aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
Diffstat (limited to 'security')
-rw-r--r--security/selinux/ss/conditional.c59
1 files changed, 26 insertions, 33 deletions
diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
index a996cf1d378a..5691af498c40 100644
--- a/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@ -1,9 +1,9 @@
1/* Authors: Karl MacMillan <kmacmillan@tresys.com> 1/* Authors: Karl MacMillan <kmacmillan@tresys.com>
2 * Frank Mayer <mayerf@tresys.com> 2 * Frank Mayer <mayerf@tresys.com>
3 * 3 *
4 * Copyright (C) 2003 - 2004 Tresys Technology, LLC 4 * Copyright (C) 2003 - 2004 Tresys Technology, LLC
5 * This program is free software; you can redistribute it and/or modify 5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by 6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation, version 2. 7 * the Free Software Foundation, version 2.
8 */ 8 */
9 9
@@ -90,7 +90,7 @@ static int cond_evaluate_expr(struct policydb *p, struct cond_expr *expr)
90int evaluate_cond_node(struct policydb *p, struct cond_node *node) 90int evaluate_cond_node(struct policydb *p, struct cond_node *node)
91{ 91{
92 int new_state; 92 int new_state;
93 struct cond_av_list* cur; 93 struct cond_av_list *cur;
94 94
95 new_state = cond_evaluate_expr(p, node->expr); 95 new_state = cond_evaluate_expr(p, node->expr);
96 if (new_state != node->cur_state) { 96 if (new_state != node->cur_state) {
@@ -99,20 +99,18 @@ int evaluate_cond_node(struct policydb *p, struct cond_node *node)
99 printk(KERN_ERR "SELinux: expression result was undefined - disabling all rules.\n"); 99 printk(KERN_ERR "SELinux: expression result was undefined - disabling all rules.\n");
100 /* turn the rules on or off */ 100 /* turn the rules on or off */
101 for (cur = node->true_list; cur != NULL; cur = cur->next) { 101 for (cur = node->true_list; cur != NULL; cur = cur->next) {
102 if (new_state <= 0) { 102 if (new_state <= 0)
103 cur->node->key.specified &= ~AVTAB_ENABLED; 103 cur->node->key.specified &= ~AVTAB_ENABLED;
104 } else { 104 else
105 cur->node->key.specified |= AVTAB_ENABLED; 105 cur->node->key.specified |= AVTAB_ENABLED;
106 }
107 } 106 }
108 107
109 for (cur = node->false_list; cur != NULL; cur = cur->next) { 108 for (cur = node->false_list; cur != NULL; cur = cur->next) {
110 /* -1 or 1 */ 109 /* -1 or 1 */
111 if (new_state) { 110 if (new_state)
112 cur->node->key.specified &= ~AVTAB_ENABLED; 111 cur->node->key.specified &= ~AVTAB_ENABLED;
113 } else { 112 else
114 cur->node->key.specified |= AVTAB_ENABLED; 113 cur->node->key.specified |= AVTAB_ENABLED;
115 }
116 } 114 }
117 } 115 }
118 return 0; 116 return 0;
@@ -174,8 +172,8 @@ void cond_policydb_destroy(struct policydb *p)
174int cond_init_bool_indexes(struct policydb *p) 172int cond_init_bool_indexes(struct policydb *p)
175{ 173{
176 kfree(p->bool_val_to_struct); 174 kfree(p->bool_val_to_struct);
177 p->bool_val_to_struct = (struct cond_bool_datum**) 175 p->bool_val_to_struct = (struct cond_bool_datum **)
178 kmalloc(p->p_bools.nprim * sizeof(struct cond_bool_datum*), GFP_KERNEL); 176 kmalloc(p->p_bools.nprim * sizeof(struct cond_bool_datum *), GFP_KERNEL);
179 if (!p->bool_val_to_struct) 177 if (!p->bool_val_to_struct)
180 return -1; 178 return -1;
181 return 0; 179 return 0;
@@ -200,7 +198,7 @@ int cond_index_bool(void *key, void *datum, void *datap)
200 return -EINVAL; 198 return -EINVAL;
201 199
202 p->p_bool_val_to_name[booldatum->value - 1] = key; 200 p->p_bool_val_to_name[booldatum->value - 1] = key;
203 p->bool_val_to_struct[booldatum->value -1] = booldatum; 201 p->bool_val_to_struct[booldatum->value - 1] = booldatum;
204 202
205 return 0; 203 return 0;
206} 204}
@@ -252,8 +250,7 @@ err:
252 return -1; 250 return -1;
253} 251}
254 252
255struct cond_insertf_data 253struct cond_insertf_data {
256{
257 struct policydb *p; 254 struct policydb *p;
258 struct cond_av_list *other; 255 struct cond_av_list *other;
