xref: /linux/security/selinux/ss/policydb.c (revision a44e4f3ab16bc808590763a543a93b6fbf3abcc4)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Implementation of the policy database.
4  *
5  * Author : Stephen Smalley, <sds@tycho.nsa.gov>
6  */
7 
8 /*
9  * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
10  *
11  *	Support for enhanced MLS infrastructure.
12  *
13  * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
14  *
15  *	Added conditional policy language extensions
16  *
17  * Updated: Hewlett-Packard <paul@paul-moore.com>
18  *
19  *      Added support for the policy capability bitmap
20  *
21  * Update: Mellanox Techonologies
22  *
23  *	Added Infiniband support
24  *
25  * Copyright (C) 2016 Mellanox Techonologies
26  * Copyright (C) 2007 Hewlett-Packard Development Company, L.P.
27  * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
28  * Copyright (C) 2003 - 2004 Tresys Technology, LLC
29  */
30 
31 #include <linux/kernel.h>
32 #include <linux/sched.h>
33 #include <linux/slab.h>
34 #include <linux/string.h>
35 #include <linux/errno.h>
36 #include <linux/audit.h>
37 #include "security.h"
38 
39 #include "policydb.h"
40 #include "conditional.h"
41 #include "mls.h"
42 #include "services.h"
43 
44 #define _DEBUG_HASHES
45 
46 #ifdef DEBUG_HASHES
47 static const char *symtab_name[SYM_NUM] = {
48 	"common prefixes",
49 	"classes",
50 	"roles",
51 	"types",
52 	"users",
53 	"bools",
54 	"levels",
55 	"categories",
56 };
57 #endif
58 
59 static unsigned int symtab_sizes[SYM_NUM] = {
60 	2,
61 	32,
62 	16,
63 	512,
64 	128,
65 	16,
66 	16,
67 	16,
68 };
69 
70 struct policydb_compat_info {
71 	int version;
72 	int sym_num;
73 	int ocon_num;
74 };
75 
76 /* These need to be updated if SYM_NUM or OCON_NUM changes */
77 static struct policydb_compat_info policydb_compat[] = {
78 	{
79 		.version	= POLICYDB_VERSION_BASE,
80 		.sym_num	= SYM_NUM - 3,
81 		.ocon_num	= OCON_NUM - 3,
82 	},
83 	{
84 		.version	= POLICYDB_VERSION_BOOL,
85 		.sym_num	= SYM_NUM - 2,
86 		.ocon_num	= OCON_NUM - 3,
87 	},
88 	{
89 		.version	= POLICYDB_VERSION_IPV6,
90 		.sym_num	= SYM_NUM - 2,
91 		.ocon_num	= OCON_NUM - 2,
92 	},
93 	{
94 		.version	= POLICYDB_VERSION_NLCLASS,
95 		.sym_num	= SYM_NUM - 2,
96 		.ocon_num	= OCON_NUM - 2,
97 	},
98 	{
99 		.version	= POLICYDB_VERSION_MLS,
100 		.sym_num	= SYM_NUM,
101 		.ocon_num	= OCON_NUM - 2,
102 	},
103 	{
104 		.version	= POLICYDB_VERSION_AVTAB,
105 		.sym_num	= SYM_NUM,
106 		.ocon_num	= OCON_NUM - 2,
107 	},
108 	{
109 		.version	= POLICYDB_VERSION_RANGETRANS,
110 		.sym_num	= SYM_NUM,
111 		.ocon_num	= OCON_NUM - 2,
112 	},
113 	{
114 		.version	= POLICYDB_VERSION_POLCAP,
115 		.sym_num	= SYM_NUM,
116 		.ocon_num	= OCON_NUM - 2,
117 	},
118 	{
119 		.version	= POLICYDB_VERSION_PERMISSIVE,
120 		.sym_num	= SYM_NUM,
121 		.ocon_num	= OCON_NUM - 2,
122 	},
123 	{
124 		.version	= POLICYDB_VERSION_BOUNDARY,
125 		.sym_num	= SYM_NUM,
126 		.ocon_num	= OCON_NUM - 2,
127 	},
128 	{
129 		.version	= POLICYDB_VERSION_FILENAME_TRANS,
130 		.sym_num	= SYM_NUM,
131 		.ocon_num	= OCON_NUM - 2,
132 	},
133 	{
134 		.version	= POLICYDB_VERSION_ROLETRANS,
135 		.sym_num	= SYM_NUM,
136 		.ocon_num	= OCON_NUM - 2,
137 	},
138 	{
139 		.version	= POLICYDB_VERSION_NEW_OBJECT_DEFAULTS,
140 		.sym_num	= SYM_NUM,
141 		.ocon_num	= OCON_NUM - 2,
142 	},
143 	{
144 		.version	= POLICYDB_VERSION_DEFAULT_TYPE,
145 		.sym_num	= SYM_NUM,
146 		.ocon_num	= OCON_NUM - 2,
147 	},
148 	{
149 		.version	= POLICYDB_VERSION_CONSTRAINT_NAMES,
150 		.sym_num	= SYM_NUM,
151 		.ocon_num	= OCON_NUM - 2,
152 	},
153 	{
154 		.version	= POLICYDB_VERSION_XPERMS_IOCTL,
155 		.sym_num	= SYM_NUM,
156 		.ocon_num	= OCON_NUM - 2,
157 	},
158 	{
159 		.version	= POLICYDB_VERSION_INFINIBAND,
160 		.sym_num	= SYM_NUM,
161 		.ocon_num	= OCON_NUM,
162 	},
163 };
164 
165 static struct policydb_compat_info *policydb_lookup_compat(int version)
166 {
167 	int i;
168 	struct policydb_compat_info *info = NULL;
169 
170 	for (i = 0; i < ARRAY_SIZE(policydb_compat); i++) {
171 		if (policydb_compat[i].version == version) {
172 			info = &policydb_compat[i];
173 			break;
174 		}
175 	}
176 	return info;
177 }
178 
179 /*
180  * The following *_destroy functions are used to
181  * free any memory allocated for each kind of
182  * symbol data in the policy database.
183  */
184 
185 static int perm_destroy(void *key, void *datum, void *p)
186 {
187 	kfree(key);
188 	kfree(datum);
189 	return 0;
190 }
191 
192 static int common_destroy(void *key, void *datum, void *p)
193 {
194 	struct common_datum *comdatum;
195 
196 	kfree(key);
197 	if (datum) {
198 		comdatum = datum;
199 		hashtab_map(comdatum->permissions.table, perm_destroy, NULL);
200 		hashtab_destroy(comdatum->permissions.table);
201 	}
202 	kfree(datum);
203 	return 0;
204 }
205 
206 static void constraint_expr_destroy(struct constraint_expr *expr)
207 {
208 	if (expr) {
209 		ebitmap_destroy(&expr->names);
210 		if (expr->type_names) {
211 			ebitmap_destroy(&expr->type_names->types);
212 			ebitmap_destroy(&expr->type_names->negset);
213 			kfree(expr->type_names);
214 		}
215 		kfree(expr);
216 	}
217 }
218 
219 static int cls_destroy(void *key, void *datum, void *p)
220 {
221 	struct class_datum *cladatum;
222 	struct constraint_node *constraint, *ctemp;
223 	struct constraint_expr *e, *etmp;
224 
225 	kfree(key);
226 	if (datum) {
227 		cladatum = datum;
228 		hashtab_map(cladatum->permissions.table, perm_destroy, NULL);
229 		hashtab_destroy(cladatum->permissions.table);
230 		constraint = cladatum->constraints;
231 		while (constraint) {
232 			e = constraint->expr;
233 			while (e) {
234 				etmp = e;
235 				e = e->next;
236 				constraint_expr_destroy(etmp);
237 			}
238 			ctemp = constraint;
239 			constraint = constraint->next;
240 			kfree(ctemp);
241 		}
242 
243 		constraint = cladatum->validatetrans;
244 		while (constraint) {
245 			e = constraint->expr;
246 			while (e) {
247 				etmp = e;
248 				e = e->next;
249 				constraint_expr_destroy(etmp);
250 			}
251 			ctemp = constraint;
252 			constraint = constraint->next;
253 			kfree(ctemp);
254 		}
255 		kfree(cladatum->comkey);
256 	}
257 	kfree(datum);
258 	return 0;
259 }
260 
261 static int role_destroy(void *key, void *datum, void *p)
262 {
263 	struct role_datum *role;
264 
265 	kfree(key);
266 	if (datum) {
267 		role = datum;
268 		ebitmap_destroy(&role->dominates);
269 		ebitmap_destroy(&role->types);
270 	}
271 	kfree(datum);
272 	return 0;
273 }
274 
275 static int type_destroy(void *key, void *datum, void *p)
276 {
277 	kfree(key);
278 	kfree(datum);
279 	return 0;
280 }
281 
282 static int user_destroy(void *key, void *datum, void *p)
283 {
284 	struct user_datum *usrdatum;
285 
286 	kfree(key);
287 	if (datum) {
288 		usrdatum = datum;
289 		ebitmap_destroy(&usrdatum->roles);
290 		ebitmap_destroy(&usrdatum->range.level[0].cat);
291 		ebitmap_destroy(&usrdatum->range.level[1].cat);
292 		ebitmap_destroy(&usrdatum->dfltlevel.cat);
293 	}
294 	kfree(datum);
295 	return 0;
296 }
297 
298 static int sens_destroy(void *key, void *datum, void *p)
299 {
300 	struct level_datum *levdatum;
301 
302 	kfree(key);
303 	if (datum) {
304 		levdatum = datum;
305 		if (levdatum->level)
306 			ebitmap_destroy(&levdatum->level->cat);
307 		kfree(levdatum->level);
308 	}
309 	kfree(datum);
310 	return 0;
311 }
312 
313 static int cat_destroy(void *key, void *datum, void *p)
314 {
315 	kfree(key);
316 	kfree(datum);
317 	return 0;
318 }
319 
320 static int (*destroy_f[SYM_NUM]) (void *key, void *datum, void *datap) =
321 {
322 	common_destroy,
323 	cls_destroy,
324 	role_destroy,
325 	type_destroy,
326 	user_destroy,
327 	cond_destroy_bool,
328 	sens_destroy,
329 	cat_destroy,
330 };
331 
332 static int filenametr_destroy(void *key, void *datum, void *p)
333 {
334 	struct filename_trans *ft = key;
335 
336 	kfree(ft->name);
337 	kfree(key);
338 	kfree(datum);
339 	cond_resched();
340 	return 0;
341 }
342 
343 static int range_tr_destroy(void *key, void *datum, void *p)
344 {
345 	struct mls_range *rt = datum;
346 
347 	kfree(key);
348 	ebitmap_destroy(&rt->level[0].cat);
349 	ebitmap_destroy(&rt->level[1].cat);
350 	kfree(datum);
351 	cond_resched();
352 	return 0;
353 }
354 
355 static void ocontext_destroy(struct ocontext *c, int i)
356 {
357 	if (!c)
358 		return;
359 
360 	context_destroy(&c->context[0]);
361 	context_destroy(&c->context[1]);
362 	if (i == OCON_ISID || i == OCON_FS ||
363 	    i == OCON_NETIF || i == OCON_FSUSE)
364 		kfree(c->u.name);
365 	kfree(c);
366 }
367 
368 /*
369  * Initialize the role table.
370  */
371 static int roles_init(struct policydb *p)
372 {
373 	char *key = NULL;
374 	int rc;
375 	struct role_datum *role;
376 
377 	role = kzalloc(sizeof(*role), GFP_KERNEL);
378 	if (!role)
379 		return -ENOMEM;
380 
381 	rc = -EINVAL;
382 	role->value = ++p->p_roles.nprim;
383 	if (role->value != OBJECT_R_VAL)
384 		goto out;
385 
386 	rc = -ENOMEM;
387 	key = kstrdup(OBJECT_R, GFP_KERNEL);
388 	if (!key)
389 		goto out;
390 
391 	rc = hashtab_insert(p->p_roles.table, key, role);
392 	if (rc)
393 		goto out;
394 
395 	return 0;
396 out:
397 	kfree(key);
398 	kfree(role);
399 	return rc;
400 }
401 
402 static u32 filenametr_hash(struct hashtab *h, const void *k)
403 {
404 	const struct filename_trans *ft = k;
405 	unsigned long hash;
406 	unsigned int byte_num;
407 	unsigned char focus;
408 
409 	hash = ft->stype ^ ft->ttype ^ ft->tclass;
410 
411 	byte_num = 0;
412 	while ((focus = ft->name[byte_num++]))
413 		hash = partial_name_hash(focus, hash);
414 	return hash & (h->size - 1);
415 }
416 
417 static int filenametr_cmp(struct hashtab *h, const void *k1, const void *k2)
418 {
419 	const struct filename_trans *ft1 = k1;
420 	const struct filename_trans *ft2 = k2;
421 	int v;
422 
423 	v = ft1->stype - ft2->stype;
424 	if (v)
425 		return v;
426 
427 	v = ft1->ttype - ft2->ttype;
428 	if (v)
429 		return v;
430 
431 	v = ft1->tclass - ft2->tclass;
432 	if (v)
433 		return v;
434 
435 	return strcmp(ft1->name, ft2->name);
436 
437 }
438 
439 static u32 rangetr_hash(struct hashtab *h, const void *k)
440 {
441 	const struct range_trans *key = k;
442 
443 	return (key->source_type + (key->target_type << 3) +
444 		(key->target_class << 5)) & (h->size - 1);
445 }
446 
447 static int rangetr_cmp(struct hashtab *h, const void *k1, const void *k2)
448 {
449 	const struct range_trans *key1 = k1, *key2 = k2;
450 	int v;
451 
452 	v = key1->source_type - key2->source_type;
453 	if (v)
454 		return v;
455 
456 	v = key1->target_type - key2->target_type;
457 	if (v)
458 		return v;
459 
460 	v = key1->target_class - key2->target_class;
461 
462 	return v;
463 }
464 
465 /*
466  * Initialize a policy database structure.
467  */
468 static int policydb_init(struct policydb *p)
469 {
470 	int i, rc;
471 
472 	memset(p, 0, sizeof(*p));
473 
474 	for (i = 0; i < SYM_NUM; i++) {
475 		rc = symtab_init(&p->symtab[i], symtab_sizes[i]);
476 		if (rc)
477 			goto out;
478 	}
479 
480 	rc = avtab_init(&p->te_avtab);
481 	if (rc)
482 		goto out;
483 
484 	rc = roles_init(p);
485 	if (rc)
486 		goto out;
487 
488 	rc = cond_policydb_init(p);
489 	if (rc)
490 		goto out;
491 
492 	p->filename_trans = hashtab_create(filenametr_hash, filenametr_cmp,
493 					   (1 << 10));
494 	if (!p->filename_trans) {
495 		rc = -ENOMEM;
496 		goto out;
497 	}
498 
499 	p->range_tr = hashtab_create(rangetr_hash, rangetr_cmp, 256);
500 	if (!p->range_tr) {
501 		rc = -ENOMEM;
502 		goto out;
503 	}
504 
505 	ebitmap_init(&p->filename_trans_ttypes);
506 	ebitmap_init(&p->policycaps);
507 	ebitmap_init(&p->permissive_map);
508 
509 	return 0;
510 out:
511 	hashtab_destroy(p->filename_trans);
512 	hashtab_destroy(p->range_tr);
513 	for (i = 0; i < SYM_NUM; i++) {
514 		hashtab_map(p->symtab[i].table, destroy_f[i], NULL);
515 		hashtab_destroy(p->symtab[i].table);
516 	}
517 	return rc;
518 }
519 
520 /*
521  * The following *_index functions are used to
522  * define the val_to_name and val_to_struct arrays
523  * in a policy database structure.  The val_to_name
524  * arrays are used when converting security context
525  * structures into string representations.  The
526  * val_to_struct arrays are used when the attributes
527  * of a class, role, or user are needed.
