Merge branch 'next-seccomp' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris...
[sfrench/cifs-2.6.git] / security / selinux / ss / services.c
1 /*
2  * Implementation of the security services.
3  *
4  * Authors : Stephen Smalley, <sds@tycho.nsa.gov>
5  *           James Morris <jmorris@redhat.com>
6  *
7  * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
8  *
9  *      Support for enhanced MLS infrastructure.
10  *      Support for context based audit filters.
11  *
12  * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
13  *
14  *      Added conditional policy language extensions
15  *
16  * Updated: Hewlett-Packard <paul@paul-moore.com>
17  *
18  *      Added support for NetLabel
19  *      Added support for the policy capability bitmap
20  *
21  * Updated: Chad Sellers <csellers@tresys.com>
22  *
23  *  Added validation of kernel classes and permissions
24  *
25  * Updated: KaiGai Kohei <kaigai@ak.jp.nec.com>
26  *
27  *  Added support for bounds domain and audit messaged on masked permissions
28  *
29  * Updated: Guido Trentalancia <guido@trentalancia.com>
30  *
31  *  Added support for runtime switching of the policy type
32  *
33  * Copyright (C) 2008, 2009 NEC Corporation
34  * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
35  * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
36  * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC
37  * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
38  *      This program is free software; you can redistribute it and/or modify
39  *      it under the terms of the GNU General Public License as published by
40  *      the Free Software Foundation, version 2.
41  */
42 #include <linux/kernel.h>
43 #include <linux/slab.h>
44 #include <linux/string.h>
45 #include <linux/spinlock.h>
46 #include <linux/rcupdate.h>
47 #include <linux/errno.h>
48 #include <linux/in.h>
49 #include <linux/sched.h>
50 #include <linux/audit.h>
51 #include <linux/mutex.h>
52 #include <linux/selinux.h>
53 #include <linux/flex_array.h>
54 #include <linux/vmalloc.h>
55 #include <net/netlabel.h>
56
57 #include "flask.h"
58 #include "avc.h"
59 #include "avc_ss.h"
60 #include "security.h"
61 #include "context.h"
62 #include "policydb.h"
63 #include "sidtab.h"
64 #include "services.h"
65 #include "conditional.h"
66 #include "mls.h"
67 #include "objsec.h"
68 #include "netlabel.h"
69 #include "xfrm.h"
70 #include "ebitmap.h"
71 #include "audit.h"
72
73 /* Policy capability names */
74 char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX] = {
75         "network_peer_controls",
76         "open_perms",
77         "extended_socket_class",
78         "always_check_network",
79         "cgroup_seclabel",
80         "nnp_nosuid_transition"
81 };
82
83 int selinux_policycap_netpeer;
84 int selinux_policycap_openperm;
85 int selinux_policycap_extsockclass;
86 int selinux_policycap_alwaysnetwork;
87 int selinux_policycap_cgroupseclabel;
88 int selinux_policycap_nnp_nosuid_transition;
89
90 static DEFINE_RWLOCK(policy_rwlock);
91
92 static struct sidtab sidtab;
93 struct policydb policydb;
94 int ss_initialized;
95
96 /*
97  * The largest sequence number that has been used when
98  * providing an access decision to the access vector cache.
99  * The sequence number only changes when a policy change
100  * occurs.
101  */
102 static u32 latest_granting;
103
104 /* Forward declaration. */
105 static int context_struct_to_string(struct context *context, char **scontext,
106                                     u32 *scontext_len);
107
108 static void context_struct_compute_av(struct context *scontext,
109                                         struct context *tcontext,
110                                         u16 tclass,
111                                         struct av_decision *avd,
112                                         struct extended_perms *xperms);
113
114 struct selinux_mapping {
115         u16 value; /* policy value */
116         unsigned num_perms;
117         u32 perms[sizeof(u32) * 8];
118 };
119
120 static struct selinux_mapping *current_mapping;
121 static u16 current_mapping_size;
122
123 static int selinux_set_mapping(struct policydb *pol,
124                                struct security_class_mapping *map,
125                                struct selinux_mapping **out_map_p,
126                                u16 *out_map_size)
127 {
128         struct selinux_mapping *out_map = NULL;
129         size_t size = sizeof(struct selinux_mapping);
130         u16 i, j;
131         unsigned k;
132         bool print_unknown_handle = false;
133
134         /* Find number of classes in the input mapping */
135         if (!map)
136                 return -EINVAL;
137         i = 0;
138         while (map[i].name)
139                 i++;
140
141         /* Allocate space for the class records, plus one for class zero */
142         out_map = kcalloc(++i, size, GFP_ATOMIC);
143         if (!out_map)
144                 return -ENOMEM;
145
146         /* Store the raw class and permission values */
147         j = 0;
148         while (map[j].name) {
149                 struct security_class_mapping *p_in = map + (j++);
150                 struct selinux_mapping *p_out = out_map + j;
151
152                 /* An empty class string skips ahead */
153                 if (!strcmp(p_in->name, "")) {
154                         p_out->num_perms = 0;
155                         continue;
156                 }
157
158                 p_out->value = string_to_security_class(pol, p_in->name);
159                 if (!p_out->value) {
160                         printk(KERN_INFO
161                                "SELinux:  Class %s not defined in policy.\n",
162                                p_in->name);
163                         if (pol->reject_unknown)
164                                 goto err;
165                         p_out->num_perms = 0;
166                         print_unknown_handle = true;
167                         continue;
168                 }
169
170                 k = 0;
171                 while (p_in->perms[k]) {
172                         /* An empty permission string skips ahead */
173                         if (!*p_in->perms[k]) {
174                                 k++;
175                                 continue;
176                         }
177                         p_out->perms[k] = string_to_av_perm(pol, p_out->value,
178                                                             p_in->perms[k]);
179                         if (!p_out->perms[k]) {
180                                 printk(KERN_INFO
181                                        "SELinux:  Permission %s in class %s not defined in policy.\n",
182                                        p_in->perms[k], p_in->name);
183                                 if (pol->reject_unknown)
184                                         goto err;
185                                 print_unknown_handle = true;
186                         }
187
188                         k++;
189                 }
190                 p_out->num_perms = k;
191         }
192
193         if (print_unknown_handle)
194                 printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
195                        pol->allow_unknown ? "allowed" : "denied");
196
197         *out_map_p = out_map;
198         *out_map_size = i;
199         return 0;
200 err:
201         kfree(out_map);
202         return -EINVAL;
203 }
204
205 /*
206  * Get real, policy values from mapped values
207  */
208
209 static u16 unmap_class(u16 tclass)
210 {
211         if (tclass < current_mapping_size)
212                 return current_mapping[tclass].value;
213
214         return tclass;
215 }
216
217 /*
218  * Get kernel value for class from its policy value
219  */
220 static u16 map_class(u16 pol_value)
221 {
222         u16 i;
223
224         for (i = 1; i < current_mapping_size; i++) {
225                 if (current_mapping[i].value == pol_value)
226                         return i;
227         }
228
229         return SECCLASS_NULL;
230 }
231
232 static void map_decision(u16 tclass, struct av_decision *avd,
233                          int allow_unknown)
234 {
235         if (tclass < current_mapping_size) {
236                 unsigned i, n = current_mapping[tclass].num_perms;
237                 u32 result;
238
239                 for (i = 0, result = 0; i < n; i++) {
240                         if (avd->allowed & current_mapping[tclass].perms[i])
241                                 result |= 1<<i;
242                         if (allow_unknown && !current_mapping[tclass].perms[i])
243                                 result |= 1<<i;
244                 }
245                 avd->allowed = result;
246
247                 for (i = 0, result = 0; i < n; i++)
248                         if (avd->auditallow & current_mapping[tclass].perms[i])
249                                 result |= 1<<i;
250                 avd->auditallow = result;
251
252                 for (i = 0, result = 0; i < n; i++) {
253                         if (avd->auditdeny & current_mapping[tclass].perms[i])
254                                 result |= 1<<i;
255                         if (!allow_unknown && !current_mapping[tclass].perms[i])
256                                 result |= 1<<i;
257                 }
258                 /*
259                  * In case the kernel has a bug and requests a permission
260                  * between num_perms and the maximum permission number, we
261                  * should audit that denial
262                  */
263                 for (; i < (sizeof(u32)*8); i++)
264                         result |= 1<<i;
265                 avd->auditdeny = result;
266         }
267 }
268
269 int security_mls_enabled(void)
270 {
271         return policydb.mls_enabled;
272 }
273
274 /*
275  * Return the boolean value of a constraint expression
276  * when it is applied to the specified source and target
277  * security contexts.
278  *
279  * xcontext is a special beast...  It is used by the validatetrans rules
280  * only.  For these rules, scontext is the context before the transition,
281  * tcontext is the context after the transition, and xcontext is the context
282  * of the process performing the transition.  All other callers of
283  * constraint_expr_eval should pass in NULL for xcontext.
284  */
285 static int constraint_expr_eval(struct context *scontext,
286                                 struct context *tcontext,
287                                 struct context *xcontext,
288                                 struct constraint_expr *cexpr)
289 {
290         u32 val1, val2;
291         struct context *c;
292         struct role_datum *r1, *r2;
293         struct mls_level *l1, *l2;
294         struct constraint_expr *e;
295         int s[CEXPR_MAXDEPTH];
296         int sp = -1;
297
298         for (e = cexpr; e; e = e->next) {
299                 switch (e->expr_type) {
300                 case CEXPR_NOT:
301                         BUG_ON(sp < 0);
302                         s[sp] = !s[sp];
303                         break;
304                 case CEXPR_AND:
305                         BUG_ON(sp < 1);
306                         sp--;
307                         s[sp] &= s[sp + 1];
308                         break;
309                 case CEXPR_OR:
310                         BUG_ON(sp < 1);
311                         sp--;
312                         s[sp] |= s[sp + 1];
313                         break;
314                 case CEXPR_ATTR:
315                         if (sp == (CEXPR_MAXDEPTH - 1))
316                                 return 0;
317                         switch (e->attr) {
318                         case CEXPR_USER:
319                                 val1 = scontext->user;
320                                 val2 = tcontext->user;
321                                 break;
322                         case CEXPR_TYPE:
323                                 val1 = scontext->type;
324                                 val2 = tcontext->type;
325                                 break;
326                         case CEXPR_ROLE:
327                                 val1 = scontext->role;
328                                 val2 = tcontext->role;
329                                 r1 = policydb.role_val_to_struct[val1 - 1];
330                                 r2 = policydb.role_val_to_struct[val2 - 1];
331                                 switch (e->op) {
332                                 case CEXPR_DOM:
333                                         s[++sp] = ebitmap_get_bit(&r1->dominates,
334                                                                   val2 - 1);
335                                         continue;
336                                 case CEXPR_DOMBY:
337                                         s[++sp] = ebitmap_get_bit(&r2->dominates,
338                                                                   val1 - 1);
339                                         continue;
340                                 case CEXPR_INCOMP:
341                                         s[++sp] = (!ebitmap_get_bit(&r1->dominates,
342                                                                     val2 - 1) &&
343                                                    !ebitmap_get_bit(&r2->dominates,
344                                                                     val1 - 1));
345                                         continue;
346                                 default:
347                                         break;
348                                 }
349                                 break;
350                         case CEXPR_L1L2:
351                                 l1 = &(scontext->range.level[0]);
352                                 l2 = &(tcontext->range.level[0]);
353                                 goto mls_ops;
354                         case CEXPR_L1H2:
355                                 l1 = &(scontext->range.level[0]);
356                                 l2 = &(tcontext->range.level[1]);
357                                 goto mls_ops;
358                         case CEXPR_H1L2:
359                                 l1 = &(scontext->range.level[1]);
360                                 l2 = &(tcontext->range.level[0]);
361                                 goto mls_ops;
362                         case CEXPR_H1H2:
363                                 l1 = &(scontext->range.level[1]);
364                                 l2 = &(tcontext->range.level[1]);
365                                 goto mls_ops;
366                         case CEXPR_L1H1:
367                                 l1 = &(scontext->range.level[0]);
368                                 l2 = &(scontext->range.level[1]);
369                                 goto mls_ops;
370                         case CEXPR_L2H2:
371                                 l1 = &(tcontext->range.level[0]);
372                                 l2 = &(tcontext->range.level[1]);
373                                 goto mls_ops;
374 mls_ops:
375                         switch (e->op) {
376                         case CEXPR_EQ:
377                                 s[++sp] = mls_level_eq(l1, l2);
378                                 continue;
379                         case CEXPR_NEQ:
380                                 s[++sp] = !mls_level_eq(l1, l2);
381                                 continue;
382                         case CEXPR_DOM:
383                                 s[++sp] = mls_level_dom(l1, l2);
384                                 continue;
385                         case CEXPR_DOMBY:
386                                 s[++sp] = mls_level_dom(l2, l1);
387                                 continue;
388                         case CEXPR_INCOMP:
389                                 s[++sp] = mls_level_incomp(l2, l1);
390                                 continue;
391                         default:
392                                 BUG();
393                                 return 0;
394                         }
395                         break;
396                         default:
397                                 BUG();
398                                 return 0;
399                         }
400
401                         switch (e->op) {
402                         case CEXPR_EQ:
403                                 s[++sp] = (val1 == val2);
404                                 break;
405                         case CEXPR_NEQ:
406                                 s[++sp] = (val1 != val2);
407                                 break;
408                         default:
409                                 BUG();
410                                 return 0;
411                         }
412                         break;
413                 case CEXPR_NAMES:
414                         if (sp == (CEXPR_MAXDEPTH-1))
415                                 return 0;
416                         c = scontext;
417                         if (e->attr & CEXPR_TARGET)
418                                 c = tcontext;
419                         else if (e->attr & CEXPR_XTARGET) {
420                                 c = xcontext;
421                                 if (!c) {
422                                         BUG();
423                                         return 0;
424                                 }
425                         }
426                         if (e->attr & CEXPR_USER)
427                                 val1 = c->user;
428                         else if (e->attr & CEXPR_ROLE)
429                                 val1 = c->role;
430                         else if (e->attr & CEXPR_TYPE)
431                                 val1 = c->type;
432                         else {
433                                 BUG();
434                                 return 0;
435                         }
436
437                         switch (e->op) {
438                         case CEXPR_EQ:
439                                 s[++sp] = ebitmap_get_bit(&e->names, val1 - 1);
440                                 break;
441                         case CEXPR_NEQ:
442                                 s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1);
443                                 break;
444                         default:
445                                 BUG();
446                                 return 0;
447                         }
448                         break;
449                 default:
450                         BUG();
451                         return 0;
452                 }
453         }
454
455         BUG_ON(sp != 0);
456         return s[0];
457 }
458
459 /*
460  * security_dump_masked_av - dumps masked permissions during
461  * security_compute_av due to RBAC, MLS/Constraint and Type bounds.
