summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
Diffstat (limited to 'security')
-rw-r--r--security/seclvl.c2
-rw-r--r--security/selinux/avc.c4
-rw-r--r--security/selinux/include/security.h3
-rw-r--r--security/selinux/ss/avtab.c196
-rw-r--r--security/selinux/ss/avtab.h37
-rw-r--r--security/selinux/ss/conditional.c215
-rw-r--r--security/selinux/ss/ebitmap.c5
-rw-r--r--security/selinux/ss/ebitmap.h30
-rw-r--r--security/selinux/ss/mls.c42
-rw-r--r--security/selinux/ss/policydb.c107
-rw-r--r--security/selinux/ss/policydb.h3
-rw-r--r--security/selinux/ss/services.c76
12 files changed, 450 insertions, 270 deletions
diff --git a/security/seclvl.c b/security/seclvl.c
index c8e87b22c9bd..96b1f2122f67 100644
--- a/security/seclvl.c
+++ b/security/seclvl.c
@@ -321,7 +321,7 @@ plaintext_to_sha1(unsigned char *hash, const char *plaintext, int len)
"bytes.\n", len, PAGE_SIZE);
return -ENOMEM;
}
- tfm = crypto_alloc_tfm("sha1", 0);
+ tfm = crypto_alloc_tfm("sha1", CRYPTO_TFM_REQ_MAY_SLEEP);
if (tfm == NULL) {
seclvl_printk(0, KERN_ERR,
"Failed to load transform for SHA1\n");
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 451502467a9b..cf6020f85403 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -490,7 +490,7 @@ out:
}
static inline void avc_print_ipv6_addr(struct audit_buffer *ab,
- struct in6_addr *addr, u16 port,
+ struct in6_addr *addr, __be16 port,
char *name1, char *name2)
{
if (!ipv6_addr_any(addr))
@@ -501,7 +501,7 @@ static inline void avc_print_ipv6_addr(struct audit_buffer *ab,
}
static inline void avc_print_ipv4_addr(struct audit_buffer *ab, u32 addr,
- u16 port, char *name1, char *name2)
+ __be16 port, char *name1, char *name2)
{
if (addr)
audit_log_format(ab, " %s=%d.%d.%d.%d", name1, NIPQUAD(addr));
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 71c0a19c9753..5f016c98056f 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -23,10 +23,11 @@
#define POLICYDB_VERSION_NLCLASS 18
#define POLICYDB_VERSION_VALIDATETRANS 19
#define POLICYDB_VERSION_MLS 19
+#define POLICYDB_VERSION_AVTAB 20
/* Range of policy versions we understand*/
#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
-#define POLICYDB_VERSION_MAX POLICYDB_VERSION_MLS
+#define POLICYDB_VERSION_MAX POLICYDB_VERSION_AVTAB
#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
extern int selinux_enabled;
diff --git a/security/selinux/ss/avtab.c b/security/selinux/ss/avtab.c
index f238c034c44e..dde094feb20d 100644
--- a/security/selinux/ss/avtab.c
+++ b/security/selinux/ss/avtab.c
@@ -58,6 +58,7 @@ static int avtab_insert(struct avtab *h, struct avtab_key *key, struct avtab_dat
{
int hvalue;
struct avtab_node *prev, *cur, *newnode;
+ u16 specified = key->specified & ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD);
if (!h)
return -EINVAL;
@@ -69,7 +70,7 @@ static int avtab_insert(struct avtab *h, struct avtab_key *key, struct avtab_dat
if (key->source_type == cur->key.source_type &&
key->target_type == cur->key.target_type &&
key->target_class == cur->key.target_class &&
- (datum->specified & cur->datum.specified))
+ (specified & cur->key.specified))
return -EEXIST;
if (key->source_type < cur->key.source_type)
break;
@@ -98,6 +99,7 @@ avtab_insert_nonunique(struct avtab * h, struct avtab_key * key, struct avtab_da
{
int hvalue;
struct avtab_node *prev, *cur, *newnode;
+ u16 specified = key->specified & ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD);
if (!h)
return NULL;
@@ -108,7 +110,7 @@ avtab_insert_nonunique(struct avtab * h, struct avtab_key * key, struct avtab_da
if (key->source_type == cur->key.source_type &&
key->target_type == cur->key.target_type &&
key->target_class == cur->key.target_class &&
- (datum->specified & cur->datum.specified))
+ (specified & cur->key.specified))
break;
if (key->source_type < cur->key.source_type)
break;
@@ -125,10 +127,11 @@ avtab_insert_nonunique(struct avtab * h, struct avtab_key * key, struct avtab_da
return newnode;
}
-struct avtab_datum *avtab_search(struct avtab *h, struct avtab_key *key, int specified)
+struct avtab_datum *avtab_search(struct avtab *h, struct avtab_key *key)
{
int hvalue;
struct avtab_node *cur;
+ u16 specified = key->specified & ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD);
if (!h)
return NULL;
@@ -138,7 +141,7 @@ struct avtab_datum *avtab_search(struct avtab *h, struct avtab_key *key, int spe
if (key->source_type == cur->key.source_type &&
key->target_type == cur->key.target_type &&
key->target_class == cur->key.target_class &&
- (specified & cur->datum.specified))
+ (specified & cur->key.specified))
return &cur->datum;
if (key->source_type < cur->key.source_type)
@@ -159,10 +162,11 @@ struct avtab_datum *avtab_search(struct avtab *h, struct avtab_key *key, int spe
* conjunction with avtab_search_next_node()
*/
struct avtab_node*
-avtab_search_node(struct avtab *h, struct avtab_key *key, int specified)
+avtab_search_node(struct avtab *h, struct avtab_key *key)
{
int hvalue;
struct avtab_node *cur;
+ u16 specified = key->specified & ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD);
if (!h)
return NULL;
@@ -172,7 +176,7 @@ avtab_search_node(struct avtab *h, struct avtab_key *key, int specified)
if (key->source_type == cur->key.source_type &&
key->target_type == cur->key.target_type &&
key->target_class == cur->key.target_class &&
- (specified & cur->datum.specified))
+ (specified & cur->key.specified))
return cur;
if (key->source_type < cur->key.source_type)
