2 * Implementation of the policy database.
4 * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
8 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
10 * Support for enhanced MLS infrastructure.
12 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
14 * Added conditional policy language extensions
16 * Updated: Hewlett-Packard <paul.moore@hp.com>
18 * Added support for the policy capability bitmap
20 * Copyright (C) 2007 Hewlett-Packard Development Company, L.P.
21 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
22 * Copyright (C) 2003 - 2004 Tresys Technology, LLC
23 * This program is free software; you can redistribute it and/or modify
24 * it under the terms of the GNU General Public License as published by
25 * the Free Software Foundation, version 2.
28 #include <linux/kernel.h>
29 #include <linux/sched.h>
30 #include <linux/slab.h>
31 #include <linux/string.h>
32 #include <linux/errno.h>
33 #include <linux/audit.h>
37 #include "conditional.h"
43 static const char *symtab_name
[SYM_NUM
] = {
55 static unsigned int symtab_sizes
[SYM_NUM
] = {
66 struct policydb_compat_info
{
72 /* These need to be updated if SYM_NUM or OCON_NUM changes */
73 static struct policydb_compat_info policydb_compat
[] = {
75 .version
= POLICYDB_VERSION_BASE
,
76 .sym_num
= SYM_NUM
- 3,
77 .ocon_num
= OCON_NUM
- 1,
80 .version
= POLICYDB_VERSION_BOOL
,
81 .sym_num
= SYM_NUM
- 2,
82 .ocon_num
= OCON_NUM
- 1,
85 .version
= POLICYDB_VERSION_IPV6
,
86 .sym_num
= SYM_NUM
- 2,
90 .version
= POLICYDB_VERSION_NLCLASS
,
91 .sym_num
= SYM_NUM
- 2,
95 .version
= POLICYDB_VERSION_MLS
,
100 .version
= POLICYDB_VERSION_AVTAB
,
102 .ocon_num
= OCON_NUM
,
105 .version
= POLICYDB_VERSION_RANGETRANS
,
107 .ocon_num
= OCON_NUM
,
110 .version
= POLICYDB_VERSION_POLCAP
,
112 .ocon_num
= OCON_NUM
,
115 .version
= POLICYDB_VERSION_PERMISSIVE
,
117 .ocon_num
= OCON_NUM
,
120 .version
= POLICYDB_VERSION_BOUNDARY
,
122 .ocon_num
= OCON_NUM
,
126 static struct policydb_compat_info
*policydb_lookup_compat(int version
)
129 struct policydb_compat_info
*info
= NULL
;
131 for (i
= 0; i
< ARRAY_SIZE(policydb_compat
); i
++) {
132 if (policydb_compat
[i
].version
== version
) {
133 info
= &policydb_compat
[i
];
141 * Initialize the role table.
143 static int roles_init(struct policydb
*p
)
147 struct role_datum
*role
;
149 role
= kzalloc(sizeof(*role
), GFP_KERNEL
);
154 role
->value
= ++p
->p_roles
.nprim
;
155 if (role
->value
!= OBJECT_R_VAL
) {
159 key
= kstrdup(OBJECT_R
, GFP_KERNEL
);
164 rc
= hashtab_insert(p
->p_roles
.table
, key
, role
);
177 static u32
rangetr_hash(struct hashtab
*h
, const void *k
)
179 const struct range_trans
*key
= k
;
180 return (key
->source_type
+ (key
->target_type
<< 3) +
181 (key
->target_class
<< 5)) & (h
->size
- 1);
184 static int rangetr_cmp(struct hashtab
*h
, const void *k1
, const void *k2
)
186 const struct range_trans
*key1
= k1
, *key2
= k2
;
187 return (key1
->source_type
!= key2
->source_type
||
188 key1
->target_type
!= key2
->target_type
||
189 key1
->target_class
!= key2
->target_class
);
193 * Initialize a policy database structure.
195 static int policydb_init(struct policydb
*p
)
199 memset(p
, 0, sizeof(*p
));
201 for (i
= 0; i
< SYM_NUM
; i
++) {
202 rc
= symtab_init(&p
->symtab
[i
], symtab_sizes
[i
]);
204 goto out_free_symtab
;
207 rc
= avtab_init(&p
->te_avtab
);
209 goto out_free_symtab
;
213 goto out_free_symtab
;
215 rc
= cond_policydb_init(p
);
217 goto out_free_symtab
;
219 p
->range_tr
= hashtab_create(rangetr_hash
, rangetr_cmp
, 256);
221 goto out_free_symtab
;
223 ebitmap_init(&p
->policycaps
);
224 ebitmap_init(&p
->permissive_map
);
230 for (i
= 0; i
< SYM_NUM
; i
++)
231 hashtab_destroy(p
->symtab
[i
].table
);
236 * The following *_index functions are used to
237 * define the val_to_name and val_to_struct arrays
238 * in a policy database structure. The val_to_name
239 * arrays are used when converting security context
240 * structures into string representations. The
241 * val_to_struct arrays are used when the attributes
242 * of a class, role, or user are needed.
245 static int common_index(void *key
, void *datum
, void *datap
)
248 struct common_datum
*comdatum
;
252 if (!comdatum
->value
|| comdatum
->value
> p
->p_commons
.nprim
)
254 p
->p_common_val_to_name
[comdatum
->value
- 1] = key
;
258 static int class_index(void *key
, void *datum
, void *datap
)
261 struct class_datum
*cladatum
;
265 if (!cladatum
->value
|| cladatum
->value
> p
->p_classes
.nprim
)
267 p
->p_class_val_to_name
[cladatum
->value
- 1] = key
;
268 p
->class_val_to_struct
[cladatum
->value
- 1] = cladatum
;
272 static int role_index(void *key
, void *datum
, void *datap
)
275 struct role_datum
*role
;
280 || role
->value
> p
->p_roles
.nprim
281 || role
->bounds
> p
->p_roles
.nprim
)
283 p
->p_role_val_to_name
[role
->value
- 1] = key
;
284 p
->role_val_to_struct
[role
->value
- 1] = role
;
288 static int type_index(void *key
, void *datum
, void *datap
)
291 struct type_datum
*typdatum
;
296 if (typdatum
->primary
) {
298 || typdatum
->value
> p
->p_types
.nprim
299 || typdatum
->bounds
> p
->p_types
.nprim
)
301 p
->p_type_val_to_name
[typdatum
->value
- 1] = key
;
302 p
->type_val_to_struct
[typdatum
->value
- 1] = typdatum
;
308 static int user_index(void *key
, void *datum
, void *datap
)
311 struct user_datum
*usrdatum
;
316 || usrdatum
->value
> p
->p_users
.nprim
317 || usrdatum
->bounds
> p
->p_users
.nprim
)
319 p
->p_user_val_to_name
[usrdatum
->value
- 1] = key
;
320 p
->user_val_to_struct
[usrdatum
->value
- 1] = usrdatum
;
324 static int sens_index(void *key
, void *datum
, void *datap
)
327 struct level_datum
*levdatum
;
332 if (!levdatum
->isalias
) {
333 if (!levdatum
->level
->sens
||
334 levdatum
->level
->sens
> p
->p_levels
.nprim
)
336 p
->p_sens_val_to_name
[levdatum
->level
->sens
- 1] = key
;
342 static int cat_index(void *key
, void *datum
, void *datap
)
345 struct cat_datum
*catdatum
;
350 if (!catdatum
->isalias
) {
351 if (!catdatum
->value
|| catdatum
->value
> p
->p_cats
.nprim
)
353 p
->p_cat_val_to_name
[catdatum
->value
- 1] = key
;
359 static int (*index_f
[SYM_NUM
]) (void *key
, void *datum
, void *datap
) =
372 * Define the common val_to_name array and the class
373 * val_to_name and val_to_struct arrays in a policy
374 * database structure.
