18c2ecf20Sopenharmony_ci// SPDX-License-Identifier: GPL-2.0 28c2ecf20Sopenharmony_ci/* 38c2ecf20Sopenharmony_ci * Implementation of the SID table type. 48c2ecf20Sopenharmony_ci * 58c2ecf20Sopenharmony_ci * Original author: Stephen Smalley, <sds@tycho.nsa.gov> 68c2ecf20Sopenharmony_ci * Author: Ondrej Mosnacek, <omosnacek@gmail.com> 78c2ecf20Sopenharmony_ci * 88c2ecf20Sopenharmony_ci * Copyright (C) 2018 Red Hat, Inc. 98c2ecf20Sopenharmony_ci */ 108c2ecf20Sopenharmony_ci#include <linux/errno.h> 118c2ecf20Sopenharmony_ci#include <linux/kernel.h> 128c2ecf20Sopenharmony_ci#include <linux/list.h> 138c2ecf20Sopenharmony_ci#include <linux/rcupdate.h> 148c2ecf20Sopenharmony_ci#include <linux/slab.h> 158c2ecf20Sopenharmony_ci#include <linux/sched.h> 168c2ecf20Sopenharmony_ci#include <linux/spinlock.h> 178c2ecf20Sopenharmony_ci#include <asm/barrier.h> 188c2ecf20Sopenharmony_ci#include "flask.h" 198c2ecf20Sopenharmony_ci#include "security.h" 208c2ecf20Sopenharmony_ci#include "sidtab.h" 218c2ecf20Sopenharmony_ci 228c2ecf20Sopenharmony_cistruct sidtab_str_cache { 238c2ecf20Sopenharmony_ci struct rcu_head rcu_member; 248c2ecf20Sopenharmony_ci struct list_head lru_member; 258c2ecf20Sopenharmony_ci struct sidtab_entry *parent; 268c2ecf20Sopenharmony_ci u32 len; 278c2ecf20Sopenharmony_ci char str[]; 288c2ecf20Sopenharmony_ci}; 298c2ecf20Sopenharmony_ci 308c2ecf20Sopenharmony_ci#define index_to_sid(index) (index + SECINITSID_NUM + 1) 318c2ecf20Sopenharmony_ci#define sid_to_index(sid) (sid - (SECINITSID_NUM + 1)) 328c2ecf20Sopenharmony_ci 338c2ecf20Sopenharmony_ciint sidtab_init(struct sidtab *s) 348c2ecf20Sopenharmony_ci{ 358c2ecf20Sopenharmony_ci u32 i; 368c2ecf20Sopenharmony_ci 378c2ecf20Sopenharmony_ci memset(s->roots, 0, sizeof(s->roots)); 388c2ecf20Sopenharmony_ci 398c2ecf20Sopenharmony_ci for (i = 0; i < SECINITSID_NUM; i++) 408c2ecf20Sopenharmony_ci s->isids[i].set = 0; 418c2ecf20Sopenharmony_ci 428c2ecf20Sopenharmony_ci s->frozen = false; 438c2ecf20Sopenharmony_ci s->count = 0; 448c2ecf20Sopenharmony_ci s->convert = NULL; 458c2ecf20Sopenharmony_ci hash_init(s->context_to_sid); 468c2ecf20Sopenharmony_ci 478c2ecf20Sopenharmony_ci spin_lock_init(&s->lock); 488c2ecf20Sopenharmony_ci 498c2ecf20Sopenharmony_ci#if CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE > 0 508c2ecf20Sopenharmony_ci s->cache_free_slots = CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE; 518c2ecf20Sopenharmony_ci INIT_LIST_HEAD(&s->cache_lru_list); 528c2ecf20Sopenharmony_ci spin_lock_init(&s->cache_lock); 538c2ecf20Sopenharmony_ci#endif 548c2ecf20Sopenharmony_ci 558c2ecf20Sopenharmony_ci return 0; 568c2ecf20Sopenharmony_ci} 578c2ecf20Sopenharmony_ci 588c2ecf20Sopenharmony_cistatic u32 context_to_sid(struct sidtab *s, struct context *context, u32 hash) 598c2ecf20Sopenharmony_ci{ 608c2ecf20Sopenharmony_ci struct sidtab_entry *entry; 618c2ecf20Sopenharmony_ci u32 sid = 0; 628c2ecf20Sopenharmony_ci 638c2ecf20Sopenharmony_ci rcu_read_lock(); 648c2ecf20Sopenharmony_ci hash_for_each_possible_rcu(s->context_to_sid, entry, list, hash) { 658c2ecf20Sopenharmony_ci if (entry->hash != hash) 668c2ecf20Sopenharmony_ci continue; 678c2ecf20Sopenharmony_ci if (context_cmp(&entry->context, context)) { 688c2ecf20Sopenharmony_ci sid = entry->sid; 698c2ecf20Sopenharmony_ci break; 708c2ecf20Sopenharmony_ci } 718c2ecf20Sopenharmony_ci } 728c2ecf20Sopenharmony_ci rcu_read_unlock(); 738c2ecf20Sopenharmony_ci return sid; 748c2ecf20Sopenharmony_ci} 758c2ecf20Sopenharmony_ci 768c2ecf20Sopenharmony_ciint sidtab_set_initial(struct sidtab *s, u32 sid, struct context *context) 778c2ecf20Sopenharmony_ci{ 788c2ecf20Sopenharmony_ci struct sidtab_isid_entry *isid; 798c2ecf20Sopenharmony_ci u32 hash; 808c2ecf20Sopenharmony_ci int rc; 818c2ecf20Sopenharmony_ci 828c2ecf20Sopenharmony_ci if (sid == 0 || sid > SECINITSID_NUM) 838c2ecf20Sopenharmony_ci return -EINVAL; 848c2ecf20Sopenharmony_ci 858c2ecf20Sopenharmony_ci isid = &s->isids[sid - 1]; 868c2ecf20Sopenharmony_ci 878c2ecf20Sopenharmony_ci rc = context_cpy(&isid->entry.context, context); 888c2ecf20Sopenharmony_ci if (rc) 898c2ecf20Sopenharmony_ci return rc; 908c2ecf20Sopenharmony_ci 918c2ecf20Sopenharmony_ci#if CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE > 0 928c2ecf20Sopenharmony_ci isid->entry.cache = NULL; 938c2ecf20Sopenharmony_ci#endif 948c2ecf20Sopenharmony_ci isid->set = 1; 958c2ecf20Sopenharmony_ci 968c2ecf20Sopenharmony_ci hash = context_compute_hash(context); 978c2ecf20Sopenharmony_ci 988c2ecf20Sopenharmony_ci /* 998c2ecf20Sopenharmony_ci * Multiple initial sids may map to the same context. Check that this 1008c2ecf20Sopenharmony_ci * context is not already represented in the context_to_sid hashtable 1018c2ecf20Sopenharmony_ci * to avoid duplicate entries and long linked lists upon hash 1028c2ecf20Sopenharmony_ci * collision. 1038c2ecf20Sopenharmony_ci */ 1048c2ecf20Sopenharmony_ci if (!context_to_sid(s, context, hash)) { 1058c2ecf20Sopenharmony_ci isid->entry.sid = sid; 1068c2ecf20Sopenharmony_ci isid->entry.hash = hash; 1078c2ecf20Sopenharmony_ci hash_add(s->context_to_sid, &isid->entry.list, hash); 1088c2ecf20Sopenharmony_ci } 1098c2ecf20Sopenharmony_ci 1108c2ecf20Sopenharmony_ci return 0; 1118c2ecf20Sopenharmony_ci} 1128c2ecf20Sopenharmony_ci 1138c2ecf20Sopenharmony_ciint sidtab_hash_stats(struct sidtab *sidtab, char *page) 1148c2ecf20Sopenharmony_ci{ 1158c2ecf20Sopenharmony_ci int i; 1168c2ecf20Sopenharmony_ci int chain_len = 0; 1178c2ecf20Sopenharmony_ci int slots_used = 0; 1188c2ecf20Sopenharmony_ci int entries = 0; 1198c2ecf20Sopenharmony_ci int max_chain_len = 0; 1208c2ecf20Sopenharmony_ci int cur_bucket = 0; 1218c2ecf20Sopenharmony_ci struct sidtab_entry *entry; 1228c2ecf20Sopenharmony_ci 1238c2ecf20Sopenharmony_ci rcu_read_lock(); 1248c2ecf20Sopenharmony_ci hash_for_each_rcu(sidtab->context_to_sid, i, entry, list) { 1258c2ecf20Sopenharmony_ci entries++; 1268c2ecf20Sopenharmony_ci if (i == cur_bucket) { 1278c2ecf20Sopenharmony_ci chain_len++; 1288c2ecf20Sopenharmony_ci if (chain_len == 1) 1298c2ecf20Sopenharmony_ci slots_used++; 1308c2ecf20Sopenharmony_ci } else { 1318c2ecf20Sopenharmony_ci cur_bucket = i; 1328c2ecf20Sopenharmony_ci if (chain_len > max_chain_len) 1338c2ecf20Sopenharmony_ci max_chain_len = chain_len; 1348c2ecf20Sopenharmony_ci chain_len = 0; 1358c2ecf20Sopenharmony_ci } 1368c2ecf20Sopenharmony_ci } 1378c2ecf20Sopenharmony_ci rcu_read_unlock(); 1388c2ecf20Sopenharmony_ci 1398c2ecf20Sopenharmony_ci if (chain_len > max_chain_len) 1408c2ecf20Sopenharmony_ci max_chain_len = chain_len; 1418c2ecf20Sopenharmony_ci 1428c2ecf20Sopenharmony_ci return scnprintf(page, PAGE_SIZE, "entries: %d\nbuckets used: %d/%d\n" 1438c2ecf20Sopenharmony_ci "longest chain: %d\n", entries, 1448c2ecf20Sopenharmony_ci slots_used, SIDTAB_HASH_BUCKETS, max_chain_len); 1458c2ecf20Sopenharmony_ci} 1468c2ecf20Sopenharmony_ci 1478c2ecf20Sopenharmony_cistatic u32 sidtab_level_from_count(u32 count) 1488c2ecf20Sopenharmony_ci{ 1498c2ecf20Sopenharmony_ci u32 capacity = SIDTAB_LEAF_ENTRIES; 1508c2ecf20Sopenharmony_ci u32 level = 0; 1518c2ecf20Sopenharmony_ci 1528c2ecf20Sopenharmony_ci while (count > capacity) { 1538c2ecf20Sopenharmony_ci capacity <<= SIDTAB_INNER_SHIFT; 1548c2ecf20Sopenharmony_ci ++level; 1558c2ecf20Sopenharmony_ci } 1568c2ecf20Sopenharmony_ci return level; 1578c2ecf20Sopenharmony_ci} 1588c2ecf20Sopenharmony_ci 1598c2ecf20Sopenharmony_cistatic int sidtab_alloc_roots(struct sidtab *s, u32 level) 1608c2ecf20Sopenharmony_ci{ 1618c2ecf20Sopenharmony_ci u32 l; 1628c2ecf20Sopenharmony_ci 1638c2ecf20Sopenharmony_ci if (!s->roots[0].ptr_leaf) { 1648c2ecf20Sopenharmony_ci