528  */
529 
530 static int common_index(void *key, void *datum, void *datap)
531 {
532 	struct policydb *p;
533 	struct common_datum *comdatum;
534 
535 	comdatum = datum;
536 	p = datap;
537 	if (!comdatum->value || comdatum->value > p->p_commons.nprim)
538 		return -EINVAL;
539 
540 	p->sym_val_to_name[SYM_COMMONS][comdatum->value - 1] = key;
541 
542 	return 0;
543 }
544 
545 static int class_index(void *key, void *datum, void *datap)
546 {
547 	struct policydb *p;
548 	struct class_datum *cladatum;
549 
550 	cladatum = datum;
551 	p = datap;
552 	if (!cladatum->value || cladatum->value > p->p_classes.nprim)
553 		return -EINVAL;
554 
555 	p->sym_val_to_name[SYM_CLASSES][cladatum->value - 1] = key;
556 	p->class_val_to_struct[cladatum->value - 1] = cladatum;
557 	return 0;
558 }
559 
560 static int role_index(void *key, void *datum, void *datap)
561 {
562 	struct policydb *p;
563 	struct role_datum *role;
564 
565 	role = datum;
566 	p = datap;
567 	if (!role->value
568 	    || role->value > p->p_roles.nprim
569 	    || role->bounds > p->p_roles.nprim)
570 		return -EINVAL;
571 
572 	p->sym_val_to_name[SYM_ROLES][role->value - 1] = key;
573 	p->role_val_to_struct[role->value - 1] = role;
574 	return 0;
575 }
576 
577 static int type_index(void *key, void *datum, void *datap)
578 {
579 	struct policydb *p;
580 	struct type_datum *typdatum;
581 
582 	typdatum = datum;
583 	p = datap;
584 
585 	if (typdatum->primary) {
586 		if (!typdatum->value
587 		    || typdatum->value > p->p_types.nprim
588 		    || typdatum->bounds > p->p_types.nprim)
589 			return -EINVAL;
590 		p->sym_val_to_name[SYM_TYPES][typdatum->value - 1] = key;
591 		p->type_val_to_struct[typdatum->value - 1] = typdatum;
592 	}
593 
594 	return 0;
595 }
596 
597 static int user_index(void *key, void *datum, void *datap)
598 {
599 	struct policydb *p;
600 	struct user_datum *usrdatum;
601 
602 	usrdatum = datum;
603 	p = datap;
604 	if (!usrdatum->value
605 	    || usrdatum->value > p->p_users.nprim
606 	    || usrdatum->bounds > p->p_users.nprim)
607 		return -EINVAL;
608 
609 	p->sym_val_to_name[SYM_USERS][usrdatum->value - 1] = key;
610 	p->user_val_to_struct[usrdatum->value - 1] = usrdatum;
611 	return 0;
612 }
613 
614 static int sens_index(void *key, void *datum, void *datap)
615 {
616 	struct policydb *p;
617 	struct level_datum *levdatum;
618 
619 	levdatum = datum;
620 	p = datap;
621 
622 	if (!levdatum->isalias) {
623 		if (!levdatum->level->sens ||
624 		    levdatum->level->sens > p->p_levels.nprim)
625 			return -EINVAL;
626 
627 		p->sym_val_to_name[SYM_LEVELS][levdatum->level->sens - 1] = key;
628 	}
629 
630 	return 0;
631 }
632 
633 static int cat_index(void *key, void *datum, void *datap)
634 {
635 	struct policydb *p;
636 	struct cat_datum *catdatum;
637 
638 	catdatum = datum;
639 	p = datap;
640 
641 	if (!catdatum->isalias) {
642 		if (!catdatum->value || catdatum->value > p->p_cats.nprim)
643 			return -EINVAL;
644 
645 		p->sym_val_to_name[SYM_CATS][catdatum->value - 1] = key;
646 	}
647 
648 	return 0;
649 }
650 
651 static int (*index_f[SYM_NUM]) (void *key, void *datum, void *datap) =
652 {
653 	common_index,
654 	class_index,
655 	role_index,
656 	type_index,
657 	user_index,
658 	cond_index_bool,
659 	sens_index,
660 	cat_index,
661 };
662 
663 #ifdef DEBUG_HASHES
664 static void hash_eval(struct hashtab *h, const char *hash_name)
665 {
666 	struct hashtab_info info;
667 
668 	hashtab_stat(h, &info);
669 	pr_debug("SELinux: %s:  %d entries and %d/%d buckets used, longest chain length %d\n",
670 		 hash_name, h->nel, info.slots_used, h->size,
671 		 info.max_chain_len);
672 }
673 
674 static void symtab_hash_eval(struct symtab *s)
675 {
676 	int i;
677 
678 	for (i = 0; i < SYM_NUM; i++)
679 		hash_eval(s[i].table, symtab_name[i]);
680 }
681 
682 #else
683 static inline void hash_eval(struct hashtab *h, char *hash_name)
684 {
685 }
686 #endif
687 
688 /*
689  * Define the other val_to_name and val_to_struct arrays
690  * in a policy database structure.
691  *
692  * Caller must clean up on failure.
693  */
694 static int policydb_index(struct policydb *p)
695 {
696 	int i, rc;
697 
698 	if (p->mls_enabled)
699 		pr_debug("SELinux:  %d users, %d roles, %d types, %d bools, %d sens, %d cats\n",
700 			 p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim,
701 			 p->p_bools.nprim, p->p_levels.nprim, p->p_cats.nprim);
702 	else
703 		pr_debug("SELinux:  %d users, %d roles, %d types, %d bools\n",
704 			 p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim,
705 			 p->p_bools.nprim);
706 
707 	pr_debug("SELinux:  %d classes, %d rules\n",
708 		 p->p_classes.nprim, p->te_avtab.nel);
709 
710 #ifdef DEBUG_HASHES
711 	avtab_hash_eval(&p->te_avtab, "rules");
712 	symtab_hash_eval(p->symtab);
713 #endif
714 
715 	p->class_val_to_struct = kcalloc(p->p_classes.nprim,
716 					 sizeof(*p->class_val_to_struct),
717 					 GFP_KERNEL);
718 	if (!p->class_val_to_struct)
719 		return -ENOMEM;
720 
721 	p->role_val_to_struct = kcalloc(p->p_roles.nprim,
722 					sizeof(*p->role_val_to_struct),
723 					GFP_KERNEL);
724 	if (!p->role_val_to_struct)
725 		return -ENOMEM;
726 
727 	p->user_val_to_struct = kcalloc(p->p_users.nprim,
728 					sizeof(*p->user_val_to_struct),
729 					GFP_KERNEL);
730 	if (!p->user_val_to_struct)
731 		return -ENOMEM;
732 
733 	p->type_val_to_struct = kvcalloc(p->p_types.nprim,
734 					 sizeof(*p->type_val_to_struct),
735 					 GFP_KERNEL);
736 	if (!p->type_val_to_struct)
737 		return -ENOMEM;
738 
739 	rc = cond_init_bool_indexes(p);
740 	if (rc)
741 		goto out;
742 
743 	for (i = 0; i < SYM_NUM; i++) {
744 		p->sym_val_to_name[i] = kvcalloc(p->symtab[i].nprim,
745 						 sizeof(char *),
746 						 GFP_KERNEL);
747 		if (!p->sym_val_to_name[i])
748 			return -ENOMEM;
749 
750 		rc = hashtab_map(p->symtab[i].table, index_f[i], p);
751 		if (rc)
752 			goto out;
753 	}
754 	rc = 0;
755 out:
756 	return rc;
757 }
758 
759 /*
760  * Free any memory allocated by a policy database structure.
761  */
762 void policydb_destroy(struct policydb *p)
763 {
764 	struct ocontext *c, *ctmp;
765 	struct genfs *g, *gtmp;
766 	int i;
767 	struct role_allow *ra, *lra = NULL;
768 	struct role_trans *tr, *ltr = NULL;
769 
770 	for (i = 0; i < SYM_NUM; i++) {
771 		cond_resched();
772 		hashtab_map(p->symtab[i].table, destroy_f[i], NULL);
773 		hashtab_destroy(p->symtab[i].table);
774 	}
775 
776 	for (i = 0; i < SYM_NUM; i++)
777 		kvfree(p->sym_val_to_name[i]);
778 
779 	kfree(p->class_val_to_struct);
780 	kfree(p->role_val_to_struct);
781 	kfree(p->user_val_to_struct);
782 	kvfree(p->type_val_to_struct);
783 
784 	avtab_destroy(&p->te_avtab);
785 
786 	for (i = 0; i < OCON_NUM; i++) {
787 		cond_resched();
788 		c = p->ocontexts[i];
789 		while (c) {
790 			ctmp = c;
791 			c = c->next;
792 			ocontext_destroy(ctmp, i);
793 		}
794 		p->ocontexts[i] = NULL;
795 	}
796 
797 	g = p->genfs;
798 	while (g) {
799 		cond_resched();
800 		kfree(g->fstype);
801 		c = g->head;
802 		while (c) {
803 			ctmp = c;
804 			c = c->next;
805 			ocontext_destroy(ctmp, OCON_FSUSE);
806 		}
807 		gtmp = g;
808 		g = g->next;
809 		kfree(gtmp);
810 	}
811 	p->genfs = NULL;
812 
813 	cond_policydb_destroy(p);
814 
815 	for (tr = p->role_tr; tr; tr = tr->next) {
816 		cond_resched();
817 		kfree(ltr);
818 		ltr = tr;
819 	}
820 	kfree(ltr);
821 
822 	for (ra = p->role_allow; ra; ra = ra->next) {
823 		cond_resched();
824 		kfree(lra);
825 		lra = ra;
826 	}
827 	kfree(lra);
828 
829 	hashtab_map(p->filename_trans, filenametr_destroy, NULL);
830 	hashtab_destroy(p->filename_trans);
831 
832 	hashtab_map(p->range_tr, range_tr_destroy, NULL);
833 	hashtab_destroy(p->range_tr);
834 
835 	if (p->type_attr_map_array) {
836 		for (i = 0; i < p->p_types.nprim; i++)
837 			ebitmap_destroy(&p->type_attr_map_array[i]);
838 		kvfree(p->type_attr_map_array);
839 	}
840 
841 	ebitmap_destroy(&p->filename_trans_ttypes);
842 	ebitmap_destroy(&p->policycaps);
843 	ebitmap_destroy(&p->permissive_map);
844 }
845 
846 /*
847  * Load the initial SIDs specified in a policy database
848  * structure into a SID table.
849  */
850 int policydb_load_isids(struct policydb *p, struct sidtab *s)
851 {
852 	struct ocontext *head, *c;
853 	int rc;
854 
855 	rc = sidtab_init(s);
856 	if (rc) {
857 		pr_err("SELinux:  out of memory on SID table init\n");
858 		goto out;
859 	}
860 
861 	head = p->ocontexts[OCON_ISID];
862 	for (c = head; c; c = c->next) {
863 		rc = -EINVAL;
864 		if (!c->context[0].user) {
865 			pr_err("SELinux:  SID %s was never defined.\n",
866 				c->u.name);
867 			sidtab_destroy(s);
868 			goto out;
869 		}
870 		if (c->sid[0] == SECSID_NULL || c->sid[0] > SECINITSID_NUM) {
871 			pr_err("SELinux:  Initial SID %s out of range.\n",
872 				c->u.name);
873 			sidtab_destroy(s);
874 			goto out;
875 		}
876 
877 		rc = sidtab_set_initial(s, c->sid[0], &c->context[0]);
878 		if (rc) {
879 			pr_err("SELinux:  unable to load initial SID %s.\n",
880 				c->u.name);
881 			sidtab_destroy(s);
882 			goto out;
883 		}
884 	}
885 	rc = 0;
886 out:
887 	return rc;
888 }
889 
890 int policydb_class_isvalid(struct policydb *p, unsigned int class)
891 {
892 	if (!class || class > p->p_classes.nprim)
893 		return 0;
894 	return 1;
895 }
896 
897 int policydb_role_isvalid(struct policydb *p, unsigned int role)
898 {
899 	if (!role || role > p->p_roles.nprim)
900 		return 0;
901 	return 1;
902 }
903 
904 int policydb_type_isvalid(struct policydb *p, unsigned int type)
905 {
906 	if (!type || type > p->p_types.nprim)
907 		return 0;
908 	return 1;
909 }
910 
911 /*
912  * Return 1 if the fields in the security context
913  * structure `c' are valid.  Return 0 otherwise.
914  */
915 int policydb_context_isvalid(struct policydb *p, struct context *c)
916 {
917 	struct role_datum *role;
918 	struct user_datum *usrdatum;
919 
920 	if (!c->role || c->role > p->p_roles.nprim)
921 		return 0;
922 
923 	if (!c->user || c->user > p->p_users.nprim)
924 		return 0;
925 
926 	if (!c->type || c->type > p->p_types.nprim)
927 		return 0;
928 
929 	if (c->role != OBJECT_R_VAL) {
930 		/*
931 		 * Role must be authorized for the type.
932 		 */
933 		role = p->role_val_to_struct[c->role - 1];
934 		if (!role || !ebitmap_get_bit(&role->types, c->type - 1))
935 			/* role may not be associated with type */
936 			return 0;
937 
938 		/*
939 		 * User must be authorized for the role.
940 		 */
941 		usrdatum = p->user_val_to_struct[c->user - 1];
942 		if (!usrdatum)
943 			return 0;
944 
945 		if (!ebitmap_get_bit(&usrdatum->roles, c->role - 1))
946 			/* user may not be associated with role */
947 			return 0;
948 	}
949 
950 	if (!mls_context_isvalid(p, c))
951 		return 0;
952 
953 	return 1;
954 }
955 
956 /*
957  * Read a MLS range structure from a policydb binary
958  * representation file.
