Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | /* |
2 | * Implementation of the kernel access vector cache (AVC). | |
3 | * | |
4 | * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> | |
95fff33b | 5 | * James Morris <jmorris@redhat.com> |
1da177e4 LT |
6 | * |
7 | * Update: KaiGai, Kohei <kaigai@ak.jp.nec.com> | |
95fff33b | 8 | * Replaced the avc_lock spinlock by RCU. |
1da177e4 LT |
9 | * |
10 | * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> | |
11 | * | |
12 | * This program is free software; you can redistribute it and/or modify | |
13 | * it under the terms of the GNU General Public License version 2, | |
95fff33b | 14 | * as published by the Free Software Foundation. |
1da177e4 LT |
15 | */ |
16 | #include <linux/types.h> | |
17 | #include <linux/stddef.h> | |
18 | #include <linux/kernel.h> | |
19 | #include <linux/slab.h> | |
20 | #include <linux/fs.h> | |
21 | #include <linux/dcache.h> | |
22 | #include <linux/init.h> | |
23 | #include <linux/skbuff.h> | |
24 | #include <linux/percpu.h> | |
25 | #include <net/sock.h> | |
26 | #include <linux/un.h> | |
27 | #include <net/af_unix.h> | |
28 | #include <linux/ip.h> | |
29 | #include <linux/audit.h> | |
30 | #include <linux/ipv6.h> | |
31 | #include <net/ipv6.h> | |
32 | #include "avc.h" | |
33 | #include "avc_ss.h" | |
c6d3aaa4 | 34 | #include "classmap.h" |
5c458998 | 35 | |
1da177e4 LT |
36 | #define AVC_CACHE_SLOTS 512 |
37 | #define AVC_DEF_CACHE_THRESHOLD 512 | |
38 | #define AVC_CACHE_RECLAIM 16 | |
39 | ||
40 | #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS | |
044aea9b | 41 | #define avc_cache_stats_incr(field) this_cpu_inc(avc_cache_stats.field) |
1da177e4 LT |
42 | #else |
43 | #define avc_cache_stats_incr(field) do {} while (0) | |
44 | #endif | |
45 | ||
46 | struct avc_entry { | |
47 | u32 ssid; | |
48 | u32 tsid; | |
49 | u16 tclass; | |
50 | struct av_decision avd; | |
1da177e4 LT |
51 | }; |
52 | ||
53 | struct avc_node { | |
54 | struct avc_entry ae; | |
26036651 | 55 | struct hlist_node list; /* anchored in avc_cache->slots[i] */ |
95fff33b | 56 | struct rcu_head rhead; |
1da177e4 LT |
57 | }; |
58 | ||
59 | struct avc_cache { | |
26036651 | 60 | struct hlist_head slots[AVC_CACHE_SLOTS]; /* head for avc_node->list */ |
1da177e4 LT |
61 | spinlock_t slots_lock[AVC_CACHE_SLOTS]; /* lock for writes */ |
62 | atomic_t lru_hint; /* LRU hint for reclaim scan */ | |
63 | atomic_t active_nodes; | |
64 | u32 latest_notif; /* latest revocation notification */ | |
65 | }; | |
66 | ||
67 | struct avc_callback_node { | |
68 | int (*callback) (u32 event, u32 ssid, u32 tsid, | |
95fff33b EP |
69 | u16 tclass, u32 perms, |
70 | u32 *out_retained); | |
1da177e4 LT |
71 | u32 events; |
72 | u32 ssid; | |
73 | u32 tsid; | |
74 | u16 tclass; | |
75 | u32 perms; | |
76 | struct avc_callback_node *next; | |
77 | }; | |
78 | ||
79 | /* Exported via selinufs */ | |
80 | unsigned int avc_cache_threshold = AVC_DEF_CACHE_THRESHOLD; | |
81 | ||
82 | #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS | |
83 | DEFINE_PER_CPU(struct avc_cache_stats, avc_cache_stats) = { 0 }; | |
84 | #endif | |
85 | ||
86 | static struct avc_cache avc_cache; | |
87 | static struct avc_callback_node *avc_callbacks; | |
e18b890b | 88 | static struct kmem_cache *avc_node_cachep; |
1da177e4 LT |
89 | |
90 | static inline int avc_hash(u32 ssid, u32 tsid, u16 tclass) | |
91 | { | |
92 | return (ssid ^ (tsid<<2) ^ (tclass<<4)) & (AVC_CACHE_SLOTS - 1); | |
93 | } | |
94 | ||
95 | /** | |
96 | * avc_dump_av - Display an access vector in human-readable form. | |
97 | * @tclass: target security class | |
98 | * @av: access vector | |
99 | */ | |
44c2d9bd | 100 | static void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av) |
1da177e4 | 101 | { |
c6d3aaa4 SS |
102 | const char **perms; |
103 | int i, perm; | |
1da177e4 LT |
104 | |
105 | if (av == 0) { | |
106 | audit_log_format(ab, " null"); | |
107 | return; | |
108 | } | |
109 | ||
c6d3aaa4 | 110 | perms = secclass_map[tclass-1].perms; |
1da177e4 LT |
111 | |
112 | audit_log_format(ab, " {"); | |
113 | i = 0; | |
114 | perm = 1; | |
c6d3aaa4 | 115 | while (i < (sizeof(av) * 8)) { |
