linux/security/selinux/avc.c
<<
>>
Prefs
   1/*
   2 * Implementation of the kernel access vector cache (AVC).
   3 *
   4 * Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
   5 *           James Morris <jmorris@redhat.com>
   6 *
   7 * Update:   KaiGai, Kohei <kaigai@ak.jp.nec.com>
   8 *      Replaced the avc_lock spinlock by RCU.
   9 *
  10 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
  11 *
  12 *      This program is free software; you can redistribute it and/or modify
  13 *      it under the terms of the GNU General Public License version 2,
  14 *      as published by the Free Software Foundation.
  15 */
  16#include <linux/types.h>
  17#include <linux/stddef.h>
  18#include <linux/kernel.h>
  19#include <linux/slab.h>
  20#include <linux/fs.h>
  21#include <linux/dcache.h>
  22#include <linux/init.h>
  23#include <linux/skbuff.h>
  24#include <linux/percpu.h>
  25#include <linux/list.h>
  26#include <net/sock.h>
  27#include <linux/un.h>
  28#include <net/af_unix.h>
  29#include <linux/ip.h>
  30#include <linux/audit.h>
  31#include <linux/ipv6.h>
  32#include <net/ipv6.h>
  33#include "avc.h"
  34#include "avc_ss.h"
  35#include "classmap.h"
  36
  37#define AVC_CACHE_SLOTS                 512
  38#define AVC_DEF_CACHE_THRESHOLD         512
  39#define AVC_CACHE_RECLAIM               16
  40
  41#ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
  42#define avc_cache_stats_incr(field)     this_cpu_inc(avc_cache_stats.field)
  43#else
  44#define avc_cache_stats_incr(field)     do {} while (0)
  45#endif
  46
  47struct avc_entry {
  48        u32                     ssid;
  49        u32                     tsid;
  50        u16                     tclass;
  51        struct av_decision      avd;
  52        struct avc_xperms_node  *xp_node;
  53};
  54
  55struct avc_node {
  56        struct avc_entry        ae;
  57        struct hlist_node       list; /* anchored in avc_cache->slots[i] */
  58        struct rcu_head         rhead;
  59};
  60
  61struct avc_xperms_decision_node {
  62        struct extended_perms_decision xpd;
  63        struct list_head xpd_list; /* list of extended_perms_decision */
  64};
  65
  66struct avc_xperms_node {
  67        struct extended_perms xp;
  68        struct list_head xpd_head; /* list head of extended_perms_decision */
  69};
  70
  71struct avc_cache {
  72        struct hlist_head       slots[AVC_CACHE_SLOTS]; /* head for avc_node->list */
  73        spinlock_t              slots_lock[AVC_CACHE_SLOTS]; /* lock for writes */
  74        atomic_t                lru_hint;       /* LRU hint for reclaim scan */
  75        atomic_t                active_nodes;
  76        u32                     latest_notif;   /* latest revocation notification */
  77};
  78
  79struct avc_callback_node {
  80        int (*callback) (u32 event);
  81        u32 events;
  82        struct avc_callback_node *next;
  83};
  84
  85/* Exported via selinufs */
  86unsigned int avc_cache_threshold = AVC_DEF_CACHE_THRESHOLD;
  87
  88#ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
  89DEFINE_PER_CPU(struct avc_cache_stats, avc_cache_stats) = { 0 };
  90#endif
  91
  92static struct avc_cache avc_cache;
  93static struct avc_callback_node *avc_callbacks;
  94static struct kmem_cache *avc_node_cachep;
  95static struct kmem_cache *avc_xperms_data_cachep;
  96static struct kmem_cache *avc_xperms_decision_cachep;
  97static struct kmem_cache *avc_xperms_cachep;
  98
  99static inline int avc_hash(u32 ssid, u32 tsid, u16 tclass)
 100{
 101        return (ssid ^ (tsid<<2) ^ (tclass<<4)) & (AVC_CACHE_SLOTS - 1);
 102}
 103
 104/**
 105 * avc_dump_av - Display an access vector in human-readable form.
 106 * @tclass: target security class
 107 * @av: access vector
 108 */
 109static void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av)
 110{
 111        const char **perms;
 112        int i, perm;
 113
 114        if (av == 0) {
 115                audit_log_format(ab, " null");
 116                return;
 117        }
 118
 119        BUG_ON(!tclass || tclass >= ARRAY_SIZE(secclass_map));
 120        perms = secclass_map[tclass-1].perms;
 121
 122        audit_log_format(ab, " {");
 123        i = 0;
 124        perm = 1;
 125        while (i < (sizeof(av) * 8)) {
 126                if ((perm & av) && perms[i]) {
 127                        audit_log_format(ab, " %s", perms[i]);
 128                        av &= ~perm;
 129                }
 130                i++;
 131                perm <<= 1;
 132        }
 133
 134        if (av)
 135                audit_log_format(ab, " 0x%x", av);
 136
 137        audit_log_format(ab, " }");
 138}
 139
 140/**
 141 * avc_dump_query - Display a SID pair and a class in human-readable form.
 142 * @ssid: source security identifier
 143 * @tsid: target security identifier
 144 * @tclass: target security class
 145 */
 146static void avc_dump_query(struct audit_buffer *ab, u32 ssid, u32 tsid, u16 tclass)
 147{
 148        int rc;
 149        char *scontext;
 150        u32 scontext_len;
 151
 152        rc = security_sid_to_context(ssid, &scontext, &scontext_len);
 153        if (rc)
 154                audit_log_format(ab, "ssid=%d", ssid);
 155        else {
 156                audit_log_format(ab, "scontext=%s", scontext);
 157                kfree(scontext);
 158        }
 159
 160        rc = security_sid_to_context(tsid, &scontext, &scontext_len);
 161        if (rc)
 162                audit_log_format(ab, " tsid=%d", tsid);
 163        else {
 164                audit_log_format(ab, " tcontext=%s", scontext);
 165                kfree(scontext);
 166        }
 167
 168        BUG_ON(!tclass || tclass >= ARRAY_SIZE(secclass_map));
 169        audit_log_format(ab, " tclass=%s", secclass_map[tclass-1].name);
 170}
 171
 172/**
 173 * avc_init - Initialize the AVC.
