/* Authors: Karl MacMillan <kmacmillan@tresys.com>
|
* Frank Mayer <mayerf@tresys.com>
|
* David Caplan <dac@tresys.com>
|
*
|
* Copyright (C) 2003 - 2005 Tresys Technology, LLC
|
*
|
* This library is free software; you can redistribute it and/or
|
* modify it under the terms of the GNU Lesser General Public
|
* License as published by the Free Software Foundation; either
|
* version 2.1 of the License, or (at your option) any later version.
|
*
|
* This library is distributed in the hope that it will be useful,
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
* Lesser General Public License for more details.
|
*
|
* You should have received a copy of the GNU Lesser General Public
|
* License along with this library; if not, write to the Free Software
|
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
*/
|
|
#include <stdlib.h>
|
|
#include <sepol/policydb/flask_types.h>
|
#include <sepol/policydb/conditional.h>
|
|
#include "private.h"
|
|
/* move all type rules to top of t/f lists to help kernel on evaluation */
|
static void cond_optimize(cond_av_list_t ** l)
|
{
|
cond_av_list_t *top, *p, *cur;
|
|
top = p = cur = *l;
|
|
while (cur) {
|
if ((cur->node->key.specified & AVTAB_TYPE) && (top != cur)) {
|
p->next = cur->next;
|
cur->next = top;
|
top = cur;
|
cur = p->next;
|
} else {
|
p = cur;
|
cur = cur->next;
|
}
|
}
|
*l = top;
|
}
|
|
/* reorder t/f lists for kernel */
|
void cond_optimize_lists(cond_list_t * cl)
|
{
|
cond_list_t *n;
|
|
for (n = cl; n != NULL; n = n->next) {
|
cond_optimize(&n->true_list);
|
cond_optimize(&n->false_list);
|
}
|
}
|
|
static int bool_present(unsigned int target, unsigned int bools[],
|
unsigned int num_bools)
|
{
|
unsigned int i = 0;
|
int ret = 1;
|
|
if (num_bools > COND_MAX_BOOLS) {
|
return 0;
|
}
|
while (i < num_bools && target != bools[i])
|
i++;
|
if (i == num_bools)
|
ret = 0; /* got to end w/o match */
|
return ret;
|
}
|
|
static int same_bools(cond_node_t * a, cond_node_t * b)
|
{
|
unsigned int i, x;
|
|
x = a->nbools;
|
|
/* same number of bools? */
|
if (x != b->nbools)
|
return 0;
|
|
/* make sure all the bools in a are also in b */
|
for (i = 0; i < x; i++)
|
if (!bool_present(a->bool_ids[i], b->bool_ids, x))
|
return 0;
|
return 1;
|
}
|
|
/*
|
* Determine if two conditional expressions are equal.
|
*/
|
int cond_expr_equal(cond_node_t * a, cond_node_t * b)
|
{
|
cond_expr_t *cur_a, *cur_b;
|
|
if (a == NULL || b == NULL)
|
return 0;
|
|
if (a->nbools != b->nbools)
|
return 0;
|
|
/* if exprs have <= COND_MAX_BOOLS we can check the precompute values
|
* for the expressions.
|
*/
|
if (a->nbools <= COND_MAX_BOOLS && b->nbools <= COND_MAX_BOOLS) {
|
if (!same_bools(a, b))
|
return 0;
|
return (a->expr_pre_comp == b->expr_pre_comp);
|
}
|
|
/* for long expressions we check for exactly the same expression */
|
cur_a = a->expr;
|
cur_b = b->expr;
|
while (1) {
|
if (cur_a == NULL && cur_b == NULL)
|
return 1;
|
else if (cur_a == NULL || cur_b == NULL)
|
return 0;
|
if (cur_a->expr_type != cur_b->expr_type)
|
return 0;
|
if (cur_a->expr_type == COND_BOOL) {
|
if (cur_a->bool != cur_b->bool)
|
return 0;
|
}
|
cur_a = cur_a->next;
|
cur_b = cur_b->next;
|
}
|
return 1;
|
}
|
|
/* Create a new conditional node, optionally copying
|
* the conditional expression from an existing node.
