]>
Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | /* |
2 | * Implementation of the kernel access vector cache (AVC). | |
3 | * | |
7efbb60b | 4 | * Authors: Stephen Smalley, <sds@tycho.nsa.gov> |
95fff33b | 5 | * James Morris <jmorris@redhat.com> |
1da177e4 LT |
6 | * |
7 | * Update: KaiGai, Kohei <kaigai@ak.jp.nec.com> | |
95fff33b | 8 | * Replaced the avc_lock spinlock by RCU. |
1da177e4 LT |
9 | * |
10 | * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> | |
11 | * | |
12 | * This program is free software; you can redistribute it and/or modify | |
13 | * it under the terms of the GNU General Public License version 2, | |
95fff33b | 14 | * as published by the Free Software Foundation. |
1da177e4 LT |
15 | */ |
16 | #include <linux/types.h> | |
17 | #include <linux/stddef.h> | |
18 | #include <linux/kernel.h> | |
19 | #include <linux/slab.h> | |
20 | #include <linux/fs.h> | |
21 | #include <linux/dcache.h> | |
22 | #include <linux/init.h> | |
23 | #include <linux/skbuff.h> | |
24 | #include <linux/percpu.h> | |
fa1aa143 | 25 | #include <linux/list.h> |
1da177e4 LT |
26 | #include <net/sock.h> |
27 | #include <linux/un.h> | |
28 | #include <net/af_unix.h> | |
29 | #include <linux/ip.h> | |
30 | #include <linux/audit.h> | |
31 | #include <linux/ipv6.h> | |
32 | #include <net/ipv6.h> | |
33 | #include "avc.h" | |
34 | #include "avc_ss.h" | |
c6d3aaa4 | 35 | #include "classmap.h" |
5c458998 | 36 | |
1da177e4 LT |
37 | #define AVC_CACHE_SLOTS 512 |
38 | #define AVC_DEF_CACHE_THRESHOLD 512 | |
39 | #define AVC_CACHE_RECLAIM 16 | |
40 | ||
41 | #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS | |
044aea9b | 42 | #define avc_cache_stats_incr(field) this_cpu_inc(avc_cache_stats.field) |
1da177e4 LT |
43 | #else |
44 | #define avc_cache_stats_incr(field) do {} while (0) | |
45 | #endif | |
46 | ||
47 | struct avc_entry { | |
48 | u32 ssid; | |
49 | u32 tsid; | |
50 | u16 tclass; | |
51 | struct av_decision avd; | |
fa1aa143 | 52 | struct avc_xperms_node *xp_node; |
1da177e4 LT |
53 | }; |
54 | ||
55 | struct avc_node { | |
56 | struct avc_entry ae; | |
26036651 | 57 | struct hlist_node list; /* anchored in avc_cache->slots[i] */ |
95fff33b | 58 | struct rcu_head rhead; |
1da177e4 LT |
59 | }; |
60 | ||
fa1aa143 JVS |
61 | struct avc_xperms_decision_node { |
62 | struct extended_perms_decision xpd; | |
63 | struct list_head xpd_list; /* list of extended_perms_decision */ | |
64 | }; | |
65 | ||
66 | struct avc_xperms_node { | |
67 | struct extended_perms xp; | |
68 | struct list_head xpd_head; /* list head of extended_perms_decision */ | |
69 | }; | |
70 | ||
1da177e4 | 71 | struct avc_cache { |
26036651 | 72 | struct hlist_head slots[AVC_CACHE_SLOTS]; /* head for avc_node->list */ |
1da177e4 LT |
73 | spinlock_t slots_lock[AVC_CACHE_SLOTS]; /* lock for writes */ |
74 | atomic_t lru_hint; /* LRU hint for reclaim scan */ | |
75 | atomic_t active_nodes; | |
76 | u32 latest_notif; /* latest revocation notification */ | |
77 | }; | |
78 | ||
79 | struct avc_callback_node { | |
562c99f2 | 80 | int (*callback) (u32 event); |
1da177e4 | 81 | u32 events; |
1da177e4 LT |
82 | struct avc_callback_node *next; |
83 | }; | |
84 | ||
85 | /* Exported via selinufs */ | |
86 | unsigned int avc_cache_threshold = AVC_DEF_CACHE_THRESHOLD; | |
87 | ||
88 | #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS | |
89 | DEFINE_PER_CPU(struct avc_cache_stats, avc_cache_stats) = { 0 }; | |
90 | #endif | |
91 | ||
92 | static struct avc_cache avc_cache; | |
93 | static struct avc_callback_node *avc_callbacks; | |
e18b890b | 94 | static struct kmem_cache *avc_node_cachep; |
fa1aa143 JVS |
95 | static struct kmem_cache *avc_xperms_data_cachep; |
96 | static struct kmem_cache *avc_xperms_decision_cachep; | |
97 | static struct kmem_cache *avc_xperms_cachep; | |
1da177e4 LT |
98 | |
99 | static inline int avc_hash(u32 ssid, u32 tsid, u16 tclass) | |
100 | { | |
101 | return (ssid ^ (tsid<<2) ^ (tclass<<4)) & (AVC_CACHE_SLOTS - 1); | |
102 | } | |
103 | ||
104 | /** | |
105 | * avc_dump_av - Display an access vector in human-readable form. | |
106 | * @tclass: target security class | |
107 | * @av: access vector | |
108 | */ | |
44c2d9bd | 109 | static void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av) |
1da177e4 | 110 | { |
c6d3aaa4 SS |
111 | const char **perms; |
112 | int i, perm; | |
1da177e4 LT |
113 | |
114 | if (av == 0) { | |
115 | audit_log_format(ab, " null"); | |
116 | return; | |
117 | } | |
118 | ||
bd1741f4 | 119 | BUG_ON(!tclass || tclass >= ARRAY_SIZE(secclass_map)); |
c6d3aaa4 | 120 | perms = secclass_map[tclass-1].perms; |
1da177e4 LT |
121 | |
122 | audit_log_format(ab, " {"); | |
123 | i = 0; | |
124 | perm = 1; | |
c6d3aaa4 | 125 | while (i < (sizeof(av) * 8)) { |
0bce9527 | 126 | if ((perm & av) && perms[i]) { |
c6d3aaa4 | 127 | audit_log_format(ab, " %s", perms[i]); |
1da177e4 LT |
128 | av &= ~perm; |
129 | } | |
130 | i++; | |
131 | perm <<= 1; | |
132 | } | |
133 | ||
1da177e4 LT |
134 | if (av) |
135 | audit_log_format(ab, " 0x%x", av); | |
136 | ||
137 | audit_log_format(ab, " }"); | |
138 | } | |
139 | ||
140 | /** | |
141 | * avc_dump_query - Display a SID pair and a class in human-readable form. | |
142 | * @ssid: source security identifier | |
143 | * @tsid: target security identifier | |
144 | * @tclass: target security class | |
145 | */ | |
146 | static void avc_dump_query(struct audit_buffer *ab, u32 ssid, u32 tsid, u16 tclass) | |
147 | { | |
148 | int rc; | |
149 | char *scontext; | |
150 | u32 scontext_len; | |
151 | ||
