^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1) // SPDX-License-Identifier: GPL-2.0-only
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2) /* Authors: Karl MacMillan <kmacmillan@tresys.com>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3) * Frank Mayer <mayerf@tresys.com>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5) * Copyright (C) 2003 - 2004 Tresys Technology, LLC
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 7)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 8) #include <linux/kernel.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 9) #include <linux/errno.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10) #include <linux/string.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 11) #include <linux/spinlock.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 12) #include <linux/slab.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14) #include "security.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 15) #include "conditional.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 16) #include "services.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 17)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 18) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 19) * cond_evaluate_expr evaluates a conditional expr
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 20) * in reverse polish notation. It returns true (1), false (0),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 21) * or undefined (-1). Undefined occurs when the expression
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 22) * exceeds the stack depth of COND_EXPR_MAXDEPTH.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 23) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 24) static int cond_evaluate_expr(struct policydb *p, struct cond_expr *expr)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 25) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 26) u32 i;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 27) int s[COND_EXPR_MAXDEPTH];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 28) int sp = -1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 29)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 30) if (expr->len == 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 31) return -1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 32)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 33) for (i = 0; i < expr->len; i++) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 34) struct cond_expr_node *node = &expr->nodes[i];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 35)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 36) switch (node->expr_type) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 37) case COND_BOOL:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 38) if (sp == (COND_EXPR_MAXDEPTH - 1))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 39) return -1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 40) sp++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 41) s[sp] = p->bool_val_to_struct[node->bool - 1]->state;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 42) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 43) case COND_NOT:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 44) if (sp < 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 45) return -1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 46) s[sp] = !s[sp];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 47) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 48) case COND_OR:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 49) if (sp < 1)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 50) return -1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 51) sp--;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 52) s[sp] |= s[sp + 1];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 53) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 54) case COND_AND:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 55) if (sp < 1)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 56) return -1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 57) sp--;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 58) s[sp] &= s[sp + 1];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 59) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 60) case COND_XOR:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 61) if (sp < 1)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 62) return -1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 63) sp--;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 64) s[sp] ^= s[sp + 1];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 65) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 66) case COND_EQ:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 67) if (sp < 1)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 68) return -1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 69) sp--;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 70) s[sp] = (s[sp] == s[sp + 1]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 71) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 72) case COND_NEQ:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 73) if (sp < 1)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 74) return -1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 75) sp--;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 76) s[sp] = (s[sp] != s[sp + 1]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 77) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 78) default:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 79) return -1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 80) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 81) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 82) return s[0];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 83) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 84)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 85) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 86) * evaluate_cond_node evaluates the conditional stored in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 87) * a struct cond_node and if the result is different than the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 88) * current state of the node it sets the rules in the true/false
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 89) * list appropriately. If the result of the expression is undefined
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 90) * all of the rules are disabled for safety.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 91) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 92) static void evaluate_cond_node(struct policydb *p, struct cond_node *node)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 93) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 94) struct avtab_node *avnode;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 95) int new_state;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 96) u32 i;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 97)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 98) new_state = cond_evaluate_expr(p, &node->expr);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 99) if (new_state != node->cur_state) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 100) node->cur_state = new_state;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 101) if (new_state == -1)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 102) pr_err("SELinux: expression result was undefined - disabling all rules.\n");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 103) /* turn the rules on or off */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 104) for (i = 0; i < node->true_list.len; i++) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 105) avnode = node->true_list.nodes[i];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 106) if (new_state <= 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 107) avnode->key.specified &= ~AVTAB_ENABLED;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 108) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 109) avnode->key.specified |= AVTAB_ENABLED;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 110) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 111)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 112) for (i = 0; i < node->false_list.len; i++) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 113) avnode = node->false_list.nodes[i];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 114) /* -1 or 1 */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 115) if (new_state)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 116) avnode->key.specified &= ~AVTAB_ENABLED;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 117) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 118) avnode->key.specified |= AVTAB_ENABLED;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 119) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 120) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 121) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 122)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 123) void evaluate_cond_nodes(struct policydb *p)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 124) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 125) u32 i;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 126)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 127) for (i = 0; i < p->cond_list_len; i++)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 