Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | /* |
2 | * Implementation of the kernel access vector cache (AVC). | |
3 | * | |
4 | * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> | |
95fff33b | 5 | * James Morris <jmorris@redhat.com> |
1da177e4 LT |
6 | * |
7 | * Update: KaiGai, Kohei <kaigai@ak.jp.nec.com> | |
95fff33b | 8 | * Replaced the avc_lock spinlock by RCU. |
1da177e4 LT |
9 | * |
10 | * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> | |
11 | * | |
12 | * This program is free software; you can redistribute it and/or modify | |
13 | * it under the terms of the GNU General Public License version 2, | |
95fff33b | 14 | * as published by the Free Software Foundation. |
1da177e4 LT |
15 | */ |
16 | #include <linux/types.h> | |
17 | #include <linux/stddef.h> | |
18 | #include <linux/kernel.h> | |
19 | #include <linux/slab.h> | |
20 | #include <linux/fs.h> | |
21 | #include <linux/dcache.h> | |
22 | #include <linux/init.h> | |
23 | #include <linux/skbuff.h> | |
24 | #include <linux/percpu.h> | |
25 | #include <net/sock.h> | |
26 | #include <linux/un.h> | |
27 | #include <net/af_unix.h> | |
28 | #include <linux/ip.h> | |
29 | #include <linux/audit.h> | |
30 | #include <linux/ipv6.h> | |
31 | #include <net/ipv6.h> | |
32 | #include "avc.h" | |
33 | #include "avc_ss.h" | |
34 | ||
5c458998 | 35 | static const struct av_perm_to_string av_perm_to_string[] = { |
1da177e4 LT |
36 | #define S_(c, v, s) { c, v, s }, |
37 | #include "av_perm_to_string.h" | |
38 | #undef S_ | |
39 | }; | |
40 | ||
1da177e4 LT |
41 | static const char *class_to_string[] = { |
42 | #define S_(s) s, | |
43 | #include "class_to_string.h" | |
44 | #undef S_ | |
45 | }; | |
1da177e4 | 46 | |
95fff33b | 47 | #define TB_(s) static const char *s[] = { |
1da177e4 LT |
48 | #define TE_(s) }; |
49 | #define S_(s) s, | |
50 | #include "common_perm_to_string.h" | |
51 | #undef TB_ | |
52 | #undef TE_ | |
53 | #undef S_ | |
54 | ||
5c458998 | 55 | static const struct av_inherit av_inherit[] = { |
76f7ba35 EP |
56 | #define S_(c, i, b) { .tclass = c,\ |
57 | .common_pts = common_##i##_perm_to_string,\ | |
58 | .common_base = b }, | |
1da177e4 LT |
59 | #include "av_inherit.h" |
60 | #undef S_ | |
61 | }; | |
62 | ||
5c458998 | 63 | const struct selinux_class_perm selinux_class_perm = { |
76f7ba35 EP |
64 | .av_perm_to_string = av_perm_to_string, |
65 | .av_pts_len = ARRAY_SIZE(av_perm_to_string), | |
66 | .class_to_string = class_to_string, | |
67 | .cts_len = ARRAY_SIZE(class_to_string), | |
68 | .av_inherit = av_inherit, | |
69 | .av_inherit_len = ARRAY_SIZE(av_inherit) | |
5c458998 CS |
70 | }; |
71 | ||
1da177e4 LT |
72 | #define AVC_CACHE_SLOTS 512 |
73 | #define AVC_DEF_CACHE_THRESHOLD 512 | |
74 | #define AVC_CACHE_RECLAIM 16 | |
75 | ||
76 | #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS | |
95fff33b | 77 | #define avc_cache_stats_incr(field) \ |
1da177e4 LT |
78 | do { \ |
79 | per_cpu(avc_cache_stats, get_cpu()).field++; \ | |
80 | put_cpu(); \ | |
81 | } while (0) | |
82 | #else | |
83 | #define avc_cache_stats_incr(field) do {} while (0) | |
84 | #endif | |
85 | ||
86 | struct avc_entry { | |
87 | u32 ssid; | |
88 | u32 tsid; | |
89 | u16 tclass; | |
90 | struct av_decision avd; | |
1da177e4 LT |
91 | }; |
92 | ||
93 | struct avc_node { | |
94 | struct avc_entry ae; | |
26036651 | 95 | struct hlist_node list; /* anchored in avc_cache->slots[i] */ |
95fff33b | 96 | struct rcu_head rhead; |
1da177e4 LT |
97 | }; |
98 | ||
99 | struct avc_cache { | |
26036651 | 100 | struct hlist_head slots[AVC_CACHE_SLOTS]; /* head for avc_node->list */ |
1da177e4 LT |
101 | spinlock_t slots_lock[AVC_CACHE_SLOTS]; /* lock for writes */ |
102 | atomic_t lru_hint; /* LRU hint for reclaim scan */ | |
103 | atomic_t active_nodes; | |
104 | u32 latest_notif; /* latest revocation notification */ | |
105 | }; | |
106 | ||
107 | struct avc_callback_node { | |
108 | int (*callback) (u32 event, u32 ssid, u32 tsid, | |
95fff33b EP |
109 | u16 tclass, u32 perms, |
110 | u32 *out_retained); | |