0bce9527 | 116 | if ((perm & av) && perms[i]) { |
c6d3aaa4 | 117 | audit_log_format(ab, " %s", perms[i]); |
1da177e4 LT |
118 | av &= ~perm; |
119 | } | |
120 | i++; | |
121 | perm <<= 1; | |
122 | } | |
123 | ||
1da177e4 LT |
124 | if (av) |
125 | audit_log_format(ab, " 0x%x", av); | |
126 | ||
127 | audit_log_format(ab, " }"); | |
128 | } | |
129 | ||
130 | /** | |
131 | * avc_dump_query - Display a SID pair and a class in human-readable form. | |
132 | * @ssid: source security identifier | |
133 | * @tsid: target security identifier | |
134 | * @tclass: target security class | |
135 | */ | |
136 | static void avc_dump_query(struct audit_buffer *ab, u32 ssid, u32 tsid, u16 tclass) | |
137 | { | |
138 | int rc; | |
139 | char *scontext; | |
140 | u32 scontext_len; | |
141 | ||
95fff33b | 142 | rc = security_sid_to_context(ssid, &scontext, &scontext_len); |
1da177e4 LT |
143 | if (rc) |
144 | audit_log_format(ab, "ssid=%d", ssid); | |
145 | else { | |
146 | audit_log_format(ab, "scontext=%s", scontext); | |
147 | kfree(scontext); | |
148 | } | |
149 | ||
150 | rc = security_sid_to_context(tsid, &scontext, &scontext_len); | |
151 | if (rc) | |
152 | audit_log_format(ab, " tsid=%d", tsid); | |
153 | else { | |
154 | audit_log_format(ab, " tcontext=%s", scontext); | |
155 | kfree(scontext); | |
156 | } | |
a764ae4b | 157 | |
c6d3aaa4 SS |
158 | BUG_ON(tclass >= ARRAY_SIZE(secclass_map)); |
159 | audit_log_format(ab, " tclass=%s", secclass_map[tclass-1].name); | |
1da177e4 LT |
160 | } |
161 | ||
162 | /** | |
163 | * avc_init - Initialize the AVC. | |
164 | * | |
165 | * Initialize the access vector cache. | |
166 | */ | |
167 | void __init avc_init(void) | |
168 | { | |
169 | int i; | |
170 | ||
171 | for (i = 0; i < AVC_CACHE_SLOTS; i++) { | |
26036651 | 172 | INIT_HLIST_HEAD(&avc_cache.slots[i]); |
1da177e4 LT |
173 | spin_lock_init(&avc_cache.slots_lock[i]); |
174 | } | |
175 | atomic_set(&avc_cache.active_nodes, 0); | |
176 | atomic_set(&avc_cache.lru_hint, 0); | |
177 | ||
178 | avc_node_cachep = kmem_cache_create("avc_node", sizeof(struct avc_node), | |
20c2df83 | 179 | 0, SLAB_PANIC, NULL); |
1da177e4 | 180 | |
9ad9ad38 | 181 | audit_log(current->audit_context, GFP_KERNEL, AUDIT_KERNEL, "AVC INITIALIZED\n"); |
1da177e4 LT |
182 | } |
183 | ||
184 | int avc_get_hash_stats(char *page) | |
185 | { | |
186 | int i, chain_len, max_chain_len, slots_used; | |
187 | struct avc_node *node; | |
26036651 | 188 | struct hlist_head *head; |
1da177e4 LT |
189 | |
190 | rcu_read_lock(); | |
191 | ||
192 | slots_used = 0; | |
193 | max_chain_len = 0; | |
194 | for (i = 0; i < AVC_CACHE_SLOTS; i++) { | |
edf3d1ae | 195 | head = &avc_cache.slots[i]; |
26036651 EP |
196 | if (!hlist_empty(head)) { |
197 | struct hlist_node *next; | |
198 | ||
1da177e4 LT |
199 | slots_used++; |
200 | chain_len = 0; | |
26036651 | 201 | hlist_for_each_entry_rcu(node, next, head, list) |
1da177e4 LT |
202 | chain_len++; |
203 | if (chain_len > max_chain_len) | |
204 | max_chain_len = chain_len; | |
205 | } | |
206 | } | |
207 | ||
208 | rcu_read_unlock(); | |
209 | ||
210 | return scnprintf(page, PAGE_SIZE, "entries: %d\nbuckets used: %d/%d\n" | |
211 | "longest chain: %d\n", | |
212 | atomic_read(&avc_cache.active_nodes), | |
213 | slots_used, AVC_CACHE_SLOTS, max_chain_len); | |
214 | } | |
215 | ||
216 | static void avc_node_free(struct rcu_head *rhead) | |
217 | { | |
218 | struct avc_node *node = container_of(rhead, struct avc_node, rhead); | |
219 | kmem_cache_free(avc_node_cachep, node); | |
220 | avc_cache_stats_incr(frees); | |
221 | } | |
222 | ||
223 | static void avc_node_delete(struct avc_node *node) | |
224 | { | |
26036651 | 225 | hlist_del_rcu(&node->list); |
1da177e4 LT |
226 | call_rcu(&node->rhead, avc_node_free); |
227 | atomic_dec(&avc_cache.active_nodes); | |
228 | } | |
229 | ||
230 | static void avc_node_kill(struct avc_node *node) | |
231 | { | |
232 | kmem_cache_free(avc_node_cachep, node); | |
233 | avc_cache_stats_incr(frees); | |
234 | atomic_dec(&avc_cache.active_nodes); | |
235 | } | |
236 | ||
237 | static void avc_node_replace(struct avc_node *new, struct avc_node *old) | |
238 | { | |
