2 * Implementation of the policy database.
4 * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
8 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
10 * Support for enhanced MLS infrastructure.
12 * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
14 * Added conditional policy language extensions
16 * Updated: Hewlett-Packard <paul.moore@hp.com>
18 * Added support for the policy capability bitmap
20 * Copyright (C) 2007 Hewlett-Packard Development Company, L.P.
21 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
22 * Copyright (C) 2003 - 2004 Tresys Technology, LLC
23 * This program is free software; you can redistribute it and/or modify
24 * it under the terms of the GNU General Public License as published by
25 * the Free Software Foundation, version 2.
28 #include <linux/kernel.h>
29 #include <linux/sched.h>
30 #include <linux/slab.h>
31 #include <linux/string.h>
32 #include <linux/errno.h>
33 #include <linux/audit.h>
37 #include "conditional.h"
43 static char *symtab_name
[SYM_NUM
] = {
55 int selinux_mls_enabled
;
57 static unsigned int symtab_sizes
[SYM_NUM
] = {
68 struct policydb_compat_info
{
74 /* These need to be updated if SYM_NUM or OCON_NUM changes */
75 static struct policydb_compat_info policydb_compat
[] = {
77 .version
= POLICYDB_VERSION_BASE
,
78 .sym_num
= SYM_NUM
- 3,
79 .ocon_num
= OCON_NUM
- 1,
82 .version
= POLICYDB_VERSION_BOOL
,
83 .sym_num
= SYM_NUM
- 2,
84 .ocon_num
= OCON_NUM
- 1,
87 .version
= POLICYDB_VERSION_IPV6
,
88 .sym_num
= SYM_NUM
- 2,
92 .version
= POLICYDB_VERSION_NLCLASS
,
93 .sym_num
= SYM_NUM
- 2,
97 .version
= POLICYDB_VERSION_MLS
,
102 .version
= POLICYDB_VERSION_AVTAB
,
104 .ocon_num
= OCON_NUM
,
107 .version
= POLICYDB_VERSION_RANGETRANS
,
109 .ocon_num
= OCON_NUM
,
112 .version
= POLICYDB_VERSION_POLCAP
,
114 .ocon_num
= OCON_NUM
,
117 .version
= POLICYDB_VERSION_PERMISSIVE
,
119 .ocon_num
= OCON_NUM
,
122 .version
= POLICYDB_VERSION_BOUNDARY
,
124 .ocon_num
= OCON_NUM
,
128 static struct policydb_compat_info
*policydb_lookup_compat(int version
)
131 struct policydb_compat_info
*info
= NULL
;
133 for (i
= 0; i
< ARRAY_SIZE(policydb_compat
); i
++) {
134 if (policydb_compat
[i
].version
== version
) {
135 info
= &policydb_compat
[i
];
143 * Initialize the role table.
145 static int roles_init(struct policydb
*p
)
149 struct role_datum
*role
;
151 role
= kzalloc(sizeof(*role
), GFP_KERNEL
);
156 role
->value
= ++p
->p_roles
.nprim
;
157 if (role
->value
!= OBJECT_R_VAL
) {
161 key
= kmalloc(strlen(OBJECT_R
)+1, GFP_KERNEL
);
166 strcpy(key
, OBJECT_R
);
167 rc
= hashtab_insert(p
->p_roles
.table
, key
, role
);
181 * Initialize a policy database structure.
183 static int policydb_init(struct policydb
*p
)
187 memset(p
, 0, sizeof(*p
));
189 for (i
= 0; i
< SYM_NUM
; i
++) {
190 rc
= symtab_init(&p
->symtab
[i
], symtab_sizes
[i
]);
192 goto out_free_symtab
;
195 rc
= avtab_init(&p
->te_avtab
);
197 goto out_free_symtab
;
201 goto out_free_symtab
;
203 rc
= cond_policydb_init(p
);
205 goto out_free_symtab
;
207 ebitmap_init(&p
->policycaps
);
208 ebitmap_init(&p
->permissive_map
);
214 for (i
= 0; i
< SYM_NUM
; i
++)
215 hashtab_destroy(p
->symtab
[i
].table
);
220 * The following *_index functions are used to
221 * define the val_to_name and val_to_struct arrays
222 * in a policy database structure. The val_to_name
223 * arrays are used when converting security context
224 * structures into string representations. The
225 * val_to_struct arrays are used when the attributes
226 * of a class, role, or user are needed.
229 static int common_index(void *key
, void *datum
, void *datap
)
232 struct common_datum
*comdatum
;
236 if (!comdatum
->value
|| comdatum
->value
> p
->p_commons
.nprim
)
238 p
->p_common_val_to_name
[comdatum
->value
- 1] = key
;
242 static int class_index(void *key
, void *datum
, void *datap
)
245 struct class_datum
*cladatum
;
249 if (!cladatum
->value
|| cladatum
->value
> p
->p_classes
.nprim
)
251 p
->p_class_val_to_name
[cladatum
->value
- 1] = key
;
252 p
->class_val_to_struct
[cladatum
->value
- 1] = cladatum
;
256 static int role_index(void *key
, void *datum
, void *datap
)
259 struct role_datum
*role
;
264 || role
->value
> p
->p_roles
.nprim
265 || role
->bounds
> p
->p_roles
.nprim
)
267 p
->p_role_val_to_name
[role
->value
- 1] = key
;
268 p
->role_val_to_struct
[role
->value
- 1] = role
;
272 static int type_index(void *key
, void *datum
, void *datap
)
275 struct type_datum
*typdatum
;
280 if (typdatum
->primary
) {
282 || typdatum
->value
> p
->p_types
.nprim
283 || typdatum
->bounds
> p
->p_types
.nprim
)
285 p
->p_type_val_to_name
[typdatum
->value
- 1] = key
;
286 p
->type_val_to_struct
[typdatum
->value
- 1] = typdatum
;
292 static int user_index(void *key
, void *datum
, void *datap
)
295 struct user_datum
*usrdatum
;
300 || usrdatum
->value
> p
->p_users
.nprim
301 || usrdatum
->bounds
> p
->p_users
.nprim
)
303 p
->p_user_val_to_name
[usrdatum
->value
- 1] = key
;
304 p
->user_val_to_struct
[usrdatum
->value
- 1] = usrdatum
;
308 static int sens_index(void *key
, void *datum
, void *datap
)
311 struct level_datum
*levdatum
;
316 if (!levdatum
->isalias
) {
317 if (!levdatum
->level
->sens
||
318 levdatum
->level
->sens
> p
->p_levels
.nprim
)
320 p
->p_sens_val_to_name
[levdatum
->level
->sens
- 1] = key
;
326 static int cat_index(void *key
, void *datum
, void *datap
)
329 struct cat_datum
*catdatum
;
334 if (!catdatum
->isalias
) {
335 if (!catdatum
->value
|| catdatum
->value
> p
->p_cats
.nprim
)
337 p
->p_cat_val_to_name
[catdatum
->value
- 1] = key
;
343 static int (*index_f
[SYM_NUM
]) (void *key
, void *datum
, void *datap
) =
356 * Define the common val_to_name array and the class
357 * val_to_name and val_to_struct arrays in a policy
358 * database structure.