@@ -196,11 +200,12 @@ avtab_search_node_next(struct avtab_node *node, int specified)
if (!node)
return NULL;
+ specified &= ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD);
for (cur = node->next; cur; cur = cur->next) {
if (node->key.source_type == cur->key.source_type &&
node->key.target_type == cur->key.target_type &&
node->key.target_class == cur->key.target_class &&
- (specified & cur->datum.specified))
+ (specified & cur->key.specified))
return cur;
if (node->key.source_type < cur->key.source_type)
@@ -278,76 +283,129 @@ void avtab_hash_eval(struct avtab *h, char *tag)
max_chain_len);
}
-int avtab_read_item(void *fp, struct avtab_datum *avdatum, struct avtab_key *avkey)
+static uint16_t spec_order[] = {
+ AVTAB_ALLOWED,
+ AVTAB_AUDITDENY,
+ AVTAB_AUDITALLOW,
+ AVTAB_TRANSITION,
+ AVTAB_CHANGE,
+ AVTAB_MEMBER
+};
+
+int avtab_read_item(void *fp, u32 vers, struct avtab *a,
+ int (*insertf)(struct avtab *a, struct avtab_key *k,
+ struct avtab_datum *d, void *p),
+ void *p)
{
- u32 buf[7];
- u32 items, items2;
- int rc;
+ __le16 buf16[4];
+ u16 enabled;
+ __le32 buf32[7];
+ u32 items, items2, val;
+ struct avtab_key key;
+ struct avtab_datum datum;
+ int i, rc;
+
+ memset(&key, 0, sizeof(struct avtab_key));
+ memset(&datum, 0, sizeof(struct avtab_datum));
+
+ if (vers < POLICYDB_VERSION_AVTAB) {
+ rc = next_entry(buf32, fp, sizeof(u32));
+ if (rc < 0) {
+ printk(KERN_ERR "security: avtab: truncated entry\n");
+ return -1;
+ }
+ items2 = le32_to_cpu(buf32[0]);
+ if (items2 > ARRAY_SIZE(buf32)) {
+ printk(KERN_ERR "security: avtab: entry overflow\n");
+ return -1;
- memset(avkey, 0, sizeof(struct avtab_key));
- memset(avdatum, 0, sizeof(struct avtab_datum));
+ }
+ rc = next_entry(buf32, fp, sizeof(u32)*items2);
+ if (rc < 0) {
+ printk(KERN_ERR "security: avtab: truncated entry\n");
+ return -1;
+ }
+ items = 0;
- rc = next_entry(buf, fp, sizeof(u32));
- if (rc < 0) {
- printk(KERN_ERR "security: avtab: truncated entry\n");
- goto bad;
- }
- items2 = le32_to_cpu(buf[0]);
- if (items2 > ARRAY_SIZE(buf)) {
- printk(KERN_ERR "security: avtab: entry overflow\n");
- goto bad;
+ val = le32_to_cpu(buf32[items++]);
+ key.source_type = (u16)val;
+ if (key.source_type != val) {
+ printk("security: avtab: truncated source type\n");
+ return -1;
+ }
+ val = le32_to_cpu(buf32[items++]);
+ key.target_type = (u16)val;
+ if (key.target_type != val) {
+ printk("security: avtab: truncated target type\n");
+ return -1;
+ }
+ val = le32_to_cpu(buf32[items++]);
+ key.target_class = (u16)val;
+ if (key.target_class != val) {
+ printk("security: avtab: truncated target class\n");
+ return -1;
+ }
+
+ val = le32_to_cpu(buf32[items++]);
+ enabled = (val & AVTAB_ENABLED_OLD) ? AVTAB_ENABLED : 0;
+
+ if (!(val & (AVTAB_AV | AVTAB_TYPE))) {
+ printk("security: avtab: null entry\n");
+ return -1;
+ }
+ if ((val & AVTAB_AV) &&
+ (val & AVTAB_TYPE)) {
+ printk("security: avtab: entry has both access vectors and types\n");
+ return -1;
+ }
+
+ for (i = 0; i < sizeof(spec_order)/sizeof(u16); i++) {
+ if (val & spec_order[i]) {
+ key.specified = spec_order[i] | enabled;
+ datum.data = le32_to_cpu(buf32[items++]);
+ rc = insertf(a, &key, &datum, p);
+ if (rc) return rc;
+ }
+ }
+
+ if (items != items2) {
+ printk("security: avtab: entry only had %d items, expected %d\n", items2, items);
+ return -1;
+ }
+ return 0;
}
- rc = next_entry(buf, fp, sizeof(u32)*items2);
+
+ rc = next_entry(buf16, fp, sizeof(u16)*4);
if (rc < 0) {
- printk(KERN_ERR "security: avtab: truncated entry\n");
- goto bad;
+ printk("security: avtab: truncated entry\n");
+ return -1;
}
+
items = 0;
- avkey->source_type = le32_to_cpu(buf[items++]);
- avkey->target_type = le32_to_cpu(buf[items++]);
- avkey->target_class = le32_to_cpu(buf[items++]);
- avdatum->specified = le32_to_cpu(buf[items++]);
- if (!(avdatum->specified & (AVTAB_AV | AVTAB_TYPE))) {
- printk(KERN_ERR "security: avtab: null entry\n");
- goto bad;
- }
- if ((avdatum->specified & AVTAB_AV) &&
- (avdatum->specified & AVTAB_TYPE)) {
- printk(KERN_ERR "security: avtab: entry has both access vectors and types\n");
- goto bad;
- }
- if (avdatum->specified & AVTAB_AV) {
- if (avdatum->specified & AVTAB_ALLOWED)
- avtab_allowed(avdatum) = le32_to_cpu(buf[items++]);
- if (avdatum->specified & AVTAB_AUDITDENY)
- avtab_auditdeny(avdatum) = le32_to_cpu(buf[items++]);
- if (avdatum->specified & AVTAB_AUDITALLOW)
- avtab_auditallow(avdatum) = le32_to_cpu(buf[items++]);
- } else {
- if (avdatum->specified & AVTAB_TRANSITION)
- avtab_transition(avdatum) = le32_to_cpu(buf[items++]);
- if (avdatum->specified & AVTAB_CHANGE)
- avtab_change(avdatum) = le32_to_cpu(buf[items++]);
- if (avdatum->specified & AVTAB_MEMBER)
- avtab_member(avdatum) = le32_to_cpu(buf[items++]);
- }
- if (items != items2) {
- printk(KERN_ERR "security: avtab: entry only had %d items, expected %d\n",
- items2, items);
- goto bad;
+ key.source_type = le16_to_cpu(buf16[items++]);
+ key.target_type = le16_to_cpu(buf16[items++]);
+ key.target_class = le16_to_cpu(buf16[items++]);
+ key.specified = le16_to_cpu(buf16[items++]);
+
+ rc = next_entry(buf32, fp, sizeof(u32));
+ if (rc < 0) {
+ printk("security: avtab: truncated entry\n");
+ return -1;
}
+ datum.data = le32_to_cpu(*buf32);
+ return insertf(a, &key, &datum, p);
+}
- return 0;
-bad:
- return -1;
+static int avtab_insertf(struct avtab *a, struct avtab_key *k,
+ struct avtab_datum *d, void *p)