128) evaluate_cond_node(p, &p->cond_list[i]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 129) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 130)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 131) void cond_policydb_init(struct policydb *p)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 132) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 133) p->bool_val_to_struct = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 134) p->cond_list = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 135) p->cond_list_len = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 136)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 137) avtab_init(&p->te_cond_avtab);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 138) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 139)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 140) static void cond_node_destroy(struct cond_node *node)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 141) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 142) kfree(node->expr.nodes);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 143) /* the avtab_ptr_t nodes are destroyed by the avtab */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 144) kfree(node->true_list.nodes);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 145) kfree(node->false_list.nodes);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 146) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 147)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 148) static void cond_list_destroy(struct policydb *p)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 149) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 150) u32 i;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 151)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 152) for (i = 0; i < p->cond_list_len; i++)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 153) cond_node_destroy(&p->cond_list[i]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 154) kfree(p->cond_list);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 155) p->cond_list = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 156) p->cond_list_len = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 157) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 158)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 159) void cond_policydb_destroy(struct policydb *p)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 160) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 161) kfree(p->bool_val_to_struct);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 162) avtab_destroy(&p->te_cond_avtab);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 163) cond_list_destroy(p);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 164) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 165)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 166) int cond_init_bool_indexes(struct policydb *p)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 167) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 168) kfree(p->bool_val_to_struct);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 169) p->bool_val_to_struct = kmalloc_array(p->p_bools.nprim,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 170) sizeof(*p->bool_val_to_struct),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 171) GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 172) if (!p->bool_val_to_struct)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 173) return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 174) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 175) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 176)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 177) int cond_destroy_bool(void *key, void *datum, void *p)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 178) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 179) kfree(key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 180) kfree(datum);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 181) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 182) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 183)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 184) int cond_index_bool(void *key, void *datum, void *datap)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 185) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 186) struct policydb *p;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 187) struct cond_bool_datum *booldatum;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 188)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 189) booldatum = datum;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 190) p = datap;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 191)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 192) if (!booldatum->value || booldatum->value > p->p_bools.nprim)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 193) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 194)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 195) p->sym_val_to_name[SYM_BOOLS][booldatum->value - 1] = key;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 196) p->bool_val_to_struct[booldatum->value - 1] = booldatum;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 197)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 198) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 199) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 200)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 201) static int bool_isvalid(struct cond_bool_datum *b)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 202) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 203) if (!(b->state == 0 || b->state == 1))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 204) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 205) return 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 206) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 207)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 208) int cond_read_bool(struct policydb *p, struct symtab *s, void *fp)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 209) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 210) char *key = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 211) struct cond_bool_datum *booldatum;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 212) __le32 buf[3];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 213) u32 len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 214) int rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 215)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 216) booldatum = kzalloc(sizeof(*booldatum), GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 217) if (!booldatum)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 218) return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 219)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 220) rc = next_entry(buf, fp, sizeof(buf));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 221) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 222) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 223)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 224) booldatum->value = le32_to_cpu(buf[0]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 225) booldatum->state = le32_to_cpu(buf[1]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 226)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 227) rc = -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 228) if (!bool_isvalid(booldatum))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 229) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 230)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 231) len = le32_to_cpu(buf[2]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 232) if (((len == 0) || (len == (u32)-1)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 233) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 234)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 235) rc = -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 236) key = kmalloc(len + 1, GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 237) if (!key)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 238) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 239) rc = next_entry(key, fp, len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 240) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 241) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 242) key[len] = '\0';
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 243) rc = symtab_insert(s, key, booldatum);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 244) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 245) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 246)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 247) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 248) err:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 249) cond_destroy_bool(key, booldatum, NULL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 250) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 251) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 252)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 253) struct cond_insertf_data {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 254) struct policydb *p;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 255) struct avtab_node **dst;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 256) struct cond_av_list *other;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 257) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 258)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 259) static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum *d, void *ptr)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 260) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 261) struct cond_insertf_data *data = ptr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 262) struct policydb *p = data->p;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 263) struct cond_av_list *other = data->other;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 264) struct avtab_node *node_ptr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 265) u32 i;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 266) bool found;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 267)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 268) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 269) * For type rules we have to make certain there aren't any
