extern const struct selinux_class_perm selinux_class_perm;
static DEFINE_RWLOCK(policy_rwlock);
-#define POLICY_RDLOCK read_lock(&policy_rwlock)
-#define POLICY_WRLOCK write_lock_irq(&policy_rwlock)
-#define POLICY_RDUNLOCK read_unlock(&policy_rwlock)
-#define POLICY_WRUNLOCK write_unlock_irq(&policy_rwlock)
-
-static DEFINE_MUTEX(load_mutex);
-#define LOAD_LOCK mutex_lock(&load_mutex)
-#define LOAD_UNLOCK mutex_unlock(&load_mutex)
static struct sidtab sidtab;
struct policydb policydb;
goto inval_class;
if (unlikely(tclass > policydb.p_classes.nprim))
if (tclass > kdefs->cts_len ||
- !kdefs->class_to_string[tclass - 1] ||
+ !kdefs->class_to_string[tclass] ||
!policydb.allow_unknown)
goto inval_class;
return 0;
inval_class:
- printk(KERN_ERR "SELinux: %s: unrecognized class %d\n", __func__,
- tclass);
- return -EINVAL;
+ if (!tclass || tclass > kdefs->cts_len ||
+ !kdefs->class_to_string[tclass]) {
+ if (printk_ratelimit())
+ printk(KERN_ERR "SELinux: %s: unrecognized class %d\n",
+ __func__, tclass);
+ return -EINVAL;
+ }
+
+ /*
+ * Known to the kernel, but not to the policy.
+ * Handle as a denial (allowed is 0).
+ */
+ return 0;
}
/*
u32 type;
int rc;
- POLICY_RDLOCK;
+ read_lock(&policy_rwlock);
context = sidtab_search(&sidtab, sid);
BUG_ON(!context);
*/
rc = ebitmap_get_bit(&policydb.permissive_map, type);
- POLICY_RDUNLOCK;
+ read_unlock(&policy_rwlock);
return rc;
}
if (!ss_initialized)
return 0;
- POLICY_RDLOCK;
+ read_lock(&policy_rwlock);
/*
* Remap extended Netlink classes for old policy versions.
}
out:
- POLICY_RDUNLOCK;
+ read_unlock(&policy_rwlock);
return rc;
}
return 0;
}
- POLICY_RDLOCK;
+ read_lock(&policy_rwlock);
scontext = sidtab_search(&sidtab, ssid);
if (!scontext) {
rc = context_struct_compute_av(scontext, tcontext, tclass,
requested, avd);
out:
- POLICY_RDUNLOCK;
+ read_unlock(&policy_rwlock);
return rc;
}
rc = -EINVAL;
goto out;
}
- POLICY_RDLOCK;
+ read_lock(&policy_rwlock);
if (force)
context = sidtab_search_force(&sidtab, sid);
else
}
rc = context_struct_to_string(context, scontext, scontext_len);
out_unlock:
- POLICY_RDUNLOCK;
+ read_unlock(&policy_rwlock);
out:
return rc;
}
}
- POLICY_RDLOCK;
+ read_lock(&policy_rwlock);
rc = string_to_context_struct(&policydb, &sidtab,
scontext2, scontext_len,
&context, def_sid);
if (rc)
context_destroy(&context);
out:
- POLICY_RDUNLOCK;
+ read_unlock(&policy_rwlock);
kfree(scontext2);
kfree(str);
return rc;
context_init(&newcontext);
- POLICY_RDLOCK;
+ read_lock(&policy_rwlock);
scontext = sidtab_search(&sidtab, ssid);
if (!scontext) {
/* Obtain the sid for the context. */
rc = sidtab_context_to_sid(&sidtab, &newcontext, out_sid);
out_unlock:
- POLICY_RDUNLOCK;
+ read_unlock(&policy_rwlock);
context_destroy(&newcontext);
out:
return rc;
