* [PATCH 0/8] Revert the prefix/suffix filename transition patches
@ 2023-07-26 14:25 James Carter
2023-07-26 14:25 ` [PATCH 1/8] Revert "libsepol/cil: add support for prefix/suffix filename transtions to CIL" James Carter
` (9 more replies)
0 siblings, 10 replies; 12+ messages in thread
From: James Carter @ 2023-07-26 14:25 UTC (permalink / raw)
To: selinux; +Cc: juraj, James Carter
Since the kernel patches have not been accepted yet, it seems better to
revert these patches while they can still be cleanly reverted just in
case the kernel patches are not accepted.
If the kernel patches get accepted, then I will re-apply these patches.
I should have waited for the kernel patches to be accepted before committing
these in the first place.
James Carter (8):
Revert "libsepol/cil: add support for prefix/suffix filename
transtions to CIL"
Revert "checkpolicy,libsepol: add prefix/suffix support to module
policy"
Revert "checkpolicy,libsepol: add prefix/suffix support to kernel
policy"
Revert "libsepol: implement new module binary format of avrule"
Revert "libsepol: implement new kernel binary format for avtab"
Revert "checkpolicy,libsepol: move filename transition rules to
avrule"
Revert "checkpolicy,libsepol: move filename transitions to avtab"
Revert "checkpolicy,libsepol: move transition to separate structure in
avtab"
checkpolicy/checkmodule.c | 9 -
checkpolicy/module_compiler.c | 12 +
checkpolicy/module_compiler.h | 1 +
checkpolicy/policy_define.c | 211 +++++-
checkpolicy/policy_define.h | 3 +-
checkpolicy/policy_parse.y | 13 +-
checkpolicy/policy_scan.l | 4 -
checkpolicy/test/dismod.c | 39 +-
checkpolicy/test/dispol.c | 106 ++-
libsepol/cil/src/cil.c | 6 -
libsepol/cil/src/cil_binary.c | 63 +-
libsepol/cil/src/cil_build_ast.c | 26 +-
libsepol/cil/src/cil_copy_ast.c | 1 -
libsepol/cil/src/cil_internal.h | 4 -
libsepol/cil/src/cil_policy.c | 17 +-
libsepol/cil/src/cil_resolve_ast.c | 10 -
libsepol/cil/src/cil_write_ast.c | 2 -
libsepol/include/sepol/policydb/avtab.h | 19 +-
libsepol/include/sepol/policydb/hashtab.h | 8 -
libsepol/include/sepol/policydb/policydb.h | 50 +-
libsepol/src/avrule_block.c | 1 +
libsepol/src/avtab.c | 338 +---------
libsepol/src/conditional.c | 6 +-
libsepol/src/expand.c | 153 +++--
libsepol/src/kernel_to_cil.c | 182 +++--
libsepol/src/kernel_to_common.h | 10 -
libsepol/src/kernel_to_conf.c | 178 +++--
libsepol/src/link.c | 57 +-
libsepol/src/module_to_cil.c | 86 ++-
libsepol/src/optimize.c | 8 -
libsepol/src/policydb.c | 479 +++++++++++---
libsepol/src/policydb_validate.c | 101 ++-
libsepol/src/services.c | 5 +-
libsepol/src/write.c | 735 +++++----------------
34 files changed, 1390 insertions(+), 1553 deletions(-)
--
2.41.0
^ permalink raw reply [flat|nested] 12+ messages in thread
* [PATCH 1/8] Revert "libsepol/cil: add support for prefix/suffix filename transtions to CIL"
2023-07-26 14:25 [PATCH 0/8] Revert the prefix/suffix filename transition patches James Carter
@ 2023-07-26 14:25 ` James Carter
2023-07-26 14:25 ` [PATCH 2/8] Revert "checkpolicy,libsepol: add prefix/suffix support to module policy" James Carter
` (8 subsequent siblings)
9 siblings, 0 replies; 12+ messages in thread
From: James Carter @ 2023-07-26 14:25 UTC (permalink / raw)
To: selinux; +Cc: juraj, James Carter
This reverts commit 0c50de03cd38ef80dc6c5df9acef027f4b5c9526.
Signed-off-by: James Carter <jwcart2@gmail.com>
---
libsepol/cil/src/cil.c | 6 ------
libsepol/cil/src/cil_binary.c | 8 ++++----
libsepol/cil/src/cil_build_ast.c | 26 +++++---------------------
libsepol/cil/src/cil_copy_ast.c | 1 -
libsepol/cil/src/cil_internal.h | 4 ----
libsepol/cil/src/cil_policy.c | 17 +----------------
libsepol/cil/src/cil_resolve_ast.c | 10 ----------
libsepol/cil/src/cil_write_ast.c | 2 --
8 files changed, 10 insertions(+), 64 deletions(-)
diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c
index fa693020..38edcf8e 100644
--- a/libsepol/cil/src/cil.c
+++ b/libsepol/cil/src/cil.c
@@ -95,8 +95,6 @@ char *CIL_KEY_TUNABLEIF;
char *CIL_KEY_ALLOW;
char *CIL_KEY_DONTAUDIT;
char *CIL_KEY_TYPETRANSITION;
-char *CIL_KEY_PREFIX;
-char *CIL_KEY_SUFFIX;
char *CIL_KEY_TYPECHANGE;
char *CIL_KEY_CALL;
char *CIL_KEY_TUNABLE;
@@ -266,8 +264,6 @@ static void cil_init_keys(void)
CIL_KEY_ALLOW = cil_strpool_add("allow");
CIL_KEY_DONTAUDIT = cil_strpool_add("dontaudit");
CIL_KEY_TYPETRANSITION = cil_strpool_add("typetransition");
- CIL_KEY_PREFIX = cil_strpool_add("prefix");
- CIL_KEY_SUFFIX = cil_strpool_add("suffix");
CIL_KEY_TYPECHANGE = cil_strpool_add("typechange");
CIL_KEY_CALL = cil_strpool_add("call");
CIL_KEY_TUNABLE = cil_strpool_add("tunable");
@@ -2391,8 +2387,6 @@ void cil_nametypetransition_init(struct cil_nametypetransition **nametypetrans)
(*nametypetrans)->obj = NULL;
(*nametypetrans)->name_str = NULL;
(*nametypetrans)->name = NULL;
- (*nametypetrans)->name_match_str = NULL;
- (*nametypetrans)->name_match = NAME_TRANS_MATCH_EXACT;
(*nametypetrans)->result_str = NULL;
(*nametypetrans)->result = NULL;
}
diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index ea0cef32..ffa44be7 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@@ -1193,7 +1193,7 @@ static int __cil_typetransition_to_avtab_helper(policydb_t *pdb,
type_datum_t *sepol_src,
type_datum_t *sepol_tgt,
struct cil_list *class_list,
- char *name, uint8_t name_match,
+ char *name,
type_datum_t *sepol_result)
{
int rc;
@@ -1211,7 +1211,7 @@ static int __cil_typetransition_to_avtab_helper(policydb_t *pdb,
avt_key.target_type = sepol_tgt->s.value;
avt_key.target_class = sepol_obj->s.value;
rc = avtab_insert_filename_trans(&pdb->te_avtab, &avt_key,
- sepol_result->s.value, name, name_match,
+ sepol_result->s.value, name, NAME_TRANS_MATCH_EXACT,
&otype);
if (rc != SEPOL_OK) {
if (rc == SEPOL_EEXIST) {
@@ -1280,7 +1280,7 @@ static int __cil_typetransition_to_avtab(policydb_t *pdb, const struct cil_db *d
rc = __cil_typetransition_to_avtab_helper(
pdb, sepol_src, sepol_src, class_list,
- name, typetrans->name_match, sepol_result
+ name, sepol_result
);
if (rc != SEPOL_OK) goto exit;
}
@@ -1298,7 +1298,7 @@ static int __cil_typetransition_to_avtab(policydb_t *pdb, const struct cil_db *d
rc = __cil_typetransition_to_avtab_helper(
pdb, sepol_src, sepol_tgt, class_list,
- name, typetrans->name_match, sepol_result
+ name, sepol_result
);
if (rc != SEPOL_OK) goto exit;
}
diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
index 67bbdcab..4177c9f6 100644
--- a/libsepol/cil/src/cil_build_ast.c
+++ b/libsepol/cil/src/cil_build_ast.c
@@ -3334,11 +3334,10 @@ int cil_gen_typetransition(struct cil_db *db, struct cil_tree_node *parse_curren
CIL_SYN_STRING,
CIL_SYN_STRING,
CIL_SYN_STRING | CIL_SYN_END,
- CIL_SYN_STRING | CIL_SYN_END,
- CIL_SYN_END,
+ CIL_SYN_END
};
size_t syntax_len = sizeof(syntax)/sizeof(*syntax);
- char *s1, *s2, *s3, *s4, *s5, *s6;
+ char *s1, *s2, *s3, *s4, *s5;
if (db == NULL || parse_current == NULL || ast_node == NULL ) {
goto exit;
@@ -3354,22 +3353,12 @@ int cil_gen_typetransition(struct cil_db *db, struct cil_tree_node *parse_curren
s3 = parse_current->next->next->next->data;
s4 = parse_current->next->next->next->next->data;
s5 = NULL;
- s6 = NULL;
if (parse_current->next->next->next->next->next) {
if (s4 == CIL_KEY_STAR) {
- if (parse_current->next->next->next->next->next->next) {
- s4 = parse_current->next->next->next->next->next->next->data;
- } else {
- s4 = parse_current->next->next->next->next->next->data;
- }
+ s4 = parse_current->next->next->next->next->next->data;
} else {
- if (parse_current->next->next->next->next->next->next) {
- s5 = parse_current->next->next->next->next->next->data;
- s6 = parse_current->next->next->next->next->next->next->data;
- } else {
- s5 = parse_current->next->next->next->next->next->data;
- }
+ s5 = parse_current->next->next->next->next->next->data;
}
}
@@ -3381,13 +3370,8 @@ int cil_gen_typetransition(struct cil_db *db, struct cil_tree_node *parse_curren
nametypetrans->src_str = s1;
nametypetrans->tgt_str = s2;
nametypetrans->obj_str = s3;
+ nametypetrans->result_str = s5;
nametypetrans->name_str = s4;
- if (s6) {
- nametypetrans->name_match_str = s5;
- nametypetrans->result_str = s6;
- } else {
- nametypetrans->result_str = s5;
- }
ast_node->data = nametypetrans;
ast_node->flavor = CIL_NAMETYPETRANSITION;
diff --git a/libsepol/cil/src/cil_copy_ast.c b/libsepol/cil/src/cil_copy_ast.c
index a2d2fe40..17f05021 100644
--- a/libsepol/cil/src/cil_copy_ast.c
+++ b/libsepol/cil/src/cil_copy_ast.c
@@ -726,7 +726,6 @@ int cil_copy_nametypetransition(__attribute__((unused)) struct cil_db *db, void
new->tgt_str = orig->tgt_str;
new->obj_str = orig->obj_str;
new->name_str = orig->name_str;
- new->name_match_str = orig->name_match_str;
new->result_str = orig->result_str;
diff --git a/libsepol/cil/src/cil_internal.h b/libsepol/cil/src/cil_internal.h
index a5ff808b..a7604762 100644
--- a/libsepol/cil/src/cil_internal.h
+++ b/libsepol/cil/src/cil_internal.h
@@ -112,8 +112,6 @@ extern char *CIL_KEY_TUNABLEIF;
extern char *CIL_KEY_ALLOW;
extern char *CIL_KEY_DONTAUDIT;
extern char *CIL_KEY_TYPETRANSITION;
-extern char *CIL_KEY_PREFIX;
-extern char *CIL_KEY_SUFFIX;
extern char *CIL_KEY_TYPECHANGE;
extern char *CIL_KEY_CALL;
extern char *CIL_KEY_TUNABLE;
@@ -577,8 +575,6 @@ struct cil_nametypetransition {
struct cil_class *obj;
char *name_str;
struct cil_name *name;
- char *name_match_str;
- uint8_t name_match;
char *result_str;
void *result; /* type or alias */
diff --git a/libsepol/cil/src/cil_policy.c b/libsepol/cil/src/cil_policy.c
index 9ee40ba7..feb97868 100644
--- a/libsepol/cil/src/cil_policy.c
+++ b/libsepol/cil/src/cil_policy.c
@@ -1260,7 +1260,6 @@ static void cil_nametypetransition_to_policy(FILE *out, struct cil_nametypetrans
struct cil_name *name;
struct cil_list *class_list;
struct cil_list_item *i1;
- const char *name_match_str = "";
src = trans->src;
tgt = trans->tgt;
@@ -1269,21 +1268,7 @@ static void cil_nametypetransition_to_policy(FILE *out, struct cil_nametypetrans
class_list = cil_expand_class(trans->obj);
cil_list_for_each(i1, class_list) {
- switch (trans->name_match) {
- case NAME_TRANS_MATCH_EXACT:
- name_match_str = "";
- break;
- case NAME_TRANS_MATCH_PREFIX:
- name_match_str = " PREFIX";
- break;
- case NAME_TRANS_MATCH_SUFFIX:
- name_match_str = " SUFFIX";
- break;
- default:
- name_match_str = "???";
- break;
- }
- fprintf(out, "type_transition %s %s : %s %s \"%s\"%s;\n", src->fqn, tgt->fqn, DATUM(i1->data)->fqn, res->fqn, name->datum.fqn, name_match_str);
+ fprintf(out, "type_transition %s %s : %s %s \"%s\";\n", src->fqn, tgt->fqn, DATUM(i1->data)->fqn, res->fqn, name->datum.fqn);
}
cil_list_destroy(&class_list, CIL_FALSE);
}
diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
index 1ef0986c..d2bfdc81 100644
--- a/libsepol/cil/src/cil_resolve_ast.c
+++ b/libsepol/cil/src/cil_resolve_ast.c
@@ -668,16 +668,6 @@ int cil_resolve_nametypetransition(struct cil_tree_node *current, void *extra_ar
nametypetrans->name = (struct cil_name *)name_datum;
}
- if (nametypetrans->name_match_str == NULL) {
- nametypetrans->name_match = NAME_TRANS_MATCH_EXACT;
- } else if (nametypetrans->name_match_str == CIL_KEY_PREFIX) {
- nametypetrans->name_match = NAME_TRANS_MATCH_PREFIX;
- } else if (nametypetrans->name_match_str == CIL_KEY_SUFFIX) {
- nametypetrans->name_match = NAME_TRANS_MATCH_SUFFIX;
- } else {
- cil_tree_log(current, CIL_ERR, "Invalid name match type \"%s\"", nametypetrans->name_match_str);
- }
-
rc = cil_resolve_name(current, nametypetrans->result_str, CIL_SYM_TYPES, extra_args, &result_datum);
if (rc != SEPOL_OK) {
goto exit;
diff --git a/libsepol/cil/src/cil_write_ast.c b/libsepol/cil/src/cil_write_ast.c
index d96f6c39..b75784ef 100644
--- a/libsepol/cil/src/cil_write_ast.c
+++ b/libsepol/cil/src/cil_write_ast.c
@@ -1168,8 +1168,6 @@ void cil_write_ast_node(FILE *out, struct cil_tree_node *node)
fprintf(out, "%s ", datum_or_str(DATUM(rule->tgt), rule->tgt_str));
fprintf(out, "%s ", datum_or_str(DATUM(rule->obj), rule->obj_str));
fprintf(out, "\"%s\" ", datum_or_str(DATUM(rule->name), rule->name_str));
- if (rule->name_match != NAME_TRANS_MATCH_EXACT)
- fprintf(out, "%s ", rule->name_match_str);
fprintf(out, "%s", datum_or_str(DATUM(rule->result), rule->result_str));
fprintf(out, ")\n");
break;
--
2.41.0
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 2/8] Revert "checkpolicy,libsepol: add prefix/suffix support to module policy"
2023-07-26 14:25 [PATCH 0/8] Revert the prefix/suffix filename transition patches James Carter
2023-07-26 14:25 ` [PATCH 1/8] Revert "libsepol/cil: add support for prefix/suffix filename transtions to CIL" James Carter
@ 2023-07-26 14:25 ` James Carter
2023-07-26 14:25 ` [PATCH 3/8] Revert "checkpolicy,libsepol: add prefix/suffix support to kernel policy" James Carter
` (7 subsequent siblings)
9 siblings, 0 replies; 12+ messages in thread
From: James Carter @ 2023-07-26 14:25 UTC (permalink / raw)
To: selinux; +Cc: juraj, James Carter
This reverts commit c39ebd07acd030a59a432797ed4da7733266a305.
Signed-off-by: James Carter <jwcart2@gmail.com>
---
checkpolicy/policy_define.c | 13 +++----
checkpolicy/policy_define.h | 2 +-
checkpolicy/policy_parse.y | 13 +++----
checkpolicy/policy_scan.l | 4 ---
checkpolicy/test/dismod.c | 14 --------
checkpolicy/test/dispol.c | 2 +-
libsepol/cil/src/cil_binary.c | 4 +--
libsepol/include/sepol/policydb/avtab.h | 1 -
libsepol/include/sepol/policydb/policydb.h | 13 +++----
libsepol/src/avtab.c | 30 ++++------------
libsepol/src/expand.c | 6 +---
libsepol/src/kernel_to_common.h | 2 +-
libsepol/src/link.c | 1 -
libsepol/src/module_to_cil.c | 25 +++-----------
libsepol/src/policydb.c | 23 +------------
libsepol/src/write.c | 40 ++++++----------------
16 files changed, 43 insertions(+), 150 deletions(-)
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index 8421b253..25dbf25d 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -1601,8 +1601,7 @@ static int set_types(type_set_t * set, char *id, int *add, char starallowed)
return -1;
}
-static int define_compute_type_helper(int which, avrule_t ** rule,
- int has_filename, uint8_t name_match)
+static int define_compute_type_helper(int which, avrule_t ** rule, int has_filename)
{
char *id;
type_datum_t *datum;
@@ -1677,7 +1676,6 @@ static int define_compute_type_helper(int which, avrule_t ** rule,
goto bad;
}
}
- avrule->name_match = name_match;
ebitmap_for_each_positive_bit(&tclasses, node, i) {
perm = malloc(sizeof(class_perm_node_t));
@@ -1702,7 +1700,7 @@ static int define_compute_type_helper(int which, avrule_t ** rule,
return -1;
}
-int define_compute_type(int which, int has_filename, uint8_t name_match)
+int define_compute_type(int which, int has_filename)
{
char *id;
avrule_t *avrule;
@@ -1723,8 +1721,7 @@ int define_compute_type(int which, int has_filename, uint8_t name_match)
return 0;
}
- if (define_compute_type_helper(which, &avrule, has_filename,
- name_match))
+ if (define_compute_type_helper(which, &avrule, has_filename))
return -1;
append_avrule(avrule);
@@ -1748,8 +1745,7 @@ avrule_t *define_cond_compute_type(int which)
return (avrule_t *) 1;
}
- if (define_compute_type_helper(which, &avrule, 0,
- NAME_TRANS_MATCH_EXACT))
+ if (define_compute_type_helper(which, &avrule, 0))
return COND_ERR;
return avrule;
@@ -2398,7 +2394,6 @@ static int avrule_cpy(avrule_t *dest, const avrule_t *src)
return -1;
}
}
- dest->name_match = src->name_match;
dest->line = src->line;
dest->source_filename = strdup(source_file);
if (!dest->source_filename) {
diff --git a/checkpolicy/policy_define.h b/checkpolicy/policy_define.h
index c1314871..5d0f70e4 100644
--- a/checkpolicy/policy_define.h
+++ b/checkpolicy/policy_define.h
@@ -28,7 +28,7 @@ int define_default_role(int which);
int define_default_type(int which);
int define_default_range(int which);
int define_common_perms(void);
-int define_compute_type(int which, int has_filename, uint8_t name_match);
+int define_compute_type(int which, int has_filename);
int define_conditional(cond_expr_t *expr, avrule_t *t_list, avrule_t *f_list );
int define_constraint(constraint_expr_t *expr);
int define_dominance(void);
diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
index 6b6890a3..2a14fc1e 100644
--- a/checkpolicy/policy_parse.y
+++ b/checkpolicy/policy_parse.y
@@ -108,7 +108,6 @@ typedef int (* require_func_t)(int pass);
%token IF
%token ELSE
%token TYPE_TRANSITION
-%token PREFIX SUFFIX
%token TYPE_MEMBER
%token TYPE_CHANGE
%token ROLE_TRANSITION
@@ -452,17 +451,13 @@ cond_dontaudit_def : DONTAUDIT names names ':' names names ';'
;
;
transition_def : TYPE_TRANSITION names names ':' names identifier filename ';'
- {if (define_compute_type(AVRULE_TRANSITION, 1, NAME_TRANS_MATCH_EXACT)) return -1;}
- | TYPE_TRANSITION names names ':' names identifier filename PREFIX ';'
- {if (define_compute_type(AVRULE_TRANSITION, 1, NAME_TRANS_MATCH_PREFIX)) return -1;}
- | TYPE_TRANSITION names names ':' names identifier filename SUFFIX ';'
- {if (define_compute_type(AVRULE_TRANSITION, 1, NAME_TRANS_MATCH_SUFFIX)) return -1;}
+ {if (define_compute_type(AVRULE_TRANSITION, 1)) return -1; }
| TYPE_TRANSITION names names ':' names identifier ';'
- {if (define_compute_type(AVRULE_TRANSITION, 0, NAME_TRANS_MATCH_EXACT)) return -1;}
+ {if (define_compute_type(AVRULE_TRANSITION, 0)) return -1;}
| TYPE_MEMBER names names ':' names identifier ';'
- {if (define_compute_type(AVRULE_MEMBER, 0, NAME_TRANS_MATCH_EXACT)) return -1;}
+ {if (define_compute_type(AVRULE_MEMBER, 0)) return -1;}
| TYPE_CHANGE names names ':' names identifier ';'
- {if (define_compute_type(AVRULE_CHANGE, 0, NAME_TRANS_MATCH_EXACT)) return -1;}
+ {if (define_compute_type(AVRULE_CHANGE, 0)) return -1;}
;
range_trans_def : RANGE_TRANSITION names names mls_range_def ';'
{ if (define_range_trans(0)) return -1; }
diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
index 9ffac353..2c025b61 100644
--- a/checkpolicy/policy_scan.l
+++ b/checkpolicy/policy_scan.l
@@ -123,10 +123,6 @@ EXPANDATTRIBUTE |
expandattribute { return(EXPANDATTRIBUTE); }
TYPE_TRANSITION |
type_transition { return(TYPE_TRANSITION); }
-PREFIX |
-prefix { return(PREFIX); }
-SUFFIX |
-suffix { return(SUFFIX); }
TYPE_MEMBER |
type_member { return(TYPE_MEMBER); }
TYPE_CHANGE |
diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c
index 011191c3..8bab207c 100644
--- a/checkpolicy/test/dismod.c
+++ b/checkpolicy/test/dismod.c
@@ -345,20 +345,6 @@ static int display_avrule(avrule_t * avrule, policydb_t * policy,
display_id(policy, fp, SYM_TYPES, avrule->perms->data - 1, "");
if (avrule->object_name)
fprintf(fp, " \"%s\"", avrule->object_name);
- switch (avrule->name_match) {
- case NAME_TRANS_MATCH_EXACT:
- /* do nothing */
- break;
- case NAME_TRANS_MATCH_PREFIX:
- fprintf(fp, " PREFIX");
- break;
- case NAME_TRANS_MATCH_SUFFIX:
- fprintf(fp, " SUFFIX");
- break;
- default:
- fprintf(fp, " ERROR: no valid name match type specified\n");
- return -1;
- }
} else if (avrule->specified & AVRULE_XPERMS) {
avtab_extended_perms_t xperms;
int i;
diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
index b5a41c1f..776bf54d 100644
--- a/checkpolicy/test/dispol.c
+++ b/checkpolicy/test/dispol.c
@@ -129,7 +129,7 @@ typedef struct {
avtab_key_t *key;
policydb_t *p;
FILE *fp;
- uint8_t match;
+ name_trans_match_t match;
} render_name_trans_args_t;
static int render_name_trans_helper(hashtab_key_t k, hashtab_datum_t d, void *a)
diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index ffa44be7..996bad70 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@@ -1211,8 +1211,7 @@ static int __cil_typetransition_to_avtab_helper(policydb_t *pdb,
avt_key.target_type = sepol_tgt->s.value;
avt_key.target_class = sepol_obj->s.value;
rc = avtab_insert_filename_trans(&pdb->te_avtab, &avt_key,
- sepol_result->s.value, name, NAME_TRANS_MATCH_EXACT,
- &otype);
+ sepol_result->s.value, name, &otype);
if (rc != SEPOL_OK) {
if (rc == SEPOL_EEXIST) {
if (sepol_result->s.value!= otype) {
@@ -4652,7 +4651,6 @@ static avrule_t *__cil_init_sepol_avrule(uint32_t kind, struct cil_tree_node *no
__cil_init_sepol_type_set(&avrule->ttypes);
avrule->perms = NULL;
avrule->object_name = NULL;
- avrule->name_match = NAME_TRANS_MATCH_EXACT;
avrule->line = node->line;
avrule->source_filename = NULL;
diff --git a/libsepol/include/sepol/policydb/avtab.h b/libsepol/include/sepol/policydb/avtab.h
index 7d892879..870fb08a 100644
--- a/libsepol/include/sepol/policydb/avtab.h
+++ b/libsepol/include/sepol/policydb/avtab.h
@@ -156,7 +156,6 @@ extern avtab_ptr_t avtab_search_node_next(avtab_ptr_t node, int specified);
extern int avtab_insert_filename_trans(avtab_t *a, avtab_key_t *key,
uint32_t otype, const char *name,
- uint8_t name_match,
uint32_t *present_otype);
extern int avtab_filename_trans_read(void *fp, uint32_t vers, avtab_t *a);
diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h
index 48b7b8bb..a2df4a62 100644
--- a/libsepol/include/sepol/policydb/policydb.h
+++ b/libsepol/include/sepol/policydb/policydb.h
@@ -252,6 +252,12 @@ typedef struct av_extended_perms {
uint32_t perms[EXTENDED_PERMS_LEN];
} av_extended_perms_t;
+typedef enum name_trans_match {
+ NAME_TRANS_MATCH_EXACT,
+ NAME_TRANS_MATCH_PREFIX,
+ NAME_TRANS_MATCH_SUFFIX,
+} name_trans_match_t;
+
typedef struct avrule {
/* these typedefs are almost exactly the same as those in avtab.h - they are
* here because of the need to include neverallow and dontaudit messages */
@@ -279,10 +285,6 @@ typedef struct avrule {
type_set_t ttypes;
class_perm_node_t *perms;
char *object_name; /* optional object name */
-#define NAME_TRANS_MATCH_EXACT 0
-#define NAME_TRANS_MATCH_PREFIX 1
-#define NAME_TRANS_MATCH_SUFFIX 2
- uint8_t name_match;
av_extended_perms_t *xperms;
unsigned long line; /* line number from policy.conf where
* this rule originated */
@@ -755,10 +757,9 @@ extern int policydb_set_target_platform(policydb_t *p, int platform);
#define MOD_POLICYDB_VERSION_GLBLUB 20
#define MOD_POLICYDB_VERSION_SELF_TYPETRANS 21
#define MOD_POLICYDB_VERSION_AVRULE_FTRANS 22
-#define MOD_POLICYDB_VERSION_PREFIX_SUFFIX 23 /* preffix/suffix support for filename transitions */
#define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE
-#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_PREFIX_SUFFIX
+#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_AVRULE_FTRANS
#define POLICYDB_CONFIG_MLS 1
diff --git a/libsepol/src/avtab.c b/libsepol/src/avtab.c
index 99fdaa87..90cfb90b 100644
--- a/libsepol/src/avtab.c
+++ b/libsepol/src/avtab.c
@@ -771,7 +771,7 @@ int avtab_read(avtab_t * a, struct policy_file *fp, uint32_t vers)
int avtab_insert_filename_trans(avtab_t *a, avtab_key_t *key,
uint32_t otype, const char *name,
- uint8_t name_match, uint32_t *present_otype)
+ uint32_t *present_otype)
{
int rc = SEPOL_ENOMEM;
avtab_trans_t new_trans = {0};
@@ -780,7 +780,6 @@ int avtab_insert_filename_trans(avtab_t *a, avtab_key_t *key,
avtab_ptr_t node;
char *name_key = NULL;
uint32_t *otype_datum = NULL;
- symtab_t *target_symtab;
datum = avtab_search(a, key);
if (!datum) {
@@ -794,22 +793,8 @@ int avtab_insert_filename_trans(avtab_t *a, avtab_key_t *key,
datum = &node->datum;
}
- switch (name_match) {
- case NAME_TRANS_MATCH_EXACT:
- target_symtab = &datum->trans->name_trans;
- break;
- case NAME_TRANS_MATCH_PREFIX:
- target_symtab = &datum->trans->prefix_trans;
- break;
- case NAME_TRANS_MATCH_SUFFIX:
- target_symtab = &datum->trans->suffix_trans;
- break;
- default:
- return SEPOL_ERR;
- }
-
- if (!target_symtab->table) {
- rc = symtab_init(target_symtab, 1 << 8);
+ if (!datum->trans->name_trans.table) {
+ rc = symtab_init(&datum->trans->name_trans, 1 << 8);
if (rc < 0)
return rc;
}
@@ -825,7 +810,8 @@ int avtab_insert_filename_trans(avtab_t *a, avtab_key_t *key,
goto bad;
*otype_datum = otype;
- rc = hashtab_insert(target_symtab->table, name_key, otype_datum);
+ rc = hashtab_insert(datum->trans->name_trans.table, name_key,
+ otype_datum);
if (rc < 0)
goto bad;
@@ -870,8 +856,7 @@ static int filename_trans_read_one(avtab_t *a, void *fp)
key.target_class = le32_to_cpu(buf[2]);
