1
2 /*
3 * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
4 */
5 /*
6 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
7 *
8 * Support for enhanced MLS infrastructure.
9 *
10 * Updated: Frank Mayer <mayerf@tresys.com>
11 * and Karl MacMillan <kmacmillan@tresys.com>
12 *
13 * Added conditional policy language extensions
14 *
15 * Updated: Red Hat, Inc. James Morris <jmorris@redhat.com>
16 *
17 * Fine-grained netlink support
18 * IPv6 support
19 * Code cleanup
20 *
21 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
22 * Copyright (C) 2003 - 2004 Tresys Technology, LLC
23 * Copyright (C) 2003 - 2004 Red Hat, Inc.
24 *
25 * This library is free software; you can redistribute it and/or
26 * modify it under the terms of the GNU Lesser General Public
27 * License as published by the Free Software Foundation; either
28 * version 2.1 of the License, or (at your option) any later version.
29 *
30 * This library is distributed in the hope that it will be useful,
31 * but WITHOUT ANY WARRANTY; without even the implied warranty of
32 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
33 * Lesser General Public License for more details.
34 *
35 * You should have received a copy of the GNU Lesser General Public
36 * License along with this library; if not, write to the Free Software
37 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
38 */
39
40 /* FLASK */
41
42 /*
43 * Implementation of the security services.
44 */
45
46 /* Initial sizes malloc'd for sepol_compute_av_reason_buffer() support */
47 #define REASON_BUF_SIZE 2048
48 #define EXPR_BUF_SIZE 1024
49 #define STACK_LEN 32
50
51 #include <stdlib.h>
52 #include <sys/types.h>
53 #include <sys/socket.h>
54 #include <netinet/in.h>
55 #include <arpa/inet.h>
56
57 #include <sepol/policydb/policydb.h>
58 #include <sepol/policydb/sidtab.h>
59 #include <sepol/policydb/services.h>
60 #include <sepol/policydb/conditional.h>
61 #include <sepol/policydb/flask.h>
62 #include <sepol/policydb/util.h>
63
64 #include "debug.h"
65 #include "private.h"
66 #include "context.h"
67 #include "av_permissions.h"
68 #include "dso.h"
69 #include "mls.h"
70
71 #define BUG() do { ERR(NULL, "Badness at %s:%d", __FILE__, __LINE__); } while (0)
72 #define BUG_ON(x) do { if (x) ERR(NULL, "Badness at %s:%d", __FILE__, __LINE__); } while (0)
73
74 static int selinux_enforcing = 1;
75
76 static sidtab_t mysidtab, *sidtab = &mysidtab;
77 static policydb_t mypolicydb, *policydb = &mypolicydb;
78
79 /* Used by sepol_compute_av_reason_buffer() to keep track of entries */
80 static int reason_buf_used;
81 static int reason_buf_len;
82
83 /* Stack services for RPN to infix conversion. */
84 static char **stack;
85 static int stack_len;
86 static int next_stack_entry;
87
push(char * expr_ptr)88 static void push(char *expr_ptr)
89 {
90 if (next_stack_entry >= stack_len) {
91 char **new_stack = stack;
92 int new_stack_len;
93
94 if (stack_len == 0)
95 new_stack_len = STACK_LEN;
96 else
97 new_stack_len = stack_len * 2;
98
99 new_stack = realloc(stack, new_stack_len * sizeof(*stack));
100 if (!new_stack) {
101 ERR(NULL, "unable to allocate stack space");
102 return;
103 }
104 stack_len = new_stack_len;
105 stack = new_stack;
106 }
107 stack[next_stack_entry] = expr_ptr;
108 next_stack_entry++;
109 }
110
pop(void)111 static char *pop(void)
112 {
113 next_stack_entry--;
114 if (next_stack_entry < 0) {
115 next_stack_entry = 0;
116 ERR(NULL, "pop called with no stack entries");
117 return NULL;
118 }
119 return stack[next_stack_entry];
120 }
121 /* End Stack services */
122
sepol_set_sidtab(sidtab_t * s)123 int hidden sepol_set_sidtab(sidtab_t * s)
124 {
125 sidtab = s;
126 return 0;
127 }
128
sepol_set_policydb(policydb_t * p)129 int hidden sepol_set_policydb(policydb_t * p)
130 {
131 policydb = p;
132 return 0;
133 }
134
sepol_set_policydb_from_file(FILE * fp)135 int sepol_set_policydb_from_file(FILE * fp)
136 {
137 struct policy_file pf;
138
139 policy_file_init(&pf);
140 pf.fp = fp;
141 pf.type = PF_USE_STDIO;
142 if (mypolicydb.policy_type)
143 policydb_destroy(&mypolicydb);
144 if (policydb_init(&mypolicydb)) {
145 ERR(NULL, "Out of memory!");
146 return -1;
147 }
148 if (policydb_read(&mypolicydb, &pf, 0)) {
149 policydb_destroy(&mypolicydb);
150 ERR(NULL, "can't read binary policy: %s", strerror(errno));
151 return -1;
152 }
153 policydb = &mypolicydb;
154 return sepol_sidtab_init(sidtab);
155 }
156
157 /*
158 * The largest sequence number that has been used when
159 * providing an access decision to the access vector cache.
160 * The sequence number only changes when a policy change
161 * occurs.
162 */
163 static uint32_t latest_granting = 0;
164
165 /*
166 * cat_expr_buf adds a string to an expression buffer and handles
167 * realloc's if buffer is too small. The array of expression text
168 * buffer pointers and its counter are globally defined here as
169 * constraint_expr_eval_reason() sets them up and cat_expr_buf
170 * updates the e_buf pointer.
171 */
172 static int expr_counter;
173 static char **expr_list;
174 static int expr_buf_used;
175 static int expr_buf_len;
176
cat_expr_buf(char * e_buf,char * string)177 static void cat_expr_buf(char *e_buf, char *string)
178 {
179 int len, new_buf_len;
180 char *p, *new_buf = e_buf;
181
182 while (1) {
183 p = e_buf + expr_buf_used;
184 len = snprintf(p, expr_buf_len - expr_buf_used, "%s", string);
185 if (len < 0 || len >= expr_buf_len - expr_buf_used) {
186 new_buf_len = expr_buf_len + EXPR_BUF_SIZE;
187 new_buf = realloc(e_buf, new_buf_len);
188 if (!new_buf) {
189 ERR(NULL, "failed to realloc expr buffer");
190 return;
191 }
192 /* Update new ptr in expr list and locally + new len */
193 expr_list[expr_counter] = new_buf;
194 e_buf = new_buf;
195 expr_buf_len = new_buf_len;
196 } else {
197 expr_buf_used += len;
198 return;
199 }
200 }
201 }
202
203 /*
204 * If the POLICY_KERN version is >= POLICYDB_VERSION_CONSTRAINT_NAMES,
205 * then for 'types' only, read the types_names->types list as it will
206 * contain a list of types and attributes that were defined in the
207 * policy source.
208 * For user and role plus types (for policy vers <
209 * POLICYDB_VERSION_CONSTRAINT_NAMES) just read the e->names list.