959  */
960 static int mls_read_range_helper(struct mls_range *r, void *fp)
961 {
962 	__le32 buf[2];
963 	u32 items;
964 	int rc;
965 
966 	rc = next_entry(buf, fp, sizeof(u32));
967 	if (rc)
968 		goto out;
969 
970 	rc = -EINVAL;
971 	items = le32_to_cpu(buf[0]);
972 	if (items > ARRAY_SIZE(buf)) {
973 		pr_err("SELinux: mls:  range overflow\n");
974 		goto out;
975 	}
976 
977 	rc = next_entry(buf, fp, sizeof(u32) * items);
978 	if (rc) {
979 		pr_err("SELinux: mls:  truncated range\n");
980 		goto out;
981 	}
982 
983 	r->level[0].sens = le32_to_cpu(buf[0]);
984 	if (items > 1)
985 		r->level[1].sens = le32_to_cpu(buf[1]);
986 	else
987 		r->level[1].sens = r->level[0].sens;
988 
989 	rc = ebitmap_read(&r->level[0].cat, fp);
990 	if (rc) {
991 		pr_err("SELinux: mls:  error reading low categories\n");
992 		goto out;
993 	}
994 	if (items > 1) {
995 		rc = ebitmap_read(&r->level[1].cat, fp);
996 		if (rc) {
997 			pr_err("SELinux: mls:  error reading high categories\n");
998 			goto bad_high;
999 		}
1000 	} else {
1001 		rc = ebitmap_cpy(&r->level[1].cat, &r->level[0].cat);
1002 		if (rc) {
1003 			pr_err("SELinux: mls:  out of memory\n");
1004 			goto bad_high;
1005 		}
1006 	}
1007 
1008 	return 0;
1009 bad_high:
1010 	ebitmap_destroy(&r->level[0].cat);
1011 out:
1012 	return rc;
1013 }
1014 
1015 /*
1016  * Read and validate a security context structure
1017  * from a policydb binary representation file.
1018  */
1019 static int context_read_and_validate(struct context *c,
1020 				     struct policydb *p,
1021 				     void *fp)
1022 {
1023 	__le32 buf[3];
1024 	int rc;
1025 
1026 	rc = next_entry(buf, fp, sizeof buf);
1027 	if (rc) {
1028 		pr_err("SELinux: context truncated\n");
1029 		goto out;
1030 	}
1031 	c->user = le32_to_cpu(buf[0]);
1032 	c->role = le32_to_cpu(buf[1]);
1033 	c->type = le32_to_cpu(buf[2]);
1034 	if (p->policyvers >= POLICYDB_VERSION_MLS) {
1035 		rc = mls_read_range_helper(&c->range, fp);
1036 		if (rc) {
1037 			pr_err("SELinux: error reading MLS range of context\n");
1038 			goto out;
1039 		}
1040 	}
1041 
1042 	rc = -EINVAL;
1043 	if (!policydb_context_isvalid(p, c)) {
1044 		pr_err("SELinux:  invalid security context\n");
1045 		context_destroy(c);
1046 		goto out;
1047 	}
1048 	rc = 0;
1049 out:
1050 	return rc;
1051 }
1052 
1053 /*
1054  * The following *_read functions are used to
1055  * read the symbol data from a policy database
1056  * binary representation file.
1057  */
1058 
1059 static int str_read(char **strp, gfp_t flags, void *fp, u32 len)
1060 {
1061 	int rc;
1062 	char *str;
1063 
1064 	if ((len == 0) || (len == (u32)-1))
1065 		return -EINVAL;
1066 
1067 	str = kmalloc(len + 1, flags | __GFP_NOWARN);
1068 	if (!str)
1069 		return -ENOMEM;
1070 
1071 	/* it's expected the caller should free the str */
1072 	*strp = str;
1073 
1074 	rc = next_entry(str, fp, len);
1075 	if (rc)
1076 		return rc;
1077 
1078 	str[len] = '\0';
1079 	return 0;
1080 }
1081 
1082 static int perm_read(struct policydb *p, struct hashtab *h, void *fp)
1083 {
1084 	char *key = NULL;
1085 	struct perm_datum *perdatum;
1086 	int rc;
1087 	__le32 buf[2];
1088 	u32 len;
1089 
1090 	perdatum = kzalloc(sizeof(*perdatum), GFP_KERNEL);
1091 	if (!perdatum)
1092 		return -ENOMEM;
1093 
1094 	rc = next_entry(buf, fp, sizeof buf);
1095 	if (rc)
1096 		goto bad;
1097 
1098 	len = le32_to_cpu(buf[0]);
1099 	perdatum->value = le32_to_cpu(buf[1]);
1100 
1101 	rc = str_read(&key, GFP_KERNEL, fp, len);
1102 	if (rc)
1103 		goto bad;
1104 
1105 	rc = hashtab_insert(h, key, perdatum);
1106 	if (rc)
1107 		goto bad;
1108 
1109 	return 0;
1110 bad:
1111 	perm_destroy(key, perdatum, NULL);
1112 	return rc;
1113 }
1114 
1115 static int common_read(struct policydb *p, struct hashtab *h, void *fp)
1116 {
1117 	char *key = NULL;
1118 	struct common_datum *comdatum;
1119 	__le32 buf[4];
1120 	u32 len, nel;
1121 	int i, rc;
1122 
1123 	comdatum = kzalloc(sizeof(*comdatum), GFP_KERNEL);
1124 	if (!comdatum)
1125 		return -ENOMEM;
1126 
1127 	rc = next_entry(buf, fp, sizeof buf);
1128 	if (rc)
1129 		goto bad;
1130 
1131 	len = le32_to_cpu(buf[0]);
1132 	comdatum->value = le32_to_cpu(buf[1]);
1133 
1134 	rc = symtab_init(&comdatum->permissions, PERM_SYMTAB_SIZE);
1135 	if (rc)
1136 		goto bad;
1137 	comdatum->permissions.nprim = le32_to_cpu(buf[2]);
1138 	nel = le32_to_cpu(buf[3]);
1139 
1140 	rc = str_read(&key, GFP_KERNEL, fp, len);
1141 	if (rc)
1142 		goto bad;
1143 
1144 	for (i = 0; i < nel; i++) {
1145 		rc = perm_read(p, comdatum->permissions.table, fp);
1146 		if (rc)
1147 			goto bad;
1148 	}
1149 
1150 	rc = hashtab_insert(h, key, comdatum);
1151 	if (rc)
1152 		goto bad;
1153 	return 0;
1154 bad:
1155 	common_destroy(key, comdatum, NULL);
1156 	return rc;
1157 }
1158 
1159 static void type_set_init(struct type_set *t)
1160 {
1161 	ebitmap_init(&t->types);
1162 	ebitmap_init(&t->negset);
1163 }
1164 
1165 static int type_set_read(struct type_set *t, void *fp)
1166 {
1167 	__le32 buf[1];
1168 	int rc;
1169 
1170 	if (ebitmap_read(&t->types, fp))
1171 		return -EINVAL;
1172 	if (ebitmap_read(&t->negset, fp))
1173 		return -EINVAL;
1174 
1175 	rc = next_entry(buf, fp, sizeof(u32));
1176 	if (rc < 0)
1177 		return -EINVAL;
1178 	t->flags = le32_to_cpu(buf[0]);
1179 
1180 	return 0;
1181 }
1182 
1183 
1184 static int read_cons_helper(struct policydb *p,
1185 				struct constraint_node **nodep,
1186 				int ncons, int allowxtarget, void *fp)
1187 {
1188 	struct constraint_node *c, *lc;
1189 	struct constraint_expr *e, *le;
1190 	__le32 buf[3];
1191 	u32 nexpr;
1192 	int rc, i, j, depth;
1193 
1194 	lc = NULL;
1195 	for (i = 0; i < ncons; i++) {
1196 		c = kzalloc(sizeof(*c), GFP_KERNEL);
1197 		if (!c)
1198 			return -ENOMEM;
1199 
1200 		if (lc)
1201 			lc->next = c;
1202 		else
1203 			*nodep = c;
1204 
1205 		rc = next_entry(buf, fp, (sizeof(u32) * 2));
1206 		if (rc)
1207 			return rc;
1208 		c->permissions = le32_to_cpu(buf[0]);
1209 		nexpr = le32_to_cpu(buf[1]);
1210 		le = NULL;
1211 		depth = -1;
1212 		for (j = 0; j < nexpr; j++) {
1213 			e = kzalloc(sizeof(*e), GFP_KERNEL);
1214 			if (!e)
1215 				return -ENOMEM;
1216 
1217 			if (le)
1218 				le->next = e;
1219 			else
1220 				c->expr = e;
1221 
1222 			rc = next_entry(buf, fp, (sizeof(u32) * 3));
1223 			if (rc)
1224 				return rc;
1225 			e->expr_type = le32_to_cpu(buf[0]);
1226 			e->attr = le32_to_cpu(buf[1]);
1227 			e->op = le32_to_cpu(buf[2]);
1228 
1229 			switch (e->expr_type) {
1230 			case CEXPR_NOT:
1231 				if (depth < 0)
1232 					return -EINVAL;
1233 				break;
1234 			case CEXPR_AND:
1235 			case CEXPR_OR:
1236 				if (depth < 1)
1237 					return -EINVAL;
1238 				depth--;
1239 				break;
1240 			case CEXPR_ATTR:
1241 				if (depth == (CEXPR_MAXDEPTH - 1))
1242 					return -EINVAL;
1243 				depth++;
1244 				break;
1245 			case CEXPR_NAMES:
1246 				if (!allowxtarget && (e->attr & CEXPR_XTARGET))
1247 					return -EINVAL;
1248 				if (depth == (CEXPR_MAXDEPTH - 1))
1249 					return -EINVAL;
1250 				depth++;
1251 				rc = ebitmap_read(&e->names, fp);
1252 				if (rc)
1253 					return rc;
1254 				if (p->policyvers >=
1255 					POLICYDB_VERSION_CONSTRAINT_NAMES) {
1256 						e->type_names = kzalloc(sizeof
1257 						(*e->type_names),
1258 						GFP_KERNEL);
1259 					if (!e->type_names)
1260 						return -ENOMEM;
1261 					type_set_init(e->type_names);
1262 					rc = type_set_read(e->type_names, fp);
1263 					if (rc)
1264 						return rc;
1265 				}
1266 				break;
1267 			default:
1268 				return -EINVAL;
1269 			}
1270 			le = e;
1271 		}
1272 		if (depth != 0)
1273 			return -EINVAL;
1274 		lc = c;
1275 	}
1276 
1277 	return 0;
1278 }
1279 
1280 static int class_read(struct policydb *p, struct hashtab *h, void *fp)
1281 {
1282 	char *key = NULL;
1283 	struct class_datum *cladatum;
1284 	__le32 buf[6];
1285 	u32 len, len2, ncons, nel;
1286 	int i, rc;
1287 
1288 	cladatum = kzalloc(sizeof(*cladatum), GFP_KERNEL);
1289 	if (!cladatum)
1290 		return -ENOMEM;
1291 
1292 	rc = next_entry(buf, fp, sizeof(u32)*6);
1293 	if (rc)
1294 		goto bad;
1295 
1296 	len = le32_to_cpu(buf[0]);
1297 	len2 = le32_to_cpu(buf[1]);
1298 	cladatum->value = le32_to_cpu(buf[2]);
1299 
1300 	rc = symtab_init(&cladatum->permissions, PERM_SYMTAB_SIZE);
1301 	if (rc)
1302 		goto bad;
1303 	cladatum->permissions.nprim = le32_to_cpu(buf[3]);
1304 	nel = le32_to_cpu(buf[4]);
1305 
1306 	ncons = le32_to_cpu(buf[5]);
1307 
1308 	rc = str_read(&key, GFP_KERNEL, fp, len);
1309 	if (rc)
1310 		goto bad;
1311 
1312 	if (len2) {
1313 		rc = str_read(&cladatum->comkey, GFP_KERNEL, fp, len2);
1314 		if (rc)
1315 			goto bad;
1316 
1317 		rc = -EINVAL;
1318 		cladatum->comdatum = hashtab_search(p->p_commons.table, cladatum->comkey);
1319 		if (!cladatum->comdatum) {
1320 			pr_err("SELinux:  unknown common %s\n",
1321 			       cladatum->comkey);
1322 			goto bad;
1323 		}
1324 	}
1325 	for (i = 0; i < nel; i++) {
1326 		rc = perm_read(p, cladatum->permissions.table, fp);
1327 		if (rc)
1328 			goto bad;
1329 	}
1330 
1331 	rc = read_cons_helper(p, &cladatum->constraints, ncons, 0, fp);
1332 	if (rc)
1333 		goto bad;
1334 
1335 	if (p->policyvers >= POLICYDB_VERSION_VALIDATETRANS) {
1336 		/* grab the validatetrans rules */
1337 		rc = next_entry(buf, fp, sizeof(u32));
1338 		if (rc)
1339 			goto bad;
1340 		ncons = le32_to_cpu(buf[0]);
1341 		rc = read_cons_helper(p, &cladatum->validatetrans,
1342 				ncons, 1, fp);
1343 		if (rc)
1344 			goto bad;
1345 	}
1346 
1347 	if (p->policyvers >= POLICYDB_VERSION_NEW_OBJECT_DEFAULTS) {
1348 		rc = next_entry(buf, fp, sizeof(u32) * 3);
1349 		if (rc)
1350 			goto bad;
1351 
1352 		cladatum->default_user = le32_to_cpu(buf[0]);
1353 		cladatum->default_role = le32_to_cpu(buf[1]);
1354 		cladatum->default_range = le32_to_cpu(buf[2]);
1355 	}
1356 
1357 	if (p->policyvers >= POLICYDB_VERSION_DEFAULT_TYPE) {
1358 		rc = next_entry(buf, fp, sizeof(u32) * 1);
1359 		if (rc)
1360 			goto bad;
1361 		cladatum->default_type = le32_to_cpu(buf[0]);
1362 	}
1363 
1364 	rc = hashtab_insert(h, key, cladatum);
1365 	if (rc)
1366 		goto bad;
1367 
1368 	return 0;
1369 bad:
1370 	cls_destroy(key, cladatum, NULL);
1371 	return rc;
1372 }
1373 
1374 static int role_read(struct policydb *p, struct hashtab *h, void *fp)
1375 {
1376 	char *key = NULL;
1377 	struct role_datum *role;
1378 	int rc, to_read = 2;
1379 	__le32 buf[3];
1380 	u32 len;
1381 
1382 	role = kzalloc(sizeof(*role), GFP_KERNEL);
1383 	if (!role)
1384 		return -ENOMEM;
1385 
1386 	if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
1387 		to_read = 3;
1388 
1389 	rc = next_entry(buf, fp, sizeof(buf[0]) * to_read);
1390 	if (rc)
1391 		goto bad;
1392 
1393 	len = le32_to_cpu(buf[0]);
1394 	role->value = le32_to_cpu(buf[1]);
1395 	if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
1396 		role->bounds = le32_to_cpu(buf[2]);
1397 
1398 	rc = str_read(&key, GFP_KERNEL, fp, len);
1399 	if (rc)
1400 		goto bad;
1401 
1402 	rc = ebitmap_read(&role->dominates, fp);
1403 	if (rc)
1404 		goto bad;
1405 
1406 	rc = ebitmap_read(&role->types, fp);
1407 	if (rc)
1408 		goto bad;
1409 
1410 	if (strcmp(key, OBJECT_R) == 0) {
1411 		rc = -EINVAL;
1412 		if (role->value != OBJECT_R_VAL) {
1413 			pr_err("SELinux: Role %s has wrong value %d\n",
1414 			       OBJECT_R, role->value);
1415 			goto bad;
1416 		}
1417 		rc = 0;
1418 		goto bad;
1419 	}
1420 
1421 	rc = hashtab_insert(h, key, role);
1422 	if (rc)
1423 		goto bad;
1424 	return 0;
1425 bad:
1426 	role_destroy(key, role, NULL);
1427 	return rc;
1428 }
1429 
1430 static int type_read(struct policydb *p, struct hashtab *h, void *fp)
1431 {
1432 	char *key = NULL;
1433 	struct type_datum *typdatum;
1434 	int rc, to_read = 3;
1435 	__le32 buf[4];
1436 	u32 len;
1437 
1438 	typdatum = kzalloc(sizeof(*typdatum), GFP_KERNEL);
1439 	if (!typdatum)
1440 		return -ENOMEM;
1441 
1442 	if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
1443 		to_read = 4;
1444 
1445 	rc = next_entry(buf, fp, sizeof(buf[0]) * to_read);
1446 	if (rc)
1447 		goto bad;
1448 
1449 	len = le32_to_cpu(buf[0]);
1450 	typdatum->value = le32_to_cpu(buf[1]);
1451 	if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) {
1452 		u32 prop = le32_to_cpu(buf[2]);
1453 
1454 		if (prop & TYPEDATUM_PROPERTY_PRIMARY)
1455 			typdatum->primary = 1;
1456 		if (prop & TYPEDATUM_PROPERTY_ATTRIBUTE)
1457 			typdatum->attribute = 1;
1458 
1459 		typdatum->bounds = le32_to_cpu(buf[3]);
1460 	} else {
1461 		typdatum->primary = le32_to_cpu(buf[2]);
1462 	}
1463 
1464 	rc = str_read(&key, GFP_KERNEL, fp, len);
1465 	if (rc)
1466 		goto bad;
1467 
1468 	rc = hashtab_insert(h, key, typdatum);
1469 	if (rc)
1470 		goto bad;
1471 	return 0;
1472 bad:
1473 	type_destroy(key, typdatum, NULL);
1474 	return rc;
1475 }
1476 
1477 
1478 /*
1479  * Read a MLS level structure from a policydb binary
1480  * representation file.
