1 // SPDX-License-Identifier: GPL-2.0
3 * Implementation of the multi-level security (MLS) policy.
5 * Author : Stephen Smalley, <stephen.smalley.work@gmail.com>
9 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
10 * Support for enhanced MLS infrastructure.
11 * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
13 * Updated: Hewlett-Packard <paul@paul-moore.com>
14 * Added support to import/export the MLS label from NetLabel
15 * Copyright (C) Hewlett-Packard Development Company, L.P., 2006
18 #include <linux/kernel.h>
19 #include <linux/slab.h>
20 #include <linux/string.h>
21 #include <linux/errno.h>
22 #include <net/netlabel.h>
29 * Return the length in bytes for the MLS fields of the
30 * security context string representation of `context'.
32 int mls_compute_context_len(struct policydb *p, struct context *context)
34 int i, l, len, head, prev;
37 struct ebitmap_node *node;
42 len = 1; /* for the beginning ":" */
43 for (l = 0; l < 2; l++) {
44 u32 index_sens = context->range.level[l].sens;
45 len += strlen(sym_name(p, SYM_LEVELS, index_sens - 1));
50 e = &context->range.level[l].cat;
51 ebitmap_for_each_positive_bit(e, node, i)
54 /* one or more negative bits are skipped */
56 nm = sym_name(p, SYM_CATS, prev);
57 len += strlen(nm) + 1;
59 nm = sym_name(p, SYM_CATS, i);
60 len += strlen(nm) + 1;
66 nm = sym_name(p, SYM_CATS, prev);
67 len += strlen(nm) + 1;
70 if (mls_level_eq(&context->range.level[0],
71 &context->range.level[1]))
82 * Write the security context string representation of
83 * the MLS fields of `context' into the string `*scontext'.
84 * Update `*scontext' to point to the end of the MLS fields.
86 void mls_sid_to_context(struct policydb *p, struct context *context,
92 struct ebitmap_node *node;
97 scontextp = *scontext;
102 for (l = 0; l < 2; l++) {
103 strcpy(scontextp, sym_name(p, SYM_LEVELS,
104 context->range.level[l].sens - 1));
105 scontextp += strlen(scontextp);
110 e = &context->range.level[l].cat;
111 ebitmap_for_each_positive_bit(e, node, i)
114 /* one or more negative bits are skipped */
120 nm = sym_name(p, SYM_CATS, prev);
121 strcpy(scontextp, nm);
122 scontextp += strlen(nm);
128 nm = sym_name(p, SYM_CATS, i);
129 strcpy(scontextp, nm);
130 scontextp += strlen(nm);
141 nm = sym_name(p, SYM_CATS, prev);
142 strcpy(scontextp, nm);
143 scontextp += strlen(nm);
147 if (mls_level_eq(&context->range.level[0],
148 &context->range.level[1]))
155 *scontext = scontextp;
158 int mls_level_isvalid(struct policydb *p, struct mls_level *l)
160 struct level_datum *levdatum;
162 if (!l->sens || l->sens > p->p_levels.nprim)
164 levdatum = symtab_search(&p->p_levels,
165 sym_name(p, SYM_LEVELS, l->sens - 1));
170 * Return 1 iff all the bits set in l->cat are also be set in
171 * levdatum->level->cat and no bit in l->cat is larger than
174 return ebitmap_contains(&levdatum->level->cat, &l->cat,
178 int mls_range_isvalid(struct policydb *p, struct mls_range *r)
180 return (mls_level_isvalid(p, &r->level[0]) &&
181 mls_level_isvalid(p, &r->level[1]) &&
182 mls_level_dom(&r->level[1], &r->level[0]));
186 * Return 1 if the MLS fields in the security context
187 * structure `c' are valid. Return 0 otherwise.
189 int mls_context_isvalid(struct policydb *p, struct context *c)
191 struct user_datum *usrdatum;
196 if (!mls_range_isvalid(p, &c->range))
199 if (c->role == OBJECT_R_VAL)
203 * User must be authorized for the MLS range.
205 if (!c->user || c->user > p->p_users.nprim)
207 usrdatum = p->user_val_to_struct[c->user - 1];
208 if (!mls_range_contains(usrdatum->range, c->range))
209 return 0; /* user may not be associated with range */
215 * Set the MLS fields in the security context structure
216 * `context' based on the string representation in
217 * the string `scontext'.
219 * This function modifies the string in place, inserting
220 * NULL characters to terminate the MLS fields.
222 * If a def_sid is provided and no MLS field is present,
223 * copy the MLS field of the associated default context.
224 * Used for upgraded to MLS systems where objects may lack
227 * Policy read-lock must be held for sidtab lookup.
230 int mls_context_to_sid(struct policydb *pol, char oldc, char *scontext,
231 struct context *context, struct sidtab *s, u32 def_sid)
233 char *sensitivity, *cur_cat, *next_cat, *rngptr;
234 struct level_datum *levdatum;
235 struct cat_datum *catdatum, *rngdatum;
240 if (!pol->mls_enabled) {
242 * With no MLS, only return -EINVAL if there is a MLS field
243 * and it did not come from an xattr.
