Diffstat (limited to 'security/selinux/ss/conditional.c')
-rw-r--r--security/selinux/ss/conditional.c73
1 files changed, 33 insertions, 40 deletions
diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
index da0566c4f329..fb4efe4f4bc8 100644
--- a/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@ -1,9 +1,9 @@
1/* Authors: Karl MacMillan <kmacmillan@tresys.com> 1/* Authors: Karl MacMillan <kmacmillan@tresys.com>
2 * Frank Mayer <mayerf@tresys.com> 2 * Frank Mayer <mayerf@tresys.com>
3 * 3 *
4 * Copyright (C) 2003 - 2004 Tresys Technology, LLC 4 * Copyright (C) 2003 - 2004 Tresys Technology, LLC
5 * This program is free software; you can redistribute it and/or modify 5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by 6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation, version 2. 7 * the Free Software Foundation, version 2.
8 */ 8 */
9 9
@@ -89,7 +89,7 @@ static int cond_evaluate_expr(struct policydb *p, struct cond_expr *expr)
89int evaluate_cond_node(struct policydb *p, struct cond_node *node) 89int evaluate_cond_node(struct policydb *p, struct cond_node *node)
90{ 90{
91 int new_state; 91 int new_state;
92 struct cond_av_list* cur; 92 struct cond_av_list *cur;
93 93
94 new_state = cond_evaluate_expr(p, node->expr); 94 new_state = cond_evaluate_expr(p, node->expr);
95 if (new_state != node->cur_state) { 95 if (new_state != node->cur_state) {
@@ -98,20 +98,18 @@ int evaluate_cond_node(struct policydb *p, struct cond_node *node)
98 printk(KERN_ERR "SELinux: expression result was undefined - disabling all rules.\n"); 98 printk(KERN_ERR "SELinux: expression result was undefined - disabling all rules.\n");
99 /* turn the rules on or off */ 99 /* turn the rules on or off */
100 for (cur = node->true_list; cur != NULL; cur = cur->next) { 100 for (cur = node->true_list; cur != NULL; cur = cur->next) {
101 if (new_state <= 0) { 101 if (new_state <= 0)
102 cur->node->key.specified &= ~AVTAB_ENABLED; 102 cur->node->key.specified &= ~AVTAB_ENABLED;
103 } else { 103 else
104 cur->node->key.specified |= AVTAB_ENABLED; 104 cur->node->key.specified |= AVTAB_ENABLED;
105 }
106 } 105 }
107 106
108 for (cur = node->false_list; cur != NULL; cur = cur->next) { 107 for (cur = node->false_list; cur != NULL; cur = cur->next) {
109 /* -1 or 1 */ 108 /* -1 or 1 */
110 if (new_state) { 109 if (new_state)
111 cur->node->key.specified &= ~AVTAB_ENABLED; 110 cur->node->key.specified &= ~AVTAB_ENABLED;
112 } else { 111 else
113 cur->node->key.specified |= AVTAB_ENABLED; 112 cur->node->key.specified |= AVTAB_ENABLED;
114 }
115 } 113 }
116 } 114 }
117 return 0; 115 return 0;
@@ -173,8 +171,8 @@ void cond_policydb_destroy(struct policydb *p)
173int cond_init_bool_indexes(struct policydb *p) 171int cond_init_bool_indexes(struct policydb *p)
174{ 172{
175 kfree(p->bool_val_to_struct); 173 kfree(p->bool_val_to_struct);
176 p->bool_val_to_struct = (struct cond_bool_datum**) 174 p->bool_val_to_struct = (struct cond_bool_datum **)
177 kmalloc(p->p_bools.nprim * sizeof(struct cond_bool_datum*), GFP_KERNEL); 175 kmalloc(p->p_bools.nprim * sizeof(struct cond_bool_datum *), GFP_KERNEL);
178 if (!p->bool_val_to_struct) 176 if (!p->bool_val_to_struct)
179 return -1; 177 return -1;
180 return 0; 178 return 0;
@@ -199,7 +197,7 @@ int cond_index_bool(void *key, void *datum, void *datap)
199 return -EINVAL; 197 return -EINVAL;
200 198
201 p->p_bool_val_to_name[booldatum->value - 1] = key; 199 p->p_bool_val_to_name[booldatum->value - 1] = key;
202 p->bool_val_to_struct[booldatum->value -1] = booldatum; 200 p->bool_val_to_struct[booldatum->value - 1] = booldatum;
203 201
204 return 0; 202 return 0;
205} 203}
@@ -251,8 +249,7 @@ err:
251 return -1; 249 return -1;
252} 250}
253 251
254struct cond_insertf_data 252struct cond_insertf_data {
255{
256 struct policydb *p; 253 struct policydb *p;
257 struct cond_av_list *other; 254 struct cond_av_list *other;
258 struct cond_av_list *head; 255 struct cond_av_list *head;
@@ -275,7 +272,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
275 */ 272 */
276 if (k->specified & AVTAB_TYPE) { 273 if (k->specified & AVTAB_TYPE) {
277 if (avtab_search(&p->te_avtab, k)) { 274 if (avtab_search(&p->te_avtab, k)) {
278 printk("SELinux: type rule already exists outside of a conditional."); 275 printk(KERN_ERR "SELinux: type rule already exists outside of a conditional.\n");
279 goto err; 276 goto err;
280 } 277 }
281 /* 278 /*
@@ -290,7 +287,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
290 node_ptr = avtab_search_node(&p->te_cond_avtab, k); 287 node_ptr = avtab_search_node(&p->te_cond_avtab, k);
291 if (node_ptr) { 288 if (node_ptr) {
292 if (avtab_search_node_next(node_ptr, k->specified)) { 289 if (avtab_search_node_next(node_ptr, k->specified)) {
293 printk("SELinux: too many conflicting type rules."); 290 printk(KERN_ERR "SELinux: too many conflicting type rules.\n");
294 goto err; 291 goto err;
295 } 292 }
296 found = 0; 293 found = 0;
@@ -301,13 +298,13 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
301 } 298 }
302 } 299 }
303 if (!found) { 300 if (!found) {
304 printk("SELinux: conflicting type rules.\n"); 301 printk(KERN_ERR "SELinux: conflicting type rules.\n");
305 goto err; 302 goto err;
306 } 303 }
307 } 304 }
308 } else { 305 } else {
309 if (avtab_search(&p->te_cond_avtab, k)) { 306 if (avtab_search(&p->te_cond_avtab, k)) {
310 printk("SELinux: conflicting type rules when adding type rule for true.\n"); 307 printk(KERN_ERR "SELinux: conflicting type rules when adding type rule for true.\n");
311 goto err; 308 goto err;
312 } 309 }
313 } 310 }
@@ -315,7 +312,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
315 312
316 node_ptr = avtab_insert_nonunique(&p->te_cond_avtab, k, d); 313 node_ptr = avtab_insert_nonunique(&p->te_cond_avtab, k, d);
317 if (!node_ptr) { 314 if (!node_ptr) {
318 printk("SELinux: could not insert rule."); 315 printk(KERN_ERR "SELinux: could not insert rule.\n");
319 goto err; 316 goto err;
320 } 317 }
321 318
@@ -352,9 +349,8 @@ static int cond_read_av_list(struct policydb *p, void *fp, struct cond_av_list *
352 return -1; 349 return -1;
353 350
354 len = le32_to_cpu(buf[0]); 351 len = le32_to_cpu(buf[0]);
355 if (len == 0) { 352 if (len == 0)
356 return 0; 353 return 0;
357 }
358 354
359 data.p = p; 355 data.p = p;
360 data.other = other; 356 data.other = other;
@@ -375,12 +371,12 @@ static int cond_read_av_list(struct policydb *p, void *fp, struct cond_av_list *
375static int expr_isvalid(struct policydb *p, struct cond_expr *expr) 371static int expr_isvalid(struct policydb *p, struct cond_expr *expr)
376{ 372{
377 if (expr->expr_type <= 0 || expr->expr_type > COND_LAST) { 373 if (expr->expr_type <= 0 || expr->expr_type > COND_LAST) {
378 printk("SELinux: conditional expressions uses unknown operator.\n"); 374 printk(KERN_ERR "SELinux: conditional expressions uses unknown operator.\n");
379 return 0; 375 return 0;
380 } 376 }
381 377
382 if (expr->bool > p->p_bools.nprim) { 378 if (expr->bool > p->p_bools.nprim) {
383 printk("SELinux: conditional expressions uses unknown bool.\n"); 379 printk(KERN_ERR "SELinux: conditional expressions uses unknown bool.\n");
384 return 0; 380 return 0;
385 } 381 }
386 return 1; 382 return 1;
@@ -407,15 +403,14 @@ static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp)
407 /* expr */ 403 /* expr */
408 len = le32_to_cpu(buf[0]); 404 len = le32_to_cpu(buf[0]);
409 405
410 for (i = 0; i < len; i++ ) { 406 for (i = 0; i < len; i++) {
411 rc = next_entry(buf, fp, sizeof(u32) * 2); 407 rc = next_entry(buf, fp, sizeof(u32) * 2);
412 if (rc < 0) 408 if (rc < 0)
413 goto err; 409 goto err;
414 410
415 expr = kzalloc(sizeof(struct cond_expr), GFP_KERNEL); 411 expr = kzalloc(sizeof(struct cond_expr), GFP_KERNEL);
416 if (!expr) { 412 if (!expr)
417 goto err; 413 goto err;
418 }
419 414
420 expr->expr_type = le32_to_cpu(buf[0]); 415 expr->expr_type = le32_to_cpu(buf[0]);
421 expr->bool = le32_to_cpu(buf[1]); 416 expr->bool = le32_to_cpu(buf[1]);
@@ -425,11 +420,10 @@ static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp)
425 goto err; 420 goto err;
426 } 421 }
427 422
428 if (i == 0) { 423 if (i == 0)
429 node->expr = expr; 424 node->expr = expr;
430 } else { 425 else
431 last->next = expr; 426 last->next = expr;
432 }
433 last = expr; 427 last = expr;
434 } 428 }
435 429
@@ -468,11 +462,10 @@ int cond_read_list(struct policydb *p, void *fp)
468 if (cond_read_node(p, node, fp) != 0) 462 if (cond_read_node(p, node, fp) != 0)
469 goto err; 463 goto err;
470 464
471 if (i == 0) { 465 if (i == 0)
472 p->cond_list = node; 466 p->cond_list = node;
473 } else { 467 else
474 last->next = node; 468 last->next = node;
475 }
476 last = node; 469 last = node;
477 } 470 }
478 return 0; 471 return 0;
@@ -489,24 +482,24 @@ void cond_compute_av(struct avtab *ctab, struct avtab_key *key, struct av_decisi
489{ 482{
490 struct avtab_node *node; 483 struct avtab_node *node;
491 484
492 if(!ctab || !key || !avd) 485 if (!ctab || !key || !avd)
493 return; 486 return;
494 487
495 for(node = avtab_search_node(ctab, key); node != NULL; 488 for (node = avtab_search_node(ctab, key); node != NULL;
496 node = avtab_search_node_next(node, key->specified)) { 489 node = avtab_search_node_next(node, key->specified)) {
497 if ( (u16) (AVTAB_ALLOWED|AVTAB_ENABLED) == 490 if ((u16)(AVTAB_ALLOWED|AVTAB_ENABLED) ==
498 (node->key.specified & (AVTAB_ALLOWED|AVTAB_ENABLED))) 491 (node->key.specified & (AVTAB_ALLOWED|AVTAB_ENABLED)))
499 avd->allowed |= node->datum.data; 492 avd->allowed |= node->datum.data;
500 if ( (u16) (AVTAB_AUDITDENY|AVTAB_ENABLED) == 493 if ((u16)(AVTAB_AUDITDENY|AVTAB_ENABLED) ==
501 (node->key.specified & (AVTAB_AUDITDENY|AVTAB_ENABLED))) 494 (node->key.specified & (AVTAB_AUDITDENY|AVTAB_ENABLED)))
502 /* Since a '0' in an auditdeny mask represents a 495 /* Since a '0' in an auditdeny mask represents a
503 * permission we do NOT want to audit (dontaudit), we use 496 * permission we do NOT want to audit (dontaudit), we use
504 * the '&' operand to ensure that all '0's in the mask 497 * the '&' operand to ensure that all '0's in the mask
505 * are retained (much unlike the allow and auditallow cases). 498 * are retained (much unlike the allow and auditallow cases).
506 */ 499 */
507 avd->auditdeny &= node->datum.data; 500 avd->auditdeny &= node->datum.data;
508 if ( (u16) (AVTAB_AUDITALLOW|AVTAB_ENABLED) == 501 if ((u16)(AVTAB_AUDITALLOW|AVTAB_ENABLED) ==
509 (node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED))) 502 (node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED)))
510 avd->auditallow |= node->datum.data; 503 avd->auditallow |= node->datum.data;
511 } 504 }
512 return; 505 return;
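Review bot: In the `@@ -375,12 +371,12 @@` hunk, expr_isvalid on the new side still only rejects `expr->bool > p->p_bools.nprim`, so a bool index of 0 taken straight from the policy image in cond_read_node (`expr->bool = le32_to_cpu(buf[1])`) passes validation. Bool values are 1-based in this file (cond_index_bool stores at `booldatum->value - 1`), so a zero would presumably end up as index -1 into bool_val_to_struct when a bool-operand node is evaluated; cond_evaluate_expr is not in view, so confirm that before relying on this. Operator nodes (AND/OR/NOT) presumably carry 0 in the bool field, so the check must be scoped to the bool-operand type rather than applied unconditionally: `if (expr->bool > p->p_bools.nprim || (expr->expr_type == COND_BOOL && expr->bool == 0)) {`, keeping the existing "unknown bool" message. The policy image is parsed input and this validator is the only guard on the index, which is why the lower bound is worth pinning here. expr_isvalid's closing brace lies outside the hunk.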