services_compute_xperms_drivers(xperms, node);
}
}
+
+static int cond_dup_av_list(struct cond_av_list *new,
+ struct cond_av_list *orig,
+ struct avtab *avtab)
+{
+ struct avtab_node *avnode;
+ u32 i;
+
+ memset(new, 0, sizeof(*new));
+
+ new->nodes = kcalloc(orig->len, sizeof(*new->nodes), GFP_KERNEL);
+ if (!new->nodes)
+ return -ENOMEM;
+
+ for (i = 0; i < orig->len; i++) {
+ avnode = avtab_search_node(avtab, &orig->nodes[i]->key);
+ if (WARN_ON(!avnode))
+ return -EINVAL;
+ new->nodes[i] = avnode;
+ new->len++;
+ }
+
+ return 0;
+}
+
+static int duplicate_policydb_cond_list(struct policydb *newp,
+ struct policydb *origp)
+{
+ int rc, i, j;
+
+ rc = avtab_duplicate(&newp->te_cond_avtab, &origp->te_cond_avtab);
+ if (rc)
+ return rc;
+
+ newp->cond_list_len = 0;
+ newp->cond_list = kcalloc(origp->cond_list_len,
+ sizeof(*newp->cond_list),
+ GFP_KERNEL);
+ if (!newp->cond_list)
+ goto error;
+
+ for (i = 0; i < origp->cond_list_len; i++) {
+ struct cond_node *newn = &newp->cond_list[i];
+ struct cond_node *orign = &origp->cond_list[i];
+
+ newp->cond_list_len++;
+
+ newn->cur_state = orign->cur_state;
+ newn->expr.nodes = kcalloc(orign->expr.len,
+ sizeof(*newn->expr.nodes), GFP_KERNEL);
+ if (!newn->expr.nodes)
+ goto error;
+ for (j = 0; j < orign->expr.len; j++)
+ newn->expr.nodes[j] = orign->expr.nodes[j];
+ newn->expr.len = orign->expr.len;
+
+ rc = cond_dup_av_list(&newn->true_list, &orign->true_list,
+ &newp->te_cond_avtab);
+ if (rc)
+ goto error;
+
+ rc = cond_dup_av_list(&newn->false_list, &orign->false_list,
+ &newp->te_cond_avtab);
+ if (rc)
+ goto error;
+ }
+
+ return 0;
+
+error:
+ avtab_destroy(&newp->te_cond_avtab);
+ cond_list_destroy(newp);
+ return -ENOMEM;
+}
+
+static int cond_bools_destroy(void *key, void *datum, void *args)
+{
+ /* key was not copied so no need to free here */
+ kfree(datum);
+ return 0;
+}
+
+static int cond_bools_copy(struct hashtab_node *new, struct hashtab_node *orig, void *args)
+{
+ struct cond_bool_datum *datum;
+
+ datum = kmalloc(sizeof(struct cond_bool_datum), GFP_KERNEL);
+ if (!datum)
+ return -ENOMEM;
+
+ memcpy(datum, orig->datum, sizeof(struct cond_bool_datum));
+
+ new->key = orig->key; /* No need to copy, never modified */
+ new->datum = datum;
+ return 0;
+}
+
+static int cond_bools_index(void *key, void *datum, void *args)
+{
+ struct cond_bool_datum *booldatum, **cond_bool_array;
+
+ booldatum = datum;
+ cond_bool_array = args;
+ cond_bool_array[booldatum->value - 1] = booldatum;
+
+ return 0;
+}
+
+static int duplicate_policydb_bools(struct policydb *newdb,
+ struct policydb *orig)
+{
+ struct cond_bool_datum **cond_bool_array;
+ int rc;
+
+ cond_bool_array = kmalloc_array(orig->p_bools.nprim,
+ sizeof(*orig->bool_val_to_struct),
+ GFP_KERNEL);
+ if (!cond_bool_array)
+ return -ENOMEM;
+
+ rc = hashtab_duplicate(&newdb->p_bools.table, &orig->p_bools.table,
+ cond_bools_copy, cond_bools_destroy, NULL);
+ if (rc) {
+ kfree(cond_bool_array);
+ return -ENOMEM;
+ }
+
+ hashtab_map(&newdb->p_bools.table, cond_bools_index, cond_bool_array);
+ newdb->bool_val_to_struct = cond_bool_array;
+
+ newdb->p_bools.nprim = orig->p_bools.nprim;
+
+ return 0;
+}
+
+void cond_policydb_destroy_dup(struct policydb *p)
+{
+ hashtab_map(&p->p_bools.table, cond_bools_destroy, NULL);
+ hashtab_destroy(&p->p_bools.table);
+ cond_policydb_destroy(p);
+}
+
