security/selinux/avc.c

0001 // SPDX-License-Identifier: GPL-2.0-only
0002 /*
0003  * Implementation of the kernel access vector cache (AVC).
0004  *
0005  * Authors:  Stephen Smalley, <sds@tycho.nsa.gov>
0006  *       James Morris <jmorris@redhat.com>
0007  *
0008  * Update:   KaiGai, Kohei <kaigai@ak.jp.nec.com>
0009  *  Replaced the avc_lock spinlock by RCU.
0010  *
0011  * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
0012  */
0013 #include <linux/types.h>
0014 #include <linux/stddef.h>
0015 #include <linux/kernel.h>
0016 #include <linux/slab.h>
0017 #include <linux/fs.h>
0018 #include <linux/dcache.h>
0019 #include <linux/init.h>
0020 #include <linux/skbuff.h>
0021 #include <linux/percpu.h>
0022 #include <linux/list.h>
0023 #include <net/sock.h>
0024 #include <linux/un.h>
0025 #include <net/af_unix.h>
0026 #include <linux/ip.h>
0027 #include <linux/audit.h>
0028 #include <linux/ipv6.h>
0029 #include <net/ipv6.h>
0030 #include "avc.h"
0031 #include "avc_ss.h"
0032 #include "classmap.h"
0033
0034 #define CREATE_TRACE_POINTS
0035 #include <trace/events/avc.h>
0036
0037 #define AVC_CACHE_SLOTS         512
0038 #define AVC_DEF_CACHE_THRESHOLD     512
0039 #define AVC_CACHE_RECLAIM       16
0040
0041 #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
0042 #define avc_cache_stats_incr(field) this_cpu_inc(avc_cache_stats.field)
0043 #else
0044 #define avc_cache_stats_incr(field) do {} while (0)
0045 #endif
0046
0047 struct avc_entry {
0048     u32         ssid;
0049     u32         tsid;
0050     u16         tclass;
0051     struct av_decision  avd;
0052     struct avc_xperms_node  *xp_node;
0053 };
0054
0055 struct avc_node {
0056     struct avc_entry    ae;
0057     struct hlist_node   list; /* anchored in avc_cache->slots[i] */
0058     struct rcu_head     rhead;
0059 };
0060
0061 struct avc_xperms_decision_node {
0062     struct extended_perms_decision xpd;
0063     struct list_head xpd_list; /* list of extended_perms_decision */
0064 };
0065
0066 struct avc_xperms_node {
0067     struct extended_perms xp;
0068     struct list_head xpd_head; /* list head of extended_perms_decision */
0069 };
0070
0071 struct avc_cache {
0072     struct hlist_head   slots[AVC_CACHE_SLOTS]; /* head for avc_node->list */
0073     spinlock_t      slots_lock[AVC_CACHE_SLOTS]; /* lock for writes */
0074     atomic_t        lru_hint;   /* LRU hint for reclaim scan */
0075     atomic_t        active_nodes;
0076     u32         latest_notif;   /* latest revocation notification */
0077 };
0078
0079 struct avc_callback_node {
0080     int (*callback) (u32 event);
0081     u32 events;
0082     struct avc_callback_node *next;
0083 };
0084
0085 #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
0086 DEFINE_PER_CPU(struct avc_cache_stats, avc_cache_stats) = { 0 };
0087 #endif
0088
0089 struct selinux_avc {
0090     unsigned int avc_cache_threshold;
0091     struct avc_cache avc_cache;
0092 };
0093
0094 static struct selinux_avc selinux_avc;
0095
0096 void selinux_avc_init(struct selinux_avc **avc)
0097 {
0098     int i;
0099
0100     selinux_avc.avc_cache_threshold = AVC_DEF_CACHE_THRESHOLD;
0101     for (i = 0; i < AVC_CACHE_SLOTS; i++) {
0102         INIT_HLIST_HEAD(&selinux_avc.avc_cache.slots[i]);
0103         spin_lock_init(&selinux_avc.avc_cache.slots_lock[i]);
0104     }
0105     atomic_set(&selinux_avc.avc_cache.active_nodes, 0);
0106     atomic_set(&selinux_avc.avc_cache.lru_hint, 0);
0107     *avc = &selinux_avc;
0108 }
0109
0110 unsigned int avc_get_cache_threshold(struct selinux_avc *avc)
0111 {
0112     return avc->avc_cache_threshold;
0113 }
0114
0115 void avc_set_cache_threshold(struct selinux_avc *avc,
0116                  unsigned int cache_threshold)
0117 {
0118     avc->avc_cache_threshold = cache_threshold;
0119 }
0120
0121 static struct avc_callback_node *avc_callbacks __ro_after_init;
0122 static struct kmem_cache *avc_node_cachep __ro_after_init;
0123 static struct kmem_cache *avc_xperms_data_cachep __ro_after_init;
0124 static struct kmem_cache *avc_xperms_decision_cachep __ro_after_init;
0125 static struct kmem_cache *avc_xperms_cachep __ro_after_init;
0126
0127 static inline int avc_hash(u32 ssid, u32 tsid, u16 tclass)
0128 {
0129     return (ssid ^ (tsid<<2) ^ (tclass<<4)) & (AVC_CACHE_SLOTS - 1);
0130 }
0131
0132 /**
0133  * avc_init - Initialize the AVC.
0134  *
0135  * Initialize the access vector cache.
0136  */
0137 void __init avc_init(void)
0138 {
0139     avc_node_cachep = kmem_cache_create("avc_node", sizeof(struct avc_node),
0140                     0, SLAB_PANIC, NULL);
0141     avc_xperms_cachep = kmem_cache_create("avc_xperms_node",
0142                     sizeof(struct avc_xperms_node),
0143                     0, SLAB_PANIC, NULL);
0144     avc_xperms_decision_cachep = kmem_cache_create(
0145                     "avc_xperms_decision_node",
0146                     sizeof(struct avc_xperms_decision_node),
0147                     0, SLAB_PANIC, NULL);
0148     avc_xperms_data_cachep = kmem_cache_create("avc_xperms_data",
0149                     sizeof(struct extended_perms_data),
0150                     0, SLAB_PANIC, NULL);
0151 }
0152
0153 int avc_get_hash_stats(struct selinux_avc *avc, char *page)
0154 {
0155     int i, chain_len, max_chain_len, slots_used;
0156     struct avc_node *node;
0157     struct hlist_head *head;
0158
0159     rcu_read_lock();
0160
0161     slots_used = 0;
0162     max_chain_len = 0;
0163     for (i = 0; i < AVC_CACHE_SLOTS; i++) {
0164         head = &avc->avc_cache.slots[i];
0165         if (!hlist_empty(head)) {
0166             slots_used++;
0167             chain_len = 0;
0168             hlist_for_each_entry_rcu(node, head, list)
0169                 chain_len++;
0170             if (chain_len > max_chain_len)
0171                 max_chain_len = chain_len;
0172         }
0173     }
0174
0175     rcu_read_unlock();
0176
0177     return scnprintf(page, PAGE_SIZE, "entries: %d\nbuckets used: %d/%d\n"
0178              "longest chain: %d\n",
0179              atomic_read(&avc->avc_cache.active_nodes),
0180              slots_used, AVC_CACHE_SLOTS, max_chain_len);
0181 }
0182
0183 /*
0184  * using a linked list for extended_perms_decision lookup because the list is
0185  * always small. i.e. less than 5, typically 1
0186  */
0187 static struct extended_perms_decision *avc_xperms_decision_lookup(u8 driver,
0188                     struct avc_xperms_node *xp_node)
0189 {
0190     struct avc_xperms_decision_node *xpd_node;
0191
0192     list_for_each_entry(xpd_node, &xp_node->xpd_head, xpd_list) {
0193         if (xpd_node->xpd.driver == driver)
0194             return &xpd_node->xpd;
0195     }
0196     return NULL;
0197 }
0198
0199 static inline unsigned int
0200 avc_xperms_has_perm(struct extended_perms_decision *xpd,
0201                     u8 perm, u8 which)
0202 {
0203     unsigned int rc = 0;
0204
0205     if ((which == XPERMS_ALLOWED) &&
0206             (xpd->used & XPERMS_ALLOWED))
0207         rc = security_xperm_test(xpd->allowed->p, perm);
0208     else if ((which == XPERMS_AUDITALLOW) &&
0209             (xpd->used & XPERMS_AUDITALLOW))
0210         rc = security_xperm_test(xpd->auditallow->p, perm);
0211     else if ((which == XPERMS_DONTAUDIT) &&
0212             (xpd->used & XPERMS_DONTAUDIT))
0213         rc = security_xperm_test(xpd->dontaudit->p, perm);
0214     return rc;
0215 }
0216
0217 static void avc_xperms_allow_perm(struct avc_xperms_node *xp_node,
0218                 u8 driver, u8 perm)
0219 {
0220     struct extended_perms_decision *xpd;
0221     security_xperm_set(xp_node->xp.drivers.p, driver);
0222     xpd = avc_xperms_decision_lookup(driver, xp_node);
0223     if (xpd && xpd->allowed)
0224         security_xperm_set(xpd->allowed->p, perm);
0225 }
0226
0227 static void avc_xperms_decision_free(struct avc_xperms_decision_node *xpd_node)
0228 {
0229     struct extended_perms_decision *xpd;
0230
0231     xpd = &xpd_node->xpd;
0232     if (xpd->allowed)
0233         kmem_cache_free(avc_xperms_data_cachep, xpd->allowed);
0234     if (xpd->auditallow)
0235         kmem_cache_free(avc_xperms_data_cachep, xpd->auditallow);
0236     if (xpd->dontaudit)
0237         kmem_cache_free(avc_xperms_data_cachep, xpd->dontaudit);
0238     kmem_cache_free(avc_xperms_decision_cachep, xpd_node);
0239 }
0240
0241 static void avc_xperms_free(struct avc_xperms_node *xp_node)
0242 {
0243     struct avc_xperms_decision_node *xpd_node, *tmp;
0244
0245     if (!xp_node)
0246         return;
0247
0248     list_for_each_entry_safe(xpd_node, tmp, &xp_node->xpd_head, xpd_list) {
0249         list_del(&xpd_node->xpd_list);
0250         avc_xperms_decision_free(xpd_node);
0251     }
0252     kmem_cache_free(avc_xperms_cachep, xp_node);
0253 }
0254
0255 static void avc_copy_xperms_decision(struct extended_perms_decision *dest,
0256                     struct extended_perms_decision *src)
0257 {
0258     dest->driver = src->driver;
0259     dest->used = src->used;
0260     if (dest->used & XPERMS_ALLOWED)
0261         memcpy(dest->allowed->p, src->allowed->p,
0262                 sizeof(src->allowed->p));
0263     if (dest->used & XPERMS_AUDITALLOW)
0264         memcpy(dest->auditallow->p, src->auditallow->p,
0265                 sizeof(src->auditallow->p));
0266     if (dest->used & XPERMS_DONTAUDIT)
0267         memcpy(dest->dontaudit->p, src->dontaudit->p,
0268                 sizeof(src->dontaudit->p));
0269 }
0270
0271 /*
0272  * similar to avc_copy_xperms_decision, but only copy decision
0273  * information relevant to this perm
0274  */
0275 static inline void avc_quick_copy_xperms_decision(u8 perm,
0276             struct extended_perms_decision *dest,
0277             struct extended_perms_decision *src)
0278 {
0279     /*