 174 *
 175 * Initialize the access vector cache.
 176 */
 177void __init avc_init(void)
 178{
 179        int i;
 180
 181        for (i = 0; i < AVC_CACHE_SLOTS; i++) {
 182                INIT_HLIST_HEAD(&avc_cache.slots[i]);
 183                spin_lock_init(&avc_cache.slots_lock[i]);
 184        }
 185        atomic_set(&avc_cache.active_nodes, 0);
 186        atomic_set(&avc_cache.lru_hint, 0);
 187
 188        avc_node_cachep = kmem_cache_create("avc_node", sizeof(struct avc_node),
 189                                        0, SLAB_PANIC, NULL);
 190        avc_xperms_cachep = kmem_cache_create("avc_xperms_node",
 191                                        sizeof(struct avc_xperms_node),
 192                                        0, SLAB_PANIC, NULL);
 193        avc_xperms_decision_cachep = kmem_cache_create(
 194                                        "avc_xperms_decision_node",
 195                                        sizeof(struct avc_xperms_decision_node),
 196                                        0, SLAB_PANIC, NULL);
 197        avc_xperms_data_cachep = kmem_cache_create("avc_xperms_data",
 198                                        sizeof(struct extended_perms_data),
 199                                        0, SLAB_PANIC, NULL);
 200
 201        audit_log(current->audit_context, GFP_KERNEL, AUDIT_KERNEL, "AVC INITIALIZED\n");
 202}
 203
 204int avc_get_hash_stats(char *page)
 205{
 206        int i, chain_len, max_chain_len, slots_used;
 207        struct avc_node *node;
 208        struct hlist_head *head;
 209
 210        rcu_read_lock();
 211
 212        slots_used = 0;
 213        max_chain_len = 0;
 214        for (i = 0; i < AVC_CACHE_SLOTS; i++) {
 215                head = &avc_cache.slots[i];
 216                if (!hlist_empty(head)) {
 217                        slots_used++;
 218                        chain_len = 0;
 219                        hlist_for_each_entry_rcu(node, head, list)
 220                                chain_len++;
 221                        if (chain_len > max_chain_len)
 222                                max_chain_len = chain_len;
 223                }
 224        }
 225
 226        rcu_read_unlock();
 227
 228        return scnprintf(page, PAGE_SIZE, "entries: %d\nbuckets used: %d/%d\n"
 229                         "longest chain: %d\n",
 230                         atomic_read(&avc_cache.active_nodes),
 231                         slots_used, AVC_CACHE_SLOTS, max_chain_len);
 232}
 233
 234/*
 235 * using a linked list for extended_perms_decision lookup because the list is
 236 * always small. i.e. less than 5, typically 1
 237 */
 238static struct extended_perms_decision *avc_xperms_decision_lookup(u8 driver,
 239                                        struct avc_xperms_node *xp_node)
 240{
 241        struct avc_xperms_decision_node *xpd_node;
 242
 243        list_for_each_entry(xpd_node, &xp_node->xpd_head, xpd_list) {
 244                if (xpd_node->xpd.driver == driver)
 245                        return &xpd_node->xpd;
 246        }
 247        return NULL;
 248}
 249
 250static inline unsigned int
 251avc_xperms_has_perm(struct extended_perms_decision *xpd,
 252                                        u8 perm, u8 which)
 253{
 254        unsigned int rc = 0;
 255
 256        if ((which == XPERMS_ALLOWED) &&
 257                        (xpd->used & XPERMS_ALLOWED))
 258                rc = security_xperm_test(xpd->allowed->p, perm);
 259        else if ((which == XPERMS_AUDITALLOW) &&
 260                        (xpd->used & XPERMS_AUDITALLOW))
 261                rc = security_xperm_test(xpd->auditallow->p, perm);
 262        else if ((which == XPERMS_DONTAUDIT) &&
 263                        (xpd->used & XPERMS_DONTAUDIT))
 264                rc = security_xperm_test(xpd->dontaudit->p, perm);
 265        return rc;
 266}
 267
 268static void avc_xperms_allow_perm(struct avc_xperms_node *xp_node,
 269                                u8 driver, u8 perm)
 270{
 271        struct extended_perms_decision *xpd;
 272        security_xperm_set(xp_node->xp.drivers.p, driver);
 273        xpd = avc_xperms_decision_lookup(driver, xp_node);
 274        if (xpd && xpd->allowed)
 275                security_xperm_set(xpd->allowed->p, perm);
 276}
 277
 278static void avc_xperms_decision_free(struct avc_xperms_decision_node *xpd_node)
 279{
 280        struct extended_perms_decision *xpd;
 281
 282        xpd = &xpd_node->xpd;
 283        if (xpd->allowed)
 284                kmem_cache_free(avc_xperms_data_cachep, xpd->allowed);
 285        if (xpd->auditallow)
 286                kmem_cache_free(avc_xperms_data_cachep, xpd->auditallow);
 287        if (xpd->dontaudit)
 288                kmem_cache_free(avc_xperms_data_cachep, xpd->dontaudit);
 289        kmem_cache_free(avc_xperms_decision_cachep, xpd_node);
 290}
 291
 292static void avc_xperms_free(struct avc_xperms_node *xp_node)
 293{
 294        struct avc_xperms_decision_node *xpd_node, *tmp;
 295
 296        if (!xp_node)
 297                return;
 298
 299        list_for_each_entry_safe(xpd_node, tmp, &xp_node->xpd_head, xpd_list) {
 300                list_del(&xpd_node->xpd_list);
 301                avc_xperms_decision_free(xpd_node);
 302        }
 303        kmem_cache_free(avc_xperms_cachep, xp_node);
 304}
 305
 306static void avc_copy_xperms_decision(struct extended_perms_decision *dest,
