static int read_binary_policy(policydb_t * p, char *file, char *progname) { int fd; struct stat sb; void *map; struct policy_file f, *fp; fd = open(file, O_RDONLY); if (fd < 0) { fprintf(stderr, "Can't open '%s': %s\n", file, strerror(errno)); return -1; } if (fstat(fd, &sb) < 0) { fprintf(stderr, "Can't stat '%s': %s\n", file, strerror(errno)); close(fd); return -1; } map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); close(fd); if (map == MAP_FAILED) { fprintf(stderr, "Can't map '%s': %s\n", file, strerror(errno)); return -1; } policy_file_init(&f); f.type = PF_USE_MEMORY; f.data = map; f.len = sb.st_size; fp = &f; if (policydb_init(p)) { fprintf(stderr, "%s: policydb_init: Out of memory!\n", progname); return -1; } if (policydb_read(p, fp, 1)) { fprintf(stderr, "%s: error(s) encountered while parsing configuration\n", progname); return -1; } /* Check Policy Consistency */ if (p->mls) { if (!mlspol) { fprintf(stderr, "%s: MLS policy, but non-MLS" " is specified\n", progname); return -1; } } else { if (mlspol) { fprintf(stderr, "%s: non-MLS policy, but MLS" " is specified\n", progname); return -1; } } return 0; }
static void selinux_permissive(void) { policydb_t policydb; struct policy_file pf; policydb_init(&policydb); sepol_set_policydb(&policydb); policy_file_init(&pf); // Read the current policy pf.fp = fopen("/sepolicy", "r"); pf.type = PF_USE_STDIO; policydb_read(&policydb, &pf, 0); fclose(pf.fp); // Make init, recovery, and ueventd permissive set_permissive("init", &policydb); set_permissive("recovery", &policydb); set_permissive("ueventd", &policydb); // Write the new policy and load it pf.fp = fopen("/dev/sepolicy", "w+"); policydb_write(&policydb, &pf); int size = ftell(pf.fp); fseek(pf.fp, SEEK_SET, 0); void *map = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fileno(pf.fp), 0); int load = open("/sys/fs/selinux/load", O_WRONLY); write(load, map, size); close(load); munmap(map, size); fclose(pf.fp); policydb_destroy(&policydb); }
int load_policy(char *filename, policydb_t *policydb, struct policy_file *pf) { FILE* f; size_t size; void *data; int ret; f = fopen(filename, "rb"); if (f == NULL) { fprintf(stderr, "Can't open '%s': %s\n", filename, strerror(errno)); return 1; } fseek(f, 0, SEEK_END); size = ftell(f); fseek(f, 0, SEEK_SET); data = malloc(size); if (data == NULL) { fprintf(stderr, "Can't allocat memory\n"); fclose(f); return 1; } if (fread(data, 1, size, f) != size) { fprintf(stderr, "Can't read policy file '%s': %s\n", filename, strerror(errno)); free(data); fclose(f); return 1; } policy_file_init(pf); pf->type = PF_USE_MEMORY; pf->data = (char*)data; pf->len = size; if (policydb_init(policydb)) { fprintf(stderr, "policydb_init: Out of memory!\n"); free(data); fclose(f); return 1; } ret = policydb_read(policydb, pf, 1); if (ret) { fprintf(stderr, "error(s) encountered while parsing configuration\n"); free(data); fclose(f); return 1; } free(data); fclose(f); return 0; }