0280      * compute index of the u32 of the 256 bits (8 u32s) that contain this
0281      * command permission
0282      */
0283     u8 i = perm >> 5;
0284
0285     dest->used = src->used;
0286     if (dest->used & XPERMS_ALLOWED)
0287         dest->allowed->p[i] = src->allowed->p[i];
0288     if (dest->used & XPERMS_AUDITALLOW)
0289         dest->auditallow->p[i] = src->auditallow->p[i];
0290     if (dest->used & XPERMS_DONTAUDIT)
0291         dest->dontaudit->p[i] = src->dontaudit->p[i];
0292 }
0293
0294 static struct avc_xperms_decision_node
0295         *avc_xperms_decision_alloc(u8 which)
0296 {
0297     struct avc_xperms_decision_node *xpd_node;
0298     struct extended_perms_decision *xpd;
0299
0300     xpd_node = kmem_cache_zalloc(avc_xperms_decision_cachep,
0301                      GFP_NOWAIT | __GFP_NOWARN);
0302     if (!xpd_node)
0303         return NULL;
0304
0305     xpd = &xpd_node->xpd;
0306     if (which & XPERMS_ALLOWED) {
0307         xpd->allowed = kmem_cache_zalloc(avc_xperms_data_cachep,
0308                         GFP_NOWAIT | __GFP_NOWARN);
0309         if (!xpd->allowed)
0310             goto error;
0311     }
0312     if (which & XPERMS_AUDITALLOW) {
0313         xpd->auditallow = kmem_cache_zalloc(avc_xperms_data_cachep,
0314                         GFP_NOWAIT | __GFP_NOWARN);
0315         if (!xpd->auditallow)
0316             goto error;
0317     }
0318     if (which & XPERMS_DONTAUDIT) {
0319         xpd->dontaudit = kmem_cache_zalloc(avc_xperms_data_cachep,
0320                         GFP_NOWAIT | __GFP_NOWARN);
0321         if (!xpd->dontaudit)
0322             goto error;
0323     }
0324     return xpd_node;
0325 error:
0326     avc_xperms_decision_free(xpd_node);
0327     return NULL;
0328 }
0329
0330 static int avc_add_xperms_decision(struct avc_node *node,
0331             struct extended_perms_decision *src)
0332 {
0333     struct avc_xperms_decision_node *dest_xpd;
0334
0335     node->ae.xp_node->xp.len++;
0336     dest_xpd = avc_xperms_decision_alloc(src->used);
0337     if (!dest_xpd)
0338         return -ENOMEM;
0339     avc_copy_xperms_decision(&dest_xpd->xpd, src);
0340     list_add(&dest_xpd->xpd_list, &node->ae.xp_node->xpd_head);
0341     return 0;
0342 }
0343
0344 static struct avc_xperms_node *avc_xperms_alloc(void)
0345 {
0346     struct avc_xperms_node *xp_node;
0347
0348     xp_node = kmem_cache_zalloc(avc_xperms_cachep, GFP_NOWAIT | __GFP_NOWARN);
0349     if (!xp_node)
0350         return xp_node;
0351     INIT_LIST_HEAD(&xp_node->xpd_head);
0352     return xp_node;
0353 }
0354
0355 static int avc_xperms_populate(struct avc_node *node,
0356                 struct avc_xperms_node *src)
0357 {
0358     struct avc_xperms_node *dest;
0359     struct avc_xperms_decision_node *dest_xpd;
0360     struct avc_xperms_decision_node *src_xpd;
0361
0362     if (src->xp.len == 0)
0363         return 0;
0364     dest = avc_xperms_alloc();
0365     if (!dest)
0366         return -ENOMEM;
0367
0368     memcpy(dest->xp.drivers.p, src->xp.drivers.p, sizeof(dest->xp.drivers.p));
0369     dest->xp.len = src->xp.len;
0370
0371     /* for each source xpd allocate a destination xpd and copy */
0372     list_for_each_entry(src_xpd, &src->xpd_head, xpd_list) {
0373         dest_xpd = avc_xperms_decision_alloc(src_xpd->xpd.used);
0374         if (!dest_xpd)
0375             goto error;
0376         avc_copy_xperms_decision(&dest_xpd->xpd, &src_xpd->xpd);
0377         list_add(&dest_xpd->xpd_list, &dest->xpd_head);
0378     }
0379     node->ae.xp_node = dest;
0380     return 0;
0381 error:
0382     avc_xperms_free(dest);
0383     return -ENOMEM;
0384
0385 }
0386
0387 static inline u32 avc_xperms_audit_required(u32 requested,
0388                     struct av_decision *avd,
0389                     struct extended_perms_decision *xpd,
0390                     u8 perm,
0391                     int result,
0392                     u32 *deniedp)
0393 {
0394     u32 denied, audited;
0395
0396     denied = requested & ~avd->allowed;
0397     if (unlikely(denied)) {
0398         audited = denied & avd->auditdeny;
0399         if (audited && xpd) {
0400             if (avc_xperms_has_perm(xpd, perm, XPERMS_DONTAUDIT))
0401                 audited &= ~requested;
0402         }
0403     } else if (result) {
0404         audited = denied = requested;
0405     } else {
0406         audited = requested & avd->auditallow;
0407         if (audited && xpd) {
0408             if (!avc_xperms_has_perm(xpd, perm, XPERMS_AUDITALLOW))
0409                 audited &= ~requested;
0410         }
0411     }
0412
0413     *deniedp = denied;
0414     return audited;
0415 }
0416
0417 static inline int avc_xperms_audit(struct selinux_state *state,
0418                    u32 ssid, u32 tsid, u16 tclass,
0419                    u32 requested, struct av_decision *avd,
0420                    struct extended_perms_decision *xpd,
0421                    u8 perm, int result,
0422                    struct common_audit_data *ad)
0423 {
0424     u32 audited, denied;
0425
0426     audited = avc_xperms_audit_required(
0427             requested, avd, xpd, perm, result, &denied);
0428     if (likely(!audited))
0429         return 0;
0430     return slow_avc_audit(state, ssid, tsid, tclass, requested,
0431             audited, denied, result, ad);
0432 }
0433