210 */
get_name_list(constraint_expr_t * e,int type,char * src,char * op,int failed)211 static void get_name_list(constraint_expr_t *e, int type,
212 char *src, char *op, int failed)
213 {
214 ebitmap_t *types;
215 int rc = 0;
216 unsigned int i;
217 char tmp_buf[128];
218 int counter = 0;
219
220 if (policydb->policy_type == POLICY_KERN &&
221 policydb->policyvers >= POLICYDB_VERSION_CONSTRAINT_NAMES &&
222 type == CEXPR_TYPE)
223 types = &e->type_names->types;
224 else
225 types = &e->names;
226
227 /* Find out how many entries */
228 for (i = ebitmap_startbit(types); i < ebitmap_length(types); i++) {
229 rc = ebitmap_get_bit(types, i);
230 if (rc == 0)
231 continue;
232 else
233 counter++;
234 }
235 snprintf(tmp_buf, sizeof(tmp_buf), "(%s%s", src, op);
236 cat_expr_buf(expr_list[expr_counter], tmp_buf);
237
238 if (counter == 0)
239 cat_expr_buf(expr_list[expr_counter], "<empty_set> ");
240 if (counter > 1)
241 cat_expr_buf(expr_list[expr_counter], " {");
242 if (counter >= 1) {
243 for (i = ebitmap_startbit(types); i < ebitmap_length(types); i++) {
244 rc = ebitmap_get_bit(types, i);
245 if (rc == 0)
246 continue;
247
248 /* Collect entries */
249 switch (type) {
250 case CEXPR_USER:
251 snprintf(tmp_buf, sizeof(tmp_buf), " %s",
252 policydb->p_user_val_to_name[i]);
253 break;
254 case CEXPR_ROLE:
255 snprintf(tmp_buf, sizeof(tmp_buf), " %s",
256 policydb->p_role_val_to_name[i]);
257 break;
258 case CEXPR_TYPE:
259 snprintf(tmp_buf, sizeof(tmp_buf), " %s",
260 policydb->p_type_val_to_name[i]);
261 break;
262 }
263 cat_expr_buf(expr_list[expr_counter], tmp_buf);
264 }
265 }
266 if (counter > 1)
267 cat_expr_buf(expr_list[expr_counter], " }");
268 if (failed)
269 cat_expr_buf(expr_list[expr_counter], " -Fail-) ");
270 else
271 cat_expr_buf(expr_list[expr_counter], ") ");
272
273 return;
274 }
275
msgcat(char * src,char * tgt,char * op,int failed)276 static void msgcat(char *src, char *tgt, char *op, int failed)
277 {
278 char tmp_buf[128];
279 if (failed)
280 snprintf(tmp_buf, sizeof(tmp_buf), "(%s %s %s -Fail-) ",
281 src, op, tgt);
282 else
283 snprintf(tmp_buf, sizeof(tmp_buf), "(%s %s %s) ",
284 src, op, tgt);
285 cat_expr_buf(expr_list[expr_counter], tmp_buf);
286 }
287
288 /* Returns a buffer with class, statement type and permissions */
get_class_info(sepol_security_class_t tclass,constraint_node_t * constraint,context_struct_t * xcontext)289 static char *get_class_info(sepol_security_class_t tclass,
290 constraint_node_t *constraint,
291 context_struct_t *xcontext)
292 {
293 constraint_expr_t *e;
294 int mls, state_num;
295
296 /* Find if MLS statement or not */
297 mls = 0;
298 for (e = constraint->expr; e; e = e->next) {
299 if (e->attr >= CEXPR_L1L2) {
300 mls = 1;
301 break;
302 }
303 }
304
305 /* Determine statement type */
306 char *statements[] = {
307 "constrain ", /* 0 */
308 "mlsconstrain ", /* 1 */
309 "validatetrans ", /* 2 */
310 "mlsvalidatetrans ", /* 3 */
311 0 };
312
313 if (xcontext == NULL)
314 state_num = mls + 0;
315 else
316 state_num = mls + 2;
317
318 int class_buf_len = 0;
319 int new_class_buf_len;
320 int len, buf_used;
321 char *class_buf = NULL, *p;
322 char *new_class_buf = NULL;
323
324 while (1) {
325 new_class_buf_len = class_buf_len + EXPR_BUF_SIZE;
326 new_class_buf = realloc(class_buf, new_class_buf_len);
327 if (!new_class_buf)
328 return NULL;
329 class_buf_len = new_class_buf_len;
330 class_buf = new_class_buf;
331 buf_used = 0;
332 p = class_buf;
333
334 /* Add statement type */
335 len = snprintf(p, class_buf_len - buf_used, "%s", statements[state_num]);
336 if (len < 0 || len >= class_buf_len - buf_used)
337 continue;
338
339 /* Add class entry */
340 p += len;
341 buf_used += len;
342 len = snprintf(p, class_buf_len - buf_used, "%s ",
343 policydb->p_class_val_to_name[tclass - 1]);
344 if (len < 0 || len >= class_buf_len - buf_used)
345 continue;
346
347 /* Add permission entries */
348 p += len;
349 buf_used += len;
350 len = snprintf(p, class_buf_len - buf_used, "{%s } (",
351 sepol_av_to_string(policydb, tclass, constraint->permissions));
352 if (len < 0 || len >= class_buf_len - buf_used)
353 continue;
354 break;
355 }
356 return class_buf;
357 }
358
359 /*
360 * Modified version of constraint_expr_eval that will process each
361 * constraint as before but adds the information to text buffers that
362 * will hold various components. The expression will be in RPN format,
363 * therefore there is a stack based RPN to infix converter to produce
364 * the final readable constraint.
365 *
366 * Return the boolean value of a constraint expression
367 * when it is applied to the specified source and target
368 * security contexts.
369 *
370 * xcontext is a special beast... It is used by the validatetrans rules
371 * only. For these rules, scontext is the context before the transition,
372 * tcontext is the context after the transition, and xcontext is the
373 * context of the process performing the transition. All other callers
374 * of constraint_expr_eval_reason should pass in NULL for xcontext.
375 *
376 * This function will also build a buffer as the constraint is processed
377 * for analysis. If this option is not required, then:
378 * 'tclass' should be '0' and r_buf MUST be NULL.
379 */
constraint_expr_eval_reason(context_struct_t * scontext,context_struct_t * tcontext,context_struct_t * xcontext,sepol_security_class_t tclass,constraint_node_t * constraint,char ** r_buf,unsigned int flags)380 static int constraint_expr_eval_reason(context_struct_t *scontext,
381 context_struct_t *tcontext,
382 context_struct_t *xcontext,
383 sepol_security_class_t tclass,
384 constraint_node_t *constraint,
385 char **r_buf,
386 unsigned int flags)
387 {
388 uint32_t val1, val2;
389 context_struct_t *c;
390 role_datum_t *r1, *r2;
391 mls_level_t *l1, *l2;
392 constraint_expr_t *e;
393 int s[CEXPR_MAXDEPTH];
394 int sp = -1;
395 char tmp_buf[128];
396
397 /*
398 * Define the s_t_x_num values that make up r1, t2 etc. in text strings
399 * Set 1 = source, 2 = target, 3 = xcontext for validatetrans
400 */
401 #define SOURCE 1
402 #define TARGET 2
403 #define XTARGET 3
404
405 int s_t_x_num = SOURCE;
406
407 /* Set 0 = fail, u = CEXPR_USER, r = CEXPR_ROLE, t = CEXPR_TYPE */
408 int u_r_t = 0;
409
410 char *src = NULL;
411 char *tgt = NULL;
412 int rc = 0, x;
413 char *class_buf = NULL;
414
415 class_buf = get_class_info(tclass, constraint, xcontext);
416 if (!class_buf) {
417 ERR(NULL, "failed to allocate class buffer");
418 return -ENOMEM;
419 }
420
421 /* Original function but with buffer support */
422 int expr_list_len = 0;
423 expr_counter = 0;
424 expr_list = NULL;
425 for (e = constraint->expr; e; e = e->next) {
426 /* Allocate a stack to hold expression buffer entries */
427 if (expr_counter >= expr_list_len) {
428 char **new_expr_list = expr_list;
429 int new_expr_list_len;
430
431 if (expr_list_len == 0)
432 new_expr_list_len = STACK_LEN;
433 else
434 new_expr_list_len = expr_list_len * 2;
435
436 new_expr_list = realloc(expr_list,
437 new_expr_list_len * sizeof(*expr_list));
438 if (!new_expr_list) {
439 ERR(NULL, "failed to allocate expr buffer stack");
440 rc = -ENOMEM;
441 goto out;
442 }
443 expr_list_len = new_expr_list_len;
444 expr_list = new_expr_list;
445 }
446
447 /*
448 * malloc a buffer to store each expression text component. If
449 * buffer is too small cat_expr_buf() will realloc extra space.
450 */
451 expr_buf_len = EXPR_BUF_SIZE;
452 expr_list[expr_counter] = malloc(expr_buf_len);
453 if (!expr_list[expr_counter]) {
454 ERR(NULL, "failed to allocate expr buffer");
455 rc = -ENOMEM;
456 goto out;
457 }
458 expr_buf_used = 0;
459
460 /* Now process each expression of the constraint */
461 switch (e->expr_type) {
462 case CEXPR_NOT:
463 BUG_ON(sp < 0);
464 s[sp] = !s[sp];
465 cat_expr_buf(expr_list[expr_counter], "not");
466 break;
467 case CEXPR_AND:
468 BUG_ON(sp < 1);
469 sp--;
470 s[sp] &= s[sp + 1];
471 cat_expr_buf(expr_list[expr_counter], "and");
472 break;
473 case CEXPR_OR:
474 BUG_ON(sp < 1);
475 sp--;
476 s[sp] |= s[sp + 1];
477 cat_expr_buf(expr_list[expr_counter], "or");
478 break;
479 case CEXPR_ATTR:
480 if (sp == (CEXPR_MAXDEPTH - 1))
481 goto out;
482
483 switch (e->attr) {
484 case CEXPR_USER:
485 val1 = scontext->user;
486 val2 = tcontext->user;
487 free(src); src = strdup("u1");
488 free(tgt); tgt = strdup("u2");
489 break;
490 case CEXPR_TYPE:
491 val1 = scontext->type;
492 val2 = tcontext->type;
493 free(src); src = strdup("t1");
