diff mbox series

[3/8] Revert "checkpolicy,libsepol: add prefix/suffix support to kernel policy"

Message ID 20230726142549.94685-4-jwcart2@gmail.com (mailing list archive)
State Accepted
Commit 748614b73cad
Delegated to: Petr Lautrbach
Headers show
Series Revert the prefix/suffix filename transition patches | expand

Commit Message

James Carter July 26, 2023, 2:25 p.m. UTC
This reverts commit 1174483d2924dc700673363b240fca2b9fe45786.

Signed-off-by: James Carter <jwcart2@gmail.com>
---
 checkpolicy/test/dispol.c                  |  25 +----
 libsepol/include/sepol/policydb/avtab.h    |   2 -
 libsepol/include/sepol/policydb/policydb.h |   9 +-
 libsepol/src/avtab.c                       |  13 ---
 libsepol/src/kernel_to_cil.c               |  30 +-----
 libsepol/src/kernel_to_common.h            |   1 -
 libsepol/src/kernel_to_conf.c              |  30 +-----
 libsepol/src/policydb.c                    |   7 --
 libsepol/src/policydb_validate.c           |  11 +-
 libsepol/src/write.c                       | 113 ++++-----------------
 10 files changed, 30 insertions(+), 211 deletions(-)
diff mbox series

Patch

diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
index 776bf54d..861fa903 100644
--- a/checkpolicy/test/dispol.c
+++ b/checkpolicy/test/dispol.c
@@ -129,7 +129,6 @@  typedef struct {
 	avtab_key_t *key;
 	policydb_t *p;
 	FILE *fp;
-	name_trans_match_t match;
 } render_name_trans_args_t;
 
 static int render_name_trans_helper(hashtab_key_t k, hashtab_datum_t d, void *a)
@@ -141,22 +140,7 @@  static int render_name_trans_helper(hashtab_key_t k, hashtab_datum_t d, void *a)
 	fprintf(args->fp, "type_transition ");
 	render_key(args->key, args->p, args->fp);
 	render_type(*otype, args->p, args->fp);
-	const char *match_str = "";
-	switch (args->match) {
-	case NAME_TRANS_MATCH_EXACT:
-		match_str = "";
-		break;
-	case NAME_TRANS_MATCH_PREFIX:
-		match_str = " PREFIX";
-		break;
-	case NAME_TRANS_MATCH_SUFFIX:
-		match_str = " SUFFIX";
-		break;
-	default:
-		fprintf(args->fp, "     ERROR: no valid name match type specified\n");
-		return -1;
-	}
-	fprintf(args->fp, " \"%s\"%s;\n", name, match_str);
+	fprintf(args->fp, " \"%s\";\n", name);
 
 	return 0;
 }
@@ -223,16 +207,9 @@  static int render_av_rule(avtab_key_t * key, avtab_datum_t * datum, uint32_t wha
 				.key = key,
 				.p = p,
 				.fp = fp,
-				.match = NAME_TRANS_MATCH_EXACT,
 			};
 			hashtab_map(datum->trans->name_trans.table,
 				    render_name_trans_helper, &args);
-			args.match = NAME_TRANS_MATCH_PREFIX;
-			hashtab_map(datum->trans->prefix_trans.table,
-				    render_name_trans_helper, &args);
-			args.match = NAME_TRANS_MATCH_SUFFIX;
-			hashtab_map(datum->trans->suffix_trans.table,
-				    render_name_trans_helper, &args);
 		}
 		if (key->specified & AVTAB_MEMBER) {
 			fprintf(fp, "type_member ");
diff --git a/libsepol/include/sepol/policydb/avtab.h b/libsepol/include/sepol/policydb/avtab.h
index 870fb08a..5dc720cc 100644
--- a/libsepol/include/sepol/policydb/avtab.h
+++ b/libsepol/include/sepol/policydb/avtab.h
@@ -74,8 +74,6 @@  typedef struct avtab_key {
 typedef struct avtab_trans {
 	uint32_t otype;		/* resulting type of the new object */
 	symtab_t name_trans;	/* filename transitions */
-	symtab_t prefix_trans;	/* prefix filename transitions */
-	symtab_t suffix_trans;	/* prefix filename transitions */
 } avtab_trans_t;
 
 typedef struct avtab_extended_perms {
diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h
index a2df4a62..5efd0a47 100644
--- a/libsepol/include/sepol/policydb/policydb.h
+++ b/libsepol/include/sepol/policydb/policydb.h
@@ -252,12 +252,6 @@  typedef struct av_extended_perms {
 	uint32_t perms[EXTENDED_PERMS_LEN];
 } av_extended_perms_t;
 
