2
* Implementation of the security services.
4
* Authors : Stephen Smalley, <sds@epoch.ncsc.mil>
5
* James Morris <jmorris@redhat.com>
7
* Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
9
* Support for enhanced MLS infrastructure.
11
* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
13
* Added conditional policy language extensions
15
* Updated: Hewlett-Packard <paul.moore@hp.com>
17
* Added support for the policy capability bitmap
19
* Updated: Chad Sellers <csellers@tresys.com>
21
* Added validation of kernel classes and permissions
23
* Updated: KaiGai Kohei <kaigai@ak.jp.nec.com>
25
* Added support for bounds domain and audit messaged on masked permissions
27
* Copyright (C) 2008, 2009 NEC Corporation
28
* Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
29
* Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
30
* Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC
31
* Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
32
* This program is free software; you can redistribute it and/or modify
33
* it under the terms of the GNU General Public License as published by
34
* the Free Software Foundation, version 2.
37
/* Ported to Xen 3.0, George Coker, <gscoker@alpha.ncsc.mil> */
40
#include <xen/xmalloc.h>
41
#include <xen/string.h>
42
#include <xen/spinlock.h>
43
#include <xen/errno.h>
52
#include "conditional.h"
55
unsigned int policydb_loaded_version;
57
static DEFINE_RWLOCK(policy_rwlock);
58
#define POLICY_RDLOCK read_lock(&policy_rwlock)
59
#define POLICY_WRLOCK write_lock(&policy_rwlock)
60
#define POLICY_RDUNLOCK read_unlock(&policy_rwlock)
61
#define POLICY_WRUNLOCK write_unlock(&policy_rwlock)
63
static DEFINE_SPINLOCK(load_sem);
64
#define LOAD_LOCK spin_lock(&load_sem)
65
#define LOAD_UNLOCK spin_unlock(&load_sem)
67
static struct sidtab sidtab;
68
struct policydb policydb;
69
int ss_initialized = 0;
72
* The largest sequence number that has been used when
73
* providing an access decision to the access vector cache.
74
* The sequence number only changes when a policy change
77
static u32 latest_granting = 0;
79
/* Forward declaration. */
80
static int context_struct_to_string(struct context *context, char **scontext,
83
static int context_struct_compute_av(struct context *scontext,
84
struct context *tcontext,
87
struct av_decision *avd);
90
* Return the boolean value of a constraint expression
91
* when it is applied to the specified source and target
94
* xcontext is a special beast... It is used by the validatetrans rules
95
* only. For these rules, scontext is the context before the transition,
96
* tcontext is the context after the transition, and xcontext is the context
97
* of the process performing the transition. All other callers of
98
* constraint_expr_eval should pass in NULL for xcontext.
100
static int constraint_expr_eval(struct context *scontext,
101
struct context *tcontext, struct context *xcontext,
102
struct constraint_expr *cexpr)
106
struct role_datum *r1, *r2;
107
struct mls_level *l1, *l2;
108
struct constraint_expr *e;
109
int s[CEXPR_MAXDEPTH];
112
for ( e = cexpr; e; e = e->next )
114
switch ( e->expr_type )
131
if ( sp == (CEXPR_MAXDEPTH-1) )
136
val1 = scontext->user;
137
val2 = tcontext->user;
140
val1 = scontext->type;
141
val2 = tcontext->type;
144
val1 = scontext->role;
145
val2 = tcontext->role;
146
r1 = policydb.role_val_to_struct[val1 - 1];
147
r2 = policydb.role_val_to_struct[val2 - 1];
151
s[++sp] = ebitmap_get_bit(&r1->dominates, val2 - 1);
154
s[++sp] = ebitmap_get_bit(&r2->dominates, val1 - 1);
157
s[++sp] = ( !ebitmap_get_bit(&r1->dominates,
159
!ebitmap_get_bit(&r2->dominates,
167
l1 = &(scontext->range.level[0]);
168
l2 = &(tcontext->range.level[0]);
171
l1 = &(scontext->range.level[0]);
172
l2 = &(tcontext->range.level[1]);
175
l1 = &(scontext->range.level[1]);
176
l2 = &(tcontext->range.level[0]);
179
l1 = &(scontext->range.level[1]);
180
l2 = &(tcontext->range.level[1]);
183
l1 = &(scontext->range.level[0]);
184
l2 = &(scontext->range.level[1]);
187
l1 = &(tcontext->range.level[0]);
188
l2 = &(tcontext->range.level[1]);
194
s[++sp] = mls_level_eq(l1, l2);
197
s[++sp] = !mls_level_eq(l1, l2);
200
s[++sp] = mls_level_dom(l1, l2);
203
s[++sp] = mls_level_dom(l2, l1);
206
s[++sp] = mls_level_incomp(l2, l1);
221
s[++sp] = (val1 == val2);
224
s[++sp] = (val1 != val2);
232
if ( sp == (CEXPR_MAXDEPTH-1) )
235
if ( e->attr & CEXPR_TARGET )
237
else if ( e->attr & CEXPR_XTARGET )
246
if ( e->attr & CEXPR_USER )
248
else if ( e->attr & CEXPR_ROLE )
250
else if ( e->attr & CEXPR_TYPE )
261
s[++sp] = ebitmap_get_bit(&e->names, val1 - 1);
264
s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1);
282
* security_dump_masked_av - dumps masked permissions during
283
* security_compute_av due to RBAC, MLS/Constraint and Type bounds.
