link.c revision c71644b06ebd417ef060f3f07472125516f86c41
1/* Authors: Karl MacMillan <kmacmillan@mentalrootkit.com> 2 * Joshua Brindle <jbrindle@tresys.com> 3 * Jason Tang <jtang@tresys.com> 4 * 5 * Copyright (C) 2004-2005 Tresys Technology, LLC 6 * Copyright (C) 2007 Red Hat, Inc. 7 * 8 * This library is free software; you can redistribute it and/or 9 * modify it under the terms of the GNU Lesser General Public 10 * License as published by the Free Software Foundation; either 11 * version 2.1 of the License, or (at your option) any later version. 12 * 13 * This library is distributed in the hope that it will be useful, 14 * but WITHOUT ANY WARRANTY; without even the implied warranty of 15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 16 * Lesser General Public License for more details. 17 * 18 * You should have received a copy of the GNU Lesser General Public 19 * License along with this library; if not, write to the Free Software 20 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA 21 */ 22 23#include <sepol/policydb/policydb.h> 24#include <sepol/policydb/conditional.h> 25#include <sepol/policydb/hashtab.h> 26#include <sepol/policydb/avrule_block.h> 27#include <sepol/policydb/link.h> 28#include <sepol/policydb/util.h> 29 30#include <stdlib.h> 31#include <stdarg.h> 32#include <stdio.h> 33#include <string.h> 34#include <assert.h> 35 36#include "debug.h" 37 38#undef min 39#define min(a,b) (((a) < (b)) ? (a) : (b)) 40 41typedef struct policy_module { 42 policydb_t *policy; 43 uint32_t num_decls; 44 uint32_t *map[SYM_NUM]; 45 uint32_t *avdecl_map; 46 uint32_t **perm_map; 47 uint32_t *perm_map_len; 48 49 /* a pointer to within the base module's avrule_block chain to 50 * where this module's global now resides */ 51 avrule_block_t *base_global; 52} policy_module_t; 53 54typedef struct link_state { 55 int verbose; 56 policydb_t *base; 57 avrule_block_t *last_avrule_block, *last_base_avrule_block; 58 uint32_t next_decl_id, current_decl_id; 59 60 /* temporary variables, used during hashtab_map() calls */ 61 policy_module_t *cur; 62 char *cur_mod_name; 63 avrule_decl_t *dest_decl; 64 class_datum_t *src_class, *dest_class; 65 char *dest_class_name; 66 char dest_class_req; /* flag indicating the class was not declared */ 67 uint32_t symbol_num; 68 /* used to report the name of the module if dependancy error occurs */ 69 policydb_t **decl_to_mod; 70 71 /* error reporting fields */ 72 sepol_handle_t *handle; 73} link_state_t; 74 75typedef struct missing_requirement { 76 uint32_t symbol_type; 77 uint32_t symbol_value; 78 uint32_t perm_value; 79} missing_requirement_t; 80 81static const char *symtab_names[SYM_NUM] = { 82 "common", "class", "role", "type/attribute", "user", 83 "bool", "level", "category" 84}; 85 86/* Deallocates all elements within a module, but NOT the policydb_t 87 * structure within, as well as the pointer itself. */ 88static void policy_module_destroy(policy_module_t * mod) 89{ 90 unsigned int i; 91 if (mod == NULL) { 92 return; 93 } 94 for (i = 0; i < SYM_NUM; i++) { 95 free(mod->map[i]); 96 } 97 for (i = 0; mod->perm_map != NULL && i < mod->policy->p_classes.nprim; 98 i++) { 99 free(mod->perm_map[i]); 100 } 101 free(mod->perm_map); 102 free(mod->perm_map_len); 103 free(mod->avdecl_map); 104 free(mod); 105} 106 107/***** functions that copy identifiers from a module to base *****/ 108 109/* Note: there is currently no scoping for permissions, which causes some 110 * strange side-effects. The current approach is this: 111 * 112 * a) perm is required and the class _and_ perm are declared in base: only add a mapping. 113 * b) perm is required and the class and perm are _not_ declared in base: simply add the permissions 114 * to the object class. This means that the requirements for the decl are the union of the permissions 115 * required for all decls, but who cares. 116 * c) perm is required, the class is declared in base, but the perm is not present. Nothing we can do 117 * here because we can't mark a single permission as required, so we bail with a requirement error 118 * _even_ if we are in an optional. 119 * 120 * A is correct behavior, b is wrong but not too bad, c is totall wrong for optionals. Fixing this requires 121 * a format change. 122 */ 123static int permission_copy_callback(hashtab_key_t key, hashtab_datum_t datum, 124 void *data) 125{ 126 char *perm_id = key, *new_id = NULL; 127 perm_datum_t *perm, *new_perm = NULL, *dest_perm; 128 link_state_t *state = (link_state_t *) data; 129 130 class_datum_t *src_class = state->src_class; 131 class_datum_t *dest_class = state->dest_class; 132 policy_module_t *mod = state->cur; 133 uint32_t sclassi = src_class->s.value - 1; 134 int ret; 135 136 perm = (perm_datum_t *) datum; 137 dest_perm = hashtab_search(dest_class->permissions.table, perm_id); 138 if (dest_perm == NULL && dest_class->comdatum != NULL) { 139 dest_perm = 140 hashtab_search(dest_class->comdatum->permissions.table, 141 perm_id); 142 } 143 144 if (dest_perm == NULL) { 145 /* If the object class was not declared in the base, add the perm 146 * to the object class. */ 147 if (state->dest_class_req) { 148 /* If the class was required (not declared), insert the new permission */ 149 new_id = strdup(perm_id); 150 if (new_id == NULL) { 151 ERR(state->handle, "Memory error"); 152 ret = SEPOL_ERR; 153 goto err; 154 } 155 new_perm = 156 (perm_datum_t *) calloc(1, sizeof(perm_datum_t)); 157 if (new_perm == NULL) { 158 ERR(state->handle, "Memory error"); 159 ret = SEPOL_ERR; 160 goto err; 161 } 162 ret = hashtab_insert(dest_class->permissions.table, 163 (hashtab_key_t) new_id, 164 (hashtab_datum_t) new_perm); 165 if (ret) { 166 ERR(state->handle, 167 "could not insert permission into class\n"); 168 goto err; 169 } 170 new_perm->s.value = dest_class->permissions.nprim + 1; 171 dest_perm = new_perm; 172 } else { 173 /* this is case c from above */ 174 ERR(state->handle, 175 "Module %s depends on permission %s in class %s, not satisfied", 176 state->cur_mod_name, perm_id, 177 state->dest_class_name); 178 return SEPOL_EREQ; 179 } 180 } 181 182 /* build the mapping for permissions encompassing this class. 183 * unlike symbols, the permission map translates between 184 * module permission bit to target permission bit. that bit 185 * may have originated from the class -or- it could be from 186 * the class's common parent.*/ 187 if (perm->s.value > mod->perm_map_len[sclassi]) { 188 uint32_t *newmap = calloc(perm->s.value, sizeof(*newmap)); 189 if (newmap == NULL) { 190 ERR(state->handle, "Out of memory!"); 191 return -1; 192 } 193 memcpy(newmap, mod->perm_map[sclassi], 194 mod->perm_map_len[sclassi] * sizeof(*newmap)); 195 free(mod->perm_map[sclassi]); 196 mod->perm_map[sclassi] = newmap; 197 mod->perm_map_len[sclassi] = perm->s.value; 198 } 199 mod->perm_map[sclassi][perm->s.value - 1] = dest_perm->s.value; 200 201 return 0; 202 err: 203 free(new_id); 204 free(new_perm); 205 return ret; 206} 207 208static int class_copy_default_new_object(link_state_t *state, 209 class_datum_t *olddatum, 210 class_datum_t *newdatum) 211{ 212 if (olddatum->default_user) { 213 if (newdatum->default_user && olddatum->default_user != newdatum->default_user) { 214 ERR(state->handle, "Found conflicting default user definitions"); 215 return SEPOL_ENOTSUP; 216 } 217 newdatum->default_user = olddatum->default_user; 218 } 219 if (olddatum->default_role) { 220 if (newdatum->default_role && olddatum->default_role != newdatum->default_role) { 221 ERR(state->handle, "Found conflicting default role definitions"); 222 return SEPOL_ENOTSUP; 223 } 224 newdatum->default_role = olddatum->default_role; 225 } 226 if (olddatum->default_type) { 227 if (newdatum->default_type && olddatum->default_type != newdatum->default_type) { 228 ERR(state->handle, "Found conflicting default type definitions"); 229 return SEPOL_ENOTSUP; 230 } 231 newdatum->default_type = olddatum->default_type; 232 } 233 if (olddatum->default_range) { 234 if (newdatum->default_range && olddatum->default_range != newdatum->default_range) { 235 ERR(state->handle, "Found conflicting default range definitions"); 236 return SEPOL_ENOTSUP; 237 } 238 newdatum->default_range = olddatum->default_range; 239 } 240 return 0; 241} 242 243static int class_copy_callback(hashtab_key_t key, hashtab_datum_t datum, 244 void *data) 245{ 246 char *id = key, *new_id = NULL; 247 class_datum_t *cladatum, *new_class = NULL; 248 link_state_t *state = (link_state_t *) data; 249 scope_datum_t *scope = NULL; 250 int ret; 251 252 cladatum = (class_datum_t *) datum; 253 state->dest_class_req = 0; 254 255 new_class = hashtab_search(state->base->p_classes.table, id); 256 /* If there is not an object class already in the base symtab that means 257 * that either a) a module is trying to declare a new object class (which 258 * the compiler should prevent) or b) an object class was required that is 259 * not in the base. 260 */ 261 if (new_class == NULL) { 262 scope = 263 hashtab_search(state->cur->policy->p_classes_scope.table, 264 id); 265 if (scope == NULL) { 266 ret = SEPOL_ERR; 267 goto err; 268 } 269 if (scope->scope == SCOPE_DECL) { 270 /* disallow declarations in modules */ 271 ERR(state->handle, 272 "%s: Modules may not yet declare new classes.", 273 state->cur_mod_name); 274 ret = SEPOL_ENOTSUP; 275 goto err; 276 } else { 277 /* It would be nice to error early here because the requirement is 278 * not met, but we cannot because the decl might be optional (in which 279 * case we should record the requirement so that it is just turned 280 * off). Note: this will break horribly if modules can declare object 281 * classes because the class numbers will be all wrong (i.e., they 282 * might be assigned in the order they were required rather than the 283 * current scheme which ensures correct numbering by ordering the 284 * declarations properly). This can't be fixed until some infrastructure 285 * for querying the object class numbers is in place. */ 286 state->dest_class_req = 1; 287 new_class = 288 (class_datum_t *) calloc(1, sizeof(class_datum_t)); 289 if (new_class == NULL) { 290 ERR(state->handle, "Memory error\n"); 291 ret = SEPOL_ERR; 292 goto err; 293 } 294 if (symtab_init 295 (&new_class->permissions, PERM_SYMTAB_SIZE)) { 296 ret = SEPOL_ERR; 297 goto err; 298 } 299 new_id = strdup(id); 300 if (new_id == NULL) { 301 ERR(state->handle, "Memory error\n"); 302 symtab_destroy(&new_class->permissions); 303 ret = SEPOL_ERR; 304 goto err; 305 } 306 ret = hashtab_insert(state->base->p_classes.table, 307 (hashtab_key_t) new_id, 308 (hashtab_datum_t) new_class); 309 if (ret) { 310 ERR(state->handle, 311 "could not insert new class into symtab"); 312 symtab_destroy(&new_class->permissions); 313 goto err; 314 } 315 new_class->s.value = ++(state->base->p_classes.nprim); 316 } 317 } 318 319 state->cur->map[SYM_CLASSES][cladatum->s.value - 1] = 320 new_class->s.value; 321 322 /* copy permissions */ 323 state->src_class = cladatum; 324 state->dest_class = new_class; 325 state->dest_class_name = (char *)key; 326 327 /* copy default new object rules */ 328 ret = class_copy_default_new_object(state, cladatum, new_class); 329 if (ret) 330 return ret; 331 332 ret = 333 hashtab_map(cladatum->permissions.table, permission_copy_callback, 334 state); 335 if (ret != 0) { 336 return ret; 337 } 338 339 return 0; 340 err: 341 free(new_class); 342 free(new_id); 343 return ret; 344} 345 346static int role_copy_callback(hashtab_key_t key, hashtab_datum_t datum, 347 void *data) 348{ 349 int ret; 350 char *id = key, *new_id = NULL; 351 role_datum_t *role, *base_role, *new_role = NULL; 352 link_state_t *state = (link_state_t *) data; 353 354 role = (role_datum_t *) datum; 355 356 base_role = hashtab_search(state->base->p_roles.table, id); 357 if (base_role != NULL) { 358 /* role already exists. check that it is what this 359 * module expected. duplicate declarations (e.g., two 360 * modules both declare role foo_r) is checked during 361 * scope_copy_callback(). */ 362 if (role->flavor == ROLE_ATTRIB 363 && base_role->flavor != ROLE_ATTRIB) { 364 ERR(state->handle, 365 "%s: Expected %s to be a role attribute, but it was already declared as a regular role.", 366 state->cur_mod_name, id); 367 return -1; 368 } else if (role->flavor != ROLE_ATTRIB 369 && base_role->flavor == ROLE_ATTRIB) { 370 ERR(state->handle, 371 "%s: Expected %s to be a regular role, but it was already declared as a role attribute.", 372 state->cur_mod_name, id); 373 return -1; 374 } 375 } else { 376 if (state->verbose) 377 INFO(state->handle, "copying role %s", id); 378 379 if ((new_id = strdup(id)) == NULL) { 380 goto cleanup; 381 } 382 383 if ((new_role = 384 (role_datum_t *) malloc(sizeof(*new_role))) == NULL) { 385 goto cleanup; 386 } 387 role_datum_init(new_role); 388 389 /* new_role's dominates, types and roles field will be copied 390 * during role_fix_callback() */ 391 new_role->flavor = role->flavor; 392 new_role->s.value = state->base->p_roles.nprim + 1; 393 394 ret = hashtab_insert(state->base->p_roles.table, 395 (hashtab_key_t) new_id, 396 (hashtab_datum_t) new_role); 397 if (ret) { 398 goto cleanup; 399 } 400 state->base->p_roles.nprim++; 401 base_role = new_role; 402 } 403 404 if (state->dest_decl) { 405 new_id = NULL; 406 if ((new_role = malloc(sizeof(*new_role))) == NULL) { 407 goto cleanup; 408 } 409 role_datum_init(new_role); 410 new_role->flavor = base_role->flavor; 411 new_role->s.value = base_role->s.value; 412 if ((new_id = strdup(id)) == NULL) { 413 goto cleanup; 414 } 415 if (hashtab_insert 416 (state->dest_decl->p_roles.table, new_id, new_role)) { 417 goto cleanup; 418 } 419 state->dest_decl->p_roles.nprim++; 420 } 421 422 state->cur->map[SYM_ROLES][role->s.value - 1] = base_role->s.value; 423 return 0; 424 425 cleanup: 426 ERR(state->handle, "Out of memory!"); 427 role_datum_destroy(new_role); 428 free(new_id); 429 free(new_role); 430 return -1; 431} 432 433/* Copy types and attributes from a module into the base module. The 434 * attributes are copied, but the types that make up this attribute 435 * are delayed type_fix_callback(). */ 436static int type_copy_callback(hashtab_key_t key, hashtab_datum_t datum, 437 void *data) 438{ 439 int ret; 440 char *id = key, *new_id = NULL; 441 type_datum_t *type, *base_type, *new_type = NULL; 442 link_state_t *state = (link_state_t *) data; 443 444 type = (type_datum_t *) datum; 445 if ((type->flavor == TYPE_TYPE && !type->primary) 446 || type->flavor == TYPE_ALIAS) { 447 /* aliases are handled later, in alias_copy_callback() */ 448 return 0; 449 } 450 451 base_type = hashtab_search(state->base->p_types.table, id); 452 if (base_type != NULL) { 453 /* type already exists. check that it is what this 454 * module expected. duplicate declarations (e.g., two 455 * modules both declare type foo_t) is checked during 456 * scope_copy_callback(). */ 457 if (type->flavor == TYPE_ATTRIB 458 && base_type->flavor != TYPE_ATTRIB) { 459 ERR(state->handle, 460 "%s: Expected %s to be an attribute, but it was already declared as a type.", 461 state->cur_mod_name, id); 462 return -1; 463 } else if (type->flavor != TYPE_ATTRIB 464 && base_type->flavor == TYPE_ATTRIB) { 465 ERR(state->handle, 466 "%s: Expected %s to be a type, but it was already declared as an attribute.", 467 state->cur_mod_name, id); 468 return -1; 469 } 470 /* permissive should pass to the base type */ 471 base_type->flags |= (type->flags & TYPE_FLAGS_PERMISSIVE); 472 } else { 473 if (state->verbose) 474 INFO(state->handle, "copying type %s", id); 475 476 if ((new_id = strdup(id)) == NULL) { 477 goto cleanup; 478 } 479 480 if ((new_type = 481 (type_datum_t *) calloc(1, sizeof(*new_type))) == NULL) { 482 goto cleanup; 483 } 484 new_type->primary = type->primary; 485 new_type->flags = type->flags; 486 new_type->flavor = type->flavor; 487 /* for attributes, the writing of new_type->types is 488 done in type_fix_callback() */ 489 490 new_type->s.value = state->base->p_types.nprim + 1; 491 492 ret = hashtab_insert(state->base->p_types.table, 493 (hashtab_key_t) new_id, 494 (hashtab_datum_t) new_type); 495 if (ret) { 496 goto cleanup; 497 } 498 state->base->p_types.nprim++; 499 base_type = new_type; 500 } 501 502 if (state->dest_decl) { 503 new_id = NULL; 504 if ((new_type = calloc(1, sizeof(*new_type))) == NULL) { 505 goto cleanup; 506 } 507 new_type->primary = type->primary; 508 new_type->flavor = type->flavor; 509 new_type->flags = type->flags; 510 new_type->s.value = base_type->s.value; 511 if ((new_id = strdup(id)) == NULL) { 512 goto cleanup; 513 } 514 if (hashtab_insert 515 (state->dest_decl->p_types.table, new_id, new_type)) { 516 goto cleanup; 517 } 518 state->dest_decl->p_types.nprim++; 519 } 520 521 state->cur->map[SYM_TYPES][type->s.value - 1] = base_type->s.value; 522 return 0; 523 524 cleanup: 525 ERR(state->handle, "Out of memory!"); 526 free(new_id); 527 free(new_type); 528 return -1; 529} 530 531static int user_copy_callback(hashtab_key_t key, hashtab_datum_t datum, 532 void *data) 533{ 534 int ret; 535 char *id = key, *new_id = NULL; 536 user_datum_t *user, *base_user, *new_user = NULL; 537 link_state_t *state = (link_state_t *) data; 538 539 user = (user_datum_t *) datum; 540 541 base_user = hashtab_search(state->base->p_users.table, id); 542 if (base_user == NULL) { 543 if (state->verbose) 544 INFO(state->handle, "copying user %s", id); 545 546 if ((new_id = strdup(id)) == NULL) { 547 goto cleanup; 548 } 549 550 if ((new_user = 551 (user_datum_t *) malloc(sizeof(*new_user))) == NULL) { 552 goto cleanup; 553 } 554 user_datum_init(new_user); 555 /* new_users's roles and MLS fields will be copied during 556 user_fix_callback(). */ 557 558 new_user->s.value = state->base->p_users.nprim + 1; 559 560 ret = hashtab_insert(state->base->p_users.table, 561 (hashtab_key_t) new_id, 562 (hashtab_datum_t) new_user); 563 if (ret) { 564 goto cleanup; 565 } 566 state->base->p_users.nprim++; 567 base_user = new_user; 568 } 569 570 if (state->dest_decl) { 571 new_id = NULL; 572 if ((new_user = malloc(sizeof(*new_user))) == NULL) { 573 goto cleanup; 574 } 575 user_datum_init(new_user); 576 new_user->s.value = base_user->s.value; 577 if ((new_id = strdup(id)) == NULL) { 578 goto cleanup; 579 } 580 if (hashtab_insert 581 (state->dest_decl->p_users.table, new_id, new_user)) { 582 goto cleanup; 583 } 584 state->dest_decl->p_users.nprim++; 585 } 586 587 state->cur->map[SYM_USERS][user->s.value - 1] = base_user->s.value; 588 return 0; 589 590 cleanup: 591 ERR(state->handle, "Out of memory!"); 592 user_datum_destroy(new_user); 593 free(new_id); 594 free(new_user); 595 return -1; 596} 597 598static int bool_copy_callback(hashtab_key_t key, hashtab_datum_t datum, 599 void *data) 600{ 601 int ret; 602 char *id = key, *new_id = NULL; 603 cond_bool_datum_t *booldatum, *base_bool, *new_bool = NULL; 604 link_state_t *state = (link_state_t *) data; 605 scope_datum_t *scope; 606 607 booldatum = (cond_bool_datum_t *) datum; 608 609 base_bool = hashtab_search(state->base->p_bools.table, id); 610 if (base_bool == NULL) { 611 if (state->verbose) 612 INFO(state->handle, "copying boolean %s", id); 613 614 if ((new_id = strdup(id)) == NULL) { 615 goto cleanup; 616 } 617 618 if ((new_bool = 619 (cond_bool_datum_t *) malloc(sizeof(*new_bool))) == NULL) { 620 goto cleanup; 621 } 622 new_bool->s.value = state->base->p_bools.nprim + 1; 623 624 ret = hashtab_insert(state->base->p_bools.table, 625 (hashtab_key_t) new_id, 626 (hashtab_datum_t) new_bool); 627 if (ret) { 628 goto cleanup; 629 } 630 state->base->p_bools.nprim++; 631 base_bool = new_bool; 632 base_bool->flags = booldatum->flags; 633 } else if ((booldatum->flags & COND_BOOL_FLAGS_TUNABLE) != 634 (base_bool->flags & COND_BOOL_FLAGS_TUNABLE)) { 635 /* A mismatch between boolean/tunable declaration 636 * and usage(for example a boolean used in the 637 * tunable_policy() or vice versa). 