1 /*
2 * Implementation of the policy database.
3 *
4 * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
5 */
6
7 /*
8 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
9 *
10 * Support for enhanced MLS infrastructure.
11 *
12 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
13 *
14 * Added conditional policy language extensions
15 *
16 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
17 * Copyright (C) 2003 - 2004 Tresys Technology, LLC
18 * This program is free software; you can redistribute it and/or modify
19 * it under the terms of the GNU General Public License as published by
20 * the Free Software Foundation, version 2.
21 */
22
23 /* Ported to Xen 3.0, George Coker, <gscoker@alpha.ncsc.mil> */
24
25 #include <asm/byteorder.h>
26 #include <xen/lib.h>
27 #include <xen/types.h>
28 #include <xen/xmalloc.h>
29 #include <xen/string.h>
30 #include <xen/errno.h>
31 #include "security.h"
32
33 #include "policydb.h"
34 #include "conditional.h"
35 #include "mls.h"
36
37 #define _DEBUG_HASHES
38
39 #ifdef DEBUG_HASHES
40 static char *symtab_name[SYM_NUM] = {
41 "common prefixes",
42 "classes",
43 "roles",
44 "types",
45 "users",
46 "bools",
47 "levels",
48 "categories",
49 };
50 #endif
51
52 int flask_mls_enabled = 0;
53
54 static unsigned int symtab_sizes[SYM_NUM] = {
55 2,
56 32,
57 16,
58 512,
59 128,
60 16,
61 16,
62 16,
63 };
64
65 struct policydb_compat_info {
66 int version;
67 int sym_num;
68 int ocon_num;
69 int target_type;
70 };
71
72 /* These need to be updated if SYM_NUM or OCON_NUM changes */
73 static struct policydb_compat_info policydb_compat[] = {
74 {
75 .version = POLICYDB_VERSION_BASE,
76 .sym_num = SYM_NUM - 3,
77 .ocon_num = 4,
78 .target_type = TARGET_XEN_OLD,
79 },
80 {
81 .version = POLICYDB_VERSION_BOOL,
82 .sym_num = SYM_NUM - 2,
83 .ocon_num = 4,
84 .target_type = TARGET_XEN_OLD,
85 },
86 {
87 .version = POLICYDB_VERSION_IPV6,
88 .sym_num = SYM_NUM - 2,
89 .ocon_num = 5,
90 .target_type = TARGET_XEN_OLD,
91 },
92 {
93 .version = POLICYDB_VERSION_NLCLASS,
94 .sym_num = SYM_NUM - 2,
95 .ocon_num = 5,
96 .target_type = TARGET_XEN_OLD,
97 },
98 {
99 .version = POLICYDB_VERSION_MLS,
100 .sym_num = SYM_NUM,
101 .ocon_num = 5,
102 .target_type = TARGET_XEN_OLD,
103 },
104 {
105 .version = POLICYDB_VERSION_AVTAB,
106 .sym_num = SYM_NUM,
107 .ocon_num = 5,
108 .target_type = TARGET_XEN_OLD,
109 },
110 {
111 .version = POLICYDB_VERSION_RANGETRANS,
112 .sym_num = SYM_NUM,
113 .ocon_num = 5,
114 .target_type = TARGET_XEN_OLD,
115 },
116 {
117 .version = POLICYDB_VERSION_POLCAP,
118 .sym_num = SYM_NUM,
119 .ocon_num = 5,
120 .target_type = TARGET_XEN_OLD,
121 },
122 {
123 .version = POLICYDB_VERSION_PERMISSIVE,
124 .sym_num = SYM_NUM,
125 .ocon_num = 5,
126 .target_type = TARGET_XEN_OLD,
127 },
128 {
129 .version = POLICYDB_VERSION_BOUNDARY,
130 .sym_num = SYM_NUM,
131 .ocon_num = OCON_NUM_OLD,
132 .target_type = TARGET_XEN_OLD,
133 },
134 {
135 .version = POLICYDB_VERSION_BOUNDARY,
136 .sym_num = SYM_NUM,
137 .ocon_num = OCON_DEVICE + 1,
138 .target_type = TARGET_XEN,
139 },
140 {
141 .version = POLICYDB_VERSION_XEN_DEVICETREE,
142 .sym_num = SYM_NUM,
143 .ocon_num = OCON_DTREE + 1,
144 .target_type = TARGET_XEN,
145 },
146 };
147
policydb_lookup_compat(int version,int target)148 static struct policydb_compat_info *policydb_lookup_compat(int version,
149 int target)
150 {
151 int i;
152 struct policydb_compat_info *info = NULL;
153
154 for ( i = 0; i < sizeof(policydb_compat)/sizeof(*info); i++ )
155 {
156 if ( policydb_compat[i].version == version &&
157 policydb_compat[i].target_type == target )
158 {
159 info = &policydb_compat[i];
160 break;
161 }
162 }
163 return info;
164 }
165
166 /*
167 * Initialize the role table.
168 */
roles_init(struct policydb * p)169 static int roles_init(struct policydb *p)
170 {
171 char *key = NULL;
172 int rc;
173 struct role_datum *role;
174
175 role = xzalloc(struct role_datum);
176 if ( !role )
177 {
178 rc = -ENOMEM;
179 goto out;
180 }
181 role->value = ++p->p_roles.nprim;
182 if ( role->value != OBJECT_R_VAL )
183 {
184 rc = -EINVAL;
185 goto out_free_role;
186 }
187 key = xmalloc_array(char, strlen(OBJECT_R)+1);
188 if ( !key )
189 {
190 rc = -ENOMEM;
191 goto out_free_role;
192 }
193 strlcpy(key, OBJECT_R, strlen(OBJECT_R)+1);
194 rc = hashtab_insert(p->p_roles.table, key, role);
195 if ( rc )
196 goto out_free_key;
197 out:
198 return rc;
199
200 out_free_key:
201 xfree(key);
202 out_free_role:
203 xfree(role);
204 goto out;
205 }
206
207 /*
208 * Initialize a policy database structure.
209 */
policydb_init(struct policydb * p)210 static int policydb_init(struct policydb *p)
211 {
212 int i, rc;
213
214 memset(p, 0, sizeof(*p));
215
216 for ( i = 0; i < SYM_NUM; i++ )
217 {
218 rc = symtab_init(&p->symtab[i], symtab_sizes[i]);
219 if ( rc )
220 goto out_free_symtab;
221 }
222
223 rc = avtab_init(&p->te_avtab);
224 if ( rc )
225 goto out_free_symtab;
226
227 rc = roles_init(p);
228 if ( rc )
229 goto out_free_avtab;
230
231 rc = cond_policydb_init(p);
232 if ( rc )
233 goto out_free_avtab;
234
235 ebitmap_init(&p->policycaps);
236 ebitmap_init(&p->permissive_map);
237
238 out:
239 return rc;
240
241 out_free_avtab:
242 avtab_destroy(&p->te_avtab);
243
244 out_free_symtab:
245 for ( i = 0; i < SYM_NUM; i++ )
246 hashtab_destroy(p->symtab[i].table);
247 goto out;
248 }
249
250 /*
251 * The following *_index functions are used to
252 * define the val_to_name and val_to_struct arrays
253 * in a policy database structure. The val_to_name
254 * arrays are used when converting security context
255 * structures into string representations. The
256 * val_to_struct arrays are used when the attributes
257 * of a class, role, or user are needed.