360 * Caller must clean up upon failure.
362 static int policydb_index_classes(struct policydb
*p
)
366 p
->p_common_val_to_name
=
367 kmalloc(p
->p_commons
.nprim
* sizeof(char *), GFP_KERNEL
);
368 if (!p
->p_common_val_to_name
) {
373 rc
= hashtab_map(p
->p_commons
.table
, common_index
, p
);
377 p
->class_val_to_struct
=
378 kmalloc(p
->p_classes
.nprim
* sizeof(*(p
->class_val_to_struct
)), GFP_KERNEL
);
379 if (!p
->class_val_to_struct
) {
384 p
->p_class_val_to_name
=
385 kmalloc(p
->p_classes
.nprim
* sizeof(char *), GFP_KERNEL
);
386 if (!p
->p_class_val_to_name
) {
391 rc
= hashtab_map(p
->p_classes
.table
, class_index
, p
);
397 static void symtab_hash_eval(struct symtab
*s
)
401 for (i
= 0; i
< SYM_NUM
; i
++) {
402 struct hashtab
*h
= s
[i
].table
;
403 struct hashtab_info info
;
405 hashtab_stat(h
, &info
);
406 printk(KERN_DEBUG
"SELinux: %s: %d entries and %d/%d buckets used, "
407 "longest chain length %d\n", symtab_name
[i
], h
->nel
,
408 info
.slots_used
, h
->size
, info
.max_chain_len
);
414 * Define the other val_to_name and val_to_struct arrays
415 * in a policy database structure.
417 * Caller must clean up on failure.
419 static int policydb_index_others(struct policydb
*p
)
423 printk(KERN_DEBUG
"SELinux: %d users, %d roles, %d types, %d bools",
424 p
->p_users
.nprim
, p
->p_roles
.nprim
, p
->p_types
.nprim
, p
->p_bools
.nprim
);
425 if (selinux_mls_enabled
)
426 printk(", %d sens, %d cats", p
->p_levels
.nprim
,
430 printk(KERN_DEBUG
"SELinux: %d classes, %d rules\n",
431 p
->p_classes
.nprim
, p
->te_avtab
.nel
);
434 avtab_hash_eval(&p
->te_avtab
, "rules");
435 symtab_hash_eval(p
->symtab
);
438 p
->role_val_to_struct
=
439 kmalloc(p
->p_roles
.nprim
* sizeof(*(p
->role_val_to_struct
)),
441 if (!p
->role_val_to_struct
) {
446 p
->user_val_to_struct
=
447 kmalloc(p
->p_users
.nprim
* sizeof(*(p
->user_val_to_struct
)),
449 if (!p
->user_val_to_struct
) {
454 p
->type_val_to_struct
=
455 kmalloc(p
->p_types
.nprim
* sizeof(*(p
->type_val_to_struct
)),
457 if (!p
->type_val_to_struct
) {
462 if (cond_init_bool_indexes(p
)) {
467 for (i
= SYM_ROLES
; i
< SYM_NUM
; i
++) {
468 p
->sym_val_to_name
[i
] =
469 kmalloc(p
->symtab
[i
].nprim
* sizeof(char *), GFP_KERNEL
);
470 if (!p
->sym_val_to_name
[i
]) {
474 rc
= hashtab_map(p
->symtab
[i
].table
, index_f
[i
], p
);
484 * The following *_destroy functions are used to
485 * free any memory allocated for each kind of
486 * symbol data in the policy database.
489 static int perm_destroy(void *key
, void *datum
, void *p
)
496 static int common_destroy(void *key
, void *datum
, void *p
)
498 struct common_datum
*comdatum
;
502 hashtab_map(comdatum
->permissions
.table
, perm_destroy
, NULL
);
503 hashtab_destroy(comdatum
->permissions
.table
);
508 static int cls_destroy(void *key
, void *datum
, void *p
)
510 struct class_datum
*cladatum
;
511 struct constraint_node
*constraint
, *ctemp
;
512 struct constraint_expr
*e
, *etmp
;
516 hashtab_map(cladatum
->permissions
.table
, perm_destroy
, NULL
);
517 hashtab_destroy(cladatum
->permissions
.table
);
518 constraint
= cladatum
->constraints
;
520 e
= constraint
->expr
;
522 ebitmap_destroy(&e
->names
);
528 constraint
= constraint
->next
;
532 constraint
= cladatum
->validatetrans
;
534 e
= constraint
->expr
;
536 ebitmap_destroy(&e
->names
);
542 constraint
= constraint
->next
;
546 kfree(cladatum
->comkey
);
551 static int role_destroy(void *key
, void *datum
, void *p
)
553 struct role_datum
*role
;
557 ebitmap_destroy(&role
->dominates
);
558 ebitmap_destroy(&role
->types
);
563 static int type_destroy(void *key
, void *datum
, void *p
)
570 static int user_destroy(void *key
, void *datum
, void *p
)
572 struct user_datum
*usrdatum
;
576 ebitmap_destroy(&usrdatum
->roles
);
577 ebitmap_destroy(&usrdatum
->range
.level
[0].cat
);
578 ebitmap_destroy(&usrdatum
->range
.level
[1].cat
);
579 ebitmap_destroy(&usrdatum
->dfltlevel
.cat
);
584 static int sens_destroy(void *key
, void *datum
, void *p
)
586 struct level_datum
*levdatum
;
590 ebitmap_destroy(&levdatum
->level
->cat
);
591 kfree(levdatum
->level
);
596 static int cat_destroy(void *key
, void *datum
, void *p
)
603 static int (*destroy_f
[SYM_NUM
]) (void *key
, void *datum
, void *datap
) =
615 static void ocontext_destroy(struct ocontext
*c
, int i
)
617 context_destroy(&c
->context
[0]);
618 context_destroy(&c
->context
[1]);
619 if (i
== OCON_ISID
|| i
== OCON_FS
||
620 i
== OCON_NETIF
|| i
== OCON_FSUSE
)
626 * Free any memory allocated by a policy database structure.
