1 // SPDX-License-Identifier: GPL-2.0
3 * Implementation of the SID table type.
8 * Copyright (C) 2018 Red Hat, Inc.
10 #include <linux/errno.h>
11 #include <linux/kernel.h>
12 #include <linux/slab.h>
13 #include <linux/sched.h>
14 #include <linux/spinlock.h>
15 #include <linux/atomic.h>
20 int sidtab_init(struct sidtab *s)
24 memset(s->roots, 0, sizeof(s->roots));
26 for (i = 0; i < SIDTAB_RCACHE_SIZE; i++)
27 atomic_set(&s->rcache[i], -1);
29 for (i = 0; i < SECINITSID_NUM; i++)
32 atomic_set(&s->count, 0);
36 spin_lock_init(&s->lock);
40 int sidtab_set_initial(struct sidtab *s, u32 sid, struct context *context)
42 struct sidtab_isid_entry *entry;
45 if (sid == 0 || sid > SECINITSID_NUM)
48 entry = &s->isids[sid - 1];
50 rc = context_cpy(&entry->context, context);
58 static u32 sidtab_level_from_count(u32 count)
60 u32 capacity = SIDTAB_LEAF_ENTRIES;
63 while (count > capacity) {
64 capacity <<= SIDTAB_INNER_SHIFT;
70 static int sidtab_alloc_roots(struct sidtab *s, u32 level)
74 if (!s->roots[0].ptr_leaf) {
75 s->roots[0].ptr_leaf = kzalloc(SIDTAB_NODE_ALLOC_SIZE,
77 if (!s->roots[0].ptr_leaf)
80 for (l = 1; l <= level; ++l)
81 if (!s->roots[l].ptr_inner) {
82 s->roots[l].ptr_inner = kzalloc(SIDTAB_NODE_ALLOC_SIZE,
84 if (!s->roots[l].ptr_inner)
86 s->roots[l].ptr_inner->entries[0] = s->roots[l - 1];
91 static struct context *sidtab_do_lookup(struct sidtab *s, u32 index, int alloc)
93 union sidtab_entry_inner *entry;
94 u32 level, capacity_shift, leaf_index = index / SIDTAB_LEAF_ENTRIES;
96 /* find the level of the subtree we need */
97 level = sidtab_level_from_count(index + 1);
98 capacity_shift = level * SIDTAB_INNER_SHIFT;
100 /* allocate roots if needed */
101 if (alloc && sidtab_alloc_roots(s, level) != 0)
104 /* lookup inside the subtree */
105 entry = &s->roots[level];
107 capacity_shift -= SIDTAB_INNER_SHIFT;
110 entry = &entry->ptr_inner->entries[leaf_index >> capacity_shift];
111 leaf_index &= ((u32)1 << capacity_shift) - 1;
113 if (!entry->ptr_inner) {
115 entry->ptr_inner = kzalloc(SIDTAB_NODE_ALLOC_SIZE,
117 if (!entry->ptr_inner)
121 if (!entry->ptr_leaf) {
123 entry->ptr_leaf = kzalloc(SIDTAB_NODE_ALLOC_SIZE,
125 if (!entry->ptr_leaf)
128 return &entry->ptr_leaf->entries[index % SIDTAB_LEAF_ENTRIES].context;
131 static struct context *sidtab_lookup(struct sidtab *s, u32 index)
133 u32 count = (u32)atomic_read(&s->count);
138 /* read entries after reading count */
141 return sidtab_do_lookup(s, index, 0);
144 static struct context *sidtab_lookup_initial(struct sidtab *s, u32 sid)
146 return s->isids[sid - 1].set ? &s->isids[sid - 1].context : NULL;
149 static struct context *sidtab_search_core(struct sidtab *s, u32 sid, int force)
151 struct context *context;
154 if (sid > SECINITSID_NUM)
155 context = sidtab_lookup(s, sid - (SECINITSID_NUM + 1));
157 context = sidtab_lookup_initial(s, sid);
158 if (context && (!context->len || force))
162 return sidtab_lookup_initial(s, SECINITSID_UNLABELED);
165 struct context *sidtab_search(struct sidtab *s, u32 sid)
167 return sidtab_search_core(s, sid, 0);
170 struct context *sidtab_search_force(struct sidtab *s, u32 sid)
172 return sidtab_search_core(s, sid, 1);
175 static int sidtab_find_context(union sidtab_entry_inner entry,
176 u32 *pos, u32 count, u32 level,
177 struct context *context, u32 *index)
183 struct sidtab_node_inner *node = entry.ptr_inner;
186 while (i < SIDTAB_INNER_ENTRIES && *pos < count) {
187 rc = sidtab_find_context(node->entries[i],
188 pos, count, level - 1,
195 struct sidtab_node_leaf *node = entry.ptr_leaf;
198 while (i < SIDTAB_LEAF_ENTRIES && *pos < count) {
199 if (context_cmp(&node->entries[i].context, context)) {
210 static void sidtab_rcache_update(struct sidtab *s, u32 index, u32 pos)
213 atomic_set(&s->rcache[pos], atomic_read(&s->rcache[pos - 1]));
216 atomic_set(&s->rcache[0], (int)index);
219 static void sidtab_rcache_push(struct sidtab *s, u32 index)
221 sidtab_rcache_update(s, index, SIDTAB_RCACHE_SIZE - 1);
224 static int sidtab_rcache_search(struct sidtab *s, struct context *context,
229 for (i = 0; i < SIDTAB_RCACHE_SIZE; i++) {
230 int v = atomic_read(&s->rcache[i]);
235 if (context_cmp(sidtab_do_lookup(s, (u32)v, 0), context)) {
236 sidtab_rcache_update(s, (u32)v, i);
244 static int sidtab_reverse_lookup(struct sidtab *s, struct context *context,
248 u32 count = (u32)atomic_read(&s->count);