258 */
259
common_index(void * key,void * datum,void * datap)260 static int common_index(void *key, void *datum, void *datap)
261 {
262 return 0;
263 }
264
class_index(void * key,void * datum,void * datap)265 static int class_index(void *key, void *datum, void *datap)
266 {
267 struct policydb *p;
268 struct class_datum *cladatum;
269
270 cladatum = datum;
271 p = datap;
272 if ( !cladatum->value || cladatum->value > p->p_classes.nprim )
273 return -EINVAL;
274 p->p_class_val_to_name[cladatum->value - 1] = key;
275 p->class_val_to_struct[cladatum->value - 1] = cladatum;
276 return 0;
277 }
278
role_index(void * key,void * datum,void * datap)279 static int role_index(void *key, void *datum, void *datap)
280 {
281 struct policydb *p;
282 struct role_datum *role;
283
284 role = datum;
285 p = datap;
286 if ( !role->value
287 || role->value > p->p_roles.nprim
288 || role->bounds > p->p_roles.nprim )
289 return -EINVAL;
290 p->p_role_val_to_name[role->value - 1] = key;
291 p->role_val_to_struct[role->value - 1] = role;
292 return 0;
293 }
294
type_index(void * key,void * datum,void * datap)295 static int type_index(void *key, void *datum, void *datap)
296 {
297 struct policydb *p;
298 struct type_datum *typdatum;
299
300 typdatum = datum;
301 p = datap;
302
303 if ( typdatum->primary )
304 {
305 if ( !typdatum->value
306 || typdatum->value > p->p_types.nprim
307 || typdatum->bounds > p->p_types.nprim )
308 return -EINVAL;
309 p->p_type_val_to_name[typdatum->value - 1] = key;
310 p->type_val_to_struct[typdatum->value - 1] = typdatum;
311 }
312
313 return 0;
314 }
315
user_index(void * key,void * datum,void * datap)316 static int user_index(void *key, void *datum, void *datap)
317 {
318 struct policydb *p;
319 struct user_datum *usrdatum;
320
321 usrdatum = datum;
322 p = datap;
323 if ( !usrdatum->value
324 || usrdatum->value > p->p_users.nprim
325 || usrdatum->bounds > p->p_users.nprim )
326 return -EINVAL;
327 p->p_user_val_to_name[usrdatum->value - 1] = key;
328 p->user_val_to_struct[usrdatum->value - 1] = usrdatum;
329 return 0;
330 }
331
sens_index(void * key,void * datum,void * datap)332 static int sens_index(void *key, void *datum, void *datap)
333 {
334 struct policydb *p;
335 struct level_datum *levdatum;
336
337 levdatum = datum;
338 p = datap;
339
340 if ( !levdatum->isalias )
341 {
342 if ( !levdatum->level->sens || levdatum->level->sens >
343 p->p_levels.nprim )
344 return -EINVAL;
345 p->p_sens_val_to_name[levdatum->level->sens - 1] = key;
346 }
347
348 return 0;
349 }
350
cat_index(void * key,void * datum,void * datap)351 static int cat_index(void *key, void *datum, void *datap)
352 {
353 struct policydb *p;
354 struct cat_datum *catdatum;
355
356 catdatum = datum;
357 p = datap;
358
359 if ( !catdatum->isalias )
360 {
361 if ( !catdatum->value || catdatum->value > p->p_cats.nprim )
362 return -EINVAL;
363 p->p_cat_val_to_name[catdatum->value - 1] = key;
364 }
365
366 return 0;
367 }
368
369 static int (*index_f[SYM_NUM]) (void *key, void *datum, void *datap) =
370 {
371 common_index,
372 class_index,
373 role_index,
374 type_index,
375 user_index,
376 cond_index_bool,
377 sens_index,
378 cat_index,
379 };
380
381 /*
382 * Define the class val_to_name and val_to_struct arrays in a policy
383 * database structure.
384 *
385 * Caller must clean up upon failure.
386 */
policydb_index_classes(struct policydb * p)387 static int policydb_index_classes(struct policydb *p)
388 {
389 int rc;
390
391 p->class_val_to_struct =
392 xmalloc_array(struct class_datum *, p->p_classes.nprim);
393 if ( !p->class_val_to_struct )
394 {
395 rc = -ENOMEM;
396 goto out;
397 }
398
399 p->p_class_val_to_name =
400 xmalloc_array(char *, p->p_classes.nprim);
401 if ( !p->p_class_val_to_name )
402 {
403 rc = -ENOMEM;
404 goto out;
405 }
406
407 rc = hashtab_map(p->p_classes.table, class_index, p);
408 out:
409 return rc;
410 }
411
412 #ifdef DEBUG_HASHES
symtab_hash_eval(struct symtab * s)413 static void symtab_hash_eval(struct symtab *s)
414 {
415 int i;
416
417 for ( i = 0; i < SYM_NUM; i++ )
418 {
419 struct hashtab *h = s[i].table;
420 struct hashtab_info info;
421
422 hashtab_stat(h, &info);
423 printk(KERN_INFO "%s: %d entries and %d/%d buckets used, "
424 "longest chain length %d\n", symtab_name[i], h->nel,
425 info.slots_used, h->size, info.max_chain_len);
426 }
427 }
428 #endif
429
430 /*
431 * Define the other val_to_name and val_to_struct arrays
432 * in a policy database structure.
433 *
434 * Caller must clean up on failure.
435 */
policydb_index_others(struct policydb * p)436 static int policydb_index_others(struct policydb *p)
437 {
438 int i, rc = 0;
439
440 printk(KERN_INFO "Flask: %d users, %d roles, %d types, %d bools",
441 p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim, p->p_bools.nprim);
442 if ( flask_mls_enabled )
443 printk(", %d sens, %d cats", p->p_levels.nprim, p->p_cats.nprim);
444
445 printk("\n");
446
447 printk(KERN_INFO "Flask: %d classes, %d rules\n",
448 p->p_classes.nprim, p->te_avtab.nel);
449
450 #ifdef DEBUG_HASHES
451 avtab_hash_eval(&p->te_avtab, "rules");
452 symtab_hash_eval(p->symtab);
453 #endif
454
455 p->role_val_to_struct =
456 xmalloc_array(struct role_datum *, p->p_roles.nprim);
457 if ( !p->role_val_to_struct )
458 {
459 rc = -ENOMEM;
460 goto out;
461 }
462
463 p->user_val_to_struct =
464 xmalloc_array(struct user_datum *, p->p_users.nprim);
465 if ( !p->user_val_to_struct )
466 {
467 rc = -ENOMEM;
468 goto out;
469 }
470
471 p->type_val_to_struct =
472 xmalloc_array(struct type_datum *, p->p_types.nprim);
473 if ( !p->type_val_to_struct )
474 {
475 rc = -ENOMEM;
476 goto out;
477 }
478
479 if ( cond_init_bool_indexes(p) )
480 {
481 rc = -ENOMEM;
482 goto out;
483 }
484
485 for ( i = SYM_ROLES; i < SYM_NUM; i++ )
486 {
487 p->sym_val_to_name[i] =
488 xmalloc_array(char *, p->symtab[i].nprim);
489 if ( !p->sym_val_to_name[i] )
490 {
491 rc = -ENOMEM;
492 goto out;
493 }
494 rc = hashtab_map(p->symtab[i].table, index_f[i], p);
495 if ( rc )
496 goto out;
497 }
498
499 out:
500 return rc;
501 }
502
503 /*
504 * The following *_destroy functions are used to
505 * free any memory allocated for each kind of
506 * symbol data in the policy database.
507 */
508
perm_destroy(void * key,void * datum,void * p)509 static int perm_destroy(void *key, void *datum, void *p)
510 {
511 xfree(key);
512 xfree(datum);
513 return 0;
514 }
515
common_destroy(void * key,void * datum,void * p)516 static int common_destroy(void *key, void *datum, void *p)
517 {
518 struct common_datum *comdatum;
519
520 xfree(key);
521 comdatum = datum;
522 hashtab_map(comdatum->permissions.table, perm_destroy, NULL);
523 hashtab_destroy(comdatum->permissions.table);
524 xfree(datum);
525 return 0;
526 }
527
class_destroy(void * key,void * datum,void * p)528 static int class_destroy(void *key, void *datum, void *p)
529 {
530 struct class_datum *cladatum;
531 struct constraint_node *constraint, *ctemp;
532 struct constraint_expr *e, *etmp;
533
534 xfree(key);
535 cladatum = datum;
536 hashtab_map(cladatum->permissions.table, perm_destroy, NULL);
537 hashtab_destroy(cladatum->permissions.table);
538 constraint = cladatum->constraints;
539 while ( constraint )
540 {
541 e = constraint->expr;
542 while ( e )
543 {
544 ebitmap_destroy(&e->names);
545 etmp = e;
546 e = e->next;
547 xfree(etmp);
548 }
549 ctemp = constraint;
550 constraint = constraint->next;
551 xfree(ctemp);
552 }
553
554 constraint = cladatum->validatetrans;
555 while ( constraint )
556 {
557 e = constraint->expr;
558 while ( e )
559 {
560 ebitmap_destroy(&e->names);
561 etmp = e;
562 e = e->next;
563 xfree(etmp);
564 }
565 ctemp = constraint;
566 constraint = constraint->next;
567 xfree(ctemp);
568 }
569
570 xfree(cladatum->comkey);
571 xfree(datum);
572 return 0;
573 }
574
role_destroy(void * key,void * datum,void * p)575 static int role_destroy(void *key, void *datum, void *p)
576 {
577 struct role_datum *role;
578
579 xfree(key);
580 role = datum;
581 ebitmap_destroy(&role->dominates);
582 ebitmap_destroy(&role->types);
583 xfree(datum);
584 return 0;
585 }
586
type_destroy(void * key,void * datum,void * p)587 static int type_destroy(void *key, void *datum, void *p)
588 {
589 xfree(key);
590 xfree(datum);
591 return 0;
592 }
593
user_destroy(void * key,void * datum,void * p)594 static int user_destroy(void *key, void *datum, void *p)
595 {
596 struct user_datum *usrdatum;
597
598 xfree(key);
599 usrdatum = datum;
600 ebitmap_destroy(&usrdatum->roles);
601 ebitmap_destroy(&usrdatum->range.level[0].cat);
602 ebitmap_destroy(&usrdatum->range.level[1].cat);
603 ebitmap_destroy(&usrdatum->dfltlevel.cat);
604 xfree(datum);
605 return 0;
606 }
607
sens_destroy(void * key,void * datum,void * p)608 static int sens_destroy(void *key, void *datum, void *p)
609 {
610 struct level_datum *levdatum;
611
612 xfree(key);
613 levdatum = datum;
614 ebitmap_destroy(&levdatum->level->cat);
615 xfree(levdatum->level);
616 xfree(datum);
617 return 0;
618 }
619
cat_destroy(void * key,void * datum,void * p)620 static int cat_destroy(void *key, void *datum, void *p)
621 {
622 xfree(key);
623 xfree(datum);
624 return 0;
625 }
626
627 static int (*destroy_f[SYM_NUM]) (void *key, void *datum, void *datap) =
628 {
629 common_destroy,
630 class_destroy,
631 role_destroy,
632 type_destroy,
633 user_destroy,
634 cond_destroy_bool,
635 sens_destroy,
636 cat_destroy,
637 };
638
ocontext_destroy(struct ocontext * c,int i)639 static void ocontext_destroy(struct ocontext *c, int i)
640 {
641 context_destroy(&c->context);
642 if ( i == OCON_ISID || i == OCON_DTREE )
643 xfree(c->u.name);
644 xfree(c);
645 }
646
647 /*
648 * Free any memory allocated by a policy database structure.
