]>
Commit | Line | Data |
---|---|---|
d2912cb1 | 1 | // SPDX-License-Identifier: GPL-2.0-only |
1da177e4 LT |
2 | /* |
3 | * Implementation of the kernel access vector cache (AVC). | |
4 | * | |
7efbb60b | 5 | * Authors: Stephen Smalley, <sds@tycho.nsa.gov> |
95fff33b | 6 | * James Morris <jmorris@redhat.com> |
1da177e4 LT |
7 | * |
8 | * Update: KaiGai, Kohei <kaigai@ak.jp.nec.com> | |
95fff33b | 9 | * Replaced the avc_lock spinlock by RCU. |
1da177e4 LT |
10 | * |
11 | * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> | |
1da177e4 LT |
12 | */ |
13 | #include <linux/types.h> | |
14 | #include <linux/stddef.h> | |
15 | #include <linux/kernel.h> | |
16 | #include <linux/slab.h> | |
17 | #include <linux/fs.h> | |
18 | #include <linux/dcache.h> | |
19 | #include <linux/init.h> | |
20 | #include <linux/skbuff.h> | |
21 | #include <linux/percpu.h> | |
fa1aa143 | 22 | #include <linux/list.h> |
1da177e4 LT |
23 | #include <net/sock.h> |
24 | #include <linux/un.h> | |
25 | #include <net/af_unix.h> | |
26 | #include <linux/ip.h> | |
27 | #include <linux/audit.h> | |
28 | #include <linux/ipv6.h> | |
29 | #include <net/ipv6.h> | |
30 | #include "avc.h" | |
31 | #include "avc_ss.h" | |
c6d3aaa4 | 32 | #include "classmap.h" |
5c458998 | 33 | |
dd816621 TW |
34 | #define CREATE_TRACE_POINTS |
35 | #include <trace/events/avc.h> | |
36 | ||
1da177e4 LT |
37 | #define AVC_CACHE_SLOTS 512 |
38 | #define AVC_DEF_CACHE_THRESHOLD 512 | |
39 | #define AVC_CACHE_RECLAIM 16 | |
40 | ||
41 | #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS | |
044aea9b | 42 | #define avc_cache_stats_incr(field) this_cpu_inc(avc_cache_stats.field) |
1da177e4 LT |
43 | #else |
44 | #define avc_cache_stats_incr(field) do {} while (0) | |
45 | #endif | |
46 | ||
47 | struct avc_entry { | |
48 | u32 ssid; | |
49 | u32 tsid; | |
50 | u16 tclass; | |
51 | struct av_decision avd; | |
fa1aa143 | 52 | struct avc_xperms_node *xp_node; |
1da177e4 LT |
53 | }; |
54 | ||
55 | struct avc_node { | |
56 | struct avc_entry ae; | |
26036651 | 57 | struct hlist_node list; /* anchored in avc_cache->slots[i] */ |
95fff33b | 58 | struct rcu_head rhead; |
1da177e4 LT |
59 | }; |
60 | ||
fa1aa143 JVS |
61 | struct avc_xperms_decision_node { |
62 | struct extended_perms_decision xpd; | |
63 | struct list_head xpd_list; /* list of extended_perms_decision */ | |
64 | }; | |
65 | ||
66 | struct avc_xperms_node { | |
67 | struct extended_perms xp; | |
68 | struct list_head xpd_head; /* list head of extended_perms_decision */ | |
69 | }; | |
70 | ||
1da177e4 | 71 | struct avc_cache { |
26036651 | 72 | struct hlist_head slots[AVC_CACHE_SLOTS]; /* head for avc_node->list */ |
1da177e4 LT |
73 | spinlock_t slots_lock[AVC_CACHE_SLOTS]; /* lock for writes */ |
74 | atomic_t lru_hint; /* LRU hint for reclaim scan */ | |
75 | atomic_t active_nodes; | |
76 | u32 latest_notif; /* latest revocation notification */ | |
77 | }; | |
78 | ||
79 | struct avc_callback_node { | |
562c99f2 | 80 | int (*callback) (u32 event); |
1da177e4 | 81 | u32 events; |
1da177e4 LT |
82 | struct avc_callback_node *next; |
83 | }; | |
84 | ||
1da177e4 LT |
85 | #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS |
86 | DEFINE_PER_CPU(struct avc_cache_stats, avc_cache_stats) = { 0 }; | |
87 | #endif | |
88 | ||
6b6bc620 SS |
89 | struct selinux_avc { |
90 | unsigned int avc_cache_threshold; | |
91 | struct avc_cache avc_cache; | |
92 | }; | |
93 | ||
94 | static struct selinux_avc selinux_avc; | |
95 | ||
96 | void selinux_avc_init(struct selinux_avc **avc) | |
97 | { | |
98 | int i; | |
99 | ||
100 | selinux_avc.avc_cache_threshold = AVC_DEF_CACHE_THRESHOLD; | |
101 | for (i = 0; i < AVC_CACHE_SLOTS; i++) { | |
102 | INIT_HLIST_HEAD(&selinux_avc.avc_cache.slots[i]); | |
103 | spin_lock_init(&selinux_avc.avc_cache.slots_lock[i]); | |
104 | } | |
105 | atomic_set(&selinux_avc.avc_cache.active_nodes, 0); | |
106 | atomic_set(&selinux_avc.avc_cache.lru_hint, 0); | |
107 | *avc = &selinux_avc; | |
108 | } | |
109 | ||
110 | unsigned int avc_get_cache_threshold(struct selinux_avc *avc) | |
111 | { | |
112 | return avc->avc_cache_threshold; | |
113 | } | |
114 | ||
115 | void avc_set_cache_threshold(struct selinux_avc *avc, | |
116 | unsigned int cache_threshold) | |
117 | { | |
118 | avc->avc_cache_threshold = cache_threshold; | |
119 | } | |
120 | ||
1da177e4 | 121 | static struct avc_callback_node *avc_callbacks; |
e18b890b | 122 | static struct kmem_cache *avc_node_cachep; |
fa1aa143 JVS |
123 | static struct kmem_cache *avc_xperms_data_cachep; |
124 | static struct kmem_cache *avc_xperms_decision_cachep; | |
125 | static struct kmem_cache *avc_xperms_cachep; | |
1da177e4 LT |
126 | |
127 | static inline int avc_hash(u32 ssid, u32 tsid, u16 tclass) | |
128 | { | |
129 | return (ssid ^ (tsid<<2) ^ (tclass<<4)) & (AVC_CACHE_SLOTS - 1); | |
130 | } | |
131 | ||
1da177e4 LT |
132 | /** |
133 | * avc_init - Initialize the AVC. | |
134 | * | |
135 | * Initialize the access vector cache. | |
136 | */ | |
137 | void __init avc_init(void) | |
138 | { | |
1da177e4 | 139 | avc_node_cachep = kmem_cache_create("avc_node", sizeof(struct avc_node), |
fa1aa143 JVS |
140 | 0, SLAB_PANIC, NULL); |
141 | avc_xperms_cachep = kmem_cache_create("avc_xperms_node", | |
142 | sizeof(struct avc_xperms_node), | |
143 | 0, SLAB_PANIC, NULL); | |
144 | avc_xperms_decision_cachep = kmem_cache_create( | |
145 | "avc_xperms_decision_node", | |
146 | sizeof(struct avc_xperms_decision_node), | |
147 | 0, SLAB_PANIC, NULL); | |
148 | avc_xperms_data_cachep = kmem_cache_create("avc_xperms_data", | |
149 | sizeof(struct extended_perms_data), | |
150 | 0, SLAB_PANIC, NULL); | |
1da177e4 LT |
151 | } |
152 | ||
6b6bc620 | 153 | int avc_get_hash_stats(struct selinux_avc *avc, char *page) |
1da177e4 LT |
154 | { |
155 | int i, chain_len, max_chain_len, slots_used; | |
156 | struct avc_node *node; | |
26036651 | 157 | struct hlist_head *head; |
1da177e4 LT |
158 | |
159 | rcu_read_lock(); | |
