]>
Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | /* |
2 | * Implementation of the kernel access vector cache (AVC). | |
3 | * | |
4 | * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> | |
95fff33b | 5 | * James Morris <jmorris@redhat.com> |
1da177e4 LT |
6 | * |
7 | * Update: KaiGai, Kohei <kaigai@ak.jp.nec.com> | |
95fff33b | 8 | * Replaced the avc_lock spinlock by RCU. |
1da177e4 LT |
9 | * |
10 | * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> | |
11 | * | |
12 | * This program is free software; you can redistribute it and/or modify | |
13 | * it under the terms of the GNU General Public License version 2, | |
95fff33b | 14 | * as published by the Free Software Foundation. |
1da177e4 LT |
15 | */ |
16 | #include <linux/types.h> | |
17 | #include <linux/stddef.h> | |
18 | #include <linux/kernel.h> | |
19 | #include <linux/slab.h> | |
20 | #include <linux/fs.h> | |
21 | #include <linux/dcache.h> | |
22 | #include <linux/init.h> | |
23 | #include <linux/skbuff.h> | |
24 | #include <linux/percpu.h> | |
fa1aa143 | 25 | #include <linux/list.h> |
1da177e4 LT |
26 | #include <net/sock.h> |
27 | #include <linux/un.h> | |
28 | #include <net/af_unix.h> | |
29 | #include <linux/ip.h> | |
30 | #include <linux/audit.h> | |
31 | #include <linux/ipv6.h> | |
32 | #include <net/ipv6.h> | |
33 | #include "avc.h" | |
34 | #include "avc_ss.h" | |
c6d3aaa4 | 35 | #include "classmap.h" |
5c458998 | 36 | |
1da177e4 LT |
37 | #define AVC_CACHE_SLOTS 512 |
38 | #define AVC_DEF_CACHE_THRESHOLD 512 | |
39 | #define AVC_CACHE_RECLAIM 16 | |
40 | ||
41 | #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS | |
044aea9b | 42 | #define avc_cache_stats_incr(field) this_cpu_inc(avc_cache_stats.field) |
1da177e4 LT |
43 | #else |
44 | #define avc_cache_stats_incr(field) do {} while (0) | |
45 | #endif | |
46 | ||
47 | struct avc_entry { | |
48 | u32 ssid; | |
49 | u32 tsid; | |
50 | u16 tclass; | |
51 | struct av_decision avd; | |
fa1aa143 | 52 | struct avc_xperms_node *xp_node; |
1da177e4 LT |
53 | }; |
54 | ||
55 | struct avc_node { | |
56 | struct avc_entry ae; | |
26036651 | 57 | struct hlist_node list; /* anchored in avc_cache->slots[i] */ |
95fff33b | 58 | struct rcu_head rhead; |
1da177e4 LT |
59 | }; |
60 | ||
fa1aa143 JVS |
61 | struct avc_xperms_decision_node { |
62 | struct extended_perms_decision xpd; | |
63 | struct list_head xpd_list; /* list of extended_perms_decision */ | |
64 | }; | |
65 | ||
66 | struct avc_xperms_node { | |
67 | struct extended_perms xp; | |
68 | struct list_head xpd_head; /* list head of extended_perms_decision */ | |
69 | }; | |
70 | ||
1da177e4 | 71 | struct avc_cache { |
26036651 | 72 | struct hlist_head slots[AVC_CACHE_SLOTS]; /* head for avc_node->list */ |
1da177e4 LT |
73 | spinlock_t slots_lock[AVC_CACHE_SLOTS]; /* lock for writes */ |
74 | atomic_t lru_hint; /* LRU hint for reclaim scan */ | |
75 | atomic_t active_nodes; | |
76 | u32 latest_notif; /* latest revocation notification */ | |
77 | }; | |
78 | ||
79 | struct avc_callback_node { | |
562c99f2 | 80 | int (*callback) (u32 event); |
1da177e4 | 81 | u32 events; |
1da177e4 LT |
82 | struct avc_callback_node *next; |
83 | }; | |
84 | ||
85 | /* Exported via selinufs */ | |
86 | unsigned int avc_cache_threshold = AVC_DEF_CACHE_THRESHOLD; | |
87 | ||
88 | #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS | |
89 | DEFINE_PER_CPU(struct avc_cache_stats, avc_cache_stats) = { 0 }; | |
90 | #endif | |
91 | ||
92 | static struct avc_cache avc_cache; | |
93 | static struct avc_callback_node *avc_callbacks; | |
e18b890b | 94 | static struct kmem_cache *avc_node_cachep; |
fa1aa143 JVS |
95 | static struct kmem_cache *avc_xperms_data_cachep; |
96 | static struct kmem_cache *avc_xperms_decision_cachep; | |
97 | static struct kmem_cache *avc_xperms_cachep; | |
1da177e4 LT |
98 | |
99 | static inline int avc_hash(u32 ssid, u32 tsid, u16 tclass) | |
100 | { | |
101 | return (ssid ^ (tsid<<2) ^ (tclass<<4)) & (AVC_CACHE_SLOTS - 1); | |
102 | } | |
103 | ||
104 | /** | |
105 | * avc_dump_av - Display an access vector in human-readable form. | |
106 | * @tclass: target security class | |
107 | * @av: access vector | |
108 | */ | |
44c2d9bd | 109 | static void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av) |
1da177e4 | 110 | { |
c6d3aaa4 SS |
111 | const char **perms; |
112 | int i, perm; | |
1da177e4 LT |
113 | |
114 | if (av == 0) { | |
115 | audit_log_format(ab, " null"); | |
116 | return; | |
117 | } | |
118 | ||
bd1741f4 | 119 | BUG_ON(!tclass || tclass >= ARRAY_SIZE(secclass_map)); |
c6d3aaa4 | 120 | perms = secclass_map[tclass-1].perms; |
1da177e4 LT |
121 | |
122 | audit_log_format(ab, " {"); | |
123 | i = 0; | |
124 | perm = 1; | |
c6d3aaa4 | 125 | while (i < (sizeof(av) * 8)) { |
0bce9527 | 126 | if ((perm & av) && perms[i]) { |
c6d3aaa4 | 127 | audit_log_format(ab, " %s", perms[i]); |
1da177e4 LT |
128 | av &= ~perm; |
129 | } | |
130 | i++; | |
131 | perm <<= 1; | |
132 | } | |
133 | ||
1da177e4 LT |
134 | if (av) |
135 | audit_log_format(ab, " 0x%x", av); | |
136 | ||
137 | audit_log_format(ab, " }"); | |
138 | } | |
139 | ||
140 | /** | |
141 | * avc_dump_query - Display a SID pair and a class in human-readable form. | |
142 | * @ssid: source security identifier | |
143 | * @tsid: target security identifier | |
144 | * @tclass: target security class | |
145 | */ | |
146 | static void avc_dump_query(struct audit_buffer *ab, u32 ssid, u32 tsid, u16 tclass) | |
147 | { | |
148 | int rc; | |
149 | char *scontext; | |
150 | u32 scontext_len; | |
151 | ||