95fff33b | 152 | rc = security_sid_to_context(ssid, &scontext, &scontext_len); |
1da177e4 LT |
153 | if (rc) |
154 | audit_log_format(ab, "ssid=%d", ssid); | |
155 | else { | |
156 | audit_log_format(ab, "scontext=%s", scontext); | |
157 | kfree(scontext); | |
158 | } | |
159 | ||
160 | rc = security_sid_to_context(tsid, &scontext, &scontext_len); | |
161 | if (rc) | |
162 | audit_log_format(ab, " tsid=%d", tsid); | |
163 | else { | |
164 | audit_log_format(ab, " tcontext=%s", scontext); | |
165 | kfree(scontext); | |
166 | } | |
a764ae4b | 167 | |
bd1741f4 | 168 | BUG_ON(!tclass || tclass >= ARRAY_SIZE(secclass_map)); |
c6d3aaa4 | 169 | audit_log_format(ab, " tclass=%s", secclass_map[tclass-1].name); |
1da177e4 LT |
170 | } |
171 | ||
172 | /** | |
173 | * avc_init - Initialize the AVC. | |
174 | * | |
175 | * Initialize the access vector cache. | |
176 | */ | |
177 | void __init avc_init(void) | |
178 | { | |
179 | int i; | |
180 | ||
181 | for (i = 0; i < AVC_CACHE_SLOTS; i++) { | |
26036651 | 182 | INIT_HLIST_HEAD(&avc_cache.slots[i]); |
1da177e4 LT |
183 | spin_lock_init(&avc_cache.slots_lock[i]); |
184 | } | |
185 | atomic_set(&avc_cache.active_nodes, 0); | |
186 | atomic_set(&avc_cache.lru_hint, 0); | |
187 | ||
188 | avc_node_cachep = kmem_cache_create("avc_node", sizeof(struct avc_node), | |
fa1aa143 JVS |
189 | 0, SLAB_PANIC, NULL); |
190 | avc_xperms_cachep = kmem_cache_create("avc_xperms_node", | |
191 | sizeof(struct avc_xperms_node), | |
192 | 0, SLAB_PANIC, NULL); | |
193 | avc_xperms_decision_cachep = kmem_cache_create( | |
194 | "avc_xperms_decision_node", | |
195 | sizeof(struct avc_xperms_decision_node), | |
196 | 0, SLAB_PANIC, NULL); | |
197 | avc_xperms_data_cachep = kmem_cache_create("avc_xperms_data", | |
198 | sizeof(struct extended_perms_data), | |
199 | 0, SLAB_PANIC, NULL); | |
1da177e4 LT |
200 | } |
201 | ||
202 | int avc_get_hash_stats(char *page) | |
203 | { | |
204 | int i, chain_len, max_chain_len, slots_used; | |
205 | struct avc_node *node; | |
26036651 | 206 | struct hlist_head *head; |
1da177e4 LT |
207 | |
208 | rcu_read_lock(); | |
209 | ||
210 | slots_used = 0; | |
211 | max_chain_len = 0; | |
212 | for (i = 0; i < AVC_CACHE_SLOTS; i++) { | |
edf3d1ae | 213 | head = &avc_cache.slots[i]; |
26036651 | 214 | if (!hlist_empty(head)) { |
1da177e4 LT |
215 | slots_used++; |
216 | chain_len = 0; | |
b67bfe0d | 217 | hlist_for_each_entry_rcu(node, head, list) |
1da177e4 LT |
218 | chain_len++; |
219 | if (chain_len > max_chain_len) | |
220 | max_chain_len = chain_len; | |
221 | } | |
222 | } | |
223 | ||
224 | rcu_read_unlock(); | |
225 | ||
226 | return scnprintf(page, PAGE_SIZE, "entries: %d\nbuckets used: %d/%d\n" | |
227 | "longest chain: %d\n", | |
228 | atomic_read(&avc_cache.active_nodes), | |
229 | slots_used, AVC_CACHE_SLOTS, max_chain_len); | |
230 | } | |
231 | ||
fa1aa143 JVS |
232 | /* |
233 | * using a linked list for extended_perms_decision lookup because the list is | |
234 | * always small. i.e. less than 5, typically 1 | |
235 | */ | |
236 | static struct extended_perms_decision *avc_xperms_decision_lookup(u8 driver, | |
237 | struct avc_xperms_node *xp_node) | |
238 | { | |
239 | struct avc_xperms_decision_node *xpd_node; | |
240 | ||
241 | list_for_each_entry(xpd_node, &xp_node->xpd_head, xpd_list) { | |
242 | if (xpd_node->xpd.driver == driver) | |
243 | return &xpd_node->xpd; | |
244 | } | |
245 | return NULL; | |
246 | } | |
247 | ||
248 | static inline unsigned int | |
249 | avc_xperms_has_perm(struct extended_perms_decision *xpd, | |
250 | u8 perm, u8 which) | |
251 | { | |
252 | unsigned int rc = 0; | |
253 | ||
254 | if ((which == XPERMS_ALLOWED) && | |
255 | (xpd->used & XPERMS_ALLOWED)) | |
256 | rc = security_xperm_test(xpd->allowed->p, perm); | |
257 | else if ((which == XPERMS_AUDITALLOW) && | |
258 | (xpd->used & XPERMS_AUDITALLOW)) | |
259 | rc = security_xperm_test(xpd->auditallow->p, perm); | |
260 | else if ((which == XPERMS_DONTAUDIT) && | |
261 | (xpd->used & XPERMS_DONTAUDIT)) | |
262 | rc = security_xperm_test(xpd->dontaudit->p, perm); | |
263 | return rc; | |
264 | } | |
265 | ||
266 | static void avc_xperms_allow_perm(struct avc_xperms_node *xp_node, | |
267 | u8 driver, u8 perm) | |
268 | { | |
269 | struct extended_perms_decision *xpd; | |
270 | security_xperm_set(xp_node->xp.drivers.p, driver); | |
271 | xpd = avc_xperms_decision_lookup(driver, xp_node); | |
272 | if (xpd && xpd->allowed) | |
273 | security_xperm_set(xpd->allowed->p, perm); | |
274 | } | |
275 | ||
276 | static void avc_xperms_decision_free(struct avc_xperms_decision_node *xpd_node) | |
277 | { | |
278 | struct extended_perms_decision *xpd; | |
279 | ||
280 | xpd = &xpd_node->xpd; | |
281 | if (xpd->allowed) | |
282 | kmem_cache_free(avc_xperms_data_cachep, xpd->allowed); | |
283 | if (xpd->auditallow) | |
284 | kmem_cache_free(avc_xperms_data_cachep, xpd->auditallow); | |
285 | if (xpd->dontaudit) | |
286 | kmem_cache_free(avc_xperms_data_cachep, xpd->dontaudit); | |
287 | kmem_cache_free(avc_xperms_decision_cachep, xpd_node); | |
288 | } | |
289 | ||
290 | static void avc_xperms_free(struct avc_xperms_node *xp_node) | |
291 | { | |
292 | struct avc_xperms_decision_node *xpd_node, *tmp; | |
293 | ||
294 | if (!xp_node) | |
295 | return; | |
296 | ||
297 | list_for_each_entry_safe(xpd_node, tmp, &xp_node->xpd_head, xpd_list) { | |
298 | list_del(&xpd_node->xpd_list); | |
299 | avc_xperms_decision_free(xpd_node); | |
300 | } | |
301 | kmem_cache_free(avc_xperms_cachep, xp_node); | |
302 | } | |
303 | ||
304 | static void avc_copy_xperms_decision(struct extended_perms_decision *dest, | |