628 void policydb_destroy(struct policydb
*p
)
630 struct ocontext
*c
, *ctmp
;
631 struct genfs
*g
, *gtmp
;
633 struct role_allow
*ra
, *lra
= NULL
;
634 struct role_trans
*tr
, *ltr
= NULL
;
635 struct range_trans
*rt
, *lrt
= NULL
;
637 for (i
= 0; i
< SYM_NUM
; i
++) {
639 hashtab_map(p
->symtab
[i
].table
, destroy_f
[i
], NULL
);
640 hashtab_destroy(p
->symtab
[i
].table
);
643 for (i
= 0; i
< SYM_NUM
; i
++)
644 kfree(p
->sym_val_to_name
[i
]);
646 kfree(p
->class_val_to_struct
);
647 kfree(p
->role_val_to_struct
);
648 kfree(p
->user_val_to_struct
);
649 kfree(p
->type_val_to_struct
);
651 avtab_destroy(&p
->te_avtab
);
653 for (i
= 0; i
< OCON_NUM
; i
++) {
659 ocontext_destroy(ctmp
, i
);
661 p
->ocontexts
[i
] = NULL
;
672 ocontext_destroy(ctmp
, OCON_FSUSE
);
680 cond_policydb_destroy(p
);
682 for (tr
= p
->role_tr
; tr
; tr
= tr
->next
) {
689 for (ra
= p
->role_allow
; ra
; ra
= ra
->next
) {
696 for (rt
= p
->range_tr
; rt
; rt
= rt
->next
) {
699 ebitmap_destroy(&lrt
->target_range
.level
[0].cat
);
700 ebitmap_destroy(&lrt
->target_range
.level
[1].cat
);
706 ebitmap_destroy(&lrt
->target_range
.level
[0].cat
);
707 ebitmap_destroy(&lrt
->target_range
.level
[1].cat
);
711 if (p
->type_attr_map
) {
712 for (i
= 0; i
< p
->p_types
.nprim
; i
++)
713 ebitmap_destroy(&p
->type_attr_map
[i
]);
715 kfree(p
->type_attr_map
);
716 ebitmap_destroy(&p
->policycaps
);
717 ebitmap_destroy(&p
->permissive_map
);
723 * Load the initial SIDs specified in a policy database
724 * structure into a SID table.
726 int policydb_load_isids(struct policydb
*p
, struct sidtab
*s
)
728 struct ocontext
*head
, *c
;
733 printk(KERN_ERR
"SELinux: out of memory on SID table init\n");
737 head
= p
->ocontexts
[OCON_ISID
];
738 for (c
= head
; c
; c
= c
->next
) {
739 if (!c
->context
[0].user
) {
740 printk(KERN_ERR
"SELinux: SID %s was never "
741 "defined.\n", c
->u
.name
);
745 if (sidtab_insert(s
, c
->sid
[0], &c
->context
[0])) {
746 printk(KERN_ERR
"SELinux: unable to load initial "
747 "SID %s.\n", c
->u
.name
);
756 int policydb_class_isvalid(struct policydb
*p
, unsigned int class)
758 if (!class || class > p
->p_classes
.nprim
)
763 int policydb_role_isvalid(struct policydb
*p
, unsigned int role
)
765 if (!role
|| role
> p
->p_roles
.nprim
)
770 int policydb_type_isvalid(struct policydb
*p
, unsigned int type
)
772 if (!type
|| type
> p
->p_types
.nprim
)
778 * Return 1 if the fields in the security context
779 * structure `c' are valid. Return 0 otherwise.
781 int policydb_context_isvalid(struct policydb
*p
, struct context
*c
)
783 struct role_datum
*role
;
784 struct user_datum
*usrdatum
;
786 if (!c
->role
|| c
->role
> p
->p_roles
.nprim
)
789 if (!c
->user
|| c
->user
> p
->p_users
.nprim
)
792 if (!c
->type
|| c
->type
> p
->p_types
.nprim
)
795 if (c
->role
!= OBJECT_R_VAL
) {
797 * Role must be authorized for the type.
799 role
= p
->role_val_to_struct
[c
->role
- 1];
800 if (!ebitmap_get_bit(&role
->types
,
802 /* role may not be associated with type */
806 * User must be authorized for the role.
808 usrdatum
= p
->user_val_to_struct
[c
->user
- 1];
812 if (!ebitmap_get_bit(&usrdatum
->roles
,
814 /* user may not be associated with role */
818 if (!mls_context_isvalid(p
, c
))
825 * Read a MLS range structure from a policydb binary
826 * representation file.
828 static int mls_read_range_helper(struct mls_range
*r
, void *fp
)
834 rc
= next_entry(buf
, fp
, sizeof(u32
));
838 items
= le32_to_cpu(buf
[0]);
839 if (items
> ARRAY_SIZE(buf
)) {
840 printk(KERN_ERR
"SELinux: mls: range overflow\n");
844 rc
= next_entry(buf
, fp
, sizeof(u32
) * items
);
846 printk(KERN_ERR
"SELinux: mls: truncated range\n");
849 r
->level
[0].sens
= le32_to_cpu(buf
[0]);
851 r
->level
[1].sens
= le32_to_cpu(buf
[1]);
853 r
->level
[1].sens
= r
->level
[0].sens
;
855 rc
= ebitmap_read(&r
->level
[0].cat
, fp
);
857 printk(KERN_ERR
"SELinux: mls: error reading low "
862 rc
= ebitmap_read(&r
->level
[1].cat
, fp
);
864 printk(KERN_ERR
"SELinux: mls: error reading high "
869 rc
= ebitmap_cpy(&r
->level
[1].cat
, &r
->level
[0].cat
);
871 printk(KERN_ERR
"SELinux: mls: out of memory\n");
880 ebitmap_destroy(&r
->level
[0].cat
);
885 * Read and validate a security context structure
886 * from a policydb binary representation file.
