1 /* Authors: Karl MacMillan <kmacmillan@tresys.com>
2 * Frank Mayer <mayerf@tresys.com>
4 * Copyright (C) 2003 - 2004 Tresys Technology, LLC
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation, version 2.
10 #include <linux/kernel.h>
11 #include <linux/errno.h>
12 #include <linux/string.h>
13 #include <linux/spinlock.h>
14 #include <linux/slab.h>
17 #include "conditional.h"
21 * cond_evaluate_expr evaluates a conditional expr
22 * in reverse polish notation. It returns true (1), false (0),
23 * or undefined (-1). Undefined occurs when the expression
24 * exceeds the stack depth of COND_EXPR_MAXDEPTH.
26 static int cond_evaluate_expr(struct policydb *p, struct cond_expr *expr)
29 struct cond_expr *cur;
30 int s[COND_EXPR_MAXDEPTH];
33 for (cur = expr; cur; cur = cur->next) {
34 switch (cur->expr_type) {
36 if (sp == (COND_EXPR_MAXDEPTH - 1))
39 s[sp] = p->bool_val_to_struct[cur->bool - 1]->state;
68 s[sp] = (s[sp] == s[sp + 1]);
74 s[sp] = (s[sp] != s[sp + 1]);
84 * evaluate_cond_node evaluates the conditional stored in
85 * a struct cond_node and if the result is different than the
86 * current state of the node it sets the rules in the true/false
87 * list appropriately. If the result of the expression is undefined
88 * all of the rules are disabled for safety.
90 int evaluate_cond_node(struct policydb *p, struct cond_node *node)
93 struct cond_av_list *cur;
95 new_state = cond_evaluate_expr(p, node->expr);
96 if (new_state != node->cur_state) {
97 node->cur_state = new_state;
99 printk(KERN_ERR "SELinux: expression result was undefined - disabling all rules.\n");
100 /* turn the rules on or off */
101 for (cur = node->true_list; cur; cur = cur->next) {
103 cur->node->key.specified &= ~AVTAB_ENABLED;
105 cur->node->key.specified |= AVTAB_ENABLED;
108 for (cur = node->false_list; cur; cur = cur->next) {
111 cur->node->key.specified &= ~AVTAB_ENABLED;
113 cur->node->key.specified |= AVTAB_ENABLED;
119 int cond_policydb_init(struct policydb *p)
123 p->bool_val_to_struct = NULL;
126 rc = avtab_init(&p->te_cond_avtab);
133 static void cond_av_list_destroy(struct cond_av_list *list)
135 struct cond_av_list *cur, *next;
136 for (cur = list; cur; cur = next) {
138 /* the avtab_ptr_t node is destroy by the avtab */
143 static void cond_node_destroy(struct cond_node *node)
145 struct cond_expr *cur_expr, *next_expr;
147 for (cur_expr = node->expr; cur_expr; cur_expr = next_expr) {
148 next_expr = cur_expr->next;
151 cond_av_list_destroy(node->true_list);
152 cond_av_list_destroy(node->false_list);
156 static void cond_list_destroy(struct cond_node *list)
158 struct cond_node *next, *cur;
163 for (cur = list; cur; cur = next) {
165 cond_node_destroy(cur);
169 void cond_policydb_destroy(struct policydb *p)
171 kfree(p->bool_val_to_struct);
172 avtab_destroy(&p->te_cond_avtab);
173 cond_list_destroy(p->cond_list);
176 int cond_init_bool_indexes(struct policydb *p)
178 kfree(p->bool_val_to_struct);
179 p->bool_val_to_struct =
180 kmalloc(p->p_bools.nprim * sizeof(struct cond_bool_datum *), GFP_KERNEL);
181 if (!p->bool_val_to_struct)
186 int cond_destroy_bool(void *key, void *datum, void *p)
193 int cond_index_bool(void *key, void *datum, void *datap)
196 struct cond_bool_datum *booldatum;
197 struct flex_array *fa;
202 if (!booldatum->value || booldatum->value > p->p_bools.nprim)
205 fa = p->sym_val_to_name[SYM_BOOLS];
206 if (flex_array_put_ptr(fa, booldatum->value - 1, key,
207 GFP_KERNEL | __GFP_ZERO))
209 p->bool_val_to_struct[booldatum->value - 1] = booldatum;
214 static int bool_isvalid(struct cond_bool_datum *b)
216 if (!(b->state == 0 || b->state == 1))
221 int cond_read_bool(struct policydb *p, struct hashtab *h, void *fp)
224 struct cond_bool_datum *booldatum;
229 booldatum = kzalloc(sizeof(struct cond_bool_datum), GFP_KERNEL);
233 rc = next_entry(buf, fp, sizeof buf);
237 booldatum->value = le32_to_cpu(buf[0]);
238 booldatum->state = le32_to_cpu(buf[1]);
241 if (!bool_isvalid(booldatum))
244 len = le32_to_cpu(buf[2]);
247 key = kmalloc(len + 1, GFP_KERNEL);
250 rc = next_entry(key, fp, len);
254 rc = hashtab_insert(h, key, booldatum);
260 cond_destroy_bool(key, booldatum, NULL);
264 struct cond_insertf_data {
266 struct cond_av_list *other;
267 struct cond_av_list *head;
268 struct cond_av_list *tail;
271 static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum *d, void *ptr)
273 struct cond_insertf_data *data = ptr;
274 struct policydb *p = data->p;
275 struct cond_av_list *other = data->other, *list, *cur;
276 struct avtab_node *node_ptr;
281 * For type rules we have to make certain there aren't any
282 * conflicting rules by searching the te_avtab and the
285 if (k->specified & AVTAB_TYPE) {
286 if (avtab_search(&p->te_avtab, k)) {
287 printk(KERN_ERR "SELinux: type rule already exists outside of a conditional.\n");
291 * If we are reading the false list other will be a pointer to
292 * the true list. We can have duplicate entries if there is only
293 * 1 other entry and it is in our true list.