otype = le32_to_cpu(buf[3]);
- rc = avtab_insert_filename_trans(a, &key, otype, name,
- NAME_TRANS_MATCH_EXACT, NULL);
+ rc = avtab_insert_filename_trans(a, &key, otype, name, NULL);
if (rc)
goto err;
@@ -924,8 +909,7 @@ static int filename_trans_comp_read_one(avtab_t *a, void *fp)
key.source_type = bit + 1;
rc = avtab_insert_filename_trans(a, &key, otype, name,
- NAME_TRANS_MATCH_EXACT,
- NULL);
+ NULL);
if (rc < 0)
goto err_ebitmap;
}
diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index 7a011508..a4c92f4f 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -1620,8 +1620,7 @@ static int expand_terule_helper(sepol_handle_t * handle,
uint32_t specified, cond_av_list_t ** cond,
cond_av_list_t ** other, uint32_t stype,
uint32_t ttype, class_perm_node_t * perms,
- char *object_name, uint8_t name_match,
- avtab_t * avtab, int enabled)
+ char *object_name, avtab_t * avtab, int enabled)
{
avtab_key_t avkey;
avtab_datum_t *avdatump;
@@ -1653,7 +1652,6 @@ static int expand_terule_helper(sepol_handle_t * handle,
int rc = avtab_insert_filename_trans(avtab, &avkey,
remapped_data,
object_name,
- name_match,
&oldtype);
if (rc == SEPOL_EEXIST) {
ERR(handle, "conflicting filename transition %s %s:%s \"%s\": %s vs %s",
@@ -1887,7 +1885,6 @@ static int expand_rule_helper(sepol_handle_t * handle,
source_rule->specified, cond,
other, i, i, source_rule->perms,
source_rule->object_name,
- source_rule->name_match,
dest_avtab, enabled);
if (retval != EXPAND_RULE_SUCCESS)
return retval;
@@ -1905,7 +1902,6 @@ static int expand_rule_helper(sepol_handle_t * handle,
source_rule->specified, cond,
other, i, j, source_rule->perms,
source_rule->object_name,
- source_rule->name_match,
dest_avtab, enabled);
if (retval != EXPAND_RULE_SUCCESS)
return retval;
diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h
index 353eb78f..07869e3d 100644
--- a/libsepol/src/kernel_to_common.h
+++ b/libsepol/src/kernel_to_common.h
@@ -90,7 +90,7 @@ typedef struct {
const char *src;
const char *tgt;
const char *class;
- uint8_t match;
+ name_trans_match_t match;
} name_trans_to_strs_args_t;
void sepol_indent(FILE *out, int indent);
diff --git a/libsepol/src/link.c b/libsepol/src/link.c
index 332d62b2..88b23594 100644
--- a/libsepol/src/link.c
+++ b/libsepol/src/link.c
@@ -1254,7 +1254,6 @@ static int copy_avrule_list(avrule_t * list, avrule_t ** dst,
if (!new_rule->object_name)
goto cleanup;
}
- new_rule->name_match = cur->name_match;
cur_perm = cur->perms;
tail_perm = NULL;
diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index 3fbb4af5..ca96bb67 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -547,13 +547,12 @@ static int semantic_level_to_cil(struct policydb *pdb, int sens_offset, struct m
return 0;
}
-static int avrule_to_cil(int indent, struct policydb *pdb, uint32_t type, const char *src, const char *tgt, const char *object_name, uint8_t name_match, const struct class_perm_node *classperms)
+static int avrule_to_cil(int indent, struct policydb *pdb, uint32_t type, const char *src, const char *tgt, const char *object_name, const struct class_perm_node *classperms)
{
int rc = -1;
const char *rule;
const struct class_perm_node *classperm;
char *perms;
- const char *match_str = "";
switch (type) {
case AVRULE_ALLOWED:
@@ -599,24 +598,10 @@ static int avrule_to_cil(int indent, struct policydb *pdb, uint32_t type, const
pdb->p_class_val_to_name[classperm->tclass - 1],
perms + 1);
} else if (object_name) {
- switch (name_match) {
- case NAME_TRANS_MATCH_EXACT:
- match_str = "";
- break;
- case NAME_TRANS_MATCH_PREFIX:
- match_str = " prefix";
- break;
- case NAME_TRANS_MATCH_SUFFIX:
- match_str = " suffix";
- break;
- default:
- ERR(NULL, "Unknown name match type: %" PRIu8,
- name_match);
- }
- cil_println(indent, "(%s %s %s %s \"%s\"%s %s)",
+ cil_println(indent, "(%s %s %s %s \"%s\" %s)",
rule, src, tgt,
pdb->p_class_val_to_name[classperm->tclass - 1],
- object_name, match_str,
+ object_name,
pdb->p_type_val_to_name[classperm->data - 1]);
} else {
cil_println(indent, "(%s %s %s %s %s)",
@@ -1220,7 +1205,7 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a
if (avrule->specified & AVRULE_XPERMS) {
rc = avrulex_to_cil(indent, pdb, avrule->specified, snames[s], tnames[t], avrule->perms, avrule->xperms);
} else {
- rc = avrule_to_cil(indent, pdb, avrule->specified, snames[s], tnames[t], avrule->object_name, avrule->name_match, avrule->perms);
+ rc = avrule_to_cil(indent, pdb, avrule->specified, snames[s], tnames[t], avrule->object_name, avrule->perms);
}
if (rc != 0) {
goto exit;
@@ -1231,7 +1216,7 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a
if (avrule->specified & AVRULE_XPERMS) {
rc = avrulex_to_cil(indent, pdb, avrule->specified, snames[s], "self", avrule->perms, avrule->xperms);
} else {
- rc = avrule_to_cil(indent, pdb, avrule->specified, snames[s], "self", avrule->object_name, avrule->name_match, avrule->perms);
+ rc = avrule_to_cil(indent, pdb, avrule->specified, snames[s], "self", avrule->object_name, avrule->perms);
}
if (rc != 0) {
goto exit;
diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index 552eb77a..f1f6cec6 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -355,13 +355,6 @@ static const struct policydb_compat_info policydb_compat[] = {
.ocon_num = OCON_IBENDPORT + 1,
.target_platform = SEPOL_TARGET_SELINUX,
},
- {
- .type = POLICY_BASE,
- .version = MOD_POLICYDB_VERSION_PREFIX_SUFFIX,
- .sym_num = SYM_NUM,
- .ocon_num = OCON_IBENDPORT + 1,
- .target_platform = SEPOL_TARGET_SELINUX,
- },
{
.type = POLICY_MOD,
.version = MOD_POLICYDB_VERSION_BASE,
@@ -495,13 +488,6 @@ static const struct policydb_compat_info policydb_compat[] = {
.ocon_num = 0,
.target_platform = SEPOL_TARGET_SELINUX,
},
- {
- .type = POLICY_MOD,
- .version = MOD_POLICYDB_VERSION_PREFIX_SUFFIX,
- .sym_num = SYM_NUM,
- .ocon_num = 0,
- .target_platform = SEPOL_TARGET_SELINUX,
- },
};
#if 0
@@ -3185,7 +3171,6 @@ common_read, class_read, role_read, type_read, user_read,
static avrule_t *avrule_read(policydb_t * p, struct policy_file *fp)
{
unsigned int i;
- uint8_t buf8;
uint32_t buf[2], len;
class_perm_node_t *cur, *tail = NULL;
avrule_t *avrule;
@@ -3249,15 +3234,10 @@ static avrule_t *avrule_read(policydb_t * p, struct policy_file *fp)
if (rc < 0)
goto bad;
}
- if (p->policyvers >= MOD_POLICYDB_VERSION_PREFIX_SUFFIX) {
- rc = next_entry(&buf8, fp, sizeof(uint8_t));
- if (rc < 0)
- goto bad;
- avrule->name_match = buf8;
- }
}
if (avrule->specified & AVRULE_XPERMS) {
+ uint8_t buf8;
size_t nel = ARRAY_SIZE(avrule->xperms->perms);
uint32_t buf32[nel];
@@ -3566,7 +3546,6 @@ static int filename_trans_rule_read(policydb_t *p, avrule_t **r,
rc = str_read(&cur->object_name, fp, len);
if (rc)
return -1;
- cur->name_match = NAME_TRANS_MATCH_EXACT;
if (type_set_read(&cur->stypes, fp))
return -1;
diff --git a/libsepol/src/write.c b/libsepol/src/write.c
index f0ed9e33..df47197c 100644
--- a/libsepol/src/write.c
+++ b/libsepol/src/write.c
@@ -2071,7 +2071,6 @@ static int avrule_write(policydb_t *p, avrule_t * avrule,
struct policy_file *fp)
{
size_t items, items2;
- uint8_t buf8;
uint32_t buf[32], len;
class_perm_node_t *cur;
@@ -2079,11 +2078,6 @@ static int avrule_write(policydb_t *p, avrule_t * avrule,
if (p->policyvers < MOD_POLICYDB_VERSION_AVRULE_FTRANS &&
avrule->specified & AVRULE_TRANSITION && avrule->object_name)
return POLICYDB_SUCCESS;
- /* skip prefix/suffix name transition if writing older version */
- if (p->policyvers < MOD_POLICYDB_VERSION_PREFIX_SUFFIX &&
- avrule->specified & AVRULE_TRANSITION &&
- avrule->object_name && avrule->name_match != NAME_TRANS_MATCH_EXACT)
- return POLICYDB_SUCCESS;
if (p->policyvers < MOD_POLICYDB_VERSION_SELF_TYPETRANS &&
(avrule->specified & AVRULE_TYPE) &&
@@ -2142,17 +2136,12 @@ static int avrule_write(policydb_t *p, avrule_t * avrule,
if (items != len)
return POLICYDB_ERROR;
}
- if (p->policyvers >= MOD_POLICYDB_VERSION_PREFIX_SUFFIX) {
- buf8 = avrule->name_match;
- items = put_entry(&buf8, sizeof(uint8_t), 1, fp);
- if (items != 1)
- return POLICYDB_ERROR;
- }
}
if (avrule->specified & AVRULE_XPERMS) {
size_t nel = ARRAY_SIZE(avrule->xperms->perms);
uint32_t buf32[nel];
+ uint8_t buf8;
unsigned int i;
if (p->policyvers < MOD_POLICYDB_VERSION_XPERMS_IOCTL) {
@@ -2197,17 +2186,12 @@ static int avrule_write_list(policydb_t *p, avrule_t * avrules,
avrule = avrules;
len = 0;
- for (avrule = avrules; avrule; avrule = avrule->next) {
- if (p->policyvers < MOD_POLICYDB_VERSION_AVRULE_FTRANS &&
- (avrule->specified & AVTAB_TRANSITION) &&
- avrule->object_name)
- continue;
- if (p->policyvers < MOD_POLICYDB_VERSION_PREFIX_SUFFIX &&
- (avrule->specified & AVTAB_TRANSITION) &&
- avrule->object_name &&
- avrule->name_match != NAME_TRANS_MATCH_EXACT)
- continue;
- len++;
+ while (avrule) {
+ if (p->policyvers >= MOD_POLICYDB_VERSION_AVRULE_FTRANS ||
+ !(avrule->specified & AVRULE_TRANSITION &&
+ avrule->object_name))
+ len++;
+ avrule = avrule->next;
}
buf[0] = cpu_to_le32(len);
@@ -2315,8 +2299,7 @@ static int filename_trans_rule_write(policydb_t *p, avrule_t *rules,
class_perm_node_t *perm;
for (rule = rules; rule; rule = rule->next) {
- if (rule->specified & AVRULE_TRANSITION && rule->object_name &&
- rule->name_match == NAME_TRANS_MATCH_EXACT) {
+ if (rule->specified & AVRULE_TRANSITION && rule->object_name) {
for (perm = rule->perms; perm; perm = perm->next) {
nel++;
}
@@ -2329,9 +2312,7 @@ static int filename_trans_rule_write(policydb_t *p, avrule_t *rules,
return POLICYDB_ERROR;
for (rule = rules; rule; rule = rule->next) {
- if (!(rule->specified & AVRULE_TRANSITION &&
- rule->object_name &&
- rule->name_match == NAME_TRANS_MATCH_EXACT))
+ if (!(rule->specified & AVRULE_TRANSITION && rule->object_name))
continue;
len = strlen(rule->object_name);
for (perm = rule->perms; perm; perm = perm->next) {
@@ -2770,8 +2751,7 @@ int policydb_write(policydb_t * p, struct policy_file *fp)
if (p->policy_type == POLICY_KERN) {
if (avtab_write(p, &p->te_avtab, fp))
return POLICYDB_ERROR;
- if (p->policyvers < POLICYDB_VERSION_PREFIX_SUFFIX &&
- avtab_has_prefix_suffix_filename_transitions(&p->te_avtab)) {
+ if (avtab_has_prefix_suffix_filename_transitions(&p->te_avtab)) {
WARN(fp->handle,
"Discarding filename prefix/suffix type transition rules");
}
--
2.41.0
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 3/8] Revert "checkpolicy,libsepol: add prefix/suffix support to kernel policy"
2023-07-26 14:25 [PATCH 0/8] Revert the prefix/suffix filename transition patches James Carter
2023-07-26 14:25 ` [PATCH 1/8] Revert "libsepol/cil: add support for prefix/suffix filename transtions to CIL" James Carter
2023-07-26 14:25 ` [PATCH 2/8] Revert "checkpolicy,libsepol: add prefix/suffix support to module policy" James Carter
@ 2023-07-26 14:25 ` James Carter
2023-07-26 14:25 ` [PATCH 4/8] Revert "libsepol: implement new module binary format of avrule" James Carter
` (6 subsequent siblings)
9 siblings, 0 replies; 12+ messages in thread
From: James Carter @ 2023-07-26 14:25 UTC (permalink / raw)
To: selinux; +Cc: juraj, James Carter
This reverts commit 1174483d2924dc700673363b240fca2b9fe45786.
Signed-off-by: James Carter <jwcart2@gmail.com>
---
checkpolicy/test/dispol.c | 25 +----
libsepol/include/sepol/policydb/avtab.h | 2 -
libsepol/include/sepol/policydb/policydb.h | 9 +-
libsepol/src/avtab.c | 13 ---
libsepol/src/kernel_to_cil.c | 30 +-----
libsepol/src/kernel_to_common.h | 1 -
libsepol/src/kernel_to_conf.c | 30 +-----
libsepol/src/policydb.c | 7 --
libsepol/src/policydb_validate.c | 11 +-
libsepol/src/write.c | 113 ++++-----------------
10 files changed, 30 insertions(+), 211 deletions(-)
diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
index 776bf54d..861fa903 100644
--- a/checkpolicy/test/dispol.c
+++ b/checkpolicy/test/dispol.c
@@ -129,7 +129,6 @@ typedef struct {
avtab_key_t *key;
policydb_t *p;
FILE *fp;
- name_trans_match_t match;
} render_name_trans_args_t;
static int render_name_trans_helper(hashtab_key_t k, hashtab_datum_t d, void *a)
@@ -141,22 +140,7 @@ static int render_name_trans_helper(hashtab_key_t k, hashtab_datum_t d, void *a)
fprintf(args->fp, "type_transition ");
render_key(args->key, args->p, args->fp);
render_type(*otype, args->p, args->fp);
- const char *match_str = "";
- switch (args->match) {
- case NAME_TRANS_MATCH_EXACT:
- match_str = "";
- break;
- case NAME_TRANS_MATCH_PREFIX:
- match_str = " PREFIX";
- break;
- case NAME_TRANS_MATCH_SUFFIX:
- match_str = " SUFFIX";
- break;
- default:
- fprintf(args->fp, " ERROR: no valid name match type specified\n");
- return -1;
- }
- fprintf(args->fp, " \"%s\"%s;\n", name, match_str);
+ fprintf(args->fp, " \"%s\";\n", name);
return 0;
}
@@ -223,16 +207,9 @@ static int render_av_rule(avtab_key_t * key, avtab_datum_t * datum, uint32_t wha
.key = key,
.p = p,
.fp = fp,
- .match = NAME_TRANS_MATCH_EXACT,
};
hashtab_map(datum->trans->name_trans.table,
render_name_trans_helper, &args);
- args.match = NAME_TRANS_MATCH_PREFIX;
- hashtab_map(datum->trans->prefix_trans.table,
- render_name_trans_helper, &args);
- args.match = NAME_TRANS_MATCH_SUFFIX;
- hashtab_map(datum->trans->suffix_trans.table,
- render_name_trans_helper, &args);
}
if (key->specified & AVTAB_MEMBER) {
fprintf(fp, "type_member ");
diff --git a/libsepol/include/sepol/policydb/avtab.h b/libsepol/include/sepol/policydb/avtab.h
index 870fb08a..5dc720cc 100644
--- a/libsepol/include/sepol/policydb/avtab.h
+++ b/libsepol/include/sepol/policydb/avtab.h
@@ -74,8 +74,6 @@ typedef struct avtab_key {
typedef struct avtab_trans {
uint32_t otype; /* resulting type of the new object */
symtab_t name_trans; /* filename transitions */
- symtab_t prefix_trans; /* prefix filename transitions */
- symtab_t suffix_trans; /* prefix filename transitions */
} avtab_trans_t;
typedef struct avtab_extended_perms {
diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h
index a2df4a62..5efd0a47 100644
--- a/libsepol/include/sepol/policydb/policydb.h
+++ b/libsepol/include/sepol/policydb/policydb.h
@@ -252,12 +252,6 @@ typedef struct av_extended_perms {
uint32_t perms[EXTENDED_PERMS_LEN];
} av_extended_perms_t;
-typedef enum name_trans_match {
- NAME_TRANS_MATCH_EXACT,
- NAME_TRANS_MATCH_PREFIX,
- NAME_TRANS_MATCH_SUFFIX,
-} name_trans_match_t;
-
typedef struct avrule {
/* these typedefs are almost exactly the same as those in avtab.h - they are
* here because of the need to include neverallow and dontaudit messages */
@@ -729,11 +723,10 @@ extern int policydb_set_target_platform(policydb_t *p, int platform);
#define POLICYDB_VERSION_GLBLUB 32
#define POLICYDB_VERSION_COMP_FTRANS 33 /* compressed filename transitions */
#define POLICYDB_VERSION_AVTAB_FTRANS 34 /* filename transitions moved to avtab */
-#define POLICYDB_VERSION_PREFIX_SUFFIX 35 /* prefix/suffix support for filename transitions */
/* Range of policy versions we understand*/
#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
-#define POLICYDB_VERSION_MAX POLICYDB_VERSION_PREFIX_SUFFIX
+#define POLICYDB_VERSION_MAX POLICYDB_VERSION_AVTAB_FTRANS
/* Module versions and specific changes*/
#define MOD_POLICYDB_VERSION_BASE 4
diff --git a/libsepol/src/avtab.c b/libsepol/src/avtab.c
index 90cfb90b..2a9564ba 100644
--- a/libsepol/src/avtab.c
+++ b/libsepol/src/avtab.c
@@ -327,10 +327,6 @@ void avtab_trans_destroy(avtab_trans_t *trans)
{
hashtab_map(trans->name_trans.table, avtab_trans_destroy_helper, NULL);
symtab_destroy(&trans->name_trans);
- hashtab_map(trans->prefix_trans.table, avtab_trans_destroy_helper, NULL);
- symtab_destroy(&trans->prefix_trans);
- hashtab_map(trans->suffix_trans.table, avtab_trans_destroy_helper, NULL);
- symtab_destroy(&trans->suffix_trans);
}
void avtab_destroy(avtab_t * h)
@@ -524,15 +520,6 @@ static int avtab_trans_read(policy_file_t *fp, uint32_t vers,
if (rc < 0)
goto bad;
- if (vers >= POLICYDB_VERSION_PREFIX_SUFFIX) {
- rc = avtab_read_name_trans(fp, &trans->prefix_trans);
- if (rc < 0)
- goto bad;
- rc = avtab_read_name_trans(fp, &trans->suffix_trans);
- if (rc < 0)
- goto bad;
- }
-
return SEPOL_OK;
bad:
diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index 30a67017..8ed695f1 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
@@ -1705,24 +1705,9 @@ static int name_trans_to_strs_helper(hashtab_key_t k, hashtab_datum_t d, void *a
char *name = k;
uint32_t *otype = d;
name_trans_to_strs_args_t *args = a;
- const char *match_str = "";
- switch (args->match) {
- case NAME_TRANS_MATCH_EXACT:
- match_str = "";
- break;
- case NAME_TRANS_MATCH_PREFIX:
- match_str = " prefix";
- break;
- case NAME_TRANS_MATCH_SUFFIX:
- match_str = " suffix";
- break;
- default:
- ERR(NULL, "Unknown name match type: %" PRIu8, args->match);
- return SEPOL_ERR;
- }
- return strs_create_and_add(args->strs, "(%s %s %s %s \"%s\"%s %s)", 7,
+ return strs_create_and_add(args->strs, "(%s %s %s %s \"%s\" %s)", 6,
args->flavor, args->src, args->tgt,
- args->class, name, match_str,
+ args->class, name,
args->pdb->p_type_val_to_name[*otype - 1]);
}
@@ -1810,20 +1795,9 @@ static int avtab_node_to_strs(struct policydb *pdb, avtab_key_t *key, avtab_datu
.src = src,
.tgt = tgt,
.class = class,
- .match = NAME_TRANS_MATCH_EXACT,
};
rc = hashtab_map(datum->trans->name_trans.table,
name_trans_to_strs_helper, &args);
- if (rc < 0)
- return rc;
- args.match = NAME_TRANS_MATCH_PREFIX;
- rc = hashtab_map(datum->trans->prefix_trans.table,
- name_trans_to_strs_helper, &args);
- if (rc < 0)
- return rc;
- args.match = NAME_TRANS_MATCH_SUFFIX;
- rc = hashtab_map(datum->trans->suffix_trans.table,
- name_trans_to_strs_helper, &args);
} else {
new = pdb->p_type_val_to_name[data - 1];
diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h
index 07869e3d..b8ea237d 100644
--- a/libsepol/src/kernel_to_common.h
+++ b/libsepol/src/kernel_to_common.h
@@ -90,7 +90,6 @@ typedef struct {
const char *src;
const char *tgt;
const char *class;
- name_trans_match_t match;
} name_trans_to_strs_args_t;
void sepol_indent(FILE *out, int indent);
diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
index b1699b39..eb14ccf1 100644
--- a/libsepol/src/kernel_to_conf.c
+++ b/libsepol/src/kernel_to_conf.c
@@ -1683,26 +1683,11 @@ static int name_trans_to_strs_helper(hashtab_key_t k, hashtab_datum_t d, void *a
char *name = k;
uint32_t *otype = d;
name_trans_to_strs_args_t *args = a;
- const char *match_str = "";
- switch (args->match) {
- case NAME_TRANS_MATCH_EXACT:
- match_str = "";
- break;
- case NAME_TRANS_MATCH_PREFIX:
- match_str = " PREFIX";
- break;
- case NAME_TRANS_MATCH_SUFFIX:
- match_str = " SUFFIX";
- break;
- default:
- ERR(NULL, "Unknown name match type: %" PRIu8, args->match);
- return SEPOL_ERR;
- }
- return strs_create_and_add(args->strs, "%s %s %s:%s %s \"%s\"%s;", 7,
+ return strs_create_and_add(args->strs, "%s %s %s:%s %s \"%s\";", 6,
args->flavor, args->src, args->tgt,
args->class,
args->pdb->p_type_val_to_name[*otype - 1],
- name, match_str);
+ name);
}
static int avtab_node_to_strs(struct policydb *pdb, avtab_key_t *key, avtab_datum_t *datum, struct strs *strs)
@@ -1786,20 +1771,9 @@ static int avtab_node_to_strs(struct policydb *pdb, avtab_key_t *key, avtab_datu
.src = src,
.tgt = tgt,
.class = class,
- .match = NAME_TRANS_MATCH_EXACT,
};
rc = hashtab_map(datum->trans->name_trans.table,
name_trans_to_strs_helper, &args);
- if (rc < 0)
- return rc;
- args.match = NAME_TRANS_MATCH_PREFIX;
- rc = hashtab_map(datum->trans->prefix_trans.table,
- name_trans_to_strs_helper, &args);
- if (rc < 0)
- return rc;
- args.match = NAME_TRANS_MATCH_SUFFIX;
- rc = hashtab_map(datum->trans->suffix_trans.table,
- name_trans_to_strs_helper, &args);
} else {
new = pdb->p_type_val_to_name[data - 1];
diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index f1f6cec6..37bb97a1 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -215,13 +215,6 @@ static const struct policydb_compat_info policydb_compat[] = {
.ocon_num = OCON_IBENDPORT + 1,
.target_platform = SEPOL_TARGET_SELINUX,
},
- {
- .type = POLICY_KERN,
- .version = POLICYDB_VERSION_PREFIX_SUFFIX,
- .sym_num = SYM_NUM,
- .ocon_num = OCON_IBENDPORT + 1,
- .target_platform = SEPOL_TARGET_SELINUX,
- },
{
.type = POLICY_BASE,
.version = MOD_POLICYDB_VERSION_BASE,
diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
index 08b4a477..0b8e8eee 100644
--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@@ -855,18 +855,11 @@ static int validate_avtab_key_and_datum(avtab_key_t *k, avtab_datum_t *d, void *
/* also each transition must be non empty */
if (!d->trans->otype &&
- !hashtab_nel(d->trans->name_trans.table) &&
- !hashtab_nel(d->trans->name_trans.table) &&
- !hashtab_nel(d->trans->prefix_trans.table) &&
- !hashtab_nel(d->trans->suffix_trans.table))
+ !hashtab_nel(d->trans->name_trans.table))
return -1;
- /* and each name transition must be also valid */
+ /* and each filename transition must be also valid */
if (hashtab_map(d->trans->name_trans.table,
- validate_name_trans_helper, margs) ||
- hashtab_map(d->trans->prefix_trans.table,
- validate_name_trans_helper, margs) ||
- hashtab_map(d->trans->suffix_trans.table,
validate_name_trans_helper, margs))
return -1;
} else if ((k->specified & AVTAB_TYPE) && validate_simpletype(d->data, margs->policy, margs->flavors)) {
diff --git a/libsepol/src/write.c b/libsepol/src/write.c
index df47197c..d7f47c8d 100644
--- a/libsepol/src/write.c
+++ b/libsepol/src/write.c
@@ -133,43 +133,16 @@ static int avtab_trans_write(policydb_t *p, const avtab_trans_t *cur,
uint32_t buf32[2];
if (p->policyvers >= POLICYDB_VERSION_AVTAB_FTRANS) {
- /* write otype and number of name transitions */
+ /* write otype and number of filename transitions */
buf32[0] = cpu_to_le32(cur->otype);
buf32[1] = cpu_to_le32(hashtab_nel(cur->name_trans.table));
items = put_entry(buf32, sizeof(uint32_t), 2, fp);
if (items != 2)
return -1;
- /* write name transitions */
- if (hashtab_map(cur->name_trans.table,
- avtab_trans_write_helper, fp))
- return -1;
-
- if (p->policyvers >= POLICYDB_VERSION_PREFIX_SUFFIX) {
- /* write number of prefix transitions */
- buf32[0] = cpu_to_le32(hashtab_nel(
- cur->prefix_trans.table));
- items = put_entry(buf32, sizeof(uint32_t), 1, fp);
- if (items != 1)
- return -1;
-
- /* write prefix transitions */
- if (hashtab_map(cur->prefix_trans.table,
- avtab_trans_write_helper, fp))
- return -1;
-
- /* write number of suffix transitions */
- buf32[0] = cpu_to_le32(hashtab_nel(
- cur->suffix_trans.table));
- items = put_entry(buf32, sizeof(uint32_t), 1, fp);
- if (items != 1)
- return -1;
-
- /* write suffix transitions */
- if (hashtab_map(cur->suffix_trans.table,
- avtab_trans_write_helper, fp))
- return -1;
- }
+ /* write filename transitions */
+ return hashtab_map(cur->name_trans.table,
+ avtab_trans_write_helper, fp);
} else if (cur->otype) {
buf32[0] = cpu_to_le32(cur->otype);
items = put_entry(buf32, sizeof(uint32_t), 1, fp);
@@ -195,26 +168,14 @@ static int avtab_write_item(policydb_t * p,
/*
* skip entries which only contain filename transitions in versions
- * before filename transitions were moved to avtab,
- * skip entries which only contain prefix/suffix transitions in versions
- * before prefix/suffix filename transitions
+ * before filename transitions were moved to avtab
*/
- if (cur->key.specified & AVTAB_TRANSITION) {
- if (p->policyvers < POLICYDB_VERSION_AVTAB_FTRANS &&
- cur->key.specified & AVTAB_TRANSITION &&
- !cur->datum.trans->otype) {
- /*
- * if oldvers, reduce nel, because this node will be
- * skipped
- */
- if (oldvers && nel)
- (*nel)--;
- return 0;
- }
- if (p->policyvers < POLICYDB_VERSION_PREFIX_SUFFIX &&
- !cur->datum.trans->otype &&
- !hashtab_nel(cur->datum.trans->name_trans.table))
- return 0;
+ if (p->policyvers < POLICYDB_VERSION_AVTAB_FTRANS &&
+ cur->key.specified & AVTAB_TRANSITION && !cur->datum.trans->otype) {
+ /* if oldvers, reduce nel, because this node will be skipped */
+ if (oldvers && nel)
+ (*nel)--;
+ return 0;
}
if (oldvers) {
@@ -417,27 +378,17 @@ static int avtab_write(struct policydb *p, avtab_t * a, struct policy_file *fp)
* filename transitions.