638 * 639 * This is not allowed and bail out with errors */ 640 ERR(state->handle, 641 "%s: Mismatch between boolean/tunable definition " 642 "and usage for %s", state->cur_mod_name, id); 643 return -1; 644 } 645 646 /* Get the scope info for this boolean to see if this is the declaration, 647 * if so set the state */ 648 scope = hashtab_search(state->cur->policy->p_bools_scope.table, id); 649 if (!scope) 650 return SEPOL_ERR; 651 if (scope->scope == SCOPE_DECL) { 652 base_bool->state = booldatum->state; 653 /* Only the declaration rather than requirement 654 * decides if it is a boolean or tunable. */ 655 base_bool->flags = booldatum->flags; 656 } 657 state->cur->map[SYM_BOOLS][booldatum->s.value - 1] = base_bool->s.value; 658 return 0; 659 660 cleanup: 661 ERR(state->handle, "Out of memory!"); 662 cond_destroy_bool(new_id, new_bool, NULL); 663 return -1; 664} 665 666static int sens_copy_callback(hashtab_key_t key, hashtab_datum_t datum, 667 void *data) 668{ 669 char *id = key; 670 level_datum_t *level, *base_level; 671 link_state_t *state = (link_state_t *) data; 672 scope_datum_t *scope; 673 674 level = (level_datum_t *) datum; 675 676 base_level = hashtab_search(state->base->p_levels.table, id); 677 if (!base_level) { 678 scope = 679 hashtab_search(state->cur->policy->p_sens_scope.table, id); 680 if (!scope) 681 return SEPOL_ERR; 682 if (scope->scope == SCOPE_DECL) { 683 /* disallow declarations in modules */ 684 ERR(state->handle, 685 "%s: Modules may not declare new sensitivities.", 686 state->cur_mod_name); 687 return SEPOL_ENOTSUP; 688 } else if (scope->scope == SCOPE_REQ) { 689 /* unmet requirement */ 690 ERR(state->handle, 691 "%s: Sensitivity %s not declared by base.", 692 state->cur_mod_name, id); 693 return SEPOL_ENOTSUP; 694 } else { 695 ERR(state->handle, 696 "%s: has an unknown scope: %d\n", 697 state->cur_mod_name, scope->scope); 698 return SEPOL_ENOTSUP; 699 } 700 } 701 702 state->cur->map[SYM_LEVELS][level->level->sens - 1] = 703 base_level->level->sens; 704 705 return 0; 706} 707 708static int cat_copy_callback(hashtab_key_t key, hashtab_datum_t datum, 709 void *data) 710{ 711 char *id = key; 712 cat_datum_t *cat, *base_cat; 713 link_state_t *state = (link_state_t *) data; 714 scope_datum_t *scope; 715 716 cat = (cat_datum_t *) datum; 717 718 base_cat = hashtab_search(state->base->p_cats.table, id); 719 if (!base_cat) { 720 scope = hashtab_search(state->cur->policy->p_cat_scope.table, id); 721 if (!scope) 722 return SEPOL_ERR; 723 if (scope->scope == SCOPE_DECL) { 724 /* disallow declarations in modules */ 725 ERR(state->handle, 726 "%s: Modules may not declare new categories.", 727 state->cur_mod_name); 728 return SEPOL_ENOTSUP; 729 } else if (scope->scope == SCOPE_REQ) { 730 /* unmet requirement */ 731 ERR(state->handle, 732 "%s: Category %s not declared by base.", 733 state->cur_mod_name, id); 734 return SEPOL_ENOTSUP; 735 } else { 736 /* unknown scope? malformed policy? */ 737 ERR(state->handle, 738 "%s: has an unknown scope: %d\n", 739 state->cur_mod_name, scope->scope); 740 return SEPOL_ENOTSUP; 741 } 742 } 743 744 state->cur->map[SYM_CATS][cat->s.value - 1] = base_cat->s.value; 745 746 return 0; 747} 748 749static int (*copy_callback_f[SYM_NUM]) (hashtab_key_t key, 750 hashtab_datum_t datum, void *datap) = { 751NULL, class_copy_callback, role_copy_callback, type_copy_callback, 752 user_copy_callback, bool_copy_callback, sens_copy_callback, 753 cat_copy_callback}; 754 755/* 756 * The boundaries have to be copied after the types/roles/users are copied, 757 * because it refers hashtab to lookup destinated objects. 758 */ 759static int type_bounds_copy_callback(hashtab_key_t key, 760 hashtab_datum_t datum, void *data) 761{ 762 link_state_t *state = (link_state_t *) data; 763 type_datum_t *type = (type_datum_t *) datum; 764 type_datum_t *dest; 765 uint32_t bounds_val; 766 767 if (!type->bounds) 768 return 0; 769 770 bounds_val = state->cur->map[SYM_TYPES][type->bounds - 1]; 771 772 dest = hashtab_search(state->base->p_types.table, key); 773 if (!dest) { 774 ERR(state->handle, 775 "Type lookup failed for %s", (char *)key); 776 return -1; 777 } 778 if (dest->bounds != 0 && dest->bounds != bounds_val) { 779 ERR(state->handle, 780 "Inconsistent boundary for %s", (char *)key); 781 return -1; 782 } 783 dest->bounds = bounds_val; 784 785 return 0; 786} 787 788static int role_bounds_copy_callback(hashtab_key_t key, 789 hashtab_datum_t datum, void *data) 790{ 791 link_state_t *state = (link_state_t *) data; 792 role_datum_t *role = (role_datum_t *) datum; 793 role_datum_t *dest; 794 uint32_t bounds_val; 795 796 if (!role->bounds) 797 return 0; 798 799 bounds_val = state->cur->map[SYM_ROLES][role->bounds - 1]; 800 801 dest = hashtab_search(state->base->p_roles.table, key); 802 if (!dest) { 803 ERR(state->handle, 804 "Role lookup failed for %s", (char *)key); 805 return -1; 806 } 807 if (dest->bounds != 0 && dest->bounds != bounds_val) { 808 ERR(state->handle, 809 "Inconsistent boundary for %s", (char *)key); 810 return -1; 811 } 812 dest->bounds = bounds_val; 813 814 return 0; 815} 816 817static int user_bounds_copy_callback(hashtab_key_t key, 818 hashtab_datum_t datum, void *data) 819{ 820 link_state_t *state = (link_state_t *) data; 821 user_datum_t *user = (user_datum_t *) datum; 822 user_datum_t *dest; 823 uint32_t bounds_val; 824 825 if (!user->bounds) 826 return 0; 827 828 bounds_val = state->cur->map[SYM_USERS][user->bounds - 1]; 829 830 dest = hashtab_search(state->base->p_users.table, key); 831 if (!dest) { 832 ERR(state->handle, 833 "User lookup failed for %s", (char *)key); 834 return -1; 835 } 836 if (dest->bounds != 0 && dest->bounds != bounds_val) { 837 ERR(state->handle, 838 "Inconsistent boundary for %s", (char *)key); 839 return -1; 840 } 841 dest->bounds = bounds_val; 842 843 return 0; 844} 845 846/* The aliases have to be copied after the types and attributes to be 847 * certain that the base symbol table will have the type that the 848 * alias refers. Otherwise, we won't be able to find the type value 849 * for the alias. We can't depend on the declaration ordering because 850 * of the hash table. 851 */ 852static int alias_copy_callback(hashtab_key_t key, hashtab_datum_t datum, 853 void *data) 854{ 855 char *id = key, *new_id = NULL, *target_id; 856 type_datum_t *type, *base_type, *new_type = NULL, *target_type; 857 link_state_t *state = (link_state_t *) data; 858 policy_module_t *mod = state->cur; 859 int primval; 860 861 type = (type_datum_t *) datum; 862 /* there are 2 kinds of aliases. Ones with their own value (TYPE_ALIAS) 863 * and ones with the value of their primary (TYPE_TYPE && type->primary = 0) 864 */ 865 if (! 866 (type->flavor == TYPE_ALIAS 867 || (type->flavor == TYPE_TYPE && !type->primary))) { 868 /* ignore types and attributes -- they were handled in 869 * type_copy_callback() */ 870 return 0; 871 } 872 873 if (type->flavor == TYPE_ALIAS) 874 primval = type->primary; 875 else 876 primval = type->s.value; 877 878 target_id = mod->policy->p_type_val_to_name[primval - 1]; 879 target_type = hashtab_search(state->base->p_types.table, target_id); 880 if (target_type == NULL) { 881 ERR(state->handle, "%s: Could not find type %s for alias %s.", 882 state->cur_mod_name, target_id, id); 883 return -1; 884 } 885 886 if (!strcmp(id, target_id)) { 887 ERR(state->handle, "%s: Self aliasing of %s.", 888 state->cur_mod_name, id); 889 return -1; 890 } 891 892 target_type->flags |= (type->flags & TYPE_FLAGS_PERMISSIVE); 893 894 base_type = hashtab_search(state->base->p_types.table, id); 895 if (base_type == NULL) { 896 if (state->verbose) 897 INFO(state->handle, "copying alias %s", id); 898 899 if ((new_type = 900 (type_datum_t *) calloc(1, sizeof(*new_type))) == NULL) { 901 goto cleanup; 902 } 903 /* the linked copy always has TYPE_ALIAS style aliases */ 904 new_type->primary = target_type->s.value; 905 new_type->flags = target_type->flags; 906 new_type->flavor = TYPE_ALIAS; 907 new_type->s.value = state->base->p_types.nprim + 1; 908 if ((new_id = strdup(id)) == NULL) { 909 goto cleanup; 910 } 911 if (hashtab_insert 912 (state->base->p_types.table, new_id, new_type)) { 913 goto cleanup; 914 } 915 state->base->p_types.nprim++; 916 base_type = new_type; 917 } else { 918 919 /* if this already exists and isn't an alias it was required by another module (or base) 920 * and inserted into the hashtable as a type, fix it up now */ 921 922 if (base_type->flavor == TYPE_ALIAS) { 923 /* error checking */ 924 assert(base_type->primary == target_type->s.value); 925 assert(base_type->primary == 926 mod->map[SYM_TYPES][primval - 1]); 927 assert(mod->map[SYM_TYPES][type->s.value - 1] == 928 base_type->primary); 929 return 0; 930 } 931 932 if (base_type->flavor == TYPE_ATTRIB) { 933 ERR(state->handle, 934 "%s is an alias of an attribute, not allowed", id); 935 return -1; 936 } 937 938 base_type->flavor = TYPE_ALIAS; 939 base_type->primary = target_type->s.value; 940 base_type->flags |= (target_type->flags & TYPE_FLAGS_PERMISSIVE); 941 942 } 943 /* the aliases map points from its value to its primary so when this module 944 * references this type the value it gets back from the map is the primary */ 945 mod->map[SYM_TYPES][type->s.value - 1] = base_type->primary; 946 947 return 0; 948 949 cleanup: 950 ERR(state->handle, "Out of memory!"); 951 free(new_id); 952 free(new_type); 953 return -1; 954} 955 956/*********** callbacks that fix bitmaps ***********/ 957 958static int type_set_convert(type_set_t * types, type_set_t * dst, 959 policy_module_t * mod, link_state_t * state 960 __attribute__ ((unused))) 961{ 962 unsigned int i; 963 ebitmap_node_t *tnode; 964 ebitmap_for_each_bit(&types->types, tnode, i) { 965 if (ebitmap_node_get_bit(tnode, i)) { 966 assert(mod->map[SYM_TYPES][i]); 967 if (ebitmap_set_bit 968 (&dst->types, mod->map[SYM_TYPES][i] - 1, 1)) { 969 goto cleanup; 970 } 971 } 972 } 973 ebitmap_for_each_bit(&types->negset, tnode, i) { 974 if (ebitmap_node_get_bit(tnode, i)) { 975 assert(mod->map[SYM_TYPES][i]); 976 if (ebitmap_set_bit 977 (&dst->negset, mod->map[SYM_TYPES][i] - 1, 1)) { 978 goto cleanup; 979 } 980 } 981 } 982 dst->flags = types->flags; 983 return 0; 984 985 cleanup: 986 return -1; 987} 988 989/* OR 2 typemaps together and at the same time map the src types to 990 * the correct values in the dst typeset. 