245 if (oldc && def_sid == SECSID_NULL)
251 * No MLS component to the security context, try and map to
252 * default if provided.
255 struct context *defcon;
257 if (def_sid == SECSID_NULL)
260 defcon = sidtab_search(s, def_sid);
264 return mls_context_cpy(context, defcon);
268 * If we're dealing with a range, figure out where the two parts
269 * of the range begin.
271 rangep[0] = scontext;
272 rangep[1] = strchr(scontext, '-');
278 /* For each part of the range: */
279 for (l = 0; l < 2; l++) {
280 /* Split sensitivity and category set. */
281 sensitivity = rangep[l];
282 if (sensitivity == NULL)
284 next_cat = strchr(sensitivity, ':');
286 *(next_cat++) = '\0';
288 /* Parse sensitivity. */
289 levdatum = symtab_search(&pol->p_levels, sensitivity);
292 context->range.level[l].sens = levdatum->level->sens;
294 /* Extract category set. */
295 while (next_cat != NULL) {
297 next_cat = strchr(next_cat, ',');
298 if (next_cat != NULL)
299 *(next_cat++) = '\0';
301 /* Separate into range if exists */
302 rngptr = strchr(cur_cat, '.');
303 if (rngptr != NULL) {
308 catdatum = symtab_search(&pol->p_cats, cur_cat);
312 rc = ebitmap_set_bit(&context->range.level[l].cat,
313 catdatum->value - 1, 1);
317 /* If range, set all categories in range */
321 rngdatum = symtab_search(&pol->p_cats, rngptr);
325 if (catdatum->value >= rngdatum->value)
328 for (i = catdatum->value; i < rngdatum->value; i++) {
329 rc = ebitmap_set_bit(
330 &context->range.level[l].cat, i, 1);
337 /* If we didn't see a '-', the range start is also the range end. */
338 if (rangep[1] == NULL) {
339 context->range.level[1].sens = context->range.level[0].sens;
340 rc = ebitmap_cpy(&context->range.level[1].cat,
341 &context->range.level[0].cat);
350 * Set the MLS fields in the security context structure
351 * `context' based on the string representation in
352 * the string `str'. This function will allocate temporary memory with the
353 * given constraints of gfp_mask.
355 int mls_from_string(struct policydb *p, char *str, struct context *context,
364 tmpstr = kstrdup(str, gfp_mask);
368 rc = mls_context_to_sid(p, ':', tmpstr, context, NULL,
377 * Copies the MLS range `range' into `context'.
379 int mls_range_set(struct context *context, struct mls_range *range)
383 /* Copy the MLS range into the context */
384 for (l = 0; l < 2; l++) {
385 context->range.level[l].sens = range->level[l].sens;
386 rc = ebitmap_cpy(&context->range.level[l].cat,
387 &range->level[l].cat);
395 int mls_setup_user_range(struct policydb *p, struct context *fromcon,
396 struct user_datum *user, struct context *usercon)
398 if (p->mls_enabled) {
399 struct mls_level *fromcon_sen = &(fromcon->range.level[0]);
400 struct mls_level *fromcon_clr = &(fromcon->range.level[1]);
401 struct mls_level *user_low = &(user->range.level[0]);
402 struct mls_level *user_clr = &(user->range.level[1]);
403 struct mls_level *user_def = &(user->dfltlevel);
404 struct mls_level *usercon_sen = &(usercon->range.level[0]);
405 struct mls_level *usercon_clr = &(usercon->range.level[1]);
407 /* Honor the user's default level if we can */
408 if (mls_level_between(user_def, fromcon_sen, fromcon_clr))
409 *usercon_sen = *user_def;
410 else if (mls_level_between(fromcon_sen, user_def, user_clr))
411 *usercon_sen = *fromcon_sen;
412 else if (mls_level_between(fromcon_clr, user_low, user_def))
413 *usercon_sen = *user_low;
417 /* Lower the clearance of available contexts
418 if the clearance of "fromcon" is lower than
419 that of the user's default clearance (but
420 only if the "fromcon" clearance dominates
421 the user's computed sensitivity level) */
422 if (mls_level_dom(user_clr, fromcon_clr))
423 *usercon_clr = *fromcon_clr;
424 else if (mls_level_dom(fromcon_clr, user_clr))
425 *usercon_clr = *user_clr;
434 * Convert the MLS fields in the security context
435 * structure `oldc' from the values specified in the
436 * policy `oldp' to the values specified in the policy `newp',
437 * storing the resulting context in `newc'.