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 270) * conflicting rules by searching the te_avtab and the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 271) * cond_te_avtab.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 272) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 273) if (k->specified & AVTAB_TYPE) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 274) if (avtab_search(&p->te_avtab, k)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 275) pr_err("SELinux: type rule already exists outside of a conditional.\n");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 276) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 277) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 278) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 279) * If we are reading the false list other will be a pointer to
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 280) * the true list. We can have duplicate entries if there is only
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 281) * 1 other entry and it is in our true list.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 282) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 283) * If we are reading the true list (other == NULL) there shouldn't
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 284) * be any other entries.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 285) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 286) if (other) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 287) node_ptr = avtab_search_node(&p->te_cond_avtab, k);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 288) if (node_ptr) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 289) if (avtab_search_node_next(node_ptr, k->specified)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 290) pr_err("SELinux: too many conflicting type rules.\n");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 291) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 292) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 293) found = false;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 294) for (i = 0; i < other->len; i++) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 295) if (other->nodes[i] == node_ptr) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 296) found = true;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 297) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 298) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 299) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 300) if (!found) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 301) pr_err("SELinux: conflicting type rules.\n");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 302) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 303) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 304) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 305) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 306) if (avtab_search(&p->te_cond_avtab, k)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 307) pr_err("SELinux: conflicting type rules when adding type rule for true.\n");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 308) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 309) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 310) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 311) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 312)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 313) node_ptr = avtab_insert_nonunique(&p->te_cond_avtab, k, d);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 314) if (!node_ptr) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 315) pr_err("SELinux: could not insert rule.\n");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 316) return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 317) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 318)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 319) *data->dst = node_ptr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 320) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 321) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 322)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 323) static int cond_read_av_list(struct policydb *p, void *fp,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 324) struct cond_av_list *list,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 325) struct cond_av_list *other)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 326) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 327) int rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 328) __le32 buf[1];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 329) u32 i, len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 330) struct cond_insertf_data data;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 331)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 332) rc = next_entry(buf, fp, sizeof(u32));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 333) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 334) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 335)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 336) len = le32_to_cpu(buf[0]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 337) if (len == 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 338) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 339)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 340) list->nodes = kcalloc(len, sizeof(*list->nodes), GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 341) if (!list->nodes)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 342) return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 343)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 344) data.p = p;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 345) data.other = other;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 346) for (i = 0; i < len; i++) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 347) data.dst = &list->nodes[i];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 348) rc = avtab_read_item(&p->te_cond_avtab, fp, p, cond_insertf,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 349) &data);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 350) if (rc) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 351) kfree(list->nodes);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 352) list->nodes = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 353) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 354) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 355) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 356)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 357) list->len = len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 358) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 359) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 360)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 361) static int expr_node_isvalid(struct policydb *p, struct cond_expr_node *expr)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 362) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 363) if (expr->expr_type <= 0 || expr->expr_type > COND_LAST) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 364) pr_err("SELinux: conditional expressions uses unknown operator.\n");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 365) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 366) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 367)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 368) if (expr->bool > p->p_bools.nprim) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 369) pr_err("SELinux: conditional expressions uses unknown bool.