1 /* Authors: Karl MacMillan <kmacmillan (at) mentalrootkit.com> 2 * Joshua Brindle <jbrindle (at) tresys.com> 3 * Jason Tang <jtang (at) tresys.com> 4 * 5 * Copyright (C) 2004-2005 Tresys Technology, LLC 6 * Copyright (C) 2007 Red Hat, Inc. 7 * 8 * This library is free software; you can redistribute it and/or 9 * modify it under the terms of the GNU Lesser General Public 10 * License as published by the Free Software Foundation; either 11 * version 2.1 of the License, or (at your option) any later version. 12 * 13 * This library is distributed in the hope that it will be useful, 14 * but WITHOUT ANY WARRANTY; without even the implied warranty of 15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 16 * Lesser General Public License for more details. 17 * 18 * You should have received a copy of the GNU Lesser General Public 19 * License along with this library; if not, write to the Free Software 20 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA 21 */ 22 23 #include <sepol/policydb/policydb.h> 24 #include <sepol/policydb/conditional.h> 25 #include <sepol/policydb/hashtab.h> 26 #include <sepol/policydb/avrule_block.h> 27 #include <sepol/policydb/link.h> 28 #include <sepol/policydb/util.h> 29 30 #include <stdlib.h> 31 #include <stdarg.h> 32 #include <stdio.h> 33 #include <string.h> 34 #include <assert.h> 35 36 #include "debug.h" 37 38 #undef min 39 #define min(a,b) (((a) < (b)) ? (a) : (b)) 40 41 typedef struct policy_module { 42 policydb_t *policy; 43 uint32_t num_decls; 44 uint32_t *map[SYM_NUM]; 45 uint32_t *avdecl_map; 46 uint32_t **perm_map; 47 uint32_t *perm_map_len; 48 49 /* a pointer to within the base module's avrule_block chain to 50 * where this module's global now resides */ 51 avrule_block_t *base_global; 52 } policy_module_t; 53 54 typedef struct link_state { 55 int verbose; 56 policydb_t *base; 57 avrule_block_t *last_avrule_block, *last_base_avrule_block; 58 uint32_t next_decl_id, current_decl_id; 59 60 /* temporary variables, used during hashtab_map() calls */ 61 policy_module_t *cur; 62 char *cur_mod_name; 63 avrule_decl_t *dest_decl; 64 class_datum_t *src_class, *dest_class; 65 char *dest_class_name; 66 char dest_class_req; /* flag indicating the class was not declared */ 67 uint32_t symbol_num; 68 /* used to report the name of the module if dependancy error occurs */ 69 policydb_t **decl_to_mod; 70 71 /* error reporting fields */ 72 sepol_handle_t *handle; 73 } link_state_t; 74 75 typedef struct missing_requirement { 76 uint32_t symbol_type; 77 uint32_t symbol_value; 78 uint32_t perm_value; 79 } missing_requirement_t; 80 81 static const char *symtab_names[SYM_NUM] = { 82 "common", "class", "role", "type/attribute", "user", 83 "bool", "level", "category" 84 }; 85 86 /* Deallocates all elements within a module, but NOT the policydb_t 87 * structure within, as well as the pointer itself. */ 88 static void policy_module_destroy(policy_module_t * mod) 89 { 90 unsigned int i; 91 if (mod == NULL) { 92 return; 93 } 94 for (i = 0; i < SYM_NUM; i++) { 95 free(mod->map[i]); 96 } 97 for (i = 0; mod->perm_map != NULL && i < mod->policy->p_classes.nprim; 98 i++) { 99 free(mod->perm_map[i]); 100 } 101 free(mod->perm_map); 102 free(mod->perm_map_len); 103 free(mod->avdecl_map); 104 free(mod); 105 } 106 107 /***** functions that copy identifiers from a module to base *****/ 108 109 /* Note: there is currently no scoping for permissions, which causes some 110 * strange side-effects. The current approach is this: 111 * 112 * a) perm is required and the class _and_ perm are declared in base: only add a mapping. 113 * b) perm is required and the class and perm are _not_ declared in base: simply add the permissions 114 * to the object class. This means that the requirements for the decl are the union of the permissions 115 * required for all decls, but who cares. 116 * c) perm is required, the class is declared in base, but the perm is not present. Nothing we can do 117 * here because we can't mark a single permission as required, so we bail with a requirement error 118 * _even_ if we are in an optional. 119 * 120 * A is correct behavior, b is wrong but not too bad, c is totall wrong for optionals. Fixing this requires 121 * a format change. 122 */ 123 static int permission_copy_callback(hashtab_key_t key, hashtab_datum_t datum, 124 void *data) 125 { 126 char *perm_id = key, *new_id = NULL; 127 perm_datum_t *perm, *new_perm = NULL, *dest_perm; 128 link_state_t *state = (link_state_t *) data; 129 130 class_datum_t *src_class = state->src_class; 131 class_datum_t *dest_class = state->dest_class; 132 policy_module_t *mod = state->cur; 133 uint32_t sclassi = src_class->s.value - 1; 134 int ret; 135 136 perm = (perm_datum_t *) datum; 137 dest_perm = hashtab_search(dest_class->permissions.table, perm_id); 138 if (dest_perm == NULL && dest_class->comdatum != NULL) { 139 dest_perm = 140 hashtab_search(dest_class->comdatum->permissions.table, 141 perm_id); 142 } 143 144 if (dest_perm == NULL) { 145 /* If the object class was not declared in the base, add the perm 146 * to the object class. */ 147 if (state->dest_class_req) { 148 /* If the class was required (not declared), insert the new permission */ 149 new_id = strdup(perm_id); 150 if (new_id == NULL) { 151 ERR(state->handle, "Memory error"); 152 ret = SEPOL_ERR; 153 goto err; 154 } 155 new_perm = 156 (perm_datum_t *) calloc(1, sizeof(perm_datum_t)); 157 if (new_perm == NULL) { 158 ERR(state->handle, "Memory error"); 159 ret = SEPOL_ERR; 160 goto err; 161 } 162 ret = hashtab_insert(dest_class->permissions.table, 163 (hashtab_key_t) new_id, 164 (hashtab_datum_t) new_perm); 165 if (ret) { 166 ERR(state->handle, 167 "could not insert permission into class\n"); 168 goto err; 169 } 170 new_perm->s.value = dest_class->permissions.nprim + 1; 171 dest_perm = new_perm; 172 } else { 173 /* this is case c from above */ 174 ERR(state->handle, 175 "Module %s depends on permission %s in class %s, not satisfied", 176 state->cur_mod_name, perm_id, 177 state->dest_class_name); 178 return SEPOL_EREQ; 179 } 180 } 181 182 /* build the mapping for permissions encompassing this class. 183 * unlike symbols, the permission map translates between 184 * module permission bit to target permission bit. that bit 185 * may have originated from the class -or- it could be from 186 * the class's common parent.