selinux/

access_vector_cache.rs

// Copyright 2023 The Fuchsia Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

use crate::access_cache::AccessCache;
use crate::policy::{AccessDecision, XpermsAccessDecision, XpermsKind};
use crate::security_server::SecurityServerBackend;
use crate::{FsNodeClass, NullessByteStr, ObjectClass, SecurityId};
use std::sync::Arc;

pub use crate::access_cache::CacheStats;

/// Interface used internally by the `SecurityServer` implementation to implement policy queries
/// such as looking up the set of permissions to grant, or the Security Context to apply to new
/// files, etc.
///
/// This trait allows layering of caching, delegation, and thread-safety between the policy-backed
/// calculations, and the caller-facing permission-check interface.
pub(super) trait Query {
    /// Computes the [`AccessDecision`] permitted to `source_sid` for accessing `target_sid`, an
    /// object of type `target_class`.
    fn compute_access_decision(
        &self,
        source_sid: SecurityId,
        target_sid: SecurityId,
        target_class: ObjectClass,
    ) -> AccessDecision;

    /// Returns the security identifier (SID) with which to label a new object of `object_class`.
    /// The label is calculated based on the creating `source_sid` and the `target_sid` of the
    /// container (e.g. file-system, parent file node, process, etc).
    ///
    /// This computation does not take into account filename transition rules, for which the
    /// `compute_fs_node_sid_with_name()` lookup should be used instead.
    fn compute_create_sid(
        &self,
        source_sid: SecurityId,
        target_sid: SecurityId,
        target_class: ObjectClass,
    ) -> Result<SecurityId, anyhow::Error>;

    /// Returns the security identifier (SID) with which to label a new `fs_node_class` instance of
    /// name `fs_node_name`, created by `source_sid` in a parent directory labeled `target_sid`.
    /// If no filename-transition rules exist for the specified `fs_node_name` then `None` is
    /// returned.
    fn compute_new_fs_node_sid_with_name(
        &self,
        source_sid: SecurityId,
        target_sid: SecurityId,
        fs_node_class: FsNodeClass,
        fs_node_name: NullessByteStr<'_>,
    ) -> Option<SecurityId>;

    /// Computes the [`XpermsAccessDecision`] permitted to `source_sid` for accessing `target_sid`,
    /// an object of type `target_class`, for xperms of kind `xperms_kind` with high byte
    /// `xperms_prefix`.
    fn compute_xperms_access_decision(
        &self,
        xperms_kind: XpermsKind,
        source_sid: SecurityId,
        target_sid: SecurityId,
        target_class: ObjectClass,
        xperms_prefix: u8,
    ) -> XpermsAccessDecision;
}

#[derive(Clone, Hash, PartialEq, Eq)]
struct AccessQueryArgs {
    source_sid: SecurityId,
    target_sid: SecurityId,
    target_class: ObjectClass,
}

#[derive(Clone, Hash, PartialEq, Eq)]
struct XpermsAccessQueryArgs {
    xperms_kind: XpermsKind,
    source_sid: SecurityId,
    target_sid: SecurityId,
    target_class: ObjectClass,
    xperms_prefix: u8,
}

/// Thread-hostile associative cache with capacity defined at construction and FIFO eviction.
pub(super) struct FifoQueryCache {
    access_cache: AccessCache<AccessQueryArgs, AccessDecision>,
    sid_cache: AccessCache<AccessQueryArgs, SecurityId>,
    xperms_access_cache: AccessCache<XpermsAccessQueryArgs, XpermsAccessDecision>,
}

impl FifoQueryCache {
    // The multiplier used to compute the xperms access cache capacity from the main cache capacity.
    const XPERMS_CAPACITY_MULTIPLIER: f32 = 0.25;

