
1 // SPDX-License-Identifier: GPL-2.0
3 * Implementation of the multi-level security (MLS) policy.
12 * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
15 * Updated: Hewlett-Packard <paul@paul-moore.com>
19 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
43 if (!p->mls_enabled) in mls_compute_context_len()
48 int index_sens = context->range.level[l].sens; in mls_compute_context_len()
49 len += strlen(sym_name(p, SYM_LEVELS, index_sens - 1)); in mls_compute_context_len()
52 head = -2; in mls_compute_context_len()
53 prev = -2; in mls_compute_context_len()
54 e = &context->range.level[l].cat; in mls_compute_context_len()
56 if (i - prev > 1) { in mls_compute_context_len()
73 if (mls_level_eq(&context->range.level[0], in mls_compute_context_len()
74 &context->range.level[1])) in mls_compute_context_len()
98 if (!p->mls_enabled) in mls_sid_to_context()
108 context->range.level[l].sens - 1)); in mls_sid_to_context()
112 head = -2; in mls_sid_to_context()
113 prev = -2; in mls_sid_to_context()
114 e = &context->range.level[l].cat; in mls_sid_to_context()
116 if (i - prev > 1) { in mls_sid_to_context()
119 if (prev - head > 1) in mls_sid_to_context()
140 if (prev - head > 1) in mls_sid_to_context()
150 if (mls_level_eq(&context->range.level[0], in mls_sid_to_context()
151 &context->range.level[1])) in mls_sid_to_context()
154 *scontextp++ = '-'; in mls_sid_to_context()
166 if (!l->sens || l->sens > p->p_levels.nprim) in mls_level_isvalid()
168 levdatum = symtab_search(&p->p_levels, in mls_level_isvalid()
169 sym_name(p, SYM_LEVELS, l->sens - 1)); in mls_level_isvalid()
174 * Return 1 iff all the bits set in l->cat are also set in in mls_level_isvalid()
175 * levdatum->level->cat and no bit in l->cat is larger than in mls_level_isvalid()
176 * p->p_cats.nprim. in mls_level_isvalid()
178 return ebitmap_contains(&levdatum->level->cat, &l->cat, in mls_level_isvalid()
179 p->p_cats.nprim); in mls_level_isvalid()
184 return (mls_level_isvalid(p, &r->level[0]) && in mls_range_isvalid()
185 mls_level_isvalid(p, &r->level[1]) && in mls_range_isvalid()
186 mls_level_dom(&r->level[1], &r->level[0])); in mls_range_isvalid()
197 if (!p->mls_enabled) in mls_context_isvalid()
200 if (!mls_range_isvalid(p, &c->range)) in mls_context_isvalid()
203 if (c->role == OBJECT_R_VAL) in mls_context_isvalid()
207 * User must be authorized for the MLS range. in mls_context_isvalid()
209 if (!c->user || c->user > p->p_users.nprim) in mls_context_isvalid()
211 usrdatum = p->user_val_to_struct[c->user - 1]; in mls_context_isvalid()
212 if (!mls_range_contains(usrdatum->range, c->range)) in mls_context_isvalid()
213 return 0; /* user may not be associated with range */ in mls_context_isvalid()
231 * Policy read-lock must be held for sidtab lookup.
247 if (!pol->mls_enabled) { in mls_context_to_sid()
249 * With no MLS, only return -EINVAL if there is an MLS field in mls_context_to_sid()
253 return -EINVAL; in mls_context_to_sid()
265 return -EINVAL; in mls_context_to_sid()
269 return -EINVAL; in mls_context_to_sid()
279 rangep[1] = strchr(scontext, '-'); in mls_context_to_sid()
296 levdatum = symtab_search(&pol->p_levels, sensitivity); in mls_context_to_sid()
298 return -EINVAL; in mls_context_to_sid()
299 context->range.level[l].sens = levdatum->level->sens; in mls_context_to_sid()
315 catdatum = symtab_search(&pol->p_cats, cur_cat); in mls_context_to_sid()
317 return -EINVAL; in mls_context_to_sid()
319 rc = ebitmap_set_bit(&context->range.level[l].cat, in mls_context_to_sid()
320 catdatum->value - 1, 1); in mls_context_to_sid()
328 rngdatum = symtab_search(&pol->p_cats, rngptr); in mls_context_to_sid()
330 return -EINVAL; in mls_context_to_sid()
332 if (catdatum->value >= rngdatum->value) in mls_context_to_sid()
333 return -EINVAL; in mls_context_to_sid()
335 for (i = catdatum->value; i < rngdatum->value; i++) { in mls_context_to_sid()
336 rc = ebitmap_set_bit(&context->range.level[l].cat, i, 1); in mls_context_to_sid()
343 /* If we didn't see a '-', the range start is also the range end. */ in mls_context_to_sid()
345 context->range.level[1].sens = context->range.level[0].sens; in mls_context_to_sid()
346 rc = ebitmap_cpy(&context->range.level[1].cat, in mls_context_to_sid()