649 */
policydb_destroy(struct policydb * p)650 void policydb_destroy(struct policydb *p)
651 {
652 struct ocontext *c, *ctmp;
653 int i;
654 struct role_allow *ra, *lra = NULL;
655 struct role_trans *tr, *ltr = NULL;
656 struct range_trans *rt, *lrt = NULL;
657
658 for ( i = 0; i < SYM_NUM; i++ )
659 {
660 hashtab_map(p->symtab[i].table, destroy_f[i], NULL);
661 hashtab_destroy(p->symtab[i].table);
662 }
663
664 for ( i = 0; i < SYM_NUM; i++ )
665 xfree(p->sym_val_to_name[i]);
666
667 xfree(p->class_val_to_struct);
668 xfree(p->role_val_to_struct);
669 xfree(p->user_val_to_struct);
670 xfree(p->type_val_to_struct);
671
672 avtab_destroy(&p->te_avtab);
673
674 for ( i = 0; i < OCON_NUM; i++ )
675 {
676 c = p->ocontexts[i];
677 while ( c )
678 {
679 ctmp = c;
680 c = c->next;
681 ocontext_destroy(ctmp,i);
682 }
683 p->ocontexts[i] = NULL;
684 }
685
686 cond_policydb_destroy(p);
687
688 for ( tr = p->role_tr; tr; tr = tr->next )
689 {
690 xfree(ltr);
691 ltr = tr;
692 }
693 xfree(ltr);
694
695 for ( ra = p->role_allow; ra; ra = ra -> next )
696 {
697 xfree(lra);
698 lra = ra;
699 }
700 xfree(lra);
701
702 for ( rt = p->range_tr; rt; rt = rt -> next )
703 {
704 if ( lrt )
705 {
706 ebitmap_destroy(&lrt->target_range.level[0].cat);
707 ebitmap_destroy(&lrt->target_range.level[1].cat);
708 xfree(lrt);
709 }
710 lrt = rt;
711 }
712 if ( lrt )
713 {
714 ebitmap_destroy(&lrt->target_range.level[0].cat);
715 ebitmap_destroy(&lrt->target_range.level[1].cat);
716 xfree(lrt);
717 }
718
719 if ( p->type_attr_map )
720 for ( i = 0; i < p->p_types.nprim; i++ )
721 ebitmap_destroy(&p->type_attr_map[i]);
722 xfree(p->type_attr_map);
723
724 ebitmap_destroy(&p->policycaps);
725 ebitmap_destroy(&p->permissive_map);
726
727 return;
728 }
729
730 /*
731 * Load the initial SIDs specified in a policy database
732 * structure into a SID table.
733 */
policydb_load_isids(struct policydb * p,struct sidtab * s)734 int policydb_load_isids(struct policydb *p, struct sidtab *s)
735 {
736 struct ocontext *head, *c;
737 int rc;
738
739 rc = sidtab_init(s);
740 if ( rc )
741 {
742 printk(KERN_ERR "Flask: out of memory on SID table init\n");
743 goto out;
744 }
745
746 head = p->ocontexts[OCON_ISID];
747 for ( c = head; c; c = c->next )
748 {
749 if ( !c->context.user )
750 {
751 printk(KERN_ERR "Flask: SID %s was never "
752 "defined.\n", c->u.name);
753 rc = -EINVAL;
754 goto out;
755 }
756 if ( sidtab_insert(s, c->sid, &c->context) )
757 {
758 printk(KERN_ERR "Flask: unable to load initial "
759 "SID %s.\n", c->u.name);
760 rc = -EINVAL;
761 goto out;
762 }
763 }
764 out:
765 return rc;
766 }
767
policydb_class_isvalid(struct policydb * p,unsigned int class)768 int policydb_class_isvalid(struct policydb *p, unsigned int class)
769 {
770 if ( !class || class > p->p_classes.nprim )
771 return 0;
772 return 1;
773 }
774
policydb_role_isvalid(struct policydb * p,unsigned int role)775 int policydb_role_isvalid(struct policydb *p, unsigned int role)
776 {
777 if ( !role || role > p->p_roles.nprim )
778 return 0;
779 return 1;
780 }
781
policydb_type_isvalid(struct policydb * p,unsigned int type)782 int policydb_type_isvalid(struct policydb *p, unsigned int type)
783 {
784 if ( !type || type > p->p_types.nprim )
785 return 0;
786 return 1;
787 }
788
789 /*
790 * Return 1 if the fields in the security context
791 * structure `c' are valid. Return 0 otherwise.
792 */
policydb_context_isvalid(struct policydb * p,struct context * c)793 int policydb_context_isvalid(struct policydb *p, struct context *c)
794 {
795 struct role_datum *role;
796 struct user_datum *usrdatum;
797
798 if ( !c->role || c->role > p->p_roles.nprim )
799 return 0;
800
801 if ( !c->user || c->user > p->p_users.nprim )
802 return 0;
803
804 if ( !c->type || c->type > p->p_types.nprim )
805 return 0;
806
807 if ( c->role != OBJECT_R_VAL )
808 {
809 /*
810 * Role must be authorized for the type.
811 */
812 role = p->role_val_to_struct[c->role - 1];
813 if ( !ebitmap_get_bit(&role->types, c->type - 1) )
814 /* role may not be associated with type */
815 return 0;
816
817 /*
818 * User must be authorized for the role.
819 */
820 usrdatum = p->user_val_to_struct[c->user - 1];
821 if ( !usrdatum )
822 return 0;
823
824 if ( !ebitmap_get_bit(&usrdatum->roles, c->role - 1) )
825 /* user may not be associated with role */
826 return 0;
827 }
828
829 if ( !mls_context_isvalid(p, c) )
830 return 0;
831
832 return 1;
833 }
834
835 /*
836 * Read a MLS range structure from a policydb binary
837 * representation file.
838 */
mls_read_range_helper(struct mls_range * r,void * fp)839 static int mls_read_range_helper(struct mls_range *r, void *fp)
840 {
841 __le32 buf[2];
842 u32 items;
843 int rc;
844
845 rc = next_entry(buf, fp, sizeof(u32));
846 if ( rc < 0 )
847 goto out;
848
849 items = le32_to_cpu(buf[0]);
850 if ( items > ARRAY_SIZE(buf) )
851 {
852 printk(KERN_ERR "Flask: mls: range overflow\n");
853 rc = -EINVAL;
854 goto out;
855 }
856 rc = next_entry(buf, fp, sizeof(u32) * items);
857 if ( rc < 0 )
858 {
859 printk(KERN_ERR "Flask: mls: truncated range\n");
860 goto out;
861 }
862 r->level[0].sens = le32_to_cpu(buf[0]);
863 if ( items > 1 )
864 r->level[1].sens = le32_to_cpu(buf[1]);
865 else
866 r->level[1].sens = r->level[0].sens;
867
868 rc = ebitmap_read(&r->level[0].cat, fp);
869 if ( rc )
870 {
871 printk(KERN_ERR "Flask: mls: error reading low "
872 "categories\n");
873 goto out;
874 }
875 if ( items > 1 )
876 {
877 rc = ebitmap_read(&r->level[1].cat, fp);
878 if ( rc )
879 {
880 printk(KERN_ERR "Flask: mls: error reading high "
881 "categories\n");
882 goto bad_high;
883 }
884 }
885 else
886 {
887 rc = ebitmap_cpy(&r->level[1].cat, &r->level[0].cat);
888 if ( rc )
889 {
890 printk(KERN_ERR "Flask: mls: out of memory\n");
891 goto bad_high;
892 }
893 }
894
895 rc = 0;
896 out:
897 return rc;
898 bad_high:
899 ebitmap_destroy(&r->level[0].cat);
900 goto out;
901 }
902
903 /*
904 * Read and validate a security context structure
905 * from a policydb binary representation file.