int load_policy(char *filename, policydb_t * policydb, struct policy_file *pf) { int fd; struct stat sb; void *map; int ret; fd = open(filename, O_RDONLY); if (fd < 0) { fprintf(stderr, "Can't open '%s': %s\n", filename, strerror(errno)); return 1; } if (fstat(fd, &sb) < 0) { fprintf(stderr, "Can't stat '%s': %s\n", filename, strerror(errno)); close(fd); return 1; } map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); if (map == MAP_FAILED) { fprintf(stderr, "Can't mmap '%s': %s\n", filename, strerror(errno)); close(fd); return 1; } policy_file_init(pf); pf->type = PF_USE_MEMORY; pf->data = map; pf->len = sb.st_size; if (policydb_init(policydb)) { fprintf(stderr, "Could not initialize policydb!\n"); close(fd); munmap(map, sb.st_size); return 1; } ret = policydb_read(policydb, pf, 0); if (ret) { fprintf(stderr, "error(s) encountered while parsing configuration\n"); close(fd); munmap(map, sb.st_size); return 1; } return 0; }
bool selinux_read_policy(const std::string &path, policydb_t *pdb) { struct policy_file pf; struct stat sb; void *map; int fd; fd = open(path.c_str(), O_RDONLY); if (fd < 0) { LOGE("Failed to open %s: %s", path.c_str(), strerror(errno)); return false; } auto close_fd = finally([&] { close(fd); }); if (fstat(fd, &sb) < 0) { LOGE("Failed to stat %s: %s", path.c_str(), strerror(errno)); return false; } map = mmap(nullptr, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0); if (map == MAP_FAILED) { LOGE("Failed to mmap %s: %s", path.c_str(), strerror(errno)); return false; } auto unmap_map = finally([&] { munmap(map, sb.st_size); }); policy_file_init(&pf); pf.type = PF_USE_MEMORY; pf.data = (char *) map; pf.len = sb.st_size; auto destroy_pf = finally([&] { sepol_handle_destroy(pf.handle); }); return policydb_read(pdb, &pf, 0) == 0; }
int selinux_mkload_policy(int preservebools) { int kernvers = security_policyvers(); int maxvers = kernvers, minvers = DEFAULT_POLICY_VERSION, vers; int setlocaldefs = load_setlocaldefs; char path[PATH_MAX]; struct stat sb; struct utsname uts; size_t size; void *map, *data; int fd, rc = -1, prot; sepol_policydb_t *policydb; sepol_policy_file_t *pf; int usesepol = 0; int (*vers_max)(void) = NULL; int (*vers_min)(void) = NULL; int (*policy_file_create)(sepol_policy_file_t **) = NULL; void (*policy_file_free)(sepol_policy_file_t *) = NULL; void (*policy_file_set_mem)(sepol_policy_file_t *, char*, size_t) = NULL; int (*policydb_create)(sepol_policydb_t **) = NULL; void (*policydb_free)(sepol_policydb_t *) = NULL; int (*policydb_read)(sepol_policydb_t *, sepol_policy_file_t *) = NULL; int (*policydb_set_vers)(sepol_policydb_t *, unsigned int) = NULL; int (*policydb_to_image)(sepol_handle_t *, sepol_policydb_t *, void **, size_t *) = NULL; int (*genbools_array)(void *data, size_t len, char **names, int *values, int nel) = NULL; int (*genusers)(void *data, size_t len, const char *usersdir, void **newdata, size_t * newlen) = NULL; int (*genbools)(void *data, size_t len, char *boolpath) = NULL; #ifdef SHARED char *errormsg = NULL; void *libsepolh = NULL; libsepolh = dlopen("libsepol.so.1", RTLD_NOW); if (libsepolh) { usesepol = 1; dlerror(); #define DLERR() if ((errormsg = dlerror())) goto dlclose; vers_max = dlsym(libsepolh, "sepol_policy_kern_vers_max"); DLERR(); vers_min = dlsym(libsepolh, "sepol_policy_kern_vers_min"); DLERR(); policy_file_create = dlsym(libsepolh, "sepol_policy_file_create"); DLERR(); policy_file_free = dlsym(libsepolh, "sepol_policy_file_free"); DLERR(); policy_file_set_mem = dlsym(libsepolh, "sepol_policy_file_set_mem"); DLERR(); policydb_create = dlsym(libsepolh, "sepol_policydb_create"); DLERR(); policydb_free = dlsym(libsepolh, "sepol_policydb_free"); DLERR(); policydb_read = dlsym(libsepolh, "sepol_policydb_read"); DLERR(); policydb_set_vers = dlsym(libsepolh, "sepol_policydb_set_vers"); DLERR(); policydb_to_image = dlsym(libsepolh, "sepol_policydb_to_image"); DLERR(); genbools_array = dlsym(libsepolh, "sepol_genbools_array"); DLERR(); genusers = dlsym(libsepolh, "sepol_genusers"); DLERR(); genbools = dlsym(libsepolh, "sepol_genbools"); DLERR(); #undef DLERR } #else usesepol = 1; vers_max = sepol_policy_kern_vers_max; vers_min = sepol_policy_kern_vers_min; policy_file_create = sepol_policy_file_create; policy_file_free = sepol_policy_file_free; policy_file_set_mem = sepol_policy_file_set_mem; policydb_create = sepol_policydb_create; policydb_free = sepol_policydb_free; policydb_read = sepol_policydb_read; policydb_set_vers = sepol_policydb_set_vers; policydb_to_image = sepol_policydb_to_image; genbools_array = sepol_genbools_array; genusers = sepol_genusers; genbools = sepol_genbools; #endif /* * Check whether we need to support local boolean and user definitions. */ if (setlocaldefs) { if (access(selinux_booleans_path(), F_OK) == 0) goto checkbool; snprintf(path, sizeof path, "%s.local", selinux_booleans_path()); if (access(path, F_OK) == 0) goto checkbool; snprintf(path, sizeof path, "%s/local.users", selinux_users_path()); if (access(path, F_OK) == 0) goto checkbool; /* No local definition files, so disable setlocaldefs. */ setlocaldefs = 0; } checkbool: /* * As of Linux 2.6.22, the kernel preserves boolean * values across a reload, so we do not need to * preserve them in userspace. */ if (preservebools && uname(&uts) == 0 && strverscmp(uts.release, "2.6.22") >= 0) preservebools = 0; if (usesepol) { maxvers = vers_max(); minvers = vers_min(); if (!setlocaldefs && !preservebools) maxvers = max(kernvers, maxvers); } vers = maxvers; search: snprintf(path, sizeof(path), "%s.%d", selinux_binary_policy_path(), vers); fd = open(path, O_RDONLY); while (fd < 0 && errno == ENOENT && --vers >= minvers) { /* Check prior versions to see if old policy is available */ snprintf(path, sizeof(path), "%s.%d", selinux_binary_policy_path(), vers); fd = open(path, O_RDONLY); } if (fd < 0) { fprintf(stderr, "SELinux: Could not open policy file <= %s.%d: %s\n", selinux_binary_policy_path(), maxvers, strerror(errno)); goto dlclose; } if (fstat(fd, &sb) < 0) { fprintf(stderr, "SELinux: Could not stat policy file %s: %s\n", path, strerror(errno)); goto close; } prot = PROT_READ; if (setlocaldefs || preservebools) prot |= PROT_WRITE; size = sb.st_size; data = map = mmap(NULL, size, prot, MAP_PRIVATE, fd, 0); if (map == MAP_FAILED) { fprintf(stderr, "SELinux: Could not map policy file %s: %s\n", path, strerror(errno)); goto close; } if (vers > kernvers && usesepol) { /* Need to downgrade to kernel-supported version. */ if (policy_file_create(&pf)) goto unmap; if (policydb_create(&policydb)) { policy_file_free(pf); goto unmap; } policy_file_set_mem(pf, data, size); if (policydb_read(policydb, pf)) { policy_file_free(pf); policydb_free(policydb); goto unmap; } if (policydb_set_vers(policydb, kernvers) || policydb_to_image(NULL, policydb, &data, &size)) { /* Downgrade failed, keep searching. */ fprintf(stderr, "SELinux: Could not downgrade policy file %s, searching for an older version.