1 files changed, 89 insertions, 109 deletions
diff --git a/security/selinux/ss/ebitmap.c b/security/selinux/ss/ebitmap.c
index d539346ab3a2..ce492a6b38ed 100644
--- a/security/selinux/ss/ebitmap.c
+++ b/security/selinux/ss/ebitmap.c
@@ -6,7 +6,7 @@
 /*
 * Updated: Hewlett-Packard <paul.moore@hp.com>
 *
- *      Added ebitmap_export() and ebitmap_import()
+ *      Added support to import/export the NetLabel category bitmap
 *
 * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
 */
@@ -14,6 +14,7 @@
 #include <linux/kernel.h>
 #include <linux/slab.h>
 #include <linux/errno.h>
+#include <net/netlabel.h>
 #include "ebitmap.h"
 #include "policydb.h"
@@ -67,141 +68,120 @@ int ebitmap_cpy(struct ebitmap *dst, struct ebitmap *src)
        return 0;
 }
+#ifdef CONFIG_NETLABEL
 /**
- * ebitmap_export - Export an ebitmap to a unsigned char bitmap string
+ * ebitmap_netlbl_export - Export an ebitmap into a NetLabel category bitmap
- * @src: the ebitmap to export
+ * @ebmap: the ebitmap to export
- * @dst: the resulting bitmap string
+ * @catmap: the NetLabel category bitmap
- * @dst_len: length of dst in bytes
 *
 * Description:
- * Allocate a buffer at least src->highbit bits long and export the extensible
+ * Export a SELinux extensibile bitmap into a NetLabel category bitmap.
- * bitmap into the buffer.  The bitmap string will be in little endian format,
+ * Returns zero on success, negative values on error.
- * i.e. LSB first.  The value returned in dst_len may not the true size of the
- * buffer as the length of the buffer is rounded up to a multiple of MAPTYPE.
- * The caller must free the buffer when finished. Returns zero on success,
- * negative values on failure.
 *
 */
-int ebitmap_export(const struct ebitmap *src,
+int ebitmap_netlbl_export(struct ebitmap *ebmap,
-                   unsigned char **dst,
+                          struct netlbl_lsm_secattr_catmap **catmap)
-                   size_t *dst_len)
 {
-        size_t bitmap_len;
+        struct ebitmap_node *e_iter = ebmap->node;
-        unsigned char *bitmap;
+        struct netlbl_lsm_secattr_catmap *c_iter;
-        struct ebitmap_node *iter_node;
+        u32 cmap_idx;
-        MAPTYPE node_val;
-        size_t bitmap_byte;
+        /* This function is a much simpler because SELinux's MAPTYPE happens
-        unsigned char bitmask;
+         * to be the same as NetLabel's NETLBL_CATMAP_MAPTYPE, if MAPTYPE is
+         * changed from a u64 this function will most likely need to be changed
-        if (src->highbit == 0) {
+         * as well.  It's not ideal but I think the tradeoff in terms of
-                *dst = NULL;
+         * neatness and speed is worth it. */
-                *dst_len = 0;
+        if (e_iter == NULL) {
+                *catmap = NULL;
                return 0;
        }
-        bitmap_len = src->highbit / 8;
+        c_iter = netlbl_secattr_catmap_alloc(GFP_ATOMIC);
-        if (src->highbit % 7)
+        if (c_iter == NULL)
-                bitmap_len += 1;
-        bitmap = kzalloc((bitmap_len & ~(sizeof(MAPTYPE) - 1)) +
-                         sizeof(MAPTYPE),
-                         GFP_ATOMIC);
-        if (bitmap == NULL)
                return -ENOMEM;
+        *catmap = c_iter;
+        c_iter->startbit = e_iter->startbit & ~(NETLBL_CATMAP_SIZE - 1);
+        while (e_iter != NULL) {
+                if (e_iter->startbit >=
+                    (c_iter->startbit + NETLBL_CATMAP_SIZE)) {
+                        c_iter->next = netlbl_secattr_catmap_alloc(GFP_ATOMIC);
+                        if (c_iter->next == NULL)
+                                goto netlbl_export_failure;
+                        c_iter = c_iter->next;
+                        c_iter->startbit = e_iter->startbit &
+                                           ~(NETLBL_CATMAP_SIZE - 1);
+                }
