} - -#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) -static unsigned int selinux_ipv6_postroute(unsigned int hooknum, - struct sk_buff *skb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return selinux_ip_postroute(skb, out->ifindex, PF_INET6); -} -#endif /* IPV6 */ - -#endif /* CONFIG_NETFILTER */ - -static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) -{ - int err; - - err = cap_netlink_send(sk, skb); - if (err) - return err; - - return selinux_nlmsg_perm(sk, skb); -} - -static int ipc_alloc_security(struct task_struct *task, - struct kern_ipc_perm *perm, - u16 sclass) -{ - struct ipc_security_struct *isec; - u32 sid; - - isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); - if (!isec) - return -ENOMEM; - - sid = task_sid(task); - isec->sclass = sclass; - isec->sid = sid; - perm->security = isec; - - return 0; -} - -static void ipc_free_security(struct kern_ipc_perm *perm) -{ - struct ipc_security_struct *isec = perm->security; - perm->security = NULL; - kfree(isec); -} - -static int msg_msg_alloc_security(struct msg_msg *msg) -{ - struct msg_security_struct *msec; - - msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL); - if (!msec) - return -ENOMEM; - - msec->sid = SECINITSID_UNLABELED; - msg->security = msec; - - return 0; -} - -static void msg_msg_free_security(struct msg_msg *msg) -{ - struct msg_security_struct *msec = msg->security; - - msg->security = NULL; - kfree(msec); -} - -static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, - u32 perms) -{ - struct ipc_security_struct *isec; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - u32 sid = current_sid(); - - isec = ipc_perms->security; - - COMMON_AUDIT_DATA_INIT(&ad, IPC); - ad.selinux_audit_data = &sad; - ad.u.ipc_id = ipc_perms->key; - - return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); -} - -static int selinux_msg_msg_alloc_security(struct msg_msg *msg) -{ - return msg_msg_alloc_security(msg); -} - -static void selinux_msg_msg_free_security(struct msg_msg *msg) -{ - msg_msg_free_security(msg); -} - -/* message queue security operations */ -static int selinux_msg_queue_alloc_security(struct msg_queue *msq) -{ - struct ipc_security_struct *isec; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - u32 sid = current_sid(); - int rc; - - rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ); - if (rc) - return rc; - - isec = msq->q_perm.security; - - COMMON_AUDIT_DATA_INIT(&ad, IPC); - ad.selinux_audit_data = &sad; - ad.u.ipc_id = msq->q_perm.key; - - rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, - MSGQ__CREATE, &ad); - if (rc) { - ipc_free_security(&msq->q_perm); - return rc; - } - return 0; -} - -static void selinux_msg_queue_free_security(struct msg_queue *msq) -{ - ipc_free_security(&msq->q_perm); -} - -static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) -{ - struct ipc_security_struct *isec; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - u32 sid = current_sid(); - - isec = msq->q_perm.security; - - COMMON_AUDIT_DATA_INIT(&ad, IPC); - ad.selinux_audit_data = &sad; - ad.u.ipc_id = msq->q_perm.key; - - return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, - MSGQ__ASSOCIATE, &ad); -} - -static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd) -{ - int err; - int perms; - - switch (cmd) { - case IPC_INFO: - case MSG_INFO: - /* No specific object, just general system-wide information. */ - return task_has_system(current, SYSTEM__IPC_INFO); - case IPC_STAT: - case MSG_STAT: - perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; - break; - case IPC_SET: - perms = MSGQ__SETATTR; - break; - case IPC_RMID: - perms = MSGQ__DESTROY; - break; - default: - return 0; - } - - err = ipc_has_perm(&msq->q_perm, perms); - return err; -} - -static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg) -{ - struct ipc_security_struct *isec; - struct msg_security_struct *msec; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - u32 sid = current_sid(); - int rc; - - isec = msq->q_perm.security; - msec = msg->security; - - /* - * First time through, need to assign label to the message - */ - if (msec->sid == SECINITSID_UNLABELED) { - /* - * Compute new sid based on current process and - * message queue this message will be stored in - */ - rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG, - NULL, &msec->sid); - if (rc) - return rc; - } - - COMMON_AUDIT_DATA_INIT(&ad, IPC); - ad.selinux_audit_data = &sad; - ad.u.ipc_id = msq->q_perm.key; - - /* Can this process write to the queue? */ - rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, - MSGQ__WRITE, &ad); - if (!rc) - /* Can this process send the message */ - rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG, - MSG__SEND, &ad); - if (!rc) - /* Can the message be put in the queue? */ - rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ, - MSGQ__ENQUEUE, &ad); - - return rc; -} - -static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, - struct task_struct *target, - long type, int mode) -{ - struct ipc_security_struct *isec; - struct msg_security_struct *msec; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - u32 sid = task_sid(target); - int rc; - - isec = msq->q_perm.security; - msec = msg->security; - - COMMON_AUDIT_DATA_INIT(&ad, IPC); - ad.selinux_audit_data = &sad; - ad.u.ipc_id = msq->q_perm.key; - - rc = avc_has_perm(sid, isec->sid, - SECCLASS_MSGQ, MSGQ__READ, &ad); - if (!rc) - rc = avc_has_perm(sid, msec->sid, - SECCLASS_MSG, MSG__RECEIVE, &ad); - return rc; -} - -/* Shared Memory security operations */ -static int selinux_shm_alloc_security(struct shmid_kernel *shp) -{ - struct ipc_security_struct *isec; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - u32 sid = current_sid(); - int rc; - - rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM); - if (rc) - return rc; - - isec = shp->shm_perm.security; - - COMMON_AUDIT_DATA_INIT(&ad, IPC); - ad.selinux_audit_data = &sad; - ad.u.ipc_id = shp->shm_perm.key; - - rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM, - SHM__CREATE, &ad); - if (rc) { - ipc_free_security(&shp->shm_perm); - return rc; - } - return 0; -} - -static void selinux_shm_free_security(struct shmid_kernel *shp) -{ - ipc_free_security(&shp->shm_perm); -} - -static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) -{ - struct ipc_security_struct *isec; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - u32 sid = current_sid(); - - isec = shp->shm_perm.security; - - COMMON_AUDIT_DATA_INIT(&ad, IPC); - ad.selinux_audit_data = &sad; - ad.u.ipc_id = shp->shm_perm.key; - - return avc_has_perm(sid, isec->sid, SECCLASS_SHM, - SHM__ASSOCIATE, &ad); -} - -/* Note, at this point, shp is locked down */ -static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd) -{ - int perms; - int err; - - switch (cmd) { - case IPC_INFO: - case SHM_INFO: - /* No specific object, just general system-wide information. */ - return task_has_system(current, SYSTEM__IPC_INFO); - case IPC_STAT: - case SHM_STAT: - perms = SHM__GETATTR | SHM__ASSOCIATE; - break; - case IPC_SET: - perms = SHM__SETATTR; - break; - case SHM_LOCK: - case SHM_UNLOCK: - perms = SHM__LOCK; - break; - case IPC_RMID: - perms = SHM__DESTROY; - break; - default: - return 0; - } - - err = ipc_has_perm(&shp->shm_perm, perms); - return err; -} - -static int selinux_shm_shmat(struct shmid_kernel *shp, - char __user *shmaddr, int shmflg) -{ - u32 perms; - - if (shmflg & SHM_RDONLY) - perms = SHM__READ; - else - perms = SHM__READ | SHM__WRITE; - - return ipc_has_perm(&shp->shm_perm, perms); -} - -/* Semaphore security operations */ -static int selinux_sem_alloc_security(struct sem_array *sma) -{ - struct ipc_security_struct *isec; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - u32 sid = current_sid(); - int rc; - - rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM); - if (rc) - return rc; - - isec = sma->sem_perm.security; - - COMMON_AUDIT_DATA_INIT(&ad, IPC); - ad.selinux_audit_data = &sad; - ad.u.ipc_id = sma->sem_perm.key; - - rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM, - SEM__CREATE, &ad); - if (rc) { - ipc_free_security(&sma->sem_perm); - return rc; - } - return 0; -} - -static void selinux_sem_free_security(struct sem_array *sma) -{ - ipc_free_security(&sma->sem_perm); -} - -static int selinux_sem_associate(struct sem_array *sma, int semflg) -{ - struct ipc_security_struct *isec; - struct common_audit_data ad; - struct selinux_audit_data sad = {0,}; - u32 sid = current_sid(); - - isec = sma->sem_perm.security; - - COMMON_AUDIT_DATA_INIT(&ad, IPC); - ad.selinux_audit_data = &sad; - ad.u.ipc_id = sma->sem_perm.key; - - return avc_has_perm(sid, isec->sid, SECCLASS_SEM, - SEM__ASSOCIATE, &ad); -} - -/* Note, at this point, sma is locked down */ -static int selinux_sem_semctl(struct sem_array *sma, int cmd) -{ - int err; - u32 perms; - - switch (cmd) { - case IPC_INFO: - case SEM_INFO: - /* No specific object, just general system-wide information. */ - return task_has_system(current, SYSTEM__IPC_INFO); - case GETPID: - case GETNCNT: - case GETZCNT: - perms = SEM__GETATTR; - break; - case GETVAL: - case GETALL: - perms = SEM__READ; - break; - case SETVAL: - case SETALL: - perms = SEM__WRITE; - break; - case IPC_RMID: - perms = SEM__DESTROY; - break; - case IPC_SET: - perms = SEM__SETATTR; - break; - case IPC_STAT: - case SEM_STAT: - perms = SEM__GETATTR | SEM__ASSOCIATE; - break; - default: - return 0; - } - - err = ipc_has_perm(&sma->sem_perm, perms); - return err; -} - -static int selinux_sem_semop(struct sem_array *sma, - struct sembuf *sops, unsigned nsops, int alter) -{ - u32 perms; - - if (alter) - perms = SEM__READ | SEM__WRITE; - else - perms = SEM__READ; - - return ipc_has_perm(&sma->sem_perm, perms); -} - -static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) -{ - u32 av = 0; - - av = 0; - if (flag & S_IRUGO) - av |= IPC__UNIX_READ; - if (flag & S_IWUGO) - av |= IPC__UNIX_WRITE; - - if (av == 0) - return 0; - - return ipc_has_perm(ipcp, av); -} - -static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) -{ - struct ipc_security_struct *isec = ipcp->security; - *secid = isec->sid; -} - -static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) -{ - if (inode) - inode_doinit_with_dentry(inode, dentry); -} - -static int selinux_getprocattr(struct task_struct *p, - char *name, char **value) -{ - const struct task_security_struct *__tsec; - u32 sid; - int error; - unsigned len; - - if (current != p) { - error = current_has_perm(p, PROCESS__GETATTR); - if (error) - return error; - } - - rcu_read_lock(); - __tsec = __task_cred(p)->security; - - if (!strcmp(name, "current")) - sid = __tsec->sid; - else if (!strcmp(name, "prev")) - sid = __tsec->osid; - else if (!strcmp(name, "exec")) - sid = __tsec->exec_sid; - else if (!strcmp(name, "fscreate")) - sid = __tsec->create_sid; - else if (!strcmp(name, "keycreate")) - sid = __tsec->keycreate_sid; - else if (!strcmp(name, "sockcreate")) - sid = __tsec->sockcreate_sid; - else - goto invalid; - rcu_read_unlock(); - - if (!sid) - return 0; - - error = security_sid_to_context(sid, value, &len); - if (error) - return error; - return len; - -invalid: - rcu_read_unlock(); - return -EINVAL; -} - -static int selinux_setprocattr(struct task_struct *p, - char *name, void *value, size_t size) -{ - struct task_security_struct *tsec; - struct task_struct *tracer; - struct cred *new; - u32 sid = 0, ptsid; - int error; - char *str = value; - - if (current != p) { - /* SELinux only allows a process to change its own - security attributes. */ - return -EACCES; - } - - /* - * Basic control over ability to set these attributes at all. - * current == p, but we'll pass them separately in case the - * above restriction is ever removed. - */ - if (!strcmp(name, "exec")) - error = current_has_perm(p, PROCESS__SETEXEC); - else if (!strcmp(name, "fscreate")) - error = current_has_perm(p, PROCESS__SETFSCREATE); - else if (!strcmp(name, "keycreate")) - error = current_has_perm(p, PROCESS__SETKEYCREATE); - else if (!strcmp(name, "sockcreate")) - error = current_has_perm(p, PROCESS__SETSOCKCREATE); - else if (!strcmp(name, "current")) - error = current_has_perm(p, PROCESS__SETCURRENT); - else - error = -EINVAL; - if (error) - return error; - - /* Obtain a SID for the context, if one was specified. */ - if (size && str[1] && str[1] != '\n') { - if (str[size-1] == '\n') { - str[size-1] = 0; - size--; - } - error = security_context_to_sid(value, size, &sid); - if (error == -EINVAL && !strcmp(name, "fscreate")) { - if (!capable(CAP_MAC_ADMIN)) - return error; - error = security_context_to_sid_force(value, size, - &sid); - } - if (error) - return error; - } - - new = prepare_creds(); - if (!new) - return -ENOMEM; - - /* Permission checking based on the specified context is - performed during the actual operation (execve, - open/mkdir/...), when we know the full context of the - operation. See selinux_bprm_set_creds for the execve - checks and may_create for the file creation checks. The - operation will then fail if the context is not permitted. */ - tsec = new->security; - if (!strcmp(name, "exec")) { - tsec->exec_sid = sid; - } else if (!strcmp(name, "fscreate")) { - tsec->create_sid = sid; - } else if (!strcmp(name, "keycreate")) { - error = may_create_key(sid, p); - if (error) - goto abort_change; - tsec->keycreate_sid = sid; - } else if (!strcmp(name, "sockcreate")) { - tsec->sockcreate_sid = sid; - } else if (!strcmp(name, "current")) { - error = -EINVAL; - if (sid == 0) - goto abort_change; - - /* Only allow single threaded processes to change context */ - error = -EPERM; - if (!current_is_single_threaded()) { - error = security_bounded_transition(tsec->sid, sid); - if (error) - goto abort_change; - } - - /* Check permissions for the transition. */ - error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, - PROCESS__DYNTRANSITION, NULL); - if (error) - goto abort_change; - - /* Check for ptracing, and update the task SID if ok. - Otherwise, leave SID unchanged and fail. */ - ptsid = 0; - task_lock(p); - tracer = ptrace_parent(p); - if (tracer) - ptsid = task_sid(tracer); - task_unlock(p); - - if (tracer) { - error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS, - PROCESS__PTRACE, NULL); - if (error) - goto abort_change; - } - - tsec->sid = sid; - } else { - error = -EINVAL; - goto abort_change; - } - - commit_creds(new); - return size; - -abort_change: - abort_creds(new); - return error; -} - -static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) -{ - return security_sid_to_context(secid, secdata, seclen); -} - -static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) -{ - return security_context_to_sid(secdata, seclen, secid); -} - -static void selinux_release_secctx(char *secdata, u32 seclen) -{ - kfree(secdata); -} - -/* - * called with inode->i_mutex locked - */ -static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) -{ - return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0); -} - -/* - * called with inode->i_mutex locked - */ -static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) -{ - return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0); -} - -static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) -{ - int len = 0; - len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX, - ctx, true); - if (len < 0) - return len; - *ctxlen = len; - return 0; -} -#ifdef CONFIG_KEYS - -static int selinux_key_alloc(struct key *k, const struct cred *cred, - unsigned long flags) -{ - const struct task_security_struct *tsec; - struct key_security_struct *ksec; - - ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); - if (!ksec) - return -ENOMEM; - - tsec = cred->security; - if (tsec->keycreate_sid) - ksec->sid = tsec->keycreate_sid; - else - ksec->sid = tsec->sid; - - k->security = ksec; - return 0; -} - -static void selinux_key_free(struct key *k) -{ - struct key_security_struct *ksec = k->security; - - k->security = NULL; - kfree(ksec); -} - -static int selinux_key_permission(key_ref_t key_ref, - const struct cred *cred, - key_perm_t perm) -{ - struct key *key; - struct key_security_struct *ksec; - u32 sid; - - /* if no specific permissions are requested, we skip the - permission check. No serious, additional covert channels - appear to be created. */ - if (perm == 0) - return 0; - - sid = cred_sid(cred); - - key = key_ref_to_ptr(key_ref); - ksec = key->security; - - return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL); -} - -static int selinux_key_getsecurity(struct key *key, char **_buffer) -{ - struct key_security_struct *ksec = key->security; - char *context = NULL; - unsigned len; - int rc; - - rc = security_sid_to_context(ksec->sid, &context, &len); - if (!rc) - rc = len; - *_buffer = context; - return rc; -} - -#endif - -static struct security_operations selinux_ops = { - .name = "selinux", - - .ptrace_access_check = selinux_ptrace_access_check, - .ptrace_traceme = selinux_ptrace_traceme, - .capget = selinux_capget, - .capset = selinux_capset, - .capable = selinux_capable, - .quotactl = selinux_quotactl, - .quota_on = selinux_quota_on, - .syslog = selinux_syslog, - .vm_enough_memory = selinux_vm_enough_memory, - - .netlink_send = selinux_netlink_send, - - .bprm_set_creds = selinux_bprm_set_creds, - .bprm_committing_creds = selinux_bprm_committing_creds, - .bprm_committed_creds = selinux_bprm_committed_creds, - .bprm_secureexec = selinux_bprm_secureexec, - - .sb_alloc_security = selinux_sb_alloc_security, - .sb_free_security = selinux_sb_free_security, - .sb_copy_data = selinux_sb_copy_data, - .sb_remount = selinux_sb_remount, - .sb_kern_mount = selinux_sb_kern_mount, - .sb_show_options = selinux_sb_show_options, - .sb_statfs = selinux_sb_statfs, - .sb_mount = selinux_mount, - .sb_umount = selinux_umount, - .sb_set_mnt_opts = selinux_set_mnt_opts, - .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts, - .sb_parse_opts_str = selinux_parse_opts_str, - - - .inode_alloc_security = selinux_inode_alloc_security, - .inode_free_security = selinux_inode_free_security, - .inode_init_security = selinux_inode_init_security, - .inode_create = selinux_inode_create, - .inode_link = selinux_inode_link, - .inode_unlink = selinux_inode_unlink, - .inode_symlink = selinux_inode_symlink, - .inode_mkdir = selinux_inode_mkdir, - .inode_rmdir = selinux_inode_rmdir, - .inode_mknod = selinux_inode_mknod, - .inode_rename = selinux_inode_rename, - .inode_readlink = selinux_inode_readlink, - .inode_follow_link = selinux_inode_follow_link, - .inode_permission = selinux_inode_permission, - .inode_setattr = selinux_inode_setattr, - .inode_getattr = selinux_inode_getattr, - .inode_setxattr = selinux_inode_setxattr, - .inode_post_setxattr = selinux_inode_post_setxattr, - .inode_getxattr = selinux_inode_getxattr, - .inode_listxattr = selinux_inode_listxattr, - .inode_removexattr = selinux_inode_removexattr, - .inode_getsecurity = selinux_inode_getsecurity, - .inode_setsecurity = selinux_inode_setsecurity, - .inode_listsecurity = selinux_inode_listsecurity, - .inode_getsecid = selinux_inode_getsecid, - - .file_permission = selinux_file_permission, - .file_alloc_security = selinux_file_alloc_security, - .file_free_security = selinux_file_free_security, - .file_ioctl = selinux_file_ioctl, - .file_mmap = selinux_file_mmap, - .file_mprotect = selinux_file_mprotect, - .file_lock = selinux_file_lock, - .file_fcntl = selinux_file_fcntl, - .file_set_fowner = selinux_file_set_fowner, - .file_send_sigiotask = selinux_file_send_sigiotask, - .file_receive = selinux_file_receive, - - .dentry_open = selinux_dentry_open, - - .task_create = selinux_task_create, - .cred_alloc_blank = selinux_cred_alloc_blank, - .cred_free = selinux_cred_free, - .cred_prepare = selinux_cred_prepare, - .cred_transfer = selinux_cred_transfer, - .kernel_act_as = selinux_kernel_act_as, - .kernel_create_files_as = selinux_kernel_create_files_as, - .kernel_module_request = selinux_kernel_module_request, - .task_setpgid = selinux_task_setpgid, - .task_getpgid = selinux_task_getpgid, - .task_getsid = selinux_task_getsid, - .task_getsecid = selinux_task_getsecid, - .task_setnice = selinux_task_setnice, - .task_setioprio = selinux_task_setioprio, - .task_getioprio = selinux_task_getioprio, - .task_setrlimit = selinux_task_setrlimit, - .task_setscheduler = selinux_task_setscheduler, - .task_getscheduler = selinux_task_getscheduler, - .task_movememory = selinux_task_movememory, - .task_kill = selinux_task_kill, - .task_wait = selinux_task_wait, - .task_to_inode = selinux_task_to_inode, - - .ipc_permission = selinux_ipc_permission, - .ipc_getsecid = selinux_ipc_getsecid, - - .msg_msg_alloc_security = selinux_msg_msg_alloc_security, - .msg_msg_free_security = selinux_msg_msg_free_security, - - .msg_queue_alloc_security = selinux_msg_queue_alloc_security, - .msg_queue_free_security = selinux_msg_queue_free_security, - .msg_queue_associate = selinux_msg_queue_associate, - .msg_queue_msgctl = selinux_msg_queue_msgctl, - .msg_queue_msgsnd = selinux_msg_queue_msgsnd, - .msg_queue_msgrcv = selinux_msg_queue_msgrcv, - - .shm_alloc_security = selinux_shm_alloc_security, - .shm_free_security = selinux_shm_free_security, - .shm_associate = selinux_shm_associate, - .shm_shmctl = selinux_shm_shmctl, - .shm_shmat = selinux_shm_shmat, - - .sem_alloc_security = selinux_sem_alloc_security, - .sem_free_security = selinux_sem_free_security, - .sem_associate = selinux_sem_associate, - .sem_semctl = selinux_sem_semctl, - .sem_semop = selinux_sem_semop, - - .d_instantiate = selinux_d_instantiate, - - .getprocattr = selinux_getprocattr, - .setprocattr = selinux_setprocattr, - - .secid_to_secctx = selinux_secid_to_secctx, - .secctx_to_secid = selinux_secctx_to_secid, - .release_secctx = selinux_release_secctx, - .inode_notifysecctx = selinux_inode_notifysecctx, - .inode_setsecctx = selinux_inode_setsecctx, - .inode_getsecctx = selinux_inode_getsecctx, - - .unix_stream_connect = selinux_socket_unix_stream_connect, - .unix_may_send = selinux_socket_unix_may_send, - - .socket_create = selinux_socket_create, - .socket_post_create = selinux_socket_post_create, - .socket_bind = selinux_socket_bind, - .socket_connect = selinux_socket_connect, - .socket_listen = selinux_socket_listen, - .socket_accept = selinux_socket_accept, - .socket_sendmsg = selinux_socket_sendmsg, - .socket_recvmsg = selinux_socket_recvmsg, - .socket_getsockname = selinux_socket_getsockname, - .socket_getpeername = selinux_socket_getpeername, - .socket_getsockopt = selinux_socket_getsockopt, - .socket_setsockopt = selinux_socket_setsockopt, - .socket_shutdown = selinux_socket_shutdown, - .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb, - .socket_getpeersec_stream = selinux_socket_getpeersec_stream, - .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram, - .sk_alloc_security = selinux_sk_alloc_security, - .sk_free_security = selinux_sk_free_security, - .sk_clone_security = selinux_sk_clone_security, - .sk_getsecid = selinux_sk_getsecid, - .sock_graft = selinux_sock_graft, - .inet_conn_request = selinux_inet_conn_request, - .inet_csk_clone = selinux_inet_csk_clone, - .inet_conn_established = selinux_inet_conn_established, - .secmark_relabel_packet = selinux_secmark_relabel_packet, - .secmark_refcount_inc = selinux_secmark_refcount_inc, - .secmark_refcount_dec = selinux_secmark_refcount_dec, - .req_classify_flow = selinux_req_classify_flow, - .tun_dev_create = selinux_tun_dev_create, - .tun_dev_post_create = selinux_tun_dev_post_create, - .tun_dev_attach = selinux_tun_dev_attach, - -#ifdef CONFIG_SECURITY_NETWORK_XFRM - .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc, - .xfrm_policy_clone_security = selinux_xfrm_policy_clone, - .xfrm_policy_free_security = selinux_xfrm_policy_free, - .xfrm_policy_delete_security = selinux_xfrm_policy_delete, - .xfrm_state_alloc_security = selinux_xfrm_state_alloc, - .xfrm_state_free_security = selinux_xfrm_state_free, - .xfrm_state_delete_security = selinux_xfrm_state_delete, - .xfrm_policy_lookup = selinux_xfrm_policy_lookup, - .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match, - .xfrm_decode_session = selinux_xfrm_decode_session, -#endif - -#ifdef CONFIG_KEYS - .key_alloc = selinux_key_alloc, - .key_free = selinux_key_free, - .key_permission = selinux_key_permission, - .key_getsecurity = selinux_key_getsecurity, -#endif - -#ifdef CONFIG_AUDIT - .audit_rule_init = selinux_audit_rule_init, - .audit_rule_known = selinux_audit_rule_known, - .audit_rule_match = selinux_audit_rule_match, - .audit_rule_free = selinux_audit_rule_free, -#endif -}; - -extern int wmt_getsyspara(char *varname, unsigned char *varval, int *varlen); - -static __init int selinux_init(void) -{ - // 2013-12-10 YJChen: Add Begin - char selinux_env_name[] = "wmt.selinux.param"; - char selinux_env_buf[32] = "0"; - int varlen = 32; - unsigned int nEnable = 0; - - if (wmt_getsyspara(selinux_env_name, selinux_env_buf, &varlen) == 0) { - sscanf(selinux_env_buf, "%x", &nEnable); - printk("wmt.selinux.param = %x\n", nEnable); - if (nEnable != 0x1) { - printk("setting disable selinux\n"); - selinux_enabled = 0; - return 0; - } - } - else { - // not define wmt.selinux.param, default disable - printk("default disable selinux\n"); - selinux_enabled = 0; - return 0; - } - // 2013-12-10 YJChen: Add End - - if (!security_module_enable(&selinux_ops)) { - selinux_enabled = 0; - return 0; - } - - if (!selinux_enabled) { - printk(KERN_INFO "SELinux: Disabled at boot.\n"); - return 0; - } - - printk(KERN_INFO "SELinux: Initializing.\n"); - - /* Set the security state for the initial task. */ - cred_init_security(); - - default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); - - sel_inode_cache = kmem_cache_create("selinux_inode_security", - sizeof(struct inode_security_struct), - 0, SLAB_PANIC, NULL); - avc_init(); - - if (register_security(&selinux_ops)) - panic("SELinux: Unable to register with kernel.\n"); - - if (selinux_enforcing) - printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); - else - printk(KERN_DEBUG "SELinux: Starting in permissive mode\n"); - - return 0; -} - -static void delayed_superblock_init(struct super_block *sb, void *unused) -{ - superblock_doinit(sb, NULL); -} - -void selinux_complete_init(void) -{ - printk(KERN_DEBUG "SELinux: Completing initialization.\n"); - - /* Set up any superblocks initialized prior to the policy load. */ - printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n"); - iterate_supers(delayed_superblock_init, NULL); -} - -/* SELinux requires early initialization in order to label - all processes and objects when they are created. */ -security_initcall(selinux_init); - -#if defined(CONFIG_NETFILTER) - -static struct nf_hook_ops selinux_ipv4_ops[] = { - { - .hook = selinux_ipv4_postroute, - .owner = THIS_MODULE, - .pf = PF_INET, - .hooknum = NF_INET_POST_ROUTING, - .priority = NF_IP_PRI_SELINUX_LAST, - }, - { - .hook = selinux_ipv4_forward, - .owner = THIS_MODULE, - .pf = PF_INET, - .hooknum = NF_INET_FORWARD, - .priority = NF_IP_PRI_SELINUX_FIRST, - }, - { - .hook = selinux_ipv4_output, - .owner = THIS_MODULE, - .pf = PF_INET, - .hooknum = NF_INET_LOCAL_OUT, - .priority = NF_IP_PRI_SELINUX_FIRST, - } -}; - -#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) - -static struct nf_hook_ops selinux_ipv6_ops[] = { - { - .hook = selinux_ipv6_postroute, - .owner = THIS_MODULE, - .pf = PF_INET6, - .hooknum = NF_INET_POST_ROUTING, - .priority = NF_IP6_PRI_SELINUX_LAST, - }, - { - .hook = selinux_ipv6_forward, - .owner = THIS_MODULE, - .pf = PF_INET6, - .hooknum = NF_INET_FORWARD, - .priority = NF_IP6_PRI_SELINUX_FIRST, - } -}; - -#endif /* IPV6 */ - -static int __init selinux_nf_ip_init(void) -{ - int err = 0; - - if (!selinux_enabled) - goto out; - - printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n"); - - err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops)); - if (err) - panic("SELinux: nf_register_hooks for IPv4: error %d\n", err); - -#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) - err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops)); - if (err) - panic("SELinux: nf_register_hooks for IPv6: error %d\n", err); -#endif /* IPV6 */ - -out: - return err; -} - -__initcall(selinux_nf_ip_init); - -#ifdef CONFIG_SECURITY_SELINUX_DISABLE -static void selinux_nf_ip_exit(void) -{ - printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n"); - - nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops)); -#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) - nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops)); -#endif /* IPV6 */ -} -#endif - -#else /* CONFIG_NETFILTER */ - -#ifdef CONFIG_SECURITY_SELINUX_DISABLE -#define selinux_nf_ip_exit() -#endif - -#endif /* CONFIG_NETFILTER */ - -#ifdef CONFIG_SECURITY_SELINUX_DISABLE -static int selinux_disabled; - -int selinux_disable(void) -{ - if (ss_initialized) { - /* Not permitted after initial policy load. */ - return -EINVAL; - } - - if (selinux_disabled) { - /* Only do this once. */ - return -EINVAL; - } - - printk(KERN_INFO "SELinux: Disabled at runtime.\n"); - - selinux_disabled = 1; - selinux_enabled = 0; - - reset_security_ops(); - - /* Try to destroy the avc node cache */ - avc_disable(); - - /* Unregister netfilter hooks. */ - selinux_nf_ip_exit(); - - /* Unregister selinuxfs. */ - exit_sel_fs(); - - return 0; -} -#endif diff --git a/ANDROID_3.4.5/security/selinux/include/audit.h b/ANDROID_3.4.5/security/selinux/include/audit.h deleted file mode 100644 index 1bdf9734..00000000 --- a/ANDROID_3.4.5/security/selinux/include/audit.h +++ /dev/null @@ -1,65 +0,0 @@ -/* - * SELinux support for the Audit LSM hooks - * - * Most of below header was moved from include/linux/selinux.h which - * is released under below copyrights: - * - * Author: James Morris <jmorris@redhat.com> - * - * Copyright (C) 2005 Red Hat, Inc., James Morris <jmorris@redhat.com> - * Copyright (C) 2006 Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> - * Copyright (C) 2006 IBM Corporation, Timothy R. Chavez <tinytim@us.ibm.com> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2, - * as published by the Free Software Foundation. - */ - -#ifndef _SELINUX_AUDIT_H -#define _SELINUX_AUDIT_H - -/** - * selinux_audit_rule_init - alloc/init an selinux audit rule structure. - * @field: the field this rule refers to - * @op: the operater the rule uses - * @rulestr: the text "target" of the rule - * @rule: pointer to the new rule structure returned via this - * - * Returns 0 if successful, -errno if not. On success, the rule structure - * will be allocated internally. The caller must free this structure with - * selinux_audit_rule_free() after use. - */ -int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **rule); - -/** - * selinux_audit_rule_free - free an selinux audit rule structure. - * @rule: pointer to the audit rule to be freed - * - * This will free all memory associated with the given rule. - * If @rule is NULL, no operation is performed. - */ -void selinux_audit_rule_free(void *rule); - -/** - * selinux_audit_rule_match - determine if a context ID matches a rule. - * @sid: the context ID to check - * @field: the field this rule refers to - * @op: the operater the rule uses - * @rule: pointer to the audit rule to check against - * @actx: the audit context (can be NULL) associated with the check - * - * Returns 1 if the context id matches the rule, 0 if it does not, and - * -errno on failure. - */ -int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *rule, - struct audit_context *actx); - -/** - * selinux_audit_rule_known - check to see if rule contains selinux fields. - * @rule: rule to be checked - * Returns 1 if there are selinux fields specified in the rule, 0 otherwise. - */ -int selinux_audit_rule_known(struct audit_krule *krule); - -#endif /* _SELINUX_AUDIT_H */ - diff --git a/ANDROID_3.4.5/security/selinux/include/avc.h b/ANDROID_3.4.5/security/selinux/include/avc.h deleted file mode 100644 index 19313702..00000000 --- a/ANDROID_3.4.5/security/selinux/include/avc.h +++ /dev/null @@ -1,133 +0,0 @@ -/* - * Access vector cache interface for object managers. - * - * Author : Stephen Smalley, <sds@epoch.ncsc.mil> - */ -#ifndef _SELINUX_AVC_H_ -#define _SELINUX_AVC_H_ - -#include <linux/stddef.h> -#include <linux/errno.h> -#include <linux/kernel.h> -#include <linux/kdev_t.h> -#include <linux/spinlock.h> -#include <linux/init.h> -#include <linux/audit.h> -#include <linux/lsm_audit.h> -#include <linux/in6.h> -#include "flask.h" -#include "av_permissions.h" -#include "security.h" - -#ifdef CONFIG_SECURITY_SELINUX_DEVELOP -extern int selinux_enforcing; -#else -#define selinux_enforcing 1 -#endif - -/* - * An entry in the AVC. - */ -struct avc_entry; - -struct task_struct; -struct inode; -struct sock; -struct sk_buff; - -/* - * AVC statistics - */ -struct avc_cache_stats { - unsigned int lookups; - unsigned int misses; - unsigned int allocations; - unsigned int reclaims; - unsigned int frees; -}; - -/* - * We only need this data after we have decided to send an audit message. - */ -struct selinux_late_audit_data { - u32 ssid; - u32 tsid; - u16 tclass; - u32 requested; - u32 audited; - u32 denied; - int result; -}; - -/* - * We collect this at the beginning or during an selinux security operation - */ -struct selinux_audit_data { - /* - * auditdeny is a bit tricky and unintuitive. See the - * comments in avc.c for it's meaning and usage. - */ - u32 auditdeny; - struct selinux_late_audit_data *slad; -}; - -/* - * AVC operations - */ - -void __init avc_init(void); - -int avc_audit(u32 ssid, u32 tsid, - u16 tclass, u32 requested, - struct av_decision *avd, - int result, - struct common_audit_data *a, unsigned flags); - -#define AVC_STRICT 1 /* Ignore permissive mode. */ -int avc_has_perm_noaudit(u32 ssid, u32 tsid, - u16 tclass, u32 requested, - unsigned flags, - struct av_decision *avd); - -int avc_has_perm_flags(u32 ssid, u32 tsid, - u16 tclass, u32 requested, - struct common_audit_data *auditdata, - unsigned); - -static inline int avc_has_perm(u32 ssid, u32 tsid, - u16 tclass, u32 requested, - struct common_audit_data *auditdata) -{ - return avc_has_perm_flags(ssid, tsid, tclass, requested, auditdata, 0); -} - -u32 avc_policy_seqno(void); - -#define AVC_CALLBACK_GRANT 1 -#define AVC_CALLBACK_TRY_REVOKE 2 -#define AVC_CALLBACK_REVOKE 4 -#define AVC_CALLBACK_RESET 8 -#define AVC_CALLBACK_AUDITALLOW_ENABLE 16 -#define AVC_CALLBACK_AUDITALLOW_DISABLE 32 -#define AVC_CALLBACK_AUDITDENY_ENABLE 64 -#define AVC_CALLBACK_AUDITDENY_DISABLE 128 - -int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid, - u16 tclass, u32 perms, - u32 *out_retained), - u32 events, u32 ssid, u32 tsid, - u16 tclass, u32 perms); - -/* Exported to selinuxfs */ -int avc_get_hash_stats(char *page); -extern unsigned int avc_cache_threshold; - -/* Attempt to free avc node cache */ -void avc_disable(void); - -#ifdef CONFIG_SECURITY_SELINUX_AVC_STATS -DECLARE_PER_CPU(struct avc_cache_stats, avc_cache_stats); -#endif - -#endif /* _SELINUX_AVC_H_ */ - diff --git a/ANDROID_3.4.5/security/selinux/include/avc_ss.h b/ANDROID_3.4.5/security/selinux/include/avc_ss.h deleted file mode 100644 index d5c32845..00000000 --- a/ANDROID_3.4.5/security/selinux/include/avc_ss.h +++ /dev/null @@ -1,28 +0,0 @@ -/* - * Access vector cache interface for the security server. - * - * Author : Stephen Smalley, <sds@epoch.ncsc.mil> - */ -#ifndef _SELINUX_AVC_SS_H_ -#define _SELINUX_AVC_SS_H_ - -#include "flask.h" - -int avc_ss_reset(u32 seqno); - -/* Class/perm mapping support */ -struct security_class_mapping { - const char *name; - const char *perms[sizeof(u32) * 8 + 1]; -}; - -extern struct security_class_mapping secclass_map[]; - -/* - * The security server must be initialized before - * any labeling or access decisions can be provided. - */ -extern int ss_initialized; - -#endif /* _SELINUX_AVC_SS_H_ */ - diff --git a/ANDROID_3.4.5/security/selinux/include/classmap.h b/ANDROID_3.4.5/security/selinux/include/classmap.h deleted file mode 100644 index c9275002..00000000 --- a/ANDROID_3.4.5/security/selinux/include/classmap.h +++ /dev/null @@ -1,155 +0,0 @@ -#define COMMON_FILE_SOCK_PERMS "ioctl", "read", "write", "create", \ - "getattr", "setattr", "lock", "relabelfrom", "relabelto", "append" - -#define COMMON_FILE_PERMS COMMON_FILE_SOCK_PERMS, "unlink", "link", \ - "rename", "execute", "swapon", "quotaon", "mounton", "audit_access", \ - "open", "execmod" - -#define COMMON_SOCK_PERMS COMMON_FILE_SOCK_PERMS, "bind", "connect", \ - "listen", "accept", "getopt", "setopt", "shutdown", "recvfrom", \ - "sendto", "recv_msg", "send_msg", "name_bind" - -#define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \ - "write", "associate", "unix_read", "unix_write" - -/* - * Note: The name for any socket class should be suffixed by "socket", - * and doesn't contain more than one substr of "socket". - */ -struct security_class_mapping secclass_map[] = { - { "security", - { "compute_av", "compute_create", "compute_member", - "check_context", "load_policy", "compute_relabel", - "compute_user", "setenforce", "setbool", "setsecparam", - "setcheckreqprot", "read_policy", NULL } }, - { "process", - { "fork", "transition", "sigchld", "sigkill", - "sigstop", "signull", "signal", "ptrace", "getsched", "setsched", - "getsession", "getpgid", "setpgid", "getcap", "setcap", "share", - "getattr", "setexec", "setfscreate", "noatsecure", "siginh", - "setrlimit", "rlimitinh", "dyntransition", "setcurrent", - "execmem", "execstack", "execheap", "setkeycreate", - "setsockcreate", NULL } }, - { "system", - { "ipc_info", "syslog_read", "syslog_mod", - "syslog_console", "module_request", NULL } }, - { "capability", - { "chown", "dac_override", "dac_read_search", - "fowner", "fsetid", "kill", "setgid", "setuid", "setpcap", - "linux_immutable", "net_bind_service", "net_broadcast", - "net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module", - "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin", - "sys_boot", "sys_nice", "sys_resource", "sys_time", - "sys_tty_config", "mknod", "lease", "audit_write", - "audit_control", "setfcap", NULL } }, - { "filesystem", - { "mount", "remount", "unmount", "getattr", - "relabelfrom", "relabelto", "transition", "associate", "quotamod", - "quotaget", NULL } }, - { "file", - { COMMON_FILE_PERMS, - "execute_no_trans", "entrypoint", NULL } }, - { "dir", - { COMMON_FILE_PERMS, "add_name", "remove_name", - "reparent", "search", "rmdir", NULL } }, - { "fd", { "use", NULL } }, - { "lnk_file", - { COMMON_FILE_PERMS, NULL } }, - { "chr_file", - { COMMON_FILE_PERMS, NULL } }, - { "blk_file", - { COMMON_FILE_PERMS, NULL } }, - { "sock_file", - { COMMON_FILE_PERMS, NULL } }, - { "fifo_file", - { COMMON_FILE_PERMS, NULL } }, - { "socket", - { COMMON_SOCK_PERMS, NULL } }, - { "tcp_socket", - { COMMON_SOCK_PERMS, - "connectto", "newconn", "acceptfrom", "node_bind", "name_connect", - NULL } }, - { "udp_socket", - { COMMON_SOCK_PERMS, - "node_bind", NULL } }, - { "rawip_socket", - { COMMON_SOCK_PERMS, - "node_bind", NULL } }, - { "node", - { "tcp_recv", "tcp_send", "udp_recv", "udp_send", - "rawip_recv", "rawip_send", "enforce_dest", - "dccp_recv", "dccp_send", "recvfrom", "sendto", NULL } }, - { "netif", - { "tcp_recv", "tcp_send", "udp_recv", "udp_send", - "rawip_recv", "rawip_send", "dccp_recv", "dccp_send", - "ingress", "egress", NULL } }, - { "netlink_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "packet_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "key_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "unix_stream_socket", - { COMMON_SOCK_PERMS, "connectto", "newconn", "acceptfrom", NULL - } }, - { "unix_dgram_socket", - { COMMON_SOCK_PERMS, NULL - } }, - { "sem", - { COMMON_IPC_PERMS, NULL } }, - { "msg", { "send", "receive", NULL } }, - { "msgq", - { COMMON_IPC_PERMS, "enqueue", NULL } }, - { "shm", - { COMMON_IPC_PERMS, "lock", NULL } }, - { "ipc", - { COMMON_IPC_PERMS, NULL } }, - { "netlink_route_socket", - { COMMON_SOCK_PERMS, - "nlmsg_read", "nlmsg_write", NULL } }, - { "netlink_firewall_socket", - { COMMON_SOCK_PERMS, - "nlmsg_read", "nlmsg_write", NULL } }, - { "netlink_tcpdiag_socket", - { COMMON_SOCK_PERMS, - "nlmsg_read", "nlmsg_write", NULL } }, - { "netlink_nflog_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "netlink_xfrm_socket", - { COMMON_SOCK_PERMS, - "nlmsg_read", "nlmsg_write", NULL } }, - { "netlink_selinux_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "netlink_audit_socket", - { COMMON_SOCK_PERMS, - "nlmsg_read", "nlmsg_write", "nlmsg_relay", "nlmsg_readpriv", - "nlmsg_tty_audit", NULL } }, - { "netlink_ip6fw_socket", - { COMMON_SOCK_PERMS, - "nlmsg_read", "nlmsg_write", NULL } }, - { "netlink_dnrt_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "association", - { "sendto", "recvfrom", "setcontext", "polmatch", NULL } }, - { "netlink_kobject_uevent_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "appletalk_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "packet", - { "send", "recv", "relabelto", "forward_in", "forward_out", NULL } }, - { "key", - { "view", "read", "write", "search", "link", "setattr", "create", - NULL } }, - { "dccp_socket", - { COMMON_SOCK_PERMS, - "node_bind", "name_connect", NULL } }, - { "memprotect", { "mmap_zero", NULL } }, - { "peer", { "recv", NULL } }, - { "capability2", - { "mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend", - NULL } }, - { "kernel_service", { "use_as_override", "create_files_as", NULL } }, - { "tun_socket", - { COMMON_SOCK_PERMS, NULL } }, - { NULL } - }; diff --git a/ANDROID_3.4.5/security/selinux/include/conditional.h b/ANDROID_3.4.5/security/selinux/include/conditional.h deleted file mode 100644 index 67ce7a8d..00000000 --- a/ANDROID_3.4.5/security/selinux/include/conditional.h +++ /dev/null @@ -1,22 +0,0 @@ -/* - * Interface to booleans in the security server. This is exported - * for the selinuxfs. - * - * Author: Karl MacMillan <kmacmillan@tresys.com> - * - * Copyright (C) 2003 - 2004 Tresys Technology, LLC - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, version 2. - */ - -#ifndef _SELINUX_CONDITIONAL_H_ -#define _SELINUX_CONDITIONAL_H_ - -int security_get_bools(int *len, char ***names, int **values); - -int security_set_bools(int len, int *values); - -int security_get_bool_value(int bool); - -#endif diff --git a/ANDROID_3.4.5/security/selinux/include/initial_sid_to_string.h b/ANDROID_3.4.5/security/selinux/include/initial_sid_to_string.h deleted file mode 100644 index a59b64e3..00000000 --- a/ANDROID_3.4.5/security/selinux/include/initial_sid_to_string.h +++ /dev/null @@ -1,33 +0,0 @@ -/* This file is automatically generated. Do not edit. */ -static const char *initial_sid_to_string[] = -{ - "null", - "kernel", - "security", - "unlabeled", - "fs", - "file", - "file_labels", - "init", - "any_socket", - "port", - "netif", - "netmsg", - "node", - "igmp_packet", - "icmp_socket", - "tcp_socket", - "sysctl_modprobe", - "sysctl", - "sysctl_fs", - "sysctl_kernel", - "sysctl_net", - "sysctl_net_unix", - "sysctl_vm", - "sysctl_dev", - "kmod", - "policy", - "scmp_packet", - "devnull", -}; - diff --git a/ANDROID_3.4.5/security/selinux/include/netif.h b/ANDROID_3.4.5/security/selinux/include/netif.h deleted file mode 100644 index 43d50724..00000000 --- a/ANDROID_3.4.5/security/selinux/include/netif.h +++ /dev/null @@ -1,23 +0,0 @@ -/* - * Network interface table. - * - * Network interfaces (devices) do not have a security field, so we - * maintain a table associating each interface with a SID. - * - * Author: James Morris <jmorris@redhat.com> - * - * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> - * Copyright (C) 2007 Hewlett-Packard Development Company, L.P. - * Paul Moore <paul@paul-moore.com> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2, - * as published by the Free Software Foundation. - */ -#ifndef _SELINUX_NETIF_H_ -#define _SELINUX_NETIF_H_ - -int sel_netif_sid(int ifindex, u32 *sid); - -#endif /* _SELINUX_NETIF_H_ */ - diff --git a/ANDROID_3.4.5/security/selinux/include/netlabel.h b/ANDROID_3.4.5/security/selinux/include/netlabel.h deleted file mode 100644 index 8c59b8f1..00000000 --- a/ANDROID_3.4.5/security/selinux/include/netlabel.h +++ /dev/null @@ -1,149 +0,0 @@ -/* - * SELinux interface to the NetLabel subsystem - * - * Author: Paul Moore <paul@paul-moore.com> - * - */ - -/* - * (c) Copyright Hewlett-Packard Development Company, L.P., 2006 - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See - * the GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - * - */ - -#ifndef _SELINUX_NETLABEL_H_ -#define _SELINUX_NETLABEL_H_ - -#include <linux/types.h> -#include <linux/fs.h> -#include <linux/net.h> -#include <linux/skbuff.h> -#include <net/sock.h> -#include <net/request_sock.h> - -#include "avc.h" -#include "objsec.h" - -#ifdef CONFIG_NETLABEL -void selinux_netlbl_cache_invalidate(void); - -void selinux_netlbl_err(struct sk_buff *skb, int error, int gateway); - -void selinux_netlbl_sk_security_free(struct sk_security_struct *sksec); -void selinux_netlbl_sk_security_reset(struct sk_security_struct *sksec); - -int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, - u16 family, - u32 *type, - u32 *sid); -int selinux_netlbl_skbuff_setsid(struct sk_buff *skb, - u16 family, - u32 sid); - -int selinux_netlbl_inet_conn_request(struct request_sock *req, u16 family); -void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family); -int selinux_netlbl_socket_post_create(struct sock *sk, u16 family); -int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, - struct sk_buff *skb, - u16 family, - struct common_audit_data *ad); -int selinux_netlbl_socket_setsockopt(struct socket *sock, - int level, - int optname); -int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr); - -#else -static inline void selinux_netlbl_cache_invalidate(void) -{ - return; -} - -static inline void selinux_netlbl_err(struct sk_buff *skb, - int error, - int gateway) -{ - return; -} - -static inline void selinux_netlbl_sk_security_free( - struct sk_security_struct *sksec) -{ - return; -} - -static inline void selinux_netlbl_sk_security_reset( - struct sk_security_struct *sksec) -{ - return; -} - -static inline int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, - u16 family, - u32 *type, - u32 *sid) -{ - *type = NETLBL_NLTYPE_NONE; - *sid = SECSID_NULL; - return 0; -} -static inline int selinux_netlbl_skbuff_setsid(struct sk_buff *skb, - u16 family, - u32 sid) -{ - return 0; -} - -static inline int selinux_netlbl_conn_setsid(struct sock *sk, - struct sockaddr *addr) -{ - return 0; -} - -static inline int selinux_netlbl_inet_conn_request(struct request_sock *req, - u16 family) -{ - return 0; -} -static inline void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family) -{ - return; -} -static inline int selinux_netlbl_socket_post_create(struct sock *sk, - u16 family) -{ - return 0; -} -static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, - struct sk_buff *skb, - u16 family, - struct common_audit_data *ad) -{ - return 0; -} -static inline int selinux_netlbl_socket_setsockopt(struct socket *sock, - int level, - int optname) -{ - return 0; -} -static inline int selinux_netlbl_socket_connect(struct sock *sk, - struct sockaddr *addr) -{ - return 0; -} -#endif /* CONFIG_NETLABEL */ - -#endif diff --git a/ANDROID_3.4.5/security/selinux/include/netnode.h b/ANDROID_3.4.5/security/selinux/include/netnode.h deleted file mode 100644 index df7a5ed6..00000000 --- a/ANDROID_3.4.5/security/selinux/include/netnode.h +++ /dev/null @@ -1,32 +0,0 @@ -/* - * Network node table - * - * SELinux must keep a mapping of network nodes to labels/SIDs. This - * mapping is maintained as part of the normal policy but a fast cache is - * needed to reduce the lookup overhead since most of these queries happen on - * a per-packet basis. - * - * Author: Paul Moore <paul@paul-moore.com> - * - */ - -/* - * (c) Copyright Hewlett-Packard Development Company, L.P., 2007 - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of version 2 of the GNU General Public License as - * published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - */ - -#ifndef _SELINUX_NETNODE_H -#define _SELINUX_NETNODE_H - -int sel_netnode_sid(void *addr, u16 family, u32 *sid); - -#endif diff --git a/ANDROID_3.4.5/security/selinux/include/netport.h b/ANDROID_3.4.5/security/selinux/include/netport.h deleted file mode 100644 index 4d965b83..00000000 --- a/ANDROID_3.4.5/security/selinux/include/netport.h +++ /dev/null @@ -1,31 +0,0 @@ -/* - * Network port table - * - * SELinux must keep a mapping of network ports to labels/SIDs. This - * mapping is maintained as part of the normal policy but a fast cache is - * needed to reduce the lookup overhead. - * - * Author: Paul Moore <paul@paul-moore.com> - * - */ - -/* - * (c) Copyright Hewlett-Packard Development Company, L.P., 2008 - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of version 2 of the GNU General Public License as - * published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - */ - -#ifndef _SELINUX_NETPORT_H -#define _SELINUX_NETPORT_H - -int sel_netport_sid(u8 protocol, u16 pnum, u32 *sid); - -#endif diff --git a/ANDROID_3.4.5/security/selinux/include/objsec.h b/ANDROID_3.4.5/security/selinux/include/objsec.h deleted file mode 100644 index 26c7eee1..00000000 --- a/ANDROID_3.4.5/security/selinux/include/objsec.h +++ /dev/null @@ -1,119 +0,0 @@ -/* - * NSA Security-Enhanced Linux (SELinux) security module - * - * This file contains the SELinux security data structures for kernel objects. - * - * Author(s): Stephen Smalley, <sds@epoch.ncsc.mil> - * Chris Vance, <cvance@nai.com> - * Wayne Salamon, <wsalamon@nai.com> - * James Morris <jmorris@redhat.com> - * - * Copyright (C) 2001,2002 Networks Associates Technology, Inc. - * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2, - * as published by the Free Software Foundation. - */ -#ifndef _SELINUX_OBJSEC_H_ -#define _SELINUX_OBJSEC_H_ - -#include <linux/list.h> -#include <linux/sched.h> -#include <linux/fs.h> -#include <linux/binfmts.h> -#include <linux/in.h> -#include <linux/spinlock.h> -#include "flask.h" -#include "avc.h" - -struct task_security_struct { - u32 osid; /* SID prior to last execve */ - u32 sid; /* current SID */ - u32 exec_sid; /* exec SID */ - u32 create_sid; /* fscreate SID */ - u32 keycreate_sid; /* keycreate SID */ - u32 sockcreate_sid; /* fscreate SID */ -}; - -struct inode_security_struct { - struct inode *inode; /* back pointer to inode object */ - struct list_head list; /* list of inode_security_struct */ - u32 task_sid; /* SID of creating task */ - u32 sid; /* SID of this object */ - u16 sclass; /* security class of this object */ - unsigned char initialized; /* initialization flag */ - struct mutex lock; -}; - -struct file_security_struct { - u32 sid; /* SID of open file description */ - u32 fown_sid; /* SID of file owner (for SIGIO) */ - u32 isid; /* SID of inode at the time of file open */ - u32 pseqno; /* Policy seqno at the time of file open */ -}; - -struct superblock_security_struct { - struct super_block *sb; /* back pointer to sb object */ - u32 sid; /* SID of file system superblock */ - u32 def_sid; /* default SID for labeling */ - u32 mntpoint_sid; /* SECURITY_FS_USE_MNTPOINT context for files */ - unsigned int behavior; /* labeling behavior */ - unsigned char flags; /* which mount options were specified */ - struct mutex lock; - struct list_head isec_head; - spinlock_t isec_lock; -}; - -struct msg_security_struct { - u32 sid; /* SID of message */ -}; - -struct ipc_security_struct { - u16 sclass; /* security class of this object */ - u32 sid; /* SID of IPC resource */ -}; - -struct netif_security_struct { - int ifindex; /* device index */ - u32 sid; /* SID for this interface */ -}; - -struct netnode_security_struct { - union { - __be32 ipv4; /* IPv4 node address */ - struct in6_addr ipv6; /* IPv6 node address */ - } addr; - u32 sid; /* SID for this node */ - u16 family; /* address family */ -}; - -struct netport_security_struct { - u32 sid; /* SID