s->roots[0].ptr_leaf = kzalloc(SIDTAB_NODE_ALLOC_SIZE, 1658c2ecf20Sopenharmony_ci GFP_ATOMIC); 1668c2ecf20Sopenharmony_ci if (!s->roots[0].ptr_leaf) 1678c2ecf20Sopenharmony_ci return -ENOMEM; 1688c2ecf20Sopenharmony_ci } 1698c2ecf20Sopenharmony_ci for (l = 1; l <= level; ++l) 1708c2ecf20Sopenharmony_ci if (!s->roots[l].ptr_inner) { 1718c2ecf20Sopenharmony_ci s->roots[l].ptr_inner = kzalloc(SIDTAB_NODE_ALLOC_SIZE, 1728c2ecf20Sopenharmony_ci GFP_ATOMIC); 1738c2ecf20Sopenharmony_ci if (!s->roots[l].ptr_inner) 1748c2ecf20Sopenharmony_ci return -ENOMEM; 1758c2ecf20Sopenharmony_ci s->roots[l].ptr_inner->entries[0] = s->roots[l - 1]; 1768c2ecf20Sopenharmony_ci } 1778c2ecf20Sopenharmony_ci return 0; 1788c2ecf20Sopenharmony_ci} 1798c2ecf20Sopenharmony_ci 1808c2ecf20Sopenharmony_cistatic struct sidtab_entry *sidtab_do_lookup(struct sidtab *s, u32 index, 1818c2ecf20Sopenharmony_ci int alloc) 1828c2ecf20Sopenharmony_ci{ 1838c2ecf20Sopenharmony_ci union sidtab_entry_inner *entry; 1848c2ecf20Sopenharmony_ci u32 level, capacity_shift, leaf_index = index / SIDTAB_LEAF_ENTRIES; 1858c2ecf20Sopenharmony_ci 1868c2ecf20Sopenharmony_ci /* find the level of the subtree we need */ 1878c2ecf20Sopenharmony_ci level = sidtab_level_from_count(index + 1); 1888c2ecf20Sopenharmony_ci capacity_shift = level * SIDTAB_INNER_SHIFT; 1898c2ecf20Sopenharmony_ci 1908c2ecf20Sopenharmony_ci /* allocate roots if needed */ 1918c2ecf20Sopenharmony_ci if (alloc && sidtab_alloc_roots(s, level) != 0) 1928c2ecf20Sopenharmony_ci return NULL; 1938c2ecf20Sopenharmony_ci 1948c2ecf20Sopenharmony_ci /* lookup inside the subtree */ 1958c2ecf20Sopenharmony_ci entry = &s->roots[level]; 1968c2ecf20Sopenharmony_ci while (level != 0) { 1978c2ecf20Sopenharmony_ci capacity_shift -= SIDTAB_INNER_SHIFT; 1988c2ecf20Sopenharmony_ci --level; 1998c2ecf20Sopenharmony_ci 2008c2ecf20Sopenharmony_ci entry = &entry->ptr_inner->entries[leaf_index >> capacity_shift]; 2018c2ecf20Sopenharmony_ci leaf_index &= ((u32)1 << capacity_shift) - 1; 2028c2ecf20Sopenharmony_ci 2038c2ecf20Sopenharmony_ci if (!entry->ptr_inner) { 2048c2ecf20Sopenharmony_ci if (alloc) 2058c2ecf20Sopenharmony_ci entry->ptr_inner = kzalloc(SIDTAB_NODE_ALLOC_SIZE, 2068c2ecf20Sopenharmony_ci GFP_ATOMIC); 2078c2ecf20Sopenharmony_ci if (!entry->ptr_inner) 2088c2ecf20Sopenharmony_ci return NULL; 2098c2ecf20Sopenharmony_ci } 2108c2ecf20Sopenharmony_ci } 2118c2ecf20Sopenharmony_ci if (!entry->ptr_leaf) { 2128c2ecf20Sopenharmony_ci if (alloc) 2138c2ecf20Sopenharmony_ci entry->ptr_leaf = kzalloc(SIDTAB_NODE_ALLOC_SIZE, 2148c2ecf20Sopenharmony_ci GFP_ATOMIC); 2158c2ecf20Sopenharmony_ci if (!entry->ptr_leaf) 2168c2ecf20Sopenharmony_ci return NULL; 2178c2ecf20Sopenharmony_ci } 2188c2ecf20Sopenharmony_ci return &entry->ptr_leaf->entries[index % SIDTAB_LEAF_ENTRIES]; 2198c2ecf20Sopenharmony_ci} 2208c2ecf20Sopenharmony_ci 2218c2ecf20Sopenharmony_cistatic struct sidtab_entry *sidtab_lookup(struct sidtab *s, u32 index) 2228c2ecf20Sopenharmony_ci{ 2238c2ecf20Sopenharmony_ci /* read entries only after reading count */ 2248c2ecf20Sopenharmony_ci u32 count = smp_load_acquire(&s->count); 2258c2ecf20Sopenharmony_ci 2268c2ecf20Sopenharmony_ci if (index >= count) 2278c2ecf20Sopenharmony_ci return NULL; 2288c2ecf20Sopenharmony_ci 2298c2ecf20Sopenharmony_ci return sidtab_do_lookup(s, index, 0); 2308c2ecf20Sopenharmony_ci} 2318c2ecf20Sopenharmony_ci 2328c2ecf20Sopenharmony_cistatic struct sidtab_entry *sidtab_lookup_initial(struct sidtab *s, u32 sid) 2338c2ecf20Sopenharmony_ci{ 2348c2ecf20Sopenharmony_ci return s->isids[sid - 1].set ? &s->isids[sid - 1].entry : NULL; 2358c2ecf20Sopenharmony_ci} 2368c2ecf20Sopenharmony_ci 2378c2ecf20Sopenharmony_cistatic struct sidtab_entry *sidtab_search_core(struct sidtab *s, u32 sid, 2388c2ecf20Sopenharmony_ci int force) 2398c2ecf20Sopenharmony_ci{ 