    /// Constructs a fixed-size access vector cache.
    ///
    /// # Panics
    ///
    /// This will panic if called with a `capacity` of zero.
    pub fn new(capacity: usize) -> Self {
        assert!(capacity > 0, "cannot instantiate fixed access vector cache of size 0");
        let xperms_access_cache_capacity =
            (Self::XPERMS_CAPACITY_MULTIPLIER * (capacity as f32)) as usize;
        assert!(
            xperms_access_cache_capacity > 0,
            "cannot instantiate xperms cache partition of size 0"
        );

        Self {
            access_cache: AccessCache::with_capacity(capacity),
            sid_cache: AccessCache::with_capacity(capacity),
            xperms_access_cache: AccessCache::with_capacity(xperms_access_cache_capacity),
        }
    }

    pub fn cache_stats(&self) -> CacheStats {
        let stats = &self.access_cache.cache_stats() + &self.sid_cache.cache_stats();
        &stats + &self.xperms_access_cache.cache_stats()
    }

    pub fn compute_access_decision(
        &self,
        delegate: &impl Query,
        source_sid: SecurityId,
        target_sid: SecurityId,
        target_class: ObjectClass,
    ) -> AccessDecision {
        let query_args =
            AccessQueryArgs { source_sid, target_sid, target_class: target_class.clone() };
        self.access_cache.get_or_insert(query_args, || {
            delegate.compute_access_decision(source_sid, target_sid, target_class)
        })
    }

    pub fn compute_create_sid(
        &self,
        delegate: &impl Query,
        source_sid: SecurityId,
        target_sid: SecurityId,
        target_class: ObjectClass,
    ) -> Result<SecurityId, anyhow::Error> {
        let query_args =
            AccessQueryArgs { source_sid, target_sid, target_class: target_class.clone() };
        self.sid_cache.get_or_try_insert(query_args, || {
            delegate.compute_create_sid(source_sid, target_sid, target_class)
        })
    }

    pub fn compute_new_fs_node_sid_with_name(
        &self,
        delegate: &impl Query,
        source_sid: SecurityId,
        target_sid: SecurityId,
        fs_node_class: FsNodeClass,
        fs_node_name: NullessByteStr<'_>,
    ) -> Option<SecurityId> {
        delegate.compute_new_fs_node_sid_with_name(
            source_sid,
            target_sid,
            fs_node_class,
            fs_node_name,
        )
    }

    pub fn compute_xperms_access_decision(
        &self,
        delegate: &impl Query,
        xperms_kind: XpermsKind,
        source_sid: SecurityId,
        target_sid: SecurityId,
        target_class: ObjectClass,
        xperms_prefix: u8,
    ) -> XpermsAccessDecision {
        let query_args = XpermsAccessQueryArgs {
            xperms_kind: xperms_kind.clone(),
            source_sid,
            target_sid,
            target_class: target_class.clone(),
            xperms_prefix,
        };
        self.xperms_access_cache.get_or_insert(query_args, || {
            delegate.compute_xperms_access_decision(
                xperms_kind,
                source_sid,
                target_sid,
                target_class,
                xperms_prefix,
            )
        })
    }

    pub fn reset(&self) {
        self.access_cache.reset();
        self.sid_cache.reset();
        self.xperms_access_cache.reset();
    }

    /// Returns true if the main access decision cache has reached capacity.
    #[cfg(test)]
    fn access_cache_is_full(&self) -> bool {
        self.access_cache.is_full()
    }

    /// Returns true if the xperms access decision cache has reached capacity.
    #[cfg(test)]
    fn xperms_access_cache_is_full(&self) -> bool {
        self.xperms_access_cache.is_full()
    }
}

/// Default size of an access vector cache shared by all threads in the system.
const DEFAULT_SHARED_SIZE: usize = 2000;