1481  */
1482 static int mls_read_level(struct mls_level *lp, void *fp)
1483 {
1484 	__le32 buf[1];
1485 	int rc;
1486 
1487 	memset(lp, 0, sizeof(*lp));
1488 
1489 	rc = next_entry(buf, fp, sizeof buf);
1490 	if (rc) {
1491 		pr_err("SELinux: mls: truncated level\n");
1492 		return rc;
1493 	}
1494 	lp->sens = le32_to_cpu(buf[0]);
1495 
1496 	rc = ebitmap_read(&lp->cat, fp);
1497 	if (rc) {
1498 		pr_err("SELinux: mls:  error reading level categories\n");
1499 		return rc;
1500 	}
1501 	return 0;
1502 }
1503 
1504 static int user_read(struct policydb *p, struct hashtab *h, void *fp)
1505 {
1506 	char *key = NULL;
1507 	struct user_datum *usrdatum;
1508 	int rc, to_read = 2;
1509 	__le32 buf[3];
1510 	u32 len;
1511 
1512 	usrdatum = kzalloc(sizeof(*usrdatum), GFP_KERNEL);
1513 	if (!usrdatum)
1514 		return -ENOMEM;
1515 
1516 	if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
1517 		to_read = 3;
1518 
1519 	rc = next_entry(buf, fp, sizeof(buf[0]) * to_read);
1520 	if (rc)
1521 		goto bad;
1522 
1523 	len = le32_to_cpu(buf[0]);
1524 	usrdatum->value = le32_to_cpu(buf[1]);
1525 	if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
1526 		usrdatum->bounds = le32_to_cpu(buf[2]);
1527 
1528 	rc = str_read(&key, GFP_KERNEL, fp, len);
1529 	if (rc)
1530 		goto bad;
1531 
1532 	rc = ebitmap_read(&usrdatum->roles, fp);
1533 	if (rc)
1534 		goto bad;
1535 
1536 	if (p->policyvers >= POLICYDB_VERSION_MLS) {
1537 		rc = mls_read_range_helper(&usrdatum->range, fp);
1538 		if (rc)
1539 			goto bad;
1540 		rc = mls_read_level(&usrdatum->dfltlevel, fp);
1541 		if (rc)
1542 			goto bad;
1543 	}
1544 
1545 	rc = hashtab_insert(h, key, usrdatum);
1546 	if (rc)
1547 		goto bad;
1548 	return 0;
1549 bad:
1550 	user_destroy(key, usrdatum, NULL);
1551 	return rc;
1552 }
1553 
1554 static int sens_read(struct policydb *p, struct hashtab *h, void *fp)
1555 {
1556 	char *key = NULL;
1557 	struct level_datum *levdatum;
1558 	int rc;
1559 	__le32 buf[2];
1560 	u32 len;
1561 
1562 	levdatum = kzalloc(sizeof(*levdatum), GFP_ATOMIC);
1563 	if (!levdatum)
1564 		return -ENOMEM;
1565 
1566 	rc = next_entry(buf, fp, sizeof buf);
1567 	if (rc)
1568 		goto bad;
1569 
1570 	len = le32_to_cpu(buf[0]);
1571 	levdatum->isalias = le32_to_cpu(buf[1]);
1572 
1573 	rc = str_read(&key, GFP_ATOMIC, fp, len);
1574 	if (rc)
1575 		goto bad;
1576 
1577 	rc = -ENOMEM;
1578 	levdatum->level = kmalloc(sizeof(*levdatum->level), GFP_ATOMIC);
1579 	if (!levdatum->level)
1580 		goto bad;
1581 
1582 	rc = mls_read_level(levdatum->level, fp);
1583 	if (rc)
1584 		goto bad;
1585 
1586 	rc = hashtab_insert(h, key, levdatum);
1587 	if (rc)
1588 		goto bad;
1589 	return 0;
1590 bad:
1591 	sens_destroy(key, levdatum, NULL);
1592 	return rc;
1593 }
1594 
1595 static int cat_read(struct policydb *p, struct hashtab *h, void *fp)
1596 {
1597 	char *key = NULL;
1598 	struct cat_datum *catdatum;
1599 	int rc;
1600 	__le32 buf[3];
1601 	u32 len;
1602 
1603 	catdatum = kzalloc(sizeof(*catdatum), GFP_ATOMIC);
1604 	if (!catdatum)
1605 		return -ENOMEM;
1606 
1607 	rc = next_entry(buf, fp, sizeof buf);
1608 	if (rc)
1609 		goto bad;
1610 
1611 	len = le32_to_cpu(buf[0]);
1612 	catdatum->value = le32_to_cpu(buf[1]);
1613 	catdatum->isalias = le32_to_cpu(buf[2]);
1614 
1615 	rc = str_read(&key, GFP_ATOMIC, fp, len);
1616 	if (rc)
1617 		goto bad;
1618 
1619 	rc = hashtab_insert(h, key, catdatum);
1620 	if (rc)
1621 		goto bad;
1622 	return 0;
1623 bad:
1624 	cat_destroy(key, catdatum, NULL);
1625 	return rc;
1626 }
1627 
1628 static int (*read_f[SYM_NUM]) (struct policydb *p, struct hashtab *h, void *fp) =
1629 {
1630 	common_read,
1631 	class_read,
1632 	role_read,
1633 	type_read,
1634 	user_read,
1635 	cond_read_bool,
1636 	sens_read,
1637 	cat_read,
1638 };
1639 
1640 static int user_bounds_sanity_check(void *key, void *datum, void *datap)
1641 {
1642 	struct user_datum *upper, *user;
1643 	struct policydb *p = datap;
1644 	int depth = 0;
1645 
1646 	upper = user = datum;
1647 	while (upper->bounds) {
1648 		struct ebitmap_node *node;
1649 		unsigned long bit;
1650 
1651 		if (++depth == POLICYDB_BOUNDS_MAXDEPTH) {
1652 			pr_err("SELinux: user %s: "
1653 			       "too deep or looped boundary",
1654 			       (char *) key);
1655 			return -EINVAL;
1656 		}
1657 
1658 		upper = p->user_val_to_struct[upper->bounds - 1];
1659 		ebitmap_for_each_positive_bit(&user->roles, node, bit) {
1660 			if (ebitmap_get_bit(&upper->roles, bit))
1661 				continue;
1662 
1663 			pr_err("SELinux: boundary violated policy: "
1664 			       "user=%s role=%s bounds=%s\n",
1665 			       sym_name(p, SYM_USERS, user->value - 1),
1666 			       sym_name(p, SYM_ROLES, bit),
1667 			       sym_name(p, SYM_USERS, upper->value - 1));
1668 
1669 			return -EINVAL;
1670 		}
1671 	}
1672 
1673 	return 0;
1674 }
1675 
1676 static int role_bounds_sanity_check(void *key, void *datum, void *datap)
1677 {
1678 	struct role_datum *upper, *role;
1679 	struct policydb *p = datap;
1680 	int depth = 0;
1681 
1682 	upper = role = datum;
1683 	while (upper->bounds) {
1684 		struct ebitmap_node *node;
1685 		unsigned long bit;
1686 
1687 		if (++depth == POLICYDB_BOUNDS_MAXDEPTH) {
1688 			pr_err("SELinux: role %s: "
1689 			       "too deep or looped bounds\n",
1690 			       (char *) key);
1691 			return -EINVAL;
1692 		}
1693 
1694 		upper = p->role_val_to_struct[upper->bounds - 1];
1695 		ebitmap_for_each_positive_bit(&role->types, node, bit) {
1696 			if (ebitmap_get_bit(&upper->types, bit))
1697 				continue;
1698 
1699 			pr_err("SELinux: boundary violated policy: "
1700 			       "role=%s type=%s bounds=%s\n",
1701 			       sym_name(p, SYM_ROLES, role->value - 1),
1702 			       sym_name(p, SYM_TYPES, bit),
1703 			       sym_name(p, SYM_ROLES, upper->value - 1));
1704 
1705 			return -EINVAL;
1706 		}
1707 	}
1708 
1709 	return 0;
1710 }
1711 
1712 static int type_bounds_sanity_check(void *key, void *datum, void *datap)
1713 {
1714 	struct type_datum *upper;
1715 	struct policydb *p = datap;
1716 	int depth = 0;
1717 
1718 	upper = datum;
1719 	while (upper->bounds) {
1720 		if (++depth == POLICYDB_BOUNDS_MAXDEPTH) {
1721 			pr_err("SELinux: type %s: "
1722 			       "too deep or looped boundary\n",
1723 			       (char *) key);
1724 			return -EINVAL;
1725 		}
1726 
1727 		upper = p->type_val_to_struct[upper->bounds - 1];
1728 		BUG_ON(!upper);
1729 
1730 		if (upper->attribute) {
1731 			pr_err("SELinux: type %s: "
1732 			       "bounded by attribute %s",
1733 			       (char *) key,
1734 			       sym_name(p, SYM_TYPES, upper->value - 1));
1735 			return -EINVAL;
1736 		}
1737 	}
1738 
1739 	return 0;
1740 }
1741 
1742 static int policydb_bounds_sanity_check(struct policydb *p)
1743 {
1744 	int rc;
1745 
1746 	if (p->policyvers < POLICYDB_VERSION_BOUNDARY)
1747 		return 0;
1748 
1749 	rc = hashtab_map(p->p_users.table,
1750 			 user_bounds_sanity_check, p);
1751 	if (rc)
1752 		return rc;
1753 
1754 	rc = hashtab_map(p->p_roles.table,
1755 			 role_bounds_sanity_check, p);
1756 	if (rc)
1757 		return rc;
1758 
1759 	rc = hashtab_map(p->p_types.table,
1760 			 type_bounds_sanity_check, p);
1761 	if (rc)
1762 		return rc;
1763 
1764 	return 0;
1765 }
1766 
1767 u16 string_to_security_class(struct policydb *p, const char *name)
1768 {
1769 	struct class_datum *cladatum;
1770 
1771 	cladatum = hashtab_search(p->p_classes.table, name);
1772 	if (!cladatum)
1773 		return 0;
1774 
1775 	return cladatum->value;
1776 }
1777 
1778 u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name)
1779 {
1780 	struct class_datum *cladatum;
1781 	struct perm_datum *perdatum = NULL;
1782 	struct common_datum *comdatum;
1783 
1784 	if (!tclass || tclass > p->p_classes.nprim)
1785 		return 0;
1786 
1787 	cladatum = p->class_val_to_struct[tclass-1];
1788 	comdatum = cladatum->comdatum;
1789 	if (comdatum)
1790 		perdatum = hashtab_search(comdatum->permissions.table,
1791 					  name);
1792 	if (!perdatum)
1793 		perdatum = hashtab_search(cladatum->permissions.table,
1794 					  name);
1795 	if (!perdatum)
1796 		return 0;
1797 
1798 	return 1U << (perdatum->value-1);
1799 }
1800 
1801 static int range_read(struct policydb *p, void *fp)
1802 {
1803 	struct range_trans *rt = NULL;
1804 	struct mls_range *r = NULL;
1805 	int i, rc;
1806 	__le32 buf[2];
1807 	u32 nel;
1808 
1809 	if (p->policyvers < POLICYDB_VERSION_MLS)
1810 		return 0;
1811 
1812 	rc = next_entry(buf, fp, sizeof(u32));
1813 	if (rc)
1814 		return rc;
1815 
1816 	nel = le32_to_cpu(buf[0]);
1817 	for (i = 0; i < nel; i++) {
1818 		rc = -ENOMEM;
1819 		rt = kzalloc(sizeof(*rt), GFP_KERNEL);
1820 		if (!rt)
1821 			goto out;
1822 
1823 		rc = next_entry(buf, fp, (sizeof(u32) * 2));
1824 		if (rc)
1825 			goto out;
1826 
1827 		rt->source_type = le32_to_cpu(buf[0]);
1828 		rt->target_type = le32_to_cpu(buf[1]);
1829 		if (p->policyvers >= POLICYDB_VERSION_RANGETRANS) {
1830 			rc = next_entry(buf, fp, sizeof(u32));
1831 			if (rc)
1832 				goto out;
1833 			rt->target_class = le32_to_cpu(buf[0]);
1834 		} else
1835 			rt->target_class = p->process_class;
1836 
1837 		rc = -EINVAL;
1838 		if (!policydb_type_isvalid(p, rt->source_type) ||
1839 		    !policydb_type_isvalid(p, rt->target_type) ||
1840 		    !policydb_class_isvalid(p, rt->target_class))
1841 			goto out;
1842 
1843 		rc = -ENOMEM;
1844 		r = kzalloc(sizeof(*r), GFP_KERNEL);
1845 		if (!r)
1846 			goto out;
1847 
1848 		rc = mls_read_range_helper(r, fp);
1849 		if (rc)
1850 			goto out;
1851 
1852 		rc = -EINVAL;
1853 		if (!mls_range_isvalid(p, r)) {
1854 			pr_warn("SELinux:  rangetrans:  invalid range\n");
1855 			goto out;
1856 		}
1857 
1858 		rc = hashtab_insert(p->range_tr, rt, r);
1859 		if (rc)
1860 			goto out;
1861 
1862 		rt = NULL;
1863 		r = NULL;
1864 	}
1865 	hash_eval(p->range_tr, "rangetr");
1866 	rc = 0;
1867 out:
1868 	kfree(rt);
1869 	kfree(r);
1870 	return rc;
1871 }
1872 
1873 static int filename_trans_read(struct policydb *p, void *fp)
1874 {
1875 	struct filename_trans *ft;
1876 	struct filename_trans_datum *otype;
1877 	char *name;
1878 	u32 nel, len;
1879 	__le32 buf[4];
1880 	int rc, i;
1881 
1882 	if (p->policyvers < POLICYDB_VERSION_FILENAME_TRANS)
1883 		return 0;
1884 
1885 	rc = next_entry(buf, fp, sizeof(u32));
1886 	if (rc)
1887 		return rc;
1888 	nel = le32_to_cpu(buf[0]);
1889 
1890 	for (i = 0; i < nel; i++) {
1891 		otype = NULL;
1892 		name = NULL;
1893 
1894 		rc = -ENOMEM;
1895 		ft = kzalloc(sizeof(*ft), GFP_KERNEL);
1896 		if (!ft)
1897 			goto out;
1898 
1899 		rc = -ENOMEM;
1900 		otype = kmalloc(sizeof(*otype), GFP_KERNEL);
1901 		if (!otype)
1902 			goto out;
1903 
1904 		/* length of the path component string */
1905 		rc = next_entry(buf, fp, sizeof(u32));
1906 		if (rc)
1907 			goto out;
1908 		len = le32_to_cpu(buf[0]);
1909 
1910 		/* path component string */
1911 		rc = str_read(&name, GFP_KERNEL, fp, len);
1912 		if (rc)
1913 			goto out;
1914 
1915 		ft->name = name;
1916 
1917 		rc = next_entry(buf, fp, sizeof(u32) * 4);
1918 		if (rc)
1919 			goto out;
1920 
1921 		ft->stype = le32_to_cpu(buf[0]);
1922 		ft->ttype = le32_to_cpu(buf[1]);
1923 		ft->tclass = le32_to_cpu(buf[2]);
1924 
1925 		otype->otype = le32_to_cpu(buf[3]);
1926 
1927 		rc = ebitmap_set_bit(&p->filename_trans_ttypes, ft->ttype, 1);
1928 		if (rc)
1929 			goto out;
1930 
1931 		rc = hashtab_insert(p->filename_trans, ft, otype);
1932 		if (rc) {
1933 			/*
1934 			 * Do not return -EEXIST to the caller, or the system
1935 			 * will not boot.
