^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1) // SPDX-License-Identifier: GPL-2.0
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3) * Implementation of the SID table type.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5) * Original author: Stephen Smalley, <sds@tycho.nsa.gov>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6) * Author: Ondrej Mosnacek, <omosnacek@gmail.com>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 7) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 8) * Copyright (C) 2018 Red Hat, Inc.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 9) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10) #include <linux/errno.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 11) #include <linux/kernel.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 12) #include <linux/list.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13) #include <linux/rcupdate.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14) #include <linux/slab.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 15) #include <linux/sched.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 16) #include <linux/spinlock.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 17) #include <asm/barrier.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 18) #include "flask.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 19) #include "security.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 20) #include "sidtab.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 21)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 22) struct sidtab_str_cache {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 23) struct rcu_head rcu_member;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 24) struct list_head lru_member;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 25) struct sidtab_entry *parent;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 26) u32 len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 27) char str[];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 28) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 29)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 30) #define index_to_sid(index) (index + SECINITSID_NUM + 1)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 31) #define sid_to_index(sid) (sid - (SECINITSID_NUM + 1))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 32)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 33) int sidtab_init(struct sidtab *s)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 34) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 35) u32 i;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 36)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 37) memset(s->roots, 0, sizeof(s->roots));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 38)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 39) for (i = 0; i < SECINITSID_NUM; i++)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 40) s->isids[i].set = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 41)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 42) s->frozen = false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 43) s->count = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 44) s->convert = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 45) hash_init(s->context_to_sid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 46)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 47) spin_lock_init(&s->lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 48)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 49) #if CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE > 0
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 50) s->cache_free_slots = CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 51) INIT_LIST_HEAD(&s->cache_lru_list);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 52) spin_lock_init(&s->cache_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 53) #endif
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 54)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 55) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 56) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 57)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 58) static u32 context_to_sid(struct sidtab *s, struct context *context, u32 hash)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 59) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 60) struct sidtab_entry *entry;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 61) u32 sid = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 62)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 63) rcu_read_lock();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 64) hash_for_each_possible_rcu(s->context_to_sid, entry, list, hash) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 65) if (entry->hash != hash)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 66) continue;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 67) if (context_cmp(&entry->context, context)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 68) sid = entry->sid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 69) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 70) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 71) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 72) rcu_read_unlock();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 73) return sid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 74) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 75)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 76) int sidtab_set_initial(struct sidtab *s, u32 sid, struct context *context)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 77) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 78) struct sidtab_isid_entry *isid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 79) u32 hash;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 80) int rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 81)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 82) if (sid == 0 || sid > SECINITSID_NUM)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 83) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 84)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 85) isid = &s->isids[sid - 1];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 86)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 87) rc = context_cpy(&isid->entry.context, context);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 88) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 89) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 90)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 91) #if CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE > 0
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 92) isid->entry.cache = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 93) #endif
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 94) isid->set = 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 95)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 96) hash = context_compute_hash(context);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 97)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 98) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 99) * Multiple initial sids may map to the same context. Check that this
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 100) * context is not already represented in the context_to_sid hashtable
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 101) * to avoid duplicate entries and long linked lists upon hash
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 102) * collision.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 103) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 104) if (!context_to_sid(s, context, hash)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 105) isid->entry.sid = sid;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 106) isid->entry.hash = hash;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 107) hash_add(s->context_to_sid, &isid->entry.list, hash);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 108) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 109)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 110) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 111) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 112)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 113) int sidtab_hash_stats(struct sidtab *sidtab, char *page)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 114) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 115) int i;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 116) int chain_len = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 117) int slots_used = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 118) int entries = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 119) int max_chain_len = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 120) int cur_bucket = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 121) struct sidtab_entry *entry;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 122)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 123) rcu_read_lock();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 124) hash_for_each_rcu(sidtab->context_to_sid, i, entry, list) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 125) entries++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 126) if (i == cur_bucket) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 127) chain_len++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 128) if (chain_len == 1)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 129) slots_used++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 130) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 