2408c2ecf20Sopenharmony_ci if (sid != 0) { 2418c2ecf20Sopenharmony_ci struct sidtab_entry *entry; 2428c2ecf20Sopenharmony_ci 2438c2ecf20Sopenharmony_ci if (sid > SECINITSID_NUM) 2448c2ecf20Sopenharmony_ci entry = sidtab_lookup(s, sid_to_index(sid)); 2458c2ecf20Sopenharmony_ci else 2468c2ecf20Sopenharmony_ci entry = sidtab_lookup_initial(s, sid); 2478c2ecf20Sopenharmony_ci if (entry && (!entry->context.len || force)) 2488c2ecf20Sopenharmony_ci return entry; 2498c2ecf20Sopenharmony_ci } 2508c2ecf20Sopenharmony_ci 2518c2ecf20Sopenharmony_ci return sidtab_lookup_initial(s, SECINITSID_UNLABELED); 2528c2ecf20Sopenharmony_ci} 2538c2ecf20Sopenharmony_ci 2548c2ecf20Sopenharmony_cistruct sidtab_entry *sidtab_search_entry(struct sidtab *s, u32 sid) 2558c2ecf20Sopenharmony_ci{ 2568c2ecf20Sopenharmony_ci return sidtab_search_core(s, sid, 0); 2578c2ecf20Sopenharmony_ci} 2588c2ecf20Sopenharmony_ci 2598c2ecf20Sopenharmony_cistruct sidtab_entry *sidtab_search_entry_force(struct sidtab *s, u32 sid) 2608c2ecf20Sopenharmony_ci{ 2618c2ecf20Sopenharmony_ci return sidtab_search_core(s, sid, 1); 2628c2ecf20Sopenharmony_ci} 2638c2ecf20Sopenharmony_ci 2648c2ecf20Sopenharmony_ciint sidtab_context_to_sid(struct sidtab *s, struct context *context, 2658c2ecf20Sopenharmony_ci u32 *sid) 2668c2ecf20Sopenharmony_ci{ 2678c2ecf20Sopenharmony_ci unsigned long flags; 2688c2ecf20Sopenharmony_ci u32 count, hash = context_compute_hash(context); 2698c2ecf20Sopenharmony_ci struct sidtab_convert_params *convert; 2708c2ecf20Sopenharmony_ci struct sidtab_entry *dst, *dst_convert; 2718c2ecf20Sopenharmony_ci int rc; 2728c2ecf20Sopenharmony_ci 2738c2ecf20Sopenharmony_ci *sid = context_to_sid(s, context, hash); 2748c2ecf20Sopenharmony_ci if (*sid) 2758c2ecf20Sopenharmony_ci return 0; 2768c2ecf20Sopenharmony_ci 2778c2ecf20Sopenharmony_ci /* lock-free search failed: lock, re-search, and insert if not found */ 2788c2ecf20Sopenharmony_ci spin_lock_irqsave(&s->lock, flags); 2798c2ecf20Sopenharmony_ci 2808c2ecf20Sopenharmony_ci rc = 0; 2818c2ecf20Sopenharmony_ci *sid = context_to_sid(s, context, hash); 2828c2ecf20Sopenharmony_ci if (*sid) 2838c2ecf20Sopenharmony_ci goto out_unlock; 2848c2ecf20Sopenharmony_ci 2858c2ecf20Sopenharmony_ci if (unlikely(s->frozen)) { 2868c2ecf20Sopenharmony_ci /* 2878c2ecf20Sopenharmony_ci * This sidtab is now frozen - tell the caller to abort and 2888c2ecf20Sopenharmony_ci * get the new one. 2898c2ecf20Sopenharmony_ci */ 2908c2ecf20Sopenharmony_ci rc = -ESTALE; 2918c2ecf20Sopenharmony_ci goto out_unlock; 2928c2ecf20Sopenharmony_ci } 2938c2ecf20Sopenharmony_ci 2948c2ecf20Sopenharmony_ci count = s->count; 2958c2ecf20Sopenharmony_ci convert = s->convert; 2968c2ecf20Sopenharmony_ci 2978c2ecf20Sopenharmony_ci /* bail out if we already reached max entries */ 2988c2ecf20Sopenharmony_ci rc = -EOVERFLOW; 2998c2ecf20Sopenharmony_ci if (count >= SIDTAB_MAX) 3008c2ecf20Sopenharmony_ci goto out_unlock; 3018c2ecf20Sopenharmony_ci 3028c2ecf20Sopenharmony_ci /* insert context into new entry */ 3038c2ecf20Sopenharmony_ci rc = -ENOMEM; 3048c2ecf20Sopenharmony_ci dst = sidtab_do_lookup(s, count, 1); 3058c2ecf20Sopenharmony_ci if (!dst) 3068c2ecf20Sopenharmony_ci goto out_unlock; 3078c2ecf20Sopenharmony_ci 3088c2ecf20Sopenharmony_ci dst->sid = index_to_sid(count); 3098c2ecf20Sopenharmony_ci dst->hash = hash; 3108c2ecf20Sopenharmony_ci 3118c2ecf20Sopenharmony_ci rc = context_cpy(&dst->context, context); 3128c2ecf20Sopenharmony_ci if (rc) 3138c2ecf20Sopenharmony_ci goto out_unlock; 3148c2ecf20Sopenharmony_ci 3158c2ecf20Sopenharmony_ci /* 3168c2ecf20Sopenharmony_ci * if we are building a new sidtab, we need to convert the context 3178c2ecf20Sopenharmony_ci * and insert it there as well 3188c2ecf20Sopenharmony_ci */ 3198c2ecf20Sopenharmony_ci if (convert) { 3208c2ecf20Sopenharmony_ci