1
2
3
4
5
6
7
8
9
10#include <linux/kernel.h>
11#include <linux/errno.h>
12#include <linux/string.h>
13#include <linux/spinlock.h>
14#include <linux/slab.h>
15
16#include "security.h"
17#include "conditional.h"
18#include "services.h"
19
20
21
22
23
24
25
26static int cond_evaluate_expr(struct policydb *p, struct cond_expr *expr)
27{
28 u32 i;
29 int s[COND_EXPR_MAXDEPTH];
30 int sp = -1;
31
32 if (expr->len == 0)
33 return -1;
34
35 for (i = 0; i < expr->len; i++) {
36 struct cond_expr_node *node = &expr->nodes[i];
37
38 switch (node->expr_type) {
39 case COND_BOOL:
40 if (sp == (COND_EXPR_MAXDEPTH - 1))
41 return -1;
42 sp++;
43 s[sp] = p->bool_val_to_struct[node->bool - 1]->state;
44 break;
45 case COND_NOT:
46 if (sp < 0)
47 return -1;
48 s[sp] = !s[sp];
49 break;
50 case COND_OR:
51 if (sp < 1)
52 return -1;
53 sp--;
54 s[sp] |= s[sp + 1];
55 break;
56 case COND_AND:
57 if (sp < 1)
58 return -1;
59 sp--;
60 s[sp] &= s[sp + 1];
61 break;
62 case COND_XOR:
63 if (sp < 1)
64 return -1;
65 sp--;
66 s[sp] ^= s[sp + 1];
67 break;
68 case COND_EQ:
69 if (sp < 1)
70 return -1;
71 sp--;
72 s[sp] = (s[sp] == s[sp + 1]);
73 break;
74 case COND_NEQ:
75 if (sp < 1)
76 return -1;
77 sp--;
78 s[sp] = (s[sp] != s[sp + 1]);
79 break;
80 default:
81 return -1;
82 }
83 }
84 return s[0];
85}
86
87
88
89
90
91
92
93
94static void evaluate_cond_node(struct policydb *p, struct cond_node *node)
95{
96 struct avtab_node *avnode;
97 int new_state;
98 u32 i;
99
100 new_state = cond_evaluate_expr(p, &node->expr);
101 if (new_state != node->cur_state) {
102 node->cur_state = new_state;
103 if (new_state == -1)
104 pr_err("SELinux: expression result was undefined - disabling all rules.\n");
105
106 for (i = 0; i < node->true_list.len; i++) {
107 avnode = node->true_list.nodes[i];
108 if (new_state <= 0)
109 avnode->key.specified &= ~AVTAB_ENABLED;
110 else
111 avnode->key.specified |= AVTAB_ENABLED;
112 }
113
114 for (i = 0; i < node->false_list.len; i++) {
115 avnode = node->false_list.nodes[i];
116
117 if (new_state)
118 avnode->key.specified &= ~AVTAB_ENABLED;
119 else
120 avnode->key.specified |= AVTAB_ENABLED;
121 }
122 }
123}
124
125void evaluate_cond_nodes(struct policydb *p)
126{
127 u32 i;
128
129 for (i = 0; i < p->cond_list_len; i++)
130 evaluate_cond_node(p, &p->cond_list[i]);
131}
132
133void cond_policydb_init(struct policydb *p)
134{
135 p->bool_val_to_struct = NULL;
136 p->cond_list = NULL;
137 p->cond_list_len = 0;
138
139 avtab_init(&p->te_cond_avtab);
140}
141
142static void cond_node_destroy(struct cond_node *node)
143{
144 kfree(node->expr.nodes);
145
146 kfree(node->true_list.nodes);
147 kfree(node->false_list.nodes);
148}
149
150static void cond_list_destroy(struct policydb *p)
151{
152 u32 i;
153
154 for (i = 0; i < p->cond_list_len; i++)
155 cond_node_destroy(&p->cond_list[i]);
156 kfree(p->cond_list);
157}
158
159void cond_policydb_destroy(struct policydb *p)
160{
161 kfree(p->bool_val_to_struct);
162 avtab_destroy(&p->te_cond_avtab);
163 cond_list_destroy(p);
164}
165
166int cond_init_bool_indexes(struct policydb *p)
167{
168 kfree(p->bool_val_to_struct);
169 p->bool_val_to_struct = kmalloc_array(p->p_bools.nprim,
170 sizeof(*p->bool_val_to_struct),