for this node */ - u16 port; /* port number */ - u8 protocol; /* transport protocol */ -}; - -struct sk_security_struct { -#ifdef CONFIG_NETLABEL - enum { /* NetLabel state */ - NLBL_UNSET = 0, - NLBL_REQUIRE, - NLBL_LABELED, - NLBL_REQSKB, - NLBL_CONNLABELED, - } nlbl_state; - struct netlbl_lsm_secattr *nlbl_secattr; /* NetLabel sec attributes */ -#endif - u32 sid; /* SID of this object */ - u32 peer_sid; /* SID of peer */ - u16 sclass; /* sock security class */ -}; - -struct key_security_struct { - u32 sid; /* SID of key */ -}; - -extern unsigned int selinux_checkreqprot; - -#endif /* _SELINUX_OBJSEC_H_ */ diff --git a/ANDROID_3.4.5/security/selinux/include/security.h b/ANDROID_3.4.5/security/selinux/include/security.h deleted file mode 100644 index d871e8ad..00000000 --- a/ANDROID_3.4.5/security/selinux/include/security.h +++ /dev/null @@ -1,229 +0,0 @@ -/* - * Security server interface. - * - * Author : Stephen Smalley, <sds@epoch.ncsc.mil> - * - */ - -#ifndef _SELINUX_SECURITY_H_ -#define _SELINUX_SECURITY_H_ - -#include <linux/dcache.h> -#include <linux/magic.h> -#include <linux/types.h> -#include "flask.h" - -#define SECSID_NULL 0x00000000 /* unspecified SID */ -#define SECSID_WILD 0xffffffff /* wildcard SID */ -#define SECCLASS_NULL 0x0000 /* no class */ - -/* Identify specific policy version changes */ -#define POLICYDB_VERSION_BASE 15 -#define POLICYDB_VERSION_BOOL 16 -#define POLICYDB_VERSION_IPV6 17 -#define POLICYDB_VERSION_NLCLASS 18 -#define POLICYDB_VERSION_VALIDATETRANS 19 -#define POLICYDB_VERSION_MLS 19 -#define POLICYDB_VERSION_AVTAB 20 -#define POLICYDB_VERSION_RANGETRANS 21 -#define POLICYDB_VERSION_POLCAP 22 -#define POLICYDB_VERSION_PERMISSIVE 23 -#define POLICYDB_VERSION_BOUNDARY 24 -#define POLICYDB_VERSION_FILENAME_TRANS 25 -#define POLICYDB_VERSION_ROLETRANS 26 - -/* Range of policy versions we understand*/ -#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE -#ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX -#define POLICYDB_VERSION_MAX CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE -#else -#define POLICYDB_VERSION_MAX POLICYDB_VERSION_ROLETRANS -#endif - -/* Mask for just the mount related flags */ -#define SE_MNTMASK 0x0f -/* Super block security struct flags for mount options */ -#define CONTEXT_MNT 0x01 -#define FSCONTEXT_MNT 0x02 -#define ROOTCONTEXT_MNT 0x04 -#define DEFCONTEXT_MNT 0x08 -/* Non-mount related flags */ -#define SE_SBINITIALIZED 0x10 -#define SE_SBPROC 0x20 -#define SE_SBLABELSUPP 0x40 - -#define CONTEXT_STR "context=" -#define FSCONTEXT_STR "fscontext=" -#define ROOTCONTEXT_STR "rootcontext=" -#define DEFCONTEXT_STR "defcontext=" -#define LABELSUPP_STR "seclabel" - -struct netlbl_lsm_secattr; - -extern int selinux_enabled; - -/* Policy capabilities */ -enum { - POLICYDB_CAPABILITY_NETPEER, - POLICYDB_CAPABILITY_OPENPERM, - __POLICYDB_CAPABILITY_MAX -}; -#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1) - -extern int selinux_policycap_netpeer; -extern int selinux_policycap_openperm; - -/* - * type_datum properties - * available at the kernel policy version >= POLICYDB_VERSION_BOUNDARY - */ -#define TYPEDATUM_PROPERTY_PRIMARY 0x0001 -#define TYPEDATUM_PROPERTY_ATTRIBUTE 0x0002 - -/* limitation of boundary depth */ -#define POLICYDB_BOUNDS_MAXDEPTH 4 - -int security_mls_enabled(void); - -int security_load_policy(void *data, size_t len); -int security_read_policy(void **data, size_t *len); -size_t security_policydb_len(void); - -int security_policycap_supported(unsigned int req_cap); - -#define SEL_VEC_MAX 32 -struct av_decision { - u32 allowed; - u32 auditallow; - u32 auditdeny; - u32 seqno; - u32 flags; -}; - -/* definitions of av_decision.flags */ -#define AVD_FLAGS_PERMISSIVE 0x0001 - -void security_compute_av(u32 ssid, u32 tsid, - u16 tclass, struct av_decision *avd); - -void security_compute_av_user(u32 ssid, u32 tsid, - u16 tclass, struct av_decision *avd); - -int security_transition_sid(u32 ssid, u32 tsid, u16 tclass, - const struct qstr *qstr, u32 *out_sid); - -int security_transition_sid_user(u32 ssid, u32 tsid, u16 tclass, - const char *objname, u32 *out_sid); - -int security_member_sid(u32 ssid, u32 tsid, - u16 tclass, u32 *out_sid); - -int security_change_sid(u32 ssid, u32 tsid, - u16 tclass, u32 *out_sid); - -int security_sid_to_context(u32 sid, char **scontext, - u32 *scontext_len); - -int security_sid_to_context_force(u32 sid, char **scontext, u32 *scontext_len); - -int security_context_to_sid(const char *scontext, u32 scontext_len, - u32 *out_sid); - -int security_context_to_sid_default(const char *scontext, u32 scontext_len, - u32 *out_sid, u32 def_sid, gfp_t gfp_flags); - -int security_context_to_sid_force(const char *scontext, u32 scontext_len, - u32 *sid); - -int security_get_user_sids(u32 callsid, char *username, - u32 **sids, u32 *nel); - -int security_port_sid(u8 protocol, u16 port, u32 *out_sid); - -int security_netif_sid(char *name, u32 *if_sid); - -int security_node_sid(u16 domain, void *addr, u32 addrlen, - u32 *out_sid); - -int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, - u16 tclass); - -int security_bounded_transition(u32 oldsid, u32 newsid); - -int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid); - -int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type, - u32 xfrm_sid, - u32 *peer_sid); - -int security_get_classes(char ***classes, int *nclasses); -int security_get_permissions(char *class, char ***perms, int *nperms); -int security_get_reject_unknown(void); -int security_get_allow_unknown(void); - -#define SECURITY_FS_USE_XATTR 1 /* use xattr */ -#define SECURITY_FS_USE_TRANS 2 /* use transition SIDs, e.g. devpts/tmpfs */ -#define SECURITY_FS_USE_TASK 3 /* use task SIDs, e.g. pipefs/sockfs */ -#define SECURITY_FS_USE_GENFS 4 /* use the genfs support */ -#define SECURITY_FS_USE_NONE 5 /* no labeling support */ -#define SECURITY_FS_USE_MNTPOINT 6 /* use mountpoint labeling */ - -int security_fs_use(const char *fstype, unsigned int *behavior, - u32 *sid); - -int security_genfs_sid(const char *fstype, char *name, u16 sclass, - u32 *sid); - -#ifdef CONFIG_NETLABEL -int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr, - u32 *sid); - -int security_netlbl_sid_to_secattr(u32 sid, - struct netlbl_lsm_secattr *secattr); -#else -static inline int security_netlbl_secattr_to_sid( - struct netlbl_lsm_secattr *secattr, - u32 *sid) -{ - return -EIDRM; -} - -static inline int security_netlbl_sid_to_secattr(u32 sid, - struct netlbl_lsm_secattr *secattr) -{ - return -ENOENT; -} -#endif /* CONFIG_NETLABEL */ - -const char *security_get_initial_sid_context(u32 sid); - -/* - * status notifier using mmap interface - */ -extern struct page *selinux_kernel_status_page(void); - -#define SELINUX_KERNEL_STATUS_VERSION 1 -struct selinux_kernel_status { - u32 version; /* version number of thie structure */ - u32 sequence; /* sequence number of seqlock logic */ - u32 enforcing; /* current setting of enforcing mode */ - u32 policyload; /* times of policy reloaded */ - u32 deny_unknown; /* current setting of deny_unknown */ - /* - * The version > 0 supports above members. - */ -} __attribute__((packed)); - -extern void selinux_status_update_setenforce(int enforcing); -extern void selinux_status_update_policyload(int seqno); -extern void selinux_complete_init(void); -extern int selinux_disable(void); -extern void exit_sel_fs(void); -extern struct dentry *selinux_null; -extern struct vfsmount *selinuxfs_mount; -extern void selnl_notify_setenforce(int val); -extern void selnl_notify_policyload(u32 seqno); -extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm); - -#endif /* _SELINUX_SECURITY_H_ */ - diff --git a/ANDROID_3.4.5/security/selinux/include/xfrm.h b/ANDROID_3.4.5/security/selinux/include/xfrm.h deleted file mode 100644 index c220f314..00000000 --- a/ANDROID_3.4.5/security/selinux/include/xfrm.h +++ /dev/null @@ -1,90 +0,0 @@ -/* - * SELinux support for the XFRM LSM hooks - * - * Author : Trent Jaeger, <jaegert@us.ibm.com> - * Updated : Venkat Yekkirala, <vyekkirala@TrustedCS.com> - */ -#ifndef _SELINUX_XFRM_H_ -#define _SELINUX_XFRM_H_ - -#include <net/flow.h> - -int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp, - struct xfrm_user_sec_ctx *sec_ctx); -int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, - struct xfrm_sec_ctx **new_ctxp); -void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx); -int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx); -int selinux_xfrm_state_alloc(struct xfrm_state *x, - struct xfrm_user_sec_ctx *sec_ctx, u32 secid); -void selinux_xfrm_state_free(struct xfrm_state *x); -int selinux_xfrm_state_delete(struct xfrm_state *x); -int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir); -int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, - struct xfrm_policy *xp, const struct flowi *fl); - -/* - * Extract the security blob from the sock (it's actually on the socket) - */ -static inline struct inode_security_struct *get_sock_isec(struct sock *sk) -{ - if (!sk->sk_socket) - return NULL; - - return SOCK_INODE(sk->sk_socket)->i_security; -} - -#ifdef CONFIG_SECURITY_NETWORK_XFRM -extern atomic_t selinux_xfrm_refcount; - -static inline int selinux_xfrm_enabled(void) -{ - return (atomic_read(&selinux_xfrm_refcount) > 0); -} - -int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb, - struct common_audit_data *ad); -int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, - struct common_audit_data *ad, u8 proto); -int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall); - -static inline void selinux_xfrm_notify_policyload(void) -{ - atomic_inc(&flow_cache_genid); -} -#else -static inline int selinux_xfrm_enabled(void) -{ - return 0; -} - -static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb, - struct common_audit_data *ad) -{ - return 0; -} - -static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, - struct common_audit_data *ad, u8 proto) -{ - return 0; -} - -static inline int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall) -{ - *sid = SECSID_NULL; - return 0; -} - -static inline void selinux_xfrm_notify_policyload(void) -{ -} -#endif - -static inline void selinux_skb_xfrm_sid(struct sk_buff *skb, u32 *sid) -{ - int err = selinux_xfrm_decode_session(skb, sid, 0); - BUG_ON(err); -} - -#endif /* _SELINUX_XFRM_H_ */ diff --git a/ANDROID_3.4.5/security/selinux/netif.c b/ANDROID_3.4.5/security/selinux/netif.c deleted file mode 100644 index 326f22cb..00000000 --- a/ANDROID_3.4.5/security/selinux/netif.c +++ /dev/null @@ -1,304 +0,0 @@ -/* - * Network interface table. - * - * Network interfaces (devices) do not have a security field, so we - * maintain a table associating each interface with a SID. - * - * Author: James Morris <jmorris@redhat.com> - * - * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> - * Copyright (C) 2007 Hewlett-Packard Development Company, L.P. - * Paul Moore <paul@paul-moore.com> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2, - * as published by the Free Software Foundation. - */ -#include <linux/init.h> -#include <linux/types.h> -#include <linux/slab.h> -#include <linux/stddef.h> -#include <linux/kernel.h> -#include <linux/list.h> -#include <linux/notifier.h> -#include <linux/netdevice.h> -#include <linux/rcupdate.h> -#include <net/net_namespace.h> - -#include "security.h" -#include "objsec.h" -#include "netif.h" - -#define SEL_NETIF_HASH_SIZE 64 -#define SEL_NETIF_HASH_MAX 1024 - -struct sel_netif { - struct list_head list; - struct netif_security_struct nsec; - struct rcu_head rcu_head; -}; - -static u32 sel_netif_total; -static LIST_HEAD(sel_netif_list); -static DEFINE_SPINLOCK(sel_netif_lock); -static struct list_head sel_netif_hash[SEL_NETIF_HASH_SIZE]; - -/** - * sel_netif_hashfn - Hashing function for the interface table - * @ifindex: the network interface - * - * Description: - * This is the hashing function for the network interface table, it returns the - * bucket number for the given interface. - * - */ -static inline u32 sel_netif_hashfn(int ifindex) -{ - return (ifindex & (SEL_NETIF_HASH_SIZE - 1)); -} - -/** - * sel_netif_find - Search for an interface record - * @ifindex: the network interface - * - * Description: - * Search the network interface table and return the record matching @ifindex. - * If an entry can not be found in the table return NULL. - * - */ -static inline struct sel_netif *sel_netif_find(int ifindex) -{ - int idx = sel_netif_hashfn(ifindex); - struct sel_netif *netif; - - list_for_each_entry_rcu(netif, &sel_netif_hash[idx], list) - /* all of the devices should normally fit in the hash, so we - * optimize for that case */ - if (likely(netif->nsec.ifindex == ifindex)) - return netif; - - return NULL; -} - -/** - * sel_netif_insert - Insert a new interface into the table - * @netif: the new interface record - * - * Description: - * Add a new interface record to the network interface hash table. Returns - * zero on success, negative values on failure. - * - */ -static int sel_netif_insert(struct sel_netif *netif) -{ - int idx; - - if (sel_netif_total >= SEL_NETIF_HASH_MAX) - return -ENOSPC; - - idx = sel_netif_hashfn(netif->nsec.ifindex); - list_add_rcu(&netif->list, &sel_netif_hash[idx]); - sel_netif_total++; - - return 0; -} - -/** - * sel_netif_destroy - Remove an interface record from the table - * @netif: the existing interface record - * - * Description: - * Remove an existing interface record from the network interface table. - * - */ -static void sel_netif_destroy(struct sel_netif *netif) -{ - list_del_rcu(&netif->list); - sel_netif_total--; - kfree_rcu(netif, rcu_head); -} - -/** - * sel_netif_sid_slow - Lookup the SID of a network interface using the policy - * @ifindex: the network interface - * @sid: interface SID - * - * Description: - * This function determines the SID of a network interface by quering the - * security policy. The result is added to the network interface table to - * speedup future queries. Returns zero on success, negative values on - * failure. - * - */ -static int sel_netif_sid_slow(int ifindex, u32 *sid) -{ - int ret; - struct sel_netif *netif; - struct sel_netif *new = NULL; - struct net_device *dev; - - /* NOTE: we always use init's network namespace since we don't - * currently support containers */ - - dev = dev_get_by_index(&init_net, ifindex); - if (unlikely(dev == NULL)) { - printk(KERN_WARNING - "SELinux: failure in sel_netif_sid_slow()," - " invalid network interface (%d)\n", ifindex); - return -ENOENT; - } - - spin_lock_bh(&sel_netif_lock); - netif = sel_netif_find(ifindex); - if (netif != NULL) { - *sid = netif->nsec.sid; - ret = 0; - goto out; - } - new = kzalloc(sizeof(*new), GFP_ATOMIC); - if (new == NULL) { - ret = -ENOMEM; - goto out; - } - ret = security_netif_sid(dev->name, &new->nsec.sid); - if (ret != 0) - goto out; - new->nsec.ifindex = ifindex; - ret = sel_netif_insert(new); - if (ret != 0) - goto out; - *sid = new->nsec.sid; - -out: - spin_unlock_bh(&sel_netif_lock); - dev_put(dev); - if (unlikely(ret)) { - printk(KERN_WARNING - "SELinux: failure in sel_netif_sid_slow()," - " unable to determine network interface label (%d)\n", - ifindex); - kfree(new); - } - return ret; -} - -/** - * sel_netif_sid - Lookup the SID of a network interface - * @ifindex: the network interface - * @sid: interface SID - * - * Description: - * This function determines the SID of a network interface using the fastest - * method possible. First the interface table is queried, but if an entry - * can't be found then the policy is queried and the result is added to the - * table to speedup future queries. Returns zero on success, negative values - * on failure. - * - */ -int sel_netif_sid(int ifindex, u32 *sid) -{ - struct sel_netif *netif; - - rcu_read_lock(); - netif = sel_netif_find(ifindex); - if (likely(netif != NULL)) { - *sid = netif->nsec.sid; - rcu_read_unlock(); - return 0; - } - rcu_read_unlock(); - - return sel_netif_sid_slow(ifindex, sid); -} - -/** - * sel_netif_kill - Remove an entry from the network interface table - * @ifindex: the network interface - * - * Description: - * This function removes the entry matching @ifindex from the network interface - * table if it exists. - * - */ -static void sel_netif_kill(int ifindex) -{ - struct sel_netif *netif; - - rcu_read_lock(); - spin_lock_bh(&sel_netif_lock); - netif = sel_netif_find(ifindex); - if (netif) - sel_netif_destroy(netif); - spin_unlock_bh(&sel_netif_lock); - rcu_read_unlock(); -} - -/** - * sel_netif_flush - Flush the entire network interface table - * - * Description: - * Remove all entries from the network interface table. - * - */ -static void sel_netif_flush(void) -{ - int idx; - struct sel_netif *netif; - - spin_lock_bh(&sel_netif_lock); - for (idx = 0; idx < SEL_NETIF_HASH_SIZE; idx++) - list_for_each_entry(netif, &sel_netif_hash[idx], list) - sel_netif_destroy(netif); - spin_unlock_bh(&sel_netif_lock); -} - -static int sel_netif_avc_callback(u32 event, u32 ssid, u32 tsid, - u16 class, u32 perms, u32 *retained) -{ - if (event == AVC_CALLBACK_RESET) { - sel_netif_flush(); - synchronize_net(); - } - return 0; -} - -static int sel_netif_netdev_notifier_handler(struct notifier_block *this, - unsigned long event, void *ptr) -{ - struct net_device *dev = ptr; - - if (dev_net(dev) != &init_net) - return NOTIFY_DONE; - - if (event == NETDEV_DOWN) - sel_netif_kill(dev->ifindex); - - return NOTIFY_DONE; -} - -static struct notifier_block sel_netif_netdev_notifier = { - .notifier_call = sel_netif_netdev_notifier_handler, -}; - -static __init int sel_netif_init(void) -{ - int i, err; - - if (!selinux_enabled) - return 0; - - for (i = 0; i < SEL_NETIF_HASH_SIZE; i++) - INIT_LIST_HEAD(&sel_netif_hash[i]); - - register_netdevice_notifier(&sel_netif_netdev_notifier); - - err = avc_add_callback(sel_netif_avc_callback, AVC_CALLBACK_RESET, - SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0); - if (err) - panic("avc_add_callback() failed, error %d\n", err); - - return err; -} - -__initcall(sel_netif_init); - diff --git a/ANDROID_3.4.5/security/selinux/netlabel.c b/ANDROID_3.4.5/security/selinux/netlabel.c deleted file mode 100644 index da4b8b23..00000000 --- a/ANDROID_3.4.5/security/selinux/netlabel.c +++ /dev/null @@ -1,470 +0,0 @@ -/* - * SELinux NetLabel Support - * - * This file provides the necessary glue to tie NetLabel into the SELinux - * subsystem. - * - * Author: Paul Moore <paul@paul-moore.com> - * - */ - -/* - * (c) Copyright Hewlett-Packard Development Company, L.P., 2007, 2008 - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See - * the GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - * - */ - -#include <linux/spinlock.h> -#include <linux/rcupdate.h> -#include <linux/gfp.h> -#include <linux/ip.h> -#include <linux/ipv6.h> -#include <net/sock.h> -#include <net/netlabel.h> -#include <net/ip.h> -#include <net/ipv6.h> - -#include "objsec.h" -#include "security.h" -#include "netlabel.h" - -/** - * selinux_netlbl_sidlookup_cached - Cache a SID lookup - * @skb: the packet - * @secattr: the NetLabel security attributes - * @sid: the SID - * - * Description: - * Query the SELinux security server to lookup the correct SID for the given - * security attributes. If the query is successful, cache the result to speed - * up future lookups. Returns zero on success, negative values on failure. - * - */ -static int selinux_netlbl_sidlookup_cached(struct sk_buff *skb, - struct netlbl_lsm_secattr *secattr, - u32 *sid) -{ - int rc; - - rc = security_netlbl_secattr_to_sid(secattr, sid); - if (rc == 0 && - (secattr->flags & NETLBL_SECATTR_CACHEABLE) && - (secattr->flags & NETLBL_SECATTR_CACHE)) - netlbl_cache_add(skb, secattr); - - return rc; -} - -/** - * selinux_netlbl_sock_genattr - Generate the NetLabel socket secattr - * @sk: the socket - * - * Description: - * Generate the NetLabel security attributes for a socket, making full use of - * the socket's attribute cache. Returns a pointer to the security attributes - * on success, NULL on failure. - * - */ -static struct netlbl_lsm_secattr *selinux_netlbl_sock_genattr(struct sock *sk) -{ - int rc; - struct sk_security_struct *sksec = sk->sk_security; - struct netlbl_lsm_secattr *secattr; - - if (sksec->nlbl_secattr != NULL) - return sksec->nlbl_secattr; - - secattr = netlbl_secattr_alloc(GFP_ATOMIC); - if (secattr == NULL) - return NULL; - rc = security_netlbl_sid_to_secattr(sksec->sid, secattr); - if (rc != 0) { - netlbl_secattr_free(secattr); - return NULL; - } - sksec->nlbl_secattr = secattr; - - return secattr; -} - -/** - * selinux_netlbl_cache_invalidate - Invalidate the NetLabel cache - * - * Description: - * Invalidate the NetLabel security attribute mapping cache. - * - */ -void selinux_netlbl_cache_invalidate(void) -{ - netlbl_cache_invalidate(); -} - -/** - * selinux_netlbl_err - Handle a NetLabel packet error - * @skb: the packet - * @error: the error code - * @gateway: true if host is acting as a gateway, false otherwise - * - * Description: - * When a packet is dropped due to a call to avc_has_perm() pass the error - * code to the NetLabel subsystem so any protocol specific processing can be - * done. This is safe to call even if you are unsure if NetLabel labeling is - * present on the packet, NetLabel is smart enough to only act when it should. - * - */ -void selinux_netlbl_err(struct sk_buff *skb, int error, int gateway) -{ - netlbl_skbuff_err(skb, error, gateway); -} - -/** - * selinux_netlbl_sk_security_free - Free the NetLabel fields - * @sksec: the sk_security_struct - * - * Description: - * Free all of the memory in the NetLabel fields of a sk_security_struct. - * - */ -void selinux_netlbl_sk_security_free(struct sk_security_struct *sksec) -{ - if (sksec->nlbl_secattr != NULL) - netlbl_secattr_free(sksec->nlbl_secattr); -} - -/** - * selinux_netlbl_sk_security_reset - Reset the NetLabel fields - * @sksec: the sk_security_struct - * @family: the socket family - * - * Description: - * Called when the NetLabel state of a sk_security_struct needs to be reset. - * The caller is responsible for all the NetLabel sk_security_struct locking. - * - */ -void selinux_netlbl_sk_security_reset(struct sk_security_struct *sksec) -{ - sksec->nlbl_state = NLBL_UNSET; -} - -/** - * selinux_netlbl_skbuff_getsid - Get the sid of a packet using NetLabel - * @skb: the packet - * @family: protocol family - * @type: NetLabel labeling protocol type - * @sid: the SID - * - * Description: - * Call the NetLabel mechanism to get the security attributes of the given - * packet and use those attributes to determine the correct context/SID to - * assign to the packet. Returns zero on success, negative values on failure. - * - */ -int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, - u16 family, - u32 *type, - u32 *sid) -{ - int rc; - struct netlbl_lsm_secattr secattr; - - if (!netlbl_enabled()) { - *sid = SECSID_NULL; - return 0; - } - - netlbl_secattr_init(&secattr); - rc = netlbl_skbuff_getattr(skb, family, &secattr); - if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) - rc = selinux_netlbl_sidlookup_cached(skb, &secattr, sid); - else - *sid = SECSID_NULL; - *type = secattr.type; - netlbl_secattr_destroy(&secattr); - - return rc; -} - -/** - * selinux_netlbl_skbuff_setsid - Set the NetLabel on a packet given a sid - * @skb: the packet - * @family: protocol family - * @sid: the SID - * - * Description - * Call the NetLabel mechanism to set the label of a packet using @sid. - * Returns zero on success, negative values on failure. - * - */ -int selinux_netlbl_skbuff_setsid(struct sk_buff *skb, - u16 family, - u32 sid) -{ - int rc; - struct netlbl_lsm_secattr secattr_storage; - struct netlbl_lsm_secattr *secattr = NULL; - struct sock *sk; - - /* if this is a locally generated packet check to see if it is already - * being labeled by it's parent socket, if it is just exit */ - sk = skb->sk; - if (sk != NULL) { - struct sk_security_struct *sksec = sk->sk_security; - if (sksec->nlbl_state != NLBL_REQSKB) - return 0; - secattr = sksec->nlbl_secattr; - } - if (secattr == NULL) { - secattr = &secattr_storage; - netlbl_secattr_init(secattr); - rc = security_netlbl_sid_to_secattr(sid, secattr); - if (rc != 0) - goto skbuff_setsid_return; - } - - rc = netlbl_skbuff_setattr(skb, family, secattr); - -skbuff_setsid_return: - if (secattr == &secattr_storage) - netlbl_secattr_destroy(secattr); - return rc; -} - -/** - * selinux_netlbl_inet_conn_request - Label an incoming stream connection - * @req: incoming connection request socket - * - * Description: - * A new incoming connection request is represented by @req, we need to label - * the new request_sock here and the stack will ensure the on-the-wire label - * will get preserved when a full sock is created once the connection handshake - * is complete. Returns zero on success, negative values on failure. - * - */ -int selinux_netlbl_inet_conn_request(struct request_sock *req, u16 family) -{ - int rc; - struct netlbl_lsm_secattr secattr; - - if (family != PF_INET) - return 0; - - netlbl_secattr_init(&secattr); - rc = security_netlbl_sid_to_secattr(req->secid, &secattr); - if (rc != 0) - goto inet_conn_request_return; - rc = netlbl_req_setattr(req, &secattr); -inet_conn_request_return: - netlbl_secattr_destroy(&secattr); - return rc; -} - -/** - * selinux_netlbl_inet_csk_clone - Initialize the newly created sock - * @sk: the new sock - * - * Description: - * A new connection has been established using @sk, we've already labeled the - * socket via the request_sock struct in selinux_netlbl_inet_conn_request() but - * we need to set the NetLabel state here since we now have a sock structure. - * - */ -void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family) -{ - struct sk_security_struct *sksec = sk->sk_security; - - if (family == PF_INET) - sksec->nlbl_state = NLBL_LABELED; - else - sksec->nlbl_state = NLBL_UNSET; -} - -/** - * selinux_netlbl_socket_post_create - Label a socket using NetLabel - * @sock: the socket to label - * @family: protocol family - * - * Description: - * Attempt to label a socket using the NetLabel mechanism using the given - * SID. Returns zero values on success, negative values on failure. - * - */ -int selinux_netlbl_socket_post_create(struct sock *sk, u16 family) -{ - int rc; - struct sk_security_struct *sksec = sk->sk_security; - struct netlbl_lsm_secattr *secattr; - - if (family != PF_INET) - return 0; - - secattr = selinux_netlbl_sock_genattr(sk); - if (secattr == NULL) - return -ENOMEM; - rc = netlbl_sock_setattr(sk, family, secattr); - switch (rc) { - case 0: - sksec->nlbl_state = NLBL_LABELED; - break; - case -EDESTADDRREQ: - sksec->nlbl_state = NLBL_REQSKB; - rc = 0; - break; - } - - return rc; -} - -/** - * selinux_netlbl_sock_rcv_skb - Do an inbound access check using NetLabel - * @sksec: the sock's sk_security_struct - * @skb: the packet - * @family: protocol family - * @ad: the audit data - * - * Description: - * Fetch the NetLabel security attributes from @skb and perform an access check - * against the receiving socket. Returns zero on success, negative values on - * error. - * - */ -int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, - struct sk_buff *skb, - u16 family, - struct common_audit_data *ad) -{ - int rc; - u32 nlbl_sid; - u32 perm; - struct netlbl_lsm_secattr secattr; - - if (!netlbl_enabled()) - return 0; - - netlbl_secattr_init(&secattr); - rc = netlbl_skbuff_getattr(skb, family, &secattr); - if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) - rc = selinux_netlbl_sidlookup_cached(skb, &secattr, &nlbl_sid); - else - nlbl_sid = SECINITSID_UNLABELED; - netlbl_secattr_destroy(&secattr); - if (rc != 0) - return rc; - - switch (sksec->sclass) { - case SECCLASS_UDP_SOCKET: - perm = UDP_SOCKET__RECVFROM; - break; - case SECCLASS_TCP_SOCKET: - perm = TCP_SOCKET__RECVFROM; - break; - default: - perm = RAWIP_SOCKET__RECVFROM; - } - - rc = avc_has_perm(sksec->sid, nlbl_sid, sksec->sclass, perm, ad); - if (rc == 0) - return 0; - - if (nlbl_sid != SECINITSID_UNLABELED) - netlbl_skbuff_err(skb, rc, 0); - return rc; -} - -/** - * selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel - * @sock: the socket - * @level: the socket level or protocol - * @optname: the socket option name - * - * Description: - * Check the setsockopt() call and if the user is trying to replace the IP - * options on a socket and a NetLabel is in place for the socket deny the - * access; otherwise allow the access. Returns zero when the access is - * allowed, -EACCES when denied, and other negative values on error. - * - */ -int selinux_netlbl_socket_setsockopt(struct socket *sock, - int level, - int optname) -{ - int rc = 0; - struct sock *sk = sock->sk; - struct sk_security_struct *sksec = sk->sk_security; - struct netlbl_lsm_secattr secattr; - - if (level == IPPROTO_IP && optname == IP_OPTIONS && - (sksec->nlbl_state == NLBL_LABELED || - sksec->nlbl_state == NLBL_CONNLABELED)) { - netlbl_secattr_init(&secattr); - lock_sock(sk); - rc = netlbl_sock_getattr(sk, &secattr); - release_sock(sk); - if (rc == 0) - rc = -EACCES; - else if (rc == -ENOMSG) - rc = 0; - netlbl_secattr_destroy(&secattr); - } - - return rc; -} - -/** - * selinux_netlbl_socket_connect - Label a client-side socket on connect - * @sk: the socket to label - * @addr: the destination address - * - * Description: - * Attempt to label a connected socket with NetLabel using the given address. - * Returns zero values on success, negative values on failure. - * - */ -int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr) -{ - int rc; - struct sk_security_struct *sksec = sk->sk_security; - struct netlbl_lsm_secattr *secattr; - - if (sksec->nlbl_state != NLBL_REQSKB && - sksec->nlbl_state != NLBL_CONNLABELED) - return 0; - - local_bh_disable(); - bh_lock_sock_nested(sk); - - /* connected sockets are allowed to disconnect when the address family - * is set to AF_UNSPEC, if that is what is happening we want to reset - * the socket */ - if (addr->sa_family == AF_UNSPEC) { - netlbl_sock_delattr(sk); - sksec->nlbl_state = NLBL_REQSKB; - rc = 0; - goto socket_connect_return; - } - secattr = selinux_netlbl_sock_genattr(sk); - if (secattr == NULL) { - rc = -ENOMEM; - goto socket_connect_return; - } - rc = netlbl_conn_setattr(sk, addr, secattr); - if (rc == 0) - sksec->nlbl_state = NLBL_CONNLABELED; - -socket_connect_return: - bh_unlock_sock(sk); - local_bh_enable(); - return rc; -} diff --git a/ANDROID_3.4.5/security/selinux/netlink.c b/ANDROID_3.4.5/security/selinux/netlink.c deleted file mode 100644 index 161e01a6..00000000 --- a/ANDROID_3.4.5/security/selinux/netlink.c +++ /dev/null @@ -1,119 +0,0 @@ -/* - * Netlink event notifications for SELinux. - * - * Author: James Morris <jmorris@redhat.com> - * - * Copyright (C) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2, - * as published by the Free Software Foundation. - */ -#include <linux/init.h> -#include <linux/types.h> -#include <linux/slab.h> -#include <linux/stddef.h> -#include <linux/kernel.h> -#include <linux/export.h> -#include <linux/skbuff.h> -#include <linux/netlink.h> -#include <linux/selinux_netlink.h> -#include <net/net_namespace.h> - -#include "security.h" - -static struct sock *selnl; - -static int selnl_msglen(int msgtype) -{ - int ret = 0; - - switch (msgtype) { - case SELNL_MSG_SETENFORCE: - ret = sizeof(struct selnl_msg_setenforce); - break; - - case SELNL_MSG_POLICYLOAD: - ret = sizeof(struct selnl_msg_policyload); - break; - - default: - BUG(); - } - return ret; -} - -static void selnl_add_payload(struct nlmsghdr *nlh, int len, int msgtype, void *data) -{ - switch (msgtype) { - case SELNL_MSG_SETENFORCE: { - struct selnl_msg_setenforce *msg = NLMSG_DATA(nlh); - - memset(msg, 0, len); - msg->val = *((int *)data); - break; - } - - case SELNL_MSG_POLICYLOAD: { - struct selnl_msg_policyload *msg = NLMSG_DATA(nlh); - - memset(msg, 0, len); - msg->seqno = *((u32 *)data); - break; - } - - default: - BUG(); - } -} - -static void selnl_notify(int msgtype, void *data) -{ - int len; - sk_buff_data_t tmp; - struct sk_buff *skb; - struct nlmsghdr *nlh; - - len = selnl_msglen(msgtype); - - skb = alloc_skb(NLMSG_SPACE(len), GFP_USER); - if (!skb) - goto oom; - - tmp = skb->tail; - nlh = NLMSG_PUT(skb, 0, 0, msgtype, len); - selnl_add_payload(nlh, len, msgtype, data); - nlh->nlmsg_len = skb->tail - tmp; - NETLINK_CB(skb).dst_group = SELNLGRP_AVC; - netlink_broadcast(selnl, skb, 0, SELNLGRP_AVC, GFP_USER); -out: - return; - -nlmsg_failure: - kfree_skb(skb); -oom: - printk(KERN_ERR "SELinux: OOM in %s\n", __func__); - goto out; -} - -void selnl_notify_setenforce(int val) -{ - selnl_notify(SELNL_MSG_SETENFORCE, &val); -} - -void selnl_notify_policyload(u32 seqno) -{ - selnl_notify(SELNL_MSG_POLICYLOAD, &seqno); -} - -static int __init selnl_init(void) -{ - selnl = netlink_kernel_create(&init_net, NETLINK_SELINUX, - SELNLGRP_MAX, NULL, NULL, THIS_MODULE); - if (selnl == NULL) - panic("SELinux: Cannot create netlink socket."); - netlink_set_nonroot(NETLINK_SELINUX, NL_NONROOT_RECV); - return 0; -} - -__initcall(selnl_init); diff --git a/ANDROID_3.4.5/security/selinux/netnode.c b/ANDROID_3.4.5/security/selinux/netnode.c deleted file mode 100644 index 86365857..00000000 --- a/ANDROID_3.4.5/security/selinux/netnode.c +++ /dev/null @@ -1,331 +0,0 @@ -/* - * Network node table - * - * SELinux must keep a mapping of network nodes to labels/SIDs. This - * mapping is maintained as part of the normal policy but a fast cache is - * needed to reduce the lookup overhead since most of these queries happen on - * a per-packet basis. - * - * Author: Paul Moore <paul@paul-moore.com> - * - * This code is heavily based on the "netif" concept originally developed by - * James Morris <jmorris@redhat.com> - * (see security/selinux/netif.c for more information) - * - */ - -/* - * (c) Copyright Hewlett-Packard Development Company, L.P., 2007 - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of version 2 of the GNU General Public License as - * published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - */ - -#include <linux/types.h> -#include <linux/rcupdate.h> -#include <linux/list.h> -#include <linux/slab.h> -#include <linux/spinlock.h> -#include <linux/in.h> -#include <linux/in6.h> -#include <linux/ip.h> -#include <linux/ipv6.h> -#include <net/ip.h> -#include <net/ipv6.h> - -#include "netnode.h" -#include "objsec.h" - -#define SEL_NETNODE_HASH_SIZE 256 -#define SEL_NETNODE_HASH_BKT_LIMIT 16 - -struct sel_netnode_bkt { - unsigned int size; - struct list_head list; -}; - -struct sel_netnode { - struct netnode_security_struct nsec; - - struct list_head list; - struct rcu_head rcu; -}; - -/* NOTE: we are using a combined hash table for both IPv4 and IPv6, the reason - * for this is that I suspect most users will not make heavy use of both - * address families at the same time so one table will usually end up wasted, - * if this becomes a problem we can always add a hash table for each address - * family later */ - -static LIST_HEAD(sel_netnode_list); -static DEFINE_SPINLOCK(sel_netnode_lock); -static struct sel_netnode_bkt sel_netnode_hash[SEL_NETNODE_HASH_SIZE]; - -/** - * sel_netnode_hashfn_ipv4 - IPv4 hashing function for the node table - * @addr: IPv4 address - * - * Description: - * This is the IPv4 hashing function for the node interface table, it returns - * the bucket number for the given IP address. - * - */ -static unsigned int sel_netnode_hashfn_ipv4(__be32 addr) -{ - /* at some point we should determine if the mismatch in byte order - * affects the hash function dramatically */ - return (addr & (SEL_NETNODE_HASH_SIZE - 1)); -} - -/** - * sel_netnode_hashfn_ipv6 - IPv6 hashing function for the node table - * @addr: IPv6 address - * - * Description: - * This is the IPv6 hashing function for the node interface table, it returns - * the bucket number for the given IP address. - * - */ -static unsigned int sel_netnode_hashfn_ipv6(const struct in6_addr *addr) -{ - /* just hash the least significant 32 bits to keep things fast (they - * are the most likely to be different anyway), we can revisit this - * later if needed */ - return (addr->s6_addr32[3] & (SEL_NETNODE_HASH_SIZE - 1)); -} - -/** - * sel_netnode_find - Search for a node record - * @addr: IP address - * @family: address family - * - * Description: - * Search the network node table and return the record matching @addr. If an - * entry can not be found in the table return NULL. - * - */ -static struct sel_netnode *sel_netnode_find(const void *addr, u16 family) -{ - unsigned int idx; - struct sel_netnode *node; - - switch (family) { - case PF_INET: - idx = sel_netnode_hashfn_ipv4(*(__be32 *)addr); - break; - case PF_INET6: - idx = sel_netnode_hashfn_ipv6(addr); - break; - default: - BUG(); - return NULL; - } - - list_for_each_entry_rcu(node, &sel_netnode_hash[idx].list, list) - if (node->nsec.family == family) - switch (family) { - case PF_INET: - if (node->nsec.addr.ipv4 == *(__be32 *)addr) - return node; - break; - case PF_INET6: - if (ipv6_addr_equal(&node->nsec.addr.ipv6, - addr)) - return node; - break; - } - - return NULL; -} - -/** - * sel_netnode_insert - Insert a new node into the table - * @node: the new node record - * - * Description: - * Add a new node record to the network address hash table. - * - */ -static void sel_netnode_insert(struct sel_netnode *node) -{ - unsigned int idx; - - switch (node->nsec.family) { - case PF_INET: - idx = sel_netnode_hashfn_ipv4(node->nsec.addr.ipv4); - break; - case PF_INET6: - idx = sel_netnode_hashfn_ipv6(&node->nsec.addr.ipv6); - break; - default: - BUG(); - } - - /* we need to impose a limit on the growth of the hash table so check - * this bucket to make sure it is within the specified bounds */ - list_add_rcu(&node->list, &sel_netnode_hash[idx].list); - if (sel_netnode_hash[idx].size == SEL_NETNODE_HASH_BKT_LIMIT) { - struct sel_netnode *tail; - tail = list_entry( - rcu_dereference(sel_netnode_hash[idx].list.prev), - struct sel_netnode, list); - list_del_rcu(&tail->list); - kfree_rcu(tail, rcu); - } else - sel_netnode_hash[idx].size++; -} - -/** - * sel_netnode_sid_slow - Lookup the SID of a network address using the policy - * @addr: the IP address - * @family: the address family - * @sid: node SID - * - * Description: - * This function determines the SID of a network address by quering the - * security policy. The result is added to the network address table to - * speedup future queries. Returns zero on success, negative values on - * failure. - * - */ -static int sel_netnode_sid_slow(void *addr, u16 family, u32 *sid) -{ - int ret = -ENOMEM; - struct sel_netnode *node; - struct sel_netnode *new = NULL; - - spin_lock_bh(&sel_netnode_lock); - node = sel_netnode_find(addr, family); - if (node != NULL) { - *sid = node->nsec.sid; - spin_unlock_bh(&sel_netnode_lock); - return 0; - } - new = kzalloc(sizeof(*new), GFP_ATOMIC); - if (new == NULL) - goto out; - switch (family) { - case PF_INET: - ret = security_node_sid(PF_INET, - addr, sizeof(struct in_addr), sid); - new->nsec.addr.ipv4 = *(__be32 *)addr; - break; - case PF_INET6: - ret = security_node_sid(PF_INET6, - addr, sizeof(struct in6_addr), sid); - new->nsec.addr.ipv6 = *(struct in6_addr *)addr; - break; - default: - BUG(); - } - if (ret != 0) - goto out; - - new->nsec.family = family; - new->nsec.sid = *sid; - sel_netnode_insert(new); - -out: - spin_unlock_bh(&sel_netnode_lock); - if (unlikely(ret)) { - printk(KERN_WARNING - "SELinux: failure in sel_netnode_sid_slow()," - " unable to determine network node label\n"); - kfree(new); - } - return ret; -} - -/** - * sel_netnode_sid - Lookup the SID of a network address - * @addr: the IP address - * @family: the address family - * @sid: node SID - * - * Description: - * This function determines the SID of a network address using the fastest - * method possible. First the address table is queried, but if an entry - * can't be found then the policy is queried and the result is added to the - * table to speedup future queries. Returns zero on success, negative values - * on failure. - * - */ -int sel_netnode_sid(void *addr, u16 family, u32 *sid) -{ - struct sel_netnode *node; - - rcu_read_lock(); - node = sel_netnode_find(addr, family); - if (node != NULL) { - *sid = node->nsec.sid; - rcu_read_unlock(); - return 0; - } - rcu_read_unlock(); - - return sel_netnode_sid_slow(addr, family, sid); -} - -/** - * sel_netnode_flush - Flush the entire network address table - * - * Description: - * Remove all entries from the network address table. - * - */ -static void sel_netnode_flush(void) -{ - unsigned int idx; - struct sel_netnode *node, *node_tmp; - - spin_lock_bh(&sel_netnode_lock); - for (idx = 0; idx < SEL_NETNODE_HASH_SIZE; idx++) { - list_for_each_entry_safe(node, node_tmp, - &sel_netnode_hash[idx].list, list) { - list_del_rcu(&node->list); - kfree_rcu(node, rcu); - } - sel_netnode_hash[idx].size = 0; - } - spin_unlock_bh(&sel_netnode_lock); -} - -static int sel_netnode_avc_callback(u32 event, u32 ssid, u32 tsid, - u16 class, u32 perms, u32 *retained) -{ - if (event == AVC_CALLBACK_RESET) { - sel_netnode_flush(); - synchronize_net(); - } - return 0; -} - -static __init int sel_netnode_init(void) -{ - int iter; - int ret; - - if (!selinux_enabled) - return 0; - - for (iter = 0; iter < SEL_NETNODE_HASH_SIZE; iter++) { - INIT_LIST_HEAD(&sel_netnode_hash[iter].list); - sel_netnode_hash[iter].size = 0; - } - - ret = avc_add_callback(sel_netnode_avc_callback, AVC_CALLBACK_RESET, - SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0); - if (ret != 0) - panic("avc_add_callback() failed, error %d\n", ret); - - return ret; -} - -__initcall(sel_netnode_init); diff --git a/ANDROID_3.4.5/security/selinux/netport.c b/ANDROID_3.4.5/security/selinux/netport.c deleted file mode 100644 index 7b9eb1fa..00000000 --- a/ANDROID_3.4.5/security/selinux/netport.c +++ /dev/null @@ -1,268 +0,0 @@ -/* - * Network port table - * - * SELinux must keep a mapping of network ports to labels/SIDs. This - * mapping is maintained as part of the normal policy but a fast cache is - * needed to reduce the lookup overhead. - * - * Author: Paul Moore <paul@paul-moore.com> - * - * This code is heavily based on the "netif" concept originally developed by - * James Morris <jmorris@redhat.com> - * (see security/selinux/netif.c for more information) - * - */ - -/* - * (c) Copyright Hewlett-Packard Development Company, L.P., 2008 - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of version 2 of the GNU General Public License as - * published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - */ - -#include <linux/types.h> -#include <linux/rcupdate.h> -#include <linux/list.h> -#include <linux/slab.h> -#include <linux/spinlock.h> -#include <linux/in.h> -#include <linux/in6.h> -#include <linux/ip.h> -#include <linux/ipv6.h> -#include <net/ip.h> -#include <net/ipv6.h> - -#include "netport.h" -#include "objsec.h" - -#define SEL_NETPORT_HASH_SIZE 256 -#define SEL_NETPORT_HASH_BKT_LIMIT 16 - -struct sel_netport_bkt { - int size; - struct list_head list; -}; - -struct sel_netport { - struct netport_security_struct psec; - - struct list_head list; - struct rcu_head rcu; -}; - -/* NOTE: we are using a combined hash table for both IPv4 and IPv6, the reason - * for this is that I suspect most users will not make heavy use of both - * address families at the same time so one table will usually end up wasted, - * if this becomes a problem we can always add a hash table for each address - * family later */ - -static LIST_HEAD(sel_netport_list); -static DEFINE_SPINLOCK(sel_netport_lock); -static struct sel_netport_bkt sel_netport_hash[SEL_NETPORT_HASH_SIZE]; - -/** - * sel_netport_hashfn - Hashing function for the port table - * @pnum: port number - * - * Description: - * This is the hashing function for the port table, it returns the bucket - * number for the given port. - * - */ -static unsigned int sel_netport_hashfn(u16 pnum) -{ - return (pnum & (SEL_NETPORT_HASH_SIZE - 1)); -} - -/** - * sel_netport_find - Search for a port record - * @protocol: protocol - * @port: pnum - * - * Description: - * Search the network port table and return the matching record. If an entry - * can not be found in the table return NULL. - * - */ -static struct sel_netport *sel_netport_find(u8 protocol, u16 pnum) -{ - unsigned int idx; - struct sel_netport *port; - - idx = sel_netport_hashfn(pnum); - list_for_each_entry_rcu(port, &sel_netport_hash[idx].list, list) - if (port->psec.port == pnum && port->psec.protocol == protocol) - return port; - - return NULL; -} - -/** - * sel_netport_insert - Insert a new port into the table - * @port: the new port record - * - * Description: - * Add a new port record to the network address hash table. - * - */ -static void sel_netport_insert(struct sel_netport *port) -{ - unsigned int idx; - - /* we need to impose a limit on the growth of the hash table so check - * this bucket to make sure it is within the specified bounds */ - idx = sel_netport_hashfn(port->psec.port); - list_add_rcu(&port->list, &sel_netport_hash[idx].list); - if (sel_netport_hash[idx].size == SEL_NETPORT_HASH_BKT_LIMIT) { - struct sel_netport *tail; - tail = list_entry( - rcu_dereference_protected( - sel_netport_hash[idx].list.prev, - lockdep_is_held(&sel_netport_lock)), - struct sel_netport, list); - list_del_rcu(&tail->list); - kfree_rcu(tail, rcu); - } else - sel_netport_hash[idx].size++; -} - -/** - * sel_netport_sid_slow - Lookup the SID of a network address using the policy - * @protocol: protocol - * @pnum: port - * @sid: port SID - * - * Description: - * This function determines the SID of a network port by quering the security - * policy. The result is added to the network port table to speedup future - * queries. Returns zero on success, negative values on failure. - * - */ -static int sel_netport_sid_slow(u8 protocol, u16 pnum, u32 *sid) -{ - int ret = -ENOMEM; - struct sel_netport *port; - struct sel_netport *new = NULL; - - spin_lock_bh(&sel_netport_lock); - port = sel_netport_find(protocol, pnum); - if (port != NULL) { - *sid = port->psec.sid; - spin_unlock_bh(&sel_netport_lock); - return 0; - } - new = kzalloc(sizeof(*new), GFP_ATOMIC); - if (new == NULL) - goto out; - ret = security_port_sid(protocol, pnum, sid); - if (ret != 0) - goto out; - - new->psec.port = pnum; - new->psec.protocol = protocol; - new->psec.sid = *sid; - sel_netport_insert(new); - -out: - spin_unlock_bh(&sel_netport_lock); - if (unlikely(ret)) { - printk(KERN_WARNING - "SELinux: failure in sel_netport_sid_slow()," - " unable to determine network port label\n"); - kfree(new); - } - return ret; -} - -/** - * sel_netport_sid - Lookup the SID of a network port - * @protocol: protocol - * @pnum: port - * @sid: port SID - * - * Description: - * This function determines the SID of a network port using the fastest method - * possible. First the port table is queried, but if an entry can't be found - * then the policy is queried and the result is added to the table to speedup - * future queries. Returns zero on success, negative values on failure. - * - */ -int sel_netport_sid(u8 protocol, u16 pnum, u32 *sid) -{ - struct sel_netport *port; - - rcu_read_lock(); - port = sel_netport_find(protocol, pnum); - if (port != NULL) { - *sid = port->psec.sid; - rcu_read_unlock(); - return 0; - } - rcu_read_unlock(); - - return sel_netport_sid_slow(protocol, pnum, sid); -} - -/** - * sel_netport_flush - Flush the entire network port table - * - * Description: - * Remove all entries from the network address table. - * - */ -static void sel_netport_flush(void) -{ - unsigned int idx; - struct sel_netport *port, *port_tmp; - - spin_lock_bh(&sel_netport_lock); - for (idx = 0; idx < SEL_NETPORT_HASH_SIZE; idx++) { - list_for_each_entry_safe(port, port_tmp, - &sel_netport_hash[idx].list, list) { - list_del_rcu(&port->list); - kfree_rcu(port, rcu); - } - sel_netport_hash[idx].size = 0; - } - spin_unlock_bh(&sel_netport_lock); -} - -static int sel_netport_avc_callback(u32 event, u32 ssid, u32 tsid, - u16 class, u32 perms, u32 *retained) -{ - if (event == AVC_CALLBACK_RESET) { - sel_netport_flush(); - synchronize_net(); - } - return 0; -} - -static __init int sel_netport_init(void) -{ - int iter; - int ret; - - if (!selinux_enabled) - return 0; - - for (iter = 0; iter < SEL_NETPORT_HASH_SIZE; iter++) { - INIT_LIST_HEAD(&sel_netport_hash[iter].list); - sel_netport_hash[iter].size = 0; - } - - ret = avc_add_callback(sel_netport_avc_callback, AVC_CALLBACK_RESET, - SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0); - if (ret != 0) - panic("avc_add_callback() failed, error %d\n", ret); - - return ret; -} - -__initcall(sel_netport_init); diff --git a/ANDROID_3.4.5/security/selinux/nlmsgtab.c b/ANDROID_3.4.5/security/selinux/nlmsgtab.c deleted file mode 100644 index 0920ea3b..00000000 --- a/ANDROID_3.4.5/security/selinux/nlmsgtab.c +++ /dev/null @@ -1,183 +0,0 @@ -/* - * Netlink message type permission tables, for user generated messages. - * - * Author: James Morris <jmorris@redhat.com> - * - * Copyright (C) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2, - * as published by the Free Software Foundation. - */ -#include <linux/types.h> -#include <linux/kernel.h> -#include <linux/netlink.h> -#include <linux/rtnetlink.h> -#include <linux/if.h> -#include <linux/netfilter_ipv4/ip_queue.h> -#include <linux/inet_diag.h> -#include <linux/xfrm.h> -#include <linux/audit.h> - -#include "flask.h" -#include "av_permissions.h" -#include "security.h" - -struct nlmsg_perm { - u16 nlmsg_type; - u32 perm; -}; - -static struct nlmsg_perm nlmsg_route_perms[] = -{ - { RTM_NEWLINK, NETLINK_ROUTE_SOCKET__NLMSG_WRITE }, - { RTM_DELLINK, NETLINK_ROUTE_SOCKET__NLMSG_WRITE }, - { RTM_GETLINK, NETLINK_ROUTE_SOCKET__NLMSG_READ }, - { RTM_SETLINK, NETLINK_ROUTE_SOCKET__NLMSG_WRITE }, - { RTM_NEWADDR, NETLINK_ROUTE_SOCKET__NLMSG_WRITE }, - { RTM_DELADDR, NETLINK_ROUTE_SOCKET__NLMSG_WRITE }, - { RTM_GETADDR, NETLINK_ROUTE_SOCKET__NLMSG_READ }, - { RTM_NEWROUTE, NETLINK_ROUTE_SOCKET__NLMSG_WRITE }, - { RTM_DELROUTE, NETLINK_ROUTE_SOCKET__NLMSG_WRITE }, - { RTM_GETROUTE, NETLINK_ROUTE_SOCKET__NLMSG_READ }, - { RTM_NEWNEIGH, NETLINK_ROUTE_SOCKET__NLMSG_WRITE }, - { RTM_DELNEIGH, NETLINK_ROUTE_SOCKET__NLMSG_WRITE }, - { RTM_GETNEIGH, NETLINK_ROUTE_SOCKET__NLMSG_READ }, - { RTM_NEWRULE, NETLINK_ROUTE_SOCKET__NLMSG_WRITE }, - { RTM_DELRULE, NETLINK_ROUTE_SOCKET__NLMSG_WRITE }, - { RTM_GETRULE, NETLINK_ROUTE_SOCKET__NLMSG_READ }, - { RTM_NEWQDISC, NETLINK_ROUTE_SOCKET__NLMSG_WRITE }, - { RTM_DELQDISC, NETLINK_ROUTE_SOCKET__NLMSG_WRITE }, - { RTM_GETQDISC, NETLINK_ROUTE_SOCKET__NLMSG_READ }, - { RTM_NEWTCLASS, NETLINK_ROUTE_SOCKET__NLMSG_WRITE }, - { RTM_DELTCLASS, NETLINK_ROUTE_SOCKET__NLMSG_WRITE }, - { RTM_GETTCLASS, NETLINK_ROUTE_SOCKET__NLMSG_READ }, - { RTM_NEWTFILTER, NETLINK_ROUTE_SOCKET__NLMSG_WRITE }, - { RTM_DELTFILTER, NETLINK_ROUTE_SOCKET__NLMSG_WRITE }, - { RTM_GETTFILTER, NETLINK_ROUTE_SOCKET__NLMSG_READ }, - { RTM_NEWACTION, NETLINK_ROUTE_SOCKET__NLMSG_WRITE }, - { RTM_DELACTION, NETLINK_ROUTE_SOCKET__NLMSG_WRITE }, - { RTM_GETACTION, NETLINK_ROUTE_SOCKET__NLMSG_READ }, - { RTM_NEWPREFIX, NETLINK_ROUTE_SOCKET__NLMSG_WRITE }, - { RTM_GETMULTICAST, NETLINK_ROUTE_SOCKET__NLMSG_READ }, - { RTM_GETANYCAST, NETLINK_ROUTE_SOCKET__NLMSG_READ }, - { RTM_GETNEIGHTBL, NETLINK_ROUTE_SOCKET__NLMSG_READ }, - { RTM_SETNEIGHTBL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE }, - { RTM_NEWADDRLABEL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE }, - { RTM_DELADDRLABEL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE }, - { RTM_GETADDRLABEL, NETLINK_ROUTE_SOCKET__NLMSG_READ }, - { RTM_GETDCB, NETLINK_ROUTE_SOCKET__NLMSG_READ }, - { RTM_SETDCB, NETLINK_ROUTE_SOCKET__NLMSG_WRITE }, -}; - -static struct nlmsg_perm nlmsg_firewall_perms[] = -{ - { IPQM_MODE, NETLINK_FIREWALL_SOCKET__NLMSG_WRITE }, - { IPQM_VERDICT, NETLINK_FIREWALL_SOCKET__NLMSG_WRITE }, -}; - -static struct nlmsg_perm nlmsg_tcpdiag_perms[] = -{ - { TCPDIAG_GETSOCK, NETLINK_TCPDIAG_SOCKET__NLMSG_READ }, - { DCCPDIAG_GETSOCK, NETLINK_TCPDIAG_SOCKET__NLMSG_READ }, -}; - -static struct nlmsg_perm nlmsg_xfrm_perms[] = -{ - { XFRM_MSG_NEWSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE }, - { XFRM_MSG_DELSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE }, - { XFRM_MSG_GETSA, NETLINK_XFRM_SOCKET__NLMSG_READ }, - { XFRM_MSG_NEWPOLICY, NETLINK_XFRM_SOCKET__NLMSG_WRITE }, - { XFRM_MSG_DELPOLICY, NETLINK_XFRM_SOCKET__NLMSG_WRITE }, - { XFRM_MSG_GETPOLICY, NETLINK_XFRM_SOCKET__NLMSG_READ }, - { XFRM_MSG_ALLOCSPI, NETLINK_XFRM_SOCKET__NLMSG_WRITE }, - { XFRM_MSG_ACQUIRE, NETLINK_XFRM_SOCKET__NLMSG_WRITE }, - { XFRM_MSG_EXPIRE, NETLINK_XFRM_SOCKET__NLMSG_WRITE }, - { XFRM_MSG_UPDPOLICY, NETLINK_XFRM_SOCKET__NLMSG_WRITE }, - { XFRM_MSG_UPDSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE }, - { XFRM_MSG_POLEXPIRE, NETLINK_XFRM_SOCKET__NLMSG_WRITE }, - { XFRM_MSG_FLUSHSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE }, - { XFRM_MSG_FLUSHPOLICY, NETLINK_XFRM_SOCKET__NLMSG_WRITE }, - { XFRM_MSG_NEWAE, NETLINK_XFRM_SOCKET__NLMSG_WRITE }, - { XFRM_MSG_GETAE, NETLINK_XFRM_SOCKET__NLMSG_READ }, -}; - -static struct nlmsg_perm nlmsg_audit_perms[] = -{ - { AUDIT_GET, NETLINK_AUDIT_SOCKET__NLMSG_READ }, - { AUDIT_SET, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, - { AUDIT_LIST, NETLINK_AUDIT_SOCKET__NLMSG_READPRIV }, - { AUDIT_ADD, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, - { AUDIT_DEL, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, - { AUDIT_LIST_RULES, NETLINK_AUDIT_SOCKET__NLMSG_READPRIV }, - { AUDIT_ADD_RULE, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, - { AUDIT_DEL_RULE, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, - { AUDIT_USER, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, - { AUDIT_SIGNAL_INFO, NETLINK_AUDIT_SOCKET__NLMSG_READ }, - { AUDIT_TRIM, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, - { AUDIT_MAKE_EQUIV, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, - { AUDIT_TTY_GET, NETLINK_AUDIT_SOCKET__NLMSG_READ }, - { AUDIT_TTY_SET, NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT }, -}; - - -static int nlmsg_perm(u16 nlmsg_type, u32 *perm, struct nlmsg_perm *tab, size_t tabsize) -{ - int i, err = -EINVAL; - - for (i = 0; i < tabsize/sizeof(struct nlmsg_perm); i++) - if (nlmsg_type == tab[i].nlmsg_type) { - *perm = tab[i].perm; - err = 0; - break; - } - - return err; -} - -int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm) -{ - int err = 0; - - switch (sclass) { - case SECCLASS_NETLINK_ROUTE_SOCKET: - err = nlmsg_perm(nlmsg_type, perm, nlmsg_route_perms, - sizeof(nlmsg_route_perms)); - break; - - case SECCLASS_NETLINK_FIREWALL_SOCKET: - case SECCLASS_NETLINK_IP6FW_SOCKET: - err = nlmsg_perm(nlmsg_type, perm, nlmsg_firewall_perms, - sizeof(nlmsg_firewall_perms)); - break; - - case SECCLASS_NETLINK_TCPDIAG_SOCKET: - err = nlmsg_perm(nlmsg_type, perm, nlmsg_tcpdiag_perms, - sizeof(nlmsg_tcpdiag_perms)); - break; - - case SECCLASS_NETLINK_XFRM_SOCKET: - err = nlmsg_perm(nlmsg_type, perm, nlmsg_xfrm_perms, - sizeof(nlmsg_xfrm_perms)); - break; - - case SECCLASS_NETLINK_AUDIT_SOCKET: - if ((nlmsg_type >= AUDIT_FIRST_USER_MSG && - nlmsg_type <= AUDIT_LAST_USER_MSG) || - (nlmsg_type >= AUDIT_FIRST_USER_MSG2 && - nlmsg_type <= AUDIT_LAST_USER_MSG2)) { - *perm = NETLINK_AUDIT_SOCKET__NLMSG_RELAY; - } else { - err = nlmsg_perm(nlmsg_type, perm, nlmsg_audit_perms, - sizeof(nlmsg_audit_perms)); - } - break; - - /* No messaging from userspace, or class unknown/unhandled */ - default: - err = -ENOENT; - break; - } - - return err; -} diff --git a/ANDROID_3.4.5/security/selinux/selinuxfs.c b/ANDROID_3.4.5/security/selinux/selinuxfs.c deleted file mode 100644 index 3068d16c..00000000 --- a/ANDROID_3.4.5/security/selinux/selinuxfs.c +++ /dev/null @@ -1,1960 +0,0 @@ -/* Updated: Karl MacMillan <kmacmillan@tresys.com> - * - * Added conditional policy language extensions - * - * Updated: Hewlett-Packard <paul@paul-moore.com> - * - * Added support for the policy capability bitmap - * - * Copyright (C) 2007 Hewlett-Packard Development Company, L.P. - * Copyright (C) 2003 - 2004 Tresys Technology, LLC - * Copyright (C) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com> - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, version 2. - */ - -#include <linux/kernel.h> -#include <linux/pagemap.h> -#include <linux/slab.h> -#include <linux/vmalloc.h> -#include <linux/fs.h> -#include <linux/mutex.h> -#include <linux/init.h> -#include <linux/string.h> -#include <linux/security.h> -#include <linux/major.h> -#include <linux/seq_file.h> -#include <linux/percpu.h> -#include <linux/audit.h> -#include <linux/uaccess.h> -#include <linux/kobject.h> -#include <linux/ctype.h> - -/* selinuxfs pseudo filesystem for exporting the security policy API. - Based on the proc code and the fs/nfsd/nfsctl.c code. */ - -#include "flask.h" -#include "avc.h" -#include "avc_ss.h" -#include "security.h" -#include "objsec.h" -#include "conditional.h" - -/* Policy capability filenames */ -static char *policycap_names[] = { - "network_peer_controls", - "open_perms" -}; - -unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; - -static int __init checkreqprot_setup(char *str) -{ - unsigned long checkreqprot; - if (!strict_strtoul(str, 0, &checkreqprot)) - selinux_checkreqprot = checkreqprot ? 