991 */ 992static int type_set_or_convert(type_set_t * types, type_set_t * dst, 993 policy_module_t * mod, link_state_t * state) 994{ 995 type_set_t ts_tmp; 996 997 type_set_init(&ts_tmp); 998 if (type_set_convert(types, &ts_tmp, mod, state) == -1) { 999 goto cleanup; 1000 } 1001 if (type_set_or_eq(dst, &ts_tmp)) { 1002 goto cleanup; 1003 } 1004 type_set_destroy(&ts_tmp); 1005 return 0; 1006 1007 cleanup: 1008 ERR(state->handle, "Out of memory!"); 1009 type_set_destroy(&ts_tmp); 1010 return -1; 1011} 1012 1013static int role_set_or_convert(role_set_t * roles, role_set_t * dst, 1014 policy_module_t * mod, link_state_t * state) 1015{ 1016 unsigned int i; 1017 ebitmap_t tmp; 1018 ebitmap_node_t *rnode; 1019 1020 ebitmap_init(&tmp); 1021 ebitmap_for_each_bit(&roles->roles, rnode, i) { 1022 if (ebitmap_node_get_bit(rnode, i)) { 1023 assert(mod->map[SYM_ROLES][i]); 1024 if (ebitmap_set_bit 1025 (&tmp, mod->map[SYM_ROLES][i] - 1, 1)) { 1026 goto cleanup; 1027 } 1028 } 1029 } 1030 if (ebitmap_union(&dst->roles, &tmp)) { 1031 goto cleanup; 1032 } 1033 dst->flags |= roles->flags; 1034 ebitmap_destroy(&tmp); 1035 return 0; 1036 cleanup: 1037 ERR(state->handle, "Out of memory!"); 1038 ebitmap_destroy(&tmp); 1039 return -1; 1040} 1041 1042static int mls_level_convert(mls_semantic_level_t * src, mls_semantic_level_t * dst, 1043 policy_module_t * mod, link_state_t * state) 1044{ 1045 mls_semantic_cat_t *src_cat, *new_cat; 1046 1047 if (!mod->policy->mls) 1048 return 0; 1049 1050 /* Required not declared. */ 1051 if (!src->sens) 1052 return 0; 1053 1054 assert(mod->map[SYM_LEVELS][src->sens - 1]); 1055 dst->sens = mod->map[SYM_LEVELS][src->sens - 1]; 1056 1057 for (src_cat = src->cat; src_cat; src_cat = src_cat->next) { 1058 new_cat = 1059 (mls_semantic_cat_t *) malloc(sizeof(mls_semantic_cat_t)); 1060 if (!new_cat) { 1061 ERR(state->handle, "Out of memory"); 1062 return -1; 1063 } 1064 mls_semantic_cat_init(new_cat); 1065 1066 new_cat->next = dst->cat; 1067 dst->cat = new_cat; 1068 1069 assert(mod->map[SYM_CATS][src_cat->low - 1]); 1070 dst->cat->low = mod->map[SYM_CATS][src_cat->low - 1]; 1071 assert(mod->map[SYM_CATS][src_cat->high - 1]); 1072 dst->cat->high = mod->map[SYM_CATS][src_cat->high - 1]; 1073 } 1074 1075 return 0; 1076} 1077 1078static int mls_range_convert(mls_semantic_range_t * src, mls_semantic_range_t * dst, 1079 policy_module_t * mod, link_state_t * state) 1080{ 1081 int ret; 1082 ret = mls_level_convert(&src->level[0], &dst->level[0], mod, state); 1083 if (ret) 1084 return ret; 1085 ret = mls_level_convert(&src->level[1], &dst->level[1], mod, state); 1086 if (ret) 1087 return ret; 1088 return 0; 1089} 1090 1091static int role_fix_callback(hashtab_key_t key, hashtab_datum_t datum, 1092 void *data) 1093{ 1094 unsigned int i; 1095 char *id = key; 1096 role_datum_t *role, *dest_role = NULL; 1097 link_state_t *state = (link_state_t *) data; 1098 ebitmap_t e_tmp; 1099 policy_module_t *mod = state->cur; 1100 ebitmap_node_t *rnode; 1101 hashtab_t role_tab; 1102 1103 role = (role_datum_t *) datum; 1104 if (state->dest_decl == NULL) 1105 role_tab = state->base->p_roles.table; 1106 else 1107 role_tab = state->dest_decl->p_roles.table; 1108 1109 dest_role = hashtab_search(role_tab, id); 1110 assert(dest_role != NULL); 1111 1112 if (state->verbose) { 1113 INFO(state->handle, "fixing role %s", id); 1114 } 1115 1116 ebitmap_init(&e_tmp); 1117 ebitmap_for_each_bit(&role->dominates, rnode, i) { 1118 if (ebitmap_node_get_bit(rnode, i)) { 1119 assert(mod->map[SYM_ROLES][i]); 1120 if (ebitmap_set_bit 1121 (&e_tmp, mod->map[SYM_ROLES][i] - 1, 1)) { 1122 goto cleanup; 1123 } 1124 } 1125 } 1126 if (ebitmap_union(&dest_role->dominates, &e_tmp)) { 1127 goto cleanup; 1128 } 1129 if (type_set_or_convert(&role->types, &dest_role->types, mod, state)) { 1130 goto cleanup; 1131 } 1132 ebitmap_destroy(&e_tmp); 1133 1134 if (role->flavor == ROLE_ATTRIB) { 1135 ebitmap_init(&e_tmp); 1136 ebitmap_for_each_bit(&role->roles, rnode, i) { 1137 if (ebitmap_node_get_bit(rnode, i)) { 1138 assert(mod->map[SYM_ROLES][i]); 1139 if (ebitmap_set_bit 1140 (&e_tmp, mod->map[SYM_ROLES][i] - 1, 1)) { 1141 goto cleanup; 1142 } 1143 } 1144 } 1145 if (ebitmap_union(&dest_role->roles, &e_tmp)) { 1146 goto cleanup; 1147 } 1148 ebitmap_destroy(&e_tmp); 1149 } 1150 1151 return 0; 1152 1153 cleanup: 1154 ERR(state->handle, "Out of memory!"); 1155 ebitmap_destroy(&e_tmp); 1156 return -1; 1157} 1158 1159static int type_fix_callback(hashtab_key_t key, hashtab_datum_t datum, 1160 void *data) 1161{ 1162 unsigned int i; 1163 char *id = key; 1164 type_datum_t *type, *new_type = NULL; 1165 link_state_t *state = (link_state_t *) data; 1166 ebitmap_t e_tmp; 1167 policy_module_t *mod = state->cur; 1168 ebitmap_node_t *tnode; 1169 symtab_t *typetab; 1170 1171 type = (type_datum_t *) datum; 1172 1173 if (state->dest_decl == NULL) 1174 typetab = &state->base->p_types; 1175 else 1176 typetab = &state->dest_decl->p_types; 1177 1178 /* only fix attributes */ 1179 if (type->flavor != TYPE_ATTRIB) { 1180 return 0; 1181 } 1182 1183 new_type = hashtab_search(typetab->table, id); 1184 assert(new_type != NULL && new_type->flavor == TYPE_ATTRIB); 1185 1186 if (state->verbose) { 1187 INFO(state->handle, "fixing attribute %s", id); 1188 } 1189 1190 ebitmap_init(&e_tmp); 1191 ebitmap_for_each_bit(&type->types, tnode, i) { 1192 if (ebitmap_node_get_bit(tnode, i)) { 1193 assert(mod->map[SYM_TYPES][i]); 1194 if (ebitmap_set_bit 1195 (&e_tmp, mod->map[SYM_TYPES][i] - 1, 1)) { 1196 goto cleanup; 1197 } 1198 } 1199 } 1200 if (ebitmap_union(&new_type->types, &e_tmp)) { 1201 goto cleanup; 1202 } 1203 ebitmap_destroy(&e_tmp); 1204 return 0; 1205 1206 cleanup: 1207 ERR(state->handle, "Out of memory!"); 1208 ebitmap_destroy(&e_tmp); 1209 return -1; 1210} 1211 1212static int user_fix_callback(hashtab_key_t key, hashtab_datum_t datum, 1213 void *data) 1214{ 1215 char *id = key; 1216 user_datum_t *user, *new_user = NULL; 1217 link_state_t *state = (link_state_t *) data; 1218 policy_module_t *mod = state->cur; 1219 symtab_t *usertab; 1220 1221 user = (user_datum_t *) datum; 1222 1223 if (state->dest_decl == NULL) 1224 usertab = &state->base->p_users; 1225 else 1226 usertab = &state->dest_decl->p_users; 1227 1228 new_user = hashtab_search(usertab->table, id); 1229 assert(new_user != NULL); 1230 1231 if (state->verbose) { 1232 INFO(state->handle, "fixing user %s", id); 1233 } 1234 1235 if (role_set_or_convert(&user->roles, &new_user->roles, mod, state)) { 1236 goto cleanup; 1237 } 1238 1239 if (mls_range_convert(&user->range, &new_user->range, mod, state)) 1240 goto cleanup; 1241 1242 if (mls_level_convert(&user->dfltlevel, &new_user->dfltlevel, mod, state)) 1243 goto cleanup; 1244 1245 return 0; 1246 1247 cleanup: 1248 ERR(state->handle, "Out of memory!"); 1249 return -1; 1250} 1251 1252static int (*fix_callback_f[SYM_NUM]) (hashtab_key_t key, hashtab_datum_t datum, 1253 void *datap) = { 1254NULL, NULL, role_fix_callback, type_fix_callback, user_fix_callback, 1255 NULL, NULL, NULL}; 1256 1257/*********** functions that copy AV rules ***********/ 1258 1259static int copy_avrule_list(avrule_t * list, avrule_t ** dst, 1260 policy_module_t * module, link_state_t * state) 1261{ 1262 unsigned int i; 1263 avrule_t *cur, *new_rule = NULL, *tail; 1264 class_perm_node_t *cur_perm, *new_perm, *tail_perm = NULL; 1265 1266 tail = *dst; 1267 while (tail && tail->next) { 1268 tail = tail->next; 1269 } 1270 1271 cur = list; 1272 while (cur) { 1273 if ((new_rule = (avrule_t *) malloc(sizeof(avrule_t))) == NULL) { 1274 goto cleanup; 1275 } 1276 avrule_init(new_rule); 1277 1278 new_rule->specified = cur->specified; 1279 new_rule->flags = cur->flags; 1280 if (type_set_convert 1281 (&cur->stypes, &new_rule->stypes, module, state) == -1 1282 || type_set_convert(&cur->ttypes, &new_rule->ttypes, module, 1283 state) == -1) { 1284 goto cleanup; 1285 } 1286 1287 cur_perm = cur->perms; 1288 tail_perm = NULL; 1289 while (cur_perm) { 1290 if ((new_perm = (class_perm_node_t *) 1291 malloc(sizeof(class_perm_node_t))) == NULL) { 1292 goto cleanup; 1293 } 1294 class_perm_node_init(new_perm); 1295 1296 new_perm->class = 1297 module->map[SYM_CLASSES][cur_perm->class - 1]; 1298 assert(new_perm->class); 1299 1300 if (new_rule->specified & AVRULE_AV) { 1301 for (i = 0; 1302 i < 1303 module->perm_map_len[cur_perm->class - 1]; 1304 i++) { 1305 if (!