Merge tag 'selinux-pr-20180130' of git://git.kernel.org/pub/scm/linux/kernel/git...
[sfrench/cifs-2.6.git] / security / selinux / ss / services.c
1 /*
2  * Implementation of the security services.
3  *
4  * Authors : Stephen Smalley, <sds@tycho.nsa.gov>
5  *           James Morris <jmorris@redhat.com>
6  *
7  * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
8  *
9  *      Support for enhanced MLS infrastructure.
10  *      Support for context based audit filters.
11  *
12  * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
13  *
14  *      Added conditional policy language extensions
15  *
16  * Updated: Hewlett-Packard <paul@paul-moore.com>
17  *
18  *      Added support for NetLabel
19  *      Added support for the policy capability bitmap
20  *
21  * Updated: Chad Sellers <csellers@tresys.com>
22  *
23  *  Added validation of kernel classes and permissions
24  *
25  * Updated: KaiGai Kohei <kaigai@ak.jp.nec.com>
26  *
27  *  Added support for bounds domain and audit messaged on masked permissions
28  *
29  * Updated: Guido Trentalancia <guido@trentalancia.com>
30  *
31  *  Added support for runtime switching of the policy type
32  *
33  * Copyright (C) 2008, 2009 NEC Corporation
34  * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
35  * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
36  * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC
37  * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
38  *      This program is free software; you can redistribute it and/or modify
39  *      it under the terms of the GNU General Public License as published by
40  *      the Free Software Foundation, version 2.
41  */
42 #include <linux/kernel.h>
43 #include <linux/slab.h>
44 #include <linux/string.h>
45 #include <linux/spinlock.h>
46 #include <linux/rcupdate.h>
47 #include <linux/errno.h>
48 #include <linux/in.h>
49 #include <linux/sched.h>
50 #include <linux/audit.h>
51 #include <linux/mutex.h>
52 #include <linux/selinux.h>
53 #include <linux/flex_array.h>
54 #include <linux/vmalloc.h>
55 #include <net/netlabel.h>
56
57 #include "flask.h"
58 #include "avc.h"
59 #include "avc_ss.h"
60 #include "security.h"
61 #include "context.h"
62 #include "policydb.h"
63 #include "sidtab.h"
64 #include "services.h"
65 #include "conditional.h"
66 #include "mls.h"
67 #include "objsec.h"
68 #include "netlabel.h"
69 #include "xfrm.h"
70 #include "ebitmap.h"
71 #include "audit.h"
72
73 /* Policy capability names */
74 char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX] = {
75         "network_peer_controls",
76         "open_perms",
77         "extended_socket_class",
78         "always_check_network",
79         "cgroup_seclabel",
80         "nnp_nosuid_transition"
81 };
82
83 int selinux_policycap_netpeer;
84 int selinux_policycap_openperm;
85 int selinux_policycap_extsockclass;
86 int selinux_policycap_alwaysnetwork;
87 int selinux_policycap_cgroupseclabel;
88 int selinux_policycap_nnp_nosuid_transition;
89
90 static DEFINE_RWLOCK(policy_rwlock);
91
92 static struct sidtab sidtab;
93 struct policydb policydb;
94 int ss_initialized;
95
96 /*
97  * The largest sequence number that has been used when
98  * providing an access decision to the access vector cache.
99  * The sequence number only changes when a policy change
100  * occurs.
101  */
102 static u32 latest_granting;
103
104 /* Forward declaration. */
105 static int context_struct_to_string(struct context *context, char **scontext,
106                                     u32 *scontext_len);
107
108 static void context_struct_compute_av(struct context *scontext,
109                                         struct context *tcontext,
110                                         u16 tclass,
111                                         struct av_decision *avd,
112                                         struct extended_perms *xperms);
113
114 struct selinux_mapping {
115         u16 value; /* policy value */
116         unsigned num_perms;
117         u32 perms[sizeof(u32) * 8];
118 };
119
120 static struct selinux_mapping *current_mapping;
121 static u16 current_mapping_size;
122
123 static int selinux_set_mapping(struct policydb *pol,
124                                struct security_class_mapping *map,
125                                struct selinux_mapping **out_map_p,
126                                u16 *out_map_size)
127 {
128         struct selinux_mapping *out_map = NULL;
129         size_t size = sizeof(struct selinux_mapping);
130         u16 i, j;
131         unsigned k;
132         bool print_unknown_handle = false;
133
134         /* Find number of classes in the input mapping */
135         if (!map)
136                 return -EINVAL;
137         i = 0;
138         while (map[i].name)
139                 i++;
140
141         /* Allocate space for the class records, plus one for class zero */
142         out_map = kcalloc(++i, size, GFP_ATOMIC);
143         if (!out_map)
144                 return -ENOMEM;
145
146         /* Store the raw class and permission values */
147         j = 0;
148         while (map[j].name) {
149                 struct security_class_mapping *p_in = map + (j++);
150                 struct selinux_mapping *p_out = out_map + j;
151
152                 /* An empty class string skips ahead */
153                 if (!strcmp(p_in->name, "")) {
154                         p_out->num_perms = 0;
155                         continue;
156                 }
157
158                 p_out->value = string_to_security_class(pol, p_in->name);
159                 if (!p_out->value) {
160                         printk(KERN_INFO
161                                "SELinux:  Class %s not defined in policy.\n",
162                                p_in->name);
163                         if (pol->reject_unknown)
164                                 goto err;
165                         p_out->num_perms = 0;
166                         print_unknown_handle = true;
167                         continue;
168                 }
169
170                 k = 0;
171                 while (p_in->perms[k]) {
172                         /* An empty permission string skips ahead */
173                         if (!*p_in->perms[k]) {
174                                 k++;
175                                 continue;
176                         }
177                         p_out->perms[k] = string_to_av_perm(pol, p_out->value,
178                                                             p_in->perms[k]);
179                         if (!p_out->perms[k]) {
180                                 printk(KERN_INFO
181                                        "SELinux:  Permission %s in class %s not defined in policy.\n",
182                                        p_in->perms[k], p_in->name);
183                                 if (pol->reject_unknown)
184                                         goto err;
185                                 print_unknown_handle = true;
186                         }
187
188                         k++;
189                 }
190                 p_out->num_perms = k;
191         }
192
193         if (print_unknown_handle)
194                 printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
195                        pol->allow_unknown ? "allowed" : "denied");
196
197         *out_map_p = out_map;
198         *out_map_size = i;
199         return 0;
200 err:
201         kfree(out_map);
202         return -EINVAL;
203 }
204
205 /*
206  * Get real, policy values from mapped values
207  */
208
209 static u16 unmap_class(u16 tclass)
210 {
211         if (tclass < current_mapping_size)
212                 return current_mapping[tclass].value;
213
214         return tclass;
215 }
216
217 /*
218  * Get kernel value for class from its policy value
219  */
220 static u16 map_class(u16 pol_value)
221 {
222         u16 i;
223
224         for (i = 1; i < current_mapping_size; i++) {
225                 if (current_mapping[i].value == pol_value)
226                         return i;
227         }
228
229         return SECCLASS_NULL;
230 }
231
232 static void map_decision(u16 tclass, struct av_decision *avd,
233                          int allow_unknown)
234 {
235         if (tclass < current_mapping_size) {
236                 unsigned i, n = current_mapping[tclass].num_perms;
237                 u32 result;
238
239                 for (i = 0, result = 0; i < n; i++) {
240                         if (avd->allowed & current_mapping[tclass].perms[i])
241                                 result |= 1<<i;
242                         if (allow_unknown && !current_mapping[tclass].perms[i])
243                                 result |= 1<<i;
244                 }
245                 avd->allowed = result;
246
247                 for (i = 0, result = 0; i < n; i++)
248                         if (avd->auditallow & current_mapping[tclass].perms[i])
249                                 result |= 1<<i;
250                 avd->auditallow = result;
251
252                 for (i = 0, result = 0; i < n; i++) {
253                         if (avd->auditdeny & current_mapping[tclass].perms[i])
254                                 result |= 1<<i;
255                         if (!allow_unknown && !current_mapping[tclass].perms[i])
256                                 result |= 1<<i;
257                 }
258                 /*
259                  * In case the kernel has a bug and requests a permission
260                  * between num_perms and the maximum permission number, we
261                  * should audit that denial
262                  */
263                 for (; i < (sizeof(u32)*8); i++)
264                         result |= 1<<i;
265                 avd->auditdeny = result;
266         }
267 }
268
269 int security_mls_enabled(void)
270 {
271         return policydb.mls_enabled;
272 }
273
274 /*
275  * Return the boolean value of a constraint expression
276  * when it is applied to the specified source and target
277  * security contexts.
278  *
279  * xcontext is a special beast...  It is used by the validatetrans rules
280  * only.  For these rules, scontext is the context before the transition,
281  * tcontext is the context after the transition, and xcontext is the context
282  * of the process performing the transition.  All other callers of
283  * constraint_expr_eval should pass in NULL for xcontext.
284  */
285 static int constraint_expr_eval(struct context *scontext,
286                                 struct context *tcontext,
287                                 struct context *xcontext,
288                                 struct constraint_expr *cexpr)
289 {
290         u32 val1, val2;
291         struct context *c;
292         struct role_datum *r1, *r2;
293         struct mls_level *l1, *l2;
294         struct constraint_expr *e;
295         int s[CEXPR_MAXDEPTH];
296         int sp = -1;
297
298         for (e = cexpr; e; e = e->next) {
299                 switch (e->expr_type) {
300                 case CEXPR_NOT:
301                         BUG_ON(sp < 0);
302                         s[sp] = !s[sp];
303                         break;
304                 case CEXPR_AND:
305                         BUG_ON(sp < 1);
306                         sp--;
307                         s[sp] &= s[sp + 1];
308                         break;
309                 case CEXPR_OR:
310                         BUG_ON(sp < 1);
311                         sp--;
312                         s[sp] |= s[sp + 1];
313                         break;
314                 case CEXPR_ATTR:
315                         if (sp == (CEXPR_MAXDEPTH - 1))
316                                 return 0;
317                         switch (e->attr) {
318                         case CEXPR_USER:
319                                 val1 = scontext->user;
320                                 val2 = tcontext->user;
321                                 break;
322                         case CEXPR_TYPE:
323                                 val1 = scontext->type;
324                                 val2 = tcontext->type;
325                                 break;
326                         case CEXPR_ROLE:
327                                 val1 = scontext->role;
328                                 val2 = tcontext->role;
329                                 r1 = policydb.role_val_to_struct[val1 - 1];
330                                 r2 = policydb.role_val_to_struct[val2 - 1];
331                                 switch (e->op) {
332                                 case CEXPR_DOM:
333                                         s[++sp] = ebitmap_get_bit(&r1->dominates,
334                                                                   val2 - 1);
335                                         continue;
336                                 case CEXPR_DOMBY:
337                                         s[++sp] = ebitmap_get_bit(&r2->dominates,
338                                                                   val1 - 1);
339                                         continue;
340                                 case CEXPR_INCOMP:
341                                         s[++sp] = (!ebitmap_get_bit(&r1->dominates,
342                                                                     val2 - 1) &&
343                                                    !ebitmap_get_bit(&r2->dominates,
344                                                                     val1 - 1));
345                                         continue;
346                                 default:
347                                         break;
348                                 }
349                                 break;
350                         case CEXPR_L1L2:
351                                 l1 = &(scontext->range.level[0]);
352                                 l2 = &(tcontext->range.level[0]);
353                                 goto mls_ops;
354                         case CEXPR_L1H2:
355                                 l1 = &(scontext->range.level[0]);
356                                 l2 = &(tcontext->range.level[1]);
357                                 goto mls_ops;
358                         case CEXPR_H1L2:
359                                 l1 = &(scontext->range.level[1]);
360                                 l2 = &(tcontext->range.level[0]);
361                                 goto mls_ops;
362                         case CEXPR_H1H2:
363                                 l1 = &(scontext->range.level[1]);
364                                 l2 = &(tcontext->range.level[1]);
365                                 goto mls_ops;
366                         case CEXPR_L1H1:
367                                 l1 = &(scontext->range.level[0]);
368                                 l2 = &(scontext->range.level[1]);
369                                 goto mls_ops;
370                         case CEXPR_L2H2:
371                                 l1 = &(tcontext->range.level[0]);
372                                 l2 = &(tcontext->range.level[1]);
373                                 goto mls_ops;
374 mls_ops:
375                         switch (e->op) {
376                         case CEXPR_EQ:
377                                 s[++sp] = mls_level_eq(l1, l2);
378                                 continue;
379                         case CEXPR_NEQ:
380                                 s[++sp] = !mls_level_eq(l1, l2);
381                                 continue;
382                         case CEXPR_DOM:
383                                 s[++sp] = mls_level_dom(l1, l2);
384                                 continue;
385                         case CEXPR_DOMBY:
386                                 s[++sp] = mls_level_dom(l2, l1);
387                                 continue;
388                         case CEXPR_INCOMP:
389                                 s[++sp] = mls_level_incomp(l2, l1);
390                                 continue;
391                         default:
392                                 BUG();
393                                 return 0;
394                         }
395                         break;
396                         default:
397                                 BUG();
398                                 return 0;
399                         }
400
401                         switch (e->op) {
402                         case CEXPR_EQ:
403                                 s[++sp] = (val1 == val2);
404                                 break;
405                         case CEXPR_NEQ:
406                                 s[++sp] = (val1 != val2);
407                                 break;
408                         default:
409                                 BUG();
410                                 return 0;
411                         }
412                         break;
413                 case CEXPR_NAMES:
414                         if (sp == (CEXPR_MAXDEPTH-1))
415                                 return 0;
416                         c = scontext;
417                         if (e->attr & CEXPR_TARGET)
418                                 c = tcontext;
419                         else if (e->attr & CEXPR_XTARGET) {
420                                 c = xcontext;
421                                 if (!c) {
422                                         BUG();
423                                         return 0;
424                                 }
425                         }
426                         if (e->attr & CEXPR_USER)
427                                 val1 = c->user;
428                         else if (e->attr & CEXPR_ROLE)
429                                 val1 = c->role;
430                         else if (e->attr & CEXPR_TYPE)
431                                 val1 = c->type;
432                         else {
433                                 BUG();
434                                 return 0;
435                         }
436
437                         switch (e->op) {
438                         case CEXPR_EQ:
439                                 s[++sp] = ebitmap_get_bit(&e->names, val1 - 1);
440                                 break;
441                         case CEXPR_NEQ:
442                                 s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1);
443                                 break;
444                         default:
445                                 BUG();
446                                 return 0;
447                         }
448                         break;
449                 default:
450                         BUG();
451                         return 0;
452                 }
453         }
454
455         BUG_ON(sp != 0);
456         return s[0];
457 }
458
459 /*
460  * security_dump_masked_av - dumps masked permissions during
461  * security_compute_av due to RBAC, MLS/Constraint and Type bounds.
