services.c source code [Linux/security/selinux/ss/services.c]

1	// SPDX-License-Identifier: GPL-2.0-only
2	/*
3	* Implementation of the security services.
4	*
5	* Authors : Stephen Smalley, <stephen.smalley.work@gmail.com>
6	* James Morris <jmorris@redhat.com>
7	*
8	* Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
9	*
10	* Support for enhanced MLS infrastructure.
11	* Support for context based audit filters.
12	*
13	* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
14	*
15	* Added conditional policy language extensions
16	*
17	* Updated: Hewlett-Packard <paul@paul-moore.com>
18	*
19	* Added support for NetLabel
20	* Added support for the policy capability bitmap
21	*
22	* Updated: Chad Sellers <csellers@tresys.com>
23	*
24	* Added validation of kernel classes and permissions
25	*
26	* Updated: KaiGai Kohei <kaigai@ak.jp.nec.com>
27	*
28	* Added support for bounds domain and audit messaged on masked permissions
29	*
30	* Updated: Guido Trentalancia <guido@trentalancia.com>
31	*
32	* Added support for runtime switching of the policy type
33	*
34	* Copyright (C) 2008, 2009 NEC Corporation
35	* Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
36	* Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
37	* Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC
38	* Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
39	*/
40	#include <linux/kernel.h>
41	#include <linux/slab.h>
42	#include <linux/string.h>
43	#include <linux/spinlock.h>
44	#include <linux/rcupdate.h>
45	#include <linux/errno.h>
46	#include <linux/in.h>
47	#include <linux/sched.h>
48	#include <linux/audit.h>
49	#include <linux/parser.h>
50	#include <linux/vmalloc.h>
51	#include <linux/lsm_hooks.h>
52	#include <net/netlabel.h>
53
54	#include "flask.h"
55	#include "avc.h"
56	#include "avc_ss.h"
57	#include "security.h"
58	#include "context.h"
59	#include "policydb.h"
60	#include "sidtab.h"
61	#include "services.h"
62	#include "conditional.h"
63	#include "mls.h"
64	#include "objsec.h"
65	#include "netlabel.h"
66	#include "xfrm.h"
67	#include "ebitmap.h"
68	#include "audit.h"
69	#include "policycap_names.h"
70	#include "ima.h"
71
72	struct selinux_policy_convert_data {
73	struct convert_context_args args;
74	struct sidtab_convert_params sidtab_params;
75	};
76
77	/ Forward declaration. /
78	static int context_struct_to_string(struct policydb *policydb,
79	struct context *context,
80	char **scontext,
81	u32 *scontext_len);
82
83	static int sidtab_entry_to_string(struct policydb *policydb,
84	struct sidtab *sidtab,
85	struct sidtab_entry *entry,
86	char **scontext,
87	u32 *scontext_len);
88
89	static void context_struct_compute_av(struct policydb *policydb,
90	struct context *scontext,
91	struct context *tcontext,
92	u16 tclass,
93	struct av_decision *avd,
94	struct extended_perms *xperms);
95
96	static int selinux_set_mapping(struct policydb *pol,
97	const struct security_class_mapping *map,
98	struct selinux_map *out_map)
99	{
100	u16 i, j;
101	bool print_unknown_handle = false;
102
103	/ Find number of classes in the input mapping /
104	if (!map)
105	return -EINVAL;
106	i = `0`;
107	while (map[i].name)
108	i++;
109
110	/ Allocate space for the class records, plus one for class zero /
111	out_map->mapping = kcalloc(++i, sizeof(*out_map->mapping), GFP_ATOMIC);
112	if (!out_map->mapping)
113	return -ENOMEM;
114
115	/ Store the raw class and permission values /
116	j = `0`;
117	while (map[j].name) {
118	const struct security_class_mapping *p_in = map + (j++);
119	struct selinux_mapping *p_out = out_map->mapping + j;
120	u16 k;
121
122	/ An empty class string skips ahead /
123	if (!strcmp(p_in->name, "")) {
124	p_out->num_perms = `0`;
125	continue;
126	}
127
128	p_out->value = string_to_security_class(p: pol, name: p_in->name);
129	if (!p_out->value) {
130	pr_info("SELinux: Class %s not defined in policy.\n",
131	p_in->name);
132	if (pol->reject_unknown)
133	goto err;
134	p_out->num_perms = `0`;
135	print_unknown_handle = true;
136	continue;
137	}
138
139	k = `0`;
140	while (p_in->perms[k]) {
141	/ An empty permission string skips ahead /
142	if (!*p_in->perms[k]) {
143	k++;
144	continue;
145	}
146	p_out->perms[k] = string_to_av_perm(p: pol, tclass: p_out->value,
147	name: p_in->perms[k]);
148	if (!p_out->perms[k]) {
149	pr_info("SELinux: Permission %s in class %s not defined in policy.\n",
150	p_in->perms[k], p_in->name);
151	if (pol->reject_unknown)
152	goto err;
153	print_unknown_handle = true;
154	}
155
156	k++;
157	}
158	p_out->num_perms = k;
159	}
160
161	if (print_unknown_handle)
162	pr_info("SELinux: the above unknown classes and permissions will be %s\n",
163	pol->allow_unknown ? "allowed" : "denied");
164
165	out_map->size = i;
166	return `0`;
167	err:
168	kfree(objp: out_map->mapping);
169	out_map->mapping = NULL;
170	return -EINVAL;
171	}
172
173	/*
174	* Get real, policy values from mapped values
175	*/
176
177	static u16 unmap_class(struct selinux_map *map, u16 tclass)
178	{
179	if (tclass < map->size)
180	return map->mapping[tclass].value;
181
182	return tclass;
183	}
184
185	/*
186	* Get kernel value for class from its policy value
187	*/
188	static u16 map_class(struct selinux_map *map, u16 pol_value)
189	{
190	u16 i;
191
192	for (i = `1`; i < map->size; i++) {
193	if (map->mapping[i].value == pol_value)
194	return i;
195	}
196
197	return SECCLASS_NULL;
198	}
199
200	static void map_decision(struct selinux_map *map,
201	u16 tclass, struct av_decision *avd,
202	int allow_unknown)
203	{
204	if (tclass < map->size) {
205	struct selinux_mapping *mapping = &map->mapping[tclass];
206	unsigned int i, n = mapping->num_perms;
207	u32 result;
208
209	for (i = `0`, result = `0`; i < n; i++) {
210	if (avd->allowed & mapping->perms[i])
211	result \|= (u32)`1`<<i;
212	if (allow_unknown && !mapping->perms[i])
213	result \|= (u32)`1`<<i;
214	}
215	avd->allowed = result;
216
217	for (i = `0`, result = `0`; i < n; i++)
218	if (avd->auditallow & mapping->perms[i])
219	result \|= (u32)`1`<<i;
220	avd->auditallow = result;
221
222	for (i = `0`, result = `0`; i < n; i++) {
223	if (avd->auditdeny & mapping->perms[i])
224	result \|= (u32)`1`<<i;
225	if (!allow_unknown && !mapping->perms[i])
226	result \|= (u32)`1`<<i;
227	}
228	/*
229	* In case the kernel has a bug and requests a permission
230	* between num_perms and the maximum permission number, we
231	* should audit that denial
232	*/
233	for (; i < (sizeof(u32)*`8`); i++)
234	result \|= (u32)`1`<<i;
235	avd->auditdeny = result;
236	}
237	}
238
239	int security_mls_enabled(void)
240	{
241	int mls_enabled;
242	struct selinux_policy *policy;
243
244	if (!selinux_initialized())
245	return `0`;
246
247	rcu_read_lock();
248	policy = rcu_dereference(selinux_state.policy);
249	mls_enabled = policy->policydb.mls_enabled;
250	rcu_read_unlock();
251	return mls_enabled;
252	}
253
254	/*
255	* Return the boolean value of a constraint expression
256	* when it is applied to the specified source and target
257	* security contexts.
258	*
259	* xcontext is a special beast... It is used by the validatetrans rules
260	* only. For these rules, scontext is the context before the transition,
261	* tcontext is the context after the transition, and xcontext is the context
262	* of the process performing the transition. All other callers of
263	* constraint_expr_eval should pass in NULL for xcontext.
264	*/
265	static int constraint_expr_eval(struct policydb *policydb,
266	struct context *scontext,
267	struct context *tcontext,
268	struct context *xcontext,
269	struct constraint_expr *cexpr)
270	{
271	u32 val1, val2;
272	struct context *c;
273	struct role_datum r1, r2;
274	struct mls_level l1, l2;
275	struct constraint_expr *e;
276	int s[CEXPR_MAXDEPTH];
277	int sp = -`1`;
278
279	for (e = cexpr; e; e = e->next) {
280	switch (e->expr_type) {
281	case CEXPR_NOT:
282	BUG_ON(sp < `0`);
283	s[sp] = !s[sp];
284	break;
285	case CEXPR_AND:
286	BUG_ON(sp < `1`);
287	sp--;
288	s[sp] &= s[sp + `1`];
289	break;
290	case CEXPR_OR:
291	BUG_ON(sp < `1`);
292	sp--;
293	s[sp] \|= s[sp + `1`];
294	break;
295	case CEXPR_ATTR:
296	if (sp == (CEXPR_MAXDEPTH - `1`))
297	return `0`;
298	switch (e->attr) {
299	case CEXPR_USER:
300	val1 = scontext->user;
301	val2 = tcontext->user;
302	break;
303	case CEXPR_TYPE:
304	val1 = scontext->type;
305	val2 = tcontext->type;
306	break;
307	case CEXPR_ROLE:
308	val1 = scontext->role;
309	val2 = tcontext->role;
310	r1 = policydb->role_val_to_struct[val1 - `1`];
311	r2 = policydb->role_val_to_struct[val2 - `1`];
312	switch (e->op) {
313	case CEXPR_DOM:
314	s[++sp] = ebitmap_get_bit(e: &r1->dominates,
315	bit: val2 - `1`);
316	continue;
317	case CEXPR_DOMBY:
318	s[++sp] = ebitmap_get_bit(e: &r2->dominates,
319	bit: val1 - `1`);
320	continue;
321	case CEXPR_INCOMP:
322	s[++sp] = (!ebitmap_get_bit(e: &r1->dominates,
323	bit: val2 - `1`) &&
324	!ebitmap_get_bit(e: &r2->dominates,
325	bit: val1 - `1`));
326	continue;
327	default:
328	break;
329	}
330	break;
331	case CEXPR_L1L2:
332	l1 = &(scontext->range.level[`0`]);
333	l2 = &(tcontext->range.level[`0`]);
334	goto mls_ops;
335	case CEXPR_L1H2:
336	l1 = &(scontext->range.level[`0`]);
337	l2 = &(tcontext->range.level[`1`]);
338	goto mls_ops;
339	case CEXPR_H1L2:
340	l1 = &(scontext->range.level[`1`]);
341	l2 = &(tcontext->range.level[`0`]);
342	goto mls_ops;
343	case CEXPR_H1H2:
344	l1 = &(scontext->range.level[`1`]);
345	l2 = &(tcontext->range.level[`1`]);
346	goto mls_ops;
347	case CEXPR_L1H1:
348	l1 = &(scontext->range.level[`0`]);
349	l2 = &(scontext->range.level[`1`]);
350	goto mls_ops;
351	case CEXPR_L2H2:
352	l1 = &(tcontext->range.level[`0`]);
353	l2 = &(tcontext->range.level[`1`]);
354	goto mls_ops;
355	mls_ops:
356	switch (e->op) {
357	case CEXPR_EQ:
358	s[++sp] = mls_level_eq(l1, l2);
359	continue;
360	case CEXPR_NEQ:
361	s[++sp] = !mls_level_eq(l1, l2);
362	continue;
363	case CEXPR_DOM:
364	s[++sp] = mls_level_dom(l1, l2);
365	continue;
366	case CEXPR_DOMBY:
367	s[++sp] = mls_level_dom(l1: l2, l2: l1);
368	continue;
369	case CEXPR_INCOMP:
370	s[++sp] = mls_level_incomp(l2, l1);
371	continue;
372	default:
373	BUG();
374	return `0`;
375	}
376	break;
377	default:
378	BUG();
379	return `0`;
380	}
381
382	switch (e->op) {
383	case CEXPR_EQ:
384	s[++sp] = (val1 == val2);
385	break;
386	case CEXPR_NEQ:
387	s[++sp] = (val1 != val2);
388	break;
389	default:
390	BUG();
391	return `0`;
392	}
393	break;
394	case CEXPR_NAMES:
395	if (sp == (CEXPR_MAXDEPTH-`1`))
396	return `0`;
397	c = scontext;
398	if (e->attr & CEXPR_TARGET)
399	c = tcontext;
400	else if (e->attr & CEXPR_XTARGET) {
401	c = xcontext;
402	if (!c) {
403	BUG();
404	return `0`;
405	}
406	}
407	if (e->attr & CEXPR_USER)
408	val1 = c->user;
409	else if (e->attr & CEXPR_ROLE)
410	val1 = c->role;
411	else if (e->attr & CEXPR_TYPE)
412	val1 = c->type;
413	else {
414	BUG();
415	return `0`;
416	}
417
418	switch (e->op) {
419	case CEXPR_EQ:
420	s[++sp] = ebitmap_get_bit(e: &e->names, bit: val1 - `1`);
421	break;
422	case CEXPR_NEQ:
423	s[++sp] = !ebitmap_get_bit(e: &e->names, bit: val1 - `1`);
424	break;
425	default:
426	BUG();
427	return `0`;
428	}
429	break;
430	default:
431	BUG();
432	return `0`;
433	}
434	}
435
436	BUG_ON(sp != `0`);
437	return s[`0`];
438	}
439
440	/*
441	* security_dump_masked_av - dumps masked permissions during
442	* security_compute_av due to RBAC, MLS/Constraint and Type bounds.
443	*/
444	static int dump_masked_av_helper(void k, void* d, void* *args)
445	{
446	struct perm_datum *pdatum = d;
447	char **permission_names = args;
448
449	BUG_ON(pdatum->value < `1` \|\| pdatum->value > `32`);
450
451	permission_names[pdatum->value - `1`] = (char *)k;
452
453	return `0`;
454	}
455
456	static void security_dump_masked_av(struct policydb *policydb,
457	struct context *scontext,
458	struct context *tcontext,
459	u16 tclass,
460	u32 permissions,
461	const char *reason)
462	{
463	struct common_datum *common_dat;
464	struct class_datum *tclass_dat;
465	struct audit_buffer *ab;
466	char *tclass_name;
467	char *scontext_name = NULL;
468	char *tcontext_name = NULL;
469	char *permission_names[`32`];
470	int index;
471	u32 length;
472	bool need_comma = false;
473
474	if (!permissions)
475	return;
476
477	tclass_name = sym_name(p: policydb, SYM_CLASSES, element_nr: tclass - `1`);
478	tclass_dat = policydb->class_val_to_struct[tclass - `1`];
479	common_dat = tclass_dat->comdatum;
480
481	/ init permission_names /
482	if (common_dat &&
483	hashtab_map(h: &common_dat->permissions.table,
484	apply: dump_masked_av_helper, args: permission_names) < `0`)
485	goto out;
486
487	if (hashtab_map(h: &tclass_dat->permissions.table,
488	apply: dump_masked_av_helper, args: permission_names) < `0`)
489	goto out;
490
491	/ get scontext/tcontext in text form /
492	if (context_struct_to_string(policydb, context: scontext,
493	scontext: &scontext_name, scontext_len: &length) < `0`)
494	goto out;
495
496	if (context_struct_to_string(policydb, context: tcontext,
497	scontext: &tcontext_name, scontext_len: &length) < `0`)
498	goto out;
499
500	/ audit a message /
501	ab = audit_log_start(ctx: audit_context(),
502	GFP_ATOMIC, AUDIT_SELINUX_ERR);
503	if (!ab)
504	goto out;
505
506	audit_log_format(ab, fmt: "op=security_compute_av reason=%s "
507	"scontext=%s tcontext=%s tclass=%s perms=",
508	reason, scontext_name, tcontext_name, tclass_name);
509
510	for (index = `0`; index < `32`; index++) {
511	u32 mask = (`1` << index);
512
513	if ((mask & permissions) == `0`)
514	continue;
515
516	audit_log_format(ab, fmt: "%s%s",
517	need_comma ? "," : "",
518	permission_names[index]
519	? permission_names[index] : "????");
520	need_comma = true;
521	}
522	audit_log_end(ab);
523	out:
524	/ release scontext/tcontext /
525	kfree(objp: tcontext_name);
526	kfree(objp: scontext_name);
527	}
528
529	/*
530	* security_boundary_permission - drops violated permissions
531	* on boundary constraint.
532	*/
533	static void type_attribute_bounds_av(struct policydb *policydb,
534	struct context *scontext,
535	struct context *tcontext,
536	u16 tclass,
537	struct av_decision *avd)
538	{
539	struct context lo_scontext;
540	struct context lo_tcontext, *tcontextp = tcontext;
541	struct av_decision lo_avd;
542	struct type_datum *source;
543	struct type_datum *target;
544	u32 masked = `0`;
545
546	source = policydb->type_val_to_struct[scontext->type - `1`];
547	BUG_ON(!source);
548
549	if (!source->bounds)
550	return;
551
552	target = policydb->type_val_to_struct[tcontext->type - `1`];
553	BUG_ON(!target);
554
555	memset(s: &lo_avd, c: `0`, n: sizeof(lo_avd));
556
557	memcpy(to: &lo_scontext, from: scontext, len: sizeof(lo_scontext));
558	lo_scontext.type = source->bounds;
559
560	if (target->bounds) {
561	memcpy(to: &lo_tcontext, from: tcontext, len: sizeof(lo_tcontext));
562	lo_tcontext.type = target->bounds;
563	tcontextp = &lo_tcontext;
564	}
565
566	context_struct_compute_av(policydb, scontext: &lo_scontext,
567	tcontext: tcontextp,
568	tclass,
569	avd: &lo_avd,
570	NULL);
571
572	masked = ~lo_avd.allowed & avd->allowed;
573
574	if (likely(!masked))
575	return; / no masked permission /
576
577	/ mask violated permissions /
578	avd->allowed &= ~masked;
579
580	/ audit masked permissions /
581	security_dump_masked_av(policydb, scontext, tcontext,
582	tclass, permissions: masked, reason: "bounds");
583	}
584
585	/*
586	* Flag which drivers have permissions and which base permissions are covered.