*/ 187 if (perm->s.value > mod->perm_map_len[sclassi]) { 188 uint32_t *newmap = calloc(perm->s.value, sizeof(*newmap)); 189 if (newmap == NULL) { 190 ERR(state->handle, "Out of memory!"); 191 return -1; 192 } 193 memcpy(newmap, mod->perm_map[sclassi], 194 mod->perm_map_len[sclassi] * sizeof(*newmap)); 195 free(mod->perm_map[sclassi]); 196 mod->perm_map[sclassi] = newmap; 197 mod->perm_map_len[sclassi] = perm->s.value; 198 } 199 mod->perm_map[sclassi][perm->s.value - 1] = dest_perm->s.value; 200 201 return 0; 202 err: 203 free(new_id); 204 free(new_perm); 205 return ret; 206 } 207 208 static int class_copy_default_new_object(link_state_t *state, 209 class_datum_t *olddatum, 210 class_datum_t *newdatum) 211 { 212 if (olddatum->default_user) { 213 if (newdatum->default_user && olddatum->default_user != newdatum->default_user) { 214 ERR(state->handle, "Found conflicting default user definitions"); 215 return SEPOL_ENOTSUP; 216 } 217 newdatum->default_user = olddatum->default_user; 218 } 219 if (olddatum->default_role) { 220 if (newdatum->default_role && olddatum->default_role != newdatum->default_role) { 221 ERR(state->handle, "Found conflicting default role definitions"); 222 return SEPOL_ENOTSUP; 223 } 224 newdatum->default_role = olddatum->default_role; 225 } 226 if (olddatum->default_type) { 227 if (newdatum->default_type && olddatum->default_type != newdatum->default_type) { 228 ERR(state->handle, "Found conflicting default type definitions"); 229 return SEPOL_ENOTSUP; 230 } 231 newdatum->default_type = olddatum->default_type; 232 } 233 if (olddatum->default_range) { 234 if (newdatum->default_range && olddatum->default_range != newdatum->default_range) { 235 ERR(state->handle, "Found conflicting default range definitions"); 236 return SEPOL_ENOTSUP; 237 } 238 newdatum->default_range = olddatum->default_range; 239 } 240 return 0; 241 } 242 243 static int class_copy_callback(hashtab_key_t key, hashtab_datum_t datum, 244 void *data) 245 { 246 char *id = key, *new_id = NULL; 247 class_datum_t *cladatum, *new_class = NULL; 248 link_state_t *state = (link_state_t *) data; 249 scope_datum_t *scope = NULL; 250 int ret; 251 252 cladatum = (class_datum_t *) datum; 253 state->dest_class_req = 0; 254 255 new_class = hashtab_search(state->base->p_classes.table, id); 256 /* If there is not an object class already in the base symtab that means 257 * that either a) a module is trying to declare a new object class (which 258 * the compiler should prevent) or b) an object class was required that is 259 * not in the base. 260 */ 261 if (new_class == NULL) { 262 scope = 263 hashtab_search(state->cur->policy->p_classes_scope.table, 264 id); 265 if (scope == NULL) { 266 ret = SEPOL_ERR; 267 goto err; 268 } 269 if (scope->scope == SCOPE_DECL) { 270 /* disallow declarations in modules */ 271 ERR(state->handle, 272 "%s: Modules may not yet declare new classes.", 273 state->cur_mod_name); 274 ret = SEPOL_ENOTSUP; 275 goto err; 276 } else { 277 /* It would be nice to error early here because the requirement is 278 * not met, but we cannot because the decl might be optional (in which 279 * case we should record the requirement so that it is just turned 280 * off). Note: this will break horribly if modules can declare object 281 * classes because the class numbers will be all wrong (i.e., they 282 * might be assigned in the order they were required rather than the 283 * current scheme which ensures correct numbering by ordering the 284 * declarations properly). This can't be fixed until some infrastructure 285 * for querying the object class numbers is in place. */ 286 state->dest_class_req = 1; 287 new_class = 288 (class_datum_t *) calloc(1, sizeof(class_datum_t)); 289 if (new_class == NULL) { 290 ERR(state->handle, "Memory error\n"); 291 ret = SEPOL_ERR; 292 goto err; 293 } 294 if (symtab_init 295 (&new_class->permissions, PERM_SYMTAB_SIZE)) { 296 ret = SEPOL_ERR; 297 goto err; 298 } 299 new_id = strdup(id); 300 if (new_id == NULL) { 301 ERR(state->handle, "Memory error\n"); 302 symtab_destroy(&new_class->permissions); 303 ret = SEPOL_ERR; 304 goto err; 305 } 306 ret = hashtab_insert(state->base->p_classes.table, 307 (hashtab_key_t) new_id, 308 (hashtab_datum_t) new_class); 309 if (ret) { 310 ERR(state->handle, 311 "could not insert new class into symtab"); 312 symtab_destroy(&new_class->permissions); 313 goto err; 314 } 315 new_class->s.value = ++(state->base->p_classes.nprim); 316 } 317 } 318 319 state->cur->map[SYM_CLASSES][cladatum->s.value - 1] = 320 new_class->s.value; 321 322 /* copy permissions */ 323 state->src_class = cladatum; 324 state->dest_class = new_class; 325 state->dest_class_name = (char *)key; 326 327 /* copy default new object rules */ 328 ret = class_copy_default_new_object(state, cladatum, new_class); 329 if (ret) 330 return ret; 331 332 ret = 333 hashtab_map(cladatum->permissions.table, permission_copy_callback, 334 state); 335 if (ret != 0) { 336 return ret; 337 } 338 339 return 0; 340 err: 341 free(new_class); 342 free(new_id); 343 return ret; 344 } 345 346 static int role_copy_callback(hashtab_key_t key, hashtab_datum_t datum, 347 void *data) 348 { 349 int ret; 350 char *id = key, *new_id = NULL; 351 role_datum_t *role, *base_role, *new_role = NULL; 352 link_state_t *state = (link_state_t *) data; 353 354 role = (role_datum_t *) datum; 355 356 base_role = hashtab_search(state->base->p_roles.table, id); 357 if (base_role != NULL) { 358 /* role already exists. check that it is what this 359 * module expected. duplicate declarations (e.g., two 360 * modules both declare role foo_r) is checked during 361 * scope_copy_callback(). */ 362 if (role->flavor == ROLE_ATTRIB 363 && base_role->flavor != ROLE_ATTRIB) { 364 ERR(state->handle, 365 "%s: Expected %s to be a role attribute, but it was already declared as a regular role.", 366 state->cur_mod_name, id); 367 return -1; 368 } else if (role->flavor != ROLE_ATTRIB 369 && base_role->flavor == ROLE_ATTRIB) { 370 ERR(state->handle, 371 "%s: Expected %s to be a regular role, but it was already declared as a role attribute.", 372 state->cur_mod_name, id); 373 return -1; 374 } 375 } else { 376 if (state->verbose) 377 INFO(state->handle, "copying role %s", id); 378 379 if ((new_id = strdup(id)) == NULL) { 380 goto cleanup; 381 } 382 383 if ((new_role = 384 (role_datum_t *) malloc(sizeof(*new_role))) == NULL) { 385 goto cleanup; 386 } 387 role_datum_init(new_role); 388 389 /* new_role's dominates, types and roles field will be copied 390 * during role_fix_callback() */ 391 new_role->flavor = role->flavor; 392 new_role->s.value = state->base->p_roles.nprim + 1; 393 394 ret = hashtab_insert(state->base->p_roles.table, 395 (hashtab_key_t) new_id, 396 (hashtab_datum_t) new_role); 397 if (ret) { 398 goto cleanup; 399 } 400 state->base->p_roles.nprim++; 401 base_role = new_role; 402 } 403 404 if (state->dest_decl) { 405 new_id = NULL; 406 if ((new_role = malloc(sizeof(*new_role))) == NULL) { 407 goto cleanup; 408 } 409 role_datum_init(new_role); 410 new_role->flavor = base_role->flavor; 411 new_role->s.value = base_role->s.value; 412 if ((new_id = strdup(id)) == NULL) { 413 goto cleanup; 414 } 415 if (hashtab_insert 416 (state->dest_decl->p_roles.table, new_id, new_role)) { 417 goto cleanup; 418 } 419 state->dest_decl->p_roles.nprim++; 420 } 421 422 state->cur->map[SYM_ROLES][role->s.value - 1] = base_role->s.value; 423 return 0; 424 425 cleanup: 426 ERR(state->handle, "Out of memory!"); 427 role_datum_destroy(new_role); 428 free(new_id); 429 free(new_role); 430 return -1; 431 } 432 433 /* Copy types and attributes from a module into the base module. The 434 * attributes are copied, but the