95fff33b | 152 | rc = security_sid_to_context(ssid, &scontext, &scontext_len); |
1da177e4 LT |
153 | if (rc) |
154 | audit_log_format(ab, "ssid=%d", ssid); | |
155 | else { | |
156 | audit_log_format(ab, "scontext=%s", scontext); | |
157 | kfree(scontext); | |
158 | } | |
159 | ||
160 | rc = security_sid_to_context(tsid, &scontext, &scontext_len); | |
161 | if (rc) | |
162 | audit_log_format(ab, " tsid=%d", tsid); | |
163 | else { | |
164 | audit_log_format(ab, " tcontext=%s", scontext); | |
165 | kfree(scontext); | |
166 | } | |
a764ae4b | 167 | |
bd1741f4 | 168 | BUG_ON(!tclass || tclass >= ARRAY_SIZE(secclass_map)); |
c6d3aaa4 | 169 | audit_log_format(ab, " tclass=%s", secclass_map[tclass-1].name); |
1da177e4 LT |
170 | } |
171 | ||
172 | /** | |
173 | * avc_init - Initialize the AVC. | |
174 | * | |
175 | * Initialize the access vector cache. | |
176 | */ | |
177 | void __init avc_init(void) | |
178 | { | |
179 | int i; | |
180 | ||
181 | for (i = 0; i < AVC_CACHE_SLOTS; i++) { | |
26036651 | 182 | INIT_HLIST_HEAD(&avc_cache.slots[i]); |
1da177e4 LT |
183 | spin_lock_init(&avc_cache.slots_lock[i]); |
184 | } | |
185 | atomic_set(&avc_cache.active_nodes, 0); | |
186 | atomic_set(&avc_cache.lru_hint, 0); | |
187 | ||
188 | avc_node_cachep = kmem_cache_create("avc_node", sizeof(struct avc_node), | |
fa1aa143 JVS |
189 | 0, SLAB_PANIC, NULL); |
190 | avc_xperms_cachep = kmem_cache_create("avc_xperms_node", | |
191 | sizeof(struct avc_xperms_node), | |
192 | 0, SLAB_PANIC, NULL); | |
193 | avc_xperms_decision_cachep = kmem_cache_create( | |
194 | "avc_xperms_decision_node", | |
195 | sizeof(struct avc_xperms_decision_node), | |
196 | 0, SLAB_PANIC, NULL); | |
197 | avc_xperms_data_cachep = kmem_cache_create("avc_xperms_data", | |
198 | sizeof(struct extended_perms_data), | |
199 | 0, SLAB_PANIC, NULL); | |
1da177e4 | 200 | |
9ad9ad38 | 201 | audit_log(current->audit_context, GFP_KERNEL, AUDIT_KERNEL, "AVC INITIALIZED\n"); |
1da177e4 LT |
202 | } |
203 | ||
204 | int avc_get_hash_stats(char *page) | |
205 | { | |
206 | int i, chain_len, max_chain_len, slots_used; | |
207 | struct avc_node *node; | |
26036651 | 208 | struct hlist_head *head; |
1da177e4 LT |
209 | |
210 | rcu_read_lock(); | |
211 | ||
212 | slots_used = 0; | |
213 | max_chain_len = 0; | |
214 | for (i = 0; i < AVC_CACHE_SLOTS; i++) { | |
edf3d1ae | 215 | head = &avc_cache.slots[i]; |
26036651 | 216 | if (!hlist_empty(head)) { |
1da177e4 LT |
217 | slots_used++; |
218 | chain_len = 0; | |
b67bfe0d | 219 | hlist_for_each_entry_rcu(node, head, list) |
1da177e4 LT |
220 | chain_len++; |
221 | if (chain_len > max_chain_len) | |
222 | max_chain_len = chain_len; | |
223 | } | |
224 | } | |
225 | ||
226 | rcu_read_unlock(); | |
227 | ||
228 | return scnprintf(page, PAGE_SIZE, "entries: %d\nbuckets used: %d/%d\n" | |
229 | "longest chain: %d\n", | |
230 | atomic_read(&avc_cache.active_nodes), | |
231 | slots_used, AVC_CACHE_SLOTS, max_chain_len); | |
232 | } | |
233 | ||
fa1aa143 JVS |
234 | /* |
235 | * using a linked list for extended_perms_decision lookup because the list is | |
236 | * always small. i.e. less than 5, typically 1 | |
237 | */ | |
238 | static struct extended_perms_decision *avc_xperms_decision_lookup(u8 driver, | |
239 | struct avc_xperms_node *xp_node) | |
240 | { | |
241 | struct avc_xperms_decision_node *xpd_node; | |
242 | ||
243 | list_for_each_entry(xpd_node, &xp_node->xpd_head, xpd_list) { | |
244 | if (xpd_node->xpd.driver == driver) | |
245 | return &xpd_node->xpd; | |
246 | } | |
247 | return NULL; | |
248 | } | |
249 | ||
250 | static inline unsigned int | |
251 | avc_xperms_has_perm(struct extended_perms_decision *xpd, | |
252 | u8 perm, u8 which) | |
253 | { | |
254 | unsigned int rc = 0; | |
255 | ||
256 | if ((which == XPERMS_ALLOWED) && | |
257 | (xpd->used & XPERMS_ALLOWED)) | |
258 | rc = security_xperm_test(xpd->allowed->p, perm); | |
259 | else if ((which == XPERMS_AUDITALLOW) && | |
260 | (xpd->used & XPERMS_AUDITALLOW)) | |
261 | rc = security_xperm_test(xpd->auditallow->p, perm); | |
262 | else if ((which == XPERMS_DONTAUDIT) && | |
263 | (xpd->used & XPERMS_DONTAUDIT)) | |
264 | rc = security_xperm_test(xpd->dontaudit->p, perm); | |
265 | return rc; | |
266 | } | |
267 | ||
268 | static void avc_xperms_allow_perm(struct avc_xperms_node *xp_node, | |
269 | u8 driver, u8 perm) | |
270 | { | |
271 | struct extended_perms_decision *xpd; | |
272 | security_xperm_set(xp_node->xp.drivers.p, driver); | |
273 | xpd = avc_xperms_decision_lookup(driver, xp_node); | |
274 | if (xpd && xpd->allowed) | |
275 | security_xperm_set(xpd->allowed->p, perm); | |
276 | } | |
277 | ||
278 | static void avc_xperms_decision_free(struct avc_xperms_decision_node *xpd_node) | |
279 | { | |
280 | struct extended_perms_decision *xpd; | |
281 | ||
282 | xpd = &xpd_node->xpd; | |
283 | if (xpd->allowed) | |
284 | kmem_cache_free(avc_xperms_data_cachep, xpd->allowed); | |
285 | if (xpd->auditallow) | |
286 | kmem_cache_free(avc_xperms_data_cachep, xpd->auditallow); | |
287 | if (xpd->dontaudit) | |
288 | kmem_cache_free(avc_xperms_data_cachep, xpd->dontaudit); | |
289 | kmem_cache_free(avc_xperms_decision_cachep, xpd_node); | |
290 | } | |
291 | ||
292 | static void avc_xperms_free(struct avc_xperms_node *xp_node) | |
293 | { | |
294 | struct avc_xperms_decision_node *xpd_node, *tmp; | |
295 | ||
296 | if (!xp_node) | |
297 | return; | |
298 | ||
299 | list_for_each_entry_safe(xpd_node, tmp, &xp_node->xpd_head, xpd_list) { | |
300 | list_del(&xpd_node->xpd_list); | |
301 | avc_xperms_decision_free(xpd_node); | |
302 | } | |
303 | kmem_cache_free(avc_xperms_cachep, xp_node); | |
