2
/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */
4
/* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
6
* Added conditional policy language extensions
8
* Copyright (C) 2003 - 2004 Tresys Technology, LLC
9
* This program is free software; you can redistribute it and/or modify
10
* it under the terms of the GNU General Public License as published by
11
* the Free Software Foundation, version 2.
17
* Implementation of the policy database.
22
#include "conditional.h"
24
/* These need to be updated if SYM_NUM or OCON_NUM changes */
25
struct policydb_compat_info policydb_compat[] = {
27
.version = POLICYDB_VERSION_BASE,
28
.sym_num = SYM_NUM - 1,
29
.ocon_num = OCON_NUM - 1,
32
.version = POLICYDB_VERSION_BOOL,
34
.ocon_num = OCON_NUM - 1,
37
.version = POLICYDB_VERSION_IPV6,
44
static char *symtab_name[SYM_NUM] = {
56
static unsigned int symtab_sizes[SYM_NUM] = {
66
struct policydb_compat_info *policydb_lookup_compat(int version)
69
struct policydb_compat_info *info = NULL;
71
for (i = 0; i < sizeof(policydb_compat)/sizeof(*info); i++) {
72
if (policydb_compat[i].version == version) {
73
info = &policydb_compat[i];
81
* Initialize the role table.
83
int roles_init(policydb_t *p)
89
role = kmalloc(sizeof(role_datum_t),GFP_KERNEL);
94
memset(role, 0, sizeof(role_datum_t));
95
role->value = ++p->p_roles.nprim;
96
if (role->value != OBJECT_R_VAL) {
100
key = kmalloc(strlen(OBJECT_R)+1,GFP_KERNEL);
105
strcpy(key, OBJECT_R);
106
rc = hashtab_insert(p->p_roles.table, key, role);
121
* Initialize a policy database structure.
123
int policydb_init(policydb_t * p)
127
memset(p, 0, sizeof(policydb_t));
129
for (i = 0; i < SYM_NUM; i++) {
130
p->sym_val_to_name[i] = NULL;
131
rc = symtab_init(&p->symtab[i], symtab_sizes[i]);
133
goto out_free_symtab;
136
rc = avtab_init(&p->te_avtab);
138
goto out_free_symtab;
144
rc = cond_policydb_init(p);
151
avtab_destroy(&p->te_avtab);
154
for (i = 0; i < SYM_NUM; i++)
155
hashtab_destroy(p->symtab[i].table);
161
* The following *_index functions are used to
162
* define the val_to_name and val_to_struct arrays
163
* in a policy database structure. The val_to_name
164
* arrays are used when converting security context
165
* structures into string representations. The
166
* val_to_struct arrays are used when the attributes
167
* of a class, role, or user are needed.
170
static int common_index(hashtab_key_t key, hashtab_datum_t datum, void *datap)
173
common_datum_t *comdatum;
176
comdatum = (common_datum_t *) datum;
177
p = (policydb_t *) datap;
178
if (!comdatum->value || comdatum->value > p->p_commons.nprim)
180
p->p_common_val_to_name[comdatum->value - 1] = (char *) key;
186
static int class_index(hashtab_key_t key, hashtab_datum_t datum, void *datap)
189
class_datum_t *cladatum;
192
cladatum = (class_datum_t *) datum;
193
p = (policydb_t *) datap;
194
if (!cladatum->value || cladatum->value > p->p_classes.nprim)
196
p->p_class_val_to_name[cladatum->value - 1] = (char *) key;
197
p->class_val_to_struct[cladatum->value - 1] = cladatum;
203
static int role_index(hashtab_key_t key, hashtab_datum_t datum, void *datap)
209
role = (role_datum_t *) datum;
210
p = (policydb_t *) datap;
211
if (!role->value || role->value > p->p_roles.nprim)
213
p->p_role_val_to_name[role->value - 1] = (char *) key;
214
p->role_val_to_struct[role->value - 1] = role;
220
static int type_index(hashtab_key_t key, hashtab_datum_t datum, void *datap)
223
type_datum_t *typdatum;
226
typdatum = (type_datum_t *) datum;
227
p = (policydb_t *) datap;
229
if (typdatum->primary) {
230
if (!typdatum->value || typdatum->value > p->p_types.nprim)
232
p->p_type_val_to_name[typdatum->value - 1] = (char *) key;
238
static int user_index(hashtab_key_t key, hashtab_datum_t datum, void *datap)
241
user_datum_t *usrdatum;
244
usrdatum = (user_datum_t *) datum;
245
p = (policydb_t *) datap;
247
if (!usrdatum->value || usrdatum->value > p->p_users.nprim)
250
p->p_user_val_to_name[usrdatum->value - 1] = (char *) key;
251
p->user_val_to_struct[usrdatum->value - 1] = usrdatum;
256
static int (*index_f[SYM_NUM]) (hashtab_key_t key, hashtab_datum_t datum, void *datap) =
269
* Define the common val_to_name array and the class
270
* val_to_name and val_to_struct arrays in a policy
271
* database structure.
