Commit | Line | Data |
---|---|---|
d2912cb1 | 1 | // SPDX-License-Identifier: GPL-2.0-only |
1da177e4 LT |
2 | /* |
3 | * Implementation of the kernel access vector cache (AVC). | |
4 | * | |
7efbb60b | 5 | * Authors: Stephen Smalley, <sds@tycho.nsa.gov> |
95fff33b | 6 | * James Morris <jmorris@redhat.com> |
1da177e4 LT |
7 | * |
8 | * Update: KaiGai, Kohei <kaigai@ak.jp.nec.com> | |
95fff33b | 9 | * Replaced the avc_lock spinlock by RCU. |
1da177e4 LT |
10 | * |
11 | * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> | |
1da177e4 LT |
12 | */ |
13 | #include <linux/types.h> | |
14 | #include <linux/stddef.h> | |
15 | #include <linux/kernel.h> | |
16 | #include <linux/slab.h> | |
17 | #include <linux/fs.h> | |
18 | #include <linux/dcache.h> | |
19 | #include <linux/init.h> | |
20 | #include <linux/skbuff.h> | |
21 | #include <linux/percpu.h> | |
fa1aa143 | 22 | #include <linux/list.h> |
1da177e4 LT |
23 | #include <net/sock.h> |
24 | #include <linux/un.h> | |
25 | #include <net/af_unix.h> | |
26 | #include <linux/ip.h> | |
27 | #include <linux/audit.h> | |
28 | #include <linux/ipv6.h> | |
29 | #include <net/ipv6.h> | |
30 | #include "avc.h" | |
31 | #include "avc_ss.h" | |
c6d3aaa4 | 32 | #include "classmap.h" |
5c458998 | 33 | |
1da177e4 LT |
34 | #define AVC_CACHE_SLOTS 512 |
35 | #define AVC_DEF_CACHE_THRESHOLD 512 | |
36 | #define AVC_CACHE_RECLAIM 16 | |
37 | ||
38 | #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS | |
044aea9b | 39 | #define avc_cache_stats_incr(field) this_cpu_inc(avc_cache_stats.field) |
1da177e4 LT |
40 | #else |
41 | #define avc_cache_stats_incr(field) do {} while (0) | |
42 | #endif | |
43 | ||
44 | struct avc_entry { | |
45 | u32 ssid; | |
46 | u32 tsid; | |
47 | u16 tclass; | |
48 | struct av_decision avd; | |
fa1aa143 | 49 | struct avc_xperms_node *xp_node; |
1da177e4 LT |
50 | }; |
51 | ||
52 | struct avc_node { | |
53 | struct avc_entry ae; | |
26036651 | 54 | struct hlist_node list; /* anchored in avc_cache->slots[i] */ |
95fff33b | 55 | struct rcu_head rhead; |
1da177e4 LT |
56 | }; |
57 | ||
fa1aa143 JVS |
58 | struct avc_xperms_decision_node { |
59 | struct extended_perms_decision xpd; | |
60 | struct list_head xpd_list; /* list of extended_perms_decision */ | |
61 | }; | |
62 | ||
63 | struct avc_xperms_node { | |
64 | struct extended_perms xp; | |
65 | struct list_head xpd_head; /* list head of extended_perms_decision */ | |
66 | }; | |
67 | ||
1da177e4 | 68 | struct avc_cache { |
26036651 | 69 | struct hlist_head slots[AVC_CACHE_SLOTS]; /* head for avc_node->list */ |
1da177e4 LT |
70 | spinlock_t slots_lock[AVC_CACHE_SLOTS]; /* lock for writes */ |
71 | atomic_t lru_hint; /* LRU hint for reclaim scan */ | |
72 | atomic_t active_nodes; | |
73 | u32 latest_notif; /* latest revocation notification */ | |
74 | }; | |
75 | ||
76 | struct avc_callback_node { | |
562c99f2 | 77 | int (*callback) (u32 event); |
1da177e4 | 78 | u32 events; |
1da177e4 LT |
79 | struct avc_callback_node *next; |
80 | }; | |
81 | ||
1da177e4 LT |
82 | #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS |
83 | DEFINE_PER_CPU(struct avc_cache_stats, avc_cache_stats) = { 0 }; | |
84 | #endif | |
85 | ||
6b6bc620 SS |
86 | struct selinux_avc { |
87 | unsigned int avc_cache_threshold; | |
88 | struct avc_cache avc_cache; | |
89 | }; | |
90 | ||
91 | static struct selinux_avc selinux_avc; | |
92 | ||
93 | void selinux_avc_init(struct selinux_avc **avc) | |
94 | { | |
95 | int i; | |
96 | ||
97 | selinux_avc.avc_cache_threshold = AVC_DEF_CACHE_THRESHOLD; | |
98 | for (i = 0; i < AVC_CACHE_SLOTS; i++) { | |
99 | INIT_HLIST_HEAD(&selinux_avc.avc_cache.slots[i]); | |
100 | spin_lock_init(&selinux_avc.avc_cache.slots_lock[i]); | |
101 | } | |
102 | atomic_set(&selinux_avc.avc_cache.active_nodes, 0); | |
103 | atomic_set(&selinux_avc.avc_cache.lru_hint, 0); | |
104 | *avc = &selinux_avc; | |
105 | } | |
106 | ||
107 | unsigned int avc_get_cache_threshold(struct selinux_avc *avc) | |
108 | { | |
109 | return avc->avc_cache_threshold; | |
110 | } | |
111 | ||
112 | void avc_set_cache_threshold(struct selinux_avc *avc, | |
113 | unsigned int cache_threshold) | |
114 | { | |
115 | avc->avc_cache_threshold = cache_threshold; | |
116 | } | |
117 | ||
1da177e4 | 118 | static struct avc_callback_node *avc_callbacks; |
e18b890b | 119 | static struct kmem_cache *avc_node_cachep; |
fa1aa143 JVS |
120 | static struct kmem_cache *avc_xperms_data_cachep; |
121 | static struct kmem_cache *avc_xperms_decision_cachep; | |
122 | static struct kmem_cache *avc_xperms_cachep; | |
1da177e4 LT |
123 | |
124 | static inline int avc_hash(u32 ssid, u32 tsid, u16 tclass) | |
125 | { | |
126 | return (ssid ^ (tsid<<2) ^ (tclass<<4)) & (AVC_CACHE_SLOTS - 1); | |
127 | } | |
128 | ||
1da177e4 LT |
129 | /** |
130 | * avc_init - Initialize the AVC. | |
131 | * | |
132 | * Initialize the access vector cache. | |
133 | */ | |
134 | void __init avc_init(void) | |
135 | { | |
1da177e4 | 136 | avc_node_cachep = kmem_cache_create("avc_node", sizeof(struct avc_node), |
fa1aa143 JVS |
137 | 0, SLAB_PANIC, NULL); |
138 | avc_xperms_cachep = kmem_cache_create("avc_xperms_node", | |
139 | sizeof(struct avc_xperms_node), | |
140 | 0, SLAB_PANIC, NULL); | |
141 | avc_xperms_decision_cachep = kmem_cache_create( | |
142 | "avc_xperms_decision_node", | |
143 | sizeof(struct avc_xperms_decision_node), | |
144 | 0, SLAB_PANIC, NULL); | |
145 | avc_xperms_data_cachep = kmem_cache_create("avc_xperms_data", | |
146 | sizeof(struct extended_perms_data), | |
147 | 0, SLAB_PANIC, NULL); | |
1da177e4 LT |
148 | } |
149 | ||
6b6bc620 | 150 | int avc_get_hash_stats(struct selinux_avc *avc, char *page) |
1da177e4 LT |
151 | { |
152 | int i, chain_len, max_chain_len, slots_used; | |
153 | struct avc_node *node; | |
26036651 | 154 | struct hlist_head *head; |
1da177e4 LT |
155 | |
156 | rcu_read_lock(); | |
157 | ||
158 | slots_used = 0; | |
159 | max_chain_len = 0; | |
