2019-05-31 16:09:32 +08:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-only
|
2005-04-17 06:20:36 +08:00
|
|
|
/* Authors: Karl MacMillan <kmacmillan@tresys.com>
|
2008-04-19 05:38:29 +08:00
|
|
|
* Frank Mayer <mayerf@tresys.com>
|
2005-04-17 06:20:36 +08:00
|
|
|
*
|
|
|
|
|
* Copyright (C) 2003 - 2004 Tresys Technology, LLC
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <linux/kernel.h>
|
|
|
|
|
#include <linux/errno.h>
|
|
|
|
|
#include <linux/string.h>
|
|
|
|
|
#include <linux/spinlock.h>
|
|
|
|
|
#include <linux/slab.h>
|
|
|
|
|
|
|
|
|
|
#include "security.h"
|
|
|
|
|
#include "conditional.h"
|
2015-07-11 05:19:56 +08:00
|
|
|
#include "services.h"
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* cond_evaluate_expr evaluates a conditional expr
|
|
|
|
|
* in reverse polish notation. It returns true (1), false (0),
|
|
|
|
|
* or undefined (-1). Undefined occurs when the expression
|
|
|
|
|
* exceeds the stack depth of COND_EXPR_MAXDEPTH.
|
|
|
|
|
*/
|
|
|
|
|
static int cond_evaluate_expr(struct policydb *p, struct cond_expr *expr)
|
|
|
|
|
{
|
2020-02-03 19:27:22 +08:00
|
|
|
u32 i;
|
2005-04-17 06:20:36 +08:00
|
|
|
int s[COND_EXPR_MAXDEPTH];
|
|
|
|
|
int sp = -1;
|
|
|
|
|
|
2020-06-17 20:40:28 +08:00
|
|
|
if (expr->len == 0)
|
|
|
|
|
return -1;
|
|
|
|
|
|
2020-02-03 19:27:22 +08:00
|
|
|
for (i = 0; i < expr->len; i++) {
|
|
|
|
|
struct cond_expr_node *node = &expr->nodes[i];
|
|
|
|
|
|
|
|
|
|
switch (node->expr_type) {
|
2005-04-17 06:20:36 +08:00
|
|
|
case COND_BOOL:
|
|
|
|
|
if (sp == (COND_EXPR_MAXDEPTH - 1))
|
|
|
|
|
return -1;
|
|
|
|
|
sp++;
|
2020-02-03 19:27:22 +08:00
|
|
|
s[sp] = p->bool_val_to_struct[node->bool - 1]->state;
|
2005-04-17 06:20:36 +08:00
|
|
|
break;
|
|
|
|
|
case COND_NOT:
|
|
|
|
|
if (sp < 0)
|
|
|
|
|
return -1;
|
|
|
|
|
s[sp] = !s[sp];
|
|
|
|
|
break;
|
|
|
|
|
case COND_OR:
|
|
|
|
|
if (sp < 1)
|
|
|
|
|
return -1;
|
|
|
|
|
sp--;
|
|
|
|
|
s[sp] |= s[sp + 1];
|
|
|
|
|
break;
|
|
|
|
|
case COND_AND:
|
|
|
|
|
if (sp < 1)
|
|
|
|
|
return -1;
|
|
|
|
|
sp--;
|
|
|
|
|
s[sp] &= s[sp + 1];
|
|
|
|
|
break;
|
|
|
|
|
case COND_XOR:
|
|
|
|
|
if (sp < 1)
|
|
|
|
|
return -1;
|
|
|
|
|
sp--;
|
|
|
|
|
s[sp] ^= s[sp + 1];
|
|
|
|
|
break;
|
|
|
|
|
case COND_EQ:
|
|
|
|
|
if (sp < 1)
|
|
|
|
|
return -1;
|
|
|
|
|
sp--;
|
|
|
|
|
s[sp] = (s[sp] == s[sp + 1]);
|
|
|
|
|
break;
|
|
|
|
|
case COND_NEQ:
|
|
|
|
|
if (sp < 1)
|
|
|
|
|
return -1;
|
|
|
|
|
sp--;
|
|
|
|
|
s[sp] = (s[sp] != s[sp + 1]);
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return s[0];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* evaluate_cond_node evaluates the conditional stored in
|
|
|
|
|
* a struct cond_node and if the result is different than the
|
|
|
|
|
* current state of the node it sets the rules in the true/false
|
|
|
|
|
* list appropriately. If the result of the expression is undefined
|
|
|
|
|
* all of the rules are disabled for safety.