1 : 0; - return 1; -} -__setup("checkreqprot=", checkreqprot_setup); - -static DEFINE_MUTEX(sel_mutex); - -/* global data for booleans */ -static struct dentry *bool_dir; -static int bool_num; -static char **bool_pending_names; -static int *bool_pending_values; - -/* global data for classes */ -static struct dentry *class_dir; -static unsigned long last_class_ino; - -static char policy_opened; - -/* global data for policy capabilities */ -static struct dentry *policycap_dir; - -/* Check whether a task is allowed to use a security operation. */ -static int task_has_security(struct task_struct *tsk, - u32 perms) -{ - const struct task_security_struct *tsec; - u32 sid = 0; - - rcu_read_lock(); - tsec = __task_cred(tsk)->security; - if (tsec) - sid = tsec->sid; - rcu_read_unlock(); - if (!tsec) - return -EACCES; - - return avc_has_perm(sid, SECINITSID_SECURITY, - SECCLASS_SECURITY, perms, NULL); -} - -enum sel_inos { - SEL_ROOT_INO = 2, - SEL_LOAD, /* load policy */ - SEL_ENFORCE, /* get or set enforcing status */ - SEL_CONTEXT, /* validate context */ - SEL_ACCESS, /* compute access decision */ - SEL_CREATE, /* compute create labeling decision */ - SEL_RELABEL, /* compute relabeling decision */ - SEL_USER, /* compute reachable user contexts */ - SEL_POLICYVERS, /* return policy version for this kernel */ - SEL_COMMIT_BOOLS, /* commit new boolean values */ - SEL_MLS, /* return if MLS policy is enabled */ - SEL_DISABLE, /* disable SELinux until next reboot */ - SEL_MEMBER, /* compute polyinstantiation membership decision */ - SEL_CHECKREQPROT, /* check requested protection, not kernel-applied one */ - SEL_COMPAT_NET, /* whether to use old compat network packet controls */ - SEL_REJECT_UNKNOWN, /* export unknown reject handling to userspace */ - SEL_DENY_UNKNOWN, /* export unknown deny handling to userspace */ - SEL_STATUS, /* export current status using mmap() */ - SEL_POLICY, /* allow userspace to read the in kernel policy */ - SEL_INO_NEXT, /* The next inode number to use */ -}; - -static unsigned long sel_last_ino = SEL_INO_NEXT - 1; - -#define SEL_INITCON_INO_OFFSET 0x01000000 -#define SEL_BOOL_INO_OFFSET 0x02000000 -#define SEL_CLASS_INO_OFFSET 0x04000000 -#define SEL_POLICYCAP_INO_OFFSET 0x08000000 -#define SEL_INO_MASK 0x00ffffff - -#define TMPBUFLEN 12 -static ssize_t sel_read_enforce(struct file *filp, char __user *buf, - size_t count, loff_t *ppos) -{ - char tmpbuf[TMPBUFLEN]; - ssize_t length; - - length = scnprintf(tmpbuf, TMPBUFLEN, "%d", selinux_enforcing); - return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); -} - -#ifdef CONFIG_SECURITY_SELINUX_DEVELOP -static ssize_t sel_write_enforce(struct file *file, const char __user *buf, - size_t count, loff_t *ppos) - -{ - char *page = NULL; - ssize_t length; - int new_value; - - length = -ENOMEM; - if (count >= PAGE_SIZE) - goto out; - - /* No partial writes. */ - length = EINVAL; - if (*ppos != 0) - goto out; - - length = -ENOMEM; - page = (char *)get_zeroed_page(GFP_KERNEL); - if (!page) - goto out; - - length = -EFAULT; - if (copy_from_user(page, buf, count)) - goto out; - - length = -EINVAL; - if (sscanf(page, "%d", &new_value) != 1) - goto out; - - if (new_value != selinux_enforcing) { - length = task_has_security(current, SECURITY__SETENFORCE); - if (length) - goto out; - audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS, - "enforcing=%d old_enforcing=%d auid=%u ses=%u", - new_value, selinux_enforcing, - audit_get_loginuid(current), - audit_get_sessionid(current)); - selinux_enforcing = new_value; - if (selinux_enforcing) - avc_ss_reset(0); - selnl_notify_setenforce(selinux_enforcing); - selinux_status_update_setenforce(selinux_enforcing); - } - length = count; -out: - free_page((unsigned long) page); - return length; -} -#else -#define sel_write_enforce NULL -#endif - -static const struct file_operations sel_enforce_ops = { - .read = sel_read_enforce, - .write = sel_write_enforce, - .llseek = generic_file_llseek, -}; - -static ssize_t sel_read_handle_unknown(struct file *filp, char __user *buf, - size_t count, loff_t *ppos) -{ - char tmpbuf[TMPBUFLEN]; - ssize_t length; - ino_t ino = filp->f_path.dentry->d_inode->i_ino; - int handle_unknown = (ino == SEL_REJECT_UNKNOWN) ? - security_get_reject_unknown() : !security_get_allow_unknown(); - - length = scnprintf(tmpbuf, TMPBUFLEN, "%d", handle_unknown); - return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); -} - -static const struct file_operations sel_handle_unknown_ops = { - .read = sel_read_handle_unknown, - .llseek = generic_file_llseek, -}; - -static int sel_open_handle_status(struct inode *inode, struct file *filp) -{ - struct page *status = selinux_kernel_status_page(); - - if (!status) - return -ENOMEM; - - filp->private_data = status; - - return 0; -} - -static ssize_t sel_read_handle_status(struct file *filp, char __user *buf, - size_t count, loff_t *ppos) -{ - struct page *status = filp->private_data; - - BUG_ON(!status); - - return simple_read_from_buffer(buf, count, ppos, - page_address(status), - sizeof(struct selinux_kernel_status)); -} - -static int sel_mmap_handle_status(struct file *filp, - struct vm_area_struct *vma) -{ - struct page *status = filp->private_data; - unsigned long size = vma->vm_end - vma->vm_start; - - BUG_ON(!status); - - /* only allows one page from the head */ - if (vma->vm_pgoff > 0 || size != PAGE_SIZE) - return -EIO; - /* disallow writable mapping */ - if (vma->vm_flags & VM_WRITE) - return -EPERM; - /* disallow mprotect() turns it into writable */ - vma->vm_flags &= ~VM_MAYWRITE; - - return remap_pfn_range(vma, vma->vm_start, - page_to_pfn(status), - size, vma->vm_page_prot); -} - -static const struct file_operations sel_handle_status_ops = { - .open = sel_open_handle_status, - .read = sel_read_handle_status, - .mmap = sel_mmap_handle_status, - .llseek = generic_file_llseek, -}; - -#ifdef CONFIG_SECURITY_SELINUX_DISABLE -static ssize_t sel_write_disable(struct file *file, const char __user *buf, - size_t count, loff_t *ppos) - -{ - char *page = NULL; - ssize_t length; - int new_value; - - length = -ENOMEM; - if (count >= PAGE_SIZE) - goto out; - - /* No partial writes. */ - length = -EINVAL; - if (*ppos != 0) - goto out; - - length = -ENOMEM; - page = (char *)get_zeroed_page(GFP_KERNEL); - if (!page) - goto out; - - length = -EFAULT; - if (copy_from_user(page, buf, count)) - goto out; - - length = -EINVAL; - if (sscanf(page, "%d", &new_value) != 1) - goto out; - - if (new_value) { - length = selinux_disable(); - if (length) - goto out; - audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS, - "selinux=0 auid=%u ses=%u", - audit_get_loginuid(current), - audit_get_sessionid(current)); - } - - length = count; -out: - free_page((unsigned long) page); - return length; -} -#else -#define sel_write_disable NULL -#endif - -static const struct file_operations sel_disable_ops = { - .write = sel_write_disable, - .llseek = generic_file_llseek, -}; - -static ssize_t sel_read_policyvers(struct file *filp, char __user *buf, - size_t count, loff_t *ppos) -{ - char tmpbuf[TMPBUFLEN]; - ssize_t length; - - length = scnprintf(tmpbuf, TMPBUFLEN, "%u", POLICYDB_VERSION_MAX); - return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); -} - -static const struct file_operations sel_policyvers_ops = { - .read = sel_read_policyvers, - .llseek = generic_file_llseek, -}; - -/* declaration for sel_write_load */ -static int sel_make_bools(void); -static int sel_make_classes(void); -static int sel_make_policycap(void); - -/* declaration for sel_make_class_dirs */ -static struct dentry *sel_make_dir(struct dentry *dir, const char *name, - unsigned long *ino); - -static ssize_t sel_read_mls(struct file *filp, char __user *buf, - size_t count, loff_t *ppos) -{ - char tmpbuf[TMPBUFLEN]; - ssize_t length; - - length = scnprintf(tmpbuf, TMPBUFLEN, "%d", - security_mls_enabled()); - return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); -} - -static const struct file_operations sel_mls_ops = { - .read = sel_read_mls, - .llseek = generic_file_llseek, -}; - -struct policy_load_memory { - size_t len; - void *data; -}; - -static int sel_open_policy(struct inode *inode, struct file *filp) -{ - struct policy_load_memory *plm = NULL; - int rc; - - BUG_ON(filp->private_data); - - mutex_lock(&sel_mutex); - - rc = task_has_security(current, SECURITY__READ_POLICY); - if (rc) - goto err; - - rc = -EBUSY; - if (policy_opened) - goto err; - - rc = -ENOMEM; - plm = kzalloc(sizeof(*plm), GFP_KERNEL); - if (!plm) - goto err; - - if (i_size_read(inode) != security_policydb_len()) { - mutex_lock(&inode->i_mutex); - i_size_write(inode, security_policydb_len()); - mutex_unlock(&inode->i_mutex); - } - - rc = security_read_policy(&plm->data, &plm->len); - if (rc) - goto err; - - policy_opened = 1; - - filp->private_data = plm; - - mutex_unlock(&sel_mutex); - - return 0; -err: - mutex_unlock(&sel_mutex); - - if (plm) - vfree(plm->data); - kfree(plm); - return rc; -} - -static int sel_release_policy(struct inode *inode, struct file *filp) -{ - struct policy_load_memory *plm = filp->private_data; - - BUG_ON(!plm); - - policy_opened = 0; - - vfree(plm->data); - kfree(plm); - - return 0; -} - -static ssize_t sel_read_policy(struct file *filp, char __user *buf, - size_t count, loff_t *ppos) -{ - struct policy_load_memory *plm = filp->private_data; - int ret; - - mutex_lock(&sel_mutex); - - ret = task_has_security(current, SECURITY__READ_POLICY); - if (ret) - goto out; - - ret = simple_read_from_buffer(buf, count, ppos, plm->data, plm->len); -out: - mutex_unlock(&sel_mutex); - return ret; -} - -static int sel_mmap_policy_fault(struct vm_area_struct *vma, - struct vm_fault *vmf) -{ - struct policy_load_memory *plm = vma->vm_file->private_data; - unsigned long offset; - struct page *page; - - if (vmf->flags & (FAULT_FLAG_MKWRITE | FAULT_FLAG_WRITE)) - return VM_FAULT_SIGBUS; - - offset = vmf->pgoff << PAGE_SHIFT; - if (offset >= roundup(plm->len, PAGE_SIZE)) - return VM_FAULT_SIGBUS; - - page = vmalloc_to_page(plm->data + offset); - get_page(page); - - vmf->page = page; - - return 0; -} - -static struct vm_operations_struct sel_mmap_policy_ops = { - .fault = sel_mmap_policy_fault, - .page_mkwrite = sel_mmap_policy_fault, -}; - -static int sel_mmap_policy(struct file *filp, struct vm_area_struct *vma) -{ - if (vma->vm_flags & VM_SHARED) { - /* do not allow mprotect to make mapping writable */ - vma->vm_flags &= ~VM_MAYWRITE; - - if (vma->vm_flags & VM_WRITE) - return -EACCES; - } - - vma->vm_flags |= VM_RESERVED; - vma->vm_ops = &sel_mmap_policy_ops; - - return 0; -} - -static const struct file_operations sel_policy_ops = { - .open = sel_open_policy, - .read = sel_read_policy, - .mmap = sel_mmap_policy, - .release = sel_release_policy, -}; - -static ssize_t sel_write_load(struct file *file, const char __user *buf, - size_t count, loff_t *ppos) - -{ - ssize_t length; - void *data = NULL; - - mutex_lock(&sel_mutex); - - length = task_has_security(current, SECURITY__LOAD_POLICY); - if (length) - goto out; - - /* No partial writes. */ - length = -EINVAL; - if (*ppos != 0) - goto out; - - length = -EFBIG; - if (count > 64 * 1024 * 1024) - goto out; - - length = -ENOMEM; - data = vmalloc(count); - if (!data) - goto out; - - length = -EFAULT; - if (copy_from_user(data, buf, count) != 0) - goto out; - - length = security_load_policy(data, count); - if (length) - goto out; - - length = sel_make_bools(); - if (length) - goto out1; - - length = sel_make_classes(); - if (length) - goto out1; - - length = sel_make_policycap(); - if (length) - goto out1; - - length = count; - -out1: - audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD, - "policy loaded auid=%u ses=%u", - audit_get_loginuid(current), - audit_get_sessionid(current)); -out: - mutex_unlock(&sel_mutex); - vfree(data); - return length; -} - -static const struct file_operations sel_load_ops = { - .write = sel_write_load, - .llseek = generic_file_llseek, -}; - -static ssize_t sel_write_context(struct file *file, char *buf, size_t size) -{ - char *canon = NULL; - u32 sid, len; - ssize_t length; - - length = task_has_security(current, SECURITY__CHECK_CONTEXT); - if (length) - goto out; - - length = security_context_to_sid(buf, size, &sid); - if (length) - goto out; - - length = security_sid_to_context(sid, &canon, &len); - if (length) - goto out; - - length = -ERANGE; - if (len > SIMPLE_TRANSACTION_LIMIT) { - printk(KERN_ERR "SELinux: %s: context size (%u) exceeds " - "payload max\n", __func__, len); - goto out; - } - - memcpy(buf, canon, len); - length = len; -out: - kfree(canon); - return length; -} - -static ssize_t sel_read_checkreqprot(struct file *filp, char __user *buf, - size_t count, loff_t *ppos) -{ - char tmpbuf[TMPBUFLEN]; - ssize_t length; - - length = scnprintf(tmpbuf, TMPBUFLEN, "%u", selinux_checkreqprot); - return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); -} - -static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf, - size_t count, loff_t *ppos) -{ - char *page = NULL; - ssize_t length; - unsigned int new_value; - - length = task_has_security(current, SECURITY__SETCHECKREQPROT); - if (length) - goto out; - - length = -ENOMEM; - if (count >= PAGE_SIZE) - goto out; - - /* No partial writes. */ - length = -EINVAL; - if (*ppos != 0) - goto out; - - length = -ENOMEM; - page = (char *)get_zeroed_page(GFP_KERNEL); - if (!page) - goto out; - - length = -EFAULT; - if (copy_from_user(page, buf, count)) - goto out; - - length = -EINVAL; - if (sscanf(page, "%u", &new_value) != 1) - goto out; - - selinux_checkreqprot = new_value ? 1 : 0; - length = count; -out: - free_page((unsigned long) page); - return length; -} -static const struct file_operations sel_checkreqprot_ops = { - .read = sel_read_checkreqprot, - .write = sel_write_checkreqprot, - .llseek = generic_file_llseek, -}; - -/* - * Remaining nodes use transaction based IO methods like nfsd/nfsctl.c - */ -static ssize_t sel_write_access(struct file *file, char *buf, size_t size); -static ssize_t sel_write_create(struct file *file, char *buf, size_t size); -static ssize_t sel_write_relabel(struct file *file, char *buf, size_t size); -static ssize_t sel_write_user(struct file *file, char *buf, size_t size); -static ssize_t sel_write_member(struct file *file, char *buf, size_t size); - -static ssize_t (*write_op[])(struct file *, char *, size_t) = { - [SEL_ACCESS] = sel_write_access, - [SEL_CREATE] = sel_write_create, - [SEL_RELABEL] = sel_write_relabel, - [SEL_USER] = sel_write_user, - [SEL_MEMBER] = sel_write_member, - [SEL_CONTEXT] = sel_write_context, -}; - -static ssize_t selinux_transaction_write(struct file *file, const char __user *buf, size_t size, loff_t *pos) -{ - ino_t ino = file->f_path.dentry->d_inode->i_ino; - char *data; - ssize_t rv; - - if (ino >= ARRAY_SIZE(write_op) || !write_op[ino]) - return -EINVAL; - - data = simple_transaction_get(file, buf, size); - if (IS_ERR(data)) - return PTR_ERR(data); - - rv = write_op[ino](file, data, size); - if (rv > 0) { - simple_transaction_set(file, rv); - rv = size; - } - return rv; -} - -static const struct file_operations transaction_ops = { - .write = selinux_transaction_write, - .read = simple_transaction_read, - .release = simple_transaction_release, - .llseek = generic_file_llseek, -}; - -/* - * payload - write methods - * If the method has a response, the response should be put in buf, - * and the length returned. Otherwise return 0 or and -error. - */ - -static ssize_t sel_write_access(struct file *file, char *buf, size_t size) -{ - char *scon = NULL, *tcon = NULL; - u32 ssid, tsid; - u16 tclass; - struct av_decision avd; - ssize_t length; - - length = task_has_security(current, SECURITY__COMPUTE_AV); - if (length) - goto out; - - length = -ENOMEM; - scon = kzalloc(size + 1, GFP_KERNEL); - if (!scon) - goto out; - - length = -ENOMEM; - tcon = kzalloc(size + 1, GFP_KERNEL); - if (!tcon) - goto out; - - length = -EINVAL; - if (sscanf(buf, "%s %s %hu", scon, tcon, &tclass) != 3) - goto out; - - length = security_context_to_sid(scon, strlen(scon) + 1, &ssid); - if (length) - goto out; - - length = security_context_to_sid(tcon, strlen(tcon) + 1, &tsid); - if (length) - goto out; - - security_compute_av_user(ssid, tsid, tclass, &avd); - - length = scnprintf(buf, SIMPLE_TRANSACTION_LIMIT, - "%x %x %x %x %u %x", - avd.allowed, 0xffffffff, - avd.auditallow, avd.auditdeny, - avd.seqno, avd.flags); -out: - kfree(tcon); - kfree(scon); - return length; -} - -static ssize_t sel_write_create(struct file *file, char *buf, size_t size) -{ - char *scon = NULL, *tcon = NULL; - char *namebuf = NULL, *objname = NULL; - u32 ssid, tsid, newsid; - u16 tclass; - ssize_t length; - char *newcon = NULL; - u32 len; - int nargs; - - length = task_has_security(current, SECURITY__COMPUTE_CREATE); - if (length) - goto out; - - length = -ENOMEM; - scon = kzalloc(size + 1, GFP_KERNEL); - if (!scon) - goto out; - - length = -ENOMEM; - tcon = kzalloc(size + 1, GFP_KERNEL); - if (!tcon) - goto out; - - length = -ENOMEM; - namebuf = kzalloc(size + 1, GFP_KERNEL); - if (!namebuf) - goto out; - - length = -EINVAL; - nargs = sscanf(buf, "%s %s %hu %s", scon, tcon, &tclass, namebuf); - if (nargs < 3 || nargs > 4) - goto out; - if (nargs == 4) { - /* - * If and when the name of new object to be queried contains - * either whitespace or multibyte characters, they shall be - * encoded based on the percentage-encoding rule. - * If not encoded, the sscanf logic picks up only left-half - * of the supplied name; splitted by a whitespace unexpectedly. - */ - char *r, *w; - int c1, c2; - - r = w = namebuf; - do { - c1 = *r++; - if (c1 == '+') - c1 = ' '; - else if (c1 == '%') { - c1 = hex_to_bin(*r++); - if (c1 < 0) - goto out; - c2 = hex_to_bin(*r++); - if (c2 < 0) - goto out; - c1 = (c1 << 4) | c2; - } - *w++ = c1; - } while (c1 != '\0'); - - objname = namebuf; - } - - length = security_context_to_sid(scon, strlen(scon) + 1, &ssid); - if (length) - goto out; - - length = security_context_to_sid(tcon, strlen(tcon) + 1, &tsid); - if (length) - goto out; - - length = security_transition_sid_user(ssid, tsid, tclass, - objname, &newsid); - if (length) - goto out; - - length = security_sid_to_context(newsid, &newcon, &len); - if (length) - goto out; - - length = -ERANGE; - if (len > SIMPLE_TRANSACTION_LIMIT) { - printk(KERN_ERR "SELinux: %s: context size (%u) exceeds " - "payload max\n", __func__, len); - goto out; - } - - memcpy(buf, newcon, len); - length = len; -out: - kfree(newcon); - kfree(namebuf); - kfree(tcon); - kfree(scon); - return length; -} - -static ssize_t sel_write_relabel(struct file *file, char *buf, size_t size) -{ - char *scon = NULL, *tcon = NULL; - u32 ssid, tsid, newsid; - u16 tclass; - ssize_t length; - char *newcon = NULL; - u32 len; - - length = task_has_security(current, SECURITY__COMPUTE_RELABEL); - if (length) - goto out; - - length = -ENOMEM; - scon = kzalloc(size + 1, GFP_KERNEL); - if (!scon) - goto out; - - length = -ENOMEM; - tcon = kzalloc(size + 1, GFP_KERNEL); - if (!tcon) - goto out; - - length = -EINVAL; - if (sscanf(buf, "%s %s %hu", scon, tcon, &tclass) != 3) - goto out; - - length = security_context_to_sid(scon, strlen(scon) + 1, &ssid); - if (length) - goto out; - - length = security_context_to_sid(tcon, strlen(tcon) + 1, &tsid); - if (length) - goto out; - - length = security_change_sid(ssid, tsid, tclass, &newsid); - if (length) - goto out; - - length = security_sid_to_context(newsid, &newcon, &len); - if (length) - goto out; - - length = -ERANGE; - if (len > SIMPLE_TRANSACTION_LIMIT) - goto out; - - memcpy(buf, newcon, len); - length = len; -out: - kfree(newcon); - kfree(tcon); - kfree(scon); - return length; -} - -static ssize_t sel_write_user(struct file *file, char *buf, size_t size) -{ - char *con = NULL, *user = NULL, *ptr; - u32 sid, *sids = NULL; - ssize_t length; - char *newcon; - int i, rc; - u32 len, nsids; - - length = task_has_security(current, SECURITY__COMPUTE_USER); - if (length) - goto out; - - length = -ENOMEM; - con = kzalloc(size + 1, GFP_KERNEL); - if (!con) - goto out; - - length = -ENOMEM; - user = kzalloc(size + 1, GFP_KERNEL); - if (!user) - goto out; - - length = -EINVAL; - if (sscanf(buf, "%s %s", con, user) != 2) - goto out; - - length = security_context_to_sid(con, strlen(con) + 1, &sid); - if (length) - goto out; - - length = security_get_user_sids(sid, user, &sids, &nsids); - if (length) - goto out; - - length = sprintf(buf, "%u", nsids) + 1; - ptr = buf + length; - for (i = 0; i < nsids; i++) { - rc = security_sid_to_context(sids[i], &newcon, &len); - if (rc) { - length = rc; - goto out; - } - if ((length + len) >= SIMPLE_TRANSACTION_LIMIT) { - kfree(newcon); - length = -ERANGE; - goto out; - } - memcpy(ptr, newcon, len); - kfree(newcon); - ptr += len; - length += len; - } -out: - kfree(sids); - kfree(user); - kfree(con); - return length; -} - -static ssize_t sel_write_member(struct file *file, char *buf, size_t size) -{ - char *scon = NULL, *tcon = NULL; - u32 ssid, tsid, newsid; - u16 tclass; - ssize_t length; - char *newcon = NULL; - u32 len; - - length = task_has_security(current, SECURITY__COMPUTE_MEMBER); - if (length) - goto out; - - length = -ENOMEM; - scon = kzalloc(size + 1, GFP_KERNEL); - if (!scon) - goto out; - - length = -ENOMEM; - tcon = kzalloc(size + 1, GFP_KERNEL); - if (!tcon) - goto out; - - length = -EINVAL; - if (sscanf(buf, "%s %s %hu", scon, tcon, &tclass) != 3) - goto out; - - length = security_context_to_sid(scon, strlen(scon) + 1, &ssid); - if (length) - goto out; - - length = security_context_to_sid(tcon, strlen(tcon) + 1, &tsid); - if (length) - goto out; - - length = security_member_sid(ssid, tsid, tclass, &newsid); - if (length) - goto out; - - length = security_sid_to_context(newsid, &newcon, &len); - if (length) - goto out; - - length = -ERANGE; - if (len > SIMPLE_TRANSACTION_LIMIT) { - printk(KERN_ERR "SELinux: %s: context size (%u) exceeds " - "payload max\n", __func__, len); - goto out; - } - - memcpy(buf, newcon, len); - length = len; -out: - kfree(newcon); - kfree(tcon); - kfree(scon); - return length; -} - -static struct inode *sel_make_inode(struct super_block *sb, int mode) -{ - struct inode *ret = new_inode(sb); - - if (ret) { - ret->i_mode = mode; - ret->i_atime = ret->i_mtime = ret->i_ctime = CURRENT_TIME; - } - return ret; -} - -static ssize_t sel_read_bool(struct file *filep, char __user *buf, - size_t count, loff_t *ppos) -{ - char *page = NULL; - ssize_t length; - ssize_t ret; - int cur_enforcing; - struct inode *inode = filep->f_path.dentry->d_inode; - unsigned index = inode->i_ino & SEL_INO_MASK; - const char *name = filep->f_path.dentry->d_name.name; - - mutex_lock(&sel_mutex); - - ret = -EINVAL; - if (index >= bool_num || strcmp(name, bool_pending_names[index])) - goto out; - - ret = -ENOMEM; - page = (char *)get_zeroed_page(GFP_KERNEL); - if (!page) - goto out; - - cur_enforcing = security_get_bool_value(index); - if (cur_enforcing < 0) { - ret = cur_enforcing; - goto out; - } - length = scnprintf(page, PAGE_SIZE, "%d %d", cur_enforcing, - bool_pending_values[index]); - ret = simple_read_from_buffer(buf, count, ppos, page, length); -out: - mutex_unlock(&sel_mutex); - free_page((unsigned long)page); - return ret; -} - -static ssize_t sel_write_bool(struct file *filep, const char __user *buf, - size_t count, loff_t *ppos) -{ - char *page = NULL; - ssize_t length; - int new_value; - struct inode *inode = filep->f_path.dentry->d_inode; - unsigned index = inode->i_ino & SEL_INO_MASK; - const char *name = filep->f_path.dentry->d_name.name; - - mutex_lock(&sel_mutex); - - length = task_has_security(current, SECURITY__SETBOOL); - if (length) - goto out; - - length = -EINVAL; - if (index >= bool_num || strcmp(name, bool_pending_names[index])) - goto out; - - length = -ENOMEM; - if (count >= PAGE_SIZE) - goto out; - - /* No partial writes. */ - length = -EINVAL; - if (*ppos != 0) - goto out; - - length = -ENOMEM; - page = (char *)get_zeroed_page(GFP_KERNEL); - if (!page) - goto out; - - length = -EFAULT; - if (copy_from_user(page, buf, count)) - goto out; - - length = -EINVAL; - if (sscanf(page, "%d", &new_value) != 1) - goto out; - - if (new_value) - new_value = 1; - - bool_pending_values[index] = new_value; - length = count; - -out: - mutex_unlock(&sel_mutex); - free_page((unsigned long) page); - return length; -} - -static const struct file_operations sel_bool_ops = { - .read = sel_read_bool, - .write = sel_write_bool, - .llseek = generic_file_llseek, -}; - -static ssize_t sel_commit_bools_write(struct file *filep, - const char __user *buf, - size_t count, loff_t *ppos) -{ - char *page = NULL; - ssize_t length; - int new_value; - - mutex_lock(&sel_mutex); - - length = task_has_security(current, SECURITY__SETBOOL); - if (length) - goto out; - - length = -ENOMEM; - if (count >= PAGE_SIZE) - goto out; - - /* No partial writes. */ - length = -EINVAL; - if (*ppos != 0) - goto out; - - length = -ENOMEM; - page = (char *)get_zeroed_page(GFP_KERNEL); - if (!page) - goto out; - - length = -EFAULT; - if (copy_from_user(page, buf, count)) - goto out; - - length = -EINVAL; - if (sscanf(page, "%d", &new_value) != 1) - goto out; - - length = 0; - if (new_value && bool_pending_values) - length = security_set_bools(bool_num, bool_pending_values); - - if (!length) - length = count; - -out: - mutex_unlock(&sel_mutex); - free_page((unsigned long) page); - return length; -} - -static const struct file_operations sel_commit_bools_ops = { - .write = sel_commit_bools_write, - .llseek = generic_file_llseek, -}; - -static void sel_remove_entries(struct dentry *de) -{ - struct list_head *node; - - spin_lock(&de->d_lock); - node = de->d_subdirs.next; - while (node != &de->d_subdirs) { - struct dentry *d = list_entry(node, struct dentry, d_u.d_child); - - spin_lock_nested(&d->d_lock, DENTRY_D_LOCK_NESTED); - list_del_init(node); - - if (d->d_inode) { - dget_dlock(d); - spin_unlock(&de->d_lock); - spin_unlock(&d->d_lock); - d_delete(d); - simple_unlink(de->d_inode, d); - dput(d); - spin_lock(&de->d_lock); - } else - spin_unlock(&d->d_lock); - node = de->d_subdirs.next; - } - - spin_unlock(&de->d_lock); -} - -#define BOOL_DIR_NAME "booleans" - -static int sel_make_bools(void) -{ - int i, ret; - ssize_t len; - struct dentry *dentry = NULL; - struct dentry *dir = bool_dir; - struct inode *inode = NULL; - struct inode_security_struct *isec; - char **names = NULL, *page; - int num; - int *values = NULL; - u32 sid; - - /* remove any existing files */ - for (i = 0; i < bool_num; i++) - kfree(bool_pending_names[i]); - kfree(bool_pending_names); - kfree(bool_pending_values); - bool_num = 0; - bool_pending_names = NULL; - bool_pending_values = NULL; - - sel_remove_entries(dir); - - ret = -ENOMEM; - page = (char *)get_zeroed_page(GFP_KERNEL); - if (!page) - goto out; - - ret = security_get_bools(&num, &names, &values); - if (ret) - goto out; - - for (i = 0; i < num; i++) { - ret = -ENOMEM; - dentry = d_alloc_name(dir, names[i]); - if (!dentry) - goto out; - - ret = -ENOMEM; - inode = sel_make_inode(dir->d_sb, S_IFREG | S_IRUGO | S_IWUSR); - if (!inode) - goto out; - - ret = -EINVAL; - len = snprintf(page, PAGE_SIZE, "/%s/%s", BOOL_DIR_NAME, names[i]); - if (len < 0) - goto out; - - ret = -ENAMETOOLONG; - if (len >= PAGE_SIZE) - goto out; - - isec = (struct inode_security_struct *)inode->i_security; - ret = security_genfs_sid("selinuxfs", page, SECCLASS_FILE, &sid); - if (ret) - goto out; - - isec->sid = sid; - isec->initialized = 1; - inode->i_fop = &sel_bool_ops; - inode->i_ino = i|SEL_BOOL_INO_OFFSET; - d_add(dentry, inode); - } - bool_num = num; - bool_pending_names = names; - bool_pending_values = values; - - free_page((unsigned long)page); - return 0; -out: - free_page((unsigned long)page); - - if (names) { - for (i = 0; i < num; i++) - kfree(names[i]); - kfree(names); - } - kfree(values); - sel_remove_entries(dir); - - return ret; -} - -#define NULL_FILE_NAME "null" - -struct dentry *selinux_null; - -static ssize_t sel_read_avc_cache_threshold(struct file *filp, char __user *buf, - size_t count, loff_t *ppos) -{ - char tmpbuf[TMPBUFLEN]; - ssize_t length; - - length = scnprintf(tmpbuf, TMPBUFLEN, "%u", avc_cache_threshold); - return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); -} - -static ssize_t sel_write_avc_cache_threshold(struct file *file, - const char __user *buf, - size_t count, loff_t *ppos) - -{ - char *page = NULL; - ssize_t ret; - int new_value; - - ret = task_has_security(current, SECURITY__SETSECPARAM); - if (ret) - goto out; - - ret = -ENOMEM; - if (count >= PAGE_SIZE) - goto out; - - /* No partial writes. */ - ret = -EINVAL; - if (*ppos != 0) - goto out; - - ret = -ENOMEM; - page = (char *)get_zeroed_page(GFP_KERNEL); - if (!page) - goto out; - - ret = -EFAULT; - if (copy_from_user(page, buf, count)) - goto out; - - ret = -EINVAL; - if (sscanf(page, "%u", &new_value) != 1) - goto out; - - avc_cache_threshold = new_value; - - ret = count; -out: - free_page((unsigned long)page); - return ret; -} - -static ssize_t sel_read_avc_hash_stats(struct file *filp, char __user *buf, - size_t count, loff_t *ppos) -{ - char *page; - ssize_t length; - - page = (char *)__get_free_page(GFP_KERNEL); - if (!page) - return -ENOMEM; - - length = avc_get_hash_stats(page); - if (length >= 0) - length = simple_read_from_buffer(buf, count, ppos, page, length); - free_page((unsigned long)page); - - return length; -} - -static const struct file_operations sel_avc_cache_threshold_ops = { - .read = sel_read_avc_cache_threshold, - .write = sel_write_avc_cache_threshold, - .llseek = generic_file_llseek, -}; - -static const struct file_operations sel_avc_hash_stats_ops = { - .read = sel_read_avc_hash_stats, - .llseek = generic_file_llseek, -}; - -#ifdef CONFIG_SECURITY_SELINUX_AVC_STATS -static struct avc_cache_stats *sel_avc_get_stat_idx(loff_t *idx) -{ - int cpu; - - for (cpu = *idx; cpu < nr_cpu_ids; ++cpu) { - if (!cpu_possible(cpu)) - continue; - *idx = cpu + 1; - return &per_cpu(avc_cache_stats, cpu); - } - return NULL; -} - -static void *sel_avc_stats_seq_start(struct seq_file *seq, loff_t *pos) -{ - loff_t n = *pos - 1; - - if (*pos == 0) - return SEQ_START_TOKEN; - - return sel_avc_get_stat_idx(&n); -} - -static void *sel_avc_stats_seq_next(struct seq_file *seq, void *v, loff_t *pos) -{ - return sel_avc_get_stat_idx(pos); -} - -static int sel_avc_stats_seq_show(struct seq_file *seq, void *v) -{ - struct avc_cache_stats *st = v; - - if (v == SEQ_START_TOKEN) - seq_printf(seq, "lookups hits misses allocations reclaims " - "frees\n"); - else { - unsigned int lookups = st->lookups; - unsigned int misses = st->misses; - unsigned int hits = lookups - misses; - seq_printf(seq, "%u %u %u %u %u %u\n", lookups, - hits, misses, st->allocations, - st->reclaims, st->frees); - } - return 0; -} - -static void sel_avc_stats_seq_stop(struct seq_file *seq, void *v) -{ } - -static const struct seq_operations sel_avc_cache_stats_seq_ops = { - .start = sel_avc_stats_seq_start, - .next = sel_avc_stats_seq_next, - .show = sel_avc_stats_seq_show, - .stop = sel_avc_stats_seq_stop, -}; - -static int sel_open_avc_cache_stats(struct inode *inode, struct file *file) -{ - return seq_open(file, &sel_avc_cache_stats_seq_ops); -} - -static const struct file_operations sel_avc_cache_stats_ops = { - .open = sel_open_avc_cache_stats, - .read = seq_read, - .llseek = seq_lseek, - .release = seq_release, -}; -#endif - -static int sel_make_avc_files(struct dentry *dir) -{ - int i; - static struct tree_descr files[] = { - { "cache_threshold", - &sel_avc_cache_threshold_ops, S_IRUGO|S_IWUSR }, - { "hash_stats", &sel_avc_hash_stats_ops, S_IRUGO }, -#ifdef CONFIG_SECURITY_SELINUX_AVC_STATS - { "cache_stats", &sel_avc_cache_stats_ops, S_IRUGO }, -#endif - }; - - for (i = 0; i < ARRAY_SIZE(files); i++) { - struct inode *inode; - struct dentry *dentry; - - dentry = d_alloc_name(dir, files[i].name); - if (!dentry) - return -ENOMEM; - - inode = sel_make_inode(dir->d_sb, S_IFREG|files[i].mode); - if (!inode) - return -ENOMEM; - - inode->i_fop = files[i].ops; - inode->i_ino = ++sel_last_ino; - d_add(dentry, inode); - } - - return 0; -} - -static ssize_t sel_read_initcon(struct file *file, char __user *buf, - size_t count, loff_t *ppos) -{ - struct inode *inode; - char *con; - u32 sid, len; - ssize_t ret; - - inode = file->f_path.dentry->d_inode; - sid = inode->i_ino&SEL_INO_MASK; - ret = security_sid_to_context(sid, &con, &len); - if (ret) - return ret; - - ret = simple_read_from_buffer(buf, count, ppos, con, len); - kfree(con); - return ret; -} - -static const struct file_operations sel_initcon_ops = { - .read = sel_read_initcon, - .llseek = generic_file_llseek, -}; - -static int sel_make_initcon_files(struct dentry *dir) -{ - int i; - - for (i = 1; i <= SECINITSID_NUM; i++) { - struct inode *inode; - struct dentry *dentry; - dentry = d_alloc_name(dir, security_get_initial_sid_context(i)); - if (!dentry) - return -ENOMEM; - - inode = sel_make_inode(dir->d_sb, S_IFREG|S_IRUGO); - if (!inode) - return -ENOMEM; - - inode->i_fop = &sel_initcon_ops; - inode->i_ino = i|SEL_INITCON_INO_OFFSET; - d_add(dentry, inode); - } - - return 0; -} - -static inline unsigned int sel_div(unsigned long a, unsigned long b) -{ - return a / b - (a % b < 0); -} - -static inline unsigned long sel_class_to_ino(u16 class) -{ - return (class * (SEL_VEC_MAX + 1)) | SEL_CLASS_INO_OFFSET; -} - -static inline u16 sel_ino_to_class(unsigned long ino) -{ - return sel_div(ino & SEL_INO_MASK, SEL_VEC_MAX + 1); -} - -static inline unsigned long sel_perm_to_ino(u16 class, u32 perm) -{ - return (class * (SEL_VEC_MAX + 1) + perm) | SEL_CLASS_INO_OFFSET; -} - -static inline u32 sel_ino_to_perm(unsigned long ino) -{ - return (ino & SEL_INO_MASK) % (SEL_VEC_MAX + 1); -} - -static ssize_t sel_read_class(struct file *file, char __user *buf, - size_t count, loff_t *ppos) -{ - ssize_t rc, len; - char *page; - unsigned long ino = file->f_path.dentry->d_inode->i_ino; - - page = (char *)__get_free_page(GFP_KERNEL); - if (!page) - return -ENOMEM; - - len = snprintf(page, PAGE_SIZE, "%d", sel_ino_to_class(ino)); - rc = simple_read_from_buffer(buf, count, ppos, page, len); - free_page((unsigned long)page); - - return rc; -} - -static const struct file_operations sel_class_ops = { - .read = sel_read_class, - .llseek = generic_file_llseek, -}; - -static ssize_t sel_read_perm(struct file *file, char __user *buf, - size_t count, loff_t *ppos) -{ - ssize_t rc, len; - char *page; - unsigned long ino = file->f_path.dentry->d_inode->i_ino; - - page = (char *)__get_free_page(GFP_KERNEL); - if (!page) - return -ENOMEM; - - len = snprintf(page, PAGE_SIZE, "%d", sel_ino_to_perm(ino)); - rc = simple_read_from_buffer(buf, count, ppos, page, len); - free_page((unsigned long)page); - - return rc; -} - -static const struct file_operations sel_perm_ops = { - .read = sel_read_perm, - .llseek = generic_file_llseek, -}; - -static ssize_t sel_read_policycap(struct file *file, char __user *buf, - size_t count, loff_t *ppos) -{ - int value; - char tmpbuf[TMPBUFLEN]; - ssize_t length; - unsigned long i_ino = file->f_path.dentry->d_inode->i_ino; - - value = security_policycap_supported(i_ino & SEL_INO_MASK); - length = scnprintf(tmpbuf, TMPBUFLEN, "%d", value); - - return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); -} - -static const struct file_operations sel_policycap_ops = { - .read = sel_read_policycap, - .llseek = generic_file_llseek, -}; - -static int sel_make_perm_files(char *objclass, int classvalue, - struct dentry *dir) -{ - int i, rc, nperms; - char **perms; - - rc = security_get_permissions(objclass, &perms, &nperms); - if (rc) - return rc; - - for (i = 0; i < nperms; i++) { - struct inode *inode; - struct dentry *dentry; - - rc = -ENOMEM; - dentry = d_alloc_name(dir, perms[i]); - if (!dentry) - goto out; - - rc = -ENOMEM; - inode = sel_make_inode(dir->d_sb, S_IFREG|S_IRUGO); - if (!inode) - goto out; - - inode->i_fop = &sel_perm_ops; - /* i+1 since perm values are 1-indexed */ - inode->i_ino = sel_perm_to_ino(classvalue, i + 1); - d_add(dentry, inode); - } - rc = 0; -out: - for (i = 0; i < nperms; i++) - kfree(perms[i]); - kfree(perms); - return rc; -} - -static int sel_make_class_dir_entries(char *classname, int index, - struct dentry *dir) -{ - struct dentry *dentry = NULL; - struct inode *inode = NULL; - int rc; - - dentry = d_alloc_name(dir, "index"); - if (!dentry) - return -ENOMEM; - - inode = sel_make_inode(dir->d_sb, S_IFREG|S_IRUGO); - if (!inode) - return -ENOMEM; - - inode->i_fop = &sel_class_ops; - inode->i_ino = sel_class_to_ino(index); - d_add(dentry, inode); - - dentry = sel_make_dir(dir, "perms", &last_class_ino); - if (IS_ERR(dentry)) - return PTR_ERR(dentry); - - rc = sel_make_perm_files(classname, index, dentry); - - return rc; -} - -static void sel_remove_classes(void) -{ - struct list_head *class_node; - - list_for_each(class_node, &class_dir->d_subdirs) { - struct dentry *class_subdir = list_entry(class_node, - struct dentry, d_u.d_child); - struct list_head *class_subdir_node; - - list_for_each(class_subdir_node, &class_subdir->d_subdirs) { - struct dentry *d = list_entry(class_subdir_node, - struct dentry, d_u.d_child); - - if (d->d_inode) - if (d->d_inode->i_mode & S_IFDIR) - sel_remove_entries(d); - } - - sel_remove_entries(class_subdir); - } - - sel_remove_entries(class_dir); -} - -static int sel_make_classes(void) -{ - int rc, nclasses, i; - char **classes; - - /* delete any existing entries */ - sel_remove_classes(); - - rc = security_get_classes(&classes, &nclasses); - if (rc) - return rc; - - /* +2 since classes are 1-indexed */ - last_class_ino = sel_class_to_ino(nclasses + 2); - - for (i = 0; i < nclasses; i++) { - struct dentry *class_name_dir; - - class_name_dir = sel_make_dir(class_dir, classes[i], - &last_class_ino); - if (IS_ERR(class_name_dir)) { - rc = PTR_ERR(class_name_dir); - goto out; - } - - /* i+1 since class values are 1-indexed */ - rc = sel_make_class_dir_entries(classes[i], i + 1, - class_name_dir); - if (rc) - goto out; - } - rc = 0; -out: - for (i = 0; i < nclasses; i++) - kfree(classes[i]); - kfree(classes); - return rc; -} - -static int sel_make_policycap(void) -{ - unsigned int iter; - struct dentry *dentry = NULL; - struct inode *inode = NULL; - - sel_remove_entries(policycap_dir); - - for (iter = 0; iter <= POLICYDB_CAPABILITY_MAX; iter++) { - if (iter < ARRAY_SIZE(policycap_names)) - dentry = d_alloc_name(policycap_dir, - policycap_names[iter]); - else - dentry = d_alloc_name(policycap_dir, "unknown"); - - if (dentry == NULL) - return -ENOMEM; - - inode = sel_make_inode(policycap_dir->d_sb, S_IFREG | S_IRUGO); - if (inode == NULL) - return -ENOMEM; - - inode->i_fop = &sel_policycap_ops; - inode->i_ino = iter | SEL_POLICYCAP_INO_OFFSET; - d_add(dentry, inode); - } - - return 0; -} - -static struct dentry *sel_make_dir(struct dentry *dir, const char *name, - unsigned long *ino) -{ - struct dentry *dentry = d_alloc_name(dir, name); - struct inode *inode; - - if (!dentry) - return ERR_PTR(-ENOMEM); - - inode = sel_make_inode(dir->d_sb, S_IFDIR | S_IRUGO | S_IXUGO); - if (!inode) { - dput(dentry); - return ERR_PTR(-ENOMEM); - } - - inode->i_op = &simple_dir_inode_operations; - inode->i_fop = &simple_dir_operations; - inode->i_ino = ++(*ino); - /* directory inodes start off with i_nlink == 2 (for "." entry) */ - inc_nlink(inode); - d_add(dentry, inode); - /* bump link count on parent directory, too */ - inc_nlink(dir->d_inode); - - return dentry; -} - -static int sel_fill_super(struct super_block *sb, void *data, int silent) -{ - int ret; - struct dentry *dentry; - struct inode *inode; - struct inode_security_struct *isec; - - static struct tree_descr selinux_files[] = { - [SEL_LOAD] = {"load", &sel_load_ops, S_IRUSR|S_IWUSR}, - [SEL_ENFORCE] = {"enforce", &sel_enforce_ops, S_IRUGO|S_IWUSR}, - [SEL_CONTEXT] = {"context", &transaction_ops, S_IRUGO|S_IWUGO}, - [SEL_ACCESS] = {"access", &transaction_ops, S_IRUGO|S_IWUGO}, - [SEL_CREATE] = {"create", &transaction_ops, S_IRUGO|S_IWUGO}, - [SEL_RELABEL] = {"relabel", &transaction_ops, S_IRUGO|S_IWUGO}, - [SEL_USER] = {"user", &transaction_ops, S_IRUGO|S_IWUGO}, - [SEL_POLICYVERS] = {"policyvers", &sel_policyvers_ops, S_IRUGO}, - [SEL_COMMIT_BOOLS] = {"commit_pending_bools", &sel_commit_bools_ops, S_IWUSR}, - [SEL_MLS] = {"mls", &sel_mls_ops, S_IRUGO}, - [SEL_DISABLE] = {"disable", &sel_disable_ops, S_IWUSR}, - [SEL_MEMBER] = {"member", &transaction_ops, S_IRUGO|S_IWUGO}, - [SEL_CHECKREQPROT] = {"checkreqprot", &sel_checkreqprot_ops, S_IRUGO|S_IWUSR}, - [SEL_REJECT_UNKNOWN] = {"reject_unknown", &sel_handle_unknown_ops, S_IRUGO}, - [SEL_DENY_UNKNOWN] = {"deny_unknown", &sel_handle_unknown_ops, S_IRUGO}, - [SEL_STATUS] = {"status", &sel_handle_status_ops, S_IRUGO}, - [SEL_POLICY] = {"policy", &sel_policy_ops, S_IRUSR}, - /* last one */ {""} - }; - ret = simple_fill_super(sb, SELINUX_MAGIC, selinux_files); - if (ret) - goto err; - - bool_dir = sel_make_dir(sb->s_root, BOOL_DIR_NAME, &sel_last_ino); - if (IS_ERR(bool_dir)) { - ret = PTR_ERR(bool_dir); - bool_dir = NULL; - goto err; - } - - ret = -ENOMEM; - dentry = d_alloc_name(sb->s_root, NULL_FILE_NAME); - if (!dentry) - goto err; - - ret = -ENOMEM; - inode = sel_make_inode(sb, S_IFCHR | S_IRUGO | S_IWUGO); - if (!inode) - goto err; - - inode->i_ino = ++sel_last_ino; - isec = (struct inode_security_struct *)inode->i_security; - isec->sid = SECINITSID_DEVNULL; - isec->sclass = SECCLASS_CHR_FILE; - isec->initialized = 1; - - init_special_inode(inode, S_IFCHR | S_IRUGO | S_IWUGO, MKDEV(MEM_MAJOR, 3)); - d_add(dentry, inode); - selinux_null = dentry; - - dentry = sel_make_dir(sb->s_root, "avc", &sel_last_ino); - if (IS_ERR(dentry)) { - ret = PTR_ERR(dentry); - goto err; - } - - ret = sel_make_avc_files(dentry); - if (ret) - goto err; - - dentry = sel_make_dir(sb->s_root, "initial_contexts", &sel_last_ino); - if (IS_ERR(dentry)) { - ret = PTR_ERR(dentry); - goto err; - } - - ret = sel_make_initcon_files(dentry); - if (ret) - goto err; - - class_dir = sel_make_dir(sb->s_root, "class", &sel_last_ino); - if (IS_ERR(class_dir)) { - ret = PTR_ERR(class_dir); - class_dir = NULL; - goto err; - } - - policycap_dir = sel_make_dir(sb->s_root, "policy_capabilities", &sel_last_ino); - if (IS_ERR(policycap_dir)) { - ret = PTR_ERR(policycap_dir); - policycap_dir = NULL; - goto err; - } - return 0; -err: - printk(KERN_ERR "SELinux: %s: failed while creating inodes\n", - __func__); - return ret; -} - -static struct dentry *sel_mount(struct file_system_type *fs_type, - int flags, const char *dev_name, void *data) -{ - return mount_single(fs_type, flags, data, sel_fill_super); -} - -static struct file_system_type sel_fs_type = { - .name = "selinuxfs", - .mount = sel_mount, - .kill_sb = kill_litter_super, -}; - -struct vfsmount *selinuxfs_mount; -static struct kobject *selinuxfs_kobj; - -static int __init init_sel_fs(void) -{ - int err; - - if (!selinux_enabled) - return 0; - - selinuxfs_kobj = kobject_create_and_add("selinux", fs_kobj); - if (!selinuxfs_kobj) - return -ENOMEM; - - err = register_filesystem(&sel_fs_type); - if (err) { - kobject_put(selinuxfs_kobj); - return err; - } - - selinuxfs_mount = kern_mount(&sel_fs_type); - if (IS_ERR(selinuxfs_mount)) { - printk(KERN_ERR "selinuxfs: could not mount!