services.c (9e8238020c5beba64e7ffafbb7ea0fb02fe68270) | services.c (339949be25863ac15e24659c2ab4b01185e1234a) |
1// SPDX-License-Identifier: GPL-2.0-only 2/* 3 * Implementation of the security services. 4 * 5 * Authors : Stephen Smalley, <sds@tycho.nsa.gov> 6 * James Morris <jmorris@redhat.com> 7 * 8 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> --- 50 unchanged lines hidden (view full) --- 59#include "services.h" 60#include "conditional.h" 61#include "mls.h" 62#include "objsec.h" 63#include "netlabel.h" 64#include "xfrm.h" 65#include "ebitmap.h" 66#include "audit.h" | 1// SPDX-License-Identifier: GPL-2.0-only 2/* 3 * Implementation of the security services. 4 * 5 * Authors : Stephen Smalley, <sds@tycho.nsa.gov> 6 * James Morris <jmorris@redhat.com> 7 * 8 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> --- 50 unchanged lines hidden (view full) --- 59#include "services.h" 60#include "conditional.h" 61#include "mls.h" 62#include "objsec.h" 63#include "netlabel.h" 64#include "xfrm.h" 65#include "ebitmap.h" 66#include "audit.h" |
67#include "policycap_names.h" |
|
67 | 68 |
68/* Policy capability names */ 69const char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX] = { 70 "network_peer_controls", 71 "open_perms", 72 "extended_socket_class", 73 "always_check_network", 74 "cgroup_seclabel", 75 "nnp_nosuid_transition", 76 "genfs_seclabel_symlinks" 77}; 78 | |
79static struct selinux_ss selinux_ss; 80 81void selinux_ss_init(struct selinux_ss **ss) 82{ 83 rwlock_init(&selinux_ss.policy_rwlock); 84 *ss = &selinux_ss; 85} 86 --- 390 unchanged lines hidden (view full) --- 477 return; 478 479 tclass_name = sym_name(policydb, SYM_CLASSES, tclass - 1); 480 tclass_dat = policydb->class_val_to_struct[tclass - 1]; 481 common_dat = tclass_dat->comdatum; 482 483 /* init permission_names */ 484 if (common_dat && | 69static struct selinux_ss selinux_ss; 70 71void selinux_ss_init(struct selinux_ss **ss) 72{ 73 rwlock_init(&selinux_ss.policy_rwlock); 74 *ss = &selinux_ss; 75} 76 --- 390 unchanged lines hidden (view full) --- 467 return; 468 469 tclass_name = sym_name(policydb, SYM_CLASSES, tclass - 1); 470 tclass_dat = policydb->class_val_to_struct[tclass - 1]; 471 common_dat = tclass_dat->comdatum; 472 473 /* init permission_names */ 474 if (common_dat && |
485 hashtab_map(common_dat->permissions.table, | 475 hashtab_map(&common_dat->permissions.table, |
486 dump_masked_av_helper, permission_names) < 0) 487 goto out; 488 | 476 dump_masked_av_helper, permission_names) < 0) 477 goto out; 478 |
489 if (hashtab_map(tclass_dat->permissions.table, | 479 if (hashtab_map(&tclass_dat->permissions.table, |
490 dump_masked_av_helper, permission_names) < 0) 491 goto out; 492 493 /* get scontext/tcontext in text form */ 494 if (context_struct_to_string(policydb, scontext, 495 &scontext_name, &length) < 0) 496 goto out; 497 --- 938 unchanged lines hidden (view full) --- 1436 while (*p && *p != ':') 1437 p++; 1438 1439 if (*p == 0) 1440 goto out; 1441 1442 *p++ = 0; 1443 | 480 dump_masked_av_helper, permission_names) < 0) 481 goto out; 482 483 /* get scontext/tcontext in text form */ 484 if (context_struct_to_string(policydb, scontext, 485 &scontext_name, &length) < 0) 486 goto out; 487 --- 938 unchanged lines hidden (view full) --- 1426 while (*p && *p != ':') 1427 p++; 1428 1429 if (*p == 0) 1430 goto out; 1431 1432 *p++ = 0; 1433 |
1444 usrdatum = hashtab_search(pol->p_users.table, scontextp); | 1434 usrdatum = symtab_search(&pol->p_users, scontextp); |
1445 if (!usrdatum) 1446 goto out; 1447 1448 ctx->user = usrdatum->value; 1449 1450 /* Extract role. */ 1451 scontextp = p; 1452 while (*p && *p != ':') 1453 p++; 1454 1455 if (*p == 0) 1456 goto out; 1457 1458 *p++ = 0; 1459 | 1435 if (!usrdatum) 1436 goto out; 1437 1438 ctx->user = usrdatum->value; 1439 1440 /* Extract role. */ 1441 scontextp = p; 1442 while (*p && *p != ':') 1443 p++; 1444 1445 if (*p == 0) 1446 goto out; 1447 1448 *p++ = 0; 1449 |
1460 role = hashtab_search(pol->p_roles.table, scontextp); | 1450 role = symtab_search(&pol->p_roles, scontextp); |
1461 if (!role) 1462 goto out; 1463 ctx->role = role->value; 1464 1465 /* Extract type. */ 1466 scontextp = p; 1467 while (*p && *p != ':') 1468 p++; 1469 oldc = *p; 1470 *p++ = 0; 1471 | 1451 if (!role) 1452 goto out; 1453 ctx->role = role->value; 1454 1455 /* Extract type. */ 1456 scontextp = p; 1457 while (*p && *p != ':') 1458 p++; 1459 oldc = *p; 1460 *p++ = 0; 1461 |
1472 typdatum = hashtab_search(pol->p_types.table, scontextp); | 1462 typdatum = symtab_search(&pol->p_types, scontextp); |
1473 if (!typdatum || typdatum->attribute) 1474 goto out; 1475 1476 ctx->type = typdatum->value; 1477 1478 rc = mls_context_to_sid(pol, oldc, p, ctx, sidtabp, def_sid); 1479 if (rc) 1480 goto out; --- 4 unchanged lines hidden (view full) --- 1485 goto out; 1486 rc = 0; 1487out: 1488 if (rc) 1489 context_destroy(ctx); 1490 return rc; 1491} 1492 | 1463 if (!typdatum || typdatum->attribute) 1464 goto out; 1465 1466 ctx->type = typdatum->value; 1467 1468 rc = mls_context_to_sid(pol, oldc, p, ctx, sidtabp, def_sid); 1469 if (rc) 1470 goto out; --- 4 unchanged lines hidden (view full) --- 1475 goto out; 1476 rc = 0; 1477out: 1478 if (rc) 1479 context_destroy(ctx); 1480 return rc; 1481} 1482 |
1493int context_add_hash(struct policydb *policydb, 1494 struct context *context) 1495{ 1496 int rc; 1497 char *str; 1498 int len; 1499 1500 if (context->str) { 1501 context->hash = context_compute_hash(context->str); 1502 } else { 1503 rc = context_struct_to_string(policydb, context, 1504 &str, &len); 1505 if (rc) 1506 return rc; 1507 context->hash = context_compute_hash(str); 1508 kfree(str); 1509 } 1510 return 0; 1511} 1512 1513static int context_struct_to_sid(struct selinux_state *state, 1514 struct context *context, u32 *sid) 1515{ 1516 int rc; 1517 struct sidtab *sidtab = state->ss->sidtab; 1518 struct policydb *policydb = &state->ss->policydb; 1519 1520 if (!context->hash) { 1521 rc = context_add_hash(policydb, context); 1522 if (rc) 1523 return rc; 1524 } 1525 1526 return sidtab_context_to_sid(sidtab, context, sid); 1527} 1528 | |
1529static int security_context_to_sid_core(struct selinux_state *state, 1530 const char *scontext, u32 scontext_len, 1531 u32 *sid, u32 def_sid, gfp_t gfp_flags, 1532 int force) 1533{ 1534 struct policydb *policydb; 1535 struct sidtab *sidtab; 1536 char *scontext2, *str = NULL; --- 38 unchanged lines hidden (view full) --- 1575 rc = string_to_context_struct(policydb, sidtab, scontext2, 1576 &context, def_sid); 1577 if (rc == -EINVAL && force) { 1578 context.str = str; 1579 context.len = strlen(str) + 1; 1580 str = NULL; 1581 } else if (rc) 1582 goto out_unlock; | 1483static int security_context_to_sid_core(struct selinux_state *state, 1484 const char *scontext, u32 scontext_len, 1485 u32 *sid, u32 def_sid, gfp_t gfp_flags, 1486 int force) 1487{ 1488 struct policydb *policydb; 1489 struct sidtab *sidtab; 1490 char *scontext2, *str = NULL; --- 38 unchanged lines hidden (view full) --- 1529 rc = string_to_context_struct(policydb, sidtab, scontext2, 1530 &context, def_sid); 1531 if (rc == -EINVAL && force) { 1532 context.str = str; 1533 context.len = strlen(str) + 1; 1534 str = NULL; 1535 } else if (rc) 1536 goto out_unlock; |
1583 rc = context_struct_to_sid(state, &context, sid); | 1537 rc = sidtab_context_to_sid(sidtab, &context, sid); |
1584 context_destroy(&context); 1585out_unlock: 1586 read_unlock(&state->ss->policy_rwlock); 1587out: 1588 kfree(scontext2); 1589 kfree(str); 1590 return rc; 1591} --- 110 unchanged lines hidden (view full) --- 1702 */ 1703 if (!ebitmap_get_bit(&policydb->filename_trans_ttypes, ttype)) 1704 return; 1705 1706 ft.ttype = ttype; 1707 ft.tclass = tclass; 1708 ft.name = objname; 1709 | 1538 context_destroy(&context); 1539out_unlock: 1540 read_unlock(&state->ss->policy_rwlock); 1541out: 1542 kfree(scontext2); 1543 kfree(str); 1544 return rc; 1545} --- 110 unchanged lines hidden (view full) --- 1656 */ 1657 if (!ebitmap_get_bit(&policydb->filename_trans_ttypes, ttype)) 1658 return; 1659 1660 ft.ttype = ttype; 1661 ft.tclass = tclass; 1662 ft.name = objname; 1663 |
1710 datum = hashtab_search(policydb->filename_trans, &ft); | 1664 datum = policydb_filenametr_search(policydb, &ft); |
1711 while (datum) { 1712 if (ebitmap_get_bit(&datum->stypes, stype - 1)) { 1713 newcontext->type = datum->otype; 1714 return; 1715 } 1716 datum = datum->next; 1717 } 1718} --- 7 unchanged lines hidden (view full) --- 1726 u32 *out_sid, 1727 bool kern) 1728{ 1729 struct policydb *policydb; 1730 struct sidtab *sidtab; 1731 struct class_datum *cladatum = NULL; 1732 struct context *scontext, *tcontext, newcontext; 1733 struct sidtab_entry *sentry, *tentry; | 1665 while (datum) { 1666 if (ebitmap_get_bit(&datum->stypes, stype - 1)) { 1667 newcontext->type = datum->otype; 1668 return; 1669 } 1670 datum = datum->next; 1671 } 1672} --- 7 unchanged lines hidden (view full) --- 1680 u32 *out_sid, 1681 bool kern) 1682{ 1683 struct policydb *policydb; 1684 struct sidtab *sidtab; 1685 struct class_datum *cladatum = NULL; 1686 struct context *scontext, *tcontext, newcontext; 1687 struct sidtab_entry *sentry, *tentry; |
1734 struct role_trans *roletr = NULL; | |
1735 struct avtab_key avkey; 1736 struct avtab_datum *avdatum; 1737 struct avtab_node *node; 1738 u16 tclass; 1739 int rc = 0; 1740 bool sock; 1741 1742 if (!selinux_initialized(state)) { --- 64 unchanged lines hidden (view full) --- 1807 } 1808 1809 /* Set the role to default values. */ 1810 if (cladatum && cladatum->default_role == DEFAULT_SOURCE) { 1811 newcontext.role = scontext->role; 1812 } else if (cladatum && cladatum->default_role == DEFAULT_TARGET) { 1813 newcontext.role = tcontext->role; 1814 } else { | 1688 struct avtab_key avkey; 1689 struct avtab_datum *avdatum; 1690 struct avtab_node *node; 1691 u16 tclass; 1692 int rc = 0; 1693 bool sock; 1694 1695 if (!selinux_initialized(state)) { --- 64 unchanged lines hidden (view full) --- 1760 } 1761 1762 /* Set the role to default values. */ 1763 if (cladatum && cladatum->default_role == DEFAULT_SOURCE) { 1764 newcontext.role = scontext->role; 1765 } else if (cladatum && cladatum->default_role == DEFAULT_TARGET) { 1766 newcontext.role = tcontext->role; 1767 } else { |
1815 if ((tclass == policydb->process_class) || (sock == true)) | 1768 if ((tclass == policydb->process_class) || sock) |
1816 newcontext.role = scontext->role; 1817 else 1818 newcontext.role = OBJECT_R_VAL; 1819 } 1820 1821 /* Set the type to default values. */ 1822 if (cladatum && cladatum->default_type == DEFAULT_SOURCE) { 1823 newcontext.type = scontext->type; 1824 } else if (cladatum && cladatum->default_type == DEFAULT_TARGET) { 1825 newcontext.type = tcontext->type; 1826 } else { | 1769 newcontext.role = scontext->role; 1770 else 1771 newcontext.role = OBJECT_R_VAL; 1772 } 1773 1774 /* Set the type to default values. */ 1775 if (cladatum && cladatum->default_type == DEFAULT_SOURCE) { 1776 newcontext.type = scontext->type; 1777 } else if (cladatum && cladatum->default_type == DEFAULT_TARGET) { 1778 newcontext.type = tcontext->type; 1779 } else { |
1827 if ((tclass == policydb->process_class) || (sock == true)) { | 1780 if ((tclass == policydb->process_class) || sock) { |
1828 /* Use the type of process. */ 1829 newcontext.type = scontext->type; 1830 } else { 1831 /* Use the type of the related object. */ 1832 newcontext.type = tcontext->type; 1833 } 1834 } 1835 --- 23 unchanged lines hidden (view full) --- 1859 /* if we have a objname this is a file trans check so check those rules */ 1860 if (objname) 1861 filename_compute_type(policydb, &newcontext, scontext->type, 1862 tcontext->type, tclass, objname); 1863 1864 /* Check for class-specific changes. */ 1865 if (specified & AVTAB_TRANSITION) { 1866 /* Look for a role transition rule. */ | 1781 /* Use the type of process. */ 1782 newcontext.type = scontext->type; 1783 } else { 1784 /* Use the type of the related object. */ 1785 newcontext.type = tcontext->type; 1786 } 1787 } 1788 --- 23 unchanged lines hidden (view full) --- 1812 /* if we have a objname this is a file trans check so check those rules */ 1813 if (objname) 1814 filename_compute_type(policydb, &newcontext, scontext->type, 1815 tcontext->type, tclass, objname); 1816 1817 /* Check for class-specific changes. */ 1818 if (specified & AVTAB_TRANSITION) { 1819 /* Look for a role transition rule. */ |
1867 for (roletr = policydb->role_tr; roletr; 1868 roletr = roletr->next) { 1869 if ((roletr->role == scontext->role) && 1870 (roletr->type == tcontext->type) && 1871 (roletr->tclass == tclass)) { 1872 /* Use the role transition rule. */ 1873 newcontext.role = roletr->new_role; 1874 break; 1875 } 1876 } | 1820 struct role_trans_datum *rtd; 1821 struct role_trans_key rtk = { 1822 .role = scontext->role, 1823 .type = tcontext->type, 1824 .tclass = tclass, 1825 }; 1826 1827 rtd = policydb_roletr_search(policydb, &rtk); 1828 if (rtd) 1829 newcontext.role = rtd->new_role; |
1877 } 1878 1879 /* Set the MLS attributes. 1880 This is done last because it may allocate memory. */ 1881 rc = mls_compute_sid(policydb, scontext, tcontext, tclass, specified, 1882 &newcontext, sock); 1883 if (rc) 1884 goto out_unlock; 1885 1886 /* Check the validity of the context. */ 1887 if (!policydb_context_isvalid(policydb, &newcontext)) { 1888 rc = compute_sid_handle_invalid_context(state, sentry, tentry, 1889 tclass, &newcontext); 1890 if (rc) 1891 goto out_unlock; 1892 } 1893 /* Obtain the sid for the context. */ | 1830 } 1831 1832 /* Set the MLS attributes. 1833 This is done last because it may allocate memory. */ 1834 rc = mls_compute_sid(policydb, scontext, tcontext, tclass, specified, 1835 &newcontext, sock); 1836 if (rc) 1837 goto out_unlock; 1838 1839 /* Check the validity of the context. */ 1840 if (!policydb_context_isvalid(policydb, &newcontext)) { 1841 rc = compute_sid_handle_invalid_context(state, sentry, tentry, 1842 tclass, &newcontext); 1843 if (rc) 1844 goto out_unlock; 1845 } 1846 /* Obtain the sid for the context. */ |
1894 rc = context_struct_to_sid(state, &newcontext, out_sid); | 1847 rc = sidtab_context_to_sid(sidtab, &newcontext, out_sid); |
1895out_unlock: 1896 read_unlock(&state->ss->policy_rwlock); 1897 context_destroy(&newcontext); 1898out: 1899 return rc; 1900} 1901 1902/** --- 135 unchanged lines hidden (view full) --- 2038 * IMPORTANT: We need to copy the contents of oldc->str 2039 * back into s again because string_to_context_struct() 2040 * may have garbled it. 2041 */ 2042 memcpy(s, oldc->str, oldc->len); 2043 context_init(newc); 2044 newc->str = s; 2045 newc->len = oldc->len; | 1848out_unlock: 1849 read_unlock(&state->ss->policy_rwlock); 1850 context_destroy(&newcontext); 1851out: 1852 return rc; 1853} 1854 1855/** --- 135 unchanged lines hidden (view full) --- 1991 * IMPORTANT: We need to copy the contents of oldc->str 1992 * back into s again because string_to_context_struct() 1993 * may have garbled it. 1994 */ 1995 memcpy(s, oldc->str, oldc->len); 1996 context_init(newc); 1997 newc->str = s; 1998 newc->len = oldc->len; |
2046 newc->hash = oldc->hash; | |
2047 return 0; 2048 } 2049 kfree(s); 2050 if (rc) { 2051 /* Other error condition, e.g. ENOMEM. */ 2052 pr_err("SELinux: Unable to map context %s, rc = %d.\n", 2053 oldc->str, -rc); 2054 return rc; 2055 } 2056 pr_info("SELinux: Context %s became valid (mapped).\n", 2057 oldc->str); 2058 return 0; 2059 } 2060 2061 context_init(newc); 2062 2063 /* Convert the user. */ 2064 rc = -EINVAL; | 1999 return 0; 2000 } 2001 kfree(s); 2002 if (rc) { 2003 /* Other error condition, e.g. ENOMEM. */ 2004 pr_err("SELinux: Unable to map context %s, rc = %d.\n", 2005 oldc->str, -rc); 2006 return rc; 2007 } 2008 pr_info("SELinux: Context %s became valid (mapped).\n", 2009 oldc->str); 2010 return 0; 2011 } 2012 2013 context_init(newc); 2014 2015 /* Convert the user. */ 2016 rc = -EINVAL; |
2065 usrdatum = hashtab_search(args->newp->p_users.table, 2066 sym_name(args->oldp, 2067 SYM_USERS, oldc->user - 1)); | 2017 usrdatum = symtab_search(&args->newp->p_users, 2018 sym_name(args->oldp, 2019 SYM_USERS, oldc->user - 1)); |
2068 if (!usrdatum) 2069 goto bad; 2070 newc->user = usrdatum->value; 2071 2072 /* Convert the role. */ 2073 rc = -EINVAL; | 2020 if (!usrdatum) 2021 goto bad; 2022 newc->user = usrdatum->value; 2023 2024 /* Convert the role. */ 2025 rc = -EINVAL; |
2074 role = hashtab_search(args->newp->p_roles.table, 2075 sym_name(args->oldp, SYM_ROLES, oldc->role - 1)); | 2026 role = symtab_search(&args->newp->p_roles, 2027 sym_name(args->oldp, SYM_ROLES, oldc->role - 1)); |
2076 if (!role) 2077 goto bad; 2078 newc->role = role->value; 2079 2080 /* Convert the type. */ 2081 rc = -EINVAL; | 2028 if (!role) 2029 goto bad; 2030 newc->role = role->value; 2031 2032 /* Convert the type. */ 2033 rc = -EINVAL; |
2082 typdatum = hashtab_search(args->newp->p_types.table, 2083 sym_name(args->oldp, 2084 SYM_TYPES, oldc->type - 1)); | 2034 typdatum = symtab_search(&args->newp->p_types, 2035 sym_name(args->oldp, 2036 SYM_TYPES, oldc->type - 1)); |
2085 if (!typdatum) 2086 goto bad; 2087 newc->type = typdatum->value; 2088 2089 /* Convert the MLS fields if dealing with MLS policies */ 2090 if (args->oldp->mls_enabled && args->newp->mls_enabled) { 2091 rc = mls_convert_context(args->oldp, args->newp, oldc, newc); 2092 if (rc) --- 22 unchanged lines hidden (view full) --- 2115 2116 /* Check the validity of the new context. */ 2117 if (!policydb_context_isvalid(args->newp, newc)) { 2118 rc = convert_context_handle_invalid_context(args->state, oldc); 2119 if (rc) 2120 goto bad; 2121 } 2122 | 2037 if (!typdatum) 2038 goto bad; 2039 newc->type = typdatum->value; 2040 2041 /* Convert the MLS fields if dealing with MLS policies */ 2042 if (args->oldp->mls_enabled && args->newp->mls_enabled) { 2043 rc = mls_convert_context(args->oldp, args->newp, oldc, newc); 2044 if (rc) --- 22 unchanged lines hidden (view full) --- 2067 2068 /* Check the validity of the new context. */ 2069 if (!policydb_context_isvalid(args->newp, newc)) { 2070 rc = convert_context_handle_invalid_context(args->state, oldc); 2071 if (rc) 2072 goto bad; 2073 } 2074 |
2123 rc = context_add_hash(args->newp, newc); 2124 if (rc) 2125 goto bad; 2126 | |
2127 return 0; 2128bad: 2129 /* Map old representation to string and save it. */ 2130 rc = context_struct_to_string(args->oldp, oldc, &s, &len); 2131 if (rc) 2132 return rc; 2133 context_destroy(newc); 2134 newc->str = s; 2135 newc->len = len; | 2075 return 0; 2076bad: 2077 /* Map old representation to string and save it. */ 2078 rc = context_struct_to_string(args->oldp, oldc, &s, &len); 2079 if (rc) 2080 return rc; 2081 context_destroy(newc); 2082 newc->str = s; 2083 newc->len = len; |
2136 newc->hash = context_compute_hash(s); | |
2137 pr_info("SELinux: Context %s became invalid (unmapped).\n", 2138 newc->str); 2139 return 0; 2140} 2141 2142static void security_load_policycaps(struct selinux_state *state) 2143{ 2144 struct policydb *p = &state->ss->policydb; --- 200 unchanged lines hidden (view full) --- 2345 * @protocol: protocol number 2346 * @port: port number 2347 * @out_sid: security identifier 2348 */ 2349int security_port_sid(struct selinux_state *state, 2350 u8 protocol, u16 port, u32 *out_sid) 2351{ 2352 struct policydb *policydb; | 2084 pr_info("SELinux: Context %s became invalid (unmapped).\n", 2085 newc->str); 2086 return 0; 2087} 2088 2089static void security_load_policycaps(struct selinux_state *state) 2090{ 2091 struct policydb *p = &state->ss->policydb; --- 200 unchanged lines hidden (view full) --- 2292 * @protocol: protocol number 2293 * @port: port number 2294 * @out_sid: security identifier 2295 */ 2296int security_port_sid(struct selinux_state *state, 2297 u8 protocol, u16 port, u32 *out_sid) 2298{ 2299 struct policydb *policydb; |
2300 struct sidtab *sidtab; |
|
2353 struct ocontext *c; 2354 int rc = 0; 2355 2356 read_lock(&state->ss->policy_rwlock); 2357 2358 policydb = &state->ss->policydb; | 2301 struct ocontext *c; 2302 int rc = 0; 2303 2304 read_lock(&state->ss->policy_rwlock); 2305 2306 policydb = &state->ss->policydb; |
2307 sidtab = state->ss->sidtab; |
|
2359 2360 c = policydb->ocontexts[OCON_PORT]; 2361 while (c) { 2362 if (c->u.port.protocol == protocol && 2363 c->u.port.low_port <= port && 2364 c->u.port.high_port >= port) 2365 break; 2366 c = c->next; 2367 } 2368 2369 if (c) { 2370 if (!c->sid[0]) { | 2308 2309 c = policydb->ocontexts[OCON_PORT]; 2310 while (c) { 2311 if (c->u.port.protocol == protocol && 2312 c->u.port.low_port <= port && 2313 c->u.port.high_port >= port) 2314 break; 2315 c = c->next; 2316 } 2317 2318 if (c) { 2319 if (!c->sid[0]) { |
2371 rc = context_struct_to_sid(state, &c->context[0], | 2320 rc = sidtab_context_to_sid(sidtab, &c->context[0], |
2372 &c->sid[0]); 2373 if (rc) 2374 goto out; 2375 } 2376 *out_sid = c->sid[0]; 2377 } else { 2378 *out_sid = SECINITSID_PORT; 2379 } --- 8 unchanged lines hidden (view full) --- 2388 * @subnet_prefix: Subnet Prefix 2389 * @pkey_num: pkey number 2390 * @out_sid: security identifier 2391 */ 2392int security_ib_pkey_sid(struct selinux_state *state, 2393 u64 subnet_prefix, u16 pkey_num, u32 *out_sid) 2394{ 2395 struct policydb *policydb; | 2321 &c->sid[0]); 2322 if (rc) 2323 goto out; 2324 } 2325 *out_sid = c->sid[0]; 2326 } else { 2327 *out_sid = SECINITSID_PORT; 2328 } --- 8 unchanged lines hidden (view full) --- 2337 * @subnet_prefix: Subnet Prefix 2338 * @pkey_num: pkey number 2339 * @out_sid: security identifier 2340 */ 2341int security_ib_pkey_sid(struct selinux_state *state, 2342 u64 subnet_prefix, u16 pkey_num, u32 *out_sid) 2343{ 2344 struct policydb *policydb; |
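Review bot: security_port_sid() still populates `c->sid[0]` lazily while holding only the policy read lock (`read_lock(&state->ss->policy_rwlock)` earlier in this hunk), so two concurrent callers can both take the `if (!c->sid[0])` branch, both run `sidtab_context_to_sid(sidtab, &c->context[0], &c->sid[0])` and both store, and that plain store races with the plain loads in every other reader of the ocontext list. This is only harmless if sidtab_context_to_sid() returns the same SID for an identical context (not visible here — confirm in sidtab.c), and because `&c->sid[0]` is handed to the callee as its output slot, whether a failed lookup can leave a partial value in the shared field also depends on the callee. The new side repeats this exact `sidtab = state->ss->sidtab; … sidtab_context_to_sid(sidtab, &c->context[0], &c->sid[0])` shape in the ib_pkey, ib_endport, netif, node, genfs and fs_use hunks below, so I would factor it into one helper that writes the shared slot only from a local on success, uses READ_ONCE/WRITE_ONCE for the racing accesses, and carries a comment stating why the race is tolerated, as sketched below. security_port_sid()'s `out:` label and the matching read_unlock() are outside this hunk.
```c
/*
 * Lazily resolve ocontext slot @index to a SID.  Callers hold only the
 * policy read lock, so several readers may get here at once; that is
 * tolerated on the assumption that sidtab_context_to_sid() maps an
 * identical context to the same SID, so every racer stores the same
 * value.  The SID is written only from a local on success so a failed
 * lookup never leaves a partial value in the shared field.
 */
static int ocontext_to_sid(struct sidtab *sidtab, struct ocontext *c,
			   size_t index, u32 *out_sid)
{
	u32 sid = READ_ONCE(c->sid[index]);
	int rc;

	if (!sid) {
		rc = sidtab_context_to_sid(sidtab, &c->context[index], &sid);
		if (rc)
			return rc;
		WRITE_ONCE(c->sid[index], sid);
	}
	*out_sid = sid;
	return 0;
}

/* … unchanged: security_port_sid() lock, policydb/sidtab setup and OCON_PORT walk … */
	if (c)
		rc = ocontext_to_sid(sidtab, c, 0, out_sid);
	else
		*out_sid = SECINITSID_PORT;
```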
2345 struct sidtab *sidtab; |
|
2396 struct ocontext *c; 2397 int rc = 0; 2398 2399 read_lock(&state->ss->policy_rwlock); 2400 2401 policydb = &state->ss->policydb; | 2346 struct ocontext *c; 2347 int rc = 0; 2348 2349 read_lock(&state->ss->policy_rwlock); 2350 2351 policydb = &state->ss->policydb; |
2352 sidtab = state->ss->sidtab; |
|
2402 2403 c = policydb->ocontexts[OCON_IBPKEY]; 2404 while (c) { 2405 if (c->u.ibpkey.low_pkey <= pkey_num && 2406 c->u.ibpkey.high_pkey >= pkey_num && 2407 c->u.ibpkey.subnet_prefix == subnet_prefix) 2408 break; 2409 2410 c = c->next; 2411 } 2412 2413 if (c) { 2414 if (!c->sid[0]) { | 2353 2354 c = policydb->ocontexts[OCON_IBPKEY]; 2355 while (c) { 2356 if (c->u.ibpkey.low_pkey <= pkey_num && 2357 c->u.ibpkey.high_pkey >= pkey_num && 2358 c->u.ibpkey.subnet_prefix == subnet_prefix) 2359 break; 2360 2361 c = c->next; 2362 } 2363 2364 if (c) { 2365 if (!c->sid[0]) { |
2415 rc = context_struct_to_sid(state, | 2366 rc = sidtab_context_to_sid(sidtab, |
2416 &c->context[0], 2417 &c->sid[0]); 2418 if (rc) 2419 goto out; 2420 } 2421 *out_sid = c->sid[0]; 2422 } else 2423 *out_sid = SECINITSID_UNLABELED; --- 8 unchanged lines hidden (view full) --- 2432 * @dev_name: device name 2433 * @port: port number 2434 * @out_sid: security identifier 2435 */ 2436int security_ib_endport_sid(struct selinux_state *state, 2437 const char *dev_name, u8 port_num, u32 *out_sid) 2438{ 2439 struct policydb *policydb; | 2367 &c->context[0], 2368 &c->sid[0]); 2369 if (rc) 2370 goto out; 2371 } 2372 *out_sid = c->sid[0]; 2373 } else 2374 *out_sid = SECINITSID_UNLABELED; --- 8 unchanged lines hidden (view full) --- 2383 * @dev_name: device name 2384 * @port: port number 2385 * @out_sid: security identifier 2386 */ 2387int security_ib_endport_sid(struct selinux_state *state, 2388 const char *dev_name, u8 port_num, u32 *out_sid) 2389{ 2390 struct policydb *policydb; |
2391 struct sidtab *sidtab; |
|
2440 struct ocontext *c; 2441 int rc = 0; 2442 2443 read_lock(&state->ss->policy_rwlock); 2444 2445 policydb = &state->ss->policydb; | 2392 struct ocontext *c; 2393 int rc = 0; 2394 2395 read_lock(&state->ss->policy_rwlock); 2396 2397 policydb = &state->ss->policydb; |
2398 sidtab = state->ss->sidtab; |
|
2446 2447 c = policydb->ocontexts[OCON_IBENDPORT]; 2448 while (c) { 2449 if (c->u.ibendport.port == port_num && 2450 !strncmp(c->u.ibendport.dev_name, 2451 dev_name, 2452 IB_DEVICE_NAME_MAX)) 2453 break; 2454 2455 c = c->next; 2456 } 2457 2458 if (c) { 2459 if (!c->sid[0]) { | 2399 2400 c = policydb->ocontexts[OCON_IBENDPORT]; 2401 while (c) { 2402 if (c->u.ibendport.port == port_num && 2403 !strncmp(c->u.ibendport.dev_name, 2404 dev_name, 2405 IB_DEVICE_NAME_MAX)) 2406 break; 2407 2408 c = c->next; 2409 } 2410 2411 if (c) { 2412 if (!c->sid[0]) { |
2460 rc = context_struct_to_sid(state, &c->context[0], | 2413 rc = sidtab_context_to_sid(sidtab, &c->context[0], |
2461 &c->sid[0]); 2462 if (rc) 2463 goto out; 2464 } 2465 *out_sid = c->sid[0]; 2466 } else 2467 *out_sid = SECINITSID_UNLABELED; 2468 --- 6 unchanged lines hidden (view full) --- 2475 * security_netif_sid - Obtain the SID for a network interface. 2476 * @name: interface name 2477 * @if_sid: interface SID 2478 */ 2479int security_netif_sid(struct selinux_state *state, 2480 char *name, u32 *if_sid) 2481{ 2482 struct policydb *policydb; | 2414 &c->sid[0]); 2415 if (rc) 2416 goto out; 2417 } 2418 *out_sid = c->sid[0]; 2419 } else 2420 *out_sid = SECINITSID_UNLABELED; 2421 --- 6 unchanged lines hidden (view full) --- 2428 * security_netif_sid - Obtain the SID for a network interface. 2429 * @name: interface name 2430 * @if_sid: interface SID 2431 */ 2432int security_netif_sid(struct selinux_state *state, 2433 char *name, u32 *if_sid) 2434{ 2435 struct policydb *policydb; |
2436 struct sidtab *sidtab; |
|
2483 int rc = 0; 2484 struct ocontext *c; 2485 2486 read_lock(&state->ss->policy_rwlock); 2487 2488 policydb = &state->ss->policydb; | 2437 int rc = 0; 2438 struct ocontext *c; 2439 2440 read_lock(&state->ss->policy_rwlock); 2441 2442 policydb = &state->ss->policydb; |
2443 sidtab = state->ss->sidtab; |
|
2489 2490 c = policydb->ocontexts[OCON_NETIF]; 2491 while (c) { 2492 if (strcmp(name, c->u.name) == 0) 2493 break; 2494 c = c->next; 2495 } 2496 2497 if (c) { 2498 if (!c->sid[0] || !c->sid[1]) { | 2444 2445 c = policydb->ocontexts[OCON_NETIF]; 2446 while (c) { 2447 if (strcmp(name, c->u.name) == 0) 2448 break; 2449 c = c->next; 2450 } 2451 2452 if (c) { 2453 if (!c->sid[0] || !c->sid[1]) { |
2499 rc = context_struct_to_sid(state, &c->context[0], | 2454 rc = sidtab_context_to_sid(sidtab, &c->context[0], |
2500 &c->sid[0]); 2501 if (rc) 2502 goto out; | 2455 &c->sid[0]); 2456 if (rc) 2457 goto out; |
2503 rc = context_struct_to_sid(state, &c->context[1], | 2458 rc = sidtab_context_to_sid(sidtab, &c->context[1], |
2504 &c->sid[1]); 2505 if (rc) 2506 goto out; 2507 } 2508 *if_sid = c->sid[0]; 2509 } else 2510 *if_sid = SECINITSID_NETIF; 2511 --- 24 unchanged lines hidden (view full) --- 2536 */ 2537int security_node_sid(struct selinux_state *state, 2538 u16 domain, 2539 void *addrp, 2540 u32 addrlen, 2541 u32 *out_sid) 2542{ 2543 struct policydb *policydb; | 2459 &c->sid[1]); 2460 if (rc) 2461 goto out; 2462 } 2463 *if_sid = c->sid[0]; 2464 } else 2465 *if_sid = SECINITSID_NETIF; 2466 --- 24 unchanged lines hidden (view full) --- 2491 */ 2492int security_node_sid(struct selinux_state *state, 2493 u16 domain, 2494 void *addrp, 2495 u32 addrlen, 2496 u32 *out_sid) 2497{ 2498 struct policydb *policydb; |
2499 struct sidtab *sidtab; |
|
2544 int rc; 2545 struct ocontext *c; 2546 2547 read_lock(&state->ss->policy_rwlock); 2548 2549 policydb = &state->ss->policydb; | 2500 int rc; 2501 struct ocontext *c; 2502 2503 read_lock(&state->ss->policy_rwlock); 2504 2505 policydb = &state->ss->policydb; |
2506 sidtab = state->ss->sidtab; |
|
2550 2551 switch (domain) { 2552 case AF_INET: { 2553 u32 addr; 2554 2555 rc = -EINVAL; 2556 if (addrlen != sizeof(u32)) 2557 goto out; --- 25 unchanged lines hidden (view full) --- 2583 default: 2584 rc = 0; 2585 *out_sid = SECINITSID_NODE; 2586 goto out; 2587 } 2588 2589 if (c) { 2590 if (!c->sid[0]) { | 2507 2508 switch (domain) { 2509 case AF_INET: { 2510 u32 addr; 2511 2512 rc = -EINVAL; 2513 if (addrlen != sizeof(u32)) 2514 goto out; --- 25 unchanged lines hidden (view full) --- 2540 default: 2541 rc = 0; 2542 *out_sid = SECINITSID_NODE; 2543 goto out; 2544 } 2545 2546 if (c) { 2547 if (!c->sid[0]) { |
2591 rc = context_struct_to_sid(state, | 2548 rc = sidtab_context_to_sid(sidtab, |
2592 &c->context[0], 2593 &c->sid[0]); 2594 if (rc) 2595 goto out; 2596 } 2597 *out_sid = c->sid[0]; 2598 } else { 2599 *out_sid = SECINITSID_NODE; --- 51 unchanged lines hidden (view full) --- 2651 context_init(&usercon); 2652 2653 rc = -EINVAL; 2654 fromcon = sidtab_search(sidtab, fromsid); 2655 if (!fromcon) 2656 goto out_unlock; 2657 2658 rc = -EINVAL; | 2549 &c->context[0], 2550 &c->sid[0]); 2551 if (rc) 2552 goto out; 2553 } 2554 *out_sid = c->sid[0]; 2555 } else { 2556 *out_sid = SECINITSID_NODE; --- 51 unchanged lines hidden (view full) --- 2608 context_init(&usercon); 2609 2610 rc = -EINVAL; 2611 fromcon = sidtab_search(sidtab, fromsid); 2612 if (!fromcon) 2613 goto out_unlock; 2614 2615 rc = -EINVAL; |
2659 user = hashtab_search(policydb->p_users.table, username); | 2616 user = symtab_search(&policydb->p_users, username); |
2660 if (!user) 2661 goto out_unlock; 2662 2663 usercon.user = user->value; 2664 2665 rc = -ENOMEM; 2666 mysids = kcalloc(maxnel, sizeof(*mysids), GFP_ATOMIC); 2667 if (!mysids) 2668 goto out_unlock; 2669 2670 ebitmap_for_each_positive_bit(&user->roles, rnode, i) { 2671 role = policydb->role_val_to_struct[i]; 2672 usercon.role = i + 1; 2673 ebitmap_for_each_positive_bit(&role->types, tnode, j) { 2674 usercon.type = j + 1; | 2617 if (!user) 2618 goto out_unlock; 2619 2620 usercon.user = user->value; 2621 2622 rc = -ENOMEM; 2623 mysids = kcalloc(maxnel, sizeof(*mysids), GFP_ATOMIC); 2624 if (!mysids) 2625 goto out_unlock; 2626 2627 ebitmap_for_each_positive_bit(&user->roles, rnode, i) { 2628 role = policydb->role_val_to_struct[i]; 2629 usercon.role = i + 1; 2630 ebitmap_for_each_positive_bit(&role->types, tnode, j) { 2631 usercon.type = j + 1; |
2675 /* 2676 * The same context struct is reused here so the hash 2677 * must be reset. 2678 */ 2679 usercon.hash = 0; | |
2680 2681 if (mls_setup_user_range(policydb, fromcon, user, 2682 &usercon)) 2683 continue; 2684 | 2632 2633 if (mls_setup_user_range(policydb, fromcon, user, 2634 &usercon)) 2635 continue; 2636 |
2685 rc = context_struct_to_sid(state, &usercon, &sid); | 2637 rc = sidtab_context_to_sid(sidtab, &usercon, &sid); |
2686 if (rc) 2687 goto out_unlock; 2688 if (mynel < maxnel) { 2689 mysids[mynel++] = sid; 2690 } else { 2691 rc = -ENOMEM; 2692 maxnel += SIDS_NEL; 2693 mysids2 = kcalloc(maxnel, sizeof(*mysids2), GFP_ATOMIC); --- 54 unchanged lines hidden (view full) --- 2748 */ 2749static inline int __security_genfs_sid(struct selinux_state *state, 2750 const char *fstype, 2751 char *path, 2752 u16 orig_sclass, 2753 u32 *sid) 2754{ 2755 struct policydb *policydb = &state->ss->policydb; | 2638 if (rc) 2639 goto out_unlock; 2640 if (mynel < maxnel) { 2641 mysids[mynel++] = sid; 2642 } else { 2643 rc = -ENOMEM; 2644 maxnel += SIDS_NEL; 2645 mysids2 = kcalloc(maxnel, sizeof(*mysids2), GFP_ATOMIC); --- 54 unchanged lines hidden (view full) --- 2700 */ 2701static inline int __security_genfs_sid(struct selinux_state *state, 2702 const char *fstype, 2703 char *path, 2704 u16 orig_sclass, 2705 u32 *sid) 2706{ 2707 struct policydb *policydb = &state->ss->policydb; |
2708 struct sidtab *sidtab = state->ss->sidtab; |
|
2756 int len; 2757 u16 sclass; 2758 struct genfs *genfs; 2759 struct ocontext *c; 2760 int rc, cmp = 0; 2761 2762 while (path[0] == '/' && path[1] == '/') 2763 path++; --- 18 unchanged lines hidden (view full) --- 2782 break; 2783 } 2784 2785 rc = -ENOENT; 2786 if (!c) 2787 goto out; 2788 2789 if (!c->sid[0]) { | 2709 int len; 2710 u16 sclass; 2711 struct genfs *genfs; 2712 struct ocontext *c; 2713 int rc, cmp = 0; 2714 2715 while (path[0] == '/' && path[1] == '/') 2716 path++; --- 18 unchanged lines hidden (view full) --- 2735 break; 2736 } 2737 2738 rc = -ENOENT; 2739 if (!c) 2740 goto out; 2741 2742 if (!c->sid[0]) { |
2790 rc = context_struct_to_sid(state, &c->context[0], &c->sid[0]); | 2743 rc = sidtab_context_to_sid(sidtab, &c->context[0], &c->sid[0]); |
2791 if (rc) 2792 goto out; 2793 } 2794 2795 *sid = c->sid[0]; 2796 rc = 0; 2797out: 2798 return rc; --- 25 unchanged lines hidden (view full) --- 2824 2825/** 2826 * security_fs_use - Determine how to handle labeling for a filesystem. 2827 * @sb: superblock in question 2828 */ 2829int security_fs_use(struct selinux_state *state, struct super_block *sb) 2830{ 2831 struct policydb *policydb; | 2744 if (rc) 2745 goto out; 2746 } 2747 2748 *sid = c->sid[0]; 2749 rc = 0; 2750out: 2751 return rc; --- 25 unchanged lines hidden (view full) --- 2777 2778/** 2779 * security_fs_use - Determine how to handle labeling for a filesystem. 2780 * @sb: superblock in question 2781 */ 2782int security_fs_use(struct selinux_state *state, struct super_block *sb) 2783{ 2784 struct policydb *policydb; |
2785 struct sidtab *sidtab; |
|
2832 int rc = 0; 2833 struct ocontext *c; 2834 struct superblock_security_struct *sbsec = sb->s_security; 2835 const char *fstype = sb->s_type->name; 2836 2837 read_lock(&state->ss->policy_rwlock); 2838 2839 policydb = &state->ss->policydb; | 2786 int rc = 0; 2787 struct ocontext *c; 2788 struct superblock_security_struct *sbsec = sb->s_security; 2789 const char *fstype = sb->s_type->name; 2790 2791 read_lock(&state->ss->policy_rwlock); 2792 2793 policydb = &state->ss->policydb; |
2794 sidtab = state->ss->sidtab; |
|
2840 2841 c = policydb->ocontexts[OCON_FSUSE]; 2842 while (c) { 2843 if (strcmp(fstype, c->u.name) == 0) 2844 break; 2845 c = c->next; 2846 } 2847 2848 if (c) { 2849 sbsec->behavior = c->v.behavior; 2850 if (!c->sid[0]) { | 2795 2796 c = policydb->ocontexts[OCON_FSUSE]; 2797 while (c) { 2798 if (strcmp(fstype, c->u.name) == 0) 2799 break; 2800 c = c->next; 2801 } 2802 2803 if (c) { 2804 sbsec->behavior = c->v.behavior; 2805 if (!c->sid[0]) { |
2851 rc = context_struct_to_sid(state, &c->context[0], | 2806 rc = sidtab_context_to_sid(sidtab, &c->context[0], |
2852 &c->sid[0]); 2853 if (rc) 2854 goto out; 2855 } 2856 sbsec->sid = c->sid[0]; 2857 } else { 2858 rc = __security_genfs_sid(state, fstype, "/", SECCLASS_DIR, 2859 &sbsec->sid); --- 58 unchanged lines hidden (view full) --- 2918 rc = 0; 2919out: 2920 read_unlock(&state->ss->policy_rwlock); 2921 return rc; 2922err: 2923 if (*names) { 2924 for (i = 0; i < *len; i++) 2925 kfree((*names)[i]); | 2807 &c->sid[0]); 2808 if (rc) 2809 goto out; 2810 } 2811 sbsec->sid = c->sid[0]; 2812 } else { 2813 rc = __security_genfs_sid(state, fstype, "/", SECCLASS_DIR, 2814 &sbsec->sid); --- 58 unchanged lines hidden (view full) --- 2873 rc = 0; 2874out: 2875 read_unlock(&state->ss->policy_rwlock); 2876 return rc; 2877err: 2878 if (*names) { 2879 for (i = 0; i < *len; i++) 2880 kfree((*names)[i]); |
2881 kfree(*names); |
|
2926 } 2927 kfree(*values); | 2882 } 2883 kfree(*values); |
2884 *len = 0; 2885 *names = NULL; 2886 *values = NULL; |
|
2928 goto out; 2929} 2930 2931 2932int security_set_bools(struct selinux_state *state, u32 len, int *values) 2933{ 2934 struct policydb *policydb; 2935 int rc; --- 69 unchanged lines hidden (view full) --- 3005 char **bnames = NULL; 3006 struct cond_bool_datum *booldatum; 3007 u32 i, nbools = 0; 3008 3009 rc = security_get_bools(state, &nbools, &bnames, &bvalues); 3010 if (rc) 3011 goto out; 3012 for (i = 0; i < nbools; i++) { | 2887 goto out; 2888} 2889 2890 2891int security_set_bools(struct selinux_state *state, u32 len, int *values) 2892{ 2893 struct policydb *policydb; 2894 int rc; --- 69 unchanged lines hidden (view full) --- 2964 char **bnames = NULL; 2965 struct cond_bool_datum *booldatum; 2966 u32 i, nbools = 0; 2967 2968 rc = security_get_bools(state, &nbools, &bnames, &bvalues); 2969 if (rc) 2970 goto out; 2971 for (i = 0; i < nbools; i++) { |
3013 booldatum = hashtab_search(policydb->p_bools.table, bnames[i]); | 2972 booldatum = symtab_search(&policydb->p_bools, bnames[i]); |
3014 if (booldatum) 3015 booldatum->state = bvalues[i]; 3016 } 3017 evaluate_cond_nodes(policydb); 3018 3019out: 3020 if (bnames) { 3021 for (i = 0; i < nbools; i++) --- 69 unchanged lines hidden (view full) --- 3091 /* don't record NUL with untrusted strings */ 3092 audit_log_n_untrustedstring(ab, s, len - 1); 3093 audit_log_end(ab); 3094 kfree(s); 3095 } 3096 goto out_unlock; 3097 } 3098 } | 2973 if (booldatum) 2974 booldatum->state = bvalues[i]; 2975 } 2976 evaluate_cond_nodes(policydb); 2977 2978out: 2979 if (bnames) { 2980 for (i = 0; i < nbools; i++) --- 69 unchanged lines hidden (view full) --- 3050 /* don't record NUL with untrusted strings */ 3051 audit_log_n_untrustedstring(ab, s, len - 1); 3052 audit_log_end(ab); 3053 kfree(s); 3054 } 3055 goto out_unlock; 3056 } 3057 } |
3099 rc = context_struct_to_sid(state, &newcon, new_sid); | 3058 rc = sidtab_context_to_sid(sidtab, &newcon, new_sid); |
3100out_unlock: 3101 read_unlock(&state->ss->policy_rwlock); 3102 context_destroy(&newcon); 3103out: 3104 return rc; 3105} 3106 3107/** --- 111 unchanged lines hidden (view full) --- 3219 read_lock(&state->ss->policy_rwlock); 3220 3221 rc = -ENOMEM; 3222 *nclasses = policydb->p_classes.nprim; 3223 *classes = kcalloc(*nclasses, sizeof(**classes), GFP_ATOMIC); 3224 if (!*classes) 3225 goto out; 3226 | 3059out_unlock: 3060 read_unlock(&state->ss->policy_rwlock); 3061 context_destroy(&newcon); 3062out: 3063 return rc; 3064} 3065 3066/** --- 111 unchanged lines hidden (view full) --- 3178 read_lock(&state->ss->policy_rwlock); 3179 3180 rc = -ENOMEM; 3181 *nclasses = policydb->p_classes.nprim; 3182 *classes = kcalloc(*nclasses, sizeof(**classes), GFP_ATOMIC); 3183 if (!*classes) 3184 goto out; 3185 |
3227 rc = hashtab_map(policydb->p_classes.table, get_classes_callback, 3228 *classes); | 3186 rc = hashtab_map(&policydb->p_classes.table, get_classes_callback, 3187 *classes); |
3229 if (rc) { 3230 int i; 3231 for (i = 0; i < *nclasses; i++) 3232 kfree((*classes)[i]); 3233 kfree(*classes); 3234 } 3235 3236out: --- 19 unchanged lines hidden (view full) --- 3256{ 3257 struct policydb *policydb = &state->ss->policydb; 3258 int rc, i; 3259 struct class_datum *match; 3260 3261 read_lock(&state->ss->policy_rwlock); 3262 3263 rc = -EINVAL; | 3188 if (rc) { 3189 int i; 3190 for (i = 0; i < *nclasses; i++) 3191 kfree((*classes)[i]); 3192 kfree(*classes); 3193 } 3194 3195out: --- 19 unchanged lines hidden (view full) --- 3215{ 3216 struct policydb *policydb = &state->ss->policydb; 3217 int rc, i; 3218 struct class_datum *match; 3219 3220 read_lock(&state->ss->policy_rwlock); 3221 3222 rc = -EINVAL; |
3264 match = hashtab_search(policydb->p_classes.table, class); | 3223 match = symtab_search(&policydb->p_classes, class); |
3265 if (!match) { 3266 pr_err("SELinux: %s: unrecognized class %s\n", 3267 __func__, class); 3268 goto out; 3269 } 3270 3271 rc = -ENOMEM; 3272 *nperms = match->permissions.nprim; 3273 *perms = kcalloc(*nperms, sizeof(**perms), GFP_ATOMIC); 3274 if (!*perms) 3275 goto out; 3276 3277 if (match->comdatum) { | 3224 if (!match) { 3225 pr_err("SELinux: %s: unrecognized class %s\n", 3226 __func__, class); 3227 goto out; 3228 } 3229 3230 rc = -ENOMEM; 3231 *nperms = match->permissions.nprim; 3232 *perms = kcalloc(*nperms, sizeof(**perms), GFP_ATOMIC); 3233 if (!*perms) 3234 goto out; 3235 3236 if (match->comdatum) { |
3278 rc = hashtab_map(match->comdatum->permissions.table, 3279 get_permissions_callback, *perms); | 3237 rc = hashtab_map(&match->comdatum->permissions.table, 3238 get_permissions_callback, *perms); |
3280 if (rc) 3281 goto err; 3282 } 3283 | 3239 if (rc) 3240 goto err; 3241 } 3242 |
3284 rc = hashtab_map(match->permissions.table, get_permissions_callback, 3285 *perms); | 3243 rc = hashtab_map(&match->permissions.table, get_permissions_callback, 3244 *perms); |
3286 if (rc) 3287 goto err; 3288 3289out: 3290 read_unlock(&state->ss->policy_rwlock); 3291 return rc; 3292 3293err: --- 101 unchanged lines hidden (view full) --- 3395 read_lock(&state->ss->policy_rwlock); 3396 3397 tmprule->au_seqno = state->ss->latest_granting; 3398 3399 switch (field) { 3400 case AUDIT_SUBJ_USER: 3401 case AUDIT_OBJ_USER: 3402 rc = -EINVAL; | 3245 if (rc) 3246 goto err; 3247 3248out: 3249 read_unlock(&state->ss->policy_rwlock); 3250 return rc; 3251 3252err: --- 101 unchanged lines hidden (view full) --- 3354 read_lock(&state->ss->policy_rwlock); 3355 3356 tmprule->au_seqno = state->ss->latest_granting; 3357 3358 switch (field) { 3359 case AUDIT_SUBJ_USER: 3360 case AUDIT_OBJ_USER: 3361 rc = -EINVAL; |
3403 userdatum = hashtab_search(policydb->p_users.table, rulestr); | 3362 userdatum = symtab_search(&policydb->p_users, rulestr); |
3404 if (!userdatum) 3405 goto out; 3406 tmprule->au_ctxt.user = userdatum->value; 3407 break; 3408 case AUDIT_SUBJ_ROLE: 3409 case AUDIT_OBJ_ROLE: 3410 rc = -EINVAL; | 3363 if (!userdatum) 3364 goto out; 3365 tmprule->au_ctxt.user = userdatum->value; 3366 break; 3367 case AUDIT_SUBJ_ROLE: 3368 case AUDIT_OBJ_ROLE: 3369 rc = -EINVAL; |
3411 roledatum = hashtab_search(policydb->p_roles.table, rulestr); | 3370 roledatum = symtab_search(&policydb->p_roles, rulestr); |
3412 if (!roledatum) 3413 goto out; 3414 tmprule->au_ctxt.role = roledatum->value; 3415 break; 3416 case AUDIT_SUBJ_TYPE: 3417 case AUDIT_OBJ_TYPE: 3418 rc = -EINVAL; | 3371 if (!roledatum) 3372 goto out; 3373 tmprule->au_ctxt.role = roledatum->value; 3374 break; 3375 case AUDIT_SUBJ_TYPE: 3376 case AUDIT_OBJ_TYPE: 3377 rc = -EINVAL; |
3419 typedatum = hashtab_search(policydb->p_types.table, rulestr); | 3378 typedatum = symtab_search(&policydb->p_types, rulestr); |
3420 if (!typedatum) 3421 goto out; 3422 tmprule->au_ctxt.type = typedatum->value; 3423 break; 3424 case AUDIT_SUBJ_SEN: 3425 case AUDIT_SUBJ_CLR: 3426 case AUDIT_OBJ_LEV_LOW: 3427 case AUDIT_OBJ_LEV_HIGH: --- 256 unchanged lines hidden (view full) --- 3684 rc = mls_import_netlbl_cat(policydb, &ctx_new, secattr); 3685 if (rc) 3686 goto out; 3687 } 3688 rc = -EIDRM; 3689 if (!mls_context_isvalid(policydb, &ctx_new)) 3690 goto out_free; 3691 | 3379 if (!typedatum) 3380 goto out; 3381 tmprule->au_ctxt.type = typedatum->value; 3382 break; 3383 case AUDIT_SUBJ_SEN: 3384 case AUDIT_SUBJ_CLR: 3385 case AUDIT_OBJ_LEV_LOW: 3386 case AUDIT_OBJ_LEV_HIGH: --- 256 unchanged lines hidden (view full) --- 3643 rc = mls_import_netlbl_cat(policydb, &ctx_new, secattr); 3644 if (rc) 3645 goto out; 3646 } 3647 rc = -EIDRM; 3648 if (!mls_context_isvalid(policydb, &ctx_new)) 3649 goto out_free; 3650 |
3692 rc = context_struct_to_sid(state, &ctx_new, sid); | 3651 rc = sidtab_context_to_sid(sidtab, &ctx_new, sid); |
3693 if (rc) 3694 goto out_free; 3695 3696 security_netlbl_cache_add(secattr, *sid); 3697 3698 ebitmap_destroy(&ctx_new.range.level[0].cat); 3699 } else 3700 *sid = SECSID_NULL; --- 89 unchanged lines hidden --- | 3652 if (rc) 3653 goto out_free; 3654 3655 security_netlbl_cache_add(secattr, *sid); 3656 3657 ebitmap_destroy(&ctx_new.range.level[0].cat); 3658 } else 3659 *sid = SECSID_NULL; --- 89 unchanged lines hidden --- |