+int cond_policydb_dup(struct policydb *new, struct policydb *orig)
+{
+ cond_policydb_init(new);
+
+ if (duplicate_policydb_bools(new, orig))
+ return -ENOMEM;
+
+ if (duplicate_policydb_cond_list(new, orig)) {
+ cond_policydb_destroy_dup(new);
+ return -ENOMEM;
+ }
+
+ return 0;
+}
u16 tclass)
{
struct policydb *p = &state->ss->policy->policydb;
- struct sidtab *sidtab = &state->ss->policy->sidtab;
+ struct sidtab *sidtab = state->ss->policy->sidtab;
char *o = NULL, *n = NULL, *t = NULL;
u32 olen, nlen, tlen;
read_lock(&state->ss->policy_rwlock);
policydb = &state->ss->policy->policydb;
- sidtab = &state->ss->policy->sidtab;
+ sidtab = state->ss->policy->sidtab;
if (!user)
tclass = unmap_class(&state->ss->policy->map, orig_tclass);
read_lock(&state->ss->policy_rwlock);
policydb = &state->ss->policy->policydb;
- sidtab = &state->ss->policy->sidtab;
+ sidtab = state->ss->policy->sidtab;
rc = -EINVAL;
old_entry = sidtab_search_entry(sidtab, old_sid);
goto allow;
policydb = &state->ss->policy->policydb;
- sidtab = &state->ss->policy->sidtab;
+ sidtab = state->ss->policy->sidtab;
scontext = sidtab_search(sidtab, ssid);
if (!scontext) {
goto allow;
policydb = &state->ss->policy->policydb;
- sidtab = &state->ss->policy->sidtab;
+ sidtab = state->ss->policy->sidtab;
scontext = sidtab_search(sidtab, ssid);
if (!scontext) {
goto allow;
policydb = &state->ss->policy->policydb;
- sidtab = &state->ss->policy->sidtab;
+ sidtab = state->ss->policy->sidtab;
scontext = sidtab_search(sidtab, ssid);
if (!scontext) {
}
read_lock(&state->ss->policy_rwlock);
- rc = sidtab_hash_stats(&state->ss->policy->sidtab, page);
+ rc = sidtab_hash_stats(state->ss->policy->sidtab, page);
read_unlock(&state->ss->policy_rwlock);
return rc;
}
read_lock(&state->ss->policy_rwlock);
policydb = &state->ss->policy->policydb;
- sidtab = &state->ss->policy->sidtab;
+ sidtab = state->ss->policy->sidtab;
if (force)
entry = sidtab_search_entry_force(sidtab, sid);
}
read_lock(&state->ss->policy_rwlock);
policydb = &state->ss->policy->policydb;
- sidtab = &state->ss->policy->sidtab;
+ sidtab = state->ss->policy->sidtab;
rc = string_to_context_struct(policydb, sidtab, scontext2,
&context, def_sid);
if (rc == -EINVAL && force) {
struct context *newcontext)
{
struct policydb *policydb = &state->ss->policy->policydb;
- struct sidtab *sidtab = &state->ss->policy->sidtab;
+ struct sidtab *sidtab = state->ss->policy->sidtab;
char *s = NULL, *t = NULL, *n = NULL;
u32 slen, tlen, nlen;
struct audit_buffer *ab;
}
policydb = &state->ss->policy->policydb;
- sidtab = &state->ss->policy->sidtab;
+ sidtab = state->ss->policy->sidtab;
sentry = sidtab_search_entry(sidtab, ssid);
if (!sentry) {
return;
policydb_destroy(&policy->policydb);
- sidtab_destroy(&policy->sidtab);
+ sidtab_destroy(policy->sidtab);
+ kfree(policy->sidtab);
kfree(policy->map.mapping);
kfree(policy);
}
void selinux_policy_cancel(struct selinux_state *state,
struct selinux_policy *policy)
{
-
- sidtab_cancel_convert(&state->ss->policy->sidtab);
+ sidtab_cancel_convert(state->ss->policy->sidtab);
selinux_policy_free(policy);
}
+static void selinux_notify_policy_change(struct selinux_state *state,
+ u32 seqno)
+{
+ /* Flush external caches and notify userspace of policy load */
+ avc_ss_reset(state->avc, seqno);
+ selnl_notify_policyload(seqno);
+ selinux_status_update_policyload(state, seqno);
+ selinux_netlbl_cache_invalidate();
