1 /* SPDX-License-Identifier: GPL-2.0-only */
2 /* Authors: Karl MacMillan <kmacmillan@tresys.com>
3 * Frank Mayer <mayerf@tresys.com>
4 * Copyright (C) 2003 - 2004 Tresys Technology, LLC
7 #include <linux/kernel.h>
8 #include <linux/errno.h>
9 #include <linux/string.h>
10 #include <linux/spinlock.h>
11 #include <linux/slab.h>
14 #include "conditional.h"
18 * cond_evaluate_expr evaluates a conditional expr
19 * in reverse polish notation. It returns true (1), false (0),
20 * or undefined (-1). Undefined occurs when the expression
21 * exceeds the stack depth of COND_EXPR_MAXDEPTH.
23 static int cond_evaluate_expr(struct policydb *p, struct cond_expr *expr)
26 int s[COND_EXPR_MAXDEPTH];
32 for (i = 0; i < expr->len; i++) {
33 struct cond_expr_node *node = &expr->nodes[i];
35 switch (node->expr_type) {
37 if (sp == (COND_EXPR_MAXDEPTH - 1))
40 s[sp] = p->bool_val_to_struct[node->boolean - 1]->state;
69 s[sp] = (s[sp] == s[sp + 1]);
75 s[sp] = (s[sp] != s[sp + 1]);
85 * evaluate_cond_node evaluates the conditional stored in
86 * a struct cond_node and if the result is different than the
87 * current state of the node it sets the rules in the true/false
88 * list appropriately. If the result of the expression is undefined
89 * all of the rules are disabled for safety.
91 static void evaluate_cond_node(struct policydb *p, struct cond_node *node)
93 struct avtab_node *avnode;
97 new_state = cond_evaluate_expr(p, &node->expr);
98 if (new_state != node->cur_state) {
99 node->cur_state = new_state;
101 pr_err("SELinux: expression result was undefined - disabling all rules.\n");
102 /* turn the rules on or off */
103 for (i = 0; i < node->true_list.len; i++) {
104 avnode = node->true_list.nodes[i];
106 avnode->key.specified &= ~AVTAB_ENABLED;
108 avnode->key.specified |= AVTAB_ENABLED;
111 for (i = 0; i < node->false_list.len; i++) {
112 avnode = node->false_list.nodes[i];
115 avnode->key.specified &= ~AVTAB_ENABLED;
117 avnode->key.specified |= AVTAB_ENABLED;
122 void evaluate_cond_nodes(struct policydb *p)
126 for (i = 0; i < p->cond_list_len; i++)
127 evaluate_cond_node(p, &p->cond_list[i]);
130 void cond_policydb_init(struct policydb *p)
132 p->bool_val_to_struct = NULL;
134 p->cond_list_len = 0;
136 avtab_init(&p->te_cond_avtab);
139 static void cond_node_destroy(struct cond_node *node)
141 kfree(node->expr.nodes);
142 /* the avtab_ptr_t nodes are destroyed by the avtab */
143 kfree(node->true_list.nodes);
144 kfree(node->false_list.nodes);
147 static void cond_list_destroy(struct policydb *p)
151 for (i = 0; i < p->cond_list_len; i++)
152 cond_node_destroy(&p->cond_list[i]);
155 p->cond_list_len = 0;
158 void cond_policydb_destroy(struct policydb *p)
160 kfree(p->bool_val_to_struct);
161 avtab_destroy(&p->te_cond_avtab);
162 cond_list_destroy(p);
165 int cond_init_bool_indexes(struct policydb *p)
167 kfree(p->bool_val_to_struct);
168 p->bool_val_to_struct = kmalloc_array(
169 p->p_bools.nprim, sizeof(*p->bool_val_to_struct), GFP_KERNEL);
170 if (!p->bool_val_to_struct)
173 avtab_hash_eval(&p->te_cond_avtab, "conditional_rules");
178 int cond_destroy_bool(void *key, void *datum, void *p)
185 int cond_index_bool(void *key, void *datum, void *datap)
188 struct cond_bool_datum *booldatum;
193 if (!booldatum->value || booldatum->value > p->p_bools.nprim)
196 p->sym_val_to_name[SYM_BOOLS][booldatum->value - 1] = key;
197 p->bool_val_to_struct[booldatum->value - 1] = booldatum;
202 static int bool_isvalid(struct cond_bool_datum *b)
204 if (!(b->state == 0 || b->state == 1))
209 int cond_read_bool(struct policydb *p, struct symtab *s, struct policy_file *fp)
212 struct cond_bool_datum *booldatum;
217 booldatum = kzalloc(sizeof(*booldatum), GFP_KERNEL);
221 rc = next_entry(buf, fp, sizeof(buf));
225 booldatum->value = le32_to_cpu(buf[0]);
226 booldatum->state = le32_to_cpu(buf[1]);
229 if (!bool_isvalid(booldatum))
232 len = le32_to_cpu(buf[2]);
234 rc = str_read(&key, GFP_KERNEL, fp, len);