285
static int dump_masked_av_helper(void *k, void *d, void *args)
287
struct perm_datum *pdatum = d;
288
char **permission_names = args;
290
BUG_ON(pdatum->value < 1 || pdatum->value > 32);
292
permission_names[pdatum->value - 1] = (char *)k;
297
static void security_dump_masked_av(struct context *scontext,
298
struct context *tcontext,
303
struct common_datum *common_dat;
304
struct class_datum *tclass_dat;
306
char *scontext_name = NULL;
307
char *tcontext_name = NULL;
308
char *permission_names[32];
311
unsigned char need_comma = 0;
316
tclass_name = policydb.p_class_val_to_name[tclass - 1];
317
tclass_dat = policydb.class_val_to_struct[tclass - 1];
318
common_dat = tclass_dat->comdatum;
320
/* init permission_names */
322
hashtab_map(common_dat->permissions.table,
323
dump_masked_av_helper, permission_names) < 0 )
326
if ( hashtab_map(tclass_dat->permissions.table,
327
dump_masked_av_helper, permission_names) < 0 )
330
/* get scontext/tcontext in text form */
331
if ( context_struct_to_string(scontext,
332
&scontext_name, &length) < 0 )
335
if ( context_struct_to_string(tcontext,
336
&tcontext_name, &length) < 0 )
339
printk("Flask: op=security_compute_av reason=%s "
340
"scontext=%s tcontext=%s tclass=%s perms=",
341
reason, scontext_name, tcontext_name, tclass_name);
343
for ( index = 0; index < 32; index++ )
345
u32 mask = (1 << index);
347
if ( (mask & permissions) == 0 )
351
need_comma ? "," : "",
352
permission_names[index]
353
? permission_names[index] : "????");
358
/* release scontext/tcontext */
359
xfree(tcontext_name);
360
xfree(scontext_name);
366
* security_boundary_permission - drops violated permissions
367
* on boundary constraint.
369
static void type_attribute_bounds_av(struct context *scontext,
370
struct context *tcontext,
373
struct av_decision *avd)
375
struct context lo_scontext;
376
struct context lo_tcontext;
377
struct av_decision lo_avd;
378
struct type_datum *source
379
= policydb.type_val_to_struct[scontext->type - 1];
380
struct type_datum *target
381
= policydb.type_val_to_struct[tcontext->type - 1];
384
if ( source->bounds )
386
memset(&lo_avd, 0, sizeof(lo_avd));
388
memcpy(&lo_scontext, scontext, sizeof(lo_scontext));
389
lo_scontext.type = source->bounds;
391
context_struct_compute_av(&lo_scontext,
396
if ( (lo_avd.allowed & avd->allowed) == avd->allowed )
397
return; /* no masked permission */
398
masked = ~lo_avd.allowed & avd->allowed;
401
if ( target->bounds )
403
memset(&lo_avd, 0, sizeof(lo_avd));
405
memcpy(&lo_tcontext, tcontext, sizeof(lo_tcontext));
406
lo_tcontext.type = target->bounds;
408
context_struct_compute_av(scontext,
413
if ( (lo_avd.allowed & avd->allowed) == avd->allowed )
414
return; /* no masked permission */
415
masked = ~lo_avd.allowed & avd->allowed;
418
if ( source->bounds && target->bounds )
420
memset(&lo_avd, 0, sizeof(lo_avd));
422
* lo_scontext and lo_tcontext are already
426
context_struct_compute_av(&lo_scontext,
431
if ( (lo_avd.allowed & avd->allowed) == avd->allowed )
432
return; /* no masked permission */
433
masked = ~lo_avd.allowed & avd->allowed;
438
/* mask violated permissions */
439
avd->allowed &= ~masked;
441
/* audit masked permissions */
442
security_dump_masked_av(scontext, tcontext,
443
tclass, masked, "bounds");
448
* Compute access vectors based on a context structure pair for
449
* the permissions in a particular class.
451
static int context_struct_compute_av(struct context *scontext,
452
struct context *tcontext,
455
struct av_decision *avd)
457
struct constraint_node *constraint;
458
struct role_allow *ra;
459
struct avtab_key avkey;
460
struct avtab_node *node;
461
struct class_datum *tclass_datum;
462
struct ebitmap *sattr, *tattr;
463
struct ebitmap_node *snode, *tnode;
467
* Initialize the access vectors to the default values.
471
avd->auditdeny = 0xffffffff;
472
avd->seqno = latest_granting;
476
* We do not presently support policydb.handle_unknown == allow in Xen.
478
if ( !tclass || tclass > policydb.p_classes.nprim )
481
tclass_datum = policydb.class_val_to_struct[tclass - 1];
484
* If a specific type enforcement rule was defined for
485
* this permission check, then use it.
487
avkey.target_class = tclass;
488
avkey.specified = AVTAB_AV;
489
sattr = &policydb.type_attr_map[scontext->type - 1];
490
tattr = &policydb.type_attr_map[tcontext->type - 1];
491
ebitmap_for_each_positive_bit(sattr, snode, i)
493
ebitmap_for_each_positive_bit(tattr, tnode, j)
495
avkey.source_type = i + 1;
496
avkey.target_type = j + 1;
497
for ( node = avtab_search_node(&policydb.te_avtab, &avkey);
499
node = avtab_search_node_next(node, avkey.specified) )
501
if ( node->key.specified == AVTAB_ALLOWED )
502
avd->allowed |= node->datum.data;
503
else if ( node->key.specified == AVTAB_AUDITALLOW )
504
avd->auditallow |= node->datum.data;
505
else if ( node->key.specified == AVTAB_AUDITDENY )
506
avd->auditdeny &= node->datum.data;
509
/* Check conditional av table for additional permissions */
510
cond_compute_av(&policydb.te_cond_avtab, &avkey, avd);
516
* Remove any permissions prohibited by a constraint (this includes
519
constraint = tclass_datum->constraints;
522
if ( (constraint->permissions & (avd->allowed) ) &&
523
!constraint_expr_eval(scontext, tcontext, NULL, constraint->expr))
525
avd->allowed &= ~(constraint->permissions);
527
constraint = constraint->next;
531
* If checking process transition permission and the
532
* role is changing, then check the (current_role, new_role)
535
if ( tclass == SECCLASS_DOMAIN &&
536
(avd->allowed & DOMAIN__TRANSITION) &&
537
scontext->role != tcontext->role )
539
for ( ra = policydb.role_allow; ra; ra = ra->next )
541
if ( scontext->role == ra->role && tcontext->role == ra->new_role )
545
avd->allowed &= ~DOMAIN__TRANSITION;
549
* If the given source and target types have boundary
550
* constraint, lazy checks have to mask any violated
551
* permission and notice it to userspace via audit.