types that make up this attribute 435 * are delayed type_fix_callback(). */ 436 static int type_copy_callback(hashtab_key_t key, hashtab_datum_t datum, 437 void *data) 438 { 439 int ret; 440 char *id = key, *new_id = NULL; 441 type_datum_t *type, *base_type, *new_type = NULL; 442 link_state_t *state = (link_state_t *) data; 443 444 type = (type_datum_t *) datum; 445 if ((type->flavor == TYPE_TYPE && !type->primary) 446 || type->flavor == TYPE_ALIAS) { 447 /* aliases are handled later, in alias_copy_callback() */ 448 return 0; 449 } 450 451 base_type = hashtab_search(state->base->p_types.table, id); 452 if (base_type != NULL) { 453 /* type already exists. check that it is what this 454 * module expected. duplicate declarations (e.g., two 455 * modules both declare type foo_t) is checked during 456 * scope_copy_callback(). */ 457 if (type->flavor == TYPE_ATTRIB 458 && base_type->flavor != TYPE_ATTRIB) { 459 ERR(state->handle, 460 "%s: Expected %s to be an attribute, but it was already declared as a type.", 461 state->cur_mod_name, id); 462 return -1; 463 } else if (type->flavor != TYPE_ATTRIB 464 && base_type->flavor == TYPE_ATTRIB) { 465 ERR(state->handle, 466 "%s: Expected %s to be a type, but it was already declared as an attribute.", 467 state->cur_mod_name, id); 468 return -1; 469 } 470 /* permissive should pass to the base type */ 471 base_type->flags |= (type->flags & TYPE_FLAGS_PERMISSIVE); 472 } else { 473 if (state->verbose) 474 INFO(state->handle, "copying type %s", id); 475 476 if ((new_id = strdup(id)) == NULL) { 477 goto cleanup; 478 } 479 480 if ((new_type = 481 (type_datum_t *) calloc(1, sizeof(*new_type))) == NULL) { 482 goto cleanup; 483 } 484 new_type->primary = type->primary; 485 new_type->flags = type->flags; 486 new_type->flavor = type->flavor; 487 /* for attributes, the writing of new_type->types is 488 done in type_fix_callback() */ 489 490 new_type->s.value = state->base->p_types.nprim + 1; 491 492 ret = hashtab_insert(state->base->p_types.table, 493 (hashtab_key_t) new_id, 494 (hashtab_datum_t) new_type); 495 if (ret) { 496 goto cleanup; 497 } 498 state->base->p_types.nprim++; 499 base_type = new_type; 500 } 501 502 if (state->dest_decl) { 503 new_id = NULL; 504 if ((new_type = calloc(1, sizeof(*new_type))) == NULL) { 505 goto cleanup; 506 } 507 new_type->primary = type->primary; 508 new_type->flavor = type->flavor; 509 new_type->flags = type->flags; 510 new_type->s.value = base_type->s.value; 511 if ((new_id = strdup(id)) == NULL) { 512 goto cleanup; 513 } 514 if (hashtab_insert 515 (state->dest_decl->p_types.table, new_id, new_type)) { 516 goto cleanup; 517 } 518 state->dest_decl->p_types.nprim++; 519 } 520 521 state->cur->map[SYM_TYPES][type->s.value - 1] = base_type->s.value; 522 return 0; 523 524 cleanup: 525 ERR(state->handle, "Out of memory!"); 526 free(new_id); 527 free(new_type); 528 return -1; 529 } 530 531 static int user_copy_callback(hashtab_key_t key, hashtab_datum_t datum, 532 void *data) 533 { 534 int ret; 535 char *id = key, *new_id = NULL; 536 user_datum_t *user, *base_user, *new_user = NULL; 537 link_state_t *state = (link_state_t *) data; 538 539 user = (user_datum_t *) datum; 540 541 base_user = hashtab_search(state->base->p_users.table, id); 542 if (base_user == NULL) { 543 if (state->verbose) 544 INFO(state->handle, "copying user %s", id); 545 546 if ((new_id = strdup(id)) == NULL) { 547 goto cleanup; 548 } 549 550 if ((new_user = 551 (user_datum_t *) malloc(sizeof(*new_user))) == NULL) { 552 goto cleanup; 553 } 554 user_datum_init(new_user); 555 /* new_users's roles and MLS fields will be copied during 556 user_fix_callback(). */ 557 558 new_user->s.value = state->base->p_users.nprim + 1; 559 560 ret = hashtab_insert(state->base->p_users.table, 561 (hashtab_key_t) new_id, 562 (hashtab_datum_t) new_user); 563 if (ret) { 564 goto cleanup; 565 } 566 state->base->p_users.nprim++; 567 base_user = new_user; 568 } 569 570 if (state->dest_decl) { 571 new_id = NULL; 572 if ((new_user = malloc(sizeof(*new_user))) == NULL) { 573 goto cleanup; 574 } 575 user_datum_init(new_user); 576 new_user->s.value = base_user->s.value; 577 if ((new_id = strdup(id)) == NULL) { 578 goto cleanup; 579 } 580 if (hashtab_insert 581 (state->dest_decl->p_users.table, new_id, new_user)) { 582 goto cleanup; 583 } 584 state->dest_decl->p_users.nprim++; 585 } 586 587 state->cur->map[SYM_USERS][user->s.value - 1] = base_user->s.value; 588 return 0; 589 590 cleanup: 591 ERR(state->handle, "Out of memory!"); 592 user_datum_destroy(new_user); 593 free(new_id); 594 free(new_user); 595 return -1; 596 } 597 598 static int bool_copy_callback(hashtab_key_t key, hashtab_datum_t datum, 599 void *data) 600 { 601 int ret; 602 char *id = key, *new_id = NULL; 603 cond_bool_datum_t *booldatum, *base_bool, *new_bool = NULL; 604 link_state_t *state = (link_state_t *) data; 605 scope_datum_t *scope; 606 607 booldatum = (cond_bool_datum_t *) datum; 608 609 base_bool = hashtab_search(state->base->p_bools.table, id); 610 if (base_bool == NULL) { 611 if (state->verbose) 612 INFO(state->handle, "copying boolean %s", id); 613 614 if ((new_id = strdup(id)) == NULL) { 615 goto cleanup; 616 } 617 618 if ((new_bool = 619 (cond_bool_datum_t *) malloc(sizeof(*new_bool))) == NULL) { 620 goto cleanup; 621 } 622 new_bool->s.value = state->base->p_bools.nprim + 1; 623 624 ret = hashtab_insert(state->base->p_bools.table, 625 (hashtab_key_t) new_id, 626 (hashtab_datum_t) new_bool); 627 if (ret) { 628 goto cleanup; 629 } 630 state->base->p_bools.nprim++; 631 base_bool = new_bool; 632 base_bool->flags = booldatum->flags; 633 } else if ((booldatum->flags & COND_BOOL_FLAGS_TUNABLE) != 634 (base_bool->flags & COND_BOOL_FLAGS_TUNABLE)) { 635 /* A mismatch between boolean/tunable declaration 636 * and usage(for example a boolean used in the 637 * tunable_policy() or vice versa). 638 * 639 * This is not allowed and bail out with errors */ 640 ERR(state->handle, 641 "%s: Mismatch between boolean/tunable definition " 642 "and usage for %s", state->cur_mod_name, id); 643 return -1; 644 } 645 646 /* Get the scope info for this boolean to see if this is the declaration, 647 * if so set the state */ 648 scope = hashtab_search(state->cur->policy->p_bools_scope.table, id); 649 if (!scope) 650 return SEPOL_ERR; 651 if (scope->scope == SCOPE_DECL) { 652 base_bool->state = booldatum->state; 653 /* Only the declaration rather than requirement 654 * decides if it is a boolean or tunable. */ 655 base_bool->flags = booldatum->flags; 656 } 657 state->cur->map[SYM_BOOLS][booldatum->s.value - 1] = base_bool->s.value; 658 return 0; 659 660 cleanup: 661 ERR(state->handle, "Out of memory!"); 662 cond_destroy_bool(new_id, new_bool, NULL); 663 return -1; 664 } 665 666 static int sens_copy_callback(hashtab_key_t key, hashtab_datum_t datum, 667 void *data) 668 { 669 char *id = key; 670 level_datum_t *level, *base_level; 671 link_state_t *state = (link_state_t *) data; 672 scope_datum_t *scope; 673 674 level = (level_datum_t *) datum; 