462  */
463 static int dump_masked_av_helper(void *k, void *d, void *args)
464 {
465         struct perm_datum *pdatum = d;
466         char **permission_names = args;
467
468         BUG_ON(pdatum->value < 1 || pdatum->value > 32);
469
470         permission_names[pdatum->value - 1] = (char *)k;
471
472         return 0;
473 }
474
475 static void security_dump_masked_av(struct context *scontext,
476                                     struct context *tcontext,
477                                     u16 tclass,
478                                     u32 permissions,
479                                     const char *reason)
480 {
481         struct common_datum *common_dat;
482         struct class_datum *tclass_dat;
483         struct audit_buffer *ab;
484         char *tclass_name;
485         char *scontext_name = NULL;
486         char *tcontext_name = NULL;
487         char *permission_names[32];
488         int index;
489         u32 length;
490         bool need_comma = false;
491
492         if (!permissions)
493                 return;
494
495         tclass_name = sym_name(&policydb, SYM_CLASSES, tclass - 1);
496         tclass_dat = policydb.class_val_to_struct[tclass - 1];
497         common_dat = tclass_dat->comdatum;
498
499         /* init permission_names */
500         if (common_dat &&
501             hashtab_map(common_dat->permissions.table,
502                         dump_masked_av_helper, permission_names) < 0)
503                 goto out;
504
505         if (hashtab_map(tclass_dat->permissions.table,
506                         dump_masked_av_helper, permission_names) < 0)
507                 goto out;
508
509         /* get scontext/tcontext in text form */
510         if (context_struct_to_string(scontext,
511                                      &scontext_name, &length) < 0)
512                 goto out;
513
514         if (context_struct_to_string(tcontext,
515                                      &tcontext_name, &length) < 0)
516                 goto out;
517
518         /* audit a message */
519         ab = audit_log_start(current->audit_context,
520                              GFP_ATOMIC, AUDIT_SELINUX_ERR);
521         if (!ab)
522                 goto out;
523
524         audit_log_format(ab, "op=security_compute_av reason=%s "
525                          "scontext=%s tcontext=%s tclass=%s perms=",
526                          reason, scontext_name, tcontext_name, tclass_name);
527
528         for (index = 0; index < 32; index++) {
529                 u32 mask = (1 << index);
530
531                 if ((mask & permissions) == 0)
532                         continue;
533
534                 audit_log_format(ab, "%s%s",
535                                  need_comma ? "," : "",
536                                  permission_names[index]
537                                  ? permission_names[index] : "????");
538                 need_comma = true;
539         }
540         audit_log_end(ab);
541 out:
542         /* release scontext/tcontext */
543         kfree(tcontext_name);
544         kfree(scontext_name);
545
546         return;
547 }
548
549 /*
550  * security_boundary_permission - drops violated permissions
551  * on boundary constraint.
552  */
553 static void type_attribute_bounds_av(struct context *scontext,
554                                      struct context *tcontext,
555                                      u16 tclass,
556                                      struct av_decision *avd)
557 {
558         struct context lo_scontext;
559         struct context lo_tcontext, *tcontextp = tcontext;
560         struct av_decision lo_avd;
561         struct type_datum *source;
562         struct type_datum *target;
563         u32 masked = 0;
564
565         source = flex_array_get_ptr(policydb.type_val_to_struct_array,
566                                     scontext->type - 1);
567         BUG_ON(!source);
568
569         if (!source->bounds)
570                 return;
571
572         target = flex_array_get_ptr(policydb.type_val_to_struct_array,
573                                     tcontext->type - 1);
574         BUG_ON(!target);
575
576         memset(&lo_avd, 0, sizeof(lo_avd));
577
578         memcpy(&lo_scontext, scontext, sizeof(lo_scontext));
579         lo_scontext.type = source->bounds;
580
581         if (target->bounds) {
582                 memcpy(&lo_tcontext, tcontext, sizeof(lo_tcontext));
583                 lo_tcontext.type = target->bounds;
584                 tcontextp = &lo_tcontext;
585         }
586
587         context_struct_compute_av(&lo_scontext,
588                                   tcontextp,
589                                   tclass,
590                                   &lo_avd,
591                                   NULL);
592
593         masked = ~lo_avd.allowed & avd->allowed;
594
595         if (likely(!masked))
596                 return;         /* no masked permission */
597
598         /* mask violated permissions */
599         avd->allowed &= ~masked;
600
601         /* audit masked permissions */
602         security_dump_masked_av(scontext, tcontext,
603                                 tclass, masked, "bounds");
604 }
605
606 /*
607  * flag which drivers have permissions
608  * only looking for ioctl based extended permssions
609  */
610 void services_compute_xperms_drivers(
611                 struct extended_perms *xperms,
612                 struct avtab_node *node)
613 {
614         unsigned int i;
615
616         if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) {
617                 /* if one or more driver has all permissions allowed */
618                 for (i = 0; i < ARRAY_SIZE(xperms->drivers.p); i++)
619                         xperms->drivers.p[i] |= node->datum.u.xperms->perms.p[i];
620         } else if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) {
621                 /* if allowing permissions within a driver */
622                 security_xperm_set(xperms->drivers.p,
623                                         node->datum.u.xperms->driver);
624         }
625
626         /* If no ioctl commands are allowed, ignore auditallow and auditdeny */
627         if (node->key.specified & AVTAB_XPERMS_ALLOWED)
628                 xperms->len = 1;
629 }
630
631 /*
632  * Compute access vectors and extended permissions based on a context
633  * structure pair for the permissions in a particular class.
634  */
635 static void context_struct_compute_av(struct context *scontext,
636                                         struct context *tcontext,
637                                         u16 tclass,
638                                         struct av_decision *avd,
639                                         struct extended_perms *xperms)
640 {
641         struct constraint_node *constraint;
642         struct role_allow *ra;
643         struct avtab_key avkey;
644         struct avtab_node *node;
645         struct class_datum *tclass_datum;
646         struct ebitmap *sattr, *tattr;
647         struct ebitmap_node *snode, *tnode;
648         unsigned int i, j;
649
650         avd->allowed = 0;
651         avd->auditallow = 0;
652         avd->auditdeny = 0xffffffff;
653         if (xperms) {
654                 memset(&xperms->drivers, 0, sizeof(xperms->drivers));
655                 xperms->len = 0;
656         }
657
658         if (unlikely(!tclass || tclass > policydb.p_classes.nprim)) {
659                 if (printk_ratelimit())
660                         printk(KERN_WARNING "SELinux:  Invalid class %hu\n", tclass);
661                 return;
662         }
663
664         tclass_datum = policydb.class_val_to_struct[tclass - 1];
665
666         /*
667          * If a specific type enforcement rule was defined for
668          * this permission check, then use it.
669          */
670         avkey.target_class = tclass;
671         avkey.specified = AVTAB_AV | AVTAB_XPERMS;
672         sattr = flex_array_get(policydb.type_attr_map_array, scontext->type - 1);
673         BUG_ON(!sattr);
674         tattr = flex_array_get(policydb.type_attr_map_array, tcontext->type - 1);
675         BUG_ON(!tattr);
676         ebitmap_for_each_positive_bit(sattr, snode, i) {
677                 ebitmap_for_each_positive_bit(tattr, tnode, j) {
678                         avkey.source_type = i + 1;
679                         avkey.target_type = j + 1;
680                         for (node = avtab_search_node(&policydb.te_avtab, &avkey);
681                              node;
682                              node = avtab_search_node_next(node, avkey.specified)) {
683                                 if (node->key.specified == AVTAB_ALLOWED)
684                                         avd->allowed |= node->datum.u.data;
685                                 else if (node->key.specified == AVTAB_AUDITALLOW)
686                                         avd->auditallow |= node->datum.u.data;
687                                 else if (node->key.specified == AVTAB_AUDITDENY)
688                                         avd->auditdeny &= node->datum.u.data;
689                                 else if (xperms && (node->key.specified & AVTAB_XPERMS))
690                                         services_compute_xperms_drivers(xperms, node);
691                         }
692
693                         /* Check conditional av table for additional permissions */
694                         cond_compute_av(&policydb.te_cond_avtab, &avkey,
695                                         avd, xperms);
696
697                 }
698         }
699
700         /*
701          * Remove any permissions prohibited by a constraint (this includes
702          * the MLS policy).
703          */
704         constraint = tclass_datum->constraints;
705         while (constraint) {
706                 if ((constraint->permissions & (avd->allowed)) &&
707                     !constraint_expr_eval(scontext, tcontext, NULL,
708                                           constraint->expr)) {
709                         avd->allowed &= ~(constraint->permissions);
710                 }
711                 constraint = constraint->next;
712         }
713
714         /*
715          * If checking process transition permission and the
716          * role is changing, then check the (current_role, new_role)
717          * pair.
718          */
719         if (tclass == policydb.process_class &&
720             (avd->allowed & policydb.process_trans_perms) &&
721             scontext->role != tcontext->role) {
722                 for (ra = policydb.role_allow; ra; ra = ra->next) {
723                         if (scontext->role == ra->role &&
724                             tcontext->role == ra->new_role)
725                                 break;
726                 }
727                 if (!ra)
728                         avd->allowed &= ~policydb.process_trans_perms;
729         }
730
731         /*
732          * If the given source and target types have boundary
733          * constraint, lazy checks have to mask any violated
734          * permission and notice it to userspace via audit.