553
type_attribute_bounds_av(scontext, tcontext,
554
tclass, requested, avd);
558
static int security_validtrans_handle_fail(struct context *ocontext,
559
struct context *ncontext, struct context *tcontext, u16 tclass)
561
char *o = NULL, *n = NULL, *t = NULL;
562
u32 olen, nlen, tlen;
564
if ( context_struct_to_string(ocontext, &o, &olen) < 0 )
566
if ( context_struct_to_string(ncontext, &n, &nlen) < 0 )
568
if ( context_struct_to_string(tcontext, &t, &tlen) < 0 )
570
printk("security_validate_transition: denied for"
571
" oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
572
o, n, t, policydb.p_class_val_to_name[tclass-1]);
578
if ( !flask_enforcing )
583
int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
586
struct context *ocontext;
587
struct context *ncontext;
588
struct context *tcontext;
589
struct class_datum *tclass_datum;
590
struct constraint_node *constraint;
593
if ( !ss_initialized )
598
if ( !tclass || tclass > policydb.p_classes.nprim )
600
printk(KERN_ERR "security_validate_transition: "
601
"unrecognized class %d\n", tclass);
605
tclass_datum = policydb.class_val_to_struct[tclass - 1];
607
ocontext = sidtab_search(&sidtab, oldsid);
610
printk(KERN_ERR "security_validate_transition: "
611
" unrecognized SID %d\n", oldsid);
616
ncontext = sidtab_search(&sidtab, newsid);
619
printk(KERN_ERR "security_validate_transition: "
620
" unrecognized SID %d\n", newsid);
625
tcontext = sidtab_search(&sidtab, tasksid);
628
printk(KERN_ERR "security_validate_transition: "
629
" unrecognized SID %d\n", tasksid);
634
constraint = tclass_datum->validatetrans;
637
if ( !constraint_expr_eval(ocontext, ncontext, tcontext,
640
rc = security_validtrans_handle_fail(ocontext, ncontext,
644
constraint = constraint->next;
653
* security_compute_av - Compute access vector decisions.
654
* @ssid: source security identifier
655
* @tsid: target security identifier
656
* @tclass: target security class
657
* @requested: requested permissions
658
* @avd: access vector decisions
660
* Compute a set of access vector decisions based on the
661
* SID pair (@ssid, @tsid) for the permissions in @tclass.
662
* Return -%EINVAL if any of the parameters are invalid or %0
663
* if the access vector decisions were computed successfully.
665
int security_compute_av(u32 ssid, u32 tsid, u16 tclass, u32 requested,
666
struct av_decision *avd)
668
struct context *scontext = NULL, *tcontext = NULL;
671
if ( !ss_initialized )
673
avd->allowed = 0xffffffff;
675
avd->auditdeny = 0xffffffff;
676
avd->seqno = latest_granting;
682
scontext = sidtab_search(&sidtab, ssid);
685
printk("security_compute_av: unrecognized SID %d\n", ssid);
689
tcontext = sidtab_search(&sidtab, tsid);
692
printk("security_compute_av: unrecognized SID %d\n", tsid);
697
rc = context_struct_compute_av(scontext, tcontext, tclass, requested, avd);
699
/* permissive domain? */
700
if ( ebitmap_get_bit(&policydb.permissive_map, scontext->type) )
701
avd->flags |= AVD_FLAGS_PERMISSIVE;
708
* Write the security context string representation of
709
* the context structure `context' into a dynamically
710
* allocated string of the correct size. Set `*scontext'
711
* to point to this string and set `*scontext_len' to
712
* the length of the string.
714
static int context_struct_to_string(struct context *context, char **scontext, u32 *scontext_len)
721
/* Compute the size of the context. */
722
*scontext_len += strlen(policydb.p_user_val_to_name[context->user - 1]) + 1;
723
*scontext_len += strlen(policydb.p_role_val_to_name[context->role - 1]) + 1;
724
*scontext_len += strlen(policydb.p_type_val_to_name[context->type - 1]) + 1;
725
*scontext_len += mls_compute_context_len(context);
727
/* Allocate space for the context; caller must free this space. */
728
scontextp = xmalloc_array(char, *scontext_len);
732
*scontext = scontextp;
735
* Copy the user name, role name and type name into the context.
737
snprintf(scontextp, *scontext_len, "%s:%s:%s",
738
policydb.p_user_val_to_name[context->user - 1],
739
policydb.p_role_val_to_name[context->role - 1],
740
policydb.p_type_val_to_name[context->type - 1]);
741
scontextp += strlen(policydb.p_user_val_to_name[context->user - 1]) +
742
1 + strlen(policydb.p_role_val_to_name[context->role - 1]) +
743
1 + strlen(policydb.p_type_val_to_name[context->type - 1]);
745
mls_sid_to_context(context, &scontextp);
752
#include "initial_sid_to_string.h"
755
* security_sid_to_context - Obtain a context for a given SID.