675 676 base_level = hashtab_search(state->base->p_levels.table, id); 677 if (!base_level) { 678 scope = 679 hashtab_search(state->cur->policy->p_sens_scope.table, id); 680 if (!scope) 681 return SEPOL_ERR; 682 if (scope->scope == SCOPE_DECL) { 683 /* disallow declarations in modules */ 684 ERR(state->handle, 685 "%s: Modules may not declare new sensitivities.", 686 state->cur_mod_name); 687 return SEPOL_ENOTSUP; 688 } else if (scope->scope == SCOPE_REQ) { 689 /* unmet requirement */ 690 ERR(state->handle, 691 "%s: Sensitivity %s not declared by base.", 692 state->cur_mod_name, id); 693 return SEPOL_ENOTSUP; 694 } else { 695 ERR(state->handle, 696 "%s: has an unknown scope: %d\n", 697 state->cur_mod_name, scope->scope); 698 return SEPOL_ENOTSUP; 699 } 700 } 701 702 state->cur->map[SYM_LEVELS][level->level->sens - 1] = 703 base_level->level->sens; 704 705 return 0; 706 } 707 708 static int cat_copy_callback(hashtab_key_t key, hashtab_datum_t datum, 709 void *data) 710 { 711 char *id = key; 712 cat_datum_t *cat, *base_cat; 713 link_state_t *state = (link_state_t *) data; 714 scope_datum_t *scope; 715 716 cat = (cat_datum_t *) datum; 717 718 base_cat = hashtab_search(state->base->p_cats.table, id); 719 if (!base_cat) { 720 scope = hashtab_search(state->cur->policy->p_cat_scope.table, id); 721 if (!scope) 722 return SEPOL_ERR; 723 if (scope->scope == SCOPE_DECL) { 724 /* disallow declarations in modules */ 725 ERR(state->handle, 726 "%s: Modules may not declare new categories.", 727 state->cur_mod_name); 728 return SEPOL_ENOTSUP; 729 } else if (scope->scope == SCOPE_REQ) { 730 /* unmet requirement */ 731 ERR(state->handle, 732 "%s: Category %s not declared by base.", 733 state->cur_mod_name, id); 734 return SEPOL_ENOTSUP; 735 } else { 736 /* unknown scope? malformed policy? */ 737 ERR(state->handle, 738 "%s: has an unknown scope: %d\n", 739 state->cur_mod_name, scope->scope); 740 return SEPOL_ENOTSUP; 741 } 742 } 743 744 state->cur->map[SYM_CATS][cat->s.value - 1] = base_cat->s.value; 745 746 return 0; 747 } 748 749 static int (*copy_callback_f[SYM_NUM]) (hashtab_key_t key, 750 hashtab_datum_t datum, void *datap) = { 751 NULL, class_copy_callback, role_copy_callback, type_copy_callback, 752 user_copy_callback, bool_copy_callback, sens_copy_callback, 753 cat_copy_callback}; 754 755 /* 756 * The boundaries have to be copied after the types/roles/users are copied, 757 * because it refers hashtab to lookup destinated objects. 758 */ 759 static int type_bounds_copy_callback(hashtab_key_t key, 760 hashtab_datum_t datum, void *data) 761 { 762 link_state_t *state = (link_state_t *) data; 763 type_datum_t *type = (type_datum_t *) datum; 764 type_datum_t *dest; 765 uint32_t bounds_val; 766 767 if (!type->bounds) 768 return 0; 769 770 bounds_val = state->cur->map[SYM_TYPES][type->bounds - 1]; 771 772 dest = hashtab_search(state->base->p_types.table, key); 773 if (!dest) { 774 ERR(state->handle, 775 "Type lookup failed for %s", (char *)key); 776 return -1; 777 } 778 if (dest->bounds != 0 && dest->bounds != bounds_val) { 779 ERR(state->handle, 780 "Inconsistent boundary for %s", (char *)key); 781 return -1; 782 } 783 dest->bounds = bounds_val; 784 785 return 0; 786 } 787 788 static int role_bounds_copy_callback(hashtab_key_t key, 789 hashtab_datum_t datum, void *data) 790 { 791 link_state_t *state = (link_state_t *) data; 792 role_datum_t *role = (role_datum_t *) datum; 793 role_datum_t *dest; 794 uint32_t bounds_val; 795 796 if (!role->bounds) 797 return 0; 798 799 bounds_val = state->cur->map[SYM_ROLES][role->bounds - 1]; 800 801 dest = hashtab_search(state->base->p_roles.table, key); 802 if (!dest) { 803 ERR(state->handle, 804 "Role lookup failed for %s", (char *)key); 805 return -1; 806 } 807 if (dest->bounds != 0 && dest->bounds != bounds_val) { 808 ERR(state->handle, 809 "Inconsistent boundary for %s", (char *)key); 810 return -1; 811 } 812 dest->bounds = bounds_val; 813 814 return 0; 815 } 816 817 static int user_bounds_copy_callback(hashtab_key_t key, 818 hashtab_datum_t datum, void *data) 819 { 820 link_state_t *state = (link_state_t *) data; 821 user_datum_t *user = (user_datum_t *) datum; 822 user_datum_t *dest; 823 uint32_t bounds_val; 824 825 if (!user->bounds) 826 return 0; 827 828 bounds_val = state->cur->map[SYM_USERS][user->bounds - 1]; 829 830 dest = hashtab_search(state->base->p_users.table, key); 831 if (!dest) { 832 ERR(state->handle, 833 "User lookup failed for %s", (char *)key); 834 return -1; 835 } 836 if (dest->bounds != 0 && dest->bounds != bounds_val) { 837 ERR(state->handle, 838 "Inconsistent boundary for %s", (char *)key); 839 return -1; 840 } 841 dest->bounds = bounds_val; 842 843 return 0; 844 } 845 846 /* The aliases have to be copied after the types and attributes to be 847 * certain that the base symbol table will have the type that the 848 * alias refers. Otherwise, we won't be able to find the type value 849 * for the alias. We can't depend on the declaration ordering because 850 * of the hash table. 851 */ 852 static int alias_copy_callback(hashtab_key_t key, hashtab_datum_t datum, 853 void *data) 854 { 855 char *id = key, *new_id = NULL, *target_id; 856 type_datum_t *type, *base_type, *new_type = NULL, *target_type; 857 link_state_t *state = (link_state_t *) data; 858 policy_module_t *mod = state->cur; 859 int primval; 860 861 type = (type_datum_t *) datum; 862 /* there are 2 kinds of aliases. Ones with their own value (TYPE_ALIAS) 863 * and ones with the value of their primary (TYPE_TYPE && type->primary = 0) 864 */ 865 if (! 866 (type->flavor == TYPE_ALIAS 867 || (type->flavor == TYPE_TYPE && !type->primary))) { 868 /* ignore types and attributes -- they were handled in 869 * type_copy_callback() */ 870 return 0; 871 } 872 873 if (type->flavor == TYPE_ALIAS) 874 primval = type->primary; 875 else 876 primval = type->s.value; 877 878 target_id = mod->policy->p_type_val_to_name[primval - 1]; 879 target_type = hashtab_search(state->base->p_types.table, target_id); 880 if (target_type == NULL) { 881 ERR(state->handle, "%s: Could not find type %s for alias %s.", 882 state->cur_mod_name, target_id, id); 883 return -1; 884 } 885 886 if (!strcmp(id, target_id)) { 887 ERR(state->handle, "%s: Self aliasing of %s.", 888 state->cur_mod_name, id); 889 return -1; 890 } 891 892 target_type->flags |= (type->flags & TYPE_FLAGS_PERMISSIVE); 893 894 base_type = hashtab_search(state->base->p_types.table, id); 895 if (base_type == NULL) { 896 if (state->verbose) 897 INFO(state->handle, "copying alias %s", id); 898 899 if ((new_type = 900 (type_datum_t *) calloc(1, sizeof(*new_type))) == NULL) { 901 goto cleanup; 902 } 903 /* the linked copy always has TYPE_ALIAS style aliases */ 904 new_type->primary = target_type->s.value; 905 new_type->flags = target_type->flags; 906 new_type->flavor = TYPE_ALIAS; 907 new_type->s.value = state->base->p_types.nprim + 1; 908 if ((new_id = strdup(id)) == NULL) { 909 goto cleanup; 910 } 911 if (hashtab_insert 912 (state->base->p_types.table, new_id, new_type)) { 