735          */
736         type_attribute_bounds_av(scontext, tcontext,
737                                  tclass, avd);
738 }
739
740 static int security_validtrans_handle_fail(struct context *ocontext,
741                                            struct context *ncontext,
742                                            struct context *tcontext,
743                                            u16 tclass)
744 {
745         char *o = NULL, *n = NULL, *t = NULL;
746         u32 olen, nlen, tlen;
747
748         if (context_struct_to_string(ocontext, &o, &olen))
749                 goto out;
750         if (context_struct_to_string(ncontext, &n, &nlen))
751                 goto out;
752         if (context_struct_to_string(tcontext, &t, &tlen))
753                 goto out;
754         audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
755                   "op=security_validate_transition seresult=denied"
756                   " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
757                   o, n, t, sym_name(&policydb, SYM_CLASSES, tclass-1));
758 out:
759         kfree(o);
760         kfree(n);
761         kfree(t);
762
763         if (!selinux_enforcing)
764                 return 0;
765         return -EPERM;
766 }
767
768 static int security_compute_validatetrans(u32 oldsid, u32 newsid, u32 tasksid,
769                                           u16 orig_tclass, bool user)
770 {
771         struct context *ocontext;
772         struct context *ncontext;
773         struct context *tcontext;
774         struct class_datum *tclass_datum;
775         struct constraint_node *constraint;
776         u16 tclass;
777         int rc = 0;
778
779         if (!ss_initialized)
780                 return 0;
781
782         read_lock(&policy_rwlock);
783
784         if (!user)
785                 tclass = unmap_class(orig_tclass);
786         else
787                 tclass = orig_tclass;
788
789         if (!tclass || tclass > policydb.p_classes.nprim) {
790                 rc = -EINVAL;
791                 goto out;
792         }
793         tclass_datum = policydb.class_val_to_struct[tclass - 1];
794
795         ocontext = sidtab_search(&sidtab, oldsid);
796         if (!ocontext) {
797                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
798                         __func__, oldsid);
799                 rc = -EINVAL;
800                 goto out;
801         }
802
803         ncontext = sidtab_search(&sidtab, newsid);
804         if (!ncontext) {
805                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
806                         __func__, newsid);
807                 rc = -EINVAL;
808                 goto out;
809         }
810
811         tcontext = sidtab_search(&sidtab, tasksid);
812         if (!tcontext) {
813                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
814                         __func__, tasksid);
815                 rc = -EINVAL;
816                 goto out;
817         }
818
819         constraint = tclass_datum->validatetrans;
820         while (constraint) {
821                 if (!constraint_expr_eval(ocontext, ncontext, tcontext,
822                                           constraint->expr)) {
823                         if (user)
824                                 rc = -EPERM;
825                         else
826                                 rc = security_validtrans_handle_fail(ocontext,
827                                                                      ncontext,
828                                                                      tcontext,
829                                                                      tclass);
830                         goto out;
831                 }
832                 constraint = constraint->next;
833         }
834
835 out:
836         read_unlock(&policy_rwlock);
837         return rc;
838 }
839
840 int security_validate_transition_user(u32 oldsid, u32 newsid, u32 tasksid,
841                                         u16 tclass)
842 {
843         return security_compute_validatetrans(oldsid, newsid, tasksid,
844                                                 tclass, true);
845 }
846
847 int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
848                                  u16 orig_tclass)
849 {
850         return security_compute_validatetrans(oldsid, newsid, tasksid,
851                                                 orig_tclass, false);
852 }
853
854 /*
855  * security_bounded_transition - check whether the given
856  * transition is directed to bounded, or not.
857  * It returns 0, if @newsid is bounded by @oldsid.
858  * Otherwise, it returns error code.
859  *
860  * @oldsid : current security identifier
861  * @newsid : destinated security identifier
862  */
863 int security_bounded_transition(u32 old_sid, u32 new_sid)
864 {
865         struct context *old_context, *new_context;
866         struct type_datum *type;
867         int index;
868         int rc;
869
870         read_lock(&policy_rwlock);
871
872         rc = -EINVAL;
873         old_context = sidtab_search(&sidtab, old_sid);
874         if (!old_context) {
875                 printk(KERN_ERR "SELinux: %s: unrecognized SID %u\n",
876                        __func__, old_sid);
877                 goto out;
878         }
879
880         rc = -EINVAL;
881         new_context = sidtab_search(&sidtab, new_sid);
882         if (!new_context) {
883                 printk(KERN_ERR "SELinux: %s: unrecognized SID %u\n",
884                        __func__, new_sid);
885                 goto out;
886         }
887
888         rc = 0;
889         /* type/domain unchanged */
890         if (old_context->type == new_context->type)
891                 goto out;
892
893         index = new_context->type;
894         while (true) {
895                 type = flex_array_get_ptr(policydb.type_val_to_struct_array,
896                                           index - 1);
897                 BUG_ON(!type);
898
899                 /* not bounded anymore */
900                 rc = -EPERM;
901                 if (!type->bounds)
902                         break;
903
904                 /* @newsid is bounded by @oldsid */
905                 rc = 0;
906                 if (type->bounds == old_context->type)
907                         break;
908
909                 index = type->bounds;
910         }
911
912         if (rc) {
913                 char *old_name = NULL;
914                 char *new_name = NULL;
915                 u32 length;
916
917                 if (!context_struct_to_string(old_context,
918                                               &old_name, &length) &&
919                     !context_struct_to_string(new_context,
920                                               &new_name, &length)) {
921                         audit_log(current->audit_context,
922                                   GFP_ATOMIC, AUDIT_SELINUX_ERR,
923                                   "op=security_bounded_transition "
924                                   "seresult=denied "
925                                   "oldcontext=%s newcontext=%s",
926                                   old_name, new_name);
927                 }
928                 kfree(new_name);
929                 kfree(old_name);
930         }
931 out:
932         read_unlock(&policy_rwlock);
933
934         return rc;
935 }
936
937 static void avd_init(struct av_decision *avd)
938 {
939         avd->allowed = 0;
940         avd->auditallow = 0;
941         avd->auditdeny = 0xffffffff;
942         avd->seqno = latest_granting;
943         avd->flags = 0;
944 }
945
946 void services_compute_xperms_decision(struct extended_perms_decision *xpermd,
947                                         struct avtab_node *node)
948 {
949         unsigned int i;
950
951         if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) {
952                 if (xpermd->driver != node->datum.u.xperms->driver)
953                         return;
954         } else if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) {
955                 if (!security_xperm_test(node->datum.u.xperms->perms.p,
956                                         xpermd->driver))
957                         return;
958         } else {
959                 BUG();
960         }
961
962         if (node->key.specified == AVTAB_XPERMS_ALLOWED) {
963                 xpermd->used |= XPERMS_ALLOWED;
964                 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) {
965                         memset(xpermd->allowed->p, 0xff,
966                                         sizeof(xpermd->allowed->p));
967                 }
968                 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) {
969                         for (i = 0; i < ARRAY_SIZE(xpermd->allowed->p); i++)
970                                 xpermd->allowed->p[i] |=
971                                         node->datum.u.xperms->perms.p[i];
972                 }
973         } else if (node->key.specified == AVTAB_XPERMS_AUDITALLOW) {
974                 xpermd->used |= XPERMS_AUDITALLOW;
975                 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) {
976                         memset(xpermd->auditallow->p, 0xff,
977                                         sizeof(xpermd->auditallow->p));
978                 }
979                 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) {
980                         for (i = 0; i < ARRAY_SIZE(xpermd->auditallow->p); i++)
981                                 xpermd->auditallow->p[i] |=
982                                         node->datum.u.xperms->perms.p[i];
983                 }
984         } else if (node->key.specified == AVTAB_XPERMS_DONTAUDIT) {
985                 xpermd->used |= XPERMS_DONTAUDIT;
986                 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) {
987                         memset(xpermd->dontaudit->p, 0xff,
988                                         sizeof(xpermd->dontaudit->p));
989                 }
990                 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) {
991                         for (i = 0; i < ARRAY_SIZE(xpermd->dontaudit->p); i++)
992                                 xpermd->dontaudit->p[i] |=
993                                         node->datum.u.xperms->perms.p[i];
994                 }
995         } else {
996                 BUG();
997         }
998 }
999
1000 void security_compute_xperms_decision(u32 ssid,
1001                                 u32 tsid,
1002                                 u16 orig_tclass,
1003                                 u8 driver,
1004                                 struct extended_perms_decision *xpermd)
1005 {
1006         u16 tclass;
1007         struct context *scontext, *tcontext;
1008         struct avtab_key avkey;
1009         struct avtab_node *node;
1010         struct ebitmap *sattr, *tattr;
1011         struct ebitmap_node *snode, *tnode;
1012         unsigned int i, j;
1013
1014         xpermd->driver = driver;
1015         xpermd->used = 0;
1016         memset(xpermd->allowed->p, 0, sizeof(xpermd->allowed->p));
1017         memset(xpermd->auditallow->p, 0, sizeof(xpermd->auditallow->p));
1018         memset(xpermd->dontaudit->p, 0, sizeof(xpermd->dontaudit->p));
1019
1020         read_lock(&policy_rwlock);
1021         if (!ss_initialized)
1022                 goto allow;
1023
1024         scontext = sidtab_search(&sidtab, ssid);
1025         if (!scontext) {
1026                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1027                        __func__, ssid);
1028                 goto out;
1029         }
1030
1031         tcontext = sidtab_search(&sidtab, tsid);
1032         if (!tcontext) {
1033                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1034                        __func__, tsid);
1035                 goto out;
1036         }
1037
1038         tclass = unmap_class(orig_tclass);
1039         if (unlikely(orig_tclass && !tclass)) {
1040                 if (policydb.allow_unknown)
1041                         goto allow;
1042                 goto out;
1043         }
1044
1045
1046         if (unlikely(!tclass || tclass > policydb.p_classes.nprim)) {
1047                 pr_warn_ratelimited("SELinux:  Invalid class %hu\n", tclass);
1048                 goto out;
1049         }
1050
1051         avkey.target_class = tclass;
1052         avkey.specified = AVTAB_XPERMS;
1053         sattr = flex_array_get(policydb.type_attr_map_array,
1054                                 scontext->type - 1);
1055         BUG_ON(!sattr);
1056         tattr = flex_array_get(policydb.type_attr_map_array,
1057                                 tcontext->type - 1);
1058         BUG_ON(!tattr);
1059         ebitmap_for_each_positive_bit(sattr, snode, i) {
1060                 ebitmap_for_each_positive_bit(tattr, tnode, j) {
1061                         avkey.source_type = i + 1;
1062                         avkey.target_type = j + 1;
1063                         for (node = avtab_search_node(&policydb.te_avtab, &avkey);
1064                              node;
1065                              node = avtab_search_node_next(node, avkey.specified))
1066                                 services_compute_xperms_decision(xpermd, node);
1067
1068                         cond_compute_xperms(&policydb.te_cond_avtab,
1069                                                 &avkey, xpermd);
1070                 }
1071         }
1072 out:
1073         read_unlock(&policy_rwlock);
1074         return;
1075 allow:
1076         memset(xpermd->allowed->p, 0xff, sizeof(xpermd->allowed->p));
1077         goto out;
1078 }
1079
1080 /**
1081  * security_compute_av - Compute access vector decisions.
1082  * @ssid: source security identifier
1083  * @tsid: target security identifier
1084  * @tclass: target security class
1085  * @avd: access vector decisions
1086  * @xperms: extended permissions
1087  *
1088  * Compute a set of access vector decisions based on the
1089  * SID pair (@ssid, @tsid) for the permissions in @tclass.
1090  */
1091 void security_compute_av(u32 ssid,
1092                          u32 tsid,
1093                          u16 orig_tclass,
1094                          struct av_decision *avd,
1095                          struct extended_perms *xperms)
1096 {
1097         u16 tclass;
1098         struct context *scontext = NULL, *tcontext = NULL;
1099
1100         read_lock(&policy_rwlock);
1101         avd_init(avd);
1102         xperms->len = 0;
1103         if (!ss_initialized)
1104                 goto allow;
1105
1106         scontext = sidtab_search(&sidtab, ssid);
1107         if (!scontext) {
1108                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1109                        __func__, ssid);
1110                 goto out;
1111         }
1112
1113         /* permissive domain? */
1114         if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
1115                 avd->flags |= AVD_FLAGS_PERMISSIVE;
1116
1117         tcontext = sidtab_search(&sidtab, tsid);
1118         if (!tcontext) {
1119                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1120                        __func__, tsid);
1121                 goto out;
1122         }
1123
1124         tclass = unmap_class(orig_tclass);
1125         if (unlikely(orig_tclass && !tclass)) {
1126                 if (policydb.allow_unknown)
1127                         goto allow;
1128                 goto out;
1129         }
1130         context_struct_compute_av(scontext, tcontext, tclass, avd, xperms);
1131         map_decision(orig_tclass, avd, policydb.allow_unknown);
1132 out:
1133         read_unlock(&policy_rwlock);
1134         return;
1135 allow:
1136         avd->allowed = 0xffffffff;
1137         goto out;
1138 }
1139
1140 void security_compute_av_user(u32 ssid,
1141                               u32 tsid,
1142                               u16 tclass,
1143                               struct av_decision *avd)
1144 {
1145         struct context *scontext = NULL, *tcontext = NULL;
1146
1147         read_lock(&policy_rwlock);
1148         avd_init(avd);
1149         if (!ss_initialized)
1150                 goto allow;
1151
1152         scontext = sidtab_search(&sidtab, ssid);
1153         if (!scontext) {
1154                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1155                        __func__, ssid);
1156                 goto out;
1157         }
1158
1159         /* permissive domain? */
1160         if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
1161                 avd->flags |= AVD_FLAGS_PERMISSIVE;
1162
1163         tcontext = sidtab_search(&sidtab, tsid);
1164         if (!tcontext) {
1165                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1166                        __func__, tsid);
1167                 goto out;
1168         }
1169
1170         if (unlikely(!tclass)) {
1171                 if (policydb.allow_unknown)
1172                         goto allow;
1173                 goto out;
1174         }
1175
1176         context_struct_compute_av(scontext, tcontext, tclass, avd, NULL);
1177  out:
1178         read_unlock(&policy_rwlock);
1179         return;
1180 allow:
1181         avd->allowed = 0xffffffff;
1182         goto out;
1183 }
1184
1185 /*
1186  * Write the security context string representation of
1187  * the context structure `context' into a dynamically
1188  * allocated string of the correct size.  Set `*scontext'
1189  * to point to this string and set `*scontext_len' to
1190  * the length of the string.