131) cur_bucket = i;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 132) if (chain_len > max_chain_len)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 133) max_chain_len = chain_len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 134) chain_len = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 135) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 136) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 137) rcu_read_unlock();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 138)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 139) if (chain_len > max_chain_len)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 140) max_chain_len = chain_len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 141)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 142) return scnprintf(page, PAGE_SIZE, "entries: %d\nbuckets used: %d/%d\n"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 143) "longest chain: %d\n", entries,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 144) slots_used, SIDTAB_HASH_BUCKETS, max_chain_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 145) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 146)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 147) static u32 sidtab_level_from_count(u32 count)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 148) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 149) u32 capacity = SIDTAB_LEAF_ENTRIES;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 150) u32 level = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 151)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 152) while (count > capacity) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 153) capacity <<= SIDTAB_INNER_SHIFT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 154) ++level;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 155) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 156) return level;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 157) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 158)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 159) static int sidtab_alloc_roots(struct sidtab *s, u32 level)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 160) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 161) u32 l;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 162)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 163) if (!s->roots[0].ptr_leaf) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 164) s->roots[0].ptr_leaf = kzalloc(SIDTAB_NODE_ALLOC_SIZE,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 165) GFP_ATOMIC);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 166) if (!s->roots[0].ptr_leaf)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 167) return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 168) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 169) for (l = 1; l <= level; ++l)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 170) if (!s->roots[l].ptr_inner) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 171) s->roots[l].ptr_inner = kzalloc(SIDTAB_NODE_ALLOC_SIZE,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 172) GFP_ATOMIC);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 173) if (!s->roots[l].ptr_inner)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 174) return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 175) s->roots[l].ptr_inner->entries[0] = s->roots[l - 1];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 176) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 177) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 178) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 179)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 180) static struct sidtab_entry *sidtab_do_lookup(struct sidtab *s, u32 index,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 181) int alloc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 182) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 183) union sidtab_entry_inner *entry;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 184) u32 level, capacity_shift, leaf_index = index / SIDTAB_LEAF_ENTRIES;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 185)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 186) /* find the level of the subtree we need */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 187) level = sidtab_level_from_count(index + 1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 188) capacity_shift = level * SIDTAB_INNER_SHIFT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 189)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 190) /* allocate roots if needed */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 191) if (alloc && sidtab_alloc_roots(s, level) != 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 192) return NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 193)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 194) /* lookup inside the subtree */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 195) entry = &s->roots[level];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 196) while (level != 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 197) capacity_shift -= SIDTAB_INNER_SHIFT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 198) --level;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 199)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 200) entry = &entry->ptr_inner->entries[leaf_index >> capacity_shift];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 201) leaf_index &= ((u32)1 << capacity_shift) - 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 202)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 203) if (!entry->ptr_inner) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 204) if (alloc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 205) entry->ptr_inner = kzalloc(SIDTAB_NODE_ALLOC_SIZE,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 206) GFP_ATOMIC);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 207) if (!entry->ptr_inner)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 208) return NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 209) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 210) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 211) if (!entry->ptr_leaf) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 212) if (alloc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 213) entry->ptr_leaf = kzalloc(SIDTAB_NODE_ALLOC_SIZE,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 214) GFP_ATOMIC);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 215) if (!entry->ptr_leaf)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 216) return NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 217) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 218) return &entry->ptr_leaf->entries[index % SIDTAB_LEAF_ENTRIES];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 219) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 220)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 221) static struct sidtab_entry *sidtab_lookup(struct sidtab *s, u32 index)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 222) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 223) /* read entries only after reading count */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 224) u32 count = smp_load_acquire(&s->count);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 225)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 226) if (index >= count)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 227) return NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 228)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 229) return sidtab_do_lookup(s, index, 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 230) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 231)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 232) static struct sidtab_entry *sidtab_lookup_initial(struct sidtab *s, u32 sid)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 233) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 234) return s->isids[sid - 1].set ? &s->isids[sid - 1].entry : NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 235) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 236)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 237) static struct sidtab_entry *sidtab_search_core(struct sidtab *s, u32 sid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 238) int force)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 239) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 240) if (sid != 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 241) struct sidtab_entry *entry;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 242)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 243) if (sid > SECINITSID_NUM)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 244) entry = sidtab_lookup(s, sid_to_index(sid));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 245) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 246) entry = sidtab_lookup_initial(s, sid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 247) if (entry && (!entry->context.len || force))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 248) return entry;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 249) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 250)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 251) return sidtab_lookup_initial(s, SECINITSID_UNLABELED);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 252) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 253)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 254) struct sidtab_entry *sidtab_search_entry(struct sidtab *s, u32 sid)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 255) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 256) return sidtab_search_core(s, sid, 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 257) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 258)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 259) struct sidtab_entry *sidtab_search_entry_force(struct sidtab *s, u32 sid)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 260) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 261) return sidtab_search_core(s, sid, 1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 262) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 263)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 264) int sidtab_context_to_sid(struct sidtab *s, struct context *context,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 265) u32 *sid)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 266) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 267) unsigned long flags;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 268) u32 count, hash = context_compute_hash(context);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 269) struct sidtab_convert_params *convert;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 270) struct sidtab_entry *dst, *dst_convert;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 271) int rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 272)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 273) *sid = context_to_sid(s, context, hash);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 274) if (*sid)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 275) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 276)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 277) /* lock-free search failed: lock, re-search, and insert if not found */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 278) spin_lock_irqsave(&s->lock, flags);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 279)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 280) rc = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 281) *sid = context_to_sid(s, context, hash);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 282) if (*sid)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 283) goto out_unlock;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 284)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 285) if (unlikely(s->frozen)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 286) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 287) * This sidtab is now frozen - tell the caller to abort and
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 288) * get the new one.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 289) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 290) rc = -ESTALE;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 291) goto out_unlock;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 292) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 293)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 294) count = s->count;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 295) convert = s->convert;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 296)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 297) /* bail out if we already reached max entries */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 298) rc = -EOVERFLOW;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 299) if (count >= SIDTAB_MAX)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 300) goto out_unlock;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 301)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 302) /* insert context into new entry */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 303) rc = -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 304) dst = sidtab_do_lookup(s, count, 1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 305) if (!dst)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 306) goto out_unlock;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 307)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 308) dst->sid = index_to_sid(count);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 309) dst->hash = hash;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 310)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 311) rc = context_cpy(&dst->context, context);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 312) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 313) goto out_unlock;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 314)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 315) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 316) * if we are building a new sidtab, we need to convert the context
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 317) * and insert it there as well
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 318) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 319) if (convert) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 320) rc = -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 321) dst_convert = sidtab_do_lookup(convert->target, count, 1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 322) if (!dst_convert) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 323) context_destroy(&dst->context);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 324) goto out_unlock;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 325) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 326)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 327) rc = convert->func(context, &dst_convert->context,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 328) convert->args);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 329) if (rc) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 330) context_destroy(&dst->context);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 331) goto out_unlock;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 332) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 333) dst_convert->sid = index_to_sid(count);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 334) dst_convert->hash = context_compute_hash(&dst_convert->context);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 335) convert->target->count = count + 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 336)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 337) hash_add_rcu(convert->target->context_to_sid,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 338) &dst_convert->list, dst_convert->hash);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 339) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 340)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 341) if (context->len)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 342) pr_info("SELinux: Context %s is not valid (left unmapped).\n",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 343) context->str);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 344)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 345) *sid = index_to_sid(count);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 346)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 347) /* write entries before updating count */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 348) smp_store_release(&s->count, count + 1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 349) hash_add_rcu(s->context_to_sid, &dst->list, dst->hash);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 350)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 351) rc = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 352) out_unlock:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 353) spin_unlock_irqrestore(&s->lock, flags);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 354) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 355) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 356)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 357) static void sidtab_convert_hashtable(struct sidtab *s, u32 count)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 358) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 359) struct sidtab_entry *entry;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 360) u32 i;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 361)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 362) for (i = 0; i < count; i++) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 363) entry = sidtab_do_lookup(s, i, 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 364) entry->sid = index_to_sid(i);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 365) entry->hash = context_compute_hash(&entry->context);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 366)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 367) hash_add_rcu(s->context_to_sid, &entry->list, entry->hash);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 368) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 369) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 370)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 371) static int sidtab_convert_tree(union sidtab_entry_inner *edst,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 372) union sidtab_entry_inner *esrc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 373) u32 *pos, u32 count, u32 level,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 374) struct sidtab_convert_params *convert)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 375) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 376) int rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 377) u32 i;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 378)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 379) if (level != 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 380) if (!edst->ptr_inner) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 381) edst->ptr_inner = kzalloc(SIDTAB_NODE_ALLOC_SIZE,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 382) GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 383) if (!edst->ptr_inner)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 384) return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 385) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 386) i = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 387) while (i < SIDTAB_INNER_ENTRIES && *pos < count) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 388) rc = sidtab_convert_tree(&edst->ptr_inner->entries[i],
