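    /*
     * Tail of flask_security_sid(): its signature and the declarations of
     * buf, count and context lie before this point in the file.
     */
    u32 sid;
    u32 len;
    int length;

    length = domain_has_security(current->domain, SECURITY__CHECK_CONTEXT);
    if ( length )
        goto out;

    /* NOTE(review): length is still 0 here, so an unparsable sid is
     * reported to the caller as success with zero output bytes. */
    if ( sscanf(buf, "%u", &sid) != 1 )
        goto out;

    length = security_sid_to_context(sid, &context, &len);
    if ( length < 0 )
        goto out;

    /* NOTE(review): len comes back from the security server and is copied
     * into buf without being compared against count; confirm the caller's
     * buffer is always at least len bytes or add a bound check here. */
    memset(buf, 0, count);
    memcpy(buf, context, len);
    length = len;
    xfree(context);

out:
    return length;
}

/*
 * Disable Flask at runtime and restore the saved xsm_ops (original_ops).
 *
 * Refused once a policy has been loaded (ss_initialized set) and refused on
 * every call after the first successful one.
 *
 * Returns 0 on success, -EINVAL otherwise.
 */
int flask_disable(void)
{
    static int flask_disabled = 0;

    /* Not permitted after initial policy load. */
    if ( ss_initialized )
        return -EINVAL;

    /* Only do this once. */
    if ( flask_disabled )
        return -EINVAL;

    printk("Flask: Disabled at runtime.\n");
    flask_disabled = 1;

    /* Reset xsm_ops to the original module. */
    xsm_ops = original_ops;

    return 0;
}

/*
 * FLASK_DISABLE handler.
 *
 * buf holds a decimal integer; any non-zero value requests flask_disable(),
 * zero is a no-op.
 *
 * Returns count on success, -EINVAL on unparsable input, or the error from
 * flask_disable().
 */
static int flask_security_disable(char *buf, uint32_t count)
{
    int length = -EINVAL;
    int new_value;

    if ( sscanf(buf, "%d", &new_value) != 1 )
        goto out;

    if ( new_value )
    {
        length = flask_disable();
        if ( length < 0 )
            goto out;
    }

    length = count;

out:
    return length;
}

/*
 * FLASK_SETAVC_THRESHOLD handler.
 *
 * buf holds a decimal unsigned integer.  Changing the threshold requires
 * SECURITY__SETSECPARAM on the calling domain; writing back the value that
 * is already set needs no permission.
 *
 * Returns count on success, -EINVAL on unparsable input, or the error from
 * the permission check.
 */
static int flask_security_setavc_threshold(char *buf, uint32_t count)
{
    int ret;
    /* Declared unsigned to match the "%u" conversion below: passing an
     * int * to %u is undefined behaviour. */
    unsigned int new_value;

    if ( sscanf(buf, "%u", &new_value) != 1 )
    {
        ret = -EINVAL;
        goto out;
    }

    if ( new_value != avc_cache_threshold )
    {
        ret = domain_has_security(current->domain, SECURITY__SETSECPARAM);
        if ( ret )
            goto out;
        avc_cache_threshold = new_value;
    }

    ret = count;

out:
    return ret;
}

/*
 * FLASK_SETBOOL handler.
 *
 * buf holds "<index> <value>".  The value (normalised to 0 or 1) is stored
 * in bool_pending_values[index]; it only takes effect on FLASK_COMMITBOOLS.
 * Requires SECURITY__SETBOOL.  Runs under sel_sem.
 *
 * Returns count on success, -EINVAL on unparsable input or an index outside
 * [0, bool_num), or the error from the permission check.
 */
static int flask_security_set_bool(char *buf, uint32_t count)
{
    int length;
    int i, new_value;

    spin_lock(&sel_sem);

    length = domain_has_security(current->domain, SECURITY__SETBOOL);
    if ( length )
        goto out;

    length = -EINVAL;
    if ( sscanf(buf, "%d %d", &i, &new_value) != 2 )
        goto out;

    /* The index is taken verbatim from the guest buffer: reject anything
     * outside the table built by flask_security_make_bools() before it is
     * used as a subscript. */
    if ( i < 0 || i >= bool_num )
        goto out;

    bool_pending_values[i] = new_value ? 1 : 0;
    length = count;

out:
    spin_unlock(&sel_sem);
    return length;
}

/*
 * FLASK_COMMITBOOLS handler.
 *
 * buf holds a decimal integer; non-zero applies bool_pending_values to the
 * loaded policy through security_set_bools(), zero is a no-op.
 * Requires SECURITY__SETBOOL.  Runs under sel_sem.
 *
 * Returns count on success, -EINVAL on unparsable input, or the error from
 * the permission check.
 */
static int flask_security_commit_bools(char *buf, uint32_t count)
{
    int length;
    int new_value;

    spin_lock(&sel_sem);

    length = domain_has_security(current->domain, SECURITY__SETBOOL);
    if ( length )
        goto out;

    length = -EINVAL;
    if ( sscanf(buf, "%d", &new_value) != 1 )
        goto out;

    if ( new_value )
        security_set_bools(bool_num, bool_pending_values);

    length = count;

out:
    spin_unlock(&sel_sem);
    return length;
}

/*
 * FLASK_GETBOOL handler.
 *
 * buf holds a decimal index on entry and is overwritten with
 * "<current> <pending>" for that boolean.  No permission check is made.
 * Runs under sel_sem.
 *
 * Returns the value returned by snprintf() on success, -EINVAL on
 * unparsable input or an index outside [0, bool_num), or the error from
 * security_get_bool_value().
 */
static int flask_security_get_bool(char *buf, uint32_t count)
{
    int length = -EINVAL;
    int i, cur_enforcing;

    spin_lock(&sel_sem);

    if ( sscanf(buf, "%d", &i) != 1 )
        goto out;

    /* bool_pending_values has bool_num entries; bound the guest-supplied
     * index before it is used as a subscript below. */
    if ( i < 0 || i >= bool_num )
        goto out;

    cur_enforcing = security_get_bool_value(i);
    if ( cur_enforcing < 0 )
    {
        length = cur_enforcing;
        goto out;
    }

    memset(buf, 0, count);
    length = snprintf(buf, count, "%d %d", cur_enforcing,
                      bool_pending_values[i]);

out:
    spin_unlock(&sel_sem);
    return length;
}

/*
 * Rebuild the pending-boolean table after a policy load.
 *
 * Frees the previous bool_pending_values, then asks the security server for
 * the current booleans.  On success bool_num / bool_pending_values describe
 * the new table (the values array is kept; the name strings are released
 * here because only the values are needed).  On failure bool_num is 0 and
 * bool_pending_values is NULL, so the FLASK_GETBOOL / FLASK_SETBOOL handlers
 * cannot reach the freed table.
 *
 * Called with sel_sem held (see flask_security_load()).
 * Returns 0 or the error from security_get_bools().
 */
static int flask_security_make_bools(void)
{
    int i, ret;
    char **names = NULL;
    int num = 0;
    int *values = NULL;

    xfree(bool_pending_values);
    /* Clear the stale pointer and count immediately: if security_get_bools()
     * fails below, the old table is already gone. */
    bool_pending_values = NULL;
    bool_num = 0;

    ret = security_get_bools(&num, &names, &values);
    if ( ret != 0 )
        goto out;

    bool_num = num;
    bool_pending_values = values;

out:
    if ( names )
    {
        for ( i = 0; i < num; i++ )
            xfree(names[i]);
        xfree(names);
    }
    return ret;
}

#ifdef FLASK_AVC_STATS
/*
 * FLASK_AVC_CACHESTATS handler.
 *
 * Writes a header line followed by one
 * "lookups hits misses allocations reclaims frees" line per possible CPU
 * into buf.  Each line is formatted into a scratch page first and copied
 * only if it fits in the remaining count.
 *
 * Returns the number of bytes written, -ENOMEM if the scratch page cannot be
 * allocated, or -EINVAL as soon as a line does not fit (the bytes already
 * written are then not reported).
 */
static int flask_security_avc_cachestats(char *buf, uint32_t count)
{
    char *page;
    int len;
    int length = 0;
    int cpu;
    struct avc_cache_stats *st;

    page = xmalloc_bytes(PAGE_SIZE);
    if ( !page )
        return -ENOMEM;
    memset(page, 0, PAGE_SIZE);

    len = snprintf(page, PAGE_SIZE,
                   "lookups hits misses allocations reclaims frees\n");
    if ( len > count )
    {
        length = -EINVAL;
        goto out;
    }
    memcpy(buf, page, len);
    buf += len;
    length += len;
    count -= len;

    for ( cpu = 0; cpu < NR_CPUS; ++cpu )
    {
        if ( !cpu_possible(cpu) )
            continue;

        st = &per_cpu(avc_cache_stats, cpu);
        len = snprintf(page, PAGE_SIZE, "%u %u %u %u %u %u\n",
                       st->lookups, st->hits, st->misses,
                       st->allocations, st->reclaims, st->frees);
        if ( len > count )
        {
            length = -EINVAL;
            goto out;
        }
        memcpy(buf, page, len);
        buf += len;
        length += len;
        count -= len;
    }

out:
    xfree(page);
    return length;
}
#endif

/*
 * FLASK_LOAD handler.
 *
 * buf / count is the policy image copied in from the guest.  Requires
 * SECURITY__LOAD_POLICY.  Loads the policy and then rebuilds the
 * pending-boolean table, all under sel_sem.
 *
 * Returns count on success, otherwise the error from the permission check,
 * security_load_policy() or flask_security_make_bools().
 */
static int flask_security_load(char *buf, uint32_t count)
{
    int ret;
    int length;

    spin_lock(&sel_sem);

    length = domain_has_security(current->domain, SECURITY__LOAD_POLICY);
    if ( length )
        goto out;

    length = security_load_policy(buf, count);
    if ( length )
        goto out;

    ret = flask_security_make_bools();
    length = ret ? ret : count;

out:
    spin_unlock(&sel_sem);
    return length;
}

/*
 * Dispatch one already-validated flask_op_t to its handler.
 *
 * arg is the scratch buffer of op->size + 1 zeroed bytes set up by
 * do_flask_op(); it carries the guest's input for FLASK_COPY_IN commands and
 * receives the output for FLASK_COPY_OUT commands.
 *
 * Returns the handler's output length (non-negative) or its negative error;
 * -ENOSYS for a command with no handler.
 */
static int flask_op_dispatch(const flask_op_t *op, char *arg)
{
    switch ( op->cmd )
    {
    case FLASK_LOAD:
        return flask_security_load(arg, op->size);

    case FLASK_GETENFORCE:
        return snprintf(arg, op->size, "%d", flask_enforcing);

    case FLASK_SETENFORCE:
        return flask_security_setenforce(arg, op->size);

    case FLASK_CONTEXT_TO_SID:
        return flask_security_context(arg, op->size);

    case FLASK_SID_TO_CONTEXT:
        return flask_security_sid(arg, op->size);

    case FLASK_ACCESS:
        return flask_security_access(arg, op->size);

    case FLASK_CREATE:
        return flask_security_create(arg, op->size);

    case FLASK_RELABEL:
        return flask_security_relabel(arg, op->size);

    case FLASK_USER:
        return flask_security_user(arg, op->size);

    case FLASK_POLICYVERS:
        return snprintf(arg, op->size, "%d", POLICYDB_VERSION_MAX);

    case FLASK_GETBOOL:
        return flask_security_get_bool(arg, op->size);

    case FLASK_SETBOOL:
        return flask_security_set_bool(arg, op->size);

    case FLASK_COMMITBOOLS:
        return flask_security_commit_bools(arg, op->size);

    case FLASK_MLS:
        return snprintf(arg, op->size, "%d", flask_mls_enabled);

    case FLASK_DISABLE:
        return flask_security_disable(arg, op->size);

    case FLASK_GETAVC_THRESHOLD:
        return snprintf(arg, op->size, "%d", avc_cache_threshold);

    case FLASK_SETAVC_THRESHOLD:
        return flask_security_setavc_threshold(arg, op->size);

    case FLASK_AVC_HASHSTATS:
        return avc_get_hash_stats(arg, op->size);

#ifdef FLASK_AVC_STATS
    case FLASK_AVC_CACHESTATS:
        return flask_security_avc_cachestats(arg, op->size);
#endif

    case FLASK_MEMBER:
        return flask_security_member(arg, op->size);

    default:
        return -ENOSYS;
    }
}

/*
 * Flask XSM hypercall entry point.
 *
 * Copies the flask_op_t from the guest, validates it, stages the guest's
 * buffer in a hypervisor-side scratch buffer, runs the command and copies
 * the result back.
 *
 * Validation: cmd must not exceed FLASK_LAST (it is later used as a shift
 * count into the FLASK_COPY_IN / FLASK_COPY_OUT masks), size must not exceed
 * MAX_POLICY_SIZE, and buf and size must be both set or both clear.  The
 * scratch buffer is one byte longer than op->size and zeroed, so the string
 * parsing handlers always see a NUL terminator.  On success op->size is
 * replaced by the handler's output length and the op is written back.
 *
 * Returns 0 on success, -EFAULT on a failed guest copy, -EINVAL on a
 * malformed op, -ENOMEM, or the handler's error.
 */
long do_flask_op(XEN_GUEST_HANDLE(xsm_op_t) u_flask_op)
{
    flask_op_t curop, *op = &curop;
    int rc = 0;
    int length;
    char *arg;

    if ( copy_from_guest(op, u_flask_op, 1) )
        return -EFAULT;

    if ( op->cmd > FLASK_LAST )
        return -EINVAL;

    if ( op->size > MAX_POLICY_SIZE )
        return -EINVAL;

    if ( (op->buf == NULL && op->size != 0) ||
         (op->buf != NULL && op->size == 0) )
        return -EINVAL;

    arg = xmalloc_bytes(op->size + 1);
    if ( !arg )
        return -ENOMEM;
    memset(arg, 0, op->size + 1);

    if ( (FLASK_COPY_IN & (1UL << op->cmd)) && op->buf != NULL &&
         copy_from_guest(arg, guest_handle_from_ptr(op->buf, char), op->size) )
    {
        rc = -EFAULT;
        goto out;
    }

    length = flask_op_dispatch(op, arg);
    if ( length < 0 )
    {
        rc = length;
        goto out;
    }

    if ( (FLASK_COPY_OUT & (1UL << op->cmd)) && op->buf != NULL &&
         copy_to_guest(guest_handle_from_ptr(op->buf, char), arg, op->size) )
    {
        rc = -EFAULT;
        goto out;
    }

    op->size = length;
    if ( copy_to_guest(u_flask_op, op, 1) )
        rc = -EFAULT;

out:
    xfree(arg);
    return rc;
}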