0434 static void avc_node_free(struct rcu_head *rhead)
0435 {
0436     struct avc_node *node = container_of(rhead, struct avc_node, rhead);
0437     avc_xperms_free(node->ae.xp_node);
0438     kmem_cache_free(avc_node_cachep, node);
0439     avc_cache_stats_incr(frees);
0440 }
0441
0442 static void avc_node_delete(struct selinux_avc *avc, struct avc_node *node)
0443 {
0444     hlist_del_rcu(&node->list);
0445     call_rcu(&node->rhead, avc_node_free);
0446     atomic_dec(&avc->avc_cache.active_nodes);
0447 }
0448
0449 static void avc_node_kill(struct selinux_avc *avc, struct avc_node *node)
0450 {
0451     avc_xperms_free(node->ae.xp_node);
0452     kmem_cache_free(avc_node_cachep, node);
0453     avc_cache_stats_incr(frees);
0454     atomic_dec(&avc->avc_cache.active_nodes);
0455 }
0456
0457 static void avc_node_replace(struct selinux_avc *avc,
0458                  struct avc_node *new, struct avc_node *old)
0459 {
0460     hlist_replace_rcu(&old->list, &new->list);
0461     call_rcu(&old->rhead, avc_node_free);
0462     atomic_dec(&avc->avc_cache.active_nodes);
0463 }
0464
0465 static inline int avc_reclaim_node(struct selinux_avc *avc)
0466 {
0467     struct avc_node *node;
0468     int hvalue, try, ecx;
0469     unsigned long flags;
0470     struct hlist_head *head;
0471     spinlock_t *lock;
0472
0473     for (try = 0, ecx = 0; try < AVC_CACHE_SLOTS; try++) {
0474         hvalue = atomic_inc_return(&avc->avc_cache.lru_hint) &
0475             (AVC_CACHE_SLOTS - 1);
0476         head = &avc->avc_cache.slots[hvalue];
0477         lock = &avc->avc_cache.slots_lock[hvalue];
0478
0479         if (!spin_trylock_irqsave(lock, flags))
0480             continue;
0481
0482         rcu_read_lock();
0483         hlist_for_each_entry(node, head, list) {
0484             avc_node_delete(avc, node);
0485             avc_cache_stats_incr(reclaims);
0486             ecx++;
0487             if (ecx >= AVC_CACHE_RECLAIM) {
0488                 rcu_read_unlock();
0489                 spin_unlock_irqrestore(lock, flags);
0490                 goto out;
0491             }
0492         }
0493         rcu_read_unlock();
0494         spin_unlock_irqrestore(lock, flags);
0495     }
0496 out:
0497     return ecx;
0498 }
0499
0500 static struct avc_node *avc_alloc_node(struct selinux_avc *avc)
0501 {
0502     struct avc_node *node;
0503
0504     node = kmem_cache_zalloc(avc_node_cachep, GFP_NOWAIT | __GFP_NOWARN);
0505     if (!node)
0506         goto out;
0507
0508     INIT_HLIST_NODE(&node->list);
0509     avc_cache_stats_incr(allocations);
0510
0511     if (atomic_inc_return(&avc->avc_cache.active_nodes) >
0512         avc->avc_cache_threshold)
0513         avc_reclaim_node(avc);
0514
0515 out:
0516     return node;
0517 }
0518
0519 static void avc_node_populate(struct avc_node *node, u32 ssid, u32 tsid, u16 tclass, struct av_decision *avd)
0520 {
0521     node->ae.ssid = ssid;
0522     node->ae.tsid = tsid;
0523     node->ae.tclass = tclass;
0524     memcpy(&node->ae.avd, avd, sizeof(node->ae.avd));
0525 }
0526
0527 static inline struct avc_node *avc_search_node(struct selinux_avc *avc,
0528                            u32 ssid, u32 tsid, u16 tclass)
0529 {
0530     struct avc_node *node, *ret = NULL;
0531     int hvalue;
0532     struct hlist_head *head;
0533
0534     hvalue = avc_hash(ssid, tsid, tclass);
0535     head = &avc->avc_cache.slots[hvalue];
0536     hlist_for_each_entry_rcu(node, head, list) {
0537         if (ssid == node->ae.ssid &&
0538             tclass == node->ae.tclass &&
0539             tsid == node->ae.tsid) {
0540             ret = node;
0541             break;
0542         }
0543     }
0544
0545     return ret;
0546 }
0547
0548 /**
0549  * avc_lookup - Look up an AVC entry.
0550  * @avc: the access vector cache
0551  * @ssid: source security identifier
0552  * @tsid: target security identifier
0553  * @tclass: target security class
0554  *
0555  * Look up an AVC entry that is valid for the
0556  * (@ssid, @tsid), interpreting the permissions
0557  * based on @tclass.  If a valid AVC entry exists,
0558  * then this function returns the avc_node.
0559  * Otherwise, this function returns NULL.
0560  */
0561 static struct avc_node *avc_lookup(struct selinux_avc *avc,
0562                    u32 ssid, u32 tsid, u16 tclass)
0563 {
0564     struct avc_node *node;
0565
0566     avc_cache_stats_incr(lookups);
0567     node = avc_search_node(avc, ssid, tsid, tclass);
0568
0569     if (node)
0570         return node;
0571
0572     avc_cache_stats_incr(misses);
0573     return NULL;
0574 }
0575
0576 static int avc_latest_notif_update(struct selinux_avc *avc,
0577                    int seqno, int is_insert)
0578 {
0579     int ret = 0;
0580     static DEFINE_SPINLOCK(notif_lock);
0581     unsigned long flag;
0582
0583     spin_lock_irqsave(&notif_lock, flag);
0584     if (is_insert) {
0585         if (seqno < avc->avc_cache.latest_notif) {
0586             pr_warn("SELinux: avc:  seqno %d < latest_notif %d\n",
0587                    seqno, avc->avc_cache.latest_notif);
0588             ret = -EAGAIN;
0589         }
0590     } else {
0591         if (seqno > avc->avc_cache.latest_notif)
0592             avc->avc_cache.latest_notif = seqno;
0593     }
0594     spin_unlock_irqrestore(&notif_lock, flag);
0595
0596     return ret;
0597 }
0598
0599 /**
0600  * avc_insert - Insert an AVC entry.
