avc.c 31 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208
  1. // SPDX-License-Identifier: GPL-2.0-only
  2. /*
  3. * Implementation of the kernel access vector cache (AVC).
  4. *
  5. * Authors: Stephen Smalley, <stephen.smalley.work@gmail.com>
  6. * James Morris <jmorris@redhat.com>
  7. *
  8. * Update: KaiGai, Kohei <kaigai@ak.jp.nec.com>
  9. * Replaced the avc_lock spinlock by RCU.
  10. *
  11. * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
  12. */
  13. #include <linux/types.h>
  14. #include <linux/stddef.h>
  15. #include <linux/kernel.h>
  16. #include <linux/slab.h>
  17. #include <linux/fs.h>
  18. #include <linux/dcache.h>
  19. #include <linux/init.h>
  20. #include <linux/skbuff.h>
  21. #include <linux/percpu.h>
  22. #include <linux/list.h>
  23. #include <net/sock.h>
  24. #include <linux/un.h>
  25. #include <net/af_unix.h>
  26. #include <linux/ip.h>
  27. #include <linux/audit.h>
  28. #include <linux/ipv6.h>
  29. #include <net/ipv6.h>
  30. #include "avc.h"
  31. #include "avc_ss.h"
  32. #include "classmap.h"
  33. #include "hash.h"
  34. #define CREATE_TRACE_POINTS
  35. #include <trace/events/avc.h>
  36. #define AVC_CACHE_SLOTS (1 << CONFIG_SECURITY_SELINUX_AVC_HASH_BITS)
  37. #define AVC_DEF_CACHE_THRESHOLD AVC_CACHE_SLOTS
  38. #define AVC_CACHE_RECLAIM 16
  39. #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
  40. #define avc_cache_stats_incr(field) this_cpu_inc(avc_cache_stats.field)
  41. #else
  42. #define avc_cache_stats_incr(field) do {} while (0)
  43. #endif
  44. struct avc_entry {
  45. u32 ssid;
  46. u32 tsid;
  47. u16 tclass;
  48. struct av_decision avd;
  49. struct avc_xperms_node *xp_node;
  50. };
  51. struct avc_node {
  52. struct avc_entry ae;
  53. struct hlist_node list; /* anchored in avc_cache->slots[i] */
  54. struct rcu_head rhead;
  55. };
  56. struct avc_xperms_decision_node {
  57. struct extended_perms_decision xpd;
  58. struct list_head xpd_list; /* list of extended_perms_decision */
  59. };
  60. struct avc_xperms_node {
  61. struct extended_perms xp;
  62. struct list_head xpd_head; /* list head of extended_perms_decision */
  63. };
  64. struct avc_cache {
  65. struct hlist_head slots[AVC_CACHE_SLOTS]; /* head for avc_node->list */
  66. spinlock_t slots_lock[AVC_CACHE_SLOTS]; /* lock for writes */
  67. atomic_t lru_hint; /* LRU hint for reclaim scan */
  68. atomic_t active_nodes;
  69. u32 latest_notif; /* latest revocation notification */
  70. };
  71. struct avc_callback_node {
  72. int (*callback) (u32 event);
  73. u32 events;
  74. struct avc_callback_node *next;
  75. };
  76. #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
  77. DEFINE_PER_CPU(struct avc_cache_stats, avc_cache_stats) = { 0 };
  78. #endif
  79. struct selinux_avc {
  80. unsigned int avc_cache_threshold;
  81. struct avc_cache avc_cache;
  82. };
  83. static struct selinux_avc selinux_avc;
  84. void selinux_avc_init(void)
  85. {
  86. int i;
  87. selinux_avc.avc_cache_threshold = AVC_DEF_CACHE_THRESHOLD;
  88. for (i = 0; i < AVC_CACHE_SLOTS; i++) {
  89. INIT_HLIST_HEAD(&selinux_avc.avc_cache.slots[i]);
  90. spin_lock_init(&selinux_avc.avc_cache.slots_lock[i]);
  91. }
  92. atomic_set(&selinux_avc.avc_cache.active_nodes, 0);
  93. atomic_set(&selinux_avc.avc_cache.lru_hint, 0);
  94. }
  95. unsigned int avc_get_cache_threshold(void)
  96. {
  97. return selinux_avc.avc_cache_threshold;
  98. }
  99. void avc_set_cache_threshold(unsigned int cache_threshold)
  100. {
  101. selinux_avc.avc_cache_threshold = cache_threshold;
  102. }
  103. static struct avc_callback_node *avc_callbacks __ro_after_init;
  104. static struct kmem_cache *avc_node_cachep __ro_after_init;
  105. static struct kmem_cache *avc_xperms_data_cachep __ro_after_init;
  106. static struct kmem_cache *avc_xperms_decision_cachep __ro_after_init;
  107. static struct kmem_cache *avc_xperms_cachep __ro_after_init;
  108. static inline u32 avc_hash(u32 ssid, u32 tsid, u16 tclass)
  109. {
  110. return av_hash(ssid, tsid, (u32)tclass, (u32)(AVC_CACHE_SLOTS - 1));
  111. }
  112. /**
  113. * avc_init - Initialize the AVC.
  114. *
  115. * Initialize the access vector cache.
