linux/security/selinux/ss/policydb.c
<<
>>
Prefs
   1/*
   2 * Implementation of the policy database.
   3 *
   4 * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
   5 */
   6
   7/*
   8 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
   9 *
  10 *      Support for enhanced MLS infrastructure.
  11 *
  12 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
  13 *
  14 *      Added conditional policy language extensions
  15 *
  16 * Updated: Hewlett-Packard <paul.moore@hp.com>
  17 *
  18 *      Added support for the policy capability bitmap
  19 *
  20 * Copyright (C) 2007 Hewlett-Packard Development Company, L.P.
  21 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
  22 * Copyright (C) 2003 - 2004 Tresys Technology, LLC
  23 *      This program is free software; you can redistribute it and/or modify
  24 *      it under the terms of the GNU General Public License as published by
  25 *      the Free Software Foundation, version 2.
  26 */
  27
  28#include <linux/kernel.h>
  29#include <linux/sched.h>
  30#include <linux/slab.h>
  31#include <linux/string.h>
  32#include <linux/errno.h>
  33#include <linux/audit.h>
  34#include "security.h"
  35
  36#include "policydb.h"
  37#include "conditional.h"
  38#include "mls.h"
  39
  40#define _DEBUG_HASHES
  41
  42#ifdef DEBUG_HASHES
  43static const char *symtab_name[SYM_NUM] = {
  44        "common prefixes",
  45        "classes",
  46        "roles",
  47        "types",
  48        "users",
  49        "bools",
  50        "levels",
  51        "categories",
  52};
  53#endif
  54
  55static unsigned int symtab_sizes[SYM_NUM] = {
  56        2,
  57        32,
  58        16,
  59        512,
  60        128,
  61        16,
  62        16,
  63        16,
  64};
  65
  66struct policydb_compat_info {
  67        int version;
  68        int sym_num;
  69        int ocon_num;
  70};
  71
  72/* These need to be updated if SYM_NUM or OCON_NUM changes */
  73static struct policydb_compat_info policydb_compat[] = {
  74        {
  75                .version        = POLICYDB_VERSION_BASE,
  76                .sym_num        = SYM_NUM - 3,
  77                .ocon_num       = OCON_NUM - 1,
  78        },
  79        {
  80                .version        = POLICYDB_VERSION_BOOL,
  81                .sym_num        = SYM_NUM - 2,
  82                .ocon_num       = OCON_NUM - 1,
  83        },
  84        {
  85                .version        = POLICYDB_VERSION_IPV6,
  86                .sym_num        = SYM_NUM - 2,
  87                .ocon_num       = OCON_NUM,
  88        },
  89        {
  90                .version        = POLICYDB_VERSION_NLCLASS,
  91                .sym_num        = SYM_NUM - 2,
  92                .ocon_num       = OCON_NUM,
  93        },
  94        {
  95                .version        = POLICYDB_VERSION_MLS,
  96                .sym_num        = SYM_NUM,
  97                .ocon_num       = OCON_NUM,
  98        },
  99        {
 100                .version        = POLICYDB_VERSION_AVTAB,
 101                .sym_num        = SYM_NUM,
 102                .ocon_num       = OCON_NUM,
 103        },
 104        {
 105                .version        = POLICYDB_VERSION_RANGETRANS,
 106                .sym_num        = SYM_NUM,
 107                .ocon_num       = OCON_NUM,
 108        },
 109        {
 110                .version        = POLICYDB_VERSION_POLCAP,
 111                .sym_num        = SYM_NUM,
 112                .ocon_num       = OCON_NUM,
 113        },
 114        {
 115                .version        = POLICYDB_VERSION_PERMISSIVE,
 116                .sym_num        = SYM_NUM,
 117                .ocon_num       = OCON_NUM,
 118        },
 119        {
 120                .version        = POLICYDB_VERSION_BOUNDARY,
 121                .sym_num        = SYM_NUM,
 122                .ocon_num       = OCON_NUM,
 123        },
 124};
 125
 126static struct policydb_compat_info *policydb_lookup_compat(int version)
 127{
 128        int i;
 129        struct policydb_compat_info *info = NULL;
 130
 131        for (i = 0; i < ARRAY_SIZE(policydb_compat); i++) {
 132                if (policydb_compat[i].version == version) {
 133                        info = &policydb_compat[i];
 134                        break;
 135                }
 136        }
 137        return info;
 138}
 139
 140/*
 141 * Initialize the role table.
 142 */
 143static int roles_init(struct policydb *p)
 144{
 145        char *key = NULL;
 146        int rc;
 147        struct role_datum *role;
 148
 149        role = kzalloc(sizeof(*role), GFP_KERNEL);
 150        if (!role) {
 151                rc = -ENOMEM;
 152                goto out;
 153        }
 154        role->value = ++p->p_roles.nprim;
 155        if (role->value != OBJECT_R_VAL) {
 156                rc = -EINVAL;
 157                goto out_free_role;
 158        }
 159        key = kstrdup(OBJECT_R, GFP_KERNEL);
 160        if (!key) {
 161                rc = -ENOMEM;
 162                goto out_free_role;
 163        }
 164        rc = hashtab_insert(p->p_roles.table, key, role);
 165        if (rc)
 166                goto out_free_key;
 167out:
 168        return rc;
 169
 170out_free_key:
 171        kfree(key);
 172out_free_role:
 173        kfree(role);
 174        goto out;
 175}
 176
 177static u32 rangetr_hash(struct hashtab *h, const void *k)
 178{
 179        const struct range_trans *key = k;
 180        return (key->source_type + (key->target_type << 3) +
 181                (key->target_class << 5)) & (h->size - 1);
 182}
 183
 184static int rangetr_cmp(struct hashtab *h, const void *k1, const void *k2)
 185{
 186        const struct range_trans *key1 = k1, *key2 = k2;
 187        return (key1->source_type != key2->source_type ||
 188                key1->target_type != key2->target_type ||
 189                key1->target_class != key2->target_class);
 190}
 191
 192/*
 193 * Initialize a policy database structure.
 194 */
 195static int policydb_init(struct policydb *p)
 196{
 197        int i, rc;
 198
 199        memset(p, 0, sizeof(*p));
 200
 201        for (i = 0; i < SYM_NUM; i++) {
 202                rc = symtab_init(&p->symtab[i], symtab_sizes[i]);
 203                if (rc)
 204                        goto out_free_symtab;
 205        }
 206
 207        rc = avtab_init(&p->te_avtab);
 208        if (rc)
 209                goto out_free_symtab;
 210
 211        rc = roles_init(p);
 212        if (rc)
 213                goto out_free_symtab;
 214
 215        rc = cond_policydb_init(p);
 216        if (rc)
 217                goto out_free_symtab;
 218
 219        p->range_tr = hashtab_create(rangetr_hash, rangetr_cmp, 256);
 220        if (!p->range_tr)
 221                goto out_free_symtab;
 222
 223        ebitmap_init(&p->policycaps);
 224        ebitmap_init(&p->permissive_map);
 225
 226out:
 227        return rc;
 228
 229out_free_symtab:
 230        for (i = 0; i < SYM_NUM; i++)
 231                hashtab_destroy(p->symtab[i].table);
 232        goto out;
 233}
 234
 235/*
 236 * The following *_index functions are used to
 237 * define the val_to_name and val_to_struct arrays
 238 * in a policy database structure.  The val_to_name
 239 * arrays are used when converting security context
 240 * structures into string representations.  The
 241 * val_to_struct arrays are used when the attributes
 242 * of a class, role, or user are needed.