|
* If node is NULL then a new node will be created
|
* with no conditional expression.
|
*/
|
cond_node_t *cond_node_create(policydb_t * p, cond_node_t * node)
|
{
|
cond_node_t *new_node;
|
unsigned int i;
|
|
new_node = (cond_node_t *)malloc(sizeof(cond_node_t));
|
if (!new_node) {
|
return NULL;
|
}
|
memset(new_node, 0, sizeof(cond_node_t));
|
|
if (node) {
|
new_node->expr = cond_copy_expr(node->expr);
|
if (!new_node->expr) {
|
free(new_node);
|
return NULL;
|
}
|
new_node->cur_state = cond_evaluate_expr(p, new_node->expr);
|
new_node->nbools = node->nbools;
|
for (i = 0; i < min(node->nbools, COND_MAX_BOOLS); i++)
|
new_node->bool_ids[i] = node->bool_ids[i];
|
new_node->expr_pre_comp = node->expr_pre_comp;
|
new_node->flags = node->flags;
|
}
|
|
return new_node;
|
}
|
|
/* Find a conditional (the needle) within a list of existing ones (the
|
* haystack) that has a matching expression. If found, return a
|
* pointer to the existing node, setting 'was_created' to 0.
|
* Otherwise create a new one and return it, setting 'was_created' to
|
* 1. */
|
cond_node_t *cond_node_find(policydb_t * p,
|
cond_node_t * needle, cond_node_t * haystack,
|
int *was_created)
|
{
|
while (haystack) {
|
if (cond_expr_equal(needle, haystack)) {
|
*was_created = 0;
|
return haystack;
|
}
|
haystack = haystack->next;
|
}
|
*was_created = 1;
|
|
return cond_node_create(p, needle);
|
}
|
|
/* return either a pre-existing matching node or create a new node */
|
cond_node_t *cond_node_search(policydb_t * p, cond_node_t * list,
|
cond_node_t * cn)
|
{
|
int was_created;
|
cond_node_t *result = cond_node_find(p, cn, list, &was_created);
|
if (result != NULL && was_created) {
|
/* add conditional node to policy list */
|
result->next = p->cond_list;
|
p->cond_list = result;
|
}
|
return result;
|
}
|
|
/*
|
* cond_evaluate_expr evaluates a conditional expr
|
* in reverse polish notation. It returns true (1), false (0),
|
* or undefined (-1). Undefined occurs when the expression
|
* exceeds the stack depth of COND_EXPR_MAXDEPTH.
|
*/
|
int cond_evaluate_expr(policydb_t * p, cond_expr_t * expr)
|
{
|
|
cond_expr_t *cur;
|
int s[COND_EXPR_MAXDEPTH];
|
int sp = -1;
|
|
s[0] = -1;
|
|
for (cur = expr; cur != NULL; cur = cur->next) {
|
switch (cur->expr_type) {
|
case COND_BOOL:
|
if (sp == (COND_EXPR_MAXDEPTH - 1))
|
return -1;
|
sp++;
|
s[sp] = p->bool_val_to_struct[cur->bool - 1]->state;
|
break;
|
case COND_NOT:
|
if (sp < 0)
|
return -1;
|
s[sp] = !s[sp];
|
break;
|
case COND_OR:
|
if (sp < 1)
|
return -1;
|
sp--;
|
s[sp] |= s[sp + 1];
|
break;
|
case COND_AND:
|
if (sp < 1)
|
return -1;
|
sp--;
|
s[sp] &= s[sp + 1];
|
break;
|
case COND_XOR:
|
if (sp < 1)
|
return -1;
|
sp--;
|
s[sp] ^= s[sp + 1];
|
break;
|
case COND_EQ:
|
if (sp < 1)
|
return -1;
|
sp--;
|
s[sp] = (s[sp] == s[sp + 1]);
|
break;
|
case COND_NEQ:
|
if (sp < 1)
|
return -1;
|
sp--;
|
s[sp] = (s[sp] != s[sp + 1]);
|
break;
|
default:
|
return -1;
|
}
|
}
|
return s[0];
|
}
|
|
cond_expr_t *cond_copy_expr(cond_expr_t * expr)
|
{
|
cond_expr_t *cur, *head, *tail, *new_expr;
|
tail = head = NULL;
|
cur = expr;
|
while (cur) {
|
new_expr = (cond_expr_t *) malloc(sizeof(cond_expr_t));
|
if (!new_expr)
|
goto free_head;
|
memset(new_expr, 0, sizeof(cond_expr_t));
|
|
new_expr->expr_type = cur->expr_type;
|
new_expr->bool = cur->bool;
|
|
if (!head)
|
head = new_expr;
|
if (tail)
|
tail->next = new_expr;
|
tail = new_expr;
|
cur = cur->next;
|
}
|
return head;
|
|
free_head:
|
while (head) {
|
tail = head->next;
|
free(head);
|
head = tail;
|
}
|
return NULL;
|
}
|
|
/*
|
* evaluate_cond_node evaluates the conditional stored in
|
* a cond_node_t and if the result is different than the
|
* current state of the node it sets the rules in the true/false
|
* list appropriately. If the result of the expression is undefined
|
* all of the rules are disabled for safety.
