aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--security/selinux/ss/policydb.c131
1 files changed, 63 insertions, 68 deletions
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 891c2d07e8b6..84f8cc73c7db 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -11,7 +11,7 @@
11 * 11 *
12 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> 12 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
13 * 13 *
14 * Added conditional policy language extensions 14 * Added conditional policy language extensions
15 * 15 *
16 * Updated: Hewlett-Packard <paul.moore@hp.com> 16 * Updated: Hewlett-Packard <paul.moore@hp.com>
17 * 17 *
@@ -21,7 +21,7 @@
21 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 21 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
22 * Copyright (C) 2003 - 2004 Tresys Technology, LLC 22 * Copyright (C) 2003 - 2004 Tresys Technology, LLC
23 * This program is free software; you can redistribute it and/or modify 23 * This program is free software; you can redistribute it and/or modify
24 * it under the terms of the GNU General Public License as published by 24 * it under the terms of the GNU General Public License as published by
25 * the Free Software Foundation, version 2. 25 * the Free Software Foundation, version 2.
26 */ 26 */
27 27
@@ -51,7 +51,7 @@ static char *symtab_name[SYM_NUM] = {
51}; 51};
52#endif 52#endif
53 53
54int selinux_mls_enabled = 0; 54int selinux_mls_enabled;
55 55
56static unsigned int symtab_sizes[SYM_NUM] = { 56static unsigned int symtab_sizes[SYM_NUM] = {
57 2, 57 2,
@@ -73,39 +73,39 @@ struct policydb_compat_info {
73/* These need to be updated if SYM_NUM or OCON_NUM changes */ 73/* These need to be updated if SYM_NUM or OCON_NUM changes */
74static struct policydb_compat_info policydb_compat[] = { 74static struct policydb_compat_info policydb_compat[] = {
75 { 75 {
76 .version = POLICYDB_VERSION_BASE, 76 .version = POLICYDB_VERSION_BASE,
77 .sym_num = SYM_NUM - 3, 77 .sym_num = SYM_NUM - 3,
78 .ocon_num = OCON_NUM - 1, 78 .ocon_num = OCON_NUM - 1,
79 }, 79 },
80 { 80 {
81 .version = POLICYDB_VERSION_BOOL, 81 .version = POLICYDB_VERSION_BOOL,
82 .sym_num = SYM_NUM - 2, 82 .sym_num = SYM_NUM - 2,
83 .ocon_num = OCON_NUM - 1, 83 .ocon_num = OCON_NUM - 1,
84 }, 84 },
85 { 85 {
86 .version = POLICYDB_VERSION_IPV6, 86 .version = POLICYDB_VERSION_IPV6,
87 .sym_num = SYM_NUM - 2, 87 .sym_num = SYM_NUM - 2,
88 .ocon_num = OCON_NUM, 88 .ocon_num = OCON_NUM,
89 }, 89 },
90 { 90 {
91 .version = POLICYDB_VERSION_NLCLASS, 91 .version = POLICYDB_VERSION_NLCLASS,
92 .sym_num = SYM_NUM - 2, 92 .sym_num = SYM_NUM - 2,
93 .ocon_num = OCON_NUM, 93 .ocon_num = OCON_NUM,
94 }, 94 },
95 { 95 {
96 .version = POLICYDB_VERSION_MLS, 96 .version = POLICYDB_VERSION_MLS,
97 .sym_num = SYM_NUM, 97 .sym_num = SYM_NUM,