\n");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 370) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 371) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 372) return 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 373) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 374)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 375) static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 376) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 377) __le32 buf[2];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 378) u32 i, len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 379) int rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 380)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 381) rc = next_entry(buf, fp, sizeof(u32) * 2);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 382) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 383) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 384)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 385) node->cur_state = le32_to_cpu(buf[0]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 386)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 387) /* expr */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 388) len = le32_to_cpu(buf[1]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 389) node->expr.nodes = kcalloc(len, sizeof(*node->expr.nodes), GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 390) if (!node->expr.nodes)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 391) return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 392)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 393) node->expr.len = len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 394)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 395) for (i = 0; i < len; i++) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 396) struct cond_expr_node *expr = &node->expr.nodes[i];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 397)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 398) rc = next_entry(buf, fp, sizeof(u32) * 2);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 399) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 400) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 401)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 402) expr->expr_type = le32_to_cpu(buf[0]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 403) expr->bool = le32_to_cpu(buf[1]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 404)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 405) if (!expr_node_isvalid(p, expr))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 406) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 407) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 408)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 409) rc = cond_read_av_list(p, fp, &node->true_list, NULL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 410) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 411) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 412) return cond_read_av_list(p, fp, &node->false_list, &node->true_list);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 413) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 414)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 415) int cond_read_list(struct policydb *p, void *fp)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 416) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 417) __le32 buf[1];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 418) u32 i, len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 419) int rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 420)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 421) rc = next_entry(buf, fp, sizeof(buf));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 422) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 423) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 424)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 425) len = le32_to_cpu(buf[0]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 426)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 427) p->cond_list = kcalloc(len, sizeof(*p->cond_list), GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 428) if (!p->cond_list)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 429) return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 430)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 431) rc = avtab_alloc(&(p->te_cond_avtab), p->te_avtab.nel);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 432) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 433) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 434)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 435) p->cond_list_len = len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 436)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 437) for (i = 0; i < len; i++) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 438) rc = cond_read_node(p, &p->cond_list[i], fp);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 439) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 440) goto err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 441) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 442) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 443) err:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 444) cond_list_destroy(p);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 445) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 446) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 447)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 448) int cond_write_bool(void *vkey, void *datum, void *ptr)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 449) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 450) char *key = vkey;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 451) struct cond_bool_datum *booldatum = datum;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 452) struct policy_data *pd = ptr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 453) void *fp = pd->fp;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 454) __le32 buf[3];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 455) u32 len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 456) int rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 457)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 458) len = strlen(key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 459) buf[0] = cpu_to_le32(booldatum->value);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 460) buf[1] = cpu_to_le32(booldatum->state);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 461) buf[2] = cpu_to_le32(len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 462) rc = put_entry(buf, sizeof(u32), 3, fp);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 463) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 464) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 465) rc = put_entry(key, 1, len, fp);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 466) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 467) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 468) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 469) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 470)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 471) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 472) * cond_write_cond_av_list doesn't write out the av_list nodes.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 473) * Instead it writes out the key/value pairs from the avtab. This
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 474) * is necessary because there is no way to uniquely identifying rules
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 475) * in the avtab so it is not possible to associate individual rules
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 476) * in the avtab with a conditional without saving them as part of
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 477) * the conditional. This means that the avtab with the conditional
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 478) * rules will not be saved but will be rebuilt on policy load.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 479) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 480) static int cond_write_av_list(struct policydb *p,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 481) struct cond_av_list *list, struct policy_file *fp)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 482) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 483) __le32 buf[1];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 484) u32 i;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 485) int rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 486)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 487) buf[0] = cpu_to_le32(list->len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 488) rc = put_entry(buf, sizeof(u32), 1, fp);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 489) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 490) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 491)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 492) for (i = 0; i < list->len; i++) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 493) rc = avtab_write_item(p, list->nodes[i], fp);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 494) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 495) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 496) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 497)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 498) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 499) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 500)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 501) static int cond_write_node(struct policydb *p, struct cond_node *node,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 502) struct policy_file *fp)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 503) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 504) __le32 buf[2];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 505) int rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 506) u32 i;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 507)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 508) buf[0] = cpu_to_le32(node->cur_state);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 509) rc = put_entry(buf, sizeof(u32), 1, fp);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 510) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 511) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 512)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 