const struct selinux_class_perm *kdefs = &selinux_class_perm;
const char *def_class, *def_perm, *pol_class;
struct symtab *perms;
+ bool print_unknown_handle = 0;
if (p->allow_unknown) {
u32 num_classes = kdefs->cts_len;
return -EINVAL;
if (p->allow_unknown)
p->undefined_perms[i-1] = ~0U;
+ print_unknown_handle = 1;
continue;
}
pol_class = p->p_class_val_to_name[i-1];
return -EINVAL;
if (p->allow_unknown)
p->undefined_perms[class_val-1] |= perm_val;
+ print_unknown_handle = 1;
continue;
}
perdatum = hashtab_search(perms->table, def_perm);
return -EINVAL;
if (p->allow_unknown)
p->undefined_perms[class_val-1] |= (1 << j);
+ print_unknown_handle = 1;
continue;
}
perdatum = hashtab_search(perms->table, def_perm);
}
}
}
+ if (print_unknown_handle)
+ printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
+ (security_get_allow_unknown() ? "allowed" : "denied"));
return 0;
}
int rc = 0;
struct policy_file file = { data, len }, *fp = &file;
- LOAD_LOCK;
-
if (!ss_initialized) {
avtab_cache_init();
if (policydb_read(&policydb, fp)) {
- LOAD_UNLOCK;
avtab_cache_destroy();
return -EINVAL;
}
if (policydb_load_isids(&policydb, &sidtab)) {
- LOAD_UNLOCK;
policydb_destroy(&policydb);
avtab_cache_destroy();
return -EINVAL;
if (validate_classes(&policydb)) {
printk(KERN_ERR
"SELinux: the definition of a class is incorrect\n");
- LOAD_UNLOCK;
sidtab_destroy(&sidtab);
policydb_destroy(&policydb);
avtab_cache_destroy();
policydb_loaded_version = policydb.policyvers;
ss_initialized = 1;
seqno = ++latest_granting;
- LOAD_UNLOCK;
selinux_complete_init();
avc_ss_reset(seqno);
selnl_notify_policyload(seqno);
sidtab_hash_eval(&sidtab, "sids");
#endif
- if (policydb_read(&newpolicydb, fp)) {
- LOAD_UNLOCK;
+ if (policydb_read(&newpolicydb, fp))
return -EINVAL;
- }
if (sidtab_init(&newsidtab)) {
- LOAD_UNLOCK;
policydb_destroy(&newpolicydb);
return -ENOMEM;
}
sidtab_set(&oldsidtab, &sidtab);
/* Install the new policydb and SID table. */
- POLICY_WRLOCK;
+ write_lock_irq(&policy_rwlock);
memcpy(&policydb, &newpolicydb, sizeof policydb);
sidtab_set(&sidtab, &newsidtab);
security_load_policycaps();
seqno = ++latest_granting;
policydb_loaded_version = policydb.policyvers;
- POLICY_WRUNLOCK;
- LOAD_UNLOCK;
+ write_unlock_irq(&policy_rwlock);
/* Free the old policydb and SID table. */
policydb_destroy(&oldpolicydb);
return 0;
err:
- LOAD_UNLOCK;
sidtab_destroy(&newsidtab);
policydb_destroy(&newpolicydb);
return rc;
struct ocontext *c;
int rc = 0;
- POLICY_RDLOCK;
+ read_lock(&policy_rwlock);
c = policydb.ocontexts[OCON_PORT];
while (c) {
}
out:
- POLICY_RDUNLOCK;
+ read_unlock(&policy_rwlock);
return rc;
}
int rc = 0;
struct ocontext *c;
- POLICY_RDLOCK;
+ read_lock(&policy_rwlock);
c = policydb.ocontexts[OCON_NETIF];
while (c) {
*if_sid = SECINITSID_NETIF;