26036651 | 239 | hlist_replace_rcu(&old->list, &new->list); |
1da177e4 LT |
240 | call_rcu(&old->rhead, avc_node_free); |
241 | atomic_dec(&avc_cache.active_nodes); | |
242 | } | |
243 | ||
244 | static inline int avc_reclaim_node(void) | |
245 | { | |
246 | struct avc_node *node; | |
247 | int hvalue, try, ecx; | |
248 | unsigned long flags; | |
26036651 EP |
249 | struct hlist_head *head; |
250 | struct hlist_node *next; | |
edf3d1ae | 251 | spinlock_t *lock; |
1da177e4 | 252 | |
95fff33b | 253 | for (try = 0, ecx = 0; try < AVC_CACHE_SLOTS; try++) { |
1da177e4 | 254 | hvalue = atomic_inc_return(&avc_cache.lru_hint) & (AVC_CACHE_SLOTS - 1); |
edf3d1ae EP |
255 | head = &avc_cache.slots[hvalue]; |
256 | lock = &avc_cache.slots_lock[hvalue]; | |
1da177e4 | 257 | |
edf3d1ae | 258 | if (!spin_trylock_irqsave(lock, flags)) |
1da177e4 LT |
259 | continue; |
260 | ||
61844250 | 261 | rcu_read_lock(); |
26036651 | 262 | hlist_for_each_entry(node, next, head, list) { |
906d27d9 EP |
263 | avc_node_delete(node); |
264 | avc_cache_stats_incr(reclaims); | |
265 | ecx++; | |
266 | if (ecx >= AVC_CACHE_RECLAIM) { | |
267 | rcu_read_unlock(); | |
edf3d1ae | 268 | spin_unlock_irqrestore(lock, flags); |
906d27d9 | 269 | goto out; |
1da177e4 LT |
270 | } |
271 | } | |
61844250 | 272 | rcu_read_unlock(); |
edf3d1ae | 273 | spin_unlock_irqrestore(lock, flags); |
1da177e4 LT |
274 | } |
275 | out: | |
276 | return ecx; | |
277 | } | |
278 | ||
279 | static struct avc_node *avc_alloc_node(void) | |
280 | { | |
281 | struct avc_node *node; | |
282 | ||
c3762229 | 283 | node = kmem_cache_zalloc(avc_node_cachep, GFP_ATOMIC); |
1da177e4 LT |
284 | if (!node) |
285 | goto out; | |
286 | ||
26036651 | 287 | INIT_HLIST_NODE(&node->list); |
1da177e4 LT |
288 | avc_cache_stats_incr(allocations); |
289 | ||
290 | if (atomic_inc_return(&avc_cache.active_nodes) > avc_cache_threshold) | |
291 | avc_reclaim_node(); | |
292 | ||
293 | out: | |
294 | return node; | |
295 | } | |
296 | ||
21193dcd | 297 | static void avc_node_populate(struct avc_node *node, u32 ssid, u32 tsid, u16 tclass, struct av_decision *avd) |
1da177e4 LT |
298 | { |
299 | node->ae.ssid = ssid; | |
300 | node->ae.tsid = tsid; | |
301 | node->ae.tclass = tclass; | |
21193dcd | 302 | memcpy(&node->ae.avd, avd, sizeof(node->ae.avd)); |
1da177e4 LT |
303 | } |
304 | ||
305 | static inline struct avc_node *avc_search_node(u32 ssid, u32 tsid, u16 tclass) | |
306 | { | |
307 | struct avc_node *node, *ret = NULL; | |
308 | int hvalue; | |
26036651 EP |
309 | struct hlist_head *head; |
310 | struct hlist_node *next; | |
1da177e4 LT |
311 | |
312 | hvalue = avc_hash(ssid, tsid, tclass); | |
edf3d1ae | 313 | head = &avc_cache.slots[hvalue]; |
26036651 | 314 | hlist_for_each_entry_rcu(node, next, head, list) { |
1da177e4 LT |
315 | if (ssid == node->ae.ssid && |
316 | tclass == node->ae.tclass && | |
317 | tsid == node->ae.tsid) { | |
318 | ret = node; | |
319 | break; | |
320 | } | |
321 | } | |
322 | ||
1da177e4 LT |
323 | return ret; |
324 | } | |
325 | ||
326 | /** | |
327 | * avc_lookup - Look up an AVC entry. | |
328 | * @ssid: source security identifier | |
329 | * @tsid: target security identifier | |
330 | * @tclass: target security class | |
1da177e4 LT |
331 | * |
332 | * Look up an AVC entry that is valid for the | |
1da177e4 LT |
333 | * (@ssid, @tsid), interpreting the permissions |
334 | * based on @tclass. If a valid AVC entry exists, | |
6382dc33 | 335 | * then this function returns the avc_node. |
1da177e4 LT |
336 | * Otherwise, this function returns NULL. |
337 | */ | |
f1c6381a | 338 | static struct avc_node *avc_lookup(u32 ssid, u32 tsid, u16 tclass) |
1da177e4 LT |
339 | { |
340 | struct avc_node *node; | |
341 | ||
342 | avc_cache_stats_incr(lookups); | |
343 | node = avc_search_node(ssid, tsid, tclass); | |
344 | ||
f1c6381a | 345 | if (node) |
257313b2 | 346 | return node; |
1da177e4 | 347 | |
257313b2 LT |
348 | avc_cache_stats_incr(misses); |
349 | return NULL; | |
1da177e4 LT |
350 | } |
351 | ||
352 | static int avc_latest_notif_update(int seqno, int is_insert) | |
353 | { | |
354 | int ret = 0; | |
355 | static DEFINE_SPINLOCK(notif_lock); | |