462  */
463 static int dump_masked_av_helper(void *k, void *d, void *args)
464 {
465         struct perm_datum *pdatum = d;
466         char **permission_names = args;
467
468         BUG_ON(pdatum->value < 1 || pdatum->value > 32);
469
470         permission_names[pdatum->value - 1] = (char *)k;
471
472         return 0;
473 }
474
475 static void security_dump_masked_av(struct context *scontext,
476                                     struct context *tcontext,
477                                     u16 tclass,
478                                     u32 permissions,
479                                     const char *reason)
480 {
481         struct common_datum *common_dat;
482         struct class_datum *tclass_dat;
483         struct audit_buffer *ab;
484         char *tclass_name;
485         char *scontext_name = NULL;
486         char *tcontext_name = NULL;
487         char *permission_names[32];
488         int index;
489         u32 length;
490         bool need_comma = false;
491
492         if (!permissions)
493                 return;
494
495         tclass_name = sym_name(&policydb, SYM_CLASSES, tclass - 1);
496         tclass_dat = policydb.class_val_to_struct[tclass - 1];
497         common_dat = tclass_dat->comdatum;
498
499         /* init permission_names */
500         if (common_dat &&
501             hashtab_map(common_dat->permissions.table,
502                         dump_masked_av_helper, permission_names) < 0)
503                 goto out;
504
505         if (hashtab_map(tclass_dat->permissions.table,
506                         dump_masked_av_helper, permission_names) < 0)
507                 goto out;
508
509         /* get scontext/tcontext in text form */
510         if (context_struct_to_string(scontext,
511                                      &scontext_name, &length) < 0)
512                 goto out;
513
514         if (context_struct_to_string(tcontext,
515                                      &tcontext_name, &length) < 0)
516                 goto out;
517
518         /* audit a message */
519         ab = audit_log_start(current->audit_context,
520                              GFP_ATOMIC, AUDIT_SELINUX_ERR);
521         if (!ab)
522                 goto out;
523
524         audit_log_format(ab, "op=security_compute_av reason=%s "
525                          "scontext=%s tcontext=%s tclass=%s perms=",
526                          reason, scontext_name, tcontext_name, tclass_name);
527
528         for (index = 0; index < 32; index++) {
529                 u32 mask = (1 << index);
530
531                 if ((mask & permissions) == 0)
532                         continue;
533
534                 audit_log_format(ab, "%s%s",
535                                  need_comma ? "," : "",
536                                  permission_names[index]
537                                  ? permission_names[index] : "????");
538                 need_comma = true;
539         }
540         audit_log_end(ab);
541 out:
542         /* release scontext/tcontext */
543         kfree(tcontext_name);
544         kfree(scontext_name);
545
546         return;
547 }
548
549 /*
550  * security_boundary_permission - drops violated permissions
551  * on boundary constraint.
552  */
553 static void type_attribute_bounds_av(struct context *scontext,
554                                      struct context *tcontext,
555                                      u16 tclass,
556                                      struct av_decision *avd)
557 {
558         struct context lo_scontext;
559         struct context lo_tcontext, *tcontextp = tcontext;
560         struct av_decision lo_avd;
561         struct type_datum *source;
562         struct type_datum *target;
563         u32 masked = 0;
564
565         source = flex_array_get_ptr(policydb.type_val_to_struct_array,
566                                     scontext->type - 1);
567         BUG_ON(!source);
568
569         if (!source->bounds)
570                 return;
571
572         target = flex_array_get_ptr(policydb.type_val_to_struct_array,
573                                     tcontext->type - 1);
574         BUG_ON(!target);
575
576         memset(&lo_avd, 0, sizeof(lo_avd));
577
578         memcpy(&lo_scontext, scontext, sizeof(lo_scontext));
579         lo_scontext.type = source->bounds;
580
581         if (target->bounds) {
582                 memcpy(&lo_tcontext, tcontext, sizeof(lo_tcontext));
583                 lo_tcontext.type = target->bounds;
584                 tcontextp = &lo_tcontext;
585         }
586
587         context_struct_compute_av(&lo_scontext,
588                                   tcontextp,
589                                   tclass,
590                                   &lo_avd,
591                                   NULL);
592
593         masked = ~lo_avd.allowed & avd->allowed;
594
595         if (likely(!masked))
596                 return;         /* no masked permission */
597
598         /* mask violated permissions */
599         avd->allowed &= ~masked;
600
601         /* audit masked permissions */
602         security_dump_masked_av(scontext, tcontext,
603                                 tclass, masked, "bounds");
604 }
605
606 /*
607  * flag which drivers have permissions
608  * only looking for ioctl based extended permssions
609  */
610 void services_compute_xperms_drivers(
611                 struct extended_perms *xperms,
612                 struct avtab_node *node)
613 {
614         unsigned int i;
615
616         if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) {
617                 /* if one or more driver has all permissions allowed */
618                 for (i = 0; i < ARRAY_SIZE(xperms->drivers.p); i++)
619                         xperms->drivers.p[i] |= node->datum.u.xperms->perms.p[i];
620         } else if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) {
621                 /* if allowing permissions within a driver */
622                 security_xperm_set(xperms->drivers.p,
623                                         node->datum.u.xperms->driver);
624         }
625
626         /* If no ioctl commands are allowed, ignore auditallow and auditdeny */
627         if (node->key.specified & AVTAB_XPERMS_ALLOWED)
628                 xperms->len = 1;
629 }
630
631 /*
632  * Compute access vectors and extended permissions based on a context
633  * structure pair for the permissions in a particular class.
634  */
635 static void context_struct_compute_av(struct context *scontext,
636                                         struct context *tcontext,
637                                         u16 tclass,
638                                         struct av_decision *avd,
639                                         struct extended_perms *xperms)
640 {
641         struct constraint_node *constraint;
642         struct role_allow *ra;
643         struct avtab_key avkey;
644         struct avtab_node *node;
645         struct class_datum *tclass_datum;
646         struct ebitmap *sattr, *tattr;
647         struct ebitmap_node *snode, *tnode;
648         unsigned int i, j;
649
650         avd->allowed = 0;
651         avd->auditallow = 0;
652         avd->auditdeny = 0xffffffff;
653         if (xperms) {
654                 memset(&xperms->drivers, 0, sizeof(xperms->drivers));
655                 xperms->len = 0;
656         }
657
658         if (unlikely(!tclass || tclass > policydb.p_classes.nprim)) {
659                 if (printk_ratelimit())
660                         printk(KERN_WARNING "SELinux:  Invalid class %hu\n", tclass);
661                 return;
662         }
663
664         tclass_datum = policydb.class_val_to_struct[tclass - 1];
665
666         /*
667          * If a specific type enforcement rule was defined for
668          * this permission check, then use it.
669          */
670         avkey.target_class = tclass;
671         avkey.specified = AVTAB_AV | AVTAB_XPERMS;
672         sattr = flex_array_get(policydb.type_attr_map_array, scontext->type - 1);
673         BUG_ON(!sattr);
674         tattr = flex_array_get(policydb.type_attr_map_array, tcontext->type - 1);
675         BUG_ON(!tattr);
676         ebitmap_for_each_positive_bit(sattr, snode, i) {
677                 ebitmap_for_each_positive_bit(tattr, tnode, j) {
678                         avkey.source_type = i + 1;
679                         avkey.target_type = j + 1;
680                         for (node = avtab_search_node(&policydb.te_avtab, &avkey);
681                              node;
682                              node = avtab_search_node_next(node, avkey.specified)) {
683                                 if (node->key.specified == AVTAB_ALLOWED)
684                                         avd->allowed |= node->datum.u.data;
685                                 else if (node->key.specified == AVTAB_AUDITALLOW)
686                                         avd->auditallow |= node->datum.u.data;
687                                 else if (node->key.specified == AVTAB_AUDITDENY)
688                                         avd->auditdeny &= node->datum.u.data;
689                                 else if (xperms && (node->key.specified & AVTAB_XPERMS))
690                                         services_compute_xperms_drivers(xperms, node);
691                         }
692
693                         /* Check conditional av table for additional permissions */
694                         cond_compute_av(&policydb.te_cond_avtab, &avkey,
695                                         avd, xperms);
696
697                 }
698         }
699
700         /*
701          * Remove any permissions prohibited by a constraint (this includes
702          * the MLS policy).
703          */
704         constraint = tclass_datum->constraints;
705         while (constraint) {
706                 if ((constraint->permissions & (avd->allowed)) &&
707                     !constraint_expr_eval(scontext, tcontext, NULL,
708                                           constraint->expr)) {
709                         avd->allowed &= ~(constraint->permissions);
710                 }
711                 constraint = constraint->next;
712         }
713
714         /*
715          * If checking process transition permission and the
716          * role is changing, then check the (current_role, new_role)
717          * pair.
718          */
719         if (tclass == policydb.process_class &&
720             (avd->allowed & policydb.process_trans_perms) &&
721             scontext->role != tcontext->role) {
722                 for (ra = policydb.role_allow; ra; ra = ra->next) {
723                         if (scontext->role == ra->role &&
724                             tcontext->role == ra->new_role)
725                                 break;
726                 }
727                 if (!ra)
728                         avd->allowed &= ~policydb.process_trans_perms;
729         }
730
731         /*
732          * If the given source and target types have boundary
733          * constraint, lazy checks have to mask any violated
734          * permission and notice it to userspace via audit.