1da177e4 LT |
111 | u32 events; |
112 | u32 ssid; | |
113 | u32 tsid; | |
114 | u16 tclass; | |
115 | u32 perms; | |
116 | struct avc_callback_node *next; | |
117 | }; | |
118 | ||
119 | /* Exported via selinufs */ | |
120 | unsigned int avc_cache_threshold = AVC_DEF_CACHE_THRESHOLD; | |
121 | ||
122 | #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS | |
123 | DEFINE_PER_CPU(struct avc_cache_stats, avc_cache_stats) = { 0 }; | |
124 | #endif | |
125 | ||
126 | static struct avc_cache avc_cache; | |
127 | static struct avc_callback_node *avc_callbacks; | |
e18b890b | 128 | static struct kmem_cache *avc_node_cachep; |
1da177e4 LT |
129 | |
130 | static inline int avc_hash(u32 ssid, u32 tsid, u16 tclass) | |
131 | { | |
132 | return (ssid ^ (tsid<<2) ^ (tclass<<4)) & (AVC_CACHE_SLOTS - 1); | |
133 | } | |
134 | ||
135 | /** | |
136 | * avc_dump_av - Display an access vector in human-readable form. | |
137 | * @tclass: target security class | |
138 | * @av: access vector | |
139 | */ | |
44c2d9bd | 140 | static void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av) |
1da177e4 LT |
141 | { |
142 | const char **common_pts = NULL; | |
143 | u32 common_base = 0; | |
144 | int i, i2, perm; | |
145 | ||
146 | if (av == 0) { | |
147 | audit_log_format(ab, " null"); | |
148 | return; | |
149 | } | |
150 | ||
151 | for (i = 0; i < ARRAY_SIZE(av_inherit); i++) { | |
152 | if (av_inherit[i].tclass == tclass) { | |
153 | common_pts = av_inherit[i].common_pts; | |
154 | common_base = av_inherit[i].common_base; | |
155 | break; | |
156 | } | |
157 | } | |
158 | ||
159 | audit_log_format(ab, " {"); | |
160 | i = 0; | |
161 | perm = 1; | |
162 | while (perm < common_base) { | |
163 | if (perm & av) { | |
164 | audit_log_format(ab, " %s", common_pts[i]); | |
165 | av &= ~perm; | |
166 | } | |
167 | i++; | |
168 | perm <<= 1; | |
169 | } | |
170 | ||
171 | while (i < sizeof(av) * 8) { | |
172 | if (perm & av) { | |
173 | for (i2 = 0; i2 < ARRAY_SIZE(av_perm_to_string); i2++) { | |
174 | if ((av_perm_to_string[i2].tclass == tclass) && | |
175 | (av_perm_to_string[i2].value == perm)) | |
176 | break; | |
177 | } | |
178 | if (i2 < ARRAY_SIZE(av_perm_to_string)) { | |
179 | audit_log_format(ab, " %s", | |
180 | av_perm_to_string[i2].name); | |
181 | av &= ~perm; | |
182 | } | |
183 | } | |
184 | i++; | |
185 | perm <<= 1; | |
186 | } | |
187 | ||
188 | if (av) | |
189 | audit_log_format(ab, " 0x%x", av); | |
190 | ||
191 | audit_log_format(ab, " }"); | |
192 | } | |
193 | ||
194 | /** | |
195 | * avc_dump_query - Display a SID pair and a class in human-readable form. | |
196 | * @ssid: source security identifier | |
197 | * @tsid: target security identifier | |
198 | * @tclass: target security class | |
199 | */ | |
200 | static void avc_dump_query(struct audit_buffer *ab, u32 ssid, u32 tsid, u16 tclass) | |
201 | { | |
202 | int rc; | |
203 | char *scontext; | |
204 | u32 scontext_len; | |
205 | ||
95fff33b | 206 | rc = security_sid_to_context(ssid, &scontext, &scontext_len); |
1da177e4 LT |
207 | if (rc) |
208 | audit_log_format(ab, "ssid=%d", ssid); | |
209 | else { | |
210 | audit_log_format(ab, "scontext=%s", scontext); | |
211 | kfree(scontext); | |
212 | } | |
213 | ||
214 | rc = security_sid_to_context(tsid, &scontext, &scontext_len); | |
215 | if (rc) | |
216 | audit_log_format(ab, " tsid=%d", tsid); | |
217 | else { | |
218 | audit_log_format(ab, " tcontext=%s", scontext); | |
219 | kfree(scontext); | |
220 | } | |
a764ae4b SS |
221 | |
222 | BUG_ON(tclass >= ARRAY_SIZE(class_to_string) || !class_to_string[tclass]); | |
1da177e4 LT |
223 | audit_log_format(ab, " tclass=%s", class_to_string[tclass]); |
224 | } | |
225 | ||
226 | /** | |
227 | * avc_init - Initialize the AVC. | |
228 | * | |
229 | * Initialize the access vector cache. | |
230 | */ | |
231 | void __init avc_init(void) | |
232 | { | |
233 | int i; | |
234 | ||
235 | for (i = 0; i < AVC_CACHE_SLOTS; i++) { | |
26036651 | 236 | INIT_HLIST_HEAD(&avc_cache.slots[i]); |
1da177e4 LT |
237 | spin_lock_init(&avc_cache.slots_lock[i]); |
