Diffstat (limited to 'security')
-rw-r--r-- | security/selinux/ss/conditional.c | 6 | ||||
-rw-r--r-- | security/selinux/ss/mls.c | 25 | ||||
-rw-r--r-- | security/selinux/ss/policydb.c | 109 | ||||
-rw-r--r-- | security/selinux/ss/policydb.h | 17 | ||||
-rw-r--r-- | security/selinux/ss/services.c | 38 |
5 files changed, 127 insertions, 68 deletions
diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c index 655fe1c6cc69..c3f845cbcd48 100644 --- a/security/selinux/ss/conditional.c +++ b/security/selinux/ss/conditional.c | |||
@@ -193,6 +193,7 @@ int cond_index_bool(void *key, void *datum, void *datap) | |||
193 | { | 193 | { |
194 | struct policydb *p; | 194 | struct policydb *p; |
195 | struct cond_bool_datum *booldatum; | 195 | struct cond_bool_datum *booldatum; |
196 | struct flex_array *fa; | ||
196 | 197 | ||
197 | booldatum = datum; | 198 | booldatum = datum; |
198 | p = datap; | 199 | p = datap; |
@@ -200,7 +201,10 @@ int cond_index_bool(void *key, void *datum, void *datap) | |||
200 | if (!booldatum->value || booldatum->value > p->p_bools.nprim) | 201 | if (!booldatum->value || booldatum->value > p->p_bools.nprim) |
201 | return -EINVAL; | 202 | return -EINVAL; |
202 | 203 | ||
203 | p->p_bool_val_to_name[booldatum->value - 1] = key; | 204 | fa = p->sym_val_to_name[SYM_BOOLS]; |
205 | if (flex_array_put_ptr(fa, booldatum->value - 1, key, | ||
206 | GFP_KERNEL | __GFP_ZERO)) | ||
207 | BUG(); | ||
204 | p->bool_val_to_struct[booldatum->value - 1] = booldatum; | 208 | p->bool_val_to_struct[booldatum->value - 1] = booldatum; |
205 | 209 | ||
206 | return 0; | 210 | return 0; |
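Review bot: The BUG() at new lines 205–207 turns a flex_array_put_ptr() failure into a panic, and nothing at the call site records why that failure is considered impossible; the old type_index() in policydb.c carried `/* this flex array was all preallocated, this cannot fail */` and this commit drops that comment while adding seven more unexplained BUG() sites. Assuming cond_index_bool() is reached through policydb_index_others(), which preallocates elements 0..nprim-1 right before hashtab_map(), the put can fail neither on range nor on memory, but that invariant lives in another file and a future change to the prealloc range would surface as a panic during policy load. I would keep the reason next to each BUG(), e.g. `/* range preallocated by policydb_index_others(); cannot fail */`, here and in the common/class/role/type/user/sens/cat _index helpers in policydb.c. cond_index_bool() starts before the first hunk, so its signature is outside view.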
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c index b4eff7a60c50..1ef8e4e89880 100644 --- a/security/selinux/ss/mls.c +++ b/security/selinux/ss/mls.c | |||
@@ -45,7 +45,7 @@ int mls_compute_context_len(struct context *context) | |||
45 | len = 1; /* for the beginning ":" */ | 45 | len = 1; /* for the beginning ":" */ |
46 | for (l = 0; l < 2; l++) { | 46 | for (l = 0; l < 2; l++) { |
47 | int index_sens = context->range.level[l].sens; | 47 | int index_sens = context->range.level[l].sens; |
48 | len += strlen(policydb.p_sens_val_to_name[index_sens - 1]); | 48 | len += strlen(sym_name(&policydb, SYM_LEVELS, index_sens - 1)); |
49 | 49 | ||
50 | /* categories */ | 50 | /* categories */ |
51 | head = -2; | 51 | head = -2; |
@@ -55,17 +55,17 @@ int mls_compute_context_len(struct context *context) | |||
55 | if (i - prev > 1) { | 55 | if (i - prev > 1) { |
56 | /* one or more negative bits are skipped */ | 56 | /* one or more negative bits are skipped */ |
57 | if (head != prev) { | 57 | if (head != prev) { |
58 | nm = policydb.p_cat_val_to_name[prev]; | 58 | nm = sym_name(&policydb, SYM_CATS, prev); |
59 | len += strlen(nm) + 1; | 59 | len += strlen(nm) + 1; |
60 | } | 60 | } |
61 | nm = policydb.p_cat_val_to_name[i]; | 61 | nm = sym_name(&policydb, SYM_CATS, i); |
62 | len += strlen(nm) + 1; | 62 | len += strlen(nm) + 1; |
63 | head = i; | 63 | head = i; |
64 | } | 64 | } |
65 | prev = i; | 65 | prev = i; |
66 | } | 66 | } |
67 | if (prev != head) { | 67 | if (prev != head) { |
68 | nm = policydb.p_cat_val_to_name[prev]; | 68 | nm = sym_name(&policydb, SYM_CATS, prev); |
69 | len += strlen(nm) + 1; | 69 | len += strlen(nm) + 1; |
70 | } | 70 | } |
71 | if (l == 0) { | 71 | if (l == 0) { |
@@ -102,8 +102,8 @@ void mls_sid_to_context(struct context *context, | |||
102 | scontextp++; | 102 | scontextp++; |
103 | 103 | ||
104 | for (l = 0; l < 2; l++) { | 104 | for (l = 0; l < 2; l++) { |
105 | strcpy(scontextp, | 105 | strcpy(scontextp, sym_name(&policydb, SYM_LEVELS, |
106 | policydb.p_sens_val_to_name[context->range.level[l].sens - 1]); | 106 | context->range.level[l].sens - 1)); |
107 | scontextp += strlen(scontextp); | 107 | scontextp += strlen(scontextp); |
108 | 108 | ||
109 | /* categories */ | 109 | /* categories */ |
@@ -118,7 +118,7 @@ void mls_sid_to_context(struct context *context, | |||
118 | *scontextp++ = '.'; | 118 | *scontextp++ = '.'; |
119 | else | 119 | else |
120 | *scontextp++ = ','; | 120 | *scontextp++ = ','; |
121 | nm = policydb.p_cat_val_to_name[prev]; | 121 | nm = sym_name(&policydb, SYM_CATS, prev); |
122 | strcpy(scontextp, nm); | 122 | strcpy(scontextp, nm); |
123 | scontextp += strlen(nm); | 123 | scontextp += strlen(nm); |
124 | } | 124 | } |
@@ -126,7 +126,7 @@ void mls_sid_to_context(struct context *context, | |||
126 | *scontextp++ = ':'; | 126 | *scontextp++ = ':'; |
127 | else | 127 | else |
128 | *scontextp++ = ','; | 128 | *scontextp++ = ','; |
129 | nm = policydb.p_cat_val_to_name[i]; | 129 | nm = sym_name(&policydb, SYM_CATS, i); |
130 | strcpy(scontextp, nm); | 130 | strcpy(scontextp, nm); |
131 | scontextp += strlen(nm); | 131 | scontextp += strlen(nm); |
132 | head = i; | 132 | head = i; |
@@ -139,7 +139,7 @@ void mls_sid_to_context(struct context *context, | |||
139 | *scontextp++ = '.'; | 139 | *scontextp++ = '.'; |
140 | else | 140 | else |
141 | *scontextp++ = ','; | 141 | *scontextp++ = ','; |
142 | nm = policydb.p_cat_val_to_name[prev]; | 142 | nm = sym_name(&policydb, SYM_CATS, prev); |
143 | strcpy(scontextp, nm); | 143 | strcpy(scontextp, nm); |
144 | scontextp += strlen(nm); | 144 | scontextp += strlen(nm); |
145 | } | 145 | } |
@@ -166,7 +166,7 @@ int mls_level_isvalid(struct policydb *p, struct mls_level *l) | |||
166 | if (!l->sens || l->sens > p->p_levels.nprim) | 166 | if (!l->sens || l->sens > p->p_levels.nprim) |
167 | return 0; | 167 | return 0; |
168 | levdatum = hashtab_search(p->p_levels.table, | 168 | levdatum = hashtab_search(p->p_levels.table, |
169 | p->p_sens_val_to_name[l->sens - 1]); | 169 | sym_name(p, SYM_LEVELS, l->sens - 1)); |
170 | if (!levdatum) | 170 | if (!levdatum) |
171 | return 0; | 171 | return 0; |
172 | 172 | ||
@@ -482,7 +482,8 @@ int mls_convert_context(struct policydb *oldp, | |||
482 | 482 | ||
483 | for (l = 0; l < 2; l++) { | 483 | for (l = 0; l < 2; l++) { |
484 | levdatum = hashtab_search(newp->p_levels.table, | 484 | levdatum = hashtab_search(newp->p_levels.table, |
485 | oldp->p_sens_val_to_name[c->range.level[l].sens - 1]); | 485 | sym_name(oldp, SYM_LEVELS, |
486 | c->range.level[l].sens - 1)); | ||
486 | 487 | ||
487 | if (!levdatum) | 488 | if (!levdatum) |
488 | return -EINVAL; | 489 | return -EINVAL; |
@@ -493,7 +494,7 @@ int mls_convert_context(struct policydb *oldp, | |||
493 | int rc; | 494 | int rc; |
494 | 495 | ||
495 | catdatum = hashtab_search(newp->p_cats.table, | 496 | catdatum = hashtab_search(newp->p_cats.table, |
496 | oldp->p_cat_val_to_name[i]); | 497 | sym_name(oldp, SYM_CATS, i)); |
497 | if (!catdatum) | 498 | if (!catdatum) |
498 | return -EINVAL; | 499 | return -EINVAL; |
499 | rc = ebitmap_set_bit(&bitmap, catdatum->value - 1, 1); | 500 | rc = ebitmap_set_bit(&bitmap, catdatum->value - 1, 1); |
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index af41fdfe1a71..5adca670e5af 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c | |||
@@ -254,12 +254,17 @@ static int common_index(void *key, void *datum, void *datap) | |||
254 | { | 254 | { |
255 | struct policydb *p; | 255 | struct policydb *p; |
256 | struct common_datum *comdatum; | 256 | struct common_datum *comdatum; |
257 | struct flex_array *fa; | ||
257 | 258 | ||
258 | comdatum = datum; | 259 | comdatum = datum; |
259 | p = datap; | 260 | p = datap; |
260 | if (!comdatum->value || comdatum->value > p->p_commons.nprim) | 261 | if (!comdatum->value || comdatum->value > p->p_commons.nprim) |
261 | return -EINVAL; | 262 | return -EINVAL; |
262 | p->p_common_val_to_name[comdatum->value - 1] = key; | 263 | |
264 | fa = p->sym_val_to_name[SYM_COMMONS]; | ||
265 | if (flex_array_put_ptr(fa, comdatum->value - 1, key, | ||
266 | GFP_KERNEL | __GFP_ZERO)) | ||
267 | BUG(); | ||
263 | return 0; | 268 | return 0; |
264 | } | 269 | } |
265 | 270 | ||
@@ -267,12 +272,16 @@ static int class_index(void *key, void *datum, void *datap) | |||
267 | { | 272 | { |
268 | struct policydb *p; | 273 | struct policydb *p; |
269 | struct class_datum *cladatum; | 274 | struct class_datum *cladatum; |
275 | struct flex_array *fa; | ||
270 | 276 | ||
271 | cladatum = datum; | 277 | cladatum = datum; |
272 | p = datap; | 278 | p = datap; |
273 | if (!cladatum->value || cladatum->value > p->p_classes.nprim) | 279 | if (!cladatum->value || cladatum->value > p->p_classes.nprim) |
274 | return -EINVAL; | 280 | return -EINVAL; |
275 | p->p_class_val_to_name[cladatum->value - 1] = key; | 281 | fa = p->sym_val_to_name[SYM_CLASSES]; |
282 | if (flex_array_put_ptr(fa, cladatum->value - 1, key, | ||
283 | GFP_KERNEL | __GFP_ZERO)) | ||
284 | BUG(); | ||
276 | p->class_val_to_struct[cladatum->value - 1] = cladatum; | 285 | p->class_val_to_struct[cladatum->value - 1] = cladatum; |
277 | return 0; | 286 | return 0; |
278 | } | 287 | } |
@@ -281,6 +290,7 @@ static int role_index(void *key, void *datum, void *datap) | |||
281 | { | 290 | { |
282 | struct policydb *p; | 291 | struct policydb *p; |
283 | struct role_datum *role; | 292 | struct role_datum *role; |
293 | struct flex_array *fa; | ||
284 | 294 | ||
285 | role = datum; | 295 | role = datum; |
286 | p = datap; | 296 | p = datap; |
@@ -288,7 +298,11 @@ static int role_index(void *key, void *datum, void *datap) | |||
288 | || role->value > p->p_roles.nprim | 298 | || role->value > p->p_roles.nprim |
289 | || role->bounds > p->p_roles.nprim) | 299 | || role->bounds > p->p_roles.nprim) |
290 | return -EINVAL; | 300 | return -EINVAL; |
291 | p->p_role_val_to_name[role->value - 1] = key; | 301 | |
302 | fa = p->sym_val_to_name[SYM_ROLES]; | ||
303 | if (flex_array_put_ptr(fa, role->value - 1, key, | ||
304 | GFP_KERNEL | __GFP_ZERO)) | ||
305 | BUG(); | ||
292 | p->role_val_to_struct[role->value - 1] = role; | 306 | p->role_val_to_struct[role->value - 1] = role; |
293 | return 0; | 307 | return 0; |
294 | } | 308 | } |
@@ -297,6 +311,7 @@ static int type_index(void *key, void *datum, void *datap) | |||
297 | { | 311 | { |
298 | struct policydb *p; | 312 | struct policydb *p; |
299 | struct type_datum *typdatum; | 313 | struct type_datum *typdatum; |
314 | struct flex_array *fa; | ||
300 | 315 | ||
301 | typdatum = datum; | 316 | typdatum = datum; |
302 | p = datap; | 317 | p = datap; |
@@ -306,10 +321,13 @@ static int type_index(void *key, void *datum, void *datap) | |||
306 | || typdatum->value > p->p_types.nprim | 321 | || typdatum->value > p->p_types.nprim |
307 | || typdatum->bounds > p->p_types.nprim) | 322 | || typdatum->bounds > p->p_types.nprim) |
308 | return -EINVAL; | 323 | return -EINVAL; |
309 | p->p_type_val_to_name[typdatum->value - 1] = key; | 324 | fa = p->sym_val_to_name[SYM_TYPES]; |
310 | /* this flex array was all preallocated, this cannot fail */ | 325 | if (flex_array_put_ptr(fa, typdatum->value - 1, key, |
311 | if (flex_array_put_ptr(p->type_val_to_struct_array, | 326 | GFP_KERNEL | __GFP_ZERO)) |
312 | typdatum->value - 1, typdatum, | 327 | BUG(); |
328 | |||
329 | fa = p->type_val_to_struct_array; | ||
330 | if (flex_array_put_ptr(fa, typdatum->value - 1, typdatum, | ||
313 | GFP_KERNEL | __GFP_ZERO)) | 331 | GFP_KERNEL | __GFP_ZERO)) |
314 | BUG(); | 332 | BUG(); |
315 | } | 333 | } |
@@ -321,6 +339,7 @@ static int user_index(void *key, void *datum, void *datap) | |||
321 | { | 339 | { |
322 | struct policydb *p; | 340 | struct policydb *p; |
323 | struct user_datum *usrdatum; | 341 | struct user_datum *usrdatum; |
342 | struct flex_array *fa; | ||
324 | 343 | ||
325 | usrdatum = datum; | 344 | usrdatum = datum; |
326 | p = datap; | 345 | p = datap; |
@@ -328,7 +347,11 @@ static int user_index(void *key, void *datum, void *datap) | |||
328 | || usrdatum->value > p->p_users.nprim | 347 | || usrdatum->value > p->p_users.nprim |
329 | || usrdatum->bounds > p->p_users.nprim) | 348 | || usrdatum->bounds > p->p_users.nprim) |
330 | return -EINVAL; | 349 | return -EINVAL; |
331 | p->p_user_val_to_name[usrdatum->value - 1] = key; | 350 | |
351 | fa = p->sym_val_to_name[SYM_USERS]; | ||
352 | if (flex_array_put_ptr(fa, usrdatum->value - 1, key, | ||
353 | GFP_KERNEL | __GFP_ZERO)) | ||
354 | BUG(); | ||
332 | p->user_val_to_struct[usrdatum->value - 1] = usrdatum; | 355 | p->user_val_to_struct[usrdatum->value - 1] = usrdatum; |
333 | return 0; | 356 | return 0; |
334 | } | 357 | } |
@@ -337,6 +360,7 @@ static int sens_index(void *key, void *datum, void *datap) | |||
337 | { | 360 | { |
338 | struct policydb *p; | 361 | struct policydb *p; |
339 | struct level_datum *levdatum; | 362 | struct level_datum *levdatum; |
363 | struct flex_array *fa; | ||
340 | 364 | ||
341 | levdatum = datum; | 365 | levdatum = datum; |
342 | p = datap; | 366 | p = datap; |
@@ -345,7 +369,10 @@ static int sens_index(void *key, void *datum, void *datap) | |||
345 | if (!levdatum->level->sens || | 369 | if (!levdatum->level->sens || |
346 | levdatum->level->sens > p->p_levels.nprim) | 370 | levdatum->level->sens > p->p_levels.nprim) |
347 | return -EINVAL; | 371 | return -EINVAL; |
348 | p->p_sens_val_to_name[levdatum->level->sens - 1] = key; | 372 | fa = p->sym_val_to_name[SYM_LEVELS]; |
373 | if (flex_array_put_ptr(fa, levdatum->level->sens - 1, key, | ||
374 | GFP_KERNEL | __GFP_ZERO)) | ||
375 | BUG(); | ||
349 | } | 376 | } |
350 | 377 | ||
351 | return 0; | 378 | return 0; |
@@ -355,6 +382,7 @@ static int cat_index(void *key, void *datum, void *datap) | |||
355 | { | 382 | { |
356 | struct policydb *p; | 383 | struct policydb *p; |
357 | struct cat_datum *catdatum; | 384 | struct cat_datum *catdatum; |
385 | struct flex_array *fa; | ||
358 | 386 | ||
359 | catdatum = datum; | 387 | catdatum = datum; |
360 | p = datap; | 388 | p = datap; |
@@ -362,7 +390,10 @@ static int cat_index(void *key, void *datum, void *datap) | |||
362 | if (!catdatum->isalias) { | 390 | if (!catdatum->isalias) { |
363 | if (!catdatum->value || catdatum->value > p->p_cats.nprim) | 391 | if (!catdatum->value || catdatum->value > p->p_cats.nprim) |
364 | return -EINVAL; | 392 | return -EINVAL; |
365 | p->p_cat_val_to_name[catdatum->value - 1] = key; | 393 | fa = p->sym_val_to_name[SYM_CATS]; |
394 | if (flex_array_put_ptr(fa, catdatum->value - 1, key, | ||
395 | GFP_KERNEL | __GFP_ZERO)) | ||
396 | BUG(); | ||
366 | } | 397 | } |
367 | 398 | ||
368 | return 0; | 399 | return 0; |
@@ -392,9 +423,16 @@ static int policydb_index_classes(struct policydb *p) | |||
392 | int rc; | 423 | int rc; |
393 | 424 | ||
394 | rc = -ENOMEM; | 425 | rc = -ENOMEM; |
395 | p->p_common_val_to_name = | 426 | p->sym_val_to_name[SYM_COMMONS] = flex_array_alloc(sizeof(char *), |
396 | kmalloc(p->p_commons.nprim * sizeof(char *), GFP_KERNEL); | 427 | p->p_commons.nprim, |
397 | if (!p->p_common_val_to_name) | 428 | GFP_KERNEL | __GFP_ZERO); |
429 | if (!p->sym_val_to_name[SYM_COMMONS]) | ||
430 | goto out; | ||
431 | |||
432 | rc = flex_array_prealloc(p->sym_val_to_name[SYM_COMMONS], | ||
433 | 0, p->p_commons.nprim - 1, | ||
434 | GFP_KERNEL | __GFP_ZERO); | ||
435 | if (rc) | ||
398 | goto out; | 436 | goto out; |
399 | 437 | ||
400 | rc = hashtab_map(p->p_commons.table, common_index, p); | 438 | rc = hashtab_map(p->p_commons.table, common_index, p); |
@@ -408,9 +446,16 @@ static int policydb_index_classes(struct policydb *p) | |||
408 | goto out; | 446 | goto out; |
409 | 447 | ||
410 | rc = -ENOMEM; | 448 | rc = -ENOMEM; |
411 | p->p_class_val_to_name = | 449 | p->sym_val_to_name[SYM_CLASSES] = flex_array_alloc(sizeof(char *), |
412 | kmalloc(p->p_classes.nprim * sizeof(char *), GFP_KERNEL); | 450 | p->p_classes.nprim, |
413 | if (!p->p_class_val_to_name) | 451 | GFP_KERNEL | __GFP_ZERO); |
452 | if (!p->sym_val_to_name[SYM_CLASSES]) | ||
453 | goto out; | ||
454 | |||
455 | rc = flex_array_prealloc(p->sym_val_to_name[SYM_CLASSES], | ||
456 | 0, p->p_classes.nprim - 1, | ||
457 | GFP_KERNEL | __GFP_ZERO); | ||
458 | if (rc) | ||
414 | goto out; | 459 | goto out; |
415 | 460 | ||
416 | rc = hashtab_map(p->p_classes.table, class_index, p); | 461 | rc = hashtab_map(p->p_classes.table, class_index, p); |
@@ -507,10 +552,18 @@ static int policydb_index_others(struct policydb *p) | |||
507 | 552 | ||
508 | for (i = SYM_ROLES; i < SYM_NUM; i++) { | 553 | for (i = SYM_ROLES; i < SYM_NUM; i++) { |
509 | rc = -ENOMEM; | 554 | rc = -ENOMEM; |
510 | p->sym_val_to_name[i] = | 555 | p->sym_val_to_name[i] = flex_array_alloc(sizeof(char *), |
511 | kmalloc(p->symtab[i].nprim * sizeof(char *), GFP_KERNEL); | 556 | p->symtab[i].nprim, |
557 | GFP_KERNEL | __GFP_ZERO); | ||
512 | if (!p->sym_val_to_name[i]) | 558 | if (!p->sym_val_to_name[i]) |
513 | goto out; | 559 | goto out; |
560 | |||
561 | rc = flex_array_prealloc(p->sym_val_to_name[i], | ||
562 | 0, p->symtab[i].nprim - 1, | ||
563 | GFP_KERNEL | __GFP_ZERO); | ||
564 | if (rc) | ||
565 | goto out; | ||
566 | |||
514 | rc = hashtab_map(p->symtab[i].table, index_f[i], p); | 567 | rc = hashtab_map(p->symtab[i].table, index_f[i], p); |
515 | if (rc) | 568 | if (rc) |
516 | goto out; | 569 | goto out; |
@@ -703,8 +756,10 @@ void policydb_destroy(struct policydb *p) | |||
703 | hashtab_destroy(p->symtab[i].table); | 756 | hashtab_destroy(p->symtab[i].table); |
704 | } | 757 | } |
705 | 758 | ||
706 | for (i = 0; i < SYM_NUM; i++) | 759 | for (i = 0; i < SYM_NUM; i++) { |
707 | kfree(p->sym_val_to_name[i]); | 760 | if (p->sym_val_to_name[i]) |
761 | flex_array_free(p->sym_val_to_name[i]); | ||
762 | } | ||
708 | 763 | ||
709 | kfree(p->class_val_to_struct); | 764 | kfree(p->class_val_to_struct); |
710 | kfree(p->role_val_to_struct); | 765 | kfree(p->role_val_to_struct); |
@@ -1566,9 +1621,9 @@ static int user_bounds_sanity_check(void *key, void *datum, void *datap) | |||
1566 | printk(KERN_ERR | 1621 | printk(KERN_ERR |
1567 | "SELinux: boundary violated policy: " | 1622 | "SELinux: boundary violated policy: " |
1568 | "user=%s role=%s bounds=%s\n", | 1623 | "user=%s role=%s bounds=%s\n", |
1569 | p->p_user_val_to_name[user->value - 1], | 1624 | sym_name(p, SYM_USERS, user->value - 1), |
1570 | p->p_role_val_to_name[bit], | 1625 | sym_name(p, SYM_ROLES, bit), |
1571 | p->p_user_val_to_name[upper->value - 1]); | 1626 | sym_name(p, SYM_USERS, upper->value - 1)); |
1572 | 1627 | ||
1573 | return -EINVAL; | 1628 | return -EINVAL; |
1574 | } | 1629 | } |
@@ -1603,9 +1658,9 @@ static int role_bounds_sanity_check(void *key, void *datum, void *datap) | |||
1603 | printk(KERN_ERR | 1658 | printk(KERN_ERR |
1604 | "SELinux: boundary violated policy: " | 1659 | "SELinux: boundary violated policy: " |
1605 | "role=%s type=%s bounds=%s\n", | 1660 | "role=%s type=%s bounds=%s\n", |
1606 | p->p_role_val_to_name[role->value - 1], | 1661 | sym_name(p, SYM_ROLES, role->value - 1), |
1607 | p->p_type_val_to_name[bit], | 1662 | sym_name(p, SYM_TYPES, bit), |
1608 | p->p_role_val_to_name[upper->value - 1]); | 1663 | sym_name(p, SYM_ROLES, upper->value - 1)); |
1609 | 1664 | ||
1610 | return -EINVAL; | 1665 | return -EINVAL; |
1611 | } | 1666 | } |
@@ -1637,7 +1692,7 @@ static int type_bounds_sanity_check(void *key, void *datum, void *datap) | |||
1637 | printk(KERN_ERR "SELinux: type %s: " | 1692 | printk(KERN_ERR "SELinux: type %s: " |
1638 | "bounded by attribute %s", | 1693 | "bounded by attribute %s", |
1639 | (char *) key, | 1694 | (char *) key, |
1640 | p->p_type_val_to_name[upper->value - 1]); | 1695 | sym_name(p, SYM_TYPES, upper->value - 1)); |
1641 | return -EINVAL; | 1696 | return -EINVAL; |
1642 | } | 1697 | } |
1643 | } | 1698 | } |
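Review bot: The flex_array_prealloc() calls at new lines 432, 455 and 561 pass `p->p_commons.nprim - 1` (and the class and symtab[i] equivalents) as the end element, and nprim is unsigned, so an empty symbol table wraps the argument to UINT_MAX; I would expect prealloc's range check to reject that, turning policy load into a hard failure where the old `kmalloc(0 * sizeof(char *), GFP_KERNEL)` succeeded. Whether a loadable policy may have zero commons, classes or entries in one of the other tables I cannot tell from this page, but the old code tolerated it and the new code does not. Guard the subtraction at all three sites, e.g. `if (p->p_commons.nprim) rc = flex_array_prealloc(p->sym_val_to_name[SYM_COMMONS], 0, p->p_commons.nprim - 1, GFP_KERNEL | __GFP_ZERO);`, keeping `if (rc) goto out;` after it, or skip the alloc/prealloc pair when nprim is zero and let the _index callbacks, which already reject value > nprim, never run. Both policydb_index_classes() and policydb_index_others() start outside their hunks.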
diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h index 9826a92a6b0c..4e3ab9d0b315 100644 --- a/security/selinux/ss/policydb.h +++ b/security/selinux/ss/policydb.h | |||
@@ -203,15 +203,7 @@ struct policydb { | |||
203 | #define p_cats symtab[SYM_CATS] | 203 | #define p_cats symtab[SYM_CATS] |
204 | 204 | ||
205 | /* symbol names indexed by (value - 1) */ | 205 | /* symbol names indexed by (value - 1) */ |
206 | char **sym_val_to_name[SYM_NUM]; | 206 | struct flex_array *sym_val_to_name[SYM_NUM]; |
207 | #define p_common_val_to_name sym_val_to_name[SYM_COMMONS] | ||
208 | #define p_class_val_to_name sym_val_to_name[SYM_CLASSES] | ||
209 | #define p_role_val_to_name sym_val_to_name[SYM_ROLES] | ||
210 | #define p_type_val_to_name sym_val_to_name[SYM_TYPES] | ||
211 | #define p_user_val_to_name sym_val_to_name[SYM_USERS] | ||
212 | #define p_bool_val_to_name sym_val_to_name[SYM_BOOLS] | ||
213 | #define p_sens_val_to_name sym_val_to_name[SYM_LEVELS] | ||
214 | #define p_cat_val_to_name sym_val_to_name[SYM_CATS] | ||
215 | 207 | ||
216 | /* class, role, and user attributes indexed by (value - 1) */ | 208 | /* class, role, and user attributes indexed by (value - 1) */ |
217 | struct class_datum **class_val_to_struct; | 209 | struct class_datum **class_val_to_struct; |
@@ -321,6 +313,13 @@ static inline int put_entry(void *buf, size_t bytes, int num, struct policy_file | |||
321 | return 0; | 313 | return 0; |
322 | } | 314 | } |
323 | 315 | ||
316 | static inline char *sym_name(struct policydb *p, unsigned int sym_num, unsigned int element_nr) | ||
317 | { | ||
318 | struct flex_array *fa = p->sym_val_to_name[sym_num]; | ||
319 | |||
320 | return flex_array_get_ptr(fa, element_nr); | ||
321 | } | ||
322 | |||
324 | extern u16 string_to_security_class(struct policydb *p, const char *name); | 323 | extern u16 string_to_security_class(struct policydb *p, const char *name); |
325 | extern u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name); | 324 | extern u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name); |
326 | 325 | ||
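Review bot: The new sym_name() helper at lines 316–321 states no contract, yet every caller this commit introduces in mls.c, policydb.c and services.c feeds its return straight into strlen(), strcpy(), hashtab_search() or a `%s` format without a NULL check, so the contract is what keeps those calls safe. As I read flex_array_get_ptr(), it returns NULL for an element whose part was never allocated, so the helper is only valid after policydb_index_classes()/policydb_index_others() have preallocated the full range, and only for element_nr below symtab[sym_num].nprim, i.e. the value - 1 of a symbol the _index callbacks already validated. I would say so above the definition: `/* Name of symbol (element_nr + 1) in symbol table sym_num. Only valid once policydb_index_*() has preallocated sym_val_to_name[sym_num] and for element_nr < symtab[sym_num].nprim; no bounds check is done here. */`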
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index afcbc19817f7..a03cfaf0ee07 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c | |||
@@ -464,7 +464,7 @@ static void security_dump_masked_av(struct context *scontext, | |||
464 | if (!permissions) | 464 | if (!permissions) |
465 | return; | 465 | return; |
466 | 466 | ||
467 | tclass_name = policydb.p_class_val_to_name[tclass - 1]; | 467 | tclass_name = sym_name(&policydb, SYM_CLASSES, tclass - 1); |
468 | tclass_dat = policydb.class_val_to_struct[tclass - 1]; | 468 | tclass_dat = policydb.class_val_to_struct[tclass - 1]; |
469 | common_dat = tclass_dat->comdatum; | 469 | common_dat = tclass_dat->comdatum; |
470 | 470 | ||
@@ -716,7 +716,7 @@ static int security_validtrans_handle_fail(struct context *ocontext, | |||
716 | audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, | 716 | audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR, |
717 | "security_validate_transition: denied for" | 717 | "security_validate_transition: denied for" |
718 | " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s", | 718 | " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s", |
719 | o, n, t, policydb.p_class_val_to_name[tclass-1]); | 719 | o, n, t, sym_name(&policydb, SYM_CLASSES, tclass-1)); |
720 | out: | 720 | out: |
721 | kfree(o); | 721 | kfree(o); |
722 | kfree(n); | 722 | kfree(n); |
@@ -1012,9 +1012,9 @@ static int context_struct_to_string(struct context *context, char **scontext, u3 | |||
1012 | } | 1012 | } |
1013 | 1013 | ||
1014 | /* Compute the size of the context. */ | 1014 | /* Compute the size of the context. */ |
1015 | *scontext_len += strlen(policydb.p_user_val_to_name[context->user - 1]) + 1; | 1015 | *scontext_len += strlen(sym_name(&policydb, SYM_USERS, context->user - 1)) + 1; |
1016 | *scontext_len += strlen(policydb.p_role_val_to_name[context->role - 1]) + 1; | 1016 | *scontext_len += strlen(sym_name(&policydb, SYM_ROLES, context->role - 1)) + 1; |
1017 | *scontext_len += strlen(policydb.p_type_val_to_name[context->type - 1]) + 1; | 1017 | *scontext_len += strlen(sym_name(&policydb, SYM_TYPES, context->type - 1)) + 1; |
1018 | *scontext_len += mls_compute_context_len(context); | 1018 | *scontext_len += mls_compute_context_len(context); |
1019 | 1019 | ||
1020 | if (!scontext) | 1020 | if (!scontext) |
@@ -1030,12 +1030,12 @@ static int context_struct_to_string(struct context *context, char **scontext, u3 | |||
1030 | * Copy the user name, role name and type name into the context. | 1030 | * Copy the user name, role name and type name into the context. |
1031 | */ | 1031 | */ |
1032 | sprintf(scontextp, "%s:%s:%s", | 1032 | sprintf(scontextp, "%s:%s:%s", |
1033 | policydb.p_user_val_to_name[context->user - 1], | 1033 | sym_name(&policydb, SYM_USERS, context->user - 1), |
1034 | policydb.p_role_val_to_name[context->role - 1], | 1034 | sym_name(&policydb, SYM_ROLES, context->role - 1), |
1035 | policydb.p_type_val_to_name[context->type - 1]); | 1035 | sym_name(&policydb, SYM_TYPES, context->type - 1)); |
1036 | scontextp += strlen(policydb.p_user_val_to_name[context->user - 1]) + | 1036 | scontextp += strlen(sym_name(&policydb, SYM_USERS, context->user - 1)) + |
1037 | 1 + strlen(policydb.p_role_val_to_name[context->role - 1]) + | 1037 | 1 + strlen(sym_name(&policydb, SYM_ROLES, context->role - 1)) + |
1038 | 1 + strlen(policydb.p_type_val_to_name[context->type - 1]); | 1038 | 1 + strlen(sym_name(&policydb, SYM_TYPES, context->type - 1)); |
1039 | 1039 | ||
1040 | mls_sid_to_context(context, &scontextp); | 1040 | mls_sid_to_context(context, &scontextp); |
1041 | 1041 | ||
@@ -1333,7 +1333,7 @@ static int compute_sid_handle_invalid_context( | |||
1333 | " for scontext=%s" | 1333 | " for scontext=%s" |
1334 | " tcontext=%s" | 1334 | " tcontext=%s" |
1335 | " tclass=%s", | 1335 | " tclass=%s", |
1336 | n, s, t, policydb.p_class_val_to_name[tclass-1]); | 1336 | n, s, t, sym_name(&policydb, SYM_CLASSES, tclass-1)); |
1337 | out: | 1337 | out: |
1338 | kfree(s); | 1338 | kfree(s); |
1339 | kfree(t); | 1339 | kfree(t); |
@@ -1654,7 +1654,7 @@ static int convert_context(u32 key, | |||
1654 | /* Convert the user. */ | 1654 | /* Convert the user. */ |
1655 | rc = -EINVAL; | 1655 | rc = -EINVAL; |
1656 | usrdatum = hashtab_search(args->newp->p_users.table, | 1656 | usrdatum = hashtab_search(args->newp->p_users.table, |
1657 | args->oldp->p_user_val_to_name[c->user - 1]); | 1657 | sym_name(args->oldp, SYM_USERS, c->user - 1)); |
1658 | if (!usrdatum) | 1658 | if (!usrdatum) |
1659 | goto bad; | 1659 | goto bad; |
1660 | c->user = usrdatum->value; | 1660 | c->user = usrdatum->value; |
@@ -1662,7 +1662,7 @@ static int convert_context(u32 key, | |||
1662 | /* Convert the role. */ | 1662 | /* Convert the role. */ |
1663 | rc = -EINVAL; | 1663 | rc = -EINVAL; |
1664 | role = hashtab_search(args->newp->p_roles.table, | 1664 | role = hashtab_search(args->newp->p_roles.table, |
1665 | args->oldp->p_role_val_to_name[c->role - 1]); | 1665 | sym_name(args->oldp, SYM_ROLES, c->role - 1)); |
1666 | if (!role) | 1666 | if (!role) |
1667 | goto bad; | 1667 | goto bad; |
1668 | c->role = role->value; | 1668 | c->role = role->value; |
@@ -1670,7 +1670,7 @@ static int convert_context(u32 key, | |||
1670 | /* Convert the type. */ | 1670 | /* Convert the type. */ |
1671 | rc = -EINVAL; | 1671 | rc = -EINVAL; |
1672 | typdatum = hashtab_search(args->newp->p_types.table, | 1672 | typdatum = hashtab_search(args->newp->p_types.table, |
1673 | args->oldp->p_type_val_to_name[c->type - 1]); | 1673 | sym_name(args->oldp, SYM_TYPES, c->type - 1)); |
1674 | if (!typdatum) | 1674 | if (!typdatum) |
1675 | goto bad; | 1675 | goto bad; |
1676 | c->type = typdatum->value; | 1676 | c->type = typdatum->value; |
@@ -2326,14 +2326,14 @@ int security_get_bools(int *len, char ***names, int **values) | |||
2326 | size_t name_len; | 2326 | size_t name_len; |
2327 | 2327 | ||
2328 | (*values)[i] = policydb.bool_val_to_struct[i]->state; | 2328 | (*values)[i] = policydb.bool_val_to_struct[i]->state; |
2329 | name_len = strlen(policydb.p_bool_val_to_name[i]) + 1; | 2329 | name_len = strlen(sym_name(&policydb, SYM_BOOLS, i)) + 1; |
2330 | 2330 | ||
2331 | rc = -ENOMEM; | 2331 | rc = -ENOMEM; |
2332 | (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC); | 2332 | (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC); |
2333 | if (!(*names)[i]) | 2333 | if (!(*names)[i]) |
2334 | goto err; | 2334 | goto err; |
2335 | 2335 | ||
2336 | strncpy((*names)[i], policydb.p_bool_val_to_name[i], name_len); | 2336 | strncpy((*names)[i], sym_name(&policydb, SYM_BOOLS, i), name_len); |
2337 | (*names)[i][name_len - 1] = 0; | 2337 | (*names)[i][name_len - 1] = 0; |
2338 | } | 2338 | } |
2339 | rc = 0; | 2339 | rc = 0; |
@@ -2368,7 +2368,7 @@ int security_set_bools(int len, int *values) | |||
2368 | audit_log(current->audit_context, GFP_ATOMIC, | 2368 | audit_log(current->audit_context, GFP_ATOMIC, |
2369 | AUDIT_MAC_CONFIG_CHANGE, | 2369 | AUDIT_MAC_CONFIG_CHANGE, |
2370 | "bool=%s val=%d old_val=%d auid=%u ses=%u", | 2370 | "bool=%s val=%d old_val=%d auid=%u ses=%u", |
2371 | policydb.p_bool_val_to_name[i], | 2371 | sym_name(&policydb, SYM_BOOLS, i), |
2372 | !!values[i], | 2372 | !!values[i], |
2373 | policydb.bool_val_to_struct[i]->state, | 2373 | policydb.bool_val_to_struct[i]->state, |
2374 | audit_get_loginuid(current), | 2374 | audit_get_loginuid(current), |
@@ -3132,7 +3132,7 @@ int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr) | |||
3132 | goto out; | 3132 | goto out; |
3133 | 3133 | ||
3134 | rc = -ENOMEM; | 3134 | rc = -ENOMEM; |
3135 | secattr->domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1], | 3135 | secattr->domain = kstrdup(sym_name(&policydb, SYM_TYPES, ctx->type - 1), |
3136 | GFP_ATOMIC); | 3136 | GFP_ATOMIC); |
3137 | if (secattr->domain == NULL) | 3137 | if (secattr->domain == NULL) |
3138 | goto out; | 3138 | goto out; |
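Review bot: context_struct_to_string() at new lines 1015–1017 and 1033–1038 now calls sym_name() six times for three names and takes strlen() of each twice, where the old code was a direct array index; each call is now a flex_array part lookup, and the arithmetic that keeps the unbounded sprintf() at 1032 inside the buffer sized at 1015–1017 is duplicated in two places that must stay in step. Fetch each name once after the block that ends at 1012 and derive both the size and the pointer advance from a single length, as below; the function starts before the hunk, so the new locals belong with its existing declarations. The same double lookup exists in mls_compute_context_len()/mls_sid_to_context() in mls.c but is pre-existing in shape there.
```c
	/* … unchanged: prologue (declare char *user_name, *role_name, *type_name and size_t names_len with the other locals) … */
	user_name = sym_name(&policydb, SYM_USERS, context->user - 1);
	role_name = sym_name(&policydb, SYM_ROLES, context->role - 1);
	type_name = sym_name(&policydb, SYM_TYPES, context->type - 1);
	/* "user:role:type" without the trailing separator */
	names_len = strlen(user_name) + 1 + strlen(role_name) + 1 + strlen(type_name);

	/* Compute the size of the context. */
	*scontext_len += names_len + 1;
	*scontext_len += mls_compute_context_len(context);
	/* … unchanged: !scontext early return and buffer allocation … */
	sprintf(scontextp, "%s:%s:%s", user_name, role_name, type_name);
	scontextp += names_len;
```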