1 /* Authors: Karl MacMillan <kmacmillan (at) mentalrootkit.com> 2 * Joshua Brindle <jbrindle (at) tresys.com> 3 * Jason Tang <jtang (at) tresys.com> 4 * 5 * Copyright (C) 2004-2005 Tresys Technology, LLC 6 * Copyright (C) 2007 Red Hat, Inc. 7 * 8 * This library is free software; you can redistribute it and/or 9 * modify it under the terms of the GNU Lesser General Public 10 * License as published by the Free Software Foundation; either 11 * version 2.1 of the License, or (at your option) any later version. 12 * 13 * This library is distributed in the hope that it will be useful, 14 * but WITHOUT ANY WARRANTY; without even the implied warranty of 15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 16 * Lesser General Public License for more details. 17 * 18 * You should have received a copy of the GNU Lesser General Public 19 * License along with this library; if not, write to the Free Software 20 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA 21 */ 22 23 #include <sepol/policydb/policydb.h> 24 #include <sepol/policydb/conditional.h> 25 #include <sepol/policydb/hashtab.h> 26 #include <sepol/policydb/avrule_block.h> 27 #include <sepol/policydb/link.h> 28 #include <sepol/policydb/util.h> 29 30 #include <stdlib.h> 31 #include <stdarg.h> 32 #include <stdio.h> 33 #include <string.h> 34 #include <assert.h> 35 36 #include "debug.h" 37 38 #undef min 39 #define min(a,b) (((a) < (b)) ? (a) : (b)) 40 41 typedef struct policy_module { 42 policydb_t *policy; 43 uint32_t num_decls; 44 uint32_t *map[SYM_NUM]; 45 uint32_t *avdecl_map; 46 uint32_t **perm_map; 47 uint32_t *perm_map_len; 48 49 /* a pointer to within the base module's avrule_block chain to 50 * where this module's global now resides */ 51 avrule_block_t *base_global; 52 } policy_module_t; 53 54 typedef struct link_state { 55 int verbose; 56 policydb_t *base; 57 avrule_block_t *last_avrule_block, *last_base_avrule_block; 58 uint32_t next_decl_id, current_decl_id; 59 60 /* temporary variables, used during hashtab_map() calls */ 61 policy_module_t *cur; 62 char *cur_mod_name; 63 avrule_decl_t *dest_decl; 64 class_datum_t *src_class, *dest_class; 65 char *dest_class_name; 66 char dest_class_req; /* flag indicating the class was not declared */ 67 uint32_t symbol_num; 68 /* used to report the name of the module if dependancy error occurs */ 69 policydb_t **decl_to_mod; 70 71 /* error reporting fields */ 72 sepol_handle_t *handle; 73 } link_state_t; 74 75 typedef struct missing_requirement { 76 uint32_t symbol_type; 77 uint32_t symbol_value; 78 uint32_t perm_value; 79 } missing_requirement_t; 80 81 static const char *symtab_names[SYM_NUM] = { 82 "common", "class", "role", "type/attribute", "user", 83 "bool", "level", "category" 84 }; 85 86 /* Deallocates all elements within a module, but NOT the policydb_t 87 * structure within, as well as the pointer itself. */ 88 static void policy_module_destroy(policy_module_t * mod) 89 { 90 unsigned int i; 91 if (mod == NULL) { 92 return; 93 } 94 for (i = 0; i < SYM_NUM; i++) { 95 free(mod->map[i]); 96 } 97 for (i = 0; mod->perm_map != NULL && i < mod->policy->p_classes.nprim; 98 i++) { 99 free(mod->perm_map[i]); 100 } 101 free(mod->perm_map); 102 free(mod->perm_map_len); 103 free(mod->avdecl_map); 104 free(mod); 105 } 106 107 /***** functions that copy identifiers from a module to base *****/ 108 109 /* Note: there is currently no scoping for permissions, which causes some 110 * strange side-effects. The current approach is this: 111 * 112 * a) perm is required and the class _and_ perm are declared in base: only add a mapping. 113 * b) perm is required and the class and perm are _not_ declared in base: simply add the permissions 114 * to the object class. This means that the requirements for the decl are the union of the permissions 115 * required for all decls, but who cares. 116 * c) perm is required, the class is declared in base, but the perm is not present. Nothing we can do 117 * here because we can't mark a single permission as required, so we bail with a requirement error 118 * _even_ if we are in an optional. 119 * 120 * A is correct behavior, b is wrong but not too bad, c is totall wrong for optionals. Fixing this requires 121 * a format change. 122 */ 123 static int permission_copy_callback(hashtab_key_t key, hashtab_datum_t datum, 124 void *data) 125 { 126 char *perm_id = key, *new_id = NULL; 127 perm_datum_t *perm, *new_perm = NULL, *dest_perm; 128 link_state_t *state = (link_state_t *) data; 129 130 class_datum_t *src_class = state->src_class; 131 class_datum_t *dest_class = state->dest_class; 132 policy_module_t *mod = state->cur; 133 uint32_t sclassi = src_class->s.value - 1; 134 int ret; 135 136 perm = (perm_datum_t *) datum; 137 dest_perm = hashtab_search(dest_class->permissions.table, perm_id); 138 if (dest_perm == NULL && dest_class->comdatum != NULL) { 139 dest_perm = 140 hashtab_search(dest_class->comdatum->permissions.table, 141 perm_id); 142 } 143 144 if (dest_perm == NULL) { 145 /* If the object class was not declared in the base, add the perm 146 * to the object class. */ 147 if (state->dest_class_req) { 148 /* If the class was required (not declared), insert the new permission */ 149 new_id = strdup(perm_id); 150 if (new_id == NULL) { 151 ERR(state->handle, "Memory error"); 152 ret = SEPOL_ERR; 153 goto err; 154 } 155 new_perm = 156 (perm_datum_t *) calloc(1, sizeof(perm_datum_t)); 157 if (new_perm == NULL) { 158 ERR(state->handle, "Memory error"); 159 ret = SEPOL_ERR; 160 goto err; 161 } 162 ret = hashtab_insert(dest_class->permissions.table, 163 (hashtab_key_t) new_id, 164 (hashtab_datum_t) new_perm); 165 if (ret) { 166 ERR(state->handle, 167 "could not insert permission into class\n"); 168 goto err; 169 } 170 new_perm->s.value = dest_class->permissions.nprim + 1; 171 dest_perm = new_perm; 172 } else { 173 /* this is case c from above */ 174 ERR(state->handle, 175 "Module %s depends on permission %s in class %s, not satisfied", 176 state->cur_mod_name, perm_id, 177 state->dest_class_name); 178 return SEPOL_EREQ; 179 } 180 } 181 182 /* build the mapping for permissions encompassing this class. 183 * unlike symbols, the permission map translates between 184 * module permission bit to target permission bit. that bit 185 * may have originated from the class -or- it could be from 186 * the class's common parent.*/ 187 if (perm->s.value > mod->perm_map_len[sclassi]) { 188 uint32_t *newmap = calloc(perm->s.value, sizeof(*newmap)); 189 if (newmap == NULL) { 190 ERR(state->handle, "Out of memory!"); 191 return -1; 192 } 193 memcpy(newmap, mod->perm_map[sclassi], 194 mod->perm_map_len[sclassi] * sizeof(*newmap)); 195 free(mod->perm_map[sclassi]); 196 mod->perm_map[sclassi] = newmap; 197 mod->perm_map_len[sclassi] = perm->s.value; 198 } 199 mod->perm_map[sclassi][perm->s.value - 1] = dest_perm->s.value; 200 201 return 0; 202 err: 203 free(new_id); 204 free(new_perm); 205 return ret; 206 } 207 208 static int class_copy_callback(hashtab_key_t key, hashtab_datum_t datum, 209 void *data) 210 { 211 char *id = key, *new_id = NULL; 212 class_datum_t *cladatum, *new_class = NULL; 213 link_state_t *state = (link_state_t *) data; 214 scope_datum_t *scope = NULL; 215 int ret; 216 217 cladatum = (class_datum_t *) datum; 218 state->dest_class_req = 0; 219 220 new_class = hashtab_search(state->base->p_classes.table, id); 221 /* If there is not an object class already in the base symtab that means 222 * that either a) a module is trying to declare a new object class (which 223 * the compiler should prevent) or b) an object class was required that is 224 * not in the base. 225 */ 226 if (new_class == NULL) { 227 scope = 228 hashtab_search(state->cur->policy->p_classes_scope.table, 229 id); 230 if (scope == NULL) { 231 ret = SEPOL_ERR; 232 goto err; 233 } 234 if (scope->scope == SCOPE_DECL) { 235 /* disallow declarations in modules */ 236 ERR(state->handle, 237 "%s: Modules may not yet declare new classes.", 238 state->cur_mod_name); 239 ret = SEPOL_ENOTSUP; 240 goto err; 241 } else { 242 /* It would be nice to error early here because the requirement is 243 * not met, but we cannot because the decl might be optional (in which 244 * case we should record the requirement so that it is just turned 245 * off). Note: this will break horribly if modules can declare object 246 * classes because the class numbers will be all wrong (i.e., they 247 * might be assigned in the order they were required rather than the 248 * current scheme which ensures correct numbering by ordering the 249 * declarations properly). This can't be fixed until some infrastructure 250 * for querying the object class numbers is in place. */ 251 state->dest_class_req = 1; 252 new_class = 253 (class_datum_t *) calloc(1, sizeof(class_datum_t)); 254 if (new_class == NULL) { 255 ERR(state->handle, "Memory error\n"); 256 ret = SEPOL_ERR; 257 goto err; 258 } 259 if (symtab_init 260 (&new_class->permissions, PERM_SYMTAB_SIZE)) { 261 ret = SEPOL_ERR; 262 goto err; 263 } 264 new_id = strdup(id); 265 if (new_id == NULL) { 266 ERR(state->handle, "Memory error\n"); 267 ret = SEPOL_ERR; 268 goto err; 269 } 270 ret = hashtab_insert(state->base->p_classes.table, 271 (hashtab_key_t) new_id, 272 (hashtab_datum_t) new_class); 273 if (ret) { 274 ERR(state->handle, 275 "could not insert new class into symtab"); 276 goto err; 277 } 278 new_class->s.value = ++(state->base->p_classes.nprim); 279 } 