273
int policydb_index_classes(policydb_t * p)
275
p->p_common_val_to_name = (char **)
276
kmalloc(p->p_commons.nprim * sizeof(char *),GFP_KERNEL);
277
if (!p->p_common_val_to_name)
280
if (hashtab_map(p->p_commons.table, common_index, p))
283
p->class_val_to_struct = (class_datum_t **)
284
kmalloc(p->p_classes.nprim * sizeof(class_datum_t *),GFP_KERNEL);
285
if (!p->class_val_to_struct)
288
p->p_class_val_to_name = (char **)
289
kmalloc(p->p_classes.nprim * sizeof(char *),GFP_KERNEL);
290
if (!p->p_class_val_to_name)
293
if (hashtab_map(p->p_classes.table, class_index, p))
299
int policydb_index_bools(policydb_t * p)
302
if (cond_init_bool_indexes(p) == -1)
304
p->p_bool_val_to_name = (char **)
305
kmalloc(p->p_bools.nprim * sizeof(char *),GFP_KERNEL);
306
if (!p->p_bool_val_to_name)
317
* Define the other val_to_name and val_to_struct arrays
318
* in a policy database structure.
320
int policydb_index_others(policydb_t * p)
325
printk("security: %d users, %d roles, %d types, %d bools",
326
p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim, p->p_bools.nprim);
327
mls_policydb_index_others(p);
330
printk("security: %d classes, %d rules\n",
331
p->p_classes.nprim, p->te_avtab.nel);
334
avtab_hash_eval(&p->te_avtab, "rules");
335
for (i = 0; i < SYM_NUM; i++)
336
hashtab_hash_eval(p->symtab[i].table, symtab_name[i]);
339
p->role_val_to_struct = (role_datum_t **)
340
kmalloc(p->p_roles.nprim * sizeof(role_datum_t *),GFP_KERNEL);
341
if (!p->role_val_to_struct)
344
p->user_val_to_struct = (user_datum_t **)
345
kmalloc(p->p_users.nprim * sizeof(user_datum_t *),GFP_KERNEL);
346
if (!p->user_val_to_struct)
349
cond_init_bool_indexes(p);
351
for (i = SYM_ROLES; i < SYM_NUM; i++) {
352
if (p->sym_val_to_name[i])
353
kfree(p->sym_val_to_name[i]);
354
p->sym_val_to_name[i] = (char **)
355
kmalloc(p->symtab[i].nprim * sizeof(char *),GFP_KERNEL);
356
if (!p->sym_val_to_name[i])
358
if (hashtab_map(p->symtab[i].table, index_f[i], p))
367
* The following *_destroy functions are used to
368
* free any memory allocated for each kind of
369
* symbol data in the policy database.
372
static int perm_destroy(hashtab_key_t key, hashtab_datum_t datum, void *p __attribute__ ((unused)))
381
static int common_destroy(hashtab_key_t key, hashtab_datum_t datum, void *p __attribute__ ((unused)))
383
common_datum_t *comdatum;
387
comdatum = (common_datum_t *) datum;
388
hashtab_map(comdatum->permissions.table, perm_destroy, 0);
389
hashtab_destroy(comdatum->permissions.table);
395
static int class_destroy(hashtab_key_t key, hashtab_datum_t datum, void *p __attribute__ ((unused)))
397
class_datum_t *cladatum;
398
constraint_node_t *constraint, *ctemp;
399
constraint_expr_t *e, *etmp;
403
cladatum = (class_datum_t *) datum;
404
hashtab_map(cladatum->permissions.table, perm_destroy, 0);
405
hashtab_destroy(cladatum->permissions.table);
406
constraint = cladatum->constraints;
408
e = constraint->expr;
410
ebitmap_destroy(&e->names);
416
constraint = constraint->next;
419
if (cladatum->comkey)
420
kfree(cladatum->comkey);
425
static int role_destroy(hashtab_key_t key, hashtab_datum_t datum, void *p __attribute__ ((unused)))
431
role = (role_datum_t *) datum;
432
ebitmap_destroy(&role->dominates);
433
ebitmap_destroy(&role->types);
438
static int type_destroy(hashtab_key_t key, hashtab_datum_t datum, void *p __attribute__ ((unused)))
446
static int user_destroy(hashtab_key_t key, hashtab_datum_t datum, void *p __attribute__ ((unused)))
448
user_datum_t *usrdatum;
452
usrdatum = (user_datum_t *) datum;
453
ebitmap_destroy(&usrdatum->roles);
454
mls_user_destroy(usrdatum);
460
static int (*destroy_f[SYM_NUM]) (hashtab_key_t key, hashtab_datum_t datum, void *datap) =
473
* Free any memory allocated by a policy database structure.