*/
nel = a->nel;
- for (i = 0; i < a->nslot; i++) {
- for (cur = a->htable[i]; cur; cur = cur->next) {
- if (!(cur->key.specified & AVTAB_TRANSITION))
- continue;
- if (p->policyvers < POLICYDB_VERSION_AVTAB_FTRANS &&
- !cur->datum.trans->otype) {
- /*
- * entries containing only filename
- * transitions are skipped and written
- * out later
- */
- nel--;
- } else if (p->policyvers < POLICYDB_VERSION_PREFIX_SUFFIX &&
- !cur->datum.trans->otype &&
- !hashtab_nel(cur->datum.trans->name_trans.table)) {
- /*
- * entries containing only prefix/suffix
- * transitions are not supported in
- * previous versions
- */
- nel--;
+ if (p->policyvers < POLICYDB_VERSION_AVTAB_FTRANS) {
+ /*
+ * entries containing only filename transitions are
+ * skipped and written out later
+ */
+ for (i = 0; i < a->nslot; i++) {
+ for (cur = a->htable[i]; cur; cur = cur->next) {
+ if ((cur->key.specified
+ & AVTAB_TRANSITION) &&
+ !cur->datum.trans->otype)
+ nel--;
}
}
}
@@ -2569,22 +2520,6 @@ static int avtab_has_filename_transitions(avtab_t *a)
return 0;
}
-static int avtab_has_prefix_suffix_filename_transitions(avtab_t *a)
-{
- uint32_t i;
- struct avtab_node *cur;
- for (i = 0; i < a->nslot; i++) {
- for (cur = a->htable[i]; cur; cur = cur->next) {
- if (cur->key.specified & AVTAB_TRANSITION) {
- if (hashtab_nel(cur->datum.trans->prefix_trans.table)
- || hashtab_nel(cur->datum.trans->suffix_trans.table))
- return 1;
- }
- }
- }
- return 0;
-}
-
/*
* Write the configuration data in a policy database
* structure to a policy database binary representation
@@ -2751,10 +2686,6 @@ int policydb_write(policydb_t * p, struct policy_file *fp)
if (p->policy_type == POLICY_KERN) {
if (avtab_write(p, &p->te_avtab, fp))
return POLICYDB_ERROR;
- if (avtab_has_prefix_suffix_filename_transitions(&p->te_avtab)) {
- WARN(fp->handle,
- "Discarding filename prefix/suffix type transition rules");
- }
if (p->policyvers < POLICYDB_VERSION_BOOL) {
if (p->p_bools.nprim)
WARN(fp->handle, "Discarding "
--
2.41.0
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 4/8] Revert "libsepol: implement new module binary format of avrule"
2023-07-26 14:25 [PATCH 0/8] Revert the prefix/suffix filename transition patches James Carter
` (2 preceding siblings ...)
2023-07-26 14:25 ` [PATCH 3/8] Revert "checkpolicy,libsepol: add prefix/suffix support to kernel policy" James Carter
@ 2023-07-26 14:25 ` James Carter
2023-07-26 14:25 ` [PATCH 5/8] Revert "libsepol: implement new kernel binary format for avtab" James Carter
` (5 subsequent siblings)
9 siblings, 0 replies; 12+ messages in thread
From: James Carter @ 2023-07-26 14:25 UTC (permalink / raw)
To: selinux; +Cc: juraj, James Carter
This reverts commit 11013986ac484586e50ce318f4f10c1edf39e746.
Signed-off-by: James Carter <jwcart2@gmail.com>
---
libsepol/include/sepol/policydb/policydb.h | 3 +--
libsepol/src/policydb.c | 28 ----------------------
libsepol/src/write.c | 24 +++----------------
3 files changed, 4 insertions(+), 51 deletions(-)
diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h
index 5efd0a47..528c1cad 100644
--- a/libsepol/include/sepol/policydb/policydb.h
+++ b/libsepol/include/sepol/policydb/policydb.h
@@ -749,10 +749,9 @@ extern int policydb_set_target_platform(policydb_t *p, int platform);
#define MOD_POLICYDB_VERSION_INFINIBAND 19
#define MOD_POLICYDB_VERSION_GLBLUB 20
#define MOD_POLICYDB_VERSION_SELF_TYPETRANS 21
-#define MOD_POLICYDB_VERSION_AVRULE_FTRANS 22
#define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE
-#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_AVRULE_FTRANS
+#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_SELF_TYPETRANS
#define POLICYDB_CONFIG_MLS 1
diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index 37bb97a1..b15d4163 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -341,13 +341,6 @@ static const struct policydb_compat_info policydb_compat[] = {
.ocon_num = OCON_IBENDPORT + 1,
.target_platform = SEPOL_TARGET_SELINUX,
},
- {
- .type = POLICY_BASE,
- .version = MOD_POLICYDB_VERSION_AVRULE_FTRANS,
- .sym_num = SYM_NUM,
- .ocon_num = OCON_IBENDPORT + 1,
- .target_platform = SEPOL_TARGET_SELINUX,
- },
{
.type = POLICY_MOD,
.version = MOD_POLICYDB_VERSION_BASE,
@@ -474,13 +467,6 @@ static const struct policydb_compat_info policydb_compat[] = {
.ocon_num = 0,
.target_platform = SEPOL_TARGET_SELINUX,
},
- {
- .type = POLICY_MOD,
- .version = MOD_POLICYDB_VERSION_AVRULE_FTRANS,
- .sym_num = SYM_NUM,
- .ocon_num = 0,
- .target_platform = SEPOL_TARGET_SELINUX,
- },
};
#if 0
@@ -3216,19 +3202,6 @@ static avrule_t *avrule_read(policydb_t * p, struct policy_file *fp)
tail = cur;
}
- if (p->policyvers >= MOD_POLICYDB_VERSION_AVRULE_FTRANS &&
- avrule->specified & AVRULE_TRANSITION) {
- rc = next_entry(buf, fp, sizeof(uint32_t));
- if (rc < 0)
- goto bad;
- len = le32_to_cpu(*buf);
- if (len) {
- rc = str_read(&avrule->object_name, fp, len);
- if (rc < 0)
- goto bad;
- }
- }
-
if (avrule->specified & AVRULE_XPERMS) {
uint8_t buf8;
size_t nel = ARRAY_SIZE(avrule->xperms->perms);
@@ -3660,7 +3633,6 @@ static int avrule_decl_read(policydb_t * p, avrule_decl_t * decl,
}
if (p->policyvers >= MOD_POLICYDB_VERSION_FILENAME_TRANS &&
- p->policyvers < MOD_POLICYDB_VERSION_AVRULE_FTRANS &&
filename_trans_rule_read(p, &decl->avrules, fp))
return -1;
diff --git a/libsepol/src/write.c b/libsepol/src/write.c
index d7f47c8d..68495198 100644
--- a/libsepol/src/write.c
+++ b/libsepol/src/write.c
@@ -2025,9 +2025,8 @@ static int avrule_write(policydb_t *p, avrule_t * avrule,
uint32_t buf[32], len;
class_perm_node_t *cur;
- /* skip filename transitions if writing older version without name */
- if (p->policyvers < MOD_POLICYDB_VERSION_AVRULE_FTRANS &&
- avrule->specified & AVRULE_TRANSITION && avrule->object_name)
+ /* skip filename transitions for now */
+ if (avrule->specified & AVRULE_TRANSITION && avrule->object_name)
return POLICYDB_SUCCESS;
if (p->policyvers < MOD_POLICYDB_VERSION_SELF_TYPETRANS &&
@@ -2074,21 +2073,6 @@ static int avrule_write(policydb_t *p, avrule_t * avrule,
cur = cur->next;
}
- if (p->policyvers >= MOD_POLICYDB_VERSION_AVRULE_FTRANS &&
- avrule->specified & AVRULE_TRANSITION) {
- len = avrule->object_name ? strlen(avrule->object_name) : 0;
- *buf = cpu_to_le32(len);
- items = put_entry(buf, sizeof(uint32_t), 1, fp);
- if (items != 1)
- return POLICYDB_ERROR;
- if (avrule->object_name) {
- items = put_entry(avrule->object_name, sizeof(char),
- len, fp);
- if (items != len)
- return POLICYDB_ERROR;
- }
- }
-
if (avrule->specified & AVRULE_XPERMS) {
size_t nel = ARRAY_SIZE(avrule->xperms->perms);
uint32_t buf32[nel];
@@ -2138,8 +2122,7 @@ static int avrule_write_list(policydb_t *p, avrule_t * avrules,
avrule = avrules;
len = 0;
while (avrule) {
- if (p->policyvers >= MOD_POLICYDB_VERSION_AVRULE_FTRANS ||
- !(avrule->specified & AVRULE_TRANSITION &&
+ if (!(avrule->specified & AVRULE_TRANSITION &&
avrule->object_name))
len++;
avrule = avrule->next;
@@ -2374,7 +2357,6 @@ static int avrule_decl_write(avrule_decl_t * decl, int num_scope_syms,
}
if (p->policyvers >= MOD_POLICYDB_VERSION_FILENAME_TRANS &&
- p->policyvers < MOD_POLICYDB_VERSION_AVRULE_FTRANS &&
filename_trans_rule_write(p, decl->avrules, fp))
return POLICYDB_ERROR;
--
2.41.0
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 5/8] Revert "libsepol: implement new kernel binary format for avtab"
2023-07-26 14:25 [PATCH 0/8] Revert the prefix/suffix filename transition patches James Carter
` (3 preceding siblings ...)
2023-07-26 14:25 ` [PATCH 4/8] Revert "libsepol: implement new module binary format of avrule" James Carter
@ 2023-07-26 14:25 ` James Carter
2023-07-26 14:25 ` [PATCH 6/8] Revert "checkpolicy,libsepol: move filename transition rules to avrule" James Carter
` (4 subsequent siblings)
9 siblings, 0 replies; 12+ messages in thread
From: James Carter @ 2023-07-26 14:25 UTC (permalink / raw)
To: selinux; +Cc: juraj, James Carter
This reverts commit 7b77edd91946d8a415cddc596765d8c2e8bd6f63.
Signed-off-by: James Carter <jwcart2@gmail.com>
---
libsepol/include/sepol/policydb/policydb.h | 3 +-
libsepol/src/avtab.c | 88 ++--------------------
libsepol/src/policydb.c | 8 --
libsepol/src/write.c | 86 ++++-----------------
4 files changed, 21 insertions(+), 164 deletions(-)
diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h
index 528c1cad..d30f26af 100644
--- a/libsepol/include/sepol/policydb/policydb.h
+++ b/libsepol/include/sepol/policydb/policydb.h
@@ -722,11 +722,10 @@ extern int policydb_set_target_platform(policydb_t *p, int platform);
#define POLICYDB_VERSION_INFINIBAND 31 /* Linux-specific */
#define POLICYDB_VERSION_GLBLUB 32
#define POLICYDB_VERSION_COMP_FTRANS 33 /* compressed filename transitions */
-#define POLICYDB_VERSION_AVTAB_FTRANS 34 /* filename transitions moved to avtab */
/* Range of policy versions we understand*/
#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
-#define POLICYDB_VERSION_MAX POLICYDB_VERSION_AVTAB_FTRANS
+#define POLICYDB_VERSION_MAX POLICYDB_VERSION_COMP_FTRANS
/* Module versions and specific changes*/
#define MOD_POLICYDB_VERSION_BASE 4
diff --git a/libsepol/src/avtab.c b/libsepol/src/avtab.c
index 2a9564ba..eef259cf 100644
--- a/libsepol/src/avtab.c
+++ b/libsepol/src/avtab.c
@@ -446,87 +446,6 @@ void avtab_hash_eval(avtab_t * h, char *tag)
tag, h->nel, slots_used, h->nslot, max_chain_len);
}
-static int avtab_read_name_trans(policy_file_t *fp, symtab_t *target)
-{
- int rc;
- uint32_t buf32[2], nel, i, len, *otype = NULL;
- char *name = NULL;
-
- /* read number of name transitions */
- rc = next_entry(buf32, fp, sizeof(uint32_t) * 1);
- if (rc < 0)
- return rc;
- nel = le32_to_cpu(buf32[0]);
-
- rc = symtab_init(target, nel);
- if (rc < 0)
- return rc;
-
- /* read name transitions */
- for (i = 0; i < nel; i++) {
- rc = SEPOL_ENOMEM;
- otype = malloc(sizeof(uint32_t));
- if (!otype)
- goto exit;
-
- /* read name transition otype and name length */
- rc = next_entry(buf32, fp, sizeof(uint32_t) * 2);
- if (rc < 0)
- goto exit;
- *otype = le32_to_cpu(buf32[0]);
- len = le32_to_cpu(buf32[1]);
-
- /* read the name */
- rc = str_read(&name, fp, len);
- if (rc < 0)
- goto exit;
-
- rc = hashtab_insert(target->table, name, otype);
- if (rc < 0)
- goto exit;
- otype = NULL;
- name = NULL;
- }
-
-exit:
- free(otype);
- free(name);
- return rc;
-}
-
-static int avtab_trans_read(policy_file_t *fp, uint32_t vers,
- avtab_trans_t *trans)
-{
- int rc;
- uint32_t buf32[1];
-
- if (vers < POLICYDB_VERSION_AVTAB_FTRANS) {
- rc = next_entry(buf32, fp, sizeof(uint32_t));
- if (rc < 0) {
- ERR(fp->handle, "truncated entry");
- return SEPOL_ERR;
- }
- trans->otype = le32_to_cpu(*buf32);
- return SEPOL_OK;
- }
-
- /* read otype */
- rc = next_entry(buf32, fp, sizeof(uint32_t) * 1);
- if (rc < 0)
- return rc;
- trans->otype = le32_to_cpu(buf32[0]);
-
- rc = avtab_read_name_trans(fp, &trans->name_trans);
- if (rc < 0)
- goto bad;
-
- return SEPOL_OK;
-
-bad:
- avtab_trans_destroy(trans);
- return rc;
-}
-
/* Ordering of datums in the original avtab format in the policy file. */
static const uint16_t spec_order[] = {
AVTAB_ALLOWED,
@@ -690,9 +609,12 @@ int avtab_read_item(struct policy_file *fp, uint32_t vers, avtab_t * a,
xperms.perms[i] = le32_to_cpu(buf32[i]);
datum.xperms = &xperms;
} else if (key.specified & AVTAB_TRANSITION) {
- rc = avtab_trans_read(fp, vers, &trans);
- if (rc < 0)
+ rc = next_entry(buf32, fp, sizeof(uint32_t));
+ if (rc < 0) {
+ ERR(fp->handle, "truncated entry");
return -1;
+ }
+ trans.otype = le32_to_cpu(*buf32);
datum.trans = &trans;
} else {
rc = next_entry(buf32, fp, sizeof(uint32_t));
diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index b15d4163..4913ee21 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -208,13 +208,6 @@ static const struct policydb_compat_info policydb_compat[] = {
.ocon_num = OCON_IBENDPORT + 1,
.target_platform = SEPOL_TARGET_SELINUX,
},
- {
- .type = POLICY_KERN,
- .version = POLICYDB_VERSION_AVTAB_FTRANS,
- .sym_num = SYM_NUM,
- .ocon_num = OCON_IBENDPORT + 1,
- .target_platform = SEPOL_TARGET_SELINUX,
- },
{
.type = POLICY_BASE,
.version = MOD_POLICYDB_VERSION_BASE,
@@ -4106,7 +4099,6 @@ int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose)
if (role_allow_read(&p->role_allow, fp))
goto bad;
if (r_policyvers >= POLICYDB_VERSION_FILENAME_TRANS &&
- r_policyvers < POLICYDB_VERSION_AVTAB_FTRANS &&
avtab_filename_trans_read(fp, r_policyvers, &p->te_avtab))
goto bad;
} else {
diff --git a/libsepol/src/write.c b/libsepol/src/write.c
index 68495198..2035b350 100644
--- a/libsepol/src/write.c
+++ b/libsepol/src/write.c
@@ -102,56 +102,6 @@ static uint16_t spec_order[] = {
AVTAB_MEMBER
};
-static int avtab_trans_write_helper(hashtab_key_t hkey, hashtab_datum_t hdatum,
- void *fp)
-{
- char *name = hkey;
- uint32_t *otype = hdatum;
- uint32_t buf32[2], len;
- size_t items;
-
- /* write filename transition otype and name length */
- len = strlen(name);
- buf32[0] = cpu_to_le32(*otype);
- buf32[1] = cpu_to_le32(len);
- items = put_entry(buf32, sizeof(uint32_t), 2, fp);
- if (items != 2)
- return -1;
-
- /* write filename transition name */
- items = put_entry(name, sizeof(char), len, fp);
- if (items != len)
- return -1;
-
- return 0;
-}
-
-static int avtab_trans_write(policydb_t *p, const avtab_trans_t *cur,
- policy_file_t *fp)
-{
- size_t items;
- uint32_t buf32[2];
-
- if (p->policyvers >= POLICYDB_VERSION_AVTAB_FTRANS) {
- /* write otype and number of filename transitions */
- buf32[0] = cpu_to_le32(cur->otype);
- buf32[1] = cpu_to_le32(hashtab_nel(cur->name_trans.table));
- items = put_entry(buf32, sizeof(uint32_t), 2, fp);
- if (items != 2)
- return -1;
-
- /* write filename transitions */
- return hashtab_map(cur->name_trans.table,
- avtab_trans_write_helper, fp);
- } else if (cur->otype) {
- buf32[0] = cpu_to_le32(cur->otype);
- items = put_entry(buf32, sizeof(uint32_t), 1, fp);
- if (items != 1)
- return -1;
- }
- return 0;
-}
-
static int avtab_write_item(policydb_t * p,
avtab_ptr_t cur, struct policy_file *fp,
unsigned merge, unsigned commit, uint32_t * nel)
@@ -166,12 +116,8 @@ static int avtab_write_item(policydb_t * p,
&& p->policyvers < POLICYDB_VERSION_AVTAB);
unsigned int i;
- /*
- * skip entries which only contain filename transitions in versions
- * before filename transitions were moved to avtab
- */
- if (p->policyvers < POLICYDB_VERSION_AVTAB_FTRANS &&
- cur->key.specified & AVTAB_TRANSITION && !cur->datum.trans->otype) {
+ /* skip entries which only contain filename transitions */
+ if (cur->key.specified & AVTAB_TRANSITION && !cur->datum.trans->otype) {
/* if oldvers, reduce nel, because this node will be skipped */
if (oldvers && nel)
(*nel)--;
@@ -325,7 +271,9 @@ static int avtab_write_item(policydb_t * p,
if (items != 8)
return POLICYDB_ERROR;
} else if (cur->key.specified & AVTAB_TRANSITION) {
- if (avtab_trans_write(p, cur->datum.trans, fp) < 0)
+ buf32[0] = cpu_to_le32(cur->datum.trans->otype);
+ items = put_entry(buf32, sizeof(uint32_t), 1, fp);
+ if (items != 1)
return POLICYDB_ERROR;
} else {
buf32[0] = cpu_to_le32(cur->datum.data);
@@ -378,18 +326,15 @@ static int avtab_write(struct policydb *p, avtab_t * a, struct policy_file *fp)
* filename transitions.
*/
nel = a->nel;
- if (p->policyvers < POLICYDB_VERSION_AVTAB_FTRANS) {
- /*
- * entries containing only filename transitions are
- * skipped and written out later
- */
- for (i = 0; i < a->nslot; i++) {
- for (cur = a->htable[i]; cur; cur = cur->next) {
- if ((cur->key.specified
- & AVTAB_TRANSITION) &&
- !cur->datum.trans->otype)
- nel--;
- }
+ /*
+ * entries containing only filename transitions are skipped and
+ * written out later
+ */
+ for (i = 0; i < a->nslot; i++) {
+ for (cur = a->htable[i]; cur; cur = cur->next) {
+ if (cur->key.specified & AVTAB_TRANSITION &&
+ !cur->datum.trans->otype)
+ nel--;
}
}
nel = cpu_to_le32(nel);
@@ -2681,8 +2626,7 @@ int policydb_write(policydb_t * p, struct policy_file *fp)
if (role_allow_write(p->role_allow, fp))
return POLICYDB_ERROR;
if (p->policyvers >= POLICYDB_VERSION_FILENAME_TRANS) {
- if (p->policyvers < POLICYDB_VERSION_AVTAB_FTRANS &&
- avtab_filename_trans_write(p, &p->te_avtab, fp))
+ if (avtab_filename_trans_write(p, &p->te_avtab, fp))
return POLICYDB_ERROR;
} else if (avtab_has_filename_transitions(&p->te_avtab)) {
WARN(fp->handle,
--
2.41.0
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 6/8] Revert "checkpolicy,libsepol: move filename transition rules to avrule"
2023-07-26 14:25 [PATCH 0/8] Revert the prefix/suffix filename transition patches James Carter
` (4 preceding siblings ...)
2023-07-26 14:25 ` [PATCH 5/8] Revert "libsepol: implement new kernel binary format for avtab" James Carter
@ 2023-07-26 14:25 ` James Carter
2023-07-26 14:25 ` [PATCH 7/8] Revert "checkpolicy,libsepol: move filename transitions to avtab" James Carter
` (3 subsequent siblings)
9 siblings, 0 replies; 12+ messages in thread
From: James Carter @ 2023-07-26 14:25 UTC (permalink / raw)
To: selinux; +Cc: juraj, James Carter
This reverts commit 565d87489bc00cab2e624aae1a40872d2a2232ba.
Signed-off-by: James Carter <jwcart2@gmail.com>
---
checkpolicy/checkpolicy.c | 9 +
checkpolicy/module_compiler.c | 12 ++
checkpolicy/module_compiler.h | 1 +
checkpolicy/policy_define.c | 215 ++++++++++++++++++---
checkpolicy/policy_define.h | 3 +-
checkpolicy/policy_parse.y | 8 +-
checkpolicy/test/dismod.c | 25 ++-
libsepol/cil/src/cil_binary.c | 2 -
libsepol/include/sepol/policydb/policydb.h | 16 +-
libsepol/src/avrule_block.c | 1 +
libsepol/src/expand.c | 132 +++++++++----
libsepol/src/link.c | 56 +++++-
libsepol/src/module_to_cil.c | 71 ++++++-
libsepol/src/policydb.c | 70 +++++--
libsepol/src/policydb_validate.c | 27 +++
libsepol/src/write.c | 86 ++++-----
16 files changed, 580 insertions(+), 154 deletions(-)
diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
index 623ba8b2..83000bcb 100644
--- a/checkpolicy/checkpolicy.c
+++ b/checkpolicy/checkpolicy.c
@@ -615,6 +615,15 @@ int main(int argc, char **argv)
parse_policy.mls = mlspol;
parse_policy.handle_unknown = handle_unknown;
+ /*
+ * Init and alloc te_avtab for filename transition duplicate
+ * checking
+ */
+ if (avtab_init(&parse_policy.te_avtab))
+ exit(1);
+ if (avtab_alloc(&parse_policy.te_avtab, 1 << 11))
+ exit(1);
+
policydbp = &parse_policy;
if (read_source_policy(policydbp, file, "checkpolicy") < 0)
diff --git a/checkpolicy/module_compiler.c b/checkpolicy/module_compiler.c
index 5fe1729a..3188af89 100644
--- a/checkpolicy/module_compiler.c
+++ b/checkpolicy/module_compiler.c
@@ -1278,6 +1278,18 @@ void append_role_allow(role_allow_rule_t * role_allow_rules)
decl->role_allow_rules = role_allow_rules;
}
+/* this doesn't actually append, but really prepends it */
+void append_filename_trans(filename_trans_rule_t * filename_trans_rules)
+{
+ avrule_decl_t *decl = stack_top->decl;
+
+ /* filename transitions are not allowed within conditionals */
+ assert(stack_top->type == 1);
+
+ filename_trans_rules->next = decl->filename_trans_rules;
+ decl->filename_trans_rules = filename_trans_rules;
+}
+
/* this doesn't actually append, but really prepends it */
void append_range_trans(range_trans_rule_t * range_tr_rules)
{
diff --git a/checkpolicy/module_compiler.h b/checkpolicy/module_compiler.h
index 6f8bb9b9..29b824b4 100644
--- a/checkpolicy/module_compiler.h
+++ b/checkpolicy/module_compiler.h
@@ -83,6 +83,7 @@ void append_avrule(avrule_t * avrule);
void append_role_trans(role_trans_rule_t * role_tr_rules);
void append_role_allow(role_allow_rule_t * role_allow_rules);
void append_range_trans(range_trans_rule_t * range_tr_rules);
+void append_filename_trans(filename_trans_rule_t * filename_trans_rules);
/* Create a new optional block and add it to the global policy.