280 } 281 282 state->cur->map[SYM_CLASSES][cladatum->s.value - 1] = 283 new_class->s.value; 284 285 /* copy permissions */ 286 state->src_class = cladatum; 287 state->dest_class = new_class; 288 state->dest_class_name = (char *)key; 289 290 ret = 291 hashtab_map(cladatum->permissions.table, permission_copy_callback, 292 state); 293 if (ret != 0) { 294 return ret; 295 } 296 297 return 0; 298 err: 299 free(new_class); 300 free(new_id); 301 return ret; 302 } 303 304 static int role_copy_callback(hashtab_key_t key, hashtab_datum_t datum, 305 void *data) 306 { 307 int ret; 308 char *id = key, *new_id = NULL; 309 role_datum_t *role, *base_role, *new_role = NULL; 310 link_state_t *state = (link_state_t *) data; 311 312 role = (role_datum_t *) datum; 313 314 base_role = hashtab_search(state->base->p_roles.table, id); 315 if (base_role != NULL) { 316 /* role already exists. check that it is what this 317 * module expected. duplicate declarations (e.g., two 318 * modules both declare role foo_r) is checked during 319 * scope_copy_callback(). */ 320 if (role->flavor == ROLE_ATTRIB 321 && base_role->flavor != ROLE_ATTRIB) { 322 ERR(state->handle, 323 "%s: Expected %s to be a role attribute, but it was already declared as a regular role.", 324 state->cur_mod_name, id); 325 return -1; 326 } else if (role->flavor != ROLE_ATTRIB 327 && base_role->flavor == ROLE_ATTRIB) { 328 ERR(state->handle, 329 "%s: Expected %s to be a regular role, but it was already declared as a role attribute.", 330 state->cur_mod_name, id); 331 return -1; 332 } 333 } else { 334 if (state->verbose) 335 INFO(state->handle, "copying role %s", id); 336 337 if ((new_id = strdup(id)) == NULL) { 338 goto cleanup; 339 } 340 341 if ((new_role = 342 (role_datum_t *) malloc(sizeof(*new_role))) == NULL) { 343 goto cleanup; 344 } 345 role_datum_init(new_role); 346 347 /* new_role's dominates, types and roles field will be copied 348 * during role_fix_callback() */ 349 new_role->flavor = role->flavor; 350 new_role->s.value = state->base->p_roles.nprim + 1; 351 352 ret = hashtab_insert(state->base->p_roles.table, 353 (hashtab_key_t) new_id, 354 (hashtab_datum_t) new_role); 355 if (ret) { 356 goto cleanup; 357 } 358 state->base->p_roles.nprim++; 359 base_role = new_role; 360 } 361 362 if (state->dest_decl) { 363 new_id = NULL; 364 if ((new_role = malloc(sizeof(*new_role))) == NULL) { 365 goto cleanup; 366 } 367 role_datum_init(new_role); 368 new_role->flavor = base_role->flavor; 369 new_role->s.value = base_role->s.value; 370 if ((new_id = strdup(id)) == NULL) { 371 goto cleanup; 372 } 373 if (hashtab_insert 374 (state->dest_decl->p_roles.table, new_id, new_role)) { 375 goto cleanup; 376 } 377 state->dest_decl->p_roles.nprim++; 378 } 379 380 state->cur->map[SYM_ROLES][role->s.value - 1] = base_role->s.value; 381 return 0; 382 383 cleanup: 384 ERR(state->handle, "Out of memory!"); 385 role_datum_destroy(new_role); 386 free(new_id); 387 free(new_role); 388 return -1; 389 } 390 391 /* Copy types and attributes from a module into the base module. The 392 * attributes are copied, but the types that make up this attribute 393 * are delayed type_fix_callback(). */ 394 static int type_copy_callback(hashtab_key_t key, hashtab_datum_t datum, 395 void *data) 396 { 397 int ret; 398 char *id = key, *new_id = NULL; 399 type_datum_t *type, *base_type, *new_type = NULL; 400 link_state_t *state = (link_state_t *) data; 401 402 type = (type_datum_t *) datum; 403 if ((type->flavor == TYPE_TYPE && !type->primary) 404 || type->flavor == TYPE_ALIAS) { 405 /* aliases are handled later, in alias_copy_callback() */ 406 return 0; 407 } 408 409 base_type = hashtab_search(state->base->p_types.table, id); 410 if (base_type != NULL) { 411 /* type already exists. check that it is what this 412 * module expected. duplicate declarations (e.g., two 413 * modules both declare type foo_t) is checked during 414 * scope_copy_callback(). */ 415 if (type->flavor == TYPE_ATTRIB 416 && base_type->flavor != TYPE_ATTRIB) { 417 ERR(state->handle, 418 "%s: Expected %s to be an attribute, but it was already declared as a type.", 419 state->cur_mod_name, id); 420 return -1; 421 } else if (type->flavor != TYPE_ATTRIB 422 && base_type->flavor == TYPE_ATTRIB) { 423 ERR(state->handle, 424 "%s: Expected %s to be a type, but it was already declared as an attribute.", 425 state->cur_mod_name, id); 426 return -1; 427 } 428 /* permissive should pass to the base type */ 429 base_type->flags |= (type->flags & TYPE_FLAGS_PERMISSIVE); 430 } else { 431 if (state->verbose) 432 INFO(state->handle, "copying type %s", id); 433 434 if ((new_id = strdup(id)) == NULL) { 435 goto cleanup; 436 } 437 438 if ((new_type = 439 (type_datum_t *) calloc(1, sizeof(*new_type))) == NULL) { 440 goto cleanup; 441 } 442 new_type->primary = type->primary; 443 new_type->flags = type->flags; 444 new_type->flavor = type->flavor; 445 /* for attributes, the writing of new_type->types is 446 done in type_fix_callback() */ 447 448 new_type->s.value = state->base->p_types.nprim + 1; 449 450 ret = hashtab_insert(state->base->p_types.table, 451 (hashtab_key_t) new_id, 452 (hashtab_datum_t) new_type); 453 if (ret) { 454 goto cleanup; 455 } 456 state->base->p_types.nprim++; 457 base_type = new_type; 458 } 459 460 if (state->dest_decl) { 461 new_id = NULL; 462 if ((new_type = calloc(1, sizeof(*new_type))) == NULL) { 463 goto cleanup; 464 } 465 new_type->primary = type->primary; 466 new_type->flavor = type->flavor; 467 new_type->flags = type->flags; 468 new_type->s.value = base_type->s.value; 469 if ((new_id = strdup(id)) == NULL) { 470 goto cleanup; 471 } 472 if (hashtab_insert 473 (state->dest_decl->p_types.table, new_id, new_type)) { 474 goto cleanup; 475 } 476 state->dest_decl->p_types.nprim++; 477 } 478 479 state->cur->map[SYM_TYPES][type->s.value - 1] = base_type->s.value; 480 return 0; 481 482 cleanup: 483 ERR(state->handle, "Out of memory!"); 484 free(new_id); 485 free(new_type); 486 return -1; 487 } 488 489 static int user_copy_callback(hashtab_key_t key, hashtab_datum_t datum, 490 void *data) 491 { 492 int ret; 493 char *id = key, *new_id = NULL; 494 user_datum_t *user, *base_user, *new_user = NULL; 495 link_state_t *state = (link_state_t *) data; 496 497 user = (user_datum_t *) datum; 498 499 base_user = hashtab_search(state->base->p_users.table, id); 500 if (base_user == NULL) { 501 if (state->verbose) 502 INFO(state->handle, "copying user %s", id); 503 504 if ((new_id = strdup(id)) == NULL) { 505 goto cleanup; 506 } 507 508 if ((new_user = 509 (user_datum_t *) malloc(sizeof(*new_user))) == NULL) { 510 goto cleanup; 511 } 512 user_datum_init(new_user); 513 /* new_users's roles and MLS fields will be copied during 514 user_fix_callback(). */ 515 516 new_user->s.value = state->base->p_users.nprim + 1; 517 518 ret = hashtab_insert(state->base->p_users.table, 519 (hashtab_key_t) new_id, 520 (hashtab_datum_t) new_user); 521 if (ret) { 522 goto cleanup; 523 } 524 state->base->p_users.nprim++; 525 base_user = new_user; 526 } 527 528 if (state->dest_decl) { 529 new_id = NULL; 530 if ((new_user = malloc(sizeof(*new_user))) == NULL) { 531 goto cleanup; 532 } 533 user_datum_init(new_user); 534 new_user->s.value = base_user->s.value; 535 if ((new_id = strdup(id)) == NULL) { 536 goto cleanup; 537 } 538 if (hashtab_insert 539 (state->dest_decl->p_users.table, new_id, new_user)) { 540 goto cleanup; 541 } 542 state->dest_decl->p_users.nprim++; 543 } 544 545 state->cur->map[SYM_USERS][user->s.value - 1] = base_user->s.value; 546 return 0; 547 548 cleanup: 549 ERR(state->handle, "Out of memory!"); 550 user_datum_destroy(new_user); 551 free(new_id); 552 free(new_user); 553 return -1; 554 } 555 556 static int bool_copy_callback(hashtab_key_t key, hashtab_datum_t datum, 557 void *data) 558 { 559 int ret; 560 char *id = key, *new_id = NULL; 561 cond_bool_datum_t *booldatum, *base_bool, *new_bool = NULL; 562 link_state_t *state = (link_state_t *) data; 563 scope_datum_t *scope; 564 565 booldatum = (cond_bool_datum_t *) datum; 566 567 base_bool = hashtab_search(state->base->p_bools.table, id); 568 if (base_bool == NULL) { 569 if (state->verbose) 570 INFO(state->handle, "copying boolean %s", id); 571 572 if ((new_id = strdup(id)) == NULL) { 573 goto cleanup; 574 } 575 576 if ((new_bool = 577 (cond_bool_datum_t *) malloc(sizeof(*new_bool))) == NULL) { 578 goto cleanup; 579 } 580 new_bool->s.value = state->base->p_bools.nprim + 1; 581 582 ret = hashtab_insert(state->base->p_bools.table, 583 (hashtab_key_t) new_id, 584 (hashtab_datum_t) new_bool); 585 if (ret) { 586 goto cleanup; 587 } 588 state->base->p_bools.nprim++; 589 base_bool = new_bool; 590 base_bool->flags = booldatum->flags; 591 } else if ((booldatum->flags & COND_BOOL_FLAGS_TUNABLE) != 592 (base_bool->flags & COND_BOOL_FLAGS_TUNABLE)) { 593 /* A mismatch between boolean/tunable declaration 594 * and usage(for example a boolean used in the 595 * tunable_policy() or vice versa). 