1 /*
2 * Implementation of the userspace access vector cache (AVC).
3 *
4 * Author : Eamon Walsh <ewalsh@epoch.ncsc.mil>
5 *
6 * Derived from the kernel AVC implementation by
7 * Stephen Smalley <sds@epoch.ncsc.mil> and
8 * James Morris <jmorris@redhat.com>.
9 */
10 #include <selinux/avc.h>
11 #include "selinux_internal.h"
12 #include <assert.h>
13 #include "avc_sidtab.h"
14 #include "avc_internal.h"
15
16 #define AVC_CACHE_SLOTS 512
17 #define AVC_CACHE_MAXNODES 410
18
19 struct avc_entry {
20 security_id_t ssid;
21 security_id_t tsid;
22 security_class_t tclass;
23 struct av_decision avd;
24 security_id_t create_sid;
25 int used; /* used recently */
26 };
27
28 struct avc_node {
29 struct avc_entry ae;
30 struct avc_node *next;
31 };
32
33 struct avc_cache {
34 struct avc_node *slots[AVC_CACHE_SLOTS];
35 uint32_t lru_hint; /* LRU hint for reclaim scan */
36 uint32_t active_nodes;
37 uint32_t latest_notif; /* latest revocation notification */
38 };
39
40 struct avc_callback_node {
41 int (*callback) (uint32_t event, security_id_t ssid,
42 security_id_t tsid,
43 security_class_t tclass, access_vector_t perms,
44 access_vector_t * out_retained);
45 uint32_t events;
46 security_id_t ssid;
47 security_id_t tsid;
48 security_class_t tclass;
49 access_vector_t perms;
50 struct avc_callback_node *next;
51 };
52
53 static void *avc_netlink_thread = NULL;
54 static void *avc_lock = NULL;
55 static void *avc_log_lock = NULL;
56 static struct avc_node *avc_node_freelist = NULL;
57 static struct avc_cache avc_cache;
58 static char *avc_audit_buf = NULL;
59 static struct avc_cache_stats cache_stats;
60 static struct avc_callback_node *avc_callbacks = NULL;
61 static struct sidtab avc_sidtab;
62
avc_hash(security_id_t ssid,security_id_t tsid,security_class_t tclass)63 static inline int avc_hash(security_id_t ssid,
64 security_id_t tsid, security_class_t tclass)
65 {
66 return ((uintptr_t) ssid ^ ((uintptr_t) tsid << 2) ^ tclass)
67 & (AVC_CACHE_SLOTS - 1);
68 }
69
avc_context_to_sid_raw(const char * ctx,security_id_t * sid)70 int avc_context_to_sid_raw(const char * ctx, security_id_t * sid)
71 {
72 int rc;
73 /* avc_init needs to be called before this function */
74 assert(avc_running);
75
76 avc_get_lock(avc_lock);
77 rc = sidtab_context_to_sid(&avc_sidtab, ctx, sid);
78 avc_release_lock(avc_lock);
79 return rc;
80 }
81
avc_context_to_sid(const char * ctx,security_id_t * sid)82 int avc_context_to_sid(const char * ctx, security_id_t * sid)
83 {
84 int ret;
85 char * rctx;
86
87 if (selinux_trans_to_raw_context(ctx, &rctx))
88 return -1;
89
90 ret = avc_context_to_sid_raw(rctx, sid);
91
92 freecon(rctx);
93
94 return ret;
95 }
96
avc_sid_to_context_raw(security_id_t sid,char ** ctx)97 int avc_sid_to_context_raw(security_id_t sid, char ** ctx)
98 {
99 int rc;
100 *ctx = NULL;
101 avc_get_lock(avc_lock);
102 *ctx = strdup(sid->ctx); /* caller must free via freecon */
103 rc = *ctx ? 0 : -1;
104 avc_release_lock(avc_lock);
105 return rc;
106 }
107
avc_sid_to_context(security_id_t sid,char ** ctx)108 int avc_sid_to_context(security_id_t sid, char ** ctx)
109 {
110 int ret;
111 char * rctx;
112
113 ret = avc_sid_to_context_raw(sid, &rctx);
114
115 if (ret == 0) {
116 ret = selinux_raw_to_trans_context(rctx, ctx);
117 freecon(rctx);
118 }
119
120 return ret;
121 }
122
sidget(security_id_t sid)123 int sidget(security_id_t sid __attribute__((unused)))
124 {
125 return 1;
126 }
127
sidput(security_id_t sid)128 int sidput(security_id_t sid __attribute__((unused)))
129 {
130 return 1;
131 }
132
avc_get_initial_sid(const char * name,security_id_t * sid)133 int avc_get_initial_sid(const char * name, security_id_t * sid)
134 {
135 int rc;
136 char * con;
137
138 rc = security_get_initial_context_raw(name, &con);
139 if (rc < 0)
140 return rc;
141 rc = avc_context_to_sid_raw(con, sid);
142
143 freecon(con);
144
145 return rc;
146 }
147
avc_open(struct selinux_opt * opts,unsigned nopts)148 int avc_open(struct selinux_opt *opts, unsigned nopts)
149 {
150 avc_setenforce = 0;
151
152 while (nopts--)
153 switch(opts[nopts].type) {
154 case AVC_OPT_SETENFORCE:
155 avc_setenforce = 1;