(cur_perm->data & (1U << i))) 1306 continue; 1307 new_perm->data |= 1308 (1U << 1309 (module-> 1310 perm_map[cur_perm->class - 1][i] - 1311 1)); 1312 } 1313 } else { 1314 new_perm->data = 1315 module->map[SYM_TYPES][cur_perm->data - 1]; 1316 } 1317 1318 if (new_rule->perms == NULL) { 1319 new_rule->perms = new_perm; 1320 } else { 1321 assert(tail_perm); 1322 tail_perm->next = new_perm; 1323 } 1324 tail_perm = new_perm; 1325 cur_perm = cur_perm->next; 1326 } 1327 new_rule->line = cur->line; 1328 new_rule->source_line = cur->source_line; 1329 new_rule->source_filename = strdup(cur->source_filename); 1330 if (!new_rule->source_filename) 1331 goto cleanup; 1332 1333 cur = cur->next; 1334 1335 if (*dst == NULL) { 1336 *dst = new_rule; 1337 } else { 1338 tail->next = new_rule; 1339 } 1340 tail = new_rule; 1341 } 1342 1343 return 0; 1344 cleanup: 1345 ERR(state->handle, "Out of memory!"); 1346 avrule_destroy(new_rule); 1347 free(new_rule); 1348 return -1; 1349} 1350 1351static int copy_role_trans_list(role_trans_rule_t * list, 1352 role_trans_rule_t ** dst, 1353 policy_module_t * module, link_state_t * state) 1354{ 1355 role_trans_rule_t *cur, *new_rule = NULL, *tail; 1356 unsigned int i; 1357 ebitmap_node_t *cnode; 1358 1359 cur = list; 1360 tail = *dst; 1361 while (tail && tail->next) { 1362 tail = tail->next; 1363 } 1364 while (cur) { 1365 if ((new_rule = 1366 (role_trans_rule_t *) malloc(sizeof(role_trans_rule_t))) == 1367 NULL) { 1368 goto cleanup; 1369 } 1370 role_trans_rule_init(new_rule); 1371 1372 if (role_set_or_convert 1373 (&cur->roles, &new_rule->roles, module, state) 1374 || type_set_or_convert(&cur->types, &new_rule->types, 1375 module, state)) { 1376 goto cleanup; 1377 } 1378 1379 ebitmap_for_each_bit(&cur->classes, cnode, i) { 1380 if (ebitmap_node_get_bit(cnode, i)) { 1381 assert(module->map[SYM_CLASSES][i]); 1382 if (ebitmap_set_bit(&new_rule->classes, 1383 module-> 1384 map[SYM_CLASSES][i] - 1, 1385 1)) { 1386 goto cleanup; 1387 } 1388 } 1389 } 1390 1391 new_rule->new_role = module->map[SYM_ROLES][cur->new_role - 1]; 1392 1393 if (*dst == NULL) { 1394 *dst = new_rule; 1395 } else { 1396 tail->next = new_rule; 1397 } 1398 tail = new_rule; 1399 cur = cur->next; 1400 } 1401 return 0; 1402 cleanup: 1403 ERR(state->handle, "Out of memory!"); 1404 role_trans_rule_list_destroy(new_rule); 1405 return -1; 1406} 1407 1408static int copy_role_allow_list(role_allow_rule_t * list, 1409 role_allow_rule_t ** dst, 1410 policy_module_t * module, link_state_t * state) 1411{ 1412 role_allow_rule_t *cur, *new_rule = NULL, *tail; 1413 1414 cur = list; 1415 tail = *dst; 1416 while (tail && tail->next) { 1417 tail = tail->next; 1418 } 1419 1420 while (cur) { 1421 if ((new_rule = 1422 (role_allow_rule_t *) malloc(sizeof(role_allow_rule_t))) == 1423 NULL) { 1424 goto cleanup; 1425 } 1426 role_allow_rule_init(new_rule); 1427 1428 if (role_set_or_convert 1429 (&cur->roles, &new_rule->roles, module, state) 1430 || role_set_or_convert(&cur->new_roles, 1431 &new_rule->new_roles, module, 1432 state)) { 1433 goto cleanup; 1434 } 1435 if (*dst == NULL) { 1436 *dst = new_rule; 1437 } else { 1438 tail->next = new_rule; 1439 } 1440 tail = new_rule; 1441 cur = cur->next; 1442 } 1443 return 0; 1444 cleanup: 1445 ERR(state->handle, "Out of memory!"); 1446 role_allow_rule_list_destroy(new_rule); 1447 return -1; 1448} 1449 1450static int copy_filename_trans_list(filename_trans_rule_t * list, 1451 filename_trans_rule_t ** dst, 1452 policy_module_t * module, 1453 link_state_t * state) 1454{ 1455 filename_trans_rule_t *cur, *new_rule, *tail; 1456 1457 cur = list; 1458 tail = *dst; 1459 while (tail && tail->next) 1460 tail = tail->next; 1461 1462 while (cur) { 1463 new_rule = malloc(sizeof(*new_rule)); 1464 if (!new_rule) 1465 goto err; 1466 1467 filename_trans_rule_init(new_rule); 1468 1469 if (*dst == NULL) 1470 *dst = new_rule; 1471 else 1472 tail->next = new_rule; 1473 tail = new_rule; 1474 1475 new_rule->name = strdup(cur->name); 1476 if (!new_rule->name) 1477 goto err; 1478 1479 if (type_set_or_convert(&cur->stypes, &new_rule->stypes, module, state) || 1480 type_set_or_convert(&cur->ttypes, &new_rule->ttypes, module, state)) 1481 goto err; 1482 1483 new_rule->tclass = module->map[SYM_CLASSES][cur->tclass - 1]; 1484 new_rule->otype = module->map[SYM_TYPES][cur->otype - 1]; 1485 1486 cur = cur->next; 1487 } 1488 return 0; 1489err: 1490 ERR(state->handle, "Out of memory!"); 1491 return -1; 1492} 1493 1494static int copy_range_trans_list(range_trans_rule_t * rules, 1495 range_trans_rule_t ** dst, 1496 policy_module_t * mod, link_state_t * state) 1497{ 1498 range_trans_rule_t *rule, *new_rule = NULL; 1499 unsigned int i; 1500 ebitmap_node_t *cnode; 1501 1502 for (rule = rules; rule; rule = rule->next) { 1503 new_rule = 1504 (range_trans_rule_t *) malloc(sizeof(range_trans_rule_t)); 1505 if (!new_rule) 1506 goto cleanup; 1507 1508 range_trans_rule_init(new_rule); 1509 1510 new_rule->next = *dst; 1511 *dst = new_rule; 1512 1513 if (type_set_convert(&rule->stypes, &new_rule->stypes, 1514 mod, state)) 1515 goto cleanup; 1516 1517 if (type_set_convert(&rule->ttypes, &new_rule->ttypes, 1518 mod, state)) 1519 goto cleanup; 1520 1521 ebitmap_for_each_bit(&rule->tclasses, cnode, i) { 1522 if (ebitmap_node_get_bit(cnode, i)) { 1523 assert(mod->map[SYM_CLASSES][i]); 1524 if (ebitmap_set_bit 1525 (&new_rule->tclasses, 1526 mod->map[SYM_CLASSES][i] - 1, 1)) { 1527 goto cleanup; 1528 } 1529 } 1530 } 1531 1532 if (mls_range_convert(&rule->trange, &new_rule->trange, mod, state)) 1533 goto cleanup; 1534 } 1535 return 0; 1536 1537 cleanup: 1538 ERR(state->handle, "Out of memory!"); 1539 range_trans_rule_list_destroy(new_rule); 1540 return -1; 1541} 1542 1543static int copy_cond_list(cond_node_t * list, cond_node_t ** dst, 1544 policy_module_t * module, link_state_t * state) 1545{ 1546 unsigned i; 1547 cond_node_t *cur, *new_node = NULL, *tail; 1548 cond_expr_t *cur_expr; 1549 tail = *dst; 1550 while (tail && tail->next) 1551 tail = tail->next; 1552 1553 cur = list; 1554 while (cur) { 1555 new_node = (cond_node_t *) malloc(sizeof(cond_node_t)); 1556 if (!new_node) { 1557 goto cleanup; 1558 } 1559 memset(new_node, 0, sizeof(cond_node_t)); 1560 1561 new_node->cur_state = cur->cur_state; 1562 new_node->expr = cond_copy_expr(cur->expr); 1563 if (!new_node->expr) 1564 goto cleanup; 1565 /* go back through and remap the expression */ 1566 for (cur_expr = new_node->expr; cur_expr != NULL; 1567 cur_expr = cur_expr->next) { 1568 /* expression nodes don't have a bool value of 0 - don't map them */ 1569 if (cur_expr->expr_type != COND_BOOL) 1570 continue; 1571 assert(module->map[SYM_BOOLS][cur_expr->bool - 1] != 0); 1572 cur_expr->bool = 1573 module->map[SYM_BOOLS][cur_expr->bool - 1]; 1574 } 1575 new_node->nbools = cur->nbools; 1576 /* FIXME should COND_MAX_BOOLS be used here? */ 1577 for (i = 0; i < min(cur->nbools, COND_MAX_BOOLS); i++) { 1578 uint32_t remapped_id = 1579 module->map[SYM_BOOLS][cur->bool_ids[i] - 1]; 1580 assert(remapped_id != 0); 1581 new_node->bool_ids[i] = remapped_id; 1582 } 1583 new_node->expr_pre_comp = cur->expr_pre_comp; 1584 1585 if (copy_avrule_list 1586 (cur->avtrue_list, &new_node->avtrue_list, module, state) 1587 || copy_avrule_list(cur->avfalse_list, 1588 &new_node->avfalse_list, module, 1589 state)) { 1590 goto cleanup; 1591 } 1592 1593 if (*dst == NULL) { 1594 *dst = new_node; 1595 } else { 1596 tail->next = new_node; 1597 } 1598 tail = new_node; 1599 cur = cur->next; 1600 } 1601 return 0; 1602 cleanup: 1603 ERR(state->handle, "Out of memory!"); 1604 cond_node_destroy(new_node); 1605 free(new_node); 1606 return -1; 1607 1608} 1609 1610/*********** functions that copy avrule_decls from module to base ***********/ 1611 1612static int copy_identifiers(link_state_t * state, symtab_t * src_symtab, 1613 avrule_decl_t * dest_decl) 1614{ 1615 int i, ret; 1616 1617 state->dest_decl = dest_decl; 1618 for (i = 0; i < SYM_NUM; i++) { 1619 if (copy_callback_f[i] != NULL) { 1620 ret = 1621 hashtab_map(src_symtab[i].table, copy_callback_f[i], 1622 state); 1623 if (ret) { 1624 return ret; 1625 } 1626 } 1627 } 1628 1629 if (hashtab_map(src_symtab[SYM_TYPES].table, 1630 type_bounds_copy_callback, state)) 1631 return -1; 1632 1633 if (hashtab_map(src_symtab[SYM_TYPES].table, 1634 alias_copy_callback, state)) 1635 return -1; 1636 1637 if (hashtab_map(src_symtab[SYM_ROLES].table, 1638 role_bounds_copy_callback, state)) 1639 return -1; 1640 1641 if (hashtab_map(src_symtab[SYM_USERS].table, 1642 user_bounds_copy_callback, state)) 1643 return -1; 1644 1645 /* then fix bitmaps associated with those newly copied identifiers */ 1646 for (i = 0; i < SYM_NUM; i++) { 1647 if (fix_callback_f[i] != NULL && 1648 hashtab_map(src_symtab[i].table, fix_callback_f[i], 1649 state)) { 1650 return -1; 1651 } 1652 } 1653 return 0; 1654} 1655 1656static int copy_scope_index(scope_index_t * src, scope_index_t * dest, 1657 policy_module_t * module, link_state_t * state) 1658{ 1659 unsigned int i, j; 1660 uint32_t largest_mapped_class_value = 0; 1661 ebitmap_node_t *node; 1662 /* copy the scoping information for this avrule decl block */ 1663 for (i = 0; i < SYM_NUM; i++) { 1664 ebitmap_t *srcmap = src->scope + i; 1665 ebitmap_t *destmap = dest->scope + i; 1666 if (copy_callback_f[i] == NULL) { 1667 continue; 1668 } 1669 ebitmap_for_each_bit(srcmap, node, j) { 1670 if (ebitmap_node_get_bit(node, j)) { 1671 assert(module->map[i][j] != 0); 1672 if (ebitmap_set_bit 1673 (destmap, module->map[i][j] - 1, 1) != 0) { 1674 1675 goto cleanup; 1676 } 1677 if (i == SYM_CLASSES && 1678 largest_mapped_class_value < 1679 module->map[SYM_CLASSES][j]) { 1680 largest_mapped_class_value = 1681 module->map[SYM_CLASSES][j]; 1682 } 1683 } 1684 } 1685 } 1686 1687 /* next copy the enabled