238 rc = symtab_insert(s, key, booldatum);
244 cond_destroy_bool(key, booldatum, NULL);
248 struct cond_insertf_data {
250 struct avtab_node **dst;
251 struct cond_av_list *other;
254 static int cond_insertf(struct avtab *a, const struct avtab_key *k,
255 const struct avtab_datum *d, void *ptr)
257 struct cond_insertf_data *data = ptr;
258 struct policydb *p = data->p;
259 struct cond_av_list *other = data->other;
260 struct avtab_node *node_ptr;
265 * For type rules we have to make certain there aren't any
266 * conflicting rules by searching the te_avtab and the
269 if (k->specified & AVTAB_TYPE) {
270 if (avtab_search_node(&p->te_avtab, k)) {
271 pr_err("SELinux: type rule already exists outside of a conditional.\n");
275 * If we are reading the false list other will be a pointer to
276 * the true list. We can have duplicate entries if there is only
277 * 1 other entry and it is in our true list.
279 * If we are reading the true list (other == NULL) there shouldn't
280 * be any other entries.
283 node_ptr = avtab_search_node(&p->te_cond_avtab, k);
285 if (avtab_search_node_next(node_ptr,
287 pr_err("SELinux: too many conflicting type rules.\n");
291 for (i = 0; i < other->len; i++) {
292 if (other->nodes[i] == node_ptr) {
298 pr_err("SELinux: conflicting type rules.\n");
303 if (avtab_search_node(&p->te_cond_avtab, k)) {
304 pr_err("SELinux: conflicting type rules when adding type rule for true.\n");
310 node_ptr = avtab_insert_nonunique(&p->te_cond_avtab, k, d);
312 pr_err("SELinux: could not insert rule.\n");
316 *data->dst = node_ptr;
320 static int cond_read_av_list(struct policydb *p, struct policy_file *fp,
321 struct cond_av_list *list,
322 struct cond_av_list *other)
327 struct cond_insertf_data data;
329 rc = next_entry(buf, fp, sizeof(u32));
333 len = le32_to_cpu(buf[0]);
337 list->nodes = kcalloc(len, sizeof(*list->nodes), GFP_KERNEL);
343 for (i = 0; i < len; i++) {
344 data.dst = &list->nodes[i];
345 rc = avtab_read_item(&p->te_cond_avtab, fp, p, cond_insertf,
358 static int expr_node_isvalid(struct policydb *p, struct cond_expr_node *expr)
360 if (expr->expr_type <= 0 || expr->expr_type > COND_LAST) {
361 pr_err("SELinux: conditional expressions uses unknown operator.\n");
365 if (expr->boolean > p->p_bools.nprim) {
366 pr_err("SELinux: conditional expressions uses unknown bool.\n");
372 static int cond_read_node(struct policydb *p, struct cond_node *node, struct policy_file *fp)
378 rc = next_entry(buf, fp, sizeof(u32) * 2);
382 node->cur_state = le32_to_cpu(buf[0]);
385 len = le32_to_cpu(buf[1]);
386 node->expr.nodes = kcalloc(len, sizeof(*node->expr.nodes), GFP_KERNEL);
387 if (!node->expr.nodes)
390 node->expr.len = len;
392 for (i = 0; i < len; i++) {
393 struct cond_expr_node *expr = &node->expr.nodes[i];
395 rc = next_entry(buf, fp, sizeof(u32) * 2);
399 expr->expr_type = le32_to_cpu(buf[0]);
400 expr->boolean = le32_to_cpu(buf[1]);
402 if (!expr_node_isvalid(p, expr))
406 rc = cond_read_av_list(p, fp, &node->true_list, NULL);
409 return cond_read_av_list(p, fp, &node->false_list, &node->true_list);
412 int cond_read_list(struct policydb *p, struct policy_file *fp)
418 rc = next_entry(buf, fp, sizeof(buf));
422 len = le32_to_cpu(buf[0]);
424 p->cond_list = kcalloc(len, sizeof(*p->cond_list), GFP_KERNEL);
428 rc = avtab_alloc(&(p->te_cond_avtab), p->te_avtab.nel);
432 p->cond_list_len = len;
434 for (i = 0; i < len; i++) {
435 rc = cond_read_node(p, &p->cond_list[i], fp);
441 cond_list_destroy(p);
445 int cond_write_bool(void *vkey, void *datum, void *ptr)
448 struct cond_bool_datum *booldatum = datum;
449 struct policy_data *pd = ptr;
450 struct policy_file *fp = pd->fp;
456 buf[0] = cpu_to_le32(booldatum->value);
457 buf[1] = cpu_to_le32(booldatum->state);
458 buf[2] = cpu_to_le32(len);
459 rc = put_entry(buf, sizeof(u32), 3, fp);
462 rc = put_entry(key, 1, len, fp);
469 * cond_write_cond_av_list doesn't write out the av_list nodes.