  116. */
  117. void __init avc_init(void)
  118. {
  119. avc_node_cachep = KMEM_CACHE(avc_node, SLAB_PANIC);
  120. avc_xperms_cachep = KMEM_CACHE(avc_xperms_node, SLAB_PANIC);
  121. avc_xperms_decision_cachep = KMEM_CACHE(avc_xperms_decision_node, SLAB_PANIC);
  122. avc_xperms_data_cachep = KMEM_CACHE(extended_perms_data, SLAB_PANIC);
  123. }
  124. int avc_get_hash_stats(char *page)
  125. {
  126. int i, chain_len, max_chain_len, slots_used;
  127. struct avc_node *node;
  128. struct hlist_head *head;
  129. rcu_read_lock();
  130. slots_used = 0;
  131. max_chain_len = 0;
  132. for (i = 0; i < AVC_CACHE_SLOTS; i++) {
  133. head = &selinux_avc.avc_cache.slots[i];
  134. if (!hlist_empty(head)) {
  135. slots_used++;
  136. chain_len = 0;
  137. hlist_for_each_entry_rcu(node, head, list)
  138. chain_len++;
  139. if (chain_len > max_chain_len)
  140. max_chain_len = chain_len;
  141. }
  142. }
  143. rcu_read_unlock();
  144. return scnprintf(page, PAGE_SIZE, "entries: %d\nbuckets used: %d/%d\n"
  145. "longest chain: %d\n",
  146. atomic_read(&selinux_avc.avc_cache.active_nodes),
  147. slots_used, AVC_CACHE_SLOTS, max_chain_len);
  148. }
  149. /*
  150. * using a linked list for extended_perms_decision lookup because the list is
  151. * always small. i.e. less than 5, typically 1
  152. */
  153. static struct extended_perms_decision *
  154. avc_xperms_decision_lookup(u8 driver, u8 base_perm,
  155. struct avc_xperms_node *xp_node)
  156. {
  157. struct avc_xperms_decision_node *xpd_node;
  158. list_for_each_entry(xpd_node, &xp_node->xpd_head, xpd_list) {
  159. if (xpd_node->xpd.driver == driver &&
  160. xpd_node->xpd.base_perm == base_perm)
  161. return &xpd_node->xpd;
  162. }
  163. return NULL;
  164. }
  165. static inline unsigned int
  166. avc_xperms_has_perm(struct extended_perms_decision *xpd,
  167. u8 perm, u8 which)
  168. {
  169. unsigned int rc = 0;
  170. if ((which == XPERMS_ALLOWED) &&
  171. (xpd->used & XPERMS_ALLOWED))
  172. rc = security_xperm_test(xpd->allowed->p, perm);
  173. else if ((which == XPERMS_AUDITALLOW) &&
  174. (xpd->used & XPERMS_AUDITALLOW))
  175. rc = security_xperm_test(xpd->auditallow->p, perm);
  176. else if ((which == XPERMS_DONTAUDIT) &&
  177. (xpd->used & XPERMS_DONTAUDIT))
  178. rc = security_xperm_test(xpd->dontaudit->p, perm);
  179. return rc;
  180. }
  181. static void avc_xperms_allow_perm(struct avc_xperms_node *xp_node,
  182. u8 driver, u8 base_perm, u8 perm)
  183. {
  184. struct extended_perms_decision *xpd;
  185. security_xperm_set(xp_node->xp.drivers.p, driver);
  186. xp_node->xp.base_perms |= base_perm;
  187. xpd = avc_xperms_decision_lookup(driver, base_perm, xp_node);
  188. if (xpd && xpd->allowed)
  189. security_xperm_set(xpd->allowed->p, perm);
  190. }
  191. static void avc_xperms_decision_free(struct avc_xperms_decision_node *xpd_node)
  192. {
  193. struct extended_perms_decision *xpd;
  194. xpd = &xpd_node->xpd;
  195. if (xpd->allowed)
  196. kmem_cache_free(avc_xperms_data_cachep, xpd->allowed);
  197. if (xpd->auditallow)
  198. kmem_cache_free(avc_xperms_data_cachep, xpd->auditallow);
  199. if (xpd->dontaudit)
  200. kmem_cache_free(avc_xperms_data_cachep, xpd->dontaudit);
  201. kmem_cache_free(avc_xperms_decision_cachep, xpd_node);
  202. }
  203. static void avc_xperms_free(struct avc_xperms_node *xp_node)
  204. {
  205. struct avc_xperms_decision_node *xpd_node, *tmp;
  206. if (!xp_node)
  207. return;
  208. list_for_each_entry_safe(xpd_node, tmp, &xp_node->xpd_head, xpd_list) {
  209. list_del(&xpd_node->xpd_list);
  210. avc_xperms_decision_free(xpd_node);
  211. }
  212. kmem_cache_free(avc_xperms_cachep, xp_node);
  213. }
  214. static void avc_copy_xperms_decision(struct extended_perms_decision *dest,
  215. struct extended_perms_decision *src)
  216. {
  217. dest->base_perm = src->base_perm;
  218. dest->driver = src->driver;
  219. dest->used = src->used;
  220. if (dest->used & XPERMS_ALLOWED)
  221. memcpy(dest->allowed->p, src->allowed->p,
  222. sizeof(src->allowed->p));
  223. if (dest->used & XPERMS_AUDITALLOW)
  224. memcpy(dest->auditallow->p, src->auditallow->p,
  225. sizeof(src->auditallow->p));
  226. if (dest->used & XPERMS_DONTAUDIT)
  227. memcpy(dest->dontaudit->p, src->dontaudit->p,
  228. sizeof(src->dontaudit->p));
  229. }
  230. /*
  231. * similar to avc_copy_xperms_decision, but only copy decision
  232. * information relevant to this perm
  233. */
  234. static inline void avc_quick_copy_xperms_decision(u8 perm,
  235. struct extended_perms_decision *dest,
  236. struct extended_perms_decision *src)