475
void policydb_destroy(policydb_t * p)
477
ocontext_t *c, *ctmp;
481
for (i = 0; i < SYM_NUM; i++) {
482
hashtab_map(p->symtab[i].table, destroy_f[i], 0);
483
hashtab_destroy(p->symtab[i].table);
486
for (i = 0; i < SYM_NUM; i++) {
487
if (p->sym_val_to_name[i])
488
kfree(p->sym_val_to_name[i]);
491
if (p->class_val_to_struct)
492
kfree(p->class_val_to_struct);
493
if (p->role_val_to_struct)
494
kfree(p->role_val_to_struct);
495
if (p->user_val_to_struct)
496
kfree(p->user_val_to_struct);
498
avtab_destroy(&p->te_avtab);
500
for (i = 0; i < OCON_NUM; i++) {
505
context_destroy(&ctmp->context[0]);
506
context_destroy(&ctmp->context[1]);
507
if (i == OCON_ISID || i == OCON_FS || i == OCON_NETIF || i == OCON_FSUSE)
520
context_destroy(&ctmp->context[0]);
528
cond_policydb_destroy(p);
534
* Load the initial SIDs specified in a policy database
535
* structure into a SID table.
537
int policydb_load_isids(policydb_t *p, sidtab_t *s)
539
ocontext_t *head, *c;
541
if (sidtab_init(s)) {
542
printk("security: out of memory on SID table init\n");
546
head = p->ocontexts[OCON_ISID];
547
for (c = head; c; c = c->next) {
548
if (!c->context[0].user) {
549
printk("security: SID %s was never defined.\n",
553
if (sidtab_insert(s, c->sid[0], &c->context[0])) {
554
printk("security: unable to load initial SID %s.\n",
565
* Return 1 if the fields in the security context
566
* structure `c' are valid. Return 0 otherwise.
568
int policydb_context_isvalid(policydb_t *p, context_struct_t *c)
571
user_datum_t *usrdatum;
574
if (!c->role || c->role > p->p_roles.nprim)
577
if (!c->user || c->user > p->p_users.nprim)
580
if (!c->type || c->type > p->p_types.nprim)
583
if (c->role != OBJECT_R_VAL) {
585
* Role must be authorized for the type.
587
role = p->role_val_to_struct[c->role - 1];
588
if (!ebitmap_get_bit(&role->types,
590
/* role may not be associated with type */
594
* User must be authorized for the role.
596
usrdatum = p->user_val_to_struct[c->user - 1];
600
if (!ebitmap_get_bit(&usrdatum->roles,
602
/* user may not be associated with role */
606
if (!mls_context_isvalid(p, c))
614
* Read and validate a security context structure
615
* from a policydb binary representation file.
617
static int context_read_and_validate(context_struct_t * c,
619
struct policy_file * fp)
623
buf = next_entry(fp, sizeof(__u32)*3);
625
printk("security: context truncated\n");
628
c->user = le32_to_cpu(buf[0]);
629
c->role = le32_to_cpu(buf[1]);
630
c->type = le32_to_cpu(buf[2]);
631
if (mls_read_range(c, fp)) {
632
printk("security: error reading MLS range of context\n");
636
if (!policydb_context_isvalid(p, c)) {
637
printk("security: invalid security context\n");
646
* The following *_read functions are used to
647
* read the symbol data from a policy database
648
* binary representation file.