0601  * @avc: the access vector cache
0602  * @ssid: source security identifier
0603  * @tsid: target security identifier
0604  * @tclass: target security class
0605  * @avd: resulting av decision
0606  * @xp_node: resulting extended permissions
0607  *
0608  * Insert an AVC entry for the SID pair
0609  * (@ssid, @tsid) and class @tclass.
0610  * The access vectors and the sequence number are
0611  * normally provided by the security server in
0612  * response to a security_compute_av() call.  If the
0613  * sequence number @avd->seqno is not less than the latest
0614  * revocation notification, then the function copies
0615  * the access vectors into a cache entry, returns
0616  * avc_node inserted. Otherwise, this function returns NULL.
0617  */
0618 static struct avc_node *avc_insert(struct selinux_avc *avc,
0619                    u32 ssid, u32 tsid, u16 tclass,
0620                    struct av_decision *avd,
0621                    struct avc_xperms_node *xp_node)
0622 {
0623     struct avc_node *pos, *node = NULL;
0624     int hvalue;
0625     unsigned long flag;
0626     spinlock_t *lock;
0627     struct hlist_head *head;
0628
0629     if (avc_latest_notif_update(avc, avd->seqno, 1))
0630         return NULL;
0631
0632     node = avc_alloc_node(avc);
0633     if (!node)
0634         return NULL;
0635
0636     avc_node_populate(node, ssid, tsid, tclass, avd);
0637     if (avc_xperms_populate(node, xp_node)) {
0638         avc_node_kill(avc, node);
0639         return NULL;
0640     }
0641
0642     hvalue = avc_hash(ssid, tsid, tclass);
0643     head = &avc->avc_cache.slots[hvalue];
0644     lock = &avc->avc_cache.slots_lock[hvalue];
0645     spin_lock_irqsave(lock, flag);
0646     hlist_for_each_entry(pos, head, list) {
0647         if (pos->ae.ssid == ssid &&
0648             pos->ae.tsid == tsid &&
0649             pos->ae.tclass == tclass) {
0650             avc_node_replace(avc, node, pos);
0651             goto found;
0652         }
0653     }
0654     hlist_add_head_rcu(&node->list, head);
0655 found:
0656     spin_unlock_irqrestore(lock, flag);
0657     return node;
0658 }
0659
0660 /**
0661  * avc_audit_pre_callback - SELinux specific information
0662  * will be called by generic audit code
0663  * @ab: the audit buffer
0664  * @a: audit_data
0665  */
0666 static void avc_audit_pre_callback(struct audit_buffer *ab, void *a)
0667 {
0668     struct common_audit_data *ad = a;
0669     struct selinux_audit_data *sad = ad->selinux_audit_data;
0670     u32 av = sad->audited;
0671     const char *const *perms;
0672     int i, perm;
0673
0674     audit_log_format(ab, "avc:  %s ", sad->denied ? "denied" : "granted");
0675
0676     if (av == 0) {
0677         audit_log_format(ab, " null");
0678         return;
0679     }
0680
0681     perms = secclass_map[sad->tclass-1].perms;
0682
0683     audit_log_format(ab, " {");
0684     i = 0;
0685     perm = 1;
0686     while (i < (sizeof(av) * 8)) {
0687         if ((perm & av) && perms[i]) {
0688             audit_log_format(ab, " %s", perms[i]);
0689             av &= ~perm;
0690         }
0691         i++;
0692         perm <<= 1;
0693     }
0694
0695     if (av)
0696         audit_log_format(ab, " 0x%x", av);
0697
0698     audit_log_format(ab, " } for ");
0699 }
0700
0701 /**
0702  * avc_audit_post_callback - SELinux specific information
0703  * will be called by generic audit code
0704  * @ab: the audit buffer
0705  * @a: audit_data
0706  */
0707 static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
0708 {
0709     struct common_audit_data *ad = a;
0710     struct selinux_audit_data *sad = ad->selinux_audit_data;
0711     char *scontext = NULL;
0712     char *tcontext = NULL;
0713     const char *tclass = NULL;
0714     u32 scontext_len;
0715     u32 tcontext_len;
0716     int rc;
0717
0718     rc = security_sid_to_context(sad->state, sad->ssid, &scontext,
0719                      &scontext_len);
0720     if (rc)
0721         audit_log_format(ab, " ssid=%d", sad->ssid);
0722     else
0723         audit_log_format(ab, " scontext=%s", scontext);
0724
0725     rc = security_sid_to_context(sad->state, sad->tsid, &tcontext,
0726                      &tcontext_len);
0727     if (rc)
0728         audit_log_format(ab, " tsid=%d", sad->tsid);
0729     else
0730         audit_log_format(ab, " tcontext=%s", tcontext);
0731
0732     tclass = secclass_map[sad->tclass-1].name;
0733     audit_log_format(ab, " tclass=%s", tclass);
0734
0735     if (sad->denied)
0736         audit_log_format(ab, " permissive=%u", sad->result ? 0 : 1);
0737
0738     trace_selinux_audited(sad, scontext, tcontext, tclass);
0739     kfree(tcontext);
0740     kfree(scontext);
0741
0742     /* in case of invalid context report also the actual context string */
0743     rc = security_sid_to_context_inval(sad->state, sad->ssid, &scontext,
0744                        &scontext_len);
0745     if (!rc && scontext) {
0746         if (scontext_len && scontext[scontext_len - 1] == '\0')
0747             scontext_len--;
0748         audit_log_format(ab, " srawcon=");
0749         audit_log_n_untrustedstring(ab, scontext, scontext_len);
0750         kfree(scontext);
0751     }
0752
0753     rc = security_sid_to_context_inval(sad->state, sad->tsid, &scontext,
0754                        &scontext_len);
0755     if (!rc && scontext) {
0756         if (scontext_len && scontext[scontext_len - 1] == '\0')
0757             scontext_len--;
0758         audit_log_format(ab, " trawcon=");
0759         audit_log_n_untrustedstring(ab, scontext, scontext_len);
0760         kfree(scontext);
0761     }
0762 }
0763
0764 /*
0765  * This is the slow part of avc audit with big stack footprint.