171 GFP_KERNEL);
172 if (!p->bool_val_to_struct)
173 return -ENOMEM;
174 return 0;
175}
176
177int cond_destroy_bool(void *key, void *datum, void *p)
178{
179 kfree(key);
180 kfree(datum);
181 return 0;
182}
183
184int cond_index_bool(void *key, void *datum, void *datap)
185{
186 struct policydb *p;
187 struct cond_bool_datum *booldatum;
188
189 booldatum = datum;
190 p = datap;
191
192 if (!booldatum->value || booldatum->value > p->p_bools.nprim)
193 return -EINVAL;
194
195 p->sym_val_to_name[SYM_BOOLS][booldatum->value - 1] = key;
196 p->bool_val_to_struct[booldatum->value - 1] = booldatum;
197
198 return 0;
199}
200
201static int bool_isvalid(struct cond_bool_datum *b)
202{
203 if (!(b->state == 0 || b->state == 1))
204 return 0;
205 return 1;
206}
207
208int cond_read_bool(struct policydb *p, struct symtab *s, void *fp)
209{
210 char *key = NULL;
211 struct cond_bool_datum *booldatum;
212 __le32 buf[3];
213 u32 len;
214 int rc;
215
216 booldatum = kzalloc(sizeof(*booldatum), GFP_KERNEL);
217 if (!booldatum)
218 return -ENOMEM;
219
220 rc = next_entry(buf, fp, sizeof(buf));
221 if (rc)
222 goto err;
223
224 booldatum->value = le32_to_cpu(buf[0]);
225 booldatum->state = le32_to_cpu(buf[1]);
226
227 rc = -EINVAL;
228 if (!bool_isvalid(booldatum))
229 goto err;
230
231 len = le32_to_cpu(buf[2]);
232 if (((len == 0) || (len == (u32)-1)))
233 goto err;
234
235 rc = -ENOMEM;
236 key = kmalloc(len + 1, GFP_KERNEL);
237 if (!key)
238 goto err;
239 rc = next_entry(key, fp, len);
240 if (rc)
241 goto err;
242 key[len] = '\0';
243 rc = symtab_insert(s, key, booldatum);
244 if (rc)
245 goto err;
246
247 return 0;
248err:
249 cond_destroy_bool(key, booldatum, NULL);
250 return rc;
251}
252
253struct cond_insertf_data {
254 struct policydb *p;
255 struct avtab_node **dst;
256 struct cond_av_list *other;
257};
258
259static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum *d, void *ptr)
260{
261 struct cond_insertf_data *data = ptr;
262 struct policydb *p = data->p;
263 struct cond_av_list *other = data->other;
264 struct avtab_node *node_ptr;
265 u32 i;
266 bool found;
267
268
269
270
271
272
273 if (k->specified & AVTAB_TYPE) {
274 if (avtab_search(&p->te_avtab, k)) {
275 pr_err("SELinux: type rule already exists outside of a conditional.\n");
276 return -EINVAL;
277 }
278
279
280
281
282
283
284
285
286 if (other) {
287 node_ptr = avtab_search_node(&p->te_cond_avtab, k);
288 if (node_ptr) {
289 if (avtab_search_node_next(node_ptr, k->specified)) {
290 pr_err("SELinux: too many conflicting type rules.\n");
291 return -EINVAL;
292 }
293 found = false;
294 for (i = 0; i < other->len; i++) {
295 if (other->nodes[i] == node_ptr) {
296 found = true;
297 break;
298 }
299 }
300 if (!found) {
301 pr_err("SELinux: conflicting type rules.\n");
302 return -EINVAL;
303 }
304 }
305 } else {
306 if (avtab_search(&p->te_cond_avtab, k)) {
307 pr_err("SELinux: conflicting type rules when adding type rule for true.\n");
308 return -EINVAL;
309 }
310 }
311 }
312
313 node_ptr = avtab_insert_nonunique(&p->te_cond_avtab, k, d);
314 if (!node_ptr) {
315 pr_err("SELinux: could not insert rule.\n");
316 return -ENOMEM;
317 }
318
319 *data->dst = node_ptr;