 243 */
 244
 245static int common_index(void *key, void *datum, void *datap)
 246{
 247        struct policydb *p;
 248        struct common_datum *comdatum;
 249
 250        comdatum = datum;
 251        p = datap;
 252        if (!comdatum->value || comdatum->value > p->p_commons.nprim)
 253                return -EINVAL;
 254        p->p_common_val_to_name[comdatum->value - 1] = key;
 255        return 0;
 256}
 257
 258static int class_index(void *key, void *datum, void *datap)
 259{
 260        struct policydb *p;
 261        struct class_datum *cladatum;
 262
 263        cladatum = datum;
 264        p = datap;
 265        if (!cladatum->value || cladatum->value > p->p_classes.nprim)
 266                return -EINVAL;
 267        p->p_class_val_to_name[cladatum->value - 1] = key;
 268        p->class_val_to_struct[cladatum->value - 1] = cladatum;
 269        return 0;
 270}
 271
 272static int role_index(void *key, void *datum, void *datap)
 273{
 274        struct policydb *p;
 275        struct role_datum *role;
 276
 277        role = datum;
 278        p = datap;
 279        if (!role->value
 280            || role->value > p->p_roles.nprim
 281            || role->bounds > p->p_roles.nprim)
 282                return -EINVAL;
 283        p->p_role_val_to_name[role->value - 1] = key;
 284        p->role_val_to_struct[role->value - 1] = role;
 285        return 0;
 286}
 287
 288static int type_index(void *key, void *datum, void *datap)
 289{
 290        struct policydb *p;
 291        struct type_datum *typdatum;
 292
 293        typdatum = datum;
 294        p = datap;
 295
 296        if (typdatum->primary) {
 297                if (!typdatum->value
 298                    || typdatum->value > p->p_types.nprim
 299                    || typdatum->bounds > p->p_types.nprim)
 300                        return -EINVAL;
 301                p->p_type_val_to_name[typdatum->value - 1] = key;
 302                p->type_val_to_struct[typdatum->value - 1] = typdatum;
 303        }
 304
 305        return 0;
 306}
 307
 308static int user_index(void *key, void *datum, void *datap)
 309{
 310        struct policydb *p;
 311        struct user_datum *usrdatum;
 312
 313        usrdatum = datum;
 314        p = datap;
 315        if (!usrdatum->value
 316            || usrdatum->value > p->p_users.nprim
 317            || usrdatum->bounds > p->p_users.nprim)
 318                return -EINVAL;
 319        p->p_user_val_to_name[usrdatum->value - 1] = key;
 320        p->user_val_to_struct[usrdatum->value - 1] = usrdatum;
 321        return 0;
 322}
 323
 324static int sens_index(void *key, void *datum, void *datap)
 325{
 326        struct policydb *p;
 327        struct level_datum *levdatum;
 328
 329        levdatum = datum;
 330        p = datap;
 331
 332        if (!levdatum->isalias) {
 333                if (!levdatum->level->sens ||
 334                    levdatum->level->sens > p->p_levels.nprim)
 335                        return -EINVAL;
 336                p->p_sens_val_to_name[levdatum->level->sens - 1] = key;
 337        }
 338
 339        return 0;
 340}
 341
 342static int cat_index(void *key, void *datum, void *datap)
 343{
 344        struct policydb *p;
 345        struct cat_datum *catdatum;
 346
 347        catdatum = datum;
 348        p = datap;
 349
 350        if (!catdatum->isalias) {
 351                if (!catdatum->value || catdatum->value > p->p_cats.nprim)
 352                        return -EINVAL;
 353                p->p_cat_val_to_name[catdatum->value - 1] = key;
 354        }
 355
 356        return 0;
 357}
 358
 359static int (*index_f[SYM_NUM]) (void *key, void *datum, void *datap) =
 360{
 361        common_index,
 362        class_index,
 363        role_index,
 364        type_index,
 365        user_index,
 366        cond_index_bool,
 367        sens_index,
 368        cat_index,
 369};
 370
 371/*
 372 * Define the common val_to_name array and the class
 373 * val_to_name and val_to_struct arrays in a policy
 374 * database structure.
 375 *
 376 * Caller must clean up upon failure.
 377 */
 378static int policydb_index_classes(struct policydb *p)
 379{
 380        int rc;
 381
 382        p->p_common_val_to_name =
 383                kmalloc(p->p_commons.nprim * sizeof(char *), GFP_KERNEL);
 384        if (!p->p_common_val_to_name) {
 385                rc = -ENOMEM;
 386                goto out;
 387        }
 388
 389        rc = hashtab_map(p->p_commons.table, common_index, p);
 390        if (rc)
 391                goto out;
 392
 393        p->class_val_to_struct =
 394                kmalloc(p->p_classes.nprim * sizeof(*(p->class_val_to_struct)), GFP_KERNEL);
 395        if (!p->class_val_to_struct) {
 396                rc = -ENOMEM;
 397                goto out;
 398        }
 399
 400        p->p_class_val_to_name =
 401                kmalloc(p->p_classes.nprim * sizeof(char *), GFP_KERNEL);
 402        if (!p->p_class_val_to_name) {
 403                rc = -ENOMEM;
 404                goto out;
 405        }
 406
 407        rc = hashtab_map(p->p_classes.table, class_index, p);
 408out:
 409        return rc;
 410}
 411
 412#ifdef DEBUG_HASHES
 413static void symtab_hash_eval(struct symtab *s)
 414{
 415        int i;
 416
 417        for (i = 0; i < SYM_NUM; i++) {
 418                struct hashtab *h = s[i].table;
 419                struct hashtab_info info;
 420
 421                hashtab_stat(h, &info);
 422                printk(KERN_DEBUG "SELinux: %s:  %d entries and %d/%d buckets used, "
 423                       "longest chain length %d\n", symtab_name[i], h->nel,
 424                       info.slots_used, h->size, info.max_chain_len);
 425        }
 426}
 427
 428static void rangetr_hash_eval(struct hashtab *h)
 429{
 430        struct hashtab_info info;
 431
 432        hashtab_stat(h, &info);
 433        printk(KERN_DEBUG "SELinux: rangetr:  %d entries and %d/%d buckets used, "
 434               "longest chain length %d\n", h->nel,
 435               info.slots_used, h->size, info.max_chain_len);
 436}
 437#else
 438static inline void rangetr_hash_eval(struct hashtab *h)
 439{
 440}
 441#endif
 442
 443/*
 444 * Define the other val_to_name and val_to_struct arrays
 445 * in a policy database structure.
 446 *
 447 * Caller must clean up on failure.
 448 */
 449static int policydb_index_others(struct policydb *p)
 450{
 451        int i, rc = 0;
 452
 453        printk(KERN_DEBUG "SELinux:  %d users, %d roles, %d types, %d bools",
 454               p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim, p->p_bools.nprim);
 455        if (p->mls_enabled)
 456                printk(", %d sens, %d cats", p->p_levels.nprim,
 457                       p->p_cats.nprim);
 458        printk("\n");
 459
 460        printk(KERN_DEBUG "SELinux:  %d classes, %d rules\n",
 461               p->p_classes.nprim, p->te_avtab.nel);
 462
 463#ifdef DEBUG_HASHES
 464        avtab_hash_eval(&p->te_avtab, "rules");
 465        symtab_hash_eval(p->symtab);
 466#endif
 467
 468        p->role_val_to_struct =
 469                kmalloc(p->p_roles.nprim * sizeof(*(p->role_val_to_struct)),
 470                        GFP_KERNEL);
 471        if (!p->role_val_to_struct) {
 472                rc = -ENOMEM;
 473                goto out;
 474        }
 475
 476        p->user_val_to_struct =
 477                kmalloc(p->p_users.nprim * sizeof(*(p->user_val_to_struct)),
 478                        GFP_KERNEL);
 479        if (!p->user_val_to_struct) {
 480                rc = -ENOMEM;
 481                goto out;
 482        }
 483
 484        p->type_val_to_struct =
 485                kmalloc(p->p_types.nprim * sizeof(*(p->type_val_to_struct)),
 486                        GFP_KERNEL);
 487        if (!p->type_val_to_struct) {
 488                rc = -ENOMEM;
 489                goto out;
 490        }
 491
 492        if (cond_init_bool_indexes(p)) {
 493                rc = -ENOMEM;
 494                goto out;
 495        }
 496
 497        for (i = SYM_ROLES; i < SYM_NUM; i++) {
 498                p->sym_val_to_name[i] =
 499                        kmalloc(p->symtab[i].nprim * sizeof(char *), GFP_KERNEL);
 500                if (!p->sym_val_to_name[i]) {
 501                        rc = -ENOMEM;
 502                        goto out;
 503                }
 504                rc = hashtab_map(p->symtab[i].table, index_f[i], p);
 505                if (rc)
 506                        goto out;
 507        }
 508
 509out:
 510        return rc;
 511}
 512
 513/*
 514 * The following *_destroy functions are used to
 515 * free any memory allocated for each kind of
 516 * symbol data in the policy database.