494 free(tgt); tgt = strdup("t2");
495 break;
496 case CEXPR_ROLE:
497 val1 = scontext->role;
498 val2 = tcontext->role;
499 r1 = policydb->role_val_to_struct[val1 - 1];
500 r2 = policydb->role_val_to_struct[val2 - 1];
501 free(src); src = strdup("r1");
502 free(tgt); tgt = strdup("r2");
503
504 switch (e->op) {
505 case CEXPR_DOM:
506 s[++sp] = ebitmap_get_bit(&r1->dominates, val2 - 1);
507 msgcat(src, tgt, "dom", s[sp] == 0);
508 expr_counter++;
509 continue;
510 case CEXPR_DOMBY:
511 s[++sp] = ebitmap_get_bit(&r2->dominates, val1 - 1);
512 msgcat(src, tgt, "domby", s[sp] == 0);
513 expr_counter++;
514 continue;
515 case CEXPR_INCOMP:
516 s[++sp] = (!ebitmap_get_bit(&r1->dominates, val2 - 1)
517 && !ebitmap_get_bit(&r2->dominates, val1 - 1));
518 msgcat(src, tgt, "incomp", s[sp] == 0);
519 expr_counter++;
520 continue;
521 default:
522 break;
523 }
524 break;
525 case CEXPR_L1L2:
526 l1 = &(scontext->range.level[0]);
527 l2 = &(tcontext->range.level[0]);
528 free(src); src = strdup("l1");
529 free(tgt); tgt = strdup("l2");
530 goto mls_ops;
531 case CEXPR_L1H2:
532 l1 = &(scontext->range.level[0]);
533 l2 = &(tcontext->range.level[1]);
534 free(src); src = strdup("l1");
535 free(tgt); tgt = strdup("h2");
536 goto mls_ops;
537 case CEXPR_H1L2:
538 l1 = &(scontext->range.level[1]);
539 l2 = &(tcontext->range.level[0]);
540 free(src); src = strdup("h1");
541 free(tgt); tgt = strdup("l2");
542 goto mls_ops;
543 case CEXPR_H1H2:
544 l1 = &(scontext->range.level[1]);
545 l2 = &(tcontext->range.level[1]);
546 free(src); src = strdup("h1");
547 free(tgt); tgt = strdup("h2");
548 goto mls_ops;
549 case CEXPR_L1H1:
550 l1 = &(scontext->range.level[0]);
551 l2 = &(scontext->range.level[1]);
552 free(src); src = strdup("l1");
553 free(tgt); tgt = strdup("h1");
554 goto mls_ops;
555 case CEXPR_L2H2:
556 l1 = &(tcontext->range.level[0]);
557 l2 = &(tcontext->range.level[1]);
558 free(src); src = strdup("l2");
559 free(tgt); tgt = strdup("h2");
560 mls_ops:
561 switch (e->op) {
562 case CEXPR_EQ:
563 s[++sp] = mls_level_eq(l1, l2);
564 msgcat(src, tgt, "eq", s[sp] == 0);
565 expr_counter++;
566 continue;
567 case CEXPR_NEQ:
568 s[++sp] = !mls_level_eq(l1, l2);
569 msgcat(src, tgt, "!=", s[sp] == 0);
570 expr_counter++;
571 continue;
572 case CEXPR_DOM:
573 s[++sp] = mls_level_dom(l1, l2);
574 msgcat(src, tgt, "dom", s[sp] == 0);
575 expr_counter++;
576 continue;
577 case CEXPR_DOMBY:
578 s[++sp] = mls_level_dom(l2, l1);
579 msgcat(src, tgt, "domby", s[sp] == 0);
580 expr_counter++;
581 continue;
582 case CEXPR_INCOMP:
583 s[++sp] = mls_level_incomp(l2, l1);
584 msgcat(src, tgt, "incomp", s[sp] == 0);
585 expr_counter++;
586 continue;
587 default:
588 BUG();
589 goto out;
590 }
591 break;
592 default:
593 BUG();
594 goto out;
595 }
596
597 switch (e->op) {
598 case CEXPR_EQ:
599 s[++sp] = (val1 == val2);
600 msgcat(src, tgt, "==", s[sp] == 0);
601 break;
602 case CEXPR_NEQ:
603 s[++sp] = (val1 != val2);
604 msgcat(src, tgt, "!=", s[sp] == 0);
605 break;
606 default:
607 BUG();
608 goto out;
609 }
610 break;
611 case CEXPR_NAMES:
612 if (sp == (CEXPR_MAXDEPTH - 1))
613 goto out;
614 s_t_x_num = SOURCE;
615 c = scontext;
616 if (e->attr & CEXPR_TARGET) {
617 s_t_x_num = TARGET;
618 c = tcontext;
619 } else if (e->attr & CEXPR_XTARGET) {
620 s_t_x_num = XTARGET;
621 c = xcontext;
622 }
623 if (!c) {
624 BUG();
625 goto out;
626 }
627 if (e->attr & CEXPR_USER) {
628 u_r_t = CEXPR_USER;
629 val1 = c->user;
630 snprintf(tmp_buf, sizeof(tmp_buf), "u%d ", s_t_x_num);
631 free(src); src = strdup(tmp_buf);
632 } else if (e->attr & CEXPR_ROLE) {
633 u_r_t = CEXPR_ROLE;
634 val1 = c->role;
635 snprintf(tmp_buf, sizeof(tmp_buf), "r%d ", s_t_x_num);
636 free(src); src = strdup(tmp_buf);
637 } else if (e->attr & CEXPR_TYPE) {
638 u_r_t = CEXPR_TYPE;
639 val1 = c->type;
640 snprintf(tmp_buf, sizeof(tmp_buf), "t%d ", s_t_x_num);
641 free(src); src = strdup(tmp_buf);
642 } else {
643 BUG();
644 goto out;
645 }
646
647 switch (e->op) {
648 case CEXPR_EQ:
649 s[++sp] = ebitmap_get_bit(&e->names, val1 - 1);
650 get_name_list(e, u_r_t, src, "==", s[sp] == 0);
651 break;
652
653 case CEXPR_NEQ:
654 s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1);
655 get_name_list(e, u_r_t, src, "!=", s[sp] == 0);
656 break;
657 default:
658 BUG();
659 goto out;
660 }
661 break;
662 default:
663 BUG();
664 goto out;
665 }
666 expr_counter++;
667 }
668
669 /*
670 * At this point each expression of the constraint is in
671 * expr_list[n+1] and in RPN format. Now convert to 'infix'
672 */
673
674 /*
675 * Save expr count but zero expr_counter to detect if
676 * 'BUG(); goto out;' was called as we need to release any used
677 * expr_list malloc's. Normally they are released by the RPN to
678 * infix code.
679 */
680 int expr_count = expr_counter;
681 expr_counter = 0;
682
683 /*
684 * The array of expression answer buffer pointers and counter.
685 * Generate the same number of answer buffer entries as expression
686 * buffers (as there will never be more).
687 */
688 char **answer_list;
689 int answer_counter = 0;
690
691 answer_list = malloc(expr_count * sizeof(*answer_list));
692 if (!answer_list) {
693 ERR(NULL, "failed to allocate answer stack");
694 rc = -ENOMEM;
695 goto out;
696 }
697
698 /* The pop operands */
699 char *a;
700 char *b;
701 int a_len, b_len;
702
703 /* Convert constraint from RPN to infix notation. */
704 for (x = 0; x != expr_count; x++) {
705 if (strncmp(expr_list[x], "and", 3) == 0 || strncmp(expr_list[x],
706 "or", 2) == 0) {
707 b = pop();
708 b_len = strlen(b);
709 a = pop();
710 a_len = strlen(a);
711
712 /* get a buffer to hold the answer */
713 answer_list[answer_counter] = malloc(a_len + b_len + 8);
714 if (!answer_list[answer_counter]) {
715 ERR(NULL, "failed to allocate answer buffer");
716 rc = -ENOMEM;
717 goto out;
718 }
719 memset(answer_list[answer_counter], '\0', a_len + b_len + 8);
720
721 sprintf(answer_list[answer_counter], "%s %s %s", a,
722 expr_list[x], b);
723 push(answer_list[answer_counter++]);
724 free(a);
725 free(b);
726 } else if (strncmp(expr_list[x], "not", 3) == 0) {
727 b = pop();
728 b_len = strlen(b);
729
730 answer_list[answer_counter] = malloc(b_len + 8);
731 if (!answer_list[answer_counter]) {
732 ERR(NULL, "failed to allocate answer buffer");
733 rc = -ENOMEM;
734 goto out;
735 }
736 memset(answer_list[answer_counter], '\0', b_len + 8);
737
738 if (strncmp(b, "not", 3) == 0)
739 sprintf(answer_list[answer_counter], "%s (%s)",
740 expr_list[x], b);
741 else
742 sprintf(answer_list[answer_counter], "%s%s",
743 expr_list[x], b);
744 push(answer_list[answer_counter++]);
745 free(b);
746 } else {
747 push(expr_list[x]);
748 }
749 }
750 /* Get the final answer from tos and build constraint text */
751 a = pop();
752
753 /* Constraint calculation: rc = 0 is denied, rc = 1 is granted */
754 sprintf(tmp_buf, "Constraint %s\n", s[0] ? "GRANTED" : "DENIED");
755
756 int len, new_buf_len;
757 char *p, **new_buf = r_buf;
758 /*
759 * These contain the constraint components that are added to the
760 * callers reason buffer.
761 */
762 char *buffers[] = { class_buf, a, "); ", tmp_buf, 0 };
763
764 /*
765 * This will add the constraints to the callers reason buffer (who is
766 * responsible for freeing the memory). It will handle any realloc's
767 * should the buffer be too short.
768 * The reason_buf_used and reason_buf_len counters are defined
769 * globally as multiple constraints can be in the buffer.
770 */
771
772 if (r_buf && ((s[0] == 0) || ((s[0] == 1 &&
773 (flags & SHOW_GRANTED) == SHOW_GRANTED)))) {
774 for (x = 0; buffers[x] != NULL; x++) {
775 while (1) {
776 p = *r_buf + reason_buf_used;
777 len = snprintf(p, reason_buf_len - reason_buf_used,
778 "%s", buffers[x]);
779 if (len < 0 || len >= reason_buf_len - reason_buf_used) {
780 new_buf_len = reason_buf_len + REASON_BUF_SIZE;
781 *new_buf = realloc(*r_buf, new_buf_len);
782 if (!new_buf) {
783 ERR(NULL, "failed to realloc reason buffer");
784 goto out1;
785 }
786 **r_buf = **new_buf;
787 reason_buf_len = new_buf_len;
788 continue;
789 } else {
790 reason_buf_used += len;
791 break;
792 }
793 }
794 }
795 }
796
797 out1:
798 rc = s[0];
799 free(a);
800
801 out:
802 free(class_buf);
803 free(src);
804 free(tgt);
805
806 if (expr_counter) {
807 for (x = 0; expr_list[x] != NULL; x++)
808 free(expr_list[x]);
809 }
810 return rc;
811 }
812
813 /*
814 * Compute access vectors based on a context structure pair for
815 * the permissions in a particular class.