906 */
context_read_and_validate(struct context * c,struct policydb * p,void * fp)907 static int context_read_and_validate(struct context *c, struct policydb *p,
908 void *fp)
909 {
910 __le32 buf[3];
911 int rc;
912
913 rc = next_entry(buf, fp, sizeof buf);
914 if ( rc < 0 )
915 {
916 printk(KERN_ERR "Flask: context truncated\n");
917 goto out;
918 }
919 c->user = le32_to_cpu(buf[0]);
920 c->role = le32_to_cpu(buf[1]);
921 c->type = le32_to_cpu(buf[2]);
922 if ( p->policyvers >= POLICYDB_VERSION_MLS )
923 {
924 if ( mls_read_range_helper(&c->range, fp) )
925 {
926 printk(KERN_ERR "Flask: error reading MLS range of "
927 "context\n");
928 rc = -EINVAL;
929 goto out;
930 }
931 }
932
933 if ( !policydb_context_isvalid(p, c) )
934 {
935 printk(KERN_ERR "Flask: invalid security context\n");
936 context_destroy(c);
937 rc = -EINVAL;
938 }
939 out:
940 return rc;
941 }
942
943 /*
944 * The following *_read functions are used to
945 * read the symbol data from a policy database
946 * binary representation file.
947 */
948
perm_read(struct policydb * p,struct hashtab * h,void * fp)949 static int perm_read(struct policydb *p, struct hashtab *h, void *fp)
950 {
951 char *key = NULL;
952 struct perm_datum *perdatum;
953 int rc;
954 __le32 buf[2];
955 u32 len;
956
957 perdatum = xzalloc(struct perm_datum);
958 if ( !perdatum )
959 {
960 rc = -ENOMEM;
961 goto out;
962 }
963
964 rc = next_entry(buf, fp, sizeof buf);
965 if ( rc < 0 )
966 goto bad;
967
968 len = le32_to_cpu(buf[0]);
969 perdatum->value = le32_to_cpu(buf[1]);
970
971 key = xmalloc_array(char, len + 1);
972 if ( !key )
973 {
974 rc = -ENOMEM;
975 goto bad;
976 }
977 rc = next_entry(key, fp, len);
978 if ( rc < 0 )
979 goto bad;
980 key[len] = 0;
981
982 rc = hashtab_insert(h, key, perdatum);
983 if ( rc )
984 goto bad;
985 out:
986 return rc;
987 bad:
988 perm_destroy(key, perdatum, NULL);
989 goto out;
990 }
991
common_read(struct policydb * p,struct hashtab * h,void * fp)992 static int common_read(struct policydb *p, struct hashtab *h, void *fp)
993 {
994 char *key = NULL;
995 struct common_datum *comdatum;
996 __le32 buf[4];
997 u32 len, nel;
998 int i, rc;
999
1000 comdatum = xzalloc(struct common_datum);
1001 if ( !comdatum )
1002 {
1003 rc = -ENOMEM;
1004 goto out;
1005 }
1006
1007 rc = next_entry(buf, fp, sizeof buf);
1008 if ( rc < 0 )
1009 goto bad;
1010
1011 len = le32_to_cpu(buf[0]);
1012 comdatum->value = le32_to_cpu(buf[1]);
1013
1014 rc = symtab_init(&comdatum->permissions, PERM_SYMTAB_SIZE);
1015 if ( rc )
1016 goto bad;
1017 comdatum->permissions.nprim = le32_to_cpu(buf[2]);
1018 nel = le32_to_cpu(buf[3]);
1019
1020 key = xmalloc_array(char, len + 1);
1021 if ( !key )
1022 {
1023 rc = -ENOMEM;
1024 goto bad;
1025 }
1026 rc = next_entry(key, fp, len);
1027 if ( rc < 0 )
1028 goto bad;
1029 key[len] = 0;
1030
1031 for ( i = 0; i < nel; i++ )
1032 {
1033 rc = perm_read(p, comdatum->permissions.table, fp);
1034 if ( rc )
1035 goto bad;
1036 }
1037
1038 rc = hashtab_insert(h, key, comdatum);
1039 if ( rc )
1040 goto bad;
1041 out:
1042 return rc;
1043 bad:
1044 common_destroy(key, comdatum, NULL);
1045 goto out;
1046 }
1047
read_cons_helper(struct policydb * p,struct constraint_node ** nodep,int ncons,int allowxtarget,void * fp)1048 static int read_cons_helper(struct policydb *p, struct constraint_node **nodep,
1049 int ncons, int allowxtarget, void *fp)
1050 {
1051 struct constraint_node *c, *lc;
1052 struct constraint_expr *e, *le;
1053 __le32 buf[3];
1054 u32 nexpr;
1055 int rc, i, j, depth;
1056
1057 lc = NULL;
1058 for ( i = 0; i < ncons; i++ )
1059 {
1060 c = xzalloc(struct constraint_node);
1061 if ( !c )
1062 return -ENOMEM;
1063
1064 if ( lc )
1065 {
1066 lc->next = c;
1067 }
1068 else
1069 {
1070 *nodep = c;
1071 }
1072
1073 rc = next_entry(buf, fp, (sizeof(u32) * 2));
1074 if ( rc < 0 )
1075 return rc;
1076 c->permissions = le32_to_cpu(buf[0]);
1077 nexpr = le32_to_cpu(buf[1]);
1078 le = NULL;
1079 depth = -1;
1080 for ( j = 0; j < nexpr; j++ )
1081 {
1082 e = xzalloc(struct constraint_expr);
1083 if ( !e )
1084 return -ENOMEM;
1085
1086 if ( le )
1087 le->next = e;
1088 else
1089 c->expr = e;
1090
1091 rc = next_entry(buf, fp, (sizeof(u32) * 3));
1092 if ( rc < 0 )
1093 return rc;
1094 e->expr_type = le32_to_cpu(buf[0]);
1095 e->attr = le32_to_cpu(buf[1]);
1096 e->op = le32_to_cpu(buf[2]);
1097
1098 switch ( e->expr_type )
1099 {
1100 case CEXPR_NOT:
1101 if ( depth < 0 )
1102 return -EINVAL;
1103 break;
1104 case CEXPR_AND:
1105 case CEXPR_OR:
1106 if ( depth < 1 )
1107 return -EINVAL;
1108 depth--;
1109 break;
1110 case CEXPR_ATTR:
1111 if ( depth == (CEXPR_MAXDEPTH - 1) )
1112 return -EINVAL;
1113 depth++;
1114 break;
1115 case CEXPR_NAMES:
1116 if ( !allowxtarget && (e->attr & CEXPR_XTARGET) )
1117 return -EINVAL;
1118 if ( depth == (CEXPR_MAXDEPTH - 1) )
1119 return -EINVAL;
1120 depth++;
1121 if ( ebitmap_read(&e->names, fp) )
1122 return -EINVAL;
1123 if ( p->policyvers >= POLICYDB_VERSION_CONSTRAINT_NAMES )
1124 {
1125 struct ebitmap dummy;
1126 ebitmap_init(&dummy);
1127 if ( ebitmap_read(&dummy, fp) )
1128 return -EINVAL;
1129 ebitmap_destroy(&dummy);
1130
1131 ebitmap_init(&dummy);
1132 if ( ebitmap_read(&dummy, fp) )
1133 return -EINVAL;
1134 ebitmap_destroy(&dummy);
1135
1136 rc = next_entry(buf, fp, sizeof(u32));
1137 if ( rc < 0 )
1138 return rc;
1139 }
1140 break;
1141 default:
1142 return -EINVAL;
1143 }
1144 le = e;
1145 }
1146 if ( depth != 0 )
1147 return -EINVAL;