735          */
736         type_attribute_bounds_av(scontext, tcontext,
737                                  tclass, avd);
738 }
739
740 static int security_validtrans_handle_fail(struct context *ocontext,
741                                            struct context *ncontext,
742                                            struct context *tcontext,
743                                            u16 tclass)
744 {
745         char *o = NULL, *n = NULL, *t = NULL;
746         u32 olen, nlen, tlen;
747
748         if (context_struct_to_string(ocontext, &o, &olen))
749                 goto out;
750         if (context_struct_to_string(ncontext, &n, &nlen))
751                 goto out;
752         if (context_struct_to_string(tcontext, &t, &tlen))
753                 goto out;
754         audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
755                   "op=security_validate_transition seresult=denied"
756                   " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
757                   o, n, t, sym_name(&policydb, SYM_CLASSES, tclass-1));
758 out:
759         kfree(o);
760         kfree(n);
761         kfree(t);
762
763         if (!selinux_enforcing)
764                 return 0;
765         return -EPERM;
766 }
767
768 static int security_compute_validatetrans(u32 oldsid, u32 newsid, u32 tasksid,
769                                           u16 orig_tclass, bool user)
770 {
771         struct context *ocontext;
772         struct context *ncontext;
773         struct context *tcontext;
774         struct class_datum *tclass_datum;
775         struct constraint_node *constraint;
776         u16 tclass;
777         int rc = 0;
778
779         if (!ss_initialized)
780                 return 0;
781
782         read_lock(&policy_rwlock);
783
784         if (!user)
785                 tclass = unmap_class(orig_tclass);
786         else
787                 tclass = orig_tclass;
788
789         if (!tclass || tclass > policydb.p_classes.nprim) {
790                 rc = -EINVAL;
791                 goto out;
792         }
793         tclass_datum = policydb.class_val_to_struct[tclass - 1];
794
795         ocontext = sidtab_search(&sidtab, oldsid);
796         if (!ocontext) {
797                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
798                         __func__, oldsid);
799                 rc = -EINVAL;
800                 goto out;
801         }
802
803         ncontext = sidtab_search(&sidtab, newsid);
804         if (!ncontext) {
805                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
806                         __func__, newsid);
807                 rc = -EINVAL;
808                 goto out;
809         }
810
811         tcontext = sidtab_search(&sidtab, tasksid);
812         if (!tcontext) {
813                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
814                         __func__, tasksid);
815                 rc = -EINVAL;
816                 goto out;
817         }
818
819         constraint = tclass_datum->validatetrans;
820         while (constraint) {
821                 if (!constraint_expr_eval(ocontext, ncontext, tcontext,
822                                           constraint->expr)) {
823                         if (user)
824                                 rc = -EPERM;
825                         else
826                                 rc = security_validtrans_handle_fail(ocontext,
827                                                                      ncontext,
828                                                                      tcontext,
829                                                                      tclass);
830                         goto out;
831                 }
832                 constraint = constraint->next;
833         }
834
835 out:
836         read_unlock(&policy_rwlock);
837         return rc;
838 }
839
840 int security_validate_transition_user(u32 oldsid, u32 newsid, u32 tasksid,
841                                         u16 tclass)
842 {
843         return security_compute_validatetrans(oldsid, newsid, tasksid,
844                                                 tclass, true);
845 }
846
847 int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
848                                  u16 orig_tclass)
849 {
850         return security_compute_validatetrans(oldsid, newsid, tasksid,
851                                                 orig_tclass, false);
852 }
853
854 /*
855  * security_bounded_transition - check whether the given
856  * transition is directed to bounded, or not.
857  * It returns 0, if @newsid is bounded by @oldsid.
858  * Otherwise, it returns error code.
859  *
860  * @oldsid : current security identifier
861  * @newsid : destinated security identifier
862  */
863 int security_bounded_transition(u32 old_sid, u32 new_sid)
864 {
865         struct context *old_context, *new_context;
866         struct type_datum *type;
867         int index;
868         int rc;
869
870         if (!ss_initialized)
871                 return 0;
872
873         read_lock(&policy_rwlock);
874
875         rc = -EINVAL;
876         old_context = sidtab_search(&sidtab, old_sid);
877         if (!old_context) {
878                 printk(KERN_ERR "SELinux: %s: unrecognized SID %u\n",
879                        __func__, old_sid);
880                 goto out;
881         }
882
883         rc = -EINVAL;
884         new_context = sidtab_search(&sidtab, new_sid);
885         if (!new_context) {
886                 printk(KERN_ERR "SELinux: %s: unrecognized SID %u\n",
887                        __func__, new_sid);
888                 goto out;
889         }
890
891         rc = 0;
892         /* type/domain unchanged */
893         if (old_context->type == new_context->type)
894                 goto out;
895
896         index = new_context->type;
897         while (true) {
898                 type = flex_array_get_ptr(policydb.type_val_to_struct_array,
899                                           index - 1);
900                 BUG_ON(!type);
901
902                 /* not bounded anymore */
903                 rc = -EPERM;
904                 if (!type->bounds)
905                         break;
906
907                 /* @newsid is bounded by @oldsid */
908                 rc = 0;
909                 if (type->bounds == old_context->type)
910                         break;
911
912                 index = type->bounds;
913         }
914
915         if (rc) {
916                 char *old_name = NULL;
917                 char *new_name = NULL;
918                 u32 length;
919
920                 if (!context_struct_to_string(old_context,
921                                               &old_name, &length) &&
922                     !context_struct_to_string(new_context,
923                                               &new_name, &length)) {
924                         audit_log(current->audit_context,
925                                   GFP_ATOMIC, AUDIT_SELINUX_ERR,
926                                   "op=security_bounded_transition "
927                                   "seresult=denied "
928                                   "oldcontext=%s newcontext=%s",
929                                   old_name, new_name);
930                 }
931                 kfree(new_name);
932                 kfree(old_name);
933         }
934 out:
935         read_unlock(&policy_rwlock);
936
937         return rc;
938 }
939
940 static void avd_init(struct av_decision *avd)
941 {
942         avd->allowed = 0;
943         avd->auditallow = 0;
944         avd->auditdeny = 0xffffffff;
945         avd->seqno = latest_granting;
946         avd->flags = 0;
947 }
948
949 void services_compute_xperms_decision(struct extended_perms_decision *xpermd,
950                                         struct avtab_node *node)
951 {
952         unsigned int i;
953
954         if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) {
955                 if (xpermd->driver != node->datum.u.xperms->driver)
956                         return;
957         } else if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) {
958                 if (!security_xperm_test(node->datum.u.xperms->perms.p,
959                                         xpermd->driver))
960                         return;
961         } else {
962                 BUG();
963         }
964
965         if (node->key.specified == AVTAB_XPERMS_ALLOWED) {
966                 xpermd->used |= XPERMS_ALLOWED;
967                 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) {
968                         memset(xpermd->allowed->p, 0xff,
969                                         sizeof(xpermd->allowed->p));
970                 }
971                 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) {
972                         for (i = 0; i < ARRAY_SIZE(xpermd->allowed->p); i++)
973                                 xpermd->allowed->p[i] |=
974                                         node->datum.u.xperms->perms.p[i];
975                 }
976         } else if (node->key.specified == AVTAB_XPERMS_AUDITALLOW) {
977                 xpermd->used |= XPERMS_AUDITALLOW;
978                 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) {
979                         memset(xpermd->auditallow->p, 0xff,
980                                         sizeof(xpermd->auditallow->p));
981                 }
982                 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) {
983                         for (i = 0; i < ARRAY_SIZE(xpermd->auditallow->p); i++)
984                                 xpermd->auditallow->p[i] |=
985                                         node->datum.u.xperms->perms.p[i];
986                 }
987         } else if (node->key.specified == AVTAB_XPERMS_DONTAUDIT) {
988                 xpermd->used |= XPERMS_DONTAUDIT;
989                 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLDRIVER) {
990                         memset(xpermd->dontaudit->p, 0xff,
991                                         sizeof(xpermd->dontaudit->p));
992                 }
993                 if (node->datum.u.xperms->specified == AVTAB_XPERMS_IOCTLFUNCTION) {
994                         for (i = 0; i < ARRAY_SIZE(xpermd->dontaudit->p); i++)
995                                 xpermd->dontaudit->p[i] |=
996                                         node->datum.u.xperms->perms.p[i];
997                 }
998         } else {
999                 BUG();
1000         }
1001 }
1002
1003 void security_compute_xperms_decision(u32 ssid,
1004                                 u32 tsid,
1005                                 u16 orig_tclass,
1006                                 u8 driver,
1007                                 struct extended_perms_decision *xpermd)
1008 {
1009         u16 tclass;
1010         struct context *scontext, *tcontext;
1011         struct avtab_key avkey;
1012         struct avtab_node *node;
1013         struct ebitmap *sattr, *tattr;
1014         struct ebitmap_node *snode, *tnode;
1015         unsigned int i, j;
1016
1017         xpermd->driver = driver;
1018         xpermd->used = 0;
1019         memset(xpermd->allowed->p, 0, sizeof(xpermd->allowed->p));
1020         memset(xpermd->auditallow->p, 0, sizeof(xpermd->auditallow->p));
1021         memset(xpermd->dontaudit->p, 0, sizeof(xpermd->dontaudit->p));
1022
1023         read_lock(&policy_rwlock);
1024         if (!ss_initialized)
1025                 goto allow;
1026
1027         scontext = sidtab_search(&sidtab, ssid);
1028         if (!scontext) {
1029                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1030                        __func__, ssid);
1031                 goto out;
1032         }
1033
1034         tcontext = sidtab_search(&sidtab, tsid);
1035         if (!tcontext) {
1036                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1037                        __func__, tsid);
1038                 goto out;
1039         }
1040
1041         tclass = unmap_class(orig_tclass);
1042         if (unlikely(orig_tclass && !tclass)) {
1043                 if (policydb.allow_unknown)
1044                         goto allow;
1045                 goto out;
1046         }
1047
1048
1049         if (unlikely(!tclass || tclass > policydb.p_classes.nprim)) {
1050                 pr_warn_ratelimited("SELinux:  Invalid class %hu\n", tclass);
1051                 goto out;
1052         }
1053
1054         avkey.target_class = tclass;
1055         avkey.specified = AVTAB_XPERMS;
1056         sattr = flex_array_get(policydb.type_attr_map_array,
1057                                 scontext->type - 1);
1058         BUG_ON(!sattr);
1059         tattr = flex_array_get(policydb.type_attr_map_array,
1060                                 tcontext->type - 1);
1061         BUG_ON(!tattr);
1062         ebitmap_for_each_positive_bit(sattr, snode, i) {
1063                 ebitmap_for_each_positive_bit(tattr, tnode, j) {
1064                         avkey.source_type = i + 1;
1065                         avkey.target_type = j + 1;
1066                         for (node = avtab_search_node(&policydb.te_avtab, &avkey);
1067                              node;
1068                              node = avtab_search_node_next(node, avkey.specified))
1069                                 services_compute_xperms_decision(xpermd, node);
1070
1071                         cond_compute_xperms(&policydb.te_cond_avtab,
1072                                                 &avkey, xpermd);
1073                 }
1074         }
1075 out:
1076         read_unlock(&policy_rwlock);
1077         return;
1078 allow:
1079         memset(xpermd->allowed->p, 0xff, sizeof(xpermd->allowed->p));
1080         goto out;
1081 }
1082
1083 /**
1084  * security_compute_av - Compute access vector decisions.
1085  * @ssid: source security identifier
1086  * @tsid: target security identifier
1087  * @tclass: target security class
1088  * @avd: access vector decisions
1089  * @xperms: extended permissions
1090  *
1091  * Compute a set of access vector decisions based on the
1092  * SID pair (@ssid, @tsid) for the permissions in @tclass.
1093  */
1094 void security_compute_av(u32 ssid,
1095                          u32 tsid,
1096                          u16 orig_tclass,
1097                          struct av_decision *avd,
1098                          struct extended_perms *xperms)
1099 {
1100         u16 tclass;
1101         struct context *scontext = NULL, *tcontext = NULL;
1102
1103         read_lock(&policy_rwlock);
1104         avd_init(avd);
1105         xperms->len = 0;
1106         if (!ss_initialized)
1107                 goto allow;
1108
1109         scontext = sidtab_search(&sidtab, ssid);
1110         if (!scontext) {
1111                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1112                        __func__, ssid);
1113                 goto out;
1114         }
1115
1116         /* permissive domain? */
1117         if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
1118                 avd->flags |= AVD_FLAGS_PERMISSIVE;
1119
1120         tcontext = sidtab_search(&sidtab, tsid);
1121         if (!tcontext) {
1122                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1123                        __func__, tsid);
1124                 goto out;
1125         }
1126
1127         tclass = unmap_class(orig_tclass);
1128         if (unlikely(orig_tclass && !tclass)) {
1129                 if (policydb.allow_unknown)
1130                         goto allow;
1131                 goto out;
1132         }
1133         context_struct_compute_av(scontext, tcontext, tclass, avd, xperms);
1134         map_decision(orig_tclass, avd, policydb.allow_unknown);
1135 out:
1136         read_unlock(&policy_rwlock);
1137         return;
1138 allow:
1139         avd->allowed = 0xffffffff;
1140         goto out;
1141 }
1142
1143 void security_compute_av_user(u32 ssid,
1144                               u32 tsid,
1145                               u16 tclass,
1146                               struct av_decision *avd)
1147 {
1148         struct context *scontext = NULL, *tcontext = NULL;
1149
1150         read_lock(&policy_rwlock);
1151         avd_init(avd);
1152         if (!ss_initialized)
1153                 goto allow;
1154
1155         scontext = sidtab_search(&sidtab, ssid);
1156         if (!scontext) {
1157                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1158                        __func__, ssid);
1159                 goto out;
1160         }
1161
1162         /* permissive domain? */
1163         if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
1164                 avd->flags |= AVD_FLAGS_PERMISSIVE;
1165
1166         tcontext = sidtab_search(&sidtab, tsid);
1167         if (!tcontext) {
1168                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1169                        __func__, tsid);
1170                 goto out;
1171         }
1172
1173         if (unlikely(!tclass)) {
1174                 if (policydb.allow_unknown)
1175                         goto allow;
1176                 goto out;
1177         }
1178
1179         context_struct_compute_av(scontext, tcontext, tclass, avd, NULL);
1180  out:
1181         read_unlock(&policy_rwlock);
1182         return;
1183 allow:
1184         avd->allowed = 0xffffffff;
1185         goto out;
1186 }
1187
1188 /*
1189  * Write the security context string representation of
1190  * the context structure `context' into a dynamically
1191  * allocated string of the correct size.  Set `*scontext'
1192  * to point to this string and set `*scontext_len' to
1193  * the length of the string.