304 | } | |
305 | ||
306 | static void avc_copy_xperms_decision(struct extended_perms_decision *dest, | |
307 | struct extended_perms_decision *src) | |
308 | { | |
309 | dest->driver = src->driver; | |
310 | dest->used = src->used; | |
311 | if (dest->used & XPERMS_ALLOWED) | |
312 | memcpy(dest->allowed->p, src->allowed->p, | |
313 | sizeof(src->allowed->p)); | |
314 | if (dest->used & XPERMS_AUDITALLOW) | |
315 | memcpy(dest->auditallow->p, src->auditallow->p, | |
316 | sizeof(src->auditallow->p)); | |
317 | if (dest->used & XPERMS_DONTAUDIT) | |
318 | memcpy(dest->dontaudit->p, src->dontaudit->p, | |
319 | sizeof(src->dontaudit->p)); | |
320 | } | |
321 | ||
322 | /* | |
323 | * similar to avc_copy_xperms_decision, but only copy decision | |
324 | * information relevant to this perm | |
325 | */ | |
326 | static inline void avc_quick_copy_xperms_decision(u8 perm, | |
327 | struct extended_perms_decision *dest, | |
328 | struct extended_perms_decision *src) | |
329 | { | |
330 | /* | |
331 | * compute index of the u32 of the 256 bits (8 u32s) that contain this | |
332 | * command permission | |
333 | */ | |
334 | u8 i = perm >> 5; | |
335 | ||
336 | dest->used = src->used; | |
337 | if (dest->used & XPERMS_ALLOWED) | |
338 | dest->allowed->p[i] = src->allowed->p[i]; | |
339 | if (dest->used & XPERMS_AUDITALLOW) | |
340 | dest->auditallow->p[i] = src->auditallow->p[i]; | |
341 | if (dest->used & XPERMS_DONTAUDIT) | |
342 | dest->dontaudit->p[i] = src->dontaudit->p[i]; | |
343 | } | |
344 | ||
345 | static struct avc_xperms_decision_node | |
346 | *avc_xperms_decision_alloc(u8 which) | |
347 | { | |
348 | struct avc_xperms_decision_node *xpd_node; | |
349 | struct extended_perms_decision *xpd; | |
350 | ||
351 | xpd_node = kmem_cache_zalloc(avc_xperms_decision_cachep, | |
352 | GFP_ATOMIC | __GFP_NOMEMALLOC); | |
353 | if (!xpd_node) | |
354 | return NULL; | |
355 | ||
356 | xpd = &xpd_node->xpd; | |
357 | if (which & XPERMS_ALLOWED) { | |
358 | xpd->allowed = kmem_cache_zalloc(avc_xperms_data_cachep, | |
359 | GFP_ATOMIC | __GFP_NOMEMALLOC); | |
360 | if (!xpd->allowed) | |
361 | goto error; | |
362 | } | |
363 | if (which & XPERMS_AUDITALLOW) { | |
364 | xpd->auditallow = kmem_cache_zalloc(avc_xperms_data_cachep, | |
365 | GFP_ATOMIC | __GFP_NOMEMALLOC); | |
366 | if (!xpd->auditallow) | |
367 | goto error; | |
368 | } | |
369 | if (which & XPERMS_DONTAUDIT) { | |
370 | xpd->dontaudit = kmem_cache_zalloc(avc_xperms_data_cachep, | |
371 | GFP_ATOMIC | __GFP_NOMEMALLOC); | |
372 | if (!xpd->dontaudit) | |
373 | goto error; | |
374 | } | |
375 | return xpd_node; | |
376 | error: | |
377 | avc_xperms_decision_free(xpd_node); | |
378 | return NULL; | |
379 | } | |
380 | ||
381 | static int avc_add_xperms_decision(struct avc_node *node, | |
382 | struct extended_perms_decision *src) | |
383 | { | |
384 | struct avc_xperms_decision_node *dest_xpd; | |
385 | ||
386 | node->ae.xp_node->xp.len++; | |
387 | dest_xpd = avc_xperms_decision_alloc(src->used); | |
388 | if (!dest_xpd) | |
389 | return -ENOMEM; | |
390 | avc_copy_xperms_decision(&dest_xpd->xpd, src); | |
391 | list_add(&dest_xpd->xpd_list, &node->ae.xp_node->xpd_head); | |
392 | return 0; | |
393 | } | |
394 | ||
395 | static struct avc_xperms_node *avc_xperms_alloc(void) | |
396 | { | |
397 | struct avc_xperms_node *xp_node; | |
398 | ||
399 | xp_node = kmem_cache_zalloc(avc_xperms_cachep, | |
400 | GFP_ATOMIC|__GFP_NOMEMALLOC); | |
401 | if (!xp_node) | |
402 | return xp_node; | |
403 | INIT_LIST_HEAD(&xp_node->xpd_head); | |
404 | return xp_node; | |
405 | } | |
406 | ||
407 | static int avc_xperms_populate(struct avc_node *node, | |
408 | struct avc_xperms_node *src) | |
409 | { | |
410 | struct avc_xperms_node *dest; | |
411 | struct avc_xperms_decision_node *dest_xpd; | |
412 | struct avc_xperms_decision_node *src_xpd; | |
413 | ||
414 | if (src->xp.len == 0) | |
415 | return 0; | |
416 | dest = avc_xperms_alloc(); | |
417 | if (!dest) | |
418 | return -ENOMEM; | |
419 | ||
420 | memcpy(dest->xp.drivers.p, src->xp.drivers.p, sizeof(dest->xp.drivers.p)); | |
421 | dest->xp.len = src->xp.len; | |
422 | ||
423 | /* for each source xpd allocate a destination xpd and copy */ | |
424 | list_for_each_entry(src_xpd, &src->xpd_head, xpd_list) { | |
425 | dest_xpd = avc_xperms_decision_alloc(src_xpd->xpd.used); | |
426 | if (!dest_xpd) | |
427 | goto error; | |
428 | avc_copy_xperms_decision(&dest_xpd->xpd, &src_xpd->xpd); | |
429 | list_add(&dest_xpd->xpd_list, &dest->xpd_head); | |
430 | } | |
431 | node->ae.xp_node = dest; | |
432 | return 0; | |
433 | error: | |
434 | avc_xperms_free(dest); | |
435 | return -ENOMEM; | |
436 | ||
437 | } | |
438 | ||
439 | static inline u32 avc_xperms_audit_required(u32 requested, | |
440 | struct av_decision *avd, | |
441 | struct extended_perms_decision *xpd, | |
442 | u8 perm, | |
443 | int result, | |
444 | u32 *deniedp) | |
445 | { | |
446 | u32 denied, audited; | |
447 | ||
448 | denied = requested & ~avd->allowed; | |
449 | if (unlikely(denied)) { | |
450 | audited = denied & avd->auditdeny; | |
451 | if (audited && xpd) { | |
452 | if (avc_xperms_has_perm(xpd, perm, XPERMS_DONTAUDIT)) | |
453 | audited &= ~requested; | |
454 | } | |
455 | } else if (result) { | |
456 | audited = denied = requested; | |
457 | } else { | |
458 | audited = requested & avd->auditallow; | |
459 | if (audited && xpd) { | |
460 | if (!avc_xperms_has_perm(xpd, perm, XPERMS_AUDITALLOW)) | |
461 | audited &= ~requested; | |
462 | } | |
463 | } | |
464 | ||
465 | *deniedp = denied; | |
466 | return audited; | |