888 static int context_read_and_validate(struct context
*c
,
895 rc
= next_entry(buf
, fp
, sizeof buf
);
897 printk(KERN_ERR
"SELinux: context truncated\n");
900 c
->user
= le32_to_cpu(buf
[0]);
901 c
->role
= le32_to_cpu(buf
[1]);
902 c
->type
= le32_to_cpu(buf
[2]);
903 if (p
->policyvers
>= POLICYDB_VERSION_MLS
) {
904 if (mls_read_range_helper(&c
->range
, fp
)) {
905 printk(KERN_ERR
"SELinux: error reading MLS range of "
912 if (!policydb_context_isvalid(p
, c
)) {
913 printk(KERN_ERR
"SELinux: invalid security context\n");
922 * The following *_read functions are used to
923 * read the symbol data from a policy database
924 * binary representation file.
927 static int perm_read(struct policydb
*p
, struct hashtab
*h
, void *fp
)
930 struct perm_datum
*perdatum
;
935 perdatum
= kzalloc(sizeof(*perdatum
), GFP_KERNEL
);
941 rc
= next_entry(buf
, fp
, sizeof buf
);
945 len
= le32_to_cpu(buf
[0]);
946 perdatum
->value
= le32_to_cpu(buf
[1]);
948 key
= kmalloc(len
+ 1, GFP_KERNEL
);
953 rc
= next_entry(key
, fp
, len
);
958 rc
= hashtab_insert(h
, key
, perdatum
);
964 perm_destroy(key
, perdatum
, NULL
);
968 static int common_read(struct policydb
*p
, struct hashtab
*h
, void *fp
)
971 struct common_datum
*comdatum
;
976 comdatum
= kzalloc(sizeof(*comdatum
), GFP_KERNEL
);
982 rc
= next_entry(buf
, fp
, sizeof buf
);
986 len
= le32_to_cpu(buf
[0]);
987 comdatum
->value
= le32_to_cpu(buf
[1]);
989 rc
= symtab_init(&comdatum
->permissions
, PERM_SYMTAB_SIZE
);
992 comdatum
->permissions
.nprim
= le32_to_cpu(buf
[2]);
993 nel
= le32_to_cpu(buf
[3]);
995 key
= kmalloc(len
+ 1, GFP_KERNEL
);
1000 rc
= next_entry(key
, fp
, len
);
1005 for (i
= 0; i
< nel
; i
++) {
1006 rc
= perm_read(p
, comdatum
->permissions
.table
, fp
);
1011 rc
= hashtab_insert(h
, key
, comdatum
);
1017 common_destroy(key
, comdatum
, NULL
);
1021 static int read_cons_helper(struct constraint_node
**nodep
, int ncons
,
1022 int allowxtarget
, void *fp
)
1024 struct constraint_node
*c
, *lc
;
1025 struct constraint_expr
*e
, *le
;
1028 int rc
, i
, j
, depth
;
1031 for (i
= 0; i
< ncons
; i
++) {
1032 c
= kzalloc(sizeof(*c
), GFP_KERNEL
);
1041 rc
= next_entry(buf
, fp
, (sizeof(u32
) * 2));
1044 c
->permissions
= le32_to_cpu(buf
[0]);
1045 nexpr
= le32_to_cpu(buf
[1]);
1048 for (j
= 0; j
< nexpr
; j
++) {
1049 e
= kzalloc(sizeof(*e
), GFP_KERNEL
);
1058 rc
= next_entry(buf
, fp
, (sizeof(u32
) * 3));
1061 e
->expr_type
= le32_to_cpu(buf
[0]);
1062 e
->attr
= le32_to_cpu(buf
[1]);
1063 e
->op
= le32_to_cpu(buf
[2]);
1065 switch (e
->expr_type
) {
1077 if (depth
== (CEXPR_MAXDEPTH
- 1))
1082 if (!allowxtarget
&& (e
->attr
& CEXPR_XTARGET
))
1084 if (depth
== (CEXPR_MAXDEPTH
- 1))
1087 if (ebitmap_read(&e
->names
, fp
))
1103 static int class_read(struct policydb
*p
, struct hashtab
*h
, void *fp
)
1106 struct class_datum
*cladatum
;
1108 u32 len
, len2
, ncons
, nel
;
1111 cladatum
= kzalloc(sizeof(*cladatum
), GFP_KERNEL
);
1117 rc
= next_entry(buf
, fp
, sizeof(u32
)*6);
1121 len
= le32_to_cpu(buf
[0]);
1122 len2
= le32_to_cpu(buf
[1]);
1123 cladatum
->value
= le32_to_cpu(buf
[2]);
1125 rc
= symtab_init(&cladatum
->permissions
, PERM_SYMTAB_SIZE
);
1128 cladatum
->permissions
.nprim
= le32_to_cpu(buf
[3]);
1129 nel
= le32_to_cpu(buf
[4]);
1131 ncons
= le32_to_cpu(buf
[5]);
1133 key
= kmalloc(len
+ 1, GFP_KERNEL
);
1138 rc
= next_entry(key
, fp
, len
);
1144 cladatum
->comkey
= kmalloc(len2
+ 1, GFP_KERNEL
);
1145 if (!cladatum
->comkey
) {
1149 rc
= next_entry(cladatum
->comkey
, fp
, len2
);
1152 cladatum
->comkey
[len2
] = '\0';
1154 cladatum
->comdatum
= hashtab_search(p
->p_commons
.table
,
1156 if (!cladatum
->comdatum
) {
1157 printk(KERN_ERR
"SELinux: unknown common %s\n",
1163 for (i
= 0; i
< nel
; i
++) {
1164 rc
= perm_read(p
, cladatum
->permissions
.table
, fp
);
1169 rc
= read_cons_helper(&cladatum
->constraints
, ncons
, 0, fp
);
1173 if (p
->policyvers
>= POLICYDB_VERSION_VALIDATETRANS
) {
1174 /* grab the validatetrans rules */
1175 rc
= next_entry(buf
, fp
, sizeof(u32
));
1178 ncons
= le32_to_cpu(buf
[0]);
1179 rc
= read_cons_helper(&cladatum
->validatetrans
, ncons
, 1, fp
);
1184 rc
= hashtab_insert(h
, key
, cladatum
);
1192 cls_destroy(key
, cladatum
, NULL
);
1196 static int role_read(struct policydb
*p
, struct hashtab
*h
, void *fp
)
1199 struct role_datum
*role
;
1200 int rc
, to_read
= 2;
1204 role
= kzalloc(sizeof(*role