1194  */
1195 static int context_struct_to_string(struct context *context, char **scontext, u32 *scontext_len)
1196 {
1197         char *scontextp;
1198
1199         if (scontext)
1200                 *scontext = NULL;
1201         *scontext_len = 0;
1202
1203         if (context->len) {
1204                 *scontext_len = context->len;
1205                 if (scontext) {
1206                         *scontext = kstrdup(context->str, GFP_ATOMIC);
1207                         if (!(*scontext))
1208                                 return -ENOMEM;
1209                 }
1210                 return 0;
1211         }
1212
1213         /* Compute the size of the context. */
1214         *scontext_len += strlen(sym_name(&policydb, SYM_USERS, context->user - 1)) + 1;
1215         *scontext_len += strlen(sym_name(&policydb, SYM_ROLES, context->role - 1)) + 1;
1216         *scontext_len += strlen(sym_name(&policydb, SYM_TYPES, context->type - 1)) + 1;
1217         *scontext_len += mls_compute_context_len(context);
1218
1219         if (!scontext)
1220                 return 0;
1221
1222         /* Allocate space for the context; caller must free this space. */
1223         scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
1224         if (!scontextp)
1225                 return -ENOMEM;
1226         *scontext = scontextp;
1227
1228         /*
1229          * Copy the user name, role name and type name into the context.
1230          */
1231         scontextp += sprintf(scontextp, "%s:%s:%s",
1232                 sym_name(&policydb, SYM_USERS, context->user - 1),
1233                 sym_name(&policydb, SYM_ROLES, context->role - 1),
1234                 sym_name(&policydb, SYM_TYPES, context->type - 1));
1235
1236         mls_sid_to_context(context, &scontextp);
1237
1238         *scontextp = 0;
1239
1240         return 0;
1241 }
1242
1243 #include "initial_sid_to_string.h"
1244
1245 const char *security_get_initial_sid_context(u32 sid)
1246 {
1247         if (unlikely(sid > SECINITSID_NUM))
1248                 return NULL;
1249         return initial_sid_to_string[sid];
1250 }
1251
1252 static int security_sid_to_context_core(u32 sid, char **scontext,
1253                                         u32 *scontext_len, int force)
1254 {
1255         struct context *context;
1256         int rc = 0;
1257
1258         if (scontext)
1259                 *scontext = NULL;
1260         *scontext_len  = 0;
1261
1262         if (!ss_initialized) {
1263                 if (sid <= SECINITSID_NUM) {
1264                         char *scontextp;
1265
1266                         *scontext_len = strlen(initial_sid_to_string[sid]) + 1;
1267                         if (!scontext)
1268                                 goto out;
1269                         scontextp = kmemdup(initial_sid_to_string[sid],
1270                                             *scontext_len, GFP_ATOMIC);
1271                         if (!scontextp) {
1272                                 rc = -ENOMEM;
1273                                 goto out;
1274                         }
1275                         *scontext = scontextp;
1276                         goto out;
1277                 }
1278                 printk(KERN_ERR "SELinux: %s:  called before initial "
1279                        "load_policy on unknown SID %d\n", __func__, sid);
1280                 rc = -EINVAL;
1281                 goto out;
1282         }
1283         read_lock(&policy_rwlock);
1284         if (force)
1285                 context = sidtab_search_force(&sidtab, sid);
1286         else
1287                 context = sidtab_search(&sidtab, sid);
1288         if (!context) {
1289                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1290                         __func__, sid);
1291                 rc = -EINVAL;
1292                 goto out_unlock;
1293         }
1294         rc = context_struct_to_string(context, scontext, scontext_len);
1295 out_unlock:
1296         read_unlock(&policy_rwlock);
1297 out:
1298         return rc;
1299
1300 }
1301
1302 /**
1303  * security_sid_to_context - Obtain a context for a given SID.
1304  * @sid: security identifier, SID
1305  * @scontext: security context
1306  * @scontext_len: length in bytes
1307  *
1308  * Write the string representation of the context associated with @sid
1309  * into a dynamically allocated string of the correct size.  Set @scontext
1310  * to point to this string and set @scontext_len to the length of the string.
1311  */
1312 int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
1313 {
1314         return security_sid_to_context_core(sid, scontext, scontext_len, 0);
1315 }
1316
1317 int security_sid_to_context_force(u32 sid, char **scontext, u32 *scontext_len)
1318 {
1319         return security_sid_to_context_core(sid, scontext, scontext_len, 1);
1320 }
1321
1322 /*
1323  * Caveat:  Mutates scontext.
1324  */
1325 static int string_to_context_struct(struct policydb *pol,
1326                                     struct sidtab *sidtabp,
1327                                     char *scontext,
1328                                     u32 scontext_len,
1329                                     struct context *ctx,
1330                                     u32 def_sid)
1331 {
1332         struct role_datum *role;
1333         struct type_datum *typdatum;
1334         struct user_datum *usrdatum;
1335         char *scontextp, *p, oldc;
1336         int rc = 0;
1337
1338         context_init(ctx);
1339
1340         /* Parse the security context. */
1341
1342         rc = -EINVAL;
1343         scontextp = (char *) scontext;
1344
1345         /* Extract the user. */
1346         p = scontextp;
1347         while (*p && *p != ':')
1348                 p++;
1349
1350         if (*p == 0)
1351                 goto out;
1352
1353         *p++ = 0;
1354
1355         usrdatum = hashtab_search(pol->p_users.table, scontextp);
1356         if (!usrdatum)
1357                 goto out;
1358
1359         ctx->user = usrdatum->value;
1360
1361         /* Extract role. */
1362         scontextp = p;
1363         while (*p && *p != ':')
1364                 p++;
1365
1366         if (*p == 0)
1367                 goto out;
1368
1369         *p++ = 0;
1370
1371         role = hashtab_search(pol->p_roles.table, scontextp);
1372         if (!role)
1373                 goto out;
1374         ctx->role = role->value;
1375
1376         /* Extract type. */
1377         scontextp = p;
1378         while (*p && *p != ':')
1379                 p++;
1380         oldc = *p;
1381         *p++ = 0;
1382
1383         typdatum = hashtab_search(pol->p_types.table, scontextp);
1384         if (!typdatum || typdatum->attribute)
1385                 goto out;
1386
1387         ctx->type = typdatum->value;
1388
1389         rc = mls_context_to_sid(pol, oldc, &p, ctx, sidtabp, def_sid);
1390         if (rc)
1391                 goto out;
1392
1393         rc = -EINVAL;
1394         if ((p - scontext) < scontext_len)
1395                 goto out;
1396
1397         /* Check the validity of the new context. */
1398         if (!policydb_context_isvalid(pol, ctx))
1399                 goto out;
1400         rc = 0;
1401 out:
1402         if (rc)
1403                 context_destroy(ctx);
1404         return rc;
1405 }
1406
1407 static int security_context_to_sid_core(const char *scontext, u32 scontext_len,
1408                                         u32 *sid, u32 def_sid, gfp_t gfp_flags,
1409                                         int force)
1410 {
1411         char *scontext2, *str = NULL;
1412         struct context context;
1413         int rc = 0;
1414
1415         /* An empty security context is never valid. */
1416         if (!scontext_len)
1417                 return -EINVAL;
1418
1419         /* Copy the string to allow changes and ensure a NUL terminator */
1420         scontext2 = kmemdup_nul(scontext, scontext_len, gfp_flags);
1421         if (!scontext2)
1422                 return -ENOMEM;
1423
1424         if (!ss_initialized) {
1425                 int i;
1426
1427                 for (i = 1; i < SECINITSID_NUM; i++) {
1428                         if (!strcmp(initial_sid_to_string[i], scontext2)) {
1429                                 *sid = i;
1430                                 goto out;
1431                         }
1432                 }
1433                 *sid = SECINITSID_KERNEL;
1434                 goto out;
1435         }
1436         *sid = SECSID_NULL;
1437
1438         if (force) {
1439                 /* Save another copy for storing in uninterpreted form */
1440                 rc = -ENOMEM;
1441                 str = kstrdup(scontext2, gfp_flags);
1442                 if (!str)
1443                         goto out;
1444         }
1445
1446         read_lock(&policy_rwlock);
1447         rc = string_to_context_struct(&policydb, &sidtab, scontext2,
1448                                       scontext_len, &context, def_sid);
1449         if (rc == -EINVAL && force) {
1450                 context.str = str;
1451                 context.len = scontext_len;
1452                 str = NULL;
1453         } else if (rc)
1454                 goto out_unlock;
1455         rc = sidtab_context_to_sid(&sidtab, &context, sid);
1456         context_destroy(&context);
1457 out_unlock:
1458         read_unlock(&policy_rwlock);
1459 out:
1460         kfree(scontext2);
1461         kfree(str);
1462         return rc;
1463 }
1464
1465 /**
1466  * security_context_to_sid - Obtain a SID for a given security context.
1467  * @scontext: security context
1468  * @scontext_len: length in bytes
1469  * @sid: security identifier, SID
1470  * @gfp: context for the allocation
1471  *
1472  * Obtains a SID associated with the security context that
1473  * has the string representation specified by @scontext.
1474  * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
1475  * memory is available, or 0 on success.
1476  */
1477 int security_context_to_sid(const char *scontext, u32 scontext_len, u32 *sid,
1478                             gfp_t gfp)
1479 {
1480         return security_context_to_sid_core(scontext, scontext_len,
1481                                             sid, SECSID_NULL, gfp, 0);
1482 }
1483
1484 int security_context_str_to_sid(const char *scontext, u32 *sid, gfp_t gfp)
1485 {
1486         return security_context_to_sid(scontext, strlen(scontext), sid, gfp);
1487 }
1488
1489 /**
1490  * security_context_to_sid_default - Obtain a SID for a given security context,
1491  * falling back to specified default if needed.
1492  *
1493  * @scontext: security context
1494  * @scontext_len: length in bytes
1495  * @sid: security identifier, SID
1496  * @def_sid: default SID to assign on error
1497  *
1498  * Obtains a SID associated with the security context that
1499  * has the string representation specified by @scontext.
1500  * The default SID is passed to the MLS layer to be used to allow
1501  * kernel labeling of the MLS field if the MLS field is not present
1502  * (for upgrading to MLS without full relabel).
1503  * Implicitly forces adding of the context even if it cannot be mapped yet.
1504  * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
1505  * memory is available, or 0 on success.
1506  */
1507 int security_context_to_sid_default(const char *scontext, u32 scontext_len,
1508                                     u32 *sid, u32 def_sid, gfp_t gfp_flags)
1509 {
1510         return security_context_to_sid_core(scontext, scontext_len,
1511                                             sid, def_sid, gfp_flags, 1);
1512 }
1513
1514 int security_context_to_sid_force(const char *scontext, u32 scontext_len,
1515                                   u32 *sid)
1516 {
1517         return security_context_to_sid_core(scontext, scontext_len,
1518                                             sid, SECSID_NULL, GFP_KERNEL, 1);
1519 }
1520
1521 static int compute_sid_handle_invalid_context(
1522         struct context *scontext,
1523         struct context *tcontext,
1524         u16 tclass,
1525         struct context *newcontext)
1526 {
1527         char *s = NULL, *t = NULL, *n = NULL;
1528         u32 slen, tlen, nlen;
1529
1530         if (context_struct_to_string(scontext, &s, &slen))
1531                 goto out;
1532         if (context_struct_to_string(tcontext, &t, &tlen))
1533                 goto out;
1534         if (context_struct_to_string(newcontext, &n, &nlen))
1535                 goto out;
1536         audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
1537                   "op=security_compute_sid invalid_context=%s"
1538                   " scontext=%s"
1539                   " tcontext=%s"
1540                   " tclass=%s",
1541                   n, s, t, sym_name(&policydb, SYM_CLASSES, tclass-1));
1542 out:
1543         kfree(s);
1544         kfree(t);
1545         kfree(n);
1546         if (!selinux_enforcing)
1547                 return 0;
1548         return -EACCES;
1549 }
1550
1551 static void filename_compute_type(struct policydb *p, struct context *newcontext,
1552                                   u32 stype, u32 ttype, u16 tclass,
1553                                   const char *objname)
1554 {
1555         struct filename_trans ft;
1556         struct filename_trans_datum *otype;
1557
1558         /*
1559          * Most filename trans rules are going to live in specific directories
1560          * like /dev or /var/run.  This bitmap will quickly skip rule searches
1561          * if the ttype does not contain any rules.