1191  */
1192 static int context_struct_to_string(struct context *context, char **scontext, u32 *scontext_len)
1193 {
1194         char *scontextp;
1195
1196         if (scontext)
1197                 *scontext = NULL;
1198         *scontext_len = 0;
1199
1200         if (context->len) {
1201                 *scontext_len = context->len;
1202                 if (scontext) {
1203                         *scontext = kstrdup(context->str, GFP_ATOMIC);
1204                         if (!(*scontext))
1205                                 return -ENOMEM;
1206                 }
1207                 return 0;
1208         }
1209
1210         /* Compute the size of the context. */
1211         *scontext_len += strlen(sym_name(&policydb, SYM_USERS, context->user - 1)) + 1;
1212         *scontext_len += strlen(sym_name(&policydb, SYM_ROLES, context->role - 1)) + 1;
1213         *scontext_len += strlen(sym_name(&policydb, SYM_TYPES, context->type - 1)) + 1;
1214         *scontext_len += mls_compute_context_len(context);
1215
1216         if (!scontext)
1217                 return 0;
1218
1219         /* Allocate space for the context; caller must free this space. */
1220         scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
1221         if (!scontextp)
1222                 return -ENOMEM;
1223         *scontext = scontextp;
1224
1225         /*
1226          * Copy the user name, role name and type name into the context.
1227          */
1228         scontextp += sprintf(scontextp, "%s:%s:%s",
1229                 sym_name(&policydb, SYM_USERS, context->user - 1),
1230                 sym_name(&policydb, SYM_ROLES, context->role - 1),
1231                 sym_name(&policydb, SYM_TYPES, context->type - 1));
1232
1233         mls_sid_to_context(context, &scontextp);
1234
1235         *scontextp = 0;
1236
1237         return 0;
1238 }
1239
1240 #include "initial_sid_to_string.h"
1241
1242 const char *security_get_initial_sid_context(u32 sid)
1243 {
1244         if (unlikely(sid > SECINITSID_NUM))
1245                 return NULL;
1246         return initial_sid_to_string[sid];
1247 }
1248
1249 static int security_sid_to_context_core(u32 sid, char **scontext,
1250                                         u32 *scontext_len, int force)
1251 {
1252         struct context *context;
1253         int rc = 0;
1254
1255         if (scontext)
1256                 *scontext = NULL;
1257         *scontext_len  = 0;
1258
1259         if (!ss_initialized) {
1260                 if (sid <= SECINITSID_NUM) {
1261                         char *scontextp;
1262
1263                         *scontext_len = strlen(initial_sid_to_string[sid]) + 1;
1264                         if (!scontext)
1265                                 goto out;
1266                         scontextp = kmemdup(initial_sid_to_string[sid],
1267                                             *scontext_len, GFP_ATOMIC);
1268                         if (!scontextp) {
1269                                 rc = -ENOMEM;
1270                                 goto out;
1271                         }
1272                         *scontext = scontextp;
1273                         goto out;
1274                 }
1275                 printk(KERN_ERR "SELinux: %s:  called before initial "
1276                        "load_policy on unknown SID %d\n", __func__, sid);
1277                 rc = -EINVAL;
1278                 goto out;
1279         }
1280         read_lock(&policy_rwlock);
1281         if (force)
1282                 context = sidtab_search_force(&sidtab, sid);
1283         else
1284                 context = sidtab_search(&sidtab, sid);
1285         if (!context) {
1286                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1287                         __func__, sid);
1288                 rc = -EINVAL;
1289                 goto out_unlock;
1290         }
1291         rc = context_struct_to_string(context, scontext, scontext_len);
1292 out_unlock:
1293         read_unlock(&policy_rwlock);
1294 out:
1295         return rc;
1296
1297 }
1298
1299 /**
1300  * security_sid_to_context - Obtain a context for a given SID.
1301  * @sid: security identifier, SID
1302  * @scontext: security context
1303  * @scontext_len: length in bytes
1304  *
1305  * Write the string representation of the context associated with @sid
1306  * into a dynamically allocated string of the correct size.  Set @scontext
1307  * to point to this string and set @scontext_len to the length of the string.
1308  */
1309 int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
1310 {
1311         return security_sid_to_context_core(sid, scontext, scontext_len, 0);
1312 }
1313
1314 int security_sid_to_context_force(u32 sid, char **scontext, u32 *scontext_len)
1315 {
1316         return security_sid_to_context_core(sid, scontext, scontext_len, 1);
1317 }
1318
1319 /*
1320  * Caveat:  Mutates scontext.
1321  */
1322 static int string_to_context_struct(struct policydb *pol,
1323                                     struct sidtab *sidtabp,
1324                                     char *scontext,
1325                                     u32 scontext_len,
1326                                     struct context *ctx,
1327                                     u32 def_sid)
1328 {
1329         struct role_datum *role;
1330         struct type_datum *typdatum;
1331         struct user_datum *usrdatum;
1332         char *scontextp, *p, oldc;
1333         int rc = 0;
1334
1335         context_init(ctx);
1336
1337         /* Parse the security context. */
1338
1339         rc = -EINVAL;
1340         scontextp = (char *) scontext;
1341
1342         /* Extract the user. */
1343         p = scontextp;
1344         while (*p && *p != ':')
1345                 p++;
1346
1347         if (*p == 0)
1348                 goto out;
1349
1350         *p++ = 0;
1351
1352         usrdatum = hashtab_search(pol->p_users.table, scontextp);
1353         if (!usrdatum)
1354                 goto out;
1355
1356         ctx->user = usrdatum->value;
1357
1358         /* Extract role. */
1359         scontextp = p;
1360         while (*p && *p != ':')
1361                 p++;
1362
1363         if (*p == 0)
1364                 goto out;
1365
1366         *p++ = 0;
1367
1368         role = hashtab_search(pol->p_roles.table, scontextp);
1369         if (!role)
1370                 goto out;
1371         ctx->role = role->value;
1372
1373         /* Extract type. */
1374         scontextp = p;
1375         while (*p && *p != ':')
1376                 p++;
1377         oldc = *p;
1378         *p++ = 0;
1379
1380         typdatum = hashtab_search(pol->p_types.table, scontextp);
1381         if (!typdatum || typdatum->attribute)
1382                 goto out;
1383
1384         ctx->type = typdatum->value;
1385
1386         rc = mls_context_to_sid(pol, oldc, &p, ctx, sidtabp, def_sid);
1387         if (rc)
1388                 goto out;
1389
1390         rc = -EINVAL;
1391         if ((p - scontext) < scontext_len)
1392                 goto out;
1393
1394         /* Check the validity of the new context. */
1395         if (!policydb_context_isvalid(pol, ctx))
1396                 goto out;
1397         rc = 0;
1398 out:
1399         if (rc)
1400                 context_destroy(ctx);
1401         return rc;
1402 }
1403
1404 static int security_context_to_sid_core(const char *scontext, u32 scontext_len,
1405                                         u32 *sid, u32 def_sid, gfp_t gfp_flags,
1406                                         int force)
1407 {
1408         char *scontext2, *str = NULL;
1409         struct context context;
1410         int rc = 0;
1411
1412         /* An empty security context is never valid. */
1413         if (!scontext_len)
1414                 return -EINVAL;
1415
1416         if (!ss_initialized) {
1417                 int i;
1418
1419                 for (i = 1; i < SECINITSID_NUM; i++) {
1420                         if (!strcmp(initial_sid_to_string[i], scontext)) {
1421                                 *sid = i;
1422                                 return 0;
1423                         }
1424                 }
1425                 *sid = SECINITSID_KERNEL;
1426                 return 0;
1427         }
1428         *sid = SECSID_NULL;
1429
1430         /* Copy the string so that we can modify the copy as we parse it. */
1431         scontext2 = kmalloc(scontext_len + 1, gfp_flags);
1432         if (!scontext2)
1433                 return -ENOMEM;
1434         memcpy(scontext2, scontext, scontext_len);
1435         scontext2[scontext_len] = 0;
1436
1437         if (force) {
1438                 /* Save another copy for storing in uninterpreted form */
1439                 rc = -ENOMEM;
1440                 str = kstrdup(scontext2, gfp_flags);
1441                 if (!str)
1442                         goto out;
1443         }
1444
1445         read_lock(&policy_rwlock);
1446         rc = string_to_context_struct(&policydb, &sidtab, scontext2,
1447                                       scontext_len, &context, def_sid);
1448         if (rc == -EINVAL && force) {
1449                 context.str = str;
1450                 context.len = scontext_len;
1451                 str = NULL;
1452         } else if (rc)
1453                 goto out_unlock;
1454         rc = sidtab_context_to_sid(&sidtab, &context, sid);
1455         context_destroy(&context);
1456 out_unlock:
1457         read_unlock(&policy_rwlock);
1458 out:
1459         kfree(scontext2);
1460         kfree(str);
1461         return rc;
1462 }
1463
1464 /**
1465  * security_context_to_sid - Obtain a SID for a given security context.
1466  * @scontext: security context
1467  * @scontext_len: length in bytes
1468  * @sid: security identifier, SID
1469  * @gfp: context for the allocation
1470  *
1471  * Obtains a SID associated with the security context that
1472  * has the string representation specified by @scontext.
1473  * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
1474  * memory is available, or 0 on success.
1475  */
1476 int security_context_to_sid(const char *scontext, u32 scontext_len, u32 *sid,
1477                             gfp_t gfp)
1478 {
1479         return security_context_to_sid_core(scontext, scontext_len,
1480                                             sid, SECSID_NULL, gfp, 0);
1481 }
1482
1483 int security_context_str_to_sid(const char *scontext, u32 *sid, gfp_t gfp)
1484 {
1485         return security_context_to_sid(scontext, strlen(scontext), sid, gfp);
1486 }
1487
1488 /**
1489  * security_context_to_sid_default - Obtain a SID for a given security context,
1490  * falling back to specified default if needed.
1491  *
1492  * @scontext: security context
1493  * @scontext_len: length in bytes
1494  * @sid: security identifier, SID
1495  * @def_sid: default SID to assign on error
1496  *
1497  * Obtains a SID associated with the security context that
1498  * has the string representation specified by @scontext.
1499  * The default SID is passed to the MLS layer to be used to allow
1500  * kernel labeling of the MLS field if the MLS field is not present
1501  * (for upgrading to MLS without full relabel).
1502  * Implicitly forces adding of the context even if it cannot be mapped yet.
1503  * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
1504  * memory is available, or 0 on success.
1505  */
1506 int security_context_to_sid_default(const char *scontext, u32 scontext_len,
1507                                     u32 *sid, u32 def_sid, gfp_t gfp_flags)
1508 {
1509         return security_context_to_sid_core(scontext, scontext_len,
1510                                             sid, def_sid, gfp_flags, 1);
1511 }
1512
1513 int security_context_to_sid_force(const char *scontext, u32 scontext_len,
1514                                   u32 *sid)
1515 {
1516         return security_context_to_sid_core(scontext, scontext_len,
1517                                             sid, SECSID_NULL, GFP_KERNEL, 1);
1518 }
1519
1520 static int compute_sid_handle_invalid_context(
1521         struct context *scontext,
1522         struct context *tcontext,
1523         u16 tclass,
1524         struct context *newcontext)
1525 {
1526         char *s = NULL, *t = NULL, *n = NULL;
1527         u32 slen, tlen, nlen;
1528
1529         if (context_struct_to_string(scontext, &s, &slen))
1530                 goto out;
1531         if (context_struct_to_string(tcontext, &t, &tlen))
1532                 goto out;
1533         if (context_struct_to_string(newcontext, &n, &nlen))
1534                 goto out;
1535         audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
1536                   "op=security_compute_sid invalid_context=%s"
1537                   " scontext=%s"
1538                   " tcontext=%s"
1539                   " tclass=%s",
1540                   n, s, t, sym_name(&policydb, SYM_CLASSES, tclass-1));
1541 out:
1542         kfree(s);
1543         kfree(t);
1544         kfree(n);
1545         if (!selinux_enforcing)
1546                 return 0;
1547         return -EACCES;
1548 }
1549
1550 static void filename_compute_type(struct policydb *p, struct context *newcontext,
1551                                   u32 stype, u32 ttype, u16 tclass,
1552                                   const char *objname)
1553 {
1554         struct filename_trans ft;
1555         struct filename_trans_datum *otype;
1556
1557         /*
1558          * Most filename trans rules are going to live in specific directories
1559          * like /dev or /var/run.  This bitmap will quickly skip rule searches
1560          * if the ttype does not contain any rules.