* During the second pass resolve the block's requirements. Return 0
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index 25dbf25d..dc2ee8f3 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -1601,7 +1601,7 @@ static int set_types(type_set_t * set, char *id, int *add, char starallowed)
return -1;
}
-static int define_compute_type_helper(int which, avrule_t ** rule, int has_filename)
+static int define_compute_type_helper(int which, avrule_t ** rule)
{
char *id;
type_datum_t *datum;
@@ -1669,14 +1669,6 @@ static int define_compute_type_helper(int which, avrule_t ** rule, int has_filen
}
free(id);
- if (has_filename) {
- avrule->object_name = queue_remove(id_queue);
- if (!avrule->object_name) {
- yyerror("no object_name?");
- goto bad;
- }
- }
-
ebitmap_for_each_positive_bit(&tclasses, node, i) {
perm = malloc(sizeof(class_perm_node_t));
if (!perm) {
@@ -1700,7 +1692,7 @@ static int define_compute_type_helper(int which, avrule_t ** rule, int has_filen
return -1;
}
-int define_compute_type(int which, int has_filename)
+int define_compute_type(int which)
{
char *id;
avrule_t *avrule;
@@ -1714,14 +1706,10 @@ int define_compute_type(int which, int has_filename)
free(id);
id = queue_remove(id_queue);
free(id);
- if (has_filename) {
- id = queue_remove(id_queue);
- free(id);
- }
return 0;
}
- if (define_compute_type_helper(which, &avrule, has_filename))
+ if (define_compute_type_helper(which, &avrule))
return -1;
append_avrule(avrule);
@@ -1745,7 +1733,7 @@ avrule_t *define_cond_compute_type(int which)
return (avrule_t *) 1;
}
- if (define_compute_type_helper(which, &avrule, 0))
+ if (define_compute_type_helper(which, &avrule))
return COND_ERR;
return avrule;
@@ -2387,13 +2375,6 @@ static int avrule_cpy(avrule_t *dest, const avrule_t *src)
yyerror("out of memory");
return -1;
}
- if (src->object_name) {
- dest->object_name = strdup(src->object_name);
- if (!dest->object_name) {
- yyerror("out of memory");
- return -1;
- }
- }
dest->line = src->line;
dest->source_filename = strdup(source_file);
if (!dest->source_filename) {
@@ -3362,6 +3343,194 @@ avrule_t *define_cond_filename_trans(void)
return COND_ERR;
}
+int define_filename_trans(void)
+{
+ char *id, *name = NULL;
+ type_set_t stypes, ttypes;
+ ebitmap_t e_stypes, e_ttypes;
+ ebitmap_t e_tclasses;
+ ebitmap_node_t *snode, *tnode, *cnode;
+ filename_trans_rule_t *ftr;
+ type_datum_t *typdatum;
+ avtab_key_t avt_key;
+ uint32_t otype;
+ unsigned int c, s, t;
+ int add, self, rc;
+
+ if (pass == 1) {
+ /* stype */
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ /* ttype */
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ /* tclass */
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ /* otype */
+ id = queue_remove(id_queue);
+ free(id);
+ /* name */
+ id = queue_remove(id_queue);
+ free(id);
+ return 0;
+ }
+
+ type_set_init(&stypes);
+ type_set_init(&ttypes);
+ ebitmap_init(&e_stypes);
+ ebitmap_init(&e_ttypes);
+ ebitmap_init(&e_tclasses);
+
+ add = 1;
+ while ((id = queue_remove(id_queue))) {
+ if (set_types(&stypes, id, &add, 0))
+ goto bad;
+ }
+
+ self = 0;
+ add = 1;
+ while ((id = queue_remove(id_queue))) {
+ if (strcmp(id, "self") == 0) {
+ free(id);
+ if (add == 0) {
+ yyerror("-self is not supported");
+ goto bad;
+ }
+ self = 1;
+ continue;
+ }
+ if (set_types(&ttypes, id, &add, 0))
+ goto bad;
+ }
+
+ if (read_classes(&e_tclasses))
+ goto bad;
+
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror("no otype in transition definition?");
+ goto bad;
+ }
+ if (!is_id_in_scope(SYM_TYPES, id)) {
+ yyerror2("type %s is not within scope", id);
+ free(id);
+ goto bad;
+ }
+ typdatum = hashtab_search(policydbp->p_types.table, id);
+ if (!typdatum) {
+ yyerror2("unknown type %s used in transition definition", id);
+ free(id);
+ goto bad;
+ }
+ free(id);
+ otype = typdatum->s.value;
+
+ name = queue_remove(id_queue);
+ if (!name) {
+ yyerror("no pathname specified in filename_trans definition?");
+ goto bad;
+ }
+
+ /* We expand the class set into separate rules. We expand the types
+ * just to make sure there are not duplicates. They will get turned
+ * into separate rules later */
+ if (type_set_expand(&stypes, &e_stypes, policydbp, 1))
+ goto bad;
+
+ if (type_set_expand(&ttypes, &e_ttypes, policydbp, 1))
+ goto bad;
+
+ ebitmap_for_each_positive_bit(&e_tclasses, cnode, c) {
+ ebitmap_for_each_positive_bit(&e_stypes, snode, s) {
+ ebitmap_for_each_positive_bit(&e_ttypes, tnode, t) {
+ avt_key.specified = AVTAB_TRANSITION;
+ avt_key.source_type = s + 1;
+ avt_key.target_type = t + 1;
+ avt_key.target_class = c + 1;
+ rc = avtab_insert_filename_trans(
+ &policydbp->te_avtab, &avt_key, otype,
+ name, NULL
+ );
+ if (rc != SEPOL_OK) {
+ if (rc == SEPOL_EEXIST) {
+ yyerror2("duplicate filename transition for: filename_trans %s %s %s:%s",
+ name,
+ policydbp->p_type_val_to_name[s],
+ policydbp->p_type_val_to_name[t],
+ policydbp->p_class_val_to_name[c]);
+ goto bad;
+ }
+ yyerror("out of memory");
+ goto bad;
+ }
+ }
+ if (self) {
+ avt_key.specified = AVTAB_TRANSITION;
+ avt_key.source_type = s + 1;
+ avt_key.target_type = t + 1;
+ avt_key.target_class = c + 1;
+ rc = avtab_insert_filename_trans(
+ &policydbp->te_avtab, &avt_key, otype,
+ name, NULL
+ );
+ if (rc != SEPOL_OK) {
+ if (rc == SEPOL_EEXIST) {
+ yyerror2("duplicate filename transition for: filename_trans %s %s %s:%s",
+ name,
+ policydbp->p_type_val_to_name[s],
+ policydbp->p_type_val_to_name[s],
+ policydbp->p_class_val_to_name[c]);
+ goto bad;
+ }
+ yyerror("out of memory");
+ goto bad;
+ }
+ }
+ }
+
+ /* Now add the real rule since we didn't find any duplicates */
+ ftr = malloc(sizeof(*ftr));
+ if (!ftr) {
+ yyerror("out of memory");
+ goto bad;
+ }
+ filename_trans_rule_init(ftr);
+ append_filename_trans(ftr);
+
+ ftr->name = strdup(name);
+ if (type_set_cpy(&ftr->stypes, &stypes)) {
+ yyerror("out of memory");
+ goto bad;
+ }
+ if (type_set_cpy(&ftr->ttypes, &ttypes)) {
+ yyerror("out of memory");
+ goto bad;
+ }
+ ftr->tclass = c + 1;
+ ftr->otype = otype;
+ ftr->flags = self ? RULE_SELF : 0;
+ }
+
+ free(name);
+ ebitmap_destroy(&e_stypes);
+ ebitmap_destroy(&e_ttypes);
+ ebitmap_destroy(&e_tclasses);
+ type_set_destroy(&stypes);
+ type_set_destroy(&ttypes);
+
+ return 0;
+
+bad:
+ free(name);
+ ebitmap_destroy(&e_stypes);
+ ebitmap_destroy(&e_ttypes);
+ ebitmap_destroy(&e_tclasses);
+ type_set_destroy(&stypes);
+ type_set_destroy(&ttypes);
+ return -1;
+}
+
static constraint_expr_t *constraint_expr_clone(const constraint_expr_t * expr)
{
constraint_expr_t *h = NULL, *l = NULL, *newe;
diff --git a/checkpolicy/policy_define.h b/checkpolicy/policy_define.h
index 5d0f70e4..50a7ba78 100644
--- a/checkpolicy/policy_define.h
+++ b/checkpolicy/policy_define.h
@@ -28,7 +28,7 @@ int define_default_role(int which);
int define_default_type(int which);
int define_default_range(int which);
int define_common_perms(void);
-int define_compute_type(int which, int has_filename);
+int define_compute_type(int which);
int define_conditional(cond_expr_t *expr, avrule_t *t_list, avrule_t *f_list );
int define_constraint(constraint_expr_t *expr);
int define_dominance(void);
@@ -57,6 +57,7 @@ int define_role_trans(int class_specified);
int define_role_types(void);
int define_role_attr(void);
int define_roleattribute(void);
+int define_filename_trans(void);
int define_sens(void);
int define_te_avtab(int which);
int define_te_avtab_extended_perms(int which);
diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
index 2a14fc1e..da32a776 100644
--- a/checkpolicy/policy_parse.y
+++ b/checkpolicy/policy_parse.y
@@ -451,13 +451,13 @@ cond_dontaudit_def : DONTAUDIT names names ':' names names ';'
;
;
transition_def : TYPE_TRANSITION names names ':' names identifier filename ';'
- {if (define_compute_type(AVRULE_TRANSITION, 1)) return -1; }
+ {if (define_filename_trans()) return -1; }
| TYPE_TRANSITION names names ':' names identifier ';'
- {if (define_compute_type(AVRULE_TRANSITION, 0)) return -1;}
+ {if (define_compute_type(AVRULE_TRANSITION)) return -1;}
| TYPE_MEMBER names names ':' names identifier ';'
- {if (define_compute_type(AVRULE_MEMBER, 0)) return -1;}
+ {if (define_compute_type(AVRULE_MEMBER)) return -1;}
| TYPE_CHANGE names names ':' names identifier ';'
- {if (define_compute_type(AVRULE_CHANGE, 0)) return -1;}
+ {if (define_compute_type(AVRULE_CHANGE)) return -1;}
;
range_trans_def : RANGE_TRANSITION names names mls_range_def ';'
{ if (define_range_trans(0)) return -1; }
diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c
index 8bab207c..fa7117f5 100644
--- a/checkpolicy/test/dismod.c
+++ b/checkpolicy/test/dismod.c
@@ -50,6 +50,7 @@
#define DISPLAY_AVBLOCK_ROLE_ALLOW 4
#define DISPLAY_AVBLOCK_REQUIRES 5
#define DISPLAY_AVBLOCK_DECLARES 6
+#define DISPLAY_AVBLOCK_FILENAME_TRANS 7
static policydb_t policydb;
@@ -86,6 +87,7 @@ static struct command {
{CMD, 'c', "Display policy capabilities"},
{CMD|NOOPT, 'l', "Link in a module"},
{CMD, 'u', "Display the unknown handling setting"},
+ {CMD, 'F', "Display filename_trans rules"},
{CMD, 'v', "display the version of policy and/or module"},
{HEADER, 0, ""},
{CMD|NOOPT, 'f', "set output file"},
@@ -343,8 +345,6 @@ static int display_avrule(avrule_t * avrule, policydb_t * policy,
policy, fp);
} else if (avrule->specified & AVRULE_TYPE) {
display_id(policy, fp, SYM_TYPES, avrule->perms->data - 1, "");
- if (avrule->object_name)
- fprintf(fp, " \"%s\"", avrule->object_name);
} else if (avrule->specified & AVRULE_XPERMS) {
avtab_extended_perms_t xperms;
int i;
@@ -562,6 +562,18 @@ static void display_role_allow(role_allow_rule_t * ra, policydb_t * p, FILE * fp
}
}
+static void display_filename_trans(filename_trans_rule_t * tr, policydb_t * p, FILE * fp)
+{
+ fprintf(fp, "filename transition");
+ for (; tr; tr = tr->next) {
+ display_type_set(&tr->stypes, 0, p, fp);
+ display_type_set(&tr->ttypes, 0, p, fp);
+ display_id(p, fp, SYM_CLASSES, tr->tclass - 1, ":");
+ display_id(p, fp, SYM_TYPES, tr->otype - 1, "");
+ fprintf(fp, " %s\n", tr->name);
+ }
+}
+
static int role_display_callback(hashtab_key_t key __attribute__((unused)),
hashtab_datum_t datum, void *data)
{
@@ -726,6 +738,10 @@ static int display_avdecl(avrule_decl_t * decl, int field,
}
break;
}
+ case DISPLAY_AVBLOCK_FILENAME_TRANS:
+ display_filename_trans(decl->filename_trans_rules, policy,
+ out_fp);
+ break;
default:{
assert(0);
}
@@ -1059,6 +1075,11 @@ int main(int argc, char **argv)
if (out_fp != stdout)
printf("\nOutput to file: %s\n", OutfileName);
break;
+ case 'F':
+ fprintf(out_fp, "filename_trans rules:\n");
+ display_avblock(DISPLAY_AVBLOCK_FILENAME_TRANS,
+ &policydb, out_fp);
+ break;
case 'l':
link_module(&policydb, out_fp, ops? 0: 1);
break;
diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index 996bad70..7150d405 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@@ -4650,7 +4650,6 @@ static avrule_t *__cil_init_sepol_avrule(uint32_t kind, struct cil_tree_node *no
__cil_init_sepol_type_set(&avrule->stypes);
__cil_init_sepol_type_set(&avrule->ttypes);
avrule->perms = NULL;
- avrule->object_name = NULL;
avrule->line = node->line;
avrule->source_filename = NULL;
@@ -4677,7 +4676,6 @@ static void __cil_destroy_sepol_avrules(avrule_t *curr)
ebitmap_destroy(&curr->stypes.negset);
ebitmap_destroy(&curr->ttypes.types);
ebitmap_destroy(&curr->ttypes.negset);
- free(curr->object_name);
__cil_destroy_sepol_class_perms(curr->perms);
free(curr);
curr = next;
diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h
index d30f26af..8bb11d18 100644
--- a/libsepol/include/sepol/policydb/policydb.h
+++ b/libsepol/include/sepol/policydb/policydb.h
@@ -278,7 +278,6 @@ typedef struct avrule {
type_set_t stypes;
type_set_t ttypes;
class_perm_node_t *perms;
- char *object_name; /* optional object name */
av_extended_perms_t *xperms;
unsigned long line; /* line number from policy.conf where
* this rule originated */
@@ -302,6 +301,16 @@ typedef struct role_allow_rule {
struct role_allow_rule *next;
} role_allow_rule_t;
+typedef struct filename_trans_rule {
+ uint32_t flags; /* may have RULE_SELF set */
+ type_set_t stypes;
+ type_set_t ttypes;
+ uint32_t tclass;
+ char *name;
+ uint32_t otype; /* new type */
+ struct filename_trans_rule *next;
+} filename_trans_rule_t;
+
typedef struct range_trans_rule {
type_set_t stypes;
type_set_t ttypes;
@@ -442,6 +451,9 @@ typedef struct avrule_decl {
scope_index_t required; /* symbols needed to activate this block */
scope_index_t declared; /* symbols declared within this block */
+ /* type transition rules with a 'name' component */
+ filename_trans_rule_t *filename_trans_rules;
+
/* for additive statements (type attribute, roles, and users) */
symtab_t symtab[SYM_NUM];
@@ -644,6 +656,8 @@ extern void avrule_destroy(avrule_t * x);
extern void avrule_list_destroy(avrule_t * x);
extern void role_trans_rule_init(role_trans_rule_t * x);
extern void role_trans_rule_list_destroy(role_trans_rule_t * x);
+extern void filename_trans_rule_init(filename_trans_rule_t * x);
+extern void filename_trans_rule_list_destroy(filename_trans_rule_t * x);
extern void role_datum_init(role_datum_t * x);
extern void role_datum_destroy(role_datum_t * x);
diff --git a/libsepol/src/avrule_block.c b/libsepol/src/avrule_block.c
index fce4e772..dcfce8b8 100644
--- a/libsepol/src/avrule_block.c
+++ b/libsepol/src/avrule_block.c
@@ -99,6 +99,7 @@ void avrule_decl_destroy(avrule_decl_t * x)
cond_list_destroy(x->cond_list);
avrule_list_destroy(x->avrules);
role_trans_rule_list_destroy(x->role_tr_rules);
+ filename_trans_rule_list_destroy(x->filename_trans_rules);
role_allow_rule_list_destroy(x->role_allow_rules);
range_trans_rule_list_destroy(x->range_tr_rules);
scope_index_destroy(&x->required);
diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index a4c92f4f..878b0f21 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -1407,6 +1407,94 @@ static int copy_role_trans(expand_state_t * state, role_trans_rule_t * rules)
return 0;
}
+static int expand_filename_trans_helper(expand_state_t *state,
+ filename_trans_rule_t *rule,
+ unsigned int s, unsigned int t)
+{
+ uint32_t mapped_otype, present_otype;
+ int rc;
+ avtab_key_t avt_key;
+
+ mapped_otype = state->typemap[rule->otype - 1];
+
+ avt_key.specified = AVTAB_TRANSITION;
+ avt_key.source_type = s + 1;
+ avt_key.target_type = t + 1;
+ avt_key.target_class = rule->tclass;
+
+ rc = avtab_insert_filename_trans(&state->out->te_avtab, &avt_key,
+ mapped_otype, rule->name, &present_otype);
+ if (rc == SEPOL_EEXIST) {
+ /* duplicate rule, ignore */
+ if (present_otype == mapped_otype)
+ return 0;
+
+ ERR(state->handle, "Conflicting name-based type_transition %s %s:%s \"%s\": %s vs %s",
+ state->out->p_type_val_to_name[s],
+ state->out->p_type_val_to_name[t],
+ state->out->p_class_val_to_name[rule->tclass - 1],
+ rule->name,
+ state->out->p_type_val_to_name[present_otype - 1],
+ state->out->p_type_val_to_name[mapped_otype - 1]);
+ return -1;
+ } else if (rc < 0) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+ return 0;
+}
+
+static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *rules)
+{
+ unsigned int i, j;
+ filename_trans_rule_t *cur_rule;
+ ebitmap_t stypes, ttypes;
+ ebitmap_node_t *snode, *tnode;
+ int rc;
+
+ cur_rule = rules;
+ while (cur_rule) {
+ ebitmap_init(&stypes);
+ ebitmap_init(&ttypes);
+
+ if (expand_convert_type_set(state->out, state->typemap,
+ &cur_rule->stypes, &stypes, 1)) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+
+ if (expand_convert_type_set(state->out, state->typemap,
+ &cur_rule->ttypes, &ttypes, 1)) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+
+
+ ebitmap_for_each_positive_bit(&stypes, snode, i) {
+ ebitmap_for_each_positive_bit(&ttypes, tnode, j) {
+ rc = expand_filename_trans_helper(
+ state, cur_rule, i, j
+ );
+ if (rc)
+ return rc;
+ }
+ if (cur_rule->flags & RULE_SELF) {
+ rc = expand_filename_trans_helper(
+ state, cur_rule, i, i
+ );
+ if (rc)
+ return rc;
+ }
+ }
+
+ ebitmap_destroy(&stypes);
+ ebitmap_destroy(&ttypes);
+
+ cur_rule = cur_rule->next;
+ }
+ return 0;
+}
+
static int exp_rangetr_helper(uint32_t stype, uint32_t ttype, uint32_t tclass,
mls_semantic_range_t * trange,
expand_state_t * state)
@@ -1620,7 +1708,7 @@ static int expand_terule_helper(sepol_handle_t * handle,
uint32_t specified, cond_av_list_t ** cond,
cond_av_list_t ** other, uint32_t stype,
uint32_t ttype, class_perm_node_t * perms,
- char *object_name, avtab_t * avtab, int enabled)
+ avtab_t * avtab, int enabled)
{
avtab_key_t avkey;
avtab_datum_t *avdatump;
@@ -1644,34 +1732,6 @@ static int expand_terule_helper(sepol_handle_t * handle,
typemap ? typemap[cur->data - 1] : cur->data;
avkey.target_class = cur->tclass;
- /*
- * if expanded node is a filename transition, insert it, insert
- * function checks for duplicates
- */
- if (specified & AVRULE_TRANSITION && object_name) {
- int rc = avtab_insert_filename_trans(avtab, &avkey,
- remapped_data,
- object_name,
- &oldtype);
- if (rc == SEPOL_EEXIST) {
- ERR(handle, "conflicting filename transition %s %s:%s \"%s\": %s vs %s",
- p->p_type_val_to_name[avkey.source_type - 1],
- p->p_type_val_to_name[avkey.target_type - 1],
- p->p_class_val_to_name[avkey.target_class - 1],
- object_name,
- p->p_type_val_to_name[oldtype - 1],
- p->p_type_val_to_name[remapped_data - 1]);
- return EXPAND_RULE_CONFLICT;
- }
- if (rc < 0)
- return EXPAND_RULE_ERROR;
- /*
- * filename transtion inserted, continue with next node
- */
- cur = cur->next;
- continue;
- }
-
conflict = 0;
/* check to see if the expanded TE already exists --
* either in the global scope or in another
@@ -1717,9 +1777,12 @@ static int expand_terule_helper(sepol_handle_t * handle,
|| node->parse_context == cond)
return EXPAND_RULE_SUCCESS;
ERR(handle, "duplicate TE rule for %s %s:%s %s",
- p->p_type_val_to_name[avkey.source_type - 1],
- p->p_type_val_to_name[avkey.target_type - 1],
- p->p_class_val_to_name[avkey.target_class - 1],
+ p->p_type_val_to_name[avkey.source_type -
+ 1],
+ p->p_type_val_to_name[avkey.target_type -
+ 1],
+ p->p_class_val_to_name[avkey.target_class -
+ 1],
p->p_type_val_to_name[oldtype - 1]);
return EXPAND_RULE_CONFLICT;
}
@@ -1884,7 +1947,6 @@ static int expand_rule_helper(sepol_handle_t * handle,
retval = expand_terule_helper(handle, p, typemap,
source_rule->specified, cond,
other, i, i, source_rule->perms,
- source_rule->object_name,
dest_avtab, enabled);
if (retval != EXPAND_RULE_SUCCESS)
return retval;
@@ -1901,7 +1963,6 @@ static int expand_rule_helper(sepol_handle_t * handle,
retval = expand_terule_helper(handle, p, typemap,
source_rule->specified, cond,
other, i, j, source_rule->perms,
- source_rule->object_name,
dest_avtab, enabled);
if (retval != EXPAND_RULE_SUCCESS)
return retval;
@@ -2730,6 +2791,9 @@ static int copy_and_expand_avrule_block(expand_state_t * state)
goto cleanup;
}
+ if (expand_filename_trans(state, decl->filename_trans_rules))
+ goto cleanup;
+
/* expand the range transition rules */
if (expand_range_trans(state, decl->range_tr_rules))
goto cleanup;
diff --git a/libsepol/src/link.c b/libsepol/src/link.c
index 88b23594..3b7742bc 100644
--- a/libsepol/src/link.c
+++ b/libsepol/src/link.c
@@ -1249,12 +1249,6 @@ static int copy_avrule_list(avrule_t * list, avrule_t ** dst,
goto cleanup;
}
- if (cur->object_name) {
- new_rule->object_name = strdup(cur->object_name);
- if (!new_rule->object_name)
- goto cleanup;
- }
-
cur_perm = cur->perms;
tail_perm = NULL;
while (cur_perm) {
@@ -1418,6 +1412,51 @@ static int copy_role_allow_list(role_allow_rule_t * list,
return -1;
}
+static int copy_filename_trans_list(filename_trans_rule_t * list,
+ filename_trans_rule_t ** dst,
+ policy_module_t * module,
+ link_state_t * state)
+{
+ filename_trans_rule_t *cur, *new_rule, *tail;
+
+ cur = list;
+ tail = *dst;
+ while (tail && tail->next)
+ tail = tail->next;
+
+ while (cur) {
+ new_rule = malloc(sizeof(*new_rule));
+ if (!new_rule)
+ goto err;
+
+ filename_trans_rule_init(new_rule);
+
+ if (*dst == NULL)
+ *dst = new_rule;
+ else
+ tail->next = new_rule;
+ tail = new_rule;
+
+ new_rule->name = strdup(cur->name);
+ if (!new_rule->name)
+ goto err;
+
+ if (type_set_or_convert(&cur->stypes, &new_rule->stypes, module) ||
+ type_set_or_convert(&cur->ttypes, &new_rule->ttypes, module))
+ goto err;
+
+ new_rule->tclass = module->map[SYM_CLASSES][cur->tclass - 1];
+ new_rule->otype = module->map[SYM_TYPES][cur->otype - 1];
+ new_rule->flags = cur->flags;
+
+ cur = cur->next;
+ }
+ return 0;
+err:
+ ERR(state->handle, "Out of memory!");
+ return -1;
+}
+
static int copy_range_trans_list(range_trans_rule_t * rules,
range_trans_rule_t ** dst,
policy_module_t * mod, link_state_t * state)
@@ -1640,6 +1679,11 @@ static int copy_avrule_decl(link_state_t * state, policy_module_t * module,
