1 /* 2 * Callbacks for user-supplied memory allocation, supplemental 3 * auditing, and locking routines. 4 * 5 * Author : Eamon Walsh <ewalsh@epoch.ncsc.mil> 6 * 7 * Netlink code derived in part from sample code by 8 * James Morris <jmorris@redhat.com>. 9 */ 10 11 #include <errno.h> 12 #include <stdio.h> 13 #include <stdlib.h> 14 #include <stdint.h> 15 #include <unistd.h> 16 #include <fcntl.h> 17 #include <string.h> 18 #include <poll.h> 19 #include <sys/types.h> 20 #include <sys/socket.h> 21 #include <linux/types.h> 22 #include <linux/netlink.h> 23 #include "callbacks.h" 24 #include "selinux_netlink.h" 25 #include "avc_internal.h" 26 27 #ifndef NETLINK_SELINUX 28 #define NETLINK_SELINUX 7 29 #endif 30 31 /* callback pointers */ 32 void *(*avc_func_malloc) (size_t) = NULL; 33 void (*avc_func_free) (void *) = NULL; 34 35 void (*avc_func_log) (const char *, ...) = NULL; 36 void (*avc_func_audit) (void *, security_class_t, char *, size_t) = NULL; 37 38 int avc_using_threads = 0; 39 int avc_app_main_loop = 0; 40 void *(*avc_func_create_thread) (void (*)(void)) = NULL; 41 void (*avc_func_stop_thread) (void *) = NULL; 42 43 void *(*avc_func_alloc_lock) (void) = NULL; 44 void (*avc_func_get_lock) (void *) = NULL; 45 void (*avc_func_release_lock) (void *) = NULL; 46 void (*avc_func_free_lock) (void *) = NULL; 47 48 /* message prefix string and avc enforcing mode */ 49 char avc_prefix[AVC_PREFIX_SIZE] = "uavc"; 50 int avc_running = 0; 51 int avc_enforcing = 1; 52 int avc_setenforce = 0; 53 int avc_netlink_trouble = 0; 54 55 /* netlink socket code */ 56 static int fd = -1; 57 58 int avc_netlink_open(int blocking) 59 { 60 int len, rc = 0; 61 struct sockaddr_nl addr; 62 63 fd = socket(PF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_SELINUX); 64 if (fd < 0) { 65 rc = fd; 66 goto out; 67 } 68 69 if (!blocking && fcntl(fd, F_SETFL, O_NONBLOCK)) { 70 close(fd); 71 fd = -1; 72 rc = -1; 73 goto out; 74 } 75 76 len = sizeof(addr); 77 78 memset(&addr, 0, len); 79 addr.nl_family = AF_NETLINK; 80 addr.nl_groups = SELNL_GRP_AVC; 81 82 if (bind(fd, (struct sockaddr *)&addr, len) < 0) { 83 close(fd); 84 fd = -1; 85 rc = -1; 86 goto out; 87 } 88 out: 89 return rc; 90 } 91 92 void avc_netlink_close(void) 93 { 94 if (fd >= 0) 95 close(fd); 96 fd = -1; 97 } 98 99 static int avc_netlink_receive(void *buf, unsigned buflen, int blocking) 100 { 101 int rc; 102 struct pollfd pfd = { fd, POLLIN | POLLPRI, 0 }; 103 struct sockaddr_nl nladdr; 104 socklen_t nladdrlen = sizeof nladdr; 105 struct nlmsghdr *nlh = (struct nlmsghdr *)buf; 106 107 do { 108 rc = poll(&pfd, 1, (blocking ? -1 : 0)); 109 } while (rc < 0 && errno == EINTR); 110 111 if (rc == 0 && !blocking) { 112 errno = EWOULDBLOCK; 113 return -1; 114 } 115 else if (rc < 1) { 116 avc_log(SELINUX_ERROR, "%s: netlink poll: error %d\n", 117 avc_prefix, errno); 118 return rc; 119 } 120 121 rc = recvfrom(fd, buf, buflen, 0, (struct sockaddr *)&nladdr, 122 &nladdrlen); 123 if (rc < 0) 124 return rc; 125 126 if (nladdrlen != sizeof nladdr) { 127 avc_log(SELINUX_WARNING, 128 "%s: warning: netlink address truncated, len %u?