 517 */
 518
 519static int perm_destroy(void *key, void *datum, void *p)
 520{
 521        kfree(key);
 522        kfree(datum);
 523        return 0;
 524}
 525
 526static int common_destroy(void *key, void *datum, void *p)
 527{
 528        struct common_datum *comdatum;
 529
 530        kfree(key);
 531        comdatum = datum;
 532        hashtab_map(comdatum->permissions.table, perm_destroy, NULL);
 533        hashtab_destroy(comdatum->permissions.table);
 534        kfree(datum);
 535        return 0;
 536}
 537
 538static int cls_destroy(void *key, void *datum, void *p)
 539{
 540        struct class_datum *cladatum;
 541        struct constraint_node *constraint, *ctemp;
 542        struct constraint_expr *e, *etmp;
 543
 544        kfree(key);
 545        cladatum = datum;
 546        hashtab_map(cladatum->permissions.table, perm_destroy, NULL);
 547        hashtab_destroy(cladatum->permissions.table);
 548        constraint = cladatum->constraints;
 549        while (constraint) {
 550                e = constraint->expr;
 551                while (e) {
 552                        ebitmap_destroy(&e->names);
 553                        etmp = e;
 554                        e = e->next;
 555                        kfree(etmp);
 556                }
 557                ctemp = constraint;
 558                constraint = constraint->next;
 559                kfree(ctemp);
 560        }
 561
 562        constraint = cladatum->validatetrans;
 563        while (constraint) {
 564                e = constraint->expr;
 565                while (e) {
 566                        ebitmap_destroy(&e->names);
 567                        etmp = e;
 568                        e = e->next;
 569                        kfree(etmp);
 570                }
 571                ctemp = constraint;
 572                constraint = constraint->next;
 573                kfree(ctemp);
 574        }
 575
 576        kfree(cladatum->comkey);
 577        kfree(datum);
 578        return 0;
 579}
 580
 581static int role_destroy(void *key, void *datum, void *p)
 582{
 583        struct role_datum *role;
 584
 585        kfree(key);
 586        role = datum;
 587        ebitmap_destroy(&role->dominates);
 588        ebitmap_destroy(&role->types);
 589        kfree(datum);
 590        return 0;
 591}
 592
 593static int type_destroy(void *key, void *datum, void *p)
 594{
 595        kfree(key);
 596        kfree(datum);
 597        return 0;
 598}
 599
 600static int user_destroy(void *key, void *datum, void *p)
 601{
 602        struct user_datum *usrdatum;
 603
 604        kfree(key);
 605        usrdatum = datum;
 606        ebitmap_destroy(&usrdatum->roles);
 607        ebitmap_destroy(&usrdatum->range.level[0].cat);
 608        ebitmap_destroy(&usrdatum->range.level[1].cat);
 609        ebitmap_destroy(&usrdatum->dfltlevel.cat);
 610        kfree(datum);
 611        return 0;
 612}
 613
 614static int sens_destroy(void *key, void *datum, void *p)
 615{
 616        struct level_datum *levdatum;
 617
 618        kfree(key);
 619        levdatum = datum;
 620        ebitmap_destroy(&levdatum->level->cat);
 621        kfree(levdatum->level);
 622        kfree(datum);
 623        return 0;
 624}
 625
 626static int cat_destroy(void *key, void *datum, void *p)
 627{
 628        kfree(key);
 629        kfree(datum);
 630        return 0;
 631}
 632
 633static int (*destroy_f[SYM_NUM]) (void *key, void *datum, void *datap) =
 634{
 635        common_destroy,
 636        cls_destroy,
 637        role_destroy,
 638        type_destroy,
 639        user_destroy,
 640        cond_destroy_bool,
 641        sens_destroy,
 642        cat_destroy,
 643};
 644
 645static int range_tr_destroy(void *key, void *datum, void *p)
 646{
 647        struct mls_range *rt = datum;
 648        kfree(key);
 649        ebitmap_destroy(&rt->level[0].cat);
 650        ebitmap_destroy(&rt->level[1].cat);
 651        kfree(datum);
 652        cond_resched();
 653        return 0;
 654}
 655
 656static void ocontext_destroy(struct ocontext *c, int i)
 657{
 658        context_destroy(&c->context[0]);
 659        context_destroy(&c->context[1]);
 660        if (i == OCON_ISID || i == OCON_FS ||
 661            i == OCON_NETIF || i == OCON_FSUSE)
 662                kfree(c->u.name);
 663        kfree(c);
 664}
 665
 666/*
 667 * Free any memory allocated by a policy database structure.
 668 */
 669void policydb_destroy(struct policydb *p)
 670{
 671        struct ocontext *c, *ctmp;
 672        struct genfs *g, *gtmp;
 673        int i;
 674        struct role_allow *ra, *lra = NULL;
 675        struct role_trans *tr, *ltr = NULL;
 676
 677        for (i = 0; i < SYM_NUM; i++) {
 678                cond_resched();
 679                hashtab_map(p->symtab[i].table, destroy_f[i], NULL);
 680                hashtab_destroy(p->symtab[i].table);
 681        }
 682
 683        for (i = 0; i < SYM_NUM; i++)
 684                kfree(p->sym_val_to_name[i]);
 685
 686        kfree(p->class_val_to_struct);
 687        kfree(p->role_val_to_struct);
 688        kfree(p->user_val_to_struct);
 689        kfree(p->type_val_to_struct);
 690
 691        avtab_destroy(&p->te_avtab);
 692
 693        for (i = 0; i < OCON_NUM; i++) {
 694                cond_resched();
 695                c = p->ocontexts[i];
 696                while (c) {
 697                        ctmp = c;
 698                        c = c->next;
 699                        ocontext_destroy(ctmp, i);
 700                }
 701                p->ocontexts[i] = NULL;
 702        }
 703
 704        g = p->genfs;
 705        while (g) {
 706                cond_resched();
 707                kfree(g->fstype);
 708                c = g->head;
 709                while (c) {
 710                        ctmp = c;
 711                        c = c->next;
 712                        ocontext_destroy(ctmp, OCON_FSUSE);
 713                }
 714                gtmp = g;
 715                g = g->next;
 716                kfree(gtmp);
 717        }
 718        p->genfs = NULL;
 719
 720        cond_policydb_destroy(p);
 721
 722        for (tr = p->role_tr; tr; tr = tr->next) {
 723                cond_resched();
 724                kfree(ltr);
 725                ltr = tr;
 726        }
 727        kfree(ltr);
 728
 729        for (ra = p->role_allow; ra; ra = ra->next) {
 730                cond_resched();
 731                kfree(lra);
 732                lra = ra;
 733        }
 734        kfree(lra);
 735
 736        hashtab_map(p->range_tr, range_tr_destroy, NULL);
 737        hashtab_destroy(p->range_tr);
 738
 739        if (p->type_attr_map) {
 740                for (i = 0; i < p->p_types.nprim; i++)
 741                        ebitmap_destroy(&p->type_attr_map[i]);
 742        }
 743        kfree(p->type_attr_map);
 744        ebitmap_destroy(&p->policycaps);
 745        ebitmap_destroy(&p->permissive_map);
 746
 747        return;
 748}
 749
 750/*
 751 * Load the initial SIDs specified in a policy database
 752 * structure into a SID table.
 753 */
 754int policydb_load_isids(struct policydb *p, struct sidtab *s)
 755{
 756        struct ocontext *head, *c;
 757        int rc;
 758
 759        rc = sidtab_init(s);
 760        if (rc) {
 761                printk(KERN_ERR "SELinux:  out of memory on SID table init\n");
 762                goto out;
 763        }
 764
 765        head = p->ocontexts[OCON_ISID];
 766        for (c = head; c; c = c->next) {
 767                if (!c->context[0].user) {
 768                        printk(KERN_ERR "SELinux:  SID %s was never "
 769                               "defined.\n", c->u.name);
 770                        rc = -EINVAL;
 771                        goto out;
 772                }
 773                if (sidtab_insert(s, c->sid[0], &c->context[0])) {
 774                        printk(KERN_ERR "SELinux:  unable to load initial "
 775                               "SID %s.\n", c->u.name);
 776                        rc = -EINVAL;
 777                        goto out;
 778                }
 779        }
 780out:
 781        return rc;
 782}
 783
 784int policydb_class_isvalid(struct policydb *p, unsigned int class)
 785{
 786        if (!class || class > p->p_classes.nprim)
 787                return 0;
 788        return 1;
 789}
 790
 791int policydb_role_isvalid(struct policydb *p, unsigned int role)
 792{
 793        if (!role || role > p->p_roles.nprim)
 794                return 0;
 795        return 1;
 796}
 797
 798int policydb_type_isvalid(struct policydb *p, unsigned int type)
 799{
 800        if (!type || type > p->p_types.nprim)
 801                return 0;
 802        return 1;
 803}
 804
 805/*
 806 * Return 1 if the fields in the security context
 807 * structure `c' are valid.  Return 0 otherwise.
 808 */
 809int policydb_context_isvalid(struct policydb *p, struct context *c)
 810{
 811        struct role_datum *role;
 812        struct user_datum *usrdatum;
 813
 814        if (!c->role || c->role > p->p_roles.nprim)
 815                return 0;
 816
 817        if (!c->user || c->user > p->p_users.nprim)
 818                return 0;
 819
 820        if (!c->type || c->type > p->p_types.nprim)
 821                return 0;
 822
 823        if (c->role != OBJECT_R_VAL) {
 824                /*
 825                 * Role must be authorized for the type.
 826                 */
 827                role = p->role_val_to_struct[c->role - 1];
 828                if (!ebitmap_get_bit(&role->types,
 829                                     c->type - 1))
 830                        /* role may not be associated with type */
 831                        return 0;
 832
 833                /*
 834                 * User must be authorized for the role.
 835                 */
 836                usrdatum = p->user_val_to_struct[c->user - 1];
 837                if (!usrdatum)
 838                        return 0;
 839
 840                if (!ebitmap_get_bit(&usrdatum->roles,
 841                                     c->role - 1))
 842                        /* user may not be associated with role */
 843                        return 0;
 844        }
 845
 846        if (!mls_context_isvalid(p, c))
 847                return 0;
 848
 849        return 1;
 850}
 851
 852/*
 853 * Read a MLS range structure from a policydb binary
 854 * representation file.
 855 */
 856static int mls_read_range_helper(struct mls_range *r, void *fp)
 857{
 858        __le32 buf[2];
 859        u32 items;
 860        int rc;
 861
 862        rc = next_entry(buf, fp, sizeof(u32));
 863        if (rc < 0)
 864                goto out;
 865
 866        items = le32_to_cpu(buf[0]);
 867        if (items > ARRAY_SIZE(buf)) {
 868                printk(KERN_ERR "SELinux: mls:  range overflow\n");
 869                rc = -EINVAL;
 870                goto out;
 871        }
 872        rc = next_entry(buf, fp, sizeof(u32) * items);
 873        if (rc < 0) {
 874                printk(KERN_ERR "SELinux: mls:  truncated range\n");
 875                goto out;
 876        }
 877        r->level[0].sens = le32_to_cpu(buf[0]);
 878        if (items > 1)
 879                r->level[1].sens = le32_to_cpu(buf[1]);
 880        else
 881                r->level[1].sens = r->level[0].sens;
 882
 883        rc = ebitmap_read(&r->level[0].cat, fp);
 884        if (rc) {
 885                printk(KERN_ERR "SELinux: mls:  error reading low "
 886                       "categories\n");
 887                goto out;
 888        }
 889        if (items > 1) {
 890                rc = ebitmap_read(&r->level[1].cat, fp);
 891                if (rc) {
 892                        printk(KERN_ERR "SELinux: mls:  error reading high "
 893                               "categories\n");
 894                        goto bad_high;
 895                }
 896        } else {
 897                rc = ebitmap_cpy(&r->level[1].cat, &r->level[0].cat);
 898                if (rc) {
 899                        printk(KERN_ERR "SELinux: mls:  out of memory\n");
 900                        goto bad_high;
 901                }
 902        }
 903
 904        rc = 0;
 905out:
 906        return rc;
 907bad_high:
 908        ebitmap_destroy(&r->level[0].cat);
 909        goto out;
 910}
 911
 912/*
 913 * Read and validate a security context structure
 914 * from a policydb binary representation file.