356 | unsigned long flag; | |
357 | ||
358 | spin_lock_irqsave(¬if_lock, flag); | |
359 | if (is_insert) { | |
360 | if (seqno < avc_cache.latest_notif) { | |
744ba35e | 361 | printk(KERN_WARNING "SELinux: avc: seqno %d < latest_notif %d\n", |
1da177e4 LT |
362 | seqno, avc_cache.latest_notif); |
363 | ret = -EAGAIN; | |
364 | } | |
365 | } else { | |
366 | if (seqno > avc_cache.latest_notif) | |
367 | avc_cache.latest_notif = seqno; | |
368 | } | |
369 | spin_unlock_irqrestore(¬if_lock, flag); | |
370 | ||
371 | return ret; | |
372 | } | |
373 | ||
374 | /** | |
375 | * avc_insert - Insert an AVC entry. | |
376 | * @ssid: source security identifier | |
377 | * @tsid: target security identifier | |
378 | * @tclass: target security class | |
21193dcd | 379 | * @avd: resulting av decision |
1da177e4 LT |
380 | * |
381 | * Insert an AVC entry for the SID pair | |
382 | * (@ssid, @tsid) and class @tclass. | |
383 | * The access vectors and the sequence number are | |
384 | * normally provided by the security server in | |
385 | * response to a security_compute_av() call. If the | |
21193dcd | 386 | * sequence number @avd->seqno is not less than the latest |
1da177e4 LT |
387 | * revocation notification, then the function copies |
388 | * the access vectors into a cache entry, returns | |
389 | * avc_node inserted. Otherwise, this function returns NULL. | |
390 | */ | |
21193dcd | 391 | static struct avc_node *avc_insert(u32 ssid, u32 tsid, u16 tclass, struct av_decision *avd) |
1da177e4 LT |
392 | { |
393 | struct avc_node *pos, *node = NULL; | |
394 | int hvalue; | |
395 | unsigned long flag; | |
396 | ||
21193dcd | 397 | if (avc_latest_notif_update(avd->seqno, 1)) |
1da177e4 LT |
398 | goto out; |
399 | ||
400 | node = avc_alloc_node(); | |
401 | if (node) { | |
26036651 EP |
402 | struct hlist_head *head; |
403 | struct hlist_node *next; | |
edf3d1ae EP |
404 | spinlock_t *lock; |
405 | ||
1da177e4 | 406 | hvalue = avc_hash(ssid, tsid, tclass); |
21193dcd | 407 | avc_node_populate(node, ssid, tsid, tclass, avd); |
1da177e4 | 408 | |
edf3d1ae EP |
409 | head = &avc_cache.slots[hvalue]; |
410 | lock = &avc_cache.slots_lock[hvalue]; | |
411 | ||
412 | spin_lock_irqsave(lock, flag); | |
26036651 | 413 | hlist_for_each_entry(pos, next, head, list) { |
1da177e4 LT |
414 | if (pos->ae.ssid == ssid && |
415 | pos->ae.tsid == tsid && | |
416 | pos->ae.tclass == tclass) { | |
95fff33b | 417 | avc_node_replace(node, pos); |
1da177e4 LT |
418 | goto found; |
419 | } | |
420 | } | |
26036651 | 421 | hlist_add_head_rcu(&node->list, head); |
1da177e4 | 422 | found: |
edf3d1ae | 423 | spin_unlock_irqrestore(lock, flag); |
1da177e4 LT |
424 | } |
425 | out: | |
426 | return node; | |
427 | } | |
428 | ||
2bf49690 TL |
429 | /** |
430 | * avc_audit_pre_callback - SELinux specific information | |
431 | * will be called by generic audit code | |
432 | * @ab: the audit buffer | |
433 | * @a: audit_data | |
434 | */ | |
435 | static void avc_audit_pre_callback(struct audit_buffer *ab, void *a) | |
1da177e4 | 436 | { |
2bf49690 TL |
437 | struct common_audit_data *ad = a; |
438 | audit_log_format(ab, "avc: %s ", | |
3f0882c4 EP |
439 | ad->selinux_audit_data->slad->denied ? "denied" : "granted"); |
440 | avc_dump_av(ab, ad->selinux_audit_data->slad->tclass, | |
441 | ad->selinux_audit_data->slad->audited); | |
2bf49690 | 442 | audit_log_format(ab, " for "); |
1da177e4 LT |
443 | } |
444 | ||
2bf49690 TL |
445 | /** |
446 | * avc_audit_post_callback - SELinux specific information | |
447 | * will be called by generic audit code | |
448 | * @ab: the audit buffer | |
449 | * @a: audit_data | |
450 | */ | |
451 | static void avc_audit_post_callback(struct audit_buffer *ab, void *a) | |
1da177e4 | 452 | { |
2bf49690 TL |
453 | struct common_audit_data *ad = a; |
454 | audit_log_format(ab, " "); | |
3f0882c4 EP |
455 | avc_dump_query(ab, ad->selinux_audit_data->slad->ssid, |
456 | ad->selinux_audit_data->slad->tsid, | |
457 | ad->selinux_audit_data->slad->tclass); | |
1da177e4 LT |
458 | } |
459 | ||
48aab2f7 LT |
460 | /* This is the slow part of avc audit with big stack footprint */ |