305 | struct extended_perms_decision *src) | |
306 | { | |
307 | dest->driver = src->driver; | |
308 | dest->used = src->used; | |
309 | if (dest->used & XPERMS_ALLOWED) | |
310 | memcpy(dest->allowed->p, src->allowed->p, | |
311 | sizeof(src->allowed->p)); | |
312 | if (dest->used & XPERMS_AUDITALLOW) | |
313 | memcpy(dest->auditallow->p, src->auditallow->p, | |
314 | sizeof(src->auditallow->p)); | |
315 | if (dest->used & XPERMS_DONTAUDIT) | |
316 | memcpy(dest->dontaudit->p, src->dontaudit->p, | |
317 | sizeof(src->dontaudit->p)); | |
318 | } | |
319 | ||
320 | /* | |
321 | * similar to avc_copy_xperms_decision, but only copy decision | |
322 | * information relevant to this perm | |
323 | */ | |
324 | static inline void avc_quick_copy_xperms_decision(u8 perm, | |
325 | struct extended_perms_decision *dest, | |
326 | struct extended_perms_decision *src) | |
327 | { | |
328 | /* | |
329 | * compute index of the u32 of the 256 bits (8 u32s) that contain this | |
330 | * command permission | |
331 | */ | |
332 | u8 i = perm >> 5; | |
333 | ||
334 | dest->used = src->used; | |
335 | if (dest->used & XPERMS_ALLOWED) | |
336 | dest->allowed->p[i] = src->allowed->p[i]; | |
337 | if (dest->used & XPERMS_AUDITALLOW) | |
338 | dest->auditallow->p[i] = src->auditallow->p[i]; | |
339 | if (dest->used & XPERMS_DONTAUDIT) | |
340 | dest->dontaudit->p[i] = src->dontaudit->p[i]; | |
341 | } | |
342 | ||
343 | static struct avc_xperms_decision_node | |
344 | *avc_xperms_decision_alloc(u8 which) | |
345 | { | |
346 | struct avc_xperms_decision_node *xpd_node; | |
347 | struct extended_perms_decision *xpd; | |
348 | ||
476accbe | 349 | xpd_node = kmem_cache_zalloc(avc_xperms_decision_cachep, GFP_NOWAIT); |
fa1aa143 JVS |
350 | if (!xpd_node) |
351 | return NULL; | |
352 | ||
353 | xpd = &xpd_node->xpd; | |
354 | if (which & XPERMS_ALLOWED) { | |
355 | xpd->allowed = kmem_cache_zalloc(avc_xperms_data_cachep, | |
476accbe | 356 | GFP_NOWAIT); |
fa1aa143 JVS |
357 | if (!xpd->allowed) |
358 | goto error; | |
359 | } | |
360 | if (which & XPERMS_AUDITALLOW) { | |
361 | xpd->auditallow = kmem_cache_zalloc(avc_xperms_data_cachep, | |
476accbe | 362 | GFP_NOWAIT); |
fa1aa143 JVS |
363 | if (!xpd->auditallow) |
364 | goto error; | |
365 | } | |
366 | if (which & XPERMS_DONTAUDIT) { | |
367 | xpd->dontaudit = kmem_cache_zalloc(avc_xperms_data_cachep, | |
476accbe | 368 | GFP_NOWAIT); |
fa1aa143 JVS |
369 | if (!xpd->dontaudit) |
370 | goto error; | |
371 | } | |
372 | return xpd_node; | |
373 | error: | |
374 | avc_xperms_decision_free(xpd_node); | |
375 | return NULL; | |
376 | } | |
377 | ||
378 | static int avc_add_xperms_decision(struct avc_node *node, | |
379 | struct extended_perms_decision *src) | |
380 | { | |
381 | struct avc_xperms_decision_node *dest_xpd; | |
382 | ||
383 | node->ae.xp_node->xp.len++; | |
384 | dest_xpd = avc_xperms_decision_alloc(src->used); | |
385 | if (!dest_xpd) | |
386 | return -ENOMEM; | |
387 | avc_copy_xperms_decision(&dest_xpd->xpd, src); | |
388 | list_add(&dest_xpd->xpd_list, &node->ae.xp_node->xpd_head); | |
389 | return 0; | |
390 | } | |
391 | ||
392 | static struct avc_xperms_node *avc_xperms_alloc(void) | |
393 | { | |
394 | struct avc_xperms_node *xp_node; | |
395 | ||
476accbe | 396 | xp_node = kmem_cache_zalloc(avc_xperms_cachep, GFP_NOWAIT); |
fa1aa143 JVS |
397 | if (!xp_node) |
398 | return xp_node; | |
399 | INIT_LIST_HEAD(&xp_node->xpd_head); | |
400 | return xp_node; | |
401 | } | |
402 | ||
403 | static int avc_xperms_populate(struct avc_node *node, | |
404 | struct avc_xperms_node *src) | |
405 | { | |
406 | struct avc_xperms_node *dest; | |
407 | struct avc_xperms_decision_node *dest_xpd; | |
408 | struct avc_xperms_decision_node *src_xpd; | |
409 | ||
410 | if (src->xp.len == 0) | |
411 | return 0; | |
412 | dest = avc_xperms_alloc(); | |
413 | if (!dest) | |
414 | return -ENOMEM; | |
415 | ||
416 | memcpy(dest->xp.drivers.p, src->xp.drivers.p, sizeof(dest->xp.drivers.p)); | |
417 | dest->xp.len = src->xp.len; | |
418 | ||
419 | /* for each source xpd allocate a destination xpd and copy */ | |
420 | list_for_each_entry(src_xpd, &src->xpd_head, xpd_list) { | |
421 | dest_xpd = avc_xperms_decision_alloc(src_xpd->xpd.used); | |
422 | if (!dest_xpd) | |
423 | goto error; | |
424 | avc_copy_xperms_decision(&dest_xpd->xpd, &src_xpd->xpd); | |
425 | list_add(&dest_xpd->xpd_list, &dest->xpd_head); | |
426 | } | |
427 | node->ae.xp_node = dest; | |
428 | return 0; | |
429 | error: | |
430 | avc_xperms_free(dest); | |
431 | return -ENOMEM; | |
432 | ||
433 | } | |
434 | ||
435 | static inline u32 avc_xperms_audit_required(u32 requested, | |
436 | struct av_decision *avd, | |
437 | struct extended_perms_decision *xpd, | |
438 | u8 perm, | |
439 | int result, | |
440 | u32 *deniedp) | |
441 | { | |
442 | u32 denied, audited; | |
443 | ||
444 | denied = requested & ~avd->allowed; | |
445 | if (unlikely(denied)) { | |
446 | audited = denied & avd->auditdeny; | |
447 | if (audited && xpd) { | |
448 | if (avc_xperms_has_perm(xpd, perm, XPERMS_DONTAUDIT)) | |
449 | audited &= ~requested; | |
450 | } | |
451 | } else if (result) { | |
452 | audited = denied = requested; | |
453 | } else { | |
454 | audited = requested & avd->auditallow; | |
455 | if (audited && xpd) { | |
456 | if (!avc_xperms_has_perm(xpd, perm, XPERMS_AUDITALLOW)) | |
457 | audited &= ~requested; | |
458 | } | |
459 | } | |
460 | ||
461 | *deniedp = denied; | |
462 | return audited; | |
463 | } | |
464 | ||
465 | static inline int avc_xperms_audit(u32 ssid, u32 tsid, u16 tclass, | |