  237. {
  238. /*
  239. * compute index of the u32 of the 256 bits (8 u32s) that contain this
  240. * command permission
  241. */
  242. u8 i = perm >> 5;
  243. dest->base_perm = src->base_perm;
  244. dest->used = src->used;
  245. if (dest->used & XPERMS_ALLOWED)
  246. dest->allowed->p[i] = src->allowed->p[i];
  247. if (dest->used & XPERMS_AUDITALLOW)
  248. dest->auditallow->p[i] = src->auditallow->p[i];
  249. if (dest->used & XPERMS_DONTAUDIT)
  250. dest->dontaudit->p[i] = src->dontaudit->p[i];
  251. }
  252. static struct avc_xperms_decision_node
  253. *avc_xperms_decision_alloc(u8 which)
  254. {
  255. struct avc_xperms_decision_node *xpd_node;
  256. struct extended_perms_decision *xpd;
  257. xpd_node = kmem_cache_zalloc(avc_xperms_decision_cachep, GFP_NOWAIT);
  258. if (!xpd_node)
  259. return NULL;
  260. xpd = &xpd_node->xpd;
  261. if (which & XPERMS_ALLOWED) {
  262. xpd->allowed = kmem_cache_zalloc(avc_xperms_data_cachep,
  263. GFP_NOWAIT);
  264. if (!xpd->allowed)
  265. goto error;
  266. }
  267. if (which & XPERMS_AUDITALLOW) {
  268. xpd->auditallow = kmem_cache_zalloc(avc_xperms_data_cachep,
  269. GFP_NOWAIT);
  270. if (!xpd->auditallow)
  271. goto error;
  272. }
  273. if (which & XPERMS_DONTAUDIT) {
  274. xpd->dontaudit = kmem_cache_zalloc(avc_xperms_data_cachep,
  275. GFP_NOWAIT);
  276. if (!xpd->dontaudit)
  277. goto error;
  278. }
  279. return xpd_node;
  280. error:
  281. avc_xperms_decision_free(xpd_node);
  282. return NULL;
  283. }
  284. static int avc_add_xperms_decision(struct avc_node *node,
  285. struct extended_perms_decision *src)
  286. {
  287. struct avc_xperms_decision_node *dest_xpd;
  288. dest_xpd = avc_xperms_decision_alloc(src->used);
  289. if (!dest_xpd)
  290. return -ENOMEM;
  291. avc_copy_xperms_decision(&dest_xpd->xpd, src);
  292. list_add(&dest_xpd->xpd_list, &node->ae.xp_node->xpd_head);
  293. node->ae.xp_node->xp.len++;
  294. return 0;
  295. }
  296. static struct avc_xperms_node *avc_xperms_alloc(void)
  297. {
  298. struct avc_xperms_node *xp_node;
  299. xp_node = kmem_cache_zalloc(avc_xperms_cachep, GFP_NOWAIT);
  300. if (!xp_node)
  301. return xp_node;
  302. INIT_LIST_HEAD(&xp_node->xpd_head);
  303. return xp_node;
  304. }
  305. static int avc_xperms_populate(struct avc_node *node,
  306. struct avc_xperms_node *src)
  307. {
  308. struct avc_xperms_node *dest;
  309. struct avc_xperms_decision_node *dest_xpd;
  310. struct avc_xperms_decision_node *src_xpd;
  311. if (src->xp.len == 0)
  312. return 0;
  313. dest = avc_xperms_alloc();
  314. if (!dest)
  315. return -ENOMEM;
  316. memcpy(dest->xp.drivers.p, src->xp.drivers.p, sizeof(dest->xp.drivers.p));
  317. dest->xp.len = src->xp.len;
  318. dest->xp.base_perms = src->xp.base_perms;
  319. /* for each source xpd allocate a destination xpd and copy */
  320. list_for_each_entry(src_xpd, &src->xpd_head, xpd_list) {
  321. dest_xpd = avc_xperms_decision_alloc(src_xpd->xpd.used);
  322. if (!dest_xpd)
  323. goto error;
  324. avc_copy_xperms_decision(&dest_xpd->xpd, &src_xpd->xpd);
  325. list_add(&dest_xpd->xpd_list, &dest->xpd_head);
  326. }
  327. node->ae.xp_node = dest;
  328. return 0;
  329. error:
  330. avc_xperms_free(dest);
  331. return -ENOMEM;
  332. }
  333. static inline u32 avc_xperms_audit_required(u32 requested,
  334. struct av_decision *avd,
  335. struct extended_perms_decision *xpd,
  336. u8 perm,
  337. int result,
  338. u32 *deniedp)
  339. {
  340. u32 denied, audited;
  341. denied = requested & ~avd->allowed;
  342. if (unlikely(denied)) {
  343. audited = denied & avd->auditdeny;
  344. if (audited && xpd) {
  345. if (avc_xperms_has_perm(xpd, perm, XPERMS_DONTAUDIT))
  346. audited = 0;
  347. }
  348. } else if (result) {
  349. audited = denied = requested;
  350. } else {
  351. audited = requested & avd->auditallow;
  352. if (audited && xpd) {
  353. if (!avc_xperms_has_perm(xpd, perm, XPERMS_AUDITALLOW))
  354. audited = 0;
  355. }
  356. }
  357. *deniedp = denied;
  358. return audited;
  359. }
  360. static inline int avc_xperms_audit(u32 ssid, u32 tsid, u16 tclass,
  361. u32 requested, struct av_decision *avd,
  362. struct extended_perms_decision *xpd,
  363. u8 perm, int result,
  364. struct common_audit_data *ad)
  365. {
  366. u32 audited, denied;
  367. audited = avc_xperms_audit_required(
  368. requested, avd, xpd, perm, result, &denied);
  369. if (likely(!audited))
  370. return 0;
  371. return slow_avc_audit(ssid, tsid, tclass, requested,
  372. audited, denied, result, ad);
  373. }
  374. static void avc_node_free(struct rcu_head *rhead)