rc = -ENOMEM; 3218c2ecf20Sopenharmony_ci dst_convert = sidtab_do_lookup(convert->target, count, 1); 3228c2ecf20Sopenharmony_ci if (!dst_convert) { 3238c2ecf20Sopenharmony_ci context_destroy(&dst->context); 3248c2ecf20Sopenharmony_ci goto out_unlock; 3258c2ecf20Sopenharmony_ci } 3268c2ecf20Sopenharmony_ci 3278c2ecf20Sopenharmony_ci rc = convert->func(context, &dst_convert->context, 3288c2ecf20Sopenharmony_ci convert->args, GFP_ATOMIC); 3298c2ecf20Sopenharmony_ci if (rc) { 3308c2ecf20Sopenharmony_ci context_destroy(&dst->context); 3318c2ecf20Sopenharmony_ci goto out_unlock; 3328c2ecf20Sopenharmony_ci } 3338c2ecf20Sopenharmony_ci dst_convert->sid = index_to_sid(count); 3348c2ecf20Sopenharmony_ci dst_convert->hash = context_compute_hash(&dst_convert->context); 3358c2ecf20Sopenharmony_ci convert->target->count = count + 1; 3368c2ecf20Sopenharmony_ci 3378c2ecf20Sopenharmony_ci hash_add_rcu(convert->target->context_to_sid, 3388c2ecf20Sopenharmony_ci &dst_convert->list, dst_convert->hash); 3398c2ecf20Sopenharmony_ci } 3408c2ecf20Sopenharmony_ci 3418c2ecf20Sopenharmony_ci if (context->len) 3428c2ecf20Sopenharmony_ci pr_info("SELinux: Context %s is not valid (left unmapped).\n", 3438c2ecf20Sopenharmony_ci context->str); 3448c2ecf20Sopenharmony_ci 3458c2ecf20Sopenharmony_ci *sid = index_to_sid(count); 3468c2ecf20Sopenharmony_ci 3478c2ecf20Sopenharmony_ci /* write entries before updating count */ 3488c2ecf20Sopenharmony_ci smp_store_release(&s->count, count + 1); 3498c2ecf20Sopenharmony_ci hash_add_rcu(s->context_to_sid, &dst->list, dst->hash); 3508c2ecf20Sopenharmony_ci 3518c2ecf20Sopenharmony_ci rc = 0; 3528c2ecf20Sopenharmony_ciout_unlock: 3538c2ecf20Sopenharmony_ci spin_unlock_irqrestore(&s->lock, flags); 3548c2ecf20Sopenharmony_ci return rc; 3558c2ecf20Sopenharmony_ci} 3568c2ecf20Sopenharmony_ci 3578c2ecf20Sopenharmony_cistatic void sidtab_convert_hashtable(struct sidtab *s, u32 count) 3588c2ecf20Sopenharmony_ci{ 3598c2ecf20Sopenharmony_ci struct sidtab_entry *entry; 3608c2ecf20Sopenharmony_ci u32 i; 3618c2ecf20Sopenharmony_ci 3628c2ecf20Sopenharmony_ci for (i = 0; i < count; i++) { 3638c2ecf20Sopenharmony_ci entry = sidtab_do_lookup(s, i, 0); 3648c2ecf20Sopenharmony_ci entry->sid = index_to_sid(i); 3658c2ecf20Sopenharmony_ci entry->hash = context_compute_hash(&entry->context); 3668c2ecf20Sopenharmony_ci 3678c2ecf20Sopenharmony_ci hash_add_rcu(s->context_to_sid, &entry->list, entry->hash); 3688c2ecf20Sopenharmony_ci } 3698c2ecf20Sopenharmony_ci} 3708c2ecf20Sopenharmony_ci 3718c2ecf20Sopenharmony_cistatic int sidtab_convert_tree(union sidtab_entry_inner *edst, 3728c2ecf20Sopenharmony_ci union sidtab_entry_inner *esrc, 3738c2ecf20Sopenharmony_ci u32 *pos, u32 count, u32 level, 3748c2ecf20Sopenharmony_ci struct sidtab_convert_params *convert) 3758c2ecf20Sopenharmony_ci{ 3768c2ecf20Sopenharmony_ci int rc; 3778c2ecf20Sopenharmony_ci u32 i; 3788c2ecf20Sopenharmony_ci 3798c2ecf20Sopenharmony_ci if (level != 0) { 3808c2ecf20Sopenharmony_ci if (!edst->ptr_inner) { 3818c2ecf20Sopenharmony_ci edst->ptr_inner = kzalloc(SIDTAB_NODE_ALLOC_SIZE, 3828c2ecf20Sopenharmony_ci GFP_KERNEL); 3838c2ecf20Sopenharmony_ci if (!edst->ptr_inner) 3848c2ecf20Sopenharmony_ci return -ENOMEM; 3858c2ecf20Sopenharmony_ci } 3868c2ecf20Sopenharmony_ci i = 0; 3878c2ecf20Sopenharmony_ci while (i < SIDTAB_INNER_ENTRIES && *pos < count) { 3888c2ecf20Sopenharmony_ci rc = sidtab_convert_tree(&edst->ptr_inner->entries[i], 3898c2ecf20Sopenharmony_ci &esrc->ptr_inner->entries[i], 3908c2ecf20Sopenharmony_ci pos, count, level - 1, 3918c2ecf20Sopenharmony_ci convert); 3928c2ecf20Sopenharmony_ci if (rc) 3938c2ecf20Sopenharmony_ci return rc; 3948c2ecf20Sopenharmony_ci i++; 3958c2ecf20Sopenharmony_ci } 3968c2ecf20Sopenharmony_ci } else { 3978c2ecf20Sopenharmony_ci if (!edst->ptr_leaf) { 