466 | u32 requested, struct av_decision *avd, | |
467 | struct extended_perms_decision *xpd, | |
468 | u8 perm, int result, | |
469 | struct common_audit_data *ad) | |
470 | { | |
471 | u32 audited, denied; | |
472 | ||
473 | audited = avc_xperms_audit_required( | |
474 | requested, avd, xpd, perm, result, &denied); | |
475 | if (likely(!audited)) | |
476 | return 0; | |
477 | return slow_avc_audit(ssid, tsid, tclass, requested, | |
478 | audited, denied, result, ad, 0); | |
479 | } | |
480 | ||
1da177e4 LT |
481 | static void avc_node_free(struct rcu_head *rhead) |
482 | { | |
483 | struct avc_node *node = container_of(rhead, struct avc_node, rhead); | |
fa1aa143 | 484 | avc_xperms_free(node->ae.xp_node); |
1da177e4 LT |
485 | kmem_cache_free(avc_node_cachep, node); |
486 | avc_cache_stats_incr(frees); | |
487 | } | |
488 | ||
489 | static void avc_node_delete(struct avc_node *node) | |
490 | { | |
26036651 | 491 | hlist_del_rcu(&node->list); |
1da177e4 LT |
492 | call_rcu(&node->rhead, avc_node_free); |
493 | atomic_dec(&avc_cache.active_nodes); | |
494 | } | |
495 | ||
496 | static void avc_node_kill(struct avc_node *node) | |
497 | { | |
fa1aa143 | 498 | avc_xperms_free(node->ae.xp_node); |
1da177e4 LT |
499 | kmem_cache_free(avc_node_cachep, node); |
500 | avc_cache_stats_incr(frees); | |
501 | atomic_dec(&avc_cache.active_nodes); | |
502 | } | |
503 | ||
504 | static void avc_node_replace(struct avc_node *new, struct avc_node *old) | |
505 | { | |
26036651 | 506 | hlist_replace_rcu(&old->list, &new->list); |
1da177e4 LT |
507 | call_rcu(&old->rhead, avc_node_free); |
508 | atomic_dec(&avc_cache.active_nodes); | |
509 | } | |
510 | ||
511 | static inline int avc_reclaim_node(void) | |
512 | { | |
513 | struct avc_node *node; | |
514 | int hvalue, try, ecx; | |
515 | unsigned long flags; | |
26036651 | 516 | struct hlist_head *head; |
edf3d1ae | 517 | spinlock_t *lock; |
1da177e4 | 518 | |
95fff33b | 519 | for (try = 0, ecx = 0; try < AVC_CACHE_SLOTS; try++) { |
1da177e4 | 520 | hvalue = atomic_inc_return(&avc_cache.lru_hint) & (AVC_CACHE_SLOTS - 1); |
edf3d1ae EP |
521 | head = &avc_cache.slots[hvalue]; |
522 | lock = &avc_cache.slots_lock[hvalue]; | |
1da177e4 | 523 | |
edf3d1ae | 524 | if (!spin_trylock_irqsave(lock, flags)) |
1da177e4 LT |
525 | continue; |
526 | ||
61844250 | 527 | rcu_read_lock(); |
b67bfe0d | 528 | hlist_for_each_entry(node, head, list) { |
906d27d9 EP |
529 | avc_node_delete(node); |
530 | avc_cache_stats_incr(reclaims); | |
531 | ecx++; | |
532 | if (ecx >= AVC_CACHE_RECLAIM) { | |
533 | rcu_read_unlock(); | |
edf3d1ae | 534 | spin_unlock_irqrestore(lock, flags); |
906d27d9 | 535 | goto out; |
1da177e4 LT |
536 | } |
537 | } | |
61844250 | 538 | rcu_read_unlock(); |
edf3d1ae | 539 | spin_unlock_irqrestore(lock, flags); |
1da177e4 LT |
540 | } |
541 | out: | |
542 | return ecx; | |
543 | } | |
544 | ||
545 | static struct avc_node *avc_alloc_node(void) | |
546 | { | |
547 | struct avc_node *node; | |
548 | ||
476accbe | 549 | node = kmem_cache_zalloc(avc_node_cachep, GFP_NOWAIT); |
1da177e4 LT |
550 | if (!node) |
551 | goto out; | |
552 | ||
26036651 | 553 | INIT_HLIST_NODE(&node->list); |
1da177e4 LT |
554 | avc_cache_stats_incr(allocations); |
555 | ||
556 | if (atomic_inc_return(&avc_cache.active_nodes) > avc_cache_threshold) | |
557 | avc_reclaim_node(); | |
558 | ||
559 | out: | |
560 | return node; | |
561 | } | |
562 | ||
21193dcd | 563 | static void avc_node_populate(struct avc_node *node, u32 ssid, u32 tsid, u16 tclass, struct av_decision *avd) |
1da177e4 LT |
564 | { |
565 | node->ae.ssid = ssid; | |
566 | node->ae.tsid = tsid; | |
567 | node->ae.tclass = tclass; | |
21193dcd | 568 | memcpy(&node->ae.avd, avd, sizeof(node->ae.avd)); |
1da177e4 LT |
569 | } |
570 | ||
571 | static inline struct avc_node *avc_search_node(u32 ssid, u32 tsid, u16 tclass) | |
572 | { | |
573 | struct avc_node *node, *ret = NULL; | |
574 | int hvalue; | |
26036651 | 575 | struct hlist_head *head; |
1da177e4 LT |
576 | |
577 | hvalue = avc_hash(ssid, tsid, tclass); | |
edf3d1ae | 578 | head = &avc_cache.slots[hvalue]; |
b67bfe0d | 579 | hlist_for_each_entry_rcu(node, head, list) { |
1da177e4 LT |
580 | if (ssid == node->ae.ssid && |
581 | tclass == node->ae.tclass && | |
582 | tsid == node->ae.tsid) { | |
583 | ret = node; | |
584 | break; | |
585 | } | |
586 | } | |
587 | ||
1da177e4 LT |
588 | return ret; |
589 | } | |
590 | ||
591 | /** | |
592 | * avc_lookup - Look up an AVC entry. | |
593 | * @ssid: source security identifier | |
594 | * @tsid: target security identifier | |
595 | * @tclass: target security class | |
1da177e4 LT |
596 | * |
597 | * Look up an AVC entry that is valid for the | |
1da177e4 LT |
598 | * (@ssid, @tsid), interpreting the permissions |
599 | * based on @tclass. If a valid AVC entry exists, | |
6382dc33 | 600 | * then this function returns the avc_node. |
1da177e4 LT |
601 | * Otherwise, this function returns NULL. |
602 | */ | |
f1c6381a | 603 | static struct avc_node *avc_lookup(u32 ssid, u32 tsid, u16 tclass) |
1da177e4 LT |
604 | { |
605 | struct avc_node *node; | |
606 | ||
607 | avc_cache_stats_incr(lookups); | |
608 | node = avc_search_node(ssid, tsid, tclass); | |
609 | ||
f1c6381a | 610 | if (node) |
257313b2 | 611 | return node; |
1da177e4 | 612 | |
257313b2 LT |
613 | avc_cache_stats_incr(misses); |
614 | return NULL; | |
1da177e4 LT |
615 | } |
616 | ||
617 | static int avc_latest_notif_update(int seqno, int is_insert) | |
618 | { | |
619 | int ret = 0; | |