|
*/
|
static int evaluate_cond_node(policydb_t * p, cond_node_t * node)
|
{
|
int new_state;
|
cond_av_list_t *cur;
|
|
new_state = cond_evaluate_expr(p, node->expr);
|
if (new_state != node->cur_state) {
|
node->cur_state = new_state;
|
if (new_state == -1)
|
printf
|
("expression result was undefined - disabling all rules.\n");
|
/* turn the rules on or off */
|
for (cur = node->true_list; cur != NULL; cur = cur->next) {
|
if (new_state <= 0) {
|
cur->node->key.specified &= ~AVTAB_ENABLED;
|
} else {
|
cur->node->key.specified |= AVTAB_ENABLED;
|
}
|
}
|
|
for (cur = node->false_list; cur != NULL; cur = cur->next) {
|
/* -1 or 1 */
|
if (new_state) {
|
cur->node->key.specified &= ~AVTAB_ENABLED;
|
} else {
|
cur->node->key.specified |= AVTAB_ENABLED;
|
}
|
}
|
}
|
return 0;
|
}
|
|
/* precompute and simplify an expression if possible. If left with !expression, change
|
* to expression and switch t and f. precompute expression for expressions with limited
|
* number of bools.
|
*/
|
int cond_normalize_expr(policydb_t * p, cond_node_t * cn)
|
{
|
cond_expr_t *ne, *e;
|
cond_av_list_t *tmp;
|
unsigned int i, j, orig_value[COND_MAX_BOOLS];
|
int k;
|
uint32_t test = 0x0;
|
avrule_t *tmp2;
|
|
cn->nbools = 0;
|
|
memset(cn->bool_ids, 0, sizeof(cn->bool_ids));
|
cn->expr_pre_comp = 0x0;
|
|
/* take care of !expr case */
|
ne = NULL;
|
e = cn->expr;
|
|
/* becuase it's RPN look at last element */
|
while (e->next != NULL) {
|
ne = e;
|
e = e->next;
|
}
|
if (e->expr_type == COND_NOT) {
|
if (ne) {
|
ne->next = NULL;
|
} else { /* ne should never be NULL */
|
printf
|
("Found expr with no bools and only a ! - this should never happen.\n");
|
return -1;
|
}
|
/* swap the true and false lists */
|
tmp = cn->true_list;
|
cn->true_list = cn->false_list;
|
cn->false_list = tmp;
|
tmp2 = cn->avtrue_list;
|
cn->avtrue_list = cn->avfalse_list;
|
cn->avfalse_list = tmp2;
|
|
/* free the "not" node in the list */
|
free(e);
|
}
|
|
/* find all the bools in the expression */
|
for (e = cn->expr; e != NULL; e = e->next) {
|
switch (e->expr_type) {
|
case COND_BOOL:
|
i = 0;
|
/* see if we've already seen this bool */
|
if (!bool_present(e->bool, cn->bool_ids, cn->nbools)) {
|
/* count em all but only record up to COND_MAX_BOOLS */
|
if (cn->nbools < COND_MAX_BOOLS)
|
cn->bool_ids[cn->nbools++] = e->bool;
|
else
|
cn->nbools++;
|
}
|
break;
|
default:
|
break;
|
}
|
}
|
|
/* only precompute for exprs with <= COND_AX_BOOLS */
|
if (cn->nbools <= COND_MAX_BOOLS) {
|
/* save the default values for the bools so we can play with them */
|
for (i = 0; i < cn->nbools; i++) {
|
orig_value[i] =
|
p->bool_val_to_struct[cn->bool_ids[i] - 1]->state;
|
}