0766  * Note that it is non-blocking and can be called from under
0767  * rcu_read_lock().
0768  */
0769 noinline int slow_avc_audit(struct selinux_state *state,
0770                 u32 ssid, u32 tsid, u16 tclass,
0771                 u32 requested, u32 audited, u32 denied, int result,
0772                 struct common_audit_data *a)
0773 {
0774     struct common_audit_data stack_data;
0775     struct selinux_audit_data sad;
0776
0777     if (WARN_ON(!tclass || tclass >= ARRAY_SIZE(secclass_map)))
0778         return -EINVAL;
0779
0780     if (!a) {
0781         a = &stack_data;
0782         a->type = LSM_AUDIT_DATA_NONE;
0783     }
0784
0785     sad.tclass = tclass;
0786     sad.requested = requested;
0787     sad.ssid = ssid;
0788     sad.tsid = tsid;
0789     sad.audited = audited;
0790     sad.denied = denied;
0791     sad.result = result;
0792     sad.state = state;
0793
0794     a->selinux_audit_data = &sad;
0795
0796     common_lsm_audit(a, avc_audit_pre_callback, avc_audit_post_callback);
0797     return 0;
0798 }
0799
0800 /**
0801  * avc_add_callback - Register a callback for security events.
0802  * @callback: callback function
0803  * @events: security events
0804  *
0805  * Register a callback function for events in the set @events.
0806  * Returns %0 on success or -%ENOMEM if insufficient memory
0807  * exists to add the callback.
0808  */
0809 int __init avc_add_callback(int (*callback)(u32 event), u32 events)
0810 {
0811     struct avc_callback_node *c;
0812     int rc = 0;
0813
0814     c = kmalloc(sizeof(*c), GFP_KERNEL);
0815     if (!c) {
0816         rc = -ENOMEM;
0817         goto out;
0818     }
0819
0820     c->callback = callback;
0821     c->events = events;
0822     c->next = avc_callbacks;
0823     avc_callbacks = c;
0824 out:
0825     return rc;
0826 }
0827
0828 /**
0829  * avc_update_node - Update an AVC entry
0830  * @avc: the access vector cache
0831  * @event : Updating event
0832  * @perms : Permission mask bits
0833  * @driver: xperm driver information
0834  * @xperm: xperm permissions
0835  * @ssid: AVC entry source sid
0836  * @tsid: AVC entry target sid
0837  * @tclass : AVC entry target object class
0838  * @seqno : sequence number when decision was made
0839  * @xpd: extended_perms_decision to be added to the node
0840  * @flags: the AVC_* flags, e.g. AVC_EXTENDED_PERMS, or 0.
0841  *
0842  * if a valid AVC entry doesn't exist,this function returns -ENOENT.
0843  * if kmalloc() called internal returns NULL, this function returns -ENOMEM.
0844  * otherwise, this function updates the AVC entry. The original AVC-entry object
0845  * will release later by RCU.
0846  */
0847 static int avc_update_node(struct selinux_avc *avc,
0848                u32 event, u32 perms, u8 driver, u8 xperm, u32 ssid,
0849                u32 tsid, u16 tclass, u32 seqno,
0850                struct extended_perms_decision *xpd,
0851                u32 flags)
0852 {
0853     int hvalue, rc = 0;
0854     unsigned long flag;
0855     struct avc_node *pos, *node, *orig = NULL;
0856     struct hlist_head *head;
0857     spinlock_t *lock;
0858
0859     node = avc_alloc_node(avc);
0860     if (!node) {
0861         rc = -ENOMEM;
0862         goto out;
0863     }
0864
0865     /* Lock the target slot */
0866     hvalue = avc_hash(ssid, tsid, tclass);
0867
0868     head = &avc->avc_cache.slots[hvalue];
0869     lock = &avc->avc_cache.slots_lock[hvalue];
0870
0871     spin_lock_irqsave(lock, flag);
0872
0873     hlist_for_each_entry(pos, head, list) {
0874         if (ssid == pos->ae.ssid &&
0875             tsid == pos->ae.tsid &&
0876             tclass == pos->ae.tclass &&
0877             seqno == pos->ae.avd.seqno){
0878             orig = pos;
0879             break;
0880         }
0881     }
0882
0883     if (!orig) {
0884         rc = -ENOENT;
0885         avc_node_kill(avc, node);
0886         goto out_unlock;
0887     }
0888
0889     /*
0890      * Copy and replace original node.
0891      */
0892
0893     avc_node_populate(node, ssid, tsid, tclass, &orig->ae.avd);
0894
0895     if (orig->ae.xp_node) {
0896         rc = avc_xperms_populate(node, orig->ae.xp_node);
0897         if (rc) {
0898             avc_node_kill(avc, node);
0899             goto out_unlock;
0900         }
0901     }
0902
0903     switch (event) {
0904     case AVC_CALLBACK_GRANT:
0905         node->ae.avd.allowed |= perms;
0906         if (node->ae.xp_node && (flags & AVC_EXTENDED_PERMS))
0907             avc_xperms_allow_perm(node->ae.xp_node, driver, xperm);
0908         break;
0909     case AVC_CALLBACK_TRY_REVOKE:
0910     case AVC_CALLBACK_REVOKE:
0911         node->ae.avd.allowed &= ~perms;
0912         break;
0913     case AVC_CALLBACK_AUDITALLOW_ENABLE:
0914         node->ae.avd.auditallow |= perms;
0915         break;
0916     case AVC_CALLBACK_AUDITALLOW_DISABLE:
0917         node->ae.avd.auditallow &= ~perms;
0918         break;
0919     case AVC_CALLBACK_AUDITDENY_ENABLE:
0920         node->ae.avd.auditdeny |= perms;
0921         break;
0922     case AVC_CALLBACK_AUDITDENY_DISABLE:
0923         node->ae.avd.auditdeny &= ~perms;
0924         break;
0925     case AVC_CALLBACK_ADD_XPERMS:
0926         avc_add_xperms_decision(node, xpd);
0927         break;
0928     }
0929     avc_node_replace(avc, node, orig);
0930 out_unlock:
0931     spin_unlock_irqrestore(lock, flag);
0932 out:
0933     return rc;
0934 }
0935
0936 /**
0937  * avc_flush - Flush the cache
0938  * @avc: the access vector cache
0939  */
0940 static void avc_flush(struct selinux_avc *avc)
0941 {
0942     struct hlist_head *head;
0943     struct avc_node *node;
0944     spinlock_t *lock;
0945     unsigned long flag;
0946     int i;
0947
0948     for (i = 0; i < AVC_CACHE_SLOTS; i++) {
0949         head = &avc->avc_cache.slots[i];
0950         lock = &avc->avc_cache.slots_lock[i];
0951
0952         spin_lock_irqsave(lock, flag);
0953         /*
0954          * With preemptable RCU, the outer spinlock does not
0955          * prevent RCU grace periods from ending.
