diff --git a/libsepol/include/sepol/policydb/polcaps.h b/libsepol/include/sepol/policydb/polcaps.h index f90a48d..9152446 100644 --- a/libsepol/include/sepol/policydb/polcaps.h +++ b/libsepol/include/sepol/policydb/polcaps.h @@ -5,7 +5,7 @@ enum { POLICYDB_CAPABILITY_NETPEER, POLICYDB_CAPABILITY_OPENPERM, - POLICYDB_CAPABILITY_REDHAT1, /* reserved for RH testing of ptrace_child */ + POLICYDB_CAPABILITY_PTRACE_CHILD, POLICYDB_CAPABILITY_ALWAYSNETWORK, __POLICYDB_CAPABILITY_MAX }; diff --git a/libsepol/include/sepol/policydb/services.h b/libsepol/include/sepol/policydb/services.h index aef0c7b..3fd9700 100644 --- a/libsepol/include/sepol/policydb/services.h +++ b/libsepol/include/sepol/policydb/services.h @@ -58,6 +58,36 @@ extern int sepol_compute_av_reason(sepol_security_id_t ssid, struct sepol_av_decision *avd, unsigned int *reason); +/* + * Same as above, but also returns the constraint expression calculations + * whether allowed or denied in a buffer. This buffer is allocated by + * this call and must be free'd by the caller. + * The contraint buffer is in RPN format. + */ +extern int sepol_compute_av_reason_buffer(sepol_security_id_t ssid, + sepol_security_id_t tsid, + sepol_security_class_t tclass, + sepol_access_vector_t requested, + struct sepol_av_decision *avd, + unsigned int *reason, + char **reason_buf); + +/* + * Return a class ID associated with the class string representation + * specified by `class_name'. + */ +extern int sepol_class_name_to_id(const char *class_name, + sepol_security_class_t *tclass); + +/* + * Return a permission av bit associated with tclass and the string + * representation of the `perm_name'. + */ +extern int sepol_perm_name_to_av(sepol_security_class_t tclass, + const char *perm_name, + sepol_access_vector_t *av); + + /* * Compute a SID to use for labeling a new object in the * class `tclass' based on a SID pair. diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c index 2003eb6..a2d209c 100644 --- a/libsepol/src/expand.c +++ b/libsepol/src/expand.c @@ -49,6 +49,82 @@ typedef struct expand_state { int expand_neverallow; } expand_state_t; +struct linear_probe { + filename_trans_t **table; /* filename_trans chunks with same stype */ + filename_trans_t **ends; /* pointers to ends of **table chunks */ + uint32_t length; /* length of the table */ +}; + +static int linear_probe_create(struct linear_probe *probe, uint32_t length) +{ + probe->table = calloc(length, sizeof(*probe->table)); + if (probe->table == NULL) + return -1; + + probe->ends = calloc(length, sizeof(*probe->ends)); + if (probe->ends == NULL) + return -1; + + probe->length = length; + + return 0; +} + +static void linear_probe_destroy(struct linear_probe *probe) +{ + if (probe->length == 0) + return; + + free(probe->table); + free(probe->ends); + memset(probe, 0, sizeof(*probe)); +} + +static void linear_probe_insert(struct linear_probe *probe, uint32_t key, + filename_trans_t *data) +{ + assert(probe->length > key); + + if (probe->table[key] != NULL) { + data->next = probe->table[key]; + probe->table[key] = data; + } else { + probe->table[key] = probe->ends[key] = data; + } +} + +static filename_trans_t *linear_probe_find(struct linear_probe *probe, uint32_t key) +{ + assert(probe->length > key); + + return probe->table[key]; +} + +/* Returns all chunks stored in the *probe as single-linked list */ +static filename_trans_t *linear_probe_dump(struct linear_probe *probe, + filename_trans_t **endp) +{ + uint32_t i; + filename_trans_t *result = NULL; + filename_trans_t *end = NULL; + + for (i = 0; i < probe->length; i++) { + if (probe->table[i] != NULL) { + if (end == NULL) + end = probe->ends[i]; + probe->ends[i]->next = result; + result = probe->table[i]; + probe->table[i] = probe->ends[i] = NULL; + } + } + + /* Incoherent result and end pointers indicates bug */ + assert((result != NULL && end != NULL) || (result == NULL && end == NULL)); + + *endp = end; + return result; +} + static void expand_state_init(expand_state_t * state) { memset(state, 0, sizeof(expand_state_t)); @@ -1357,10 +1433,20 @@ static int copy_role_trans(expand_state_t * state, role_trans_rule_t * rules) static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *rules) { unsigned int i, j; - filename_trans_t *new_trans, *cur_trans; + filename_trans_t *new_trans, *cur_trans, *end; filename_trans_rule_t *cur_rule; ebitmap_t stypes, ttypes; ebitmap_node_t *snode, *tnode; + struct linear_probe probe; + + /* + * Linear probing speeds-up finding filename_trans rules with certain + * "stype" value. + */ + if (linear_probe_create(&probe, 4096)) { /* Assume 4096 is enough for most cases */ + ERR(state->handle, "Out of memory!"); + return -1; + } cur_rule = rules; while (cur_rule) { @@ -1383,6 +1469,14 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r mapped_otype = state->typemap[cur_rule->otype - 1]; + if (ebitmap_length(&stypes) > probe.length) { + linear_probe_destroy(&probe); + if (linear_probe_create(&probe, ebitmap_length(&stypes))) { + ERR(state->handle, "Out of memory!"); + return -1; + } + } + ebitmap_for_each_bit(&stypes, snode, i) { if (!ebitmap_node_get_bit(snode, i)) continue; @@ -1390,16 +1484,14 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r if (!ebitmap_node_get_bit(tnode, j)) continue; - cur_trans = state->out->filename_trans; - while (cur_trans) { - if ((cur_trans->stype == i + 1) && - (cur_trans->ttype == j + 1) && + cur_trans = linear_probe_find(&probe, i); + while (cur_trans != NULL) { + if ((cur_trans->ttype == j + 1) && (cur_trans->tclass == cur_rule->tclass) && (!strcmp(cur_trans->name, cur_rule->name))) { /* duplicate rule, who cares */ if (cur_trans->otype == mapped_otype) break; - ERR(state->handle, "Conflicting filename trans rules %s %s %s : %s otype1:%s otype2:%s", cur_trans->name, state->out->p_type_val_to_name[i], @@ -1407,7 +1499,7 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r state->out->p_class_val_to_name[cur_trans->tclass - 1], state->out->p_type_val_to_name[cur_trans->otype - 1], state->out->p_type_val_to_name[mapped_otype - 1]); - + return -1; } cur_trans = cur_trans->next; @@ -1422,8 +1514,6 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r return -1; } memset(new_trans, 0, sizeof(*new_trans)); - new_trans->next = state->out->filename_trans; - state->out->filename_trans = new_trans; new_trans->name = strdup(cur_rule->name); if (!new_trans->name) { @@ -1434,9 +1524,16 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r new_trans->ttype = j + 1; new_trans->tclass = cur_rule->tclass; new_trans->otype = mapped_otype; + linear_probe_insert(&probe, i, new_trans); } } + cur_trans = linear_probe_dump(&probe, &end); + if (cur_trans != NULL) { + end->next = state->out->filename_trans; + state->out->filename_trans = cur_trans; + } + ebitmap_destroy(&stypes); ebitmap_destroy(&ttypes); @@ -2037,14 +2134,13 @@ static int ocontext_copy_xen(expand_state_t *state) else state->out->ocontexts[i] = n; l = n; + if (context_copy(&n->context[0], &c->context[0], + state)) { + ERR(state->handle, "Out of memory!"); + return -1; + } switch (i) { case OCON_XEN_ISID: - if (c->context[0].user == 0) { - ERR(state->handle, - "Missing context for %s initial sid", - c->u.name); - return -1; - } n->sid[0] = c->sid[0]; break; case OCON_XEN_PIRQ: @@ -2067,11 +2163,6 @@ static int ocontext_copy_xen(expand_state_t *state) ERR(state->handle, "Unknown ocontext"); return -1; } - if (context_copy(&n->context[0], &c->context[0], - state)) { - ERR(state->handle, "Out of memory!"); - return -1; - } } } return 0; @@ -2096,14 +2187,12 @@ static int ocontext_copy_selinux(expand_state_t *state) else state->out->ocontexts[i] = n; l = n; + if (context_copy(&n->context[0], &c->context[0], state)) { + ERR(state->handle, "Out of memory!"); + return -1; + } switch (i) { case OCON_ISID: - if (c->context[0].user == 0) { - ERR(state->handle, - "Missing context for %s initial sid", - c->u.name); - return -1; - } n->sid[0] = c->sid[0]; break; case OCON_FS: /* FALLTHROUGH */ @@ -2147,10 +2236,6 @@ static int ocontext_copy_selinux(expand_state_t *state) ERR(state->handle, "Unknown ocontext"); return -1; } - if (context_copy(&n->context[0], &c->context[0], state)) { - ERR(state->handle, "Out of memory!"); - return -1; - } } } return 0; diff --git a/libsepol/src/polcaps.c b/libsepol/src/polcaps.c index 43a71a7..7615a9b 100644 --- a/libsepol/src/polcaps.c +++ b/libsepol/src/polcaps.c @@ -8,7 +8,7 @@ static const char *polcap_names[] = { "network_peer_controls", /* POLICYDB_CAPABILITY_NETPEER */ "open_perms", /* POLICYDB_CAPABILITY_OPENPERM */ - "redhat1", /* POLICYDB_CAPABILITY_REDHAT1, aka ptrace_child */ + "ptrace_child", /* POLICYDB_CAPABILITY_PTRACE_CHILD */ "always_check_network", /* POLICYDB_CAPABILITY_ALWAYSNETWORK */ NULL }; diff --git a/libsepol/src/services.c b/libsepol/src/services.c index 9c2920c..096c28e 100644 --- a/libsepol/src/services.c +++ b/libsepol/src/services.c @@ -1,4 +1,3 @@ - /* * Author : Stephen Smalley, */ @@ -43,6 +42,8 @@ * Implementation of the security services. */ +#define REASON_BUF_SIZE 100000 + #include #include #include @@ -54,6 +55,7 @@ #include #include #include +#include #include "debug.h" #include "private.h" @@ -112,20 +114,223 @@ int sepol_set_policydb_from_file(FILE * fp) static uint32_t latest_granting = 0; /* - * Return the boolean value of a constraint expression - * when it is applied to the specified source and target + * Start of changes to support constraint reason failures. + */ + +/* + * get_names_list obtains the list of users, roles or types when expr + * has a names list. For 'types' only, find how many in the name list, and + * then the attributes associated to them (also count these). When + * complete take the list of attributes and find those whose count + * matches the number of types. The attributes in the final list will be + * the ones that need to have the type added to give access should this + * part of the expression fail (but which one - currently the only way + * is to check the policy source). + * + * The best way to solve this is for the compilers (checkpolicy and + * checkmodule) to add attributes to the constraint_expr_t structure + * (see constraint.h). The CIL compiler does add attribute names to + * constraint_expr_t->names, but the kernel does not translate them to + * types (i.e. the 30-04-12 version of the CIL compiler does not build + * the policy correctly). + * + * Note that the type_datum_t ->types (policydb.h) does not contain + * a list of types when inspecting a binary policy. This is only used + * in the *.pp modules. + */ +int get_names_list(const ebitmap_t * e, int type, char ** expr_buf) +{ + type_datum_t *t1 = NULL; + ebitmap_t *attr; + +#define MAX_ATTRS 400 + /* Hold the type attribute names and count of instances */ + struct attr_entries { + unsigned int entry; + int count; + } attr_info[MAX_ATTRS]; + + /* Various counters */ + int x, rc = 0; + unsigned int i, z; + + /* + * If an attribute is found in ->names then set to 1. Note this + * will only happen with the CIL compiler 30-Mar-2012 version) and + * is an error but we process anyway. + */ + int is_attr = 0; + + char tmp_buf[100]; + /* if ->names is 0, then output string */ + int empty_set = 0; + + /* The number of types in ->names */ + int type_count = 0; + + /* If no buffer set then just return. */ + if (!