|
|
|
|
|
*/
|
2020-02-03 19:27:23 +08:00
|
|
|
static void evaluate_cond_node(struct policydb *p, struct cond_node *node)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2020-02-03 19:27:21 +08:00
|
|
|
struct avtab_node *avnode;
|
2005-04-17 06:20:36 +08:00
|
|
|
int new_state;
|
2020-02-03 19:27:21 +08:00
|
|
|
u32 i;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2020-02-03 19:27:22 +08:00
|
|
|
new_state = cond_evaluate_expr(p, &node->expr);
|
2005-04-17 06:20:36 +08:00
|
|
|
if (new_state != node->cur_state) {
|
|
|
|
|
node->cur_state = new_state;
|
|
|
|
|
if (new_state == -1)
|
2018-06-12 16:09:00 +08:00
|
|
|
pr_err("SELinux: expression result was undefined - disabling all rules.\n");
|
2005-04-17 06:20:36 +08:00
|
|
|
/* turn the rules on or off */
|
2020-02-03 19:27:21 +08:00
|
|
|
for (i = 0; i < node->true_list.len; i++) {
|
|
|
|
|
avnode = node->true_list.nodes[i];
|
2008-04-19 05:38:29 +08:00
|
|
|
if (new_state <= 0)
|
2020-02-03 19:27:21 +08:00
|
|
|
avnode->key.specified &= ~AVTAB_ENABLED;
|
2008-04-19 05:38:29 +08:00
|
|
|
else
|
2020-02-03 19:27:21 +08:00
|
|
|
avnode->key.specified |= AVTAB_ENABLED;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
2020-02-03 19:27:21 +08:00
|
|
|
for (i = 0; i < node->false_list.len; i++) {
|
|
|
|
|
avnode = node->false_list.nodes[i];
|
2005-04-17 06:20:36 +08:00
|
|
|
/* -1 or 1 */
|
2008-04-19 05:38:29 +08:00
|
|
|
if (new_state)
|
2020-02-03 19:27:21 +08:00
|
|
|
avnode->key.specified &= ~AVTAB_ENABLED;
|
2008-04-19 05:38:29 +08:00
|
|
|
else
|
2020-02-03 19:27:21 +08:00
|
|
|
avnode->key.specified |= AVTAB_ENABLED;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2020-02-03 19:27:23 +08:00
|
|
|
void evaluate_cond_nodes(struct policydb *p)
|
|
|
|
|
{
|
|
|
|
|
u32 i;
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < p->cond_list_len; i++)
|
|
|
|
|
evaluate_cond_node(p, &p->cond_list[i]);
|
|
|
|
|
}
|
|
|
|
|
|
2020-03-06 03:55:43 +08:00
|
|
|
void cond_policydb_init(struct policydb *p)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
|
p->bool_val_to_struct = NULL;
|
|
|
|
|
p->cond_list = NULL;
|
2020-02-03 19:27:20 +08:00
|
|
|
p->cond_list_len = 0;
|
2010-06-13 02:55:01 +08:00
|
|
|
|
2020-03-06 03:55:43 +08:00
|
|
|
avtab_init(&p->te_cond_avtab);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void cond_node_destroy(struct cond_node *node)
|
|
|
|
|
{
|
2020-02-03 19:27:22 +08:00
|
|
|
kfree(node->expr.nodes);
|
2020-02-03 19:27:21 +08:00
|
|
|
/* the avtab_ptr_t nodes are destroyed by the avtab */
|
|
|
|
|
kfree(node->true_list.nodes);
|
|
|
|
|
kfree(node->false_list.nodes);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
2020-02-03 19:27:20 +08:00
|
|
|
static void cond_list_destroy(struct policydb *p)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2020-02-03 19:27:20 +08:00
|
|
|
u32 i;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2020-02-03 19:27:20 +08:00
|
|
|
for (i = 0; i < p->cond_list_len; i++)
|
|
|
|
|
cond_node_destroy(&p->cond_list[i]);
|
|
|
|
|
kfree(p->cond_list);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void cond_policydb_destroy(struct policydb *p)
|
|
|
|
|
{
|
2005-06-26 05:58:51 +08:00
|
|
|
kfree(p->bool_val_to_struct);
|
2005-04-17 06:20:36 +08:00
|
|
|
avtab_destroy(&p->te_cond_avtab);
|
2020-02-03 19:27:20 +08:00
|
|
|
cond_list_destroy(p);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int cond_init_bool_indexes(struct policydb *p)
|
|
|
|
|
{
|
2005-06-26 05:58:51 +08:00
|
|
|
kfree(p->bool_val_to_struct);
|
2017-01-14 17:48:28 +08:00
|
|
|
p->bool_val_to_struct = kmalloc_array(p->p_bools.nprim,
|
|
|
|
|
sizeof(*p->bool_val_to_struct),
|
|
|
|
|
GFP_KERNEL);
|
2005-04-17 06:20:36 +08:00
|
|
|
if (!p->bool_val_to_struct)
|
2011-01-21 23:28:04 +08:00
|
|
|
return -ENOMEM;
|
2005-04-17 06:20:36 +08:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int cond_destroy_bool(void *key, void *datum, void *p)
|
|
|
|
|
{
|
2005-06-26 05:58:51 +08:00
|
|
|
kfree(key);
|
2005-04-17 06:20:36 +08:00
|
|
|
kfree(datum);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int cond_index_bool(void *key, void *datum, void *datap)