238 | } | |
239 | atomic_set(&avc_cache.active_nodes, 0); | |
240 | atomic_set(&avc_cache.lru_hint, 0); | |
241 | ||
242 | avc_node_cachep = kmem_cache_create("avc_node", sizeof(struct avc_node), | |
20c2df83 | 243 | 0, SLAB_PANIC, NULL); |
1da177e4 | 244 | |
9ad9ad38 | 245 | audit_log(current->audit_context, GFP_KERNEL, AUDIT_KERNEL, "AVC INITIALIZED\n"); |
1da177e4 LT |
246 | } |
247 | ||
248 | int avc_get_hash_stats(char *page) | |
249 | { | |
250 | int i, chain_len, max_chain_len, slots_used; | |
251 | struct avc_node *node; | |
26036651 | 252 | struct hlist_head *head; |
1da177e4 LT |
253 | |
254 | rcu_read_lock(); | |
255 | ||
256 | slots_used = 0; | |
257 | max_chain_len = 0; | |
258 | for (i = 0; i < AVC_CACHE_SLOTS; i++) { | |
edf3d1ae | 259 | head = &avc_cache.slots[i]; |
26036651 EP |
260 | if (!hlist_empty(head)) { |
261 | struct hlist_node *next; | |
262 | ||
1da177e4 LT |
263 | slots_used++; |
264 | chain_len = 0; | |
26036651 | 265 | hlist_for_each_entry_rcu(node, next, head, list) |
1da177e4 LT |
266 | chain_len++; |
267 | if (chain_len > max_chain_len) | |
268 | max_chain_len = chain_len; | |
269 | } | |
270 | } | |
271 | ||
272 | rcu_read_unlock(); | |
273 | ||
274 | return scnprintf(page, PAGE_SIZE, "entries: %d\nbuckets used: %d/%d\n" | |
275 | "longest chain: %d\n", | |
276 | atomic_read(&avc_cache.active_nodes), | |
277 | slots_used, AVC_CACHE_SLOTS, max_chain_len); | |
278 | } | |
279 | ||
280 | static void avc_node_free(struct rcu_head *rhead) | |
281 | { | |
282 | struct avc_node *node = container_of(rhead, struct avc_node, rhead); | |
283 | kmem_cache_free(avc_node_cachep, node); | |
284 | avc_cache_stats_incr(frees); | |
285 | } | |
286 | ||
287 | static void avc_node_delete(struct avc_node *node) | |
288 | { | |
26036651 | 289 | hlist_del_rcu(&node->list); |
1da177e4 LT |
290 | call_rcu(&node->rhead, avc_node_free); |
291 | atomic_dec(&avc_cache.active_nodes); | |
292 | } | |
293 | ||
294 | static void avc_node_kill(struct avc_node *node) | |
295 | { | |
296 | kmem_cache_free(avc_node_cachep, node); | |
297 | avc_cache_stats_incr(frees); | |
298 | atomic_dec(&avc_cache.active_nodes); | |
299 | } | |
300 | ||
301 | static void avc_node_replace(struct avc_node *new, struct avc_node *old) | |
302 | { | |
26036651 | 303 | hlist_replace_rcu(&old->list, &new->list); |
1da177e4 LT |
304 | call_rcu(&old->rhead, avc_node_free); |
305 | atomic_dec(&avc_cache.active_nodes); | |
306 | } | |
307 | ||
308 | static inline int avc_reclaim_node(void) | |
309 | { | |
310 | struct avc_node *node; | |
311 | int hvalue, try, ecx; | |
312 | unsigned long flags; | |
26036651 EP |
313 | struct hlist_head *head; |
314 | struct hlist_node *next; | |
edf3d1ae | 315 | spinlock_t *lock; |
1da177e4 | 316 | |
95fff33b | 317 | for (try = 0, ecx = 0; try < AVC_CACHE_SLOTS; try++) { |
1da177e4 | 318 | hvalue = atomic_inc_return(&avc_cache.lru_hint) & (AVC_CACHE_SLOTS - 1); |
edf3d1ae EP |
319 | head = &avc_cache.slots[hvalue]; |
320 | lock = &avc_cache.slots_lock[hvalue]; | |
1da177e4 | 321 | |
edf3d1ae | 322 | if (!spin_trylock_irqsave(lock, flags)) |
1da177e4 LT |
323 | continue; |
324 | ||
61844250 | 325 | rcu_read_lock(); |
26036651 | 326 | hlist_for_each_entry(node, next, head, list) { |
906d27d9 EP |
327 | avc_node_delete(node); |
328 | avc_cache_stats_incr(reclaims); | |
329 | ecx++; | |
330 | if (ecx >= AVC_CACHE_RECLAIM) { | |
331 | rcu_read_unlock(); | |
edf3d1ae | 332 | spin_unlock_irqrestore(lock, flags); |
906d27d9 | 333 | goto out; |
1da177e4 LT |
334 | } |
335 | } | |
61844250 | 336 | rcu_read_unlock(); |
edf3d1ae | 337 | spin_unlock_irqrestore(lock, flags); |
1da177e4 LT |
338 | } |
339 | out: | |
340 | return ecx; | |
341 | } | |
342 | ||
343 | static struct avc_node *avc_alloc_node(void) | |
344 | { | |
345 | struct avc_node *node; | |
346 | ||
c3762229 | 347 | node = kmem_cache_zalloc(avc_node_cachep, GFP_ATOMIC); |
1da177e4 LT |
348 | if (!node) |
349 | goto out; | |
350 | ||
1da177e4 | 351 | INIT_RCU_HEAD(&node->rhead); |