651
static int perm_read(policydb_t * p __attribute__ ((unused)), hashtab_t h, struct policy_file * fp)
654
perm_datum_t *perdatum;
658
perdatum = kmalloc(sizeof(perm_datum_t),GFP_KERNEL);
661
memset(perdatum, 0, sizeof(perm_datum_t));
663
buf = next_entry(fp, sizeof(__u32)*2);
667
len = le32_to_cpu(buf[0]);
668
perdatum->value = le32_to_cpu(buf[1]);
669
if (mls_read_perm(perdatum, fp))
672
buf = next_entry(fp, len);
675
key = kmalloc(len + 1,GFP_KERNEL);
678
memcpy(key, buf, len);
681
if (hashtab_insert(h, key, perdatum))
687
perm_destroy(key, perdatum, NULL);
692
static int common_read(policydb_t * p, hashtab_t h, struct policy_file * fp)
695
common_datum_t *comdatum;
700
comdatum = kmalloc(sizeof(common_datum_t),GFP_KERNEL);
703
memset(comdatum, 0, sizeof(common_datum_t));
705
buf = next_entry(fp, sizeof(__u32)*4);
709
len = le32_to_cpu(buf[0]);
710
comdatum->value = le32_to_cpu(buf[1]);
712
if (symtab_init(&comdatum->permissions, PERM_SYMTAB_SIZE))
714
comdatum->permissions.nprim = le32_to_cpu(buf[2]);
715
nel = le32_to_cpu(buf[3]);
717
buf = next_entry(fp, len);
720
key = kmalloc(len + 1,GFP_KERNEL);
723
memcpy(key, buf, len);
726
for (i = 0; i < nel; i++) {
727
if (perm_read(p, comdatum->permissions.table, fp))
731
if (hashtab_insert(h, key, comdatum))
737
common_destroy(key, comdatum, NULL);
742
static int class_read(policydb_t * p, hashtab_t h, struct policy_file * fp)
745
class_datum_t *cladatum;
746
constraint_node_t *c, *lc;
747
constraint_expr_t *e, *le;
749
size_t len, len2, ncons, nexpr, nel;
753
cladatum = (class_datum_t *) kmalloc(sizeof(class_datum_t),GFP_KERNEL);
756
memset(cladatum, 0, sizeof(class_datum_t));
758
buf = next_entry(fp, sizeof(__u32)*6);
762
len = le32_to_cpu(buf[0]);
763
len2 = le32_to_cpu(buf[1]);
764
cladatum->value = le32_to_cpu(buf[2]);
766
if (symtab_init(&cladatum->permissions, PERM_SYMTAB_SIZE))
768
cladatum->permissions.nprim = le32_to_cpu(buf[3]);
769
nel = le32_to_cpu(buf[4]);
771
ncons = le32_to_cpu(buf[5]);
773
buf = next_entry(fp, len);
776
key = kmalloc(len + 1,GFP_KERNEL);
779
memcpy(key, buf, len);
783
cladatum->comkey = kmalloc(len2 + 1,GFP_KERNEL);
784
if (!cladatum->comkey)
786
buf = next_entry(fp, len2);
789
memcpy(cladatum->comkey, buf, len2);
790
cladatum->comkey[len2] = 0;
792
cladatum->comdatum = hashtab_search(p->p_commons.table,
794
if (!cladatum->comdatum) {
795
printk("security: unknown common %s\n", cladatum->comkey);
799
for (i = 0; i < nel; i++) {
800
if (perm_read(p, cladatum->permissions.table, fp))
805
for (i = 0; i < ncons; i++) {
806
c = kmalloc(sizeof(constraint_node_t),GFP_KERNEL);
809
memset(c, 0, sizeof(constraint_node_t));
810
buf = next_entry(fp, sizeof(__u32)*2);
813
c->permissions = le32_to_cpu(buf[0]);
814
nexpr = le32_to_cpu(buf[1]);
817
for (j = 0; j < nexpr; j++) {
818