  375. {
  376. struct avc_node *node = container_of(rhead, struct avc_node, rhead);
  377. avc_xperms_free(node->ae.xp_node);
  378. kmem_cache_free(avc_node_cachep, node);
  379. avc_cache_stats_incr(frees);
  380. }
  381. static void avc_node_delete(struct avc_node *node)
  382. {
  383. hlist_del_rcu(&node->list);
  384. call_rcu(&node->rhead, avc_node_free);
  385. atomic_dec(&selinux_avc.avc_cache.active_nodes);
  386. }
  387. static void avc_node_kill(struct avc_node *node)
  388. {
  389. avc_xperms_free(node->ae.xp_node);
  390. kmem_cache_free(avc_node_cachep, node);
  391. avc_cache_stats_incr(frees);
  392. atomic_dec(&selinux_avc.avc_cache.active_nodes);
  393. }
  394. static void avc_node_replace(struct avc_node *new, struct avc_node *old)
  395. {
  396. hlist_replace_rcu(&old->list, &new->list);
  397. call_rcu(&old->rhead, avc_node_free);
  398. atomic_dec(&selinux_avc.avc_cache.active_nodes);
  399. }
  400. static inline int avc_reclaim_node(void)
  401. {
  402. struct avc_node *node;
  403. int hvalue, try, ecx;
  404. unsigned long flags;
  405. struct hlist_head *head;
  406. spinlock_t *lock;
  407. for (try = 0, ecx = 0; try < AVC_CACHE_SLOTS; try++) {
  408. hvalue = atomic_inc_return(&selinux_avc.avc_cache.lru_hint) &
  409. (AVC_CACHE_SLOTS - 1);
  410. head = &selinux_avc.avc_cache.slots[hvalue];
  411. lock = &selinux_avc.avc_cache.slots_lock[hvalue];
  412. if (!spin_trylock_irqsave(lock, flags))
  413. continue;
  414. rcu_read_lock();
  415. hlist_for_each_entry(node, head, list) {
  416. avc_node_delete(node);
  417. avc_cache_stats_incr(reclaims);
  418. ecx++;
  419. if (ecx >= AVC_CACHE_RECLAIM) {
  420. rcu_read_unlock();
  421. spin_unlock_irqrestore(lock, flags);
  422. goto out;
  423. }
  424. }
  425. rcu_read_unlock();
  426. spin_unlock_irqrestore(lock, flags);
  427. }
  428. out:
  429. return ecx;
  430. }
  431. static struct avc_node *avc_alloc_node(void)
  432. {
  433. struct avc_node *node;
  434. node = kmem_cache_zalloc(avc_node_cachep, GFP_NOWAIT);
  435. if (!node)
  436. goto out;
  437. INIT_HLIST_NODE(&node->list);
  438. avc_cache_stats_incr(allocations);
  439. if (atomic_inc_return(&selinux_avc.avc_cache.active_nodes) >
  440. selinux_avc.avc_cache_threshold)
  441. avc_reclaim_node();
  442. out:
  443. return node;
  444. }
  445. static void avc_node_populate(struct avc_node *node, u32 ssid, u32 tsid, u16 tclass, struct av_decision *avd)
  446. {
  447. node->ae.ssid = ssid;
  448. node->ae.tsid = tsid;
  449. node->ae.tclass = tclass;
  450. memcpy(&node->ae.avd, avd, sizeof(node->ae.avd));
  451. }
  452. static inline struct avc_node *avc_search_node(u32 ssid, u32 tsid, u16 tclass)
  453. {
  454. struct avc_node *node, *ret = NULL;
  455. u32 hvalue;
  456. struct hlist_head *head;
  457. hvalue = avc_hash(ssid, tsid, tclass);
  458. head = &selinux_avc.avc_cache.slots[hvalue];
  459. hlist_for_each_entry_rcu(node, head, list) {
  460. if (ssid == node->ae.ssid &&
  461. tclass == node->ae.tclass &&
  462. tsid == node->ae.tsid) {
  463. ret = node;
  464. break;
  465. }
  466. }
  467. return ret;
  468. }
  469. /**
  470. * avc_lookup - Look up an AVC entry.
  471. * @ssid: source security identifier
  472. * @tsid: target security identifier
  473. * @tclass: target security class
  474. *
  475. * Look up an AVC entry that is valid for the
  476. * (@ssid, @tsid), interpreting the permissions
  477. * based on @tclass. If a valid AVC entry exists,
  478. * then this function returns the avc_node.
  479. * Otherwise, this function returns NULL.
  480. */
  481. static struct avc_node *avc_lookup(u32 ssid, u32 tsid, u16 tclass)
  482. {
  483. struct avc_node *node;
  484. avc_cache_stats_incr(lookups);
  485. node = avc_search_node(ssid, tsid, tclass);
  486. if (node)
  487. return node;
  488. avc_cache_stats_incr(misses);
  489. return NULL;
  490. }
  491. static int avc_latest_notif_update(u32 seqno, int is_insert)
  492. {
  493. int ret = 0;
  494. static DEFINE_SPINLOCK(notif_lock);
  495. unsigned long flag;
  496. spin_lock_irqsave(&notif_lock, flag);
  497. if (is_insert) {
  498. if (seqno < selinux_avc.avc_cache.latest_notif) {
  499. pr_warn("SELinux: avc: seqno %d < latest_notif %d\n",
  500. seqno, selinux_avc.avc_cache.latest_notif);
  501. ret = -EAGAIN;
  502. }
  503. } else {
  504. if (seqno > selinux_avc.avc_cache.latest_notif)
  505. selinux_avc.avc_cache.latest_notif = seqno;
  506. }
  507. spin_unlock_irqrestore(&notif_lock, flag);
  508. return ret;
  509. }
  510. /**
  511. * avc_insert - Insert an AVC entry.