26036651 | 352 | INIT_HLIST_NODE(&node->list); |
1da177e4 LT |
353 | avc_cache_stats_incr(allocations); |
354 | ||
355 | if (atomic_inc_return(&avc_cache.active_nodes) > avc_cache_threshold) | |
356 | avc_reclaim_node(); | |
357 | ||
358 | out: | |
359 | return node; | |
360 | } | |
361 | ||
21193dcd | 362 | static void avc_node_populate(struct avc_node *node, u32 ssid, u32 tsid, u16 tclass, struct av_decision *avd) |
1da177e4 LT |
363 | { |
364 | node->ae.ssid = ssid; | |
365 | node->ae.tsid = tsid; | |
366 | node->ae.tclass = tclass; | |
21193dcd | 367 | memcpy(&node->ae.avd, avd, sizeof(node->ae.avd)); |
1da177e4 LT |
368 | } |
369 | ||
370 | static inline struct avc_node *avc_search_node(u32 ssid, u32 tsid, u16 tclass) | |
371 | { | |
372 | struct avc_node *node, *ret = NULL; | |
373 | int hvalue; | |
26036651 EP |
374 | struct hlist_head *head; |
375 | struct hlist_node *next; | |
1da177e4 LT |
376 | |
377 | hvalue = avc_hash(ssid, tsid, tclass); | |
edf3d1ae | 378 | head = &avc_cache.slots[hvalue]; |
26036651 | 379 | hlist_for_each_entry_rcu(node, next, head, list) { |
1da177e4 LT |
380 | if (ssid == node->ae.ssid && |
381 | tclass == node->ae.tclass && | |
382 | tsid == node->ae.tsid) { | |
383 | ret = node; | |
384 | break; | |
385 | } | |
386 | } | |
387 | ||
1da177e4 LT |
388 | return ret; |
389 | } | |
390 | ||
391 | /** | |
392 | * avc_lookup - Look up an AVC entry. | |
393 | * @ssid: source security identifier | |
394 | * @tsid: target security identifier | |
395 | * @tclass: target security class | |
1da177e4 LT |
396 | * |
397 | * Look up an AVC entry that is valid for the | |
1da177e4 LT |
398 | * (@ssid, @tsid), interpreting the permissions |
399 | * based on @tclass. If a valid AVC entry exists, | |
400 | * then this function return the avc_node. | |
401 | * Otherwise, this function returns NULL. | |
402 | */ | |
f1c6381a | 403 | static struct avc_node *avc_lookup(u32 ssid, u32 tsid, u16 tclass) |
1da177e4 LT |
404 | { |
405 | struct avc_node *node; | |
406 | ||
407 | avc_cache_stats_incr(lookups); | |
408 | node = avc_search_node(ssid, tsid, tclass); | |
409 | ||
f1c6381a | 410 | if (node) |
1da177e4 | 411 | avc_cache_stats_incr(hits); |
f1c6381a EP |
412 | else |
413 | avc_cache_stats_incr(misses); | |
1da177e4 | 414 | |
1da177e4 LT |
415 | return node; |
416 | } | |
417 | ||
418 | static int avc_latest_notif_update(int seqno, int is_insert) | |
419 | { | |
420 | int ret = 0; | |
421 | static DEFINE_SPINLOCK(notif_lock); | |
422 | unsigned long flag; | |
423 | ||
424 | spin_lock_irqsave(¬if_lock, flag); | |
425 | if (is_insert) { | |
426 | if (seqno < avc_cache.latest_notif) { | |
744ba35e | 427 | printk(KERN_WARNING "SELinux: avc: seqno %d < latest_notif %d\n", |
1da177e4 LT |
428 | seqno, avc_cache.latest_notif); |
429 | ret = -EAGAIN; | |
430 | } | |
431 | } else { | |
432 | if (seqno > avc_cache.latest_notif) | |
433 | avc_cache.latest_notif = seqno; | |
434 | } | |
435 | spin_unlock_irqrestore(¬if_lock, flag); | |
436 | ||
437 | return ret; | |
438 | } | |
439 | ||
440 | /** | |
441 | * avc_insert - Insert an AVC entry. | |
442 | * @ssid: source security identifier | |
443 | * @tsid: target security identifier | |
444 | * @tclass: target security class | |
21193dcd | 445 | * @avd: resulting av decision |
1da177e4 LT |
446 | * |
447 | * Insert an AVC entry for the SID pair | |
448 | * (@ssid, @tsid) and class @tclass. | |
449 | * The access vectors and the sequence number are | |
450 | * normally provided by the security server in | |
451 | * response to a security_compute_av() call. If the | |
21193dcd | 452 | * sequence number @avd->seqno is not less than the latest |
1da177e4 LT |
453 | * revocation notification, then the function copies |
454 | * the access vectors into a cache entry, returns | |
455 | * avc_node inserted. Otherwise, this function returns NULL. | |
456 | */ | |
21193dcd | 457 | static struct avc_node *avc_insert(u32 ssid, u32 tsid, u16 tclass, struct av_decision *avd) |
1da177e4 LT |
458 | { |
459 | struct avc_node *pos, *node = NULL; | |