259 struct cond_av_list *head; 256 struct cond_av_list *head;
@@ -353,9 +350,8 @@ static int cond_read_av_list(struct policydb *p, void *fp, struct cond_av_list *
353 return -1; 350 return -1;
354 351
355 len = le32_to_cpu(buf[0]); 352 len = le32_to_cpu(buf[0]);
356 if (len == 0) { 353 if (len == 0)
357 return 0; 354 return 0;
358 }
359 355
360 data.p = p; 356 data.p = p;
361 data.other = other; 357 data.other = other;
@@ -408,15 +404,14 @@ static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp)
408 /* expr */ 404 /* expr */
409 len = le32_to_cpu(buf[0]); 405 len = le32_to_cpu(buf[0]);
410 406
411 for (i = 0; i < len; i++ ) { 407 for (i = 0; i < len; i++) {
412 rc = next_entry(buf, fp, sizeof(u32) * 2); 408 rc = next_entry(buf, fp, sizeof(u32) * 2);
413 if (rc < 0) 409 if (rc < 0)
414 goto err; 410 goto err;
415 411
416 expr = kzalloc(sizeof(struct cond_expr), GFP_KERNEL); 412 expr = kzalloc(sizeof(struct cond_expr), GFP_KERNEL);
417 if (!expr) { 413 if (!expr)
418 goto err; 414 goto err;
419 }
420 415
421 expr->expr_type = le32_to_cpu(buf[0]); 416 expr->expr_type = le32_to_cpu(buf[0]);
422 expr->bool = le32_to_cpu(buf[1]); 417 expr->bool = le32_to_cpu(buf[1]);
@@ -426,11 +421,10 @@ static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp)
426 goto err; 421 goto err;
427 } 422 }
428 423
429 if (i == 0) { 424 if (i == 0)
430 node->expr = expr; 425 node->expr = expr;
431 } else { 426 else
432 last->next = expr; 427 last->next = expr;
433 }
434 last = expr; 428 last = expr;
435 } 429 }
436 430
@@ -469,11 +463,10 @@ int cond_read_list(struct policydb *p, void *fp)
469 if (cond_read_node(p, node, fp) != 0) 463 if (cond_read_node(p, node, fp) != 0)
470 goto err; 464 goto err;
471 465
472 if (i == 0) { 466 if (i == 0)
473 p->cond_list = node; 467 p->cond_list = node;
474 } else { 468 else
475 last->next = node; 469 last->next = node;
476 }
477 last = node; 470 last = node;
478 } 471 }
479 return 0; 472 return 0;
@@ -490,24 +483,24 @@ void cond_compute_av(struct avtab *ctab, struct avtab_key *key, struct av_decisi
490{ 483{
491 struct avtab_node *node; 484 struct avtab_node *node;
492 485
493 if(!ctab || !key || !avd) 486 if (!ctab || !key || !avd)
494 return; 487 return;
495 488
496 for(node = avtab_search_node(ctab, key); node != NULL; 489 for (node = avtab_search_node(ctab, key); node != NULL;
497 node = avtab_search_node_next(node, key->specified)) { 490 node = avtab_search_node_next(node, key->specified)) {
498 if ( (u16) (AVTAB_ALLOWED|AVTAB_ENABLED) == 491 if ((u16)(AVTAB_ALLOWED|AVTAB_ENABLED) ==
499 (node->key.specified & (AVTAB_ALLOWED|AVTAB_ENABLED))) 492 (node->key.specified & (AVTAB_ALLOWED|AVTAB_ENABLED)))
500 avd->allowed |= node->datum.data; 493 avd->allowed |= node->datum.data;
501 if ( (u16) (AVTAB_AUDITDENY|AVTAB_ENABLED) == 494 if ((u16)(AVTAB_AUDITDENY|AVTAB_ENABLED) ==
502 (node->key.specified & (AVTAB_AUDITDENY|AVTAB_ENABLED))) 495 (node->key.specified & (AVTAB_AUDITDENY|AVTAB_ENABLED)))
503 /* Since a '0' in an auditdeny mask represents a 496 /* Since a '0' in an auditdeny mask represents a
504 * permission we do NOT want to audit (dontaudit), we use 497 * permission we do NOT want to audit (dontaudit), we use
505 * the '&' operand to ensure that all '0's in the mask 498 * the '&' operand to ensure that all '0's in the mask
506 * are retained (much unlike the allow and auditallow cases). 499 * are retained (much unlike the allow and auditallow cases).
507 */ 500 */
508 avd->auditdeny &= node->datum.data; 501 avd->auditdeny &= node->datum.data;
509 if ( (u16) (AVTAB_AUDITALLOW|AVTAB_ENABLED) == 502 if ((u16)(AVTAB_AUDITALLOW|AVTAB_ENABLED) ==
510 (node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED))) 503 (node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED)))
511 avd->auditallow |= node->datum.data; 504 avd->auditallow |= node->datum.data;
512 } 505 }
513 return; 506 return;
generated by cgit v1.2.2 (git 2.25.0) at 2024-11-27 14:48:06 -0500