 307                                        struct extended_perms_decision *src)
 308{
 309        dest->driver = src->driver;
 310        dest->used = src->used;
 311        if (dest->used & XPERMS_ALLOWED)
 312                memcpy(dest->allowed->p, src->allowed->p,
 313                                sizeof(src->allowed->p));
 314        if (dest->used & XPERMS_AUDITALLOW)
 315                memcpy(dest->auditallow->p, src->auditallow->p,
 316                                sizeof(src->auditallow->p));
 317        if (dest->used & XPERMS_DONTAUDIT)
 318                memcpy(dest->dontaudit->p, src->dontaudit->p,
 319                                sizeof(src->dontaudit->p));
 320}
 321
 322/*
 323 * similar to avc_copy_xperms_decision, but only copy decision
 324 * information relevant to this perm
 325 */
 326static inline void avc_quick_copy_xperms_decision(u8 perm,
 327                        struct extended_perms_decision *dest,
 328                        struct extended_perms_decision *src)
 329{
 330        /*
 331         * compute index of the u32 of the 256 bits (8 u32s) that contain this
 332         * command permission
 333         */
 334        u8 i = perm >> 5;
 335
 336        dest->used = src->used;
 337        if (dest->used & XPERMS_ALLOWED)
 338                dest->allowed->p[i] = src->allowed->p[i];
 339        if (dest->used & XPERMS_AUDITALLOW)
 340                dest->auditallow->p[i] = src->auditallow->p[i];
 341        if (dest->used & XPERMS_DONTAUDIT)
 342                dest->dontaudit->p[i] = src->dontaudit->p[i];
 343}
 344
 345static struct avc_xperms_decision_node
 346                *avc_xperms_decision_alloc(u8 which)
 347{
 348        struct avc_xperms_decision_node *xpd_node;
 349        struct extended_perms_decision *xpd;
 350
 351        xpd_node = kmem_cache_zalloc(avc_xperms_decision_cachep,
 352                                GFP_ATOMIC | __GFP_NOMEMALLOC);
 353        if (!xpd_node)
 354                return NULL;
 355
 356        xpd = &xpd_node->xpd;
 357        if (which & XPERMS_ALLOWED) {
 358                xpd->allowed = kmem_cache_zalloc(avc_xperms_data_cachep,
 359                                                GFP_ATOMIC | __GFP_NOMEMALLOC);
 360                if (!xpd->allowed)
 361                        goto error;
 362        }
 363        if (which & XPERMS_AUDITALLOW) {
 364                xpd->auditallow = kmem_cache_zalloc(avc_xperms_data_cachep,
 365                                                GFP_ATOMIC | __GFP_NOMEMALLOC);
 366                if (!xpd->auditallow)
 367                        goto error;
 368        }
 369        if (which & XPERMS_DONTAUDIT) {
 370                xpd->dontaudit = kmem_cache_zalloc(avc_xperms_data_cachep,
 371                                                GFP_ATOMIC | __GFP_NOMEMALLOC);
 372                if (!xpd->dontaudit)
 373                        goto error;
 374        }
 375        return xpd_node;
 376error:
 377        avc_xperms_decision_free(xpd_node);
 378        return NULL;
 379}
 380
 381static int avc_add_xperms_decision(struct avc_node *node,
 382                        struct extended_perms_decision *src)
 383{
 384        struct avc_xperms_decision_node *dest_xpd;
 385
 386        node->ae.xp_node->xp.len++;
 387        dest_xpd = avc_xperms_decision_alloc(src->used);
 388        if (!dest_xpd)
 389                return -ENOMEM;
 390        avc_copy_xperms_decision(&dest_xpd->xpd, src);
 391        list_add(&dest_xpd->xpd_list, &node->ae.xp_node->xpd_head);
 392        return 0;
 393}
 394
 395static struct avc_xperms_node *avc_xperms_alloc(void)
 396{
 397        struct avc_xperms_node *xp_node;
 398
 399        xp_node = kmem_cache_zalloc(avc_xperms_cachep,
 400                                GFP_ATOMIC|__GFP_NOMEMALLOC);
 401        if (!xp_node)
 402                return xp_node;
 403        INIT_LIST_HEAD(&xp_node->xpd_head);
 404        return xp_node;
 405}
 406
 407static int avc_xperms_populate(struct avc_node *node,
 408                                struct avc_xperms_node *src)
 409{
 410        struct avc_xperms_node *dest;
 411        struct avc_xperms_decision_node *dest_xpd;
 412        struct avc_xperms_decision_node *src_xpd;
 413
 414        if (src->xp.len == 0)
 415                return 0;
 416        dest = avc_xperms_alloc();
 417        if (!dest)
 418                return -ENOMEM;
 419
 420        memcpy(dest->xp.drivers.p, src->xp.drivers.p, sizeof(dest->xp.drivers.p));
 421        dest->xp.len = src->xp.len;
 422
 423        /* for each source xpd allocate a destination xpd and copy */
 424        list_for_each_entry(src_xpd, &src->xpd_head, xpd_list) {
 425                dest_xpd = avc_xperms_decision_alloc(src_xpd->xpd.used);
 426                if (!dest_xpd)
 427                        goto error;
 428                avc_copy_xperms_decision(&dest_xpd->xpd, &src_xpd->xpd);
 429                list_add(&dest_xpd->xpd_list, &dest->xpd_head);
 430        }
 431        node->ae.xp_node = dest;
 432        return 0;
 433error:
 434        avc_xperms_free(dest);
 435        return -ENOMEM;
 436
 437}
 438
 439static inline u32 avc_xperms_audit_required(u32 requested,
 440                                        struct av_decision *avd,
 441                                        struct extended_perms_decision *xpd,
 442                                        u8 perm,
 443                                        int result,