+                cmap_idx = (e_iter->startbit - c_iter->startbit) /
+                           NETLBL_CATMAP_MAPSIZE;
+                c_iter->bitmap[cmap_idx] = e_iter->map;
+                e_iter = e_iter->next;
+        }
-        iter_node = src->node;
-        do {
-                bitmap_byte = iter_node->startbit / 8;
-                bitmask = 0x80;
-                node_val = iter_node->map;
-                do {
-                        if (bitmask == 0) {
-                                bitmap_byte++;
-                                bitmask = 0x80;
-                        }
-                        if (node_val & (MAPTYPE)0x01)
-                                bitmap[bitmap_byte] |= bitmask;
-                        node_val >>= 1;
-                        bitmask >>= 1;
-                } while (node_val > 0);
-                iter_node = iter_node->next;
-        } while (iter_node);
-        *dst = bitmap;
-        *dst_len = bitmap_len;
        return 0;
+netlbl_export_failure:
+        netlbl_secattr_catmap_free(*catmap);
+        return -ENOMEM;
 }
 /**
- * ebitmap_import - Import an unsigned char bitmap string into an ebitmap
+ * ebitmap_netlbl_import - Import a NetLabel category bitmap into an ebitmap
- * @src: the bitmap string
+ * @ebmap: the ebitmap to export
- * @src_len: the bitmap length in bytes
+ * @catmap: the NetLabel category bitmap
- * @dst: the empty ebitmap
 *
 * Description:
- * This function takes a little endian bitmap string in src and imports it into
+ * Import a NetLabel category bitmap into a SELinux extensibile bitmap.
- * the ebitmap pointed to by dst.  Returns zero on success, negative values on
+ * Returns zero on success, negative values on error.
- * failure.
 *
 */
-int ebitmap_import(const unsigned char *src,
+int ebitmap_netlbl_import(struct ebitmap *ebmap,
-                   size_t src_len,
+                          struct netlbl_lsm_secattr_catmap *catmap)
-                   struct ebitmap *dst)
 {
-        size_t src_off = 0;
+        struct ebitmap_node *e_iter = NULL;
-        size_t node_limit;
+        struct ebitmap_node *emap_prev = NULL;
-        struct ebitmap_node *node_new;
+        struct netlbl_lsm_secattr_catmap *c_iter = catmap;
-        struct ebitmap_node *node_last = NULL;
+        u32 c_idx;
-        u32 i_byte;
-        u32 i_bit;
-        unsigned char src_byte;
-        while (src_off < src_len) {
-                if (src_len - src_off >= sizeof(MAPTYPE)) {
-                        if (*(MAPTYPE *)&src[src_off] == 0) {
-                                src_off += sizeof(MAPTYPE);
-                                continue;
-                        }
-                        node_limit = sizeof(MAPTYPE);
-                } else {
-                        for (src_byte = 0, i_byte = src_off;
-                             i_byte < src_len && src_byte == 0;
-                             i_byte++)
-                                src_byte |= src[i_byte];
-                        if (src_byte == 0)
-                                break;
-                        node_limit = src_len - src_off;
-                }
-                node_new = kzalloc(sizeof(*node_new), GFP_ATOMIC);
+        /* This function is a much simpler because SELinux's MAPTYPE happens
-                if (unlikely(node_new == NULL)) {
+         * to be the same as NetLabel's NETLBL_CATMAP_MAPTYPE, if MAPTYPE is
-                        ebitmap_destroy(dst);
+         * changed from a u64 this function will most likely need to be changed
-                        return -ENOMEM;
+         * as well.  It's not ideal but I think the tradeoff in terms of
-                }
+         * neatness and speed is worth it. */
-                node_new->startbit = src_off * 8;
-                for (i_byte = 0; i_byte < node_limit; i_byte++) {
-                        src_byte = src[src_off++];