467 | } | |
468 | ||
469 | static inline int avc_xperms_audit(u32 ssid, u32 tsid, u16 tclass, | |
470 | u32 requested, struct av_decision *avd, | |
471 | struct extended_perms_decision *xpd, | |
472 | u8 perm, int result, | |
473 | struct common_audit_data *ad) | |
474 | { | |
475 | u32 audited, denied; | |
476 | ||
477 | audited = avc_xperms_audit_required( | |
478 | requested, avd, xpd, perm, result, &denied); | |
479 | if (likely(!audited)) | |
480 | return 0; | |
481 | return slow_avc_audit(ssid, tsid, tclass, requested, | |
482 | audited, denied, result, ad, 0); | |
483 | } | |
484 | ||
1da177e4 LT |
485 | static void avc_node_free(struct rcu_head *rhead) |
486 | { | |
487 | struct avc_node *node = container_of(rhead, struct avc_node, rhead); | |
fa1aa143 | 488 | avc_xperms_free(node->ae.xp_node); |
1da177e4 LT |
489 | kmem_cache_free(avc_node_cachep, node); |
490 | avc_cache_stats_incr(frees); | |
491 | } | |
492 | ||
493 | static void avc_node_delete(struct avc_node *node) | |
494 | { | |
26036651 | 495 | hlist_del_rcu(&node->list); |
1da177e4 LT |
496 | call_rcu(&node->rhead, avc_node_free); |
497 | atomic_dec(&avc_cache.active_nodes); | |
498 | } | |
499 | ||
500 | static void avc_node_kill(struct avc_node *node) | |
501 | { | |
fa1aa143 | 502 | avc_xperms_free(node->ae.xp_node); |
1da177e4 LT |
503 | kmem_cache_free(avc_node_cachep, node); |
504 | avc_cache_stats_incr(frees); | |
505 | atomic_dec(&avc_cache.active_nodes); | |
506 | } | |
507 | ||
508 | static void avc_node_replace(struct avc_node *new, struct avc_node *old) | |
509 | { | |
26036651 | 510 | hlist_replace_rcu(&old->list, &new->list); |
1da177e4 LT |
511 | call_rcu(&old->rhead, avc_node_free); |
512 | atomic_dec(&avc_cache.active_nodes); | |
513 | } | |
514 | ||
515 | static inline int avc_reclaim_node(void) | |
516 | { | |
517 | struct avc_node *node; | |
518 | int hvalue, try, ecx; | |
519 | unsigned long flags; | |
26036651 | 520 | struct hlist_head *head; |
edf3d1ae | 521 | spinlock_t *lock; |
1da177e4 | 522 | |
95fff33b | 523 | for (try = 0, ecx = 0; try < AVC_CACHE_SLOTS; try++) { |
1da177e4 | 524 | hvalue = atomic_inc_return(&avc_cache.lru_hint) & (AVC_CACHE_SLOTS - 1); |
edf3d1ae EP |
525 | head = &avc_cache.slots[hvalue]; |
526 | lock = &avc_cache.slots_lock[hvalue]; | |
1da177e4 | 527 | |
edf3d1ae | 528 | if (!spin_trylock_irqsave(lock, flags)) |
1da177e4 LT |
529 | continue; |
530 | ||
61844250 | 531 | rcu_read_lock(); |
b67bfe0d | 532 | hlist_for_each_entry(node, head, list) { |
906d27d9 EP |
533 | avc_node_delete(node); |
534 | avc_cache_stats_incr(reclaims); | |
535 | ecx++; | |
536 | if (ecx >= AVC_CACHE_RECLAIM) { | |
537 | rcu_read_unlock(); | |
edf3d1ae | 538 | spin_unlock_irqrestore(lock, flags); |
906d27d9 | 539 | goto out; |
1da177e4 LT |
540 | } |
541 | } | |
61844250 | 542 | rcu_read_unlock(); |
edf3d1ae | 543 | spin_unlock_irqrestore(lock, flags); |
1da177e4 LT |
544 | } |
545 | out: | |
546 | return ecx; | |
547 | } | |
548 | ||
549 | static struct avc_node *avc_alloc_node(void) | |
550 | { | |
551 | struct avc_node *node; | |
552 | ||
6290c2c4 | 553 | node = kmem_cache_zalloc(avc_node_cachep, GFP_ATOMIC|__GFP_NOMEMALLOC); |
1da177e4 LT |
554 | if (!node) |
555 | goto out; | |
556 | ||
26036651 | 557 | INIT_HLIST_NODE(&node->list); |
1da177e4 LT |
558 | avc_cache_stats_incr(allocations); |
559 | ||
560 | if (atomic_inc_return(&avc_cache.active_nodes) > avc_cache_threshold) | |
561 | avc_reclaim_node(); | |
562 | ||
563 | out: | |
564 | return node; | |
565 | } | |
566 | ||
21193dcd | 567 | static void avc_node_populate(struct avc_node *node, u32 ssid, u32 tsid, u16 tclass, struct av_decision *avd) |
1da177e4 LT |
568 | { |
569 | node->ae.ssid = ssid; | |
570 | node->ae.tsid = tsid; | |
571 | node->ae.tclass = tclass; | |
21193dcd | 572 | memcpy(&node->ae.avd, avd, sizeof(node->ae.avd)); |
1da177e4 LT |
573 | } |
574 | ||
575 | static inline struct avc_node *avc_search_node(u32 ssid, u32 tsid, u16 tclass) | |
576 | { | |
577 | struct avc_node *node, *ret = NULL; | |
578 | int hvalue; | |
26036651 | 579 | struct hlist_head *head; |
1da177e4 LT |
580 | |
581 | hvalue = avc_hash(ssid, tsid, tclass); | |
edf3d1ae | 582 | head = &avc_cache.slots[hvalue]; |
b67bfe0d | 583 | hlist_for_each_entry_rcu(node, head, list) { |
1da177e4 LT |
584 | if (ssid == node->ae.ssid && |
585 | tclass == node->ae.tclass && | |
586 | tsid == node->ae.tsid) { | |
587 | ret = node; | |
588 | break; | |
589 | } | |
590 | } | |
591 | ||
1da177e4 LT |
592 | return ret; |
593 | } | |
594 | ||
595 | /** | |
596 | * avc_lookup - Look up an AVC entry. | |
597 | * @ssid: source security identifier | |
598 | * @tsid: target security identifier | |
599 | * @tclass: target security class | |
1da177e4 LT |
600 | * |
601 | * Look up an AVC entry that is valid for the | |
1da177e4 LT |
602 | * (@ssid, @tsid), interpreting the permissions |
603 | * based on @tclass. If a valid AVC entry exists, | |
6382dc33 | 604 | * then this function returns the avc_node. |
1da177e4 LT |
605 | * Otherwise, this function returns NULL. |
606 | */ | |
f1c6381a | 607 | static struct avc_node *avc_lookup(u32 ssid, u32 tsid, u16 tclass) |
1da177e4 LT |
608 | { |
609 | struct avc_node *node; | |
610 | ||
611 | avc_cache_stats_incr(lookups); | |
612 | node = avc_search_node(ssid, tsid, tclass); | |
613 | ||
f1c6381a | 614 | if (node) |
257313b2 | 615 | return node; |
1da177e4 | 616 | |
257313b2 LT |
617 | avc_cache_stats_incr(misses); |
618 | return NULL; | |
1da177e4 LT |
619 | } |
620 | ||
621 | static int avc_latest_notif_update(int seqno, int is_insert) | |