1562          */
1563         if (!ebitmap_get_bit(&p->filename_trans_ttypes, ttype))
1564                 return;
1565
1566         ft.stype = stype;
1567         ft.ttype = ttype;
1568         ft.tclass = tclass;
1569         ft.name = objname;
1570
1571         otype = hashtab_search(p->filename_trans, &ft);
1572         if (otype)
1573                 newcontext->type = otype->otype;
1574 }
1575
1576 static int security_compute_sid(u32 ssid,
1577                                 u32 tsid,
1578                                 u16 orig_tclass,
1579                                 u32 specified,
1580                                 const char *objname,
1581                                 u32 *out_sid,
1582                                 bool kern)
1583 {
1584         struct class_datum *cladatum = NULL;
1585         struct context *scontext = NULL, *tcontext = NULL, newcontext;
1586         struct role_trans *roletr = NULL;
1587         struct avtab_key avkey;
1588         struct avtab_datum *avdatum;
1589         struct avtab_node *node;
1590         u16 tclass;
1591         int rc = 0;
1592         bool sock;
1593
1594         if (!ss_initialized) {
1595                 switch (orig_tclass) {
1596                 case SECCLASS_PROCESS: /* kernel value */
1597                         *out_sid = ssid;
1598                         break;
1599                 default:
1600                         *out_sid = tsid;
1601                         break;
1602                 }
1603                 goto out;
1604         }
1605
1606         context_init(&newcontext);
1607
1608         read_lock(&policy_rwlock);
1609
1610         if (kern) {
1611                 tclass = unmap_class(orig_tclass);
1612                 sock = security_is_socket_class(orig_tclass);
1613         } else {
1614                 tclass = orig_tclass;
1615                 sock = security_is_socket_class(map_class(tclass));
1616         }
1617
1618         scontext = sidtab_search(&sidtab, ssid);
1619         if (!scontext) {
1620                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1621                        __func__, ssid);
1622                 rc = -EINVAL;
1623                 goto out_unlock;
1624         }
1625         tcontext = sidtab_search(&sidtab, tsid);
1626         if (!tcontext) {
1627                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
1628                        __func__, tsid);
1629                 rc = -EINVAL;
1630                 goto out_unlock;
1631         }
1632
1633         if (tclass && tclass <= policydb.p_classes.nprim)
1634                 cladatum = policydb.class_val_to_struct[tclass - 1];
1635
1636         /* Set the user identity. */
1637         switch (specified) {
1638         case AVTAB_TRANSITION:
1639         case AVTAB_CHANGE:
1640                 if (cladatum && cladatum->default_user == DEFAULT_TARGET) {
1641                         newcontext.user = tcontext->user;
1642                 } else {
1643                         /* notice this gets both DEFAULT_SOURCE and unset */
1644                         /* Use the process user identity. */
1645                         newcontext.user = scontext->user;
1646                 }
1647                 break;
1648         case AVTAB_MEMBER:
1649                 /* Use the related object owner. */
1650                 newcontext.user = tcontext->user;
1651                 break;
1652         }
1653
1654         /* Set the role to default values. */
1655         if (cladatum && cladatum->default_role == DEFAULT_SOURCE) {
1656                 newcontext.role = scontext->role;
1657         } else if (cladatum && cladatum->default_role == DEFAULT_TARGET) {
1658                 newcontext.role = tcontext->role;
1659         } else {
1660                 if ((tclass == policydb.process_class) || (sock == true))
1661                         newcontext.role = scontext->role;
1662                 else
1663                         newcontext.role = OBJECT_R_VAL;
1664         }
1665
1666         /* Set the type to default values. */
1667         if (cladatum && cladatum->default_type == DEFAULT_SOURCE) {
1668                 newcontext.type = scontext->type;
1669         } else if (cladatum && cladatum->default_type == DEFAULT_TARGET) {
1670                 newcontext.type = tcontext->type;
1671         } else {
1672                 if ((tclass == policydb.process_class) || (sock == true)) {
1673                         /* Use the type of process. */
1674                         newcontext.type = scontext->type;
1675                 } else {
1676                         /* Use the type of the related object. */
1677                         newcontext.type = tcontext->type;
1678                 }
1679         }
1680
1681         /* Look for a type transition/member/change rule. */
1682         avkey.source_type = scontext->type;
1683         avkey.target_type = tcontext->type;
1684         avkey.target_class = tclass;
1685         avkey.specified = specified;
1686         avdatum = avtab_search(&policydb.te_avtab, &avkey);
1687
1688         /* If no permanent rule, also check for enabled conditional rules */
1689         if (!avdatum) {
1690                 node = avtab_search_node(&policydb.te_cond_avtab, &avkey);
1691                 for (; node; node = avtab_search_node_next(node, specified)) {
1692                         if (node->key.specified & AVTAB_ENABLED) {
1693                                 avdatum = &node->datum;
1694                                 break;
1695                         }
1696                 }
1697         }
1698
1699         if (avdatum) {
1700                 /* Use the type from the type transition/member/change rule. */
1701                 newcontext.type = avdatum->u.data;
1702         }
1703
1704         /* if we have a objname this is a file trans check so check those rules */
1705         if (objname)
1706                 filename_compute_type(&policydb, &newcontext, scontext->type,
1707                                       tcontext->type, tclass, objname);
1708
1709         /* Check for class-specific changes. */
1710         if (specified & AVTAB_TRANSITION) {
1711                 /* Look for a role transition rule. */
1712                 for (roletr = policydb.role_tr; roletr; roletr = roletr->next) {
1713                         if ((roletr->role == scontext->role) &&
1714                             (roletr->type == tcontext->type) &&
1715                             (roletr->tclass == tclass)) {
1716                                 /* Use the role transition rule. */
1717                                 newcontext.role = roletr->new_role;
1718                                 break;
1719                         }
1720                 }
1721         }
1722
1723         /* Set the MLS attributes.
1724            This is done last because it may allocate memory. */
1725         rc = mls_compute_sid(scontext, tcontext, tclass, specified,
1726                              &newcontext, sock);
1727         if (rc)
1728                 goto out_unlock;
1729
1730         /* Check the validity of the context. */
1731         if (!policydb_context_isvalid(&policydb, &newcontext)) {
1732                 rc = compute_sid_handle_invalid_context(scontext,
1733                                                         tcontext,
1734                                                         tclass,
1735                                                         &newcontext);
1736                 if (rc)
1737                         goto out_unlock;
1738         }
1739         /* Obtain the sid for the context. */
1740         rc = sidtab_context_to_sid(&sidtab, &newcontext, out_sid);
1741 out_unlock:
1742         read_unlock(&policy_rwlock);
1743         context_destroy(&newcontext);
1744 out:
1745         return rc;
1746 }
1747
1748 /**
1749  * security_transition_sid - Compute the SID for a new subject/object.
1750  * @ssid: source security identifier
1751  * @tsid: target security identifier
1752  * @tclass: target security class
1753  * @out_sid: security identifier for new subject/object
1754  *
1755  * Compute a SID to use for labeling a new subject or object in the
1756  * class @tclass based on a SID pair (@ssid, @tsid).
1757  * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
1758  * if insufficient memory is available, or %0 if the new SID was
1759  * computed successfully.
1760  */
1761 int security_transition_sid(u32 ssid, u32 tsid, u16 tclass,
1762                             const struct qstr *qstr, u32 *out_sid)
1763 {
1764         return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
1765                                     qstr ? qstr->name : NULL, out_sid, true);
1766 }
1767
1768 int security_transition_sid_user(u32 ssid, u32 tsid, u16 tclass,
1769                                  const char *objname, u32 *out_sid)
1770 {
1771         return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
1772                                     objname, out_sid, false);
1773 }
1774
1775 /**
1776  * security_member_sid - Compute the SID for member selection.
1777  * @ssid: source security identifier
1778  * @tsid: target security identifier
1779  * @tclass: target security class
1780  * @out_sid: security identifier for selected member
1781  *
1782  * Compute a SID to use when selecting a member of a polyinstantiated
1783  * object of class @tclass based on a SID pair (@ssid, @tsid).
1784  * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
1785  * if insufficient memory is available, or %0 if the SID was
1786  * computed successfully.
1787  */
1788 int security_member_sid(u32 ssid,
1789                         u32 tsid,
1790                         u16 tclass,
1791                         u32 *out_sid)
1792 {
1793         return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, NULL,
1794                                     out_sid, false);
1795 }
1796
1797 /**
1798  * security_change_sid - Compute the SID for object relabeling.
1799  * @ssid: source security identifier
1800  * @tsid: target security identifier
1801  * @tclass: target security class
1802  * @out_sid: security identifier for selected member
1803  *
1804  * Compute a SID to use for relabeling an object of class @tclass
1805  * based on a SID pair (@ssid, @tsid).
1806  * Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
1807  * if insufficient memory is available, or %0 if the SID was
1808  * computed successfully.
1809  */
1810 int security_change_sid(u32 ssid,
1811                         u32 tsid,
1812                         u16 tclass,
1813                         u32 *out_sid)
1814 {
1815         return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, NULL,
1816                                     out_sid, false);
1817 }
1818
1819 /* Clone the SID into the new SID table. */
1820 static int clone_sid(u32 sid,
1821                      struct context *context,
1822                      void *arg)
1823 {
1824         struct sidtab *s = arg;
1825
1826         if (sid > SECINITSID_NUM)
1827                 return sidtab_insert(s, sid, context);
1828         else
1829                 return 0;
1830 }
1831
1832 static inline int convert_context_handle_invalid_context(struct context *context)
1833 {
1834         char *s;
1835         u32 len;
1836
1837         if (selinux_enforcing)
1838                 return -EINVAL;
1839
1840         if (!context_struct_to_string(context, &s, &len)) {
1841                 printk(KERN_WARNING "SELinux:  Context %s would be invalid if enforcing\n", s);
1842                 kfree(s);
1843         }
1844         return 0;
1845 }
1846
1847 struct convert_context_args {
1848         struct policydb *oldp;
1849         struct policydb *newp;
1850 };
1851
1852 /*
1853  * Convert the values in the security context
1854  * structure `c' from the values specified
1855  * in the policy `p->oldp' to the values specified
1856  * in the policy `p->newp'.  Verify that the
1857  * context is valid under the new policy.
1858  */
1859 static int convert_context(u32 key,
1860                            struct context *c,
1861                            void *p)
1862 {
1863         struct convert_context_args *args;
1864         struct context oldc;
1865         struct ocontext *oc;
1866         struct mls_range *range;
1867         struct role_datum *role;
1868         struct type_datum *typdatum;
1869         struct user_datum *usrdatum;
1870         char *s;
1871         u32 len;
1872         int rc = 0;
1873
1874         if (key <= SECINITSID_NUM)
1875                 goto out;
1876
1877         args = p;
1878
1879         if (c->str) {
1880                 struct context ctx;
1881
1882                 rc = -ENOMEM;
1883                 s = kstrdup(c->str, GFP_KERNEL);
1884                 if (!s)
1885                         goto out;
1886
1887                 rc = string_to_context_struct(args->newp, NULL, s,
1888                                               c->len, &ctx, SECSID_NULL);
1889                 kfree(s);
1890                 if (!rc) {
1891                         printk(KERN_INFO "SELinux:  Context %s became valid (mapped).\n",
1892                                c->str);
1893                         /* Replace string with mapped representation. */
1894                         kfree(c->str);
1895                         memcpy(c, &ctx, sizeof(*c));
1896                         goto out;
1897                 } else if (rc == -EINVAL) {
1898                         /* Retain string representation for later mapping. */
1899                         rc = 0;
1900                         goto out;
1901                 } else {
1902                         /* Other error condition, e.g. ENOMEM. */
1903                         printk(KERN_ERR "SELinux:   Unable to map context %s, rc = %d.\n",
1904                                c->str, -rc);
1905                         goto out;
1906                 }
1907         }
1908
1909         rc = context_cpy(&oldc, c);
1910         if (rc)
1911                 goto out;
1912
1913         /* Convert the user. */
1914         rc = -EINVAL;
1915         usrdatum = hashtab_search(args->newp->p_users.table,
1916                                   sym_name(args->oldp, SYM_USERS, c->user - 1));
1917         if (!usrdatum)
1918                 goto bad;
1919         c->user = usrdatum->value;
1920
1921         /* Convert the role. */
1922         rc = -EINVAL;
1923         role = hashtab_search(args->newp->p_roles.table,
1924                               sym_name(args->oldp, SYM_ROLES, c->role - 1));
1925         if (!role)
1926                 goto bad;
1927         c->role = role->value;
1928
1929         /* Convert the type. */
1930         rc = -EINVAL;
1931         typdatum = hashtab_search(args->newp->p_types.table,
1932                                   sym_name(args->oldp, SYM_TYPES, c->type - 1));
1933         if (!typdatum)
1934                 goto bad;
1935         c->type = typdatum->value;
1936
1937         /* Convert the MLS fields if dealing with MLS policies */
1938         if (args->oldp->mls_enabled && args->newp->mls_enabled) {
1939                 rc = mls_convert_context(args->oldp, args->newp, c);
1940                 if (rc)
1941                         goto bad;
1942         } else if (args->oldp->mls_enabled && !args->newp->mls_enabled) {
1943                 /*
1944                  * Switching between MLS and non-MLS policy:
1945                  * free any storage used by the MLS fields in the
1946                  * context for all existing entries in the sidtab.