+ selinux_xfrm_notify_policyload();
+}
+
void selinux_policy_commit(struct selinux_state *state,
struct selinux_policy *newpolicy)
{
/* Free the old policy */
selinux_policy_free(oldpolicy);
- /* Flush external caches and notify userspace of policy load */
- avc_ss_reset(state->avc, seqno);
- selnl_notify_policyload(seqno);
- selinux_status_update_policyload(state, seqno);
- selinux_netlbl_cache_invalidate();
- selinux_xfrm_notify_policyload();
+ /* Notify others of the policy change */
+ selinux_notify_policy_change(state, seqno);
}
/**
if (!newpolicy)
return -ENOMEM;
+ newpolicy->sidtab = kzalloc(sizeof(*newpolicy->sidtab), GFP_KERNEL);
+ if (!newpolicy)
+ goto err;
+
rc = policydb_read(&newpolicy->policydb, fp);
if (rc)
goto err;
if (rc)
goto err;
- rc = policydb_load_isids(&newpolicy->policydb, &newpolicy->sidtab);
+ rc = policydb_load_isids(&newpolicy->policydb, newpolicy->sidtab);
if (rc) {
pr_err("SELinux: unable to load the initial SIDs\n");
goto err;
convert_params.func = convert_context;
convert_params.args = &args;
- convert_params.target = &newpolicy->sidtab;
+ convert_params.target = newpolicy->sidtab;
- rc = sidtab_convert(&state->ss->policy->sidtab, &convert_params);
+ rc = sidtab_convert(state->ss->policy->sidtab, &convert_params);
if (rc) {
pr_err("SELinux: unable to convert the internal"
" representation of contexts in the new SID"
read_lock(&state->ss->policy_rwlock);
policydb = &state->ss->policy->policydb;
- sidtab = &state->ss->policy->sidtab;
+ sidtab = state->ss->policy->sidtab;
c = policydb->ocontexts[OCON_PORT];
while (c) {
read_lock(&state->ss->policy_rwlock);
policydb = &state->ss->policy->policydb;
- sidtab = &state->ss->policy->sidtab;
+ sidtab = state->ss->policy->sidtab;
c = policydb->ocontexts[OCON_IBPKEY];
while (c) {
read_lock(&state->ss->policy_rwlock);
policydb = &state->ss->policy->policydb;
- sidtab = &state->ss->policy->sidtab;
+ sidtab = state->ss->policy->sidtab;
c = policydb->ocontexts[OCON_IBENDPORT];
while (c) {
read_lock(&state->ss->policy_rwlock);
policydb = &state->ss->policy->policydb;
- sidtab = &state->ss->policy->sidtab;
+ sidtab = state->ss->policy->sidtab;
c = policydb->ocontexts[OCON_NETIF];
while (c) {
read_lock(&state->ss->policy_rwlock);
policydb = &state->ss->policy->policydb;
- sidtab = &state->ss->policy->sidtab;
+ sidtab = state->ss->policy->sidtab;
switch (domain) {
case AF_INET: {
read_lock(&state->ss->policy_rwlock);
policydb = &state->ss->policy->policydb;
- sidtab = &state->ss->policy->sidtab;
+ sidtab = state->ss->policy->sidtab;
context_init(&usercon);
u32 *sid)
{
struct policydb *policydb = &policy->policydb;
- struct sidtab *sidtab = &policy->sidtab;
+ struct sidtab *sidtab = policy->sidtab;
int len;
u16 sclass;
struct genfs *genfs;
read_lock(&state->ss->policy_rwlock);
policydb = &state->ss->policy->policydb;
- sidtab = &state->ss->policy->sidtab;
+ sidtab = state->ss->policy->sidtab;
c = policydb->ocontexts[OCON_FSUSE];
while (c) {
int security_set_bools(struct selinux_state *state, u32 len, int *values)
{
- struct policydb *policydb;
+ struct selinux_policy *newpolicy, *oldpolicy;
int rc;
- u32 i, lenp, seqno = 0;
+ u32 i, seqno = 0;
- write_lock_irq(&state->ss->policy_rwlock);
+ /*
+ * NOTE: We do not need to take the policy read-lock
+ * around the code below because other policy-modifying
+ * operations are already excluded by selinuxfs via
+ * fsi->mutex.