|
|
|
|
|
{
|
|
|
|
|
struct policydb *p;
|
|
|
|
|
struct cond_bool_datum *booldatum;
|
|
|
|
|
|
|
|
|
|
booldatum = datum;
|
|
|
|
|
p = datap;
|
|
|
|
|
|
|
|
|
|
if (!booldatum->value || booldatum->value > p->p_bools.nprim)
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
2019-03-12 14:31:10 +08:00
|
|
|
p->sym_val_to_name[SYM_BOOLS][booldatum->value - 1] = key;
|
2008-04-19 05:38:29 +08:00
|
|
|
p->bool_val_to_struct[booldatum->value - 1] = booldatum;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int bool_isvalid(struct cond_bool_datum *b)
|
|
|
|
|
{
|
|
|
|
|
if (!(b->state == 0 || b->state == 1))
|
|
|
|
|
return 0;
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2020-07-08 19:24:45 +08:00
|
|
|
int cond_read_bool(struct policydb *p, struct symtab *s, void *fp)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
|
char *key = NULL;
|
|
|
|
|
struct cond_bool_datum *booldatum;
|
2005-09-04 06:55:17 +08:00
|
|
|
__le32 buf[3];
|
|
|
|
|
u32 len;
|
2005-04-17 06:20:36 +08:00
|
|
|
int rc;
|
|
|
|
|
|
2017-01-14 18:22:12 +08:00
|
|
|
booldatum = kzalloc(sizeof(*booldatum), GFP_KERNEL);
|
2005-04-17 06:20:36 +08:00
|
|
|
if (!booldatum)
|
2010-06-13 02:56:01 +08:00
|
|
|
return -ENOMEM;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2020-06-25 00:12:58 +08:00
|
|
|
rc = next_entry(buf, fp, sizeof(buf));
|
2010-06-13 02:56:01 +08:00
|
|
|
if (rc)
|
2005-04-17 06:20:36 +08:00
|
|
|
goto err;
|
|
|
|
|
|
|
|
|
|
booldatum->value = le32_to_cpu(buf[0]);
|
|
|
|
|
booldatum->state = le32_to_cpu(buf[1]);
|
|
|
|
|
|
2010-06-13 02:56:01 +08:00
|
|
|
rc = -EINVAL;
|
2005-04-17 06:20:36 +08:00
|
|
|
if (!bool_isvalid(booldatum))
|
|
|
|
|
goto err;
|
|
|
|
|
|
|
|
|
|
len = le32_to_cpu(buf[2]);
|
2016-08-31 00:28:11 +08:00
|
|
|
if (((len == 0) || (len == (u32)-1)))
|
|
|
|
|
goto err;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2010-06-13 02:56:01 +08:00
|
|
|
rc = -ENOMEM;
|
2005-04-17 06:20:36 +08:00
|
|
|
key = kmalloc(len + 1, GFP_KERNEL);
|
|
|
|
|
if (!key)
|
|
|
|
|
goto err;
|
|
|
|
|
rc = next_entry(key, fp, len);
|
2010-06-13 02:56:01 +08:00
|
|
|
if (rc)
|
2005-04-17 06:20:36 +08:00
|
|
|
goto err;
|
2008-07-21 04:57:01 +08:00
|
|
|
key[len] = '\0';
|
2020-07-08 19:24:45 +08:00
|
|
|
rc = symtab_insert(s, key, booldatum);
|
2010-06-13 02:56:01 +08:00
|
|
|
if (rc)
|
2005-04-17 06:20:36 +08:00
|
|
|
goto err;
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
err:
|
|
|
|
|
cond_destroy_bool(key, booldatum, NULL);
|
2010-06-13 02:56:01 +08:00
|
|
|
return rc;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
2008-04-19 05:38:29 +08:00
|
|
|
struct cond_insertf_data {
|
2005-09-04 06:55:16 +08:00
|
|
|
struct policydb *p;
|
2020-02-03 19:27:21 +08:00
|
|
|
struct avtab_node **dst;
|
2005-09-04 06:55:16 +08:00
|
|
|
struct cond_av_list *other;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum *d, void *ptr)
|
|
|
|
|
{
|
|
|
|
|
struct cond_insertf_data *data = ptr;
|
|
|
|
|
struct policydb *p = data->p;
|
2020-02-03 19:27:21 +08:00
|
|
|
struct cond_av_list *other = data->other;
|
2005-04-17 06:20:36 +08:00
|
|
|
struct avtab_node *node_ptr;
|
2020-02-03 19:27:21 +08:00
|
|
|
u32 i;
|
|
|
|
|
bool found;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2005-09-04 06:55:16 +08:00
|
|
|
/*
|
|
|
|
|
* For type rules we have to make certain there aren't any
|
|
|
|
|
* conflicting rules by searching the te_avtab and the
|
|
|
|
|
* cond_te_avtab.
|
|
|
|
|
*/
|
|
|
|
|
if (k->specified & AVTAB_TYPE) {
|
|
|
|
|
if (avtab_search(&p->te_avtab, k)) {
|
2018-06-12 16:09:00 +08:00
|
|
|
pr_err("SELinux: type rule already exists outside of a conditional.\n");
|
2020-02-03 19:27:21 +08:00
|
|
|
return -EINVAL;
|
2005-09-04 06:55:16 +08:00
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
2005-09-04 06:55:16 +08:00
|
|
|
* If we are reading the false list other will be a pointer to
|
|
|
|
|
* the true list. We can have duplicate entries if there is only
|
|
|
|
|
* 1 other entry and it is in our true list.
|
|
|
|
|
*
|
|
|
|
|
* If we are reading the true list (other == NULL) there shouldn't
|
|
|
|
|
* be any other entries.