756
* @sid: security identifier, SID
757
* @scontext: security context
758
* @scontext_len: length in bytes
760
* Write the string representation of the context associated with @sid
761
* into a dynamically allocated string of the correct size. Set @scontext
762
* to point to this string and set @scontext_len to the length of the string.
764
int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
766
struct context *context;
769
if ( !ss_initialized )
771
if ( sid <= SECINITSID_NUM )
775
*scontext_len = strlen(initial_sid_to_string[sid]) + 1;
776
scontextp = xmalloc_array(char, *scontext_len);
777
strlcpy(scontextp, initial_sid_to_string[sid], *scontext_len);
778
*scontext = scontextp;
781
printk(KERN_ERR "security_sid_to_context: called before initial "
782
"load_policy on unknown SID %d\n", sid);
787
context = sidtab_search(&sidtab, sid);
790
printk(KERN_ERR "security_sid_to_context: unrecognized SID "
795
rc = context_struct_to_string(context, scontext, scontext_len);
804
* security_context_to_sid - Obtain a SID for a given security context.
805
* @scontext: security context
806
* @scontext_len: length in bytes
807
* @sid: security identifier, SID
809
* Obtains a SID associated with the security context that
810
* has the string representation specified by @scontext.
811
* Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
812
* memory is available, or 0 on success.
814
int security_context_to_sid(char *scontext, u32 scontext_len, u32 *sid)
817
struct context context;
818
struct role_datum *role;
819
struct type_datum *typdatum;
820
struct user_datum *usrdatum;
821
char *scontextp, *p, oldc;
824
if ( !ss_initialized )
828
for ( i = 1; i < SECINITSID_NUM; i++ )
830
if ( !strcmp(initial_sid_to_string[i], scontext) )
836
*sid = SECINITSID_XEN;
841
/* Copy the string so that we can modify the copy as we parse it.
842
The string should already by null terminated, but we append a
843
null suffix to the copy to avoid problems with the existing
844
attr package, which doesn't view the null terminator as part
845
of the attribute value. */
846
scontext2 = xmalloc_array(char, scontext_len+1);
852
memcpy(scontext2, scontext, scontext_len);
853
scontext2[scontext_len] = 0;
855
context_init(&context);
860
/* Parse the security context. */
863
scontextp = (char *) scontext2;
865
/* Extract the user. */
867
while ( *p && *p != ':' )
875
usrdatum = hashtab_search(policydb.p_users.table, scontextp);
879
context.user = usrdatum->value;
883
while ( *p && *p != ':' )
891
role = hashtab_search(policydb.p_roles.table, scontextp);
894
context.role = role->value;
898
while ( *p && *p != ':' )
903
typdatum = hashtab_search(policydb.p_types.table, scontextp);
904
if ( !typdatum || typdatum->attribute )
907
context.type = typdatum->value;
909
rc = mls_context_to_sid(oldc, &p, &context, &sidtab);
913
if ( (p - scontext2) < scontext_len )
919
/* Check the validity of the new context. */
920
if ( !policydb_context_isvalid(&policydb, &context) )
925
/* Obtain the new sid. */
926
rc = sidtab_context_to_sid(&sidtab, &context, sid);
929
context_destroy(&context);
935
static int compute_sid_handle_invalid_context(
936
struct context *scontext, struct context *tcontext, u16 tclass,
937
struct context *newcontext)
939
char *s = NULL, *t = NULL, *n = NULL;
940
u32 slen, tlen, nlen;
942
if ( context_struct_to_string(scontext, &s, &slen) < 0 )
944
if ( context_struct_to_string(tcontext, &t, &tlen) < 0 )
946
if ( context_struct_to_string(newcontext, &n, &nlen) < 0 )
948
printk("security_compute_sid: invalid context %s"
952
n, s, t, policydb.p_class_val_to_name[tclass-1]);
957
if ( !flask_enforcing )
962
static int security_compute_sid(u32 ssid,
968
struct context *scontext = NULL, *tcontext = NULL, newcontext;
969
struct role_trans *roletr = NULL;
970
struct avtab_key avkey;
971
struct avtab_datum *avdatum;
972
struct avtab_node *node;
975
if ( !ss_initialized )
979
case SECCLASS_DOMAIN:
991
scontext = sidtab_search(&sidtab, ssid);
994
printk(KERN_ERR "security_compute_sid: unrecognized SID %d\n", ssid);
998
tcontext = sidtab_search(&sidtab, tsid);
1001
printk(KERN_ERR "security_compute_sid: unrecognized SID %d\n", tsid);
1006
context_init(&newcontext);
1008
/* Set the user identity. */
1009
switch ( specified )
1011
case AVTAB_TRANSITION:
1013
/* Use the process user identity. */
1014
newcontext.user = scontext->user;
1017
/* Use the related object owner. */
1018
newcontext.user = tcontext->user;
1022
/* Set the role and type to default values. */
1025
case SECCLASS_DOMAIN:
1026
/* Use the current role and type of process. */
1027
newcontext.role = scontext->role;
1028
newcontext.type = scontext->type;
1031
/* Use the well-defined object role. */
1032
newcontext.role = OBJECT_R_VAL;
1033
/* Use the type of the related object. */
1034
newcontext.type = tcontext->type;
1037
/* Look for a type transition/member/change rule. */
1038
avkey.source_type = scontext->type;
1039
avkey.target_type = tcontext->type;
1040
avkey.target_class = tclass;
1041
avkey.specified = specified;
1042
avdatum = avtab_search(&policydb.te_avtab, &avkey);
1044
/* If no permanent rule, also check for enabled conditional rules */
1047
node = avtab_search_node(&policydb.te_cond_avtab, &avkey);
1048
for ( ; node != NULL; node = avtab_search_node_next(node, specified) )
1050
if ( node->key.specified & AVTAB_ENABLED )
1052
avdatum = &node->datum;
1060
/* Use the type from the type transition/member/change rule. */
1061
newcontext.type = avdatum->data;
1064
/* Check for class-specific changes. */
1067
case SECCLASS_DOMAIN:
1068
if ( specified & AVTAB_TRANSITION )
1070
/* Look for a role transition rule. */
1071
for ( roletr = policydb.role_tr; roletr; roletr = roletr->next )
1073
if ( roletr->role == scontext->role &&
1074
roletr->type == tcontext->type )
1076
/* Use the role transition rule. */
1077
newcontext.role = roletr->new_role;
1087
/* Set the MLS attributes.