620 | static DEFINE_SPINLOCK(notif_lock); | |
621 | unsigned long flag; | |
622 | ||
623 | spin_lock_irqsave(¬if_lock, flag); | |
624 | if (is_insert) { | |
625 | if (seqno < avc_cache.latest_notif) { | |
744ba35e | 626 | printk(KERN_WARNING "SELinux: avc: seqno %d < latest_notif %d\n", |
1da177e4 LT |
627 | seqno, avc_cache.latest_notif); |
628 | ret = -EAGAIN; | |
629 | } | |
630 | } else { | |
631 | if (seqno > avc_cache.latest_notif) | |
632 | avc_cache.latest_notif = seqno; | |
633 | } | |
634 | spin_unlock_irqrestore(¬if_lock, flag); | |
635 | ||
636 | return ret; | |
637 | } | |
638 | ||
639 | /** | |
640 | * avc_insert - Insert an AVC entry. | |
641 | * @ssid: source security identifier | |
642 | * @tsid: target security identifier | |
643 | * @tclass: target security class | |
21193dcd | 644 | * @avd: resulting av decision |
fa1aa143 | 645 | * @xp_node: resulting extended permissions |
1da177e4 LT |
646 | * |
647 | * Insert an AVC entry for the SID pair | |
648 | * (@ssid, @tsid) and class @tclass. | |
649 | * The access vectors and the sequence number are | |
650 | * normally provided by the security server in | |
651 | * response to a security_compute_av() call. If the | |
21193dcd | 652 | * sequence number @avd->seqno is not less than the latest |
1da177e4 LT |
653 | * revocation notification, then the function copies |
654 | * the access vectors into a cache entry, returns | |
655 | * avc_node inserted. Otherwise, this function returns NULL. | |
656 | */ | |
fa1aa143 JVS |
657 | static struct avc_node *avc_insert(u32 ssid, u32 tsid, u16 tclass, |
658 | struct av_decision *avd, | |
659 | struct avc_xperms_node *xp_node) | |
1da177e4 LT |
660 | { |
661 | struct avc_node *pos, *node = NULL; | |
662 | int hvalue; | |
663 | unsigned long flag; | |
664 | ||
21193dcd | 665 | if (avc_latest_notif_update(avd->seqno, 1)) |
1da177e4 LT |
666 | goto out; |
667 | ||
668 | node = avc_alloc_node(); | |
669 | if (node) { | |
26036651 | 670 | struct hlist_head *head; |
edf3d1ae | 671 | spinlock_t *lock; |
fa1aa143 | 672 | int rc = 0; |
edf3d1ae | 673 | |
1da177e4 | 674 | hvalue = avc_hash(ssid, tsid, tclass); |
21193dcd | 675 | avc_node_populate(node, ssid, tsid, tclass, avd); |
fa1aa143 JVS |
676 | rc = avc_xperms_populate(node, xp_node); |
677 | if (rc) { | |
678 | kmem_cache_free(avc_node_cachep, node); | |
679 | return NULL; | |
680 | } | |
edf3d1ae EP |
681 | head = &avc_cache.slots[hvalue]; |
682 | lock = &avc_cache.slots_lock[hvalue]; | |
683 | ||
684 | spin_lock_irqsave(lock, flag); | |
b67bfe0d | 685 | hlist_for_each_entry(pos, head, list) { |
1da177e4 LT |
686 | if (pos->ae.ssid == ssid && |
687 | pos->ae.tsid == tsid && | |
688 | pos->ae.tclass == tclass) { | |
95fff33b | 689 | avc_node_replace(node, pos); |
1da177e4 LT |
690 | goto found; |
691 | } | |
692 | } | |
26036651 | 693 | hlist_add_head_rcu(&node->list, head); |
1da177e4 | 694 | found: |
edf3d1ae | 695 | spin_unlock_irqrestore(lock, flag); |
1da177e4 LT |
696 | } |
697 | out: | |
698 | return node; | |
699 | } | |
700 | ||
2bf49690 TL |
701 | /** |
702 | * avc_audit_pre_callback - SELinux specific information | |
703 | * will be called by generic audit code | |
704 | * @ab: the audit buffer | |
705 | * @a: audit_data | |
706 | */ | |
707 | static void avc_audit_pre_callback(struct audit_buffer *ab, void *a) | |
1da177e4 | 708 | { |
2bf49690 TL |
709 | struct common_audit_data *ad = a; |
710 | audit_log_format(ab, "avc: %s ", | |
899838b2 EP |
711 | ad->selinux_audit_data->denied ? "denied" : "granted"); |
712 | avc_dump_av(ab, ad->selinux_audit_data->tclass, | |
713 | ad->selinux_audit_data->audited); | |
2bf49690 | 714 | audit_log_format(ab, " for "); |
1da177e4 LT |
715 | } |
716 | ||
2bf49690 TL |
717 | /** |
718 | * avc_audit_post_callback - SELinux specific information | |
719 | * will be called by generic audit code | |
720 | * @ab: the audit buffer | |
721 | * @a: audit_data | |
722 | */ | |
723 | static void avc_audit_post_callback(struct audit_buffer *ab, void *a) | |
1da177e4 | 724 | { |
2bf49690 TL |
725 | struct common_audit_data *ad = a; |
726 | audit_log_format(ab, " "); | |
899838b2 EP |
727 | avc_dump_query(ab, ad->selinux_audit_data->ssid, |
728 | ad->selinux_audit_data->tsid, | |
729 | ad->selinux_audit_data->tclass); | |
ca7786a2 SS |
730 | if (ad->selinux_audit_data->denied) { |
731 | audit_log_format(ab, " permissive=%u", | |
732 | ad->selinux_audit_data->result ? 0 : 1); | |
733 | } | |
1da177e4 LT |
734 | } |
735 | ||
48aab2f7 | 736 | /* This is the slow part of avc audit with big stack footprint */ |
2e334057 | 737 | noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass, |
ca7786a2 | 738 | u32 requested, u32 audited, u32 denied, int result, |
f8294f11 | 739 | struct common_audit_data *a, |
48aab2f7 LT |
740 | unsigned flags) |
741 | { | |
742 | struct common_audit_data stack_data; | |
899838b2 | 743 | struct selinux_audit_data sad; |
48aab2f7 LT |
744 | |
745 | if (!a) { | |
746 | a = &stack_data; | |
50c205f5 | 747 | a->type = LSM_AUDIT_DATA_NONE; |
48aab2f7 LT |
748 | } |
749 | ||
750 | /* | |
751 | * When in a RCU walk do the audit on the RCU retry. This is because | |
752 | * the collection of the dname in an inode audit message is not RCU | |
753 | * safe. Note this may drop some audits when the situation changes | |
754 | * during retry. However this is logically just as if the operation | |
755 | * happened a little later. | |
756 | */ | |
757 | if ((a->type == LSM_AUDIT_DATA_INODE) && | |
758 | (flags & MAY_NOT_BLOCK)) | |
759 | return -ECHILD; | |
760 | ||
899838b2 EP |
761 | sad.tclass = tclass; |