470 * Instead it writes out the key/value pairs from the avtab. This
471 * is necessary because there is no way to uniquely identifying rules
472 * in the avtab so it is not possible to associate individual rules
473 * in the avtab with a conditional without saving them as part of
474 * the conditional. This means that the avtab with the conditional
475 * rules will not be saved but will be rebuilt on policy load.
477 static int cond_write_av_list(struct policydb *p, struct cond_av_list *list,
478 struct policy_file *fp)
484 buf[0] = cpu_to_le32(list->len);
485 rc = put_entry(buf, sizeof(u32), 1, fp);
489 for (i = 0; i < list->len; i++) {
490 rc = avtab_write_item(p, list->nodes[i], fp);
498 static int cond_write_node(struct policydb *p, struct cond_node *node,
499 struct policy_file *fp)
505 buf[0] = cpu_to_le32(node->cur_state);
506 rc = put_entry(buf, sizeof(u32), 1, fp);
510 buf[0] = cpu_to_le32(node->expr.len);
511 rc = put_entry(buf, sizeof(u32), 1, fp);
515 for (i = 0; i < node->expr.len; i++) {
516 buf[0] = cpu_to_le32(node->expr.nodes[i].expr_type);
517 buf[1] = cpu_to_le32(node->expr.nodes[i].boolean);
518 rc = put_entry(buf, sizeof(u32), 2, fp);
523 rc = cond_write_av_list(p, &node->true_list, fp);
526 rc = cond_write_av_list(p, &node->false_list, fp);
533 int cond_write_list(struct policydb *p, struct policy_file *fp)
539 buf[0] = cpu_to_le32(p->cond_list_len);
540 rc = put_entry(buf, sizeof(u32), 1, fp);
544 for (i = 0; i < p->cond_list_len; i++) {
545 rc = cond_write_node(p, &p->cond_list[i], fp);
553 void cond_compute_xperms(struct avtab *ctab, struct avtab_key *key,
554 struct extended_perms_decision *xpermd)
556 struct avtab_node *node;
558 if (!ctab || !key || !xpermd)
561 for (node = avtab_search_node(ctab, key); node;
562 node = avtab_search_node_next(node, key->specified)) {
563 if (node->key.specified & AVTAB_ENABLED)
564 services_compute_xperms_decision(xpermd, node);
567 /* Determine whether additional permissions are granted by the conditional
568 * av table, and if so, add them to the result
570 void cond_compute_av(struct avtab *ctab, struct avtab_key *key,
571 struct av_decision *avd, struct extended_perms *xperms)
573 struct avtab_node *node;
575 if (!ctab || !key || !avd)
578 for (node = avtab_search_node(ctab, key); node;
579 node = avtab_search_node_next(node, key->specified)) {
580 if ((u16)(AVTAB_ALLOWED | AVTAB_ENABLED) ==
581 (node->key.specified & (AVTAB_ALLOWED | AVTAB_ENABLED)))
582 avd->allowed |= node->datum.u.data;
583 if ((u16)(AVTAB_AUDITDENY | AVTAB_ENABLED) ==
584 (node->key.specified & (AVTAB_AUDITDENY | AVTAB_ENABLED)))
585 /* Since a '0' in an auditdeny mask represents a
586 * permission we do NOT want to audit (dontaudit), we use
587 * the '&' operand to ensure that all '0's in the mask
588 * are retained (much unlike the allow and auditallow cases).