\n"); - err = PTR_ERR(selinuxfs_mount); - selinuxfs_mount = NULL; - } - - return err; -} - -__initcall(init_sel_fs); - -#ifdef CONFIG_SECURITY_SELINUX_DISABLE -void exit_sel_fs(void) -{ - kobject_put(selinuxfs_kobj); - kern_unmount(selinuxfs_mount); - unregister_filesystem(&sel_fs_type); -} -#endif diff --git a/ANDROID_3.4.5/security/selinux/ss/avtab.c b/ANDROID_3.4.5/security/selinux/ss/avtab.c deleted file mode 100644 index a3dd9faa..00000000 --- a/ANDROID_3.4.5/security/selinux/ss/avtab.c +++ /dev/null @@ -1,556 +0,0 @@ -/* - * Implementation of the access vector table type. - * - * Author : Stephen Smalley, <sds@epoch.ncsc.mil> - */ - -/* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> - * - * Added conditional policy language extensions - * - * Copyright (C) 2003 Tresys Technology, LLC - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, version 2. - * - * Updated: Yuichi Nakamura <ynakam@hitachisoft.jp> - * Tuned number of hash slots for avtab to reduce memory usage - */ - -#include <linux/kernel.h> -#include <linux/slab.h> -#include <linux/errno.h> -#include "avtab.h" -#include "policydb.h" - -static struct kmem_cache *avtab_node_cachep; - -static inline int avtab_hash(struct avtab_key *keyp, u16 mask) -{ - return ((keyp->target_class + (keyp->target_type << 2) + - (keyp->source_type << 9)) & mask); -} - -static struct avtab_node* -avtab_insert_node(struct avtab *h, int hvalue, - struct avtab_node *prev, struct avtab_node *cur, - struct avtab_key *key, struct avtab_datum *datum) -{ - struct avtab_node *newnode; - newnode = kmem_cache_zalloc(avtab_node_cachep, GFP_KERNEL); - if (newnode == NULL) - return NULL; - newnode->key = *key; - newnode->datum = *datum; - if (prev) { - newnode->next = prev->next; - prev->next = newnode; - } else { - newnode->next = h->htable[hvalue]; - h->htable[hvalue] = newnode; - } - - h->nel++; - return newnode; -} - -static int avtab_insert(struct avtab *h, struct avtab_key *key, struct avtab_datum *datum) -{ - int hvalue; - struct avtab_node *prev, *cur, *newnode; - u16 specified = key->specified & ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD); - - if (!h || !h->htable) - return -EINVAL; - - hvalue = avtab_hash(key, h->mask); - for (prev = NULL, cur = h->htable[hvalue]; - cur; - prev = cur, cur = cur->next) { - if (key->source_type == cur->key.source_type && - key->target_type == cur->key.target_type && - key->target_class == cur->key.target_class && - (specified & cur->key.specified)) - return -EEXIST; - if (key->source_type < cur->key.source_type) - break; - if (key->source_type == cur->key.source_type && - key->target_type < cur->key.target_type) - break; - if (key->source_type == cur->key.source_type && - key->target_type == cur->key.target_type && - key->target_class < cur->key.target_class) - break; - } - - newnode = avtab_insert_node(h, hvalue, prev, cur, key, datum); - if (!newnode) - return -ENOMEM; - - return 0; -} - -/* Unlike avtab_insert(), this function allow multiple insertions of the same - * key/specified mask into the table, as needed by the conditional avtab. - * It also returns a pointer to the node inserted. - */ -struct avtab_node * -avtab_insert_nonunique(struct avtab *h, struct avtab_key *key, struct avtab_datum *datum) -{ - int hvalue; - struct avtab_node *prev, *cur; - u16 specified = key->specified & ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD); - - if (!h || !h->htable) - return NULL; - hvalue = avtab_hash(key, h->mask); - for (prev = NULL, cur = h->htable[hvalue]; - cur; - prev = cur, cur = cur->next) { - if (key->source_type == cur->key.source_type && - key->target_type == cur->key.target_type && - key->target_class == cur->key.target_class && - (specified & cur->key.specified)) - break; - if (key->source_type < cur->key.source_type) - break; - if (key->source_type == cur->key.source_type && - key->target_type < cur->key.target_type) - break; - if (key->source_type == cur->key.source_type && - key->target_type == cur->key.target_type && - key->target_class < cur->key.target_class) - break; - } - return avtab_insert_node(h, hvalue, prev, cur, key, datum); -} - -struct avtab_datum *avtab_search(struct avtab *h, struct avtab_key *key) -{ - int hvalue; - struct avtab_node *cur; - u16 specified = key->specified & ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD); - - if (!h || !h->htable) - return NULL; - - hvalue = avtab_hash(key, h->mask); - for (cur = h->htable[hvalue]; cur; cur = cur->next) { - if (key->source_type == cur->key.source_type && - key->target_type == cur->key.target_type && - key->target_class == cur->key.target_class && - (specified & cur->key.specified)) - return &cur->datum; - - if (key->source_type < cur->key.source_type) - break; - if (key->source_type == cur->key.source_type && - key->target_type < cur->key.target_type) - break; - if (key->source_type == cur->key.source_type && - key->target_type == cur->key.target_type && - key->target_class < cur->key.target_class) - break; - } - - return NULL; -} - -/* This search function returns a node pointer, and can be used in - * conjunction with avtab_search_next_node() - */ -struct avtab_node* -avtab_search_node(struct avtab *h, struct avtab_key *key) -{ - int hvalue; - struct avtab_node *cur; - u16 specified = key->specified & ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD); - - if (!h || !h->htable) - return NULL; - - hvalue = avtab_hash(key, h->mask); - for (cur = h->htable[hvalue]; cur; cur = cur->next) { - if (key->source_type == cur->key.source_type && - key->target_type == cur->key.target_type && - key->target_class == cur->key.target_class && - (specified & cur->key.specified)) - return cur; - - if (key->source_type < cur->key.source_type) - break; - if (key->source_type == cur->key.source_type && - key->target_type < cur->key.target_type) - break; - if (key->source_type == cur->key.source_type && - key->target_type == cur->key.target_type && - key->target_class < cur->key.target_class) - break; - } - return NULL; -} - -struct avtab_node* -avtab_search_node_next(struct avtab_node *node, int specified) -{ - struct avtab_node *cur; - - if (!node) - return NULL; - - specified &= ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD); - for (cur = node->next; cur; cur = cur->next) { - if (node->key.source_type == cur->key.source_type && - node->key.target_type == cur->key.target_type && - node->key.target_class == cur->key.target_class && - (specified & cur->key.specified)) - return cur; - - if (node->key.source_type < cur->key.source_type) - break; - if (node->key.source_type == cur->key.source_type && - node->key.target_type < cur->key.target_type) - break; - if (node->key.source_type == cur->key.source_type && - node->key.target_type == cur->key.target_type && - node->key.target_class < cur->key.target_class) - break; - } - return NULL; -} - -void avtab_destroy(struct avtab *h) -{ - int i; - struct avtab_node *cur, *temp; - - if (!h || !h->htable) - return; - - for (i = 0; i < h->nslot; i++) { - cur = h->htable[i]; - while (cur) { - temp = cur; - cur = cur->next; - kmem_cache_free(avtab_node_cachep, temp); - } - h->htable[i] = NULL; - } - kfree(h->htable); - h->htable = NULL; - h->nslot = 0; - h->mask = 0; -} - -int avtab_init(struct avtab *h) -{ - h->htable = NULL; - h->nel = 0; - return 0; -} - -int avtab_alloc(struct avtab *h, u32 nrules) -{ - u16 mask = 0; - u32 shift = 0; - u32 work = nrules; - u32 nslot = 0; - - if (nrules == 0) - goto avtab_alloc_out; - - while (work) { - work = work >> 1; - shift++; - } - if (shift > 2) - shift = shift - 2; - nslot = 1 << shift; - if (nslot > MAX_AVTAB_HASH_BUCKETS) - nslot = MAX_AVTAB_HASH_BUCKETS; - mask = nslot - 1; - - h->htable = kcalloc(nslot, sizeof(*(h->htable)), GFP_KERNEL); - if (!h->htable) - return -ENOMEM; - - avtab_alloc_out: - h->nel = 0; - h->nslot = nslot; - h->mask = mask; - printk(KERN_DEBUG "SELinux: %d avtab hash slots, %d rules.\n", - h->nslot, nrules); - return 0; -} - -void avtab_hash_eval(struct avtab *h, char *tag) -{ - int i, chain_len, slots_used, max_chain_len; - unsigned long long chain2_len_sum; - struct avtab_node *cur; - - slots_used = 0; - max_chain_len = 0; - chain2_len_sum = 0; - for (i = 0; i < h->nslot; i++) { - cur = h->htable[i]; - if (cur) { - slots_used++; - chain_len = 0; - while (cur) { - chain_len++; - cur = cur->next; - } - - if (chain_len > max_chain_len) - max_chain_len = chain_len; - chain2_len_sum += chain_len * chain_len; - } - } - - printk(KERN_DEBUG "SELinux: %s: %d entries and %d/%d buckets used, " - "longest chain length %d sum of chain length^2 %llu\n", - tag, h->nel, slots_used, h->nslot, max_chain_len, - chain2_len_sum); -} - -static uint16_t spec_order[] = { - AVTAB_ALLOWED, - AVTAB_AUDITDENY, - AVTAB_AUDITALLOW, - AVTAB_TRANSITION, - AVTAB_CHANGE, - AVTAB_MEMBER -}; - -int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol, - int (*insertf)(struct avtab *a, struct avtab_key *k, - struct avtab_datum *d, void *p), - void *p) -{ - __le16 buf16[4]; - u16 enabled; - __le32 buf32[7]; - u32 items, items2, val, vers = pol->policyvers; - struct avtab_key key; - struct avtab_datum datum; - int i, rc; - unsigned set; - - memset(&key, 0, sizeof(struct avtab_key)); - memset(&datum, 0, sizeof(struct avtab_datum)); - - if (vers < POLICYDB_VERSION_AVTAB) { - rc = next_entry(buf32, fp, sizeof(u32)); - if (rc) { - printk(KERN_ERR "SELinux: avtab: truncated entry\n"); - return rc; - } - items2 = le32_to_cpu(buf32[0]); - if (items2 > ARRAY_SIZE(buf32)) { - printk(KERN_ERR "SELinux: avtab: entry overflow\n"); - return -EINVAL; - - } - rc = next_entry(buf32, fp, sizeof(u32)*items2); - if (rc) { - printk(KERN_ERR "SELinux: avtab: truncated entry\n"); - return rc; - } - items = 0; - - val = le32_to_cpu(buf32[items++]); - key.source_type = (u16)val; - if (key.source_type != val) { - printk(KERN_ERR "SELinux: avtab: truncated source type\n"); - return -EINVAL; - } - val = le32_to_cpu(buf32[items++]); - key.target_type = (u16)val; - if (key.target_type != val) { - printk(KERN_ERR "SELinux: avtab: truncated target type\n"); - return -EINVAL; - } - val = le32_to_cpu(buf32[items++]); - key.target_class = (u16)val; - if (key.target_class != val) { - printk(KERN_ERR "SELinux: avtab: truncated target class\n"); - return -EINVAL; - } - - val = le32_to_cpu(buf32[items++]); - enabled = (val & AVTAB_ENABLED_OLD) ? AVTAB_ENABLED : 0; - - if (!(val & (AVTAB_AV | AVTAB_TYPE))) { - printk(KERN_ERR "SELinux: avtab: null entry\n"); - return -EINVAL; - } - if ((val & AVTAB_AV) && - (val & AVTAB_TYPE)) { - printk(KERN_ERR "SELinux: avtab: entry has both access vectors and types\n"); - return -EINVAL; - } - - for (i = 0; i < ARRAY_SIZE(spec_order); i++) { - if (val & spec_order[i]) { - key.specified = spec_order[i] | enabled; - datum.data = le32_to_cpu(buf32[items++]); - rc = insertf(a, &key, &datum, p); - if (rc) - return rc; - } - } - - if (items != items2) { - printk(KERN_ERR "SELinux: avtab: entry only had %d items, expected %d\n", items2, items); - return -EINVAL; - } - return 0; - } - - rc = next_entry(buf16, fp, sizeof(u16)*4); - if (rc) { - printk(KERN_ERR "SELinux: avtab: truncated entry\n"); - return rc; - } - - items = 0; - key.source_type = le16_to_cpu(buf16[items++]); - key.target_type = le16_to_cpu(buf16[items++]); - key.target_class = le16_to_cpu(buf16[items++]); - key.specified = le16_to_cpu(buf16[items++]); - - if (!policydb_type_isvalid(pol, key.source_type) || - !policydb_type_isvalid(pol, key.target_type) || - !policydb_class_isvalid(pol, key.target_class)) { - printk(KERN_ERR "SELinux: avtab: invalid type or class\n"); - return -EINVAL; - } - - set = 0; - for (i = 0; i < ARRAY_SIZE(spec_order); i++) { - if (key.specified & spec_order[i]) - set++; - } - if (!set || set > 1) { - printk(KERN_ERR "SELinux: avtab: more than one specifier\n"); - return -EINVAL; - } - - rc = next_entry(buf32, fp, sizeof(u32)); - if (rc) { - printk(KERN_ERR "SELinux: avtab: truncated entry\n"); - return rc; - } - datum.data = le32_to_cpu(*buf32); - if ((key.specified & AVTAB_TYPE) && - !policydb_type_isvalid(pol, datum.data)) { - printk(KERN_ERR "SELinux: avtab: invalid type\n"); - return -EINVAL; - } - return insertf(a, &key, &datum, p); -} - -static int avtab_insertf(struct avtab *a, struct avtab_key *k, - struct avtab_datum *d, void *p) -{ - return avtab_insert(a, k, d); -} - -int avtab_read(struct avtab *a, void *fp, struct policydb *pol) -{ - int rc; - __le32 buf[1]; - u32 nel, i; - - - rc = next_entry(buf, fp, sizeof(u32)); - if (rc < 0) { - printk(KERN_ERR "SELinux: avtab: truncated table\n"); - goto bad; - } - nel = le32_to_cpu(buf[0]); - if (!nel) { - printk(KERN_ERR "SELinux: avtab: table is empty\n"); - rc = -EINVAL; - goto bad; - } - - rc = avtab_alloc(a, nel); - if (rc) - goto bad; - - for (i = 0; i < nel; i++) { - rc = avtab_read_item(a, fp, pol, avtab_insertf, NULL); - if (rc) { - if (rc == -ENOMEM) - printk(KERN_ERR "SELinux: avtab: out of memory\n"); - else if (rc == -EEXIST) - printk(KERN_ERR "SELinux: avtab: duplicate entry\n"); - - goto bad; - } - } - - rc = 0; -out: - return rc; - -bad: - avtab_destroy(a); - goto out; -} - -int avtab_write_item(struct policydb *p, struct avtab_node *cur, void *fp) -{ - __le16 buf16[4]; - __le32 buf32[1]; - int rc; - - buf16[0] = cpu_to_le16(cur->key.source_type); - buf16[1] = cpu_to_le16(cur->key.target_type); - buf16[2] = cpu_to_le16(cur->key.target_class); - buf16[3] = cpu_to_le16(cur->key.specified); - rc = put_entry(buf16, sizeof(u16), 4, fp); - if (rc) - return rc; - buf32[0] = cpu_to_le32(cur->datum.data); - rc = put_entry(buf32, sizeof(u32), 1, fp); - if (rc) - return rc; - return 0; -} - -int avtab_write(struct policydb *p, struct avtab *a, void *fp) -{ - unsigned int i; - int rc = 0; - struct avtab_node *cur; - __le32 buf[1]; - - buf[0] = cpu_to_le32(a->nel); - rc = put_entry(buf, sizeof(u32), 1, fp); - if (rc) - return rc; - - for (i = 0; i < a->nslot; i++) { - for (cur = a->htable[i]; cur; cur = cur->next) { - rc = avtab_write_item(p, cur, fp); - if (rc) - return rc; - } - } - - return rc; -} -void avtab_cache_init(void) -{ - avtab_node_cachep = kmem_cache_create("avtab_node", - sizeof(struct avtab_node), - 0, SLAB_PANIC, NULL); -} - -void avtab_cache_destroy(void) -{ - kmem_cache_destroy(avtab_node_cachep); -} diff --git a/ANDROID_3.4.5/security/selinux/ss/avtab.h b/ANDROID_3.4.5/security/selinux/ss/avtab.h deleted file mode 100644 index 63ce2f9e..00000000 --- a/ANDROID_3.4.5/security/selinux/ss/avtab.h +++ /dev/null @@ -1,91 +0,0 @@ -/* - * An access vector table (avtab) is a hash table - * of access vectors and transition types indexed - * by a type pair and a class. An access vector - * table is used to represent the type enforcement - * tables. - * - * Author : Stephen Smalley, <sds@epoch.ncsc.mil> - */ - -/* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> - * - * Added conditional policy language extensions - * - * Copyright (C) 2003 Tresys Technology, LLC - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, version 2. - * - * Updated: Yuichi Nakamura <ynakam@hitachisoft.jp> - * Tuned number of hash slots for avtab to reduce memory usage - */ -#ifndef _SS_AVTAB_H_ -#define _SS_AVTAB_H_ - -struct avtab_key { - u16 source_type; /* source type */ - u16 target_type; /* target type */ - u16 target_class; /* target object class */ -#define AVTAB_ALLOWED 0x0001 -#define AVTAB_AUDITALLOW 0x0002 -#define AVTAB_AUDITDENY 0x0004 -#define AVTAB_AV (AVTAB_ALLOWED | AVTAB_AUDITALLOW | AVTAB_AUDITDENY) -#define AVTAB_TRANSITION 0x0010 -#define AVTAB_MEMBER 0x0020 -#define AVTAB_CHANGE 0x0040 -#define AVTAB_TYPE (AVTAB_TRANSITION | AVTAB_MEMBER | AVTAB_CHANGE) -#define AVTAB_ENABLED_OLD 0x80000000 /* reserved for used in cond_avtab */ -#define AVTAB_ENABLED 0x8000 /* reserved for used in cond_avtab */ - u16 specified; /* what field is specified */ -}; - -struct avtab_datum { - u32 data; /* access vector or type value */ -}; - -struct avtab_node { - struct avtab_key key; - struct avtab_datum datum; - struct avtab_node *next; -}; - -struct avtab { - struct avtab_node **htable; - u32 nel; /* number of elements */ - u32 nslot; /* number of hash slots */ - u16 mask; /* mask to compute hash func */ - -}; - -int avtab_init(struct avtab *); -int avtab_alloc(struct avtab *, u32); -struct avtab_datum *avtab_search(struct avtab *h, struct avtab_key *k); -void avtab_destroy(struct avtab *h); -void avtab_hash_eval(struct avtab *h, char *tag); - -struct policydb; -int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol, - int (*insert)(struct avtab *a, struct avtab_key *k, - struct avtab_datum *d, void *p), - void *p); - -int avtab_read(struct avtab *a, void *fp, struct policydb *pol); -int avtab_write_item(struct policydb *p, struct avtab_node *cur, void *fp); -int avtab_write(struct policydb *p, struct avtab *a, void *fp); - -struct avtab_node *avtab_insert_nonunique(struct avtab *h, struct avtab_key *key, - struct avtab_datum *datum); - -struct avtab_node *avtab_search_node(struct avtab *h, struct avtab_key *key); - -struct avtab_node *avtab_search_node_next(struct avtab_node *node, int specified); - -void avtab_cache_init(void); -void avtab_cache_destroy(void); - -#define MAX_AVTAB_HASH_BITS 11 -#define MAX_AVTAB_HASH_BUCKETS (1 << MAX_AVTAB_HASH_BITS) - -#endif /* _SS_AVTAB_H_ */ - diff --git a/ANDROID_3.4.5/security/selinux/ss/conditional.c b/ANDROID_3.4.5/security/selinux/ss/conditional.c deleted file mode 100644 index 377d148e..00000000 --- a/ANDROID_3.4.5/security/selinux/ss/conditional.c +++ /dev/null @@ -1,648 +0,0 @@ -/* Authors: Karl MacMillan <kmacmillan@tresys.com> - * Frank Mayer <mayerf@tresys.com> - * - * Copyright (C) 2003 - 2004 Tresys Technology, LLC - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, version 2. - */ - -#include <linux/kernel.h> -#include <linux/errno.h> -#include <linux/string.h> -#include <linux/spinlock.h> -#include <linux/slab.h> - -#include "security.h" -#include "conditional.h" - -/* - * cond_evaluate_expr evaluates a conditional expr - * in reverse polish notation. It returns true (1), false (0), - * or undefined (-1). Undefined occurs when the expression - * exceeds the stack depth of COND_EXPR_MAXDEPTH. - */ -static int cond_evaluate_expr(struct policydb *p, struct cond_expr *expr) -{ - - struct cond_expr *cur; - int s[COND_EXPR_MAXDEPTH]; - int sp = -1; - - for (cur = expr; cur; cur = cur->next) { - switch (cur->expr_type) { - case COND_BOOL: - if (sp == (COND_EXPR_MAXDEPTH - 1)) - return -1; - sp++; - s[sp] = p->bool_val_to_struct[cur->bool - 1]->state; - break; - case COND_NOT: - if (sp < 0) - return -1; - s[sp] = !s[sp]; - break; - case COND_OR: - if (sp < 1) - return -1; - sp--; - s[sp] |= s[sp + 1]; - break; - case COND_AND: - if (sp < 1) - return -1; - sp--; - s[sp] &= s[sp + 1]; - break; - case COND_XOR: - if (sp < 1) - return -1; - sp--; - s[sp] ^= s[sp + 1]; - break; - case COND_EQ: - if (sp < 1) - return -1; - sp--; - s[sp] = (s[sp] == s[sp + 1]); - break; - case COND_NEQ: - if (sp < 1) - return -1; - sp--; - s[sp] = (s[sp] != s[sp + 1]); - break; - default: - return -1; - } - } - return s[0]; -} - -/* - * evaluate_cond_node evaluates the conditional stored in - * a struct cond_node and if the result is different than the - * current state of the node it sets the rules in the true/false - * list appropriately. If the result of the expression is undefined - * all of the rules are disabled for safety. - */ -int evaluate_cond_node(struct policydb *p, struct cond_node *node) -{ - int new_state; - struct cond_av_list *cur; - - new_state = cond_evaluate_expr(p, node->expr); - if (new_state != node->cur_state) { - node->cur_state = new_state; - if (new_state == -1) - printk(KERN_ERR "SELinux: expression result was undefined - disabling all rules.\n"); - /* turn the rules on or off */ - for (cur = node->true_list; cur; cur = cur->next) { - if (new_state <= 0) - cur->node->key.specified &= ~AVTAB_ENABLED; - else - cur->node->key.specified |= AVTAB_ENABLED; - } - - for (cur = node->false_list; cur; cur = cur->next) { - /* -1 or 1 */ - if (new_state) - cur->node->key.specified &= ~AVTAB_ENABLED; - else - cur->node->key.specified |= AVTAB_ENABLED; - } - } - return 0; -} - -int cond_policydb_init(struct policydb *p) -{ - int rc; - - p->bool_val_to_struct = NULL; - p->cond_list = NULL; - - rc = avtab_init(&p->te_cond_avtab); - if (rc) - return rc; - - return 0; -} - -static void cond_av_list_destroy(struct cond_av_list *list) -{ - struct cond_av_list *cur, *next; - for (cur = list; cur; cur = next) { - next = cur->next; - /* the avtab_ptr_t node is destroy by the avtab */ - kfree(cur); - } -} - -static void cond_node_destroy(struct cond_node *node) -{ - struct cond_expr *cur_expr, *next_expr; - - for (cur_expr = node->expr; cur_expr; cur_expr = next_expr) { - next_expr = cur_expr->next; - kfree(cur_expr); - } - cond_av_list_destroy(node->true_list); - cond_av_list_destroy(node->false_list); - kfree(node); -} - -static void cond_list_destroy(struct cond_node *list) -{ - struct cond_node *next, *cur; - - if (list == NULL) - return; - - for (cur = list; cur; cur = next) { - next = cur->next; - cond_node_destroy(cur); - } -} - -void cond_policydb_destroy(struct policydb *p) -{ - kfree(p->bool_val_to_struct); - avtab_destroy(&p->te_cond_avtab); - cond_list_destroy(p->cond_list); -} - -int cond_init_bool_indexes(struct policydb *p) -{ - kfree(p->bool_val_to_struct); - p->bool_val_to_struct = - kmalloc(p->p_bools.nprim * sizeof(struct cond_bool_datum *), GFP_KERNEL); - if (!p->bool_val_to_struct) - return -ENOMEM; - return 0; -} - -int cond_destroy_bool(void *key, void *datum, void *p) -{ - kfree(key); - kfree(datum); - return 0; -} - -int cond_index_bool(void *key, void *datum, void *datap) -{ - struct policydb *p; - struct cond_bool_datum *booldatum; - struct flex_array *fa; - - booldatum = datum; - p = datap; - - if (!booldatum->value || booldatum->value > p->p_bools.nprim) - return -EINVAL; - - fa = p->sym_val_to_name[SYM_BOOLS]; - if (flex_array_put_ptr(fa, booldatum->value - 1, key, - GFP_KERNEL | __GFP_ZERO)) - BUG(); - p->bool_val_to_struct[booldatum->value - 1] = booldatum; - - return 0; -} - -static int bool_isvalid(struct cond_bool_datum *b) -{ - if (!(b->state == 0 || b->state == 1)) - return 0; - return 1; -} - -int cond_read_bool(struct policydb *p, struct hashtab *h, void *fp) -{ - char *key = NULL; - struct cond_bool_datum *booldatum; - __le32 buf[3]; - u32 len; - int rc; - - booldatum = kzalloc(sizeof(struct cond_bool_datum), GFP_KERNEL); - if (!booldatum) - return -ENOMEM; - - rc = next_entry(buf, fp, sizeof buf); - if (rc) - goto err; - - booldatum->value = le32_to_cpu(buf[0]); - booldatum->state = le32_to_cpu(buf[1]); - - rc = -EINVAL; - if (!bool_isvalid(booldatum)) - goto err; - - len = le32_to_cpu(buf[2]); - - rc = -ENOMEM; - key = kmalloc(len + 1, GFP_KERNEL); - if (!key) - goto err; - rc = next_entry(key, fp, len); - if (rc) - goto err; - key[len] = '\0'; - rc = hashtab_insert(h, key, booldatum); - if (rc) - goto err; - - return 0; -err: - cond_destroy_bool(key, booldatum, NULL); - return rc; -} - -struct cond_insertf_data { - struct policydb *p; - struct cond_av_list *other; - struct cond_av_list *head; - struct cond_av_list *tail; -}; - -static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum *d, void *ptr) -{ - struct cond_insertf_data *data = ptr; - struct policydb *p = data->p; - struct cond_av_list *other = data->other, *list, *cur; - struct avtab_node *node_ptr; - u8 found; - int rc = -EINVAL; - - /* - * For type rules we have to make certain there aren't any - * conflicting rules by searching the te_avtab and the - * cond_te_avtab. - */ - if (k->specified & AVTAB_TYPE) { - if (avtab_search(&p->te_avtab, k)) { - printk(KERN_ERR "SELinux: type rule already exists outside of a conditional.\n"); - goto err; - } - /* - * If we are reading the false list other will be a pointer to - * the true list. We can have duplicate entries if there is only - * 1 other entry and it is in our true list. - * - * If we are reading the true list (other == NULL) there shouldn't - * be any other entries. - */ - if (other) { - node_ptr = avtab_search_node(&p->te_cond_avtab, k); - if (node_ptr) { - if (avtab_search_node_next(node_ptr, k->specified)) { - printk(KERN_ERR "SELinux: too many conflicting type rules.\n"); - goto err; - } - found = 0; - for (cur = other; cur; cur = cur->next) { - if (cur->node == node_ptr) { - found = 1; - break; - } - } - if (!found) { - printk(KERN_ERR "SELinux: conflicting type rules.\n"); - goto err; - } - } - } else { - if (avtab_search(&p->te_cond_avtab, k)) { - printk(KERN_ERR "SELinux: conflicting type rules when adding type rule for true.\n"); - goto err; - } - } - } - - node_ptr = avtab_insert_nonunique(&p->te_cond_avtab, k, d); - if (!node_ptr) { - printk(KERN_ERR "SELinux: could not insert rule.\n"); - rc = -ENOMEM; - goto err; - } - - list = kzalloc(sizeof(struct cond_av_list), GFP_KERNEL); - if (!list) { - rc = -ENOMEM; - goto err; - } - - list->node = node_ptr; - if (!data->head) - data->head = list; - else - data->tail->next = list; - data->tail = list; - return 0; - -err: - cond_av_list_destroy(data->head); - data->head = NULL; - return rc; -} - -static int cond_read_av_list(struct policydb *p, void *fp, struct cond_av_list **ret_list, struct cond_av_list *other) -{ - int i, rc; - __le32 buf[1]; - u32 len; - struct cond_insertf_data data; - - *ret_list = NULL; - - len = 0; - rc = next_entry(buf, fp, sizeof(u32)); - if (rc) - return rc; - - len = le32_to_cpu(buf[0]); - if (len == 0) - return 0; - - data.p = p; - data.other = other; - data.head = NULL; - data.tail = NULL; - for (i = 0; i < len; i++) { - rc = avtab_read_item(&p->te_cond_avtab, fp, p, cond_insertf, - &data); - if (rc) - return rc; - } - - *ret_list = data.head; - return 0; -} - -static int expr_isvalid(struct policydb *p, struct cond_expr *expr) -{ - if (expr->expr_type <= 0 || expr->expr_type > COND_LAST) { - printk(KERN_ERR "SELinux: conditional expressions uses unknown operator.\n"); - return 0; - } - - if (expr->bool > p->p_bools.nprim) { - printk(KERN_ERR "SELinux: conditional expressions uses unknown bool.\n"); - return 0; - } - return 1; -} - -static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp) -{ - __le32 buf[2]; - u32 len, i; - int rc; - struct cond_expr *expr = NULL, *last = NULL; - - rc = next_entry(buf, fp, sizeof(u32)); - if (rc) - return rc; - - node->cur_state = le32_to_cpu(buf[0]); - - len = 0; - rc = next_entry(buf, fp, sizeof(u32)); - if (rc) - return rc; - - /* expr */ - len = le32_to_cpu(buf[0]); - - for (i = 0; i < len; i++) { - rc = next_entry(buf, fp, sizeof(u32) * 2); - if (rc) - goto err; - - rc = -ENOMEM; - expr = kzalloc(sizeof(struct cond_expr), GFP_KERNEL); - if (!expr) - goto err; - - expr->expr_type = le32_to_cpu(buf[0]); - expr->bool = le32_to_cpu(buf[1]); - - if (!expr_isvalid(p, expr)) { - rc = -EINVAL; - kfree(expr); - goto err; - } - - if (i == 0) - node->expr = expr; - else - last->next = expr; - last = expr; - } - - rc = cond_read_av_list(p, fp, &node->true_list, NULL); - if (rc) - goto err; - rc = cond_read_av_list(p, fp, &node->false_list, node->true_list); - if (rc) - goto err; - return 0; -err: - cond_node_destroy(node); - return rc; -} - -int cond_read_list(struct policydb *p, void *fp) -{ - struct cond_node *node, *last = NULL; - __le32 buf[1]; - u32 i, len; - int rc; - - rc = next_entry(buf, fp, sizeof buf); - if (rc) - return rc; - - len = le32_to_cpu(buf[0]); - - rc = avtab_alloc(&(p->te_cond_avtab), p->te_avtab.nel); - if (rc) - goto err; - - for (i = 0; i < len; i++) { - rc = -ENOMEM; - node = kzalloc(sizeof(struct cond_node), GFP_KERNEL); - if (!node) - goto err; - - rc = cond_read_node(p, node, fp); - if (rc) - goto err; - - if (i == 0) - p->cond_list = node; - else - last->next = node; - last = node; - } - return 0; -err: - cond_list_destroy(p->cond_list); - p->cond_list = NULL; - return rc; -} - -int cond_write_bool(void *vkey, void *datum, void *ptr) -{ - char *key = vkey; - struct cond_bool_datum *booldatum = datum; - struct policy_data *pd = ptr; - void *fp = pd->fp; - __le32 buf[3]; - u32 len; - int rc; - - len = strlen(key); - buf[0] = cpu_to_le32(booldatum->value); - buf[1] = cpu_to_le32(booldatum->state); - buf[2] = cpu_to_le32(len); - rc = put_entry(buf, sizeof(u32), 3, fp); - if (rc) - return rc; - rc = put_entry(key, 1, len, fp); - if (rc) - return rc; - return 0; -} - -/* - * cond_write_cond_av_list doesn't write out the av_list nodes. - * Instead it writes out the key/value pairs from the avtab. This - * is necessary because there is no way to uniquely identifying rules - * in the avtab so it is not possible to associate individual rules - * in the avtab with a conditional without saving them as part of - * the conditional. This means that the avtab with the conditional - * rules will not be saved but will be rebuilt on policy load. - */ -static int cond_write_av_list(struct policydb *p, - struct cond_av_list *list, struct policy_file *fp) -{ - __le32 buf[1]; - struct cond_av_list *cur_list; - u32 len; - int rc; - - len = 0; - for (cur_list = list; cur_list != NULL; cur_list = cur_list->next) - len++; - - buf[0] = cpu_to_le32(len); - rc = put_entry(buf, sizeof(u32), 1, fp); - if (rc) - return rc; - - if (len == 0) - return 0; - - for (cur_list = list; cur_list != NULL; cur_list = cur_list->next) { - rc = avtab_write_item(p, cur_list->node, fp); - if (rc) - return rc; - } - - return 0; -} - -static int cond_write_node(struct policydb *p, struct cond_node *node, - struct policy_file *fp) -{ - struct cond_expr *cur_expr; - __le32 buf[2]; - int rc; - u32 len = 0; - - buf[0] = cpu_to_le32(node->cur_state); - rc = put_entry(buf, sizeof(u32), 1, fp); - if (rc) - return rc; - - for (cur_expr = node->expr; cur_expr != NULL; cur_expr = cur_expr->next) - len++; - - buf[0] = cpu_to_le32(len); - rc = put_entry(buf, sizeof(u32), 1, fp); - if (rc) - return rc; - - for (cur_expr = node->expr; cur_expr != NULL; cur_expr = cur_expr->next) { - buf[0] = cpu_to_le32(cur_expr->expr_type); - buf[1] = cpu_to_le32(cur_expr->bool); - rc = put_entry(buf, sizeof(u32), 2, fp); - if (rc) - return rc; - } - - rc = cond_write_av_list(p, node->true_list, fp); - if (rc) - return rc; - rc = cond_write_av_list(p, node->false_list, fp); - if (rc) - return rc; - - return 0; -} - -int cond_write_list(struct policydb *p, struct cond_node *list, void *fp) -{ - struct cond_node *cur; - u32 len; - __le32 buf[1]; - int rc; - - len = 0; - for (cur = list; cur != NULL; cur = cur->next) - len++; - buf[0] = cpu_to_le32(len); - rc = put_entry(buf, sizeof(u32), 1, fp); - if (rc) - return rc; - - for (cur = list; cur != NULL; cur = cur->next) { - rc = cond_write_node(p, cur, fp); - if (rc) - return rc; - } - - return 0; -} -/* Determine whether additional permissions are granted by the conditional - * av table, and if so, add them to the result - */ -void cond_compute_av(struct avtab *ctab, struct avtab_key *key, struct av_decision *avd) -{ - struct avtab_node *node; - - if (!ctab || !key || !avd) - return; - - for (node = avtab_search_node(ctab, key); node; - node = avtab_search_node_next(node, key->specified)) { - if ((u16)(AVTAB_ALLOWED|AVTAB_ENABLED) == - (node->key.specified & (AVTAB_ALLOWED|AVTAB_ENABLED))) - avd->allowed |= node->datum.data; - if ((u16)(AVTAB_AUDITDENY|AVTAB_ENABLED) == - (node->key.specified & (AVTAB_AUDITDENY|AVTAB_ENABLED))) - /* Since a '0' in an auditdeny mask represents a - * permission we do NOT want to audit (dontaudit), we use - * the '&' operand to ensure that all '0's in the mask - * are retained (much unlike the allow and auditallow cases). - */ - avd->auditdeny &= node->datum.data; - if ((u16)(AVTAB_AUDITALLOW|AVTAB_ENABLED) == - (node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED))) - avd->auditallow |= node->datum.data; - } - return; -} diff --git a/ANDROID_3.4.5/security/selinux/ss/conditional.h b/ANDROID_3.4.5/security/selinux/ss/conditional.h deleted file mode 100644 index 4d1f8746..00000000 --- a/ANDROID_3.4.5/security/selinux/ss/conditional.h +++ /dev/null @@ -1,80 +0,0 @@ -/* Authors: Karl MacMillan <kmacmillan@tresys.com> - * Frank Mayer <mayerf@tresys.com> - * - * Copyright (C) 2003 - 2004 Tresys Technology, LLC - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, version 2. - */ - -#ifndef _CONDITIONAL_H_ -#define _CONDITIONAL_H_ - -#include "avtab.h" -#include "symtab.h" -#include "policydb.h" -#include "../include/conditional.h" - -#define COND_EXPR_MAXDEPTH 10 - -/* - * A conditional expression is a list of operators and operands - * in reverse polish notation. - */ -struct cond_expr { -#define COND_BOOL 1 /* plain bool */ -#define COND_NOT 2 /* !bool */ -#define COND_OR 3 /* bool || bool */ -#define COND_AND 4 /* bool && bool */ -#define COND_XOR 5 /* bool ^ bool */ -#define COND_EQ 6 /* bool == bool */ -#define COND_NEQ 7 /* bool != bool */ -#define COND_LAST COND_NEQ - __u32 expr_type; - __u32 bool; - struct cond_expr *next; -}; - -/* - * Each cond_node contains a list of rules to be enabled/disabled - * depending on the current value of the conditional expression. This - * struct is for that list. - */ -struct cond_av_list { - struct avtab_node *node; - struct cond_av_list *next; -}; - -/* - * A cond node represents a conditional block in a policy. It - * contains a conditional expression, the current state of the expression, - * two lists of rules to enable/disable depending on the value of the - * expression (the true list corresponds to if and the false list corresponds - * to else).. - */ -struct cond_node { - int cur_state; - struct cond_expr *expr; - struct cond_av_list *true_list; - struct cond_av_list *false_list; - struct cond_node *next; -}; - -int cond_policydb_init(struct policydb *p); -void cond_policydb_destroy(struct policydb *p); - -int cond_init_bool_indexes(struct policydb *p); -int cond_destroy_bool(void *key, void *datum, void *p); - -int cond_index_bool(void *key, void *datum, void *datap); - -int cond_read_bool(struct policydb *p, struct hashtab *h, void *fp); -int cond_read_list(struct policydb *p, void *fp); -int cond_write_bool(void *key, void *datum, void *ptr); -int cond_write_list(struct policydb *p, struct cond_node *list, void *fp); - -void cond_compute_av(struct avtab *ctab, struct avtab_key *key, struct av_decision *avd); - -int evaluate_cond_node(struct policydb *p, struct cond_node *node); - -#endif /* _CONDITIONAL_H_ */ diff --git a/ANDROID_3.4.5/security/selinux/ss/constraint.h b/ANDROID_3.4.5/security/selinux/ss/constraint.h deleted file mode 100644 index 149dda73..00000000 --- a/ANDROID_3.4.5/security/selinux/ss/constraint.h +++ /dev/null @@ -1,61 +0,0 @@ -/* - * A constraint is a condition that must be satisfied in - * order for one or more permissions to be granted. - * Constraints are used to impose additional restrictions - * beyond the type-based rules in `te' or the role-based - * transition rules in `rbac'. Constraints are typically - * used to prevent a process from transitioning to a new user - * identity or role unless it is in a privileged type. - * Constraints are likewise typically used to prevent a - * process from labeling an object with a different user - * identity. - * - * Author : Stephen Smalley, <sds@epoch.ncsc.mil> - */ -#ifndef _SS_CONSTRAINT_H_ -#define _SS_CONSTRAINT_H_ - -#include "ebitmap.h" - -#define CEXPR_MAXDEPTH 5 - -struct constraint_expr { -#define CEXPR_NOT 1 /* not expr */ -#define CEXPR_AND 2 /* expr and expr */ -#define CEXPR_OR 3 /* expr or expr */ -#define CEXPR_ATTR 4 /* attr op attr */ -#define CEXPR_NAMES 5 /* attr op names */ - u32 expr_type; /* expression type */ - -#define CEXPR_USER 1 /* user */ -#define CEXPR_ROLE 2 /* role */ -#define CEXPR_TYPE 4 /* type */ -#define CEXPR_TARGET 8 /* target if set, source otherwise */ -#define CEXPR_XTARGET 16 /* special 3rd target for validatetrans rule */ -#define CEXPR_L1L2 32 /* low level 1 vs. low level 2 */ -#define CEXPR_L1H2 64 /* low level 1 vs. high level 2 */ -#define CEXPR_H1L2 128 /* high level 1 vs. low level 2 */ -#define CEXPR_H1H2 256 /* high level 1 vs. high level 2 */ -#define CEXPR_L1H1 512 /* low level 1 vs. high level 1 */ -#define CEXPR_L2H2 1024 /* low level 2 vs. high level 2 */ - u32 attr; /* attribute */ - -#define CEXPR_EQ 1 /* == or eq */ -#define CEXPR_NEQ 2 /* != */ -#define CEXPR_DOM 3 /* dom */ -#define CEXPR_DOMBY 4 /* domby */ -#define CEXPR_INCOMP 5 /* incomp */ - u32 op; /* operator */ - - struct ebitmap names; /* names */ - - struct constraint_expr *next; /* next expression */ -}; - -struct constraint_node { - u32 permissions; /* constrained permissions */ - struct constraint_expr *expr; /* constraint on permissions */ - struct constraint_node *next; /* next constraint */ -}; - -#endif /* _SS_CONSTRAINT_H_ */ diff --git a/ANDROID_3.4.5/security/selinux/ss/context.h b/ANDROID_3.4.5/security/selinux/ss/context.h deleted file mode 100644 index 45e8fb05..00000000 --- a/ANDROID_3.4.5/security/selinux/ss/context.h +++ /dev/null @@ -1,143 +0,0 @@ -/* - * A security context is a set of security attributes - * associated with each subject and object controlled - * by the security policy. Security contexts are - * externally represented as variable-length strings - * that can be interpreted by a user or application - * with an understanding of the security policy. - * Internally, the security server uses a simple - * structure. This structure is private to the - * security server and can be changed without affecting - * clients of the security server. - * - * Author : Stephen Smalley, <sds@epoch.ncsc.mil> - */ -#ifndef _SS_CONTEXT_H_ -#define _SS_CONTEXT_H_ - -#include "ebitmap.h" -#include "mls_types.h" -#include "security.h" - -/* - * A security context consists of an authenticated user - * identity, a role, a type and a MLS range. - */ -struct context { - u32 user; - u32 role; - u32 type; - u32 len; /* length of string in bytes */ - struct mls_range range; - char *str; /* string representation if context cannot be mapped. */ -}; - -static inline void mls_context_init(struct context *c) -{ - memset(&c->range, 0, sizeof(c->range)); -} - -static inline int mls_context_cpy(struct context *dst, struct context *src) -{ - int rc; - - dst->range.level[0].sens = src->range.level[0].sens; - rc = ebitmap_cpy(&dst->range.level[0].cat, &src->range.level[0].cat); - if (rc) - goto out; - - dst->range.level[1].sens = src->range.level[1].sens; - rc = ebitmap_cpy(&dst->range.level[1].cat, &src->range.level[1].cat); - if (rc) - ebitmap_destroy(&dst->range.level[0].cat); -out: - return rc; -} - -/* - * Sets both levels in the MLS range of 'dst' to the low level of 'src'. - */ -static inline int mls_context_cpy_low(struct context *dst, struct context *src) -{ - int rc; - - dst->range.level[0].sens = src->range.level[0].sens; - rc = ebitmap_cpy(&dst->range.level[0].cat, &src->range.level[0].cat); - if (rc) - goto out; - - dst->range.level[1].sens = src->range.level[0].sens; - rc = ebitmap_cpy(&dst->range.level[1].cat, &src->range.level[0].cat); - if (rc) - ebitmap_destroy(&dst->range.level[0].cat); -out: - return rc; -} - -static inline int mls_context_cmp(struct context *c1, struct context *c2) -{ - return ((c1->range.level[0].sens == c2->range.level[0].sens) && - ebitmap_cmp(&c1->range.level[0].cat, &c2->range.level[0].cat) && - (c1->range.level[1].sens == c2->range.level[1].sens) && - ebitmap_cmp(&c1->range.level[1].cat, &c2->range.level[1].cat)); -} - -static inline void mls_context_destroy(struct context *c) -{ - ebitmap_destroy(&c->range.level[0].cat); - ebitmap_destroy(&c->range.level[1].cat); - mls_context_init(c); -} - -static inline void context_init(struct context *c) -{ - memset(c, 0, sizeof(*c)); -} - -static inline int context_cpy(struct context *dst, struct context *src) -{ - int rc; - - dst->user = src->user; - dst->role = src->role; - dst->type = src->type; - if (src->str) { - dst->str = kstrdup(src->str, GFP_ATOMIC); - if (!dst->str) - return -ENOMEM; - dst->len = src->len; - } else { - dst->str = NULL; - dst->len = 0; - } - rc = mls_context_cpy(dst, src); - if (rc) { - kfree(dst->str); - return rc; - } - return 0; -} - -static inline void context_destroy(struct context *c) -{ - c->user = c->role = c->type = 0; - kfree(c->str); - c->str = NULL; - c->len = 0; - mls_context_destroy(c); -} - -static inline int context_cmp(struct context *c1, struct context *c2) -{ - if (c1->len && c2->len) - return (c1->len == c2->len && !strcmp(c1->str, c2->str)); - if (c1->len || c2->len) - return 0; - return ((c1->user == c2->user) && - (c1->role == c2->role) && - (c1->type == c2->type) && - mls_context_cmp(c1, c2)); -} - -#endif /* _SS_CONTEXT_H_ */ - diff --git a/ANDROID_3.4.5/security/selinux/ss/ebitmap.c b/ANDROID_3.4.5/security/selinux/ss/ebitmap.c deleted file mode 100644 index 30f119b1..00000000 --- a/ANDROID_3.4.5/security/selinux/ss/ebitmap.c +++ /dev/null @@ -1,525 +0,0 @@ -/* - * Implementation of the extensible bitmap type. - * - * Author : Stephen Smalley, <sds@epoch.ncsc.mil> - */ -/* - * Updated: Hewlett-Packard <paul@paul-moore.com> - * - * Added support to import/export the NetLabel category bitmap - * - * (c) Copyright Hewlett-Packard Development Company, L.P., 2006 - */ -/* - * Updated: KaiGai Kohei <kaigai@ak.jp.nec.com> - * Applied standard bit operations to improve bitmap scanning. - */ - -#include <linux/kernel.h> -#include <linux/slab.h> -#include <linux/errno.h> -#include <net/netlabel.h> -#include "ebitmap.h" -#include "policydb.h" - -#define BITS_PER_U64 (sizeof(u64) * 8) - -int ebitmap_cmp(struct ebitmap *e1, struct ebitmap *e2) -{ - struct ebitmap_node *n1, *n2; - - if (e1->highbit != e2->highbit) - return 0; - - n1 = e1->node; - n2 = e2->node; - while (n1 && n2 && - (n1->startbit == n2->startbit) && - !memcmp(n1->maps, n2->maps, EBITMAP_SIZE / 8)) { - n1 = n1->next; - n2 = n2->next; - } - - if (n1 || n2) - return 0; - - return 1; -} - -int ebitmap_cpy(struct ebitmap *dst, struct ebitmap *src) -{ - struct ebitmap_node *n, *new, *prev; - - ebitmap_init(dst); - n = src->node; - prev = NULL; - while (n) { - new = kzalloc(sizeof(*new), GFP_ATOMIC); - if (!new) { - ebitmap_destroy(dst); - return -ENOMEM; - } - new->startbit = n->startbit; - memcpy(new->maps, n->maps, EBITMAP_SIZE / 8); - new->next = NULL; - if (prev) - prev->next = new; - else - dst->node = new; - prev = new; - n = n->next; - } - - dst->highbit = src->highbit; - return 0; -} - -#ifdef CONFIG_NETLABEL -/** - * ebitmap_netlbl_export - Export an ebitmap into a NetLabel category bitmap - * @ebmap: the ebitmap to export - * @catmap: the NetLabel category bitmap - * - * Description: - * Export a SELinux extensibile bitmap into a NetLabel category bitmap. - * Returns zero on success, negative values on error. - * - */ -int ebitmap_netlbl_export(struct ebitmap *ebmap, - struct netlbl_lsm_secattr_catmap **catmap) -{ - struct ebitmap_node *e_iter = ebmap->node; - struct netlbl_lsm_secattr_catmap *c_iter; - u32 cmap_idx, cmap_sft; - int i; - - /* NetLabel's NETLBL_CATMAP_MAPTYPE is defined as an array of u64, - * however, it is not always compatible with an array of unsigned long - * in ebitmap_node. - * In addition, you should pay attention the following implementation - * assumes unsigned long has a width equal with or less than 64-bit. - */ - - if (e_iter == NULL) { - *catmap = NULL; - return 0; - } - - c_iter = netlbl_secattr_catmap_alloc(GFP_ATOMIC); - if (c_iter == NULL) - return -ENOMEM; - *catmap = c_iter; - c_iter->startbit = e_iter->startbit & ~(NETLBL_CATMAP_SIZE - 1); - - while (e_iter) { - for (i = 0; i < EBITMAP_UNIT_NUMS; i++) { - unsigned int delta, e_startbit, c_endbit; - - e_startbit = e_iter->startbit + i * EBITMAP_UNIT_SIZE; - c_endbit = c_iter->startbit + NETLBL_CATMAP_SIZE; - if (e_startbit >= c_endbit) { - c_iter->next - = netlbl_secattr_catmap_alloc(GFP_ATOMIC); - if (c_iter->next == NULL) - goto netlbl_export_failure; - c_iter = c_iter->next; - c_iter->startbit - = e_startbit & ~(NETLBL_CATMAP_SIZE - 1); - } - delta = e_startbit - c_iter->startbit; - cmap_idx = delta / NETLBL_CATMAP_MAPSIZE; - cmap_sft = delta % NETLBL_CATMAP_MAPSIZE; - c_iter->bitmap[cmap_idx] - |= e_iter->maps[i] << cmap_sft; - } - e_iter = e_iter->next; - } - - return 0; - -netlbl_export_failure: - netlbl_secattr_catmap_free(*catmap); - return -ENOMEM; -} - -/** - * ebitmap_netlbl_import - Import a NetLabel category bitmap into an ebitmap - * @ebmap: the ebitmap to import - * @catmap: the NetLabel category bitmap - * - * Description: - * Import a NetLabel category bitmap into a SELinux extensibile bitmap. - * Returns zero on success, negative values on error. - * - */ -int ebitmap_netlbl_import(struct ebitmap *ebmap, - struct netlbl_lsm_secattr_catmap *catmap) -{ - struct ebitmap_node *e_iter = NULL; - struct ebitmap_node *emap_prev = NULL; - struct netlbl_lsm_secattr_catmap *c_iter = catmap; - u32 c_idx, c_pos, e_idx, e_sft; - - /* NetLabel's NETLBL_CATMAP_MAPTYPE is defined as an array of u64, - * however, it is not always compatible with an array of unsigned long - * in ebitmap_node. - * In addition, you should pay attention the following implementation - * assumes unsigned long has a width equal with or less than 64-bit. - */ - - do { - for (c_idx = 0; c_idx < NETLBL_CATMAP_MAPCNT; c_idx++) { - unsigned int delta; - u64 map = c_iter->bitmap[c_idx]; - - if (!map) - continue; - - c_pos = c_iter->startbit - + c_idx * NETLBL_CATMAP_MAPSIZE; - if (!e_iter - || c_pos >= e_iter->startbit + EBITMAP_SIZE) { - e_iter = kzalloc(sizeof(*e_iter), GFP_ATOMIC); - if (!e_iter) - goto netlbl_import_failure; - e_iter->startbit - = c_pos - (c_pos % EBITMAP_SIZE); - if (emap_prev == NULL) - ebmap->node = e_iter; - else - emap_prev->next = e_iter; - emap_prev = e_iter; - } - delta = c_pos - e_iter->startbit; - e_idx = delta / EBITMAP_UNIT_SIZE; - e_sft = delta % EBITMAP_UNIT_SIZE; - while (map) { - e_iter->maps[e_idx++] |= map & (-1UL); - map = EBITMAP_SHIFT_UNIT_SIZE(map); - } - } - c_iter = c_iter->next; - } while (c_iter); - if (e_iter != NULL) - ebmap->highbit = e_iter->startbit + EBITMAP_SIZE; - else - ebitmap_destroy(ebmap); - - return 0; - -netlbl_import_failure: - ebitmap_destroy(ebmap); - return -ENOMEM; -} -#endif /* CONFIG_NETLABEL */ - -int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2) -{ - struct ebitmap_node *n1, *n2; - int i; - - if (e1->highbit < e2->highbit) - return 0; - - n1 = e1->node; - n2 = e2->node; - while (n1 && n2 && (n1->startbit <= n2->startbit)) { - if (n1->startbit < n2->startbit) { - n1 = n1->next; - continue; - } - for (i = 0; i < EBITMAP_UNIT_NUMS; i++) { - if ((n1->maps[i] & n2->maps[i]) != n2->maps[i]) - return 0; - } - - n1 = n1->next; - n2 = n2->next; - } - - if (n2) - return 0; - - return 1; -} - -int ebitmap_get_bit(struct ebitmap *e, unsigned long bit) -{ - struct ebitmap_node *n; - - if (e->highbit < bit) - return 0; - - n = e->node; - while (n && (n->startbit <= bit)) { - if ((n->startbit + EBITMAP_SIZE) > bit) - return ebitmap_node_get_bit(n, bit); - n = n->next; - } - - return 0; -} - -int ebitmap_set_bit(struct ebitmap *e, unsigned long bit, int value) -{ - struct ebitmap_node *n, *prev, *new; - - prev = NULL; - n = e->node; - while (n && n->startbit <= bit) { - if ((n->startbit + EBITMAP_SIZE) > bit) { - if (value) { - ebitmap_node_set_bit(n, bit); - } else { - unsigned int s; - - ebitmap_node_clr_bit(n, bit); - - s = find_first_bit(n->maps, EBITMAP_SIZE); - if (s < EBITMAP_SIZE) - return 0; - - /* drop this node from the bitmap */ - if (!n->next) { - /* - * this was the highest map - * within the bitmap - */ - if (prev) - e->highbit = prev->startbit - + EBITMAP_SIZE; - else - e->highbit = 0; - } - if (prev) - prev->next = n->next; - else - e->node = n->next; - kfree(n); - } - return 0; - } - prev = n; - n = n->next; - } - - if (!value) - return 0; - - new = kzalloc(sizeof(*new), GFP_ATOMIC); - if (!new) - return -ENOMEM; - - new->startbit = bit - (bit % EBITMAP_SIZE); - ebitmap_node_set_bit(new, bit); - - if (!n) - /* this node will be the highest map within the bitmap */ - e->highbit = new->startbit + EBITMAP_SIZE; - - if (prev) { - new->next = prev->next; - prev->next = new; - } else { - new->next = e->node; - e->node = new; - } - - return 0; -} - -void ebitmap_destroy(struct ebitmap *e) -{ - struct ebitmap_node *n, *temp; - - if (!e) - return; - - n = e->node; - while (n) { - temp = n; - n = n->next; - kfree(temp); - } - - e->highbit = 0; - e->node = NULL; - return; -} - -int ebitmap_read(struct ebitmap *e, void *fp) -{ - struct ebitmap_node *n = NULL; - u32 mapunit, count, startbit, index; - u64 map; - __le32 buf[3]; - int rc, i; - - ebitmap_init(e); - - rc = next_entry(buf, fp, sizeof buf); - if (rc < 0) - goto out; - - mapunit = le32_to_cpu(buf[0]); - e->highbit = le32_to_cpu(buf[1]); - count = le32_to_cpu(buf[2]); - - if (mapunit != BITS_PER_U64) { - printk(KERN_ERR "SELinux: ebitmap: map size %u does not " - "match my size %Zd (high bit was %d)\n", - mapunit, BITS_PER_U64, e->highbit); - goto bad; - } - - /* round up e->highbit */ - e->highbit += EBITMAP_SIZE - 1; - e->highbit -= (e->highbit % EBITMAP_SIZE); - - if (!e->highbit) { - e->node = NULL; - goto ok; - } - - for (i = 0; i < count; i++) { - rc = next_entry(&startbit, fp, sizeof(u32)); - if (rc < 0) { - printk(KERN_ERR "SELinux: ebitmap: truncated map\n"); - goto bad; - } - startbit = le32_to_cpu(startbit); - - if (startbit & (mapunit - 1)) { - printk(KERN_ERR "SELinux: ebitmap start bit (%d) is " - "not a multiple of the map unit size (%u)\n", - startbit, mapunit); - goto bad; - } - if (startbit > e->highbit - mapunit) { - printk(KERN_ERR "SELinux: ebitmap start bit (%d) is " - "beyond the end of the bitmap (%u)\n", - startbit, (e->highbit - mapunit)); - goto bad; - } - - if (!n || startbit >= n->startbit + EBITMAP_SIZE) { - struct ebitmap_node *tmp; - tmp = kzalloc(sizeof(*tmp), GFP_KERNEL); - if (!tmp) { - printk(KERN_ERR - "SELinux: ebitmap: out of memory\n"); - rc = -ENOMEM; - goto bad; - } - /* round down */ - tmp->startbit = startbit - (startbit % EBITMAP_SIZE); - if (n) - n->next = tmp; - else - e->node = tmp; - n = tmp; - } else if (startbit <= n->startbit) { - printk(KERN_ERR "SELinux: ebitmap: start bit %d" - " comes after start bit %d\n", - startbit, n->startbit); - goto bad; - } - - rc = next_entry(&map, fp, sizeof(u64)); - if (rc < 0) { - printk(KERN_ERR "SELinux: ebitmap: truncated map\n"); - goto bad; - } - map = le64_to_cpu(map); - - index = (startbit - n->startbit) / EBITMAP_UNIT_SIZE; - while (map) { - n->maps[index++] = map & (-1UL); - map = EBITMAP_SHIFT_UNIT_SIZE(map); - } - } -ok: - rc = 0; -out: - return rc; -bad: - if (!rc) - rc = -EINVAL; - ebitmap_destroy(e); - goto out; -} - -int ebitmap_write(struct ebitmap *e, void *fp) -{ - struct ebitmap_node *n; - u32 count; - __le32 buf[3]; - u64 map; - int bit, last_bit, last_startbit, rc; - - buf[0] = cpu_to_le32(BITS_PER_U64); - - count = 0; - last_bit = 0; - last_startbit = -1; - ebitmap_for_each_positive_bit(e, n, bit) { - if (rounddown(bit, (int)BITS_PER_U64) > last_startbit) { - count++; - last_startbit = rounddown(bit, BITS_PER_U64); - } - last_bit = roundup(bit + 1, BITS_PER_U64); - } - buf[1] = cpu_to_le32(last_bit); - buf[2] = cpu_to_le32(count); - - rc = put_entry(buf, sizeof(u32), 3, fp); - if (rc) - return rc; - - map = 0; - last_startbit = INT_MIN; - ebitmap_for_each_positive_bit(e, n, bit) { - if (rounddown(bit, (int)BITS_PER_U64) > last_startbit) { - __le64 buf64[1]; - - /* this is the very first bit */ - if (!map) { - last_startbit = rounddown(bit, BITS_PER_U64); - map = (u64)1 << (bit - last_startbit); - continue; - } - - /* write the last node */ - buf[0] = cpu_to_le32(last_startbit); - rc = put_entry(buf, sizeof(u32), 1, fp); - if (rc) - return rc; - - buf64[0] = cpu_to_le64(map); - rc = put_entry(buf64, sizeof(u64), 1, fp); - if (rc) - return rc; - - /* set up for the next node */ - map = 0; - last_startbit = rounddown(bit, BITS_PER_U64); - } - map |= (u64)1 << (bit - last_startbit); - } - /* write the last node */ - if (map) { - __le64 buf64[1]; - - /* write the last node */ - buf[0] = cpu_to_le32(last_startbit); - rc = put_entry(buf, sizeof(u32), 1, fp); - if (rc) - return rc; - - buf64[0] = cpu_to_le64(map); - rc = put_entry(buf64, sizeof(u64), 1, fp); - if (rc) - return rc; - } - return 0; -} diff --git a/ANDROID_3.4.5/security/selinux/ss/ebitmap.h b/ANDROID_3.4.5/security/selinux/ss/ebitmap.h deleted file mode 100644 index 922f8afa..00000000 --- a/ANDROID_3.4.5/security/selinux/ss/ebitmap.h +++ /dev/null @@ -1,145 +0,0 @@ -/* - * An extensible bitmap is a bitmap that supports an - * arbitrary number of bits. Extensible bitmaps are - * used to represent sets of values, such as types, - * roles, categories, and classes. - * - * Each extensible bitmap is implemented as a linked - * list of bitmap nodes, where each bitmap node has - * an explicitly specified starting bit position within - * the total bitmap. - * - * Author : Stephen Smalley, <sds@epoch.ncsc.mil> - */ -#ifndef _SS_EBITMAP_H_ -#define _SS_EBITMAP_H_ - -#include <net/netlabel.h> - -#define EBITMAP_UNIT_NUMS ((32 - sizeof(void *) - sizeof(u32)) \ - / sizeof(unsigned long)) -#define EBITMAP_UNIT_SIZE BITS_PER_LONG -#define EBITMAP_SIZE (EBITMAP_UNIT_NUMS * EBITMAP_UNIT_SIZE) -#define EBITMAP_BIT 1ULL -#define EBITMAP_SHIFT_UNIT_SIZE(x) \ - (((x) >> EBITMAP_UNIT_SIZE / 2) >> EBITMAP_UNIT_SIZE / 2) - -struct ebitmap_node { - struct ebitmap_node *next; - unsigned long maps[EBITMAP_UNIT_NUMS]; - u32 startbit; -}; - -struct ebitmap { - struct ebitmap_node *node; /* first node in the bitmap */ - u32 highbit; /* highest position in the total bitmap */ -}; - -#define ebitmap_length(e) ((e)->highbit) - -static inline unsigned int ebitmap_start_positive(struct ebitmap *e, - struct ebitmap_node **n) -{ - unsigned int ofs; - - for (*n = e->node; *n; *n = (*n)->next) { - ofs = find_first_bit((*n)->maps, EBITMAP_SIZE); - if (ofs < EBITMAP_SIZE) - return (*n)->startbit + ofs; - } - return ebitmap_length(e); -} - -static inline void ebitmap_init(struct ebitmap *e) -{ - memset(e, 0, sizeof(*e)); -} - -static inline unsigned int ebitmap_next_positive(struct ebitmap *e, - struct ebitmap_node **n, - unsigned int bit) -{ - unsigned int ofs; - - ofs = find_next_bit((*n)->maps, EBITMAP_SIZE, bit - (*n)->startbit + 1); - if (ofs < EBITMAP_SIZE) - return ofs + (*n)->startbit; - - for (*n = (*n)->next; *n; *n = (*n)->next) { - ofs = find_first_bit((*n)->maps, EBITMAP_SIZE); - if (ofs < EBITMAP_SIZE) - return ofs + (*n)->startbit; - } - return ebitmap_length(e); -} - -#define EBITMAP_NODE_INDEX(node, bit) \ - (((bit) - (node)->startbit) / EBITMAP_UNIT_SIZE) -#define EBITMAP_NODE_OFFSET(node, bit) \ - (((bit) - (node)->startbit) % EBITMAP_UNIT_SIZE) - -static inline int ebitmap_node_get_bit(struct ebitmap_node *n, - unsigned int bit) -{ - unsigned int index = EBITMAP_NODE_INDEX(n, bit); - unsigned int ofs = EBITMAP_NODE_OFFSET(n, bit); - - BUG_ON(index >= EBITMAP_UNIT_NUMS); - if ((n->maps[index] & (EBITMAP_BIT << ofs))) - return 1; - return 0; -} - -static inline void ebitmap_node_set_bit(struct ebitmap_node *n, - unsigned int bit) -{ - unsigned int index = EBITMAP_NODE_INDEX(n, bit); - unsigned int ofs = EBITMAP_NODE_OFFSET(n, bit); - - BUG_ON(index >= EBITMAP_UNIT_NUMS); - n->maps[index] |= (EBITMAP_BIT << ofs); -} - -static inline void ebitmap_node_clr_bit(struct ebitmap_node *n, - unsigned int bit) -{ - unsigned