376 * Caller must clean up upon failure.
378 static int policydb_index_classes(struct policydb
*p
)
382 p
->p_common_val_to_name
=
383 kmalloc(p
->p_commons
.nprim
* sizeof(char *), GFP_KERNEL
);
384 if (!p
->p_common_val_to_name
) {
389 rc
= hashtab_map(p
->p_commons
.table
, common_index
, p
);
393 p
->class_val_to_struct
=
394 kmalloc(p
->p_classes
.nprim
* sizeof(*(p
->class_val_to_struct
)), GFP_KERNEL
);
395 if (!p
->class_val_to_struct
) {
400 p
->p_class_val_to_name
=
401 kmalloc(p
->p_classes
.nprim
* sizeof(char *), GFP_KERNEL
);
402 if (!p
->p_class_val_to_name
) {
407 rc
= hashtab_map(p
->p_classes
.table
, class_index
, p
);
413 static void symtab_hash_eval(struct symtab
*s
)
417 for (i
= 0; i
< SYM_NUM
; i
++) {
418 struct hashtab
*h
= s
[i
].table
;
419 struct hashtab_info info
;
421 hashtab_stat(h
, &info
);
422 printk(KERN_DEBUG
"SELinux: %s: %d entries and %d/%d buckets used, "
423 "longest chain length %d\n", symtab_name
[i
], h
->nel
,
424 info
.slots_used
, h
->size
, info
.max_chain_len
);
428 static void rangetr_hash_eval(struct hashtab
*h
)
430 struct hashtab_info info
;
432 hashtab_stat(h
, &info
);
433 printk(KERN_DEBUG
"SELinux: rangetr: %d entries and %d/%d buckets used, "
434 "longest chain length %d\n", h
->nel
,
435 info
.slots_used
, h
->size
, info
.max_chain_len
);
438 static inline void rangetr_hash_eval(struct hashtab
*h
)
444 * Define the other val_to_name and val_to_struct arrays
445 * in a policy database structure.
447 * Caller must clean up on failure.
449 static int policydb_index_others(struct policydb
*p
)
453 printk(KERN_DEBUG
"SELinux: %d users, %d roles, %d types, %d bools",
454 p
->p_users
.nprim
, p
->p_roles
.nprim
, p
->p_types
.nprim
, p
->p_bools
.nprim
);
456 printk(", %d sens, %d cats", p
->p_levels
.nprim
,
460 printk(KERN_DEBUG
"SELinux: %d classes, %d rules\n",
461 p
->p_classes
.nprim
, p
->te_avtab
.nel
);
464 avtab_hash_eval(&p
->te_avtab
, "rules");
465 symtab_hash_eval(p
->symtab
);
468 p
->role_val_to_struct
=
469 kmalloc(p
->p_roles
.nprim
* sizeof(*(p
->role_val_to_struct
)),
471 if (!p
->role_val_to_struct
) {
476 p
->user_val_to_struct
=
477 kmalloc(p
->p_users
.nprim
* sizeof(*(p
->user_val_to_struct
)),
479 if (!p
->user_val_to_struct
) {
484 p
->type_val_to_struct
=
485 kmalloc(p
->p_types
.nprim
* sizeof(*(p
->type_val_to_struct
)),
487 if (!p
->type_val_to_struct
) {
492 if (cond_init_bool_indexes(p
)) {
497 for (i
= SYM_ROLES
; i
< SYM_NUM
; i
++) {
498 p
->sym_val_to_name
[i
] =
499 kmalloc(p
->symtab
[i
].nprim
* sizeof(char *), GFP_KERNEL
);
500 if (!p
->sym_val_to_name
[i
]) {
504 rc
= hashtab_map(p
->symtab
[i
].table
, index_f
[i
], p
);
514 * The following *_destroy functions are used to
515 * free any memory allocated for each kind of
516 * symbol data in the policy database.
519 static int perm_destroy(void *key
, void *datum
, void *p
)
526 static int common_destroy(void *key
, void *datum
, void *p
)
528 struct common_datum
*comdatum
;
532 hashtab_map(comdatum
->permissions
.table
, perm_destroy
, NULL
);
533 hashtab_destroy(comdatum
->permissions
.table
);
538 static int cls_destroy(void *key
, void *datum
, void *p
)
540 struct class_datum
*cladatum
;
541 struct constraint_node
*constraint
, *ctemp
;
542 struct constraint_expr
*e
, *etmp
;
546 hashtab_map(cladatum
->permissions
.table
, perm_destroy
, NULL
);
547 hashtab_destroy(cladatum
->permissions
.table
);
548 constraint
= cladatum
->constraints
;
550 e
= constraint
->expr
;
552 ebitmap_destroy(&e
->names
);
558 constraint
= constraint
->next
;
562 constraint
= cladatum
->validatetrans
;
564 e
= constraint
->expr
;
566 ebitmap_destroy(&e
->names
);
572 constraint
= constraint
->next
;
576 kfree(cladatum
->comkey
);
581 static int role_destroy(void *key
, void *datum
, void *p
)
583 struct role_datum
*role
;
587 ebitmap_destroy(&role
->dominates
);
588 ebitmap_destroy(&role
->types
);
593 static int type_destroy(void *key
, void *datum
, void *p
)
600 static int user_destroy(void *key
, void *datum
, void *p
)
602 struct user_datum
*usrdatum
;
606 ebitmap_destroy(&usrdatum
->roles
);
607 ebitmap_destroy(&usrdatum
->range
.level
[0].cat
);
608 ebitmap_destroy(&usrdatum
->range
.level
[1].cat
);
609 ebitmap_destroy(&usrdatum
->dfltlevel
.cat
);
614 static int sens_destroy(void *key
, void *datum
, void *p
)
616 struct level_datum
*levdatum
;
620 ebitmap_destroy(&levdatum
->level
->cat
);
621 kfree(levdatum
->level
);
626 static int cat_destroy(void *key
, void *datum
, void *p
)
633 static int (*destroy_f
[SYM_NUM
]) (void *key
, void *datum
, void *datap
) =
645 static int range_tr_destroy(void *key
, void *datum
, void *p
)
647 struct mls_range
*rt
= datum
;
649 ebitmap_destroy(&rt
->level
[0].cat
);
650 ebitmap_destroy(&rt
->level
[1].cat
);
656 static void ocontext_destroy(struct ocontext
*c
, int i
)
658 context_destroy(&c
->context
[0]);
659 context_destroy(&c
->context
[1]);
660 if (i
== OCON_ISID
|| i
== OCON_FS
||
661 i
== OCON_NETIF
|| i
== OCON_FSUSE
)
667 * Free any memory allocated by a policy database structure.
