📄 services.c

📁 linux 内核源代码
💻 C
📖 第 1 页 / 共 5 页
字号:
 */int security_change_sid(u32 ssid,			u32 tsid,			u16 tclass,			u32 *out_sid){	return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid);}/* * Verify that each kernel class that is defined in the * policy is correct */static int validate_classes(struct policydb *p){	int i, j;	struct class_datum *cladatum;	struct perm_datum *perdatum;	u32 nprim, tmp, common_pts_len, perm_val, pol_val;	u16 class_val;	const struct selinux_class_perm *kdefs = &selinux_class_perm;	const char *def_class, *def_perm, *pol_class;	struct symtab *perms;	if (p->allow_unknown) {		u32 num_classes = kdefs->cts_len;		p->undefined_perms = kcalloc(num_classes, sizeof(u32), GFP_KERNEL);		if (!p->undefined_perms)			return -ENOMEM;	}	for (i = 1; i < kdefs->cts_len; i++) {		def_class = kdefs->class_to_string[i];		if (!def_class)			continue;		if (i > p->p_classes.nprim) {			printk(KERN_INFO			       "security:  class %s not defined in policy\n",			       def_class);			if (p->reject_unknown)				return -EINVAL;			if (p->allow_unknown)				p->undefined_perms[i-1] = ~0U;			continue;		}		pol_class = p->p_class_val_to_name[i-1];		if (strcmp(pol_class, def_class)) {			printk(KERN_ERR			       "security:  class %d is incorrect, found %s but should be %s\n",			       i, pol_class, def_class);			return -EINVAL;		}	}	for (i = 0; i < kdefs->av_pts_len; i++) {		class_val = kdefs->av_perm_to_string[i].tclass;		perm_val = kdefs->av_perm_to_string[i].value;		def_perm = kdefs->av_perm_to_string[i].name;		if (class_val > p->p_classes.nprim)			continue;		pol_class = p->p_class_val_to_name[class_val-1];		cladatum = hashtab_search(p->p_classes.table, pol_class);		BUG_ON(!cladatum);		perms = &cladatum->permissions;		nprim = 1 << (perms->nprim - 1);		if (perm_val > nprim) {			printk(KERN_INFO			       "security:  permission %s in class %s not defined in policy\n",			       def_perm, pol_class);			if (p->reject_unknown)				return -EINVAL;			if (p->allow_unknown)				p->undefined_perms[class_val-1] |= perm_val;			continue;		}		perdatum = hashtab_search(perms->table, def_perm);		if (perdatum == NULL) {			printk(KERN_ERR			       "security:  permission %s in class %s not found in policy, bad policy\n",			       def_perm, pol_class);			return -EINVAL;		}		pol_val = 1 << (perdatum->value - 1);		if (pol_val != perm_val) {			printk(KERN_ERR			       "security:  permission %s in class %s has incorrect value\n",			       def_perm, pol_class);			return -EINVAL;		}	}	for (i = 0; i < kdefs->av_inherit_len; i++) {		class_val = kdefs->av_inherit[i].tclass;		if (class_val > p->p_classes.nprim)			continue;		pol_class = p->p_class_val_to_name[class_val-1];		cladatum = hashtab_search(p->p_classes.table, pol_class);		BUG_ON(!cladatum);		if (!cladatum->comdatum) {			printk(KERN_ERR			       "security:  class %s should have an inherits clause but does not\n",			       pol_class);			return -EINVAL;		}		tmp = kdefs->av_inherit[i].common_base;		common_pts_len = 0;		while (!(tmp & 0x01)) {			common_pts_len++;			tmp >>= 1;		}		perms = &cladatum->comdatum->permissions;		for (j = 0; j < common_pts_len; j++) {			def_perm = kdefs->av_inherit[i].common_pts[j];			if (j >= perms->nprim) {				printk(KERN_INFO				       "security:  permission %s in class %s not defined in policy\n",				       def_perm, pol_class);				if (p->reject_unknown)					return -EINVAL;				if (p->allow_unknown)					p->undefined_perms[class_val-1] |= (1 << j);				continue;			}			perdatum = hashtab_search(perms->table, def_perm);			if (perdatum == NULL) {				printk(KERN_ERR				       "security:  permission %s in class %s not found in policy, bad policy\n",				       def_perm, pol_class);				return -EINVAL;			}			if (perdatum->value != j + 1) {				printk(KERN_ERR				       "security:  permission %s in class %s has incorrect value\n",				       def_perm, pol_class);				return -EINVAL;			}		}	}	return 0;}/* Clone the SID into the new SID table. */static int clone_sid(u32 sid,		     struct context *context,		     void *arg){	struct sidtab *s = arg;	return sidtab_insert(s, sid, context);}static inline int convert_context_handle_invalid_context(struct context *context){	int rc = 0;	if (selinux_enforcing) {		rc = -EINVAL;	} else {		char *s;		u32 len;		context_struct_to_string(context, &s, &len);		printk(KERN_ERR "security:  context %s is invalid\n", s);		kfree(s);	}	return rc;}struct convert_context_args {	struct policydb *oldp;	struct policydb *newp;};/* * Convert the values in the security context * structure `c' from the values specified * in the policy `p->oldp' to the values specified * in the policy `p->newp'.  Verify that the * context is valid under the new policy. */static int convert_context(u32 key,			   struct context *c,			   void *p){	struct convert_context_args *args;	struct context oldc;	struct role_datum *role;	struct type_datum *typdatum;	struct user_datum *usrdatum;	char *s;	u32 len;	int rc;	args = p;	rc = context_cpy(&oldc, c);	if (rc)		goto out;	rc = -EINVAL;	/* Convert the user. */	usrdatum = hashtab_search(args->newp->p_users.table,	                          args->oldp->p_user_val_to_name[c->user - 1]);	if (!usrdatum) {		goto bad;	}	c->user = usrdatum->value;	/* Convert the role. */	role = hashtab_search(args->newp->p_roles.table,	                      args->oldp->p_role_val_to_name[c->role - 1]);	if (!role) {		goto bad;	}	c->role = role->value;	/* Convert the type. */	typdatum = hashtab_search(args->newp->p_types.table,	                          args->oldp->p_type_val_to_name[c->type - 1]);	if (!typdatum) {		goto bad;	}	c->type = typdatum->value;	rc = mls_convert_context(args->oldp, args->newp, c);	if (rc)		goto bad;	/* Check the validity of the new context. */	if (!policydb_context_isvalid(args->newp, c)) {		rc = convert_context_handle_invalid_context(&oldc);		if (rc)			goto bad;	}	context_destroy(&oldc);out:	return rc;bad:	context_struct_to_string(&oldc, &s, &len);	context_destroy(&oldc);	printk(KERN_ERR "security:  invalidating context %s\n", s);	kfree(s);	goto out;}extern void selinux_complete_init(void);static int security_preserve_bools(struct policydb *p);/** * security_load_policy - Load a security policy configuration. * @data: binary policy data * @len: length of data in bytes * * Load a new set of security policy configuration data, * validate it and convert the SID table as necessary. * This function will flush the access vector cache after * loading the new policy. */int security_load_policy(void *data, size_t len){	struct policydb oldpolicydb, newpolicydb;	struct sidtab oldsidtab, newsidtab;	struct convert_context_args args;	u32 seqno;	int rc = 0;	struct policy_file file = { data, len }, *fp = &file;	LOAD_LOCK;	if (!ss_initialized) {		avtab_cache_init();		if (policydb_read(&policydb, fp)) {			LOAD_UNLOCK;			avtab_cache_destroy();			return -EINVAL;		}		if (policydb_load_isids(&policydb, &sidtab)) {			LOAD_UNLOCK;			policydb_destroy(&policydb);			avtab_cache_destroy();			return -EINVAL;		}		/* Verify that the kernel defined classes are correct. */		if (validate_classes(&policydb)) {			printk(KERN_ERR			       "security:  the definition of a class is incorrect\n");			LOAD_UNLOCK;			sidtab_destroy(&sidtab);			policydb_destroy(&policydb);			avtab_cache_destroy();			return -EINVAL;		}		policydb_loaded_version = policydb.policyvers;		ss_initialized = 1;		seqno = ++latest_granting;		LOAD_UNLOCK;		selinux_complete_init();		avc_ss_reset(seqno);		selnl_notify_policyload(seqno);		selinux_netlbl_cache_invalidate();		selinux_xfrm_notify_policyload();		return 0;	}#if 0	sidtab_hash_eval(&sidtab, "sids");#endif	if (policydb_read(&newpolicydb, fp)) {		LOAD_UNLOCK;		return -EINVAL;	}	sidtab_init(&newsidtab);	/* Verify that the kernel defined classes are correct. */	if (validate_classes(&newpolicydb)) {		printk(KERN_ERR		       "security:  the definition of a class is incorrect\n");		rc = -EINVAL;		goto err;	}	rc = security_preserve_bools(&newpolicydb);	if (rc) {		printk(KERN_ERR "security:  unable to preserve booleans\n");		goto err;	}	/* Clone the SID table. */	sidtab_shutdown(&sidtab);	if (sidtab_map(&sidtab, clone_sid, &newsidtab)) {		rc = -ENOMEM;		goto err;	}	/* Convert the internal representations of contexts	   in the new SID table and remove invalid SIDs. */	args.oldp = &policydb;	args.newp = &newpolicydb;	sidtab_map_remove_on_error(&newsidtab, convert_context, &args);	/* Save the old policydb and SID table to free later. */	memcpy(&oldpolicydb, &policydb, sizeof policydb);	sidtab_set(&oldsidtab, &sidtab);	/* Install the new policydb and SID table. */	POLICY_WRLOCK;	memcpy(&policydb, &newpolicydb, sizeof policydb);	sidtab_set(&sidtab, &newsidtab);	seqno = ++latest_granting;	policydb_loaded_version = policydb.policyvers;	POLICY_WRUNLOCK;	LOAD_UNLOCK;	/* Free the old policydb and SID table. */	policydb_destroy(&oldpolicydb);	sidtab_destroy(&oldsidtab);	avc_ss_reset(seqno);	selnl_notify_policyload(seqno);	selinux_netlbl_cache_invalidate();	selinux_xfrm_notify_policyload();	return 0;err:	LOAD_UNLOCK;	sidtab_destroy(&newsidtab);	policydb_destroy(&newpolicydb);	return rc;}/** * security_port_sid - Obtain the SID for a port. * @domain: communication domain aka address family * @type: socket type * @protocol: protocol number * @port: port number * @out_sid: security identifier */int security_port_sid(u16 domain,		      u16 type,		      u8 protocol,		      u16 port,		      u32 *out_sid){	struct ocontext *c;	int rc = 0;	POLICY_RDLOCK;	c = policydb.ocontexts[OCON_PORT];	while (c) {		if (c->u.port.protocol == protocol &&		    c->u.port.low_port <= port &&		    c->u.port.high_port >= port)			break;		c = c->next;	}	if (c) {		if (!c->sid[0]) {			rc = sidtab_context_to_sid(&sidtab,						   &c->context[0],						   &c->sid[0]);			if (rc)				goto out;		}		*out_sid = c->sid[0];	} else {		*out_sid = SECINITSID_PORT;	}out:	POLICY_RDUNLOCK;	return rc;}/** * security_netif_sid - Obtain the SID for a network interface. * @name: interface name * @if_sid: interface SID * @msg_sid: default SID for received packets */int security_netif_sid(char *name,		       u32 *if_sid,		       u32 *msg_sid){	int rc = 0;	struct ocontext *c;	POLICY_RDLOCK;	c = policydb.ocontexts[OCON_NETIF];	while (c) {		if (strcmp(name, c->u.name) == 0)			break;		c = c->next;	}	if (c) {		if (!c->sid[0] || !c->sid[1]) {			rc = sidtab_context_to_sid(&sidtab,						  &c->context[0],						  &c->sid[0]);			if (rc)				goto out;			rc = sidtab_context_to_sid(&sidtab,						   &c->context[1],						   &c->sid[1]);			if (rc)				goto out;		}		*if_sid = c->sid[0];		*msg_sid = c->sid[1];	} else {		*if_sid = SECINITSID_NETIF;		*msg_sid = SECINITSID_NETMSG;	}out:	POLICY_RDUNLOCK;	return rc;}static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask){	int i, fail = 0;	for(i = 0; i < 4; i++)		if(addr[i] != (input[i] & mask[i])) {			fail = 1;			break;		}	return !fail;}/** * security_node_sid - Obtain the SID for a node (host). * @domain: communication domain aka address family * @addrp: address * @addrlen: address length in bytes * @out_sid: security identifier */int security_node_sid(u16 domain,		      void *addrp,		      u32 addrlen,		      u32 *out_sid){	int rc = 0;	struct ocontext *c;	POLICY_RDLOCK;	switch (domain) {	case AF_INET: {		u32 addr;		if (addrlen != sizeof(u32)) {			rc = -EINVAL;			goto out;		}		addr = *((u32 *)addrp);		c = policydb.ocontexts[OCON_NODE];		while (c) {			if (c->u.node.addr == (addr & c->u.node.mask))				break;			c = c->next;		}		break;	}	case AF_INET6:		if (addrlen != sizeof(u64) * 2) {			rc = -EINVAL;			goto out;		}		c = policydb.ocontexts[OCON_NODE6];		while (c) {			if (match_ipv6_addrmask(addrp, c->u.node6.addr,						c->u.node6.mask))				break;			c = c->next;
💿 文件大小 57701 K
👤 上传用户 huanzhudev
📂 所属分类网络
🏷️ 相关标签

#linux #内核 #源代码
⌨️ 快捷键说明

复制代码 Ctrl + C
搜索代码 Ctrl + F
全屏模式 F11
切换主题 Ctrl + Shift + D
显示快捷键 ?
增大字号 Ctrl + =
减小字号 Ctrl + -