1148 lc = c;
1149 }
1150
1151 return 0;
1152 }
1153
class_read(struct policydb * p,struct hashtab * h,void * fp)1154 static int class_read(struct policydb *p, struct hashtab *h, void *fp)
1155 {
1156 char *key = NULL;
1157 struct class_datum *cladatum;
1158 __le32 buf[6];
1159 u32 len, len2, ncons, nel;
1160 int i, rc;
1161
1162 cladatum = xzalloc(struct class_datum);
1163 if ( !cladatum )
1164 {
1165 rc = -ENOMEM;
1166 goto out;
1167 }
1168
1169 rc = next_entry(buf, fp, sizeof(u32)*6);
1170 if ( rc < 0 )
1171 goto bad;
1172
1173 len = le32_to_cpu(buf[0]);
1174 len2 = le32_to_cpu(buf[1]);
1175 cladatum->value = le32_to_cpu(buf[2]);
1176
1177 rc = symtab_init(&cladatum->permissions, PERM_SYMTAB_SIZE);
1178 if ( rc )
1179 goto bad;
1180 cladatum->permissions.nprim = le32_to_cpu(buf[3]);
1181 nel = le32_to_cpu(buf[4]);
1182
1183 ncons = le32_to_cpu(buf[5]);
1184
1185 key = xmalloc_array(char, len + 1);
1186 if ( !key )
1187 {
1188 rc = -ENOMEM;
1189 goto bad;
1190 }
1191 rc = next_entry(key, fp, len);
1192 if ( rc < 0 )
1193 goto bad;
1194 key[len] = 0;
1195
1196 if ( len2 )
1197 {
1198 printk(KERN_ERR "Flask: classes with common prefixes are not supported\n");
1199 rc = -EINVAL;
1200 goto bad;
1201 }
1202 for ( i = 0; i < nel; i++ )
1203 {
1204 rc = perm_read(p, cladatum->permissions.table, fp);
1205 if ( rc )
1206 goto bad;
1207 }
1208
1209 rc = read_cons_helper(p, &cladatum->constraints, ncons, 0, fp);
1210 if ( rc )
1211 goto bad;
1212
1213 if ( p->policyvers >= POLICYDB_VERSION_VALIDATETRANS )
1214 {
1215 /* grab the validatetrans rules */
1216 rc = next_entry(buf, fp, sizeof(u32));
1217 if ( rc < 0 )
1218 goto bad;
1219 ncons = le32_to_cpu(buf[0]);
1220 rc = read_cons_helper(p, &cladatum->validatetrans, ncons, 1, fp);
1221 if ( rc )
1222 goto bad;
1223 }
1224
1225 if ( p->policyvers >= POLICYDB_VERSION_NEW_OBJECT_DEFAULTS )
1226 {
1227 rc = next_entry(buf, fp, sizeof(u32) * 3);
1228 if ( rc )
1229 goto bad;
1230 /* these values are ignored by Xen */
1231 }
1232
1233 if ( p->policyvers >= POLICYDB_VERSION_DEFAULT_TYPE )
1234 {
1235 rc = next_entry(buf, fp, sizeof(u32) * 1);
1236 if ( rc )
1237 goto bad;
1238 /* ignored by Xen */
1239 }
1240
1241 rc = hashtab_insert(h, key, cladatum);
1242 if ( rc )
1243 goto bad;
1244
1245 rc = 0;
1246 out:
1247 return rc;
1248 bad:
1249 class_destroy(key, cladatum, NULL);
1250 goto out;
1251 }
1252
role_read(struct policydb * p,struct hashtab * h,void * fp)1253 static int role_read(struct policydb *p, struct hashtab *h, void *fp)
1254 {
1255 char *key = NULL;
1256 struct role_datum *role;
1257 int rc;
1258 __le32 buf[3];
1259 u32 len;
1260 u32 ver = p->policyvers;
1261
1262 role = xzalloc(struct role_datum);
1263 if ( !role )
1264 {
1265 rc = -ENOMEM;
1266 goto out;
1267 }
1268
1269 if ( ver >= POLICYDB_VERSION_BOUNDARY )
1270 rc = next_entry(buf, fp, sizeof(buf[0]) * 3);
1271 else
1272 rc = next_entry(buf, fp, sizeof(buf[0]) * 2);
1273
1274 if ( rc < 0 )
1275 goto bad;
1276
1277 len = le32_to_cpu(buf[0]);
1278 role->value = le32_to_cpu(buf[1]);
1279 if ( ver >= POLICYDB_VERSION_BOUNDARY )
1280 role->bounds = le32_to_cpu(buf[2]);
1281
1282 key = xmalloc_array(char, len + 1);
1283 if ( !key )
1284 {
1285 rc = -ENOMEM;
1286 goto bad;
1287 }
1288 rc = next_entry(key, fp, len);
1289 if ( rc < 0 )
1290 goto bad;
1291 key[len] = 0;
1292
1293 rc = ebitmap_read(&role->dominates, fp);
1294 if ( rc )
1295 goto bad;
1296
1297 rc = ebitmap_read(&role->types, fp);
1298 if ( rc )
1299 goto bad;
1300
1301 if ( strcmp(key, OBJECT_R) == 0 )
1302 {
1303 if ( role->value != OBJECT_R_VAL )
1304 {
1305 printk(KERN_ERR "Role %s has wrong value %d\n", OBJECT_R,
1306 role->value);
1307 rc = -EINVAL;
1308 goto bad;
1309 }
1310 rc = 0;
1311 goto bad;
1312 }
1313
1314 rc = hashtab_insert(h, key, role);
1315 if ( rc )
1316 goto bad;
1317 out:
1318 return rc;
1319 bad:
1320 role_destroy(key, role, NULL);
1321 goto out;
1322 }
1323
type_read(struct policydb * p,struct hashtab * h,void * fp)1324 static int type_read(struct policydb *p, struct hashtab *h, void *fp)
1325 {
1326 char *key = NULL;
1327 struct type_datum *typdatum;
1328 int rc;
1329 __le32 buf[4];
1330 u32 len;
1331 u32 ver = p->policyvers;
1332
1333 typdatum = xzalloc(struct type_datum);
1334 if ( !typdatum )
1335 {
1336 rc = -ENOMEM;
1337 return rc;
1338 }
1339
1340 if ( ver >= POLICYDB_VERSION_BOUNDARY )
1341 rc = next_entry(buf, fp, sizeof(buf[0]) * 4);
1342 else
1343 rc = next_entry(buf, fp, sizeof(buf[0]) * 3);
1344
1345 if ( rc < 0 )
1346 goto bad;
1347
1348 len = le32_to_cpu(buf[0]);
1349 typdatum->value = le32_to_cpu(buf[1]);
1350 if ( ver >= POLICYDB_VERSION_BOUNDARY )
1351 {
1352 u32 prop = le32_to_cpu(buf[2]);
1353
1354 if ( prop & TYPEDATUM_PROPERTY_PRIMARY )
1355 typdatum->primary = 1;
1356 if ( prop & TYPEDATUM_PROPERTY_ATTRIBUTE )
1357 typdatum->attribute = 1;
1358
1359 typdatum->bounds = le32_to_cpu(buf[3]);
1360 }
1361 else
1362 {
1363 typdatum->primary = le32_to_cpu(buf[2]);
1364 }
1365
1366 key = xmalloc_array(char, len + 1);
1367 if ( !key )
1368 {
1369 rc = -ENOMEM;
1370 goto bad;
1371 }
1372 rc = next_entry(key, fp, len);
1373 if ( rc < 0 )
1374 goto bad;
1375 key[len] = 0;
1376
1377 rc = hashtab_insert(h, key, typdatum);
1378 if ( rc )
1379 goto bad;
1380 out:
1381 return rc;
1382 bad:
1383 type_destroy(key, typdatum, NULL);
1384 goto out;
1385 }
1386
1387
1388 /*
1389 * Read a MLS level structure from a policydb binary
1390 * representation file.