1947                  */
1948                 mls_context_destroy(c);
1949         } else if (!args->oldp->mls_enabled && args->newp->mls_enabled) {
1950                 /*
1951                  * Switching between non-MLS and MLS policy:
1952                  * ensure that the MLS fields of the context for all
1953                  * existing entries in the sidtab are filled in with a
1954                  * suitable default value, likely taken from one of the
1955                  * initial SIDs.
1956                  */
1957                 oc = args->newp->ocontexts[OCON_ISID];
1958                 while (oc && oc->sid[0] != SECINITSID_UNLABELED)
1959                         oc = oc->next;
1960                 rc = -EINVAL;
1961                 if (!oc) {
1962                         printk(KERN_ERR "SELinux:  unable to look up"
1963                                 " the initial SIDs list\n");
1964                         goto bad;
1965                 }
1966                 range = &oc->context[0].range;
1967                 rc = mls_range_set(c, range);
1968                 if (rc)
1969                         goto bad;
1970         }
1971
1972         /* Check the validity of the new context. */
1973         if (!policydb_context_isvalid(args->newp, c)) {
1974                 rc = convert_context_handle_invalid_context(&oldc);
1975                 if (rc)
1976                         goto bad;
1977         }
1978
1979         context_destroy(&oldc);
1980
1981         rc = 0;
1982 out:
1983         return rc;
1984 bad:
1985         /* Map old representation to string and save it. */
1986         rc = context_struct_to_string(&oldc, &s, &len);
1987         if (rc)
1988                 return rc;
1989         context_destroy(&oldc);
1990         context_destroy(c);
1991         c->str = s;
1992         c->len = len;
1993         printk(KERN_INFO "SELinux:  Context %s became invalid (unmapped).\n",
1994                c->str);
1995         rc = 0;
1996         goto out;
1997 }
1998
1999 static void security_load_policycaps(void)
2000 {
2001         unsigned int i;
2002         struct ebitmap_node *node;
2003
2004         selinux_policycap_netpeer = ebitmap_get_bit(&policydb.policycaps,
2005                                                   POLICYDB_CAPABILITY_NETPEER);
2006         selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps,
2007                                                   POLICYDB_CAPABILITY_OPENPERM);
2008         selinux_policycap_extsockclass = ebitmap_get_bit(&policydb.policycaps,
2009                                           POLICYDB_CAPABILITY_EXTSOCKCLASS);
2010         selinux_policycap_alwaysnetwork = ebitmap_get_bit(&policydb.policycaps,
2011                                                   POLICYDB_CAPABILITY_ALWAYSNETWORK);
2012         selinux_policycap_cgroupseclabel =
2013                 ebitmap_get_bit(&policydb.policycaps,
2014                                 POLICYDB_CAPABILITY_CGROUPSECLABEL);
2015         selinux_policycap_nnp_nosuid_transition =
2016                 ebitmap_get_bit(&policydb.policycaps,
2017                                 POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION);
2018
2019         for (i = 0; i < ARRAY_SIZE(selinux_policycap_names); i++)
2020                 pr_info("SELinux:  policy capability %s=%d\n",
2021                         selinux_policycap_names[i],
2022                         ebitmap_get_bit(&policydb.policycaps, i));
2023
2024         ebitmap_for_each_positive_bit(&policydb.policycaps, node, i) {
2025                 if (i >= ARRAY_SIZE(selinux_policycap_names))
2026                         pr_info("SELinux:  unknown policy capability %u\n",
2027                                 i);
2028         }
2029 }
2030
2031 static int security_preserve_bools(struct policydb *p);
2032
2033 /**
2034  * security_load_policy - Load a security policy configuration.
2035  * @data: binary policy data
2036  * @len: length of data in bytes
2037  *
2038  * Load a new set of security policy configuration data,
2039  * validate it and convert the SID table as necessary.
2040  * This function will flush the access vector cache after
2041  * loading the new policy.
2042  */
2043 int security_load_policy(void *data, size_t len)
2044 {
2045         struct policydb *oldpolicydb, *newpolicydb;
2046         struct sidtab oldsidtab, newsidtab;
2047         struct selinux_mapping *oldmap, *map = NULL;
2048         struct convert_context_args args;
2049         u32 seqno;
2050         u16 map_size;
2051         int rc = 0;
2052         struct policy_file file = { data, len }, *fp = &file;
2053
2054         oldpolicydb = kzalloc(2 * sizeof(*oldpolicydb), GFP_KERNEL);
2055         if (!oldpolicydb) {
2056                 rc = -ENOMEM;
2057                 goto out;
2058         }
2059         newpolicydb = oldpolicydb + 1;
2060
2061         if (!ss_initialized) {
2062                 avtab_cache_init();
2063                 ebitmap_cache_init();
2064                 hashtab_cache_init();
2065                 rc = policydb_read(&policydb, fp);
2066                 if (rc) {
2067                         avtab_cache_destroy();
2068                         ebitmap_cache_destroy();
2069                         hashtab_cache_destroy();
2070                         goto out;
2071                 }
2072
2073                 policydb.len = len;
2074                 rc = selinux_set_mapping(&policydb, secclass_map,
2075                                          &current_mapping,
2076                                          &current_mapping_size);
2077                 if (rc) {
2078                         policydb_destroy(&policydb);
2079                         avtab_cache_destroy();
2080                         ebitmap_cache_destroy();
2081                         hashtab_cache_destroy();
2082                         goto out;
2083                 }
2084
2085                 rc = policydb_load_isids(&policydb, &sidtab);
2086                 if (rc) {
2087                         policydb_destroy(&policydb);
2088                         avtab_cache_destroy();
2089                         ebitmap_cache_destroy();
2090                         hashtab_cache_destroy();
2091                         goto out;
2092                 }
2093
2094                 security_load_policycaps();
2095                 ss_initialized = 1;
2096                 seqno = ++latest_granting;
2097                 selinux_complete_init();
2098                 avc_ss_reset(seqno);
2099                 selnl_notify_policyload(seqno);
2100                 selinux_status_update_policyload(seqno);
2101                 selinux_netlbl_cache_invalidate();
2102                 selinux_xfrm_notify_policyload();
2103                 goto out;
2104         }
2105
2106 #if 0
2107         sidtab_hash_eval(&sidtab, "sids");
2108 #endif
2109
2110         rc = policydb_read(newpolicydb, fp);
2111         if (rc)
2112                 goto out;
2113
2114         newpolicydb->len = len;
2115         /* If switching between different policy types, log MLS status */
2116         if (policydb.mls_enabled && !newpolicydb->mls_enabled)
2117                 printk(KERN_INFO "SELinux: Disabling MLS support...\n");
2118         else if (!policydb.mls_enabled && newpolicydb->mls_enabled)
2119                 printk(KERN_INFO "SELinux: Enabling MLS support...\n");
2120
2121         rc = policydb_load_isids(newpolicydb, &newsidtab);
2122         if (rc) {
2123                 printk(KERN_ERR "SELinux:  unable to load the initial SIDs\n");
2124                 policydb_destroy(newpolicydb);
2125                 goto out;
2126         }
2127
2128         rc = selinux_set_mapping(newpolicydb, secclass_map, &map, &map_size);
2129         if (rc)
2130                 goto err;
2131
2132         rc = security_preserve_bools(newpolicydb);
2133         if (rc) {
2134                 printk(KERN_ERR "SELinux:  unable to preserve booleans\n");
2135                 goto err;
2136         }
2137
2138         /* Clone the SID table. */
2139         sidtab_shutdown(&sidtab);
2140
2141         rc = sidtab_map(&sidtab, clone_sid, &newsidtab);
2142         if (rc)
2143                 goto err;
2144
2145         /*
2146          * Convert the internal representations of contexts
2147          * in the new SID table.
2148          */
2149         args.oldp = &policydb;
2150         args.newp = newpolicydb;
2151         rc = sidtab_map(&newsidtab, convert_context, &args);
2152         if (rc) {
2153                 printk(KERN_ERR "SELinux:  unable to convert the internal"
2154                         " representation of contexts in the new SID"
2155                         " table\n");
2156                 goto err;
2157         }
2158
2159         /* Save the old policydb and SID table to free later. */
2160         memcpy(oldpolicydb, &policydb, sizeof(policydb));
2161         sidtab_set(&oldsidtab, &sidtab);
2162
2163         /* Install the new policydb and SID table. */
2164         write_lock_irq(&policy_rwlock);
2165         memcpy(&policydb, newpolicydb, sizeof(policydb));
2166         sidtab_set(&sidtab, &newsidtab);
2167         security_load_policycaps();
2168         oldmap = current_mapping;
2169         current_mapping = map;
2170         current_mapping_size = map_size;
2171         seqno = ++latest_granting;
2172         write_unlock_irq(&policy_rwlock);
2173
2174         /* Free the old policydb and SID table. */
2175         policydb_destroy(oldpolicydb);
2176         sidtab_destroy(&oldsidtab);
2177         kfree(oldmap);
2178
2179         avc_ss_reset(seqno);
2180         selnl_notify_policyload(seqno);
2181         selinux_status_update_policyload(seqno);
2182         selinux_netlbl_cache_invalidate();
2183         selinux_xfrm_notify_policyload();
2184
2185         rc = 0;
2186         goto out;
2187
2188 err:
2189         kfree(map);
2190         sidtab_destroy(&newsidtab);
2191         policydb_destroy(newpolicydb);
2192
2193 out:
2194         kfree(oldpolicydb);
2195         return rc;
2196 }
2197
2198 size_t security_policydb_len(void)
2199 {
2200         size_t len;
2201
2202         read_lock(&policy_rwlock);
2203         len = policydb.len;
2204         read_unlock(&policy_rwlock);
2205
2206         return len;
2207 }
2208
2209 /**
2210  * security_port_sid - Obtain the SID for a port.
2211  * @protocol: protocol number
2212  * @port: port number
2213  * @out_sid: security identifier
2214  */
2215 int security_port_sid(u8 protocol, u16 port, u32 *out_sid)
2216 {
2217         struct ocontext *c;
2218         int rc = 0;
2219
2220         read_lock(&policy_rwlock);
2221
2222         c = policydb.ocontexts[OCON_PORT];
2223         while (c) {
2224                 if (c->u.port.protocol == protocol &&
2225                     c->u.port.low_port <= port &&
2226                     c->u.port.high_port >= port)
2227                         break;
2228                 c = c->next;
2229         }
2230
2231         if (c) {
2232                 if (!c->sid[0]) {
2233                         rc = sidtab_context_to_sid(&sidtab,
2234                                                    &c->context[0],
2235                                                    &c->sid[0]);
2236                         if (rc)
2237                                 goto out;
2238                 }
2239                 *out_sid = c->sid[0];
2240         } else {
2241                 *out_sid = SECINITSID_PORT;
2242         }
2243
2244 out:
2245         read_unlock(&policy_rwlock);
2246         return rc;
2247 }
2248
2249 /**
2250  * security_pkey_sid - Obtain the SID for a pkey.
2251  * @subnet_prefix: Subnet Prefix
2252  * @pkey_num: pkey number
2253  * @out_sid: security identifier
2254  */
2255 int security_ib_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid)
2256 {
2257         struct ocontext *c;
2258         int rc = 0;
2259
2260         read_lock(&policy_rwlock);
2261
2262         c = policydb.ocontexts[OCON_IBPKEY];
2263         while (c) {
2264                 if (c->u.ibpkey.low_pkey <= pkey_num &&
2265                     c->u.ibpkey.high_pkey >= pkey_num &&
2266                     c->u.ibpkey.subnet_prefix == subnet_prefix)
2267                         break;
2268
2269                 c = c->next;
2270         }
2271
2272         if (c) {
2273                 if (!c->sid[0]) {
2274                         rc = sidtab_context_to_sid(&sidtab,
2275                                                    &c->context[0],
2276                                                    &c->sid[0]);
2277                         if (rc)
2278                                 goto out;
2279                 }
2280                 *out_sid = c->sid[0];
2281         } else
2282                 *out_sid = SECINITSID_UNLABELED;
2283
2284 out:
2285         read_unlock(&policy_rwlock);
2286         return rc;
2287 }
2288
2289 /**
2290  * security_ib_endport_sid - Obtain the SID for a subnet management interface.