160 | ||
161 | slots_used = 0; | |
162 | max_chain_len = 0; | |
163 | for (i = 0; i < AVC_CACHE_SLOTS; i++) { | |
6b6bc620 | 164 | head = &avc->avc_cache.slots[i]; |
26036651 | 165 | if (!hlist_empty(head)) { |
1da177e4 LT |
166 | slots_used++; |
167 | chain_len = 0; | |
b67bfe0d | 168 | hlist_for_each_entry_rcu(node, head, list) |
1da177e4 LT |
169 | chain_len++; |
170 | if (chain_len > max_chain_len) | |
171 | max_chain_len = chain_len; | |
172 | } | |
173 | } | |
174 | ||
175 | rcu_read_unlock(); | |
176 | ||
177 | return scnprintf(page, PAGE_SIZE, "entries: %d\nbuckets used: %d/%d\n" | |
178 | "longest chain: %d\n", | |
6b6bc620 | 179 | atomic_read(&avc->avc_cache.active_nodes), |
1da177e4 LT |
180 | slots_used, AVC_CACHE_SLOTS, max_chain_len); |
181 | } | |
182 | ||
fa1aa143 JVS |
183 | /* |
184 | * using a linked list for extended_perms_decision lookup because the list is | |
185 | * always small. i.e. less than 5, typically 1 | |
186 | */ | |
187 | static struct extended_perms_decision *avc_xperms_decision_lookup(u8 driver, | |
188 | struct avc_xperms_node *xp_node) | |
189 | { | |
190 | struct avc_xperms_decision_node *xpd_node; | |
191 | ||
192 | list_for_each_entry(xpd_node, &xp_node->xpd_head, xpd_list) { | |
193 | if (xpd_node->xpd.driver == driver) | |
194 | return &xpd_node->xpd; | |
195 | } | |
196 | return NULL; | |
197 | } | |
198 | ||
199 | static inline unsigned int | |
200 | avc_xperms_has_perm(struct extended_perms_decision *xpd, | |
201 | u8 perm, u8 which) | |
202 | { | |
203 | unsigned int rc = 0; | |
204 | ||
205 | if ((which == XPERMS_ALLOWED) && | |
206 | (xpd->used & XPERMS_ALLOWED)) | |
207 | rc = security_xperm_test(xpd->allowed->p, perm); | |
208 | else if ((which == XPERMS_AUDITALLOW) && | |
209 | (xpd->used & XPERMS_AUDITALLOW)) | |
210 | rc = security_xperm_test(xpd->auditallow->p, perm); | |
211 | else if ((which == XPERMS_DONTAUDIT) && | |
212 | (xpd->used & XPERMS_DONTAUDIT)) | |
213 | rc = security_xperm_test(xpd->dontaudit->p, perm); | |
214 | return rc; | |
215 | } | |
216 | ||
217 | static void avc_xperms_allow_perm(struct avc_xperms_node *xp_node, | |
218 | u8 driver, u8 perm) | |
219 | { | |
220 | struct extended_perms_decision *xpd; | |
221 | security_xperm_set(xp_node->xp.drivers.p, driver); | |
222 | xpd = avc_xperms_decision_lookup(driver, xp_node); | |
223 | if (xpd && xpd->allowed) | |
224 | security_xperm_set(xpd->allowed->p, perm); | |
225 | } | |
226 | ||
227 | static void avc_xperms_decision_free(struct avc_xperms_decision_node *xpd_node) | |
228 | { | |
229 | struct extended_perms_decision *xpd; | |
230 | ||
231 | xpd = &xpd_node->xpd; | |
232 | if (xpd->allowed) | |
233 | kmem_cache_free(avc_xperms_data_cachep, xpd->allowed); | |
234 | if (xpd->auditallow) | |
235 | kmem_cache_free(avc_xperms_data_cachep, xpd->auditallow); | |
236 | if (xpd->dontaudit) | |
237 | kmem_cache_free(avc_xperms_data_cachep, xpd->dontaudit); | |
238 | kmem_cache_free(avc_xperms_decision_cachep, xpd_node); | |
239 | } | |
240 | ||
241 | static void avc_xperms_free(struct avc_xperms_node *xp_node) | |
242 | { | |
243 | struct avc_xperms_decision_node *xpd_node, *tmp; | |
244 | ||
245 | if (!xp_node) | |
246 | return; | |
247 | ||
248 | list_for_each_entry_safe(xpd_node, tmp, &xp_node->xpd_head, xpd_list) { | |
249 | list_del(&xpd_node->xpd_list); | |
250 | avc_xperms_decision_free(xpd_node); | |
251 | } | |
252 | kmem_cache_free(avc_xperms_cachep, xp_node); | |
253 | } | |
254 | ||
255 | static void avc_copy_xperms_decision(struct extended_perms_decision *dest, | |
256 | struct extended_perms_decision *src) | |
257 | { | |
258 | dest->driver = src->driver; | |
259 | dest->used = src->used; | |
260 | if (dest->used & XPERMS_ALLOWED) | |
261 | memcpy(dest->allowed->p, src->allowed->p, | |
262 | sizeof(src->allowed->p)); | |
263 | if (dest->used & XPERMS_AUDITALLOW) | |
264 | memcpy(dest->auditallow->p, src->auditallow->p, | |
265 | sizeof(src->auditallow->p)); | |
266 | if (dest->used & XPERMS_DONTAUDIT) | |
267 | memcpy(dest->dontaudit->p, src->dontaudit->p, | |
268 | sizeof(src->dontaudit->p)); | |
269 | } | |
270 | ||
271 | /* | |
272 | * similar to avc_copy_xperms_decision, but only copy decision | |
273 | * information relevant to this perm | |
274 | */ | |
275 | static inline void avc_quick_copy_xperms_decision(u8 perm, | |
276 | struct extended_perms_decision *dest, | |
277 | struct extended_perms_decision *src) | |
278 | { | |
279 | /* | |
280 | * compute index of the u32 of the 256 bits (8 u32s) that contain this | |
281 | * command permission | |
282 | */ | |
283 | u8 i = perm >> 5; | |
284 | ||
285 | dest->used = src->used; | |
286 | if (dest->used & XPERMS_ALLOWED) | |
287 | dest->allowed->p[i] = src->allowed->p[i]; | |
288 | if (dest->used & XPERMS_AUDITALLOW) | |
289 | dest->auditallow->p[i] = src->auditallow->p[i]; | |
290 | if (dest->used & XPERMS_DONTAUDIT) | |
291 | dest->dontaudit->p[i] = src->dontaudit->p[i]; | |
292 | } | |
293 | ||
294 | static struct avc_xperms_decision_node | |
295 | *avc_xperms_decision_alloc(u8 which) | |
296 | { | |
297 | struct avc_xperms_decision_node *xpd_node; | |
298 | struct extended_perms_decision *xpd; | |
299 | ||
476accbe | 300 | xpd_node = kmem_cache_zalloc(avc_xperms_decision_cachep, GFP_NOWAIT); |
fa1aa143 JVS |
301 | if (!xpd_node) |
302 | return NULL; | |
303 | ||
304 | xpd = &xpd_node->xpd; | |
305 | if (which & XPERMS_ALLOWED) { | |
306 | xpd->allowed = kmem_cache_zalloc(avc_xperms_data_cachep, | |
476accbe | 307 | GFP_NOWAIT); |
fa1aa143 JVS |
308 | if (!xpd->allowed) |
309 | goto error; | |
310 | } | |
311 | if (which & XPERMS_AUDITALLOW) { | |
312 | xpd->auditallow = kmem_cache_zalloc(avc_xperms_data_cachep, | |
476accbe | 313 | GFP_NOWAIT); |
fa1aa143 JVS |
314 | if (!xpd->auditallow) |
315 | goto error; | |
316 | } | |
317 | if (which & XPERMS_DONTAUDIT) { | |
318 | xpd->dontaudit = kmem_cache_zalloc(avc_xperms_data_cachep, | |
476accbe | 319 | GFP_NOWAIT); |
fa1aa143 JVS |