), GFP_KERNEL
);
1210 if (p
->policyvers
>= POLICYDB_VERSION_BOUNDARY
)
1213 rc
= next_entry(buf
, fp
, sizeof(buf
[0]) * to_read
);
1217 len
= le32_to_cpu(buf
[0]);
1218 role
->value
= le32_to_cpu(buf
[1]);
1219 if (p
->policyvers
>= POLICYDB_VERSION_BOUNDARY
)
1220 role
->bounds
= le32_to_cpu(buf
[2]);
1222 key
= kmalloc(len
+ 1, GFP_KERNEL
);
1227 rc
= next_entry(key
, fp
, len
);
1232 rc
= ebitmap_read(&role
->dominates
, fp
);
1236 rc
= ebitmap_read(&role
->types
, fp
);
1240 if (strcmp(key
, OBJECT_R
) == 0) {
1241 if (role
->value
!= OBJECT_R_VAL
) {
1242 printk(KERN_ERR
"SELinux: Role %s has wrong value %d\n",
1243 OBJECT_R
, role
->value
);
1251 rc
= hashtab_insert(h
, key
, role
);
1257 role_destroy(key
, role
, NULL
);
1261 static int type_read(struct policydb
*p
, struct hashtab
*h
, void *fp
)
1264 struct type_datum
*typdatum
;
1265 int rc
, to_read
= 3;
1269 typdatum
= kzalloc(sizeof(*typdatum
), GFP_KERNEL
);
1275 if (p
->policyvers
>= POLICYDB_VERSION_BOUNDARY
)
1278 rc
= next_entry(buf
, fp
, sizeof(buf
[0]) * to_read
);
1282 len
= le32_to_cpu(buf
[0]);
1283 typdatum
->value
= le32_to_cpu(buf
[1]);
1284 if (p
->policyvers
>= POLICYDB_VERSION_BOUNDARY
) {
1285 u32 prop
= le32_to_cpu(buf
[2]);
1287 if (prop
& TYPEDATUM_PROPERTY_PRIMARY
)
1288 typdatum
->primary
= 1;
1289 if (prop
& TYPEDATUM_PROPERTY_ATTRIBUTE
)
1290 typdatum
->attribute
= 1;
1292 typdatum
->bounds
= le32_to_cpu(buf
[3]);
1294 typdatum
->primary
= le32_to_cpu(buf
[2]);
1297 key
= kmalloc(len
+ 1, GFP_KERNEL
);
1302 rc
= next_entry(key
, fp
, len
);
1307 rc
= hashtab_insert(h
, key
, typdatum
);
1313 type_destroy(key
, typdatum
, NULL
);
1319 * Read a MLS level structure from a policydb binary
1320 * representation file.
1322 static int mls_read_level(struct mls_level
*lp
, void *fp
)
1327 memset(lp
, 0, sizeof(*lp
));
1329 rc
= next_entry(buf
, fp
, sizeof buf
);
1331 printk(KERN_ERR
"SELinux: mls: truncated level\n");
1334 lp
->sens
= le32_to_cpu(buf
[0]);
1336 if (ebitmap_read(&lp
->cat
, fp
)) {
1337 printk(KERN_ERR
"SELinux: mls: error reading level "
1348 static int user_read(struct policydb
*p
, struct hashtab
*h
, void *fp
)
1351 struct user_datum
*usrdatum
;
1352 int rc
, to_read
= 2;
1356 usrdatum
= kzalloc(sizeof(*usrdatum
), GFP_KERNEL
);
1362 if (p
->policyvers
>= POLICYDB_VERSION_BOUNDARY
)
1365 rc
= next_entry(buf
, fp
, sizeof(buf
[0]) * to_read
);
1369 len
= le32_to_cpu(buf
[0]);
1370 usrdatum
->value
= le32_to_cpu(buf
[1]);
1371 if (p
->policyvers
>= POLICYDB_VERSION_BOUNDARY
)
1372 usrdatum
->bounds
= le32_to_cpu(buf
[2]);
1374 key
= kmalloc(len
+ 1, GFP_KERNEL
);
1379 rc
= next_entry(key
, fp
, len
);
1384 rc
= ebitmap_read(&usrdatum
->roles
, fp
);
1388 if (p
->policyvers
>= POLICYDB_VERSION_MLS
) {
1389 rc
= mls_read_range_helper(&usrdatum
->range
, fp
);
1392 rc
= mls_read_level(&usrdatum
->dfltlevel
, fp
);
1397 rc
= hashtab_insert(h
, key
, usrdatum
);
1403 user_destroy(key
, usrdatum
, NULL
);
1407 static int sens_read(struct policydb
*p
, struct hashtab
*h
, void *fp
)
1410 struct level_datum
*levdatum
;
1415 levdatum
= kzalloc(sizeof(*levdatum
), GFP_ATOMIC
);
1421 rc
= next_entry(buf
, fp
, sizeof buf
);
1425 len
= le32_to_cpu(buf
[0]);
1426 levdatum
->isalias
= le32_to_cpu(buf
[1]);
1428 key
= kmalloc(len
+ 1, GFP_ATOMIC
);
1433 rc
= next_entry(key
, fp
, len
);
1438 levdatum
->level
= kmalloc(sizeof(struct mls_level
), GFP_ATOMIC
);
1439 if (!levdatum
->level
) {
1443 if (mls_read_level(levdatum
->level
, fp
)) {
1448 rc
= hashtab_insert(h
, key
, levdatum
);
1454 sens_destroy(key
, levdatum
, NULL
);
1458 static int cat_read(struct policydb
*p
, struct hashtab
*h
, void *fp
)
1461 struct cat_datum
*catdatum
;
1466 catdatum
= kzalloc(sizeof(*catdatum
), GFP_ATOMIC
);
1472 rc
= next_entry(buf
, fp
, sizeof buf
);
1476 len
= le32_to_cpu(buf
[0]);
1477 catdatum
->value
= le32_to_cpu(buf
[1]);
1478 catdatum
->isalias
= le32_to_cpu(buf
[2]);
1480 key
= kmalloc(len
+ 1, GFP_ATOMIC
);
1485 rc
= next_entry(key
, fp
, len
);
1490 rc
= hashtab_insert(h
, key
, catdatum
);
1497 cat_destroy(key
, catdatum
, NULL
);
1501 static int (*read_f
[SYM_NUM
]) (struct policydb
*p
, struct hashtab
*h
, void *fp
) =
1513 static int user_bounds_sanity_check(void *key
, void *datum
, void *datap
)
1515 struct user_datum
*upper
, *user
;
1516 struct policydb
*p
= datap
;
1519 upper
= user
= datum
;
1520 while (upper
->bounds
) {
