📄 services.c
字号:
/* * Implementation of the security services. * * Authors : Stephen Smalley, <sds@epoch.ncsc.mil> * James Morris <jmorris@redhat.com> * * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> * * Support for enhanced MLS infrastructure. * * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> * * Added conditional policy language extensions * * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. * Copyright (C) 2003 - 2004 Tresys Technology, LLC * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation, version 2. *//* Ported to Xen 3.0, George Coker, <gscoker@alpha.ncsc.mil> */#include <xen/lib.h>#include <xen/xmalloc.h>#include <xen/string.h>#include <xen/spinlock.h>#include <xen/errno.h>#include "flask.h"#include "avc.h"#include "avc_ss.h"#include "security.h"#include "context.h"#include "policydb.h"#include "sidtab.h"#include "services.h"#include "conditional.h"#include "mls.h"unsigned int policydb_loaded_version;static DEFINE_RWLOCK(policy_rwlock);#define POLICY_RDLOCK read_lock(&policy_rwlock)#define POLICY_WRLOCK write_lock_irq(&policy_rwlock)#define POLICY_RDUNLOCK read_unlock(&policy_rwlock)#define POLICY_WRUNLOCK write_unlock_irq(&policy_rwlock)static DEFINE_SPINLOCK(load_sem);#define LOAD_LOCK spin_lock(&load_sem)#define LOAD_UNLOCK spin_unlock(&load_sem)static struct sidtab sidtab;struct policydb policydb;int ss_initialized = 0;/* * The largest sequence number that has been used when * providing an access decision to the access vector cache. * The sequence number only changes when a policy change * occurs. */static u32 latest_granting = 0;/* Forward declaration. */static int context_struct_to_string(struct context *context, char **scontext, u32 *scontext_len);/* * Return the boolean value of a constraint expression * when it is applied to the specified source and target * security contexts. * * xcontext is a special beast... It is used by the validatetrans rules * only. For these rules, scontext is the context before the transition, * tcontext is the context after the transition, and xcontext is the context * of the process performing the transition. All other callers of * constraint_expr_eval should pass in NULL for xcontext. */static int constraint_expr_eval(struct context *scontext, struct context *tcontext, struct context *xcontext, struct constraint_expr *cexpr){ u32 val1, val2; struct context *c; struct role_datum *r1, *r2; struct mls_level *l1, *l2; struct constraint_expr *e; int s[CEXPR_MAXDEPTH]; int sp = -1; for ( e = cexpr; e; e = e->next ) { switch ( e->expr_type ) { case CEXPR_NOT: BUG_ON(sp < 0); s[sp] = !s[sp]; break; case CEXPR_AND: BUG_ON(sp < 1); sp--; s[sp] &= s[sp+1]; break; case CEXPR_OR: BUG_ON(sp < 1); sp--; s[sp] |= s[sp+1]; break; case CEXPR_ATTR: if ( sp == (CEXPR_MAXDEPTH-1) ) return 0; switch ( e->attr ) { case CEXPR_USER: val1 = scontext->user; val2 = tcontext->user; break; case CEXPR_TYPE: val1 = scontext->type; val2 = tcontext->type; break; case CEXPR_ROLE: val1 = scontext->role; val2 = tcontext->role; r1 = policydb.role_val_to_struct[val1 - 1]; r2 = policydb.role_val_to_struct[val2 - 1]; switch ( e->op ) { case CEXPR_DOM: s[++sp] = ebitmap_get_bit(&r1->dominates, val2 - 1); continue; case CEXPR_DOMBY: s[++sp] = ebitmap_get_bit(&r2->dominates, val1 - 1); continue; case CEXPR_INCOMP: s[++sp] = ( !ebitmap_get_bit(&r1->dominates, val2 - 1) && !ebitmap_get_bit(&r2->dominates, val1 - 1) ); continue; default: break; } break; case CEXPR_L1L2: l1 = &(scontext->range.level[0]); l2 = &(tcontext->range.level[0]); goto mls_ops; case CEXPR_L1H2: l1 = &(scontext->range.level[0]); l2 = &(tcontext->range.level[1]); goto mls_ops; case CEXPR_H1L2: l1 = &(scontext->range.level[1]); l2 = &(tcontext->range.level[0]); goto mls_ops; case CEXPR_H1H2: l1 = &(scontext->range.level[1]); l2 = &(tcontext->range.level[1]); goto mls_ops; case CEXPR_L1H1: l1 = &(scontext->range.level[0]); l2 = &(scontext->range.level[1]); goto mls_ops; case CEXPR_L2H2: l1 = &(tcontext->range.level[0]); l2 = &(tcontext->range.level[1]); goto mls_ops;mls_ops: switch ( e->op ) { case CEXPR_EQ: s[++sp] = mls_level_eq(l1, l2); continue; case CEXPR_NEQ: s[++sp] = !mls_level_eq(l1, l2); continue; case