320 | if (!xpd->dontaudit) |
321 | goto error; | |
322 | } | |
323 | return xpd_node; | |
324 | error: | |
325 | avc_xperms_decision_free(xpd_node); | |
326 | return NULL; | |
327 | } | |
328 | ||
329 | static int avc_add_xperms_decision(struct avc_node *node, | |
330 | struct extended_perms_decision *src) | |
331 | { | |
332 | struct avc_xperms_decision_node *dest_xpd; | |
333 | ||
334 | node->ae.xp_node->xp.len++; | |
335 | dest_xpd = avc_xperms_decision_alloc(src->used); | |
336 | if (!dest_xpd) | |
337 | return -ENOMEM; | |
338 | avc_copy_xperms_decision(&dest_xpd->xpd, src); | |
339 | list_add(&dest_xpd->xpd_list, &node->ae.xp_node->xpd_head); | |
340 | return 0; | |
341 | } | |
342 | ||
343 | static struct avc_xperms_node *avc_xperms_alloc(void) | |
344 | { | |
345 | struct avc_xperms_node *xp_node; | |
346 | ||
476accbe | 347 | xp_node = kmem_cache_zalloc(avc_xperms_cachep, GFP_NOWAIT); |
fa1aa143 JVS |
348 | if (!xp_node) |
349 | return xp_node; | |
350 | INIT_LIST_HEAD(&xp_node->xpd_head); | |
351 | return xp_node; | |
352 | } | |
353 | ||
354 | static int avc_xperms_populate(struct avc_node *node, | |
355 | struct avc_xperms_node *src) | |
356 | { | |
357 | struct avc_xperms_node *dest; | |
358 | struct avc_xperms_decision_node *dest_xpd; | |
359 | struct avc_xperms_decision_node *src_xpd; | |
360 | ||
361 | if (src->xp.len == 0) | |
362 | return 0; | |
363 | dest = avc_xperms_alloc(); | |
364 | if (!dest) | |
365 | return -ENOMEM; | |
366 | ||
367 | memcpy(dest->xp.drivers.p, src->xp.drivers.p, sizeof(dest->xp.drivers.p)); | |
368 | dest->xp.len = src->xp.len; | |
369 | ||
370 | /* for each source xpd allocate a destination xpd and copy */ | |
371 | list_for_each_entry(src_xpd, &src->xpd_head, xpd_list) { | |
372 | dest_xpd = avc_xperms_decision_alloc(src_xpd->xpd.used); | |
373 | if (!dest_xpd) | |
374 | goto error; | |
375 | avc_copy_xperms_decision(&dest_xpd->xpd, &src_xpd->xpd); | |
376 | list_add(&dest_xpd->xpd_list, &dest->xpd_head); | |
377 | } | |
378 | node->ae.xp_node = dest; | |
379 | return 0; | |
380 | error: | |
381 | avc_xperms_free(dest); | |
382 | return -ENOMEM; | |
383 | ||
384 | } | |
385 | ||
386 | static inline u32 avc_xperms_audit_required(u32 requested, | |
387 | struct av_decision *avd, | |
388 | struct extended_perms_decision *xpd, | |
389 | u8 perm, | |
390 | int result, | |
391 | u32 *deniedp) | |
392 | { | |
393 | u32 denied, audited; | |
394 | ||
395 | denied = requested & ~avd->allowed; | |
396 | if (unlikely(denied)) { | |
397 | audited = denied & avd->auditdeny; | |
398 | if (audited && xpd) { | |
399 | if (avc_xperms_has_perm(xpd, perm, XPERMS_DONTAUDIT)) | |
400 | audited &= ~requested; | |
401 | } | |
402 | } else if (result) { | |
403 | audited = denied = requested; | |
404 | } else { | |
405 | audited = requested & avd->auditallow; | |
406 | if (audited && xpd) { | |
407 | if (!avc_xperms_has_perm(xpd, perm, XPERMS_AUDITALLOW)) | |
408 | audited &= ~requested; | |
409 | } | |
410 | } | |
411 | ||
412 | *deniedp = denied; | |
413 | return audited; | |
414 | } | |
415 | ||
6b6bc620 SS |
416 | static inline int avc_xperms_audit(struct selinux_state *state, |
417 | u32 ssid, u32 tsid, u16 tclass, | |
418 | u32 requested, struct av_decision *avd, | |
419 | struct extended_perms_decision *xpd, | |
420 | u8 perm, int result, | |
421 | struct common_audit_data *ad) | |
fa1aa143 JVS |
422 | { |
423 | u32 audited, denied; | |
424 | ||
425 | audited = avc_xperms_audit_required( | |
426 | requested, avd, xpd, perm, result, &denied); | |
427 | if (likely(!audited)) | |
428 | return 0; | |
6b6bc620 | 429 | return slow_avc_audit(state, ssid, tsid, tclass, requested, |
0188d5c0 | 430 | audited, denied, result, ad); |
fa1aa143 JVS |
431 | } |
432 | ||
1da177e4 LT |
433 | static void avc_node_free(struct rcu_head *rhead) |
434 | { | |
435 | struct avc_node *node = container_of(rhead, struct avc_node, rhead); | |
fa1aa143 | 436 | avc_xperms_free(node->ae.xp_node); |
1da177e4 LT |
437 | kmem_cache_free(avc_node_cachep, node); |
438 | avc_cache_stats_incr(frees); | |
439 | } | |
440 | ||
6b6bc620 | 441 | static void avc_node_delete(struct selinux_avc *avc, struct avc_node *node) |
1da177e4 | 442 | { |
26036651 | 443 | hlist_del_rcu(&node->list); |
1da177e4 | 444 | call_rcu(&node->rhead, avc_node_free); |
6b6bc620 | 445 | atomic_dec(&avc->avc_cache.active_nodes); |
1da177e4 LT |
446 | } |
447 | ||
6b6bc620 | 448 | static void avc_node_kill(struct selinux_avc *avc, struct avc_node *node) |
1da177e4 | 449 | { |
fa1aa143 | 450 | avc_xperms_free(node->ae.xp_node); |
1da177e4 LT |
451 | kmem_cache_free(avc_node_cachep, node); |
452 | avc_cache_stats_incr(frees); | |
6b6bc620 | 453 | atomic_dec(&avc->avc_cache.active_nodes); |
1da177e4 LT |
454 | } |
455 | ||
6b6bc620 SS |
456 | static void avc_node_replace(struct selinux_avc *avc, |
457 | struct avc_node *new, struct avc_node *old) | |
1da177e4 | 458 | { |
26036651 | 459 | hlist_replace_rcu(&old->list, &new->list); |
1da177e4 | 460 | call_rcu(&old->rhead, avc_node_free); |
6b6bc620 | 461 | atomic_dec(&avc->avc_cache.active_nodes); |
1da177e4 LT |
462 | } |
463 | ||
6b6bc620 | 464 | static inline int avc_reclaim_node(struct selinux_avc *avc) |
1da177e4 LT |
465 | { |
466 | struct avc_node *node; | |
467 | int hvalue, try, ecx; | |
468 | unsigned long flags; | |
26036651 | 469 | struct hlist_head *head; |
edf3d1ae | 470 | spinlock_t *lock; |
1da177e4 | 471 | |
95fff33b | 472 | for (try = 0, ecx = 0; try < AVC_CACHE_SLOTS; try++) { |
6b6bc620 SS |
473 | hvalue = atomic_inc_return(&avc->avc_cache.lru_hint) & |
474 | (AVC_CACHE_SLOTS - 1); | |
475 | head = &avc->avc_cache.slots[hvalue]; | |
476 | lock = &avc->avc_cache.slots_lock[hvalue]; | |
1da177e4 | 477 | |
edf3d1ae | 478 | if (!spin_trylock_irqsave(lock, flags)) |
1da177e4 LT |
479 | continue; |
480 | ||
61844250 | 481 | rcu_read_lock(); |
b67bfe0d | 482 | hlist_for_each_entry(node, head, list) { |
6b6bc620 | 483 | avc_node_delete(avc, node); |
