2 * Implementation of the multi-level security (MLS) policy.
4 * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
9 * Support for enhanced MLS infrastructure.
11 * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
14 * Updated: Hewlett-Packard <paul.moore@hp.com>
16 * Added support to import/export the MLS label from NetLabel
18 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
21 #include <linux/kernel.h>
22 #include <linux/slab.h>
23 #include <linux/string.h>
24 #include <linux/errno.h>
25 #include <net/netlabel.h>
32 * Return the length in bytes for the MLS fields of the
33 * security context string representation of `context'.
35 int mls_compute_context_len(struct context * context)
38 struct ebitmap_node *node;
40 if (!selinux_mls_enabled)
43 len = 1; /* for the beginning ":" */
44 for (l = 0; l < 2; l++) {
46 len += strlen(policydb.p_sens_val_to_name[context->range.level[l].sens - 1]);
48 ebitmap_for_each_bit(&context->range.level[l].cat, node, i) {
49 if (ebitmap_node_get_bit(node, i)) {
55 len += strlen(policydb.p_cat_val_to_name[i]) + 1;
59 len += strlen(policydb.p_cat_val_to_name[i - 1]) + 1;
63 /* Handle case where last category is the end of range */
65 len += strlen(policydb.p_cat_val_to_name[i - 1]) + 1;
68 if (mls_level_eq(&context->range.level[0],
69 &context->range.level[1]))
80 * Write the security context string representation of
81 * the MLS fields of `context' into the string `*scontext'.
82 * Update `*scontext' to point to the end of the MLS fields.
84 void mls_sid_to_context(struct context *context,
88 int i, l, range, wrote_sep;
89 struct ebitmap_node *node;
91 if (!selinux_mls_enabled)
94 scontextp = *scontext;
99 for (l = 0; l < 2; l++) {
103 policydb.p_sens_val_to_name[context->range.level[l].sens - 1]);
104 scontextp += strlen(policydb.p_sens_val_to_name[context->range.level[l].sens - 1]);
107 ebitmap_for_each_bit(&context->range.level[l].cat, node, i) {
108 if (ebitmap_node_get_bit(node, i)) {
119 strcpy(scontextp, policydb.p_cat_val_to_name[i]);
120 scontextp += strlen(policydb.p_cat_val_to_name[i]);
129 strcpy(scontextp, policydb.p_cat_val_to_name[i - 1]);
130 scontextp += strlen(policydb.p_cat_val_to_name[i - 1]);
136 /* Handle case where last category is the end of range */
143 strcpy(scontextp, policydb.p_cat_val_to_name[i - 1]);
144 scontextp += strlen(policydb.p_cat_val_to_name[i - 1]);
148 if (mls_level_eq(&context->range.level[0],
149 &context->range.level[1]))
158 *scontext = scontextp;
163 * Return 1 if the MLS fields in the security context
164 * structure `c' are valid. Return 0 otherwise.
166 int mls_context_isvalid(struct policydb *p, struct context *c)
168 struct level_datum *levdatum;
169 struct user_datum *usrdatum;
170 struct ebitmap_node *node;
173 if (!selinux_mls_enabled)
177 * MLS range validity checks: high must dominate low, low level must
178 * be valid (category set <-> sensitivity check), and high level must
179 * be valid (category set <-> sensitivity check)
181 if (!mls_level_dom(&c->range.level[1], &c->range.level[0]))
182 /* High does not dominate low. */
185 for (l = 0; l < 2; l++) {
186 if (!c->range.level[l].sens || c->range.level[l].sens > p->p_levels.nprim)
188 levdatum = hashtab_search(p->p_levels.table,
189 p->p_sens_val_to_name[c->range.level[l].sens - 1]);
193 ebitmap_for_each_bit(&c->range.level[l].cat, node, i) {
194 if (ebitmap_node_get_bit(node, i)) {
195 if (i > p->p_cats.nprim)
197 if (!ebitmap_get_bit(&levdatum->level->cat, i))
199 * Category may not be associated with
200 * sensitivity in low level.
207 if (c->role == OBJECT_R_VAL)
211 * User must be authorized for the MLS range.
213 if (!c->user || c->user > p->p_users.nprim)
215 usrdatum = p->user_val_to_struct[c->user - 1];
216 if (!mls_range_contains(usrdatum->range, c->range))
217 return 0; /* user may not be associated with range */
223 * Set the MLS fields in the security context structure
224 * `context' based on the string representation in
225 * the string `*scontext'. Update `*scontext' to
226 * point to the end of the string representation of
229 * This function modifies the string in place, inserting
230 * NULL characters to terminate the MLS fields.
232 * If a def_sid is provided and no MLS field is present,
233 * copy the MLS field of the associated default context.
234 * Used for upgraded to MLS systems where objects may lack
237 * Policy read-lock must be held for sidtab lookup.