 915 */
 916static int context_read_and_validate(struct context *c,
 917                                     struct policydb *p,
 918                                     void *fp)
 919{
 920        __le32 buf[3];
 921        int rc;
 922
 923        rc = next_entry(buf, fp, sizeof buf);
 924        if (rc < 0) {
 925                printk(KERN_ERR "SELinux: context truncated\n");
 926                goto out;
 927        }
 928        c->user = le32_to_cpu(buf[0]);
 929        c->role = le32_to_cpu(buf[1]);
 930        c->type = le32_to_cpu(buf[2]);
 931        if (p->policyvers >= POLICYDB_VERSION_MLS) {
 932                if (mls_read_range_helper(&c->range, fp)) {
 933                        printk(KERN_ERR "SELinux: error reading MLS range of "
 934                               "context\n");
 935                        rc = -EINVAL;
 936                        goto out;
 937                }
 938        }
 939
 940        if (!policydb_context_isvalid(p, c)) {
 941                printk(KERN_ERR "SELinux:  invalid security context\n");
 942                context_destroy(c);
 943                rc = -EINVAL;
 944        }
 945out:
 946        return rc;
 947}
 948
 949/*
 950 * The following *_read functions are used to
 951 * read the symbol data from a policy database
 952 * binary representation file.
 953 */
 954
 955static int perm_read(struct policydb *p, struct hashtab *h, void *fp)
 956{
 957        char *key = NULL;
 958        struct perm_datum *perdatum;
 959        int rc;
 960        __le32 buf[2];
 961        u32 len;
 962
 963        perdatum = kzalloc(sizeof(*perdatum), GFP_KERNEL);
 964        if (!perdatum) {
 965                rc = -ENOMEM;
 966                goto out;
 967        }
 968
 969        rc = next_entry(buf, fp, sizeof buf);
 970        if (rc < 0)
 971                goto bad;
 972
 973        len = le32_to_cpu(buf[0]);
 974        perdatum->value = le32_to_cpu(buf[1]);
 975
 976        key = kmalloc(len + 1, GFP_KERNEL);
 977        if (!key) {
 978                rc = -ENOMEM;
 979                goto bad;
 980        }
 981        rc = next_entry(key, fp, len);
 982        if (rc < 0)
 983                goto bad;
 984        key[len] = '\0';
 985
 986        rc = hashtab_insert(h, key, perdatum);
 987        if (rc)
 988                goto bad;
 989out:
 990        return rc;
 991bad:
 992        perm_destroy(key, perdatum, NULL);
 993        goto out;
 994}
 995
 996static int common_read(struct policydb *p, struct hashtab *h, void *fp)
 997{
 998        char *key = NULL;
 999        struct common_datum *comdatum;
1000        __le32 buf[4];
1001        u32 len, nel;
1002        int i, rc;
1003
1004        comdatum = kzalloc(sizeof(*comdatum), GFP_KERNEL);
1005        if (!comdatum) {
1006                rc = -ENOMEM;
1007                goto out;
1008        }
1009
1010        rc = next_entry(buf, fp, sizeof buf);
1011        if (rc < 0)
1012                goto bad;
1013
1014        len = le32_to_cpu(buf[0]);
1015        comdatum->value = le32_to_cpu(buf[1]);
1016
1017        rc = symtab_init(&comdatum->permissions, PERM_SYMTAB_SIZE);
1018        if (rc)
1019                goto bad;
1020        comdatum->permissions.nprim = le32_to_cpu(buf[2]);
1021        nel = le32_to_cpu(buf[3]);
1022
1023        key = kmalloc(len + 1, GFP_KERNEL);
1024        if (!key) {
1025                rc = -ENOMEM;
1026                goto bad;
1027        }
1028        rc = next_entry(key, fp, len);
1029        if (rc < 0)
1030                goto bad;
1031        key[len] = '\0';
1032
1033        for (i = 0; i < nel; i++) {
1034                rc = perm_read(p, comdatum->permissions.table, fp);
1035                if (rc)
1036                        goto bad;
1037        }
1038
1039        rc = hashtab_insert(h, key, comdatum);
1040        if (rc)
1041                goto bad;
1042out:
1043        return rc;
1044bad:
1045        common_destroy(key, comdatum, NULL);
1046        goto out;
1047}
1048
1049static int read_cons_helper(struct constraint_node **nodep, int ncons,
1050                            int allowxtarget, void *fp)
1051{
1052        struct constraint_node *c, *lc;
1053        struct constraint_expr *e, *le;
1054        __le32 buf[3];
1055        u32 nexpr;
1056        int rc, i, j, depth;
1057
1058        lc = NULL;
1059        for (i = 0; i < ncons; i++) {
1060                c = kzalloc(sizeof(*c), GFP_KERNEL);
1061                if (!c)
1062                        return -ENOMEM;
1063
1064                if (lc)
1065                        lc->next = c;
1066                else
1067                        *nodep = c;
1068
1069                rc = next_entry(buf, fp, (sizeof(u32) * 2));
1070                if (rc < 0)
1071                        return rc;
1072                c->permissions = le32_to_cpu(buf[0]);
1073                nexpr = le32_to_cpu(buf[1]);
1074                le = NULL;
1075                depth = -1;
1076                for (j = 0; j < nexpr; j++) {
1077                        e = kzalloc(sizeof(*e), GFP_KERNEL);
1078                        if (!e)
1079                                return -ENOMEM;
1080
1081                        if (le)
1082                                le->next = e;
1083                        else
1084                                c->expr = e;
1085
1086                        rc = next_entry(buf, fp, (sizeof(u32) * 3));
1087                        if (rc < 0)
1088                                return rc;
1089                        e->expr_type = le32_to_cpu(buf[0]);
1090                        e->attr = le32_to_cpu(buf[1]);
1091                        e->op = le32_to_cpu(buf[2]);
1092
1093                        switch (e->expr_type) {
1094                        case CEXPR_NOT:
1095                                if (depth < 0)
1096                                        return -EINVAL;
1097                                break;
1098                        case CEXPR_AND:
1099                        case CEXPR_OR:
1100                                if (depth < 1)
1101                                        return -EINVAL;
1102                                depth--;
1103                                break;
1104                        case CEXPR_ATTR:
1105                                if (depth == (CEXPR_MAXDEPTH - 1))
1106                                        return -EINVAL;
1107                                depth++;
1108                                break;
1109                        case CEXPR_NAMES:
1110                                if (!allowxtarget && (e->attr & CEXPR_XTARGET))
1111                                        return -EINVAL;
1112                                if (depth == (CEXPR_MAXDEPTH - 1))
1113                                        return -EINVAL;
1114                                depth++;
1115                                if (ebitmap_read(&e->names, fp))
1116                                        return -EINVAL;
1117                                break;
1118                        default:
1119                                return -EINVAL;
1120                        }
1121                        le = e;
1122                }
1123                if (depth != 0)
1124                        return -EINVAL;
1125                lc = c;
1126        }
1127
1128        return 0;
1129}
1130
1131static int class_read(struct policydb *p, struct hashtab *h, void *fp)
1132{
1133        char *key = NULL;
1134        struct class_datum *cladatum;
1135        __le32 buf[6];
1136        u32 len, len2, ncons, nel;
1137        int i, rc;
1138
1139        cladatum = kzalloc(sizeof(*cladatum), GFP_KERNEL);
1140        if (!cladatum) {
1141                rc = -ENOMEM;
1142                goto out;
1143        }
1144
1145        rc = next_entry(buf, fp, sizeof(u32)*6);
1146        if (rc < 0)
1147                goto bad;
1148
1149        len = le32_to_cpu(buf[0]);
1150        len2 = le32_to_cpu(buf[1]);
1151        cladatum->value = le32_to_cpu(buf[2]);
1152
1153        rc = symtab_init(&cladatum->permissions, PERM_SYMTAB_SIZE);
1154        if (rc)
1155                goto bad;
1156        cladatum->permissions.nprim = le32_to_cpu(buf[3]);
1157        nel = le32_to_cpu(buf[4]);
1158
1159        ncons = le32_to_cpu(buf[5]);
1160
1161        key = kmalloc(len + 1, GFP_KERNEL);
1162        if (!key) {
1163                rc = -ENOMEM;
1164                goto bad;
1165        }
1166        rc = next_entry(key, fp, len);
1167        if (rc < 0)
1168                goto bad;
1169        key[len] = '\0';