out:
- POLICY_RDUNLOCK;
+ read_unlock(&policy_rwlock);
return rc;
}
int rc = 0;
struct ocontext *c;
- POLICY_RDLOCK;
+ read_lock(&policy_rwlock);
switch (domain) {
case AF_INET: {
}
out:
- POLICY_RDUNLOCK;
+ read_unlock(&policy_rwlock);
return rc;
}
if (!ss_initialized)
goto out;
- POLICY_RDLOCK;
+ read_lock(&policy_rwlock);
context_init(&usercon);
}
out_unlock:
- POLICY_RDUNLOCK;
+ read_unlock(&policy_rwlock);
if (rc || !mynel) {
kfree(mysids);
goto out;
while (path[0] == '/' && path[1] == '/')
path++;
- POLICY_RDLOCK;
+ read_lock(&policy_rwlock);
for (genfs = policydb.genfs; genfs; genfs = genfs->next) {
cmp = strcmp(fstype, genfs->fstype);
*sid = c->sid[0];
out:
- POLICY_RDUNLOCK;
+ read_unlock(&policy_rwlock);
return rc;
}
int security_fs_use(
const char *fstype,
unsigned int *behavior,
- u32 *sid)
+ u32 *sid,
+ bool can_xattr)
{
int rc = 0;
struct ocontext *c;
- POLICY_RDLOCK;
+ read_lock(&policy_rwlock);
c = policydb.ocontexts[OCON_FSUSE];
while (c) {
c = c->next;
}
+ /* look for labeling behavior defined in policy */
if (c) {
*behavior = c->v.behavior;
if (!c->sid[0]) {
goto out;
}
*sid = c->sid[0];
+ goto out;
+ }
+
+ /* labeling behavior not in policy, use xattrs if possible */
+ if (can_xattr) {
+ *behavior = SECURITY_FS_USE_XATTR;
+ *sid = SECINITSID_FS;
+ goto out;
+ }
+
+ /* no behavior in policy and can't use xattrs, try GENFS */
+ rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, sid);
+ if (rc) {
+ *behavior = SECURITY_FS_USE_NONE;
+ rc = 0;
} else {
- rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, sid);
- if (rc) {
- *behavior = SECURITY_FS_USE_NONE;
- rc = 0;
- } else {
- *behavior = SECURITY_FS_USE_GENFS;
- }
+ *behavior = SECURITY_FS_USE_GENFS;
}
out:
- POLICY_RDUNLOCK;
+ read_unlock(&policy_rwlock);
return rc;
}
{
int i, rc = -ENOMEM;
- POLICY_RDLOCK;
+ read_lock(&policy_rwlock);
*names = NULL;
*values = NULL;
}
rc = 0;
out:
- POLICY_RDUNLOCK;
+ read_unlock(&policy_rwlock);
return rc;
err:
if (*names) {
int lenp, seqno = 0;
struct cond_node *cur;
- POLICY_WRLOCK;
+ write_lock_irq(&policy_rwlock);
lenp = policydb.p_bools.nprim;
if (len != lenp) {
seqno = ++latest_granting;
out:
- POLICY_WRUNLOCK;
+ write_unlock_irq(&policy_rwlock);
if (!rc) {
avc_ss_reset(seqno);
selnl_notify_policyload(seqno);
int rc = 0;
int len;
- POLICY_RDLOCK;
+ read_lock(&policy_rwlock);
len = policydb.p_bools.nprim;
if (bool >= len) {
rc = policydb.bool_val_to_struct[bool]->state;
out:
- POLICY_RDUNLOCK;
+ read_unlock(&policy_rwlock);
return rc;
}
context_init(&newcon);
- POLICY_RDLOCK;
+ read_lock(&policy_rwlock);
context1 = sidtab_search(&sidtab, sid);
if (!context1) {
printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
}
out_unlock:
- POLICY_RDUNLOCK;
+ read_unlock(&policy_rwlock);