669 void policydb_destroy(struct policydb
*p
)
671 struct ocontext
*c
, *ctmp
;
672 struct genfs
*g
, *gtmp
;
674 struct role_allow
*ra
, *lra
= NULL
;
675 struct role_trans
*tr
, *ltr
= NULL
;
677 for (i
= 0; i
< SYM_NUM
; i
++) {
679 hashtab_map(p
->symtab
[i
].table
, destroy_f
[i
], NULL
);
680 hashtab_destroy(p
->symtab
[i
].table
);
683 for (i
= 0; i
< SYM_NUM
; i
++)
684 kfree(p
->sym_val_to_name
[i
]);
686 kfree(p
->class_val_to_struct
);
687 kfree(p
->role_val_to_struct
);
688 kfree(p
->user_val_to_struct
);
689 kfree(p
->type_val_to_struct
);
691 avtab_destroy(&p
->te_avtab
);
693 for (i
= 0; i
< OCON_NUM
; i
++) {
699 ocontext_destroy(ctmp
, i
);
701 p
->ocontexts
[i
] = NULL
;
712 ocontext_destroy(ctmp
, OCON_FSUSE
);
720 cond_policydb_destroy(p
);
722 for (tr
= p
->role_tr
; tr
; tr
= tr
->next
) {
729 for (ra
= p
->role_allow
; ra
; ra
= ra
->next
) {
736 hashtab_map(p
->range_tr
, range_tr_destroy
, NULL
);
737 hashtab_destroy(p
->range_tr
);
739 if (p
->type_attr_map
) {
740 for (i
= 0; i
< p
->p_types
.nprim
; i
++)
741 ebitmap_destroy(&p
->type_attr_map
[i
]);
743 kfree(p
->type_attr_map
);
744 ebitmap_destroy(&p
->policycaps
);
745 ebitmap_destroy(&p
->permissive_map
);
751 * Load the initial SIDs specified in a policy database
752 * structure into a SID table.
754 int policydb_load_isids(struct policydb
*p
, struct sidtab
*s
)
756 struct ocontext
*head
, *c
;
761 printk(KERN_ERR
"SELinux: out of memory on SID table init\n");
765 head
= p
->ocontexts
[OCON_ISID
];
766 for (c
= head
; c
; c
= c
->next
) {
767 if (!c
->context
[0].user
) {
768 printk(KERN_ERR
"SELinux: SID %s was never "
769 "defined.\n", c
->u
.name
);
773 if (sidtab_insert(s
, c
->sid
[0], &c
->context
[0])) {
774 printk(KERN_ERR
"SELinux: unable to load initial "
775 "SID %s.\n", c
->u
.name
);
784 int policydb_class_isvalid(struct policydb
*p
, unsigned int class)
786 if (!class || class > p
->p_classes
.nprim
)
791 int policydb_role_isvalid(struct policydb
*p
, unsigned int role
)
793 if (!role
|| role
> p
->p_roles
.nprim
)
798 int policydb_type_isvalid(struct policydb
*p
, unsigned int type
)
800 if (!type
|| type
> p
->p_types
.nprim
)
806 * Return 1 if the fields in the security context
807 * structure `c' are valid. Return 0 otherwise.
809 int policydb_context_isvalid(struct policydb
*p
, struct context
*c
)
811 struct role_datum
*role
;
812 struct user_datum
*usrdatum
;
814 if (!c
->role
|| c
->role
> p
->p_roles
.nprim
)
817 if (!c
->user
|| c
->user
> p
->p_users
.nprim
)
820 if (!c
->type
|| c
->type
> p
->p_types
.nprim
)
823 if (c
->role
!= OBJECT_R_VAL
) {
825 * Role must be authorized for the type.
827 role
= p
->role_val_to_struct
[c
->role
- 1];
828 if (!ebitmap_get_bit(&role
->types
,
830 /* role may not be associated with type */
834 * User must be authorized for the role.
836 usrdatum
= p
->user_val_to_struct
[c
->user
- 1];
840 if (!ebitmap_get_bit(&usrdatum
->roles
,
842 /* user may not be associated with role */
846 if (!mls_context_isvalid(p
, c
))
853 * Read a MLS range structure from a policydb binary
854 * representation file.
856 static int mls_read_range_helper(struct mls_range
*r
, void *fp
)
862 rc
= next_entry(buf
, fp
, sizeof(u32
));
866 items
= le32_to_cpu(buf
[0]);
867 if (items
> ARRAY_SIZE(buf
)) {
868 printk(KERN_ERR
"SELinux: mls: range overflow\n");
872 rc
= next_entry(buf
, fp
, sizeof(u32
) * items
);
874 printk(KERN_ERR
"SELinux: mls: truncated range\n");
877 r
->level
[0].sens
= le32_to_cpu(buf
[0]);
879 r
->level
[1].sens
= le32_to_cpu(buf
[1]);
881 r
->level
[1].sens
= r
->level
[0].sens
;
883 rc
= ebitmap_read(&r
->level
[0].cat
, fp
);
885 printk(KERN_ERR
"SELinux: mls: error reading low "
890 rc
= ebitmap_read(&r
->level
[1].cat
, fp
);
892 printk(KERN_ERR
"SELinux: mls: error reading high "
897 rc
= ebitmap_cpy(&r
->level
[1].cat
, &r
->level
[0].cat
);
899 printk(KERN_ERR
"SELinux: mls: out of memory\n");
908 ebitmap_destroy(&r
->level
[0].cat
);
913 * Read and validate a security context structure
914 * from a policydb binary representation file.