249 u32 count_locked, level, pos;
250 struct sidtab_convert_params *convert;
251 struct context *dst, *dst_convert;
254 rc = sidtab_rcache_search(s, context, index);
258 level = sidtab_level_from_count(count);
260 /* read entries after reading count */
264 rc = sidtab_find_context(s->roots[level], &pos, count, level,
267 sidtab_rcache_push(s, *index);
271 /* lock-free search failed: lock, re-search, and insert if not found */
272 spin_lock_irqsave(&s->lock, flags);
274 convert = s->convert;
275 count_locked = (u32)atomic_read(&s->count);
276 level = sidtab_level_from_count(count_locked);
278 /* if count has changed before we acquired the lock, then catch up */
279 while (count < count_locked) {
280 if (context_cmp(sidtab_do_lookup(s, count, 0), context)) {
281 sidtab_rcache_push(s, count);
289 /* insert context into new entry */
291 dst = sidtab_do_lookup(s, count, 1);
295 rc = context_cpy(dst, context);
300 * if we are building a new sidtab, we need to convert the context
301 * and insert it there as well
305 dst_convert = sidtab_do_lookup(convert->target, count, 1);
307 context_destroy(dst);
311 rc = convert->func(context, dst_convert, convert->args);
313 context_destroy(dst);
317 /* at this point we know the insert won't fail */
318 atomic_set(&convert->target->count, count + 1);
322 pr_info("SELinux: Context %s is not valid (left unmapped).\n",
325 sidtab_rcache_push(s, count);
328 /* write entries before writing new count */
331 atomic_set(&s->count, count + 1);
335 spin_unlock_irqrestore(&s->lock, flags);
339 int sidtab_context_to_sid(struct sidtab *s, struct context *context, u32 *sid)
344 for (i = 0; i < SECINITSID_NUM; i++) {
345 struct sidtab_isid_entry *entry = &s->isids[i];
347 if (entry->set && context_cmp(context, &entry->context)) {
353 rc = sidtab_reverse_lookup(s, context, sid);
356 *sid += SECINITSID_NUM + 1;
360 static int sidtab_convert_tree(union sidtab_entry_inner *edst,
361 union sidtab_entry_inner *esrc,
362 u32 *pos, u32 count, u32 level,
363 struct sidtab_convert_params *convert)
369 if (!edst->ptr_inner) {
370 edst->ptr_inner = kzalloc(SIDTAB_NODE_ALLOC_SIZE,
372 if (!edst->ptr_inner)
376 while (i < SIDTAB_INNER_ENTRIES && *pos < count) {
377 rc = sidtab_convert_tree(&edst->ptr_inner->entries[i],
378 &esrc->ptr_inner->entries[i],
379 pos, count, level - 1,
386 if (!edst->ptr_leaf) {
387 edst->ptr_leaf = kzalloc(SIDTAB_NODE_ALLOC_SIZE,
393 while (i < SIDTAB_LEAF_ENTRIES && *pos < count) {
394 rc = convert->func(&esrc->ptr_leaf->entries[i].context,
395 &edst->ptr_leaf->entries[i].context,
407 int sidtab_convert(struct sidtab *s, struct sidtab_convert_params *params)
410 u32 count, level, pos;
413 spin_lock_irqsave(&s->lock, flags);
415 /* concurrent policy loads are not allowed */
417 spin_unlock_irqrestore(&s->lock, flags);
421 count = (u32)atomic_read(&s->count);
422 level = sidtab_level_from_count(count);
424 /* allocate last leaf in the new sidtab (to avoid race with
427 rc = sidtab_do_lookup(params->target, count - 1, 1) ? 0 : -ENOMEM;
429 spin_unlock_irqrestore(&s->lock, flags);
433 /* set count in case no new entries are added during conversion */
434 atomic_set(¶ms->target->count, count);
436 /* enable live convert of new entries */
439 /* we can safely do the rest of the conversion outside the lock */
440 spin_unlock_irqrestore(&s->lock, flags);
442 pr_info("SELinux: Converting %u SID table entries...\n", count);
444 /* convert all entries not covered by live convert */
446 rc = sidtab_convert_tree(¶ms->target->roots[level],
447 &s->roots[level], &pos, count, level, params);
449 /* we need to keep the old table - disable live convert */
450 spin_lock_irqsave(&s->lock, flags);
452 spin_unlock_irqrestore(&s->lock, flags);
457 static void sidtab_destroy_tree(union sidtab_entry_inner entry, u32 level)
462 struct sidtab_node_inner *node = entry.ptr_inner;
467 for (i = 0; i < SIDTAB_INNER_ENTRIES; i++)
468 sidtab_destroy_tree(node->entries[i], level - 1);
471 struct sidtab_node_leaf *node = entry.ptr_leaf;
476 for (i = 0; i < SIDTAB_LEAF_ENTRIES; i++)
477 context_destroy(&node->entries[i].context);
482 void sidtab_destroy(struct sidtab *s)
486 for (i = 0; i < SECINITSID_NUM; i++)
488 context_destroy(&s->isids[i].context);
490 level = SIDTAB_MAX_LEVEL;
491 while (level && !s->roots[level].ptr_inner)
494 sidtab_destroy_tree(s->roots[level], level);