160 | for (i = 0; i < AVC_CACHE_SLOTS; i++) { | |
6b6bc620 | 161 | head = &avc->avc_cache.slots[i]; |
26036651 | 162 | if (!hlist_empty(head)) { |
1da177e4 LT |
163 | slots_used++; |
164 | chain_len = 0; | |
b67bfe0d | 165 | hlist_for_each_entry_rcu(node, head, list) |
1da177e4 LT |
166 | chain_len++; |
167 | if (chain_len > max_chain_len) | |
168 | max_chain_len = chain_len; | |
169 | } | |
170 | } | |
171 | ||
172 | rcu_read_unlock(); | |
173 | ||
174 | return scnprintf(page, PAGE_SIZE, "entries: %d\nbuckets used: %d/%d\n" | |
175 | "longest chain: %d\n", | |
6b6bc620 | 176 | atomic_read(&avc->avc_cache.active_nodes), |
1da177e4 LT |
177 | slots_used, AVC_CACHE_SLOTS, max_chain_len); |
178 | } | |
179 | ||
fa1aa143 JVS |
180 | /* |
181 | * using a linked list for extended_perms_decision lookup because the list is | |
182 | * always small. i.e. less than 5, typically 1 | |
183 | */ | |
184 | static struct extended_perms_decision *avc_xperms_decision_lookup(u8 driver, | |
185 | struct avc_xperms_node *xp_node) | |
186 | { | |
187 | struct avc_xperms_decision_node *xpd_node; | |
188 | ||
189 | list_for_each_entry(xpd_node, &xp_node->xpd_head, xpd_list) { | |
190 | if (xpd_node->xpd.driver == driver) | |
191 | return &xpd_node->xpd; | |
192 | } | |
193 | return NULL; | |
194 | } | |
195 | ||
196 | static inline unsigned int | |
197 | avc_xperms_has_perm(struct extended_perms_decision *xpd, | |
198 | u8 perm, u8 which) | |
199 | { | |
200 | unsigned int rc = 0; | |
201 | ||
202 | if ((which == XPERMS_ALLOWED) && | |
203 | (xpd->used & XPERMS_ALLOWED)) | |
204 | rc = security_xperm_test(xpd->allowed->p, perm); | |
205 | else if ((which == XPERMS_AUDITALLOW) && | |
206 | (xpd->used & XPERMS_AUDITALLOW)) | |
207 | rc = security_xperm_test(xpd->auditallow->p, perm); | |
208 | else if ((which == XPERMS_DONTAUDIT) && | |
209 | (xpd->used & XPERMS_DONTAUDIT)) | |
210 | rc = security_xperm_test(xpd->dontaudit->p, perm); | |
211 | return rc; | |
212 | } | |
213 | ||
214 | static void avc_xperms_allow_perm(struct avc_xperms_node *xp_node, | |
215 | u8 driver, u8 perm) | |
216 | { | |
217 | struct extended_perms_decision *xpd; | |
218 | security_xperm_set(xp_node->xp.drivers.p, driver); | |
219 | xpd = avc_xperms_decision_lookup(driver, xp_node); | |
220 | if (xpd && xpd->allowed) | |
221 | security_xperm_set(xpd->allowed->p, perm); | |
222 | } | |
223 | ||
224 | static void avc_xperms_decision_free(struct avc_xperms_decision_node *xpd_node) | |
225 | { | |
226 | struct extended_perms_decision *xpd; | |
227 | ||
228 | xpd = &xpd_node->xpd; | |
229 | if (xpd->allowed) | |
230 | kmem_cache_free(avc_xperms_data_cachep, xpd->allowed); | |
231 | if (xpd->auditallow) | |
232 | kmem_cache_free(avc_xperms_data_cachep, xpd->auditallow); | |
233 | if (xpd->dontaudit) | |
234 | kmem_cache_free(avc_xperms_data_cachep, xpd->dontaudit); | |
235 | kmem_cache_free(avc_xperms_decision_cachep, xpd_node); | |
236 | } | |
237 | ||
238 | static void avc_xperms_free(struct avc_xperms_node *xp_node) | |
239 | { | |
240 | struct avc_xperms_decision_node *xpd_node, *tmp; | |
241 | ||
242 | if (!xp_node) | |
243 | return; | |
244 | ||
245 | list_for_each_entry_safe(xpd_node, tmp, &xp_node->xpd_head, xpd_list) { | |
246 | list_del(&xpd_node->xpd_list); | |
247 | avc_xperms_decision_free(xpd_node); | |
248 | } | |
249 | kmem_cache_free(avc_xperms_cachep, xp_node); | |
250 | } | |
251 | ||
252 | static void avc_copy_xperms_decision(struct extended_perms_decision *dest, | |
253 | struct extended_perms_decision *src) | |
254 | { | |
255 | dest->driver = src->driver; | |
256 | dest->used = src->used; | |
257 | if (dest->used & XPERMS_ALLOWED) | |
258 | memcpy(dest->allowed->p, src->allowed->p, | |
259 | sizeof(src->allowed->p)); | |
260 | if (dest->used & XPERMS_AUDITALLOW) | |
261 | memcpy(dest->auditallow->p, src->auditallow->p, | |
262 | sizeof(src->auditallow->p)); | |
263 | if (dest->used & XPERMS_DONTAUDIT) | |
264 | memcpy(dest->dontaudit->p, src->dontaudit->p, | |
265 | sizeof(src->dontaudit->p)); | |
266 | } | |
267 | ||
268 | /* | |
269 | * similar to avc_copy_xperms_decision, but only copy decision | |
270 | * information relevant to this perm | |
271 | */ | |
272 | static inline void avc_quick_copy_xperms_decision(u8 perm, | |
273 | struct extended_perms_decision *dest, | |
274 | struct extended_perms_decision *src) | |
275 | { | |
276 | /* | |
277 | * compute index of the u32 of the 256 bits (8 u32s) that contain this | |
278 | * command permission | |
279 | */ | |
280 | u8 i = perm >> 5; | |
281 | ||
282 | dest->used = src->used; | |
283 | if (dest->used & XPERMS_ALLOWED) | |
284 | dest->allowed->p[i] = src->allowed->p[i]; | |
285 | if (dest->used & XPERMS_AUDITALLOW) | |
286 | dest->auditallow->p[i] = src->auditallow->p[i]; | |
287 | if (dest->used & XPERMS_DONTAUDIT) | |
288 | dest->dontaudit->p[i] = src->dontaudit->p[i]; | |
289 | } | |
290 | ||
291 | static struct avc_xperms_decision_node | |
292 | *avc_xperms_decision_alloc(u8 which) | |
293 | { | |
294 | struct avc_xperms_decision_node *xpd_node; | |
295 | struct extended_perms_decision *xpd; | |
296 | ||
476accbe | 297 | xpd_node = kmem_cache_zalloc(avc_xperms_decision_cachep, GFP_NOWAIT); |
fa1aa143 JVS |
298 | if (!xpd_node) |
299 | return NULL; | |
300 | ||
301 | xpd = &xpd_node->xpd; | |
302 | if (which & XPERMS_ALLOWED) { | |
303 | xpd->allowed = kmem_cache_zalloc(avc_xperms_data_cachep, | |
476accbe | 304 | GFP_NOWAIT); |
fa1aa143 JVS |
305 | if (!xpd->allowed) |
306 | goto error; | |
307 | } | |
308 | if (which & XPERMS_AUDITALLOW) { | |
309 | xpd->auditallow = kmem_cache_zalloc(avc_xperms_data_cachep, | |
476accbe | 310 | GFP_NOWAIT); |
fa1aa143 JVS |
311 | if (!xpd->auditallow) |
312 | goto error; | |
313 | } | |
314 | if (which & XPERMS_DONTAUDIT) { | |
315 | xpd->dontaudit = kmem_cache_zalloc(avc_xperms_data_cachep, | |
476accbe | 316 | GFP_NOWAIT); |
fa1aa143 JVS |
317 | if (!xpd->dontaudit) |