156 avc_enforcing = !!opts[nopts].value;
157 break;
158 }
159
160 return avc_init("avc", NULL, NULL, NULL, NULL);
161 }
162
avc_init(const char * prefix,const struct avc_memory_callback * mem_cb,const struct avc_log_callback * log_cb,const struct avc_thread_callback * thread_cb,const struct avc_lock_callback * lock_cb)163 int avc_init(const char *prefix,
164 const struct avc_memory_callback *mem_cb,
165 const struct avc_log_callback *log_cb,
166 const struct avc_thread_callback *thread_cb,
167 const struct avc_lock_callback *lock_cb)
168 {
169 struct avc_node *new;
170 int i, rc = 0;
171
172 if (avc_running)
173 return 0;
174
175 if (prefix)
176 strncpy(avc_prefix, prefix, AVC_PREFIX_SIZE - 1);
177
178 set_callbacks(mem_cb, log_cb, thread_cb, lock_cb);
179
180 avc_lock = avc_alloc_lock();
181 avc_log_lock = avc_alloc_lock();
182
183 memset(&cache_stats, 0, sizeof(cache_stats));
184
185 for (i = 0; i < AVC_CACHE_SLOTS; i++)
186 avc_cache.slots[i] = 0;
187 avc_cache.lru_hint = 0;
188 avc_cache.active_nodes = 0;
189 avc_cache.latest_notif = 0;
190
191 rc = sidtab_init(&avc_sidtab);
192 if (rc) {
193 avc_log(SELINUX_ERROR,
194 "%s: unable to initialize SID table\n",
195 avc_prefix);
196 goto out;
197 }
198
199 avc_audit_buf = (char *)avc_malloc(AVC_AUDIT_BUFSIZE);
200 if (!avc_audit_buf) {
201 avc_log(SELINUX_ERROR,
202 "%s: unable to allocate audit buffer\n",
203 avc_prefix);
204 rc = -1;
205 goto out;
206 }
207
208 for (i = 0; i < AVC_CACHE_MAXNODES; i++) {
209 new = avc_malloc(sizeof(*new));
210 if (!new) {
211 avc_log(SELINUX_WARNING,
212 "%s: warning: only got %d av entries\n",
213 avc_prefix, i);
214 break;
215 }
216 memset(new, 0, sizeof(*new));
217 new->next = avc_node_freelist;
218 avc_node_freelist = new;
219 }
220
221 if (!avc_setenforce) {
222 rc = security_getenforce();
223 if (rc < 0) {
224 avc_log(SELINUX_ERROR,
225 "%s: could not determine enforcing mode: %s\n",
226 avc_prefix,
227 strerror(errno));
228 goto out;
229 }
230 avc_enforcing = rc;
231 }
232
233 rc = avc_netlink_open(0);
234 if (rc < 0) {
235 avc_log(SELINUX_ERROR,
236 "%s: can't open netlink socket: %d (%s)\n",
237 avc_prefix, errno, strerror(errno));
238 goto out;
239 }
240 if (avc_using_threads) {
241 avc_netlink_thread = avc_create_thread(&avc_netlink_loop);
242 avc_netlink_trouble = 0;
243 }
244 avc_running = 1;
245 out:
246 return rc;
247 }
248
avc_cache_stats(struct avc_cache_stats * p)249 void avc_cache_stats(struct avc_cache_stats *p)
250 {
251 memcpy(p, &cache_stats, sizeof(cache_stats));
252 }
253
avc_sid_stats(void)254 void avc_sid_stats(void)
255 {
256 /* avc_init needs to be called before this function */
257 assert(avc_running);
258 avc_get_lock(avc_log_lock);
259 avc_get_lock(avc_lock);
260 sidtab_sid_stats(&avc_sidtab, avc_audit_buf, AVC_AUDIT_BUFSIZE);
261 avc_release_lock(avc_lock);
262 avc_log(SELINUX_INFO, "%s", avc_audit_buf);
263 avc_release_lock(avc_log_lock);
264 }
265
avc_av_stats(void)266 void avc_av_stats(void)
267 {
268 int i, chain_len, max_chain_len, slots_used;
269 struct avc_node *node;
270
271 avc_get_lock(avc_lock);
272
273 slots_used = 0;
274 max_chain_len = 0;
275 for (i = 0; i < AVC_CACHE_SLOTS; i++) {
276 node = avc_cache.slots[i];
277 if (node) {
278 slots_used++;
279 chain_len = 0;
280 while (node) {
281 chain_len++;
282 node = node->next;
283 }
284 if (chain_len > max_chain_len)
285 max_chain_len = chain_len;
286 }
287 }
288
289 avc_release_lock(avc_lock);
290
291 avc_log(SELINUX_INFO, "%s: %u AV entries and %d/%d buckets used, "
292 "longest chain length %d\n", avc_prefix,
293 avc_cache.active_nodes,
294 slots_used, AVC_CACHE_SLOTS, max_chain_len);
295 }
296
hidden_def(avc_av_stats)297 hidden_def(avc_av_stats)
298
299 static inline struct avc_node *avc_reclaim_node(void)
300 {
301 struct avc_node *prev, *cur;
302 int try;
303 uint32_t hvalue;
304
305 hvalue = avc_cache.lru_hint;
306 for (try = 0; try < 2; try++) {
307 do {
308 prev = NULL;
309 cur = avc_cache.slots[hvalue];
310 while (cur) {
311 if (!cur->ae.used)
312 goto found;
313
314 cur->ae.used = 0;
315
316 prev = cur;
317 cur = cur->next;
318 }
319 hvalue = (hvalue + 1) & (AVC_CACHE_SLOTS - 1);