320 return 0;
321}
322
323static int cond_read_av_list(struct policydb *p, void *fp,
324 struct cond_av_list *list,
325 struct cond_av_list *other)
326{
327 int rc;
328 __le32 buf[1];
329 u32 i, len;
330 struct cond_insertf_data data;
331
332 rc = next_entry(buf, fp, sizeof(u32));
333 if (rc)
334 return rc;
335
336 len = le32_to_cpu(buf[0]);
337 if (len == 0)
338 return 0;
339
340 list->nodes = kcalloc(len, sizeof(*list->nodes), GFP_KERNEL);
341 if (!list->nodes)
342 return -ENOMEM;
343
344 data.p = p;
345 data.other = other;
346 for (i = 0; i < len; i++) {
347 data.dst = &list->nodes[i];
348 rc = avtab_read_item(&p->te_cond_avtab, fp, p, cond_insertf,
349 &data);
350 if (rc) {
351 kfree(list->nodes);
352 list->nodes = NULL;
353 return rc;
354 }
355 }
356
357 list->len = len;
358 return 0;
359}
360
361static int expr_node_isvalid(struct policydb *p, struct cond_expr_node *expr)
362{
363 if (expr->expr_type <= 0 || expr->expr_type > COND_LAST) {
364 pr_err("SELinux: conditional expressions uses unknown operator.\n");
365 return 0;
366 }
367
368 if (expr->bool > p->p_bools.nprim) {
369 pr_err("SELinux: conditional expressions uses unknown bool.\n");
370 return 0;
371 }
372 return 1;
373}
374
375static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp)
376{
377 __le32 buf[2];
378 u32 i, len;
379 int rc;
380
381 rc = next_entry(buf, fp, sizeof(u32) * 2);
382 if (rc)
383 return rc;
384
385 node->cur_state = le32_to_cpu(buf[0]);
386
387
388 len = le32_to_cpu(buf[1]);
389 node->expr.nodes = kcalloc(len, sizeof(*node->expr.nodes), GFP_KERNEL);
390 if (!node->expr.nodes)
391 return -ENOMEM;
392
393 node->expr.len = len;
394
395 for (i = 0; i < len; i++) {
396 struct cond_expr_node *expr = &node->expr.nodes[i];
397
398 rc = next_entry(buf, fp, sizeof(u32) * 2);
399 if (rc)
400 return rc;
401
402 expr->expr_type = le32_to_cpu(buf[0]);
403 expr->bool = le32_to_cpu(buf[1]);
404
405 if (!expr_node_isvalid(p, expr))
406 return -EINVAL;
407 }
408
409 rc = cond_read_av_list(p, fp, &node->true_list, NULL);
410 if (rc)
411 return rc;
412 return cond_read_av_list(p, fp, &node->false_list, &node->true_list);
413}
414
415int cond_read_list(struct policydb *p, void *fp)
416{
417 __le32 buf[1];
418 u32 i, len;
419 int rc;
420
421 rc = next_entry(buf, fp, sizeof(buf));
422 if (rc)
423 return rc;
424
425 len = le32_to_cpu(buf[0]);
426
427 p->cond_list = kcalloc(len, sizeof(*p->cond_list), GFP_KERNEL);
428 if (!p->cond_list)
429 return -ENOMEM;
430
431 rc = avtab_alloc(&(p->te_cond_avtab), p->te_avtab.nel);
432 if (rc)
433 goto err;
434
435 p->cond_list_len = len;
436
437 for (i = 0; i < len; i++) {
438 rc = cond_read_node(p, &p->cond_list[i], fp);
439 if (rc)
440 goto err;
441 }
442 return 0;
443err:
444 cond_list_destroy(p);
445 p->cond_list = NULL;
446 return rc;
447}
448
449int cond_write_bool(void *vkey, void *datum, void *ptr)
450{
451 char *key = vkey;
452 struct cond_bool_datum *booldatum = datum;
453 struct policy_data *pd = ptr;
454 void *fp = pd->fp;
455 __le32 buf[3];
456 u32 len;
457 int rc;
458
459 len = strlen(key);
460 buf[0] = cpu_to_le32(booldatum->value);
461 buf[1] = cpu_to_le32(booldatum->state);
462 buf[2] = cpu_to_le32(len);
463 rc = put_entry(buf, sizeof(u32), 3, fp);