596 * 597 * This is not allowed and bail out with errors */ 598 ERR(state->handle, 599 "%s: Mismatch between boolean/tunable definition " 600 "and usage for %s", state->cur_mod_name, id); 601 return -1; 602 } 603 604 /* Get the scope info for this boolean to see if this is the declaration, 605 * if so set the state */ 606 scope = hashtab_search(state->cur->policy->p_bools_scope.table, id); 607 if (!scope) 608 return SEPOL_ERR; 609 if (scope->scope == SCOPE_DECL) { 610 base_bool->state = booldatum->state; 611 /* Only the declaration rather than requirement 612 * decides if it is a boolean or tunable. */ 613 base_bool->flags = booldatum->flags; 614 } 615 state->cur->map[SYM_BOOLS][booldatum->s.value - 1] = base_bool->s.value; 616 return 0; 617 618 cleanup: 619 ERR(state->handle, "Out of memory!"); 620 cond_destroy_bool(new_id, new_bool, NULL); 621 return -1; 622 } 623 624 static int sens_copy_callback(hashtab_key_t key, hashtab_datum_t datum, 625 void *data) 626 { 627 char *id = key; 628 level_datum_t *level, *base_level; 629 link_state_t *state = (link_state_t *) data; 630 scope_datum_t *scope; 631 632 level = (level_datum_t *) datum; 633 634 base_level = hashtab_search(state->base->p_levels.table, id); 635 if (!base_level) { 636 scope = 637 hashtab_search(state->cur->policy->p_sens_scope.table, id); 638 if (!scope) 639 return SEPOL_ERR; 640 if (scope->scope == SCOPE_DECL) { 641 /* disallow declarations in modules */ 642 ERR(state->handle, 643 "%s: Modules may not declare new sensitivities.", 644 state->cur_mod_name); 645 return SEPOL_ENOTSUP; 646 } 647 if (scope->scope == SCOPE_REQ) { 648 /* unmet requirement */ 649 ERR(state->handle, 650 "%s: Sensitivity %s not declared by base.", 651 state->cur_mod_name, id); 652 return SEPOL_ENOTSUP; 653 } 654 } 655 656 state->cur->map[SYM_LEVELS][level->level->sens - 1] = 657 base_level->level->sens; 658 659 return 0; 660 } 661 662 static int cat_copy_callback(hashtab_key_t key, hashtab_datum_t datum, 663 void *data) 664 { 665 char *id = key; 666 cat_datum_t *cat, *base_cat; 667 link_state_t *state = (link_state_t *) data; 668 scope_datum_t *scope; 669 670 cat = (cat_datum_t *) datum; 671 672 base_cat = hashtab_search(state->base->p_cats.table, id); 673 if (!base_cat) { 674 scope = 675 hashtab_search(state->cur->policy->p_cat_scope.table, id); 676 if (!scope) 677 return SEPOL_ERR; 678 if (scope->scope == SCOPE_DECL) { 679 /* disallow declarations in modules */ 680 ERR(state->handle, 681 "%s: Modules may not declare new categories.", 682 state->cur_mod_name); 683 return SEPOL_ENOTSUP; 684 } 685 if (scope->scope == SCOPE_REQ) { 686 /* unmet requirement */ 687 ERR(state->handle, 688 "%s: Category %s not declared by base.", 689 state->cur_mod_name, id); 690 return SEPOL_ENOTSUP; 691 } 692 } 693 694 state->cur->map[SYM_CATS][cat->s.value - 1] = base_cat->s.value; 695 696 return 0; 697 } 698 699 static int (*copy_callback_f[SYM_NUM]) (hashtab_key_t key, 700 hashtab_datum_t datum, void *datap) = { 701 NULL, class_copy_callback, role_copy_callback, type_copy_callback, 702 user_copy_callback, bool_copy_callback, sens_copy_callback, 703 cat_copy_callback}; 704 705 /* 706 * The boundaries have to be copied after the types/roles/users are copied, 707 * because it refers hashtab to lookup destinated objects. 708 */ 709 static int type_bounds_copy_callback(hashtab_key_t key, 710 hashtab_datum_t datum, void *data) 711 { 712 link_state_t *state = (link_state_t *) data; 713 type_datum_t *type = (type_datum_t *) datum; 714 type_datum_t *dest; 715 uint32_t bounds_val; 716 717 if (!type->bounds) 718 return 0; 719 720 bounds_val = state->cur->map[SYM_TYPES][type->bounds - 1]; 721 722 dest = hashtab_search(state->base->p_types.table, key); 723 if (!dest) { 724 ERR(state->handle, 725 "Type lookup failed for %s", (char *)key); 726 return -1; 727 } 728 if (dest->bounds != 0 && dest->bounds != bounds_val) { 729 ERR(state->handle, 730 "Inconsistent boundary for %s", (char *)key); 731 return -1; 732 } 733 dest->bounds = bounds_val; 734 735 return 0; 736 } 737 738 static int role_bounds_copy_callback(hashtab_key_t key, 739 hashtab_datum_t datum, void *data) 740 { 741 link_state_t *state = (link_state_t *) data; 742 role_datum_t *role = (role_datum_t *) datum; 743 role_datum_t *dest; 744 uint32_t bounds_val; 745 746 if (!role->bounds) 747 return 0; 748 749 bounds_val = state->cur->map[SYM_ROLES][role->bounds - 1]; 750 751 dest = hashtab_search(state->base->p_roles.table, key); 752 if (!dest) { 753 ERR(state->handle, 754 "Role lookup failed for %s", (char *)key); 755 return -1; 756 } 757 if (dest->bounds != 0 && dest->bounds != bounds_val) { 758 ERR(state->handle, 759 "Inconsistent boundary for %s", (char *)key); 760 return -1; 761 } 762 dest->bounds = bounds_val; 763 764 return 0; 765 } 766 767 static int user_bounds_copy_callback(hashtab_key_t key, 768 hashtab_datum_t datum, void *data) 769 { 770 link_state_t *state = (link_state_t *) data; 771 user_datum_t *user = (user_datum_t *) datum; 772 user_datum_t *dest; 773 uint32_t bounds_val; 774 775 if (!user->bounds) 776 return 0; 777 778 bounds_val = state->cur->map[SYM_USERS][user->bounds - 1]; 779 780 dest = hashtab_search(state->base->p_users.table, key); 781 if (!dest) { 782 ERR(state->handle, 783 "User lookup failed for %s", (char *)key); 784 return -1; 785 } 786 if (dest->bounds != 0 && dest->bounds != bounds_val) { 787 ERR(state->handle, 788 "Inconsistent boundary for %s", (char *)key); 789 return -1; 790 } 791 dest->bounds = bounds_val; 792 793 return 0; 794 } 795 796 /* The aliases have to be copied after the types and attributes to be 797 * certain that the base symbol table will have the type that the 798 * alias refers. Otherwise, we won't be able to find the type value 799 * for the alias. We can't depend on the declaration ordering because 800 * of the hash table. 801 */ 802 static int alias_copy_callback(hashtab_key_t key, hashtab_datum_t datum, 803 void *data) 804 { 805 char *id = key, *new_id = NULL, *target_id; 806 type_datum_t *type, *base_type, *new_type = NULL, *target_type; 807 link_state_t *state = (link_state_t *) data; 808 policy_module_t *mod = state->cur; 809 int primval; 810 811 type = (type_datum_t *) datum; 812 /* there are 2 kinds of aliases. Ones with their own value (TYPE_ALIAS) 813 * and ones with the value of their primary (TYPE_TYPE && type->primary = 0) 814 */ 815 if (! 816 (type->flavor == TYPE_ALIAS 817 || (type->flavor == TYPE_TYPE && !type->primary))) { 818 /* ignore types and attributes -- they were handled in 819 * type_copy_callback() */ 820 return 0; 821 } 822 823 if (type->flavor == TYPE_ALIAS) 824 primval = type->primary; 825 else 826 primval = type->s.value; 827 828 target_id = mod->policy->p_type_val_to_name[primval - 1]; 829 target_type = hashtab_search(state->base->p_types.table, target_id); 830 if (target_type == NULL) { 831 ERR(state->handle, "%s: Could not find type %s for alias %s.", 832 state->cur_mod_name, target_id, id); 833 return -1; 834 } 835 836 if (!strcmp(id, target_id)) { 837 ERR(state->handle, "%s: Self aliasing of %s.", 838 state->cur_mod_name, id); 839 return -1; 840 } 841 842 target_type->flags |= (type->flags & TYPE_FLAGS_PERMISSIVE); 843 844 base_type = hashtab_search(state->base->p_types.table, id); 845 if (base_type == NULL) { 846 if (state->verbose) 847 INFO(state->handle, "copying alias %s", id); 848 849 if ((new_type = 850 (type_datum_t *) calloc(1, sizeof(*new_type))) == NULL) { 851 goto cleanup; 852 } 853 /* the linked copy always has TYPE_ALIAS style aliases */ 854 new_type->primary = target_type->s.value; 855 new_type->flags = target_type->flags; 856 new_type->flavor = TYPE_ALIAS; 857 new_type->s.value = state->base->p_types.nprim + 1; 858 if ((new_id = strdup(id)) == NULL) { 859 goto cleanup; 860 } 861 if (hashtab_insert 862 (state->base->p_types.table, new_id, new_type)) { 863 goto cleanup; 864 } 865 state->base->p_types.nprim++; 866 base_type = new_type; 867 } else { 868 869 /* if this already exists and isn't an alias it was required by another module (or base) 870 * and inserted into the hashtable as a type, fix it up now */ 871 872 if (base_type->flavor == TYPE_ALIAS) { 873 /* error checking */ 874 assert(base_type->primary == target_type->s.value); 875 assert(base_type->primary == 876 mod->map[SYM_TYPES][primval - 1]); 877 assert(mod->map[SYM_TYPES][type->s.value - 1] == 878 base_type->primary); 879 return 0; 880 } 881 882 if (base_type->flavor == TYPE_ATTRIB) { 883 ERR(state->handle, 884 "%s is an alias of an attribute, not allowed", id); 885 return -1; 886 } 887 888 base_type->flavor = TYPE_ALIAS; 889 base_type->primary = target_type->s.value; 890 base_type->flags |= (target_type->flags & TYPE_FLAGS_PERMISSIVE); 891 892 } 893 /* the aliases map points from its value to its primary so when this module 894 * references this type the value it gets back from the map is the primary */ 895 mod->map[SYM_TYPES][type->s.value - 1] = base_type->primary; 896 897 return 0; 898 899 cleanup: 900 ERR(state->handle, "Out of memory!"); 901 free(new_id); 902 free(new_type); 903 return -1; 904 } 905 906 /*********** callbacks that fix bitmaps ***********/ 907 908 static int type_set_convert(type_set_t * types, type_set_t * dst, 909 policy_module_t * mod, link_state_t * state 910 __attribute__ ((unused))) 911 { 912 unsigned int i; 913 ebitmap_node_t *tnode; 914 ebitmap_for_each_bit(&types->types, tnode, i) { 915 if (ebitmap_node_get_bit(tnode, i)) { 916 assert(mod->map[SYM_TYPES][i]); 917 if (ebitmap_set_bit 918 (&dst->types, mod->map[SYM_TYPES][i] - 1, 1)) { 919 goto cleanup; 920 } 921 } 922 } 923 ebitmap_for_each_bit(&types->negset, tnode, i) { 924 if (ebitmap_node_get_bit(tnode, i)) { 925 assert(mod->map[SYM_TYPES][i]); 926 if (ebitmap_set_bit 927 (&dst->negset, mod->map[SYM_TYPES][i] - 1, 1)) { 928 goto cleanup; 929 } 930 } 931 } 932 dst->flags = types->flags; 933 return 0; 934 935 cleanup: 936 return -1; 937 } 938 939 /* OR 2 typemaps together and at the same time map the src types to 940 * the correct values in the dst typeset. 