1 // SPDX-License-Identifier: GPL-2.0
3 * Implementation of the multi-level security (MLS) policy.
12 * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
15 * Updated: Hewlett-Packard <paul@paul-moore.com>
19 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
43 if (!p->mls_enabled) in mls_compute_context_len()
48 int index_sens = context->range.level[l].sens; in mls_compute_context_len()
49 len += strlen(sym_name(p, SYM_LEVELS, index_sens - 1)); in mls_compute_context_len()
52 head = -2; in mls_compute_context_len()
53 prev = -2; in mls_compute_context_len()
54 e = &context->range.level[l].cat; in mls_compute_context_len()
56 if (i - prev > 1) { in mls_compute_context_len()
73 if (mls_level_eq(&context->range.level[0], in mls_compute_context_len()
74 &context->range.level[1])) in mls_compute_context_len()
98 if (!p->mls_enabled) in mls_sid_to_context()
108 context->range.level[l].sens - 1)); in mls_sid_to_context()
112 head = -2; in mls_sid_to_context()
113 prev = -2; in mls_sid_to_context()
114 e = &context->range.level[l].cat; in mls_sid_to_context()
116 if (i - prev > 1) { in mls_sid_to_context()
119 if (prev - head > 1) in mls_sid_to_context()
140 if (prev - head > 1) in mls_sid_to_context()
150 if (mls_level_eq(&context->range.level[0], in mls_sid_to_context()
151 &context->range.level[1])) in mls_sid_to_context()
154 *scontextp++ = '-'; in mls_sid_to_context()
165 if (!l->sens || l->sens > p->p_levels.nprim) in mls_level_isvalid()
167 levdatum = symtab_search(&p->p_levels, in mls_level_isvalid()
168 sym_name(p, SYM_LEVELS, l->sens - 1)); in mls_level_isvalid()
173 * Return 1 iff all the bits set in l->cat are also set in in mls_level_isvalid()
174 * levdatum->level->cat and no bit in l->cat is larger than in mls_level_isvalid()
175 * p->p_cats.nprim. in mls_level_isvalid()
177 return ebitmap_contains(&levdatum->level->cat, &l->cat, in mls_level_isvalid()
178 p->p_cats.nprim); in mls_level_isvalid()
183 return (mls_level_isvalid(p, &r->level[0]) && in mls_range_isvalid()
184 mls_level_isvalid(p, &r->level[1]) && in mls_range_isvalid()
185 mls_level_dom(&r->level[1], &r->level[0])); in mls_range_isvalid()
196 if (!p->mls_enabled) in mls_context_isvalid()
199 if (!mls_range_isvalid(p, &c->range)) in mls_context_isvalid()
202 if (c->role == OBJECT_R_VAL) in mls_context_isvalid()
206 * User must be authorized for the MLS range. in mls_context_isvalid()
208 if (!c->user || c->user > p->p_users.nprim) in mls_context_isvalid()
210 usrdatum = p->user_val_to_struct[c->user - 1]; in mls_context_isvalid()
211 if (!mls_range_contains(usrdatum->range, c->range)) in mls_context_isvalid()
212 return 0; /* user may not be associated with range */ in mls_context_isvalid()
230 * Policy read-lock must be held for sidtab lookup.
246 if (!pol->mls_enabled) { in mls_context_to_sid()
248 * With no MLS, only return -EINVAL if there is a MLS field in mls_context_to_sid()
252 return -EINVAL; in mls_context_to_sid()
264 return -EINVAL; in mls_context_to_sid()
268 return -EINVAL; in mls_context_to_sid()
278 rangep[1] = strchr(scontext, '-'); in mls_context_to_sid()
295 levdatum = symtab_search(&pol->p_levels, sensitivity); in mls_context_to_sid()
297 return -EINVAL; in mls_context_to_sid()
298 context->range.level[l].sens = levdatum->level->sens; in mls_context_to_sid()
314 catdatum = symtab_search(&pol->p_cats, cur_cat); in mls_context_to_sid()
316 return -EINVAL; in mls_context_to_sid()
318 rc = ebitmap_set_bit(&context->range.level[l].cat, in mls_context_to_sid()
319 catdatum->value - 1, 1); in mls_context_to_sid()
327 rngdatum = symtab_search(&pol->p_cats, rngptr); in mls_context_to_sid()
329 return -EINVAL; in mls_context_to_sid()
331 if (catdatum->value >= rngdatum->value) in mls_context_to_sid()
332 return -EINVAL; in mls_context_to_sid()
334 for (i = catdatum->value; i < rngdatum->value; i++) { in mls_context_to_sid()
335 rc = ebitmap_set_bit(&context->range.level[l].cat, i, 1); in mls_context_to_sid()
342 /* If we didn't see a '-', the range start is also the range end. */ in mls_context_to_sid()
344 context->range.level[1].sens = context->range.level[0].sens; in mls_context_to_sid()
345 rc = ebitmap_cpy(&context->range.level[1].cat, in mls_context_to_sid()