916 static int context_read_and_validate(struct context
*c
,
923 rc
= next_entry(buf
, fp
, sizeof buf
);
925 printk(KERN_ERR
"SELinux: context truncated\n");
928 c
->user
= le32_to_cpu(buf
[0]);
929 c
->role
= le32_to_cpu(buf
[1]);
930 c
->type
= le32_to_cpu(buf
[2]);
931 if (p
->policyvers
>= POLICYDB_VERSION_MLS
) {
932 if (mls_read_range_helper(&c
->range
, fp
)) {
933 printk(KERN_ERR
"SELinux: error reading MLS range of "
940 if (!policydb_context_isvalid(p
, c
)) {
941 printk(KERN_ERR
"SELinux: invalid security context\n");
950 * The following *_read functions are used to
951 * read the symbol data from a policy database
952 * binary representation file.
955 static int perm_read(struct policydb
*p
, struct hashtab
*h
, void *fp
)
958 struct perm_datum
*perdatum
;
963 perdatum
= kzalloc(sizeof(*perdatum
), GFP_KERNEL
);
969 rc
= next_entry(buf
, fp
, sizeof buf
);
973 len
= le32_to_cpu(buf
[0]);
974 perdatum
->value
= le32_to_cpu(buf
[1]);
976 key
= kmalloc(len
+ 1, GFP_KERNEL
);
981 rc
= next_entry(key
, fp
, len
);
986 rc
= hashtab_insert(h
, key
, perdatum
);
992 perm_destroy(key
, perdatum
, NULL
);
996 static int common_read(struct policydb
*p
, struct hashtab
*h
, void *fp
)
999 struct common_datum
*comdatum
;
1004 comdatum
= kzalloc(sizeof(*comdatum
), GFP_KERNEL
);
1010 rc
= next_entry(buf
, fp
, sizeof buf
);
1014 len
= le32_to_cpu(buf
[0]);
1015 comdatum
->value
= le32_to_cpu(buf
[1]);
1017 rc
= symtab_init(&comdatum
->permissions
, PERM_SYMTAB_SIZE
);
1020 comdatum
->permissions
.nprim
= le32_to_cpu(buf
[2]);
1021 nel
= le32_to_cpu(buf
[3]);
1023 key
= kmalloc(len
+ 1, GFP_KERNEL
);
1028 rc
= next_entry(key
, fp
, len
);
1033 for (i
= 0; i
< nel
; i
++) {
1034 rc
= perm_read(p
, comdatum
->permissions
.table
, fp
);
1039 rc
= hashtab_insert(h
, key
, comdatum
);
1045 common_destroy(key
, comdatum
, NULL
);
1049 static int read_cons_helper(struct constraint_node
**nodep
, int ncons
,
1050 int allowxtarget
, void *fp
)
1052 struct constraint_node
*c
, *lc
;
1053 struct constraint_expr
*e
, *le
;
1056 int rc
, i
, j
, depth
;
1059 for (i
= 0; i
< ncons
; i
++) {
1060 c
= kzalloc(sizeof(*c
), GFP_KERNEL
);
1069 rc
= next_entry(buf
, fp
, (sizeof(u32
) * 2));
1072 c
->permissions
= le32_to_cpu(buf
[0]);
1073 nexpr
= le32_to_cpu(buf
[1]);
1076 for (j
= 0; j
< nexpr
; j
++) {
1077 e
= kzalloc(sizeof(*e
), GFP_KERNEL
);
1086 rc
= next_entry(buf
, fp
, (sizeof(u32
) * 3));
1089 e
->expr_type
= le32_to_cpu(buf
[0]);
1090 e
->attr
= le32_to_cpu(buf
[1]);
1091 e
->op
= le32_to_cpu(buf
[2]);
1093 switch (e
->expr_type
) {
1105 if (depth
== (CEXPR_MAXDEPTH
- 1))
1110 if (!allowxtarget
&& (e
->attr
& CEXPR_XTARGET
))
1112 if (depth
== (CEXPR_MAXDEPTH
- 1))
1115 if (ebitmap_read(&e
->names
, fp
))
1131 static int class_read(struct policydb
*p
, struct hashtab
*h
, void *fp
)
1134 struct class_datum
*cladatum
;
1136 u32 len
, len2
, ncons
, nel
;
1139 cladatum
= kzalloc(sizeof(*cladatum
), GFP_KERNEL
);
1145 rc
= next_entry(buf
, fp
, sizeof(u32
)*6);
1149 len
= le32_to_cpu(buf
[0]);
1150 len2
= le32_to_cpu(buf
[1]);
1151 cladatum
->value
= le32_to_cpu(buf
[2]);
1153 rc
= symtab_init(&cladatum
->permissions
, PERM_SYMTAB_SIZE
);
1156 cladatum
->permissions
.nprim
= le32_to_cpu(buf
[3]);
1157 nel
= le32_to_cpu(buf
[4]);
1159 ncons
= le32_to_cpu(buf
[5]);
1161 key
= kmalloc(len
+ 1, GFP_KERNEL
);
1166 rc
= next_entry(key
, fp
, len
);
1172 cladatum
->comkey
= kmalloc(len2
+ 1, GFP_KERNEL
);
1173 if (!cladatum
->comkey
) {
1177 rc
= next_entry(cladatum
->comkey
, fp
, len2
);
1180 cladatum
->comkey
[len2
] = '\0';
1182 cladatum
->comdatum
= hashtab_search(p
->p_commons
.table
,
1184 if (!cladatum
->comdatum
) {
1185 printk(KERN_ERR
"SELinux: unknown common %s\n",
1191 for (i
= 0; i
< nel
; i
++) {
1192 rc
= perm_read(p
, cladatum
->permissions
.table
, fp
);
1197 rc
= read_cons_helper(&cladatum
->constraints
, ncons
, 0, fp
);
1201 if (p
->policyvers
>= POLICYDB_VERSION_VALIDATETRANS
) {
1202 /* grab the validatetrans rules */
1203 rc
= next_entry(buf
, fp
, sizeof(u32
));
1206 ncons
= le32_to_cpu(buf
[0]);
1207 rc
= read_cons_helper(&cladatum
->validatetrans
, ncons
, 1, fp
);
1212 rc
= hashtab_insert(h
, key
, cladatum
);
1220 cls_destroy(key
, cladatum
, NULL
);
1224 static int role_read(struct policydb
*p
, struct hashtab
*h
, void *fp
)
1227 struct role_datum