\n", path); policy_file_free(pf); policydb_free(policydb); munmap(map, sb.st_size); close(fd); vers--; goto search; } policy_file_free(pf); policydb_free(policydb); } if (usesepol) { if (setlocaldefs) { void *olddata = data; size_t oldsize = size; rc = genusers(olddata, oldsize, selinux_users_path(), &data, &size); if (rc < 0) { /* Fall back to the prior image if genusers failed. */ data = olddata; size = oldsize; rc = 0; } else { if (olddata != map) free(olddata); } } #ifndef DISABLE_BOOL if (preservebools) { int *values, len, i; char **names; rc = security_get_boolean_names(&names, &len); if (!rc) { values = malloc(sizeof(int) * len); if (!values) goto unmap; for (i = 0; i < len; i++) values[i] = security_get_boolean_active(names[i]); (void)genbools_array(data, size, names, values, len); free(values); for (i = 0; i < len; i++) free(names[i]); free(names); } } else if (setlocaldefs) { (void)genbools(data, size, (char *)selinux_booleans_path()); } #endif } rc = security_load_policy(data, size); if (rc) fprintf(stderr, "SELinux: Could not load policy file %s: %s\n", path, strerror(errno)); unmap: if (data != map) free(data); munmap(map, sb.st_size); close: close(fd); dlclose: #ifdef SHARED if (errormsg) fprintf(stderr, "libselinux: %s\n", errormsg); if (libsepolh) dlclose(libsepolh); #endif return rc; }
/** * security_load_policy - Load a security policy configuration. * @data: binary policy data * @len: length of data in bytes * * Load a new set of security policy configuration data, * validate it and convert the SID table as necessary. * This function will flush the access vector cache after * loading the new policy. */ int security_load_policy(void *data, size_t len) { struct policydb oldpolicydb, newpolicydb; struct sidtab oldsidtab, newsidtab; struct convert_context_args args; u32 seqno; int rc = 0; struct policy_file file = { data, len }, *fp = &file; LOAD_LOCK; if (!ss_initialized) { if (policydb_read(&policydb, fp)) { LOAD_UNLOCK; return -EINVAL; } if (policydb_load_isids(&policydb, &sidtab)) { LOAD_UNLOCK; policydb_destroy(&policydb); return -EINVAL; } ss_initialized = 1; LOAD_UNLOCK; selinux_complete_init(); return 0; } #if 0 sidtab_hash_eval(&sidtab, "sids"); #endif if (policydb_read(&newpolicydb, fp)) { LOAD_UNLOCK; return -EINVAL; } sidtab_init(&newsidtab); /* Verify that the existing classes did not change. */ if (hashtab_map(policydb.p_classes.table, validate_class, &newpolicydb)) { printk(KERN_ERR "security: the definition of an existing " "class changed\n"); rc = -EINVAL; goto err; } /* Clone the SID table. */ sidtab_shutdown(&sidtab); if (sidtab_map(&sidtab, clone_sid, &newsidtab)) { rc = -ENOMEM; goto err; } /* Convert the internal representations of contexts in the new SID table and remove invalid SIDs. */ args.oldp = &policydb; args.newp = &newpolicydb; sidtab_map_remove_on_error(&newsidtab, convert_context, &args); /* Save the old policydb and SID table to free later. */ memcpy(&oldpolicydb, &policydb, sizeof policydb); sidtab_set(&oldsidtab, &sidtab); /* Install the new policydb and SID table. */ POLICY_WRLOCK; memcpy(&policydb, &newpolicydb, sizeof policydb); sidtab_set(&sidtab, &newsidtab); seqno = ++latest_granting; POLICY_WRUNLOCK; LOAD_UNLOCK; /* Free the old policydb and SID table. */ policydb_destroy(&oldpolicydb); sidtab_destroy(&oldsidtab); avc_ss_reset(seqno); return 0; err: LOAD_UNLOCK; sidtab_destroy(&newsidtab); policydb_destroy(&newpolicydb); return rc; }