318 | goto error; | |
319 | } | |
320 | return xpd_node; | |
321 | error: | |
322 | avc_xperms_decision_free(xpd_node); | |
323 | return NULL; | |
324 | } | |
325 | ||
326 | static int avc_add_xperms_decision(struct avc_node *node, | |
327 | struct extended_perms_decision *src) | |
328 | { | |
329 | struct avc_xperms_decision_node *dest_xpd; | |
330 | ||
331 | node->ae.xp_node->xp.len++; | |
332 | dest_xpd = avc_xperms_decision_alloc(src->used); | |
333 | if (!dest_xpd) | |
334 | return -ENOMEM; | |
335 | avc_copy_xperms_decision(&dest_xpd->xpd, src); | |
336 | list_add(&dest_xpd->xpd_list, &node->ae.xp_node->xpd_head); | |
337 | return 0; | |
338 | } | |
339 | ||
340 | static struct avc_xperms_node *avc_xperms_alloc(void) | |
341 | { | |
342 | struct avc_xperms_node *xp_node; | |
343 | ||
476accbe | 344 | xp_node = kmem_cache_zalloc(avc_xperms_cachep, GFP_NOWAIT); |
fa1aa143 JVS |
345 | if (!xp_node) |
346 | return xp_node; | |
347 | INIT_LIST_HEAD(&xp_node->xpd_head); | |
348 | return xp_node; | |
349 | } | |
350 | ||
351 | static int avc_xperms_populate(struct avc_node *node, | |
352 | struct avc_xperms_node *src) | |
353 | { | |
354 | struct avc_xperms_node *dest; | |
355 | struct avc_xperms_decision_node *dest_xpd; | |
356 | struct avc_xperms_decision_node *src_xpd; | |
357 | ||
358 | if (src->xp.len == 0) | |
359 | return 0; | |
360 | dest = avc_xperms_alloc(); | |
361 | if (!dest) | |
362 | return -ENOMEM; | |
363 | ||
364 | memcpy(dest->xp.drivers.p, src->xp.drivers.p, sizeof(dest->xp.drivers.p)); | |
365 | dest->xp.len = src->xp.len; | |
366 | ||
367 | /* for each source xpd allocate a destination xpd and copy */ | |
368 | list_for_each_entry(src_xpd, &src->xpd_head, xpd_list) { | |
369 | dest_xpd = avc_xperms_decision_alloc(src_xpd->xpd.used); | |
370 | if (!dest_xpd) | |
371 | goto error; | |
372 | avc_copy_xperms_decision(&dest_xpd->xpd, &src_xpd->xpd); | |
373 | list_add(&dest_xpd->xpd_list, &dest->xpd_head); | |
374 | } | |
375 | node->ae.xp_node = dest; | |
376 | return 0; | |
377 | error: | |
378 | avc_xperms_free(dest); | |
379 | return -ENOMEM; | |
380 | ||
381 | } | |
382 | ||
383 | static inline u32 avc_xperms_audit_required(u32 requested, | |
384 | struct av_decision *avd, | |
385 | struct extended_perms_decision *xpd, | |
386 | u8 perm, | |
387 | int result, | |
388 | u32 *deniedp) | |
389 | { | |
390 | u32 denied, audited; | |
391 | ||
392 | denied = requested & ~avd->allowed; | |
393 | if (unlikely(denied)) { | |
394 | audited = denied & avd->auditdeny; | |
395 | if (audited && xpd) { | |
396 | if (avc_xperms_has_perm(xpd, perm, XPERMS_DONTAUDIT)) | |
397 | audited &= ~requested; | |
398 | } | |
399 | } else if (result) { | |
400 | audited = denied = requested; | |
401 | } else { | |
402 | audited = requested & avd->auditallow; | |
403 | if (audited && xpd) { | |
404 | if (!avc_xperms_has_perm(xpd, perm, XPERMS_AUDITALLOW)) | |
405 | audited &= ~requested; | |
406 | } | |
407 | } | |
408 | ||
409 | *deniedp = denied; | |
410 | return audited; | |
411 | } | |
412 | ||
6b6bc620 SS |
413 | static inline int avc_xperms_audit(struct selinux_state *state, |
414 | u32 ssid, u32 tsid, u16 tclass, | |
415 | u32 requested, struct av_decision *avd, | |
416 | struct extended_perms_decision *xpd, | |
417 | u8 perm, int result, | |
418 | struct common_audit_data *ad) | |
fa1aa143 JVS |
419 | { |
420 | u32 audited, denied; | |
421 | ||
422 | audited = avc_xperms_audit_required( | |
423 | requested, avd, xpd, perm, result, &denied); | |
424 | if (likely(!audited)) | |
425 | return 0; | |
6b6bc620 | 426 | return slow_avc_audit(state, ssid, tsid, tclass, requested, |
fa1aa143 JVS |
427 | audited, denied, result, ad, 0); |
428 | } | |
429 | ||
1da177e4 LT |
430 | static void avc_node_free(struct rcu_head *rhead) |
431 | { | |
432 | struct avc_node *node = container_of(rhead, struct avc_node, rhead); | |
fa1aa143 | 433 | avc_xperms_free(node->ae.xp_node); |
1da177e4 LT |
434 | kmem_cache_free(avc_node_cachep, node); |
435 | avc_cache_stats_incr(frees); | |
436 | } | |
437 | ||
6b6bc620 | 438 | static void avc_node_delete(struct selinux_avc *avc, struct avc_node *node) |
1da177e4 | 439 | { |
26036651 | 440 | hlist_del_rcu(&node->list); |
1da177e4 | 441 | call_rcu(&node->rhead, avc_node_free); |
6b6bc620 | 442 | atomic_dec(&avc->avc_cache.active_nodes); |
1da177e4 LT |
443 | } |
444 | ||
6b6bc620 | 445 | static void avc_node_kill(struct selinux_avc *avc, struct avc_node *node) |
1da177e4 | 446 | { |
fa1aa143 | 447 | avc_xperms_free(node->ae.xp_node); |
1da177e4 LT |
448 | kmem_cache_free(avc_node_cachep, node); |
449 | avc_cache_stats_incr(frees); | |
6b6bc620 | 450 | atomic_dec(&avc->avc_cache.active_nodes); |
1da177e4 LT |
451 | } |
452 | ||
6b6bc620 SS |
453 | static void avc_node_replace(struct selinux_avc *avc, |
454 | struct avc_node *new, struct avc_node *old) | |
1da177e4 | 455 | { |
26036651 | 456 | hlist_replace_rcu(&old->list, &new->list); |
1da177e4 | 457 | call_rcu(&old->rhead, avc_node_free); |
6b6bc620 | 458 | atomic_dec(&avc->avc_cache.active_nodes); |
1da177e4 LT |
459 | } |
460 | ||
6b6bc620 | 461 | static inline int avc_reclaim_node(struct selinux_avc *avc) |
1da177e4 LT |
462 | { |
463 | struct avc_node *node; | |
464 | int hvalue, try, ecx; | |
465 | unsigned long flags; | |
26036651 | 466 | struct hlist_head *head; |
edf3d1ae | 467 | spinlock_t *lock; |
1da177e4 | 468 | |
95fff33b | 469 | for (try = 0, ecx = 0; try < AVC_CACHE_SLOTS; try++) { |
6b6bc620 SS |
470 | hvalue = atomic_inc_return(&avc->avc_cache.lru_hint) & |
471 | (AVC_CACHE_SLOTS - 1); | |
472 | head = &avc->avc_cache.slots[hvalue]; | |
473 | lock = &avc->avc_cache.slots_lock[hvalue]; | |
1da177e4 | 474 | |
edf3d1ae | 475 | if (!spin_trylock_irqsave(lock, flags)) |
1da177e4 LT |
476 | continue; |
477 | ||
61844250 | 478 | rcu_read_lock(); |
b67bfe0d | 479 | hlist_for_each_entry(node, head, list) { |
6b6bc620 | 480 | avc_node_delete(avc, node); |