*expr_buf) + return 0; + + for (x = 0; x < MAX_ATTRS; x++) { + attr_info[x].entry = '\0'; + attr_info[x].count = '\0'; + } + + /* For type entries find how many entries so we can check attributes */ + if (type == CEXPR_TYPE) { + for (i = ebitmap_startbit(e); i < ebitmap_length(e); i++) { + if ((rc = ebitmap_get_bit(e, i)) == 0) + continue; + type_count++; + } + } + + /* + * Start the list of names where e = &e->names, except for types as + * a list of possible attributes will be given + */ + if (type != CEXPR_TYPE) + strncat(*expr_buf, "names-{ ", REASON_BUF_SIZE); + + for (i = ebitmap_startbit(e); i < ebitmap_length(e); i++) { + if ((rc = ebitmap_get_bit(e, i)) == 0) + continue; + + switch (type) { + case CEXPR_USER: + snprintf(tmp_buf, sizeof(tmp_buf), "%s ", policydb->p_user_val_to_name[i]); + strncat(*expr_buf, tmp_buf, REASON_BUF_SIZE); + break; + + case CEXPR_ROLE: + snprintf(tmp_buf, sizeof(tmp_buf), "%s ", policydb->p_role_val_to_name[i]); + strncat(*expr_buf, tmp_buf, REASON_BUF_SIZE); + break; + + case CEXPR_TYPE: +/* + * When checking a type for associated attributes, you can get a number + * of attributes, any one of which could be the one to update, for example: + * + * constrain process { transition noatsecure siginh rlimitinh } + * ( + * r1 == r2 + * or ( t1 == can_change_process_role and t2 == process_user_target ) + * or ( t1 == cron_source_domain and t2 == cron_job_domain ) + * or ( t1 == can_system_change and r2 == system_r ) + * or ( t1 == process_uncond_exempt ) + * ); + * + * for the 'targeted' policy it will yeld for "can_change_process_role" + * the following possible entries: can_change_process_role, + * nsswitch_domain or domain as each type that makes up + * "can_change_process_role" is also in the others. + * + * The "cron_source_domain" will give the largest amount of attributes + * as there is only one type (crond_t) but has 36 attribute associations. + */ + /* + * Get node for the type ID and if an attribute just add name, + * otherwise find the list of attrs associated to this type. + */ + t1 = policydb->type_val_to_struct[i]; + if (t1->flavor == TYPE_ATTRIB) { + is_attr = 1; + snprintf(tmp_buf, sizeof(tmp_buf), "%s ", policydb->p_type_val_to_name[i]); + strncat(*expr_buf, tmp_buf, REASON_BUF_SIZE); + break; + } else { + /* Don't add type names to buffer, only attributes */ + /* snprintf(tmp_buf, sizeof(tmp_buf), "%s ", policydb->p_type_val_to_name[i]); */ + /* strcat(*expr_buf, tmp_buf); */ + /* Process attributes attached to this type */ + attr = &policydb->type_attr_map[t1->s.value-1]; + + for (z = ebitmap_startbit(attr); z < ebitmap_length(attr); z++) { + if ((rc = ebitmap_get_bit(attr, z)) == 0) + continue; + t1 = policydb->type_val_to_struct[z]; + if (t1->flavor == TYPE_ATTRIB) { + x = 0; + while (x < MAX_ATTRS) { + if (attr_info[x].entry == z) { + attr_info[x].entry = z; + attr_info[x].count++; + break; + } + if (attr_info[x].entry == 0) { + attr_info[x].entry = z; + attr_info[x].count++; + break; + } + x++; + } + } + } + break; + } + break; + + default: + ERR(NULL, "Invalid u_r_t value: %d\n", type); + return -1; + break; + } + empty_set++; + } + + /* End processing entries, now check for attributes if CEXPR_TYPE. */ + if (empty_set == 0) { + strncat(*expr_buf, "", REASON_BUF_SIZE); + } else if (type == CEXPR_TYPE && is_attr == 