|
2005-04-17 06:20:36 +08:00
|
|
|
*/
|
2005-09-04 06:55:16 +08:00
|
|
|
if (other) {
|
|
|
|
|
node_ptr = avtab_search_node(&p->te_cond_avtab, k);
|
|
|
|
|
if (node_ptr) {
|
|
|
|
|
if (avtab_search_node_next(node_ptr, k->specified)) {
|
2018-06-12 16:09:00 +08:00
|
|
|
pr_err("SELinux: too many conflicting type rules.\n");
|
2020-02-03 19:27:21 +08:00
|
|
|
return -EINVAL;
|
2005-09-04 06:55:16 +08:00
|
|
|
}
|
2020-02-03 19:27:21 +08:00
|
|
|
found = false;
|
|
|
|
|
for (i = 0; i < other->len; i++) {
|
|
|
|
|
if (other->nodes[i] == node_ptr) {
|
|
|
|
|
found = true;
|
2005-09-04 06:55:16 +08:00
|
|
|
break;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
}
|
2005-09-04 06:55:16 +08:00
|
|
|
if (!found) {
|
2018-06-12 16:09:00 +08:00
|
|
|
pr_err("SELinux: conflicting type rules.\n");
|
2020-02-03 19:27:21 +08:00
|
|
|
return -EINVAL;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
}
|
2005-09-04 06:55:16 +08:00
|
|
|
} else {
|
|
|
|
|
if (avtab_search(&p->te_cond_avtab, k)) {
|
2018-06-12 16:09:00 +08:00
|
|
|
pr_err("SELinux: conflicting type rules when adding type rule for true.\n");
|
2020-02-03 19:27:21 +08:00
|
|
|
return -EINVAL;
|
2005-09-04 06:55:16 +08:00
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2005-09-04 06:55:16 +08:00
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2005-09-04 06:55:16 +08:00
|
|
|
node_ptr = avtab_insert_nonunique(&p->te_cond_avtab, k, d);
|
|
|
|
|
if (!node_ptr) {
|
2018-06-12 16:09:00 +08:00
|
|
|
pr_err("SELinux: could not insert rule.\n");
|
2020-02-03 19:27:21 +08:00
|
|
|
return -ENOMEM;
|
2010-06-13 02:52:19 +08:00
|
|
|
}
|
2005-09-04 06:55:16 +08:00
|
|
|
|
2020-02-03 19:27:21 +08:00
|
|
|
*data->dst = node_ptr;
|
2005-04-17 06:20:36 +08:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2020-02-03 19:27:21 +08:00
|
|
|
static int cond_read_av_list(struct policydb *p, void *fp,
|
|
|
|
|
struct cond_av_list *list,
|
|
|
|
|
struct cond_av_list *other)
|
2005-09-04 06:55:16 +08:00
|
|
|
{
|
2020-02-03 19:27:21 +08:00
|
|
|
int rc;
|
2005-09-04 06:55:17 +08:00
|
|
|
__le32 buf[1];
|
2020-02-03 19:27:21 +08:00
|
|
|
u32 i, len;
|
2005-09-04 06:55:16 +08:00
|
|
|
struct cond_insertf_data data;
|
|
|
|
|
|
|
|
|
|
rc = next_entry(buf, fp, sizeof(u32));
|
2010-06-13 02:52:19 +08:00
|
|
|
if (rc)
|
|
|
|
|
return rc;
|
2005-09-04 06:55:16 +08:00
|
|
|
|
|
|
|
|
len = le32_to_cpu(buf[0]);
|
2008-04-19 05:38:29 +08:00
|
|
|
if (len == 0)
|
2005-09-04 06:55:16 +08:00
|
|
|
return 0;
|
|
|
|
|
|
2020-02-03 19:27:21 +08:00
|
|
|
list->nodes = kcalloc(len, sizeof(*list->nodes), GFP_KERNEL);
|
|
|
|
|
if (!list->nodes)
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
2005-09-04 06:55:16 +08:00
|
|
|
data.p = p;
|
|
|
|
|
data.other = other;
|
|
|
|
|
for (i = 0; i < len; i++) {
|
2020-02-03 19:27:21 +08:00
|
|
|
data.dst = &list->nodes[i];
|
2007-11-07 23:08:00 +08:00
|
|
|
rc = avtab_read_item(&p->te_cond_avtab, fp, p, cond_insertf,
|
|
|
|
|
&data);
|
2020-02-03 19:27:21 +08:00
|
|
|
if (rc) {
|
|
|
|
|
kfree(list->nodes);
|
|
|
|
|
list->nodes = NULL;
|
2005-09-04 06:55:16 +08:00
|
|
|
return rc;
|
2020-02-03 19:27:21 +08:00
|
|
|
}
|
2005-09-04 06:55:16 +08:00
|
|
|
}
|
|
|
|
|
|
2020-02-03 19:27:21 +08:00
|
|
|
list->len = len;
|
2005-09-04 06:55:16 +08:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2020-02-03 19:27:22 +08:00
|
|
|
static int expr_node_isvalid(struct policydb *p, struct cond_expr_node *expr)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
|
if (expr->expr_type <= 0 || expr->expr_type > COND_LAST) {
|
2018-06-12 16:09:00 +08:00
|
|
|
pr_err("SELinux: conditional expressions uses unknown operator.\n");
|
2005-04-17 06:20:36 +08:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (expr->bool > p->p_bools.nprim) {
|
2018-06-12 16:09:00 +08:00
|
|
|
pr_err("SELinux: conditional expressions uses unknown bool.\n");
|
2005-04-17 06:20:36 +08:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp)
|
|
|
|
|
{
|
2005-09-04 06:55:17 +08:00
|
|
|
__le32 buf[2];
|
2020-02-03 19:27:22 +08:00
|
|
|
u32 i, len;
|
2005-04-17 06:20:36 +08:00
|
|
|
int rc;
|
|
|
|
|
|
2014-06-15 00:19:01 +08:00
|
|
|
rc = next_entry(buf, fp, sizeof(u32) * 2);
|
2010-06-13 02:53:46 +08:00
|
|
|
if (rc)
|
2020-02-03 19:27:22 +08:00
|
|
|