816 */
context_struct_compute_av(context_struct_t * scontext,context_struct_t * tcontext,sepol_security_class_t tclass,sepol_access_vector_t requested,struct sepol_av_decision * avd,unsigned int * reason,char ** r_buf,unsigned int flags)817 static int context_struct_compute_av(context_struct_t * scontext,
818 context_struct_t * tcontext,
819 sepol_security_class_t tclass,
820 sepol_access_vector_t requested,
821 struct sepol_av_decision *avd,
822 unsigned int *reason,
823 char **r_buf,
824 unsigned int flags)
825 {
826 constraint_node_t *constraint;
827 struct role_allow *ra;
828 avtab_key_t avkey;
829 class_datum_t *tclass_datum;
830 avtab_ptr_t node;
831 ebitmap_t *sattr, *tattr;
832 ebitmap_node_t *snode, *tnode;
833 unsigned int i, j;
834
835 if (!tclass || tclass > policydb->p_classes.nprim) {
836 ERR(NULL, "unrecognized class %d", tclass);
837 return -EINVAL;
838 }
839 tclass_datum = policydb->class_val_to_struct[tclass - 1];
840
841 /*
842 * Initialize the access vectors to the default values.
843 */
844 avd->allowed = 0;
845 avd->decided = 0xffffffff;
846 avd->auditallow = 0;
847 avd->auditdeny = 0xffffffff;
848 avd->seqno = latest_granting;
849 *reason = 0;
850
851 /*
852 * If a specific type enforcement rule was defined for
853 * this permission check, then use it.
854 */
855 avkey.target_class = tclass;
856 avkey.specified = AVTAB_AV;
857 sattr = &policydb->type_attr_map[scontext->type - 1];
858 tattr = &policydb->type_attr_map[tcontext->type - 1];
859 ebitmap_for_each_bit(sattr, snode, i) {
860 if (!ebitmap_node_get_bit(snode, i))
861 continue;
862 ebitmap_for_each_bit(tattr, tnode, j) {
863 if (!ebitmap_node_get_bit(tnode, j))
864 continue;
865 avkey.source_type = i + 1;
866 avkey.target_type = j + 1;
867 for (node =
868 avtab_search_node(&policydb->te_avtab, &avkey);
869 node != NULL;
870 node =
871 avtab_search_node_next(node, avkey.specified)) {
872 if (node->key.specified == AVTAB_ALLOWED)
873 avd->allowed |= node->datum.data;
874 else if (node->key.specified ==
875 AVTAB_AUDITALLOW)
876 avd->auditallow |= node->datum.data;
877 else if (node->key.specified == AVTAB_AUDITDENY)
878 avd->auditdeny &= node->datum.data;
879 }
880
881 /* Check conditional av table for additional permissions */
882 cond_compute_av(&policydb->te_cond_avtab, &avkey, avd);
883
884 }
885 }
886
887 if (requested & ~avd->allowed) {
888 *reason |= SEPOL_COMPUTEAV_TE;
889 requested &= avd->allowed;
890 }
891
892 /*
893 * Remove any permissions prohibited by a constraint (this includes
894 * the MLS policy).
895 */
896 constraint = tclass_datum->constraints;
897 while (constraint) {
898 if ((constraint->permissions & (avd->allowed)) &&
899 !constraint_expr_eval_reason(scontext, tcontext, NULL,
900 tclass, constraint, r_buf, flags)) {
901 avd->allowed =
902 (avd->allowed) & ~(constraint->permissions);
903 }
904 constraint = constraint->next;
905 }
906
907 if (requested & ~avd->allowed) {
908 *reason |= SEPOL_COMPUTEAV_CONS;
909 requested &= avd->allowed;
910 }
911
912 /*
913 * If checking process transition permission and the
914 * role is changing, then check the (current_role, new_role)
915 * pair.
916 */
917 if (tclass == SECCLASS_PROCESS &&
918 (avd->allowed & (PROCESS__TRANSITION | PROCESS__DYNTRANSITION)) &&
919 scontext->role != tcontext->role) {
920 for (ra = policydb->role_allow; ra; ra = ra->next) {
921 if (scontext->role == ra->role &&
922 tcontext->role == ra->new_role)
923 break;
924 }
925 if (!ra)
926 avd->allowed = (avd->allowed) & ~(PROCESS__TRANSITION |
927 PROCESS__DYNTRANSITION);
928 }
929
930 if (requested & ~avd->allowed) {
931 *reason |= SEPOL_COMPUTEAV_RBAC;
932 requested &= avd->allowed;
933 }
934
935 return 0;
936 }
937
sepol_validate_transition(sepol_security_id_t oldsid,sepol_security_id_t newsid,sepol_security_id_t tasksid,sepol_security_class_t tclass)938 int hidden sepol_validate_transition(sepol_security_id_t oldsid,
939 sepol_security_id_t newsid,
940 sepol_security_id_t tasksid,
941 sepol_security_class_t tclass)
942 {
943 context_struct_t *ocontext;
944 context_struct_t *ncontext;
945 context_struct_t *tcontext;
946 class_datum_t *tclass_datum;
947 constraint_node_t *constraint;
948
949 if (!tclass || tclass > policydb->p_classes.nprim) {
950 ERR(NULL, "unrecognized class %d", tclass);
951 return -EINVAL;
952 }
953 tclass_datum = policydb->class_val_to_struct[tclass - 1];
954
955 ocontext = sepol_sidtab_search(sidtab, oldsid);
956 if (!ocontext) {
957 ERR(NULL, "unrecognized SID %d", oldsid);
958 return -EINVAL;
959 }
960
961 ncontext = sepol_sidtab_search(sidtab, newsid);
962 if (!ncontext) {
963 ERR(NULL, "unrecognized SID %d", newsid);
964 return -EINVAL;
965 }
966
967 tcontext = sepol_sidtab_search(sidtab, tasksid);
968 if (!tcontext) {
969 ERR(NULL, "unrecognized SID %d", tasksid);
970 return -EINVAL;
971 }
972
973 constraint = tclass_datum->validatetrans;
974 while (constraint) {
975 if (!constraint_expr_eval_reason(ocontext, ncontext, tcontext,
976 0, constraint, NULL, 0)) {
977 return -EPERM;
978 }
979 constraint = constraint->next;
980 }
981
982 return 0;
983 }
984
sepol_compute_av_reason(sepol_security_id_t ssid,sepol_security_id_t tsid,sepol_security_class_t tclass,sepol_access_vector_t requested,struct sepol_av_decision * avd,unsigned int * reason)985 int hidden sepol_compute_av_reason(sepol_security_id_t ssid,
986 sepol_security_id_t tsid,
987 sepol_security_class_t tclass,
988 sepol_access_vector_t requested,
989 struct sepol_av_decision *avd,
990 unsigned int *reason)
991 {
992 context_struct_t *scontext = 0, *tcontext = 0;
993 int rc = 0;
994
995 scontext = sepol_sidtab_search(sidtab, ssid);
996 if (!scontext) {
997 ERR(NULL, "unrecognized SID %d", ssid);
998 rc = -EINVAL;
999 goto out;
1000 }
1001 tcontext = sepol_sidtab_search(sidtab, tsid);
1002 if (!tcontext) {
1003 ERR(NULL, "unrecognized SID %d", tsid);
1004 rc = -EINVAL;
1005 goto out;
1006 }
1007
1008 rc = context_struct_compute_av(scontext, tcontext, tclass,
1009 requested, avd, reason, NULL, 0);
1010 out:
1011 return rc;
1012 }
1013
1014 /*
1015 * sepol_compute_av_reason_buffer - the reason buffer is malloc'd to
1016 * REASON_BUF_SIZE. If the buffer size is exceeded, then it is realloc'd
1017 * in the constraint_expr_eval_reason() function.
1018 */
sepol_compute_av_reason_buffer(sepol_security_id_t ssid,sepol_security_id_t tsid,sepol_security_class_t tclass,sepol_access_vector_t requested,struct sepol_av_decision * avd,unsigned int * reason,char ** reason_buf,unsigned int flags)1019 int hidden sepol_compute_av_reason_buffer(sepol_security_id_t ssid,
1020 sepol_security_id_t tsid,
1021 sepol_security_class_t tclass,
1022 sepol_access_vector_t requested,
1023 struct sepol_av_decision *avd,
1024 unsigned int *reason,
1025 char **reason_buf,
1026 unsigned int flags)
1027 {
1028 context_struct_t *scontext = 0, *tcontext = 0;
1029 int rc = 0;
1030
1031 scontext = sepol_sidtab_search(sidtab, ssid);
1032 if (!scontext) {
1033 ERR(NULL, "unrecognized SID %d", ssid);
1034 rc = -EINVAL;
1035 goto out;
1036 }
1037 tcontext = sepol_sidtab_search(sidtab, tsid);
1038 if (!tcontext) {
1039 ERR(NULL, "unrecognized SID %d", tsid);
1040 rc = -EINVAL;
1041 goto out;
1042 }
1043
1044 /*
1045 * Set the buffer to NULL as constraints may not be processed.