return -1;
}
+ if (copy_filename_trans_list(src_decl->filename_trans_rules,
+ &dest_decl->filename_trans_rules,
+ module, state))
+ return -1;
+
if (copy_range_trans_list(src_decl->range_tr_rules,
&dest_decl->range_tr_rules, module, state))
return -1;
diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index ca96bb67..a6b6d66f 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -547,7 +547,7 @@ static int semantic_level_to_cil(struct policydb *pdb, int sens_offset, struct m
return 0;
}
-static int avrule_to_cil(int indent, struct policydb *pdb, uint32_t type, const char *src, const char *tgt, const char *object_name, const struct class_perm_node *classperms)
+static int avrule_to_cil(int indent, struct policydb *pdb, uint32_t type, const char *src, const char *tgt, const struct class_perm_node *classperms)
{
int rc = -1;
const char *rule;
@@ -597,12 +597,6 @@ static int avrule_to_cil(int indent, struct policydb *pdb, uint32_t type, const
rule, src, tgt,
pdb->p_class_val_to_name[classperm->tclass - 1],
perms + 1);
- } else if (object_name) {
- cil_println(indent, "(%s %s %s %s \"%s\" %s)",
- rule, src, tgt,
- pdb->p_class_val_to_name[classperm->tclass - 1],
- object_name,
- pdb->p_type_val_to_name[classperm->data - 1]);
} else {
cil_println(indent, "(%s %s %s %s %s)",
rule, src, tgt,
@@ -1205,7 +1199,7 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a
if (avrule->specified & AVRULE_XPERMS) {
rc = avrulex_to_cil(indent, pdb, avrule->specified, snames[s], tnames[t], avrule->perms, avrule->xperms);
} else {
- rc = avrule_to_cil(indent, pdb, avrule->specified, snames[s], tnames[t], avrule->object_name, avrule->perms);
+ rc = avrule_to_cil(indent, pdb, avrule->specified, snames[s], tnames[t], avrule->perms);
}
if (rc != 0) {
goto exit;
@@ -1216,7 +1210,7 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a
if (avrule->specified & AVRULE_XPERMS) {
rc = avrulex_to_cil(indent, pdb, avrule->specified, snames[s], "self", avrule->perms, avrule->xperms);
} else {
- rc = avrule_to_cil(indent, pdb, avrule->specified, snames[s], "self", avrule->object_name, avrule->perms);
+ rc = avrule_to_cil(indent, pdb, avrule->specified, snames[s], "self", avrule->perms);
}
if (rc != 0) {
goto exit;
@@ -1582,6 +1576,60 @@ exit:
return rc;
}
+static int filename_trans_to_cil(int indent, struct policydb *pdb, struct filename_trans_rule *rules, struct list *attr_list)
+{
+ int rc = -1;
+ char **stypes = NULL;
+ unsigned int num_stypes = 0;
+ unsigned int stype;
+ char **ttypes = NULL;
+ unsigned int num_ttypes = 0;
+ unsigned int ttype;
+ struct type_set *ts;
+ struct filename_trans_rule *rule;
+
+ for (rule = rules; rule != NULL; rule = rule->next) {
+ ts = &rule->stypes;
+ rc = process_typeset(pdb, ts, attr_list, &stypes, &num_stypes);
+ if (rc != 0) {
+ goto exit;
+ }
+
+ ts = &rule->ttypes;
+ rc = process_typeset(pdb, ts, attr_list, &ttypes, &num_ttypes);
+ if (rc != 0) {
+ goto exit;
+ }
+
+ for (stype = 0; stype < num_stypes; stype++) {
+ for (ttype = 0; ttype < num_ttypes; ttype++) {
+ cil_println(indent, "(typetransition %s %s %s \"%s\" %s)",
+ stypes[stype], ttypes[ttype],
+ pdb->p_class_val_to_name[rule->tclass - 1],
+ rule->name,
+ pdb->p_type_val_to_name[rule->otype - 1]);
+ }
+ if (rule->flags & RULE_SELF) {
+ cil_println(indent, "(typetransition %s self %s \"%s\" %s)",
+ stypes[stype],
+ pdb->p_class_val_to_name[rule->tclass - 1],
+ rule->name,
+ pdb->p_type_val_to_name[rule->otype - 1]);
+ }
+ }
+
+ names_destroy(&stypes, &num_stypes);
+ names_destroy(&ttypes, &num_ttypes);
+ }
+
+ rc = 0;
+exit:
+ names_destroy(&stypes, &num_stypes);
+ names_destroy(&ttypes, &num_ttypes);
+
+ return rc;
+}
+
struct class_perm_datum {
char *name;
uint32_t val;
@@ -3635,6 +3683,11 @@ static int block_to_cil(struct policydb *pdb, struct avrule_block *block, struct
goto exit;
}
+ rc = filename_trans_to_cil(indent, pdb, decl->filename_trans_rules, type_attr_list);
+ if (rc != 0) {
+ goto exit;
+ }
+
rc = cond_list_to_cil(indent, pdb, decl->cond_list, type_attr_list);
if (rc != 0) {
goto exit;
diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index 4913ee21..c1ce9c34 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -638,7 +638,6 @@ void avrule_destroy(avrule_t * x)
}
free(x->xperms);
- free(x->object_name);
}
void role_trans_rule_init(role_trans_rule_t * x)
@@ -668,6 +667,33 @@ void role_trans_rule_list_destroy(role_trans_rule_t * x)
}
}
+void filename_trans_rule_init(filename_trans_rule_t * x)
+{
+ memset(x, 0, sizeof(*x));
+ type_set_init(&x->stypes);
+ type_set_init(&x->ttypes);
+}
+
+static void filename_trans_rule_destroy(filename_trans_rule_t * x)
+{
+ if (!x)
+ return;
+ type_set_destroy(&x->stypes);
+ type_set_destroy(&x->ttypes);
+ free(x->name);
+}
+
+void filename_trans_rule_list_destroy(filename_trans_rule_t * x)
+{
+ filename_trans_rule_t *next;
+ while (x) {
+ next = x->next;
+ filename_trans_rule_destroy(x);
+ free(x);
+ x = next;
+ }
+}
+
void role_allow_rule_init(role_allow_rule_t * x)
{
memset(x, 0, sizeof(role_allow_rule_t));
@@ -3467,32 +3493,31 @@ static int role_allow_rule_read(role_allow_rule_t ** r, struct policy_file *fp)
return 0;
}
-static int filename_trans_rule_read(policydb_t *p, avrule_t **r,
+static int filename_trans_rule_read(policydb_t *p, filename_trans_rule_t **r,
struct policy_file *fp)
{
uint32_t buf[3], nel, i, len;
unsigned int entries;
- avrule_t *cur;
+ filename_trans_rule_t *ftr, *lftr;
int rc;
rc = next_entry(buf, fp, sizeof(uint32_t));
if (rc < 0)
return -1;
nel = le32_to_cpu(buf[0]);
+ lftr = NULL;
for (i = 0; i < nel; i++) {
- cur = malloc(sizeof(avrule_t));
- if (!cur)
+ ftr = malloc(sizeof(*ftr));
+ if (!ftr)
return -1;
- avrule_init(cur);
- cur->next = *r;
- *r = cur;
+ filename_trans_rule_init(ftr);
- cur->specified = AVRULE_TRANSITION;
- cur->perms = malloc(sizeof(class_perm_node_t));
- if (!cur->perms)
- return -1;
- class_perm_node_init(cur->perms);
+ if (lftr)
+ lftr->next = ftr;
+ else
+ *r = ftr;
+ lftr = ftr;
rc = next_entry(buf, fp, sizeof(uint32_t));
if (rc < 0)
@@ -3502,14 +3527,19 @@ static int filename_trans_rule_read(policydb_t *p, avrule_t **r,
if (zero_or_saturated(len))
return -1;
- rc = str_read(&cur->object_name, fp, len);
+ ftr->name = malloc(len + 1);
+ if (!ftr->name)
+ return -1;
+
+ rc = next_entry(ftr->name, fp, len);
if (rc)
return -1;
+ ftr->name[len] = 0;
- if (type_set_read(&cur->stypes, fp))
+ if (type_set_read(&ftr->stypes, fp))
return -1;
- if (type_set_read(&cur->ttypes, fp))
+ if (type_set_read(&ftr->ttypes, fp))
return -1;
if (p->policyvers >= MOD_POLICYDB_VERSION_SELF_TYPETRANS)
@@ -3520,10 +3550,10 @@ static int filename_trans_rule_read(policydb_t *p, avrule_t **r,
rc = next_entry(buf, fp, sizeof(uint32_t) * entries);
if (rc < 0)
return -1;
- cur->perms->tclass = le32_to_cpu(buf[0]);
- cur->perms->data = le32_to_cpu(buf[1]);
+ ftr->tclass = le32_to_cpu(buf[0]);
+ ftr->otype = le32_to_cpu(buf[1]);
if (p->policyvers >= MOD_POLICYDB_VERSION_SELF_TYPETRANS)
- cur->flags = le32_to_cpu(buf[2]);
+ ftr->flags = le32_to_cpu(buf[2]);
}
return 0;
@@ -3626,7 +3656,7 @@ static int avrule_decl_read(policydb_t * p, avrule_decl_t * decl,
}
if (p->policyvers >= MOD_POLICYDB_VERSION_FILENAME_TRANS &&
- filename_trans_rule_read(p, &decl->avrules, fp))
+ filename_trans_rule_read(p, &decl->filename_trans_rules, fp))
return -1;
if (p->policyvers >= MOD_POLICYDB_VERSION_RANGETRANS &&
diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
index 0b8e8eee..89306185 100644
--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@@ -1313,6 +1313,31 @@ bad:
return -1;
}
+
+static int validate_filename_trans_rules(sepol_handle_t *handle, const filename_trans_rule_t *filename_trans, const policydb_t *p, validate_t flavors[])
+{
+ for (; filename_trans; filename_trans = filename_trans->next) {
+ if (validate_type_set(&filename_trans->stypes, &flavors[SYM_TYPES]))
+ goto bad;
+ if (validate_type_set(&filename_trans->ttypes, &flavors[SYM_TYPES]))
+ goto bad;
+ if (validate_value(filename_trans->tclass,&flavors[SYM_CLASSES] ))
+ goto bad;
+ if (validate_simpletype(filename_trans->otype, p, flavors))
+ goto bad;
+
+ /* currently only the RULE_SELF flag can be set */
+ if ((filename_trans->flags & ~RULE_SELF) != 0)
+ goto bad;
+ }
+
+ return 0;
+
+bad:
+ ERR(handle, "Invalid filename trans rule list");
+ return -1;
+}
+
static int validate_symtabs(sepol_handle_t *handle, const symtab_t symtabs[], validate_t flavors[])
{
unsigned int i;
@@ -1347,6 +1372,8 @@ static int validate_avrule_blocks(sepol_handle_t *handle, const avrule_block_t *
goto bad;
if (validate_scope_index(handle, &decl->declared, flavors))
goto bad;
+ if (validate_filename_trans_rules(handle, decl->filename_trans_rules, p, flavors))
+ goto bad;
if (validate_symtabs(handle, decl->symtab, flavors))
goto bad;
}
diff --git a/libsepol/src/write.c b/libsepol/src/write.c
index 2035b350..c4d593ab 100644
--- a/libsepol/src/write.c
+++ b/libsepol/src/write.c
@@ -1970,10 +1970,6 @@ static int avrule_write(policydb_t *p, avrule_t * avrule,
uint32_t buf[32], len;
class_perm_node_t *cur;
- /* skip filename transitions for now */
- if (avrule->specified & AVRULE_TRANSITION && avrule->object_name)
- return POLICYDB_SUCCESS;
-
if (p->policyvers < MOD_POLICYDB_VERSION_SELF_TYPETRANS &&
(avrule->specified & AVRULE_TYPE) &&
(avrule->flags & RULE_SELF)) {
@@ -2067,9 +2063,7 @@ static int avrule_write_list(policydb_t *p, avrule_t * avrules,
avrule = avrules;
len = 0;
while (avrule) {
- if (!(avrule->specified & AVRULE_TRANSITION &&
- avrule->object_name))
- len++;
+ len++;
avrule = avrule->next;
}
@@ -2168,67 +2162,55 @@ static int role_allow_rule_write(role_allow_rule_t * r, struct policy_file *fp)
return POLICYDB_SUCCESS;
}
-static int filename_trans_rule_write(policydb_t *p, avrule_t *rules,
+static int filename_trans_rule_write(policydb_t *p, filename_trans_rule_t *t,
struct policy_file *fp)
{
int nel = 0;
size_t items, entries;
uint32_t buf[3], len;
- avrule_t *rule;
- class_perm_node_t *perm;
+ filename_trans_rule_t *ftr;
- for (rule = rules; rule; rule = rule->next) {
- if (rule->specified & AVRULE_TRANSITION && rule->object_name) {
- for (perm = rule->perms; perm; perm = perm->next) {
- nel++;
- }
- }
- }
+ for (ftr = t; ftr; ftr = ftr->next)
+ nel++;
buf[0] = cpu_to_le32(nel);
items = put_entry(buf, sizeof(uint32_t), 1, fp);
if (items != 1)
return POLICYDB_ERROR;
- for (rule = rules; rule; rule = rule->next) {
- if (!(rule->specified & AVRULE_TRANSITION && rule->object_name))
- continue;
- len = strlen(rule->object_name);
- for (perm = rule->perms; perm; perm = perm->next) {
- buf[0] = cpu_to_le32(len);
- items = put_entry(buf, sizeof(uint32_t), 1, fp);
- if (items != 1)
- return POLICYDB_ERROR;
+ for (ftr = t; ftr; ftr = ftr->next) {
+ len = strlen(ftr->name);
+ buf[0] = cpu_to_le32(len);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
- items = put_entry(rule->object_name, sizeof(char), len,
- fp);
- if (items != len)
- return POLICYDB_ERROR;
+ items = put_entry(ftr->name, sizeof(char), len, fp);
+ if (items != len)
+ return POLICYDB_ERROR;
- if (type_set_write(&rule->stypes, fp))
- return POLICYDB_ERROR;
- if (type_set_write(&rule->ttypes, fp))
- return POLICYDB_ERROR;
+ if (type_set_write(&ftr->stypes, fp))
+ return POLICYDB_ERROR;
+ if (type_set_write(&ftr->ttypes, fp))
+ return POLICYDB_ERROR;
- buf[0] = cpu_to_le32(perm->tclass);
- buf[1] = cpu_to_le32(perm->data);
- buf[2] = cpu_to_le32(rule->flags);
-
- if (p->policyvers >=
- MOD_POLICYDB_VERSION_SELF_TYPETRANS) {
- entries = 3;
- } else if (!(rule->flags & RULE_SELF)) {
- entries = 2;
- } else {
- ERR(fp->handle,
- "Module contains a self rule not supported by the target module policy version");
- return POLICYDB_ERROR;
- }
+ buf[0] = cpu_to_le32(ftr->tclass);
+ buf[1] = cpu_to_le32(ftr->otype);
+ buf[2] = cpu_to_le32(ftr->flags);
- items = put_entry(buf, sizeof(uint32_t), entries, fp);
- if (items != entries)
- return POLICYDB_ERROR;
+ if (p->policyvers >= MOD_POLICYDB_VERSION_SELF_TYPETRANS) {
+ entries = 3;
+ } else if (!(ftr->flags & RULE_SELF)) {
+ entries = 2;
+ } else {
+ ERR(fp->handle,
+ "Module contains a self rule not supported by the target module policy version");
+ return POLICYDB_ERROR;
}
+
+ items = put_entry(buf, sizeof(uint32_t), entries, fp);
+ if (items != entries)
+ return POLICYDB_ERROR;
}
return POLICYDB_SUCCESS;
}
@@ -2302,7 +2284,7 @@ static int avrule_decl_write(avrule_decl_t * decl, int num_scope_syms,
}
if (p->policyvers >= MOD_POLICYDB_VERSION_FILENAME_TRANS &&
- filename_trans_rule_write(p, decl->avrules, fp))
+ filename_trans_rule_write(p, decl->filename_trans_rules, fp))
return POLICYDB_ERROR;
if (p->policyvers >= MOD_POLICYDB_VERSION_RANGETRANS &&
--
2.41.0
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 7/8] Revert "checkpolicy,libsepol: move filename transitions to avtab"
2023-07-26 14:25 [PATCH 0/8] Revert the prefix/suffix filename transition patches James Carter
` (5 preceding siblings ...)
2023-07-26 14:25 ` [PATCH 6/8] Revert "checkpolicy,libsepol: move filename transition rules to avrule" James Carter
@ 2023-07-26 14:25 ` James Carter
2023-07-26 14:25 ` [PATCH 8/8] Revert "checkpolicy,libsepol: move transition to separate structure in avtab" James Carter
` (2 subsequent siblings)
9 siblings, 0 replies; 12+ messages in thread
From: James Carter @ 2023-07-26 14:25 UTC (permalink / raw)
To: selinux; +Cc: juraj, James Carter
This reverts commit e169fe26530ef2c6b3dd126788cc81676359a3b3.
Signed-off-by: James Carter <jwcart2@gmail.com>
---
checkpolicy/checkmodule.c | 9 -
checkpolicy/checkpolicy.c | 9 -
checkpolicy/policy_define.c | 21 +-
checkpolicy/test/dispol.c | 83 ++--
libsepol/cil/src/cil_binary.c | 27 +-
libsepol/include/sepol/policydb/avtab.h | 9 -
libsepol/include/sepol/policydb/hashtab.h | 8 -
libsepol/include/sepol/policydb/policydb.h | 22 +
libsepol/src/avtab.c | 199 ---------
libsepol/src/conditional.c | 6 +-
libsepol/src/expand.c | 27 +-
libsepol/src/kernel_to_cil.c | 159 +++++--
libsepol/src/kernel_to_common.h | 9 -
libsepol/src/kernel_to_conf.c | 155 +++++--
libsepol/src/optimize.c | 8 +-
libsepol/src/policydb.c | 343 ++++++++++++++-
libsepol/src/policydb_validate.c | 69 +--
libsepol/src/write.c | 463 ++++++---------------
18 files changed, 822 insertions(+), 804 deletions(-)
diff --git a/checkpolicy/checkmodule.c b/checkpolicy/checkmodule.c
index d81d8c97..14e6c891 100644
--- a/checkpolicy/checkmodule.c
+++ b/checkpolicy/checkmodule.c
@@ -280,15 +280,6 @@ int main(int argc, char **argv)
modpolicydb.mls = mlspol;
modpolicydb.handle_unknown = handle_unknown;
- /*
- * Init and alloc te_avtab for filename transition duplicate
- * checking
- */
- if (avtab_init(&modpolicydb.te_avtab))
- exit(1);
- if (avtab_alloc(&modpolicydb.te_avtab, 1 << 11))
- exit(1);
-
if (read_source_policy(&modpolicydb, file, argv[0]) == -1) {
exit(1);
}
diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
index 83000bcb..623ba8b2 100644
--- a/checkpolicy/checkpolicy.c
+++ b/checkpolicy/checkpolicy.c
@@ -615,15 +615,6 @@ int main(int argc, char **argv)
parse_policy.mls = mlspol;
parse_policy.handle_unknown = handle_unknown;
- /*
- * Init and alloc te_avtab for filename transition duplicate
- * checking
- */
- if (avtab_init(&parse_policy.te_avtab))
- exit(1);
- if (avtab_alloc(&parse_policy.te_avtab, 1 << 11))
- exit(1);
-
policydbp = &parse_policy;
if (read_source_policy(policydbp, file, "checkpolicy") < 0)
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index dc2ee8f3..cef8f3c4 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -3352,7 +3352,6 @@ int define_filename_trans(void)
ebitmap_node_t *snode, *tnode, *cnode;
filename_trans_rule_t *ftr;
type_datum_t *typdatum;
- avtab_key_t avt_key;
uint32_t otype;
unsigned int c, s, t;
int add, self, rc;
@@ -3444,13 +3443,9 @@ int define_filename_trans(void)
ebitmap_for_each_positive_bit(&e_tclasses, cnode, c) {
ebitmap_for_each_positive_bit(&e_stypes, snode, s) {
ebitmap_for_each_positive_bit(&e_ttypes, tnode, t) {
- avt_key.specified = AVTAB_TRANSITION;
- avt_key.source_type = s + 1;
- avt_key.target_type = t + 1;
- avt_key.target_class = c + 1;
- rc = avtab_insert_filename_trans(
- &policydbp->te_avtab, &avt_key, otype,
- name, NULL
+ rc = policydb_filetrans_insert(
+ policydbp, s+1, t+1, c+1, name,
+ NULL, otype, NULL
);
if (rc != SEPOL_OK) {
if (rc == SEPOL_EEXIST) {
@@ -3466,13 +3461,9 @@ int define_filename_trans(void)
}
}
if (self) {
- avt_key.specified = AVTAB_TRANSITION;
- avt_key.source_type = s + 1;
- avt_key.target_type = t + 1;
- avt_key.target_class = c + 1;
- rc = avtab_insert_filename_trans(
- &policydbp->te_avtab, &avt_key, otype,
- name, NULL
+ rc = policydb_filetrans_insert(
+ policydbp, s+1, s+1, c+1, name,
+ NULL, otype, NULL
);
if (rc != SEPOL_OK) {
if (rc == SEPOL_EEXIST) {
diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
index 861fa903..e45528b9 100644
--- a/checkpolicy/test/dispol.c
+++ b/checkpolicy/test/dispol.c
@@ -63,6 +63,7 @@ static struct command {
{CMD, 'a', "display type attributes"},
{CMD, 'p', "display the list of permissive types"},
{CMD, 'u', "display unknown handling setting"},
+ {CMD, 'F', "display filename_trans rules"},
{HEADER, 0, ""},
{CMD|NOOPT, 'f', "set output file"},
{CMD|NOOPT, 'm', "display menu"},
@@ -125,26 +126,6 @@ static int render_key(avtab_key_t * key, policydb_t * p, FILE * fp)
return 0;
}
-typedef struct {
- avtab_key_t *key;
- policydb_t *p;
- FILE *fp;
-} render_name_trans_args_t;
-
-static int render_name_trans_helper(hashtab_key_t k, hashtab_datum_t d, void *a)
-{
- char *name = k;
- uint32_t *otype = d;
- render_name_trans_args_t *args = a;
-
- fprintf(args->fp, "type_transition ");
- render_key(args->key, args->p, args->fp);
- render_type(*otype, args->p, args->fp);
- fprintf(args->fp, " \"%s\";\n", name);
-
- return 0;
-}
-
/* 'what' values for this function */
#define RENDER_UNCONDITIONAL 0x0001 /* render all regardless of enabled state */
#define RENDER_ENABLED 0x0002
@@ -197,19 +178,10 @@ static int render_av_rule(avtab_key_t * key, avtab_datum_t * datum, uint32_t wha
}
} else if (key->specified & AVTAB_TYPE) {
if (key->specified & AVTAB_TRANSITION) {
- if (datum->trans->otype) {
- fprintf(fp, "type_transition ");
- render_key(key, p, fp);
- render_type(datum->trans->otype, p, fp);
- fprintf(fp, ";\n");
- }
- render_name_trans_args_t args = {
- .key = key,
- .p = p,
- .fp = fp,
- };
- hashtab_map(datum->trans->name_trans.table,
- render_name_trans_helper, &args);
+ fprintf(fp, "type_transition ");
+ render_key(key, p, fp);
+ render_type(datum->trans->otype, p, fp);
+ fprintf(fp, ";\n");
}
if (key->specified & AVTAB_MEMBER) {
fprintf(fp, "type_member ");
@@ -476,6 +448,48 @@ static void display_role_trans(policydb_t *p, FILE *fp)
}
}
+struct filenametr_display_args {
+ policydb_t *p;
+ FILE *fp;
+};
+
+static int filenametr_display(hashtab_key_t key,
+ hashtab_datum_t datum,
+ void *ptr)
+{
+ struct filename_trans_key *ft = (struct filename_trans_key *)key;
+ struct filename_trans_datum *ftdatum = datum;
+ struct filenametr_display_args *args = ptr;
+ policydb_t *p = args->p;
+ FILE *fp = args->fp;
+ ebitmap_node_t *node;
+ uint32_t bit;
+
+ do {
+ ebitmap_for_each_positive_bit(&ftdatum->stypes, node, bit) {
+ display_id(p, fp, SYM_TYPES, bit, "");
+ display_id(p, fp, SYM_TYPES, ft->ttype - 1, "");
+ display_id(p, fp, SYM_CLASSES, ft->tclass - 1, ":");
+ display_id(p, fp, SYM_TYPES, ftdatum->otype - 1, "");
+ fprintf(fp, " %s\n", ft->name);
+ }
+ ftdatum = ftdatum->next;
+ } while (ftdatum);
+
+ return 0;
+}
+
+
+static void display_filename_trans(policydb_t *p, FILE *fp)
+{
+ struct filenametr_display_args args;
+
+ fprintf(fp, "filename_trans rules:\n");
+ args.p = p;
+ args.fp = fp;
+ hashtab_map(p->filename_trans, filenametr_display, &args);
+}
+
static int menu(void)
{
unsigned int i;
@@ -678,6 +692,9 @@ int main(int argc, char **argv)
if (out_fp != stdout)
printf("\nOutput to file: %s\n", OutfileName);
break;
+ case 'F':
+ display_filename_trans(&policydb, out_fp);
+ break;
case 'q':
policydb_destroy(&policydb);
exit(0);
diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index 7150d405..3f264594 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@@ -1005,12 +1005,7 @@ static int __cil_insert_type_rule(policydb_t *pdb, uint32_t kind, uint32_t src,
}
existing = avtab_search_node(&pdb->te_avtab, &avtab_key);
- /*
- * There might be empty transition node containing filename transitions
- * only. That is okay, we can merge them later.
- */
- if (existing && !(existing->key.specified & AVTAB_TRANSITION &&
- !existing->datum.trans->otype)) {
+ if (existing) {
/* Don't add duplicate type rule and warn if they conflict.
* A warning should have been previously given if there is a
* non-duplicate rule using the same key.