-typedef enum name_trans_match {
-	NAME_TRANS_MATCH_EXACT,
-	NAME_TRANS_MATCH_PREFIX,
-	NAME_TRANS_MATCH_SUFFIX,
-} name_trans_match_t;
-
 typedef struct avrule {
 /* these typedefs are almost exactly the same as those in avtab.h - they are
  * here because of the need to include neverallow and dontaudit messages */
@@ -729,11 +723,10 @@  extern int policydb_set_target_platform(policydb_t *p, int platform);
 #define POLICYDB_VERSION_GLBLUB		32
 #define POLICYDB_VERSION_COMP_FTRANS	33 /* compressed filename transitions */
 #define POLICYDB_VERSION_AVTAB_FTRANS	34 /* filename transitions moved to avtab */
-#define POLICYDB_VERSION_PREFIX_SUFFIX	35 /* prefix/suffix support for filename transitions */
 
 /* Range of policy versions we understand*/
 #define POLICYDB_VERSION_MIN	POLICYDB_VERSION_BASE
-#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_PREFIX_SUFFIX
+#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_AVTAB_FTRANS
 
 /* Module versions and specific changes*/
 #define MOD_POLICYDB_VERSION_BASE		4
diff --git a/libsepol/src/avtab.c b/libsepol/src/avtab.c
index 90cfb90b..2a9564ba 100644
--- a/libsepol/src/avtab.c
+++ b/libsepol/src/avtab.c
@@ -327,10 +327,6 @@  void avtab_trans_destroy(avtab_trans_t *trans)
 {
 	hashtab_map(trans->name_trans.table, avtab_trans_destroy_helper, NULL);
 	symtab_destroy(&trans->name_trans);
-	hashtab_map(trans->prefix_trans.table, avtab_trans_destroy_helper, NULL);
-	symtab_destroy(&trans->prefix_trans);
-	hashtab_map(trans->suffix_trans.table, avtab_trans_destroy_helper, NULL);
-	symtab_destroy(&trans->suffix_trans);
 }
 
 void avtab_destroy(avtab_t * h)
@@ -524,15 +520,6 @@  static int avtab_trans_read(policy_file_t *fp, uint32_t vers,
 	if (rc < 0)
 		goto bad;
 
-	if (vers >= POLICYDB_VERSION_PREFIX_SUFFIX) {
-		rc = avtab_read_name_trans(fp, &trans->prefix_trans);
-		if (rc < 0)
-			goto bad;
-		rc = avtab_read_name_trans(fp, &trans->suffix_trans);
-		if (rc < 0)
-			goto bad;
-	}
-
 	return SEPOL_OK;
 
 bad:
diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index 30a67017..8ed695f1 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
@@ -1705,24 +1705,9 @@  static int name_trans_to_strs_helper(hashtab_key_t k, hashtab_datum_t d, void *a
 	char *name = k;
 	uint32_t *otype = d;
 	name_trans_to_strs_args_t *args = a;
-	const char *match_str = "";
-	switch (args->match) {
-	case NAME_TRANS_MATCH_EXACT:
-		match_str = "";
-		break;
-	case NAME_TRANS_MATCH_PREFIX:
-		match_str = " prefix";
-		break;
-	case NAME_TRANS_MATCH_SUFFIX:
-		match_str = " suffix";
-		break;
-	default:
-		ERR(NULL, "Unknown name match type: %" PRIu8, args->match);
-		return SEPOL_ERR;
-	}
-	return strs_create_and_add(args->strs, "(%s %s %s %s \"%s\"%s %s)", 7,
+	return strs_create_and_add(args->strs, "(%s %s %s %s \"%s\" %s)", 6,
 				   args->flavor, args->src, args->tgt,
-				   args->class, name, match_str,
+				   args->class, name,
 				   args->pdb->p_type_val_to_name[*otype - 1]);
 }
 