  512. * @ssid: source security identifier
  513. * @tsid: target security identifier
  514. * @tclass: target security class
  515. * @avd: resulting av decision
  516. * @xp_node: resulting extended permissions
  517. *
  518. * Insert an AVC entry for the SID pair
  519. * (@ssid, @tsid) and class @tclass.
  520. * The access vectors and the sequence number are
  521. * normally provided by the security server in
  522. * response to a security_compute_av() call. If the
  523. * sequence number @avd->seqno is not less than the latest
  524. * revocation notification, then the function copies
  525. * the access vectors into a cache entry.
  526. */
  527. static void avc_insert(u32 ssid, u32 tsid, u16 tclass,
  528. struct av_decision *avd, struct avc_xperms_node *xp_node)
  529. {
  530. struct avc_node *pos, *node = NULL;
  531. u32 hvalue;
  532. unsigned long flag;
  533. spinlock_t *lock;
  534. struct hlist_head *head;
  535. if (avc_latest_notif_update(avd->seqno, 1))
  536. return;
  537. node = avc_alloc_node();
  538. if (!node)
  539. return;
  540. avc_node_populate(node, ssid, tsid, tclass, avd);
  541. if (avc_xperms_populate(node, xp_node)) {
  542. avc_node_kill(node);
  543. return;
  544. }
  545. hvalue = avc_hash(ssid, tsid, tclass);
  546. head = &selinux_avc.avc_cache.slots[hvalue];
  547. lock = &selinux_avc.avc_cache.slots_lock[hvalue];
  548. spin_lock_irqsave(lock, flag);
  549. hlist_for_each_entry(pos, head, list) {
  550. if (pos->ae.ssid == ssid &&
  551. pos->ae.tsid == tsid &&
  552. pos->ae.tclass == tclass) {
  553. avc_node_replace(node, pos);
  554. goto found;
  555. }
  556. }
  557. hlist_add_head_rcu(&node->list, head);
  558. found:
  559. spin_unlock_irqrestore(lock, flag);
  560. }
  561. /**
  562. * avc_audit_pre_callback - SELinux specific information
  563. * will be called by generic audit code
  564. * @ab: the audit buffer
  565. * @a: audit_data
  566. */
  567. static void avc_audit_pre_callback(struct audit_buffer *ab, void *a)
  568. {
  569. struct common_audit_data *ad = a;
  570. struct selinux_audit_data *sad = ad->selinux_audit_data;
  571. u32 av = sad->audited, perm;
  572. const char *const *perms;
  573. u32 i;
  574. audit_log_format(ab, "avc: %s ", sad->denied ? "denied" : "granted");
  575. if (av == 0) {
  576. audit_log_format(ab, " null");
  577. return;
  578. }
  579. perms = secclass_map[sad->tclass-1].perms;
  580. audit_log_format(ab, " {");
  581. i = 0;
  582. perm = 1;
  583. while (i < (sizeof(av) * 8)) {
  584. if ((perm & av) && perms[i]) {
  585. audit_log_format(ab, " %s", perms[i]);
  586. av &= ~perm;
  587. }
  588. i++;
  589. perm <<= 1;
  590. }
  591. if (av)
  592. audit_log_format(ab, " 0x%x", av);
  593. audit_log_format(ab, " } for ");
  594. }
  595. /**
  596. * avc_audit_post_callback - SELinux specific information
  597. * will be called by generic audit code
  598. * @ab: the audit buffer
  599. * @a: audit_data
  600. */
  601. static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
  602. {
  603. struct common_audit_data *ad = a;
  604. struct selinux_audit_data *sad = ad->selinux_audit_data;
  605. char *scontext = NULL;
  606. char *tcontext = NULL;
  607. const char *tclass = NULL;
  608. u32 scontext_len;
  609. u32 tcontext_len;
  610. int rc;
  611. rc = security_sid_to_context(sad->ssid, &scontext,
  612. &scontext_len);
  613. if (rc)
  614. audit_log_format(ab, " ssid=%d", sad->ssid);
  615. else
  616. audit_log_format(ab, " scontext=%s", scontext);
  617. rc = security_sid_to_context(sad->tsid, &tcontext,
  618. &tcontext_len);
  619. if (rc)
  620. audit_log_format(ab, " tsid=%d", sad->tsid);
  621. else
  622. audit_log_format(ab, " tcontext=%s", tcontext);
  623. tclass = secclass_map[sad->tclass-1].name;
  624. audit_log_format(ab, " tclass=%s", tclass);
  625. if (sad->denied)
  626. audit_log_format(ab, " permissive=%u", sad->result ? 0 : 1);
  627. trace_selinux_audited(sad, scontext, tcontext, tclass);
  628. kfree(tcontext);
  629. kfree(scontext);
  630. /* in case of invalid context report also the actual context string */
  631. rc = security_sid_to_context_inval(sad->ssid, &scontext,
  632. &scontext_len);
  633. if (!rc && scontext) {
  634. if (scontext_len && scontext[scontext_len - 1] == '\0')
  635. scontext_len--;
  636. audit_log_format(ab, " srawcon=");
  637. audit_log_n_untrustedstring(ab, scontext, scontext_len);
  638. kfree(scontext);
  639. }
  640. rc = security_sid_to_context_inval(sad->tsid, &scontext,
  641. &scontext_len);
  642. if (!rc && scontext) {
  643. if (scontext_len && scontext[scontext_len - 1] == '\0')
  644. scontext_len--;
  645. audit_log_format(ab, " trawcon=");
  646. audit_log_n_untrustedstring(ab, scontext, scontext_len);
  647. kfree(scontext);
  648. }
  649. }
  650. /*
  651. * This is the slow part of avc audit with big stack footprint.
  652. * Note that it is non-blocking and can be called from under
  653. * rcu_read_lock().