1170
1171        if (len2) {
1172                cladatum->comkey = kmalloc(len2 + 1, GFP_KERNEL);
1173                if (!cladatum->comkey) {
1174                        rc = -ENOMEM;
1175                        goto bad;
1176                }
1177                rc = next_entry(cladatum->comkey, fp, len2);
1178                if (rc < 0)
1179                        goto bad;
1180                cladatum->comkey[len2] = '\0';
1181
1182                cladatum->comdatum = hashtab_search(p->p_commons.table,
1183                                                    cladatum->comkey);
1184                if (!cladatum->comdatum) {
1185                        printk(KERN_ERR "SELinux:  unknown common %s\n",
1186                               cladatum->comkey);
1187                        rc = -EINVAL;
1188                        goto bad;
1189                }
1190        }
1191        for (i = 0; i < nel; i++) {
1192                rc = perm_read(p, cladatum->permissions.table, fp);
1193                if (rc)
1194                        goto bad;
1195        }
1196
1197        rc = read_cons_helper(&cladatum->constraints, ncons, 0, fp);
1198        if (rc)
1199                goto bad;
1200
1201        if (p->policyvers >= POLICYDB_VERSION_VALIDATETRANS) {
1202                /* grab the validatetrans rules */
1203                rc = next_entry(buf, fp, sizeof(u32));
1204                if (rc < 0)
1205                        goto bad;
1206                ncons = le32_to_cpu(buf[0]);
1207                rc = read_cons_helper(&cladatum->validatetrans, ncons, 1, fp);
1208                if (rc)
1209                        goto bad;
1210        }
1211
1212        rc = hashtab_insert(h, key, cladatum);
1213        if (rc)
1214                goto bad;
1215
1216        rc = 0;
1217out:
1218        return rc;
1219bad:
1220        cls_destroy(key, cladatum, NULL);
1221        goto out;
1222}
1223
1224static int role_read(struct policydb *p, struct hashtab *h, void *fp)
1225{
1226        char *key = NULL;
1227        struct role_datum *role;
1228        int rc, to_read = 2;
1229        __le32 buf[3];
1230        u32 len;
1231
1232        role = kzalloc(sizeof(*role), GFP_KERNEL);
1233        if (!role) {
1234                rc = -ENOMEM;
1235                goto out;
1236        }
1237
1238        if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
1239                to_read = 3;
1240
1241        rc = next_entry(buf, fp, sizeof(buf[0]) * to_read);
1242        if (rc < 0)
1243                goto bad;
1244
1245        len = le32_to_cpu(buf[0]);
1246        role->value = le32_to_cpu(buf[1]);
1247        if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
1248                role->bounds = le32_to_cpu(buf[2]);
1249
1250        key = kmalloc(len + 1, GFP_KERNEL);
1251        if (!key) {
1252                rc = -ENOMEM;
1253                goto bad;
1254        }
1255        rc = next_entry(key, fp, len);
1256        if (rc < 0)
1257                goto bad;
1258        key[len] = '\0';
1259
1260        rc = ebitmap_read(&role->dominates, fp);
1261        if (rc)
1262                goto bad;
1263
1264        rc = ebitmap_read(&role->types, fp);
1265        if (rc)
1266                goto bad;
1267
1268        if (strcmp(key, OBJECT_R) == 0) {
1269                if (role->value != OBJECT_R_VAL) {
1270                        printk(KERN_ERR "SELinux: Role %s has wrong value %d\n",
1271                               OBJECT_R, role->value);
1272                        rc = -EINVAL;
1273                        goto bad;
1274                }
1275                rc = 0;
1276                goto bad;
1277        }
1278
1279        rc = hashtab_insert(h, key, role);
1280        if (rc)
1281                goto bad;
1282out:
1283        return rc;
1284bad:
1285        role_destroy(key, role, NULL);
1286        goto out;
1287}
1288
1289static int type_read(struct policydb *p, struct hashtab *h, void *fp)
1290{
1291        char *key = NULL;
1292        struct type_datum *typdatum;
1293        int rc, to_read = 3;
1294        __le32 buf[4];
1295        u32 len;
1296
1297        typdatum = kzalloc(sizeof(*typdatum), GFP_KERNEL);
1298        if (!typdatum) {
1299                rc = -ENOMEM;
1300                return rc;
1301        }
1302
1303        if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
1304                to_read = 4;
1305
1306        rc = next_entry(buf, fp, sizeof(buf[0]) * to_read);
1307        if (rc < 0)
1308                goto bad;
1309
1310        len = le32_to_cpu(buf[0]);
1311        typdatum->value = le32_to_cpu(buf[1]);
1312        if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) {
1313                u32 prop = le32_to_cpu(buf[2]);
1314
1315                if (prop & TYPEDATUM_PROPERTY_PRIMARY)
1316                        typdatum->primary = 1;
1317                if (prop & TYPEDATUM_PROPERTY_ATTRIBUTE)
1318                        typdatum->attribute = 1;
1319
1320                typdatum->bounds = le32_to_cpu(buf[3]);
1321        } else {
1322                typdatum->primary = le32_to_cpu(buf[2]);
1323        }
1324
1325        key = kmalloc(len + 1, GFP_KERNEL);
1326        if (!key) {
1327                rc = -ENOMEM;
1328                goto bad;
1329        }
1330        rc = next_entry(key, fp, len);
1331        if (rc < 0)
1332                goto bad;
1333        key[len] = '\0';
1334
1335        rc = hashtab_insert(h, key, typdatum);
1336        if (rc)
1337                goto bad;
1338out:
1339        return rc;
1340bad:
1341        type_destroy(key, typdatum, NULL);
1342        goto out;
1343}
1344
1345
1346/*
1347 * Read a MLS level structure from a policydb binary
1348 * representation file.
1349 */
1350static int mls_read_level(struct mls_level *lp, void *fp)
1351{
1352        __le32 buf[1];
1353        int rc;
1354
1355        memset(lp, 0, sizeof(*lp));
1356
1357        rc = next_entry(buf, fp, sizeof buf);
1358        if (rc < 0) {
1359                printk(KERN_ERR "SELinux: mls: truncated level\n");
1360                goto bad;
1361        }
1362        lp->sens = le32_to_cpu(buf[0]);
1363
1364        if (ebitmap_read(&lp->cat, fp)) {
1365                printk(KERN_ERR "SELinux: mls:  error reading level "
1366                       "categories\n");
1367                goto bad;
1368        }
1369
1370        return 0;
1371
1372bad:
1373        return -EINVAL;
1374}
1375
1376static int user_read(struct policydb *p, struct hashtab *h, void *fp)
1377{
1378        char *key = NULL;
1379        struct user_datum *usrdatum;
1380        int rc, to_read = 2;
1381        __le32 buf[3];
1382        u32 len;
1383
1384        usrdatum = kzalloc(sizeof(*usrdatum), GFP_KERNEL);
1385        if (!usrdatum) {
1386                rc = -ENOMEM;
1387                goto out;
1388        }
1389
1390        if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
1391                to_read = 3;
1392
1393        rc = next_entry(buf, fp, sizeof(buf[0]) * to_read);
1394        if (rc < 0)
1395                goto bad;
1396
1397        len = le32_to_cpu(buf[0]);
1398        usrdatum->value = le32_to_cpu(buf[1]);
1399        if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
1400                usrdatum->bounds = le32_to_cpu(buf[2]);
1401
1402        key = kmalloc(len + 1, GFP_KERNEL);
1403        if (!key) {
1404                rc = -ENOMEM;
1405                goto bad;
1406        }
1407        rc = next_entry(key, fp, len);
1408        if (rc < 0)
1409                goto bad;
1410        key[len] = '\0';
1411
1412        rc = ebitmap_read(&usrdatum->roles, fp);
1413        if (rc)
1414                goto bad;
1415
1416        if (p->policyvers >= POLICYDB_VERSION_MLS) {
1417                rc = mls_read_range_helper(&usrdatum->range, fp);
1418                if (rc)
1419                        goto bad;
1420                rc = mls_read_level(&usrdatum->dfltlevel, fp);
1421                if (rc)
1422                        goto bad;
1423        }
1424
1425        rc = hashtab_insert(h, key, usrdatum);
1426        if (rc)
1427                goto bad;
1428out:
1429        return rc;
1430bad:
1431        user_destroy(key, usrdatum, NULL);
1432        goto out;
1433}
1434
1435static int sens_read(struct policydb *p, struct hashtab *h, void *fp)
1436{
1437        char *key = NULL;
1438        struct level_datum *levdatum;
1439        int rc;
1440        __le32 buf[2];
1441        u32 len;
1442
1443        levdatum = kzalloc(sizeof(*levdatum), GFP_ATOMIC);
1444        if (!levdatum) {