1391 */
mls_read_level(struct mls_level * lp,void * fp)1392 static int mls_read_level(struct mls_level *lp, void *fp)
1393 {
1394 __le32 buf[1];
1395 int rc;
1396
1397 memset(lp, 0, sizeof(*lp));
1398
1399 rc = next_entry(buf, fp, sizeof buf);
1400 if ( rc < 0 )
1401 {
1402 printk(KERN_ERR "Flask: mls: truncated level\n");
1403 goto bad;
1404 }
1405 lp->sens = le32_to_cpu(buf[0]);
1406
1407 if ( ebitmap_read(&lp->cat, fp) )
1408 {
1409 printk(KERN_ERR "Flask: mls: error reading level categories\n");
1410 goto bad;
1411 }
1412 return 0;
1413
1414 bad:
1415 return -EINVAL;
1416 }
1417
user_read(struct policydb * p,struct hashtab * h,void * fp)1418 static int user_read(struct policydb *p, struct hashtab *h, void *fp)
1419 {
1420 char *key = NULL;
1421 struct user_datum *usrdatum;
1422 int rc;
1423 __le32 buf[3];
1424 u32 len;
1425 u32 ver = p->policyvers;
1426
1427 usrdatum = xzalloc(struct user_datum);
1428 if ( !usrdatum )
1429 {
1430 rc = -ENOMEM;
1431 goto out;
1432 }
1433
1434 if ( ver >= POLICYDB_VERSION_BOUNDARY )
1435 rc = next_entry(buf, fp, sizeof(buf[0]) * 3);
1436 else
1437 rc = next_entry(buf, fp, sizeof(buf[0]) * 2);
1438
1439 if ( rc < 0 )
1440 goto bad;
1441
1442 len = le32_to_cpu(buf[0]);
1443 usrdatum->value = le32_to_cpu(buf[1]);
1444 if ( ver >= POLICYDB_VERSION_BOUNDARY )
1445 usrdatum->bounds = le32_to_cpu(buf[2]);
1446
1447 key = xmalloc_array(char, len + 1);
1448 if ( !key )
1449 {
1450 rc = -ENOMEM;
1451 goto bad;
1452 }
1453 rc = next_entry(key, fp, len);
1454 if ( rc < 0 )
1455 goto bad;
1456 key[len] = 0;
1457
1458 rc = ebitmap_read(&usrdatum->roles, fp);
1459 if ( rc )
1460 goto bad;
1461
1462 if ( ver >= POLICYDB_VERSION_MLS )
1463 {
1464 rc = mls_read_range_helper(&usrdatum->range, fp);
1465 if ( rc )
1466 goto bad;
1467 rc = mls_read_level(&usrdatum->dfltlevel, fp);
1468 if ( rc )
1469 goto bad;
1470 }
1471
1472 rc = hashtab_insert(h, key, usrdatum);
1473 if ( rc )
1474 goto bad;
1475 out:
1476 return rc;
1477 bad:
1478 user_destroy(key, usrdatum, NULL);
1479 goto out;
1480 }
1481
sens_read(struct policydb * p,struct hashtab * h,void * fp)1482 static int sens_read(struct policydb *p, struct hashtab *h, void *fp)
1483 {
1484 char *key = NULL;
1485 struct level_datum *levdatum;
1486 int rc;
1487 __le32 buf[2];
1488 u32 len;
1489
1490 levdatum = xzalloc(struct level_datum);
1491 if ( !levdatum )
1492 {
1493 rc = -ENOMEM;
1494 goto out;
1495 }
1496
1497 rc = next_entry(buf, fp, sizeof buf);
1498 if ( rc < 0 )
1499 goto bad;
1500
1501 len = le32_to_cpu(buf[0]);
1502 levdatum->isalias = le32_to_cpu(buf[1]);
1503
1504 key = xmalloc_array(char, len + 1);
1505 if ( !key )
1506 {
1507 rc = -ENOMEM;
1508 goto bad;
1509 }
1510 rc = next_entry(key, fp, len);
1511 if ( rc < 0 )
1512 goto bad;
1513 key[len] = 0;
1514
1515 levdatum->level = xmalloc(struct mls_level);
1516 if ( !levdatum->level )
1517 {
1518 rc = -ENOMEM;
1519 goto bad;
1520 }
1521 if ( mls_read_level(levdatum->level, fp) )
1522 {
1523 rc = -EINVAL;
1524 goto bad;
1525 }
1526
1527 rc = hashtab_insert(h, key, levdatum);
1528 if ( rc )
1529 goto bad;
1530 out:
1531 return rc;
1532 bad:
1533 sens_destroy(key, levdatum, NULL);
1534 goto out;
1535 }
1536
cat_read(struct policydb * p,struct hashtab * h,void * fp)1537 static int cat_read(struct policydb *p, struct hashtab *h, void *fp)
1538 {
1539 char *key = NULL;
1540 struct cat_datum *catdatum;
1541 int rc;
1542 __le32 buf[3];
1543 u32 len;
1544
1545 catdatum = xzalloc(struct cat_datum);
1546 if ( !catdatum )
1547 {
1548 rc = -ENOMEM;
1549 goto out;
1550 }
1551
1552 rc = next_entry(buf, fp, sizeof buf);
1553 if ( rc < 0 )
1554 goto bad;
1555
1556 len = le32_to_cpu(buf[0]);
1557 catdatum->value = le32_to_cpu(buf[1]);
1558 catdatum->isalias = le32_to_cpu(buf[2]);
1559
1560 key = xmalloc_array(char, len + 1);
1561 if ( !key )
1562 {
1563 rc = -ENOMEM;
1564 goto bad;
1565 }
1566 rc = next_entry(key, fp, len);
1567 if ( rc < 0 )
1568 goto bad;
1569 key[len] = 0;
1570
1571 rc = hashtab_insert(h, key, catdatum);
1572 if ( rc )
1573 goto bad;
1574 out:
1575 return rc;
1576
1577 bad:
1578 cat_destroy(key, catdatum, NULL);
1579 goto out;
1580 }
1581
1582 static int (*read_f[SYM_NUM]) (struct policydb *p, struct hashtab *h, void *fp) =
1583 {
1584 common_read,
1585 class_read,
1586 role_read,
1587 type_read,
1588 user_read,
1589 cond_read_bool,
1590 sens_read,
1591 cat_read,
1592 };
1593
user_bounds_sanity_check(void * key,void * datum,void * datap)1594 static int user_bounds_sanity_check(void *key, void *datum, void *datap)
1595 {
1596 struct user_datum *upper, *user;
1597 struct policydb *p = datap;
1598 int depth = 0;
1599
1600 upper = user = datum;
1601 while (upper->bounds)
1602 {
1603 struct ebitmap_node *node;
1604 unsigned long bit;
1605
1606 if ( ++depth == POLICYDB_BOUNDS_MAXDEPTH )
1607 {
1608 printk(KERN_ERR "Flask: user %s: "
1609 "too deep or looped boundary",
1610 (char *) key);
1611 return -EINVAL;
1612 }
1613
1614 upper = p->user_val_to_struct[upper->bounds - 1];
1615 ebitmap_for_each_positive_bit(&user->roles, node, bit)
1616 {
1617 if ( ebitmap_get_bit(&upper->roles, bit) )
1618 continue;
1619
1620 printk(KERN_ERR
1621 "Flask: boundary violated policy: "
1622 "user=%s role=%s bounds=%s\n",
1623 p->p_user_val_to_name[user->value - 1],
1624 p->p_role_val_to_name[bit],
1625 p->p_user_val_to_name[upper->value - 1]);
1626
1627 return -EINVAL;
1628 }
1629 }
1630
1631 return 0;
1632 }
1633
role_bounds_sanity_check(void * key,void * datum,void * datap)1634 static int role_bounds_sanity_check(void *key, void *datum, void *datap)
1635 {
1636 struct role_datum *upper, *role;
1637 struct policydb *p = datap;
1638 int depth = 0;
1639
1640 upper = role = datum;
1641 while (upper->bounds)
1642 {
1643 struct ebitmap_node *node;
1644 unsigned long bit;
1645
1646 if ( ++depth == POLICYDB_BOUNDS_MAXDEPTH )
1647 {
1648 printk(KERN_ERR "Flask: role %s: "
1649 "too deep or looped bounds\n",
1650 (char *) key);
1651 return -EINVAL;
1652 }
1653
1654 upper = p->role_val_to_struct[upper->bounds - 1];
1655 ebitmap_for_each_positive_bit(&role->types, node, bit)
1656 {
1657 if ( ebitmap_get_bit(&upper->types, bit) )
1658 continue;
1659
1660 printk(KERN_ERR
1661 "Flask: boundary violated policy: "
1662 "role=%s type=%s bounds=%s\n",
1663 p->p_role_val_to_name[role->value - 1],
1664 p->p_type_val_to_name[bit],
1665 p->p_role_val_to_name[upper->value - 1]);
1666
1667 return -EINVAL;
1668 }
1669 }
1670
1671 return 0;
1672 }
1673
type_bounds_sanity_check(void * key,void * datum,void * datap)1674 static int type_bounds_sanity_check(void *key, void *datum, void *datap)
1675 {
1676 struct type_datum *upper, *type;
1677 struct policydb *p = datap;
1678 int depth = 0;
1679
1680 upper = type = datum;
1681 while (upper->bounds)
1682 {
1683 if ( ++depth == POLICYDB_BOUNDS_MAXDEPTH )
1684 {
1685 printk(KERN_ERR "Flask: type %s: "
1686 "too deep or looped boundary\n",
1687 (char *) key);
1688 return -EINVAL;
1689 }
1690
1691 upper = p->type_val_to_struct[upper->bounds - 1];
1692 if ( upper->attribute )
1693 {
1694 printk(KERN_ERR "Flask: type %s: "
1695 "bounded by attribute %s",
1696 (char *) key,
1697 p->p_type_val_to_name[upper->value - 1]);
1698 return -EINVAL;
1699 }
1700 }
1701
1702 return 0;
1703 }
1704
policydb_bounds_sanity_check(struct policydb * p)1705 static int policydb_bounds_sanity_check(struct policydb *p)
1706 {
1707 int rc;
1708
1709 if ( p->policyvers < POLICYDB_VERSION_BOUNDARY )
1710 return 0;
1711
1712 rc = hashtab_map(p->p_users.table,
1713 user_bounds_sanity_check, p);
1714 if ( rc )
1715 return rc;
1716
1717 rc = hashtab_map(p->p_roles.table,
1718 role_bounds_sanity_check, p);
1719 if ( rc )
1720 return rc;
1721
1722 rc = hashtab_map(p->p_types.table,
1723 type_bounds_sanity_check, p);
1724 if ( rc )
1725 return rc;
1726
1727 return 0;
1728 }
1729
1730 extern int ss_initialized;
1731
1732 /*
1733 * Read the configuration data from a policy database binary
1734 * representation file into a policy database structure.