0) { + strncat(*expr_buf, "# POSSIBLE_ATTRIBUTES:", REASON_BUF_SIZE); + for (x = 0; x < MAX_ATTRS; x++) { + if (attr_info[x].count == type_count) { + snprintf(tmp_buf, sizeof(tmp_buf), "%s ", + policydb->p_type_val_to_name[attr_info[x].entry]); + strncat(*expr_buf, tmp_buf, REASON_BUF_SIZE); + } + } + } + strncat(*expr_buf, "\n", REASON_BUF_SIZE); + return 0; +} + +static void msgcat(char **expr_buf, char *src, char *tgt, char *rel, int failed) { + char tmp_buf[1024]; + if (*expr_buf) { + if (failed) + snprintf(tmp_buf, sizeof(tmp_buf), "(%s %s %s -Fail-)\n", src, rel, tgt); + else + snprintf(tmp_buf, sizeof(tmp_buf), "(%s %s %s -Pass-)\n", src, rel, tgt); + strncat(*expr_buf, tmp_buf, REASON_BUF_SIZE); + } +} + +/* + * Modified version of constraint_expr_eval + * + * Return the boolean value of a constraint expression + * when it is applied to the specified source and target * security contexts. * * xcontext is a special beast... It is used by the validatetrans rules * only. For these rules, scontext is the context before the transition, * tcontext is the context after the transition, and xcontext is the context * of the process performing the transition. All other callers of - * constraint_expr_eval should pass in NULL for xcontext. + * constraint_expr_eval_reason should pass in NULL for xcontext. + * + * This function will also build a buffer as the constraint is processed + * for analysis. If this option is not required, then: + * 'tclass' should be '0' and expr_buf MUST be NULL. */ -static int constraint_expr_eval(context_struct_t * scontext, +static int constraint_expr_eval_reason(context_struct_t * scontext, context_struct_t * tcontext, context_struct_t * xcontext, - constraint_expr_t * cexpr) + sepol_security_class_t tclass, + constraint_node_t *constraint, + char ** expr_buf) { uint32_t val1, val2; context_struct_t *c; @@ -135,56 +340,112 @@ static int constraint_expr_eval(context_struct_t * scontext, int s[CEXPR_MAXDEPTH]; int sp = -1; - for (e = cexpr; e; e = e->next) { + char tmp_buf[1024]; + +/* + * Define the s_t_x_num values that make up r1, t2 etc. in text strings + * Set 1 = source, 2 = target, 3 = xcontext for validatetrans + */ +#define SOURCE 1 +#define TARGET 2 +#define XTARGET 3 + + int s_t_x_num = SOURCE; + int rc = 0; + /* Set 0 = fail, u = CEXPR_USER, r = CEXPR_ROLE, t = CEXPR_TYPE */ + int u_r_t = 0; + + char *name1, *name2; + char *src=NULL; + char *tgt=NULL; + + if (*expr_buf) { + /* Get constraint statement type */ + strncpy(tmp_buf, "constrain ", sizeof(tmp_buf)); + for (e = constraint->expr; e; e = e->next) { + if (e->attr >= CEXPR_L1L2) { + strncpy(tmp_buf, "mlsconstrain ", sizeof(tmp_buf)); + break; + } + } + strncat(*expr_buf, tmp_buf, REASON_BUF_SIZE); + + /* Get class entry */ + snprintf(tmp_buf, sizeof(tmp_buf), "%s ", policydb->p_class_val_to_name[tclass - 1]); + strncat(*expr_buf, tmp_buf, REASON_BUF_SIZE); + + /* Get permission entries from the constraint node. */ + snprintf(tmp_buf, sizeof(tmp_buf), "{%s } (", sepol_av_to_string(policydb, tclass, + constraint->permissions)); + strncat(*expr_buf, tmp_buf, REASON_BUF_SIZE); + } + + /* Original function but with buffer support */ + for (e = constraint->expr; e; e = e->next) { switch (e->expr_type) { case CEXPR_NOT: BUG_ON(sp < 0); s[sp] = !s[sp]; + if (*expr_buf) + strncat(*expr_buf, " not ", REASON_BUF_SIZE); break; case CEXPR_AND: BUG_ON(sp < 1); sp--; s[sp] &= s[sp + 1]; + if (*expr_buf) + strncat(*expr_buf, " and ", REASON_BUF_SIZE); break; case CEXPR_OR: BUG_ON(sp < 1); sp--; s[sp] |= s[sp + 1]; + if (*expr_buf) + strncat(*expr_buf, " or ", REASON_BUF_SIZE); break; case CEXPR_ATTR: if (sp == (CEXPR_MAXDEPTH - 