authorEric Paris <eparis@redhat.com>2010-11-29 15:47:09 -0500
committerEric Paris <eparis@redhat.com>2010-11-30 17:28:58 -0500
commitac76c05becb6beedbb458d0827d3deaa6f479a72 (patch)
tree255276b52f7b031671ae5948b39d7c92e50ba420 /security/selinux
parent23bdecb000c806cf4ec52764499a600f7200d7a9 (diff)
selinux: convert part of the sym_val_to_name array to use flex_array
The sym_val_to_name type array can be quite large as it grows linearly with the number of types. With known policies having over 5k types these allocations are growing large enough that they are likely to fail. Convert those to flex_array so that no single allocation is larger than PAGE_SIZE.

Signed-off-by: Eric Paris <eparis@redhat.com>
Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/ss/conditional.c6
-rw-r--r--security/selinux/ss/mls.c25
-rw-r--r--security/selinux/ss/policydb.c109
-rw-r--r--security/selinux/ss/policydb.h17
-rw-r--r--security/selinux/ss/services.c38
5 files changed, 127 insertions, 68 deletions
diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
index 655fe1c6cc69..c3f845cbcd48 100644
--- a/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@ -193,6 +193,7 @@ int cond_index_bool(void *key, void *datum, void *datap)
193{ 193{
194 struct policydb *p; 194 struct policydb *p;
195 struct cond_bool_datum *booldatum; 195 struct cond_bool_datum *booldatum;
196 struct flex_array *fa;
196 197
197 booldatum = datum; 198 booldatum = datum;
198 p = datap; 199 p = datap;
@@ -200,7 +201,10 @@ int cond_index_bool(void *key, void *datum, void *datap)
200 if (!booldatum->value || booldatum->value > p->p_bools.nprim) 201 if (!booldatum->value || booldatum->value > p->p_bools.nprim)
201 return -EINVAL; 202 return -EINVAL;
202 203
203 p->p_bool_val_to_name[booldatum->value - 1] = key; 204 fa = p->sym_val_to_name[SYM_BOOLS];
205 if (flex_array_put_ptr(fa, booldatum->value - 1, key,
206 GFP_KERNEL | __GFP_ZERO))
207 BUG();
204 p->bool_val_to_struct[booldatum->value - 1] = booldatum; 208 p->bool_val_to_struct[booldatum->value - 1] = booldatum;
205 209
206 return 0; 210 return 0;
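Review bot: The BUG() after flex_array_put_ptr() in cond_index_bool() is only safe because policydb_index_others() preallocates every slot of sym_val_to_name[SYM_BOOLS] before the indexer runs, and nothing at this call site says so; a reader will wonder why a failed put panics the machine during a policy load. Add `/* slot preallocated by policydb_index_others(); put cannot fail */` above the call. The __GFP_ZERO in the put flags is harmless but does nothing for an already-allocated slot, so plain GFP_KERNEL would read more honestly.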
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
index b4eff7a60c50..1ef8e4e89880 100644
--- a/security/selinux/ss/mls.c
+++ b/security/selinux/ss/mls.c
@@ -45,7 +45,7 @@ int mls_compute_context_len(struct context *context)
45 len = 1; /* for the beginning ":" */ 45 len = 1; /* for the beginning ":" */
46 for (l = 0; l < 2; l++) { 46 for (l = 0; l < 2; l++) {
47 int index_sens = context->range.level[l].sens; 47 int index_sens = context->range.level[l].sens;
48 len += strlen(policydb.p_sens_val_to_name[index_sens - 1]); 48 len += strlen(sym_name(&policydb, SYM_LEVELS, index_sens - 1));
49 49
50 /* categories */ 50 /* categories */
51 head = -2; 51 head = -2;
@@ -55,17 +55,17 @@ int mls_compute_context_len(struct context *context)
55 if (i - prev > 1) { 55 if (i - prev > 1) {
56 /* one or more negative bits are skipped */ 56 /* one or more negative bits are skipped */
57 if (head != prev) { 57 if (head != prev) {
58 nm = policydb.p_cat_val_to_name[prev]; 58 nm = sym_name(&policydb, SYM_CATS, prev);
59 len += strlen(nm) + 1; 59 len += strlen(nm) + 1;
60 } 60 }
61 nm = policydb.p_cat_val_to_name[i]; 61 nm = sym_name(&policydb, SYM_CATS, i);
62 len += strlen(nm) + 1; 62 len += strlen(nm) + 1;
63 head = i; 63 head = i;
64 } 64 }
65 prev = i; 65 prev = i;
66 } 66 }
67 if (prev != head) { 67 if (prev != head) {
68 nm = policydb.p_cat_val_to_name[prev]; 68 nm = sym_name(&policydb, SYM_CATS, prev);
69 len += strlen(nm) + 1; 69 len += strlen(nm) + 1;
70 } 70 }
71 if (l == 0) { 71 if (l == 0) {
@@ -102,8 +102,8 @@ void mls_sid_to_context(struct context *context,
102 scontextp++; 102 scontextp++;
103 103
104 for (l = 0; l < 2; l++) { 104 for (l = 0; l < 2; l++) {
105 strcpy(scontextp, 105 strcpy(scontextp, sym_name(&policydb, SYM_LEVELS,
106 policydb.p_sens_val_to_name[context->range.level[l].sens - 1]); 106 context->range.level[l].sens - 1));
107 scontextp += strlen(scontextp); 107 scontextp += strlen(scontextp);
108 108
109 /* categories */ 109 /* categories */
@@ -118,7 +118,7 @@ void mls_sid_to_context(struct context *context,
118 *scontextp++ = '.'; 118 *scontextp++ = '.';
119 else 119 else
120 *scontextp++ = ','; 120 *scontextp++ = ',';
121 nm = policydb.p_cat_val_to_name[prev]; 121 nm = sym_name(&policydb, SYM_CATS, prev);
122 strcpy(scontextp, nm); 122 strcpy(scontextp, nm);
123 scontextp += strlen(nm); 123 scontextp += strlen(nm);
124 } 124 }
@@ -126,7 +126,7 @@ void mls_sid_to_context(struct context *context,
126 *scontextp++ = ':'; 126 *scontextp++ = ':';
127 else 127 else
128 *scontextp++ = ','; 128 *scontextp++ = ',';
129 nm = policydb.p_cat_val_to_name[i]; 129 nm = sym_name(&policydb, SYM_CATS, i);
130 strcpy(scontextp, nm); 130 strcpy(scontextp, nm);
131 scontextp += strlen(nm); 131 scontextp += strlen(nm);
132 head = i; 132 head = i;
@@ -139,7 +139,7 @@ void mls_sid_to_context(struct context *context,
139 *scontextp++ = '.'; 139 *scontextp++ = '.';
140 else 140 else
141 *scontextp++ = ','; 141 *scontextp++ = ',';
142 nm = policydb.p_cat_val_to_name[prev]; 142 nm = sym_name(&policydb, SYM_CATS, prev);
143 strcpy(scontextp, nm); 143 strcpy(scontextp, nm);
144 scontextp += strlen(nm); 144 scontextp += strlen(nm);
145 } 145 }
@@ -166,7 +166,7 @@ int mls_level_isvalid(struct policydb *p, struct mls_level *l)
166 if (!l->sens || l->sens > p->p_levels.nprim) 166 if (!l->sens || l->sens > p->p_levels.nprim)
167 return 0; 167 return 0;
168 levdatum = hashtab_search(p->p_levels.table, 168 levdatum = hashtab_search(p->p_levels.table,
169 p->p_sens_val_to_name[l->sens - 1]); 169 sym_name(p, SYM_LEVELS, l->sens - 1));
170 if (!levdatum) 170 if (!levdatum)
171 return 0; 171 return 0;
172 172
@@ -482,7 +482,8 @@ int mls_convert_context(struct policydb *oldp,
482 482
483 for (l = 0; l < 2; l++) { 483 for (l = 0; l < 2; l++) {
484 levdatum = hashtab_search(newp->p_levels.table, 484 levdatum = hashtab_search(newp->p_levels.table,
485 oldp->p_sens_val_to_name[c->range.level[l].sens - 1]); 485 sym_name(oldp, SYM_LEVELS,
486 c->range.level[l].sens - 1));
486 487
487 if (!levdatum) 488 if (!levdatum)
488 return -EINVAL; 489 return -EINVAL;
@@ -493,7 +494,7 @@ int mls_convert_context(struct policydb *oldp,
493 int rc; 494 int rc;
494 495
495 catdatum = hashtab_search(newp->p_cats.table, 496 catdatum = hashtab_search(newp->p_cats.table,
496 oldp->p_cat_val_to_name[i]); 497 sym_name(oldp, SYM_CATS, i));
497 if (!catdatum) 498 if (!catdatum)
498 return -EINVAL; 499 return -EINVAL;
499 rc = ebitmap_set_bit(&bitmap, catdatum->value - 1, 1); 500 rc = ebitmap_set_bit(&bitmap, catdatum->value - 1, 1);
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index af41fdfe1a71..5adca670e5af 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -254,12 +254,17 @@ static int common_index(void *key, void *datum, void *datap)
254{ 254{
255 struct policydb *p; 255 struct policydb *p;
256 struct common_datum *comdatum; 256 struct common_datum *comdatum;
257 struct flex_array *fa;
257 258
258 comdatum = datum; 259 comdatum = datum;
259 p = datap; 260 p = datap;
260 if (!comdatum->value || comdatum->value > p->p_commons.nprim) 261 if (!comdatum->value || comdatum->value > p->p_commons.nprim)
261 return -EINVAL; 262 return -EINVAL;
262 p->p_common_val_to_name[comdatum->value - 1] = key; 263
264 fa = p->sym_val_to_name[SYM_COMMONS];
265 if (flex_array_put_ptr(fa, comdatum->value - 1, key,
266 GFP_KERNEL | __GFP_ZERO))
267 BUG();
263 return 0; 268 return 0;
264} 269}
265 270
@@ -267,12 +272,16 @@ static int class_index(void *key, void *datum, void *datap)
267{ 272{
268 struct policydb *p; 273 struct policydb *p;
269 struct class_datum *cladatum; 274 struct class_datum *cladatum;
275 struct flex_array *fa;
270 276
271 cladatum = datum; 277 cladatum = datum;
272 p = datap; 278 p = datap;
273 if (!cladatum->value || cladatum->value > p->p_classes.nprim) 279 if (!cladatum->value || cladatum->value > p->p_classes.nprim)
274 return -EINVAL; 280 return -EINVAL;
275 p->p_class_val_to_name[cladatum->value - 1] = key; 281 fa = p->sym_val_to_name[SYM_CLASSES];
282 if (flex_array_put_ptr(fa, cladatum->value - 1, key,
283 GFP_KERNEL | __GFP_ZERO))
284 BUG();
276 p->class_val_to_struct[cladatum->value - 1] = cladatum; 285 p->class_val_to_struct[cladatum->value - 1] = cladatum;
277 return 0; 286 return 0;
278} 287}
@@ -281,6 +290,7 @@ static int role_index(void *key, void *datum, void *datap)
281{ 290{
282 struct policydb *p; 291 struct policydb *p;
283 struct role_datum *role; 292 struct role_datum *role;
293 struct flex_array *fa;
284 294
285 role = datum; 295 role = datum;
286 p = datap; 296 p = datap;
@@ -288,7 +298,11 @@ static int role_index(void *key, void *datum, void *datap)
288 || role->value > p->p_roles.nprim 298 || role->value > p->p_roles.nprim
289 || role->bounds > p->p_roles.nprim) 299 || role->bounds > p->p_roles.nprim)
290 return -EINVAL; 300 return -EINVAL;
291 p->p_role_val_to_name[role->value - 1] = key; 301
302 fa = p->sym_val_to_name[SYM_ROLES];
303 if (flex_array_put_ptr(fa, role->value - 1, key,
304 GFP_KERNEL | __GFP_ZERO))
305 BUG();
292 p->role_val_to_struct[role->value - 1] = role; 306 p->role_val_to_struct[role->value - 1] = role;
293 return 0; 307 return 0;
294} 308}
@@ -297,6 +311,7 @@ static int type_index(void *key, void *datum, void *datap)
297{ 311{
298 struct policydb *p; 312 struct policydb *p;
299 struct type_datum *typdatum; 313 struct type_datum *typdatum;
314 struct flex_array *fa;
300 315
301 typdatum = datum; 316 typdatum = datum;
302 p = datap; 317 p = datap;
@@ -306,10 +321,13 @@ static int type_index(void *key, void *datum, void *datap)
306 || typdatum->value > p->p_types.nprim 321 || typdatum->value > p->p_types.nprim
307 || typdatum->bounds > p->p_types.nprim) 322 || typdatum->bounds > p->p_types.nprim)
308 return -EINVAL; 323 return -EINVAL;
309 p->p_type_val_to_name[typdatum->value - 1] = key; 324 fa = p->sym_val_to_name[SYM_TYPES];
310 /* this flex array was all preallocated, this cannot fail */ 325 if (flex_array_put_ptr(fa, typdatum->value - 1, key,
311 if (flex_array_put_ptr(p->type_val_to_struct_array, 326 GFP_KERNEL | __GFP_ZERO))
312 typdatum->value - 1, typdatum, 327 BUG();
328
329 fa = p->type_val_to_struct_array;
330 if (flex_array_put_ptr(fa, typdatum->value - 1, typdatum,
313 GFP_KERNEL | __GFP_ZERO)) 331 GFP_KERNEL | __GFP_ZERO))
314 BUG(); 332 BUG();
315 } 333 }
@@ -321,6 +339,7 @@ static int user_index(void *key, void *datum, void *datap)
321{ 339{
322 struct policydb *p; 340 struct policydb *p;
323 struct user_datum *usrdatum; 341 struct user_datum *usrdatum;
342 struct flex_array *fa;
324 343
325 usrdatum = datum; 344 usrdatum = datum;
326 p = datap; 345 p = datap;
@@ -328,7 +347,11 @@ static int user_index(void *key, void *datum, void *datap)
328 || usrdatum->value > p->p_users.nprim 347 || usrdatum->value > p->p_users.nprim
329 || usrdatum->bounds > p->p_users.nprim) 348 || usrdatum->bounds > p->p_users.nprim)
330 return -EINVAL; 349 return -EINVAL;
331 p->p_user_val_to_name[usrdatum->value - 1] = key; 350
351 fa = p->sym_val_to_name[SYM_USERS];
352 if (flex_array_put_ptr(fa, usrdatum->value - 1, key,
353 GFP_KERNEL | __GFP_ZERO))
354 BUG();
332 p->user_val_to_struct[usrdatum->value - 1] = usrdatum; 355 p->user_val_to_struct[usrdatum->value - 1] = usrdatum;
333 return 0; 356 return 0;
334} 357}
@@ -337,6 +360,7 @@ static int sens_index(void *key, void *datum, void *datap)
337{ 360{
338 struct policydb *p; 361 struct policydb *p;
339 struct level_datum *levdatum; 362 struct level_datum *levdatum;
363 struct flex_array *fa;
340 364
341 levdatum = datum; 365 levdatum = datum;
342 p = datap; 366 p = datap;
@@ -345,7 +369,10 @@ static int sens_index(void *key, void *datum, void *datap)
345 if (!levdatum->level->sens || 369 if (!levdatum->level->sens ||
346 levdatum->level->sens > p->p_levels.nprim) 370 levdatum->level->sens > p->p_levels.nprim)
347 return -EINVAL; 371 return -EINVAL;
348 p->p_sens_val_to_name[levdatum->level->sens - 1] = key; 372 fa = p->sym_val_to_name[SYM_LEVELS];
373 if (flex_array_put_ptr(fa, levdatum->level->sens - 1, key,
374 GFP_KERNEL | __GFP_ZERO))
375 BUG();
349 } 376 }
350 377
351 return 0; 378 return 0;
@@ -355,6 +382,7 @@ static int cat_index(void *key, void *datum, void *datap)
355{ 382{
356 struct policydb *p; 383 struct policydb *p;
357 struct cat_datum *catdatum; 384 struct cat_datum *catdatum;
385 struct flex_array *fa;
358 386
359 catdatum = datum; 387 catdatum = datum;
360 p = datap; 388 p = datap;
@@ -362,7 +390,10 @@ static int cat_index(void *key, void *datum, void *datap)
362 if (!catdatum->isalias) { 390 if (!catdatum->isalias) {
363 if (!catdatum->value || catdatum->value > p->p_cats.nprim) 391 if (!catdatum->value || catdatum->value > p->p_cats.nprim)
364 return -EINVAL; 392 return -EINVAL;
365 p->p_cat_val_to_name[catdatum->value - 1] = key; 393 fa = p->sym_val_to_name[SYM_CATS];
394 if (flex_array_put_ptr(fa, catdatum->value - 1, key,
395 GFP_KERNEL | __GFP_ZERO))
396 BUG();
366 } 397 }
367 398
368 return 0; 399 return 0;
@@ -392,9 +423,16 @@ static int policydb_index_classes(struct policydb *p)
392 int rc; 423 int rc;
393 424
394 rc = -ENOMEM; 425 rc = -ENOMEM;
395 p->p_common_val_to_name = 426 p->sym_val_to_name[SYM_COMMONS] = flex_array_alloc(sizeof(char *),
396 kmalloc(p->p_commons.nprim * sizeof(char *), GFP_KERNEL); 427 p->p_commons.nprim,
397 if (!p->p_common_val_to_name) 428 GFP_KERNEL | __GFP_ZERO);
429 if (!p->sym_val_to_name[SYM_COMMONS])
430 goto out;
431
432 rc = flex_array_prealloc(p->sym_val_to_name[SYM_COMMONS],
433 0, p->p_commons.nprim - 1,
434 GFP_KERNEL | __GFP_ZERO);
435 if (rc)
398 goto out; 436 goto out;
399 437
400 rc = hashtab_map(p->p_commons.table, common_index, p); 438 rc = hashtab_map(p->p_commons.table, common_index, p);
@@ -408,9 +446,16 @@ static int policydb_index_classes(struct policydb *p)
408 goto out; 446 goto out;
409 447
410 rc = -ENOMEM; 448 rc = -ENOMEM;
411 p->p_class_val_to_name = 449 p->sym_val_to_name[SYM_CLASSES] = flex_array_alloc(sizeof(char *),
412 kmalloc(p->p_classes.nprim * sizeof(char *), GFP_KERNEL); 450 p->p_classes.nprim,
413 if (!p->p_class_val_to_name) 451 GFP_KERNEL | __GFP_ZERO);
452 if (!p->sym_val_to_name[SYM_CLASSES])
453 goto out;
454
455 rc = flex_array_prealloc(p->sym_val_to_name[SYM_CLASSES],
456 0, p->p_classes.nprim - 1,
457 GFP_KERNEL | __GFP_ZERO);
458 if (rc)
414 goto out; 459 goto out;
415 460
416 rc = hashtab_map(p->p_classes.table, class_index, p); 461 rc = hashtab_map(p->p_classes.table, class_index, p);
@@ -507,10 +552,18 @@ static int policydb_index_others(struct policydb *p)
507 552
508 for (i = SYM_ROLES; i < SYM_NUM; i++) { 553 for (i = SYM_ROLES; i < SYM_NUM; i++) {
509 rc = -ENOMEM; 554 rc = -ENOMEM;
510 p->sym_val_to_name[i] = 555 p->sym_val_to_name[i] = flex_array_alloc(sizeof(char *),
511 kmalloc(p->symtab[i].nprim * sizeof(char *), GFP_KERNEL); 556 p->symtab[i].nprim,
557 GFP_KERNEL | __GFP_ZERO);
512 if (!p->sym_val_to_name[i]) 558 if (!p->sym_val_to_name[i])
513 goto out; 559 goto out;
560
561 rc = flex_array_prealloc(p->sym_val_to_name[i],
562 0, p->symtab[i].nprim - 1,
563 GFP_KERNEL | __GFP_ZERO);
564 if (rc)
565 goto out;
566
514 rc = hashtab_map(p->symtab[i].table, index_f[i], p); 567 rc = hashtab_map(p->symtab[i].table, index_f[i], p);
515 if (rc) 568 if (rc)
516 goto out; 569 goto out;
@@ -703,8 +756,10 @@ void policydb_destroy(struct policydb *p)
703 hashtab_destroy(p->symtab[i].table); 756 hashtab_destroy(p->symtab[i].table);
704 } 757 }
705 758
706 for (i = 0; i < SYM_NUM; i++) 759 for (i = 0; i < SYM_NUM; i++) {
707 kfree(p->sym_val_to_name[i]); 760 if (p->sym_val_to_name[i])
761 flex_array_free(p->sym_val_to_name[i]);
762 }
708 763
709 kfree(p->class_val_to_struct); 764 kfree(p->class_val_to_struct);
710 kfree(p->role_val_to_struct); 765 kfree(p->role_val_to_struct);
@@ -1566,9 +1621,9 @@ static int user_bounds_sanity_check(void *key, void *datum, void *datap)
1566 printk(KERN_ERR 1621 printk(KERN_ERR
1567 "SELinux: boundary violated policy: " 1622 "SELinux: boundary violated policy: "
1568 "user=%s role=%s bounds=%s\n", 1623 "user=%s role=%s bounds=%s\n",
1569 p->p_user_val_to_name[user->value - 1], 1624 sym_name(p, SYM_USERS, user->value - 1),
1570 p->p_role_val_to_name[bit], 1625 sym_name(p, SYM_ROLES, bit),
1571 p->p_user_val_to_name[upper->value - 1]); 1626 sym_name(p, SYM_USERS, upper->value - 1));
1572 1627
1573 return -EINVAL; 1628 return -EINVAL;
1574 } 1629 }
@@ -1603,9 +1658,9 @@ static int role_bounds_sanity_check(void *key, void *datum, void *datap)
1603 printk(KERN_ERR 1658 printk(KERN_ERR
1604 "SELinux: boundary violated policy: " 1659 "SELinux: boundary violated policy: "
1605 "role=%s type=%s bounds=%s\n", 1660 "role=%s type=%s bounds=%s\n",
1606 p->p_role_val_to_name[role->value - 1], 1661 sym_name(p, SYM_ROLES, role->value - 1),
1607 p->p_type_val_to_name[bit], 1662 sym_name(p, SYM_TYPES, bit),
1608 p->p_role_val_to_name[upper->value - 1]); 1663 sym_name(p, SYM_ROLES, upper->value - 1));
1609 1664
1610 return -EINVAL; 1665 return -EINVAL;
1611 } 1666 }
@@ -1637,7 +1692,7 @@ static int type_bounds_sanity_check(void *key, void *datum, void *datap)
1637 printk(KERN_ERR "SELinux: type %s: " 1692 printk(KERN_ERR "SELinux: type %s: "
1638 "bounded by attribute %s", 1693 "bounded by attribute %s",
1639 (char *) key, 1694 (char *) key,
1640 p->p_type_val_to_name[upper->value - 1]); 1695 sym_name(p, SYM_TYPES, upper->value - 1));
1641 return -EINVAL; 1696 return -EINVAL;
1642 } 1697 }
1643 } 1698 }
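Review bot: In policydb_index_others() the call `flex_array_prealloc(p->sym_val_to_name[i], 0, p->symtab[i].nprim - 1, ...)` passes an end index of nprim - 1, which wraps to a huge value when a symbol table is empty, and SYM_LEVELS/SYM_CATS are empty for any non-MLS policy while SYM_BOOLS is empty for a policy with no booleans. If flex_array_prealloc() rejects an end index beyond the array's total (as I read that API), loading such a policy now fails where the old kmalloc-based path presumably did not trip on a zero count; the same pattern is used for SYM_COMMONS and SYM_CLASSES in policydb_index_classes(), though those are rarely empty. I would guard it: `if (p->symtab[i].nprim) { rc = flex_array_prealloc(p->sym_val_to_name[i], 0, p->symtab[i].nprim - 1, GFP_KERNEL | __GFP_ZERO); if (rc) goto out; }`, and mirror that in the two explicit cases. Separately, the comment `/* this flex array was all preallocated, this cannot fail */` that justified BUG() in type_index() was dropped in this hunk; it should stay above the put_ptr calls.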
diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
index 9826a92a6b0c..4e3ab9d0b315 100644
--- a/security/selinux/ss/policydb.h
+++ b/security/selinux/ss/policydb.h
@@ -203,15 +203,7 @@ struct policydb {
203#define p_cats symtab[SYM_CATS] 203#define p_cats symtab[SYM_CATS]
204 204
205 /* symbol names indexed by (value - 1) */ 205 /* symbol names indexed by (value - 1) */
206 char **sym_val_to_name[SYM_NUM]; 206 struct flex_array *sym_val_to_name[SYM_NUM];
207#define p_common_val_to_name sym_val_to_name[SYM_COMMONS]
208#define p_class_val_to_name sym_val_to_name[SYM_CLASSES]
209#define p_role_val_to_name sym_val_to_name[SYM_ROLES]
210#define p_type_val_to_name sym_val_to_name[SYM_TYPES]
211#define p_user_val_to_name sym_val_to_name[SYM_USERS]
212#define p_bool_val_to_name sym_val_to_name[SYM_BOOLS]
213#define p_sens_val_to_name sym_val_to_name[SYM_LEVELS]
214#define p_cat_val_to_name sym_val_to_name[SYM_CATS]
215 207
216 /* class, role, and user attributes indexed by (value - 1) */ 208 /* class, role, and user attributes indexed by (value - 1) */
217 struct class_datum **class_val_to_struct; 209 struct class_datum **class_val_to_struct;
@@ -321,6 +313,13 @@ static inline int put_entry(void *buf, size_t bytes, int num, struct policy_file
321 return 0; 313 return 0;
322} 314}
323 315
316static inline char *sym_name(struct policydb *p, unsigned int sym_num, unsigned int element_nr)
317{
318 struct flex_array *fa = p->sym_val_to_name[sym_num];
319
320 return flex_array_get_ptr(fa, element_nr);
321}
322
324extern u16 string_to_security_class(struct policydb *p, const char *name); 323extern u16 string_to_security_class(struct policydb *p, const char *name);
325extern u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name); 324extern u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name);
326 325
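Review bot: sym_name() is the new lookup that every caller feeds straight into strlen(), strcpy(), hashtab_search() or an audit format string, yet it has no comment stating its contract; as far as I can tell flex_array_get_ptr() returns NULL for an index outside the array, so a caller that passes an unvalidated `value - 1` now dereferences NULL instead of reading past a kmalloc buffer. Add above the function: `/* Return the name of symbol number (element_nr + 1) in symbol table sym_num. element_nr must already be range-checked against symtab[sym_num].nprim; otherwise NULL is returned and callers do not check for it. */`.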
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index afcbc19817f7..a03cfaf0ee07 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -464,7 +464,7 @@ static void security_dump_masked_av(struct context *scontext,
464 if (!permissions) 464 if (!permissions)
465 return; 465 return;
466 466
467 tclass_name = policydb.p_class_val_to_name[tclass - 1]; 467 tclass_name = sym_name(&policydb, SYM_CLASSES, tclass - 1);
468 tclass_dat = policydb.class_val_to_struct[tclass - 1]; 468 tclass_dat = policydb.class_val_to_struct[tclass - 1];
469 common_dat = tclass_dat->comdatum; 469 common_dat = tclass_dat->comdatum;
470 470
@@ -716,7 +716,7 @@ static int security_validtrans_handle_fail(struct context *ocontext,
716 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, 716 audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
717 "security_validate_transition: denied for" 717 "security_validate_transition: denied for"
718 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s", 718 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
719 o, n, t, policydb.p_class_val_to_name[tclass-1]); 719 o, n, t, sym_name(&policydb, SYM_CLASSES, tclass-1));
720out: 720out:
721 kfree(o); 721 kfree(o);
722 kfree(n); 722 kfree(n);
@@ -1012,9 +1012,9 @@ static int context_struct_to_string(struct context *context, char **scontext, u3
1012 } 1012 }
1013 1013
1014 /* Compute the size of the context. */ 1014 /* Compute the size of the context. */
1015 *scontext_len += strlen(policydb.p_user_val_to_name[context->user - 1]) + 1; 1015 *scontext_len += strlen(sym_name(&policydb, SYM_USERS, context->user - 1)) + 1;
1016 *scontext_len += strlen(policydb.p_role_val_to_name[context->role - 1]) + 1; 1016 *scontext_len += strlen(sym_name(&policydb, SYM_ROLES, context->role - 1)) + 1;
1017 *scontext_len += strlen(policydb.p_type_val_to_name[context->type - 1]) + 1; 1017 *scontext_len += strlen(sym_name(&policydb, SYM_TYPES, context->type - 1)) + 1;
1018 *scontext_len += mls_compute_context_len(context); 1018 *scontext_len += mls_compute_context_len(context);
1019 1019
1020 if (!scontext) 1020 if (!scontext)
@@ -1030,12 +1030,12 @@ static int context_struct_to_string(struct context *context, char **scontext, u3
1030 * Copy the user name, role name and type name into the context. 1030 * Copy the user name, role name and type name into the context.
1031 */ 1031 */
1032 sprintf(scontextp, "%s:%s:%s", 1032 sprintf(scontextp, "%s:%s:%s",
1033 policydb.p_user_val_to_name[context->user - 1], 1033 sym_name(&policydb, SYM_USERS, context->user - 1),
1034 policydb.p_role_val_to_name[context->role - 1], 1034 sym_name(&policydb, SYM_ROLES, context->role - 1),
1035 policydb.p_type_val_to_name[context->type - 1]); 1035 sym_name(&policydb, SYM_TYPES, context->type - 1));
1036 scontextp += strlen(policydb.p_user_val_to_name[context->user - 1]) + 1036 scontextp += strlen(sym_name(&policydb, SYM_USERS, context->user - 1)) +
1037 1 + strlen(policydb.p_role_val_to_name[context->role - 1]) + 1037 1 + strlen(sym_name(&policydb, SYM_ROLES, context->role - 1)) +
1038 1 + strlen(policydb.p_type_val_to_name[context->type - 1]); 1038 1 + strlen(sym_name(&policydb, SYM_TYPES, context->type - 1));
1039 1039
1040 mls_sid_to_context(context, &scontextp); 1040 mls_sid_to_context(context, &scontextp);
1041 1041
@@ -1333,7 +1333,7 @@ static int compute_sid_handle_invalid_context(
1333 " for scontext=%s" 1333 " for scontext=%s"
1334 " tcontext=%s" 1334 " tcontext=%s"
1335 " tclass=%s", 1335 " tclass=%s",
1336 n, s, t, policydb.p_class_val_to_name[tclass-1]); 1336 n, s, t, sym_name(&policydb, SYM_CLASSES, tclass-1));
1337out: 1337out:
1338 kfree(s); 1338 kfree(s);
1339 kfree(t); 1339 kfree(t);
@@ -1654,7 +1654,7 @@ static int convert_context(u32 key,
1654 /* Convert the user. */ 1654 /* Convert the user. */
1655 rc = -EINVAL; 1655 rc = -EINVAL;
1656 usrdatum = hashtab_search(args->newp->p_users.table, 1656 usrdatum = hashtab_search(args->newp->p_users.table,
1657 args->oldp->p_user_val_to_name[c->user - 1]); 1657 sym_name(args->oldp, SYM_USERS, c->user - 1));
1658 if (!usrdatum) 1658 if (!usrdatum)
1659 goto bad; 1659 goto bad;
1660 c->user = usrdatum->value; 1660 c->user = usrdatum->value;
@@ -1662,7 +1662,7 @@ static int convert_context(u32 key,
1662 /* Convert the role. */ 1662 /* Convert the role. */
1663 rc = -EINVAL; 1663 rc = -EINVAL;
1664 role = hashtab_search(args->newp->p_roles.table, 1664 role = hashtab_search(args->newp->p_roles.table,
1665 args->oldp->p_role_val_to_name[c->role - 1]); 1665 sym_name(args->oldp, SYM_ROLES, c->role - 1));
1666 if (!role) 1666 if (!role)
1667 goto bad; 1667 goto bad;
1668 c->role = role->value; 1668 c->role = role->value;
@@ -1670,7 +1670,7 @@ static int convert_context(u32 key,
1670 /* Convert the type. */ 1670 /* Convert the type. */
1671 rc = -EINVAL; 1671 rc = -EINVAL;
1672 typdatum = hashtab_search(args->newp->p_types.table, 1672 typdatum = hashtab_search(args->newp->p_types.table,
1673 args->oldp->p_type_val_to_name[c->type - 1]); 1673 sym_name(args->oldp, SYM_TYPES, c->type - 1));
1674 if (!typdatum) 1674 if (!typdatum)
1675 goto bad; 1675 goto bad;
1676 c->type = typdatum->value; 1676 c->type = typdatum->value;
@@ -2326,14 +2326,14 @@ int security_get_bools(int *len, char ***names, int **values)
2326 size_t name_len; 2326 size_t name_len;
2327 2327
2328 (*values)[i] = policydb.bool_val_to_struct[i]->state; 2328 (*values)[i] = policydb.bool_val_to_struct[i]->state;
2329 name_len = strlen(policydb.p_bool_val_to_name[i]) + 1; 2329 name_len = strlen(sym_name(&policydb, SYM_BOOLS, i)) + 1;
2330 2330
2331 rc = -ENOMEM; 2331 rc = -ENOMEM;
2332 (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC); 2332 (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC);
2333 if (!(*names)[i]) 2333 if (!(*names)[i])
2334 goto err; 2334 goto err;
2335 2335
2336 strncpy((*names)[i], policydb.p_bool_val_to_name[i], name_len); 2336 strncpy((*names)[i], sym_name(&policydb, SYM_BOOLS, i), name_len);
2337 (*names)[i][name_len - 1] = 0; 2337 (*names)[i][name_len - 1] = 0;
2338 } 2338 }
2339 rc = 0; 2339 rc = 0;
@@ -2368,7 +2368,7 @@ int security_set_bools(int len, int *values)
2368 audit_log(current->audit_context, GFP_ATOMIC, 2368 audit_log(current->audit_context, GFP_ATOMIC,
2369 AUDIT_MAC_CONFIG_CHANGE, 2369 AUDIT_MAC_CONFIG_CHANGE,
2370 "bool=%s val=%d old_val=%d auid=%u ses=%u", 2370 "bool=%s val=%d old_val=%d auid=%u ses=%u",
2371 policydb.p_bool_val_to_name[i], 2371 sym_name(&policydb, SYM_BOOLS, i),
2372 !!values[i], 2372 !!values[i],
2373 policydb.bool_val_to_struct[i]->state, 2373 policydb.bool_val_to_struct[i]->state,
2374 audit_get_loginuid(current), 2374 audit_get_loginuid(current),
@@ -3132,7 +3132,7 @@ int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr)
3132 goto out; 3132 goto out;
3133 3133
3134 rc = -ENOMEM; 3134 rc = -ENOMEM;
3135 secattr->domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1], 3135 secattr->domain = kstrdup(sym_name(&policydb, SYM_TYPES, ctx->type - 1),
3136 GFP_ATOMIC); 3136 GFP_ATOMIC);
3137 if (secattr->domain == NULL) 3137 if (secattr->domain == NULL)
3138 goto out; 3138 goto out;
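Review bot: In context_struct_to_string() the user, role and type names are each looked up with sym_name() twice, once for the length computation and again for the sprintf() and the strlen() that follows it, so what used to be a plain array index is now six flex_array lookups per call on a hot path (sym_name is static inline, so the cost is modest, but the repetition also hurts readability). Fetch each name once into a local declared with the function's other locals (`char *user_name, *role_name, *type_name;`) and use sprintf()'s return value to advance the pointer. The function starts before this hunk, so the declarations land outside the shown lines.
```c
	/* … unchanged: locals, policy/context validation … */
	user_name = sym_name(&policydb, SYM_USERS, context->user - 1);
	role_name = sym_name(&policydb, SYM_ROLES, context->role - 1);
	type_name = sym_name(&policydb, SYM_TYPES, context->type - 1);

	/* Compute the size of the context. */
	*scontext_len += strlen(user_name) + 1;
	*scontext_len += strlen(role_name) + 1;
	*scontext_len += strlen(type_name) + 1;
	*scontext_len += mls_compute_context_len(context);
	/* … unchanged: early return when !scontext, buffer allocation … */
	scontextp += sprintf(scontextp, "%s:%s:%s", user_name, role_name, type_name);
	mls_sid_to_context(context, &scontextp);
```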