3988c2ecf20Sopenharmony_ci edst->ptr_leaf = kzalloc(SIDTAB_NODE_ALLOC_SIZE, 3998c2ecf20Sopenharmony_ci GFP_KERNEL); 4008c2ecf20Sopenharmony_ci if (!edst->ptr_leaf) 4018c2ecf20Sopenharmony_ci return -ENOMEM; 4028c2ecf20Sopenharmony_ci } 4038c2ecf20Sopenharmony_ci i = 0; 4048c2ecf20Sopenharmony_ci while (i < SIDTAB_LEAF_ENTRIES && *pos < count) { 4058c2ecf20Sopenharmony_ci rc = convert->func(&esrc->ptr_leaf->entries[i].context, 4068c2ecf20Sopenharmony_ci &edst->ptr_leaf->entries[i].context, 4078c2ecf20Sopenharmony_ci convert->args, GFP_KERNEL); 4088c2ecf20Sopenharmony_ci if (rc) 4098c2ecf20Sopenharmony_ci return rc; 4108c2ecf20Sopenharmony_ci (*pos)++; 4118c2ecf20Sopenharmony_ci i++; 4128c2ecf20Sopenharmony_ci } 4138c2ecf20Sopenharmony_ci cond_resched(); 4148c2ecf20Sopenharmony_ci } 4158c2ecf20Sopenharmony_ci return 0; 4168c2ecf20Sopenharmony_ci} 4178c2ecf20Sopenharmony_ci 4188c2ecf20Sopenharmony_ciint sidtab_convert(struct sidtab *s, struct sidtab_convert_params *params) 4198c2ecf20Sopenharmony_ci{ 4208c2ecf20Sopenharmony_ci unsigned long flags; 4218c2ecf20Sopenharmony_ci u32 count, level, pos; 4228c2ecf20Sopenharmony_ci int rc; 4238c2ecf20Sopenharmony_ci 4248c2ecf20Sopenharmony_ci spin_lock_irqsave(&s->lock, flags); 4258c2ecf20Sopenharmony_ci 4268c2ecf20Sopenharmony_ci /* concurrent policy loads are not allowed */ 4278c2ecf20Sopenharmony_ci if (s->convert) { 4288c2ecf20Sopenharmony_ci spin_unlock_irqrestore(&s->lock, flags); 4298c2ecf20Sopenharmony_ci return -EBUSY; 4308c2ecf20Sopenharmony_ci } 4318c2ecf20Sopenharmony_ci 4328c2ecf20Sopenharmony_ci count = s->count; 4338c2ecf20Sopenharmony_ci level = sidtab_level_from_count(count); 4348c2ecf20Sopenharmony_ci 4358c2ecf20Sopenharmony_ci /* allocate last leaf in the new sidtab (to avoid race with 4368c2ecf20Sopenharmony_ci * live convert) 4378c2ecf20Sopenharmony_ci */ 4388c2ecf20Sopenharmony_ci rc = sidtab_do_lookup(params->target, count - 1, 1) ? 0 : -ENOMEM; 4398c2ecf20Sopenharmony_ci if (rc) { 4408c2ecf20Sopenharmony_ci spin_unlock_irqrestore(&s->lock, flags); 4418c2ecf20Sopenharmony_ci return rc; 4428c2ecf20Sopenharmony_ci } 4438c2ecf20Sopenharmony_ci 4448c2ecf20Sopenharmony_ci /* set count in case no new entries are added during conversion */ 4458c2ecf20Sopenharmony_ci params->target->count = count; 4468c2ecf20Sopenharmony_ci 4478c2ecf20Sopenharmony_ci /* enable live convert of new entries */ 4488c2ecf20Sopenharmony_ci s->convert = params; 4498c2ecf20Sopenharmony_ci 4508c2ecf20Sopenharmony_ci /* we can safely convert the tree outside the lock */ 4518c2ecf20Sopenharmony_ci spin_unlock_irqrestore(&s->lock, flags); 4528c2ecf20Sopenharmony_ci 4538c2ecf20Sopenharmony_ci pr_info("SELinux: Converting %u SID table entries...\n", count); 4548c2ecf20Sopenharmony_ci 4558c2ecf20Sopenharmony_ci /* convert all entries not covered by live convert */ 4568c2ecf20Sopenharmony_ci pos = 0; 4578c2ecf20Sopenharmony_ci rc = sidtab_convert_tree(¶ms->target->roots[level], 4588c2ecf20Sopenharmony_ci &s->roots[level], &pos, count, level, params); 4598c2ecf20Sopenharmony_ci if (rc) { 4608c2ecf20Sopenharmony_ci /* we need to keep the old table - disable live convert */ 4618c2ecf20Sopenharmony_ci spin_lock_irqsave(&s->lock, flags); 4628c2ecf20Sopenharmony_ci s->convert = NULL; 4638c2ecf20Sopenharmony_ci spin_unlock_irqrestore(&s->lock, flags); 4648c2ecf20Sopenharmony_ci return rc; 4658c2ecf20Sopenharmony_ci } 4668c2ecf20Sopenharmony_ci /* 4678c2ecf20Sopenharmony_ci * The hashtable can also be modified in sidtab_context_to_sid() 4688c2ecf20Sopenharmony_ci * so we must re-acquire the lock here. 4698c2ecf20Sopenharmony_ci */ 4708c2ecf20Sopenharmony_ci spin_lock_irqsave(&s->lock, flags); 4718c2ecf20Sopenharmony_ci sidtab_convert_hashtable(params->target, count); 4728c2ecf20Sopenharmony_ci spin_unlock_irqrestore(&s->lock, flags); 