906d27d9 EP |
481 | avc_cache_stats_incr(reclaims); |
482 | ecx++; | |
483 | if (ecx >= AVC_CACHE_RECLAIM) { | |
484 | rcu_read_unlock(); | |
edf3d1ae | 485 | spin_unlock_irqrestore(lock, flags); |
906d27d9 | 486 | goto out; |
1da177e4 LT |
487 | } |
488 | } | |
61844250 | 489 | rcu_read_unlock(); |
edf3d1ae | 490 | spin_unlock_irqrestore(lock, flags); |
1da177e4 LT |
491 | } |
492 | out: | |
493 | return ecx; | |
494 | } | |
495 | ||
6b6bc620 | 496 | static struct avc_node *avc_alloc_node(struct selinux_avc *avc) |
1da177e4 LT |
497 | { |
498 | struct avc_node *node; | |
499 | ||
476accbe | 500 | node = kmem_cache_zalloc(avc_node_cachep, GFP_NOWAIT); |
1da177e4 LT |
501 | if (!node) |
502 | goto out; | |
503 | ||
26036651 | 504 | INIT_HLIST_NODE(&node->list); |
1da177e4 LT |
505 | avc_cache_stats_incr(allocations); |
506 | ||
6b6bc620 SS |
507 | if (atomic_inc_return(&avc->avc_cache.active_nodes) > |
508 | avc->avc_cache_threshold) | |
509 | avc_reclaim_node(avc); | |
1da177e4 LT |
510 | |
511 | out: | |
512 | return node; | |
513 | } | |
514 | ||
21193dcd | 515 | static void avc_node_populate(struct avc_node *node, u32 ssid, u32 tsid, u16 tclass, struct av_decision *avd) |
1da177e4 LT |
516 | { |
517 | node->ae.ssid = ssid; | |
518 | node->ae.tsid = tsid; | |
519 | node->ae.tclass = tclass; | |
21193dcd | 520 | memcpy(&node->ae.avd, avd, sizeof(node->ae.avd)); |
1da177e4 LT |
521 | } |
522 | ||
6b6bc620 SS |
523 | static inline struct avc_node *avc_search_node(struct selinux_avc *avc, |
524 | u32 ssid, u32 tsid, u16 tclass) | |
1da177e4 LT |
525 | { |
526 | struct avc_node *node, *ret = NULL; | |
527 | int hvalue; | |
26036651 | 528 | struct hlist_head *head; |
1da177e4 LT |
529 | |
530 | hvalue = avc_hash(ssid, tsid, tclass); | |
6b6bc620 | 531 | head = &avc->avc_cache.slots[hvalue]; |
b67bfe0d | 532 | hlist_for_each_entry_rcu(node, head, list) { |
1da177e4 LT |
533 | if (ssid == node->ae.ssid && |
534 | tclass == node->ae.tclass && | |
535 | tsid == node->ae.tsid) { | |
536 | ret = node; | |
537 | break; | |
538 | } | |
539 | } | |
540 | ||
1da177e4 LT |
541 | return ret; |
542 | } | |
543 | ||
544 | /** | |
545 | * avc_lookup - Look up an AVC entry. | |
546 | * @ssid: source security identifier | |
547 | * @tsid: target security identifier | |
548 | * @tclass: target security class | |
1da177e4 LT |
549 | * |
550 | * Look up an AVC entry that is valid for the | |
1da177e4 LT |
551 | * (@ssid, @tsid), interpreting the permissions |
552 | * based on @tclass. If a valid AVC entry exists, | |
6382dc33 | 553 | * then this function returns the avc_node. |
1da177e4 LT |
554 | * Otherwise, this function returns NULL. |
555 | */ | |
6b6bc620 SS |
556 | static struct avc_node *avc_lookup(struct selinux_avc *avc, |
557 | u32 ssid, u32 tsid, u16 tclass) | |
1da177e4 LT |
558 | { |
559 | struct avc_node *node; | |
560 | ||
561 | avc_cache_stats_incr(lookups); | |
6b6bc620 | 562 | node = avc_search_node(avc, ssid, tsid, tclass); |
1da177e4 | 563 | |
f1c6381a | 564 | if (node) |
257313b2 | 565 | return node; |
1da177e4 | 566 | |
257313b2 LT |
567 | avc_cache_stats_incr(misses); |
568 | return NULL; | |
1da177e4 LT |
569 | } |
570 | ||
6b6bc620 SS |
571 | static int avc_latest_notif_update(struct selinux_avc *avc, |
572 | int seqno, int is_insert) | |
1da177e4 LT |
573 | { |
574 | int ret = 0; | |
575 | static DEFINE_SPINLOCK(notif_lock); | |
576 | unsigned long flag; | |
577 | ||
578 | spin_lock_irqsave(¬if_lock, flag); | |
579 | if (is_insert) { | |
6b6bc620 | 580 | if (seqno < avc->avc_cache.latest_notif) { |
07c81ac2 | 581 | pr_warn("SELinux: avc: seqno %d < latest_notif %d\n", |
6b6bc620 | 582 | seqno, avc->avc_cache.latest_notif); |
1da177e4 LT |
583 | ret = -EAGAIN; |
584 | } | |
585 | } else { | |
6b6bc620 SS |
586 | if (seqno > avc->avc_cache.latest_notif) |
587 | avc->avc_cache.latest_notif = seqno; | |
1da177e4 LT |
588 | } |
589 | spin_unlock_irqrestore(¬if_lock, flag); | |
590 | ||
591 | return ret; | |
592 | } | |
593 | ||
594 | /** | |
595 | * avc_insert - Insert an AVC entry. | |
596 | * @ssid: source security identifier | |
597 | * @tsid: target security identifier | |
598 | * @tclass: target security class | |
21193dcd | 599 | * @avd: resulting av decision |
fa1aa143 | 600 | * @xp_node: resulting extended permissions |
1da177e4 LT |
601 | * |
602 | * Insert an AVC entry for the SID pair | |
603 | * (@ssid, @tsid) and class @tclass. | |
604 | * The access vectors and the sequence number are | |
605 | * normally provided by the security server in | |
606 | * response to a security_compute_av() call. If the | |
21193dcd | 607 | * sequence number @avd->seqno is not less than the latest |
1da177e4 LT |
608 | * revocation notification, then the function copies |
609 | * the access vectors into a cache entry, returns | |
610 | * avc_node inserted. Otherwise, this function returns NULL. | |
611 | */ | |
6b6bc620 SS |
612 | static struct avc_node *avc_insert(struct selinux_avc *avc, |
613 | u32 ssid, u32 tsid, u16 tclass, | |
614 | struct av_decision *avd, | |
615 | struct avc_xperms_node *xp_node) | |
1da177e4 LT |
616 | { |
617 | struct avc_node *pos, *node = NULL; | |
618 | int hvalue; | |
619 | unsigned long flag; | |
620 | ||
6b6bc620 | 621 | if (avc_latest_notif_update(avc, avd->seqno, 1)) |
1da177e4 LT |
622 | goto out; |
623 | ||
6b6bc620 | 624 | node = avc_alloc_node(avc); |
1da177e4 | 625 | if (node) { |
26036651 | 626 | struct hlist_head *head; |
edf3d1ae | 627 | spinlock_t *lock; |
fa1aa143 | 628 | int rc = 0; |
edf3d1ae | 629 | |
1da177e4 | 630 | hvalue = avc_hash(ssid, tsid, tclass); |
21193dcd | 631 | avc_node_populate(node, ssid, tsid, tclass, avd); |
fa1aa143 JVS |
632 | rc = avc_xperms_populate(node, xp_node); |
633 | if (rc) { | |
634 | kmem_cache_free(avc_node_cachep, node); | |
635 | return NULL; | |
636 | } | |
6b6bc620 SS |
637 | head = &avc->avc_cache.slots[hvalue]; |