-                        for (i_bit = i_byte * 8; src_byte != 0; i_bit++) {
-                                if (src_byte & 0x80)
-                                        node_new->map |= MAPBIT << i_bit;
-                                src_byte <<= 1;
-                        }
-                }
-                if (node_last != NULL)
+        do {
-                        node_last->next = node_new;
+                for (c_idx = 0; c_idx < NETLBL_CATMAP_MAPCNT; c_idx++) {
-                else
+                        if (c_iter->bitmap[c_idx] == 0)
-                        dst->node = node_new;
+                                continue;
-                node_last = node_new;
-        }
+                        e_iter = kzalloc(sizeof(*e_iter), GFP_ATOMIC);
+                        if (e_iter == NULL)
+                                goto netlbl_import_failure;
+                        if (emap_prev == NULL)
+                                ebmap->node = e_iter;
+                        else
+                                emap_prev->next = e_iter;
+                        emap_prev = e_iter;
-        if (likely(node_last != NULL))
+                        e_iter->startbit = c_iter->startbit +
-                dst->highbit = node_last->startbit + MAPSIZE;
+                                           NETLBL_CATMAP_MAPSIZE * c_idx;
+                        e_iter->map = c_iter->bitmap[c_idx];
+                }
+                c_iter = c_iter->next;
+        } while (c_iter != NULL);
+        if (e_iter != NULL)
+                ebmap->highbit = e_iter->startbit + MAPSIZE;
        else
-                ebitmap_init(dst);
+                ebitmap_destroy(ebmap);
        return 0;
+netlbl_import_failure:
+        ebitmap_destroy(ebmap);
+        return -ENOMEM;
 }
+#endif /* CONFIG_NETLABEL */
 int ebitmap_contains(struct ebitmap *e1, struct ebitmap *e2)
 {

diff --git a/security/selinux/ss/ebitmap.c b/security/selinux/ss/ebitmap.c index d539346ab3a2..ce492a6b38ed 100644 --- a/security/selinux/ss/ebitmap.c +++ b/security/selinux/ss/ebitmap.c
@@ -6,7 +6,7 @@
6	/*	6	/*
7	* Updated: Hewlett-Packard <paul.moore@hp.com>	7	* Updated: Hewlett-Packard <paul.moore@hp.com>
8	*	8	*
9	* Added ebitmap_export() and ebitmap_import()	9	* Added support to import/export the NetLabel category bitmap
10	*	10	*
11	* (c) Copyright Hewlett-Packard Development Company, L.P., 2006	11	* (c) Copyright Hewlett-Packard Development Company, L.P., 2006
12	*/	12	*/
@@ -14,6 +14,7 @@
14	#include <linux/kernel.h>	14	#include <linux/kernel.h>
15	#include <linux/slab.h>	15	#include <linux/slab.h>
16	#include <linux/errno.h>	16	#include <linux/errno.h>
		17	#include <net/netlabel.h>
17	#include "ebitmap.h"	18	#include "ebitmap.h"
18	#include "policydb.h"	19	#include "policydb.h"
19		20
@@ -67,141 +68,120 @@ int ebitmap_cpy(struct ebitmap dst, struct ebitmap src)
67	return 0;	68	return 0;
68	}	69	}
69		70
		71	#ifdef CONFIG_NETLABEL
70	/**	72	/**
71	* ebitmap_export - Export an ebitmap to a unsigned char bitmap string	73	* ebitmap_netlbl_export - Export an ebitmap into a NetLabel category bitmap
72	* @src: the ebitmap to export	74	* @ebmap: the ebitmap to export
73	* @dst: the resulting bitmap string	75	* @catmap: the NetLabel category bitmap
74	* @dst_len: length of dst in bytes
75	*	76	*
76	* Description:	77	* Description:
77	* Allocate a buffer at least src->highbit bits long and export the extensible	78	* Export a SELinux extensibile bitmap into a NetLabel category bitmap.
78	* bitmap into the buffer. The bitmap string will be in little endian format,	79	* Returns zero on success, negative values on error.
79	* i.e. LSB first. The value returned in dst_len may not the true size of the
80	* buffer as the length of the buffer is rounded up to a multiple of MAPTYPE.
81	* The caller must free the buffer when finished. Returns zero on success,
82	* negative values on failure.