1561          */
1562         if (!ebitmap_get_bit(&p->filename_trans_ttypes, ttype))
1563                 return;
1564
1565         ft.stype = stype;
1566         ft.ttype = ttype;
1567         ft.tclass = tclass;
1568         ft.name = objname;
1569
1570         otype = hashtab_search(p->filename_trans, &ft);
1571         if (otype)
1572                 newcontext->type = otype->otype;
1573 }
1574
1575 static int security_compute_sid(u32 ssid,
1576                                 u32 tsid,
1577                                 u16 orig_tclass,
1578                                 u32 specified,
1579                                 const char *objname,
1580                                 u32 *out_sid,
1581                                 bool kern)
1582 {
1583         struct class_datum *cladatum = NULL;
1584         struct context *scontext = NULL, *tcontext = NULL, newcontext;
1585         struct role_trans *roletr = NULL;
1586         struct avtab_key avkey;
1587         struct avtab_datum *avdatum;
1588         struct avtab_node *node;
1589         u16 tclass;
1590         int rc = 0;
1591         bool sock;
1592
1593         if (!ss_initialized) {
1594                 switch (orig_tclass) {
1595                 case SECCLASS_PROCESS: /* kernel value */
1596                         *out_sid = ssid;
1597                         break;
1598                 default:
1599                         *out_sid = tsid;
1600                         break;
1601                 }
1602                 goto out;
1603         }
1604
1605         context_init(&newcontext);
1606
1607         read_lock(&policy_rwlock);
1608
1609         if (kern) {
1610                 tclass = unmap_class(orig_tclass);
1611                 sock = security_is_socket_class(orig_tclass);
1612         } else {
1613                 tclass = orig_tclass;
1614                 sock = security_is_socket_class(map_class(tclass));
1615         }
1616
1617         scontext = sidtab_search(&sidtab, ssid);
1618         if (!scontext) {
1619                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1620                        __func__, ssid);
1621                 rc = -EINVAL;
1622                 goto out_unlock;
1623         }
1624         tcontext = sidtab_search(&sidtab, tsid);
1625         if (!tcontext) {
1626                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1627                        __func__, tsid);
1628                 rc = -EINVAL;
1629                 goto out_unlock;
1630         }
1631
1632         if (tclass && tclass <= policydb.p_classes.nprim)
1633                 cladatum = policydb.class_val_to_struct[tclass - 1];
1634
1635         /* Set the user identity. */
1636         switch (specified) {
1637         case AVTAB_TRANSITION:
1638         case AVTAB_CHANGE:
1639                 if (cladatum && cladatum->default_user == DEFAULT_TARGET) {
1640                         newcontext.user = tcontext->user;
1641                 } else {
1642                         /* notice this gets both DEFAULT_SOURCE and unset */
1643                         /* Use the process user identity. */
1644                         newcontext.user = scontext->user;
1645                 }
1646                 break;
1647         case AVTAB_MEMBER:
1648                 /* Use the related object owner. */
1649                 newcontext.user = tcontext->user;
1650                 break;
1651         }
1652
1653         /* Set the role to default values. */
1654         if (cladatum && cladatum->default_role == DEFAULT_SOURCE) {
1655                 newcontext.role = scontext->role;
1656         } else if (cladatum && cladatum->default_role == DEFAULT_TARGET) {
1657                 newcontext.role = tcontext->role;
1658         } else {
1659                 if ((tclass == policydb.process_class) || (sock == true))
1660                         newcontext.role = scontext->role;
1661                 else
1662                         newcontext.role = OBJECT_R_VAL;
1663         }
1664
1665         /* Set the type to default values. */
1666         if (cladatum && cladatum->default_type == DEFAULT_SOURCE) {
1667                 newcontext.type = scontext->type;
1668         } else if (cladatum && cladatum->default_type == DEFAULT_TARGET) {
1669                 newcontext.type = tcontext->type;
1670         } else {
1671                 if ((tclass == policydb.process_class) || (sock == true)) {
1672                         /* Use the type of process. */
1673                         newcontext.type = scontext->type;
1674                 } else {
1675                         /* Use the type of the related object. */
1676                         newcontext.type = tcontext->type;
1677                 }
1678         }
1679
1680         /* Look for a type transition/member/change rule. */
1681         avkey.source_type = scontext->type;
1682         avkey.target_type = tcontext->type;
1683         avkey.target_class = tclass;
1684         avkey.specified = specified;
1685         avdatum = avtab_search(&policydb.te_avtab, &avkey);
1686
1687         /* If no permanent rule, also check for enabled conditional rules */
1688         if (!avdatum) {
1689                 node = avtab_search_node(&policydb.te_cond_avtab, &avkey);
1690                 for (; node; node = avtab_search_node_next(node, specified)) {
1691                         if (node->key.specified & AVTAB_ENABLED) {
1692                                 avdatum = &node->datum;
1693                                 break;
1694                         }
1695                 }
1696         }
1697
1698         if (avdatum) {
1699                 /* Use the type from the type transition/member/change rule. */
1700                 newcontext.type = avdatum->u.data;
1701         }
1702
1703         /* if we have a objname this is a file trans check so check those rules */
1704         if (objname)
1705                 filename_compute_type(&policydb, &newcontext, scontext->type,
1706                                       tcontext->type, tclass, objname);
1707
1708         /* Check for class-specific changes. */
1709         if (specified & AVTAB_TRANSITION) {
1710                 /* Look for a role transition rule. */
1711                 for (roletr = policydb.role_tr; roletr; roletr = roletr->next) {
1712                         if ((roletr->role == scontext->role) &&
1713                             (roletr->type == tcontext->type) &&
1714                             (roletr->tclass == tclass)) {
1715                                 /* Use the role transition rule. */
1716                                 newcontext.role = roletr->new_role;
1717                                 break;
1718                         }
1719                 }
1720         }
1721
1722         /* Set the MLS attributes.
1723            This is done last because it may allocate memory. */
1724         rc = mls_compute_sid(scontext, tcontext, tclass, specified,
1725                              &newcontext, sock);
1726         if (rc)
1727                 goto out_unlock;
1728
1729         /* Check the validity of the context. */
1730         if (!policydb_context_isvalid(&policydb, &newcontext)) {
1731                 rc = compute_sid_handle_invalid_context(scontext,
1732                                                         tcontext,
1733                                                         tclass,
1734                                                         &newcontext);
1735                 if (rc)
1736                         goto out_unlock;
1737         }
1738         /* Obtain the sid for the context. */
1739         rc = sidtab_context_to_sid(&sidtab, &newcontext, out_sid);
1740 out_unlock:
1741         read_unlock(&policy_rwlock);
1742         context_destroy(&newcontext);
1743 out:
1744         return rc;
1745 }
1746
1747 /**
1748  * security_transition_sid - Compute the SID for a new subject/object.
1749  * @ssid: source security identifier
1750  * @tsid: target security identifier
1751  * @tclass: target security class
1752  * @out_sid: security identifier for new subject/object
1753  *
1754  * Compute a SID to use for labeling a new subject or object in the
1755  * class @tclass based on a SID pair (@ssid, @tsid).
1756  * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
1757  * if insufficient memory is available, or %0 if the new SID was
1758  * computed successfully.
1759  */
1760 int security_transition_sid(u32 ssid, u32 tsid, u16 tclass,
1761                             const struct qstr *qstr, u32 *out_sid)
1762 {
1763         return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
1764                                     qstr ? qstr->name : NULL, out_sid, true);
1765 }
1766
1767 int security_transition_sid_user(u32 ssid, u32 tsid, u16 tclass,
1768                                  const char *objname, u32 *out_sid)
1769 {
1770         return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
1771                                     objname, out_sid, false);
1772 }
1773
1774 /**
1775  * security_member_sid - Compute the SID for member selection.
1776  * @ssid: source security identifier
1777  * @tsid: target security identifier
1778  * @tclass: target security class
1779  * @out_sid: security identifier for selected member
1780  *
1781  * Compute a SID to use when selecting a member of a polyinstantiated
1782  * object of class @tclass based on a SID pair (@ssid, @tsid).
1783  * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
1784  * if insufficient memory is available, or %0 if the SID was
1785  * computed successfully.
1786  */
1787 int security_member_sid(u32 ssid,
1788                         u32 tsid,
1789                         u16 tclass,
1790                         u32 *out_sid)
1791 {
1792         return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, NULL,
1793                                     out_sid, false);
1794 }
1795
1796 /**
1797  * security_change_sid - Compute the SID for object relabeling.
1798  * @ssid: source security identifier
1799  * @tsid: target security identifier
1800  * @tclass: target security class
1801  * @out_sid: security identifier for selected member
1802  *
1803  * Compute a SID to use for relabeling an object of class @tclass
1804  * based on a SID pair (@ssid, @tsid).
1805  * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
1806  * if insufficient memory is available, or %0 if the SID was
1807  * computed successfully.
1808  */
1809 int security_change_sid(u32 ssid,
1810                         u32 tsid,
1811                         u16 tclass,
1812                         u32 *out_sid)
1813 {
1814         return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, NULL,
1815                                     out_sid, false);
1816 }
1817
1818 /* Clone the SID into the new SID table. */
1819 static int clone_sid(u32 sid,
1820                      struct context *context,
1821                      void *arg)
1822 {
1823         struct sidtab *s = arg;
1824
1825         if (sid > SECINITSID_NUM)
1826                 return sidtab_insert(s, sid, context);
1827         else
1828                 return 0;
1829 }
1830
1831 static inline int convert_context_handle_invalid_context(struct context *context)
1832 {
1833         char *s;
1834         u32 len;
1835
1836         if (selinux_enforcing)
1837                 return -EINVAL;
1838
1839         if (!context_struct_to_string(context, &s, &len)) {
1840                 printk(KERN_WARNING "SELinux:  Context %s would be invalid if enforcing\n", s);
1841                 kfree(s);
1842         }
1843         return 0;
1844 }
1845
1846 struct convert_context_args {
1847         struct policydb *oldp;
1848         struct policydb *newp;
1849 };
1850
1851 /*
1852  * Convert the values in the security context
1853  * structure `c' from the values specified
1854  * in the policy `p->oldp' to the values specified
1855  * in the policy `p->newp'.  Verify that the
1856  * context is valid under the new policy.
1857  */
1858 static int convert_context(u32 key,
1859                            struct context *c,
1860                            void *p)
1861 {
1862         struct convert_context_args *args;
1863         struct context oldc;
1864         struct ocontext *oc;
1865         struct mls_range *range;
1866         struct role_datum *role;
1867         struct type_datum *typdatum;
1868         struct user_datum *usrdatum;
1869         char *s;
1870         u32 len;
1871         int rc = 0;
1872
1873         if (key <= SECINITSID_NUM)
1874                 goto out;
1875
1876         args = p;
1877
1878         if (c->str) {
1879                 struct context ctx;
1880
1881                 rc = -ENOMEM;
1882                 s = kstrdup(c->str, GFP_KERNEL);
1883                 if (!s)
1884                         goto out;
1885
1886                 rc = string_to_context_struct(args->newp, NULL, s,
1887                                               c->len, &ctx, SECSID_NULL);
1888                 kfree(s);
1889                 if (!rc) {
1890                         printk(KERN_INFO "SELinux:  Context %s became valid (mapped).\n",
1891                                c->str);
1892                         /* Replace string with mapped representation. */
1893                         kfree(c->str);
1894                         memcpy(c, &ctx, sizeof(*c));
1895                         goto out;
1896                 } else if (rc == -EINVAL) {
1897                         /* Retain string representation for later mapping. */
1898                         rc = 0;
1899                         goto out;
1900                 } else {
1901                         /* Other error condition, e.g. ENOMEM. */
1902                         printk(KERN_ERR "SELinux:   Unable to map context %s, rc = %d.\n",
1903                                c->str, -rc);
1904                         goto out;
1905                 }
1906         }
1907
1908         rc = context_cpy(&oldc, c);
1909         if (rc)
1910                 goto out;
1911
1912         /* Convert the user. */
1913         rc = -EINVAL;
1914         usrdatum = hashtab_search(args->newp->p_users.table,
1915                                   sym_name(args->oldp, SYM_USERS, c->user - 1));
1916         if (!usrdatum)
1917                 goto bad;
1918         c->user = usrdatum->value;
1919
1920         /* Convert the role. */
1921         rc = -EINVAL;
1922         role = hashtab_search(args->newp->p_roles.table,
1923                               sym_name(args->oldp, SYM_ROLES, c->role - 1));
1924         if (!role)
1925                 goto bad;
1926         c->role = role->value;
1927
1928         /* Convert the type. */
1929         rc = -EINVAL;
1930         typdatum = hashtab_search(args->newp->p_types.table,
1931                                   sym_name(args->oldp, SYM_TYPES, c->type - 1));
1932         if (!typdatum)
1933                 goto bad;
1934         c->type = typdatum->value;
1935
1936         /* Convert the MLS fields if dealing with MLS policies */
1937         if (args->oldp->mls_enabled && args->newp->mls_enabled) {
1938                 rc = mls_convert_context(args->oldp, args->newp, c);
1939                 if (rc)
1940                         goto bad;
1941         } else if (args->oldp->mls_enabled && !args->newp->mls_enabled) {
1942                 /*
1943                  * Switching between MLS and non-MLS policy:
1944                  * free any storage used by the MLS fields in the
1945                  * context for all existing entries in the sidtab.