  654. */
  655. noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass,
  656. u32 requested, u32 audited, u32 denied, int result,
  657. struct common_audit_data *a)
  658. {
  659. struct common_audit_data stack_data;
  660. struct selinux_audit_data sad;
  661. if (WARN_ON(!tclass || tclass >= ARRAY_SIZE(secclass_map)))
  662. return -EINVAL;
  663. if (!a) {
  664. a = &stack_data;
  665. a->type = LSM_AUDIT_DATA_NONE;
  666. }
  667. sad.tclass = tclass;
  668. sad.requested = requested;
  669. sad.ssid = ssid;
  670. sad.tsid = tsid;
  671. sad.audited = audited;
  672. sad.denied = denied;
  673. sad.result = result;
  674. a->selinux_audit_data = &sad;
  675. common_lsm_audit(a, avc_audit_pre_callback, avc_audit_post_callback);
  676. return 0;
  677. }
  678. /**
  679. * avc_add_callback - Register a callback for security events.
  680. * @callback: callback function
  681. * @events: security events
  682. *
  683. * Register a callback function for events in the set @events.
  684. * Returns %0 on success or -%ENOMEM if insufficient memory
  685. * exists to add the callback.
  686. */
  687. int __init avc_add_callback(int (*callback)(u32 event), u32 events)
  688. {
  689. struct avc_callback_node *c;
  690. int rc = 0;
  691. c = kmalloc_obj(*c);
  692. if (!c) {
  693. rc = -ENOMEM;
  694. goto out;
  695. }
  696. c->callback = callback;
  697. c->events = events;
  698. c->next = avc_callbacks;
  699. avc_callbacks = c;
  700. out:
  701. return rc;
  702. }
  703. /**
  704. * avc_update_node - Update an AVC entry
  705. * @event : Updating event
  706. * @perms : Permission mask bits
  707. * @driver: xperm driver information
  708. * @base_perm: the base permission associated with the extended permission
  709. * @xperm: xperm permissions
  710. * @ssid: AVC entry source sid
  711. * @tsid: AVC entry target sid
  712. * @tclass : AVC entry target object class
  713. * @seqno : sequence number when decision was made
  714. * @xpd: extended_perms_decision to be added to the node
  715. * @flags: the AVC_* flags, e.g. AVC_EXTENDED_PERMS, or 0.
  716. *
  717. * if a valid AVC entry doesn't exist,this function returns -ENOENT.
  718. * if kmalloc() called internal returns NULL, this function returns -ENOMEM.
  719. * otherwise, this function updates the AVC entry. The original AVC-entry object
  720. * will release later by RCU.
  721. */
  722. static int avc_update_node(u32 event, u32 perms, u8 driver, u8 base_perm,
  723. u8 xperm, u32 ssid, u32 tsid, u16 tclass, u32 seqno,
  724. struct extended_perms_decision *xpd, u32 flags)
  725. {
  726. u32 hvalue;
  727. int rc = 0;
  728. unsigned long flag;
  729. struct avc_node *pos, *node, *orig = NULL;
  730. struct hlist_head *head;
  731. spinlock_t *lock;
  732. node = avc_alloc_node();
  733. if (!node) {
  734. rc = -ENOMEM;
  735. goto out;
  736. }
  737. /* Lock the target slot */
  738. hvalue = avc_hash(ssid, tsid, tclass);
  739. head = &selinux_avc.avc_cache.slots[hvalue];
  740. lock = &selinux_avc.avc_cache.slots_lock[hvalue];
  741. spin_lock_irqsave(lock, flag);
  742. hlist_for_each_entry(pos, head, list) {
  743. if (ssid == pos->ae.ssid &&
  744. tsid == pos->ae.tsid &&
  745. tclass == pos->ae.tclass &&
  746. seqno == pos->ae.avd.seqno){
  747. orig = pos;
  748. break;
  749. }
  750. }
  751. if (!orig) {
  752. rc = -ENOENT;
  753. avc_node_kill(node);
  754. goto out_unlock;
  755. }
  756. /*
  757. * Copy and replace original node.
  758. */
  759. avc_node_populate(node, ssid, tsid, tclass, &orig->ae.avd);
  760. if (orig->ae.xp_node) {
  761. rc = avc_xperms_populate(node, orig->ae.xp_node);
  762. if (rc) {
  763. avc_node_kill(node);
  764. goto out_unlock;
  765. }
  766. }
  767. switch (event) {
  768. case AVC_CALLBACK_GRANT:
  769. node->ae.avd.allowed |= perms;
  770. if (node->ae.xp_node && (flags & AVC_EXTENDED_PERMS))
  771. avc_xperms_allow_perm(node->ae.xp_node, driver, base_perm, xperm);
  772. break;
  773. case AVC_CALLBACK_TRY_REVOKE:
  774. case AVC_CALLBACK_REVOKE:
  775. node->ae.avd.allowed &= ~perms;
  776. break;
  777. case AVC_CALLBACK_AUDITALLOW_ENABLE:
  778. node->ae.avd.auditallow |= perms;
  779. break;
  780. case AVC_CALLBACK_AUDITALLOW_DISABLE:
  781. node->ae.avd.auditallow &= ~perms;
  782. break;
  783. case AVC_CALLBACK_AUDITDENY_ENABLE:
  784. node->ae.avd.auditdeny |= perms;
  785. break;
  786. case AVC_CALLBACK_AUDITDENY_DISABLE:
  787. node->ae.avd.auditdeny &= ~perms;
  788. break;
  789. case AVC_CALLBACK_ADD_XPERMS:
  790. rc = avc_add_xperms_decision(node, xpd);
  791. if (rc) {
  792. avc_node_kill(node);
  793. goto out_unlock;
  794. }
  795. break;
  796. }
  797. avc_node_replace(node, orig);
  798. out_unlock:
  799. spin_unlock_irqrestore(lock, flag);
  800. out:
  801. return rc;
  802. }
  803. /**
  804. * avc_flush - Flush the cache
  805. */
  806. static void avc_flush(void)
  807. {
  808. struct hlist_head *head;
  809. struct avc_node *node;
  810. spinlock_t *lock;
  811. unsigned long flag;
  812. int i;
  813. for (i = 0; i < AVC_CACHE_SLOTS; i++) {
  814. head = &selinux_avc.avc_cache.slots[i];
  815. lock = &selinux_avc.avc_cache.slots_lock[i];
  816. spin_lock_irqsave(lock, flag);
  817. /*
  818. * With preemptible RCU, the outer spinlock does not
  819. * prevent RCU grace periods from ending.