295 * If we are reading the true list (other == NULL) there shouldn't
296 * be any other entries.
299 node_ptr = avtab_search_node(&p->te_cond_avtab, k);
301 if (avtab_search_node_next(node_ptr, k->specified)) {
302 printk(KERN_ERR "SELinux: too many conflicting type rules.\n");
306 for (cur = other; cur; cur = cur->next) {
307 if (cur->node == node_ptr) {
313 printk(KERN_ERR "SELinux: conflicting type rules.\n");
318 if (avtab_search(&p->te_cond_avtab, k)) {
319 printk(KERN_ERR "SELinux: conflicting type rules when adding type rule for true.\n");
325 node_ptr = avtab_insert_nonunique(&p->te_cond_avtab, k, d);
327 printk(KERN_ERR "SELinux: could not insert rule.\n");
332 list = kzalloc(sizeof(struct cond_av_list), GFP_KERNEL);
338 list->node = node_ptr;
342 data->tail->next = list;
347 cond_av_list_destroy(data->head);
352 static int cond_read_av_list(struct policydb *p, void *fp, struct cond_av_list **ret_list, struct cond_av_list *other)
357 struct cond_insertf_data data;
362 rc = next_entry(buf, fp, sizeof(u32));
366 len = le32_to_cpu(buf[0]);
374 for (i = 0; i < len; i++) {
375 rc = avtab_read_item(&p->te_cond_avtab, fp, p, cond_insertf,
381 *ret_list = data.head;
385 static int expr_isvalid(struct policydb *p, struct cond_expr *expr)
387 if (expr->expr_type <= 0 || expr->expr_type > COND_LAST) {
388 printk(KERN_ERR "SELinux: conditional expressions uses unknown operator.\n");
392 if (expr->bool > p->p_bools.nprim) {
393 printk(KERN_ERR "SELinux: conditional expressions uses unknown bool.\n");
399 static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp)
404 struct cond_expr *expr = NULL, *last = NULL;
406 rc = next_entry(buf, fp, sizeof(u32) * 2);
410 node->cur_state = le32_to_cpu(buf[0]);
413 len = le32_to_cpu(buf[1]);
415 for (i = 0; i < len; i++) {
416 rc = next_entry(buf, fp, sizeof(u32) * 2);
421 expr = kzalloc(sizeof(struct cond_expr), GFP_KERNEL);
425 expr->expr_type = le32_to_cpu(buf[0]);
426 expr->bool = le32_to_cpu(buf[1]);
428 if (!expr_isvalid(p, expr)) {
441 rc = cond_read_av_list(p, fp, &node->true_list, NULL);
444 rc = cond_read_av_list(p, fp, &node->false_list, node->true_list);
449 cond_node_destroy(node);
453 int cond_read_list(struct policydb *p, void *fp)
455 struct cond_node *node, *last = NULL;
460 rc = next_entry(buf, fp, sizeof buf);
464 len = le32_to_cpu(buf[0]);
466 rc = avtab_alloc(&(p->te_cond_avtab), p->te_avtab.nel);
470 for (i = 0; i < len; i++) {
472 node = kzalloc(sizeof(struct cond_node), GFP_KERNEL);
476 rc = cond_read_node(p, node, fp);
488 cond_list_destroy(p->cond_list);
493 int cond_write_bool(void *vkey, void *datum, void *ptr)
496 struct cond_bool_datum *booldatum = datum;
497 struct policy_data *pd = ptr;
504 buf[0] = cpu_to_le32(booldatum->value);
505 buf[1] = cpu_to_le32(booldatum->state);
506 buf[2] = cpu_to_le32(len);
507 rc = put_entry(buf, sizeof(u32), 3, fp);
510 rc = put_entry(key, 1, len, fp);
517 * cond_write_cond_av_list doesn't write out the av_list nodes.