240 int mls_context_to_sid(char oldc,
242 struct context *context,
248 char *scontextp, *p, *rngptr;
249 struct level_datum *levdatum;
250 struct cat_datum *catdatum, *rngdatum;
253 if (!selinux_mls_enabled) {
254 if (def_sid != SECSID_NULL && oldc)
255 *scontext += strlen(*scontext)+1;
260 * No MLS component to the security context, try and map to
261 * default if provided.
264 struct context *defcon;
266 if (def_sid == SECSID_NULL)
269 defcon = sidtab_search(s, def_sid);
273 rc = mls_context_cpy(context, defcon);
277 /* Extract low sensitivity. */
278 scontextp = p = *scontext;
279 while (*p && *p != ':' && *p != '-')
286 for (l = 0; l < 2; l++) {
287 levdatum = hashtab_search(policydb.p_levels.table, scontextp);
293 context->range.level[l].sens = levdatum->level->sens;
296 /* Extract category set. */
299 while (*p && *p != ',' && *p != '-')
305 /* Separate into range if exists */
306 if ((rngptr = strchr(scontextp, '.')) != NULL) {
311 catdatum = hashtab_search(policydb.p_cats.table,
318 rc = ebitmap_set_bit(&context->range.level[l].cat,
319 catdatum->value - 1, 1);
323 /* If range, set all categories in range */
327 rngdatum = hashtab_search(policydb.p_cats.table, rngptr);
333 if (catdatum->value >= rngdatum->value) {
338 for (i = catdatum->value; i < rngdatum->value; i++) {
339 rc = ebitmap_set_bit(&context->range.level[l].cat, i, 1);
350 /* Extract high sensitivity. */
352 while (*p && *p != ':')
363 context->range.level[1].sens = context->range.level[0].sens;
364 rc = ebitmap_cpy(&context->range.level[1].cat,
365 &context->range.level[0].cat);
376 * Set the MLS fields in the security context structure
377 * `context' based on the string representation in
378 * the string `str'. This function will allocate temporary memory with the
379 * given constraints of gfp_mask.
381 int mls_from_string(char *str, struct context *context, gfp_t gfp_mask)
383 char *tmpstr, *freestr;
386 if (!selinux_mls_enabled)
389 /* we need freestr because mls_context_to_sid will change
390 the value of tmpstr */
391 tmpstr = freestr = kstrdup(str, gfp_mask);
395 rc = mls_context_to_sid(':', &tmpstr, context,
404 * Copies the MLS range `range' into `context'.
406 static inline int mls_range_set(struct context *context,
407 struct mls_range *range)
411 /* Copy the MLS range into the context */
412 for (l = 0; l < 2; l++) {
413 context->range.level[l].sens = range->level[l].sens;
414 rc = ebitmap_cpy(&context->range.level[l].cat,
415 &range->level[l].cat);
423 int mls_setup_user_range(struct context *fromcon, struct user_datum *user,
424 struct context *usercon)
426 if (selinux_mls_enabled) {
427 struct mls_level *fromcon_sen = &(fromcon->range.level[0]);
428 struct mls_level *fromcon_clr = &(fromcon->range.level[1]);
429 struct mls_level *user_low = &(user->range.level[0]);
430 struct mls_level *user_clr = &(user->range.level[1]);
431 struct mls_level *user_def = &(user->dfltlevel);
432 struct mls_level *usercon_sen = &(usercon->range.level[0]);
433 struct mls_level *usercon_clr = &(usercon->range.level[1]);
435 /* Honor the user's default level if we can */
436 if (mls_level_between(user_def, fromcon_sen, fromcon_clr)) {
437 *usercon_sen = *user_def;
438 } else if (mls_level_between(fromcon_sen, user_def, user_clr)) {
439 *usercon_sen = *fromcon_sen;
440 } else if (mls_level_between(fromcon_clr, user_low, user_def)) {
441 *usercon_sen = *user_low;
445 /* Lower the clearance of available contexts
446 if the clearance of "fromcon" is lower than
447 that of the user's default clearance (but
448 only if the "fromcon" clearance dominates
449 the user's computed sensitivity level) */
450 if (mls_level_dom(user_clr, fromcon_clr)) {
451 *usercon_clr = *fromcon_clr;
452 } else if (mls_level_dom(fromcon_clr, user_clr)) {
453 *usercon_clr = *user_clr;
462 * Convert the MLS fields in the security context
463 * structure `c' from the values specified in the
464 * policy `oldp' to the values specified in the policy `newp'.