461 | static noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass, | |
462 | u32 requested, u32 audited, u32 denied, | |
f8294f11 | 463 | struct common_audit_data *a, |
48aab2f7 LT |
464 | unsigned flags) |
465 | { | |
466 | struct common_audit_data stack_data; | |
3b3b0e4f | 467 | struct selinux_audit_data sad = {0,}; |
3f0882c4 | 468 | struct selinux_late_audit_data slad; |
48aab2f7 LT |
469 | |
470 | if (!a) { | |
471 | a = &stack_data; | |
472 | COMMON_AUDIT_DATA_INIT(a, NONE); | |
3b3b0e4f | 473 | a->selinux_audit_data = &sad; |
48aab2f7 LT |
474 | } |
475 | ||
476 | /* | |
477 | * When in a RCU walk do the audit on the RCU retry. This is because | |
478 | * the collection of the dname in an inode audit message is not RCU | |
479 | * safe. Note this may drop some audits when the situation changes | |
480 | * during retry. However this is logically just as if the operation | |
481 | * happened a little later. | |
482 | */ | |
483 | if ((a->type == LSM_AUDIT_DATA_INODE) && | |
484 | (flags & MAY_NOT_BLOCK)) | |
485 | return -ECHILD; | |
486 | ||
3f0882c4 EP |
487 | slad.tclass = tclass; |
488 | slad.requested = requested; | |
489 | slad.ssid = ssid; | |
490 | slad.tsid = tsid; | |
491 | slad.audited = audited; | |
492 | slad.denied = denied; | |
493 | ||
494 | a->selinux_audit_data->slad = &slad; | |
b61c37f5 | 495 | common_lsm_audit(a, avc_audit_pre_callback, avc_audit_post_callback); |
48aab2f7 LT |
496 | return 0; |
497 | } | |
498 | ||
1da177e4 LT |
499 | /** |
500 | * avc_audit - Audit the granting or denial of permissions. | |
501 | * @ssid: source security identifier | |
502 | * @tsid: target security identifier | |
503 | * @tclass: target security class | |
504 | * @requested: requested permissions | |
505 | * @avd: access vector decisions | |
506 | * @result: result from avc_has_perm_noaudit | |
507 | * @a: auxiliary audit data | |
9ade0cf4 | 508 | * @flags: VFS walk flags |
1da177e4 LT |
509 | * |
510 | * Audit the granting or denial of permissions in accordance | |
511 | * with the policy. This function is typically called by | |
512 | * avc_has_perm() after a permission check, but can also be | |
513 | * called directly by callers who use avc_has_perm_noaudit() | |
514 | * in order to separate the permission check from the auditing. | |
515 | * For example, this separation is useful when the permission check must | |
516 | * be performed under a lock, to allow the lock to be released | |
517 | * before calling the auditing code. | |
518 | */ | |
cdb0f9a1 | 519 | inline int avc_audit(u32 ssid, u32 tsid, |
95fff33b | 520 | u16 tclass, u32 requested, |
9ade0cf4 EP |
521 | struct av_decision *avd, int result, struct common_audit_data *a, |
522 | unsigned flags) | |
1da177e4 | 523 | { |
be940d62 | 524 | u32 denied, audited; |
be940d62 | 525 | denied = requested & ~avd->allowed; |
48aab2f7 | 526 | if (unlikely(denied)) { |
b6cac5a3 | 527 | audited = denied & avd->auditdeny; |
b782e0a6 | 528 | /* |
3b3b0e4f | 529 | * a->selinux_audit_data->auditdeny is TRICKY! Setting a bit in |
b782e0a6 EP |
530 | * this field means that ANY denials should NOT be audited if |
531 | * the policy contains an explicit dontaudit rule for that | |
532 | * permission. Take notice that this is unrelated to the | |
533 | * actual permissions that were denied. As an example lets | |
534 | * assume: | |
535 | * | |
536 | * denied == READ | |
537 | * avd.auditdeny & ACCESS == 0 (not set means explicit rule) | |
3b3b0e4f | 538 | * selinux_audit_data->auditdeny & ACCESS == 1 |
b782e0a6 EP |
539 | * |
540 | * We will NOT audit the denial even though the denied | |
541 | * permission was READ and the auditdeny checks were for | |
542 | * ACCESS | |
543 | */ | |
544 | if (a && | |
3b3b0e4f EP |
545 | a->selinux_audit_data->auditdeny && |
546 | !(a->selinux_audit_data->auditdeny & avd->auditdeny)) | |
b782e0a6 EP |
547 | audited = 0; |
548 | } else if (result) | |
be940d62 | 549 | audited = denied = requested; |
b6cac5a3 SS |
550 | else |
551 | audited = requested & avd->auditallow; | |
48aab2f7 | 552 | if (likely(!audited)) |
9ade0cf4 EP |
553 | return 0; |
554 | ||
48aab2f7 LT |
555 | return slow_avc_audit(ssid, tsid, tclass, |