518 * Instead it writes out the key/value pairs from the avtab. This
519 * is necessary because there is no way to uniquely identifying rules
520 * in the avtab so it is not possible to associate individual rules
521 * in the avtab with a conditional without saving them as part of
522 * the conditional. This means that the avtab with the conditional
523 * rules will not be saved but will be rebuilt on policy load.
525 static int cond_write_av_list(struct policydb *p,
526 struct cond_av_list *list, struct policy_file *fp)
529 struct cond_av_list *cur_list;
534 for (cur_list = list; cur_list != NULL; cur_list = cur_list->next)
537 buf[0] = cpu_to_le32(len);
538 rc = put_entry(buf, sizeof(u32), 1, fp);
545 for (cur_list = list; cur_list != NULL; cur_list = cur_list->next) {
546 rc = avtab_write_item(p, cur_list->node, fp);
554 static int cond_write_node(struct policydb *p, struct cond_node *node,
555 struct policy_file *fp)
557 struct cond_expr *cur_expr;
562 buf[0] = cpu_to_le32(node->cur_state);
563 rc = put_entry(buf, sizeof(u32), 1, fp);
567 for (cur_expr = node->expr; cur_expr != NULL; cur_expr = cur_expr->next)
570 buf[0] = cpu_to_le32(len);
571 rc = put_entry(buf, sizeof(u32), 1, fp);
575 for (cur_expr = node->expr; cur_expr != NULL; cur_expr = cur_expr->next) {
576 buf[0] = cpu_to_le32(cur_expr->expr_type);
577 buf[1] = cpu_to_le32(cur_expr->bool);
578 rc = put_entry(buf, sizeof(u32), 2, fp);
583 rc = cond_write_av_list(p, node->true_list, fp);
586 rc = cond_write_av_list(p, node->false_list, fp);
593 int cond_write_list(struct policydb *p, struct cond_node *list, void *fp)
595 struct cond_node *cur;
601 for (cur = list; cur != NULL; cur = cur->next)
603 buf[0] = cpu_to_le32(len);
604 rc = put_entry(buf, sizeof(u32), 1, fp);
608 for (cur = list; cur != NULL; cur = cur->next) {
609 rc = cond_write_node(p, cur, fp);
617 void cond_compute_xperms(struct avtab *ctab, struct avtab_key *key,
618 struct extended_perms_decision *xpermd)
620 struct avtab_node *node;
622 if (!ctab || !key || !xpermd)
625 for (node = avtab_search_node(ctab, key); node;
626 node = avtab_search_node_next(node, key->specified)) {
627 if (node->key.specified & AVTAB_ENABLED)
628 services_compute_xperms_decision(xpermd, node);
633 /* Determine whether additional permissions are granted by the conditional
634 * av table, and if so, add them to the result
636 void cond_compute_av(struct avtab *ctab, struct avtab_key *key,
637 struct av_decision *avd, struct extended_perms *xperms)
639 struct avtab_node *node;
641 if (!ctab || !key || !avd)
644 for (node = avtab_search_node(ctab, key); node;
645 node = avtab_search_node_next(node, key->specified)) {
646 if ((u16)(AVTAB_ALLOWED|AVTAB_ENABLED) ==
647 (node->key.specified & (AVTAB_ALLOWED|AVTAB_ENABLED)))
648 avd->allowed |= node->datum.u.data;
649 if ((u16)(AVTAB_AUDITDENY|AVTAB_ENABLED) ==
650 (node->key.specified & (AVTAB_AUDITDENY|AVTAB_ENABLED)))
651 /* Since a '0' in an auditdeny mask represents a
652 * permission we do NOT want to audit (dontaudit), we use
653 * the '&' operand to ensure that all '0's in the mask
654 * are retained (much unlike the allow and auditallow cases).
656 avd->auditdeny &= node->datum.u.data;
657 if ((u16)(AVTAB_AUDITALLOW|AVTAB_ENABLED) ==
658 (node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED)))
659 avd->auditallow |= node->datum.u.data;
660 if (xperms && (node->key.specified & AVTAB_ENABLED) &&
661 (node->key.specified & AVTAB_XPERMS))
662 services_compute_xperms_drivers(xperms, node);
projects / librecmc / linux-libre.git / blob