622 | { | |
623 | int ret = 0; | |
624 | static DEFINE_SPINLOCK(notif_lock); | |
625 | unsigned long flag; | |
626 | ||
627 | spin_lock_irqsave(¬if_lock, flag); | |
628 | if (is_insert) { | |
629 | if (seqno < avc_cache.latest_notif) { | |
744ba35e | 630 | printk(KERN_WARNING "SELinux: avc: seqno %d < latest_notif %d\n", |
1da177e4 LT |
631 | seqno, avc_cache.latest_notif); |
632 | ret = -EAGAIN; | |
633 | } | |
634 | } else { | |
635 | if (seqno > avc_cache.latest_notif) | |
636 | avc_cache.latest_notif = seqno; | |
637 | } | |
638 | spin_unlock_irqrestore(¬if_lock, flag); | |
639 | ||
640 | return ret; | |
641 | } | |
642 | ||
643 | /** | |
644 | * avc_insert - Insert an AVC entry. | |
645 | * @ssid: source security identifier | |
646 | * @tsid: target security identifier | |
647 | * @tclass: target security class | |
21193dcd | 648 | * @avd: resulting av decision |
fa1aa143 | 649 | * @xp_node: resulting extended permissions |
1da177e4 LT |
650 | * |
651 | * Insert an AVC entry for the SID pair | |
652 | * (@ssid, @tsid) and class @tclass. | |
653 | * The access vectors and the sequence number are | |
654 | * normally provided by the security server in | |
655 | * response to a security_compute_av() call. If the | |
21193dcd | 656 | * sequence number @avd->seqno is not less than the latest |
1da177e4 LT |
657 | * revocation notification, then the function copies |
658 | * the access vectors into a cache entry, returns | |
659 | * avc_node inserted. Otherwise, this function returns NULL. | |
660 | */ | |
fa1aa143 JVS |
661 | static struct avc_node *avc_insert(u32 ssid, u32 tsid, u16 tclass, |
662 | struct av_decision *avd, | |
663 | struct avc_xperms_node *xp_node) | |
1da177e4 LT |
664 | { |
665 | struct avc_node *pos, *node = NULL; | |
666 | int hvalue; | |
667 | unsigned long flag; | |
668 | ||
21193dcd | 669 | if (avc_latest_notif_update(avd->seqno, 1)) |
1da177e4 LT |
670 | goto out; |
671 | ||
672 | node = avc_alloc_node(); | |
673 | if (node) { | |
26036651 | 674 | struct hlist_head *head; |
edf3d1ae | 675 | spinlock_t *lock; |
fa1aa143 | 676 | int rc = 0; |
edf3d1ae | 677 | |
1da177e4 | 678 | hvalue = avc_hash(ssid, tsid, tclass); |
21193dcd | 679 | avc_node_populate(node, ssid, tsid, tclass, avd); |
fa1aa143 JVS |
680 | rc = avc_xperms_populate(node, xp_node); |
681 | if (rc) { | |
682 | kmem_cache_free(avc_node_cachep, node); | |
683 | return NULL; | |
684 | } | |
edf3d1ae EP |
685 | head = &avc_cache.slots[hvalue]; |
686 | lock = &avc_cache.slots_lock[hvalue]; | |
687 | ||
688 | spin_lock_irqsave(lock, flag); | |
b67bfe0d | 689 | hlist_for_each_entry(pos, head, list) { |
1da177e4 LT |
690 | if (pos->ae.ssid == ssid && |
691 | pos->ae.tsid == tsid && | |
692 | pos->ae.tclass == tclass) { | |
95fff33b | 693 | avc_node_replace(node, pos); |
1da177e4 LT |
694 | goto found; |
695 | } | |
696 | } | |
26036651 | 697 | hlist_add_head_rcu(&node->list, head); |
1da177e4 | 698 | found: |
edf3d1ae | 699 | spin_unlock_irqrestore(lock, flag); |
1da177e4 LT |
700 | } |
701 | out: | |
702 | return node; | |
703 | } | |
704 | ||
2bf49690 TL |
705 | /** |
706 | * avc_audit_pre_callback - SELinux specific information | |
707 | * will be called by generic audit code | |
708 | * @ab: the audit buffer | |
709 | * @a: audit_data | |
710 | */ | |
711 | static void avc_audit_pre_callback(struct audit_buffer *ab, void *a) | |
1da177e4 | 712 | { |
2bf49690 TL |
713 | struct common_audit_data *ad = a; |
714 | audit_log_format(ab, "avc: %s ", | |
899838b2 EP |
715 | ad->selinux_audit_data->denied ? "denied" : "granted"); |
716 | avc_dump_av(ab, ad->selinux_audit_data->tclass, | |
717 | ad->selinux_audit_data->audited); | |
2bf49690 | 718 | audit_log_format(ab, " for "); |
1da177e4 LT |
719 | } |
720 | ||
2bf49690 TL |
721 | /** |
722 | * avc_audit_post_callback - SELinux specific information | |
723 | * will be called by generic audit code | |
724 | * @ab: the audit buffer | |
725 | * @a: audit_data | |
726 | */ | |
727 | static void avc_audit_post_callback(struct audit_buffer *ab, void *a) | |
1da177e4 | 728 | { |
2bf49690 TL |
729 | struct common_audit_data *ad = a; |
730 | audit_log_format(ab, " "); | |
899838b2 EP |
731 | avc_dump_query(ab, ad->selinux_audit_data->ssid, |
732 | ad->selinux_audit_data->tsid, | |
733 | ad->selinux_audit_data->tclass); | |
ca7786a2 SS |
734 | if (ad->selinux_audit_data->denied) { |
735 | audit_log_format(ab, " permissive=%u", | |
736 | ad->selinux_audit_data->result ? 0 : 1); | |
737 | } | |
1da177e4 LT |
738 | } |
739 | ||
48aab2f7 | 740 | /* This is the slow part of avc audit with big stack footprint */ |
2e334057 | 741 | noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass, |
ca7786a2 | 742 | u32 requested, u32 audited, u32 denied, int result, |
f8294f11 | 743 | struct common_audit_data *a, |
48aab2f7 LT |
744 | unsigned flags) |
745 | { | |
746 | struct common_audit_data stack_data; | |
899838b2 | 747 | struct selinux_audit_data sad; |
48aab2f7 LT |
748 | |
749 | if (!a) { | |
750 | a = &stack_data; | |
50c205f5 | 751 | a->type = LSM_AUDIT_DATA_NONE; |
48aab2f7 LT |
752 | } |
753 | ||
754 | /* | |
755 | * When in a RCU walk do the audit on the RCU retry. This is because | |
756 | * the collection of the dname in an inode audit message is not RCU | |
757 | * safe. Note this may drop some audits when the situation changes | |
758 | * during retry. However this is logically just as if the operation | |
759 | * happened a little later. | |
760 | */ | |
761 | if ((a->type == LSM_AUDIT_DATA_INODE) && | |
762 | (flags & MAY_NOT_BLOCK)) | |
763 | return -ECHILD; | |