int index = EBITMAP_NODE_INDEX(n, bit); - unsigned int ofs = EBITMAP_NODE_OFFSET(n, bit); - - BUG_ON(index >= EBITMAP_UNIT_NUMS); - n->maps[index] &= ~(EBITMAP_BIT << ofs); -} - -#define ebitmap_for_each_positive_bit(e, n, bit) \ - for (bit = ebitmap_start_positive(e, &n); \ - bit < ebitmap_length(e); \ - bit = ebitmap_next_positive(e, &n, bit)) \ - -int ebitmap_cmp(struct ebitmap *e1, struct ebitmap *e2); -int ebitmap_cpy(struct ebitmap *dst, struct ebitmap *src); -int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2); -int ebitmap_get_bit(struct ebitmap *e, unsigned long bit); -int ebitmap_set_bit(struct ebitmap *e, unsigned long bit, int value); -void ebitmap_destroy(struct ebitmap *e); -int ebitmap_read(struct ebitmap *e, void *fp); -int ebitmap_write(struct ebitmap *e, void *fp); - -#ifdef CONFIG_NETLABEL -int ebitmap_netlbl_export(struct ebitmap *ebmap, - struct netlbl_lsm_secattr_catmap **catmap); -int ebitmap_netlbl_import(struct ebitmap *ebmap, - struct netlbl_lsm_secattr_catmap *catmap); -#else -static inline int ebitmap_netlbl_export(struct ebitmap *ebmap, - struct netlbl_lsm_secattr_catmap **catmap) -{ - return -ENOMEM; -} -static inline int ebitmap_netlbl_import(struct ebitmap *ebmap, - struct netlbl_lsm_secattr_catmap *catmap) -{ - return -ENOMEM; -} -#endif - -#endif /* _SS_EBITMAP_H_ */ diff --git a/ANDROID_3.4.5/security/selinux/ss/hashtab.c b/ANDROID_3.4.5/security/selinux/ss/hashtab.c deleted file mode 100644 index 933e735b..00000000 --- a/ANDROID_3.4.5/security/selinux/ss/hashtab.c +++ /dev/null @@ -1,165 +0,0 @@ -/* - * Implementation of the hash table type. - * - * Author : Stephen Smalley, <sds@epoch.ncsc.mil> - */ -#include <linux/kernel.h> -#include <linux/slab.h> -#include <linux/errno.h> -#include "hashtab.h" - -struct hashtab *hashtab_create(u32 (*hash_value)(struct hashtab *h, const void *key), - int (*keycmp)(struct hashtab *h, const void *key1, const void *key2), - u32 size) -{ - struct hashtab *p; - u32 i; - - p = kzalloc(sizeof(*p), GFP_KERNEL); - if (p == NULL) - return p; - - p->size = size; - p->nel = 0; - p->hash_value = hash_value; - p->keycmp = keycmp; - p->htable = kmalloc(sizeof(*(p->htable)) * size, GFP_KERNEL); - if (p->htable == NULL) { - kfree(p); - return NULL; - } - - for (i = 0; i < size; i++) - p->htable[i] = NULL; - - return p; -} - -int hashtab_insert(struct hashtab *h, void *key, void *datum) -{ - u32 hvalue; - struct hashtab_node *prev, *cur, *newnode; - - if (!h || h->nel == HASHTAB_MAX_NODES) - return -EINVAL; - - hvalue = h->hash_value(h, key); - prev = NULL; - cur = h->htable[hvalue]; - while (cur && h->keycmp(h, key, cur->key) > 0) { - prev = cur; - cur = cur->next; - } - - if (cur && (h->keycmp(h, key, cur->key) == 0)) - return -EEXIST; - - newnode = kzalloc(sizeof(*newnode), GFP_KERNEL); - if (newnode == NULL) - return -ENOMEM; - newnode->key = key; - newnode->datum = datum; - if (prev) { - newnode->next = prev->next; - prev->next = newnode; - } else { - newnode->next = h->htable[hvalue]; - h->htable[hvalue] = newnode; - } - - h->nel++; - return 0; -} - -void *hashtab_search(struct hashtab *h, const void *key) -{ - u32 hvalue; - struct hashtab_node *cur; - - if (!h) - return NULL; - - hvalue = h->hash_value(h, key); - cur = h->htable[hvalue]; - while (cur && h->keycmp(h, key, cur->key) > 0) - cur = cur->next; - - if (cur == NULL || (h->keycmp(h, key, cur->key) != 0)) - return NULL; - - return cur->datum; -} - -void hashtab_destroy(struct hashtab *h) -{ - u32 i; - struct hashtab_node *cur, *temp; - - if (!h) - return; - - for (i = 0; i < h->size; i++) { - cur = h->htable[i]; - while (cur) { - temp = cur; - cur = cur->next; - kfree(temp); - } - h->htable[i] = NULL; - } - - kfree(h->htable); - h->htable = NULL; - - kfree(h); -} - -int hashtab_map(struct hashtab *h, - int (*apply)(void *k, void *d, void *args), - void *args) -{ - u32 i; - int ret; - struct hashtab_node *cur; - - if (!h) - return 0; - - for (i = 0; i < h->size; i++) { - cur = h->htable[i]; - while (cur) { - ret = apply(cur->key, cur->datum, args); - if (ret) - return ret; - cur = cur->next; - } - } - return 0; -} - - -void hashtab_stat(struct hashtab *h, struct hashtab_info *info) -{ - u32 i, chain_len, slots_used, max_chain_len; - struct hashtab_node *cur; - - slots_used = 0; - max_chain_len = 0; - for (slots_used = max_chain_len = i = 0; i < h->size; i++) { - cur = h->htable[i]; - if (cur) { - slots_used++; - chain_len = 0; - while (cur) { - chain_len++; - cur = cur->next; - } - - if (chain_len > max_chain_len) - max_chain_len = chain_len; - } - } - - info->slots_used = slots_used; - info->max_chain_len = max_chain_len; -} diff --git a/ANDROID_3.4.5/security/selinux/ss/hashtab.h b/ANDROID_3.4.5/security/selinux/ss/hashtab.h deleted file mode 100644 index 953872cd..00000000 --- a/ANDROID_3.4.5/security/selinux/ss/hashtab.h +++ /dev/null @@ -1,87 +0,0 @@ -/* - * A hash table (hashtab) maintains associations between - * key values and datum values. The type of the key values - * and the type of the datum values is arbitrary. The - * functions for hash computation and key comparison are - * provided by the creator of the table. - * - * Author : Stephen Smalley, <sds@epoch.ncsc.mil> - */ -#ifndef _SS_HASHTAB_H_ -#define _SS_HASHTAB_H_ - -#define HASHTAB_MAX_NODES 0xffffffff - -struct hashtab_node { - void *key; - void *datum; - struct hashtab_node *next; -}; - -struct hashtab { - struct hashtab_node **htable; /* hash table */ - u32 size; /* number of slots in hash table */ - u32 nel; /* number of elements in hash table */ - u32 (*hash_value)(struct hashtab *h, const void *key); - /* hash function */ - int (*keycmp)(struct hashtab *h, const void *key1, const void *key2); - /* key comparison function */ -}; - -struct hashtab_info { - u32 slots_used; - u32 max_chain_len; -}; - -/* - * Creates a new hash table with the specified characteristics. - * - * Returns NULL if insufficent space is available or - * the new hash table otherwise. - */ -struct hashtab *hashtab_create(u32 (*hash_value)(struct hashtab *h, const void *key), - int (*keycmp)(struct hashtab *h, const void *key1, const void *key2), - u32 size); - -/* - * Inserts the specified (key, datum) pair into the specified hash table. - * - * Returns -ENOMEM on memory allocation error, - * -EEXIST if there is already an entry with the same key, - * -EINVAL for general errors or - 0 otherwise. - */ -int hashtab_insert(struct hashtab *h, void *k, void *d); - -/* - * Searches for the entry with the specified key in the hash table. - * - * Returns NULL if no entry has the specified key or - * the datum of the entry otherwise. - */ -void *hashtab_search(struct hashtab *h, const void *k); - -/* - * Destroys the specified hash table. - */ -void hashtab_destroy(struct hashtab *h); - -/* - * Applies the specified apply function to (key,datum,args) - * for each entry in the specified hash table. - * - * The order in which the function is applied to the entries - * is dependent upon the internal structure of the hash table. - * - * If apply returns a non-zero status, then hashtab_map will cease - * iterating through the hash table and will propagate the error - * return to its caller. - */ -int hashtab_map(struct hashtab *h, - int (*apply)(void *k, void *d, void *args), - void *args); - -/* Fill info with some hash table statistics */ -void hashtab_stat(struct hashtab *h, struct hashtab_info *info); - -#endif /* _SS_HASHTAB_H */ diff --git a/ANDROID_3.4.5/security/selinux/ss/mls.c b/ANDROID_3.4.5/security/selinux/ss/mls.c deleted file mode 100644 index fbf9c581..00000000 --- a/ANDROID_3.4.5/security/selinux/ss/mls.c +++ /dev/null @@ -1,654 +0,0 @@ -/* - * Implementation of the multi-level security (MLS) policy. - * - * Author : Stephen Smalley, <sds@epoch.ncsc.mil> - */ -/* - * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> - * - * Support for enhanced MLS infrastructure. - * - * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc. - */ -/* - * Updated: Hewlett-Packard <paul@paul-moore.com> - * - * Added support to import/export the MLS label from NetLabel - * - * (c) Copyright Hewlett-Packard Development Company, L.P., 2006 - */ - -#include <linux/kernel.h> -#include <linux/slab.h> -#include <linux/string.h> -#include <linux/errno.h> -#include <net/netlabel.h> -#include "sidtab.h" -#include "mls.h" -#include "policydb.h" -#include "services.h" - -/* - * Return the length in bytes for the MLS fields of the - * security context string representation of `context'. - */ -int mls_compute_context_len(struct context *context) -{ - int i, l, len, head, prev; - char *nm; - struct ebitmap *e; - struct ebitmap_node *node; - - if (!policydb.mls_enabled) - return 0; - - len = 1; /* for the beginning ":" */ - for (l = 0; l < 2; l++) { - int index_sens = context->range.level[l].sens; - len += strlen(sym_name(&policydb, SYM_LEVELS, index_sens - 1)); - - /* categories */ - head = -2; - prev = -2; - e = &context->range.level[l].cat; - ebitmap_for_each_positive_bit(e, node, i) { - if (i - prev > 1) { - /* one or more negative bits are skipped */ - if (head != prev) { - nm = sym_name(&policydb, SYM_CATS, prev); - len += strlen(nm) + 1; - } - nm = sym_name(&policydb, SYM_CATS, i); - len += strlen(nm) + 1; - head = i; - } - prev = i; - } - if (prev != head) { - nm = sym_name(&policydb, SYM_CATS, prev); - len += strlen(nm) + 1; - } - if (l == 0) { - if (mls_level_eq(&context->range.level[0], - &context->range.level[1])) - break; - else - len++; - } - } - - return len; -} - -/* - * Write the security context string representation of - * the MLS fields of `context' into the string `*scontext'. - * Update `*scontext' to point to the end of the MLS fields. - */ -void mls_sid_to_context(struct context *context, - char **scontext) -{ - char *scontextp, *nm; - int i, l, head, prev; - struct ebitmap *e; - struct ebitmap_node *node; - - if (!policydb.mls_enabled) - return; - - scontextp = *scontext; - - *scontextp = ':'; - scontextp++; - - for (l = 0; l < 2; l++) { - strcpy(scontextp, sym_name(&policydb, SYM_LEVELS, - context->range.level[l].sens - 1)); - scontextp += strlen(scontextp); - - /* categories */ - head = -2; - prev = -2; - e = &context->range.level[l].cat; - ebitmap_for_each_positive_bit(e, node, i) { - if (i - prev > 1) { - /* one or more negative bits are skipped */ - if (prev != head) { - if (prev - head > 1) - *scontextp++ = '.'; - else - *scontextp++ = ','; - nm = sym_name(&policydb, SYM_CATS, prev); - strcpy(scontextp, nm); - scontextp += strlen(nm); - } - if (prev < 0) - *scontextp++ = ':'; - else - *scontextp++ = ','; - nm = sym_name(&policydb, SYM_CATS, i); - strcpy(scontextp, nm); - scontextp += strlen(nm); - head = i; - } - prev = i; - } - - if (prev != head) { - if (prev - head > 1) - *scontextp++ = '.'; - else - *scontextp++ = ','; - nm = sym_name(&policydb, SYM_CATS, prev); - strcpy(scontextp, nm); - scontextp += strlen(nm); - } - - if (l == 0) { - if (mls_level_eq(&context->range.level[0], - &context->range.level[1])) - break; - else - *scontextp++ = '-'; - } - } - - *scontext = scontextp; - return; -} - -int mls_level_isvalid(struct policydb *p, struct mls_level *l) -{ - struct level_datum *levdatum; - struct ebitmap_node *node; - int i; - - if (!l->sens || l->sens > p->p_levels.nprim) - return 0; - levdatum = hashtab_search(p->p_levels.table, - sym_name(p, SYM_LEVELS, l->sens - 1)); - if (!levdatum) - return 0; - - ebitmap_for_each_positive_bit(&l->cat, node, i) { - if (i > p->p_cats.nprim) - return 0; - if (!ebitmap_get_bit(&levdatum->level->cat, i)) { - /* - * Category may not be associated with - * sensitivity. - */ - return 0; - } - } - - return 1; -} - -int mls_range_isvalid(struct policydb *p, struct mls_range *r) -{ - return (mls_level_isvalid(p, &r->level[0]) && - mls_level_isvalid(p, &r->level[1]) && - mls_level_dom(&r->level[1], &r->level[0])); -} - -/* - * Return 1 if the MLS fields in the security context - * structure `c' are valid. Return 0 otherwise. - */ -int mls_context_isvalid(struct policydb *p, struct context *c) -{ - struct user_datum *usrdatum; - - if (!p->mls_enabled) - return 1; - - if (!mls_range_isvalid(p, &c->range)) - return 0; - - if (c->role == OBJECT_R_VAL) - return 1; - - /* - * User must be authorized for the MLS range. - */ - if (!c->user || c->user > p->p_users.nprim) - return 0; - usrdatum = p->user_val_to_struct[c->user - 1]; - if (!mls_range_contains(usrdatum->range, c->range)) - return 0; /* user may not be associated with range */ - - return 1; -} - -/* - * Set the MLS fields in the security context structure - * `context' based on the string representation in - * the string `*scontext'. Update `*scontext' to - * point to the end of the string representation of - * the MLS fields. - * - * This function modifies the string in place, inserting - * NULL characters to terminate the MLS fields. - * - * If a def_sid is provided and no MLS field is present, - * copy the MLS field of the associated default context. - * Used for upgraded to MLS systems where objects may lack - * MLS fields. - * - * Policy read-lock must be held for sidtab lookup. - * - */ -int mls_context_to_sid(struct policydb *pol, - char oldc, - char **scontext, - struct context *context, - struct sidtab *s, - u32 def_sid) -{ - - char delim; - char *scontextp, *p, *rngptr; - struct level_datum *levdatum; - struct cat_datum *catdatum, *rngdatum; - int l, rc = -EINVAL; - - if (!pol->mls_enabled) { - if (def_sid != SECSID_NULL && oldc) - *scontext += strlen(*scontext) + 1; - return 0; - } - - /* - * No MLS component to the security context, try and map to - * default if provided. - */ - if (!oldc) { - struct context *defcon; - - if (def_sid == SECSID_NULL) - goto out; - - defcon = sidtab_search(s, def_sid); - if (!defcon) - goto out; - - rc = mls_context_cpy(context, defcon); - goto out; - } - - /* Extract low sensitivity. */ - scontextp = p = *scontext; - while (*p && *p != ':' && *p != '-') - p++; - - delim = *p; - if (delim != '\0') - *p++ = '\0'; - - for (l = 0; l < 2; l++) { - levdatum = hashtab_search(pol->p_levels.table, scontextp); - if (!levdatum) { - rc = -EINVAL; - goto out; - } - - context->range.level[l].sens = levdatum->level->sens; - - if (delim == ':') { - /* Extract category set. */ - while (1) { - scontextp = p; - while (*p && *p != ',' && *p != '-') - p++; - delim = *p; - if (delim != '\0') - *p++ = '\0'; - - /* Separate into range if exists */ - rngptr = strchr(scontextp, '.'); - if (rngptr != NULL) { - /* Remove '.' */ - *rngptr++ = '\0'; - } - - catdatum = hashtab_search(pol->p_cats.table, - scontextp); - if (!catdatum) { - rc = -EINVAL; - goto out; - } - - rc = ebitmap_set_bit(&context->range.level[l].cat, - catdatum->value - 1, 1); - if (rc) - goto out; - - /* If range, set all categories in range */ - if (rngptr) { - int i; - - rngdatum = hashtab_search(pol->p_cats.table, rngptr); - if (!rngdatum) { - rc = -EINVAL; - goto out; - } - - if (catdatum->value >= rngdatum->value) { - rc = -EINVAL; - goto out; - } - - for (i = catdatum->value; i < rngdatum->value; i++) { - rc = ebitmap_set_bit(&context->range.level[l].cat, i, 1); - if (rc) - goto out; - } - } - - if (delim != ',') - break; - } - } - if (delim == '-') { - /* Extract high sensitivity. */ - scontextp = p; - while (*p && *p != ':') - p++; - - delim = *p; - if (delim != '\0') - *p++ = '\0'; - } else - break; - } - - if (l == 0) { - context->range.level[1].sens = context->range.level[0].sens; - rc = ebitmap_cpy(&context->range.level[1].cat, - &context->range.level[0].cat); - if (rc) - goto out; - } - *scontext = ++p; - rc = 0; -out: - return rc; -} - -/* - * Set the MLS fields in the security context structure - * `context' based on the string representation in - * the string `str'. This function will allocate temporary memory with the - * given constraints of gfp_mask. - */ -int mls_from_string(char *str, struct context *context, gfp_t gfp_mask) -{ - char *tmpstr, *freestr; - int rc; - - if (!policydb.mls_enabled) - return -EINVAL; - - /* we need freestr because mls_context_to_sid will change - the value of tmpstr */ - tmpstr = freestr = kstrdup(str, gfp_mask); - if (!tmpstr) { - rc = -ENOMEM; - } else { - rc = mls_context_to_sid(&policydb, ':', &tmpstr, context, - NULL, SECSID_NULL); - kfree(freestr); - } - - return rc; -} - -/* - * Copies the MLS range `range' into `context'. - */ -int mls_range_set(struct context *context, - struct mls_range *range) -{ - int l, rc = 0; - - /* Copy the MLS range into the context */ - for (l = 0; l < 2; l++) { - context->range.level[l].sens = range->level[l].sens; - rc = ebitmap_cpy(&context->range.level[l].cat, - &range->level[l].cat); - if (rc) - break; - } - - return rc; -} - -int mls_setup_user_range(struct context *fromcon, struct user_datum *user, - struct context *usercon) -{ - if (policydb.mls_enabled) { - struct mls_level *fromcon_sen = &(fromcon->range.level[0]); - struct mls_level *fromcon_clr = &(fromcon->range.level[1]); - struct mls_level *user_low = &(user->range.level[0]); - struct mls_level *user_clr = &(user->range.level[1]); - struct mls_level *user_def = &(user->dfltlevel); - struct mls_level *usercon_sen = &(usercon->range.level[0]); - struct mls_level *usercon_clr = &(usercon->range.level[1]); - - /* Honor the user's default level if we can */ - if (mls_level_between(user_def, fromcon_sen, fromcon_clr)) - *usercon_sen = *user_def; - else if (mls_level_between(fromcon_sen, user_def, user_clr)) - *usercon_sen = *fromcon_sen; - else if (mls_level_between(fromcon_clr, user_low, user_def)) - *usercon_sen = *user_low; - else - return -EINVAL; - - /* Lower the clearance of available contexts - if the clearance of "fromcon" is lower than - that of the user's default clearance (but - only if the "fromcon" clearance dominates - the user's computed sensitivity level) */ - if (mls_level_dom(user_clr, fromcon_clr)) - *usercon_clr = *fromcon_clr; - else if (mls_level_dom(fromcon_clr, user_clr)) - *usercon_clr = *user_clr; - else - return -EINVAL; - } - - return 0; -} - -/* - * Convert the MLS fields in the security context - * structure `c' from the values specified in the - * policy `oldp' to the values specified in the policy `newp'. - */ -int mls_convert_context(struct policydb *oldp, - struct policydb *newp, - struct context *c) -{ - struct level_datum *levdatum; - struct cat_datum *catdatum; - struct ebitmap bitmap; - struct ebitmap_node *node; - int l, i; - - if (!policydb.mls_enabled) - return 0; - - for (l = 0; l < 2; l++) { - levdatum = hashtab_search(newp->p_levels.table, - sym_name(oldp, SYM_LEVELS, - c->range.level[l].sens - 1)); - - if (!levdatum) - return -EINVAL; - c->range.level[l].sens = levdatum->level->sens; - - ebitmap_init(&bitmap); - ebitmap_for_each_positive_bit(&c->range.level[l].cat, node, i) { - int rc; - - catdatum = hashtab_search(newp->p_cats.table, - sym_name(oldp, SYM_CATS, i)); - if (!catdatum) - return -EINVAL; - rc = ebitmap_set_bit(&bitmap, catdatum->value - 1, 1); - if (rc) - return rc; - } - ebitmap_destroy(&c->range.level[l].cat); - c->range.level[l].cat = bitmap; - } - - return 0; -} - -int mls_compute_sid(struct context *scontext, - struct context *tcontext, - u16 tclass, - u32 specified, - struct context *newcontext, - bool sock) -{ - struct range_trans rtr; - struct mls_range *r; - - if (!policydb.mls_enabled) - return 0; - - switch (specified) { - case AVTAB_TRANSITION: - /* Look for a range transition rule. */ - rtr.source_type = scontext->type; - rtr.target_type = tcontext->type; - rtr.target_class = tclass; - r = hashtab_search(policydb.range_tr, &rtr); - if (r) - return mls_range_set(newcontext, r); - /* Fallthrough */ - case AVTAB_CHANGE: - if ((tclass == policydb.process_class) || (sock == true)) - /* Use the process MLS attributes. */ - return mls_context_cpy(newcontext, scontext); - else - /* Use the process effective MLS attributes. */ - return mls_context_cpy_low(newcontext, scontext); - case AVTAB_MEMBER: - /* Use the process effective MLS attributes. */ - return mls_context_cpy_low(newcontext, scontext); - - /* fall through */ - } - return -EINVAL; -} - -#ifdef CONFIG_NETLABEL -/** - * mls_export_netlbl_lvl - Export the MLS sensitivity levels to NetLabel - * @context: the security context - * @secattr: the NetLabel security attributes - * - * Description: - * Given the security context copy the low MLS sensitivity level into the - * NetLabel MLS sensitivity level field. - * - */ -void mls_export_netlbl_lvl(struct context *context, - struct netlbl_lsm_secattr *secattr) -{ - if (!policydb.mls_enabled) - return; - - secattr->attr.mls.lvl = context->range.level[0].sens - 1; - secattr->flags |= NETLBL_SECATTR_MLS_LVL; -} - -/** - * mls_import_netlbl_lvl - Import the NetLabel MLS sensitivity levels - * @context: the security context - * @secattr: the NetLabel security attributes - * - * Description: - * Given the security context and the NetLabel security attributes, copy the - * NetLabel MLS sensitivity level into the context. - * - */ -void mls_import_netlbl_lvl(struct context *context, - struct netlbl_lsm_secattr *secattr) -{ - if (!policydb.mls_enabled) - return; - - context->range.level[0].sens = secattr->attr.mls.lvl + 1; - context->range.level[1].sens = context->range.level[0].sens; -} - -/** - * mls_export_netlbl_cat - Export the MLS categories to NetLabel - * @context: the security context - * @secattr: the NetLabel security attributes - * - * Description: - * Given the security context copy the low MLS categories into the NetLabel - * MLS category field. Returns zero on success, negative values on failure. - * - */ -int mls_export_netlbl_cat(struct context *context, - struct netlbl_lsm_secattr *secattr) -{ - int rc; - - if (!policydb.mls_enabled) - return 0; - - rc = ebitmap_netlbl_export(&context->range.level[0].cat, - &secattr->attr.mls.cat); - if (rc == 0 && secattr->attr.mls.cat != NULL) - secattr->flags |= NETLBL_SECATTR_MLS_CAT; - - return rc; -} - -/** - * mls_import_netlbl_cat - Import the MLS categories from NetLabel - * @context: the security context - * @secattr: the NetLabel security attributes - * - * Description: - * Copy the NetLabel security attributes into the SELinux context; since the - * NetLabel security attribute only contains a single MLS category use it for - * both the low and high categories of the context. Returns zero on success, - * negative values on failure. - * - */ -int mls_import_netlbl_cat(struct context *context, - struct netlbl_lsm_secattr *secattr) -{ - int rc; - - if (!policydb.mls_enabled) - return 0; - - rc = ebitmap_netlbl_import(&context->range.level[0].cat, - secattr->attr.mls.cat); - if (rc != 0) - goto import_netlbl_cat_failure; - - rc = ebitmap_cpy(&context->range.level[1].cat, - &context->range.level[0].cat); - if (rc != 0) - goto import_netlbl_cat_failure; - - return 0; - -import_netlbl_cat_failure: - ebitmap_destroy(&context->range.level[0].cat); - ebitmap_destroy(&context->range.level[1].cat); - return rc; -} -#endif /* CONFIG_NETLABEL */ diff --git a/ANDROID_3.4.5/security/selinux/ss/mls.h b/ANDROID_3.4.5/security/selinux/ss/mls.h deleted file mode 100644 index e4369e3e..00000000 --- a/ANDROID_3.4.5/security/selinux/ss/mls.h +++ /dev/null @@ -1,91 +0,0 @@ -/* - * Multi-level security (MLS) policy operations. - * - * Author : Stephen Smalley, <sds@epoch.ncsc.mil> - */ -/* - * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> - * - * Support for enhanced MLS infrastructure. - * - * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc. - */ -/* - * Updated: Hewlett-Packard <paul@paul-moore.com> - * - * Added support to import/export the MLS label from NetLabel - * - * (c) Copyright Hewlett-Packard Development Company, L.P., 2006 - */ - -#ifndef _SS_MLS_H_ -#define _SS_MLS_H_ - -#include "context.h" -#include "policydb.h" - -int mls_compute_context_len(struct context *context); -void mls_sid_to_context(struct context *context, char **scontext); -int mls_context_isvalid(struct policydb *p, struct context *c); -int mls_range_isvalid(struct policydb *p, struct mls_range *r); -int mls_level_isvalid(struct policydb *p, struct mls_level *l); - -int mls_context_to_sid(struct policydb *p, - char oldc, - char **scontext, - struct context *context, - struct sidtab *s, - u32 def_sid); - -int mls_from_string(char *str, struct context *context, gfp_t gfp_mask); - -int mls_range_set(struct context *context, struct mls_range *range); - -int mls_convert_context(struct policydb *oldp, - struct policydb *newp, - struct context *context); - -int mls_compute_sid(struct context *scontext, - struct context *tcontext, - u16 tclass, - u32 specified, - struct context *newcontext, - bool sock); - -int mls_setup_user_range(struct context *fromcon, struct user_datum *user, - struct context *usercon); - -#ifdef CONFIG_NETLABEL -void mls_export_netlbl_lvl(struct context *context, - struct netlbl_lsm_secattr *secattr); -void mls_import_netlbl_lvl(struct context *context, - struct netlbl_lsm_secattr *secattr); -int mls_export_netlbl_cat(struct context *context, - struct netlbl_lsm_secattr *secattr); -int mls_import_netlbl_cat(struct context *context, - struct netlbl_lsm_secattr *secattr); -#else -static inline void mls_export_netlbl_lvl(struct context *context, - struct netlbl_lsm_secattr *secattr) -{ - return; -} -static inline void mls_import_netlbl_lvl(struct context *context, - struct netlbl_lsm_secattr *secattr) -{ - return; -} -static inline int mls_export_netlbl_cat(struct context *context, - struct netlbl_lsm_secattr *secattr) -{ - return -ENOMEM; -} -static inline int mls_import_netlbl_cat(struct context *context, - struct netlbl_lsm_secattr *secattr) -{ - return -ENOMEM; -} -#endif - -#endif /* _SS_MLS_H */ - diff --git a/ANDROID_3.4.5/security/selinux/ss/mls_types.h b/ANDROID_3.4.5/security/selinux/ss/mls_types.h deleted file mode 100644 index 03bed52a..00000000 --- a/ANDROID_3.4.5/security/selinux/ss/mls_types.h +++ /dev/null @@ -1,51 +0,0 @@ -/* - * Type definitions for the multi-level security (MLS) policy. - * - * Author : Stephen Smalley, <sds@epoch.ncsc.mil> - */ -/* - * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> - * - * Support for enhanced MLS infrastructure. - * - * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. - */ - -#ifndef _SS_MLS_TYPES_H_ -#define _SS_MLS_TYPES_H_ - -#include "security.h" -#include "ebitmap.h" - -struct mls_level { - u32 sens; /* sensitivity */ - struct ebitmap cat; /* category set */ -}; - -struct mls_range { - struct mls_level level[2]; /* low == level[0], high == level[1] */ -}; - -static inline int mls_level_eq(struct mls_level *l1, struct mls_level *l2) -{ - return ((l1->sens == l2->sens) && - ebitmap_cmp(&l1->cat, &l2->cat)); -} - -static inline int mls_level_dom(struct mls_level *l1, struct mls_level *l2) -{ - return ((l1->sens >= l2->sens) && - ebitmap_contains(&l1->cat, &l2->cat)); -} - -#define mls_level_incomp(l1, l2) \ -(!mls_level_dom((l1), (l2)) && !mls_level_dom((l2), (l1))) - -#define mls_level_between(l1, l2, l3) \ -(mls_level_dom((l1), (l2)) && mls_level_dom((l3), (l1))) - -#define mls_range_contains(r1, r2) \ -(mls_level_dom(&(r2).level[0], &(r1).level[0]) && \ - mls_level_dom(&(r1).level[1], &(r2).level[1])) - -#endif /* _SS_MLS_TYPES_H_ */ diff --git a/ANDROID_3.4.5/security/selinux/ss/policydb.c b/ANDROID_3.4.5/security/selinux/ss/policydb.c deleted file mode 100644 index a7f61d52..00000000 --- a/ANDROID_3.4.5/security/selinux/ss/policydb.c +++ /dev/null @@ -1,3379 +0,0 @@ -/* - * Implementation of the policy database. - * - * Author : Stephen Smalley, <sds@epoch.ncsc.mil> - */ - -/* - * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> - * - * Support for enhanced MLS infrastructure. - * - * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> - * - * Added conditional policy language extensions - * - * Updated: Hewlett-Packard <paul@paul-moore.com> - * - * Added support for the policy capability bitmap - * - * Copyright (C) 2007 Hewlett-Packard Development Company, L.P. - * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. - * Copyright (C) 2003 - 2004 Tresys Technology, LLC - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, version 2. - */ - -#include <linux/kernel.h> -#include <linux/sched.h> -#include <linux/slab.h> -#include <linux/string.h> -#include <linux/errno.h> -#include <linux/audit.h> -#include <linux/flex_array.h> -#include "security.h" - -#include "policydb.h" -#include "conditional.h" -#include "mls.h" -#include "services.h" - -#define _DEBUG_HASHES - -#ifdef DEBUG_HASHES -static const char *symtab_name[SYM_NUM] = { - "common prefixes", - "classes", - "roles", - "types", - "users", - "bools", - "levels", - "categories", -}; -#endif - -static unsigned int symtab_sizes[SYM_NUM] = { - 2, - 32, - 16, - 512, - 128, - 16, - 16, - 16, -}; - -struct policydb_compat_info { - int version; - int sym_num; - int ocon_num; -}; - -/* These need to be updated if SYM_NUM or OCON_NUM changes */ -static struct policydb_compat_info policydb_compat[] = { - { - .version = POLICYDB_VERSION_BASE, - .sym_num = SYM_NUM - 3, - .ocon_num = OCON_NUM - 1, - }, - { - .version = POLICYDB_VERSION_BOOL, - .sym_num = SYM_NUM - 2, - .ocon_num = OCON_NUM - 1, - }, - { - .version = POLICYDB_VERSION_IPV6, - .sym_num = SYM_NUM - 2, - .ocon_num = OCON_NUM, - }, - { - .version = POLICYDB_VERSION_NLCLASS, - .sym_num = SYM_NUM - 2, - .ocon_num = OCON_NUM, - }, - { - .version = POLICYDB_VERSION_MLS, - .sym_num = SYM_NUM, - .ocon_num = OCON_NUM, - }, - { - .version = POLICYDB_VERSION_AVTAB, - .sym_num = SYM_NUM, - .ocon_num = OCON_NUM, - }, - { - .version = POLICYDB_VERSION_RANGETRANS, - .sym_num = SYM_NUM, - .ocon_num = OCON_NUM, - }, - { - .version = POLICYDB_VERSION_POLCAP, - .sym_num = SYM_NUM, - .ocon_num = OCON_NUM, - }, - { - .version = POLICYDB_VERSION_PERMISSIVE, - .sym_num = SYM_NUM, - .ocon_num = OCON_NUM, - }, - { - .version = POLICYDB_VERSION_BOUNDARY, - .sym_num = SYM_NUM, - .ocon_num = OCON_NUM, - }, - { - .version = POLICYDB_VERSION_FILENAME_TRANS, - .sym_num = SYM_NUM, - .ocon_num = OCON_NUM, - }, - { - .version = POLICYDB_VERSION_ROLETRANS, - .sym_num = SYM_NUM, - .ocon_num = OCON_NUM, - }, -}; - -static struct policydb_compat_info *policydb_lookup_compat(int version) -{ - int i; - struct policydb_compat_info *info = NULL; - - for (i = 0; i < ARRAY_SIZE(policydb_compat); i++) { - if (policydb_compat[i].version == version) { - info = &policydb_compat[i]; - break; - } - } - return info; -} - -/* - * Initialize the role table. - */ -static int roles_init(struct policydb *p) -{ - char *key = NULL; - int rc; - struct role_datum *role; - - rc = -ENOMEM; - role = kzalloc(sizeof(*role), GFP_KERNEL); - if (!role) - goto out; - - rc = -EINVAL; - role->value = ++p->p_roles.nprim; - if (role->value != OBJECT_R_VAL) - goto out; - - rc = -ENOMEM; - key = kstrdup(OBJECT_R, GFP_KERNEL); - if (!key) - goto out; - - rc = hashtab_insert(p->p_roles.table, key, role); - if (rc) - goto out; - - return 0; -out: - kfree(key); - kfree(role); - return rc; -} - -static u32 filenametr_hash(struct hashtab *h, const void *k) -{ - const struct filename_trans *ft = k; - unsigned long hash; - unsigned int byte_num; - unsigned char focus; - - hash = ft->stype ^ ft->ttype ^ ft->tclass; - - byte_num = 0; - while ((focus = ft->name[byte_num++])) - hash = partial_name_hash(focus, hash); - return hash & (h->size - 1); -} - -static int filenametr_cmp(struct hashtab *h, const void *k1, const void *k2) -{ - const struct filename_trans *ft1 = k1; - const struct filename_trans *ft2 = k2; - int v; - - v = ft1->stype - ft2->stype; - if (v) - return v; - - v = ft1->ttype - ft2->ttype; - if (v) - return v; - - v = ft1->tclass - ft2->tclass; - if (v) - return v; - - return strcmp(ft1->name, ft2->name); - -} - -static u32 rangetr_hash(struct hashtab *h, const void *k) -{ - const struct range_trans *key = k; - return (key->source_type + (key->target_type << 3) + - (key->target_class << 5)) & (h->size - 1); -} - -static int rangetr_cmp(struct hashtab *h, const void *k1, const void *k2) -{ - const struct range_trans *key1 = k1, *key2 = k2; - int v; - - v = key1->source_type - key2->source_type; - if (v) - return v; - - v = key1->target_type - key2->target_type; - if (v) - return v; - - v = key1->target_class - key2->target_class; - - return v; -} - -/* - * Initialize a policy database structure. - */ -static int policydb_init(struct policydb *p) -{ - int i, rc; - - memset(p, 0, sizeof(*p)); - - for (i = 0; i < SYM_NUM; i++) { - rc = symtab_init(&p->symtab[i], symtab_sizes[i]); - if (rc) - goto out; - } - - rc = avtab_init(&p->te_avtab); - if (rc) - goto out; - - rc = roles_init(p); - if (rc) - goto out; - - rc = cond_policydb_init(p); - if (rc) - goto out; - - p->filename_trans = hashtab_create(filenametr_hash, filenametr_cmp, (1 << 10)); - if (!p->filename_trans) - goto out; - - p->range_tr = hashtab_create(rangetr_hash, rangetr_cmp, 256); - if (!p->range_tr) - goto out; - - ebitmap_init(&p->filename_trans_ttypes); - ebitmap_init(&p->policycaps); - ebitmap_init(&p->permissive_map); - - return 0; -out: - hashtab_destroy(p->filename_trans); - hashtab_destroy(p->range_tr); - for (i = 0; i < SYM_NUM; i++) - hashtab_destroy(p->symtab[i].table); - return rc; -} - -/* - * The following *_index functions are used to - * define the val_to_name and val_to_struct arrays - * in a policy database structure. The val_to_name - * arrays are used when converting security context - * structures into string representations. The - * val_to_struct arrays are used when the attributes - * of a class, role, or user are needed. - */ - -static int common_index(void *key, void *datum, void *datap) -{ - struct policydb *p; - struct common_datum *comdatum; - struct flex_array *fa; - - comdatum = datum; - p = datap; - if (!comdatum->value || comdatum->value > p->p_commons.nprim) - return -EINVAL; - - fa = p->sym_val_to_name[SYM_COMMONS]; - if (flex_array_put_ptr(fa, comdatum->value - 1, key, - GFP_KERNEL | __GFP_ZERO)) - BUG(); - return 0; -} - -static int class_index(void *key, void *datum, void *datap) -{ - struct policydb *p; - struct class_datum *cladatum; - struct flex_array *fa; - - cladatum = datum; - p = datap; - if (!cladatum->value || cladatum->value > p->p_classes.nprim) - return -EINVAL; - fa = p->sym_val_to_name[SYM_CLASSES]; - if (flex_array_put_ptr(fa, cladatum->value - 1, key, - GFP_KERNEL | __GFP_ZERO)) - BUG(); - p->class_val_to_struct[cladatum->value - 1] = cladatum; - return 0; -} - -static int role_index(void *key, void *datum, void *datap) -{ - struct policydb *p; - struct role_datum *role; - struct flex_array *fa; - - role = datum; - p = datap; - if (!role->value - || role->value > p->p_roles.nprim - || role->bounds > p->p_roles.nprim) - return -EINVAL; - - fa = p->sym_val_to_name[SYM_ROLES]; - if (flex_array_put_ptr(fa, role->value - 1, key, - GFP_KERNEL | __GFP_ZERO)) - BUG(); - p->role_val_to_struct[role->value - 1] = role; - return 0; -} - -static int type_index(void *key, void *datum, void *datap) -{ - struct policydb *p; - struct type_datum *typdatum; - struct flex_array *fa; - - typdatum = datum; - p = datap; - - if (typdatum->primary) { - if (!typdatum->value - || typdatum->value > p->p_types.nprim - || typdatum->bounds > p->p_types.nprim) - return -EINVAL; - fa = p->sym_val_to_name[SYM_TYPES]; - if (flex_array_put_ptr(fa, typdatum->value - 1, key, - GFP_KERNEL | __GFP_ZERO)) - BUG(); - - fa = p->type_val_to_struct_array; - if (flex_array_put_ptr(fa, typdatum->value - 1, typdatum, - GFP_KERNEL | __GFP_ZERO)) - BUG(); - } - - return 0; -} - -static int user_index(void *key, void *datum, void *datap) -{ - struct policydb *p; - struct user_datum *usrdatum; - struct flex_array *fa; - - usrdatum = datum; - p = datap; - if (!usrdatum->value - || usrdatum->value > p->p_users.nprim - || usrdatum->bounds > p->p_users.nprim) - return -EINVAL; - - fa = p->sym_val_to_name[SYM_USERS]; - if (flex_array_put_ptr(fa, usrdatum->value - 1, key, - GFP_KERNEL | __GFP_ZERO)) - BUG(); - p->user_val_to_struct[usrdatum->value - 1] = usrdatum; - return 0; -} - -static int sens_index(void *key, void *datum, void *datap) -{ - struct policydb *p; - struct level_datum *levdatum; - struct flex_array *fa; - - levdatum = datum; - p = datap; - - if (!levdatum->isalias) { - if (!levdatum->level->sens || - levdatum->level->sens > p->p_levels.nprim) - return -EINVAL; - fa = p->sym_val_to_name[SYM_LEVELS]; - if (flex_array_put_ptr(fa, levdatum->level->sens - 1, key, - GFP_KERNEL | __GFP_ZERO)) - BUG(); - } - - return 0; -} - -static int cat_index(void *key, void *datum, void *datap) -{ - struct policydb *p; - struct cat_datum *catdatum; - struct flex_array *fa; - - catdatum = datum; - p = datap; - - if (!catdatum->isalias) { - if (!catdatum->value || catdatum->value > p->p_cats.nprim) - return -EINVAL; - fa = p->sym_val_to_name[SYM_CATS]; - if (flex_array_put_ptr(fa, catdatum->value - 1, key, - GFP_KERNEL | __GFP_ZERO)) - BUG(); - } - - return 0; -} - -static int (*index_f[SYM_NUM]) (void *key, void *datum, void *datap) = -{ - common_index, - class_index, - role_index, - type_index, - user_index, - cond_index_bool, - sens_index, - cat_index, -}; - -#ifdef DEBUG_HASHES -static void hash_eval(struct hashtab *h, const char *hash_name) -{ - struct hashtab_info info; - - hashtab_stat(h, &info); - printk(KERN_DEBUG "SELinux: %s: %d entries and %d/%d buckets used, " - "longest chain length %d\n", hash_name, h->nel, - info.slots_used, h->size, info.max_chain_len); -} - -static void symtab_hash_eval(struct symtab *s) -{ - int i; - - for (i = 0; i < SYM_NUM; i++) - hash_eval(s[i].table, symtab_name[i]); -} - -#else -static inline void hash_eval(struct hashtab *h, char *hash_name) -{ -} -#endif - -/* - * Define the other val_to_name and val_to_struct arrays - * in a policy database structure. - * - * Caller must clean up on failure. - */ -static int policydb_index(struct policydb *p) -{ - int i, rc; - - printk(KERN_DEBUG "SELinux: %d users, %d roles, %d types, %d bools", - p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim, p->p_bools.nprim); - if (p->mls_enabled) - printk(", %d sens, %d cats", p->p_levels.nprim, - p->p_cats.nprim); - printk("\n"); - - printk(KERN_DEBUG "SELinux: %d classes, %d rules\n", - p->p_classes.nprim, p->te_avtab.nel); - -#ifdef DEBUG_HASHES - avtab_hash_eval(&p->te_avtab, "rules"); - symtab_hash_eval(p->symtab); -#endif - - rc = -ENOMEM; - p->class_val_to_struct = - kmalloc(p->p_classes.nprim * sizeof(*(p->class_val_to_struct)), - GFP_KERNEL); - if (!p->class_val_to_struct) - goto out; - - rc = -ENOMEM; - p->role_val_to_struct = - kmalloc(p->p_roles.nprim * sizeof(*(p->role_val_to_struct)), - GFP_KERNEL); - if (!p->role_val_to_struct) - goto out; - - rc = -ENOMEM; - p->user_val_to_struct = - kmalloc(p->p_users.nprim * sizeof(*(p->user_val_to_struct)), - GFP_KERNEL); - if (!p->user_val_to_struct) - goto out; - - /* Yes, I want the sizeof the pointer, not the structure */ - rc = -ENOMEM; - p->type_val_to_struct_array = flex_array_alloc(sizeof(struct type_datum *), - p->p_types.nprim, - GFP_KERNEL | __GFP_ZERO); - if (!p->type_val_to_struct_array) - goto out; - - rc = flex_array_prealloc(p->type_val_to_struct_array, 0, - p->p_types.nprim, GFP_KERNEL | __GFP_ZERO); - if (rc) - goto out; - - rc = cond_init_bool_indexes(p); - if (rc) - goto out; - - for (i = 0; i < SYM_NUM; i++) { - rc = -ENOMEM; - p->sym_val_to_name[i] = flex_array_alloc(sizeof(char *), - p->symtab[i].nprim, - GFP_KERNEL | __GFP_ZERO); - if (!p->sym_val_to_name[i]) - goto out; - - rc = flex_array_prealloc(p->sym_val_to_name[i], - 0, p->symtab[i].nprim, - GFP_KERNEL | __GFP_ZERO); - if (rc) - goto out; - - rc = hashtab_map(p->symtab[i].table, index_f[i], p); - if (rc) - goto out; - } - rc = 0; -out: - return rc; -} - -/* - * The following *_destroy functions are used to - * free any memory allocated for each kind of - * symbol data in the policy database. - */ - -static int perm_destroy(void *key, void *datum, void *p) -{ - kfree(key); - kfree(datum); - return 0; -} - -static int common_destroy(void *key, void *datum, void *p) -{ - struct common_datum *comdatum; - - kfree(key); - if (datum) { - comdatum = datum; - hashtab_map(comdatum->permissions.table, perm_destroy, NULL); - hashtab_destroy(comdatum->permissions.table); - } - kfree(datum); - return 0; -} - -static int cls_destroy(void *key, void *datum, void *p) -{ - struct class_datum *cladatum; - struct constraint_node *constraint, *ctemp; - struct constraint_expr *e, *etmp; - - kfree(key); - if (datum) { - cladatum = datum; - hashtab_map(cladatum->permissions.table, perm_destroy, NULL); - hashtab_destroy(cladatum->permissions.table); - constraint = cladatum->constraints; - while (constraint) { - e = constraint->expr; - while (e) { - ebitmap_destroy(&e->names); - etmp = e; - e = e->next; - kfree(etmp); - } - ctemp = constraint; - constraint = constraint->next; - kfree(ctemp); - } - - constraint = cladatum->validatetrans; - while (constraint) { - e = constraint->expr; - while (e) { - ebitmap_destroy(&e->names); - etmp = e; - e = e->next; - kfree(etmp); - } - ctemp = constraint; - constraint = constraint->next; - kfree(ctemp); - } - - kfree(cladatum->comkey); - } - kfree(datum); - return 0; -} - -static int role_destroy(void *key, void *datum, void *p) -{ - struct role_datum *role; - - kfree(key); - if (datum) { - role = datum; - ebitmap_destroy(&role->dominates); - ebitmap_destroy(&role->types); - } - kfree(datum); - return 0; -} - -static int type_destroy(void *key, void *datum, void *p) -{ - kfree(key); - kfree(datum); - return 0; -} - -static int user_destroy(void *key, void *datum, void *p) -{ - struct user_datum *usrdatum; - - kfree(key); - if (datum) { - usrdatum = datum; - ebitmap_destroy(&usrdatum->roles); - ebitmap_destroy(&usrdatum->range.level[0].cat); - ebitmap_destroy(&usrdatum->range.level[1].cat); - ebitmap_destroy(&usrdatum->dfltlevel.cat); - } - kfree(datum); - return 0; -} - -static int sens_destroy(void *key, void *datum, void *p) -{ - struct level_datum *levdatum; - - kfree(key); - if (datum) { - levdatum = datum; - ebitmap_destroy(&levdatum->level->cat); - kfree(levdatum->level); - } - kfree(datum); - return 0; -} - -static int cat_destroy(void *key, void *datum, void *p) -{ - kfree(key); - kfree(datum); - return 0; -} - -static int (*destroy_f[SYM_NUM]) (void *key, void *datum, void *datap) = -{ - common_destroy, - cls_destroy, - role_destroy, - type_destroy, - user_destroy, - cond_destroy_bool, - sens_destroy, - cat_destroy, -}; - -static int filenametr_destroy(void *key, void *datum, void *p) -{ - struct filename_trans *ft = key; - kfree(ft->name); - kfree(key); - kfree(datum); - cond_resched(); - return 0; -} - -static int range_tr_destroy(void *key, void *datum, void *p) -{ - struct mls_range *rt = datum; - kfree(key); - ebitmap_destroy(&rt->level[0].cat); - ebitmap_destroy(&rt->level[1].cat); - kfree(datum); - cond_resched(); - return 0; -} - -static void ocontext_destroy(struct ocontext *c, int i) -{ - if (!c) - return; - - context_destroy(&c->context[0]); - context_destroy(&c->context[1]); - if (i == OCON_ISID || i == OCON_FS || - i == OCON_NETIF || i == OCON_FSUSE) - kfree(c->u.name); - kfree(c); -} - -/* - * Free any memory allocated by a policy database structure. - */ -void policydb_destroy(struct policydb *p) -{ - struct ocontext *c, *ctmp; - struct genfs *g, *gtmp; - int i; - struct role_allow *ra, *lra = NULL; - struct role_trans *tr, *ltr = NULL; - - for (i = 0; i < SYM_NUM; i++) { - cond_resched(); - hashtab_map(p->symtab[i].table, destroy_f[i], NULL); - hashtab_destroy(p->symtab[i].table); - } - - for (i = 0; i < SYM_NUM; i++) { - if (p->sym_val_to_name[i]) - flex_array_free(p->sym_val_to_name[i]); - } - - kfree(p->class_val_to_struct); - kfree(p->role_val_to_struct); - kfree(p->user_val_to_struct); - if (p->type_val_to_struct_array) - flex_array_free(p->type_val_to_struct_array); - - avtab_destroy(&p->te_avtab); - - for (i = 0; i < OCON_NUM; i++) { - cond_resched(); - c = p->ocontexts[i]; - while (c) { - ctmp = c; - c = c->next; - ocontext_destroy(ctmp, i); - } - p->ocontexts[i] = NULL; - } - - g = p->genfs; - while (g) { - cond_resched(); - kfree(g->fstype); - c = g->head; - while (c) { - ctmp = c; - c = c->next; - ocontext_destroy(ctmp, OCON_FSUSE); - } - gtmp = g; - g = g->next; - kfree(gtmp); - } - p->genfs = NULL; - - cond_policydb_destroy(p); - - for (tr = p->role_tr; tr; tr = tr->next) { - cond_resched(); - kfree(ltr); - ltr = tr; - } - kfree(ltr); - - for (ra = p->role_allow; ra; ra = ra->next) { - cond_resched(); - kfree(lra); - lra = ra; - } - kfree(lra); - - hashtab_map(p->filename_trans, filenametr_destroy, NULL); - hashtab_destroy(p->filename_trans); - - hashtab_map(p->range_tr, range_tr_destroy, NULL); - hashtab_destroy(p->range_tr); - - if (p->type_attr_map_array) { - for (i = 0; i < p->p_types.nprim; i++) { - struct ebitmap *e; - - e = flex_array_get(p->type_attr_map_array, i); - if (!e) - continue; - ebitmap_destroy(e); - } - flex_array_free(p->type_attr_map_array); - } - - ebitmap_destroy(&p->filename_trans_ttypes); - ebitmap_destroy(&p->policycaps); - ebitmap_destroy(&p->permissive_map); - - return; -} - -/* - * Load the initial SIDs specified in a policy database - * structure into a SID table. - */ -int policydb_load_isids(struct policydb *p, struct sidtab *s) -{ - struct ocontext *head, *c; - int rc; - - rc = sidtab_init(s); - if (rc) { - printk(KERN_ERR "SELinux: out of memory on SID table init\n"); - goto out; - } - - head = p->ocontexts[OCON_ISID]; - for (c = head; c; c = c->next) { - rc = -EINVAL; - if (!c->context[0].user) { - printk(KERN_ERR "SELinux: SID %s was never defined.\n", - c->u.name); - goto out; - } - - rc = sidtab_insert(s, c->sid[0], &c->context[0]); - if (rc) { - printk(KERN_ERR "SELinux: unable to load initial SID %s.\n", - c->u.name); - goto out; - } - } - rc = 0; -out: - return rc; -} - -int policydb_class_isvalid(struct policydb *p, unsigned int class) -{ - if (!class || class > p->p_classes.nprim) - return 0; - return 1; -} - -int policydb_role_isvalid(struct policydb *p, unsigned int role) -{ - if (!role || role > p->p_roles.nprim) - return 0; - return 1; -} - -int policydb_type_isvalid(struct policydb *p, unsigned int type) -{ - if (!type || type > p->p_types.nprim) - return 0; - return 1; -} - -/* - * Return 1 if the fields in the security context - * structure `c' are valid. Return 0 otherwise. - */ -int policydb_context_isvalid(struct policydb *p, struct context *c) -{ - struct role_datum *role; - struct user_datum *usrdatum; - - if (!c->role || c->role > p->p_roles.nprim) - return 0; - - if (!c->user || c->user > p->p_users.nprim) - return 0; - - if (!c->type || c->type > p->p_types.nprim) - return 0; - - if (c->role != OBJECT_R_VAL) { - /* - * Role must be authorized for the type. - */ - role = p->role_val_to_struct[c->role - 1]; - if (!ebitmap_get_bit(&role->types, c->type - 1)) - /* role may not be associated with type */ - return 0; - - /* - * User must be authorized for the role. - */ - usrdatum = p->user_val_to_struct[c->user - 1]; - if (!usrdatum) - return 0; - - if (!ebitmap_get_bit(&usrdatum->roles, c->role - 1)) - /* user may not be associated with role */ - return 0; - } - - if (!mls_context_isvalid(p, c)) - return 0; - - return 1; -} - -/* - * Read a MLS range structure from a policydb binary - * representation file. - */ -static int mls_read_range_helper(struct mls_range *r, void *fp) -{ - __le32 buf[2]; - u32 items; - int rc; - - rc = next_entry(buf, fp, sizeof(u32)); - if (rc) - goto out; - - rc = -EINVAL; - items = le32_to_cpu(buf[0]); - if (items > ARRAY_SIZE(buf)) { - printk(KERN_ERR "SELinux: mls: range overflow\n"); - goto out; - } - - rc = next_entry(buf, fp, sizeof(u32) * items); - if (rc) { - printk(KERN_ERR "SELinux: mls: truncated range\n"); - goto out; - } - - r->level[0].sens = le32_to_cpu(buf[0]); - if (items > 1) - r->level[1].sens = le32_to_cpu(buf[1]); - else - r->level[1].sens = r->level[0].sens; - - rc = ebitmap_read(&r->level[0].cat, fp); - if (rc) { - printk(KERN_ERR "SELinux: mls: error reading low categories\n"); - goto out; - } - if (items > 1) { - rc = ebitmap_read(&r->level[1].cat, fp); - if (rc) { - printk(KERN_ERR "SELinux: mls: error reading high categories\n"); - goto bad_high; - } - } else { - rc = ebitmap_cpy(&r->level[1].cat, &r->level[0].cat); - if (rc) { - printk(KERN_ERR "SELinux: mls: out of memory\n"); - goto bad_high; - } - } - - return 0; -bad_high: - ebitmap_destroy(&r->level[0].cat); -out: - return rc; -} - -/* - * Read and validate a security context structure - * from a policydb binary representation file. - */ -static int context_read_and_validate(struct context *c, - struct policydb *p, - void *fp) -{ - __le32 buf[3]; - int rc; - - rc = next_entry(buf, fp, sizeof buf); - if (rc) { - printk(KERN_ERR "SELinux: context truncated\n"); - goto out; - } - c->user = le32_to_cpu(buf[0]); - c->role = le32_to_cpu(buf[1]); - c->type = le32_to_cpu(buf[2]); - if (p->policyvers >= POLICYDB_VERSION_MLS) { - rc = mls_read_range_helper(&c->range, fp); - if (rc) { - printk(KERN_ERR "SELinux: error reading MLS range of context\n"); - goto out; - } - } - - rc = -EINVAL; - if (!policydb_context_isvalid(p, c)) { - printk(KERN_ERR "SELinux: invalid security context\n"); - context_destroy(c); - goto out; - } - rc = 0; -out: - return rc; -} - -/* - * The following *_read functions are used to - * read the symbol data from a policy database - * binary representation file. - */ - -static int perm_read(struct policydb *p, struct hashtab *h, void *fp) -{ - char *key = NULL; - struct perm_datum *perdatum; - int rc; - __le32 buf[2]; - u32 len; - - rc = -ENOMEM; - perdatum = kzalloc(sizeof(*perdatum), GFP_KERNEL); - if (!perdatum) - goto bad; - - rc = next_entry(buf, fp, sizeof buf); - if (rc) - goto bad; - - len = le32_to_cpu(buf[0]); - perdatum->value = le32_to_cpu(buf[1]); - - rc = -ENOMEM; - key = kmalloc(len + 1, GFP_KERNEL); - if (!key) - goto bad; - - rc = next_entry(key, fp, len); - if (rc) - goto bad; - key[len] = '\0'; - - rc = hashtab_insert(h, key, perdatum); - if (rc) - goto bad; - - return 0; -bad: - perm_destroy(key, perdatum, NULL); - return rc; -} - -static int common_read(struct policydb *p, struct hashtab *h, void *fp) -{ - char *key = NULL; - struct common_datum *comdatum; - __le32 buf[4]; - u32 len, nel; - int i, rc; - - rc = -ENOMEM; - comdatum = kzalloc(sizeof(*comdatum), GFP_KERNEL); - if (!comdatum) - goto bad; - - rc = next_entry(buf, fp, sizeof buf); - if (rc) - goto bad; - - len = le32_to_cpu(buf[0]); - comdatum->value = le32_to_cpu(buf[1]); - - rc = symtab_init(&comdatum->permissions, PERM_SYMTAB_SIZE); - if (rc) - goto bad; - comdatum->permissions.nprim = le32_to_cpu(buf[2]); - nel = le32_to_cpu(buf[3]); - - rc = -ENOMEM; - key = kmalloc(len + 1, GFP_KERNEL); - if (!key) - goto bad; - - rc = next_entry(key, fp, len); - if (rc) - goto bad; - key[len] = '\0'; - - for (i = 0; i < nel; i++) { - rc = perm_read(p, comdatum->permissions.table, fp); - if (rc) - goto bad; - } - - rc = hashtab_insert(h, key, comdatum); - if (rc) - goto bad; - return 0; -bad: - common_destroy(key, comdatum, NULL); - return rc; -} - -static int read_cons_helper(struct constraint_node **nodep, int ncons, - int allowxtarget, void *fp) -{ - struct constraint_node *c, *lc; - struct constraint_expr *e, *le; - __le32 buf[3]; - u32 nexpr; - int rc, i, j, depth; - - lc = NULL; - for (i = 0; i < ncons; i++) { - c = kzalloc(sizeof(*c), GFP_KERNEL); - if (!c) - return -ENOMEM; - - if (lc) - lc->next = c; - else - *nodep = c; - - rc = next_entry(buf, fp, (sizeof(u32) * 2)); - if (rc) - return rc; - c->permissions = le32_to_cpu(buf[0]); - nexpr = le32_to_cpu(buf[1]); - le = NULL; - depth = -1; - for (j = 0; j < nexpr; j++) { - e = kzalloc(sizeof(*e), GFP_KERNEL); - if (!e) - return -ENOMEM; - - if (le) - le->next = e; - else - c->expr = e; - - rc = next_entry(buf, fp, (sizeof(u32) * 3)); - if (rc) - return rc; - e->expr_type = le32_to_cpu(buf[0]); - e->attr = le32_to_cpu(buf[1]); - e->op = le32_to_cpu(buf[2]); - - switch (e->expr_type) { - case CEXPR_NOT: - if (depth < 0) - return -EINVAL; - break; - case CEXPR_AND: - case CEXPR_OR: - if (depth < 1) - return -EINVAL; - depth--; - break; - case CEXPR_ATTR: - if (depth == (CEXPR_MAXDEPTH - 1)) - return -EINVAL; - depth++; - break; - case CEXPR_NAMES: - if (!allowxtarget && (e->attr & CEXPR_XTARGET)) - return -EINVAL; - if (depth == (CEXPR_MAXDEPTH - 1)) - return -EINVAL; - depth++; - rc = ebitmap_read(&e->names, fp); - if (rc) - return rc; - break; - default: - return -EINVAL; - } - le = e; - } - if (depth != 0) - return -EINVAL; - lc = c; - } - - return 0; -} - -static int class_read(struct policydb *p, struct hashtab *h, void *fp) -{ - char *key = NULL; - struct class_datum *cladatum; - __le32 buf[6]; - u32 len, len2, ncons, nel; - int i, rc; - - rc = -ENOMEM; - cladatum = kzalloc(sizeof(*cladatum), GFP_KERNEL); - if (!cladatum) - goto bad; - - rc = next_entry(buf, fp, sizeof(u32)*6); - if (rc) - goto bad; - - len = le32_to_cpu(buf[0]); - len2 = le32_to_cpu(buf[1]); - cladatum->value = le32_to_cpu(buf[2]); - - rc = symtab_init(&cladatum->permissions, PERM_SYMTAB_SIZE); - if (rc) - goto bad; - cladatum->permissions.nprim = le32_to_cpu(buf[3]); - nel = le32_to_cpu(buf[4]); - - ncons = le32_to_cpu(buf[5]); - - rc = -ENOMEM; - key = kmalloc(len + 1, GFP_KERNEL); - if (!key) - goto bad; - - rc = next_entry(key, fp, len); - if (rc) - goto bad; - key[len] = '\0'; - - if (len2) { - rc = -ENOMEM; - cladatum->comkey = kmalloc(len2 + 1, GFP_KERNEL); - if (!cladatum->comkey) - goto bad; - rc = next_entry(cladatum->comkey, fp, len2); - if (rc) - goto bad; - cladatum->comkey[len2] = '\0'; - - rc = -EINVAL; - cladatum->comdatum = hashtab_search(p->p_commons.table, cladatum->comkey); - if (!cladatum->comdatum) { - printk(KERN_ERR "SELinux: unknown common %s\n", cladatum->comkey); - goto bad; - } - } - for (i = 0; i < nel; i++) { - rc = perm_read(p, cladatum->permissions.table, fp); - if (rc) - goto bad; - } - - rc = read_cons_helper(&cladatum->constraints, ncons, 0, fp); - if (rc) - goto bad; - - if (p->policyvers >= POLICYDB_VERSION_VALIDATETRANS) { - /* grab the validatetrans rules */ - rc = next_entry(buf, fp, sizeof(u32)); - if (rc) - goto bad; - ncons = le32_to_cpu(buf[0]); - rc = read_cons_helper(&cladatum->validatetrans, ncons, 1, fp); - if (rc) - goto bad; - } - - rc = hashtab_insert(h, key, cladatum); - if (rc) - goto bad; - - return 0; -bad: - cls_destroy(key, cladatum, NULL); - return rc; -} - -static int role_read(struct policydb *p, struct hashtab *h, void *fp) -{ - char *key = NULL; - struct role_datum *role; - int rc, to_read = 2; - __le32 buf[3]; - u32 len; - - rc = -ENOMEM; - role = kzalloc(sizeof(*role), GFP_KERNEL); - if (!role) - goto bad; - - if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) - to_read = 3; - - rc = next_entry(buf, fp, sizeof(buf[0]) * to_read); - if (rc) - goto bad; - - len = le32_to_cpu(buf[0]); - role->value = le32_to_cpu(buf[1]); - if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) - role->bounds = le32_to_cpu(buf[2]); - - rc = -ENOMEM; - key = kmalloc(len + 1, GFP_KERNEL); - if (!key) - goto bad; - - rc = next_entry(key, fp, len); - if (rc) - goto bad; - key[len] = '\0'; - - rc = ebitmap_read(&role->dominates, fp); - if (rc) - goto bad; - - rc = ebitmap_read(&role->types, fp); - if (rc) - goto bad; - - if (strcmp(key, OBJECT_R) == 0) { - rc = -EINVAL; - if (role->value != OBJECT_R_VAL) { - printk(KERN_ERR "SELinux: Role %s has wrong value %d\n", - OBJECT_R, role->value); - goto bad; - } - rc = 0; - goto bad; - } - - rc = hashtab_insert(h, key, role); - if (rc) - goto bad; - return 0; -bad: - role_destroy(key, role, NULL); - return rc; -} - -static int type_read(struct policydb *p, struct hashtab *h, void *fp) -{ - char *key = NULL; - struct type_datum *typdatum; - int rc, to_read = 3; - __le32 buf[4]; - u32 len; - - rc = -ENOMEM; - typdatum = kzalloc(sizeof(*typdatum), GFP_KERNEL); - if (!typdatum) - goto bad; - - if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) - to_read = 4; - - rc = next_entry(buf, fp, sizeof(buf[0]) * to_read); - if (rc) - goto bad; - - len = le32_to_cpu(buf[0]); - typdatum->value = le32_to_cpu(buf[1]); - if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) { - u32 prop = le32_to_cpu(buf[2]); - - if (prop & TYPEDATUM_PROPERTY_PRIMARY) - typdatum->primary = 1; - if (prop & TYPEDATUM_PROPERTY_ATTRIBUTE) - typdatum->attribute = 1; - - typdatum->bounds = le32_to_cpu(buf[3]); - } else { - typdatum->primary = le32_to_cpu(buf[2]); - } - - rc = -ENOMEM; - key = kmalloc(len + 1, GFP_KERNEL); - if (!key) - goto bad; - rc = next_entry(key, fp, len); - if (rc) - goto bad; - key[len] = '\0'; - - rc = hashtab_insert(h, key, typdatum); - if (rc) - goto bad; - return 0; -bad: - type_destroy(key, typdatum, NULL); - return rc; -} - - -/* - * Read a MLS level structure from a policydb binary - * representation file. - */ -static int mls_read_level(struct mls_level *lp, void *fp) -{ - __le32 buf[1]; - int rc; - - memset(lp, 0, sizeof(*lp)); - - rc = next_entry(buf, fp, sizeof buf); - if (rc) { - printk(KERN_ERR "SELinux: mls: truncated level\n"); - return rc; - } - lp->sens = le32_to_cpu(buf[0]); - - rc = ebitmap_read(&lp->cat, fp); - if (rc) { - printk(KERN_ERR "SELinux: mls: error reading level categories\n"); - return rc; - } - return 0; -} - -static int user_read(struct policydb *p, struct hashtab *h, void *fp) -{ - char *key = NULL; - struct user_datum *usrdatum; - int rc, to_read = 2; - __le32 buf[3]; - u32 len; - - rc = -ENOMEM; - usrdatum = kzalloc(sizeof(*usrdatum), GFP_KERNEL); - if (!usrdatum) - goto bad; - - if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) - to_read = 3; - - rc = next_entry(buf, fp, sizeof(buf[0]) * to_read); - if (rc) - goto bad; - - len = le32_to_cpu(buf[0]); - usrdatum->value = le32_to_cpu(buf[1]); - if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) - usrdatum->bounds = le32_to_cpu(buf[2]); - - rc = -ENOMEM; - key = kmalloc(len + 1, GFP_KERNEL); - if (!key) - goto bad; - rc = next_entry(key, fp, len); - if (rc) - goto bad; - key[len] = '\0'; - - rc = ebitmap_read(&usrdatum->roles, fp); - if (rc) - goto bad; - - if (p->policyvers >= POLICYDB_VERSION_MLS) { - rc = mls_read_range_helper(&usrdatum->range, fp); - if (rc) - goto bad; - rc = mls_read_level(&usrdatum->dfltlevel, fp); - if (rc) - goto bad; - } - - rc = hashtab_insert(h, key, usrdatum); - if (rc) - goto bad; - return 0; -bad: - user_destroy(key, usrdatum, NULL); - return rc; -} - -static int sens_read(struct policydb *p, struct hashtab *h, void *fp) -{ - char *key = NULL; - struct level_datum *levdatum; - int rc; - __le32 buf[2]; - u32 len; - - rc = -ENOMEM; - levdatum = kzalloc(sizeof(*levdatum), GFP_ATOMIC); - if (!levdatum) - goto bad; - - rc = next_entry(buf, fp, sizeof buf); - if (rc) - goto bad; - - len = le32_to_cpu(buf[0]); - levdatum->isalias = le32_to_cpu(buf[1]); - - rc = -ENOMEM; - key = kmalloc(len + 1, GFP_ATOMIC); - if (!key) - goto bad; - rc = next_entry(key, fp, len); - if (rc) - goto bad; - key[len] = '\0'; - - rc = -ENOMEM; - levdatum->level = kmalloc(sizeof(struct mls_level), GFP_ATOMIC); - if (!levdatum->level) - goto bad; - - rc = mls_read_level(levdatum->level, fp); - if (rc) - goto bad; - - rc = hashtab_insert(h, key, levdatum); - if (rc) - goto bad; - return 0; -bad: - sens_destroy(key, levdatum, NULL); - return rc; -} - -static int cat_read(struct policydb *p, struct hashtab *h, void *fp) -{ - char *key = NULL; - struct cat_datum *catdatum; - int rc; - __le32 buf[3]; - u32 len; - - rc = -ENOMEM; - catdatum = kzalloc(sizeof(*catdatum), GFP_ATOMIC); - if (!catdatum) - goto bad; - - rc = next_entry(buf, fp, sizeof buf); - if (rc) - goto bad; - - len = le32_to_cpu(buf[0]); - catdatum->value = le32_to_cpu(buf[1]); - catdatum->isalias = le32_to_cpu(buf[2]); - - rc = -ENOMEM; - key = kmalloc(len + 1, GFP_ATOMIC); - if (!key) - goto bad; - rc = next_entry(key, fp, len); - if (rc) - goto bad; - key[len] = '\0'; - - rc = hashtab_insert(h, key, catdatum); - if (rc) - goto bad; - return 0; -bad: - cat_destroy(key, catdatum, NULL); - return rc; -} - -static int (*read_f[SYM_NUM]) (struct policydb *p, struct hashtab *h, void *fp) = -{ - common_read, - class_read, - role_read, - type_read, - user_read, - cond_read_bool, - sens_read, - cat_read, -}; - -static int user_bounds_sanity_check(void *key, void *datum, void *datap) -{ - struct user_datum *upper, *user; - struct policydb *p = datap; - int depth = 0; - - upper = user = datum; - while (upper->bounds) { - struct ebitmap_node *node; - unsigned long bit; - - if (++depth == POLICYDB_BOUNDS_MAXDEPTH) { - printk(KERN_ERR "SELinux: user %s: " - "too deep or looped boundary", - (char *) key); - return -EINVAL; - } - - upper = p->user_val_to_struct[upper->bounds - 1]; - ebitmap_for_each_positive_bit(&user->roles, node, bit) { - if (ebitmap_get_bit(&upper->roles, bit)) - continue; - - printk(KERN_ERR - "SELinux: boundary violated policy: " - "user=%s role=%s bounds=%s\n", - sym_name(p, SYM_USERS, user->value - 1), - sym_name(p, SYM_ROLES, bit), - sym_name(p, SYM_USERS, upper->value - 1)); - - return -EINVAL; - } - } - - return 0; -} - -static int role_bounds_sanity_check(void *key, void *datum, void *datap) -{ - struct role_datum *upper, *role; - struct policydb *p = datap; - int depth = 0; - - upper = role = datum; - while (upper->bounds) { - struct ebitmap_node *node; - unsigned long bit; - - if (++depth == POLICYDB_BOUNDS_MAXDEPTH) { - printk(KERN_ERR "SELinux: role %s: " - "too deep or looped bounds\n", - (char *) key); - return -EINVAL; - } - - upper = p->role_val_to_struct[upper->bounds - 1]; - ebitmap_for_each_positive_bit(&role->types, node, bit) { - if (ebitmap_get_bit(&upper->types, bit)) - continue; - - printk(KERN_ERR - "SELinux: boundary violated policy: " - "role=%s type=%s bounds=%s\n", - sym_name(p, SYM_ROLES, role->value - 1), - sym_name(p, SYM_TYPES, bit), - sym_name(p, SYM_ROLES, upper->value - 1)); - - return -EINVAL; - } - } - - return 0; -} - -static int type_bounds_sanity_check(void *key, void *datum, void *datap) -{ - struct type_datum *upper; - struct policydb *p = datap; - int depth = 0; - - upper = datum; - while (upper->bounds) { - if (++depth == POLICYDB_BOUNDS_MAXDEPTH) { - printk(KERN_ERR "SELinux: type %s: " - "too deep or looped boundary\n", - (char *) key); - return -EINVAL; - } - - upper = flex_array_get_ptr(p->type_val_to_struct_array, - upper->bounds - 1); - BUG_ON(!upper); - - if (upper->attribute) { - printk(KERN_ERR "SELinux: type %s: " - "bounded by attribute %s", - (char *) key, - sym_name(p, SYM_TYPES, upper->value - 1)); - return -EINVAL; - } - } - - return 0; -} - -static int policydb_bounds_sanity_check(struct policydb *p) -{ - int rc; - - if (p->policyvers < POLICYDB_VERSION_BOUNDARY) - return 0; - - rc = hashtab_map(p->p_users.table, - user_bounds_sanity_check, p); - if (rc) - return rc; - - rc = hashtab_map(p->p_roles.table, - role_bounds_sanity_check, p); - if (rc) - return rc; - - rc = hashtab_map(p->p_types.table, - type_bounds_sanity_check, p); - if (rc) - return rc; - - return 0; -} - -u16 string_to_security_class(struct policydb *p, const char *name) -{ - struct class_datum *cladatum; - - cladatum = hashtab_search(p->p_classes.table, name); - if (!cladatum) - return 0; - - return cladatum->value; -} - -u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name) -{ - struct class_datum *cladatum; - struct perm_datum *perdatum = NULL; - struct common_datum *comdatum; - - if (!tclass || tclass > p->p_classes.nprim) - return 0; - - cladatum = p->class_val_to_struct[tclass-1]; - comdatum = cladatum->comdatum; - if (comdatum) - perdatum = hashtab_search(comdatum->permissions.table, - name); - if (!perdatum) - perdatum = hashtab_search(cladatum->permissions.table, - name); - if (!perdatum) - return 0; - - return 1U << (perdatum->value-1); -} - -static int range_read(struct policydb *p, void *fp) -{ - struct range_trans *rt = NULL; - struct mls_range *r = NULL; - int i, rc; - __le32 buf[2]; - u32 nel; - - if (p->policyvers < POLICYDB_VERSION_MLS) - return 0; - - rc = next_entry(buf, fp, sizeof(u32)); - if (rc) - goto out; - - nel = le32_to_cpu(buf[0]); - for (i = 0; i < nel; i++) { - rc = -ENOMEM; - rt = kzalloc(sizeof(*rt), GFP_KERNEL); - if (!rt) - goto out; - - rc = next_entry(buf, fp, (sizeof(u32) * 2)); - if (rc) - goto out; - - rt->source_type = le32_to_cpu(buf[0]); - rt->target_type = le32_to_cpu(buf[1]); - if (p->policyvers >= POLICYDB_VERSION_RANGETRANS) { - rc = next_entry(buf, fp, sizeof(u32)); - if (rc) - goto out; - rt->target_class = le32_to_cpu(buf[0]); - } else - rt->target_class = p->process_class; - - rc = -EINVAL; - if (!policydb_type_isvalid(p, rt->source_type) || - !policydb_type_isvalid(p, rt->target_type) || - !policydb_class_isvalid(p, rt->target_class)) - goto out; - - rc = -ENOMEM; - r = kzalloc(sizeof(*r), GFP_KERNEL); - if (!r) - goto out; - - rc = mls_read_range_helper(r, fp); - if (rc) - goto out; - - rc = -EINVAL; - if (!mls_range_isvalid(p, r)) { - printk(KERN_WARNING "SELinux: rangetrans: invalid range\n"); - goto out; - } - - rc = hashtab_insert(p->range_tr, rt, r); - if (rc) - goto out; - - rt = NULL; - r = NULL; - } - hash_eval(p->range_tr, "rangetr"); - rc = 0; -out: - kfree(rt); - kfree(r); - return rc; -} - -static int filename_trans_read(struct policydb *p, void *fp) -{ - struct filename_trans *ft; - struct filename_trans_datum *otype; - char *name; - u32 nel, len; - __le32 buf[4]; - int rc, i; - - if (p->policyvers < POLICYDB_VERSION_FILENAME_TRANS) - return 0; - - rc = next_entry(buf, fp, sizeof(u32)); - if (rc) - return rc; - nel = le32_to_cpu(buf[0]); - - for (i = 0; i < nel; i++) { - ft = NULL; - otype = NULL; - name = NULL; - - rc = -ENOMEM; - ft = kzalloc(sizeof(*ft), GFP_KERNEL); - if (!ft) - goto out; - - rc = -ENOMEM; - otype = kmalloc(sizeof(*otype), GFP_KERNEL); - if (!otype) - goto out; - - /* length of the path component string */ - rc = next_entry(buf, fp, sizeof(u32)); - if (rc) - goto out; - len = le32_to_cpu(buf[0]); - - rc = -ENOMEM; - name = kmalloc(len + 1, GFP_KERNEL); - if (!name) - goto out; - - ft->name = name; - - /* path component string */ - rc = next_entry(name, fp, len); - if (rc) - goto out; - name[len] = 0; - - rc = next_entry(buf, fp, sizeof(u32) * 4); - if (rc) - goto out; - - ft->stype = le32_to_cpu(buf[0]); - ft->ttype = le32_to_cpu(buf[1]); - ft->tclass = le32_to_cpu(buf[2]); - - otype->otype = le32_to_cpu(buf[3]); - - rc = ebitmap_set_bit(&p->filename_trans_ttypes, ft->ttype, 1); - if (rc) - goto out; - - hashtab_insert(p->filename_trans, ft, otype); - } - hash_eval(p->filename_trans, "filenametr"); - return 0; -out: - kfree(ft); - kfree(name); - kfree(otype); - - return rc; -} - -static int genfs_read(struct policydb *p, void *fp) -{ - int i, j, rc; - u32 nel, nel2, len, len2; - __le32 buf[1]; - struct ocontext *l, *c; - struct ocontext *newc = NULL; - struct genfs *genfs_p, *genfs; - struct genfs *newgenfs = NULL; - - rc = next_entry(buf, fp, sizeof(u32)); - if (rc) - goto out; - nel = le32_to_cpu(buf[0]); - - for (i = 0; i < nel; i++) { - rc = next_entry(buf, fp, sizeof(u32)); - if (rc) - goto out; - len = le32_to_cpu(buf[0]); - - rc = -ENOMEM; - newgenfs = kzalloc(sizeof(*newgenfs), GFP_KERNEL); - if (!newgenfs) - goto out; - - rc = -ENOMEM; - newgenfs->fstype = kmalloc(len + 1, GFP_KERNEL); - if (!newgenfs->fstype) - goto out; - - rc = next_entry(newgenfs->fstype, fp, len); - if (rc) - goto out; - - newgenfs->fstype[len] = 0; - - for (genfs_p = NULL, genfs = p->genfs; genfs; - genfs_p = genfs, genfs = genfs->next) { - rc = -EINVAL; - if (strcmp(newgenfs->fstype, genfs->fstype) == 0) { - printk(KERN_ERR "SELinux: dup genfs fstype %s\n", - newgenfs->fstype); - goto out; - } - if (strcmp(newgenfs->fstype, genfs->fstype) < 0) - break; - } - newgenfs->next = genfs; - if (genfs_p) - genfs_p->next = newgenfs; - else - p->genfs = newgenfs; - genfs = newgenfs; - newgenfs = NULL; - - rc = next_entry(buf, fp, sizeof(u32)); - if (rc) - goto out; - - nel2 = le32_to_cpu(buf[0]); - for (j = 0; j < nel2; j++) { - rc = next_entry(buf, fp, sizeof(u32)); - if (rc) - goto out; - len = le32_to_cpu(buf[0]); - - rc = -ENOMEM; - newc = kzalloc(sizeof(*newc), GFP_KERNEL); - if (!newc) - goto out; - - rc = -ENOMEM; - newc->u.name = kmalloc(len + 1, GFP_KERNEL); - if (!newc->u.name) - goto out; - - rc = next_entry(newc->u.name, fp, len); - if (rc) - goto out; - newc->u.name[len] = 0; - - rc = next_entry(buf, fp, sizeof(u32)); - if (rc) - goto out; - - newc->v.sclass = le32_to_cpu(buf[0]); - rc = context_read_and_validate(&newc->context[0], p, fp); - if (rc) - goto out; - - for (l = NULL, c = genfs->head; c; - l = c, c = c->next) { - rc = -EINVAL; - if (!strcmp(newc->u.name, c->u.name) && - (!c->v.sclass || !newc->v.sclass || - newc->v.sclass == c->v.sclass)) { - printk(KERN_ERR "SELinux: dup genfs entry (%s,%s)\n", - genfs->fstype, c->u.name); - goto out; - } - len = strlen(newc->u.name); - len2 = strlen(c->u.name); - if (len > len2) - break; - } - - newc->next = c; - if (l) - l->next = newc; - else - genfs->head = newc; - newc = NULL; - } - } - rc = 0; -out: - if (newgenfs) - kfree(newgenfs->fstype); - kfree(newgenfs); - ocontext_destroy(newc, OCON_FSUSE); - - return rc; -} - -static int ocontext_read(struct policydb *p, struct policydb_compat_info *info, - void *fp) -{ - int i, j, rc; - u32 nel, len; - __le32 buf[3]; - struct ocontext *l, *c; - u32 nodebuf[8]; - - for (i = 0; i < info->ocon_num; i++) { - rc = next_entry(buf, fp, sizeof(u32)); - if (rc) - goto out; - nel = le32_to_cpu(buf[0]); - - l = NULL; - for (j = 0; j < nel; j++) { - rc = -ENOMEM; - c = kzalloc(sizeof(*c), GFP_KERNEL); - if (!c) - goto out; - if (l) - l->next = c; - else - p->ocontexts[i] = c; - l = c; - - switch (i) { - case OCON_ISID: - rc = next_entry(buf, fp, sizeof(u32)); - if (rc) - goto out; - - c->sid[0] = le32_to_cpu(buf[0]); - rc = context_read_and_validate(&c->context[0], p, fp); - if (rc) - goto out; - break; - case OCON_FS: - case OCON_NETIF: - rc = next_entry(buf, fp, sizeof(u32)); - if (rc) - goto out; - len = le32_to_cpu(buf[0]); - - rc = -ENOMEM; - c->u.name = kmalloc(len + 1, GFP_KERNEL); - if (!c->u.name) - goto out; - - rc = next_entry(c->u.name, fp, len); - if (rc) - goto out; - - c->u.name[len] = 0; - rc = context_read_and_validate(&c->context[0], p, fp); - if (rc) - goto out; - rc = context_read_and_validate(&c->context[1], p, fp); - if (rc) - goto out; - break; - case OCON_PORT: - rc = next_entry(buf, fp, sizeof(u32)*3); - if (rc) - goto out; - c->u.port.protocol = le32_to_cpu(buf[0]); - c->u.port.low_port = le32_to_cpu(buf[1]); - c->u.port.high_port = le32_to_cpu(buf[2]); - rc = context_read_and_validate(&c->context[0], p, fp); - if (rc) - goto out; - break; - case OCON_NODE: - rc = next_entry(nodebuf, fp, sizeof(u32) * 2); - if (rc) - goto out; - c->u.node.addr = nodebuf[0]; /* network order */ - c->u.node.mask = nodebuf[1]; /* network order */ - rc = context_read_and_validate(&c->context[0], p, fp); - if (rc) - goto out; - break; - case OCON_FSUSE: - rc = next_entry(buf, fp, sizeof(u32)*2); - if (rc) - goto out; - - rc = -EINVAL; - c->v.behavior = le32_to_cpu(buf[0]); - if (c->v.behavior > SECURITY_FS_USE_NONE) - goto out; - - rc = -ENOMEM; - len = le32_to_cpu(buf[1]); - c->u.name = kmalloc(len + 1, GFP_KERNEL); - if (!c->u.name) - goto out; - - rc = next_entry(c->u.name, fp, len); - if (rc) - goto out; - c->u.name[len] = 0; - rc = context_read_and_validate(&c->context[0], p, fp); - if (rc) - goto out; - break; - case OCON_NODE6: { - int k; - - rc = next_entry(nodebuf, fp, sizeof(u32) * 8); - if (rc) - goto out; - for (k = 0; k < 4; k++) - c->u.node6.addr[k] = nodebuf[k]; - for (k = 0; k < 4; k++) - c->u.node6.mask[k] = nodebuf[k+4]; - rc = context_read_and_validate(&c->context[0], p, fp); - if (rc) - goto out; - break; - } - } - } - } - rc = 0; -out: - return rc; -} - -/* - * Read the configuration data from a policy database binary - * representation file into a policy database structure. - */ -int policydb_read(struct policydb *p, void *fp) -{ - struct role_allow *ra, *lra; - struct role_trans *tr, *ltr; - int i, j, rc; - __le32 buf[4]; - u32 len, nprim, nel; - - char *policydb_str; - struct policydb_compat_info *info; - - rc = policydb_init(p); - if (rc) - return rc; - - /* Read the magic number and string length. */ - rc = next_entry(buf, fp, sizeof(u32) * 2); - if (rc) - goto bad; - - rc = -EINVAL; - if (le32_to_cpu(buf[0]) != POLICYDB_MAGIC) { - printk(KERN_ERR "SELinux: policydb magic number 0x%x does " - "not match expected magic number 0x%x\n", - le32_to_cpu(buf[0]), POLICYDB_MAGIC); - goto bad; - } - - rc = -EINVAL; - len = le32_to_cpu(buf[1]); - if (len != strlen(POLICYDB_STRING)) { - printk(KERN_ERR "SELinux: policydb string length %d does not " - "match expected length %Zu\n", - len, strlen(POLICYDB_STRING)); - goto bad; - } - - rc = -ENOMEM; - policydb_str = kmalloc(len + 1, GFP_KERNEL); - if (!policydb_str) { - printk(KERN_ERR "SELinux: unable to allocate memory for policydb " - "string of length %d\n", len); - goto bad; - } - - rc = next_entry(policydb_str, fp, len); - if (rc) { - printk(KERN_ERR "SELinux: truncated policydb string identifier\n"); - kfree(policydb_str); - goto bad; - } - - rc = -EINVAL; - policydb_str[len] = '\0'; - if (strcmp(policydb_str, POLICYDB_STRING)) { - printk(KERN_ERR "SELinux: policydb string %s does not match " - "my string %s\n", policydb_str, POLICYDB_STRING); - kfree(policydb_str); - goto bad; - } - /* Done with policydb_str. */ - kfree(policydb_str); - policydb_str = NULL; - - /* Read the version and table sizes. */ - rc = next_entry(buf, fp, sizeof(u32)*4); - if (rc) - goto bad; - - rc = -EINVAL; - p->policyvers = le32_to_cpu(buf[0]); - if (p->policyvers < POLICYDB_VERSION_MIN || - p->policyvers > POLICYDB_VERSION_MAX) { - printk(KERN_ERR "SELinux: policydb version %d does not match " - "my version range %d-%d\n", - le32_to_cpu(buf[0]), POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX); - goto bad; - } - - if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_MLS)) { - p->mls_enabled = 1; - - rc = -EINVAL; - if (p->policyvers < POLICYDB_VERSION_MLS) { - printk(KERN_ERR "SELinux: security policydb version %d " - "(MLS) not backwards compatible\n", - p->policyvers); - goto bad; - } - } - p->reject_unknown = !!(le32_to_cpu(buf[1]) & REJECT_UNKNOWN); - p->allow_unknown = !!(le32_to_cpu(buf[1]) & ALLOW_UNKNOWN); - - if (p->policyvers >= POLICYDB_VERSION_POLCAP) { - rc = ebitmap_read(&p->policycaps, fp); - if (rc) - goto bad; - } - - if (p->policyvers >= POLICYDB_VERSION_PERMISSIVE) { - rc = ebitmap_read(&p->permissive_map, fp); - if (rc) - goto bad; - } - - rc = -EINVAL; - info = policydb_lookup_compat(p->policyvers); - if (!info) { - printk(KERN_ERR "SELinux: unable to find policy compat info " - "for version %d\n", p->policyvers); - goto bad; - } - - rc = -EINVAL; - if (le32_to_cpu(buf[2]) != info->sym_num || - le32_to_cpu(buf[3]) != info->ocon_num) { - printk(KERN_ERR "SELinux: policydb table sizes (%d,%d) do " - "not match mine (%d,%d)\n", le32_to_cpu(buf[2]), - le32_to_cpu(buf[3]), - info->sym_num, info->ocon_num); - goto bad; - } - - for (i = 0; i < info->sym_num; i++) { - rc = next_entry(buf, fp, sizeof(u32)*2); - if (rc) - goto bad; - nprim = le32_to_cpu(buf[0]); - nel = le32_to_cpu(buf[1]); - for (j = 0; j < nel; j++) { - rc = read_f[i](p, p->symtab[i].table, fp); - if (rc) - goto bad; - } - - p->symtab[i].nprim = nprim; - } - - rc = -EINVAL; - p->process_class = string_to_security_class(p, "process"); - if (!p->process_class) - goto bad; - - rc = avtab_read(&p->te_avtab, fp, p); - if (rc) - goto bad; - - if (p->policyvers >= POLICYDB_VERSION_BOOL) { - rc = cond_read_list(p, fp); - if (rc) - goto bad; - } - - rc = next_entry(buf, fp, sizeof(u32)); - if (rc) - goto bad; - nel = le32_to_cpu(buf[0]); - ltr = NULL; - for (i = 0; i < nel; i++) { - rc = -ENOMEM; - tr = kzalloc(sizeof(*tr), GFP_KERNEL); - if (!tr) - goto bad; - if (ltr) - ltr->next = tr; - else - p->role_tr = tr; - rc = next_entry(buf, fp, sizeof(u32)*3); - if (rc) - goto bad; - - rc = -EINVAL; - tr->role = le32_to_cpu(buf[0]); - tr->type = le32_to_cpu(buf[1]); - tr->new_role = le32_to_cpu(buf[2]); - if (p->policyvers >= POLICYDB_VERSION_ROLETRANS) { - rc = next_entry(buf, fp, sizeof(u32)); - if (rc) - goto bad; - tr->tclass = le32_to_cpu(buf[0]); - } else - tr->tclass = p->process_class; - - if (!policydb_role_isvalid(p, tr->role) || - !policydb_type_isvalid(p, tr->type) || - !policydb_class_isvalid(p, tr->tclass) || - !policydb_role_isvalid(p, tr->new_role)) - goto bad; - ltr = tr; - } - - rc = next_entry(buf, fp, sizeof(u32)); - if (rc) - goto bad; - nel = le32_to_cpu(buf[0]); - lra = NULL; - for (i = 0; i < nel; i++) { - rc = -ENOMEM; - ra = kzalloc(sizeof(*ra), GFP_KERNEL); - if (!ra) - goto bad; - if (lra) - lra->next = ra; - else - p->role_allow = ra; - rc = next_entry(buf, fp, sizeof(u32)*2); - if (rc) - goto bad; - - rc = -EINVAL; - ra->role = le32_to_cpu(buf[0]); - ra->new_role = le32_to_cpu(buf[1]); - if (!policydb_role_isvalid(p, ra->role) || - !policydb_role_isvalid(p, ra->new_role)) - goto bad; - lra = ra; - } - - rc = filename_trans_read(p, fp); - if (rc) - goto bad; - - rc = policydb_index(p); - if (rc) - goto bad; - - rc = -EINVAL; - p->process_trans_perms = string_to_av_perm(p, p->process_class, "transition"); - p->process_trans_perms |= string_to_av_perm(p, p->process_class, "dyntransition"); - if (!p->process_trans_perms) - goto bad; - - rc = ocontext_read(p, info, fp); - if (rc) - goto bad; - - rc = genfs_read(p, fp); - if (rc) - goto bad; - - rc = range_read(p, fp); - if (rc) - goto bad; - - rc = -ENOMEM; - p->type_attr_map_array = flex_array_alloc(sizeof(struct ebitmap), - p->p_types.nprim, - GFP_KERNEL | __GFP_ZERO); - if (!p->type_attr_map_array) - goto bad; - - /* preallocate so we don't have to worry about the put ever failing */ - rc = flex_array_prealloc(p->type_attr_map_array, 0, p->p_types.nprim, - GFP_KERNEL | __GFP_ZERO); - if (rc) - goto bad; - - for (i = 0; i < p->p_types.nprim; i++) { - struct ebitmap *e = flex_array_get(p->type_attr_map_array, i); - - BUG_ON(!e); - ebitmap_init(e); - if (p->policyvers >= POLICYDB_VERSION_AVTAB) { - rc = ebitmap_read(e, fp); - if (rc) - goto bad; - } - /* add the type itself as the degenerate case */ - rc = ebitmap_set_bit(e, i, 1); - if (rc) - goto bad; - } - - rc = policydb_bounds_sanity_check(p); - if (rc) - goto bad; - - rc = 0; -out: - return rc; -bad: - policydb_destroy(p); - goto out; -} - -/* - * Write a MLS level structure to a policydb binary - * representation file. - */ -static int mls_write_level(struct mls_level *l, void *fp) -{ - __le32 buf[1]; - int rc; - - buf[0] = cpu_to_le32(l->sens); - rc = put_entry(buf, sizeof(u32), 1, fp); - if (rc) - return rc; - - rc = ebitmap_write(&l->cat, fp); - if (rc) - return rc; - - return 0; -} - -/* - * Write a MLS range structure to a policydb binary - * representation file. - */ -static int mls_write_range_helper(struct mls_range *r, void *fp) -{ - __le32 buf[3]; - size_t items; - int rc, eq; - - eq = mls_level_eq(&r->level[1], &r->level[0]); - - if (eq) - items = 2; - else - items = 3; - buf[0] = cpu_to_le32(items-1); - buf[1] = cpu_to_le32(r->level[0].sens); - if (!eq) - buf[2] = cpu_to_le32(r->level[1].sens); - - BUG_ON(items > (sizeof(buf)/sizeof(buf[0]))); - - rc = put_entry(buf, sizeof(u32), items, fp); - if (rc) - return rc; - - rc = ebitmap_write(&r->level[0].cat, fp); - if (rc) - return rc; - if (!eq) { - rc = ebitmap_write(&r->level[1].cat, fp); - if (rc) - return rc; - } - - return 0; -} - -static int sens_write(void *vkey, void *datum, void *ptr) -{ - char *key = vkey; - struct level_datum *levdatum = datum; - struct policy_data *pd = ptr; - void *fp = pd->fp; - __le32 buf[2]; - size_t len; - int rc; - - len = strlen(key); - buf[0] = cpu_to_le32(len); - buf[1] = cpu_to_le32(levdatum->isalias); - rc = put_entry(buf, sizeof(u32), 2, fp); - if (rc) - return rc; - - rc = put_entry(key, 1, len, fp); - if (rc) - return rc; - - rc = mls_write_level(levdatum->level, fp); - if (rc) - return rc; - - return 0; -} - -static int cat_write(void *vkey, void *datum, void *ptr) -{ - char *key = vkey; - struct cat_datum *catdatum = datum; - struct policy_data *pd = ptr; - void *fp = pd->fp; - __le32 buf[3]; - size_t len; - int rc; - - len = strlen(key); - buf[0] = cpu_to_le32(len); - buf[1] = cpu_to_le32(catdatum->value); - buf[2] = cpu_to_le32(catdatum->isalias); - rc = put_entry(buf, sizeof(u32), 3, fp); - if (rc) - return rc; - - rc = put_entry(key, 1, len, fp); - if (rc) - return rc; - - return 0; -} - -static int role_trans_write(struct policydb *p, void *fp) -{ - struct role_trans *r = p->role_tr; - struct role_trans *tr; - u32 buf[3]; - size_t nel; - int rc; - - nel = 0; - for (tr = r; tr; tr = tr->next) - nel++; - buf[0] = cpu_to_le32(nel); - rc = put_entry(buf, sizeof(u32), 1, fp); - if (rc) - return rc; - for (tr = r; tr; tr = tr->next) { - buf[0] = cpu_to_le32(tr->role); - buf[1] = cpu_to_le32(tr->type); - buf[2] = cpu_to_le32(tr->new_role); - rc = put_entry(buf, sizeof(u32), 3, fp); - if (rc) - return rc; - if (p->policyvers >= POLICYDB_VERSION_ROLETRANS) { - buf[0] = cpu_to_le32(tr->tclass); - rc = put_entry(buf, sizeof(u32), 1, fp); - if (rc) - return rc; - } - } - - return 0; -} - -static int role_allow_write(struct role_allow *r, void *fp) -{ - struct role_allow *ra; - u32 buf[2]; - size_t nel; - int rc; - - nel = 0; - for (ra = r; ra; ra = ra->next) - nel++; - buf[0] = cpu_to_le32(nel); - rc = put_entry(buf, sizeof(u32), 1, fp); - if (rc) - return rc; - for (ra = r; ra; ra = ra->next) { - buf[0] = cpu_to_le32(ra->role); - buf[1] = cpu_to_le32(ra->new_role); - rc = put_entry(buf, sizeof(u32), 2, fp); - if (rc) - return rc; - } - return 0; -} - -/* - * Write a security context structure - * to a policydb binary representation file. - */ -static int context_write(struct policydb *p, struct context *c, - void *fp) -{ - int rc; - __le32 buf[3]; - - buf[0] = cpu_to_le32(c->user); - buf[1] = cpu_to_le32(c->role); - buf[2] = cpu_to_le32(c->type); - - rc = put_entry(buf, sizeof(u32), 3, fp); - if (rc) - return rc; - - rc = mls_write_range_helper(&c->range, fp); - if (rc) - return rc; - - return 0; -} - -/* - * The following *_write functions are used to - * write the symbol data to a policy database - * binary representation file. - */ - -static int perm_write(void *vkey, void *datum, void *fp) -{ - char *key = vkey; - struct perm_datum *perdatum = datum; - __le32 buf[2]; - size_t len; - int rc; - - len = strlen(key); - buf[0] = cpu_to_le32(len); - buf[1] = cpu_to_le32(perdatum->value); - rc = put_entry(buf, sizeof(u32), 2, fp); - if (rc) - return rc; - - rc = put_entry(key, 1, len, fp); - if (rc) - return rc; - - return 0; -} - -static int common_write(void *vkey, void *datum, void *ptr) -{ - char *key = vkey; - struct common_datum *comdatum = datum; - struct policy_data *pd = ptr; - void *fp = pd->fp; - __le32 buf[4]; - size_t len; - int rc; - - len = strlen(key); - buf[0] = cpu_to_le32(len); - buf[1] = cpu_to_le32(comdatum->value); - buf[2] = cpu_to_le32(comdatum->permissions.nprim); - buf[3] = cpu_to_le32(comdatum->permissions.table->nel); - rc = put_entry(buf, sizeof(u32), 4, fp); - if (rc) - return rc; - - rc = put_entry(key, 1, len, fp); - if (rc) - return rc; - - rc = hashtab_map(comdatum->permissions.table, perm_write, fp); - if (rc) - return rc; - - return 0; -} - -static int write_cons_helper(struct policydb *p, struct constraint_node *node, - void *fp) -{ - struct constraint_node *c; - struct constraint_expr *e; - __le32 buf[3]; - u32 nel; - int rc; - - for (c = node; c; c = c->next) { - nel = 0; - for (e = c->expr; e; e = e->next) - nel++; - buf[0] = cpu_to_le32(c->permissions); - buf[1] = cpu_to_le32(nel); - rc = put_entry(buf, sizeof(u32), 2, fp); - if (rc) - return rc; - for (e = c->expr; e; e = e->next) { - buf[0] = cpu_to_le32(e->expr_type); - buf[1] = cpu_to_le32(e->attr); - buf[2] = cpu_to_le32(e->op); - rc = put_entry(buf, sizeof(u32), 3, fp); - if (rc) - return rc; - - switch (e->expr_type) { - case CEXPR_NAMES: - rc = ebitmap_write(&e->names, fp); - if (rc) - return rc; - break; - default: - break; - } - } - } - - return 0; -} - -static int class_write(void *vkey, void *datum, void *ptr) -{ - char *key = vkey; - struct class_datum *cladatum = datum; - struct policy_data *pd = ptr; - void *fp = pd->fp; - struct policydb *p = pd->p; - struct constraint_node *c; - __le32 buf[6]; - u32 ncons; - size_t len, len2; - int rc; - - len = strlen(key); - if (cladatum->comkey) - len2 = strlen(cladatum->comkey); - else - len2 = 0; - - ncons = 0; - for (c = cladatum->constraints; c; c = c->next) - ncons++; - - buf[0] = cpu_to_le32(len); - buf[1] = cpu_to_le32(len2); - buf[2] = cpu_to_le32(cladatum->value); - buf[3] = cpu_to_le32(cladatum->permissions.nprim); - if (cladatum->permissions.table) - buf[4] = cpu_to_le32(cladatum->permissions.table->nel); - else - buf[4] = 0; - buf[5] = cpu_to_le32(ncons); - rc = put_entry(buf, sizeof(u32), 6, fp); - if (rc) - return rc; - - rc = put_entry(key, 1, len, fp); - if (rc) - return rc; - - if (cladatum->comkey) { - rc = put_entry(cladatum->comkey, 1, len2, fp); - if (rc) - return rc; - } - - rc = hashtab_map(cladatum->permissions.table, perm_write, fp); - if (rc) - return rc; - - rc = write_cons_helper(p, cladatum->constraints, fp); - if (rc) - return rc; - - /* write out the validatetrans rule */ - ncons = 0; - for (c = cladatum->validatetrans; c; c = c->next) - ncons++; - - buf[0] = cpu_to_le32(ncons); - rc = put_entry(buf, sizeof(u32), 1, fp); - if (rc) - return rc; - - rc = write_cons_helper(p, cladatum->validatetrans, fp); - if (rc) - return rc; - - return 0; -} - -static int role_write(void *vkey, void *datum, void *ptr) -{ - char *key = vkey; - struct role_datum *role = datum; - struct policy_data *pd = ptr; - void *fp = pd->fp; - struct policydb *p = pd->p; - __le32 buf[3]; - size_t items, len; - int rc; - - len = strlen(key); - items = 0; - buf[items++] = cpu_to_le32(len); - buf[items++] = cpu_to_le32(role->value); - if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) - buf[items++] = cpu_to_le32(role->bounds); - - BUG_ON(items > (sizeof(buf)/sizeof(buf[0]))); - - rc = put_entry(buf, sizeof(u32), items, fp); - if (rc) - return rc; - - rc = put_entry(key, 1, len, fp); - if (rc) - return rc; - - rc = ebitmap_write(&role->dominates, fp); - if (rc) - return rc; - - rc = ebitmap_write(&role->types, fp); - if (rc) - return rc; - - return 0; -} - -static int type_write(void *vkey, void *datum, void *ptr) -{ - char *key = vkey; - struct type_datum *typdatum = datum; - struct policy_data *pd = ptr; - struct policydb *p = pd->p; - void *fp = pd->fp; - __le32 buf[4]; - int rc; - size_t items, len; - - len = strlen(key); - items = 0; - buf[items++] = cpu_to_le32(len); - buf[items++] = cpu_to_le32(typdatum->value); - if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) { - u32 properties = 0; - - if (typdatum->primary) - properties |= TYPEDATUM_PROPERTY_PRIMARY; - - if (typdatum->attribute) - properties |= TYPEDATUM_PROPERTY_ATTRIBUTE; - - buf[items++] = cpu_to_le32(properties); - buf[items++] = cpu_to_le32(typdatum->bounds); - } else { - buf[items++] = cpu_to_le32(typdatum->primary); - } - BUG_ON(items > (sizeof(buf) / sizeof(buf[0]))); - rc = put_entry(buf, sizeof(u32), items, fp); - if (rc) - return rc; - - rc = put_entry(key, 1, len, fp); - if (rc) - return rc; - - return 0; -} - -static int user_write(void *vkey, void *datum, void *ptr) -{ - char *key = vkey; - struct user_datum *usrdatum = datum; - struct policy_data *pd = ptr; - struct policydb *p = pd->p; - void *fp = pd->fp; - __le32 buf[3]; - size_t items, len; - int rc; - - len = strlen(key); - items = 0; - buf[items++] = cpu_to_le32(len); - buf[items++] = cpu_to_le32(usrdatum->value); - if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) - buf[items++] = cpu_to_le32(usrdatum->bounds); - BUG_ON(items > (sizeof(buf) / sizeof(buf[0]))); - rc = put_entry(buf, sizeof(u32), items, fp); - if (rc) - return rc; - - rc = put_entry(key, 1, len, fp); - if (rc) - return rc; - - rc = ebitmap_write(&usrdatum->roles, fp); - if (rc) - return rc; - - rc = mls_write_range_helper(&usrdatum->range, fp); - if (rc) - return rc; - - rc = mls_write_level(&usrdatum->dfltlevel, fp); - if (rc) - return rc; - - return 0; -} - -static int (*write_f[SYM_NUM]) (void *key, void *datum, - void *datap) = -{ - common_write, - class_write, - role_write, - type_write, - user_write, - cond_write_bool, - sens_write, - cat_write, -}; - -static int ocontext_write(struct policydb *p, struct policydb_compat_info *info, - void *fp) -{ - unsigned int i, j, rc; - size_t nel, len; - __le32 buf[3]; - u32 nodebuf[8]; - struct ocontext *c; - for (i = 0; i < info->ocon_num; i++) { - nel = 0; - for (c = p->ocontexts[i]; c; c = c->next) - nel++; - buf[0] = cpu_to_le32(nel); - rc = put_entry(buf, sizeof(u32), 1, fp); - if (rc) - return rc; - for (c = p->ocontexts[i]; c; c = c->next) { - switch (i) { - case OCON_ISID: - buf[0] = cpu_to_le32(c->sid[0]); - rc = put_entry(buf, sizeof(u32), 1, fp); - if (rc) - return rc; - rc = context_write(p, &c->context[0], fp); - if (rc) - return rc; - break; - case OCON_FS: - case OCON_NETIF: - len = strlen(c->u.name); - buf[0] = cpu_to_le32(len); - rc = put_entry(buf, sizeof(u32), 1, fp); - if (rc) - return rc; - rc = put_entry(c->u.name, 1, len, fp); - if (rc) - return rc; - rc = context_write(p, &c->context[0], fp); - if (rc) - return rc; - rc = context_write(p, &c->context[1], fp); - if (rc) - return rc; - break; - case OCON_PORT: - buf[0] = cpu_to_le32(c->u.port.protocol); - buf[1] = cpu_to_le32(c->u.port.low_port); - buf[2] = cpu_to_le32(c->u.port.high_port); - rc = put_entry(buf, sizeof(u32), 3, fp); - if (rc) - return rc; - rc = context_write(p, &c->context[0], fp); - if (rc) - return rc; - break; - case OCON_NODE: - nodebuf[0] = c->u.node.addr; /* network order */ - nodebuf[1] = c->u.node.mask; /* network order */ - rc = put_entry(nodebuf, sizeof(u32), 2, fp); - if (rc) - return rc; - rc = context_write(p, &c->context[0], fp); - if (rc) - return rc; - break; - case OCON_FSUSE: - buf[0] = cpu_to_le32(c->v.behavior); - len = strlen(c->u.name); - buf[1] = cpu_to_le32(len); - rc = put_entry(buf, sizeof(u32), 2, fp); - if (rc) - return rc; - rc = put_entry(c->u.name, 1, len, fp); - if (rc) - return rc; - rc = context_write(p, &c->context[0], fp); - if (rc) - return rc; - break; - case OCON_NODE6: - for (j = 0; j < 4; j++) - nodebuf[j] = c->u.node6.addr[j]; /* network order */ - for (j = 0; j < 4; j++) - nodebuf[j + 4] = c->u.node6.mask[j]; /* network order */ - rc = put_entry(nodebuf, sizeof(u32), 8, fp); - if (rc) - return rc; - rc = context_write(p, &c->context[0], fp); - if (rc) - return rc; - break; - } - } - } - return 0; -} - -static int genfs_write(struct policydb *p, void *fp) -{ - struct genfs *genfs; - struct ocontext *c; - size_t len; - __le32 buf[1]; - int rc; - - len = 0; - for (genfs = p->genfs; genfs; genfs = genfs->next) - len++; - buf[0] = cpu_to_le32(len); - rc = put_entry(buf, sizeof(u32), 1, fp); - if (rc) - return rc; - for (genfs = p->genfs; genfs; genfs = genfs->next) { - len = strlen(genfs->fstype); - buf[0] = cpu_to_le32(len); - rc = put_entry(buf, sizeof(u32), 1, fp); - if (rc) - return rc; - rc = put_entry(genfs->fstype, 1, len, fp); - if (rc) - return rc; - len = 0; - for (c = genfs->head; c; c = c->next) - len++; - buf[0] = cpu_to_le32(len); - rc = put_entry(buf, sizeof(u32), 1, fp); - if (rc) - return rc; - for (c = genfs->head; c; c = c->next) { - len = strlen(c->u.name); - buf[0] = cpu_to_le32(len); - rc = put_entry(buf, sizeof(u32), 1, fp); - if (rc) - return rc; - rc = put_entry(c->u.name, 1, len, fp); - if (rc) - return rc; - buf[0] = cpu_to_le32(c->v.sclass); - rc = put_entry(buf, sizeof(u32), 1, fp); - if (rc) - return rc; - rc = context_write(p, &c->context[0], fp); - if (rc) - return rc; - } - } - return 0; -} - -static int hashtab_cnt(void *key, void *data, void *ptr) -{ - int *cnt = ptr; - *cnt = *cnt + 1; - - return 0; -} - -static int range_write_helper(void *key, void *data, void *ptr) -{ - __le32 buf[2]; - struct range_trans *rt = key; - struct mls_range *r = data; - struct policy_data *pd = ptr; - void *fp = pd->fp; - struct policydb *p = pd->p; - int rc; - - buf[0] = cpu_to_le32(rt->source_type); - buf[1] = cpu_to_le32(rt->target_type); - rc = put_entry(buf, sizeof(u32), 2, fp); - if (rc) - return rc; - if (p->policyvers >= POLICYDB_VERSION_RANGETRANS) { - buf[0] = cpu_to_le32(rt->target_class); - rc = put_entry(buf, sizeof(u32), 1, fp); - if (rc) - return rc; - } - rc = mls_write_range_helper(r, fp); - if (rc) - return rc; - - return 0; -} - -static int range_write(struct policydb *p, void *fp) -{ - size_t nel; - __le32 buf[1]; - int rc; - struct policy_data pd; - - pd.p = p; - pd.fp = fp; - - /* count the number of entries in the hashtab */ - nel = 0; - rc = hashtab_map(p->range_tr, hashtab_cnt, &nel); - if (rc) - return rc; - - buf[0] = cpu_to_le32(nel); - rc = put_entry(buf, sizeof(u32), 1, fp); - if (rc) - return rc; - - /* actually write all of the entries */ - rc = hashtab_map(p->range_tr, range_write_helper, &pd); - if (rc) - return rc; - - return 0; -} - -static int filename_write_helper(void *key, void *data, void *ptr) -{ - __le32 buf[4]; - struct filename_trans *ft = key; - struct filename_trans_datum *otype = data; - void *fp = ptr; - int rc; - u32 len; - - len = strlen(ft->name); - buf[0] = cpu_to_le32(len); - rc = put_entry(buf, sizeof(u32), 1, fp); - if (rc) - return rc; - - rc = put_entry(ft->name, sizeof(char), len, fp); - if (rc) - return rc; - - buf[0] = ft->stype; - buf[1] = ft->ttype; - buf[2] = ft->tclass; - buf[3] = otype->otype; - - rc = put_entry(buf, sizeof(u32), 4, fp); - if (rc) - return rc; - - return 0; -} - -static int filename_trans_write(struct policydb *p, void *fp) -{ - u32 nel; - __le32 buf[1]; - int rc; - - if (p->policyvers < POLICYDB_VERSION_FILENAME_TRANS) - return 0; - - nel = 0; - rc = hashtab_map(p->filename_trans, hashtab_cnt, &nel); - if (rc) - return rc; - - buf[0] = cpu_to_le32(nel); - rc = put_entry(buf, sizeof(u32), 1, fp); - if (rc) - return rc; - - rc = hashtab_map(p->filename_trans, filename_write_helper, fp); - if (rc) - return rc; - - return 0; -} - -/* - * Write the configuration data in a policy database - * structure to a policy database binary representation - * file. - */ -int policydb_write(struct policydb *p, void *fp) -{ - unsigned int i, num_syms; - int rc; - __le32 buf[4]; - u32 config; - size_t len; - struct policydb_compat_info *info; - - /* - * refuse to write policy older than compressed avtab - * to simplify the writer. There are other tests dropped - * since we assume this throughout the writer code. Be - * careful if you ever try to remove this restriction - */ - if (p->policyvers < POLICYDB_VERSION_AVTAB) { - printk(KERN_ERR "SELinux: refusing to write policy version %d." - " Because it is less than version %d\n", p->policyvers, - POLICYDB_VERSION_AVTAB); - return -EINVAL; - } - - config = 0; - if (p->mls_enabled) - config |= POLICYDB_CONFIG_MLS; - - if (p->reject_unknown) - config |= REJECT_UNKNOWN; - if (p->allow_unknown) - config |= ALLOW_UNKNOWN; - - /* Write the magic number and string identifiers. */ - buf[0] = cpu_to_le32(POLICYDB_MAGIC); - len = strlen(POLICYDB_STRING); - buf[1] = cpu_to_le32(len); - rc = put_entry(buf, sizeof(u32), 2, fp); - if (rc) - return rc; - rc = put_entry(POLICYDB_STRING, 1, len, fp); - if (rc) - return rc; - - /* Write the version, config, and table sizes. */ - info = policydb_lookup_compat(p->policyvers); - if (!info) { - printk(KERN_ERR "SELinux: compatibility lookup failed for policy " - "version %d", p->policyvers); - return -EINVAL; - } - - buf[0] = cpu_to_le32(p->policyvers); - buf[1] = cpu_to_le32(config); - buf[2] = cpu_to_le32(info->sym_num); - buf[3] = cpu_to_le32(info->ocon_num); - - rc = put_entry(buf, sizeof(u32), 4, fp); - if (rc) - return rc; - - if (p->policyvers >= POLICYDB_VERSION_POLCAP) { - rc = ebitmap_write(&p->policycaps, fp); - if (rc) - return rc; - } - - if (p->policyvers >= POLICYDB_VERSION_PERMISSIVE) { - rc = ebitmap_write(&p->permissive_map, fp); - if (rc) - return rc; - } - - num_syms = info->sym_num; - for (i = 0; i < num_syms; i++) { - struct policy_data pd; - - pd.fp = fp; - pd.p = p; - - buf[0] = cpu_to_le32(p->symtab[i].nprim); - buf[1] = cpu_to_le32(p->symtab[i].table->nel); - - rc = put_entry(buf, sizeof(u32), 2, fp); - if (rc) - return rc; - rc = hashtab_map(p->symtab[i].table, write_f[i], &pd); - if (rc) - return rc; - } - - rc = avtab_write(p, &p->te_avtab, fp); - if (rc) - return rc; - - rc = cond_write_list(p, p->cond_list, fp); - if (rc) - return rc; - - rc = role_trans_write(p, fp); - if (rc) - return rc; - - rc = role_allow_write(p->role_allow, fp); - if (rc) - return rc; - - rc = filename_trans_write(p, fp); - if (rc) - return rc; - - rc = ocontext_write(p, info, fp); - if (rc) - return rc; - - rc = genfs_write(p, fp); - if (rc) - return rc; - - rc = range_write(p, fp); - if (rc) - return rc; - - for (i = 0; i < p->p_types.nprim; i++) { - struct ebitmap *e = flex_array_get(p->type_attr_map_array, i); - - BUG_ON(!e); - rc = ebitmap_write(e, fp); - if (rc) - return rc; - } - - return 0; -} diff --git a/ANDROID_3.4.5/security/selinux/ss/policydb.h b/ANDROID_3.4.5/security/selinux/ss/policydb.h deleted file mode 100644 index b846c038..00000000 --- a/ANDROID_3.4.5/security/selinux/ss/policydb.h +++ /dev/null @@ -1,345 +0,0 @@ -/* - * A policy database (policydb) specifies the - * configuration data for the security policy. - * - * Author : Stephen Smalley, <sds@epoch.ncsc.mil> - */ - -/* - * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> - * - * Support for enhanced MLS infrastructure. - * - * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> - * - * Added conditional policy language extensions - * - * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. - * Copyright (C) 2003 - 2004 Tresys Technology, LLC - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, version 2. - */ - -#ifndef _SS_POLICYDB_H_ -#define _SS_POLICYDB_H_ - -#include <linux/flex_array.h> - -#include "symtab.h" -#include "avtab.h" -#include "sidtab.h" -#include "ebitmap.h" -#include "mls_types.h" -#include "context.h" -#include "constraint.h" - -/* - * A datum type is defined for each kind of symbol - * in the configuration data: individual permissions, - * common prefixes for access vectors, classes, - * users, roles, types, sensitivities, categories, etc. - */ - -/* Permission attributes */ -struct perm_datum { - u32 value; /* permission bit + 1 */ -}; - -/* Attributes of a common prefix for access vectors */ -struct common_datum { - u32 value; /* internal common value */ - struct symtab permissions; /* common permissions */ -}; - -/* Class attributes */ -struct class_datum { - u32 value; /* class value */ - char *comkey; /* common name */ - struct common_datum *comdatum; /* common datum */ - struct symtab permissions; /* class-specific permission symbol table */ - struct constraint_node *constraints; /* constraints on class permissions */ - struct constraint_node *validatetrans; /* special transition rules */ -}; - -/* Role attributes */ -struct role_datum { - u32 value; /* internal role value */ - u32 bounds; /* boundary of role */ - struct ebitmap dominates; /* set of roles dominated by this role */ - struct ebitmap types; /* set of authorized types for role */ -}; - -struct role_trans { - u32 role; /* current role */ - u32 type; /* program executable type, or new object type */ - u32 tclass; /* process class, or new object class */ - u32 new_role; /* new role */ - struct role_trans *next; -}; - -struct filename_trans { - u32 stype; /* current process */ - u32 ttype; /* parent dir context */ - u16 tclass; /* class of new object */ - const char *name; /* last path component */ -}; - -struct filename_trans_datum { - u32 otype; /* expected of new object */ -}; - -struct role_allow { - u32 role; /* current role */ - u32 new_role; /* new role */ - struct role_allow *next; -}; - -/* Type attributes */ -struct type_datum { - u32 value; /* internal type value */ - u32 bounds; /* boundary of type */ - unsigned char primary; /* primary name? */ - unsigned char attribute;/* attribute ?