1445                rc = -ENOMEM;
1446                goto out;
1447        }
1448
1449        rc = next_entry(buf, fp, sizeof buf);
1450        if (rc < 0)
1451                goto bad;
1452
1453        len = le32_to_cpu(buf[0]);
1454        levdatum->isalias = le32_to_cpu(buf[1]);
1455
1456        key = kmalloc(len + 1, GFP_ATOMIC);
1457        if (!key) {
1458                rc = -ENOMEM;
1459                goto bad;
1460        }
1461        rc = next_entry(key, fp, len);
1462        if (rc < 0)
1463                goto bad;
1464        key[len] = '\0';
1465
1466        levdatum->level = kmalloc(sizeof(struct mls_level), GFP_ATOMIC);
1467        if (!levdatum->level) {
1468                rc = -ENOMEM;
1469                goto bad;
1470        }
1471        if (mls_read_level(levdatum->level, fp)) {
1472                rc = -EINVAL;
1473                goto bad;
1474        }
1475
1476        rc = hashtab_insert(h, key, levdatum);
1477        if (rc)
1478                goto bad;
1479out:
1480        return rc;
1481bad:
1482        sens_destroy(key, levdatum, NULL);
1483        goto out;
1484}
1485
1486static int cat_read(struct policydb *p, struct hashtab *h, void *fp)
1487{
1488        char *key = NULL;
1489        struct cat_datum *catdatum;
1490        int rc;
1491        __le32 buf[3];
1492        u32 len;
1493
1494        catdatum = kzalloc(sizeof(*catdatum), GFP_ATOMIC);
1495        if (!catdatum) {
1496                rc = -ENOMEM;
1497                goto out;
1498        }
1499
1500        rc = next_entry(buf, fp, sizeof buf);
1501        if (rc < 0)
1502                goto bad;
1503
1504        len = le32_to_cpu(buf[0]);
1505        catdatum->value = le32_to_cpu(buf[1]);
1506        catdatum->isalias = le32_to_cpu(buf[2]);
1507
1508        key = kmalloc(len + 1, GFP_ATOMIC);
1509        if (!key) {
1510                rc = -ENOMEM;
1511                goto bad;
1512        }
1513        rc = next_entry(key, fp, len);
1514        if (rc < 0)
1515                goto bad;
1516        key[len] = '\0';
1517
1518        rc = hashtab_insert(h, key, catdatum);
1519        if (rc)
1520                goto bad;
1521out:
1522        return rc;
1523
1524bad:
1525        cat_destroy(key, catdatum, NULL);
1526        goto out;
1527}
1528
1529static int (*read_f[SYM_NUM]) (struct policydb *p, struct hashtab *h, void *fp) =
1530{
1531        common_read,
1532        class_read,
1533        role_read,
1534        type_read,
1535        user_read,
1536        cond_read_bool,
1537        sens_read,
1538        cat_read,
1539};
1540
1541static int user_bounds_sanity_check(void *key, void *datum, void *datap)
1542{
1543        struct user_datum *upper, *user;
1544        struct policydb *p = datap;
1545        int depth = 0;
1546
1547        upper = user = datum;
1548        while (upper->bounds) {
1549                struct ebitmap_node *node;
1550                unsigned long bit;
1551
1552                if (++depth == POLICYDB_BOUNDS_MAXDEPTH) {
1553                        printk(KERN_ERR "SELinux: user %s: "
1554                               "too deep or looped boundary",
1555                               (char *) key);
1556                        return -EINVAL;
1557                }
1558
1559                upper = p->user_val_to_struct[upper->bounds - 1];
1560                ebitmap_for_each_positive_bit(&user->roles, node, bit) {
1561                        if (ebitmap_get_bit(&upper->roles, bit))
1562                                continue;
1563
1564                        printk(KERN_ERR
1565                               "SELinux: boundary violated policy: "
1566                               "user=%s role=%s bounds=%s\n",
1567                               p->p_user_val_to_name[user->value - 1],
1568                               p->p_role_val_to_name[bit],
1569                               p->p_user_val_to_name[upper->value - 1]);
1570
1571                        return -EINVAL;
1572                }
1573        }
1574
1575        return 0;
1576}
1577
1578static int role_bounds_sanity_check(void *key, void *datum, void *datap)
1579{
1580        struct role_datum *upper, *role;
1581        struct policydb *p = datap;
1582        int depth = 0;
1583
1584        upper = role = datum;
1585        while (upper->bounds) {
1586                struct ebitmap_node *node;
1587                unsigned long bit;
1588
1589                if (++depth == POLICYDB_BOUNDS_MAXDEPTH) {
1590                        printk(KERN_ERR "SELinux: role %s: "
1591                               "too deep or looped bounds\n",
1592                               (char *) key);
1593                        return -EINVAL;
1594                }
1595
1596                upper = p->role_val_to_struct[upper->bounds - 1];
1597                ebitmap_for_each_positive_bit(&role->types, node, bit) {
1598                        if (ebitmap_get_bit(&upper->types, bit))
1599                                continue;
1600
1601                        printk(KERN_ERR
1602                               "SELinux: boundary violated policy: "
1603                               "role=%s type=%s bounds=%s\n",
1604                               p->p_role_val_to_name[role->value - 1],
1605                               p->p_type_val_to_name[bit],
1606                               p->p_role_val_to_name[upper->value - 1]);
1607
1608                        return -EINVAL;
1609                }
1610        }
1611
1612        return 0;
1613}
1614
1615static int type_bounds_sanity_check(void *key, void *datum, void *datap)
1616{
1617        struct type_datum *upper, *type;
1618        struct policydb *p = datap;
1619        int depth = 0;
1620
1621        upper = type = datum;
1622        while (upper->bounds) {
1623                if (++depth == POLICYDB_BOUNDS_MAXDEPTH) {
1624                        printk(KERN_ERR "SELinux: type %s: "
1625                               "too deep or looped boundary\n",
1626                               (char *) key);
1627                        return -EINVAL;
1628                }
1629
1630                upper = p->type_val_to_struct[upper->bounds - 1];
1631                if (upper->attribute) {
1632                        printk(KERN_ERR "SELinux: type %s: "
1633                               "bounded by attribute %s",
1634                               (char *) key,
1635                               p->p_type_val_to_name[upper->value - 1]);
1636                        return -EINVAL;
1637                }
1638        }
1639
1640        return 0;
1641}
1642
1643static int policydb_bounds_sanity_check(struct policydb *p)
1644{
1645        int rc;
1646
1647        if (p->policyvers < POLICYDB_VERSION_BOUNDARY)
1648                return 0;
1649
1650        rc = hashtab_map(p->p_users.table,
1651                         user_bounds_sanity_check, p);
1652        if (rc)
1653                return rc;
1654
1655        rc = hashtab_map(p->p_roles.table,
1656                         role_bounds_sanity_check, p);
1657        if (rc)
1658                return rc;
1659
1660        rc = hashtab_map(p->p_types.table,
1661                         type_bounds_sanity_check, p);
1662        if (rc)
1663                return rc;
1664
1665        return 0;
1666}
1667
1668extern int ss_initialized;
1669
1670u16 string_to_security_class(struct policydb *p, const char *name)
1671{
1672        struct class_datum *cladatum;
1673
1674        cladatum = hashtab_search(p->p_classes.table, name);
1675        if (!cladatum)
1676                return 0;
1677
1678        return cladatum->value;
1679}
1680
1681u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name)
1682{
1683        struct class_datum *cladatum;
1684        struct perm_datum *perdatum = NULL;
1685        struct common_datum *comdatum;
1686
1687        if (!tclass || tclass > p->p_classes.nprim)
1688                return 0;
1689
1690        cladatum = p->class_val_to_struct[tclass-1];
1691        comdatum = cladatum->comdatum;
1692        if (comdatum)
1693                perdatum = hashtab_search(comdatum->permissions.table,
1694                                          name);
1695        if (!perdatum)
1696                perdatum = hashtab_search(cladatum->permissions.table,
1697                                          name);
1698        if (!perdatum)
1699                return 0;
1700
1701        return 1U << (perdatum->value-1);
1702}
1703
1704/*
1705 * Read the configuration data from a policy database binary
1706 * representation file into a policy database structure.