83	*	80	*
84	*/	81	*/
85	int ebitmap_export(const struct ebitmap *src,	82	int ebitmap_netlbl_export(struct ebitmap *ebmap,
86	unsigned char **dst,	83	struct netlbl_lsm_secattr_catmap **catmap)
87	size_t *dst_len)
88	{	84	{
89	size_t bitmap_len;	85	struct ebitmap_node *e_iter = ebmap->node;
90	unsigned char *bitmap;	86	struct netlbl_lsm_secattr_catmap *c_iter;
91	struct ebitmap_node *iter_node;	87	u32 cmap_idx;
92	MAPTYPE node_val;	88
93	size_t bitmap_byte;	89	/* This function is a much simpler because SELinux's MAPTYPE happens
94	unsigned char bitmask;	90	* to be the same as NetLabel's NETLBL_CATMAP_MAPTYPE, if MAPTYPE is
95		91	* changed from a u64 this function will most likely need to be changed
96	if (src->highbit == 0) {	92	* as well. It's not ideal but I think the tradeoff in terms of
97	*dst = NULL;	93	* neatness and speed is worth it. */
98	*dst_len = 0;	94
		95	if (e_iter == NULL) {
		96	*catmap = NULL;
99	return 0;	97	return 0;
100	}	98	}
101		99
102	bitmap_len = src->highbit / 8;	100	c_iter = netlbl_secattr_catmap_alloc(GFP_ATOMIC);
103	if (src->highbit % 7)	101	if (c_iter == NULL)
104	bitmap_len += 1;
105
106	bitmap = kzalloc((bitmap_len & ~(sizeof(MAPTYPE) - 1)) +
107	sizeof(MAPTYPE),
108	GFP_ATOMIC);
109	if (bitmap == NULL)
110	return -ENOMEM;	102	return -ENOMEM;
		103	*catmap = c_iter;
		104	c_iter->startbit = e_iter->startbit & ~(NETLBL_CATMAP_SIZE - 1);
		105
		106	while (e_iter != NULL) {
		107	if (e_iter->startbit >=
		108	(c_iter->startbit + NETLBL_CATMAP_SIZE)) {
		109	c_iter->next = netlbl_secattr_catmap_alloc(GFP_ATOMIC);
		110	if (c_iter->next == NULL)
		111	goto netlbl_export_failure;
		112	c_iter = c_iter->next;
		113	c_iter->startbit = e_iter->startbit &
		114	~(NETLBL_CATMAP_SIZE - 1);
		115	}
		116	cmap_idx = (e_iter->startbit - c_iter->startbit) /
		117	NETLBL_CATMAP_MAPSIZE;
		118	c_iter->bitmap[cmap_idx] = e_iter->map;
		119	e_iter = e_iter->next;
		120	}
111		121
112	iter_node = src->node;
113	do {
114	bitmap_byte = iter_node->startbit / 8;
115	bitmask = 0x80;
116	node_val = iter_node->map;
117	do {
118	if (bitmask == 0) {
119	bitmap_byte++;
120	bitmask = 0x80;
121	}
122	if (node_val & (MAPTYPE)0x01)
123	bitmap[bitmap_byte] \|= bitmask;
124	node_val >>= 1;
125	bitmask >>= 1;
126	} while (node_val > 0);
127	iter_node = iter_node->next;
128	} while (iter_node);
129
130	*dst = bitmap;
131	*dst_len = bitmap_len;
132	return 0;	122	return 0;
		123
		124	netlbl_export_failure:
		125	netlbl_secattr_catmap_free(*catmap);
		126	return -ENOMEM;
133	}	127	}
134		128
135	/**	129	/**
136	* ebitmap_import - Import an unsigned char bitmap string into an ebitmap	130	* ebitmap_netlbl_import - Import a NetLabel category bitmap into an ebitmap
137	* @src: the bitmap string	131	* @ebmap: the ebitmap to export
138	* @src_len: the bitmap length in bytes	132	* @catmap: the NetLabel category bitmap
139	* @dst: the empty ebitmap
140	*	133	*
141	* Description:	134	* Description:
142	* This function takes a little endian bitmap string in src and imports it into	135	* Import a NetLabel category bitmap into a SELinux extensibile bitmap.