1088
This is done last because it may allocate memory. */
1089
rc = mls_compute_sid(scontext, tcontext, tclass, specified, &newcontext);
1093
/* Check the validity of the context. */
1094
if ( !policydb_context_isvalid(&policydb, &newcontext) )
1096
rc = compute_sid_handle_invalid_context(scontext, tcontext, tclass,
1101
/* Obtain the sid for the context. */
1102
rc = sidtab_context_to_sid(&sidtab, &newcontext, out_sid);
1105
context_destroy(&newcontext);
1111
* security_transition_sid - Compute the SID for a new subject/object.
1112
* @ssid: source security identifier
1113
* @tsid: target security identifier
1114
* @tclass: target security class
1115
* @out_sid: security identifier for new subject/object
1117
* Compute a SID to use for labeling a new subject or object in the
1118
* class @tclass based on a SID pair (@ssid, @tsid).
1119
* Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
1120
* if insufficient memory is available, or %0 if the new SID was
1121
* computed successfully.
1123
int security_transition_sid(u32 ssid, u32 tsid, u16 tclass, u32 *out_sid)
1125
return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, out_sid);
1129
* security_member_sid - Compute the SID for member selection.
1130
* @ssid: source security identifier
1131
* @tsid: target security identifier
1132
* @tclass: target security class
1133
* @out_sid: security identifier for selected member
1135
* Compute a SID to use when selecting a member of a polyinstantiated
1136
* object of class @tclass based on a SID pair (@ssid, @tsid).
1137
* Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
1138
* if insufficient memory is available, or %0 if the SID was
1139
* computed successfully.
1141
int security_member_sid(u32 ssid, u32 tsid, u16 tclass, u32 *out_sid)
1143
return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid);
1147
* security_change_sid - Compute the SID for object relabeling.
1148
* @ssid: source security identifier
1149
* @tsid: target security identifier
1150
* @tclass: target security class
1151
* @out_sid: security identifier for selected member
1153
* Compute a SID to use for relabeling an object of class @tclass
1154
* based on a SID pair (@ssid, @tsid).
1155
* Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
1156
* if insufficient memory is available, or %0 if the SID was
1157
* computed successfully.
1159
int security_change_sid(u32 ssid, u32 tsid, u16 tclass, u32 *out_sid)
1161
return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid);
1165
* Verify that each kernel class that is defined in the
1168
static int validate_classes(struct policydb *p)
1171
struct class_datum *cladatum;
1172
struct perm_datum *perdatum;
1173
u32 nprim, tmp, common_pts_len, perm_val, pol_val;
1175
const struct selinux_class_perm *kdefs = &selinux_class_perm;
1176
const char *def_class, *def_perm, *pol_class;
1177
struct symtab *perms;
1179
for ( i = 1; i < kdefs->cts_len; i++ )
1181
def_class = kdefs->class_to_string[i];
1184
if ( i > p->p_classes.nprim )
1187
"Flask: class %s not defined in policy\n",
1191
pol_class = p->p_class_val_to_name[i-1];
1192
if ( strcmp(pol_class, def_class) )
1195
"Flask: class %d is incorrect, found %s but should be %s\n",
1196
i, pol_class, def_class);
1200
for ( i = 0; i < kdefs->av_pts_len; i++ )
1202
class_val = kdefs->av_perm_to_string[i].tclass;
1203
perm_val = kdefs->av_perm_to_string[i].value;
1204
def_perm = kdefs->av_perm_to_string[i].name;
1205
if ( class_val > p->p_classes.nprim )
1207
pol_class = p->p_class_val_to_name[class_val-1];
1208
cladatum = hashtab_search(p->p_classes.table, pol_class);
1209
BUG_ON( !cladatum );
1210
perms = &cladatum->permissions;
1211
nprim = 1 << (perms->nprim - 1);
1212
if ( perm_val > nprim )
1215
"Flask: permission %s in class %s not defined in policy\n",
1216
def_perm, pol_class);
1219
perdatum = hashtab_search(perms->table, def_perm);
1220
if ( perdatum == NULL )
1223
"Flask: permission %s in class %s not found in policy\n",
1224
def_perm, pol_class);
1227
pol_val = 1 << (perdatum->value - 1);
1228
if ( pol_val != perm_val )
1231
"Flask: permission %s in class %s has incorrect value\n",
1232
def_perm, pol_class);
1236
for ( i = 0; i < kdefs->av_inherit_len; i++ )
1238
class_val = kdefs->av_inherit[i].tclass;
1239
if ( class_val > p->p_classes.nprim )
1241
pol_class = p->p_class_val_to_name[class_val-1];
1242
cladatum = hashtab_search(p->p_classes.table, pol_class);
1243
BUG_ON( !cladatum );
1244
if ( !cladatum->comdatum )
1247
"Flask: class %s should have an inherits clause but does not\n",
1251
tmp = kdefs->av_inherit[i].common_base;
1253
while ( !(tmp & 0x01) )
1258
perms = &cladatum->comdatum->permissions;
1259
for ( j = 0; j < common_pts_len; j++ )
1261
def_perm = kdefs->av_inherit[i].common_pts[j];
1262
if ( j >= perms->nprim )
1265
"Flask: permission %s in class %s not defined in policy\n",
1266
def_perm, pol_class);
1269
perdatum = hashtab_search(perms->table, def_perm);
1270
if ( perdatum == NULL )
1273
"Flask: permission %s in class %s not found in policy\n",
1274
def_perm, pol_class);
1277
if ( perdatum->value != j + 1 )
1280
"Flask: permission %s in class %s has incorrect value\n",
1281
def_perm, pol_class);
1289
/* Clone the SID into the new SID table. */
1290
static int clone_sid(u32 sid, struct context *context, void *arg)
1292
struct sidtab *s = arg;
1294
return sidtab_insert(s, sid, context);
1297
static inline int convert_context_handle_invalid_context(struct context *context)
1301
if ( flask_enforcing )
1308
context_struct_to_string(context, &s, &len);
1309
printk(KERN_ERR "Flask: context %s is invalid\n", s);
1315
struct convert_context_args {
1316
struct policydb *oldp;
1317
struct policydb *newp;
1321
* Convert the values in the security context
1322
* structure `c' from the values specified
1323
* in the policy `p->oldp' to the values specified
1324
* in the policy `p->newp'. Verify that the
1325
* context is valid under the new policy.