CEXPR_DOM: s[++sp] = mls_level_dom(l1, l2); continue; case CEXPR_DOMBY: s[++sp] = mls_level_dom(l2, l1); continue; case CEXPR_INCOMP: s[++sp] = mls_level_incomp(l2, l1); continue; default: BUG(); return 0; } break; default: BUG(); return 0; } switch ( e->op ) { case CEXPR_EQ: s[++sp] = (val1 == val2); break; case CEXPR_NEQ: s[++sp] = (val1 != val2); break; default: BUG(); return 0; } break; case CEXPR_NAMES: if ( sp == (CEXPR_MAXDEPTH-1) ) return 0; c = scontext; if ( e->attr & CEXPR_TARGET ) c = tcontext; else if ( e->attr & CEXPR_XTARGET ) { c = xcontext; if ( !c ) { BUG(); return 0; } } if ( e->attr & CEXPR_USER ) val1 = c->user; else if ( e->attr & CEXPR_ROLE ) val1 = c->role; else if ( e->attr & CEXPR_TYPE ) val1 = c->type; else { BUG(); return 0; } switch ( e->op ) { case CEXPR_EQ: s[++sp] = ebitmap_get_bit(&e->names, val1 - 1); break; case CEXPR_NEQ: s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1); break; default: BUG(); return 0; } break; default: BUG(); return 0; } } BUG_ON(sp != 0); return s[0];}/* * Compute access vectors based on a context structure pair for * the permissions in a particular class. */static int context_struct_compute_av(struct context *scontext, struct context *tcontext, u16 tclass, u32 requested, struct av_decision *avd){ struct constraint_node *constraint; struct role_allow *ra; struct avtab_key avkey; struct avtab_node *node; struct class_datum *tclass_datum; struct ebitmap *sattr, *tattr; struct ebitmap_node *snode, *tnode; unsigned int i, j; if ( !tclass || tclass > policydb.p_classes.nprim ) { printk(KERN_ERR "security_compute_av: unrecognized class %d\n", tclass); return -EINVAL; } tclass_datum = policydb.class_val_to_struct[tclass - 1]; /* * Initialize the access vectors to the default values. */ avd->allowed = 0; avd->decided = 0xffffffff; avd->auditallow = 0; avd->auditdeny = 0xffffffff; avd->seqno = latest_granting; /* * If a specific type enforcement rule was defined for * this permission check, then use it. */ avkey.target_class = tclass; avkey.specified = AVTAB_AV; sattr = &policydb.type_attr_map[scontext->type - 1]; tattr = &policydb.type_attr_map[tcontext->type - 1]; ebitmap_for_each_bit(sattr, snode, i) { if ( !ebitmap_node_get_bit(snode, i) ) continue; ebitmap_for_each_bit(tattr, tnode, j) { if ( !ebitmap_node_get_bit(tnode, j) ) continue; avkey.source_type = i + 1; avkey.target_type = j + 1; for ( node = avtab_search_node(&policydb.te_avtab, &avkey); node != NULL; node = avtab_search_node_next(node, avkey.specified) ) { if ( node->key.specified == AVTAB_ALLOWED ) avd->allowed |= node->datum.data; else if ( node->key.specified == AVTAB_AUDITALLOW ) avd->auditallow |= node->datum.data; else if ( node->key.specified == AVTAB_AUDITDENY ) avd->auditdeny &= node->datum.data; } /* Check conditional av table for additional permissions */ cond_compute_av(&policydb.te_cond_avtab, &avkey, avd); } } /* * Remove any permissions prohibited by a constraint (this includes * the MLS policy). */ constraint = tclass_datum->constraints; while ( constraint ) { if ( (constraint->permissions & (avd->allowed) ) && !constraint_expr_eval(scontext, tcontext, NULL, constraint->expr)) { avd->allowed = (avd->allowed) & ~(constraint->permissions); } constraint = constraint->next; } /* * If checking process transition permission and the * role is changing, then check the (current_role, new_role) * pair. */ if ( tclass == SECCLASS_DOMAIN &&/* removed until future dynamic domain capability (avd->allowed & (DOMAIN__TRANSITION | DOMAIN__DYNTRANSITION)) &&*/ scontext->role != tcontext->role ) { for ( ra = policydb.role_allow; ra; ra = ra->next ) { if ( scontext->role == ra->role && tcontext->role == ra->new_role ) break; }/* removed until future dynamic domain capability if (!ra) avd->allowed = (avd->allowed) & ~(DOMAIN__TRANSITION | DOMAIN__DYNTRANSITION);*/ } return 0;}static int security_validtrans_handle_fail(struct context *ocontext, struct context *ncontext, struct context *tcontext, u16 tclass){ char *o = NULL, *n = NULL, *t = NULL; u32 olen, nlen, tlen; if ( context_struct_to_string(ocontext, &o, &olen) < 0 ) goto out; if ( context_struct_to_string(ncontext, &n, &nlen) < 0 ) goto