587	*/
588	void services_compute_xperms_drivers(
589	struct extended_perms *xperms,
590	struct avtab_node *node)
591	{
592	unsigned int i;
593
594	switch (node->datum.u.xperms->specified) {
595	case AVTAB_XPERMS_IOCTLDRIVER:
596	xperms->base_perms \|= AVC_EXT_IOCTL;
597	/ if one or more driver has all permissions allowed /
598	for (i = `0`; i < ARRAY_SIZE(xperms->drivers.p); i++)
599	xperms->drivers.p[i] \|= node->datum.u.xperms->perms.p[i];
600	break;
601	case AVTAB_XPERMS_IOCTLFUNCTION:
602	xperms->base_perms \|= AVC_EXT_IOCTL;
603	/ if allowing permissions within a driver /
604	security_xperm_set(xperms->drivers.p,
605	node->datum.u.xperms->driver);
606	break;
607	case AVTAB_XPERMS_NLMSG:
608	xperms->base_perms \|= AVC_EXT_NLMSG;
609	/ if allowing permissions within a driver /
610	security_xperm_set(xperms->drivers.p,
611	node->datum.u.xperms->driver);
612	break;
613	}
614
615	xperms->len = `1`;
616	}
617
618	/*
619	* Compute access vectors and extended permissions based on a context
620	* structure pair for the permissions in a particular class.
621	*/
622	static void context_struct_compute_av(struct policydb *policydb,
623	struct context *scontext,
624	struct context *tcontext,
625	u16 tclass,
626	struct av_decision *avd,
627	struct extended_perms *xperms)
628	{
629	struct constraint_node *constraint;
630	struct role_allow *ra;
631	struct avtab_key avkey;
632	struct avtab_node *node;
633	struct class_datum *tclass_datum;
634	struct ebitmap sattr, tattr;
635	struct ebitmap_node snode, tnode;
636	unsigned int i, j;
637
638	avd->allowed = `0`;
639	avd->auditallow = `0`;
640	avd->auditdeny = `0xffffffff`;
641	if (xperms) {
642	memset(s: xperms, c: `0`, n: sizeof(*xperms));
643	}
644
645	if (unlikely(!tclass \|\| tclass > policydb->p_classes.nprim)) {
646	pr_warn_ratelimited("SELinux: Invalid class %u\n", tclass);
647	return;
648	}
649
650	tclass_datum = policydb->class_val_to_struct[tclass - `1`];
651
652	/*
653	* If a specific type enforcement rule was defined for
654	* this permission check, then use it.
655	*/
656	avkey.target_class = tclass;
657	avkey.specified = AVTAB_AV \| AVTAB_XPERMS;
658	sattr = &policydb->type_attr_map_array[scontext->type - `1`];
659	tattr = &policydb->type_attr_map_array[tcontext->type - `1`];
660	ebitmap_for_each_positive_bit(sattr, snode, i) {
661	ebitmap_for_each_positive_bit(tattr, tnode, j) {
662	avkey.source_type = i + `1`;
663	avkey.target_type = j + `1`;
664	for (node = avtab_search_node(h: &policydb->te_avtab,
665	key: &avkey);
666	node;
667	node = avtab_search_node_next(node, specified: avkey.specified)) {
668	if (node->key.specified == AVTAB_ALLOWED)
669	avd->allowed \|= node->datum.u.data;
670	else if (node->key.specified == AVTAB_AUDITALLOW)
671	avd->auditallow \|= node->datum.u.data;
672	else if (node->key.specified == AVTAB_AUDITDENY)
673	avd->auditdeny &= node->datum.u.data;
674	else if (xperms && (node->key.specified & AVTAB_XPERMS))
675	services_compute_xperms_drivers(xperms, node);
676	}
677
678	/ Check conditional av table for additional permissions /
679	cond_compute_av(ctab: &policydb->te_cond_avtab, key: &avkey,
680	avd, xperms);
681
682	}
683	}
684
685	/*
686	* Remove any permissions prohibited by a constraint (this includes
687	* the MLS policy).
688	*/
689	constraint = tclass_datum->constraints;
690	while (constraint) {
691	if ((constraint->permissions & (avd->allowed)) &&
692	!constraint_expr_eval(policydb, scontext, tcontext, NULL,
693	cexpr: constraint->expr)) {
694	avd->allowed &= ~(constraint->permissions);
695	}
696	constraint = constraint->next;
697	}
698
699	/*
700	* If checking process transition permission and the
701	* role is changing, then check the (current_role, new_role)
702	* pair.
703	*/
704	if (tclass == policydb->process_class &&
705	(avd->allowed & policydb->process_trans_perms) &&
706	scontext->role != tcontext->role) {
707	for (ra = policydb->role_allow; ra; ra = ra->next) {
708	if (scontext->role == ra->role &&
709	tcontext->role == ra->new_role)
710	break;
711	}
712	if (!ra)
713	avd->allowed &= ~policydb->process_trans_perms;
714	}
715
716	/*
717	* If the given source and target types have boundary
718	* constraint, lazy checks have to mask any violated
719	* permission and notice it to userspace via audit.
720	*/
721	type_attribute_bounds_av(policydb, scontext, tcontext,
722	tclass, avd);
723	}
724
725	static int security_validtrans_handle_fail(struct selinux_policy *policy,
726	struct sidtab_entry *oentry,
727	struct sidtab_entry *nentry,
728	struct sidtab_entry *tentry,
729	u16 tclass)
730	{
731	struct policydb *p = &policy->policydb;
732	struct sidtab *sidtab = policy->sidtab;
733	char o = NULL, n = NULL, *t = NULL;
734	u32 olen, nlen, tlen;
735
736	if (sidtab_entry_to_string(policydb: p, sidtab, entry: oentry, scontext: &o, scontext_len: &olen))
737	goto out;
738	if (sidtab_entry_to_string(policydb: p, sidtab, entry: nentry, scontext: &n, scontext_len: &nlen))
739	goto out;
740	if (sidtab_entry_to_string(policydb: p, sidtab, entry: tentry, scontext: &t, scontext_len: &tlen))
741	goto out;
742	audit_log(ctx: audit_context(), GFP_ATOMIC, AUDIT_SELINUX_ERR,
743	fmt: "op=security_validate_transition seresult=denied"
744	" oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
745	o, n, t, sym_name(p, SYM_CLASSES, element_nr: tclass-`1`));
746	out:
747	kfree(objp: o);
748	kfree(objp: n);
749	kfree(objp: t);
750
751	if (!enforcing_enabled())
752	return `0`;
753	return -EPERM;
754	}
755
756	static int security_compute_validatetrans(u32 oldsid, u32 newsid, u32 tasksid,
757	u16 orig_tclass, bool user)
758	{
759	struct selinux_policy *policy;
760	struct policydb *policydb;
761	struct sidtab *sidtab;
762	struct sidtab_entry *oentry;
763	struct sidtab_entry *nentry;
764	struct sidtab_entry *tentry;
765	struct class_datum *tclass_datum;
766	struct constraint_node *constraint;
767	u16 tclass;
768	int rc = `0`;
769
770
771	if (!selinux_initialized())
772	return `0`;
773
774	rcu_read_lock();
775
776	policy = rcu_dereference(selinux_state.policy);
777	policydb = &policy->policydb;
778	sidtab = policy->sidtab;
779
780	if (!user)
781	tclass = unmap_class(map: &policy->map, tclass: orig_tclass);
782	else
783	tclass = orig_tclass;
784
785	if (!tclass \|\| tclass > policydb->p_classes.nprim) {
786	rc = -EINVAL;
787	goto out;
788	}
789	tclass_datum = policydb->class_val_to_struct[tclass - `1`];
790
791	oentry = sidtab_search_entry(s: sidtab, sid: oldsid);
792	if (!oentry) {
793	pr_err("SELinux: %s: unrecognized SID %d\n",
794	__func__, oldsid);
795	rc = -EINVAL;
796	goto out;
797	}
798
799	nentry = sidtab_search_entry(s: sidtab, sid: newsid);
800	if (!nentry) {
801	pr_err("SELinux: %s: unrecognized SID %d\n",
802	__func__, newsid);
803	rc = -EINVAL;
804	goto out;
805	}
806
807	tentry = sidtab_search_entry(s: sidtab, sid: tasksid);
808	if (!tentry) {
809	pr_err("SELinux: %s: unrecognized SID %d\n",
810	__func__, tasksid);
811	rc = -EINVAL;
812	goto out;
813	}
814
815	constraint = tclass_datum->validatetrans;
816	while (constraint) {
817	if (!constraint_expr_eval(policydb, scontext: &oentry->context,
818	tcontext: &nentry->context, xcontext: &tentry->context,
819	cexpr: constraint->expr)) {
820	if (user)
821	rc = -EPERM;
822	else
823	rc = security_validtrans_handle_fail(policy,
824	oentry,
825	nentry,
826	tentry,
827	tclass);
828	goto out;
829	}
830	constraint = constraint->next;
831	}
832
833	out:
834	rcu_read_unlock();
835	return rc;
836	}
837
838	int security_validate_transition_user(u32 oldsid, u32 newsid, u32 tasksid,
839	u16 tclass)
840	{
841	return security_compute_validatetrans(oldsid, newsid, tasksid,
842	orig_tclass: tclass, user: true);
843	}
844
845	int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
846	u16 orig_tclass)
847	{
848	return security_compute_validatetrans(oldsid, newsid, tasksid,
849	orig_tclass, user: false);
850	}
851
852	/*
853	* security_bounded_transition - check whether the given
854	* transition is directed to bounded, or not.
855	* It returns 0, if @newsid is bounded by @oldsid.
856	* Otherwise, it returns error code.
857	*
858	* @oldsid : current security identifier
859	* @newsid : destinated security identifier
860	*/
861	int security_bounded_transition(u32 old_sid, u32 new_sid)
862	{
863	struct selinux_policy *policy;
864	struct policydb *policydb;
865	struct sidtab *sidtab;
866	struct sidtab_entry old_entry, new_entry;
867	struct type_datum *type;
868	u32 index;
869	int rc;
870
871	if (!selinux_initialized())
872	return `0`;
873
874	rcu_read_lock();
875	policy = rcu_dereference(selinux_state.policy);
876	policydb = &policy->policydb;
877	sidtab = policy->sidtab;
878
879	rc = -EINVAL;
880	old_entry = sidtab_search_entry(s: sidtab, sid: old_sid);
881	if (!old_entry) {
882	pr_err("SELinux: %s: unrecognized SID %u\n",
883	__func__, old_sid);
884	goto out;
885	}
886
887	rc = -EINVAL;
888	new_entry = sidtab_search_entry(s: sidtab, sid: new_sid);
889	if (!new_entry) {
890	pr_err("SELinux: %s: unrecognized SID %u\n",
891	__func__, new_sid);
892	goto out;
893	}
894
895	rc = `0`;
896	/ type/domain unchanged /
897	if (old_entry->context.type == new_entry->context.type)
898	goto out;
899
900	index = new_entry->context.type;
901	while (true) {
902	type = policydb->type_val_to_struct[index - `1`];
903	BUG_ON(!type);
904
905	/ not bounded anymore /
906	rc = -EPERM;
907	if (!type->bounds)
908	break;
909
910	/ @newsid is bounded by @oldsid /
911	rc = `0`;
912	if (type->bounds == old_entry->context.type)
913	break;
914
915	index = type->bounds;
916	}
917
918	if (rc) {
919	char *old_name = NULL;
920	char *new_name = NULL;
921	u32 length;
922
923	if (!sidtab_entry_to_string(policydb, sidtab, entry: old_entry,
924	scontext: &old_name, scontext_len: &length) &&
925	!sidtab_entry_to_string(policydb, sidtab, entry: new_entry,
926	scontext: &new_name, scontext_len: &length)) {
927	audit_log(ctx: audit_context(),
928	GFP_ATOMIC, AUDIT_SELINUX_ERR,
929	fmt: "op=security_bounded_transition "
930	"seresult=denied "
931	"oldcontext=%s newcontext=%s",
932	old_name, new_name);
933	}
934	kfree(objp: new_name);
935	kfree(objp: old_name);
936	}
937	out:
938	rcu_read_unlock();
939
940	return rc;
941	}
942
943	static void avd_init(struct selinux_policy policy, struct* av_decision *avd)
944	{
945	avd->allowed = `0`;
946	avd->auditallow = `0`;
947	avd->auditdeny = `0xffffffff`;
948	if (policy)
949	avd->seqno = policy->latest_granting;
950	else
951	avd->seqno = `0`;
952	avd->flags = `0`;
953	}
954
955	static void update_xperms_extended_data(u8 specified,
956	const struct extended_perms_data *from,
957	struct extended_perms_data *xp_data)
958	{
959	unsigned int i;
960
961	switch (specified) {
962	case AVTAB_XPERMS_IOCTLDRIVER:
963	memset(s: xp_data->p, c: `0xff`, n: sizeof(xp_data->p));
964	break;
965	case AVTAB_XPERMS_IOCTLFUNCTION:
966	case AVTAB_XPERMS_NLMSG:
967	for (i = `0`; i < ARRAY_SIZE(xp_data->p); i++)
968	xp_data->p[i] \|= from->p[i];
969	break;
970	}
971
972	}
973
974	void services_compute_xperms_decision(struct extended_perms_decision *xpermd,
975	struct avtab_node *node)
976	{
977	u16 specified;
978
979	switch (node->datum.u.xperms->specified) {
980	case AVTAB_XPERMS_IOCTLFUNCTION:
981	if (xpermd->base_perm != AVC_EXT_IOCTL \|\|
982	xpermd->driver != node->datum.u.xperms->driver)
983	return;
984	break;
985	case AVTAB_XPERMS_IOCTLDRIVER:
986	if (xpermd->base_perm != AVC_EXT_IOCTL \|\|
987	!security_xperm_test(node->datum.u.xperms->perms.p,
988	xpermd->driver))
989	return;
990	break;
991	case AVTAB_XPERMS_NLMSG:
992	if (xpermd->base_perm != AVC_EXT_NLMSG \|\|
993	xpermd->driver != node->datum.u.xperms->driver)
994	return;
995	break;
996	default:
997	pr_warn_once(
998	"SELinux: unknown extended permission (%u) will be ignored\n",
999	node->datum.u.xperms->specified);
1000	return;
1001	}
1002
1003	specified = node->key.specified & ~(AVTAB_ENABLED \| AVTAB_ENABLED_OLD);
1004
1005	if (specified == AVTAB_XPERMS_ALLOWED) {
1006	xpermd->used \|= XPERMS_ALLOWED;
1007	update_xperms_extended_data(specified: node->datum.u.xperms->specified,
1008	from: &node->datum.u.xperms->perms,
1009	xp_data: xpermd->allowed);
1010	} else if (specified == AVTAB_XPERMS_AUDITALLOW) {
1011	xpermd->used \|= XPERMS_AUDITALLOW;
1012	update_xperms_extended_data(specified: node->datum.u.xperms->specified,
1013	from: &node->datum.u.xperms->perms,
1014	xp_data: xpermd->auditallow);
1015	} else if (specified == AVTAB_XPERMS_DONTAUDIT) {
1016	xpermd->used \|= XPERMS_DONTAUDIT;
1017	update_xperms_extended_data(specified: node->datum.u.xperms->specified,
1018	from: &node->datum.u.xperms->perms,
1019	xp_data: xpermd->dontaudit);
1020	} else {
1021	pr_warn_once("SELinux: unknown specified key (%u)\n",
1022	node->key.specified);
1023	}
1024	}
1025
1026	void security_compute_xperms_decision(u32 ssid,
1027	u32 tsid,
1028	u16 orig_tclass,
1029	u8 driver,
1030	u8 base_perm,
1031	struct extended_perms_decision *xpermd)
1032	{
1033	struct selinux_policy *policy;
1034	struct policydb *policydb;
1035	struct sidtab *sidtab;
1036	u16 tclass;
1037	struct context scontext, tcontext;
1038	struct avtab_key avkey;
1039	struct avtab_node *node;
1040	struct ebitmap sattr, tattr;
1041	struct ebitmap_node snode, tnode;
1042	unsigned int i, j;
1043
1044	xpermd->base_perm = base_perm;
1045	xpermd->driver = driver;
1046	xpermd->used = `0`;
1047	memset(s: xpermd->allowed->p, c: `0`, n: sizeof(xpermd->allowed->p));
1048	memset(s: xpermd->auditallow->p, c: `0`, n: sizeof(xpermd->auditallow->p));
1049	memset(s: xpermd->dontaudit->p, c: `0`, n: sizeof(xpermd->dontaudit->p));
1050
1051	rcu_read_lock();
1052	if (!selinux_initialized())
1053	goto allow;
1054
1055	policy = rcu_dereference(selinux_state.policy);
1056	policydb = &policy->policydb;
1057	sidtab = policy->sidtab;
1058
1059	scontext = sidtab_search(s: sidtab, sid: ssid);
1060	if (!scontext) {
1061	pr_err("SELinux: %s: unrecognized SID %d\n",
1062	__func__, ssid);
1063	goto out;
1064	}
1065
1066	tcontext = sidtab_search(s: sidtab, sid: tsid);
1067	if (!tcontext) {
1068	pr_err("SELinux: %s: unrecognized SID %d\n",
1069	__func__, tsid);
1070	goto out;
1071	}
1072
1073	tclass = unmap_class(map: &policy->map, tclass: orig_tclass);
1074	if (unlikely(orig_tclass && !tclass)) {
1075	if (policydb->allow_unknown)
1076	goto allow;
1077	goto out;
1078	}
1079
1080
1081	if (unlikely(!tclass \|\| tclass > policydb->p_classes.nprim)) {
1082	pr_warn_ratelimited("SELinux: Invalid class %hu\n", tclass);
1083	goto out;
1084	}
1085
1086	avkey.target_class = tclass;
1087	avkey.specified = AVTAB_XPERMS;
1088	sattr = &policydb->type_attr_map_array[scontext->type - `1`];
1089	tattr = &policydb->type_attr_map_array[tcontext->type - `1`];
1090	ebitmap_for_each_positive_bit(sattr, snode, i) {
1091	ebitmap_for_each_positive_bit(tattr, tnode, j) {
1092	avkey.source_type = i + `1`;
1093	avkey.target_type = j + `1`;
1094	for (node = avtab_search_node(h: &policydb->te_avtab,
1095	key: &avkey);
1096	node;
1097	node = avtab_search_node_next(node, specified: avkey.specified))
1098	services_compute_xperms_decision(xpermd, node);
1099
1100	cond_compute_xperms(ctab: &policydb->te_cond_avtab,
1101	key: &avkey, xpermd);
1102	}
1103	}
1104	out:
1105	rcu_read_unlock();
1106	return;
1107	allow:
1108	memset(s: xpermd->allowed->p, c: `0xff`, n: sizeof(xpermd->allowed->p));
1109	goto out;
1110	}
1111
1112	/**
1113	* security_compute_av - Compute access vector decisions.