4738c2ecf20Sopenharmony_ci 4748c2ecf20Sopenharmony_ci return 0; 4758c2ecf20Sopenharmony_ci} 4768c2ecf20Sopenharmony_ci 4778c2ecf20Sopenharmony_civoid sidtab_cancel_convert(struct sidtab *s) 4788c2ecf20Sopenharmony_ci{ 4798c2ecf20Sopenharmony_ci unsigned long flags; 4808c2ecf20Sopenharmony_ci 4818c2ecf20Sopenharmony_ci /* cancelling policy load - disable live convert of sidtab */ 4828c2ecf20Sopenharmony_ci spin_lock_irqsave(&s->lock, flags); 4838c2ecf20Sopenharmony_ci s->convert = NULL; 4848c2ecf20Sopenharmony_ci spin_unlock_irqrestore(&s->lock, flags); 4858c2ecf20Sopenharmony_ci} 4868c2ecf20Sopenharmony_ci 4878c2ecf20Sopenharmony_civoid sidtab_freeze_begin(struct sidtab *s, unsigned long *flags) __acquires(&s->lock) 4888c2ecf20Sopenharmony_ci{ 4898c2ecf20Sopenharmony_ci spin_lock_irqsave(&s->lock, *flags); 4908c2ecf20Sopenharmony_ci s->frozen = true; 4918c2ecf20Sopenharmony_ci s->convert = NULL; 4928c2ecf20Sopenharmony_ci} 4938c2ecf20Sopenharmony_civoid sidtab_freeze_end(struct sidtab *s, unsigned long *flags) __releases(&s->lock) 4948c2ecf20Sopenharmony_ci{ 4958c2ecf20Sopenharmony_ci spin_unlock_irqrestore(&s->lock, *flags); 4968c2ecf20Sopenharmony_ci} 4978c2ecf20Sopenharmony_ci 4988c2ecf20Sopenharmony_cistatic void sidtab_destroy_entry(struct sidtab_entry *entry) 4998c2ecf20Sopenharmony_ci{ 5008c2ecf20Sopenharmony_ci context_destroy(&entry->context); 5018c2ecf20Sopenharmony_ci#if CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE > 0 5028c2ecf20Sopenharmony_ci kfree(rcu_dereference_raw(entry->cache)); 5038c2ecf20Sopenharmony_ci#endif 5048c2ecf20Sopenharmony_ci} 5058c2ecf20Sopenharmony_ci 5068c2ecf20Sopenharmony_cistatic void sidtab_destroy_tree(union sidtab_entry_inner entry, u32 level) 5078c2ecf20Sopenharmony_ci{ 5088c2ecf20Sopenharmony_ci u32 i; 5098c2ecf20Sopenharmony_ci 5108c2ecf20Sopenharmony_ci if (level != 0) { 5118c2ecf20Sopenharmony_ci struct sidtab_node_inner *node = entry.ptr_inner; 5128c2ecf20Sopenharmony_ci 5138c2ecf20Sopenharmony_ci if (!node) 5148c2ecf20Sopenharmony_ci return; 5158c2ecf20Sopenharmony_ci 5168c2ecf20Sopenharmony_ci for (i = 0; i < SIDTAB_INNER_ENTRIES; i++) 5178c2ecf20Sopenharmony_ci sidtab_destroy_tree(node->entries[i], level - 1); 5188c2ecf20Sopenharmony_ci kfree(node); 5198c2ecf20Sopenharmony_ci } else { 5208c2ecf20Sopenharmony_ci struct sidtab_node_leaf *node = entry.ptr_leaf; 5218c2ecf20Sopenharmony_ci 5228c2ecf20Sopenharmony_ci if (!node) 5238c2ecf20Sopenharmony_ci return; 5248c2ecf20Sopenharmony_ci 5258c2ecf20Sopenharmony_ci for (i = 0; i < SIDTAB_LEAF_ENTRIES; i++) 5268c2ecf20Sopenharmony_ci sidtab_destroy_entry(&node->entries[i]); 5278c2ecf20Sopenharmony_ci kfree(node); 5288c2ecf20Sopenharmony_ci } 5298c2ecf20Sopenharmony_ci} 5308c2ecf20Sopenharmony_ci 5318c2ecf20Sopenharmony_civoid sidtab_destroy(struct sidtab *s) 5328c2ecf20Sopenharmony_ci{ 5338c2ecf20Sopenharmony_ci u32 i, level; 5348c2ecf20Sopenharmony_ci 5358c2ecf20Sopenharmony_ci for (i = 0; i < SECINITSID_NUM; i++) 5368c2ecf20Sopenharmony_ci if (s->isids[i].set) 5378c2ecf20Sopenharmony_ci sidtab_destroy_entry(&s->isids[i].entry); 5388c2ecf20Sopenharmony_ci 5398c2ecf20Sopenharmony_ci level = SIDTAB_MAX_LEVEL; 5408c2ecf20Sopenharmony_ci while (level && !s->roots[level].ptr_inner) 5418c2ecf20Sopenharmony_ci --level; 5428c2ecf20Sopenharmony_ci 5438c2ecf20Sopenharmony_ci sidtab_destroy_tree(s->roots[level], level); 5448c2ecf20Sopenharmony_ci /* 5458c2ecf20Sopenharmony_ci * The context_to_sid hashtable's objects are all shared 5468c2ecf20Sopenharmony_ci * with the isids array and context tree, and so don't need 5478c2ecf20Sopenharmony_ci * to be cleaned up here. 5488c2ecf20Sopenharmony_ci */ 5498c2ecf20Sopenharmony_ci} 5508c2ecf20Sopenharmony_ci 5518c2ecf20Sopenharmony_ci#if CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE > 0 