1327
static int convert_context(u32 key, struct context *c, void *p)
1329
struct convert_context_args *args;
1330
struct context oldc;
1331
struct role_datum *role;
1332
struct type_datum *typdatum;
1333
struct user_datum *usrdatum;
1340
rc = context_cpy(&oldc, c);
1346
/* Convert the user. */
1347
usrdatum = hashtab_search(args->newp->p_users.table,
1348
args->oldp->p_user_val_to_name[c->user - 1]);
1352
c->user = usrdatum->value;
1354
/* Convert the role. */
1355
role = hashtab_search(args->newp->p_roles.table,
1356
args->oldp->p_role_val_to_name[c->role - 1]);
1360
c->role = role->value;
1362
/* Convert the type. */
1363
typdatum = hashtab_search(args->newp->p_types.table,
1364
args->oldp->p_type_val_to_name[c->type - 1]);
1368
c->type = typdatum->value;
1370
rc = mls_convert_context(args->oldp, args->newp, c);
1374
/* Check the validity of the new context. */
1375
if ( !policydb_context_isvalid(args->newp, c) )
1377
rc = convert_context_handle_invalid_context(&oldc);
1382
context_destroy(&oldc);
1386
context_struct_to_string(&oldc, &s, &len);
1387
context_destroy(&oldc);
1388
printk(KERN_ERR "Flask: invalidating context %s\n", s);
1393
static int security_preserve_bools(struct policydb *p);
1396
* security_load_policy - Load a security policy configuration.
1397
* @data: binary policy data
1398
* @len: length of data in bytes
1400
* Load a new set of security policy configuration data,
1401
* validate it and convert the SID table as necessary.
1402
* This function will flush the access vector cache after
1403
* loading the new policy.
1405
int security_load_policy(void *data, size_t len)
1407
struct policydb oldpolicydb, newpolicydb;
1408
struct sidtab oldsidtab, newsidtab;
1409
struct convert_context_args args;
1412
struct policy_file file = { data, len }, *fp = &file;
1416
if ( !ss_initialized )
1418
if ( policydb_read(&policydb, fp) )
1423
if ( policydb_load_isids(&policydb, &sidtab) )
1426
policydb_destroy(&policydb);
1429
if ( validate_classes(&policydb) )
1432
"Flask: the definition of a class is incorrect\n");
1433
sidtab_destroy(&sidtab);
1434
policydb_destroy(&policydb);
1437
policydb_loaded_version = policydb.policyvers;
1439
seqno = ++latest_granting;
1441
avc_ss_reset(seqno);
1446
sidtab_hash_eval(&sidtab, "sids");
1449
if ( policydb_read(&newpolicydb, fp) )
1455
sidtab_init(&newsidtab);
1457
/* Verify that the kernel defined classes are correct. */
1458
if ( validate_classes(&newpolicydb) )
1461
"Flask: the definition of a class is incorrect\n");
1466
rc = security_preserve_bools(&newpolicydb);
1469
printk(KERN_ERR "Flask: unable to preserve booleans\n");
1473
/* Clone the SID table. */
1474
sidtab_shutdown(&sidtab);
1475
if ( sidtab_map(&sidtab, clone_sid, &newsidtab) )
1481
/* Convert the internal representations of contexts
1482
in the new SID table and remove invalid SIDs. */
1483
args.oldp = &policydb;
1484
args.newp = &newpolicydb;
1485
sidtab_map_remove_on_error(&newsidtab, convert_context, &args);
1487
/* Save the old policydb and SID table to free later. */
1488
memcpy(&oldpolicydb, &policydb, sizeof policydb);
1489
sidtab_set(&oldsidtab, &sidtab);
1491
/* Install the new policydb and SID table. */
1493
memcpy(&policydb, &newpolicydb, sizeof policydb);
1494
sidtab_set(&sidtab, &newsidtab);
1495
seqno = ++latest_granting;
1496
policydb_loaded_version = policydb.policyvers;
1500
/* Free the old policydb and SID table. */
1501
policydb_destroy(&oldpolicydb);
1502
sidtab_destroy(&oldsidtab);
1504
avc_ss_reset(seqno);
1510
sidtab_destroy(&newsidtab);
1511
policydb_destroy(&newpolicydb);
1517
* security_pirq_sid - Obtain the SID for a physical irq.