906d27d9 EP |
484 | avc_cache_stats_incr(reclaims); |
485 | ecx++; | |
486 | if (ecx >= AVC_CACHE_RECLAIM) { | |
487 | rcu_read_unlock(); | |
edf3d1ae | 488 | spin_unlock_irqrestore(lock, flags); |
906d27d9 | 489 | goto out; |
1da177e4 LT |
490 | } |
491 | } | |
61844250 | 492 | rcu_read_unlock(); |
edf3d1ae | 493 | spin_unlock_irqrestore(lock, flags); |
1da177e4 LT |
494 | } |
495 | out: | |
496 | return ecx; | |
497 | } | |
498 | ||
6b6bc620 | 499 | static struct avc_node *avc_alloc_node(struct selinux_avc *avc) |
1da177e4 LT |
500 | { |
501 | struct avc_node *node; | |
502 | ||
476accbe | 503 | node = kmem_cache_zalloc(avc_node_cachep, GFP_NOWAIT); |
1da177e4 LT |
504 | if (!node) |
505 | goto out; | |
506 | ||
26036651 | 507 | INIT_HLIST_NODE(&node->list); |
1da177e4 LT |
508 | avc_cache_stats_incr(allocations); |
509 | ||
6b6bc620 SS |
510 | if (atomic_inc_return(&avc->avc_cache.active_nodes) > |
511 | avc->avc_cache_threshold) | |
512 | avc_reclaim_node(avc); | |
1da177e4 LT |
513 | |
514 | out: | |
515 | return node; | |
516 | } | |
517 | ||
21193dcd | 518 | static void avc_node_populate(struct avc_node *node, u32 ssid, u32 tsid, u16 tclass, struct av_decision *avd) |
1da177e4 LT |
519 | { |
520 | node->ae.ssid = ssid; | |
521 | node->ae.tsid = tsid; | |
522 | node->ae.tclass = tclass; | |
21193dcd | 523 | memcpy(&node->ae.avd, avd, sizeof(node->ae.avd)); |
1da177e4 LT |
524 | } |
525 | ||
6b6bc620 SS |
526 | static inline struct avc_node *avc_search_node(struct selinux_avc *avc, |
527 | u32 ssid, u32 tsid, u16 tclass) | |
1da177e4 LT |
528 | { |
529 | struct avc_node *node, *ret = NULL; | |
530 | int hvalue; | |
26036651 | 531 | struct hlist_head *head; |
1da177e4 LT |
532 | |
533 | hvalue = avc_hash(ssid, tsid, tclass); | |
6b6bc620 | 534 | head = &avc->avc_cache.slots[hvalue]; |
b67bfe0d | 535 | hlist_for_each_entry_rcu(node, head, list) { |
1da177e4 LT |
536 | if (ssid == node->ae.ssid && |
537 | tclass == node->ae.tclass && | |
538 | tsid == node->ae.tsid) { | |
539 | ret = node; | |
540 | break; | |
541 | } | |
542 | } | |
543 | ||
1da177e4 LT |
544 | return ret; |
545 | } | |
546 | ||
547 | /** | |
548 | * avc_lookup - Look up an AVC entry. | |
549 | * @ssid: source security identifier | |
550 | * @tsid: target security identifier | |
551 | * @tclass: target security class | |
1da177e4 LT |
552 | * |
553 | * Look up an AVC entry that is valid for the | |
1da177e4 LT |
554 | * (@ssid, @tsid), interpreting the permissions |
555 | * based on @tclass. If a valid AVC entry exists, | |
6382dc33 | 556 | * then this function returns the avc_node. |
1da177e4 LT |
557 | * Otherwise, this function returns NULL. |
558 | */ | |
6b6bc620 SS |
559 | static struct avc_node *avc_lookup(struct selinux_avc *avc, |
560 | u32 ssid, u32 tsid, u16 tclass) | |
1da177e4 LT |
561 | { |
562 | struct avc_node *node; | |
563 | ||
564 | avc_cache_stats_incr(lookups); | |
6b6bc620 | 565 | node = avc_search_node(avc, ssid, tsid, tclass); |
1da177e4 | 566 | |
f1c6381a | 567 | if (node) |
257313b2 | 568 | return node; |
1da177e4 | 569 | |
257313b2 LT |
570 | avc_cache_stats_incr(misses); |
571 | return NULL; | |
1da177e4 LT |
572 | } |
573 | ||
6b6bc620 SS |
574 | static int avc_latest_notif_update(struct selinux_avc *avc, |
575 | int seqno, int is_insert) | |
1da177e4 LT |
576 | { |
577 | int ret = 0; | |
578 | static DEFINE_SPINLOCK(notif_lock); | |
579 | unsigned long flag; | |
580 | ||
581 | spin_lock_irqsave(¬if_lock, flag); | |
582 | if (is_insert) { | |
6b6bc620 | 583 | if (seqno < avc->avc_cache.latest_notif) { |
07c81ac2 | 584 | pr_warn("SELinux: avc: seqno %d < latest_notif %d\n", |
6b6bc620 | 585 | seqno, avc->avc_cache.latest_notif); |
1da177e4 LT |
586 | ret = -EAGAIN; |
587 | } | |
588 | } else { | |
6b6bc620 SS |
589 | if (seqno > avc->avc_cache.latest_notif) |
590 | avc->avc_cache.latest_notif = seqno; | |
1da177e4 LT |
591 | } |
592 | spin_unlock_irqrestore(¬if_lock, flag); | |
593 | ||
594 | return ret; | |
595 | } | |
596 | ||
597 | /** | |
598 | * avc_insert - Insert an AVC entry. | |
599 | * @ssid: source security identifier | |
600 | * @tsid: target security identifier | |
601 | * @tclass: target security class | |
21193dcd | 602 | * @avd: resulting av decision |
fa1aa143 | 603 | * @xp_node: resulting extended permissions |
1da177e4 LT |
604 | * |
605 | * Insert an AVC entry for the SID pair | |
606 | * (@ssid, @tsid) and class @tclass. | |
607 | * The access vectors and the sequence number are | |
608 | * normally provided by the security server in | |
609 | * response to a security_compute_av() call. If the | |
21193dcd | 610 | * sequence number @avd->seqno is not less than the latest |
1da177e4 LT |
611 | * revocation notification, then the function copies |
612 | * the access vectors into a cache entry, returns | |
613 | * avc_node inserted. Otherwise, this function returns NULL. | |
614 | */ | |
6b6bc620 SS |
615 | static struct avc_node *avc_insert(struct selinux_avc *avc, |
616 | u32 ssid, u32 tsid, u16 tclass, | |
617 | struct av_decision *avd, | |
618 | struct avc_xperms_node *xp_node) | |
1da177e4 LT |
619 | { |
620 | struct avc_node *pos, *node = NULL; | |
621 | int hvalue; | |
622 | unsigned long flag; | |
d8db60cb PM |
623 | spinlock_t *lock; |
624 | struct hlist_head *head; | |
1da177e4 | 625 | |
6b6bc620 | 626 | if (avc_latest_notif_update(avc, avd->seqno, 1)) |
d8db60cb | 627 | return NULL; |
1da177e4 | 628 | |
6b6bc620 | 629 | node = avc_alloc_node(avc); |
d8db60cb PM |
630 | if (!node) |
631 | return NULL; | |
edf3d1ae | 632 | |
d8db60cb PM |
633 | avc_node_populate(node, ssid, tsid, tclass, avd); |
634 | if (avc_xperms_populate(node, xp_node)) { | |
635 | avc_node_kill(avc, node); | |
636 | return NULL; | |
637 | } | |
638 | ||
639 | hvalue = avc_hash(ssid, tsid, tclass); | |
640 | head = &avc->avc_cache.slots[hvalue]; | |
641 | lock = &avc->avc_cache.slots_lock[hvalue]; | |
642 | spin_lock_irqsave(lock, flag); | |
643 | hlist_for_each_entry(pos, head, list) { | |