1946                  */
1947                 mls_context_destroy(c);
1948         } else if (!args->oldp->mls_enabled && args->newp->mls_enabled) {
1949                 /*
1950                  * Switching between non-MLS and MLS policy:
1951                  * ensure that the MLS fields of the context for all
1952                  * existing entries in the sidtab are filled in with a
1953                  * suitable default value, likely taken from one of the
1954                  * initial SIDs.
1955                  */
1956                 oc = args->newp->ocontexts[OCON_ISID];
1957                 while (oc && oc->sid[0] != SECINITSID_UNLABELED)
1958                         oc = oc->next;
1959                 rc = -EINVAL;
1960                 if (!oc) {
1961                         printk(KERN_ERR "SELinux:  unable to look up"
1962                                 " the initial SIDs list\n");
1963                         goto bad;
1964                 }
1965                 range = &oc->context[0].range;
1966                 rc = mls_range_set(c, range);
1967                 if (rc)
1968                         goto bad;
1969         }
1970
1971         /* Check the validity of the new context. */
1972         if (!policydb_context_isvalid(args->newp, c)) {
1973                 rc = convert_context_handle_invalid_context(&oldc);
1974                 if (rc)
1975                         goto bad;
1976         }
1977
1978         context_destroy(&oldc);
1979
1980         rc = 0;
1981 out:
1982         return rc;
1983 bad:
1984         /* Map old representation to string and save it. */
1985         rc = context_struct_to_string(&oldc, &s, &len);
1986         if (rc)
1987                 return rc;
1988         context_destroy(&oldc);
1989         context_destroy(c);
1990         c->str = s;
1991         c->len = len;
1992         printk(KERN_INFO "SELinux:  Context %s became invalid (unmapped).\n",
1993                c->str);
1994         rc = 0;
1995         goto out;
1996 }
1997
1998 static void security_load_policycaps(void)
1999 {
2000         unsigned int i;
2001         struct ebitmap_node *node;
2002
2003         selinux_policycap_netpeer = ebitmap_get_bit(&policydb.policycaps,
2004                                                   POLICYDB_CAPABILITY_NETPEER);
2005         selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps,
2006                                                   POLICYDB_CAPABILITY_OPENPERM);
2007         selinux_policycap_extsockclass = ebitmap_get_bit(&policydb.policycaps,
2008                                           POLICYDB_CAPABILITY_EXTSOCKCLASS);
2009         selinux_policycap_alwaysnetwork = ebitmap_get_bit(&policydb.policycaps,
2010                                                   POLICYDB_CAPABILITY_ALWAYSNETWORK);
2011         selinux_policycap_cgroupseclabel =
2012                 ebitmap_get_bit(&policydb.policycaps,
2013                                 POLICYDB_CAPABILITY_CGROUPSECLABEL);
2014         selinux_policycap_nnp_nosuid_transition =
2015                 ebitmap_get_bit(&policydb.policycaps,
2016                                 POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION);
2017
2018         for (i = 0; i < ARRAY_SIZE(selinux_policycap_names); i++)
2019                 pr_info("SELinux:  policy capability %s=%d\n",
2020                         selinux_policycap_names[i],
2021                         ebitmap_get_bit(&policydb.policycaps, i));
2022
2023         ebitmap_for_each_positive_bit(&policydb.policycaps, node, i) {
2024                 if (i >= ARRAY_SIZE(selinux_policycap_names))
2025                         pr_info("SELinux:  unknown policy capability %u\n",
2026                                 i);
2027         }
2028 }
2029
2030 static int security_preserve_bools(struct policydb *p);
2031
2032 /**
2033  * security_load_policy - Load a security policy configuration.
2034  * @data: binary policy data
2035  * @len: length of data in bytes
2036  *
2037  * Load a new set of security policy configuration data,
2038  * validate it and convert the SID table as necessary.
2039  * This function will flush the access vector cache after
2040  * loading the new policy.
2041  */
2042 int security_load_policy(void *data, size_t len)
2043 {
2044         struct policydb *oldpolicydb, *newpolicydb;
2045         struct sidtab oldsidtab, newsidtab;
2046         struct selinux_mapping *oldmap, *map = NULL;
2047         struct convert_context_args args;
2048         u32 seqno;
2049         u16 map_size;
2050         int rc = 0;
2051         struct policy_file file = { data, len }, *fp = &file;
2052
2053         oldpolicydb = kzalloc(2 * sizeof(*oldpolicydb), GFP_KERNEL);
2054         if (!oldpolicydb) {
2055                 rc = -ENOMEM;
2056                 goto out;
2057         }
2058         newpolicydb = oldpolicydb + 1;
2059
2060         if (!ss_initialized) {
2061                 avtab_cache_init();
2062                 ebitmap_cache_init();
2063                 hashtab_cache_init();
2064                 rc = policydb_read(&policydb, fp);
2065                 if (rc) {
2066                         avtab_cache_destroy();
2067                         ebitmap_cache_destroy();
2068                         hashtab_cache_destroy();
2069                         goto out;
2070                 }
2071
2072                 policydb.len = len;
2073                 rc = selinux_set_mapping(&policydb, secclass_map,
2074                                          &current_mapping,
2075                                          &current_mapping_size);
2076                 if (rc) {
2077                         policydb_destroy(&policydb);
2078                         avtab_cache_destroy();
2079                         ebitmap_cache_destroy();
2080                         hashtab_cache_destroy();
2081                         goto out;
2082                 }
2083
2084                 rc = policydb_load_isids(&policydb, &sidtab);
2085                 if (rc) {
2086                         policydb_destroy(&policydb);
2087                         avtab_cache_destroy();
2088                         ebitmap_cache_destroy();
2089                         hashtab_cache_destroy();
2090                         goto out;
2091                 }
2092
2093                 security_load_policycaps();
2094                 ss_initialized = 1;
2095                 seqno = ++latest_granting;
2096                 selinux_complete_init();
2097                 avc_ss_reset(seqno);
2098                 selnl_notify_policyload(seqno);
2099                 selinux_status_update_policyload(seqno);
2100                 selinux_netlbl_cache_invalidate();
2101                 selinux_xfrm_notify_policyload();
2102                 goto out;
2103         }
2104
2105 #if 0
2106         sidtab_hash_eval(&sidtab, "sids");
2107 #endif
2108
2109         rc = policydb_read(newpolicydb, fp);
2110         if (rc)
2111                 goto out;
2112
2113         newpolicydb->len = len;
2114         /* If switching between different policy types, log MLS status */
2115         if (policydb.mls_enabled && !newpolicydb->mls_enabled)
2116                 printk(KERN_INFO "SELinux: Disabling MLS support...\n");
2117         else if (!policydb.mls_enabled && newpolicydb->mls_enabled)
2118                 printk(KERN_INFO "SELinux: Enabling MLS support...\n");
2119
2120         rc = policydb_load_isids(newpolicydb, &newsidtab);
2121         if (rc) {
2122                 printk(KERN_ERR "SELinux:  unable to load the initial SIDs\n");
2123                 policydb_destroy(newpolicydb);
2124                 goto out;
2125         }
2126
2127         rc = selinux_set_mapping(newpolicydb, secclass_map, &map, &map_size);
2128         if (rc)
2129                 goto err;
2130
2131         rc = security_preserve_bools(newpolicydb);
2132         if (rc) {
2133                 printk(KERN_ERR "SELinux:  unable to preserve booleans\n");
2134                 goto err;
2135         }
2136
2137         /* Clone the SID table. */
2138         sidtab_shutdown(&sidtab);
2139
2140         rc = sidtab_map(&sidtab, clone_sid, &newsidtab);
2141         if (rc)
2142                 goto err;
2143
2144         /*
2145          * Convert the internal representations of contexts
2146          * in the new SID table.
2147          */
2148         args.oldp = &policydb;
2149         args.newp = newpolicydb;
2150         rc = sidtab_map(&newsidtab, convert_context, &args);
2151         if (rc) {
2152                 printk(KERN_ERR "SELinux:  unable to convert the internal"
2153                         " representation of contexts in the new SID"
2154                         " table\n");
2155                 goto err;
2156         }
2157
2158         /* Save the old policydb and SID table to free later. */
2159         memcpy(oldpolicydb, &policydb, sizeof(policydb));
2160         sidtab_set(&oldsidtab, &sidtab);
2161
2162         /* Install the new policydb and SID table. */
2163         write_lock_irq(&policy_rwlock);
2164         memcpy(&policydb, newpolicydb, sizeof(policydb));
2165         sidtab_set(&sidtab, &newsidtab);
2166         security_load_policycaps();
2167         oldmap = current_mapping;
2168         current_mapping = map;
2169         current_mapping_size = map_size;
2170         seqno = ++latest_granting;
2171         write_unlock_irq(&policy_rwlock);
2172
2173         /* Free the old policydb and SID table. */
2174         policydb_destroy(oldpolicydb);
2175         sidtab_destroy(&oldsidtab);
2176         kfree(oldmap);
2177
2178         avc_ss_reset(seqno);
2179         selnl_notify_policyload(seqno);
2180         selinux_status_update_policyload(seqno);
2181         selinux_netlbl_cache_invalidate();
2182         selinux_xfrm_notify_policyload();
2183
2184         rc = 0;
2185         goto out;
2186
2187 err:
2188         kfree(map);
2189         sidtab_destroy(&newsidtab);
2190         policydb_destroy(newpolicydb);
2191
2192 out:
2193         kfree(oldpolicydb);
2194         return rc;
2195 }
2196
2197 size_t security_policydb_len(void)
2198 {
2199         size_t len;
2200
2201         read_lock(&policy_rwlock);
2202         len = policydb.len;
2203         read_unlock(&policy_rwlock);
2204
2205         return len;
2206 }
2207
2208 /**
2209  * security_port_sid - Obtain the SID for a port.
2210  * @protocol: protocol number
2211  * @port: port number
2212  * @out_sid: security identifier
2213  */
2214 int security_port_sid(u8 protocol, u16 port, u32 *out_sid)
2215 {
2216         struct ocontext *c;
2217         int rc = 0;
2218
2219         read_lock(&policy_rwlock);
2220
2221         c = policydb.ocontexts[OCON_PORT];
2222         while (c) {
2223                 if (c->u.port.protocol == protocol &&
2224                     c->u.port.low_port <= port &&
2225                     c->u.port.high_port >= port)
2226                         break;
2227                 c = c->next;
2228         }
2229
2230         if (c) {
2231                 if (!c->sid[0]) {
2232                         rc = sidtab_context_to_sid(&sidtab,
2233                                                    &c->context[0],
2234                                                    &c->sid[0]);
2235                         if (rc)
2236                                 goto out;
2237                 }
2238                 *out_sid = c->sid[0];
2239         } else {
2240                 *out_sid = SECINITSID_PORT;
2241         }
2242
2243 out:
2244         read_unlock(&policy_rwlock);
2245         return rc;
2246 }
2247
2248 /**
2249  * security_pkey_sid - Obtain the SID for a pkey.
2250  * @subnet_prefix: Subnet Prefix
2251  * @pkey_num: pkey number
2252  * @out_sid: security identifier
2253  */
2254 int security_ib_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid)
2255 {
2256         struct ocontext *c;
2257         int rc = 0;
2258
2259         read_lock(&policy_rwlock);
2260
2261         c = policydb.ocontexts[OCON_IBPKEY];
2262         while (c) {
2263                 if (c->u.ibpkey.low_pkey <= pkey_num &&
2264                     c->u.ibpkey.high_pkey >= pkey_num &&
2265                     c->u.ibpkey.subnet_prefix == subnet_prefix)
2266                         break;
2267
2268                 c = c->next;
2269         }
2270
2271         if (c) {
2272                 if (!c->sid[0]) {
2273                         rc = sidtab_context_to_sid(&sidtab,
2274                                                    &c->context[0],
2275                                                    &c->sid[0]);
2276                         if (rc)
2277                                 goto out;
2278                 }
2279                 *out_sid = c->sid[0];
2280         } else
2281                 *out_sid = SECINITSID_UNLABELED;
2282
2283 out:
2284         read_unlock(&policy_rwlock);
2285         return rc;
2286 }
2287
2288 /**
2289  * security_ib_endport_sid - Obtain the SID for a subnet management interface.