762 | sad.requested = requested; | |
763 | sad.ssid = ssid; | |
764 | sad.tsid = tsid; | |
765 | sad.audited = audited; | |
766 | sad.denied = denied; | |
ca7786a2 | 767 | sad.result = result; |
899838b2 EP |
768 | |
769 | a->selinux_audit_data = &sad; | |
3f0882c4 | 770 | |
b61c37f5 | 771 | common_lsm_audit(a, avc_audit_pre_callback, avc_audit_post_callback); |
48aab2f7 LT |
772 | return 0; |
773 | } | |
774 | ||
1da177e4 LT |
775 | /** |
776 | * avc_add_callback - Register a callback for security events. | |
777 | * @callback: callback function | |
778 | * @events: security events | |
1da177e4 | 779 | * |
562c99f2 WG |
780 | * Register a callback function for events in the set @events. |
781 | * Returns %0 on success or -%ENOMEM if insufficient memory | |
782 | * exists to add the callback. | |
1da177e4 | 783 | */ |
562c99f2 | 784 | int __init avc_add_callback(int (*callback)(u32 event), u32 events) |
1da177e4 LT |
785 | { |
786 | struct avc_callback_node *c; | |
787 | int rc = 0; | |
788 | ||
0b36e44c | 789 | c = kmalloc(sizeof(*c), GFP_KERNEL); |
1da177e4 LT |
790 | if (!c) { |
791 | rc = -ENOMEM; | |
792 | goto out; | |
793 | } | |
794 | ||
795 | c->callback = callback; | |
796 | c->events = events; | |
1da177e4 LT |
797 | c->next = avc_callbacks; |
798 | avc_callbacks = c; | |
799 | out: | |
800 | return rc; | |
801 | } | |
802 | ||
1da177e4 LT |
803 | /** |
804 | * avc_update_node Update an AVC entry | |
805 | * @event : Updating event | |
806 | * @perms : Permission mask bits | |
807 | * @ssid,@tsid,@tclass : identifier of an AVC entry | |
a5dda683 | 808 | * @seqno : sequence number when decision was made |
fa1aa143 | 809 | * @xpd: extended_perms_decision to be added to the node |
1da177e4 LT |
810 | * |
811 | * if a valid AVC entry doesn't exist,this function returns -ENOENT. | |
812 | * if kmalloc() called internal returns NULL, this function returns -ENOMEM. | |
6382dc33 | 813 | * otherwise, this function updates the AVC entry. The original AVC-entry object |
1da177e4 LT |
814 | * will release later by RCU. |
815 | */ | |
fa1aa143 JVS |
816 | static int avc_update_node(u32 event, u32 perms, u8 driver, u8 xperm, u32 ssid, |
817 | u32 tsid, u16 tclass, u32 seqno, | |
818 | struct extended_perms_decision *xpd, | |
819 | u32 flags) | |
1da177e4 LT |
820 | { |
821 | int hvalue, rc = 0; | |
822 | unsigned long flag; | |
823 | struct avc_node *pos, *node, *orig = NULL; | |
26036651 | 824 | struct hlist_head *head; |
edf3d1ae | 825 | spinlock_t *lock; |
1da177e4 LT |
826 | |
827 | node = avc_alloc_node(); | |
828 | if (!node) { | |
829 | rc = -ENOMEM; | |
830 | goto out; | |
831 | } | |
832 | ||
833 | /* Lock the target slot */ | |
834 | hvalue = avc_hash(ssid, tsid, tclass); | |
1da177e4 | 835 | |
edf3d1ae EP |
836 | head = &avc_cache.slots[hvalue]; |
837 | lock = &avc_cache.slots_lock[hvalue]; | |
838 | ||
839 | spin_lock_irqsave(lock, flag); | |
840 | ||
b67bfe0d | 841 | hlist_for_each_entry(pos, head, list) { |
95fff33b EP |
842 | if (ssid == pos->ae.ssid && |
843 | tsid == pos->ae.tsid && | |
a5dda683 EP |
844 | tclass == pos->ae.tclass && |
845 | seqno == pos->ae.avd.seqno){ | |
1da177e4 LT |
846 | orig = pos; |
847 | break; | |
848 | } | |
849 | } | |
850 | ||
851 | if (!orig) { | |
852 | rc = -ENOENT; | |
853 | avc_node_kill(node); | |
854 | goto out_unlock; | |
855 | } | |
856 | ||
857 | /* | |
858 | * Copy and replace original node. | |
859 | */ | |
860 | ||
21193dcd | 861 | avc_node_populate(node, ssid, tsid, tclass, &orig->ae.avd); |
1da177e4 | 862 | |
fa1aa143 JVS |
863 | if (orig->ae.xp_node) { |
864 | rc = avc_xperms_populate(node, orig->ae.xp_node); | |
865 | if (rc) { | |
866 | kmem_cache_free(avc_node_cachep, node); | |
867 | goto out_unlock; | |
868 | } | |
869 | } | |
870 | ||
1da177e4 LT |
871 | switch (event) { |
872 | case AVC_CALLBACK_GRANT: | |
873 | node->ae.avd.allowed |= perms; | |
fa1aa143 JVS |
874 | if (node->ae.xp_node && (flags & AVC_EXTENDED_PERMS)) |
875 | avc_xperms_allow_perm(node->ae.xp_node, driver, xperm); | |
1da177e4 LT |
876 | break; |
877 | case AVC_CALLBACK_TRY_REVOKE: | |
878 | case AVC_CALLBACK_REVOKE: | |
879 | node->ae.avd.allowed &= ~perms; | |
880 | break; | |
881 | case AVC_CALLBACK_AUDITALLOW_ENABLE: | |
882 | node->ae.avd.auditallow |= perms; | |
883 | break; | |
884 | case AVC_CALLBACK_AUDITALLOW_DISABLE: | |
885 | node->ae.avd.auditallow &= ~perms; | |
886 | break; | |
887 | case AVC_CALLBACK_AUDITDENY_ENABLE: | |
888 | node->ae.avd.auditdeny |= perms; | |
889 | break; | |
890 | case AVC_CALLBACK_AUDITDENY_DISABLE: | |
891 | node->ae.avd.auditdeny &= ~perms; | |
892 | break; | |
fa1aa143 JVS |
893 | case AVC_CALLBACK_ADD_XPERMS: |
894 | avc_add_xperms_decision(node, xpd); | |
895 | break; | |
1da177e4 LT |
896 | } |
897 | avc_node_replace(node, orig); | |
898 | out_unlock: | |
edf3d1ae | 899 | spin_unlock_irqrestore(lock, flag); |
1da177e4 LT |
900 | out: |
901 | return rc; | |
902 | } | |
903 | ||
904 | /** | |
008574b1 | 905 | * avc_flush - Flush the cache |
1da177e4 | 906 | */ |
008574b1 | 907 | static void avc_flush(void) |
1da177e4 | 908 | { |
26036651 | 909 | struct hlist_head *head; |
008574b1 | 910 | struct avc_node *node; |
edf3d1ae | 911 | spinlock_t *lock; |
008574b1 EP |
912 | unsigned long flag; |
913 | int i; | |
1da177e4 LT |
914 | |
915 | for (i = 0; i < AVC_CACHE_SLOTS; i++) { | |
edf3d1ae EP |
916 | head = &avc_cache.slots[i]; |
917 | lock = &avc_cache.slots_lock[i]; | |
918 | ||
919 | spin_lock_irqsave(lock, flag); | |
61844250 PM |
920 | /* |
921 | * With preemptable RCU, the outer spinlock does not | |