@@ -1034,13 +1029,7 @@ static int __cil_insert_type_rule(policydb_t *pdb, uint32_t kind, uint32_t src,
}
if (!cond_node) {
- /* If we have node from empty filename transition, use it */
- if (existing && existing->key.specified & AVTAB_TRANSITION &&
- !existing->datum.trans->otype)
- existing->datum.trans->otype = avtab_datum.trans->otype;
- else
- rc = avtab_insert(&pdb->te_avtab, &avtab_key,
- &avtab_datum);
+ rc = avtab_insert(&pdb->te_avtab, &avtab_key, &avtab_datum);
} else {
existing = avtab_search_node(&pdb->te_cond_avtab, &avtab_key);
if (existing) {
@@ -1200,18 +1189,16 @@ static int __cil_typetransition_to_avtab_helper(policydb_t *pdb,
class_datum_t *sepol_obj = NULL;
uint32_t otype;
struct cil_list_item *c;
- avtab_key_t avt_key;
cil_list_for_each(c, class_list) {
rc = __cil_get_sepol_class_datum(pdb, DATUM(c->data), &sepol_obj);
if (rc != SEPOL_OK) return rc;
- avt_key.specified = AVTAB_TRANSITION;
- avt_key.source_type = sepol_src->s.value;
- avt_key.target_type = sepol_tgt->s.value;
- avt_key.target_class = sepol_obj->s.value;
- rc = avtab_insert_filename_trans(&pdb->te_avtab, &avt_key,
- sepol_result->s.value, name, &otype);
+ rc = policydb_filetrans_insert(
+ pdb, sepol_src->s.value, sepol_tgt->s.value,
+ sepol_obj->s.value, name, NULL,
+ sepol_result->s.value, &otype
+ );
if (rc != SEPOL_OK) {
if (rc == SEPOL_EEXIST) {
if (sepol_result->s.value!= otype) {
diff --git a/libsepol/include/sepol/policydb/avtab.h b/libsepol/include/sepol/policydb/avtab.h
index 5dc720cc..ca009c16 100644
--- a/libsepol/include/sepol/policydb/avtab.h
+++ b/libsepol/include/sepol/policydb/avtab.h
@@ -42,7 +42,6 @@
#include <sys/types.h>
#include <stdint.h>
-#include <sepol/policydb/symtab.h>
#ifdef __cplusplus
extern "C" {
@@ -73,7 +72,6 @@ typedef struct avtab_key {
typedef struct avtab_trans {
uint32_t otype; /* resulting type of the new object */
- symtab_t name_trans; /* filename transitions */
} avtab_trans_t;
typedef struct avtab_extended_perms {
@@ -117,8 +115,6 @@ extern int avtab_insert(avtab_t * h, avtab_key_t * k, avtab_datum_t * d);
extern avtab_datum_t *avtab_search(avtab_t * h, avtab_key_t * k);
-extern void avtab_trans_destroy(avtab_trans_t *trans);
-
extern void avtab_destroy(avtab_t * h);
extern int avtab_map(const avtab_t * h,
@@ -152,11 +148,6 @@ extern avtab_ptr_t avtab_search_node_next(avtab_ptr_t node, int specified);
/* avtab_alloc uses one bucket per 2-4 elements, so adjust to get maximum buckets */
#define MAX_AVTAB_SIZE (MAX_AVTAB_HASH_BUCKETS << 1)
-extern int avtab_insert_filename_trans(avtab_t *a, avtab_key_t *key,
- uint32_t otype, const char *name,
- uint32_t *present_otype);
-extern int avtab_filename_trans_read(void *fp, uint32_t vers, avtab_t *a);
-
#ifdef __cplusplus
}
#endif
diff --git a/libsepol/include/sepol/policydb/hashtab.h b/libsepol/include/sepol/policydb/hashtab.h
index 354ebb43..dca8c983 100644
--- a/libsepol/include/sepol/policydb/hashtab.h
+++ b/libsepol/include/sepol/policydb/hashtab.h
@@ -110,14 +110,6 @@ extern int hashtab_map(hashtab_t h,
extern void hashtab_hash_eval(hashtab_t h, char *tag);
-/* Returns number of elements in the hashtab h or 0 is h is NULL */
-static inline uint32_t hashtab_nel(hashtab_t h)
-{
- if (!h)
- return 0;
- return h->nel;
-}
-
#ifdef __cplusplus
}
#endif
diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h
index 8bb11d18..b014b7a8 100644
--- a/libsepol/include/sepol/policydb/policydb.h
+++ b/libsepol/include/sepol/policydb/policydb.h
@@ -161,6 +161,19 @@ typedef struct role_allow {
struct role_allow *next;
} role_allow_t;
+/* filename_trans rules */
+typedef struct filename_trans_key {
+ uint32_t ttype;
+ uint32_t tclass;
+ char *name;
+} filename_trans_key_t;
+
+typedef struct filename_trans_datum {
+ ebitmap_t stypes;
+ uint32_t otype;
+ struct filename_trans_datum *next;
+} filename_trans_datum_t;
+
/* Type attributes */
typedef struct type_datum {
symtab_datum_t s;
@@ -579,6 +592,10 @@ typedef struct policydb {
/* range transitions table (range_trans_key -> mls_range) */
hashtab_t range_tr;
+ /* file transitions with the last path component */
+ hashtab_t filename_trans;
+ uint32_t filename_trans_count;
+
ebitmap_t *type_attr_map;
ebitmap_t *attr_type_map; /* not saved in the binary policy */
@@ -637,6 +654,11 @@ extern int policydb_load_isids(policydb_t * p, sidtab_t * s);
extern int policydb_sort_ocontexts(policydb_t *p);
+extern int policydb_filetrans_insert(policydb_t *p, uint32_t stype,
+ uint32_t ttype, uint32_t tclass,
+ const char *name, char **name_alloc,
+ uint32_t otype, uint32_t *present_otype);
+
/* Deprecated */
extern int policydb_context_isvalid(const policydb_t * p,
const context_struct_t * c);
diff --git a/libsepol/src/avtab.c b/libsepol/src/avtab.c
index eef259cf..4c292e8b 100644
--- a/libsepol/src/avtab.c
+++ b/libsepol/src/avtab.c
@@ -315,20 +315,6 @@ avtab_ptr_t avtab_search_node_next(avtab_ptr_t node, int specified)
return NULL;
}
-static int avtab_trans_destroy_helper(hashtab_key_t k, hashtab_datum_t d,
- void *a __attribute__ ((unused)))
-{
- free(k);
- free(d);
- return 0;
-}
-
-void avtab_trans_destroy(avtab_trans_t *trans)
-{
- hashtab_map(trans->name_trans.table, avtab_trans_destroy_helper, NULL);
- symtab_destroy(&trans->name_trans);
-}
-
void avtab_destroy(avtab_t * h)
{
unsigned int i;
@@ -343,7 +329,6 @@ void avtab_destroy(avtab_t * h)
if (cur->key.specified & AVTAB_XPERMS) {
free(cur->datum.xperms);
} else if (cur->key.specified & AVTAB_TRANSITION) {
- avtab_trans_destroy(cur->datum.trans);
free(cur->datum.trans);
}
temp = cur;
@@ -675,187 +660,3 @@ int avtab_read(avtab_t * a, struct policy_file *fp, uint32_t vers)
avtab_destroy(a);
return -1;
}
-
-/* policydb filename transition compatibility */
-
-int avtab_insert_filename_trans(avtab_t *a, avtab_key_t *key,
- uint32_t otype, const char *name,
- uint32_t *present_otype)
-{
- int rc = SEPOL_ENOMEM;
- avtab_trans_t new_trans = {0};
- avtab_datum_t new_datum = {.trans = &new_trans};
- avtab_datum_t *datum;
- avtab_ptr_t node;
- char *name_key = NULL;
- uint32_t *otype_datum = NULL;
-
- datum = avtab_search(a, key);
- if (!datum) {
- /*
- * insert is actually unique, but with this function we can get
- * the inserted node and therefore the datum
- */
- node = avtab_insert_nonunique(a, key, &new_datum);
- if (!node)
- return SEPOL_ENOMEM;
- datum = &node->datum;
- }
-
- if (!datum->trans->name_trans.table) {
- rc = symtab_init(&datum->trans->name_trans, 1 << 8);
- if (rc < 0)
- return rc;
- }
-
- rc = SEPOL_ENOMEM;
- name_key = strdup(name);
- if (!name_key)
- goto bad;
-
- rc = SEPOL_ENOMEM;
- otype_datum = malloc(sizeof(*otype_datum));
- if (!otype_datum)
- goto bad;
- *otype_datum = otype;
-
- rc = hashtab_insert(datum->trans->name_trans.table, name_key,
- otype_datum);
- if (rc < 0)
- goto bad;
-
- return SEPOL_OK;
-
-bad:
- free(name_key);
- free(otype_datum);
- if (rc == SEPOL_EEXIST && present_otype) {
- otype_datum = hashtab_search(datum->trans->name_trans.table,
- name);
- if (otype_datum)
- *present_otype = *otype_datum;
- }
- return rc;
-}
-
-static int filename_trans_read_one(avtab_t *a, void *fp)
-{
- int rc;
- uint32_t buf[4], len, otype;
- char *name = NULL;
- avtab_key_t key;
-
- /* read length of the name and the name */
- rc = next_entry(buf, fp, sizeof(uint32_t));
- if (rc < 0)
- return SEPOL_ERR;
- len = le32_to_cpu(*buf);
- rc = str_read(&name, fp, len);
- if (rc < 0)
- return SEPOL_ERR;
-
- /* read stype, ttype, tclass and otype */
- rc = next_entry(buf, fp, sizeof(uint32_t) * 4);
- if (rc < 0)
- goto err;
-
- key.specified = AVTAB_TRANSITION;
- key.source_type = le32_to_cpu(buf[0]);
- key.target_type = le32_to_cpu(buf[1]);
- key.target_class = le32_to_cpu(buf[2]);
- otype = le32_to_cpu(buf[3]);
-
- rc = avtab_insert_filename_trans(a, &key, otype, name, NULL);
- if (rc)
- goto err;
-
- free(name);
- return SEPOL_OK;
-err:
- free(name);
- return SEPOL_ERR;
-}
-
-static int filename_trans_comp_read_one(avtab_t *a, void *fp)
-{
- int rc;
- uint32_t buf[3], len, ndatum, i, bit, otype;
- char *name = NULL;
- avtab_key_t key;
- ebitmap_t stypes;
- ebitmap_node_t *node;
-
- /* read length of the name and the name */
- rc = next_entry(buf, fp, sizeof(uint32_t));
- if (rc < 0)
- return SEPOL_ERR;
- len = le32_to_cpu(*buf);
- rc = str_read(&name, fp, len);
- if (rc < 0)
- return SEPOL_ERR;
-
- /* read ttype, tclass, ndatum */
- rc = next_entry(buf, fp, sizeof(uint32_t) * 3);
- if (rc < 0)
- goto err;
-
- key.specified = AVTAB_TRANSITION;
- key.target_type = le32_to_cpu(buf[0]);
- key.target_class = le32_to_cpu(buf[1]);
-
- ndatum = le32_to_cpu(buf[2]);
- for (i = 0; i < ndatum; i++) {
- rc = ebitmap_read(&stypes, fp);
- if (rc < 0)
- goto err;
-
- rc = next_entry(buf, fp, sizeof(uint32_t));
- if (rc < 0)
- goto err_ebitmap;
- otype = le32_to_cpu(*buf);
-
- ebitmap_for_each_positive_bit(&stypes, node, bit) {
- key.source_type = bit + 1;
-
- rc = avtab_insert_filename_trans(a, &key, otype, name,
- NULL);
- if (rc < 0)
- goto err_ebitmap;
- }
- }
-
- free(name);
- return SEPOL_OK;
-
-err_ebitmap:
- ebitmap_destroy(&stypes);
-err:
- free(name);
- return rc;
-}
-
-int avtab_filename_trans_read(void *fp, uint32_t vers, avtab_t *a)
-{
- uint32_t buf[1], nel, i;
- int rc;
-
- rc = next_entry(buf, fp, sizeof(uint32_t));
- if (rc < 0)
- return rc;
- nel = le32_to_cpu(*buf);
-
- if (vers < POLICYDB_VERSION_COMP_FTRANS) {
- for (i = 0; i < nel; i++) {
- rc = filename_trans_read_one(a, fp);
- if (rc < 0)
- return rc;
- }
- } else {
- for (i = 0; i < nel; i++) {
- rc = filename_trans_comp_read_one(a, fp);
- if (rc < 0)
- return rc;
- }
- }
- return SEPOL_OK;
-}
diff --git a/libsepol/src/conditional.c b/libsepol/src/conditional.c
index 7900e928..24380ea0 100644
--- a/libsepol/src/conditional.c
+++ b/libsepol/src/conditional.c
@@ -624,7 +624,6 @@ static int cond_insertf(avtab_t * a
struct policydb *p = data->p;
cond_av_list_t *other = data->other, *list, *cur;
avtab_ptr_t node_ptr;
- avtab_datum_t *existing;
uint8_t found;
/*
@@ -633,10 +632,7 @@ static int cond_insertf(avtab_t * a
* cond_te_avtab.
*/
if (k->specified & AVTAB_TYPE) {
- existing = avtab_search(&p->te_avtab, k);
- /* empty transition rule is not a conflict */
- if (existing && !(k->specified & AVTAB_TRANSITION
- && !existing->trans->otype)) {
+ if (avtab_search(&p->te_avtab, k)) {
WARN(NULL, "security: type rule already exists outside of a conditional.");
return -1;
}
diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index 878b0f21..6793a27d 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -1413,17 +1413,14 @@ static int expand_filename_trans_helper(expand_state_t *state,
{
uint32_t mapped_otype, present_otype;
int rc;
- avtab_key_t avt_key;
mapped_otype = state->typemap[rule->otype - 1];
- avt_key.specified = AVTAB_TRANSITION;
- avt_key.source_type = s + 1;
- avt_key.target_type = t + 1;
- avt_key.target_class = rule->tclass;
-
- rc = avtab_insert_filename_trans(&state->out->te_avtab, &avt_key,
- mapped_otype, rule->name, &present_otype);
+ rc = policydb_filetrans_insert(
+ state->out, s + 1, t + 1,
+ rule->tclass, rule->name,
+ NULL, mapped_otype, &present_otype
+ );
if (rc == SEPOL_EEXIST) {
/* duplicate rule, ignore */
if (present_otype == mapped_otype)
@@ -1737,16 +1734,6 @@ static int expand_terule_helper(sepol_handle_t * handle,
* either in the global scope or in another
* conditional AV tab */
node = avtab_search_node(&p->te_avtab, &avkey);
-
- /*
- * if node does not already contain transition, it is not a
- * conflict and transition otype will be set to node found by
- * find_avtab_node()
- */
- if (specified & AVRULE_TRANSITION && node &&
- !node->datum.trans->otype)
- node = NULL;
-
if (node) {
conflict = 1;
} else {
@@ -1754,10 +1741,6 @@ static int expand_terule_helper(sepol_handle_t * handle,
if (node && node->parse_context != other) {
conflict = 2;
}
- /*
- * conditional avtab does not contain filename
- * transitions, no need to check for otype == 0
- */
}
if (conflict) {
diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index 8ed695f1..316679cc 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
@@ -1700,24 +1700,14 @@ static char *xperms_to_str(avtab_extended_perms_t *xperms)
return xpermsbuf;
}
-static int name_trans_to_strs_helper(hashtab_key_t k, hashtab_datum_t d, void *a)
+static char *avtab_node_to_str(struct policydb *pdb, avtab_key_t *key, avtab_datum_t *datum)
{
- char *name = k;
- uint32_t *otype = d;
- name_trans_to_strs_args_t *args = a;
- return strs_create_and_add(args->strs, "(%s %s %s %s \"%s\" %s)", 6,
- args->flavor, args->src, args->tgt,
- args->class, name,
- args->pdb->p_type_val_to_name[*otype - 1]);
-}
-
-static int avtab_node_to_strs(struct policydb *pdb, avtab_key_t *key, avtab_datum_t *datum, struct strs *strs)
-{
- int rc = SEPOL_OK;
- uint32_t data = datum->data;
+ uint32_t data = key->specified & AVTAB_TRANSITION
+ ? datum->trans->otype : datum->data;
type_datum_t *type;
const char *flavor, *tgt;
char *src, *class, *perms, *new;
+ char *rule = NULL;
switch (0xFFF & key->specified) {
case AVTAB_ALLOWED:
@@ -1750,7 +1740,7 @@ static int avtab_node_to_strs(struct policydb *pdb, avtab_key_t *key, avtab_datu
break;
default:
ERR(NULL, "Unknown avtab type: %i", key->specified);
- return SEPOL_ERR;
+ goto exit;
}
src = pdb->p_type_val_to_name[key->source_type - 1];
@@ -1767,44 +1757,33 @@ static int avtab_node_to_strs(struct policydb *pdb, avtab_key_t *key, avtab_datu
perms = sepol_av_to_string(pdb, key->target_class, data);
if (perms == NULL) {
ERR(NULL, "Failed to generate permission string");
- return SEPOL_ERR;
+ goto exit;
}
- rc = strs_create_and_add(strs, "(%s %s %s (%s (%s)))", 5,
- flavor, src, tgt, class, perms + 1);
+ rule = create_str("(%s %s %s (%s (%s)))", 5,
+ flavor, src, tgt, class, perms+1);
} else if (key->specified & AVTAB_XPERMS) {
perms = xperms_to_str(datum->xperms);
if (perms == NULL) {
ERR(NULL, "Failed to generate extended permission string");
- return SEPOL_ERR;
+ goto exit;
}
- rc = strs_create_and_add(strs, "(%s %s %s (%s %s (%s)))", 6,
- flavor, src, tgt, "ioctl", class, perms);
- } else if (key->specified & AVTAB_TRANSITION) {
- if (datum->trans->otype) {
- rc = strs_create_and_add(strs, "(%s %s %s %s %s)", 5,
- flavor, src, tgt, class,
- pdb->p_type_val_to_name[datum->trans->otype - 1]);
- if (rc < 0)
- return rc;
- }
- name_trans_to_strs_args_t args = {
- .pdb = pdb,
- .strs = strs,
- .flavor = flavor,
- .src = src,
- .tgt = tgt,
- .class = class,
- };
- rc = hashtab_map(datum->trans->name_trans.table,
- name_trans_to_strs_helper, &args);
+ rule = create_str("(%s %s %s (%s %s (%s)))", 6,
+ flavor, src, tgt, "ioctl", class, perms);
} else {
new = pdb->p_type_val_to_name[data - 1];
- rc = strs_create_and_add(strs, "(%s %s %s %s %s)", 5, flavor, src, tgt, class, new);
+ rule = create_str("(%s %s %s %s %s)", 5, flavor, src, tgt, class, new);
}
- return rc;
+ if (!rule) {
+ goto exit;
+ }
+
+ return rule;
+
+exit:
+ return NULL;
}
struct map_avtab_args {
@@ -1819,12 +1798,23 @@ static int map_avtab_write_helper(avtab_key_t *key, avtab_datum_t *datum, void *
uint32_t flavor = map_args->flavor;
struct policydb *pdb = map_args->pdb;
struct strs *strs = map_args->strs;
+ char *rule;
int rc = 0;
if (key->specified & flavor) {
- rc = avtab_node_to_strs(pdb, key, datum, strs);
+ rule = avtab_node_to_str(pdb, key, datum);
+ if (!rule) {
+ rc = -1;
+ goto exit;
+ }
+ rc = strs_add(strs, rule);
+ if (rc != 0) {
+ free(rule);
+ goto exit;
+ }
}
+exit:
return rc;
}
@@ -1878,6 +1868,77 @@ exit:
return rc;
}
+struct map_filename_trans_args {
+ struct policydb *pdb;
+ struct strs *strs;
+};
+
+static int map_filename_trans_to_str(hashtab_key_t key, void *data, void *arg)
+{
+ filename_trans_key_t *ft = (filename_trans_key_t *)key;
+ filename_trans_datum_t *datum = data;
+ struct map_filename_trans_args *map_args = arg;
+ struct policydb *pdb = map_args->pdb;
+ struct strs *strs = map_args->strs;
+ char *src, *tgt, *class, *filename, *new;
+ struct ebitmap_node *node;
+ uint32_t bit;
+ int rc;
+
+ tgt = pdb->p_type_val_to_name[ft->ttype - 1];
+ class = pdb->p_class_val_to_name[ft->tclass - 1];
+ filename = ft->name;
+ do {
+ new = pdb->p_type_val_to_name[datum->otype - 1];
+
+ ebitmap_for_each_positive_bit(&datum->stypes, node, bit) {
+ src = pdb->p_type_val_to_name[bit];
+ rc = strs_create_and_add(strs,
+ "(typetransition %s %s %s \"%s\" %s)",
+ 5, src, tgt, class, filename, new);
+ if (rc)
+ return rc;
+ }
+
+ datum = datum->next;
+ } while (datum);
+
+ return 0;
+}
+
+static int write_filename_trans_rules_to_cil(FILE *out, struct policydb *pdb)
+{
+ struct map_filename_trans_args args;
+ struct strs *strs;
+ int rc = 0;
+
+ rc = strs_init(&strs, 100);
+ if (rc != 0) {
+ goto exit;
+ }
+
+ args.pdb = pdb;
+ args.strs = strs;
+
+ rc = hashtab_map(pdb->filename_trans, map_filename_trans_to_str, &args);
+ if (rc != 0) {
+ goto exit;
+ }
+
+ strs_sort(strs);
+ strs_write_each(strs, out);
+
+exit:
+ strs_free_all(strs);
+ strs_destroy(&strs);
+
+ if (rc != 0) {
+ ERR(NULL, "Error writing filename typetransition rules to CIL");
+ }
+
+ return rc;
+}
+
static char *level_to_str(struct policydb *pdb, struct mls_level *level)
{
ebitmap_t *cats = &level->cat;
@@ -1997,6 +2058,7 @@ static int write_cond_av_list_to_cil(FILE *out, struct policydb *pdb, cond_av_li
avtab_key_t *key;
avtab_datum_t *datum;
struct strs *strs;
+ char *rule;
unsigned i;
int rc;
@@ -2012,8 +2074,14 @@ static int write_cond_av_list_to_cil(FILE *out, struct policydb *pdb, cond_av_li
key = &node->key;
datum = &node->datum;
if (key->specified & flavor) {
- rc = avtab_node_to_strs(pdb, key, datum, strs);
+ rule = avtab_node_to_str(pdb, key, datum);
+ if (!rule) {
+ rc = -1;
+ goto exit;
+ }
+ rc = strs_add(strs, rule);
if (rc != 0) {
+ free(rule);
goto exit;
}
}
@@ -3261,6 +3329,11 @@ int sepol_kernel_policydb_to_cil(FILE *out, struct policydb *pdb)
goto exit;
}
+ rc = write_filename_trans_rules_to_cil(out, pdb);
+ if (rc != 0) {
+ goto exit;
+ }
+
if (pdb->mls) {
rc = write_range_trans_rules_to_cil(out, pdb);
if (rc != 0) {
diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h
index b8ea237d..9e567eb8 100644
--- a/libsepol/src/kernel_to_common.h
+++ b/libsepol/src/kernel_to_common.h
@@ -83,15 +83,6 @@ struct strs {
size_t size;
};
-typedef struct {
- policydb_t *pdb;
- struct strs *strs;
- const char *flavor;
- const char *src;
- const char *tgt;
- const char *class;
-} name_trans_to_strs_args_t;
-
void sepol_indent(FILE *out, int indent);
__attribute__ ((format(printf, 2, 3)))
void sepol_printf(FILE *out, const char *fmt, ...);
diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
index eb14ccf1..aa161b08 100644
--- a/libsepol/src/kernel_to_conf.c
+++ b/libsepol/src/kernel_to_conf.c
@@ -1678,24 +1678,13 @@ exit:
return rc;
}
-static int name_trans_to_strs_helper(hashtab_key_t k, hashtab_datum_t d, void *a)
+static char *avtab_node_to_str(struct policydb *pdb, avtab_key_t *key, avtab_datum_t *datum)
{
- char *name = k;
- uint32_t *otype = d;
- name_trans_to_strs_args_t *args = a;
- return strs_create_and_add(args->strs, "%s %s %s:%s %s \"%s\";", 6,
- args->flavor, args->src, args->tgt,
- args->class,
- args->pdb->p_type_val_to_name[*otype - 1],
- name);
-}
-
-static int avtab_node_to_strs(struct policydb *pdb, avtab_key_t *key, avtab_datum_t *datum, struct strs *strs)
-{
- int rc = SEPOL_OK;
- uint32_t data = datum->data;
+ uint32_t data = key->specified & AVTAB_TRANSITION
+ ? datum->trans->otype : datum->data;
type_datum_t *type;
const char *flavor, *src, *tgt, *class, *perms, *new;
+ char *rule = NULL;
switch (0xFFF & key->specified) {
case AVTAB_ALLOWED:
@@ -1728,7 +1717,7 @@ static int avtab_node_to_strs(struct policydb *pdb, avtab_key_t *key, avtab_datu
break;
default:
ERR(NULL, "Unknown avtab type: %i", key->specified);
- return SEPOL_ERR;
+ goto exit;
}
src = pdb->p_type_val_to_name[key->source_type - 1];
@@ -1745,42 +1734,32 @@ static int avtab_node_to_strs(struct policydb *pdb, avtab_key_t *key, avtab_datu
perms = sepol_av_to_string(pdb, key->target_class, data);
if (perms == NULL) {
ERR(NULL, "Failed to generate permission string");
- return SEPOL_ERR;
+ goto exit;
}
- rc = strs_create_and_add(strs, "%s %s %s:%s { %s };", 5,
- flavor, src, tgt, class, perms + 1);
+ rule = create_str("%s %s %s:%s { %s };", 5,
+ flavor, src, tgt, class, perms+1);
} else if (key->specified & AVTAB_XPERMS) {
perms = sepol_extended_perms_to_string(datum->xperms);
if (perms == NULL) {
ERR(NULL, "Failed to generate extended permission string");
- return SEPOL_ERR;
- }
- rc = strs_create_and_add(strs, "%s %s %s:%s %s;", 5, flavor, src, tgt, class, perms);
- } else if (key->specified & AVTAB_TRANSITION) {
- if (datum->trans->otype) {
- rc = strs_create_and_add(strs, "%s %s %s:%s %s;", 5,
- flavor, src, tgt, class,
- pdb->p_type_val_to_name[datum->trans->otype - 1]);
- if (rc < 0)
- return rc;
+ goto exit;
}
- name_trans_to_strs_args_t args = {
- .pdb = pdb,
- .strs = strs,
- .flavor = flavor,
- .src = src,
- .tgt = tgt,
- .class = class,
- };
- rc = hashtab_map(datum->trans->name_trans.table,
- name_trans_to_strs_helper, &args);
+
+ rule = create_str("%s %s %s:%s %s;", 5, flavor, src, tgt, class, perms);
} else {
new = pdb->p_type_val_to_name[data - 1];
- rc = strs_create_and_add(strs, "%s %s %s:%s %s;", 5, flavor, src, tgt, class, new);
+ rule = create_str("%s %s %s:%s %s;", 5, flavor, src, tgt, class, new);
}
- return rc;
+ if (!rule) {
+ goto exit;
+ }
+
+ return rule;
+
+exit:
+ return NULL;
}
struct map_avtab_args {
@@ -1795,12 +1774,23 @@ static int map_avtab_write_helper(avtab_key_t *key, avtab_datum_t *datum, void *
uint32_t flavor = map_args->flavor;
struct policydb *pdb = map_args->pdb;
struct strs *strs = map_args->strs;
+ char *rule;
int rc = 0;
if (key->specified & flavor) {
- rc = avtab_node_to_strs(pdb, key, datum, strs);
+ rule = avtab_node_to_str(pdb, key, datum);
+ if (!rule) {
+ rc = -1;
+ goto exit;
+ }
+ rc = strs_add(strs, rule);
+ if (rc != 0) {
+ free(rule);
+ goto exit;
+ }
}
+exit:
return rc;
}
@@ -1854,6 +1844,77 @@ exit:
return rc;
}
+struct map_filename_trans_args {
+ struct policydb *pdb;
+ struct strs *strs;
+};
+
+static int map_filename_trans_to_str(hashtab_key_t key, void *data, void *arg)
+{
+ filename_trans_key_t *ft = (filename_trans_key_t *)key;
+ filename_trans_datum_t *datum = data;
+ struct map_filename_trans_args *map_args = arg;
+ struct policydb *pdb = map_args->pdb;
+ struct strs *strs = map_args->strs;
+ char *src, *tgt, *class, *filename, *new;
+ struct ebitmap_node *node;
+ uint32_t bit;
+ int rc;
+
+ tgt = pdb->p_type_val_to_name[ft->ttype - 1];
+ class = pdb->p_class_val_to_name[ft->tclass - 1];
+ filename = ft->name;
+ do {
+ new = pdb->p_type_val_to_name[datum->otype - 1];
+
+ ebitmap_for_each_positive_bit(&datum->stypes, node, bit) {
+ src = pdb->p_type_val_to_name[bit];
+ rc = strs_create_and_add(strs,
+ "type_transition %s %s:%s %s \"%s\";",
+ 5, src, tgt, class, new, filename);
+ if (rc)
+ return rc;
+ }
+
+ datum = datum->next;
+ } while (datum);
+
+ return 0;
+}
+
+static int write_filename_trans_rules_to_conf(FILE *out, struct policydb *pdb)
+{
+ struct map_filename_trans_args args;
+ struct strs *strs;
+ int rc = 0;
+
+ rc = strs_init(&strs, 100);
+ if (rc != 0) {
+ goto exit;
+ }
+
+ args.pdb = pdb;
+ args.strs = strs;
+
+ rc = hashtab_map(pdb->filename_trans, map_filename_trans_to_str, &args);
+ if (rc != 0) {
+ goto exit;
+ }
+
+ strs_sort(strs);
+ strs_write_each(strs, out);
+
+exit:
+ strs_free_all(strs);
+ strs_destroy(&strs);
+
+ if (rc != 0) {
+ ERR(NULL, "Error writing filename typetransition rules to policy.conf");
+ }
+
+ return rc;
+}
+
static char *level_to_str(struct policydb *pdb, struct mls_level *level)
{
ebitmap_t *cats = &level->cat;
@@ -1973,6 +2034,7 @@ static int write_cond_av_list_to_conf(FILE *out, struct policydb *pdb, cond_av_l
avtab_key_t *key;
avtab_datum_t *datum;
struct strs *strs;
+ char *rule;
unsigned i;
int rc;
@@ -1988,8 +2050,14 @@ static int write_cond_av_list_to_conf(FILE *out, struct policydb *pdb, cond_av_l
key = &node->key;
datum = &node->datum;
if (key->specified & flavor) {
- rc = avtab_node_to_strs(pdb, key, datum, strs);
+ rule = avtab_node_to_str(pdb, key, datum);
+ if (!rule) {
+ rc = -1;
+ goto exit;
+ }
+ rc = strs_add(strs, rule);
if (rc != 0) {
+ free(rule);
goto exit;
}
}
@@ -3135,6 +3203,7 @@ int sepol_kernel_policydb_to_conf(FILE *out, struct policydb *pdb)
if (rc != 0) {
goto exit;
}
+ write_filename_trans_rules_to_conf(out, pdb);
if (pdb->mls) {
rc = write_range_trans_rules_to_conf(out, pdb);
diff --git a/libsepol/src/optimize.c b/libsepol/src/optimize.c
index 7948d983..2d4a2d7a 100644
--- a/libsepol/src/optimize.c
+++ b/libsepol/src/optimize.c
@@ -308,10 +308,8 @@ static void optimize_avtab(policydb_t *p, const struct type_vec *type_map)
*cur = tmp->next;
if (tmp->key.specified & AVTAB_XPERMS)
free(tmp->datum.xperms);
- if (tmp->key.specified & AVTAB_TRANSITION) {
- avtab_trans_destroy(tmp->datum.trans);
+ if (tmp->key.specified & AVTAB_TRANSITION)
free(tmp->datum.trans);
- }
free(tmp);
tab->nel--;
@@ -431,10 +429,8 @@ static void optimize_cond_avtab(policydb_t *p, const struct type_vec *type_map)
*cur = tmp->next;
if (tmp->key.specified & AVTAB_XPERMS)
free(tmp->datum.xperms);
- if (tmp->key.specified & AVTAB_TRANSITION) {
- avtab_trans_destroy(tmp->datum.trans);
+ if (tmp->key.specified & AVTAB_TRANSITION)
free(tmp->datum.trans);
- }
free(tmp);
tab->nel--;
diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index c1ce9c34..605d290a 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -801,6 +801,47 @@ static int roles_init(policydb_t * p)
goto out;
}
+ignore_unsigned_overflow_
+static inline unsigned long
+partial_name_hash(unsigned long c, unsigned long prevhash)
+{
+ return (prevhash + (c << 4) + (c >> 4)) * 11;
+}
+
+static unsigned int filenametr_hash(hashtab_t h, const_hashtab_key_t k)
+{
+ const filename_trans_key_t *ft = (const filename_trans_key_t *)k;
+ unsigned long hash;
+ unsigned int byte_num;
+ unsigned char focus;
+
+ hash = ft->ttype ^ ft->tclass;
+
+ byte_num = 0;
+ while ((focus = ft->name[byte_num++]))
+ hash = partial_name_hash(focus, hash);
+ return hash & (h->size - 1);
+}
+
+static int filenametr_cmp(hashtab_t h __attribute__ ((unused)),
+ const_hashtab_key_t k1, const_hashtab_key_t k2)
+{
+ const filename_trans_key_t *ft1 = (const filename_trans_key_t *)k1;
+ const filename_trans_key_t *ft2 = (const filename_trans_key_t *)k2;
+ int v;
+
+ v = spaceship_cmp(ft1->ttype, ft2->ttype);
+ if (v)
+ return v;
+
+ v = spaceship_cmp(ft1->tclass, ft2->tclass);
+ if (v)
+ return v;
+
+ return strcmp(ft1->name, ft2->name);
+
+}
+
static unsigned int rangetr_hash(hashtab_t h, const_hashtab_key_t k)
{
const struct range_trans *key = (const struct range_trans *)k;
@@ -868,6 +909,12 @@ int policydb_init(policydb_t * p)
if (rc)
goto err;
+ p->filename_trans = hashtab_create(filenametr_hash, filenametr_cmp, (1 << 10));
+ if (!p->filename_trans) {
+ rc = -ENOMEM;
+ goto err;
+ }
+
p->range_tr = hashtab_create(rangetr_hash, rangetr_cmp, 256);
if (!p->range_tr) {
rc = -ENOMEM;
@@ -879,6 +926,7 @@ int policydb_init(policydb_t * p)
return 0;
err:
+ hashtab_destroy(p->filename_trans);
hashtab_destroy(p->range_tr);
for (i = 0; i < SYM_NUM; i++) {
hashtab_destroy(p->symtab[i].table);
@@ -1364,6 +1412,23 @@ static int (*destroy_f[SYM_NUM]) (hashtab_key_t key, hashtab_datum_t datum,
common_destroy, class_destroy, role_destroy, type_destroy, user_destroy,
cond_destroy_bool, sens_destroy, cat_destroy,};
+static int filenametr_destroy(hashtab_key_t key, hashtab_datum_t datum,
+ void *p __attribute__ ((unused)))
+{
+ filename_trans_key_t *ft = (filename_trans_key_t *)key;
+ filename_trans_datum_t *fd = datum, *next;
+
+ free(ft->name);
+ free(key);
+ do {
+ next = fd->next;
+ ebitmap_destroy(&fd->stypes);
+ free(fd);
+ fd = next;
+ } while (fd);
+ return 0;
+}
+
static int range_tr_destroy(hashtab_key_t key, hashtab_datum_t datum,
void *p __attribute__ ((unused)))
{
@@ -1499,6 +1564,9 @@ void policydb_destroy(policydb_t * p)
if (lra)
free(lra);
+ hashtab_map(p->filename_trans, filenametr_destroy, NULL);
+ hashtab_destroy(p->filename_trans);
+
hashtab_map(p->range_tr, range_tr_destroy, NULL);
hashtab_destroy(p->range_tr);
@@ -2528,6 +2596,279 @@ static int role_allow_read(role_allow_t ** r, struct policy_file *fp)
return 0;
}
+int policydb_filetrans_insert(policydb_t *p, uint32_t stype, uint32_t ttype,
+ uint32_t tclass, const char *name,
+ char **name_alloc, uint32_t otype,
+ uint32_t *present_otype)
+{
+ filename_trans_key_t *ft, key;
+ filename_trans_datum_t *datum, *last;
+
+ key.ttype = ttype;
+ key.tclass = tclass;
+ key.name = (char *)name;
+
+ last = NULL;
+ datum = hashtab_search(p->filename_trans, (hashtab_key_t)&key);
+ while (datum) {
+ if (ebitmap_get_bit(&datum->stypes, stype - 1)) {
+ if (present_otype)
+ *present_otype = datum->otype;
+ return SEPOL_EEXIST;
+ }
+ if (datum->otype == otype)
+ break;
+ last = datum;
+ datum = datum->next;
+ }
+ if (!datum) {
+ datum = malloc(sizeof(*datum));
+ if (!datum)
+ return SEPOL_ENOMEM;
+
+ ebitmap_init(&datum->stypes);
+ datum->otype = otype;
+ datum->next = NULL;
+
+ if (last) {
+ last->next = datum;
+ } else {
+ char *name_dup;
+
+ if (name_alloc) {
+ name_dup = *name_alloc;
+ *name_alloc = NULL;
+ } else {
+ name_dup = strdup(name);
+ if (!name_dup) {
+ free(datum);
+ return SEPOL_ENOMEM;
+ }
+ }
+
+ ft = malloc(sizeof(*ft));
+ if (!ft) {
+ free(name_dup);
+ free(datum);
+ return SEPOL_ENOMEM;
+ }
+
+ ft->ttype = ttype;
+ ft->tclass = tclass;
+ ft->name = name_dup;
+
+ if (hashtab_insert(p->filename_trans, (hashtab_key_t)ft,
+ (hashtab_datum_t)datum)) {
+ free(name_dup);
+ free(datum);
+ free(ft);
+ return SEPOL_ENOMEM;
+ }
+ }
+ }
+
+ p->filename_trans_count++;
+ return ebitmap_set_bit(&datum->stypes, stype - 1, 1);
+}
+
+static int filename_trans_read_one_compat(policydb_t *p, struct policy_file *fp)
+{
+ uint32_t buf[4], len, stype, ttype, tclass, otype;
+ char *name = NULL;
+ int rc;
+
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ return -1;
+ len = le32_to_cpu(buf[0]);
+ if (zero_or_saturated(len))
+ return -1;
+
+ name = calloc(len + 1, sizeof(*name));
+ if (!name)
+ return -1;
+
+ rc = next_entry(name, fp, len);
+ if (rc < 0)
+ goto err;
+
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 4);
+ if (rc < 0)
+ goto err;
+
+ stype = le32_to_cpu(buf[0]);
+ if (stype == 0)
+ goto err;
+
+ ttype = le32_to_cpu(buf[1]);
+ tclass = le32_to_cpu(buf[2]);
+ otype = le32_to_cpu(buf[3]);
+
+ rc = policydb_filetrans_insert(p, stype, ttype, tclass, name, &name,
+ otype, NULL);
+ if (rc) {
+ if (rc != SEPOL_EEXIST)
+ goto err;
+ /*
+ * Some old policies were wrongly generated with
+ * duplicate filename transition rules. For backward
+ * compatibility, do not reject such policies, just
+ * ignore the duplicate.