  820. */
  821. rcu_read_lock();
  822. hlist_for_each_entry(node, head, list)
  823. avc_node_delete(node);
  824. rcu_read_unlock();
  825. spin_unlock_irqrestore(lock, flag);
  826. }
  827. }
  828. /**
  829. * avc_ss_reset - Flush the cache and revalidate migrated permissions.
  830. * @seqno: policy sequence number
  831. */
  832. int avc_ss_reset(u32 seqno)
  833. {
  834. struct avc_callback_node *c;
  835. int rc = 0, tmprc;
  836. avc_flush();
  837. for (c = avc_callbacks; c; c = c->next) {
  838. if (c->events & AVC_CALLBACK_RESET) {
  839. tmprc = c->callback(AVC_CALLBACK_RESET);
  840. /* save the first error encountered for the return
  841. value and continue processing the callbacks */
  842. if (!rc)
  843. rc = tmprc;
  844. }
  845. }
  846. avc_latest_notif_update(seqno, 0);
  847. return rc;
  848. }
  849. /**
  850. * avc_compute_av - Add an entry to the AVC based on the security policy
  851. * @ssid: subject
  852. * @tsid: object/target
  853. * @tclass: object class
  854. * @avd: access vector decision
  855. * @xp_node: AVC extended permissions node
  856. *
  857. * Slow-path helper function for avc_has_perm_noaudit, when the avc_node lookup
  858. * fails. Don't inline this, since it's the slow-path and just results in a
  859. * bigger stack frame.
  860. */
  861. static noinline void avc_compute_av(u32 ssid, u32 tsid, u16 tclass,
  862. struct av_decision *avd,
  863. struct avc_xperms_node *xp_node)
  864. {
  865. INIT_LIST_HEAD(&xp_node->xpd_head);
  866. security_compute_av(ssid, tsid, tclass, avd, &xp_node->xp);
  867. avc_insert(ssid, tsid, tclass, avd, xp_node);
  868. }
  869. static noinline int avc_denied(u32 ssid, u32 tsid, u16 tclass, u32 requested,
  870. u8 driver, u8 base_perm, u8 xperm,
  871. unsigned int flags, struct av_decision *avd)
  872. {
  873. if (flags & AVC_STRICT)
  874. return -EACCES;
  875. if (enforcing_enabled() &&
  876. !(avd->flags & AVD_FLAGS_PERMISSIVE))
  877. return -EACCES;
  878. avc_update_node(AVC_CALLBACK_GRANT, requested, driver, base_perm,
  879. xperm, ssid, tsid, tclass, avd->seqno, NULL, flags);
  880. return 0;
  881. }
  882. /*
  883. * The avc extended permissions logic adds an additional 256 bits of
  884. * permissions to an avc node when extended permissions for that node are
  885. * specified in the avtab. If the additional 256 permissions is not adequate,
  886. * as-is the case with ioctls, then multiple may be chained together and the
  887. * driver field is used to specify which set contains the permission.
  888. */
  889. int avc_has_extended_perms(u32 ssid, u32 tsid, u16 tclass, u32 requested,
  890. u8 driver, u8 base_perm, u8 xperm,
  891. struct common_audit_data *ad)
  892. {
  893. struct avc_node *node;
  894. struct av_decision avd;
  895. u32 denied;
  896. struct extended_perms_decision local_xpd;
  897. struct extended_perms_decision *xpd = NULL;
  898. struct extended_perms_data allowed;
  899. struct extended_perms_data auditallow;
  900. struct extended_perms_data dontaudit;
  901. struct avc_xperms_node local_xp_node;
  902. struct avc_xperms_node *xp_node;
  903. int rc = 0, rc2;
  904. xp_node = &local_xp_node;
  905. if (WARN_ON(!requested))
  906. return -EACCES;
  907. rcu_read_lock();
  908. node = avc_lookup(ssid, tsid, tclass);
  909. if (unlikely(!node)) {
  910. avc_compute_av(ssid, tsid, tclass, &avd, xp_node);
  911. } else {
  912. memcpy(&avd, &node->ae.avd, sizeof(avd));
  913. xp_node = node->ae.xp_node;
  914. }
  915. /* if extended permissions are not defined, only consider av_decision */
  916. if (!xp_node || !xp_node->xp.len)
  917. goto decision;
  918. local_xpd.allowed = &allowed;
  919. local_xpd.auditallow = &auditallow;
  920. local_xpd.dontaudit = &dontaudit;
  921. xpd = avc_xperms_decision_lookup(driver, base_perm, xp_node);
  922. if (unlikely(!xpd)) {
  923. /*
  924. * Compute the extended_perms_decision only if the driver
  925. * is flagged and the base permission is known.