1)) - return 0; + goto out; + switch (e->attr) { case CEXPR_USER: val1 = scontext->user; val2 = tcontext->user; + free(src); src = strdup("u1"); + free(tgt); tgt = strdup("u2"); break; case CEXPR_TYPE: val1 = scontext->type; val2 = tcontext->type; + free(src); src = strdup("t1"); + free(tgt); tgt = strdup("t2"); break; case CEXPR_ROLE: val1 = scontext->role; val2 = tcontext->role; r1 = policydb->role_val_to_struct[val1 - 1]; r2 = policydb->role_val_to_struct[val2 - 1]; + if (*expr_buf) { + name1 = policydb->p_role_val_to_name[r1->s.value - 1]; + name2 = policydb->p_role_val_to_name[r2->s.value - 1]; + snprintf(tmp_buf,sizeof(tmp_buf), "r1-%s", name1); + free(src); src = strdup(tmp_buf); + snprintf(tmp_buf,sizeof(tmp_buf), "r2-%s ", name2); + free(tgt); tgt = strdup(tmp_buf); + } switch (e->op) { case CEXPR_DOM: - s[++sp] = - ebitmap_get_bit(&r1->dominates, - val2 - 1); + s[++sp] = ebitmap_get_bit(&r1->dominates, val2 - 1); + msgcat(expr_buf, src, tgt, "dom", s[sp] == 0); continue; case CEXPR_DOMBY: - s[++sp] = - ebitmap_get_bit(&r2->dominates, - val1 - 1); + s[++sp] = ebitmap_get_bit(&r2->dominates, val1 - 1); + msgcat(expr_buf, src, tgt, "domby", s[sp] == 0); continue; case CEXPR_INCOMP: - s[++sp] = - (!ebitmap_get_bit - (&r1->dominates, val2 - 1) - && !ebitmap_get_bit(&r2->dominates, - val1 - 1)); + s[++sp] = (!ebitmap_get_bit(&r1->dominates, val2 - 1) + && !ebitmap_get_bit(&r2->dominates, val1 - 1)); + msgcat(expr_buf, src, tgt, "incomp", s[sp] == 0); continue; default: break; @@ -193,112 +454,203 @@ static int constraint_expr_eval(context_struct_t * scontext, case CEXPR_L1L2: l1 = &(scontext->range.level[0]); l2 = &(tcontext->range.level[0]); + free(src); src = strdup("l1"); + free(tgt); tgt = strdup("l2"); goto mls_ops; case CEXPR_L1H2: l1 = &(scontext->range.level[0]); l2 = &(tcontext->range.level[1]); + free(src); src = strdup("l1"); + free(tgt); tgt = strdup("h2"); goto mls_ops; case CEXPR_H1L2: l1 = &(scontext->range.level[1]); l2 = &(tcontext->range.level[0]); + free(src); src = strdup("h1"); + free(tgt); tgt = strdup("L2"); goto mls_ops; case CEXPR_H1H2: l1 = &(scontext->range.level[1]); l2 = &(tcontext->range.level[1]); + free(src); src = strdup("h1"); + free(tgt); tgt = strdup("h2"); goto mls_ops; case CEXPR_L1H1: l1 = &(scontext->range.level[0]); l2 = &(scontext->range.level[1]); + free(src); src = strdup("l1"); + free(tgt); tgt = strdup("h1"); goto mls_ops; case CEXPR_L2H2: l1 = &(tcontext->range.level[0]); l2 = &(tcontext->range.level[1]); - goto mls_ops; - mls_ops: + free(src); src = strdup("l2"); + free(tgt); tgt = strdup("h2"); + mls_ops: switch (e->op) { case CEXPR_EQ: s[++sp] = mls_level_eq(l1, l2); + msgcat(expr_buf, src, tgt, "eq", s[sp] == 0); continue; case CEXPR_NEQ: s[++sp] = !mls_level_eq(l1, l2); + msgcat(expr_buf, src, tgt, "neq", s[sp] == 0); continue; case CEXPR_DOM: s[++sp] = mls_level_dom(l1, l2); + msgcat(expr_buf, src, tgt, "dom", s[sp] == 0); continue; case CEXPR_DOMBY: s[++sp] = mls_level_dom(l2, l1); + msgcat(expr_buf, src, tgt, "domby", s[sp] == 0); continue; case CEXPR_INCOMP: s[++sp] = mls_level_incomp(l2, l1); + msgcat(expr_buf, src, tgt, "incomp", s[sp] == 0); continue; default: BUG(); - return 0; + goto out; } break; default: BUG(); - return 0; + goto out; } switch (e->op) { case CEXPR_EQ: s[++sp] = (val1 == val2); + msgcat(expr_buf, src, tgt, "eq", s[sp] == 0); break; case CEXPR_NEQ: s[++sp] = (val1 != val2); + msgcat(expr_buf, src, tgt, "neq", s[sp] == 0); break; default: BUG(); - return 0; + goto out; } break; case CEXPR_NAMES: if (sp == (CEXPR_MAXDEPTH - 1)) - return 0; + goto out; + s_t_x_num = SOURCE; c = scontext; - if (e->attr & CEXPR_TARGET) + if (e->attr & CEXPR_TARGET) { + s_t_x_num = TARGET; c = tcontext; - else if (e->attr & CEXPR_XTARGET) { + } else if (e->attr & CEXPR_XTARGET) { + s_t_x_num = XTARGET; c = xcontext; - if (!c) { - BUG(); - return 0; - } } - if (e->attr & CEXPR_USER) + if (!c) { + BUG(); + goto out; + } + if (e->attr & CEXPR_USER) { + u_r_t = CEXPR_USER; val1 = c->user; - else if (e->attr & CEXPR_ROLE) + if (*expr_buf) { + name1 = policydb->p_user_val_to_name[val1 - 1]; + snprintf(tmp_buf,sizeof(tmp_buf), "u%d=%s ", s_t_x_num, name1); + free(src); src = strdup(tmp_buf); + } + } + else if (e->attr & CEXPR_ROLE) { + u_r_t = CEXPR_ROLE; val1 = c->role; - else if (e->attr & CEXPR_TYPE) + if (*expr_buf) { + name1 = policydb->p_role_val_to_name[val1 - 1]; + snprintf(tmp_buf,sizeof(tmp_buf), "r%d=%s ", s_t_x_num, name1); + free(src); src = strdup(tmp_buf); + } + } + else if (e->attr & CEXPR_TYPE) { + u_r_t = CEXPR_TYPE; val1 = c->type; + if (*expr_buf) { + name1 = policydb->p_type_val_to_name[val1 - 1]; + snprintf(tmp_buf,sizeof(tmp_buf), "t%d=%s ", s_t_x_num, name1); + free(src); src = strdup(tmp_buf); + } + } else { BUG(); - return 0; + goto out; } switch (e->op) { case CEXPR_EQ: + switch (u_r_t) { + case CEXPR_USER: + name1 = policydb->p_user_val_to_name[val1 - 1]; + break; + case CEXPR_ROLE: + name1 = policydb->p_role_val_to_name[val1 - 1]; + break; + case CEXPR_TYPE: + name1 = policydb->p_type_val_to_name[val1 - 1]; + break; + default: + name1 = NULL; + ERR(NULL, "unrecognized u_r_t Value: %d", u_r_t); + break; + } + s[++sp] = ebitmap_get_bit(&e->names, val1 - 1); + free(tgt); tgt=strdup("ATTRIBUTE"); + msgcat(expr_buf, src, tgt, "neq", s[sp] == 0); + if (s[sp] == 0) { + get_names_list(&e->names, u_r_t, expr_buf); + } break; + case CEXPR_NEQ: + switch (u_r_t) { + case CEXPR_USER: + name1 = policydb->p_user_val_to_name[val1 - 1]; + break; + case CEXPR_ROLE: + name1 = policydb->p_role_val_to_name[val1 - 1]; + break; + case CEXPR_TYPE: + name1 = policydb->p_type_val_to_name[val1 - 1]; + break; + default: + name1 = NULL; + ERR(NULL, "unrecognized u_r_t Value: %d", u_r_t); + break; + } + s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1); + free(tgt); tgt=strdup("ATTRIBUTE"); + msgcat(expr_buf, src, tgt, "neq", s[sp] == 0); + get_names_list(&e->names, u_r_t, expr_buf); break; default: BUG(); - return 0; + goto out; } break; default: BUG(); - return 0; + goto out; } } + if (*expr_buf) + strncat(*expr_buf, ")", REASON_BUF_SIZE); + rc = s[0]; + +out: + free(src); + free(tgt); BUG_ON(sp != 0); - return s[0]; + return rc; } + /* * Compute access vectors based on a context structure pair for * the permissions in a particular class. @@ -308,7 +660,8 @@ static int context_struct_compute_av(context_struct_t * scontext, sepol_security_class_t tclass, sepol_access_vector_t requested, struct sepol_av_decision *avd, - unsigned int *reason) + unsigned int *reason, + char *expr_buf) { constraint_node_t *constraint; struct role_allow *ra; @@ -383,8 +736,8 @@ static int context_struct_compute_av(context_struct_t * scontext, constraint = tclass_datum->constraints; while (constraint) { if ((constraint->permissions & (avd->allowed)) && - !constraint_expr_eval(scontext, tcontext, NULL, - constraint->expr)) { + !constraint_expr_eval_reason(scontext, tcontext, NULL, + tclass, constraint, &expr_buf)) { avd->allowed = (avd->allowed) & ~(constraint->permissions); } @@ -459,8 +812,8 @@ int hidden sepol_validate_transition(sepol_security_id_t oldsid, constraint = tclass_datum->validatetrans; while (constraint) { - if (!constraint_expr_eval(ocontext, ncontext, tcontext, - constraint->expr)) { + if (!constraint_expr_eval_reason(ocontext, ncontext, tcontext, + 