439 int mls_convert_context(struct policydb *oldp, struct policydb *newp,
440 struct context *oldc, struct context *newc)
442 struct level_datum *levdatum;
443 struct cat_datum *catdatum;
444 struct ebitmap_node *node;
448 if (!oldp->mls_enabled || !newp->mls_enabled)
451 for (l = 0; l < 2; l++) {
452 char *name = sym_name(oldp, SYM_LEVELS,
453 oldc->range.level[l].sens - 1);
455 levdatum = symtab_search(&newp->p_levels, name);
459 newc->range.level[l].sens = levdatum->level->sens;
461 ebitmap_for_each_positive_bit(&oldc->range.level[l].cat, node,
466 catdatum = symtab_search(&newp->p_cats,
467 sym_name(oldp, SYM_CATS, i));
470 rc = ebitmap_set_bit(&newc->range.level[l].cat,
471 catdatum->value - 1, 1);
480 int mls_compute_sid(struct policydb *p, struct context *scontext,
481 struct context *tcontext, u16 tclass, u32 specified,
482 struct context *newcontext, bool sock)
484 struct range_trans rtr;
486 struct class_datum *cladatum;
487 char default_range = 0;
493 case AVTAB_TRANSITION:
494 /* Look for a range transition rule. */
495 rtr.source_type = scontext->type;
496 rtr.target_type = tcontext->type;
497 rtr.target_class = tclass;
498 r = policydb_rangetr_search(p, &rtr);
500 return mls_range_set(newcontext, r);
502 if (tclass && tclass <= p->p_classes.nprim) {
503 cladatum = p->class_val_to_struct[tclass - 1];
505 default_range = cladatum->default_range;
508 switch (default_range) {
509 case DEFAULT_SOURCE_LOW:
510 return mls_context_cpy_low(newcontext, scontext);
511 case DEFAULT_SOURCE_HIGH:
512 return mls_context_cpy_high(newcontext, scontext);
513 case DEFAULT_SOURCE_LOW_HIGH:
514 return mls_context_cpy(newcontext, scontext);
515 case DEFAULT_TARGET_LOW:
516 return mls_context_cpy_low(newcontext, tcontext);
517 case DEFAULT_TARGET_HIGH:
518 return mls_context_cpy_high(newcontext, tcontext);
519 case DEFAULT_TARGET_LOW_HIGH:
520 return mls_context_cpy(newcontext, tcontext);
522 return mls_context_glblub(newcontext, scontext,
528 if ((tclass == p->process_class) || sock)
529 /* Use the process MLS attributes. */
530 return mls_context_cpy(newcontext, scontext);
532 /* Use the process effective MLS attributes. */
533 return mls_context_cpy_low(newcontext, scontext);
535 /* Use the process effective MLS attributes. */
536 return mls_context_cpy_low(newcontext, scontext);
541 #ifdef CONFIG_NETLABEL
543 * mls_export_netlbl_lvl - Export the MLS sensitivity levels to NetLabel
545 * @context: the security context
546 * @secattr: the NetLabel security attributes
549 * Given the security context copy the low MLS sensitivity level into the
550 * NetLabel MLS sensitivity level field.
553 void mls_export_netlbl_lvl(struct policydb *p, struct context *context,
554 struct netlbl_lsm_secattr *secattr)
559 secattr->attr.mls.lvl = context->range.level[0].sens - 1;
560 secattr->flags |= NETLBL_SECATTR_MLS_LVL;
564 * mls_import_netlbl_lvl - Import the NetLabel MLS sensitivity levels
566 * @context: the security context
567 * @secattr: the NetLabel security attributes
570 * Given the security context and the NetLabel security attributes, copy the
571 * NetLabel MLS sensitivity level into the context.
574 void mls_import_netlbl_lvl(struct policydb *p, struct context *context,
575 struct netlbl_lsm_secattr *secattr)
580 context->range.level[0].sens = secattr->attr.mls.lvl + 1;
581 context->range.level[1].sens = context->range.level[0].sens;
585 * mls_export_netlbl_cat - Export the MLS categories to NetLabel
587 * @context: the security context
588 * @secattr: the NetLabel security attributes
591 * Given the security context copy the low MLS categories into the NetLabel
592 * MLS category field. Returns zero on success, negative values on failure.
595 int mls_export_netlbl_cat(struct policydb *p, struct context *context,
596 struct netlbl_lsm_secattr *secattr)
603 rc = ebitmap_netlbl_export(&context->range.level[0].cat,
604 &secattr->attr.mls.cat);
605 if (rc == 0 && secattr->attr.mls.cat != NULL)
606 secattr->flags |= NETLBL_SECATTR_MLS_CAT;
612 * mls_import_netlbl_cat - Import the MLS categories from NetLabel
614 * @context: the security context
615 * @secattr: the NetLabel security attributes
618 * Copy the NetLabel security attributes into the SELinux context; since the
619 * NetLabel security attribute only contains a single MLS category use it for
620 * both the low and high categories of the context. Returns zero on success,
621 * negative values on failure.
624 int mls_import_netlbl_cat(struct policydb *p, struct context *context,
625 struct netlbl_lsm_secattr *secattr)
632 rc = ebitmap_netlbl_import(&context->range.level[0].cat,
633 secattr->attr.mls.cat);
635 goto import_netlbl_cat_failure;
636 memcpy(&context->range.level[1].cat, &context->range.level[0].cat,
637 sizeof(context->range.level[0].cat));
641 import_netlbl_cat_failure:
642 ebitmap_destroy(&context->range.level[0].cat);
645 #endif /* CONFIG_NETLABEL */