 444                                        u32 *deniedp)
 445{
 446        u32 denied, audited;
 447
 448        denied = requested & ~avd->allowed;
 449        if (unlikely(denied)) {
 450                audited = denied & avd->auditdeny;
 451                if (audited && xpd) {
 452                        if (avc_xperms_has_perm(xpd, perm, XPERMS_DONTAUDIT))
 453                                audited &= ~requested;
 454                }
 455        } else if (result) {
 456                audited = denied = requested;
 457        } else {
 458                audited = requested & avd->auditallow;
 459                if (audited && xpd) {
 460                        if (!avc_xperms_has_perm(xpd, perm, XPERMS_AUDITALLOW))
 461                                audited &= ~requested;
 462                }
 463        }
 464
 465        *deniedp = denied;
 466        return audited;
 467}
 468
 469static inline int avc_xperms_audit(u32 ssid, u32 tsid, u16 tclass,
 470                                u32 requested, struct av_decision *avd,
 471                                struct extended_perms_decision *xpd,
 472                                u8 perm, int result,
 473                                struct common_audit_data *ad)
 474{
 475        u32 audited, denied;
 476
 477        audited = avc_xperms_audit_required(
 478                        requested, avd, xpd, perm, result, &denied);
 479        if (likely(!audited))
 480                return 0;
 481        return slow_avc_audit(ssid, tsid, tclass, requested,
 482                        audited, denied, result, ad, 0);
 483}
 484
 485static void avc_node_free(struct rcu_head *rhead)
 486{
 487        struct avc_node *node = container_of(rhead, struct avc_node, rhead);
 488        avc_xperms_free(node->ae.xp_node);
 489        kmem_cache_free(avc_node_cachep, node);
 490        avc_cache_stats_incr(frees);
 491}
 492
 493static void avc_node_delete(struct avc_node *node)
 494{
 495        hlist_del_rcu(&node->list);
 496        call_rcu(&node->rhead, avc_node_free);
 497        atomic_dec(&avc_cache.active_nodes);
 498}
 499
 500static void avc_node_kill(struct avc_node *node)
 501{
 502        avc_xperms_free(node->ae.xp_node);
 503        kmem_cache_free(avc_node_cachep, node);
 504        avc_cache_stats_incr(frees);
 505        atomic_dec(&avc_cache.active_nodes);
 506}
 507
 508static void avc_node_replace(struct avc_node *new, struct avc_node *old)
 509{
 510        hlist_replace_rcu(&old->list, &new->list);
 511        call_rcu(&old->rhead, avc_node_free);
 512        atomic_dec(&avc_cache.active_nodes);
 513}
 514
 515static inline int avc_reclaim_node(void)
 516{
 517        struct avc_node *node;
 518        int hvalue, try, ecx;
 519        unsigned long flags;
 520        struct hlist_head *head;
 521        spinlock_t *lock;
 522
 523        for (try = 0, ecx = 0; try < AVC_CACHE_SLOTS; try++) {
 524                hvalue = atomic_inc_return(&avc_cache.lru_hint) & (AVC_CACHE_SLOTS - 1);
 525                head = &avc_cache.slots[hvalue];
 526                lock = &avc_cache.slots_lock[hvalue];
 527
 528                if (!spin_trylock_irqsave(lock, flags))
 529                        continue;
 530
 531                rcu_read_lock();
 532                hlist_for_each_entry(node, head, list) {
 533                        avc_node_delete(node);
 534                        avc_cache_stats_incr(reclaims);
 535                        ecx++;
 536                        if (ecx >= AVC_CACHE_RECLAIM) {
 537                                rcu_read_unlock();
 538                                spin_unlock_irqrestore(lock, flags);
 539                                goto out;
 540                        }
 541                }
 542                rcu_read_unlock();
 543                spin_unlock_irqrestore(lock, flags);
 544        }
 545out:
 546        return ecx;
 547}
 548
 549static struct avc_node *avc_alloc_node(void)
 550{
 551        struct avc_node *node;
 552
 553        node = kmem_cache_zalloc(avc_node_cachep, GFP_ATOMIC|__GFP_NOMEMALLOC);
 554        if (!node)
 555                goto out;
 556
 557        INIT_HLIST_NODE(&node->list);
 558        avc_cache_stats_incr(allocations);
 559
 560        if (atomic_inc_return(&avc_cache.active_nodes) > avc_cache_threshold)
 561                avc_reclaim_node();
 562
 563out:
 564        return node;
 565}
 566
 567static void avc_node_populate(struct avc_node *node, u32 ssid, u32 tsid, u16 tclass, struct av_decision *avd)
 568{
 569        node->ae.ssid = ssid;
 570        node->ae.tsid = tsid;
 571        node->ae.tclass = tclass;
 572        memcpy(&node->ae.avd, avd, sizeof(node->ae.avd));
 573}
 574
 575static inline struct avc_node *avc_search_node(u32 ssid, u32 tsid, u16 tclass)
 576{
 577        struct avc_node *node, *ret = NULL;
 578        int hvalue;
 579        struct hlist_head *head;
 580
 581        hvalue = avc_hash(ssid, tsid, tclass);
 582        head = &avc_cache.slots[hvalue];
 583        hlist_for_each_entry_rcu(node, head, list) {
 584                if (ssid == node->ae.ssid &&
 585                    tclass == node->ae.tclass &&
 586                    tsid == node->ae.tsid) {
 587                        ret = node;
 588                        break;
 589                }
 590        }
 591
 592        return ret;
 593}
 594
 595/**
 596 * avc_lookup - Look up an AVC entry.
 597 * @ssid: source security identifier
 598 * @tsid: target security identifier
 599 * @tclass: target security class
 600 *
 601 * Look up an AVC entry that is valid for the
 602 * (@ssid, @tsid), interpreting the permissions
 603 * based on @tclass.  If a valid AVC entry exists,
 604 * then this function returns the avc_node.
 605 * Otherwise, this function returns NULL.
 606 */
 607static struct avc_node *avc_lookup(u32 ssid, u32 tsid, u16 tclass)
 608{
 609        struct avc_node *node;
 610
 611        avc_cache_stats_incr(lookups);
 612        node = avc_search_node(ssid, tsid, tclass);
 613
 614        if (node)
 615                return node;
 616
 617        avc_cache_stats_incr(misses);
 618        return NULL;
 619}
 620
 621static int avc_latest_notif_update(int seqno, int is_insert)
 622{
 623        int ret = 0;
 624        static DEFINE_SPINLOCK(notif_lock);
 625        unsigned long flag;
 626
 627        spin_lock_irqsave(&notif_lock, flag);
 628        if (is_insert) {
 629                if (seqno < avc_cache.latest_notif) {
 630                        printk(KERN_WARNING "SELinux: avc:  seqno %d < latest_notif %d\n",
 631                               seqno, avc_cache.latest_notif);
 632                        ret = -EAGAIN;
 633                }
 634        } else {
 635                if (seqno > avc_cache.latest_notif)
 636                        avc_cache.latest_notif = seqno;
 637        }
 638        spin_unlock_irqrestore(&notif_lock, flag);
 639
 640        return ret;
 641}
 642
 643/**
 644 * avc_insert - Insert an AVC entry.
 645 * @ssid: source security identifier
 646 * @tsid: target security identifier
 647 * @tclass: target security class
 648 * @avd: resulting av decision
 649 * @xp_node: resulting extended permissions
 650 *
 651 * Insert an AVC entry for the SID pair
 652 * (@ssid, @tsid) and class @tclass.
 653 * The access vectors and the sequence number are
 654 * normally provided by the security server in
 655 * response to a security_compute_av() call.  If the
 656 * sequence number @avd->seqno is not less than the latest
 657 * revocation notification, then the function copies
 658 * the access vectors into a cache entry, returns
 659 * avc_node inserted. Otherwise, this function returns NULL.
 660 */
 661static struct avc_node *avc_insert(u32 ssid, u32 tsid, u16 tclass,
 662                                struct av_decision *avd,
 663                                struct avc_xperms_node *xp_node)
 664{
 665        struct avc_node *pos, *node = NULL;
 666        int hvalue;
 667        unsigned long flag;
 668
 669        if (avc_latest_notif_update(avd->seqno, 1))
 670                goto out;
 671
 672        node = avc_alloc_node();
 673        if (node) {
 674                struct hlist_head *head;
 675                spinlock_t *lock;
 676                int rc = 0;
 677
 678                hvalue = avc_hash(ssid, tsid, tclass);
 679                avc_node_populate(node, ssid, tsid, tclass, avd);
 680                rc = avc_xperms_populate(node, xp_node);
 681                if (rc) {
 682                        kmem_cache_free(avc_node_cachep, node);
 683                        return NULL;
 684                }
 685                head = &avc_cache.slots[hvalue];
 686                lock = &avc_cache.slots_lock[hvalue];
 687
 688                spin_lock_irqsave(lock, flag);
 689                hlist_for_each_entry(pos, head, list) {
 690                        if (pos->ae.ssid == ssid &&
 691                            pos->ae.tsid == tsid &&
 692                            pos->ae.tclass == tclass) {
 693                                avc_node_replace(node, pos);
 694                                goto found;
 695                        }
 696                }
 697                hlist_add_head_rcu(&node->list, head);
 698found:
 699                spin_unlock_irqrestore(lock, flag);
 700        }
 701out:
 702        return node;
 703}
 704
 705/**
 706 * avc_audit_pre_callback - SELinux specific information
 707 * will be called by generic audit code
 708 * @ab: the audit buffer
 709 * @a: audit_data
 710 */
 711static void avc_audit_pre_callback(struct audit_buffer *ab, void *a)
 712{
 713        struct common_audit_data *ad = a;
 714        audit_log_format(ab, "avc:  %s ",
 715                         ad->selinux_audit_data->denied ? "denied" : "granted");
 716        avc_dump_av(ab, ad->selinux_audit_data->tclass,
 717                        ad->selinux_audit_data->audited);
 718        audit_log_format(ab, " for ");
 719}
 720
 721/**
 722 * avc_audit_post_callback - SELinux specific information
 723 * will be called by generic audit code
 724 * @ab: the audit buffer
 725 * @a: audit_data
 726 */
 727static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
 728{
 729        struct common_audit_data *ad = a;
 730        audit_log_format(ab, " ");
 731        avc_dump_query(ab, ad->selinux_audit_data->ssid,
 732                           ad->selinux_audit_data->tsid,
 733                           ad->selinux_audit_data->tclass);
 734        if (ad->selinux_audit_data->denied) {
 735                audit_log_format(ab, " permissive=%u",
 736                                 ad->selinux_audit_data->result ? 0 : 1);
 737        }
 738}
 739
 740/* This is the slow part of avc audit with big stack footprint */
 741noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass,
 742                u32 requested, u32 audited, u32 denied, int result,
 743                struct common_audit_data *a,
 744                unsigned flags)
 745{
 746        struct common_audit_data stack_data;
 747        struct selinux_audit_data sad;
 748
 749        if (!a) {
 750                a = &stack_data;
 751                a->type = LSM_AUDIT_DATA_NONE;
 752        }
 753
 754        /*
 755         * When in a RCU walk do the audit on the RCU retry.  This is because
 756         * the collection of the dname in an inode audit message is not RCU
 757         * safe.  Note this may drop some audits when the situation changes
 758         * during retry. However this is logically just as if the operation
 759         * happened a little later.