*/ -}; - -/* User attributes */ -struct user_datum { - u32 value; /* internal user value */ - u32 bounds; /* bounds of user */ - struct ebitmap roles; /* set of authorized roles for user */ - struct mls_range range; /* MLS range (min - max) for user */ - struct mls_level dfltlevel; /* default login MLS level for user */ -}; - - -/* Sensitivity attributes */ -struct level_datum { - struct mls_level *level; /* sensitivity and associated categories */ - unsigned char isalias; /* is this sensitivity an alias for another? */ -}; - -/* Category attributes */ -struct cat_datum { - u32 value; /* internal category bit + 1 */ - unsigned char isalias; /* is this category an alias for another? */ -}; - -struct range_trans { - u32 source_type; - u32 target_type; - u32 target_class; -}; - -/* Boolean data type */ -struct cond_bool_datum { - __u32 value; /* internal type value */ - int state; -}; - -struct cond_node; - -/* - * The configuration data includes security contexts for - * initial SIDs, unlabeled file systems, TCP and UDP port numbers, - * network interfaces, and nodes. This structure stores the - * relevant data for one such entry. Entries of the same kind - * (e.g. all initial SIDs) are linked together into a list. - */ -struct ocontext { - union { - char *name; /* name of initial SID, fs, netif, fstype, path */ - struct { - u8 protocol; - u16 low_port; - u16 high_port; - } port; /* TCP or UDP port information */ - struct { - u32 addr; - u32 mask; - } node; /* node information */ - struct { - u32 addr[4]; - u32 mask[4]; - } node6; /* IPv6 node information */ - } u; - union { - u32 sclass; /* security class for genfs */ - u32 behavior; /* labeling behavior for fs_use */ - } v; - struct context context[2]; /* security context(s) */ - u32 sid[2]; /* SID(s) */ - struct ocontext *next; -}; - -struct genfs { - char *fstype; - struct ocontext *head; - struct genfs *next; -}; - -/* symbol table array indices */ -#define SYM_COMMONS 0 -#define SYM_CLASSES 1 -#define SYM_ROLES 2 -#define SYM_TYPES 3 -#define SYM_USERS 4 -#define SYM_BOOLS 5 -#define SYM_LEVELS 6 -#define SYM_CATS 7 -#define SYM_NUM 8 - -/* object context array indices */ -#define OCON_ISID 0 /* initial SIDs */ -#define OCON_FS 1 /* unlabeled file systems */ -#define OCON_PORT 2 /* TCP and UDP port numbers */ -#define OCON_NETIF 3 /* network interfaces */ -#define OCON_NODE 4 /* nodes */ -#define OCON_FSUSE 5 /* fs_use */ -#define OCON_NODE6 6 /* IPv6 nodes */ -#define OCON_NUM 7 - -/* The policy database */ -struct policydb { - int mls_enabled; - - /* symbol tables */ - struct symtab symtab[SYM_NUM]; -#define p_commons symtab[SYM_COMMONS] -#define p_classes symtab[SYM_CLASSES] -#define p_roles symtab[SYM_ROLES] -#define p_types symtab[SYM_TYPES] -#define p_users symtab[SYM_USERS] -#define p_bools symtab[SYM_BOOLS] -#define p_levels symtab[SYM_LEVELS] -#define p_cats symtab[SYM_CATS] - - /* symbol names indexed by (value - 1) */ - struct flex_array *sym_val_to_name[SYM_NUM]; - - /* class, role, and user attributes indexed by (value - 1) */ - struct class_datum **class_val_to_struct; - struct role_datum **role_val_to_struct; - struct user_datum **user_val_to_struct; - struct flex_array *type_val_to_struct_array; - - /* type enforcement access vectors and transitions */ - struct avtab te_avtab; - - /* role transitions */ - struct role_trans *role_tr; - - /* file transitions with the last path component */ - /* quickly exclude lookups when parent ttype has no rules */ - struct ebitmap filename_trans_ttypes; - /* actual set of filename_trans rules */ - struct hashtab *filename_trans; - - /* bools indexed by (value - 1) */ - struct cond_bool_datum **bool_val_to_struct; - /* type enforcement conditional access vectors and transitions */ - struct avtab te_cond_avtab; - /* linked list indexing te_cond_avtab by conditional */ - struct cond_node *cond_list; - - /* role allows */ - struct role_allow *role_allow; - - /* security contexts of initial SIDs, unlabeled file systems, - TCP or UDP port numbers, network interfaces and nodes */ - struct ocontext *ocontexts[OCON_NUM]; - - /* security contexts for files in filesystems that cannot support - a persistent label mapping or use another - fixed labeling behavior. */ - struct genfs *genfs; - - /* range transitions table (range_trans_key -> mls_range) */ - struct hashtab *range_tr; - - /* type -> attribute reverse mapping */ - struct flex_array *type_attr_map_array; - - struct ebitmap policycaps; - - struct ebitmap permissive_map; - - /* length of this policy when it was loaded */ - size_t len; - - unsigned int policyvers; - - unsigned int reject_unknown : 1; - unsigned int allow_unknown : 1; - - u16 process_class; - u32 process_trans_perms; -}; - -extern void policydb_destroy(struct policydb *p); -extern int policydb_load_isids(struct policydb *p, struct sidtab *s); -extern int policydb_context_isvalid(struct policydb *p, struct context *c); -extern int policydb_class_isvalid(struct policydb *p, unsigned int class); -extern int policydb_type_isvalid(struct policydb *p, unsigned int type); -extern int policydb_role_isvalid(struct policydb *p, unsigned int role); -extern int policydb_read(struct policydb *p, void *fp); -extern int policydb_write(struct policydb *p, void *fp); - -#define PERM_SYMTAB_SIZE 32 - -#define POLICYDB_CONFIG_MLS 1 - -/* the config flags related to unknown classes/perms are bits 2 and 3 */ -#define REJECT_UNKNOWN 0x00000002 -#define ALLOW_UNKNOWN 0x00000004 - -#define OBJECT_R "object_r" -#define OBJECT_R_VAL 1 - -#define POLICYDB_MAGIC SELINUX_MAGIC -#define POLICYDB_STRING "SE Linux" - -struct policy_file { - char *data; - size_t len; -}; - -struct policy_data { - struct policydb *p; - void *fp; -}; - -static inline int next_entry(void *buf, struct policy_file *fp, size_t bytes) -{ - if (bytes > fp->len) - return -EINVAL; - - memcpy(buf, fp->data, bytes); - fp->data += bytes; - fp->len -= bytes; - return 0; -} - -static inline int put_entry(const void *buf, size_t bytes, int num, struct policy_file *fp) -{ - size_t len = bytes * num; - - memcpy(fp->data, buf, len); - fp->data += len; - fp->len -= len; - - return 0; -} - -static inline char *sym_name(struct policydb *p, unsigned int sym_num, unsigned int element_nr) -{ - struct flex_array *fa = p->sym_val_to_name[sym_num]; - - return flex_array_get_ptr(fa, element_nr); -} - -extern u16 string_to_security_class(struct policydb *p, const char *name); -extern u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name); - -#endif /* _SS_POLICYDB_H_ */ - diff --git a/ANDROID_3.4.5/security/selinux/ss/services.c b/ANDROID_3.4.5/security/selinux/ss/services.c deleted file mode 100644 index 185f849a..00000000 --- a/ANDROID_3.4.5/security/selinux/ss/services.c +++ /dev/null @@ -1,3226 +0,0 @@ -/* - * Implementation of the security services. - * - * Authors : Stephen Smalley, <sds@epoch.ncsc.mil> - * James Morris <jmorris@redhat.com> - * - * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> - * - * Support for enhanced MLS infrastructure. - * Support for context based audit filters. - * - * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> - * - * Added conditional policy language extensions - * - * Updated: Hewlett-Packard <paul@paul-moore.com> - * - * Added support for NetLabel - * Added support for the policy capability bitmap - * - * Updated: Chad Sellers <csellers@tresys.com> - * - * Added validation of kernel classes and permissions - * - * Updated: KaiGai Kohei <kaigai@ak.jp.nec.com> - * - * Added support for bounds domain and audit messaged on masked permissions - * - * Updated: Guido Trentalancia <guido@trentalancia.com> - * - * Added support for runtime switching of the policy type - * - * Copyright (C) 2008, 2009 NEC Corporation - * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P. - * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc. - * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC - * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, version 2. - */ -#include <linux/kernel.h> -#include <linux/slab.h> -#include <linux/string.h> -#include <linux/spinlock.h> -#include <linux/rcupdate.h> -#include <linux/errno.h> -#include <linux/in.h> -#include <linux/sched.h> -#include <linux/audit.h> -#include <linux/mutex.h> -#include <linux/selinux.h> -#include <linux/flex_array.h> -#include <linux/vmalloc.h> -#include <net/netlabel.h> - -#include "flask.h" -#include "avc.h" -#include "avc_ss.h" -#include "security.h" -#include "context.h" -#include "policydb.h" -#include "sidtab.h" -#include "services.h" -#include "conditional.h" -#include "mls.h" -#include "objsec.h" -#include "netlabel.h" -#include "xfrm.h" -#include "ebitmap.h" -#include "audit.h" - -int selinux_policycap_netpeer; -int selinux_policycap_openperm; - -static DEFINE_RWLOCK(policy_rwlock); - -static struct sidtab sidtab; -struct policydb policydb; -int ss_initialized; - -/* - * The largest sequence number that has been used when - * providing an access decision to the access vector cache. - * The sequence number only changes when a policy change - * occurs. - */ -static u32 latest_granting; - -/* Forward declaration. */ -static int context_struct_to_string(struct context *context, char **scontext, - u32 *scontext_len); - -static void context_struct_compute_av(struct context *scontext, - struct context *tcontext, - u16 tclass, - struct av_decision *avd); - -struct selinux_mapping { - u16 value; /* policy value */ - unsigned num_perms; - u32 perms[sizeof(u32) * 8]; -}; - -static struct selinux_mapping *current_mapping; -static u16 current_mapping_size; - -static int selinux_set_mapping(struct policydb *pol, - struct security_class_mapping *map, - struct selinux_mapping **out_map_p, - u16 *out_map_size) -{ - struct selinux_mapping *out_map = NULL; - size_t size = sizeof(struct selinux_mapping); - u16 i, j; - unsigned k; - bool print_unknown_handle = false; - - /* Find number of classes in the input mapping */ - if (!map) - return -EINVAL; - i = 0; - while (map[i].name) - i++; - - /* Allocate space for the class records, plus one for class zero */ - out_map = kcalloc(++i, size, GFP_ATOMIC); - if (!out_map) - return -ENOMEM; - - /* Store the raw class and permission values */ - j = 0; - while (map[j].name) { - struct security_class_mapping *p_in = map + (j++); - struct selinux_mapping *p_out = out_map + j; - - /* An empty class string skips ahead */ - if (!strcmp(p_in->name, "")) { - p_out->num_perms = 0; - continue; - } - - p_out->value = string_to_security_class(pol, p_in->name); - if (!p_out->value) { - printk(KERN_INFO - "SELinux: Class %s not defined in policy.\n", - p_in->name); - if (pol->reject_unknown) - goto err; - p_out->num_perms = 0; - print_unknown_handle = true; - continue; - } - - k = 0; - while (p_in->perms && p_in->perms[k]) { - /* An empty permission string skips ahead */ - if (!*p_in->perms[k]) { - k++; - continue; - } - p_out->perms[k] = string_to_av_perm(pol, p_out->value, - p_in->perms[k]); - if (!p_out->perms[k]) { - printk(KERN_INFO - "SELinux: Permission %s in class %s not defined in policy.\n", - p_in->perms[k], p_in->name); - if (pol->reject_unknown) - goto err; - print_unknown_handle = true; - } - - k++; - } - p_out->num_perms = k; - } - - if (print_unknown_handle) - printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n", - pol->allow_unknown ? "allowed" : "denied"); - - *out_map_p = out_map; - *out_map_size = i; - return 0; -err: - kfree(out_map); - return -EINVAL; -} - -/* - * Get real, policy values from mapped values - */ - -static u16 unmap_class(u16 tclass) -{ - if (tclass < current_mapping_size) - return current_mapping[tclass].value; - - return tclass; -} - -/* - * Get kernel value for class from its policy value - */ -static u16 map_class(u16 pol_value) -{ - u16 i; - - for (i = 1; i < current_mapping_size; i++) { - if (current_mapping[i].value == pol_value) - return i; - } - - return SECCLASS_NULL; -} - -static void map_decision(u16 tclass, struct av_decision *avd, - int allow_unknown) -{ - if (tclass < current_mapping_size) { - unsigned i, n = current_mapping[tclass].num_perms; - u32 result; - - for (i = 0, result = 0; i < n; i++) { - if (avd->allowed & current_mapping[tclass].perms[i]) - result |= 1<<i; - if (allow_unknown && !current_mapping[tclass].perms[i]) - result |= 1<<i; - } - avd->allowed = result; - - for (i = 0, result = 0; i < n; i++) - if (avd->auditallow & current_mapping[tclass].perms[i]) - result |= 1<<i; - avd->auditallow = result; - - for (i = 0, result = 0; i < n; i++) { - if (avd->auditdeny & current_mapping[tclass].perms[i]) - result |= 1<<i; - if (!allow_unknown && !current_mapping[tclass].perms[i]) - result |= 1<<i; - } - /* - * In case the kernel has a bug and requests a permission - * between num_perms and the maximum permission number, we - * should audit that denial - */ - for (; i < (sizeof(u32)*8); i++) - result |= 1<<i; - avd->auditdeny = result; - } -} - -int security_mls_enabled(void) -{ - return policydb.mls_enabled; -} - -/* - * Return the boolean value of a constraint expression - * when it is applied to the specified source and target - * security contexts. - * - * xcontext is a special beast... It is used by the validatetrans rules - * only. For these rules, scontext is the context before the transition, - * tcontext is the context after the transition, and xcontext is the context - * of the process performing the transition. All other callers of - * constraint_expr_eval should pass in NULL for xcontext. - */ -static int constraint_expr_eval(struct context *scontext, - struct context *tcontext, - struct context *xcontext, - struct constraint_expr *cexpr) -{ - u32 val1, val2; - struct context *c; - struct role_datum *r1, *r2; - struct mls_level *l1, *l2; - struct constraint_expr *e; - int s[CEXPR_MAXDEPTH]; - int sp = -1; - - for (e = cexpr; e; e = e->next) { - switch (e->expr_type) { - case CEXPR_NOT: - BUG_ON(sp < 0); - s[sp] = !s[sp]; - break; - case CEXPR_AND: - BUG_ON(sp < 1); - sp--; - s[sp] &= s[sp + 1]; - break; - case CEXPR_OR: - BUG_ON(sp < 1); - sp--; - s[sp] |= s[sp + 1]; - break; - case CEXPR_ATTR: - if (sp == (CEXPR_MAXDEPTH - 1)) - return 0; - switch (e->attr) { - case CEXPR_USER: - val1 = scontext->user; - val2 = tcontext->user; - break; - case CEXPR_TYPE: - val1 = scontext->type; - val2 = tcontext->type; - break; - case CEXPR_ROLE: - val1 = scontext->role; - val2 = tcontext->role; - r1 = policydb.role_val_to_struct[val1 - 1]; - r2 = policydb.role_val_to_struct[val2 - 1]; - switch (e->op) { - case CEXPR_DOM: - s[++sp] = ebitmap_get_bit(&r1->dominates, - val2 - 1); - continue; - case CEXPR_DOMBY: - s[++sp] = ebitmap_get_bit(&r2->dominates, - val1 - 1); - continue; - case CEXPR_INCOMP: - s[++sp] = (!ebitmap_get_bit(&r1->dominates, - val2 - 1) && - !ebitmap_get_bit(&r2->dominates, - val1 - 1)); - continue; - default: - break; - } - break; - case CEXPR_L1L2: - l1 = &(scontext->range.level[0]); - l2 = &(tcontext->range.level[0]); - goto mls_ops; - case CEXPR_L1H2: - l1 = &(scontext->range.level[0]); - l2 = &(tcontext->range.level[1]); - goto mls_ops; - case CEXPR_H1L2: - l1 = &(scontext->range.level[1]); - l2 = &(tcontext->range.level[0]); - goto mls_ops; - case CEXPR_H1H2: - l1 = &(scontext->range.level[1]); - l2 = &(tcontext->range.level[1]); - goto mls_ops; - case CEXPR_L1H1: - l1 = &(scontext->range.level[0]); - l2 = &(scontext->range.level[1]); - goto mls_ops; - case CEXPR_L2H2: - l1 = &(tcontext->range.level[0]); - l2 = &(tcontext->range.level[1]); - goto mls_ops; -mls_ops: - switch (e->op) { - case CEXPR_EQ: - s[++sp] = mls_level_eq(l1, l2); - continue; - case CEXPR_NEQ: - s[++sp] = !mls_level_eq(l1, l2); - continue; - case CEXPR_DOM: - s[++sp] = mls_level_dom(l1, l2); - continue; - case CEXPR_DOMBY: - s[++sp] = mls_level_dom(l2, l1); - continue; - case CEXPR_INCOMP: - s[++sp] = mls_level_incomp(l2, l1); - continue; - default: - BUG(); - return 0; - } - break; - default: - BUG(); - return 0; - } - - switch (e->op) { - case CEXPR_EQ: - s[++sp] = (val1 == val2); - break; - case CEXPR_NEQ: - s[++sp] = (val1 != val2); - break; - default: - BUG(); - return 0; - } - break; - case CEXPR_NAMES: - if (sp == (CEXPR_MAXDEPTH-1)) - return 0; - c = scontext; - if (e->attr & CEXPR_TARGET) - c = tcontext; - else if (e->attr & CEXPR_XTARGET) { - c = xcontext; - if (!c) { - BUG(); - return 0; - } - } - if (e->attr & CEXPR_USER) - val1 = c->user; - else if (e->attr & CEXPR_ROLE) - val1 = c->role; - else if (e->attr & CEXPR_TYPE) - val1 = c->type; - else { - BUG(); - return 0; - } - - switch (e->op) { - case CEXPR_EQ: - s[++sp] = ebitmap_get_bit(&e->names, val1 - 1); - break; - case CEXPR_NEQ: - s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1); - break; - default: - BUG(); - return 0; - } - break; - default: - BUG(); - return 0; - } - } - - BUG_ON(sp != 0); - return s[0]; -} - -/* - * security_dump_masked_av - dumps masked permissions during - * security_compute_av due to RBAC, MLS/Constraint and Type bounds. - */ -static int dump_masked_av_helper(void *k, void *d, void *args) -{ - struct perm_datum *pdatum = d; - char **permission_names = args; - - BUG_ON(pdatum->value < 1 || pdatum->value > 32); - - permission_names[pdatum->value - 1] = (char *)k; - - return 0; -} - -static void security_dump_masked_av(struct context *scontext, - struct context *tcontext, - u16 tclass, - u32 permissions, - const char *reason) -{ - struct common_datum *common_dat; - struct class_datum *tclass_dat; - struct audit_buffer *ab; - char *tclass_name; - char *scontext_name = NULL; - char *tcontext_name = NULL; - char *permission_names[32]; - int index; - u32 length; - bool need_comma = false; - - if (!permissions) - return; - - tclass_name = sym_name(&policydb, SYM_CLASSES, tclass - 1); - tclass_dat = policydb.class_val_to_struct[tclass - 1]; - common_dat = tclass_dat->comdatum; - - /* init permission_names */ - if (common_dat && - hashtab_map(common_dat->permissions.table, - dump_masked_av_helper, permission_names) < 0) - goto out; - - if (hashtab_map(tclass_dat->permissions.table, - dump_masked_av_helper, permission_names) < 0) - goto out; - - /* get scontext/tcontext in text form */ - if (context_struct_to_string(scontext, - &scontext_name, &length) < 0) - goto out; - - if (context_struct_to_string(tcontext, - &tcontext_name, &length) < 0) - goto out; - - /* audit a message */ - ab = audit_log_start(current->audit_context, - GFP_ATOMIC, AUDIT_SELINUX_ERR); - if (!ab) - goto out; - - audit_log_format(ab, "op=security_compute_av reason=%s " - "scontext=%s tcontext=%s tclass=%s perms=", - reason, scontext_name, tcontext_name, tclass_name); - - for (index = 0; index < 32; index++) { - u32 mask = (1 << index); - - if ((mask & permissions) == 0) - continue; - - audit_log_format(ab, "%s%s", - need_comma ? "," : "", - permission_names[index] - ? permission_names[index] : "????"); - need_comma = true; - } - audit_log_end(ab); -out: - /* release scontext/tcontext */ - kfree(tcontext_name); - kfree(scontext_name); - - return; -} - -/* - * security_boundary_permission - drops violated permissions - * on boundary constraint. - */ -static void type_attribute_bounds_av(struct context *scontext, - struct context *tcontext, - u16 tclass, - struct av_decision *avd) -{ - struct context lo_scontext; - struct context lo_tcontext; - struct av_decision lo_avd; - struct type_datum *source; - struct type_datum *target; - u32 masked = 0; - - source = flex_array_get_ptr(policydb.type_val_to_struct_array, - scontext->type - 1); - BUG_ON(!source); - - target = flex_array_get_ptr(policydb.type_val_to_struct_array, - tcontext->type - 1); - BUG_ON(!target); - - if (source->bounds) { - memset(&lo_avd, 0, sizeof(lo_avd)); - - memcpy(&lo_scontext, scontext, sizeof(lo_scontext)); - lo_scontext.type = source->bounds; - - context_struct_compute_av(&lo_scontext, - tcontext, - tclass, - &lo_avd); - if ((lo_avd.allowed & avd->allowed) == avd->allowed) - return; /* no masked permission */ - masked = ~lo_avd.allowed & avd->allowed; - } - - if (target->bounds) { - memset(&lo_avd, 0, sizeof(lo_avd)); - - memcpy(&lo_tcontext, tcontext, sizeof(lo_tcontext)); - lo_tcontext.type = target->bounds; - - context_struct_compute_av(scontext, - &lo_tcontext, - tclass, - &lo_avd); - if ((lo_avd.allowed & avd->allowed) == avd->allowed) - return; /* no masked permission */ - masked = ~lo_avd.allowed & avd->allowed; - } - - if (source->bounds && target->bounds) { - memset(&lo_avd, 0, sizeof(lo_avd)); - /* - * lo_scontext and lo_tcontext are already - * set up. - */ - - context_struct_compute_av(&lo_scontext, - &lo_tcontext, - tclass, - &lo_avd); - if ((lo_avd.allowed & avd->allowed) == avd->allowed) - return; /* no masked permission */ - masked = ~lo_avd.allowed & avd->allowed; - } - - if (masked) { - /* mask violated permissions */ - avd->allowed &= ~masked; - - /* audit masked permissions */ - security_dump_masked_av(scontext, tcontext, - tclass, masked, "bounds"); - } -} - -/* - * Compute access vectors based on a context structure pair for - * the permissions in a particular class. - */ -static void context_struct_compute_av(struct context *scontext, - struct context *tcontext, - u16 tclass, - struct av_decision *avd) -{ - struct constraint_node *constraint; - struct role_allow *ra; - struct avtab_key avkey; - struct avtab_node *node; - struct class_datum *tclass_datum; - struct ebitmap *sattr, *tattr; - struct ebitmap_node *snode, *tnode; - unsigned int i, j; - - avd->allowed = 0; - avd->auditallow = 0; - avd->auditdeny = 0xffffffff; - - if (unlikely(!tclass || tclass > policydb.p_classes.nprim)) { - if (printk_ratelimit()) - printk(KERN_WARNING "SELinux: Invalid class %hu\n", tclass); - return; - } - - tclass_datum = policydb.class_val_to_struct[tclass - 1]; - - /* - * If a specific type enforcement rule was defined for - * this permission check, then use it. - */ - avkey.target_class = tclass; - avkey.specified = AVTAB_AV; - sattr = flex_array_get(policydb.type_attr_map_array, scontext->type - 1); - BUG_ON(!sattr); - tattr = flex_array_get(policydb.type_attr_map_array, tcontext->type - 1); - BUG_ON(!tattr); - ebitmap_for_each_positive_bit(sattr, snode, i) { - ebitmap_for_each_positive_bit(tattr, tnode, j) { - avkey.source_type = i + 1; - avkey.target_type = j + 1; - for (node = avtab_search_node(&policydb.te_avtab, &avkey); - node; - node = avtab_search_node_next(node, avkey.specified)) { - if (node->key.specified == AVTAB_ALLOWED) - avd->allowed |= node->datum.data; - else if (node->key.specified == AVTAB_AUDITALLOW) - avd->auditallow |= node->datum.data; - else if (node->key.specified == AVTAB_AUDITDENY) - avd->auditdeny &= node->datum.data; - } - - /* Check conditional av table for additional permissions */ - cond_compute_av(&policydb.te_cond_avtab, &avkey, avd); - - } - } - - /* - * Remove any permissions prohibited by a constraint (this includes - * the MLS policy). - */ - constraint = tclass_datum->constraints; - while (constraint) { - if ((constraint->permissions & (avd->allowed)) && - !constraint_expr_eval(scontext, tcontext, NULL, - constraint->expr)) { - avd->allowed &= ~(constraint->permissions); - } - constraint = constraint->next; - } - - /* - * If checking process transition permission and the - * role is changing, then check the (current_role, new_role) - * pair. - */ - if (tclass == policydb.process_class && - (avd->allowed & policydb.process_trans_perms) && - scontext->role != tcontext->role) { - for (ra = policydb.role_allow; ra; ra = ra->next) { - if (scontext->role == ra->role && - tcontext->role == ra->new_role) - break; - } - if (!ra) - avd->allowed &= ~policydb.process_trans_perms; - } - - /* - * If the given source and target types have boundary - * constraint, lazy checks have to mask any violated - * permission and notice it to userspace via audit. - */ - type_attribute_bounds_av(scontext, tcontext, - tclass, avd); -} - -static int security_validtrans_handle_fail(struct context *ocontext, - struct context *ncontext, - struct context *tcontext, - u16 tclass) -{ - char *o = NULL, *n = NULL, *t = NULL; - u32 olen, nlen, tlen; - - if (context_struct_to_string(ocontext, &o, &olen)) - goto out; - if (context_struct_to_string(ncontext, &n, &nlen)) - goto out; - if (context_struct_to_string(tcontext, &t, &tlen)) - goto out; - audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, - "security_validate_transition: denied for" - " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s", - o, n, t, sym_name(&policydb, SYM_CLASSES, tclass-1)); -out: - kfree(o); - kfree(n); - kfree(t); - - if (!selinux_enforcing) - return 0; - return -EPERM; -} - -int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, - u16 orig_tclass) -{ - struct context *ocontext; - struct context *ncontext; - struct context *tcontext; - struct class_datum *tclass_datum; - struct constraint_node *constraint; - u16 tclass; - int rc = 0; - - if (!ss_initialized) - return 0; - - read_lock(&policy_rwlock); - - tclass = unmap_class(orig_tclass); - - if (!tclass || tclass > policydb.p_classes.nprim) { - printk(KERN_ERR "SELinux: %s: unrecognized class %d\n", - __func__, tclass); - rc = -EINVAL; - goto out; - } - tclass_datum = policydb.class_val_to_struct[tclass - 1]; - - ocontext = sidtab_search(&sidtab, oldsid); - if (!ocontext) { - printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", - __func__, oldsid); - rc = -EINVAL; - goto out; - } - - ncontext = sidtab_search(&sidtab, newsid); - if (!ncontext) { - printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", - __func__, newsid); - rc = -EINVAL; - goto out; - } - - tcontext = sidtab_search(&sidtab, tasksid); - if (!tcontext) { - printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", - __func__, tasksid); - rc = -EINVAL; - goto out; - } - - constraint = tclass_datum->validatetrans; - while (constraint) { - if (!constraint_expr_eval(ocontext, ncontext, tcontext, - constraint->expr)) { - rc = security_validtrans_handle_fail(ocontext, ncontext, - tcontext, tclass); - goto out; - } - constraint = constraint->next; - } - -out: - read_unlock(&policy_rwlock); - return rc; -} - -/* - * security_bounded_transition - check whether the given - * transition is directed to bounded, or not. - * It returns 0, if @newsid is bounded by @oldsid. - * Otherwise, it returns error code. - * - * @oldsid : current security identifier - * @newsid : destinated security identifier - */ -int security_bounded_transition(u32 old_sid, u32 new_sid) -{ - struct context *old_context, *new_context; - struct type_datum *type; - int index; - int rc; - - read_lock(&policy_rwlock); - - rc = -EINVAL; - old_context = sidtab_search(&sidtab, old_sid); - if (!old_context) { - printk(KERN_ERR "SELinux: %s: unrecognized SID %u\n", - __func__, old_sid); - goto out; - } - - rc = -EINVAL; - new_context = sidtab_search(&sidtab, new_sid); - if (!new_context) { - printk(KERN_ERR "SELinux: %s: unrecognized SID %u\n", - __func__, new_sid); - goto out; - } - - rc = 0; - /* type/domain unchanged */ - if (old_context->type == new_context->type) - goto out; - - index = new_context->type; - while (true) { - type = flex_array_get_ptr(policydb.type_val_to_struct_array, - index - 1); - BUG_ON(!type); - - /* not bounded anymore */ - rc = -EPERM; - if (!type->bounds) - break; - - /* @newsid is bounded by @oldsid */ - rc = 0; - if (type->bounds == old_context->type) - break; - - index = type->bounds; - } - - if (rc) { - char *old_name = NULL; - char *new_name = NULL; - u32 length; - - if (!context_struct_to_string(old_context, - &old_name, &length) && - !context_struct_to_string(new_context, - &new_name, &length)) { - audit_log(current->audit_context, - GFP_ATOMIC, AUDIT_SELINUX_ERR, - "op=security_bounded_transition " - "result=denied " - "oldcontext=%s newcontext=%s", - old_name, new_name); - } - kfree(new_name); - kfree(old_name); - } -out: - read_unlock(&policy_rwlock); - - return rc; -} - -static void avd_init(struct av_decision *avd) -{ - avd->allowed = 0; - avd->auditallow = 0; - avd->auditdeny = 0xffffffff; - avd->seqno = latest_granting; - avd->flags = 0; -} - - -/** - * security_compute_av - Compute access vector decisions. - * @ssid: source security identifier - * @tsid: target security identifier - * @tclass: target security class - * @avd: access vector decisions - * - * Compute a set of access vector decisions based on the - * SID pair (@ssid, @tsid) for the permissions in @tclass. - */ -void security_compute_av(u32 ssid, - u32 tsid, - u16 orig_tclass, - struct av_decision *avd) -{ - u16 tclass; - struct context *scontext = NULL, *tcontext = NULL; - - read_lock(&policy_rwlock); - avd_init(avd); - if (!ss_initialized) - goto allow; - - scontext = sidtab_search(&sidtab, ssid); - if (!scontext) { - printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", - __func__, ssid); - goto out; - } - - /* permissive domain? */ - if (ebitmap_get_bit(&policydb.permissive_map, scontext->type)) - avd->flags |= AVD_FLAGS_PERMISSIVE; - - tcontext = sidtab_search(&sidtab, tsid); - if (!tcontext) { - printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", - __func__, tsid); - goto out; - } - - tclass = unmap_class(orig_tclass); - if (unlikely(orig_tclass && !tclass)) { - if (policydb.allow_unknown) - goto allow; - goto out; - } - context_struct_compute_av(scontext, tcontext, tclass, avd); - map_decision(orig_tclass, avd, policydb.allow_unknown); -out: - read_unlock(&policy_rwlock); - return; -allow: - avd->allowed = 0xffffffff; - goto out; -} - -void security_compute_av_user(u32 ssid, - u32 tsid, - u16 tclass, - struct av_decision *avd) -{ - struct context *scontext = NULL, *tcontext = NULL; - - read_lock(&policy_rwlock); - avd_init(avd); - if (!ss_initialized) - goto allow; - - scontext = sidtab_search(&sidtab, ssid); - if (!scontext) { - printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", - __func__, ssid); - goto out; - } - - /* permissive domain? */ - if (ebitmap_get_bit(&policydb.permissive_map, scontext->type)) - avd->flags |= AVD_FLAGS_PERMISSIVE; - - tcontext = sidtab_search(&sidtab, tsid); - if (!tcontext) { - printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", - __func__, tsid); - goto out; - } - - if (unlikely(!tclass)) { - if (policydb.allow_unknown) - goto allow; - goto out; - } - - context_struct_compute_av(scontext, tcontext, tclass, avd); - out: - read_unlock(&policy_rwlock); - return; -allow: - avd->allowed = 0xffffffff; - goto out; -} - -/* - * Write the security context string representation of - * the context structure `context' into a dynamically - * allocated string of the correct size. Set `*scontext' - * to point to this string and set `*scontext_len' to - * the length of the string. - */ -static int context_struct_to_string(struct context *context, char **scontext, u32 *scontext_len) -{ - char *scontextp; - - if (scontext) - *scontext = NULL; - *scontext_len = 0; - - if (context->len) { - *scontext_len = context->len; - *scontext = kstrdup(context->str, GFP_ATOMIC); - if (!(*scontext)) - return -ENOMEM; - return 0; - } - - /* Compute the size of the context. */ - *scontext_len += strlen(sym_name(&policydb, SYM_USERS, context->user - 1)) + 1; - *scontext_len += strlen(sym_name(&policydb, SYM_ROLES, context->role - 1)) + 1; - *scontext_len += strlen(sym_name(&policydb, SYM_TYPES, context->type - 1)) + 1; - *scontext_len += mls_compute_context_len(context); - - if (!scontext) - return 0; - - /* Allocate space for the context; caller must free this space. */ - scontextp = kmalloc(*scontext_len, GFP_ATOMIC); - if (!scontextp) - return -ENOMEM; - *scontext = scontextp; - - /* - * Copy the user name, role name and type name into the context. - */ - sprintf(scontextp, "%s:%s:%s", - sym_name(&policydb, SYM_USERS, context->user - 1), - sym_name(&policydb, SYM_ROLES, context->role - 1), - sym_name(&policydb, SYM_TYPES, context->type - 1)); - scontextp += strlen(sym_name(&policydb, SYM_USERS, context->user - 1)) + - 1 + strlen(sym_name(&policydb, SYM_ROLES, context->role - 1)) + - 1 + strlen(sym_name(&policydb, SYM_TYPES, context->type - 1)); - - mls_sid_to_context(context, &scontextp); - - *scontextp = 0; - - return 0; -} - -#include "initial_sid_to_string.h" - -const char *security_get_initial_sid_context(u32 sid) -{ - if (unlikely(sid > SECINITSID_NUM)) - return NULL; - return initial_sid_to_string[sid]; -} - -static int security_sid_to_context_core(u32 sid, char **scontext, - u32 *scontext_len, int force) -{ - struct context *context; - int rc = 0; - - if (scontext) - *scontext = NULL; - *scontext_len = 0; - - if (!ss_initialized) { - if (sid <= SECINITSID_NUM) { - char *scontextp; - - *scontext_len = strlen(initial_sid_to_string[sid]) + 1; - if (!scontext) - goto out; - scontextp = kmalloc(*scontext_len, GFP_ATOMIC); - if (!scontextp) { - rc = -ENOMEM; - goto out; - } - strcpy(scontextp, initial_sid_to_string[sid]); - *scontext = scontextp; - goto out; - } - printk(KERN_ERR "SELinux: %s: called before initial " - "load_policy on unknown SID %d\n", __func__, sid); - rc = -EINVAL; - goto out; - } - read_lock(&policy_rwlock); - if (force) - context = sidtab_search_force(&sidtab, sid); - else - context = sidtab_search(&sidtab, sid); - if (!context) { - printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", - __func__, sid); - rc = -EINVAL; - goto out_unlock; - } - rc = context_struct_to_string(context, scontext, scontext_len); -out_unlock: - read_unlock(&policy_rwlock); -out: - return rc; - -} - -/** - * security_sid_to_context - Obtain a context for a given SID. - * @sid: security identifier, SID - * @scontext: security context - * @scontext_len: length in bytes - * - * Write the string representation of the context associated with @sid - * into a dynamically allocated string of the correct size. Set @scontext - * to point to this string and set @scontext_len to the length of the string. - */ -int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len) -{ - return security_sid_to_context_core(sid, scontext, scontext_len, 0); -} - -int security_sid_to_context_force(u32 sid, char **scontext, u32 *scontext_len) -{ - return security_sid_to_context_core(sid, scontext, scontext_len, 1); -} - -/* - * Caveat: Mutates scontext. - */ -static int string_to_context_struct(struct policydb *pol, - struct sidtab *sidtabp, - char *scontext, - u32 scontext_len, - struct context *ctx, - u32 def_sid) -{ - struct role_datum *role; - struct type_datum *typdatum; - struct user_datum *usrdatum; - char *scontextp, *p, oldc; - int rc = 0; - - context_init(ctx); - - /* Parse the security context. */ - - rc = -EINVAL; - scontextp = (char *) scontext; - - /* Extract the user. */ - p = scontextp; - while (*p && *p != ':') - p++; - - if (*p == 0) - goto out; - - *p++ = 0; - - usrdatum = hashtab_search(pol->p_users.table, scontextp); - if (!usrdatum) - goto out; - - ctx->user = usrdatum->value; - - /* Extract role. */ - scontextp = p; - while (*p && *p != ':') - p++; - - if (*p == 0) - goto out; - - *p++ = 0; - - role = hashtab_search(pol->p_roles.table, scontextp); - if (!role) - goto out; - ctx->role = role->value; - - /* Extract type. */ - scontextp = p; - while (*p && *p != ':') - p++; - oldc = *p; - *p++ = 0; - - typdatum = hashtab_search(pol->p_types.table, scontextp); - if (!typdatum || typdatum->attribute) - goto out; - - ctx->type = typdatum->value; - - rc = mls_context_to_sid(pol, oldc, &p, ctx, sidtabp, def_sid); - if (rc) - goto out; - - rc = -EINVAL; - if ((p - scontext) < scontext_len) - goto out; - - /* Check the validity of the new context. */ - if (!policydb_context_isvalid(pol, ctx)) - goto out; - rc = 0; -out: - if (rc) - context_destroy(ctx); - return rc; -} - -static int security_context_to_sid_core(const char *scontext, u32 scontext_len, - u32 *sid, u32 def_sid, gfp_t gfp_flags, - int force) -{ - char *scontext2, *str = NULL; - struct context context; - int rc = 0; - - if (!ss_initialized) { - int i; - - for (i = 1; i < SECINITSID_NUM; i++) { - if (!strcmp(initial_sid_to_string[i], scontext)) { - *sid = i; - return 0; - } - } - *sid = SECINITSID_KERNEL; - return 0; - } - *sid = SECSID_NULL; - - /* Copy the string so that we can modify the copy as we parse it. */ - scontext2 = kmalloc(scontext_len + 1, gfp_flags); - if (!scontext2) - return -ENOMEM; - memcpy(scontext2, scontext, scontext_len); - scontext2[scontext_len] = 0; - - if (force) { - /* Save another copy for storing in uninterpreted form */ - rc = -ENOMEM; - str = kstrdup(scontext2, gfp_flags); - if (!str) - goto out; - } - - read_lock(&policy_rwlock); - rc = string_to_context_struct(&policydb, &sidtab, scontext2, - scontext_len, &context, def_sid); - if (rc == -EINVAL && force) { - context.str = str; - context.len = scontext_len; - str = NULL; - } else if (rc) - goto out_unlock; - rc = sidtab_context_to_sid(&sidtab, &context, sid); - context_destroy(&context); -out_unlock: - read_unlock(&policy_rwlock); -out: - kfree(scontext2); - kfree(str); - return rc; -} - -/** - * security_context_to_sid - Obtain a SID for a given security context. - * @scontext: security context - * @scontext_len: length in bytes - * @sid: security identifier, SID - * - * Obtains a SID associated with the security context that - * has the string representation specified by @scontext. - * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient - * memory is available, or 0 on success. - */ -int security_context_to_sid(const char *scontext, u32 scontext_len, u32 *sid) -{ - return security_context_to_sid_core(scontext, scontext_len, - sid, SECSID_NULL, GFP_KERNEL, 0); -} - -/** - * security_context_to_sid_default - Obtain a SID for a given security context, - * falling back to specified default if needed. - * - * @scontext: security context - * @scontext_len: length in bytes - * @sid: security identifier, SID - * @def_sid: default SID to assign on error - * - * Obtains a SID associated with the security context that - * has the string representation specified by @scontext. - * The default SID is passed to the MLS layer to be used to allow - * kernel labeling of the MLS field if the MLS field is not present - * (for upgrading to MLS without full relabel). - * Implicitly forces adding of the context even if it cannot be mapped yet. - * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient - * memory is available, or 0 on success. - */ -int security_context_to_sid_default(const char *scontext, u32 scontext_len, - u32 *sid, u32 def_sid, gfp_t gfp_flags) -{ - return security_context_to_sid_core(scontext, scontext_len, - sid, def_sid, gfp_flags, 1); -} - -int security_context_to_sid_force(const char *scontext, u32 scontext_len, - u32 *sid) -{ - return security_context_to_sid_core(scontext, scontext_len, - sid, SECSID_NULL, GFP_KERNEL, 1); -} - -static int compute_sid_handle_invalid_context( - struct context *scontext, - struct context *tcontext, - u16 tclass, - struct context *newcontext) -{ - char *s = NULL, *t = NULL, *n = NULL; - u32 slen, tlen, nlen; - - if (context_struct_to_string(scontext, &s, &slen)) - goto out; - if (context_struct_to_string(tcontext, &t, &tlen)) - goto out; - if (context_struct_to_string(newcontext, &n, &nlen)) - goto out; - audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, - "security_compute_sid: invalid context %s" - " for scontext=%s" - " tcontext=%s" - " tclass=%s", - n, s, t, sym_name(&policydb, SYM_CLASSES, tclass-1)); -out: - kfree(s); - kfree(t); - kfree(n); - if (!selinux_enforcing) - return 0; - return -EACCES; -} - -static void filename_compute_type(struct policydb *p, struct context *newcontext, - u32 stype, u32 ttype, u16 tclass, - const char *objname) -{ - struct filename_trans ft; - struct filename_trans_datum *otype; - - /* - * Most filename trans rules are going to live in specific directories - * like /dev or /var/run. This bitmap will quickly skip rule searches - * if the ttype does not contain any rules. - */ - if (!ebitmap_get_bit(&p->filename_trans_ttypes, ttype)) - return; - - ft.stype = stype; - ft.ttype = ttype; - ft.tclass = tclass; - ft.name = objname; - - otype = hashtab_search(p->filename_trans, &ft); - if (otype) - newcontext->type = otype->otype; -} - -static int security_compute_sid(u32 ssid, - u32 tsid, - u16 orig_tclass, - u32 specified, - const char *objname, - u32 *out_sid, - bool kern) -{ - struct context *scontext = NULL, *tcontext = NULL, newcontext; - struct role_trans *roletr = NULL; - struct avtab_key avkey; - struct avtab_datum *avdatum; - struct avtab_node *node; - u16 tclass; - int rc = 0; - bool sock; - - if (!ss_initialized) { - switch (orig_tclass) { - case SECCLASS_PROCESS: /* kernel value */ - *out_sid = ssid; - break; - default: - *out_sid = tsid; - break; - } - goto out; - } - - context_init(&newcontext); - - read_lock(&policy_rwlock); - - if (kern) { - tclass = unmap_class(orig_tclass); - sock = security_is_socket_class(orig_tclass); - } else { - tclass = orig_tclass; - sock = security_is_socket_class(map_class(tclass)); - } - - scontext = sidtab_search(&sidtab, ssid); - if (!scontext) { - printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", - __func__, ssid); - rc = -EINVAL; - goto out_unlock; - } - tcontext = sidtab_search(&sidtab, tsid); - if (!tcontext) { - printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", - __func__, tsid); - rc = -EINVAL; - goto out_unlock; - } - - /* Set the user identity. */ - switch (specified) { - case AVTAB_TRANSITION: - case AVTAB_CHANGE: - /* Use the process user identity. */ - newcontext.user = scontext->user; - break; - case AVTAB_MEMBER: - /* Use the related object owner. */ - newcontext.user = tcontext->user; - break; - } - - /* Set the role and type to default values. */ - if ((tclass == policydb.process_class) || (sock == true)) { - /* Use the current role and type of process. */ - newcontext.role = scontext->role; - newcontext.type = scontext->type; - } else { - /* Use the well-defined object role. */ - newcontext.role = OBJECT_R_VAL; - /* Use the type of the related object. */ - newcontext.type = tcontext->type; - } - - /* Look for a type transition/member/change rule. */ - avkey.source_type = scontext->type; - avkey.target_type = tcontext->type; - avkey.target_class = tclass; - avkey.specified = specified; - avdatum = avtab_search(&policydb.te_avtab, &avkey); - - /* If no permanent rule, also check for enabled conditional rules */ - if (!avdatum) { - node = avtab_search_node(&policydb.te_cond_avtab, &avkey); - for (; node; node = avtab_search_node_next(node, specified)) { - if (node->key.specified & AVTAB_ENABLED) { - avdatum = &node->datum; - break; - } - } - } - - if (avdatum) { - /* Use the type from the type transition/member/change rule. */ - newcontext.type = avdatum->data; - } - - /* if we have a objname this is a file trans check so check those rules */ - if (objname) - filename_compute_type(&policydb, &newcontext, scontext->type, - tcontext->type, tclass, objname); - - /* Check for class-specific changes. */ - if (specified & AVTAB_TRANSITION) { - /* Look for a role transition rule. */ - for (roletr = policydb.role_tr; roletr; roletr = roletr->next) { - if ((roletr->role == scontext->role) && - (roletr->type == tcontext->type) && - (roletr->tclass == tclass)) { - /* Use the role transition rule. */ - newcontext.role = roletr->new_role; - break; - } - } - } - - /* Set the MLS attributes. - This is done last because it may allocate memory. */ - rc = mls_compute_sid(scontext, tcontext, tclass, specified, - &newcontext, sock); - if (rc) - goto out_unlock; - - /* Check the validity of the context. */ - if (!policydb_context_isvalid(&policydb, &newcontext)) { - rc = compute_sid_handle_invalid_context(scontext, - tcontext, - tclass, - &newcontext); - if (rc) - goto out_unlock; - } - /* Obtain the sid for the context. */ - rc = sidtab_context_to_sid(&sidtab, &newcontext, out_sid); -out_unlock: - read_unlock(&policy_rwlock); - context_destroy(&newcontext); -out: - return rc; -} - -/** - * security_transition_sid - Compute the SID for a new subject/object. - * @ssid: source security identifier - * @tsid: target security identifier - * @tclass: target security class - * @out_sid: security identifier for new subject/object - * - * Compute a SID to use for labeling a new subject or object in the - * class @tclass based on a SID pair (@ssid, @tsid). - * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM - * if insufficient memory is available, or %0 if the new SID was - * computed successfully. - */ -int security_transition_sid(u32 ssid, u32 tsid, u16 tclass, - const struct qstr *qstr, u32 *out_sid) -{ - return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, - qstr ? qstr->name : NULL, out_sid, true); -} - -int security_transition_sid_user(u32 ssid, u32 tsid, u16 tclass, - const char *objname, u32 *out_sid) -{ - return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, - objname, out_sid, false); -} - -/** - * security_member_sid - Compute the SID for member selection. - * @ssid: source security identifier - * @tsid: target security identifier - * @tclass: target security class - * @out_sid: security identifier for selected member - * - * Compute a SID to use when selecting a member of a polyinstantiated - * object of class @tclass based on a SID pair (@ssid, @tsid). - * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM - * if insufficient memory is available, or %0 if the SID was - * computed successfully. - */ -int security_member_sid(u32 ssid, - u32 tsid, - u16 tclass, - u32 *out_sid) -{ - return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, NULL, - out_sid, false); -} - -/** - * security_change_sid - Compute the SID for object relabeling. - * @ssid: source security identifier - * @tsid: target security identifier - * @tclass: target security class - * @out_sid: security identifier for selected member - * - * Compute a SID to use for relabeling an object of class @tclass - * based on a SID pair (@ssid, @tsid). - * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM - * if insufficient memory is available, or %0 if the SID was - * computed successfully. - */ -int security_change_sid(u32 ssid, - u32 tsid, - u16 tclass, - u32 *out_sid) -{ - return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, NULL, - out_sid, false); -} - -/* Clone the SID into the new SID table. */ -static int clone_sid(u32 sid, - struct context *context, - void *arg) -{ - struct sidtab *s = arg; - - if (sid > SECINITSID_NUM) - return sidtab_insert(s, sid, context); - else - return 0; -} - -static inline int convert_context_handle_invalid_context(struct context *context) -{ - char *s; - u32 len; - - if (selinux_enforcing) - return -EINVAL; - - if (!context_struct_to_string(context, &s, &len)) { - printk(KERN_WARNING "SELinux: Context %s would be invalid if enforcing\n", s); - kfree(s); - } - return 0; -} - -struct convert_context_args { - struct policydb *oldp; - struct policydb *newp; -}; - -/* - * Convert the values in the security context - * structure `c' from the values specified - * in the policy `p->oldp' to the values specified - * in the policy `p->newp'. Verify that the - * context is valid under the new policy. - */ -static int convert_context(u32 key, - struct context *c, - void *p) -{ - struct convert_context_args *args; - struct context oldc; - struct ocontext *oc; - struct mls_range *range; - struct role_datum *role; - struct type_datum *typdatum; - struct user_datum *usrdatum; - char *s; - u32 len; - int rc = 0; - - if (key <= SECINITSID_NUM) - goto out; - - args = p; - - if (c->str) { - struct context ctx; - - rc = -ENOMEM; - s = kstrdup(c->str, GFP_KERNEL); - if (!s) - goto out; - - rc = string_to_context_struct(args->newp, NULL, s, - c->len, &ctx, SECSID_NULL); - kfree(s); - if (!rc) { - printk(KERN_INFO "SELinux: Context %s became valid (mapped).\n", - c->str); - /* Replace string with mapped representation. */ - kfree(c->str); - memcpy(c, &ctx, sizeof(*c)); - goto out; - } else if (rc == -EINVAL) { - /* Retain string representation for later mapping. */ - rc = 0; - goto out; - } else { - /* Other error condition, e.g. ENOMEM. */ - printk(KERN_ERR "SELinux: Unable to map context %s, rc = %d.\n", - c->str, -rc); - goto out; - } - } - - rc = context_cpy(&oldc, c); - if (rc) - goto out; - - /* Convert the user. */ - rc = -EINVAL; - usrdatum = hashtab_search(args->newp->p_users.table, - sym_name(args->oldp, SYM_USERS, c->user - 1)); - if (!usrdatum) - goto bad; - c->user = usrdatum->value; - - /* Convert the role. */ - rc = -EINVAL; - role = hashtab_search(args->newp->p_roles.table, - sym_name(args->oldp, SYM_ROLES, c->role - 1)); - if (!role) - goto bad; - c->role = role->value; - - /* Convert the type. */ - rc = -EINVAL; - typdatum = hashtab_search(args->newp->p_types.table, - sym_name(args->oldp, SYM_TYPES, c->type - 1)); - if (!typdatum) - goto bad; - c->type = typdatum->value; - - /* Convert the MLS fields if dealing with MLS policies */ - if (args->oldp->mls_enabled && args->newp->mls_enabled) { - rc = mls_convert_context(args->oldp, args->newp, c); - if (rc) - goto bad; - } else if (args->oldp->mls_enabled && !args->newp->mls_enabled) { - /* - * Switching between MLS and non-MLS policy: - * free any storage used by the MLS fields in the - * context for all existing entries in the sidtab. - */ - mls_context_destroy(c); - } else if (!args->oldp->mls_enabled && args->newp->mls_enabled) { - /* - * Switching between non-MLS and MLS policy: - * ensure that the MLS fields of the context for all - * existing entries in the sidtab are filled in with a - * suitable default value, likely taken from one of the - * initial SIDs. - */ - oc = args->newp->ocontexts[OCON_ISID]; - while (oc && oc->sid[0] != SECINITSID_UNLABELED) - oc = oc->next; - rc = -EINVAL; - if (!oc) { - printk(KERN_ERR "SELinux: unable to look up" - " the initial SIDs list\n"); - goto bad; - } - range = &oc->context[0].range; - rc = mls_range_set(c, range); - if (rc) - goto bad; - } - - /* Check the validity of the new context. */ - if (!policydb_context_isvalid(args->newp, c)) { - rc = convert_context_handle_invalid_context(&oldc); - if (rc) - goto bad; - } - - context_destroy(&oldc); - - rc = 0; -out: - return rc; -bad: - /* Map old representation to string and save it. */ - rc = context_struct_to_string(&oldc, &s, &len); - if (rc) - return rc; - context_destroy(&oldc); - context_destroy(c); - c->str = s; - c->len = len; - printk(KERN_INFO "SELinux: Context %s became invalid (unmapped).\n", - c->str); - rc = 0; - goto out; -} - -static void security_load_policycaps(void) -{ - selinux_policycap_netpeer = ebitmap_get_bit(&policydb.policycaps, - POLICYDB_CAPABILITY_NETPEER); - selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps, - POLICYDB_CAPABILITY_OPENPERM); -} - -static int security_preserve_bools(struct policydb *p); - -/** - * security_load_policy - Load a security policy configuration. - * @data: binary policy data - * @len: length of data in bytes - * - * Load a new set of security policy configuration data, - * validate it and convert the SID table as necessary. - * This function will flush the access vector cache after - * loading the new policy. - */ -int security_load_policy(void *data, size_t len) -{ - struct policydb oldpolicydb, newpolicydb; - struct sidtab oldsidtab, newsidtab; - struct selinux_mapping *oldmap, *map = NULL; - struct convert_context_args args; - u32 seqno; - u16 map_size; - int rc = 0; - struct policy_file file = { data, len }, *fp = &file; - - if (!ss_initialized) { - avtab_cache_init(); - rc = policydb_read(&policydb, fp); - if (rc) { - avtab_cache_destroy(); - return rc; - } - - policydb.len = len; - rc = selinux_set_mapping(&policydb, secclass_map, - ¤t_mapping, - ¤t_mapping_size); - if (rc) { - policydb_destroy(&policydb); - avtab_cache_destroy(); - return rc; - } - - rc = policydb_load_isids(&policydb, &sidtab); - if (rc) { - policydb_destroy(&policydb); - avtab_cache_destroy(); - return rc; - } - - security_load_policycaps(); - ss_initialized = 1; - seqno = ++latest_granting; - selinux_complete_init(); - avc_ss_reset(seqno); - selnl_notify_policyload(seqno); - selinux_status_update_policyload(seqno); - selinux_netlbl_cache_invalidate(); - selinux_xfrm_notify_policyload(); - return 0; - } - -#if 0 - sidtab_hash_eval(&sidtab, "sids"); -#endif - - rc = policydb_read(&newpolicydb, fp); - if (rc) - return rc; - - newpolicydb.len = len; - /* If switching between different policy types, log MLS status */ - if (policydb.mls_enabled && !newpolicydb.mls_enabled) - printk(KERN_INFO "SELinux: Disabling MLS support...\n"); - else if (!policydb.mls_enabled && newpolicydb.mls_enabled) - printk(KERN_INFO "SELinux: Enabling MLS support...