556 | requested, audited, denied, | |
f8294f11 | 557 | a, flags); |
1da177e4 LT |
558 | } |
559 | ||
560 | /** | |
561 | * avc_add_callback - Register a callback for security events. | |
562 | * @callback: callback function | |
563 | * @events: security events | |
564 | * @ssid: source security identifier or %SECSID_WILD | |
565 | * @tsid: target security identifier or %SECSID_WILD | |
566 | * @tclass: target security class | |
567 | * @perms: permissions | |
568 | * | |
569 | * Register a callback function for events in the set @events | |
6382dc33 | 570 | * related to the SID pair (@ssid, @tsid) |
1da177e4 LT |
571 | * and the permissions @perms, interpreting |
572 | * @perms based on @tclass. Returns %0 on success or | |
573 | * -%ENOMEM if insufficient memory exists to add the callback. | |
574 | */ | |
575 | int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid, | |
95fff33b EP |
576 | u16 tclass, u32 perms, |
577 | u32 *out_retained), | |
578 | u32 events, u32 ssid, u32 tsid, | |
579 | u16 tclass, u32 perms) | |
1da177e4 LT |
580 | { |
581 | struct avc_callback_node *c; | |
582 | int rc = 0; | |
583 | ||
584 | c = kmalloc(sizeof(*c), GFP_ATOMIC); | |
585 | if (!c) { | |
586 | rc = -ENOMEM; | |
587 | goto out; | |
588 | } | |
589 | ||
590 | c->callback = callback; | |
591 | c->events = events; | |
592 | c->ssid = ssid; | |
593 | c->tsid = tsid; | |
594 | c->perms = perms; | |
595 | c->next = avc_callbacks; | |
596 | avc_callbacks = c; | |
597 | out: | |
598 | return rc; | |
599 | } | |
600 | ||
601 | static inline int avc_sidcmp(u32 x, u32 y) | |
602 | { | |
603 | return (x == y || x == SECSID_WILD || y == SECSID_WILD); | |
604 | } | |
605 | ||
606 | /** | |
607 | * avc_update_node Update an AVC entry | |
608 | * @event : Updating event | |
609 | * @perms : Permission mask bits | |
610 | * @ssid,@tsid,@tclass : identifier of an AVC entry | |
a5dda683 | 611 | * @seqno : sequence number when decision was made |
1da177e4 LT |
612 | * |
613 | * if a valid AVC entry doesn't exist,this function returns -ENOENT. | |
614 | * if kmalloc() called internal returns NULL, this function returns -ENOMEM. | |
6382dc33 | 615 | * otherwise, this function updates the AVC entry. The original AVC-entry object |
1da177e4 LT |
616 | * will release later by RCU. |
617 | */ | |
a5dda683 EP |
618 | static int avc_update_node(u32 event, u32 perms, u32 ssid, u32 tsid, u16 tclass, |
619 | u32 seqno) | |
1da177e4 LT |
620 | { |
621 | int hvalue, rc = 0; | |
622 | unsigned long flag; | |
623 | struct avc_node *pos, *node, *orig = NULL; | |
26036651 EP |
624 | struct hlist_head *head; |
625 | struct hlist_node *next; | |
edf3d1ae | 626 | spinlock_t *lock; |
1da177e4 LT |
627 | |
628 | node = avc_alloc_node(); | |
629 | if (!node) { | |
630 | rc = -ENOMEM; | |
631 | goto out; | |
632 | } | |
633 | ||
634 | /* Lock the target slot */ | |
635 | hvalue = avc_hash(ssid, tsid, tclass); | |
1da177e4 | 636 | |
edf3d1ae EP |
637 | head = &avc_cache.slots[hvalue]; |
638 | lock = &avc_cache.slots_lock[hvalue]; | |
639 | ||
640 | spin_lock_irqsave(lock, flag); | |
641 | ||
26036651 | 642 | hlist_for_each_entry(pos, next, head, list) { |
95fff33b EP |
643 | if (ssid == pos->ae.ssid && |
644 | tsid == pos->ae.tsid && | |
a5dda683 EP |
645 | tclass == pos->ae.tclass && |
646 | seqno == pos->ae.avd.seqno){ | |
1da177e4 LT |
647 | orig = pos; |
648 | break; | |
649 | } | |
650 | } | |
651 | ||
652 | if (!orig) { | |
653 | rc = -ENOENT; | |
654 | avc_node_kill(node); | |
655 | goto out_unlock; | |
656 | } | |
657 | ||
658 | /* | |
659 | * Copy and replace original node. | |
660 | */ | |
661 | ||
21193dcd | 662 | avc_node_populate(node, ssid, tsid, tclass, &orig->ae.avd); |
1da177e4 LT |
663 | |
664 | switch (event) { | |
665 | case AVC_CALLBACK_GRANT: | |
666 | node->ae.avd.allowed |= perms; | |
667 | break; | |
668 | case AVC_CALLBACK_TRY_REVOKE: | |
669 | case AVC_CALLBACK_REVOKE: | |
670 | node->ae.avd.allowed &= ~perms; | |
671 | break; | |
672 | case AVC_CALLBACK_AUDITALLOW_ENABLE: | |
673 | node->ae.avd.auditallow |= perms; | |
674 | break; | |
675 | case AVC_CALLBACK_AUDITALLOW_DISABLE: | |
676 | node->ae.avd.auditallow &= ~perms; | |