2291  * @dev_name: device name
2292  * @port: port number
2293  * @out_sid: security identifier
2294  */
2295 int security_ib_endport_sid(const char *dev_name, u8 port_num, u32 *out_sid)
2296 {
2297         struct ocontext *c;
2298         int rc = 0;
2299
2300         read_lock(&policy_rwlock);
2301
2302         c = policydb.ocontexts[OCON_IBENDPORT];
2303         while (c) {
2304                 if (c->u.ibendport.port == port_num &&
2305                     !strncmp(c->u.ibendport.dev_name,
2306                              dev_name,
2307                              IB_DEVICE_NAME_MAX))
2308                         break;
2309
2310                 c = c->next;
2311         }
2312
2313         if (c) {
2314                 if (!c->sid[0]) {
2315                         rc = sidtab_context_to_sid(&sidtab,
2316                                                    &c->context[0],
2317                                                    &c->sid[0]);
2318                         if (rc)
2319                                 goto out;
2320                 }
2321                 *out_sid = c->sid[0];
2322         } else
2323                 *out_sid = SECINITSID_UNLABELED;
2324
2325 out:
2326         read_unlock(&policy_rwlock);
2327         return rc;
2328 }
2329
2330 /**
2331  * security_netif_sid - Obtain the SID for a network interface.
2332  * @name: interface name
2333  * @if_sid: interface SID
2334  */
2335 int security_netif_sid(char *name, u32 *if_sid)
2336 {
2337         int rc = 0;
2338         struct ocontext *c;
2339
2340         read_lock(&policy_rwlock);
2341
2342         c = policydb.ocontexts[OCON_NETIF];
2343         while (c) {
2344                 if (strcmp(name, c->u.name) == 0)
2345                         break;
2346                 c = c->next;
2347         }
2348
2349         if (c) {
2350                 if (!c->sid[0] || !c->sid[1]) {
2351                         rc = sidtab_context_to_sid(&sidtab,
2352                                                   &c->context[0],
2353                                                   &c->sid[0]);
2354                         if (rc)
2355                                 goto out;
2356                         rc = sidtab_context_to_sid(&sidtab,
2357                                                    &c->context[1],
2358                                                    &c->sid[1]);
2359                         if (rc)
2360                                 goto out;
2361                 }
2362                 *if_sid = c->sid[0];
2363         } else
2364                 *if_sid = SECINITSID_NETIF;
2365
2366 out:
2367         read_unlock(&policy_rwlock);
2368         return rc;
2369 }
2370
2371 static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask)
2372 {
2373         int i, fail = 0;
2374
2375         for (i = 0; i < 4; i++)
2376                 if (addr[i] != (input[i] & mask[i])) {
2377                         fail = 1;
2378                         break;
2379                 }
2380
2381         return !fail;
2382 }
2383
2384 /**
2385  * security_node_sid - Obtain the SID for a node (host).
2386  * @domain: communication domain aka address family
2387  * @addrp: address
2388  * @addrlen: address length in bytes
2389  * @out_sid: security identifier
2390  */
2391 int security_node_sid(u16 domain,
2392                       void *addrp,
2393                       u32 addrlen,
2394                       u32 *out_sid)
2395 {
2396         int rc;
2397         struct ocontext *c;
2398
2399         read_lock(&policy_rwlock);
2400
2401         switch (domain) {
2402         case AF_INET: {
2403                 u32 addr;
2404
2405                 rc = -EINVAL;
2406                 if (addrlen != sizeof(u32))
2407                         goto out;
2408
2409                 addr = *((u32 *)addrp);
2410
2411                 c = policydb.ocontexts[OCON_NODE];
2412                 while (c) {
2413                         if (c->u.node.addr == (addr & c->u.node.mask))
2414                                 break;
2415                         c = c->next;
2416                 }
2417                 break;
2418         }
2419
2420         case AF_INET6:
2421                 rc = -EINVAL;
2422                 if (addrlen != sizeof(u64) * 2)
2423                         goto out;
2424                 c = policydb.ocontexts[OCON_NODE6];
2425                 while (c) {
2426                         if (match_ipv6_addrmask(addrp, c->u.node6.addr,
2427                                                 c->u.node6.mask))
2428                                 break;
2429                         c = c->next;
2430                 }
2431                 break;
2432
2433         default:
2434                 rc = 0;
2435                 *out_sid = SECINITSID_NODE;
2436                 goto out;
2437         }
2438
2439         if (c) {
2440                 if (!c->sid[0]) {
2441                         rc = sidtab_context_to_sid(&sidtab,
2442                                                    &c->context[0],
2443                                                    &c->sid[0]);
2444                         if (rc)
2445                                 goto out;
2446                 }
2447                 *out_sid = c->sid[0];
2448         } else {
2449                 *out_sid = SECINITSID_NODE;
2450         }
2451
2452         rc = 0;
2453 out:
2454         read_unlock(&policy_rwlock);
2455         return rc;
2456 }
2457
2458 #define SIDS_NEL 25
2459
2460 /**
2461  * security_get_user_sids - Obtain reachable SIDs for a user.
2462  * @fromsid: starting SID
2463  * @username: username
2464  * @sids: array of reachable SIDs for user
2465  * @nel: number of elements in @sids
2466  *
2467  * Generate the set of SIDs for legal security contexts
2468  * for a given user that can be reached by @fromsid.
2469  * Set *@sids to point to a dynamically allocated
2470  * array containing the set of SIDs.  Set *@nel to the
2471  * number of elements in the array.
2472  */
2473
2474 int security_get_user_sids(u32 fromsid,
2475                            char *username,
2476                            u32 **sids,
2477                            u32 *nel)
2478 {
2479         struct context *fromcon, usercon;
2480         u32 *mysids = NULL, *mysids2, sid;
2481         u32 mynel = 0, maxnel = SIDS_NEL;
2482         struct user_datum *user;
2483         struct role_datum *role;
2484         struct ebitmap_node *rnode, *tnode;
2485         int rc = 0, i, j;
2486
2487         *sids = NULL;
2488         *nel = 0;
2489
2490         if (!ss_initialized)
2491                 goto out;
2492
2493         read_lock(&policy_rwlock);
2494
2495         context_init(&usercon);
2496
2497         rc = -EINVAL;
2498         fromcon = sidtab_search(&sidtab, fromsid);
2499         if (!fromcon)
2500                 goto out_unlock;
2501
2502         rc = -EINVAL;
2503         user = hashtab_search(policydb.p_users.table, username);
2504         if (!user)
2505                 goto out_unlock;
2506
2507         usercon.user = user->value;
2508
2509         rc = -ENOMEM;
2510         mysids = kcalloc(maxnel, sizeof(*mysids), GFP_ATOMIC);
2511         if (!mysids)
2512                 goto out_unlock;
2513
2514         ebitmap_for_each_positive_bit(&user->roles, rnode, i) {
2515                 role = policydb.role_val_to_struct[i];
2516                 usercon.role = i + 1;
2517                 ebitmap_for_each_positive_bit(&role->types, tnode, j) {
2518                         usercon.type = j + 1;
2519
2520                         if (mls_setup_user_range(fromcon, user, &usercon))
2521                                 continue;
2522
2523                         rc = sidtab_context_to_sid(&sidtab, &usercon, &sid);
2524                         if (rc)
2525                                 goto out_unlock;
2526                         if (mynel < maxnel) {
2527                                 mysids[mynel++] = sid;
2528                         } else {
2529                                 rc = -ENOMEM;
2530                                 maxnel += SIDS_NEL;
2531                                 mysids2 = kcalloc(maxnel, sizeof(*mysids2), GFP_ATOMIC);
2532                                 if (!mysids2)
2533                                         goto out_unlock;
2534                                 memcpy(mysids2, mysids, mynel * sizeof(*mysids2));
2535                                 kfree(mysids);
2536                                 mysids = mysids2;
2537                                 mysids[mynel++] = sid;
2538                         }
2539                 }
2540         }
2541         rc = 0;
2542 out_unlock:
2543         read_unlock(&policy_rwlock);
2544         if (rc || !mynel) {
2545                 kfree(mysids);
2546                 goto out;
2547         }
2548
2549         rc = -ENOMEM;
2550         mysids2 = kcalloc(mynel, sizeof(*mysids2), GFP_KERNEL);
2551         if (!mysids2) {
2552                 kfree(mysids);
2553                 goto out;
2554         }
2555         for (i = 0, j = 0; i < mynel; i++) {
2556                 struct av_decision dummy_avd;
2557                 rc = avc_has_perm_noaudit(fromsid, mysids[i],
2558                                           SECCLASS_PROCESS, /* kernel value */
2559                                           PROCESS__TRANSITION, AVC_STRICT,
2560                                           &dummy_avd);
2561                 if (!rc)
2562                         mysids2[j++] = mysids[i];
2563                 cond_resched();
2564         }
2565         rc = 0;
2566         kfree(mysids);
2567         *sids = mysids2;
2568         *nel = j;
2569 out:
2570         return rc;
2571 }
2572
2573 /**
2574  * __security_genfs_sid - Helper to obtain a SID for a file in a filesystem
2575  * @fstype: filesystem type
2576  * @path: path from root of mount
2577  * @sclass: file security class
2578  * @sid: SID for path
2579  *
2580  * Obtain a SID to use for a file in a filesystem that
2581  * cannot support xattr or use a fixed labeling behavior like
2582  * transition SIDs or task SIDs.
2583  *
2584  * The caller must acquire the policy_rwlock before calling this function.
2585  */
2586 static inline int __security_genfs_sid(const char *fstype,
2587                                        char *path,
2588                                        u16 orig_sclass,
2589                                        u32 *sid)
2590 {
2591         int len;
2592         u16 sclass;
2593         struct genfs *genfs;
2594         struct ocontext *c;
2595         int rc, cmp = 0;
2596
2597         while (path[0] == '/' && path[1] == '/')
2598                 path++;
2599
2600         sclass = unmap_class(orig_sclass);
2601         *sid = SECINITSID_UNLABELED;
2602
2603         for (genfs = policydb.genfs; genfs; genfs = genfs->next) {
2604                 cmp = strcmp(fstype, genfs->fstype);
2605                 if (cmp <= 0)
2606                         break;
2607         }
2608
2609         rc = -ENOENT;
2610         if (!genfs || cmp)
2611                 goto out;
2612
2613         for (c = genfs->head; c; c = c->next) {
2614                 len = strlen(c->u.name);
2615                 if ((!c->v.sclass || sclass == c->v.sclass) &&
2616                     (strncmp(c->u.name, path, len) == 0))
2617                         break;
2618         }
2619
2620         rc = -ENOENT;
2621         if (!c)
2622                 goto out;
2623
2624         if (!c->sid[0]) {
2625                 rc = sidtab_context_to_sid(&sidtab, &c->context[0], &c->sid[0]);
2626                 if (rc)
2627                         goto out;
2628         }
2629
2630         *sid = c->sid[0];
2631         rc = 0;
2632 out:
2633         return rc;
2634 }
2635
2636 /**
2637  * security_genfs_sid - Obtain a SID for a file in a filesystem
2638  * @fstype: filesystem type
2639  * @path: path from root of mount
2640  * @sclass: file security class
2641  * @sid: SID for path
2642  *
2643  * Acquire policy_rwlock before calling __security_genfs_sid() and release
2644  * it afterward.
2645  */
2646 int security_genfs_sid(const char *fstype,
2647                        char *path,
2648                        u16 orig_sclass,
2649                        u32 *sid)
2650 {
2651         int retval;
2652
2653         read_lock(&policy_rwlock);
2654         retval = __security_genfs_sid(fstype, path, orig_sclass, sid);
2655         read_unlock(&policy_rwlock);
2656         return retval;
2657 }
2658
2659 /**
2660  * security_fs_use - Determine how to handle labeling for a filesystem.