\n"); - - rc = policydb_load_isids(&newpolicydb, &newsidtab); - if (rc) { - printk(KERN_ERR "SELinux: unable to load the initial SIDs\n"); - policydb_destroy(&newpolicydb); - return rc; - } - - rc = selinux_set_mapping(&newpolicydb, secclass_map, &map, &map_size); - if (rc) - goto err; - - rc = security_preserve_bools(&newpolicydb); - if (rc) { - printk(KERN_ERR "SELinux: unable to preserve booleans\n"); - goto err; - } - - /* Clone the SID table. */ - sidtab_shutdown(&sidtab); - - rc = sidtab_map(&sidtab, clone_sid, &newsidtab); - if (rc) - goto err; - - /* - * Convert the internal representations of contexts - * in the new SID table. - */ - args.oldp = &policydb; - args.newp = &newpolicydb; - rc = sidtab_map(&newsidtab, convert_context, &args); - if (rc) { - printk(KERN_ERR "SELinux: unable to convert the internal" - " representation of contexts in the new SID" - " table\n"); - goto err; - } - - /* Save the old policydb and SID table to free later. */ - memcpy(&oldpolicydb, &policydb, sizeof policydb); - sidtab_set(&oldsidtab, &sidtab); - - /* Install the new policydb and SID table. */ - write_lock_irq(&policy_rwlock); - memcpy(&policydb, &newpolicydb, sizeof policydb); - sidtab_set(&sidtab, &newsidtab); - security_load_policycaps(); - oldmap = current_mapping; - current_mapping = map; - current_mapping_size = map_size; - seqno = ++latest_granting; - write_unlock_irq(&policy_rwlock); - - /* Free the old policydb and SID table. */ - policydb_destroy(&oldpolicydb); - sidtab_destroy(&oldsidtab); - kfree(oldmap); - - avc_ss_reset(seqno); - selnl_notify_policyload(seqno); - selinux_status_update_policyload(seqno); - selinux_netlbl_cache_invalidate(); - selinux_xfrm_notify_policyload(); - - return 0; - -err: - kfree(map); - sidtab_destroy(&newsidtab); - policydb_destroy(&newpolicydb); - return rc; - -} - -size_t security_policydb_len(void) -{ - size_t len; - - read_lock(&policy_rwlock); - len = policydb.len; - read_unlock(&policy_rwlock); - - return len; -} - -/** - * security_port_sid - Obtain the SID for a port. - * @protocol: protocol number - * @port: port number - * @out_sid: security identifier - */ -int security_port_sid(u8 protocol, u16 port, u32 *out_sid) -{ - struct ocontext *c; - int rc = 0; - - read_lock(&policy_rwlock); - - c = policydb.ocontexts[OCON_PORT]; - while (c) { - if (c->u.port.protocol == protocol && - c->u.port.low_port <= port && - c->u.port.high_port >= port) - break; - c = c->next; - } - - if (c) { - if (!c->sid[0]) { - rc = sidtab_context_to_sid(&sidtab, - &c->context[0], - &c->sid[0]); - if (rc) - goto out; - } - *out_sid = c->sid[0]; - } else { - *out_sid = SECINITSID_PORT; - } - -out: - read_unlock(&policy_rwlock); - return rc; -} - -/** - * security_netif_sid - Obtain the SID for a network interface. - * @name: interface name - * @if_sid: interface SID - */ -int security_netif_sid(char *name, u32 *if_sid) -{ - int rc = 0; - struct ocontext *c; - - read_lock(&policy_rwlock); - - c = policydb.ocontexts[OCON_NETIF]; - while (c) { - if (strcmp(name, c->u.name) == 0) - break; - c = c->next; - } - - if (c) { - if (!c->sid[0] || !c->sid[1]) { - rc = sidtab_context_to_sid(&sidtab, - &c->context[0], - &c->sid[0]); - if (rc) - goto out; - rc = sidtab_context_to_sid(&sidtab, - &c->context[1], - &c->sid[1]); - if (rc) - goto out; - } - *if_sid = c->sid[0]; - } else - *if_sid = SECINITSID_NETIF; - -out: - read_unlock(&policy_rwlock); - return rc; -} - -static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask) -{ - int i, fail = 0; - - for (i = 0; i < 4; i++) - if (addr[i] != (input[i] & mask[i])) { - fail = 1; - break; - } - - return !fail; -} - -/** - * security_node_sid - Obtain the SID for a node (host). - * @domain: communication domain aka address family - * @addrp: address - * @addrlen: address length in bytes - * @out_sid: security identifier - */ -int security_node_sid(u16 domain, - void *addrp, - u32 addrlen, - u32 *out_sid) -{ - int rc; - struct ocontext *c; - - read_lock(&policy_rwlock); - - switch (domain) { - case AF_INET: { - u32 addr; - - rc = -EINVAL; - if (addrlen != sizeof(u32)) - goto out; - - addr = *((u32 *)addrp); - - c = policydb.ocontexts[OCON_NODE]; - while (c) { - if (c->u.node.addr == (addr & c->u.node.mask)) - break; - c = c->next; - } - break; - } - - case AF_INET6: - rc = -EINVAL; - if (addrlen != sizeof(u64) * 2) - goto out; - c = policydb.ocontexts[OCON_NODE6]; - while (c) { - if (match_ipv6_addrmask(addrp, c->u.node6.addr, - c->u.node6.mask)) - break; - c = c->next; - } - break; - - default: - rc = 0; - *out_sid = SECINITSID_NODE; - goto out; - } - - if (c) { - if (!c->sid[0]) { - rc = sidtab_context_to_sid(&sidtab, - &c->context[0], - &c->sid[0]); - if (rc) - goto out; - } - *out_sid = c->sid[0]; - } else { - *out_sid = SECINITSID_NODE; - } - - rc = 0; -out: - read_unlock(&policy_rwlock); - return rc; -} - -#define SIDS_NEL 25 - -/** - * security_get_user_sids - Obtain reachable SIDs for a user. - * @fromsid: starting SID - * @username: username - * @sids: array of reachable SIDs for user - * @nel: number of elements in @sids - * - * Generate the set of SIDs for legal security contexts - * for a given user that can be reached by @fromsid. - * Set *@sids to point to a dynamically allocated - * array containing the set of SIDs. Set *@nel to the - * number of elements in the array. - */ - -int security_get_user_sids(u32 fromsid, - char *username, - u32 **sids, - u32 *nel) -{ - struct context *fromcon, usercon; - u32 *mysids = NULL, *mysids2, sid; - u32 mynel = 0, maxnel = SIDS_NEL; - struct user_datum *user; - struct role_datum *role; - struct ebitmap_node *rnode, *tnode; - int rc = 0, i, j; - - *sids = NULL; - *nel = 0; - - if (!ss_initialized) - goto out; - - read_lock(&policy_rwlock); - - context_init(&usercon); - - rc = -EINVAL; - fromcon = sidtab_search(&sidtab, fromsid); - if (!fromcon) - goto out_unlock; - - rc = -EINVAL; - user = hashtab_search(policydb.p_users.table, username); - if (!user) - goto out_unlock; - - usercon.user = user->value; - - rc = -ENOMEM; - mysids = kcalloc(maxnel, sizeof(*mysids), GFP_ATOMIC); - if (!mysids) - goto out_unlock; - - ebitmap_for_each_positive_bit(&user->roles, rnode, i) { - role = policydb.role_val_to_struct[i]; - usercon.role = i + 1; - ebitmap_for_each_positive_bit(&role->types, tnode, j) { - usercon.type = j + 1; - - if (mls_setup_user_range(fromcon, user, &usercon)) - continue; - - rc = sidtab_context_to_sid(&sidtab, &usercon, &sid); - if (rc) - goto out_unlock; - if (mynel < maxnel) { - mysids[mynel++] = sid; - } else { - rc = -ENOMEM; - maxnel += SIDS_NEL; - mysids2 = kcalloc(maxnel, sizeof(*mysids2), GFP_ATOMIC); - if (!mysids2) - goto out_unlock; - memcpy(mysids2, mysids, mynel * sizeof(*mysids2)); - kfree(mysids); - mysids = mysids2; - mysids[mynel++] = sid; - } - } - } - rc = 0; -out_unlock: - read_unlock(&policy_rwlock); - if (rc || !mynel) { - kfree(mysids); - goto out; - } - - rc = -ENOMEM; - mysids2 = kcalloc(mynel, sizeof(*mysids2), GFP_KERNEL); - if (!mysids2) { - kfree(mysids); - goto out; - } - for (i = 0, j = 0; i < mynel; i++) { - struct av_decision dummy_avd; - rc = avc_has_perm_noaudit(fromsid, mysids[i], - SECCLASS_PROCESS, /* kernel value */ - PROCESS__TRANSITION, AVC_STRICT, - &dummy_avd); - if (!rc) - mysids2[j++] = mysids[i]; - cond_resched(); - } - rc = 0; - kfree(mysids); - *sids = mysids2; - *nel = j; -out: - return rc; -} - -/** - * security_genfs_sid - Obtain a SID for a file in a filesystem - * @fstype: filesystem type - * @path: path from root of mount - * @sclass: file security class - * @sid: SID for path - * - * Obtain a SID to use for a file in a filesystem that - * cannot support xattr or use a fixed labeling behavior like - * transition SIDs or task SIDs. - */ -int security_genfs_sid(const char *fstype, - char *path, - u16 orig_sclass, - u32 *sid) -{ - int len; - u16 sclass; - struct genfs *genfs; - struct ocontext *c; - int rc, cmp = 0; - - while (path[0] == '/' && path[1] == '/') - path++; - - read_lock(&policy_rwlock); - - sclass = unmap_class(orig_sclass); - *sid = SECINITSID_UNLABELED; - - for (genfs = policydb.genfs; genfs; genfs = genfs->next) { - cmp = strcmp(fstype, genfs->fstype); - if (cmp <= 0) - break; - } - - rc = -ENOENT; - if (!genfs || cmp) - goto out; - - for (c = genfs->head; c; c = c->next) { - len = strlen(c->u.name); - if ((!c->v.sclass || sclass == c->v.sclass) && - (strncmp(c->u.name, path, len) == 0)) - break; - } - - rc = -ENOENT; - if (!c) - goto out; - - if (!c->sid[0]) { - rc = sidtab_context_to_sid(&sidtab, &c->context[0], &c->sid[0]); - if (rc) - goto out; - } - - *sid = c->sid[0]; - rc = 0; -out: - read_unlock(&policy_rwlock); - return rc; -} - -/** - * security_fs_use - Determine how to handle labeling for a filesystem. - * @fstype: filesystem type - * @behavior: labeling behavior - * @sid: SID for filesystem (superblock) - */ -int security_fs_use( - const char *fstype, - unsigned int *behavior, - u32 *sid) -{ - int rc = 0; - struct ocontext *c; - - read_lock(&policy_rwlock); - - c = policydb.ocontexts[OCON_FSUSE]; - while (c) { - if (strcmp(fstype, c->u.name) == 0) - break; - c = c->next; - } - - if (c) { - *behavior = c->v.behavior; - if (!c->sid[0]) { - rc = sidtab_context_to_sid(&sidtab, &c->context[0], - &c->sid[0]); - if (rc) - goto out; - } - *sid = c->sid[0]; - } else { - rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, sid); - if (rc) { - *behavior = SECURITY_FS_USE_NONE; - rc = 0; - } else { - *behavior = SECURITY_FS_USE_GENFS; - } - } - -out: - read_unlock(&policy_rwlock); - return rc; -} - -int security_get_bools(int *len, char ***names, int **values) -{ - int i, rc; - - read_lock(&policy_rwlock); - *names = NULL; - *values = NULL; - - rc = 0; - *len = policydb.p_bools.nprim; - if (!*len) - goto out; - - rc = -ENOMEM; - *names = kcalloc(*len, sizeof(char *), GFP_ATOMIC); - if (!*names) - goto err; - - rc = -ENOMEM; - *values = kcalloc(*len, sizeof(int), GFP_ATOMIC); - if (!*values) - goto err; - - for (i = 0; i < *len; i++) { - size_t name_len; - - (*values)[i] = policydb.bool_val_to_struct[i]->state; - name_len = strlen(sym_name(&policydb, SYM_BOOLS, i)) + 1; - - rc = -ENOMEM; - (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC); - if (!(*names)[i]) - goto err; - - strncpy((*names)[i], sym_name(&policydb, SYM_BOOLS, i), name_len); - (*names)[i][name_len - 1] = 0; - } - rc = 0; -out: - read_unlock(&policy_rwlock); - return rc; -err: - if (*names) { - for (i = 0; i < *len; i++) - kfree((*names)[i]); - } - kfree(*values); - goto out; -} - - -int security_set_bools(int len, int *values) -{ - int i, rc; - int lenp, seqno = 0; - struct cond_node *cur; - - write_lock_irq(&policy_rwlock); - - rc = -EFAULT; - lenp = policydb.p_bools.nprim; - if (len != lenp) - goto out; - - for (i = 0; i < len; i++) { - if (!!values[i] != policydb.bool_val_to_struct[i]->state) { - audit_log(current->audit_context, GFP_ATOMIC, - AUDIT_MAC_CONFIG_CHANGE, - "bool=%s val=%d old_val=%d auid=%u ses=%u", - sym_name(&policydb, SYM_BOOLS, i), - !!values[i], - policydb.bool_val_to_struct[i]->state, - audit_get_loginuid(current), - audit_get_sessionid(current)); - } - if (values[i]) - policydb.bool_val_to_struct[i]->state = 1; - else - policydb.bool_val_to_struct[i]->state = 0; - } - - for (cur = policydb.cond_list; cur; cur = cur->next) { - rc = evaluate_cond_node(&policydb, cur); - if (rc) - goto out; - } - - seqno = ++latest_granting; - rc = 0; -out: - write_unlock_irq(&policy_rwlock); - if (!rc) { - avc_ss_reset(seqno); - selnl_notify_policyload(seqno); - selinux_status_update_policyload(seqno); - selinux_xfrm_notify_policyload(); - } - return rc; -} - -int security_get_bool_value(int bool) -{ - int rc; - int len; - - read_lock(&policy_rwlock); - - rc = -EFAULT; - len = policydb.p_bools.nprim; - if (bool >= len) - goto out; - - rc = policydb.bool_val_to_struct[bool]->state; -out: - read_unlock(&policy_rwlock); - return rc; -} - -static int security_preserve_bools(struct policydb *p) -{ - int rc, nbools = 0, *bvalues = NULL, i; - char **bnames = NULL; - struct cond_bool_datum *booldatum; - struct cond_node *cur; - - rc = security_get_bools(&nbools, &bnames, &bvalues); - if (rc) - goto out; - for (i = 0; i < nbools; i++) { - booldatum = hashtab_search(p->p_bools.table, bnames[i]); - if (booldatum) - booldatum->state = bvalues[i]; - } - for (cur = p->cond_list; cur; cur = cur->next) { - rc = evaluate_cond_node(p, cur); - if (rc) - goto out; - } - -out: - if (bnames) { - for (i = 0; i < nbools; i++) - kfree(bnames[i]); - } - kfree(bnames); - kfree(bvalues); - return rc; -} - -/* - * security_sid_mls_copy() - computes a new sid based on the given - * sid and the mls portion of mls_sid. - */ -int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid) -{ - struct context *context1; - struct context *context2; - struct context newcon; - char *s; - u32 len; - int rc; - - rc = 0; - if (!ss_initialized || !policydb.mls_enabled) { - *new_sid = sid; - goto out; - } - - context_init(&newcon); - - read_lock(&policy_rwlock); - - rc = -EINVAL; - context1 = sidtab_search(&sidtab, sid); - if (!context1) { - printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", - __func__, sid); - goto out_unlock; - } - - rc = -EINVAL; - context2 = sidtab_search(&sidtab, mls_sid); - if (!context2) { - printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", - __func__, mls_sid); - goto out_unlock; - } - - newcon.user = context1->user; - newcon.role = context1->role; - newcon.type = context1->type; - rc = mls_context_cpy(&newcon, context2); - if (rc) - goto out_unlock; - - /* Check the validity of the new context. */ - if (!policydb_context_isvalid(&policydb, &newcon)) { - rc = convert_context_handle_invalid_context(&newcon); - if (rc) { - if (!context_struct_to_string(&newcon, &s, &len)) { - audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, - "security_sid_mls_copy: invalid context %s", s); - kfree(s); - } - goto out_unlock; - } - } - - rc = sidtab_context_to_sid(&sidtab, &newcon, new_sid); -out_unlock: - read_unlock(&policy_rwlock); - context_destroy(&newcon); -out: - return rc; -} - -/** - * security_net_peersid_resolve - Compare and resolve two network peer SIDs - * @nlbl_sid: NetLabel SID - * @nlbl_type: NetLabel labeling protocol type - * @xfrm_sid: XFRM SID - * - * Description: - * Compare the @nlbl_sid and @xfrm_sid values and if the two SIDs can be - * resolved into a single SID it is returned via @peer_sid and the function - * returns zero. Otherwise @peer_sid is set to SECSID_NULL and the function - * returns a negative value. A table summarizing the behavior is below: - * - * | function return | @sid - * ------------------------------+-----------------+----------------- - * no peer labels | 0 | SECSID_NULL - * single peer label | 0 | <peer_label> - * multiple, consistent labels | 0 | <peer_label> - * multiple, inconsistent labels | -<errno> | SECSID_NULL - * - */ -int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type, - u32 xfrm_sid, - u32 *peer_sid) -{ - int rc; - struct context *nlbl_ctx; - struct context *xfrm_ctx; - - *peer_sid = SECSID_NULL; - - /* handle the common (which also happens to be the set of easy) cases - * right away, these two if statements catch everything involving a - * single or absent peer SID/label */ - if (xfrm_sid == SECSID_NULL) { - *peer_sid = nlbl_sid; - return 0; - } - /* NOTE: an nlbl_type == NETLBL_NLTYPE_UNLABELED is a "fallback" label - * and is treated as if nlbl_sid == SECSID_NULL when a XFRM SID/label - * is present */ - if (nlbl_sid == SECSID_NULL || nlbl_type == NETLBL_NLTYPE_UNLABELED) { - *peer_sid = xfrm_sid; - return 0; - } - - /* we don't need to check ss_initialized here since the only way both - * nlbl_sid and xfrm_sid are not equal to SECSID_NULL would be if the - * security server was initialized and ss_initialized was true */ - if (!policydb.mls_enabled) - return 0; - - read_lock(&policy_rwlock); - - rc = -EINVAL; - nlbl_ctx = sidtab_search(&sidtab, nlbl_sid); - if (!nlbl_ctx) { - printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", - __func__, nlbl_sid); - goto out; - } - rc = -EINVAL; - xfrm_ctx = sidtab_search(&sidtab, xfrm_sid); - if (!xfrm_ctx) { - printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", - __func__, xfrm_sid); - goto out; - } - rc = (mls_context_cmp(nlbl_ctx, xfrm_ctx) ? 0 : -EACCES); - if (rc) - goto out; - - /* at present NetLabel SIDs/labels really only carry MLS - * information so if the MLS portion of the NetLabel SID - * matches the MLS portion of the labeled XFRM SID/label - * then pass along the XFRM SID as it is the most - * expressive */ - *peer_sid = xfrm_sid; -out: - read_unlock(&policy_rwlock); - return rc; -} - -static int get_classes_callback(void *k, void *d, void *args) -{ - struct class_datum *datum = d; - char *name = k, **classes = args; - int value = datum->value - 1; - - classes[value] = kstrdup(name, GFP_ATOMIC); - if (!classes[value]) - return -ENOMEM; - - return 0; -} - -int security_get_classes(char ***classes, int *nclasses) -{ - int rc; - - read_lock(&policy_rwlock); - - rc = -ENOMEM; - *nclasses = policydb.p_classes.nprim; - *classes = kcalloc(*nclasses, sizeof(**classes), GFP_ATOMIC); - if (!*classes) - goto out; - - rc = hashtab_map(policydb.p_classes.table, get_classes_callback, - *classes); - if (rc) { - int i; - for (i = 0; i < *nclasses; i++) - kfree((*classes)[i]); - kfree(*classes); - } - -out: - read_unlock(&policy_rwlock); - return rc; -} - -static int get_permissions_callback(void *k, void *d, void *args) -{ - struct perm_datum *datum = d; - char *name = k, **perms = args; - int value = datum->value - 1; - - perms[value] = kstrdup(name, GFP_ATOMIC); - if (!perms[value]) - return -ENOMEM; - - return 0; -} - -int security_get_permissions(char *class, char ***perms, int *nperms) -{ - int rc, i; - struct class_datum *match; - - read_lock(&policy_rwlock); - - rc = -EINVAL; - match = hashtab_search(policydb.p_classes.table, class); - if (!match) { - printk(KERN_ERR "SELinux: %s: unrecognized class %s\n", - __func__, class); - goto out; - } - - rc = -ENOMEM; - *nperms = match->permissions.nprim; - *perms = kcalloc(*nperms, sizeof(**perms), GFP_ATOMIC); - if (!*perms) - goto out; - - if (match->comdatum) { - rc = hashtab_map(match->comdatum->permissions.table, - get_permissions_callback, *perms); - if (rc) - goto err; - } - - rc = hashtab_map(match->permissions.table, get_permissions_callback, - *perms); - if (rc) - goto err; - -out: - read_unlock(&policy_rwlock); - return rc; - -err: - read_unlock(&policy_rwlock); - for (i = 0; i < *nperms; i++) - kfree((*perms)[i]); - kfree(*perms); - return rc; -} - -int security_get_reject_unknown(void) -{ - return policydb.reject_unknown; -} - -int security_get_allow_unknown(void) -{ - return policydb.allow_unknown; -} - -/** - * security_policycap_supported - Check for a specific policy capability - * @req_cap: capability - * - * Description: - * This function queries the currently loaded policy to see if it supports the - * capability specified by @req_cap. Returns true (1) if the capability is - * supported, false (0) if it isn't supported. - * - */ -int security_policycap_supported(unsigned int req_cap) -{ - int rc; - - read_lock(&policy_rwlock); - rc = ebitmap_get_bit(&policydb.policycaps, req_cap); - read_unlock(&policy_rwlock); - - return rc; -} - -struct selinux_audit_rule { - u32 au_seqno; - struct context au_ctxt; -}; - -void selinux_audit_rule_free(void *vrule) -{ - struct selinux_audit_rule *rule = vrule; - - if (rule) { - context_destroy(&rule->au_ctxt); - kfree(rule); - } -} - -int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) -{ - struct selinux_audit_rule *tmprule; - struct role_datum *roledatum; - struct type_datum *typedatum; - struct user_datum *userdatum; - struct selinux_audit_rule **rule = (struct selinux_audit_rule **)vrule; - int rc = 0; - - *rule = NULL; - - if (!ss_initialized) - return -EOPNOTSUPP; - - switch (field) { - case AUDIT_SUBJ_USER: - case AUDIT_SUBJ_ROLE: - case AUDIT_SUBJ_TYPE: - case AUDIT_OBJ_USER: - case AUDIT_OBJ_ROLE: - case AUDIT_OBJ_TYPE: - /* only 'equals' and 'not equals' fit user, role, and type */ - if (op != Audit_equal && op != Audit_not_equal) - return -EINVAL; - break; - case AUDIT_SUBJ_SEN: - case AUDIT_SUBJ_CLR: - case AUDIT_OBJ_LEV_LOW: - case AUDIT_OBJ_LEV_HIGH: - /* we do not allow a range, indicated by the presence of '-' */ - if (strchr(rulestr, '-')) - return -EINVAL; - break; - default: - /* only the above fields are valid */ - return -EINVAL; - } - - tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL); - if (!tmprule) - return -ENOMEM; - - context_init(&tmprule->au_ctxt); - - read_lock(&policy_rwlock); - - tmprule->au_seqno = latest_granting; - - switch (field) { - case AUDIT_SUBJ_USER: - case AUDIT_OBJ_USER: - rc = -EINVAL; - userdatum = hashtab_search(policydb.p_users.table, rulestr); - if (!userdatum) - goto out; - tmprule->au_ctxt.user = userdatum->value; - break; - case AUDIT_SUBJ_ROLE: - case AUDIT_OBJ_ROLE: - rc = -EINVAL; - roledatum = hashtab_search(policydb.p_roles.table, rulestr); - if (!roledatum) - goto out; - tmprule->au_ctxt.role = roledatum->value; - break; - case AUDIT_SUBJ_TYPE: - case AUDIT_OBJ_TYPE: - rc = -EINVAL; - typedatum = hashtab_search(policydb.p_types.table, rulestr); - if (!typedatum) - goto out; - tmprule->au_ctxt.type = typedatum->value; - break; - case AUDIT_SUBJ_SEN: - case AUDIT_SUBJ_CLR: - case AUDIT_OBJ_LEV_LOW: - case AUDIT_OBJ_LEV_HIGH: - rc = mls_from_string(rulestr, &tmprule->au_ctxt, GFP_ATOMIC); - if (rc) - goto out; - break; - } - rc = 0; -out: - read_unlock(&policy_rwlock); - - if (rc) { - selinux_audit_rule_free(tmprule); - tmprule = NULL; - } - - *rule = tmprule; - - return rc; -} - -/* Check to see if the rule contains any selinux fields */ -int selinux_audit_rule_known(struct audit_krule *rule) -{ - int i; - - for (i = 0; i < rule->field_count; i++) { - struct audit_field *f = &rule->fields[i]; - switch (f->type) { - case AUDIT_SUBJ_USER: - case AUDIT_SUBJ_ROLE: - case AUDIT_SUBJ_TYPE: - case AUDIT_SUBJ_SEN: - case AUDIT_SUBJ_CLR: - case AUDIT_OBJ_USER: - case AUDIT_OBJ_ROLE: - case AUDIT_OBJ_TYPE: - case AUDIT_OBJ_LEV_LOW: - case AUDIT_OBJ_LEV_HIGH: - return 1; - } - } - - return 0; -} - -int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, - struct audit_context *actx) -{ - struct context *ctxt; - struct mls_level *level; - struct selinux_audit_rule *rule = vrule; - int match = 0; - - if (!rule) { - audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, - "selinux_audit_rule_match: missing rule\n"); - return -ENOENT; - } - - read_lock(&policy_rwlock); - - if (rule->au_seqno < latest_granting) { - audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, - "selinux_audit_rule_match: stale rule\n"); - match = -ESTALE; - goto out; - } - - ctxt = sidtab_search(&sidtab, sid); - if (!ctxt) { - audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, - "selinux_audit_rule_match: unrecognized SID %d\n", - sid); - match = -ENOENT; - goto out; - } - - /* a field/op pair that is not caught here will simply fall through - without a match */ - switch (field) { - case AUDIT_SUBJ_USER: - case AUDIT_OBJ_USER: - switch (op) { - case Audit_equal: - match = (ctxt->user == rule->au_ctxt.user); - break; - case Audit_not_equal: - match = (ctxt->user != rule->au_ctxt.user); - break; - } - break; - case AUDIT_SUBJ_ROLE: - case AUDIT_OBJ_ROLE: - switch (op) { - case Audit_equal: - match = (ctxt->role == rule->au_ctxt.role); - break; - case Audit_not_equal: - match = (ctxt->role != rule->au_ctxt.role); - break; - } - break; - case AUDIT_SUBJ_TYPE: - case AUDIT_OBJ_TYPE: - switch (op) { - case Audit_equal: - match = (ctxt->type == rule->au_ctxt.type); - break; - case Audit_not_equal: - match = (ctxt->type != rule->au_ctxt.type); - break; - } - break; - case AUDIT_SUBJ_SEN: - case AUDIT_SUBJ_CLR: - case AUDIT_OBJ_LEV_LOW: - case AUDIT_OBJ_LEV_HIGH: - level = ((field == AUDIT_SUBJ_SEN || - field == AUDIT_OBJ_LEV_LOW) ? - &ctxt->range.level[0] : &ctxt->range.level[1]); - switch (op) { - case Audit_equal: - match = mls_level_eq(&rule->au_ctxt.range.level[0], - level); - break; - case Audit_not_equal: - match = !mls_level_eq(&rule->au_ctxt.range.level[0], - level); - break; - case Audit_lt: - match = (mls_level_dom(&rule->au_ctxt.range.level[0], - level) && - !mls_level_eq(&rule->au_ctxt.range.level[0], - level)); - break; - case Audit_le: - match = mls_level_dom(&rule->au_ctxt.range.level[0], - level); - break; - case Audit_gt: - match = (mls_level_dom(level, - &rule->au_ctxt.range.level[0]) && - !mls_level_eq(level, - &rule->au_ctxt.range.level[0])); - break; - case Audit_ge: - match = mls_level_dom(level, - &rule->au_ctxt.range.level[0]); - break; - } - } - -out: - read_unlock(&policy_rwlock); - return match; -} - -static int (*aurule_callback)(void) = audit_update_lsm_rules; - -static int aurule_avc_callback(u32 event, u32 ssid, u32 tsid, - u16 class, u32 perms, u32 *retained) -{ - int err = 0; - - if (event == AVC_CALLBACK_RESET && aurule_callback) - err = aurule_callback(); - return err; -} - -static int __init aurule_init(void) -{ - int err; - - err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET, - SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0); - if (err) - panic("avc_add_callback() failed, error %d\n", err); - - return err; -} -__initcall(aurule_init); - -#ifdef CONFIG_NETLABEL -/** - * security_netlbl_cache_add - Add an entry to the NetLabel cache - * @secattr: the NetLabel packet security attributes - * @sid: the SELinux SID - * - * Description: - * Attempt to cache the context in @ctx, which was derived from the packet in - * @skb, in the NetLabel subsystem cache. This function assumes @secattr has - * already been initialized. - * - */ -static void security_netlbl_cache_add(struct netlbl_lsm_secattr *secattr, - u32 sid) -{ - u32 *sid_cache; - - sid_cache = kmalloc(sizeof(*sid_cache), GFP_ATOMIC); - if (sid_cache == NULL) - return; - secattr->cache = netlbl_secattr_cache_alloc(GFP_ATOMIC); - if (secattr->cache == NULL) { - kfree(sid_cache); - return; - } - - *sid_cache = sid; - secattr->cache->free = kfree; - secattr->cache->data = sid_cache; - secattr->flags |= NETLBL_SECATTR_CACHE; -} - -/** - * security_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID - * @secattr: the NetLabel packet security attributes - * @sid: the SELinux SID - * - * Description: - * Convert the given NetLabel security attributes in @secattr into a - * SELinux SID. If the @secattr field does not contain a full SELinux - * SID/context then use SECINITSID_NETMSG as the foundation. If possible the - * 'cache' field of @secattr is set and the CACHE flag is set; this is to - * allow the @secattr to be used by NetLabel to cache the secattr to SID - * conversion for future lookups. Returns zero on success, negative values on - * failure. - * - */ -int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr, - u32 *sid) -{ - int rc; - struct context *ctx; - struct context ctx_new; - - if (!ss_initialized) { - *sid = SECSID_NULL; - return 0; - } - - read_lock(&policy_rwlock); - - if (secattr->flags & NETLBL_SECATTR_CACHE) - *sid = *(u32 *)secattr->cache->data; - else if (secattr->flags & NETLBL_SECATTR_SECID) - *sid = secattr->attr.secid; - else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) { - rc = -EIDRM; - ctx = sidtab_search(&sidtab, SECINITSID_NETMSG); - if (ctx == NULL) - goto out; - - context_init(&ctx_new); - ctx_new.user = ctx->user; - ctx_new.role = ctx->role; - ctx_new.type = ctx->type; - mls_import_netlbl_lvl(&ctx_new, secattr); - if (secattr->flags & NETLBL_SECATTR_MLS_CAT) { - rc = ebitmap_netlbl_import(&ctx_new.range.level[0].cat, - secattr->attr.mls.cat); - if (rc) - goto out; - memcpy(&ctx_new.range.level[1].cat, - &ctx_new.range.level[0].cat, - sizeof(ctx_new.range.level[0].cat)); - } - rc = -EIDRM; - if (!mls_context_isvalid(&policydb, &ctx_new)) - goto out_free; - - rc = sidtab_context_to_sid(&sidtab, &ctx_new, sid); - if (rc) - goto out_free; - - security_netlbl_cache_add(secattr, *sid); - - ebitmap_destroy(&ctx_new.range.level[0].cat); - } else - *sid = SECSID_NULL; - - read_unlock(&policy_rwlock); - return 0; -out_free: - ebitmap_destroy(&ctx_new.range.level[0].cat); -out: - read_unlock(&policy_rwlock); - return rc; -} - -/** - * security_netlbl_sid_to_secattr - Convert a SELinux SID to a NetLabel secattr - * @sid: the SELinux SID - * @secattr: the NetLabel packet security attributes - * - * Description: - * Convert the given SELinux SID in @sid into a NetLabel security attribute. - * Returns zero on success, negative values on failure. - * - */ -int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr) -{ - int rc; - struct context *ctx; - - if (!ss_initialized) - return 0; - - read_lock(&policy_rwlock); - - rc = -ENOENT; - ctx = sidtab_search(&sidtab, sid); - if (ctx == NULL) - goto out; - - rc = -ENOMEM; - secattr->domain = kstrdup(sym_name(&policydb, SYM_TYPES, ctx->type - 1), - GFP_ATOMIC); - if (secattr->domain == NULL) - goto out; - - secattr->attr.secid = sid; - secattr->flags |= NETLBL_SECATTR_DOMAIN_CPY | NETLBL_SECATTR_SECID; - mls_export_netlbl_lvl(ctx, secattr); - rc = mls_export_netlbl_cat(ctx, secattr); -out: - read_unlock(&policy_rwlock); - return rc; -} -#endif /* CONFIG_NETLABEL */ - -/** - * security_read_policy - read the policy. - * @data: binary policy data - * @len: length of data in bytes - * - */ -int security_read_policy(void **data, size_t *len) -{ - int rc; - struct policy_file fp; - - if (!ss_initialized) - return -EINVAL; - - *len = security_policydb_len(); - - *data = vmalloc_user(*len); - if (!*data) - return -ENOMEM; - - fp.data = *data; - fp.len = *len; - - read_lock(&policy_rwlock); - rc = policydb_write(&policydb, &fp); - read_unlock(&policy_rwlock); - - if (rc) - return rc; - - *len = (unsigned long)fp.data - (unsigned long)*data; - return 0; - -} diff --git a/ANDROID_3.4.5/security/selinux/ss/services.h b/ANDROID_3.4.5/security/selinux/ss/services.h deleted file mode 100644 index e8d907e9..00000000 --- a/ANDROID_3.4.5/security/selinux/ss/services.h +++ /dev/null @@ -1,15 +0,0 @@ -/* - * Implementation of the security services. - * - * Author : Stephen Smalley, <sds@epoch.ncsc.mil> - */ -#ifndef _SS_SERVICES_H_ -#define _SS_SERVICES_H_ - -#include "policydb.h" -#include "sidtab.h" - -extern struct policydb policydb; - -#endif /* _SS_SERVICES_H_ */ - diff --git a/ANDROID_3.4.5/security/selinux/ss/sidtab.c b/ANDROID_3.4.5/security/selinux/ss/sidtab.c deleted file mode 100644 index 5840a351..00000000 --- a/ANDROID_3.4.5/security/selinux/ss/sidtab.c +++ /dev/null @@ -1,313 +0,0 @@ -/* - * Implementation of the SID table type. - * - * Author : Stephen Smalley, <sds@epoch.ncsc.mil> - */ -#include <linux/kernel.h> -#include <linux/slab.h> -#include <linux/spinlock.h> -#include <linux/errno.h> -#include "flask.h" -#include "security.h" -#include "sidtab.h" - -#define SIDTAB_HASH(sid) \ -(sid & SIDTAB_HASH_MASK) - -int sidtab_init(struct sidtab *s) -{ - int i; - - s->htable = kmalloc(sizeof(*(s->htable)) * SIDTAB_SIZE, GFP_ATOMIC); - if (!s->htable) - return -ENOMEM; - for (i = 0; i < SIDTAB_SIZE; i++) - s->htable[i] = NULL; - s->nel = 0; - s->next_sid = 1; - s->shutdown = 0; - spin_lock_init(&s->lock); - return 0; -} - -int sidtab_insert(struct sidtab *s, u32 sid, struct context *context) -{ - int hvalue, rc = 0; - struct sidtab_node *prev, *cur, *newnode; - - if (!s) { - rc = -ENOMEM; - goto out; - } - - hvalue = SIDTAB_HASH(sid); - prev = NULL; - cur = s->htable[hvalue]; - while (cur && sid > cur->sid) { - prev = cur; - cur = cur->next; - } - - if (cur && sid == cur->sid) { - rc = -EEXIST; - goto out; - } - - newnode = kmalloc(sizeof(*newnode), GFP_ATOMIC); - if (newnode == NULL) { - rc = -ENOMEM; - goto out; - } - newnode->sid = sid; - if (context_cpy(&newnode->context, context)) { - kfree(newnode); - rc = -ENOMEM; - goto out; - } - - if (prev) { - newnode->next = prev->next; - wmb(); - prev->next = newnode; - } else { - newnode->next = s->htable[hvalue]; - wmb(); - s->htable[hvalue] = newnode; - } - - s->nel++; - if (sid >= s->next_sid) - s->next_sid = sid + 1; -out: - return rc; -} - -static struct context *sidtab_search_core(struct sidtab *s, u32 sid, int force) -{ - int hvalue; - struct sidtab_node *cur; - - if (!s) - return NULL; - - hvalue = SIDTAB_HASH(sid); - cur = s->htable[hvalue]; - while (cur && sid > cur->sid) - cur = cur->next; - - if (force && cur && sid == cur->sid && cur->context.len) - return &cur->context; - - if (cur == NULL || sid != cur->sid || cur->context.len) { - /* Remap invalid SIDs to the unlabeled SID. */ - sid = SECINITSID_UNLABELED; - hvalue = SIDTAB_HASH(sid); - cur = s->htable[hvalue]; - while (cur && sid > cur->sid) - cur = cur->next; - if (!cur || sid != cur->sid) - return NULL; - } - - return &cur->context; -} - -struct context *sidtab_search(struct sidtab *s, u32 sid) -{ - return sidtab_search_core(s, sid, 0); -} - -struct context *sidtab_search_force(struct sidtab *s, u32 sid) -{ - return sidtab_search_core(s, sid, 1); -} - -int sidtab_map(struct sidtab *s, - int (*apply) (u32 sid, - struct context *context, - void *args), - void *args) -{ - int i, rc = 0; - struct sidtab_node *cur; - - if (!s) - goto out; - - for (i = 0; i < SIDTAB_SIZE; i++) { - cur = s->htable[i]; - while (cur) { - rc = apply(cur->sid, &cur->context, args); - if (rc) - goto out; - cur = cur->next; - } - } -out: - return rc; -} - -static void sidtab_update_cache(struct sidtab *s, struct sidtab_node *n, int loc) -{ - BUG_ON(loc >= SIDTAB_CACHE_LEN); - - while (loc > 0) { - s->cache[loc] = s->cache[loc - 1]; - loc--; - } - s->cache[0] = n; -} - -static inline u32 sidtab_search_context(struct sidtab *s, - struct context *context) -{ - int i; - struct sidtab_node *cur; - - for (i = 0; i < SIDTAB_SIZE; i++) { - cur = s->htable[i]; - while (cur) { - if (context_cmp(&cur->context, context)) { - sidtab_update_cache(s, cur, SIDTAB_CACHE_LEN - 1); - return cur->sid; - } - cur = cur->next; - } - } - return 0; -} - -static inline u32 sidtab_search_cache(struct sidtab *s, struct context *context) -{ - int i; - struct sidtab_node *node; - - for (i = 0; i < SIDTAB_CACHE_LEN; i++) { - node = s->cache[i]; - if (unlikely(!node)) - return 0; - if (context_cmp(&node->context, context)) { - sidtab_update_cache(s, node, i); - return node->sid; - } - } - return 0; -} - -int sidtab_context_to_sid(struct sidtab *s, - struct context *context, - u32 *out_sid) -{ - u32 sid; - int ret = 0; - unsigned long flags; - - *out_sid = SECSID_NULL; - - sid = sidtab_search_cache(s, context); - if (!sid) - sid = sidtab_search_context(s, context); - if (!sid) { - spin_lock_irqsave(&s->lock, flags); - /* Rescan now that we hold the lock. */ - sid = sidtab_search_context(s, context); - if (sid) - goto unlock_out; - /* No SID exists for the context. Allocate a new one. */ - if (s->next_sid == UINT_MAX || s->shutdown) { - ret = -ENOMEM; - goto unlock_out; - } - sid = s->next_sid++; - if (context->len) - printk(KERN_INFO - "SELinux: Context %s is not valid (left unmapped).\n", - context->str); - ret = sidtab_insert(s, sid, context); - if (ret) - s->next_sid--; -unlock_out: - spin_unlock_irqrestore(&s->lock, flags); - } - - if (ret) - return ret; - - *out_sid = sid; - return 0; -} - -void sidtab_hash_eval(struct sidtab *h, char *tag) -{ - int i, chain_len, slots_used, max_chain_len; - struct sidtab_node *cur; - - slots_used = 0; - max_chain_len = 0; - for (i = 0; i < SIDTAB_SIZE; i++) { - cur = h->htable[i]; - if (cur) { - slots_used++; - chain_len = 0; - while (cur) { - chain_len++; - cur = cur->next; - } - - if (chain_len > max_chain_len) - max_chain_len = chain_len; - } - } - - printk(KERN_DEBUG "%s: %d entries and %d/%d buckets used, longest " - "chain length %d\n", tag, h->nel, slots_used, SIDTAB_SIZE, - max_chain_len); -} - -void sidtab_destroy(struct sidtab *s) -{ - int i; - struct sidtab_node *cur, *temp; - - if (!s) - return; - - for (i = 0; i < SIDTAB_SIZE; i++) { - cur = s->htable[i]; - while (cur) { - temp = cur; - cur = cur->next; - context_destroy(&temp->context); - kfree(temp); - } - s->htable[i] = NULL; - } - kfree(s->htable); - s->htable = NULL; - s->nel = 0; - s->next_sid = 1; -} - -void sidtab_set(struct sidtab *dst, struct sidtab *src) -{ - unsigned long flags; - int i; - - spin_lock_irqsave(&src->lock, flags); - dst->htable = src->htable; - dst->nel = src->nel; - dst->next_sid = src->next_sid; - dst->shutdown = 0; - for (i = 0; i < SIDTAB_CACHE_LEN; i++) - dst->cache[i] = NULL; - spin_unlock_irqrestore(&src->lock, flags); -} - -void sidtab_shutdown(struct sidtab *s) -{ - unsigned long flags; - - spin_lock_irqsave(&s->lock, flags); - s->shutdown = 1; - spin_unlock_irqrestore(&s->lock, flags); -} diff --git a/ANDROID_3.4.5/security/selinux/ss/sidtab.h b/ANDROID_3.4.5/security/selinux/ss/sidtab.h deleted file mode 100644 index 84dc154d..00000000 --- a/ANDROID_3.4.5/security/selinux/ss/sidtab.h +++ /dev/null @@ -1,56 +0,0 @@ -/* - * A security identifier table (sidtab) is a hash table - * of security context structures indexed by SID value. - * - * Author : Stephen Smalley, <sds@epoch.ncsc.mil> - */ -#ifndef _SS_SIDTAB_H_ -#define _SS_SIDTAB_H_ - -#include "context.h" - -struct sidtab_node { - u32 sid; /* security identifier */ - struct context context; /* security context structure */ - struct sidtab_node *next; -}; - -#define SIDTAB_HASH_BITS 7 -#define SIDTAB_HASH_BUCKETS (1 << SIDTAB_HASH_BITS) -#define SIDTAB_HASH_MASK (SIDTAB_HASH_BUCKETS-1) - -#define SIDTAB_SIZE SIDTAB_HASH_BUCKETS - -struct sidtab { - struct sidtab_node **htable; - unsigned int nel; /* number of elements */ - unsigned int next_sid; /* next SID to allocate */ - unsigned char shutdown; -#define SIDTAB_CACHE_LEN 3 - struct sidtab_node *cache[SIDTAB_CACHE_LEN]; - spinlock_t lock; -}; - -int sidtab_init(struct sidtab *s); -int sidtab_insert(struct sidtab *s, u32 sid, struct context *context); -struct context *sidtab_search(struct sidtab *s, u32 sid); -struct context *sidtab_search_force(struct sidtab *s, u32 sid); - -int sidtab_map(struct sidtab *s, - int (*apply) (u32 sid, - struct context *context, - void *args), - void *args); - -int sidtab_context_to_sid(struct sidtab *s, - struct context *context, - u32 *sid); - -void sidtab_hash_eval(struct sidtab *h, char *tag); -void sidtab_destroy(struct sidtab *s); -void sidtab_set(struct sidtab *dst, struct sidtab *src); -void sidtab_shutdown(struct sidtab *s); - -#endif /* _SS_SIDTAB_H_ */ - - diff --git a/ANDROID_3.4.5/security/selinux/ss/status.c b/ANDROID_3.4.5/security/selinux/ss/status.c deleted file mode 100644 index d982365f..00000000 --- a/ANDROID_3.4.5/security/selinux/ss/status.c +++ /dev/null @@ -1,126 +0,0 @@ -/* - * mmap based event notifications for SELinux - * - * Author: KaiGai Kohei <kaigai@ak.jp.nec.com> - * - * Copyright (C) 2010 NEC corporation - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2, - * as published by the Free Software Foundation. - */ -#include <linux/kernel.h> -#include <linux/gfp.h> -#include <linux/mm.h> -#include <linux/mutex.h> -#include "avc.h" -#include "services.h" - -/* - * The selinux_status_page shall be exposed to userspace applications - * using mmap interface on /selinux/status. - * It enables to notify applications a few events that will cause reset - * of userspace access vector without context switching. - * - * The selinux_kernel_status structure on the head of status page is - * protected from concurrent accesses using seqlock logic, so userspace - * application should reference the status page according to the seqlock - * logic. - * - * Typically, application checks status->sequence at the head of access - * control routine. If it is odd-number, kernel is updating the status, - * so please wait for a moment. If it is changed from the last sequence - * number, it means something happen, so application will reset userspace - * avc, if needed. - * In most cases, application shall confirm the kernel status is not - * changed without any system call invocations. - */ -static struct page *selinux_status_page; -static DEFINE_MUTEX(selinux_status_lock); - -/* - * selinux_kernel_status_page - * - * It returns a reference to selinux_status_page. If the status page is - * not allocated yet, it also tries to allocate it at the first time. - */ -struct page *selinux_kernel_status_page(void) -{ - struct selinux_kernel_status *status; - struct page *result = NULL; - - mutex_lock(&selinux_status_lock); - if (!selinux_status_page) { - selinux_status_page = alloc_page(GFP_KERNEL|__GFP_ZERO); - - if (selinux_status_page) { - status = page_address(selinux_status_page); - - status->version = SELINUX_KERNEL_STATUS_VERSION; - status->sequence = 0; - status->enforcing = selinux_enforcing; - /* - * NOTE: the next policyload event shall set - * a positive value on the status->policyload, - * although it may not be 1, but never zero. - * So, application can know it was updated. - */ - status->policyload = 0; - status->deny_unknown = !security_get_allow_unknown(); - } - } - result = selinux_status_page; - mutex_unlock(&selinux_status_lock); - - return result; -} - -/* - * selinux_status_update_setenforce - * - * It updates status of the current enforcing/permissive mode. - */ -void selinux_status_update_setenforce(int enforcing) -{ - struct selinux_kernel_status *status; - - mutex_lock(&selinux_status_lock); - if (selinux_status_page) { - status = page_address(selinux_status_page); - - status->sequence++; - smp_wmb(); - - status->enforcing = enforcing; - - smp_wmb(); - status->sequence++; - } - mutex_unlock(&selinux_status_lock); -} - -/* - * selinux_status_update_policyload - * - * It updates status of the times of policy reloaded, and current - * setting of deny_unknown. - */ -void selinux_status_update_policyload(int seqno) -{ - struct selinux_kernel_status *status; - - mutex_lock(&selinux_status_lock); - if (selinux_status_page) { - status = page_address(selinux_status_page); - - status->sequence++; - smp_wmb(); - - status->policyload = seqno; - status->deny_unknown = !security_get_allow_unknown(); - - smp_wmb(); - status->sequence++; - } - mutex_unlock(&selinux_status_lock); -} diff --git a/ANDROID_3.4.5/security/selinux/ss/symtab.c b/ANDROID_3.4.5/security/selinux/ss/symtab.c deleted file mode 100644 index 160326ee..00000000 --- a/ANDROID_3.4.5/security/selinux/ss/symtab.c +++ /dev/null @@ -1,43 +0,0 @@ -/* - * Implementation of the symbol table type. - * - * Author : Stephen Smalley, <sds@epoch.ncsc.mil> - */ -#include <linux/kernel.h> -#include <linux/string.h> -#include <linux/errno.h> -#include "symtab.h" - -static unsigned int symhash(struct hashtab *h, const void *key) -{ - const char *p, *keyp; - unsigned int size; - unsigned int val; - - val = 0; - keyp = key; - size = strlen(keyp); - for (p = keyp; (p - keyp) < size; p++) - val = (val << 4 | (val >> (8*sizeof(unsigned int)-4))) ^ (*p); - return val & (h->size - 1); -} - -static int symcmp(struct hashtab *h, const void *key1, const void *key2) -{ - const char *keyp1, *keyp2; - - keyp1 = key1; - keyp2 = key2; - return strcmp(keyp1, keyp2); -} - - -int symtab_init(struct symtab *s, unsigned int size) -{ - s->table = hashtab_create(symhash, symcmp, size); - if (!s->table) - return -ENOMEM; - s->nprim = 0; - return 0; -} - diff --git a/ANDROID_3.4.5/security/selinux/ss/symtab.h b/ANDROID_3.4.5/security/selinux/ss/symtab.h deleted file mode 100644 index ca422b42..00000000 --- a/ANDROID_3.4.5/security/selinux/ss/symtab.h +++ /dev/null @@ -1,23 +0,0 @@ -/* - * A symbol table (symtab) maintains associations between symbol - * strings and datum values. The type of the datum values - * is arbitrary. The symbol table type is implemented - * using the hash table type (hashtab). - * - * Author : Stephen Smalley, <sds@epoch.ncsc.mil> - */ -#ifndef _SS_SYMTAB_H_ -#define _SS_SYMTAB_H_ - -#include "hashtab.h" - -struct symtab { - struct hashtab *table; /* hash table (keyed on a string) */ - u32 nprim; /* number of primary names in table */ -}; - -int symtab_init(struct symtab *s, unsigned int size); - -#endif /* _SS_SYMTAB_H_ */ - - diff --git a/ANDROID_3.4.5/security/selinux/xfrm.c b/ANDROID_3.4.5/security/selinux/xfrm.c deleted file mode 100644 index 48665ecd..00000000 --- a/ANDROID_3.4.5/security/selinux/xfrm.c +++ /dev/null @@ -1,490 +0,0 @@ -/* - * NSA Security-Enhanced Linux (SELinux) security module - * - * This file contains the SELinux XFRM hook function implementations. - * - * Authors: Serge Hallyn <sergeh@us.ibm.com> - * Trent Jaeger <jaegert@us.ibm.com> - * - * Updated: Venkat Yekkirala <vyekkirala@TrustedCS.com> - * - * Granular IPSec Associations for use in MLS environments. - * - * Copyright (C) 2005 International Business Machines Corporation - * Copyright (C) 2006 Trusted Computer Solutions, Inc. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2, - * as published by the Free Software Foundation. - */ - -/* - * USAGE: - * NOTES: - * 1. Make sure to enable the following options in your kernel config: - * CONFIG_SECURITY=y - * CONFIG_SECURITY_NETWORK=y - * CONFIG_SECURITY_NETWORK_XFRM=y - * CONFIG_SECURITY_SELINUX=m/y - * ISSUES: - * 1. Caching packets, so they are not dropped during negotiation - * 2. Emulating a reasonable SO_PEERSEC across machines - * 3. Testing addition of sk_policy's with security context via setsockopt - */ -#include <linux/kernel.h> -#include <linux/init.h> -#include <linux/security.h> -#include <linux/types.h> -#include <linux/netfilter.h> -#include <linux/netfilter_ipv4.h> -#include <linux/netfilter_ipv6.h> -#include <linux/slab.h> -#include <linux/ip.h> -#include <linux/tcp.h> -#include <linux/skbuff.h> -#include <linux/xfrm.h> -#include <net/xfrm.h> -#include <net/checksum.h> -#include <net/udp.h> -#include <linux/atomic.h> - -#include "avc.h" -#include "objsec.h" -#include "xfrm.h" - -/* Labeled XFRM instance counter */ -atomic_t selinux_xfrm_refcount = ATOMIC_INIT(0); - -/* - * Returns true if an LSM/SELinux context - */ -static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx) -{ - return (ctx && - (ctx->ctx_doi == XFRM_SC_DOI_LSM) && - (ctx->ctx_alg == XFRM_SC_ALG_SELINUX)); -} - -/* - * Returns true if the xfrm contains a security blob for SELinux - */ -static inline int selinux_authorizable_xfrm(struct xfrm_state *x) -{ - return selinux_authorizable_ctx(x->security); -} - -/* - * LSM hook implementation that authorizes that a flow can use - * a xfrm policy rule. - */ -int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir) -{ - int rc; - u32 sel_sid; - - /* Context sid is either set to label or ANY_ASSOC */ - if (ctx) { - if (!selinux_authorizable_ctx(ctx)) - return -EINVAL; - - sel_sid = ctx->ctx_sid; - } else - /* - * All flows should be treated as polmatch'ing an - * otherwise applicable "non-labeled" policy. This - * would prevent inadvertent "leaks". - */ - return 0; - - rc = avc_has_perm(fl_secid, sel_sid, SECCLASS_ASSOCIATION, - ASSOCIATION__POLMATCH, - NULL); - - if (rc == -EACCES) - return -ESRCH; - - return rc; -} - -/* - * LSM hook implementation that authorizes that a state matches - * the given policy, flow combo. - */ - -int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *xp, - const struct flowi *fl) -{ - u32 state_sid; - int rc; - - if (!xp->security) - if (x->security) - /* unlabeled policy and labeled SA can't match */ - return 0; - else - /* unlabeled policy and unlabeled SA match all flows */ - return 1; - else - if (!x->security) - /* unlabeled SA and labeled policy can't match */ - return 0; - else - if (!selinux_authorizable_xfrm(x)) - /* Not a SELinux-labeled SA */ - return 0; - - state_sid = x->security->ctx_sid; - - if (fl->flowi_secid != state_sid) - return 0; - - rc = avc_has_perm(fl->flowi_secid, state_sid, SECCLASS_ASSOCIATION, - ASSOCIATION__SENDTO, - NULL)? 0:1; - - /* - * We don't need a separate SA Vs. policy polmatch check - * since the SA is now of the same label as the flow and - * a flow Vs. policy polmatch check had already happened - * in selinux_xfrm_policy_lookup() above. - */ - - return rc; -} - -/* - * LSM hook implementation that checks and/or returns the xfrm sid for the - * incoming packet. - */ - -int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall) -{ - struct sec_path *sp; - - *sid = SECSID_NULL; - - if (skb == NULL) - return 0; - - sp = skb->sp; - if (sp) { - int i, sid_set = 0; - - for (i = sp->len-1; i >= 0; i--) { - struct xfrm_state *x = sp->xvec[i]; - if (selinux_authorizable_xfrm(x)) { - struct xfrm_sec_ctx *ctx = x->security; - - if (!sid_set) { - *sid = ctx->ctx_sid; - sid_set = 1; - - if (!ckall) - break; - } else if (*sid != ctx->ctx_sid) - return -EINVAL; - } - } - } - - return 0; -} - -/* - * Security blob allocation for xfrm_policy and xfrm_state - * CTX does not have a meaningful value on input - */ -static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp, - struct xfrm_user_sec_ctx *uctx, u32 sid) -{ - int rc = 0; - const struct task_security_struct *tsec = current_security(); - struct xfrm_sec_ctx *ctx = NULL; - char *ctx_str = NULL; - u32 str_len; - - BUG_ON(uctx && sid); - - if (!uctx) - goto not_from_user; - - if (uctx->ctx_alg != XFRM_SC_ALG_SELINUX) - return -EINVAL; - - str_len = uctx->ctx_len; - if (str_len >= PAGE_SIZE) - return -ENOMEM; - - *ctxp = ctx = kmalloc(sizeof(*ctx) + - str_len + 1, - GFP_KERNEL); - - if (!ctx) - return -ENOMEM; - - ctx->ctx_doi = uctx->ctx_doi; - ctx->ctx_len = str_len; - ctx->ctx_alg = uctx->ctx_alg; - - memcpy(ctx->ctx_str, - uctx+1, - str_len); - ctx->ctx_str[str_len] = 0; - rc = security_context_to_sid(ctx->ctx_str, - str_len, - &ctx->ctx_sid); - - if (rc) - goto out; - - /* - * Does the subject have permission to set security context? - */ - rc = avc_has_perm(tsec->sid, ctx->ctx_sid, - SECCLASS_ASSOCIATION, - ASSOCIATION__SETCONTEXT, NULL); - if (rc) - goto out; - - return rc; - -not_from_user: - rc = security_sid_to_context(sid, &ctx_str, &str_len); - if (rc) - goto out; - - *ctxp = ctx = kmalloc(sizeof(*ctx) + - str_len, - GFP_ATOMIC); - - if (!ctx) { - rc = -ENOMEM; - goto out; - } - - ctx->ctx_doi = XFRM_SC_DOI_LSM; - ctx->ctx_alg = XFRM_SC_ALG_SELINUX; - ctx->ctx_sid = sid; - ctx->ctx_len = str_len; - memcpy(ctx->ctx_str, - ctx_str, - str_len); - - goto out2; - -out: - *ctxp = NULL; - kfree(ctx); -out2: - kfree(ctx_str); - return rc; -} - -/* - * LSM hook implementation that allocs and transfers uctx spec to - * xfrm_policy. - */ -int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp, - struct xfrm_user_sec_ctx *uctx) -{ - int err; - - BUG_ON(!uctx); - - err = selinux_xfrm_sec_ctx_alloc(ctxp, uctx, 0); - if (err == 0) - atomic_inc(&selinux_xfrm_refcount); - - return err; -} - - -/* - * LSM hook implementation that copies security data structure from old to - * new for policy cloning. - */ -int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, - struct xfrm_sec_ctx **new_ctxp) -{ - struct xfrm_sec_ctx *new_ctx; - - if (old_ctx) { - new_ctx = kmalloc(sizeof(*old_ctx) + old_ctx->ctx_len, - GFP_KERNEL); - if (!new_ctx) - return -ENOMEM; - - memcpy(new_ctx, old_ctx, sizeof(*new_ctx)); - memcpy(new_ctx->ctx_str, old_ctx->ctx_str, new_ctx->ctx_len); - *new_ctxp = new_ctx; - } - return 0; -} - -/* - * LSM hook implementation that frees xfrm_sec_ctx security information. - */ -void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx) -{ - kfree(ctx); -} - -/* - * LSM hook implementation that authorizes deletion of labeled policies. - */ -int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx) -{ - const struct task_security_struct *tsec = current_security(); - int rc = 0; - - if (ctx) { - rc = avc_has_perm(tsec->sid, ctx->ctx_sid, - SECCLASS_ASSOCIATION, - ASSOCIATION__SETCONTEXT, NULL); - if (rc == 0) - atomic_dec(&selinux_xfrm_refcount); - } - - return rc; -} - -/* - * LSM hook implementation that allocs and transfers sec_ctx spec to - * xfrm_state. - */ -int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *uctx, - u32 secid) -{ - int err; - - BUG_ON(!x); - - err = selinux_xfrm_sec_ctx_alloc(&x->security, uctx, secid); - if (err == 0) - atomic_inc(&selinux_xfrm_refcount); - return err; -} - -/* - * LSM hook implementation that frees xfrm_state security information. - */ -void selinux_xfrm_state_free(struct xfrm_state *x) -{ - struct xfrm_sec_ctx *ctx = x->security; - kfree(ctx); -} - - /* - * LSM hook implementation that authorizes deletion of labeled SAs. - */ -int selinux_xfrm_state_delete(struct xfrm_state *x) -{ - const struct task_security_struct *tsec = current_security(); - struct xfrm_sec_ctx *ctx = x->security; - int rc = 0; - - if (ctx) { - rc = avc_has_perm(tsec->sid, ctx->ctx_sid, - SECCLASS_ASSOCIATION, - ASSOCIATION__SETCONTEXT, NULL); - if (rc == 0) - atomic_dec(&selinux_xfrm_refcount); - } - - return rc; -} - -/* - * LSM hook that controls access to unlabelled packets. If - * a xfrm_state is authorizable (defined by macro) then it was - * already authorized by the IPSec process. If not, then - * we need to check for unlabelled access since this may not have - * gone thru the IPSec process. - */ -int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb, - struct common_audit_data *ad) -{ - int i, rc = 0; - struct sec_path *sp; - u32 sel_sid = SECINITSID_UNLABELED; - - sp = skb->sp; - - if (sp) { - for (i = 0; i < sp->len; i++) { - struct xfrm_state *x = sp->xvec[i]; - - if (x && selinux_authorizable_xfrm(x)) { - struct xfrm_sec_ctx *ctx = x->security; - sel_sid = ctx->ctx_sid; - break; - } - } - } - - /* - * This check even when there's no association involved is - * intended, according to Trent Jaeger, to make sure a - * process can't engage in non-ipsec communication unless - * explicitly allowed by policy. - */ - - rc = avc_has_perm(isec_sid, sel_sid, SECCLASS_ASSOCIATION, - ASSOCIATION__RECVFROM, ad); - - return rc; -} - -/* - * POSTROUTE_LAST hook's XFRM processing: - * If we have no security association, then we need to determine - * whether the socket is allowed to send to an unlabelled destination. - * If we do have a authorizable security association, then it has already been - * checked in the selinux_xfrm_state_pol_flow_match hook above. - */ -int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, - struct common_audit_data *ad, u8 proto) -{ - struct dst_entry *dst; - int rc = 0; - - dst = skb_dst(skb); - - if (dst) { - struct dst_entry *dst_test; - - for (dst_test = dst; dst_test != NULL; - dst_test = dst_test->child) { - struct xfrm_state *x = dst_test->xfrm; - - if (x && selinux_authorizable_xfrm(x)) - goto out; - } - } - - switch (proto) { - case IPPROTO_AH: - case IPPROTO_ESP: - case IPPROTO_COMP: - /* - * We should have already seen this packet once before - * it underwent xfrm(s). No need to subject it to the - * unlabeled check. - */ - goto out; - default: - break; - } - - /* - * This check even when there's no association involved is - * intended, according to Trent Jaeger, to make sure a - * process can't engage in non-ipsec communication unless - * explicitly allowed by policy. - */ - - rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION, - ASSOCIATION__SENDTO, ad); -out: - return rc; -} |