98 .ocon_num = OCON_NUM, 98 .ocon_num = OCON_NUM,
99 }, 99 },
100 { 100 {
101 .version = POLICYDB_VERSION_AVTAB, 101 .version = POLICYDB_VERSION_AVTAB,
102 .sym_num = SYM_NUM, 102 .sym_num = SYM_NUM,
103 .ocon_num = OCON_NUM, 103 .ocon_num = OCON_NUM,
104 }, 104 },
105 { 105 {
106 .version = POLICYDB_VERSION_RANGETRANS, 106 .version = POLICYDB_VERSION_RANGETRANS,
107 .sym_num = SYM_NUM, 107 .sym_num = SYM_NUM,
108 .ocon_num = OCON_NUM, 108 .ocon_num = OCON_NUM,
109 }, 109 },
110 { 110 {
111 .version = POLICYDB_VERSION_POLCAP, 111 .version = POLICYDB_VERSION_POLCAP,
@@ -152,7 +152,7 @@ static int roles_init(struct policydb *p)
152 rc = -EINVAL; 152 rc = -EINVAL;
153 goto out_free_role; 153 goto out_free_role;
154 } 154 }
155 key = kmalloc(strlen(OBJECT_R)+1,GFP_KERNEL); 155 key = kmalloc(strlen(OBJECT_R)+1, GFP_KERNEL);
156 if (!key) { 156 if (!key) {
157 rc = -ENOMEM; 157 rc = -ENOMEM;
158 goto out_free_role; 158 goto out_free_role;
@@ -424,7 +424,7 @@ static int policydb_index_others(struct policydb *p)
424 424
425 p->role_val_to_struct = 425 p->role_val_to_struct =
426 kmalloc(p->p_roles.nprim * sizeof(*(p->role_val_to_struct)), 426 kmalloc(p->p_roles.nprim * sizeof(*(p->role_val_to_struct)),
427 GFP_KERNEL); 427 GFP_KERNEL);
428 if (!p->role_val_to_struct) { 428 if (!p->role_val_to_struct) {
429 rc = -ENOMEM; 429 rc = -ENOMEM;
430 goto out; 430 goto out;
@@ -432,7 +432,7 @@ static int policydb_index_others(struct policydb *p)
432 432
433 p->user_val_to_struct = 433 p->user_val_to_struct =
434 kmalloc(p->p_users.nprim * sizeof(*(p->user_val_to_struct)), 434 kmalloc(p->p_users.nprim * sizeof(*(p->user_val_to_struct)),
435 GFP_KERNEL); 435 GFP_KERNEL);
436 if (!p->user_val_to_struct) { 436 if (!p->user_val_to_struct) {
437 rc = -ENOMEM; 437 rc = -ENOMEM;
438 goto out; 438 goto out;
@@ -634,7 +634,7 @@ void policydb_destroy(struct policydb *p)
634 while (c) { 634 while (c) {
635 ctmp = c; 635 ctmp = c;
636 c = c->next; 636 c = c->next;
637 ocontext_destroy(ctmp,i); 637 ocontext_destroy(ctmp, i);
638 } 638 }
639 p->ocontexts[i] = NULL; 639 p->ocontexts[i] = NULL;
640 } 640 }
@@ -647,7 +647,7 @@ void policydb_destroy(struct policydb *p)
647 while (c) { 647 while (c) {
648 ctmp = c; 648 ctmp = c;
649 c = c->next; 649 c = c->next;
650 ocontext_destroy(ctmp,OCON_FSUSE); 650 ocontext_destroy(ctmp, OCON_FSUSE);
651 } 651 }
652 gtmp = g; 652 gtmp = g;
653 g = g->next; 653 g = g->next;
@@ -664,14 +664,14 @@ void policydb_destroy(struct policydb *p)
664 } 664 }
665 kfree(ltr); 665 kfree(ltr);
666 666
667 for (ra = p->role_allow; ra; ra = ra -> next) { 667 for (ra = p->role_allow; ra; ra = ra->next) {
668 cond_resched(); 668 cond_resched();
669 kfree(lra); 669 kfree(lra);
670 lra = ra; 670 lra = ra;
671 } 671 }
672 kfree(lra); 672 kfree(lra);
673 673