1936 			 */
1937 			if (rc != -EEXIST)
1938 				goto out;
1939 			/* But free memory to avoid memory leak. */
1940 			kfree(ft);
1941 			kfree(name);
1942 			kfree(otype);
1943 		}
1944 	}
1945 	hash_eval(p->filename_trans, "filenametr");
1946 	return 0;
1947 out:
1948 	kfree(ft);
1949 	kfree(name);
1950 	kfree(otype);
1951 
1952 	return rc;
1953 }
1954 
1955 static int genfs_read(struct policydb *p, void *fp)
1956 {
1957 	int i, j, rc;
1958 	u32 nel, nel2, len, len2;
1959 	__le32 buf[1];
1960 	struct ocontext *l, *c;
1961 	struct ocontext *newc = NULL;
1962 	struct genfs *genfs_p, *genfs;
1963 	struct genfs *newgenfs = NULL;
1964 
1965 	rc = next_entry(buf, fp, sizeof(u32));
1966 	if (rc)
1967 		return rc;
1968 	nel = le32_to_cpu(buf[0]);
1969 
1970 	for (i = 0; i < nel; i++) {
1971 		rc = next_entry(buf, fp, sizeof(u32));
1972 		if (rc)
1973 			goto out;
1974 		len = le32_to_cpu(buf[0]);
1975 
1976 		rc = -ENOMEM;
1977 		newgenfs = kzalloc(sizeof(*newgenfs), GFP_KERNEL);
1978 		if (!newgenfs)
1979 			goto out;
1980 
1981 		rc = str_read(&newgenfs->fstype, GFP_KERNEL, fp, len);
1982 		if (rc)
1983 			goto out;
1984 
1985 		for (genfs_p = NULL, genfs = p->genfs; genfs;
1986 		     genfs_p = genfs, genfs = genfs->next) {
1987 			rc = -EINVAL;
1988 			if (strcmp(newgenfs->fstype, genfs->fstype) == 0) {
1989 				pr_err("SELinux:  dup genfs fstype %s\n",
1990 				       newgenfs->fstype);
1991 				goto out;
1992 			}
1993 			if (strcmp(newgenfs->fstype, genfs->fstype) < 0)
1994 				break;
1995 		}
1996 		newgenfs->next = genfs;
1997 		if (genfs_p)
1998 			genfs_p->next = newgenfs;
1999 		else
2000 			p->genfs = newgenfs;
2001 		genfs = newgenfs;
2002 		newgenfs = NULL;
2003 
2004 		rc = next_entry(buf, fp, sizeof(u32));
2005 		if (rc)
2006 			goto out;
2007 
2008 		nel2 = le32_to_cpu(buf[0]);
2009 		for (j = 0; j < nel2; j++) {
2010 			rc = next_entry(buf, fp, sizeof(u32));
2011 			if (rc)
2012 				goto out;
2013 			len = le32_to_cpu(buf[0]);
2014 
2015 			rc = -ENOMEM;
2016 			newc = kzalloc(sizeof(*newc), GFP_KERNEL);
2017 			if (!newc)
2018 				goto out;
2019 
2020 			rc = str_read(&newc->u.name, GFP_KERNEL, fp, len);
2021 			if (rc)
2022 				goto out;
2023 
2024 			rc = next_entry(buf, fp, sizeof(u32));
2025 			if (rc)
2026 				goto out;
2027 
2028 			newc->v.sclass = le32_to_cpu(buf[0]);
2029 			rc = context_read_and_validate(&newc->context[0], p, fp);
2030 			if (rc)
2031 				goto out;
2032 
2033 			for (l = NULL, c = genfs->head; c;
2034 			     l = c, c = c->next) {
2035 				rc = -EINVAL;
2036 				if (!strcmp(newc->u.name, c->u.name) &&
2037 				    (!c->v.sclass || !newc->v.sclass ||
2038 				     newc->v.sclass == c->v.sclass)) {
2039 					pr_err("SELinux:  dup genfs entry (%s,%s)\n",
2040 					       genfs->fstype, c->u.name);
2041 					goto out;
2042 				}
2043 				len = strlen(newc->u.name);
2044 				len2 = strlen(c->u.name);
2045 				if (len > len2)
2046 					break;
2047 			}
2048 
2049 			newc->next = c;
2050 			if (l)
2051 				l->next = newc;
2052 			else
2053 				genfs->head = newc;
2054 			newc = NULL;
2055 		}
2056 	}
2057 	rc = 0;
2058 out:
2059 	if (newgenfs) {
2060 		kfree(newgenfs->fstype);
2061 		kfree(newgenfs);
2062 	}
2063 	ocontext_destroy(newc, OCON_FSUSE);
2064 
2065 	return rc;
2066 }
2067 
2068 static int ocontext_read(struct policydb *p, struct policydb_compat_info *info,
2069 			 void *fp)
2070 {
2071 	int i, j, rc;
2072 	u32 nel, len;
2073 	__be64 prefixbuf[1];
2074 	__le32 buf[3];
2075 	struct ocontext *l, *c;
2076 	u32 nodebuf[8];
2077 
2078 	for (i = 0; i < info->ocon_num; i++) {
2079 		rc = next_entry(buf, fp, sizeof(u32));
2080 		if (rc)
2081 			goto out;
2082 		nel = le32_to_cpu(buf[0]);
2083 
2084 		l = NULL;
2085 		for (j = 0; j < nel; j++) {
2086 			rc = -ENOMEM;
2087 			c = kzalloc(sizeof(*c), GFP_KERNEL);
2088 			if (!c)
2089 				goto out;
2090 			if (l)
2091 				l->next = c;
2092 			else
2093 				p->ocontexts[i] = c;
2094 			l = c;
2095 
2096 			switch (i) {
2097 			case OCON_ISID:
2098 				rc = next_entry(buf, fp, sizeof(u32));
2099 				if (rc)
2100 					goto out;
2101 
2102 				c->sid[0] = le32_to_cpu(buf[0]);
2103 				rc = context_read_and_validate(&c->context[0], p, fp);
2104 				if (rc)
2105 					goto out;
2106 				break;
2107 			case OCON_FS:
2108 			case OCON_NETIF:
2109 				rc = next_entry(buf, fp, sizeof(u32));
2110 				if (rc)
2111 					goto out;
2112 				len = le32_to_cpu(buf[0]);
2113 
2114 				rc = str_read(&c->u.name, GFP_KERNEL, fp, len);
2115 				if (rc)
2116 					goto out;
2117 
2118 				rc = context_read_and_validate(&c->context[0], p, fp);
2119 				if (rc)
2120 					goto out;
2121 				rc = context_read_and_validate(&c->context[1], p, fp);
2122 				if (rc)
2123 					goto out;
2124 				break;
2125 			case OCON_PORT:
2126 				rc = next_entry(buf, fp, sizeof(u32)*3);
2127 				if (rc)
2128 					goto out;
2129 				c->u.port.protocol = le32_to_cpu(buf[0]);
2130 				c->u.port.low_port = le32_to_cpu(buf[1]);
2131 				c->u.port.high_port = le32_to_cpu(buf[2]);
2132 				rc = context_read_and_validate(&c->context[0], p, fp);
2133 				if (rc)
2134 					goto out;
2135 				break;
2136 			case OCON_NODE:
2137 				rc = next_entry(nodebuf, fp, sizeof(u32) * 2);
2138 				if (rc)
2139 					goto out;
2140 				c->u.node.addr = nodebuf[0]; /* network order */
2141 				c->u.node.mask = nodebuf[1]; /* network order */
2142 				rc = context_read_and_validate(&c->context[0], p, fp);
2143 				if (rc)
2144 					goto out;
2145 				break;
2146 			case OCON_FSUSE:
2147 				rc = next_entry(buf, fp, sizeof(u32)*2);
2148 				if (rc)
2149 					goto out;
2150 
2151 				rc = -EINVAL;
2152 				c->v.behavior = le32_to_cpu(buf[0]);
2153 				/* Determined at runtime, not in policy DB. */
2154 				if (c->v.behavior == SECURITY_FS_USE_MNTPOINT)
2155 					goto out;
2156 				if (c->v.behavior > SECURITY_FS_USE_MAX)
2157 					goto out;
2158 
2159 				len = le32_to_cpu(buf[1]);
2160 				rc = str_read(&c->u.name, GFP_KERNEL, fp, len);
2161 				if (rc)
2162 					goto out;
2163 
2164 				rc = context_read_and_validate(&c->context[0], p, fp);
2165 				if (rc)
2166 					goto out;
2167 				break;
2168 			case OCON_NODE6: {
2169 				int k;
2170 
2171 				rc = next_entry(nodebuf, fp, sizeof(u32) * 8);
2172 				if (rc)
2173 					goto out;
2174 				for (k = 0; k < 4; k++)
2175 					c->u.node6.addr[k] = nodebuf[k];
2176 				for (k = 0; k < 4; k++)
2177 					c->u.node6.mask[k] = nodebuf[k+4];
2178 				rc = context_read_and_validate(&c->context[0], p, fp);
2179 				if (rc)
2180 					goto out;
2181 				break;
2182 			}
2183 			case OCON_IBPKEY: {
2184 				u32 pkey_lo, pkey_hi;
2185 
2186 				rc = next_entry(prefixbuf, fp, sizeof(u64));
2187 				if (rc)
2188 					goto out;
2189 
2190 				/* we need to have subnet_prefix in CPU order */
2191 				c->u.ibpkey.subnet_prefix = be64_to_cpu(prefixbuf[0]);
2192 
2193 				rc = next_entry(buf, fp, sizeof(u32) * 2);
2194 				if (rc)
2195 					goto out;
2196 
2197 				pkey_lo = le32_to_cpu(buf[0]);
2198 				pkey_hi = le32_to_cpu(buf[1]);
2199 
2200 				if (pkey_lo > U16_MAX || pkey_hi > U16_MAX) {
2201 					rc = -EINVAL;
2202 					goto out;
2203 				}
2204 
2205 				c->u.ibpkey.low_pkey  = pkey_lo;
2206 				c->u.ibpkey.high_pkey = pkey_hi;
2207 
2208 				rc = context_read_and_validate(&c->context[0],
2209 							       p,
2210 							       fp);
2211 				if (rc)
2212 					goto out;
2213 				break;
2214 			}
2215 			case OCON_IBENDPORT: {
2216 				u32 port;
2217 
2218 				rc = next_entry(buf, fp, sizeof(u32) * 2);
2219 				if (rc)
2220 					goto out;
2221 				len = le32_to_cpu(buf[0]);
2222 
2223 				rc = str_read(&c->u.ibendport.dev_name, GFP_KERNEL, fp, len);
2224 				if (rc)
2225 					goto out;
2226 
2227 				port = le32_to_cpu(buf[1]);
2228 				if (port > U8_MAX || port == 0) {
2229 					rc = -EINVAL;
2230 					goto out;
2231 				}
2232 
2233 				c->u.ibendport.port = port;
2234 
2235 				rc = context_read_and_validate(&c->context[0],
2236 							       p,
2237 							       fp);
2238 				if (rc)
2239 					goto out;
2240 				break;
2241 			} /* end case */
2242 			} /* end switch */
2243 		}
2244 	}
2245 	rc = 0;
2246 out:
2247 	return rc;
2248 }
2249 
2250 /*
2251  * Read the configuration data from a policy database binary
2252  * representation file into a policy database structure.