513) buf[0] = cpu_to_le32(node->expr.len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 514) rc = put_entry(buf, sizeof(u32), 1, fp);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 515) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 516) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 517)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 518) for (i = 0; i < node->expr.len; i++) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 519) buf[0] = cpu_to_le32(node->expr.nodes[i].expr_type);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 520) buf[1] = cpu_to_le32(node->expr.nodes[i].bool);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 521) rc = put_entry(buf, sizeof(u32), 2, fp);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 522) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 523) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 524) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 525)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 526) rc = cond_write_av_list(p, &node->true_list, fp);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 527) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 528) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 529) rc = cond_write_av_list(p, &node->false_list, fp);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 530) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 531) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 532)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 533) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 534) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 535)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 536) int cond_write_list(struct policydb *p, void *fp)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 537) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 538) u32 i;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 539) __le32 buf[1];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 540) int rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 541)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 542) buf[0] = cpu_to_le32(p->cond_list_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 543) rc = put_entry(buf, sizeof(u32), 1, fp);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 544) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 545) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 546)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 547) for (i = 0; i < p->cond_list_len; i++) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 548) rc = cond_write_node(p, &p->cond_list[i], fp);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 549) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 550) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 551) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 552)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 553) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 554) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 555)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 556) void cond_compute_xperms(struct avtab *ctab, struct avtab_key *key,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 557) struct extended_perms_decision *xpermd)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 558) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 559) struct avtab_node *node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 560)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 561) if (!ctab || !key || !xpermd)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 562) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 563)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 564) for (node = avtab_search_node(ctab, key); node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 565) node = avtab_search_node_next(node, key->specified)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 566) if (node->key.specified & AVTAB_ENABLED)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 567) services_compute_xperms_decision(xpermd, node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 568) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 569) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 570)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 571) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 572) /* Determine whether additional permissions are granted by the conditional
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 573) * av table, and if so, add them to the result
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 574) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 575) void cond_compute_av(struct avtab *ctab, struct avtab_key *key,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 576) struct av_decision *avd, struct extended_perms *xperms)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 577) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 578) struct avtab_node *node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 579)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 580) if (!ctab || !key || !avd)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 581) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 582)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 583) for (node = avtab_search_node(ctab, key); node;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 584) node = avtab_search_node_next(node, key->specified)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 585) if ((u16)(AVTAB_ALLOWED|AVTAB_ENABLED) ==
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 586) (node->key.specified & (AVTAB_ALLOWED|AVTAB_ENABLED)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 587) avd->allowed |= node->datum.u.data;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 588) if ((u16)(AVTAB_AUDITDENY|AVTAB_ENABLED) ==
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 589) (node->key.specified & (AVTAB_AUDITDENY|AVTAB_ENABLED)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 590) /* Since a '0' in an auditdeny mask represents a
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 591) * permission we do NOT want to audit (dontaudit), we use
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 592) * the '&' operand to ensure that all '0's in the mask
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 593) * are retained (much unlike the allow and auditallow cases).
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 594) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 595) avd->auditdeny &= node->datum.u.data;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 596) if ((u16)(AVTAB_AUDITALLOW|AVTAB_ENABLED) ==
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 597) (node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 598) avd->auditallow |= node->datum.u.data;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 599) if (xperms && (node->key.specified & AVTAB_ENABLED) &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 600) (node->key.specified & AVTAB_XPERMS))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 601) services_compute_xperms_drivers(xperms, node);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 602) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 603) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 604)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 605) static int cond_dup_av_list(struct cond_av_list *new,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 606) struct cond_av_list *orig,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 607) struct avtab *avtab)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 608) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 609) u32 i;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 610)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 611) memset(new, 0, sizeof(*new));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 612)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 613) new->nodes = kcalloc(orig->len, sizeof(*new->nodes), GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 614) if (!new->nodes)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 615) return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 616)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 617) for (i = 0; i < orig->len; i++) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 618) new->nodes[i] = avtab_insert_nonunique(avtab,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 619) &orig->nodes[i]->key,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 620) &orig->nodes[i]->datum);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 621) if (!new->nodes[i])