1518
* @pirq: physical irq
1519
* @out_sid: security identifier
1521
int security_pirq_sid(int pirq, u32 *out_sid)
1528
c = policydb.ocontexts[OCON_PIRQ];
1532
if ( c->u.pirq == pirq )
1541
rc = sidtab_context_to_sid(&sidtab, &c->context[0], &c->sid[0]);
1545
*out_sid = c->sid[0];
1549
*out_sid = SECINITSID_PIRQ;
1558
* security_iomem_sid - Obtain the SID for a page of iomem.
1560
* @out_sid: security identifier
1562
int security_iomem_sid(unsigned long mfn, u32 *out_sid)
1569
c = policydb.ocontexts[OCON_IOMEM];
1572
if ( c->u.iomem.low_iomem <= mfn && c->u.iomem.high_iomem >= mfn )
1581
rc = sidtab_context_to_sid(&sidtab, &c->context[0], &c->sid[0]);
1585
*out_sid = c->sid[0];
1589
*out_sid = SECINITSID_IOMEM;
1598
* security_ioport_sid - Obtain the SID for an ioport.
1600
* @out_sid: security identifier
1602
int security_ioport_sid(u32 ioport, u32 *out_sid)
1609
c = policydb.ocontexts[OCON_IOPORT];
1612
if ( c->u.ioport.low_ioport <= ioport &&
1613
c->u.ioport.high_ioport >= ioport )
1622
rc = sidtab_context_to_sid(&sidtab, &c->context[0], &c->sid[0]);
1626
*out_sid = c->sid[0];
1630
*out_sid = SECINITSID_IOPORT;
1639
* security_device_sid - Obtain the SID for a PCI device.
1641
* @out_sid: security identifier
1643
int security_device_sid(u32 device, u32 *out_sid)
1650
c = policydb.ocontexts[OCON_DEVICE];
1653
if ( c->u.device == device )
1662
rc = sidtab_context_to_sid(&sidtab, &c->context[0], &c->sid[0]);
1666
*out_sid = c->sid[0];
1670
*out_sid = SECINITSID_DEVICE;
1681
* security_get_user_sids - Obtain reachable SIDs for a user.
1682
* @fromsid: starting SID
1683
* @username: username
1684
* @sids: array of reachable SIDs for user
1685
* @nel: number of elements in @sids
1687
* Generate the set of SIDs for legal security contexts
1688
* for a given user that can be reached by @fromsid.
1689
* Set *@sids to point to a dynamically allocated
1690
* array containing the set of SIDs. Set *@nel to the
1691
* number of elements in the array.
1694
int security_get_user_sids(u32 fromsid, char *username, u32 **sids, u32 *nel)
1696
struct context *fromcon, usercon;
1697
u32 *mysids, *mysids2, sid;
1698
u32 mynel = 0, maxnel = SIDS_NEL;
1699
struct user_datum *user;
1700
struct role_datum *role;
1701
struct av_decision avd;
1702
struct ebitmap_node *rnode, *tnode;
1705
if ( !ss_initialized )
1714
fromcon = sidtab_search(&sidtab, fromsid);
1721
user = hashtab_search(policydb.p_users.table, username);
1727
usercon.user = user->value;
1729
mysids = xmalloc_array(u32, maxnel);
1735
memset(mysids, 0, maxnel*sizeof(*mysids));
1737
ebitmap_for_each_positive_bit(&user->roles, rnode, i)
1739
role = policydb.role_val_to_struct[i];
1741
ebitmap_for_each_positive_bit(&role->types, tnode, j) {
1744
if ( mls_setup_user_range(fromcon, user, &usercon) )
1747
rc = context_struct_compute_av(fromcon, &usercon,
1751
if ( rc || !(avd.allowed & DOMAIN__TRANSITION) )
1753
rc = sidtab_context_to_sid(&sidtab, &usercon, &sid);
1759
if ( mynel < maxnel )
1761
mysids[mynel++] = sid;
1766
mysids2 = xmalloc_array(u32, maxnel);
1773
memset(mysids2, 0, maxnel*sizeof(*mysids2));
1774
memcpy(mysids2, mysids, mynel * sizeof(*mysids2));
1777
mysids[mynel++] = sid;
1791
int security_get_bools(int *len, char ***names, int **values)
1793
int i, rc = -ENOMEM;
1799
*len = policydb.p_bools.nprim;
1806
*names = (char**)xmalloc_array(char*, *len);
1809
memset(*names, 0, sizeof(char*) * *len);
1811
*values = (int*)xmalloc_array(int, *len);
1815
for ( i = 0; i < *len; i++ )
1818
(*values)[i] = policydb.bool_val_to_struct[i]->state;
1819
name_len = strlen(policydb.p_bool_val_to_name[i]) + 1;
1820
(*names)[i] = (char*)xmalloc_array(char, name_len);
1823
strlcpy((*names)[i], policydb.p_bool_val_to_name[i], name_len);
1824
(*names)[i][name_len - 1] = 0;
1833
for ( i = 0; i < *len; i++ )
1841
int security_set_bools(int len, int *values)
1844
int lenp, seqno = 0;
1845
struct cond_node *cur;
1849
lenp = policydb.p_bools.nprim;
1856
printk(KERN_INFO "Flask: committed booleans { ");
1857
for ( i = 0; i < len; i++ )
1861
policydb.bool_val_to_struct[i]->state = 1;
1865
policydb.bool_val_to_struct[i]->state = 0;
1869
printk("%s:%d", policydb.p_bool_val_to_name[i],
1870
policydb.bool_val_to_struct[i]->state);
1874