1046 * If a buffer is required, then the routines in
1047 * constraint_expr_eval_reason will realloc in REASON_BUF_SIZE
1048 * chunks (as it gets called for each constraint processed).
1049 * We just make sure these start from zero.
1050 */
1051 *reason_buf = NULL;
1052 reason_buf_used = 0;
1053 reason_buf_len = 0;
1054
1055 rc = context_struct_compute_av(scontext, tcontext, tclass,
1056 requested, avd, reason, reason_buf, flags);
1057 out:
1058 return rc;
1059 }
1060
sepol_compute_av(sepol_security_id_t ssid,sepol_security_id_t tsid,sepol_security_class_t tclass,sepol_access_vector_t requested,struct sepol_av_decision * avd)1061 int hidden sepol_compute_av(sepol_security_id_t ssid,
1062 sepol_security_id_t tsid,
1063 sepol_security_class_t tclass,
1064 sepol_access_vector_t requested,
1065 struct sepol_av_decision *avd)
1066 {
1067 unsigned int reason = 0;
1068 return sepol_compute_av_reason(ssid, tsid, tclass, requested, avd,
1069 &reason);
1070 }
1071
1072 /*
1073 * Return a class ID associated with the class string specified by
1074 * class_name.
1075 */
sepol_string_to_security_class(const char * class_name,sepol_security_class_t * tclass)1076 int hidden sepol_string_to_security_class(const char *class_name,
1077 sepol_security_class_t *tclass)
1078 {
1079 char *class = NULL;
1080 sepol_security_class_t id;
1081
1082 for (id = 1;; id++) {
1083 class = policydb->p_class_val_to_name[id - 1];
1084 if (class == NULL) {
1085 ERR(NULL, "could not convert %s to class id", class_name);
1086 return STATUS_ERR;
1087 }
1088 if ((strcmp(class, class_name)) == 0) {
1089 *tclass = id;
1090 return STATUS_SUCCESS;
1091 }
1092 }
1093 }
1094
1095 /*
1096 * Return access vector bit associated with the class ID and permission
1097 * string.
1098 */
sepol_string_to_av_perm(sepol_security_class_t tclass,const char * perm_name,sepol_access_vector_t * av)1099 int hidden sepol_string_to_av_perm(sepol_security_class_t tclass,
1100 const char *perm_name,
1101 sepol_access_vector_t *av)
1102 {
1103 class_datum_t *tclass_datum;
1104 perm_datum_t *perm_datum;
1105
1106 if (!tclass || tclass > policydb->p_classes.nprim) {
1107 ERR(NULL, "unrecognized class %d", tclass);
1108 return -EINVAL;
1109 }
1110 tclass_datum = policydb->class_val_to_struct[tclass - 1];
1111
1112 /* Check for unique perms then the common ones (if any) */
1113 perm_datum = (perm_datum_t *)
1114 hashtab_search(tclass_datum->permissions.table,
1115 (hashtab_key_t)perm_name);
1116 if (perm_datum != NULL) {
1117 *av = 0x1 << (perm_datum->s.value - 1);
1118 return STATUS_SUCCESS;
1119 }
1120
1121 if (tclass_datum->comdatum == NULL)
1122 goto out;
1123
1124 perm_datum = (perm_datum_t *)
1125 hashtab_search(tclass_datum->comdatum->permissions.table,
1126 (hashtab_key_t)perm_name);
1127
1128 if (perm_datum != NULL) {
1129 *av = 0x1 << (perm_datum->s.value - 1);
1130 return STATUS_SUCCESS;
1131 }
1132 out:
1133 ERR(NULL, "could not convert %s to av bit", perm_name);
1134 return STATUS_ERR;
1135 }
1136
1137 /*
1138 * Write the security context string representation of
1139 * the context associated with `sid' into a dynamically
1140 * allocated string of the correct size. Set `*scontext'
1141 * to point to this string and set `*scontext_len' to
1142 * the length of the string.
1143 */
sepol_sid_to_context(sepol_security_id_t sid,sepol_security_context_t * scontext,size_t * scontext_len)1144 int hidden sepol_sid_to_context(sepol_security_id_t sid,
1145 sepol_security_context_t * scontext,
1146 size_t * scontext_len)
1147 {
1148 context_struct_t *context;
1149 int rc = 0;
1150
1151 context = sepol_sidtab_search(sidtab, sid);
1152 if (!context) {
1153 ERR(NULL, "unrecognized SID %d", sid);
1154 rc = -EINVAL;
1155 goto out;
1156 }
1157 rc = context_to_string(NULL, policydb, context, scontext, scontext_len);
1158 out:
1159 return rc;
1160
1161 }
1162
1163 /*
1164 * Return a SID associated with the security context that
1165 * has the string representation specified by `scontext'.
1166 */
sepol_context_to_sid(const sepol_security_context_t scontext,size_t scontext_len,sepol_security_id_t * sid)1167 int hidden sepol_context_to_sid(const sepol_security_context_t scontext,
1168 size_t scontext_len, sepol_security_id_t * sid)
1169 {
1170
1171 context_struct_t *context = NULL;
1172
1173 /* First, create the context */
1174 if (context_from_string(NULL, policydb, &context,
1175 scontext, scontext_len) < 0)
1176 goto err;
1177
1178 /* Obtain the new sid */
1179 if (sid && (sepol_sidtab_context_to_sid(sidtab, context, sid) < 0))
1180 goto err;
1181
1182 context_destroy(context);
1183 free(context);
1184 return STATUS_SUCCESS;
1185
1186 err:
1187 if (context) {
1188 context_destroy(context);
1189 free(context);
1190 }
1191 ERR(NULL, "could not convert %s to sid", scontext);
1192 return STATUS_ERR;
1193 }
1194
compute_sid_handle_invalid_context(context_struct_t * scontext,context_struct_t * tcontext,sepol_security_class_t tclass,context_struct_t * newcontext)1195 static inline int compute_sid_handle_invalid_context(context_struct_t *
1196 scontext,
1197 context_struct_t *
1198 tcontext,
1199 sepol_security_class_t
1200 tclass,
1201 context_struct_t *
1202 newcontext)
1203 {
1204 if (selinux_enforcing) {
1205 return -EACCES;
1206 } else {
1207 sepol_security_context_t s, t, n;
1208 size_t slen, tlen, nlen;
1209
1210 context_to_string(NULL, policydb, scontext, &s, &slen);
1211 context_to_string(NULL, policydb, tcontext, &t, &tlen);
1212 context_to_string(NULL, policydb, newcontext, &n, &nlen);
1213 ERR(NULL, "invalid context %s for "
1214 "scontext=%s tcontext=%s tclass=%s",
1215 n, s, t, policydb->p_class_val_to_name[tclass - 1]);
1216 free(s);
1217 free(t);
1218 free(n);
1219 return 0;
1220 }
1221 }
1222
sepol_compute_sid(sepol_security_id_t ssid,sepol_security_id_t tsid,sepol_security_class_t tclass,uint32_t specified,sepol_security_id_t * out_sid)1223 static int sepol_compute_sid(sepol_security_id_t ssid,
1224 sepol_security_id_t tsid,
1225 sepol_security_class_t tclass,
1226 uint32_t specified, sepol_security_id_t * out_sid)
1227 {
1228 context_struct_t *scontext = 0, *tcontext = 0, newcontext;
1229 struct role_trans *roletr = 0;
1230 avtab_key_t avkey;
1231 avtab_datum_t *avdatum;
1232 avtab_ptr_t node;
1233 int rc = 0;
1234
1235 scontext = sepol_sidtab_search(sidtab, ssid);
1236 if (!scontext) {
1237 ERR(NULL, "unrecognized SID %d", ssid);
1238 rc = -EINVAL;
1239 goto out;
1240 }
1241 tcontext = sepol_sidtab_search(sidtab, tsid);
1242 if (!tcontext) {
1243 ERR(NULL, "unrecognized SID %d", tsid);
1244 rc = -EINVAL;
1245 goto out;
1246 }
1247
1248 context_init(&newcontext);
1249
1250 /* Set the user identity. */
1251 switch (specified) {
1252 case AVTAB_TRANSITION:
1253 case AVTAB_CHANGE:
1254 /* Use the process user identity. */
1255 newcontext.user = scontext->user;
1256 break;
1257 case AVTAB_MEMBER:
1258 /* Use the related object owner. */
1259 newcontext.user = tcontext->user;
1260 break;
1261 }
1262
1263 /* Set the role and type to default values. */
1264 switch (tclass) {
1265 case SECCLASS_PROCESS:
1266 /* Use the current role and type of process. */
1267 newcontext.role = scontext->role;
1268 newcontext.type = scontext->type;
1269 break;
1270 default:
1271 /* Use the well-defined object role. */
1272 newcontext.role = OBJECT_R_VAL;
1273 /* Use the type of the related object. */
1274 newcontext.type = tcontext->type;
1275 }
1276
1277 /* Look for a type transition/member/change rule. */
1278 avkey.source_type = scontext->type;
1279 avkey.target_type = tcontext->type;
1280 avkey.target_class = tclass;
1281 avkey.specified = specified;
1282 avdatum = avtab_search(&policydb->te_avtab, &avkey);
1283
1284 /* If no permanent rule, also check for enabled conditional rules */
1285 if (!avdatum) {
1286 node = avtab_search_node(&policydb->te_cond_avtab, &avkey);
1287 for (; node != NULL;
1288 node = avtab_search_node_next(node, specified)) {
1289 if (node->key.specified & AVTAB_ENABLED) {
1290 avdatum = &node->datum;
1291 break;
1292 }
1293 }
1294 }
1295
1296 if (avdatum) {
1297 /* Use the type from the type transition/member/change rule. */
1298 newcontext.type = avdatum->data;
1299 }
1300
1301 /* Check for class-specific changes. */
1302 switch (tclass) {
1303 case SECCLASS_PROCESS:
1304 if (specified & AVTAB_TRANSITION) {
1305 /* Look for a role transition rule. */
1306 for (roletr = policydb->role_tr; roletr;
1307 roletr = roletr->next) {
1308 if (roletr->role == scontext->role &&
1309 roletr->type == tcontext->type) {
1310 /* Use the role transition rule. */
1311 newcontext.role = roletr->new_role;
1312 break;
1313 }
1314 }
1315 }
1316 break;
1317 default:
1318 break;
1319 }
1320
1321 /* Set the MLS attributes.