1735 */
policydb_read(struct policydb * p,void * fp)1736 int policydb_read(struct policydb *p, void *fp)
1737 {
1738 struct role_allow *ra, *lra;
1739 struct role_trans *tr, *ltr;
1740 struct ocontext *l, *c /*, *newc*/;
1741 int i, j, rc;
1742 __le32 buf[8];
1743 u32 len, /*len2,*/ config, nprim, nel /*, nel2*/;
1744 char *policydb_str;
1745 struct policydb_compat_info *info;
1746 struct range_trans *rt, *lrt;
1747
1748 config = 0;
1749 rc = policydb_init(p);
1750 if ( rc )
1751 goto out;
1752
1753 /* Read the magic number and string length. */
1754 rc = next_entry(buf, fp, sizeof(u32)* 2);
1755 if ( rc < 0 )
1756 goto bad;
1757
1758 if ( le32_to_cpu(buf[0]) != POLICYDB_MAGIC )
1759 {
1760 printk(KERN_ERR "Flask: policydb magic number %#x does "
1761 "not match expected magic number %#x\n",
1762 le32_to_cpu(buf[0]), POLICYDB_MAGIC);
1763 goto bad;
1764 }
1765
1766 len = le32_to_cpu(buf[1]);
1767 if ( len != strlen(POLICYDB_STRING) )
1768 {
1769 printk(KERN_ERR "Flask: policydb string length %d does not "
1770 "match expected length %zu\n",
1771 len, strlen(POLICYDB_STRING));
1772 goto bad;
1773 }
1774 policydb_str = xmalloc_array(char, len + 1);
1775 if ( !policydb_str )
1776 {
1777 printk(KERN_ERR "Flask: unable to allocate memory for policydb "
1778 "string of length %d\n", len);
1779 rc = -ENOMEM;
1780 goto bad;
1781 }
1782 rc = next_entry(policydb_str, fp, len);
1783 if ( rc < 0 )
1784 {
1785 printk(KERN_ERR "Flask: truncated policydb string identifier\n");
1786 xfree(policydb_str);
1787 goto bad;
1788 }
1789 policydb_str[len] = 0;
1790 if ( strcmp(policydb_str, POLICYDB_STRING) == 0 )
1791 p->target_type = TARGET_XEN;
1792 else if ( strcmp(policydb_str, POLICYDB_STRING_OLD) == 0 )
1793 p->target_type = TARGET_XEN_OLD;
1794 else
1795 {
1796 printk(KERN_ERR "Flask: %s not a valid policydb string", policydb_str);
1797 xfree(policydb_str);
1798 goto bad;
1799 }
1800 /* Done with policydb_str. */
1801 xfree(policydb_str);
1802 policydb_str = NULL;
1803
1804 /* Read the version, config, and table sizes. */
1805 rc = next_entry(buf, fp, sizeof(u32)*4);
1806 if ( rc < 0 )
1807 goto bad;
1808
1809 p->policyvers = le32_to_cpu(buf[0]);
1810 if ( p->policyvers < POLICYDB_VERSION_MIN ||
1811 p->policyvers > POLICYDB_VERSION_MAX )
1812 {
1813 printk(KERN_ERR "Flask: policydb version %d does not match "
1814 "my version range %d-%d\n",
1815 le32_to_cpu(buf[0]), POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
1816 goto bad;
1817 }
1818
1819 if ( (le32_to_cpu(buf[1]) & POLICYDB_CONFIG_MLS) )
1820 {
1821 if ( ss_initialized && !flask_mls_enabled )
1822 {
1823 printk(KERN_ERR "Cannot switch between non-MLS and MLS "
1824 "policies\n");
1825 goto bad;
1826 }
1827 flask_mls_enabled = 1;
1828 config |= POLICYDB_CONFIG_MLS;
1829
1830 if ( p->policyvers < POLICYDB_VERSION_MLS )
1831 {
1832 printk(KERN_ERR "security policydb version %d (MLS) "
1833 "not backwards compatible\n", p->policyvers);
1834 goto bad;
1835 }
1836 }
1837 else
1838 {
1839 if ( ss_initialized && flask_mls_enabled )
1840 {
1841 printk(KERN_ERR "Cannot switch between MLS and non-MLS "
1842 "policies\n");
1843 goto bad;
1844 }
1845 }
1846 p->allow_unknown = !!(le32_to_cpu(buf[1]) & ALLOW_UNKNOWN);
1847
1848 if ( p->policyvers >= POLICYDB_VERSION_POLCAP &&
1849 ebitmap_read(&p->policycaps, fp) != 0 )
1850 goto bad;
1851
1852 if ( p->policyvers >= POLICYDB_VERSION_PERMISSIVE &&
1853 ebitmap_read(&p->permissive_map, fp) != 0 )
1854 goto bad;
1855
1856 info = policydb_lookup_compat(p->policyvers, p->target_type);
1857 if ( !info )
1858 {
1859 printk(KERN_ERR "Flask: unable to find policy compat info "
1860 "for version %d target %d\n", p->policyvers, p->target_type);
1861 goto bad;
1862 }
1863
1864 if ( le32_to_cpu(buf[2]) != info->sym_num ||
1865 le32_to_cpu(buf[3]) != info->ocon_num )
1866 {
1867 printk(KERN_ERR "Flask: policydb table sizes (%d,%d) do "
1868 "not match mine (%d,%d)\n", le32_to_cpu(buf[2]),
1869 le32_to_cpu(buf[3]),
1870 info->sym_num, info->ocon_num);
1871 goto bad;
1872 }
1873
1874 for ( i = 0; i < info->sym_num; i++ )
1875 {
1876 rc = next_entry(buf, fp, sizeof(u32)*2);
1877 if ( rc < 0 )
1878 goto bad;
1879 nprim = le32_to_cpu(buf[0]);
1880 nel = le32_to_cpu(buf[1]);
1881 for ( j = 0; j < nel; j++ )
1882 {
1883 rc = read_f[i](p, p->symtab[i].table, fp);
1884 if ( rc )
1885 goto bad;
1886 }
1887
1888 p->symtab[i].nprim = nprim;
1889 }
1890
1891 rc = avtab_read(&p->te_avtab, fp, p);
1892 if ( rc )
1893 goto bad;
1894
1895 if ( p->policyvers >= POLICYDB_VERSION_BOOL )
1896 {
1897 rc = cond_read_list(p, fp);
1898 if ( rc )
1899 goto bad;
1900 }
1901
1902 rc = next_entry(buf, fp, sizeof(u32));
1903 if ( rc < 0 )
1904 goto bad;
1905 nel = le32_to_cpu(buf[0]);
1906 ltr = NULL;
1907 for ( i = 0; i < nel; i++ )
1908 {
1909 tr = xzalloc(struct role_trans);
1910 if ( !tr )
1911 {
1912 rc = -ENOMEM;
1913 goto bad;
1914 }
1915 if ( ltr )
1916 ltr->next = tr;
1917 else
1918 p->role_tr = tr;
1919 if ( p->policyvers >= POLICYDB_VERSION_ROLETRANS )
1920 rc = next_entry(buf, fp, sizeof(u32)*4);
1921 else
1922 rc = next_entry(buf, fp, sizeof(u32)*3);
1923 if ( rc < 0 )
1924 goto bad;
1925 tr->role = le32_to_cpu(buf[0]);
1926 tr->type = le32_to_cpu(buf[1]);
1927 tr->new_role = le32_to_cpu(buf[2]);
1928 if ( !policydb_role_isvalid(p, tr->role) ||
1929 !policydb_type_isvalid(p, tr->type) ||
1930 !policydb_role_isvalid(p, tr->new_role) )
1931 {
1932 rc = -EINVAL;
1933 goto bad;
1934 }
1935 ltr = tr;
1936 }
1937
1938 rc = next_entry(buf, fp, sizeof(u32));
1939 if ( rc < 0 )
1940 goto bad;
1941 nel = le32_to_cpu(buf[0]);
1942 lra = NULL;
1943 for ( i = 0; i < nel; i++ )
1944 {
1945 ra = xzalloc(struct role_allow);
1946 if ( !ra )
1947 {
1948 rc = -ENOMEM;
1949 goto bad;
1950 }
1951 if ( lra )
1952 lra->next = ra;
1953 else
1954 p->role_allow = ra;
1955 rc = next_entry(buf, fp, sizeof(u32)*2);
1956 if ( rc < 0 )
1957 goto bad;
1958 ra->role = le32_to_cpu(buf[0]);
1959 ra->new_role = le32_to_cpu(buf[1]);
1960 if ( !policydb_role_isvalid(p, ra->role) ||
1961 !policydb_role_isvalid(p, ra->new_role) )
1962 {
1963 rc = -EINVAL;
1964 goto bad;