2253  */
2254 int policydb_read(struct policydb *p, void *fp)
2255 {
2256 	struct role_allow *ra, *lra;
2257 	struct role_trans *tr, *ltr;
2258 	int i, j, rc;
2259 	__le32 buf[4];
2260 	u32 len, nprim, nel;
2261 
2262 	char *policydb_str;
2263 	struct policydb_compat_info *info;
2264 
2265 	rc = policydb_init(p);
2266 	if (rc)
2267 		return rc;
2268 
2269 	/* Read the magic number and string length. */
2270 	rc = next_entry(buf, fp, sizeof(u32) * 2);
2271 	if (rc)
2272 		goto bad;
2273 
2274 	rc = -EINVAL;
2275 	if (le32_to_cpu(buf[0]) != POLICYDB_MAGIC) {
2276 		pr_err("SELinux:  policydb magic number 0x%x does "
2277 		       "not match expected magic number 0x%x\n",
2278 		       le32_to_cpu(buf[0]), POLICYDB_MAGIC);
2279 		goto bad;
2280 	}
2281 
2282 	rc = -EINVAL;
2283 	len = le32_to_cpu(buf[1]);
2284 	if (len != strlen(POLICYDB_STRING)) {
2285 		pr_err("SELinux:  policydb string length %d does not "
2286 		       "match expected length %zu\n",
2287 		       len, strlen(POLICYDB_STRING));
2288 		goto bad;
2289 	}
2290 
2291 	rc = -ENOMEM;
2292 	policydb_str = kmalloc(len + 1, GFP_KERNEL);
2293 	if (!policydb_str) {
2294 		pr_err("SELinux:  unable to allocate memory for policydb "
2295 		       "string of length %d\n", len);
2296 		goto bad;
2297 	}
2298 
2299 	rc = next_entry(policydb_str, fp, len);
2300 	if (rc) {
2301 		pr_err("SELinux:  truncated policydb string identifier\n");
2302 		kfree(policydb_str);
2303 		goto bad;
2304 	}
2305 
2306 	rc = -EINVAL;
2307 	policydb_str[len] = '\0';
2308 	if (strcmp(policydb_str, POLICYDB_STRING)) {
2309 		pr_err("SELinux:  policydb string %s does not match "
2310 		       "my string %s\n", policydb_str, POLICYDB_STRING);
2311 		kfree(policydb_str);
2312 		goto bad;
2313 	}
2314 	/* Done with policydb_str. */
2315 	kfree(policydb_str);
2316 	policydb_str = NULL;
2317 
2318 	/* Read the version and table sizes. */
2319 	rc = next_entry(buf, fp, sizeof(u32)*4);
2320 	if (rc)
2321 		goto bad;
2322 
2323 	rc = -EINVAL;
2324 	p->policyvers = le32_to_cpu(buf[0]);
2325 	if (p->policyvers < POLICYDB_VERSION_MIN ||
2326 	    p->policyvers > POLICYDB_VERSION_MAX) {
2327 		pr_err("SELinux:  policydb version %d does not match "
2328 		       "my version range %d-%d\n",
2329 		       le32_to_cpu(buf[0]), POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
2330 		goto bad;
2331 	}
2332 
2333 	if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_MLS)) {
2334 		p->mls_enabled = 1;
2335 
2336 		rc = -EINVAL;
2337 		if (p->policyvers < POLICYDB_VERSION_MLS) {
2338 			pr_err("SELinux: security policydb version %d "
2339 				"(MLS) not backwards compatible\n",
2340 				p->policyvers);
2341 			goto bad;
2342 		}
2343 	}
2344 	p->reject_unknown = !!(le32_to_cpu(buf[1]) & REJECT_UNKNOWN);
2345 	p->allow_unknown = !!(le32_to_cpu(buf[1]) & ALLOW_UNKNOWN);
2346 
2347 	if (p->policyvers >= POLICYDB_VERSION_POLCAP) {
2348 		rc = ebitmap_read(&p->policycaps, fp);
2349 		if (rc)
2350 			goto bad;
2351 	}
2352 
2353 	if (p->policyvers >= POLICYDB_VERSION_PERMISSIVE) {
2354 		rc = ebitmap_read(&p->permissive_map, fp);
2355 		if (rc)
2356 			goto bad;
2357 	}
2358 
2359 	rc = -EINVAL;
2360 	info = policydb_lookup_compat(p->policyvers);
2361 	if (!info) {
2362 		pr_err("SELinux:  unable to find policy compat info "
2363 		       "for version %d\n", p->policyvers);
2364 		goto bad;
2365 	}
2366 
2367 	rc = -EINVAL;
2368 	if (le32_to_cpu(buf[2]) != info->sym_num ||
2369 		le32_to_cpu(buf[3]) != info->ocon_num) {
2370 		pr_err("SELinux:  policydb table sizes (%d,%d) do "
2371 		       "not match mine (%d,%d)\n", le32_to_cpu(buf[2]),
2372 			le32_to_cpu(buf[3]),
2373 		       info->sym_num, info->ocon_num);
2374 		goto bad;
2375 	}
2376 
2377 	for (i = 0; i < info->sym_num; i++) {
2378 		rc = next_entry(buf, fp, sizeof(u32)*2);
2379 		if (rc)
2380 			goto bad;
2381 		nprim = le32_to_cpu(buf[0]);
2382 		nel = le32_to_cpu(buf[1]);
2383 		for (j = 0; j < nel; j++) {
2384 			rc = read_f[i](p, p->symtab[i].table, fp);
2385 			if (rc)
2386 				goto bad;
2387 		}
2388 
2389 		p->symtab[i].nprim = nprim;
2390 	}
2391 
2392 	rc = -EINVAL;
2393 	p->process_class = string_to_security_class(p, "process");
2394 	if (!p->process_class)
2395 		goto bad;
2396 
2397 	rc = avtab_read(&p->te_avtab, fp, p);
2398 	if (rc)
2399 		goto bad;
2400 
2401 	if (p->policyvers >= POLICYDB_VERSION_BOOL) {
2402 		rc = cond_read_list(p, fp);
2403 		if (rc)
2404 			goto bad;
2405 	}
2406 
2407 	rc = next_entry(buf, fp, sizeof(u32));
2408 	if (rc)
2409 		goto bad;
2410 	nel = le32_to_cpu(buf[0]);
2411 	ltr = NULL;
2412 	for (i = 0; i < nel; i++) {
2413 		rc = -ENOMEM;
2414 		tr = kzalloc(sizeof(*tr), GFP_KERNEL);
2415 		if (!tr)
2416 			goto bad;
2417 		if (ltr)
2418 			ltr->next = tr;
2419 		else
2420 			p->role_tr = tr;
2421 		rc = next_entry(buf, fp, sizeof(u32)*3);
2422 		if (rc)
2423 			goto bad;
2424 
2425 		rc = -EINVAL;
2426 		tr->role = le32_to_cpu(buf[0]);
2427 		tr->type = le32_to_cpu(buf[1]);
2428 		tr->new_role = le32_to_cpu(buf[2]);
2429 		if (p->policyvers >= POLICYDB_VERSION_ROLETRANS) {
2430 			rc = next_entry(buf, fp, sizeof(u32));
2431 			if (rc)
2432 				goto bad;
2433 			tr->tclass = le32_to_cpu(buf[0]);
2434 		} else
2435 			tr->tclass = p->process_class;
2436 
2437 		rc = -EINVAL;
2438 		if (!policydb_role_isvalid(p, tr->role) ||
2439 		    !policydb_type_isvalid(p, tr->type) ||
2440 		    !policydb_class_isvalid(p, tr->tclass) ||
2441 		    !policydb_role_isvalid(p, tr->new_role))
2442 			goto bad;
2443 		ltr = tr;
2444 	}
2445 
2446 	rc = next_entry(buf, fp, sizeof(u32));
2447 	if (rc)
2448 		goto bad;
2449 	nel = le32_to_cpu(buf[0]);
2450 	lra = NULL;
2451 	for (i = 0; i < nel; i++) {
2452 		rc = -ENOMEM;
2453 		ra = kzalloc(sizeof(*ra), GFP_KERNEL);
2454 		if (!ra)
2455 			goto bad;
2456 		if (lra)
2457 			lra->next = ra;
2458 		else
2459 			p->role_allow = ra;
2460 		rc = next_entry(buf, fp, sizeof(u32)*2);
2461 		if (rc)
2462 			goto bad;
2463 
2464 		rc = -EINVAL;
2465 		ra->role = le32_to_cpu(buf[0]);
2466 		ra->new_role = le32_to_cpu(buf[1]);
2467 		if (!policydb_role_isvalid(p, ra->role) ||
2468 		    !policydb_role_isvalid(p, ra->new_role))
2469 			goto bad;
2470 		lra = ra;
2471 	}
2472 
2473 	rc = filename_trans_read(p, fp);
2474 	if (rc)
2475 		goto bad;
2476 
2477 	rc = policydb_index(p);
2478 	if (rc)
2479 		goto bad;
2480 
2481 	rc = -EINVAL;
2482 	p->process_trans_perms = string_to_av_perm(p, p->process_class, "transition");
2483 	p->process_trans_perms |= string_to_av_perm(p, p->process_class, "dyntransition");
2484 	if (!p->process_trans_perms)
2485 		goto bad;
2486 
2487 	rc = ocontext_read(p, info, fp);
2488 	if (rc)
2489 		goto bad;
2490 
2491 	rc = genfs_read(p, fp);
2492 	if (rc)
2493 		goto bad;
2494 
2495 	rc = range_read(p, fp);
2496 	if (rc)
2497 		goto bad;
2498 
2499 	p->type_attr_map_array = kvcalloc(p->p_types.nprim,
2500 					  sizeof(*p->type_attr_map_array),
2501 					  GFP_KERNEL);
2502 	if (!p->type_attr_map_array)
2503 		goto bad;
2504 
2505 	/* just in case ebitmap_init() becomes more than just a memset(0): */
2506 	for (i = 0; i < p->p_types.nprim; i++)
2507 		ebitmap_init(&p->type_attr_map_array[i]);
2508 
2509 	for (i = 0; i < p->p_types.nprim; i++) {
2510 		struct ebitmap *e = &p->type_attr_map_array[i];
2511 
2512 		if (p->policyvers >= POLICYDB_VERSION_AVTAB) {
2513 			rc = ebitmap_read(e, fp);
2514 			if (rc)
2515 				goto bad;
2516 		}
2517 		/* add the type itself as the degenerate case */
2518 		rc = ebitmap_set_bit(e, i, 1);
2519 		if (rc)
2520 			goto bad;
2521 	}
2522 
2523 	rc = policydb_bounds_sanity_check(p);
2524 	if (rc)
2525 		goto bad;
2526 
2527 	rc = 0;
2528 out:
2529 	return rc;
2530 bad:
2531 	policydb_destroy(p);
2532 	goto out;
2533 }
2534 
2535 /*
2536  * Write a MLS level structure to a policydb binary
2537  * representation file.
2538  */
2539 static int mls_write_level(struct mls_level *l, void *fp)
2540 {
2541 	__le32 buf[1];
2542 	int rc;
2543 
2544 	buf[0] = cpu_to_le32(l->sens);
2545 	rc = put_entry(buf, sizeof(u32), 1, fp);
2546 	if (rc)
2547 		return rc;
2548 
2549 	rc = ebitmap_write(&l->cat, fp);
2550 	if (rc)
2551 		return rc;
2552 
2553 	return 0;
2554 }
2555 
2556 /*
2557  * Write a MLS range structure to a policydb binary
2558  * representation file.
2559  */
2560 static int mls_write_range_helper(struct mls_range *r, void *fp)
2561 {
2562 	__le32 buf[3];
2563 	size_t items;
2564 	int rc, eq;
2565 
2566 	eq = mls_level_eq(&r->level[1], &r->level[0]);
2567 
2568 	if (eq)
2569 		items = 2;
2570 	else
2571 		items = 3;
2572 	buf[0] = cpu_to_le32(items-1);
2573 	buf[1] = cpu_to_le32(r->level[0].sens);
2574 	if (!eq)
2575 		buf[2] = cpu_to_le32(r->level[1].sens);
2576 
2577 	BUG_ON(items > ARRAY_SIZE(buf));
2578 
2579 	rc = put_entry(buf, sizeof(u32), items, fp);
2580 	if (rc)
2581 		return rc;
2582 
2583 	rc = ebitmap_write(&r->level[0].cat, fp);
2584 	if (rc)
2585 		return rc;
2586 	if (!eq) {
2587 		rc = ebitmap_write(&r->level[1].cat, fp);
2588 		if (rc)
2589 			return rc;
2590 	}
2591 
2592 	return 0;
2593 }
2594 
2595 static int sens_write(void *vkey, void *datum, void *ptr)
2596 {
2597 	char *key = vkey;
2598 	struct level_datum *levdatum = datum;
2599 	struct policy_data *pd = ptr;
2600 	void *fp = pd->fp;
2601 	__le32 buf[2];
2602 	size_t len;
2603 	int rc;
2604 
2605 	len = strlen(key);
2606 	buf[0] = cpu_to_le32(len);
2607 	buf[1] = cpu_to_le32(levdatum->isalias);
2608 	rc = put_entry(buf, sizeof(u32), 2, fp);
2609 	if (rc)
2610 		return rc;
2611 
2612 	rc = put_entry(key, 1, len, fp);
2613 	if (rc)
2614 		return rc;
2615 
2616 	rc = mls_write_level(levdatum->level, fp);
2617 	if (rc)
2618 		return rc;
2619 
2620 	return 0;
2621 }
2622 
2623 static int cat_write(void *vkey, void *datum, void *ptr)
2624 {
2625 	char *key = vkey;
2626 	struct cat_datum *catdatum = datum;
2627 	struct policy_data *pd = ptr;
2628 	void *fp = pd->fp;
2629 	__le32 buf[3];
2630 	size_t len;
2631 	int rc;
2632 
2633 	len = strlen(key);
2634 	buf[0] = cpu_to_le32(len);
2635 	buf[1] = cpu_to_le32(catdatum->value);
2636 	buf[2] = cpu_to_le32(catdatum->isalias);
2637 	rc = put_entry(buf, sizeof(u32), 3, fp);
2638 	if (rc)
2639 		return rc;
2640 
2641 	rc = put_entry(key, 1, len, fp);
2642 	if (rc)
2643 		return rc;
2644 
2645 	return 0;
2646 }
2647 
2648 static int role_trans_write(struct policydb *p, void *fp)
2649 {
2650 	struct role_trans *r = p->role_tr;
2651 	struct role_trans *tr;
2652 	u32 buf[3];
2653 	size_t nel;
2654 	int rc;
2655 
2656 	nel = 0;
2657 	for (tr = r; tr; tr = tr->next)
2658 		nel++;
2659 	buf[0] = cpu_to_le32(nel);
2660 	rc = put_entry(buf, sizeof(u32), 1, fp);
2661 	if (rc)
2662 		return rc;
2663 	for (tr = r; tr; tr = tr->next) {
2664 		buf[0] = cpu_to_le32(tr->role);
2665 		buf[1] = cpu_to_le32(tr->type);
2666 		buf[2] = cpu_to_le32(tr->new_role);
2667 		rc = put_entry(buf, sizeof(u32), 3, fp);
2668 		if (rc)
2669 			return rc;
2670 		if (p->policyvers >= POLICYDB_VERSION_ROLETRANS) {
2671 			buf[0] = cpu_to_le32(tr->tclass);
2672 			rc = put_entry(buf, sizeof(u32), 1, fp);
2673 			if (rc)
2674 				return rc;
2675 		}
2676 	}
2677 
2678 	return 0;
2679 }
2680 
2681 static int role_allow_write(struct role_allow *r, void *fp)
2682 {
2683 	struct role_allow *ra;
2684 	u32 buf[2];
2685 	size_t nel;
2686 	int rc;
2687 
2688 	nel = 0;
2689 	for (ra = r; ra; ra = ra->next)
2690 		nel++;
2691 	buf[0] = cpu_to_le32(nel);
2692 	rc = put_entry(buf, sizeof(u32), 1, fp);
2693 	if (rc)
2694 		return rc;
2695 	for (ra = r; ra; ra = ra->next) {
2696 		buf[0] = cpu_to_le32(ra->role);
2697 		buf[1] = cpu_to_le32(ra->new_role);
2698 		rc = put_entry(buf, sizeof(u32), 2, fp);
2699 		if (rc)
2700 			return rc;
2701 	}
2702 	return 0;
2703 }
2704 
2705 /*
2706  * Write a security context structure
2707  * to a policydb binary representation file.