1114	* @ssid: source security identifier
1115	* @tsid: target security identifier
1116	* @orig_tclass: target security class
1117	* @avd: access vector decisions
1118	* @xperms: extended permissions
1119	*
1120	* Compute a set of access vector decisions based on the
1121	* SID pair (@ssid, @tsid) for the permissions in @tclass.
1122	*/
1123	void security_compute_av(u32 ssid,
1124	u32 tsid,
1125	u16 orig_tclass,
1126	struct av_decision *avd,
1127	struct extended_perms *xperms)
1128	{
1129	struct selinux_policy *policy;
1130	struct policydb *policydb;
1131	struct sidtab *sidtab;
1132	u16 tclass;
1133	struct context scontext = NULL, tcontext = NULL;
1134
1135	rcu_read_lock();
1136	policy = rcu_dereference(selinux_state.policy);
1137	avd_init(policy, avd);
1138	xperms->len = `0`;
1139	if (!selinux_initialized())
1140	goto allow;
1141
1142	policydb = &policy->policydb;
1143	sidtab = policy->sidtab;
1144
1145	scontext = sidtab_search(s: sidtab, sid: ssid);
1146	if (!scontext) {
1147	pr_err("SELinux: %s: unrecognized SID %d\n",
1148	__func__, ssid);
1149	goto out;
1150	}
1151
1152	/ permissive domain? /
1153	if (ebitmap_get_bit(e: &policydb->permissive_map, bit: scontext->type))
1154	avd->flags \|= AVD_FLAGS_PERMISSIVE;
1155
1156	/ neveraudit domain? /
1157	if (ebitmap_get_bit(e: &policydb->neveraudit_map, bit: scontext->type))
1158	avd->flags \|= AVD_FLAGS_NEVERAUDIT;
1159
1160	/ both permissive and neveraudit => allow /
1161	if (avd->flags == (AVD_FLAGS_PERMISSIVE\|AVD_FLAGS_NEVERAUDIT))
1162	goto allow;
1163
1164	tcontext = sidtab_search(s: sidtab, sid: tsid);
1165	if (!tcontext) {
1166	pr_err("SELinux: %s: unrecognized SID %d\n",
1167	__func__, tsid);
1168	goto out;
1169	}
1170
1171	tclass = unmap_class(map: &policy->map, tclass: orig_tclass);
1172	if (unlikely(orig_tclass && !tclass)) {
1173	if (policydb->allow_unknown)
1174	goto allow;
1175	goto out;
1176	}
1177	context_struct_compute_av(policydb, scontext, tcontext, tclass, avd,
1178	xperms);
1179	map_decision(map: &policy->map, tclass: orig_tclass, avd,
1180	allow_unknown: policydb->allow_unknown);
1181	out:
1182	rcu_read_unlock();
1183	if (avd->flags & AVD_FLAGS_NEVERAUDIT)
1184	avd->auditallow = avd->auditdeny = `0`;
1185	return;
1186	allow:
1187	avd->allowed = `0xffffffff`;
1188	goto out;
1189	}
1190
1191	void security_compute_av_user(u32 ssid,
1192	u32 tsid,
1193	u16 tclass,
1194	struct av_decision *avd)
1195	{
1196	struct selinux_policy *policy;
1197	struct policydb *policydb;
1198	struct sidtab *sidtab;
1199	struct context scontext = NULL, tcontext = NULL;
1200
1201	rcu_read_lock();
1202	policy = rcu_dereference(selinux_state.policy);
1203	avd_init(policy, avd);
1204	if (!selinux_initialized())
1205	goto allow;
1206
1207	policydb = &policy->policydb;
1208	sidtab = policy->sidtab;
1209
1210	scontext = sidtab_search(s: sidtab, sid: ssid);
1211	if (!scontext) {
1212	pr_err("SELinux: %s: unrecognized SID %d\n",
1213	__func__, ssid);
1214	goto out;
1215	}
1216
1217	/ permissive domain? /
1218	if (ebitmap_get_bit(e: &policydb->permissive_map, bit: scontext->type))
1219	avd->flags \|= AVD_FLAGS_PERMISSIVE;
1220
1221	/ neveraudit domain? /
1222	if (ebitmap_get_bit(e: &policydb->neveraudit_map, bit: scontext->type))
1223	avd->flags \|= AVD_FLAGS_NEVERAUDIT;
1224
1225	/ both permissive and neveraudit => allow /
1226	if (avd->flags == (AVD_FLAGS_PERMISSIVE\|AVD_FLAGS_NEVERAUDIT))
1227	goto allow;
1228
1229	tcontext = sidtab_search(s: sidtab, sid: tsid);
1230	if (!tcontext) {
1231	pr_err("SELinux: %s: unrecognized SID %d\n",
1232	__func__, tsid);
1233	goto out;
1234	}
1235
1236	if (unlikely(!tclass)) {
1237	if (policydb->allow_unknown)
1238	goto allow;
1239	goto out;
1240	}
1241
1242	context_struct_compute_av(policydb, scontext, tcontext, tclass, avd,
1243	NULL);
1244	out:
1245	rcu_read_unlock();
1246	if (avd->flags & AVD_FLAGS_NEVERAUDIT)
1247	avd->auditallow = avd->auditdeny = `0`;
1248	return;
1249	allow:
1250	avd->allowed = `0xffffffff`;
1251	goto out;
1252	}
1253
1254	/*
1255	* Write the security context string representation of
1256	* the context structure `context' into a dynamically
1257	* allocated string of the correct size. Set `*scontext'
1258	* to point to this string and set `*scontext_len' to
1259	* the length of the string.
1260	*/
1261	static int context_struct_to_string(struct policydb *p,
1262	struct context *context,
1263	char *scontext, u32 scontext_len)
1264	{
1265	char *scontextp;
1266
1267	if (scontext)
1268	*scontext = NULL;
1269	*scontext_len = `0`;
1270
1271	if (context->len) {
1272	*scontext_len = context->len;
1273	if (scontext) {
1274	*scontext = kstrdup(s: context->str, GFP_ATOMIC);
1275	if (!(*scontext))
1276	return -ENOMEM;
1277	}
1278	return `0`;
1279	}
1280
1281	/ Compute the size of the context. /
1282	*scontext_len += strlen(sym_name(p, SYM_USERS, element_nr: context->user - `1`)) + `1`;
1283	*scontext_len += strlen(sym_name(p, SYM_ROLES, element_nr: context->role - `1`)) + `1`;
1284	*scontext_len += strlen(sym_name(p, SYM_TYPES, element_nr: context->type - `1`)) + `1`;
1285	*scontext_len += mls_compute_context_len(p, context);
1286
1287	if (!scontext)
1288	return `0`;
1289
1290	/ Allocate space for the context; caller must free this space. /
1291	scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
1292	if (!scontextp)
1293	return -ENOMEM;
1294	*scontext = scontextp;
1295
1296	/*
1297	* Copy the user name, role name and type name into the context.
1298	*/
1299	scontextp += sprintf(buf: scontextp, fmt: "%s:%s:%s",
1300	sym_name(p, SYM_USERS, element_nr: context->user - `1`),
1301	sym_name(p, SYM_ROLES, element_nr: context->role - `1`),
1302	sym_name(p, SYM_TYPES, element_nr: context->type - `1`));
1303
1304	mls_sid_to_context(p, context, scontext: &scontextp);
1305
1306	*scontextp = `0`;
1307
1308	return `0`;
1309	}
1310
1311	static int sidtab_entry_to_string(struct policydb *p,
1312	struct sidtab *sidtab,
1313	struct sidtab_entry *entry,
1314	char *scontext, u32 scontext_len)
1315	{
1316	int rc = sidtab_sid2str_get(s: sidtab, entry, out: scontext, out_len: scontext_len);
1317
1318	if (rc != -ENOENT)
1319	return rc;
1320
1321	rc = context_struct_to_string(p, context: &entry->context, scontext,
1322	scontext_len);
1323	if (!rc && scontext)
1324	sidtab_sid2str_put(s: sidtab, entry, str: scontext, str_len: scontext_len);
1325	return rc;
1326	}
1327
1328	#include "initial_sid_to_string.h"
1329
1330	int security_sidtab_hash_stats(char *page)
1331	{
1332	struct selinux_policy *policy;
1333	int rc;
1334
1335	if (!selinux_initialized()) {
1336	pr_err("SELinux: %s: called before initial load_policy\n",
1337	__func__);
1338	return -EINVAL;
1339	}
1340
1341	rcu_read_lock();
1342	policy = rcu_dereference(selinux_state.policy);
1343	rc = sidtab_hash_stats(sidtab: policy->sidtab, page);
1344	rcu_read_unlock();
1345
1346	return rc;
1347	}
1348
1349	const char *security_get_initial_sid_context(u32 sid)
1350	{
1351	if (unlikely(sid > SECINITSID_NUM))
1352	return NULL;
1353	return initial_sid_to_string[sid];
1354	}
1355
1356	static int security_sid_to_context_core(u32 sid, char **scontext,
1357	u32 scontext_len, int* force,
1358	int only_invalid)
1359	{
1360	struct selinux_policy *policy;
1361	struct policydb *policydb;
1362	struct sidtab *sidtab;
1363	struct sidtab_entry *entry;
1364	int rc = `0`;
1365
1366	if (scontext)
1367	*scontext = NULL;
1368	*scontext_len = `0`;
1369
1370	if (!selinux_initialized()) {
1371	if (sid <= SECINITSID_NUM) {
1372	char *scontextp;
1373	const char *s;
1374
1375	/*
1376	* Before the policy is loaded, translate
1377	* SECINITSID_INIT to "kernel", because systemd and
1378	* libselinux < 2.6 take a getcon_raw() result that is
1379	* both non-null and not "kernel" to mean that a policy
1380	* is already loaded.
1381	*/
1382	if (sid == SECINITSID_INIT)
1383	sid = SECINITSID_KERNEL;
1384
1385	s = initial_sid_to_string[sid];
1386	if (!s)
1387	return -EINVAL;
1388	*scontext_len = strlen(s) + `1`;
1389	if (!scontext)
1390	return `0`;
1391	scontextp = kmemdup(s, *scontext_len, GFP_ATOMIC);
1392	if (!scontextp)
1393	return -ENOMEM;
1394	*scontext = scontextp;
1395	return `0`;
1396	}
1397	pr_err("SELinux: %s: called before initial "
1398	"load_policy on unknown SID %d\n", __func__, sid);
1399	return -EINVAL;
1400	}
1401	rcu_read_lock();
1402	policy = rcu_dereference(selinux_state.policy);
1403	policydb = &policy->policydb;
1404	sidtab = policy->sidtab;
1405
1406	if (force)
1407	entry = sidtab_search_entry_force(s: sidtab, sid);
1408	else
1409	entry = sidtab_search_entry(s: sidtab, sid);
1410	if (!entry) {
1411	pr_err("SELinux: %s: unrecognized SID %d\n",
1412	__func__, sid);
1413	rc = -EINVAL;
1414	goto out_unlock;
1415	}
1416	if (only_invalid && !entry->context.len)
1417	goto out_unlock;
1418
1419	rc = sidtab_entry_to_string(p: policydb, sidtab, entry, scontext,
1420	scontext_len);
1421
1422	out_unlock:
1423	rcu_read_unlock();
1424	return rc;
1425
1426	}
1427
1428	/**
1429	* security_sid_to_context - Obtain a context for a given SID.
1430	* @sid: security identifier, SID
1431	* @scontext: security context
1432	* @scontext_len: length in bytes
1433	*
1434	* Write the string representation of the context associated with @sid
1435	* into a dynamically allocated string of the correct size. Set @scontext
1436	* to point to this string and set @scontext_len to the length of the string.
1437	*/
1438	int security_sid_to_context(u32 sid, char *scontext, u32 scontext_len)
1439	{
1440	return security_sid_to_context_core(sid, scontext,
1441	scontext_len, force: `0`, only_invalid: `0`);
1442	}
1443
1444	int security_sid_to_context_force(u32 sid,
1445	char *scontext, u32 scontext_len)
1446	{
1447	return security_sid_to_context_core(sid, scontext,
1448	scontext_len, force: `1`, only_invalid: `0`);
1449	}
1450
1451	/**
1452	* security_sid_to_context_inval - Obtain a context for a given SID if it
1453	* is invalid.
1454	* @sid: security identifier, SID
1455	* @scontext: security context
1456	* @scontext_len: length in bytes
1457	*
1458	* Write the string representation of the context associated with @sid
1459	* into a dynamically allocated string of the correct size, but only if the
1460	* context is invalid in the current policy. Set @scontext to point to
1461	* this string (or NULL if the context is valid) and set @scontext_len to
1462	* the length of the string (or 0 if the context is valid).
1463	*/
1464	int security_sid_to_context_inval(u32 sid,
1465	char *scontext, u32 scontext_len)
1466	{
1467	return security_sid_to_context_core(sid, scontext,
1468	scontext_len, force: `1`, only_invalid: `1`);
1469	}
1470
1471	/*
1472	* Caveat: Mutates scontext.
1473	*/
1474	static int string_to_context_struct(struct policydb *pol,
1475	struct sidtab *sidtabp,
1476	char *scontext,
1477	struct context *ctx,
1478	u32 def_sid)
1479	{
1480	struct role_datum *role;
1481	struct type_datum *typdatum;
1482	struct user_datum *usrdatum;
1483	char scontextp, p, oldc;
1484	int rc = `0`;
1485
1486	context_init(c: ctx);
1487
1488	/ Parse the security context. /
1489
1490	rc = -EINVAL;
1491	scontextp = scontext;
1492
1493	/ Extract the user. /
1494	p = scontextp;
1495	while (p && p != `':'`)
1496	p++;
1497
1498	if (*p == `0`)
1499	goto out;
1500
1501	*p++ = `0`;
1502
1503	usrdatum = symtab_search(s: &pol->p_users, name: scontextp);
1504	if (!usrdatum)
1505	goto out;
1506
1507	ctx->user = usrdatum->value;
1508
1509	/ Extract role. /
1510	scontextp = p;
1511	while (p && p != `':'`)
1512	p++;
1513
1514	if (*p == `0`)
1515	goto out;
1516
1517	*p++ = `0`;
1518
1519	role = symtab_search(s: &pol->p_roles, name: scontextp);
1520	if (!role)
1521	goto out;
1522	ctx->role = role->value;
1523
1524	/ Extract type. /
1525	scontextp = p;
1526	while (p && p != `':'`)
1527	p++;
1528	oldc = *p;
1529	*p++ = `0`;
1530
1531	typdatum = symtab_search(s: &pol->p_types, name: scontextp);
1532	if (!typdatum \|\| typdatum->attribute)
1533	goto out;
1534
1535	ctx->type = typdatum->value;
1536
1537	rc = mls_context_to_sid(p: pol, oldc, scontext: p, context: ctx, s: sidtabp, def_sid);
1538	if (rc)
1539	goto out;
1540
1541	/ Check the validity of the new context. /
1542	rc = -EINVAL;
1543	if (!policydb_context_isvalid(p: pol, c: ctx))
1544	goto out;
1545	rc = `0`;
1546	out:
1547	if (rc)
1548	context_destroy(c: ctx);
1549	return rc;
1550	}
1551
1552	static int security_context_to_sid_core(const char *scontext, u32 scontext_len,
1553	u32 *sid, u32 def_sid, gfp_t gfp_flags,
1554	int force)
1555	{
1556	struct selinux_policy *policy;
1557	struct policydb *policydb;
1558	struct sidtab *sidtab;
1559	char scontext2, str = NULL;
1560	struct context context;
1561	int rc = `0`;
1562
1563	/ An empty security context is never valid. /
1564	if (!scontext_len)
1565	return -EINVAL;
1566
1567	/ Copy the string to allow changes and ensure a NUL terminator /
1568	scontext2 = kmemdup_nul(s: scontext, len: scontext_len, gfp: gfp_flags);
1569	if (!scontext2)
1570	return -ENOMEM;
1571
1572	if (!selinux_initialized()) {
1573	u32 i;
1574
1575	for (i = `1`; i < SECINITSID_NUM; i++) {
1576	const char *s = initial_sid_to_string[i];
1577
1578	if (s && !strcmp(s, scontext2)) {
1579	*sid = i;
1580	goto out;
1581	}
1582	}
1583	*sid = SECINITSID_KERNEL;
1584	goto out;
1585	}
1586	*sid = SECSID_NULL;
1587
1588	if (force) {
1589	/ Save another copy for storing in uninterpreted form /
1590	rc = -ENOMEM;
1591	str = kstrdup(s: scontext2, gfp: gfp_flags);
1592	if (!str)
1593	goto out;
1594	}
1595	retry:
1596	rcu_read_lock();
1597	policy = rcu_dereference(selinux_state.policy);
1598	policydb = &policy->policydb;
1599	sidtab = policy->sidtab;
1600	rc = string_to_context_struct(pol: policydb, sidtabp: sidtab, scontext: scontext2,
1601	ctx: &context, def_sid);
1602	if (rc == -EINVAL && force) {
1603	context.str = str;
1604	context.len = strlen(str) + `1`;
1605	str = NULL;
1606	} else if (rc)
1607	goto out_unlock;
1608	rc = sidtab_context_to_sid(s: sidtab, context: &context, sid);
1609	if (rc == -ESTALE) {
1610	rcu_read_unlock();
1611	if (context.str) {
1612	str = context.str;
1613	context.str = NULL;
1614	}
1615	context_destroy(c: &context);
1616	goto retry;
1617	}
1618	context_destroy(c: &context);
1619	out_unlock:
1620	rcu_read_unlock();
1621	out:
1622	kfree(objp: scontext2);
1623	kfree(objp: str);
1624	return rc;
1625	}
1626
1627	/**
1628	* security_context_to_sid - Obtain a SID for a given security context.