|
|
/* loop through all possible combinations of values for bools in expression */
|
for (test = 0x0; test < (0x1U << cn->nbools); test++) {
|
/* temporarily set the value for all the bools in the
|
* expression using the corr. bit in test */
|
for (j = 0; j < cn->nbools; j++) {
|
p->bool_val_to_struct[cn->bool_ids[j] -
|
1]->state =
|
(test & (0x1 << j)) ? 1 : 0;
|
}
|
k = cond_evaluate_expr(p, cn->expr);
|
if (k == -1) {
|
printf
|
("While testing expression, expression result "
|
"was undefined - this should never happen.\n");
|
return -1;
|
}
|
/* set the bit if expression evaluates true */
|
if (k)
|
cn->expr_pre_comp |= 0x1 << test;
|
}
|
|
/* restore bool default values */
|
for (i = 0; i < cn->nbools; i++)
|
p->bool_val_to_struct[cn->bool_ids[i] - 1]->state =
|
orig_value[i];
|
}
|
return 0;
|
}
|
|
int evaluate_conds(policydb_t * p)
|
{
|
int ret;
|
cond_node_t *cur;
|
|
for (cur = p->cond_list; cur != NULL; cur = cur->next) {
|
ret = evaluate_cond_node(p, cur);
|
if (ret)
|
return ret;
|
}
|
return 0;
|
}
|
|
int cond_policydb_init(policydb_t * p)
|
{
|
p->bool_val_to_struct = NULL;
|
p->cond_list = NULL;
|
if (avtab_init(&p->te_cond_avtab))
|
return -1;
|
|
return 0;
|
}
|
|
void cond_av_list_destroy(cond_av_list_t * list)
|
{
|
cond_av_list_t *cur, *next;
|
for (cur = list; cur != NULL; cur = next) {
|
next = cur->next;
|
/* the avtab_ptr_t node is destroy by the avtab */
|
free(cur);
|
}
|
}
|
|
void cond_expr_destroy(cond_expr_t * expr)
|
{
|
cond_expr_t *cur_expr, *next_expr;
|
|
if (!expr)
|
return;
|
|
for (cur_expr = expr; cur_expr != NULL; cur_expr = next_expr) {
|
next_expr = cur_expr->next;
|
free(cur_expr);
|
}
|
}
|
|
void cond_node_destroy(cond_node_t * node)
|
{
|
if (!node)
|
return;
|
|
cond_expr_destroy(node->expr);
|
avrule_list_destroy(node->avtrue_list);
|
avrule_list_destroy(node->avfalse_list);
|
cond_av_list_destroy(node->true_list);
|
cond_av_list_destroy(node->false_list);
|
}
|
|
void cond_list_destroy(cond_list_t * list)
|
{
|
cond_node_t *next, *cur;
|
|
if (list == NULL)
|
return;
|
|
for (cur = list; cur != NULL; cur = next) {
|
next = cur->next;
|
cond_node_destroy(cur);
|
free(cur);
|
}
|
}
|
|
void cond_policydb_destroy(policydb_t * p)
|
{
|
if (p->bool_val_to_struct != NULL)
|
free(p->bool_val_to_struct);
|
avtab_destroy(&p->te_cond_avtab);
|
cond_list_destroy(p->cond_list);
|
}
|
|
int cond_init_bool_indexes(policydb_t * p)
|
{
|
if (p->bool_val_to_struct)
|
free(p->bool_val_to_struct);
|
p->bool_val_to_struct = (cond_bool_datum_t **)
|
malloc(p->p_bools.nprim * sizeof(cond_bool_datum_t *));
|
if (!p->bool_val_to_struct)
|
return -1;
|
return 0;
|
}
|
|