674 for (rt = p->range_tr; rt; rt = rt -> next) { 674 for (rt = p->range_tr; rt; rt = rt->next) {
675 cond_resched(); 675 cond_resched();
676 if (lrt) { 676 if (lrt) {
677 ebitmap_destroy(&lrt->target_range.level[0].cat); 677 ebitmap_destroy(&lrt->target_range.level[0].cat);
@@ -924,7 +924,7 @@ static int perm_read(struct policydb *p, struct hashtab *h, void *fp)
924 len = le32_to_cpu(buf[0]); 924 len = le32_to_cpu(buf[0]);
925 perdatum->value = le32_to_cpu(buf[1]); 925 perdatum->value = le32_to_cpu(buf[1]);
926 926
927 key = kmalloc(len + 1,GFP_KERNEL); 927 key = kmalloc(len + 1, GFP_KERNEL);
928 if (!key) { 928 if (!key) {
929 rc = -ENOMEM; 929 rc = -ENOMEM;
930 goto bad; 930 goto bad;
@@ -971,7 +971,7 @@ static int common_read(struct policydb *p, struct hashtab *h, void *fp)
971 comdatum->permissions.nprim = le32_to_cpu(buf[2]); 971 comdatum->permissions.nprim = le32_to_cpu(buf[2]);
972 nel = le32_to_cpu(buf[3]); 972 nel = le32_to_cpu(buf[3]);
973 973
974 key = kmalloc(len + 1,GFP_KERNEL); 974 key = kmalloc(len + 1, GFP_KERNEL);
975 if (!key) { 975 if (!key) {
976 rc = -ENOMEM; 976 rc = -ENOMEM;
977 goto bad; 977 goto bad;
@@ -998,7 +998,7 @@ bad:
998} 998}
999 999
1000static int read_cons_helper(struct constraint_node **nodep, int ncons, 1000static int read_cons_helper(struct constraint_node **nodep, int ncons,
1001 int allowxtarget, void *fp) 1001 int allowxtarget, void *fp)
1002{ 1002{
1003 struct constraint_node *c, *lc; 1003 struct constraint_node *c, *lc;
1004 struct constraint_expr *e, *le; 1004 struct constraint_expr *e, *le;
@@ -1012,11 +1012,10 @@ static int read_cons_helper(struct constraint_node **nodep, int ncons,
1012 if (!c) 1012 if (!c)
1013 return -ENOMEM; 1013 return -ENOMEM;
1014 1014
1015 if (lc) { 1015 if (lc)
1016 lc->next = c; 1016 lc->next = c;
1017 } else { 1017 else
1018 *nodep = c; 1018 *nodep = c;
1019 }
1020 1019
1021 rc = next_entry(buf, fp, (sizeof(u32) * 2)); 1020 rc = next_entry(buf, fp, (sizeof(u32) * 2));
1022 if (rc < 0) 1021 if (rc < 0)
@@ -1030,11 +1029,10 @@ static int read_cons_helper(struct constraint_node **nodep, int ncons,
1030 if (!e) 1029 if (!e)
1031 return -ENOMEM; 1030 return -ENOMEM;
1032 1031
1033 if (le) { 1032 if (le)
1034 le->next = e; 1033 le->next = e;
1035 } else { 1034 else
1036 c->expr = e; 1035 c->expr = e;
1037 }
1038 1036
1039 rc = next_entry(buf, fp, (sizeof(u32) * 3)); 1037 rc = next_entry(buf, fp, (sizeof(u32) * 3));
1040 if (rc < 0) 1038 if (rc < 0)
@@ -1111,7 +1109,7 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp)
1111 1109
1112 ncons = le32_to_cpu(buf[5]); 1110 ncons = le32_to_cpu(buf[5]);
1113 1111
1114 key = kmalloc(len + 1,GFP_KERNEL); 1112 key = kmalloc(len + 1, GFP_KERNEL);
1115 if (!key) { 1113 if (!key) {
1116 rc = -ENOMEM; 1114 rc = -ENOMEM;
1117 goto bad; 1115 goto bad;
