📄 services.c
字号:
__FUNCTION__, class); rc = -EINVAL; goto out; } *nperms = match->permissions.nprim; *perms = kcalloc(*nperms, sizeof(*perms), GFP_ATOMIC); if (!*perms) goto out; if (match->comdatum) { rc = hashtab_map(match->comdatum->permissions.table, get_permissions_callback, *perms); if (rc < 0) goto err; } rc = hashtab_map(match->permissions.table, get_permissions_callback, *perms); if (rc < 0) goto err;out: POLICY_RDUNLOCK; return rc;err: POLICY_RDUNLOCK; for (i = 0; i < *nperms; i++) kfree((*perms)[i]); kfree(*perms); return rc;}int security_get_reject_unknown(void){ return policydb.reject_unknown;}int security_get_allow_unknown(void){ return policydb.allow_unknown;}struct selinux_audit_rule { u32 au_seqno; struct context au_ctxt;};void selinux_audit_rule_free(struct selinux_audit_rule *rule){ if (rule) { context_destroy(&rule->au_ctxt); kfree(rule); }}int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, struct selinux_audit_rule **rule){ struct selinux_audit_rule *tmprule; struct role_datum *roledatum; struct type_datum *typedatum; struct user_datum *userdatum; int rc = 0; *rule = NULL; if (!ss_initialized) return -EOPNOTSUPP; switch (field) { case AUDIT_SUBJ_USER: case AUDIT_SUBJ_ROLE: case AUDIT_SUBJ_TYPE: case AUDIT_OBJ_USER: case AUDIT_OBJ_ROLE: case AUDIT_OBJ_TYPE: /* only 'equals' and 'not equals' fit user, role, and type */ if (op != AUDIT_EQUAL && op != AUDIT_NOT_EQUAL) return -EINVAL; break; case AUDIT_SUBJ_SEN: case AUDIT_SUBJ_CLR: case AUDIT_OBJ_LEV_LOW: case AUDIT_OBJ_LEV_HIGH: /* we do not allow a range, indicated by the presense of '-' */ if (strchr(rulestr, '-')) return -EINVAL; break; default: /* only the above fields are valid */ return -EINVAL; } tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL); if (!tmprule) return -ENOMEM; context_init(&tmprule->au_ctxt); POLICY_RDLOCK; tmprule->au_seqno = latest_granting; switch (field) { case AUDIT_SUBJ_USER: case AUDIT_OBJ_USER: userdatum = hashtab_search(policydb.p_users.table, rulestr); if (!userdatum) rc = -EINVAL; else tmprule->au_ctxt.user = userdatum->value; break; case AUDIT_SUBJ_ROLE: case AUDIT_OBJ_ROLE: roledatum = hashtab_search(policydb.p_roles.table, rulestr); if (!roledatum) rc = -EINVAL; else tmprule->au_ctxt.role = roledatum->value; break; case AUDIT_SUBJ_TYPE: case AUDIT_OBJ_TYPE: typedatum = hashtab_search(policydb.p_types.table, rulestr); if (!typedatum) rc = -EINVAL; else tmprule->au_ctxt.type = typedatum->value; break; case AUDIT_SUBJ_SEN: case AUDIT_SUBJ_CLR: case AUDIT_OBJ_LEV_LOW: case AUDIT_OBJ_LEV_HIGH: rc = mls_from_string(rulestr, &tmprule->au_ctxt, GFP_ATOMIC); break; } POLICY_RDUNLOCK; if (rc) { selinux_audit_rule_free(tmprule); tmprule = NULL; } *rule = tmprule; return rc;}int selinux_audit_rule_match(u32 sid, u32 field, u32 op, struct selinux_audit_rule *rule, struct audit_context *actx){ struct context *ctxt; struct mls_level *level; int match = 0; if (!rule) { audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, "selinux_audit_rule_match: missing rule\n"); return -ENOENT; } POLICY_RDLOCK; if (rule->au_seqno < latest_granting) { audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, "selinux_audit_rule_match: stale rule\n"); match = -ESTALE; goto out; } ctxt = sidtab_search(&sidtab, sid); if (!ctxt) { audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, "selinux_audit_rule_match: unrecognized SID %d\n", sid); match = -ENOENT; goto out; } /* a field/op pair that is not caught here will simply fall through without a match */ switch (field) { case AUDIT_SUBJ_USER: case AUDIT_OBJ_USER: switch (op) { case AUDIT_EQUAL: match = (ctxt->user == rule->au_ctxt.user); break; case AUDIT_NOT_EQUAL: match = (ctxt->user != rule->au_ctxt.user); break; } break; case AUDIT_SUBJ_ROLE: case AUDIT_OBJ_ROLE: switch (op) { case AUDIT_EQUAL: match = (ctxt->role == rule->au_ctxt.role); break; case AUDIT_NOT_EQUAL: match = (ctxt->role != rule->au_ctxt.role); break; } break; case AUDIT_SUBJ_TYPE: case AUDIT_OBJ_TYPE: switch (op) { case AUDIT_EQUAL: match = (ctxt->type == rule->au_ctxt.type); break; case AUDIT_NOT_EQUAL: match = (ctxt->type != rule->au_ctxt.type); break; } break; case AUDIT_SUBJ_SEN: case AUDIT_SUBJ_CLR: case AUDIT_OBJ_LEV_LOW: case AUDIT_OBJ_LEV_HIGH: level = ((field == AUDIT_SUBJ_SEN || field == AUDIT_OBJ_LEV_LOW) ? &ctxt->range.level[0] : &ctxt->range.level[1]); switch (op) { case AUDIT_EQUAL: match = mls_level_eq(&rule->au_ctxt.range.level[0], level); break; case AUDIT_NOT_EQUAL: match = !mls_level_eq(&rule->au_ctxt.range.level[0], level); break; case AUDIT_LESS_THAN: match = (mls_level_dom(&rule->au_ctxt.range.level[0], level) && !mls_level_eq(&rule->au_ctxt.range.level[0], level)); break; case AUDIT_LESS_THAN_OR_EQUAL: match = mls_level_dom(&rule->au_ctxt.range.level[0], level); break; case AUDIT_GREATER_THAN: match = (mls_level_dom(level, &rule->au_ctxt.range.level[0]) && !mls_level_eq(level, &rule->au_ctxt.range.level[0])); break; case AUDIT_GREATER_THAN_OR_EQUAL: match = mls_level_dom(level, &rule->au_ctxt.range.level[0]); break; } }out: POLICY_RDUNLOCK; return match;}static int (*aurule_callback)(void) = NULL;static int aurule_avc_callback(u32 event, u32 ssid, u32 tsid, u16 class, u32 perms, u32 *retained){ int err = 0; if (event == AVC_CALLBACK_RESET && aurule_callback) err = aurule_callback(); return err;}static int __init aurule_init(void){ int err; err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET, SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0); if (err) panic("avc_add_callback() failed, error %d\n", err); return err;}__initcall(aurule_init);void selinux_audit_set_callback(int (*callback)(void)){ aurule_callback = callback;}#ifdef CONFIG_NETLABEL/* * NetLabel cache structure */#define NETLBL_CACHE(x) ((struct selinux_netlbl_cache *)(x))#define NETLBL_CACHE_T_NONE 0#define NETLBL_CACHE_T_SID 1#define NETLBL_CACHE_T_MLS 2struct selinux_netlbl_cache { u32 type; union { u32 sid; struct mls_range mls_label; } data;};/** * security_netlbl_cache_free - Free the NetLabel cached data * @data: the data to free * * Description: * This function is intended to be used as the free() callback inside the * netlbl_lsm_cache structure. * */static void security_netlbl_cache_free(const void *data){ struct selinux_netlbl_cache *cache; if (data == NULL) return; cache = NETLBL_CACHE(data); switch (cache->type) { case NETLBL_CACHE_T_MLS: ebitmap_destroy(&cache->data.mls_label.level[0].cat); break; } kfree(data);}/** * security_netlbl_cache_add - Add an entry to the NetLabel cache * @secattr: the NetLabel packet security attributes * @ctx: the SELinux context * * Description: * Attempt to cache the context in @ctx, which was derived from the packet in * @skb, in the NetLabel subsystem cache. This function assumes @secattr has * already been initialized. * */static void security_netlbl_cache_add(struct netlbl_lsm_secattr *secattr, struct context *ctx){ struct selinux_netlbl_cache *cache = NULL; secattr->cache = netlbl_secattr_cache_alloc(GFP_ATOMIC); if (secattr->cache == NULL) return; cache = kzalloc(sizeof(*cache), GFP_ATOMIC); if (cache == NULL) return; cache->type = NETLBL_CACHE_T_MLS; if (ebitmap_cpy(&cache->data.mls_label.level[0].cat, &ctx->range.level[0].cat) != 0) { kfree(cache); return; } cache->data.mls_label.level[1].cat.highbit = cache->data.mls_label.level[0].cat.highbit; cache->data.mls_label.level[1].cat.node = cache->data.mls_label.level[0].cat.node; cache->data.mls_label.level[0].sens = ctx->range.level[0].sens; cache->data.mls_label.level[1].sens = ctx->range.level[0].sens; secattr->cache->free = security_netlbl_cache_free; secattr->cache->data = (void *)cache; secattr->flags |= NETLBL_SECATTR_CACHE;}/** * security_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID * @secattr: the NetLabel packet security attributes * @base_sid: the SELinux SID to use as a context for MLS only attributes * @sid: the SELinux SID * * Description: * Convert the given NetLabel security attributes in @secattr into a * SELinux SID. If the @secattr field does not contain a full SELinux * SID/context then use the context in @base_sid as the foundation. If * possibile the 'cache' field of @secattr is set and the CACHE flag is set; * this is to allow the @secattr to be used by NetLabel to cache the secattr to * SID conversion for future lookups. Returns zero on success, negative * values on failure. * */int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr, u32 base_sid, u32 *sid){ int rc = -EIDRM; struct context *ctx; struct context ctx_new; struct selinux_netlbl_cache *cache; if (!ss_initialized) { *sid = SECSID_NULL; return 0; } POLICY_RDLOCK; if (secattr->flags & NETLBL_SECATTR_CACHE) { cache = NETLBL_CACHE(secattr->cache->data); switch (cache->type) { case NETLBL_CACHE_T_SID: *sid = cache->data.sid; rc = 0; break; case NETLBL_CACHE_T_MLS: ctx = sidtab_search(&sidtab, base_sid); if (ctx == NULL) goto netlbl_secattr_to_sid_return; ctx_new.user = ctx->user; ctx_new.role = ctx->role; ctx_new.type = ctx->type; ctx_new.range.level[0].sens = cache->data.mls_label.level[0].sens; ctx_new.range.level[0].cat.highbit = cache->data.mls_label.level[0].cat.highbit; ctx_new.range.level[0].cat.node = cache->data.mls_label.level[0].cat.node; ctx_new.range.level[1].sens = cache->data.mls_label.level[1].sens; ctx_new.range.level[1].cat.highbit = cache->data.mls_label.level[1].cat.highbit; ctx_new.range.level[1].cat.node = cache->data.mls_label.level[1].cat.node; rc = sidtab_context_to_sid(&sidtab, &ctx_new, sid); break; default: goto netlbl_secattr_to_sid_return; } } else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) { ctx = sidtab_search(&sidtab, base_sid); if (ctx == NULL) goto netlbl_secattr_to_sid_return; ctx_new.user = ctx->user; ctx_new.role = ctx->role; ctx_new.type = ctx->type; mls_import_netlbl_lvl(&ctx_new, secattr); if (secattr->flags & NETLBL_SECATTR_MLS_CAT) { if (ebitmap_netlbl_import(&ctx_new.range.level[0].cat, secattr->mls_cat) != 0) goto netlbl_secattr_to_sid_return; ctx_new.range.level[1].cat.highbit = ctx_new.range.level[0].cat.highbit; ctx_new.range.level[1].cat.node = ctx_new.range.level[0].cat.node; } else { ebitmap_init(&ctx_new.range.level[0].cat); ebitmap_init(&ctx_new.range.level[1].cat); } if (mls_context_isvalid(&policydb, &ctx_new) != 1) goto netlbl_secattr_to_sid_return_cleanup; rc = sidtab_context_to_sid(&sidtab, &ctx_new, sid); if (rc != 0) goto netlbl_secattr_to_sid_return_cleanup; security_netlbl_cache_add(secattr, &ctx_new); ebitmap_destroy(&ctx_new.range.level[0].cat); } else { *sid = SECSID_NULL; rc = 0; }netlbl_secattr_to_sid_return: POLICY_RDUNLOCK; return rc;netlbl_secattr_to_sid_return_cleanup: ebitmap_destroy(&ctx_new.range.level[0].cat); goto netlbl_secattr_to_sid_return;}/** * security_netlbl_sid_to_secattr - Convert a SELinux SID to a NetLabel secattr * @sid: the SELinux SID * @secattr: the NetLabel packet security attributes * * Description: * Convert the given SELinux SID in @sid into a NetLabel security attribute. * Returns zero on success, negative values on failure. * */int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr){ int rc = -ENOENT; struct context *ctx; if (!ss_initialized) return 0; POLICY_RDLOCK; ctx = sidtab_search(&sidtab, sid); if (ctx == NULL) goto netlbl_sid_to_secattr_failure; secattr->domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1], GFP_ATOMIC); secattr->flags |= NETLBL_SECATTR_DOMAIN; mls_export_netlbl_lvl(ctx, secattr); rc = mls_export_netlbl_cat(ctx, secattr); if (rc != 0) goto netlbl_sid_to_secattr_failure; POLICY_RDUNLOCK; return 0;netlbl_sid_to_secattr_failure: POLICY_RDUNLOCK; netlbl_secattr_destroy(secattr); return rc;}#endif /* CONFIG_NETLABEL */⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -