static ssize_t sel_write_enforce(struct file *file, const char __user *buf, size_t count, loff_t *ppos) { char *page = NULL; ssize_t length; int new_value; length = -ENOMEM; if (count >= PAGE_SIZE) goto out; /* No partial writes. */ length = -EINVAL; if (*ppos != 0) goto out; length = -ENOMEM; page = (char *)get_zeroed_page(GFP_KERNEL); if (!page) goto out; length = -EFAULT; if (copy_from_user(page, buf, count)) goto out; length = -EINVAL; if (sscanf(page, "%d", &new_value) != 1) goto out; new_value = 0; if (new_value != selinux_enforcing) { length = task_has_security(current, SECURITY__SETENFORCE); if (length) goto out; audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS, "enforcing=%d old_enforcing=%d auid=%u ses=%u", new_value, selinux_enforcing, from_kuid(&init_user_ns, audit_get_loginuid(current)), audit_get_sessionid(current)); selinux_enforcing = new_value; if (selinux_enforcing) avc_ss_reset(0); selnl_notify_setenforce(selinux_enforcing); selinux_status_update_setenforce(selinux_enforcing); } length = count; out: free_page((unsigned long) page); return length; }
static ssize_t sel_write_enforce(struct file *file, const char __user *buf, size_t count, loff_t *ppos) { char *page = NULL; ssize_t length; int new_value; if (count >= PAGE_SIZE) return -ENOMEM; /* No partial writes. */ if (*ppos != 0) return -EINVAL; page = memdup_user_nul(buf, count); if (IS_ERR(page)) return PTR_ERR(page); length = -EINVAL; if (sscanf(page, "%d", &new_value) != 1) goto out; new_value = !!new_value; if (new_value != selinux_enforcing) { length = avc_has_perm(current_sid(), SECINITSID_SECURITY, SECCLASS_SECURITY, SECURITY__SETENFORCE, NULL); if (length) goto out; audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS, "enforcing=%d old_enforcing=%d auid=%u ses=%u", new_value, selinux_enforcing, from_kuid(&init_user_ns, audit_get_loginuid(current)), audit_get_sessionid(current)); selinux_enforcing = new_value; if (selinux_enforcing) avc_ss_reset(0); selnl_notify_setenforce(selinux_enforcing); selinux_status_update_setenforce(selinux_enforcing); } length = count; out: kfree(page); return length; }
static int flask_security_setenforce(struct xen_flask_setenforce *arg) { int enforce = !!(arg->enforcing); int rv; if ( enforce == flask_enforcing ) return 0; rv = domain_has_security(current->domain, SECURITY__SETENFORCE); if ( rv ) return rv; flask_enforcing = enforce; if ( flask_enforcing ) avc_ss_reset(0); return 0; }
static int avc_netlink_process(char *buf) { int rc; struct nlmsghdr *nlh = (struct nlmsghdr *)buf; switch (nlh->nlmsg_type) { case NLMSG_ERROR:{ struct nlmsgerr *err = NLMSG_DATA(nlh); /* Netlink ack */ if (err->error == 0) break; errno = -err->error; avc_log(SELINUX_ERROR, "%s: netlink error: %d\n", avc_prefix, errno); return -1; } case SELNL_MSG_SETENFORCE:{ struct selnl_msg_setenforce *msg = NLMSG_DATA(nlh); avc_log(SELINUX_INFO, "%s: received setenforce notice (enforcing=%d)\n", avc_prefix, msg->val); if (avc_setenforce) break; avc_enforcing = msg->val; if (avc_enforcing && (rc = avc_ss_reset(0)) < 0) { avc_log(SELINUX_ERROR, "%s: cache reset returned %d (errno %d)\n", avc_prefix, rc, errno); return rc; } rc = selinux_netlink_setenforce(msg->val); if (rc < 0) return rc; break; } case SELNL_MSG_POLICYLOAD:{ struct selnl_msg_policyload *msg = NLMSG_DATA(nlh); avc_log(SELINUX_INFO, "%s: received policyload notice (seqno=%d)\n", avc_prefix, msg->seqno); rc = avc_ss_reset(msg->seqno); if (rc < 0) { avc_log(SELINUX_ERROR, "%s: cache reset returned %d (errno %d)\n", avc_prefix, rc, errno); return rc; } rc = selinux_netlink_policyload(msg->seqno); if (rc < 0) return rc; break; } default: avc_log(SELINUX_WARNING, "%s: warning: unknown netlink message %d\n", avc_prefix, nlh->nlmsg_type); } return 0; }
static ssize_t sel_write_enforce(struct file *file, const char __user *buf, size_t count, loff_t *ppos) { char *page = NULL; ssize_t length; int new_value; length = -ENOMEM; if (count >= PAGE_SIZE) goto out; /* No partial writes. */ length = EINVAL; if (*ppos != 0) goto out; length = -ENOMEM; page = (char *)get_zeroed_page(GFP_KERNEL); if (!page) goto out; length = -EFAULT; if (copy_from_user(page, buf, count)) goto out; length = -EINVAL; if (sscanf(page, "%d", &new_value) != 1) goto out; #ifdef CONFIG_ALWAYS_ENFORCE // If build is user build and enforce option is set, selinux is always enforcing new_value = 1; length = task_has_security(current, SECURITY__SETENFORCE); audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS, "config_always_enforce - true; enforcing=%d old_enforcing=%d auid=%u ses=%u", new_value, selinux_enforcing, from_kuid(&init_user_ns, audit_get_loginuid(current)), audit_get_sessionid(current)); selinux_enforcing = new_value; avc_ss_reset(0); selnl_notify_setenforce(new_value); selinux_status_update_setenforce(new_value); #else new_value = 0; /* Bye NSA! Nobody invited you here, so go back into reclusion and be permissive */ if (new_value != selinux_enforcing) { length = task_has_security(current, SECURITY__SETENFORCE); if (length) goto out; audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS, "enforcing=%d old_enforcing=%d auid=%u ses=%u", new_value, selinux_enforcing, from_kuid(&init_user_ns, audit_get_loginuid(current)), audit_get_sessionid(current)); selinux_enforcing = new_value; if (selinux_enforcing) avc_ss_reset(0); selnl_notify_setenforce(selinux_enforcing); selinux_status_update_setenforce(selinux_enforcing); } #endif length = count; out: free_page((unsigned long) page); return length; }
/** * security_load_policy - Load a security policy configuration. * @data: binary policy data * @len: length of data in bytes * * Load a new set of security policy configuration data, * validate it and convert the SID table as necessary. * This function will flush the access vector cache after * loading the new policy. */ int security_load_policy(void *data, size_t len) { struct policydb oldpolicydb, newpolicydb; struct sidtab oldsidtab, newsidtab; struct convert_context_args args; u32 seqno; int rc = 0; struct policy_file file = { data, len }, *fp = &file; LOAD_LOCK; if (!ss_initialized) { if (policydb_read(&policydb, fp)) { LOAD_UNLOCK; return -EINVAL; } if (policydb_load_isids(&policydb, &sidtab)) { LOAD_UNLOCK; policydb_destroy(&policydb); return -EINVAL; } ss_initialized = 1; LOAD_UNLOCK; selinux_complete_init(); return 0; } #if 0 sidtab_hash_eval(&sidtab, "sids"); #endif if (policydb_read(&newpolicydb, fp)) { LOAD_UNLOCK; return -EINVAL; } sidtab_init(&newsidtab); /* Verify that the existing classes did not change. */ if (hashtab_map(policydb.p_classes.table, validate_class, &newpolicydb)) { printk(KERN_ERR "security: the definition of an existing " "class changed\n"); rc = -EINVAL; goto err; } /* Clone the SID table. */ sidtab_shutdown(&sidtab); if (sidtab_map(&sidtab, clone_sid, &newsidtab)) { rc = -ENOMEM; goto err; } /* Convert the internal representations of contexts in the new SID table and remove invalid SIDs. */ args.oldp = &policydb; args.newp = &newpolicydb; sidtab_map_remove_on_error(&newsidtab, convert_context, &args); /* Save the old policydb and SID table to free later. */ memcpy(&oldpolicydb, &policydb, sizeof policydb); sidtab_set(&oldsidtab, &sidtab); /* Install the new policydb and SID table. */ POLICY_WRLOCK; memcpy(&policydb, &newpolicydb, sizeof policydb); sidtab_set(&sidtab, &newsidtab); seqno = ++latest_granting; POLICY_WRUNLOCK; LOAD_UNLOCK; /* Free the old policydb and SID table. */ policydb_destroy(&oldpolicydb); sidtab_destroy(&oldsidtab); avc_ss_reset(seqno); return 0; err: LOAD_UNLOCK; sidtab_destroy(&newsidtab); policydb_destroy(&newpolicydb); return rc; }