2661  * @sb: superblock in question
2662  */
2663 int security_fs_use(struct super_block *sb)
2664 {
2665         int rc = 0;
2666         struct ocontext *c;
2667         struct superblock_security_struct *sbsec = sb->s_security;
2668         const char *fstype = sb->s_type->name;
2669
2670         read_lock(&policy_rwlock);
2671
2672         c = policydb.ocontexts[OCON_FSUSE];
2673         while (c) {
2674                 if (strcmp(fstype, c->u.name) == 0)
2675                         break;
2676                 c = c->next;
2677         }
2678
2679         if (c) {
2680                 sbsec->behavior = c->v.behavior;
2681                 if (!c->sid[0]) {
2682                         rc = sidtab_context_to_sid(&sidtab, &c->context[0],
2683                                                    &c->sid[0]);
2684                         if (rc)
2685                                 goto out;
2686                 }
2687                 sbsec->sid = c->sid[0];
2688         } else {
2689                 rc = __security_genfs_sid(fstype, "/", SECCLASS_DIR,
2690                                           &sbsec->sid);
2691                 if (rc) {
2692                         sbsec->behavior = SECURITY_FS_USE_NONE;
2693                         rc = 0;
2694                 } else {
2695                         sbsec->behavior = SECURITY_FS_USE_GENFS;
2696                 }
2697         }
2698
2699 out:
2700         read_unlock(&policy_rwlock);
2701         return rc;
2702 }
2703
2704 int security_get_bools(int *len, char ***names, int **values)
2705 {
2706         int i, rc;
2707
2708         read_lock(&policy_rwlock);
2709         *names = NULL;
2710         *values = NULL;
2711
2712         rc = 0;
2713         *len = policydb.p_bools.nprim;
2714         if (!*len)
2715                 goto out;
2716
2717         rc = -ENOMEM;
2718         *names = kcalloc(*len, sizeof(char *), GFP_ATOMIC);
2719         if (!*names)
2720                 goto err;
2721
2722         rc = -ENOMEM;
2723         *values = kcalloc(*len, sizeof(int), GFP_ATOMIC);
2724         if (!*values)
2725                 goto err;
2726
2727         for (i = 0; i < *len; i++) {
2728                 (*values)[i] = policydb.bool_val_to_struct[i]->state;
2729
2730                 rc = -ENOMEM;
2731                 (*names)[i] = kstrdup(sym_name(&policydb, SYM_BOOLS, i), GFP_ATOMIC);
2732                 if (!(*names)[i])
2733                         goto err;
2734         }
2735         rc = 0;
2736 out:
2737         read_unlock(&policy_rwlock);
2738         return rc;
2739 err:
2740         if (*names) {
2741                 for (i = 0; i < *len; i++)
2742                         kfree((*names)[i]);
2743         }
2744         kfree(*values);
2745         goto out;
2746 }
2747
2748
2749 int security_set_bools(int len, int *values)
2750 {
2751         int i, rc;
2752         int lenp, seqno = 0;
2753         struct cond_node *cur;
2754
2755         write_lock_irq(&policy_rwlock);
2756
2757         rc = -EFAULT;
2758         lenp = policydb.p_bools.nprim;
2759         if (len != lenp)
2760                 goto out;
2761
2762         for (i = 0; i < len; i++) {
2763                 if (!!values[i] != policydb.bool_val_to_struct[i]->state) {
2764                         audit_log(current->audit_context, GFP_ATOMIC,
2765                                 AUDIT_MAC_CONFIG_CHANGE,
2766                                 "bool=%s val=%d old_val=%d auid=%u ses=%u",
2767                                 sym_name(&policydb, SYM_BOOLS, i),
2768                                 !!values[i],
2769                                 policydb.bool_val_to_struct[i]->state,
2770                                 from_kuid(&init_user_ns, audit_get_loginuid(current)),
2771                                 audit_get_sessionid(current));
2772                 }
2773                 if (values[i])
2774                         policydb.bool_val_to_struct[i]->state = 1;
2775                 else
2776                         policydb.bool_val_to_struct[i]->state = 0;
2777         }
2778
2779         for (cur = policydb.cond_list; cur; cur = cur->next) {
2780                 rc = evaluate_cond_node(&policydb, cur);
2781                 if (rc)
2782                         goto out;
2783         }
2784
2785         seqno = ++latest_granting;
2786         rc = 0;
2787 out:
2788         write_unlock_irq(&policy_rwlock);
2789         if (!rc) {
2790                 avc_ss_reset(seqno);
2791                 selnl_notify_policyload(seqno);
2792                 selinux_status_update_policyload(seqno);
2793                 selinux_xfrm_notify_policyload();
2794         }
2795         return rc;
2796 }
2797
2798 int security_get_bool_value(int index)
2799 {
2800         int rc;
2801         int len;
2802
2803         read_lock(&policy_rwlock);
2804
2805         rc = -EFAULT;
2806         len = policydb.p_bools.nprim;
2807         if (index >= len)
2808                 goto out;
2809
2810         rc = policydb.bool_val_to_struct[index]->state;
2811 out:
2812         read_unlock(&policy_rwlock);
2813         return rc;
2814 }
2815
2816 static int security_preserve_bools(struct policydb *p)
2817 {
2818         int rc, nbools = 0, *bvalues = NULL, i;
2819         char **bnames = NULL;
2820         struct cond_bool_datum *booldatum;
2821         struct cond_node *cur;
2822
2823         rc = security_get_bools(&nbools, &bnames, &bvalues);
2824         if (rc)
2825                 goto out;
2826         for (i = 0; i < nbools; i++) {
2827                 booldatum = hashtab_search(p->p_bools.table, bnames[i]);
2828                 if (booldatum)
2829                         booldatum->state = bvalues[i];
2830         }
2831         for (cur = p->cond_list; cur; cur = cur->next) {
2832                 rc = evaluate_cond_node(p, cur);
2833                 if (rc)
2834                         goto out;
2835         }
2836
2837 out:
2838         if (bnames) {
2839                 for (i = 0; i < nbools; i++)
2840                         kfree(bnames[i]);
2841         }
2842         kfree(bnames);
2843         kfree(bvalues);
2844         return rc;
2845 }
2846
2847 /*
2848  * security_sid_mls_copy() - computes a new sid based on the given
2849  * sid and the mls portion of mls_sid.
2850  */
2851 int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid)
2852 {
2853         struct context *context1;
2854         struct context *context2;
2855         struct context newcon;
2856         char *s;
2857         u32 len;
2858         int rc;
2859
2860         rc = 0;
2861         if (!ss_initialized || !policydb.mls_enabled) {
2862                 *new_sid = sid;
2863                 goto out;
2864         }
2865
2866         context_init(&newcon);
2867
2868         read_lock(&policy_rwlock);
2869
2870         rc = -EINVAL;
2871         context1 = sidtab_search(&sidtab, sid);
2872         if (!context1) {
2873                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
2874                         __func__, sid);
2875                 goto out_unlock;
2876         }
2877
2878         rc = -EINVAL;
2879         context2 = sidtab_search(&sidtab, mls_sid);
2880         if (!context2) {
2881                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
2882                         __func__, mls_sid);
2883                 goto out_unlock;
2884         }
2885
2886         newcon.user = context1->user;
2887         newcon.role = context1->role;
2888         newcon.type = context1->type;
2889         rc = mls_context_cpy(&newcon, context2);
2890         if (rc)
2891                 goto out_unlock;
2892
2893         /* Check the validity of the new context. */
2894         if (!policydb_context_isvalid(&policydb, &newcon)) {
2895                 rc = convert_context_handle_invalid_context(&newcon);
2896                 if (rc) {
2897                         if (!context_struct_to_string(&newcon, &s, &len)) {
2898                                 audit_log(current->audit_context,
2899                                           GFP_ATOMIC, AUDIT_SELINUX_ERR,
2900                                           "op=security_sid_mls_copy "
2901                                           "invalid_context=%s", s);
2902                                 kfree(s);
2903                         }
2904                         goto out_unlock;
2905                 }
2906         }
2907
2908         rc = sidtab_context_to_sid(&sidtab, &newcon, new_sid);
2909 out_unlock:
2910         read_unlock(&policy_rwlock);
2911         context_destroy(&newcon);
2912 out:
2913         return rc;
2914 }
2915
2916 /**
2917  * security_net_peersid_resolve - Compare and resolve two network peer SIDs
2918  * @nlbl_sid: NetLabel SID
2919  * @nlbl_type: NetLabel labeling protocol type
2920  * @xfrm_sid: XFRM SID
2921  *
2922  * Description:
2923  * Compare the @nlbl_sid and @xfrm_sid values and if the two SIDs can be
2924  * resolved into a single SID it is returned via @peer_sid and the function
2925  * returns zero.  Otherwise @peer_sid is set to SECSID_NULL and the function
2926  * returns a negative value.  A table summarizing the behavior is below:
2927  *
2928  *                                 | function return |      @sid
2929  *   ------------------------------+-----------------+-----------------
2930  *   no peer labels                |        0        |    SECSID_NULL
2931  *   single peer label             |        0        |    <peer_label>
2932  *   multiple, consistent labels   |        0        |    <peer_label>
2933  *   multiple, inconsistent labels |    -<errno>     |    SECSID_NULL
2934  *
2935  */
2936 int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type,
2937                                  u32 xfrm_sid,
2938                                  u32 *peer_sid)
2939 {
2940         int rc;
2941         struct context *nlbl_ctx;
2942         struct context *xfrm_ctx;
2943
2944         *peer_sid = SECSID_NULL;
2945
2946         /* handle the common (which also happens to be the set of easy) cases
2947          * right away, these two if statements catch everything involving a
2948          * single or absent peer SID/label */
2949         if (xfrm_sid == SECSID_NULL) {
2950                 *peer_sid = nlbl_sid;
2951                 return 0;
2952         }
2953         /* NOTE: an nlbl_type == NETLBL_NLTYPE_UNLABELED is a "fallback" label
2954          * and is treated as if nlbl_sid == SECSID_NULL when a XFRM SID/label
2955          * is present */
2956         if (nlbl_sid == SECSID_NULL || nlbl_type == NETLBL_NLTYPE_UNLABELED) {
2957                 *peer_sid = xfrm_sid;
2958                 return 0;
2959         }
2960
2961         /* we don't need to check ss_initialized here since the only way both
2962          * nlbl_sid and xfrm_sid are not equal to SECSID_NULL would be if the
2963          * security server was initialized and ss_initialized was true */
2964         if (!policydb.mls_enabled)
2965                 return 0;
2966
2967         read_lock(&policy_rwlock);
2968
2969         rc = -EINVAL;
2970         nlbl_ctx = sidtab_search(&sidtab, nlbl_sid);
2971         if (!nlbl_ctx) {
2972                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
2973                        __func__, nlbl_sid);
2974                 goto out;
2975         }
2976         rc = -EINVAL;
2977         xfrm_ctx = sidtab_search(&sidtab, xfrm_sid);
2978         if (!xfrm_ctx) {
2979                 printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
2980                        __func__, xfrm_sid);
2981                 goto out;
2982         }
2983         rc = (mls_context_cmp(nlbl_ctx, xfrm_ctx) ? 0 : -EACCES);
2984         if (rc)
2985                 goto out;
2986
2987         /* at present NetLabel SIDs/labels really only carry MLS
2988          * information so if the MLS portion of the NetLabel SID
2989          * matches the MLS portion of the labeled XFRM SID/label
2990          * then pass along the XFRM SID as it is the most
2991          * expressive */
2992         *peer_sid = xfrm_sid;
2993 out:
2994         read_unlock(&policy_rwlock);
2995         return rc;
2996 }
2997
2998 static int get_classes_callback(void *k, void *d, void *args)
2999 {
3000         struct class_datum *datum = d;
3001         char *name = k, **classes = args;
3002         int value = datum->value - 1;
3003
3004         classes[value] = kstrdup(name, GFP_ATOMIC);
3005         if (!classes[value])
3006                 return -ENOMEM;
3007
3008         return 0;
3009 }
3010
3011 int security_get_classes(char ***classes, int *nclasses)
3012 {
3013         int rc;
3014
3015         read_lock(&policy_rwlock);
3016
3017         rc = -ENOMEM;
3018         *nclasses = policydb.p_classes.nprim;
3019         *classes = kcalloc(*nclasses, sizeof(**classes), GFP_ATOMIC);
3020         if (!*classes)
3021                 goto out;
3022
3023         rc = hashtab_map(policydb.p_classes.table, get_classes_callback,
3024                         *classes);
3025         if (rc) {
3026                 int i;
3027                 for (i = 0; i < *nclasses; i++)
3028                         kfree((*classes)[i]);
3029                 kfree(*classes);
3030         }
3031
3032 out:
3033         read_unlock(&policy_rwlock);
3034         return rc;
3035 }
3036
3037 static int get_permissions_callback(void *k, void *d, void *args)
3038 {
3039         struct perm_datum *datum = d;
3040         char *name = k, **perms = args;
3041         int value = datum->value - 1;
3042
3043         perms[value] = kstrdup(name, GFP_ATOMIC);
3044         if (!perms[value])
3045                 return -ENOMEM;
3046
3047         return 0;
3048 }
3049
3050 int security_get_permissions(char *class, char ***perms, int *nperms)
3051 {
3052         int rc, i;
3053         struct class_datum *match;
3054
3055         read_lock(&policy_rwlock);
3056
3057         rc = -EINVAL;
3058         match = hashtab_search(policydb.p_classes.table, class);
3059         if (!match) {
3060                 printk(KERN_ERR "SELinux: %s:  unrecognized class %s\n",
3061                         __func__, class);
3062                 goto out;
3063         }
3064
3065         rc = -ENOMEM;
3066         *nperms = match->permissions.nprim;
3067         *perms = kcalloc(*nperms, sizeof(**perms), GFP_ATOMIC);
3068         if (!*perms)
3069                 goto out;
3070
3071         if (match->comdatum) {
3072                 rc = hashtab_map(match->comdatum->permissions.table,
3073                                 get_permissions_callback, *perms);
3074                 if (rc)
3075                         goto err;
3076         }
3077
3078         rc = hashtab_map(match->permissions.table, get_permissions_callback,
3079                         *perms);
3080         if (rc)
3081                 goto err;
3082
3083 out:
3084         read_unlock(&policy_rwlock);
3085         return rc;
3086
3087 err:
3088         read_unlock(&policy_rwlock);
3089         for (i = 0; i < *nperms; i++)
3090                 kfree((*perms)[i]);
3091         kfree(*perms);
3092         return rc;
3093 }
3094