*role
;
1228 int rc
, to_read
= 2;
1232 role
= kzalloc(sizeof(*role
), GFP_KERNEL
);
1238 if (p
->policyvers
>= POLICYDB_VERSION_BOUNDARY
)
1241 rc
= next_entry(buf
, fp
, sizeof(buf
[0]) * to_read
);
1245 len
= le32_to_cpu(buf
[0]);
1246 role
->value
= le32_to_cpu(buf
[1]);
1247 if (p
->policyvers
>= POLICYDB_VERSION_BOUNDARY
)
1248 role
->bounds
= le32_to_cpu(buf
[2]);
1250 key
= kmalloc(len
+ 1, GFP_KERNEL
);
1255 rc
= next_entry(key
, fp
, len
);
1260 rc
= ebitmap_read(&role
->dominates
, fp
);
1264 rc
= ebitmap_read(&role
->types
, fp
);
1268 if (strcmp(key
, OBJECT_R
) == 0) {
1269 if (role
->value
!= OBJECT_R_VAL
) {
1270 printk(KERN_ERR
"SELinux: Role %s has wrong value %d\n",
1271 OBJECT_R
, role
->value
);
1279 rc
= hashtab_insert(h
, key
, role
);
1285 role_destroy(key
, role
, NULL
);
1289 static int type_read(struct policydb
*p
, struct hashtab
*h
, void *fp
)
1292 struct type_datum
*typdatum
;
1293 int rc
, to_read
= 3;
1297 typdatum
= kzalloc(sizeof(*typdatum
), GFP_KERNEL
);
1303 if (p
->policyvers
>= POLICYDB_VERSION_BOUNDARY
)
1306 rc
= next_entry(buf
, fp
, sizeof(buf
[0]) * to_read
);
1310 len
= le32_to_cpu(buf
[0]);
1311 typdatum
->value
= le32_to_cpu(buf
[1]);
1312 if (p
->policyvers
>= POLICYDB_VERSION_BOUNDARY
) {
1313 u32 prop
= le32_to_cpu(buf
[2]);
1315 if (prop
& TYPEDATUM_PROPERTY_PRIMARY
)
1316 typdatum
->primary
= 1;
1317 if (prop
& TYPEDATUM_PROPERTY_ATTRIBUTE
)
1318 typdatum
->attribute
= 1;
1320 typdatum
->bounds
= le32_to_cpu(buf
[3]);
1322 typdatum
->primary
= le32_to_cpu(buf
[2]);
1325 key
= kmalloc(len
+ 1, GFP_KERNEL
);
1330 rc
= next_entry(key
, fp
, len
);
1335 rc
= hashtab_insert(h
, key
, typdatum
);
1341 type_destroy(key
, typdatum
, NULL
);
1347 * Read a MLS level structure from a policydb binary
1348 * representation file.
1350 static int mls_read_level(struct mls_level
*lp
, void *fp
)
1355 memset(lp
, 0, sizeof(*lp
));
1357 rc
= next_entry(buf
, fp
, sizeof buf
);
1359 printk(KERN_ERR
"SELinux: mls: truncated level\n");
1362 lp
->sens
= le32_to_cpu(buf
[0]);
1364 if (ebitmap_read(&lp
->cat
, fp
)) {
1365 printk(KERN_ERR
"SELinux: mls: error reading level "
1376 static int user_read(struct policydb
*p
, struct hashtab
*h
, void *fp
)
1379 struct user_datum
*usrdatum
;
1380 int rc
, to_read
= 2;
1384 usrdatum
= kzalloc(sizeof(*usrdatum
), GFP_KERNEL
);
1390 if (p
->policyvers
>= POLICYDB_VERSION_BOUNDARY
)
1393 rc
= next_entry(buf
, fp
, sizeof(buf
[0]) * to_read
);
1397 len
= le32_to_cpu(buf
[0]);
1398 usrdatum
->value
= le32_to_cpu(buf
[1]);
1399 if (p
->policyvers
>= POLICYDB_VERSION_BOUNDARY
)
1400 usrdatum
->bounds
= le32_to_cpu(buf
[2]);
1402 key
= kmalloc(len
+ 1, GFP_KERNEL
);
1407 rc
= next_entry(key
, fp
, len
);
1412 rc
= ebitmap_read(&usrdatum
->roles
, fp
);
1416 if (p
->policyvers
>= POLICYDB_VERSION_MLS
) {
1417 rc
= mls_read_range_helper(&usrdatum
->range
, fp
);
1420 rc
= mls_read_level(&usrdatum
->dfltlevel
, fp
);
1425 rc
= hashtab_insert(h
, key
, usrdatum
);
1431 user_destroy(key
, usrdatum
, NULL
);
1435 static int sens_read(struct policydb
*p
, struct hashtab
*h
, void *fp
)
1438 struct level_datum
*levdatum
;
1443 levdatum
= kzalloc(sizeof(*levdatum
), GFP_ATOMIC
);
1449 rc
= next_entry(buf
, fp
, sizeof buf
);
1453 len
= le32_to_cpu(buf
[0]);
1454 levdatum
->isalias
= le32_to_cpu(buf
[1]);
1456 key
= kmalloc(len
+ 1, GFP_ATOMIC
);
1461 rc
= next_entry(key
, fp
, len
);
1466 levdatum
->level
= kmalloc(sizeof(struct mls_level
), GFP_ATOMIC
);
1467 if (!levdatum
->level
) {
1471 if (mls_read_level(levdatum
->level
, fp
)) {
1476 rc
= hashtab_insert(h
, key
, levdatum
);
1482 sens_destroy(key
, levdatum
, NULL
);
1486 static int cat_read(struct policydb
*p
, struct hashtab
*h
, void *fp
)
1489 struct cat_datum
*catdatum
;
1494 catdatum
= kzalloc(sizeof(*catdatum
), GFP_ATOMIC
);
1500 rc
= next_entry(buf
, fp
, sizeof buf
);
1504 len
= le32_to_cpu(buf
[0]);
1505 catdatum
->value
= le32_to_cpu(buf
[1]);
1506 catdatum
->isalias
= le32_to_cpu(buf
[2]);
1508 key
= kmalloc(len
+ 1, GFP_ATOMIC
);
1513 rc
= next_entry(key
, fp
, len
);
1518 rc
= hashtab_insert(h
, key
, catdatum
);
1525 cat_destroy(key
, catdatum
, NULL
);
1529 static int (*read_f
[SYM_NUM
]) (struct policydb
*p
, struct hashtab
*h
, void *fp
) =
1541 static int user_bounds_sanity_check(void *key
, void *datum
, void *datap
)