638 | lock = &avc->avc_cache.slots_lock[hvalue]; | |
edf3d1ae EP |
639 | |
640 | spin_lock_irqsave(lock, flag); | |
b67bfe0d | 641 | hlist_for_each_entry(pos, head, list) { |
1da177e4 LT |
642 | if (pos->ae.ssid == ssid && |
643 | pos->ae.tsid == tsid && | |
644 | pos->ae.tclass == tclass) { | |
6b6bc620 | 645 | avc_node_replace(avc, node, pos); |
1da177e4 LT |
646 | goto found; |
647 | } | |
648 | } | |
26036651 | 649 | hlist_add_head_rcu(&node->list, head); |
1da177e4 | 650 | found: |
edf3d1ae | 651 | spin_unlock_irqrestore(lock, flag); |
1da177e4 LT |
652 | } |
653 | out: | |
654 | return node; | |
655 | } | |
656 | ||
2bf49690 TL |
657 | /** |
658 | * avc_audit_pre_callback - SELinux specific information | |
659 | * will be called by generic audit code | |
660 | * @ab: the audit buffer | |
661 | * @a: audit_data | |
662 | */ | |
663 | static void avc_audit_pre_callback(struct audit_buffer *ab, void *a) | |
1da177e4 | 664 | { |
2bf49690 | 665 | struct common_audit_data *ad = a; |
a2c51383 OM |
666 | struct selinux_audit_data *sad = ad->selinux_audit_data; |
667 | u32 av = sad->audited; | |
668 | const char **perms; | |
669 | int i, perm; | |
670 | ||
671 | audit_log_format(ab, "avc: %s ", sad->denied ? "denied" : "granted"); | |
672 | ||
673 | if (av == 0) { | |
45189a19 | 674 | audit_log_format(ab, " null"); |
a2c51383 OM |
675 | return; |
676 | } | |
677 | ||
a2c51383 OM |
678 | perms = secclass_map[sad->tclass-1].perms; |
679 | ||
45189a19 | 680 | audit_log_format(ab, " {"); |
a2c51383 OM |
681 | i = 0; |
682 | perm = 1; | |
683 | while (i < (sizeof(av) * 8)) { | |
684 | if ((perm & av) && perms[i]) { | |
685 | audit_log_format(ab, " %s", perms[i]); | |
686 | av &= ~perm; | |
687 | } | |
688 | i++; | |
689 | perm <<= 1; | |
690 | } | |
691 | ||
692 | if (av) | |
693 | audit_log_format(ab, " 0x%x", av); | |
694 | ||
45189a19 | 695 | audit_log_format(ab, " } for "); |
1da177e4 LT |
696 | } |
697 | ||
2bf49690 TL |
698 | /** |
699 | * avc_audit_post_callback - SELinux specific information | |
700 | * will be called by generic audit code | |
701 | * @ab: the audit buffer | |
702 | * @a: audit_data | |
703 | */ | |
704 | static void avc_audit_post_callback(struct audit_buffer *ab, void *a) | |
1da177e4 | 705 | { |
2bf49690 | 706 | struct common_audit_data *ad = a; |
a2c51383 OM |
707 | struct selinux_audit_data *sad = ad->selinux_audit_data; |
708 | char *scontext; | |
709 | u32 scontext_len; | |
710 | int rc; | |
711 | ||
712 | rc = security_sid_to_context(sad->state, sad->ssid, &scontext, | |
713 | &scontext_len); | |
714 | if (rc) | |
715 | audit_log_format(ab, " ssid=%d", sad->ssid); | |
716 | else { | |
717 | audit_log_format(ab, " scontext=%s", scontext); | |
718 | kfree(scontext); | |
ca7786a2 | 719 | } |
a2c51383 OM |
720 | |
721 | rc = security_sid_to_context(sad->state, sad->tsid, &scontext, | |
722 | &scontext_len); | |
723 | if (rc) | |
724 | audit_log_format(ab, " tsid=%d", sad->tsid); | |
725 | else { | |
726 | audit_log_format(ab, " tcontext=%s", scontext); | |
727 | kfree(scontext); | |
728 | } | |
729 | ||
a2c51383 OM |
730 | audit_log_format(ab, " tclass=%s", secclass_map[sad->tclass-1].name); |
731 | ||
732 | if (sad->denied) | |
733 | audit_log_format(ab, " permissive=%u", sad->result ? 0 : 1); | |
fede1483 OM |
734 | |
735 | /* in case of invalid context report also the actual context string */ | |
736 | rc = security_sid_to_context_inval(sad->state, sad->ssid, &scontext, | |
737 | &scontext_len); | |
738 | if (!rc && scontext) { | |
aff7ed48 OM |
739 | if (scontext_len && scontext[scontext_len - 1] == '\0') |
740 | scontext_len--; | |
741 | audit_log_format(ab, " srawcon="); | |
742 | audit_log_n_untrustedstring(ab, scontext, scontext_len); | |
fede1483 OM |
743 | kfree(scontext); |
744 | } | |
745 | ||
746 | rc = security_sid_to_context_inval(sad->state, sad->tsid, &scontext, | |
747 | &scontext_len); | |
748 | if (!rc && scontext) { | |
aff7ed48 OM |
749 | if (scontext_len && scontext[scontext_len - 1] == '\0') |
750 | scontext_len--; | |
751 | audit_log_format(ab, " trawcon="); | |
752 | audit_log_n_untrustedstring(ab, scontext, scontext_len); | |
fede1483 OM |
753 | kfree(scontext); |
754 | } | |
1da177e4 LT |
755 | } |
756 | ||
48aab2f7 | 757 | /* This is the slow part of avc audit with big stack footprint */ |
6b6bc620 SS |
758 | noinline int slow_avc_audit(struct selinux_state *state, |
759 | u32 ssid, u32 tsid, u16 tclass, | |
760 | u32 requested, u32 audited, u32 denied, int result, | |
761 | struct common_audit_data *a, | |
762 | unsigned int flags) | |
48aab2f7 LT |
763 | { |
764 | struct common_audit_data stack_data; | |
899838b2 | 765 | struct selinux_audit_data sad; |
48aab2f7 | 766 | |
994fb065 OM |
767 | if (WARN_ON(!tclass || tclass >= ARRAY_SIZE(secclass_map))) |
768 | return -EINVAL; | |
769 | ||
48aab2f7 LT |
770 | if (!a) { |
771 | a = &stack_data; | |
50c205f5 | 772 | a->type = LSM_AUDIT_DATA_NONE; |
48aab2f7 LT |
773 | } |
774 | ||
775 | /* | |
776 | * When in a RCU walk do the audit on the RCU retry. This is because | |
777 | * the collection of the dname in an inode audit message is not RCU | |
778 | * safe. Note this may drop some audits when the situation changes | |
779 | * during retry. However this is logically just as if the operation | |
780 | * happened a little later. | |
781 | */ | |
782 | if ((a->type == LSM_AUDIT_DATA_INODE) && | |
783 | (flags & MAY_NOT_BLOCK)) | |
784 | return -ECHILD; | |
785 | ||
899838b2 EP |
786 | sad.tclass = tclass; |
787 | sad.requested = requested; | |
788 | sad.ssid = ssid; | |
789 | sad.tsid = tsid; | |
790 | sad.audited = audited; | |
791 | sad.denied = denied; | |
ca7786a2 | 792 | sad.result = result; |
6b6bc620 | 793 | sad.state = state; |
899838b2 EP |
794 | |
795 | a->selinux_audit_data = &sad; | |
3f0882c4 | 796 | |
b61c37f5 | 797 | common_lsm_audit(a, avc_audit_pre_callback, avc_audit_post_callback); |
48aab2f7 LT |
798 | return 0; |
799 | } | |