out; if ( context_struct_to_string(tcontext, &t, &tlen) < 0 ) goto out; printk("security_validate_transition: denied for" " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s", o, n, t, policydb.p_class_val_to_name[tclass-1]);out: xfree(o); xfree(n); xfree(t); if ( !flask_enforcing ) return 0; return -EPERM;}int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, u16 tclass){ struct context *ocontext; struct context *ncontext; struct context *tcontext; struct class_datum *tclass_datum; struct constraint_node *constraint; int rc = 0; if ( !ss_initialized ) return 0; POLICY_RDLOCK; if ( !tclass || tclass > policydb.p_classes.nprim ) { printk(KERN_ERR "security_validate_transition: " "unrecognized class %d\n", tclass); rc = -EINVAL; goto out; } tclass_datum = policydb.class_val_to_struct[tclass - 1]; ocontext = sidtab_search(&sidtab, oldsid); if ( !ocontext ) { printk(KERN_ERR "security_validate_transition: " " unrecognized SID %d\n", oldsid); rc = -EINVAL; goto out; } ncontext = sidtab_search(&sidtab, newsid); if ( !ncontext ) { printk(KERN_ERR "security_validate_transition: " " unrecognized SID %d\n", newsid); rc = -EINVAL; goto out; } tcontext = sidtab_search(&sidtab, tasksid); if ( !tcontext ) { printk(KERN_ERR "security_validate_transition: " " unrecognized SID %d\n", tasksid); rc = -EINVAL; goto out; } constraint = tclass_datum->validatetrans; while ( constraint ) { if ( !constraint_expr_eval(ocontext, ncontext, tcontext, constraint->expr) ) { rc = security_validtrans_handle_fail(ocontext, ncontext, tcontext, tclass); goto out; } constraint = constraint->next; }out: POLICY_RDUNLOCK; return rc;}/** * security_compute_av - Compute access vector decisions. * @ssid: source security identifier * @tsid: target security identifier * @tclass: target security class * @requested: requested permissions * @avd: access vector decisions * * Compute a set of access vector decisions based on the * SID pair (@ssid, @tsid) for the permissions in @tclass. * Return -%EINVAL if any of the parameters are invalid or %0 * if the access vector decisions were computed successfully. */int security_compute_av(u32 ssid, u32 tsid, u16 tclass, u32 requested, struct av_decision *avd){ struct context *scontext = NULL, *tcontext = NULL; int rc = 0; if ( !ss_initialized ) { avd->allowed = 0xffffffff; avd->decided = 0xffffffff; avd->auditallow = 0; avd->auditdeny = 0xffffffff; avd->seqno = latest_granting; return 0; } POLICY_RDLOCK; scontext = sidtab_search(&sidtab, ssid); if ( !scontext ) { printk("security_compute_av: unrecognized SID %d\n", ssid); rc = -EINVAL; goto out; } tcontext = sidtab_search(&sidtab, tsid); if ( !tcontext ) { printk("security_compute_av: unrecognized SID %d\n", tsid); rc = -EINVAL; goto out; } rc = context_struct_compute_av(scontext, tcontext, tclass, requested, avd);out: POLICY_RDUNLOCK; return rc;}/* * Write the security context string representation of * the context structure `context' into a dynamically * allocated string of the correct size. Set `*scontext' * to point to this string and set `*scontext_len' to * the length of the string. */static int context_struct_to_string(struct context *context, char **scontext, u32 *scontext_len){ char *scontextp; *scontext = NULL; *scontext_len = 0; /* Compute the size of the context. */ *scontext_len += strlen(policydb.p_user_val_to_name[context->user - 1]) + 1; *scontext_len += strlen(policydb.p_role_val_to_name[context->role - 1]) + 1; *scontext_len += strlen(policydb.p_type_val_to_name[context->type - 1]) + 1; *scontext_len += mls_compute_context_len(context); /* Allocate space for the context; caller must free this space. */ scontextp = xmalloc_array(char, *scontext_len); if ( !scontextp ) return -ENOMEM; *scontext = scontextp; /* * Copy the user name, role name and type name into the context. */ snprintf(scontextp, *scontext_len, "%s:%s:%s", policydb.p_user_val_to_name[context->user - 1], policydb.p_role_val_to_name[context->role - 1], policydb.p_type_val_to_name[context->type - 1]); scontextp += strlen(policydb.p_user_val_to_name[context->user - 1]) + 1 + strlen(policydb.p_role_val_to_name[context->role - 1]) +⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -