avc.c

xen 3.2.2 源码

 *
 * Look up an AVC entry that is valid for the
 * @requested permissions between the SID pair
 * (@ssid, @tsid), interpreting the permissions
 * based on @tclass.  If a valid AVC entry exists,
 * then this function return the avc_node.
 * Otherwise, this function returns NULL.
 */
static struct avc_node *avc_lookup(u32 ssid, u32 tsid, u16 tclass, u32 requested)
{
    struct avc_node *node;

    avc_cache_stats_incr(lookups);
    node = avc_search_node(ssid, tsid, tclass);

    if ( node && ((node->ae.avd.decided & requested) == requested) )
    {
        avc_cache_stats_incr(hits);
        goto out;
    }

    node = NULL;
    avc_cache_stats_incr(misses);
out:
    return node;
}

static int avc_latest_notif_update(int seqno, int is_insert)
{
    int ret = 0;
    static DEFINE_SPINLOCK(notif_lock);
    unsigned long flag;

    spin_lock_irqsave(&notif_lock, flag);
    if ( is_insert )
    {
        if ( seqno < avc_cache.latest_notif )
        {
            printk(KERN_WARNING "avc:  seqno %d < latest_notif %d\n",
                   seqno, avc_cache.latest_notif);
            ret = -EAGAIN;
        }
    }
    else
    {
        if ( seqno > avc_cache.latest_notif )
            avc_cache.latest_notif = seqno;
    }
    spin_unlock_irqrestore(&notif_lock, flag);

    return ret;
}

/**
 * avc_insert - Insert an AVC entry.
 * @ssid: source security identifier
 * @tsid: target security identifier
 * @tclass: target security class
 * @ae: AVC entry
 *
 * Insert an AVC entry for the SID pair
 * (@ssid, @tsid) and class @tclass.
 * The access vectors and the sequence number are
 * normally provided by the security server in
 * response to a security_compute_av() call.  If the
 * sequence number @ae->avd.seqno is not less than the latest
 * revocation notification, then the function copies
 * the access vectors into a cache entry, returns
 * avc_node inserted. Otherwise, this function returns NULL.
 */
static struct avc_node *avc_insert(u32 ssid, u32 tsid, u16 tclass, struct avc_entry *ae)
{
    struct avc_node *pos, *node = NULL;
    int hvalue;
	unsigned long flag;

    if ( avc_latest_notif_update(ae->avd.seqno, 1) )
        goto out;

    node = avc_alloc_node();
    if ( node )
    {
        hvalue = avc_hash(ssid, tsid, tclass);
        avc_node_populate(node, ssid, tsid, tclass, ae);

		spin_lock_irqsave(&avc_cache.slots_lock[hvalue], flag);
        list_for_each_entry(pos, &avc_cache.slots[hvalue], list)
        {
            if ( pos->ae.ssid == ssid && pos->ae.tsid == tsid &&
                                                    pos->ae.tclass == tclass )
            {
                avc_node_replace(node, pos);
                goto found;
            }
        }
        list_add_rcu(&node->list, &avc_cache.slots[hvalue]);
found:
		spin_unlock_irqrestore(&avc_cache.slots_lock[hvalue], flag);
    }
out:
    return node;
}

/**
 * avc_audit - Audit the granting or denial of permissions.
 * @ssid: source security identifier
 * @tsid: target security identifier
 * @tclass: target security class
 * @requested: requested permissions
 * @avd: access vector decisions
 * @result: result from avc_has_perm_noaudit
 * @a:  auxiliary audit data
 *
 * Audit the granting or denial of permissions in accordance
 * with the policy.  This function is typically called by
 * avc_has_perm() after a permission check, but can also be
 * called directly by callers who use avc_has_perm_noaudit()
 * in order to separate the permission check from the auditing.
 * For example, this separation is useful when the permission check must
 * be performed under a lock, to allow the lock to be released
 * before calling the auditing code.
 */
void avc_audit(u32 ssid, u32 tsid, u16 tclass, u32 requested,
               struct av_decision *avd, int result, struct avc_audit_data *a)
{
    struct domain *d = current->domain;
    u32 denied, audited;

    denied = requested & ~avd->allowed;
    if ( denied )
    {
        audited = denied;
        if ( !(audited & avd->auditdeny) )
            return;
    }
    else if ( result )
    {
        audited = denied = requested;
    }
    else
    {
        audited = requested;
        if ( !(audited & avd->auditallow) )
            return;
    }

    printk("avc:  %s ", denied ? "denied" : "granted");
    avc_dump_av(tclass, audited);
    printk(" for ");

    if ( a && a->d )
        d = a->d;
    if ( d )
        printk("domid=%d", d->domain_id);

    printk("\n");
    avc_dump_query(ssid, tsid, tclass);
    printk("\n");

}

/**
 * avc_add_callback - Register a callback for security events.
 * @callback: callback function
 * @events: security events
 * @ssid: source security identifier or %SECSID_WILD
 * @tsid: target security identifier or %SECSID_WILD
 * @tclass: target security class
 * @perms: permissions
 *
 * Register a callback function for events in the set @events
 * related to the SID pair (@ssid, @tsid) and
 * and the permissions @perms, interpreting
 * @perms based on @tclass.  Returns %0 on success or
 * -%ENOMEM if insufficient memory exists to add the callback.
 */
int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid, u16 tclass,
                u32 perms, u32 *out_retained), u32 events, u32 ssid, u32 tsid,
                                                        u16 tclass, u32 perms)
{
    struct avc_callback_node *c;
    int rc = 0;

    c = xmalloc(struct avc_callback_node);
    if ( !c )
    {
        rc = -ENOMEM;
        goto out;
    }

    c->callback = callback;
    c->events = events;
    c->ssid = ssid;
    c->tsid = tsid;
    c->perms = perms;
    c->next = avc_callbacks;
    avc_callbacks = c;
out:
    return rc;
}

static inline int avc_sidcmp(u32 x, u32 y)
{
    return (x == y || x == SECSID_WILD || y == SECSID_WILD);
}

/**
 * avc_update_node Update an AVC entry
 * @event : Updating event
 * @perms : Permission mask bits
 * @ssid,@tsid,@tclass : identifier of an AVC entry
 *
 * if a valid AVC entry doesn't exist,this function returns -ENOENT.
 * if kmalloc() called internal returns NULL, this function returns -ENOMEM.
 * otherwise, this function update the AVC entry. The original AVC-entry object
 * will release later by RCU.
 */
static int avc_update_node(u32 event, u32 perms, u32 ssid, u32 tsid, u16 tclass)
{
    int hvalue, rc = 0;
	unsigned long flag;
    struct avc_node *pos, *node, *orig = NULL;
    
    node = avc_alloc_node();
    if ( !node )
    {
        rc = -ENOMEM;
        goto out;
    }

    hvalue = avc_hash(ssid, tsid, tclass);    
	spin_lock_irqsave(&avc_cache.slots_lock[hvalue], flag);

    list_for_each_entry(pos, &avc_cache.slots[hvalue], list)
    {
        if ( ssid==pos->ae.ssid && tsid==pos->ae.tsid &&
                                                        tclass==pos->ae.tclass )
        {
            orig = pos;
            break;
        }
    }

    if ( !orig )
    {
        rc = -ENOENT;
        avc_node_kill(node);
        goto out_unlock;
    }

    /*
     * Copy and replace original node.
     */

    avc_node_populate(node, ssid, tsid, tclass, &orig->ae);

    switch ( event )
    {
    case AVC_CALLBACK_GRANT:
        node->ae.avd.allowed |= perms;
    break;
    case AVC_CALLBACK_TRY_REVOKE:
    case AVC_CALLBACK_REVOKE:
        node->ae.avd.allowed &= ~perms;
    break;
    case AVC_CALLBACK_AUDITALLOW_ENABLE:
        node->ae.avd.auditallow |= perms;
    break;
    case AVC_CALLBACK_AUDITALLOW_DISABLE:
        node->ae.avd.auditallow &= ~perms;
    break;
    case AVC_CALLBACK_AUDITDENY_ENABLE:
        node->ae.avd.auditdeny |= perms;
    break;
    case AVC_CALLBACK_AUDITDENY_DISABLE:
        node->ae.avd.auditdeny &= ~perms;
    break;
    }
    avc_node_replace(node, orig);
out_unlock:
	spin_unlock_irqrestore(&avc_cache.slots_lock[hvalue], flag);
out:
    return rc;
}