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 389) &esrc->ptr_inner->entries[i],
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 390) pos, count, level - 1,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 391) convert);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 392) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 393) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 394) i++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 395) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 396) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 397) if (!edst->ptr_leaf) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 398) edst->ptr_leaf = kzalloc(SIDTAB_NODE_ALLOC_SIZE,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 399) GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 400) if (!edst->ptr_leaf)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 401) return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 402) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 403) i = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 404) while (i < SIDTAB_LEAF_ENTRIES && *pos < count) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 405) rc = convert->func(&esrc->ptr_leaf->entries[i].context,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 406) &edst->ptr_leaf->entries[i].context,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 407) convert->args);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 408) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 409) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 410) (*pos)++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 411) i++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 412) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 413) cond_resched();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 414) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 415) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 416) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 417)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 418) int sidtab_convert(struct sidtab *s, struct sidtab_convert_params *params)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 419) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 420) unsigned long flags;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 421) u32 count, level, pos;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 422) int rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 423)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 424) spin_lock_irqsave(&s->lock, flags);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 425)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 426) /* concurrent policy loads are not allowed */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 427) if (s->convert) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 428) spin_unlock_irqrestore(&s->lock, flags);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 429) return -EBUSY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 430) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 431)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 432) count = s->count;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 433) level = sidtab_level_from_count(count);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 434)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 435) /* allocate last leaf in the new sidtab (to avoid race with
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 436) * live convert)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 437) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 438) rc = sidtab_do_lookup(params->target, count - 1, 1) ? 0 : -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 439) if (rc) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 440) spin_unlock_irqrestore(&s->lock, flags);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 441) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 442) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 443)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 444) /* set count in case no new entries are added during conversion */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 445) params->target->count = count;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 446)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 447) /* enable live convert of new entries */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 448) s->convert = params;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 449)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 450) /* we can safely convert the tree outside the lock */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 451) spin_unlock_irqrestore(&s->lock, flags);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 452)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 453) pr_info("SELinux: Converting %u SID table entries...\n", count);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 454)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 455) /* convert all entries not covered by live convert */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 456) pos = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 457) rc = sidtab_convert_tree(¶ms->target->roots[level],
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 458) &s->roots[level], &pos, count, level, params);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 459) if (rc) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 460) /* we need to keep the old table - disable live convert */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 461) spin_lock_irqsave(&s->lock, flags);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 462) s->convert = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 463) spin_unlock_irqrestore(&s->lock, flags);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 464) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 465) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 466) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 467) * The hashtable can also be modified in sidtab_context_to_sid()
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 468) * so we must re-acquire the lock here.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 469) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 470) spin_lock_irqsave(&s->lock, flags);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 471) sidtab_convert_hashtable(params->target, count);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 472) spin_unlock_irqrestore(&s->lock, flags);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 473)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 474) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 475) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 476)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 477) void sidtab_cancel_convert(struct sidtab *s)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 478) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 479) unsigned long flags;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 480)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 481) /* cancelling policy load - disable live convert of sidtab */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 482) spin_lock_irqsave(&s->lock, flags);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 483) s->convert = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 484) spin_unlock_irqrestore(&s->lock, flags);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 485) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 486)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 487) void sidtab_freeze_begin(struct sidtab *s, unsigned long *flags) __acquires(&s->lock)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 488) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 489) spin_lock_irqsave(&s->lock, *flags);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 490) s->frozen = true;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 491) s->convert = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 492) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 493) void sidtab_freeze_end(struct sidtab *s, unsigned long *flags) __releases(&s->lock)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 494) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 495) spin_unlock_irqrestore(&s->lock, *flags);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 496) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 497)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 498) static void sidtab_destroy_entry(struct sidtab_entry *entry)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 499) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 500) context_destroy(&entry->context);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 501) #if CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE > 0
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 502) kfree(rcu_dereference_raw(entry->cache));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 503) #endif