913 goto cleanup; 914 } 915 state->base->p_types.nprim++; 916 base_type = new_type; 917 } else { 918 919 /* if this already exists and isn't an alias it was required by another module (or base) 920 * and inserted into the hashtable as a type, fix it up now */ 921 922 if (base_type->flavor == TYPE_ALIAS) { 923 /* error checking */ 924 assert(base_type->primary == target_type->s.value); 925 assert(base_type->primary == 926 mod->map[SYM_TYPES][primval - 1]); 927 assert(mod->map[SYM_TYPES][type->s.value - 1] == 928 base_type->primary); 929 return 0; 930 } 931 932 if (base_type->flavor == TYPE_ATTRIB) { 933 ERR(state->handle, 934 "%s is an alias of an attribute, not allowed", id); 935 return -1; 936 } 937 938 base_type->flavor = TYPE_ALIAS; 939 base_type->primary = target_type->s.value; 940 base_type->flags |= (target_type->flags & TYPE_FLAGS_PERMISSIVE); 941 942 } 943 /* the aliases map points from its value to its primary so when this module 944 * references this type the value it gets back from the map is the primary */ 945 mod->map[SYM_TYPES][type->s.value - 1] = base_type->primary; 946 947 return 0; 948 949 cleanup: 950 ERR(state->handle, "Out of memory!"); 951 free(new_id); 952 free(new_type); 953 return -1; 954 } 955 956 /*********** callbacks that fix bitmaps ***********/ 957 958 static int type_set_convert(type_set_t * types, type_set_t * dst, 959 policy_module_t * mod, link_state_t * state 960 __attribute__ ((unused))) 961 { 962 unsigned int i; 963 ebitmap_node_t *tnode; 964 ebitmap_for_each_bit(&types->types, tnode, i) { 965 if (ebitmap_node_get_bit(tnode, i)) { 966 assert(mod->map[SYM_TYPES][i]); 967 if (ebitmap_set_bit 968 (&dst->types, mod->map[SYM_TYPES][i] - 1, 1)) { 969 goto cleanup; 970 } 971 } 972 } 973 ebitmap_for_each_bit(&types->negset, tnode, i) { 974 if (ebitmap_node_get_bit(tnode, i)) { 975 assert(mod->map[SYM_TYPES][i]); 976 if (ebitmap_set_bit 977 (&dst->negset, mod->map[SYM_TYPES][i] - 1, 1)) { 978 goto cleanup; 979 } 980 } 981 } 982 dst->flags = types->flags; 983 return 0; 984 985 cleanup: 986 return -1; 987 } 988 989 /* OR 2 typemaps together and at the same time map the src types to 990 * the correct values in the dst typeset. 991 */ 992 static int type_set_or_convert(type_set_t * types, type_set_t * dst, 993 policy_module_t * mod, link_state_t * state) 994 { 995 type_set_t ts_tmp; 996 997 type_set_init(&ts_tmp); 998 if (type_set_convert(types, &ts_tmp, mod, state) == -1) { 999 goto cleanup; 1000 } 1001 if (type_set_or_eq(dst, &ts_tmp)) { 1002 goto cleanup; 1003 } 1004 type_set_destroy(&ts_tmp); 1005 return 0; 1006 1007 cleanup: 1008 ERR(state->handle, "Out of memory!"); 1009 type_set_destroy(&ts_tmp); 1010 return -1; 1011 } 1012 1013 static int role_set_or_convert(role_set_t * roles, role_set_t * dst, 1014 policy_module_t * mod, link_state_t * state) 1015 { 1016 unsigned int i; 1017 ebitmap_t tmp; 1018 ebitmap_node_t *rnode; 1019 1020 ebitmap_init(&tmp); 1021 ebitmap_for_each_bit(&roles->roles, rnode, i) { 1022 if (ebitmap_node_get_bit(rnode, i)) { 1023 assert(mod->map[SYM_ROLES][i]); 1024 if (ebitmap_set_bit 1025 (&tmp, mod->map[SYM_ROLES][i] - 1, 1)) { 1026 goto cleanup; 1027 } 1028 } 1029 } 1030 if (ebitmap_union(&dst->roles, &tmp)) { 1031 goto cleanup; 1032 } 1033 dst->flags |= roles->flags; 1034 ebitmap_destroy(&tmp); 1035 return 0; 1036 cleanup: 1037 ERR(state->handle, "Out of memory!"); 1038 ebitmap_destroy(&tmp); 1039 return -1; 1040 } 1041 1042 static int mls_level_convert(mls_semantic_level_t * src, mls_semantic_level_t * dst, 1043 policy_module_t * mod, link_state_t * state) 1044 { 1045 mls_semantic_cat_t *src_cat, *new_cat; 1046 1047 if (!mod->policy->mls) 1048 return 0; 1049 1050 /* Required not declared. */ 1051 if (!src->sens) 1052 return 0; 1053 1054 assert(mod->map[SYM_LEVELS][src->sens - 1]); 1055 dst->sens = mod->map[SYM_LEVELS][src->sens - 1]; 1056 1057 for (src_cat = src->cat; src_cat; src_cat = src_cat->next) { 1058 new_cat = 1059 (mls_semantic_cat_t *) malloc(sizeof(mls_semantic_cat_t)); 1060 if (!new_cat) { 1061 ERR(state->handle, "Out of memory"); 1062 return -1; 1063 } 1064 mls_semantic_cat_init(new_cat); 1065 1066 new_cat->next = dst->cat; 1067 dst->cat = new_cat; 1068 1069 assert(mod->map[SYM_CATS][src_cat->low - 1]); 1070 dst->cat->low = mod->map[SYM_CATS][src_cat->low - 1]; 1071 assert(mod->map[SYM_CATS][src_cat->high - 1]); 1072 dst->cat->high = mod->map[SYM_CATS][src_cat->high - 1]; 1073 } 1074 1075 return 0; 1076 } 1077 1078 static int mls_range_convert(mls_semantic_range_t * src, mls_semantic_range_t * dst, 1079 policy_module_t * mod, link_state_t * state) 1080 { 1081 int ret; 1082 ret = mls_level_convert(&src->level[0], &dst->level[0], mod, state); 1083 if (ret) 1084 return ret; 1085 ret = mls_level_convert(&src->level[1], &dst->level[1], mod, state); 1086 if (ret) 1087 return ret; 1088 return 0; 1089 } 1090 1091 static int role_fix_callback(hashtab_key_t key, hashtab_datum_t datum, 1092 void *data) 1093 { 1094 unsigned int i; 1095 char *id = key; 1096 role_datum_t *role, *dest_role = NULL; 1097 link_state_t *state = (link_state_t *) data; 1098 ebitmap_t e_tmp; 1099 policy_module_t *mod = state->cur; 1100 ebitmap_node_t *rnode; 1101 hashtab_t role_tab; 1102 1103 role = (role_datum_t *) datum; 1104 if (state->dest_decl == NULL) 1105 role_tab = state->base->p_roles.table; 1106 else 1107 role_tab = state->dest_decl->p_roles.table; 1108 1109 dest_role = hashtab_search(role_tab, id); 1110 assert(dest_role != NULL); 1111 1112 if (state->verbose) { 1113 INFO(state->handle, "fixing role %s", id); 1114 } 1115 1116 ebitmap_init(&e_tmp); 1117 ebitmap_for_each_bit(&role->dominates, rnode, i) { 1118 if (ebitmap_node_get_bit(rnode, i)) { 1119 assert(mod->map[SYM_ROLES][i]); 1120 if (ebitmap_set_bit 1121 (&e_tmp, mod->map[SYM_ROLES][i] - 1, 1)) { 1122 goto cleanup; 1123 } 1124 } 1125 } 1126 if (ebitmap_union(&dest_role->dominates, &e_tmp)) { 1127 goto cleanup; 1128 } 1129 if (type_set_or_convert(&role->types, &dest_role->types, mod, state)) { 1130 goto cleanup; 1131 } 1132 ebitmap_destroy(&e_tmp); 1133 1134 if (role->flavor == ROLE_ATTRIB) { 1135 ebitmap_init(&e_tmp); 1136 ebitmap_for_each_bit(&role->roles, rnode, i) { 1137 if (ebitmap_node_get_bit(rnode, i)) { 1138 assert(mod->map[SYM_ROLES][i]); 1139 if (ebitmap_set_bit 1140 (&e_tmp, mod->map[SYM_ROLES][i] - 1, 1)) { 1141 goto cleanup; 1142 } 1143 } 1144 } 1145 if (ebitmap_union(&dest_role->roles, &e_tmp)) { 1146 goto cleanup; 1147 } 1148 ebitmap_destroy(&e_tmp); 1149 } 1150 1151 return 0; 1152 1153 cleanup: 1154 ERR(state->handle, "Out of memory!"); 1155 ebitmap_destroy(&e_tmp); 1156 return -1; 1157 } 1158 1159 static int type_fix_callback(hashtab_key_t key, hashtab_datum_t datum, 1160 void *data) 1161 { 1162 unsigned int i; 1163 char *id = key; 1164 type_datum_t *type, *new_type = NULL; 1165 link_state_t *state = (link_state_t *) data; 1166 ebitmap_t e_tmp; 1167 policy_module_t *mod = state->cur; 1168 ebitmap_node_t *tnode; 1169 symtab_t *typetab; 1170 