return rc;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
|
node->cur_state = le32_to_cpu(buf[0]);
|
|
|
|
|
|
|
|
|
|
/* expr */
|
2014-06-15 00:19:01 +08:00
|
|
|
len = le32_to_cpu(buf[1]);
|
2020-02-03 19:27:22 +08:00
|
|
|
node->expr.nodes = kcalloc(len, sizeof(*node->expr.nodes), GFP_KERNEL);
|
|
|
|
|
if (!node->expr.nodes)
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
|
|
node->expr.len = len;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2008-04-19 05:38:29 +08:00
|
|
|
for (i = 0; i < len; i++) {
|
2020-02-03 19:27:22 +08:00
|
|
|
struct cond_expr_node *expr = &node->expr.nodes[i];
|
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
rc = next_entry(buf, fp, sizeof(u32) * 2);
|
2010-06-13 02:53:46 +08:00
|
|
|
if (rc)
|
2020-06-16 04:45:48 +08:00
|
|
|
return rc;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
|
expr->expr_type = le32_to_cpu(buf[0]);
|
|
|
|
|
expr->bool = le32_to_cpu(buf[1]);
|
|
|
|
|
|
2020-06-16 04:45:48 +08:00
|
|
|
if (!expr_node_isvalid(p, expr))
|
|
|
|
|
return -EINVAL;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
2010-06-13 02:53:46 +08:00
|
|
|
rc = cond_read_av_list(p, fp, &node->true_list, NULL);
|
|
|
|
|
if (rc)
|
2020-06-16 04:45:48 +08:00
|
|
|
return rc;
|
|
|
|
|
return cond_read_av_list(p, fp, &node->false_list, &node->true_list);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int cond_read_list(struct policydb *p, void *fp)
|
|
|
|
|
{
|
2005-09-04 06:55:17 +08:00
|
|
|
__le32 buf[1];
|
|
|
|
|
u32 i, len;
|
2005-04-17 06:20:36 +08:00
|
|
|
int rc;
|
|
|
|
|
|
2020-06-25 00:12:58 +08:00
|
|
|
rc = next_entry(buf, fp, sizeof(buf));
|
2010-06-13 02:51:40 +08:00
|
|
|
if (rc)
|
|
|
|
|
return rc;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
|
len = le32_to_cpu(buf[0]);
|
|
|
|
|
|
2020-02-03 19:27:20 +08:00
|
|
|
p->cond_list = kcalloc(len, sizeof(*p->cond_list), GFP_KERNEL);
|
|
|
|
|
if (!p->cond_list)
|
2020-04-27 20:49:35 +08:00
|
|
|
return -ENOMEM;
|
2020-02-03 19:27:20 +08:00
|
|
|
|
2007-08-24 10:55:11 +08:00
|
|
|
rc = avtab_alloc(&(p->te_cond_avtab), p->te_avtab.nel);
|
|
|
|
|
if (rc)
|
|
|
|
|
goto err;
|
|
|
|
|
|
2020-02-03 19:27:20 +08:00
|
|
|
p->cond_list_len = len;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2020-02-03 19:27:20 +08:00
|
|
|
for (i = 0; i < len; i++) {
|
|
|
|
|
rc = cond_read_node(p, &p->cond_list[i], fp);
|
2010-06-13 02:51:40 +08:00
|
|
|
if (rc)
|
2005-04-17 06:20:36 +08:00
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
err:
|
2020-02-03 19:27:20 +08:00
|
|
|
cond_list_destroy(p);
|
2005-09-04 06:55:16 +08:00
|
|
|
p->cond_list = NULL;
|
2010-06-13 02:51:40 +08:00
|
|
|
return rc;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
2010-10-14 05:50:25 +08:00
|
|
|
int cond_write_bool(void *vkey, void *datum, void *ptr)
|
|
|
|
|
{
|
|
|
|
|
char *key = vkey;
|
|
|
|
|
struct cond_bool_datum *booldatum = datum;
|
|
|
|
|
struct policy_data *pd = ptr;
|
|
|
|
|
void *fp = pd->fp;
|
|
|
|
|
__le32 buf[3];
|
|
|
|
|
u32 len;
|
|
|
|
|
int rc;
|
|
|
|
|
|
|
|
|
|
len = strlen(key);
|
|
|
|
|
buf[0] = cpu_to_le32(booldatum->value);
|
|
|
|
|
buf[1] = cpu_to_le32(booldatum->state);
|
|
|
|
|
buf[2] = cpu_to_le32(len);
|
|
|
|
|
rc = put_entry(buf, sizeof(u32), 3, fp);
|
|
|
|
|
if (rc)
|
|
|
|
|
return rc;
|
|
|
|
|
rc = put_entry(key, 1, len, fp);
|
|
|
|
|
if (rc)
|
|
|
|
|
return rc;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* cond_write_cond_av_list doesn't write out the av_list nodes.
|
|
|
|
|
* Instead it writes out the key/value pairs from the avtab. This
|
|
|
|
|
* is necessary because there is no way to uniquely identifying rules
|
|
|
|
|
* in the avtab so it is not possible to associate individual rules
|
|
|
|
|
* in the avtab with a conditional without saving them as part of
|
|
|
|
|
* the conditional. This means that the avtab with the conditional
|
|
|
|
|
* rules will not be saved but will be rebuilt on policy load.
|
|
|
|
|
*/
|
|
|
|
|
static int cond_write_av_list(struct policydb *p,
|
|
|
|
|
struct cond_av_list *list, struct policy_file *fp)
|
|
|
|
|
{
|
|
|
|
|
__le32 buf[1];
|
2020-02-03 19:27:21 +08:00
|
|
|
u32 i;
|
2010-10-14 05:50:25 +08:00
|
|
|
int rc;
|
|
|
|
|
|
2020-02-03 19:27:21 +08:00
|
|
|
buf[0] = cpu_to_le32(list->len);
|
2010-10-14 05:50:25 +08:00