464 if (rc)
465 return rc;
466 rc = put_entry(key, 1, len, fp);
467 if (rc)
468 return rc;
469 return 0;
470}
471
472
473
474
475
476
477
478
479
480
481static int cond_write_av_list(struct policydb *p,
482 struct cond_av_list *list, struct policy_file *fp)
483{
484 __le32 buf[1];
485 u32 i;
486 int rc;
487
488 buf[0] = cpu_to_le32(list->len);
489 rc = put_entry(buf, sizeof(u32), 1, fp);
490 if (rc)
491 return rc;
492
493 for (i = 0; i < list->len; i++) {
494 rc = avtab_write_item(p, list->nodes[i], fp);
495 if (rc)
496 return rc;
497 }
498
499 return 0;
500}
501
502static int cond_write_node(struct policydb *p, struct cond_node *node,
503 struct policy_file *fp)
504{
505 __le32 buf[2];
506 int rc;
507 u32 i;
508
509 buf[0] = cpu_to_le32(node->cur_state);
510 rc = put_entry(buf, sizeof(u32), 1, fp);
511 if (rc)
512 return rc;
513
514 buf[0] = cpu_to_le32(node->expr.len);
515 rc = put_entry(buf, sizeof(u32), 1, fp);
516 if (rc)
517 return rc;
518
519 for (i = 0; i < node->expr.len; i++) {
520 buf[0] = cpu_to_le32(node->expr.nodes[i].expr_type);
521 buf[1] = cpu_to_le32(node->expr.nodes[i].bool);
522 rc = put_entry(buf, sizeof(u32), 2, fp);
523 if (rc)
524 return rc;
525 }
526
527 rc = cond_write_av_list(p, &node->true_list, fp);
528 if (rc)
529 return rc;
530 rc = cond_write_av_list(p, &node->false_list, fp);
531 if (rc)
532 return rc;
533
534 return 0;
535}
536
537int cond_write_list(struct policydb *p, void *fp)
538{
539 u32 i;
540 __le32 buf[1];
541 int rc;
542
543 buf[0] = cpu_to_le32(p->cond_list_len);
544 rc = put_entry(buf, sizeof(u32), 1, fp);
545 if (rc)
546 return rc;
547
548 for (i = 0; i < p->cond_list_len; i++) {
549 rc = cond_write_node(p, &p->cond_list[i], fp);
550 if (rc)
551 return rc;
552 }
553
554 return 0;
555}
556
557void cond_compute_xperms(struct avtab *ctab, struct avtab_key *key,
558 struct extended_perms_decision *xpermd)
559{
560 struct avtab_node *node;
561
562 if (!ctab || !key || !xpermd)
563 return;
564
565 for (node = avtab_search_node(ctab, key); node;
566 node = avtab_search_node_next(node, key->specified)) {
567 if (node->key.specified & AVTAB_ENABLED)
568 services_compute_xperms_decision(xpermd, node);
569 }
570 return;
571
572}
573
574
575
576void cond_compute_av(struct avtab *ctab, struct avtab_key *key,
577 struct av_decision *avd, struct extended_perms *xperms)
578{
579 struct avtab_node *node;
580
581 if (!ctab || !key || !avd)
582 return;
583
584 for (node = avtab_search_node(ctab, key); node;
585 node = avtab_search_node_next(node, key->specified)) {
586 if ((u16)(AVTAB_ALLOWED|AVTAB_ENABLED) ==
587 (node->key.specified & (AVTAB_ALLOWED|AVTAB_ENABLED)))
588 avd->allowed |= node->datum.u.data;
589 if ((u16)(AVTAB_AUDITDENY|AVTAB_ENABLED) ==
590 (node->key.specified & (AVTAB_AUDITDENY|AVTAB_ENABLED)))
591
592
593
594
595
596 avd->auditdeny &= node->datum.u.data;
597 if ((u16)(AVTAB_AUDITALLOW|AVTAB_ENABLED) ==
598 (node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED)))
599 avd->auditallow |= node->datum.u.data;
600 if (xperms && (node->key.specified & AVTAB_ENABLED) &&
601 (node->key.specified & AVTAB_XPERMS))
602 services_compute_xperms_drivers(xperms, node);
603 }
604}
605