expand.c revision 2ef297d4c80b7e55d9a33e20b44c540ffc6ad351
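/* Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
 *	    Jason Tang <jtang@tresys.com>
 *	    Joshua Brindle <jbrindle@tresys.com>
 *
 * Copyright (C) 2004-2005 Tresys Technology, LLC
 * Copyright (C) 2007 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 */

#include "context.h"
#include <sepol/policydb/policydb.h>
#include <sepol/policydb/conditional.h>
#include <sepol/policydb/hashtab.h>
#include <sepol/policydb/expand.h>
#include <sepol/policydb/hierarchy.h>
#include <sepol/policydb/avrule_block.h>

#include <stdlib.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <assert.h>

#include "debug.h"
#include "private.h"

/*
 * Per-expansion bookkeeping shared by the hashtab callbacks below.
 *
 * The four *map arrays translate symbol values of the base policy into
 * values of the output policy: map[base_value - 1] holds the output
 * value, and 0 means the symbol has no counterpart in the output (its
 * scope was not enabled, so it is dropped when bitmaps are remapped).
 */
typedef struct expand_state {
	int verbose;			/* emit INFO messages while copying */
	uint32_t *typemap;
	uint32_t *boolmap;
	uint32_t *rolemap;
	uint32_t *usermap;
	policydb_t *base;		/* policy being expanded (read only) */
	policydb_t *out;		/* expanded policy being built */
	sepol_handle_t *handle;		/* error/info reporting handle */
	int expand_neverallow;
} expand_state_t;

/* Reset every field of @state to zero / NULL. */
static void expand_state_init(expand_state_t * state)
{
	memset(state, 0, sizeof(*state));
}

/*
 * Copy the bits of @src into the freshly initialised @dst, translating
 * each set bit i through @map: bit (map[i] - 1) is set in @dst, and bits
 * whose map entry is 0 are silently dropped.
 *
 * Returns 0 on success, -1 if a bit could not be set (allocation
 * failure).  On failure @dst may be partially populated and the caller
 * is responsible for destroying it.
 */
static int map_ebitmap(ebitmap_t * src, ebitmap_t * dst, uint32_t * map)
{
	unsigned int i;
	ebitmap_node_t *tnode;

	ebitmap_init(dst);

	ebitmap_for_each_bit(src, tnode, i) {
		if (!ebitmap_node_get_bit(tnode, i))
			continue;
		if (!map[i])
			continue;	/* no counterpart in the output policy */
		if (ebitmap_set_bit(dst, map[i] - 1, 1))
			return -1;
	}
	return 0;
}

/*
 * hashtab_map callback: copy one primary type or attribute from the base
 * policy into state->out, assigning it the next free type value and
 * recording the value translation in state->typemap.
 *
 * Aliases and non-primary types are skipped here (they are handled by a
 * later pass), as are identifiers whose scope is not enabled.
 *
 * Returns 0 on success (including the skip cases); a non-zero value
 * aborts the enclosing hashtab_map.  Note that the allocation failure for
 * the datum returns SEPOL_ENOMEM while every other failure returns -1;
 * callers only test for non-zero.
 */
static int type_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
			      void *data)
{
	int ret;
	char *id, *new_id;
	type_datum_t *type, *new_type;
	expand_state_t *state;

	id = (char *)key;
	type = (type_datum_t *) datum;
	state = (expand_state_t *) data;

	if ((type->flavor == TYPE_TYPE && !type->primary)
	    || type->flavor == TYPE_ALIAS) {
		/* aliases are handled later */
		return 0;
	}
	if (!is_id_enabled(id, state->base, SYM_TYPES)) {
		/* identifier's scope is not enabled */
		return 0;
	}

	if (state->verbose)
		INFO(state->handle, "copying type or attribute %s", id);

	new_id = strdup(id);
	if (new_id == NULL) {
		ERR(state->handle, "Out of memory!");
		return -1;
	}

	new_type = calloc(1, sizeof(*new_type));
	if (!new_type) {
		ERR(state->handle, "Out of memory!");
		free(new_id);
		return SEPOL_ENOMEM;
	}

	new_type->flavor = type->flavor;
	new_type->flags = type->flags;
	/* Type values are 1-based and must fit the on-disk 16-bit field. */
	new_type->s.value = ++state->out->p_types.nprim;
	if (new_type->s.value > UINT16_MAX) {
		free(new_id);
		free(new_type);
		ERR(state->handle, "type space overflow");
		return -1;
	}
	new_type->primary = 1;
	state->typemap[type->s.value - 1] = new_type->s.value;

	/* On success the table owns new_id and new_type. */
	ret = hashtab_insert(state->out->p_types.table,
			     (hashtab_key_t) new_id,
			     (hashtab_datum_t) new_type);
	if (ret) {
		free(new_id);
		free(new_type);
		ERR(state->handle, "hashtab overflow");
		return -1;
	}

	if (new_type->flags & TYPE_FLAGS_PERMISSIVE) {
		if (ebitmap_set_bit(&state->out->permissive_map,
				    new_type->s.value, 1)) {
			ERR(state->handle, "Out of memory!\n");
			return -1;
		}
	}

	return 0;
}

/*
 * hashtab_map callback: for one attribute of the base policy, translate
 * the set of types it contains through state->typemap and union the
 * result into the already-copied attribute of the same name in
 * state->out.
 *
 * Returns 0 on success or when the entry is not an attribute or its scope
 * is not enabled; -1 if the attribute is missing from the output policy
 * or memory runs out.
 */
static int attr_convert_callback(hashtab_key_t key, hashtab_datum_t datum,
				 void *data)
{
	char *id;
	type_datum_t *type, *new_type;
	expand_state_t *state;
	ebitmap_t tmp_union;

	id = (char *)key;
	type = (type_datum_t *) datum;
	state = (expand_state_t *) data;

	if (type->flavor != TYPE_ATTRIB)
		return 0;

	if (!is_id_enabled(id, state->base, SYM_TYPES)) {
		/* identifier's scope is not enabled */
		return 0;
	}

	if (state->verbose)
		INFO(state->handle, "converting attribute %s", id);

	new_type = hashtab_search(state->out->p_types.table, id);
	if (!new_type) {
		ERR(state->handle, "attribute %s vanished!", id);
		return -1;
	}
	if (map_ebitmap(&type->types, &tmp_union, state->typemap)) {
		ERR(state->handle, "out of memory");
		/* tmp_union may be partially populated on failure */
		ebitmap_destroy(&tmp_union);
		return -1;
	}

	/* then union tmp_union onto &new_type->types */
	if (ebitmap_union(&new_type->types, &tmp_union)) {
		ERR(state->handle, "Out of memory!");
		ebitmap_destroy(&tmp_union);
		return -1;
	}
	ebitmap_destroy(&tmp_union);

	return 0;
}

/*
 * hashtab_map callback: duplicate one permission (key and datum) into the
 * symtab passed as @data, keeping the permission's value and bumping the
 * symtab's primary count.
 *
 * Returns 0 on success, -1 on allocation or insertion failure.  No error
 * is reported here; the caller reports after hashtab_map returns.
 */
static int perm_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
			      void *data)
{
	int ret;
	char *id, *new_id;
	symtab_t *s;
	perm_datum_t *perm, *new_perm;

	id = key;
	perm = (perm_datum_t *) datum;
	s = (symtab_t *) data;

	new_perm = calloc(1, sizeof(*new_perm));
	if (!new_perm) {
		return -1;
	}

	new_id = strdup(id);
	if (!new_id) {
		free(new_perm);
		return -1;
	}

	new_perm->s.value = perm->s.value;
	s->nprim++;

	/* On success the table owns new_id and new_perm. */
	ret = hashtab_insert(s->table, new_id, (hashtab_datum_t) new_perm);
	if (ret) {
		free(new_id);
		free(new_perm);
		return -1;
	}

	return 0;
}

/*
 * hashtab_map callback: copy one common (a shared permission set) from
 * the base policy into state->out, including all of its permissions.
 *
 * Returns 0 on success, -1 on failure.  Once the common has been
 * inserted into the output table it is owned by that table, so a later
 * failure while copying the permissions does not free it here.
 */
static int common_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
				void *data)
{
	int ret;
	char *id, *new_id;
	common_datum_t *common, *new_common;
	expand_state_t *state;

	id = (char *)key;
	common = (common_datum_t *) datum;
	state = (expand_state_t *) data;

	if (state->verbose)
		INFO(state->handle, "copying common %s", id);

	new_common = calloc(1, sizeof(*new_common));
	if (!new_common) {
		ERR(state->handle, "Out of memory!");
		return -1;
	}
	if (symtab_init(&new_common->permissions, PERM_SYMTAB_SIZE)) {
		ERR(state->handle, "Out of memory!");
		free(new_common);
		return -1;
	}

	new_id = strdup(id);
	if (!new_id) {
		ERR(state->handle, "Out of memory!");
		/* release the (still empty) permission table as well */
		hashtab_destroy(new_common->permissions.table);
		free(new_common);
		return -1;
	}

	new_common->s.value = common->s.value;
	state->out->p_commons.nprim++;

	ret = hashtab_insert(state->out->p_commons.table, new_id,
			     (hashtab_datum_t) new_common);
	if (ret) {
		ERR(state->handle, "hashtab overflow");
		hashtab_destroy(new_common->permissions.table);
		free(new_common);
		free(new_id);
		return -1;
	}

	if (hashtab_map(common->permissions.table, perm_copy_callback,
			&new_common->permissions)) {
		ERR(state->handle, "Out of memory!");
		return -1;
	}

	return 0;
}

/*
 * Deep-copy the constraint list @src into a new list stored at *dst,
 * translating the type, role and user sets inside each expression into
 * output-policy values (type sets are expanded and converted via
 * expand_convert_type_set; role and user sets go through the maps in
 * @state; other sets are copied verbatim).
 *
 * Returns 0 on success, -1 on allocation failure.  On failure the node
 * currently under construction and its last expression are released,
 * but expressions already linked to that node and nodes already linked
 * into *dst are not; *dst is left pointing at the partial list so the
 * caller can destroy it.
 */
static int constraint_node_clone(constraint_node_t ** dst,
				 constraint_node_t * src,
				 expand_state_t * state)
{
	constraint_node_t *new_con = NULL, *last_new_con = NULL;
	constraint_expr_t *new_expr = NULL;

	*dst = NULL;
	while (src != NULL) {
		constraint_expr_t *expr, *expr_l = NULL;

		new_con = calloc(1, sizeof(*new_con));
		if (!new_con) {
			goto out_of_mem;
		}
		new_con->permissions = src->permissions;

		for (expr = src->expr; expr; expr = expr->next) {
			if ((new_expr = calloc(1, sizeof(*new_expr))) == NULL) {
				goto out_of_mem;
			}
			if (constraint_expr_init(new_expr) == -1) {
				goto out_of_mem;
			}
			new_expr->expr_type = expr->expr_type;
			new_expr->attr = expr->attr;
			new_expr->op = expr->op;
			if (new_expr->expr_type == CEXPR_NAMES) {
				if (new_expr->attr & CEXPR_TYPE) {
					/* Type sets require expansion and conversion. */
					if (expand_convert_type_set(state->out,
								    state->typemap,
								    expr->type_names,
								    &new_expr->names,
								    1)) {
						goto out_of_mem;
					}
				} else if (new_expr->attr & CEXPR_ROLE) {
					if (map_ebitmap(&expr->names,
							&new_expr->names,
							state->rolemap)) {
						goto out_of_mem;
					}
				} else if (new_expr->attr & CEXPR_USER) {
					if (map_ebitmap(&expr->names,
							&new_expr->names,
							state->usermap)) {
						goto out_of_mem;
					}
				} else {
					/* Other kinds of sets do not. */
					if (ebitmap_cpy(&new_expr->names,
							&expr->names)) {
						goto out_of_mem;
					}
				}
			}
			/* append to the node's expression list */
			if (expr_l) {
				expr_l->next = new_expr;
			} else {
				new_con->expr = new_expr;
			}
			expr_l = new_expr;
			new_expr = NULL;	/* now owned by new_con */
		}
		/* append the finished node to the output list */
		if (last_new_con == NULL) {
			*dst = new_con;
		} else {
			last_new_con->next = new_con;
		}
		last_new_con = new_con;
		src = src->next;
	}

	return 0;
      out_of_mem:
	ERR(state->handle, "Out of memory!");
	/* new_con is not yet linked into *dst when we get here */
	free(new_con);
	constraint_expr_destroy(new_expr);
	return -1;
}

/*
 * Merge the default_user / default_role / default_range settings of
 * @olddatum into @newdatum.  A setting is only copied when @olddatum
 * has one; if @newdatum already carries a different value for the same
 * setting the two definitions conflict.
 *
 * Returns 0 on success, SEPOL_ENOTSUP on a conflicting definition.
 */
static int class_copy_default_new_object(expand_state_t *state,
					 class_datum_t *olddatum,
					 class_datum_t *newdatum)
{
	if (olddatum->default_user) {
		if (newdatum->default_user
		    && olddatum->default_user != newdatum->default_user) {
			ERR(state->handle,
			    "Found conflicting default user definitions");
			return SEPOL_ENOTSUP;
		}
		newdatum->default_user = olddatum->default_user;
	}
	if (olddatum->default_role) {
		if (newdatum->default_role
		    && olddatum->default_role != newdatum->default_role) {
			ERR(state->handle,
			    "Found conflicting default role definitions");
			return SEPOL_ENOTSUP;
		}
		newdatum->default_role = olddatum->default_role;
	}
	if (olddatum->default_range) {
		if (newdatum->default_range
		    && olddatum->default_range != newdatum->default_range) {
			ERR(state->handle,
			    "Found conflicting default range definitions");
			return SEPOL_ENOTSUP;
		}
		newdatum->default_range = olddatum->default_range;
	}
	return 0;
}

/*
 * hashtab_map callback: copy one object class from the base policy into
 * state->out, skipping classes whose scope is not enabled.
 */
static int class_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
			       void *data)
{
	int ret;
	char *id, *new_id;
	class_datum_t *class, *new_class;
	expand_state_t *state;

	id = (char *)key;
	class = (class_datum_t *) datum;
	state = (expand_state_t *) data;

	if (!is_id_enabled(id, state->base, SYM_CLASSES)) {
		/* identifier's scope is not enabled */
		return 0;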
40513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 40613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 40713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (state->verbose) 40813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle INFO(state->handle, "copying class %s", id); 40913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 41013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle new_class = (class_datum_t *) malloc(sizeof(class_datum_t)); 41113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!new_class) { 41213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ERR(state->handle, "Out of memory!"); 41313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 41413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 41513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle memset(new_class, 0, sizeof(class_datum_t)); 41613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (symtab_init(&new_class->permissions, PERM_SYMTAB_SIZE)) { 41713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ERR(state->handle, "Out of memory!"); 41813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle free(new_class); 41913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 42013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 42113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 42213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle new_class->s.value = class->s.value; 42313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle state->out->p_classes.nprim++; 42413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 42509c783c9a36cd47216df827c5d2c21ec8cd613e2Eric Paris ret = class_copy_default_new_object(state, class, new_class); 42609c783c9a36cd47216df827c5d2c21ec8cd613e2Eric Paris if (ret) { 42709c783c9a36cd47216df827c5d2c21ec8cd613e2Eric Paris free(new_class); 42809c783c9a36cd47216df827c5d2c21ec8cd613e2Eric Paris return ret; 42909c783c9a36cd47216df827c5d2c21ec8cd613e2Eric Paris } 
43009c783c9a36cd47216df827c5d2c21ec8cd613e2Eric Paris 43113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle new_id = strdup(id); 43213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!new_id) { 43313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ERR(state->handle, "Out of memory!"); 43413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle free(new_class); 43513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 43613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 43713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 43813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ret = 43913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle hashtab_insert(state->out->p_classes.table, new_id, 44013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle (hashtab_datum_t *) new_class); 44113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (ret) { 44213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ERR(state->handle, "hashtab overflow"); 44313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle free(new_class); 44413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle free(new_id); 44513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 44613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 44713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 44813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (hashtab_map 44913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle (class->permissions.table, perm_copy_callback, 45013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle &new_class->permissions)) { 45113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ERR(state->handle, "hashtab overflow"); 45213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 45313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 45413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 45513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (class->comkey) { 45613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 
new_class->comkey = strdup(class->comkey); 45713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!new_class->comkey) { 45813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ERR(state->handle, "Out of memory!"); 45913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 46013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 46113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 46213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle new_class->comdatum = 46313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle hashtab_search(state->out->p_commons.table, 46413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle new_class->comkey); 46513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!new_class->comdatum) { 46613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ERR(state->handle, "could not find common datum %s", 46713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle new_class->comkey); 46813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 46913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 47013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle new_class->permissions.nprim += 47113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle new_class->comdatum->permissions.nprim; 47213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 47313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 47413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return 0; 47513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 47613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 47713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlestatic int constraint_copy_callback(hashtab_key_t key, hashtab_datum_t datum, 47813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle void *data) 47913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 48013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle char *id; 48113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle class_datum_t *class, *new_class; 
48213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle expand_state_t *state; 48313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 48413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle id = (char *)key; 48513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle class = (class_datum_t *) datum; 48613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle state = (expand_state_t *) data; 48713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 48813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle new_class = hashtab_search(state->out->p_classes.table, id); 48913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!new_class) { 49013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ERR(state->handle, "class %s vanished", id); 49113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 49213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 49313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 49413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle /* constraints */ 49513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (constraint_node_clone 49613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle (&new_class->constraints, class->constraints, state) == -1 49713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle || constraint_node_clone(&new_class->validatetrans, 49813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle class->validatetrans, state) == -1) { 49913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 50013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 50113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return 0; 50213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 50313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 504f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle/* 505f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle * The boundaries have to be copied after the types/roles/users are copied, 506f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle * because it refers hashtab to 
lookup destinated objects. 507f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle */ 508f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindlestatic int type_bounds_copy_callback(hashtab_key_t key, 509f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle hashtab_datum_t datum, void *data) 510f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle{ 511f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle expand_state_t *state = (expand_state_t *) data; 512f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle type_datum_t *type = (type_datum_t *) datum; 513f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle type_datum_t *dest; 514f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle uint32_t bounds_val; 515f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle 516f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle if (!type->bounds) 517f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle return 0; 518f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle 519f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle if (!is_id_enabled((char *)key, state->base, SYM_TYPES)) 520f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle return 0; 521f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle 522f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle bounds_val = state->typemap[type->bounds - 1]; 523f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle 524f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle dest = hashtab_search(state->out->p_types.table, (char *)key); 525f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle if (!dest) { 526f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle ERR(state->handle, "Type lookup failed for %s", (char *)key); 527f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle return -1; 528f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle } 529f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle if (dest->bounds != 0 && dest->bounds != bounds_val) { 530f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle 
ERR(state->handle, "Inconsistent boundary for %s", (char *)key); 531f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle return -1; 532f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle } 533f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle dest->bounds = bounds_val; 534f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle 535f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle return 0; 536f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle} 537f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle 538f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindlestatic int role_bounds_copy_callback(hashtab_key_t key, 539f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle hashtab_datum_t datum, void *data) 540f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle{ 541f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle expand_state_t *state = (expand_state_t *) data; 542f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle role_datum_t *role = (role_datum_t *) datum; 543f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle role_datum_t *dest; 544f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle uint32_t bounds_val; 545f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle 546f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle if (!role->bounds) 547f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle return 0; 548f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle 549f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle if (!is_id_enabled((char *)key, state->base, SYM_ROLES)) 550f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle return 0; 551f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle 552f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle bounds_val = state->rolemap[role->bounds - 1]; 553f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle 554f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle dest = hashtab_search(state->out->p_roles.table, (char *)key); 555f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle 
if (!dest) { 556f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle ERR(state->handle, "Role lookup failed for %s", (char *)key); 557f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle return -1; 558f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle } 559f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle if (dest->bounds != 0 && dest->bounds != bounds_val) { 560f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle ERR(state->handle, "Inconsistent boundary for %s", (char *)key); 561f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle return -1; 562f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle } 563f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle dest->bounds = bounds_val; 564f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle 565f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle return 0; 566f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle} 567f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle 568f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindlestatic int user_bounds_copy_callback(hashtab_key_t key, 569f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle hashtab_datum_t datum, void *data) 570f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle{ 571f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle expand_state_t *state = (expand_state_t *) data; 572f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle user_datum_t *user = (user_datum_t *) datum; 573f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle user_datum_t *dest; 574f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle uint32_t bounds_val; 575f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle 576f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle if (!user->bounds) 577f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle return 0; 578f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle 579f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle if (!is_id_enabled((char *)key, state->base, SYM_USERS)) 
580f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle return 0; 581f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle 582f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle bounds_val = state->usermap[user->bounds - 1]; 583f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle 584f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle dest = hashtab_search(state->out->p_users.table, (char *)key); 585f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle if (!dest) { 586f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle ERR(state->handle, "User lookup failed for %s", (char *)key); 587f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle return -1; 588f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle } 589f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle if (dest->bounds != 0 && dest->bounds != bounds_val) { 590f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle ERR(state->handle, "Inconsistent boundary for %s", (char *)key); 591f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle return -1; 592f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle } 593f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle dest->bounds = bounds_val; 594f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle 595f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle return 0; 596f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle} 597f470207454f5f6ce539aa543e5168a07d667254bJoshua Brindle 59813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle/* The aliases have to be copied after the types and attributes to be certain that 59913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle * the out symbol table will have the type that the alias refers. Otherwise, we 60013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle * won't be able to find the type value for the alias. We can't depend on the 60113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle * declaration ordering because of the hash table. 
60213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle */ 60313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlestatic int alias_copy_callback(hashtab_key_t key, hashtab_datum_t datum, 60413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle void *data) 60513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 60613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle int ret; 60713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle char *id, *new_id; 60813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle type_datum_t *alias, *new_alias; 60913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle expand_state_t *state; 610e61b36a5c78852c5d30d9512e0c69546d23ea25cJoshua Brindle uint32_t prival; 61113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 61213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle id = (char *)key; 61313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle alias = (type_datum_t *) datum; 61413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle state = (expand_state_t *) data; 61513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 61613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle /* ignore regular types */ 61713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (alias->flavor == TYPE_TYPE && alias->primary) 61813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return 0; 61913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 62013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle /* ignore attributes */ 62113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (alias->flavor == TYPE_ATTRIB) 62213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return 0; 62313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 624e61b36a5c78852c5d30d9512e0c69546d23ea25cJoshua Brindle if (alias->flavor == TYPE_ALIAS) 625e61b36a5c78852c5d30d9512e0c69546d23ea25cJoshua Brindle prival = alias->primary; 626e61b36a5c78852c5d30d9512e0c69546d23ea25cJoshua Brindle else 627e61b36a5c78852c5d30d9512e0c69546d23ea25cJoshua Brindle prival = 
alias->s.value; 628e61b36a5c78852c5d30d9512e0c69546d23ea25cJoshua Brindle 629e61b36a5c78852c5d30d9512e0c69546d23ea25cJoshua Brindle if (!is_id_enabled(state->base->p_type_val_to_name[prival - 1], 630e61b36a5c78852c5d30d9512e0c69546d23ea25cJoshua Brindle state->base, SYM_TYPES)) { 631e61b36a5c78852c5d30d9512e0c69546d23ea25cJoshua Brindle /* The primary type for this alias is not enabled, the alias 632e61b36a5c78852c5d30d9512e0c69546d23ea25cJoshua Brindle * shouldn't be either */ 633e61b36a5c78852c5d30d9512e0c69546d23ea25cJoshua Brindle return 0; 634e61b36a5c78852c5d30d9512e0c69546d23ea25cJoshua Brindle } 635e61b36a5c78852c5d30d9512e0c69546d23ea25cJoshua Brindle 63613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (state->verbose) 63713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle INFO(state->handle, "copying alias %s", id); 63813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 63913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle new_id = strdup(id); 64013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!new_id) { 64113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ERR(state->handle, "Out of memory!"); 64213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 64313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 64413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 64513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle new_alias = (type_datum_t *) malloc(sizeof(type_datum_t)); 64613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!new_alias) { 64713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ERR(state->handle, "Out of memory!"); 64813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle free(new_id); 64913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return SEPOL_ENOMEM; 65013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 65113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle memset(new_alias, 0, sizeof(type_datum_t)); 65213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if 
(alias->flavor == TYPE_TYPE) 65313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle new_alias->s.value = state->typemap[alias->s.value - 1]; 65413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle else if (alias->flavor == TYPE_ALIAS) 65513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle new_alias->s.value = state->typemap[alias->primary - 1]; 65613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle else 65713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle assert(0); /* unreachable */ 65813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 65913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle new_alias->flags = alias->flags; 66013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 66113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ret = hashtab_insert(state->out->p_types.table, 66213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle (hashtab_key_t) new_id, 66313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle (hashtab_datum_t) new_alias); 66413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 66513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (ret) { 66613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ERR(state->handle, "hashtab overflow"); 66713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle free(new_alias); 66813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle free(new_id); 66913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 67013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 67113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 67213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle state->typemap[alias->s.value - 1] = new_alias->s.value; 67313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 67413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (new_alias->flags & TYPE_FLAGS_PERMISSIVE) 67513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (ebitmap_set_bit(&state->out->permissive_map, new_alias->s.value, 1)) { 67613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 
ERR(state->handle, "Out of memory!"); 67713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 67813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 67913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 68013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return 0; 68113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 68213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 68313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlestatic int role_remap_dominates(hashtab_key_t key __attribute__ ((unused)), hashtab_datum_t datum, void *data) 68413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 68513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ebitmap_t mapped_roles; 68613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle role_datum_t *role = (role_datum_t *) datum; 68713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle expand_state_t *state = (expand_state_t *) data; 68813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 68913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (map_ebitmap(&role->dominates, &mapped_roles, state->rolemap)) 69013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 69113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 69213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ebitmap_destroy(&role->dominates); 69313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 69413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (ebitmap_cpy(&role->dominates, &mapped_roles)) 69513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 69613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 69713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ebitmap_destroy(&mapped_roles); 69813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 69913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return 0; 70013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 70113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 702d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao/* For the 
role attribute in the base module, escalate its counterpart's 703d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao * types.types ebitmap in the out module to the counterparts of all the 704d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao * regular role that belongs to the current role attribute. Note, must be 705d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao * invoked after role_copy_callback so that state->rolemap is available. 706d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao */ 707d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciaostatic int role_fix_callback(hashtab_key_t key, hashtab_datum_t datum, 708d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao void *data) 709d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao{ 710d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao char *id, *base_reg_role_id; 711d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao role_datum_t *role, *new_role, *regular_role; 712d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao expand_state_t *state; 713d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao ebitmap_node_t *rnode; 714d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao unsigned int i; 715d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao ebitmap_t mapped_roles; 716d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao 717d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao id = key; 718d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao role = (role_datum_t *)datum; 719d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao state = (expand_state_t *)data; 720d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao 721d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao if (strcmp(id, OBJECT_R) == 0) { 722d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao /* object_r is never a role attribute by far */ 723d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao return 0; 724d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao } 725d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao 7262ef297d4c80b7e55d9a33e20b44c540ffc6ad351Harry Ciao if 
(!is_id_enabled(id, state->base, SYM_ROLES)) { 7272ef297d4c80b7e55d9a33e20b44c540ffc6ad351Harry Ciao /* identifier's scope is not enabled */ 7282ef297d4c80b7e55d9a33e20b44c540ffc6ad351Harry Ciao return 0; 7292ef297d4c80b7e55d9a33e20b44c540ffc6ad351Harry Ciao } 7302ef297d4c80b7e55d9a33e20b44c540ffc6ad351Harry Ciao 731d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao if (role->flavor != ROLE_ATTRIB) 732d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao return 0; 733d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao 734d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao if (state->verbose) 735d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao INFO(state->handle, "fixing role attribute %s", id); 736d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao 737d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao new_role = 738d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao (role_datum_t *)hashtab_search(state->out->p_roles.table, id); 739d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao 740d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao assert(new_role != NULL && new_role->flavor == ROLE_ATTRIB); 741d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao 742d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao ebitmap_init(&mapped_roles); 743d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao if (map_ebitmap(&role->roles, &mapped_roles, state->rolemap)) 744d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao return -1; 745d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao if (ebitmap_union(&new_role->roles, &mapped_roles)) { 746d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao ERR(state->handle, "Out of memory!"); 747d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao ebitmap_destroy(&mapped_roles); 748d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao return -1; 749d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao } 750d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao ebitmap_destroy(&mapped_roles); 751d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao 
752d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao ebitmap_for_each_bit(&role->roles, rnode, i) { 753d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao if (ebitmap_node_get_bit(rnode, i)) { 754d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao /* take advantage of sym_val_to_name[] 755d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao * of the base module */ 756d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao base_reg_role_id = state->base->p_role_val_to_name[i]; 757d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao regular_role = (role_datum_t *)hashtab_search( 758d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao state->out->p_roles.table, 759d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao base_reg_role_id); 760d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao assert(regular_role != NULL && 761d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao regular_role->flavor == ROLE_ROLE); 762d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao 763d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao if (ebitmap_union(®ular_role->types.types, 764d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao &new_role->types.types)) { 765d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao ERR(state->handle, "Out of memory!"); 766d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao return -1; 767d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao } 768d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao } 769d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao } 770d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao 771d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao return 0; 772d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao} 773d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao 77413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlestatic int role_copy_callback(hashtab_key_t key, hashtab_datum_t datum, 77513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle void *data) 77613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 77713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 
int ret; 77813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle char *id, *new_id; 77913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle role_datum_t *role; 78013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle role_datum_t *new_role; 78113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle expand_state_t *state; 78213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ebitmap_t tmp_union_types; 78313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 78413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle id = key; 78513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle role = (role_datum_t *) datum; 78613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle state = (expand_state_t *) data; 78713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 78813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (strcmp(id, OBJECT_R) == 0) { 78913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle /* object_r is always value 1 */ 79013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle state->rolemap[role->s.value - 1] = 1; 79113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return 0; 79213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 79313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 79413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!is_id_enabled(id, state->base, SYM_ROLES)) { 79513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle /* identifier's scope is not enabled */ 79613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return 0; 79713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 79813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 79913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (state->verbose) 80013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle INFO(state->handle, "copying role %s", id); 80113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 80213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle new_role = 80313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle (role_datum_t *) 
hashtab_search(state->out->p_roles.table, id); 80413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!new_role) { 80513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle new_role = (role_datum_t *) malloc(sizeof(role_datum_t)); 80613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!new_role) { 80713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ERR(state->handle, "Out of memory!"); 80813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 80913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 81013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle memset(new_role, 0, sizeof(role_datum_t)); 81113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 81213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle new_id = strdup(id); 81313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!new_id) { 81413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ERR(state->handle, "Out of memory!"); 81513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 81613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 81713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 81813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle state->out->p_roles.nprim++; 819d4d90eceeba902874252fd7c1b9384fc5b1605d4Harry Ciao new_role->flavor = role->flavor; 82013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle new_role->s.value = state->out->p_roles.nprim; 82113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle state->rolemap[role->s.value - 1] = new_role->s.value; 82213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ret = hashtab_insert(state->out->p_roles.table, 82313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle (hashtab_key_t) new_id, 82413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle (hashtab_datum_t) new_role); 82513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 82613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (ret) { 82713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ERR(state->handle, "hashtab 
overflow"); 82813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle free(new_role); 82913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle free(new_id); 83013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 83113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 83213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 83313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 83413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle /* The dominates bitmap is going to be wrong for the moment, 83513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle * we'll come back later and remap them, after we are sure all 83613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle * the roles have been added */ 83713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (ebitmap_union(&new_role->dominates, &role->dominates)) { 83813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ERR(state->handle, "Out of memory!"); 83913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 84013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 84113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 84213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ebitmap_init(&tmp_union_types); 84313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 84413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle /* convert types in the role datum in the global symtab */ 84513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (expand_convert_type_set 84613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle (state->out, state->typemap, &role->types, &tmp_union_types, 1)) { 84713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ebitmap_destroy(&tmp_union_types); 84813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ERR(state->handle, "Out of memory!"); 84913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 85013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 85113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 
85213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (ebitmap_union(&new_role->types.types, &tmp_union_types)) { 85313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ERR(state->handle, "Out of memory!"); 85413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ebitmap_destroy(&tmp_union_types); 85513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 85613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 85713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ebitmap_destroy(&tmp_union_types); 85813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 85913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return 0; 86013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 86113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 86213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleint mls_semantic_level_expand(mls_semantic_level_t * sl, mls_level_t * l, 86313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle policydb_t * p, sepol_handle_t * h) 86413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 86513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle mls_semantic_cat_t *cat; 86613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle level_datum_t *levdatum; 86713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle unsigned int i; 86813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 86913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle mls_level_init(l); 87013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 87113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!p->mls) 87213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return 0; 87313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 87413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle /* Required not declared. 
*/ 87513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!sl->sens) 87613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return 0; 87713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 87813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle l->sens = sl->sens; 87913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle levdatum = (level_datum_t *) hashtab_search(p->p_levels.table, 88013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle p->p_sens_val_to_name[l-> 88113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle sens - 88213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 1]); 88313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle for (cat = sl->cat; cat; cat = cat->next) { 88413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (cat->low > cat->high) { 88513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ERR(h, "Category range is not valid %s.%s", 88613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle p->p_cat_val_to_name[cat->low - 1], 88713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle p->p_cat_val_to_name[cat->high - 1]); 88813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 88913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 89013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle for (i = cat->low - 1; i < cat->high; i++) { 89113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!ebitmap_get_bit(&levdatum->level->cat, i)) { 89213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ERR(h, "Category %s can not be associate with " 89313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle "level %s", 89413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle p->p_cat_val_to_name[i], 89513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle p->p_sens_val_to_name[l->sens - 1]); 89613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 89713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (ebitmap_set_bit(&l->cat, i, 1)) { 89813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ERR(h, "Out of 
memory!"); 89913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 90013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 90113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 90213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 90313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 90413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return 0; 90513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 90613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 90713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleint mls_semantic_range_expand(mls_semantic_range_t * sr, mls_range_t * r, 90813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle policydb_t * p, sepol_handle_t * h) 90913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 91013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (mls_semantic_level_expand(&sr->level[0], &r->level[0], p, h) < 0) 91113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 91213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 91313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (mls_semantic_level_expand(&sr->level[1], &r->level[1], p, h) < 0) { 91413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle mls_semantic_level_destroy(&sr->level[0]); 91513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 91613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 91713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 91813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!mls_level_dom(&r->level[1], &r->level[0])) { 91913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle mls_range_destroy(r); 92013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ERR(h, "MLS range high level does not dominate low level"); 92113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 92213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 92313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 92413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return 0; 
92513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 92613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 92713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlestatic int user_copy_callback(hashtab_key_t key, hashtab_datum_t datum, 92813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle void *data) 92913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 93013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle int ret; 93113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle expand_state_t *state; 93213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle user_datum_t *user; 93313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle user_datum_t *new_user; 93413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle char *id, *new_id; 93513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ebitmap_t tmp_union; 93613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 93713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle id = key; 93813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle user = (user_datum_t *) datum; 93913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle state = (expand_state_t *) data; 94013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 94113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!is_id_enabled(id, state->base, SYM_USERS)) { 94213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle /* identifier's scope is not enabled */ 94313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return 0; 94413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 94513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 94613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (state->verbose) 94713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle INFO(state->handle, "copying user %s", id); 94813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 94913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle new_user = 95013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle (user_datum_t *) hashtab_search(state->out->p_users.table, id); 
95113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!new_user) { 95213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle new_user = (user_datum_t *) malloc(sizeof(user_datum_t)); 95313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!new_user) { 95413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ERR(state->handle, "Out of memory!"); 95513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 95613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 95713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle memset(new_user, 0, sizeof(user_datum_t)); 95813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 95913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle state->out->p_users.nprim++; 96013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle new_user->s.value = state->out->p_users.nprim; 96113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle state->usermap[user->s.value - 1] = new_user->s.value; 96213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 96313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle new_id = strdup(id); 96413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!new_id) { 96513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ERR(state->handle, "Out of memory!"); 96613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 96713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 96813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ret = hashtab_insert(state->out->p_users.table, 96913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle (hashtab_key_t) new_id, 97013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle (hashtab_datum_t) new_user); 97113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (ret) { 97213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ERR(state->handle, "hashtab overflow"); 97313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle user_datum_destroy(new_user); 97413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle free(new_user); 
97513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle free(new_id); 97613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 97713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 97813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 97913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle /* expand the semantic MLS info */ 98013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (mls_semantic_range_expand(&user->range, 98113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle &new_user->exp_range, 98213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle state->out, state->handle)) { 98313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 98413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 98513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (mls_semantic_level_expand(&user->dfltlevel, 98613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle &new_user->exp_dfltlevel, 98713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle state->out, state->handle)) { 98813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 98913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 99013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!mls_level_between(&new_user->exp_dfltlevel, 99113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle &new_user->exp_range.level[0], 99213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle &new_user->exp_range.level[1])) { 99313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ERR(state->handle, "default level not within user " 99413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle "range"); 99513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 99613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 99713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } else { 99813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle /* require that the MLS info match */ 99913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle mls_range_t tmp_range; 
100013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle mls_level_t tmp_level; 100113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 100213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (mls_semantic_range_expand(&user->range, &tmp_range, 100313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle state->out, state->handle)) { 100413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 100513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 100613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (mls_semantic_level_expand(&user->dfltlevel, &tmp_level, 100713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle state->out, state->handle)) { 100813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle mls_range_destroy(&tmp_range); 100913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 101013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 101113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!mls_range_eq(&new_user->exp_range, &tmp_range) || 101213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle !mls_level_eq(&new_user->exp_dfltlevel, &tmp_level)) { 101313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle mls_range_destroy(&tmp_range); 101413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle mls_level_destroy(&tmp_level); 101513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 101613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 101713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle mls_range_destroy(&tmp_range); 101813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle mls_level_destroy(&tmp_level); 101913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 102013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 102113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ebitmap_init(&tmp_union); 102213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 102313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle /* get global roles for this user */ 
10243592ebea1a5beb390a520c09747d3699867af9deHarry Ciao if (role_set_expand(&user->roles, &tmp_union, state->out, state->base, state->rolemap)) { 102513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ERR(state->handle, "Out of memory!"); 102613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ebitmap_destroy(&tmp_union); 102713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 102813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 102913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 103013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (ebitmap_union(&new_user->roles.roles, &tmp_union)) { 103113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ERR(state->handle, "Out of memory!"); 103213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ebitmap_destroy(&tmp_union); 103313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 103413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 103513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ebitmap_destroy(&tmp_union); 103613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 103713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return 0; 103813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 103913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 104013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlestatic int bool_copy_callback(hashtab_key_t key, hashtab_datum_t datum, 104113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle void *data) 104213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 104313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle int ret; 104413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle expand_state_t *state; 104513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle cond_bool_datum_t *bool, *new_bool; 104613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle char *id, *new_id; 104713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 104813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle id = key; 
104913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle bool = (cond_bool_datum_t *) datum; 105013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle state = (expand_state_t *) data; 105113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 105213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!is_id_enabled(id, state->base, SYM_BOOLS)) { 105313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle /* identifier's scope is not enabled */ 105413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return 0; 105513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 105613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 10575722d765c756ac8dc52c52077f9311b8886fe8daHarry Ciao if (bool->flags & COND_BOOL_FLAGS_TUNABLE) { 10585722d765c756ac8dc52c52077f9311b8886fe8daHarry Ciao /* Skip tunables */ 10595722d765c756ac8dc52c52077f9311b8886fe8daHarry Ciao return 0; 10605722d765c756ac8dc52c52077f9311b8886fe8daHarry Ciao } 10615722d765c756ac8dc52c52077f9311b8886fe8daHarry Ciao 106213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (state->verbose) 106313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle INFO(state->handle, "copying boolean %s", id); 106413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 106513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle new_bool = (cond_bool_datum_t *) malloc(sizeof(cond_bool_datum_t)); 106613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!new_bool) { 106713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ERR(state->handle, "Out of memory!"); 106813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 106913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 107013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 107113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle new_id = strdup(id); 107213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!new_id) { 107313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ERR(state->handle, "Out of memory!"); 
107413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle free(new_bool); 107513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 107613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 107713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 107813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle state->out->p_bools.nprim++; 107913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle new_bool->s.value = state->out->p_bools.nprim; 108013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 108113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ret = hashtab_insert(state->out->p_bools.table, 108213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle (hashtab_key_t) new_id, 108313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle (hashtab_datum_t) new_bool); 108413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (ret) { 108513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ERR(state->handle, "hashtab overflow"); 108613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle free(new_bool); 108713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle free(new_id); 108813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 108913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 109013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 109113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle state->boolmap[bool->s.value - 1] = new_bool->s.value; 109213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 109313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle new_bool->state = bool->state; 10945722d765c756ac8dc52c52077f9311b8886fe8daHarry Ciao new_bool->flags = bool->flags; 109513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 109613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return 0; 109713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 109813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 109913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlestatic int sens_copy_callback(hashtab_key_t key, hashtab_datum_t 
datum, 110013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle void *data) 110113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 110213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle expand_state_t *state = (expand_state_t *) data; 110313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle level_datum_t *level = (level_datum_t *) datum, *new_level = NULL; 110413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle char *id = (char *)key, *new_id = NULL; 110513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 110613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!is_id_enabled(id, state->base, SYM_LEVELS)) { 110713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle /* identifier's scope is not enabled */ 110813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return 0; 110913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 111013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 111113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (state->verbose) 111213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle INFO(state->handle, "copying sensitivity level %s", id); 111313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 111413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle new_level = (level_datum_t *) malloc(sizeof(level_datum_t)); 111513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!new_level) 111613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle goto out_of_mem; 111713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle level_datum_init(new_level); 111813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle new_level->level = (mls_level_t *) malloc(sizeof(mls_level_t)); 111913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!new_level->level) 112013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle goto out_of_mem; 112113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle mls_level_init(new_level->level); 112213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle new_id = strdup(id); 
112313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!new_id) 112413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle goto out_of_mem; 112513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 112613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (mls_level_cpy(new_level->level, level->level)) { 112713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle goto out_of_mem; 112813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 112913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle new_level->isalias = level->isalias; 113013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle state->out->p_levels.nprim++; 113113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 113213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (hashtab_insert(state->out->p_levels.table, 113313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle (hashtab_key_t) new_id, 113413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle (hashtab_datum_t) new_level)) { 113513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle goto out_of_mem; 113613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 113713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return 0; 113813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 113913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle out_of_mem: 114013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ERR(state->handle, "Out of memory!"); 114113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (new_level != NULL && new_level->level != NULL) { 114213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle mls_level_destroy(new_level->level); 114313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle free(new_level->level); 114413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 114513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle level_datum_destroy(new_level); 114613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle free(new_level); 114713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle free(new_id); 
114813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 114913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 115013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 115113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlestatic int cats_copy_callback(hashtab_key_t key, hashtab_datum_t datum, 115213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle void *data) 115313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 115413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle expand_state_t *state = (expand_state_t *) data; 115513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle cat_datum_t *cat = (cat_datum_t *) datum, *new_cat = NULL; 115613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle char *id = (char *)key, *new_id = NULL; 115713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 115813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!is_id_enabled(id, state->base, SYM_CATS)) { 115913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle /* identifier's scope is not enabled */ 116013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return 0; 116113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 116213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 116313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (state->verbose) 116413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle INFO(state->handle, "copying category attribute %s", id); 116513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 116613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle new_cat = (cat_datum_t *) malloc(sizeof(cat_datum_t)); 116713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!new_cat) 116813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle goto out_of_mem; 116913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle cat_datum_init(new_cat); 117013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle new_id = strdup(id); 117113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!new_id) 
117213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle goto out_of_mem; 117313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 117413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle new_cat->s.value = cat->s.value; 117513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle new_cat->isalias = cat->isalias; 117613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle state->out->p_cats.nprim++; 117713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (hashtab_insert(state->out->p_cats.table, 117813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle (hashtab_key_t) new_id, (hashtab_datum_t) new_cat)) { 117913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle goto out_of_mem; 118013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 118113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 118213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return 0; 118313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 118413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle out_of_mem: 118513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ERR(state->handle, "Out of memory!"); 118613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle cat_datum_destroy(new_cat); 118713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle free(new_cat); 118813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle free(new_id); 118913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 119013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 119113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 119213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlestatic int copy_role_allows(expand_state_t * state, role_allow_rule_t * rules) 119313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 119413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle unsigned int i, j; 119513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle role_allow_t *cur_allow, *n, *l; 119613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle role_allow_rule_t *cur; 
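/* copy_role_allows continues here; the signature and the declarations of
 * i, j, cur_allow, n, l and cur are just above this span. */
	ebitmap_t roles, new_roles;	/* expanded role sets of one rule */
	ebitmap_node_t *snode, *tnode;

	/* start at the end of the list */
	for (l = state->out->role_allow; l && l->next; l = l->next) ;

	cur = rules;
	while (cur) {
		ebitmap_init(&roles);
		ebitmap_init(&new_roles);

		/* Every failure below branches to err so that both bitmaps
		 * are released on the error path too (the original code
		 * leaked them by returning directly). */
		if (role_set_expand(&cur->roles, &roles, state->out, state->base, state->rolemap)) {
			ERR(state->handle, "Out of memory!");
			goto err;
		}

		if (role_set_expand(&cur->new_roles, &new_roles, state->out, state->base, state->rolemap)) {
			ERR(state->handle, "Out of memory!");
			goto err;
		}

		ebitmap_for_each_bit(&roles, snode, i) {
			if (!ebitmap_node_get_bit(snode, i))
				continue;
			ebitmap_for_each_bit(&new_roles, tnode, j) {
				if (!ebitmap_node_get_bit(tnode, j))
					continue;
				/* check for duplicates: bit i / bit j are the
				 * 0-based values, the list stores them 1-based */
				cur_allow = state->out->role_allow;
				while (cur_allow) {
					if ((cur_allow->role == i + 1) &&
					    (cur_allow->new_role == j + 1))
						break;
					cur_allow = cur_allow->next;
				}
				if (cur_allow)
					continue;
				n = calloc(1, sizeof(*n));
				if (!n) {
					ERR(state->handle, "Out of memory!");
					goto err;
				}
				n->role = i + 1;
				n->new_role = j + 1;
				/* append, keeping l pointed at the tail */
				if (l) {
					l->next = n;
				} else {
					state->out->role_allow = n;
				}
				l = n;
			}
		}

		ebitmap_destroy(&roles);
		ebitmap_destroy(&new_roles);

		cur = cur->next;
	}

	return 0;

      err:
	ebitmap_destroy(&roles);
	ebitmap_destroy(&new_roles);
	return -1;
}

/*
 * copy_role_trans - expand every role_transition rule in rules into
 * (role, type, class) -> new_role entries appended to state->out->role_tr.
 * Exact duplicates are skipped; a conflicting result role is an error.
 * Returns 0 on success, -1 on error.  The body continues below this span.
 */
static int copy_role_trans(expand_state_t * state, role_trans_rule_t * rules)
{
	unsigned int i, j, k;
	role_trans_t *n, *l, *cur_trans;
	role_trans_rule_t *cur;
	ebitmap_t roles, types;
	ebitmap_node_t *rnode, *tnode, *cnode;

	/* start at the end of the list */
	for (l = state->out->role_tr; l && l->next; l = l->next) ;
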
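/* copy_role_trans continues here; the signature and the declarations of
 * i, j, k, n, l, cur_trans, cur, roles, types and the node pointers are
 * just above this span. */
	cur = rules;
	while (cur) {
		ebitmap_init(&roles);
		ebitmap_init(&types);

		/* Every failure below branches to err so that roles and types
		 * are released on the error path too (the original code
		 * leaked them by returning directly). */
		if (role_set_expand(&cur->roles, &roles, state->out, state->base, state->rolemap)) {
			ERR(state->handle, "Out of memory!");
			goto err;
		}
		if (expand_convert_type_set
		    (state->out, state->typemap, &cur->types, &types, 1)) {
			ERR(state->handle, "Out of memory!");
			goto err;
		}
		ebitmap_for_each_bit(&roles, rnode, i) {
			if (!ebitmap_node_get_bit(rnode, i))
				continue;
			ebitmap_for_each_bit(&types, tnode, j) {
				if (!ebitmap_node_get_bit(tnode, j))
					continue;
				ebitmap_for_each_bit(&cur->classes, cnode, k) {
					unsigned int mapped_role;

					if (!ebitmap_node_get_bit(cnode, k))
						continue;

					/* The result role is the same for every
					 * triple of this rule, so remap it once
					 * here instead of on every list node.
					 * Assumes new_role is a valid 1-based
					 * role value; a zero would wrap to an
					 * out-of-bounds rolemap index - confirm
					 * the parser/linker rejects that. */
					mapped_role = state->rolemap[cur->new_role - 1];

					/* Skip an exact duplicate; reject a rule
					 * that maps the same (role, type, class)
					 * to a different result role. */
					cur_trans = state->out->role_tr;
					while (cur_trans) {
						if ((cur_trans->role == i + 1) &&
						    (cur_trans->type == j + 1) &&
						    (cur_trans->tclass == k + 1)) {
							if (cur_trans->new_role == mapped_role)
								break;
							ERR(state->handle,
							    "Conflicting role trans rule %s %s : %s { %s vs %s }",
							    state->out->p_role_val_to_name[i],
							    state->out->p_type_val_to_name[j],
							    state->out->p_class_val_to_name[k],
							    state->out->p_role_val_to_name[mapped_role - 1],
							    state->out->p_role_val_to_name[cur_trans->new_role - 1]);
							goto err;
						}
						cur_trans = cur_trans->next;
					}
					if (cur_trans)
						continue;

					n = calloc(1, sizeof(*n));
					if (!n) {
						ERR(state->handle, "Out of memory!");
						goto err;
					}
					n->role = i + 1;
					n->type = j + 1;
					n->tclass = k + 1;
					n->new_role = mapped_role;
					/* append, keeping l pointed at the tail */
					if (l)
						l->next = n;
					else
						state->out->role_tr = n;

					l = n;
				}
			}
		}

		ebitmap_destroy(&roles);
		ebitmap_destroy(&types);

		cur = cur->next;
	}
	return 0;

      err:
	ebitmap_destroy(&roles);
	ebitmap_destroy(&types);
	return -1;
}

/*
 * expand_filename_trans - expand every filename_transition rule in rules
 * into (stype, ttype, tclass, name) -> otype entries pushed onto
 * state->out->filename_trans.  Exact duplicates are skipped; the same
 * key with another result type is an error.  Returns 0 on success, -1
 * on error.  The body continues below this span.
 */
static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *rules)
{
	unsigned int i, j;
	filename_trans_t *new_trans, *cur_trans;
	filename_trans_rule_t *cur_rule;
	ebitmap_t stypes, ttypes;
	ebitmap_node_t *snode, *tnode;

	cur_rule = rules;
	while (cur_rule) {
		uint32_t mapped_otype;

		ebitmap_init(&stypes);
		ebitmap_init(&ttypes);

		if (expand_convert_type_set(state->out, state->typemap,
					    &cur_rule->stypes, &stypes, 1)) {
			/* release the (possibly partially filled) bitmaps */
			ebitmap_destroy(&stypes);
			ebitmap_destroy(&ttypes);
			ERR(state->handle, "Out of memory!");
			return -1;
		}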
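/* expand_filename_trans continues here; the signature, the declarations
 * and the stypes expansion are just above this span. */

		if (expand_convert_type_set(state->out, state->typemap,
					    &cur_rule->ttypes, &ttypes, 1)) {
			ERR(state->handle, "Out of memory!");
			goto err;
		}

		/* Remap the rule's result type once per rule.  Assumes otype
		 * is a valid 1-based type value; a zero would wrap to an
		 * out-of-bounds typemap index - confirm the parser/linker
		 * rejects that before expansion. */
		mapped_otype = state->typemap[cur_rule->otype - 1];

		ebitmap_for_each_bit(&stypes, snode, i) {
			if (!ebitmap_node_get_bit(snode, i))
				continue;
			ebitmap_for_each_bit(&ttypes, tnode, j) {
				if (!ebitmap_node_get_bit(tnode, j))
					continue;

				/* Linear scan of the rules expanded so far:
				 * an identical rule is skipped, the same key
				 * with another result type is a conflict. */
				cur_trans = state->out->filename_trans;
				while (cur_trans) {
					if ((cur_trans->stype == i + 1) &&
					    (cur_trans->ttype == j + 1) &&
					    (cur_trans->tclass == cur_rule->tclass) &&
					    (!strcmp(cur_trans->name, cur_rule->name))) {
						/* duplicate rule, who cares */
						if (cur_trans->otype == mapped_otype)
							break;

						ERR(state->handle, "Conflicting filename trans rules %s %s %s : %s otype1:%s otype2:%s",
						    cur_trans->name,
						    state->out->p_type_val_to_name[i],
						    state->out->p_type_val_to_name[j],
						    state->out->p_class_val_to_name[cur_trans->tclass - 1],
						    state->out->p_type_val_to_name[cur_trans->otype - 1],
						    state->out->p_type_val_to_name[mapped_otype - 1]);

						goto err;
					}
					cur_trans = cur_trans->next;
				}
				/* duplicate rule, who cares */
				if (cur_trans)
					continue;

				/* Build the node completely before linking it,
				 * so the list never holds an entry with a NULL
				 * name (the scan above calls strcmp on every
				 * name). */
				new_trans = calloc(1, sizeof(*new_trans));
				if (!new_trans) {
					ERR(state->handle, "Out of memory!");
					goto err;
				}
				new_trans->name = strdup(cur_rule->name);
				if (!new_trans->name) {
					ERR(state->handle, "Out of memory!");
					free(new_trans);
					goto err;
				}
				new_trans->stype = i + 1;
				new_trans->ttype = j + 1;
				new_trans->tclass = cur_rule->tclass;
				new_trans->otype = mapped_otype;
				/* push onto the head of the list */
				new_trans->next = state->out->filename_trans;
				state->out->filename_trans = new_trans;
			}
		}

		ebitmap_destroy(&stypes);
		ebitmap_destroy(&ttypes);

		cur_rule = cur_rule->next;
	}
	return 0;

      err:
	/* release the bitmaps of the rule being expanded; every error path
	 * above lands here (the original code leaked them) */
	ebitmap_destroy(&stypes);
	ebitmap_destroy(&ttypes);
	return -1;
}

/*
 * exp_rangetr_helper - add one expanded range_transition entry
 * (stype, ttype, tclass) -> trange to state->out->range_tr.
 *
 * stype, ttype, tclass are 1-based values; trange is the rule's semantic
 * range, expanded here against state->out.  An entry with the same key
 * and an equal range is silently skipped; the same key with another range
 * is reported as a conflict.  Returns 0 on success or skip, -1 on error.
 * The body continues below this span.
 */
static int exp_rangetr_helper(uint32_t stype, uint32_t ttype, uint32_t tclass,
			      mls_semantic_range_t * trange,
			      expand_state_t * state)
{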
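/* exp_rangetr_helper body; the signature is just above this span.
 * stype, ttype and tclass are 1-based values (see the name lookups
 * below), trange is the rule's semantic range. */
	range_trans_t *rt, *check_rt = state->out->range_tr;
	mls_range_t exp_range;
	int rc = -1;

	/* Start from a zeroed range so the unconditional mls_range_destroy
	 * at out is safe even when the expansion below fails part-way and
	 * leaves one level untouched. */
	mls_range_init(&exp_range);

	if (mls_semantic_range_expand(trange, &exp_range, state->out,
				      state->handle))
		goto out;

	/* check for duplicates/conflicts */
	while (check_rt) {
		if ((check_rt->source_type == stype) &&
		    (check_rt->target_type == ttype) &&
		    (check_rt->target_class == tclass)) {
			if (mls_range_eq(&check_rt->target_range, &exp_range)) {
				/* duplicate */
				break;
			} else {
				/* conflict */
				ERR(state->handle,
				    "Conflicting range trans rule %s %s : %s",
				    state->out->p_type_val_to_name[stype - 1],
				    state->out->p_type_val_to_name[ttype - 1],
				    state->out->p_class_val_to_name[tclass - 1]);
				goto out;
			}
		}
		check_rt = check_rt->next;
	}
	if (check_rt) {
		/* this is a dup - skip */
		rc = 0;
		goto out;
	}

	rt = calloc(1, sizeof(*rt));
	if (!rt) {
		ERR(state->handle, "Out of memory!");
		goto out;
	}

	/* push onto the head of the list */
	rt->next = state->out->range_tr;
	state->out->range_tr = rt;

	rt->source_type = stype;
	rt->target_type = ttype;
	rt->target_class = tclass;
	if (mls_range_cpy(&rt->target_range, &exp_range)) {
		ERR(state->handle, "Out of memory!");
		goto out;
	}

	rc = 0;

      out:
	mls_range_destroy(&exp_range);
	return rc;
}

/*
 * expand_range_trans - expand every range_transition rule in rules over
 * its source types, target types and target classes, adding one entry per
 * (stype, ttype, tclass) via exp_rangetr_helper.  Returns 0 on success,
 * -1 on error.  The body continues below this span.
 */
static int expand_range_trans(expand_state_t * state,
			      range_trans_rule_t * rules)
{
	unsigned int i, j, k;
	range_trans_rule_t *rule;

	ebitmap_t stypes, ttypes;
	ebitmap_node_t *snode, *tnode, *cnode;

	if (state->verbose)
		INFO(state->handle, "expanding range transitions");

	for (rule = rules; rule; rule = rule->next) {
		ebitmap_init(&stypes);
		ebitmap_init(&ttypes);

		/*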
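expand the type sets */
		if (expand_convert_type_set(state->out, state->typemap,
					    &rule->stypes, &stypes, 1)) {
			/* release the (possibly partially filled) bitmaps,
			 * mirroring the ttypes failure path below */
			ebitmap_destroy(&stypes);
			ebitmap_destroy(&ttypes);
			ERR(state->handle, "Out of memory!");
			return -1;
		}
		if (expand_convert_type_set(state->out, state->typemap,
					    &rule->ttypes, &ttypes, 1)) {
			ebitmap_destroy(&stypes);
			ebitmap_destroy(&ttypes);
			ERR(state->handle, "Out of memory!");
			return -1;
		}

		/* loop on source type */
		ebitmap_for_each_bit(&stypes, snode, i) {
			if (!ebitmap_node_get_bit(snode, i))
				continue;
			/* loop on target type */
			ebitmap_for_each_bit(&ttypes, tnode, j) {
				if (!ebitmap_node_get_bit(tnode, j))
					continue;
				/* loop on target class */
				ebitmap_for_each_bit(&rule->tclasses, cnode, k) {
					if (!ebitmap_node_get_bit(cnode, k))
						continue;

					/* bits are 0-based, policy values
					 * are 1-based; the helper reports
					 * its own errors */
					if (exp_rangetr_helper(i + 1,
							       j + 1,
							       k + 1,
							       &rule->trange,
							       state)) {
						ebitmap_destroy(&stypes);
						ebitmap_destroy(&ttypes);
						return -1;
					}
				}
			}
		}

		ebitmap_destroy(&stypes);
		ebitmap_destroy(&ttypes);
	}

	return 0;
}

/* Search for an AV tab node within a hash table with the given key.
 * If the node does not exist, create it and return it; otherwise
 * return the pre-existing one.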
*/
/*
 * find_avtab_node - look up, or create, the avtab node for key.
 *
 * handle - for error reporting
 * avtab  - the table searched and, if needed, inserted into
 * key    - the (source, target, class, specified) key
 * cond   - NULL for unconditional rules; otherwise the conditional list
 *          the node must belong to.  The search then only accepts a node
 *          whose parse_context is this list (presumably so that one key can
 *          carry separate nodes per conditional block - confirm), and a
 *          newly created node is pushed onto *cond.
 *
 * Returns the node, or NULL after logging when the insert or the list
 * allocation fails.
 */
static avtab_ptr_t find_avtab_node(sepol_handle_t * handle,
				   avtab_t * avtab, avtab_key_t * key,
				   cond_av_list_t ** cond)
{
	avtab_ptr_t node;
	avtab_datum_t avdatum;
	cond_av_list_t *nl;

	node = avtab_search_node(avtab, key);

	/* If this is for conditional policies, keep searching in case
	   the node is part of my conditional avtab. */
	if (cond) {
		while (node) {
			if (node->parse_context == cond)
				break;
			node = avtab_search_node_next(node, key->specified);
		}
	}

	if (!node) {
		/* insert with an all-zero datum */
		memset(&avdatum, 0, sizeof avdatum);
		/* this is used to get the node - insertion is actually unique */
		node = avtab_insert_nonunique(avtab, key, &avdatum);
		if (!node) {
			ERR(handle, "hash table overflow");
			return NULL;
		}
		if (cond) {
			node->parse_context = cond;
			nl = (cond_av_list_t *) malloc(sizeof(cond_av_list_t));
			if (!nl) {
				/* NOTE(review): the node stays in avtab with
				 * parse_context set but is not on *cond; this
				 * is acceptable only because callers abort on
				 * NULL - confirm. */
				ERR(handle, "Memory error");
				return NULL;
			}
			memset(nl, 0, sizeof(cond_av_list_t));
			/* push onto the head of the conditional list */
			nl->node = node;
			nl->next = *cond;
			*cond = nl;
		}
	}

	return node;
}

/* Return codes of the expand_*_helper functions below. */
#define EXPAND_RULE_SUCCESS 1
#define EXPAND_RULE_CONFLICT 0
#define EXPAND_RULE_ERROR -1

/*
 * expand_terule_helper - expand one type_transition / type_member /
 * type_change rule (selected by the AVRULE_* bit in specified) for a
 * single (stype, ttype) pair over the class/permission list perms into
 * avtab.  The body continues below this span.
 */
static int expand_terule_helper(sepol_handle_t * handle,
				policydb_t * p, uint32_t * typemap,
				uint32_t specified, cond_av_list_t ** cond,
				cond_av_list_t ** other, uint32_t stype,
				uint32_t ttype, class_perm_node_t * perms,
				avtab_t * avtab, int enabled)
{
	avtab_key_t avkey;
	avtab_datum_t *avdatump;
	avtab_ptr_t node;
	class_perm_node_t *cur;
	int conflict;
	uint32_t oldtype = 0, spec = 0;
163913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 164013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (specified & AVRULE_TRANSITION) { 164113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle spec = AVTAB_TRANSITION; 164213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } else if (specified & AVRULE_MEMBER) { 164313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle spec = AVTAB_MEMBER; 164413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } else if (specified & AVRULE_CHANGE) { 164513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle spec = AVTAB_CHANGE; 164613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } else { 164713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle assert(0); /* unreachable */ 164813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 164913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 165013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle cur = perms; 165113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle while (cur) { 165213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle uint32_t remapped_data = 165313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle typemap ? 
typemap[cur->data - 1] : cur->data; 165413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle avkey.source_type = stype + 1; 165513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle avkey.target_type = ttype + 1; 165613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle avkey.target_class = cur->class; 165713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle avkey.specified = spec; 165813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 165913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle conflict = 0; 166013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle /* check to see if the expanded TE already exists -- 166113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle * either in the global scope or in another 166213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle * conditional AV tab */ 166313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle node = avtab_search_node(&p->te_avtab, &avkey); 166413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (node) { 166513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle conflict = 1; 166613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } else { 166713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle node = avtab_search_node(&p->te_cond_avtab, &avkey); 166813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (node && node->parse_context != other) { 166913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle conflict = 2; 167013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 167113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 167213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 167313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (conflict) { 167413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle avdatump = &node->datum; 167513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (specified & AVRULE_TRANSITION) { 167613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle oldtype = avdatump->data; 167713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } else if 
(specified & AVRULE_MEMBER) { 167813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle oldtype = avdatump->data; 167913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } else if (specified & AVRULE_CHANGE) { 168013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle oldtype = avdatump->data; 168113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 168213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 168313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (oldtype == remapped_data) { 168413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle /* if the duplicate is inside the same scope (eg., unconditional 168513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle * or in same conditional then ignore it */ 168613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if ((conflict == 1 && cond == NULL) 168713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle || node->parse_context == cond) 168813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return EXPAND_RULE_SUCCESS; 168913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ERR(handle, "duplicate TE rule for %s %s:%s %s", 169013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle p->p_type_val_to_name[avkey.source_type - 169113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 1], 169213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle p->p_type_val_to_name[avkey.target_type - 169313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 1], 169413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle p->p_class_val_to_name[avkey.target_class - 169513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 1], 169613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle p->p_type_val_to_name[oldtype - 1]); 169713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return EXPAND_RULE_CONFLICT; 169813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 169913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ERR(handle, 170013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle "conflicting TE rule for (%s, 
%s:%s): old was %s, new is %s", 170113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle p->p_type_val_to_name[avkey.source_type - 1], 170213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle p->p_type_val_to_name[avkey.target_type - 1], 170313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle p->p_class_val_to_name[avkey.target_class - 1], 170413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle p->p_type_val_to_name[oldtype - 1], 170513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle p->p_type_val_to_name[remapped_data - 1]); 170613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return EXPAND_RULE_CONFLICT; 170713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 170813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 170913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle node = find_avtab_node(handle, avtab, &avkey, cond); 171013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!node) 171113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 171213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (enabled) { 171313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle node->key.specified |= AVTAB_ENABLED; 171413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } else { 171513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle node->key.specified &= ~AVTAB_ENABLED; 171613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 171713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 171813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle avdatump = &node->datum; 171913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (specified & AVRULE_TRANSITION) { 172013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle avdatump->data = remapped_data; 172113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } else if (specified & AVRULE_MEMBER) { 172213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle avdatump->data = remapped_data; 172313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } else if (specified & AVRULE_CHANGE) { 
172413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle avdatump->data = remapped_data; 172513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } else { 172613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle assert(0); /* should never occur */ 172713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 172813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 172913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle cur = cur->next; 173013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 173113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 173213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return EXPAND_RULE_SUCCESS; 173313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 173413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 173513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlestatic int expand_avrule_helper(sepol_handle_t * handle, 173613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle uint32_t specified, 173713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle cond_av_list_t ** cond, 173813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle uint32_t stype, uint32_t ttype, 173913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle class_perm_node_t * perms, avtab_t * avtab, 174013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle int enabled) 174113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 174213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle avtab_key_t avkey; 174313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle avtab_datum_t *avdatump; 174413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle avtab_ptr_t node; 174513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle class_perm_node_t *cur; 174613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle uint32_t spec = 0; 174713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 174813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (specified & AVRULE_ALLOWED) { 174913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle spec = AVTAB_ALLOWED; 
175013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } else if (specified & AVRULE_AUDITALLOW) { 175113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle spec = AVTAB_AUDITALLOW; 175213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } else if (specified & AVRULE_AUDITDENY) { 175313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle spec = AVTAB_AUDITDENY; 175413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } else if (specified & AVRULE_DONTAUDIT) { 175513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (handle && handle->disable_dontaudit) 175613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return EXPAND_RULE_SUCCESS; 175713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle spec = AVTAB_AUDITDENY; 175813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } else if (specified & AVRULE_NEVERALLOW) { 175913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle spec = AVTAB_NEVERALLOW; 176013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } else { 176113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle assert(0); /* unreachable */ 176213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 176313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 176413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle cur = perms; 176513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle while (cur) { 176613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle avkey.source_type = stype + 1; 176713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle avkey.target_type = ttype + 1; 176813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle avkey.target_class = cur->class; 176913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle avkey.specified = spec; 177013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 177113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle node = find_avtab_node(handle, avtab, &avkey, cond); 177213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!node) 177313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return 
EXPAND_RULE_ERROR; 177413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (enabled) { 177513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle node->key.specified |= AVTAB_ENABLED; 177613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } else { 177713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle node->key.specified &= ~AVTAB_ENABLED; 177813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 177913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 178013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle avdatump = &node->datum; 178113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (specified & AVRULE_ALLOWED) { 178213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle avdatump->data |= cur->data; 178313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } else if (specified & AVRULE_AUDITALLOW) { 178413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle avdatump->data |= cur->data; 178513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } else if (specified & AVRULE_NEVERALLOW) { 178613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle avdatump->data |= cur->data; 178713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } else if (specified & AVRULE_AUDITDENY) { 178813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle /* Since a '0' in an auditdeny mask represents 178913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle * a permission we do NOT want to audit 179013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle * (dontaudit), we use the '&' operand to 179113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle * ensure that all '0's in the mask are 179213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle * retained (much unlike the allow and 179313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle * auditallow cases). 
179413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle */ 179513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle avdatump->data &= cur->data; 179613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } else if (specified & AVRULE_DONTAUDIT) { 179713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (avdatump->data) 179813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle avdatump->data &= ~cur->data; 179913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle else 180013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle avdatump->data = ~cur->data; 180113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } else { 180213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle assert(0); /* should never occur */ 180313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 180413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 180513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle cur = cur->next; 180613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 180713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return EXPAND_RULE_SUCCESS; 180813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 180913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 181013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlestatic int expand_rule_helper(sepol_handle_t * handle, 181113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle policydb_t * p, uint32_t * typemap, 181213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle avrule_t * source_rule, avtab_t * dest_avtab, 181313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle cond_av_list_t ** cond, cond_av_list_t ** other, 181413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle int enabled, 181513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ebitmap_t * stypes, ebitmap_t * ttypes) 181613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 181713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle unsigned int i, j; 181813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle int retval; 
181913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ebitmap_node_t *snode, *tnode; 182013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 182113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ebitmap_for_each_bit(stypes, snode, i) { 182213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!ebitmap_node_get_bit(snode, i)) 182313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle continue; 182413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (source_rule->flags & RULE_SELF) { 182513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (source_rule->specified & AVRULE_AV) { 1826c43f5b1d34d9cbdc767254046d9b7e0ab47b866dEric Paris retval = expand_avrule_helper(handle, source_rule->specified, 1827c43f5b1d34d9cbdc767254046d9b7e0ab47b866dEric Paris cond, i, i, source_rule->perms, 1828c43f5b1d34d9cbdc767254046d9b7e0ab47b866dEric Paris dest_avtab, enabled); 1829c43f5b1d34d9cbdc767254046d9b7e0ab47b866dEric Paris if (retval != EXPAND_RULE_SUCCESS) 183013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return retval; 183113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } else { 1832c43f5b1d34d9cbdc767254046d9b7e0ab47b866dEric Paris retval = expand_terule_helper(handle, p, typemap, 1833c43f5b1d34d9cbdc767254046d9b7e0ab47b866dEric Paris source_rule->specified, cond, 1834c43f5b1d34d9cbdc767254046d9b7e0ab47b866dEric Paris other, i, i, source_rule->perms, 1835c43f5b1d34d9cbdc767254046d9b7e0ab47b866dEric Paris dest_avtab, enabled); 1836c43f5b1d34d9cbdc767254046d9b7e0ab47b866dEric Paris if (retval != EXPAND_RULE_SUCCESS) 183713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return retval; 183813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 183913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 184013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ebitmap_for_each_bit(ttypes, tnode, j) { 184113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!ebitmap_node_get_bit(tnode, j)) 184213cd4c8960688af11ad23b4c946149015c80d54Joshua 
Brindle continue; 184313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (source_rule->specified & AVRULE_AV) { 1844c43f5b1d34d9cbdc767254046d9b7e0ab47b866dEric Paris retval = expand_avrule_helper(handle, source_rule->specified, 1845c43f5b1d34d9cbdc767254046d9b7e0ab47b866dEric Paris cond, i, j, source_rule->perms, 1846c43f5b1d34d9cbdc767254046d9b7e0ab47b866dEric Paris dest_avtab, enabled); 1847c43f5b1d34d9cbdc767254046d9b7e0ab47b866dEric Paris if (retval != EXPAND_RULE_SUCCESS) 184813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return retval; 184913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } else { 1850c43f5b1d34d9cbdc767254046d9b7e0ab47b866dEric Paris retval = expand_terule_helper(handle, p, typemap, 1851c43f5b1d34d9cbdc767254046d9b7e0ab47b866dEric Paris source_rule->specified, cond, 1852c43f5b1d34d9cbdc767254046d9b7e0ab47b866dEric Paris other, i, j, source_rule->perms, 1853c43f5b1d34d9cbdc767254046d9b7e0ab47b866dEric Paris dest_avtab, enabled); 1854c43f5b1d34d9cbdc767254046d9b7e0ab47b866dEric Paris if (retval != EXPAND_RULE_SUCCESS) 185513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return retval; 185613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 185713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 185813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 185913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 186013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return EXPAND_RULE_SUCCESS; 186113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 186213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 186313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle/* 186413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle * Expand a rule into a given avtab - checking for conflicting type 186513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle * rules in the destination policy. 
Return EXPAND_RULE_SUCCESS on 186613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle * success, EXPAND_RULE_CONFLICT if the rule conflicts with something 186713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle * (and hence was not added), or EXPAND_RULE_ERROR on error. 186813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle */ 186913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlestatic int convert_and_expand_rule(sepol_handle_t * handle, 187013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle policydb_t * dest_pol, uint32_t * typemap, 187113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle avrule_t * source_rule, avtab_t * dest_avtab, 187213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle cond_av_list_t ** cond, 187313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle cond_av_list_t ** other, int enabled, 187413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle int do_neverallow) 187513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 187613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle int retval; 187713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ebitmap_t stypes, ttypes; 187813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle unsigned char alwaysexpand; 187913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 188013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!do_neverallow && source_rule->specified & AVRULE_NEVERALLOW) 188113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return EXPAND_RULE_SUCCESS; 188213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 188313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ebitmap_init(&stypes); 188413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ebitmap_init(&ttypes); 188513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 188613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle /* Force expansion for type rules and for self rules. 
*/ 188713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle alwaysexpand = ((source_rule->specified & AVRULE_TYPE) || 188813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle (source_rule->flags & RULE_SELF)); 188913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 189013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (expand_convert_type_set 189113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle (dest_pol, typemap, &source_rule->stypes, &stypes, alwaysexpand)) 189213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return EXPAND_RULE_ERROR; 189313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (expand_convert_type_set 189413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle (dest_pol, typemap, &source_rule->ttypes, &ttypes, alwaysexpand)) 189513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return EXPAND_RULE_ERROR; 189613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 189713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle retval = expand_rule_helper(handle, dest_pol, typemap, 189813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle source_rule, dest_avtab, 189913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle cond, other, enabled, &stypes, &ttypes); 190013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ebitmap_destroy(&stypes); 190113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ebitmap_destroy(&ttypes); 190213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return retval; 190313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 190413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 190513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlestatic int cond_avrule_list_copy(policydb_t * dest_pol, avrule_t * source_rules, 190613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle avtab_t * dest_avtab, cond_av_list_t ** list, 190713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle cond_av_list_t ** other, uint32_t * typemap, 190813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle int enabled, expand_state_t 
* state) 190913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 191013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle avrule_t *cur; 191113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 191213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle cur = source_rules; 191313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle while (cur) { 191413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (convert_and_expand_rule(state->handle, dest_pol, 191513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle typemap, cur, dest_avtab, 191613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle list, other, enabled, 191713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 0) != EXPAND_RULE_SUCCESS) { 191813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 191913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 192013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 192113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle cur = cur->next; 192213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 192313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 192413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return 0; 192513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 192613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 192713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlestatic int cond_node_map_bools(expand_state_t * state, cond_node_t * cn) 192813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 192913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle cond_expr_t *cur; 193013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle unsigned int i; 193113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 193213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle cur = cn->expr; 193313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle while (cur) { 193413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (cur->bool) 193513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle cur->bool = state->boolmap[cur->bool - 1]; 
193613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle cur = cur->next; 193713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 193813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 193913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle for (i = 0; i < min(cn->nbools, COND_MAX_BOOLS); i++) 194013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle cn->bool_ids[i] = state->boolmap[cn->bool_ids[i] - 1]; 194113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 194213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (cond_normalize_expr(state->out, cn)) { 194313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ERR(state->handle, "Error while normalizing conditional"); 194413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 194513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 194613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 194713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return 0; 194813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 194913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 195013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle/* copy the nodes in *reverse* order -- the result is that the last 195113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle * given conditional appears first in the policy, so as to match the 195213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle * behavior of the upstream compiler */ 195313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindlestatic int cond_node_copy(expand_state_t * state, cond_node_t * cn) 195413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 195513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle cond_node_t *new_cond, *tmp; 195613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 195713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (cn == NULL) { 195813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return 0; 195913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 196013cd4c8960688af11ad23b4c946149015c80d54Joshua 
Brindle if (cond_node_copy(state, cn->next)) { 196113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 196213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 19635722d765c756ac8dc52c52077f9311b8886fe8daHarry Ciao 19645722d765c756ac8dc52c52077f9311b8886fe8daHarry Ciao /* If current cond_node_t is of tunable, its effective branch 19655722d765c756ac8dc52c52077f9311b8886fe8daHarry Ciao * has been appended to its home decl->avrules list during link 19665722d765c756ac8dc52c52077f9311b8886fe8daHarry Ciao * and now we should just skip it. */ 19675722d765c756ac8dc52c52077f9311b8886fe8daHarry Ciao if (cn->flags & COND_NODE_FLAGS_TUNABLE) 19685722d765c756ac8dc52c52077f9311b8886fe8daHarry Ciao return 0; 19695722d765c756ac8dc52c52077f9311b8886fe8daHarry Ciao 197013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (cond_normalize_expr(state->base, cn)) { 197113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ERR(state->handle, "Error while normalizing conditional"); 197213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 197313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 197413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 197513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle /* create a new temporary conditional node with the booleans 197613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle * mapped */ 197713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle tmp = cond_node_create(state->base, cn); 197813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!tmp) { 197913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ERR(state->handle, "Out of memory"); 198013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 198113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 198213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 198313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (cond_node_map_bools(state, tmp)) { 198413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ERR(state->handle, 
"Error mapping booleans"); 198513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 198613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 198713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 198813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle new_cond = cond_node_search(state->out, state->out->cond_list, tmp); 198913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!new_cond) { 199013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle cond_node_destroy(tmp); 199113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle free(tmp); 199213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ERR(state->handle, "Out of memory!"); 199313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 199413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 199513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle cond_node_destroy(tmp); 199613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle free(tmp); 199713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 199813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (cond_avrule_list_copy 199913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle (state->out, cn->avtrue_list, &state->out->te_cond_avtab, 200013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle &new_cond->true_list, &new_cond->false_list, state->typemap, 200113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle new_cond->cur_state, state)) 200213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 200313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (cond_avrule_list_copy 200413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle (state->out, cn->avfalse_list, &state->out->te_cond_avtab, 200513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle &new_cond->false_list, &new_cond->true_list, state->typemap, 200613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle !new_cond->cur_state, state)) 200713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 
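/* end of cond_node_copy(); its head lies above this span */
	return 0;
}

/*
 * Translate one security context from the base policy into the expanded
 * output policy: the user, role and type values are rewritten through
 * state->usermap/rolemap/typemap (the maps are indexed by value - 1) and
 * the MLS part is copied by mls_context_cpy().
 *
 * Returns 0 on success, otherwise the non-zero result of mls_context_cpy().
 * src must carry a real context: callers treat a zero user value as
 * "no context" and must reject it before calling (see the OCON_ISID
 * checks below), since it is not a valid map index.
 */
static int context_copy(context_struct_t * dst, context_struct_t * src,
			expand_state_t * state)
{
	dst->user = state->usermap[src->user - 1];
	dst->role = state->rolemap[src->role - 1];
	dst->type = state->typemap[src->type - 1];
	return mls_context_cpy(dst, src);
}

/*
 * Copy every Xen object context list from state->base into state->out,
 * one ocontext_t per entry, mapping context[0] with context_copy().
 *
 * Each new node is linked into state->out->ocontexts[i] before it is
 * filled in, so a failure part-way leaves the nodes owned by the output
 * policy rather than orphaned.  Returns 0 on success, -1 on error (out
 * of memory, an initial SID without a context, or an unknown ocontext
 * index).
 */
static int ocontext_copy_xen(expand_state_t *state)
{
	unsigned int i;
	ocontext_t *c, *n, *l;

	for (i = 0; i < OCON_NUM; i++) {
		l = NULL;
		for (c = state->base->ocontexts[i]; c; c = c->next) {
			/* calloc zeroes the node: context, next and sid start empty */
			n = calloc(1, sizeof(*n));
			if (!n) {
				ERR(state->handle, "Out of memory!");
				return -1;
			}
			if (l)
				l->next = n;
			else
				state->out->ocontexts[i] = n;
			l = n;
			switch (i) {
			case OCON_XEN_ISID:
				/* a zero user marks an initial sid whose context
				 * was never defined */
				if (c->context[0].user == 0) {
					ERR(state->handle,
					    "Missing context for %s initial sid",
					    c->u.name);
					return -1;
				}
				n->sid[0] = c->sid[0];
				break;
			case OCON_XEN_PIRQ:
				n->u.pirq = c->u.pirq;
				break;
			case OCON_XEN_IOPORT:
				n->u.ioport.low_ioport = c->u.ioport.low_ioport;
				n->u.ioport.high_ioport =
				    c->u.ioport.high_ioport;
				break;
			case OCON_XEN_IOMEM:
				n->u.iomem.low_iomem = c->u.iomem.low_iomem;
				n->u.iomem.high_iomem = c->u.iomem.high_iomem;
				break;
			case OCON_XEN_PCIDEVICE:
				n->u.device = c->u.device;
				break;
			default:
				/* shouldn't get here */
				ERR(state->handle, "Unknown ocontext");
				return -1;
			}
			/* the primary context is mapped for every kind */
			if (context_copy(&n->context[0], &c->context[0],
					 state)) {
				ERR(state->handle, "Out of memory!");
				return -1;
			}
		}
	}
	return 0;
}

/*
 * Copy every SELinux object context list from state->base into
 * state->out, one ocontext_t per entry.  Per-kind payloads (names,
 * ports, node addresses/masks, fs_use behaviour) are duplicated and the
 * contexts are mapped with context_copy(): context[0] for every kind,
 * plus context[1] for OCON_FS and OCON_NETIF.
 *
 * Each new node is linked into state->out->ocontexts[i] before it is
 * filled in, so a failure part-way leaves the nodes owned by the output
 * policy rather than orphaned.  Returns 0 on success, -1 on error.
 */
static int ocontext_copy_selinux(expand_state_t *state)
{
	unsigned int i, j;
	ocontext_t *c, *n, *l;

	for (i = 0; i < OCON_NUM; i++) {
		l = NULL;
		for (c = state->base->ocontexts[i]; c; c = c->next) {
			/* calloc zeroes the node: context, next and sid start empty */
			n = calloc(1, sizeof(*n));
			if (!n) {
				ERR(state->handle, "Out of memory!");
				return -1;
			}
			if (l)
				l->next = n;
			else
				state->out->ocontexts[i] = n;
			l = n;
			switch (i) {
			case OCON_ISID:
				/* a zero user marks an initial sid whose context
				 * was never defined */
				if (c->context[0].user == 0) {
					ERR(state->handle,
					    "Missing context for %s initial sid",
					    c->u.name);
					return -1;
				}
				n->sid[0] = c->sid[0];
				break;
			case OCON_FS:	/* FALLTHROUGH */
			case OCON_NETIF:
				n->u.name = strdup(c->u.name);
				if (!n->u.name) {
					ERR(state->handle, "Out of memory!");
					return -1;
				}
				/* these two kinds carry a second context */
				if (context_copy
				    (&n->context[1], &c->context[1], state)) {
					ERR(state->handle, "Out of memory!");
					return -1;
				}
				break;
			case OCON_PORT:
				n->u.port.protocol = c->u.port.protocol;
				n->u.port.low_port = c->u.port.low_port;
				n->u.port.high_port = c->u.port.high_port;
				break;
			case OCON_NODE:
				n->u.node.addr = c->u.node.addr;
				n->u.node.mask = c->u.node.mask;
				break;
			case OCON_FSUSE:
				n->v.behavior = c->v.behavior;
				n->u.name = strdup(c->u.name);
				if (!n->u.name) {
					ERR(state->handle, "Out of memory!");
					return -1;
				}
				break;
			case OCON_NODE6:
				for (j = 0; j < 4; j++)
					n->u.node6.addr[j] = c->u.node6.addr[j];
				for (j = 0; j < 4; j++)
					n->u.node6.mask[j] = c->u.node6.mask[j];
				break;
			default:
				/* shouldn't get here */
				ERR(state->handle, "Unknown ocontext");
				return -1;
			}
			/* the primary context is mapped for every kind */
			if (context_copy(&n->context[0], &c->context[0], state)) {
				ERR(state->handle, "Out of memory!");
				return -1;
			}
		}
	}
	return 0;
}

/*
 * Dispatch the object context copy on the policy target platform.
 * Returns the result of the selected copier, or -1 (after logging) for
 * a target that is neither SEPOL_TARGET_SELINUX nor SEPOL_TARGET_XEN.
 */
static int ocontext_copy(expand_state_t *state, uint32_t target)
{
	int rc = -1;
	switch (target) {
	case SEPOL_TARGET_SELINUX:
		rc = ocontext_copy_selinux(state);
		break;
	case SEPOL_TARGET_XEN:
		rc = ocontext_copy_xen(state);
		break;
	default:
		ERR(state->handle, "Unknown target");
		return -1;
	}
	return rc;
}

/*
 * Copy the genfscon list from state->base into state->out: one genfs_t
 * per filesystem type and one ocontext_t per path entry under it, with
 * each entry's context[0] mapped through context_copy().
 *
 * As in the ocontext copiers, every new node is linked into the output
 * list before it is filled in, so a failure leaves a partially built
 * but reachable list rather than an orphaned allocation.  The result of
 * context_copy() is checked like every other allocation here.
 * Returns 0 on success, -1 on error.
 */
static int genfs_copy(expand_state_t * state)
{
	ocontext_t *c, *newc, *l;
	genfs_t *genfs, *newgenfs, *end;

	end = NULL;
	for (genfs = state->base->genfs; genfs; genfs = genfs->next) {
		/* calloc zeroes fstype/head/next so a half-filled node is safe */
		newgenfs = calloc(1, sizeof(*newgenfs));
		if (!newgenfs) {
			ERR(state->handle, "Out of memory!");
			return -1;
		}
		if (end)
			end->next = newgenfs;
		else
			state->out->genfs = newgenfs;
		end = newgenfs;

		newgenfs->fstype = strdup(genfs->fstype);
		if (!newgenfs->fstype) {
			ERR(state->handle, "Out of memory!");
			return -1;
		}

		l = NULL;
		for (c = genfs->head; c; c = c->next) {
			newc = calloc(1, sizeof(*newc));
			if (!newc) {
				ERR(state->handle, "Out of memory!");
				return -1;
			}
			if (l)
				l->next = newc;
			else
				newgenfs->head = newc;
			l = newc;

			newc->u.name = strdup(c->u.name);
			if (!newc->u.name) {
				ERR(state->handle, "Out of memory!");
				return -1;
			}
			newc->v.sclass = c->v.sclass;
			if (context_copy(&newc->context[0], &c->context[0],
					 state)) {
				ERR(state->handle, "Out of memory!");
				return -1;
			}
		}
	}
	return 0;
}

/*
 * hashtab_map() callback over the type table.  For an attribute it
 * copies the attribute's member types into p->attr_type_map[attr - 1]
 * and sets the attribute's bit in p->type_attr_map[type] for every
 * member type; plain types are left alone.  ptr is the expand_state_t
 * and p is its output policy.
 *
 * Returns 0 on success, -1 if an ebitmap operation fails.
 */
static int type_attr_map(hashtab_key_t key
			 __attribute__ ((unused)), hashtab_datum_t datum,
			 void *ptr)
{
	type_datum_t *type;
	expand_state_t *state = ptr;
	policydb_t *p = state->out;
	unsigned int i;
	ebitmap_node_t *tnode;

	type = (type_datum_t *) datum;
	if (type->flavor == TYPE_ATTRIB) {
		if (ebitmap_cpy(&p->attr_type_map[type->s.value - 1],
				&type->types)) {
			ERR(state->handle, "Out of memory!");
			return -1;
		}
		/* reverse map: each member type records this attribute */
		ebitmap_for_each_bit(&type->types, tnode, i) {
			if (!ebitmap_node_get_bit(tnode, i))
				continue;
			if (ebitmap_set_bit(&p->type_attr_map[i],
					    type->s.value - 1, 1)) {
				ERR(state->handle, "Out of memory!");
				return -1;
			}
		}
	}
	return 0;
}

/* converts typeset using typemap and expands into ebitmap_t types using the attributes in the passed in policy.
 * this should not be called until after all the blocks have been processed and the attributes in target policy
 * are complete.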
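*/
/*
 * p             target policy whose attributes drive the expansion
 * typemap       value map applied to set->types and set->negset by
 *               map_ebitmap()
 * set           source type set to convert
 * types         receives the expanded result
 * alwaysexpand  forwarded to type_set_expand()
 *
 * Returns 0 on success, -1 on error.  The temporary mapped set is
 * released on every path, including the failure of either mapping or
 * of the expansion itself.
 */
int expand_convert_type_set(policydb_t * p, uint32_t * typemap,
			    type_set_t * set, ebitmap_t * types,
			    unsigned char alwaysexpand)
{
	type_set_t tmpset;
	int rc = -1;

	type_set_init(&tmpset);

	/* rewrite both the positive and the negative set through typemap */
	if (map_ebitmap(&set->types, &tmpset.types, typemap))
		goto out;
	if (map_ebitmap(&set->negset, &tmpset.negset, typemap))
		goto out;
	tmpset.flags = set->flags;

	/* resolve attributes against the (complete) target policy */
	if (type_set_expand(&tmpset, types, p, alwaysexpand))
		goto out;

	rc = 0;
out:
	type_set_destroy(&tmpset);
	return rc;
}

/* Expand a rule into a given avtab - checking for conflicting type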
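* rules. Return 1 on success, 0 if the rule conflicts with something
 * (and hence was not added), or -1 on error.
 *
 * The source and target type sets are expanded with alwaysexpand set,
 * so attributes are always resolved to their member types before the
 * rule is handed to expand_rule_helper().  Both temporary bitmaps are
 * released on every path, including a failed expansion.
 */
int expand_rule(sepol_handle_t * handle,
		policydb_t * source_pol,
		avrule_t * source_rule, avtab_t * dest_avtab,
		cond_av_list_t ** cond, cond_av_list_t ** other, int enabled)
{
	int retval = -1;
	ebitmap_t stypes, ttypes;

	/* neverallow rules are never inserted into an avtab */
	if (source_rule->specified & AVRULE_NEVERALLOW)
		return 1;

	ebitmap_init(&stypes);
	ebitmap_init(&ttypes);

	if (type_set_expand(&source_rule->stypes, &stypes, source_pol, 1))
		goto out;
	if (type_set_expand(&source_rule->ttypes, &ttypes, source_pol, 1))
		goto out;
	retval = expand_rule_helper(handle, source_pol, NULL,
				    source_rule, dest_avtab,
				    cond, other, enabled, &stypes, &ttypes);
out:
	ebitmap_destroy(&stypes);
	ebitmap_destroy(&ttypes);
	return retval;
}

/* Expand a role set into an ebitmap containing the roles.
 * This handles the attribute and flags.
 * Attribute expansion depends on if the rolemap is available.
 * During module compile the rolemap is not available, the
 * possible duplicates of a regular role and the role attribute
 * the regular role belongs to could be properly handled by
 * copy_role_trans and copy_role_allow.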
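*/
/*
 * x        role set to expand; r is initialised here and receives the
 *          result
 * out      output policy; its role count bounds a ROLE_STAR expansion
 * base     policy whose role_val_to_struct[] resolves role attributes
 *          (must be non-NULL when rolemap is given; asserted below)
 * rolemap  optional value map applied with map_ebitmap(); when NULL the
 *          roles are copied without attribute expansion
 *
 * Returns 0 on success, -1 on error.  The temporary bitmaps are
 * released on every path that initialised them.
 */
int role_set_expand(role_set_t * x, ebitmap_t * r, policydb_t * out, policydb_t * base, uint32_t * rolemap)
{
	unsigned int i;
	ebitmap_node_t *rnode;
	ebitmap_t mapped_roles, roles;
	policydb_t *p = out;
	role_datum_t *role;

	ebitmap_init(r);

	if (x->flags & ROLE_STAR) {
		/* every role of the output policy: nprim is only read here,
		 * the loop bound must never be modified while iterating */
		for (i = 0; i < p->p_roles.nprim; i++)
			if (ebitmap_set_bit(r, i, 1))
				return -1;
		return 0;
	}

	ebitmap_init(&mapped_roles);
	ebitmap_init(&roles);

	if (rolemap) {
		assert(base != NULL);
		ebitmap_for_each_bit(&x->roles, rnode, i) {
			if (ebitmap_node_get_bit(rnode, i)) {
				/* take advantage of p_role_val_to_struct[]
				 * of the base module */
				role = base->role_val_to_struct[i];
				assert(role != NULL);
				if (role->flavor == ROLE_ATTRIB) {
					/* an attribute stands for all of its
					 * member roles */
					if (ebitmap_union(&roles,
							  &role->roles))
						goto bad;
				} else {
					if (ebitmap_set_bit(&roles, i, 1))
						goto bad;
				}
			}
		}
		if (map_ebitmap(&roles, &mapped_roles, rolemap))
			goto bad;
	} else {
		if (ebitmap_cpy(&mapped_roles, &x->roles))
			goto bad;
	}

	ebitmap_for_each_bit(&mapped_roles, rnode, i) {
		if (ebitmap_node_get_bit(rnode, i)) {
			if (ebitmap_set_bit(r, i, 1))
				goto bad;
		}
	}

	ebitmap_destroy(&mapped_roles);
	ebitmap_destroy(&roles);

	/* if role is to be complimented, invert the entire bitmap here */
	if (x->flags & ROLE_COMP) {
		for (i = 0; i < ebitmap_length(r); i++) {
			if (ebitmap_get_bit(r, i)) {
				if (ebitmap_set_bit(r, i, 0))
					return -1;
			} else {
				if (ebitmap_set_bit(r, i, 1))
					return -1;
			}
		}
	}
	return 0;

bad:
	ebitmap_destroy(&mapped_roles);
	ebitmap_destroy(&roles);
	return -1;
}

/* Expand a type set into an ebitmap containing the types.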
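This
 * handles the negset, attributes, and flags.
 * Attribute expansion depends on several factors:
 * - if alwaysexpand is 1, then they will be expanded,
 * - if the type set has a negset or flags, then they will be expanded,
 * - otherwise, they will not be expanded.
 *
 * The result is written to @t, which is (re)initialized here and owned by
 * the caller afterwards.  Returns 0 on success and -1 on allocation failure;
 * on failure @t may hold a partial result that the caller should destroy.
 * The temporary bitmaps used internally are released on every path.
 */
int type_set_expand(type_set_t * set, ebitmap_t * t, policydb_t * p,
		    unsigned char alwaysexpand)
{
	unsigned int i;
	ebitmap_t types, neg_types;
	ebitmap_node_t *tnode;
	int rc = -1;

	/* Initialize both temporaries up front so the single cleanup path
	 * at 'out' is valid no matter where an allocation fails. */
	ebitmap_init(&types);
	ebitmap_init(&neg_types);
	ebitmap_init(t);

	if (alwaysexpand || ebitmap_length(&set->negset) || set->flags) {
		/* First go through the types and OR all the attributes to types;
		 * plain types are carried over unchanged. */
		ebitmap_for_each_bit(&set->types, tnode, i) {
			if (!ebitmap_node_get_bit(tnode, i))
				continue;
			/* Treat a missing type entry the same way the negset,
			 * TYPE_STAR and TYPE_COMP loops below do, instead of
			 * dereferencing a NULL type_val_to_struct slot. */
			if (p->type_val_to_struct[i] &&
			    p->type_val_to_struct[i]->flavor == TYPE_ATTRIB) {
				if (ebitmap_union(&types,
						  &p->type_val_to_struct[i]->types))
					goto out;
			} else if (ebitmap_set_bit(&types, i, 1)) {
				goto out;
			}
		}
	} else {
		/* No expansion of attributes, just copy the set as is. */
		if (ebitmap_cpy(&types, &set->types))
			goto out;
	}

	/* Now do the same thing for negset */
	ebitmap_for_each_bit(&set->negset, tnode, i) {
		if (!ebitmap_node_get_bit(tnode, i))
			continue;
		if (p->type_val_to_struct[i] &&
		    p->type_val_to_struct[i]->flavor == TYPE_ATTRIB) {
			if (ebitmap_union(&neg_types,
					  &p->type_val_to_struct[i]->types))
				goto out;
		} else if (ebitmap_set_bit(&neg_types, i, 1)) {
			goto out;
		}
	}

	if (set->flags & TYPE_STAR) {
		/* '*': set all non-attribute types not in neg_types; the
		 * positive set plays no role in this case. */
		for (i = 0; i < p->p_types.nprim; i++) {
			if (ebitmap_get_bit(&neg_types, i))
				continue;
			if (p->type_val_to_struct[i] &&
			    p->type_val_to_struct[i]->flavor == TYPE_ATTRIB)
				continue;
			if (ebitmap_set_bit(t, i, 1))
				goto out;
		}
		rc = 0;
		goto out;
	}

	/* Positive types minus the negated ones. */
	ebitmap_for_each_bit(&types, tnode, i) {
		if (ebitmap_node_get_bit(tnode, i)
		    && !ebitmap_get_bit(&neg_types, i)) {
			if (ebitmap_set_bit(t, i, 1))
				goto out;
		}
	}

	if (set->flags & TYPE_COMP) {
		/* '~': invert the result over every non-attribute type. */
		for (i = 0; i < p->p_types.nprim; i++) {
			if (p->type_val_to_struct[i] &&
			    p->type_val_to_struct[i]->flavor == TYPE_ATTRIB) {
				/* attributes were expanded above, so none
				 * may appear in the result itself */
				assert(!ebitmap_get_bit(t, i));
				continue;
			}
			if (ebitmap_set_bit(t, i, !ebitmap_get_bit(t, i)))
				goto out;
		}
	}

	rc = 0;

out:
	ebitmap_destroy(&types);
	ebitmap_destroy(&neg_types);
	return rc;
}

/*
 * Copy a neverallow rule into the expanded policy so that the assertion
 * checker can evaluate it later.  The source and target type sets are
 * converted through @typemap (the trailing 1 passed to
 * expand_convert_type_set presumably requests full attribute expansion,
 * matching type_set_expand's alwaysexpand) and the class/permission list
 * is duplicated node by node.  The new rule is prepended to the first
 * avrule branch of @dest_pol, which is never written to disk.
 *
 * Returns 0 on success, -1 on allocation failure; on failure nothing
 * allocated here is left behind.
 */
static int copy_neverallow(policydb_t * dest_pol, uint32_t * typemap,
			   avrule_t * source_rule)
{
	ebitmap_t stypes, ttypes;
	avrule_t *avrule;
	class_perm_node_t *cur_perm, *new_perm, *tail_perm;
	int rc = -1;

	ebitmap_init(&stypes);
	ebitmap_init(&ttypes);

	/* Both conversions exit through 'out' on failure so a bitmap built
	 * by the first call is released if the second one fails. */
	if (expand_convert_type_set
	    (dest_pol, typemap, &source_rule->stypes, &stypes, 1))
		goto out;
	if (expand_convert_type_set
	    (dest_pol, typemap, &source_rule->ttypes, &ttypes, 1))
		goto out;

	avrule = malloc(sizeof *avrule);
	if (!avrule)
		goto out;

	avrule_init(avrule);
	avrule->specified = AVRULE_NEVERALLOW;
	avrule->line = source_rule->line;
	avrule->flags = source_rule->flags;

	if (ebitmap_cpy(&avrule->stypes.types, &stypes))
		goto err;
	if (ebitmap_cpy(&avrule->ttypes.types, &ttypes))
		goto err;

	/* Duplicate the class/perm list, preserving its order. */
	tail_perm = NULL;
	for (cur_perm = source_rule->perms; cur_perm; cur_perm = cur_perm->next) {
		new_perm = malloc(sizeof *new_perm);
		if (!new_perm)
			goto err;
		class_perm_node_init(new_perm);
		new_perm->class = cur_perm->class;
		assert(new_perm->class);

		/* once we have modules with permissions we'll need to map the permissions (and classes) */
		new_perm->data = cur_perm->data;

		if (tail_perm)
			tail_perm->next = new_perm;
		else
			avrule->perms = new_perm;
		tail_perm = new_perm;
	}

	/* just prepend the avrule to the first branch; it'll never be
	 * written to disk */
	avrule->next = dest_pol->global->branch_list->avrules;
	dest_pol->global->branch_list->avrules = avrule;

	rc = 0;
	goto out;

err:
	/* Tear down the partially built rule; its perms list is exactly as
	 * long as was successfully allocated. */
	ebitmap_destroy(&avrule->stypes.types);
	ebitmap_destroy(&avrule->ttypes.types);
	cur_perm = avrule->perms;
	while (cur_perm) {
		tail_perm = cur_perm->next;
		free(cur_perm);
		cur_perm = tail_perm;
	}
	free(avrule);

out:
	ebitmap_destroy(&stypes);
	ebitmap_destroy(&ttypes);
	return rc;
}

/*
 * Expands the avrule blocks for a policy. RBAC rules are copied. Neverallow
 * rules are copied or expanded as per the settings in the state object; all
 * other AV rules are expanded. If neverallow rules are expanded, they are not
 * copied, otherwise they are copied for later use by the assertion checker.
 *
 * Every avrule block of state->base is visited in order and its enabled decl
 * processed.  When the handle asks for the base to be consumed
 * (expand_consume_base), each block is destroyed right after it has been
 * processed and state->base->global is advanced past it, so the base can
 * still be destroyed safely if a later step fails.
 *
 * Returns 0 on success, -1 on any error.
 */
static int copy_and_expand_avrule_block(expand_state_t * state)
{
	avrule_block_t *curblock = state->base->global;
	avrule_block_t *prevblock;
	int retval = -1;

	if (avtab_alloc(&state->out->te_avtab, MAX_AVTAB_SIZE)) {
		ERR(state->handle, "Out of Memory!");
		return -1;
	}

	if (avtab_alloc(&state->out->te_cond_avtab, MAX_AVTAB_SIZE)) {
		ERR(state->handle, "Out of Memory!");
		return -1;
	}

	while (curblock) {
		avrule_decl_t *decl = curblock->enabled;
		avrule_t *cur_avrule;

		if (decl == NULL) {
			/* nothing was enabled within this block */
			goto cont;
		}

		/* copy role allows and role trans */
		if (copy_role_allows(state, decl->role_allow_rules) != 0 ||
		    copy_role_trans(state, decl->role_tr_rules) != 0) {
			goto cleanup;
		}

		if (expand_filename_trans(state, decl->filename_trans_rules))
			goto cleanup;

		/* expand the range transition rules */
		if (expand_range_trans(state, decl->range_tr_rules))
			goto cleanup;

		/* copy rules */
		for (cur_avrule = decl->avrules; cur_avrule != NULL;
		     cur_avrule = cur_avrule->next) {
			if (!(state->expand_neverallow)
			    && cur_avrule->specified & AVRULE_NEVERALLOW) {
				/* copy this over directly so that assertions are checked later */
				if (copy_neverallow
				    (state->out, state->typemap, cur_avrule)) {
					/* A neverallow that could not be copied
					 * would otherwise vanish from the later
					 * assertion check while this function
					 * still reported success; fail like
					 * every other error in this loop. */
					ERR(state->handle,
					    "Error while copying neverallow.");
					goto cleanup;
				}
				continue;
			}

			if (cur_avrule->specified & AVRULE_NEVERALLOW) {
				/* NOTE(review): expanding a neverallow marks the
				 * output as not in a supported on-disk format;
				 * presumably such entries cannot be serialized. */
				state->out->unsupported_format = 1;
			}
			if (convert_and_expand_rule
			    (state->handle, state->out, state->typemap,
			     cur_avrule, &state->out->te_avtab, NULL,
			     NULL, 0,
			     state->expand_neverallow) !=
			    EXPAND_RULE_SUCCESS) {
				goto cleanup;
			}
		}

		/* copy conditional rules */
		if (cond_node_copy(state, decl->cond_list))
			goto cleanup;

cont:
		prevblock = curblock;
		curblock = curblock->next;

		if (state->handle && state->handle->expand_consume_base) {
			/* set base top avrule block in case there
			 * is an error condition and the policy needs
			 * to be destroyed */
			state->base->global = curblock;
			avrule_block_destroy(prevblock);
		}
	}

	retval = 0;

cleanup:
	return retval;
}
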
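/*
 * This function allows external users of the library (such as setools) to
 * expand only the avrules and optionally perform expansion of neverallow rules
 * or expand into the same policy for analysis purposes.
 *
 * @handle            message handle, may be NULL
 * @base              linked base policy whose avrule blocks are expanded
 * @out               policy that receives the expanded rules
 * @typemap, @boolmap, @rolemap, @usermap
 *                    value maps from @base to @out, supplied by the caller
 *                    (expand_module() allocates its own)
 * @verbose           verbosity flag stored in the expand state
 * @expand_neverallow non-zero to expand neverallow rules instead of copying
 *                    them for the assertion checker
 *
 * Returns the result of copy_and_expand_avrule_block(): 0 on success,
 * -1 on error.
 */
int expand_module_avrules(sepol_handle_t * handle, policydb_t * base,
			  policydb_t * out, uint32_t * typemap,
			  uint32_t * boolmap, uint32_t * rolemap,
			  uint32_t * usermap, int verbose,
			  int expand_neverallow)
{
	expand_state_t state;

	expand_state_init(&state);

	state.base = base;
	state.out = out;
	state.typemap = typemap;
	state.boolmap = boolmap;
	state.rolemap = rolemap;
	state.usermap = usermap;
	state.handle = handle;
	state.verbose = verbose;
	state.expand_neverallow = expand_neverallow;

	return copy_and_expand_avrule_block(&state);
}

/*
 * Resolve the tunable conditionals in every enabled decl of @pol before
 * expansion.  A cond_node whose operands are all tunables is evaluated now:
 * the avrule list of the effective branch is appended to the decl's own
 * avrules list and detached from the node, while the unused branch stays on
 * the node, which expansion skips because it is flagged
 * COND_NODE_FLAGS_TUNABLE.  When the handle asks for tunables to be
 * preserved (@sh->preserve_tunables), or an expression mixes booleans and
 * tunables, the node is kept as a regular conditional and its tunables are
 * "transformed" into booleans by clearing their TUNABLE flag.
 *
 * @sh   option/message handle, may be NULL
 * @pol  linked base policy, modified in place
 */
static void discard_tunables(sepol_handle_t *sh, policydb_t *pol)
{
	avrule_block_t *block;
	avrule_decl_t *decl;
	cond_node_t *cur_node;
	cond_expr_t *cur_expr;
	int cur_state, preserve_tunables = 0;
	avrule_t *tail, *to_be_appended;

	if (sh && sh->preserve_tunables)
		preserve_tunables = 1;

	/* Iterate through all cond_node of all enabled decls, if a cond_node
	 * is about tunable, calculate its state value and concatenate one of
	 * its avrule list to the current decl->avrules list. On the other
	 * hand, the disabled unused branch of a tunable would be discarded.
	 *
	 * Note, such tunable cond_node would be skipped over in expansion,
	 * so we won't have to worry about removing it from decl->cond_list
	 * here :-)
	 *
	 * If tunables are requested to be preserved then they would be
	 * "transformed" as booleans by having their TUNABLE flag cleared.
	 */
	for (block = pol->global; block != NULL; block = block->next) {
		decl = block->enabled;
		if (decl == NULL || decl->enabled == 0)
			continue;

		/* Find the current tail of decl->avrules; effective tunable
		 * branches are appended behind it. */
		tail = decl->avrules;
		while (tail && tail->next)
			tail = tail->next;

		for (cur_node = decl->cond_list; cur_node != NULL;
		     cur_node = cur_node->next) {
			int booleans = 0, tunables = 0;
			cond_bool_datum_t *booldatum;

			/* First pass: count the tunable and non-tunable
			 * operands of this expression. */
			for (cur_expr = cur_node->expr; cur_expr != NULL;
			     cur_expr = cur_expr->next) {
				if (cur_expr->expr_type != COND_BOOL)
					continue;
				/* NOTE(review): relies on cur_expr->bool being a
				 * valid 1-based boolean value; nothing in this
				 * function bounds-checks it. */
				booldatum = pol->bool_val_to_struct[cur_expr->bool - 1];
				if (booldatum->flags & COND_BOOL_FLAGS_TUNABLE)
					tunables++;
				else
					booleans++;
			}

			/* bool_copy_callback() at link phase has ensured
			 * that no mixture of tunables and booleans in one
			 * expression. However, this would be broken by the
			 * request to preserve tunables */
			if (!preserve_tunables)
				assert(!(booleans && tunables));

			if (booleans || preserve_tunables) {
				cur_node->flags &= ~COND_NODE_FLAGS_TUNABLE;
				if (tunables) {
					/* Second pass clears the TUNABLE flag on
					 * every tunable operand.  This replaces
					 * collecting the operands in a temporary
					 * array of COND_EXPR_MAXDEPTH pointers:
					 * nothing here limits how many COND_BOOL
					 * operands an expression has, so a
					 * fixed-size array could be overrun. */
					for (cur_expr = cur_node->expr;
					     cur_expr != NULL;
					     cur_expr = cur_expr->next) {
						if (cur_expr->expr_type != COND_BOOL)
							continue;
						booldatum = pol->bool_val_to_struct[cur_expr->bool - 1];
						booldatum->flags &= ~COND_BOOL_FLAGS_TUNABLE;
					}
				}
				continue;
			}

			cur_node->flags |= COND_NODE_FLAGS_TUNABLE;
			cur_state = cond_evaluate_expr(pol, cur_node->expr);
			if (cur_state == -1) {
				/* NOTE(review): this is plain stdout output,
				 * not the handle-based ERR() used elsewhere
				 * in this file. */
				printf("Expression result was undefined, "
				       "skipping all rules\n");
				continue;
			}

			to_be_appended = (cur_state == 1) ?
				cur_node->avtrue_list : cur_node->avfalse_list;

			if (tail)
				tail->next = to_be_appended;
			else
				tail = decl->avrules = to_be_appended;

			/* Now that the effective branch has been
			 * appended, neutralize its original pointer */
			if (cur_state == 1)
				cur_node->avtrue_list = NULL;
			else
				cur_node->avfalse_list = NULL;

			/* Update the tail of decl->avrules for
			 * further concatenation */
			while (tail && tail->next)
				tail = tail->next;
		}
	}
}

/* Linking should always be done before calling expand, even if
 * there is only a base since all optionals are dealt with at link time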
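 * the base passed in should be indexed and avrule blocks should be
 * enabled.
 *
 * handle  - sink for ERR() diagnostics.
 * base    - the linked POLICY_BASE policy to expand.  It is modified in
 *           place: discard_tunables() splices each tunable's effective
 *           branch into its declaration's avrules and drops the other.
 * out     - receives the expanded kernel policy (POLICY_KERN at
 *           POLICYDB_VERSION_MAX).  On failure it is left partially
 *           populated; the caller is expected to policydb_destroy() it.
 * verbose - forwarded to policydb_index_others().
 * check   - when non-zero, hierarchy_check_constraints() and
 *           check_assertions() must pass before success is reported.
 *
 * Returns 0 on success, -1 on any error (already reported through ERR()).
 */
int expand_module(sepol_handle_t * handle,
		  policydb_t * base, policydb_t * out, int verbose, int check)
{
	int retval = -1;
	unsigned int i;
	expand_state_t state;
	avrule_block_t *curblock;

	/* Validate before touching base: discard_tunables() below rewrites
	 * the input, and a rejected policy should be handed back unchanged. */
	if (base->policy_type != POLICY_BASE) {
		ERR(handle, "Target of expand was not a base policy.");
		return -1;
	}

	/* Append each tunable's avtrue_list or avfalse_list to the avrules
	 * list of its home decl, depending on the tunable's state, so that
	 * the effective rules land in te_avtab permanently while the
	 * disabled branch is discarded.
	 *
	 * This used to run at the very end of the link phase; it is done
	 * here instead so that the linked policy stays intact for analysis. */
	discard_tunables(handle, base);

	expand_state_init(&state);
	state.verbose = verbose;
	state.base = base;
	state.out = out;
	state.handle = handle;

	out->policy_type = POLICY_KERN;
	out->policyvers = POLICYDB_VERSION_MAX;

	/* Global knobs carried over verbatim from base. */
	out->mls = base->mls;
	out->handle_unknown = base->handle_unknown;
	out->target_platform = base->target_platform;

	if (ebitmap_cpy(&out->policycaps, &base->policycaps)) {
		ERR(handle, "Out of memory!");
		goto cleanup;
	}

	/* base-value -> out-value translation tables, one slot per symbol
	 * value; zero-filled so a slot that is never assigned reads as 0. */
	state.typemap = calloc(base->p_types.nprim, sizeof(uint32_t));
	if (!state.typemap) {
		ERR(handle, "Out of memory!");
		goto cleanup;
	}
	state.boolmap = calloc(base->p_bools.nprim, sizeof(uint32_t));
	if (!state.boolmap) {
		ERR(handle, "Out of memory!");
		goto cleanup;
	}
	state.rolemap = calloc(base->p_roles.nprim, sizeof(uint32_t));
	if (!state.rolemap) {
		ERR(handle, "Out of memory!");
		goto cleanup;
	}
	state.usermap = calloc(base->p_users.nprim, sizeof(uint32_t));
	if (!state.usermap) {
		ERR(handle, "Out of memory!");
		goto cleanup;
	}

	/* order is important - types must be first */
	if (hashtab_map(base->p_types.table, type_copy_callback, &state))
		goto cleanup;

	/* convert attribute type sets */
	if (hashtab_map(base->p_types.table, attr_convert_callback, &state))
		goto cleanup;

	/* copy commons */
	if (hashtab_map(base->p_commons.table, common_copy_callback, &state))
		goto cleanup;

	/* copy classes; constraints are deliberately not copied here, they
	 * cannot be until every block has been processed and the attributes
	 * are complete (see constraint_copy_callback further down) */
	if (hashtab_map(base->p_classes.table, class_copy_callback, &state))
		goto cleanup;

	/* copy type bounds */
	if (hashtab_map(base->p_types.table, type_bounds_copy_callback, &state))
		goto cleanup;

	/* copy aliases */
	if (hashtab_map(base->p_types.table, alias_copy_callback, &state))
		goto cleanup;

	/* index here so that type indexes are available for role_copy_callback */
	if (policydb_index_others(handle, out, verbose)) {
		ERR(handle, "Error while indexing out symbols");
		goto cleanup;
	}

	/* copy roles and their bounds, then escalate the type_set_t of each
	 * role attribute to all regular roles that belong to it */
	if (hashtab_map(base->p_roles.table, role_copy_callback, &state))
		goto cleanup;
	if (hashtab_map(base->p_roles.table, role_bounds_copy_callback, &state))
		goto cleanup;
	if (hashtab_map(base->p_roles.table, role_fix_callback, &state))
		goto cleanup;

	/* copy MLS sensitivity levels and categories - this must happen
	 * before users are expanded (they need to be indexed too) */
	if (hashtab_map(base->p_levels.table, sens_copy_callback, &state))
		goto cleanup;
	if (hashtab_map(base->p_cats.table, cats_copy_callback, &state))
		goto cleanup;
	if (policydb_index_others(handle, out, verbose)) {
		ERR(handle, "Error while indexing out symbols");
		goto cleanup;
	}

	/* copy users and their bounds */
	if (hashtab_map(base->p_users.table, user_copy_callback, &state))
		goto cleanup;
	if (hashtab_map(base->p_users.table, user_bounds_copy_callback, &state))
		goto cleanup;

	/* copy bools */
	if (hashtab_map(base->p_bools.table, bool_copy_callback, &state))
		goto cleanup;

	if (policydb_index_classes(out)) {
		ERR(handle, "Error while indexing out classes");
		goto cleanup;
	}
	if (policydb_index_others(handle, out, verbose)) {
		ERR(handle, "Error while indexing out symbols");
		goto cleanup;
	}

	/* loop through all enabled decls and union in their attributes,
	 * roles and users */
	for (curblock = base->global; curblock != NULL; curblock = curblock->next) {
		avrule_decl_t *decl = curblock->enabled;

		if (decl == NULL)
			continue;	/* nothing was enabled within this block */

		if (hashtab_map(decl->p_types.table, attr_convert_callback, &state))
			goto cleanup;
		if (hashtab_map(decl->p_roles.table, role_copy_callback, &state))
			goto cleanup;
		if (hashtab_map(decl->p_users.table, user_copy_callback, &state))
			goto cleanup;
	}

	/* remap role dominates bitmaps */
	if (hashtab_map(out->p_roles.table, role_remap_dominates, &state))
		goto cleanup;

	if (copy_and_expand_avrule_block(&state) < 0) {
		ERR(handle, "Error during expand");
		goto cleanup;
	}

	/* copy constraints, now that attributes are complete */
	if (hashtab_map(base->p_classes.table, constraint_copy_callback, &state))
		goto cleanup;

	cond_optimize_lists(out->cond_list);
	evaluate_conds(out);

	/* copy ocontexts */
	if (ocontext_copy(&state, out->target_platform))
		goto cleanup;

	/* copy genfs */
	if (genfs_copy(&state))
		goto cleanup;

	/* Build the type<->attribute maps and remove attributes.
	 *
	 * calloc rather than malloc: the count*size product is overflow
	 * checked, and a zero-filled slot is what ebitmap_init() produces
	 * (it zero-fills; confirm against ebitmap.h if in doubt).  That way,
	 * if ebitmap_set_bit() fails part-way through the loop below, the
	 * slots not yet reached are still valid empty bitmaps for the destroy
	 * path, which walks all p_types.nprim entries, rather than
	 * uninitialised memory. */
	out->attr_type_map = calloc(out->p_types.nprim, sizeof(ebitmap_t));
	out->type_attr_map = calloc(out->p_types.nprim, sizeof(ebitmap_t));
	if (!out->attr_type_map || !out->type_attr_map) {
		ERR(handle, "Out of memory!");
		goto cleanup;
	}
	for (i = 0; i < out->p_types.nprim; i++) {
		ebitmap_init(&out->type_attr_map[i]);
		ebitmap_init(&out->attr_type_map[i]);
		/* add the type itself as the degenerate case */
		if (ebitmap_set_bit(&out->type_attr_map[i], i, 1)) {
			ERR(handle, "Out of memory!");
			goto cleanup;
		}
	}
	if (hashtab_map(out->p_types.table, type_attr_map, &state))
		goto cleanup;

	if (check) {
		if (hierarchy_check_constraints(handle, out))
			goto cleanup;
		if (check_assertions(handle, out,
				     out->global->branch_list->avrules))
			goto cleanup;
	}

	retval = 0;

cleanup:
	free(state.typemap);
	free(state.boolmap);
	free(state.rolemap);
	free(state.usermap);
	return retval;
}

/* Fold datum d into avd, the datum of a rule already present at the same
 * key.  allow and auditallow accumulate (union of permission bits);
 * auditdeny is combined by intersection instead - the opposite direction,
 * because the auditdeny mask is kept in the inverse sense (confirm against
 * avtab.h).  Any other rule kind carries a single value that cannot be
 * merged, so two rules on one key are a policy conflict.
 * Returns 0, or -1 after ERR() on a conflict. */
static int expand_merge_datum(const avtab_key_t *k, avtab_datum_t *avd,
			      const avtab_datum_t *d)
{
	switch (k->specified & ~AVTAB_ENABLED) {
	case AVTAB_ALLOWED:
	case AVTAB_AUDITALLOW:
		avd->data |= d->data;
		break;
	case AVTAB_AUDITDENY:
		avd->data &= d->data;
		break;
	default:
		ERR(NULL, "Type conflict!");
		return -1;
	}

	return 0;
}

/* Insert (k, d) into a, merging it with a rule already stored under the
 * same key.  A rule that differs from the stored one only in the
 * AVTAB_ENABLED bit is kept as a separate, non-unique node rather than
 * merged, so enabled and disabled conditional variants stay distinct.
 * Returns 0 on success, -1 after ERR() on allocation failure or conflict. */
static int expand_avtab_insert(avtab_t * a, avtab_key_t * k, avtab_datum_t * d)
{
	avtab_ptr_t node = avtab_search_node(a, k);

	if (!node) {
		int rc = avtab_insert(a, k, d);
		if (rc)
			ERR(NULL, "Out of memory!");
		return rc;
	}

	if ((k->specified & AVTAB_ENABLED) != (node->key.specified & AVTAB_ENABLED)) {
		if (!avtab_insert_nonunique(a, k, d)) {
			ERR(NULL, "Out of memory!");
			return -1;
		}
		return 0;
	}

	return expand_merge_datum(k, &node->datum, d);
}

/* Callback context for expand_avtab(): the table being filled and the
 * policy whose type_val_to_struct / attr_type_map drive the expansion. */
struct expand_avtab_data {
	avtab_t *expa;
	policydb_t *p;
};

/* avtab_map() callback: expand one rule whose source and/or target is an
 * attribute into one rule per member type (taken from p->attr_type_map)
 * and insert the results into expa via expand_avtab_insert().  A rule
 * between two plain types is inserted as is.
 * Returns 0 on success, -1 on the first insert failure. */
static int expand_avtab_node(avtab_key_t * k, avtab_datum_t * d, void *args)
{
	struct expand_avtab_data *ptr = args;
	avtab_t *expa = ptr->expa;
	policydb_t *p = ptr->p;
	/* Type values are 1-based.  These lookups assume
	 * 1 <= value <= p->p_types.nprim; that is taken to have been
	 * validated when the avtab was read or built and is not re-checked
	 * here. */
	type_datum_t *stype = p->type_val_to_struct[k->source_type - 1];
	type_datum_t *ttype = p->type_val_to_struct[k->target_type - 1];
	ebitmap_t *sattr = &p->attr_type_map[k->source_type - 1];
	ebitmap_t *tattr = &p->attr_type_map[k->target_type - 1];
	int src_is_attr = (stype->flavor == TYPE_ATTRIB);
	int tgt_is_attr = (ttype->flavor == TYPE_ATTRIB);
	ebitmap_node_t *snode, *tnode;
	unsigned int i, j;
	avtab_key_t newkey;

	if (!src_is_attr && !tgt_is_attr) {
		/* Both are individual types, no expansion required. */
		return expand_avtab_insert(expa, k, d);
	}

	newkey.target_class = k->target_class;
	newkey.specified = k->specified;

	if (!src_is_attr) {
		/* Source is an individual type, target is an attribute. */
		newkey.source_type = k->source_type;
		ebitmap_for_each_bit(tattr, tnode, j) {
			if (!ebitmap_node_get_bit(tnode, j))
				continue;
			newkey.target_type = j + 1;
			if (expand_avtab_insert(expa, &newkey, d))
				return -1;
		}
		return 0;
	}

	if (!tgt_is_attr) {
		/* Target is an individual type, source is an attribute. */
		newkey.target_type = k->target_type;
		ebitmap_for_each_bit(sattr, snode, i) {
			if (!ebitmap_node_get_bit(snode, i))
				continue;
			newkey.source_type = i + 1;
			if (expand_avtab_insert(expa, &newkey, d))
				return -1;
		}
		return 0;
	}

	/* Both source and target type are attributes: cross product. */
	ebitmap_for_each_bit(sattr, snode, i) {
		if (!ebitmap_node_get_bit(snode, i))
			continue;
		newkey.source_type = i + 1;
		ebitmap_for_each_bit(tattr, tnode, j) {
			if (!ebitmap_node_get_bit(tnode, j))
				continue;
			newkey.target_type = j + 1;
			if (expand_avtab_insert(expa, &newkey, d))
				return -1;
		}
	}

	return 0;
}

/* Expand every attribute-based rule of a into type-based rules in expa.
 * expa is allocated here (sized with MAX_AVTAB_SIZE) and owned by the
 * caller, who must destroy it - also on failure, since it may then be
 * partially filled.
 * Returns 0 on success, -1 if expa cannot be allocated, otherwise the
 * result of avtab_map(). */
int expand_avtab(policydb_t * p, avtab_t * a, avtab_t * expa)
{
	struct expand_avtab_data data;

	if (avtab_alloc(expa, MAX_AVTAB_SIZE)) {
		ERR(NULL, "Out of memory!");
		return -1;
	}

	data.expa = expa;
	data.p = p;
	return avtab_map(a, expand_avtab_node, &data);
}

/* Conditional counterpart of expand_avtab_insert(): insert (k, d) into
 * expa and, if that created a node, push it onto the cond_av_list *l so
 * the conditional owns it.  A node already present with the same
 * AVTAB_ENABLED state is merged in place and *l is not touched.
 * Returns 0 on success, -1 after ERR() on allocation failure or conflict. */
static int expand_cond_insert(cond_av_list_t ** l,
			      avtab_t * expa,
			      avtab_key_t * k, avtab_datum_t * d)
{
	avtab_ptr_t node;
	cond_av_list_t *nl;

	node = avtab_search_node(expa, k);
	if (!node ||
	    (k->specified & AVTAB_ENABLED) !=
	    (node->key.specified & AVTAB_ENABLED)) {
		/* Reserve the list cell before inserting the node: if the
		 * cell cannot be allocated nothing has changed yet, so a
		 * failure never strands a node in expa that no cond_av_list
		 * entry refers to. */
		nl = calloc(1, sizeof(*nl));
		if (!nl) {
			ERR(NULL, "Out of memory!");
			return -1;
		}
		node = avtab_insert_nonunique(expa, k, d);
		if (!node) {
			free(nl);
			ERR(NULL, "Out of memory!");
			return -1;
		}
		/* Non-NULL parse_context tags the node as produced by
		 * conditional expansion; the value is a flag, not an address. */
		node->parse_context = (void *)1;
		nl->node = node;
		nl->next = *l;
		*l = nl;
		return 0;
	}

	return expand_merge_datum(k, &node->datum, d);
}

int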
expand_cond_av_node(policydb_t * p, 323913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle avtab_ptr_t node, 324013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle cond_av_list_t ** newl, avtab_t * expa) 324113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 324213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle avtab_key_t *k = &node->key; 324313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle avtab_datum_t *d = &node->datum; 324413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle type_datum_t *stype = p->type_val_to_struct[k->source_type - 1]; 324513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle type_datum_t *ttype = p->type_val_to_struct[k->target_type - 1]; 324613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ebitmap_t *sattr = &p->attr_type_map[k->source_type - 1]; 324713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ebitmap_t *tattr = &p->attr_type_map[k->target_type - 1]; 324813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ebitmap_node_t *snode, *tnode; 324913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle unsigned int i, j; 325013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle avtab_key_t newkey; 325113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle int rc; 325213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 325313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle newkey.target_class = k->target_class; 325413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle newkey.specified = k->specified; 325513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 32564a33c78ca572598ff76976a41d8b456293dfaebcStephen Smalley if (stype->flavor != TYPE_ATTRIB && ttype->flavor != TYPE_ATTRIB) { 325713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle /* Both are individual types, no expansion required. 
*/ 325813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return expand_cond_insert(newl, expa, k, d); 325913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 326013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 32614a33c78ca572598ff76976a41d8b456293dfaebcStephen Smalley if (stype->flavor != TYPE_ATTRIB) { 326213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle /* Source is an individual type, target is an attribute. */ 326313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle newkey.source_type = k->source_type; 326413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ebitmap_for_each_bit(tattr, tnode, j) { 326513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!ebitmap_node_get_bit(tnode, j)) 326613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle continue; 326713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle newkey.target_type = j + 1; 326813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle rc = expand_cond_insert(newl, expa, &newkey, d); 326913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (rc) 327013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 327113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 327213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return 0; 327313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 327413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 32754a33c78ca572598ff76976a41d8b456293dfaebcStephen Smalley if (ttype->flavor != TYPE_ATTRIB) { 327613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle /* Target is an individual type, source is an attribute. 
*/ 327713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle newkey.target_type = k->target_type; 327813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ebitmap_for_each_bit(sattr, snode, i) { 327913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!ebitmap_node_get_bit(snode, i)) 328013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle continue; 328113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle newkey.source_type = i + 1; 328213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle rc = expand_cond_insert(newl, expa, &newkey, d); 328313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (rc) 328413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 328513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 328613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return 0; 328713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 328813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 328913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle /* Both source and target type are attributes. 
*/ 329013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ebitmap_for_each_bit(sattr, snode, i) { 329113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!ebitmap_node_get_bit(snode, i)) 329213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle continue; 329313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ebitmap_for_each_bit(tattr, tnode, j) { 329413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (!ebitmap_node_get_bit(tnode, j)) 329513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle continue; 329613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle newkey.source_type = i + 1; 329713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle newkey.target_type = j + 1; 329813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle rc = expand_cond_insert(newl, expa, &newkey, d); 329913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (rc) 330013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 330113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 330213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 330313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 330413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return 0; 330513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 330613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 330713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindleint expand_cond_av_list(policydb_t * p, cond_av_list_t * l, 330813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle cond_av_list_t ** newl, avtab_t * expa) 330913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle{ 331013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle cond_av_list_t *cur; 331113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle avtab_ptr_t node; 331213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle int rc; 331313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 331413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (avtab_alloc(expa, MAX_AVTAB_SIZE)) { 
331513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle ERR(NULL, "Out of memory!"); 331613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return -1; 331713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 331813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 331913cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle *newl = NULL; 332013cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle for (cur = l; cur; cur = cur->next) { 332113cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle node = cur->node; 332213cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle rc = expand_cond_av_node(p, node, newl, expa); 332313cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle if (rc) 332413cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return rc; 332513cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle } 332613cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle 332713cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle return 0; 332813cd4c8960688af11ad23b4c946149015c80d54Joshua Brindle} 3329