2290  * @dev_name: device name
2291  * @port: port number
2292  * @out_sid: security identifier
2293  */
2294 int security_ib_endport_sid(const char *dev_name, u8 port_num, u32 *out_sid)
2295 {
2296         struct ocontext *c;
2297         int rc = 0;
2298
2299         read_lock(&policy_rwlock);
2300
2301         c = policydb.ocontexts[OCON_IBENDPORT];
2302         while (c) {
2303                 if (c->u.ibendport.port == port_num &&
2304                     !strncmp(c->u.ibendport.dev_name,
2305                              dev_name,
2306                              IB_DEVICE_NAME_MAX))
2307                         break;
2308
2309                 c = c->next;
2310         }
2311
2312         if (c) {
2313                 if (!c->sid[0]) {
2314                         rc = sidtab_context_to_sid(&sidtab,
2315                                                    &c->context[0],
2316                                                    &c->sid[0]);
2317                         if (rc)
2318                                 goto out;
2319                 }
2320                 *out_sid = c->sid[0];
2321         } else
2322                 *out_sid = SECINITSID_UNLABELED;
2323
2324 out:
2325         read_unlock(&policy_rwlock);
2326         return rc;
2327 }
2328
2329 /**
2330  * security_netif_sid - Obtain the SID for a network interface.
2331  * @name: interface name
2332  * @if_sid: interface SID
2333  */
2334 int security_netif_sid(char *name, u32 *if_sid)
2335 {
2336         int rc = 0;
2337         struct ocontext *c;
2338
2339         read_lock(&policy_rwlock);
2340
2341         c = policydb.ocontexts[OCON_NETIF];
2342         while (c) {
2343                 if (strcmp(name, c->u.name) == 0)
2344                         break;
2345                 c = c->next;
2346         }
2347
2348         if (c) {
2349                 if (!c->sid[0] || !c->sid[1]) {
2350                         rc = sidtab_context_to_sid(&sidtab,
2351                                                   &c->context[0],
2352                                                   &c->sid[0]);
2353                         if (rc)
2354                                 goto out;
2355                         rc = sidtab_context_to_sid(&sidtab,
2356                                                    &c->context[1],
2357                                                    &c->sid[1]);
2358                         if (rc)
2359                                 goto out;
2360                 }
2361                 *if_sid = c->sid[0];
2362         } else
2363                 *if_sid = SECINITSID_NETIF;
2364
2365 out:
2366         read_unlock(&policy_rwlock);
2367         return rc;
2368 }
2369
2370 static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask)
2371 {
2372         int i, fail = 0;
2373
2374         for (i = 0; i < 4; i++)
2375                 if (addr[i] != (input[i] & mask[i])) {
2376                         fail = 1;
2377                         break;
2378                 }
2379
2380         return !fail;
2381 }
2382
2383 /**
2384  * security_node_sid - Obtain the SID for a node (host).
2385  * @domain: communication domain aka address family
2386  * @addrp: address
2387  * @addrlen: address length in bytes
2388  * @out_sid: security identifier
2389  */
2390 int security_node_sid(u16 domain,
2391                       void *addrp,
2392                       u32 addrlen,
2393                       u32 *out_sid)
2394 {
2395         int rc;
2396         struct ocontext *c;
2397
2398         read_lock(&policy_rwlock);
2399
2400         switch (domain) {
2401         case AF_INET: {
2402                 u32 addr;
2403
2404                 rc = -EINVAL;
2405                 if (addrlen != sizeof(u32))
2406                         goto out;
2407
2408                 addr = *((u32 *)addrp);
2409
2410                 c = policydb.ocontexts[OCON_NODE];
2411                 while (c) {
2412                         if (c->u.node.addr == (addr & c->u.node.mask))
2413                                 break;
2414                         c = c->next;
2415                 }
2416                 break;
2417         }
2418
2419         case AF_INET6:
2420                 rc = -EINVAL;
2421                 if (addrlen != sizeof(u64) * 2)
2422                         goto out;
2423                 c = policydb.ocontexts[OCON_NODE6];
2424                 while (c) {
2425                         if (match_ipv6_addrmask(addrp, c->u.node6.addr,
2426                                                 c->u.node6.mask))
2427                                 break;
2428                         c = c->next;
2429                 }
2430                 break;
2431
2432         default:
2433                 rc = 0;
2434                 *out_sid = SECINITSID_NODE;
2435                 goto out;
2436         }
2437
2438         if (c) {
2439                 if (!c->sid[0]) {
2440                         rc = sidtab_context_to_sid(&sidtab,
2441                                                    &c->context[0],
2442                                                    &c->sid[0]);
2443                         if (rc)
2444                                 goto out;
2445                 }
2446                 *out_sid = c->sid[0];
2447         } else {
2448                 *out_sid = SECINITSID_NODE;
2449         }
2450
2451         rc = 0;
2452 out:
2453         read_unlock(&policy_rwlock);
2454         return rc;
2455 }
2456
2457 #define SIDS_NEL 25
2458
2459 /**
2460  * security_get_user_sids - Obtain reachable SIDs for a user.
2461  * @fromsid: starting SID
2462  * @username: username
2463  * @sids: array of reachable SIDs for user
2464  * @nel: number of elements in @sids
2465  *
2466  * Generate the set of SIDs for legal security contexts
2467  * for a given user that can be reached by @fromsid.
2468  * Set *@sids to point to a dynamically allocated
2469  * array containing the set of SIDs.  Set *@nel to the
2470  * number of elements in the array.
2471  */
2472
2473 int security_get_user_sids(u32 fromsid,
2474                            char *username,
2475                            u32 **sids,
2476                            u32 *nel)
2477 {
2478         struct context *fromcon, usercon;
2479         u32 *mysids = NULL, *mysids2, sid;
2480         u32 mynel = 0, maxnel = SIDS_NEL;
2481         struct user_datum *user;
2482         struct role_datum *role;
2483         struct ebitmap_node *rnode, *tnode;
2484         int rc = 0, i, j;
2485
2486         *sids = NULL;
2487         *nel = 0;
2488
2489         if (!ss_initialized)
2490                 goto out;
2491
2492         read_lock(&policy_rwlock);
2493
2494         context_init(&usercon);
2495
2496         rc = -EINVAL;
2497         fromcon = sidtab_search(&sidtab, fromsid);
2498         if (!fromcon)
2499                 goto out_unlock;
2500
2501         rc = -EINVAL;
2502         user = hashtab_search(policydb.p_users.table, username);
2503         if (!user)
2504                 goto out_unlock;
2505
2506         usercon.user = user->value;
2507
2508         rc = -ENOMEM;
2509         mysids = kcalloc(maxnel, sizeof(*mysids), GFP_ATOMIC);
2510         if (!mysids)
2511                 goto out_unlock;
2512
2513         ebitmap_for_each_positive_bit(&user->roles, rnode, i) {
2514                 role = policydb.role_val_to_struct[i];
2515                 usercon.role = i + 1;
2516                 ebitmap_for_each_positive_bit(&role->types, tnode, j) {
2517                         usercon.type = j + 1;
2518
2519                         if (mls_setup_user_range(fromcon, user, &usercon))
2520                                 continue;
2521
2522                         rc = sidtab_context_to_sid(&sidtab, &usercon, &sid);
2523                         if (rc)
2524                                 goto out_unlock;
2525                         if (mynel < maxnel) {
2526                                 mysids[mynel++] = sid;
2527                         } else {
2528                                 rc = -ENOMEM;
2529                                 maxnel += SIDS_NEL;
2530                                 mysids2 = kcalloc(maxnel, sizeof(*mysids2), GFP_ATOMIC);
2531                                 if (!mysids2)
2532                                         goto out_unlock;
2533                                 memcpy(mysids2, mysids, mynel * sizeof(*mysids2));
2534                                 kfree(mysids);
2535                                 mysids = mysids2;
2536                                 mysids[mynel++] = sid;
2537                         }
2538                 }
2539         }
2540         rc = 0;
2541 out_unlock:
2542         read_unlock(&policy_rwlock);
2543         if (rc || !mynel) {
2544                 kfree(mysids);
2545                 goto out;
2546         }
2547
2548         rc = -ENOMEM;
2549         mysids2 = kcalloc(mynel, sizeof(*mysids2), GFP_KERNEL);
2550         if (!mysids2) {
2551                 kfree(mysids);
2552                 goto out;
2553         }
2554         for (i = 0, j = 0; i < mynel; i++) {
2555                 struct av_decision dummy_avd;
2556                 rc = avc_has_perm_noaudit(fromsid, mysids[i],
2557                                           SECCLASS_PROCESS, /* kernel value */
2558                                           PROCESS__TRANSITION, AVC_STRICT,
2559                                           &dummy_avd);
2560                 if (!rc)
2561                         mysids2[j++] = mysids[i];
2562                 cond_resched();
2563         }
2564         rc = 0;
2565         kfree(mysids);
2566         *sids = mysids2;
2567         *nel = j;
2568 out:
2569         return rc;
2570 }
2571
2572 /**
2573  * __security_genfs_sid - Helper to obtain a SID for a file in a filesystem
2574  * @fstype: filesystem type
2575  * @path: path from root of mount
2576  * @sclass: file security class
2577  * @sid: SID for path
2578  *
2579  * Obtain a SID to use for a file in a filesystem that
2580  * cannot support xattr or use a fixed labeling behavior like
2581  * transition SIDs or task SIDs.
2582  *
2583  * The caller must acquire the policy_rwlock before calling this function.
2584  */
2585 static inline int __security_genfs_sid(const char *fstype,
2586                                        char *path,
2587                                        u16 orig_sclass,
2588                                        u32 *sid)
2589 {
2590         int len;
2591         u16 sclass;
2592         struct genfs *genfs;
2593         struct ocontext *c;
2594         int rc, cmp = 0;
2595
2596         while (path[0] == '/' && path[1] == '/')
2597                 path++;
2598
2599         sclass = unmap_class(orig_sclass);
2600         *sid = SECINITSID_UNLABELED;
2601
2602         for (genfs = policydb.genfs; genfs; genfs = genfs->next) {
2603                 cmp = strcmp(fstype, genfs->fstype);
2604                 if (cmp <= 0)
2605                         break;
2606         }
2607
2608         rc = -ENOENT;
2609         if (!genfs || cmp)
2610                 goto out;
2611
2612         for (c = genfs->head; c; c = c->next) {
2613                 len = strlen(c->u.name);
2614                 if ((!c->v.sclass || sclass == c->v.sclass) &&
2615                     (strncmp(c->u.name, path, len) == 0))
2616                         break;
2617         }
2618
2619         rc = -ENOENT;
2620         if (!c)
2621                 goto out;
2622
2623         if (!c->sid[0]) {
2624                 rc = sidtab_context_to_sid(&sidtab, &c->context[0], &c->sid[0]);
2625                 if (rc)
2626                         goto out;
2627         }
2628
2629         *sid = c->sid[0];
2630         rc = 0;
2631 out:
2632         return rc;
2633 }
2634
2635 /**
2636  * security_genfs_sid - Obtain a SID for a file in a filesystem
2637  * @fstype: filesystem type
2638  * @path: path from root of mount
2639  * @sclass: file security class
2640  * @sid: SID for path
2641  *
2642  * Acquire policy_rwlock before calling __security_genfs_sid() and release
2643  * it afterward.
2644  */
2645 int security_genfs_sid(const char *fstype,
2646                        char *path,
2647                        u16 orig_sclass,
2648                        u32 *sid)
2649 {
2650         int retval;
2651
2652         read_lock(&policy_rwlock);
2653         retval = __security_genfs_sid(fstype, path, orig_sclass, sid);
2654         read_unlock(&policy_rwlock);
2655         return retval;
2656 }
2657
2658 /**
2659  * security_fs_use - Determine how to handle labeling for a filesystem.