context_destroy(&newcon);
out:
return rc;
return 0;
}
- POLICY_RDLOCK;
+ read_lock(&policy_rwlock);
nlbl_ctx = sidtab_search(&sidtab, nlbl_sid);
if (!nlbl_ctx) {
rc = (mls_context_cmp(nlbl_ctx, xfrm_ctx) ? 0 : -EACCES);
out_slowpath:
- POLICY_RDUNLOCK;
+ read_unlock(&policy_rwlock);
if (rc == 0)
/* at present NetLabel SIDs/labels really only carry MLS
* information so if the MLS portion of the NetLabel SID
{
int rc = -ENOMEM;
- POLICY_RDLOCK;
+ read_lock(&policy_rwlock);
*nclasses = policydb.p_classes.nprim;
*classes = kcalloc(*nclasses, sizeof(*classes), GFP_ATOMIC);
}
out:
- POLICY_RDUNLOCK;
+ read_unlock(&policy_rwlock);
return rc;
}
int rc = -ENOMEM, i;
struct class_datum *match;
- POLICY_RDLOCK;
+ read_lock(&policy_rwlock);
match = hashtab_search(policydb.p_classes.table, class);
if (!match) {
goto err;
out:
- POLICY_RDUNLOCK;
+ read_unlock(&policy_rwlock);
return rc;
err:
- POLICY_RDUNLOCK;
+ read_unlock(&policy_rwlock);
for (i = 0; i < *nperms; i++)
kfree((*perms)[i]);
kfree(*perms);
{
int rc;
- POLICY_RDLOCK;
+ read_lock(&policy_rwlock);
rc = ebitmap_get_bit(&policydb.policycaps, req_cap);
- POLICY_RDUNLOCK;
+ read_unlock(&policy_rwlock);
return rc;
}
context_init(&tmprule->au_ctxt);
- POLICY_RDLOCK;
+ read_lock(&policy_rwlock);
tmprule->au_seqno = latest_granting;
break;
}
- POLICY_RDUNLOCK;
+ read_unlock(&policy_rwlock);
if (rc) {
selinux_audit_rule_free(tmprule);
}
int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
- struct audit_context *actx)
+ struct audit_context *actx)
{
struct context *ctxt;
struct mls_level *level;
return -ENOENT;
}
- POLICY_RDLOCK;
+ read_lock(&policy_rwlock);
if (rule->au_seqno < latest_granting) {
audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
}
out:
- POLICY_RDUNLOCK;
+ read_unlock(&policy_rwlock);
return match;
}
static int (*aurule_callback)(void) = audit_update_lsm_rules;
static int aurule_avc_callback(u32 event, u32 ssid, u32 tsid,
- u16 class, u32 perms, u32 *retained)
+ u16 class, u32 perms, u32 *retained)
{
int err = 0;
return 0;
}
- POLICY_RDLOCK;
+ read_lock(&policy_rwlock);
if (secattr->flags & NETLBL_SECATTR_CACHE) {
*sid = *(u32 *)secattr->cache->data;
}
netlbl_secattr_to_sid_return:
- POLICY_RDUNLOCK;
+ read_unlock(&policy_rwlock);
return rc;
netlbl_secattr_to_sid_return_cleanup:
ebitmap_destroy(&ctx_new.range.level[0].cat);
if (!ss_initialized)
return 0;
- POLICY_RDLOCK;
+ read_lock(&policy_rwlock);
ctx = sidtab_search(&sidtab, sid);
if (ctx == NULL)
goto netlbl_sid_to_secattr_failure;
rc = mls_export_netlbl_cat(ctx, secattr);
if (rc != 0)
goto netlbl_sid_to_secattr_failure;
- POLICY_RDUNLOCK;
+ read_unlock(&policy_rwlock);
return 0;
netlbl_sid_to_secattr_failure:
- POLICY_RDUNLOCK;
+ read_unlock(&policy_rwlock);
return rc;
}
#endif /* CONFIG_NETLABEL */