320 } while (hvalue != avc_cache.lru_hint);
321 }
322
323 errno = ENOMEM; /* this was a panic in the kernel... */
324 return NULL;
325
326 found:
327 avc_cache.lru_hint = hvalue;
328
329 if (prev == NULL)
330 avc_cache.slots[hvalue] = cur->next;
331 else
332 prev->next = cur->next;
333
334 return cur;
335 }
336
avc_clear_avc_entry(struct avc_entry * ae)337 static inline void avc_clear_avc_entry(struct avc_entry *ae)
338 {
339 memset(ae, 0, sizeof(*ae));
340 }
341
avc_claim_node(security_id_t ssid,security_id_t tsid,security_class_t tclass)342 static inline struct avc_node *avc_claim_node(security_id_t ssid,
343 security_id_t tsid,
344 security_class_t tclass)
345 {
346 struct avc_node *new;
347 int hvalue;
348
349 if (!avc_node_freelist)
350 avc_cleanup();
351
352 if (avc_node_freelist) {
353 new = avc_node_freelist;
354 avc_node_freelist = avc_node_freelist->next;
355 avc_cache.active_nodes++;
356 } else {
357 new = avc_reclaim_node();
358 if (!new)
359 goto out;
360 }
361
362 hvalue = avc_hash(ssid, tsid, tclass);
363 avc_clear_avc_entry(&new->ae);
364 new->ae.used = 1;
365 new->ae.ssid = ssid;
366 new->ae.tsid = tsid;
367 new->ae.tclass = tclass;
368 new->next = avc_cache.slots[hvalue];
369 avc_cache.slots[hvalue] = new;
370
371 out:
372 return new;
373 }
374
avc_search_node(security_id_t ssid,security_id_t tsid,security_class_t tclass,int * probes)375 static inline struct avc_node *avc_search_node(security_id_t ssid,
376 security_id_t tsid,
377 security_class_t tclass,
378 int *probes)
379 {
380 struct avc_node *cur;
381 int hvalue;
382 int tprobes = 1;
383
384 hvalue = avc_hash(ssid, tsid, tclass);
385 cur = avc_cache.slots[hvalue];
386 while (cur != NULL &&
387 (ssid != cur->ae.ssid ||
388 tclass != cur->ae.tclass || tsid != cur->ae.tsid)) {
389 tprobes++;
390 cur = cur->next;
391 }
392
393 if (cur == NULL) {
394 /* cache miss */
395 goto out;
396 }
397
398 /* cache hit */
399 if (probes)
400 *probes = tprobes;
401
402 cur->ae.used = 1;
403
404 out:
405 return cur;
406 }
407
408 /**
409 * avc_lookup - Look up an AVC entry.
410 * @ssid: source security identifier
411 * @tsid: target security identifier
412 * @tclass: target security class
413 * @requested: requested permissions, interpreted based on @tclass
414 * @aeref: AVC entry reference
415 *
416 * Look up an AVC entry that is valid for the
417 * @requested permissions between the SID pair
418 * (@ssid, @tsid), interpreting the permissions
419 * based on @tclass. If a valid AVC entry exists,
420 * then this function updates @aeref to refer to the
421 * entry and returns %0. Otherwise, -1 is returned.
422 */
avc_lookup(security_id_t ssid,security_id_t tsid,security_class_t tclass,access_vector_t requested,struct avc_entry_ref * aeref)423 static int avc_lookup(security_id_t ssid, security_id_t tsid,
424 security_class_t tclass,
425 access_vector_t requested, struct avc_entry_ref *aeref)
426 {
427 struct avc_node *node;
428 int probes, rc = 0;
429
430 avc_cache_stats_incr(cav_lookups);
431 node = avc_search_node(ssid, tsid, tclass, &probes);
432
433 if (node && ((node->ae.avd.decided & requested) == requested)) {
434 avc_cache_stats_incr(cav_hits);
435 avc_cache_stats_add(cav_probes, probes);
436 aeref->ae = &node->ae;
437 goto out;
438 }
439
440 avc_cache_stats_incr(cav_misses);
441 rc = -1;
442 out:
443 return rc;
444 }
445
446 /**
447 * avc_insert - Insert an AVC entry.
448 * @ssid: source security identifier
449 * @tsid: target security identifier
450 * @tclass: target security class
451 * @ae: AVC entry
452 * @aeref: AVC entry reference
453 *
454 * Insert an AVC entry for the SID pair
455 * (@ssid, @tsid) and class @tclass.
456 * The access vectors and the sequence number are
457 * normally provided by the security server in
458 * response to a security_compute_av() call. If the
459 * sequence number @ae->avd.seqno is not less than the latest
460 * revocation notification, then the function copies
461 * the access vectors into a cache entry, updates
462 * @aeref to refer to the entry, and returns %0.
463 * Otherwise, this function returns -%1 with @errno set to %EAGAIN.