1707 */
1708int policydb_read(struct policydb *p, void *fp)
1709{
1710        struct role_allow *ra, *lra;
1711        struct role_trans *tr, *ltr;
1712        struct ocontext *l, *c, *newc;
1713        struct genfs *genfs_p, *genfs, *newgenfs;
1714        int i, j, rc;
1715        __le32 buf[4];
1716        u32 nodebuf[8];
1717        u32 len, len2, nprim, nel, nel2;
1718        char *policydb_str;
1719        struct policydb_compat_info *info;
1720        struct range_trans *rt;
1721        struct mls_range *r;
1722
1723        rc = policydb_init(p);
1724        if (rc)
1725                goto out;
1726
1727        /* Read the magic number and string length. */
1728        rc = next_entry(buf, fp, sizeof(u32) * 2);
1729        if (rc < 0)
1730                goto bad;
1731
1732        if (le32_to_cpu(buf[0]) != POLICYDB_MAGIC) {
1733                printk(KERN_ERR "SELinux:  policydb magic number 0x%x does "
1734                       "not match expected magic number 0x%x\n",
1735                       le32_to_cpu(buf[0]), POLICYDB_MAGIC);
1736                goto bad;
1737        }
1738
1739        len = le32_to_cpu(buf[1]);
1740        if (len != strlen(POLICYDB_STRING)) {
1741                printk(KERN_ERR "SELinux:  policydb string length %d does not "
1742                       "match expected length %Zu\n",
1743                       len, strlen(POLICYDB_STRING));
1744                goto bad;
1745        }
1746        policydb_str = kmalloc(len + 1, GFP_KERNEL);
1747        if (!policydb_str) {
1748                printk(KERN_ERR "SELinux:  unable to allocate memory for policydb "
1749                       "string of length %d\n", len);
1750                rc = -ENOMEM;
1751                goto bad;
1752        }
1753        rc = next_entry(policydb_str, fp, len);
1754        if (rc < 0) {
1755                printk(KERN_ERR "SELinux:  truncated policydb string identifier\n");
1756                kfree(policydb_str);
1757                goto bad;
1758        }
1759        policydb_str[len] = '\0';
1760        if (strcmp(policydb_str, POLICYDB_STRING)) {
1761                printk(KERN_ERR "SELinux:  policydb string %s does not match "
1762                       "my string %s\n", policydb_str, POLICYDB_STRING);
1763                kfree(policydb_str);
1764                goto bad;
1765        }
1766        /* Done with policydb_str. */
1767        kfree(policydb_str);
1768        policydb_str = NULL;
1769
1770        /* Read the version and table sizes. */
1771        rc = next_entry(buf, fp, sizeof(u32)*4);
1772        if (rc < 0)
1773                goto bad;
1774
1775        p->policyvers = le32_to_cpu(buf[0]);
1776        if (p->policyvers < POLICYDB_VERSION_MIN ||
1777            p->policyvers > POLICYDB_VERSION_MAX) {
1778                printk(KERN_ERR "SELinux:  policydb version %d does not match "
1779                       "my version range %d-%d\n",
1780                       le32_to_cpu(buf[0]), POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
1781                goto bad;
1782        }
1783
1784        if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_MLS)) {
1785                p->mls_enabled = 1;
1786
1787                if (p->policyvers < POLICYDB_VERSION_MLS) {
1788                        printk(KERN_ERR "SELinux: security policydb version %d "
1789                                "(MLS) not backwards compatible\n",
1790                                p->policyvers);
1791                        goto bad;
1792                }
1793        }
1794        p->reject_unknown = !!(le32_to_cpu(buf[1]) & REJECT_UNKNOWN);
1795        p->allow_unknown = !!(le32_to_cpu(buf[1]) & ALLOW_UNKNOWN);
1796
1797        if (p->policyvers >= POLICYDB_VERSION_POLCAP &&
1798            ebitmap_read(&p->policycaps, fp) != 0)
1799                goto bad;
1800
1801        if (p->policyvers >= POLICYDB_VERSION_PERMISSIVE &&
1802            ebitmap_read(&p->permissive_map, fp) != 0)
1803                goto bad;
1804
1805        info = policydb_lookup_compat(p->policyvers);
1806        if (!info) {
1807                printk(KERN_ERR "SELinux:  unable to find policy compat info "
1808                       "for version %d\n", p->policyvers);
1809                goto bad;
1810        }
1811
1812        if (le32_to_cpu(buf[2]) != info->sym_num ||
1813                le32_to_cpu(buf[3]) != info->ocon_num) {
1814                printk(KERN_ERR "SELinux:  policydb table sizes (%d,%d) do "
1815                       "not match mine (%d,%d)\n", le32_to_cpu(buf[2]),
1816                        le32_to_cpu(buf[3]),
1817                       info->sym_num, info->ocon_num);
1818                goto bad;
1819        }
1820
1821        for (i = 0; i < info->sym_num; i++) {
1822                rc = next_entry(buf, fp, sizeof(u32)*2);
1823                if (rc < 0)
1824                        goto bad;
1825                nprim = le32_to_cpu(buf[0]);
1826                nel = le32_to_cpu(buf[1]);
1827                for (j = 0; j < nel; j++) {
1828                        rc = read_f[i](p, p->symtab[i].table, fp);
1829                        if (rc)
1830                                goto bad;
1831                }
1832
1833                p->symtab[i].nprim = nprim;
1834        }
1835
1836        rc = avtab_read(&p->te_avtab, fp, p);
1837        if (rc)
1838                goto bad;
1839
1840        if (p->policyvers >= POLICYDB_VERSION_BOOL) {
1841                rc = cond_read_list(p, fp);
1842                if (rc)
1843                        goto bad;
1844        }
1845
1846        rc = next_entry(buf, fp, sizeof(u32));
1847        if (rc < 0)
1848                goto bad;
1849        nel = le32_to_cpu(buf[0]);
1850        ltr = NULL;
1851        for (i = 0; i < nel; i++) {
1852                tr = kzalloc(sizeof(*tr), GFP_KERNEL);
1853                if (!tr) {
1854                        rc = -ENOMEM;
1855                        goto bad;
1856                }
1857                if (ltr)
1858                        ltr->next = tr;
1859                else
1860                        p->role_tr = tr;
1861                rc = next_entry(buf, fp, sizeof(u32)*3);
1862                if (rc < 0)
1863                        goto bad;
1864                tr->role = le32_to_cpu(buf[0]);
1865                tr->type = le32_to_cpu(buf[1]);
1866                tr->new_role = le32_to_cpu(buf[2]);
1867                if (!policydb_role_isvalid(p, tr->role) ||
1868                    !policydb_type_isvalid(p, tr->type) ||
1869                    !policydb_role_isvalid(p, tr->new_role)) {
1870                        rc = -EINVAL;
1871                        goto bad;
1872                }
1873                ltr = tr;
1874        }
1875
1876        rc = next_entry(buf, fp, sizeof(u32));
1877        if (rc < 0)
1878                goto bad;
1879        nel = le32_to_cpu(buf[0]);
1880        lra = NULL;
1881        for (i = 0; i < nel; i++) {
1882                ra = kzalloc(sizeof(*ra), GFP_KERNEL);
1883                if (!ra) {
1884                        rc = -ENOMEM;
1885                        goto bad;
1886                }
1887                if (lra)
1888                        lra->next = ra;
1889                else
1890                        p->role_allow = ra;
1891                rc = next_entry(buf, fp, sizeof(u32)*2);
1892                if (rc < 0)
1893                        goto bad;
1894                ra->role = le32_to_cpu(buf[0]);
1895                ra->new_role = le32_to_cpu(buf[1]);
1896                if (!policydb_role_isvalid(p, ra->role) ||
1897                    !policydb_role_isvalid(p, ra->new_role)) {
1898                        rc = -EINVAL;
1899                        goto bad;
1900                }
1901                lra = ra;
1902        }
1903
1904        rc = policydb_index_classes(p);
1905        if (rc)
1906                goto bad;
1907
1908        rc = policydb_index_others(p);
1909        if (rc)
1910                goto bad;
1911
1912        p->process_class = string_to_security_class(p, "process");
1913        if (!p->process_class)
1914                goto bad;
1915        p->process_trans_perms = string_to_av_perm(p, p->process_class,
1916                                                   "transition");
1917        p->process_trans_perms |= string_to_av_perm(p, p->process_class,
1918                                                    "dyntransition");
1919        if (!p->process_trans_perms)
1920                goto bad;
1921
1922        for (i = 0; i < info->ocon_num; i++) {
1923                rc = next_entry(buf, fp, sizeof(u32));
1924                if (rc < 0)
1925                        goto bad;
1926                nel = le32_to_cpu(buf[0]);
1927                l = NULL;
1928                for (j = 0; j < nel; j++) {
1929                        c = kzalloc(sizeof(*c), GFP_KERNEL);
1930                        if (!c) {
1931                                rc = -ENOMEM;
1932                                goto bad;
1933                        }
1934                        if (l)
1935                                l->next = c;
1936                        else
1937                                p->ocontexts[i] = c;
1938                        l = c;
1939                        rc = -EINVAL;
1940                        switch (i) {
1941                        case OCON_ISID:
1942                                rc = next_entry(buf, fp, sizeof(u32));
1943                                if (rc < 0)
1944                                        goto bad;
1945                                c->sid[0] = le32_to_cpu(buf[0]);
1946                                rc = context_read_and_validate(&c->context[0], p, fp);
1947                                if (rc)
1948                                        goto bad;
1949                                break;
1950                        case OCON_FS:
1951                        case OCON_NETIF:
1952                                rc = next_entry(buf, fp, sizeof(u32));
1953                                if (rc < 0)
1954                                        goto bad;
1955                                len = le32_to_cpu(buf[0]);
1956                                c->u.name = kmalloc(len + 1, GFP_KERNEL);
1957                                if (!c->u.name) {
1958                                        rc = -ENOMEM;
1959                                        goto bad;
1960                                }
1961                                rc = next_entry(c->u.name, fp, len);
1962                                if (rc < 0)
1963                                        goto bad;
1964                                c->u.name[len] = 0;
1965                                rc = context_read_and_validate(&c->context[0], p, fp);
1966                                if (rc)
1967                                        goto bad;
1968                                rc = context_read_and_validate(&c->context[1], p, fp);
1969                                if (rc)
1970                                        goto bad;
1971                                break;
1972                        case OCON_PORT:
1973                                rc = next_entry(buf, fp, sizeof(u32)*3);
1974                                if (rc < 0)
1975                                        goto bad;
1976                                c->u.port.protocol = le32_to_cpu(buf[0]);
1977                                c->u.port.low_port = le32_to_cpu(buf[1]);
1978                                c->u.port.high_port = le32_to_cpu(buf[2]);
1979                                rc = context_read_and_validate(&c->context[0], p, fp);
1980                                if (rc)
1981                                        goto bad;