+ */
+ }
+ free(name);
+ return 0;
+err:
+ free(name);
+ return -1;
+}
+
+static int filename_trans_check_datum(filename_trans_datum_t *datum)
+{
+ ebitmap_t stypes, otypes;
+ int rc = -1;
+
+ ebitmap_init(&stypes);
+ ebitmap_init(&otypes);
+
+ while (datum) {
+ if (ebitmap_get_bit(&otypes, datum->otype))
+ goto out;
+
+ if (ebitmap_set_bit(&otypes, datum->otype, 1))
+ goto out;
+
+ if (ebitmap_match_any(&stypes, &datum->stypes))
+ goto out;
+
+ if (ebitmap_union(&stypes, &datum->stypes))
+ goto out;
+
+ datum = datum->next;
+ }
+ rc = 0;
+out:
+ ebitmap_destroy(&stypes);
+ ebitmap_destroy(&otypes);
+ return rc;
+}
+
+static int filename_trans_read_one(policydb_t *p, struct policy_file *fp)
+{
+ filename_trans_key_t *ft = NULL;
+ filename_trans_datum_t **dst, *datum, *first = NULL;
+ unsigned int i;
+ uint32_t buf[3], len, ttype, tclass, ndatum;
+ char *name = NULL;
+ int rc;
+
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ return -1;
+ len = le32_to_cpu(buf[0]);
+ if (zero_or_saturated(len))
+ return -1;
+
+ name = calloc(len + 1, sizeof(*name));
+ if (!name)
+ return -1;
+
+ rc = next_entry(name, fp, len);
+ if (rc < 0)
+ goto err;
+
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 3);
+ if (rc < 0)
+ goto err;
+
+ ttype = le32_to_cpu(buf[0]);
+ tclass = le32_to_cpu(buf[1]);
+ ndatum = le32_to_cpu(buf[2]);
+ if (ndatum == 0)
+ goto err;
+
+ dst = &first;
+ for (i = 0; i < ndatum; i++) {
+ datum = malloc(sizeof(*datum));
+ if (!datum)
+ goto err;
+
+ datum->next = NULL;
+ *dst = datum;
+
+ /* ebitmap_read() will at least init the bitmap */
+ rc = ebitmap_read(&datum->stypes, fp);
+ if (rc < 0)
+ goto err;
+
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ goto err;
+
+ datum->otype = le32_to_cpu(buf[0]);
+
+ p->filename_trans_count += ebitmap_cardinality(&datum->stypes);
+
+ dst = &datum->next;
+ }
+
+ if (ndatum > 1 && filename_trans_check_datum(first))
+ goto err;
+
+ ft = malloc(sizeof(*ft));
+ if (!ft)
+ goto err;
+
+ ft->ttype = ttype;
+ ft->tclass = tclass;
+ ft->name = name;
+
+ rc = hashtab_insert(p->filename_trans, (hashtab_key_t)ft,
+ (hashtab_datum_t)first);
+ if (rc)
+ goto err;
+
+ return 0;
+err:
+ free(ft);
+ free(name);
+ while (first) {
+ datum = first;
+ first = first->next;
+
+ ebitmap_destroy(&datum->stypes);
+ free(datum);
+ }
+ return -1;
+}
+
+static int filename_trans_read(policydb_t *p, struct policy_file *fp)
+{
+ unsigned int i;
+ uint32_t buf[1], nel;
+ int rc;
+
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ return -1;
+ nel = le32_to_cpu(buf[0]);
+
+ if (p->policyvers < POLICYDB_VERSION_COMP_FTRANS) {
+ for (i = 0; i < nel; i++) {
+ rc = filename_trans_read_one_compat(p, fp);
+ if (rc < 0)
+ return -1;
+ }
+ } else {
+ for (i = 0; i < nel; i++) {
+ rc = filename_trans_read_one(p, fp);
+ if (rc < 0)
+ return -1;
+ }
+ }
+ return 0;
+}
+
static int ocontext_read_xen(const struct policydb_compat_info *info,
policydb_t *p, struct policy_file *fp)
{
@@ -4129,7 +4470,7 @@ int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose)
if (role_allow_read(&p->role_allow, fp))
goto bad;
if (r_policyvers >= POLICYDB_VERSION_FILENAME_TRANS &&
- avtab_filename_trans_read(fp, r_policyvers, &p->te_avtab))
+ filename_trans_read(p, fp))
goto bad;
} else {
/* first read the AV rule blocks, then the scope tables */
diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
index 89306185..f402b506 100644
--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@@ -829,18 +829,6 @@ static int validate_xperms(const avtab_extended_perms_t *xperms)
bad:
return -1;
}
-
-static int validate_name_trans_helper(hashtab_key_t k __attribute__ ((unused)),
- hashtab_datum_t d, void *a)
-{
- uint32_t *otype = d;
- map_arg_t *margs = a;
-
- if (validate_simpletype(*otype, margs->policy, margs->flavors))
- return -1;
- return 0;
-}
-
static int validate_avtab_key_and_datum(avtab_key_t *k, avtab_datum_t *d, void *args)
{
map_arg_t *margs = args;
@@ -848,23 +836,10 @@ static int validate_avtab_key_and_datum(avtab_key_t *k, avtab_datum_t *d, void *
if (validate_avtab_key(k, 0, margs->policy, margs->flavors))
return -1;
- if (k->specified & AVTAB_TRANSITION) {
- /* if otype is set (non-zero), it must by a valid simple type */
- if (d->trans->otype && validate_simpletype(d->trans->otype, margs->policy, margs->flavors))
- return -1;
-
- /* also each transition must be non empty */
- if (!d->trans->otype &&
- !hashtab_nel(d->trans->name_trans.table))
- return -1;
-
- /* and each filename transition must be also valid */
- if (hashtab_map(d->trans->name_trans.table,
- validate_name_trans_helper, margs))
- return -1;
- } else if ((k->specified & AVTAB_TYPE) && validate_simpletype(d->data, margs->policy, margs->flavors)) {
+ uint32_t otype = k->specified & AVTAB_TRANSITION
+ ? d->trans->otype : d->data;
+ if ((k->specified & AVTAB_TYPE) && validate_simpletype(otype, margs->policy, margs->flavors))
return -1;
- }
if ((k->specified & AVTAB_XPERMS) && validate_xperms(d->xperms))
return -1;
@@ -1117,6 +1092,41 @@ bad:
return -1;
}
+static int validate_filename_trans(hashtab_key_t k, hashtab_datum_t d, void *args)
+{
+ const filename_trans_key_t *ftk = (filename_trans_key_t *)k;
+ const filename_trans_datum_t *ftd = d;
+ validate_t *flavors = (validate_t *)args;
+
+ if (validate_value(ftk->ttype, &flavors[SYM_TYPES]))
+ goto bad;
+ if (validate_value(ftk->tclass, &flavors[SYM_CLASSES]))
+ goto bad;
+ if (!ftd)
+ goto bad;
+ for (; ftd; ftd = ftd->next) {
+ if (validate_ebitmap(&ftd->stypes, &flavors[SYM_TYPES]))
+ goto bad;
+ if (validate_value(ftd->otype, &flavors[SYM_TYPES]))
+ goto bad;
+ }
+
+ return 0;
+
+bad:
+ return -1;
+}
+
+static int validate_filename_trans_hashtab(sepol_handle_t *handle, hashtab_t filename_trans, validate_t flavors[])
+{
+ if (hashtab_map(filename_trans, validate_filename_trans, flavors)) {
+ ERR(handle, "Invalid filename trans");
+ return -1;
+ }
+
+ return 0;
+}
+
static int validate_context(const context_struct_t *con, validate_t flavors[], int mls)
{
if (validate_value(con->user, &flavors[SYM_USERS]))
@@ -1546,6 +1556,9 @@ int policydb_validate(sepol_handle_t *handle, const policydb_t *p)
goto bad;
if (validate_role_allows(handle, p->role_allow, flavors))
goto bad;
+ if (p->policyvers >= POLICYDB_VERSION_FILENAME_TRANS)
+ if (validate_filename_trans_hashtab(handle, p->filename_trans, flavors))
+ goto bad;
} else {
if (validate_avrule_blocks(handle, p->global, p, flavors))
goto bad;
diff --git a/libsepol/src/write.c b/libsepol/src/write.c
index c4d593ab..0d3d5f14 100644
--- a/libsepol/src/write.c
+++ b/libsepol/src/write.c
@@ -116,14 +116,6 @@ static int avtab_write_item(policydb_t * p,
&& p->policyvers < POLICYDB_VERSION_AVTAB);
unsigned int i;
- /* skip entries which only contain filename transitions */
- if (cur->key.specified & AVTAB_TRANSITION && !cur->datum.trans->otype) {
- /* if oldvers, reduce nel, because this node will be skipped */
- if (oldvers && nel)
- (*nel)--;
- return 0;
- }
-
if (oldvers) {
/* Generate the old avtab format.
Requires merging similar entries if uncond avtab. */
@@ -321,23 +313,8 @@ static int avtab_write(struct policydb *p, avtab_t * a, struct policy_file *fp)
avtab_reset_merged(a);
nel = a->nel;
} else {
- /*
- * New avtab format. nel is good to go unless we need to skip
- * filename transitions.
- */
- nel = a->nel;
- /*
- * entries containing only filename transitions are skipped and
- * written out later
- */
- for (i = 0; i < a->nslot; i++) {
- for (cur = a->htable[i]; cur; cur = cur->next) {
- if (cur->key.specified & AVTAB_TRANSITION &&
- !cur->datum.trans->otype)
- nel--;
- }
- }
- nel = cpu_to_le32(nel);
+ /* New avtab format. nel is good to go. */
+ nel = cpu_to_le32(a->nel);
items = put_entry(&nel, sizeof(uint32_t), 1, fp);
if (items != 1)
return POLICYDB_ERROR;
@@ -381,307 +358,6 @@ static int avtab_write(struct policydb *p, avtab_t * a, struct policy_file *fp)
return rc;
}
-/* policydb filename transition compatibility */
-
-typedef struct filenametr_key {
- uint32_t ttype;
- uint32_t tclass;
- char *name;
-} filenametr_key_t;
-
-typedef struct filenametr_datum {
- ebitmap_t stypes;
- uint32_t otype;
- struct filenametr_datum *next;
-} filenametr_datum_t;
-
-ignore_unsigned_overflow_
-static inline unsigned long
-partial_name_hash(unsigned long c, unsigned long prevhash)
-{
- return (prevhash + (c << 4) + (c >> 4)) * 11;
-}
-
-static unsigned int filenametr_hash(hashtab_t h, const_hashtab_key_t k)
-{
- const filenametr_key_t *ft = (const filenametr_key_t *)k;
- unsigned long hash;
- unsigned int byte_num;
- unsigned char focus;
-
- hash = ft->ttype ^ ft->tclass;
-
- byte_num = 0;
- while ((focus = ft->name[byte_num++]))
- hash = partial_name_hash(focus, hash);
- return hash & (h->size - 1);
-}
-
-static int filenametr_cmp(hashtab_t h __attribute__ ((unused)),
- const_hashtab_key_t k1, const_hashtab_key_t k2)
-{
- const filenametr_key_t *ft1 = (const filenametr_key_t *)k1;
- const filenametr_key_t *ft2 = (const filenametr_key_t *)k2;
- int v;
-
- v = spaceship_cmp(ft1->ttype, ft2->ttype);
- if (v)
- return v;
-
- v = spaceship_cmp(ft1->tclass, ft2->tclass);
- if (v)
- return v;
-
- return strcmp(ft1->name, ft2->name);
-}
-
-static int filenametr_destroy(hashtab_key_t key, hashtab_datum_t datum,
- void *p __attribute__ ((unused)))
-{
- filenametr_key_t *ft = (filenametr_key_t *)key;
- filenametr_datum_t *fd = datum, *next;
-
- free(ft->name);
- free(key);
- do {
- next = fd->next;
- ebitmap_destroy(&fd->stypes);
- free(fd);
- fd = next;
- } while (fd);
- return 0;
-}
-
-typedef struct {
- void *fp;
- avtab_key_t *key;
-} name_trans_write_args_t;
-
-static int name_trans_write_helper(hashtab_key_t k, hashtab_datum_t d, void *a)
-{
- char *name = k;
- uint32_t *otype = d;
- name_trans_write_args_t *args = a;
- size_t items;
- uint32_t len, buf[4];
-
- len = strlen(name);
- buf[0] = cpu_to_le32(len);
- items = put_entry(buf, sizeof(uint32_t), 1, args->fp);
- if (items != 1)
- return -1;
-
- items = put_entry(name, sizeof(char), len,args-> fp);
- if (items != len)
- return -1;
-
- buf[0] = cpu_to_le32(args->key->source_type);
- buf[1] = cpu_to_le32(args->key->target_type);
- buf[2] = cpu_to_le32(args->key->target_class);
- buf[3] = cpu_to_le32(*otype);
-
- items = put_entry(buf, sizeof(uint32_t), 4, args->fp);
- if (items != 4)
- return -1;
- return 0;
-}
-
-typedef struct {
- hashtab_t fnts_tab;
- avtab_key_t *av_key;
-} name_trans_insert_args_t;
-
-static int name_trans_insert_helper(hashtab_key_t k, hashtab_datum_t d, void *a)
-{
- char *name = k;
- uint32_t *otype = d;
- name_trans_insert_args_t *args = a;
- filenametr_key_t key, *ft = NULL;
- filenametr_datum_t *last, *datum = NULL;
- int rc;
-
- key.ttype = args->av_key->target_type;
- key.tclass = args->av_key->target_class;
- key.name = name;
-
- last = NULL;
- datum = hashtab_search(args->fnts_tab, (hashtab_key_t)&key);
- while (datum) {
- if (ebitmap_get_bit(&datum->stypes, args->av_key->source_type - 1)) {
- datum = NULL;
- goto bad;
- }
- if (datum->otype == *otype)
- break;
- last = datum;
- datum = datum->next;
- }
- if (!datum) {
- datum = malloc(sizeof(filenametr_datum_t));
- if (!datum)
- goto bad;
-
- ebitmap_init(&datum->stypes);
- datum->otype = *otype;
- datum->next = NULL;
-
- if (last) {
- last->next = datum;
- } else {
- ft = malloc(sizeof(filenametr_key_t));
- if (!ft)
- goto bad;
-
- ft->ttype = args->av_key->target_type;
- ft->tclass = args->av_key->target_class;
- ft->name = strdup(name);
- if (!ft->name)
- goto bad;
-
- rc = hashtab_insert(args->fnts_tab, (hashtab_key_t)ft, datum);
- if (rc)
- goto bad;
- }
- }
-
- return ebitmap_set_bit(&datum->stypes, args->av_key->source_type - 1, 1);
-
-bad:
- if (ft != NULL)
- free(ft->name);
- free(ft);
- free(datum);
- return -1;
-}
-
-static int filenametr_comp_write_one(hashtab_key_t key, void *data, void *ptr)
-{
- uint32_t buf[3];
- size_t items, len, ndatum;
- filenametr_key_t *ft = (filenametr_key_t *)key;
- filenametr_datum_t *datum;
- void *fp = ptr;
-
- len = strlen(ft->name);
- buf[0] = cpu_to_le32(len);
- items = put_entry(buf, sizeof(uint32_t), 1, fp);
- if (items != 1)
- return POLICYDB_ERROR;
-
- items = put_entry(ft->name, sizeof(char), len, fp);
- if (items != len)
- return POLICYDB_ERROR;
-
- ndatum = 0;
- datum = data;
- do {
- ndatum++;
- datum = datum->next;
- } while (datum);
-
- buf[0] = cpu_to_le32(ft->ttype);
- buf[1] = cpu_to_le32(ft->tclass);
- buf[2] = cpu_to_le32(ndatum);
- items = put_entry(buf, sizeof(uint32_t), 3, fp);
- if (items != 3)
- return POLICYDB_ERROR;
-
- datum = data;
- do {
- if (ebitmap_write(&datum->stypes, fp))
- return POLICYDB_ERROR;
-
- buf[0] = cpu_to_le32(datum->otype);
- items = put_entry(buf, sizeof(uint32_t), 1, fp);
- if (items != 1)
- return POLICYDB_ERROR;
-
- datum = datum->next;
- } while (datum);
-
- return 0;
-}
-
-static int avtab_filename_trans_write(policydb_t *pol, avtab_t *a,
- policy_file_t *fp)
-{
- policydb_t *p = pol;
- uint32_t buf[1];
- int rc;
- size_t items;
- uint32_t i, nel = 0;
- struct avtab_node *cur;
- hashtab_t fnts_tab;
- name_trans_write_args_t write_args = { .fp = fp };
- name_trans_insert_args_t insert_args;
-
- /* count number of filename transitions */
- for (i = 0; i < a->nslot; i++) {
- for (cur = a->htable[i]; cur; cur = cur->next) {
- if (cur->key.specified & AVTAB_TRANSITION) {
- nel += hashtab_nel(cur->datum.trans->name_trans.table);
- }
- }
- }
-
- if (p->policyvers < POLICYDB_VERSION_COMP_FTRANS) {
- buf[0] = cpu_to_le32(nel);
- items = put_entry(buf, sizeof(uint32_t), 1, fp);
- if (items != 1)
- return -1;
-
- /* write filename transitions */
- for (i = 0; i < a->nslot; i++) {
- for (cur = a->htable[i]; cur; cur = cur->next) {
- if (cur->key.specified & AVTAB_TRANSITION) {
- write_args.key = &cur->key;
- rc = hashtab_map(cur->datum.trans->name_trans.table,
- name_trans_write_helper,
- &write_args);
- if (rc)
- return -1;
- }
- }
- }
- return 0;
- }
-
- /* init filename transitions */
- fnts_tab = hashtab_create(filenametr_hash, filenametr_cmp, nel);
- if (!fnts_tab)
- return -1;
- insert_args.fnts_tab = fnts_tab;
-
- for (i = 0; i < a->nslot; i++) {
- for (cur = a->htable[i]; cur; cur = cur->next) {
- if (cur->key.specified & AVTAB_TRANSITION) {
- insert_args.av_key = &cur->key;
- rc = hashtab_map(cur->datum.trans->name_trans.table,
- name_trans_insert_helper,
- &insert_args);
- }
- }
- }
-
- rc = -1;
- /* write compressed filename transitions */
- buf[0] = cpu_to_le32(fnts_tab->nel);
- items = put_entry(buf, sizeof(uint32_t), 1, fp);
- if (items != 1)
- goto out;
-
- rc = hashtab_map(fnts_tab, filenametr_comp_write_one, fp);
-
-out:
- /* destroy temp filename transitions table */
- hashtab_map(fnts_tab, filenametr_destroy, NULL);
- hashtab_destroy(fnts_tab);
-
- return rc ? -1 : 0;
-}
-
-/* end policydb filename transition compatibility */
-
/*
* Write a semantic MLS level structure to a policydb binary
* representation file.
@@ -904,6 +580,118 @@ static int role_allow_write(role_allow_t * r, struct policy_file *fp)
return POLICYDB_SUCCESS;
}
+static int filename_write_one_compat(hashtab_key_t key, void *data, void *ptr)
+{
+ uint32_t bit, buf[4];
+ size_t items, len;
+ filename_trans_key_t *ft = (filename_trans_key_t *)key;
+ filename_trans_datum_t *datum = data;
+ ebitmap_node_t *node;
+ void *fp = ptr;
+
+ len = strlen(ft->name);
+ do {
+ ebitmap_for_each_positive_bit(&datum->stypes, node, bit) {
+ buf[0] = cpu_to_le32(len);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+
+ items = put_entry(ft->name, sizeof(char), len, fp);
+ if (items != len)
+ return POLICYDB_ERROR;
+
+ buf[0] = cpu_to_le32(bit + 1);
+ buf[1] = cpu_to_le32(ft->ttype);
+ buf[2] = cpu_to_le32(ft->tclass);
+ buf[3] = cpu_to_le32(datum->otype);
+ items = put_entry(buf, sizeof(uint32_t), 4, fp);
+ if (items != 4)
+ return POLICYDB_ERROR;
+ }
+
+ datum = datum->next;
+ } while (datum);
+
+ return 0;
+}
+
+static int filename_write_one(hashtab_key_t key, void *data, void *ptr)
+{
+ uint32_t buf[3];
+ size_t items, len, ndatum;
+ filename_trans_key_t *ft = (filename_trans_key_t *)key;
+ filename_trans_datum_t *datum;
+ void *fp = ptr;
+
+ len = strlen(ft->name);
+ buf[0] = cpu_to_le32(len);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+
+ items = put_entry(ft->name, sizeof(char), len, fp);
+ if (items != len)
+ return POLICYDB_ERROR;
+
+ ndatum = 0;
+ datum = data;
+ do {
+ ndatum++;
+ datum = datum->next;
+ } while (datum);
+
+ buf[0] = cpu_to_le32(ft->ttype);
+ buf[1] = cpu_to_le32(ft->tclass);
+ buf[2] = cpu_to_le32(ndatum);
+ items = put_entry(buf, sizeof(uint32_t), 3, fp);
+ if (items != 3)
+ return POLICYDB_ERROR;
+
+ datum = data;
+ do {
+ if (ebitmap_write(&datum->stypes, fp))
+ return POLICYDB_ERROR;
+
+ buf[0] = cpu_to_le32(datum->otype);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+
+ datum = datum->next;
+ } while (datum);
+
+ return 0;
+}
+
+static int filename_trans_write(struct policydb *p, void *fp)
+{
+ size_t items;
+ uint32_t buf[1];
+ int rc;
+
+ if (p->policyvers < POLICYDB_VERSION_FILENAME_TRANS)
+ return 0;
+
+ if (p->policyvers < POLICYDB_VERSION_COMP_FTRANS) {
+ buf[0] = cpu_to_le32(p->filename_trans_count);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+
+ rc = hashtab_map(p->filename_trans, filename_write_one_compat,
+ fp);
+ } else {
+ buf[0] = cpu_to_le32(p->filename_trans->nel);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+
+ rc = hashtab_map(p->filename_trans, filename_write_one, fp);
+ }
+ return rc;
+}
+
static int role_set_write(role_set_t * x, struct policy_file *fp)
{
size_t items;
@@ -2414,21 +2202,6 @@ static int role_attr_uncount(hashtab_key_t key __attribute__ ((unused)),
return 0;
}
-static int avtab_has_filename_transitions(avtab_t *a)
-{
- uint32_t i;
- struct avtab_node *cur;
- for (i = 0; i < a->nslot; i++) {
- for (cur = a->htable[i]; cur; cur = cur->next) {
- if (cur->key.specified & AVTAB_TRANSITION) {
- if (hashtab_nel(cur->datum.trans->name_trans.table))
- return 1;
- }
- }
- }
- return 0;
-}
-
/*
* Write the configuration data in a policy database
* structure to a policy database binary representation
@@ -2608,11 +2381,11 @@ int policydb_write(policydb_t * p, struct policy_file *fp)
if (role_allow_write(p->role_allow, fp))
return POLICYDB_ERROR;
if (p->policyvers >= POLICYDB_VERSION_FILENAME_TRANS) {
- if (avtab_filename_trans_write(p, &p->te_avtab, fp))
+ if (filename_trans_write(p, fp))
return POLICYDB_ERROR;
- } else if (avtab_has_filename_transitions(&p->te_avtab)) {
- WARN(fp->handle,
- "Discarding filename type transition rules");
+ } else {
+ if (p->filename_trans)
+ WARN(fp->handle, "Discarding filename type transition rules");
}
} else {
if (avrule_block_write(p->global, num_syms, p, fp) == -1) {
--
2.41.0
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 8/8] Revert "checkpolicy,libsepol: move transition to separate structure in avtab"
2023-07-26 14:25 [PATCH 0/8] Revert the prefix/suffix filename transition patches James Carter
` (6 preceding siblings ...)