644 | if (pos->ae.ssid == ssid && | |
645 | pos->ae.tsid == tsid && | |
646 | pos->ae.tclass == tclass) { | |
647 | avc_node_replace(avc, node, pos); | |
648 | goto found; | |
1da177e4 | 649 | } |
1da177e4 | 650 | } |
d8db60cb PM |
651 | hlist_add_head_rcu(&node->list, head); |
652 | found: | |
653 | spin_unlock_irqrestore(lock, flag); | |
1da177e4 LT |
654 | return node; |
655 | } | |
656 | ||
2bf49690 TL |
657 | /** |
658 | * avc_audit_pre_callback - SELinux specific information | |
659 | * will be called by generic audit code | |
660 | * @ab: the audit buffer | |
661 | * @a: audit_data | |
662 | */ | |
663 | static void avc_audit_pre_callback(struct audit_buffer *ab, void *a) | |
1da177e4 | 664 | { |
2bf49690 | 665 | struct common_audit_data *ad = a; |
a2c51383 OM |
666 | struct selinux_audit_data *sad = ad->selinux_audit_data; |
667 | u32 av = sad->audited; | |
668 | const char **perms; | |
669 | int i, perm; | |
670 | ||
671 | audit_log_format(ab, "avc: %s ", sad->denied ? "denied" : "granted"); | |
672 | ||
673 | if (av == 0) { | |
45189a19 | 674 | audit_log_format(ab, " null"); |
a2c51383 OM |
675 | return; |
676 | } | |
677 | ||
a2c51383 OM |
678 | perms = secclass_map[sad->tclass-1].perms; |
679 | ||
45189a19 | 680 | audit_log_format(ab, " {"); |
a2c51383 OM |
681 | i = 0; |
682 | perm = 1; | |
683 | while (i < (sizeof(av) * 8)) { | |
684 | if ((perm & av) && perms[i]) { | |
685 | audit_log_format(ab, " %s", perms[i]); | |
686 | av &= ~perm; | |
687 | } | |
688 | i++; | |
689 | perm <<= 1; | |
690 | } | |
691 | ||
692 | if (av) | |
693 | audit_log_format(ab, " 0x%x", av); | |
694 | ||
45189a19 | 695 | audit_log_format(ab, " } for "); |
1da177e4 LT |
696 | } |
697 | ||
2bf49690 TL |
698 | /** |
699 | * avc_audit_post_callback - SELinux specific information | |
700 | * will be called by generic audit code | |
701 | * @ab: the audit buffer | |
702 | * @a: audit_data | |
703 | */ | |
704 | static void avc_audit_post_callback(struct audit_buffer *ab, void *a) | |
1da177e4 | 705 | { |
2bf49690 | 706 | struct common_audit_data *ad = a; |
a2c51383 | 707 | struct selinux_audit_data *sad = ad->selinux_audit_data; |
30969bc8 PE |
708 | char *scontext = NULL; |
709 | char *tcontext = NULL; | |
710 | const char *tclass = NULL; | |
a2c51383 | 711 | u32 scontext_len; |
30969bc8 | 712 | u32 tcontext_len; |
a2c51383 OM |
713 | int rc; |
714 | ||
715 | rc = security_sid_to_context(sad->state, sad->ssid, &scontext, | |
716 | &scontext_len); | |
717 | if (rc) | |
718 | audit_log_format(ab, " ssid=%d", sad->ssid); | |
30969bc8 | 719 | else |
a2c51383 | 720 | audit_log_format(ab, " scontext=%s", scontext); |
a2c51383 | 721 | |
30969bc8 PE |
722 | rc = security_sid_to_context(sad->state, sad->tsid, &tcontext, |
723 | &tcontext_len); | |
a2c51383 OM |
724 | if (rc) |
725 | audit_log_format(ab, " tsid=%d", sad->tsid); | |
30969bc8 PE |
726 | else |
727 | audit_log_format(ab, " tcontext=%s", tcontext); | |
a2c51383 | 728 | |
30969bc8 PE |
729 | tclass = secclass_map[sad->tclass-1].name; |
730 | audit_log_format(ab, " tclass=%s", tclass); | |
a2c51383 OM |
731 | |
732 | if (sad->denied) | |
733 | audit_log_format(ab, " permissive=%u", sad->result ? 0 : 1); | |
fede1483 | 734 | |
30969bc8 PE |
735 | trace_selinux_audited(sad, scontext, tcontext, tclass); |
736 | kfree(tcontext); | |
737 | kfree(scontext); | |
738 | ||
fede1483 OM |
739 | /* in case of invalid context report also the actual context string */ |
740 | rc = security_sid_to_context_inval(sad->state, sad->ssid, &scontext, | |
741 | &scontext_len); | |
742 | if (!rc && scontext) { | |
aff7ed48 OM |
743 | if (scontext_len && scontext[scontext_len - 1] == '\0') |
744 | scontext_len--; | |
745 | audit_log_format(ab, " srawcon="); | |
746 | audit_log_n_untrustedstring(ab, scontext, scontext_len); | |
fede1483 OM |
747 | kfree(scontext); |
748 | } | |
749 | ||
750 | rc = security_sid_to_context_inval(sad->state, sad->tsid, &scontext, | |
751 | &scontext_len); | |
752 | if (!rc && scontext) { | |
aff7ed48 OM |
753 | if (scontext_len && scontext[scontext_len - 1] == '\0') |
754 | scontext_len--; | |
755 | audit_log_format(ab, " trawcon="); | |
756 | audit_log_n_untrustedstring(ab, scontext, scontext_len); | |
fede1483 OM |
757 | kfree(scontext); |
758 | } | |
1da177e4 LT |
759 | } |
760 | ||
48aab2f7 | 761 | /* This is the slow part of avc audit with big stack footprint */ |
6b6bc620 SS |
762 | noinline int slow_avc_audit(struct selinux_state *state, |
763 | u32 ssid, u32 tsid, u16 tclass, | |
764 | u32 requested, u32 audited, u32 denied, int result, | |
0188d5c0 | 765 | struct common_audit_data *a) |
48aab2f7 LT |
766 | { |
767 | struct common_audit_data stack_data; | |
899838b2 | 768 | struct selinux_audit_data sad; |
48aab2f7 | 769 | |
994fb065 OM |
770 | if (WARN_ON(!tclass || tclass >= ARRAY_SIZE(secclass_map))) |
771 | return -EINVAL; | |
772 | ||
48aab2f7 LT |
773 | if (!a) { |
774 | a = &stack_data; | |
50c205f5 | 775 | a->type = LSM_AUDIT_DATA_NONE; |
48aab2f7 LT |
776 | } |
777 | ||
899838b2 EP |
778 | sad.tclass = tclass; |
779 | sad.requested = requested; | |
780 | sad.ssid = ssid; | |
781 | sad.tsid = tsid; | |
782 | sad.audited = audited; | |
783 | sad.denied = denied; | |
ca7786a2 | 784 | sad.result = result; |
6b6bc620 | 785 | sad.state = state; |
899838b2 EP |
786 | |
787 | a->selinux_audit_data = &sad; | |
3f0882c4 | 788 | |
b61c37f5 | 789 | common_lsm_audit(a, avc_audit_pre_callback, avc_audit_post_callback); |
48aab2f7 LT |
790 | return 0; |
791 | } | |
792 | ||
1da177e4 LT |
793 | /** |
794 | * avc_add_callback - Register a callback for security events. | |
795 | * @callback: callback function | |
796 | * @events: security events | |
1da177e4 | 797 | * |
562c99f2 WG |
798 | * Register a callback function for events in the set @events. |
799 | * Returns %0 on success or -%ENOMEM if insufficient memory | |
800 | * exists to add the callback. | |
1da177e4 | 801 | */ |