 760         */
 761        if ((a->type == LSM_AUDIT_DATA_INODE) &&
 762            (flags & MAY_NOT_BLOCK))
 763                return -ECHILD;
 764
 765        sad.tclass = tclass;
 766        sad.requested = requested;
 767        sad.ssid = ssid;
 768        sad.tsid = tsid;
 769        sad.audited = audited;
 770        sad.denied = denied;
 771        sad.result = result;
 772
 773        a->selinux_audit_data = &sad;
 774
 775        common_lsm_audit(a, avc_audit_pre_callback, avc_audit_post_callback);
 776        return 0;
 777}
 778
 779/**
 780 * avc_add_callback - Register a callback for security events.
 781 * @callback: callback function
 782 * @events: security events
 783 *
 784 * Register a callback function for events in the set @events.
 785 * Returns %0 on success or -%ENOMEM if insufficient memory
 786 * exists to add the callback.
 787 */
 788int __init avc_add_callback(int (*callback)(u32 event), u32 events)
 789{
 790        struct avc_callback_node *c;
 791        int rc = 0;
 792
 793        c = kmalloc(sizeof(*c), GFP_KERNEL);
 794        if (!c) {
 795                rc = -ENOMEM;
 796                goto out;
 797        }
 798
 799        c->callback = callback;
 800        c->events = events;
 801        c->next = avc_callbacks;
 802        avc_callbacks = c;
 803out:
 804        return rc;
 805}
 806
 807/**
 808 * avc_update_node Update an AVC entry
 809 * @event : Updating event
 810 * @perms : Permission mask bits
 811 * @ssid,@tsid,@tclass : identifier of an AVC entry
 812 * @seqno : sequence number when decision was made
 813 * @xpd: extended_perms_decision to be added to the node
 814 *
 815 * if a valid AVC entry doesn't exist,this function returns -ENOENT.
 816 * if kmalloc() called internal returns NULL, this function returns -ENOMEM.
 817 * otherwise, this function updates the AVC entry. The original AVC-entry object
 818 * will release later by RCU.
 819 */
 820static int avc_update_node(u32 event, u32 perms, u8 driver, u8 xperm, u32 ssid,
 821                        u32 tsid, u16 tclass, u32 seqno,
 822                        struct extended_perms_decision *xpd,
 823                        u32 flags)
 824{
 825        int hvalue, rc = 0;
 826        unsigned long flag;
 827        struct avc_node *pos, *node, *orig = NULL;
 828        struct hlist_head *head;
 829        spinlock_t *lock;
 830
 831        node = avc_alloc_node();
 832        if (!node) {
 833                rc = -ENOMEM;
 834                goto out;
 835        }
 836
 837        /* Lock the target slot */
 838        hvalue = avc_hash(ssid, tsid, tclass);
 839
 840        head = &avc_cache.slots[hvalue];
 841        lock = &avc_cache.slots_lock[hvalue];
 842
 843        spin_lock_irqsave(lock, flag);
 844
 845        hlist_for_each_entry(pos, head, list) {
 846                if (ssid == pos->ae.ssid &&
 847                    tsid == pos->ae.tsid &&
 848                    tclass == pos->ae.tclass &&
 849                    seqno == pos->ae.avd.seqno){
 850                        orig = pos;
 851                        break;
 852                }
 853        }
 854
 855        if (!orig) {
 856                rc = -ENOENT;
 857                avc_node_kill(node);
 858                goto out_unlock;
 859        }
 860
 861        /*
 862         * Copy and replace original node.
 863         */
 864
 865        avc_node_populate(node, ssid, tsid, tclass, &orig->ae.avd);
 866
 867        if (orig->ae.xp_node) {
 868                rc = avc_xperms_populate(node, orig->ae.xp_node);
 869                if (rc) {
 870                        kmem_cache_free(avc_node_cachep, node);
 871                        goto out_unlock;
 872                }
 873        }
 874
 875        switch (event) {
 876        case AVC_CALLBACK_GRANT:
 877                node->ae.avd.allowed |= perms;
 878                if (node->ae.xp_node && (flags & AVC_EXTENDED_PERMS))
 879                        avc_xperms_allow_perm(node->ae.xp_node, driver, xperm);
 880                break;
 881        case AVC_CALLBACK_TRY_REVOKE:
 882        case AVC_CALLBACK_REVOKE:
 883                node->ae.avd.allowed &= ~perms;
 884                break;
 885        case AVC_CALLBACK_AUDITALLOW_ENABLE:
 886                node->ae.avd.auditallow |= perms;
 887                break;
 888        case AVC_CALLBACK_AUDITALLOW_DISABLE:
 889                node->ae.avd.auditallow &= ~perms;
 890                break;
 891        case AVC_CALLBACK_AUDITDENY_ENABLE:
 892                node->ae.avd.auditdeny |= perms;
 893                break;
 894        case AVC_CALLBACK_AUDITDENY_DISABLE:
 895                node->ae.avd.auditdeny &= ~perms;
 896                break;
 897        case AVC_CALLBACK_ADD_XPERMS:
 898                avc_add_xperms_decision(node, xpd);
 899                break;
 900        }
 901        avc_node_replace(node, orig);
 902out_unlock:
 903        spin_unlock_irqrestore(lock, flag);
 904out:
 905        return rc;
 906}
 907
 908/**
 909 * avc_flush - Flush the cache
 910 */
 911static void avc_flush(void)
 912{
 913        struct hlist_head *head;
 914        struct avc_node *node;
 915        spinlock_t *lock;
 916        unsigned long flag;
 917        int i;
 918
 919        for (i = 0; i < AVC_CACHE_SLOTS; i++) {
 920                head = &avc_cache.slots[i];
 921                lock = &avc_cache.slots_lock[i];
 922
 923                spin_lock_irqsave(lock, flag);
 924                /*
 925                 * With preemptable RCU, the outer spinlock does not
 926                 * prevent RCU grace periods from ending.