1322 This is done last because it may allocate memory. */
1323 rc = mls_compute_sid(policydb, scontext, tcontext, tclass, specified,
1324 &newcontext);
1325 if (rc)
1326 goto out;
1327
1328 /* Check the validity of the context. */
1329 if (!policydb_context_isvalid(policydb, &newcontext)) {
1330 rc = compute_sid_handle_invalid_context(scontext,
1331 tcontext,
1332 tclass, &newcontext);
1333 if (rc)
1334 goto out;
1335 }
1336 /* Obtain the sid for the context. */
1337 rc = sepol_sidtab_context_to_sid(sidtab, &newcontext, out_sid);
1338 out:
1339 context_destroy(&newcontext);
1340 return rc;
1341 }
1342
1343 /*
1344 * Compute a SID to use for labeling a new object in the
1345 * class `tclass' based on a SID pair.
1346 */
sepol_transition_sid(sepol_security_id_t ssid,sepol_security_id_t tsid,sepol_security_class_t tclass,sepol_security_id_t * out_sid)1347 int hidden sepol_transition_sid(sepol_security_id_t ssid,
1348 sepol_security_id_t tsid,
1349 sepol_security_class_t tclass,
1350 sepol_security_id_t * out_sid)
1351 {
1352 return sepol_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, out_sid);
1353 }
1354
1355 /*
1356 * Compute a SID to use when selecting a member of a
1357 * polyinstantiated object of class `tclass' based on
1358 * a SID pair.
1359 */
sepol_member_sid(sepol_security_id_t ssid,sepol_security_id_t tsid,sepol_security_class_t tclass,sepol_security_id_t * out_sid)1360 int hidden sepol_member_sid(sepol_security_id_t ssid,
1361 sepol_security_id_t tsid,
1362 sepol_security_class_t tclass,
1363 sepol_security_id_t * out_sid)
1364 {
1365 return sepol_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid);
1366 }
1367
1368 /*
1369 * Compute a SID to use for relabeling an object in the
1370 * class `tclass' based on a SID pair.
1371 */
sepol_change_sid(sepol_security_id_t ssid,sepol_security_id_t tsid,sepol_security_class_t tclass,sepol_security_id_t * out_sid)1372 int hidden sepol_change_sid(sepol_security_id_t ssid,
1373 sepol_security_id_t tsid,
1374 sepol_security_class_t tclass,
1375 sepol_security_id_t * out_sid)
1376 {
1377 return sepol_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid);
1378 }
1379
1380 /*
1381 * Verify that each permission that is defined under the
1382 * existing policy is still defined with the same value
1383 * in the new policy.
1384 */
validate_perm(hashtab_key_t key,hashtab_datum_t datum,void * p)1385 static int validate_perm(hashtab_key_t key, hashtab_datum_t datum, void *p)
1386 {
1387 hashtab_t h;
1388 perm_datum_t *perdatum, *perdatum2;
1389
1390 h = (hashtab_t) p;
1391 perdatum = (perm_datum_t *) datum;
1392
1393 perdatum2 = (perm_datum_t *) hashtab_search(h, key);
1394 if (!perdatum2) {
1395 ERR(NULL, "permission %s disappeared", key);
1396 return -1;
1397 }
1398 if (perdatum->s.value != perdatum2->s.value) {
1399 ERR(NULL, "the value of permissions %s changed", key);
1400 return -1;
1401 }
1402 return 0;
1403 }
1404
1405 /*
1406 * Verify that each class that is defined under the
1407 * existing policy is still defined with the same
1408 * attributes in the new policy.
1409 */
validate_class(hashtab_key_t key,hashtab_datum_t datum,void * p)1410 static int validate_class(hashtab_key_t key, hashtab_datum_t datum, void *p)
1411 {
1412 policydb_t *newp;
1413 class_datum_t *cladatum, *cladatum2;
1414
1415 newp = (policydb_t *) p;
1416 cladatum = (class_datum_t *) datum;
1417
1418 cladatum2 =
1419 (class_datum_t *) hashtab_search(newp->p_classes.table, key);
1420 if (!cladatum2) {
1421 ERR(NULL, "class %s disappeared", key);
1422 return -1;
1423 }
1424 if (cladatum->s.value != cladatum2->s.value) {
1425 ERR(NULL, "the value of class %s changed", key);
1426 return -1;
1427 }
1428 if ((cladatum->comdatum && !cladatum2->comdatum) ||
1429 (!cladatum->comdatum && cladatum2->comdatum)) {
1430 ERR(NULL, "the inherits clause for the access "
1431 "vector definition for class %s changed", key);
1432 return -1;
1433 }
1434 if (cladatum->comdatum) {
1435 if (hashtab_map
1436 (cladatum->comdatum->permissions.table, validate_perm,
1437 cladatum2->comdatum->permissions.table)) {
1438 ERR(NULL,
1439 " in the access vector definition "
1440 "for class %s\n", key);
1441 return -1;
1442 }
1443 }
1444 if (hashtab_map(cladatum->permissions.table, validate_perm,
1445 cladatum2->permissions.table)) {
1446 ERR(NULL, " in access vector definition for class %s", key);
1447 return -1;
1448 }
1449 return 0;
1450 }
1451
1452 /* Clone the SID into the new SID table. */
clone_sid(sepol_security_id_t sid,context_struct_t * context,void * arg)1453 static int clone_sid(sepol_security_id_t sid,
1454 context_struct_t * context, void *arg)
1455 {
1456 sidtab_t *s = arg;
1457
1458 return sepol_sidtab_insert(s, sid, context);
1459 }
1460
convert_context_handle_invalid_context(context_struct_t * context)1461 static inline int convert_context_handle_invalid_context(context_struct_t *
1462 context)
1463 {
1464 if (selinux_enforcing) {
1465 return -EINVAL;
1466 } else {
1467 sepol_security_context_t s;
1468 size_t len;
1469
1470 context_to_string(NULL, policydb, context, &s, &len);
1471 ERR(NULL, "context %s is invalid", s);
1472 free(s);
1473 return 0;
1474 }
1475 }
1476
1477 typedef struct {
1478 policydb_t *oldp;
1479 policydb_t *newp;
1480 } convert_context_args_t;
1481
1482 /*
1483 * Convert the values in the security context
1484 * structure `c' from the values specified
1485 * in the policy `p->oldp' to the values specified
1486 * in the policy `p->newp'. Verify that the
1487 * context is valid under the new policy.
