1 // SPDX-License-Identifier: GPL-2.0-only
2 /* Authors: Karl MacMillan <kmacmillan@tresys.com>
3 * Frank Mayer <mayerf@tresys.com>
5 * Copyright (C) 2003 - 2004 Tresys Technology, LLC
8 #include <linux/kernel.h>
9 #include <linux/errno.h>
10 #include <linux/string.h>
11 #include <linux/spinlock.h>
12 #include <linux/slab.h>
15 #include "conditional.h"
19 * cond_evaluate_expr evaluates a conditional expr
20 * in reverse polish notation. It returns true (1), false (0),
21 * or undefined (-1). Undefined occurs when the expression
22 * exceeds the stack depth of COND_EXPR_MAXDEPTH.
24 static int cond_evaluate_expr(struct policydb *p, struct cond_expr *expr)
27 int s[COND_EXPR_MAXDEPTH];
30 for (i = 0; i < expr->len; i++) {
31 struct cond_expr_node *node = &expr->nodes[i];
33 switch (node->expr_type) {
35 if (sp == (COND_EXPR_MAXDEPTH - 1))
38 s[sp] = p->bool_val_to_struct[node->bool - 1]->state;
67 s[sp] = (s[sp] == s[sp + 1]);
73 s[sp] = (s[sp] != s[sp + 1]);
83 * evaluate_cond_node evaluates the conditional stored in
84 * a struct cond_node and if the result is different than the
85 * current state of the node it sets the rules in the true/false
86 * list appropriately. If the result of the expression is undefined
87 * all of the rules are disabled for safety.
89 static void evaluate_cond_node(struct policydb *p, struct cond_node *node)
91 struct avtab_node *avnode;
95 new_state = cond_evaluate_expr(p, &node->expr);
96 if (new_state != node->cur_state) {
97 node->cur_state = new_state;
99 pr_err("SELinux: expression result was undefined - disabling all rules.\n");
100 /* turn the rules on or off */
101 for (i = 0; i < node->true_list.len; i++) {
102 avnode = node->true_list.nodes[i];
104 avnode->key.specified &= ~AVTAB_ENABLED;
106 avnode->key.specified |= AVTAB_ENABLED;
109 for (i = 0; i < node->false_list.len; i++) {
110 avnode = node->false_list.nodes[i];
113 avnode->key.specified &= ~AVTAB_ENABLED;
115 avnode->key.specified |= AVTAB_ENABLED;
120 void evaluate_cond_nodes(struct policydb *p)
124 for (i = 0; i < p->cond_list_len; i++)
125 evaluate_cond_node(p, &p->cond_list[i]);
128 void cond_policydb_init(struct policydb *p)
130 p->bool_val_to_struct = NULL;
132 p->cond_list_len = 0;
134 avtab_init(&p->te_cond_avtab);
137 static void cond_node_destroy(struct cond_node *node)
139 kfree(node->expr.nodes);
140 /* the avtab_ptr_t nodes are destroyed by the avtab */
141 kfree(node->true_list.nodes);
142 kfree(node->false_list.nodes);
145 static void cond_list_destroy(struct policydb *p)
149 for (i = 0; i < p->cond_list_len; i++)
150 cond_node_destroy(&p->cond_list[i]);
154 void cond_policydb_destroy(struct policydb *p)
156 kfree(p->bool_val_to_struct);
157 avtab_destroy(&p->te_cond_avtab);
158 cond_list_destroy(p);
161 int cond_init_bool_indexes(struct policydb *p)
163 kfree(p->bool_val_to_struct);
164 p->bool_val_to_struct = kmalloc_array(p->p_bools.nprim,
165 sizeof(*p->bool_val_to_struct),
167 if (!p->bool_val_to_struct)
172 int cond_destroy_bool(void *key, void *datum, void *p)
179 int cond_index_bool(void *key, void *datum, void *datap)
182 struct cond_bool_datum *booldatum;
187 if (!booldatum->value || booldatum->value > p->p_bools.nprim)
190 p->sym_val_to_name[SYM_BOOLS][booldatum->value - 1] = key;
191 p->bool_val_to_struct[booldatum->value - 1] = booldatum;
196 static int bool_isvalid(struct cond_bool_datum *b)
198 if (!(b->state == 0 || b->state == 1))
203 int cond_read_bool(struct policydb *p, struct hashtab *h, void *fp)
206 struct cond_bool_datum *booldatum;
211 booldatum = kzalloc(sizeof(*booldatum), GFP_KERNEL);
215 rc = next_entry(buf, fp, sizeof buf);
219 booldatum->value = le32_to_cpu(buf[0]);
220 booldatum->state = le32_to_cpu(buf[1]);
223 if (!bool_isvalid(booldatum))
226 len = le32_to_cpu(buf[2]);
227 if (((len == 0) || (len == (u32)-1)))
231 key = kmalloc(len + 1, GFP_KERNEL);
234 rc = next_entry(key, fp, len);
238 rc = hashtab_insert(h, key, booldatum);
244 cond_destroy_bool(key, booldatum, NULL);
248 struct cond_insertf_data {
250 struct avtab_node **dst;
251 struct cond_av_list *other;
254 static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum *d, void *ptr)
256 struct cond_insertf_data *data = ptr;
257 struct policydb *p = data->p;
258 struct cond_av_list *other = data->other;
259 struct avtab_node *node_ptr;
264 * For type rules we have to make certain there aren't any
265 * conflicting rules by searching the te_avtab and the
268 if (k->specified & AVTAB_TYPE) {
269 if (avtab_search(&p->te_avtab, k)) {
270 pr_err("SELinux: type rule already exists outside of a conditional.\n");
274 * If we are reading the false list other will be a pointer to
275 * the true list. We can have duplicate entries if there is only
276 * 1 other entry and it is in our true list.