1171 type = (type_datum_t *) datum; 1172 1173 if (state->dest_decl == NULL) 1174 typetab = &state->base->p_types; 1175 else 1176 typetab = &state->dest_decl->p_types; 1177 1178 /* only fix attributes */ 1179 if (type->flavor != TYPE_ATTRIB) { 1180 return 0; 1181 } 1182 1183 new_type = hashtab_search(typetab->table, id); 1184 assert(new_type != NULL && new_type->flavor == TYPE_ATTRIB); 1185 1186 if (state->verbose) { 1187 INFO(state->handle, "fixing attribute %s", id); 1188 } 1189 1190 ebitmap_init(&e_tmp); 1191 ebitmap_for_each_bit(&type->types, tnode, i) { 1192 if (ebitmap_node_get_bit(tnode, i)) { 1193 assert(mod->map[SYM_TYPES][i]); 1194 if (ebitmap_set_bit 1195 (&e_tmp, mod->map[SYM_TYPES][i] - 1, 1)) { 1196 goto cleanup; 1197 } 1198 } 1199 } 1200 if (ebitmap_union(&new_type->types, &e_tmp)) { 1201 goto cleanup; 1202 } 1203 ebitmap_destroy(&e_tmp); 1204 return 0; 1205 1206 cleanup: 1207 ERR(state->handle, "Out of memory!"); 1208 ebitmap_destroy(&e_tmp); 1209 return -1; 1210 } 1211 1212 static int user_fix_callback(hashtab_key_t key, hashtab_datum_t datum, 1213 void *data) 1214 { 1215 char *id = key; 1216 user_datum_t *user, *new_user = NULL; 1217 link_state_t *state = (link_state_t *) data; 1218 policy_module_t *mod = state->cur; 1219 symtab_t *usertab; 1220 1221 user = (user_datum_t *) datum; 1222 1223 if (state->dest_decl == NULL) 1224 usertab = &state->base->p_users; 1225 else 1226 usertab = &state->dest_decl->p_users; 1227 1228 new_user = hashtab_search(usertab->table, id); 1229 assert(new_user != NULL); 1230 1231 if (state->verbose) { 1232 INFO(state->handle, "fixing user %s", id); 1233 } 1234 1235 if (role_set_or_convert(&user->roles, &new_user->roles, mod, state)) { 1236 goto cleanup; 1237 } 1238 1239 if (mls_range_convert(&user->range, &new_user->range, mod, state)) 1240 goto cleanup; 1241 1242 if (mls_level_convert(&user->dfltlevel, &new_user->dfltlevel, mod, state)) 1243 goto cleanup; 1244 1245 return 0; 1246 1247 cleanup: 1248 ERR(state->handle, "Out of memory!"); 1249 return -1; 1250 } 1251 1252 static int (*fix_callback_f[SYM_NUM]) (hashtab_key_t key, hashtab_datum_t datum, 1253 void *datap) = { 1254 NULL, NULL, role_fix_callback, type_fix_callback, user_fix_callback, 1255 NULL, NULL, NULL}; 1256 1257 /*********** functions that copy AV rules ***********/ 1258 1259 static int copy_avrule_list(avrule_t * list, avrule_t ** dst, 1260 policy_module_t * module, link_state_t * state) 1261 { 1262 unsigned int i; 1263 avrule_t *cur, *new_rule = NULL, *tail; 1264 class_perm_node_t *cur_perm, *new_perm, *tail_perm = NULL; 1265 1266 tail = *dst; 1267 while (tail && tail->next) { 1268 tail = tail->next; 1269 } 1270 1271 cur = list; 1272 while (cur) { 1273 if ((new_rule = (avrule_t *) malloc(sizeof(avrule_t))) == NULL) { 1274 goto cleanup; 1275 } 1276 avrule_init(new_rule); 1277 1278 new_rule->specified = cur->specified; 1279 new_rule->flags = cur->flags; 1280 if (type_set_convert 1281 (&cur->stypes, &new_rule->stypes, module, state) == -1 1282 || type_set_convert(&cur->ttypes, &new_rule->ttypes, module, 1283 state) == -1) { 1284 goto cleanup; 1285 } 1286 1287 cur_perm = cur->perms; 1288 tail_perm = NULL; 1289 while (cur_perm) { 1290 if ((new_perm = (class_perm_node_t *) 1291 malloc(sizeof(class_perm_node_t))) == NULL) { 1292 goto cleanup; 1293 } 1294 class_perm_node_init(new_perm); 1295 1296 new_perm->class = 1297 module->map[SYM_CLASSES][cur_perm->class - 1]; 1298 assert(new_perm->class); 1299 1300 if (new_rule->specified & AVRULE_AV) { 1301 for (i = 0; 1302 i < 1303 module->perm_map_len[cur_perm->class - 1]; 1304 i++) { 1305 if (!(cur_perm->data & (1U << i))) 1306 continue; 1307 new_perm->data |= 1308 (1U << 1309 (module-> 1310 perm_map[cur_perm->class - 1][i] - 1311 1)); 1312 } 1313 } else { 1314 new_perm->data = 1315 module->map[SYM_TYPES][cur_perm->data - 1]; 1316 } 1317 1318 if (new_rule->perms == NULL) { 1319 new_rule->perms = new_perm; 1320 } else { 1321 assert(tail_perm); 1322 tail_perm->next = new_perm; 1323 } 1324 tail_perm = new_perm; 1325 cur_perm = cur_perm->next; 1326 } 1327 new_rule->line = cur->line; 1328 new_rule->source_line = cur->source_line; 1329 if (cur->source_filename) { 1330 new_rule->source_filename = strdup(cur->source_filename); 1331 if (!new_rule->source_filename) 1332 goto cleanup; 1333 } 1334 1335 cur = cur->next; 1336 1337 if (*dst == NULL) { 1338 *dst = new_rule; 1339 } else { 1340 tail->next = new_rule; 1341 } 1342 tail = new_rule; 1343 } 1344 1345 return 0; 1346 cleanup: 1347 ERR(state->handle, "Out of memory!"); 1348 avrule_destroy(new_rule); 1349 free(new_rule); 1350 return -1; 1351 } 1352 1353 static int copy_role_trans_list(role_trans_rule_t * list, 1354 role_trans_rule_t ** dst, 1355 policy_module_t * module, link_state_t * state) 1356 { 1357 role_trans_rule_t *cur, *new_rule = NULL, *tail; 1358 unsigned int i; 1359 ebitmap_node_t *cnode; 1360 1361 cur = list; 1362 tail = *dst; 1363 while (tail && tail->next) { 1364 tail = tail->next; 1365 } 1366 while (cur) { 1367 if ((new_rule = 1368 (role_trans_rule_t *) malloc(sizeof(role_trans_rule_t))) == 1369 NULL) { 1370 goto cleanup; 1371 } 1372 role_trans_rule_init(new_rule); 1373 1374 if (role_set_or_convert 1375 (&cur->roles, &new_rule->roles, module, state) 1376 || type_set_or_convert(&cur->types, &new_rule->types, 1377 module, state)) { 1378 goto cleanup; 1379 } 1380 1381 ebitmap_for_each_bit(&cur->classes, cnode, i) { 1382 if (ebitmap_node_get_bit(cnode, i)) { 1383 assert(module->map[SYM_CLASSES][i]); 1384 if (ebitmap_set_bit(&new_rule->classes, 1385 module-> 1386 map[SYM_CLASSES][i] - 1, 1387 1)) { 1388 goto cleanup; 1389 } 1390 } 1391 } 1392 1393 new_rule->new_role = module->map[SYM_ROLES][cur->new_role - 1]; 1394 1395 if (*dst == NULL) { 1396 *dst = new_rule; 1397 } else { 1398 tail->next = new_rule; 1399 } 1400 tail = new_rule; 1401 cur = cur->next; 1402 } 1403 return 0; 1404 cleanup: 1405 ERR(state->handle, "Out of memory!"); 1406 role_trans_rule_list_destroy(new_rule); 1407 return -1; 1408 } 1409 1410 static int copy_role_allow_list(role_allow_rule_t * list, 1411 role_allow_rule_t ** dst, 1412 policy_module_t * module, link_state_t * state) 1413 { 1414 role_allow_rule_t *cur, *new_rule = NULL, *tail; 1415 1416 cur = list; 1417 tail = *dst; 1418 while (tail && tail->next) { 1419 tail = tail->next; 1420 } 1421 1422 while (cur) { 1423 if ((new_rule = 1424 (role_allow_rule_t *) malloc(sizeof(role_allow_rule_t))) == 1425 NULL) { 1426 goto cleanup; 1427 } 1428 role_allow_rule_init(new_rule); 1429 1430 if (role_set_or_convert 1431 (&cur->roles, &new_rule->roles, module, state) 1432 || role_set_or_convert(&cur->new_roles, 1433 &new_rule->new_roles, module, 1434 state)) { 1435 goto cleanup; 1436 } 1437 if (*dst == NULL) { 1438 *dst = new_rule; 1439 } else { 1440 tail->next = new_rule; 1441 } 1442 tail = new_rule; 1443 cur = cur->next; 1444 } 1445 return 0; 1446 cleanup: 1447 ERR(state->handle, "Out of memory!"); 1448 role_allow_rule_list_destroy(new_rule); 1449 return -1; 1450 } 1451 