922 | * prevent RCU grace periods from ending. | |
923 | */ | |
924 | rcu_read_lock(); | |
b67bfe0d | 925 | hlist_for_each_entry(node, head, list) |
1da177e4 | 926 | avc_node_delete(node); |
61844250 | 927 | rcu_read_unlock(); |
edf3d1ae | 928 | spin_unlock_irqrestore(lock, flag); |
1da177e4 | 929 | } |
008574b1 EP |
930 | } |
931 | ||
932 | /** | |
933 | * avc_ss_reset - Flush the cache and revalidate migrated permissions. | |
934 | * @seqno: policy sequence number | |
935 | */ | |
936 | int avc_ss_reset(u32 seqno) | |
937 | { | |
938 | struct avc_callback_node *c; | |
939 | int rc = 0, tmprc; | |
940 | ||
941 | avc_flush(); | |
1da177e4 LT |
942 | |
943 | for (c = avc_callbacks; c; c = c->next) { | |
944 | if (c->events & AVC_CALLBACK_RESET) { | |
562c99f2 | 945 | tmprc = c->callback(AVC_CALLBACK_RESET); |
376bd9cb DG |
946 | /* save the first error encountered for the return |
947 | value and continue processing the callbacks */ | |
948 | if (!rc) | |
949 | rc = tmprc; | |
1da177e4 LT |
950 | } |
951 | } | |
952 | ||
953 | avc_latest_notif_update(seqno, 0); | |
1da177e4 LT |
954 | return rc; |
955 | } | |
956 | ||
a554bea8 LT |
957 | /* |
958 | * Slow-path helper function for avc_has_perm_noaudit, | |
959 | * when the avc_node lookup fails. We get called with | |
960 | * the RCU read lock held, and need to return with it | |
961 | * still held, but drop if for the security compute. | |
962 | * | |
963 | * Don't inline this, since it's the slow-path and just | |
964 | * results in a bigger stack frame. | |
965 | */ | |
966 | static noinline struct avc_node *avc_compute_av(u32 ssid, u32 tsid, | |
fa1aa143 JVS |
967 | u16 tclass, struct av_decision *avd, |
968 | struct avc_xperms_node *xp_node) | |
a554bea8 LT |
969 | { |
970 | rcu_read_unlock(); | |
fa1aa143 JVS |
971 | INIT_LIST_HEAD(&xp_node->xpd_head); |
972 | security_compute_av(ssid, tsid, tclass, avd, &xp_node->xp); | |
a554bea8 | 973 | rcu_read_lock(); |
fa1aa143 | 974 | return avc_insert(ssid, tsid, tclass, avd, xp_node); |
a554bea8 LT |
975 | } |
976 | ||
977 | static noinline int avc_denied(u32 ssid, u32 tsid, | |
fa1aa143 JVS |
978 | u16 tclass, u32 requested, |
979 | u8 driver, u8 xperm, unsigned flags, | |
980 | struct av_decision *avd) | |
a554bea8 LT |
981 | { |
982 | if (flags & AVC_STRICT) | |
983 | return -EACCES; | |
984 | ||
985 | if (selinux_enforcing && !(avd->flags & AVD_FLAGS_PERMISSIVE)) | |
986 | return -EACCES; | |
987 | ||
fa1aa143 JVS |
988 | avc_update_node(AVC_CALLBACK_GRANT, requested, driver, xperm, ssid, |
989 | tsid, tclass, avd->seqno, NULL, flags); | |
a554bea8 LT |
990 | return 0; |
991 | } | |
992 | ||
fa1aa143 JVS |
993 | /* |
994 | * The avc extended permissions logic adds an additional 256 bits of | |
995 | * permissions to an avc node when extended permissions for that node are | |
996 | * specified in the avtab. If the additional 256 permissions is not adequate, | |
997 | * as-is the case with ioctls, then multiple may be chained together and the | |
998 | * driver field is used to specify which set contains the permission. | |
999 | */ | |
1000 | int avc_has_extended_perms(u32 ssid, u32 tsid, u16 tclass, u32 requested, | |
1001 | u8 driver, u8 xperm, struct common_audit_data *ad) | |
1002 | { | |
1003 | struct avc_node *node; | |
1004 | struct av_decision avd; | |
1005 | u32 denied; | |
1006 | struct extended_perms_decision local_xpd; | |
1007 | struct extended_perms_decision *xpd = NULL; | |
1008 | struct extended_perms_data allowed; | |
1009 | struct extended_perms_data auditallow; | |
1010 | struct extended_perms_data dontaudit; | |
1011 | struct avc_xperms_node local_xp_node; | |
1012 | struct avc_xperms_node *xp_node; | |
1013 | int rc = 0, rc2; | |
1014 | ||
1015 | xp_node = &local_xp_node; | |
1016 | BUG_ON(!requested); | |
1017 | ||
1018 | rcu_read_lock(); | |
1019 | ||
1020 | node = avc_lookup(ssid, tsid, tclass); | |
1021 | if (unlikely(!node)) { | |
1022 | node = avc_compute_av(ssid, tsid, tclass, &avd, xp_node); | |
1023 | } else { | |
1024 | memcpy(&avd, &node->ae.avd, sizeof(avd)); | |
1025 | xp_node = node->ae.xp_node; | |
1026 | } | |
1027 | /* if extended permissions are not defined, only consider av_decision */ | |
1028 | if (!xp_node || !xp_node->xp.len) | |
1029 | goto decision; | |
1030 | ||
1031 | local_xpd.allowed = &allowed; | |
1032 | local_xpd.auditallow = &auditallow; | |
1033 | local_xpd.dontaudit = &dontaudit; | |
1034 | ||
1035 | xpd = avc_xperms_decision_lookup(driver, xp_node); | |
1036 | if (unlikely(!xpd)) { | |
1037 | /* | |
1038 | * Compute the extended_perms_decision only if the driver | |
1039 | * is flagged | |
1040 | */ | |
1041 | if (!security_xperm_test(xp_node->xp.drivers.p, driver)) { | |
1042 | avd.allowed &= ~requested; | |
1043 | goto decision; | |
1044 | } | |
1045 | rcu_read_unlock(); | |
1046 | security_compute_xperms_decision(ssid, tsid, tclass, driver, | |
1047 | &local_xpd); | |
1048 | rcu_read_lock(); | |
1049 | avc_update_node(AVC_CALLBACK_ADD_XPERMS, requested, driver, xperm, | |
1050 | ssid, tsid, tclass, avd.seqno, &local_xpd, 0); | |
1051 | } else { | |
1052 | avc_quick_copy_xperms_decision(xperm, &local_xpd, xpd); | |
1053 | } | |
1054 | xpd = &local_xpd; | |
1055 | ||
1056 | if (!avc_xperms_has_perm(xpd, xperm, XPERMS_ALLOWED)) | |
1057 | avd.allowed &= ~requested; | |
1058 | ||
1059 | decision: | |
1060 | denied = requested & ~(avd.allowed); | |
1061 | if (unlikely(denied)) | |
1062 | rc = avc_denied(ssid, tsid, tclass, requested, driver, xperm, | |
1063 | AVC_EXTENDED_PERMS, &avd); | |
1064 | ||