941 */ 942 static int type_set_or_convert(type_set_t * types, type_set_t * dst, 943 policy_module_t * mod, link_state_t * state) 944 { 945 type_set_t ts_tmp; 946 947 type_set_init(&ts_tmp); 948 if (type_set_convert(types, &ts_tmp, mod, state) == -1) { 949 goto cleanup; 950 } 951 if (type_set_or_eq(dst, &ts_tmp)) { 952 goto cleanup; 953 } 954 type_set_destroy(&ts_tmp); 955 return 0; 956 957 cleanup: 958 ERR(state->handle, "Out of memory!"); 959 type_set_destroy(&ts_tmp); 960 return -1; 961 } 962 963 static int role_set_or_convert(role_set_t * roles, role_set_t * dst, 964 policy_module_t * mod, link_state_t * state) 965 { 966 unsigned int i; 967 ebitmap_t tmp; 968 ebitmap_node_t *rnode; 969 970 ebitmap_init(&tmp); 971 ebitmap_for_each_bit(&roles->roles, rnode, i) { 972 if (ebitmap_node_get_bit(rnode, i)) { 973 assert(mod->map[SYM_ROLES][i]); 974 if (ebitmap_set_bit 975 (&tmp, mod->map[SYM_ROLES][i] - 1, 1)) { 976 goto cleanup; 977 } 978 } 979 } 980 if (ebitmap_union(&dst->roles, &tmp)) { 981 goto cleanup; 982 } 983 dst->flags |= roles->flags; 984 ebitmap_destroy(&tmp); 985 return 0; 986 cleanup: 987 ERR(state->handle, "Out of memory!"); 988 ebitmap_destroy(&tmp); 989 return -1; 990 } 991 992 static int mls_level_convert(mls_semantic_level_t * src, mls_semantic_level_t * dst, 993 policy_module_t * mod, link_state_t * state) 994 { 995 mls_semantic_cat_t *src_cat, *new_cat; 996 997 if (!mod->policy->mls) 998 return 0; 999 1000 /* Required not declared. */ 1001 if (!src->sens) 1002 return 0; 1003 1004 assert(mod->map[SYM_LEVELS][src->sens - 1]); 1005 dst->sens = mod->map[SYM_LEVELS][src->sens - 1]; 1006 1007 for (src_cat = src->cat; src_cat; src_cat = src_cat->next) { 1008 new_cat = 1009 (mls_semantic_cat_t *) malloc(sizeof(mls_semantic_cat_t)); 1010 if (!new_cat) { 1011 ERR(state->handle, "Out of memory"); 1012 return -1; 1013 } 1014 mls_semantic_cat_init(new_cat); 1015 1016 new_cat->next = dst->cat; 1017 dst->cat = new_cat; 1018 1019 assert(mod->map[SYM_CATS][src_cat->low - 1]); 1020 dst->cat->low = mod->map[SYM_CATS][src_cat->low - 1]; 1021 assert(mod->map[SYM_CATS][src_cat->high - 1]); 1022 dst->cat->high = mod->map[SYM_CATS][src_cat->high - 1]; 1023 } 1024 1025 return 0; 1026 } 1027 1028 static int mls_range_convert(mls_semantic_range_t * src, mls_semantic_range_t * dst, 1029 policy_module_t * mod, link_state_t * state) 1030 { 1031 int ret; 1032 ret = mls_level_convert(&src->level[0], &dst->level[0], mod, state); 1033 if (ret) 1034 return ret; 1035 ret = mls_level_convert(&src->level[1], &dst->level[1], mod, state); 1036 if (ret) 1037 return ret; 1038 return 0; 1039 } 1040 1041 static int role_fix_callback(hashtab_key_t key, hashtab_datum_t datum, 1042 void *data) 1043 { 1044 unsigned int i; 1045 char *id = key; 1046 role_datum_t *role, *dest_role = NULL; 1047 link_state_t *state = (link_state_t *) data; 1048 ebitmap_t e_tmp; 1049 policy_module_t *mod = state->cur; 1050 ebitmap_node_t *rnode; 1051 hashtab_t role_tab; 1052 1053 role = (role_datum_t *) datum; 1054 if (state->dest_decl == NULL) 1055 role_tab = state->base->p_roles.table; 1056 else 1057 role_tab = state->dest_decl->p_roles.table; 1058 1059 dest_role = hashtab_search(role_tab, id); 1060 assert(dest_role != NULL); 1061 1062 if (state->verbose) { 1063 INFO(state->handle, "fixing role %s", id); 1064 } 1065 1066 ebitmap_init(&e_tmp); 1067 ebitmap_for_each_bit(&role->dominates, rnode, i) { 1068 if (ebitmap_node_get_bit(rnode, i)) { 1069 assert(mod->map[SYM_ROLES][i]); 1070 if (ebitmap_set_bit 1071 (&e_tmp, mod->map[SYM_ROLES][i] - 1, 1)) { 1072 goto cleanup; 1073 } 1074 } 1075 } 1076 if (ebitmap_union(&dest_role->dominates, &e_tmp)) { 1077 goto cleanup; 1078 } 1079 if (type_set_or_convert(&role->types, &dest_role->types, mod, state)) { 1080 goto cleanup; 1081 } 1082 ebitmap_destroy(&e_tmp); 1083 1084 if (role->flavor == ROLE_ATTRIB) { 1085 ebitmap_init(&e_tmp); 1086 ebitmap_for_each_bit(&role->roles, rnode, i) { 1087 if (ebitmap_node_get_bit(rnode, i)) { 1088 assert(mod->map[SYM_ROLES][i]); 1089 if (ebitmap_set_bit 1090 (&e_tmp, mod->map[SYM_ROLES][i] - 1, 1)) { 1091 goto cleanup; 1092 } 1093 } 1094 } 1095 if (ebitmap_union(&dest_role->roles, &e_tmp)) { 1096 goto cleanup; 1097 } 1098 ebitmap_destroy(&e_tmp); 1099 } 1100 1101 return 0; 1102 1103 cleanup: 1104 ERR(state->handle, "Out of memory!"); 1105 ebitmap_destroy(&e_tmp); 1106 return -1; 1107 } 1108 1109 static int type_fix_callback(hashtab_key_t key, hashtab_datum_t datum, 1110 void *data) 1111 { 1112 unsigned int i; 1113 char *id = key; 1114 type_datum_t *type, *new_type = NULL; 1115 link_state_t *state = (link_state_t *) data; 1116 ebitmap_t e_tmp; 1117 policy_module_t *mod = state->cur; 1118 ebitmap_node_t *tnode; 1119 symtab_t *typetab; 1120 1121 type = (type_datum_t *) datum; 1122 1123 if (state->dest_decl == NULL) 1124 typetab = &state->base->p_types; 1125 else 1126 typetab = &state->dest_decl->p_types; 1127 1128 /* only fix attributes */ 1129 if (type->flavor != TYPE_ATTRIB) { 1130 return 0; 1131 } 1132 1133 new_type = hashtab_search(typetab->table, id); 1134 assert(new_type != NULL && new_type->flavor == TYPE_ATTRIB); 1135 1136 if (state->verbose) { 1137 INFO(state->handle, "fixing attribute %s", id); 1138 } 1139 1140 ebitmap_init(&e_tmp); 1141 ebitmap_for_each_bit(&type->types, tnode, i) { 1142 if (ebitmap_node_get_bit(tnode, i)) { 1143 assert(mod->map[SYM_TYPES][i]); 1144 if (ebitmap_set_bit 1145 (&e_tmp, mod->map[SYM_TYPES][i] - 1, 1)) { 1146 goto cleanup; 1147 } 1148 } 1149 } 1150 if (ebitmap_union(&new_type->types, &e_tmp)) { 1151 goto cleanup; 1152 } 1153 ebitmap_destroy(&e_tmp); 1154 return 0; 1155 1156 cleanup: 1157 ERR(state->handle, "Out of memory!"); 1158 ebitmap_destroy(&e_tmp); 1159 return -1; 1160 } 1161 1162 static int user_fix_callback(hashtab_key_t key, hashtab_datum_t datum, 1163 void *data) 1164 { 1165 char *id = key; 1166 user_datum_t *user, *new_user = NULL; 1167 link_state_t *state = (link_state_t *) data; 1168 policy_module_t *mod = state->cur; 1169 symtab_t *usertab; 1170 1171 user = (user_datum_t *) datum; 1172 1173 if (state->dest_decl == NULL) 1174 usertab = &state->base->p_users; 1175 else 1176 usertab = &state->dest_decl->p_users; 1177 1178 new_user = hashtab_search(usertab->table, id); 1179 assert(new_user != NULL); 1180 1181 if (state->verbose) { 1182 INFO(state->handle, "fixing user %s", id); 1183 } 1184 1185 if (role_set_or_convert(&user->roles, &new_user->roles, mod, state)) { 1186 goto cleanup; 1187 } 1188 1189 if (mls_range_convert(&user->range, &new_user->range, mod, state)) 1190 goto cleanup; 1191 1192 if (mls_level_convert(&user->dfltlevel, &new_user->dfltlevel, mod, state)) 1193 goto cleanup; 1194 1195 return 0; 1196 1197 cleanup: 1198 ERR(state->handle, "Out of memory!"); 1199 return -1; 1200 } 1201 1202 static int (*fix_callback_f[SYM_NUM]) (hashtab_key_t key, hashtab_datum_t datum, 1203 void *datap) = { 1204 NULL, NULL, role_fix_callback, type_fix_callback, user_fix_callback, 1205 NULL, NULL, NULL}; 1206 1207 /*********** functions that copy AV rules ***********/ 1208 1209 static int copy_avrule_list(avrule_t * list, avrule_t ** dst, 1210 policy_module_t * module, link_state_t * state) 1211 { 1212 unsigned int i; 1213 avrule_t *cur, *new_rule = NULL, *tail; 1214 class_perm_node_t *cur_perm, *new_perm, *tail_perm = NULL; 1215 1216 tail = *dst; 1217 while (tail && tail->next) { 1218 tail = tail->next; 1219 } 1220 1221 cur = list; 1222 while (cur) { 1223 if ((new_rule = (avrule_t *) malloc(sizeof(avrule_t))) == NULL) { 1224 goto cleanup; 1225 } 1226 avrule_init(new_rule); 1227 1228 new_rule->specified = cur->specified; 1229 new_rule->flags = cur->flags; 1230 if (type_set_convert 1231 (&cur->stypes, &new_rule->stypes, module, state) == -1 1232 || type_set_convert(&cur->ttypes, &new_rule->ttypes, module, 1233 state) == -1) { 1234 goto cleanup; 1235 } 1236 1237 cur_perm = cur->perms; 1238 tail_perm = NULL; 1239 while (cur_perm) { 1240 if ((new_perm = (class_perm_node_t *) 1241 malloc(sizeof(class_perm_node_t))) == NULL) { 1242 goto cleanup; 1243 } 1244 class_perm_node_init(new_perm); 1245 1246 new_perm->class = 1247 module->map[SYM_CLASSES][cur_perm->class - 1]; 1248 assert(new_perm->class); 1249 1250 if (new_rule->specified & AVRULE_AV) { 1251 for (i = 0; 1252 i < 1253 module->perm_map_len[cur_perm->class - 1]; 1254 i++) { 1255 if (!