1629	* @scontext: security context
1630	* @scontext_len: length in bytes
1631	* @sid: security identifier, SID
1632	* @gfp: context for the allocation
1633	*
1634	* Obtains a SID associated with the security context that
1635	* has the string representation specified by @scontext.
1636	* Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
1637	* memory is available, or 0 on success.
1638	*/
1639	int security_context_to_sid(const char scontext, u32 scontext_len, u32 sid,
1640	gfp_t gfp)
1641	{
1642	return security_context_to_sid_core(scontext, scontext_len,
1643	sid, SECSID_NULL, gfp_flags: gfp, force: `0`);
1644	}
1645
1646	int security_context_str_to_sid(const char scontext, u32 sid, gfp_t gfp)
1647	{
1648	return security_context_to_sid(scontext, scontext_len: strlen(scontext),
1649	sid, gfp);
1650	}
1651
1652	/**
1653	* security_context_to_sid_default - Obtain a SID for a given security context,
1654	* falling back to specified default if needed.
1655	*
1656	* @scontext: security context
1657	* @scontext_len: length in bytes
1658	* @sid: security identifier, SID
1659	* @def_sid: default SID to assign on error
1660	* @gfp_flags: the allocator get-free-page (GFP) flags
1661	*
1662	* Obtains a SID associated with the security context that
1663	* has the string representation specified by @scontext.
1664	* The default SID is passed to the MLS layer to be used to allow
1665	* kernel labeling of the MLS field if the MLS field is not present
1666	* (for upgrading to MLS without full relabel).
1667	* Implicitly forces adding of the context even if it cannot be mapped yet.
1668	* Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
1669	* memory is available, or 0 on success.
1670	*/
1671	int security_context_to_sid_default(const char *scontext, u32 scontext_len,
1672	u32 *sid, u32 def_sid, gfp_t gfp_flags)
1673	{
1674	return security_context_to_sid_core(scontext, scontext_len,
1675	sid, def_sid, gfp_flags, force: `1`);
1676	}
1677
1678	int security_context_to_sid_force(const char *scontext, u32 scontext_len,
1679	u32 *sid)
1680	{
1681	return security_context_to_sid_core(scontext, scontext_len,
1682	sid, SECSID_NULL, GFP_KERNEL, force: `1`);
1683	}
1684
1685	static int compute_sid_handle_invalid_context(
1686	struct selinux_policy *policy,
1687	struct sidtab_entry *sentry,
1688	struct sidtab_entry *tentry,
1689	u16 tclass,
1690	struct context *newcontext)
1691	{
1692	struct policydb *policydb = &policy->policydb;
1693	struct sidtab *sidtab = policy->sidtab;
1694	char s = NULL, t = NULL, *n = NULL;
1695	u32 slen, tlen, nlen;
1696	struct audit_buffer *ab;
1697
1698	if (sidtab_entry_to_string(p: policydb, sidtab, entry: sentry, scontext: &s, scontext_len: &slen))
1699	goto out;
1700	if (sidtab_entry_to_string(p: policydb, sidtab, entry: tentry, scontext: &t, scontext_len: &tlen))
1701	goto out;
1702	if (context_struct_to_string(p: policydb, context: newcontext, scontext: &n, scontext_len: &nlen))
1703	goto out;
1704	ab = audit_log_start(ctx: audit_context(), GFP_ATOMIC, AUDIT_SELINUX_ERR);
1705	if (!ab)
1706	goto out;
1707	audit_log_format(ab,
1708	fmt: "op=security_compute_sid invalid_context=");
1709	/ no need to record the NUL with untrusted strings /
1710	audit_log_n_untrustedstring(ab, string: n, n: nlen - `1`);
1711	audit_log_format(ab, fmt: " scontext=%s tcontext=%s tclass=%s",
1712	s, t, sym_name(p: policydb, SYM_CLASSES, element_nr: tclass-`1`));
1713	audit_log_end(ab);
1714	out:
1715	kfree(objp: s);
1716	kfree(objp: t);
1717	kfree(objp: n);
1718	if (!enforcing_enabled())
1719	return `0`;
1720	return -EACCES;
1721	}
1722
1723	static void filename_compute_type(struct policydb *policydb,
1724	struct context *newcontext,
1725	u32 stype, u32 ttype, u16 tclass,
1726	const char *objname)
1727	{
1728	struct filename_trans_key ft;
1729	struct filename_trans_datum *datum;
1730
1731	/*
1732	* Most filename trans rules are going to live in specific directories
1733	* like /dev or /var/run. This bitmap will quickly skip rule searches
1734	* if the ttype does not contain any rules.
1735	*/
1736	if (!ebitmap_get_bit(e: &policydb->filename_trans_ttypes, bit: ttype))
1737	return;
1738
1739	ft.ttype = ttype;
1740	ft.tclass = tclass;
1741	ft.name = objname;
1742
1743	datum = policydb_filenametr_search(p: policydb, key: &ft);
1744	while (datum) {
1745	if (ebitmap_get_bit(e: &datum->stypes, bit: stype - `1`)) {
1746	newcontext->type = datum->otype;
1747	return;
1748	}
1749	datum = datum->next;
1750	}
1751	}
1752
1753	static int security_compute_sid(u32 ssid,
1754	u32 tsid,
1755	u16 orig_tclass,
1756	u16 specified,
1757	const char *objname,
1758	u32 *out_sid,
1759	bool kern)
1760	{
1761	struct selinux_policy *policy;
1762	struct policydb *policydb;
1763	struct sidtab *sidtab;
1764	struct class_datum *cladatum;
1765	struct context scontext, tcontext, newcontext;
1766	struct sidtab_entry sentry, tentry;
1767	struct avtab_key avkey;
1768	struct avtab_node avnode, node;
1769	u16 tclass;
1770	int rc = `0`;
1771	bool sock;
1772
1773	if (!selinux_initialized()) {
1774	switch (orig_tclass) {
1775	case SECCLASS_PROCESS: / kernel value /
1776	*out_sid = ssid;
1777	break;
1778	default:
1779	*out_sid = tsid;
1780	break;
1781	}
1782	goto out;
1783	}
1784
1785	retry:
1786	cladatum = NULL;
1787	context_init(c: &newcontext);
1788
1789	rcu_read_lock();
1790
1791	policy = rcu_dereference(selinux_state.policy);
1792
1793	if (kern) {
1794	tclass = unmap_class(map: &policy->map, tclass: orig_tclass);
1795	sock = security_is_socket_class(kern_tclass: orig_tclass);
1796	} else {
1797	tclass = orig_tclass;
1798	sock = security_is_socket_class(kern_tclass: map_class(map: &policy->map,
1799	pol_value: tclass));
1800	}
1801
1802	policydb = &policy->policydb;
1803	sidtab = policy->sidtab;
1804
1805	sentry = sidtab_search_entry(s: sidtab, sid: ssid);
1806	if (!sentry) {
1807	pr_err("SELinux: %s: unrecognized SID %d\n",
1808	__func__, ssid);
1809	rc = -EINVAL;
1810	goto out_unlock;
1811	}
1812	tentry = sidtab_search_entry(s: sidtab, sid: tsid);
1813	if (!tentry) {
1814	pr_err("SELinux: %s: unrecognized SID %d\n",
1815	__func__, tsid);
1816	rc = -EINVAL;
1817	goto out_unlock;
1818	}
1819
1820	scontext = &sentry->context;
1821	tcontext = &tentry->context;
1822
1823	if (tclass && tclass <= policydb->p_classes.nprim)
1824	cladatum = policydb->class_val_to_struct[tclass - `1`];
1825
1826	/ Set the user identity. /
1827	switch (specified) {
1828	case AVTAB_TRANSITION:
1829	case AVTAB_CHANGE:
1830	if (cladatum && cladatum->default_user == DEFAULT_TARGET) {
1831	newcontext.user = tcontext->user;
1832	} else {
1833	/ notice this gets both DEFAULT_SOURCE and unset /
1834	/ Use the process user identity. /
1835	newcontext.user = scontext->user;
1836	}
1837	break;
1838	case AVTAB_MEMBER:
1839	/ Use the related object owner. /
1840	newcontext.user = tcontext->user;
1841	break;
1842	}
1843
1844	/ Set the role to default values. /
1845	if (cladatum && cladatum->default_role == DEFAULT_SOURCE) {
1846	newcontext.role = scontext->role;
1847	} else if (cladatum && cladatum->default_role == DEFAULT_TARGET) {
1848	newcontext.role = tcontext->role;
1849	} else {
1850	if ((tclass == policydb->process_class) \|\| sock)
1851	newcontext.role = scontext->role;
1852	else
1853	newcontext.role = OBJECT_R_VAL;
1854	}
1855
1856	/ Set the type.*
1857	* Look for a type transition/member/change rule.
1858	*/
1859	avkey.source_type = scontext->type;
1860	avkey.target_type = tcontext->type;
1861	avkey.target_class = tclass;
1862	avkey.specified = specified;
1863	avnode = avtab_search_node(h: &policydb->te_avtab, key: &avkey);
1864
1865	/ If no permanent rule, also check for enabled conditional rules /
1866	if (!avnode) {
1867	node = avtab_search_node(h: &policydb->te_cond_avtab, key: &avkey);
1868	for (; node; node = avtab_search_node_next(node, specified)) {
1869	if (node->key.specified & AVTAB_ENABLED) {
1870	avnode = node;
1871	break;
1872	}
1873	}
1874	}
1875
1876	/ If a permanent rule is found, use the type from*
1877	* the type transition/member/change rule. Otherwise,
1878	* set the type to its default values.
1879	*/
1880	if (avnode) {
1881	newcontext.type = avnode->datum.u.data;
1882	} else if (cladatum && cladatum->default_type == DEFAULT_SOURCE) {
1883	newcontext.type = scontext->type;
1884	} else if (cladatum && cladatum->default_type == DEFAULT_TARGET) {
1885	newcontext.type = tcontext->type;
1886	} else {
1887	if ((tclass == policydb->process_class) \|\| sock) {
1888	/ Use the type of process. /
1889	newcontext.type = scontext->type;
1890	} else {
1891	/ Use the type of the related object. /
1892	newcontext.type = tcontext->type;
1893	}
1894	}
1895
1896	/ if we have a objname this is a file trans check so check those rules /
1897	if (objname)
1898	filename_compute_type(policydb, newcontext: &newcontext, stype: scontext->type,
1899	ttype: tcontext->type, tclass, objname);
1900
1901	/ Check for class-specific changes. /
1902	if (specified & AVTAB_TRANSITION) {
1903	/ Look for a role transition rule. /
1904	struct role_trans_datum *rtd;
1905	struct role_trans_key rtk = {
1906	.role = scontext->role,
1907	.type = tcontext->type,
1908	.tclass = tclass,
1909	};
1910
1911	rtd = policydb_roletr_search(p: policydb, key: &rtk);
1912	if (rtd)
1913	newcontext.role = rtd->new_role;
1914	}
1915
1916	/ Set the MLS attributes.*
1917	This is done last because it may allocate memory. /*
1918	rc = mls_compute_sid(p: policydb, scontext, tcontext, tclass, specified,
1919	newcontext: &newcontext, sock);
1920	if (rc)
1921	goto out_unlock;
1922
1923	/ Check the validity of the context. /
1924	if (!policydb_context_isvalid(p: policydb, c: &newcontext)) {
1925	rc = compute_sid_handle_invalid_context(policy, sentry,
1926	tentry, tclass,
1927	newcontext: &newcontext);
1928	if (rc)
1929	goto out_unlock;
1930	}
1931	/ Obtain the sid for the context. /
1932	if (context_equal(c1: scontext, c2: &newcontext))
1933	*out_sid = ssid;
1934	else if (context_equal(c1: tcontext, c2: &newcontext))
1935	*out_sid = tsid;
1936	else {
1937	rc = sidtab_context_to_sid(s: sidtab, context: &newcontext, sid: out_sid);
1938	if (rc == -ESTALE) {
1939	rcu_read_unlock();
1940	context_destroy(c: &newcontext);
1941	goto retry;
1942	}
1943	}
1944	out_unlock:
1945	rcu_read_unlock();
1946	context_destroy(c: &newcontext);
1947	out:
1948	return rc;
1949	}
1950
1951	/**
1952	* security_transition_sid - Compute the SID for a new subject/object.
1953	* @ssid: source security identifier
1954	* @tsid: target security identifier
1955	* @tclass: target security class
1956	* @qstr: object name
1957	* @out_sid: security identifier for new subject/object
1958	*
1959	* Compute a SID to use for labeling a new subject or object in the
1960	* class @tclass based on a SID pair (@ssid, @tsid).
1961	* Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
1962	* if insufficient memory is available, or %0 if the new SID was
1963	* computed successfully.
1964	*/
1965	int security_transition_sid(u32 ssid, u32 tsid, u16 tclass,
1966	const struct qstr qstr, u32 out_sid)
1967	{
1968	return security_compute_sid(ssid, tsid, orig_tclass: tclass,
1969	AVTAB_TRANSITION,
1970	objname: qstr ? qstr->name : NULL, out_sid, kern: true);
1971	}
1972
1973	int security_transition_sid_user(u32 ssid, u32 tsid, u16 tclass,
1974	const char objname, u32 out_sid)
1975	{
1976	return security_compute_sid(ssid, tsid, orig_tclass: tclass,
1977	AVTAB_TRANSITION,
1978	objname, out_sid, kern: false);
1979	}
1980
1981	/**
1982	* security_member_sid - Compute the SID for member selection.
1983	* @ssid: source security identifier
1984	* @tsid: target security identifier
1985	* @tclass: target security class
1986	* @out_sid: security identifier for selected member
1987	*
1988	* Compute a SID to use when selecting a member of a polyinstantiated
1989	* object of class @tclass based on a SID pair (@ssid, @tsid).
1990	* Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
1991	* if insufficient memory is available, or %0 if the SID was
1992	* computed successfully.
1993	*/
1994	int security_member_sid(u32 ssid,
1995	u32 tsid,
1996	u16 tclass,
1997	u32 *out_sid)
1998	{
1999	return security_compute_sid(ssid, tsid, orig_tclass: tclass,
2000	AVTAB_MEMBER, NULL,
2001	out_sid, kern: false);
2002	}
2003
2004	/**
2005	* security_change_sid - Compute the SID for object relabeling.
2006	* @ssid: source security identifier
2007	* @tsid: target security identifier
2008	* @tclass: target security class
2009	* @out_sid: security identifier for selected member
2010	*
2011	* Compute a SID to use for relabeling an object of class @tclass
2012	* based on a SID pair (@ssid, @tsid).
2013	* Return -%EINVAL if any of the parameters are invalid, -%ENOMEM
2014	* if insufficient memory is available, or %0 if the SID was
2015	* computed successfully.
2016	*/
2017	int security_change_sid(u32 ssid,
2018	u32 tsid,
2019	u16 tclass,
2020	u32 *out_sid)
2021	{
2022	return security_compute_sid(ssid, tsid, orig_tclass: tclass, AVTAB_CHANGE, NULL,
2023	out_sid, kern: false);
2024	}
2025
2026	static inline int convert_context_handle_invalid_context(
2027	struct policydb *policydb,
2028	struct context *context)
2029	{
2030	char *s;
2031	u32 len;
2032
2033	if (enforcing_enabled())
2034	return -EINVAL;
2035
2036	if (!context_struct_to_string(p: policydb, context, scontext: &s, scontext_len: &len)) {
2037	pr_warn("SELinux: Context %s would be invalid if enforcing\n",
2038	s);
2039	kfree(objp: s);
2040	}
2041	return `0`;
2042	}
2043
2044	/**
2045	* services_convert_context - Convert a security context across policies.