+{
+ return avtab_insert(a, k, d);
}
-int avtab_read(struct avtab *a, void *fp, u32 config)
+int avtab_read(struct avtab *a, void *fp, u32 vers)
{
int rc;
- struct avtab_key avkey;
- struct avtab_datum avdatum;
- u32 buf[1];
+ __le32 buf[1];
u32 nel, i;
@@ -363,16 +421,14 @@ int avtab_read(struct avtab *a, void *fp, u32 config)
goto bad;
}
for (i = 0; i < nel; i++) {
- if (avtab_read_item(fp, &avdatum, &avkey)) {
- rc = -EINVAL;
- goto bad;
- }
- rc = avtab_insert(a, &avkey, &avdatum);
+ rc = avtab_read_item(fp,vers, a, avtab_insertf, NULL);
if (rc) {
if (rc == -ENOMEM)
printk(KERN_ERR "security: avtab: out of memory\n");
- if (rc == -EEXIST)
+ else if (rc == -EEXIST)
printk(KERN_ERR "security: avtab: duplicate entry\n");
+ else
+ rc = -EINVAL;
goto bad;
}
}
diff --git a/security/selinux/ss/avtab.h b/security/selinux/ss/avtab.h
index 519d4f6dc655..0a90d939af93 100644
--- a/security/selinux/ss/avtab.h
+++ b/security/selinux/ss/avtab.h
@@ -21,12 +21,9 @@
#define _SS_AVTAB_H_
struct avtab_key {
- u32 source_type; /* source type */
- u32 target_type; /* target type */
- u32 target_class; /* target object class */
-};
-
-struct avtab_datum {
+ u16 source_type; /* source type */
+ u16 target_type; /* target type */
+ u16 target_class; /* target object class */
#define AVTAB_ALLOWED 1
#define AVTAB_AUDITALLOW 2
#define AVTAB_AUDITDENY 4
@@ -35,15 +32,13 @@ struct avtab_datum {
#define AVTAB_MEMBER 32
#define AVTAB_CHANGE 64
#define AVTAB_TYPE (AVTAB_TRANSITION | AVTAB_MEMBER | AVTAB_CHANGE)
-#define AVTAB_ENABLED 0x80000000 /* reserved for used in cond_avtab */
- u32 specified; /* what fields are specified */
- u32 data[3]; /* access vectors or types */
-#define avtab_allowed(x) (x)->data[0]
-#define avtab_auditdeny(x) (x)->data[1]
-#define avtab_auditallow(x) (x)->data[2]
-#define avtab_transition(x) (x)->data[0]
-#define avtab_change(x) (x)->data[1]
-#define avtab_member(x) (x)->data[2]
+#define AVTAB_ENABLED_OLD 0x80000000 /* reserved for used in cond_avtab */
+#define AVTAB_ENABLED 0x8000 /* reserved for used in cond_avtab */
+ u16 specified; /* what field is specified */
+};
+
+struct avtab_datum {
+ u32 data; /* access vector or type value */
};
struct avtab_node {
@@ -58,17 +53,21 @@ struct avtab {
};
int avtab_init(struct avtab *);
-struct avtab_datum *avtab_search(struct avtab *h, struct avtab_key *k, int specified);
+struct avtab_datum *avtab_search(struct avtab *h, struct avtab_key *k);
void avtab_destroy(struct avtab *h);
void avtab_hash_eval(struct avtab *h, char *tag);
-int avtab_read_item(void *fp, struct avtab_datum *avdatum, struct avtab_key *avkey);
-int avtab_read(struct avtab *a, void *fp, u32 config);
+int avtab_read_item(void *fp, uint32_t vers, struct avtab *a,
+ int (*insert)(struct avtab *a, struct avtab_key *k,
+ struct avtab_datum *d, void *p),
+ void *p);
+
+int avtab_read(struct avtab *a, void *fp, u32 vers);
struct avtab_node *avtab_insert_nonunique(struct avtab *h, struct avtab_key *key,
struct avtab_datum *datum);
-struct avtab_node *avtab_search_node(struct avtab *h, struct avtab_key *key, int specified);
+struct avtab_node *avtab_search_node(struct avtab *h, struct avtab_key *key);
struct avtab_node *avtab_search_node_next(struct avtab_node *node, int specified);
diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
index e2057f5a411a..daf288007460 100644
--- a/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@ -100,18 +100,18 @@ int evaluate_cond_node(struct policydb *p, struct cond_node *node)
/* turn the rules on or off */
for (cur = node->true_list; cur != NULL; cur = cur->next) {
if (new_state <= 0) {
- cur->node->datum.specified &= ~AVTAB_ENABLED;
+ cur->node->key.specified &= ~AVTAB_ENABLED;
} else {
- cur->node->datum.specified |= AVTAB_ENABLED;
+ cur->node->key.specified |= AVTAB_ENABLED;
}
}
for (cur = node->false_list; cur != NULL; cur = cur->next) {
/* -1 or 1 */
if (new_state) {
- cur->node->datum.specified &= ~AVTAB_ENABLED;
+ cur->node->key.specified &= ~AVTAB_ENABLED;
} else {
- cur->node->datum.specified |= AVTAB_ENABLED;
+ cur->node->key.specified |= AVTAB_ENABLED;
}
}
}
@@ -216,7 +216,8 @@ int cond_read_bool(struct policydb *p, struct hashtab *h, void *fp)
{
char *key = NULL;
struct cond_bool_datum *booldatum;
- u32 buf[3], len;
+ __le32 buf[3];
+ u32 len;
int rc;
booldatum = kmalloc(sizeof(struct cond_bool_datum), GFP_KERNEL);
@@ -252,104 +253,127 @@ err:
return -1;
}
-static int cond_read_av_list(struct policydb *p, void *fp, struct cond_av_list **ret_list,
- struct cond_av_list *other)
+struct cond_insertf_data
{
- struct cond_av_list *list, *last = NULL, *cur;
- struct avtab_key key;
- struct avtab_datum datum;
+ struct policydb *p;
+ struct cond_av_list *other;
+ struct cond_av_list *head;
+ struct cond_av_list *tail;
+};
+
+static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum *d, void *ptr)
+{
+ struct cond_insertf_data *data = ptr;
+ struct policydb *p = data->p;
+ struct cond_av_list *other = data->other, *list, *cur;
struct avtab_node *node_ptr;
- int rc;
- u32 buf[1], i, len;
u8 found;
- *ret_list = NULL;
-
- len = 0;
- rc = next_entry(buf, fp, sizeof buf);
- if (rc < 0)
- return -1;
-
- len = le32_to_cpu(buf[0]);
- if (len == 0) {
- return 0;
- }
- for (i = 0; i < len; i++) {
- if (avtab_read_item(fp, &datum, &key))
+ /*
+ * For type rules we have to make certain there aren't any
+ * conflicting rules by searching the te_avtab and the
+ * cond_te_avtab.
+ */
+ if (k->specified & AVTAB_TYPE) {
+ if (avtab_search(&p->te_avtab, k)) {
+ printk("security: type rule already exists outside of a conditional.");
goto err;
-
+ }
/*
- * For type rules we have to make certain there aren't any
- * conflicting rules by searching the te_avtab and the
- * cond_te_avtab.
+ * If we are reading the false list other will be a pointer to
+ * the true list. We can have duplicate entries if there is only
+ * 1 other entry and it is in our true list.
+ *
+ * If we are reading the true list (other == NULL) there shouldn't
+ * be any other entries.
*/
- if (datum.specified & AVTAB_TYPE) {
- if (avtab_search(&p->te_avtab, &key, AVTAB_TYPE)) {
- printk("security: type rule already exists outside of a conditional.");
- goto err;
- }
- /*
- * If we are reading the false list other will be a pointer to
- * the true list. We can have duplicate entries if there is only
- * 1 other entry and it is in our true list.
- *
- * If we are reading the true list (other == NULL) there shouldn't
- * be any other entries.
- */
- if (other) {
- node_ptr = avtab_search_node(&p->te_cond_avtab, &key, AVTAB_TYPE);
- if (node_ptr) {
- if (avtab_search_node_next(node_ptr, AVTAB_TYPE)) {
- printk("security: too many conflicting type rules.");
- goto err;
- }
- found = 0;
- for (cur = other; cur != NULL; cur = cur->next) {
- if (cur->node == node_ptr) {
- found = 1;
- break;
- }
- }
- if (!found) {
- printk("security: conflicting type rules.");
- goto err;
+ if (other) {
+ node_ptr = avtab_search_node(&p->te_cond_avtab, k);
+ if (node_ptr) {
+ if (avtab_search_node_next(node_ptr, k->specified)) {
+ printk("security: too many conflicting type rules.");
+ goto err;
+ }
+ found = 0;
+ for (cur = other; cur != NULL; cur = cur->next) {
+ if (cur->node == node_ptr) {
+ found = 1;
+ break;
}
}
- } else {
- if (avtab_search(&p->te_cond_avtab, &key, AVTAB_TYPE)) {
- printk("security: conflicting type rules when adding type rule for true.");
+ if (!found) {
+ printk("security: conflicting type rules.\n");
goto err;
}
}
+ } else {
+ if (avtab_search(&p->te_cond_avtab, k)) {
+ printk("security: conflicting type rules when adding type rule for true.\n");
+ goto err;
+ }
}
- node_ptr = avtab_insert_nonunique(&p->te_cond_avtab, &key, &datum);
- if (!node_ptr) {
- printk("security: could not insert rule.");
- goto err;
- }
-
- list = kmalloc(sizeof(struct cond_av_list), GFP_KERNEL);
- if (!list)
- goto err;
- memset(list, 0, sizeof(struct cond_av_list));
-
- list->node = node_ptr;
- if (i == 0)
- *ret_list = list;
- else
- last->next = list;
- last = list;
+ }
+ node_ptr = avtab_insert_nonunique(&p->te_cond_avtab, k, d);
+ if (!node_ptr) {
+ printk("security: could not insert rule.");
+ goto err;
}
+ list = kmalloc(sizeof(struct cond_av_list), GFP_KERNEL);
+ if (!list)
+ goto err;
+ memset(list, 0, sizeof(*list));
+
+ list->node = node_ptr;
+ if (!data->head)
+ data->head = list;
+ else
+ data->tail->next = list;
+ data->tail = list;
return 0;
+
err:
- cond_av_list_destroy(*ret_list);
- *ret_list = NULL;
+ cond_av_list_destroy(data->head);
+ data->head = NULL;
return -1;
}
+static int cond_read_av_list(struct policydb *p, void *fp, struct cond_av_list **ret_list, struct cond_av_list *other)
+{
+ int i, rc;
+ __le32 buf[1];
+ u32 len;
+ struct cond_insertf_data data;
+
+ *ret_list = NULL;
+
+ len = 0;
+ rc = next_entry(buf, fp, sizeof(u32));
+ if (rc < 0)
+ return -1;
+
+ len = le32_to_cpu(buf[0]);
+ if (len == 0) {
+ return 0;
+ }
+
+ data.p = p;
+ data.other = other;
+ data.head = NULL;
+ data.tail = NULL;
+ for (i = 0; i < len; i++) {
+ rc = avtab_read_item(fp, p->policyvers, &p->te_cond_avtab, cond_insertf, &data);
+ if (rc)
+ return rc;
+
+ }
+
+ *ret_list = data.head;
+ return 0;
+}
+
static int expr_isvalid(struct policydb *p, struct cond_expr *expr)
{
if (expr->expr_type <= 0 || expr->expr_type > COND_LAST) {
@@ -366,7 +390,8 @@ static int expr_isvalid(struct policydb *p, struct cond_expr *expr)
static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp)
{
- u32 buf[2], len, i;
+ __le32 buf[2];
+ u32 len, i;
int rc;
struct cond_expr *expr = NULL, *last = NULL;
@@ -424,7 +449,8 @@ err:
int cond_read_list(struct policydb *p, void *fp)
{
struct cond_node *node, *last = NULL;
- u32 buf[1], i, len;
+ __le32 buf[1];
+ u32 i, len;
int rc;
rc = next_entry(buf, fp, sizeof buf);
@@ -452,6 +478,7 @@ int cond_read_list(struct policydb *p, void *fp)
return 0;
err:
cond_list_destroy(p->cond_list);
+ p->cond_list = NULL;
return -1;
}
@@ -465,22 +492,22 @@ void cond_compute_av(struct avtab *ctab, struct avtab_key *key, struct av_decisi
if(!ctab || !key || !avd)
return;
- for(node = avtab_search_node(ctab, key, AVTAB_AV); node != NULL;
- node = avtab_search_node_next(node, AVTAB_AV)) {
- if ( (__u32) (AVTAB_ALLOWED|AVTAB_ENABLED) ==
- (node->datum.specified & (AVTAB_ALLOWED|AVTAB_ENABLED)))
- avd->allowed |= avtab_allowed(&node->datum);
- if ( (__u32) (AVTAB_AUDITDENY|AVTAB_ENABLED) ==
- (node->datum.specified & (AVTAB_AUDITDENY|AVTAB_ENABLED)))
+ for(node = avtab_search_node(ctab, key); node != NULL;
+ node = avtab_search_node_next(node, key->specified)) {
+ if ( (u16) (AVTAB_ALLOWED|AVTAB_ENABLED) ==
+ (node->key.specified & (AVTAB_ALLOWED|AVTAB_ENABLED)))
+ avd->allowed |= node->datum.data;
+ if ( (u16) (AVTAB_AUDITDENY|AVTAB_ENABLED) ==
+ (node->key.specified & (AVTAB_AUDITDENY|AVTAB_ENABLED)))
/* Since a '0' in an auditdeny mask represents a
* permission we do NOT want to audit (dontaudit), we use
* the '&' operand to ensure that all '0's in the mask
* are retained (much unlike the allow and auditallow cases).
*/
- avd->auditdeny &= avtab_auditdeny(&node->datum);
- if ( (__u32) (AVTAB_AUDITALLOW|AVTAB_ENABLED) ==
- (node->datum.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED)))
- avd->auditallow |= avtab_auditallow(&node->datum);
+ avd->auditdeny &= node->datum.data;
+ if ( (u16) (AVTAB_AUDITALLOW|AVTAB_ENABLED) ==
+ (node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED)))
+ avd->auditallow |= node->datum.data;
}
return;
}
diff --git a/security/selinux/ss/ebitmap.c b/security/selinux/ss/ebitmap.c
index d8ce9cc0b9f1..d515154128cc 100644
--- a/security/selinux/ss/ebitmap.c
+++ b/security/selinux/ss/ebitmap.c
@@ -196,8 +196,9 @@ int ebitmap_read(struct ebitmap *e, void *fp)
{
int rc;
struct ebitmap_node *n, *l;
- u32 buf[3], mapsize, count, i;
- u64 map;
+ __le32 buf[3];
+ u32 mapsize, count, i;
+ __le64 map;
ebitmap_init(e);
diff --git a/security/selinux/ss/ebitmap.h b/security/selinux/ss/ebitmap.h
index 471370233fd9..8bf41055a6cb 100644
--- a/security/selinux/ss/ebitmap.h
+++ b/security/selinux/ss/ebitmap.h
@@ -32,11 +32,41 @@ struct ebitmap {
#define ebitmap_length(e) ((e)->highbit)
#define ebitmap_startbit(e) ((e)->node ? (e)->node->startbit : 0)
+static inline unsigned int ebitmap_start(struct ebitmap *e,
+ struct ebitmap_node **n)
+{
+ *n = e->node;
+ return ebitmap_startbit(e);
+}
+
static inline void ebitmap_init(struct ebitmap *e)
{
memset(e, 0, sizeof(*e));
}
+static inline unsigned int ebitmap_next(struct ebitmap_node **n,
+ unsigned int bit)
+{
+ if ((bit == ((*n)->startbit + MAPSIZE - 1)) &&
+ (*n)->next) {
+ *n = (*n)->next;
+ return (*n)->startbit;
+ }
+
+ return (bit+1);
+}
+
+static inline int ebitmap_node_get_bit(struct ebitmap_node * n,
+ unsigned int bit)
+{
+ if (n->map & (MAPBIT << (bit - n->startbit)))
+ return 1;
+ return 0;
+}
+
+#define ebitmap_for_each_bit(e, n, bit) \
+ for (bit = ebitmap_start(e, &n); bit < ebitmap_length(e); bit = ebitmap_next(&n, bit)) \
+
int ebitmap_cmp(struct ebitmap *e1, struct ebitmap *e2);
int ebitmap_cpy(struct ebitmap *dst, struct ebitmap *src);
int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2);
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
index d4c32c39ccc9..aaefac2921f1 100644
--- a/security/selinux/ss/mls.c
+++ b/security/selinux/ss/mls.c
@@ -27,6 +27,7 @@
int mls_compute_context_len(struct context * context)
{
int i, l, len, range;
+ struct ebitmap_node *node;
if (!selinux_mls_enabled)
return 0;
@@ -36,24 +37,24 @@ int mls_compute_context_len(struct context * context)
range = 0;
len += strlen(policydb.p_sens_val_to_name[context->range.level[l].sens - 1]);
- for (i = 1; i <= ebitmap_length(&context->range.level[l].cat); i++) {
- if (ebitmap_get_bit(&context->range.level[l].cat, i - 1)) {
+ ebitmap_for_each_bit(&context->range.level[l].cat, node, i) {
+ if (ebitmap_node_get_bit(node, i)) {
if (range) {
range++;
continue;
}
- len += strlen(policydb.p_cat_val_to_name[i - 1]) + 1;
+ len += strlen(policydb.p_cat_val_to_name[i]) + 1;
range++;
} else {
if (range > 1)
- len += strlen(policydb.p_cat_val_to_name[i - 2]) + 1;
+ len += strlen(policydb.p_cat_val_to_name[i - 1]) + 1;
range = 0;
}
}
/* Handle case where last category is the end of range */
if (range > 1)
- len += strlen(policydb.p_cat_val_to_name[i - 2]) + 1;
+ len += strlen(policydb.p_cat_val_to_name[i - 1]) + 1;
if (l == 0) {
if (mls_level_eq(&context->range.level[0],
@@ -77,6 +78,7 @@ void mls_sid_to_context(struct context *context,
{
char *scontextp;
int i, l, range, wrote_sep;
+ struct ebitmap_node *node;
if (!selinux_mls_enabled)
return;
@@ -94,8 +96,8 @@ void mls_sid_to_context(struct context *context,
scontextp += strlen(policydb.p_sens_val_to_name[context->range.level[l].sens - 1]);
/* categories */
- for (i = 1; i <= ebitmap_length(&context->range.level[l].cat); i++) {
- if (ebitmap_get_bit(&context->range.level[l].cat, i - 1)) {
+ ebitmap_for_each_bit(&context->range.level[l].cat, node, i) {
+ if (ebitmap_node_get_bit(node, i)) {
if (range) {
range++;
continue;
@@ -106,8 +108,8 @@ void mls_sid_to_context(struct context *context,
wrote_sep = 1;
} else
*scontextp++ = ',';
- strcpy(scontextp, policydb.p_cat_val_to_name[i - 1]);
- scontextp += strlen(policydb.p_cat_val_to_name[i - 1]);
+ strcpy(scontextp, policydb.p_cat_val_to_name[i]);
+ scontextp += strlen(policydb.p_cat_val_to_name[i]);
range++;
} else {
if (range > 1) {
@@ -116,8 +118,8 @@ void mls_sid_to_context(struct context *context,
else
*scontextp++ = ',';
- strcpy(scontextp, policydb.p_cat_val_to_name[i - 2]);
- scontextp += strlen(policydb.p_cat_val_to_name[i - 2]);
+ strcpy(scontextp, policydb.p_cat_val_to_name[i - 1]);
+ scontextp += strlen(policydb.p_cat_val_to_name[i - 1]);
}
range = 0;
}
@@ -130,8 +132,8 @@ void mls_sid_to_context(struct context *context,
else
*scontextp++ = ',';
- strcpy(scontextp, policydb.p_cat_val_to_name[i - 2]);
- scontextp += strlen(policydb.p_cat_val_to_name[i - 2]);
+ strcpy(scontextp, policydb.p_cat_val_to_name[i - 1]);
+ scontextp += strlen(policydb.p_cat_val_to_name[i - 1]);
}
if (l == 0) {
@@ -157,6 +159,7 @@ int mls_context_isvalid(struct policydb *p, struct context *c)
{
struct level_datum *levdatum;
struct user_datum *usrdatum;
+ struct ebitmap_node *node;
int i, l;
if (!selinux_mls_enabled)
@@ -179,11 +182,11 @@ int mls_context_isvalid(struct policydb *p, struct context *c)
if (!levdatum)
return 0;
- for (i = 1; i <= ebitmap_length(&c->range.level[l].cat); i++) {
- if (ebitmap_get_bit(&c->range.level[l].cat, i - 1)) {
+ ebitmap_for_each_bit(&c->range.level[l].cat, node, i) {
+ if (ebitmap_node_get_bit(node, i)) {
if (i > p->p_cats.nprim)
return 0;
- if (!ebitmap_get_bit(&levdatum->level->cat, i - 1))
+ if (!ebitmap_get_bit(&levdatum->level->cat, i))
/*
* Category may not be associated with
* sensitivity in low level.
@@ -468,6 +471,7 @@ int mls_convert_context(struct policydb *oldp,
struct level_datum *levdatum;
struct cat_datum *catdatum;
struct ebitmap bitmap;
+ struct ebitmap_node *node;
int l, i;
if (!selinux_mls_enabled)
@@ -482,12 +486,12 @@ int mls_convert_context(struct policydb *oldp,
c->range.level[l].sens = levdatum->level->sens;
ebitmap_init(&bitmap);
- for (i = 1; i <= ebitmap_length(&c->range.level[l].cat); i++) {
- if (ebitmap_get_bit(&c->range.level[l].cat, i - 1)) {
+ ebitmap_for_each_bit(&c->range.level[l].cat, node, i) {
+ if (ebitmap_node_get_bit(node, i)) {
int rc;
catdatum = hashtab_search(newp->p_cats.table,
- oldp->p_cat_val_to_name[i - 1]);
+ oldp->p_cat_val_to_name[i]);
if (!catdatum)
return -EINVAL;
rc = ebitmap_set_bit(&bitmap, catdatum->value - 1, 1);
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 785c33cf4864..0a758323a9cf 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -91,6 +91,11 @@ static struct policydb_compat_info policydb_compat[] = {
.sym_num = SYM_NUM,
.ocon_num = OCON_NUM,
},
+ {
+ .version = POLICYDB_VERSION_AVTAB,
+ .sym_num = SYM_NUM,
+ .ocon_num = OCON_NUM,
+ },
};
static struct policydb_compat_info *policydb_lookup_compat(int version)
@@ -584,6 +589,9 @@ void policydb_destroy(struct policydb *p)
struct ocontext *c, *ctmp;
struct genfs *g, *gtmp;
int i;
+ struct role_allow *ra, *lra = NULL;
+ struct role_trans *tr, *ltr = NULL;
+ struct range_trans *rt, *lrt = NULL;
for (i = 0; i < SYM_NUM; i++) {
hashtab_map(p->symtab[i].table, destroy_f[i], NULL);
@@ -624,6 +632,28 @@ void policydb_destroy(struct policydb *p)
cond_policydb_destroy(p);
+ for (tr = p->role_tr; tr; tr = tr->next) {
+ if (ltr) kfree(ltr);
+ ltr = tr;
+ }
+ if (ltr) kfree(ltr);
+
+ for (ra = p->role_allow; ra; ra = ra -> next) {
+ if (lra) kfree(lra);
+ lra = ra;
+ }
+ if (lra) kfree(lra);
+
+ for (rt = p->range_tr; rt; rt = rt -> next) {
+ if (lrt) kfree(lrt);
+ lrt = rt;
+ }
+ if (lrt) kfree(lrt);
+
+ for (i = 0; i < p->p_types.nprim; i++)
+ ebitmap_destroy(&p->type_attr_map[i]);
+ kfree(p->type_attr_map);
+
return;
}
@@ -714,7 +744,8 @@ int policydb_context_isvalid(struct policydb *p, struct context *c)
*/
static int mls_read_range_helper(struct mls_range *r, void *fp)
{
- u32 buf[2], items;
+ __le32 buf[2];
+ u32 items;
int rc;
rc = next_entry(buf, fp, sizeof(u32));
@@ -775,7 +806,7 @@ static int context_read_and_validate(struct context *c,
struct policydb *p,
void *fp)
{
- u32 buf[3];
+ __le32 buf[3];
int rc;
rc = next_entry(buf, fp, sizeof buf);
@@ -815,7 +846,8 @@ static int perm_read(struct policydb *p, struct hashtab *h, void *fp)
char *key = NULL;
struct perm_datum *perdatum;
int rc;
- u32 buf[2], len;
+ __le32 buf[2];
+ u32 len;
perdatum = kmalloc(sizeof(*perdatum), GFP_KERNEL);
if (!perdatum) {
@@ -855,7 +887,8 @@ static int common_read(struct policydb *p, struct hashtab *h, void *fp)
{
char *key = NULL;
struct common_datum *comdatum;
- u32 buf[4], len, nel;
+ __le32 buf[4];
+ u32 len, nel;
int i, rc;
comdatum = kmalloc(sizeof(*comdatum), GFP_KERNEL);
@@ -909,7 +942,8 @@ static int read_cons_helper(struct constraint_node **nodep, int ncons,
{
struct constraint_node *c, *lc;
struct constraint_expr *e, *le;
- u32 buf[3], nexpr;
+ __le32 buf[3];
+ u32 nexpr;
int rc, i, j, depth;
lc = NULL;
@@ -993,7 +1027,8 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp)
{
char *key = NULL;
struct class_datum *cladatum;
- u32 buf[6], len, len2, ncons, nel;
+ __le32 buf[6];
+ u32 len, len2, ncons, nel;
int i, rc;
cladatum = kmalloc(sizeof(*cladatum), GFP_KERNEL);
@@ -1087,7 +1122,8 @@ static int role_read(struct policydb *p, struct hashtab *h, void *fp)
char *key = NULL;
struct role_datum *role;
int rc;
- u32 buf[2], len;
+ __le32 buf[2];
+ u32 len;
role = kmalloc(sizeof(*role), GFP_KERNEL);
if (!role) {
@@ -1147,7 +1183,8 @@ static int type_read(struct policydb *p, struct hashtab *h, void *fp)
char *key = NULL;
struct type_datum *typdatum;
int rc;
- u32 buf[3], len;
+ __le32 buf[3];
+ u32 len;
typdatum = kmalloc(sizeof(*typdatum),GFP_KERNEL);
if (!typdatum) {
@@ -1191,7 +1228,7 @@ bad:
*/
static int mls_read_level(struct mls_level *lp, void *fp)
{
- u32 buf[1];
+ __le32 buf[1];
int rc;
memset(lp, 0, sizeof(*lp));
@@ -1219,7 +1256,8 @@ static int user_read(struct policydb *p, struct hashtab *h, void *fp)
char *key = NULL;
struct user_datum *usrdatum;
int rc;
- u32 buf[2], len;
+ __le32 buf[2];
+ u32 len;
usrdatum = kmalloc(sizeof(*usrdatum), GFP_KERNEL);
if (!usrdatum) {
@@ -1273,7 +1311,8 @@ static int sens_read(struct policydb *p, struct hashtab *h, void *fp)
char *key = NULL;
struct level_datum *levdatum;
int rc;
- u32 buf[2], len;
+ __le32 buf[2];
+ u32 len;
levdatum = kmalloc(sizeof(*levdatum), GFP_ATOMIC);
if (!levdatum) {
@@ -1324,7 +1363,8 @@ static int cat_read(struct policydb *p, struct hashtab *h, void *fp)
char *key = NULL;
struct cat_datum *catdatum;
int rc;
- u32 buf[3], len;
+ __le32 buf[3];
+ u32 len;
catdatum = kmalloc(sizeof(*catdatum), GFP_ATOMIC);
if (!catdatum) {
@@ -1387,7 +1427,8 @@ int policydb_read(struct policydb *p, void *fp)
struct ocontext *l, *c, *newc;
struct genfs *genfs_p, *genfs, *newgenfs;
int i, j, rc;
- u32 buf[8], len, len2, config, nprim, nel, nel2;
+ __le32 buf[8];
+ u32 len, len2, config, nprim, nel, nel2;
char *policydb_str;
struct policydb_compat_info *info;
struct range_trans *rt, *lrt;
@@ -1403,17 +1444,14 @@ int policydb_read(struct policydb *p, void *fp)
if (rc < 0)
goto bad;
- for (i = 0; i < 2; i++)
- buf[i] = le32_to_cpu(buf[i]);
-
- if (buf[0] != POLICYDB_MAGIC) {
+ if (le32_to_cpu(buf[0]) != POLICYDB_MAGIC) {
printk(KERN_ERR "security: policydb magic number 0x%x does "
"not match expected magic number 0x%x\n",
- buf[0], POLICYDB_MAGIC);
+ le32_to_cpu(buf[0]), POLICYDB_MAGIC);
goto bad;
}
- len = buf[1];
+ len = le32_to_cpu(buf[1]);
if (len != strlen(POLICYDB_STRING)) {
printk(KERN_ERR "security: policydb string length %d does not "
"match expected length %Zu\n",
@@ -1448,19 +1486,17 @@ int policydb_read(struct policydb *p, void *fp)
rc = next_entry(buf, fp, sizeof(u32)*4);
if (rc < 0)
goto bad;
- for (i = 0; i < 4; i++)
- buf[i] = le32_to_cpu(buf[i]);
- p->policyvers = buf[0];
+ p->policyvers = le32_to_cpu(buf[0]);
if (p->policyvers < POLICYDB_VERSION_MIN ||
p->policyvers > POLICYDB_VERSION_MAX) {
printk(KERN_ERR "security: policydb version %d does not match "
"my version range %d-%d\n",
- buf[0], POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
+ le32_to_cpu(buf[0]), POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
goto bad;
}
- if ((buf[1] & POLICYDB_CONFIG_MLS)) {
+ if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_MLS)) {
if (ss_initialized && !selinux_mls_enabled) {
printk(KERN_ERR "Cannot switch between non-MLS and MLS "
"policies\n");
@@ -1489,9 +1525,11 @@ int policydb_read(struct policydb *p, void *fp)
goto bad;
}
- if (buf[2] != info->sym_num || buf[3] != info->ocon_num) {
+ if (le32_to_cpu(buf[2]) != info->sym_num ||
+ le32_to_cpu(buf[3]) != info->ocon_num) {
printk(KERN_ERR "security: policydb table sizes (%d,%d) do "
- "not match mine (%d,%d)\n", buf[2], buf[3],
+ "not match mine (%d,%d)\n", le32_to_cpu(buf[2]),
+ le32_to_cpu(buf[3]),
info->sym_num, info->ocon_num);
goto bad;
}
@@ -1511,7 +1549,7 @@ int policydb_read(struct policydb *p, void *fp)
p->symtab[i].nprim = nprim;
}
- rc = avtab_read(&p->te_avtab, fp, config);
+ rc = avtab_read(&p->te_avtab, fp, p->policyvers);
if (rc)
goto bad;
@@ -1825,6 +1863,21 @@ int policydb_read(struct policydb *p, void *fp)
}
}
+ p->type_attr_map = kmalloc(p->p_types.nprim*sizeof(struct ebitmap), GFP_KERNEL);
+ if (!p->type_attr_map)
+ goto bad;
+
+ for (i = 0; i < p->p_types.nprim; i++) {
+ ebitmap_init(&p->type_attr_map[i]);
+ if (p->policyvers >= POLICYDB_VERSION_AVTAB) {
+ if (ebitmap_read(&p->type_attr_map[i], fp))
+ goto bad;
+ }
+ /* add the type itself as the degenerate case */
+ if (ebitmap_set_bit(&p->type_attr_map[i], i, 1))
+ goto bad;
+ }
+
rc = 0;
out:
return rc;
diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
index 2470e2a1a1c3..b1340711f721 100644
--- a/security/selinux/ss/policydb.h
+++ b/security/selinux/ss/policydb.h
@@ -237,6 +237,9 @@ struct policydb {
/* range transitions */
struct range_trans *range_tr;
+ /* type -> attribute reverse mapping */
+ struct ebitmap *type_attr_map;
+
unsigned int policyvers;
};
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 014120474e69..92b89dc99bcd 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -266,8 +266,11 @@ static int context_struct_compute_av(struct context *scontext,
struct constraint_node *constraint;
struct role_allow *ra;
struct avtab_key avkey;
- struct avtab_datum *avdatum;
+ struct avtab_node *node;
struct class_datum *tclass_datum;
+ struct ebitmap *sattr, *tattr;
+ struct ebitmap_node *snode, *tnode;
+ unsigned int i, j;
/*
* Remap extended Netlink classes for old policy versions.
@@ -300,21 +303,34 @@ static int context_struct_compute_av(struct context *scontext,
* If a specific type enforcement rule was defined for
* this permission check, then use it.
*/
- avkey.source_type = scontext->type;
- avkey.target_type = tcontext->type;
avkey.target_class = tclass;
- avdatum = avtab_search(&policydb.te_avtab, &avkey, AVTAB_AV);
- if (avdatum) {
- if (avdatum->specified & AVTAB_ALLOWED)
- avd->allowed = avtab_allowed(avdatum);
- if (avdatum->specified & AVTAB_AUDITDENY)
- avd->auditdeny = avtab_auditdeny(avdatum);
- if (avdatum->specified & AVTAB_AUDITALLOW)
- avd->auditallow = avtab_auditallow(avdatum);
- }
+ avkey.specified = AVTAB_AV;
+ sattr = &policydb.type_attr_map[scontext->type - 1];
+ tattr = &policydb.type_attr_map[tcontext->type - 1];
+ ebitmap_for_each_bit(sattr, snode, i) {
+ if (!ebitmap_node_get_bit(snode, i))
+ continue;
+ ebitmap_for_each_bit(tattr, tnode, j) {
+ if (!ebitmap_node_get_bit(tnode, j))
+ continue;
+ avkey.source_type = i + 1;
+ avkey.target_type = j + 1;
+ for (node = avtab_search_node(&policydb.te_avtab, &avkey);
+ node != NULL;
+ node = avtab_search_node_next(node, avkey.specified)) {
+ if (node->key.specified == AVTAB_ALLOWED)
+ avd->allowed |= node->datum.data;
+ else if (node->key.specified == AVTAB_AUDITALLOW)
+ avd->auditallow |= node->datum.data;
+ else if (node->key.specified == AVTAB_AUDITDENY)
+ avd->auditdeny &= node->datum.data;
+ }
- /* Check conditional av table for additional permissions */
- cond_compute_av(&policydb.te_cond_avtab, &avkey, avd);
+ /* Check conditional av table for additional permissions */
+ cond_compute_av(&policydb.te_cond_avtab, &avkey, avd);
+
+ }
+ }
/*
* Remove any permissions prohibited by a constraint (this includes
@@ -797,7 +813,6 @@ static int security_compute_sid(u32 ssid,
struct avtab_key avkey;
struct avtab_datum *avdatum;
struct avtab_node *node;
- unsigned int type_change = 0;
int rc = 0;
if (!ss_initialized) {
@@ -862,33 +877,23 @@ static int security_compute_sid(u32 ssid,
avkey.source_type = scontext->type;
avkey.target_type = tcontext->type;
avkey.target_class = tclass;
- avdatum = avtab_search(&policydb.te_avtab, &avkey, AVTAB_TYPE);
+ avkey.specified = specified;
+ avdatum = avtab_search(&policydb.te_avtab, &avkey);
/* If no permanent rule, also check for enabled conditional rules */
if(!avdatum) {
- node = avtab_search_node(&policydb.te_cond_avtab, &avkey, specified);
+ node = avtab_search_node(&policydb.te_cond_avtab, &avkey);
for (; node != NULL; node = avtab_search_node_next(node, specified)) {
- if (node->datum.specified & AVTAB_ENABLED) {
+ if (node->key.specified & AVTAB_ENABLED) {
avdatum = &node->datum;
break;
}
}
}
- type_change = (avdatum && (avdatum->specified & specified));
- if (type_change) {
+ if (avdatum) {
/* Use the type from the type transition/member/change rule. */
- switch (specified) {
- case AVTAB_TRANSITION:
- newcontext.type = avtab_transition(avdatum);
- break;
- case AVTAB_MEMBER:
- newcontext.type = avtab_member(avdatum);
- break;
- case AVTAB_CHANGE:
- newcontext.type = avtab_change(avdatum);
- break;
- }
+ newcontext.type = avdatum->data;
}
/* Check for class-specific changes. */
@@ -1502,6 +1507,7 @@ int security_get_user_sids(u32 fromsid,
struct user_datum *user;
struct role_datum *role;
struct av_decision avd;
+ struct ebitmap_node *rnode, *tnode;
int rc = 0, i, j;
if (!ss_initialized) {
@@ -1532,13 +1538,13 @@ int security_get_user_sids(u32 fromsid,
}
memset(mysids, 0, maxnel*sizeof(*mysids));
- for (i = ebitmap_startbit(&user->roles); i < ebitmap_length(&user->roles); i++) {
- if (!ebitmap_get_bit(&user->roles, i))
+ ebitmap_for_each_bit(&user->roles, rnode, i) {
+ if (!ebitmap_node_get_bit(rnode, i))
continue;
role = policydb.role_val_to_struct[i];
usercon.role = i+1;
- for (j = ebitmap_startbit(&role->types); j < ebitmap_length(&role->types); j++) {
- if (!ebitmap_get_bit(&role->types, j))
+ ebitmap_for_each_bit(&role->types, tnode, j) {
+ if (!ebitmap_node_get_bit(tnode, j))
continue;
usercon.type = j+1;