2660  * @sb: superblock in question
2661  */
2662 int security_fs_use(struct super_block *sb)
2663 {
2664         int rc = 0;
2665         struct ocontext *c;
2666         struct superblock_security_struct *sbsec = sb->s_security;
2667         const char *fstype = sb->s_type->name;
2668
2669         read_lock(&policy_rwlock);
2670
2671         c = policydb.ocontexts[OCON_FSUSE];
2672         while (c) {
2673                 if (strcmp(fstype, c->u.name) == 0)
2674                         break;
2675                 c = c->next;
2676         }
2677
2678         if (c) {
2679                 sbsec->behavior = c->v.behavior;
2680                 if (!c->sid[0]) {
2681                         rc = sidtab_context_to_sid(&sidtab, &c->context[0],
2682                                                    &c->sid[0]);
2683                         if (rc)
2684                                 goto out;
2685                 }
2686                 sbsec->sid = c->sid[0];
2687         } else {
2688                 rc = __security_genfs_sid(fstype, "/", SECCLASS_DIR,
2689                                           &sbsec->sid);
2690                 if (rc) {
2691                         sbsec->behavior = SECURITY_FS_USE_NONE;
2692                         rc = 0;
2693                 } else {
2694                         sbsec->behavior = SECURITY_FS_USE_GENFS;
2695                 }
2696         }
2697
2698 out:
2699         read_unlock(&policy_rwlock);
2700         return rc;
2701 }
2702
2703 int security_get_bools(int *len, char ***names, int **values)
2704 {
2705         int i, rc;
2706
2707         read_lock(&policy_rwlock);
2708         *names = NULL;
2709         *values = NULL;
2710
2711         rc = 0;
2712         *len = policydb.p_bools.nprim;
2713         if (!*len)
2714                 goto out;
2715
2716         rc = -ENOMEM;
2717         *names = kcalloc(*len, sizeof(char *), GFP_ATOMIC);
2718         if (!*names)
2719                 goto err;
2720
2721         rc = -ENOMEM;
2722         *values = kcalloc(*len, sizeof(int), GFP_ATOMIC);
2723         if (!*values)
2724                 goto err;
2725
2726         for (i = 0; i < *len; i++) {
2727                 (*values)[i] = policydb.bool_val_to_struct[i]->state;
2728
2729                 rc = -ENOMEM;
2730                 (*names)[i] = kstrdup(sym_name(&policydb, SYM_BOOLS, i), GFP_ATOMIC);
2731                 if (!(*names)[i])
2732                         goto err;
2733         }
2734         rc = 0;
2735 out:
2736         read_unlock(&policy_rwlock);
2737         return rc;
2738 err:
2739         if (*names) {
2740                 for (i = 0; i < *len; i++)
2741                         kfree((*names)[i]);
2742         }
2743         kfree(*values);
2744         goto out;
2745 }
2746
2747
2748 int security_set_bools(int len, int *values)
2749 {
2750         int i, rc;
2751         int lenp, seqno = 0;
2752         struct cond_node *cur;
2753
2754         write_lock_irq(&policy_rwlock);
2755
2756         rc = -EFAULT;
2757         lenp = policydb.p_bools.nprim;
2758         if (len != lenp)
2759                 goto out;
2760
2761         for (i = 0; i < len; i++) {
2762                 if (!!values[i] != policydb.bool_val_to_struct[i]->state) {
2763                         audit_log(current->audit_context, GFP_ATOMIC,
2764                                 AUDIT_MAC_CONFIG_CHANGE,
2765                                 "bool=%s val=%d old_val=%d auid=%u ses=%u",
2766                                 sym_name(&policydb, SYM_BOOLS, i),
2767                                 !!values[i],
2768                                 policydb.bool_val_to_struct[i]->state,
2769                                 from_kuid(&init_user_ns, audit_get_loginuid(current)),
2770                                 audit_get_sessionid(current));
2771                 }
2772                 if (values[i])
2773                         policydb.bool_val_to_struct[i]->state = 1;
2774                 else
2775                         policydb.bool_val_to_struct[i]->state = 0;
2776         }
2777
2778         for (cur = policydb.cond_list; cur; cur = cur->next) {
2779                 rc = evaluate_cond_node(&policydb, cur);
2780                 if (rc)
2781                         goto out;
2782         }
2783
2784         seqno = ++latest_granting;
2785         rc = 0;
2786 out:
2787         write_unlock_irq(&policy_rwlock);
2788         if (!rc) {
2789                 avc_ss_reset(seqno);
2790                 selnl_notify_policyload(seqno);
2791                 selinux_status_update_policyload(seqno);
2792                 selinux_xfrm_notify_policyload();
2793         }
2794         return rc;
2795 }
2796
2797 int security_get_bool_value(int index)
2798 {
2799         int rc;
2800         int len;
2801
2802         read_lock(&policy_rwlock);
2803
2804         rc = -EFAULT;
2805         len = policydb.p_bools.nprim;
2806         if (index >= len)
2807                 goto out;
2808
2809         rc = policydb.bool_val_to_struct[index]->state;
2810 out:
2811         read_unlock(&policy_rwlock);
2812         return rc;
2813 }
2814
2815 static int security_preserve_bools(struct policydb *p)
2816 {
2817         int rc, nbools = 0, *bvalues = NULL, i;
2818         char **bnames = NULL;
2819         struct cond_bool_datum *booldatum;
2820         struct cond_node *cur;
2821
2822         rc = security_get_bools(&nbools, &bnames, &bvalues);
2823         if (rc)
2824                 goto out;
2825         for (i = 0; i < nbools; i++) {
2826                 booldatum = hashtab_search(p->p_bools.table, bnames[i]);
2827                 if (booldatum)
2828                         booldatum->state = bvalues[i];
2829         }
2830         for (cur = p->cond_list; cur; cur = cur->next) {
2831                 rc = evaluate_cond_node(p, cur);
2832                 if (rc)
2833                         goto out;
2834         }
2835
2836 out:
2837         if (bnames) {
2838                 for (i = 0; i < nbools; i++)
2839                         kfree(bnames[i]);
2840         }
2841         kfree(bnames);
2842         kfree(bvalues);
2843         return rc;
2844 }
2845
2846 /*
2847  * security_sid_mls_copy() - computes a new sid based on the given
2848  * sid and the mls portion of mls_sid.
2849  */
2850 int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid)
2851 {
2852         struct context *context1;
2853         struct context *context2;
2854         struct context newcon;
2855         char *s;
2856         u32 len;
2857         int rc;
2858
2859         rc = 0;
2860         if (!ss_initialized || !policydb.mls_enabled) {
2861                 *new_sid = sid;
2862                 goto out;
2863         }
2864
2865         context_init(&newcon);
2866
2867         read_lock(&policy_rwlock);
2868
2869         rc = -EINVAL;
2870         context1 = sidtab_search(&sidtab, sid);
2871         if (!context1) {
2872                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
2873                         __func__, sid);
2874                 goto out_unlock;
2875         }
2876
2877         rc = -EINVAL;
2878         context2 = sidtab_search(&sidtab, mls_sid);
2879         if (!context2) {
2880                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
2881                         __func__, mls_sid);
2882                 goto out_unlock;
2883         }
2884
2885         newcon.user = context1->user;
2886         newcon.role = context1->role;
2887         newcon.type = context1->type;
2888         rc = mls_context_cpy(&newcon, context2);
2889         if (rc)
2890                 goto out_unlock;
2891
2892         /* Check the validity of the new context. */
2893         if (!policydb_context_isvalid(&policydb, &newcon)) {
2894                 rc = convert_context_handle_invalid_context(&newcon);
2895                 if (rc) {
2896                         if (!context_struct_to_string(&newcon, &s, &len)) {
2897                                 audit_log(current->audit_context,
2898                                           GFP_ATOMIC, AUDIT_SELINUX_ERR,
2899                                           "op=security_sid_mls_copy "
2900                                           "invalid_context=%s", s);
2901                                 kfree(s);
2902                         }
2903                         goto out_unlock;
2904                 }
2905         }
2906
2907         rc = sidtab_context_to_sid(&sidtab, &newcon, new_sid);
2908 out_unlock:
2909         read_unlock(&policy_rwlock);
2910         context_destroy(&newcon);
2911 out:
2912         return rc;
2913 }
2914
2915 /**
2916  * security_net_peersid_resolve - Compare and resolve two network peer SIDs
2917  * @nlbl_sid: NetLabel SID
2918  * @nlbl_type: NetLabel labeling protocol type
2919  * @xfrm_sid: XFRM SID
2920  *
2921  * Description:
2922  * Compare the @nlbl_sid and @xfrm_sid values and if the two SIDs can be
2923  * resolved into a single SID it is returned via @peer_sid and the function
2924  * returns zero.  Otherwise @peer_sid is set to SECSID_NULL and the function
2925  * returns a negative value.  A table summarizing the behavior is below:
2926  *
2927  *                                 | function return |      @sid
2928  *   ------------------------------+-----------------+-----------------
2929  *   no peer labels                |        0        |    SECSID_NULL
2930  *   single peer label             |        0        |    <peer_label>
2931  *   multiple, consistent labels   |        0        |    <peer_label>
2932  *   multiple, inconsistent labels |    -<errno>     |    SECSID_NULL
2933  *
2934  */
2935 int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type,
2936                                  u32 xfrm_sid,
2937                                  u32 *peer_sid)
2938 {
2939         int rc;
2940         struct context *nlbl_ctx;
2941         struct context *xfrm_ctx;
2942
2943         *peer_sid = SECSID_NULL;
2944
2945         /* handle the common (which also happens to be the set of easy) cases
2946          * right away, these two if statements catch everything involving a
2947          * single or absent peer SID/label */
2948         if (xfrm_sid == SECSID_NULL) {
2949                 *peer_sid = nlbl_sid;
2950                 return 0;
2951         }
2952         /* NOTE: an nlbl_type == NETLBL_NLTYPE_UNLABELED is a "fallback" label
2953          * and is treated as if nlbl_sid == SECSID_NULL when a XFRM SID/label
2954          * is present */
2955         if (nlbl_sid == SECSID_NULL || nlbl_type == NETLBL_NLTYPE_UNLABELED) {
2956                 *peer_sid = xfrm_sid;
2957                 return 0;
2958         }
2959
2960         /* we don't need to check ss_initialized here since the only way both
2961          * nlbl_sid and xfrm_sid are not equal to SECSID_NULL would be if the
2962          * security server was initialized and ss_initialized was true */
2963         if (!policydb.mls_enabled)
2964                 return 0;
2965
2966         read_lock(&policy_rwlock);
2967
2968         rc = -EINVAL;
2969         nlbl_ctx = sidtab_search(&sidtab, nlbl_sid);
2970         if (!nlbl_ctx) {
2971                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
2972                        __func__, nlbl_sid);
2973                 goto out;
2974         }
2975         rc = -EINVAL;
2976         xfrm_ctx = sidtab_search(&sidtab, xfrm_sid);
2977         if (!xfrm_ctx) {
2978                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
2979                        __func__, xfrm_sid);
2980                 goto out;
2981         }
2982         rc = (mls_context_cmp(nlbl_ctx, xfrm_ctx) ? 0 : -EACCES);
2983         if (rc)
2984                 goto out;
2985
2986         /* at present NetLabel SIDs/labels really only carry MLS
2987          * information so if the MLS portion of the NetLabel SID
2988          * matches the MLS portion of the labeled XFRM SID/label
2989          * then pass along the XFRM SID as it is the most
2990          * expressive */
2991         *peer_sid = xfrm_sid;
2992 out:
2993         read_unlock(&policy_rwlock);
2994         return rc;
2995 }
2996
2997 static int get_classes_callback(void *k, void *d, void *args)
2998 {
2999         struct class_datum *datum = d;
3000         char *name = k, **classes = args;
3001         int value = datum->value - 1;
3002
3003         classes[value] = kstrdup(name, GFP_ATOMIC);
3004         if (!classes[value])
3005                 return -ENOMEM;
3006
3007         return 0;
3008 }
3009
3010 int security_get_classes(char ***classes, int *nclasses)
3011 {
3012         int rc;
3013
3014         read_lock(&policy_rwlock);
3015
3016         rc = -ENOMEM;
3017         *nclasses = policydb.p_classes.nprim;
3018         *classes = kcalloc(*nclasses, sizeof(**classes), GFP_ATOMIC);
3019         if (!*classes)
3020                 goto out;
3021
3022         rc = hashtab_map(policydb.p_classes.table, get_classes_callback,
3023                         *classes);
3024         if (rc) {
3025                 int i;
3026                 for (i = 0; i < *nclasses; i++)
3027                         kfree((*classes)[i]);
3028                 kfree(*classes);
3029         }
3030
3031 out:
3032         read_unlock(&policy_rwlock);
3033         return rc;
3034 }
3035
3036 static int get_permissions_callback(void *k, void *d, void *args)
3037 {
3038         struct perm_datum *datum = d;
3039         char *name = k, **perms = args;
3040         int value = datum->value - 1;
3041
3042         perms[value] = kstrdup(name, GFP_ATOMIC);
3043         if (!perms[value])
3044                 return -ENOMEM;
3045
3046         return 0;
3047 }
3048
3049 int security_get_permissions(char *class, char ***perms, int *nperms)
3050 {
3051         int rc, i;
3052         struct class_datum *match;
3053
3054         read_lock(&policy_rwlock);
3055
3056         rc = -EINVAL;
3057         match = hashtab_search(policydb.p_classes.table, class);
3058         if (!match) {
3059                 printk(KERN_ERR "SELinux: %s:  unrecognized class %s\n",
3060                         __func__, class);
3061                 goto out;
3062         }
3063
3064         rc = -ENOMEM;
3065         *nperms = match->permissions.nprim;
3066         *perms = kcalloc(*nperms, sizeof(**perms), GFP_ATOMIC);
3067         if (!*perms)
3068                 goto out;
3069
3070         if (match->comdatum) {
3071                 rc = hashtab_map(match->comdatum->permissions.table,
3072                                 get_permissions_callback, *perms);
3073                 if (rc)
3074                         goto err;
3075         }
3076
3077         rc = hashtab_map(match->permissions.table, get_permissions_callback,
3078                         *perms);
3079         if (rc)
3080                 goto err;
3081
3082 out:
3083         read_unlock(&policy_rwlock);
3084         return rc;
3085
3086 err:
3087         read_unlock(&policy_rwlock);
3088         for (i = 0; i < *nperms; i++)
3089                 kfree((*perms)[i]);
3090         kfree(*perms);
3091         return rc;
3092 }
3093
3094 int security_get_reject_unknown(void)