1521 struct ebitmap_node
*node
;
1524 if (++depth
== POLICYDB_BOUNDS_MAXDEPTH
) {
1525 printk(KERN_ERR
"SELinux: user %s: "
1526 "too deep or looped boundary",
1531 upper
= p
->user_val_to_struct
[upper
->bounds
- 1];
1532 ebitmap_for_each_positive_bit(&user
->roles
, node
, bit
) {
1533 if (ebitmap_get_bit(&upper
->roles
, bit
))
1537 "SELinux: boundary violated policy: "
1538 "user=%s role=%s bounds=%s\n",
1539 p
->p_user_val_to_name
[user
->value
- 1],
1540 p
->p_role_val_to_name
[bit
],
1541 p
->p_user_val_to_name
[upper
->value
- 1]);
1550 static int role_bounds_sanity_check(void *key
, void *datum
, void *datap
)
1552 struct role_datum
*upper
, *role
;
1553 struct policydb
*p
= datap
;
1556 upper
= role
= datum
;
1557 while (upper
->bounds
) {
1558 struct ebitmap_node
*node
;
1561 if (++depth
== POLICYDB_BOUNDS_MAXDEPTH
) {
1562 printk(KERN_ERR
"SELinux: role %s: "
1563 "too deep or looped bounds\n",
1568 upper
= p
->role_val_to_struct
[upper
->bounds
- 1];
1569 ebitmap_for_each_positive_bit(&role
->types
, node
, bit
) {
1570 if (ebitmap_get_bit(&upper
->types
, bit
))
1574 "SELinux: boundary violated policy: "
1575 "role=%s type=%s bounds=%s\n",
1576 p
->p_role_val_to_name
[role
->value
- 1],
1577 p
->p_type_val_to_name
[bit
],
1578 p
->p_role_val_to_name
[upper
->value
- 1]);
1587 static int type_bounds_sanity_check(void *key
, void *datum
, void *datap
)
1589 struct type_datum
*upper
, *type
;
1590 struct policydb
*p
= datap
;
1593 upper
= type
= datum
;
1594 while (upper
->bounds
) {
1595 if (++depth
== POLICYDB_BOUNDS_MAXDEPTH
) {
1596 printk(KERN_ERR
"SELinux: type %s: "
1597 "too deep or looped boundary\n",
1602 upper
= p
->type_val_to_struct
[upper
->bounds
- 1];
1603 if (upper
->attribute
) {
1604 printk(KERN_ERR
"SELinux: type %s: "
1605 "bounded by attribute %s",
1607 p
->p_type_val_to_name
[upper
->value
- 1]);
1615 static int policydb_bounds_sanity_check(struct policydb
*p
)
1619 if (p
->policyvers
< POLICYDB_VERSION_BOUNDARY
)
1622 rc
= hashtab_map(p
->p_users
.table
,
1623 user_bounds_sanity_check
, p
);
1627 rc
= hashtab_map(p
->p_roles
.table
,
1628 role_bounds_sanity_check
, p
);
1632 rc
= hashtab_map(p
->p_types
.table
,
1633 type_bounds_sanity_check
, p
);
1640 extern int ss_initialized
;
1642 u16
string_to_security_class(struct policydb
*p
, const char *name
)
1644 struct class_datum
*cladatum
;
1646 cladatum
= hashtab_search(p
->p_classes
.table
, name
);
1650 return cladatum
->value
;
1653 u32
string_to_av_perm(struct policydb
*p
, u16 tclass
, const char *name
)
1655 struct class_datum
*cladatum
;
1656 struct perm_datum
*perdatum
= NULL
;
1657 struct common_datum
*comdatum
;
1659 if (!tclass
|| tclass
> p
->p_classes
.nprim
)
1662 cladatum
= p
->class_val_to_struct
[tclass
-1];
1663 comdatum
= cladatum
->comdatum
;
1665 perdatum
= hashtab_search(comdatum
->permissions
.table
,
1668 perdatum
= hashtab_search(cladatum
->permissions
.table
,
1673 return 1U << (perdatum
->value
-1);
1677 * Read the configuration data from a policy database binary
1678 * representation file into a policy database structure.
1680 int policydb_read(struct policydb
*p
, void *fp
)
1682 struct role_allow
*ra
, *lra
;
1683 struct role_trans
*tr
, *ltr
;
1684 struct ocontext
*l
, *c
, *newc
;
1685 struct genfs
*genfs_p
, *genfs
, *newgenfs
;
1689 u32 len
, len2
, config
, nprim
, nel
, nel2
;
1691 struct policydb_compat_info
*info
;
1692 struct range_trans
*rt
, *lrt
;
1696 rc
= policydb_init(p
);
1700 /* Read the magic number and string length. */
1701 rc
= next_entry(buf
, fp
, sizeof(u32
) * 2);
1705 if (le32_to_cpu(buf
[0]) != POLICYDB_MAGIC
) {
1706 printk(KERN_ERR
"SELinux: policydb magic number 0x%x does "
1707 "not match expected magic number 0x%x\n",
1708 le32_to_cpu(buf
[0]), POLICYDB_MAGIC
);
1712 len
= le32_to_cpu(buf
[1]);
1713 if (len
!= strlen(POLICYDB_STRING
)) {
1714 printk(KERN_ERR
"SELinux: policydb string length %d does not "
1715 "match expected length %Zu\n",
1716 len
, strlen(POLICYDB_STRING
));
1719 policydb_str
= kmalloc(len
+ 1, GFP_KERNEL
);
1720 if (!policydb_str
) {
1721 printk(KERN_ERR
"SELinux: unable to allocate memory for policydb "
1722 "string of length %d\n", len
);
1726 rc
= next_entry(policydb_str
, fp
, len
);
1728 printk(KERN_ERR
"SELinux: truncated policydb string identifier\n");
1729 kfree(policydb_str
);
1732 policydb_str
[len
] = '\0';
1733 if (strcmp(policydb_str
, POLICYDB_STRING
)) {