346 &context->range.level[0].cat); in mls_context_to_sid()
366 if (!p->mls_enabled) in mls_from_string()
367 return -EINVAL; in mls_from_string()
371 rc = -ENOMEM; in mls_from_string()
391 context->range.level[l].sens = range->level[l].sens; in mls_range_set()
392 rc = ebitmap_cpy(&context->range.level[l].cat, in mls_range_set()
393 &range->level[l].cat); in mls_range_set()
402 struct context *fromcon, struct user_datum *user, in mls_setup_user_range() argument
405 if (p->mls_enabled) { in mls_setup_user_range()
406 struct mls_level *fromcon_sen = &(fromcon->range.level[0]); in mls_setup_user_range()
407 struct mls_level *fromcon_clr = &(fromcon->range.level[1]); in mls_setup_user_range()
408 struct mls_level *user_low = &(user->range.level[0]); in mls_setup_user_range()
409 struct mls_level *user_clr = &(user->range.level[1]); in mls_setup_user_range()
410 struct mls_level *user_def = &(user->dfltlevel); in mls_setup_user_range()
411 struct mls_level *usercon_sen = &(usercon->range.level[0]); in mls_setup_user_range()
412 struct mls_level *usercon_clr = &(usercon->range.level[1]); in mls_setup_user_range()
414 /* Honor the user's default level if we can */ in mls_setup_user_range()
422 return -EINVAL; in mls_setup_user_range()
426 that of the user's default clearance (but in mls_setup_user_range()
428 the user's computed sensitivity level) */ in mls_setup_user_range()
434 return -EINVAL; in mls_setup_user_range()
456 if (!oldp->mls_enabled || !newp->mls_enabled) in mls_convert_context()
461 oldc->range.level[l].sens - 1); in mls_convert_context()
463 levdatum = symtab_search(&newp->p_levels, name); in mls_convert_context()
466 return -EINVAL; in mls_convert_context()
467 newc->range.level[l].sens = levdatum->level->sens; in mls_convert_context()
469 ebitmap_for_each_positive_bit(&oldc->range.level[l].cat, in mls_convert_context()
473 catdatum = symtab_search(&newp->p_cats, in mls_convert_context()
476 return -EINVAL; in mls_convert_context()
477 rc = ebitmap_set_bit(&newc->range.level[l].cat, in mls_convert_context()
478 catdatum->value - 1, 1); in mls_convert_context()
500 if (!p->mls_enabled) in mls_compute_sid()
506 rtr.source_type = scontext->type; in mls_compute_sid()
507 rtr.target_type = tcontext->type; in mls_compute_sid()
513 if (tclass && tclass <= p->p_classes.nprim) { in mls_compute_sid()
514 cladatum = p->class_val_to_struct[tclass - 1]; in mls_compute_sid()
516 default_range = cladatum->default_range; in mls_compute_sid()
539 if ((tclass == p->process_class) || sock) in mls_compute_sid()
549 return -EINVAL; in mls_compute_sid()
554 * mls_export_netlbl_lvl - Export the MLS sensitivity levels to NetLabel
560 * Given the security context copy the low MLS sensitivity level into the
561 * NetLabel MLS sensitivity level field.
568 if (!p->mls_enabled) in mls_export_netlbl_lvl()
571 secattr->attr.mls.lvl = context->range.level[0].sens - 1; in mls_export_netlbl_lvl()
572 secattr->flags |= NETLBL_SECATTR_MLS_LVL; in mls_export_netlbl_lvl()
576 * mls_import_netlbl_lvl - Import the NetLabel MLS sensitivity levels
583 * NetLabel MLS sensitivity level into the context.
590 if (!p->mls_enabled) in mls_import_netlbl_lvl()
593 context->range.level[0].sens = secattr->attr.mls.lvl + 1; in mls_import_netlbl_lvl()
594 context->range.level[1].sens = context->range.level[0].sens; in mls_import_netlbl_lvl()
598 * mls_export_netlbl_cat - Export the MLS categories to NetLabel
614 if (!p->mls_enabled) in mls_export_netlbl_cat()
617 rc = ebitmap_netlbl_export(&context->range.level[0].cat, in mls_export_netlbl_cat()
618 &secattr->attr.mls.cat); in mls_export_netlbl_cat()
619 if (rc == 0 && secattr->attr.mls.cat != NULL) in mls_export_netlbl_cat()
620 secattr->flags |= NETLBL_SECATTR_MLS_CAT; in mls_export_netlbl_cat()
626 * mls_import_netlbl_cat - Import the MLS categories from NetLabel
644 if (!p->mls_enabled) in mls_import_netlbl_cat()
647 rc = ebitmap_netlbl_import(&context->range.level[0].cat, in mls_import_netlbl_cat()
648 secattr->attr.mls.cat); in mls_import_netlbl_cat()
651 memcpy(&context->range.level[1].cat, &context->range.level[0].cat, in mls_import_netlbl_cat()
652 sizeof(context->range.level[0].cat)); in mls_import_netlbl_cat()
657 ebitmap_destroy(&context->range.level[0].cat); in mls_import_netlbl_cat()