From patchwork Wed Jul 26 14:25:42 2023
X-Patchwork-Submitter: James Carter
X-Patchwork-Id: 13328160
X-Patchwork-Delegate: plautrba@redhat.com
From: James Carter
To: selinux@vger.kernel.org
Cc: juraj@jurajmarcin.com, James Carter
Subject: [PATCH 1/8] Revert "libsepol/cil: add support for prefix/suffix filename transtions to CIL"
Date: Wed, 26 Jul 2023 10:25:42 -0400
Message-ID: <20230726142549.94685-2-jwcart2@gmail.com>
In-Reply-To: <20230726142549.94685-1-jwcart2@gmail.com>
References: <20230726142549.94685-1-jwcart2@gmail.com>
X-Mailing-List: selinux@vger.kernel.org

This reverts commit 0c50de03cd38ef80dc6c5df9acef027f4b5c9526.
Signed-off-by: James Carter --- libsepol/cil/src/cil.c | 6 ------ libsepol/cil/src/cil_binary.c | 8 ++++---- libsepol/cil/src/cil_build_ast.c | 26 +++++--------------------- libsepol/cil/src/cil_copy_ast.c | 1 - libsepol/cil/src/cil_internal.h | 4 ---- libsepol/cil/src/cil_policy.c | 17 +---------------- libsepol/cil/src/cil_resolve_ast.c | 10 ---------- libsepol/cil/src/cil_write_ast.c | 2 -- 8 files changed, 10 insertions(+), 64 deletions(-) diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c index fa693020..38edcf8e 100644 --- a/libsepol/cil/src/cil.c +++ b/libsepol/cil/src/cil.c @@ -95,8 +95,6 @@ char *CIL_KEY_TUNABLEIF; char *CIL_KEY_ALLOW; char *CIL_KEY_DONTAUDIT; char *CIL_KEY_TYPETRANSITION; -char *CIL_KEY_PREFIX; -char *CIL_KEY_SUFFIX; char *CIL_KEY_TYPECHANGE; char *CIL_KEY_CALL; char *CIL_KEY_TUNABLE; @@ -266,8 +264,6 @@ static void cil_init_keys(void) CIL_KEY_ALLOW = cil_strpool_add("allow"); CIL_KEY_DONTAUDIT = cil_strpool_add("dontaudit"); CIL_KEY_TYPETRANSITION = cil_strpool_add("typetransition"); - CIL_KEY_PREFIX = cil_strpool_add("prefix"); - CIL_KEY_SUFFIX = cil_strpool_add("suffix"); CIL_KEY_TYPECHANGE = cil_strpool_add("typechange"); CIL_KEY_CALL = cil_strpool_add("call"); CIL_KEY_TUNABLE = cil_strpool_add("tunable"); @@ -2391,8 +2387,6 @@ void cil_nametypetransition_init(struct cil_nametypetransition **nametypetrans) (*nametypetrans)->obj = NULL; (*nametypetrans)->name_str = NULL; (*nametypetrans)->name = NULL; - (*nametypetrans)->name_match_str = NULL; - (*nametypetrans)->name_match = NAME_TRANS_MATCH_EXACT; (*nametypetrans)->result_str = NULL; (*nametypetrans)->result = NULL; } diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c index ea0cef32..ffa44be7 100644 --- a/libsepol/cil/src/cil_binary.c +++ b/libsepol/cil/src/cil_binary.c 
@@ -1193,7 +1193,7 @@ static int __cil_typetransition_to_avtab_helper(policydb_t *pdb, type_datum_t *sepol_src, type_datum_t *sepol_tgt, struct cil_list *class_list, - char *name, uint8_t name_match, + char *name, type_datum_t *sepol_result) { int rc; @@ -1211,7 +1211,7 @@ static int __cil_typetransition_to_avtab_helper(policydb_t *pdb, avt_key.target_type = sepol_tgt->s.value; avt_key.target_class = sepol_obj->s.value; rc = avtab_insert_filename_trans(&pdb->te_avtab, &avt_key, - sepol_result->s.value, name, name_match, + sepol_result->s.value, name, NAME_TRANS_MATCH_EXACT, &otype); if (rc != SEPOL_OK) { if (rc == SEPOL_EEXIST) { @@ -1280,7 +1280,7 @@ static int __cil_typetransition_to_avtab(policydb_t *pdb, const struct cil_db *d rc = __cil_typetransition_to_avtab_helper( pdb, sepol_src, sepol_src, class_list, - name, typetrans->name_match, sepol_result + name, sepol_result ); if (rc != SEPOL_OK) goto exit; } @@ -1298,7 +1298,7 @@ static int __cil_typetransition_to_avtab(policydb_t *pdb, const struct cil_db *d rc = __cil_typetransition_to_avtab_helper( pdb, sepol_src, sepol_tgt, class_list, - name, typetrans->name_match, sepol_result + name, sepol_result ); if (rc != SEPOL_OK) goto exit; } diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c index 67bbdcab..4177c9f6 100644 --- a/libsepol/cil/src/cil_build_ast.c +++ b/libsepol/cil/src/cil_build_ast.c @@ -3334,11 +3334,10 @@ int cil_gen_typetransition(struct cil_db *db, struct cil_tree_node *parse_curren CIL_SYN_STRING, CIL_SYN_STRING, CIL_SYN_STRING | CIL_SYN_END, - CIL_SYN_STRING | CIL_SYN_END, - CIL_SYN_END, + CIL_SYN_END }; size_t syntax_len = sizeof(syntax)/sizeof(*syntax); - char *s1, *s2, *s3, *s4, *s5, *s6; + char *s1, *s2, *s3, *s4, *s5; if (db == NULL || parse_current == NULL || ast_node == NULL ) { goto exit; 
@@ -3354,22 +3353,12 @@ int cil_gen_typetransition(struct cil_db *db, struct cil_tree_node *parse_curren s3 = parse_current->next->next->next->data; s4 = parse_current->next->next->next->next->data; s5 = NULL; - s6 = NULL; if (parse_current->next->next->next->next->next) { if (s4 == CIL_KEY_STAR) { - if (parse_current->next->next->next->next->next->next) { - s4 = parse_current->next->next->next->next->next->next->data; - } else { - s4 = parse_current->next->next->next->next->next->data; - } + s4 = parse_current->next->next->next->next->next->data; } else { - if (parse_current->next->next->next->next->next->next) { - s5 = parse_current->next->next->next->next->next->data; - s6 = parse_current->next->next->next->next->next->next->data; - } else { - s5 = parse_current->next->next->next->next->next->data; - } + s5 = parse_current->next->next->next->next->next->data; } } @@ -3381,13 +3370,8 @@ int cil_gen_typetransition(struct cil_db *db, struct cil_tree_node *parse_curren nametypetrans->src_str = s1; nametypetrans->tgt_str = s2; nametypetrans->obj_str = s3; + nametypetrans->result_str = s5; nametypetrans->name_str = s4; - if (s6) { - nametypetrans->name_match_str = s5; - nametypetrans->result_str = s6; - } else { - nametypetrans->result_str = s5; - } ast_node->data = nametypetrans; ast_node->flavor = CIL_NAMETYPETRANSITION; diff --git a/libsepol/cil/src/cil_copy_ast.c b/libsepol/cil/src/cil_copy_ast.c index a2d2fe40..17f05021 100644 --- a/libsepol/cil/src/cil_copy_ast.c +++ b/libsepol/cil/src/cil_copy_ast.c @@ -726,7 +726,6 @@ int cil_copy_nametypetransition(__attribute__((unused)) struct cil_db *db, void new->tgt_str = orig->tgt_str; new->obj_str = orig->obj_str; new->name_str = orig->name_str; - new->name_match_str = orig->name_match_str; new->result_str = orig->result_str; diff --git a/libsepol/cil/src/cil_internal.h b/libsepol/cil/src/cil_internal.h index a5ff808b..a7604762 100644 --- a/libsepol/cil/src/cil_internal.h +++ b/libsepol/cil/src/cil_internal.h 
@@ -112,8 +112,6 @@ extern char *CIL_KEY_TUNABLEIF; extern char *CIL_KEY_ALLOW; extern char *CIL_KEY_DONTAUDIT; extern char *CIL_KEY_TYPETRANSITION; -extern char *CIL_KEY_PREFIX; -extern char *CIL_KEY_SUFFIX; extern char *CIL_KEY_TYPECHANGE; extern char *CIL_KEY_CALL; extern char *CIL_KEY_TUNABLE; @@ -577,8 +575,6 @@ struct cil_nametypetransition { struct cil_class *obj; char *name_str; struct cil_name *name; - char *name_match_str; - uint8_t name_match; char *result_str; void *result; /* type or alias */ diff --git a/libsepol/cil/src/cil_policy.c b/libsepol/cil/src/cil_policy.c index 9ee40ba7..feb97868 100644 --- a/libsepol/cil/src/cil_policy.c +++ b/libsepol/cil/src/cil_policy.c @@ -1260,7 +1260,6 @@ static void cil_nametypetransition_to_policy(FILE *out, struct cil_nametypetrans struct cil_name *name; struct cil_list *class_list; struct cil_list_item *i1; - const char *name_match_str = ""; src = trans->src; tgt = trans->tgt; @@ -1269,21 +1268,7 @@ static void cil_nametypetransition_to_policy(FILE *out, struct cil_nametypetrans class_list = cil_expand_class(trans->obj); cil_list_for_each(i1, class_list) { - switch (trans->name_match) { - case NAME_TRANS_MATCH_EXACT: - name_match_str = ""; - break; - case NAME_TRANS_MATCH_PREFIX: - name_match_str = " PREFIX"; - break; - case NAME_TRANS_MATCH_SUFFIX: - name_match_str = " SUFFIX"; - break; - default: - name_match_str = "???"; - break; - } - fprintf(out, "type_transition %s %s : %s %s \"%s\"%s;\n", src->fqn, tgt->fqn, DATUM(i1->data)->fqn, res->fqn, name->datum.fqn, name_match_str); + fprintf(out, "type_transition %s %s : %s %s \"%s\";\n", src->fqn, tgt->fqn, DATUM(i1->data)->fqn, res->fqn, name->datum.fqn); } cil_list_destroy(&class_list, CIL_FALSE); } diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c index 1ef0986c..d2bfdc81 100644 --- a/libsepol/cil/src/cil_resolve_ast.c +++ b/libsepol/cil/src/cil_resolve_ast.c 
@@ -668,16 +668,6 @@ int cil_resolve_nametypetransition(struct cil_tree_node *current, void *extra_ar nametypetrans->name = (struct cil_name *)name_datum; } - if (nametypetrans->name_match_str == NULL) { - nametypetrans->name_match = NAME_TRANS_MATCH_EXACT; - } else if (nametypetrans->name_match_str == CIL_KEY_PREFIX) { - nametypetrans->name_match = NAME_TRANS_MATCH_PREFIX; - } else if (nametypetrans->name_match_str == CIL_KEY_SUFFIX) { - nametypetrans->name_match = NAME_TRANS_MATCH_SUFFIX; - } else { - cil_tree_log(current, CIL_ERR, "Invalid name match type \"%s\"", nametypetrans->name_match_str); - } - rc = cil_resolve_name(current, nametypetrans->result_str, CIL_SYM_TYPES, extra_args, &result_datum); if (rc != SEPOL_OK) { goto exit; diff --git a/libsepol/cil/src/cil_write_ast.c b/libsepol/cil/src/cil_write_ast.c index d96f6c39..b75784ef 100644 --- a/libsepol/cil/src/cil_write_ast.c +++ b/libsepol/cil/src/cil_write_ast.c 
@@ -1168,8 +1168,6 @@ void cil_write_ast_node(FILE *out, struct cil_tree_node *node) fprintf(out, "%s ", datum_or_str(DATUM(rule->tgt), rule->tgt_str)); fprintf(out, "%s ", datum_or_str(DATUM(rule->obj), rule->obj_str)); fprintf(out, "\"%s\" ", datum_or_str(DATUM(rule->name), rule->name_str)); - if (rule->name_match != NAME_TRANS_MATCH_EXACT) - fprintf(out, "%s ", rule->name_match_str); fprintf(out, "%s", datum_or_str(DATUM(rule->result), rule->result_str)); fprintf(out, ")\n"); break;

From patchwork Wed Jul 26 14:25:43 2023
X-Patchwork-Submitter: James Carter
X-Patchwork-Id: 13328162
X-Patchwork-Delegate: plautrba@redhat.com
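Review bot: the commit message for [PATCH 1/8] gives only the reverted hash; it should state why the CIL prefix/suffix filename-transition support is being withdrawn, and note that the cil_binary.c hunk deliberately keeps passing NAME_TRANS_MATCH_EXACT to avtab_insert_filename_trans() because the libsepol signature is only changed back in the separate libsepol/checkpolicy revert, so this step still builds on its own. Beyond that the hunks are a clean mechanical inverse of the original commit: the extra CIL_SYN_STRING slot, s6, name_match_str and name_match are removed together across cil.c, cil_build_ast.c, cil_internal.h, cil_copy_ast.c, cil_resolve_ast.c, cil_policy.c and cil_write_ast.c, so no dangling reference to the dropped fields is left behind.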
From: James Carter To: selinux@vger.kernel.org Cc: juraj@jurajmarcin.com, James Carter Subject: [PATCH 2/8] Revert "checkpolicy,libsepol: add prefix/suffix support to module policy" Date: Wed, 26 Jul 2023 10:25:43 -0400 Message-ID: <20230726142549.94685-3-jwcart2@gmail.com> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20230726142549.94685-1-jwcart2@gmail.com> References: <20230726142549.94685-1-jwcart2@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org This reverts commit c39ebd07acd030a59a432797ed4da7733266a305. Signed-off-by: James Carter --- checkpolicy/policy_define.c | 13 +++---- checkpolicy/policy_define.h | 2 +- checkpolicy/policy_parse.y | 13 +++---- checkpolicy/policy_scan.l | 4 --- checkpolicy/test/dismod.c | 14 -------- checkpolicy/test/dispol.c | 2 +- libsepol/cil/src/cil_binary.c | 4 +-- libsepol/include/sepol/policydb/avtab.h | 1 - libsepol/include/sepol/policydb/policydb.h | 13 +++---- libsepol/src/avtab.c | 30 ++++------------ libsepol/src/expand.c | 6 +--- libsepol/src/kernel_to_common.h | 2 +- libsepol/src/link.c | 1 - libsepol/src/module_to_cil.c | 25 +++----------- libsepol/src/policydb.c | 23 +------------ libsepol/src/write.c | 40 ++++++---------------- 16 files changed, 43 insertions(+), 150 deletions(-) diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c index 8421b253..25dbf25d 100644 --- a/checkpolicy/policy_define.c +++ b/checkpolicy/policy_define.c @@ -1601,8 +1601,7 @@ static int set_types(type_set_t * set, char *id, int *add, char starallowed) return -1; } -static int define_compute_type_helper(int which, avrule_t ** rule, - int has_filename, uint8_t name_match) +static int define_compute_type_helper(int which, avrule_t ** rule, int has_filename) { char *id; type_datum_t *datum; 
@@ -1677,7 +1676,6 @@ static int define_compute_type_helper(int which, avrule_t ** rule, goto bad; } } - avrule->name_match = name_match; ebitmap_for_each_positive_bit(&tclasses, node, i) { perm = malloc(sizeof(class_perm_node_t)); @@ -1702,7 +1700,7 @@ static int define_compute_type_helper(int which, avrule_t ** rule, return -1; } -int define_compute_type(int which, int has_filename, uint8_t name_match) +int define_compute_type(int which, int has_filename) { char *id; avrule_t *avrule; @@ -1723,8 +1721,7 @@ int define_compute_type(int which, int has_filename, uint8_t name_match) return 0; } - if (define_compute_type_helper(which, &avrule, has_filename, - name_match)) + if (define_compute_type_helper(which, &avrule, has_filename)) return -1; append_avrule(avrule); @@ -1748,8 +1745,7 @@ avrule_t *define_cond_compute_type(int which) return (avrule_t *) 1; } - if (define_compute_type_helper(which, &avrule, 0, - NAME_TRANS_MATCH_EXACT)) + if (define_compute_type_helper(which, &avrule, 0)) return COND_ERR; return avrule; @@ -2398,7 +2394,6 @@ static int avrule_cpy(avrule_t *dest, const avrule_t *src) return -1; } } - dest->name_match = src->name_match; dest->line = src->line; dest->source_filename = strdup(source_file); if (!dest->source_filename) { diff --git a/checkpolicy/policy_define.h b/checkpolicy/policy_define.h index c1314871..5d0f70e4 100644 --- a/checkpolicy/policy_define.h +++ b/checkpolicy/policy_define.h @@ -28,7 +28,7 @@ int define_default_role(int which); int define_default_type(int which); int define_default_range(int which); int define_common_perms(void); -int define_compute_type(int which, int has_filename, uint8_t name_match); +int define_compute_type(int which, int has_filename); int define_conditional(cond_expr_t *expr, avrule_t *t_list, avrule_t *f_list ); int define_constraint(constraint_expr_t *expr); int define_dominance(void); diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y index 6b6890a3..2a14fc1e 100644 
--- a/checkpolicy/policy_parse.y +++ b/checkpolicy/policy_parse.y @@ -108,7 +108,6 @@ typedef int (* require_func_t)(int pass); %token IF %token ELSE %token TYPE_TRANSITION -%token PREFIX SUFFIX %token TYPE_MEMBER %token TYPE_CHANGE %token ROLE_TRANSITION @@ -452,17 +451,13 @@ cond_dontaudit_def : DONTAUDIT names names ':' names names ';' ; ; transition_def : TYPE_TRANSITION names names ':' names identifier filename ';' - {if (define_compute_type(AVRULE_TRANSITION, 1, NAME_TRANS_MATCH_EXACT)) return -1;} - | TYPE_TRANSITION names names ':' names identifier filename PREFIX ';' - {if (define_compute_type(AVRULE_TRANSITION, 1, NAME_TRANS_MATCH_PREFIX)) return -1;} - | TYPE_TRANSITION names names ':' names identifier filename SUFFIX ';' - {if (define_compute_type(AVRULE_TRANSITION, 1, NAME_TRANS_MATCH_SUFFIX)) return -1;} + {if (define_compute_type(AVRULE_TRANSITION, 1)) return -1; } | TYPE_TRANSITION names names ':' names identifier ';' - {if (define_compute_type(AVRULE_TRANSITION, 0, NAME_TRANS_MATCH_EXACT)) return -1;} + {if (define_compute_type(AVRULE_TRANSITION, 0)) return -1;} | TYPE_MEMBER names names ':' names identifier ';' - {if (define_compute_type(AVRULE_MEMBER, 0, NAME_TRANS_MATCH_EXACT)) return -1;} + {if (define_compute_type(AVRULE_MEMBER, 0)) return -1;} | TYPE_CHANGE names names ':' names identifier ';' - {if (define_compute_type(AVRULE_CHANGE, 0, NAME_TRANS_MATCH_EXACT)) return -1;} + {if (define_compute_type(AVRULE_CHANGE, 0)) return -1;} ; range_trans_def : RANGE_TRANSITION names names mls_range_def ';' { if (define_range_trans(0)) return -1; } diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l index 9ffac353..2c025b61 100644 --- a/checkpolicy/policy_scan.l +++ b/checkpolicy/policy_scan.l 
@@ -123,10 +123,6 @@ EXPANDATTRIBUTE | expandattribute { return(EXPANDATTRIBUTE); } TYPE_TRANSITION | type_transition { return(TYPE_TRANSITION); } -PREFIX | -prefix { return(PREFIX); } -SUFFIX | -suffix { return(SUFFIX); } TYPE_MEMBER | type_member { return(TYPE_MEMBER); } TYPE_CHANGE | diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c index 011191c3..8bab207c 100644 --- a/checkpolicy/test/dismod.c +++ b/checkpolicy/test/dismod.c @@ -345,20 +345,6 @@ static int display_avrule(avrule_t * avrule, policydb_t * policy, display_id(policy, fp, SYM_TYPES, avrule->perms->data - 1, ""); if (avrule->object_name) fprintf(fp, " \"%s\"", avrule->object_name); - switch (avrule->name_match) { - case NAME_TRANS_MATCH_EXACT: - /* do nothing */ - break; - case NAME_TRANS_MATCH_PREFIX: - fprintf(fp, " PREFIX"); - break; - case NAME_TRANS_MATCH_SUFFIX: - fprintf(fp, " SUFFIX"); - break; - default: - fprintf(fp, " ERROR: no valid name match type specified\n"); - return -1; - } } else if (avrule->specified & AVRULE_XPERMS) { avtab_extended_perms_t xperms; int i; diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c index b5a41c1f..776bf54d 100644 --- a/checkpolicy/test/dispol.c +++ b/checkpolicy/test/dispol.c @@ -129,7 +129,7 @@ typedef struct { avtab_key_t *key; policydb_t *p; FILE *fp; - uint8_t match; + name_trans_match_t match; } render_name_trans_args_t; static int render_name_trans_helper(hashtab_key_t k, hashtab_datum_t d, void *a) diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c index ffa44be7..996bad70 100644 --- a/libsepol/cil/src/cil_binary.c +++ b/libsepol/cil/src/cil_binary.c 
@@ -1211,8 +1211,7 @@ static int __cil_typetransition_to_avtab_helper(policydb_t *pdb, avt_key.target_type = sepol_tgt->s.value; avt_key.target_class = sepol_obj->s.value; rc = avtab_insert_filename_trans(&pdb->te_avtab, &avt_key, - sepol_result->s.value, name, NAME_TRANS_MATCH_EXACT, - &otype); + sepol_result->s.value, name, &otype); if (rc != SEPOL_OK) { if (rc == SEPOL_EEXIST) { if (sepol_result->s.value!= otype) { @@ -4652,7 +4651,6 @@ static avrule_t *__cil_init_sepol_avrule(uint32_t kind, struct cil_tree_node *no __cil_init_sepol_type_set(&avrule->ttypes); avrule->perms = NULL; avrule->object_name = NULL; - avrule->name_match = NAME_TRANS_MATCH_EXACT; avrule->line = node->line; avrule->source_filename = NULL; diff --git a/libsepol/include/sepol/policydb/avtab.h b/libsepol/include/sepol/policydb/avtab.h index 7d892879..870fb08a 100644 --- a/libsepol/include/sepol/policydb/avtab.h +++ b/libsepol/include/sepol/policydb/avtab.h @@ -156,7 +156,6 @@ extern avtab_ptr_t avtab_search_node_next(avtab_ptr_t node, int specified); extern int avtab_insert_filename_trans(avtab_t *a, avtab_key_t *key, uint32_t otype, const char *name, - uint8_t name_match, uint32_t *present_otype); extern int avtab_filename_trans_read(void *fp, uint32_t vers, avtab_t *a); diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h index 48b7b8bb..a2df4a62 100644 --- a/libsepol/include/sepol/policydb/policydb.h +++ b/libsepol/include/sepol/policydb/policydb.h @@ -252,6 +252,12 @@ typedef struct av_extended_perms { uint32_t perms[EXTENDED_PERMS_LEN]; } av_extended_perms_t; +typedef enum name_trans_match { + NAME_TRANS_MATCH_EXACT, + NAME_TRANS_MATCH_PREFIX, + NAME_TRANS_MATCH_SUFFIX, +} name_trans_match_t; + typedef struct avrule { /* these typedefs are almost exactly the same as those in avtab.h - they are * here because of the need to include neverallow and dontaudit messages */ 
@@ -279,10 +285,6 @@ typedef struct avrule { type_set_t ttypes; class_perm_node_t *perms; char *object_name; /* optional object name */ -#define NAME_TRANS_MATCH_EXACT 0 -#define NAME_TRANS_MATCH_PREFIX 1 -#define NAME_TRANS_MATCH_SUFFIX 2 - uint8_t name_match; av_extended_perms_t *xperms; unsigned long line; /* line number from policy.conf where * this rule originated */ @@ -755,10 +757,9 @@ extern int policydb_set_target_platform(policydb_t *p, int platform); #define MOD_POLICYDB_VERSION_GLBLUB 20 #define MOD_POLICYDB_VERSION_SELF_TYPETRANS 21 #define MOD_POLICYDB_VERSION_AVRULE_FTRANS 22 -#define MOD_POLICYDB_VERSION_PREFIX_SUFFIX 23 /* preffix/suffix support for filename transitions */ #define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE -#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_PREFIX_SUFFIX +#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_AVRULE_FTRANS #define POLICYDB_CONFIG_MLS 1 diff --git a/libsepol/src/avtab.c b/libsepol/src/avtab.c index 99fdaa87..90cfb90b 100644 --- a/libsepol/src/avtab.c +++ b/libsepol/src/avtab.c @@ -771,7 +771,7 @@ int avtab_read(avtab_t * a, struct policy_file *fp, uint32_t vers) int avtab_insert_filename_trans(avtab_t *a, avtab_key_t *key, uint32_t otype, const char *name, - uint8_t name_match, uint32_t *present_otype) + uint32_t *present_otype) { int rc = SEPOL_ENOMEM; avtab_trans_t new_trans = {0}; @@ -780,7 +780,6 @@ int avtab_insert_filename_trans(avtab_t *a, avtab_key_t *key, avtab_ptr_t node; char *name_key = NULL; uint32_t *otype_datum = NULL; - symtab_t *target_symtab; datum = avtab_search(a, key); if (!datum) { 
@@ -794,22 +793,8 @@ int avtab_insert_filename_trans(avtab_t *a, avtab_key_t *key, datum = &node->datum; } - switch (name_match) { - case NAME_TRANS_MATCH_EXACT: - target_symtab = &datum->trans->name_trans; - break; - case NAME_TRANS_MATCH_PREFIX: - target_symtab = &datum->trans->prefix_trans; - break; - case NAME_TRANS_MATCH_SUFFIX: - target_symtab = &datum->trans->suffix_trans; - break; - default: - return SEPOL_ERR; - } - - if (!target_symtab->table) { - rc = symtab_init(target_symtab, 1 << 8); + if (!datum->trans->name_trans.table) { + rc = symtab_init(&datum->trans->name_trans, 1 << 8); if (rc < 0) return rc; } @@ -825,7 +810,8 @@ int avtab_insert_filename_trans(avtab_t *a, avtab_key_t *key, goto bad; *otype_datum = otype; - rc = hashtab_insert(target_symtab->table, name_key, otype_datum); + rc = hashtab_insert(datum->trans->name_trans.table, name_key, + otype_datum); if (rc < 0) goto bad; @@ -870,8 +856,7 @@ static int filename_trans_read_one(avtab_t *a, void *fp) key.target_class = le32_to_cpu(buf[2]); otype = le32_to_cpu(buf[3]); - rc = avtab_insert_filename_trans(a, &key, otype, name, - NAME_TRANS_MATCH_EXACT, NULL); + rc = avtab_insert_filename_trans(a, &key, otype, name, NULL); if (rc) goto err; @@ -924,8 +909,7 @@ static int filename_trans_comp_read_one(avtab_t *a, void *fp) key.source_type = bit + 1; rc = avtab_insert_filename_trans(a, &key, otype, name, - NAME_TRANS_MATCH_EXACT, - NULL); + NULL); if (rc < 0) goto err_ebitmap; } diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c index 7a011508..a4c92f4f 100644 --- a/libsepol/src/expand.c +++ b/libsepol/src/expand.c @@ -1620,8 +1620,7 @@ static int expand_terule_helper(sepol_handle_t * handle, uint32_t specified, cond_av_list_t ** cond, cond_av_list_t ** other, uint32_t stype, uint32_t ttype, class_perm_node_t * perms, - char *object_name, uint8_t name_match, - avtab_t * avtab, int enabled) + char *object_name, avtab_t * avtab, int enabled) { avtab_key_t avkey; avtab_datum_t *avdatump; 
@@ -1653,7 +1652,6 @@ static int expand_terule_helper(sepol_handle_t * handle, int rc = avtab_insert_filename_trans(avtab, &avkey, remapped_data, object_name, - name_match, &oldtype); if (rc == SEPOL_EEXIST) { ERR(handle, "conflicting filename transition %s %s:%s \"%s\": %s vs %s", @@ -1887,7 +1885,6 @@ static int expand_rule_helper(sepol_handle_t * handle, source_rule->specified, cond, other, i, i, source_rule->perms, source_rule->object_name, - source_rule->name_match, dest_avtab, enabled); if (retval != EXPAND_RULE_SUCCESS) return retval; @@ -1905,7 +1902,6 @@ static int expand_rule_helper(sepol_handle_t * handle, source_rule->specified, cond, other, i, j, source_rule->perms, source_rule->object_name, - source_rule->name_match, dest_avtab, enabled); if (retval != EXPAND_RULE_SUCCESS) return retval; diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h index 353eb78f..07869e3d 100644 --- a/libsepol/src/kernel_to_common.h +++ b/libsepol/src/kernel_to_common.h @@ -90,7 +90,7 @@ typedef struct { const char *src; const char *tgt; const char *class; - uint8_t match; + name_trans_match_t match; } name_trans_to_strs_args_t; void sepol_indent(FILE *out, int indent); diff --git a/libsepol/src/link.c b/libsepol/src/link.c index 332d62b2..88b23594 100644 --- a/libsepol/src/link.c +++ b/libsepol/src/link.c @@ -1254,7 +1254,6 @@ static int copy_avrule_list(avrule_t * list, avrule_t ** dst, if (!new_rule->object_name) goto cleanup; } - new_rule->name_match = cur->name_match; cur_perm = cur->perms; tail_perm = NULL; diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c index 3fbb4af5..ca96bb67 100644 --- a/libsepol/src/module_to_cil.c +++ b/libsepol/src/module_to_cil.c 
@@ -547,13 +547,12 @@ static int semantic_level_to_cil(struct policydb *pdb, int sens_offset, struct m return 0; } -static int avrule_to_cil(int indent, struct policydb *pdb, uint32_t type, const char *src, const char *tgt, const char *object_name, uint8_t name_match, const struct class_perm_node *classperms) +static int avrule_to_cil(int indent, struct policydb *pdb, uint32_t type, const char *src, const char *tgt, const char *object_name, const struct class_perm_node *classperms) { int rc = -1; const char *rule; const struct class_perm_node *classperm; char *perms; - const char *match_str = ""; switch (type) { case AVRULE_ALLOWED: @@ -599,24 +598,10 @@ static int avrule_to_cil(int indent, struct policydb *pdb, uint32_t type, const pdb->p_class_val_to_name[classperm->tclass - 1], perms + 1); } else if (object_name) { - switch (name_match) { - case NAME_TRANS_MATCH_EXACT: - match_str = ""; - break; - case NAME_TRANS_MATCH_PREFIX: - match_str = " prefix"; - break; - case NAME_TRANS_MATCH_SUFFIX: - match_str = " suffix"; - break; - default: - ERR(NULL, "Unknown name match type: %" PRIu8, - name_match); - } - cil_println(indent, "(%s %s %s %s \"%s\"%s %s)", + cil_println(indent, "(%s %s %s %s \"%s\" %s)", rule, src, tgt, pdb->p_class_val_to_name[classperm->tclass - 1], - object_name, match_str, + object_name, pdb->p_type_val_to_name[classperm->data - 1]); } else { cil_println(indent, "(%s %s %s %s %s)", @@ -1220,7 +1205,7 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a if (avrule->specified & AVRULE_XPERMS) { rc = avrulex_to_cil(indent, pdb, avrule->specified, snames[s], tnames[t], avrule->perms, avrule->xperms); } else { - rc = avrule_to_cil(indent, pdb, avrule->specified, snames[s], tnames[t], avrule->object_name, avrule->name_match, avrule->perms); + rc = avrule_to_cil(indent, pdb, avrule->specified, snames[s], tnames[t], avrule->object_name, avrule->perms); } if (rc != 0) { goto exit; 
@@ -1231,7 +1216,7 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a if (avrule->specified & AVRULE_XPERMS) { rc = avrulex_to_cil(indent, pdb, avrule->specified, snames[s], "self", avrule->perms, avrule->xperms); } else { - rc = avrule_to_cil(indent, pdb, avrule->specified, snames[s], "self", avrule->object_name, avrule->name_match, avrule->perms); + rc = avrule_to_cil(indent, pdb, avrule->specified, snames[s], "self", avrule->object_name, avrule->perms); } if (rc != 0) { goto exit; diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c index 552eb77a..f1f6cec6 100644 --- a/libsepol/src/policydb.c +++ b/libsepol/src/policydb.c @@ -355,13 +355,6 @@ static const struct policydb_compat_info policydb_compat[] = { .ocon_num = OCON_IBENDPORT + 1, .target_platform = SEPOL_TARGET_SELINUX, }, - { - .type = POLICY_BASE, - .version = MOD_POLICYDB_VERSION_PREFIX_SUFFIX, - .sym_num = SYM_NUM, - .ocon_num = OCON_IBENDPORT + 1, - .target_platform = SEPOL_TARGET_SELINUX, - }, { .type = POLICY_MOD, .version = MOD_POLICYDB_VERSION_BASE, @@ -495,13 +488,6 @@ static const struct policydb_compat_info policydb_compat[] = { .ocon_num = 0, .target_platform = SEPOL_TARGET_SELINUX, }, - { - .type = POLICY_MOD, - .version = MOD_POLICYDB_VERSION_PREFIX_SUFFIX, - .sym_num = SYM_NUM, - .ocon_num = 0, - .target_platform = SEPOL_TARGET_SELINUX, - }, }; #if 0 @@ -3185,7 +3171,6 @@ common_read, class_read, role_read, type_read, user_read, static avrule_t *avrule_read(policydb_t * p, struct policy_file *fp) { unsigned int i; - uint8_t buf8; uint32_t buf[2], len; class_perm_node_t *cur, *tail = NULL; avrule_t *avrule; 
@@ -3249,15 +3234,10 @@ static avrule_t *avrule_read(policydb_t * p, struct policy_file *fp) if (rc < 0) goto bad; } - if (p->policyvers >= MOD_POLICYDB_VERSION_PREFIX_SUFFIX) { - rc = next_entry(&buf8, fp, sizeof(uint8_t)); - if (rc < 0) - goto bad; - avrule->name_match = buf8; - } } if (avrule->specified & AVRULE_XPERMS) { + uint8_t buf8; size_t nel = ARRAY_SIZE(avrule->xperms->perms); uint32_t buf32[nel]; @@ -3566,7 +3546,6 @@ static int filename_trans_rule_read(policydb_t *p, avrule_t **r, rc = str_read(&cur->object_name, fp, len); if (rc) return -1; - cur->name_match = NAME_TRANS_MATCH_EXACT; if (type_set_read(&cur->stypes, fp)) return -1; diff --git a/libsepol/src/write.c b/libsepol/src/write.c index f0ed9e33..df47197c 100644 --- a/libsepol/src/write.c +++ b/libsepol/src/write.c @@ -2071,7 +2071,6 @@ static int avrule_write(policydb_t *p, avrule_t * avrule, struct policy_file *fp) { size_t items, items2; - uint8_t buf8; uint32_t buf[32], len; class_perm_node_t *cur; @@ -2079,11 +2078,6 @@ static int avrule_write(policydb_t *p, avrule_t * avrule, if (p->policyvers < MOD_POLICYDB_VERSION_AVRULE_FTRANS && avrule->specified & AVRULE_TRANSITION && avrule->object_name) return POLICYDB_SUCCESS; - /* skip prefix/suffix name transition if writing older version */ - if (p->policyvers < MOD_POLICYDB_VERSION_PREFIX_SUFFIX && - avrule->specified & AVRULE_TRANSITION && - avrule->object_name && avrule->name_match != NAME_TRANS_MATCH_EXACT) - return POLICYDB_SUCCESS; if (p->policyvers < MOD_POLICYDB_VERSION_SELF_TYPETRANS && (avrule->specified & AVRULE_TYPE) && 
@@ -2142,17 +2136,12 @@ static int avrule_write(policydb_t *p, avrule_t * avrule, if (items != len) return POLICYDB_ERROR; } - if (p->policyvers >= MOD_POLICYDB_VERSION_PREFIX_SUFFIX) { - buf8 = avrule->name_match; - items = put_entry(&buf8, sizeof(uint8_t), 1, fp); - if (items != 1) - return POLICYDB_ERROR; - } } if (avrule->specified & AVRULE_XPERMS) { size_t nel = ARRAY_SIZE(avrule->xperms->perms); uint32_t buf32[nel]; + uint8_t buf8; unsigned int i; if (p->policyvers < MOD_POLICYDB_VERSION_XPERMS_IOCTL) { @@ -2197,17 +2186,12 @@ static int avrule_write_list(policydb_t *p, avrule_t * avrules, avrule = avrules; len = 0; - for (avrule = avrules; avrule; avrule = avrule->next) { - if (p->policyvers < MOD_POLICYDB_VERSION_AVRULE_FTRANS && - (avrule->specified & AVTAB_TRANSITION) && - avrule->object_name) - continue; - if (p->policyvers < MOD_POLICYDB_VERSION_PREFIX_SUFFIX && - (avrule->specified & AVTAB_TRANSITION) && - avrule->object_name && - avrule->name_match != NAME_TRANS_MATCH_EXACT) - continue; - len++; + while (avrule) { + if (p->policyvers >= MOD_POLICYDB_VERSION_AVRULE_FTRANS || + !(avrule->specified & AVRULE_TRANSITION && + avrule->object_name)) + len++; + avrule = avrule->next; } buf[0] = cpu_to_le32(len); @@ -2315,8 +2299,7 @@ static int filename_trans_rule_write(policydb_t *p, avrule_t *rules, class_perm_node_t *perm; for (rule = rules; rule; rule = rule->next) { - if (rule->specified & AVRULE_TRANSITION && rule->object_name && - rule->name_match == NAME_TRANS_MATCH_EXACT) { + if (rule->specified & AVRULE_TRANSITION && rule->object_name) { for (perm = rule->perms; perm; perm = perm->next) { nel++; } 
@@ -2329,9 +2312,7 @@ static int filename_trans_rule_write(policydb_t *p, avrule_t *rules, return POLICYDB_ERROR; for (rule = rules; rule; rule = rule->next) { - if (!(rule->specified & AVRULE_TRANSITION && - rule->object_name && - rule->name_match == NAME_TRANS_MATCH_EXACT)) + if (!(rule->specified & AVRULE_TRANSITION && rule->object_name)) continue; len = strlen(rule->object_name); for (perm = rule->perms; perm; perm = perm->next) { 
@@ -2770,8 +2751,7 @@ int policydb_write(policydb_t * p, struct policy_file *fp) if (p->policy_type == POLICY_KERN) { if (avtab_write(p, &p->te_avtab, fp)) return POLICYDB_ERROR; - if (p->policyvers < POLICYDB_VERSION_PREFIX_SUFFIX && - avtab_has_prefix_suffix_filename_transitions(&p->te_avtab)) { + if (avtab_has_prefix_suffix_filename_transitions(&p->te_avtab)) { WARN(fp->handle, "Discarding filename prefix/suffix type transition rules"); }
From patchwork Wed Jul 26 14:25:44 2023 X-Patchwork-Submitter: James Carter X-Patchwork-Id: 13328161 X-Patchwork-Delegate: plautrba@redhat.com
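Review bot: in patch 1/8's policydb_write hunk, dropping the `p->policyvers < POLICYDB_VERSION_PREFIX_SUFFIX &&` guard makes the "Discarding filename prefix/suffix type transition rules" warning fire whenever avtab_has_prefix_suffix_filename_transitions() is true, even when a version-35 policy is being written and avtab_trans_write still emits those rules (that writer is only removed in patch 3/8). This is the same intermediate state the original series passed through, so it is acceptable for a revert, but the cover letter should state that every step builds and that the misleading warning exists only between 1/8 and 3/8.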
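Review bot: the two policydb.c hunks of patch 1/8 remove the POLICY_BASE and POLICY_MOD compat entries for MOD_POLICYDB_VERSION_PREFIX_SUFFIX, so a module or base package already written at that version stops loading instead of being read; the cover letter should say whether that format ever reached a tagged libsepol release, because 3/8 and 4/8 do the same for POLICYDB_VERSION_PREFIX_SUFFIX and MOD_POLICYDB_VERSION_AVRULE_FTRANS and the loss of readability is cumulative across the series.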
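Review bot: in the avrule_write_list hunk of patch 1/8, the restored `while` loop counts a rule exactly when `p->policyvers >= MOD_POLICYDB_VERSION_AVRULE_FTRANS || !(avrule->specified & AVRULE_TRANSITION && avrule->object_name)`, which is the negation of the skip test at the top of avrule_write, so the `len` written to the stream matches the rules that follow; the removed loop spelled the same test with `AVTAB_TRANSITION` on avrule->specified, which the restored code no longer does. Keep the two predicates spelled identically if either is touched again, since a mismatch yields a module whose rule count does not match its contents.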
From: James Carter To: selinux@vger.kernel.org Cc: juraj@jurajmarcin.com, James Carter Subject: [PATCH 3/8] Revert "checkpolicy,libsepol: add prefix/suffix support to kernel policy" Date: Wed, 26 Jul 2023 10:25:44 -0400 Message-ID: <20230726142549.94685-4-jwcart2@gmail.com> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20230726142549.94685-1-jwcart2@gmail.com> References: <20230726142549.94685-1-jwcart2@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org This reverts commit 1174483d2924dc700673363b240fca2b9fe45786. Signed-off-by: James Carter --- checkpolicy/test/dispol.c | 25 +---- libsepol/include/sepol/policydb/avtab.h | 2 - libsepol/include/sepol/policydb/policydb.h | 9 +- libsepol/src/avtab.c | 13 --- libsepol/src/kernel_to_cil.c | 30 +----- libsepol/src/kernel_to_common.h | 1 - libsepol/src/kernel_to_conf.c | 30 +----- libsepol/src/policydb.c | 7 -- libsepol/src/policydb_validate.c | 11 +- libsepol/src/write.c | 113 ++++----------------- 10 files changed, 30 insertions(+), 211 deletions(-) diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c index 776bf54d..861fa903 100644 --- a/checkpolicy/test/dispol.c +++ b/checkpolicy/test/dispol.c @@ -129,7 +129,6 @@ typedef struct { avtab_key_t *key; policydb_t *p; FILE *fp; - name_trans_match_t match; } render_name_trans_args_t; static int render_name_trans_helper(hashtab_key_t k, hashtab_datum_t d, void *a) 
@@ -141,22 +140,7 @@ static int render_name_trans_helper(hashtab_key_t k, hashtab_datum_t d, void *a) fprintf(args->fp, "type_transition "); render_key(args->key, args->p, args->fp); render_type(*otype, args->p, args->fp); - const char *match_str = ""; - switch (args->match) { - case NAME_TRANS_MATCH_EXACT: - match_str = ""; - break; - case NAME_TRANS_MATCH_PREFIX: - match_str = " PREFIX"; - break; - case NAME_TRANS_MATCH_SUFFIX: - match_str = " SUFFIX"; - break; - default: - fprintf(args->fp, " ERROR: no valid name match type specified\n"); - return -1; - } - fprintf(args->fp, " \"%s\"%s;\n", name, match_str); + fprintf(args->fp, " \"%s\";\n", name); return 0; } @@ -223,16 +207,9 @@ static int render_av_rule(avtab_key_t * key, avtab_datum_t * datum, uint32_t wha .key = key, .p = p, .fp = fp, - .match = NAME_TRANS_MATCH_EXACT, }; hashtab_map(datum->trans->name_trans.table, render_name_trans_helper, &args); - args.match = NAME_TRANS_MATCH_PREFIX; - hashtab_map(datum->trans->prefix_trans.table, - render_name_trans_helper, &args); - args.match = NAME_TRANS_MATCH_SUFFIX; - hashtab_map(datum->trans->suffix_trans.table, - render_name_trans_helper, &args); } if (key->specified & AVTAB_MEMBER) { fprintf(fp, "type_member "); diff --git a/libsepol/include/sepol/policydb/avtab.h b/libsepol/include/sepol/policydb/avtab.h index 870fb08a..5dc720cc 100644 --- a/libsepol/include/sepol/policydb/avtab.h +++ b/libsepol/include/sepol/policydb/avtab.h @@ -74,8 +74,6 @@ typedef struct avtab_key { typedef struct avtab_trans { uint32_t otype; /* resulting type of the new object */ symtab_t name_trans; /* filename transitions */ - symtab_t prefix_trans; /* prefix filename transitions */ - symtab_t suffix_trans; /* prefix filename transitions */ } avtab_trans_t; typedef struct avtab_extended_perms { diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h index a2df4a62..5efd0a47 100644 --- a/libsepol/include/sepol/policydb/policydb.h 
+++ b/libsepol/include/sepol/policydb/policydb.h @@ -252,12 +252,6 @@ typedef struct av_extended_perms { uint32_t perms[EXTENDED_PERMS_LEN]; } av_extended_perms_t; -typedef enum name_trans_match { - NAME_TRANS_MATCH_EXACT, - NAME_TRANS_MATCH_PREFIX, - NAME_TRANS_MATCH_SUFFIX, -} name_trans_match_t; - typedef struct avrule { /* these typedefs are almost exactly the same as those in avtab.h - they are * here because of the need to include neverallow and dontaudit messages */ @@ -729,11 +723,10 @@ extern int policydb_set_target_platform(policydb_t *p, int platform); #define POLICYDB_VERSION_GLBLUB 32 #define POLICYDB_VERSION_COMP_FTRANS 33 /* compressed filename transitions */ #define POLICYDB_VERSION_AVTAB_FTRANS 34 /* filename transitions moved to avtab */ -#define POLICYDB_VERSION_PREFIX_SUFFIX 35 /* prefix/suffix support for filename transitions */ /* Range of policy versions we understand*/ #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE -#define POLICYDB_VERSION_MAX POLICYDB_VERSION_PREFIX_SUFFIX +#define POLICYDB_VERSION_MAX POLICYDB_VERSION_AVTAB_FTRANS /* Module versions and specific changes*/ #define MOD_POLICYDB_VERSION_BASE 4 diff --git a/libsepol/src/avtab.c b/libsepol/src/avtab.c index 90cfb90b..2a9564ba 100644 --- a/libsepol/src/avtab.c +++ b/libsepol/src/avtab.c @@ -327,10 +327,6 @@ void avtab_trans_destroy(avtab_trans_t *trans) { hashtab_map(trans->name_trans.table, avtab_trans_destroy_helper, NULL); symtab_destroy(&trans->name_trans); - hashtab_map(trans->prefix_trans.table, avtab_trans_destroy_helper, NULL); - symtab_destroy(&trans->prefix_trans); - hashtab_map(trans->suffix_trans.table, avtab_trans_destroy_helper, NULL); - symtab_destroy(&trans->suffix_trans); } void avtab_destroy(avtab_t * h) 
@@ -524,15 +520,6 @@ static int avtab_trans_read(policy_file_t *fp, uint32_t vers, if (rc < 0) goto bad; - if (vers >= POLICYDB_VERSION_PREFIX_SUFFIX) { - rc = avtab_read_name_trans(fp, &trans->prefix_trans); - if (rc < 0) - goto bad; - rc = avtab_read_name_trans(fp, &trans->suffix_trans); - if (rc < 0) - goto bad; - } - return SEPOL_OK; bad: diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c index 30a67017..8ed695f1 100644 --- a/libsepol/src/kernel_to_cil.c +++ b/libsepol/src/kernel_to_cil.c @@ -1705,24 +1705,9 @@ static int name_trans_to_strs_helper(hashtab_key_t k, hashtab_datum_t d, void *a char *name = k; uint32_t *otype = d; name_trans_to_strs_args_t *args = a; - const char *match_str = ""; - switch (args->match) { - case NAME_TRANS_MATCH_EXACT: - match_str = ""; - break; - case NAME_TRANS_MATCH_PREFIX: - match_str = " prefix"; - break; - case NAME_TRANS_MATCH_SUFFIX: - match_str = " suffix"; - break; - default: - ERR(NULL, "Unknown name match type: %" PRIu8, args->match); - return SEPOL_ERR; - } - return strs_create_and_add(args->strs, "(%s %s %s %s \"%s\"%s %s)", 7, + return strs_create_and_add(args->strs, "(%s %s %s %s \"%s\" %s)", 6, args->flavor, args->src, args->tgt, - args->class, name, match_str, + args->class, name, args->pdb->p_type_val_to_name[*otype - 1]); } @@ -1810,20 +1795,9 @@ static int avtab_node_to_strs(struct policydb *pdb, avtab_key_t *key, avtab_datu .src = src, .tgt = tgt, .class = class, - .match = NAME_TRANS_MATCH_EXACT, }; rc = hashtab_map(datum->trans->name_trans.table, name_trans_to_strs_helper, &args); - if (rc < 0) - return rc; - args.match = NAME_TRANS_MATCH_PREFIX; - rc = hashtab_map(datum->trans->prefix_trans.table, - name_trans_to_strs_helper, &args); - if (rc < 0) - return rc; - args.match = NAME_TRANS_MATCH_SUFFIX; - rc = hashtab_map(datum->trans->suffix_trans.table, - name_trans_to_strs_helper, &args); } else { new = pdb->p_type_val_to_name[data - 1]; 
diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h index 07869e3d..b8ea237d 100644 --- a/libsepol/src/kernel_to_common.h +++ b/libsepol/src/kernel_to_common.h @@ -90,7 +90,6 @@ typedef struct { const char *src; const char *tgt; const char *class; - name_trans_match_t match; } name_trans_to_strs_args_t; void sepol_indent(FILE *out, int indent); diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c index b1699b39..eb14ccf1 100644 --- a/libsepol/src/kernel_to_conf.c +++ b/libsepol/src/kernel_to_conf.c @@ -1683,26 +1683,11 @@ static int name_trans_to_strs_helper(hashtab_key_t k, hashtab_datum_t d, void *a char *name = k; uint32_t *otype = d; name_trans_to_strs_args_t *args = a; - const char *match_str = ""; - switch (args->match) { - case NAME_TRANS_MATCH_EXACT: - match_str = ""; - break; - case NAME_TRANS_MATCH_PREFIX: - match_str = " PREFIX"; - break; - case NAME_TRANS_MATCH_SUFFIX: - match_str = " SUFFIX"; - break; - default: - ERR(NULL, "Unknown name match type: %" PRIu8, args->match); - return SEPOL_ERR; - } - return strs_create_and_add(args->strs, "%s %s %s:%s %s \"%s\"%s;", 7, + return strs_create_and_add(args->strs, "%s %s %s:%s %s \"%s\";", 6, args->flavor, args->src, args->tgt, args->class, args->pdb->p_type_val_to_name[*otype - 1], - name, match_str); + name); } static int avtab_node_to_strs(struct policydb *pdb, avtab_key_t *key, avtab_datum_t *datum, struct strs *strs) 
@@ -1786,20 +1771,9 @@ static int avtab_node_to_strs(struct policydb *pdb, avtab_key_t *key, avtab_datu .src = src, .tgt = tgt, .class = class, - .match = NAME_TRANS_MATCH_EXACT, }; rc = hashtab_map(datum->trans->name_trans.table, name_trans_to_strs_helper, &args); - if (rc < 0) - return rc; - args.match = NAME_TRANS_MATCH_PREFIX; - rc = hashtab_map(datum->trans->prefix_trans.table, - name_trans_to_strs_helper, &args); - if (rc < 0) - return rc; - args.match = NAME_TRANS_MATCH_SUFFIX; - rc = hashtab_map(datum->trans->suffix_trans.table, - name_trans_to_strs_helper, &args); } else { new = pdb->p_type_val_to_name[data - 1]; diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c index f1f6cec6..37bb97a1 100644 --- a/libsepol/src/policydb.c +++ b/libsepol/src/policydb.c @@ -215,13 +215,6 @@ static const struct policydb_compat_info policydb_compat[] = { .ocon_num = OCON_IBENDPORT + 1, .target_platform = SEPOL_TARGET_SELINUX, }, - { - .type = POLICY_KERN, - .version = POLICYDB_VERSION_PREFIX_SUFFIX, - .sym_num = SYM_NUM, - .ocon_num = OCON_IBENDPORT + 1, - .target_platform = SEPOL_TARGET_SELINUX, - }, { .type = POLICY_BASE, .version = MOD_POLICYDB_VERSION_BASE, diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c index 08b4a477..0b8e8eee 100644 --- a/libsepol/src/policydb_validate.c +++ b/libsepol/src/policydb_validate.c 
@@ -855,18 +855,11 @@ static int validate_avtab_key_and_datum(avtab_key_t *k, avtab_datum_t *d, void * /* also each transition must be non empty */ if (!d->trans->otype && - !hashtab_nel(d->trans->name_trans.table) && - !hashtab_nel(d->trans->name_trans.table) && - !hashtab_nel(d->trans->prefix_trans.table) && - !hashtab_nel(d->trans->suffix_trans.table)) + !hashtab_nel(d->trans->name_trans.table)) return -1; - /* and each name transition must be also valid */ + /* and each filename transition must be also valid */ if (hashtab_map(d->trans->name_trans.table, - validate_name_trans_helper, margs) || - hashtab_map(d->trans->prefix_trans.table, - validate_name_trans_helper, margs) || - hashtab_map(d->trans->suffix_trans.table, validate_name_trans_helper, margs)) return -1; } else if ((k->specified & AVTAB_TYPE) && validate_simpletype(d->data, margs->policy, margs->flavors)) { diff --git a/libsepol/src/write.c b/libsepol/src/write.c index df47197c..d7f47c8d 100644 --- a/libsepol/src/write.c +++ b/libsepol/src/write.c 
@@ -133,43 +133,16 @@ static int avtab_trans_write(policydb_t *p, const avtab_trans_t *cur, uint32_t buf32[2]; if (p->policyvers >= POLICYDB_VERSION_AVTAB_FTRANS) { - /* write otype and number of name transitions */ + /* write otype and number of filename transitions */ buf32[0] = cpu_to_le32(cur->otype); buf32[1] = cpu_to_le32(hashtab_nel(cur->name_trans.table)); items = put_entry(buf32, sizeof(uint32_t), 2, fp); if (items != 2) return -1; - /* write name transitions */ - if (hashtab_map(cur->name_trans.table, - avtab_trans_write_helper, fp)) - return -1; - - if (p->policyvers >= POLICYDB_VERSION_PREFIX_SUFFIX) { - /* write number of prefix transitions */ - buf32[0] = cpu_to_le32(hashtab_nel( - cur->prefix_trans.table)); - items = put_entry(buf32, sizeof(uint32_t), 1, fp); - if (items != 1) - return -1; - - /* write prefix transitions */ - if (hashtab_map(cur->prefix_trans.table, - avtab_trans_write_helper, fp)) - return -1; - - /* write number of suffix transitions */ - buf32[0] = cpu_to_le32(hashtab_nel( - cur->suffix_trans.table)); - items = put_entry(buf32, sizeof(uint32_t), 1, fp); - if (items != 1) - return -1; - - /* write suffix transitions */ - if (hashtab_map(cur->suffix_trans.table, - avtab_trans_write_helper, fp)) - return -1; - } + /* write filename transitions */ + return hashtab_map(cur->name_trans.table, + avtab_trans_write_helper, fp); } else if (cur->otype) { buf32[0] = cpu_to_le32(cur->otype); items = put_entry(buf32, sizeof(uint32_t), 1, fp); 
@@ -195,26 +168,14 @@ static int avtab_write_item(policydb_t * p, /* * skip entries which only contain filename transitions in versions - * before filename transitions were moved to avtab, - * skip entries which only contain prefix/suffix transitions in versions - * before prefix/suffix filename transitions + * before filename transitions were moved to avtab */ - if (cur->key.specified & AVTAB_TRANSITION) { - if (p->policyvers < POLICYDB_VERSION_AVTAB_FTRANS && - cur->key.specified & AVTAB_TRANSITION && - !cur->datum.trans->otype) { - /* - * if oldvers, reduce nel, because this node will be - * skipped - */ - if (oldvers && nel) - (*nel)--; - return 0; - } - if (p->policyvers < POLICYDB_VERSION_PREFIX_SUFFIX && - !cur->datum.trans->otype && - !hashtab_nel(cur->datum.trans->name_trans.table)) - return 0; + if (p->policyvers < POLICYDB_VERSION_AVTAB_FTRANS && + cur->key.specified & AVTAB_TRANSITION && !cur->datum.trans->otype) { + /* if oldvers, reduce nel, because this node will be skipped */ + if (oldvers && nel) + (*nel)--; + return 0; } if (oldvers) { 
@@ -417,27 +378,17 @@ static int avtab_write(struct policydb *p, avtab_t * a, struct policy_file *fp) * filename transitions. */ nel = a->nel; - for (i = 0; i < a->nslot; i++) { - for (cur = a->htable[i]; cur; cur = cur->next) { - if (!(cur->key.specified & AVTAB_TRANSITION)) - continue; - if (p->policyvers < POLICYDB_VERSION_AVTAB_FTRANS && - !cur->datum.trans->otype) { - /* - * entries containing only filename - * transitions are skipped and written - * out later - */ - nel--; - } else if (p->policyvers < POLICYDB_VERSION_PREFIX_SUFFIX && - !cur->datum.trans->otype && - !hashtab_nel(cur->datum.trans->name_trans.table)) { - /* - * entries containing only prefix/suffix - * transitions are not supported in - * previous versions - */ - nel--; + if (p->policyvers < POLICYDB_VERSION_AVTAB_FTRANS) { + /* + * entries containing only filename transitions are + * skipped and written out later + */ + for (i = 0; i < a->nslot; i++) { + for (cur = a->htable[i]; cur; cur = cur->next) { + if ((cur->key.specified + & AVTAB_TRANSITION) && + !cur->datum.trans->otype) + nel--; } } } @@ -2569,22 +2520,6 @@ static int avtab_has_filename_transitions(avtab_t *a) return 0; } -static int avtab_has_prefix_suffix_filename_transitions(avtab_t *a) -{ - uint32_t i; - struct avtab_node *cur; - for (i = 0; i < a->nslot; i++) { - for (cur = a->htable[i]; cur; cur = cur->next) { - if (cur->key.specified & AVTAB_TRANSITION) { - if (hashtab_nel(cur->datum.trans->prefix_trans.table) - || hashtab_nel(cur->datum.trans->suffix_trans.table)) - return 1; - } - } - } - return 0; -} - /* * Write the configuration data in a policy database * structure to a policy database binary representation 
@@ -2751,10 +2686,6 @@ int policydb_write(policydb_t * p, struct policy_file *fp) if (p->policy_type == POLICY_KERN) { if (avtab_write(p, &p->te_avtab, fp)) return POLICYDB_ERROR; - if (avtab_has_prefix_suffix_filename_transitions(&p->te_avtab)) { - WARN(fp->handle, - "Discarding filename prefix/suffix type transition rules"); - } if (p->policyvers < POLICYDB_VERSION_BOOL) { if (p->p_bools.nprim) WARN(fp->handle, "Discarding "
From patchwork Wed Jul 26 14:25:45 2023 X-Patchwork-Submitter: James Carter X-Patchwork-Id: 13328164 X-Patchwork-Delegate: plautrba@redhat.com
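Review bot: the policydb.h and avtab.h hunks of patch 3/8 change installed headers: name_trans_match_t and POLICYDB_VERSION_PREFIX_SUFFIX disappear and avtab_trans_t loses its prefix_trans and suffix_trans members, which changes the layout of a public struct. That is the right outcome for reverting an unreleased feature, but it deserves an explicit sentence in the cover letter, and since the only checkpolicy file in the diffstat is test/dispol.c it is worth confirming that nothing else (checkpolicy's version handling, man pages, tests) still refers to policy version 35.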
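Review bot: in the avtab_node_to_strs hunks of patch 3/8 (kernel_to_cil.c and kernel_to_conf.c) the `if (rc < 0) return rc;` that followed the name_trans hashtab_map goes away together with the prefix/suffix maps, so the result of the remaining `hashtab_map(datum->trans->name_trans.table, name_trans_to_strs_helper, &args)` is only acted on if the code after the if/else still inspects rc before anything overwrites it; please confirm that is the case, otherwise a failing name_trans_to_strs_helper (for instance strs_create_and_add returning an error) would be silently ignored.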
From: James Carter To: selinux@vger.kernel.org Cc: juraj@jurajmarcin.com, James Carter Subject: [PATCH 4/8] Revert "libsepol: implement new module binary format of avrule" Date: Wed, 26 Jul 2023 10:25:45 -0400 Message-ID: <20230726142549.94685-5-jwcart2@gmail.com> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20230726142549.94685-1-jwcart2@gmail.com> References: <20230726142549.94685-1-jwcart2@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org This reverts commit 11013986ac484586e50ce318f4f10c1edf39e746. Signed-off-by: James Carter --- libsepol/include/sepol/policydb/policydb.h | 3 +-- libsepol/src/policydb.c | 28 ---------------------- libsepol/src/write.c | 24 +++---------------- 3 files changed, 4 insertions(+), 51 deletions(-) diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h index 5efd0a47..528c1cad 100644 --- a/libsepol/include/sepol/policydb/policydb.h +++ b/libsepol/include/sepol/policydb/policydb.h @@ -749,10 +749,9 @@ extern int policydb_set_target_platform(policydb_t *p, int platform); #define MOD_POLICYDB_VERSION_INFINIBAND 19 #define MOD_POLICYDB_VERSION_GLBLUB 20 #define MOD_POLICYDB_VERSION_SELF_TYPETRANS 21 -#define MOD_POLICYDB_VERSION_AVRULE_FTRANS 22 #define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE -#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_AVRULE_FTRANS +#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_SELF_TYPETRANS #define POLICYDB_CONFIG_MLS 1 diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c index 37bb97a1..b15d4163 100644 --- a/libsepol/src/policydb.c +++ b/libsepol/src/policydb.c 
@@ -341,13 +341,6 @@ static const struct policydb_compat_info policydb_compat[] = { .ocon_num = OCON_IBENDPORT + 1, .target_platform = SEPOL_TARGET_SELINUX, }, - { - .type = POLICY_BASE, - .version = MOD_POLICYDB_VERSION_AVRULE_FTRANS, - .sym_num = SYM_NUM, - .ocon_num = OCON_IBENDPORT + 1, - .target_platform = SEPOL_TARGET_SELINUX, - }, { .type = POLICY_MOD, .version = MOD_POLICYDB_VERSION_BASE, @@ -474,13 +467,6 @@ static const struct policydb_compat_info policydb_compat[] = { .ocon_num = 0, .target_platform = SEPOL_TARGET_SELINUX, }, - { - .type = POLICY_MOD, - .version = MOD_POLICYDB_VERSION_AVRULE_FTRANS, - .sym_num = SYM_NUM, - .ocon_num = 0, - .target_platform = SEPOL_TARGET_SELINUX, - }, }; #if 0 @@ -3216,19 +3202,6 @@ static avrule_t *avrule_read(policydb_t * p, struct policy_file *fp) tail = cur; } - if (p->policyvers >= MOD_POLICYDB_VERSION_AVRULE_FTRANS && - avrule->specified & AVRULE_TRANSITION) { - rc = next_entry(buf, fp, sizeof(uint32_t)); - if (rc < 0) - goto bad; - len = le32_to_cpu(*buf); - if (len) { - rc = str_read(&avrule->object_name, fp, len); - if (rc < 0) - goto bad; - } - } - if (avrule->specified & AVRULE_XPERMS) { uint8_t buf8; size_t nel = ARRAY_SIZE(avrule->xperms->perms); @@ -3660,7 +3633,6 @@ static int avrule_decl_read(policydb_t * p, avrule_decl_t * decl, } if (p->policyvers >= MOD_POLICYDB_VERSION_FILENAME_TRANS && - p->policyvers < MOD_POLICYDB_VERSION_AVRULE_FTRANS && filename_trans_rule_read(p, &decl->avrules, fp)) return -1; diff --git a/libsepol/src/write.c b/libsepol/src/write.c index d7f47c8d..68495198 100644 --- a/libsepol/src/write.c +++ b/libsepol/src/write.c 
@@ -2025,9 +2025,8 @@ static int avrule_write(policydb_t *p, avrule_t * avrule, uint32_t buf[32], len; class_perm_node_t *cur; - /* skip filename transitions if writing older version without name */ - if (p->policyvers < MOD_POLICYDB_VERSION_AVRULE_FTRANS && - avrule->specified & AVRULE_TRANSITION && avrule->object_name) + /* skip filename transitions for now */ + if (avrule->specified & AVRULE_TRANSITION && avrule->object_name) return POLICYDB_SUCCESS; if (p->policyvers < MOD_POLICYDB_VERSION_SELF_TYPETRANS && @@ -2074,21 +2073,6 @@ static int avrule_write(policydb_t *p, avrule_t * avrule, cur = cur->next; } - if (p->policyvers >= MOD_POLICYDB_VERSION_AVRULE_FTRANS && - avrule->specified & AVRULE_TRANSITION) { - len = avrule->object_name ? strlen(avrule->object_name) : 0; - *buf = cpu_to_le32(len); - items = put_entry(buf, sizeof(uint32_t), 1, fp); - if (items != 1) - return POLICYDB_ERROR; - if (avrule->object_name) { - items = put_entry(avrule->object_name, sizeof(char), - len, fp); - if (items != len) - return POLICYDB_ERROR; - } - } - if (avrule->specified & AVRULE_XPERMS) { size_t nel = ARRAY_SIZE(avrule->xperms->perms); uint32_t buf32[nel]; @@ -2138,8 +2122,7 @@ static int avrule_write_list(policydb_t *p, avrule_t * avrules, avrule = avrules; len = 0; while (avrule) { - if (p->policyvers >= MOD_POLICYDB_VERSION_AVRULE_FTRANS || - !(avrule->specified & AVRULE_TRANSITION && + if (!(avrule->specified & AVRULE_TRANSITION && avrule->object_name)) len++; avrule = avrule->next; 
@@ -2374,7 +2357,6 @@ static int avrule_decl_write(avrule_decl_t * decl, int num_scope_syms, } if (p->policyvers >= MOD_POLICYDB_VERSION_FILENAME_TRANS && - p->policyvers < MOD_POLICYDB_VERSION_AVRULE_FTRANS && filename_trans_rule_write(p, decl->avrules, fp)) return POLICYDB_ERROR;
From patchwork Wed Jul 26 14:25:46 2023 X-Patchwork-Submitter: James Carter X-Patchwork-Id: 13328163 X-Patchwork-Delegate: plautrba@redhat.com
From: James Carter To: selinux@vger.kernel.org Cc: juraj@jurajmarcin.com, James Carter Subject: [PATCH 5/8] Revert "libsepol: implement new kernel binary format for avtab" Date: Wed, 26 Jul 2023 10:25:46 -0400 Message-ID: <20230726142549.94685-6-jwcart2@gmail.com> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20230726142549.94685-1-jwcart2@gmail.com> References: <20230726142549.94685-1-jwcart2@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org This reverts commit 7b77edd91946d8a415cddc596765d8c2e8bd6f63. Signed-off-by: James Carter --- libsepol/include/sepol/policydb/policydb.h | 3 +- libsepol/src/avtab.c | 88 ++-------------------- libsepol/src/policydb.c | 8 -- libsepol/src/write.c | 86 ++++----------------- 4 files changed, 21 insertions(+), 164 deletions(-) diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h index 528c1cad..d30f26af 100644 --- a/libsepol/include/sepol/policydb/policydb.h +++ b/libsepol/include/sepol/policydb/policydb.h @@ -722,11 +722,10 @@ extern int policydb_set_target_platform(policydb_t *p, int platform); #define POLICYDB_VERSION_INFINIBAND 31 /* Linux-specific */ #define POLICYDB_VERSION_GLBLUB 32 #define POLICYDB_VERSION_COMP_FTRANS 33 /* compressed filename transitions */ -#define POLICYDB_VERSION_AVTAB_FTRANS 34 /* filename transitions moved to avtab */ /* Range of policy versions we understand*/ #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE -#define POLICYDB_VERSION_MAX POLICYDB_VERSION_AVTAB_FTRANS +#define POLICYDB_VERSION_MAX POLICYDB_VERSION_COMP_FTRANS /* Module versions and specific changes*/ #define MOD_POLICYDB_VERSION_BASE 4 diff --git a/libsepol/src/avtab.c b/libsepol/src/avtab.c index 2a9564ba..eef259cf 100644 --- a/libsepol/src/avtab.c +++ b/libsepol/src/avtab.c 
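Review bot: lowering POLICYDB_VERSION_MAX back to POLICYDB_VERSION_COMP_FTRANS makes any kernel policy file written at version 34 by the reverted code unloadable by this libsepol, and the one-line commit message ("This reverts commit ...") does not say so; add a sentence stating whether version 34 ever shipped in a release and that policies built with it must be recompiled. The POLICY_KERN compat row for the same version is dropped in policydb.c later in this patch, so header and table stay consistent; keep those hunks together if this is ever cherry-picked on its own.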
@@ -446,87 +446,6 @@ void avtab_hash_eval(avtab_t * h, char *tag) tag, h->nel, slots_used, h->nslot, max_chain_len); } -static int avtab_read_name_trans(policy_file_t *fp, symtab_t *target) -{ - int rc; - uint32_t buf32[2], nel, i, len, *otype = NULL; - char *name = NULL; - - /* read number of name transitions */ - rc = next_entry(buf32, fp, sizeof(uint32_t) * 1); - if (rc < 0) - return rc; - nel = le32_to_cpu(buf32[0]); - - rc = symtab_init(target, nel); - if (rc < 0) - return rc; - - /* read name transitions */ - for (i = 0; i < nel; i++) { - rc = SEPOL_ENOMEM; - otype = malloc(sizeof(uint32_t)); - if (!otype) - goto exit; - - /* read name transition otype and name length */ - rc = next_entry(buf32, fp, sizeof(uint32_t) * 2); - if (rc < 0) - goto exit; - *otype = le32_to_cpu(buf32[0]); - len = le32_to_cpu(buf32[1]); - - /* read the name */ - rc = str_read(&name, fp, len); - if (rc < 0) - goto exit; - - rc = hashtab_insert(target->table, name, otype); - if (rc < 0) - goto exit; - otype = NULL; - name = NULL; - } - -exit: - free(otype); - free(name); - return rc; -} - -static int avtab_trans_read(policy_file_t *fp, uint32_t vers, - avtab_trans_t *trans) -{ - int rc; - uint32_t buf32[1]; - - if (vers < POLICYDB_VERSION_AVTAB_FTRANS) { - rc = next_entry(buf32, fp, sizeof(uint32_t)); - if (rc < 0) { - ERR(fp->handle, "truncated entry"); - return SEPOL_ERR; - } - trans->otype = le32_to_cpu(*buf32); - return SEPOL_OK; - } - - /* read otype */ - rc = next_entry(buf32, fp, sizeof(uint32_t) * 1); - if (rc < 0) - return rc; - trans->otype = le32_to_cpu(buf32[0]); - - rc = avtab_read_name_trans(fp, &trans->name_trans); - if (rc < 0) - goto bad; - - return SEPOL_OK; - -bad: - avtab_trans_destroy(trans); - return rc; -} - /* Ordering of datums in the original avtab format in the policy file. */ static const uint16_t spec_order[] = { AVTAB_ALLOWED, 
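Review bot: the removed avtab_read_name_trans took `nel` straight from the file and passed it to `symtab_init(target, nel)` as the initial table size with no upper bound, and str_read was the only check applied to each per-entry `len`; since this revert deletes the only code that read a per-entry name table out of the avtab there is nothing left to fix here, but if this on-disk layout is reintroduced the count should be bounded (against remaining input, or a fixed cap) before it sizes an allocation. Also check that avtab_trans_destroy, which this helper called on its `bad:` path, still has a caller after this patch or is removed by a later one in the series, so no dead function is left behind.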
@@ -690,9 +609,12 @@ int avtab_read_item(struct policy_file *fp, uint32_t vers, avtab_t * a, xperms.perms[i] = le32_to_cpu(buf32[i]); datum.xperms = &xperms; } else if (key.specified & AVTAB_TRANSITION) { - rc = avtab_trans_read(fp, vers, &trans); - if (rc < 0) + rc = next_entry(buf32, fp, sizeof(uint32_t)); + if (rc < 0) { + ERR(fp->handle, "truncated entry"); return -1; + } + trans.otype = le32_to_cpu(*buf32); datum.trans = &trans; } else { rc = next_entry(buf32, fp, sizeof(uint32_t)); diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c index b15d4163..4913ee21 100644 --- a/libsepol/src/policydb.c +++ b/libsepol/src/policydb.c @@ -208,13 +208,6 @@ static const struct policydb_compat_info policydb_compat[] = { .ocon_num = OCON_IBENDPORT + 1, .target_platform = SEPOL_TARGET_SELINUX, }, - { - .type = POLICY_KERN, - .version = POLICYDB_VERSION_AVTAB_FTRANS, - .sym_num = SYM_NUM, - .ocon_num = OCON_IBENDPORT + 1, - .target_platform = SEPOL_TARGET_SELINUX, - }, { .type = POLICY_BASE, .version = MOD_POLICYDB_VERSION_BASE, @@ -4106,7 +4099,6 @@ int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose) if (role_allow_read(&p->role_allow, fp)) goto bad; if (r_policyvers >= POLICYDB_VERSION_FILENAME_TRANS && - r_policyvers < POLICYDB_VERSION_AVTAB_FTRANS && avtab_filename_trans_read(fp, r_policyvers, &p->te_avtab)) goto bad; } else { diff --git a/libsepol/src/write.c b/libsepol/src/write.c index 68495198..2035b350 100644 --- a/libsepol/src/write.c +++ b/libsepol/src/write.c 
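Review bot: the restored AVTAB_TRANSITION branch in avtab_read_item is the same one-u32 read as the `else` branch directly below it (next_entry, "truncated entry", le32_to_cpu), differing only in whether the value lands in `trans.otype` or `datum.data`; if this code is going to stay rather than be replaced by a new format, do the read once above the branch and assign afterwards so the two error paths cannot drift. Dropping the `r_policyvers < POLICYDB_VERSION_AVTAB_FTRANS` bound in policydb_read is only correct because the same patch lowers POLICYDB_VERSION_MAX and removes the POLICY_KERN compat row for 34, so these hunks must not be split from the policydb.h change.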
@@ -102,56 +102,6 @@ static uint16_t spec_order[] = { AVTAB_MEMBER }; -static int avtab_trans_write_helper(hashtab_key_t hkey, hashtab_datum_t hdatum, - void *fp) -{ - char *name = hkey; - uint32_t *otype = hdatum; - uint32_t buf32[2], len; - size_t items; - - /* write filename transition otype and name length */ - len = strlen(name); - buf32[0] = cpu_to_le32(*otype); - buf32[1] = cpu_to_le32(len); - items = put_entry(buf32, sizeof(uint32_t), 2, fp); - if (items != 2) - return -1; - - /* write filename transition name */ - items = put_entry(name, sizeof(char), len, fp); - if (items != len) - return -1; - - return 0; -} - -static int avtab_trans_write(policydb_t *p, const avtab_trans_t *cur, - policy_file_t *fp) -{ - size_t items; - uint32_t buf32[2]; - - if (p->policyvers >= POLICYDB_VERSION_AVTAB_FTRANS) { - /* write otype and number of filename transitions */ - buf32[0] = cpu_to_le32(cur->otype); - buf32[1] = cpu_to_le32(hashtab_nel(cur->name_trans.table)); - items = put_entry(buf32, sizeof(uint32_t), 2, fp); - if (items != 2) - return -1; - - /* write filename transitions */ - return hashtab_map(cur->name_trans.table, - avtab_trans_write_helper, fp); - } else if (cur->otype) { - buf32[0] = cpu_to_le32(cur->otype); - items = put_entry(buf32, sizeof(uint32_t), 1, fp); - if (items != 1) - return -1; - } - return 0; -} - static int avtab_write_item(policydb_t * p, avtab_ptr_t cur, struct policy_file *fp, unsigned merge, unsigned commit, uint32_t * nel) 
@@ -166,12 +116,8 @@ static int avtab_write_item(policydb_t * p, && p->policyvers < POLICYDB_VERSION_AVTAB); unsigned int i; - /* - * skip entries which only contain filename transitions in versions - * before filename transitions were moved to avtab - */ - if (p->policyvers < POLICYDB_VERSION_AVTAB_FTRANS && - cur->key.specified & AVTAB_TRANSITION && !cur->datum.trans->otype) { + /* skip entries which only contain filename transitions */ + if (cur->key.specified & AVTAB_TRANSITION && !cur->datum.trans->otype) { /* if oldvers, reduce nel, because this node will be skipped */ if (oldvers && nel) (*nel)--; @@ -325,7 +271,9 @@ static int avtab_write_item(policydb_t * p, if (items != 8) return POLICYDB_ERROR; } else if (cur->key.specified & AVTAB_TRANSITION) { - if (avtab_trans_write(p, cur->datum.trans, fp) < 0) + buf32[0] = cpu_to_le32(cur->datum.trans->otype); + items = put_entry(buf32, sizeof(uint32_t), 1, fp); + if (items != 1) return POLICYDB_ERROR; } else { buf32[0] = cpu_to_le32(cur->datum.data); @@ -378,18 +326,15 @@ static int avtab_write(struct policydb *p, avtab_t * a, struct policy_file *fp) * filename transitions. */ nel = a->nel; - if (p->policyvers < POLICYDB_VERSION_AVTAB_FTRANS) { - /* - * entries containing only filename transitions are - * skipped and written out later - */ - for (i = 0; i < a->nslot; i++) { - for (cur = a->htable[i]; cur; cur = cur->next) { - if ((cur->key.specified - & AVTAB_TRANSITION) && - !cur->datum.trans->otype) - nel--; - } + /* + * entries containing only filename transitions are skipped and + * written out later + */ + for (i = 0; i < a->nslot; i++) { + for (cur = a->htable[i]; cur; cur = cur->next) { + if (cur->key.specified & AVTAB_TRANSITION && + !cur->datum.trans->otype) + nel--; } } nel = cpu_to_le32(nel); 
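Review bot: the "entry contains only filename transitions" test, `cur->key.specified & AVTAB_TRANSITION && !cur->datum.trans->otype`, is now spelled out twice, in avtab_write_item (to skip the entry) and in avtab_write (to pre-subtract it from `nel`); if the two ever disagree the record count written to the file will not match the records that follow and the reader will reject the policy, so factor it into a small static predicate used by both. Related: avtab_write_item also does `(*nel)--` for skipped entries when `oldvers && nel`, while the loop in avtab_write subtracts them unconditionally before writing the count; confirm `nel` is only passed through on the oldvers path so that skipped entries are not subtracted twice.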
@@ -2681,8 +2626,7 @@ int policydb_write(policydb_t * p, struct policy_file *fp) if (role_allow_write(p->role_allow, fp)) return POLICYDB_ERROR; if (p->policyvers >= POLICYDB_VERSION_FILENAME_TRANS) { - if (p->policyvers < POLICYDB_VERSION_AVTAB_FTRANS && - avtab_filename_trans_write(p, &p->te_avtab, fp)) + if (avtab_filename_trans_write(p, &p->te_avtab, fp)) return POLICYDB_ERROR; } else if (avtab_has_filename_transitions(&p->te_avtab)) { WARN(fp->handle,
From patchwork Wed Jul 26 14:25:47 2023 X-Patchwork-Submitter: James Carter X-Patchwork-Id: 13328166 X-Patchwork-Delegate: plautrba@redhat.com
From: James Carter To: selinux@vger.kernel.org Cc: juraj@jurajmarcin.com, James Carter Subject: [PATCH 6/8] Revert "checkpolicy,libsepol: move filename transition rules to avrule" Date: Wed, 26 Jul 2023 10:25:47 -0400 Message-ID: <20230726142549.94685-7-jwcart2@gmail.com> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20230726142549.94685-1-jwcart2@gmail.com> References: <20230726142549.94685-1-jwcart2@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org This reverts commit 565d87489bc00cab2e624aae1a40872d2a2232ba. Signed-off-by: James Carter --- checkpolicy/checkpolicy.c | 9 + checkpolicy/module_compiler.c | 12 ++ checkpolicy/module_compiler.h | 1 + checkpolicy/policy_define.c | 215 ++++++++++++++++++--- checkpolicy/policy_define.h | 3 +- checkpolicy/policy_parse.y | 8 +- checkpolicy/test/dismod.c | 25 ++- libsepol/cil/src/cil_binary.c | 2 - libsepol/include/sepol/policydb/policydb.h | 16 +- libsepol/src/avrule_block.c | 1 + libsepol/src/expand.c | 132 +++++++++---- libsepol/src/link.c | 56 +++++- libsepol/src/module_to_cil.c | 71 ++++++- libsepol/src/policydb.c | 70 +++++-- libsepol/src/policydb_validate.c | 27 +++ libsepol/src/write.c | 86 ++++----- 16 files changed, 580 insertions(+), 154 deletions(-) diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c index 623ba8b2..83000bcb 100644 --- a/checkpolicy/checkpolicy.c +++ b/checkpolicy/checkpolicy.c @@ -615,6 +615,15 @@ int main(int argc, char **argv) parse_policy.mls = mlspol; parse_policy.handle_unknown = handle_unknown; + /* + * Init and alloc te_avtab for filename transition duplicate + * checking + */ + if (avtab_init(&parse_policy.te_avtab)) + exit(1); + if (avtab_alloc(&parse_policy.te_avtab, 1 << 11)) + exit(1); + policydbp = &parse_policy; if (read_source_policy(policydbp, file, "checkpolicy") < 0) diff --git a/checkpolicy/module_compiler.c b/checkpolicy/module_compiler.c index 5fe1729a..3188af89 100644 --- a/checkpolicy/module_compiler.c 
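Review bot: the two new failure paths in checkpolicy's main(), `if (avtab_init(&parse_policy.te_avtab)) exit(1);` and `if (avtab_alloc(&parse_policy.te_avtab, 1 << 11)) exit(1);`, exit silently; print a reason to stderr first (an out-of-memory message naming te_avtab) so a failed build is diagnosable. The comment correctly says the table exists only for duplicate checking (define_filename_trans inserts into it and nothing in this patch writes it out), but it should also say the table is released together with parse_policy, so that the allocation is not silently leaked at exit and nobody adds a second, conflicting avtab_destroy.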
+++ b/checkpolicy/module_compiler.c @@ -1278,6 +1278,18 @@ void append_role_allow(role_allow_rule_t * role_allow_rules) decl->role_allow_rules = role_allow_rules; } +/* this doesn't actually append, but really prepends it */ +void append_filename_trans(filename_trans_rule_t * filename_trans_rules) +{ + avrule_decl_t *decl = stack_top->decl; + + /* filename transitions are not allowed within conditionals */ + assert(stack_top->type == 1); + + filename_trans_rules->next = decl->filename_trans_rules; + decl->filename_trans_rules = filename_trans_rules; +} + /* this doesn't actually append, but really prepends it */ void append_range_trans(range_trans_rule_t * range_tr_rules) { diff --git a/checkpolicy/module_compiler.h b/checkpolicy/module_compiler.h index 6f8bb9b9..29b824b4 100644 --- a/checkpolicy/module_compiler.h +++ b/checkpolicy/module_compiler.h @@ -83,6 +83,7 @@ void append_avrule(avrule_t * avrule); void append_role_trans(role_trans_rule_t * role_tr_rules); void append_role_allow(role_allow_rule_t * role_allow_rules); void append_range_trans(range_trans_rule_t * range_tr_rules); +void append_filename_trans(filename_trans_rule_t * filename_trans_rules); /* Create a new optional block and add it to the global policy. * During the second pass resolve the block's requirements. Return 0 diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c index 25dbf25d..dc2ee8f3 100644 --- a/checkpolicy/policy_define.c +++ b/checkpolicy/policy_define.c @@ -1601,7 +1601,7 @@ static int set_types(type_set_t * set, char *id, int *add, char starallowed) return -1; } -static int define_compute_type_helper(int which, avrule_t ** rule, int has_filename) +static int define_compute_type_helper(int which, avrule_t ** rule) { char *id; type_datum_t *datum; 
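Review bot: `assert(stack_top->type == 1)` in append_filename_trans compares against a bare magic number; the neighbouring append_* helpers use the same idiom, but a named constant, or at least a comment saying that 1 is the unconditional avrule block as opposed to a conditional, would make the intent readable. With NDEBUG the assert disappears, so the real guarantee that a named type_transition never lands in a conditional block is the grammar: policy_parse.y (later hunk) only routes the `TYPE_TRANSITION names names ':' names identifier filename` form to define_filename_trans from the unconditional transition_def rule, which makes this check defensive only; say so in the comment.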
@@ -1669,14 +1669,6 @@ static int define_compute_type_helper(int which, avrule_t ** rule, int has_filen } free(id); - if (has_filename) { - avrule->object_name = queue_remove(id_queue); - if (!avrule->object_name) { - yyerror("no object_name?"); - goto bad; - } - } - ebitmap_for_each_positive_bit(&tclasses, node, i) { perm = malloc(sizeof(class_perm_node_t)); if (!perm) { @@ -1700,7 +1692,7 @@ static int define_compute_type_helper(int which, avrule_t ** rule, int has_filen return -1; } -int define_compute_type(int which, int has_filename) +int define_compute_type(int which) { char *id; avrule_t *avrule; @@ -1714,14 +1706,10 @@ int define_compute_type(int which, int has_filename) free(id); id = queue_remove(id_queue); free(id); - if (has_filename) { - id = queue_remove(id_queue); - free(id); - } return 0; } - if (define_compute_type_helper(which, &avrule, has_filename)) + if (define_compute_type_helper(which, &avrule)) return -1; append_avrule(avrule); @@ -1745,7 +1733,7 @@ avrule_t *define_cond_compute_type(int which) return (avrule_t *) 1; } - if (define_compute_type_helper(which, &avrule, 0)) + if (define_compute_type_helper(which, &avrule)) return COND_ERR; return avrule; @@ -2387,13 +2375,6 @@ static int avrule_cpy(avrule_t *dest, const avrule_t *src) yyerror("out of memory"); return -1; } - if (src->object_name) { - dest->object_name = strdup(src->object_name); - if (!dest->object_name) { - yyerror("out of memory"); - return -1; - } - } dest->line = src->line; dest->source_filename = strdup(source_file); if (!dest->source_filename) { 
@@ -3362,6 +3343,194 @@ avrule_t *define_cond_filename_trans(void) return COND_ERR; } +int define_filename_trans(void) +{ + char *id, *name = NULL; + type_set_t stypes, ttypes; + ebitmap_t e_stypes, e_ttypes; + ebitmap_t e_tclasses; + ebitmap_node_t *snode, *tnode, *cnode; + filename_trans_rule_t *ftr; + type_datum_t *typdatum; + avtab_key_t avt_key; + uint32_t otype; + unsigned int c, s, t; + int add, self, rc; + + if (pass == 1) { + /* stype */ + while ((id = queue_remove(id_queue))) + free(id); + /* ttype */ + while ((id = queue_remove(id_queue))) + free(id); + /* tclass */ + while ((id = queue_remove(id_queue))) + free(id); + /* otype */ + id = queue_remove(id_queue); + free(id); + /* name */ + id = queue_remove(id_queue); + free(id); + return 0; + } + + type_set_init(&stypes); + type_set_init(&ttypes); + ebitmap_init(&e_stypes); + ebitmap_init(&e_ttypes); + ebitmap_init(&e_tclasses); + + add = 1; + while ((id = queue_remove(id_queue))) { + if (set_types(&stypes, id, &add, 0)) + goto bad; + } + + self = 0; + add = 1; + while ((id = queue_remove(id_queue))) { + if (strcmp(id, "self") == 0) { + free(id); + if (add == 0) { + yyerror("-self is not supported"); + goto bad; + } + self = 1; + continue; + } + if (set_types(&ttypes, id, &add, 0)) + goto bad; + } + + if (read_classes(&e_tclasses)) + goto bad; + + id = (char *)queue_remove(id_queue); + if (!id) { + yyerror("no otype in transition definition?"); + goto bad; + } + if (!is_id_in_scope(SYM_TYPES, id)) { + yyerror2("type %s is not within scope", id); + free(id); + goto bad; + } + typdatum = hashtab_search(policydbp->p_types.table, id); + if (!typdatum) { + yyerror2("unknown type %s used in transition definition", id); + free(id); + goto bad; + } + free(id); + otype = typdatum->s.value; + + name = queue_remove(id_queue); + if (!name) { + yyerror("no pathname specified in filename_trans definition?"); + goto bad; + } + + /* We expand the class set into separate rules. 
We expand the types + * just to make sure there are not duplicates. They will get turned + * into separate rules later */ + if (type_set_expand(&stypes, &e_stypes, policydbp, 1)) + goto bad; + + if (type_set_expand(&ttypes, &e_ttypes, policydbp, 1)) + goto bad; + + ebitmap_for_each_positive_bit(&e_tclasses, cnode, c) { + ebitmap_for_each_positive_bit(&e_stypes, snode, s) { + ebitmap_for_each_positive_bit(&e_ttypes, tnode, t) { + avt_key.specified = AVTAB_TRANSITION; + avt_key.source_type = s + 1; + avt_key.target_type = t + 1; + avt_key.target_class = c + 1; + rc = avtab_insert_filename_trans( + &policydbp->te_avtab, &avt_key, otype, + name, NULL + ); + if (rc != SEPOL_OK) { + if (rc == SEPOL_EEXIST) { + yyerror2("duplicate filename transition for: filename_trans %s %s %s:%s", + name, + policydbp->p_type_val_to_name[s], + policydbp->p_type_val_to_name[t], + policydbp->p_class_val_to_name[c]); + goto bad; + } + yyerror("out of memory"); + goto bad; + } + } + if (self) { + avt_key.specified = AVTAB_TRANSITION; + avt_key.source_type = s + 1; + avt_key.target_type = t + 1; + avt_key.target_class = c + 1; + rc = avtab_insert_filename_trans( + &policydbp->te_avtab, &avt_key, otype, + name, NULL + ); + if (rc != SEPOL_OK) { + if (rc == SEPOL_EEXIST) { + yyerror2("duplicate filename transition for: filename_trans %s %s %s:%s", + name, + policydbp->p_type_val_to_name[s], + policydbp->p_type_val_to_name[s], + policydbp->p_class_val_to_name[c]); + goto bad; + } + yyerror("out of memory"); + goto bad; + } + } + } + + /* Now add the real rule since we didn't find any duplicates */ + ftr = malloc(sizeof(*ftr)); + if (!ftr) { + yyerror("out of memory"); + goto bad; + } + filename_trans_rule_init(ftr); + append_filename_trans(ftr); + + ftr->name = strdup(name); + if (type_set_cpy(&ftr->stypes, &stypes)) { + yyerror("out of memory"); + goto bad; + } + if (type_set_cpy(&ftr->ttypes, &ttypes)) { + yyerror("out of memory"); + goto bad; + } + ftr->tclass = c + 1; + ftr->otype = otype; 
+ ftr->flags = self ? RULE_SELF : 0; + } + + free(name); + ebitmap_destroy(&e_stypes); + ebitmap_destroy(&e_ttypes); + ebitmap_destroy(&e_tclasses); + type_set_destroy(&stypes); + type_set_destroy(&ttypes); + + return 0; + +bad: + free(name); + ebitmap_destroy(&e_stypes); + ebitmap_destroy(&e_ttypes); + ebitmap_destroy(&e_tclasses); + type_set_destroy(&stypes); + type_set_destroy(&ttypes); + return -1; +} + static constraint_expr_t *constraint_expr_clone(const constraint_expr_t * expr) { constraint_expr_t *h = NULL, *l = NULL, *newe; diff --git a/checkpolicy/policy_define.h b/checkpolicy/policy_define.h index 5d0f70e4..50a7ba78 100644 --- a/checkpolicy/policy_define.h +++ b/checkpolicy/policy_define.h @@ -28,7 +28,7 @@ int define_default_role(int which); int define_default_type(int which); int define_default_range(int which); int define_common_perms(void); -int define_compute_type(int which, int has_filename); +int define_compute_type(int which); int define_conditional(cond_expr_t *expr, avrule_t *t_list, avrule_t *f_list ); int define_constraint(constraint_expr_t *expr); int define_dominance(void); @@ -57,6 +57,7 @@ int define_role_trans(int class_specified); int define_role_types(void); int define_role_attr(void); int define_roleattribute(void); +int define_filename_trans(void); int define_sens(void); int define_te_avtab(int which); int define_te_avtab_extended_perms(int which); diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y index 2a14fc1e..da32a776 100644 --- a/checkpolicy/policy_parse.y +++ b/checkpolicy/policy_parse.y 
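Review bot: in the `if (self)` block of define_filename_trans the key is built with `avt_key.target_type = t + 1;` after the inner `ebitmap_for_each_positive_bit(&e_ttypes, tnode, t)` loop has already run to completion, so `t` holds the loop's end value rather than a valid type; for a self rule the target is the source type, and the duplicate error message right below already prints `p_type_val_to_name[s]` twice, so this should read `avt_key.target_type = s + 1;`. Separately, `ftr->name = strdup(name);` is unchecked while every other allocation in the function reports "out of memory" and jumps to bad; add the check. Finally, `filename_trans_rule_init(ftr); append_filename_trans(ftr);` runs before the fields are filled in, so a `goto bad` from either type_set_cpy failure leaves a half-populated rule on decl->filename_trans_rules; filename_trans_rule_list_destroy frees it so it is not a leak, but populating first and appending last would be cleaner.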
@@ -451,13 +451,13 @@ cond_dontaudit_def : DONTAUDIT names names ':' names names ';' ; ; transition_def : TYPE_TRANSITION names names ':' names identifier filename ';' - {if (define_compute_type(AVRULE_TRANSITION, 1)) return -1; } + {if (define_filename_trans()) return -1; } | TYPE_TRANSITION names names ':' names identifier ';' - {if (define_compute_type(AVRULE_TRANSITION, 0)) return -1;} + {if (define_compute_type(AVRULE_TRANSITION)) return -1;} | TYPE_MEMBER names names ':' names identifier ';' - {if (define_compute_type(AVRULE_MEMBER, 0)) return -1;} + {if (define_compute_type(AVRULE_MEMBER)) return -1;} | TYPE_CHANGE names names ':' names identifier ';' - {if (define_compute_type(AVRULE_CHANGE, 0)) return -1;} + {if (define_compute_type(AVRULE_CHANGE)) return -1;} ; range_trans_def : RANGE_TRANSITION names names mls_range_def ';' { if (define_range_trans(0)) return -1; } diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c index 8bab207c..fa7117f5 100644 --- a/checkpolicy/test/dismod.c +++ b/checkpolicy/test/dismod.c @@ -50,6 +50,7 @@ #define DISPLAY_AVBLOCK_ROLE_ALLOW 4 #define DISPLAY_AVBLOCK_REQUIRES 5 #define DISPLAY_AVBLOCK_DECLARES 6 +#define DISPLAY_AVBLOCK_FILENAME_TRANS 7 static policydb_t policydb; @@ -86,6 +87,7 @@ static struct command { {CMD, 'c', "Display policy capabilities"}, {CMD|NOOPT, 'l', "Link in a module"}, {CMD, 'u', "Display the unknown handling setting"}, + {CMD, 'F', "Display filename_trans rules"}, {CMD, 'v', "display the version of policy and/or module"}, {HEADER, 0, ""}, {CMD|NOOPT, 'f', "set output file"}, @@ -343,8 +345,6 @@ static int display_avrule(avrule_t * avrule, policydb_t * policy, policy, fp); } else if (avrule->specified & AVRULE_TYPE) { display_id(policy, fp, SYM_TYPES, avrule->perms->data - 1, ""); - if (avrule->object_name) - fprintf(fp, " \"%s\"", avrule->object_name); } else if (avrule->specified & AVRULE_XPERMS) { avtab_extended_perms_t xperms; int i; 
@@ -562,6 +562,18 @@ static void display_role_allow(role_allow_rule_t * ra, policydb_t * p, FILE * fp } } +static void display_filename_trans(filename_trans_rule_t * tr, policydb_t * p, FILE * fp) +{ + fprintf(fp, "filename transition"); + for (; tr; tr = tr->next) { + display_type_set(&tr->stypes, 0, p, fp); + display_type_set(&tr->ttypes, 0, p, fp); + display_id(p, fp, SYM_CLASSES, tr->tclass - 1, ":"); + display_id(p, fp, SYM_TYPES, tr->otype - 1, ""); + fprintf(fp, " %s\n", tr->name); + } +} + static int role_display_callback(hashtab_key_t key __attribute__((unused)), hashtab_datum_t datum, void *data) { @@ -726,6 +738,10 @@ static int display_avdecl(avrule_decl_t * decl, int field, } break; } + case DISPLAY_AVBLOCK_FILENAME_TRANS: + display_filename_trans(decl->filename_trans_rules, policy, + out_fp); + break; default:{ assert(0); } @@ -1059,6 +1075,11 @@ int main(int argc, char **argv) if (out_fp != stdout) printf("\nOutput to file: %s\n", OutfileName); break; + case 'F': + fprintf(out_fp, "filename_trans rules:\n"); + display_avblock(DISPLAY_AVBLOCK_FILENAME_TRANS, + &policydb, out_fp); + break; case 'l': link_module(&policydb, out_fp, ops? 0: 1); break; diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c index 996bad70..7150d405 100644 --- a/libsepol/cil/src/cil_binary.c +++ b/libsepol/cil/src/cil_binary.c @@ -4650,7 +4650,6 @@ static avrule_t *__cil_init_sepol_avrule(uint32_t kind, struct cil_tree_node *no __cil_init_sepol_type_set(&avrule->stypes); __cil_init_sepol_type_set(&avrule->ttypes); avrule->perms = NULL; - avrule->object_name = NULL; avrule->line = node->line; avrule->source_filename = NULL; @@ -4677,7 +4676,6 @@ static void __cil_destroy_sepol_avrules(avrule_t *curr) ebitmap_destroy(&curr->stypes.negset); ebitmap_destroy(&curr->ttypes.types); ebitmap_destroy(&curr->ttypes.negset); - free(curr->object_name); __cil_destroy_sepol_class_perms(curr->perms); free(curr); curr = next; 
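Review bot: display_filename_trans prints the literal "filename transition" once, without a newline, before the loop, so the first rule's types are glued directly onto that text and every subsequent rule is printed with no label at all; either move the fprintf inside the loop (with a trailing space) or terminate the header with "\n" so the output under the new `F` command is one rule per line like the other display_* helpers.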
diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h index d30f26af..8bb11d18 100644 --- a/libsepol/include/sepol/policydb/policydb.h +++ b/libsepol/include/sepol/policydb/policydb.h @@ -278,7 +278,6 @@ typedef struct avrule { type_set_t stypes; type_set_t ttypes; class_perm_node_t *perms; - char *object_name; /* optional object name */ av_extended_perms_t *xperms; unsigned long line; /* line number from policy.conf where * this rule originated */ @@ -302,6 +301,16 @@ typedef struct role_allow_rule { struct role_allow_rule *next; } role_allow_rule_t; +typedef struct filename_trans_rule { + uint32_t flags; /* may have RULE_SELF set */ + type_set_t stypes; + type_set_t ttypes; + uint32_t tclass; + char *name; + uint32_t otype; /* new type */ + struct filename_trans_rule *next; +} filename_trans_rule_t; + typedef struct range_trans_rule { type_set_t stypes; type_set_t ttypes; @@ -442,6 +451,9 @@ typedef struct avrule_decl { scope_index_t required; /* symbols needed to activate this block */ scope_index_t declared; /* symbols declared within this block */ + /* type transition rules with a 'name' component */ + filename_trans_rule_t *filename_trans_rules; + /* for additive statements (type attribute, roles, and users) */ symtab_t symtab[SYM_NUM]; @@ -644,6 +656,8 @@ extern void avrule_destroy(avrule_t * x); extern void avrule_list_destroy(avrule_t * x); extern void role_trans_rule_init(role_trans_rule_t * x); extern void role_trans_rule_list_destroy(role_trans_rule_t * x); +extern void filename_trans_rule_init(filename_trans_rule_t * x); +extern void filename_trans_rule_list_destroy(filename_trans_rule_t * x); extern void role_datum_init(role_datum_t * x); extern void role_datum_destroy(role_datum_t * x); diff --git a/libsepol/src/avrule_block.c b/libsepol/src/avrule_block.c index fce4e772..dcfce8b8 100644 --- a/libsepol/src/avrule_block.c +++ b/libsepol/src/avrule_block.c 
@@ -99,6 +99,7 @@ void avrule_decl_destroy(avrule_decl_t * x) cond_list_destroy(x->cond_list); avrule_list_destroy(x->avrules); role_trans_rule_list_destroy(x->role_tr_rules); + filename_trans_rule_list_destroy(x->filename_trans_rules); role_allow_rule_list_destroy(x->role_allow_rules); range_trans_rule_list_destroy(x->range_tr_rules); scope_index_destroy(&x->required); diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c index a4c92f4f..878b0f21 100644 --- a/libsepol/src/expand.c +++ b/libsepol/src/expand.c 
@@ -1407,6 +1407,94 @@ static int copy_role_trans(expand_state_t * state, role_trans_rule_t * rules) return 0; } +static int expand_filename_trans_helper(expand_state_t *state, + filename_trans_rule_t *rule, + unsigned int s, unsigned int t) +{ + uint32_t mapped_otype, present_otype; + int rc; + avtab_key_t avt_key; + + mapped_otype = state->typemap[rule->otype - 1]; + + avt_key.specified = AVTAB_TRANSITION; + avt_key.source_type = s + 1; + avt_key.target_type = t + 1; + avt_key.target_class = rule->tclass; + + rc = avtab_insert_filename_trans(&state->out->te_avtab, &avt_key, + mapped_otype, rule->name, &present_otype); + if (rc == SEPOL_EEXIST) { + /* duplicate rule, ignore */ + if (present_otype == mapped_otype) + return 0; + + ERR(state->handle, "Conflicting name-based type_transition %s %s:%s \"%s\": %s vs %s", + state->out->p_type_val_to_name[s], + state->out->p_type_val_to_name[t], + state->out->p_class_val_to_name[rule->tclass - 1], + rule->name, + state->out->p_type_val_to_name[present_otype - 1], + state->out->p_type_val_to_name[mapped_otype - 1]); + return -1; + } else if (rc < 0) { + ERR(state->handle, "Out of memory!"); + return -1; + } + return 0; +} + +static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *rules) +{ + unsigned int i, j; + filename_trans_rule_t *cur_rule; + ebitmap_t stypes, ttypes; + ebitmap_node_t *snode, *tnode; + int rc; + + cur_rule = rules; + while (cur_rule) { + ebitmap_init(&stypes); + ebitmap_init(&ttypes); + + if (expand_convert_type_set(state->out, state->typemap, + &cur_rule->stypes, &stypes, 1)) { + ERR(state->handle, "Out of memory!"); + return -1; + } + + if (expand_convert_type_set(state->out, state->typemap, + &cur_rule->ttypes, &ttypes, 1)) { + ERR(state->handle, "Out of memory!"); + return -1; + } + + + ebitmap_for_each_positive_bit(&stypes, snode, i) { + ebitmap_for_each_positive_bit(&ttypes, tnode, j) { + rc = expand_filename_trans_helper( + state, cur_rule, i, j + ); + if (rc) + return rc; 
+ } + if (cur_rule->flags & RULE_SELF) { + rc = expand_filename_trans_helper( + state, cur_rule, i, i + ); + if (rc) + return rc; + } + } + + ebitmap_destroy(&stypes); + ebitmap_destroy(&ttypes); + + cur_rule = cur_rule->next; + } + return 0; +} + static int exp_rangetr_helper(uint32_t stype, uint32_t ttype, uint32_t tclass, mls_semantic_range_t * trange, expand_state_t * state) @@ -1620,7 +1708,7 @@ static int expand_terule_helper(sepol_handle_t * handle, uint32_t specified, cond_av_list_t ** cond, cond_av_list_t ** other, uint32_t stype, uint32_t ttype, class_perm_node_t * perms, - char *object_name, avtab_t * avtab, int enabled) + avtab_t * avtab, int enabled) { avtab_key_t avkey; avtab_datum_t *avdatump; @@ -1644,34 +1732,6 @@ static int expand_terule_helper(sepol_handle_t * handle, typemap ? typemap[cur->data - 1] : cur->data; avkey.target_class = cur->tclass; - /* - * if expanded node is a filename transition, insert it, insert - * function checks for duplicates - */ - if (specified & AVRULE_TRANSITION && object_name) { - int rc = avtab_insert_filename_trans(avtab, &avkey, - remapped_data, - object_name, - &oldtype); - if (rc == SEPOL_EEXIST) { - ERR(handle, "conflicting filename transition %s %s:%s \"%s\": %s vs %s", - p->p_type_val_to_name[avkey.source_type - 1], - p->p_type_val_to_name[avkey.target_type - 1], - p->p_class_val_to_name[avkey.target_class - 1], - object_name, - p->p_type_val_to_name[oldtype - 1], - p->p_type_val_to_name[remapped_data - 1]); - return EXPAND_RULE_CONFLICT; - } - if (rc < 0) - return EXPAND_RULE_ERROR; - /* - * filename transtion inserted, continue with next node - */ - cur = cur->next; - continue; - } - conflict = 0; /* check to see if the expanded TE already exists -- * either in the global scope or in another 
@@ -1717,9 +1777,12 @@ static int expand_terule_helper(sepol_handle_t * handle, || node->parse_context == cond) return EXPAND_RULE_SUCCESS; ERR(handle, "duplicate TE rule for %s %s:%s %s", - p->p_type_val_to_name[avkey.source_type - 1], - p->p_type_val_to_name[avkey.target_type - 1], - p->p_class_val_to_name[avkey.target_class - 1], + p->p_type_val_to_name[avkey.source_type - + 1], + p->p_type_val_to_name[avkey.target_type - + 1], + p->p_class_val_to_name[avkey.target_class - + 1], p->p_type_val_to_name[oldtype - 1]); return EXPAND_RULE_CONFLICT; } @@ -1884,7 +1947,6 @@ static int expand_rule_helper(sepol_handle_t * handle, retval = expand_terule_helper(handle, p, typemap, source_rule->specified, cond, other, i, i, source_rule->perms, - source_rule->object_name, dest_avtab, enabled); if (retval != EXPAND_RULE_SUCCESS) return retval; @@ -1901,7 +1963,6 @@ static int expand_rule_helper(sepol_handle_t * handle, retval = expand_terule_helper(handle, p, typemap, source_rule->specified, cond, other, i, j, source_rule->perms, - source_rule->object_name, dest_avtab, enabled); if (retval != EXPAND_RULE_SUCCESS) return retval; @@ -2730,6 +2791,9 @@ static int copy_and_expand_avrule_block(expand_state_t * state) goto cleanup; } + if (expand_filename_trans(state, decl->filename_trans_rules)) + goto cleanup; + /* expand the range transition rules */ if (expand_range_trans(state, decl->range_tr_rules)) goto cleanup; diff --git a/libsepol/src/link.c b/libsepol/src/link.c index 88b23594..3b7742bc 100644 --- a/libsepol/src/link.c +++ b/libsepol/src/link.c @@ -1249,12 +1249,6 @@ static int copy_avrule_list(avrule_t * list, avrule_t ** dst, goto cleanup; } - if (cur->object_name) { - new_rule->object_name = strdup(cur->object_name); - if (!new_rule->object_name) - goto cleanup; - } - cur_perm = cur->perms; tail_perm = NULL; while (cur_perm) { 
@@ -1418,6 +1412,51 @@ static int copy_role_allow_list(role_allow_rule_t * list, return -1; } +static int copy_filename_trans_list(filename_trans_rule_t * list, + filename_trans_rule_t ** dst, + policy_module_t * module, + link_state_t * state) +{ + filename_trans_rule_t *cur, *new_rule, *tail; + + cur = list; + tail = *dst; + while (tail && tail->next) + tail = tail->next; + + while (cur) { + new_rule = malloc(sizeof(*new_rule)); + if (!new_rule) + goto err; + + filename_trans_rule_init(new_rule); + + if (*dst == NULL) + *dst = new_rule; + else + tail->next = new_rule; + tail = new_rule; + + new_rule->name = strdup(cur->name); + if (!new_rule->name) + goto err; + + if (type_set_or_convert(&cur->stypes, &new_rule->stypes, module) || + type_set_or_convert(&cur->ttypes, &new_rule->ttypes, module)) + goto err; + + new_rule->tclass = module->map[SYM_CLASSES][cur->tclass - 1]; + new_rule->otype = module->map[SYM_TYPES][cur->otype - 1]; + new_rule->flags = cur->flags; + + cur = cur->next; + } + return 0; +err: + ERR(state->handle, "Out of memory!"); + return -1; +} + static int copy_range_trans_list(range_trans_rule_t * rules, range_trans_rule_t ** dst, policy_module_t * mod, link_state_t * state) @@ -1640,6 +1679,11 @@ static int copy_avrule_decl(link_state_t * state, policy_module_t * module, return -1; } + if (copy_filename_trans_list(src_decl->filename_trans_rules, + &dest_decl->filename_trans_rules, + module, state)) + return -1; + if (copy_range_trans_list(src_decl->range_tr_rules, &dest_decl->range_tr_rules, module, state)) return -1; diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c index ca96bb67..a6b6d66f 100644 --- a/libsepol/src/module_to_cil.c +++ b/libsepol/src/module_to_cil.c 
@@ -547,7 +547,7 @@ static int semantic_level_to_cil(struct policydb *pdb, int sens_offset, struct m return 0; } -static int avrule_to_cil(int indent, struct policydb *pdb, uint32_t type, const char *src, const char *tgt, const char *object_name, const struct class_perm_node *classperms) +static int avrule_to_cil(int indent, struct policydb *pdb, uint32_t type, const char *src, const char *tgt, const struct class_perm_node *classperms) { int rc = -1; const char *rule; @@ -597,12 +597,6 @@ static int avrule_to_cil(int indent, struct policydb *pdb, uint32_t type, const rule, src, tgt, pdb->p_class_val_to_name[classperm->tclass - 1], perms + 1); - } else if (object_name) { - cil_println(indent, "(%s %s %s %s \"%s\" %s)", - rule, src, tgt, - pdb->p_class_val_to_name[classperm->tclass - 1], - object_name, - pdb->p_type_val_to_name[classperm->data - 1]); } else { cil_println(indent, "(%s %s %s %s %s)", rule, src, tgt, @@ -1205,7 +1199,7 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a if (avrule->specified & AVRULE_XPERMS) { rc = avrulex_to_cil(indent, pdb, avrule->specified, snames[s], tnames[t], avrule->perms, avrule->xperms); } else { - rc = avrule_to_cil(indent, pdb, avrule->specified, snames[s], tnames[t], avrule->object_name, avrule->perms); + rc = avrule_to_cil(indent, pdb, avrule->specified, snames[s], tnames[t], avrule->perms); } if (rc != 0) { goto exit; @@ -1216,7 +1210,7 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a if (avrule->specified & AVRULE_XPERMS) { rc = avrulex_to_cil(indent, pdb, avrule->specified, snames[s], "self", avrule->perms, avrule->xperms); } else { - rc = avrule_to_cil(indent, pdb, avrule->specified, snames[s], "self", avrule->object_name, avrule->perms); + rc = avrule_to_cil(indent, pdb, avrule->specified, snames[s], "self", avrule->perms); } if (rc != 0) { goto exit; 
@@ -1582,6 +1576,60 @@ exit: return rc; } +static int filename_trans_to_cil(int indent, struct policydb *pdb, struct filename_trans_rule *rules, struct list *attr_list) +{ + int rc = -1; + char **stypes = NULL; + unsigned int num_stypes = 0; + unsigned int stype; + char **ttypes = NULL; + unsigned int num_ttypes = 0; + unsigned int ttype; + struct type_set *ts; + struct filename_trans_rule *rule; + + for (rule = rules; rule != NULL; rule = rule->next) { + ts = &rule->stypes; + rc = process_typeset(pdb, ts, attr_list, &stypes, &num_stypes); + if (rc != 0) { + goto exit; + } + + ts = &rule->ttypes; + rc = process_typeset(pdb, ts, attr_list, &ttypes, &num_ttypes); + if (rc != 0) { + goto exit; + } + + for (stype = 0; stype < num_stypes; stype++) { + for (ttype = 0; ttype < num_ttypes; ttype++) { + cil_println(indent, "(typetransition %s %s %s \"%s\" %s)", + stypes[stype], ttypes[ttype], + pdb->p_class_val_to_name[rule->tclass - 1], + rule->name, + pdb->p_type_val_to_name[rule->otype - 1]); + } + if (rule->flags & RULE_SELF) { + cil_println(indent, "(typetransition %s self %s \"%s\" %s)", + stypes[stype], + pdb->p_class_val_to_name[rule->tclass - 1], + rule->name, + pdb->p_type_val_to_name[rule->otype - 1]); + } + } + + names_destroy(&stypes, &num_stypes); + names_destroy(&ttypes, &num_ttypes); + } + + rc = 0; +exit: + names_destroy(&stypes, &num_stypes); + names_destroy(&ttypes, &num_ttypes); + + return rc; +} + struct class_perm_datum { char *name; uint32_t val; @@ -3635,6 +3683,11 @@ static int block_to_cil(struct policydb *pdb, struct avrule_block *block, struct goto exit; } + rc = filename_trans_to_cil(indent, pdb, decl->filename_trans_rules, type_attr_list); + if (rc != 0) { + goto exit; + } + rc = cond_list_to_cil(indent, pdb, decl->cond_list, type_attr_list); if (rc != 0) { goto exit; diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c index 4913ee21..c1ce9c34 100644 --- a/libsepol/src/policydb.c +++ b/libsepol/src/policydb.c 
@@ -638,7 +638,6 @@ void avrule_destroy(avrule_t * x) } free(x->xperms); - free(x->object_name); } void role_trans_rule_init(role_trans_rule_t * x) @@ -668,6 +667,33 @@ void role_trans_rule_list_destroy(role_trans_rule_t * x) } } +void filename_trans_rule_init(filename_trans_rule_t * x) +{ + memset(x, 0, sizeof(*x)); + type_set_init(&x->stypes); + type_set_init(&x->ttypes); +} + +static void filename_trans_rule_destroy(filename_trans_rule_t * x) +{ + if (!x) + return; + type_set_destroy(&x->stypes); + type_set_destroy(&x->ttypes); + free(x->name); +} + +void filename_trans_rule_list_destroy(filename_trans_rule_t * x) +{ + filename_trans_rule_t *next; + while (x) { + next = x->next; + filename_trans_rule_destroy(x); + free(x); + x = next; + } +} + void role_allow_rule_init(role_allow_rule_t * x) { memset(x, 0, sizeof(role_allow_rule_t)); @@ -3467,32 +3493,31 @@ static int role_allow_rule_read(role_allow_rule_t ** r, struct policy_file *fp) return 0; } -static int filename_trans_rule_read(policydb_t *p, avrule_t **r, +static int filename_trans_rule_read(policydb_t *p, filename_trans_rule_t **r, struct policy_file *fp) { uint32_t buf[3], nel, i, len; unsigned int entries; - avrule_t *cur; + filename_trans_rule_t *ftr, *lftr; int rc; rc = next_entry(buf, fp, sizeof(uint32_t)); if (rc < 0) return -1; nel = le32_to_cpu(buf[0]); + lftr = NULL; for (i = 0; i < nel; i++) { - cur = malloc(sizeof(avrule_t)); - if (!cur) + ftr = malloc(sizeof(*ftr)); + if (!ftr) return -1; - avrule_init(cur); - cur->next = *r; - *r = cur; + filename_trans_rule_init(ftr); - cur->specified = AVRULE_TRANSITION; - cur->perms = malloc(sizeof(class_perm_node_t)); - if (!cur->perms) - return -1; - class_perm_node_init(cur->perms); + if (lftr) + lftr->next = ftr; + else + *r = ftr; + lftr = ftr; rc = next_entry(buf, fp, sizeof(uint32_t)); if (rc < 0) 
@@ -3502,14 +3527,19 @@ static int filename_trans_rule_read(policydb_t *p, avrule_t **r, if (zero_or_saturated(len)) return -1; - rc = str_read(&cur->object_name, fp, len); + ftr->name = malloc(len + 1); + if (!ftr->name) + return -1; + + rc = next_entry(ftr->name, fp, len); if (rc) return -1; + ftr->name[len] = 0; - if (type_set_read(&cur->stypes, fp)) + if (type_set_read(&ftr->stypes, fp)) return -1; - if (type_set_read(&cur->ttypes, fp)) + if (type_set_read(&ftr->ttypes, fp)) return -1; if (p->policyvers >= MOD_POLICYDB_VERSION_SELF_TYPETRANS) @@ -3520,10 +3550,10 @@ static int filename_trans_rule_read(policydb_t *p, avrule_t **r, rc = next_entry(buf, fp, sizeof(uint32_t) * entries); if (rc < 0) return -1; - cur->perms->tclass = le32_to_cpu(buf[0]); - cur->perms->data = le32_to_cpu(buf[1]); + ftr->tclass = le32_to_cpu(buf[0]); + ftr->otype = le32_to_cpu(buf[1]); if (p->policyvers >= MOD_POLICYDB_VERSION_SELF_TYPETRANS) - cur->flags = le32_to_cpu(buf[2]); + ftr->flags = le32_to_cpu(buf[2]); } return 0; @@ -3626,7 +3656,7 @@ static int avrule_decl_read(policydb_t * p, avrule_decl_t * decl, } if (p->policyvers >= MOD_POLICYDB_VERSION_FILENAME_TRANS && - filename_trans_rule_read(p, &decl->avrules, fp)) + filename_trans_rule_read(p, &decl->filename_trans_rules, fp)) return -1; if (p->policyvers >= MOD_POLICYDB_VERSION_RANGETRANS && diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c index 0b8e8eee..89306185 100644 --- a/libsepol/src/policydb_validate.c +++ b/libsepol/src/policydb_validate.c 
@@ -1313,6 +1313,31 @@ bad: return -1; } + +static int validate_filename_trans_rules(sepol_handle_t *handle, const filename_trans_rule_t *filename_trans, const policydb_t *p, validate_t flavors[]) +{ + for (; filename_trans; filename_trans = filename_trans->next) { + if (validate_type_set(&filename_trans->stypes, &flavors[SYM_TYPES])) + goto bad; + if (validate_type_set(&filename_trans->ttypes, &flavors[SYM_TYPES])) + goto bad; + if (validate_value(filename_trans->tclass,&flavors[SYM_CLASSES] )) + goto bad; + if (validate_simpletype(filename_trans->otype, p, flavors)) + goto bad; + + /* currently only the RULE_SELF flag can be set */ + if ((filename_trans->flags & ~RULE_SELF) != 0) + goto bad; + } + + return 0; + +bad: + ERR(handle, "Invalid filename trans rule list"); + return -1; +} + static int validate_symtabs(sepol_handle_t *handle, const symtab_t symtabs[], validate_t flavors[]) { unsigned int i; @@ -1347,6 +1372,8 @@ static int validate_avrule_blocks(sepol_handle_t *handle, const avrule_block_t * goto bad; if (validate_scope_index(handle, &decl->declared, flavors)) goto bad; + if (validate_filename_trans_rules(handle, decl->filename_trans_rules, p, flavors)) + goto bad; if (validate_symtabs(handle, decl->symtab, flavors)) goto bad; } diff --git a/libsepol/src/write.c b/libsepol/src/write.c index 2035b350..c4d593ab 100644 --- a/libsepol/src/write.c +++ b/libsepol/src/write.c @@ -1970,10 +1970,6 @@ static int avrule_write(policydb_t *p, avrule_t * avrule, uint32_t buf[32], len; class_perm_node_t *cur; - /* skip filename transitions for now */ - if (avrule->specified & AVRULE_TRANSITION && avrule->object_name) - return POLICYDB_SUCCESS; - if (p->policyvers < MOD_POLICYDB_VERSION_SELF_TYPETRANS && (avrule->specified & AVRULE_TYPE) && (avrule->flags & RULE_SELF)) { 
@@ -2067,9 +2063,7 @@ static int avrule_write_list(policydb_t *p, avrule_t * avrules, avrule = avrules; len = 0; while (avrule) { - if (!(avrule->specified & AVRULE_TRANSITION && - avrule->object_name)) - len++; + len++; avrule = avrule->next; } 
@@ -2168,67 +2162,55 @@ static int role_allow_rule_write(role_allow_rule_t * r, struct policy_file *fp) return POLICYDB_SUCCESS; } -static int filename_trans_rule_write(policydb_t *p, avrule_t *rules, +static int filename_trans_rule_write(policydb_t *p, filename_trans_rule_t *t, struct policy_file *fp) { int nel = 0; size_t items, entries; uint32_t buf[3], len; - avrule_t *rule; - class_perm_node_t *perm; + filename_trans_rule_t *ftr; - for (rule = rules; rule; rule = rule->next) { - if (rule->specified & AVRULE_TRANSITION && rule->object_name) { - for (perm = rule->perms; perm; perm = perm->next) { - nel++; - } - } - } + for (ftr = t; ftr; ftr = ftr->next) + nel++; buf[0] = cpu_to_le32(nel); items = put_entry(buf, sizeof(uint32_t), 1, fp); if (items != 1) return POLICYDB_ERROR; - for (rule = rules; rule; rule = rule->next) { - if (!(rule->specified & AVRULE_TRANSITION && rule->object_name)) - continue; - len = strlen(rule->object_name); - for (perm = rule->perms; perm; perm = perm->next) { - buf[0] = cpu_to_le32(len); - items = put_entry(buf, sizeof(uint32_t), 1, fp); - if (items != 1) - return POLICYDB_ERROR; + for (ftr = t; ftr; ftr = ftr->next) { + len = strlen(ftr->name); + buf[0] = cpu_to_le32(len); + items = put_entry(buf, sizeof(uint32_t), 1, fp); + if (items != 1) + return POLICYDB_ERROR; - items = put_entry(rule->object_name, sizeof(char), len, - fp); - if (items != len) - return POLICYDB_ERROR; + items = put_entry(ftr->name, sizeof(char), len, fp); + if (items != len) + return POLICYDB_ERROR; - if (type_set_write(&rule->stypes, fp)) - return POLICYDB_ERROR; - if (type_set_write(&rule->ttypes, fp)) - return POLICYDB_ERROR; + if (type_set_write(&ftr->stypes, fp)) + return POLICYDB_ERROR; + if (type_set_write(&ftr->ttypes, fp)) + return POLICYDB_ERROR; - buf[0] = cpu_to_le32(perm->tclass); - buf[1] = cpu_to_le32(perm->data); - buf[2] = cpu_to_le32(rule->flags); - - if (p->policyvers >= - MOD_POLICYDB_VERSION_SELF_TYPETRANS) { - entries = 3; - } else if 
(!(rule->flags & RULE_SELF)) { - entries = 2; - } else { - ERR(fp->handle, - "Module contains a self rule not supported by the target module policy version"); - return POLICYDB_ERROR; - } + buf[0] = cpu_to_le32(ftr->tclass); + buf[1] = cpu_to_le32(ftr->otype); + buf[2] = cpu_to_le32(ftr->flags); - items = put_entry(buf, sizeof(uint32_t), entries, fp); - if (items != entries) - return POLICYDB_ERROR; + if (p->policyvers >= MOD_POLICYDB_VERSION_SELF_TYPETRANS) { + entries = 3; + } else if (!(ftr->flags & RULE_SELF)) { + entries = 2; + } else { + ERR(fp->handle, + "Module contains a self rule not supported by the target module policy version"); + return POLICYDB_ERROR; } + + items = put_entry(buf, sizeof(uint32_t), entries, fp); + if (items != entries) + return POLICYDB_ERROR; } return POLICYDB_SUCCESS; } 
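Review bot: in the checkpolicy/test/dispol.c hunk adding display_filename_trans, the header `fprintf(fp, "filename transition");` is printed once, outside the `for (; tr; tr = tr->next)` loop and without a trailing newline, so the first rule's source and target type sets are appended to the header text while every later rule starts flush-left on its own line. Either terminate the header with "\n" or move the fprintf inside the loop so each rule comes out as one `filename transition <stypes> <ttypes> <class>:<otype> <name>` line.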
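Review bot: in the libsepol/src/expand.c hunk adding expand_filename_trans, the error returns leak the per-rule bitmaps: `ebitmap_init(&stypes)` and `ebitmap_init(&ttypes)` run at the top of the while body, but the two `expand_convert_type_set` failure branches and the `if (rc) return rc;` inside the nested `ebitmap_for_each_positive_bit` loops return before the `ebitmap_destroy(&stypes); ebitmap_destroy(&ttypes);` pair at the bottom of the body. Suggest routing every failure through one cleanup label that destroys both bitmaps. Separately, expand_filename_trans_helper reports any `rc < 0` from avtab_insert_filename_trans as "Out of memory!", which hides other failure causes, and the hunk adds two consecutive blank lines ahead of the outer loop.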
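Review bot: in the libsepol/src/link.c hunk adding copy_filename_trans_list, the single `err:` label prints "Out of memory!" for every failure, including the `type_set_or_convert(&cur->stypes, ...) || type_set_or_convert(&cur->ttypes, ...)` branch, so a type-set conversion error is misreported. Note also that `new_rule` is linked into `*dst` (or `tail->next`) before `name`, the type sets, `tclass`, `otype` and `flags` are filled in; that ordering is what lets the caller's list destroy reclaim the rule on error, and a one-line comment saying so would keep the next reader from "fixing" it.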
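Review bot: in the libsepol/src/write.c hunk rewriting filename_trans_rule_write, the `MOD_POLICYDB_VERSION_SELF_TYPETRANS` / `RULE_SELF` check runs at the end of the per-rule loop, after the name length, the name and both type sets have already been written with put_entry and type_set_write, so the "Module contains a self rule not supported by the target module policy version" error leaves `nel` and a partial record in the output. Hoisting the check into the counting loop (`for (ftr = t; ftr; ftr = ftr->next) nel++;`) raises the error before the first byte is emitted.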
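Review bot: in the libsepol/src/policydb_validate.c hunk adding validate_filename_trans_rules, `validate_value(filename_trans->tclass,&flavors[SYM_CLASSES] )` is missing the space after the comma and carries a stray space before the closing parenthesis. The checks themselves cover stypes, ttypes, tclass, otype and the `flags & ~RULE_SELF` mask; `name` is not checked here, which relies on filename_trans_rule_read always allocating it (it does: `ftr->name = malloc(len + 1)` with `return -1` on failure), so a short comment stating that would help.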
@@ -2302,7 +2284,7 @@ static int avrule_decl_write(avrule_decl_t * decl, int num_scope_syms, } if (p->policyvers >= MOD_POLICYDB_VERSION_FILENAME_TRANS && - filename_trans_rule_write(p, decl->avrules, fp)) + filename_trans_rule_write(p, decl->filename_trans_rules, fp)) return POLICYDB_ERROR; if (p->policyvers >= MOD_POLICYDB_VERSION_RANGETRANS &&
From patchwork Wed Jul 26 14:25:48 2023 X-Patchwork-Submitter: James Carter X-Patchwork-Id: 13328167 X-Patchwork-Delegate: plautrba@redhat.com
From: James Carter To: selinux@vger.kernel.org Cc: juraj@jurajmarcin.com, James Carter Subject: [PATCH 7/8] Revert "checkpolicy,libsepol: move filename transitions to avtab" Date: Wed, 26 Jul 2023 10:25:48 -0400 Message-ID: <20230726142549.94685-8-jwcart2@gmail.com> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20230726142549.94685-1-jwcart2@gmail.com> References: <20230726142549.94685-1-jwcart2@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org This reverts commit e169fe26530ef2c6b3dd126788cc81676359a3b3. Signed-off-by: James Carter --- checkpolicy/checkmodule.c | 9 - checkpolicy/checkpolicy.c | 9 - checkpolicy/policy_define.c | 21 +- checkpolicy/test/dispol.c | 83 ++-- libsepol/cil/src/cil_binary.c | 27 +- libsepol/include/sepol/policydb/avtab.h | 9 - libsepol/include/sepol/policydb/hashtab.h | 8 - libsepol/include/sepol/policydb/policydb.h | 22 + libsepol/src/avtab.c | 199 --------- libsepol/src/conditional.c | 6 +- libsepol/src/expand.c | 27 +- libsepol/src/kernel_to_cil.c | 159 +++++-- libsepol/src/kernel_to_common.h | 9 - libsepol/src/kernel_to_conf.c | 155 +++++-- libsepol/src/optimize.c | 8 +- libsepol/src/policydb.c | 343 ++++++++++++++- libsepol/src/policydb_validate.c | 69 +-- libsepol/src/write.c | 463 ++++++--------------- 18 files changed, 822 insertions(+), 804 deletions(-) diff --git a/checkpolicy/checkmodule.c b/checkpolicy/checkmodule.c index d81d8c97..14e6c891 100644 --- a/checkpolicy/checkmodule.c +++ b/checkpolicy/checkmodule.c @@ -280,15 +280,6 @@ int main(int argc, char **argv) modpolicydb.mls = mlspol; modpolicydb.handle_unknown = handle_unknown; - /* - * Init and alloc te_avtab for filename transition duplicate - * checking - */ - if (avtab_init(&modpolicydb.te_avtab)) - exit(1); - if (avtab_alloc(&modpolicydb.te_avtab, 1 << 11)) - exit(1); - if (read_source_policy(&modpolicydb, file, argv[0]) == -1) { exit(1); } 
diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c index 83000bcb..623ba8b2 100644 --- a/checkpolicy/checkpolicy.c +++ b/checkpolicy/checkpolicy.c @@ -615,15 +615,6 @@ int main(int argc, char **argv) parse_policy.mls = mlspol; parse_policy.handle_unknown = handle_unknown; - /* - * Init and alloc te_avtab for filename transition duplicate - * checking - */ - if (avtab_init(&parse_policy.te_avtab)) - exit(1); - if (avtab_alloc(&parse_policy.te_avtab, 1 << 11)) - exit(1); - policydbp = &parse_policy; if (read_source_policy(policydbp, file, "checkpolicy") < 0) diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c index dc2ee8f3..cef8f3c4 100644 --- a/checkpolicy/policy_define.c +++ b/checkpolicy/policy_define.c @@ -3352,7 +3352,6 @@ int define_filename_trans(void) ebitmap_node_t *snode, *tnode, *cnode; filename_trans_rule_t *ftr; type_datum_t *typdatum; - avtab_key_t avt_key; uint32_t otype; unsigned int c, s, t; int add, self, rc; @@ -3444,13 +3443,9 @@ int define_filename_trans(void) ebitmap_for_each_positive_bit(&e_tclasses, cnode, c) { ebitmap_for_each_positive_bit(&e_stypes, snode, s) { ebitmap_for_each_positive_bit(&e_ttypes, tnode, t) { - avt_key.specified = AVTAB_TRANSITION; - avt_key.source_type = s + 1; - avt_key.target_type = t + 1; - avt_key.target_class = c + 1; - rc = avtab_insert_filename_trans( - &policydbp->te_avtab, &avt_key, otype, - name, NULL + rc = policydb_filetrans_insert( + policydbp, s+1, t+1, c+1, name, + NULL, otype, NULL ); if (rc != SEPOL_OK) { if (rc == SEPOL_EEXIST) { @@ -3466,13 +3461,9 @@ int define_filename_trans(void) } } if (self) { - avt_key.specified = AVTAB_TRANSITION; - avt_key.source_type = s + 1; - avt_key.target_type = t + 1; - avt_key.target_class = c + 1; - rc = avtab_insert_filename_trans( - &policydbp->te_avtab, &avt_key, otype, - name, NULL + rc = policydb_filetrans_insert( + policydbp, s+1, s+1, c+1, name, + NULL, otype, NULL ); if (rc != SEPOL_OK) { if (rc == SEPOL_EEXIST) { 
diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c index 861fa903..e45528b9 100644 --- a/checkpolicy/test/dispol.c +++ b/checkpolicy/test/dispol.c @@ -63,6 +63,7 @@ static struct command { {CMD, 'a', "display type attributes"}, {CMD, 'p', "display the list of permissive types"}, {CMD, 'u', "display unknown handling setting"}, + {CMD, 'F', "display filename_trans rules"}, {HEADER, 0, ""}, {CMD|NOOPT, 'f', "set output file"}, {CMD|NOOPT, 'm', "display menu"}, @@ -125,26 +126,6 @@ static int render_key(avtab_key_t * key, policydb_t * p, FILE * fp) return 0; } -typedef struct { - avtab_key_t *key; - policydb_t *p; - FILE *fp; -} render_name_trans_args_t; - -static int render_name_trans_helper(hashtab_key_t k, hashtab_datum_t d, void *a) -{ - char *name = k; - uint32_t *otype = d; - render_name_trans_args_t *args = a; - - fprintf(args->fp, "type_transition "); - render_key(args->key, args->p, args->fp); - render_type(*otype, args->p, args->fp); - fprintf(args->fp, " \"%s\";\n", name); - - return 0; -} - /* 'what' values for this function */ #define RENDER_UNCONDITIONAL 0x0001 /* render all regardless of enabled state */ #define RENDER_ENABLED 0x0002 @@ -197,19 +178,10 @@ static int render_av_rule(avtab_key_t * key, avtab_datum_t * datum, uint32_t wha } } else if (key->specified & AVTAB_TYPE) { if (key->specified & AVTAB_TRANSITION) { - if (datum->trans->otype) { - fprintf(fp, "type_transition "); - render_key(key, p, fp); - render_type(datum->trans->otype, p, fp); - fprintf(fp, ";\n"); - } - render_name_trans_args_t args = { - .key = key, - .p = p, - .fp = fp, - }; - hashtab_map(datum->trans->name_trans.table, - render_name_trans_helper, &args); + fprintf(fp, "type_transition "); + render_key(key, p, fp); + render_type(datum->trans->otype, p, fp); + fprintf(fp, ";\n"); } if (key->specified & AVTAB_MEMBER) { fprintf(fp, "type_member "); 
@@ -476,6 +448,48 @@ static void display_role_trans(policydb_t *p, FILE *fp) } } +struct filenametr_display_args { + policydb_t *p; + FILE *fp; +}; + +static int filenametr_display(hashtab_key_t key, + hashtab_datum_t datum, + void *ptr) +{ + struct filename_trans_key *ft = (struct filename_trans_key *)key; + struct filename_trans_datum *ftdatum = datum; + struct filenametr_display_args *args = ptr; + policydb_t *p = args->p; + FILE *fp = args->fp; + ebitmap_node_t *node; + uint32_t bit; + + do { + ebitmap_for_each_positive_bit(&ftdatum->stypes, node, bit) { + display_id(p, fp, SYM_TYPES, bit, ""); + display_id(p, fp, SYM_TYPES, ft->ttype - 1, ""); + display_id(p, fp, SYM_CLASSES, ft->tclass - 1, ":"); + display_id(p, fp, SYM_TYPES, ftdatum->otype - 1, ""); + fprintf(fp, " %s\n", ft->name); + } + ftdatum = ftdatum->next; + } while (ftdatum); + + return 0; +} + + +static void display_filename_trans(policydb_t *p, FILE *fp) +{ + struct filenametr_display_args args; + + fprintf(fp, "filename_trans rules:\n"); + args.p = p; + args.fp = fp; + hashtab_map(p->filename_trans, filenametr_display, &args); +} + static int menu(void) { unsigned int i; @@ -678,6 +692,9 @@ int main(int argc, char **argv) if (out_fp != stdout) printf("\nOutput to file: %s\n", OutfileName); break; + case 'F': + display_filename_trans(&policydb, out_fp); + break; case 'q': policydb_destroy(&policydb); exit(0); diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c index 7150d405..3f264594 100644 --- a/libsepol/cil/src/cil_binary.c +++ b/libsepol/cil/src/cil_binary.c 
@@ -1005,12 +1005,7 @@ static int __cil_insert_type_rule(policydb_t *pdb, uint32_t kind, uint32_t src, } existing = avtab_search_node(&pdb->te_avtab, &avtab_key); - /* - * There might be empty transition node containing filename transitions - * only. That is okay, we can merge them later. - */ - if (existing && !(existing->key.specified & AVTAB_TRANSITION && - !existing->datum.trans->otype)) { + if (existing) { /* Don't add duplicate type rule and warn if they conflict. * A warning should have been previously given if there is a * non-duplicate rule using the same key. @@ -1034,13 +1029,7 @@ static int __cil_insert_type_rule(policydb_t *pdb, uint32_t kind, uint32_t src, } if (!cond_node) { - /* If we have node from empty filename transition, use it */ - if (existing && existing->key.specified & AVTAB_TRANSITION && - !existing->datum.trans->otype) - existing->datum.trans->otype = avtab_datum.trans->otype; - else - rc = avtab_insert(&pdb->te_avtab, &avtab_key, - &avtab_datum); + rc = avtab_insert(&pdb->te_avtab, &avtab_key, &avtab_datum); } else { existing = avtab_search_node(&pdb->te_cond_avtab, &avtab_key); if (existing) { @@ -1200,18 +1189,16 @@ static int __cil_typetransition_to_avtab_helper(policydb_t *pdb, class_datum_t *sepol_obj = NULL; uint32_t otype; struct cil_list_item *c; - avtab_key_t avt_key; cil_list_for_each(c, class_list) { rc = __cil_get_sepol_class_datum(pdb, DATUM(c->data), &sepol_obj); if (rc != SEPOL_OK) return rc; - avt_key.specified = AVTAB_TRANSITION; - avt_key.source_type = sepol_src->s.value; - avt_key.target_type = sepol_tgt->s.value; - avt_key.target_class = sepol_obj->s.value; - rc = avtab_insert_filename_trans(&pdb->te_avtab, &avt_key, - sepol_result->s.value, name, &otype); + rc = policydb_filetrans_insert( + pdb, sepol_src->s.value, sepol_tgt->s.value, + sepol_obj->s.value, name, NULL, + sepol_result->s.value, &otype + ); if (rc != SEPOL_OK) { if (rc == SEPOL_EEXIST) { if (sepol_result->s.value!= otype) { 
diff --git a/libsepol/include/sepol/policydb/avtab.h b/libsepol/include/sepol/policydb/avtab.h index 5dc720cc..ca009c16 100644 --- a/libsepol/include/sepol/policydb/avtab.h +++ b/libsepol/include/sepol/policydb/avtab.h @@ -42,7 +42,6 @@ #include #include -#include #ifdef __cplusplus extern "C" { @@ -73,7 +72,6 @@ typedef struct avtab_key { typedef struct avtab_trans { uint32_t otype; /* resulting type of the new object */ - symtab_t name_trans; /* filename transitions */ } avtab_trans_t; typedef struct avtab_extended_perms { @@ -117,8 +115,6 @@ extern int avtab_insert(avtab_t * h, avtab_key_t * k, avtab_datum_t * d); extern avtab_datum_t *avtab_search(avtab_t * h, avtab_key_t * k); -extern void avtab_trans_destroy(avtab_trans_t *trans); - extern void avtab_destroy(avtab_t * h); extern int avtab_map(const avtab_t * h, @@ -152,11 +148,6 @@ extern avtab_ptr_t avtab_search_node_next(avtab_ptr_t node, int specified); /* avtab_alloc uses one bucket per 2-4 elements, so adjust to get maximum buckets */ #define MAX_AVTAB_SIZE (MAX_AVTAB_HASH_BUCKETS << 1) -extern int avtab_insert_filename_trans(avtab_t *a, avtab_key_t *key, - uint32_t otype, const char *name, - uint32_t *present_otype); -extern int avtab_filename_trans_read(void *fp, uint32_t vers, avtab_t *a); - #ifdef __cplusplus } #endif diff --git a/libsepol/include/sepol/policydb/hashtab.h b/libsepol/include/sepol/policydb/hashtab.h index 354ebb43..dca8c983 100644 --- a/libsepol/include/sepol/policydb/hashtab.h +++ b/libsepol/include/sepol/policydb/hashtab.h @@ -110,14 +110,6 @@ extern int hashtab_map(hashtab_t h, extern void hashtab_hash_eval(hashtab_t h, char *tag); -/* Returns number of elements in the hashtab h or 0 is h is NULL */ -static inline uint32_t hashtab_nel(hashtab_t h) -{ - if (!h) - return 0; - return h->nel; -} - #ifdef __cplusplus } #endif diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h index 8bb11d18..b014b7a8 100644 
--- a/libsepol/include/sepol/policydb/policydb.h +++ b/libsepol/include/sepol/policydb/policydb.h @@ -161,6 +161,19 @@ typedef struct role_allow { struct role_allow *next; } role_allow_t; +/* filename_trans rules */ +typedef struct filename_trans_key { + uint32_t ttype; + uint32_t tclass; + char *name; +} filename_trans_key_t; + +typedef struct filename_trans_datum { + ebitmap_t stypes; + uint32_t otype; + struct filename_trans_datum *next; +} filename_trans_datum_t; + /* Type attributes */ typedef struct type_datum { symtab_datum_t s; @@ -579,6 +592,10 @@ typedef struct policydb { /* range transitions table (range_trans_key -> mls_range) */ hashtab_t range_tr; + /* file transitions with the last path component */ + hashtab_t filename_trans; + uint32_t filename_trans_count; + ebitmap_t *type_attr_map; ebitmap_t *attr_type_map; /* not saved in the binary policy */ @@ -637,6 +654,11 @@ extern int policydb_load_isids(policydb_t * p, sidtab_t * s); extern int policydb_sort_ocontexts(policydb_t *p); +extern int policydb_filetrans_insert(policydb_t *p, uint32_t stype, + uint32_t ttype, uint32_t tclass, + const char *name, char **name_alloc, + uint32_t otype, uint32_t *present_otype); + /* Deprecated */ extern int policydb_context_isvalid(const policydb_t * p, const context_struct_t * c); diff --git a/libsepol/src/avtab.c b/libsepol/src/avtab.c index eef259cf..4c292e8b 100644 --- a/libsepol/src/avtab.c +++ b/libsepol/src/avtab.c @@ -315,20 +315,6 @@ avtab_ptr_t avtab_search_node_next(avtab_ptr_t node, int specified) return NULL; } -static int avtab_trans_destroy_helper(hashtab_key_t k, hashtab_datum_t d, - void *a __attribute__ ((unused))) -{ - free(k); - free(d); - return 0; -} - -void avtab_trans_destroy(avtab_trans_t *trans) -{ - hashtab_map(trans->name_trans.table, avtab_trans_destroy_helper, NULL); - symtab_destroy(&trans->name_trans); -} - void avtab_destroy(avtab_t * h) { unsigned int i; 
@@ -343,7 +329,6 @@ void avtab_destroy(avtab_t * h) if (cur->key.specified & AVTAB_XPERMS) { free(cur->datum.xperms); } else if (cur->key.specified & AVTAB_TRANSITION) { - avtab_trans_destroy(cur->datum.trans); free(cur->datum.trans); } temp = cur; 
@@ -675,187 +660,3 @@ int avtab_read(avtab_t * a, struct policy_file *fp, uint32_t vers) avtab_destroy(a); return -1; } - -/* policydb filename transition compatibility */ - -int avtab_insert_filename_trans(avtab_t *a, avtab_key_t *key, - uint32_t otype, const char *name, - uint32_t *present_otype) -{ - int rc = SEPOL_ENOMEM; - avtab_trans_t new_trans = {0}; - avtab_datum_t new_datum = {.trans = &new_trans}; - avtab_datum_t *datum; - avtab_ptr_t node; - char *name_key = NULL; - uint32_t *otype_datum = NULL; - - datum = avtab_search(a, key); - if (!datum) { - /* - * insert is actually unique, but with this function we can get - * the inserted node and therefore the datum - */ - node = avtab_insert_nonunique(a, key, &new_datum); - if (!node) - return SEPOL_ENOMEM; - datum = &node->datum; - } - - if (!datum->trans->name_trans.table) { - rc = symtab_init(&datum->trans->name_trans, 1 << 8); - if (rc < 0) - return rc; - } - - rc = SEPOL_ENOMEM; - name_key = strdup(name); - if (!name_key) - goto bad; - - rc = SEPOL_ENOMEM; - otype_datum = malloc(sizeof(*otype_datum)); - if (!otype_datum) - goto bad; - *otype_datum = otype; - - rc = hashtab_insert(datum->trans->name_trans.table, name_key, - otype_datum); - if (rc < 0) - goto bad; - - return SEPOL_OK; - -bad: - free(name_key); - free(otype_datum); - if (rc == SEPOL_EEXIST && present_otype) { - otype_datum = hashtab_search(datum->trans->name_trans.table, - name); - if (otype_datum) - *present_otype = *otype_datum; - } - return rc; -} - -static int filename_trans_read_one(avtab_t *a, void *fp) -{ - int rc; - uint32_t buf[4], len, otype; - char *name = NULL; - avtab_key_t key; - - /* read length of the name and the name */ - rc = next_entry(buf, fp, sizeof(uint32_t)); - if (rc < 0) - return SEPOL_ERR; - len = le32_to_cpu(*buf); - rc = str_read(&name, fp, len); - if (rc < 0) - return SEPOL_ERR; - - /* read stype, ttype, tclass and otype */ - rc = next_entry(buf, fp, sizeof(uint32_t) * 4); - if (rc < 0) - goto err; - - 
key.specified = AVTAB_TRANSITION; - key.source_type = le32_to_cpu(buf[0]); - key.target_type = le32_to_cpu(buf[1]); - key.target_class = le32_to_cpu(buf[2]); - otype = le32_to_cpu(buf[3]); - - rc = avtab_insert_filename_trans(a, &key, otype, name, NULL); - if (rc) - goto err; - - free(name); - return SEPOL_OK; -err: - free(name); - return SEPOL_ERR; -} - -static int filename_trans_comp_read_one(avtab_t *a, void *fp) -{ - int rc; - uint32_t buf[3], len, ndatum, i, bit, otype; - char *name = NULL; - avtab_key_t key; - ebitmap_t stypes; - ebitmap_node_t *node; - - /* read length of the name and the name */ - rc = next_entry(buf, fp, sizeof(uint32_t)); - if (rc < 0) - return SEPOL_ERR; - len = le32_to_cpu(*buf); - rc = str_read(&name, fp, len); - if (rc < 0) - return SEPOL_ERR; - - /* read ttype, tclass, ndatum */ - rc = next_entry(buf, fp, sizeof(uint32_t) * 3); - if (rc < 0) - goto err; - - key.specified = AVTAB_TRANSITION; - key.target_type = le32_to_cpu(buf[0]); - key.target_class = le32_to_cpu(buf[1]); - - ndatum = le32_to_cpu(buf[2]); - for (i = 0; i < ndatum; i++) { - rc = ebitmap_read(&stypes, fp); - if (rc < 0) - goto err; - - rc = next_entry(buf, fp, sizeof(uint32_t)); - if (rc < 0) - goto err_ebitmap; - otype = le32_to_cpu(*buf); - - ebitmap_for_each_positive_bit(&stypes, node, bit) { - key.source_type = bit + 1; - - rc = avtab_insert_filename_trans(a, &key, otype, name, - NULL); - if (rc < 0) - goto err_ebitmap; - } - } - - free(name); - return SEPOL_OK; - -err_ebitmap: - ebitmap_destroy(&stypes); -err: - free(name); - return rc; -} - -int avtab_filename_trans_read(void *fp, uint32_t vers, avtab_t *a) -{ - uint32_t buf[1], nel, i; - int rc; - - rc = next_entry(buf, fp, sizeof(uint32_t)); - if (rc < 0) - return rc; - nel = le32_to_cpu(*buf); - - if (vers < POLICYDB_VERSION_COMP_FTRANS) { - for (i = 0; i < nel; i++) { - rc = filename_trans_read_one(a, fp); - if (rc < 0) - return rc; - } - } else { - for (i = 0; i < nel; i++) { - rc = 
filename_trans_comp_read_one(a, fp); - if (rc < 0) - return rc; - } - } - return SEPOL_OK; -} diff --git a/libsepol/src/conditional.c b/libsepol/src/conditional.c index 7900e928..24380ea0 100644 --- a/libsepol/src/conditional.c +++ b/libsepol/src/conditional.c @@ -624,7 +624,6 @@ static int cond_insertf(avtab_t * a struct policydb *p = data->p; cond_av_list_t *other = data->other, *list, *cur; avtab_ptr_t node_ptr; - avtab_datum_t *existing; uint8_t found; /* @@ -633,10 +632,7 @@ static int cond_insertf(avtab_t * a * cond_te_avtab. */ if (k->specified & AVTAB_TYPE) { - existing = avtab_search(&p->te_avtab, k); - /* empty transition rule is not a conflict */ - if (existing && !(k->specified & AVTAB_TRANSITION - && !existing->trans->otype)) { + if (avtab_search(&p->te_avtab, k)) { WARN(NULL, "security: type rule already exists outside of a conditional."); return -1; } diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c index 878b0f21..6793a27d 100644 --- a/libsepol/src/expand.c +++ b/libsepol/src/expand.c @@ -1413,17 +1413,14 @@ static int expand_filename_trans_helper(expand_state_t *state, { uint32_t mapped_otype, present_otype; int rc; - avtab_key_t avt_key; mapped_otype = state->typemap[rule->otype - 1]; - avt_key.specified = AVTAB_TRANSITION; - avt_key.source_type = s + 1; - avt_key.target_type = t + 1; - avt_key.target_class = rule->tclass; - - rc = avtab_insert_filename_trans(&state->out->te_avtab, &avt_key, - mapped_otype, rule->name, &present_otype); + rc = policydb_filetrans_insert( + state->out, s + 1, t + 1, + rule->tclass, rule->name, + NULL, mapped_otype, &present_otype + ); if (rc == SEPOL_EEXIST) { /* duplicate rule, ignore */ if (present_otype == mapped_otype) 
@@ -1737,16 +1734,6 @@ static int expand_terule_helper(sepol_handle_t * handle, * either in the global scope or in another * conditional AV tab */ node = avtab_search_node(&p->te_avtab, &avkey); - - /* - * if node does not already contain transition, it is not a - * conflict and transition otype will be set to node found by - * find_avtab_node() - */ - if (specified & AVRULE_TRANSITION && node && - !node->datum.trans->otype) - node = NULL; - if (node) { conflict = 1; } else { @@ -1754,10 +1741,6 @@ static int expand_terule_helper(sepol_handle_t * handle, if (node && node->parse_context != other) { conflict = 2; } - /* - * conditional avtab does not contain filename - * transitions, no need to check for otype == 0 - */ } if (conflict) { diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c index 8ed695f1..316679cc 100644 --- a/libsepol/src/kernel_to_cil.c +++ b/libsepol/src/kernel_to_cil.c @@ -1700,24 +1700,14 @@ static char *xperms_to_str(avtab_extended_perms_t *xperms) return xpermsbuf; } -static int name_trans_to_strs_helper(hashtab_key_t k, hashtab_datum_t d, void *a) +static char *avtab_node_to_str(struct policydb *pdb, avtab_key_t *key, avtab_datum_t *datum) { - char *name = k; - uint32_t *otype = d; - name_trans_to_strs_args_t *args = a; - return strs_create_and_add(args->strs, "(%s %s %s %s \"%s\" %s)", 6, - args->flavor, args->src, args->tgt, - args->class, name, - args->pdb->p_type_val_to_name[*otype - 1]); -} - -static int avtab_node_to_strs(struct policydb *pdb, avtab_key_t *key, avtab_datum_t *datum, struct strs *strs) -{ - int rc = SEPOL_OK; - uint32_t data = datum->data; + uint32_t data = key->specified & AVTAB_TRANSITION + ? datum->trans->otype : datum->data; type_datum_t *type; const char *flavor, *tgt; char *src, *class, *perms, *new; + char *rule = NULL; switch (0xFFF & key->specified) { case AVTAB_ALLOWED: 
@@ -1750,7 +1740,7 @@ static int avtab_node_to_strs(struct policydb *pdb, avtab_key_t *key, avtab_datu break; default: ERR(NULL, "Unknown avtab type: %i", key->specified); - return SEPOL_ERR; + goto exit; } src = pdb->p_type_val_to_name[key->source_type - 1]; @@ -1767,44 +1757,33 @@ static int avtab_node_to_strs(struct policydb *pdb, avtab_key_t *key, avtab_datu perms = sepol_av_to_string(pdb, key->target_class, data); if (perms == NULL) { ERR(NULL, "Failed to generate permission string"); - return SEPOL_ERR; + goto exit; } - rc = strs_create_and_add(strs, "(%s %s %s (%s (%s)))", 5, - flavor, src, tgt, class, perms + 1); + rule = create_str("(%s %s %s (%s (%s)))", 5, + flavor, src, tgt, class, perms+1); } else if (key->specified & AVTAB_XPERMS) { perms = xperms_to_str(datum->xperms); if (perms == NULL) { ERR(NULL, "Failed to generate extended permission string"); - return SEPOL_ERR; + goto exit; } - rc = strs_create_and_add(strs, "(%s %s %s (%s %s (%s)))", 6, - flavor, src, tgt, "ioctl", class, perms); - } else if (key->specified & AVTAB_TRANSITION) { - if (datum->trans->otype) { - rc = strs_create_and_add(strs, "(%s %s %s %s %s)", 5, - flavor, src, tgt, class, - pdb->p_type_val_to_name[datum->trans->otype - 1]); - if (rc < 0) - return rc; - } - name_trans_to_strs_args_t args = { - .pdb = pdb, - .strs = strs, - .flavor = flavor, - .src = src, - .tgt = tgt, - .class = class, - }; - rc = hashtab_map(datum->trans->name_trans.table, - name_trans_to_strs_helper, &args); + rule = create_str("(%s %s %s (%s %s (%s)))", 6, + flavor, src, tgt, "ioctl", class, perms); } else { new = pdb->p_type_val_to_name[data - 1]; - rc = strs_create_and_add(strs, "(%s %s %s %s %s)", 5, flavor, src, tgt, class, new); + rule = create_str("(%s %s %s %s %s)", 5, flavor, src, tgt, class, new); } - return rc; + if (!rule) { + goto exit; + } + + return rule; + +exit: + return NULL; } struct map_avtab_args { 
@@ -1819,12 +1798,23 @@ static int map_avtab_write_helper(avtab_key_t *key, avtab_datum_t *datum, void * uint32_t flavor = map_args->flavor; struct policydb *pdb = map_args->pdb; struct strs *strs = map_args->strs; + char *rule; int rc = 0; if (key->specified & flavor) { - rc = avtab_node_to_strs(pdb, key, datum, strs); + rule = avtab_node_to_str(pdb, key, datum); + if (!rule) { + rc = -1; + goto exit; + } + rc = strs_add(strs, rule); + if (rc != 0) { + free(rule); + goto exit; + } } +exit: return rc; } 
@@ -1878,6 +1868,77 @@ exit: return rc; } +struct map_filename_trans_args { + struct policydb *pdb; + struct strs *strs; +}; + +static int map_filename_trans_to_str(hashtab_key_t key, void *data, void *arg) +{ + filename_trans_key_t *ft = (filename_trans_key_t *)key; + filename_trans_datum_t *datum = data; + struct map_filename_trans_args *map_args = arg; + struct policydb *pdb = map_args->pdb; + struct strs *strs = map_args->strs; + char *src, *tgt, *class, *filename, *new; + struct ebitmap_node *node; + uint32_t bit; + int rc; + + tgt = pdb->p_type_val_to_name[ft->ttype - 1]; + class = pdb->p_class_val_to_name[ft->tclass - 1]; + filename = ft->name; + do { + new = pdb->p_type_val_to_name[datum->otype - 1]; + + ebitmap_for_each_positive_bit(&datum->stypes, node, bit) { + src = pdb->p_type_val_to_name[bit]; + rc = strs_create_and_add(strs, + "(typetransition %s %s %s \"%s\" %s)", + 5, src, tgt, class, filename, new); + if (rc) + return rc; + } + + datum = datum->next; + } while (datum); + + return 0; +} + +static int write_filename_trans_rules_to_cil(FILE *out, struct policydb *pdb) +{ + struct map_filename_trans_args args; + struct strs *strs; + int rc = 0; + + rc = strs_init(&strs, 100); + if (rc != 0) { + goto exit; + } + + args.pdb = pdb; + args.strs = strs; + + rc = hashtab_map(pdb->filename_trans, map_filename_trans_to_str, &args); + if (rc != 0) { + goto exit; + } + + strs_sort(strs); + strs_write_each(strs, out); + +exit: + strs_free_all(strs); + strs_destroy(&strs); + + if (rc != 0) { + ERR(NULL, "Error writing filename typetransition rules to CIL"); + } + + return rc; +} + static char *level_to_str(struct policydb *pdb, struct mls_level *level) { ebitmap_t *cats = &level->cat; @@ -1997,6 +2058,7 @@ static int write_cond_av_list_to_cil(FILE *out, struct policydb *pdb, cond_av_li avtab_key_t *key; avtab_datum_t *datum; struct strs *strs; + char *rule; unsigned i; int rc; 
@@ -2012,8 +2074,14 @@ static int write_cond_av_list_to_cil(FILE *out, struct policydb *pdb, cond_av_li key = &node->key; datum = &node->datum; if (key->specified & flavor) { - rc = avtab_node_to_strs(pdb, key, datum, strs); + rule = avtab_node_to_str(pdb, key, datum); + if (!rule) { + rc = -1; + goto exit; + } + rc = strs_add(strs, rule); if (rc != 0) { + free(rule); goto exit; } } @@ -3261,6 +3329,11 @@ int sepol_kernel_policydb_to_cil(FILE *out, struct policydb *pdb) goto exit; } + rc = write_filename_trans_rules_to_cil(out, pdb); + if (rc != 0) { + goto exit; + } + if (pdb->mls) { rc = write_range_trans_rules_to_cil(out, pdb); if (rc != 0) { diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h index b8ea237d..9e567eb8 100644 --- a/libsepol/src/kernel_to_common.h +++ b/libsepol/src/kernel_to_common.h @@ -83,15 +83,6 @@ struct strs { size_t size; }; -typedef struct { - policydb_t *pdb; - struct strs *strs; - const char *flavor; - const char *src; - const char *tgt; - const char *class; -} name_trans_to_strs_args_t; - void sepol_indent(FILE *out, int indent); __attribute__ ((format(printf, 2, 3))) void sepol_printf(FILE *out, const char *fmt, ...); diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c index eb14ccf1..aa161b08 100644 --- a/libsepol/src/kernel_to_conf.c +++ b/libsepol/src/kernel_to_conf.c 
@@ -1678,24 +1678,13 @@ exit: return rc; } -static int name_trans_to_strs_helper(hashtab_key_t k, hashtab_datum_t d, void *a) +static char *avtab_node_to_str(struct policydb *pdb, avtab_key_t *key, avtab_datum_t *datum) { - char *name = k; - uint32_t *otype = d; - name_trans_to_strs_args_t *args = a; - return strs_create_and_add(args->strs, "%s %s %s:%s %s \"%s\";", 6, - args->flavor, args->src, args->tgt, - args->class, - args->pdb->p_type_val_to_name[*otype - 1], - name); -} - -static int avtab_node_to_strs(struct policydb *pdb, avtab_key_t *key, avtab_datum_t *datum, struct strs *strs) -{ - int rc = SEPOL_OK; - uint32_t data = datum->data; + uint32_t data = key->specified & AVTAB_TRANSITION + ? datum->trans->otype : datum->data; type_datum_t *type; const char *flavor, *src, *tgt, *class, *perms, *new; + char *rule = NULL; switch (0xFFF & key->specified) { case AVTAB_ALLOWED: @@ -1728,7 +1717,7 @@ static int avtab_node_to_strs(struct policydb *pdb, avtab_key_t *key, avtab_datu break; default: ERR(NULL, "Unknown avtab type: %i", key->specified); - return SEPOL_ERR; + goto exit; } src = pdb->p_type_val_to_name[key->source_type - 1]; 
@@ -1745,42 +1734,32 @@ static int avtab_node_to_strs(struct policydb *pdb, avtab_key_t *key, avtab_datu perms = sepol_av_to_string(pdb, key->target_class, data); if (perms == NULL) { ERR(NULL, "Failed to generate permission string"); - return SEPOL_ERR; + goto exit; } - rc = strs_create_and_add(strs, "%s %s %s:%s { %s };", 5, - flavor, src, tgt, class, perms + 1); + rule = create_str("%s %s %s:%s { %s };", 5, + flavor, src, tgt, class, perms+1); } else if (key->specified & AVTAB_XPERMS) { perms = sepol_extended_perms_to_string(datum->xperms); if (perms == NULL) { ERR(NULL, "Failed to generate extended permission string"); - return SEPOL_ERR; - } - rc = strs_create_and_add(strs, "%s %s %s:%s %s;", 5, flavor, src, tgt, class, perms); - } else if (key->specified & AVTAB_TRANSITION) { - if (datum->trans->otype) { - rc = strs_create_and_add(strs, "%s %s %s:%s %s;", 5, - flavor, src, tgt, class, - pdb->p_type_val_to_name[datum->trans->otype - 1]); - if (rc < 0) - return rc; + goto exit; } - name_trans_to_strs_args_t args = { - .pdb = pdb, - .strs = strs, - .flavor = flavor, - .src = src, - .tgt = tgt, - .class = class, - }; - rc = hashtab_map(datum->trans->name_trans.table, - name_trans_to_strs_helper, &args); + + rule = create_str("%s %s %s:%s %s;", 5, flavor, src, tgt, class, perms); } else { new = pdb->p_type_val_to_name[data - 1]; - rc = strs_create_and_add(strs, "%s %s %s:%s %s;", 5, flavor, src, tgt, class, new); + rule = create_str("%s %s %s:%s %s;", 5, flavor, src, tgt, class, new); } - return rc; + if (!rule) { + goto exit; + } + + return rule; + +exit: + return NULL; } struct map_avtab_args { 
@@ -1795,12 +1774,23 @@ static int map_avtab_write_helper(avtab_key_t *key, avtab_datum_t *datum, void * uint32_t flavor = map_args->flavor; struct policydb *pdb = map_args->pdb; struct strs *strs = map_args->strs; + char *rule; int rc = 0; if (key->specified & flavor) { - rc = avtab_node_to_strs(pdb, key, datum, strs); + rule = avtab_node_to_str(pdb, key, datum); + if (!rule) { + rc = -1; + goto exit; + } + rc = strs_add(strs, rule); + if (rc != 0) { + free(rule); + goto exit; + } } +exit: return rc; } 
@@ -1854,6 +1844,77 @@ exit: return rc; } +struct map_filename_trans_args { + struct policydb *pdb; + struct strs *strs; +}; + +static int map_filename_trans_to_str(hashtab_key_t key, void *data, void *arg) +{ + filename_trans_key_t *ft = (filename_trans_key_t *)key; + filename_trans_datum_t *datum = data; + struct map_filename_trans_args *map_args = arg; + struct policydb *pdb = map_args->pdb; + struct strs *strs = map_args->strs; + char *src, *tgt, *class, *filename, *new; + struct ebitmap_node *node; + uint32_t bit; + int rc; + + tgt = pdb->p_type_val_to_name[ft->ttype - 1]; + class = pdb->p_class_val_to_name[ft->tclass - 1]; + filename = ft->name; + do { + new = pdb->p_type_val_to_name[datum->otype - 1]; + + ebitmap_for_each_positive_bit(&datum->stypes, node, bit) { + src = pdb->p_type_val_to_name[bit]; + rc = strs_create_and_add(strs, + "type_transition %s %s:%s %s \"%s\";", + 5, src, tgt, class, new, filename); + if (rc) + return rc; + } + + datum = datum->next; + } while (datum); + + return 0; +} + +static int write_filename_trans_rules_to_conf(FILE *out, struct policydb *pdb) +{ + struct map_filename_trans_args args; + struct strs *strs; + int rc = 0; + + rc = strs_init(&strs, 100); + if (rc != 0) { + goto exit; + } + + args.pdb = pdb; + args.strs = strs; + + rc = hashtab_map(pdb->filename_trans, map_filename_trans_to_str, &args); + if (rc != 0) { + goto exit; + } + + strs_sort(strs); + strs_write_each(strs, out); + +exit: + strs_free_all(strs); + strs_destroy(&strs); + + if (rc != 0) { + ERR(NULL, "Error writing filename typetransition rules to policy.conf"); + } + + return rc; +} + static char *level_to_str(struct policydb *pdb, struct mls_level *level) { ebitmap_t *cats = &level->cat; @@ -1973,6 +2034,7 @@ static int write_cond_av_list_to_conf(FILE *out, struct policydb *pdb, cond_av_l avtab_key_t *key; avtab_datum_t *datum; struct strs *strs; + char *rule; unsigned i; int rc; 
@@ -1988,8 +2050,14 @@ static int write_cond_av_list_to_conf(FILE *out, struct policydb *pdb, cond_av_l key = &node->key; datum = &node->datum; if (key->specified & flavor) { - rc = avtab_node_to_strs(pdb, key, datum, strs); + rule = avtab_node_to_str(pdb, key, datum); + if (!rule) { + rc = -1; + goto exit; + } + rc = strs_add(strs, rule); if (rc != 0) { + free(rule); goto exit; } } @@ -3135,6 +3203,7 @@ int sepol_kernel_policydb_to_conf(FILE *out, struct policydb *pdb) if (rc != 0) { goto exit; } + write_filename_trans_rules_to_conf(out, pdb); if (pdb->mls) { rc = write_range_trans_rules_to_conf(out, pdb); diff --git a/libsepol/src/optimize.c b/libsepol/src/optimize.c index 7948d983..2d4a2d7a 100644 --- a/libsepol/src/optimize.c +++ b/libsepol/src/optimize.c @@ -308,10 +308,8 @@ static void optimize_avtab(policydb_t *p, const struct type_vec *type_map) *cur = tmp->next; if (tmp->key.specified & AVTAB_XPERMS) free(tmp->datum.xperms); - if (tmp->key.specified & AVTAB_TRANSITION) { - avtab_trans_destroy(tmp->datum.trans); + if (tmp->key.specified & AVTAB_TRANSITION) free(tmp->datum.trans); - } free(tmp); tab->nel--; @@ -431,10 +429,8 @@ static void optimize_cond_avtab(policydb_t *p, const struct type_vec *type_map) *cur = tmp->next; if (tmp->key.specified & AVTAB_XPERMS) free(tmp->datum.xperms); - if (tmp->key.specified & AVTAB_TRANSITION) { - avtab_trans_destroy(tmp->datum.trans); + if (tmp->key.specified & AVTAB_TRANSITION) free(tmp->datum.trans); - } free(tmp); tab->nel--; diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c index c1ce9c34..605d290a 100644 --- a/libsepol/src/policydb.c +++ b/libsepol/src/policydb.c 
@@ -801,6 +801,47 @@ static int roles_init(policydb_t * p) goto out; } +ignore_unsigned_overflow_ +static inline unsigned long +partial_name_hash(unsigned long c, unsigned long prevhash) +{ + return (prevhash + (c << 4) + (c >> 4)) * 11; +} + +static unsigned int filenametr_hash(hashtab_t h, const_hashtab_key_t k) +{ + const filename_trans_key_t *ft = (const filename_trans_key_t *)k; + unsigned long hash; + unsigned int byte_num; + unsigned char focus; + + hash = ft->ttype ^ ft->tclass; + + byte_num = 0; + while ((focus = ft->name[byte_num++])) + hash = partial_name_hash(focus, hash); + return hash & (h->size - 1); +} + +static int filenametr_cmp(hashtab_t h __attribute__ ((unused)), + const_hashtab_key_t k1, const_hashtab_key_t k2) +{ + const filename_trans_key_t *ft1 = (const filename_trans_key_t *)k1; + const filename_trans_key_t *ft2 = (const filename_trans_key_t *)k2; + int v; + + v = spaceship_cmp(ft1->ttype, ft2->ttype); + if (v) + return v; + + v = spaceship_cmp(ft1->tclass, ft2->tclass); + if (v) + return v; + + return strcmp(ft1->name, ft2->name); + +} + static unsigned int rangetr_hash(hashtab_t h, const_hashtab_key_t k) { const struct range_trans *key = (const struct range_trans *)k; @@ -868,6 +909,12 @@ int policydb_init(policydb_t * p) if (rc) goto err; + p->filename_trans = hashtab_create(filenametr_hash, filenametr_cmp, (1 << 10)); + if (!p->filename_trans) { + rc = -ENOMEM; + goto err; + } + p->range_tr = hashtab_create(rangetr_hash, rangetr_cmp, 256); if (!p->range_tr) { rc = -ENOMEM; @@ -879,6 +926,7 @@ int policydb_init(policydb_t * p) return 0; err: + hashtab_destroy(p->filename_trans); hashtab_destroy(p->range_tr); for (i = 0; i < SYM_NUM; i++) { hashtab_destroy(p->symtab[i].table); 
@@ -1364,6 +1412,23 @@ static int (*destroy_f[SYM_NUM]) (hashtab_key_t key, hashtab_datum_t datum, common_destroy, class_destroy, role_destroy, type_destroy, user_destroy, cond_destroy_bool, sens_destroy, cat_destroy,}; +static int filenametr_destroy(hashtab_key_t key, hashtab_datum_t datum, + void *p __attribute__ ((unused))) +{ + filename_trans_key_t *ft = (filename_trans_key_t *)key; + filename_trans_datum_t *fd = datum, *next; + + free(ft->name); + free(key); + do { + next = fd->next; + ebitmap_destroy(&fd->stypes); + free(fd); + fd = next; + } while (fd); + return 0; +} + static int range_tr_destroy(hashtab_key_t key, hashtab_datum_t datum, void *p __attribute__ ((unused))) { @@ -1499,6 +1564,9 @@ void policydb_destroy(policydb_t * p) if (lra) free(lra); + hashtab_map(p->filename_trans, filenametr_destroy, NULL); + hashtab_destroy(p->filename_trans); + hashtab_map(p->range_tr, range_tr_destroy, NULL); hashtab_destroy(p->range_tr); 
@@ -2528,6 +2596,279 @@ static int role_allow_read(role_allow_t ** r, struct policy_file *fp) return 0; } +int policydb_filetrans_insert(policydb_t *p, uint32_t stype, uint32_t ttype, + uint32_t tclass, const char *name, + char **name_alloc, uint32_t otype, + uint32_t *present_otype) +{ + filename_trans_key_t *ft, key; + filename_trans_datum_t *datum, *last; + + key.ttype = ttype; + key.tclass = tclass; + key.name = (char *)name; + + last = NULL; + datum = hashtab_search(p->filename_trans, (hashtab_key_t)&key); + while (datum) { + if (ebitmap_get_bit(&datum->stypes, stype - 1)) { + if (present_otype) + *present_otype = datum->otype; + return SEPOL_EEXIST; + } + if (datum->otype == otype) + break; + last = datum; + datum = datum->next; + } + if (!datum) { + datum = malloc(sizeof(*datum)); + if (!datum) + return SEPOL_ENOMEM; + + ebitmap_init(&datum->stypes); + datum->otype = otype; + datum->next = NULL; + + if (last) { + last->next = datum; + } else { + char *name_dup; + + if (name_alloc) { + name_dup = *name_alloc; + *name_alloc = NULL; + } else { + name_dup = strdup(name); + if (!name_dup) { + free(datum); + return SEPOL_ENOMEM; + } + } + + ft = malloc(sizeof(*ft)); + if (!ft) { + free(name_dup); + free(datum); + return SEPOL_ENOMEM; + } + + ft->ttype = ttype; + ft->tclass = tclass; + ft->name = name_dup; + + if (hashtab_insert(p->filename_trans, (hashtab_key_t)ft, + (hashtab_datum_t)datum)) { + free(name_dup); + free(datum); + free(ft); + return SEPOL_ENOMEM; + } + } + } + + p->filename_trans_count++; + return ebitmap_set_bit(&datum->stypes, stype - 1, 1); +} + +static int filename_trans_read_one_compat(policydb_t *p, struct policy_file *fp) +{ + uint32_t buf[4], len, stype, ttype, tclass, otype; + char *name = NULL; + int rc; + + rc = next_entry(buf, fp, sizeof(uint32_t)); + if (rc < 0) + return -1; + len = le32_to_cpu(buf[0]); + if (zero_or_saturated(len)) + return -1; + + name = calloc(len + 1, sizeof(*name)); + if (!name) + return -1; + + rc = 
next_entry(name, fp, len); + if (rc < 0) + goto err; + + rc = next_entry(buf, fp, sizeof(uint32_t) * 4); + if (rc < 0) + goto err; + + stype = le32_to_cpu(buf[0]); + if (stype == 0) + goto err; + + ttype = le32_to_cpu(buf[1]); + tclass = le32_to_cpu(buf[2]); + otype = le32_to_cpu(buf[3]); + + rc = policydb_filetrans_insert(p, stype, ttype, tclass, name, &name, + otype, NULL); + if (rc) { + if (rc != SEPOL_EEXIST) + goto err; + /* + * Some old policies were wrongly generated with + * duplicate filename transition rules. For backward + * compatibility, do not reject such policies, just + * ignore the duplicate. + */ + } + free(name); + return 0; +err: + free(name); + return -1; +} + +static int filename_trans_check_datum(filename_trans_datum_t *datum) +{ + ebitmap_t stypes, otypes; + int rc = -1; + + ebitmap_init(&stypes); + ebitmap_init(&otypes); + + while (datum) { + if (ebitmap_get_bit(&otypes, datum->otype)) + goto out; + + if (ebitmap_set_bit(&otypes, datum->otype, 1)) + goto out; + + if (ebitmap_match_any(&stypes, &datum->stypes)) + goto out; + + if (ebitmap_union(&stypes, &datum->stypes)) + goto out; + + datum = datum->next; + } + rc = 0; +out: + ebitmap_destroy(&stypes); + ebitmap_destroy(&otypes); + return rc; +} + +static int filename_trans_read_one(policydb_t *p, struct policy_file *fp) +{ + filename_trans_key_t *ft = NULL; + filename_trans_datum_t **dst, *datum, *first = NULL; + unsigned int i; + uint32_t buf[3], len, ttype, tclass, ndatum; + char *name = NULL; + int rc; + + rc = next_entry(buf, fp, sizeof(uint32_t)); + if (rc < 0) + return -1; + len = le32_to_cpu(buf[0]); + if (zero_or_saturated(len)) + return -1; + + name = calloc(len + 1, sizeof(*name)); + if (!name) + return -1; + + rc = next_entry(name, fp, len); + if (rc < 0) + goto err; + + rc = next_entry(buf, fp, sizeof(uint32_t) * 3); + if (rc < 0) + goto err; + + ttype = le32_to_cpu(buf[0]); + tclass = le32_to_cpu(buf[1]); + ndatum = le32_to_cpu(buf[2]); + if (ndatum == 0) + goto err; + + dst = 
&first; + for (i = 0; i < ndatum; i++) { + datum = malloc(sizeof(*datum)); + if (!datum) + goto err; + + datum->next = NULL; + *dst = datum; + + /* ebitmap_read() will at least init the bitmap */ + rc = ebitmap_read(&datum->stypes, fp); + if (rc < 0) + goto err; + + rc = next_entry(buf, fp, sizeof(uint32_t)); + if (rc < 0) + goto err; + + datum->otype = le32_to_cpu(buf[0]); + + p->filename_trans_count += ebitmap_cardinality(&datum->stypes); + + dst = &datum->next; + } + + if (ndatum > 1 && filename_trans_check_datum(first)) + goto err; + + ft = malloc(sizeof(*ft)); + if (!ft) + goto err; + + ft->ttype = ttype; + ft->tclass = tclass; + ft->name = name; + + rc = hashtab_insert(p->filename_trans, (hashtab_key_t)ft, + (hashtab_datum_t)first); + if (rc) + goto err; + + return 0; +err: + free(ft); + free(name); + while (first) { + datum = first; + first = first->next; + + ebitmap_destroy(&datum->stypes); + free(datum); + } + return -1; +} + +static int filename_trans_read(policydb_t *p, struct policy_file *fp) +{ + unsigned int i; + uint32_t buf[1], nel; + int rc; + + rc = next_entry(buf, fp, sizeof(uint32_t)); + if (rc < 0) + return -1; + nel = le32_to_cpu(buf[0]); + + if (p->policyvers < POLICYDB_VERSION_COMP_FTRANS) { + for (i = 0; i < nel; i++) { + rc = filename_trans_read_one_compat(p, fp); + if (rc < 0) + return -1; + } + } else { + for (i = 0; i < nel; i++) { + rc = filename_trans_read_one(p, fp); + if (rc < 0) + return -1; + } + } + return 0; +} + static int ocontext_read_xen(const struct policydb_compat_info *info, policydb_t *p, struct policy_file *fp) { @@ -4129,7 +4470,7 @@ int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose) if (role_allow_read(&p->role_allow, fp)) goto bad; if (r_policyvers >= POLICYDB_VERSION_FILENAME_TRANS && - avtab_filename_trans_read(fp, r_policyvers, &p->te_avtab)) + filename_trans_read(p, fp)) goto bad; } else { /* first read the AV rule blocks, then the scope tables */ 
diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c index 89306185..f402b506 100644 --- a/libsepol/src/policydb_validate.c +++ b/libsepol/src/policydb_validate.c @@ -829,18 +829,6 @@ static int validate_xperms(const avtab_extended_perms_t *xperms) bad: return -1; } - -static int validate_name_trans_helper(hashtab_key_t k __attribute__ ((unused)), - hashtab_datum_t d, void *a) -{ - uint32_t *otype = d; - map_arg_t *margs = a; - - if (validate_simpletype(*otype, margs->policy, margs->flavors)) - return -1; - return 0; -} - static int validate_avtab_key_and_datum(avtab_key_t *k, avtab_datum_t *d, void *args) { map_arg_t *margs = args; @@ -848,23 +836,10 @@ static int validate_avtab_key_and_datum(avtab_key_t *k, avtab_datum_t *d, void * if (validate_avtab_key(k, 0, margs->policy, margs->flavors)) return -1; - if (k->specified & AVTAB_TRANSITION) { - /* if otype is set (non-zero), it must by a valid simple type */ - if (d->trans->otype && validate_simpletype(d->trans->otype, margs->policy, margs->flavors)) - return -1; - - /* also each transition must be non empty */ - if (!d->trans->otype && - !hashtab_nel(d->trans->name_trans.table)) - return -1; - - /* and each filename transition must be also valid */ - if (hashtab_map(d->trans->name_trans.table, - validate_name_trans_helper, margs)) - return -1; - } else if ((k->specified & AVTAB_TYPE) && validate_simpletype(d->data, margs->policy, margs->flavors)) { + uint32_t otype = k->specified & AVTAB_TRANSITION + ? d->trans->otype : d->data; + if ((k->specified & AVTAB_TYPE) && validate_simpletype(otype, margs->policy, margs->flavors)) return -1; - } if ((k->specified & AVTAB_XPERMS) && validate_xperms(d->xperms)) return -1; 
@@ -1117,6 +1092,41 @@ bad: return -1; } +static int validate_filename_trans(hashtab_key_t k, hashtab_datum_t d, void *args) +{ + const filename_trans_key_t *ftk = (filename_trans_key_t *)k; + const filename_trans_datum_t *ftd = d; + validate_t *flavors = (validate_t *)args; + + if (validate_value(ftk->ttype, &flavors[SYM_TYPES])) + goto bad; + if (validate_value(ftk->tclass, &flavors[SYM_CLASSES])) + goto bad; + if (!ftd) + goto bad; + for (; ftd; ftd = ftd->next) { + if (validate_ebitmap(&ftd->stypes, &flavors[SYM_TYPES])) + goto bad; + if (validate_value(ftd->otype, &flavors[SYM_TYPES])) + goto bad; + } + + return 0; + +bad: + return -1; +} + +static int validate_filename_trans_hashtab(sepol_handle_t *handle, hashtab_t filename_trans, validate_t flavors[]) +{ + if (hashtab_map(filename_trans, validate_filename_trans, flavors)) { + ERR(handle, "Invalid filename trans"); + return -1; + } + + return 0; +} + static int validate_context(const context_struct_t *con, validate_t flavors[], int mls) { if (validate_value(con->user, &flavors[SYM_USERS])) @@ -1546,6 +1556,9 @@ int policydb_validate(sepol_handle_t *handle, const policydb_t *p) goto bad; if (validate_role_allows(handle, p->role_allow, flavors)) goto bad; + if (p->policyvers >= POLICYDB_VERSION_FILENAME_TRANS) + if (validate_filename_trans_hashtab(handle, p->filename_trans, flavors)) + goto bad; } else { if (validate_avrule_blocks(handle, p->global, p, flavors)) goto bad; diff --git a/libsepol/src/write.c b/libsepol/src/write.c index c4d593ab..0d3d5f14 100644 --- a/libsepol/src/write.c +++ b/libsepol/src/write.c 
@@ -116,14 +116,6 @@ static int avtab_write_item(policydb_t * p, && p->policyvers < POLICYDB_VERSION_AVTAB); unsigned int i; - /* skip entries which only contain filename transitions */ - if (cur->key.specified & AVTAB_TRANSITION && !cur->datum.trans->otype) { - /* if oldvers, reduce nel, because this node will be skipped */ - if (oldvers && nel) - (*nel)--; - return 0; - } - if (oldvers) { /* Generate the old avtab format. Requires merging similar entries if uncond avtab. */ @@ -321,23 +313,8 @@ static int avtab_write(struct policydb *p, avtab_t * a, struct policy_file *fp) avtab_reset_merged(a); nel = a->nel; } else { - /* - * New avtab format. nel is good to go unless we need to skip - * filename transitions. - */ - nel = a->nel; - /* - * entries containing only filename transitions are skipped and - * written out later - */ - for (i = 0; i < a->nslot; i++) { - for (cur = a->htable[i]; cur; cur = cur->next) { - if (cur->key.specified & AVTAB_TRANSITION && - !cur->datum.trans->otype) - nel--; - } - } - nel = cpu_to_le32(nel); + /* New avtab format. nel is good to go. */ + nel = cpu_to_le32(a->nel); items = put_entry(&nel, sizeof(uint32_t), 1, fp); if (items != 1) return POLICYDB_ERROR; 
@@ -381,307 +358,6 @@ static int avtab_write(struct policydb *p, avtab_t * a, struct policy_file *fp) return rc; } -/* policydb filename transition compatibility */ - -typedef struct filenametr_key { - uint32_t ttype; - uint32_t tclass; - char *name; -} filenametr_key_t; - -typedef struct filenametr_datum { - ebitmap_t stypes; - uint32_t otype; - struct filenametr_datum *next; -} filenametr_datum_t; - -ignore_unsigned_overflow_ -static inline unsigned long -partial_name_hash(unsigned long c, unsigned long prevhash) -{ - return (prevhash + (c << 4) + (c >> 4)) * 11; -} - -static unsigned int filenametr_hash(hashtab_t h, const_hashtab_key_t k) -{ - const filenametr_key_t *ft = (const filenametr_key_t *)k; - unsigned long hash; - unsigned int byte_num; - unsigned char focus; - - hash = ft->ttype ^ ft->tclass; - - byte_num = 0; - while ((focus = ft->name[byte_num++])) - hash = partial_name_hash(focus, hash); - return hash & (h->size - 1); -} - -static int filenametr_cmp(hashtab_t h __attribute__ ((unused)), - const_hashtab_key_t k1, const_hashtab_key_t k2) -{ - const filenametr_key_t *ft1 = (const filenametr_key_t *)k1; - const filenametr_key_t *ft2 = (const filenametr_key_t *)k2; - int v; - - v = spaceship_cmp(ft1->ttype, ft2->ttype); - if (v) - return v; - - v = spaceship_cmp(ft1->tclass, ft2->tclass); - if (v) - return v; - - return strcmp(ft1->name, ft2->name); -} - -static int filenametr_destroy(hashtab_key_t key, hashtab_datum_t datum, - void *p __attribute__ ((unused))) -{ - filenametr_key_t *ft = (filenametr_key_t *)key; - filenametr_datum_t *fd = datum, *next; - - free(ft->name); - free(key); - do { - next = fd->next; - ebitmap_destroy(&fd->stypes); - free(fd); - fd = next; - } while (fd); - return 0; -} - -typedef struct { - void *fp; - avtab_key_t *key; -} name_trans_write_args_t; - -static int name_trans_write_helper(hashtab_key_t k, hashtab_datum_t d, void *a) -{ - char *name = k; - uint32_t *otype = d; - name_trans_write_args_t *args = a; - size_t items; 
- uint32_t len, buf[4]; - - len = strlen(name); - buf[0] = cpu_to_le32(len); - items = put_entry(buf, sizeof(uint32_t), 1, args->fp); - if (items != 1) - return -1; - - items = put_entry(name, sizeof(char), len,args-> fp); - if (items != len) - return -1; - - buf[0] = cpu_to_le32(args->key->source_type); - buf[1] = cpu_to_le32(args->key->target_type); - buf[2] = cpu_to_le32(args->key->target_class); - buf[3] = cpu_to_le32(*otype); - - items = put_entry(buf, sizeof(uint32_t), 4, args->fp); - if (items != 4) - return -1; - return 0; -} - -typedef struct { - hashtab_t fnts_tab; - avtab_key_t *av_key; -} name_trans_insert_args_t; - -static int name_trans_insert_helper(hashtab_key_t k, hashtab_datum_t d, void *a) -{ - char *name = k; - uint32_t *otype = d; - name_trans_insert_args_t *args = a; - filenametr_key_t key, *ft = NULL; - filenametr_datum_t *last, *datum = NULL; - int rc; - - key.ttype = args->av_key->target_type; - key.tclass = args->av_key->target_class; - key.name = name; - - last = NULL; - datum = hashtab_search(args->fnts_tab, (hashtab_key_t)&key); - while (datum) { - if (ebitmap_get_bit(&datum->stypes, args->av_key->source_type - 1)) { - datum = NULL; - goto bad; - } - if (datum->otype == *otype) - break; - last = datum; - datum = datum->next; - } - if (!datum) { - datum = malloc(sizeof(filenametr_datum_t)); - if (!datum) - goto bad; - - ebitmap_init(&datum->stypes); - datum->otype = *otype; - datum->next = NULL; - - if (last) { - last->next = datum; - } else { - ft = malloc(sizeof(filenametr_key_t)); - if (!ft) - goto bad; - - ft->ttype = args->av_key->target_type; - ft->tclass = args->av_key->target_class; - ft->name = strdup(name); - if (!ft->name) - goto bad; - - rc = hashtab_insert(args->fnts_tab, (hashtab_key_t)ft, datum); - if (rc) - goto bad; - } - } - - return ebitmap_set_bit(&datum->stypes, args->av_key->source_type - 1, 1); - -bad: - if (ft != NULL) - free(ft->name); - free(ft); - free(datum); - return -1; -} - -static int 
filenametr_comp_write_one(hashtab_key_t key, void *data, void *ptr) -{ - uint32_t buf[3]; - size_t items, len, ndatum; - filenametr_key_t *ft = (filenametr_key_t *)key; - filenametr_datum_t *datum; - void *fp = ptr; - - len = strlen(ft->name); - buf[0] = cpu_to_le32(len); - items = put_entry(buf, sizeof(uint32_t), 1, fp); - if (items != 1) - return POLICYDB_ERROR; - - items = put_entry(ft->name, sizeof(char), len, fp); - if (items != len) - return POLICYDB_ERROR; - - ndatum = 0; - datum = data; - do { - ndatum++; - datum = datum->next; - } while (datum); - - buf[0] = cpu_to_le32(ft->ttype); - buf[1] = cpu_to_le32(ft->tclass); - buf[2] = cpu_to_le32(ndatum); - items = put_entry(buf, sizeof(uint32_t), 3, fp); - if (items != 3) - return POLICYDB_ERROR; - - datum = data; - do { - if (ebitmap_write(&datum->stypes, fp)) - return POLICYDB_ERROR; - - buf[0] = cpu_to_le32(datum->otype); - items = put_entry(buf, sizeof(uint32_t), 1, fp); - if (items != 1) - return POLICYDB_ERROR; - - datum = datum->next; - } while (datum); - - return 0; -} - -static int avtab_filename_trans_write(policydb_t *pol, avtab_t *a, - policy_file_t *fp) -{ - policydb_t *p = pol; - uint32_t buf[1]; - int rc; - size_t items; - uint32_t i, nel = 0; - struct avtab_node *cur; - hashtab_t fnts_tab; - name_trans_write_args_t write_args = { .fp = fp }; - name_trans_insert_args_t insert_args; - - /* count number of filename transitions */ - for (i = 0; i < a->nslot; i++) { - for (cur = a->htable[i]; cur; cur = cur->next) { - if (cur->key.specified & AVTAB_TRANSITION) { - nel += hashtab_nel(cur->datum.trans->name_trans.table); - } - } - } - - if (p->policyvers < POLICYDB_VERSION_COMP_FTRANS) { - buf[0] = cpu_to_le32(nel); - items = put_entry(buf, sizeof(uint32_t), 1, fp); - if (items != 1) - return -1; - - /* write filename transitions */ - for (i = 0; i < a->nslot; i++) { - for (cur = a->htable[i]; cur; cur = cur->next) { - if (cur->key.specified & AVTAB_TRANSITION) { - write_args.key = &cur->key; - rc = 
hashtab_map(cur->datum.trans->name_trans.table, - name_trans_write_helper, - &write_args); - if (rc) - return -1; - } - } - } - return 0; - } - - /* init filename transitions */ - fnts_tab = hashtab_create(filenametr_hash, filenametr_cmp, nel); - if (!fnts_tab) - return -1; - insert_args.fnts_tab = fnts_tab; - - for (i = 0; i < a->nslot; i++) { - for (cur = a->htable[i]; cur; cur = cur->next) { - if (cur->key.specified & AVTAB_TRANSITION) { - insert_args.av_key = &cur->key; - rc = hashtab_map(cur->datum.trans->name_trans.table, - name_trans_insert_helper, - &insert_args); - } - } - } - - rc = -1; - /* write compressed filename transitions */ - buf[0] = cpu_to_le32(fnts_tab->nel); - items = put_entry(buf, sizeof(uint32_t), 1, fp); - if (items != 1) - goto out; - - rc = hashtab_map(fnts_tab, filenametr_comp_write_one, fp); - -out: - /* destroy temp filename transitions table */ - hashtab_map(fnts_tab, filenametr_destroy, NULL); - hashtab_destroy(fnts_tab); - - return rc ? -1 : 0; -} - -/* end policydb filename transition compatibility */ - /* * Write a semantic MLS level structure to a policydb binary * representation file. 
@@ -904,6 +580,118 @@ static int role_allow_write(role_allow_t * r, struct policy_file *fp) return POLICYDB_SUCCESS; } +static int filename_write_one_compat(hashtab_key_t key, void *data, void *ptr) +{ + uint32_t bit, buf[4]; + size_t items, len; + filename_trans_key_t *ft = (filename_trans_key_t *)key; + filename_trans_datum_t *datum = data; + ebitmap_node_t *node; + void *fp = ptr; + + len = strlen(ft->name); + do { + ebitmap_for_each_positive_bit(&datum->stypes, node, bit) { + buf[0] = cpu_to_le32(len); + items = put_entry(buf, sizeof(uint32_t), 1, fp); + if (items != 1) + return POLICYDB_ERROR; + + items = put_entry(ft->name, sizeof(char), len, fp); + if (items != len) + return POLICYDB_ERROR; + + buf[0] = cpu_to_le32(bit + 1); + buf[1] = cpu_to_le32(ft->ttype); + buf[2] = cpu_to_le32(ft->tclass); + buf[3] = cpu_to_le32(datum->otype); + items = put_entry(buf, sizeof(uint32_t), 4, fp); + if (items != 4) + return POLICYDB_ERROR; + } + + datum = datum->next; + } while (datum); + + return 0; +} + +static int filename_write_one(hashtab_key_t key, void *data, void *ptr) +{ + uint32_t buf[3]; + size_t items, len, ndatum; + filename_trans_key_t *ft = (filename_trans_key_t *)key; + filename_trans_datum_t *datum; + void *fp = ptr; + + len = strlen(ft->name); + buf[0] = cpu_to_le32(len); + items = put_entry(buf, sizeof(uint32_t), 1, fp); + if (items != 1) + return POLICYDB_ERROR; + + items = put_entry(ft->name, sizeof(char), len, fp); + if (items != len) + return POLICYDB_ERROR; + + ndatum = 0; + datum = data; + do { + ndatum++; + datum = datum->next; + } while (datum); + + buf[0] = cpu_to_le32(ft->ttype); + buf[1] = cpu_to_le32(ft->tclass); + buf[2] = cpu_to_le32(ndatum); + items = put_entry(buf, sizeof(uint32_t), 3, fp); + if (items != 3) + return POLICYDB_ERROR; + + datum = data; + do { + if (ebitmap_write(&datum->stypes, fp)) + return POLICYDB_ERROR; + + buf[0] = cpu_to_le32(datum->otype); + items = put_entry(buf, sizeof(uint32_t), 1, fp); + if (items != 1) + return 
POLICYDB_ERROR; + + datum = datum->next; + } while (datum); + + return 0; +} + +static int filename_trans_write(struct policydb *p, void *fp) +{ + size_t items; + uint32_t buf[1]; + int rc; + + if (p->policyvers < POLICYDB_VERSION_FILENAME_TRANS) + return 0; + + if (p->policyvers < POLICYDB_VERSION_COMP_FTRANS) { + buf[0] = cpu_to_le32(p->filename_trans_count); + items = put_entry(buf, sizeof(uint32_t), 1, fp); + if (items != 1) + return POLICYDB_ERROR; + + rc = hashtab_map(p->filename_trans, filename_write_one_compat, + fp); + } else { + buf[0] = cpu_to_le32(p->filename_trans->nel); + items = put_entry(buf, sizeof(uint32_t), 1, fp); + if (items != 1) + return POLICYDB_ERROR; + + rc = hashtab_map(p->filename_trans, filename_write_one, fp); + } + return rc; +} + static int role_set_write(role_set_t * x, struct policy_file *fp) { size_t items; @@ -2414,21 +2202,6 @@ static int role_attr_uncount(hashtab_key_t key __attribute__ ((unused)), return 0; } -static int avtab_has_filename_transitions(avtab_t *a) -{ - uint32_t i; - struct avtab_node *cur; - for (i = 0; i < a->nslot; i++) { - for (cur = a->htable[i]; cur; cur = cur->next) { - if (cur->key.specified & AVTAB_TRANSITION) { - if (hashtab_nel(cur->datum.trans->name_trans.table)) - return 1; - } - } - } - return 0; -} - /* * Write the configuration data in a policy database * structure to a policy database binary representation 
@@ -2608,11 +2381,11 @@ int policydb_write(policydb_t * p, struct policy_file *fp) if (role_allow_write(p->role_allow, fp)) return POLICYDB_ERROR; if (p->policyvers >= POLICYDB_VERSION_FILENAME_TRANS) { - if (avtab_filename_trans_write(p, &p->te_avtab, fp)) + if (filename_trans_write(p, fp)) return POLICYDB_ERROR; - } else if (avtab_has_filename_transitions(&p->te_avtab)) { - WARN(fp->handle, - "Discarding filename type transition rules"); + } else { + if (p->filename_trans) + WARN(fp->handle, "Discarding filename type transition rules"); } } else { if (avrule_block_write(p->global, num_syms, p, fp) == -1) {

From patchwork Wed Jul 26 14:25:49 2023
X-Patchwork-Submitter: James Carter
X-Patchwork-Id: 13328165
X-Patchwork-Delegate: plautrba@redhat.com
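Review bot: filename_trans_read_one_compat (first hunk of libsepol/src/policydb.c in this patch) rejects `stype == 0` but hands `ttype`, `tclass` and `otype` straight from the file to policydb_filetrans_insert with no zero check, even though type and class values are 1-based (the cil_binary.c code indexes `p_type_val_to_name[src - 1]` and `p_class_val_to_name[obj - 1]`); validate_filename_trans in policydb_validate.c catches them later, but only when the caller runs policydb_validate. For symmetry with the `stype == 0` test, add `if (ttype == 0 || tclass == 0 || otype == 0) goto err;` after the three le32_to_cpu reads.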
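Review bot: in filename_trans_read_one, `p->filename_trans_count += ebitmap_cardinality(&datum->stypes);` runs before filename_trans_check_datum and hashtab_insert have accepted the entry and is not undone on the `err` path, so after a failed read the counter can exceed the number of rules actually held in `p->filename_trans`. The policy is discarded on failure today, but filename_trans_write later emits this same counter as `nel` for the compat format, so either move the increment after hashtab_insert succeeds or add a comment stating that the counter must track the table exactly.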
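Review bot: in the policydb_validate hunk, `if (p->policyvers >= POLICYDB_VERSION_FILENAME_TRANS) if (validate_filename_trans_hashtab(handle, p->filename_trans, flavors)) goto bad;` is a brace-less nested if; fold it into one condition with `&&` so it reads like the surrounding `goto bad` checks. Separately, validate_filename_trans checks `ttype`, `tclass`, `stypes` and `otype` but never looks at `ftk->name`, which filename_write_one and filename_write_one_compat pass to strlen unconditionally; a NULL/empty-name check there is cheap.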
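Review bot: the removed avtab_filename_trans_write (the `/* policydb filename transition compatibility */` block in write.c) assigned `rc = hashtab_map(cur->datum.trans->name_trans.table, name_trans_insert_helper, &insert_args);` inside the insert loop and never checked it, so an allocation failure in name_trans_insert_helper silently dropped rules from the written policy. The revert takes that bug out along with the code, but if this path is ever re-landed the return value needs checking the way the later `hashtab_map(fnts_tab, filenametr_comp_write_one, fp)` result is.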
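Review bot: filename_trans_write writes `p->filename_trans_count` as `nel` for the pre-COMP_FTRANS format, while the records that follow are produced by filename_write_one_compat from the positive bits of each datum's `stypes`; filename_trans_read loops exactly `nel` times over fixed-layout records, so any drift between the cached counter and the table silently desynchronises the stream and the policy is rejected or misparsed. Computing `nel` by walking `p->filename_trans` (summing ebitmap_cardinality over each datum chain, as filename_trans_read_one does on the way in) removes the dependency on the counter.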
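Review bot: in the policydb_write hunk, `if (p->filename_trans) WARN(fp->handle, "Discarding filename type transition rules");` only tests that the table pointer is set, so an empty table warns as well, whereas the replaced avtab_has_filename_transitions warned only when at least one rule existed; use `if (p->filename_trans && p->filename_trans->nel)` (the `nel` field is already read in filename_trans_write above).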
From: James Carter
To: selinux@vger.kernel.org
Cc: juraj@jurajmarcin.com, James Carter
Subject: [PATCH 8/8] Revert "checkpolicy,libsepol: move transition to separate structure in avtab"
Date: Wed, 26 Jul 2023 10:25:49 -0400
Message-ID: <20230726142549.94685-9-jwcart2@gmail.com>
X-Mailer: git-send-email 2.41.0
In-Reply-To: <20230726142549.94685-1-jwcart2@gmail.com>
References: <20230726142549.94685-1-jwcart2@gmail.com>
X-Mailing-List: selinux@vger.kernel.org

This reverts commit de708edf527be7e5142e5a9ae09879d58d65f50b.

Signed-off-by: James Carter
---
 checkpolicy/test/dispol.c               |  2 +-
 libsepol/cil/src/cil_binary.c           | 26 +++++---------------
 libsepol/include/sepol/policydb/avtab.h |  7 +-----
 libsepol/src/avtab.c                    | 32 +------------------------
 libsepol/src/expand.c                   |  8 ++-----
 libsepol/src/kernel_to_cil.c            |  3 +--
 libsepol/src/kernel_to_conf.c           |  3 +--
 libsepol/src/optimize.c                 |  4 ----
 libsepol/src/policydb_validate.c        |  4 +---
 libsepol/src/services.c                 |  5 +---
 libsepol/src/write.c                    | 17 +++----------
 11 files changed, 18 insertions(+), 93 deletions(-)

diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c index e45528b9..b567ce77 100644 --- a/checkpolicy/test/dispol.c +++ b/checkpolicy/test/dispol.c @@ -180,7 +180,7 @@ static int render_av_rule(avtab_key_t * key, avtab_datum_t * datum, uint32_t wha if (key->specified & AVTAB_TRANSITION) { fprintf(fp, "type_transition "); render_key(key, p, fp); - render_type(datum->trans->otype, p, fp); + render_type(datum->data, p, fp); fprintf(fp, ";\n"); } if (key->specified & AVTAB_MEMBER) { diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c index 3f264594..c4ee2380 100644 --- a/libsepol/cil/src/cil_binary.c +++ b/libsepol/cil/src/cil_binary.c
@@ -975,34 +975,28 @@ static int __cil_insert_type_rule(policydb_t *pdb, uint32_t kind, uint32_t src, int rc = SEPOL_OK; avtab_key_t avtab_key; avtab_datum_t avtab_datum; - avtab_trans_t trans; avtab_ptr_t existing; avtab_key.source_type = src; avtab_key.target_type = tgt; avtab_key.target_class = obj; - memset(&avtab_datum, 0, sizeof(avtab_datum_t)); - memset(&trans, 0, sizeof(avtab_trans_t)); - switch (kind) { case CIL_TYPE_TRANSITION: avtab_key.specified = AVTAB_TRANSITION; - trans.otype = res; - avtab_datum.trans = &trans; break; case CIL_TYPE_CHANGE: avtab_key.specified = AVTAB_CHANGE; - avtab_datum.data = res; break; case CIL_TYPE_MEMBER: avtab_key.specified = AVTAB_MEMBER; - avtab_datum.data = res; break; default: rc = SEPOL_ERR; goto exit; } + + avtab_datum.data = res; existing = avtab_search_node(&pdb->te_avtab, &avtab_key); if (existing) { @@ -1010,17 +1004,13 @@ static int __cil_insert_type_rule(policydb_t *pdb, uint32_t kind, uint32_t src, * A warning should have been previously given if there is a * non-duplicate rule using the same key. */ - uint32_t existing_otype = - existing->key.specified & AVTAB_TRANSITION - ? existing->datum.trans->otype - : existing->datum.data; - if (existing_otype != res) { + if (existing->datum.data != res) { cil_log(CIL_ERR, "Conflicting type rules (scontext=%s tcontext=%s tclass=%s result=%s), existing=%s\n", pdb->p_type_val_to_name[src - 1], pdb->p_type_val_to_name[tgt - 1], pdb->p_class_val_to_name[obj - 1], pdb->p_type_val_to_name[res - 1], - pdb->p_type_val_to_name[existing_otype - 1]); + pdb->p_type_val_to_name[existing->datum.data - 1]); cil_log(CIL_ERR, "Expanded from type rule (scontext=%s tcontext=%s tclass=%s result=%s)\n", cil_rule->src_str, cil_rule->tgt_str, cil_rule->obj_str, cil_rule->result_str); rc = SEPOL_ERR; 
@@ -1047,17 +1037,13 @@ static int __cil_insert_type_rule(policydb_t *pdb, uint32_t kind, uint32_t src, search_datum = cil_cond_av_list_search(&avtab_key, other_list); if (search_datum == NULL) { - uint32_t existing_otype = - existing->key.specified & AVTAB_TRANSITION - ? existing->datum.trans->otype - : existing->datum.data; - if (existing_otype != res) { + if (existing->datum.data != res) { cil_log(CIL_ERR, "Conflicting type rules (scontext=%s tcontext=%s tclass=%s result=%s), existing=%s\n", pdb->p_type_val_to_name[src - 1], pdb->p_type_val_to_name[tgt - 1], pdb->p_class_val_to_name[obj - 1], pdb->p_type_val_to_name[res - 1], - pdb->p_type_val_to_name[existing_otype - 1]); + pdb->p_type_val_to_name[existing->datum.data - 1]); cil_log(CIL_ERR, "Expanded from type rule (scontext=%s tcontext=%s tclass=%s result=%s)\n", cil_rule->src_str, cil_rule->tgt_str, cil_rule->obj_str, cil_rule->result_str); rc = SEPOL_ERR; diff --git a/libsepol/include/sepol/policydb/avtab.h b/libsepol/include/sepol/policydb/avtab.h index ca009c16..e4c48576 100644 --- a/libsepol/include/sepol/policydb/avtab.h +++ b/libsepol/include/sepol/policydb/avtab.h @@ -70,10 +70,6 @@ typedef struct avtab_key { uint16_t specified; /* what fields are specified */ } avtab_key_t; -typedef struct avtab_trans { - uint32_t otype; /* resulting type of the new object */ -} avtab_trans_t; - typedef struct avtab_extended_perms { #define AVTAB_XPERMS_IOCTLFUNCTION 0x01 @@ -85,8 +81,7 @@ typedef struct avtab_extended_perms { } avtab_extended_perms_t; typedef struct avtab_datum { - uint32_t data; /* access vector, member or change value */ - avtab_trans_t *trans; /* transition value */ + uint32_t data; /* access vector or type */ avtab_extended_perms_t *xperms; } avtab_datum_t; diff --git a/libsepol/src/avtab.c b/libsepol/src/avtab.c index 4c292e8b..82fec783 100644 --- a/libsepol/src/avtab.c +++ b/libsepol/src/avtab.c 
@@ -94,7 +94,6 @@ avtab_insert_node(avtab_t * h, int hvalue, avtab_ptr_t prev, avtab_key_t * key, avtab_datum_t * datum) { avtab_ptr_t newnode; - avtab_trans_t *trans; avtab_extended_perms_t *xperms; newnode = (avtab_ptr_t) malloc(sizeof(struct avtab_node)); @@ -118,16 +117,6 @@ avtab_insert_node(avtab_t * h, int hvalue, avtab_ptr_t prev, avtab_key_t * key, * So copy data so it is set in the avtab */ newnode->datum.data = datum->data; - } else if (key->specified & AVTAB_TRANSITION) { - trans = calloc(1, sizeof(*trans)); - if (trans == NULL) { - free(newnode); - return NULL; - } - if (datum->trans) /* else caller populates transition */ - *trans = *(datum->trans); - - newnode->datum.trans = trans; } else { newnode->datum = *datum; } @@ -328,8 +317,6 @@ void avtab_destroy(avtab_t * h) while (cur != NULL) { if (cur->key.specified & AVTAB_XPERMS) { free(cur->datum.xperms); - } else if (cur->key.specified & AVTAB_TRANSITION) { - free(cur->datum.trans); } temp = cur; cur = cur->next; @@ -453,7 +440,6 @@ int avtab_read_item(struct policy_file *fp, uint32_t vers, avtab_t * a, uint32_t buf32[8], items, items2, val; avtab_key_t key; avtab_datum_t datum; - avtab_trans_t trans; avtab_extended_perms_t xperms; unsigned set; unsigned int i; @@ -461,7 +447,6 @@ int avtab_read_item(struct policy_file *fp, uint32_t vers, avtab_t * a, memset(&key, 0, sizeof(avtab_key_t)); memset(&datum, 0, sizeof(avtab_datum_t)); - memset(&trans, 0, sizeof(avtab_trans_t)); memset(&xperms, 0, sizeof(avtab_extended_perms_t)); if (vers < POLICYDB_VERSION_AVTAB) { @@ -524,14 +509,7 @@ int avtab_read_item(struct policy_file *fp, uint32_t vers, avtab_t * a, return -1; } key.specified = spec_order[i] | enabled; - if (key.specified & AVTAB_TRANSITION) { - trans.otype = - le32_to_cpu(buf32[items++]); - datum.trans = &trans; - } else { - datum.data = - le32_to_cpu(buf32[items++]); - } + datum.data = le32_to_cpu(buf32[items++]); rc = insertf(a, &key, &datum, p); if (rc) return rc; 
@@ -593,14 +571,6 @@ int avtab_read_item(struct policy_file *fp, uint32_t vers, avtab_t * a, for (i = 0; i < ARRAY_SIZE(xperms.perms); i++) xperms.perms[i] = le32_to_cpu(buf32[i]); datum.xperms = &xperms; - } else if (key.specified & AVTAB_TRANSITION) { - rc = next_entry(buf32, fp, sizeof(uint32_t)); - if (rc < 0) { - ERR(fp->handle, "truncated entry"); - return -1; - } - trans.otype = le32_to_cpu(*buf32); - datum.trans = &trans; } else { rc = next_entry(buf32, fp, sizeof(uint32_t)); if (rc < 0) { diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c index 6793a27d..8795229a 100644 --- a/libsepol/src/expand.c +++ b/libsepol/src/expand.c @@ -1746,7 +1746,7 @@ static int expand_terule_helper(sepol_handle_t * handle, if (conflict) { avdatump = &node->datum; if (specified & AVRULE_TRANSITION) { - oldtype = avdatump->trans->otype; + oldtype = avdatump->data; } else if (specified & AVRULE_MEMBER) { oldtype = avdatump->data; } else if (specified & AVRULE_CHANGE) { @@ -1789,11 +1789,7 @@ static int expand_terule_helper(sepol_handle_t * handle, } avdatump = &node->datum; - if (specified & AVRULE_TRANSITION) { - avdatump->trans->otype = remapped_data; - } else { - avdatump->data = remapped_data; - } + avdatump->data = remapped_data; cur = cur->next; } diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c index 316679cc..8fcc385d 100644 --- a/libsepol/src/kernel_to_cil.c +++ b/libsepol/src/kernel_to_cil.c @@ -1702,8 +1702,7 @@ static char *xperms_to_str(avtab_extended_perms_t *xperms) static char *avtab_node_to_str(struct policydb *pdb, avtab_key_t *key, avtab_datum_t *datum) { - uint32_t data = key->specified & AVTAB_TRANSITION - ? datum->trans->otype : datum->data; + uint32_t data = datum->data; type_datum_t *type; const char *flavor, *tgt; char *src, *class, *perms, *new; diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c index aa161b08..b0ae16d9 100644 --- a/libsepol/src/kernel_to_conf.c +++ b/libsepol/src/kernel_to_conf.c 
@@ -1680,8 +1680,7 @@ exit: static char *avtab_node_to_str(struct policydb *pdb, avtab_key_t *key, avtab_datum_t *datum) { - uint32_t data = key->specified & AVTAB_TRANSITION - ? datum->trans->otype : datum->data; + uint32_t data = datum->data; type_datum_t *type; const char *flavor, *src, *tgt, *class, *perms, *new; char *rule = NULL; diff --git a/libsepol/src/optimize.c b/libsepol/src/optimize.c index 2d4a2d7a..a38025ec 100644 --- a/libsepol/src/optimize.c +++ b/libsepol/src/optimize.c @@ -308,8 +308,6 @@ static void optimize_avtab(policydb_t *p, const struct type_vec *type_map) *cur = tmp->next; if (tmp->key.specified & AVTAB_XPERMS) free(tmp->datum.xperms); - if (tmp->key.specified & AVTAB_TRANSITION) - free(tmp->datum.trans); free(tmp); tab->nel--; @@ -429,8 +427,6 @@ static void optimize_cond_avtab(policydb_t *p, const struct type_vec *type_map) *cur = tmp->next; if (tmp->key.specified & AVTAB_XPERMS) free(tmp->datum.xperms); - if (tmp->key.specified & AVTAB_TRANSITION) - free(tmp->datum.trans); free(tmp); tab->nel--; diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c index f402b506..3540f34a 100644 --- a/libsepol/src/policydb_validate.c +++ b/libsepol/src/policydb_validate.c @@ -836,9 +836,7 @@ static int validate_avtab_key_and_datum(avtab_key_t *k, avtab_datum_t *d, void * if (validate_avtab_key(k, 0, margs->policy, margs->flavors)) return -1; - uint32_t otype = k->specified & AVTAB_TRANSITION - ? d->trans->otype : d->data; - if ((k->specified & AVTAB_TYPE) && validate_simpletype(otype, margs->policy, margs->flavors)) + if ((k->specified & AVTAB_TYPE) && validate_simpletype(d->data, margs->policy, margs->flavors)) return -1; if ((k->specified & AVTAB_XPERMS) && validate_xperms(d->xperms)) diff --git a/libsepol/src/services.c b/libsepol/src/services.c index 6bddc287..07ae051b 100644 --- a/libsepol/src/services.c +++ b/libsepol/src/services.c 
@@ -1423,10 +1423,7 @@ static int sepol_compute_sid(sepol_security_id_t ssid, if (avdatum) { /* Use the type from the type transition/member/change rule. */ - if (specified & AVTAB_TRANSITION) - newcontext.type = avdatum->trans->otype; - else - newcontext.type = avdatum->data; + newcontext.type = avdatum->data; } /* Check for class-specific changes. */ diff --git a/libsepol/src/write.c b/libsepol/src/write.c index 0d3d5f14..024fe628 100644 --- a/libsepol/src/write.c +++ b/libsepol/src/write.c @@ -190,20 +190,14 @@ static int avtab_write_item(policydb_t * p, ERR(fp->handle, "missing node"); return POLICYDB_ERROR; } - uint32_t data = - node->key.specified & AVTAB_TRANSITION - ? node->datum.trans->otype - : node->datum.data; - buf32[items++] = cpu_to_le32(data); + buf32[items++] = + cpu_to_le32(node->datum.data); set--; node->merged = 1; } } } else { - uint32_t data = cur->key.specified & AVTAB_TRANSITION - ? cur->datum.trans->otype - : cur->datum.data; - buf32[items++] = cpu_to_le32(data); + buf32[items++] = cpu_to_le32(cur->datum.data); cur->merged = 1; set--; } @@ -262,11 +256,6 @@ static int avtab_write_item(policydb_t * p, items = put_entry(buf32, sizeof(uint32_t),8,fp); if (items != 8) return POLICYDB_ERROR; - } else if (cur->key.specified & AVTAB_TRANSITION) { - buf32[0] = cpu_to_le32(cur->datum.trans->otype); - items = put_entry(buf32, sizeof(uint32_t), 1, fp); - if (items != 1) - return POLICYDB_ERROR; } else { buf32[0] = cpu_to_le32(cur->datum.data); items = put_entry(buf32, sizeof(uint32_t), 1, fp);
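Review bot: in the first cil_binary.c hunk, dropping `memset(&avtab_datum, 0, sizeof(avtab_datum_t));` and only assigning `avtab_datum.data = res;` leaves `avtab_datum.xperms` indeterminate, and the avtab.c hunk shows avtab_insert_node storing the struct wholesale for non-xperms keys (`newnode->datum = *datum;`), so the table node ends up carrying an uninitialised `xperms` pointer. Nothing dereferences it for type rules (avtab_destroy and optimize_avtab free `xperms` only under AVTAB_XPERMS), so this is benign, but keeping the memset costs nothing and avoids copying an indeterminate pointer into the avtab.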
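Review bot: in the expand.c hunk, the `if (specified & AVRULE_TRANSITION)` and `else if (specified & AVRULE_MEMBER)` branches now both read `oldtype = avdatump->data;` (the AVRULE_CHANGE branch body is outside the shown context), so the chain no longer distinguishes anything in the visible lines; if the CHANGE branch is the same, collapse the three into a single `oldtype = avdatump->data;`, otherwise a short comment on why the branches stay separate would help the next reader.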