2708  */
2709 static int context_write(struct policydb *p, struct context *c,
2710 			 void *fp)
2711 {
2712 	int rc;
2713 	__le32 buf[3];
2714 
2715 	buf[0] = cpu_to_le32(c->user);
2716 	buf[1] = cpu_to_le32(c->role);
2717 	buf[2] = cpu_to_le32(c->type);
2718 
2719 	rc = put_entry(buf, sizeof(u32), 3, fp);
2720 	if (rc)
2721 		return rc;
2722 
2723 	rc = mls_write_range_helper(&c->range, fp);
2724 	if (rc)
2725 		return rc;
2726 
2727 	return 0;
2728 }
2729 
2730 /*
2731  * The following *_write functions are used to
2732  * write the symbol data to a policy database
2733  * binary representation file.
2734  */
2735 
2736 static int perm_write(void *vkey, void *datum, void *fp)
2737 {
2738 	char *key = vkey;
2739 	struct perm_datum *perdatum = datum;
2740 	__le32 buf[2];
2741 	size_t len;
2742 	int rc;
2743 
2744 	len = strlen(key);
2745 	buf[0] = cpu_to_le32(len);
2746 	buf[1] = cpu_to_le32(perdatum->value);
2747 	rc = put_entry(buf, sizeof(u32), 2, fp);
2748 	if (rc)
2749 		return rc;
2750 
2751 	rc = put_entry(key, 1, len, fp);
2752 	if (rc)
2753 		return rc;
2754 
2755 	return 0;
2756 }
2757 
2758 static int common_write(void *vkey, void *datum, void *ptr)
2759 {
2760 	char *key = vkey;
2761 	struct common_datum *comdatum = datum;
2762 	struct policy_data *pd = ptr;
2763 	void *fp = pd->fp;
2764 	__le32 buf[4];
2765 	size_t len;
2766 	int rc;
2767 
2768 	len = strlen(key);
2769 	buf[0] = cpu_to_le32(len);
2770 	buf[1] = cpu_to_le32(comdatum->value);
2771 	buf[2] = cpu_to_le32(comdatum->permissions.nprim);
2772 	buf[3] = cpu_to_le32(comdatum->permissions.table->nel);
2773 	rc = put_entry(buf, sizeof(u32), 4, fp);
2774 	if (rc)
2775 		return rc;
2776 
2777 	rc = put_entry(key, 1, len, fp);
2778 	if (rc)
2779 		return rc;
2780 
2781 	rc = hashtab_map(comdatum->permissions.table, perm_write, fp);
2782 	if (rc)
2783 		return rc;
2784 
2785 	return 0;
2786 }
2787 
2788 static int type_set_write(struct type_set *t, void *fp)
2789 {
2790 	int rc;
2791 	__le32 buf[1];
2792 
2793 	if (ebitmap_write(&t->types, fp))
2794 		return -EINVAL;
2795 	if (ebitmap_write(&t->negset, fp))
2796 		return -EINVAL;
2797 
2798 	buf[0] = cpu_to_le32(t->flags);
2799 	rc = put_entry(buf, sizeof(u32), 1, fp);
2800 	if (rc)
2801 		return -EINVAL;
2802 
2803 	return 0;
2804 }
2805 
2806 static int write_cons_helper(struct policydb *p, struct constraint_node *node,
2807 			     void *fp)
2808 {
2809 	struct constraint_node *c;
2810 	struct constraint_expr *e;
2811 	__le32 buf[3];
2812 	u32 nel;
2813 	int rc;
2814 
2815 	for (c = node; c; c = c->next) {
2816 		nel = 0;
2817 		for (e = c->expr; e; e = e->next)
2818 			nel++;
2819 		buf[0] = cpu_to_le32(c->permissions);
2820 		buf[1] = cpu_to_le32(nel);
2821 		rc = put_entry(buf, sizeof(u32), 2, fp);
2822 		if (rc)
2823 			return rc;
2824 		for (e = c->expr; e; e = e->next) {
2825 			buf[0] = cpu_to_le32(e->expr_type);
2826 			buf[1] = cpu_to_le32(e->attr);
2827 			buf[2] = cpu_to_le32(e->op);
2828 			rc = put_entry(buf, sizeof(u32), 3, fp);
2829 			if (rc)
2830 				return rc;
2831 
2832 			switch (e->expr_type) {
2833 			case CEXPR_NAMES:
2834 				rc = ebitmap_write(&e->names, fp);
2835 				if (rc)
2836 					return rc;
2837 				if (p->policyvers >=
2838 					POLICYDB_VERSION_CONSTRAINT_NAMES) {
2839 					rc = type_set_write(e->type_names, fp);
2840 					if (rc)
2841 						return rc;
2842 				}
2843 				break;
2844 			default:
2845 				break;
2846 			}
2847 		}
2848 	}
2849 
2850 	return 0;
2851 }
2852 
2853 static int class_write(void *vkey, void *datum, void *ptr)
2854 {
2855 	char *key = vkey;
2856 	struct class_datum *cladatum = datum;
2857 	struct policy_data *pd = ptr;
2858 	void *fp = pd->fp;
2859 	struct policydb *p = pd->p;
2860 	struct constraint_node *c;
2861 	__le32 buf[6];
2862 	u32 ncons;
2863 	size_t len, len2;
2864 	int rc;
2865 
2866 	len = strlen(key);
2867 	if (cladatum->comkey)
2868 		len2 = strlen(cladatum->comkey);
2869 	else
2870 		len2 = 0;
2871 
2872 	ncons = 0;
2873 	for (c = cladatum->constraints; c; c = c->next)
2874 		ncons++;
2875 
2876 	buf[0] = cpu_to_le32(len);
2877 	buf[1] = cpu_to_le32(len2);
2878 	buf[2] = cpu_to_le32(cladatum->value);
2879 	buf[3] = cpu_to_le32(cladatum->permissions.nprim);
2880 	if (cladatum->permissions.table)
2881 		buf[4] = cpu_to_le32(cladatum->permissions.table->nel);
2882 	else
2883 		buf[4] = 0;
2884 	buf[5] = cpu_to_le32(ncons);
2885 	rc = put_entry(buf, sizeof(u32), 6, fp);
2886 	if (rc)
2887 		return rc;
2888 
2889 	rc = put_entry(key, 1, len, fp);
2890 	if (rc)
2891 		return rc;
2892 
2893 	if (cladatum->comkey) {
2894 		rc = put_entry(cladatum->comkey, 1, len2, fp);
2895 		if (rc)
2896 			return rc;
2897 	}
2898 
2899 	rc = hashtab_map(cladatum->permissions.table, perm_write, fp);
2900 	if (rc)
2901 		return rc;
2902 
2903 	rc = write_cons_helper(p, cladatum->constraints, fp);
2904 	if (rc)
2905 		return rc;
2906 
2907 	/* write out the validatetrans rule */
2908 	ncons = 0;
2909 	for (c = cladatum->validatetrans; c; c = c->next)
2910 		ncons++;
2911 
2912 	buf[0] = cpu_to_le32(ncons);
2913 	rc = put_entry(buf, sizeof(u32), 1, fp);
2914 	if (rc)
2915 		return rc;
2916 
2917 	rc = write_cons_helper(p, cladatum->validatetrans, fp);
2918 	if (rc)
2919 		return rc;
2920 
2921 	if (p->policyvers >= POLICYDB_VERSION_NEW_OBJECT_DEFAULTS) {
2922 		buf[0] = cpu_to_le32(cladatum->default_user);
2923 		buf[1] = cpu_to_le32(cladatum->default_role);
2924 		buf[2] = cpu_to_le32(cladatum->default_range);
2925 
2926 		rc = put_entry(buf, sizeof(uint32_t), 3, fp);
2927 		if (rc)
2928 			return rc;
2929 	}
2930 
2931 	if (p->policyvers >= POLICYDB_VERSION_DEFAULT_TYPE) {
2932 		buf[0] = cpu_to_le32(cladatum->default_type);
2933 		rc = put_entry(buf, sizeof(uint32_t), 1, fp);
2934 		if (rc)
2935 			return rc;
2936 	}
2937 
2938 	return 0;
2939 }
2940 
2941 static int role_write(void *vkey, void *datum, void *ptr)
2942 {
2943 	char *key = vkey;
2944 	struct role_datum *role = datum;
2945 	struct policy_data *pd = ptr;
2946 	void *fp = pd->fp;
2947 	struct policydb *p = pd->p;
2948 	__le32 buf[3];
2949 	size_t items, len;
2950 	int rc;
2951 
2952 	len = strlen(key);
2953 	items = 0;
2954 	buf[items++] = cpu_to_le32(len);
2955 	buf[items++] = cpu_to_le32(role->value);
2956 	if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
2957 		buf[items++] = cpu_to_le32(role->bounds);
2958 
2959 	BUG_ON(items > ARRAY_SIZE(buf));
2960 
2961 	rc = put_entry(buf, sizeof(u32), items, fp);
2962 	if (rc)
2963 		return rc;
2964 
2965 	rc = put_entry(key, 1, len, fp);
2966 	if (rc)
2967 		return rc;
2968 
2969 	rc = ebitmap_write(&role->dominates, fp);
2970 	if (rc)
2971 		return rc;
2972 
2973 	rc = ebitmap_write(&role->types, fp);
2974 	if (rc)
2975 		return rc;
2976 
2977 	return 0;
2978 }
2979 
2980 static int type_write(void *vkey, void *datum, void *ptr)
2981 {
2982 	char *key = vkey;
2983 	struct type_datum *typdatum = datum;
2984 	struct policy_data *pd = ptr;
2985 	struct policydb *p = pd->p;
2986 	void *fp = pd->fp;
2987 	__le32 buf[4];
2988 	int rc;
2989 	size_t items, len;
2990 
2991 	len = strlen(key);
2992 	items = 0;
2993 	buf[items++] = cpu_to_le32(len);
2994 	buf[items++] = cpu_to_le32(typdatum->value);
2995 	if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) {
2996 		u32 properties = 0;
2997 
2998 		if (typdatum->primary)
2999 			properties |= TYPEDATUM_PROPERTY_PRIMARY;
3000 
3001 		if (typdatum->attribute)
3002 			properties |= TYPEDATUM_PROPERTY_ATTRIBUTE;
3003 
3004 		buf[items++] = cpu_to_le32(properties);
3005 		buf[items++] = cpu_to_le32(typdatum->bounds);
3006 	} else {
3007 		buf[items++] = cpu_to_le32(typdatum->primary);
3008 	}
3009 	BUG_ON(items > ARRAY_SIZE(buf));
3010 	rc = put_entry(buf, sizeof(u32), items, fp);
3011 	if (rc)
3012 		return rc;
3013 
3014 	rc = put_entry(key, 1, len, fp);
3015 	if (rc)
3016 		return rc;
3017 
3018 	return 0;
3019 }
3020 
3021 static int user_write(void *vkey, void *datum, void *ptr)
3022 {
3023 	char *key = vkey;
3024 	struct user_datum *usrdatum = datum;
3025 	struct policy_data *pd = ptr;
3026 	struct policydb *p = pd->p;
3027 	void *fp = pd->fp;
3028 	__le32 buf[3];
3029 	size_t items, len;
3030 	int rc;
3031 
3032 	len = strlen(key);
3033 	items = 0;
3034 	buf[items++] = cpu_to_le32(len);
3035 	buf[items++] = cpu_to_le32(usrdatum->value);
3036 	if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
3037 		buf[items++] = cpu_to_le32(usrdatum->bounds);
3038 	BUG_ON(items > ARRAY_SIZE(buf));
3039 	rc = put_entry(buf, sizeof(u32), items, fp);
3040 	if (rc)
3041 		return rc;
3042 
3043 	rc = put_entry(key, 1, len, fp);
3044 	if (rc)
3045 		return rc;
3046 
3047 	rc = ebitmap_write(&usrdatum->roles, fp);
3048 	if (rc)
3049 		return rc;
3050 
3051 	rc = mls_write_range_helper(&usrdatum->range, fp);
3052 	if (rc)
3053 		return rc;
3054 
3055 	rc = mls_write_level(&usrdatum->dfltlevel, fp);
3056 	if (rc)
3057 		return rc;
3058 
3059 	return 0;
3060 }
3061 
3062 static int (*write_f[SYM_NUM]) (void *key, void *datum,
3063 				void *datap) =
3064 {
3065 	common_write,
3066 	class_write,
3067 	role_write,
3068 	type_write,
3069 	user_write,
3070 	cond_write_bool,
3071 	sens_write,
3072 	cat_write,
3073 };
3074 
3075 static int ocontext_write(struct policydb *p, struct policydb_compat_info *info,
3076 			  void *fp)
3077 {
3078 	unsigned int i, j, rc;
3079 	size_t nel, len;
3080 	__be64 prefixbuf[1];
3081 	__le32 buf[3];
3082 	u32 nodebuf[8];
3083 	struct ocontext *c;
3084 	for (i = 0; i < info->ocon_num; i++) {
3085 		nel = 0;
3086 		for (c = p->ocontexts[i]; c; c = c->next)
3087 			nel++;
3088 		buf[0] = cpu_to_le32(nel);
3089 		rc = put_entry(buf, sizeof(u32), 1, fp);
3090 		if (rc)
3091 			return rc;
3092 		for (c = p->ocontexts[i]; c; c = c->next) {
3093 			switch (i) {
3094 			case OCON_ISID:
3095 				buf[0] = cpu_to_le32(c->sid[0]);
3096 				rc = put_entry(buf, sizeof(u32), 1, fp);
3097 				if (rc)
3098 					return rc;
3099 				rc = context_write(p, &c->context[0], fp);
3100 				if (rc)
3101 					return rc;
3102 				break;
3103 			case OCON_FS:
3104 			case OCON_NETIF:
3105 				len = strlen(c->u.name);
3106 				buf[0] = cpu_to_le32(len);
3107 				rc = put_entry(buf, sizeof(u32), 1, fp);
3108 				if (rc)
3109 					return rc;
3110 				rc = put_entry(c->u.name, 1, len, fp);
3111 				if (rc)
3112 					return rc;
3113 				rc = context_write(p, &c->context[0], fp);
3114 				if (rc)
3115 					return rc;
3116 				rc = context_write(p, &c->context[1], fp);
3117 				if (rc)
3118 					return rc;