/// An access vector cache.
#[derive(Clone)]
pub(super) struct AccessVectorCache {
    cache: Arc<FifoQueryCache>,
    backend: Arc<SecurityServerBackend>,
}

impl AccessVectorCache {
    pub fn new(backend: Arc<SecurityServerBackend>) -> Self {
        let cache = FifoQueryCache::new(DEFAULT_SHARED_SIZE);
        Self { cache: Arc::new(cache), backend }
    }

    pub fn cache_stats(&self) -> CacheStats {
        self.cache.cache_stats()
    }

    pub fn reset(&self) {
        self.cache.reset()
    }
}

impl Query for AccessVectorCache {
    fn compute_access_decision(
        &self,
        source_sid: SecurityId,
        target_sid: SecurityId,
        target_class: ObjectClass,
    ) -> AccessDecision {
        self.cache.compute_access_decision(
            self.backend.as_ref(),
            source_sid,
            target_sid,
            target_class,
        )
    }

    fn compute_create_sid(
        &self,
        source_sid: SecurityId,
        target_sid: SecurityId,
        target_class: ObjectClass,
    ) -> Result<SecurityId, anyhow::Error> {
        self.cache.compute_create_sid(self.backend.as_ref(), source_sid, target_sid, target_class)
    }

    fn compute_new_fs_node_sid_with_name(
        &self,
        source_sid: SecurityId,
        target_sid: SecurityId,
        fs_node_class: FsNodeClass,
        fs_node_name: NullessByteStr<'_>,
    ) -> Option<SecurityId> {
        self.cache.compute_new_fs_node_sid_with_name(
            self.backend.as_ref(),
            source_sid,
            target_sid,
            fs_node_class,
            fs_node_name,
        )
    }

    fn compute_xperms_access_decision(
        &self,
        xperms_kind: XpermsKind,
        source_sid: SecurityId,
        target_sid: SecurityId,
        target_class: ObjectClass,
        xperms_prefix: u8,
    ) -> XpermsAccessDecision {
        self.cache.compute_xperms_access_decision(
            self.backend.as_ref(),
            xperms_kind,
            source_sid,
            target_sid,
            target_class,
            xperms_prefix,
        )
    }
}

/// Test constants and helpers shared by `tests` and `starnix_tests`.
#[cfg(test)]
mod testing {
    use crate::SecurityId;

    use std::num::NonZeroU32;
    use std::sync::LazyLock;
    use std::sync::atomic::{AtomicU32, Ordering};

    /// SID to use where any value will do.
    pub(super) static A_TEST_SID: LazyLock<SecurityId> = LazyLock::new(unique_sid);

    /// Default fixed cache capacity to request in tests.
    pub(super) const TEST_CAPACITY: usize = 10;

    /// Returns a new `SecurityId` with unique id.
    pub(super) fn unique_sid() -> SecurityId {
        static NEXT_ID: AtomicU32 = AtomicU32::new(1000);
        SecurityId(NonZeroU32::new(NEXT_ID.fetch_add(1, Ordering::AcqRel)).unwrap())
    }

    /// Returns a vector of `count` unique `SecurityIds`.
    pub(super) fn unique_sids(count: usize) -> Vec<SecurityId> {
        (0..count).map(|_| unique_sid()).collect()
    }
}

#[cfg(test)]
mod tests {
    use super::testing::*;
    use super::*;
    use crate::KernelClass;
    use crate::policy::{AccessVector, XpermsBitmap};

    use std::sync::atomic::{AtomicUsize, Ordering};

    /// No-op policy query delegate that allows all permissions and maintains no internal state, for testing.
    #[derive(Default)]
    struct TestDelegate {
        query_count: AtomicUsize,
    }

    impl TestDelegate {
        fn query_count(&self) -> usize {
            self.query_count.load(Ordering::Relaxed)
        }
    }

    impl Query for TestDelegate {
        fn compute_access_decision(
            &self,
            _source_sid: SecurityId,
            _target_sid: SecurityId,
            _target_class: ObjectClass,
        ) -> AccessDecision {
            self.query_count.fetch_add(1, Ordering::Relaxed);
            AccessDecision::allow(AccessVector::ALL)
        }