1543 struct user_datum
*upper
, *user
;
1544 struct policydb
*p
= datap
;
1547 upper
= user
= datum
;
1548 while (upper
->bounds
) {
1549 struct ebitmap_node
*node
;
1552 if (++depth
== POLICYDB_BOUNDS_MAXDEPTH
) {
1553 printk(KERN_ERR
"SELinux: user %s: "
1554 "too deep or looped boundary",
1559 upper
= p
->user_val_to_struct
[upper
->bounds
- 1];
1560 ebitmap_for_each_positive_bit(&user
->roles
, node
, bit
) {
1561 if (ebitmap_get_bit(&upper
->roles
, bit
))
1565 "SELinux: boundary violated policy: "
1566 "user=%s role=%s bounds=%s\n",
1567 p
->p_user_val_to_name
[user
->value
- 1],
1568 p
->p_role_val_to_name
[bit
],
1569 p
->p_user_val_to_name
[upper
->value
- 1]);
1578 static int role_bounds_sanity_check(void *key
, void *datum
, void *datap
)
1580 struct role_datum
*upper
, *role
;
1581 struct policydb
*p
= datap
;
1584 upper
= role
= datum
;
1585 while (upper
->bounds
) {
1586 struct ebitmap_node
*node
;
1589 if (++depth
== POLICYDB_BOUNDS_MAXDEPTH
) {
1590 printk(KERN_ERR
"SELinux: role %s: "
1591 "too deep or looped bounds\n",
1596 upper
= p
->role_val_to_struct
[upper
->bounds
- 1];
1597 ebitmap_for_each_positive_bit(&role
->types
, node
, bit
) {
1598 if (ebitmap_get_bit(&upper
->types
, bit
))
1602 "SELinux: boundary violated policy: "
1603 "role=%s type=%s bounds=%s\n",
1604 p
->p_role_val_to_name
[role
->value
- 1],
1605 p
->p_type_val_to_name
[bit
],
1606 p
->p_role_val_to_name
[upper
->value
- 1]);
1615 static int type_bounds_sanity_check(void *key
, void *datum
, void *datap
)
1617 struct type_datum
*upper
, *type
;
1618 struct policydb
*p
= datap
;
1621 upper
= type
= datum
;
1622 while (upper
->bounds
) {
1623 if (++depth
== POLICYDB_BOUNDS_MAXDEPTH
) {
1624 printk(KERN_ERR
"SELinux: type %s: "
1625 "too deep or looped boundary\n",
1630 upper
= p
->type_val_to_struct
[upper
->bounds
- 1];
1631 if (upper
->attribute
) {
1632 printk(KERN_ERR
"SELinux: type %s: "
1633 "bounded by attribute %s",
1635 p
->p_type_val_to_name
[upper
->value
- 1]);
1643 static int policydb_bounds_sanity_check(struct policydb
*p
)
1647 if (p
->policyvers
< POLICYDB_VERSION_BOUNDARY
)
1650 rc
= hashtab_map(p
->p_users
.table
,
1651 user_bounds_sanity_check
, p
);
1655 rc
= hashtab_map(p
->p_roles
.table
,
1656 role_bounds_sanity_check
, p
);
1660 rc
= hashtab_map(p
->p_types
.table
,
1661 type_bounds_sanity_check
, p
);
1668 extern int ss_initialized
;
1670 u16
string_to_security_class(struct policydb
*p
, const char *name
)
1672 struct class_datum
*cladatum
;
1674 cladatum
= hashtab_search(p
->p_classes
.table
, name
);
1678 return cladatum
->value
;
1681 u32
string_to_av_perm(struct policydb
*p
, u16 tclass
, const char *name
)
1683 struct class_datum
*cladatum
;
1684 struct perm_datum
*perdatum
= NULL
;
1685 struct common_datum
*comdatum
;
1687 if (!tclass
|| tclass
> p
->p_classes
.nprim
)
1690 cladatum
= p
->class_val_to_struct
[tclass
-1];
1691 comdatum
= cladatum
->comdatum
;
1693 perdatum
= hashtab_search(comdatum
->permissions
.table
,
1696 perdatum
= hashtab_search(cladatum
->permissions
.table
,
1701 return 1U << (perdatum
->value
-1);
1704 static int range_read(struct policydb
*p
, void *fp
)
1706 struct range_trans
*rt
= NULL
;
1707 struct mls_range
*r
= NULL
;
1712 if (p
->policyvers
< POLICYDB_VERSION_MLS
)
1715 rc
= next_entry(buf
, fp
, sizeof(u32
));
1719 nel
= le32_to_cpu(buf
[0]);
1720 for (i
= 0; i
< nel
; i
++) {
1722 rt
= kzalloc(sizeof(*rt
), GFP_KERNEL
);
1726 rc
= next_entry(buf
, fp
, (sizeof(u32
) * 2));
1730 rt
->source_type
= le32_to_cpu(buf
[0]);
1731 rt
->target_type
= le32_to_cpu(buf
[1]);
1732 if (p
->policyvers
>= POLICYDB_VERSION_RANGETRANS
) {
1733 rc
= next_entry(buf
, fp
, sizeof(u32
));
1736 rt
->target_class
= le32_to_cpu(buf
[0]);
1738 rt
->target_class
= p
->process_class
;
1741 if (!policydb_type_isvalid(p
, rt
->source_type
) ||
1742 !policydb_type_isvalid(p
, rt
->target_type
) ||
1743 !policydb_class_isvalid(p
, rt
->target_class
))
1747 r
= kzalloc(sizeof(*r
), GFP_KERNEL
);
1751 rc
= mls_read_range_helper(r
, fp
);
1756 if (!mls_range_isvalid(p
, r
)) {
1757 printk(KERN_WARNING
"SELinux: rangetrans: invalid range\n");
1761 rc
= hashtab_insert(p
->range_tr
, rt
, r
);
1768 rangetr_hash_eval(p
->range_tr
);
1777 * Read the configuration data from a policy database binary
1778 * representation file into a policy database structure.