1734 printk(KERN_ERR
"SELinux: policydb string %s does not match "
1735 "my string %s\n", policydb_str
, POLICYDB_STRING
);
1736 kfree(policydb_str
);
1739 /* Done with policydb_str. */
1740 kfree(policydb_str
);
1741 policydb_str
= NULL
;
1743 /* Read the version, config, and table sizes. */
1744 rc
= next_entry(buf
, fp
, sizeof(u32
)*4);
1748 p
->policyvers
= le32_to_cpu(buf
[0]);
1749 if (p
->policyvers
< POLICYDB_VERSION_MIN
||
1750 p
->policyvers
> POLICYDB_VERSION_MAX
) {
1751 printk(KERN_ERR
"SELinux: policydb version %d does not match "
1752 "my version range %d-%d\n",
1753 le32_to_cpu(buf
[0]), POLICYDB_VERSION_MIN
, POLICYDB_VERSION_MAX
);
1757 if ((le32_to_cpu(buf
[1]) & POLICYDB_CONFIG_MLS
)) {
1758 if (ss_initialized
&& !selinux_mls_enabled
) {
1759 printk(KERN_ERR
"SELinux: Cannot switch between non-MLS"
1760 " and MLS policies\n");
1763 selinux_mls_enabled
= 1;
1764 config
|= POLICYDB_CONFIG_MLS
;
1766 if (p
->policyvers
< POLICYDB_VERSION_MLS
) {
1767 printk(KERN_ERR
"SELinux: security policydb version %d "
1768 "(MLS) not backwards compatible\n",
1773 if (ss_initialized
&& selinux_mls_enabled
) {
1774 printk(KERN_ERR
"SELinux: Cannot switch between MLS and"
1775 " non-MLS policies\n");
1779 p
->reject_unknown
= !!(le32_to_cpu(buf
[1]) & REJECT_UNKNOWN
);
1780 p
->allow_unknown
= !!(le32_to_cpu(buf
[1]) & ALLOW_UNKNOWN
);
1782 if (p
->policyvers
>= POLICYDB_VERSION_POLCAP
&&
1783 ebitmap_read(&p
->policycaps
, fp
) != 0)
1786 if (p
->policyvers
>= POLICYDB_VERSION_PERMISSIVE
&&
1787 ebitmap_read(&p
->permissive_map
, fp
) != 0)
1790 info
= policydb_lookup_compat(p
->policyvers
);
1792 printk(KERN_ERR
"SELinux: unable to find policy compat info "
1793 "for version %d\n", p
->policyvers
);
1797 if (le32_to_cpu(buf
[2]) != info
->sym_num
||
1798 le32_to_cpu(buf
[3]) != info
->ocon_num
) {
1799 printk(KERN_ERR
"SELinux: policydb table sizes (%d,%d) do "
1800 "not match mine (%d,%d)\n", le32_to_cpu(buf
[2]),
1801 le32_to_cpu(buf
[3]),
1802 info
->sym_num
, info
->ocon_num
);
1806 for (i
= 0; i
< info
->sym_num
; i
++) {
1807 rc
= next_entry(buf
, fp
, sizeof(u32
)*2);
1810 nprim
= le32_to_cpu(buf
[0]);
1811 nel
= le32_to_cpu(buf
[1]);
1812 for (j
= 0; j
< nel
; j
++) {
1813 rc
= read_f
[i
](p
, p
->symtab
[i
].table
, fp
);
1818 p
->symtab
[i
].nprim
= nprim
;
1821 rc
= avtab_read(&p
->te_avtab
, fp
, p
);
1825 if (p
->policyvers
>= POLICYDB_VERSION_BOOL
) {
1826 rc
= cond_read_list(p
, fp
);
1831 rc
= next_entry(buf
, fp
, sizeof(u32
));
1834 nel
= le32_to_cpu(buf
[0]);
1836 for (i
= 0; i
< nel
; i
++) {
1837 tr
= kzalloc(sizeof(*tr
), GFP_KERNEL
);
1846 rc
= next_entry(buf
, fp
, sizeof(u32
)*3);
1849 tr
->role
= le32_to_cpu(buf
[0]);
1850 tr
->type
= le32_to_cpu(buf
[1]);
1851 tr
->new_role
= le32_to_cpu(buf
[2]);
1852 if (!policydb_role_isvalid(p
, tr
->role
) ||
1853 !policydb_type_isvalid(p
, tr
->type
) ||
1854 !policydb_role_isvalid(p
, tr
->new_role
)) {
1861 rc
= next_entry(buf
, fp
, sizeof(u32
));
1864 nel
= le32_to_cpu(buf
[0]);
1866 for (i
= 0; i
< nel
; i
++) {
1867 ra
= kzalloc(sizeof(*ra
), GFP_KERNEL
);
1876 rc
= next_entry(buf
, fp
, sizeof(u32
)*2);
1879 ra
->role
= le32_to_cpu(buf
[0]);
1880 ra
->new_role
= le32_to_cpu(buf
[1]);
1881 if (!policydb_role_isvalid(p
, ra
->role
) ||
1882 !policydb_role_isvalid(p
, ra
->new_role
)) {
1889 rc
= policydb_index_classes(p
);
1893 rc
= policydb_index_others(p
);
1897 p
->process_class
= string_to_security_class(p
, "process");
1898 if (!p
->process_class
)
1900 p
->process_trans_perms
= string_to_av_perm(p
, p
->process_class
,
1902 p
->process_trans_perms
|= string_to_av_perm(p
, p
->process_class
,
1904 if (!p
->process_trans_perms
)
1907 for (i
= 0; i
< info
->ocon_num
; i
++) {
1908 rc
= next_entry(buf
, fp
, sizeof(u32
));
1911 nel
= le32_to_cpu(buf
[0]);
1913 for (j
= 0; j
< nel
; j
++) {
1914 c
= kzalloc(sizeof(*c
), GFP_KERNEL
);
1922 p
->ocontexts
[i
] = c
;
1927 rc
= next_entry(buf
, fp
, sizeof(u32
));
1930 c
->sid
[0] = le32_to_cpu(buf
[0]);
1931 rc
= context_read_and_validate(&c
->context
[0], p
, fp
);
1937 rc
= next_entry(buf
, fp
, sizeof(u32
));
1940 len
= le32_to_cpu(buf
[0]);
1941 c
->u
.name
= kmalloc(len
+ 1, GFP_KERNEL
);
1946 rc
= next_entry(c
->u
.name
, fp
, len
);
1950 rc
= context_read_and_validate(&c
->context
[0], p
, fp
);
1953 rc
= context_read_and_validate(&c
->context
[1], p
, fp
);
1958 rc
= next_entry(buf
, fp