        fn compute_create_sid(
            &self,
            _source_sid: SecurityId,
            _target_sid: SecurityId,
            _target_class: ObjectClass,
        ) -> Result<SecurityId, anyhow::Error> {
            unreachable!()
        }

        fn compute_new_fs_node_sid_with_name(
            &self,
            _source_sid: SecurityId,
            _target_sid: SecurityId,
            _fs_node_class: FsNodeClass,
            _fs_node_name: NullessByteStr<'_>,
        ) -> Option<SecurityId> {
            unreachable!()
        }

        fn compute_xperms_access_decision(
            &self,
            _xperms_kind: XpermsKind,
            _source_sid: SecurityId,
            _target_sid: SecurityId,
            _target_class: ObjectClass,
            _xperms_prefix: u8,
        ) -> XpermsAccessDecision {
            self.query_count.fetch_add(1, Ordering::Relaxed);
            XpermsAccessDecision::ALLOW_ALL
        }
    }

    #[test]
    fn fixed_access_vector_cache_add_entry() {
        let delegate = TestDelegate::default();
        let avc = FifoQueryCache::new(TEST_CAPACITY);
        assert_eq!(0, delegate.query_count());
        assert_eq!(
            AccessVector::ALL,
            avc.compute_access_decision(
                &delegate,
                A_TEST_SID.clone(),
                A_TEST_SID.clone(),
                KernelClass::Process.into()
            )
            .allow
        );
        assert_eq!(1, delegate.query_count());
        assert_eq!(
            AccessVector::ALL,
            avc.compute_access_decision(
                &delegate,
                A_TEST_SID.clone(),
                A_TEST_SID.clone(),
                KernelClass::Process.into()
            )
            .allow
        );
        assert_eq!(1, delegate.query_count());
        assert_eq!(false, avc.access_cache_is_full());
    }

    #[test]
    fn fixed_access_vector_cache_reset() {
        let delegate = TestDelegate::default();
        let avc = FifoQueryCache::new(TEST_CAPACITY);

        avc.reset();
        assert_eq!(false, avc.access_cache_is_full());

        assert_eq!(0, delegate.query_count());
        assert_eq!(
            AccessVector::ALL,
            avc.compute_access_decision(
                &delegate,
                A_TEST_SID.clone(),
                A_TEST_SID.clone(),
                KernelClass::Process.into()
            )
            .allow
        );
        assert_eq!(1, delegate.query_count());
        assert_eq!(false, avc.access_cache_is_full());

        avc.reset();
        assert_eq!(false, avc.access_cache_is_full());
    }

    #[test]
    fn fixed_access_vector_cache_fill() {
        let delegate = TestDelegate::default();
        let avc = FifoQueryCache::new(TEST_CAPACITY);

        for sid in unique_sids(avc.access_cache.capacity()) {
            avc.compute_access_decision(
                &delegate,
                sid,
                A_TEST_SID.clone(),
                KernelClass::Process.into(),
            );
        }
        assert_eq!(true, avc.access_cache_is_full());

        avc.reset();
        assert_eq!(false, avc.access_cache_is_full());

        for sid in unique_sids(avc.access_cache.capacity()) {
            avc.compute_access_decision(
                &delegate,
                A_TEST_SID.clone(),
                sid,
                KernelClass::Process.into(),
            );
        }
        assert_eq!(true, avc.access_cache_is_full());

        avc.reset();
        assert_eq!(false, avc.access_cache_is_full());
    }

    #[test]
    fn fixed_access_vector_cache_full_miss() {
        let delegate = TestDelegate::default();
        let avc = FifoQueryCache::new(TEST_CAPACITY);

        // Make the test query, which will trivially miss.
        avc.compute_access_decision(
            &delegate,
            A_TEST_SID.clone(),
            A_TEST_SID.clone(),
            KernelClass::Process.into(),
        );
        assert!(!avc.access_cache_is_full());