@@ -1810,20 +1795,9 @@  static int avtab_node_to_strs(struct policydb *pdb, avtab_key_t *key, avtab_datu
 			.src = src,
 			.tgt = tgt,
 			.class = class,
-			.match = NAME_TRANS_MATCH_EXACT,
 		};
 		rc = hashtab_map(datum->trans->name_trans.table,
 				 name_trans_to_strs_helper, &args);
-		if (rc < 0)
-			return rc;
-		args.match = NAME_TRANS_MATCH_PREFIX;
-		rc = hashtab_map(datum->trans->prefix_trans.table,
-				 name_trans_to_strs_helper, &args);
-		if (rc < 0)
-			return rc;
-		args.match = NAME_TRANS_MATCH_SUFFIX;
-		rc = hashtab_map(datum->trans->suffix_trans.table,
-				 name_trans_to_strs_helper, &args);
 	} else {
 		new = pdb->p_type_val_to_name[data - 1];
 
diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h
index 07869e3d..b8ea237d 100644
--- a/libsepol/src/kernel_to_common.h
+++ b/libsepol/src/kernel_to_common.h
@@ -90,7 +90,6 @@  typedef struct {
 	const char *src;
 	const char *tgt;
 	const char *class;
-	name_trans_match_t match;
 } name_trans_to_strs_args_t;
 
 void sepol_indent(FILE *out, int indent);
diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
index b1699b39..eb14ccf1 100644
--- a/libsepol/src/kernel_to_conf.c
+++ b/libsepol/src/kernel_to_conf.c
@@ -1683,26 +1683,11 @@  static int name_trans_to_strs_helper(hashtab_key_t k, hashtab_datum_t d, void *a
 	char *name = k;
 	uint32_t *otype = d;
 	name_trans_to_strs_args_t *args = a;
-	const char *match_str = "";
-	switch (args->match) {
-	case NAME_TRANS_MATCH_EXACT:
-		match_str = "";
-		break;
-	case NAME_TRANS_MATCH_PREFIX:
-		match_str = " PREFIX";
-		break;
-	case NAME_TRANS_MATCH_SUFFIX:
-		match_str = " SUFFIX";
-		break;
-	default:
-		ERR(NULL, "Unknown name match type: %" PRIu8, args->match);
-		return SEPOL_ERR;
-	}
-	return strs_create_and_add(args->strs, "%s %s %s:%s %s \"%s\"%s;", 7,
+	return strs_create_and_add(args->strs, "%s %s %s:%s %s \"%s\";", 6,
 				   args->flavor, args->src, args->tgt,
 				   args->class,
 				   args->pdb->p_type_val_to_name[*otype - 1],
-				   name, match_str);
+				   name);
 }
 
 static int avtab_node_to_strs(struct policydb *pdb, avtab_key_t *key, avtab_datum_t *datum, struct strs *strs)
@@ -1786,20 +1771,9 @@  static int avtab_node_to_strs(struct policydb *pdb, avtab_key_t *key, avtab_datu
 			.src = src,
 			.tgt = tgt,
 			.class = class,
-			.match = NAME_TRANS_MATCH_EXACT,
 		};
 		rc = hashtab_map(datum->trans->name_trans.table,
 				 name_trans_to_strs_helper, &args);
-		if (rc < 0)
-			return rc;
-		args.match = NAME_TRANS_MATCH_PREFIX;
-		rc = hashtab_map(datum->trans->prefix_trans.table,
-				 name_trans_to_strs_helper, &args);
-		if (rc < 0)
-			return rc;
-		args.match = NAME_TRANS_MATCH_SUFFIX;
-		rc = hashtab_map(datum->trans->suffix_trans.table,
-				 name_trans_to_strs_helper, &args);
 	} else {
 		new = pdb->p_type_val_to_name[data - 1];
 
diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index f1f6cec6..37bb97a1 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -215,13 +215,6 @@  static const struct policydb_compat_info policydb_compat[] = {
 	 .ocon_num = OCON_IBENDPORT + 1,
 	 .target_platform = SEPOL_TARGET_SELINUX,
 	},
-	{
-	 .type = POLICY_KERN,
-	 .version = POLICYDB_VERSION_PREFIX_SUFFIX,
-	 .sym_num = SYM_NUM,
-	 .ocon_num = OCON_IBENDPORT + 1,
-	 .target_platform = SEPOL_TARGET_SELINUX,
-	},
 	{
 	 .type = POLICY_BASE,
 	 .version = MOD_POLICYDB_VERSION_BASE,
diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
index 08b4a477..0b8e8eee 100644
--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@@ -855,18 +855,11 @@  static int validate_avtab_key_and_datum(avtab_key_t *k, avtab_datum_t *d, void *
 
 		/* also each transition must be non empty */
 		if (!d->trans->otype &&
-		    !hashtab_nel(d->trans->name_trans.table) &&
-		    !hashtab_nel(d->trans->name_trans.table) &&
-		    !hashtab_nel(d->trans->prefix_trans.table) &&
-		    !hashtab_nel(d->trans->suffix_trans.table))
+		    !hashtab_nel(d->trans->name_trans.table))
 			return -1;
 
-		/* and each name transition must be also valid */
+		/* and each filename transition must be also valid */
 		if (hashtab_map(d->trans->name_trans.table,
-				validate_name_trans_helper, margs) ||
-		    hashtab_map(d->trans->prefix_trans.table,
-				validate_name_trans_helper, margs) ||
-		    hashtab_map(d->trans->suffix_trans.table,
 				validate_name_trans_helper, margs))
 			return -1;
 	} else if ((k->specified & AVTAB_TYPE) && validate_simpletype(d->data, margs->policy, margs->flavors)) {
diff --git a/libsepol/src/write.c b/libsepol/src/write.c
index df47197c..d7f47c8d 100644
--- a/libsepol/src/write.c
+++ b/libsepol/src/write.c
@@ -133,43 +133,16 @@  static int avtab_trans_write(policydb_t *p, const avtab_trans_t *cur,
 	uint32_t buf32[2];
 
 	if (p->policyvers >= POLICYDB_VERSION_AVTAB_FTRANS) {
-		/* write otype and number of name transitions */
+		/* write otype and number of filename transitions */
 		buf32[0] = cpu_to_le32(cur->otype);
 		buf32[1] = cpu_to_le32(hashtab_nel(cur->name_trans.table));
 		items = put_entry(buf32, sizeof(uint32_t), 2, fp);
 		if (items != 2)
 			return -1;
 
-		/* write name transitions */
-		if (hashtab_map(cur->name_trans.table,
-				avtab_trans_write_helper, fp))
-			return -1;
-
-		if (p->policyvers >= POLICYDB_VERSION_PREFIX_SUFFIX) {
-			/* write number of prefix transitions */
-			buf32[0] = cpu_to_le32(hashtab_nel(
-					cur->prefix_trans.table));
-			items = put_entry(buf32, sizeof(uint32_t), 1, fp);
-			if (items != 1)
-				return -1;
-
-			/* write prefix transitions */
-			if (hashtab_map(cur->prefix_trans.table,
-					avtab_trans_write_helper, fp))
-				return -1;
-
-			/* write number of suffix transitions */
-			buf32[0] = cpu_to_le32(hashtab_nel(
-					cur->suffix_trans.table));
-			items = put_entry(buf32, sizeof(uint32_t), 1, fp);
-			if (items != 1)
-				return -1;
-
-			/* write suffix transitions */
-			if (hashtab_map(cur->suffix_trans.table,
-					avtab_trans_write_helper, fp))
-				return -1;
-		}
+		/* write filename transitions */
+		return hashtab_map(cur->name_trans.table,
+				   avtab_trans_write_helper, fp);
 	} else if (cur->otype) {
 		buf32[0] = cpu_to_le32(cur->otype);
 		items = put_entry(buf32, sizeof(uint32_t), 1, fp);
@@ -195,26 +168,14 @@  static int avtab_write_item(policydb_t * p,
 