464 */
avc_insert(security_id_t ssid,security_id_t tsid,security_class_t tclass,struct avc_entry * ae,struct avc_entry_ref * aeref)465 static int avc_insert(security_id_t ssid, security_id_t tsid,
466 security_class_t tclass,
467 struct avc_entry *ae, struct avc_entry_ref *aeref)
468 {
469 struct avc_node *node;
470 int rc = 0;
471
472 if (ae->avd.seqno < avc_cache.latest_notif) {
473 avc_log(SELINUX_WARNING,
474 "%s: seqno %u < latest_notif %u\n", avc_prefix,
475 ae->avd.seqno, avc_cache.latest_notif);
476 errno = EAGAIN;
477 rc = -1;
478 goto out;
479 }
480
481 node = avc_claim_node(ssid, tsid, tclass);
482 if (!node) {
483 rc = -1;
484 goto out;
485 }
486
487 memcpy(&node->ae.avd, &ae->avd, sizeof(ae->avd));
488 aeref->ae = &node->ae;
489 out:
490 return rc;
491 }
492
avc_cleanup(void)493 void avc_cleanup(void)
494 {
495 }
496
hidden_def(avc_cleanup)497 hidden_def(avc_cleanup)
498
499 int avc_reset(void)
500 {
501 struct avc_callback_node *c;
502 int i, ret, rc = 0, errsave = 0;
503 struct avc_node *node, *tmp;
504 errno = 0;
505
506 if (!avc_running)
507 return 0;
508
509 avc_get_lock(avc_lock);
510
511 for (i = 0; i < AVC_CACHE_SLOTS; i++) {
512 node = avc_cache.slots[i];
513 while (node) {
514 tmp = node;
515 node = node->next;
516 avc_clear_avc_entry(&tmp->ae);
517 tmp->next = avc_node_freelist;
518 avc_node_freelist = tmp;
519 avc_cache.active_nodes--;
520 }
521 avc_cache.slots[i] = 0;
522 }
523 avc_cache.lru_hint = 0;
524
525 avc_release_lock(avc_lock);
526
527 memset(&cache_stats, 0, sizeof(cache_stats));
528
529 for (c = avc_callbacks; c; c = c->next) {
530 if (c->events & AVC_CALLBACK_RESET) {
531 ret = c->callback(AVC_CALLBACK_RESET, 0, 0, 0, 0, 0);
532 if (ret && !rc) {
533 rc = ret;
534 errsave = errno;
535 }
536 }
537 }
538 errno = errsave;
539 return rc;
540 }
541
hidden_def(avc_reset)542 hidden_def(avc_reset)
543
544 void avc_destroy(void)
545 {
546 struct avc_callback_node *c;
547 struct avc_node *node, *tmp;
548 int i;
549 /* avc_init needs to be called before this function */
550 assert(avc_running);
551
552 avc_get_lock(avc_lock);
553
554 if (avc_using_threads)
555 avc_stop_thread(avc_netlink_thread);
556 avc_netlink_close();
557
558 for (i = 0; i < AVC_CACHE_SLOTS; i++) {
559 node = avc_cache.slots[i];
560 while (node) {
561 tmp = node;
562 node = node->next;
563 avc_free(tmp);
564 }
565 }
566 while (avc_node_freelist) {
567 tmp = avc_node_freelist;
568 avc_node_freelist = tmp->next;
569 avc_free(tmp);
570 }
571 avc_release_lock(avc_lock);
572
573 while (avc_callbacks) {
574 c = avc_callbacks;
575 avc_callbacks = c->next;
576 avc_free(c);
577 }
578 sidtab_destroy(&avc_sidtab);
579 avc_free_lock(avc_lock);
580 avc_free_lock(avc_log_lock);
581 avc_free(avc_audit_buf);
582 avc_running = 0;
583 }
584
585 /* ratelimit stuff put aside for now --EFW */
586 #if 0
587 /*
588 * Copied from net/core/utils.c:net_ratelimit and modified for
589 * use by the AVC audit facility.
590 */
591 #define AVC_MSG_COST 5*HZ
592 #define AVC_MSG_BURST 10*5*HZ
593
594 /*
595 * This enforces a rate limit: not more than one kernel message
596 * every 5secs to make a denial-of-service attack impossible.
597 */
598 static int avc_ratelimit(void)
599 {
600 static unsigned long toks = 10 * 5 * HZ;
601 static unsigned long last_msg;
602 static int missed, rc = 0;
603 unsigned long now = jiffies;
604 void *ratelimit_lock = avc_alloc_lock();
605
606 avc_get_lock(ratelimit_lock);
607 toks += now - last_msg;
608 last_msg = now;
609 if (toks > AVC_MSG_BURST)
610 toks = AVC_MSG_BURST;
611 if (toks >= AVC_MSG_COST) {
612 int lost = missed;
613 missed = 0;
614 toks -= AVC_MSG_COST;
615 avc_release_lock(ratelimit_lock);
616 if (lost) {
617 avc_log(SELINUX_WARNING,
618 "%s: %d messages suppressed.\n", avc_prefix,
619 lost);
620 }
621 rc = 1;
622 goto out;
623 }
624 missed++;
625 avc_release_lock(ratelimit_lock);
626 out:
627 avc_free_lock(ratelimit_lock);
628 return rc;
629 }
630
631 static inline int check_avc_ratelimit(void)
632 {
633 if (avc_enforcing)
634 return avc_ratelimit();
635 else {
636 /* If permissive, then never suppress messages. */
637 return 1;
638 }
639 }
640 #endif /* ratelimit stuff */
641
642 /**
643 * avc_dump_av - Display an access vector in human-readable form.