764 | ||
899838b2 EP |
765 | sad.tclass = tclass; |
766 | sad.requested = requested; | |
767 | sad.ssid = ssid; | |
768 | sad.tsid = tsid; | |
769 | sad.audited = audited; | |
770 | sad.denied = denied; | |
ca7786a2 | 771 | sad.result = result; |
899838b2 EP |
772 | |
773 | a->selinux_audit_data = &sad; | |
3f0882c4 | 774 | |
b61c37f5 | 775 | common_lsm_audit(a, avc_audit_pre_callback, avc_audit_post_callback); |
48aab2f7 LT |
776 | return 0; |
777 | } | |
778 | ||
1da177e4 LT |
779 | /** |
780 | * avc_add_callback - Register a callback for security events. | |
781 | * @callback: callback function | |
782 | * @events: security events | |
1da177e4 | 783 | * |
562c99f2 WG |
784 | * Register a callback function for events in the set @events. |
785 | * Returns %0 on success or -%ENOMEM if insufficient memory | |
786 | * exists to add the callback. | |
1da177e4 | 787 | */ |
562c99f2 | 788 | int __init avc_add_callback(int (*callback)(u32 event), u32 events) |
1da177e4 LT |
789 | { |
790 | struct avc_callback_node *c; | |
791 | int rc = 0; | |
792 | ||
0b36e44c | 793 | c = kmalloc(sizeof(*c), GFP_KERNEL); |
1da177e4 LT |
794 | if (!c) { |
795 | rc = -ENOMEM; | |
796 | goto out; | |
797 | } | |
798 | ||
799 | c->callback = callback; | |
800 | c->events = events; | |
1da177e4 LT |
801 | c->next = avc_callbacks; |
802 | avc_callbacks = c; | |
803 | out: | |
804 | return rc; | |
805 | } | |
806 | ||
1da177e4 LT |
807 | /** |
808 | * avc_update_node Update an AVC entry | |
809 | * @event : Updating event | |
810 | * @perms : Permission mask bits | |
811 | * @ssid,@tsid,@tclass : identifier of an AVC entry | |
a5dda683 | 812 | * @seqno : sequence number when decision was made |
fa1aa143 | 813 | * @xpd: extended_perms_decision to be added to the node |
1da177e4 LT |
814 | * |
815 | * if a valid AVC entry doesn't exist,this function returns -ENOENT. | |
816 | * if kmalloc() called internal returns NULL, this function returns -ENOMEM. | |
6382dc33 | 817 | * otherwise, this function updates the AVC entry. The original AVC-entry object |
1da177e4 LT |
818 | * will release later by RCU. |
819 | */ | |
fa1aa143 JVS |
820 | static int avc_update_node(u32 event, u32 perms, u8 driver, u8 xperm, u32 ssid, |
821 | u32 tsid, u16 tclass, u32 seqno, | |
822 | struct extended_perms_decision *xpd, | |
823 | u32 flags) | |
1da177e4 LT |
824 | { |
825 | int hvalue, rc = 0; | |
826 | unsigned long flag; | |
827 | struct avc_node *pos, *node, *orig = NULL; | |
26036651 | 828 | struct hlist_head *head; |
edf3d1ae | 829 | spinlock_t *lock; |
1da177e4 LT |
830 | |
831 | node = avc_alloc_node(); | |
832 | if (!node) { | |
833 | rc = -ENOMEM; | |
834 | goto out; | |
835 | } | |
836 | ||
837 | /* Lock the target slot */ | |
838 | hvalue = avc_hash(ssid, tsid, tclass); | |
1da177e4 | 839 | |
edf3d1ae EP |
840 | head = &avc_cache.slots[hvalue]; |
841 | lock = &avc_cache.slots_lock[hvalue]; | |
842 | ||
843 | spin_lock_irqsave(lock, flag); | |
844 | ||
b67bfe0d | 845 | hlist_for_each_entry(pos, head, list) { |
95fff33b EP |
846 | if (ssid == pos->ae.ssid && |
847 | tsid == pos->ae.tsid && | |
a5dda683 EP |
848 | tclass == pos->ae.tclass && |
849 | seqno == pos->ae.avd.seqno){ | |
1da177e4 LT |
850 | orig = pos; |
851 | break; | |
852 | } | |
853 | } | |
854 | ||
855 | if (!orig) { | |
856 | rc = -ENOENT; | |
857 | avc_node_kill(node); | |
858 | goto out_unlock; | |
859 | } | |
860 | ||
861 | /* | |
862 | * Copy and replace original node. | |
863 | */ | |
864 | ||
21193dcd | 865 | avc_node_populate(node, ssid, tsid, tclass, &orig->ae.avd); |
1da177e4 | 866 | |
fa1aa143 JVS |
867 | if (orig->ae.xp_node) { |
868 | rc = avc_xperms_populate(node, orig->ae.xp_node); | |
869 | if (rc) { | |
870 | kmem_cache_free(avc_node_cachep, node); | |
871 | goto out_unlock; | |
872 | } | |
873 | } | |
874 | ||
1da177e4 LT |
875 | switch (event) { |
876 | case AVC_CALLBACK_GRANT: | |
877 | node->ae.avd.allowed |= perms; | |
fa1aa143 JVS |
878 | if (node->ae.xp_node && (flags & AVC_EXTENDED_PERMS)) |
879 | avc_xperms_allow_perm(node->ae.xp_node, driver, xperm); | |
1da177e4 LT |
880 | break; |
881 | case AVC_CALLBACK_TRY_REVOKE: | |
882 | case AVC_CALLBACK_REVOKE: | |
883 | node->ae.avd.allowed &= ~perms; | |
884 | break; | |
885 | case AVC_CALLBACK_AUDITALLOW_ENABLE: | |
886 | node->ae.avd.auditallow |= perms; | |
887 | break; | |
888 | case AVC_CALLBACK_AUDITALLOW_DISABLE: | |
889 | node->ae.avd.auditallow &= ~perms; | |
890 | break; | |
891 | case AVC_CALLBACK_AUDITDENY_ENABLE: | |
892 | node->ae.avd.auditdeny |= perms; | |
893 | break; | |
894 | case AVC_CALLBACK_AUDITDENY_DISABLE: | |
895 | node->ae.avd.auditdeny &= ~perms; | |
896 | break; | |
fa1aa143 JVS |
897 | case AVC_CALLBACK_ADD_XPERMS: |
898 | avc_add_xperms_decision(node, xpd); | |
899 | break; | |
1da177e4 LT |
900 | } |
901 | avc_node_replace(node, orig); | |
902 | out_unlock: | |
edf3d1ae | 903 | spin_unlock_irqrestore(lock, flag); |
1da177e4 LT |
904 | out: |
905 | return rc; | |
906 | } | |
907 | ||
908 | /** | |
008574b1 | 909 | * avc_flush - Flush the cache |
1da177e4 | 910 | */ |
008574b1 | 911 | static void avc_flush(void) |
1da177e4 | 912 | { |
26036651 | 913 | struct hlist_head *head; |
008574b1 | 914 | struct avc_node *node; |
edf3d1ae | 915 | spinlock_t *lock; |
008574b1 EP |
916 | unsigned long flag; |
917 | int i; | |
1da177e4 LT |
918 | |
919 | for (i = 0; i < AVC_CACHE_SLOTS; i++) { | |
edf3d1ae EP |
920 | head = &avc_cache.slots[i]; |
921 | lock = &avc_cache.slots_lock[i]; | |
922 | ||
923 | spin_lock_irqsave(lock, flag); | |
61844250 PM |
924 | /* |