0, constraint, NULL)) { return -EPERM; } constraint = constraint->next; @@ -493,11 +846,57 @@ int hidden sepol_compute_av_reason(sepol_security_id_t ssid, } rc = context_struct_compute_av(scontext, tcontext, tclass, - requested, avd, reason); + requested, avd, reason, NULL); out: return rc; } +/* + * sepol_compute_av_reason_buffer - the reason buffer is malloc'd + * to REASON_BUF_SIZE that seems okay for the Reference Policy. + * TODO manage size using realloc at some stage. + */ +int hidden sepol_compute_av_reason_buffer(sepol_security_id_t ssid, + sepol_security_id_t tsid, + sepol_security_class_t tclass, + sepol_access_vector_t requested, + struct sepol_av_decision *avd, + unsigned int *reason, + char **reason_buf) +{ + char *expr_buf = NULL; + + expr_buf = malloc(REASON_BUF_SIZE); + if (!expr_buf) { + ERR(NULL, "malloc failed to allocate constraint reason buffer"); + return -ENOMEM; + } + bzero(expr_buf, REASON_BUF_SIZE); + + context_struct_t *scontext = 0, *tcontext = 0; + int rc = 0; + + scontext = sepol_sidtab_search(sidtab, ssid); + if (!scontext) { + ERR(NULL, "unrecognized SID %d", ssid); + rc = -EINVAL; + goto out; + } + tcontext = sepol_sidtab_search(sidtab, tsid); + if (!tcontext) { + ERR(NULL, "unrecognized SID %d", tsid); + rc = -EINVAL; + goto out; + } + + rc = context_struct_compute_av(scontext, tcontext, tclass, + requested, avd, reason, expr_buf); + *reason_buf = expr_buf; + + out: + return rc; +} + int hidden sepol_compute_av(sepol_security_id_t ssid, sepol_security_id_t tsid, sepol_security_class_t tclass, @@ -510,6 +909,66 @@ int hidden sepol_compute_av(sepol_security_id_t ssid, } /* + * Return a class ID associated with the class string specified by + * class_name. + */ +int hidden sepol_class_name_to_id(const char *class_name, + sepol_security_class_t *tclass) +{ + char *class = NULL; + sepol_security_class_t id; + + for (id = 1; ; id++) { + if ((class = policydb->p_class_val_to_name[id - 1]) == NULL) { + ERR(NULL, "could not convert %s to class id", class_name); + return STATUS_ERR; + } + if ((strcmp(class, class_name)) == 0) { + *tclass = id; + return STATUS_SUCCESS; + } + } +} + +/* + * Return access vector bit associated with the class ID and permission + * string. + */ +int hidden sepol_perm_name_to_av(sepol_security_class_t tclass, + const char *perm_name, + sepol_access_vector_t *av) +{ + class_datum_t *tclass_datum; + perm_datum_t *perm_datum; + + if (!tclass || tclass > policydb->p_classes.nprim) { + ERR(NULL, "unrecognized class %d", tclass); + return -EINVAL; + } + tclass_datum = policydb->class_val_to_struct[tclass - 1]; + + /* Check for unique perms then the common ones */ + perm_datum = (perm_datum_t *) + hashtab_search(tclass_datum->permissions.table, + (hashtab_key_t)perm_name); + if (perm_datum != NULL) { + *av = 0x1 << (perm_datum->s.value - 1); + return STATUS_SUCCESS; + } + + perm_datum = (perm_datum_t *) + hashtab_search(tclass_datum->comdatum->permissions.table, + (hashtab_key_t)perm_name); + if (perm_datum != NULL) { + *av = 0x1 << (perm_datum->s.value - 1); + return STATUS_SUCCESS; + } + + ERR(NULL, "could not convert %s to av bit", perm_name); + return STATUS_ERR; +} + +/* * Write the security context string representation of * the context associated with `sid' into a dynamically * allocated string of the correct size. Set `*scontext' @@ -1337,7 +1796,7 @@ int hidden sepol_get_user_sids(sepol_security_id_t fromsid, rc = context_struct_compute_av(fromcon, &usercon, SECCLASS_PROCESS, PROCESS__TRANSITION, - &avd, &reason); + &avd, &reason, NULL); if (rc || !(avd.allowed & PROCESS__TRANSITION)) continue; rc = sepol_sidtab_context_to_sid(sidtab, &usercon,