@@ -1122,7 +1120,7 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp)
1122 key[len] = 0; 1120 key[len] = 0;
1123 1121
1124 if (len2) { 1122 if (len2) {
1125 cladatum->comkey = kmalloc(len2 + 1,GFP_KERNEL); 1123 cladatum->comkey = kmalloc(len2 + 1, GFP_KERNEL);
1126 if (!cladatum->comkey) { 1124 if (!cladatum->comkey) {
1127 rc = -ENOMEM; 1125 rc = -ENOMEM;
1128 goto bad; 1126 goto bad;
@@ -1195,7 +1193,7 @@ static int role_read(struct policydb *p, struct hashtab *h, void *fp)
1195 len = le32_to_cpu(buf[0]); 1193 len = le32_to_cpu(buf[0]);
1196 role->value = le32_to_cpu(buf[1]); 1194 role->value = le32_to_cpu(buf[1]);
1197 1195
1198 key = kmalloc(len + 1,GFP_KERNEL); 1196 key = kmalloc(len + 1, GFP_KERNEL);
1199 if (!key) { 1197 if (!key) {
1200 rc = -ENOMEM; 1198 rc = -ENOMEM;
1201 goto bad; 1199 goto bad;
@@ -1242,7 +1240,7 @@ static int type_read(struct policydb *p, struct hashtab *h, void *fp)
1242 __le32 buf[3]; 1240 __le32 buf[3];
1243 u32 len; 1241 u32 len;
1244 1242
1245 typdatum = kzalloc(sizeof(*typdatum),GFP_KERNEL); 1243 typdatum = kzalloc(sizeof(*typdatum), GFP_KERNEL);
1246 if (!typdatum) { 1244 if (!typdatum) {
1247 rc = -ENOMEM; 1245 rc = -ENOMEM;
1248 return rc; 1246 return rc;
@@ -1256,7 +1254,7 @@ static int type_read(struct policydb *p, struct hashtab *h, void *fp)
1256 typdatum->value = le32_to_cpu(buf[1]); 1254 typdatum->value = le32_to_cpu(buf[1]);
1257 typdatum->primary = le32_to_cpu(buf[2]); 1255 typdatum->primary = le32_to_cpu(buf[2]);
1258 1256
1259 key = kmalloc(len + 1,GFP_KERNEL); 1257 key = kmalloc(len + 1, GFP_KERNEL);
1260 if (!key) { 1258 if (!key) {
1261 rc = -ENOMEM; 1259 rc = -ENOMEM;
1262 goto bad; 1260 goto bad;
@@ -1328,7 +1326,7 @@ static int user_read(struct policydb *p, struct hashtab *h, void *fp)
1328 len = le32_to_cpu(buf[0]); 1326 len = le32_to_cpu(buf[0]);
1329 usrdatum->value = le32_to_cpu(buf[1]); 1327 usrdatum->value = le32_to_cpu(buf[1]);
1330 1328
1331 key = kmalloc(len + 1,GFP_KERNEL); 1329 key = kmalloc(len + 1, GFP_KERNEL);
1332 if (!key) { 1330 if (!key) {
1333 rc = -ENOMEM; 1331 rc = -ENOMEM;
1334 goto bad; 1332 goto bad;
@@ -1382,7 +1380,7 @@ static int sens_read(struct policydb *p, struct hashtab *h, void *fp)
1382 len = le32_to_cpu(buf[0]); 1380 len = le32_to_cpu(buf[0]);
1383 levdatum->isalias = le32_to_cpu(buf[1]); 1381 levdatum->isalias = le32_to_cpu(buf[1]);
1384 1382
1385 key = kmalloc(len + 1,GFP_ATOMIC); 1383 key = kmalloc(len + 1, GFP_ATOMIC);
1386 if (!key) { 1384 if (!key) {
1387 rc = -ENOMEM; 1385 rc = -ENOMEM;
1388 goto bad; 1386 goto bad;
@@ -1434,7 +1432,7 @@ static int cat_read(struct policydb *p, struct hashtab *h, void *fp)
1434 catdatum->value = le32_to_cpu(buf[1]); 1432 catdatum->value = le32_to_cpu(buf[1]);
1435 catdatum->isalias = le32_to_cpu(buf[2]); 1433 catdatum->isalias = le32_to_cpu(buf[2]);