1488 */
convert_context(sepol_security_id_t key,context_struct_t * c,void * p)1489 static int convert_context(sepol_security_id_t key __attribute__ ((unused)),
1490 context_struct_t * c, void *p)
1491 {
1492 convert_context_args_t *args;
1493 context_struct_t oldc;
1494 role_datum_t *role;
1495 type_datum_t *typdatum;
1496 user_datum_t *usrdatum;
1497 sepol_security_context_t s;
1498 size_t len;
1499 int rc = -EINVAL;
1500
1501 args = (convert_context_args_t *) p;
1502
1503 if (context_cpy(&oldc, c))
1504 return -ENOMEM;
1505
1506 /* Convert the user. */
1507 usrdatum = (user_datum_t *) hashtab_search(args->newp->p_users.table,
1508 args->oldp->
1509 p_user_val_to_name[c->user -
1510 1]);
1511
1512 if (!usrdatum) {
1513 goto bad;
1514 }
1515 c->user = usrdatum->s.value;
1516
1517 /* Convert the role. */
1518 role = (role_datum_t *) hashtab_search(args->newp->p_roles.table,
1519 args->oldp->
1520 p_role_val_to_name[c->role - 1]);
1521 if (!role) {
1522 goto bad;
1523 }
1524 c->role = role->s.value;
1525
1526 /* Convert the type. */
1527 typdatum = (type_datum_t *)
1528 hashtab_search(args->newp->p_types.table,
1529 args->oldp->p_type_val_to_name[c->type - 1]);
1530 if (!typdatum) {
1531 goto bad;
1532 }
1533 c->type = typdatum->s.value;
1534
1535 rc = mls_convert_context(args->oldp, args->newp, c);
1536 if (rc)
1537 goto bad;
1538
1539 /* Check the validity of the new context. */
1540 if (!policydb_context_isvalid(args->newp, c)) {
1541 rc = convert_context_handle_invalid_context(&oldc);
1542 if (rc)
1543 goto bad;
1544 }
1545
1546 context_destroy(&oldc);
1547 return 0;
1548
1549 bad:
1550 context_to_string(NULL, policydb, &oldc, &s, &len);
1551 context_destroy(&oldc);
1552 ERR(NULL, "invalidating context %s", s);
1553 free(s);
1554 return rc;
1555 }
1556
1557 /* Reading from a policy "file". */
next_entry(void * buf,struct policy_file * fp,size_t bytes)1558 int hidden next_entry(void *buf, struct policy_file *fp, size_t bytes)
1559 {
1560 size_t nread;
1561
1562 switch (fp->type) {
1563 case PF_USE_STDIO:
1564 nread = fread(buf, bytes, 1, fp->fp);
1565
1566 if (nread != 1)
1567 return -1;
1568 break;
1569 case PF_USE_MEMORY:
1570 if (bytes > fp->len)
1571 return -1;
1572 memcpy(buf, fp->data, bytes);
1573 fp->data += bytes;
1574 fp->len -= bytes;
1575 break;
1576 default:
1577 return -1;
1578 }
1579 return 0;
1580 }
1581
put_entry(const void * ptr,size_t size,size_t n,struct policy_file * fp)1582 size_t hidden put_entry(const void *ptr, size_t size, size_t n,
1583 struct policy_file *fp)
1584 {
1585 size_t bytes = size * n;
1586
1587 switch (fp->type) {
1588 case PF_USE_STDIO:
1589 return fwrite(ptr, size, n, fp->fp);
1590 case PF_USE_MEMORY:
1591 if (bytes > fp->len) {
1592 errno = ENOSPC;
1593 return 0;
1594 }
1595
1596 memcpy(fp->data, ptr, bytes);
1597 fp->data += bytes;
1598 fp->len -= bytes;
1599 return n;
1600 case PF_LEN:
1601 fp->len += bytes;
1602 return n;
1603 default:
1604 return 0;
1605 }
1606 return 0;
1607 }
1608
1609 /*
1610 * Read a new set of configuration data from
1611 * a policy database binary representation file.
1612 *
1613 * Verify that each class that is defined under the
1614 * existing policy is still defined with the same
1615 * attributes in the new policy.
1616 *
1617 * Convert the context structures in the SID table to the
1618 * new representation and verify that all entries
1619 * in the SID table are valid under the new policy.
1620 *
1621 * Change the active policy database to use the new
1622 * configuration data.
1623 *
1624 * Reset the access vector cache.
1625 */
sepol_load_policy(void * data,size_t len)1626 int hidden sepol_load_policy(void *data, size_t len)
1627 {
1628 policydb_t oldpolicydb, newpolicydb;
1629 sidtab_t oldsidtab, newsidtab;
1630 convert_context_args_t args;
1631 int rc = 0;
1632 struct policy_file file, *fp;
1633
1634 policy_file_init(&file);
1635 file.type = PF_USE_MEMORY;
1636 file.data = data;
1637 file.len = len;
1638 fp = &file;
1639
1640 if (policydb_init(&newpolicydb))
1641 return -ENOMEM;
1642
1643 if (policydb_read(&newpolicydb, fp, 1)) {
1644 policydb_destroy(&mypolicydb);
1645 return -EINVAL;
1646 }
1647
1648 sepol_sidtab_init(&newsidtab);
1649
1650 /* Verify that the existing classes did not change. */
1651 if (hashtab_map
1652 (policydb->p_classes.table, validate_class, &newpolicydb)) {
1653 ERR(NULL, "the definition of an existing class changed");
1654 rc = -EINVAL;
1655 goto err;
1656 }
1657
1658 /* Clone the SID table. */
1659 sepol_sidtab_shutdown(sidtab);
1660 if (sepol_sidtab_map(sidtab, clone_sid, &newsidtab)) {
1661 rc = -ENOMEM;
1662 goto err;
1663 }
1664
1665 /* Convert the internal representations of contexts
1666 in the new SID table and remove invalid SIDs. */
1667 args.oldp = policydb;
1668 args.newp = &newpolicydb;
1669 sepol_sidtab_map_remove_on_error(&newsidtab, convert_context, &args);
1670
1671 /* Save the old policydb and SID table to free later. */
1672 memcpy(&oldpolicydb, policydb, sizeof *policydb);
1673 sepol_sidtab_set(&oldsidtab, sidtab);
1674
1675 /* Install the new policydb and SID table. */
1676 memcpy(policydb, &newpolicydb, sizeof *policydb);
1677 sepol_sidtab_set(sidtab, &newsidtab);
1678
1679 /* Free the old policydb and SID table. */
1680 policydb_destroy(&oldpolicydb);
1681 sepol_sidtab_destroy(&oldsidtab);
1682
1683 return 0;
1684
1685 err:
1686 sepol_sidtab_destroy(&newsidtab);
1687 policydb_destroy(&newpolicydb);
1688 return rc;
1689
1690 }
1691
1692 /*
1693 * Return the SIDs to use for an unlabeled file system
1694 * that is being mounted from the device with the
1695 * the kdevname `name'. The `fs_sid' SID is returned for
1696 * the file system and the `file_sid' SID is returned
1697 * for all files within that file system.
1698 */
sepol_fs_sid(char * name,sepol_security_id_t * fs_sid,sepol_security_id_t * file_sid)1699 int hidden sepol_fs_sid(char *name,
1700 sepol_security_id_t * fs_sid,
1701 sepol_security_id_t * file_sid)
1702 {
1703 int rc = 0;
1704 ocontext_t *c;
1705
1706 c = policydb->ocontexts[OCON_FS];
1707 while (c) {
1708 if (strcmp(c->u.name, name) == 0)
1709 break;
1710 c = c->next;
1711 }
1712
1713 if (c) {
1714 if (!c->sid[0] || !c->sid[1]) {
1715 rc = sepol_sidtab_context_to_sid(sidtab,
1716 &c->context[0],
1717 &c->sid[0]);
1718 if (rc)
1719 goto out;
1720 rc = sepol_sidtab_context_to_sid(sidtab,
1721 &c->context[1],
1722 &c->sid[1]);
1723 if (rc)
1724 goto out;
1725 }
1726 *fs_sid = c->sid[0];
1727 *file_sid = c->sid[1];
1728 } else {
1729 *fs_sid = SECINITSID_FS;
1730 *file_sid = SECINITSID_FILE;
1731 }
1732
1733 out:
1734 return rc;
1735 }
1736
1737 /*
1738 * Return the SID of the port specified by
1739 * `domain', `type', `protocol', and `port'.
1740 */
sepol_port_sid(uint16_t domain,uint16_t type,uint8_t protocol,uint16_t port,sepol_security_id_t * out_sid)1741 int hidden sepol_port_sid(uint16_t domain __attribute__ ((unused)),
1742 uint16_t type __attribute__ ((unused)),
1743 uint8_t protocol,
1744 uint16_t port, sepol_security_id_t * out_sid)
1745 {
1746 ocontext_t *c;
1747 int rc = 0;
1748
1749 c = policydb->ocontexts[OCON_PORT];
1750 while (c) {
1751 if (c->u.port.protocol == protocol &&
1752 c->u.port.low_port <= port && c->u.port.high_port >= port)
1753 break;
1754 c = c->next;
1755 }
1756
1757 if (c) {
1758 if (!c->sid[0]) {
1759 rc = sepol_sidtab_context_to_sid(sidtab,
1760 &c->context[0],
1761 &c->sid[0]);
1762 if (rc)
1763 goto out;
1764 }
1765 *out_sid = c->sid[0];
1766 } else {
1767 *out_sid = SECINITSID_PORT;
1768 }
1769
1770 out:
1771 return rc;
1772 }
1773
1774 /*
1775 * Return the SIDs to use for a network interface
1776 * with the name `name'. The `if_sid' SID is returned for
1777 * the interface and the `msg_sid' SID is returned as
1778 * the default SID for messages received on the
1779 * interface.
1780 */
sepol_netif_sid(char * name,sepol_security_id_t * if_sid,sepol_security_id_t * msg_sid)1781 int hidden sepol_netif_sid(char *name,
1782 sepol_security_id_t * if_sid,
1783 sepol_security_id_t * msg_sid)
1784 {
1785 int rc = 0;
1786 ocontext_t *c;
1787
1788 c = policydb->ocontexts[OCON_NETIF];
1789 while (c) {
1790 if (strcmp(name, c->u.name) == 0)
1791 break;
1792 c = c->next;
1793 }
1794
1795 if (c) {
1796 if (!c->sid[0] || !c->sid[1]) {
1797 rc = sepol_sidtab_context_to_sid(sidtab,
1798 &c->context[0],
1799 &c->sid[0]);
1800 if (rc)
1801 goto out;
1802 rc = sepol_sidtab_context_to_sid(sidtab,
1803 &c->context[1],
1804 &c->sid[1]);
1805 if (rc)
1806 goto out;
1807 }
1808 *if_sid = c->sid[0];
1809 *msg_sid = c->sid[1];
1810 } else {
1811 *if_sid = SECINITSID_NETIF;
1812 *msg_sid = SECINITSID_NETMSG;
1813 }
1814
1815 out:
1816 return rc;
1817 }
1818
match_ipv6_addrmask(uint32_t * input,uint32_t * addr,uint32_t * mask)1819 static int match_ipv6_addrmask(uint32_t * input, uint32_t * addr,
1820 uint32_t * mask)
1821 {
1822 int i, fail = 0;
1823
1824 for (i = 0; i < 4; i++)
1825 if (addr[i] != (input[i] & mask[i])) {
1826 fail = 1;
1827 break;
1828 }
1829
1830 return !fail;
1831 }
1832
1833 /*
1834 * Return the SID of the node specified by the address
1835 * `addrp' where `addrlen' is the length of the address
1836 * in bytes and `domain' is the communications domain or
1837 * address family in which the address should be interpreted.