278 * If we are reading the true list (other == NULL) there shouldn't
279 * be any other entries.
282 node_ptr = avtab_search_node(&p->te_cond_avtab, k);
284 if (avtab_search_node_next(node_ptr, k->specified)) {
285 pr_err("SELinux: too many conflicting type rules.\n");
289 for (i = 0; i < other->len; i++) {
290 if (other->nodes[i] == node_ptr) {
296 pr_err("SELinux: conflicting type rules.\n");
301 if (avtab_search(&p->te_cond_avtab, k)) {
302 pr_err("SELinux: conflicting type rules when adding type rule for true.\n");
308 node_ptr = avtab_insert_nonunique(&p->te_cond_avtab, k, d);
310 pr_err("SELinux: could not insert rule.\n");
314 *data->dst = node_ptr;
318 static int cond_read_av_list(struct policydb *p, void *fp,
319 struct cond_av_list *list,
320 struct cond_av_list *other)
325 struct cond_insertf_data data;
327 rc = next_entry(buf, fp, sizeof(u32));
331 len = le32_to_cpu(buf[0]);
335 list->nodes = kcalloc(len, sizeof(*list->nodes), GFP_KERNEL);
341 for (i = 0; i < len; i++) {
342 data.dst = &list->nodes[i];
343 rc = avtab_read_item(&p->te_cond_avtab, fp, p, cond_insertf,
356 static int expr_node_isvalid(struct policydb *p, struct cond_expr_node *expr)
358 if (expr->expr_type <= 0 || expr->expr_type > COND_LAST) {
359 pr_err("SELinux: conditional expressions uses unknown operator.\n");
363 if (expr->bool > p->p_bools.nprim) {
364 pr_err("SELinux: conditional expressions uses unknown bool.\n");
370 static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp)
376 rc = next_entry(buf, fp, sizeof(u32) * 2);
380 node->cur_state = le32_to_cpu(buf[0]);
383 len = le32_to_cpu(buf[1]);
384 node->expr.nodes = kcalloc(len, sizeof(*node->expr.nodes), GFP_KERNEL);
385 if (!node->expr.nodes)
388 node->expr.len = len;
390 for (i = 0; i < len; i++) {
391 struct cond_expr_node *expr = &node->expr.nodes[i];
393 rc = next_entry(buf, fp, sizeof(u32) * 2);
397 expr->expr_type = le32_to_cpu(buf[0]);
398 expr->bool = le32_to_cpu(buf[1]);
400 if (!expr_node_isvalid(p, expr)) {
406 rc = cond_read_av_list(p, fp, &node->true_list, NULL);
409 rc = cond_read_av_list(p, fp, &node->false_list, &node->true_list);
414 cond_node_destroy(node);
418 int cond_read_list(struct policydb *p, void *fp)
424 rc = next_entry(buf, fp, sizeof buf);
428 len = le32_to_cpu(buf[0]);
430 p->cond_list = kcalloc(len, sizeof(*p->cond_list), GFP_KERNEL);
434 rc = avtab_alloc(&(p->te_cond_avtab), p->te_avtab.nel);
438 p->cond_list_len = len;
440 for (i = 0; i < len; i++) {
441 rc = cond_read_node(p, &p->cond_list[i], fp);
447 cond_list_destroy(p);
452 int cond_write_bool(void *vkey, void *datum, void *ptr)
455 struct cond_bool_datum *booldatum = datum;
456 struct policy_data *pd = ptr;
463 buf[0] = cpu_to_le32(booldatum->value);
464 buf[1] = cpu_to_le32(booldatum->state);
465 buf[2] = cpu_to_le32(len);
466 rc = put_entry(buf, sizeof(u32), 3, fp);
469 rc = put_entry(key, 1, len, fp);
476 * cond_write_cond_av_list doesn't write out the av_list nodes.