1436 1434
1437 key = kmalloc(len + 1,GFP_ATOMIC); 1435 key = kmalloc(len + 1, GFP_ATOMIC);
1438 if (!key) { 1436 if (!key) {
1439 rc = -ENOMEM; 1437 rc = -ENOMEM;
1440 goto bad; 1438 goto bad;
@@ -1493,7 +1491,7 @@ int policydb_read(struct policydb *p, void *fp)
1493 goto out; 1491 goto out;
1494 1492
1495 /* Read the magic number and string length. */ 1493 /* Read the magic number and string length. */
1496 rc = next_entry(buf, fp, sizeof(u32)* 2); 1494 rc = next_entry(buf, fp, sizeof(u32) * 2);
1497 if (rc < 0) 1495 if (rc < 0)
1498 goto bad; 1496 goto bad;
1499 1497
@@ -1511,7 +1509,7 @@ int policydb_read(struct policydb *p, void *fp)
1511 len, strlen(POLICYDB_STRING)); 1509 len, strlen(POLICYDB_STRING));
1512 goto bad; 1510 goto bad;
1513 } 1511 }
1514 policydb_str = kmalloc(len + 1,GFP_KERNEL); 1512 policydb_str = kmalloc(len + 1, GFP_KERNEL);
1515 if (!policydb_str) { 1513 if (!policydb_str) {
1516 printk(KERN_ERR "SELinux: unable to allocate memory for policydb " 1514 printk(KERN_ERR "SELinux: unable to allocate memory for policydb "
1517 "string of length %d\n", len); 1515 "string of length %d\n", len);
@@ -1544,9 +1542,9 @@ int policydb_read(struct policydb *p, void *fp)
1544 if (p->policyvers < POLICYDB_VERSION_MIN || 1542 if (p->policyvers < POLICYDB_VERSION_MIN ||
1545 p->policyvers > POLICYDB_VERSION_MAX) { 1543 p->policyvers > POLICYDB_VERSION_MAX) {
1546 printk(KERN_ERR "SELinux: policydb version %d does not match " 1544 printk(KERN_ERR "SELinux: policydb version %d does not match "
1547 "my version range %d-%d\n", 1545 "my version range %d-%d\n",
1548 le32_to_cpu(buf[0]), POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX); 1546 le32_to_cpu(buf[0]), POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
1549 goto bad; 1547 goto bad;
1550 } 1548 }
1551 1549
1552 if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_MLS)) { 1550 if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_MLS)) {
@@ -1634,11 +1632,10 @@ int policydb_read(struct policydb *p, void *fp)
1634 rc = -ENOMEM; 1632 rc = -ENOMEM;
1635 goto bad; 1633 goto bad;
1636 } 1634 }
1637 if (ltr) { 1635 if (ltr)
1638 ltr->next = tr; 1636 ltr->next = tr;
1639 } else { 1637 else
1640 p->role_tr = tr; 1638 p->role_tr = tr;
1641 }
1642 rc = next_entry(buf, fp, sizeof(u32)*3); 1639 rc = next_entry(buf, fp, sizeof(u32)*3);
1643 if (rc < 0) 1640 if (rc < 0)
1644 goto bad; 1641 goto bad;
@@ -1665,11 +1662,10 @@ int policydb_read(struct policydb *p, void *fp)
1665 rc = -ENOMEM; 1662 rc = -ENOMEM;
1666 goto bad; 1663 goto bad;
1667 } 1664 }
1668 if (lra) { 1665 if (lra)
1669 lra->next = ra; 1666 lra->next = ra;
1670 } else { 1667 else
1671 p->role_allow = ra; 1668 p->role_allow = ra;
1672 }
1673 rc = next_entry(buf, fp, sizeof(u32)*2); 1669 rc = next_entry(buf, fp, sizeof(u32)*2);