        // Fill the cache with new queries, which should evict the test query.
        for sid in unique_sids(avc.access_cache.capacity()) {
            avc.compute_access_decision(
                &delegate,
                sid,
                A_TEST_SID.clone(),
                KernelClass::Process.into(),
            );
        }
        assert!(avc.access_cache_is_full());

        // Making the test query should result in another miss.
        let delegate_query_count = delegate.query_count();
        avc.compute_access_decision(
            &delegate,
            A_TEST_SID.clone(),
            A_TEST_SID.clone(),
            KernelClass::Process.into(),
        );
        assert_eq!(delegate_query_count + 1, delegate.query_count());

        // Because the cache is not LRU, making `capacity()` unique queries, each preceded by
        // the test query, will still result in the test query result being evicted.
        // Each test query will hit, and the interleaved queries will miss, with the final of the
        // interleaved queries evicting the test query.
        for sid in unique_sids(avc.access_cache.capacity()) {
            avc.compute_access_decision(
                &delegate,
                A_TEST_SID.clone(),
                A_TEST_SID.clone(),
                KernelClass::Process.into(),
            );
            avc.compute_access_decision(
                &delegate,
                sid,
                A_TEST_SID.clone(),
                KernelClass::Process.into(),
            );
        }

        // The test query should now miss.
        let delegate_query_count = delegate.query_count();
        avc.compute_access_decision(
            &delegate,
            A_TEST_SID.clone(),
            A_TEST_SID.clone(),
            KernelClass::Process.into(),
        );
        assert_eq!(delegate_query_count + 1, delegate.query_count());
    }

    #[test]
    fn access_vector_cache_ioctl_hit() {
        let delegate = TestDelegate::default();
        let avc = FifoQueryCache::new(TEST_CAPACITY);
        assert_eq!(0, delegate.query_count());
        assert_eq!(
            XpermsBitmap::ALL,
            avc.compute_xperms_access_decision(
                &delegate,
                XpermsKind::Ioctl,
                A_TEST_SID.clone(),
                A_TEST_SID.clone(),
                KernelClass::Process.into(),
                0x0,
            )
            .allow
        );
        assert_eq!(1, delegate.query_count());
        // The second request for the same key is a cache hit.
        assert_eq!(
            XpermsBitmap::ALL,
            avc.compute_xperms_access_decision(
                &delegate,
                XpermsKind::Ioctl,
                A_TEST_SID.clone(),
                A_TEST_SID.clone(),
                KernelClass::Process.into(),
                0x0
            )
            .allow
        );
        assert_eq!(1, delegate.query_count());
    }

    #[test]
    fn access_vector_cache_ioctl_miss() {
        let delegate = TestDelegate::default();
        let avc = FifoQueryCache::new(TEST_CAPACITY);

        // Make the test query, which will trivially miss.
        avc.compute_xperms_access_decision(
            &delegate,
            XpermsKind::Ioctl,
            A_TEST_SID.clone(),
            A_TEST_SID.clone(),
            KernelClass::Process.into(),
            0x0,
        );

        // Fill the xperms cache with new queries, which should evict the test query.
        for ioctl_prefix in 0x1..(1 + avc.xperms_access_cache.capacity())
            .try_into()
            .expect("assumed that test xperms cache capacity was < 255")
        {
            avc.compute_xperms_access_decision(
                &delegate,
                XpermsKind::Ioctl,
                A_TEST_SID.clone(),
                A_TEST_SID.clone(),
                KernelClass::Process.into(),
                ioctl_prefix,
            );
        }
        // Make sure that we've fulfilled at least one new cache miss since the original test query,
        // and that the cache is now full.
        assert!(delegate.query_count() > 1);
        assert!(avc.xperms_access_cache_is_full());
        let delegate_query_count = delegate.query_count();