  926. */
  927. if (!security_xperm_test(xp_node->xp.drivers.p, driver) ||
  928. !(xp_node->xp.base_perms & base_perm)) {
  929. avd.allowed &= ~requested;
  930. goto decision;
  931. }
  932. rcu_read_unlock();
  933. security_compute_xperms_decision(ssid, tsid, tclass, driver,
  934. base_perm, &local_xpd);
  935. rcu_read_lock();
  936. avc_update_node(AVC_CALLBACK_ADD_XPERMS, requested, driver,
  937. base_perm, xperm, ssid, tsid, tclass, avd.seqno,
  938. &local_xpd, 0);
  939. } else {
  940. avc_quick_copy_xperms_decision(xperm, &local_xpd, xpd);
  941. }
  942. xpd = &local_xpd;
  943. if (!avc_xperms_has_perm(xpd, xperm, XPERMS_ALLOWED))
  944. avd.allowed &= ~requested;
  945. decision:
  946. denied = requested & ~(avd.allowed);
  947. if (unlikely(denied))
  948. rc = avc_denied(ssid, tsid, tclass, requested, driver,
  949. base_perm, xperm, AVC_EXTENDED_PERMS, &avd);
  950. rcu_read_unlock();
  951. rc2 = avc_xperms_audit(ssid, tsid, tclass, requested,
  952. &avd, xpd, xperm, rc, ad);
  953. if (rc2)
  954. return rc2;
  955. return rc;
  956. }
  957. /**
  958. * avc_perm_nonode - Add an entry to the AVC
  959. * @ssid: subject
  960. * @tsid: object/target
  961. * @tclass: object class
  962. * @requested: requested permissions
  963. * @flags: AVC flags
  964. * @avd: access vector decision
  965. *
  966. * This is the "we have no node" part of avc_has_perm_noaudit(), which is
  967. * unlikely and needs extra stack space for the new node that we generate, so
  968. * don't inline it.
  969. */
  970. static noinline int avc_perm_nonode(u32 ssid, u32 tsid, u16 tclass,
  971. u32 requested, unsigned int flags,
  972. struct av_decision *avd)
  973. {
  974. u32 denied;
  975. struct avc_xperms_node xp_node;
  976. avc_compute_av(ssid, tsid, tclass, avd, &xp_node);
  977. denied = requested & ~(avd->allowed);
  978. if (unlikely(denied))
  979. return avc_denied(ssid, tsid, tclass, requested, 0, 0, 0,
  980. flags, avd);
  981. return 0;
  982. }
  983. /**
  984. * avc_has_perm_noaudit - Check permissions but perform no auditing.
  985. * @ssid: source security identifier
  986. * @tsid: target security identifier
  987. * @tclass: target security class
  988. * @requested: requested permissions, interpreted based on @tclass
  989. * @flags: AVC_STRICT or 0
  990. * @avd: access vector decisions
  991. *
  992. * Check the AVC to determine whether the @requested permissions are granted
  993. * for the SID pair (@ssid, @tsid), interpreting the permissions
  994. * based on @tclass, and call the security server on a cache miss to obtain
  995. * a new decision and add it to the cache. Return a copy of the decisions
  996. * in @avd. Return %0 if all @requested permissions are granted,
  997. * -%EACCES if any permissions are denied, or another -errno upon
  998. * other errors. This function is typically called by avc_has_perm(),
  999. * but may also be called directly to separate permission checking from
  1000. * auditing, e.g. in cases where a lock must be held for the check but
  1001. * should be released for the auditing.
  1002. */
  1003. inline int avc_has_perm_noaudit(u32 ssid, u32 tsid,
  1004. u16 tclass, u32 requested,
  1005. unsigned int flags,
  1006. struct av_decision *avd)
  1007. {
  1008. u32 denied;
  1009. struct avc_node *node;
  1010. if (WARN_ON(!requested))
  1011. return -EACCES;
  1012. rcu_read_lock();
  1013. node = avc_lookup(ssid, tsid, tclass);
  1014. if (unlikely(!node)) {
  1015. rcu_read_unlock();
  1016. return avc_perm_nonode(ssid, tsid, tclass, requested,
  1017. flags, avd);
  1018. }
  1019. denied = requested & ~node->ae.avd.allowed;
  1020. memcpy(avd, &node->ae.avd, sizeof(*avd));
  1021. rcu_read_unlock();
  1022. if (unlikely(denied))
  1023. return avc_denied(ssid, tsid, tclass, requested, 0, 0, 0,
  1024. flags, avd);
  1025. return 0;
  1026. }
  1027. /**
  1028. * avc_has_perm - Check permissions and perform any appropriate auditing.
  1029. * @ssid: source security identifier
  1030. * @tsid: target security identifier
  1031. * @tclass: target security class
  1032. * @requested: requested permissions, interpreted based on @tclass
  1033. * @auditdata: auxiliary audit data
  1034. *
  1035. * Check the AVC to determine whether the @requested permissions are granted
  1036. * for the SID pair (@ssid, @tsid), interpreting the permissions
  1037. * based on @tclass, and call the security server on a cache miss to obtain
  1038. * a new decision and add it to the cache. Audit the granting or denial of
  1039. * permissions in accordance with the policy. Return %0 if all @requested
  1040. * permissions are granted, -%EACCES if any permissions are denied, or
  1041. * another -errno upon other errors.
  1042. */
  1043. int avc_has_perm(u32 ssid, u32 tsid, u16 tclass,
  1044. u32 requested, struct common_audit_data *auditdata)
  1045. {
  1046. struct av_decision avd;
  1047. int rc, rc2;
  1048. rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0,
  1049. &avd);
  1050. rc2 = avc_audit(ssid, tsid, tclass, requested, &avd, rc,
  1051. auditdata);
  1052. if (rc2)
  1053. return rc2;
  1054. return rc;
  1055. }
  1056. u32 avc_policy_seqno(void)
  1057. {
  1058. return selinux_avc.avc_cache.latest_notif;
  1059. }