e = kmalloc(sizeof(constraint_expr_t),GFP_KERNEL);
821
memset(e, 0, sizeof(constraint_expr_t));
822
buf = next_entry(fp, sizeof(__u32)*3);
827
e->expr_type = le32_to_cpu(buf[0]);
828
e->attr = le32_to_cpu(buf[1]);
829
e->op = le32_to_cpu(buf[2]);
831
switch (e->expr_type) {
847
if (depth == (CEXPR_MAXDEPTH-1)) {
854
if (depth == (CEXPR_MAXDEPTH-1)) {
859
if (ebitmap_read(&e->names, fp)) {
881
cladatum->constraints = c;
886
if (mls_read_class(cladatum, fp))
889
if (hashtab_insert(h, key, cladatum))
895
class_destroy(key, cladatum, NULL);
900
static int role_read(policydb_t * p __attribute__ ((unused)), hashtab_t h, struct policy_file * fp)
907
role = kmalloc(sizeof(role_datum_t),GFP_KERNEL);
910
memset(role, 0, sizeof(role_datum_t));
912
buf = next_entry(fp, sizeof(__u32)*2);
916
len = le32_to_cpu(buf[0]);
917
role->value = le32_to_cpu(buf[1]);
919
buf = next_entry(fp, len);
922
key = kmalloc(len + 1,GFP_KERNEL);
925
memcpy(key, buf, len);
928
if (ebitmap_read(&role->dominates, fp))
931
if (ebitmap_read(&role->types, fp))
934
if (strcmp(key, OBJECT_R) == 0) {
935
if (role->value != OBJECT_R_VAL) {
936
printk("Role %s has wrong value %d\n",
937
OBJECT_R, role->value);
938
role_destroy(key, role, NULL);
941
role_destroy(key, role, NULL);
945
if (hashtab_insert(h, key, role))
951
role_destroy(key, role, NULL);
956
static int type_read(policydb_t * p __attribute__ ((unused)), hashtab_t h, struct policy_file * fp)
959
type_datum_t *typdatum;
963
typdatum = kmalloc(sizeof(type_datum_t),GFP_KERNEL);
966
memset(typdatum, 0, sizeof(type_datum_t));
968
buf = next_entry(fp, sizeof(__u32)*3);
972
len = le32_to_cpu(buf[0]);
973
typdatum->value = le32_to_cpu(buf[1]);
974
typdatum->primary = le32_to_cpu(buf[2]);
976
buf = next_entry(fp, len);
979
key = kmalloc(len + 1,GFP_KERNEL);
982
memcpy(key, buf, len);
985
if (hashtab_insert(h, key, typdatum))
991
type_destroy(key, typdatum, NULL);
995
static int user_read(policydb_t * p __attribute__ ((unused)), hashtab_t h, struct policy_file * fp)
998
user_datum_t *usrdatum;
1003
usrdatum = kmalloc(sizeof(user_datum_t),GFP_KERNEL);
1006
memset(usrdatum, 0, sizeof(user_datum_t));
1008
buf = next_entry(fp, sizeof(__u32)*2);
1012
len = le32_to_cpu(buf[0]);
1013
usrdatum->value = le32_to_cpu(buf[1]);
1015
buf = next_entry(fp, len);
1018
key = kmalloc(len + 1,GFP_KERNEL);
1021
memcpy(key, buf, len);
1024
if (ebitmap_read(&usrdatum->roles, fp))
1027
if (mls_read_user(usrdatum, fp))
1030
if (hashtab_insert(h, key, usrdatum))
1036
user_destroy(key, usrdatum, NULL);
1041
static int (*read_f[SYM_NUM]) (policydb_t * p, hashtab_t h, struct policy_file * fp) =
1052
#define mls_config(x) \
1053
((x) & POLICYDB_CONFIG_MLS) ? "mls" : "no_mls"
1056
* Read the configuration data from a policy database binary
1057
* representation file into a policy database structure.