677 | break; | |
678 | case AVC_CALLBACK_AUDITDENY_ENABLE: | |
679 | node->ae.avd.auditdeny |= perms; | |
680 | break; | |
681 | case AVC_CALLBACK_AUDITDENY_DISABLE: | |
682 | node->ae.avd.auditdeny &= ~perms; | |
683 | break; | |
684 | } | |
685 | avc_node_replace(node, orig); | |
686 | out_unlock: | |
edf3d1ae | 687 | spin_unlock_irqrestore(lock, flag); |
1da177e4 LT |
688 | out: |
689 | return rc; | |
690 | } | |
691 | ||
692 | /** | |
008574b1 | 693 | * avc_flush - Flush the cache |
1da177e4 | 694 | */ |
008574b1 | 695 | static void avc_flush(void) |
1da177e4 | 696 | { |
26036651 EP |
697 | struct hlist_head *head; |
698 | struct hlist_node *next; | |
008574b1 | 699 | struct avc_node *node; |
edf3d1ae | 700 | spinlock_t *lock; |
008574b1 EP |
701 | unsigned long flag; |
702 | int i; | |
1da177e4 LT |
703 | |
704 | for (i = 0; i < AVC_CACHE_SLOTS; i++) { | |
edf3d1ae EP |
705 | head = &avc_cache.slots[i]; |
706 | lock = &avc_cache.slots_lock[i]; | |
707 | ||
708 | spin_lock_irqsave(lock, flag); | |
61844250 PM |
709 | /* |
710 | * With preemptable RCU, the outer spinlock does not | |
711 | * prevent RCU grace periods from ending. | |
712 | */ | |
713 | rcu_read_lock(); | |
26036651 | 714 | hlist_for_each_entry(node, next, head, list) |
1da177e4 | 715 | avc_node_delete(node); |
61844250 | 716 | rcu_read_unlock(); |
edf3d1ae | 717 | spin_unlock_irqrestore(lock, flag); |
1da177e4 | 718 | } |
008574b1 EP |
719 | } |
720 | ||
721 | /** | |
722 | * avc_ss_reset - Flush the cache and revalidate migrated permissions. | |
723 | * @seqno: policy sequence number | |
724 | */ | |
725 | int avc_ss_reset(u32 seqno) | |
726 | { | |
727 | struct avc_callback_node *c; | |
728 | int rc = 0, tmprc; | |
729 | ||
730 | avc_flush(); | |
1da177e4 LT |
731 | |
732 | for (c = avc_callbacks; c; c = c->next) { | |
733 | if (c->events & AVC_CALLBACK_RESET) { | |
376bd9cb | 734 | tmprc = c->callback(AVC_CALLBACK_RESET, |
95fff33b | 735 | 0, 0, 0, 0, NULL); |
376bd9cb DG |
736 | /* save the first error encountered for the return |
737 | value and continue processing the callbacks */ | |
738 | if (!rc) | |
739 | rc = tmprc; | |
1da177e4 LT |
740 | } |
741 | } | |
742 | ||
743 | avc_latest_notif_update(seqno, 0); | |
1da177e4 LT |
744 | return rc; |
745 | } | |
746 | ||
a554bea8 LT |
747 | /* |
748 | * Slow-path helper function for avc_has_perm_noaudit, | |
749 | * when the avc_node lookup fails. We get called with | |
750 | * the RCU read lock held, and need to return with it | |
751 | * still held, but drop if for the security compute. | |
752 | * | |
753 | * Don't inline this, since it's the slow-path and just | |
754 | * results in a bigger stack frame. | |
755 | */ | |
756 | static noinline struct avc_node *avc_compute_av(u32 ssid, u32 tsid, | |
757 | u16 tclass, struct av_decision *avd) | |
758 | { | |
759 | rcu_read_unlock(); | |
760 | security_compute_av(ssid, tsid, tclass, avd); | |
761 | rcu_read_lock(); | |
762 | return avc_insert(ssid, tsid, tclass, avd); | |
763 | } | |
764 | ||
765 | static noinline int avc_denied(u32 ssid, u32 tsid, | |
766 | u16 tclass, u32 requested, | |
767 | unsigned flags, | |
768 | struct av_decision *avd) | |
769 | { | |
770 | if (flags & AVC_STRICT) | |
771 | return -EACCES; | |
772 | ||
773 | if (selinux_enforcing && !(avd->flags & AVD_FLAGS_PERMISSIVE)) | |
774 | return -EACCES; | |
775 | ||
776 | avc_update_node(AVC_CALLBACK_GRANT, requested, ssid, | |
777 | tsid, tclass, avd->seqno); | |
778 | return 0; | |
779 | } | |
780 | ||
781 | ||
1da177e4 LT |
782 | /** |
783 | * avc_has_perm_noaudit - Check permissions but perform no auditing. | |
784 | * @ssid: source security identifier | |
785 | * @tsid: target security identifier | |
786 | * @tclass: target security class | |
787 | * @requested: requested permissions, interpreted based on @tclass | |
2c3c05db | 788 | * @flags: AVC_STRICT or 0 |
1da177e4 LT |
789 | * @avd: access vector decisions |
790 | * | |
791 | * Check the AVC to determine whether the @requested permissions are granted | |
792 | * for the SID pair (@ssid, @tsid), interpreting the permissions | |
793 | * based on @tclass, and call the security server on a cache miss to obtain | |