permissions data */ 1688 if ((dest->class_perms_map = malloc(largest_mapped_class_value * 1689 sizeof(*dest->class_perms_map))) == 1690 NULL) { 1691 goto cleanup; 1692 } 1693 for (i = 0; i < largest_mapped_class_value; i++) { 1694 ebitmap_init(dest->class_perms_map + i); 1695 } 1696 dest->class_perms_len = largest_mapped_class_value; 1697 for (i = 0; i < src->class_perms_len; i++) { 1698 ebitmap_t *srcmap = src->class_perms_map + i; 1699 ebitmap_t *destmap = 1700 dest->class_perms_map + module->map[SYM_CLASSES][i] - 1; 1701 ebitmap_for_each_bit(srcmap, node, j) { 1702 if (ebitmap_node_get_bit(node, j) && 1703 ebitmap_set_bit(destmap, module->perm_map[i][j] - 1, 1704 1)) { 1705 goto cleanup; 1706 } 1707 } 1708 } 1709 1710 return 0; 1711 1712 cleanup: 1713 ERR(state->handle, "Out of memory!"); 1714 return -1; 1715} 1716 1717static int copy_avrule_decl(link_state_t * state, policy_module_t * module, 1718 avrule_decl_t * src_decl, avrule_decl_t * dest_decl) 1719{ 1720 int ret; 1721 1722 /* copy all of the RBAC and TE rules */ 1723 if (copy_avrule_list 1724 (src_decl->avrules, &dest_decl->avrules, module, state) == -1 1725 || copy_role_trans_list(src_decl->role_tr_rules, 1726 &dest_decl->role_tr_rules, module, 1727 state) == -1 1728 || copy_role_allow_list(src_decl->role_allow_rules, 1729 &dest_decl->role_allow_rules, module, 1730 state) == -1 1731 || copy_cond_list(src_decl->cond_list, &dest_decl->cond_list, 1732 module, state) == -1) { 1733 return -1; 1734 } 1735 1736 if (copy_filename_trans_list(src_decl->filename_trans_rules, 1737 &dest_decl->filename_trans_rules, 1738 module, state)) 1739 return -1; 1740 1741 if (copy_range_trans_list(src_decl->range_tr_rules, 1742 &dest_decl->range_tr_rules, module, state)) 1743 return -1; 1744 1745 /* finally copy any identifiers local to this declaration */ 1746 ret = copy_identifiers(state, src_decl->symtab, dest_decl); 1747 if (ret < 0) { 1748 return ret; 1749 } 1750 1751 /* then copy required and declared scope indices here */ 1752 if (copy_scope_index(&src_decl->required, &dest_decl->required, 1753 module, state) == -1 || 1754 copy_scope_index(&src_decl->declared, &dest_decl->declared, 1755 module, state) == -1) { 1756 return -1; 1757 } 1758 1759 return 0; 1760} 1761 1762static int copy_avrule_block(link_state_t * state, policy_module_t * module, 1763 avrule_block_t * block) 1764{ 1765 avrule_block_t *new_block = avrule_block_create(); 1766 avrule_decl_t *decl, *last_decl = NULL; 1767 int ret; 1768 1769 if (new_block == NULL) { 1770 ERR(state->handle, "Out of memory!"); 1771 ret = -1; 1772 goto cleanup; 1773 } 1774 1775 new_block->flags = block->flags; 1776 1777 for (decl = block->branch_list; decl != NULL; decl = decl->next) { 1778 avrule_decl_t *new_decl = 1779 avrule_decl_create(state->next_decl_id); 1780 if (new_decl == NULL) { 1781 ERR(state->handle, "Out of memory!"); 1782 ret = -1; 1783 goto cleanup; 1784 } 1785 1786 if (module->policy->name != NULL) { 1787 new_decl->module_name = strdup(module->policy->name); 1788 if (new_decl->module_name == NULL) { 1789 ERR(state->handle, "Out of memory\n"); 1790 avrule_decl_destroy(new_decl); 1791 ret = -1; 1792 goto cleanup; 1793 } 1794 } 1795 1796 if (last_decl == NULL) { 1797 new_block->branch_list = new_decl; 1798 } else { 1799 last_decl->next = new_decl; 1800 } 1801 last_decl = new_decl; 1802 state->base->decl_val_to_struct[state->next_decl_id - 1] = 1803 new_decl; 1804 state->decl_to_mod[state->next_decl_id] = module->policy; 1805 1806 module->avdecl_map[decl->decl_id] = new_decl->decl_id; 1807 1808 ret = copy_avrule_decl(state, module, decl, new_decl); 1809 if (ret) { 1810 avrule_decl_destroy(new_decl); 1811 goto cleanup; 1812 } 1813 1814 state->next_decl_id++; 1815 } 1816 state->last_avrule_block->next = new_block; 1817 state->last_avrule_block = new_block; 1818 return 0; 1819 1820 cleanup: 1821 avrule_block_list_destroy(new_block); 1822 return ret; 1823} 1824 1825static int scope_copy_callback(hashtab_key_t key, hashtab_datum_t datum, 1826 void *data) 1827{ 1828 unsigned int i; 1829 int ret; 1830 char *id = key, *new_id = NULL; 1831 scope_datum_t *scope, *base_scope; 1832 link_state_t *state = (link_state_t *) data; 1833 uint32_t symbol_num = state->symbol_num; 1834 uint32_t *avdecl_map = state->cur->avdecl_map; 1835 1836 scope = (scope_datum_t *) datum; 1837 1838 /* check if the base already has a scope entry */ 1839 base_scope = hashtab_search(state->base->scope[symbol_num].table, id); 1840 if (base_scope == NULL) { 1841 scope_datum_t *new_scope; 1842 if ((new_id = strdup(id)) == NULL) { 1843 goto cleanup; 1844 } 1845 1846 if ((new_scope = 1847 (scope_datum_t *) calloc(1, sizeof(*new_scope))) == NULL) { 1848 free(new_id); 1849 goto cleanup; 1850 } 1851 ret = hashtab_insert(state->base->scope[symbol_num].table, 1852 (hashtab_key_t) new_id, 1853 (hashtab_datum_t) new_scope); 1854 if (ret) { 1855 free(new_id); 1856 free(new_scope); 1857 goto cleanup; 1858 } 1859 new_scope->scope = SCOPE_REQ; /* this is reset further down */ 1860 base_scope = new_scope; 1861 } 1862 if (base_scope->scope == SCOPE_REQ && scope->scope == SCOPE_DECL) { 1863 /* this module declared symbol, so overwrite the old 1864 * list with the new decl ids */ 1865 base_scope->scope = SCOPE_DECL; 1866 free(base_scope->decl_ids); 1867 base_scope->decl_ids = NULL; 1868 base_scope->decl_ids_len = 0; 1869 for (i = 0; i < scope->decl_ids_len; i++) { 1870 if (add_i_to_a(avdecl_map[scope->decl_ids[i]], 1871 &base_scope->decl_ids_len, 1872 &base_scope->decl_ids) == -1) { 1873 goto cleanup; 1874 } 1875 } 1876 } else if (base_scope->scope == SCOPE_DECL && scope->scope == SCOPE_REQ) { 1877 /* this module depended on a symbol that now exists, 1878 * so don't do anything */ 1879 } else if (base_scope->scope == SCOPE_REQ && scope->scope == SCOPE_REQ) { 1880 /* symbol is still required, so add to the list */ 1881 for (i = 0; i < scope->decl_ids_len; i++) { 1882 if (add_i_to_a(avdecl_map[scope->decl_ids[i]], 1883 &base_scope->decl_ids_len, 1884 &base_scope->decl_ids) == -1) { 1885 goto cleanup; 1886 } 1887 } 1888 } else { 1889 /* this module declared a symbol, and it was already 1890 * declared. only roles and users may be multiply 1891 * declared; for all others this is an error. */ 1892 if (symbol_num != SYM_ROLES && symbol_num != SYM_USERS) { 1893 ERR(state->handle, 1894 "%s: Duplicate declaration in module: %s %s", 1895 state->cur_mod_name, 1896 symtab_names[state->symbol_num], id); 1897 return -1; 1898 } 1899 for (i = 0; i < scope->decl_ids_len; i++) { 1900 if (add_i_to_a(avdecl_map[scope->decl_ids[i]], 1901 &base_scope->decl_ids_len, 1902 &base_scope->decl_ids) == -1) { 1903 goto cleanup; 1904 } 1905 } 1906 } 1907 return 0; 1908 1909 cleanup: 1910 ERR(state->handle, "Out of memory!"); 1911 return -1; 1912} 1913 1914/* Copy a module over to a base, remapping all values within. After 1915 * all identifiers and rules are done, copy the scoping information. 1916 * This is when it checks for duplicate declarations. */ 1917static int copy_module(link_state_t * state, policy_module_t * module) 1918{ 1919 int i, ret; 1920 avrule_block_t *cur; 1921 state->cur = module; 1922 state->cur_mod_name = module->policy->name; 1923 1924 /* first copy all of the identifiers */ 1925 ret = copy_identifiers(state, module->policy->symtab, NULL); 1926 if (ret) { 1927 return ret; 1928 } 1929 1930 /* next copy all of the avrule blocks */ 1931 for (cur = module->policy->global; cur != NULL; cur = cur->next) { 1932 ret = copy_avrule_block(state, module, cur); 1933 if (ret) { 1934 return ret; 1935 } 1936 } 1937 1938 /* then copy the scoping tables */ 1939 for (i = 0; i < SYM_NUM; i++) { 1940 state->symbol_num = i; 1941 if (hashtab_map 1942 (module->policy->scope[i].table, scope_copy_callback, 1943 state)) { 1944 return -1; 1945 } 1946 } 1947 1948 return 0; 1949} 1950 1951/***** functions that check requirements and enable blocks in a module ******/ 1952 1953/* borrowed from checkpolicy.c */ 1954 1955struct find_perm_arg { 1956 unsigned int valuep; 1957 hashtab_key_t key; 1958}; 1959 1960static int find_perm(hashtab_key_t key, hashtab_datum_t datum, void *varg) 1961{ 1962 1963 struct find_perm_arg *arg = varg; 1964 1965 perm_datum_t *perdatum = (perm_datum_t *) datum; 1966 if (arg->valuep == perdatum->s.value) { 1967 arg->key = key; 1968 return 1; 1969 } 1970 1971 return 0; 1972} 1973 1974/* Check if the requirements are met for a single declaration. If all 1975 * are met return 1. For the first requirement found to be missing, 1976 * if 'missing_sym_num' and 'missing_value' are both not NULL then 1977 * write to them the symbol number and value for the missing 1978 * declaration. Then return 0 to indicate a missing declaration. 