|
|
|
rc = put_entry(buf, sizeof(u32), 1, fp);
|
|
|
|
|
if (rc)
|
|
|
|
|
return rc;
|
|
|
|
|
|
2020-02-03 19:27:21 +08:00
|
|
|
for (i = 0; i < list->len; i++) {
|
|
|
|
|
rc = avtab_write_item(p, list->nodes[i], fp);
|
2010-10-14 05:50:25 +08:00
|
|
|
if (rc)
|
|
|
|
|
return rc;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2011-08-30 10:52:32 +08:00
|
|
|
static int cond_write_node(struct policydb *p, struct cond_node *node,
|
2010-10-14 05:50:25 +08:00
|
|
|
struct policy_file *fp)
|
|
|
|
|
{
|
|
|
|
|
__le32 buf[2];
|
|
|
|
|
int rc;
|
2020-02-03 19:27:22 +08:00
|
|
|
u32 i;
|
2010-10-14 05:50:25 +08:00
|
|
|
|
|
|
|
|
buf[0] = cpu_to_le32(node->cur_state);
|
|
|
|
|
rc = put_entry(buf, sizeof(u32), 1, fp);
|
|
|
|
|
if (rc)
|
|
|
|
|
return rc;
|
|
|
|
|
|
2020-02-03 19:27:22 +08:00
|
|
|
buf[0] = cpu_to_le32(node->expr.len);
|
2010-10-14 05:50:25 +08:00
|
|
|
rc = put_entry(buf, sizeof(u32), 1, fp);
|
|
|
|
|
if (rc)
|
|
|
|
|
return rc;
|
|
|
|
|
|
2020-02-03 19:27:22 +08:00
|
|
|
for (i = 0; i < node->expr.len; i++) {
|
|
|
|
|
buf[0] = cpu_to_le32(node->expr.nodes[i].expr_type);
|
|
|
|
|
buf[1] = cpu_to_le32(node->expr.nodes[i].bool);
|
2010-10-14 05:50:25 +08:00
|
|
|
rc = put_entry(buf, sizeof(u32), 2, fp);
|
|
|
|
|
if (rc)
|
|
|
|
|
return rc;
|
|
|
|
|
}
|
|
|
|
|
|
2020-02-03 19:27:21 +08:00
|
|
|
rc = cond_write_av_list(p, &node->true_list, fp);
|
2010-10-14 05:50:25 +08:00
|
|
|
if (rc)
|
|
|
|
|
return rc;
|
2020-02-03 19:27:21 +08:00
|
|
|
rc = cond_write_av_list(p, &node->false_list, fp);
|
2010-10-14 05:50:25 +08:00
|
|
|
if (rc)
|
|
|
|
|
return rc;
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2020-02-03 19:27:20 +08:00
|
|
|
int cond_write_list(struct policydb *p, void *fp)
|
2010-10-14 05:50:25 +08:00
|
|
|
{
|
2020-02-03 19:27:20 +08:00
|
|
|
u32 i;
|
2010-10-14 05:50:25 +08:00
|
|
|
__le32 buf[1];
|
|
|
|
|
int rc;
|
|
|
|
|
|
2020-02-03 19:27:20 +08:00
|
|
|
buf[0] = cpu_to_le32(p->cond_list_len);
|
2010-10-14 05:50:25 +08:00
|
|
|
rc = put_entry(buf, sizeof(u32), 1, fp);
|
|
|
|
|
if (rc)
|
|
|
|
|
return rc;
|
|
|
|
|
|
2020-02-03 19:27:20 +08:00
|
|
|
for (i = 0; i < p->cond_list_len; i++) {
|
|
|
|
|
rc = cond_write_node(p, &p->cond_list[i], fp);
|
2010-10-14 05:50:25 +08:00
|
|
|
if (rc)
|
|
|
|
|
return rc;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2015-07-11 05:19:56 +08:00
|
|
|
|
|
|
|
|
void cond_compute_xperms(struct avtab *ctab, struct avtab_key *key,
|
|
|
|
|
struct extended_perms_decision *xpermd)
|
|
|
|
|
{
|
|
|
|
|
struct avtab_node *node;
|
|
|
|
|
|
|
|
|
|
if (!ctab || !key || !xpermd)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
for (node = avtab_search_node(ctab, key); node;
|
|
|
|
|
node = avtab_search_node_next(node, key->specified)) {
|
|
|
|
|
if (node->key.specified & AVTAB_ENABLED)
|
|
|
|
|
services_compute_xperms_decision(xpermd, node);
|
|
|
|
|
}
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
/* Determine whether additional permissions are granted by the conditional
|
|
|
|
|
* av table, and if so, add them to the result
|
|
|
|
|
*/
|
2015-07-11 05:19:56 +08:00
|
|
|
void cond_compute_av(struct avtab *ctab, struct avtab_key *key,
|
|
|
|
|
struct av_decision *avd, struct extended_perms *xperms)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
|
struct avtab_node *node;
|
|
|
|
|
|
2015-11-24 05:07:41 +08:00
|
|
|
if (!ctab || !key || !avd)
|
2005-04-17 06:20:36 +08:00
|
|
|
return;
|
|
|
|
|
|
2008-08-07 08:18:20 +08:00
|
|
|
for (node = avtab_search_node(ctab, key); node;
|
2005-09-04 06:55:16 +08:00
|
|
|
node = avtab_search_node_next(node, key->specified)) {
|
2008-04-19 05:38:29 +08:00
|
|
|
if ((u16)(AVTAB_ALLOWED|AVTAB_ENABLED) ==
|
|
|
|
|
(node->key.specified & (AVTAB_ALLOWED|AVTAB_ENABLED)))
|
2015-07-11 05:19:56 +08:00
|
|
|
avd->allowed |= node->datum.u.data;
|
2008-04-19 05:38:29 +08:00
|
|
|
if ((u16)(AVTAB_AUDITDENY|AVTAB_ENABLED) ==
|
|
|
|
|
(node->key.specified & (AVTAB_AUDITDENY|AVTAB_ENABLED)))
|
2005-04-17 06:20:36 +08:00
|
|
|
/* Since a '0' in an auditdeny mask represents a
|
|
|
|
|
* permission we do NOT want to audit (dontaudit), we use
|
|
|
|
|
* the '&' operand to ensure that all '0's in the mask
|
|
|
|
|
* are retained (much unlike the allow and auditallow cases).
|
|
|
|
|
*/
|
2015-07-11 05:19:56 +08:00
|
|
|
avd->auditdeny &= node->datum.u.data;
|
2008-04-19 05:38:29 +08:00
|
|
|
if ((u16)(AVTAB_AUDITALLOW|AVTAB_ENABLED) ==
|
|
|
|
|
(node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED)))
|
2015-07-11 05:19:56 +08:00
|
|
|
avd->auditallow |= node->datum.u.data;
|
2015-11-24 05:07:41 +08:00
|
|
|
if (xperms && (node->key.specified & AVTAB_ENABLED) &&
|
2015-07-11 05:19:56 +08:00
|
|
|
(node->key.specified & AVTAB_XPERMS))
|
|
|
|
|
services_compute_xperms_drivers(xperms, node);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
}
|
2020-08-12 03:01:56 +08:00
|
|
|
|
|
|
|
|
static int cond_dup_av_list(struct cond_av_list *new,
|
|
|
|
|
struct cond_av_list *orig,
|
|
|
|
|
struct avtab *avtab)
|
|
|
|
|
{
|
|
|
|
|
u32 i;
|
|
|
|
|
|
|
|
|
|
memset(new, 0, sizeof(*new));
|
|
|
|
|
|
|
|
|
|
new->nodes = kcalloc(orig->len, sizeof(*new->nodes), GFP_KERNEL);
|
|
|
|
|
if (!new->nodes)
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < orig->len; i++) {
|
selinux: fix cond_list corruption when changing booleans
commit d8f5f0ea5b86300390b026b6c6e7836b7150814a upstream.
Currently, duplicate_policydb_cond_list() first copies the whole
conditional avtab and then tries to link to the correct entries in
cond_dup_av_list() using avtab_search(). However, since the conditional
avtab may contain multiple entries with the same key, this approach
often fails to find the right entry, potentially leading to wrong rules
being activated/deactivated when booleans are changed.
To fix this, instead start with an empty conditional avtab and add the
individual entries one-by-one while building the new av_lists. This
approach leads to the correct result, since each entry is present in the
av_lists exactly once.
The issue can be reproduced with Fedora policy as follows:
# sesearch -s ftpd_t -t public_content_rw_t -c dir -p create -A
allow ftpd_t non_security_file_type:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink watch watch_reads write }; [ ftpd_full_access ]:True
allow ftpd_t public_content_rw_t:dir { add_name create link remove_name rename reparent rmdir setattr unlink watch watch_reads write }; [ ftpd_anon_write ]:True
# setsebool ftpd_anon_write=off ftpd_connect_all_unreserved=off ftpd_connect_db=off ftpd_full_access=off
On fixed kernels, the sesearch output is the same after the setsebool
command:
# sesearch -s ftpd_t -t public_content_rw_t -c dir -p create -A
allow ftpd_t non_security_file_type:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink watch watch_reads write }; [ ftpd_full_access ]:True
allow ftpd_t public_content_rw_t:dir { add_name create link remove_name rename reparent rmdir setattr unlink watch watch_reads write }; [ ftpd_anon_write ]:True
While on the broken kernels, it will be different:
# sesearch -s ftpd_t -t public_content_rw_t -c dir -p create -A
allow ftpd_t non_security_file_type:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink watch watch_reads write }; [ ftpd_full_access ]:True
allow ftpd_t non_security_file_type:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink watch watch_reads write }; [ ftpd_full_access ]:True
allow ftpd_t non_security_file_type:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink watch watch_reads write }; [ ftpd_full_access ]:True
While there, also simplify the computation of nslots. This changes the
nslots values for nrules 2 or 3 to just two slots instead of 4, which
makes the sequence more consistent.
Cc: stable@vger.kernel.org
Fixes: c7c556f1e81b ("selinux: refactor changing booleans")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-04-02 16:56:19 +08:00
|
|
|
new->nodes[i] = avtab_insert_nonunique(avtab,
|
|
|
|
|
&orig->nodes[i]->key,
|
|
|
|
|
&orig->nodes[i]->datum);
|
|
|
|
|
if (!new->nodes[i])
|
|
|
|
|
return -ENOMEM;
|
2020-08-12 03:01:56 +08:00
|
|
|
new->len++;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int duplicate_policydb_cond_list(struct policydb *newp,
|
|
|
|
|
struct policydb *origp)
|
|
|
|
|
{
|
|
|
|
|
int rc, i, j;
|
|
|
|
|
|
selinux: fix cond_list corruption when changing booleans
commit d8f5f0ea5b86300390b026b6c6e7836b7150814a upstream.
Currently, duplicate_policydb_cond_list() first copies the whole
conditional avtab and then tries to link to the correct entries in
cond_dup_av_list() using avtab_search(). However, since the conditional
avtab may contain multiple entries with the same key, this approach
often fails to find the right entry, potentially leading to wrong rules
being activated/deactivated when booleans are changed.
To fix this, instead start with an empty conditional avtab and add the
individual entries one-by-one while building the new av_lists. This
approach leads to the correct result, since each entry is present in the
av_lists exactly once.
The issue can be reproduced with Fedora policy as follows:
# sesearch -s ftpd_t -t public_content_rw_t -c dir -p create -A
allow ftpd_t non_security_file_type:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink watch watch_reads write }; [ ftpd_full_access ]:True
allow ftpd_t public_content_rw_t:dir { add_name create link remove_name rename reparent rmdir setattr unlink watch watch_reads write }; [ ftpd_anon_write ]:True
# setsebool ftpd_anon_write=off ftpd_connect_all_unreserved=off ftpd_connect_db=off ftpd_full_access=off
On fixed kernels, the sesearch output is the same after the setsebool
command:
# sesearch -s ftpd_t -t public_content_rw_t -c dir -p create -A
allow ftpd_t non_security_file_type:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink watch watch_reads write }; [ ftpd_full_access ]:True
allow ftpd_t public_content_rw_t:dir { add_name create link remove_name rename reparent rmdir setattr unlink watch watch_reads write }; [ ftpd_anon_write ]:True
While on the broken kernels, it will be different:
# sesearch -s ftpd_t -t public_content_rw_t -c dir -p create -A
allow ftpd_t non_security_file_type:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink watch watch_reads write }; [ ftpd_full_access ]:True
allow ftpd_t non_security_file_type:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink watch watch_reads write }; [ ftpd_full_access ]:True
allow ftpd_t non_security_file_type:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink watch watch_reads write }; [ ftpd_full_access ]:True
While there, also simplify the computation of nslots. This changes the
nslots values for nrules 2 or 3 to just two slots instead of 4, which
makes the sequence more consistent.