2046	* @args: populated convert_context_args struct
2047	* @oldc: original context
2048	* @newc: converted context
2049	* @gfp_flags: allocation flags
2050	*
2051	* Convert the values in the security context structure @oldc from the values
2052	* specified in the policy @args->oldp to the values specified in the policy
2053	* @args->newp, storing the new context in @newc, and verifying that the
2054	* context is valid under the new policy.
2055	*/
2056	int services_convert_context(struct convert_context_args *args,
2057	struct context oldc, struct* context *newc,
2058	gfp_t gfp_flags)
2059	{
2060	struct ocontext *oc;
2061	struct role_datum *role;
2062	struct type_datum *typdatum;
2063	struct user_datum *usrdatum;
2064	char *s;
2065	u32 len;
2066	int rc;
2067
2068	if (oldc->str) {
2069	s = kstrdup(s: oldc->str, gfp: gfp_flags);
2070	if (!s)
2071	return -ENOMEM;
2072
2073	rc = string_to_context_struct(pol: args->newp, NULL, scontext: s, ctx: newc, SECSID_NULL);
2074	if (rc == -EINVAL) {
2075	/*
2076	* Retain string representation for later mapping.
2077	*
2078	* IMPORTANT: We need to copy the contents of oldc->str
2079	* back into s again because string_to_context_struct()
2080	* may have garbled it.
2081	*/
2082	memcpy(to: s, from: oldc->str, len: oldc->len);
2083	context_init(c: newc);
2084	newc->str = s;
2085	newc->len = oldc->len;
2086	return `0`;
2087	}
2088	kfree(objp: s);
2089	if (rc) {
2090	/ Other error condition, e.g. ENOMEM. /
2091	pr_err("SELinux: Unable to map context %s, rc = %d.\n",
2092	oldc->str, -rc);
2093	return rc;
2094	}
2095	pr_info("SELinux: Context %s became valid (mapped).\n",
2096	oldc->str);
2097	return `0`;
2098	}
2099
2100	context_init(c: newc);
2101
2102	/ Convert the user. /
2103	usrdatum = symtab_search(s: &args->newp->p_users,
2104	name: sym_name(p: args->oldp, SYM_USERS, element_nr: oldc->user - `1`));
2105	if (!usrdatum)
2106	goto bad;
2107	newc->user = usrdatum->value;
2108
2109	/ Convert the role. /
2110	role = symtab_search(s: &args->newp->p_roles,
2111	name: sym_name(p: args->oldp, SYM_ROLES, element_nr: oldc->role - `1`));
2112	if (!role)
2113	goto bad;
2114	newc->role = role->value;
2115
2116	/ Convert the type. /
2117	typdatum = symtab_search(s: &args->newp->p_types,
2118	name: sym_name(p: args->oldp, SYM_TYPES, element_nr: oldc->type - `1`));
2119	if (!typdatum)
2120	goto bad;
2121	newc->type = typdatum->value;
2122
2123	/ Convert the MLS fields if dealing with MLS policies /
2124	if (args->oldp->mls_enabled && args->newp->mls_enabled) {
2125	rc = mls_convert_context(oldp: args->oldp, newp: args->newp, oldc, newc);
2126	if (rc)
2127	goto bad;
2128	} else if (!args->oldp->mls_enabled && args->newp->mls_enabled) {
2129	/*
2130	* Switching between non-MLS and MLS policy:
2131	* ensure that the MLS fields of the context for all
2132	* existing entries in the sidtab are filled in with a
2133	* suitable default value, likely taken from one of the
2134	* initial SIDs.
2135	*/
2136	oc = args->newp->ocontexts[OCON_ISID];
2137	while (oc && oc->sid[`0`] != SECINITSID_UNLABELED)
2138	oc = oc->next;
2139	if (!oc) {
2140	pr_err("SELinux: unable to look up"
2141	" the initial SIDs list\n");
2142	goto bad;
2143	}
2144	rc = mls_range_set(context: newc, range: &oc->context[`0`].range);
2145	if (rc)
2146	goto bad;
2147	}
2148
2149	/ Check the validity of the new context. /
2150	if (!policydb_context_isvalid(p: args->newp, c: newc)) {
2151	rc = convert_context_handle_invalid_context(policydb: args->oldp, context: oldc);
2152	if (rc)
2153	goto bad;
2154	}
2155
2156	return `0`;
2157	bad:
2158	/ Map old representation to string and save it. /
2159	rc = context_struct_to_string(p: args->oldp, context: oldc, scontext: &s, scontext_len: &len);
2160	if (rc)
2161	return rc;
2162	context_destroy(c: newc);
2163	newc->str = s;
2164	newc->len = len;
2165	pr_info("SELinux: Context %s became invalid (unmapped).\n",
2166	newc->str);
2167	return `0`;
2168	}
2169
2170	static void security_load_policycaps(struct selinux_policy *policy)
2171	{
2172	struct policydb *p;
2173	unsigned int i;
2174	struct ebitmap_node *node;
2175
2176	p = &policy->policydb;
2177
2178	for (i = `0`; i < ARRAY_SIZE(selinux_state.policycap); i++)
2179	WRITE_ONCE(selinux_state.policycap[i],
2180	ebitmap_get_bit(&p->policycaps, i));
2181
2182	for (i = `0`; i < ARRAY_SIZE(selinux_policycap_names); i++)
2183	pr_info("SELinux: policy capability %s=%d\n",
2184	selinux_policycap_names[i],
2185	ebitmap_get_bit(&p->policycaps, i));
2186
2187	ebitmap_for_each_positive_bit(&p->policycaps, node, i) {
2188	if (i >= ARRAY_SIZE(selinux_policycap_names))
2189	pr_info("SELinux: unknown policy capability %u\n",
2190	i);
2191	}
2192	}
2193
2194	static int security_preserve_bools(struct selinux_policy *oldpolicy,
2195	struct selinux_policy *newpolicy);
2196
2197	static void selinux_policy_free(struct selinux_policy *policy)
2198	{
2199	if (!policy)
2200	return;
2201
2202	sidtab_destroy(s: policy->sidtab);
2203	kfree(objp: policy->map.mapping);
2204	policydb_destroy(p: &policy->policydb);
2205	kfree(objp: policy->sidtab);
2206	kfree(objp: policy);
2207	}
2208
2209	static void selinux_policy_cond_free(struct selinux_policy *policy)
2210	{
2211	cond_policydb_destroy_dup(p: &policy->policydb);
2212	kfree(objp: policy);
2213	}
2214
2215	void selinux_policy_cancel(struct selinux_load_state *load_state)
2216	{
2217	struct selinux_state *state = &selinux_state;
2218	struct selinux_policy *oldpolicy;
2219
2220	oldpolicy = rcu_dereference_protected(state->policy,
2221	lockdep_is_held(&state->policy_mutex));
2222
2223	sidtab_cancel_convert(s: oldpolicy->sidtab);
2224	selinux_policy_free(policy: load_state->policy);
2225	kfree(objp: load_state->convert_data);
2226	}
2227
2228	static void selinux_notify_policy_change(u32 seqno)
2229	{
2230	/ Flush external caches and notify userspace of policy load /
2231	avc_ss_reset(seqno);
2232	selnl_notify_policyload(seqno);
2233	selinux_status_update_policyload(seqno);
2234	selinux_netlbl_cache_invalidate();
2235	selinux_xfrm_notify_policyload();
2236	selinux_ima_measure_state_locked();
2237	}
2238
2239	void selinux_policy_commit(struct selinux_load_state *load_state)
2240	{
2241	struct selinux_state *state = &selinux_state;
2242	struct selinux_policy oldpolicy, newpolicy = load_state->policy;
2243	unsigned long flags;
2244	u32 seqno;
2245
2246	oldpolicy = rcu_dereference_protected(state->policy,
2247	lockdep_is_held(&state->policy_mutex));
2248
2249	/ If switching between different policy types, log MLS status /
2250	if (oldpolicy) {
2251	if (oldpolicy->policydb.mls_enabled && !newpolicy->policydb.mls_enabled)
2252	pr_info("SELinux: Disabling MLS support...\n");
2253	else if (!oldpolicy->policydb.mls_enabled && newpolicy->policydb.mls_enabled)
2254	pr_info("SELinux: Enabling MLS support...\n");
2255	}
2256
2257	/ Set latest granting seqno for new policy. /
2258	if (oldpolicy)
2259	newpolicy->latest_granting = oldpolicy->latest_granting + `1`;
2260	else
2261	newpolicy->latest_granting = `1`;
2262	seqno = newpolicy->latest_granting;
2263
2264	/ Install the new policy. /
2265	if (oldpolicy) {
2266	sidtab_freeze_begin(s: oldpolicy->sidtab, flags: &flags);
2267	rcu_assign_pointer(state->policy, newpolicy);
2268	sidtab_freeze_end(s: oldpolicy->sidtab, flags: &flags);
2269	} else {
2270	rcu_assign_pointer(state->policy, newpolicy);
2271	}
2272
2273	/ Load the policycaps from the new policy /
2274	security_load_policycaps(policy: newpolicy);
2275
2276	if (!selinux_initialized()) {
2277	/*
2278	* After first policy load, the security server is
2279	* marked as initialized and ready to handle requests and
2280	* any objects created prior to policy load are then labeled.
2281	*/
2282	selinux_mark_initialized();
2283	selinux_complete_init();
2284	}
2285
2286	/ Free the old policy /
2287	synchronize_rcu();
2288	selinux_policy_free(policy: oldpolicy);
2289	kfree(objp: load_state->convert_data);
2290
2291	/ Notify others of the policy change /
2292	selinux_notify_policy_change(seqno);
2293	}
2294
2295	/**
2296	* security_load_policy - Load a security policy configuration.
2297	* @data: binary policy data
2298	* @len: length of data in bytes
2299	* @load_state: policy load state
2300	*
2301	* Load a new set of security policy configuration data,
2302	* validate it and convert the SID table as necessary.
2303	* This function will flush the access vector cache after
2304	* loading the new policy.
2305	*/
2306	int security_load_policy(void *data, size_t len,
2307	struct selinux_load_state *load_state)
2308	{
2309	struct selinux_state *state = &selinux_state;
2310	struct selinux_policy newpolicy, oldpolicy;
2311	struct selinux_policy_convert_data *convert_data;
2312	int rc = `0`;
2313	struct policy_file file = { data, len }, *fp = &file;
2314
2315	newpolicy = kzalloc(sizeof(*newpolicy), GFP_KERNEL);
2316	if (!newpolicy)
2317	return -ENOMEM;
2318
2319	newpolicy->sidtab = kzalloc(sizeof(*newpolicy->sidtab), GFP_KERNEL);
2320	if (!newpolicy->sidtab) {
2321	rc = -ENOMEM;
2322	goto err_policy;
2323	}
2324
2325	rc = policydb_read(p: &newpolicy->policydb, fp);
2326	if (rc)
2327	goto err_sidtab;
2328
2329	newpolicy->policydb.len = len;
2330	rc = selinux_set_mapping(pol: &newpolicy->policydb, map: secclass_map,
2331	out_map: &newpolicy->map);
2332	if (rc)
2333	goto err_policydb;
2334
2335	rc = policydb_load_isids(p: &newpolicy->policydb, s: newpolicy->sidtab);
2336	if (rc) {
2337	pr_err("SELinux: unable to load the initial SIDs\n");
2338	goto err_mapping;
2339	}
2340
2341	if (!selinux_initialized()) {
2342	/ First policy load, so no need to preserve state from old policy /
2343	load_state->policy = newpolicy;
2344	load_state->convert_data = NULL;
2345	return `0`;
2346	}
2347
2348	oldpolicy = rcu_dereference_protected(state->policy,
2349	lockdep_is_held(&state->policy_mutex));
2350
2351	/ Preserve active boolean values from the old policy /
2352	rc = security_preserve_bools(oldpolicy, newpolicy);
2353	if (rc) {
2354	pr_err("SELinux: unable to preserve booleans\n");
2355	goto err_free_isids;
2356	}
2357
2358	/*
2359	* Convert the internal representations of contexts
2360	* in the new SID table.
2361	*/
2362
2363	convert_data = kmalloc(sizeof(*convert_data), GFP_KERNEL);
2364	if (!convert_data) {
2365	rc = -ENOMEM;
2366	goto err_free_isids;
2367	}
2368
2369	convert_data->args.oldp = &oldpolicy->policydb;
2370	convert_data->args.newp = &newpolicy->policydb;
2371
2372	convert_data->sidtab_params.args = &convert_data->args;
2373	convert_data->sidtab_params.target = newpolicy->sidtab;
2374
2375	rc = sidtab_convert(s: oldpolicy->sidtab, params: &convert_data->sidtab_params);
2376	if (rc) {
2377	pr_err("SELinux: unable to convert the internal"
2378	" representation of contexts in the new SID"
2379	" table\n");
2380	goto err_free_convert_data;
2381	}
2382
2383	load_state->policy = newpolicy;
2384	load_state->convert_data = convert_data;
2385	return `0`;
2386
2387	err_free_convert_data:
2388	kfree(objp: convert_data);
2389	err_free_isids:
2390	sidtab_destroy(s: newpolicy->sidtab);
2391	err_mapping:
2392	kfree(objp: newpolicy->map.mapping);
2393	err_policydb:
2394	policydb_destroy(p: &newpolicy->policydb);
2395	err_sidtab:
2396	kfree(objp: newpolicy->sidtab);
2397	err_policy:
2398	kfree(objp: newpolicy);
2399
2400	return rc;
2401	}
2402
2403	/**
2404	* ocontext_to_sid - Helper to safely get sid for an ocontext
2405	* @sidtab: SID table
2406	* @c: ocontext structure
2407	* @index: index of the context entry (0 or 1)
2408	* @out_sid: pointer to the resulting SID value
2409	*
2410	* For all ocontexts except OCON_ISID the SID fields are populated
2411	* on-demand when needed. Since updating the SID value is an SMP-sensitive
2412	* operation, this helper must be used to do that safely.
2413	*
2414	* WARNING: This function may return -ESTALE, indicating that the caller
2415	* must retry the operation after re-acquiring the policy pointer!
2416	*/
2417	static int ocontext_to_sid(struct sidtab sidtab, struct* ocontext *c,
2418	size_t index, u32 *out_sid)
2419	{
2420	int rc;
2421	u32 sid;
2422
2423	/ Ensure the associated sidtab entry is visible to this thread. /
2424	sid = smp_load_acquire(&c->sid[index]);
2425	if (!sid) {
2426	rc = sidtab_context_to_sid(s: sidtab, context: &c->context[index], sid: &sid);
2427	if (rc)
2428	return rc;
2429
2430	/*
2431	* Ensure the new sidtab entry is visible to other threads
2432	* when they see the SID.
2433	*/
2434	smp_store_release(&c->sid[index], sid);
2435	}
2436	*out_sid = sid;
2437	return `0`;
2438	}
2439
2440	/**
2441	* security_port_sid - Obtain the SID for a port.
2442	* @protocol: protocol number
2443	* @port: port number
2444	* @out_sid: security identifier
2445	*/
2446	int security_port_sid(u8 protocol, u16 port, u32 *out_sid)
2447	{
2448	struct selinux_policy *policy;
2449	struct policydb *policydb;
2450	struct sidtab *sidtab;
2451	struct ocontext *c;
2452	int rc;
2453
2454	if (!selinux_initialized()) {
2455	*out_sid = SECINITSID_PORT;
2456	return `0`;
2457	}
2458
2459	retry:
2460	rc = `0`;
2461	rcu_read_lock();
2462	policy = rcu_dereference(selinux_state.policy);
2463	policydb = &policy->policydb;
2464	sidtab = policy->sidtab;
2465
2466	c = policydb->ocontexts[OCON_PORT];
2467	while (c) {
2468	if (c->u.port.protocol == protocol &&
2469	c->u.port.low_port <= port &&
2470	c->u.port.high_port >= port)
2471	break;
2472	c = c->next;
2473	}
2474
2475	if (c) {
2476	rc = ocontext_to_sid(sidtab, c, index: `0`, out_sid);
2477	if (rc == -ESTALE) {
2478	rcu_read_unlock();
2479	goto retry;
2480	}
2481	if (rc)
2482	goto out;
2483	} else {
2484	*out_sid = SECINITSID_PORT;
2485	}
2486
2487	out:
2488	rcu_read_unlock();
2489	return rc;
2490	}
2491
2492	/**
2493	* security_ib_pkey_sid - Obtain the SID for a pkey.
2494	* @subnet_prefix: Subnet Prefix
2495	* @pkey_num: pkey number
2496	* @out_sid: security identifier
2497	*/
2498	int security_ib_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid)
2499	{
2500	struct selinux_policy *policy;
2501	struct policydb *policydb;
2502	struct sidtab *sidtab;
2503	struct ocontext *c;
2504	int rc;
2505
2506	if (!selinux_initialized()) {
2507	*out_sid = SECINITSID_UNLABELED;
2508	return `0`;
2509	}
2510
2511	retry:
2512	rc = `0`;
2513	rcu_read_lock();
2514	policy = rcu_dereference(selinux_state.policy);
2515	policydb = &policy->policydb;
2516	sidtab = policy->sidtab;
2517
2518	c = policydb->ocontexts[OCON_IBPKEY];
2519	while (c) {
2520	if (c->u.ibpkey.low_pkey <= pkey_num &&
2521	c->u.ibpkey.high_pkey >= pkey_num &&
2522	c->u.ibpkey.subnet_prefix == subnet_prefix)
2523	break;
2524
2525	c = c->next;
2526	}
2527
2528	if (c) {
2529	rc = ocontext_to_sid(sidtab, c, index: `0`, out_sid);
2530	if (rc == -ESTALE) {
2531	rcu_read_unlock();
2532	goto retry;
2533	}
2534	if (rc)
2535	goto out;
2536	} else
2537	*out_sid = SECINITSID_UNLABELED;
2538
2539	out:
2540	rcu_read_unlock();
2541	return rc;
2542	}
2543
2544	/**
2545	* security_ib_endport_sid - Obtain the SID for a subnet management interface.