        // Making the original test query again should result in another miss.
        avc.compute_xperms_access_decision(
            &delegate,
            XpermsKind::Ioctl,
            A_TEST_SID.clone(),
            A_TEST_SID.clone(),
            KernelClass::Process.into(),
            0x0,
        );
        assert_eq!(delegate_query_count + 1, delegate.query_count());
    }

    #[test]
    fn access_vector_cache_nlmsg_hit() {
        let delegate = TestDelegate::default();
        let avc = FifoQueryCache::new(TEST_CAPACITY);
        assert_eq!(0, delegate.query_count());
        assert_eq!(
            XpermsBitmap::ALL,
            avc.compute_xperms_access_decision(
                &delegate,
                XpermsKind::Nlmsg,
                A_TEST_SID.clone(),
                A_TEST_SID.clone(),
                KernelClass::Process.into(),
                0x0,
            )
            .allow
        );
        assert_eq!(1, delegate.query_count());
        // The second request for the same key is a cache hit.
        assert_eq!(
            XpermsBitmap::ALL,
            avc.compute_xperms_access_decision(
                &delegate,
                XpermsKind::Nlmsg,
                A_TEST_SID.clone(),
                A_TEST_SID.clone(),
                KernelClass::Process.into(),
                0x0
            )
            .allow
        );
        assert_eq!(1, delegate.query_count());
    }

    #[test]
    fn access_vector_cache_nlmsg_miss() {
        let delegate = TestDelegate::default();
        let avc = FifoQueryCache::new(TEST_CAPACITY);

        // Make the test query, which will trivially miss.
        avc.compute_xperms_access_decision(
            &delegate,
            XpermsKind::Nlmsg,
            A_TEST_SID.clone(),
            A_TEST_SID.clone(),
            KernelClass::Process.into(),
            0x0,
        );

        // Fill the xperms cache with new queries, which should evict the test query.
        for nlmsg_prefix in 0x1..(1 + avc.xperms_access_cache.capacity())
            .try_into()
            .expect("assumed that test xperms cache capacity was < 255")
        {
            avc.compute_xperms_access_decision(
                &delegate,
                XpermsKind::Nlmsg,
                A_TEST_SID.clone(),
                A_TEST_SID.clone(),
                KernelClass::Process.into(),
                nlmsg_prefix,
            );
        }
        // Make sure that we've fulfilled at least one new cache miss since the original test query,
        // and that the cache is now full.
        assert!(delegate.query_count() > 1);
        assert!(avc.xperms_access_cache_is_full());
        let delegate_query_count = delegate.query_count();

        // Making the original test query again should result in another miss.
        avc.compute_xperms_access_decision(
            &delegate,
            XpermsKind::Nlmsg,
            A_TEST_SID.clone(),
            A_TEST_SID.clone(),
            KernelClass::Process.into(),
            0x0,
        );
        assert_eq!(delegate_query_count + 1, delegate.query_count());
    }

    #[test]
    fn access_vector_cache_nlmsg_and_ioctl() {
        let delegate = TestDelegate::default();
        let avc = FifoQueryCache::new(TEST_CAPACITY);

        // Query for an `ioctl` extended permission.
        avc.compute_xperms_access_decision(
            &delegate,
            XpermsKind::Ioctl,
            A_TEST_SID.clone(),
            A_TEST_SID.clone(),
            KernelClass::Process.into(),
            0x0,
        );
        assert_eq!(avc.cache_stats().allocs, 1);

        // Query for an `nlmsg` extended permission for the same source, target, class,
        // and prefix. This should cause a new allocation.
        avc.compute_xperms_access_decision(
            &delegate,
            XpermsKind::Nlmsg,
            A_TEST_SID.clone(),
            A_TEST_SID.clone(),
            KernelClass::Process.into(),
            0x0,
        );
        assert_eq!(avc.cache_stats().allocs, 2);
    }
}