 927                 */
 928                rcu_read_lock();
 929                hlist_for_each_entry(node, head, list)
 930                        avc_node_delete(node);
 931                rcu_read_unlock();
 932                spin_unlock_irqrestore(lock, flag);
 933        }
 934}
 935
 936/**
 937 * avc_ss_reset - Flush the cache and revalidate migrated permissions.
 938 * @seqno: policy sequence number
 939 */
 940int avc_ss_reset(u32 seqno)
 941{
 942        struct avc_callback_node *c;
 943        int rc = 0, tmprc;
 944
 945        avc_flush();
 946
 947        for (c = avc_callbacks; c; c = c->next) {
 948                if (c->events & AVC_CALLBACK_RESET) {
 949                        tmprc = c->callback(AVC_CALLBACK_RESET);
 950                        /* save the first error encountered for the return
 951                           value and continue processing the callbacks */
 952                        if (!rc)
 953                                rc = tmprc;
 954                }
 955        }
 956
 957        avc_latest_notif_update(seqno, 0);
 958        return rc;
 959}
 960
 961/*
 962 * Slow-path helper function for avc_has_perm_noaudit,
 963 * when the avc_node lookup fails. We get called with
 964 * the RCU read lock held, and need to return with it
 965 * still held, but drop if for the security compute.
 966 *
 967 * Don't inline this, since it's the slow-path and just
 968 * results in a bigger stack frame.
 969 */
 970static noinline struct avc_node *avc_compute_av(u32 ssid, u32 tsid,
 971                         u16 tclass, struct av_decision *avd,
 972                         struct avc_xperms_node *xp_node)
 973{
 974        rcu_read_unlock();
 975        INIT_LIST_HEAD(&xp_node->xpd_head);
 976        security_compute_av(ssid, tsid, tclass, avd, &xp_node->xp);
 977        rcu_read_lock();
 978        return avc_insert(ssid, tsid, tclass, avd, xp_node);
 979}
 980
 981static noinline int avc_denied(u32 ssid, u32 tsid,
 982                                u16 tclass, u32 requested,
 983                                u8 driver, u8 xperm, unsigned flags,
 984                                struct av_decision *avd)
 985{
 986        if (flags & AVC_STRICT)
 987                return -EACCES;
 988
 989        if (selinux_enforcing && !(avd->flags & AVD_FLAGS_PERMISSIVE))
 990                return -EACCES;
 991
 992        avc_update_node(AVC_CALLBACK_GRANT, requested, driver, xperm, ssid,
 993                                tsid, tclass, avd->seqno, NULL, flags);
 994        return 0;
 995}
 996
 997/*
 998 * The avc extended permissions logic adds an additional 256 bits of
 999 * permissions to an avc node when extended permissions for that node are
1000 * specified in the avtab. If the additional 256 permissions is not adequate,
1001 * as-is the case with ioctls, then multiple may be chained together and the
1002 * driver field is used to specify which set contains the permission.
1003 */
1004int avc_has_extended_perms(u32 ssid, u32 tsid, u16 tclass, u32 requested,
1005                        u8 driver, u8 xperm, struct common_audit_data *ad)
1006{
1007        struct avc_node *node;
1008        struct av_decision avd;
1009        u32 denied;
1010        struct extended_perms_decision local_xpd;
1011        struct extended_perms_decision *xpd = NULL;
1012        struct extended_perms_data allowed;
1013        struct extended_perms_data auditallow;
1014        struct extended_perms_data dontaudit;
1015        struct avc_xperms_node local_xp_node;
1016        struct avc_xperms_node *xp_node;
1017        int rc = 0, rc2;
1018
1019        xp_node = &local_xp_node;
1020        BUG_ON(!requested);
1021
1022        rcu_read_lock();
1023
1024        node = avc_lookup(ssid, tsid, tclass);
1025        if (unlikely(!node)) {
1026                node = avc_compute_av(ssid, tsid, tclass, &avd, xp_node);
1027        } else {
1028                memcpy(&avd, &node->ae.avd, sizeof(avd));
1029                xp_node = node->ae.xp_node;
1030        }
1031        /* if extended permissions are not defined, only consider av_decision */
1032        if (!xp_node || !xp_node->xp.len)
1033                goto decision;
1034
1035        local_xpd.allowed = &allowed;
1036        local_xpd.auditallow = &auditallow;
1037        local_xpd.dontaudit = &dontaudit;
1038
1039        xpd = avc_xperms_decision_lookup(driver, xp_node);
1040        if (unlikely(!xpd)) {
1041                /*
1042                 * Compute the extended_perms_decision only if the driver
1043                 * is flagged
1044                 */
1045                if (!security_xperm_test(xp_node->xp.drivers.p, driver)) {
1046                        avd.allowed &= ~requested;
1047                        goto decision;
1048                }
1049                rcu_read_unlock();
1050                security_compute_xperms_decision(ssid, tsid, tclass, driver,
1051                                                &local_xpd);
1052                rcu_read_lock();
1053                avc_update_node(AVC_CALLBACK_ADD_XPERMS, requested, driver, xperm,
1054                                ssid, tsid, tclass, avd.seqno, &local_xpd, 0);
1055        } else {
1056                avc_quick_copy_xperms_decision(xperm, &local_xpd, xpd);
1057        }
1058        xpd = &local_xpd;
1059
1060        if (!avc_xperms_has_perm(xpd, xperm, XPERMS_ALLOWED))
1061                avd.allowed &= ~requested;
1062
1063decision:
1064        denied = requested & ~(avd.allowed);
1065        if (unlikely(denied))
1066                rc = avc_denied(ssid, tsid, tclass, requested, driver, xperm,
1067                                AVC_EXTENDED_PERMS, &avd);
1068
1069        rcu_read_unlock();
1070
1071        rc2 = avc_xperms_audit(ssid, tsid, tclass, requested,
1072                        &avd, xpd, xperm, rc, ad);
1073        if (rc2)
1074                return rc2;
1075        return rc;
1076}
1077
1078/**
1079 * avc_has_perm_noaudit - Check permissions but perform no auditing.