/**
 * avc_ss_reset - Flush the cache and revalidate migrated permissions.
 * @seqno: policy sequence number
 */
int avc_ss_reset(u32 seqno)
{
    struct avc_callback_node *c;
    int i, rc = 0;
	unsigned long flag;
    struct avc_node *node;

    for ( i = 0; i < AVC_CACHE_SLOTS; i++ )
    {
		spin_lock_irqsave(&avc_cache.slots_lock[i], flag);
        list_for_each_entry(node, &avc_cache.slots[i], list)
            avc_node_delete(node);
		spin_unlock_irqrestore(&avc_cache.slots_lock[i], flag);
    }
    
    for ( c = avc_callbacks; c; c = c->next )
    {
        if ( c->events & AVC_CALLBACK_RESET )
        {
            rc = c->callback(AVC_CALLBACK_RESET,
                     0, 0, 0, 0, NULL);
            if ( rc )
                goto out;
        }
    }

    avc_latest_notif_update(seqno, 0);
out:
    return rc;
}

/**
 * avc_has_perm_noaudit - Check permissions but perform no auditing.
 * @ssid: source security identifier
 * @tsid: target security identifier
 * @tclass: target security class
 * @requested: requested permissions, interpreted based on @tclass
 * @avd: access vector decisions
 *
 * Check the AVC to determine whether the @requested permissions are granted
 * for the SID pair (@ssid, @tsid), interpreting the permissions
 * based on @tclass, and call the security server on a cache miss to obtain
 * a new decision and add it to the cache.  Return a copy of the decisions
 * in @avd.  Return %0 if all @requested permissions are granted,
 * -%EACCES if any permissions are denied, or another -errno upon
 * other errors.  This function is typically called by avc_has_perm(),
 * but may also be called directly to separate permission checking from
 * auditing, e.g. in cases where a lock must be held for the check but
 * should be released for the auditing.
 */
int avc_has_perm_noaudit(u32 ssid, u32 tsid, u16 tclass, u32 requested,
                                                     struct av_decision *avd)
{
    struct avc_node *node;
    struct avc_entry entry, *p_ae;
    int rc = 0;
    u32 denied;

    rcu_read_lock();

    node = avc_lookup(ssid, tsid, tclass, requested);
    if ( !node )
    {
        rcu_read_unlock();
        rc = security_compute_av(ssid,tsid,tclass,requested,&entry.avd);
        if ( rc )
            goto out;
        rcu_read_lock();
        node = avc_insert(ssid,tsid,tclass,&entry);
    }

    p_ae = node ? &node->ae : &entry;

    if ( avd )
        memcpy(avd, &p_ae->avd, sizeof(*avd));

    denied = requested & ~(p_ae->avd.allowed);

    if ( !requested || denied )
    {
        if ( flask_enforcing )
            rc = -EACCES;
        else
            if ( node )
                avc_update_node(AVC_CALLBACK_GRANT,requested,
                        ssid,tsid,tclass);
    }

    rcu_read_unlock();
out:
    return rc;
}

/**
 * avc_has_perm - Check permissions and perform any appropriate auditing.
 * @ssid: source security identifier
 * @tsid: target security identifier
 * @tclass: target security class
 * @requested: requested permissions, interpreted based on @tclass
 * @auditdata: auxiliary audit data
 *
 * Check the AVC to determine whether the @requested permissions are granted
 * for the SID pair (@ssid, @tsid), interpreting the permissions
 * based on @tclass, and call the security server on a cache miss to obtain
 * a new decision and add it to the cache.  Audit the granting or denial of
 * permissions in accordance with the policy.  Return %0 if all @requested
 * permissions are granted, -%EACCES if any permissions are denied, or
 * another -errno upon other errors.
 */
int avc_has_perm(u32 ssid, u32 tsid, u16 tclass,
                 u32 requested, struct avc_audit_data *auditdata)
{
    struct av_decision avd;
    int rc;

    rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, &avd);
    avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata);
    return rc;
}