644 * @tclass: target security class
645 * @av: access vector
646 */
avc_dump_av(security_class_t tclass,access_vector_t av)647 static void avc_dump_av(security_class_t tclass, access_vector_t av)
648 {
649 const char *permstr;
650 access_vector_t bit = 1;
651
652 if (av == 0) {
653 log_append(avc_audit_buf, " null");
654 return;
655 }
656
657 log_append(avc_audit_buf, " {");
658
659 while (av) {
660 if (av & bit) {
661 permstr = security_av_perm_to_string(tclass, bit);
662 if (!permstr)
663 break;
664 log_append(avc_audit_buf, " %s", permstr);
665 av &= ~bit;
666 }
667 bit <<= 1;
668 }
669
670 if (av)
671 log_append(avc_audit_buf, " 0x%x", av);
672 log_append(avc_audit_buf, " }");
673 }
674
675 /**
676 * avc_dump_query - Display a SID pair and a class in human-readable form.
677 * @ssid: source security identifier
678 * @tsid: target security identifier
679 * @tclass: target security class
680 */
avc_dump_query(security_id_t ssid,security_id_t tsid,security_class_t tclass)681 static void avc_dump_query(security_id_t ssid, security_id_t tsid,
682 security_class_t tclass)
683 {
684 avc_get_lock(avc_lock);
685
686 log_append(avc_audit_buf, "scontext=%s tcontext=%s",
687 ssid->ctx, tsid->ctx);
688
689 avc_release_lock(avc_lock);
690 log_append(avc_audit_buf, " tclass=%s",
691 security_class_to_string(tclass));
692 }
693
avc_audit(security_id_t ssid,security_id_t tsid,security_class_t tclass,access_vector_t requested,struct av_decision * avd,int result,void * a)694 void avc_audit(security_id_t ssid, security_id_t tsid,
695 security_class_t tclass, access_vector_t requested,
696 struct av_decision *avd, int result, void *a)
697 {
698 access_vector_t denied, audited;
699
700 denied = requested & ~avd->allowed;
701 if (denied)
702 audited = denied & avd->auditdeny;
703 else if (!requested || result)
704 audited = denied = requested;
705 else
706 audited = requested & avd->auditallow;
707 if (!audited)
708 return;
709 #if 0
710 if (!check_avc_ratelimit())
711 return;
712 #endif
713 /* prevent overlapping buffer writes */
714 avc_get_lock(avc_log_lock);
715 snprintf(avc_audit_buf, AVC_AUDIT_BUFSIZE,
716 "%s: %s ", avc_prefix, (denied || !requested) ? "denied" : "granted");
717 avc_dump_av(tclass, audited);
718 log_append(avc_audit_buf, " for ");
719
720 /* get any extra information printed by the callback */
721 avc_suppl_audit(a, tclass, avc_audit_buf + strlen(avc_audit_buf),
722 AVC_AUDIT_BUFSIZE - strlen(avc_audit_buf));
723
724 log_append(avc_audit_buf, " ");
725 avc_dump_query(ssid, tsid, tclass);
726
727 if (denied)
728 log_append(avc_audit_buf, " permissive=%u", result ? 0 : 1);
729
730 log_append(avc_audit_buf, "\n");
731 avc_log(SELINUX_AVC, "%s", avc_audit_buf);
732
733 avc_release_lock(avc_log_lock);
734 }
735
hidden_def(avc_audit)736 hidden_def(avc_audit)
737
738
739 static void avd_init(struct av_decision *avd)
740 {
741 avd->allowed = 0;
742 avd->auditallow = 0;
743 avd->auditdeny = 0xffffffff;
744 avd->seqno = avc_cache.latest_notif;
745 avd->flags = 0;
746 }
747
avc_has_perm_noaudit(security_id_t ssid,security_id_t tsid,security_class_t tclass,access_vector_t requested,struct avc_entry_ref * aeref,struct av_decision * avd)748 int avc_has_perm_noaudit(security_id_t ssid,
749 security_id_t tsid,
750 security_class_t tclass,
751 access_vector_t requested,
752 struct avc_entry_ref *aeref, struct av_decision *avd)
753 {
754 struct avc_entry *ae;
755 int rc = 0;
756 struct avc_entry entry;
757 access_vector_t denied;
758 struct avc_entry_ref ref;
759
760 if (avd)
761 avd_init(avd);
762
763 if (!avc_using_threads && !avc_app_main_loop) {
764 (void)avc_netlink_check_nb();
765 }
766
767 if (!aeref) {
768 avc_entry_ref_init(&ref);
769 aeref = &ref;
770 }
771
772 avc_get_lock(avc_lock);
773 avc_cache_stats_incr(entry_lookups);
774 ae = aeref->ae;
775 if (ae) {
776 if (ae->ssid == ssid &&
777 ae->tsid == tsid &&
778 ae->tclass == tclass &&
779 ((ae->avd.decided & requested) == requested)) {
780 avc_cache_stats_incr(entry_hits);
781 ae->used = 1;
782 } else {
783 avc_cache_stats_incr(entry_discards);
784 ae = 0;
785 }
786 }
787
788 if (!ae) {
789 avc_cache_stats_incr(entry_misses);
790 rc = avc_lookup(ssid, tsid, tclass, requested, aeref);
791 if (rc) {
792 rc = security_compute_av_flags_raw(ssid->ctx, tsid->ctx,
793 tclass, requested,
794 &entry.avd);
795 if (rc && errno == EINVAL && !avc_enforcing) {
796 rc = errno = 0;
797 goto out;
798 }
799 if (rc)
800 goto out;
801 rc = avc_insert(ssid, tsid, tclass, &entry, aeref);
802 if (rc)
803 goto out;
804 }
805 ae = aeref->ae;
806 }
807
808 if (avd)
809 memcpy(avd, &ae->avd, sizeof(*avd));
810
811 denied = requested & ~(ae->avd.allowed);
812
813 if (!requested || denied) {
814 if (!avc_enforcing ||
815 (ae->avd.flags & SELINUX_AVD_FLAGS_PERMISSIVE))
816 ae->avd.allowed |= requested;
817 else {
818 errno = EACCES;
819 rc = -1;
820 }
821 }
822
823 out:
824 avc_release_lock(avc_lock);
825 return rc;
826 }
827
hidden_def(avc_has_perm_noaudit)828 hidden_def(avc_has_perm_noaudit)
829
830 int avc_has_perm(security_id_t ssid, security_id_t tsid,
831 security_class_t tclass, access_vector_t requested,
832 struct avc_entry_ref *aeref, void *auditdata)
833 {
834 struct av_decision avd;
835 int errsave, rc;
836
837 rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, aeref, &avd);
838 errsave = errno;
839 avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata);
840 errno = errsave;
841 return rc;
842 }
843
avc_compute_create(security_id_t ssid,security_id_t tsid,security_class_t tclass,security_id_t * newsid)844 int avc_compute_create(security_id_t ssid, security_id_t tsid,
845 security_class_t tclass, security_id_t *newsid)
846 {
847 int rc;
848 struct avc_entry_ref aeref;
849 struct avc_entry entry;
850 char * ctx;
851
852 *newsid = NULL;
853 avc_entry_ref_init(&aeref);
854
855 avc_get_lock(avc_lock);
856
857 /* check for a cached entry */
858 rc = avc_lookup(ssid, tsid, tclass, 0, &aeref);
859 if (rc) {
860 /* need to make a cache entry for this tuple */
861 rc = security_compute_av_flags_raw(ssid->ctx, tsid->ctx,
862 tclass, 0, &entry.avd);
863 if (rc)
864 goto out;
865 rc = avc_insert(ssid, tsid, tclass, &entry, &aeref);
866 if (rc)
867 goto out;
868 }
869
870 /* check for a saved compute_create value */
871 if (!aeref.ae->create_sid) {
872 /* need to query the kernel policy */
873 rc = security_compute_create_raw(ssid->ctx, tsid->ctx, tclass,
874 &ctx);
875 if (rc)
876 goto out;
877 rc = sidtab_context_to_sid(&avc_sidtab, ctx, newsid);
878 freecon(ctx);
879 if (rc)
880 goto out;
881
882 aeref.ae->create_sid = *newsid;
883 } else {
884 /* found saved value */
885 *newsid = aeref.ae->create_sid;
886 }
887
888 rc = 0;
889 out:
890 avc_release_lock(avc_lock);
891 return rc;
892 }
893
avc_compute_member(security_id_t ssid,security_id_t tsid,security_class_t tclass,security_id_t * newsid)894 int avc_compute_member(security_id_t ssid, security_id_t tsid,
895 security_class_t tclass, security_id_t *newsid)
896 {
897 int rc;
898 char * ctx = NULL;
899 *newsid = NULL;
900 /* avc_init needs to be called before this function */
901 assert(avc_running);
902 avc_get_lock(avc_lock);
903
904 rc = security_compute_member_raw(ssid->ctx, tsid->ctx, tclass, &ctx);
905 if (rc)
906 goto out;
907 rc = sidtab_context_to_sid(&avc_sidtab, ctx, newsid);
908 freecon(ctx);
909 out:
910 avc_release_lock(avc_lock);
911 return rc;
912 }
913
avc_add_callback(int (* callback)(uint32_t event,security_id_t ssid,security_id_t tsid,security_class_t tclass,access_vector_t perms,access_vector_t * out_retained),uint32_t events,security_id_t ssid,security_id_t tsid,security_class_t tclass,access_vector_t perms)914 int avc_add_callback(int (*callback) (uint32_t event, security_id_t ssid,
915 security_id_t tsid,
916 security_class_t tclass,
917 access_vector_t perms,
918 access_vector_t * out_retained),
919 uint32_t events, security_id_t ssid,
920 security_id_t tsid,
921 security_class_t tclass, access_vector_t perms)
922 {
923 struct avc_callback_node *c;
924 int rc = 0;
925
926 c = avc_malloc(sizeof(*c));
927 if (!c) {
928 rc = -1;
929 goto out;
930 }
931
