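Lines matching references to `policydb`. Each entry gives the source line number and the matching line, followed, where the indexer reports it, by the enclosing function and whether `policydb` is an argument or a local there.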

78 static int context_struct_to_string(struct policydb *policydb,
83 static int sidtab_entry_to_string(struct policydb *policydb,
89 static void context_struct_compute_av(struct policydb *policydb,
96 static int selinux_set_mapping(struct policydb *pol, in selinux_set_mapping()
249 mls_enabled = policy->policydb.mls_enabled; in security_mls_enabled()
265 static int constraint_expr_eval(struct policydb *policydb, in constraint_expr_eval() argument
310 r1 = policydb->role_val_to_struct[val1 - 1]; in constraint_expr_eval()
311 r2 = policydb->role_val_to_struct[val2 - 1]; in constraint_expr_eval()
456 static void security_dump_masked_av(struct policydb *policydb, in security_dump_masked_av() argument
477 tclass_name = sym_name(policydb, SYM_CLASSES, tclass - 1); in security_dump_masked_av()
478 tclass_dat = policydb->class_val_to_struct[tclass - 1]; in security_dump_masked_av()
492 if (context_struct_to_string(policydb, scontext, in security_dump_masked_av()
496 if (context_struct_to_string(policydb, tcontext, in security_dump_masked_av()
533 static void type_attribute_bounds_av(struct policydb *policydb, in type_attribute_bounds_av() argument
546 source = policydb->type_val_to_struct[scontext->type - 1]; in type_attribute_bounds_av()
552 target = policydb->type_val_to_struct[tcontext->type - 1]; in type_attribute_bounds_av()
566 context_struct_compute_av(policydb, &lo_scontext, in type_attribute_bounds_av()
581 security_dump_masked_av(policydb, scontext, tcontext, in type_attribute_bounds_av()
622 static void context_struct_compute_av(struct policydb *policydb, in context_struct_compute_av() argument
645 if (unlikely(!tclass || tclass > policydb->p_classes.nprim)) { in context_struct_compute_av()
650 tclass_datum = policydb->class_val_to_struct[tclass - 1]; in context_struct_compute_av()
658 sattr = &policydb->type_attr_map_array[scontext->type - 1]; in context_struct_compute_av()
659 tattr = &policydb->type_attr_map_array[tcontext->type - 1]; in context_struct_compute_av()
664 for (node = avtab_search_node(&policydb->te_avtab, in context_struct_compute_av()
679 cond_compute_av(&policydb->te_cond_avtab, &avkey, in context_struct_compute_av()
692 !constraint_expr_eval(policydb, scontext, tcontext, NULL, in context_struct_compute_av()
704 if (tclass == policydb->process_class && in context_struct_compute_av()
705 (avd->allowed & policydb->process_trans_perms) && in context_struct_compute_av()
707 for (ra = policydb->role_allow; ra; ra = ra->next) { in context_struct_compute_av()
713 avd->allowed &= ~policydb->process_trans_perms; in context_struct_compute_av()
721 type_attribute_bounds_av(policydb, scontext, tcontext, in context_struct_compute_av()
731 struct policydb *p = &policy->policydb; in security_validtrans_handle_fail()
760 struct policydb *policydb; in security_compute_validatetrans() local
777 policydb = &policy->policydb; in security_compute_validatetrans()
785 if (!tclass || tclass > policydb->p_classes.nprim) { in security_compute_validatetrans()
789 tclass_datum = policydb->class_val_to_struct[tclass - 1]; in security_compute_validatetrans()
817 if (!constraint_expr_eval(policydb, &oentry->context, in security_compute_validatetrans()
864 struct policydb *policydb; in security_bounded_transition() local
876 policydb = &policy->policydb; in security_bounded_transition()
902 type = policydb->type_val_to_struct[index - 1]; in security_bounded_transition()
923 if (!sidtab_entry_to_string(policydb, sidtab, old_entry, in security_bounded_transition()
925 !sidtab_entry_to_string(policydb, sidtab, new_entry, in security_bounded_transition()
1034 struct policydb *policydb; in security_compute_xperms_decision() local
1056 policydb = &policy->policydb; in security_compute_xperms_decision()
1075 if (policydb->allow_unknown) in security_compute_xperms_decision()
1081 if (unlikely(!tclass || tclass > policydb->p_classes.nprim)) { in security_compute_xperms_decision()
1088 sattr = &policydb->type_attr_map_array[scontext->type - 1]; in security_compute_xperms_decision()
1089 tattr = &policydb->type_attr_map_array[tcontext->type - 1]; in security_compute_xperms_decision()
1094 for (node = avtab_search_node(&policydb->te_avtab, in security_compute_xperms_decision()
1100 cond_compute_xperms(&policydb->te_cond_avtab, in security_compute_xperms_decision()
1130 struct policydb *policydb; in security_compute_av() local
1142 policydb = &policy->policydb; in security_compute_av()
1153 if (ebitmap_get_bit(&policydb->permissive_map, scontext->type)) in security_compute_av()
1157 if (ebitmap_get_bit(&policydb->neveraudit_map, scontext->type)) in security_compute_av()
1173 if (policydb->allow_unknown) in security_compute_av()
1177 context_struct_compute_av(policydb, scontext, tcontext, tclass, avd, in security_compute_av()
1180 policydb->allow_unknown); in security_compute_av()
1197 struct policydb *policydb; in security_compute_av_user() local
1207 policydb = &policy->policydb; in security_compute_av_user()
1218 if (ebitmap_get_bit(&policydb->permissive_map, scontext->type)) in security_compute_av_user()
1222 if (ebitmap_get_bit(&policydb->neveraudit_map, scontext->type)) in security_compute_av_user()
1237 if (policydb->allow_unknown) in security_compute_av_user()
1242 context_struct_compute_av(policydb, scontext, tcontext, tclass, avd, in security_compute_av_user()
1261 static int context_struct_to_string(struct policydb *p, in context_struct_to_string()
1311 static int sidtab_entry_to_string(struct policydb *p, in sidtab_entry_to_string()
1361 struct policydb *policydb; in security_sid_to_context_core() local
1403 policydb = &policy->policydb; in security_sid_to_context_core()
1419 rc = sidtab_entry_to_string(policydb, sidtab, entry, scontext, in security_sid_to_context_core()
1474 static int string_to_context_struct(struct policydb *pol, in string_to_context_struct()
1557 struct policydb *policydb; in security_context_to_sid_core() local
1598 policydb = &policy->policydb; in security_context_to_sid_core()
1600 rc = string_to_context_struct(policydb, sidtab, scontext2, in security_context_to_sid_core()
1692 struct policydb *policydb = &policy->policydb; in compute_sid_handle_invalid_context() local
1698 if (sidtab_entry_to_string(policydb, sidtab, sentry, &s, &slen)) in compute_sid_handle_invalid_context()
1700 if (sidtab_entry_to_string(policydb, sidtab, tentry, &t, &tlen)) in compute_sid_handle_invalid_context()
1702 if (context_struct_to_string(policydb, newcontext, &n, &nlen)) in compute_sid_handle_invalid_context()
1712 s, t, sym_name(policydb, SYM_CLASSES, tclass-1)); in compute_sid_handle_invalid_context()
1723 static void filename_compute_type(struct policydb *policydb, in filename_compute_type() argument
1736 if (!ebitmap_get_bit(&policydb->filename_trans_ttypes, ttype)) in filename_compute_type()
1743 datum = policydb_filenametr_search(policydb, &ft); in filename_compute_type()
1762 struct policydb *policydb; in security_compute_sid() local
1802 policydb = &policy->policydb; in security_compute_sid()
1823 if (tclass && tclass <= policydb->p_classes.nprim) in security_compute_sid()
1824 cladatum = policydb->class_val_to_struct[tclass - 1]; in security_compute_sid()
1850 if ((tclass == policydb->process_class) || sock) in security_compute_sid()
1863 avnode = avtab_search_node(&policydb->te_avtab, &avkey); in security_compute_sid()
1867 node = avtab_search_node(&policydb->te_cond_avtab, &avkey); in security_compute_sid()
1887 if ((tclass == policydb->process_class) || sock) { in security_compute_sid()
1898 filename_compute_type(policydb, &newcontext, scontext->type, in security_compute_sid()
1911 rtd = policydb_roletr_search(policydb, &rtk); in security_compute_sid()
1918 rc = mls_compute_sid(policydb, scontext, tcontext, tclass, specified, in security_compute_sid()
1924 if (!policydb_context_isvalid(policydb, &newcontext)) { in security_compute_sid()
2027 struct policydb *policydb, in convert_context_handle_invalid_context() argument
2036 if (!context_struct_to_string(policydb, context, &s, &len)) { in convert_context_handle_invalid_context()
2172 struct policydb *p; in security_load_policycaps()
2176 p = &policy->policydb; in security_load_policycaps()
2204 policydb_destroy(&policy->policydb); in selinux_policy_free()
2211 cond_policydb_destroy_dup(&policy->policydb); in selinux_policy_cond_free()
2251 if (oldpolicy->policydb.mls_enabled && !newpolicy->policydb.mls_enabled) in selinux_policy_commit()
2253 else if (!oldpolicy->policydb.mls_enabled && newpolicy->policydb.mls_enabled) in selinux_policy_commit()
2325 rc = policydb_read(&newpolicy->policydb, fp); in security_load_policy()
2329 newpolicy->policydb.len = len; in security_load_policy()
2330 rc = selinux_set_mapping(&newpolicy->policydb, secclass_map, in security_load_policy()
2335 rc = policydb_load_isids(&newpolicy->policydb, newpolicy->sidtab); in security_load_policy()
2369 convert_data->args.oldp = &oldpolicy->policydb; in security_load_policy()
2370 convert_data->args.newp = &newpolicy->policydb; in security_load_policy()
2394 policydb_destroy(&newpolicy->policydb); in security_load_policy()
2449 struct policydb *policydb; in security_port_sid() local
2463 policydb = &policy->policydb; in security_port_sid()
2466 c = policydb->ocontexts[OCON_PORT]; in security_port_sid()
2501 struct policydb *policydb; in security_ib_pkey_sid() local
2515 policydb = &policy->policydb; in security_ib_pkey_sid()
2518 c = policydb->ocontexts[OCON_IBPKEY]; in security_ib_pkey_sid()
2553 struct policydb *policydb; in security_ib_endport_sid() local
2567 policydb = &policy->policydb; in security_ib_endport_sid()
2570 c = policydb->ocontexts[OCON_IBENDPORT]; in security_ib_endport_sid()
2605 struct policydb *policydb; in security_netif_sid() local
2620 policydb = &policy->policydb; in security_netif_sid()
2622 wildcard_support = ebitmap_get_bit(&policydb->policycaps, POLICYDB_CAP_NETIF_WILDCARD); in security_netif_sid()
2624 c = policydb->ocontexts[OCON_NETIF]; in security_netif_sid()
2677 struct policydb *policydb; in security_node_sid() local
2690 policydb = &policy->policydb; in security_node_sid()
2703 c = policydb->ocontexts[OCON_NODE]; in security_node_sid()
2716 c = policydb->ocontexts[OCON_NODE6]; in security_node_sid()
2771 struct policydb *policydb; in security_get_user_sids() local
2795 policydb = &policy->policydb; in security_get_user_sids()
2806 user = symtab_search(&policydb->p_users, username); in security_get_user_sids()
2813 role = policydb->role_val_to_struct[i]; in security_get_user_sids()
2818 if (mls_setup_user_range(policydb, fromcon, user, in security_get_user_sids()
2895 struct policydb *policydb = &policy->policydb; in __security_genfs_sid() local
2909 for (genfs = policydb->genfs; genfs; genfs = genfs->next) { in __security_genfs_sid()
2918 wildcard = ebitmap_get_bit(&policy->policydb.policycaps, in __security_genfs_sid()
2990 struct policydb *policydb; in security_fs_use() local
3006 policydb = &policy->policydb; in security_fs_use()
3009 c = policydb->ocontexts[OCON_FSUSE]; in security_fs_use()
3048 struct policydb *policydb; in security_get_bools() local
3052 policydb = &policy->policydb; in security_get_bools()
3058 *len = policydb->p_bools.nprim; in security_get_bools()
3073 (*values)[i] = policydb->bool_val_to_struct[i]->state; in security_get_bools()
3076 (*names)[i] = kstrdup(sym_name(policydb, SYM_BOOLS, i), in security_get_bools()
3112 if (WARN_ON(len != oldpolicy->policydb.p_bools.nprim)) in security_set_bools()
3123 rc = cond_policydb_dup(&newpolicy->policydb, &oldpolicy->policydb); in security_set_bools()
3132 int old_state = newpolicy->policydb.bool_val_to_struct[i]->state; in security_set_bools()
3138 sym_name(&newpolicy->policydb, SYM_BOOLS, i), in security_set_bools()
3143 newpolicy->policydb.bool_val_to_struct[i]->state = new_state; in security_set_bools()
3148 evaluate_cond_nodes(&newpolicy->policydb); in security_set_bools()
3173 struct policydb *policydb; in security_get_bool_value() local
3182 policydb = &policy->policydb; in security_get_bool_value()
3185 len = policydb->p_bools.nprim; in security_get_bool_value()
3189 rc = policydb->bool_val_to_struct[index]->state; in security_get_bool_value()
3207 booldatum = symtab_search(&newpolicy->policydb.p_bools, in security_preserve_bools()
3212 evaluate_cond_nodes(&newpolicy->policydb); in security_preserve_bools()
3231 struct policydb *policydb; in security_sid_mls_copy() local
3251 policydb = &policy->policydb; in security_sid_mls_copy()
3254 if (!policydb->mls_enabled) { in security_sid_mls_copy()
3283 if (!policydb_context_isvalid(policydb, &newcon)) { in security_sid_mls_copy()
3284 rc = convert_context_handle_invalid_context(policydb, in security_sid_mls_copy()
3287 if (!context_struct_to_string(policydb, &newcon, &s, in security_sid_mls_copy()
3342 struct policydb *policydb; in security_net_peersid_resolve() local
3370 policydb = &policy->policydb; in security_net_peersid_resolve()
3378 if (!policydb->mls_enabled) { in security_net_peersid_resolve()
3428 struct policydb *policydb; in security_get_classes() local
3431 policydb = &policy->policydb; in security_get_classes()
3434 *nclasses = policydb->p_classes.nprim; in security_get_classes()
3439 rc = hashtab_map(&policydb->p_classes.table, get_classes_callback, in security_get_classes()
3469 struct policydb *policydb; in security_get_permissions() local
3474 policydb = &policy->policydb; in security_get_permissions()
3477 match = symtab_search(&policydb->p_classes, class); in security_get_permissions()
3522 value = policy->policydb.reject_unknown; in security_get_reject_unknown()
3537 value = policy->policydb.allow_unknown; in security_get_allow_unknown()
3562 rc = ebitmap_get_bit(&policy->policydb.policycaps, req_cap); in security_policycap_supported()
3588 struct policydb *policydb; in selinux_audit_rule_init() local
3632 policydb = &policy->policydb; in selinux_audit_rule_init()
3637 userdatum = symtab_search(&policydb->p_users, rulestr); in selinux_audit_rule_init()
3646 roledatum = symtab_search(&policydb->p_roles, rulestr); in selinux_audit_rule_init()
3655 typedatum = symtab_search(&policydb->p_types, rulestr); in selinux_audit_rule_init()
3666 rc = mls_from_string(policydb, rulestr, &tmprule->au_ctxt, in selinux_audit_rule_init()
3893 struct policydb *policydb; in security_netlbl_secattr_to_sid() local
3908 policydb = &policy->policydb; in security_netlbl_secattr_to_sid()
3925 mls_import_netlbl_lvl(policydb, &ctx_new, secattr); in security_netlbl_secattr_to_sid()
3927 rc = mls_import_netlbl_cat(policydb, &ctx_new, secattr); in security_netlbl_secattr_to_sid()
3932 if (!mls_context_isvalid(policydb, &ctx_new)) { in security_netlbl_secattr_to_sid()
3968 struct policydb *policydb; in security_netlbl_sid_to_secattr() local
3977 policydb = &policy->policydb; in security_netlbl_sid_to_secattr()
3985 secattr->domain = kstrdup(sym_name(policydb, SYM_TYPES, ctx->type - 1), in security_netlbl_sid_to_secattr()
3992 mls_export_netlbl_lvl(policydb, ctx, secattr); in security_netlbl_sid_to_secattr()
3993 rc = mls_export_netlbl_cat(policydb, ctx, secattr); in security_netlbl_sid_to_secattr()
4016 rc = policydb_write(&policy->policydb, &fp); in __security_read_policy()
4040 *len = policy->policydb.len; in security_read_policy()
4070 *len = policy->policydb.len; in security_read_state_kernel()