562c99f2 | 802 | int __init avc_add_callback(int (*callback)(u32 event), u32 events) |
1da177e4 LT |
803 | { |
804 | struct avc_callback_node *c; | |
805 | int rc = 0; | |
806 | ||
0b36e44c | 807 | c = kmalloc(sizeof(*c), GFP_KERNEL); |
1da177e4 LT |
808 | if (!c) { |
809 | rc = -ENOMEM; | |
810 | goto out; | |
811 | } | |
812 | ||
813 | c->callback = callback; | |
814 | c->events = events; | |
1da177e4 LT |
815 | c->next = avc_callbacks; |
816 | avc_callbacks = c; | |
817 | out: | |
818 | return rc; | |
819 | } | |
820 | ||
1da177e4 LT |
821 | /** |
822 | * avc_update_node Update an AVC entry | |
823 | * @event : Updating event | |
824 | * @perms : Permission mask bits | |
825 | * @ssid,@tsid,@tclass : identifier of an AVC entry | |
a5dda683 | 826 | * @seqno : sequence number when decision was made |
fa1aa143 | 827 | * @xpd: extended_perms_decision to be added to the node |
3a28cff3 | 828 | * @flags: the AVC_* flags, e.g. AVC_NONBLOCKING, AVC_EXTENDED_PERMS, or 0. |
1da177e4 LT |
829 | * |
830 | * if a valid AVC entry doesn't exist,this function returns -ENOENT. | |
831 | * if kmalloc() called internal returns NULL, this function returns -ENOMEM. | |
6382dc33 | 832 | * otherwise, this function updates the AVC entry. The original AVC-entry object |
1da177e4 LT |
833 | * will release later by RCU. |
834 | */ | |
6b6bc620 SS |
835 | static int avc_update_node(struct selinux_avc *avc, |
836 | u32 event, u32 perms, u8 driver, u8 xperm, u32 ssid, | |
837 | u32 tsid, u16 tclass, u32 seqno, | |
838 | struct extended_perms_decision *xpd, | |
839 | u32 flags) | |
1da177e4 LT |
840 | { |
841 | int hvalue, rc = 0; | |
842 | unsigned long flag; | |
843 | struct avc_node *pos, *node, *orig = NULL; | |
26036651 | 844 | struct hlist_head *head; |
edf3d1ae | 845 | spinlock_t *lock; |
1da177e4 | 846 | |
3a28cff3 SS |
847 | /* |
848 | * If we are in a non-blocking code path, e.g. VFS RCU walk, | |
849 | * then we must not add permissions to a cache entry | |
0188d5c0 | 850 | * because we will not audit the denial. Otherwise, |
3a28cff3 SS |
851 | * during the subsequent blocking retry (e.g. VFS ref walk), we |
852 | * will find the permissions already granted in the cache entry | |
853 | * and won't audit anything at all, leading to silent denials in | |
854 | * permissive mode that only appear when in enforcing mode. | |
855 | * | |
0188d5c0 SS |
856 | * See the corresponding handling of MAY_NOT_BLOCK in avc_audit() |
857 | * and selinux_inode_permission(). | |
3a28cff3 SS |
858 | */ |
859 | if (flags & AVC_NONBLOCKING) | |
860 | return 0; | |
861 | ||
6b6bc620 | 862 | node = avc_alloc_node(avc); |
1da177e4 LT |
863 | if (!node) { |
864 | rc = -ENOMEM; | |
865 | goto out; | |
866 | } | |
867 | ||
868 | /* Lock the target slot */ | |
869 | hvalue = avc_hash(ssid, tsid, tclass); | |
1da177e4 | 870 | |
6b6bc620 SS |
871 | head = &avc->avc_cache.slots[hvalue]; |
872 | lock = &avc->avc_cache.slots_lock[hvalue]; | |
edf3d1ae EP |
873 | |
874 | spin_lock_irqsave(lock, flag); | |
875 | ||
b67bfe0d | 876 | hlist_for_each_entry(pos, head, list) { |
95fff33b EP |
877 | if (ssid == pos->ae.ssid && |
878 | tsid == pos->ae.tsid && | |
a5dda683 EP |
879 | tclass == pos->ae.tclass && |
880 | seqno == pos->ae.avd.seqno){ | |
1da177e4 LT |
881 | orig = pos; |
882 | break; | |
883 | } | |
884 | } | |
885 | ||
886 | if (!orig) { | |
887 | rc = -ENOENT; | |
6b6bc620 | 888 | avc_node_kill(avc, node); |
1da177e4 LT |
889 | goto out_unlock; |
890 | } | |
891 | ||
892 | /* | |
893 | * Copy and replace original node. | |
894 | */ | |
895 | ||
21193dcd | 896 | avc_node_populate(node, ssid, tsid, tclass, &orig->ae.avd); |
1da177e4 | 897 | |
fa1aa143 JVS |
898 | if (orig->ae.xp_node) { |
899 | rc = avc_xperms_populate(node, orig->ae.xp_node); | |
900 | if (rc) { | |
030b995a | 901 | avc_node_kill(avc, node); |
fa1aa143 JVS |
902 | goto out_unlock; |
903 | } | |
904 | } | |
905 | ||
1da177e4 LT |
906 | switch (event) { |
907 | case AVC_CALLBACK_GRANT: | |
908 | node->ae.avd.allowed |= perms; | |
fa1aa143 JVS |
909 | if (node->ae.xp_node && (flags & AVC_EXTENDED_PERMS)) |
910 | avc_xperms_allow_perm(node->ae.xp_node, driver, xperm); | |
1da177e4 LT |
911 | break; |
912 | case AVC_CALLBACK_TRY_REVOKE: | |
913 | case AVC_CALLBACK_REVOKE: | |
914 | node->ae.avd.allowed &= ~perms; | |
915 | break; | |
916 | case AVC_CALLBACK_AUDITALLOW_ENABLE: | |
917 | node->ae.avd.auditallow |= perms; | |
918 | break; | |
919 | case AVC_CALLBACK_AUDITALLOW_DISABLE: | |
920 | node->ae.avd.auditallow &= ~perms; | |
921 | break; | |
922 | case AVC_CALLBACK_AUDITDENY_ENABLE: | |
923 | node->ae.avd.auditdeny |= perms; | |
924 | break; | |
925 | case AVC_CALLBACK_AUDITDENY_DISABLE: | |
926 | node->ae.avd.auditdeny &= ~perms; | |
927 | break; | |
fa1aa143 JVS |
928 | case AVC_CALLBACK_ADD_XPERMS: |
929 | avc_add_xperms_decision(node, xpd); | |
930 | break; | |
1da177e4 | 931 | } |
6b6bc620 | 932 | avc_node_replace(avc, node, orig); |
1da177e4 | 933 | out_unlock: |
edf3d1ae | 934 | spin_unlock_irqrestore(lock, flag); |
1da177e4 LT |
935 | out: |
936 | return rc; | |
937 | } | |
938 | ||
939 | /** | |
008574b1 | 940 | * avc_flush - Flush the cache |
1da177e4 | 941 | */ |
6b6bc620 | 942 | static void avc_flush(struct selinux_avc *avc) |
1da177e4 | 943 | { |
26036651 | 944 | struct hlist_head *head; |
008574b1 | 945 | struct avc_node *node; |
edf3d1ae | 946 | spinlock_t *lock; |
008574b1 EP |
947 | unsigned long flag; |
948 | int i; | |
1da177e4 LT |
949 | |
950 | for (i = 0; i < AVC_CACHE_SLOTS; i++) { | |
6b6bc620 SS |
951 | head = &avc->avc_cache.slots[i]; |
952 | lock = &avc->avc_cache.slots_lock[i]; | |
edf3d1ae EP |
953 | |
954 | spin_lock_irqsave(lock, flag); | |
61844250 PM |
955 | /* |
956 | * With preemptable RCU, the outer spinlock does not | |
957 | * prevent RCU grace periods from ending. | |
958 | */ | |
959 | rcu_read_lock(); | |
b67bfe0d | 960 | hlist_for_each_entry(node, head, list) |
6b6bc620 | 961 | avc_node_delete(avc, node); |
61844250 | 962 | rcu_read_unlock(); |