1979 * Note that if a declaration had no requirement at all (e.g., an ELSE 1980 * block) this returns 1. */ 1981static int is_decl_requires_met(link_state_t * state, 1982 avrule_decl_t * decl, 1983 struct missing_requirement *req) 1984{ 1985 /* (This algorithm is very unoptimized. It performs many 1986 * redundant checks. A very obvious improvement is to cache 1987 * which symbols have been verified, so that they do not need 1988 * to be re-checked.) */ 1989 unsigned int i, j; 1990 ebitmap_t *bitmap; 1991 char *id, *perm_id; 1992 policydb_t *pol = state->base; 1993 ebitmap_node_t *node; 1994 1995 /* check that all symbols have been satisfied */ 1996 for (i = 0; i < SYM_NUM; i++) { 1997 if (i == SYM_CLASSES) { 1998 /* classes will be checked during permissions 1999 * checking phase below */ 2000 continue; 2001 } 2002 bitmap = &decl->required.scope[i]; 2003 ebitmap_for_each_bit(bitmap, node, j) { 2004 if (!ebitmap_node_get_bit(node, j)) { 2005 continue; 2006 } 2007 2008 /* check base's scope table */ 2009 id = pol->sym_val_to_name[i][j]; 2010 if (!is_id_enabled(id, state->base, i)) { 2011 /* this symbol was not found */ 2012 if (req != NULL) { 2013 req->symbol_type = i; 2014 req->symbol_value = j + 1; 2015 } 2016 return 0; 2017 } 2018 } 2019 } 2020 /* check that all classes and permissions have been satisfied */ 2021 for (i = 0; i < decl->required.class_perms_len; i++) { 2022 2023 bitmap = decl->required.class_perms_map + i; 2024 ebitmap_for_each_bit(bitmap, node, j) { 2025 struct find_perm_arg fparg; 2026 class_datum_t *cladatum; 2027 uint32_t perm_value = j + 1; 2028 int rc; 2029 scope_datum_t *scope; 2030 2031 if (!ebitmap_node_get_bit(node, j)) { 2032 continue; 2033 } 2034 id = pol->p_class_val_to_name[i]; 2035 cladatum = pol->class_val_to_struct[i]; 2036 2037 scope = 2038 hashtab_search(state->base->p_classes_scope.table, 2039 id); 2040 if (scope == NULL) { 2041 ERR(state->handle, 2042 "Could not find scope information for class %s", 2043 id); 2044 return -1; 2045 } 2046 2047 fparg.valuep = perm_value; 2048 fparg.key = NULL; 2049 2050 (void)hashtab_map(cladatum->permissions.table, find_perm, 2051 &fparg); 2052 if (fparg.key == NULL && cladatum->comdatum != NULL) { 2053 rc = hashtab_map(cladatum->comdatum->permissions.table, 2054 find_perm, &fparg); 2055 assert(rc == 1); 2056 } 2057 perm_id = fparg.key; 2058 2059 assert(perm_id != NULL); 2060 if (!is_perm_enabled(id, perm_id, state->base)) { 2061 if (req != NULL) { 2062 req->symbol_type = SYM_CLASSES; 2063 req->symbol_value = i + 1; 2064 req->perm_value = perm_value; 2065 } 2066 return 0; 2067 } 2068 } 2069 } 2070 2071 /* all requirements have been met */ 2072 return 1; 2073} 2074 2075static int debug_requirements(link_state_t * state, policydb_t * p) 2076{ 2077 int ret; 2078 avrule_block_t *cur; 2079 missing_requirement_t req; 2080 memset(&req, 0, sizeof(req)); 2081 2082 for (cur = p->global; cur != NULL; cur = cur->next) { 2083 if (cur->enabled != NULL) 2084 continue; 2085 2086 ret = is_decl_requires_met(state, cur->branch_list, &req); 2087 if (ret < 0) { 2088 return ret; 2089 } else if (ret == 0) { 2090 char *mod_name = cur->branch_list->module_name ? 2091 cur->branch_list->module_name : "BASE"; 2092 if (req.symbol_type == SYM_CLASSES) { 2093 struct find_perm_arg fparg; 2094 2095 class_datum_t *cladatum; 2096 cladatum = p->class_val_to_struct[req.symbol_value - 1]; 2097 2098 fparg.valuep = req.perm_value; 2099 fparg.key = NULL; 2100 (void)hashtab_map(cladatum->permissions.table, 2101 find_perm, &fparg); 2102 2103 if (cur->flags & AVRULE_OPTIONAL) { 2104 ERR(state->handle, 2105 "%s[%d]'s optional requirements were not met: class %s, permission %s", 2106 mod_name, cur->branch_list->decl_id, 2107 p->p_class_val_to_name[req.symbol_value - 1], 2108 fparg.key); 2109 } else { 2110 ERR(state->handle, 2111 "%s[%d]'s global requirements were not met: class %s, permission %s", 2112 mod_name, cur->branch_list->decl_id, 2113 p->p_class_val_to_name[req.symbol_value - 1], 2114 fparg.key); 2115 } 2116 } else { 2117 if (cur->flags & AVRULE_OPTIONAL) { 2118 ERR(state->handle, 2119 "%s[%d]'s optional requirements were not met: %s %s", 2120 mod_name, cur->branch_list->decl_id, 2121 symtab_names[req.symbol_type], 2122 p->sym_val_to_name[req. 2123 symbol_type][req. 2124 symbol_value 2125 - 2126 1]); 2127 } else { 2128 ERR(state->handle, 2129 "%s[%d]'s global requirements were not met: %s %s", 2130 mod_name, cur->branch_list->decl_id, 2131 symtab_names[req.symbol_type], 2132 p->sym_val_to_name[req. 2133 symbol_type][req. 2134 symbol_value 2135 - 2136 1]); 2137 } 2138 } 2139 } 2140 } 2141 return 0; 2142} 2143 2144static void print_missing_requirements(link_state_t * state, 2145 avrule_block_t * cur, 2146 missing_requirement_t * req) 2147{ 2148 policydb_t *p = state->base; 2149 char *mod_name = cur->branch_list->module_name ? 2150 cur->branch_list->module_name : "BASE"; 2151 2152 if (req->symbol_type == SYM_CLASSES) { 2153 2154 struct find_perm_arg fparg; 2155 2156 class_datum_t *cladatum; 2157 cladatum = p->class_val_to_struct[req->symbol_value - 1]; 2158 2159 fparg.valuep = req->perm_value; 2160 fparg.key = NULL; 2161 (void)hashtab_map(cladatum->permissions.table, find_perm, &fparg); 2162 2163 ERR(state->handle, 2164 "%s's global requirements were not met: class %s, permission %s", 2165 mod_name, 2166 p->p_class_val_to_name[req->symbol_value - 1], fparg.key); 2167 } else { 2168 ERR(state->handle, 2169 "%s's global requirements were not met: %s %s", 2170 mod_name, 2171 symtab_names[req->symbol_type], 2172 p->sym_val_to_name[req->symbol_type][req->symbol_value - 1]); 2173 } 2174} 2175 2176/* Enable all of the avrule_decl blocks for the policy. This simple 2177 * algorithm is the following: 2178 * 2179 * 1) Enable all of the non-else avrule_decls for all blocks. 2180 * 2) Iterate through the non-else decls looking for decls whose requirements 2181 * are not met. 2182 * 2a) If the decl is non-optional, return immediately with an error. 2183 * 2b) If the decl is optional, disable the block and mark changed = 1 2184 * 3) If changed == 1 goto 2. 2185 * 4) Iterate through all blocks looking for those that have no enabled 2186 * decl. If the block has an else decl, enable. 2187 * 2188 * This will correctly handle all dependencies, including mutual and 2189 * cicular. The only downside is that it is slow. 2190 */ 2191static int enable_avrules(link_state_t * state, policydb_t * pol) 2192{ 2193 int changed = 1; 2194 avrule_block_t *block; 2195 avrule_decl_t *decl; 2196 missing_requirement_t req; 2197 int ret = 0, rc; 2198 2199 if (state->verbose) { 2200 INFO(state->handle, "Determining which avrules to enable."); 2201 } 2202 2203 /* 1) enable all of the non-else blocks */ 2204 for (block = pol->global; block != NULL; block = block->next) { 2205 block->enabled = block->branch_list; 2206 block->enabled->enabled = 1; 2207 for (decl = block->branch_list->next; decl != NULL; 2208 decl = decl->next) 2209 decl->enabled = 0; 2210 } 2211 2212 /* 2) Iterate */ 2213 while (changed) { 2214 changed = 0; 2215 for (block = pol->global; block != NULL; block = block->next) { 2216 if (block->enabled == NULL) { 2217 continue; 2218 } 2219 decl = block->branch_list; 2220 if (state->verbose) { 2221 char *mod_name = decl->module_name ? 2222 decl->module_name : "BASE"; 2223 INFO(state->handle, "check module %s decl %d\n", 2224 mod_name, decl->decl_id); 2225 } 2226 rc = is_decl_requires_met(state, decl, &req); 2227 if (rc < 0) { 2228 ret = SEPOL_ERR; 2229 goto out; 2230 } else if (rc == 0) { 2231 decl->enabled = 0; 2232 block->enabled = NULL; 2233 changed = 1; 2234 if (!(block->flags & AVRULE_OPTIONAL)) { 2235 print_missing_requirements(state, block, 2236 &req); 2237 ret = SEPOL_EREQ; 2238 goto out; 2239 } 2240 } 2241 } 2242 } 2243 2244 /* 4) else handling 2245 * 2246 * Iterate through all of the blocks skipping the first (which is the 2247 * global block, is required to be present, and cannot have an else). 2248 * If the block is disabled and has an else decl, enable that. 2249 * 2250 * This code assumes that the second block in the branch list is the else 2251 * block. This is currently supported by the compiler. 2252 */ 2253 for (block = pol->global->next; block != NULL; block = block->next) { 2254 if (block->enabled == NULL) { 2255 if (block->branch_list->next != NULL) { 2256 block->enabled = block->branch_list->next; 2257 block->branch_list->next->enabled = 1; 2258 } 2259 } 2260 } 2261 2262 out: 2263 if (state->verbose) 2264 debug_requirements(state, pol); 2265 2266 return ret; 2267} 2268 2269/*********** the main linking functions ***********/ 2270 2271/* Given a module's policy, normalize all conditional expressions 2272 * within. Return 0 on success, -1 on error. */ 2273static int cond_normalize(policydb_t * p) 2274{ 2275 avrule_block_t *block; 2276 for (block = p->global; block != NULL; block = block->next) { 2277 avrule_decl_t *decl; 2278 for (decl = block->branch_list; decl != NULL; decl = decl->next) { 2279 cond_list_t *cond = decl->cond_list; 2280 while (cond) { 2281 if (cond_normalize_expr(p, cond) < 0) 2282 return -1; 2283 cond = cond->next; 2284 } 2285 } 2286 } 2287 return 0; 2288} 2289 2290/* Allocate space for the various remapping arrays. */ 2291static int prepare_module(link_state_t * state, policy_module_t * module) 2292{ 2293 int i; 2294 uint32_t items, num_decls = 0; 2295 avrule_block_t *cur; 2296 2297 /* allocate the maps */ 2298 for (i = 0; i < SYM_NUM; i++) { 2299 items = module->policy->symtab[i].nprim; 2300 if ((module->map[i] = 2301 (uint32_t *) calloc(items, 2302 sizeof(*module->map[i]))) == NULL) { 2303 ERR(state->handle, "Out of memory!"); 2304 return -1; 2305 } 2306 } 2307 2308 /* allocate the permissions remap here */ 2309 items = module->policy->p_classes.nprim; 2310 if ((module->perm_map_len = 2311 calloc(items, sizeof(*module->perm_map_len))) == NULL) { 2312 ERR(state->handle, "Out of memory!"); 2313 return -1; 2314 } 2315 if ((module->perm_map = 2316 calloc(items, sizeof(*module->perm_map))) == NULL) { 2317 ERR(state->handle, "Out of memory!"); 2318 return -1; 2319 } 2320 2321 /* allocate a map for avrule_decls */ 2322 for (cur = module->policy->global; cur != NULL; cur = cur->next) { 2323 avrule_decl_t *decl; 2324 for (decl = cur->branch_list; decl != NULL; decl = decl->next) { 2325 if (decl->decl_id > num_decls) { 2326 num_decls = decl->decl_id; 2327 } 2328 } 2329 } 2330 num_decls++; 2331 if ((module->avdecl_map = calloc(num_decls, sizeof(uint32_t))) == NULL) { 2332 ERR(state->handle, "Out of memory!"); 2333 return -1; 2334 } 2335 module->num_decls = num_decls; 2336 2337 /* normalize