800 | ||
1da177e4 LT |
801 | /** |
802 | * avc_add_callback - Register a callback for security events. | |
803 | * @callback: callback function | |
804 | * @events: security events | |
1da177e4 | 805 | * |
562c99f2 WG |
806 | * Register a callback function for events in the set @events. |
807 | * Returns %0 on success or -%ENOMEM if insufficient memory | |
808 | * exists to add the callback. | |
1da177e4 | 809 | */ |
562c99f2 | 810 | int __init avc_add_callback(int (*callback)(u32 event), u32 events) |
1da177e4 LT |
811 | { |
812 | struct avc_callback_node *c; | |
813 | int rc = 0; | |
814 | ||
0b36e44c | 815 | c = kmalloc(sizeof(*c), GFP_KERNEL); |
1da177e4 LT |
816 | if (!c) { |
817 | rc = -ENOMEM; | |
818 | goto out; | |
819 | } | |
820 | ||
821 | c->callback = callback; | |
822 | c->events = events; | |
1da177e4 LT |
823 | c->next = avc_callbacks; |
824 | avc_callbacks = c; | |
825 | out: | |
826 | return rc; | |
827 | } | |
828 | ||
1da177e4 LT |
829 | /** |
830 | * avc_update_node Update an AVC entry | |
831 | * @event : Updating event | |
832 | * @perms : Permission mask bits | |
833 | * @ssid,@tsid,@tclass : identifier of an AVC entry | |
a5dda683 | 834 | * @seqno : sequence number when decision was made |
fa1aa143 | 835 | * @xpd: extended_perms_decision to be added to the node |
3a28cff3 | 836 | * @flags: the AVC_* flags, e.g. AVC_NONBLOCKING, AVC_EXTENDED_PERMS, or 0. |
1da177e4 LT |
837 | * |
838 | * if a valid AVC entry doesn't exist,this function returns -ENOENT. | |
839 | * if kmalloc() called internal returns NULL, this function returns -ENOMEM. | |
6382dc33 | 840 | * otherwise, this function updates the AVC entry. The original AVC-entry object |
1da177e4 LT |
841 | * will release later by RCU. |
842 | */ | |
6b6bc620 SS |
843 | static int avc_update_node(struct selinux_avc *avc, |
844 | u32 event, u32 perms, u8 driver, u8 xperm, u32 ssid, | |
845 | u32 tsid, u16 tclass, u32 seqno, | |
846 | struct extended_perms_decision *xpd, | |
847 | u32 flags) | |
1da177e4 LT |
848 | { |
849 | int hvalue, rc = 0; | |
850 | unsigned long flag; | |
851 | struct avc_node *pos, *node, *orig = NULL; | |
26036651 | 852 | struct hlist_head *head; |
edf3d1ae | 853 | spinlock_t *lock; |
1da177e4 | 854 | |
3a28cff3 SS |
855 | /* |
856 | * If we are in a non-blocking code path, e.g. VFS RCU walk, | |
857 | * then we must not add permissions to a cache entry | |
858 | * because we cannot safely audit the denial. Otherwise, | |
859 | * during the subsequent blocking retry (e.g. VFS ref walk), we | |
860 | * will find the permissions already granted in the cache entry | |
861 | * and won't audit anything at all, leading to silent denials in | |
862 | * permissive mode that only appear when in enforcing mode. | |
863 | * | |
864 | * See the corresponding handling in slow_avc_audit(), and the | |
e46e01ee SS |
865 | * logic in selinux_inode_permission for the MAY_NOT_BLOCK flag, |
866 | * which is transliterated into AVC_NONBLOCKING. | |
3a28cff3 SS |
867 | */ |
868 | if (flags & AVC_NONBLOCKING) | |
869 | return 0; | |
870 | ||
6b6bc620 | 871 | node = avc_alloc_node(avc); |
1da177e4 LT |
872 | if (!node) { |
873 | rc = -ENOMEM; | |
874 | goto out; | |
875 | } | |
876 | ||
877 | /* Lock the target slot */ | |
878 | hvalue = avc_hash(ssid, tsid, tclass); | |
1da177e4 | 879 | |
6b6bc620 SS |
880 | head = &avc->avc_cache.slots[hvalue]; |
881 | lock = &avc->avc_cache.slots_lock[hvalue]; | |
edf3d1ae EP |
882 | |
883 | spin_lock_irqsave(lock, flag); | |
884 | ||
b67bfe0d | 885 | hlist_for_each_entry(pos, head, list) { |
95fff33b EP |
886 | if (ssid == pos->ae.ssid && |
887 | tsid == pos->ae.tsid && | |
a5dda683 EP |
888 | tclass == pos->ae.tclass && |
889 | seqno == pos->ae.avd.seqno){ | |
1da177e4 LT |
890 | orig = pos; |
891 | break; | |
892 | } | |
893 | } | |
894 | ||
895 | if (!orig) { | |
896 | rc = -ENOENT; | |
6b6bc620 | 897 | avc_node_kill(avc, node); |
1da177e4 LT |
898 | goto out_unlock; |
899 | } | |
900 | ||
901 | /* | |
902 | * Copy and replace original node. | |
903 | */ | |
904 | ||
21193dcd | 905 | avc_node_populate(node, ssid, tsid, tclass, &orig->ae.avd); |
1da177e4 | 906 | |
fa1aa143 JVS |
907 | if (orig->ae.xp_node) { |
908 | rc = avc_xperms_populate(node, orig->ae.xp_node); | |
909 | if (rc) { | |
910 | kmem_cache_free(avc_node_cachep, node); | |
911 | goto out_unlock; | |
912 | } | |
913 | } | |
914 | ||
1da177e4 LT |
915 | switch (event) { |
916 | case AVC_CALLBACK_GRANT: | |
917 | node->ae.avd.allowed |= perms; | |
fa1aa143 JVS |
918 | if (node->ae.xp_node && (flags & AVC_EXTENDED_PERMS)) |
919 | avc_xperms_allow_perm(node->ae.xp_node, driver, xperm); | |
1da177e4 LT |
920 | break; |
921 | case AVC_CALLBACK_TRY_REVOKE: | |
922 | case AVC_CALLBACK_REVOKE: | |
923 | node->ae.avd.allowed &= ~perms; | |
924 | break; | |
925 | case AVC_CALLBACK_AUDITALLOW_ENABLE: | |
926 | node->ae.avd.auditallow |= perms; | |
927 | break; | |
928 | case AVC_CALLBACK_AUDITALLOW_DISABLE: | |
929 | node->ae.avd.auditallow &= ~perms; | |
930 | break; | |
931 | case AVC_CALLBACK_AUDITDENY_ENABLE: | |
932 | node->ae.avd.auditdeny |= perms; | |
933 | break; | |
934 | case AVC_CALLBACK_AUDITDENY_DISABLE: | |
935 | node->ae.avd.auditdeny &= ~perms; | |
936 | break; | |
fa1aa143 JVS |
937 | case AVC_CALLBACK_ADD_XPERMS: |
938 | avc_add_xperms_decision(node, xpd); | |
939 | break; | |
1da177e4 | 940 | } |
6b6bc620 | 941 | avc_node_replace(avc, node, orig); |
1da177e4 | 942 | out_unlock: |
edf3d1ae | 943 | spin_unlock_irqrestore(lock, flag); |
1da177e4 LT |
944 | out: |
945 | return rc; | |
946 | } | |
947 | ||
948 | /** | |
008574b1 | 949 | * avc_flush - Flush the cache |
1da177e4 | 950 | */ |
6b6bc620 | 951 | static void avc_flush(struct selinux_avc *avc) |
1da177e4 | 952 | { |
26036651 | 953 | struct hlist_head *head; |
008574b1 | 954 | struct avc_node *node; |
edf3d1ae | 955 | spinlock_t *lock; |
008574b1 EP |
956 | unsigned long flag; |