1838 */
sepol_node_sid(uint16_t domain,void * addrp,size_t addrlen,sepol_security_id_t * out_sid)1839 int hidden sepol_node_sid(uint16_t domain,
1840 void *addrp,
1841 size_t addrlen, sepol_security_id_t * out_sid)
1842 {
1843 int rc = 0;
1844 ocontext_t *c;
1845
1846 switch (domain) {
1847 case AF_INET:{
1848 uint32_t addr;
1849
1850 if (addrlen != sizeof(uint32_t)) {
1851 rc = -EINVAL;
1852 goto out;
1853 }
1854
1855 addr = *((uint32_t *) addrp);
1856
1857 c = policydb->ocontexts[OCON_NODE];
1858 while (c) {
1859 if (c->u.node.addr == (addr & c->u.node.mask))
1860 break;
1861 c = c->next;
1862 }
1863 break;
1864 }
1865
1866 case AF_INET6:
1867 if (addrlen != sizeof(uint64_t) * 2) {
1868 rc = -EINVAL;
1869 goto out;
1870 }
1871
1872 c = policydb->ocontexts[OCON_NODE6];
1873 while (c) {
1874 if (match_ipv6_addrmask(addrp, c->u.node6.addr,
1875 c->u.node6.mask))
1876 break;
1877 c = c->next;
1878 }
1879 break;
1880
1881 default:
1882 *out_sid = SECINITSID_NODE;
1883 goto out;
1884 }
1885
1886 if (c) {
1887 if (!c->sid[0]) {
1888 rc = sepol_sidtab_context_to_sid(sidtab,
1889 &c->context[0],
1890 &c->sid[0]);
1891 if (rc)
1892 goto out;
1893 }
1894 *out_sid = c->sid[0];
1895 } else {
1896 *out_sid = SECINITSID_NODE;
1897 }
1898
1899 out:
1900 return rc;
1901 }
1902
1903 /*
1904 * Generate the set of SIDs for legal security contexts
1905 * for a given user that can be reached by `fromsid'.
1906 * Set `*sids' to point to a dynamically allocated
1907 * array containing the set of SIDs. Set `*nel' to the
1908 * number of elements in the array.
1909 */
1910 #define SIDS_NEL 25
1911
sepol_get_user_sids(sepol_security_id_t fromsid,char * username,sepol_security_id_t ** sids,uint32_t * nel)1912 int hidden sepol_get_user_sids(sepol_security_id_t fromsid,
1913 char *username,
1914 sepol_security_id_t ** sids, uint32_t * nel)
1915 {
1916 context_struct_t *fromcon, usercon;
1917 sepol_security_id_t *mysids, *mysids2, sid;
1918 uint32_t mynel = 0, maxnel = SIDS_NEL;
1919 user_datum_t *user;
1920 role_datum_t *role;
1921 struct sepol_av_decision avd;
1922 int rc = 0;
1923 unsigned int i, j, reason;
1924 ebitmap_node_t *rnode, *tnode;
1925
1926 fromcon = sepol_sidtab_search(sidtab, fromsid);
1927 if (!fromcon) {
1928 rc = -EINVAL;
1929 goto out;
1930 }
1931
1932 user = (user_datum_t *) hashtab_search(policydb->p_users.table,
1933 username);
1934 if (!user) {
1935 rc = -EINVAL;
1936 goto out;
1937 }
1938 usercon.user = user->s.value;
1939
1940 mysids = malloc(maxnel * sizeof(sepol_security_id_t));
1941 if (!mysids) {
1942 rc = -ENOMEM;
1943 goto out;
1944 }
1945 memset(mysids, 0, maxnel * sizeof(sepol_security_id_t));
1946
1947 ebitmap_for_each_bit(&user->roles.roles, rnode, i) {
1948 if (!ebitmap_node_get_bit(rnode, i))
1949 continue;
1950 role = policydb->role_val_to_struct[i];
1951 usercon.role = i + 1;
1952 ebitmap_for_each_bit(&role->types.types, tnode, j) {
1953 if (!ebitmap_node_get_bit(tnode, j))
1954 continue;
1955 usercon.type = j + 1;
1956 if (usercon.type == fromcon->type)
1957 continue;
1958
1959 if (mls_setup_user_range
1960 (fromcon, user, &usercon, policydb->mls))
1961 continue;
1962
1963 rc = context_struct_compute_av(fromcon, &usercon,
1964 SECCLASS_PROCESS,
1965 PROCESS__TRANSITION,
1966 &avd, &reason, NULL, 0);
1967 if (rc || !(avd.allowed & PROCESS__TRANSITION))
1968 continue;
1969 rc = sepol_sidtab_context_to_sid(sidtab, &usercon,
1970 &sid);
1971 if (rc) {
1972 free(mysids);
1973 goto out;
1974 }
1975 if (mynel < maxnel) {
1976 mysids[mynel++] = sid;
1977 } else {
1978 maxnel += SIDS_NEL;
1979 mysids2 =
1980 malloc(maxnel *
1981 sizeof(sepol_security_id_t));
1982
1983 if (!mysids2) {
1984 rc = -ENOMEM;
1985 free(mysids);
1986 goto out;
1987 }
1988 memset(mysids2, 0,
1989 maxnel * sizeof(sepol_security_id_t));
1990 memcpy(mysids2, mysids,
1991 mynel * sizeof(sepol_security_id_t));
1992 free(mysids);
1993 mysids = mysids2;
1994 mysids[mynel++] = sid;
1995 }
1996 }
1997 }
1998
1999 *sids = mysids;
2000 *nel = mynel;
2001
2002 out:
2003 return rc;
2004 }
2005
2006 /*
2007 * Return the SID to use for a file in a filesystem
2008 * that cannot support a persistent label mapping or use another
2009 * fixed labeling behavior like transition SIDs or task SIDs.
2010 */
sepol_genfs_sid(const char * fstype,char * path,sepol_security_class_t sclass,sepol_security_id_t * sid)2011 int hidden sepol_genfs_sid(const char *fstype,
2012 char *path,
2013 sepol_security_class_t sclass,
2014 sepol_security_id_t * sid)
2015 {
2016 size_t len;
2017 genfs_t *genfs;
2018 ocontext_t *c;
2019 int rc = 0, cmp = 0;
2020
2021 for (genfs = policydb->genfs; genfs; genfs = genfs->next) {
2022 cmp = strcmp(fstype, genfs->fstype);
2023 if (cmp <= 0)
2024 break;
2025 }
2026
2027 if (!genfs || cmp) {
2028 *sid = SECINITSID_UNLABELED;
2029 rc = -ENOENT;
2030 goto out;
2031 }
2032
2033 for (c = genfs->head; c; c = c->next) {
2034 len = strlen(c->u.name);
2035 if ((!c->v.sclass || sclass == c->v.sclass) &&
2036 (strncmp(c->u.name, path, len) == 0))
2037 break;
2038 }
2039
2040 if (!c) {
2041 *sid = SECINITSID_UNLABELED;
2042 rc = -ENOENT;
2043 goto out;
2044 }
2045
2046 if (!c->sid[0]) {
2047 rc = sepol_sidtab_context_to_sid(sidtab,
2048 &c->context[0], &c->sid[0]);
2049 if (rc)
2050 goto out;
2051 }
2052
2053 *sid = c->sid[0];
2054 out:
2055 return rc;
2056 }
2057
sepol_fs_use(const char * fstype,unsigned int * behavior,sepol_security_id_t * sid)2058 int hidden sepol_fs_use(const char *fstype,
2059 unsigned int *behavior, sepol_security_id_t * sid)
2060 {
2061 int rc = 0;
2062 ocontext_t *c;
2063
2064 c = policydb->ocontexts[OCON_FSUSE];
2065 while (c) {
2066 if (strcmp(fstype, c->u.name) == 0)
2067 break;
2068 c = c->next;
2069 }
2070
2071 if (c) {
2072 *behavior = c->v.behavior;
2073 if (!c->sid[0]) {
2074 rc = sepol_sidtab_context_to_sid(sidtab,
2075 &c->context[0],
2076 &c->sid[0]);
2077 if (rc)
2078 goto out;
2079 }
2080 *sid = c->sid[0];
2081 } else {
2082 rc = sepol_genfs_sid(fstype, "/", SECCLASS_DIR, sid);
2083 if (rc) {
2084 *behavior = SECURITY_FS_USE_NONE;
2085 rc = 0;
2086 } else {
2087 *behavior = SECURITY_FS_USE_GENFS;
2088 }
2089 }
2090
2091 out:
2092 return rc;
2093 }
2094
2095 /* FLASK */
2096