1065 | rcu_read_unlock(); | |
1066 | ||
1067 | rc2 = avc_xperms_audit(ssid, tsid, tclass, requested, | |
1068 | &avd, xpd, xperm, rc, ad); | |
1069 | if (rc2) | |
1070 | return rc2; | |
1071 | return rc; | |
1072 | } | |
a554bea8 | 1073 | |
1da177e4 LT |
1074 | /** |
1075 | * avc_has_perm_noaudit - Check permissions but perform no auditing. | |
1076 | * @ssid: source security identifier | |
1077 | * @tsid: target security identifier | |
1078 | * @tclass: target security class | |
1079 | * @requested: requested permissions, interpreted based on @tclass | |
2c3c05db | 1080 | * @flags: AVC_STRICT or 0 |
1da177e4 LT |
1081 | * @avd: access vector decisions |
1082 | * | |
1083 | * Check the AVC to determine whether the @requested permissions are granted | |
1084 | * for the SID pair (@ssid, @tsid), interpreting the permissions | |
1085 | * based on @tclass, and call the security server on a cache miss to obtain | |
1086 | * a new decision and add it to the cache. Return a copy of the decisions | |
1087 | * in @avd. Return %0 if all @requested permissions are granted, | |
1088 | * -%EACCES if any permissions are denied, or another -errno upon | |
1089 | * other errors. This function is typically called by avc_has_perm(), | |
1090 | * but may also be called directly to separate permission checking from | |
1091 | * auditing, e.g. in cases where a lock must be held for the check but | |
1092 | * should be released for the auditing. | |
1093 | */ | |
cdb0f9a1 | 1094 | inline int avc_has_perm_noaudit(u32 ssid, u32 tsid, |
2c3c05db SS |
1095 | u16 tclass, u32 requested, |
1096 | unsigned flags, | |
f01e1af4 | 1097 | struct av_decision *avd) |
1da177e4 LT |
1098 | { |
1099 | struct avc_node *node; | |
fa1aa143 | 1100 | struct avc_xperms_node xp_node; |
1da177e4 LT |
1101 | int rc = 0; |
1102 | u32 denied; | |
1103 | ||
eda4f69c EP |
1104 | BUG_ON(!requested); |
1105 | ||
1da177e4 LT |
1106 | rcu_read_lock(); |
1107 | ||
f1c6381a | 1108 | node = avc_lookup(ssid, tsid, tclass); |
83d4a806 | 1109 | if (unlikely(!node)) |
fa1aa143 | 1110 | node = avc_compute_av(ssid, tsid, tclass, avd, &xp_node); |
83d4a806 | 1111 | else |
f01e1af4 | 1112 | memcpy(avd, &node->ae.avd, sizeof(*avd)); |
1da177e4 | 1113 | |
21193dcd | 1114 | denied = requested & ~(avd->allowed); |
a554bea8 | 1115 | if (unlikely(denied)) |
fa1aa143 | 1116 | rc = avc_denied(ssid, tsid, tclass, requested, 0, 0, flags, avd); |
1da177e4 LT |
1117 | |
1118 | rcu_read_unlock(); | |
1da177e4 LT |
1119 | return rc; |
1120 | } | |
1121 | ||
1122 | /** | |
1123 | * avc_has_perm - Check permissions and perform any appropriate auditing. | |
1124 | * @ssid: source security identifier | |
1125 | * @tsid: target security identifier | |
1126 | * @tclass: target security class | |
1127 | * @requested: requested permissions, interpreted based on @tclass | |
1128 | * @auditdata: auxiliary audit data | |
1129 | * | |
1130 | * Check the AVC to determine whether the @requested permissions are granted | |
1131 | * for the SID pair (@ssid, @tsid), interpreting the permissions | |
1132 | * based on @tclass, and call the security server on a cache miss to obtain | |
1133 | * a new decision and add it to the cache. Audit the granting or denial of | |
1134 | * permissions in accordance with the policy. Return %0 if all @requested | |
1135 | * permissions are granted, -%EACCES if any permissions are denied, or | |
1136 | * another -errno upon other errors. | |
1137 | */ | |
cb4fbe57 LT |
1138 | int avc_has_perm(u32 ssid, u32 tsid, u16 tclass, |
1139 | u32 requested, struct common_audit_data *auditdata) | |
1da177e4 LT |
1140 | { |
1141 | struct av_decision avd; | |
9ade0cf4 | 1142 | int rc, rc2; |
1da177e4 | 1143 | |
2c3c05db | 1144 | rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, &avd); |
9ade0cf4 | 1145 | |
7b20ea25 N |
1146 | rc2 = avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata, 0); |
1147 | if (rc2) | |
1148 | return rc2; | |
1149 | return rc; | |
1150 | } | |
1151 | ||
1152 | int avc_has_perm_flags(u32 ssid, u32 tsid, u16 tclass, | |
1153 | u32 requested, struct common_audit_data *auditdata, | |
1154 | int flags) | |
1155 | { | |
1156 | struct av_decision avd; | |
1157 | int rc, rc2; | |
1158 | ||
1159 | rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, &avd); | |
1160 | ||
1161 | rc2 = avc_audit(ssid, tsid, tclass, requested, &avd, rc, | |
1162 | auditdata, flags); | |
9ade0cf4 EP |
1163 | if (rc2) |
1164 | return rc2; | |
1da177e4 LT |
1165 | return rc; |
1166 | } | |
788e7dd4 YN |
1167 | |
1168 | u32 avc_policy_seqno(void) | |
1169 | { | |
1170 | return avc_cache.latest_notif; | |
1171 | } | |
89c86576 TL |
1172 | |
1173 | void avc_disable(void) | |
1174 | { | |
5224ee08 EP |
1175 | /* |
1176 | * If you are looking at this because you have realized that we are | |
1177 | * not destroying the avc_node_cachep it might be easy to fix, but | |
1178 | * I don't know the memory barrier semantics well enough to know. It's | |
1179 | * possible that some other task dereferenced security_ops when | |
1180 | * it still pointed to selinux operations. If that is the case it's | |
1181 | * possible that it is about to use the avc and is about to need the | |
1182 | * avc_node_cachep. I know I could wrap the security.c security_ops call | |
1183 | * in an rcu_lock, but seriously, it's not worth it. Instead I just flush | |
1184 | * the cache and get that memory back. | |
1185 | */ | |
1186 | if (avc_node_cachep) { | |
1187 | avc_flush(); | |
1188 | /* kmem_cache_destroy(avc_node_cachep); */ | |
1189 | } | |
89c86576 | 1190 | } |