932 c->callback = callback;
933 c->events = events;
934 c->ssid = ssid;
935 c->tsid = tsid;
936 c->tclass = tclass;
937 c->perms = perms;
938 c->next = avc_callbacks;
939 avc_callbacks = c;
940 out:
941 return rc;
942 }
943
avc_sidcmp(security_id_t x,security_id_t y)944 static inline int avc_sidcmp(security_id_t x, security_id_t y)
945 {
946 return (x == y || x == SECSID_WILD || y == SECSID_WILD);
947 }
948
avc_update_node(uint32_t event,struct avc_node * node,access_vector_t perms)949 static inline void avc_update_node(uint32_t event, struct avc_node *node,
950 access_vector_t perms)
951 {
952 switch (event) {
953 case AVC_CALLBACK_GRANT:
954 node->ae.avd.allowed |= perms;
955 break;
956 case AVC_CALLBACK_TRY_REVOKE:
957 case AVC_CALLBACK_REVOKE:
958 node->ae.avd.allowed &= ~perms;
959 break;
960 case AVC_CALLBACK_AUDITALLOW_ENABLE:
961 node->ae.avd.auditallow |= perms;
962 break;
963 case AVC_CALLBACK_AUDITALLOW_DISABLE:
964 node->ae.avd.auditallow &= ~perms;
965 break;
966 case AVC_CALLBACK_AUDITDENY_ENABLE:
967 node->ae.avd.auditdeny |= perms;
968 break;
969 case AVC_CALLBACK_AUDITDENY_DISABLE:
970 node->ae.avd.auditdeny &= ~perms;
971 break;
972 }
973 }
974
avc_update_cache(uint32_t event,security_id_t ssid,security_id_t tsid,security_class_t tclass,access_vector_t perms)975 static int avc_update_cache(uint32_t event, security_id_t ssid,
976 security_id_t tsid, security_class_t tclass,
977 access_vector_t perms)
978 {
979 struct avc_node *node;
980 int i;
981
982 avc_get_lock(avc_lock);
983
984 if (ssid == SECSID_WILD || tsid == SECSID_WILD) {
985 /* apply to all matching nodes */
986 for (i = 0; i < AVC_CACHE_SLOTS; i++) {
987 for (node = avc_cache.slots[i]; node; node = node->next) {
988 if (avc_sidcmp(ssid, node->ae.ssid) &&
989 avc_sidcmp(tsid, node->ae.tsid) &&
990 tclass == node->ae.tclass) {
991 avc_update_node(event, node, perms);
992 }
993 }
994 }
995 } else {
996 /* apply to one node */
997 node = avc_search_node(ssid, tsid, tclass, 0);
998 if (node) {
999 avc_update_node(event, node, perms);
1000 }
1001 }
1002
1003 avc_release_lock(avc_lock);
1004
1005 return 0;
1006 }
1007
1008 /* avc_control - update cache and call callbacks
1009 *
1010 * This should not be called directly; use the individual event
1011 * functions instead.
1012 */
avc_control(uint32_t event,security_id_t ssid,security_id_t tsid,security_class_t tclass,access_vector_t perms,uint32_t seqno,access_vector_t * out_retained)1013 static int avc_control(uint32_t event, security_id_t ssid,
1014 security_id_t tsid, security_class_t tclass,
1015 access_vector_t perms,
1016 uint32_t seqno, access_vector_t * out_retained)
1017 {
1018 struct avc_callback_node *c;
1019 access_vector_t tretained = 0, cretained = 0;
1020 int ret, rc = 0, errsave = 0;
1021 errno = 0;
1022
1023 /*
1024 * try_revoke only removes permissions from the cache
1025 * state if they are not retained by the object manager.
1026 * Hence, try_revoke must wait until after the callbacks have
1027 * been invoked to update the cache state.
1028 */
1029 if (event != AVC_CALLBACK_TRY_REVOKE)
1030 avc_update_cache(event, ssid, tsid, tclass, perms);
1031
1032 for (c = avc_callbacks; c; c = c->next) {
1033 if ((c->events & event) &&
1034 avc_sidcmp(c->ssid, ssid) &&
1035 avc_sidcmp(c->tsid, tsid) &&
1036 c->tclass == tclass && (c->perms & perms)) {
1037 cretained = 0;
1038 ret = c->callback(event, ssid, tsid, tclass,
1039 (c->perms & perms), &cretained);
1040 if (ret && !rc) {
1041 rc = ret;
1042 errsave = errno;
1043 }
1044 if (!ret)
1045 tretained |= cretained;
1046 }
1047 }
1048
1049 if (event == AVC_CALLBACK_TRY_REVOKE) {
1050 /* revoke any unretained permissions */
1051 perms &= ~tretained;
1052 avc_update_cache(event, ssid, tsid, tclass, perms);
1053 *out_retained = tretained;
1054 }
1055
1056 avc_get_lock(avc_lock);
1057 if (seqno > avc_cache.latest_notif)
1058 avc_cache.latest_notif = seqno;
1059 avc_release_lock(avc_lock);
1060
1061 errno = errsave;
1062 return rc;
1063 }
1064
1065 /**
1066 * avc_ss_grant - Grant previously denied permissions.