477 * Instead it writes out the key/value pairs from the avtab. This
478 * is necessary because there is no way to uniquely identifying rules
479 * in the avtab so it is not possible to associate individual rules
480 * in the avtab with a conditional without saving them as part of
481 * the conditional. This means that the avtab with the conditional
482 * rules will not be saved but will be rebuilt on policy load.
484 static int cond_write_av_list(struct policydb *p,
485 struct cond_av_list *list, struct policy_file *fp)
491 buf[0] = cpu_to_le32(list->len);
492 rc = put_entry(buf, sizeof(u32), 1, fp);
496 for (i = 0; i < list->len; i++) {
497 rc = avtab_write_item(p, list->nodes[i], fp);
505 static int cond_write_node(struct policydb *p, struct cond_node *node,
506 struct policy_file *fp)
512 buf[0] = cpu_to_le32(node->cur_state);
513 rc = put_entry(buf, sizeof(u32), 1, fp);
517 buf[0] = cpu_to_le32(node->expr.len);
518 rc = put_entry(buf, sizeof(u32), 1, fp);
522 for (i = 0; i < node->expr.len; i++) {
523 buf[0] = cpu_to_le32(node->expr.nodes[i].expr_type);
524 buf[1] = cpu_to_le32(node->expr.nodes[i].bool);
525 rc = put_entry(buf, sizeof(u32), 2, fp);
530 rc = cond_write_av_list(p, &node->true_list, fp);
533 rc = cond_write_av_list(p, &node->false_list, fp);
540 int cond_write_list(struct policydb *p, void *fp)
546 buf[0] = cpu_to_le32(p->cond_list_len);
547 rc = put_entry(buf, sizeof(u32), 1, fp);
551 for (i = 0; i < p->cond_list_len; i++) {
552 rc = cond_write_node(p, &p->cond_list[i], fp);
560 void cond_compute_xperms(struct avtab *ctab, struct avtab_key *key,
561 struct extended_perms_decision *xpermd)
563 struct avtab_node *node;
565 if (!ctab || !key || !xpermd)
568 for (node = avtab_search_node(ctab, key); node;
569 node = avtab_search_node_next(node, key->specified)) {
570 if (node->key.specified & AVTAB_ENABLED)
571 services_compute_xperms_decision(xpermd, node);
576 /* Determine whether additional permissions are granted by the conditional
577 * av table, and if so, add them to the result
579 void cond_compute_av(struct avtab *ctab, struct avtab_key *key,
580 struct av_decision *avd, struct extended_perms *xperms)
582 struct avtab_node *node;
584 if (!ctab || !key || !avd)
587 for (node = avtab_search_node(ctab, key); node;
588 node = avtab_search_node_next(node, key->specified)) {
589 if ((u16)(AVTAB_ALLOWED|AVTAB_ENABLED) ==
590 (node->key.specified & (AVTAB_ALLOWED|AVTAB_ENABLED)))
591 avd->allowed |= node->datum.u.data;
592 if ((u16)(AVTAB_AUDITDENY|AVTAB_ENABLED) ==
593 (node->key.specified & (AVTAB_AUDITDENY|AVTAB_ENABLED)))
594 /* Since a '0' in an auditdeny mask represents a
595 * permission we do NOT want to audit (dontaudit), we use
596 * the '&' operand to ensure that all '0's in the mask
597 * are retained (much unlike the allow and auditallow cases).
599 avd->auditdeny &= node->datum.u.data;
600 if ((u16)(AVTAB_AUDITALLOW|AVTAB_ENABLED) ==
601 (node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED)))
602 avd->auditallow |= node->datum.u.data;
603 if (xperms && (node->key.specified & AVTAB_ENABLED) &&
604 (node->key.specified & AVTAB_XPERMS))
605 services_compute_xperms_drivers(xperms, node);
OSDN Git Service