2546	* @dev_name: device name
2547	* @port_num: port number
2548	* @out_sid: security identifier
2549	*/
2550	int security_ib_endport_sid(const char dev_name, u8 port_num, u32 out_sid)
2551	{
2552	struct selinux_policy *policy;
2553	struct policydb *policydb;
2554	struct sidtab *sidtab;
2555	struct ocontext *c;
2556	int rc;
2557
2558	if (!selinux_initialized()) {
2559	*out_sid = SECINITSID_UNLABELED;
2560	return `0`;
2561	}
2562
2563	retry:
2564	rc = `0`;
2565	rcu_read_lock();
2566	policy = rcu_dereference(selinux_state.policy);
2567	policydb = &policy->policydb;
2568	sidtab = policy->sidtab;
2569
2570	c = policydb->ocontexts[OCON_IBENDPORT];
2571	while (c) {
2572	if (c->u.ibendport.port == port_num &&
2573	!strncmp(c->u.ibendport.dev_name,
2574	dev_name,
2575	IB_DEVICE_NAME_MAX))
2576	break;
2577
2578	c = c->next;
2579	}
2580
2581	if (c) {
2582	rc = ocontext_to_sid(sidtab, c, index: `0`, out_sid);
2583	if (rc == -ESTALE) {
2584	rcu_read_unlock();
2585	goto retry;
2586	}
2587	if (rc)
2588	goto out;
2589	} else
2590	*out_sid = SECINITSID_UNLABELED;
2591
2592	out:
2593	rcu_read_unlock();
2594	return rc;
2595	}
2596
2597	/**
2598	* security_netif_sid - Obtain the SID for a network interface.
2599	* @name: interface name
2600	* @if_sid: interface SID
2601	*/
2602	int security_netif_sid(const char name, u32 if_sid)
2603	{
2604	struct selinux_policy *policy;
2605	struct policydb *policydb;
2606	struct sidtab *sidtab;
2607	int rc;
2608	struct ocontext *c;
2609	bool wildcard_support;
2610
2611	if (!selinux_initialized()) {
2612	*if_sid = SECINITSID_NETIF;
2613	return `0`;
2614	}
2615
2616	retry:
2617	rc = `0`;
2618	rcu_read_lock();
2619	policy = rcu_dereference(selinux_state.policy);
2620	policydb = &policy->policydb;
2621	sidtab = policy->sidtab;
2622	wildcard_support = ebitmap_get_bit(e: &policydb->policycaps, bit: POLICYDB_CAP_NETIF_WILDCARD);
2623
2624	c = policydb->ocontexts[OCON_NETIF];
2625	while (c) {
2626	if (wildcard_support) {
2627	if (match_wildcard(pattern: c->u.name, str: name))
2628	break;
2629	} else {
2630	if (strcmp(c->u.name, name) == `0`)
2631	break;
2632	}
2633
2634	c = c->next;
2635	}
2636
2637	if (c) {
2638	rc = ocontext_to_sid(sidtab, c, index: `0`, out_sid: if_sid);
2639	if (rc == -ESTALE) {
2640	rcu_read_unlock();
2641	goto retry;
2642	}
2643	if (rc)
2644	goto out;
2645	} else
2646	*if_sid = SECINITSID_NETIF;
2647
2648	out:
2649	rcu_read_unlock();
2650	return rc;
2651	}
2652
2653	static bool match_ipv6_addrmask(const u32 input[`4`], const u32 addr[`4`], const u32 mask[`4`])
2654	{
2655	int i;
2656
2657	for (i = `0`; i < `4`; i++)
2658	if (addr[i] != (input[i] & mask[i]))
2659	return false;
2660
2661	return true;
2662	}
2663
2664	/**
2665	* security_node_sid - Obtain the SID for a node (host).
2666	* @domain: communication domain aka address family
2667	* @addrp: address
2668	* @addrlen: address length in bytes
2669	* @out_sid: security identifier
2670	*/
2671	int security_node_sid(u16 domain,
2672	const void *addrp,
2673	u32 addrlen,
2674	u32 *out_sid)
2675	{
2676	struct selinux_policy *policy;
2677	struct policydb *policydb;
2678	struct sidtab *sidtab;
2679	int rc;
2680	struct ocontext *c;
2681
2682	if (!selinux_initialized()) {
2683	*out_sid = SECINITSID_NODE;
2684	return `0`;
2685	}
2686
2687	retry:
2688	rcu_read_lock();
2689	policy = rcu_dereference(selinux_state.policy);
2690	policydb = &policy->policydb;
2691	sidtab = policy->sidtab;
2692
2693	switch (domain) {
2694	case AF_INET: {
2695	u32 addr;
2696
2697	rc = -EINVAL;
2698	if (addrlen != sizeof(u32))
2699	goto out;
2700
2701	addr = ((const* u32 *)addrp);
2702
2703	c = policydb->ocontexts[OCON_NODE];
2704	while (c) {
2705	if (c->u.node.addr == (addr & c->u.node.mask))
2706	break;
2707	c = c->next;
2708	}
2709	break;
2710	}
2711
2712	case AF_INET6:
2713	rc = -EINVAL;
2714	if (addrlen != sizeof(u64) * `2`)
2715	goto out;
2716	c = policydb->ocontexts[OCON_NODE6];
2717	while (c) {
2718	if (match_ipv6_addrmask(input: addrp, addr: c->u.node6.addr,
2719	mask: c->u.node6.mask))
2720	break;
2721	c = c->next;
2722	}
2723	break;
2724
2725	default:
2726	rc = `0`;
2727	*out_sid = SECINITSID_NODE;
2728	goto out;
2729	}
2730
2731	if (c) {
2732	rc = ocontext_to_sid(sidtab, c, index: `0`, out_sid);
2733	if (rc == -ESTALE) {
2734	rcu_read_unlock();
2735	goto retry;
2736	}
2737	if (rc)
2738	goto out;
2739	} else {
2740	*out_sid = SECINITSID_NODE;
2741	}
2742
2743	rc = `0`;
2744	out:
2745	rcu_read_unlock();
2746	return rc;
2747	}
2748
2749	#define SIDS_NEL 25
2750
2751	/**
2752	* security_get_user_sids - Obtain reachable SIDs for a user.
2753	* @fromsid: starting SID
2754	* @username: username
2755	* @sids: array of reachable SIDs for user
2756	* @nel: number of elements in @sids
2757	*
2758	* Generate the set of SIDs for legal security contexts
2759	* for a given user that can be reached by @fromsid.
2760	* Set *@sids to point to a dynamically allocated
2761	* array containing the set of SIDs. Set *@nel to the
2762	* number of elements in the array.
2763	*/
2764
2765	int security_get_user_sids(u32 fromsid,
2766	const char *username,
2767	u32 **sids,
2768	u32 *nel)
2769	{
2770	struct selinux_policy *policy;
2771	struct policydb *policydb;
2772	struct sidtab *sidtab;
2773	struct context *fromcon, usercon;
2774	u32 mysids = NULL, mysids2, sid;
2775	u32 i, j, mynel, maxnel = SIDS_NEL;
2776	struct user_datum *user;
2777	struct role_datum *role;
2778	struct ebitmap_node rnode, tnode;
2779	int rc;
2780
2781	*sids = NULL;
2782	*nel = `0`;
2783
2784	if (!selinux_initialized())
2785	return `0`;
2786
2787	mysids = kcalloc(maxnel, sizeof(*mysids), GFP_KERNEL);
2788	if (!mysids)
2789	return -ENOMEM;
2790
2791	retry:
2792	mynel = `0`;
2793	rcu_read_lock();
2794	policy = rcu_dereference(selinux_state.policy);
2795	policydb = &policy->policydb;
2796	sidtab = policy->sidtab;
2797
2798	context_init(c: &usercon);
2799
2800	rc = -EINVAL;
2801	fromcon = sidtab_search(s: sidtab, sid: fromsid);
2802	if (!fromcon)
2803	goto out_unlock;
2804
2805	rc = -EINVAL;
2806	user = symtab_search(s: &policydb->p_users, name: username);
2807	if (!user)
2808	goto out_unlock;
2809
2810	usercon.user = user->value;
2811
2812	ebitmap_for_each_positive_bit(&user->roles, rnode, i) {
2813	role = policydb->role_val_to_struct[i];
2814	usercon.role = i + `1`;
2815	ebitmap_for_each_positive_bit(&role->types, tnode, j) {
2816	usercon.type = j + `1`;
2817
2818	if (mls_setup_user_range(p: policydb, fromcon, user,
2819	usercon: &usercon))
2820	continue;
2821
2822	rc = sidtab_context_to_sid(s: sidtab, context: &usercon, sid: &sid);
2823	if (rc == -ESTALE) {
2824	rcu_read_unlock();
2825	goto retry;
2826	}
2827	if (rc)
2828	goto out_unlock;
2829	if (mynel < maxnel) {
2830	mysids[mynel++] = sid;
2831	} else {
2832	rc = -ENOMEM;
2833	maxnel += SIDS_NEL;
2834	mysids2 = kcalloc(maxnel, sizeof(*mysids2), GFP_ATOMIC);
2835	if (!mysids2)
2836	goto out_unlock;
2837	memcpy(to: mysids2, from: mysids, len: mynel * sizeof(*mysids2));
2838	kfree(objp: mysids);
2839	mysids = mysids2;
2840	mysids[mynel++] = sid;
2841	}
2842	}
2843	}
2844	rc = `0`;
2845	out_unlock:
2846	rcu_read_unlock();
2847	if (rc \|\| !mynel) {
2848	kfree(objp: mysids);
2849	return rc;
2850	}
2851
2852	rc = -ENOMEM;
2853	mysids2 = kcalloc(mynel, sizeof(*mysids2), GFP_KERNEL);
2854	if (!mysids2) {
2855	kfree(objp: mysids);
2856	return rc;
2857	}
2858	for (i = `0`, j = `0`; i < mynel; i++) {
2859	struct av_decision dummy_avd;
2860	rc = avc_has_perm_noaudit(ssid: fromsid, tsid: mysids[i],
2861	SECCLASS_PROCESS, / kernel value /
2862	PROCESS__TRANSITION, AVC_STRICT,
2863	avd: &dummy_avd);
2864	if (!rc)
2865	mysids2[j++] = mysids[i];
2866	cond_resched();
2867	}
2868	kfree(objp: mysids);
2869	*sids = mysids2;
2870	*nel = j;
2871	return `0`;
2872	}
2873
2874	/**
2875	* __security_genfs_sid - Helper to obtain a SID for a file in a filesystem
2876	* @policy: policy
2877	* @fstype: filesystem type
2878	* @path: path from root of mount
2879	* @orig_sclass: file security class
2880	* @sid: SID for path
2881	*
2882	* Obtain a SID to use for a file in a filesystem that
2883	* cannot support xattr or use a fixed labeling behavior like
2884	* transition SIDs or task SIDs.
2885	*
2886	* WARNING: This function may return -ESTALE, indicating that the caller
2887	* must retry the operation after re-acquiring the policy pointer!
2888	*/
2889	static inline int __security_genfs_sid(struct selinux_policy *policy,
2890	const char *fstype,
2891	const char *path,
2892	u16 orig_sclass,
2893	u32 *sid)
2894	{
2895	struct policydb *policydb = &policy->policydb;
2896	struct sidtab *sidtab = policy->sidtab;
2897	u16 sclass;
2898	struct genfs *genfs;
2899	struct ocontext *c;
2900	int cmp = `0`;
2901	bool wildcard;
2902
2903	while (path[`0`] == `'/'` && path[`1`] == `'/'`)
2904	path++;
2905
2906	sclass = unmap_class(map: &policy->map, tclass: orig_sclass);
2907	*sid = SECINITSID_UNLABELED;
2908
2909	for (genfs = policydb->genfs; genfs; genfs = genfs->next) {
2910	cmp = strcmp(fstype, genfs->fstype);
2911	if (cmp <= `0`)
2912	break;
2913	}
2914
2915	if (!genfs \|\| cmp)
2916	return -ENOENT;
2917
2918	wildcard = ebitmap_get_bit(e: &policy->policydb.policycaps,
2919	bit: POLICYDB_CAP_GENFS_SECLABEL_WILDCARD);
2920	for (c = genfs->head; c; c = c->next) {
2921	if (!c->v.sclass \|\| sclass == c->v.sclass) {
2922	if (wildcard) {
2923	if (match_wildcard(pattern: c->u.name, str: path))
2924	break;
2925	} else {
2926	size_t len = strlen(c->u.name);
2927
2928	if ((strncmp(c->u.name, path, len)) == `0`)
2929	break;
2930	}
2931	}
2932	}
2933
2934	if (!c)
2935	return -ENOENT;
2936
2937	return ocontext_to_sid(sidtab, c, index: `0`, out_sid: sid);
2938	}
2939
2940	/**
2941	* security_genfs_sid - Obtain a SID for a file in a filesystem
2942	* @fstype: filesystem type
2943	* @path: path from root of mount
2944	* @orig_sclass: file security class
2945	* @sid: SID for path
2946	*
2947	* Acquire policy_rwlock before calling __security_genfs_sid() and release
2948	* it afterward.
2949	*/
2950	int security_genfs_sid(const char *fstype,
2951	const char *path,
2952	u16 orig_sclass,
2953	u32 *sid)
2954	{
2955	struct selinux_policy *policy;
2956	int retval;
2957
2958	if (!selinux_initialized()) {
2959	*sid = SECINITSID_UNLABELED;
2960	return `0`;
2961	}
2962
2963	do {
2964	rcu_read_lock();
2965	policy = rcu_dereference(selinux_state.policy);
2966	retval = __security_genfs_sid(policy, fstype, path,
2967	orig_sclass, sid);
2968	rcu_read_unlock();
2969	} while (retval == -ESTALE);
2970	return retval;
2971	}
2972
2973	int selinux_policy_genfs_sid(struct selinux_policy *policy,
2974	const char *fstype,
2975	const char *path,
2976	u16 orig_sclass,
2977	u32 *sid)
2978	{
2979	/ no lock required, policy is not yet accessible by other threads /
2980	return __security_genfs_sid(policy, fstype, path, orig_sclass, sid);
2981	}
2982
2983	/**
2984	* security_fs_use - Determine how to handle labeling for a filesystem.
2985	* @sb: superblock in question
2986	*/
2987	int security_fs_use(struct super_block *sb)
2988	{
2989	struct selinux_policy *policy;
2990	struct policydb *policydb;
2991	struct sidtab *sidtab;
2992	int rc;
2993	struct ocontext *c;
2994	struct superblock_security_struct *sbsec = selinux_superblock(superblock: sb);
2995	const char *fstype = sb->s_type->name;
2996
2997	if (!selinux_initialized()) {
2998	sbsec->behavior = SECURITY_FS_USE_NONE;
2999	sbsec->sid = SECINITSID_UNLABELED;
3000	return `0`;
3001	}
3002
3003	retry:
3004	rcu_read_lock();
3005	policy = rcu_dereference(selinux_state.policy);
3006	policydb = &policy->policydb;
3007	sidtab = policy->sidtab;
3008
3009	c = policydb->ocontexts[OCON_FSUSE];
3010	while (c) {
3011	if (strcmp(fstype, c->u.name) == `0`)
3012	break;
3013	c = c->next;
3014	}
3015
3016	if (c) {
3017	sbsec->behavior = c->v.behavior;
3018	rc = ocontext_to_sid(sidtab, c, index: `0`, out_sid: &sbsec->sid);
3019	if (rc == -ESTALE) {
3020	rcu_read_unlock();
3021	goto retry;
3022	}
3023	if (rc)
3024	goto out;
3025	} else {
3026	rc = __security_genfs_sid(policy, fstype, path: "/",
3027	SECCLASS_DIR, sid: &sbsec->sid);
3028	if (rc == -ESTALE) {
3029	rcu_read_unlock();
3030	goto retry;
3031	}
3032	if (rc) {
3033	sbsec->behavior = SECURITY_FS_USE_NONE;
3034	rc = `0`;
3035	} else {
3036	sbsec->behavior = SECURITY_FS_USE_GENFS;
3037	}
3038	}
3039
3040	out:
3041	rcu_read_unlock();
3042	return rc;
3043	}
3044
3045	int security_get_bools(struct selinux_policy *policy,
3046	u32 len, char* **names, int* **values)
3047	{
3048	struct policydb *policydb;
3049	u32 i;
3050	int rc;
3051
3052	policydb = &policy->policydb;
3053
3054	*names = NULL;
3055	*values = NULL;
3056
3057	rc = `0`;
3058	*len = policydb->p_bools.nprim;
3059	if (!*len)
3060	goto out;
3061
3062	rc = -ENOMEM;
3063	names = kcalloc(len, sizeof(char *), GFP_ATOMIC);
3064	if (!*names)
3065	goto err;
3066
3067	rc = -ENOMEM;
3068	values = kcalloc(len, sizeof(int), GFP_ATOMIC);
3069	if (!*values)
3070	goto err;
3071
3072	for (i = `0`; i < *len; i++) {
3073	(*values)[i] = policydb->bool_val_to_struct[i]->state;
3074
3075	rc = -ENOMEM;
3076	(*names)[i] = kstrdup(s: sym_name(p: policydb, SYM_BOOLS, element_nr: i),
3077	GFP_ATOMIC);
3078	if (!(*names)[i])
3079	goto err;
3080	}
3081	rc = `0`;
3082	out:
3083	return rc;
3084	err:
3085	if (*names) {
3086	for (i = `0`; i < *len; i++)
3087	kfree(objp: (*names)[i]);
3088	kfree(objp: *names);
3089	}
3090	kfree(objp: *values);
3091	*len = `0`;
3092	*names = NULL;
3093	*values = NULL;
3094	goto out;
3095	}
3096
3097
3098	int security_set_bools(u32 len, const int *values)
3099	{
3100	struct selinux_state *state = &selinux_state;
3101	struct selinux_policy newpolicy, oldpolicy;
3102	int rc;
3103	u32 i, seqno = `0`;
3104
3105	if (!selinux_initialized())
3106	return -EINVAL;
3107
3108	oldpolicy = rcu_dereference_protected(state->policy,
3109	lockdep_is_held(&state->policy_mutex));
3110
3111	/ Consistency check on number of booleans, should never fail /
3112	if (WARN_ON(len != oldpolicy->policydb.p_bools.nprim))
3113	return -EINVAL;
3114
3115	newpolicy = kmemdup(oldpolicy, sizeof(*newpolicy), GFP_KERNEL);
3116	if (!newpolicy)
3117	return -ENOMEM;
3118
3119	/*
3120	* Deep copy only the parts of the policydb that might be
3121	* modified as a result of changing booleans.