(cur_perm->data & (1U << i))) 1256 continue; 1257 new_perm->data |= 1258 (1U << 1259 (module-> 1260 perm_map[cur_perm->class - 1][i] - 1261 1)); 1262 } 1263 } else { 1264 new_perm->data = 1265 module->map[SYM_TYPES][cur_perm->data - 1]; 1266 } 1267 1268 if (new_rule->perms == NULL) { 1269 new_rule->perms = new_perm; 1270 } else { 1271 tail_perm->next = new_perm; 1272 } 1273 tail_perm = new_perm; 1274 cur_perm = cur_perm->next; 1275 } 1276 new_rule->line = cur->line; 1277 1278 cur = cur->next; 1279 1280 if (*dst == NULL) { 1281 *dst = new_rule; 1282 } else { 1283 tail->next = new_rule; 1284 } 1285 tail = new_rule; 1286 } 1287 1288 return 0; 1289 cleanup: 1290 ERR(state->handle, "Out of memory!"); 1291 avrule_destroy(new_rule); 1292 free(new_rule); 1293 return -1; 1294 } 1295 1296 static int copy_role_trans_list(role_trans_rule_t * list, 1297 role_trans_rule_t ** dst, 1298 policy_module_t * module, link_state_t * state) 1299 { 1300 role_trans_rule_t *cur, *new_rule = NULL, *tail; 1301 unsigned int i; 1302 ebitmap_node_t *cnode; 1303 1304 cur = list; 1305 tail = *dst; 1306 while (tail && tail->next) { 1307 tail = tail->next; 1308 } 1309 while (cur) { 1310 if ((new_rule = 1311 (role_trans_rule_t *) malloc(sizeof(role_trans_rule_t))) == 1312 NULL) { 1313 goto cleanup; 1314 } 1315 role_trans_rule_init(new_rule); 1316 1317 if (role_set_or_convert 1318 (&cur->roles, &new_rule->roles, module, state) 1319 || type_set_or_convert(&cur->types, &new_rule->types, 1320 module, state)) { 1321 goto cleanup; 1322 } 1323 1324 ebitmap_for_each_bit(&cur->classes, cnode, i) { 1325 if (ebitmap_node_get_bit(cnode, i)) { 1326 assert(module->map[SYM_CLASSES][i]); 1327 if (ebitmap_set_bit(&new_rule->classes, 1328 module-> 1329 map[SYM_CLASSES][i] - 1, 1330 1)) { 1331 goto cleanup; 1332 } 1333 } 1334 } 1335 1336 new_rule->new_role = module->map[SYM_ROLES][cur->new_role - 1]; 1337 1338 if (*dst == NULL) { 1339 *dst = new_rule; 1340 } else { 1341 tail->next = new_rule; 1342 } 1343 tail = new_rule; 1344 cur = cur->next; 1345 } 1346 return 0; 1347 cleanup: 1348 ERR(state->handle, "Out of memory!"); 1349 role_trans_rule_list_destroy(new_rule); 1350 return -1; 1351 } 1352 1353 static int copy_role_allow_list(role_allow_rule_t * list, 1354 role_allow_rule_t ** dst, 1355 policy_module_t * module, link_state_t * state) 1356 { 1357 role_allow_rule_t *cur, *new_rule = NULL, *tail; 1358 1359 cur = list; 1360 tail = *dst; 1361 while (tail && tail->next) { 1362 tail = tail->next; 1363 } 1364 1365 while (cur) { 1366 if ((new_rule = 1367 (role_allow_rule_t *) malloc(sizeof(role_allow_rule_t))) == 1368 NULL) { 1369 goto cleanup; 1370 } 1371 role_allow_rule_init(new_rule); 1372 1373 if (role_set_or_convert 1374 (&cur->roles, &new_rule->roles, module, state) 1375 || role_set_or_convert(&cur->new_roles, 1376 &new_rule->new_roles, module, 1377 state)) { 1378 goto cleanup; 1379 } 1380 if (*dst == NULL) { 1381 *dst = new_rule; 1382 } else { 1383 tail->next = new_rule; 1384 } 1385 tail = new_rule; 1386 cur = cur->next; 1387 } 1388 return 0; 1389 cleanup: 1390 ERR(state->handle, "Out of memory!"); 1391 role_allow_rule_list_destroy(new_rule); 1392 return -1; 1393 } 1394 1395 static int copy_filename_trans_list(filename_trans_rule_t * list, 1396 filename_trans_rule_t ** dst, 1397 policy_module_t * module, 1398 link_state_t * state) 1399 { 1400 filename_trans_rule_t *cur, *new_rule, *tail; 1401 1402 cur = list; 1403 tail = *dst; 1404 while (tail && tail->next) 1405 tail = tail->next; 1406 1407 while (cur) { 1408 new_rule = malloc(sizeof(*new_rule)); 1409 if (!new_rule) 1410 goto err; 1411 1412 filename_trans_rule_init(new_rule); 1413 1414 if (*dst == NULL) 1415 *dst = new_rule; 1416 else 1417 tail->next = new_rule; 1418 tail = new_rule; 1419 1420 new_rule->name = strdup(cur->name); 1421 if (!new_rule->name) 1422 goto err; 1423 1424 if (type_set_or_convert(&cur->stypes, &new_rule->stypes, module, state) || 1425 type_set_or_convert(&cur->ttypes, &new_rule->ttypes, module, state)) 1426 goto err; 1427 1428 new_rule->tclass = module->map[SYM_CLASSES][cur->tclass - 1]; 1429 new_rule->otype = module->map[SYM_TYPES][cur->otype - 1]; 1430 1431 cur = cur->next; 1432 } 1433 return 0; 1434 err: 1435 ERR(state->handle, "Out of memory!"); 1436 return -1; 1437 } 1438 1439 static int copy_range_trans_list(range_trans_rule_t * rules, 1440 range_trans_rule_t ** dst, 1441 policy_module_t * mod, link_state_t * state) 1442 { 1443 range_trans_rule_t *rule, *new_rule = NULL; 1444 unsigned int i; 1445 ebitmap_node_t *cnode; 1446 1447 for (rule = rules; rule; rule = rule->next) { 1448 new_rule = 1449 (range_trans_rule_t *) malloc(sizeof(range_trans_rule_t)); 1450 if (!new_rule) 1451 goto cleanup; 1452 1453 range_trans_rule_init(new_rule); 1454 1455 new_rule->next = *dst; 1456 *dst = new_rule; 1457 1458 if (type_set_convert(&rule->stypes, &new_rule->stypes, 1459 mod, state)) 1460 goto cleanup; 1461 1462 if (type_set_convert(&rule->ttypes, &new_rule->ttypes, 1463 mod, state)) 1464 goto cleanup; 1465 1466 ebitmap_for_each_bit(&rule->tclasses, cnode, i) { 1467 if (ebitmap_node_get_bit(cnode, i)) { 1468 assert(mod->map[SYM_CLASSES][i]); 1469 if (ebitmap_set_bit 1470 (&new_rule->tclasses, 1471 mod->map[SYM_CLASSES][i] - 1, 1)) { 1472 goto cleanup; 1473 } 1474 } 1475 } 1476 1477 if (mls_range_convert(&rule->trange, &new_rule->trange, mod, state)) 1478 goto cleanup; 1479 } 1480 return 0; 1481 1482 cleanup: 1483 ERR(state->handle, "Out of memory!"); 1484 range_trans_rule_list_destroy(new_rule); 1485 return -1; 1486 } 1487 1488 static int copy_cond_list(cond_node_t * list, cond_node_t ** dst, 1489 policy_module_t * module, link_state_t * state) 1490 { 1491 unsigned i; 1492 cond_node_t *cur, *new_node = NULL, *tail; 1493 cond_expr_t *cur_expr; 1494 tail = *dst; 1495 while (tail && tail->next) 1496 tail = tail->next; 1497 1498 cur = list; 1499 while (cur) { 1500 new_node = (cond_node_t *) malloc(sizeof(cond_node_t)); 1501 if (!new_node) { 1502 goto cleanup; 1503 } 1504 memset(new_node, 0, sizeof(cond_node_t)); 1505 1506 new_node->cur_state = cur->cur_state; 1507 new_node->expr = cond_copy_expr(cur->expr); 1508 if (!new_node->expr) 1509 goto cleanup; 1510 /* go back through and remap the expression */ 1511 for (cur_expr = new_node->expr; cur_expr != NULL; 1512 cur_expr = cur_expr->next) { 1513 /* expression nodes don't have a bool value of 0 - don't map them */ 1514 if (cur_expr->expr_type != COND_BOOL) 1515 continue; 1516 assert(module->map[SYM_BOOLS][cur_expr->bool - 1] != 0); 1517 cur_expr->bool = 1518 module->map[SYM_BOOLS][cur_expr->bool - 1]; 1519 } 1520 new_node->nbools = cur->nbools; 1521 /* FIXME should COND_MAX_BOOLS be used here? */ 1522 for (i = 0; i < min(cur->nbools, COND_MAX_BOOLS); i++) { 1523 uint32_t remapped_id = 1524 module->map[SYM_BOOLS][cur->bool_ids[i] - 1]; 1525 assert(remapped_id != 0); 1526 new_node->bool_ids[i] = remapped_id; 1527 } 1528 new_node->expr_pre_comp = cur->expr_pre_comp; 1529 1530 if (copy_avrule_list 1531 (cur->avtrue_list, &new_node->avtrue_list, module, state) 1532 || copy_avrule_list(cur->avfalse_list, 1533 &new_node->avfalse_list, module, 1534 state)) { 1535 goto cleanup; 1536 } 1537 1538 if (*dst == NULL) { 1539 *dst = new_node; 1540 } else { 1541 tail->next = new_node; 1542 } 1543 tail = new_node; 1544 cur = cur->next; 1545 } 1546 return 0; 1547 cleanup: 1548 ERR(state->handle, "Out of memory!"); 1549 cond_node_destroy(new_node); 1550 free(new_node); 1551 return -1; 1552 1553 } 1554 1555 /*********** functions that copy avrule_decls from module to base ***********/ 1556 1557 static int copy_identifiers(link_state_t * state, symtab_t * src_symtab, 1558 avrule_decl_t * dest_decl) 1559 { 1560 int i, ret; 1561 1562 state->dest_decl = dest_decl; 1563 for (i = 0; i < SYM_NUM; i++) { 1564 if (copy_callback_f[i] != NULL) { 1565 ret = 1566 hashtab_map(src_symtab[i].table, copy_callback_f[i], 1567 state); 1568 if (ret) { 1569 return ret; 1570 } 1571 } 1572 } 1573 1574 if (hashtab_map(src_symtab[SYM_TYPES].table, 1575 type_bounds_copy_callback, state)) 1576 return -1; 1577 1578 if (hashtab_map(src_symtab[SYM_TYPES].table, 1579 alias_copy_callback, state)) 1580 return -1; 1581 1582 if (hashtab_map(src_symtab[SYM_ROLES].table, 1583 role_bounds_copy_callback, state)) 1584 return -1; 1585 1586 if (hashtab_map(src_symtab[SYM_USERS].table, 1587 user_bounds_copy_callback, state)) 1588 return -1; 1589 1590 /* then fix bitmaps associated with those newly copied identifiers */ 1591 for (i = 0; i < SYM_NUM; i++) { 1592 if (fix_callback_f[i] != NULL && 1593 hashtab_map(src_symtab[i].table, fix_callback_f[i], 1594 state)) { 1595 return -1; 1596 } 1597 } 1598 return 0; 1599 } 1600 1601 static int copy_scope_index(scope_index_t * src, scope_index_t * dest, 1602 policy_module_t * module, link_state_t * state) 1603 { 1604 unsigned int i, j; 1605 uint32_t largest_mapped_class_value = 0; 1606 ebitmap_node_t *node; 1607 /* copy the scoping information for this avrule decl block */ 1608 for (i = 0; i < SYM_NUM; i++) { 1609 ebitmap_t *srcmap = src->scope + i; 1610 ebitmap_t *destmap = dest->scope + i; 1611 if (copy_callback_f[i] == NULL) { 1612 continue; 1613 } 1614 ebitmap_for_each_bit(srcmap, node, j) { 1615 if (ebitmap_node_get_bit(node, j)) { 1616 assert(module->map[i][j] != 0); 1617 if (ebitmap_set_bit 1618 (destmap, module->map[i][j] - 1, 1) != 0) { 1619 1620 goto cleanup; 1621 } 1622 if (i == SYM_CLASSES && 1623 largest_mapped_class_value < 1624 module->map[SYM_CLASSES][j]) { 1625 largest_mapped_class_value = 1626 module->map[SYM_CLASSES][j]; 1627 } 1628 } 1629 } 1630 } 1631 1632 /* next copy the enabled permissions data */ 1633 if ((dest->class_perms_map = malloc(largest_mapped_class_value * 1634 sizeof(*dest->class_perms_map))) == 1635 NULL) { 1636 goto cleanup; 1637 } 1638 for (i = 0; i < largest_mapped_class_value; i++) { 1639 ebitmap_init(dest->class_perms_map + i); 1640 } 1641 dest->class_perms_len = largest_mapped_class_value; 1642 for (i = 0; i < src->class_perms_len; i++) { 1643 ebitmap_t *srcmap = src->class_perms_map + i; 1644 ebitmap_t *destmap = 1645 dest->class_perms_map + module->map[SYM_CLASSES][i] - 1; 1646 ebitmap_for_each_bit(srcmap, node, j) { 1647 if (ebitmap_node_get_bit(node, j) && 1648 ebitmap_set_bit(destmap, module->perm_map[i][j] - 1, 1649 1)) { 1650 goto cleanup; 