int cond_destroy_bool(hashtab_key_t key, hashtab_datum_t datum, void *p
|
__attribute__ ((unused)))
|
{
|
if (key)
|
free(key);
|
free(datum);
|
return 0;
|
}
|
|
int cond_index_bool(hashtab_key_t key, hashtab_datum_t datum, void *datap)
|
{
|
policydb_t *p;
|
cond_bool_datum_t *booldatum;
|
|
booldatum = datum;
|
p = datap;
|
|
if (!booldatum->s.value || booldatum->s.value > p->p_bools.nprim)
|
return -EINVAL;
|
|
if (p->p_bool_val_to_name[booldatum->s.value - 1] != NULL)
|
return -EINVAL;
|
|
p->p_bool_val_to_name[booldatum->s.value - 1] = key;
|
p->bool_val_to_struct[booldatum->s.value - 1] = booldatum;
|
|
return 0;
|
}
|
|
static int bool_isvalid(cond_bool_datum_t * b)
|
{
|
if (!(b->state == 0 || b->state == 1))
|
return 0;
|
return 1;
|
}
|
|
int cond_read_bool(policydb_t * p,
|
hashtab_t h,
|
struct policy_file *fp)
|
{
|
char *key = 0;
|
cond_bool_datum_t *booldatum;
|
uint32_t buf[3], len;
|
int rc;
|
|
booldatum = malloc(sizeof(cond_bool_datum_t));
|
if (!booldatum)
|
return -1;
|
memset(booldatum, 0, sizeof(cond_bool_datum_t));
|
|
rc = next_entry(buf, fp, sizeof(uint32_t) * 3);
|
if (rc < 0)
|
goto err;
|
|
booldatum->s.value = le32_to_cpu(buf[0]);
|
booldatum->state = le32_to_cpu(buf[1]);
|
|
if (!bool_isvalid(booldatum))
|
goto err;
|
|
len = le32_to_cpu(buf[2]);
|
if (str_read(&key, fp, len))
|
goto err;
|
|
if (p->policy_type != POLICY_KERN &&
|
p->policyvers >= MOD_POLICYDB_VERSION_TUNABLE_SEP) {
|
rc = next_entry(buf, fp, sizeof(uint32_t));
|
if (rc < 0)
|
goto err;
|
booldatum->flags = le32_to_cpu(buf[0]);
|
}
|
|
if (hashtab_insert(h, key, booldatum))
|
goto err;
|
|
return 0;
|
err:
|
cond_destroy_bool(key, booldatum, 0);
|
return -1;
|
}
|
|
struct cond_insertf_data {
|
struct policydb *p;
|
cond_av_list_t *other;
|
cond_av_list_t *head;
|
cond_av_list_t *tail;
|
};
|
|
static int cond_insertf(avtab_t * a
|
__attribute__ ((unused)), avtab_key_t * k,
|
avtab_datum_t * d, void *ptr)
|
{
|
struct cond_insertf_data *data = ptr;
|
struct policydb *p = data->p;
|
cond_av_list_t *other = data->other, *list, *cur;
|
avtab_ptr_t node_ptr;
|
uint8_t found;
|
|
/*
|
* For type rules we have to make certain there aren't any
|
* conflicting rules by searching the te_avtab and the
|
* cond_te_avtab.
|
*/
|
if (k->specified & AVTAB_TYPE) {
|
if (avtab_search(&p->te_avtab, k)) {
|
printf
|
("security: type rule already exists outside of a conditional.");
|
goto err;
|
}
|
/*
|
* If we are reading the false list other will be a pointer to
|
* the true list. We can have duplicate entries if there is only
|
* 1 other entry and it is in our true list.
|
*
|
* If we are reading the true list (other == NULL) there shouldn't
|
* be any other entries.
|
*/
|
if (other) {
|
node_ptr = avtab_search_node(&p->te_cond_avtab, k);
|
if (node_ptr) {
|
if (avtab_search_node_next
|
(node_ptr, k->specified)) {
|
printf
|
("security: too many conflicting type rules.");
|
goto err;
|
}
|
found = 0;
|
for (cur = other; cur != NULL; cur = cur->next) {
|
if (cur->node == node_ptr) {
|
found = 1;
|
break;
|
}
|
}
|
if (!found) {
|
printf
|
("security: conflicting type rules.\n");
|
goto err;
|
}
|
}
|
} else {
|
if (avtab_search(&p->te_cond_avtab, k)) {
|
printf
|
("security: conflicting type rules when adding type rule for true.\n");
|
goto err;
|
}
|
}
|
}
|
|
node_ptr = avtab_insert_nonunique(&p->te_cond_avtab, k, d);
|
if (!node_ptr) {
|
printf("security: could not insert rule.");
|
goto err;
|
}
|
node_ptr->parse_context = (void *)1;
|
|
list = malloc(sizeof(cond_av_list_t));
|
if (!list)
|
goto err;
|
memset(list, 0, sizeof(cond_av_list_t));
|
|
list->node = node_ptr;
|
if (!data->head)
|
data->head = list;
|
else
|
data->tail->next = list;
|
data->tail = list;
|
return 0;
|
|
err:
|
cond_av_list_destroy(data->head);
|
data->head = NULL;
|
return -1;
|
}
|
|
static int cond_read_av_list(policydb_t * p, void *fp,
|
cond_av_list_t ** ret_list, cond_av_list_t * other)
|
{
|
unsigned int i;
|
int rc;
|
uint32_t buf[1], len;
|
struct cond_insertf_data data;
|
|
*ret_list = NULL;
|
|
len = 0;
|
rc = next_entry(buf, fp, sizeof(uint32_t));
|
if (rc < 0)
|
return -1;
|
|
len = le32_to_cpu(buf[0]);
|
if (len == 0) {
|
return 0;
|
}
|
|
data.p = p;
|
data.other = other;
|
data.head = NULL;
|
data.tail = NULL;
|
for (i = 0; i < len; i++) {
|
rc = avtab_read_item(fp, p->policyvers, &p->te_cond_avtab,
|
cond_insertf, &data);
|
if (rc)
|
return rc;
|
|
}
|
|
*ret_list = data.head;
|
return 0;
|
}
|
|
static int expr_isvalid(policydb_t * p, cond_expr_t * expr)
|
{
|
if (expr->expr_type <= 0 || expr->expr_type > COND_LAST) {
|
printf
|
("security: conditional expressions uses unknown operator.\n");
|
return 0;
|
}
|
|
if (expr->bool > p->p_bools.nprim) {
|
printf
|
("security: conditional expressions uses unknown bool.\n");
|
return 0;
|
}
|
return 1;
|
}
|
|
static int cond_read_node(policydb_t * p, cond_node_t * node, void *fp)
|
{
|
uint32_t buf[2];
|
int len, i, rc;
|
cond_expr_t *expr = NULL, *last = NULL;
|
|
rc = next_entry(buf, fp, sizeof(uint32_t));
|
if (rc < 0)
|
goto err;
|
|
node->cur_state = le32_to_cpu(buf[0]);
|
|
len = 0;
|
rc = next_entry(buf, fp, sizeof(uint32_t));
|
if (rc < 0)
|
goto err;
|
|
/* expr */
|
len = le32_to_cpu(buf[0]);
|
|
for (i = 0; i < len; i++) {
|
rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
|
if (rc < 0)
|
goto err;
|
|
expr = malloc(sizeof(cond_expr_t));
|
if (!expr) {
|
goto err;
|
}
|
memset(expr, 0, sizeof(cond_expr_t));
|
|
expr->expr_type = le32_to_cpu(buf[0]);
|
expr->bool = le32_to_cpu(buf[1]);
|
|
if (!expr_isvalid(p, expr)) {
|
free(expr);
|
goto err;
|
}
|
|