3122	*/
3123	rc = cond_policydb_dup(new: &newpolicy->policydb, orig: &oldpolicy->policydb);
3124	if (rc) {
3125	kfree(objp: newpolicy);
3126	return -ENOMEM;
3127	}
3128
3129	/ Update the boolean states in the copy /
3130	for (i = `0`; i < len; i++) {
3131	int new_state = !!values[i];
3132	int old_state = newpolicy->policydb.bool_val_to_struct[i]->state;
3133
3134	if (new_state != old_state) {
3135	audit_log(ctx: audit_context(), GFP_ATOMIC,
3136	AUDIT_MAC_CONFIG_CHANGE,
3137	fmt: "bool=%s val=%d old_val=%d auid=%u ses=%u",
3138	sym_name(p: &newpolicy->policydb, SYM_BOOLS, element_nr: i),
3139	new_state,
3140	old_state,
3141	from_kuid(to: &init_user_ns, kuid: audit_get_loginuid(current)),
3142	audit_get_sessionid(current));
3143	newpolicy->policydb.bool_val_to_struct[i]->state = new_state;
3144	}
3145	}
3146
3147	/ Re-evaluate the conditional rules in the copy /
3148	evaluate_cond_nodes(p: &newpolicy->policydb);
3149
3150	/ Set latest granting seqno for new policy /
3151	newpolicy->latest_granting = oldpolicy->latest_granting + `1`;
3152	seqno = newpolicy->latest_granting;
3153
3154	/ Install the new policy /
3155	rcu_assign_pointer(state->policy, newpolicy);
3156
3157	/*
3158	* Free the conditional portions of the old policydb
3159	* that were copied for the new policy, and the oldpolicy
3160	* structure itself but not what it references.
3161	*/
3162	synchronize_rcu();
3163	selinux_policy_cond_free(policy: oldpolicy);
3164
3165	/ Notify others of the policy change /
3166	selinux_notify_policy_change(seqno);
3167	return `0`;
3168	}
3169
3170	int security_get_bool_value(u32 index)
3171	{
3172	struct selinux_policy *policy;
3173	struct policydb *policydb;
3174	int rc;
3175	u32 len;
3176
3177	if (!selinux_initialized())
3178	return `0`;
3179
3180	rcu_read_lock();
3181	policy = rcu_dereference(selinux_state.policy);
3182	policydb = &policy->policydb;
3183
3184	rc = -EFAULT;
3185	len = policydb->p_bools.nprim;
3186	if (index >= len)
3187	goto out;
3188
3189	rc = policydb->bool_val_to_struct[index]->state;
3190	out:
3191	rcu_read_unlock();
3192	return rc;
3193	}
3194
3195	static int security_preserve_bools(struct selinux_policy *oldpolicy,
3196	struct selinux_policy *newpolicy)
3197	{
3198	int rc, *bvalues = NULL;
3199	char **bnames = NULL;
3200	struct cond_bool_datum *booldatum;
3201	u32 i, nbools = `0`;
3202
3203	rc = security_get_bools(policy: oldpolicy, len: &nbools, names: &bnames, values: &bvalues);
3204	if (rc)
3205	goto out;
3206	for (i = `0`; i < nbools; i++) {
3207	booldatum = symtab_search(s: &newpolicy->policydb.p_bools,
3208	name: bnames[i]);
3209	if (booldatum)
3210	booldatum->state = bvalues[i];
3211	}
3212	evaluate_cond_nodes(p: &newpolicy->policydb);
3213
3214	out:
3215	if (bnames) {
3216	for (i = `0`; i < nbools; i++)
3217	kfree(objp: bnames[i]);
3218	}
3219	kfree(objp: bnames);
3220	kfree(objp: bvalues);
3221	return rc;
3222	}
3223
3224	/*
3225	* security_sid_mls_copy() - computes a new sid based on the given
3226	* sid and the mls portion of mls_sid.
3227	*/
3228	int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid)
3229	{
3230	struct selinux_policy *policy;
3231	struct policydb *policydb;
3232	struct sidtab *sidtab;
3233	struct context *context1;
3234	struct context *context2;
3235	struct context newcon;
3236	char *s;
3237	u32 len;
3238	int rc;
3239
3240	if (!selinux_initialized()) {
3241	*new_sid = sid;
3242	return `0`;
3243	}
3244
3245	retry:
3246	rc = `0`;
3247	context_init(c: &newcon);
3248
3249	rcu_read_lock();
3250	policy = rcu_dereference(selinux_state.policy);
3251	policydb = &policy->policydb;
3252	sidtab = policy->sidtab;
3253
3254	if (!policydb->mls_enabled) {
3255	*new_sid = sid;
3256	goto out_unlock;
3257	}
3258
3259	rc = -EINVAL;
3260	context1 = sidtab_search(s: sidtab, sid);
3261	if (!context1) {
3262	pr_err("SELinux: %s: unrecognized SID %d\n",
3263	__func__, sid);
3264	goto out_unlock;
3265	}
3266
3267	rc = -EINVAL;
3268	context2 = sidtab_search(s: sidtab, sid: mls_sid);
3269	if (!context2) {
3270	pr_err("SELinux: %s: unrecognized SID %d\n",
3271	__func__, mls_sid);
3272	goto out_unlock;
3273	}
3274
3275	newcon.user = context1->user;
3276	newcon.role = context1->role;
3277	newcon.type = context1->type;
3278	rc = mls_context_cpy(dst: &newcon, src: context2);
3279	if (rc)
3280	goto out_unlock;
3281
3282	/ Check the validity of the new context. /
3283	if (!policydb_context_isvalid(p: policydb, c: &newcon)) {
3284	rc = convert_context_handle_invalid_context(policydb,
3285	context: &newcon);
3286	if (rc) {
3287	if (!context_struct_to_string(p: policydb, context: &newcon, scontext: &s,
3288	scontext_len: &len)) {
3289	struct audit_buffer *ab;
3290
3291	ab = audit_log_start(ctx: audit_context(),
3292	GFP_ATOMIC,
3293	AUDIT_SELINUX_ERR);
3294	audit_log_format(ab,
3295	fmt: "op=security_sid_mls_copy invalid_context=");
3296	/ don't record NUL with untrusted strings /
3297	audit_log_n_untrustedstring(ab, string: s, n: len - `1`);
3298	audit_log_end(ab);
3299	kfree(objp: s);
3300	}
3301	goto out_unlock;
3302	}
3303	}
3304	rc = sidtab_context_to_sid(s: sidtab, context: &newcon, sid: new_sid);
3305	if (rc == -ESTALE) {
3306	rcu_read_unlock();
3307	context_destroy(c: &newcon);
3308	goto retry;
3309	}
3310	out_unlock:
3311	rcu_read_unlock();
3312	context_destroy(c: &newcon);
3313	return rc;
3314	}
3315
3316	/**
3317	* security_net_peersid_resolve - Compare and resolve two network peer SIDs
3318	* @nlbl_sid: NetLabel SID
3319	* @nlbl_type: NetLabel labeling protocol type
3320	* @xfrm_sid: XFRM SID
3321	* @peer_sid: network peer sid
3322	*
3323	* Description:
3324	* Compare the @nlbl_sid and @xfrm_sid values and if the two SIDs can be
3325	* resolved into a single SID it is returned via @peer_sid and the function
3326	* returns zero. Otherwise @peer_sid is set to SECSID_NULL and the function
3327	* returns a negative value. A table summarizing the behavior is below:
3328	*
3329	* \| function return \| @sid
3330	* ------------------------------+-----------------+-----------------
3331	* no peer labels \| 0 \| SECSID_NULL
3332	* single peer label \| 0 \| <peer_label>
3333	* multiple, consistent labels \| 0 \| <peer_label>
3334	* multiple, inconsistent labels \| -<errno> \| SECSID_NULL
3335	*
3336	*/
3337	int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type,
3338	u32 xfrm_sid,
3339	u32 *peer_sid)
3340	{
3341	struct selinux_policy *policy;
3342	struct policydb *policydb;
3343	struct sidtab *sidtab;
3344	int rc;
3345	struct context *nlbl_ctx;
3346	struct context *xfrm_ctx;
3347
3348	*peer_sid = SECSID_NULL;
3349
3350	/ handle the common (which also happens to be the set of easy) cases*
3351	* right away, these two if statements catch everything involving a
3352	* single or absent peer SID/label */
3353	if (xfrm_sid == SECSID_NULL) {
3354	*peer_sid = nlbl_sid;
3355	return `0`;
3356	}
3357	/ NOTE: an nlbl_type == NETLBL_NLTYPE_UNLABELED is a "fallback" label*
3358	* and is treated as if nlbl_sid == SECSID_NULL when a XFRM SID/label
3359	* is present */
3360	if (nlbl_sid == SECSID_NULL \|\| nlbl_type == NETLBL_NLTYPE_UNLABELED) {
3361	*peer_sid = xfrm_sid;
3362	return `0`;
3363	}
3364
3365	if (!selinux_initialized())
3366	return `0`;
3367
3368	rcu_read_lock();
3369	policy = rcu_dereference(selinux_state.policy);
3370	policydb = &policy->policydb;
3371	sidtab = policy->sidtab;
3372
3373	/*
3374	* We don't need to check initialized here since the only way both
3375	* nlbl_sid and xfrm_sid are not equal to SECSID_NULL would be if the
3376	* security server was initialized and state->initialized was true.
3377	*/
3378	if (!policydb->mls_enabled) {
3379	rc = `0`;
3380	goto out;
3381	}
3382
3383	rc = -EINVAL;
3384	nlbl_ctx = sidtab_search(s: sidtab, sid: nlbl_sid);
3385	if (!nlbl_ctx) {
3386	pr_err("SELinux: %s: unrecognized SID %d\n",
3387	__func__, nlbl_sid);
3388	goto out;
3389	}
3390	rc = -EINVAL;
3391	xfrm_ctx = sidtab_search(s: sidtab, sid: xfrm_sid);
3392	if (!xfrm_ctx) {
3393	pr_err("SELinux: %s: unrecognized SID %d\n",
3394	__func__, xfrm_sid);
3395	goto out;
3396	}
3397	rc = (mls_context_equal(c1: nlbl_ctx, c2: xfrm_ctx) ? `0` : -EACCES);
3398	if (rc)
3399	goto out;
3400
3401	/ at present NetLabel SIDs/labels really only carry MLS*
3402	* information so if the MLS portion of the NetLabel SID
3403	* matches the MLS portion of the labeled XFRM SID/label
3404	* then pass along the XFRM SID as it is the most
3405	* expressive */
3406	*peer_sid = xfrm_sid;
3407	out:
3408	rcu_read_unlock();
3409	return rc;
3410	}
3411
3412	static int get_classes_callback(void k, void* d, void* *args)
3413	{
3414	struct class_datum *datum = d;
3415	char name = k, *classes = args;
3416	u32 value = datum->value - `1`;
3417
3418	classes[value] = kstrdup(s: name, GFP_ATOMIC);
3419	if (!classes[value])
3420	return -ENOMEM;
3421
3422	return `0`;
3423	}
3424
3425	int security_get_classes(struct selinux_policy *policy,
3426	char **classes, u32 nclasses)
3427	{
3428	struct policydb *policydb;
3429	int rc;
3430
3431	policydb = &policy->policydb;
3432
3433	rc = -ENOMEM;
3434	*nclasses = policydb->p_classes.nprim;
3435	classes = kcalloc(nclasses, sizeof(**classes), GFP_ATOMIC);
3436	if (!*classes)
3437	goto out;
3438
3439	rc = hashtab_map(h: &policydb->p_classes.table, apply: get_classes_callback,
3440	args: *classes);
3441	if (rc) {
3442	u32 i;
3443
3444	for (i = `0`; i < *nclasses; i++)
3445	kfree(objp: (*classes)[i]);
3446	kfree(objp: *classes);
3447	}
3448
3449	out:
3450	return rc;
3451	}
3452
3453	static int get_permissions_callback(void k, void* d, void* *args)
3454	{
3455	struct perm_datum *datum = d;
3456	char name = k, *perms = args;
3457	u32 value = datum->value - `1`;
3458
3459	perms[value] = kstrdup(s: name, GFP_ATOMIC);
3460	if (!perms[value])
3461	return -ENOMEM;
3462
3463	return `0`;
3464	}
3465
3466	int security_get_permissions(struct selinux_policy *policy,
3467	const char class, char* **perms, u32 nperms)
3468	{
3469	struct policydb *policydb;
3470	u32 i;
3471	int rc;
3472	struct class_datum *match;
3473
3474	policydb = &policy->policydb;
3475
3476	rc = -EINVAL;
3477	match = symtab_search(s: &policydb->p_classes, name: class);
3478	if (!match) {
3479	pr_err("SELinux: %s: unrecognized class %s\n",
3480	__func__, class);
3481	goto out;
3482	}
3483
3484	rc = -ENOMEM;
3485	*nperms = match->permissions.nprim;
3486	perms = kcalloc(nperms, sizeof(**perms), GFP_ATOMIC);
3487	if (!*perms)
3488	goto out;
3489
3490	if (match->comdatum) {
3491	rc = hashtab_map(h: &match->comdatum->permissions.table,
3492	apply: get_permissions_callback, args: *perms);
3493	if (rc)
3494	goto err;
3495	}
3496
3497	rc = hashtab_map(h: &match->permissions.table, apply: get_permissions_callback,
3498	args: *perms);
3499	if (rc)
3500	goto err;
3501
3502	out:
3503	return rc;
3504
3505	err:
3506	for (i = `0`; i < *nperms; i++)
3507	kfree(objp: (*perms)[i]);
3508	kfree(objp: *perms);
3509	return rc;
3510	}
3511
3512	int security_get_reject_unknown(void)
3513	{
3514	struct selinux_policy *policy;
3515	int value;
3516
3517	if (!selinux_initialized())
3518	return `0`;
3519
3520	rcu_read_lock();
3521	policy = rcu_dereference(selinux_state.policy);
3522	value = policy->policydb.reject_unknown;
3523	rcu_read_unlock();
3524	return value;
3525	}
3526
3527	int security_get_allow_unknown(void)
3528	{
3529	struct selinux_policy *policy;
3530	int value;
3531
3532	if (!selinux_initialized())
3533	return `0`;
3534
3535	rcu_read_lock();
3536	policy = rcu_dereference(selinux_state.policy);
3537	value = policy->policydb.allow_unknown;
3538	rcu_read_unlock();
3539	return value;
3540	}
3541
3542	/**
3543	* security_policycap_supported - Check for a specific policy capability
3544	* @req_cap: capability
3545	*
3546	* Description:
3547	* This function queries the currently loaded policy to see if it supports the
3548	* capability specified by @req_cap. Returns true (1) if the capability is
3549	* supported, false (0) if it isn't supported.