edf3d1ae | 963 | spin_unlock_irqrestore(lock, flag); |
1da177e4 | 964 | } |
008574b1 EP |
965 | } |
966 | ||
967 | /** | |
968 | * avc_ss_reset - Flush the cache and revalidate migrated permissions. | |
969 | * @seqno: policy sequence number | |
970 | */ | |
6b6bc620 | 971 | int avc_ss_reset(struct selinux_avc *avc, u32 seqno) |
008574b1 EP |
972 | { |
973 | struct avc_callback_node *c; | |
974 | int rc = 0, tmprc; | |
975 | ||
6b6bc620 | 976 | avc_flush(avc); |
1da177e4 LT |
977 | |
978 | for (c = avc_callbacks; c; c = c->next) { | |
979 | if (c->events & AVC_CALLBACK_RESET) { | |
562c99f2 | 980 | tmprc = c->callback(AVC_CALLBACK_RESET); |
376bd9cb DG |
981 | /* save the first error encountered for the return |
982 | value and continue processing the callbacks */ | |
983 | if (!rc) | |
984 | rc = tmprc; | |
1da177e4 LT |
985 | } |
986 | } | |
987 | ||
6b6bc620 | 988 | avc_latest_notif_update(avc, seqno, 0); |
1da177e4 LT |
989 | return rc; |
990 | } | |
991 | ||
a554bea8 LT |
992 | /* |
993 | * Slow-path helper function for avc_has_perm_noaudit, | |
994 | * when the avc_node lookup fails. We get called with | |
995 | * the RCU read lock held, and need to return with it | |
996 | * still held, but drop if for the security compute. | |
997 | * | |
998 | * Don't inline this, since it's the slow-path and just | |
999 | * results in a bigger stack frame. | |
1000 | */ | |
6b6bc620 SS |
1001 | static noinline |
1002 | struct avc_node *avc_compute_av(struct selinux_state *state, | |
1003 | u32 ssid, u32 tsid, | |
1004 | u16 tclass, struct av_decision *avd, | |
1005 | struct avc_xperms_node *xp_node) | |
a554bea8 LT |
1006 | { |
1007 | rcu_read_unlock(); | |
fa1aa143 | 1008 | INIT_LIST_HEAD(&xp_node->xpd_head); |
6b6bc620 | 1009 | security_compute_av(state, ssid, tsid, tclass, avd, &xp_node->xp); |
a554bea8 | 1010 | rcu_read_lock(); |
6b6bc620 | 1011 | return avc_insert(state->avc, ssid, tsid, tclass, avd, xp_node); |
a554bea8 LT |
1012 | } |
1013 | ||
6b6bc620 SS |
1014 | static noinline int avc_denied(struct selinux_state *state, |
1015 | u32 ssid, u32 tsid, | |
1016 | u16 tclass, u32 requested, | |
1017 | u8 driver, u8 xperm, unsigned int flags, | |
1018 | struct av_decision *avd) | |
a554bea8 LT |
1019 | { |
1020 | if (flags & AVC_STRICT) | |
1021 | return -EACCES; | |
1022 | ||
6b6bc620 | 1023 | if (enforcing_enabled(state) && |
aa8e712c | 1024 | !(avd->flags & AVD_FLAGS_PERMISSIVE)) |
a554bea8 LT |
1025 | return -EACCES; |
1026 | ||
6b6bc620 SS |
1027 | avc_update_node(state->avc, AVC_CALLBACK_GRANT, requested, driver, |
1028 | xperm, ssid, tsid, tclass, avd->seqno, NULL, flags); | |
a554bea8 LT |
1029 | return 0; |
1030 | } | |
1031 | ||
fa1aa143 JVS |
1032 | /* |
1033 | * The avc extended permissions logic adds an additional 256 bits of | |
1034 | * permissions to an avc node when extended permissions for that node are | |
1035 | * specified in the avtab. If the additional 256 permissions is not adequate, | |
1036 | * as-is the case with ioctls, then multiple may be chained together and the | |
1037 | * driver field is used to specify which set contains the permission. | |
1038 | */ | |
6b6bc620 SS |
1039 | int avc_has_extended_perms(struct selinux_state *state, |
1040 | u32 ssid, u32 tsid, u16 tclass, u32 requested, | |
1041 | u8 driver, u8 xperm, struct common_audit_data *ad) | |
fa1aa143 JVS |
1042 | { |
1043 | struct avc_node *node; | |
1044 | struct av_decision avd; | |
1045 | u32 denied; | |
1046 | struct extended_perms_decision local_xpd; | |
1047 | struct extended_perms_decision *xpd = NULL; | |
1048 | struct extended_perms_data allowed; | |
1049 | struct extended_perms_data auditallow; | |
1050 | struct extended_perms_data dontaudit; | |
1051 | struct avc_xperms_node local_xp_node; | |
1052 | struct avc_xperms_node *xp_node; | |
1053 | int rc = 0, rc2; | |
1054 | ||
1055 | xp_node = &local_xp_node; | |
e6f2f381 OM |
1056 | if (WARN_ON(!requested)) |
1057 | return -EACCES; | |
fa1aa143 JVS |
1058 | |
1059 | rcu_read_lock(); | |
1060 | ||
6b6bc620 | 1061 | node = avc_lookup(state->avc, ssid, tsid, tclass); |
fa1aa143 | 1062 | if (unlikely(!node)) { |
6b6bc620 | 1063 | node = avc_compute_av(state, ssid, tsid, tclass, &avd, xp_node); |
fa1aa143 JVS |
1064 | } else { |
1065 | memcpy(&avd, &node->ae.avd, sizeof(avd)); | |
1066 | xp_node = node->ae.xp_node; | |
1067 | } | |
1068 | /* if extended permissions are not defined, only consider av_decision */ | |
1069 | if (!xp_node || !xp_node->xp.len) | |
1070 | goto decision; | |
1071 | ||
1072 | local_xpd.allowed = &allowed; | |
1073 | local_xpd.auditallow = &auditallow; | |
1074 | local_xpd.dontaudit = &dontaudit; | |
1075 | ||
1076 | xpd = avc_xperms_decision_lookup(driver, xp_node); | |
1077 | if (unlikely(!xpd)) { | |
1078 | /* | |
1079 | * Compute the extended_perms_decision only if the driver | |
1080 | * is flagged | |
1081 | */ | |
1082 | if (!security_xperm_test(xp_node->xp.drivers.p, driver)) { | |
1083 | avd.allowed &= ~requested; | |
1084 | goto decision; | |
1085 | } | |
1086 | rcu_read_unlock(); | |
6b6bc620 SS |
1087 | security_compute_xperms_decision(state, ssid, tsid, tclass, |
1088 | driver, &local_xpd); | |
fa1aa143 | 1089 | rcu_read_lock(); |
6b6bc620 SS |
1090 | avc_update_node(state->avc, AVC_CALLBACK_ADD_XPERMS, requested, |
1091 | driver, xperm, ssid, tsid, tclass, avd.seqno, | |
1092 | &local_xpd, 0); | |
fa1aa143 JVS |
1093 | } else { |
1094 | avc_quick_copy_xperms_decision(xperm, &local_xpd, xpd); | |
1095 | } | |
1096 | xpd = &local_xpd; | |
1097 | ||
1098 | if (!avc_xperms_has_perm(xpd, xperm, XPERMS_ALLOWED)) | |
1099 | avd.allowed &= ~requested; | |
1100 | ||
1101 | decision: | |
1102 | denied = requested & ~(avd.allowed); | |
1103 | if (unlikely(denied)) | |
6b6bc620 SS |
1104 | rc = avc_denied(state, ssid, tsid, tclass, requested, |
1105 | driver, xperm, AVC_EXTENDED_PERMS, &avd); | |
fa1aa143 JVS |
1106 | |
1107 | rcu_read_unlock(); | |
1108 | ||