1452 static int copy_filename_trans_list(filename_trans_rule_t * list, 1453 filename_trans_rule_t ** dst, 1454 policy_module_t * module, 1455 link_state_t * state) 1456 { 1457 filename_trans_rule_t *cur, *new_rule, *tail; 1458 1459 cur = list; 1460 tail = *dst; 1461 while (tail && tail->next) 1462 tail = tail->next; 1463 1464 while (cur) { 1465 new_rule = malloc(sizeof(*new_rule)); 1466 if (!new_rule) 1467 goto err; 1468 1469 filename_trans_rule_init(new_rule); 1470 1471 if (*dst == NULL) 1472 *dst = new_rule; 1473 else 1474 tail->next = new_rule; 1475 tail = new_rule; 1476 1477 new_rule->name = strdup(cur->name); 1478 if (!new_rule->name) 1479 goto err; 1480 1481 if (type_set_or_convert(&cur->stypes, &new_rule->stypes, module, state) || 1482 type_set_or_convert(&cur->ttypes, &new_rule->ttypes, module, state)) 1483 goto err; 1484 1485 new_rule->tclass = module->map[SYM_CLASSES][cur->tclass - 1]; 1486 new_rule->otype = module->map[SYM_TYPES][cur->otype - 1]; 1487 1488 cur = cur->next; 1489 } 1490 return 0; 1491 err: 1492 ERR(state->handle, "Out of memory!"); 1493 return -1; 1494 } 1495 1496 static int copy_range_trans_list(range_trans_rule_t * rules, 1497 range_trans_rule_t ** dst, 1498 policy_module_t * mod, link_state_t * state) 1499 { 1500 range_trans_rule_t *rule, *new_rule = NULL; 1501 unsigned int i; 1502 ebitmap_node_t *cnode; 1503 1504 for (rule = rules; rule; rule = rule->next) { 1505 new_rule = 1506 (range_trans_rule_t *) malloc(sizeof(range_trans_rule_t)); 1507 if (!new_rule) 1508 goto cleanup; 1509 1510 range_trans_rule_init(new_rule); 1511 1512 new_rule->next = *dst; 1513 *dst = new_rule; 1514 1515 if (type_set_convert(&rule->stypes, &new_rule->stypes, 1516 mod, state)) 1517 goto cleanup; 1518 1519 if (type_set_convert(&rule->ttypes, &new_rule->ttypes, 1520 mod, state)) 1521 goto cleanup; 1522 1523 ebitmap_for_each_bit(&rule->tclasses, cnode, i) { 1524 if (ebitmap_node_get_bit(cnode, i)) { 1525 assert(mod->map[SYM_CLASSES][i]); 1526 if (ebitmap_set_bit 1527 (&new_rule->tclasses, 1528 mod->map[SYM_CLASSES][i] - 1, 1)) { 1529 goto cleanup; 1530 } 1531 } 1532 } 1533 1534 if (mls_range_convert(&rule->trange, &new_rule->trange, mod, state)) 1535 goto cleanup; 1536 } 1537 return 0; 1538 1539 cleanup: 1540 ERR(state->handle, "Out of memory!"); 1541 range_trans_rule_list_destroy(new_rule); 1542 return -1; 1543 } 1544 1545 static int copy_cond_list(cond_node_t * list, cond_node_t ** dst, 1546 policy_module_t * module, link_state_t * state) 1547 { 1548 unsigned i; 1549 cond_node_t *cur, *new_node = NULL, *tail; 1550 cond_expr_t *cur_expr; 1551 tail = *dst; 1552 while (tail && tail->next) 1553 tail = tail->next; 1554 1555 cur = list; 1556 while (cur) { 1557 new_node = (cond_node_t *) malloc(sizeof(cond_node_t)); 1558 if (!new_node) { 1559 goto cleanup; 1560 } 1561 memset(new_node, 0, sizeof(cond_node_t)); 1562 1563 new_node->cur_state = cur->cur_state; 1564 new_node->expr = cond_copy_expr(cur->expr); 1565 if (!new_node->expr) 1566 goto cleanup; 1567 /* go back through and remap the expression */ 1568 for (cur_expr = new_node->expr; cur_expr != NULL; 1569 cur_expr = cur_expr->next) { 1570 /* expression nodes don't have a bool value of 0 - don't map them */ 1571 if (cur_expr->expr_type != COND_BOOL) 1572 continue; 1573 assert(module->map[SYM_BOOLS][cur_expr->bool - 1] != 0); 1574 cur_expr->bool = 1575 module->map[SYM_BOOLS][cur_expr->bool - 1]; 1576 } 1577 new_node->nbools = cur->nbools; 1578 /* FIXME should COND_MAX_BOOLS be used here? */ 1579 for (i = 0; i < min(cur->nbools, COND_MAX_BOOLS); i++) { 1580 uint32_t remapped_id = 1581 module->map[SYM_BOOLS][cur->bool_ids[i] - 1]; 1582 assert(remapped_id != 0); 1583 new_node->bool_ids[i] = remapped_id; 1584 } 1585 new_node->expr_pre_comp = cur->expr_pre_comp; 1586 1587 if (copy_avrule_list 1588 (cur->avtrue_list, &new_node->avtrue_list, module, state) 1589 || copy_avrule_list(cur->avfalse_list, 1590 &new_node->avfalse_list, module, 1591 state)) { 1592 goto cleanup; 1593 } 1594 1595 if (*dst == NULL) { 1596 *dst = new_node; 1597 } else { 1598 tail->next = new_node; 1599 } 1600 tail = new_node; 1601 cur = cur->next; 1602 } 1603 return 0; 1604 cleanup: 1605 ERR(state->handle, "Out of memory!"); 1606 cond_node_destroy(new_node); 1607 free(new_node); 1608 return -1; 1609 1610 } 1611 1612 /*********** functions that copy avrule_decls from module to base ***********/ 1613 1614 static int copy_identifiers(link_state_t * state, symtab_t * src_symtab, 1615 avrule_decl_t * dest_decl) 1616 { 1617 int i, ret; 1618 1619 state->dest_decl = dest_decl; 1620 for (i = 0; i < SYM_NUM; i++) { 1621 if (copy_callback_f[i] != NULL) { 1622 ret = 1623 hashtab_map(src_symtab[i].table, copy_callback_f[i], 1624 state); 1625 if (ret) { 1626 return ret; 1627 } 1628 } 1629 } 1630 1631 if (hashtab_map(src_symtab[SYM_TYPES].table, 1632 type_bounds_copy_callback, state)) 1633 return -1; 1634 1635 if (hashtab_map(src_symtab[SYM_TYPES].table, 1636 alias_copy_callback, state)) 1637 return -1; 1638 1639 if (hashtab_map(src_symtab[SYM_ROLES].table, 1640 role_bounds_copy_callback, state)) 1641 return -1; 1642 1643 if (hashtab_map(src_symtab[SYM_USERS].table, 1644 user_bounds_copy_callback, state)) 1645 return -1; 1646 1647 /* then fix bitmaps associated with those newly copied identifiers */ 1648 for (i = 0; i < SYM_NUM; i++) { 1649 if (fix_callback_f[i] != NULL && 1650 hashtab_map(src_symtab[i].table, fix_callback_f[i], 1651 state)) { 1652 return -1; 1653 } 1654 } 1655 return 0; 1656 } 1657 1658 static int copy_scope_index(scope_index_t * src, scope_index_t * dest, 1659 policy_module_t * module, link_state_t * state) 1660 { 1661 unsigned int i, j; 1662 uint32_t largest_mapped_class_value = 0; 1663 ebitmap_node_t *node; 1664 /* copy the scoping information for this avrule decl block */ 1665 for (i = 0; i < SYM_NUM; i++) { 1666 ebitmap_t *srcmap = src->scope + i; 1667 ebitmap_t *destmap = dest->scope + i; 1668 if (copy_callback_f[i] == NULL) { 1669 continue; 1670 } 1671 ebitmap_for_each_bit(srcmap, node, j) { 1672 if (ebitmap_node_get_bit(node, j)) { 1673 assert(module->map[i][j] != 0); 1674 if (ebitmap_set_bit 1675 (destmap, module->map[i][j] - 1, 1) != 0) { 1676 1677 goto cleanup; 1678 } 1679 if (i == SYM_CLASSES && 1680 largest_mapped_class_value < 1681 module->map[SYM_CLASSES][j]) { 1682 largest_mapped_class_value = 1683 module->map[SYM_CLASSES][j]; 1684 } 1685 } 1686 } 1687 } 1688 1689 /* next copy the enabled permissions data */ 1690 if ((dest->class_perms_map = malloc(largest_mapped_class_value * 1691 sizeof(*dest->class_perms_map))) == 1692 NULL) { 1693 goto cleanup; 1694 } 1695 for (i = 0; i < largest_mapped_class_value; i++) { 1696 ebitmap_init(dest->class_perms_map + i); 1697 } 1698 dest->class_perms_len = largest_mapped_class_value; 1699 for (i = 0; i < src->class_perms_len; i++) { 1700 ebitmap_t *srcmap = src->class_perms_map + i; 1701 ebitmap_t *destmap = 1702 dest->class_perms_map + module->map[SYM_CLASSES][i] - 1; 1703 ebitmap_for_each_bit(srcmap, node, j) { 