1059
int policydb_read(policydb_t * p, struct policy_file * fp)
1061
struct role_allow *ra, *lra;
1062
struct role_trans *tr, *ltr;
1063
ocontext_t *l, *c, *newc;
1064
genfs_t *genfs_p, *genfs, *newgenfs;
1065
unsigned int i, j, r_policyvers;
1067
size_t len, len2, nprim, nel, nel2;
1069
struct policydb_compat_info *info;
1072
mls_set_config(config);
1074
if (policydb_init(p))
1077
/* Read the magic number and string length. */
1078
buf = next_entry(fp, sizeof(__u32)* 2);
1081
for (i = 0; i < 2; i++)
1082
buf[i] = le32_to_cpu(buf[i]);
1084
if (buf[0] != POLICYDB_MAGIC) {
1085
printk("security: policydb magic number 0x%x does not match expected magic number 0x%x\n", buf[0], POLICYDB_MAGIC);
1090
if (len != strlen(POLICYDB_STRING)) {
1091
printk("security: policydb string length %zu does not match expected length %zu\n", len, strlen(POLICYDB_STRING));
1094
buf = next_entry(fp, len);
1096
printk("security: truncated policydb string identifier\n");
1099
policydb_str = kmalloc(len + 1,GFP_KERNEL);
1100
if (!policydb_str) {
1101
printk("security: unable to allocate memory for policydb string of length %zu\n", len);
1104
memcpy(policydb_str, buf, len);
1105
policydb_str[len] = 0;
1106
if (strcmp(policydb_str, POLICYDB_STRING)) {
1107
printk("security: policydb string %s does not match my string %s\n", policydb_str, POLICYDB_STRING);
1108
kfree(policydb_str);
1111
/* Done with policydb_str. */
1112
kfree(policydb_str);
1113
policydb_str = NULL;
1115
/* Read the version, config, and table sizes. */
1116
buf = next_entry(fp, sizeof(__u32)*4);
1119
for (i = 0; i < 4; i++)
1120
buf[i] = le32_to_cpu(buf[i]);
1122
r_policyvers = buf[0];
1123
if (r_policyvers < POLICYDB_VERSION_MIN || r_policyvers > POLICYDB_VERSION_MAX) {
1124
printk("security: policydb version %d does not match "
1125
"my version range %d-%d\n", buf[0], POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
1129
if (buf[1] != config) {
1130
printk("security: policydb configuration (%s) does not match my configuration (%s)\n",
1132
mls_config(config));
1136
info = policydb_lookup_compat(r_policyvers);
1138
printk("security: unable to find policy compat info for version %d\n", r_policyvers);
1142
if (buf[2] != info->sym_num || buf[3] != info->ocon_num) {
1143
printk("security: policydb table sizes (%d,%d) do not match mine (%d,%d)\n",
1144
buf[2], buf[3], info->sym_num, info->ocon_num);
1148
if (mls_read_nlevels(p, fp))
1151
for (i = 0; i < info->sym_num; i++) {
1152
buf = next_entry(fp, sizeof(__u32)*2);
1155
nprim = le32_to_cpu(buf[0]);
1156
nel = le32_to_cpu(buf[1]);
1157
for (j = 0; j < nel; j++) {
1158
if (read_f[i] (p, p->symtab[i].table, fp))
1162
p->symtab[i].nprim = nprim;
1165
if (avtab_read(&p->te_avtab, fp, config))
1167
if (r_policyvers >= POLICYDB_VERSION_BOOL)
1168
if (cond_read_list(p, fp))
1171
buf = next_entry(fp, sizeof(__u32));
1174
nel = le32_to_cpu(buf[0]);
1176
for (i = 0; i < nel; i++) {
1177
tr = kmalloc(sizeof(struct role_trans),GFP_KERNEL);
1181
memset(tr, 0, sizeof(struct role_trans));
1187
buf = next_entry(fp, sizeof(__u32)*3);
1190
tr->role = le32_to_cpu(buf[0]);
1191
tr->type = le32_to_cpu(buf[1]);
1192
tr->new_role = le32_to_cpu(buf[2]);
1196
buf = next_entry(fp, sizeof(__u32));
1199
nel = le32_to_cpu(buf[0]);
1201
for (i = 0; i < nel; i++) {
1202
ra = kmalloc(sizeof(struct role_allow),GFP_KERNEL);
1206
memset(ra, 0, sizeof(struct role_allow));
1212
buf = next_entry(fp, sizeof(__u32)*2);
1215
ra->role = le32_to_cpu(buf[0]);
1216
ra->new_role = le32_to_cpu(buf[1]);
1220
if (policydb_index_classes(p))
1223