6b6bc620 | 1109 | rc2 = avc_xperms_audit(state, ssid, tsid, tclass, requested, |
fa1aa143 JVS |
1110 | &avd, xpd, xperm, rc, ad); |
1111 | if (rc2) | |
1112 | return rc2; | |
1113 | return rc; | |
1114 | } | |
a554bea8 | 1115 | |
1da177e4 LT |
1116 | /** |
1117 | * avc_has_perm_noaudit - Check permissions but perform no auditing. | |
1118 | * @ssid: source security identifier | |
1119 | * @tsid: target security identifier | |
1120 | * @tclass: target security class | |
1121 | * @requested: requested permissions, interpreted based on @tclass | |
3a28cff3 | 1122 | * @flags: AVC_STRICT, AVC_NONBLOCKING, or 0 |
1da177e4 LT |
1123 | * @avd: access vector decisions |
1124 | * | |
1125 | * Check the AVC to determine whether the @requested permissions are granted | |
1126 | * for the SID pair (@ssid, @tsid), interpreting the permissions | |
1127 | * based on @tclass, and call the security server on a cache miss to obtain | |
1128 | * a new decision and add it to the cache. Return a copy of the decisions | |
1129 | * in @avd. Return %0 if all @requested permissions are granted, | |
1130 | * -%EACCES if any permissions are denied, or another -errno upon | |
1131 | * other errors. This function is typically called by avc_has_perm(), | |
1132 | * but may also be called directly to separate permission checking from | |
1133 | * auditing, e.g. in cases where a lock must be held for the check but | |
1134 | * should be released for the auditing. | |
1135 | */ | |
6b6bc620 SS |
1136 | inline int avc_has_perm_noaudit(struct selinux_state *state, |
1137 | u32 ssid, u32 tsid, | |
1138 | u16 tclass, u32 requested, | |
1139 | unsigned int flags, | |
1140 | struct av_decision *avd) | |
1da177e4 LT |
1141 | { |
1142 | struct avc_node *node; | |
fa1aa143 | 1143 | struct avc_xperms_node xp_node; |
1da177e4 LT |
1144 | int rc = 0; |
1145 | u32 denied; | |
1146 | ||
e6f2f381 OM |
1147 | if (WARN_ON(!requested)) |
1148 | return -EACCES; | |
eda4f69c | 1149 | |
1da177e4 LT |
1150 | rcu_read_lock(); |
1151 | ||
6b6bc620 | 1152 | node = avc_lookup(state->avc, ssid, tsid, tclass); |
83d4a806 | 1153 | if (unlikely(!node)) |
6b6bc620 | 1154 | node = avc_compute_av(state, ssid, tsid, tclass, avd, &xp_node); |
83d4a806 | 1155 | else |
f01e1af4 | 1156 | memcpy(avd, &node->ae.avd, sizeof(*avd)); |
1da177e4 | 1157 | |
21193dcd | 1158 | denied = requested & ~(avd->allowed); |
a554bea8 | 1159 | if (unlikely(denied)) |
6b6bc620 SS |
1160 | rc = avc_denied(state, ssid, tsid, tclass, requested, 0, 0, |
1161 | flags, avd); | |
1da177e4 LT |
1162 | |
1163 | rcu_read_unlock(); | |
1da177e4 LT |
1164 | return rc; |
1165 | } | |
1166 | ||
1167 | /** | |
1168 | * avc_has_perm - Check permissions and perform any appropriate auditing. | |
1169 | * @ssid: source security identifier | |
1170 | * @tsid: target security identifier | |
1171 | * @tclass: target security class | |
1172 | * @requested: requested permissions, interpreted based on @tclass | |
1173 | * @auditdata: auxiliary audit data | |
1174 | * | |
1175 | * Check the AVC to determine whether the @requested permissions are granted | |
1176 | * for the SID pair (@ssid, @tsid), interpreting the permissions | |
1177 | * based on @tclass, and call the security server on a cache miss to obtain | |
1178 | * a new decision and add it to the cache. Audit the granting or denial of | |
1179 | * permissions in accordance with the policy. Return %0 if all @requested | |
1180 | * permissions are granted, -%EACCES if any permissions are denied, or | |
1181 | * another -errno upon other errors. | |
1182 | */ | |
6b6bc620 | 1183 | int avc_has_perm(struct selinux_state *state, u32 ssid, u32 tsid, u16 tclass, |
cb4fbe57 | 1184 | u32 requested, struct common_audit_data *auditdata) |
1da177e4 LT |
1185 | { |
1186 | struct av_decision avd; | |
9ade0cf4 | 1187 | int rc, rc2; |
1da177e4 | 1188 | |
6b6bc620 SS |
1189 | rc = avc_has_perm_noaudit(state, ssid, tsid, tclass, requested, 0, |
1190 | &avd); | |
9ade0cf4 | 1191 | |
6b6bc620 SS |
1192 | rc2 = avc_audit(state, ssid, tsid, tclass, requested, &avd, rc, |
1193 | auditdata, 0); | |
7b20ea25 N |
1194 | if (rc2) |
1195 | return rc2; | |
1196 | return rc; | |
1197 | } | |
1198 | ||
1a37079c SS |
1199 | int avc_has_perm_flags(struct selinux_state *state, |
1200 | u32 ssid, u32 tsid, u16 tclass, u32 requested, | |
1201 | struct common_audit_data *auditdata, | |
1202 | int flags) | |
1203 | { | |
1204 | struct av_decision avd; | |
1205 | int rc, rc2; | |
1206 | ||
1207 | rc = avc_has_perm_noaudit(state, ssid, tsid, tclass, requested, | |
1208 | (flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0, | |
1209 | &avd); | |
1210 | ||
1211 | rc2 = avc_audit(state, ssid, tsid, tclass, requested, &avd, rc, | |
1212 | auditdata, flags); | |
1213 | if (rc2) | |
1214 | return rc2; | |
1215 | return rc; | |
1216 | } | |
1217 | ||
6b6bc620 | 1218 | u32 avc_policy_seqno(struct selinux_state *state) |
788e7dd4 | 1219 | { |
6b6bc620 | 1220 | return state->avc->avc_cache.latest_notif; |
788e7dd4 | 1221 | } |
89c86576 TL |
1222 | |
1223 | void avc_disable(void) | |
1224 | { | |
5224ee08 EP |
1225 | /* |
1226 | * If you are looking at this because you have realized that we are | |
1227 | * not destroying the avc_node_cachep it might be easy to fix, but | |
1228 | * I don't know the memory barrier semantics well enough to know. It's | |
1229 | * possible that some other task dereferenced security_ops when | |
1230 | * it still pointed to selinux operations. If that is the case it's | |
1231 | * possible that it is about to use the avc and is about to need the | |
1232 | * avc_node_cachep. I know I could wrap the security.c security_ops call | |
1233 | * in an rcu_lock, but seriously, it's not worth it. Instead I just flush | |
1234 | * the cache and get that memory back. | |
1235 | */ | |
1236 | if (avc_node_cachep) { | |
6b6bc620 | 1237 | avc_flush(selinux_state.avc); |
5224ee08 EP |
1238 | /* kmem_cache_destroy(avc_node_cachep); */ |
1239 | } | |
89c86576 | 1240 | } |