1982                                break;
1983                        case OCON_NODE:
1984                                rc = next_entry(nodebuf, fp, sizeof(u32) * 2);
1985                                if (rc < 0)
1986                                        goto bad;
1987                                c->u.node.addr = nodebuf[0]; /* network order */
1988                                c->u.node.mask = nodebuf[1]; /* network order */
1989                                rc = context_read_and_validate(&c->context[0], p, fp);
1990                                if (rc)
1991                                        goto bad;
1992                                break;
1993                        case OCON_FSUSE:
1994                                rc = next_entry(buf, fp, sizeof(u32)*2);
1995                                if (rc < 0)
1996                                        goto bad;
1997                                c->v.behavior = le32_to_cpu(buf[0]);
1998                                if (c->v.behavior > SECURITY_FS_USE_NONE)
1999                                        goto bad;
2000                                len = le32_to_cpu(buf[1]);
2001                                c->u.name = kmalloc(len + 1, GFP_KERNEL);
2002                                if (!c->u.name) {
2003                                        rc = -ENOMEM;
2004                                        goto bad;
2005                                }
2006                                rc = next_entry(c->u.name, fp, len);
2007                                if (rc < 0)
2008                                        goto bad;
2009                                c->u.name[len] = 0;
2010                                rc = context_read_and_validate(&c->context[0], p, fp);
2011                                if (rc)
2012                                        goto bad;
2013                                break;
2014                        case OCON_NODE6: {
2015                                int k;
2016
2017                                rc = next_entry(nodebuf, fp, sizeof(u32) * 8);
2018                                if (rc < 0)
2019                                        goto bad;
2020                                for (k = 0; k < 4; k++)
2021                                        c->u.node6.addr[k] = nodebuf[k];
2022                                for (k = 0; k < 4; k++)
2023                                        c->u.node6.mask[k] = nodebuf[k+4];
2024                                if (context_read_and_validate(&c->context[0], p, fp))
2025                                        goto bad;
2026                                break;
2027                        }
2028                        }
2029                }
2030        }
2031
2032        rc = next_entry(buf, fp, sizeof(u32));
2033        if (rc < 0)
2034                goto bad;
2035        nel = le32_to_cpu(buf[0]);
2036        genfs_p = NULL;
2037        rc = -EINVAL;
2038        for (i = 0; i < nel; i++) {
2039                rc = next_entry(buf, fp, sizeof(u32));
2040                if (rc < 0)
2041                        goto bad;
2042                len = le32_to_cpu(buf[0]);
2043                newgenfs = kzalloc(sizeof(*newgenfs), GFP_KERNEL);
2044                if (!newgenfs) {
2045                        rc = -ENOMEM;
2046                        goto bad;
2047                }
2048
2049                newgenfs->fstype = kmalloc(len + 1, GFP_KERNEL);
2050                if (!newgenfs->fstype) {
2051                        rc = -ENOMEM;
2052                        kfree(newgenfs);
2053                        goto bad;
2054                }
2055                rc = next_entry(newgenfs->fstype, fp, len);
2056                if (rc < 0) {
2057                        kfree(newgenfs->fstype);
2058                        kfree(newgenfs);
2059                        goto bad;
2060                }
2061                newgenfs->fstype[len] = 0;
2062                for (genfs_p = NULL, genfs = p->genfs; genfs;
2063                     genfs_p = genfs, genfs = genfs->next) {
2064                        if (strcmp(newgenfs->fstype, genfs->fstype) == 0) {
2065                                printk(KERN_ERR "SELinux:  dup genfs "
2066                                       "fstype %s\n", newgenfs->fstype);
2067                                kfree(newgenfs->fstype);
2068                                kfree(newgenfs);
2069                                goto bad;
2070                        }
2071                        if (strcmp(newgenfs->fstype, genfs->fstype) < 0)
2072                                break;
2073                }
2074                newgenfs->next = genfs;
2075                if (genfs_p)
2076                        genfs_p->next = newgenfs;
2077                else
2078                        p->genfs = newgenfs;
2079                rc = next_entry(buf, fp, sizeof(u32));
2080                if (rc < 0)
2081                        goto bad;
2082                nel2 = le32_to_cpu(buf[0]);
2083                for (j = 0; j < nel2; j++) {
2084                        rc = next_entry(buf, fp, sizeof(u32));
2085                        if (rc < 0)
2086                                goto bad;
2087                        len = le32_to_cpu(buf[0]);
2088
2089                        newc = kzalloc(sizeof(*newc), GFP_KERNEL);
2090                        if (!newc) {
2091                                rc = -ENOMEM;
2092                                goto bad;
2093                        }
2094
2095                        newc->u.name = kmalloc(len + 1, GFP_KERNEL);
2096                        if (!newc->u.name) {
2097                                rc = -ENOMEM;
2098                                goto bad_newc;
2099                        }
2100                        rc = next_entry(newc->u.name, fp, len);
2101                        if (rc < 0)
2102                                goto bad_newc;
2103                        newc->u.name[len] = 0;
2104                        rc = next_entry(buf, fp, sizeof(u32));
2105                        if (rc < 0)
2106                                goto bad_newc;
2107                        newc->v.sclass = le32_to_cpu(buf[0]);
2108                        if (context_read_and_validate(&newc->context[0], p, fp))
2109                                goto bad_newc;
2110                        for (l = NULL, c = newgenfs->head; c;
2111                             l = c, c = c->next) {
2112                                if (!strcmp(newc->u.name, c->u.name) &&
2113                                    (!c->v.sclass || !newc->v.sclass ||
2114                                     newc->v.sclass == c->v.sclass)) {
2115                                        printk(KERN_ERR "SELinux:  dup genfs "
2116                                               "entry (%s,%s)\n",
2117                                               newgenfs->fstype, c->u.name);
2118                                        goto bad_newc;
2119                                }
2120                                len = strlen(newc->u.name);
2121                                len2 = strlen(c->u.name);
2122                                if (len > len2)
2123                                        break;
2124                        }
2125
2126                        newc->next = c;
2127                        if (l)
2128                                l->next = newc;
2129                        else
2130                                newgenfs->head = newc;
2131                }
2132        }
2133
2134        if (p->policyvers >= POLICYDB_VERSION_MLS) {
2135                int new_rangetr = p->policyvers >= POLICYDB_VERSION_RANGETRANS;
2136                rc = next_entry(buf, fp, sizeof(u32));
2137                if (rc < 0)
2138                        goto bad;
2139                nel = le32_to_cpu(buf[0]);
2140                for (i = 0; i < nel; i++) {
2141                        rt = kzalloc(sizeof(*rt), GFP_KERNEL);
2142                        if (!rt) {
2143                                rc = -ENOMEM;
2144                                goto bad;
2145                        }
2146                        rc = next_entry(buf, fp, (sizeof(u32) * 2));
2147                        if (rc < 0) {
2148                                kfree(rt);
2149                                goto bad;
2150                        }
2151                        rt->source_type = le32_to_cpu(buf[0]);
2152                        rt->target_type = le32_to_cpu(buf[1]);
2153                        if (new_rangetr) {
2154                                rc = next_entry(buf, fp, sizeof(u32));
2155                                if (rc < 0) {
2156                                        kfree(rt);
2157                                        goto bad;
2158                                }
2159                                rt->target_class = le32_to_cpu(buf[0]);
2160                        } else
2161                                rt->target_class = p->process_class;
2162                        if (!policydb_type_isvalid(p, rt->source_type) ||
2163                            !policydb_type_isvalid(p, rt->target_type) ||
2164                            !policydb_class_isvalid(p, rt->target_class)) {
2165                                kfree(rt);
2166                                rc = -EINVAL;
2167                                goto bad;
2168                        }
2169                        r = kzalloc(sizeof(*r), GFP_KERNEL);
2170                        if (!r) {
2171                                kfree(rt);
2172                                rc = -ENOMEM;
2173                                goto bad;
2174                        }
2175                        rc = mls_read_range_helper(r, fp);
2176                        if (rc) {
2177                                kfree(rt);
2178                                kfree(r);
2179                                goto bad;
2180                        }
2181                        if (!mls_range_isvalid(p, r)) {
2182                                printk(KERN_WARNING "SELinux:  rangetrans:  invalid range\n");
2183                                kfree(rt);
2184                                kfree(r);
2185                                goto bad;
2186                        }
2187                        rc = hashtab_insert(p->range_tr, rt, r);
2188                        if (rc) {
2189                                kfree(rt);
2190                                kfree(r);
2191                                goto bad;
2192                        }
2193                }
2194                rangetr_hash_eval(p->range_tr);
2195        }
2196
2197        p->type_attr_map = kmalloc(p->p_types.nprim * sizeof(struct ebitmap), GFP_KERNEL);
2198        if (!p->type_attr_map)
2199                goto bad;
2200
2201        for (i = 0; i < p->p_types.nprim; i++) {
2202                ebitmap_init(&p->type_attr_map[i]);
2203                if (p->policyvers >= POLICYDB_VERSION_AVTAB) {
2204                        if (ebitmap_read(&p->type_attr_map[i], fp))
2205                                goto bad;
2206                }
2207                /* add the type itself as the degenerate case */
2208                if (ebitmap_set_bit(&p->type_attr_map[i], i, 1))
2209                                goto bad;
2210        }
2211
2212        rc = policydb_bounds_sanity_check(p);
2213        if (rc)
2214                goto bad;
2215
2216        rc = 0;
2217out:
2218        return rc;
2219bad_newc:
2220        ocontext_destroy(newc, OCON_FSUSE);
2221bad:
2222        if (!rc)
2223                rc = -EINVAL;
2224        policydb_destroy(p);
2225        goto out;
2226}
2227
lxr.linux.no kindly hosted by Redpill Linpro AS, provider of Linux consulting and operations services since 1995.