if (policydb_index_others(p))
1226
for (i = 0; i < info->ocon_num; i++) {
1227
buf = next_entry(fp, sizeof(__u32));
1230
nel = le32_to_cpu(buf[0]);
1232
for (j = 0; j < nel; j++) {
1233
c = kmalloc(sizeof(ocontext_t),GFP_KERNEL);
1237
memset(c, 0, sizeof(ocontext_t));
1241
p->ocontexts[i] = c;
1246
buf = next_entry(fp, sizeof(__u32));
1249
c->sid[0] = le32_to_cpu(buf[0]);
1250
if (context_read_and_validate(&c->context[0], p, fp))
1255
buf = next_entry(fp, sizeof(__u32));
1258
len = le32_to_cpu(buf[0]);
1259
buf = next_entry(fp, len);
1262
c->u.name = kmalloc(len + 1,GFP_KERNEL);
1266
memcpy(c->u.name, buf, len);
1268
if (context_read_and_validate(&c->context[0], p, fp))
1270
if (context_read_and_validate(&c->context[1], p, fp))
1274
buf = next_entry(fp, sizeof(__u32)*3);
1277
c->u.port.protocol = le32_to_cpu(buf[0]);
1278
c->u.port.low_port = le32_to_cpu(buf[1]);
1279
c->u.port.high_port = le32_to_cpu(buf[2]);
1280
if (context_read_and_validate(&c->context[0], p, fp))
1284
buf = next_entry(fp, sizeof(__u32)* 2);
1287
c->u.node.addr = le32_to_cpu(buf[0]);
1288
c->u.node.mask = le32_to_cpu(buf[1]);
1289
if (context_read_and_validate(&c->context[0], p, fp))
1293
buf = next_entry(fp, sizeof(__u32)*2);
1296
c->v.behavior = le32_to_cpu(buf[0]);
1297
len = le32_to_cpu(buf[1]);
1298
buf = next_entry(fp, len);
1301
c->u.name = kmalloc(len + 1,GFP_KERNEL);
1305
memcpy(c->u.name, buf, len);
1307
if (context_read_and_validate(&c->context[0], p, fp))
1313
buf = next_entry(fp, sizeof(__u32) * 8);
1316
for (k = 0; k < 4; k++)
1317
c->u.node6.addr[k] = le32_to_cpu(buf[k]);
1318
for (k = 0; k < 4; k++)
1319
c->u.node6.mask[k] = le32_to_cpu(buf[k+4]);
1320
if (context_read_and_validate(&c->context[0], p, fp))
1328
buf = next_entry(fp, sizeof(__u32));
1331
nel = le32_to_cpu(buf[0]);
1333
for (i = 0; i < nel; i++) {
1334
newgenfs = kmalloc(sizeof(genfs_t),GFP_KERNEL);
1338
memset(newgenfs, 0, sizeof(genfs_t));
1339
buf = next_entry(fp, sizeof(__u32));
1342
len = le32_to_cpu(buf[0]);
1343
buf = next_entry(fp, len);
1346
newgenfs->fstype = kmalloc(len + 1,GFP_KERNEL);
1347
if (!newgenfs->fstype) {
1350
memcpy(newgenfs->fstype, buf, len);
1351
newgenfs->fstype[len] = 0;
1352
for (genfs_p = NULL, genfs = p->genfs; genfs;
1353
genfs_p = genfs, genfs = genfs->next) {
1354
if (strcmp(newgenfs->fstype, genfs->fstype) == 0) {
1355
printk("security: dup genfs fstype %s\n", newgenfs->fstype);
1358
if (strcmp(newgenfs->fstype, genfs->fstype) < 0)
1361
newgenfs->next = genfs;
1363
genfs_p->next = newgenfs;
1365
p->genfs = newgenfs;
1366
buf = next_entry(fp, sizeof(__u32));
1369
nel2 = le32_to_cpu(buf[0]);
1370
for (j = 0; j < nel2; j++) {
1371
newc = kmalloc(sizeof(ocontext_t),GFP_KERNEL);
1375
memset(newc, 0, sizeof(ocontext_t));
1376
buf = next_entry(fp, sizeof(__u32));
1379
len = le32_to_cpu(buf[0]);
1380
buf = next_entry(fp, len);
1383
newc->u.name = kmalloc(len + 1,GFP_KERNEL);
1384
if (!newc->u.name) {
1387
memcpy(newc->u.name, buf, len);
1388
newc->u.name[len] = 0;
1389
buf = next_entry(fp, sizeof(__u32));
1392
newc->v.sclass = le32_to_cpu(buf[0]);
1393
if (context_read_and_validate(&newc->context[0], p, fp))
1395
for (l = NULL, c = newgenfs->head; c;
1396
l = c, c = c->next) {
1397
if (!strcmp(newc->u.name, c->u.name) &&
1398
(!c->v.sclass || !newc->v.sclass || newc->v.sclass == c->v.sclass)) {
1399
printk("security: dup genfs entry (%s,%s)\n", newgenfs->fstype, c->u.name);
1402
len = strlen(newc->u.name);
1403
len2 = strlen(c->u.name);
1411
newgenfs->head = newc;
1415
if (mls_read_trusted(p, fp))
1420
policydb_destroy(p);