conditionals within */ 2338 if (cond_normalize(module->policy) < 0) { 2339 ERR(state->handle, 2340 "Error while normalizing conditionals within the module %s.", 2341 module->policy->name); 2342 return -1; 2343 } 2344 return 0; 2345} 2346 2347static int prepare_base(link_state_t * state, uint32_t num_mod_decls) 2348{ 2349 avrule_block_t *cur = state->base->global; 2350 assert(cur != NULL); 2351 state->next_decl_id = 0; 2352 2353 /* iterate through all of the declarations in the base, to 2354 determine what the next decl_id should be */ 2355 while (cur != NULL) { 2356 avrule_decl_t *decl; 2357 for (decl = cur->branch_list; decl != NULL; decl = decl->next) { 2358 if (decl->decl_id > state->next_decl_id) { 2359 state->next_decl_id = decl->decl_id; 2360 } 2361 } 2362 state->last_avrule_block = cur; 2363 cur = cur->next; 2364 } 2365 state->last_base_avrule_block = state->last_avrule_block; 2366 state->next_decl_id++; 2367 2368 /* allocate the table mapping from base's decl_id to its 2369 * avrule_decls and set the initial mappings */ 2370 free(state->base->decl_val_to_struct); 2371 if ((state->base->decl_val_to_struct = 2372 calloc(state->next_decl_id + num_mod_decls, 2373 sizeof(*(state->base->decl_val_to_struct)))) == NULL) { 2374 ERR(state->handle, "Out of memory!"); 2375 return -1; 2376 } 2377 /* This allocates the decl block to module mapping used for error reporting */ 2378 if ((state->decl_to_mod = calloc(state->next_decl_id + num_mod_decls, 2379 sizeof(*(state->decl_to_mod)))) == 2380 NULL) { 2381 ERR(state->handle, "Out of memory!"); 2382 return -1; 2383 } 2384 cur = state->base->global; 2385 while (cur != NULL) { 2386 avrule_decl_t *decl = cur->branch_list; 2387 while (decl != NULL) { 2388 state->base->decl_val_to_struct[decl->decl_id - 1] = 2389 decl; 2390 state->decl_to_mod[decl->decl_id] = state->base; 2391 decl = decl->next; 2392 } 2393 cur = cur->next; 2394 } 2395 2396 /* normalize conditionals within */ 2397 if (cond_normalize(state->base) < 0) { 2398 ERR(state->handle, 2399 "Error while normalizing conditionals within the base module."); 2400 return -1; 2401 } 2402 return 0; 2403} 2404 2405static int expand_role_attributes(hashtab_key_t key, hashtab_datum_t datum, 2406 void * data) 2407{ 2408 char *id; 2409 role_datum_t *role, *sub_attr; 2410 link_state_t *state; 2411 unsigned int i; 2412 ebitmap_node_t *rnode; 2413 2414 id = key; 2415 role = (role_datum_t *)datum; 2416 state = (link_state_t *)data; 2417 2418 if (strcmp(id, OBJECT_R) == 0){ 2419 /* object_r is never a role attribute by far */ 2420 return 0; 2421 } 2422 2423 if (role->flavor != ROLE_ATTRIB) 2424 return 0; 2425 2426 if (state->verbose) 2427 INFO(state->handle, "expanding role attribute %s", id); 2428 2429restart: 2430 ebitmap_for_each_bit(&role->roles, rnode, i) { 2431 if (ebitmap_node_get_bit(rnode, i)) { 2432 sub_attr = state->base->role_val_to_struct[i]; 2433 if (sub_attr->flavor != ROLE_ATTRIB) 2434 continue; 2435 2436 /* remove the sub role attribute from the parent 2437 * role attribute's roles ebitmap */ 2438 if (ebitmap_set_bit(&role->roles, i, 0)) 2439 return -1; 2440 2441 /* loop dependency of role attributes */ 2442 if (sub_attr->s.value == role->s.value) 2443 continue; 2444 2445 /* now go on to expand a sub role attribute 2446 * by escalating its roles ebitmap */ 2447 if (ebitmap_union(&role->roles, &sub_attr->roles)) { 2448 ERR(state->handle, "Out of memory!"); 2449 return -1; 2450 } 2451 2452 /* sub_attr->roles may contain other role attributes, 2453 * re-scan the parent role attribute's roles ebitmap */ 2454 goto restart; 2455 } 2456 } 2457 2458 return 0; 2459} 2460 2461/* For any role attribute in a declaration's local symtab[SYM_ROLES] table, 2462 * copy its roles ebitmap into its duplicate's in the base->p_roles.table. 2463 */ 2464static int populate_decl_roleattributes(hashtab_key_t key, 2465 hashtab_datum_t datum, 2466 void *data) 2467{ 2468 char *id = key; 2469 role_datum_t *decl_role, *base_role; 2470 link_state_t *state = (link_state_t *)data; 2471 2472 decl_role = (role_datum_t *)datum; 2473 2474 if (strcmp(id, OBJECT_R) == 0) { 2475 /* object_r is never a role attribute by far */ 2476 return 0; 2477 } 2478 2479 if (decl_role->flavor != ROLE_ATTRIB) 2480 return 0; 2481 2482 base_role = (role_datum_t *)hashtab_search(state->base->p_roles.table, 2483 id); 2484 assert(base_role != NULL && base_role->flavor == ROLE_ATTRIB); 2485 2486 if (ebitmap_union(&base_role->roles, &decl_role->roles)) { 2487 ERR(state->handle, "Out of memory!"); 2488 return -1; 2489 } 2490 2491 return 0; 2492} 2493 2494static int populate_roleattributes(link_state_t *state, policydb_t *pol) 2495{ 2496 avrule_block_t *block; 2497 avrule_decl_t *decl; 2498 2499 if (state->verbose) 2500 INFO(state->handle, "Populating role-attribute relationship " 2501 "from enabled declarations' local symtab."); 2502 2503 /* Iterate through all of the blocks skipping the first(which is the 2504 * global block, is required to be present and can't have an else). 2505 * If the block is disabled or not having an enabled decl, skip it. 2506 */ 2507 for (block = pol->global->next; block != NULL; block = block->next) 2508 { 2509 decl = block->enabled; 2510 if (decl == NULL || decl->enabled == 0) 2511 continue; 2512 2513 if (hashtab_map(decl->symtab[SYM_ROLES].table, 2514 populate_decl_roleattributes, state)) 2515 return -1; 2516 } 2517 2518 return 0; 2519} 2520 2521/* Link a set of modules into a base module. This process is somewhat 2522 * similar to an actual compiler: it requires a set of order dependent 2523 * steps. The base and every module must have been indexed prior to 2524 * calling this function. 2525 */ 2526int link_modules(sepol_handle_t * handle, 2527 policydb_t * b, policydb_t ** mods, int len, int verbose) 2528{ 2529 int i, ret, retval = -1; 2530 policy_module_t **modules = NULL; 2531 link_state_t state; 2532 uint32_t num_mod_decls = 0; 2533 2534 memset(&state, 0, sizeof(state)); 2535 state.base = b; 2536 state.verbose = verbose; 2537 state.handle = handle; 2538 2539 if (b->policy_type != POLICY_BASE) { 2540 ERR(state.handle, "Target of link was not a base policy."); 2541 return -1; 2542 } 2543 2544 /* first allocate some space to hold the maps from module 2545 * symbol's value to the destination symbol value; then do 2546 * other preparation work */ 2547 if ((modules = 2548 (policy_module_t **) calloc(len, sizeof(*modules))) == NULL) { 2549 ERR(state.handle, "Out of memory!"); 2550 return -1; 2551 } 2552 for (i = 0; i < len; i++) { 2553 if (mods[i]->policy_type != POLICY_MOD) { 2554 ERR(state.handle, 2555 "Tried to link in a policy that was not a module."); 2556 goto cleanup; 2557 } 2558 2559 if (mods[i]->mls != b->mls) { 2560 if (b->mls) 2561 ERR(state.handle, 2562 "Tried to link in a non-MLS module with an MLS base."); 2563 else 2564 ERR(state.handle, 2565 "Tried to link in an MLS module with a non-MLS base."); 2566 goto cleanup; 2567 } 2568 2569 if ((modules[i] = 2570 (policy_module_t *) calloc(1, 2571 sizeof(policy_module_t))) == 2572 NULL) { 2573 ERR(state.handle, "Out of memory!"); 2574 goto cleanup; 2575 } 2576 modules[i]->policy = mods[i]; 2577 if (prepare_module(&state, modules[i]) == -1) { 2578 goto cleanup; 2579 } 2580 num_mod_decls += modules[i]->num_decls; 2581 } 2582 if (prepare_base(&state, num_mod_decls) == -1) { 2583 goto cleanup; 2584 } 2585 2586 /* copy all types, declared and required */ 2587 for (i = 0; i < len; i++) { 2588 state.cur = modules[i]; 2589 state.cur_mod_name = modules[i]->policy->name; 2590 ret = 2591 hashtab_map(modules[i]->policy->p_types.table, 2592 type_copy_callback, &state); 2593 if (ret) { 2594 retval = ret; 2595 goto cleanup; 2596 } 2597 } 2598 2599 /* then copy everything else, including aliases, and fixup attributes */ 2600 for (i = 0; i < len; i++) { 2601 state.cur = modules[i]; 2602 state.cur_mod_name = modules[i]->policy->name; 2603 ret = 2604 copy_identifiers(&state, modules[i]->policy->symtab, NULL); 2605 if (ret) { 2606 retval = ret; 2607 goto cleanup; 2608 } 2609 } 2610 2611 if (policydb_index_others(state.handle, state.base, 0)) { 2612 ERR(state.handle, "Error while indexing others"); 2613 goto cleanup; 2614 } 2615 2616 /* copy and remap the module's data over to base */ 2617 for (i = 0; i < len; i++) { 2618 state.cur = modules[i]; 2619 ret = copy_module(&state, modules[i]); 2620 if (ret) { 2621 retval = ret; 2622 goto cleanup; 2623 } 2624 } 2625 2626 /* re-index base, for symbols were added to symbol tables */ 2627 if (policydb_index_classes(state.base)) { 2628 ERR(state.handle, "Error while indexing classes"); 2629 goto cleanup; 2630 } 2631 if (policydb_index_others(state.handle, state.base, 0)) { 2632 ERR(state.handle, "Error while indexing others"); 2633 goto cleanup; 2634 } 2635 2636 if (enable_avrules(&state, state.base)) { 2637 retval = SEPOL_EREQ; 2638 goto cleanup; 2639 } 2640 2641 /* Now that all role attribute's roles ebitmap have been settled, 2642 * escalate sub role attribute's roles ebitmap into that of parent. 2643 * 2644 * First, since some role-attribute relationships could be recorded 2645 * in some decl's local symtab(see get_local_role()), we need to 2646 * populate them up to the base.p_roles table. */ 2647 if (populate_roleattributes(&state, state.base)) { 2648 retval = SEPOL_EREQ; 2649 goto cleanup; 2650 } 2651 2652 /* Now do the escalation. */ 2653 if (hashtab_map(state.base->p_roles.table, expand_role_attributes, 2654 &state)) 2655 goto cleanup; 2656 2657 retval = 0; 2658 cleanup: 2659 for (i = 0; modules != NULL && i < len; i++) { 2660 policy_module_destroy(modules[i]); 2661 } 2662 free(modules); 2663 free(state.decl_to_mod); 2664 return retval; 2665} 2666