 	/*
 	 * skip entries which only contain filename transitions in versions
-	 * before filename transitions were moved to avtab,
-	 * skip entries which only contain prefix/suffix transitions in versions
-	 * before prefix/suffix filename transitions
+	 * before filename transitions were moved to avtab
 	 */
-	if (cur->key.specified & AVTAB_TRANSITION) {
-		if (p->policyvers < POLICYDB_VERSION_AVTAB_FTRANS &&
-		    cur->key.specified & AVTAB_TRANSITION &&
-		    !cur->datum.trans->otype) {
-                        /*
-                         * if oldvers, reduce nel, because this node will be
-                         * skipped
-			 */
-                        if (oldvers && nel)
-				(*nel)--;
-			return 0;
-		}
-		if (p->policyvers < POLICYDB_VERSION_PREFIX_SUFFIX &&
-		    !cur->datum.trans->otype &&
-		    !hashtab_nel(cur->datum.trans->name_trans.table))
-			return 0;
+	if (p->policyvers < POLICYDB_VERSION_AVTAB_FTRANS &&
+	    cur->key.specified & AVTAB_TRANSITION && !cur->datum.trans->otype) {
+		/* if oldvers, reduce nel, because this node will be skipped */
+		if (oldvers && nel)
+			(*nel)--;
+		return 0;
 	}
 
 	if (oldvers) {
@@ -417,27 +378,17 @@  static int avtab_write(struct policydb *p, avtab_t * a, struct policy_file *fp)
 		 * filename transitions.
 		 */
 		nel = a->nel;
-		for (i = 0; i < a->nslot; i++) {
-			for (cur = a->htable[i]; cur; cur = cur->next) {
-				if (!(cur->key.specified & AVTAB_TRANSITION))
-					continue;
-                                if (p->policyvers < POLICYDB_VERSION_AVTAB_FTRANS &&
-				    !cur->datum.trans->otype) {
-                                        /*
-                                         * entries containing only filename
-                                         * transitions are skipped and written
-                                         * out later
-                                         */
-                                        nel--;
-				} else if (p->policyvers < POLICYDB_VERSION_PREFIX_SUFFIX &&
-					   !cur->datum.trans->otype &&
-					   !hashtab_nel(cur->datum.trans->name_trans.table)) {
-					/*
-					 * entries containing only prefix/suffix
-					 * transitions are not supported in
-					 * previous versions
-					 */
-					nel--;
+		if (p->policyvers < POLICYDB_VERSION_AVTAB_FTRANS) {
+			/*
+			 * entries containing only filename transitions are
+			 * skipped and written out later
+			 */
+			for (i = 0; i < a->nslot; i++) {
+				for (cur = a->htable[i]; cur; cur = cur->next) {
+					if ((cur->key.specified
+					     & AVTAB_TRANSITION) &&
+					    !cur->datum.trans->otype)
+						nel--;
 				}
 			}
 		}
@@ -2569,22 +2520,6 @@  static int avtab_has_filename_transitions(avtab_t *a)
 	return 0;
 }
 
-static int avtab_has_prefix_suffix_filename_transitions(avtab_t *a)
-{
-	uint32_t i;
-	struct avtab_node *cur;
-	for (i = 0; i < a->nslot; i++) {
-		for (cur = a->htable[i]; cur; cur = cur->next) {
-			if (cur->key.specified & AVTAB_TRANSITION) {
-				if (hashtab_nel(cur->datum.trans->prefix_trans.table)
-				    || hashtab_nel(cur->datum.trans->suffix_trans.table))
-					return 1;
-			}
-		}
-	}
-	return 0;
-}
-
 /*
  * Write the configuration data in a policy database
  * structure to a policy database binary representation
@@ -2751,10 +2686,6 @@  int policydb_write(policydb_t * p, struct policy_file *fp)
 	if (p->policy_type == POLICY_KERN) {
 		if (avtab_write(p, &p->te_avtab, fp))
 			return POLICYDB_ERROR;
-		if (avtab_has_prefix_suffix_filename_transitions(&p->te_avtab)) {
-			WARN(fp->handle,
-			     "Discarding filename prefix/suffix type transition rules");
-		}
 		if (p->policyvers < POLICYDB_VERSION_BOOL) {
 			if (p->p_bools.nprim)
 				WARN(fp->handle, "Discarding "