957 | int i; | |
1da177e4 LT |
958 | |
959 | for (i = 0; i < AVC_CACHE_SLOTS; i++) { | |
6b6bc620 SS |
960 | head = &avc->avc_cache.slots[i]; |
961 | lock = &avc->avc_cache.slots_lock[i]; | |
edf3d1ae EP |
962 | |
963 | spin_lock_irqsave(lock, flag); | |
61844250 PM |
964 | /* |
965 | * With preemptable RCU, the outer spinlock does not | |
966 | * prevent RCU grace periods from ending. | |
967 | */ | |
968 | rcu_read_lock(); | |
b67bfe0d | 969 | hlist_for_each_entry(node, head, list) |
6b6bc620 | 970 | avc_node_delete(avc, node); |
61844250 | 971 | rcu_read_unlock(); |
edf3d1ae | 972 | spin_unlock_irqrestore(lock, flag); |
1da177e4 | 973 | } |
008574b1 EP |
974 | } |
975 | ||
976 | /** | |
977 | * avc_ss_reset - Flush the cache and revalidate migrated permissions. | |
978 | * @seqno: policy sequence number | |
979 | */ | |
6b6bc620 | 980 | int avc_ss_reset(struct selinux_avc *avc, u32 seqno) |
008574b1 EP |
981 | { |
982 | struct avc_callback_node *c; | |
983 | int rc = 0, tmprc; | |
984 | ||
6b6bc620 | 985 | avc_flush(avc); |
1da177e4 LT |
986 | |
987 | for (c = avc_callbacks; c; c = c->next) { | |
988 | if (c->events & AVC_CALLBACK_RESET) { | |
562c99f2 | 989 | tmprc = c->callback(AVC_CALLBACK_RESET); |
376bd9cb DG |
990 | /* save the first error encountered for the return |
991 | value and continue processing the callbacks */ | |
992 | if (!rc) | |
993 | rc = tmprc; | |
1da177e4 LT |
994 | } |
995 | } | |
996 | ||
6b6bc620 | 997 | avc_latest_notif_update(avc, seqno, 0); |
1da177e4 LT |
998 | return rc; |
999 | } | |
1000 | ||
a554bea8 LT |
1001 | /* |
1002 | * Slow-path helper function for avc_has_perm_noaudit, | |
1003 | * when the avc_node lookup fails. We get called with | |
1004 | * the RCU read lock held, and need to return with it | |
1005 | * still held, but drop if for the security compute. | |
1006 | * | |
1007 | * Don't inline this, since it's the slow-path and just | |
1008 | * results in a bigger stack frame. | |
1009 | */ | |
6b6bc620 SS |
1010 | static noinline |
1011 | struct avc_node *avc_compute_av(struct selinux_state *state, | |
1012 | u32 ssid, u32 tsid, | |
1013 | u16 tclass, struct av_decision *avd, | |
1014 | struct avc_xperms_node *xp_node) | |
a554bea8 LT |
1015 | { |
1016 | rcu_read_unlock(); | |
fa1aa143 | 1017 | INIT_LIST_HEAD(&xp_node->xpd_head); |
6b6bc620 | 1018 | security_compute_av(state, ssid, tsid, tclass, avd, &xp_node->xp); |
a554bea8 | 1019 | rcu_read_lock(); |
6b6bc620 | 1020 | return avc_insert(state->avc, ssid, tsid, tclass, avd, xp_node); |
a554bea8 LT |
1021 | } |
1022 | ||
6b6bc620 SS |
1023 | static noinline int avc_denied(struct selinux_state *state, |
1024 | u32 ssid, u32 tsid, | |
1025 | u16 tclass, u32 requested, | |
1026 | u8 driver, u8 xperm, unsigned int flags, | |
1027 | struct av_decision *avd) | |
a554bea8 LT |
1028 | { |
1029 | if (flags & AVC_STRICT) | |
1030 | return -EACCES; | |
1031 | ||
6b6bc620 | 1032 | if (enforcing_enabled(state) && |
aa8e712c | 1033 | !(avd->flags & AVD_FLAGS_PERMISSIVE)) |
a554bea8 LT |
1034 | return -EACCES; |
1035 | ||
6b6bc620 SS |
1036 | avc_update_node(state->avc, AVC_CALLBACK_GRANT, requested, driver, |
1037 | xperm, ssid, tsid, tclass, avd->seqno, NULL, flags); | |
a554bea8 LT |
1038 | return 0; |
1039 | } | |
1040 | ||
fa1aa143 JVS |
1041 | /* |
1042 | * The avc extended permissions logic adds an additional 256 bits of | |
1043 | * permissions to an avc node when extended permissions for that node are | |
1044 | * specified in the avtab. If the additional 256 permissions is not adequate, | |
1045 | * as-is the case with ioctls, then multiple may be chained together and the | |
1046 | * driver field is used to specify which set contains the permission. | |
1047 | */ | |
6b6bc620 SS |
1048 | int avc_has_extended_perms(struct selinux_state *state, |
1049 | u32 ssid, u32 tsid, u16 tclass, u32 requested, | |
1050 | u8 driver, u8 xperm, struct common_audit_data *ad) | |
fa1aa143 JVS |
1051 | { |
1052 | struct avc_node *node; | |
1053 | struct av_decision avd; | |
1054 | u32 denied; | |
1055 | struct extended_perms_decision local_xpd; | |
1056 | struct extended_perms_decision *xpd = NULL; | |
1057 | struct extended_perms_data allowed; | |
1058 | struct extended_perms_data auditallow; | |
1059 | struct extended_perms_data dontaudit; | |
1060 | struct avc_xperms_node local_xp_node; | |
1061 | struct avc_xperms_node *xp_node; | |
1062 | int rc = 0, rc2; | |
1063 | ||
1064 | xp_node = &local_xp_node; | |
e6f2f381 OM |
1065 | if (WARN_ON(!requested)) |
1066 | return -EACCES; | |
fa1aa143 JVS |
1067 | |
1068 | rcu_read_lock(); | |
1069 | ||
6b6bc620 | 1070 | node = avc_lookup(state->avc, ssid, tsid, tclass); |
fa1aa143 | 1071 | if (unlikely(!node)) { |
6b6bc620 | 1072 | node = avc_compute_av(state, ssid, tsid, tclass, &avd, xp_node); |
fa1aa143 JVS |
1073 | } else { |
1074 | memcpy(&avd, &node->ae.avd, sizeof(avd)); | |
1075 | xp_node = node->ae.xp_node; | |
1076 | } | |
1077 | /* if extended permissions are not defined, only consider av_decision */ | |
1078 | if (!xp_node || !xp_node->xp.len) | |
1079 | goto decision; | |
1080 | ||
1081 | local_xpd.allowed = &allowed; | |
1082 | local_xpd.auditallow = &auditallow; | |
1083 | local_xpd.dontaudit = &dontaudit; | |
1084 | ||
1085 | xpd = avc_xperms_decision_lookup(driver, xp_node); | |
1086 | if (unlikely(!xpd)) { | |
1087 | /* | |
1088 | * Compute the extended_perms_decision only if the driver | |
1089 | * is flagged | |
1090 | */ | |
1091 | if (!security_xperm_test(xp_node->xp.drivers.p, driver)) { | |
1092 | avd.allowed &= ~requested; | |
1093 | goto decision; | |
1094 | } | |
1095 | rcu_read_unlock(); | |
6b6bc620 SS |
1096 | security_compute_xperms_decision(state, ssid, tsid, tclass, |
1097 | driver, &local_xpd); | |
fa1aa143 | 1098 | rcu_read_lock(); |
6b6bc620 SS |
1099 | avc_update_node(state->avc, AVC_CALLBACK_ADD_XPERMS, requested, |
1100 | driver, xperm, ssid, tsid, tclass, avd.seqno, | |