2023-07-26 14:25 ` [PATCH 7/8] Revert "checkpolicy,libsepol: move filename transitions to avtab" James Carter
@ 2023-07-26 14:25 ` James Carter
2023-07-26 15:33 ` [PATCH 0/8] Revert the prefix/suffix filename transition patches Paul Moore
2023-07-26 16:31 ` Petr Lautrbach
9 siblings, 0 replies; 12+ messages in thread
From: James Carter @ 2023-07-26 14:25 UTC (permalink / raw)
To: selinux; +Cc: juraj, James Carter
This reverts commit de708edf527be7e5142e5a9ae09879d58d65f50b.
Signed-off-by: James Carter <jwcart2@gmail.com>
---
checkpolicy/test/dispol.c | 2 +-
libsepol/cil/src/cil_binary.c | 26 +++++---------------
libsepol/include/sepol/policydb/avtab.h | 7 +-----
libsepol/src/avtab.c | 32 +------------------------
libsepol/src/expand.c | 8 ++-----
libsepol/src/kernel_to_cil.c | 3 +--
libsepol/src/kernel_to_conf.c | 3 +--
libsepol/src/optimize.c | 4 ----
libsepol/src/policydb_validate.c | 4 +---
libsepol/src/services.c | 5 +---
libsepol/src/write.c | 17 +++----------
11 files changed, 18 insertions(+), 93 deletions(-)
diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
index e45528b9..b567ce77 100644
--- a/checkpolicy/test/dispol.c
+++ b/checkpolicy/test/dispol.c
@@ -180,7 +180,7 @@ static int render_av_rule(avtab_key_t * key, avtab_datum_t * datum, uint32_t wha
if (key->specified & AVTAB_TRANSITION) {
fprintf(fp, "type_transition ");
render_key(key, p, fp);
- render_type(datum->trans->otype, p, fp);
+ render_type(datum->data, p, fp);
fprintf(fp, ";\n");
}
if (key->specified & AVTAB_MEMBER) {
diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index 3f264594..c4ee2380 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@@ -975,34 +975,28 @@ static int __cil_insert_type_rule(policydb_t *pdb, uint32_t kind, uint32_t src,
int rc = SEPOL_OK;
avtab_key_t avtab_key;
avtab_datum_t avtab_datum;
- avtab_trans_t trans;
avtab_ptr_t existing;
avtab_key.source_type = src;
avtab_key.target_type = tgt;
avtab_key.target_class = obj;
- memset(&avtab_datum, 0, sizeof(avtab_datum_t));
- memset(&trans, 0, sizeof(avtab_trans_t));
-
switch (kind) {
case CIL_TYPE_TRANSITION:
avtab_key.specified = AVTAB_TRANSITION;
- trans.otype = res;
- avtab_datum.trans = &trans;
break;
case CIL_TYPE_CHANGE:
avtab_key.specified = AVTAB_CHANGE;
- avtab_datum.data = res;
break;
case CIL_TYPE_MEMBER:
avtab_key.specified = AVTAB_MEMBER;
- avtab_datum.data = res;
break;
default:
rc = SEPOL_ERR;
goto exit;
}
+
+ avtab_datum.data = res;
existing = avtab_search_node(&pdb->te_avtab, &avtab_key);
if (existing) {
@@ -1010,17 +1004,13 @@ static int __cil_insert_type_rule(policydb_t *pdb, uint32_t kind, uint32_t src,
* A warning should have been previously given if there is a
* non-duplicate rule using the same key.
*/
- uint32_t existing_otype =
- existing->key.specified & AVTAB_TRANSITION
- ? existing->datum.trans->otype
- : existing->datum.data;
- if (existing_otype != res) {
+ if (existing->datum.data != res) {
cil_log(CIL_ERR, "Conflicting type rules (scontext=%s tcontext=%s tclass=%s result=%s), existing=%s\n",
pdb->p_type_val_to_name[src - 1],
pdb->p_type_val_to_name[tgt - 1],
pdb->p_class_val_to_name[obj - 1],
pdb->p_type_val_to_name[res - 1],
- pdb->p_type_val_to_name[existing_otype - 1]);
+ pdb->p_type_val_to_name[existing->datum.data - 1]);
cil_log(CIL_ERR, "Expanded from type rule (scontext=%s tcontext=%s tclass=%s result=%s)\n",
cil_rule->src_str, cil_rule->tgt_str, cil_rule->obj_str, cil_rule->result_str);
rc = SEPOL_ERR;
@@ -1047,17 +1037,13 @@ static int __cil_insert_type_rule(policydb_t *pdb, uint32_t kind, uint32_t src,
search_datum = cil_cond_av_list_search(&avtab_key, other_list);
if (search_datum == NULL) {
- uint32_t existing_otype =
- existing->key.specified & AVTAB_TRANSITION
- ? existing->datum.trans->otype
- : existing->datum.data;
- if (existing_otype != res) {
+ if (existing->datum.data != res) {
cil_log(CIL_ERR, "Conflicting type rules (scontext=%s tcontext=%s tclass=%s result=%s), existing=%s\n",
pdb->p_type_val_to_name[src - 1],
pdb->p_type_val_to_name[tgt - 1],
pdb->p_class_val_to_name[obj - 1],
pdb->p_type_val_to_name[res - 1],
- pdb->p_type_val_to_name[existing_otype - 1]);
+ pdb->p_type_val_to_name[existing->datum.data - 1]);
cil_log(CIL_ERR, "Expanded from type rule (scontext=%s tcontext=%s tclass=%s result=%s)\n",
cil_rule->src_str, cil_rule->tgt_str, cil_rule->obj_str, cil_rule->result_str);
rc = SEPOL_ERR;
diff --git a/libsepol/include/sepol/policydb/avtab.h b/libsepol/include/sepol/policydb/avtab.h
index ca009c16..e4c48576 100644
--- a/libsepol/include/sepol/policydb/avtab.h
+++ b/libsepol/include/sepol/policydb/avtab.h
@@ -70,10 +70,6 @@ typedef struct avtab_key {
uint16_t specified; /* what fields are specified */
} avtab_key_t;
-typedef struct avtab_trans {
- uint32_t otype; /* resulting type of the new object */
-} avtab_trans_t;
-
typedef struct avtab_extended_perms {
#define AVTAB_XPERMS_IOCTLFUNCTION 0x01
@@ -85,8 +81,7 @@ typedef struct avtab_extended_perms {
} avtab_extended_perms_t;
typedef struct avtab_datum {
- uint32_t data; /* access vector, member or change value */
- avtab_trans_t *trans; /* transition value */
+ uint32_t data; /* access vector or type */
avtab_extended_perms_t *xperms;
} avtab_datum_t;
diff --git a/libsepol/src/avtab.c b/libsepol/src/avtab.c
index 4c292e8b..82fec783 100644
--- a/libsepol/src/avtab.c
+++ b/libsepol/src/avtab.c
@@ -94,7 +94,6 @@ avtab_insert_node(avtab_t * h, int hvalue, avtab_ptr_t prev, avtab_key_t * key,
avtab_datum_t * datum)
{
avtab_ptr_t newnode;
- avtab_trans_t *trans;
avtab_extended_perms_t *xperms;
newnode = (avtab_ptr_t) malloc(sizeof(struct avtab_node));
@@ -118,16 +117,6 @@ avtab_insert_node(avtab_t * h, int hvalue, avtab_ptr_t prev, avtab_key_t * key,
* So copy data so it is set in the avtab
*/
newnode->datum.data = datum->data;
- } else if (key->specified & AVTAB_TRANSITION) {
- trans = calloc(1, sizeof(*trans));
- if (trans == NULL) {
- free(newnode);
- return NULL;
- }
- if (datum->trans) /* else caller populates transition */
- *trans = *(datum->trans);
-
- newnode->datum.trans = trans;
} else {
newnode->datum = *datum;
}
@@ -328,8 +317,6 @@ void avtab_destroy(avtab_t * h)
while (cur != NULL) {
if (cur->key.specified & AVTAB_XPERMS) {
free(cur->datum.xperms);
- } else if (cur->key.specified & AVTAB_TRANSITION) {
- free(cur->datum.trans);
}
temp = cur;
cur = cur->next;
@@ -453,7 +440,6 @@ int avtab_read_item(struct policy_file *fp, uint32_t vers, avtab_t * a,
uint32_t buf32[8], items, items2, val;
avtab_key_t key;
avtab_datum_t datum;
- avtab_trans_t trans;
avtab_extended_perms_t xperms;
unsigned set;
unsigned int i;
@@ -461,7 +447,6 @@ int avtab_read_item(struct policy_file *fp, uint32_t vers, avtab_t * a,
memset(&key, 0, sizeof(avtab_key_t));
memset(&datum, 0, sizeof(avtab_datum_t));
- memset(&trans, 0, sizeof(avtab_trans_t));
memset(&xperms, 0, sizeof(avtab_extended_perms_t));
if (vers < POLICYDB_VERSION_AVTAB) {
@@ -524,14 +509,7 @@ int avtab_read_item(struct policy_file *fp, uint32_t vers, avtab_t * a,
return -1;
}
key.specified = spec_order[i] | enabled;
- if (key.specified & AVTAB_TRANSITION) {
- trans.otype =
- le32_to_cpu(buf32[items++]);
- datum.trans = &trans;
- } else {
- datum.data =
- le32_to_cpu(buf32[items++]);
- }
+ datum.data = le32_to_cpu(buf32[items++]);
rc = insertf(a, &key, &datum, p);
if (rc)
return rc;
@@ -593,14 +571,6 @@ int avtab_read_item(struct policy_file *fp, uint32_t vers, avtab_t * a,
for (i = 0; i < ARRAY_SIZE(xperms.perms); i++)
xperms.perms[i] = le32_to_cpu(buf32[i]);
datum.xperms = &xperms;
- } else if (key.specified & AVTAB_TRANSITION) {
- rc = next_entry(buf32, fp, sizeof(uint32_t));
- if (rc < 0) {
- ERR(fp->handle, "truncated entry");
- return -1;
- }
- trans.otype = le32_to_cpu(*buf32);
- datum.trans = &trans;
} else {
rc = next_entry(buf32, fp, sizeof(uint32_t));
if (rc < 0) {
diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index 6793a27d..8795229a 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -1746,7 +1746,7 @@ static int expand_terule_helper(sepol_handle_t * handle,
if (conflict) {
avdatump = &node->datum;
if (specified & AVRULE_TRANSITION) {
- oldtype = avdatump->trans->otype;
+ oldtype = avdatump->data;
} else if (specified & AVRULE_MEMBER) {
oldtype = avdatump->data;
} else if (specified & AVRULE_CHANGE) {
@@ -1789,11 +1789,7 @@ static int expand_terule_helper(sepol_handle_t * handle,
}
avdatump = &node->datum;
- if (specified & AVRULE_TRANSITION) {
- avdatump->trans->otype = remapped_data;
- } else {
- avdatump->data = remapped_data;
- }
+ avdatump->data = remapped_data;
cur = cur->next;
}
diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index 316679cc..8fcc385d 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
@@ -1702,8 +1702,7 @@ static char *xperms_to_str(avtab_extended_perms_t *xperms)
static char *avtab_node_to_str(struct policydb *pdb, avtab_key_t *key, avtab_datum_t *datum)
{
- uint32_t data = key->specified & AVTAB_TRANSITION
- ? datum->trans->otype : datum->data;
+ uint32_t data = datum->data;
type_datum_t *type;
const char *flavor, *tgt;
char *src, *class, *perms, *new;
diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
index aa161b08..b0ae16d9 100644
--- a/libsepol/src/kernel_to_conf.c
+++ b/libsepol/src/kernel_to_conf.c
@@ -1680,8 +1680,7 @@ exit:
static char *avtab_node_to_str(struct policydb *pdb, avtab_key_t *key, avtab_datum_t *datum)
{
- uint32_t data = key->specified & AVTAB_TRANSITION
- ? datum->trans->otype : datum->data;
+ uint32_t data = datum->data;
type_datum_t *type;
const char *flavor, *src, *tgt, *class, *perms, *new;
char *rule = NULL;
diff --git a/libsepol/src/optimize.c b/libsepol/src/optimize.c
index 2d4a2d7a..a38025ec 100644
--- a/libsepol/src/optimize.c
+++ b/libsepol/src/optimize.c
@@ -308,8 +308,6 @@ static void optimize_avtab(policydb_t *p, const struct type_vec *type_map)
*cur = tmp->next;
if (tmp->key.specified & AVTAB_XPERMS)
free(tmp->datum.xperms);
- if (tmp->key.specified & AVTAB_TRANSITION)
- free(tmp->datum.trans);
free(tmp);
tab->nel--;
@@ -429,8 +427,6 @@ static void optimize_cond_avtab(policydb_t *p, const struct type_vec *type_map)
*cur = tmp->next;
if (tmp->key.specified & AVTAB_XPERMS)
free(tmp->datum.xperms);
- if (tmp->key.specified & AVTAB_TRANSITION)
- free(tmp->datum.trans);
free(tmp);
tab->nel--;
diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
index f402b506..3540f34a 100644
--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@@ -836,9 +836,7 @@ static int validate_avtab_key_and_datum(avtab_key_t *k, avtab_datum_t *d, void *
if (validate_avtab_key(k, 0, margs->policy, margs->flavors))
return -1;
- uint32_t otype = k->specified & AVTAB_TRANSITION
- ? d->trans->otype : d->data;
- if ((k->specified & AVTAB_TYPE) && validate_simpletype(otype, margs->policy, margs->flavors))
+ if ((k->specified & AVTAB_TYPE) && validate_simpletype(d->data, margs->policy, margs->flavors))
return -1;
if ((k->specified & AVTAB_XPERMS) && validate_xperms(d->xperms))
diff --git a/libsepol/src/services.c b/libsepol/src/services.c
index 6bddc287..07ae051b 100644
--- a/libsepol/src/services.c
+++ b/libsepol/src/services.c
@@ -1423,10 +1423,7 @@ static int sepol_compute_sid(sepol_security_id_t ssid,
if (avdatum) {
/* Use the type from the type transition/member/change rule. */
- if (specified & AVTAB_TRANSITION)
- newcontext.type = avdatum->trans->otype;
- else
- newcontext.type = avdatum->data;
+ newcontext.type = avdatum->data;
}
/* Check for class-specific changes. */
diff --git a/libsepol/src/write.c b/libsepol/src/write.c
index 0d3d5f14..024fe628 100644
--- a/libsepol/src/write.c
+++ b/libsepol/src/write.c
@@ -190,20 +190,14 @@ static int avtab_write_item(policydb_t * p,
ERR(fp->handle, "missing node");
return POLICYDB_ERROR;
}
- uint32_t data =
- node->key.specified & AVTAB_TRANSITION
- ? node->datum.trans->otype
- : node->datum.data;
- buf32[items++] = cpu_to_le32(data);
+ buf32[items++] =
+ cpu_to_le32(node->datum.data);
set--;
node->merged = 1;
}
}
} else {
- uint32_t data = cur->key.specified & AVTAB_TRANSITION
- ? cur->datum.trans->otype
- : cur->datum.data;
- buf32[items++] = cpu_to_le32(data);
+ buf32[items++] = cpu_to_le32(cur->datum.data);
cur->merged = 1;
set--;
}
@@ -262,11 +256,6 @@ static int avtab_write_item(policydb_t * p,
items = put_entry(buf32, sizeof(uint32_t),8,fp);
if (items != 8)
return POLICYDB_ERROR;
- } else if (cur->key.specified & AVTAB_TRANSITION) {
- buf32[0] = cpu_to_le32(cur->datum.trans->otype);
- items = put_entry(buf32, sizeof(uint32_t), 1, fp);
- if (items != 1)
- return POLICYDB_ERROR;
} else {
buf32[0] = cpu_to_le32(cur->datum.data);
items = put_entry(buf32, sizeof(uint32_t), 1, fp);
--
2.41.0
^ permalink raw reply related [flat|nested] 12+ messages in thread
* Re: [PATCH 0/8] Revert the prefix/suffix filename transition patches
2023-07-26 14:25 [PATCH 0/8] Revert the prefix/suffix filename transition patches James Carter
` (7 preceding siblings ...)
2023-07-26 14:25 ` [PATCH 8/8] Revert "checkpolicy,libsepol: move transition to separate structure in avtab" James Carter
@ 2023-07-26 15:33 ` Paul Moore
2023-07-26 16:31 ` Petr Lautrbach
9 siblings, 0 replies; 12+ messages in thread
From: Paul Moore @ 2023-07-26 15:33 UTC (permalink / raw)
To: James Carter; +Cc: selinux, juraj
On Wed, Jul 26, 2023 at 10:25 AM James Carter <jwcart2@gmail.com> wrote:
>
> Since the kernel patches have not been accepted yet, it seems better to
> revert these patches while they can still be cleanly reverted just in
> case the kernel patches are not accepted.
>
> If the kernel patches get accepted, then I will re-apply these patches.
Thanks James, I think this is the smart move.
--
paul-moore.com
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH 0/8] Revert the prefix/suffix filename transition patches
2023-07-26 14:25 [PATCH 0/8] Revert the prefix/suffix filename transition patches James Carter
` (8 preceding siblings ...)
2023-07-26 15:33 ` [PATCH 0/8] Revert the prefix/suffix filename transition patches Paul Moore
@ 2023-07-26 16:31 ` Petr Lautrbach
2023-08-04 18:34 ` James Carter
9 siblings, 1 reply; 12+ messages in thread
From: Petr Lautrbach @ 2023-07-26 16:31 UTC (permalink / raw)
To: James Carter, selinux; +Cc: juraj, James Carter
James Carter <jwcart2@gmail.com> writes:
> Since the kernel patches have not been accepted yet, it seems better to
> revert these patches while they can still be cleanly reverted just in
> case the kernel patches are not accepted.
>
> If the kernel patches get accepted, then I will re-apply these patches.
>
> I should have waited for the kernel patches to be accepted before committing
> these in the first place.
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
> James Carter (8):
> Revert "libsepol/cil: add support for prefix/suffix filename
> transtions to CIL"
> Revert "checkpolicy,libsepol: add prefix/suffix support to module
> policy"
> Revert "checkpolicy,libsepol: add prefix/suffix support to kernel
> policy"
> Revert "libsepol: implement new module binary format of avrule"
> Revert "libsepol: implement new kernel binary format for avtab"
> Revert "checkpolicy,libsepol: move filename transition rules to
> avrule"
> Revert "checkpolicy,libsepol: move filename transitions to avtab"
> Revert "checkpolicy,libsepol: move transition to separate structure in
> avtab"
>
> checkpolicy/checkmodule.c | 9 -
> checkpolicy/module_compiler.c | 12 +
> checkpolicy/module_compiler.h | 1 +
> checkpolicy/policy_define.c | 211 +++++-
> checkpolicy/policy_define.h | 3 +-
> checkpolicy/policy_parse.y | 13 +-
> checkpolicy/policy_scan.l | 4 -
> checkpolicy/test/dismod.c | 39 +-
> checkpolicy/test/dispol.c | 106 ++-
> libsepol/cil/src/cil.c | 6 -
> libsepol/cil/src/cil_binary.c | 63 +-
> libsepol/cil/src/cil_build_ast.c | 26 +-
> libsepol/cil/src/cil_copy_ast.c | 1 -
> libsepol/cil/src/cil_internal.h | 4 -
> libsepol/cil/src/cil_policy.c | 17 +-
> libsepol/cil/src/cil_resolve_ast.c | 10 -
> libsepol/cil/src/cil_write_ast.c | 2 -
> libsepol/include/sepol/policydb/avtab.h | 19 +-
> libsepol/include/sepol/policydb/hashtab.h | 8 -
> libsepol/include/sepol/policydb/policydb.h | 50 +-
> libsepol/src/avrule_block.c | 1 +
> libsepol/src/avtab.c | 338 +---------
> libsepol/src/conditional.c | 6 +-
> libsepol/src/expand.c | 153 +++--
> libsepol/src/kernel_to_cil.c | 182 +++--
> libsepol/src/kernel_to_common.h | 10 -
> libsepol/src/kernel_to_conf.c | 178 +++--
> libsepol/src/link.c | 57 +-
> libsepol/src/module_to_cil.c | 86 ++-
> libsepol/src/optimize.c | 8 -
> libsepol/src/policydb.c | 479 +++++++++++---
> libsepol/src/policydb_validate.c | 101 ++-
> libsepol/src/services.c | 5 +-
> libsepol/src/write.c | 735 +++++----------------
> 34 files changed, 1390 insertions(+), 1553 deletions(-)
>
> --
> 2.41.0
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH 0/8] Revert the prefix/suffix filename transition patches
2023-07-26 16:31 ` Petr Lautrbach
@ 2023-08-04 18:34 ` James Carter
0 siblings, 0 replies; 12+ messages in thread
From: James Carter @ 2023-08-04 18:34 UTC (permalink / raw)
To: Petr Lautrbach; +Cc: selinux, juraj
On Wed, Jul 26, 2023 at 12:31 PM Petr Lautrbach <lautrbach@redhat.com> wrote:
>
> James Carter <jwcart2@gmail.com> writes:
>
> > Since the kernel patches have not been accepted yet, it seems better to
> > revert these patches while they can still be cleanly reverted just in
> > case the kernel patches are not accepted.
> >
> > If the kernel patches get accepted, then I will re-apply these patches.
> >
> > I should have waited for the kernel patches to be accepted before committing
> > these in the first place.
>
> Acked-by: Petr Lautrbach <lautrbach@redhat.com>
>
This series has been merged. I am eagerly awaiting the new and improved version.
Jim
>
> > James Carter (8):
> > Revert "libsepol/cil: add support for prefix/suffix filename
> > transtions to CIL"
> > Revert "checkpolicy,libsepol: add prefix/suffix support to module
> > policy"
> > Revert "checkpolicy,libsepol: add prefix/suffix support to kernel
> > policy"
> > Revert "libsepol: implement new module binary format of avrule"
> > Revert "libsepol: implement new kernel binary format for avtab"
> > Revert "checkpolicy,libsepol: move filename transition rules to
> > avrule"
> > Revert "checkpolicy,libsepol: move filename transitions to avtab"
> > Revert "checkpolicy,libsepol: move transition to separate structure in
> > avtab"
> >
> > checkpolicy/checkmodule.c | 9 -
> > checkpolicy/module_compiler.c | 12 +
> > checkpolicy/module_compiler.h | 1 +
> > checkpolicy/policy_define.c | 211 +++++-
> > checkpolicy/policy_define.h | 3 +-
> > checkpolicy/policy_parse.y | 13 +-
> > checkpolicy/policy_scan.l | 4 -
> > checkpolicy/test/dismod.c | 39 +-
> > checkpolicy/test/dispol.c | 106 ++-
> > libsepol/cil/src/cil.c | 6 -
> > libsepol/cil/src/cil_binary.c | 63 +-
> > libsepol/cil/src/cil_build_ast.c | 26 +-
> > libsepol/cil/src/cil_copy_ast.c | 1 -
> > libsepol/cil/src/cil_internal.h | 4 -
> > libsepol/cil/src/cil_policy.c | 17 +-
> > libsepol/cil/src/cil_resolve_ast.c | 10 -
> > libsepol/cil/src/cil_write_ast.c | 2 -
> > libsepol/include/sepol/policydb/avtab.h | 19 +-
> > libsepol/include/sepol/policydb/hashtab.h | 8 -
> > libsepol/include/sepol/policydb/policydb.h | 50 +-
> > libsepol/src/avrule_block.c | 1 +
> > libsepol/src/avtab.c | 338 +---------
> > libsepol/src/conditional.c | 6 +-
> > libsepol/src/expand.c | 153 +++--
> > libsepol/src/kernel_to_cil.c | 182 +++--
> > libsepol/src/kernel_to_common.h | 10 -
> > libsepol/src/kernel_to_conf.c | 178 +++--
> > libsepol/src/link.c | 57 +-
> > libsepol/src/module_to_cil.c | 86 ++-
> > libsepol/src/optimize.c | 8 -
> > libsepol/src/policydb.c | 479 +++++++++++---
> > libsepol/src/policydb_validate.c | 101 ++-
> > libsepol/src/services.c | 5 +-
> > libsepol/src/write.c | 735 +++++----------------
> > 34 files changed, 1390 insertions(+), 1553 deletions(-)
> >
> > --
> > 2.41.0
>
^ permalink raw reply [flat|nested] 12+ messages in thread
end of thread, other threads:[~2023-08-04 18:36 UTC | newest]
Thread overview: 12+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-07-26 14:25 [PATCH 0/8] Revert the prefix/suffix filename transition patches James Carter
2023-07-26 14:25 ` [PATCH 1/8] Revert "libsepol/cil: add support for prefix/suffix filename transtions to CIL" James Carter
2023-07-26 14:25 ` [PATCH 2/8] Revert "checkpolicy,libsepol: add prefix/suffix support to module policy" James Carter
2023-07-26 14:25 ` [PATCH 3/8] Revert "checkpolicy,libsepol: add prefix/suffix support to kernel policy" James Carter
2023-07-26 14:25 ` [PATCH 4/8] Revert "libsepol: implement new module binary format of avrule" James Carter
2023-07-26 14:25 ` [PATCH 5/8] Revert "libsepol: implement new kernel binary format for avtab" James Carter
2023-07-26 14:25 ` [PATCH 6/8] Revert "checkpolicy,libsepol: move filename transition rules to avrule" James Carter
2023-07-26 14:25 ` [PATCH 7/8] Revert "checkpolicy,libsepol: move filename transitions to avtab" James Carter
2023-07-26 14:25 ` [PATCH 8/8] Revert "checkpolicy,libsepol: move transition to separate structure in avtab" James Carter
2023-07-26 15:33 ` [PATCH 0/8] Revert the prefix/suffix filename transition patches Paul Moore
2023-07-26 16:31 ` Petr Lautrbach
2023-08-04 18:34 ` James Carter
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.