1067 * @ssid: source security identifier or %SECSID_WILD
1068 * @tsid: target security identifier or %SECSID_WILD
1069 * @tclass: target security class
1070 * @perms: permissions to grant
1071 * @seqno: policy sequence number
1072 */
avc_ss_grant(security_id_t ssid,security_id_t tsid,security_class_t tclass,access_vector_t perms,uint32_t seqno)1073 int avc_ss_grant(security_id_t ssid, security_id_t tsid,
1074 security_class_t tclass, access_vector_t perms,
1075 uint32_t seqno)
1076 {
1077 return avc_control(AVC_CALLBACK_GRANT,
1078 ssid, tsid, tclass, perms, seqno, 0);
1079 }
1080
1081 /**
1082 * avc_ss_try_revoke - Try to revoke previously granted permissions.
1083 * @ssid: source security identifier or %SECSID_WILD
1084 * @tsid: target security identifier or %SECSID_WILD
1085 * @tclass: target security class
1086 * @perms: permissions to grant
1087 * @seqno: policy sequence number
1088 * @out_retained: subset of @perms that are retained
1089 *
1090 * Try to revoke previously granted permissions, but
1091 * only if they are not retained as migrated permissions.
1092 * Return the subset of permissions that are retained via @out_retained.
1093 */
avc_ss_try_revoke(security_id_t ssid,security_id_t tsid,security_class_t tclass,access_vector_t perms,uint32_t seqno,access_vector_t * out_retained)1094 int avc_ss_try_revoke(security_id_t ssid, security_id_t tsid,
1095 security_class_t tclass,
1096 access_vector_t perms, uint32_t seqno,
1097 access_vector_t * out_retained)
1098 {
1099 return avc_control(AVC_CALLBACK_TRY_REVOKE,
1100 ssid, tsid, tclass, perms, seqno, out_retained);
1101 }
1102
1103 /**
1104 * avc_ss_revoke - Revoke previously granted permissions.
1105 * @ssid: source security identifier or %SECSID_WILD
1106 * @tsid: target security identifier or %SECSID_WILD
1107 * @tclass: target security class
1108 * @perms: permissions to grant
1109 * @seqno: policy sequence number
1110 *
1111 * Revoke previously granted permissions, even if
1112 * they are retained as migrated permissions.
1113 */
avc_ss_revoke(security_id_t ssid,security_id_t tsid,security_class_t tclass,access_vector_t perms,uint32_t seqno)1114 int avc_ss_revoke(security_id_t ssid, security_id_t tsid,
1115 security_class_t tclass, access_vector_t perms,
1116 uint32_t seqno)
1117 {
1118 return avc_control(AVC_CALLBACK_REVOKE,
1119 ssid, tsid, tclass, perms, seqno, 0);
1120 }
1121
1122 /**
1123 * avc_ss_reset - Flush the cache and revalidate migrated permissions.
1124 * @seqno: policy sequence number
1125 */
avc_ss_reset(uint32_t seqno)1126 int avc_ss_reset(uint32_t seqno)
1127 {
1128 int rc;
1129
1130 rc = avc_reset();
1131
1132 avc_get_lock(avc_lock);
1133 if (seqno > avc_cache.latest_notif)
1134 avc_cache.latest_notif = seqno;
1135 avc_release_lock(avc_lock);
1136
1137 return rc;
1138 }
1139
1140 /**
1141 * avc_ss_set_auditallow - Enable or disable auditing of granted permissions.
1142 * @ssid: source security identifier or %SECSID_WILD
1143 * @tsid: target security identifier or %SECSID_WILD
1144 * @tclass: target security class
1145 * @perms: permissions to grant
1146 * @seqno: policy sequence number
1147 * @enable: enable flag.
1148 */
avc_ss_set_auditallow(security_id_t ssid,security_id_t tsid,security_class_t tclass,access_vector_t perms,uint32_t seqno,uint32_t enable)1149 int avc_ss_set_auditallow(security_id_t ssid, security_id_t tsid,
1150 security_class_t tclass, access_vector_t perms,
1151 uint32_t seqno, uint32_t enable)
1152 {
1153 if (enable)
1154 return avc_control(AVC_CALLBACK_AUDITALLOW_ENABLE,
1155 ssid, tsid, tclass, perms, seqno, 0);
1156 else
1157 return avc_control(AVC_CALLBACK_AUDITALLOW_DISABLE,
1158 ssid, tsid, tclass, perms, seqno, 0);
1159 }
1160
1161 /**
1162 * avc_ss_set_auditdeny - Enable or disable auditing of denied permissions.
1163 * @ssid: source security identifier or %SECSID_WILD
1164 * @tsid: target security identifier or %SECSID_WILD
1165 * @tclass: target security class
1166 * @perms: permissions to grant
1167 * @seqno: policy sequence number
1168 * @enable: enable flag.
1169 */
avc_ss_set_auditdeny(security_id_t ssid,security_id_t tsid,security_class_t tclass,access_vector_t perms,uint32_t seqno,uint32_t enable)1170 int avc_ss_set_auditdeny(security_id_t ssid, security_id_t tsid,
1171 security_class_t tclass, access_vector_t perms,
1172 uint32_t seqno, uint32_t enable)
1173 {
1174 if (enable)
1175 return avc_control(AVC_CALLBACK_AUDITDENY_ENABLE,
1176 ssid, tsid, tclass, perms, seqno, 0);
1177 else
1178 return avc_control(AVC_CALLBACK_AUDITDENY_DISABLE,
1179 ssid, tsid, tclass, perms, seqno, 0);
1180 }
1181