3119 				break;
3120 			case OCON_PORT:
3121 				buf[0] = cpu_to_le32(c->u.port.protocol);
3122 				buf[1] = cpu_to_le32(c->u.port.low_port);
3123 				buf[2] = cpu_to_le32(c->u.port.high_port);
3124 				rc = put_entry(buf, sizeof(u32), 3, fp);
3125 				if (rc)
3126 					return rc;
3127 				rc = context_write(p, &c->context[0], fp);
3128 				if (rc)
3129 					return rc;
3130 				break;
3131 			case OCON_NODE:
3132 				nodebuf[0] = c->u.node.addr; /* network order */
3133 				nodebuf[1] = c->u.node.mask; /* network order */
3134 				rc = put_entry(nodebuf, sizeof(u32), 2, fp);
3135 				if (rc)
3136 					return rc;
3137 				rc = context_write(p, &c->context[0], fp);
3138 				if (rc)
3139 					return rc;
3140 				break;
3141 			case OCON_FSUSE:
3142 				buf[0] = cpu_to_le32(c->v.behavior);
3143 				len = strlen(c->u.name);
3144 				buf[1] = cpu_to_le32(len);
3145 				rc = put_entry(buf, sizeof(u32), 2, fp);
3146 				if (rc)
3147 					return rc;
3148 				rc = put_entry(c->u.name, 1, len, fp);
3149 				if (rc)
3150 					return rc;
3151 				rc = context_write(p, &c->context[0], fp);
3152 				if (rc)
3153 					return rc;
3154 				break;
3155 			case OCON_NODE6:
3156 				for (j = 0; j < 4; j++)
3157 					nodebuf[j] = c->u.node6.addr[j]; /* network order */
3158 				for (j = 0; j < 4; j++)
3159 					nodebuf[j + 4] = c->u.node6.mask[j]; /* network order */
3160 				rc = put_entry(nodebuf, sizeof(u32), 8, fp);
3161 				if (rc)
3162 					return rc;
3163 				rc = context_write(p, &c->context[0], fp);
3164 				if (rc)
3165 					return rc;
3166 				break;
3167 			case OCON_IBPKEY:
3168 				/* subnet_prefix is in CPU order */
3169 				prefixbuf[0] = cpu_to_be64(c->u.ibpkey.subnet_prefix);
3170 
3171 				rc = put_entry(prefixbuf, sizeof(u64), 1, fp);
3172 				if (rc)
3173 					return rc;
3174 
3175 				buf[0] = cpu_to_le32(c->u.ibpkey.low_pkey);
3176 				buf[1] = cpu_to_le32(c->u.ibpkey.high_pkey);
3177 
3178 				rc = put_entry(buf, sizeof(u32), 2, fp);
3179 				if (rc)
3180 					return rc;
3181 				rc = context_write(p, &c->context[0], fp);
3182 				if (rc)
3183 					return rc;
3184 				break;
3185 			case OCON_IBENDPORT:
3186 				len = strlen(c->u.ibendport.dev_name);
3187 				buf[0] = cpu_to_le32(len);
3188 				buf[1] = cpu_to_le32(c->u.ibendport.port);
3189 				rc = put_entry(buf, sizeof(u32), 2, fp);
3190 				if (rc)
3191 					return rc;
3192 				rc = put_entry(c->u.ibendport.dev_name, 1, len, fp);
3193 				if (rc)
3194 					return rc;
3195 				rc = context_write(p, &c->context[0], fp);
3196 				if (rc)
3197 					return rc;
3198 				break;
3199 			}
3200 		}
3201 	}
3202 	return 0;
3203 }
3204 
3205 static int genfs_write(struct policydb *p, void *fp)
3206 {
3207 	struct genfs *genfs;
3208 	struct ocontext *c;
3209 	size_t len;
3210 	__le32 buf[1];
3211 	int rc;
3212 
3213 	len = 0;
3214 	for (genfs = p->genfs; genfs; genfs = genfs->next)
3215 		len++;
3216 	buf[0] = cpu_to_le32(len);
3217 	rc = put_entry(buf, sizeof(u32), 1, fp);
3218 	if (rc)
3219 		return rc;
3220 	for (genfs = p->genfs; genfs; genfs = genfs->next) {
3221 		len = strlen(genfs->fstype);
3222 		buf[0] = cpu_to_le32(len);
3223 		rc = put_entry(buf, sizeof(u32), 1, fp);
3224 		if (rc)
3225 			return rc;
3226 		rc = put_entry(genfs->fstype, 1, len, fp);
3227 		if (rc)
3228 			return rc;
3229 		len = 0;
3230 		for (c = genfs->head; c; c = c->next)
3231 			len++;
3232 		buf[0] = cpu_to_le32(len);
3233 		rc = put_entry(buf, sizeof(u32), 1, fp);
3234 		if (rc)
3235 			return rc;
3236 		for (c = genfs->head; c; c = c->next) {
3237 			len = strlen(c->u.name);
3238 			buf[0] = cpu_to_le32(len);
3239 			rc = put_entry(buf, sizeof(u32), 1, fp);
3240 			if (rc)
3241 				return rc;
3242 			rc = put_entry(c->u.name, 1, len, fp);
3243 			if (rc)
3244 				return rc;
3245 			buf[0] = cpu_to_le32(c->v.sclass);
3246 			rc = put_entry(buf, sizeof(u32), 1, fp);
3247 			if (rc)
3248 				return rc;
3249 			rc = context_write(p, &c->context[0], fp);
3250 			if (rc)
3251 				return rc;
3252 		}
3253 	}
3254 	return 0;
3255 }
3256 
3257 static int hashtab_cnt(void *key, void *data, void *ptr)
3258 {
3259 	int *cnt = ptr;
3260 	*cnt = *cnt + 1;
3261 
3262 	return 0;
3263 }
3264 
3265 static int range_write_helper(void *key, void *data, void *ptr)
3266 {
3267 	__le32 buf[2];
3268 	struct range_trans *rt = key;
3269 	struct mls_range *r = data;
3270 	struct policy_data *pd = ptr;
3271 	void *fp = pd->fp;
3272 	struct policydb *p = pd->p;
3273 	int rc;
3274 
3275 	buf[0] = cpu_to_le32(rt->source_type);
3276 	buf[1] = cpu_to_le32(rt->target_type);
3277 	rc = put_entry(buf, sizeof(u32), 2, fp);
3278 	if (rc)
3279 		return rc;
3280 	if (p->policyvers >= POLICYDB_VERSION_RANGETRANS) {
3281 		buf[0] = cpu_to_le32(rt->target_class);
3282 		rc = put_entry(buf, sizeof(u32), 1, fp);
3283 		if (rc)
3284 			return rc;
3285 	}
3286 	rc = mls_write_range_helper(r, fp);
3287 	if (rc)
3288 		return rc;
3289 
3290 	return 0;
3291 }
3292 
3293 static int range_write(struct policydb *p, void *fp)
3294 {
3295 	__le32 buf[1];
3296 	int rc, nel;
3297 	struct policy_data pd;
3298 
3299 	pd.p = p;
3300 	pd.fp = fp;
3301 
3302 	/* count the number of entries in the hashtab */
3303 	nel = 0;
3304 	rc = hashtab_map(p->range_tr, hashtab_cnt, &nel);
3305 	if (rc)
3306 		return rc;
3307 
3308 	buf[0] = cpu_to_le32(nel);
3309 	rc = put_entry(buf, sizeof(u32), 1, fp);
3310 	if (rc)
3311 		return rc;
3312 
3313 	/* actually write all of the entries */
3314 	rc = hashtab_map(p->range_tr, range_write_helper, &pd);
3315 	if (rc)
3316 		return rc;
3317 
3318 	return 0;
3319 }
3320 
3321 static int filename_write_helper(void *key, void *data, void *ptr)
3322 {
3323 	__le32 buf[4];
3324 	struct filename_trans *ft = key;
3325 	struct filename_trans_datum *otype = data;
3326 	void *fp = ptr;
3327 	int rc;
3328 	u32 len;
3329 
3330 	len = strlen(ft->name);
3331 	buf[0] = cpu_to_le32(len);
3332 	rc = put_entry(buf, sizeof(u32), 1, fp);
3333 	if (rc)
3334 		return rc;
3335 
3336 	rc = put_entry(ft->name, sizeof(char), len, fp);
3337 	if (rc)
3338 		return rc;
3339 
3340 	buf[0] = cpu_to_le32(ft->stype);
3341 	buf[1] = cpu_to_le32(ft->ttype);
3342 	buf[2] = cpu_to_le32(ft->tclass);
3343 	buf[3] = cpu_to_le32(otype->otype);
3344 
3345 	rc = put_entry(buf, sizeof(u32), 4, fp);
3346 	if (rc)
3347 		return rc;
3348 
3349 	return 0;
3350 }
3351 
3352 static int filename_trans_write(struct policydb *p, void *fp)
3353 {
3354 	u32 nel;
3355 	__le32 buf[1];
3356 	int rc;
3357 
3358 	if (p->policyvers < POLICYDB_VERSION_FILENAME_TRANS)
3359 		return 0;
3360 
3361 	nel = 0;
3362 	rc = hashtab_map(p->filename_trans, hashtab_cnt, &nel);
3363 	if (rc)
3364 		return rc;
3365 
3366 	buf[0] = cpu_to_le32(nel);
3367 	rc = put_entry(buf, sizeof(u32), 1, fp);
3368 	if (rc)
3369 		return rc;
3370 
3371 	rc = hashtab_map(p->filename_trans, filename_write_helper, fp);
3372 	if (rc)
3373 		return rc;
3374 
3375 	return 0;
3376 }
3377 
3378 /*
3379  * Write the configuration data in a policy database
3380  * structure to a policy database binary representation
3381  * file.
3382  */
3383 int policydb_write(struct policydb *p, void *fp)
3384 {
3385 	unsigned int i, num_syms;
3386 	int rc;
3387 	__le32 buf[4];
3388 	u32 config;
3389 	size_t len;
3390 	struct policydb_compat_info *info;
3391 
3392 	/*
3393 	 * refuse to write policy older than compressed avtab
3394 	 * to simplify the writer.  There are other tests dropped
3395 	 * since we assume this throughout the writer code.  Be
3396 	 * careful if you ever try to remove this restriction
3397 	 */
3398 	if (p->policyvers < POLICYDB_VERSION_AVTAB) {
3399 		pr_err("SELinux: refusing to write policy version %d."
3400 		       "  Because it is less than version %d\n", p->policyvers,
3401 		       POLICYDB_VERSION_AVTAB);
3402 		return -EINVAL;
3403 	}
3404 
3405 	config = 0;
3406 	if (p->mls_enabled)
3407 		config |= POLICYDB_CONFIG_MLS;
3408 
3409 	if (p->reject_unknown)
3410 		config |= REJECT_UNKNOWN;
3411 	if (p->allow_unknown)
3412 		config |= ALLOW_UNKNOWN;
3413 
3414 	/* Write the magic number and string identifiers. */
3415 	buf[0] = cpu_to_le32(POLICYDB_MAGIC);
3416 	len = strlen(POLICYDB_STRING);
3417 	buf[1] = cpu_to_le32(len);
3418 	rc = put_entry(buf, sizeof(u32), 2, fp);
3419 	if (rc)
3420 		return rc;
3421 	rc = put_entry(POLICYDB_STRING, 1, len, fp);
3422 	if (rc)
3423 		return rc;
3424 
3425 	/* Write the version, config, and table sizes. */
3426 	info = policydb_lookup_compat(p->policyvers);
3427 	if (!info) {
3428 		pr_err("SELinux: compatibility lookup failed for policy "
3429 		    "version %d", p->policyvers);
3430 		return -EINVAL;
3431 	}
3432 
3433 	buf[0] = cpu_to_le32(p->policyvers);
3434 	buf[1] = cpu_to_le32(config);
3435 	buf[2] = cpu_to_le32(info->sym_num);
3436 	buf[3] = cpu_to_le32(info->ocon_num);
3437 
3438 	rc = put_entry(buf, sizeof(u32), 4, fp);
3439 	if (rc)
3440 		return rc;
3441 
3442 	if (p->policyvers >= POLICYDB_VERSION_POLCAP) {
3443 		rc = ebitmap_write(&p->policycaps, fp);
3444 		if (rc)
3445 			return rc;
3446 	}
3447 
3448 	if (p->policyvers >= POLICYDB_VERSION_PERMISSIVE) {
3449 		rc = ebitmap_write(&p->permissive_map, fp);
3450 		if (rc)
3451 			return rc;
3452 	}
3453 
3454 	num_syms = info->sym_num;
3455 	for (i = 0; i < num_syms; i++) {
3456 		struct policy_data pd;
3457 
3458 		pd.fp = fp;
3459 		pd.p = p;
3460 
3461 		buf[0] = cpu_to_le32(p->symtab[i].nprim);
3462 		buf[1] = cpu_to_le32(p->symtab[i].table->nel);
3463 
3464 		rc = put_entry(buf, sizeof(u32), 2, fp);
3465 		if (rc)
3466 			return rc;
3467 		rc = hashtab_map(p->symtab[i].table, write_f[i], &pd);
3468 		if (rc)
3469 			return rc;
3470 	}
3471 
3472 	rc = avtab_write(p, &p->te_avtab, fp);
3473 	if (rc)
3474 		return rc;
3475 
3476 	rc = cond_write_list(p, p->cond_list, fp);
3477 	if (rc)
3478 		return rc;
3479 
3480 	rc = role_trans_write(p, fp);
3481 	if (rc)
3482 		return rc;
3483 
3484 	rc = role_allow_write(p->role_allow, fp);
3485 	if (rc)
3486 		return rc;
3487 
3488 	rc = filename_trans_write(p, fp);
3489 	if (rc)
3490 		return rc;
3491 
3492 	rc = ocontext_write(p, info, fp);
3493 	if (rc)
3494 		return rc;
3495 
3496 	rc = genfs_write(p, fp);
3497 	if (rc)
3498 		return rc;
3499 
3500 	rc = range_write(p, fp);
3501 	if (rc)
3502 		return rc;
3503 
3504 	for (i = 0; i < p->p_types.nprim; i++) {
3505 		struct ebitmap *e = &p->type_attr_map_array[i];
3506 
3507 		rc = ebitmap_write(e, fp);
3508 		if (rc)
3509 			return rc;
3510 	}
3511 
3512 	return 0;
3513 }
3514