466 int mls_convert_context(struct policydb *oldp,
467 struct policydb *newp,
470 struct level_datum *levdatum;
471 struct cat_datum *catdatum;
472 struct ebitmap bitmap;
473 struct ebitmap_node *node;
476 if (!selinux_mls_enabled)
479 for (l = 0; l < 2; l++) {
480 levdatum = hashtab_search(newp->p_levels.table,
481 oldp->p_sens_val_to_name[c->range.level[l].sens - 1]);
485 c->range.level[l].sens = levdatum->level->sens;
487 ebitmap_init(&bitmap);
488 ebitmap_for_each_bit(&c->range.level[l].cat, node, i) {
489 if (ebitmap_node_get_bit(node, i)) {
492 catdatum = hashtab_search(newp->p_cats.table,
493 oldp->p_cat_val_to_name[i]);
496 rc = ebitmap_set_bit(&bitmap, catdatum->value - 1, 1);
501 ebitmap_destroy(&c->range.level[l].cat);
502 c->range.level[l].cat = bitmap;
508 int mls_compute_sid(struct context *scontext,
509 struct context *tcontext,
512 struct context *newcontext)
514 struct range_trans *rtr;
516 if (!selinux_mls_enabled)
520 case AVTAB_TRANSITION:
521 /* Look for a range transition rule. */
522 for (rtr = policydb.range_tr; rtr; rtr = rtr->next) {
523 if (rtr->source_type == scontext->type &&
524 rtr->target_type == tcontext->type &&
525 rtr->target_class == tclass) {
526 /* Set the range from the rule */
527 return mls_range_set(newcontext,
533 if (tclass == SECCLASS_PROCESS)
534 /* Use the process MLS attributes. */
535 return mls_context_cpy(newcontext, scontext);
537 /* Use the process effective MLS attributes. */
538 return mls_context_cpy_low(newcontext, scontext);
540 /* Only polyinstantiate the MLS attributes if
541 the type is being polyinstantiated */
542 if (newcontext->type != tcontext->type) {
543 /* Use the process effective MLS attributes. */
544 return mls_context_cpy_low(newcontext, scontext);
546 /* Use the related object MLS attributes. */
547 return mls_context_cpy(newcontext, tcontext);
555 #ifdef CONFIG_NETLABEL
557 * mls_export_netlbl_lvl - Export the MLS sensitivity levels to NetLabel
558 * @context: the security context
559 * @secattr: the NetLabel security attributes
562 * Given the security context copy the low MLS sensitivity level into the
563 * NetLabel MLS sensitivity level field.
566 void mls_export_netlbl_lvl(struct context *context,
567 struct netlbl_lsm_secattr *secattr)
569 if (!selinux_mls_enabled)
572 secattr->mls_lvl = context->range.level[0].sens - 1;
573 secattr->flags |= NETLBL_SECATTR_MLS_LVL;
577 * mls_import_netlbl_lvl - Import the NetLabel MLS sensitivity levels
578 * @context: the security context
579 * @secattr: the NetLabel security attributes
582 * Given the security context and the NetLabel security attributes, copy the
583 * NetLabel MLS sensitivity level into the context.
586 void mls_import_netlbl_lvl(struct context *context,
587 struct netlbl_lsm_secattr *secattr)
589 if (!selinux_mls_enabled)
592 context->range.level[0].sens = secattr->mls_lvl + 1;
593 context->range.level[1].sens = context->range.level[0].sens;
597 * mls_export_netlbl_cat - Export the MLS categories to NetLabel
598 * @context: the security context
599 * @secattr: the NetLabel security attributes
602 * Given the security context copy the low MLS categories into the NetLabel
603 * MLS category field. Returns zero on success, negative values on failure.
606 int mls_export_netlbl_cat(struct context *context,
607 struct netlbl_lsm_secattr *secattr)
611 if (!selinux_mls_enabled)
614 rc = ebitmap_netlbl_export(&context->range.level[0].cat,
616 if (rc == 0 && secattr->mls_cat != NULL)
617 secattr->flags |= NETLBL_SECATTR_MLS_CAT;
623 * mls_import_netlbl_cat - Import the MLS categories from NetLabel
624 * @context: the security context
625 * @secattr: the NetLabel security attributes
628 * Copy the NetLabel security attributes into the SELinux context; since the
629 * NetLabel security attribute only contains a single MLS category use it for
630 * both the low and high categories of the context. Returns zero on success,
631 * negative values on failure.
634 int mls_import_netlbl_cat(struct context *context,
635 struct netlbl_lsm_secattr *secattr)
639 if (!selinux_mls_enabled)
642 rc = ebitmap_netlbl_import(&context->range.level[0].cat,
645 goto import_netlbl_cat_failure;
647 rc = ebitmap_cpy(&context->range.level[1].cat,
648 &context->range.level[0].cat);
650 goto import_netlbl_cat_failure;
654 import_netlbl_cat_failure:
655 ebitmap_destroy(&context->range.level[0].cat);
656 ebitmap_destroy(&context->range.level[1].cat);
659 #endif /* CONFIG_NETLABEL */
git://git.onelab.eu / linux-2.6.git / blob