143	* the ebitmap pointed to by dst. Returns zero on success, negative values on	136	* Returns zero on success, negative values on error.
144	* failure.
145	*	137	*
146	*/	138	*/
147	int ebitmap_import(const unsigned char *src,	139	int ebitmap_netlbl_import(struct ebitmap *ebmap,
148	size_t src_len,	140	struct netlbl_lsm_secattr_catmap *catmap)
149	struct ebitmap *dst)
150	{	141	{
151	size_t src_off = 0;	142	struct ebitmap_node *e_iter = NULL;
152	size_t node_limit;	143	struct ebitmap_node *emap_prev = NULL;
153	struct ebitmap_node *node_new;	144	struct netlbl_lsm_secattr_catmap *c_iter = catmap;
154	struct ebitmap_node *node_last = NULL;	145	u32 c_idx;
155	u32 i_byte;
156	u32 i_bit;
157	unsigned char src_byte;
158
159	while (src_off < src_len) {
160	if (src_len - src_off >= sizeof(MAPTYPE)) {
161	if ((MAPTYPE )&src[src_off] == 0) {
162	src_off += sizeof(MAPTYPE);
163	continue;
164	}
165	node_limit = sizeof(MAPTYPE);
166	} else {
167	for (src_byte = 0, i_byte = src_off;
168	i_byte < src_len && src_byte == 0;
169	i_byte++)
170	src_byte \|= src[i_byte];
171	if (src_byte == 0)
172	break;
173	node_limit = src_len - src_off;
174	}
175		146
176	node_new = kzalloc(sizeof(*node_new), GFP_ATOMIC);	147	/* This function is a much simpler because SELinux's MAPTYPE happens
177	if (unlikely(node_new == NULL)) {	148	* to be the same as NetLabel's NETLBL_CATMAP_MAPTYPE, if MAPTYPE is
178	ebitmap_destroy(dst);	149	* changed from a u64 this function will most likely need to be changed
179	return -ENOMEM;	150	* as well. It's not ideal but I think the tradeoff in terms of
180	}	151	* neatness and speed is worth it. */
181	node_new->startbit = src_off * 8;
182	for (i_byte = 0; i_byte < node_limit; i_byte++) {
183	src_byte = src[src_off++];
184	for (i_bit = i_byte * 8; src_byte != 0; i_bit++) {
185	if (src_byte & 0x80)
186	node_new->map \|= MAPBIT << i_bit;
187	src_byte <<= 1;
188	}
189	}
190		152
191	if (node_last != NULL)	153	do {
192	node_last->next = node_new;	154	for (c_idx = 0; c_idx < NETLBL_CATMAP_MAPCNT; c_idx++) {
193	else	155	if (c_iter->bitmap[c_idx] == 0)
194	dst->node = node_new;	156	continue;
195	node_last = node_new;	157
196	}	158	e_iter = kzalloc(sizeof(*e_iter), GFP_ATOMIC);
		159	if (e_iter == NULL)
		160	goto netlbl_import_failure;
		161	if (emap_prev == NULL)
		162	ebmap->node = e_iter;
		163	else
		164	emap_prev->next = e_iter;
		165	emap_prev = e_iter;
197		166
198	if (likely(node_last != NULL))	167	e_iter->startbit = c_iter->startbit +
199	dst->highbit = node_last->startbit + MAPSIZE;	168	NETLBL_CATMAP_MAPSIZE * c_idx;
		169	e_iter->map = c_iter->bitmap[c_idx];
		170	}
		171	c_iter = c_iter->next;
		172	} while (c_iter != NULL);
		173	if (e_iter != NULL)
		174	ebmap->highbit = e_iter->startbit + MAPSIZE;
200	else	175	else
201	ebitmap_init(dst);	176	ebitmap_destroy(ebmap);
202		177
203	return 0;	178	return 0;
		179
		180	netlbl_import_failure:
		181	ebitmap_destroy(ebmap);
		182	return -ENOMEM;
204	}	183	}
		184	#endif /* CONFIG_NETLABEL */
205		185
206	int ebitmap_contains(struct ebitmap e1, struct ebitmap e2)	186	int ebitmap_contains(struct ebitmap e1, struct ebitmap e2)
207	{	187	{