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 622) return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 623) new->len++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 624) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 625)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 626) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 627) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 628)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 629) static int duplicate_policydb_cond_list(struct policydb *newp,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 630) struct policydb *origp)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 631) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 632) int rc, i, j;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 633)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 634) rc = avtab_alloc_dup(&newp->te_cond_avtab, &origp->te_cond_avtab);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 635) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 636) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 637)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 638) newp->cond_list_len = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 639) newp->cond_list = kcalloc(origp->cond_list_len,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 640) sizeof(*newp->cond_list),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 641) GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 642) if (!newp->cond_list)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 643) goto error;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 644)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 645) for (i = 0; i < origp->cond_list_len; i++) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 646) struct cond_node *newn = &newp->cond_list[i];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 647) struct cond_node *orign = &origp->cond_list[i];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 648)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 649) newp->cond_list_len++;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 650)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 651) newn->cur_state = orign->cur_state;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 652) newn->expr.nodes = kcalloc(orign->expr.len,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 653) sizeof(*newn->expr.nodes), GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 654) if (!newn->expr.nodes)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 655) goto error;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 656) for (j = 0; j < orign->expr.len; j++)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 657) newn->expr.nodes[j] = orign->expr.nodes[j];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 658) newn->expr.len = orign->expr.len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 659)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 660) rc = cond_dup_av_list(&newn->true_list, &orign->true_list,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 661) &newp->te_cond_avtab);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 662) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 663) goto error;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 664)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 665) rc = cond_dup_av_list(&newn->false_list, &orign->false_list,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 666) &newp->te_cond_avtab);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 667) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 668) goto error;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 669) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 670)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 671) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 672)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 673) error:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 674) avtab_destroy(&newp->te_cond_avtab);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 675) cond_list_destroy(newp);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 676) return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 677) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 678)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 679) static int cond_bools_destroy(void *key, void *datum, void *args)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 680) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 681) /* key was not copied so no need to free here */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 682) kfree(datum);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 683) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 684) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 685)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 686) static int cond_bools_copy(struct hashtab_node *new, struct hashtab_node *orig, void *args)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 687) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 688) struct cond_bool_datum *datum;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 689)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 690) datum = kmemdup(orig->datum, sizeof(struct cond_bool_datum),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 691) GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 692) if (!datum)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 693) return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 694)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 695) new->key = orig->key; /* No need to copy, never modified */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 696) new->datum = datum;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 697) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 698) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 699)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 700) static int cond_bools_index(void *key, void *datum, void *args)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 701) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 702) struct cond_bool_datum *booldatum, **cond_bool_array;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 703)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 704) booldatum = datum;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 705) cond_bool_array = args;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 706) cond_bool_array[booldatum->value - 1] = booldatum;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 707)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 708) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 709) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 710)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 711) static int duplicate_policydb_bools(struct policydb *newdb,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 712) struct policydb *orig)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 713) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 714) struct cond_bool_datum **cond_bool_array;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 715) int rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 716)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 717) cond_bool_array = kmalloc_array(orig->p_bools.nprim,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 718) sizeof(*orig->bool_val_to_struct),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 719) GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 720) if (!cond_bool_array)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 721) return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 722)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 723) rc = hashtab_duplicate(&newdb->p_bools.table, &orig->p_bools.table,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 724) cond_bools_copy, cond_bools_destroy, NULL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 725) if (rc) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 726) kfree(cond_bool_array);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 727) return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 728) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 729)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 730) hashtab_map(&newdb->p_bools.table, cond_bools_index, cond_bool_array);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 731) newdb->bool_val_to_struct = cond_bool_array;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 732)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 733) newdb->p_bools.nprim = orig->p_bools.nprim;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 734)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 735) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 736) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 737)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 738) void cond_policydb_destroy_dup(struct policydb *p)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 739) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 740) hashtab_map(&p->p_bools.table, cond_bools_destroy, NULL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 741) hashtab_destroy(&p->p_bools.table);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 742) cond_policydb_destroy(p);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 743) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 744)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 745) int cond_policydb_dup(struct policydb *new, struct policydb *orig)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 746) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 747) cond_policydb_init(new);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 748)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 749) if (duplicate_policydb_bools(new, orig))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 750) return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 751)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 752) if (duplicate_policydb_cond_list(new, orig)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 753) cond_policydb_destroy_dup(new);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 754) return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 755) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 756)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 757) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 758) }
Orange Pi5 kernel
Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards
3 Commits
0 Branches
0 Tags