925 | * With preemptable RCU, the outer spinlock does not | |
926 | * prevent RCU grace periods from ending. | |
927 | */ | |
928 | rcu_read_lock(); | |
b67bfe0d | 929 | hlist_for_each_entry(node, head, list) |
1da177e4 | 930 | avc_node_delete(node); |
61844250 | 931 | rcu_read_unlock(); |
edf3d1ae | 932 | spin_unlock_irqrestore(lock, flag); |
1da177e4 | 933 | } |
008574b1 EP |
934 | } |
935 | ||
936 | /** | |
937 | * avc_ss_reset - Flush the cache and revalidate migrated permissions. | |
938 | * @seqno: policy sequence number | |
939 | */ | |
940 | int avc_ss_reset(u32 seqno) | |
941 | { | |
942 | struct avc_callback_node *c; | |
943 | int rc = 0, tmprc; | |
944 | ||
945 | avc_flush(); | |
1da177e4 LT |
946 | |
947 | for (c = avc_callbacks; c; c = c->next) { | |
948 | if (c->events & AVC_CALLBACK_RESET) { | |
562c99f2 | 949 | tmprc = c->callback(AVC_CALLBACK_RESET); |
376bd9cb DG |
950 | /* save the first error encountered for the return |
951 | value and continue processing the callbacks */ | |
952 | if (!rc) | |
953 | rc = tmprc; | |
1da177e4 LT |
954 | } |
955 | } | |
956 | ||
957 | avc_latest_notif_update(seqno, 0); | |
1da177e4 LT |
958 | return rc; |
959 | } | |
960 | ||
a554bea8 LT |
961 | /* |
962 | * Slow-path helper function for avc_has_perm_noaudit, | |
963 | * when the avc_node lookup fails. We get called with | |
964 | * the RCU read lock held, and need to return with it | |
965 | * still held, but drop if for the security compute. | |
966 | * | |
967 | * Don't inline this, since it's the slow-path and just | |
968 | * results in a bigger stack frame. | |
969 | */ | |
970 | static noinline struct avc_node *avc_compute_av(u32 ssid, u32 tsid, | |
fa1aa143 JVS |
971 | u16 tclass, struct av_decision *avd, |
972 | struct avc_xperms_node *xp_node) | |
a554bea8 LT |
973 | { |
974 | rcu_read_unlock(); | |
fa1aa143 JVS |
975 | INIT_LIST_HEAD(&xp_node->xpd_head); |
976 | security_compute_av(ssid, tsid, tclass, avd, &xp_node->xp); | |
a554bea8 | 977 | rcu_read_lock(); |
fa1aa143 | 978 | return avc_insert(ssid, tsid, tclass, avd, xp_node); |
a554bea8 LT |
979 | } |
980 | ||
981 | static noinline int avc_denied(u32 ssid, u32 tsid, | |
fa1aa143 JVS |
982 | u16 tclass, u32 requested, |
983 | u8 driver, u8 xperm, unsigned flags, | |
984 | struct av_decision *avd) | |
a554bea8 LT |
985 | { |
986 | if (flags & AVC_STRICT) | |
987 | return -EACCES; | |
988 | ||
989 | if (selinux_enforcing && !(avd->flags & AVD_FLAGS_PERMISSIVE)) | |
990 | return -EACCES; | |
991 | ||
fa1aa143 JVS |
992 | avc_update_node(AVC_CALLBACK_GRANT, requested, driver, xperm, ssid, |
993 | tsid, tclass, avd->seqno, NULL, flags); | |
a554bea8 LT |
994 | return 0; |
995 | } | |
996 | ||
fa1aa143 JVS |
997 | /* |
998 | * The avc extended permissions logic adds an additional 256 bits of | |
999 | * permissions to an avc node when extended permissions for that node are | |
1000 | * specified in the avtab. If the additional 256 permissions is not adequate, | |
1001 | * as-is the case with ioctls, then multiple may be chained together and the | |
1002 | * driver field is used to specify which set contains the permission. | |
1003 | */ | |
1004 | int avc_has_extended_perms(u32 ssid, u32 tsid, u16 tclass, u32 requested, | |
1005 | u8 driver, u8 xperm, struct common_audit_data *ad) | |
1006 | { | |
1007 | struct avc_node *node; | |
1008 | struct av_decision avd; | |
1009 | u32 denied; | |
1010 | struct extended_perms_decision local_xpd; | |
1011 | struct extended_perms_decision *xpd = NULL; | |
1012 | struct extended_perms_data allowed; | |
1013 | struct extended_perms_data auditallow; | |
1014 | struct extended_perms_data dontaudit; | |
1015 | struct avc_xperms_node local_xp_node; | |
1016 | struct avc_xperms_node *xp_node; | |
1017 | int rc = 0, rc2; | |
1018 | ||
1019 | xp_node = &local_xp_node; | |
1020 | BUG_ON(!requested); | |
1021 | ||
1022 | rcu_read_lock(); | |
1023 | ||
1024 | node = avc_lookup(ssid, tsid, tclass); | |
1025 | if (unlikely(!node)) { | |
1026 | node = avc_compute_av(ssid, tsid, tclass, &avd, xp_node); | |
1027 | } else { | |
1028 | memcpy(&avd, &node->ae.avd, sizeof(avd)); | |
1029 | xp_node = node->ae.xp_node; | |
1030 | } | |
1031 | /* if extended permissions are not defined, only consider av_decision */ | |
1032 | if (!xp_node || !xp_node->xp.len) | |
1033 | goto decision; | |
1034 | ||
1035 | local_xpd.allowed = &allowed; | |
1036 | local_xpd.auditallow = &auditallow; | |
1037 | local_xpd.dontaudit = &dontaudit; | |
1038 | ||
1039 | xpd = avc_xperms_decision_lookup(driver, xp_node); | |
1040 | if (unlikely(!xpd)) { | |
1041 | /* | |
1042 | * Compute the extended_perms_decision only if the driver | |
1043 | * is flagged | |
1044 | */ | |
1045 | if (!security_xperm_test(xp_node->xp.drivers.p, driver)) { | |
1046 | avd.allowed &= ~requested; | |
1047 | goto decision; | |
1048 | } | |
1049 | rcu_read_unlock(); | |
1050 | security_compute_xperms_decision(ssid, tsid, tclass, driver, | |
1051 | &local_xpd); | |
1052 | rcu_read_lock(); | |
1053 | avc_update_node(AVC_CALLBACK_ADD_XPERMS, requested, driver, xperm, | |
1054 | ssid, tsid, tclass, avd.seqno, &local_xpd, 0); | |
1055 | } else { | |
1056 | avc_quick_copy_xperms_decision(xperm, &local_xpd, xpd); | |
1057 | } | |
1058 | xpd = &local_xpd; | |
1059 | ||
1060 | if (!avc_xperms_has_perm(xpd, xperm, XPERMS_ALLOWED)) | |
1061 | avd.allowed &= ~requested; | |
1062 | ||
1063 | decision: | |
1064 | denied = requested & ~(avd.allowed); | |
1065 | if (unlikely(denied)) | |
1066 | rc = avc_denied(ssid, tsid, tclass, requested, driver, xperm, | |
1067 | AVC_EXTENDED_PERMS, &avd); | |