460 | int hvalue; | |
461 | unsigned long flag; | |
462 | ||
21193dcd | 463 | if (avc_latest_notif_update(avd->seqno, 1)) |
1da177e4 LT |
464 | goto out; |
465 | ||
466 | node = avc_alloc_node(); | |
467 | if (node) { | |
26036651 EP |
468 | struct hlist_head *head; |
469 | struct hlist_node *next; | |
edf3d1ae EP |
470 | spinlock_t *lock; |
471 | ||
1da177e4 | 472 | hvalue = avc_hash(ssid, tsid, tclass); |
21193dcd | 473 | avc_node_populate(node, ssid, tsid, tclass, avd); |
1da177e4 | 474 | |
edf3d1ae EP |
475 | head = &avc_cache.slots[hvalue]; |
476 | lock = &avc_cache.slots_lock[hvalue]; | |
477 | ||
478 | spin_lock_irqsave(lock, flag); | |
26036651 | 479 | hlist_for_each_entry(pos, next, head, list) { |
1da177e4 LT |
480 | if (pos->ae.ssid == ssid && |
481 | pos->ae.tsid == tsid && | |
482 | pos->ae.tclass == tclass) { | |
95fff33b | 483 | avc_node_replace(node, pos); |
1da177e4 LT |
484 | goto found; |
485 | } | |
486 | } | |
26036651 | 487 | hlist_add_head_rcu(&node->list, head); |
1da177e4 | 488 | found: |
edf3d1ae | 489 | spin_unlock_irqrestore(lock, flag); |
1da177e4 LT |
490 | } |
491 | out: | |
492 | return node; | |
493 | } | |
494 | ||
2bf49690 TL |
495 | /** |
496 | * avc_audit_pre_callback - SELinux specific information | |
497 | * will be called by generic audit code | |
498 | * @ab: the audit buffer | |
499 | * @a: audit_data | |
500 | */ | |
501 | static void avc_audit_pre_callback(struct audit_buffer *ab, void *a) | |
1da177e4 | 502 | { |
2bf49690 TL |
503 | struct common_audit_data *ad = a; |
504 | audit_log_format(ab, "avc: %s ", | |
505 | ad->selinux_audit_data.denied ? "denied" : "granted"); | |
506 | avc_dump_av(ab, ad->selinux_audit_data.tclass, | |
507 | ad->selinux_audit_data.audited); | |
508 | audit_log_format(ab, " for "); | |
1da177e4 LT |
509 | } |
510 | ||
2bf49690 TL |
511 | /** |
512 | * avc_audit_post_callback - SELinux specific information | |
513 | * will be called by generic audit code | |
514 | * @ab: the audit buffer | |
515 | * @a: audit_data | |
516 | */ | |
517 | static void avc_audit_post_callback(struct audit_buffer *ab, void *a) | |
1da177e4 | 518 | { |
2bf49690 TL |
519 | struct common_audit_data *ad = a; |
520 | audit_log_format(ab, " "); | |
521 | avc_dump_query(ab, ad->selinux_audit_data.ssid, | |
522 | ad->selinux_audit_data.tsid, | |
523 | ad->selinux_audit_data.tclass); | |
1da177e4 LT |
524 | } |
525 | ||
526 | /** | |
527 | * avc_audit - Audit the granting or denial of permissions. | |
528 | * @ssid: source security identifier | |
529 | * @tsid: target security identifier | |
530 | * @tclass: target security class | |
531 | * @requested: requested permissions | |
532 | * @avd: access vector decisions | |
533 | * @result: result from avc_has_perm_noaudit | |
534 | * @a: auxiliary audit data | |
535 | * | |
536 | * Audit the granting or denial of permissions in accordance | |
537 | * with the policy. This function is typically called by | |
538 | * avc_has_perm() after a permission check, but can also be | |
539 | * called directly by callers who use avc_has_perm_noaudit() | |
540 | * in order to separate the permission check from the auditing. | |
541 | * For example, this separation is useful when the permission check must | |
542 | * be performed under a lock, to allow the lock to be released | |
543 | * before calling the auditing code. | |
544 | */ | |
545 | void avc_audit(u32 ssid, u32 tsid, | |
95fff33b | 546 | u16 tclass, u32 requested, |
2bf49690 | 547 | struct av_decision *avd, int result, struct common_audit_data *a) |
1da177e4 | 548 | { |
2bf49690 | 549 | struct common_audit_data stack_data; |
be940d62 | 550 | u32 denied, audited; |
be940d62 JM |
551 | denied = requested & ~avd->allowed; |
552 | if (denied) { | |
553 | audited = denied; | |
554 | if (!(audited & avd->auditdeny)) | |
555 | return; | |
556 | } else if (result) { | |
557 | audited = denied = requested; | |
558 | } else { | |
559 | audited = requested; | |
560 | if (!(audited & avd->auditallow)) | |
561 | return; | |
562 | } | |
2bf49690 TL |
563 | if (!a) { |