794 | * a new decision and add it to the cache. Return a copy of the decisions | |
795 | * in @avd. Return %0 if all @requested permissions are granted, | |
796 | * -%EACCES if any permissions are denied, or another -errno upon | |
797 | * other errors. This function is typically called by avc_has_perm(), | |
798 | * but may also be called directly to separate permission checking from | |
799 | * auditing, e.g. in cases where a lock must be held for the check but | |
800 | * should be released for the auditing. | |
801 | */ | |
cdb0f9a1 | 802 | inline int avc_has_perm_noaudit(u32 ssid, u32 tsid, |
2c3c05db SS |
803 | u16 tclass, u32 requested, |
804 | unsigned flags, | |
f01e1af4 | 805 | struct av_decision *avd) |
1da177e4 LT |
806 | { |
807 | struct avc_node *node; | |
1da177e4 LT |
808 | int rc = 0; |
809 | u32 denied; | |
810 | ||
eda4f69c EP |
811 | BUG_ON(!requested); |
812 | ||
1da177e4 LT |
813 | rcu_read_lock(); |
814 | ||
f1c6381a | 815 | node = avc_lookup(ssid, tsid, tclass); |
257313b2 | 816 | if (unlikely(!node)) { |
a554bea8 | 817 | node = avc_compute_av(ssid, tsid, tclass, avd); |
21193dcd | 818 | } else { |
f01e1af4 | 819 | memcpy(avd, &node->ae.avd, sizeof(*avd)); |
21193dcd | 820 | avd = &node->ae.avd; |
1da177e4 LT |
821 | } |
822 | ||
21193dcd | 823 | denied = requested & ~(avd->allowed); |
a554bea8 LT |
824 | if (unlikely(denied)) |
825 | rc = avc_denied(ssid, tsid, tclass, requested, flags, avd); | |
1da177e4 LT |
826 | |
827 | rcu_read_unlock(); | |
1da177e4 LT |
828 | return rc; |
829 | } | |
830 | ||
831 | /** | |
832 | * avc_has_perm - Check permissions and perform any appropriate auditing. | |
833 | * @ssid: source security identifier | |
834 | * @tsid: target security identifier | |
835 | * @tclass: target security class | |
836 | * @requested: requested permissions, interpreted based on @tclass | |
837 | * @auditdata: auxiliary audit data | |
9ade0cf4 | 838 | * @flags: VFS walk flags |
1da177e4 LT |
839 | * |
840 | * Check the AVC to determine whether the @requested permissions are granted | |
841 | * for the SID pair (@ssid, @tsid), interpreting the permissions | |
842 | * based on @tclass, and call the security server on a cache miss to obtain | |
843 | * a new decision and add it to the cache. Audit the granting or denial of | |
844 | * permissions in accordance with the policy. Return %0 if all @requested | |
845 | * permissions are granted, -%EACCES if any permissions are denied, or | |
846 | * another -errno upon other errors. | |
847 | */ | |
9ade0cf4 EP |
848 | int avc_has_perm_flags(u32 ssid, u32 tsid, u16 tclass, |
849 | u32 requested, struct common_audit_data *auditdata, | |
850 | unsigned flags) | |
1da177e4 LT |
851 | { |
852 | struct av_decision avd; | |
9ade0cf4 | 853 | int rc, rc2; |
1da177e4 | 854 | |
2c3c05db | 855 | rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, &avd); |
9ade0cf4 EP |
856 | |
857 | rc2 = avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata, | |
858 | flags); | |
859 | if (rc2) | |
860 | return rc2; | |
1da177e4 LT |
861 | return rc; |
862 | } | |
788e7dd4 YN |
863 | |
864 | u32 avc_policy_seqno(void) | |
865 | { | |
866 | return avc_cache.latest_notif; | |
867 | } | |
89c86576 TL |
868 | |
869 | void avc_disable(void) | |
870 | { | |
5224ee08 EP |
871 | /* |
872 | * If you are looking at this because you have realized that we are | |
873 | * not destroying the avc_node_cachep it might be easy to fix, but | |
874 | * I don't know the memory barrier semantics well enough to know. It's | |
875 | * possible that some other task dereferenced security_ops when | |
876 | * it still pointed to selinux operations. If that is the case it's | |
877 | * possible that it is about to use the avc and is about to need the | |
878 | * avc_node_cachep. I know I could wrap the security.c security_ops call | |
879 | * in an rcu_lock, but seriously, it's not worth it. Instead I just flush | |
880 | * the cache and get that memory back. | |
881 | */ | |
882 | if (avc_node_cachep) { | |
883 | avc_flush(); | |
884 | /* kmem_cache_destroy(avc_node_cachep); */ | |
885 | } | |
89c86576 | 886 | } |