Cc: stable@vger.kernel.org
Fixes: c7c556f1e81b ("selinux: refactor changing booleans")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-04-02 16:56:19 +08:00
|
|
|
rc = avtab_alloc_dup(&newp->te_cond_avtab, &origp->te_cond_avtab);
|
2020-08-12 03:01:56 +08:00
|
|
|
if (rc)
|
|
|
|
|
return rc;
|
|
|
|
|
|
|
|
|
|
newp->cond_list_len = 0;
|
|
|
|
|
newp->cond_list = kcalloc(origp->cond_list_len,
|
|
|
|
|
sizeof(*newp->cond_list),
|
|
|
|
|
GFP_KERNEL);
|
|
|
|
|
if (!newp->cond_list)
|
|
|
|
|
goto error;
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < origp->cond_list_len; i++) {
|
|
|
|
|
struct cond_node *newn = &newp->cond_list[i];
|
|
|
|
|
struct cond_node *orign = &origp->cond_list[i];
|
|
|
|
|
|
|
|
|
|
newp->cond_list_len++;
|
|
|
|
|
|
|
|
|
|
newn->cur_state = orign->cur_state;
|
|
|
|
|
newn->expr.nodes = kcalloc(orign->expr.len,
|
|
|
|
|
sizeof(*newn->expr.nodes), GFP_KERNEL);
|
|
|
|
|
if (!newn->expr.nodes)
|
|
|
|
|
goto error;
|
|
|
|
|
for (j = 0; j < orign->expr.len; j++)
|
|
|
|
|
newn->expr.nodes[j] = orign->expr.nodes[j];
|
|
|
|
|
newn->expr.len = orign->expr.len;
|
|
|
|
|
|
|
|
|
|
rc = cond_dup_av_list(&newn->true_list, &orign->true_list,
|
|
|
|
|
&newp->te_cond_avtab);
|
|
|
|
|
if (rc)
|
|
|
|
|
goto error;
|
|
|
|
|
|
|
|
|
|
rc = cond_dup_av_list(&newn->false_list, &orign->false_list,
|
|
|
|
|
&newp->te_cond_avtab);
|
|
|
|
|
if (rc)
|
|
|
|
|
goto error;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
error:
|
|
|
|
|
avtab_destroy(&newp->te_cond_avtab);
|
|
|
|
|
cond_list_destroy(newp);
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int cond_bools_destroy(void *key, void *datum, void *args)
|
|
|
|
|
{
|
|
|
|
|
/* key was not copied so no need to free here */
|
|
|
|
|
kfree(datum);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int cond_bools_copy(struct hashtab_node *new, struct hashtab_node *orig, void *args)
|
|
|
|
|
{
|
|
|
|
|
struct cond_bool_datum *datum;
|
|
|
|
|
|
2020-08-20 18:20:51 +08:00
|
|
|
datum = kmemdup(orig->datum, sizeof(struct cond_bool_datum),
|
|
|
|
|
GFP_KERNEL);
|
2020-08-12 03:01:56 +08:00
|
|
|
if (!datum)
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
|
|
new->key = orig->key; /* No need to copy, never modified */
|
|
|
|
|
new->datum = datum;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int cond_bools_index(void *key, void *datum, void *args)
|
|
|
|
|
{
|
|
|
|
|
struct cond_bool_datum *booldatum, **cond_bool_array;
|
|
|
|
|
|
|
|
|
|
booldatum = datum;
|
|
|
|
|
cond_bool_array = args;
|
|
|
|
|
cond_bool_array[booldatum->value - 1] = booldatum;
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int duplicate_policydb_bools(struct policydb *newdb,
|
|
|
|
|
struct policydb *orig)
|
|
|
|
|
{
|
|
|
|
|
struct cond_bool_datum **cond_bool_array;
|
|
|
|
|
int rc;
|
|
|
|
|
|
|
|
|
|
cond_bool_array = kmalloc_array(orig->p_bools.nprim,
|
|
|
|
|
sizeof(*orig->bool_val_to_struct),
|
|
|
|
|
GFP_KERNEL);
|
|
|
|
|
if (!cond_bool_array)
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
|
|
rc = hashtab_duplicate(&newdb->p_bools.table, &orig->p_bools.table,
|
|
|
|
|
cond_bools_copy, cond_bools_destroy, NULL);
|
|
|
|
|
if (rc) {
|
|
|
|
|
kfree(cond_bool_array);
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
hashtab_map(&newdb->p_bools.table, cond_bools_index, cond_bool_array);
|
|
|
|
|
newdb->bool_val_to_struct = cond_bool_array;
|
|
|
|
|
|
|
|
|
|
newdb->p_bools.nprim = orig->p_bools.nprim;
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void cond_policydb_destroy_dup(struct policydb *p)
|
|
|
|
|
{
|
|
|
|
|
hashtab_map(&p->p_bools.table, cond_bools_destroy, NULL);
|
|
|
|
|
hashtab_destroy(&p->p_bools.table);
|
|
|
|
|
cond_policydb_destroy(p);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int cond_policydb_dup(struct policydb *new, struct policydb *orig)
|
|
|
|
|
{
|
|
|
|
|
cond_policydb_init(new);
|
|
|
|
|
|
|
|
|
|
if (duplicate_policydb_bools(new, orig))
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
|
|
if (duplicate_policydb_cond_list(new, orig)) {
|
|
|
|
|
cond_policydb_destroy_dup(new);
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|