1780 int policydb_read(struct policydb
*p
, void *fp
)
1782 struct role_allow
*ra
, *lra
;
1783 struct role_trans
*tr
, *ltr
;
1784 struct ocontext
*l
, *c
, *newc
;
1785 struct genfs
*genfs_p
, *genfs
, *newgenfs
;
1789 u32 len
, len2
, nprim
, nel
, nel2
;
1791 struct policydb_compat_info
*info
;
1793 rc
= policydb_init(p
);
1797 /* Read the magic number and string length. */
1798 rc
= next_entry(buf
, fp
, sizeof(u32
) * 2);
1802 if (le32_to_cpu(buf
[0]) != POLICYDB_MAGIC
) {
1803 printk(KERN_ERR
"SELinux: policydb magic number 0x%x does "
1804 "not match expected magic number 0x%x\n",
1805 le32_to_cpu(buf
[0]), POLICYDB_MAGIC
);
1809 len
= le32_to_cpu(buf
[1]);
1810 if (len
!= strlen(POLICYDB_STRING
)) {
1811 printk(KERN_ERR
"SELinux: policydb string length %d does not "
1812 "match expected length %Zu\n",
1813 len
, strlen(POLICYDB_STRING
));
1816 policydb_str
= kmalloc(len
+ 1, GFP_KERNEL
);
1817 if (!policydb_str
) {
1818 printk(KERN_ERR
"SELinux: unable to allocate memory for policydb "
1819 "string of length %d\n", len
);
1823 rc
= next_entry(policydb_str
, fp
, len
);
1825 printk(KERN_ERR
"SELinux: truncated policydb string identifier\n");
1826 kfree(policydb_str
);
1829 policydb_str
[len
] = '\0';
1830 if (strcmp(policydb_str
, POLICYDB_STRING
)) {
1831 printk(KERN_ERR
"SELinux: policydb string %s does not match "
1832 "my string %s\n", policydb_str
, POLICYDB_STRING
);
1833 kfree(policydb_str
);
1836 /* Done with policydb_str. */
1837 kfree(policydb_str
);
1838 policydb_str
= NULL
;
1840 /* Read the version and table sizes. */
1841 rc
= next_entry(buf
, fp
, sizeof(u32
)*4);
1845 p
->policyvers
= le32_to_cpu(buf
[0]);
1846 if (p
->policyvers
< POLICYDB_VERSION_MIN
||
1847 p
->policyvers
> POLICYDB_VERSION_MAX
) {
1848 printk(KERN_ERR
"SELinux: policydb version %d does not match "
1849 "my version range %d-%d\n",
1850 le32_to_cpu(buf
[0]), POLICYDB_VERSION_MIN
, POLICYDB_VERSION_MAX
);
1854 if ((le32_to_cpu(buf
[1]) & POLICYDB_CONFIG_MLS
)) {
1857 if (p
->policyvers
< POLICYDB_VERSION_MLS
) {
1858 printk(KERN_ERR
"SELinux: security policydb version %d "
1859 "(MLS) not backwards compatible\n",
1864 p
->reject_unknown
= !!(le32_to_cpu(buf
[1]) & REJECT_UNKNOWN
);
1865 p
->allow_unknown
= !!(le32_to_cpu(buf
[1]) & ALLOW_UNKNOWN
);
1867 if (p
->policyvers
>= POLICYDB_VERSION_POLCAP
&&
1868 ebitmap_read(&p
->policycaps
, fp
) != 0)
1871 if (p
->policyvers
>= POLICYDB_VERSION_PERMISSIVE
&&
1872 ebitmap_read(&p
->permissive_map
, fp
) != 0)
1875 info
= policydb_lookup_compat(p
->policyvers
);
1877 printk(KERN_ERR
"SELinux: unable to find policy compat info "
1878 "for version %d\n", p
->policyvers
);
1882 if (le32_to_cpu(buf
[2]) != info
->sym_num
||
1883 le32_to_cpu(buf
[3]) != info
->ocon_num
) {
1884 printk(KERN_ERR
"SELinux: policydb table sizes (%d,%d) do "
1885 "not match mine (%d,%d)\n", le32_to_cpu(buf
[2]),
1886 le32_to_cpu(buf
[3]),
1887 info
->sym_num
, info
->ocon_num
);
1891 for (i
= 0; i
< info
->sym_num
; i
++) {
1892 rc
= next_entry(buf
, fp
, sizeof(u32
)*2);
1895 nprim
= le32_to_cpu(buf
[0]);
1896 nel
= le32_to_cpu(buf
[1]);
1897 for (j
= 0; j
< nel
; j
++) {
1898 rc
= read_f
[i
](p
, p
->symtab
[i
].table
, fp
);
1903 p
->symtab
[i
].nprim
= nprim
;
1906 rc
= avtab_read(&p
->te_avtab
, fp
, p
);
1910 if (p
->policyvers
>= POLICYDB_VERSION_BOOL
) {
1911 rc
= cond_read_list(p
, fp
);
1916 rc
= next_entry(buf
, fp
, sizeof(u32
));
1919 nel
= le32_to_cpu(buf
[0]);
1921 for (i
= 0; i
< nel
; i
++) {
1922 tr
= kzalloc(sizeof(*tr
), GFP_KERNEL
);
1931 rc
= next_entry(buf
, fp
, sizeof(u32
)*3);
1934 tr
->role
= le32_to_cpu(buf
[0]);
1935 tr
->type
= le32_to_cpu(buf
[1]);
1936 tr
->new_role
= le32_to_cpu(buf
[2]);
1937 if (!policydb_role_isvalid(p
, tr
->role
) ||
1938 !policydb_type_isvalid(p
, tr
->type
) ||
1939 !policydb_role_isvalid(p
, tr
->new_role
)) {
1946 rc
= next_entry(buf
, fp
, sizeof(u32
));
1949 nel
= le32_to_cpu(buf
[0]);
1951 for (i
= 0; i
< nel
; i
++) {
1952 ra
= kzalloc(sizeof(*ra
), GFP_KERNEL
);
1961 rc
= next_entry(buf
, fp
, sizeof(u32
)*2);
1964 ra
->role
= le32_to_cpu(buf
[0]);
1965 ra
->new_role
= le32_to_cpu(buf
[1]);
1966 if (!policydb_role_isvalid(p
, ra
->role
) ||
1967 !policydb_role_isvalid(p
, ra
->new_role
)) {
1974 rc
= policydb_index_classes(p
);
1978 rc
= policydb_index_others(p
);
1982 p
->process_class
= string_to_security_class(p
, "process");
1983 if (!p
->process_class
)
1985 p
