// SPDX-License-Identifier: GPL-2.0-only
/* Authors: Karl MacMillan <kmacmillan@tresys.com>
 *          Frank Mayer <mayerf@tresys.com>
 *
 * Copyright (C) 2003 - 2004 Tresys Technology, LLC
 */
7
8#include <linux/kernel.h>
9#include <linux/errno.h>
10#include <linux/string.h>
11#include <linux/spinlock.h>
Linus Torvalds1da177e2005-04-16 15:20:36 -070012#include <linux/slab.h>
13
14#include "security.h"
15#include "conditional.h"
Jeff Vander Stoepfa1aa142015-07-10 17:19:56 -040016#include "services.h"
Linus Torvalds1da177e2005-04-16 15:20:36 -070017
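/*
 * cond_evaluate_expr evaluates a conditional expression stored in
 * reverse polish notation. It returns true (1), false (0), or
 * undefined (-1). Undefined is returned when the expression is
 * malformed: it is empty, it would overflow or underflow the
 * evaluation stack of COND_EXPR_MAXDEPTH entries, it uses an unknown
 * operator, or it does not reduce to exactly one value.
 *
 * Boolean indices are expected to have been range-checked at policy
 * load time (see expr_isvalid()); they are not re-validated here.
 */
static int cond_evaluate_expr(struct policydb *p, struct cond_expr *expr)
{
	struct cond_expr *cur;
	int s[COND_EXPR_MAXDEPTH];
	int sp = -1;

	for (cur = expr; cur; cur = cur->next) {
		switch (cur->expr_type) {
		case COND_BOOL:
			/* push the current state of the referenced boolean */
			if (sp == (COND_EXPR_MAXDEPTH - 1))
				return -1;
			sp++;
			s[sp] = p->bool_val_to_struct[cur->bool - 1]->state;
			break;
		case COND_NOT:
			/* unary: rewrites the top of the stack in place */
			if (sp < 0)
				return -1;
			s[sp] = !s[sp];
			break;
		case COND_OR:
			if (sp < 1)
				return -1;
			sp--;
			s[sp] |= s[sp + 1];
			break;
		case COND_AND:
			if (sp < 1)
				return -1;
			sp--;
			s[sp] &= s[sp + 1];
			break;
		case COND_XOR:
			if (sp < 1)
				return -1;
			sp--;
			s[sp] ^= s[sp + 1];
			break;
		case COND_EQ:
			if (sp < 1)
				return -1;
			sp--;
			s[sp] = (s[sp] == s[sp + 1]);
			break;
		case COND_NEQ:
			if (sp < 1)
				return -1;
			sp--;
			s[sp] = (s[sp] != s[sp + 1]);
			break;
		default:
			return -1;
		}
	}

	/*
	 * A well-formed RPN expression leaves exactly one value on the
	 * stack. An empty expression (sp == -1) would otherwise return
	 * the uninitialized s[0]; a leftover operand (sp > 0, e.g. two
	 * booleans with no operator) would silently return a partial
	 * result. Fail closed in both cases.
	 */
	if (sp != 0)
		return -1;

	return s[0];
}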
80
/*
 * Set or clear AVTAB_ENABLED on every avtab node referenced by list.
 * Disabled rules are skipped by cond_compute_av()/cond_compute_xperms().
 */
static void cond_av_list_set_enabled(struct cond_av_list *list, int enable)
{
	struct cond_av_list *cur;

	for (cur = list; cur; cur = cur->next) {
		if (enable)
			cur->node->key.specified |= AVTAB_ENABLED;
		else
			cur->node->key.specified &= ~AVTAB_ENABLED;
	}
}

/*
 * evaluate_cond_node re-evaluates the expression of a struct cond_node.
 * If the result differs from the node's recorded state, the recorded
 * state is updated and the rules in the true/false lists are enabled or
 * disabled to match. An undefined result (-1) is logged and disables
 * both lists, so a malformed expression can never grant anything.
 * Always returns 0.
 */
int evaluate_cond_node(struct policydb *p, struct cond_node *node)
{
	int new_state = cond_evaluate_expr(p, node->expr);

	if (new_state == node->cur_state)
		return 0;

	node->cur_state = new_state;
	if (new_state == -1)
		pr_err("SELinux: expression result was undefined - disabling all rules.\n");

	/* true rules apply only when the expression is true (1) ... */
	cond_av_list_set_enabled(node->true_list, new_state > 0);
	/* ... false rules only when it is false (0); -1 disables both */
	cond_av_list_set_enabled(node->false_list, new_state == 0);

	return 0;
}
116
/*
 * Reset the conditional-policy parts of a policydb and initialise the
 * conditional avtab. Returns 0 or the error from avtab_init().
 */
int cond_policydb_init(struct policydb *p)
{
	p->bool_val_to_struct = NULL;
	p->cond_list = NULL;

	return avtab_init(&p->te_cond_avtab);
}
130
/*
 * Free the cells of a cond_av_list. Only the list cells are released:
 * the avtab_node each cell points at is owned by te_cond_avtab and is
 * freed by avtab_destroy().
 */
static void cond_av_list_destroy(struct cond_av_list *list)
{
	while (list) {
		struct cond_av_list *next = list->next;

		kfree(list);
		list = next;
	}
}
140
/*
 * Free one cond_node: its expression chain, both rule lists and the
 * node itself.
 */
static void cond_node_destroy(struct cond_node *node)
{
	struct cond_expr *e = node->expr;

	while (e) {
		struct cond_expr *next = e->next;

		kfree(e);
		e = next;
	}
	cond_av_list_destroy(node->true_list);
	cond_av_list_destroy(node->false_list);
	kfree(node);
}
153
/* Free every node of a cond_node list; a NULL list is a no-op. */
static void cond_list_destroy(struct cond_node *list)
{
	while (list) {
		struct cond_node *next = list->next;

		cond_node_destroy(list);
		list = next;
	}
}
166
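/*
 * Release everything owned by the conditional part of a policydb: the
 * value->datum index, the conditional avtab and the cond_node list.
 * The freed pointers are reset to NULL so a later cond_init_bool_indexes()
 * or a repeated destroy cannot touch freed memory.
 */
void cond_policydb_destroy(struct policydb *p)
{
	kfree(p->bool_val_to_struct);
	p->bool_val_to_struct = NULL;
	avtab_destroy(&p->te_cond_avtab);
	cond_list_destroy(p->cond_list);
	p->cond_list = NULL;
}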
173
/*
 * (Re)allocate the table mapping boolean value -> datum, one slot per
 * boolean in p_bools, indexed value - 1 (filled by cond_index_bool()).
 * Returns 0 or -ENOMEM.
 */
int cond_init_bool_indexes(struct policydb *p)
{
	/* drop any previous table; kfree(NULL) is harmless */
	kfree(p->bool_val_to_struct);

	p->bool_val_to_struct = kmalloc_array(p->p_bools.nprim,
					      sizeof(*p->bool_val_to_struct),
					      GFP_KERNEL);
	return p->bool_val_to_struct ? 0 : -ENOMEM;
}
184
/*
 * hashtab callback releasing one boolean entry (name key and datum).
 * The third argument is unused. Always returns 0.
 */
int cond_destroy_bool(void *key, void *datum, void *p)
{
	kfree(datum);
	kfree(key);
	return 0;
}
191
/*
 * hashtab callback indexing one boolean: records its name in
 * sym_val_to_name[SYM_BOOLS] and its datum in bool_val_to_struct.
 * Boolean values are 1-based; 0 or a value past p_bools.nprim has no
 * slot and yields -EINVAL. Returns 0 on success.
 */
int cond_index_bool(void *key, void *datum, void *datap)
{
	struct cond_bool_datum *booldatum = datum;
	struct policydb *p = datap;
	u32 idx;

	if (!booldatum->value || booldatum->value > p->p_bools.nprim)
		return -EINVAL;

	idx = booldatum->value - 1;
	p->sym_val_to_name[SYM_BOOLS][idx] = key;
	p->bool_val_to_struct[idx] = booldatum;

	return 0;
}
208
/* Returns 1 if the boolean's state is a legal 0/1 value, 0 otherwise. */
static int bool_isvalid(struct cond_bool_datum *b)
{
	return b->state == 0 || b->state == 1;
}
215
/*
 * Read one boolean definition from the policy image and insert it into
 * hashtab h keyed by its NUL-terminated name.
 *
 * Wire format: three LE32 words (value, state, name length) followed by
 * the name bytes. The state must be 0 or 1; a name length of 0 or
 * 0xffffffff (which would wrap len + 1) is rejected.
 *
 * Returns 0 on success, a negative errno otherwise; on failure nothing
 * is left allocated. On success the table owns key and datum.
 */
int cond_read_bool(struct policydb *p, struct hashtab *h, void *fp)
{
	struct cond_bool_datum *booldatum;
	char *key = NULL;
	__le32 buf[3];
	u32 len;
	int rc;

	booldatum = kzalloc(sizeof(*booldatum), GFP_KERNEL);
	if (!booldatum)
		return -ENOMEM;

	rc = next_entry(buf, fp, sizeof(buf));
	if (rc)
		goto out_free;

	booldatum->value = le32_to_cpu(buf[0]);
	booldatum->state = le32_to_cpu(buf[1]);
	len = le32_to_cpu(buf[2]);

	rc = -EINVAL;
	if (!bool_isvalid(booldatum) || len == 0 || len == (u32)-1)
		goto out_free;

	rc = -ENOMEM;
	key = kmalloc(len + 1, GFP_KERNEL);
	if (!key)
		goto out_free;

	rc = next_entry(key, fp, len);
	if (rc)
		goto out_free;
	key[len] = '\0';

	rc = hashtab_insert(h, key, booldatum);
	if (rc)
		goto out_free;

	return 0;

out_free:
	kfree(key);
	kfree(booldatum);
	return rc;
}
260
/* Per-branch state handed to cond_insertf() through avtab_read_item(). */
struct cond_insertf_data {
	struct policydb *p;		/* policy being loaded */
	struct cond_av_list *other;	/* the true list while reading the false list, else NULL */
	struct cond_av_list *head;	/* list under construction: first cell */
	struct cond_av_list *tail;	/* list under construction: last cell, for appends */
};
267
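/*
 * cond_insertf is the avtab_read_item() callback used while loading the
 * rules of one conditional branch. It inserts the rule into the
 * conditional avtab (te_cond_avtab) and appends a cell pointing at the
 * new avtab node to the list being built in data->head/data->tail.
 *
 * For type rules (AVTAB_TYPE) it enforces that a key has at most two
 * rules and that they belong to opposite branches of the same
 * conditional: a type rule already in te_avtab (unconditional) is a
 * conflict; when reading the false branch, data->other is the true
 * branch and the only permitted duplicate is a node already in that
 * list; when reading the true branch (data->other == NULL) no duplicate
 * is permitted at all.
 *
 * On any failure the partially built list is released and both
 * data->head and data->tail are reset, so the caller sees an empty list
 * and no dangling cell pointer. An avtab node already inserted stays
 * owned by te_cond_avtab and is released with it. Returns 0 on success,
 * -EINVAL on a conflict, -ENOMEM on allocation failure.
 */
static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum *d, void *ptr)
{
	struct cond_insertf_data *data = ptr;
	struct policydb *p = data->p;
	struct cond_av_list *other = data->other, *list, *cur;
	struct avtab_node *node_ptr;
	u8 found;
	int rc = -EINVAL;

	/*
	 * For type rules we have to make certain there aren't any
	 * conflicting rules by searching the te_avtab and the
	 * cond_te_avtab.
	 */
	if (k->specified & AVTAB_TYPE) {
		if (avtab_search(&p->te_avtab, k)) {
			pr_err("SELinux: type rule already exists outside of a conditional.\n");
			goto err;
		}
		/*
		 * If we are reading the false list other will be a pointer to
		 * the true list. We can have duplicate entries if there is only
		 * 1 other entry and it is in our true list.
		 *
		 * If we are reading the true list (other == NULL) there shouldn't
		 * be any other entries.
		 */
		if (other) {
			node_ptr = avtab_search_node(&p->te_cond_avtab, k);
			if (node_ptr) {
				/* a second match means the key is already duplicated */
				if (avtab_search_node_next(node_ptr, k->specified)) {
					pr_err("SELinux: too many conflicting type rules.\n");
					goto err;
				}
				found = 0;
				for (cur = other; cur; cur = cur->next) {
					if (cur->node == node_ptr) {
						found = 1;
						break;
					}
				}
				/* the single existing rule must be in our own true branch */
				if (!found) {
					pr_err("SELinux: conflicting type rules.\n");
					goto err;
				}
			}
		} else {
			if (avtab_search(&p->te_cond_avtab, k)) {
				pr_err("SELinux: conflicting type rules when adding type rule for true.\n");
				goto err;
			}
		}
	}

	/* duplicates are legal for non-type rules, hence _nonunique */
	node_ptr = avtab_insert_nonunique(&p->te_cond_avtab, k, d);
	if (!node_ptr) {
		pr_err("SELinux: could not insert rule.\n");
		rc = -ENOMEM;
		goto err;
	}

	list = kzalloc(sizeof(*list), GFP_KERNEL);
	if (!list) {
		rc = -ENOMEM;
		goto err;
	}

	list->node = node_ptr;
	if (!data->head)
		data->head = list;
	else
		data->tail->next = list;
	data->tail = list;
	return 0;

err:
	cond_av_list_destroy(data->head);
	/* reset both ends so tail can never point into freed cells */
	data->head = NULL;
	data->tail = NULL;
	return rc;
}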
348
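/*
 * Read the rule list of one conditional branch: a LE32 count followed by
 * that many avtab items, each inserted into te_cond_avtab and linked
 * into a fresh cond_av_list via cond_insertf(). 'other' is the already
 * loaded true list when reading the false list (used for the type-rule
 * conflict checks), or NULL when reading the true list.
 *
 * On success *ret_list receives the new list (NULL for an empty one).
 * On failure *ret_list is NULL and no list cells are left allocated;
 * avtab nodes already inserted remain owned by te_cond_avtab.
 * Returns 0 or a negative errno.
 */
static int cond_read_av_list(struct policydb *p, void *fp, struct cond_av_list **ret_list, struct cond_av_list *other)
{
	u32 i, len;
	int rc;
	__le32 buf[1];
	struct cond_insertf_data data;

	*ret_list = NULL;

	rc = next_entry(buf, fp, sizeof(u32));
	if (rc)
		return rc;

	len = le32_to_cpu(buf[0]);
	if (len == 0)
		return 0;

	data.p = p;
	data.other = other;
	data.head = NULL;
	data.tail = NULL;
	for (i = 0; i < len; i++) {
		rc = avtab_read_item(&p->te_cond_avtab, fp, p, cond_insertf,
				     &data);
		if (rc) {
			/*
			 * avtab_read_item() can fail (short read, bad key)
			 * before it ever calls cond_insertf(), leaving the
			 * cells already linked into data.head unowned.
			 * cond_insertf() resets data.head to NULL when it
			 * is the one that failed, so this is a no-op then.
			 */
			cond_av_list_destroy(data.head);
			return rc;
		}
	}

	*ret_list = data.head;
	return 0;
}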
380
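/*
 * Validate one expression node read from the policy image. Returns 1 if
 * the operator is known and, for a COND_BOOL operand, the boolean value
 * lies in the 1-based range 1..p_bools.nprim; 0 (with a log line)
 * otherwise.
 */
static int expr_isvalid(struct policydb *p, struct cond_expr *expr)
{
	if (expr->expr_type <= 0 || expr->expr_type > COND_LAST) {
		pr_err("SELinux: conditional expressions uses unknown operator.\n");
		return 0;
	}

	if (expr->bool > p->p_bools.nprim) {
		pr_err("SELinux: conditional expressions uses unknown bool.\n");
		return 0;
	}

	/*
	 * Boolean values are 1-based and cond_evaluate_expr() indexes
	 * bool_val_to_struct[bool - 1] without further checks, so a
	 * COND_BOOL operand of 0 would read outside the table. Operator
	 * nodes never dereference ->bool, so only reject it for COND_BOOL.
	 */
	if (expr->expr_type == COND_BOOL && expr->bool == 0) {
		pr_err("SELinux: conditional expressions uses unknown bool.\n");
		return 0;
	}
	return 1;
}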
394
/*
 * Read one conditional into the caller-allocated node: a LE32 saved
 * state and expression length, then that many (type, bool) LE32 pairs
 * in RPN order, then the true and false rule lists.
 *
 * Returns 0 on success. On failure the node is released with
 * cond_node_destroy() before returning the negative errno, so the
 * caller must not free it again.
 */
static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp)
{
	struct cond_expr **tail = &node->expr;
	__le32 buf[2];
	u32 len, i;
	int rc;

	rc = next_entry(buf, fp, sizeof(u32) * 2);
	if (rc)
		goto err;

	node->cur_state = le32_to_cpu(buf[0]);
	len = le32_to_cpu(buf[1]);

	for (i = 0; i < len; i++) {
		struct cond_expr *expr;

		rc = next_entry(buf, fp, sizeof(u32) * 2);
		if (rc)
			goto err;

		expr = kzalloc(sizeof(*expr), GFP_KERNEL);
		if (!expr) {
			rc = -ENOMEM;
			goto err;
		}

		expr->expr_type = le32_to_cpu(buf[0]);
		expr->bool = le32_to_cpu(buf[1]);

		/* not linked yet, so it must be freed here when rejected */
		if (!expr_isvalid(p, expr)) {
			kfree(expr);
			rc = -EINVAL;
			goto err;
		}

		*tail = expr;
		tail = &expr->next;
	}

	rc = cond_read_av_list(p, fp, &node->true_list, NULL);
	if (rc)
		goto err;
	/* the false list is checked against the true list for conflicts */
	rc = cond_read_av_list(p, fp, &node->false_list, node->true_list);
	if (rc)
		goto err;
	return 0;

err:
	cond_node_destroy(node);
	return rc;
}
448
/*
 * Read the whole conditional section of the policy image: a LE32 node
 * count followed by that many conditionals (see cond_read_node()),
 * linked in file order onto p->cond_list. The conditional avtab is
 * sized from the unconditional one before reading.
 *
 * Returns 0 on success; on failure everything read so far is released,
 * p->cond_list is NULL and the negative errno is returned.
 */
int cond_read_list(struct policydb *p, void *fp)
{
	struct cond_node **tail = &p->cond_list;
	__le32 buf[1];
	u32 i, len;
	int rc;

	rc = next_entry(buf, fp, sizeof(buf));
	if (rc)
		return rc;

	len = le32_to_cpu(buf[0]);

	rc = avtab_alloc(&(p->te_cond_avtab), p->te_avtab.nel);
	if (rc)
		goto err;

	for (i = 0; i < len; i++) {
		struct cond_node *node;

		node = kzalloc(sizeof(*node), GFP_KERNEL);
		if (!node) {
			rc = -ENOMEM;
			goto err;
		}

		/* cond_read_node() frees node itself when it fails */
		rc = cond_read_node(p, node, fp);
		if (rc)
			goto err;

		*tail = node;
		tail = &node->next;
	}
	return 0;

err:
	cond_list_destroy(p->cond_list);
	p->cond_list = NULL;
	return rc;
}
488
/*
 * hashtab callback writing one boolean in the format cond_read_bool()
 * reads: LE32 value, LE32 state, LE32 name length, then the name bytes
 * without a terminator. Returns 0 or the error from put_entry().
 */
int cond_write_bool(void *vkey, void *datum, void *ptr)
{
	struct cond_bool_datum *booldatum = datum;
	struct policy_data *pd = ptr;
	char *key = vkey;
	__le32 buf[3];
	u32 len = strlen(key);
	int rc;

	buf[0] = cpu_to_le32(booldatum->value);
	buf[1] = cpu_to_le32(booldatum->state);
	buf[2] = cpu_to_le32(len);
	rc = put_entry(buf, sizeof(u32), 3, pd->fp);
	if (rc)
		return rc;

	return put_entry(key, 1, len, pd->fp);
}
511
/*
 * cond_write_av_list doesn't write out the av_list cells themselves.
 * Instead it writes out the key/value pairs from the avtab. This is
 * necessary because there is no way to uniquely identify rules in the
 * avtab, so individual rules cannot be associated with a conditional
 * without saving them as part of the conditional. The avtab holding
 * the conditional rules is therefore not saved itself but rebuilt on
 * policy load (see cond_read_av_list()).
 *
 * Format: LE32 count, then one avtab item per cell, in list order.
 */
static int cond_write_av_list(struct policydb *p,
			      struct cond_av_list *list, struct policy_file *fp)
{
	struct cond_av_list *cur;
	__le32 buf[1];
	u32 count = 0;
	int rc;

	for (cur = list; cur; cur = cur->next)
		count++;

	buf[0] = cpu_to_le32(count);
	rc = put_entry(buf, sizeof(u32), 1, fp);
	if (rc)
		return rc;

	for (cur = list; cur; cur = cur->next) {
		rc = avtab_write_item(p, cur->node, fp);
		if (rc)
			return rc;
	}

	return 0;
}
549
/*
 * Write one conditional in the format cond_read_node() reads: LE32
 * cur_state, LE32 expression length, the (type, bool) LE32 pairs in
 * RPN order, then the true and false rule lists.
 * Returns 0 or the first error from put_entry()/cond_write_av_list().
 */
static int cond_write_node(struct policydb *p, struct cond_node *node,
			   struct policy_file *fp)
{
	struct cond_expr *e;
	__le32 buf[2];
	u32 count = 0;
	int rc;

	for (e = node->expr; e; e = e->next)
		count++;

	/* header: state and expression length, read back as one 8-byte entry */
	buf[0] = cpu_to_le32(node->cur_state);
	buf[1] = cpu_to_le32(count);
	rc = put_entry(buf, sizeof(u32), 2, fp);
	if (rc)
		return rc;

	for (e = node->expr; e; e = e->next) {
		buf[0] = cpu_to_le32(e->expr_type);
		buf[1] = cpu_to_le32(e->bool);
		rc = put_entry(buf, sizeof(u32), 2, fp);
		if (rc)
			return rc;
	}

	rc = cond_write_av_list(p, node->true_list, fp);
	if (rc)
		return rc;

	return cond_write_av_list(p, node->false_list, fp);
}
588
/*
 * Write the conditional section in the format cond_read_list() reads:
 * LE32 node count, then each node in list order.
 * Returns 0 or the first error encountered.
 */
int cond_write_list(struct policydb *p, struct cond_node *list, void *fp)
{
	struct cond_node *cur;
	__le32 buf[1];
	u32 count = 0;
	int rc;

	for (cur = list; cur; cur = cur->next)
		count++;

	buf[0] = cpu_to_le32(count);
	rc = put_entry(buf, sizeof(u32), 1, fp);
	if (rc)
		return rc;

	for (cur = list; cur; cur = cur->next) {
		rc = cond_write_node(p, cur, fp);
		if (rc)
			return rc;
	}

	return 0;
}
Jeff Vander Stoepfa1aa142015-07-10 17:19:56 -0400612
/*
 * Merge the extended-permission decisions of every conditional rule
 * matching key whose AVTAB_ENABLED bit is set (i.e. whose conditional
 * currently evaluates in its favour) into xpermd. Does nothing if any
 * argument is NULL.
 */
void cond_compute_xperms(struct avtab *ctab, struct avtab_key *key,
			 struct extended_perms_decision *xpermd)
{
	struct avtab_node *node;

	if (!ctab || !key || !xpermd)
		return;

	node = avtab_search_node(ctab, key);
	while (node) {
		if (node->key.specified & AVTAB_ENABLED)
			services_compute_xperms_decision(xpermd, node);
		node = avtab_search_node_next(node, key->specified);
	}
}
/*
 * Determine whether additional permissions are granted by the
 * conditional av table, and if so, add them to the result.
 *
 * Only nodes whose AVTAB_ENABLED bit is set (their conditional currently
 * evaluates in their favour, see evaluate_cond_node()) are consulted.
 * Allow and auditallow bits are OR-ed in; auditdeny is AND-ed because a
 * cleared bit there means "do not audit" (dontaudit) and must survive.
 * Extended-permission drivers are merged into xperms when it is non-NULL.
 * Does nothing if ctab, key or avd is NULL.
 */
void cond_compute_av(struct avtab *ctab, struct avtab_key *key,
		     struct av_decision *avd, struct extended_perms *xperms)
{
	struct avtab_node *node;

	if (!ctab || !key || !avd)
		return;

	for (node = avtab_search_node(ctab, key); node;
	     node = avtab_search_node_next(node, key->specified)) {
		u16 spec = node->key.specified;

		/* rules of a currently-false branch contribute nothing */
		if (!(spec & AVTAB_ENABLED))
			continue;

		if (spec & AVTAB_ALLOWED)
			avd->allowed |= node->datum.u.data;
		if (spec & AVTAB_AUDITDENY)
			/*
			 * A '0' in an auditdeny mask marks a permission we do
			 * NOT want to audit (dontaudit); '&' retains every
			 * such '0', unlike the allow and auditallow cases.
			 */
			avd->auditdeny &= node->datum.u.data;
		if (spec & AVTAB_AUDITALLOW)
			avd->auditallow |= node->datum.u.data;
		if (xperms && (spec & AVTAB_XPERMS))
			services_compute_xperms_drivers(xperms, node);
	}
}