int sepol_module_package_read(sepol_module_package_t *mod, struct sepol_policy_file *spf, int verbose) { struct policy_file *file= &spf->pf; uint32_t *buf, nsec; size_t *offsets, len; int retval = -1; unsigned i, seen = 0; if (module_package_read_offsets(mod, file, &offsets, &nsec)) return -1; /* we know the section offsets, seek to them and read in the data */ for (i = 0; i < nsec; i++ ) { if (policy_file_seek(file, offsets[i])) { ERR(file->handle, "error seeking to offset %zu for " "module package section %u", offsets[i], i); goto cleanup; } len = offsets[i + 1] - offsets[i]; if (len < sizeof(uint32_t)) { ERR(file->handle, "module package section %u " "has too small length %zu", i, len); goto cleanup; } /* read the magic number, so that we know which function to call */ buf = next_entry(file, sizeof(uint32_t)); if (!buf) { ERR(file->handle, "module package section %u truncated, lacks magic number", i); goto cleanup; } switch(le32_to_cpu(buf[0])) { case SEPOL_PACKAGE_SECTION_FC: if (seen & SEEN_FC) { ERR(file->handle, "found multiple file contexts sections in module package (at section %u)", i); goto cleanup; } mod->file_contexts_len = len - sizeof(uint32_t); mod->file_contexts = (char *)malloc(mod->file_contexts_len); if (!mod->file_contexts) { ERR(file->handle, "out of memory"); goto cleanup; } if (read_helper(mod->file_contexts, file, mod->file_contexts_len)) { ERR(file->handle, "invalid file contexts section at section %u", i); free(mod->file_contexts); mod->file_contexts = NULL; goto cleanup; } seen |= SEEN_FC; break; case SEPOL_PACKAGE_SECTION_SEUSER: if (seen & SEEN_SEUSER) { ERR(file->handle, "found multiple seuser sections in module package (at section %u)", i); goto cleanup; } mod->seusers_len = len - sizeof(uint32_t); mod->seusers = (char *)malloc(mod->seusers_len); if (!mod->seusers) { ERR(file->handle, "out of memory"); goto cleanup; } if (read_helper(mod->seusers, file, mod->seusers_len)) { ERR(file->handle, "invalid seuser section at section %u", i); free(mod->seusers); mod->seusers = NULL; goto cleanup; } seen |= SEEN_SEUSER; break; case SEPOL_PACKAGE_SECTION_USER_EXTRA: if (seen & SEEN_USER_EXTRA) { ERR(file->handle, "found multiple user_extra sections in module package (at section %u)", i); goto cleanup; } mod->user_extra_len = len - sizeof(uint32_t); mod->user_extra = (char *)malloc(mod->user_extra_len); if (!mod->user_extra) { ERR(file->handle, "out of memory"); goto cleanup; } if (read_helper(mod->user_extra, file, mod->user_extra_len)) { ERR(file->handle, "invalid user_extra section at section %u", i); free(mod->user_extra); mod->user_extra= NULL; goto cleanup; } seen |= SEEN_USER_EXTRA; break; case POLICYDB_MOD_MAGIC: if (seen & SEEN_MOD) { ERR(file->handle, "found multiple module sections in module package (at section %u)", i); goto cleanup; } /* seek back to where the magic number was */ if (policy_file_seek(file, offsets[i])) goto cleanup; retval = policydb_read(&mod->policy->p, file, verbose); if (retval < 0) { ERR(file->handle, "invalid module in module package (at section %u)", i); goto cleanup; } seen |= SEEN_MOD; break; default: /* unknown section, ignore */ ERR(file->handle, "unknown magic number at section %u, offset: %zx, number: %ux ", i, offsets[i],le32_to_cpu(buf[0])); break; } } if ((seen & SEEN_MOD) == 0) { ERR(file->handle, "missing module in module package"); goto cleanup; } free(offsets); return 0; cleanup: free(offsets); return retval; }