1068 | ||
1069 | rcu_read_unlock(); | |
1070 | ||
1071 | rc2 = avc_xperms_audit(ssid, tsid, tclass, requested, | |
1072 | &avd, xpd, xperm, rc, ad); | |
1073 | if (rc2) | |
1074 | return rc2; | |
1075 | return rc; | |
1076 | } | |
a554bea8 | 1077 | |
1da177e4 LT |
1078 | /** |
1079 | * avc_has_perm_noaudit - Check permissions but perform no auditing. | |
1080 | * @ssid: source security identifier | |
1081 | * @tsid: target security identifier | |
1082 | * @tclass: target security class | |
1083 | * @requested: requested permissions, interpreted based on @tclass | |
2c3c05db | 1084 | * @flags: AVC_STRICT or 0 |
1da177e4 LT |
1085 | * @avd: access vector decisions |
1086 | * | |
1087 | * Check the AVC to determine whether the @requested permissions are granted | |
1088 | * for the SID pair (@ssid, @tsid), interpreting the permissions | |
1089 | * based on @tclass, and call the security server on a cache miss to obtain | |
1090 | * a new decision and add it to the cache. Return a copy of the decisions | |
1091 | * in @avd. Return %0 if all @requested permissions are granted, | |
1092 | * -%EACCES if any permissions are denied, or another -errno upon | |
1093 | * other errors. This function is typically called by avc_has_perm(), | |
1094 | * but may also be called directly to separate permission checking from | |
1095 | * auditing, e.g. in cases where a lock must be held for the check but | |
1096 | * should be released for the auditing. | |
1097 | */ | |
cdb0f9a1 | 1098 | inline int avc_has_perm_noaudit(u32 ssid, u32 tsid, |
2c3c05db SS |
1099 | u16 tclass, u32 requested, |
1100 | unsigned flags, | |
f01e1af4 | 1101 | struct av_decision *avd) |
1da177e4 LT |
1102 | { |
1103 | struct avc_node *node; | |
fa1aa143 | 1104 | struct avc_xperms_node xp_node; |
1da177e4 LT |
1105 | int rc = 0; |
1106 | u32 denied; | |
1107 | ||
eda4f69c EP |
1108 | BUG_ON(!requested); |
1109 | ||
1da177e4 LT |
1110 | rcu_read_lock(); |
1111 | ||
f1c6381a | 1112 | node = avc_lookup(ssid, tsid, tclass); |
83d4a806 | 1113 | if (unlikely(!node)) |
fa1aa143 | 1114 | node = avc_compute_av(ssid, tsid, tclass, avd, &xp_node); |
83d4a806 | 1115 | else |
f01e1af4 | 1116 | memcpy(avd, &node->ae.avd, sizeof(*avd)); |
1da177e4 | 1117 | |
21193dcd | 1118 | denied = requested & ~(avd->allowed); |
a554bea8 | 1119 | if (unlikely(denied)) |
fa1aa143 | 1120 | rc = avc_denied(ssid, tsid, tclass, requested, 0, 0, flags, avd); |
1da177e4 LT |
1121 | |
1122 | rcu_read_unlock(); | |
1da177e4 LT |
1123 | return rc; |
1124 | } | |
1125 | ||
1126 | /** | |
1127 | * avc_has_perm - Check permissions and perform any appropriate auditing. | |
1128 | * @ssid: source security identifier | |
1129 | * @tsid: target security identifier | |
1130 | * @tclass: target security class | |
1131 | * @requested: requested permissions, interpreted based on @tclass | |
1132 | * @auditdata: auxiliary audit data | |
1133 | * | |
1134 | * Check the AVC to determine whether the @requested permissions are granted | |
1135 | * for the SID pair (@ssid, @tsid), interpreting the permissions | |
1136 | * based on @tclass, and call the security server on a cache miss to obtain | |
1137 | * a new decision and add it to the cache. Audit the granting or denial of | |
1138 | * permissions in accordance with the policy. Return %0 if all @requested | |
1139 | * permissions are granted, -%EACCES if any permissions are denied, or | |
1140 | * another -errno upon other errors. | |
1141 | */ | |
cb4fbe57 LT |
1142 | int avc_has_perm(u32 ssid, u32 tsid, u16 tclass, |
1143 | u32 requested, struct common_audit_data *auditdata) | |
1da177e4 LT |
1144 | { |
1145 | struct av_decision avd; | |
9ade0cf4 | 1146 | int rc, rc2; |
1da177e4 | 1147 | |
2c3c05db | 1148 | rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, &avd); |
9ade0cf4 | 1149 | |
7b20ea25 N |
1150 | rc2 = avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata, 0); |
1151 | if (rc2) | |
1152 | return rc2; | |
1153 | return rc; | |
1154 | } | |
1155 | ||
1156 | int avc_has_perm_flags(u32 ssid, u32 tsid, u16 tclass, | |
1157 | u32 requested, struct common_audit_data *auditdata, | |
1158 | int flags) | |
1159 | { | |
1160 | struct av_decision avd; | |
1161 | int rc, rc2; | |
1162 | ||
1163 | rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, &avd); | |
1164 | ||
1165 | rc2 = avc_audit(ssid, tsid, tclass, requested, &avd, rc, | |
1166 | auditdata, flags); | |
9ade0cf4 EP |
1167 | if (rc2) |
1168 | return rc2; | |
1da177e4 LT |
1169 | return rc; |
1170 | } | |
788e7dd4 YN |
1171 | |
1172 | u32 avc_policy_seqno(void) | |
1173 | { | |
1174 | return avc_cache.latest_notif; | |
1175 | } | |
89c86576 TL |
1176 | |
1177 | void avc_disable(void) | |
1178 | { | |
5224ee08 EP |
1179 | /* |
1180 | * If you are looking at this because you have realized that we are | |
1181 | * not destroying the avc_node_cachep it might be easy to fix, but | |
1182 | * I don't know the memory barrier semantics well enough to know. It's | |
1183 | * possible that some other task dereferenced security_ops when | |
1184 | * it still pointed to selinux operations. If that is the case it's | |
1185 | * possible that it is about to use the avc and is about to need the | |
1186 | * avc_node_cachep. I know I could wrap the security.c security_ops call | |
1187 | * in an rcu_lock, but seriously, it's not worth it. Instead I just flush | |
1188 | * the cache and get that memory back. | |
1189 | */ | |
1190 | if (avc_node_cachep) { | |
1191 | avc_flush(); | |
1192 | /* kmem_cache_destroy(avc_node_cachep); */ | |
1193 | } | |
89c86576 | 1194 | } |