1651 } 1652 } 1653 } 1654 1655 return 0; 1656 1657 cleanup: 1658 ERR(state->handle, "Out of memory!"); 1659 return -1; 1660 } 1661 1662 static int copy_avrule_decl(link_state_t * state, policy_module_t * module, 1663 avrule_decl_t * src_decl, avrule_decl_t * dest_decl) 1664 { 1665 int ret; 1666 1667 /* copy all of the RBAC and TE rules */ 1668 if (copy_avrule_list 1669 (src_decl->avrules, &dest_decl->avrules, module, state) == -1 1670 || copy_role_trans_list(src_decl->role_tr_rules, 1671 &dest_decl->role_tr_rules, module, 1672 state) == -1 1673 || copy_role_allow_list(src_decl->role_allow_rules, 1674 &dest_decl->role_allow_rules, module, 1675 state) == -1 1676 || copy_cond_list(src_decl->cond_list, &dest_decl->cond_list, 1677 module, state) == -1) { 1678 return -1; 1679 } 1680 1681 if (copy_filename_trans_list(src_decl->filename_trans_rules, 1682 &dest_decl->filename_trans_rules, 1683 module, state)) 1684 return -1; 1685 1686 if (copy_range_trans_list(src_decl->range_tr_rules, 1687 &dest_decl->range_tr_rules, module, state)) 1688 return -1; 1689 1690 /* finally copy any identifiers local to this declaration */ 1691 ret = copy_identifiers(state, src_decl->symtab, dest_decl); 1692 if (ret < 0) { 1693 return ret; 1694 } 1695 1696 /* then copy required and declared scope indices here */ 1697 if (copy_scope_index(&src_decl->required, &dest_decl->required, 1698 module, state) == -1 || 1699 copy_scope_index(&src_decl->declared, &dest_decl->declared, 1700 module, state) == -1) { 1701 return -1; 1702 } 1703 1704 return 0; 1705 } 1706 1707 static int copy_avrule_block(link_state_t * state, policy_module_t * module, 1708 avrule_block_t * block) 1709 { 1710 avrule_block_t *new_block = avrule_block_create(); 1711 avrule_decl_t *decl, *last_decl = NULL; 1712 int ret; 1713 1714 if (new_block == NULL) { 1715 ERR(state->handle, "Out of memory!"); 1716 ret = -1; 1717 goto cleanup; 1718 } 1719 1720 new_block->flags = block->flags; 1721 1722 for (decl = block->branch_list; decl != NULL; decl = decl->next) { 1723 avrule_decl_t *new_decl = 1724 avrule_decl_create(state->next_decl_id); 1725 if (new_decl == NULL) { 1726 ERR(state->handle, "Out of memory!"); 1727 ret = -1; 1728 goto cleanup; 1729 } 1730 1731 if (module->policy->name != NULL) { 1732 new_decl->module_name = strdup(module->policy->name); 1733 if (new_decl->module_name == NULL) { 1734 ERR(state->handle, "Out of memory\n"); 1735 ret = -1; 1736 goto cleanup; 1737 } 1738 } 1739 1740 if (last_decl == NULL) { 1741 new_block->branch_list = new_decl; 1742 } else { 1743 last_decl->next = new_decl; 1744 } 1745 last_decl = new_decl; 1746 state->base->decl_val_to_struct[state->next_decl_id - 1] = 1747 new_decl; 1748 state->decl_to_mod[state->next_decl_id] = module->policy; 1749 1750 module->avdecl_map[decl->decl_id] = new_decl->decl_id; 1751 1752 ret = copy_avrule_decl(state, module, decl, new_decl); 1753 if (ret) { 1754 goto cleanup; 1755 } 1756 1757 state->next_decl_id++; 1758 } 1759 state->last_avrule_block->next = new_block; 1760 state->last_avrule_block = new_block; 1761 return 0; 1762 1763 cleanup: 1764 avrule_block_list_destroy(new_block); 1765 return ret; 1766 } 1767 1768 static int scope_copy_callback(hashtab_key_t key, hashtab_datum_t datum, 1769 void *data) 1770 { 1771 unsigned int i; 1772 int ret; 1773 char *id = key, *new_id = NULL; 1774 scope_datum_t *scope, *base_scope; 1775 link_state_t *state = (link_state_t *) data; 1776 uint32_t symbol_num = state->symbol_num; 1777 uint32_t *avdecl_map = state->cur->avdecl_map; 1778 1779 scope = (scope_datum_t *) datum; 1780 1781 /* check if the base already has a scope entry */ 1782 base_scope = hashtab_search(state->base->scope[symbol_num].table, id); 1783 if (base_scope == NULL) { 1784 scope_datum_t *new_scope; 1785 if ((new_id = strdup(id)) == NULL) { 1786 goto cleanup; 1787 } 1788 1789 if ((new_scope = 1790 (scope_datum_t *) calloc(1, sizeof(*new_scope))) == NULL) { 1791 free(new_id); 1792 goto cleanup; 1793 } 1794 ret = hashtab_insert(state->base->scope[symbol_num].table, 1795 (hashtab_key_t) new_id, 1796 (hashtab_datum_t) new_scope); 1797 if (ret) { 1798 free(new_id); 1799 free(new_scope); 1800 goto cleanup; 1801 } 1802 new_scope->scope = SCOPE_REQ; /* this is reset further down */ 1803 base_scope = new_scope; 1804 } 1805 if (base_scope->scope == SCOPE_REQ && scope->scope == SCOPE_DECL) { 1806 /* this module declared symbol, so overwrite the old 1807 * list with the new decl ids */ 1808 base_scope->scope = SCOPE_DECL; 1809 free(base_scope->decl_ids); 1810 base_scope->decl_ids = NULL; 1811 base_scope->decl_ids_len = 0; 1812 for (i = 0; i < scope->decl_ids_len; i++) { 1813 if (add_i_to_a(avdecl_map[scope->decl_ids[i]], 1814 &base_scope->decl_ids_len, 1815 &base_scope->decl_ids) == -1) { 1816 goto cleanup; 1817 } 1818 } 1819 } else if (base_scope->scope == SCOPE_DECL && scope->scope == SCOPE_REQ) { 1820 /* this module depended on a symbol that now exists, 1821 * so don't do anything */ 1822 } else if (base_scope->scope == SCOPE_REQ && scope->scope == SCOPE_REQ) { 1823 /* symbol is still required, so add to the list */ 1824 for (i = 0; i < scope->decl_ids_len; i++) { 1825 if (add_i_to_a(avdecl_map[scope->decl_ids[i]], 1826 &base_scope->decl_ids_len, 1827 &base_scope->decl_ids) == -1) { 1828 goto cleanup; 1829 } 1830 } 1831 } else { 1832 /* this module declared a symbol, and it was already 1833 * declared. only roles and users may be multiply 1834 * declared; for all others this is an error. */ 1835 if (symbol_num != SYM_ROLES && symbol_num != SYM_USERS) { 1836 ERR(state->handle, 1837 "%s: Duplicate declaration in module: %s %s", 1838 state->cur_mod_name, 1839 symtab_names[state->symbol_num], id); 1840 return -1; 1841 } 1842 for (i = 0; i < scope->decl_ids_len; i++) { 1843 if (add_i_to_a(avdecl_map[scope->decl_ids[i]], 1844 &base_scope->decl_ids_len, 1845 &base_scope->decl_ids) == -1) { 1846 goto cleanup; 1847 } 1848 } 1849 } 1850 return 0; 1851 1852 cleanup: 1853 ERR(state->handle, "Out of memory!"); 1854 return -1; 1855 } 1856 1857 /* Copy a module over to a base, remapping all values within. After 1858 * all identifiers and rules are done, copy the scoping information. 1859 * This is when it checks for duplicate declarations. */ 1860 static int copy_module(link_state_t * state, policy_module_t * module) 1861 { 1862 int i, ret; 1863 avrule_block_t *cur; 1864 state->cur = module; 1865 state->cur_mod_name = module->policy->name; 1866 1867 /* first copy all of the identifiers */ 1868 ret = copy_identifiers(state, module->policy->symtab, NULL); 1869 if (ret) { 1870 return ret; 1871 } 1872 1873 /* next copy all of the avrule blocks */ 1874 for (cur = module->policy->global; cur != NULL; cur = cur->next) { 1875 ret = copy_avrule_block(state, module, cur); 1876 if (ret) { 1877 return ret; 1878 } 1879 } 1880 1881 /* then copy the scoping tables */ 1882 for (i = 0; i < SYM_NUM; i++) { 1883 state->symbol_num = i; 1884 if (hashtab_map 1885 (module->policy->scope[i].table, scope_copy_callback, 1886 state)) { 1887 return -1; 1888 } 1889 } 1890 1891 return 0; 1892 } 1893 1894 /***** functions that check requirements and enable blocks in a module ******/ 1895 1896 /* borrowed from checkpolicy.c */ 1897 1898 struct find_perm_arg { 1899 unsigned int valuep; 1900 hashtab_key_t key; 1901 }; 1902 1903 static int find_perm(hashtab_key_t key, hashtab_datum_t datum, void *varg) 1904 { 1905 1906 struct find_perm_arg *arg = varg; 1907 1908 perm_datum_t *perdatum = (perm_datum_t *) datum; 1909 if (arg->valuep == perdatum->s.value) { 1910 arg->key = key; 1911 return 1; 1912 } 1913 1914 return 0; 1915 } 1916 1917 /* Check if the requirements are met for a single declaration. If all 1918 * are met return 1. For the first requirement found to be missing, 1919 * if 'missing_sym_num' and 'missing_value' are both not NULL then 1920 * write to them the symbol number and value for the missing 1921 * declaration. Then return 0 to indicate a missing declaration. 1922 * Note that if a declaration had no requirement at all (e.g., an ELSE 1923 * block) this returns 1. */ 1924 static int is_decl_requires_met(link_state_t * state, 1925 avrule_decl_t * decl, 1926 struct missing_requirement *req) 1927 { 1928 /* (This algorithm is very unoptimized. It performs many 1929 * redundant checks. A very obvious improvement is to cache 1930 * which symbols have been verified, so that they do not need 1931 * to be re-checked.) */ 1932 unsigned int i, j; 1933 ebitmap_t *bitmap; 1934 char *id, *perm_id; 1935 policydb_t *pol = state->base; 1936 ebitmap_node_t *node; 1937 1938 /* check that all symbols have been satisfied */ 1939 for (i = 0; i < SYM_NUM; i++) { 1940 if (i == SYM_CLASSES) { 1941 /* classes will be checked during permissions 1942 * checking phase below */ 1943 continue; 1944 } 1945 bitmap = &decl->required.scope[i]; 1946 ebitmap_for_each_bit(bitmap, node, j) { 1947 if (!ebitmap_node_get_bit(node, j)) { 1948 continue; 1949 } 1950 1951 /* check base's scope table */ 1952 id = pol->sym_val_to_name[i][j]; 1953 if (!is_id_enabled(id, state->base, i)) { 1954 /* this symbol was not found */ 1955 if (req != NULL) { 1956 req->symbol_type = i; 1957 req->symbol_value = j + 1; 1958 } 1959 return 0; 1960 } 1961 } 1962 } 1963 /* check that all classes and permissions have been satisfied */ 1964 for (i = 0; i < decl->required.class_perms_len; i++) { 1965 1966 bitmap = decl->required.class_perms_map + i; 1967 ebitmap_for_each_bit(bitmap, node, j) { 1968 struct find_perm_arg fparg; 1969 class_datum_t *cladatum; 1970 uint32_t perm_value = j + 1; 1971 scope_datum_t *scope; 1972 1973 if (!ebitmap_node_get_bit(node, j)) { 1974 continue; 1975 } 1976 id = pol->p_class_val_to_name[i]; 1977 cladatum = pol->class_val_to_struct[i]; 1978 1979 scope = 1980 hashtab_search(state->base->p_classes_scope.table, 1981 id); 1982 if (scope == NULL) { 1983 ERR(state->handle, 1984 "Could not find scope information for class %s", 1985 id); 1986 return -1; 1987 } 1988 1989 fparg.valuep = perm_value; 1990 fparg.key = NULL; 1991 1992 hashtab_map(cladatum->permissions.table, find_perm, 1993 &fparg); 1994 if (fparg.key == NULL && cladatum->comdatum != NULL) 1995 hashtab_map(cladatum->comdatum->permissions. 