347 &context->range.level[0].cat); in mls_context_to_sid()
367 if (!p->mls_enabled) in mls_from_string()
368 return -EINVAL; in mls_from_string()
372 rc = -ENOMEM; in mls_from_string()
392 context->range.level[l].sens = range->level[l].sens; in mls_range_set()
393 rc = ebitmap_cpy(&context->range.level[l].cat, in mls_range_set()
394 &range->level[l].cat); in mls_range_set()
403 struct context *fromcon, struct user_datum *user, in mls_setup_user_range() argument
406 if (p->mls_enabled) { in mls_setup_user_range()
407 struct mls_level *fromcon_sen = &(fromcon->range.level[0]); in mls_setup_user_range()
408 struct mls_level *fromcon_clr = &(fromcon->range.level[1]); in mls_setup_user_range()
409 struct mls_level *user_low = &(user->range.level[0]); in mls_setup_user_range()
410 struct mls_level *user_clr = &(user->range.level[1]); in mls_setup_user_range()
411 struct mls_level *user_def = &(user->dfltlevel); in mls_setup_user_range()
412 struct mls_level *usercon_sen = &(usercon->range.level[0]); in mls_setup_user_range()
413 struct mls_level *usercon_clr = &(usercon->range.level[1]); in mls_setup_user_range()
415 /* Honor the user's default level if we can */ in mls_setup_user_range()
423 return -EINVAL; in mls_setup_user_range()
427 that of the user's default clearance (but in mls_setup_user_range()
429 the user's computed sensitivity level) */ in mls_setup_user_range()
435 return -EINVAL; in mls_setup_user_range()
457 if (!oldp->mls_enabled || !newp->mls_enabled) in mls_convert_context()
462 oldc->range.level[l].sens - 1); in mls_convert_context()
464 levdatum = symtab_search(&newp->p_levels, name); in mls_convert_context()
467 return -EINVAL; in mls_convert_context()
468 newc->range.level[l].sens = levdatum->level->sens; in mls_convert_context()
470 ebitmap_for_each_positive_bit(&oldc->range.level[l].cat, in mls_convert_context()
474 catdatum = symtab_search(&newp->p_cats, in mls_convert_context()
477 return -EINVAL; in mls_convert_context()
478 rc = ebitmap_set_bit(&newc->range.level[l].cat, in mls_convert_context()
479 catdatum->value - 1, 1); in mls_convert_context()
501 if (!p->mls_enabled) in mls_compute_sid()
507 rtr.source_type = scontext->type; in mls_compute_sid()
508 rtr.target_type = tcontext->type; in mls_compute_sid()
514 if (tclass && tclass <= p->p_classes.nprim) { in mls_compute_sid()
515 cladatum = p->class_val_to_struct[tclass - 1]; in mls_compute_sid()
517 default_range = cladatum->default_range; in mls_compute_sid()
540 if ((tclass == p->process_class) || sock) in mls_compute_sid()
550 return -EINVAL; in mls_compute_sid()
555 * mls_export_netlbl_lvl - Export the MLS sensitivity levels to NetLabel
560 * Given the security context copy the low MLS sensitivity level into the
561 * NetLabel MLS sensitivity level field.
568 if (!p->mls_enabled) in mls_export_netlbl_lvl()
571 secattr->attr.mls.lvl = context->range.level[0].sens - 1; in mls_export_netlbl_lvl()
572 secattr->flags |= NETLBL_SECATTR_MLS_LVL; in mls_export_netlbl_lvl()
576 * mls_import_netlbl_lvl - Import the NetLabel MLS sensitivity levels
582 * NetLabel MLS sensitivity level into the context.
589 if (!p->mls_enabled) in mls_import_netlbl_lvl()
592 context->range.level[0].sens = secattr->attr.mls.lvl + 1; in mls_import_netlbl_lvl()
593 context->range.level[1].sens = context->range.level[0].sens; in mls_import_netlbl_lvl()
597 * mls_export_netlbl_cat - Export the MLS categories to NetLabel
612 if (!p->mls_enabled) in mls_export_netlbl_cat()
615 rc = ebitmap_netlbl_export(&context->range.level[0].cat, in mls_export_netlbl_cat()
616 &secattr->attr.mls.cat); in mls_export_netlbl_cat()
617 if (rc == 0 && secattr->attr.mls.cat != NULL) in mls_export_netlbl_cat()
618 secattr->flags |= NETLBL_SECATTR_MLS_CAT; in mls_export_netlbl_cat()
624 * mls_import_netlbl_cat - Import the MLS categories from NetLabel
641 if (!p->mls_enabled) in mls_import_netlbl_cat()
644 rc = ebitmap_netlbl_import(&context->range.level[0].cat, in mls_import_netlbl_cat()
645 secattr->attr.mls.cat); in mls_import_netlbl_cat()
648 memcpy(&context->range.level[1].cat, &context->range.level[0].cat, in mls_import_netlbl_cat()
649 sizeof(context->range.level[0].cat)); in mls_import_netlbl_cat()
654 ebitmap_destroy(&context->range.level[0].cat); in mls_import_netlbl_cat()