, sizeof(u32
)*3);
1961 c
->u
.port
.protocol
= le32_to_cpu(buf
[0]);
1962 c
->u
.port
.low_port
= le32_to_cpu(buf
[1]);
1963 c
->u
.port
.high_port
= le32_to_cpu(buf
[2]);
1964 rc
= context_read_and_validate(&c
->context
[0], p
, fp
);
1969 rc
= next_entry(nodebuf
, fp
, sizeof(u32
) * 2);
1972 c
->u
.node
.addr
= nodebuf
[0]; /* network order */
1973 c
->u
.node
.mask
= nodebuf
[1]; /* network order */
1974 rc
= context_read_and_validate(&c
->context
[0], p
, fp
);
1979 rc
= next_entry(buf
, fp
, sizeof(u32
)*2);
1982 c
->v
.behavior
= le32_to_cpu(buf
[0]);
1983 if (c
->v
.behavior
> SECURITY_FS_USE_NONE
)
1985 len
= le32_to_cpu(buf
[1]);
1986 c
->u
.name
= kmalloc(len
+ 1, GFP_KERNEL
);
1991 rc
= next_entry(c
->u
.name
, fp
, len
);
1995 rc
= context_read_and_validate(&c
->context
[0], p
, fp
);
2002 rc
= next_entry(nodebuf
, fp
, sizeof(u32
) * 8);
2005 for (k
= 0; k
< 4; k
++)
2006 c
->u
.node6
.addr
[k
] = nodebuf
[k
];
2007 for (k
= 0; k
< 4; k
++)
2008 c
->u
.node6
.mask
[k
] = nodebuf
[k
+4];
2009 if (context_read_and_validate(&c
->context
[0], p
, fp
))
2017 rc
= next_entry(buf
, fp
, sizeof(u32
));
2020 nel
= le32_to_cpu(buf
[0]);
2023 for (i
= 0; i
< nel
; i
++) {
2024 rc
= next_entry(buf
, fp
, sizeof(u32
));
2027 len
= le32_to_cpu(buf
[0]);
2028 newgenfs
= kzalloc(sizeof(*newgenfs
), GFP_KERNEL
);
2034 newgenfs
->fstype
= kmalloc(len
+ 1, GFP_KERNEL
);
2035 if (!newgenfs
->fstype
) {
2040 rc
= next_entry(newgenfs
->fstype
, fp
, len
);
2042 kfree(newgenfs
->fstype
);
2046 newgenfs
->fstype
[len
] = 0;
2047 for (genfs_p
= NULL
, genfs
= p
->genfs
; genfs
;
2048 genfs_p
= genfs
, genfs
= genfs
->next
) {
2049 if (strcmp(newgenfs
->fstype
, genfs
->fstype
) == 0) {
2050 printk(KERN_ERR
"SELinux: dup genfs "
2051 "fstype %s\n", newgenfs
->fstype
);
2052 kfree(newgenfs
->fstype
);
2056 if (strcmp(newgenfs
->fstype
, genfs
->fstype
) < 0)
2059 newgenfs
->next
= genfs
;
2061 genfs_p
->next
= newgenfs
;
2063 p
->genfs
= newgenfs
;
2064 rc
= next_entry(buf
, fp
, sizeof(u32
));
2067 nel2
= le32_to_cpu(buf
[0]);
2068 for (j
= 0; j
< nel2
; j
++) {
2069 rc
= next_entry(buf
, fp
, sizeof(u32
));
2072 len
= le32_to_cpu(buf
[0]);
2074 newc
= kzalloc(sizeof(*newc
), GFP_KERNEL
);
2080 newc
->u
.name
= kmalloc(len
+ 1, GFP_KERNEL
);
2081 if (!newc
->u
.name
) {
2085 rc
= next_entry(newc
->u
.name
, fp
, len
);
2088 newc
->u
.name
[len
] = 0;
2089 rc
= next_entry(buf
, fp
, sizeof(u32
));
2092 newc
->v
.sclass
= le32_to_cpu(buf
[0]);
2093 if (context_read_and_validate(&newc
->context
[0], p
, fp
))
2095 for (l
= NULL
, c
= newgenfs
->head
; c
;
2096 l
= c
, c
= c
->next
) {
2097 if (!strcmp(newc
->u
.name
, c
->u
.name
) &&
2098 (!c
->v
.sclass
|| !newc
->v
.sclass
||
2099 newc
->v
.sclass
== c
->v
.sclass
)) {
2100 printk(KERN_ERR
"SELinux: dup genfs "
2102 newgenfs
->fstype
, c
->u
.name
);
2105 len
= strlen(newc
->u
.name
);
2106 len2
= strlen(c
->u
.name
);
2115 newgenfs
->head
= newc
;
2119 if (p
->policyvers
>= POLICYDB_VERSION_MLS
) {
2120 int new_rangetr
= p
->policyvers
>= POLICYDB_VERSION_RANGETRANS
;
2121 rc
= next_entry(buf
, fp
, sizeof(u32
));
2124 nel
= le32_to_cpu(buf
[0]);
2126 for (i
= 0; i
< nel
; i
++) {
2127 rt
= kzalloc(sizeof(*rt
), GFP_KERNEL
);
2136 rc
= next_entry(buf
, fp
, (sizeof(u32
) * 2));
2139 rt
->source_type
= le32_to_cpu(buf
[0]);
2140 rt
->target_type
= le32_to_cpu(buf
[1]);
2142 rc
= next_entry(buf
, fp
, sizeof(u32
));
2145 rt
->target_class
= le32_to_cpu(buf
[0]);
2147 rt
->target_class
= p
->process_class
;
2148 if (!policydb_type_isvalid(p
, rt
->source_type
) ||
2149 !policydb_type_isvalid(p
, rt
->target_type
) ||
2150 !policydb_class_isvalid(p
, rt
->target_class
)) {
2154 rc
= mls_read_range_helper(&rt
->target_range
, fp
);
2157 if (!mls_range_isvalid(p
, &rt
->target_range
)) {
2158 printk(KERN_WARNING
"SELinux: rangetrans: invalid range\n");
2165 p
->type_attr_map
= kmalloc(p
->p_types
.nprim
*sizeof(struct ebitmap
), GFP_KERNEL
);
2166 if (!p
->type_attr_map
)
2169 for (i
= 0; i
< p
->p_types
.nprim
; i
++) {
2170 ebitmap_init(&p
->type_attr_map
[i
]);
2171 if (p
->policyvers
>= POLICYDB_VERSION_AVTAB
) {
2172 if (ebitmap_read(&p
->type_attr_map
[i
], fp
))
2175 /* add the type itself as the degenerate case */
2176 if (ebitmap_set_bit(&p
->type_attr_map
[i
], i
, 1))
2180 rc
= policydb_bounds_sanity_check(p
);
2188 ocontext_destroy(newc
, OCON_FSUSE
);
2192 policydb_destroy(p
);