1996 table, find_perm, &fparg); 1997 perm_id = fparg.key; 1998 1999 assert(perm_id != NULL); 2000 if (!is_perm_enabled(id, perm_id, state->base)) { 2001 if (req != NULL) { 2002 req->symbol_type = SYM_CLASSES; 2003 req->symbol_value = i + 1; 2004 req->perm_value = perm_value; 2005 } 2006 return 0; 2007 } 2008 } 2009 } 2010 2011 /* all requirements have been met */ 2012 return 1; 2013 } 2014 2015 static int debug_requirements(link_state_t * state, policydb_t * p) 2016 { 2017 int ret; 2018 avrule_block_t *cur; 2019 missing_requirement_t req; 2020 2021 for (cur = p->global; cur != NULL; cur = cur->next) { 2022 if (cur->enabled != NULL) 2023 continue; 2024 2025 ret = is_decl_requires_met(state, cur->branch_list, &req); 2026 if (ret < 0) { 2027 return ret; 2028 } else if (ret == 0) { 2029 char *mod_name = cur->branch_list->module_name ? 2030 cur->branch_list->module_name : "BASE"; 2031 if (req.symbol_type == SYM_CLASSES) { 2032 2033 struct find_perm_arg fparg; 2034 2035 class_datum_t *cladatum; 2036 cladatum = 2037 p->class_val_to_struct[req.symbol_value - 2038 1]; 2039 2040 fparg.valuep = req.perm_value; 2041 fparg.key = NULL; 2042 hashtab_map(cladatum->permissions.table, 2043 find_perm, &fparg); 2044 2045 if (cur->flags & AVRULE_OPTIONAL) { 2046 ERR(state->handle, 2047 "%s[%d]'s optional requirements were not met: class %s, permission %s", 2048 mod_name, cur->branch_list->decl_id, 2049 p->p_class_val_to_name[req. 2050 symbol_value 2051 - 1], 2052 fparg.key); 2053 } else { 2054 ERR(state->handle, 2055 "%s[%d]'s global requirements were not met: class %s, permission %s", 2056 mod_name, cur->branch_list->decl_id, 2057 p->p_class_val_to_name[req. 2058 symbol_value 2059 - 1], 2060 fparg.key); 2061 } 2062 } else { 2063 if (cur->flags & AVRULE_OPTIONAL) { 2064 ERR(state->handle, 2065 "%s[%d]'s optional requirements were not met: %s %s", 2066 mod_name, cur->branch_list->decl_id, 2067 symtab_names[req.symbol_type], 2068 p->sym_val_to_name[req. 2069 symbol_type][req. 2070 symbol_value 2071 - 2072 1]); 2073 } else { 2074 ERR(state->handle, 2075 "%s[%d]'s global requirements were not met: %s %s", 2076 mod_name, cur->branch_list->decl_id, 2077 symtab_names[req.symbol_type], 2078 p->sym_val_to_name[req. 2079 symbol_type][req. 2080 symbol_value 2081 - 2082 1]); 2083 } 2084 } 2085 } 2086 } 2087 return 0; 2088 } 2089 2090 static void print_missing_requirements(link_state_t * state, 2091 avrule_block_t * cur, 2092 missing_requirement_t * req) 2093 { 2094 policydb_t *p = state->base; 2095 char *mod_name = cur->branch_list->module_name ? 2096 cur->branch_list->module_name : "BASE"; 2097 2098 if (req->symbol_type == SYM_CLASSES) { 2099 2100 struct find_perm_arg fparg; 2101 2102 class_datum_t *cladatum; 2103 cladatum = p->class_val_to_struct[req->symbol_value - 1]; 2104 2105 fparg.valuep = req->perm_value; 2106 fparg.key = NULL; 2107 hashtab_map(cladatum->permissions.table, find_perm, &fparg); 2108 2109 ERR(state->handle, 2110 "%s's global requirements were not met: class %s, permission %s", 2111 mod_name, 2112 p->p_class_val_to_name[req->symbol_value - 1], fparg.key); 2113 } else { 2114 ERR(state->handle, 2115 "%s's global requirements were not met: %s %s", 2116 mod_name, 2117 symtab_names[req->symbol_type], 2118 p->sym_val_to_name[req->symbol_type][req->symbol_value - 2119 1]); 2120 } 2121 } 2122 2123 /* Enable all of the avrule_decl blocks for the policy. This simple 2124 * algorithm is the following: 2125 * 2126 * 1) Enable all of the non-else avrule_decls for all blocks. 2127 * 2) Iterate through the non-else decls looking for decls whose requirements 2128 * are not met. 2129 * 2a) If the decl is non-optional, return immediately with an error. 2130 * 2b) If the decl is optional, disable the block and mark changed = 1 2131 * 3) If changed == 1 goto 2. 2132 * 4) Iterate through all blocks looking for those that have no enabled 2133 * decl. If the block has an else decl, enable. 2134 * 2135 * This will correctly handle all dependencies, including mutual and 2136 * cicular. The only downside is that it is slow. 2137 */ 2138 static int enable_avrules(link_state_t * state, policydb_t * pol) 2139 { 2140 int changed = 1; 2141 avrule_block_t *block; 2142 avrule_decl_t *decl; 2143 missing_requirement_t req; 2144 int ret = 0, rc; 2145 2146 if (state->verbose) { 2147 INFO(state->handle, "Determining which avrules to enable."); 2148 } 2149 2150 /* 1) enable all of the non-else blocks */ 2151 for (block = pol->global; block != NULL; block = block->next) { 2152 block->enabled = block->branch_list; 2153 block->enabled->enabled = 1; 2154 for (decl = block->branch_list->next; decl != NULL; 2155 decl = decl->next) 2156 decl->enabled = 0; 2157 } 2158 2159 /* 2) Iterate */ 2160 while (changed) { 2161 changed = 0; 2162 for (block = pol->global; block != NULL; block = block->next) { 2163 if (block->enabled == NULL) { 2164 continue; 2165 } 2166 decl = block->branch_list; 2167 if (state->verbose) { 2168 char *mod_name = decl->module_name ? 2169 decl->module_name : "BASE"; 2170 INFO(state->handle, "check module %s decl %d\n", 2171 mod_name, decl->decl_id); 2172 } 2173 rc = is_decl_requires_met(state, decl, &req); 2174 if (rc < 0) { 2175 ret = SEPOL_ERR; 2176 goto out; 2177 } else if (rc == 0) { 2178 decl->enabled = 0; 2179 block->enabled = NULL; 2180 changed = 1; 2181 if (!(block->flags & AVRULE_OPTIONAL)) { 2182 print_missing_requirements(state, block, 2183 &req); 2184 ret = SEPOL_EREQ; 2185 goto out; 2186 } 2187 } 2188 } 2189 } 2190 2191 /* 4) else handling 2192 * 2193 * Iterate through all of the blocks skipping the first (which is the 2194 * global block, is required to be present, and cannot have an else). 2195 * If the block is disabled and has an else decl, enable that. 2196 * 2197 * This code assumes that the second block in the branch list is the else 2198 * block. This is currently supported by the compiler. 2199 */ 2200 for (block = pol->global->next; block != NULL; block = block->next) { 2201 if (block->enabled == NULL) { 2202 if (block->branch_list->next != NULL) { 2203 block->enabled = block->branch_list->next; 2204 block->branch_list->next->enabled = 1; 2205 } 2206 } 2207 } 2208 2209 out: 2210 if (state->verbose) 2211 debug_requirements(state, pol); 2212 2213 return ret; 2214 } 2215 2216 /*********** the main linking functions ***********/ 2217 2218 /* Given a module's policy, normalize all conditional expressions 2219 * within. Return 0 on success, -1 on error. */ 2220 static int cond_normalize(policydb_t * p) 2221 { 2222 avrule_block_t *block; 2223 for (block = p->global; block != NULL; block = block->next) { 2224 avrule_decl_t *decl; 2225 for (decl = block->branch_list; decl != NULL; decl = decl->next) { 2226 cond_list_t *cond = decl->cond_list; 2227 while (cond) { 2228 if (cond_normalize_expr(p, cond) < 0) 2229 return -1; 2230 cond = cond->next; 2231 } 2232 } 2233 } 2234 return 0; 2235 } 2236 2237 /* Allocate space for the various remapping arrays. */ 2238 static int prepare_module(link_state_t * state, policy_module_t * module) 2239 { 2240 int i; 2241 uint32_t items, num_decls = 0; 2242 avrule_block_t *cur; 2243 2244 /* allocate the maps */ 2245 for (i = 0; i < SYM_NUM; i++) { 2246 items = module->policy->symtab[i].nprim; 2247 if ((module->map[i] = 2248 (uint32_t *) calloc(items, 2249 sizeof(*module->map[i]))) == NULL) { 2250 ERR(state->handle, "Out of memory!"); 2251 return -1; 2252 } 2253 } 2254 2255 /* allocate the permissions remap here */ 2256 items = module->policy->p_classes.nprim; 2257 if ((module->perm_map_len = 2258 calloc(items, sizeof(*module->perm_map_len))) == NULL) { 2259 ERR(state->handle, "Out of memory!"); 2260 return -1; 2261 } 2262 if ((module->perm_map = 2263 calloc(items, sizeof(*module->perm_map))) == NULL) { 2264 ERR(state->handle, "Out of memory!"); 2265 return -1; 2266 } 2267 2268 /* allocate a map for avrule_decls */ 2269 for (cur = module->policy->global; cur != NULL; cur = cur->next) { 2270 avrule_decl_t *decl; 2271 for (decl = cur->branch_list; decl != NULL; decl = decl->next) { 2272 if (decl->decl_id > num_decls) { 2273 num_decls = decl->decl_id; 2274 } 2275 } 2276 } 2277 num_decls++; 2278 if ((module->avdecl_map = calloc(num_decls, sizeof(uint32_t))) == NULL) { 2279 ERR(state->handle, "Out of memory!"); 2280 return -1; 2281 } 2282 module->num_decls = num_decls; 2283 2284 /* normalize conditionals within */ 2285 if (cond_normalize(module->policy) < 0) { 2286 ERR(state->handle, 2287 "Error while normalizing conditionals within the module %s.", 2288 module->policy->name); 2289 return -1; 2290 } 2291 return 0; 2292 } 2293 2294 static int prepare_base(link_state_t * state, uint32_t num_mod_decls) 2295 { 2296 avrule_block_t *cur = state->base->global; 2297 assert(cur != NULL); 2298 state->next_decl_id = 0; 2299 2300 /* iterate through all of the declarations in the base, to 2301 determine what the next decl_id should be */ 2302 while (cur != NULL) { 2303 avrule_decl_t *decl; 2304 for (decl = cur->branch_list; decl != NULL; decl = decl->next) { 2305 if (decl->decl_id > state->next_decl_id) { 2306 state->next_decl_id = decl->decl_id; 2307 } 2308 } 2309 state->last_avrule_block = cur; 2310 cur = cur->next; 2311 } 2312 state->last_base_avrule_block = state->last_avrule_block; 2313 state->next_decl_id++; 2314 2315 /* allocate the table mapping from base's decl_id to its 2316 * avrule_decls and set the initial mappings */ 2317 free(state->base->decl_val_to_struct); 2318 if ((state->base->decl_val_to_struct = 2319 calloc(state->next_decl_id + num_mod_decls, 2320 sizeof(*(state->base->decl_val_to_struct)))) == NULL) { 2321 ERR(state->handle, "Out of memory!"); 2322 return -1; 2323 } 2324 /* This allocates the decl block to module mapping used for error reporting */ 2325 if ((state->decl_to_mod = calloc(state->next_decl_id + num_mod_decls, 2326 sizeof(*(state->decl_to_mod)))) == 2327 NULL) { 2328 ERR(state->handle, "Out of memory!"); 2329 return -1; 2330 } 2331 cur = state->base->global; 2332 while (cur != NULL) { 2333 avrule_decl_t *decl = cur->branch_list; 2334 while (decl != NULL) { 2335 state->base->decl_val_to_struct[decl->decl_id - 1] = 2336 decl; 2337 state->decl_to_mod[decl->decl_id] = state->base; 2338 decl = decl->next; 2339 } 2340 cur = cur->next; 2341 } 2342 2343 /* normalize conditionals within */ 2344 if (cond_normalize(state->base) < 0) { 2345 ERR(state->handle, 2346 "Error while normalizing conditionals within the base module."); 2347 return -1; 2348 } 2349 return 0; 2350 } 2351 2352 static int expand_role_attributes(hashtab_key_t key, hashtab_datum_t datum, 2353 void * data) 2354 { 2355 char *id; 2356 role_datum_t *role, *sub_attr; 2357 link_state_t *state; 2358 unsigned int i; 2359 ebitmap_node_t *rnode; 2360 2361 id = key; 2362 role = (role_datum_t *)datum; 2363 state = (link_state_t *)data; 2364 2365 if (strcmp(id, OBJECT_R) == 0){ 2366 /* object_r is never a role attribute by far */ 2367 return 0; 2368 } 2369 2370 if (role->flavor != ROLE_ATTRIB) 2371 return 0; 2372 2373 if (state->verbose) 2374 INFO(state->handle, "expanding role attribute %s", id); 2375 2376 restart: 2377 ebitmap_for_each_bit(&role->roles, rnode, i) { 2378 if (ebitmap_node_get_bit(rnode, i)) { 2379 sub_attr = state->base->role_val_to_struct[i]; 2380 if (sub_attr->flavor != ROLE_ATTRIB) 2381 continue; 2382 2383 /* remove the sub role attribute from the parent 2384 * role attribute's roles ebitmap */ 2385 if (ebitmap_set_bit(&role->roles, i, 0)) 2386 return -1; 2387 2388 /* loop dependency of role attributes */ 2389 if (sub_attr->s.value == role->s.value) 2390 continue; 2391 2392 /* now go on to expand a sub role attribute 2393 * by escalating its roles ebitmap */ 2394 if (ebitmap_union(&role->roles, &sub_attr->roles)) { 2395 ERR(state->handle, "Out of memory!"); 2396 return -1; 2397 } 2398 2399 /* sub_attr->roles may contain other role attributes, 2400 * re-scan the parent role attribute's roles ebitmap */ 2401 goto restart; 2402 } 2403 } 2404 2405 return 0; 2406 } 2407 2408 /* For any role attribute in a declaration's local symtab[SYM_ROLES] table, 2409 * copy its roles ebitmap into its duplicate's in the base->p_roles.table. 2410 */ 2411 static int populate_decl_roleattributes(hashtab_key_t key, 2412 hashtab_datum_t datum, 2413 void *data) 2414 { 2415 char *id = key; 2416 role_datum_t *decl_role, *base_role; 2417 link_state_t *state = (link_state_t *)data; 2418 2419 decl_role = (role_datum_t *)datum; 2420 2421 if (strcmp(id, OBJECT_R) == 0) { 2422 /* object_r is never a role attribute by far */ 2423 return 0; 2424 } 2425 2426 if (decl_role->flavor != ROLE_ATTRIB) 2427 return 0; 2428 2429 base_role = (role_datum_t *)hashtab_search(state->base->p_roles.table, 2430 id); 2431 assert(base_role != NULL && base_role->flavor == ROLE_ATTRIB); 2432 2433 if (ebitmap_union(&base_role->roles, &decl_role->roles)) { 2434 ERR(state->handle, "Out of memory!"); 2435 return -1; 2436 } 2437 2438 return 0; 2439 } 2440 2441 static int populate_roleattributes(link_state_t *state, policydb_t *pol) 2442 { 2443 avrule_block_t *block; 2444 avrule_decl_t *decl; 2445 2446 if (state->verbose) 2447 INFO(state->handle, "Populating role-attribute relationship " 2448 "from enabled declarations' local symtab."); 2449 2450 /* Iterate through all of the blocks skipping the first(which is the 2451 * global block, is required to be present and can't have an else). 2452 * If the block is disabled or not having an enabled decl, skip it. 2453 */ 2454 for (block = pol->global->next; block != NULL; block = block->next) 2455 { 2456 decl = block->enabled; 2457 if (decl == NULL || decl->enabled == 0) 2458 continue; 2459 2460 if (hashtab_map(decl->symtab[SYM_ROLES].table, 2461 populate_decl_roleattributes, state)) 2462 return -1; 2463 } 2464 2465 return 0; 2466 } 2467 2468 /* Link a set of modules into a base module. This process is somewhat 2469 * similar to an actual compiler: it requires a set of order dependent 2470 * steps. The base and every module must have been indexed prior to 2471 * calling this function. 2472 */ 2473 int link_modules(sepol_handle_t * handle, 2474 policydb_t * b, policydb_t ** mods, int len, int verbose) 2475 { 2476 int i, ret, retval = -1; 2477 policy_module_t **modules = NULL; 2478 link_state_t state; 2479 uint32_t num_mod_decls = 0; 2480 2481 memset(&state, 0, sizeof(state)); 2482 state.base = b; 2483 state.verbose = verbose; 2484 state.handle = handle; 2485 2486 if (b->policy_type != POLICY_BASE) { 2487 ERR(state.handle, "Target of link was not a base policy."); 2488 return -1; 2489 } 2490 2491 /* first allocate some space to hold the maps from module 2492 * symbol's value to the destination symbol value; then do 2493 * other preparation work */ 2494 if ((modules = 2495 (policy_module_t **) calloc(len, sizeof(*modules))) == NULL) { 2496 ERR(state.handle, "Out of memory!"); 2497 return -1; 2498 } 2499 for (i = 0; i < len; i++) { 2500 if (mods[i]->policy_type != POLICY_MOD) { 2501 ERR(state.handle, 2502 "Tried to link in a policy that was not a module."); 2503 goto cleanup; 2504 } 2505 2506 if (mods[i]->mls != b->mls) { 2507 if (b->mls) 2508 ERR(state.handle, 2509 "Tried to link in a non-MLS module with an MLS base."); 2510 else 2511 ERR(state.handle, 2512 "Tried to link in an MLS module with a non-MLS base."); 2513 goto cleanup; 2514 } 2515 2516 if ((modules[i] = 2517 (policy_module_t *) calloc(1, 2518 sizeof(policy_module_t))) == 2519 NULL) { 2520 ERR(state.handle, "Out of memory!"); 2521 goto cleanup; 2522 } 2523 modules[i]->policy = mods[i]; 2524 if (prepare_module(&state, modules[i]) == -1) { 2525 goto cleanup; 2526 } 2527 num_mod_decls += modules[i]->num_decls; 2528 } 2529 if (prepare_base(&state, num_mod_decls) == -1) { 2530 goto cleanup; 2531 } 2532 2533 /* copy all types, declared and required */ 2534 for (i = 0; i < len; i++) { 2535 state.cur = modules[i]; 2536 state.cur_mod_name = modules[i]->policy->name; 2537 ret = 2538 hashtab_map(modules[i]->policy->p_types.table, 2539 type_copy_callback, &state); 2540 if (ret) { 2541 retval = ret; 2542 goto cleanup; 2543 } 2544 } 2545 2546 /* then copy everything else, including aliases, and fixup attributes */ 2547 for (i = 0; i < len; i++) { 2548 state.cur = modules[i]; 2549 state.cur_mod_name = modules[i]->policy->name; 2550 ret = 2551 copy_identifiers(&state, modules[i]->policy->symtab, NULL); 2552 if (ret) { 2553 retval = ret; 2554 goto cleanup; 2555 } 2556 } 2557 2558 if (policydb_index_others(state.handle, state.base, 0)) { 2559 ERR(state.handle, "Error while indexing others"); 2560 goto cleanup; 2561 } 2562 2563 /* copy and remap the module's data over to base */ 2564 for (i = 0; i < len; i++) { 2565 state.cur = modules[i]; 2566 ret = copy_module(&state, modules[i]); 2567 if (ret) { 2568 retval = ret; 2569 goto cleanup; 2570 } 2571 } 2572 2573 /* re-index base, for symbols were added to symbol tables */ 2574 if (policydb_index_classes(state.base)) { 2575 ERR(state.handle, "Error while indexing classes"); 2576 goto cleanup; 2577 } 2578 if (policydb_index_others(state.handle, state.base, 0)) { 2579 ERR(state.handle, "Error while indexing others"); 2580 goto cleanup; 2581 } 2582 2583 if (enable_avrules(&state, state.base)) { 2584 retval = SEPOL_EREQ; 2585 goto cleanup; 2586 } 2587 2588 /* Now that all role attribute's roles ebitmap have been settled, 2589 * escalate sub role attribute's roles ebitmap into that of parent. 2590 * 2591 * First, since some role-attribute relationships could be recorded 2592 * in some decl's local symtab(see get_local_role()), we need to 2593 * populate them up to the base.p_roles table. */ 2594 if (populate_roleattributes(&state, state.base)) { 2595 retval = SEPOL_EREQ; 2596 goto cleanup; 2597 } 2598 2599 /* Now do the escalation. */ 2600 if (hashtab_map(state.base->p_roles.table, expand_role_attributes, 2601 &state)) 2602 goto cleanup; 2603 2604 retval = 0; 2605 cleanup: 2606 for (i = 0; modules != NULL && i < len; i++) { 2607 policy_module_destroy(modules[i]); 2608 } 2609 free(modules); 2610 free(state.decl_to_mod); 2611 return retval; 2612 } 2613