Loading security/selinux/Kconfig +19 −0 Original line number Diff line number Diff line Loading @@ -74,6 +74,16 @@ config SECURITY_SELINUX_AVC_STATS /selinux/avc/cache_stats, which may be monitored via tools such as avcstat. config SECURITY_SELINUX_AVC_EXTRA_INFO bool "SELinux extended log info" depends on SECURITY_SELINUX default n help This option enables extra log info providing information about the audit result and the process under audit, such as thread group and parent pid. Appended log tags are: "ppid", "pcomm", "pgid", pgcomm" and "op_res". config SECURITY_SELINUX_CHECKREQPROT_VALUE int "NSA SELinux checkreqprot default value" depends on SECURITY_SELINUX Loading Loading @@ -131,3 +141,12 @@ config SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE installed under /etc/selinux/$SELINUXTYPE/policy, where SELINUXTYPE is defined in your /etc/selinux/config. config SECURITY_SELINUX_TRAP bool "SELinux error trap support" depends on SECURITY_SELINUX default n help This option enables the trap feature for SELinux errors. User process will get SIGABRT so that system can generate core file for more further invesitaion of SELinux errors. security/selinux/Makefile +2 −0 Original line number Diff line number Diff line Loading @@ -9,6 +9,8 @@ selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o \ ss/ebitmap.o ss/hashtab.o ss/symtab.o ss/sidtab.o ss/avtab.o \ ss/policydb.o ss/services.o ss/conditional.o ss/mls.o ss/status.o selinux-$(CONFIG_SECURITY_SELINUX_TRAP) += trap.o selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o selinux-$(CONFIG_NETLABEL) += netlabel.o Loading security/selinux/avc.c +48 −2 Original line number Diff line number Diff line Loading 
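Review bot: The help text for SECURITY_SELINUX_TRAP understates what enabling it does — by its own wording a user process that hits an SELinux error gets SIGABRT, i.e. a denial that used to be an -EACCES return now appears to kill the process — so it should say this is a debugging aid for development builds, e.g. `Intended for debugging only; do not enable on production kernels, since a process that hits an enforced denial is terminated.` The same help text has typos (`invesitaion`, `more further`), and the SECURITY_SELINUX_AVC_EXTRA_INFO help has an unbalanced quote in `pgcomm"`. That help also lists an `op_res` tag, but the avc.c hunk in this commit only emits ppid/pcomm/pgid/pgcomm, so either drop it from the help or add it to avc_dump_extra_info.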
@@ -13,6 +13,11 @@ * it under the terms of the GNU General Public License version 2, * as published by the Free Software Foundation. */ /* * NOTE: This file has been modified by Sony Mobile Communications Inc. * Modifications are Copyright (c) 2014 Sony Mobile Communications Inc, * and licensed under the license of the file. */ #include <linux/types.h> #include <linux/stddef.h> #include <linux/kernel.h> Loading @@ -33,9 +38,13 @@ #include "avc.h" #include "avc_ss.h" #include "classmap.h" #ifdef CONFIG_SECURITY_SELINUX_TRAP #include "trap.h" const int secclass_map_size = ARRAY_SIZE(secclass_map); #endif #define AVC_CACHE_SLOTS 512 #define AVC_DEF_CACHE_THRESHOLD 512 #define AVC_CACHE_SLOTS 1024 #define AVC_DEF_CACHE_THRESHOLD 2048 #define AVC_CACHE_RECLAIM 16 #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS Loading Loading @@ -716,6 +725,35 @@ static void avc_audit_pre_callback(struct audit_buffer *ab, void *a) audit_log_format(ab, " for "); } /** * avc_dump_extra_info - add extra info about task and audit result * @ab: the audit buffer * @ad: audit_data */ #ifdef CONFIG_SECURITY_SELINUX_AVC_EXTRA_INFO static void avc_dump_extra_info(struct audit_buffer *ab, struct common_audit_data *ad) { struct task_struct *tsk = current; if (tsk && tsk->pid) { audit_log_format(ab, " ppid=%d pcomm=", tsk->parent->pid); audit_log_untrustedstring(ab, tsk->parent->comm); if (tsk->group_leader->pid != tsk->pid) { audit_log_format(ab, " pgid=%d pgcomm=", tsk->group_leader->pid); audit_log_untrustedstring(ab, tsk->group_leader->comm); } else if (tsk->parent->group_leader->pid) { audit_log_format(ab, " pgid=%d pgcomm=", tsk->parent->group_leader->pid); audit_log_untrustedstring(ab, tsk->parent->group_leader->comm); } } } #endif /** * avc_audit_post_callback - SELinux specific information * will be called by generic audit code Loading 
@@ -733,6 +771,14 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a) audit_log_format(ab, " permissive=%u", ad->selinux_audit_data->result ? 0 : 1); } #ifdef CONFIG_SECURITY_SELINUX_AVC_EXTRA_INFO avc_dump_extra_info(ab, ad); #endif #ifdef CONFIG_SECURITY_SELINUX_TRAP if (ad->selinux_audit_data->denied && ad->selinux_audit_data->result) trap_selinux_error(ad); #endif } /* This is the slow part of avc audit with big stack footprint */ Loading security/selinux/include/avc_ss.h +8 −1 Original line number Diff line number Diff line Loading @@ -3,6 +3,11 @@ * * Author : Stephen Smalley, <sds@epoch.ncsc.mil> */ /* * NOTE: This file has been modified by Sony Mobile Communications Inc. * Modifications are Copyright (c) 2014 Sony Mobile Communications Inc, * and licensed under the license of the file. */ #ifndef _SELINUX_AVC_SS_H_ #define _SELINUX_AVC_SS_H_ Loading 
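Review bot: avc_dump_extra_info dereferences `tsk->parent` (and `tsk->parent->group_leader`) without holding the RCU read lock; `parent` is an RCU-protected pointer that can change under the caller when the parent exits and the task is reparented, so the reads should be done under `rcu_read_lock()`/`rcu_read_unlock()` via `rcu_dereference()`, and snapshotting pid and comm there keeps the logging calls outside the critical section. The `ad` parameter is unused and the kerneldoc says the function adds the audit result, yet nothing about the result is logged, so the comment or the code should be aligned. The `pgid` tag also means two different things (the task's thread-group leader in one branch, the parent's thread-group leader in the other), which makes the record ambiguous for log consumers; a distinct tag for the second case would be clearer. In the post-callback, `trap_selinux_error(ad)` runs from the audit path; if it takes the `selinux_trap_list_sem` semaphore declared in trap.h, confirm every caller of this path can sleep. The AVC_CACHE_SLOTS/AVC_DEF_CACHE_THRESHOLD changes are unrelated to the trap feature and belong in a separate commit with their own justification.
```c
static void avc_dump_extra_info(struct audit_buffer *ab,
				struct common_audit_data *ad)
{
	struct task_struct *tsk = current;
	struct task_struct *parent, *leader = NULL;
	char pcomm[TASK_COMM_LEN], lcomm[TASK_COMM_LEN];
	pid_t ppid, lpid = 0;

	if (!tsk || !tsk->pid)
		return;

	/* parent is RCU-protected: snapshot pid/comm before logging */
	rcu_read_lock();
	parent = rcu_dereference(tsk->parent);
	ppid = parent->pid;
	get_task_comm(pcomm, parent);
	if (tsk->group_leader->pid != tsk->pid)
		leader = tsk->group_leader;
	else if (parent->group_leader->pid)
		leader = parent->group_leader;
	if (leader) {
		lpid = leader->pid;
		get_task_comm(lcomm, leader);
	}
	rcu_read_unlock();

	audit_log_format(ab, " ppid=%d pcomm=", ppid);
	audit_log_untrustedstring(ab, pcomm);
	if (leader) {
		audit_log_format(ab, " pgid=%d pgcomm=", lpid);
		audit_log_untrustedstring(ab, lcomm);
	}
}
```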
@@ -17,7 +22,9 @@ struct security_class_mapping { }; extern struct security_class_mapping secclass_map[]; #ifdef CONFIG_SECURITY_SELINUX_TRAP extern const int secclass_map_size; #endif /* * The security server must be initialized before * any labeling or access decisions can be provided. Loading security/selinux/include/trap.h 0 → 100644 +74 −0 Original line number Diff line number Diff line /* * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2, as * published by the Free Software Foundation; either version 2 * of the License, or (at your option) any later version. */ /* * Copyright (C) 2014 Sony Mobile Communications Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2, as * published by the Free Software Foundation. */ #ifndef _SELINUX_TRAP_H_ #define _SELINUX_TRAP_H_ #include <linux/stddef.h> #include <linux/semaphore.h> #include <linux/audit.h> #include <linux/sched.h> #include "avc.h" enum trap_mask_type { TRAP_MASK_TYPE_POLARITY, TRAP_MASK_TYPE_SCONTEXT, TRAP_MASK_TYPE_TCONTEXT, TRAP_MASK_TYPE_TCLASS, TRAP_MASK_TYPE_PNAME, TRAP_MASK_TYPE_PNAME_PARENT, TRAP_MASK_TYPE_PNAME_PGL, TRAP_MASK_TYPE_PATH, TRAP_MASK_TYPE_NAME, TRAP_MASK_TYPE_ACTION, TRAP_MASK_TYPE_MAX }; enum trap_loglevel_type { TRAP_LOGLEVEL_MINIMUM = 0, TRAP_LOGLEVEL_NORMAL, TRAP_LOGLEVEL_DEVELOPER, TRAP_LOGLEVEL_MAX }; #define TRAP_MASK_TYPE_BEGIN TRAP_MASK_TYPE_POLARITY struct selinux_trap_list { char *item_array[TRAP_MASK_TYPE_MAX]; struct list_head list; struct rcu_head rcu; }; struct selinux_trap_process_list { struct list_head list; pid_t pid; char *msg; struct inode *inode; struct dentry *ldentry; }; void trap_selinux_error(struct common_audit_data *ad); extern int selinux_trap_enable; extern int selinux_trap_debug; extern struct selinux_trap_list selinux_trap_list_head; extern struct selinux_trap_process_list 
selinux_trap_process_list_head; extern struct semaphore selinux_trap_list_sem; #define trap_devel_log(fmt, ...) \ do { /* Multhi-statement Macro for semicolon */ \ if (selinux_trap_debug >= TRAP_LOGLEVEL_DEVELOPER) { \ pr_devel(fmt, ##__VA_ARGS__); \ } \ } while (0) /* Multhi-statement Macro for semicolon */ #endif /* _SELINUX_TRAP_H_ */ Loading
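Review bot: `struct selinux_trap_process_list` carries raw `struct inode *` and `struct dentry *` pointers and a `char *msg` with no statement of who holds the reference or frees the string, and `struct selinux_trap_list` has an `rcu_head` without saying that its `item_array` strings are released by the RCU callback; since this header is the contract other files see, each such field should carry a comment like `/* owned: freed with the entry in the RCU callback */` or `/* borrowed: no reference taken — confirm against trap.c */`, matching what trap.c (not on this page) actually does. The file also carries two GPL headers with different terms (one `or (at your option) any later version`, the other version 2 only), which should be collapsed into a single accurate one. `selinux_trap_list_sem` is a semaphore that, judging by its name, guards the list; kernel style prefers `struct mutex` for plain mutual exclusion unless a counting semaphore is genuinely needed. The comment typo `Multhi-statement` appears twice in the trap_devel_log macro.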
security/selinux/Kconfig +19 −0 Original line number Diff line number Diff line Loading @@ -74,6 +74,16 @@ config SECURITY_SELINUX_AVC_STATS /selinux/avc/cache_stats, which may be monitored via tools such as avcstat. config SECURITY_SELINUX_AVC_EXTRA_INFO bool "SELinux extended log info" depends on SECURITY_SELINUX default n help This option enables extra log info providing information about the audit result and the process under audit, such as thread group and parent pid. Appended log tags are: "ppid", "pcomm", "pgid", pgcomm" and "op_res". config SECURITY_SELINUX_CHECKREQPROT_VALUE int "NSA SELinux checkreqprot default value" depends on SECURITY_SELINUX Loading Loading @@ -131,3 +141,12 @@ config SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE installed under /etc/selinux/$SELINUXTYPE/policy, where SELINUXTYPE is defined in your /etc/selinux/config. config SECURITY_SELINUX_TRAP bool "SELinux error trap support" depends on SECURITY_SELINUX default n help This option enables the trap feature for SELinux errors. User process will get SIGABRT so that system can generate core file for more further invesitaion of SELinux errors.
security/selinux/Makefile +2 −0 Original line number Diff line number Diff line Loading @@ -9,6 +9,8 @@ selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o \ ss/ebitmap.o ss/hashtab.o ss/symtab.o ss/sidtab.o ss/avtab.o \ ss/policydb.o ss/services.o ss/conditional.o ss/mls.o ss/status.o selinux-$(CONFIG_SECURITY_SELINUX_TRAP) += trap.o selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o selinux-$(CONFIG_NETLABEL) += netlabel.o Loading
security/selinux/avc.c +48 −2 Original line number Diff line number Diff line Loading @@ -13,6 +13,11 @@ * it under the terms of the GNU General Public License version 2, * as published by the Free Software Foundation. */ /* * NOTE: This file has been modified by Sony Mobile Communications Inc. * Modifications are Copyright (c) 2014 Sony Mobile Communications Inc, * and licensed under the license of the file. */ #include <linux/types.h> #include <linux/stddef.h> #include <linux/kernel.h> Loading @@ -33,9 +38,13 @@ #include "avc.h" #include "avc_ss.h" #include "classmap.h" #ifdef CONFIG_SECURITY_SELINUX_TRAP #include "trap.h" const int secclass_map_size = ARRAY_SIZE(secclass_map); #endif #define AVC_CACHE_SLOTS 512 #define AVC_DEF_CACHE_THRESHOLD 512 #define AVC_CACHE_SLOTS 1024 #define AVC_DEF_CACHE_THRESHOLD 2048 #define AVC_CACHE_RECLAIM 16 #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS Loading Loading @@ -716,6 +725,35 @@ static void avc_audit_pre_callback(struct audit_buffer *ab, void *a) audit_log_format(ab, " for "); } /** * avc_dump_extra_info - add extra info about task and audit result * @ab: the audit buffer * @ad: audit_data */ #ifdef CONFIG_SECURITY_SELINUX_AVC_EXTRA_INFO static void avc_dump_extra_info(struct audit_buffer *ab, struct common_audit_data *ad) { struct task_struct *tsk = current; if (tsk && tsk->pid) { audit_log_format(ab, " ppid=%d pcomm=", tsk->parent->pid); audit_log_untrustedstring(ab, tsk->parent->comm); if (tsk->group_leader->pid != tsk->pid) { audit_log_format(ab, " pgid=%d pgcomm=", tsk->group_leader->pid); audit_log_untrustedstring(ab, tsk->group_leader->comm); } else if (tsk->parent->group_leader->pid) { audit_log_format(ab, " pgid=%d pgcomm=", tsk->parent->group_leader->pid); audit_log_untrustedstring(ab, tsk->parent->group_leader->comm); } } } #endif /** * avc_audit_post_callback - SELinux specific information * will be called by generic audit code Loading 
@@ -733,6 +771,14 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a) audit_log_format(ab, " permissive=%u", ad->selinux_audit_data->result ? 0 : 1); } #ifdef CONFIG_SECURITY_SELINUX_AVC_EXTRA_INFO avc_dump_extra_info(ab, ad); #endif #ifdef CONFIG_SECURITY_SELINUX_TRAP if (ad->selinux_audit_data->denied && ad->selinux_audit_data->result) trap_selinux_error(ad); #endif } /* This is the slow part of avc audit with big stack footprint */ Loading
security/selinux/include/avc_ss.h +8 −1 Original line number Diff line number Diff line Loading @@ -3,6 +3,11 @@ * * Author : Stephen Smalley, <sds@epoch.ncsc.mil> */ /* * NOTE: This file has been modified by Sony Mobile Communications Inc. * Modifications are Copyright (c) 2014 Sony Mobile Communications Inc, * and licensed under the license of the file. */ #ifndef _SELINUX_AVC_SS_H_ #define _SELINUX_AVC_SS_H_ Loading @@ -17,7 +22,9 @@ struct security_class_mapping { }; extern struct security_class_mapping secclass_map[]; #ifdef CONFIG_SECURITY_SELINUX_TRAP extern const int secclass_map_size; #endif /* * The security server must be initialized before * any labeling or access decisions can be provided. Loading
security/selinux/include/trap.h 0 → 100644 +74 −0 Original line number Diff line number Diff line /* * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2, as * published by the Free Software Foundation; either version 2 * of the License, or (at your option) any later version. */ /* * Copyright (C) 2014 Sony Mobile Communications Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2, as * published by the Free Software Foundation. */ #ifndef _SELINUX_TRAP_H_ #define _SELINUX_TRAP_H_ #include <linux/stddef.h> #include <linux/semaphore.h> #include <linux/audit.h> #include <linux/sched.h> #include "avc.h" enum trap_mask_type { TRAP_MASK_TYPE_POLARITY, TRAP_MASK_TYPE_SCONTEXT, TRAP_MASK_TYPE_TCONTEXT, TRAP_MASK_TYPE_TCLASS, TRAP_MASK_TYPE_PNAME, TRAP_MASK_TYPE_PNAME_PARENT, TRAP_MASK_TYPE_PNAME_PGL, TRAP_MASK_TYPE_PATH, TRAP_MASK_TYPE_NAME, TRAP_MASK_TYPE_ACTION, TRAP_MASK_TYPE_MAX }; enum trap_loglevel_type { TRAP_LOGLEVEL_MINIMUM = 0, TRAP_LOGLEVEL_NORMAL, TRAP_LOGLEVEL_DEVELOPER, TRAP_LOGLEVEL_MAX }; #define TRAP_MASK_TYPE_BEGIN TRAP_MASK_TYPE_POLARITY struct selinux_trap_list { char *item_array[TRAP_MASK_TYPE_MAX]; struct list_head list; struct rcu_head rcu; }; struct selinux_trap_process_list { struct list_head list; pid_t pid; char *msg; struct inode *inode; struct dentry *ldentry; }; void trap_selinux_error(struct common_audit_data *ad); extern int selinux_trap_enable; extern int selinux_trap_debug; extern struct selinux_trap_list selinux_trap_list_head; extern struct selinux_trap_process_list selinux_trap_process_list_head; extern struct semaphore selinux_trap_list_sem; #define trap_devel_log(fmt, ...) 
\ do { /* Multhi-statement Macro for semicolon */ \ if (selinux_trap_debug >= TRAP_LOGLEVEL_DEVELOPER) { \ pr_devel(fmt, ##__VA_ARGS__); \ } \ } while (0) /* Multhi-statement Macro for semicolon */ #endif /* _SELINUX_TRAP_H_ */