5528c2ecf20Sopenharmony_ci 5538c2ecf20Sopenharmony_civoid sidtab_sid2str_put(struct sidtab *s, struct sidtab_entry *entry, 5548c2ecf20Sopenharmony_ci const char *str, u32 str_len) 5558c2ecf20Sopenharmony_ci{ 5568c2ecf20Sopenharmony_ci struct sidtab_str_cache *cache, *victim = NULL; 5578c2ecf20Sopenharmony_ci unsigned long flags; 5588c2ecf20Sopenharmony_ci 5598c2ecf20Sopenharmony_ci /* do not cache invalid contexts */ 5608c2ecf20Sopenharmony_ci if (entry->context.len) 5618c2ecf20Sopenharmony_ci return; 5628c2ecf20Sopenharmony_ci 5638c2ecf20Sopenharmony_ci spin_lock_irqsave(&s->cache_lock, flags); 5648c2ecf20Sopenharmony_ci 5658c2ecf20Sopenharmony_ci cache = rcu_dereference_protected(entry->cache, 5668c2ecf20Sopenharmony_ci lockdep_is_held(&s->cache_lock)); 5678c2ecf20Sopenharmony_ci if (cache) { 5688c2ecf20Sopenharmony_ci /* entry in cache - just bump to the head of LRU list */ 5698c2ecf20Sopenharmony_ci list_move(&cache->lru_member, &s->cache_lru_list); 5708c2ecf20Sopenharmony_ci goto out_unlock; 5718c2ecf20Sopenharmony_ci } 5728c2ecf20Sopenharmony_ci 5738c2ecf20Sopenharmony_ci cache = kmalloc(sizeof(struct sidtab_str_cache) + str_len, GFP_ATOMIC); 5748c2ecf20Sopenharmony_ci if (!cache) 5758c2ecf20Sopenharmony_ci goto out_unlock; 5768c2ecf20Sopenharmony_ci 5778c2ecf20Sopenharmony_ci if (s->cache_free_slots == 0) { 5788c2ecf20Sopenharmony_ci /* pop a cache entry from the tail and free it */ 5798c2ecf20Sopenharmony_ci victim = container_of(s->cache_lru_list.prev, 5808c2ecf20Sopenharmony_ci struct sidtab_str_cache, lru_member); 5818c2ecf20Sopenharmony_ci list_del(&victim->lru_member); 5828c2ecf20Sopenharmony_ci rcu_assign_pointer(victim->parent->cache, NULL); 5838c2ecf20Sopenharmony_ci } else { 5848c2ecf20Sopenharmony_ci s->cache_free_slots--; 5858c2ecf20Sopenharmony_ci } 5868c2ecf20Sopenharmony_ci cache->parent = entry; 5878c2ecf20Sopenharmony_ci cache->len = str_len; 5888c2ecf20Sopenharmony_ci memcpy(cache->str, str, str_len); 5898c2ecf20Sopenharmony_ci list_add(&cache->lru_member, &s->cache_lru_list); 5908c2ecf20Sopenharmony_ci 5918c2ecf20Sopenharmony_ci rcu_assign_pointer(entry->cache, cache); 5928c2ecf20Sopenharmony_ci 5938c2ecf20Sopenharmony_ciout_unlock: 5948c2ecf20Sopenharmony_ci spin_unlock_irqrestore(&s->cache_lock, flags); 5958c2ecf20Sopenharmony_ci kfree_rcu(victim, rcu_member); 5968c2ecf20Sopenharmony_ci} 5978c2ecf20Sopenharmony_ci 5988c2ecf20Sopenharmony_ciint sidtab_sid2str_get(struct sidtab *s, struct sidtab_entry *entry, 5998c2ecf20Sopenharmony_ci char **out, u32 *out_len) 6008c2ecf20Sopenharmony_ci{ 6018c2ecf20Sopenharmony_ci struct sidtab_str_cache *cache; 6028c2ecf20Sopenharmony_ci int rc = 0; 6038c2ecf20Sopenharmony_ci 6048c2ecf20Sopenharmony_ci if (entry->context.len) 6058c2ecf20Sopenharmony_ci return -ENOENT; /* do not cache invalid contexts */ 6068c2ecf20Sopenharmony_ci 6078c2ecf20Sopenharmony_ci rcu_read_lock(); 6088c2ecf20Sopenharmony_ci 6098c2ecf20Sopenharmony_ci cache = rcu_dereference(entry->cache); 6108c2ecf20Sopenharmony_ci if (!cache) { 6118c2ecf20Sopenharmony_ci rc = -ENOENT; 6128c2ecf20Sopenharmony_ci } else { 6138c2ecf20Sopenharmony_ci *out_len = cache->len; 6148c2ecf20Sopenharmony_ci if (out) { 6158c2ecf20Sopenharmony_ci *out = kmemdup(cache->str, cache->len, GFP_ATOMIC); 6168c2ecf20Sopenharmony_ci if (!*out) 6178c2ecf20Sopenharmony_ci rc = -ENOMEM; 6188c2ecf20Sopenharmony_ci } 6198c2ecf20Sopenharmony_ci } 6208c2ecf20Sopenharmony_ci 6218c2ecf20Sopenharmony_ci rcu_read_unlock(); 6228c2ecf20Sopenharmony_ci 6238c2ecf20Sopenharmony_ci if (!rc && out) 6248c2ecf20Sopenharmony_ci sidtab_sid2str_put(s, entry, *out, *out_len); 6258c2ecf20Sopenharmony_ci return rc; 6268c2ecf20Sopenharmony_ci} 6278c2ecf20Sopenharmony_ci 6288c2ecf20Sopenharmony_ci#endif /* CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE > 0 */ 629