1674 if (rc < 0) 1670 if (rc < 0)
1675 goto bad; 1671 goto bad;
@@ -1703,11 +1699,10 @@ int policydb_read(struct policydb *p, void *fp)
1703 rc = -ENOMEM; 1699 rc = -ENOMEM;
1704 goto bad; 1700 goto bad;
1705 } 1701 }
1706 if (l) { 1702 if (l)
1707 l->next = c; 1703 l->next = c;
1708 } else { 1704 else
1709 p->ocontexts[i] = c; 1705 p->ocontexts[i] = c;
1710 }
1711 l = c; 1706 l = c;
1712 rc = -EINVAL; 1707 rc = -EINVAL;
1713 switch (i) { 1708 switch (i) {
@@ -1726,7 +1721,7 @@ int policydb_read(struct policydb *p, void *fp)
1726 if (rc < 0) 1721 if (rc < 0)
1727 goto bad; 1722 goto bad;
1728 len = le32_to_cpu(buf[0]); 1723 len = le32_to_cpu(buf[0]);
1729 c->u.name = kmalloc(len + 1,GFP_KERNEL); 1724 c->u.name = kmalloc(len + 1, GFP_KERNEL);
1730 if (!c->u.name) { 1725 if (!c->u.name) {
1731 rc = -ENOMEM; 1726 rc = -ENOMEM;
1732 goto bad; 1727 goto bad;
@@ -1754,7 +1749,7 @@ int policydb_read(struct policydb *p, void *fp)
1754 goto bad; 1749 goto bad;
1755 break; 1750 break;
1756 case OCON_NODE: 1751 case OCON_NODE:
1757 rc = next_entry(buf, fp, sizeof(u32)* 2); 1752 rc = next_entry(buf, fp, sizeof(u32) * 2);
1758 if (rc < 0) 1753 if (rc < 0)
1759 goto bad; 1754 goto bad;
1760 c->u.node.addr = le32_to_cpu(buf[0]); 1755 c->u.node.addr = le32_to_cpu(buf[0]);
@@ -1771,7 +1766,7 @@ int policydb_read(struct policydb *p, void *fp)
1771 if (c->v.behavior > SECURITY_FS_USE_NONE) 1766 if (c->v.behavior > SECURITY_FS_USE_NONE)
1772 goto bad; 1767 goto bad;
1773 len = le32_to_cpu(buf[1]); 1768 len = le32_to_cpu(buf[1]);
1774 c->u.name = kmalloc(len + 1,GFP_KERNEL); 1769 c->u.name = kmalloc(len + 1, GFP_KERNEL);
1775 if (!c->u.name) { 1770 if (!c->u.name) {
1776 rc = -ENOMEM; 1771 rc = -ENOMEM;
1777 goto bad; 1772 goto bad;
@@ -1819,7 +1814,7 @@ int policydb_read(struct policydb *p, void *fp)
1819 goto bad; 1814 goto bad;
1820 } 1815 }
1821 1816
1822 newgenfs->fstype = kmalloc(len + 1,GFP_KERNEL); 1817 newgenfs->fstype = kmalloc(len + 1, GFP_KERNEL);
1823 if (!newgenfs->fstype) { 1818 if (!newgenfs->fstype) {
1824 rc = -ENOMEM; 1819 rc = -ENOMEM;
1825 kfree(newgenfs); 1820 kfree(newgenfs);
@@ -1865,7 +1860,7 @@ int policydb_read(struct policydb *p, void *fp)
1865 goto bad; 1860 goto bad;
1866 } 1861 }
1867 1862
1868 newc->u.name = kmalloc(len + 1,GFP_KERNEL); 1863 newc->u.name = kmalloc(len + 1, GFP_KERNEL);
1869 if (!newc->u.name) { 1864 if (!newc->u.name) {
1870 rc = -ENOMEM; 1865 rc = -ENOMEM;
1871 goto bad_newc; 1866 goto bad_newc;
@@ -1969,7 +1964,7 @@ int policydb_read(struct policydb *p, void *fp)
1969out: 1964out:
1970 return rc; 1965 return rc;
1971bad_newc: 1966bad_newc:
1972 ocontext_destroy(newc,OCON_FSUSE); 1967 ocontext_destroy(newc, OCON_FSUSE);
1973bad: 1968bad:
1974 if (!rc) 1969 if (!rc)
1975 rc = -EINVAL; 1970 rc = -EINVAL;