1965 }
1966 lra = ra;
1967 }
1968
1969 if ( p->policyvers >= POLICYDB_VERSION_FILENAME_TRANS )
1970 {
1971 rc = next_entry(buf, fp, sizeof(u32));
1972 if ( rc )
1973 goto bad;
1974 nel = le32_to_cpu(buf[0]);
1975 if ( nel )
1976 {
1977 printk(KERN_ERR "Flask: unsupported genfs config data\n");
1978 rc = -EINVAL;
1979 goto bad;
1980 }
1981 }
1982
1983 rc = policydb_index_classes(p);
1984 if ( rc )
1985 goto bad;
1986
1987 rc = policydb_index_others(p);
1988 if ( rc )
1989 goto bad;
1990
1991 for ( i = 0; i < info->ocon_num; i++ )
1992 {
1993 rc = next_entry(buf, fp, sizeof(u32));
1994 if ( rc < 0 )
1995 goto bad;
1996 nel = le32_to_cpu(buf[0]);
1997 l = NULL;
1998 for ( j = 0; j < nel; j++ )
1999 {
2000 c = xzalloc(struct ocontext);
2001 if ( !c )
2002 {
2003 rc = -ENOMEM;
2004 goto bad;
2005 }
2006 if ( l )
2007 l->next = c;
2008 else
2009 p->ocontexts[i] = c;
2010 l = c;
2011 rc = -EINVAL;
2012 switch ( i )
2013 {
2014 case OCON_ISID:
2015 rc = next_entry(buf, fp, sizeof(u32));
2016 if ( rc < 0 )
2017 goto bad;
2018 c->sid = le32_to_cpu(buf[0]);
2019 rc = context_read_and_validate(&c->context, p, fp);
2020 if ( rc )
2021 goto bad;
2022 break;
2023 case OCON_PIRQ:
2024 if ( p->target_type != TARGET_XEN )
2025 {
2026 printk(KERN_ERR
2027 "Old xen policy does not support pirqcon");
2028 goto bad;
2029 }
2030 rc = next_entry(buf, fp, sizeof(u32));
2031 if ( rc < 0 )
2032 goto bad;
2033 c->u.pirq = le32_to_cpu(buf[0]);
2034 rc = context_read_and_validate(&c->context, p, fp);
2035 if ( rc )
2036 goto bad;
2037 break;
2038 case OCON_IOPORT:
2039 if ( p->target_type != TARGET_XEN )
2040 {
2041 printk(KERN_ERR
2042 "Old xen policy does not support ioportcon");
2043 goto bad;
2044 }
2045 rc = next_entry(buf, fp, sizeof(u32) *2);
2046 if ( rc < 0 )
2047 goto bad;
2048 c->u.ioport.low_ioport = le32_to_cpu(buf[0]);
2049 c->u.ioport.high_ioport = le32_to_cpu(buf[1]);
2050 rc = context_read_and_validate(&c->context, p, fp);
2051 if ( rc )
2052 goto bad;
2053 break;
2054 case OCON_IOMEM:
2055 if ( p->target_type != TARGET_XEN )
2056 {
2057 printk(KERN_ERR
2058 "Old xen policy does not support iomemcon");
2059 goto bad;
2060 }
2061 if ( p->policyvers >= POLICYDB_VERSION_XEN_DEVICETREE )
2062 {
2063 u64 b64[2];
2064 rc = next_entry(b64, fp, sizeof(u64) *2);
2065 if ( rc < 0 )
2066 goto bad;
2067 c->u.iomem.low_iomem = le64_to_cpu(b64[0]);
2068 c->u.iomem.high_iomem = le64_to_cpu(b64[1]);
2069 }
2070 else
2071 {
2072 rc = next_entry(buf, fp, sizeof(u32) *2);
2073 if ( rc < 0 )
2074 goto bad;
2075 c->u.iomem.low_iomem = le32_to_cpu(buf[0]);
2076 c->u.iomem.high_iomem = le32_to_cpu(buf[1]);
2077 }
2078 rc = context_read_and_validate(&c->context, p, fp);
2079 if ( rc )
2080 goto bad;
2081 break;
2082 case OCON_DEVICE:
2083 if ( p->target_type != TARGET_XEN )
2084 {
2085 printk(KERN_ERR
2086 "Old xen policy does not support pcidevicecon");
2087 goto bad;
2088 }
2089 rc = next_entry(buf, fp, sizeof(u32));
2090 if ( rc < 0 )
2091 goto bad;
2092 c->u.device = le32_to_cpu(buf[0]);
2093 rc = context_read_and_validate(&c->context, p, fp);
2094 if ( rc )
2095 goto bad;
2096 break;
2097 case OCON_DTREE:
2098 if ( p->target_type != TARGET_XEN )
2099 {
2100 printk(KERN_ERR
2101 "Old xen policy does not support devicetreecon");
2102 goto bad;
2103 }
2104 rc = next_entry(buf, fp, sizeof(u32));
2105 if ( rc < 0 )
2106 goto bad;
2107 len = le32_to_cpu(buf[0]);
2108 rc = -ENOMEM;
2109 c->u.name = xmalloc_array(char, len + 1);
2110 if (!c->u.name)
2111 goto bad;
2112 rc = next_entry(c->u.name, fp, len);
2113 if ( rc < 0 )
2114 goto bad;
2115 c->u.name[len] = 0;
2116 rc = context_read_and_validate(&c->context, p, fp);
2117 if ( rc )
2118 goto bad;
2119 break;
2120 default:
2121 printk(KERN_ERR
2122 "Flask: unsupported object context config data\n");
2123 rc = -EINVAL;
2124 goto bad;
2125 }
2126 }
2127 }
2128
2129 rc = next_entry(buf, fp, sizeof(u32));
2130 if ( rc < 0 )
2131 goto bad;
2132 nel = le32_to_cpu(buf[0]);
2133 if ( nel )
2134 {
2135 printk(KERN_ERR "Flask: unsupported genfs config data\n");
2136 rc = -EINVAL;
2137 goto bad;
2138 }
2139
2140 if ( p->policyvers >= POLICYDB_VERSION_MLS )
2141 {
2142 int new_rangetr = p->policyvers >= POLICYDB_VERSION_RANGETRANS;
2143 rc = next_entry(buf, fp, sizeof(u32));
2144 if ( rc < 0 )
2145 goto bad;
2146 nel = le32_to_cpu(buf[0]);
2147 lrt = NULL;
2148 for ( i = 0; i < nel; i++ )
2149 {
2150 rt = xzalloc(struct range_trans);
2151 if ( !rt )
2152 {
2153 rc = -ENOMEM;
2154 goto bad;
2155 }
2156 if ( lrt )
2157 lrt->next = rt;
2158 else
2159 p->range_tr = rt;
2160 rc = next_entry(buf, fp, (sizeof(u32) * 2));
2161 if ( rc < 0 )
2162 goto bad;
2163 rt->source_type = le32_to_cpu(buf[0]);
2164 rt->target_type = le32_to_cpu(buf[1]);
2165 if ( new_rangetr )
2166 {
2167 rc = next_entry(buf, fp, sizeof(u32));
2168 if ( rc < 0 )
2169 goto bad;
2170 rt->target_class = le32_to_cpu(buf[0]);
2171 } else
2172 rt->target_class = SECCLASS_DOMAIN;
2173 if ( !policydb_type_isvalid(p, rt->source_type) ||
2174 !policydb_type_isvalid(p, rt->target_type) ||
2175 !policydb_class_isvalid(p, rt->target_class) )
2176 {
2177 rc = -EINVAL;
2178 goto bad;
2179 }
2180 rc = mls_read_range_helper(&rt->target_range, fp);
2181 if ( rc )
2182 goto bad;
2183 if ( !mls_range_isvalid(p, &rt->target_range) )
2184 {
2185 printk(KERN_WARNING "Flask: rangetrans: invalid range\n");
2186 goto bad;
2187 }
2188 lrt = rt;
2189 }
2190 }
2191
2192 p->type_attr_map = xmalloc_array(struct ebitmap, p->p_types.nprim);
2193 if ( !p->type_attr_map )
2194 goto bad;
2195
2196 for ( i = 0; i < p->p_types.nprim; i++ )
2197 {
2198 ebitmap_init(&p->type_attr_map[i]);
2199 if ( p->policyvers >= POLICYDB_VERSION_AVTAB )
2200 {
2201 if ( ebitmap_read(&p->type_attr_map[i], fp) )
2202 goto bad;
2203 }
2204 /* add the type itself as the degenerate case */
2205 if ( ebitmap_set_bit(&p->type_attr_map[i], i, 1) )
2206 goto bad;
2207 }
2208
2209 rc = policydb_bounds_sanity_check(p);
2210 if ( rc )
2211 goto bad;
2212
2213 rc = 0;
2214 out:
2215 return rc;
2216 bad:
2217 if ( !rc )
2218 rc = -EINVAL;
2219 policydb_destroy(p);
2220 goto out;
2221 }
2222