+ */
- policydb = &state->ss->policy->policydb;
+ /* Consistency check on number of booleans, should never fail */
+ if (WARN_ON(len != state->ss->policy->policydb.p_bools.nprim))
+ return -EINVAL;
- rc = -EFAULT;
- lenp = policydb->p_bools.nprim;
- if (len != lenp)
- goto out;
+ newpolicy = kmemdup(state->ss->policy, sizeof(*newpolicy),
+ GFP_KERNEL);
+ if (!newpolicy)
+ return -ENOMEM;
+
+ oldpolicy = state->ss->policy;
+ /*
+ * Deep copy only the parts of the policydb that might be
+ * modified as a result of changing booleans.
+ */
+ rc = cond_policydb_dup(&newpolicy->policydb, &oldpolicy->policydb);
+ if (rc) {
+ kfree(newpolicy);
+ return -ENOMEM;
+ }
+
+ /* Update the boolean states in the copy */
for (i = 0; i < len; i++) {
- if (!!values[i] != policydb->bool_val_to_struct[i]->state) {
+ int new_state = !!values[i];
+ int old_state = newpolicy->policydb.bool_val_to_struct[i]->state;
+
+ if (new_state != old_state) {
audit_log(audit_context(), GFP_ATOMIC,
AUDIT_MAC_CONFIG_CHANGE,
"bool=%s val=%d old_val=%d auid=%u ses=%u",
- sym_name(policydb, SYM_BOOLS, i),
- !!values[i],
- policydb->bool_val_to_struct[i]->state,
+ sym_name(&newpolicy->policydb, SYM_BOOLS, i),
+ new_state,
+ old_state,
from_kuid(&init_user_ns, audit_get_loginuid(current)),
audit_get_sessionid(current));
+ newpolicy->policydb.bool_val_to_struct[i]->state = new_state;
}
- if (values[i])
- policydb->bool_val_to_struct[i]->state = 1;
- else
- policydb->bool_val_to_struct[i]->state = 0;
}
- evaluate_cond_nodes(policydb);
+ /* Re-evaluate the conditional rules in the copy */
+ evaluate_cond_nodes(&newpolicy->policydb);
+ /* Install the new policy */
+ write_lock_irq(&state->ss->policy_rwlock);
+ state->ss->policy = newpolicy;
seqno = ++state->ss->latest_granting;
- rc = 0;
-out:
write_unlock_irq(&state->ss->policy_rwlock);
- if (!rc) {
- avc_ss_reset(state->avc, seqno);
- selnl_notify_policyload(seqno);
- selinux_status_update_policyload(state, seqno);
- selinux_xfrm_notify_policyload();
- }
- return rc;
+
+ /*
+ * Free the conditional portions of the old policydb
+ * that were copied for the new policy.
+ */
+ cond_policydb_destroy_dup(&oldpolicy->policydb);
+
+ /* Free the old policy structure but not what it references. */
+ kfree(oldpolicy);
+
+ /* Notify others of the policy change */
+ selinux_notify_policy_change(state, seqno);
+ return 0;
}
int security_get_bool_value(struct selinux_state *state,
read_lock(&state->ss->policy_rwlock);
policydb = &state->ss->policy->policydb;
- sidtab = &state->ss->policy->sidtab;
+ sidtab = state->ss->policy->sidtab;
if (!policydb->mls_enabled) {
*new_sid = sid;
read_lock(&state->ss->policy_rwlock);
policydb = &state->ss->policy->policydb;
- sidtab = &state->ss->policy->sidtab;
+ sidtab = state->ss->policy->sidtab;
/*
* We don't need to check initialized here since the only way both
goto out;
}
- ctxt = sidtab_search(&state->ss->policy->sidtab, sid);
+ ctxt = sidtab_search(state->ss->policy->sidtab, sid);
if (unlikely(!ctxt)) {
WARN_ONCE(1, "selinux_audit_rule_match: unrecognized SID %d\n",
sid);
read_lock(&state->ss->policy_rwlock);
policydb = &state->ss->policy->policydb;
- sidtab = &state->ss->policy->sidtab;
+ sidtab = state->ss->policy->sidtab;
if (secattr->flags & NETLBL_SECATTR_CACHE)
*sid = *(u32 *)secattr->cache->data;
policydb = &state->ss->policy->policydb;
rc = -ENOENT;
- ctx = sidtab_search(&state->ss->policy->sidtab, sid);
+ ctx = sidtab_search(state->ss->policy->sidtab, sid);
if (ctx == NULL)
goto out;