0956          */
0957         rcu_read_lock();
0958         hlist_for_each_entry(node, head, list)
0959             avc_node_delete(avc, node);
0960         rcu_read_unlock();
0961         spin_unlock_irqrestore(lock, flag);
0962     }
0963 }
0964
0965 /**
0966  * avc_ss_reset - Flush the cache and revalidate migrated permissions.
0967  * @avc: the access vector cache
0968  * @seqno: policy sequence number
0969  */
0970 int avc_ss_reset(struct selinux_avc *avc, u32 seqno)
0971 {
0972     struct avc_callback_node *c;
0973     int rc = 0, tmprc;
0974
0975     avc_flush(avc);
0976
0977     for (c = avc_callbacks; c; c = c->next) {
0978         if (c->events & AVC_CALLBACK_RESET) {
0979             tmprc = c->callback(AVC_CALLBACK_RESET);
0980             /* save the first error encountered for the return
0981                value and continue processing the callbacks */
0982             if (!rc)
0983                 rc = tmprc;
0984         }
0985     }
0986
0987     avc_latest_notif_update(avc, seqno, 0);
0988     return rc;
0989 }
0990
0991 /*
0992  * Slow-path helper function for avc_has_perm_noaudit,
0993  * when the avc_node lookup fails. We get called with
0994  * the RCU read lock held, and need to return with it
0995  * still held, but drop if for the security compute.
0996  *
0997  * Don't inline this, since it's the slow-path and just
0998  * results in a bigger stack frame.
0999  */
1000 static noinline
1001 struct avc_node *avc_compute_av(struct selinux_state *state,
1002                 u32 ssid, u32 tsid,
1003                 u16 tclass, struct av_decision *avd,
1004                 struct avc_xperms_node *xp_node)
1005 {
1006     rcu_read_unlock();
1007     INIT_LIST_HEAD(&xp_node->xpd_head);
1008     security_compute_av(state, ssid, tsid, tclass, avd, &xp_node->xp);
1009     rcu_read_lock();
1010     return avc_insert(state->avc, ssid, tsid, tclass, avd, xp_node);
1011 }
1012
1013 static noinline int avc_denied(struct selinux_state *state,
1014                    u32 ssid, u32 tsid,
1015                    u16 tclass, u32 requested,
1016                    u8 driver, u8 xperm, unsigned int flags,
1017                    struct av_decision *avd)
1018 {
1019     if (flags & AVC_STRICT)
1020         return -EACCES;
1021
1022     if (enforcing_enabled(state) &&
1023         !(avd->flags & AVD_FLAGS_PERMISSIVE))
1024         return -EACCES;
1025
1026     avc_update_node(state->avc, AVC_CALLBACK_GRANT, requested, driver,
1027             xperm, ssid, tsid, tclass, avd->seqno, NULL, flags);
1028     return 0;
1029 }
1030
1031 /*
1032  * The avc extended permissions logic adds an additional 256 bits of
1033  * permissions to an avc node when extended permissions for that node are
1034  * specified in the avtab. If the additional 256 permissions is not adequate,
1035  * as-is the case with ioctls, then multiple may be chained together and the
1036  * driver field is used to specify which set contains the permission.
1037  */
1038 int avc_has_extended_perms(struct selinux_state *state,
1039                u32 ssid, u32 tsid, u16 tclass, u32 requested,
1040                u8 driver, u8 xperm, struct common_audit_data *ad)
1041 {
1042     struct avc_node *node;
1043     struct av_decision avd;
1044     u32 denied;
1045     struct extended_perms_decision local_xpd;
1046     struct extended_perms_decision *xpd = NULL;
1047     struct extended_perms_data allowed;
1048     struct extended_perms_data auditallow;
1049     struct extended_perms_data dontaudit;
1050     struct avc_xperms_node local_xp_node;
1051     struct avc_xperms_node *xp_node;
1052     int rc = 0, rc2;
1053
1054     xp_node = &local_xp_node;
1055     if (WARN_ON(!requested))
1056         return -EACCES;
1057
1058     rcu_read_lock();
1059
1060     node = avc_lookup(state->avc, ssid, tsid, tclass);
1061     if (unlikely(!node)) {
1062         avc_compute_av(state, ssid, tsid, tclass, &avd, xp_node);
1063     } else {
1064         memcpy(&avd, &node->ae.avd, sizeof(avd));
1065         xp_node = node->ae.xp_node;
1066     }
1067     /* if extended permissions are not defined, only consider av_decision */
1068     if (!xp_node || !xp_node->xp.len)
1069         goto decision;
1070
1071     local_xpd.allowed = &allowed;
1072     local_xpd.auditallow = &auditallow;
1073     local_xpd.dontaudit = &dontaudit;
1074
1075     xpd = avc_xperms_decision_lookup(driver, xp_node);
1076     if (unlikely(!xpd)) {
1077         /*
1078          * Compute the extended_perms_decision only if the driver
1079          * is flagged
1080          */
1081         if (!security_xperm_test(xp_node->xp.drivers.p, driver)) {
1082             avd.allowed &= ~requested;
1083             goto decision;
1084         }
1085         rcu_read_unlock();
1086         security_compute_xperms_decision(state, ssid, tsid, tclass,
1087                          driver, &local_xpd);
1088         rcu_read_lock();
1089         avc_update_node(state->avc, AVC_CALLBACK_ADD_XPERMS, requested,
1090                 driver, xperm, ssid, tsid, tclass, avd.seqno,
1091                 &local_xpd, 0);
1092     } else {
1093         avc_quick_copy_xperms_decision(xperm, &local_xpd, xpd);
1094     }
1095     xpd = &local_xpd;
1096
1097     if (!avc_xperms_has_perm(xpd, xperm, XPERMS_ALLOWED))
1098         avd.allowed &= ~requested;
1099
1100 decision:
1101     denied = requested & ~(avd.allowed);
1102     if (unlikely(denied))
1103         rc = avc_denied(state, ssid, tsid, tclass, requested,
1104                 driver, xperm, AVC_EXTENDED_PERMS, &avd);
1105
1106     rcu_read_unlock();
1107
1108     rc2 = avc_xperms_audit(state, ssid, tsid, tclass, requested,
1109             &avd, xpd, xperm, rc, ad);
1110     if (rc2)
1111         return rc2;
1112     return rc;
1113 }
1114
1115 /**
1116  * avc_has_perm_noaudit - Check permissions but perform no auditing.