564 | a = &stack_data; | |
565 | memset(a, 0, sizeof(*a)); | |
566 | a->type = LSM_AUDIT_NO_AUDIT; | |
be940d62 | 567 | } |
2bf49690 TL |
568 | a->selinux_audit_data.tclass = tclass; |
569 | a->selinux_audit_data.requested = requested; | |
570 | a->selinux_audit_data.ssid = ssid; | |
571 | a->selinux_audit_data.tsid = tsid; | |
572 | a->selinux_audit_data.audited = audited; | |
573 | a->selinux_audit_data.denied = denied; | |
574 | a->lsm_pre_audit = avc_audit_pre_callback; | |
575 | a->lsm_post_audit = avc_audit_post_callback; | |
576 | common_lsm_audit(a); | |
1da177e4 LT |
577 | } |
578 | ||
579 | /** | |
580 | * avc_add_callback - Register a callback for security events. | |
581 | * @callback: callback function | |
582 | * @events: security events | |
583 | * @ssid: source security identifier or %SECSID_WILD | |
584 | * @tsid: target security identifier or %SECSID_WILD | |
585 | * @tclass: target security class | |
586 | * @perms: permissions | |
587 | * | |
588 | * Register a callback function for events in the set @events | |
589 | * related to the SID pair (@ssid, @tsid) and | |
590 | * and the permissions @perms, interpreting | |
591 | * @perms based on @tclass. Returns %0 on success or | |
592 | * -%ENOMEM if insufficient memory exists to add the callback. | |
593 | */ | |
594 | int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid, | |
95fff33b EP |
595 | u16 tclass, u32 perms, |
596 | u32 *out_retained), | |
597 | u32 events, u32 ssid, u32 tsid, | |
598 | u16 tclass, u32 perms) | |
1da177e4 LT |
599 | { |
600 | struct avc_callback_node *c; | |
601 | int rc = 0; | |
602 | ||
603 | c = kmalloc(sizeof(*c), GFP_ATOMIC); | |
604 | if (!c) { | |
605 | rc = -ENOMEM; | |
606 | goto out; | |
607 | } | |
608 | ||
609 | c->callback = callback; | |
610 | c->events = events; | |
611 | c->ssid = ssid; | |
612 | c->tsid = tsid; | |
613 | c->perms = perms; | |
614 | c->next = avc_callbacks; | |
615 | avc_callbacks = c; | |
616 | out: | |
617 | return rc; | |
618 | } | |
619 | ||
620 | static inline int avc_sidcmp(u32 x, u32 y) | |
621 | { | |
622 | return (x == y || x == SECSID_WILD || y == SECSID_WILD); | |
623 | } | |
624 | ||
625 | /** | |
626 | * avc_update_node Update an AVC entry | |
627 | * @event : Updating event | |
628 | * @perms : Permission mask bits | |
629 | * @ssid,@tsid,@tclass : identifier of an AVC entry | |
a5dda683 | 630 | * @seqno : sequence number when decision was made |
1da177e4 LT |
631 | * |
632 | * if a valid AVC entry doesn't exist,this function returns -ENOENT. | |
633 | * if kmalloc() called internal returns NULL, this function returns -ENOMEM. | |
634 | * otherwise, this function update the AVC entry. The original AVC-entry object | |
635 | * will release later by RCU. | |
636 | */ | |
a5dda683 EP |
637 | static int avc_update_node(u32 event, u32 perms, u32 ssid, u32 tsid, u16 tclass, |
638 | u32 seqno) | |
1da177e4 LT |
639 | { |
640 | int hvalue, rc = 0; | |
641 | unsigned long flag; | |
642 | struct avc_node *pos, *node, *orig = NULL; | |
26036651 EP |
643 | struct hlist_head *head; |
644 | struct hlist_node *next; | |
edf3d1ae | 645 | spinlock_t *lock; |
1da177e4 LT |
646 | |
647 | node = avc_alloc_node(); | |
648 | if (!node) { | |
649 | rc = -ENOMEM; | |
650 | goto out; | |
651 | } | |
652 | ||
653 | /* Lock the target slot */ | |
654 | hvalue = avc_hash(ssid, tsid, tclass); | |
1da177e4 | 655 | |
edf3d1ae EP |
656 | head = &avc_cache.slots[hvalue]; |
657 | lock = &avc_cache.slots_lock[hvalue]; | |
658 | ||
659 | spin_lock_irqsave(lock, flag); | |
660 | ||
26036651 | 661 | hlist_for_each_entry(pos, next, head, list) { |
95fff33b EP |
662 | if (ssid == pos->ae.ssid && |
663 | tsid == pos->ae.tsid && | |
a5dda683 EP |
664 | tclass == pos->ae.tclass && |
665 | seqno == pos->ae.avd.seqno){ | |
1da177e4 LT |
666 | orig = pos; |
667 | break; | |
668 | } | |
669 | } | |
670 | ||
671 | if (!orig) { | |
672 | rc = -ENOENT; | |
673 | avc_node_kill(node); | |
674 | goto out_unlock; | |
675 | } | |
676 | ||
677 | /* | |