3550	*
3551	*/
3552	int security_policycap_supported(unsigned int req_cap)
3553	{
3554	struct selinux_policy *policy;
3555	int rc;
3556
3557	if (!selinux_initialized())
3558	return `0`;
3559
3560	rcu_read_lock();
3561	policy = rcu_dereference(selinux_state.policy);
3562	rc = ebitmap_get_bit(e: &policy->policydb.policycaps, bit: req_cap);
3563	rcu_read_unlock();
3564
3565	return rc;
3566	}
3567
3568	struct selinux_audit_rule {
3569	u32 au_seqno;
3570	struct context au_ctxt;
3571	};
3572
3573	void selinux_audit_rule_free(void *vrule)
3574	{
3575	struct selinux_audit_rule *rule = vrule;
3576
3577	if (rule) {
3578	context_destroy(c: &rule->au_ctxt);
3579	kfree(objp: rule);
3580	}
3581	}
3582
3583	int selinux_audit_rule_init(u32 field, u32 op, char rulestr, void* **vrule,
3584	gfp_t gfp)
3585	{
3586	struct selinux_state *state = &selinux_state;
3587	struct selinux_policy *policy;
3588	struct policydb *policydb;
3589	struct selinux_audit_rule *tmprule;
3590	struct role_datum *roledatum;
3591	struct type_datum *typedatum;
3592	struct user_datum *userdatum;
3593	struct selinux_audit_rule rule = (struct selinux_audit_rule )vrule;
3594	int rc = `0`;
3595
3596	*rule = NULL;
3597
3598	if (!selinux_initialized())
3599	return -EOPNOTSUPP;
3600
3601	switch (field) {
3602	case AUDIT_SUBJ_USER:
3603	case AUDIT_SUBJ_ROLE:
3604	case AUDIT_SUBJ_TYPE:
3605	case AUDIT_OBJ_USER:
3606	case AUDIT_OBJ_ROLE:
3607	case AUDIT_OBJ_TYPE:
3608	/ only 'equals' and 'not equals' fit user, role, and type /
3609	if (op != Audit_equal && op != Audit_not_equal)
3610	return -EINVAL;
3611	break;
3612	case AUDIT_SUBJ_SEN:
3613	case AUDIT_SUBJ_CLR:
3614	case AUDIT_OBJ_LEV_LOW:
3615	case AUDIT_OBJ_LEV_HIGH:
3616	/ we do not allow a range, indicated by the presence of '-' /
3617	if (strchr(rulestr, `'-'`))
3618	return -EINVAL;
3619	break;
3620	default:
3621	/ only the above fields are valid /
3622	return -EINVAL;
3623	}
3624
3625	tmprule = kzalloc(sizeof(struct selinux_audit_rule), gfp);
3626	if (!tmprule)
3627	return -ENOMEM;
3628	context_init(c: &tmprule->au_ctxt);
3629
3630	rcu_read_lock();
3631	policy = rcu_dereference(state->policy);
3632	policydb = &policy->policydb;
3633	tmprule->au_seqno = policy->latest_granting;
3634	switch (field) {
3635	case AUDIT_SUBJ_USER:
3636	case AUDIT_OBJ_USER:
3637	userdatum = symtab_search(s: &policydb->p_users, name: rulestr);
3638	if (!userdatum) {
3639	rc = -EINVAL;
3640	goto err;
3641	}
3642	tmprule->au_ctxt.user = userdatum->value;
3643	break;
3644	case AUDIT_SUBJ_ROLE:
3645	case AUDIT_OBJ_ROLE:
3646	roledatum = symtab_search(s: &policydb->p_roles, name: rulestr);
3647	if (!roledatum) {
3648	rc = -EINVAL;
3649	goto err;
3650	}
3651	tmprule->au_ctxt.role = roledatum->value;
3652	break;
3653	case AUDIT_SUBJ_TYPE:
3654	case AUDIT_OBJ_TYPE:
3655	typedatum = symtab_search(s: &policydb->p_types, name: rulestr);
3656	if (!typedatum) {
3657	rc = -EINVAL;
3658	goto err;
3659	}
3660	tmprule->au_ctxt.type = typedatum->value;
3661	break;
3662	case AUDIT_SUBJ_SEN:
3663	case AUDIT_SUBJ_CLR:
3664	case AUDIT_OBJ_LEV_LOW:
3665	case AUDIT_OBJ_LEV_HIGH:
3666	rc = mls_from_string(p: policydb, str: rulestr, context: &tmprule->au_ctxt,
3667	GFP_ATOMIC);
3668	if (rc)
3669	goto err;
3670	break;
3671	}
3672	rcu_read_unlock();
3673
3674	*rule = tmprule;
3675	return `0`;
3676
3677	err:
3678	rcu_read_unlock();
3679	selinux_audit_rule_free(vrule: tmprule);
3680	*rule = NULL;
3681	return rc;
3682	}
3683
3684	/ Check to see if the rule contains any selinux fields /
3685	int selinux_audit_rule_known(struct audit_krule *rule)
3686	{
3687	u32 i;
3688
3689	for (i = `0`; i < rule->field_count; i++) {
3690	struct audit_field *f = &rule->fields[i];
3691	switch (f->type) {
3692	case AUDIT_SUBJ_USER:
3693	case AUDIT_SUBJ_ROLE:
3694	case AUDIT_SUBJ_TYPE:
3695	case AUDIT_SUBJ_SEN:
3696	case AUDIT_SUBJ_CLR:
3697	case AUDIT_OBJ_USER:
3698	case AUDIT_OBJ_ROLE:
3699	case AUDIT_OBJ_TYPE:
3700	case AUDIT_OBJ_LEV_LOW:
3701	case AUDIT_OBJ_LEV_HIGH:
3702	return `1`;
3703	}
3704	}
3705
3706	return `0`;
3707	}
3708
3709	int selinux_audit_rule_match(struct lsm_prop prop, u32 field, u32 op, void* *vrule)
3710	{
3711	struct selinux_state *state = &selinux_state;
3712	struct selinux_policy *policy;
3713	struct context *ctxt;
3714	struct mls_level *level;
3715	struct selinux_audit_rule *rule = vrule;
3716	int match = `0`;
3717
3718	if (unlikely(!rule)) {
3719	WARN_ONCE(`1`, "selinux_audit_rule_match: missing rule\n");
3720	return -ENOENT;
3721	}
3722
3723	if (!selinux_initialized())
3724	return `0`;
3725
3726	rcu_read_lock();
3727
3728	policy = rcu_dereference(state->policy);
3729
3730	if (rule->au_seqno < policy->latest_granting) {
3731	match = -ESTALE;
3732	goto out;
3733	}
3734
3735	ctxt = sidtab_search(s: policy->sidtab, sid: prop->selinux.secid);
3736	if (unlikely(!ctxt)) {
3737	WARN_ONCE(`1`, "selinux_audit_rule_match: unrecognized SID %d\n",
3738	prop->selinux.secid);
3739	match = -ENOENT;
3740	goto out;
3741	}
3742
3743	/ a field/op pair that is not caught here will simply fall through*
3744	without a match /*
3745	switch (field) {
3746	case AUDIT_SUBJ_USER:
3747	case AUDIT_OBJ_USER:
3748	switch (op) {
3749	case Audit_equal:
3750	match = (ctxt->user == rule->au_ctxt.user);
3751	break;
3752	case Audit_not_equal:
3753	match = (ctxt->user != rule->au_ctxt.user);
3754	break;
3755	}
3756	break;
3757	case AUDIT_SUBJ_ROLE:
3758	case AUDIT_OBJ_ROLE:
3759	switch (op) {
3760	case Audit_equal:
3761	match = (ctxt->role == rule->au_ctxt.role);
3762	break;
3763	case Audit_not_equal:
3764	match = (ctxt->role != rule->au_ctxt.role);
3765	break;
3766	}
3767	break;
3768	case AUDIT_SUBJ_TYPE:
3769	case AUDIT_OBJ_TYPE:
3770	switch (op) {
3771	case Audit_equal:
3772	match = (ctxt->type == rule->au_ctxt.type);
3773	break;
3774	case Audit_not_equal:
3775	match = (ctxt->type != rule->au_ctxt.type);
3776	break;
3777	}
3778	break;
3779	case AUDIT_SUBJ_SEN:
3780	case AUDIT_SUBJ_CLR:
3781	case AUDIT_OBJ_LEV_LOW:
3782	case AUDIT_OBJ_LEV_HIGH:
3783	level = ((field == AUDIT_SUBJ_SEN \|\|
3784	field == AUDIT_OBJ_LEV_LOW) ?
3785	&ctxt->range.level[`0`] : &ctxt->range.level[`1`]);
3786	switch (op) {
3787	case Audit_equal:
3788	match = mls_level_eq(l1: &rule->au_ctxt.range.level[`0`],
3789	l2: level);
3790	break;
3791	case Audit_not_equal:
3792	match = !mls_level_eq(l1: &rule->au_ctxt.range.level[`0`],
3793	l2: level);
3794	break;
3795	case Audit_lt:
3796	match = (mls_level_dom(l1: &rule->au_ctxt.range.level[`0`],
3797	l2: level) &&
3798	!mls_level_eq(l1: &rule->au_ctxt.range.level[`0`],
3799	l2: level));
3800	break;
3801	case Audit_le:
3802	match = mls_level_dom(l1: &rule->au_ctxt.range.level[`0`],
3803	l2: level);
3804	break;
3805	case Audit_gt:
3806	match = (mls_level_dom(l1: level,
3807	l2: &rule->au_ctxt.range.level[`0`]) &&
3808	!mls_level_eq(l1: level,
3809	l2: &rule->au_ctxt.range.level[`0`]));
3810	break;
3811	case Audit_ge:
3812	match = mls_level_dom(l1: level,
3813	l2: &rule->au_ctxt.range.level[`0`]);
3814	break;
3815	}
3816	}
3817
3818	out:
3819	rcu_read_unlock();
3820	return match;
3821	}
3822
3823	static int aurule_avc_callback(u32 event)
3824	{
3825	if (event == AVC_CALLBACK_RESET)
3826	return audit_update_lsm_rules();
3827	return `0`;
3828	}
3829
3830	static int __init aurule_init(void)
3831	{
3832	int err;
3833
3834	err = avc_add_callback(callback: aurule_avc_callback, AVC_CALLBACK_RESET);
3835	if (err)
3836	panic(fmt: "avc_add_callback() failed, error %d\n", err);
3837
3838	return err;
3839	}
3840	__initcall(aurule_init);
3841
3842	#ifdef CONFIG_NETLABEL
3843	/**
3844	* security_netlbl_cache_add - Add an entry to the NetLabel cache
3845	* @secattr: the NetLabel packet security attributes
3846	* @sid: the SELinux SID
3847	*
3848	* Description:
3849	* Attempt to cache the context in @ctx, which was derived from the packet in
3850	* @skb, in the NetLabel subsystem cache. This function assumes @secattr has
3851	* already been initialized.
3852	*
3853	*/
3854	static void security_netlbl_cache_add(struct netlbl_lsm_secattr *secattr,
3855	u32 sid)
3856	{
3857	u32 *sid_cache;
3858
3859	sid_cache = kmalloc(sizeof(*sid_cache), GFP_ATOMIC);
3860	if (sid_cache == NULL)
3861	return;
3862	secattr->cache = netlbl_secattr_cache_alloc(GFP_ATOMIC);
3863	if (secattr->cache == NULL) {
3864	kfree(objp: sid_cache);
3865	return;
3866	}
3867
3868	*sid_cache = sid;
3869	secattr->cache->free = kfree;
3870	secattr->cache->data = sid_cache;
3871	secattr->flags \|= NETLBL_SECATTR_CACHE;
3872	}
3873
3874	/**
3875	* security_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID
3876	* @secattr: the NetLabel packet security attributes
3877	* @sid: the SELinux SID
3878	*
3879	* Description:
3880	* Convert the given NetLabel security attributes in @secattr into a
3881	* SELinux SID. If the @secattr field does not contain a full SELinux
3882	* SID/context then use SECINITSID_NETMSG as the foundation. If possible the
3883	* 'cache' field of @secattr is set and the CACHE flag is set; this is to
3884	* allow the @secattr to be used by NetLabel to cache the secattr to SID
3885	* conversion for future lookups. Returns zero on success, negative values on
3886	* failure.
3887	*
3888	*/
3889	int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,
3890	u32 *sid)
3891	{
3892	struct selinux_policy *policy;
3893	struct policydb *policydb;
3894	struct sidtab *sidtab;
3895	int rc;
3896	struct context *ctx;
3897	struct context ctx_new;
3898
3899	if (!selinux_initialized()) {
3900	*sid = SECSID_NULL;
3901	return `0`;
3902	}
3903
3904	retry:
3905	rc = `0`;
3906	rcu_read_lock();
3907	policy = rcu_dereference(selinux_state.policy);
3908	policydb = &policy->policydb;
3909	sidtab = policy->sidtab;
3910
3911	if (secattr->flags & NETLBL_SECATTR_CACHE)
3912	sid = (u32 *)secattr->cache->data;
3913	else if (secattr->flags & NETLBL_SECATTR_SECID)
3914	*sid = secattr->attr.secid;
3915	else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) {
3916	rc = -EIDRM;
3917	ctx = sidtab_search(s: sidtab, SECINITSID_NETMSG);
3918	if (ctx == NULL)
3919	goto out;
3920
3921	context_init(c: &ctx_new);
3922	ctx_new.user = ctx->user;
3923	ctx_new.role = ctx->role;
3924	ctx_new.type = ctx->type;
3925	mls_import_netlbl_lvl(p: policydb, context: &ctx_new, secattr);
3926	if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {
3927	rc = mls_import_netlbl_cat(p: policydb, context: &ctx_new, secattr);
3928	if (rc)
3929	goto out;
3930	}
3931	rc = -EIDRM;
3932	if (!mls_context_isvalid(p: policydb, c: &ctx_new)) {
3933	ebitmap_destroy(e: &ctx_new.range.level[`0`].cat);
3934	goto out;
3935	}
3936
3937	rc = sidtab_context_to_sid(s: sidtab, context: &ctx_new, sid);
3938	ebitmap_destroy(e: &ctx_new.range.level[`0`].cat);
3939	if (rc == -ESTALE) {
3940	rcu_read_unlock();
3941	goto retry;
3942	}
3943	if (rc)
3944	goto out;
3945
3946	security_netlbl_cache_add(secattr, sid: *sid);
3947	} else
3948	*sid = SECSID_NULL;
3949
3950	out:
3951	rcu_read_unlock();
3952	return rc;
3953	}
3954
3955	/**
3956	* security_netlbl_sid_to_secattr - Convert a SELinux SID to a NetLabel secattr
3957	* @sid: the SELinux SID
3958	* @secattr: the NetLabel packet security attributes
3959	*
3960	* Description:
3961	* Convert the given SELinux SID in @sid into a NetLabel security attribute.
3962	* Returns zero on success, negative values on failure.
3963	*
3964	*/
3965	int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr)
3966	{
3967	struct selinux_policy *policy;
3968	struct policydb *policydb;
3969	int rc;
3970	struct context *ctx;
3971
3972	if (!selinux_initialized())
3973	return `0`;
3974
3975	rcu_read_lock();
3976	policy = rcu_dereference(selinux_state.policy);
3977	policydb = &policy->policydb;
3978
3979	rc = -ENOENT;
3980	ctx = sidtab_search(s: policy->sidtab, sid);
3981	if (ctx == NULL)
3982	goto out;
3983
3984	rc = -ENOMEM;
3985	secattr->domain = kstrdup(s: sym_name(p: policydb, SYM_TYPES, element_nr: ctx->type - `1`),
3986	GFP_ATOMIC);
3987	if (secattr->domain == NULL)
3988	goto out;
3989
3990	secattr->attr.secid = sid;
3991	secattr->flags \|= NETLBL_SECATTR_DOMAIN_CPY \| NETLBL_SECATTR_SECID;
3992	mls_export_netlbl_lvl(p: policydb, context: ctx, secattr);
3993	rc = mls_export_netlbl_cat(p: policydb, context: ctx, secattr);
3994	out:
3995	rcu_read_unlock();
3996	return rc;
3997	}
3998	#endif /* CONFIG_NETLABEL */
3999
4000	/**
4001	* __security_read_policy - read the policy.
4002	* @policy: SELinux policy
4003	* @data: binary policy data
4004	* @len: length of data in bytes
4005	*
4006	*/
4007	static int __security_read_policy(struct selinux_policy *policy,
4008	void data, size_t len)
4009	{
4010	int rc;
4011	struct policy_file fp;
4012
4013	fp.data = data;
4014	fp.len = *len;
4015
4016	rc = policydb_write(p: &policy->policydb, fp: &fp);
4017	if (rc)
4018	return rc;
4019
4020	len = (unsigned* long)fp.data - (unsigned long)data;
4021	return `0`;
4022	}
4023
4024	/**
4025	* security_read_policy - read the policy.
4026	* @data: binary policy data
4027	* @len: length of data in bytes
4028	*
4029	*/
4030	int security_read_policy(void *data, size_t len)
4031	{
4032	struct selinux_state *state = &selinux_state;
4033	struct selinux_policy *policy;
4034
4035	policy = rcu_dereference_protected(
4036	state->policy, lockdep_is_held(&state->policy_mutex));
4037	if (!policy)
4038	return -EINVAL;
4039
4040	*len = policy->policydb.len;
4041	data = vmalloc_user(len);
4042	if (!*data)
4043	return -ENOMEM;
4044
4045	return __security_read_policy(policy, data: *data, len);
4046	}
4047
4048	/**
4049	* security_read_state_kernel - read the policy.
4050	* @data: binary policy data
4051	* @len: length of data in bytes
4052	*
4053	* Allocates kernel memory for reading SELinux policy.
4054	* This function is for internal use only and should not
4055	* be used for returning data to user space.
4056	*
4057	* This function must be called with policy_mutex held.
4058	*/
4059	int security_read_state_kernel(void *data, size_t len)
4060	{
4061	int err;
4062	struct selinux_state *state = &selinux_state;
4063	struct selinux_policy *policy;
4064
4065	policy = rcu_dereference_protected(
4066	state->policy, lockdep_is_held(&state->policy_mutex));
4067	if (!policy)
4068	return -EINVAL;
4069
4070	*len = policy->policydb.len;
4071	data = vmalloc(len);
4072	if (!*data)
4073	return -ENOMEM;
4074
4075	err = __security_read_policy(policy, data: *data, len);
4076	if (err) {
4077	vfree(addr: *data);
4078	*data = NULL;
4079	*len = `0`;
4080	}
4081	return err;
4082	}
4083

Browse the source code of Linux/security/selinux/ss/services.c