1101 | &local_xpd, 0); | |
fa1aa143 JVS |
1102 | } else { |
1103 | avc_quick_copy_xperms_decision(xperm, &local_xpd, xpd); | |
1104 | } | |
1105 | xpd = &local_xpd; | |
1106 | ||
1107 | if (!avc_xperms_has_perm(xpd, xperm, XPERMS_ALLOWED)) | |
1108 | avd.allowed &= ~requested; | |
1109 | ||
1110 | decision: | |
1111 | denied = requested & ~(avd.allowed); | |
1112 | if (unlikely(denied)) | |
6b6bc620 SS |
1113 | rc = avc_denied(state, ssid, tsid, tclass, requested, |
1114 | driver, xperm, AVC_EXTENDED_PERMS, &avd); | |
fa1aa143 JVS |
1115 | |
1116 | rcu_read_unlock(); | |
1117 | ||
6b6bc620 | 1118 | rc2 = avc_xperms_audit(state, ssid, tsid, tclass, requested, |
fa1aa143 JVS |
1119 | &avd, xpd, xperm, rc, ad); |
1120 | if (rc2) | |
1121 | return rc2; | |
1122 | return rc; | |
1123 | } | |
a554bea8 | 1124 | |
1da177e4 LT |
1125 | /** |
1126 | * avc_has_perm_noaudit - Check permissions but perform no auditing. | |
1127 | * @ssid: source security identifier | |
1128 | * @tsid: target security identifier | |
1129 | * @tclass: target security class | |
1130 | * @requested: requested permissions, interpreted based on @tclass | |
3a28cff3 | 1131 | * @flags: AVC_STRICT, AVC_NONBLOCKING, or 0 |
1da177e4 LT |
1132 | * @avd: access vector decisions |
1133 | * | |
1134 | * Check the AVC to determine whether the @requested permissions are granted | |
1135 | * for the SID pair (@ssid, @tsid), interpreting the permissions | |
1136 | * based on @tclass, and call the security server on a cache miss to obtain | |
1137 | * a new decision and add it to the cache. Return a copy of the decisions | |
1138 | * in @avd. Return %0 if all @requested permissions are granted, | |
1139 | * -%EACCES if any permissions are denied, or another -errno upon | |
1140 | * other errors. This function is typically called by avc_has_perm(), | |
1141 | * but may also be called directly to separate permission checking from | |
1142 | * auditing, e.g. in cases where a lock must be held for the check but | |
1143 | * should be released for the auditing. | |
1144 | */ | |
6b6bc620 SS |
1145 | inline int avc_has_perm_noaudit(struct selinux_state *state, |
1146 | u32 ssid, u32 tsid, | |
1147 | u16 tclass, u32 requested, | |
1148 | unsigned int flags, | |
1149 | struct av_decision *avd) | |
1da177e4 LT |
1150 | { |
1151 | struct avc_node *node; | |
fa1aa143 | 1152 | struct avc_xperms_node xp_node; |
1da177e4 LT |
1153 | int rc = 0; |
1154 | u32 denied; | |
1155 | ||
e6f2f381 OM |
1156 | if (WARN_ON(!requested)) |
1157 | return -EACCES; | |
eda4f69c | 1158 | |
1da177e4 LT |
1159 | rcu_read_lock(); |
1160 | ||
6b6bc620 | 1161 | node = avc_lookup(state->avc, ssid, tsid, tclass); |
83d4a806 | 1162 | if (unlikely(!node)) |
6b6bc620 | 1163 | node = avc_compute_av(state, ssid, tsid, tclass, avd, &xp_node); |
83d4a806 | 1164 | else |
f01e1af4 | 1165 | memcpy(avd, &node->ae.avd, sizeof(*avd)); |
1da177e4 | 1166 | |
21193dcd | 1167 | denied = requested & ~(avd->allowed); |
a554bea8 | 1168 | if (unlikely(denied)) |
6b6bc620 SS |
1169 | rc = avc_denied(state, ssid, tsid, tclass, requested, 0, 0, |
1170 | flags, avd); | |
1da177e4 LT |
1171 | |
1172 | rcu_read_unlock(); | |
1da177e4 LT |
1173 | return rc; |
1174 | } | |
1175 | ||
1176 | /** | |
1177 | * avc_has_perm - Check permissions and perform any appropriate auditing. | |
1178 | * @ssid: source security identifier | |
1179 | * @tsid: target security identifier | |
1180 | * @tclass: target security class | |
1181 | * @requested: requested permissions, interpreted based on @tclass | |
1182 | * @auditdata: auxiliary audit data | |
1183 | * | |
1184 | * Check the AVC to determine whether the @requested permissions are granted | |
1185 | * for the SID pair (@ssid, @tsid), interpreting the permissions | |
1186 | * based on @tclass, and call the security server on a cache miss to obtain | |
1187 | * a new decision and add it to the cache. Audit the granting or denial of | |
1188 | * permissions in accordance with the policy. Return %0 if all @requested | |
1189 | * permissions are granted, -%EACCES if any permissions are denied, or | |
1190 | * another -errno upon other errors. | |
1191 | */ | |
6b6bc620 | 1192 | int avc_has_perm(struct selinux_state *state, u32 ssid, u32 tsid, u16 tclass, |
cb4fbe57 | 1193 | u32 requested, struct common_audit_data *auditdata) |
1da177e4 LT |
1194 | { |
1195 | struct av_decision avd; | |
9ade0cf4 | 1196 | int rc, rc2; |
1da177e4 | 1197 | |
6b6bc620 SS |
1198 | rc = avc_has_perm_noaudit(state, ssid, tsid, tclass, requested, 0, |
1199 | &avd); | |
9ade0cf4 | 1200 | |
6b6bc620 SS |
1201 | rc2 = avc_audit(state, ssid, tsid, tclass, requested, &avd, rc, |
1202 | auditdata, 0); | |
7b20ea25 N |
1203 | if (rc2) |
1204 | return rc2; | |
1205 | return rc; | |
1206 | } | |
1207 | ||
6b6bc620 | 1208 | u32 avc_policy_seqno(struct selinux_state *state) |
788e7dd4 | 1209 | { |
6b6bc620 | 1210 | return state->avc->avc_cache.latest_notif; |
788e7dd4 | 1211 | } |
89c86576 TL |
1212 | |
1213 | void avc_disable(void) | |
1214 | { | |
5224ee08 EP |
1215 | /* |
1216 | * If you are looking at this because you have realized that we are | |
1217 | * not destroying the avc_node_cachep it might be easy to fix, but | |
1218 | * I don't know the memory barrier semantics well enough to know. It's | |
1219 | * possible that some other task dereferenced security_ops when | |
1220 | * it still pointed to selinux operations. If that is the case it's | |
1221 | * possible that it is about to use the avc and is about to need the | |
1222 | * avc_node_cachep. I know I could wrap the security.c security_ops call | |
1223 | * in an rcu_lock, but seriously, it's not worth it. Instead I just flush | |
1224 | * the cache and get that memory back. | |
1225 | */ | |
1226 | if (avc_node_cachep) { | |
6b6bc620 | 1227 | avc_flush(selinux_state.avc); |
5224ee08 EP |
1228 | /* kmem_cache_destroy(avc_node_cachep); */ |
1229 | } | |
89c86576 | 1230 | } |