1117  * @state: SELinux state
1118  * @ssid: source security identifier
1119  * @tsid: target security identifier
1120  * @tclass: target security class
1121  * @requested: requested permissions, interpreted based on @tclass
1122  * @flags:  AVC_STRICT or 0
1123  * @avd: access vector decisions
1124  *
1125  * Check the AVC to determine whether the @requested permissions are granted
1126  * for the SID pair (@ssid, @tsid), interpreting the permissions
1127  * based on @tclass, and call the security server on a cache miss to obtain
1128  * a new decision and add it to the cache.  Return a copy of the decisions
1129  * in @avd.  Return %0 if all @requested permissions are granted,
1130  * -%EACCES if any permissions are denied, or another -errno upon
1131  * other errors.  This function is typically called by avc_has_perm(),
1132  * but may also be called directly to separate permission checking from
1133  * auditing, e.g. in cases where a lock must be held for the check but
1134  * should be released for the auditing.
1135  */
1136 inline int avc_has_perm_noaudit(struct selinux_state *state,
1137                 u32 ssid, u32 tsid,
1138                 u16 tclass, u32 requested,
1139                 unsigned int flags,
1140                 struct av_decision *avd)
1141 {
1142     struct avc_node *node;
1143     struct avc_xperms_node xp_node;
1144     int rc = 0;
1145     u32 denied;
1146
1147     if (WARN_ON(!requested))
1148         return -EACCES;
1149
1150     rcu_read_lock();
1151
1152     node = avc_lookup(state->avc, ssid, tsid, tclass);
1153     if (unlikely(!node))
1154         avc_compute_av(state, ssid, tsid, tclass, avd, &xp_node);
1155     else
1156         memcpy(avd, &node->ae.avd, sizeof(*avd));
1157
1158     denied = requested & ~(avd->allowed);
1159     if (unlikely(denied))
1160         rc = avc_denied(state, ssid, tsid, tclass, requested, 0, 0,
1161                 flags, avd);
1162
1163     rcu_read_unlock();
1164     return rc;
1165 }
1166
1167 /**
1168  * avc_has_perm - Check permissions and perform any appropriate auditing.
1169  * @state: SELinux state
1170  * @ssid: source security identifier
1171  * @tsid: target security identifier
1172  * @tclass: target security class
1173  * @requested: requested permissions, interpreted based on @tclass
1174  * @auditdata: auxiliary audit data
1175  *
1176  * Check the AVC to determine whether the @requested permissions are granted
1177  * for the SID pair (@ssid, @tsid), interpreting the permissions
1178  * based on @tclass, and call the security server on a cache miss to obtain
1179  * a new decision and add it to the cache.  Audit the granting or denial of
1180  * permissions in accordance with the policy.  Return %0 if all @requested
1181  * permissions are granted, -%EACCES if any permissions are denied, or
1182  * another -errno upon other errors.
1183  */
1184 int avc_has_perm(struct selinux_state *state, u32 ssid, u32 tsid, u16 tclass,
1185          u32 requested, struct common_audit_data *auditdata)
1186 {
1187     struct av_decision avd;
1188     int rc, rc2;
1189
1190     rc = avc_has_perm_noaudit(state, ssid, tsid, tclass, requested, 0,
1191                   &avd);
1192
1193     rc2 = avc_audit(state, ssid, tsid, tclass, requested, &avd, rc,
1194             auditdata);
1195     if (rc2)
1196         return rc2;
1197     return rc;
1198 }
1199
1200 u32 avc_policy_seqno(struct selinux_state *state)
1201 {
1202     return state->avc->avc_cache.latest_notif;
1203 }
1204
1205 void avc_disable(void)
1206 {
1207     /*
1208      * If you are looking at this because you have realized that we are
1209      * not destroying the avc_node_cachep it might be easy to fix, but
1210      * I don't know the memory barrier semantics well enough to know.  It's
1211      * possible that some other task dereferenced security_ops when
1212      * it still pointed to selinux operations.  If that is the case it's
1213      * possible that it is about to use the avc and is about to need the
1214      * avc_node_cachep.  I know I could wrap the security.c security_ops call
1215      * in an rcu_lock, but seriously, it's not worth it.  Instead I just flush
1216      * the cache and get that memory back.
1217      */
1218     if (avc_node_cachep) {
1219         avc_flush(selinux_state.avc);
1220         /* kmem_cache_destroy(avc_node_cachep); */
1221     }
1222 }