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 504) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 505)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 506) static void sidtab_destroy_tree(union sidtab_entry_inner entry, u32 level)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 507) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 508) u32 i;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 509)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 510) if (level != 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 511) struct sidtab_node_inner *node = entry.ptr_inner;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 512)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 513) if (!node)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 514) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 515)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 516) for (i = 0; i < SIDTAB_INNER_ENTRIES; i++)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 517) sidtab_destroy_tree(node->entries[i], level - 1);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 518) kfree(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 519) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 520) struct sidtab_node_leaf *node = entry.ptr_leaf;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 521)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 522) if (!node)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 523) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 524)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 525) for (i = 0; i < SIDTAB_LEAF_ENTRIES; i++)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 526) sidtab_destroy_entry(&node->entries[i]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 527) kfree(node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 528) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 529) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 530)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 531) void sidtab_destroy(struct sidtab *s)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 532) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 533) u32 i, level;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 534)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 535) for (i = 0; i < SECINITSID_NUM; i++)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 536) if (s->isids[i].set)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 537) sidtab_destroy_entry(&s->isids[i].entry);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 538)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 539) level = SIDTAB_MAX_LEVEL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 540) while (level && !s->roots[level].ptr_inner)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 541) --level;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 542)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 543) sidtab_destroy_tree(s->roots[level], level);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 544) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 545) * The context_to_sid hashtable's objects are all shared
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 546) * with the isids array and context tree, and so don't need
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 547) * to be cleaned up here.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 548) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 549) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 550)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 551) #if CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE > 0
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 552)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 553) void sidtab_sid2str_put(struct sidtab *s, struct sidtab_entry *entry,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 554) const char *str, u32 str_len)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 555) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 556) struct sidtab_str_cache *cache, *victim = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 557) unsigned long flags;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 558)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 559) /* do not cache invalid contexts */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 560) if (entry->context.len)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 561) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 562)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 563) spin_lock_irqsave(&s->cache_lock, flags);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 564)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 565) cache = rcu_dereference_protected(entry->cache,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 566) lockdep_is_held(&s->cache_lock));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 567) if (cache) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 568) /* entry in cache - just bump to the head of LRU list */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 569) list_move(&cache->lru_member, &s->cache_lru_list);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 570) goto out_unlock;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 571) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 572)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 573) cache = kmalloc(sizeof(struct sidtab_str_cache) + str_len, GFP_ATOMIC);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 574) if (!cache)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 575) goto out_unlock;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 576)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 577) if (s->cache_free_slots == 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 578) /* pop a cache entry from the tail and free it */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 579) victim = container_of(s->cache_lru_list.prev,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 580) struct sidtab_str_cache, lru_member);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 581) list_del(&victim->lru_member);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 582) rcu_assign_pointer(victim->parent->cache, NULL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 583) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 584) s->cache_free_slots--;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 585) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 586) cache->parent = entry;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 587) cache->len = str_len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 588) memcpy(cache->str, str, str_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 589) list_add(&cache->lru_member, &s->cache_lru_list);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 590)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 591) rcu_assign_pointer(entry->cache, cache);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 592)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 593) out_unlock:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 594) spin_unlock_irqrestore(&s->cache_lock, flags);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 595) kfree_rcu(victim, rcu_member);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 596) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 597)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 598) int sidtab_sid2str_get(struct sidtab *s, struct sidtab_entry *entry,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 599) char **out, u32 *out_len)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 600) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 601) struct sidtab_str_cache *cache;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 602) int rc = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 603)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 604) if (entry->context.len)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 605) return -ENOENT; /* do not cache invalid contexts */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 606)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 607) rcu_read_lock();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 608)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 609) cache = rcu_dereference(entry->cache);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 610) if (!cache) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 611) rc = -ENOENT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 612) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 613) *out_len = cache->len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 614) if (out) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 615) *out = kmemdup(cache->str, cache->len, GFP_ATOMIC);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 616) if (!*out)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 617) rc = -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 618) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 619) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 620)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 621) rcu_read_unlock();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 622)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 623) if (!rc && out)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 624) sidtab_sid2str_put(s, entry, *out, *out_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 625) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 626) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 627)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 628) #endif /* CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE > 0 */
Orange Pi5 kernel
Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards
3 Commits
0 Branches
0 Tags