\n", 129 avc_prefix, nladdrlen); 130 return -1; 131 } 132 133 if (nladdr.nl_pid) { 134 avc_log(SELINUX_WARNING, 135 "%s: warning: received spoofed netlink packet from: %u\n", 136 avc_prefix, nladdr.nl_pid); 137 return -1; 138 } 139 140 if (rc == 0) { 141 avc_log(SELINUX_WARNING, 142 "%s: warning: received EOF on netlink socket\n", 143 avc_prefix); 144 errno = EBADFD; 145 return -1; 146 } 147 148 if (nlh->nlmsg_flags & MSG_TRUNC || nlh->nlmsg_len > (unsigned)rc) { 149 avc_log(SELINUX_WARNING, 150 "%s: warning: incomplete netlink message\n", 151 avc_prefix); 152 return -1; 153 } 154 155 return 0; 156 } 157 158 static int avc_netlink_process(void *buf) 159 { 160 int rc; 161 struct nlmsghdr *nlh = (struct nlmsghdr *)buf; 162 163 switch (nlh->nlmsg_type) { 164 case NLMSG_ERROR:{ 165 struct nlmsgerr *err = NLMSG_DATA(nlh); 166 167 /* Netlink ack */ 168 if (err->error == 0) 169 break; 170 171 errno = -err->error; 172 avc_log(SELINUX_ERROR, 173 "%s: netlink error: %d\n", avc_prefix, errno); 174 return -1; 175 } 176 177 case SELNL_MSG_SETENFORCE:{ 178 struct selnl_msg_setenforce *msg = NLMSG_DATA(nlh); 179 msg->val = !!msg->val; 180 avc_log(SELINUX_INFO, 181 "%s: received setenforce notice (enforcing=%d)\n", 182 avc_prefix, msg->val); 183 if (avc_setenforce) 184 break; 185 avc_enforcing = msg->val; 186 if (avc_enforcing && (rc = avc_ss_reset(0)) < 0) { 187 avc_log(SELINUX_ERROR, 188 "%s: cache reset returned %d (errno %d)\n", 189 avc_prefix, rc, errno); 190 return rc; 191 } 192 rc = selinux_netlink_setenforce(msg->val); 193 if (rc < 0) 194 return rc; 195 break; 196 } 197 198 case SELNL_MSG_POLICYLOAD:{ 199 struct selnl_msg_policyload *msg = NLMSG_DATA(nlh); 200 avc_log(SELINUX_INFO, 201 "%s: received policyload notice (seqno=%u)\n", 202 avc_prefix, msg->seqno); 203 rc = avc_ss_reset(msg->seqno); 204 if (rc < 0) { 205 avc_log(SELINUX_ERROR, 206 "%s: cache reset returned %d (errno %d)\n", 207 avc_prefix, rc, errno); 208 return rc; 209 } 210 rc = selinux_netlink_policyload(msg->seqno); 211 if (rc < 0) 212 return rc; 213 break; 214 } 215 216 default: 217 avc_log(SELINUX_WARNING, 218 "%s: warning: unknown netlink message %d\n", 219 avc_prefix, nlh->nlmsg_type); 220 } 221 return 0; 222 } 223 224 int avc_netlink_check_nb(void) 225 { 226 int rc; 227 char buf[1024] __attribute__ ((aligned)); 228 229 while (1) { 230 errno = 0; 231 rc = avc_netlink_receive(buf, sizeof(buf), 0); 232 if (rc < 0) { 233 if (errno == EWOULDBLOCK) 234 return 0; 235 if (errno == 0 || errno == EINTR) 236 continue; 237 else { 238 avc_log(SELINUX_ERROR, 239 "%s: netlink recvfrom: error %d\n", 240 avc_prefix, errno); 241 return rc; 242 } 243 } 244 245 (void)avc_netlink_process(buf); 246 } 247 return 0; 248 } 249 250 /* run routine for the netlink listening thread */ 251 void avc_netlink_loop(void) 252 { 253 int rc; 254 char buf[1024] __attribute__ ((aligned)); 255 256 while (1) { 257 errno = 0; 258 rc = avc_netlink_receive(buf, sizeof(buf), 1); 259 if (rc < 0) { 260 if (errno == 0 || errno == EINTR) 261 continue; 262 else { 263 avc_log(SELINUX_ERROR, 264 "%s: netlink recvfrom: error %d\n", 265 avc_prefix, errno); 266 break; 267 } 268 } 269 270 rc = avc_netlink_process(buf); 271 if (rc < 0) 272 break; 273 } 274 275 close(fd); 276 fd = -1; 277 avc_netlink_trouble = 1; 278 avc_log(SELINUX_ERROR, 279 "%s: netlink thread: errors encountered, terminating\n", 280 avc_prefix); 281 } 282 283 int avc_netlink_acquire_fd(void) 284 { 285 avc_app_main_loop = 1; 286 287 return fd; 288 } 289 290 void avc_netlink_release_fd(void) 291 { 292 avc_app_main_loop = 0; 293 } 294