1080 * @ssid: source security identifier
1081 * @tsid: target security identifier
1082 * @tclass: target security class
1083 * @requested: requested permissions, interpreted based on @tclass
1084 * @flags:  AVC_STRICT or 0
1085 * @avd: access vector decisions
1086 *
1087 * Check the AVC to determine whether the @requested permissions are granted
1088 * for the SID pair (@ssid, @tsid), interpreting the permissions
1089 * based on @tclass, and call the security server on a cache miss to obtain
1090 * a new decision and add it to the cache.  Return a copy of the decisions
1091 * in @avd.  Return %0 if all @requested permissions are granted,
1092 * -%EACCES if any permissions are denied, or another -errno upon
1093 * other errors.  This function is typically called by avc_has_perm(),
1094 * but may also be called directly to separate permission checking from
1095 * auditing, e.g. in cases where a lock must be held for the check but
1096 * should be released for the auditing.
1097 */
1098inline int avc_has_perm_noaudit(u32 ssid, u32 tsid,
1099                         u16 tclass, u32 requested,
1100                         unsigned flags,
1101                         struct av_decision *avd)
1102{
1103        struct avc_node *node;
1104        struct avc_xperms_node xp_node;
1105        int rc = 0;
1106        u32 denied;
1107
1108        BUG_ON(!requested);
1109
1110        rcu_read_lock();
1111
1112        node = avc_lookup(ssid, tsid, tclass);
1113        if (unlikely(!node))
1114                node = avc_compute_av(ssid, tsid, tclass, avd, &xp_node);
1115        else
1116                memcpy(avd, &node->ae.avd, sizeof(*avd));
1117
1118        denied = requested & ~(avd->allowed);
1119        if (unlikely(denied))
1120                rc = avc_denied(ssid, tsid, tclass, requested, 0, 0, flags, avd);
1121
1122        rcu_read_unlock();
1123        return rc;
1124}
1125
1126/**
1127 * avc_has_perm - Check permissions and perform any appropriate auditing.
1128 * @ssid: source security identifier
1129 * @tsid: target security identifier
1130 * @tclass: target security class
1131 * @requested: requested permissions, interpreted based on @tclass
1132 * @auditdata: auxiliary audit data
1133 *
1134 * Check the AVC to determine whether the @requested permissions are granted
1135 * for the SID pair (@ssid, @tsid), interpreting the permissions
1136 * based on @tclass, and call the security server on a cache miss to obtain
1137 * a new decision and add it to the cache.  Audit the granting or denial of
1138 * permissions in accordance with the policy.  Return %0 if all @requested
1139 * permissions are granted, -%EACCES if any permissions are denied, or
1140 * another -errno upon other errors.
1141 */
1142int avc_has_perm(u32 ssid, u32 tsid, u16 tclass,
1143                 u32 requested, struct common_audit_data *auditdata)
1144{
1145        struct av_decision avd;
1146        int rc, rc2;
1147
1148        rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, &avd);
1149
1150        rc2 = avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata, 0);
1151        if (rc2)
1152                return rc2;
1153        return rc;
1154}
1155
1156int avc_has_perm_flags(u32 ssid, u32 tsid, u16 tclass,
1157                       u32 requested, struct common_audit_data *auditdata,
1158                       int flags)
1159{
1160        struct av_decision avd;
1161        int rc, rc2;
1162
1163        rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, &avd);
1164
1165        rc2 = avc_audit(ssid, tsid, tclass, requested, &avd, rc,
1166                        auditdata, flags);
1167        if (rc2)
1168                return rc2;
1169        return rc;
1170}
1171
1172u32 avc_policy_seqno(void)
1173{
1174        return avc_cache.latest_notif;
1175}
1176
1177void avc_disable(void)
1178{
1179        /*
1180         * If you are looking at this because you have realized that we are
1181         * not destroying the avc_node_cachep it might be easy to fix, but
1182         * I don't know the memory barrier semantics well enough to know.  It's
1183         * possible that some other task dereferenced security_ops when
1184         * it still pointed to selinux operations.  If that is the case it's
1185         * possible that it is about to use the avc and is about to need the
1186         * avc_node_cachep.  I know I could wrap the security.c security_ops call
1187         * in an rcu_lock, but seriously, it's not worth it.  Instead I just flush
1188         * the cache and get that memory back.
1189         */
1190        if (avc_node_cachep) {
1191                avc_flush();
1192                /* kmem_cache_destroy(avc_node_cachep); */
1193        }
1194}
1195