590 avd->auditdeny &= node->datum.u.data;
591 if ((u16)(AVTAB_AUDITALLOW | AVTAB_ENABLED) ==
592 (node->key.specified & (AVTAB_AUDITALLOW | AVTAB_ENABLED)))
593 avd->auditallow |= node->datum.u.data;
594 if (xperms && (node->key.specified & AVTAB_ENABLED) &&
595 (node->key.specified & AVTAB_XPERMS))
596 services_compute_xperms_drivers(xperms, node);
600 static int cond_dup_av_list(struct cond_av_list *new,
601 const struct cond_av_list *orig,
606 memset(new, 0, sizeof(*new));
608 new->nodes = kcalloc(orig->len, sizeof(*new->nodes), GFP_KERNEL);
612 for (i = 0; i < orig->len; i++) {
613 new->nodes[i] = avtab_insert_nonunique(
614 avtab, &orig->nodes[i]->key, &orig->nodes[i]->datum);
623 static int duplicate_policydb_cond_list(struct policydb *newp,
624 const struct policydb *origp)
629 rc = avtab_alloc_dup(&newp->te_cond_avtab, &origp->te_cond_avtab);
633 newp->cond_list_len = 0;
634 newp->cond_list = kcalloc(origp->cond_list_len,
635 sizeof(*newp->cond_list), GFP_KERNEL);
636 if (!newp->cond_list)
639 for (i = 0; i < origp->cond_list_len; i++) {
640 struct cond_node *newn = &newp->cond_list[i];
641 const struct cond_node *orign = &origp->cond_list[i];
643 newp->cond_list_len++;
645 newn->cur_state = orign->cur_state;
647 kmemdup(orign->expr.nodes,
648 orign->expr.len * sizeof(*orign->expr.nodes),
650 if (!newn->expr.nodes)
653 newn->expr.len = orign->expr.len;
655 rc = cond_dup_av_list(&newn->true_list, &orign->true_list,
656 &newp->te_cond_avtab);
660 rc = cond_dup_av_list(&newn->false_list, &orign->false_list,
661 &newp->te_cond_avtab);
669 avtab_destroy(&newp->te_cond_avtab);
670 cond_list_destroy(newp);
674 static int cond_bools_destroy(void *key, void *datum, void *args)
676 /* key was not copied so no need to free here */
681 static int cond_bools_copy(struct hashtab_node *new,
682 const struct hashtab_node *orig, void *args)
684 struct cond_bool_datum *datum;
686 datum = kmemdup(orig->datum, sizeof(struct cond_bool_datum),
691 new->key = orig->key; /* No need to copy, never modified */
696 static int cond_bools_index(void *key, void *datum, void *args)
698 struct cond_bool_datum *booldatum, **cond_bool_array;
701 cond_bool_array = args;
702 cond_bool_array[booldatum->value - 1] = booldatum;
707 static int duplicate_policydb_bools(struct policydb *newdb,
708 const struct policydb *orig)
710 struct cond_bool_datum **cond_bool_array;
713 cond_bool_array = kmalloc_array(orig->p_bools.nprim,
714 sizeof(*orig->bool_val_to_struct),
716 if (!cond_bool_array)
719 rc = hashtab_duplicate(&newdb->p_bools.table, &orig->p_bools.table,
720 cond_bools_copy, cond_bools_destroy, NULL);
722 kfree(cond_bool_array);
726 hashtab_map(&newdb->p_bools.table, cond_bools_index, cond_bool_array);
727 newdb->bool_val_to_struct = cond_bool_array;
729 newdb->p_bools.nprim = orig->p_bools.nprim;
734 void cond_policydb_destroy_dup(struct policydb *p)
736 hashtab_map(&p->p_bools.table, cond_bools_destroy, NULL);
737 hashtab_destroy(&p->p_bools.table);
738 cond_policydb_destroy(p);
741 int cond_policydb_dup(struct policydb *new, const struct policydb *orig)
743 cond_policydb_init(new);
745 if (duplicate_policydb_bools(new, orig))
748 if (duplicate_policydb_cond_list(new, orig)) {
749 cond_policydb_destroy_dup(new);
projects / linux-block.git / blob