->process_trans_perms
= string_to_av_perm(p
, p
->process_class
,
1987 p
->process_trans_perms
|= string_to_av_perm(p
, p
->process_class
,
1989 if (!p
->process_trans_perms
)
1992 for (i
= 0; i
< info
->ocon_num
; i
++) {
1993 rc
= next_entry(buf
, fp
, sizeof(u32
));
1996 nel
= le32_to_cpu(buf
[0]);
1998 for (j
= 0; j
< nel
; j
++) {
1999 c
= kzalloc(sizeof(*c
), GFP_KERNEL
);
2007 p
->ocontexts
[i
] = c
;
2012 rc
= next_entry(buf
, fp
, sizeof(u32
));
2015 c
->sid
[0] = le32_to_cpu(buf
[0]);
2016 rc
= context_read_and_validate(&c
->context
[0], p
, fp
);
2022 rc
= next_entry(buf
, fp
, sizeof(u32
));
2025 len
= le32_to_cpu(buf
[0]);
2026 c
->u
.name
= kmalloc(len
+ 1, GFP_KERNEL
);
2031 rc
= next_entry(c
->u
.name
, fp
, len
);
2035 rc
= context_read_and_validate(&c
->context
[0], p
, fp
);
2038 rc
= context_read_and_validate(&c
->context
[1], p
, fp
);
2043 rc
= next_entry(buf
, fp
, sizeof(u32
)*3);
2046 c
->u
.port
.protocol
= le32_to_cpu(buf
[0]);
2047 c
->u
.port
.low_port
= le32_to_cpu(buf
[1]);
2048 c
->u
.port
.high_port
= le32_to_cpu(buf
[2]);
2049 rc
= context_read_and_validate(&c
->context
[0], p
, fp
);
2054 rc
= next_entry(nodebuf
, fp
, sizeof(u32
) * 2);
2057 c
->u
.node
.addr
= nodebuf
[0]; /* network order */
2058 c
->u
.node
.mask
= nodebuf
[1]; /* network order */
2059 rc
= context_read_and_validate(&c
->context
[0], p
, fp
);
2064 rc
= next_entry(buf
, fp
, sizeof(u32
)*2);
2067 c
->v
.behavior
= le32_to_cpu(buf
[0]);
2068 if (c
->v
.behavior
> SECURITY_FS_USE_NONE
)
2070 len
= le32_to_cpu(buf
[1]);
2071 c
->u
.name
= kmalloc(len
+ 1, GFP_KERNEL
);
2076 rc
= next_entry(c
->u
.name
, fp
, len
);
2080 rc
= context_read_and_validate(&c
->context
[0], p
, fp
);
2087 rc
= next_entry(nodebuf
, fp
, sizeof(u32
) * 8);
2090 for (k
= 0; k
< 4; k
++)
2091 c
->u
.node6
.addr
[k
] = nodebuf
[k
];
2092 for (k
= 0; k
< 4; k
++)
2093 c
->u
.node6
.mask
[k
] = nodebuf
[k
+4];
2094 if (context_read_and_validate(&c
->context
[0], p
, fp
))
2102 rc
= next_entry(buf
, fp
, sizeof(u32
));
2105 nel
= le32_to_cpu(buf
[0]);
2108 for (i
= 0; i
< nel
; i
++) {
2109 rc
= next_entry(buf
, fp
, sizeof(u32
));
2112 len
= le32_to_cpu(buf
[0]);
2113 newgenfs
= kzalloc(sizeof(*newgenfs
), GFP_KERNEL
);
2119 newgenfs
->fstype
= kmalloc(len
+ 1, GFP_KERNEL
);
2120 if (!newgenfs
->fstype
) {
2125 rc
= next_entry(newgenfs
->fstype
, fp
, len
);
2127 kfree(newgenfs
->fstype
);
2131 newgenfs
->fstype
[len
] = 0;
2132 for (genfs_p
= NULL
, genfs
= p
->genfs
; genfs
;
2133 genfs_p
= genfs
, genfs
= genfs
->next
) {
2134 if (strcmp(newgenfs
->fstype
, genfs
->fstype
) == 0) {
2135 printk(KERN_ERR
"SELinux: dup genfs "
2136 "fstype %s\n", newgenfs
->fstype
);
2137 kfree(newgenfs
->fstype
);
2141 if (strcmp(newgenfs
->fstype
, genfs
->fstype
) < 0)
2144 newgenfs
->next
= genfs
;
2146 genfs_p
->next
= newgenfs
;
2148 p
->genfs
= newgenfs
;
2149 rc
= next_entry(buf
, fp
, sizeof(u32
));
2152 nel2
= le32_to_cpu(buf
[0]);
2153 for (j
= 0; j
< nel2
; j
++) {
2154 rc
= next_entry(buf
, fp
, sizeof(u32
));
2157 len
= le32_to_cpu(buf
[0]);
2159 newc
= kzalloc(sizeof(*newc
), GFP_KERNEL
);
2165 newc
->u
.name
= kmalloc(len
+ 1, GFP_KERNEL
);
2166 if (!newc
->u
.name
) {
2170 rc
= next_entry(newc
->u
.name
, fp
, len
);
2173 newc
->u
.name
[len
] = 0;
2174 rc
= next_entry(buf
, fp
, sizeof(u32
));
2177 newc
->v
.sclass
= le32_to_cpu(buf
[0]);
2178 if (context_read_and_validate(&newc
->context
[0], p
, fp
))
2180 for (l
= NULL
, c
= newgenfs
->head
; c
;
2181 l
= c
, c
= c
->next
) {
2182 if (!strcmp(newc
->u
.name
, c
->u
.name
) &&
2183 (!c
->v
.sclass
|| !newc
->v
.sclass
||
2184 newc
->v
.sclass
== c
->v
.sclass
)) {
2185 printk(KERN_ERR
"SELinux: dup genfs "
2187 newgenfs
->fstype
, c
->u
.name
);
2190 len
= strlen(newc
->u
.name
);
2191 len2
= strlen(c
->u
.name
);
2200 newgenfs
->head
= newc
;
2204 rc
= range_read(p
, fp
);
2208 p
->type_attr_map
= kmalloc(p
->p_types
.nprim
* sizeof(struct ebitmap
), GFP_KERNEL
);
2209 if (!p
->type_attr_map
)
2212 for (i
= 0; i
< p
->p_types
.nprim
; i
++) {
2213 ebitmap_init(&p
->type_attr_map
[i
]);
2214 if (p
->policyvers
>= POLICYDB_VERSION_AVTAB
) {
2215 if (ebitmap_read(&p
->type_attr_map
[i
], fp
))
2218 /* add the type itself as the degenerate case */
2219 if (ebitmap_set_bit(&p
->type_attr_map
[i
], i
, 1))
2223 rc
= policydb_bounds_sanity_check(p
);
2231 ocontext_destroy(newc
, OCON_FSUSE
);
2235 policydb_destroy(p
);