if (i == 0) {
|
node->expr = expr;
|
} else {
|
last->next = expr;
|
}
|
last = expr;
|
}
|
|
if (p->policy_type == POLICY_KERN) {
|
if (cond_read_av_list(p, fp, &node->true_list, NULL) != 0)
|
goto err;
|
if (cond_read_av_list(p, fp, &node->false_list, node->true_list)
|
!= 0)
|
goto err;
|
} else {
|
if (avrule_read_list(p, &node->avtrue_list, fp))
|
goto err;
|
if (avrule_read_list(p, &node->avfalse_list, fp))
|
goto err;
|
}
|
|
if (p->policy_type != POLICY_KERN &&
|
p->policyvers >= MOD_POLICYDB_VERSION_TUNABLE_SEP) {
|
rc = next_entry(buf, fp, sizeof(uint32_t));
|
if (rc < 0)
|
goto err;
|
node->flags = le32_to_cpu(buf[0]);
|
}
|
|
return 0;
|
err:
|
cond_node_destroy(node);
|
free(node);
|
return -1;
|
}
|
|
int cond_read_list(policydb_t * p, cond_list_t ** list, void *fp)
|
{
|
cond_node_t *node, *last = NULL;
|
uint32_t buf[1];
|
int i, len, rc;
|
|
rc = next_entry(buf, fp, sizeof(uint32_t));
|
if (rc < 0)
|
return -1;
|
|
len = le32_to_cpu(buf[0]);
|
|
rc = avtab_alloc(&p->te_cond_avtab, p->te_avtab.nel);
|
if (rc)
|
goto err;
|
|
for (i = 0; i < len; i++) {
|
node = malloc(sizeof(cond_node_t));
|
if (!node)
|
goto err;
|
memset(node, 0, sizeof(cond_node_t));
|
|
if (cond_read_node(p, node, fp) != 0)
|
goto err;
|
|
if (i == 0) {
|
*list = node;
|
} else {
|
last->next = node;
|
}
|
last = node;
|
}
|
return 0;
|
err:
|
return -1;
|
}
|
|
/* Determine whether additional permissions are granted by the conditional
|
* av table, and if so, add them to the result
|
*/
|
void cond_compute_av(avtab_t * ctab, avtab_key_t * key,
|
struct sepol_av_decision *avd)
|
{
|
avtab_ptr_t node;
|
|
if (!ctab || !key || !avd)
|
return;
|
|
for (node = avtab_search_node(ctab, key); node != NULL;
|
node = avtab_search_node_next(node, key->specified)) {
|
if ((uint16_t) (AVTAB_ALLOWED | AVTAB_ENABLED) ==
|
(node->key.specified & (AVTAB_ALLOWED | AVTAB_ENABLED)))
|
avd->allowed |= node->datum.data;
|
if ((uint16_t) (AVTAB_AUDITDENY | AVTAB_ENABLED) ==
|
(node->key.specified & (AVTAB_AUDITDENY | AVTAB_ENABLED)))
|
/* Since a '0' in an auditdeny mask represents a
|
* permission we do NOT want to audit (dontaudit), we use
|
* the '&' operand to ensure that all '0's in the mask
|
* are retained (much unlike the allow and auditallow cases).
|
*/
|
avd->auditdeny &= node->datum.data;
|
if ((uint16_t) (AVTAB_AUDITALLOW | AVTAB_ENABLED) ==
|
(node->key.specified & (AVTAB_AUDITALLOW | AVTAB_ENABLED)))
|
avd->auditallow |= node->datum.data;
|
}
|
return;
|
}
|
|
avtab_datum_t *cond_av_list_search(avtab_key_t * key,
|
cond_av_list_t * cond_list)
|
{
|
|
cond_av_list_t *cur_av;
|
|
for (cur_av = cond_list; cur_av != NULL; cur_av = cur_av->next) {
|
|
if (cur_av->node->key.source_type == key->source_type &&
|
cur_av->node->key.target_type == key->target_type &&
|
cur_av->node->key.target_class == key->target_class)
|
|
return &cur_av->node->datum;
|
|
}
|
return NULL;
|
|
}
|