for ( cur = policydb.cond_list; cur != NULL; cur = cur->next )
1876
rc = evaluate_cond_node(&policydb, cur);
1881
seqno = ++latest_granting;
1887
avc_ss_reset(seqno);
1892
int security_get_bool_value(int bool)
1899
len = policydb.p_bools.nprim;
1906
rc = policydb.bool_val_to_struct[bool]->state;
1912
static int security_preserve_bools(struct policydb *p)
1914
int rc, nbools = 0, *bvalues = NULL, i;
1915
char **bnames = NULL;
1916
struct cond_bool_datum *booldatum;
1917
struct cond_node *cur;
1919
rc = security_get_bools(&nbools, &bnames, &bvalues);
1922
for ( i = 0; i < nbools; i++ )
1924
booldatum = hashtab_search(p->p_bools.table, bnames[i]);
1926
booldatum->state = bvalues[i];
1928
for ( cur = p->cond_list; cur; cur = cur->next )
1930
rc = evaluate_cond_node(p, cur);
1938
for ( i = 0; i < nbools; i++ )
1946
int determine_ocontext( char *ocontext )
1948
if ( strcmp(ocontext, "pirq") == 0 )
1950
else if ( strcmp(ocontext, "ioport") == 0 )
1952
else if ( strcmp(ocontext, "iomem") == 0 )
1954
else if ( strcmp(ocontext, "pcidevice") == 0 )
1960
int security_ocontext_add( char *ocontext, unsigned long low, unsigned long high
1966
struct ocontext *add;
1968
if ( (ocon = determine_ocontext(ocontext)) < 0 )
1970
if ( (add = xmalloc(struct ocontext)) == NULL )
1972
memset(add, 0, sizeof(struct ocontext));
1979
add->u.pirq = (u16)low;
1986
c = policydb.ocontexts[OCON_PIRQ];
1989
if ( c->u.pirq == add->u.pirq )
1991
printk("%s: Duplicate pirq %d\n", __FUNCTION__, add->u.pirq);
2000
add->next = policydb.ocontexts[OCON_PIRQ];
2001
policydb.ocontexts[OCON_PIRQ] = add;
2006
add->u.ioport.low_ioport = low;
2007
add->u.ioport.high_ioport = high;
2009
c = policydb.ocontexts[OCON_IOPORT];
2012
if ( c->u.ioport.low_ioport <= add->u.ioport.high_ioport &&
2013
add->u.ioport.low_ioport <= c->u.ioport.high_ioport )
2015
printk("%s: IO Port overlap with entry 0x%x - 0x%x\n",
2016
__FUNCTION__, c->u.ioport.low_ioport,
2017
c->u.ioport.high_ioport);
2026
add->next = policydb.ocontexts[OCON_IOPORT];
2027
policydb.ocontexts[OCON_IOPORT] = add;
2032
add->u.iomem.low_iomem = low;
2033
add->u.iomem.high_iomem = high;
2035
c = policydb.ocontexts[OCON_IOMEM];
2038
if ( c->u.iomem.low_iomem <= add->u.iomem.high_iomem &&
2039
add->u.iomem.low_iomem <= c->u.iomem.high_iomem )
2041
printk("%s: IO Memory overlap with entry 0x%x - 0x%x\n",
2042
__FUNCTION__, c->u.iomem.low_iomem,
2043
c->u.iomem.high_iomem);
2052
add->next = policydb.ocontexts[OCON_IOMEM];
2053
policydb.ocontexts[OCON_IOMEM] = add;
2058
add->u.device = low;
2065
c = policydb.ocontexts[OCON_DEVICE];
2068
if ( c->u.device == add->u.device )
2070
printk("%s: Duplicate PCI Device 0x%x\n", __FUNCTION__,
2080
add->next = policydb.ocontexts[OCON_DEVICE];
2081
policydb.ocontexts[OCON_DEVICE] = add;
2095
int security_ocontext_del( char *ocontext, unsigned int low, unsigned int high )
2099
struct ocontext *c, *before_c;
2101
if ( (ocon = determine_ocontext(ocontext)) < 0 )
2108
for ( before_c = NULL, c = policydb.ocontexts[OCON_PIRQ];
2109
c; before_c = c, c = c->next )
2111
if ( c->u.pirq == low )
2113
if ( before_c == NULL )
2115
policydb.ocontexts[OCON_PIRQ] = c->next;
2121
before_c->next = c->next;
2128
printk("%s: ocontext not found: pirq %d\n", __FUNCTION__, low);
2133
for ( before_c = NULL, c = policydb.ocontexts[OCON_IOPORT];
2134
c; before_c = c, c = c->next )
2136
if ( c->u.ioport.low_ioport == low &&
2137
c->u.ioport.high_ioport == high )
2139
if ( before_c == NULL )
2141
policydb.ocontexts[OCON_IOPORT] = c->next;
2147
before_c->next = c->next;
2154
printk("%s: ocontext not found: ioport 0x%x - 0x%x\n", __FUNCTION__,
2160
for ( before_c = NULL, c = policydb.ocontexts[OCON_IOMEM];
2161
c; before_c = c, c = c->next )
2163
if ( c->u.iomem.low_iomem == low &&
2164
c->u.iomem.high_iomem == high )
2166
if ( before_c == NULL )
2168
policydb.ocontexts[OCON_IOMEM] = c->next;
2174
before_c->next = c->next;
2181
printk("%s: ocontext not found: iomem 0x%x - 0x%x\n", __FUNCTION__,
2187
for ( before_c = NULL, c = policydb.ocontexts[OCON_DEVICE];
2188
c; before_c = c, c = c->next )
2190
if ( c->u.device == low )
2192
if ( before_c == NULL )
2194
policydb.ocontexts[OCON_DEVICE] = c->next;
2200
before_c->next = c->next;
2207
printk("%s: ocontext not found: pcidevice 0x%x\n", __FUNCTION__, low);