678 | * Copy and replace original node. | |
679 | */ | |
680 | ||
21193dcd | 681 | avc_node_populate(node, ssid, tsid, tclass, &orig->ae.avd); |
1da177e4 LT |
682 | |
683 | switch (event) { | |
684 | case AVC_CALLBACK_GRANT: | |
685 | node->ae.avd.allowed |= perms; | |
686 | break; | |
687 | case AVC_CALLBACK_TRY_REVOKE: | |
688 | case AVC_CALLBACK_REVOKE: | |
689 | node->ae.avd.allowed &= ~perms; | |
690 | break; | |
691 | case AVC_CALLBACK_AUDITALLOW_ENABLE: | |
692 | node->ae.avd.auditallow |= perms; | |
693 | break; | |
694 | case AVC_CALLBACK_AUDITALLOW_DISABLE: | |
695 | node->ae.avd.auditallow &= ~perms; | |
696 | break; | |
697 | case AVC_CALLBACK_AUDITDENY_ENABLE: | |
698 | node->ae.avd.auditdeny |= perms; | |
699 | break; | |
700 | case AVC_CALLBACK_AUDITDENY_DISABLE: | |
701 | node->ae.avd.auditdeny &= ~perms; | |
702 | break; | |
703 | } | |
704 | avc_node_replace(node, orig); | |
705 | out_unlock: | |
edf3d1ae | 706 | spin_unlock_irqrestore(lock, flag); |
1da177e4 LT |
707 | out: |
708 | return rc; | |
709 | } | |
710 | ||
711 | /** | |
008574b1 | 712 | * avc_flush - Flush the cache |
1da177e4 | 713 | */ |
008574b1 | 714 | static void avc_flush(void) |
1da177e4 | 715 | { |
26036651 EP |
716 | struct hlist_head *head; |
717 | struct hlist_node *next; | |
008574b1 | 718 | struct avc_node *node; |
edf3d1ae | 719 | spinlock_t *lock; |
008574b1 EP |
720 | unsigned long flag; |
721 | int i; | |
1da177e4 LT |
722 | |
723 | for (i = 0; i < AVC_CACHE_SLOTS; i++) { | |
edf3d1ae EP |
724 | head = &avc_cache.slots[i]; |
725 | lock = &avc_cache.slots_lock[i]; | |
726 | ||
727 | spin_lock_irqsave(lock, flag); | |
61844250 PM |
728 | /* |
729 | * With preemptable RCU, the outer spinlock does not | |
730 | * prevent RCU grace periods from ending. | |
731 | */ | |
732 | rcu_read_lock(); | |
26036651 | 733 | hlist_for_each_entry(node, next, head, list) |
1da177e4 | 734 | avc_node_delete(node); |
61844250 | 735 | rcu_read_unlock(); |
edf3d1ae | 736 | spin_unlock_irqrestore(lock, flag); |
1da177e4 | 737 | } |
008574b1 EP |
738 | } |
739 | ||
740 | /** | |
741 | * avc_ss_reset - Flush the cache and revalidate migrated permissions. | |
742 | * @seqno: policy sequence number | |
743 | */ | |
744 | int avc_ss_reset(u32 seqno) | |
745 | { | |
746 | struct avc_callback_node *c; | |
747 | int rc = 0, tmprc; | |
748 | ||
749 | avc_flush(); | |
1da177e4 LT |
750 | |
751 | for (c = avc_callbacks; c; c = c->next) { | |
752 | if (c->events & AVC_CALLBACK_RESET) { | |
376bd9cb | 753 | tmprc = c->callback(AVC_CALLBACK_RESET, |
95fff33b | 754 | 0, 0, 0, 0, NULL); |
376bd9cb DG |
755 | /* save the first error encountered for the return |
756 | value and continue processing the callbacks */ | |
757 | if (!rc) | |
758 | rc = tmprc; | |
1da177e4 LT |
759 | } |
760 | } | |
761 | ||
762 | avc_latest_notif_update(seqno, 0); | |
1da177e4 LT |
763 | return rc; |
764 | } | |
765 | ||
766 | /** | |
767 | * avc_has_perm_noaudit - Check permissions but perform no auditing. | |
768 | * @ssid: source security identifier | |
769 | * @tsid: target security identifier | |
770 | * @tclass: target security class | |
771 | * @requested: requested permissions, interpreted based on @tclass | |
2c3c05db | 772 | * @flags: AVC_STRICT or 0 |
1da177e4 LT |
773 | * @avd: access vector decisions |
774 | * | |
775 | * Check the AVC to determine whether the @requested permissions are granted | |
776 | * for the SID pair (@ssid, @tsid), interpreting the permissions | |
777 | * based on @tclass, and call the security server on a cache miss to obtain | |
778 | * a new decision and add it to the cache. Return a copy of the decisions | |
779 | * in @avd. Return %0 if all @requested permissions are granted, | |
780 | * -%EACCES if any permissions are denied, or another -errno upon | |
781 | * other errors. This function is typically called by avc_has_perm(), | |
782 | * but may also be called directly to separate permission checking from | |
783 | * auditing, e.g. in cases where a lock must be held for the check but | |
784 | * should be released for the auditing. | |
785 | */ | |
786 | int avc_has_perm_noaudit(u32 ssid, u32 tsid, | |
2c3c05db SS |
787 | u16 tclass, u32 requested, |
788 | unsigned flags, | |
21193dcd | 789 | struct av_decision *in_avd) |
1da177e4 LT |
790 | { |
791 | struct avc_node *node; | |
21193dcd | 792 | struct av_decision avd_entry, *avd; |
1da177e4 LT |
793 | int rc = 0; |
794 | u32 denied; | |
795 | ||
eda4f69c EP |
796 | BUG_ON(!requested); |
797 | ||
1da177e4 LT |
798 | rcu_read_lock(); |
799 | ||
f1c6381a | 800 | node = avc_lookup(ssid, tsid, tclass); |
1da177e4 LT |
801 | if (!node) { |
802 | rcu_read_unlock(); | |
21193dcd EP |
803 | |
804 | if (in_avd) | |
805 | avd = in_avd; | |
806 | else | |
807 | avd = &avd_entry; | |
808 | ||
809 | rc = security_compute_av(ssid, tsid, tclass, requested, avd); | |
1da177e4 LT |
810 | if (rc) |
811 | goto out; | |
812 | rcu_read_lock(); | |
21193dcd EP |
813 | node = avc_insert(ssid, tsid, tclass, avd); |
814 | } else { | |
815 | if (in_avd) | |
816 | memcpy(in_avd, &node->ae.avd, sizeof(*in_avd)); | |
817 | avd = &node->ae.avd; | |
1da177e4 LT |
818 | } |
819 | ||
21193dcd | 820 | denied = requested & ~(avd->allowed); |
1da177e4 | 821 | |
eda4f69c | 822 | if (denied) { |
64dbf074 | 823 | if (flags & AVC_STRICT) |
1da177e4 | 824 | rc = -EACCES; |
8a6f83af | 825 | else if (!selinux_enforcing || (avd->flags & AVD_FLAGS_PERMISSIVE)) |
64dbf074 | 826 | avc_update_node(AVC_CALLBACK_GRANT, requested, ssid, |
21193dcd | 827 | tsid, tclass, avd->seqno); |
1da177e4 | 828 | else |
64dbf074 | 829 | rc = -EACCES; |
1da177e4 LT |
830 | } |
831 | ||
832 | rcu_read_unlock(); | |
833 | out: | |
834 | return rc; | |
835 | } | |
836 | ||
837 | /** | |
838 | * avc_has_perm - Check permissions and perform any appropriate auditing. | |
839 | * @ssid: source security identifier | |
840 | * @tsid: target security identifier | |
841 | * @tclass: target security class | |
842 | * @requested: requested permissions, interpreted based on @tclass | |
843 | * @auditdata: auxiliary audit data | |
844 | * | |
845 | * Check the AVC to determine whether the @requested permissions are granted | |
846 | * for the SID pair (@ssid, @tsid), interpreting the permissions | |
847 | * based on @tclass, and call the security server on a cache miss to obtain | |
848 | * a new decision and add it to the cache. Audit the granting or denial of | |
849 | * permissions in accordance with the policy. Return %0 if all @requested | |
850 | * permissions are granted, -%EACCES if any permissions are denied, or | |
851 | * another -errno upon other errors. | |
852 | */ | |
853 | int avc_has_perm(u32 ssid, u32 tsid, u16 tclass, | |
2bf49690 | 854 | u32 requested, struct common_audit_data *auditdata) |
1da177e4 LT |
855 | { |
856 | struct av_decision avd; | |
857 | int rc; | |
858 | ||
2c3c05db | 859 | rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, &avd); |
1da177e4 LT |
860 | avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata); |
861 | return rc; | |
862 | } | |
788e7dd4 YN |
863 | |
864 | u32 avc_policy_seqno(void) | |
865 | { | |
866 | return avc_cache.latest_notif; | |
867 | } | |
89c86576 TL |
868 | |
869 | void avc_disable(void) | |
870 | { | |
5224ee08 EP |
871 | /* |
872 | * If you are looking at this because you have realized that we are | |
873 | * not destroying the avc_node_cachep it might be easy to fix, but | |
874 | * I don't know the memory barrier semantics well enough to know. It's | |
875 | * possible that some other task dereferenced security_ops when | |
876 | * it still pointed to selinux operations. If that is the case it's | |
877 | * possible that it is about to use the avc and is about to need the | |
878 | * avc_node_cachep. I know I could wrap the security.c security_ops call | |
879 | * in an rcu_lock, but seriously, it's not worth it. Instead I just flush | |
880 | * the cache and get that memory back. | |
881 | */ | |
882 | if (avc_node_cachep) { | |
883 | avc_flush(); | |
884 | /* kmem_cache_destroy(avc_node_cachep); */ | |
885 | } | |
89c86576 | 886 | } |