1704 if (ebitmap_node_get_bit(node, j) && 1705 ebitmap_set_bit(destmap, module->perm_map[i][j] - 1, 1706 1)) { 1707 goto cleanup; 1708 } 1709 } 1710 } 1711 1712 return 0; 1713 1714 cleanup: 1715 ERR(state->handle, "Out of memory!"); 1716 return -1; 1717 } 1718 1719 static int copy_avrule_decl(link_state_t * state, policy_module_t * module, 1720 avrule_decl_t * src_decl, avrule_decl_t * dest_decl) 1721 { 1722 int ret; 1723 1724 /* copy all of the RBAC and TE rules */ 1725 if (copy_avrule_list 1726 (src_decl->avrules, &dest_decl->avrules, module, state) == -1 1727 || copy_role_trans_list(src_decl->role_tr_rules, 1728 &dest_decl->role_tr_rules, module, 1729 state) == -1 1730 || copy_role_allow_list(src_decl->role_allow_rules, 1731 &dest_decl->role_allow_rules, module, 1732 state) == -1 1733 || copy_cond_list(src_decl->cond_list, &dest_decl->cond_list, 1734 module, state) == -1) { 1735 return -1; 1736 } 1737 1738 if (copy_filename_trans_list(src_decl->filename_trans_rules, 1739 &dest_decl->filename_trans_rules, 1740 module, state)) 1741 return -1; 1742 1743 if (copy_range_trans_list(src_decl->range_tr_rules, 1744 &dest_decl->range_tr_rules, module, state)) 1745 return -1; 1746 1747 /* finally copy any identifiers local to this declaration */ 1748 ret = copy_identifiers(state, src_decl->symtab, dest_decl); 1749 if (ret < 0) { 1750 return ret; 1751 } 1752 1753 /* then copy required and declared scope indices here */ 1754 if (copy_scope_index(&src_decl->required, &dest_decl->required, 1755 module, state) == -1 || 1756 copy_scope_index(&src_decl->declared, &dest_decl->declared, 1757 module, state) == -1) { 1758 return -1; 1759 } 1760 1761 return 0; 1762 } 1763 1764 static int copy_avrule_block(link_state_t * state, policy_module_t * module, 1765 avrule_block_t * block) 1766 { 1767 avrule_block_t *new_block = avrule_block_create(); 1768 avrule_decl_t *decl, *last_decl = NULL; 1769 int ret; 1770 1771 if (new_block == NULL) { 1772 ERR(state->handle, "Out of memory!"); 1773 ret = -1; 1774 goto cleanup; 1775 } 1776 1777 new_block->flags = block->flags; 1778 1779 for (decl = block->branch_list; decl != NULL; decl = decl->next) { 1780 avrule_decl_t *new_decl = 1781 avrule_decl_create(state->next_decl_id); 1782 if (new_decl == NULL) { 1783 ERR(state->handle, "Out of memory!"); 1784 ret = -1; 1785 goto cleanup; 1786 } 1787 1788 if (module->policy->name != NULL) { 1789 new_decl->module_name = strdup(module->policy->name); 1790 if (new_decl->module_name == NULL) { 1791 ERR(state->handle, "Out of memory\n"); 1792 avrule_decl_destroy(new_decl); 1793 ret = -1; 1794 goto cleanup; 1795 } 1796 } 1797 1798 if (last_decl == NULL) { 1799 new_block->branch_list = new_decl; 1800 } else { 1801 last_decl->next = new_decl; 1802 } 1803 last_decl = new_decl; 1804 state->base->decl_val_to_struct[state->next_decl_id - 1] = 1805 new_decl; 1806 state->decl_to_mod[state->next_decl_id] = module->policy; 1807 1808 module->avdecl_map[decl->decl_id] = new_decl->decl_id; 1809 1810 ret = copy_avrule_decl(state, module, decl, new_decl); 1811 if (ret) { 1812 avrule_decl_destroy(new_decl); 1813 goto cleanup; 1814 } 1815 1816 state->next_decl_id++; 1817 } 1818 state->last_avrule_block->next = new_block; 1819 state->last_avrule_block = new_block; 1820 return 0; 1821 1822 cleanup: 1823 avrule_block_list_destroy(new_block); 1824 return ret; 1825 } 1826 1827 static int scope_copy_callback(hashtab_key_t key, hashtab_datum_t datum, 1828 void *data) 1829 { 1830 unsigned int i; 1831 int ret; 1832 char *id = key, *new_id = NULL; 1833 scope_datum_t *scope, *base_scope; 1834 link_state_t *state = (link_state_t *) data; 1835 uint32_t symbol_num = state->symbol_num; 1836 uint32_t *avdecl_map = state->cur->avdecl_map; 1837 1838 scope = (scope_datum_t *) datum; 1839 1840 /* check if the base already has a scope entry */ 1841 base_scope = hashtab_search(state->base->scope[symbol_num].table, id); 1842 if (base_scope == NULL) { 1843 scope_datum_t *new_scope; 1844 if ((new_id = strdup(id)) == NULL) { 1845 goto cleanup; 1846 } 1847 1848 if ((new_scope = 1849 (scope_datum_t *) calloc(1, sizeof(*new_scope))) == NULL) { 1850 free(new_id); 1851 goto cleanup; 1852 } 1853 ret = hashtab_insert(state->base->scope[symbol_num].table, 1854 (hashtab_key_t) new_id, 1855 (hashtab_datum_t) new_scope); 1856 if (ret) { 1857 free(new_id); 1858 free(new_scope); 1859 goto cleanup; 1860 } 1861 new_scope->scope = SCOPE_REQ; /* this is reset further down */ 1862 base_scope = new_scope; 1863 } 1864 if (base_scope->scope == SCOPE_REQ && scope->scope == SCOPE_DECL) { 1865 /* this module declared symbol, so overwrite the old 1866 * list with the new decl ids */ 1867 base_scope->scope = SCOPE_DECL; 1868 free(base_scope->decl_ids); 1869 base_scope->decl_ids = NULL; 1870 base_scope->decl_ids_len = 0; 1871 for (i = 0; i < scope->decl_ids_len; i++) { 1872 if (add_i_to_a(avdecl_map[scope->decl_ids[i]], 1873 &base_scope->decl_ids_len, 1874 &base_scope->decl_ids) == -1) { 1875 goto cleanup; 1876 } 1877 } 1878 } else if (base_scope->scope == SCOPE_DECL && scope->scope == SCOPE_REQ) { 1879 /* this module depended on a symbol that now exists, 1880 * so don't do anything */ 1881 } else if (base_scope->scope == SCOPE_REQ && scope->scope == SCOPE_REQ) { 1882 /* symbol is still required, so add to the list */ 1883 for (i = 0; i < scope->decl_ids_len; i++) { 1884 if (add_i_to_a(avdecl_map[scope->decl_ids[i]], 1885 &base_scope->decl_ids_len, 1886 &base_scope->decl_ids) == -1) { 1887 goto cleanup; 1888 } 1889 } 1890 } else { 1891 /* this module declared a symbol, and it was already 1892 * declared. only roles and users may be multiply 1893 * declared; for all others this is an error. */ 1894 if (symbol_num != SYM_ROLES && symbol_num != SYM_USERS) { 1895 ERR(state->handle, 1896 "%s: Duplicate declaration in module: %s %s", 1897 state->cur_mod_name, 1898 symtab_names[state->symbol_num], id); 1899 return -1; 1900 } 1901 for (i = 0; i < scope->decl_ids_len; i++) { 1902 if (add_i_to_a(avdecl_map[scope->decl_ids[i]], 1903 &base_scope->decl_ids_len, 1904 &base_scope->decl_ids) == -1) { 1905 goto cleanup; 1906 } 1907 } 1908 } 1909 return 0; 1910 1911 cleanup: 1912 ERR(state->handle, "Out of memory!"); 1913 return -1; 1914 } 1915 1916 /* Copy a module over to a base, remapping all values within. After 1917 * all identifiers and rules are done, copy the scoping information. 1918 * This is when it checks for duplicate declarations. */ 1919 static int copy_module(link_state_t * state, policy_module_t * module) 1920 { 1921 int i, ret; 1922 avrule_block_t *cur; 1923 state->cur = module; 1924 state->cur_mod_name = module->policy->name; 1925 1926 /* first copy all of the identifiers */ 1927 ret = copy_identifiers(state, module->policy->symtab, NULL); 1928 if (ret) { 1929 return ret; 1930 } 1931 1932 /* next copy all of the avrule blocks */ 1933 for (cur = module->policy->global; cur != NULL; cur = cur->next) { 1934 ret = copy_avrule_block(state, module, cur); 1935 if (ret) { 1936 return ret; 1937 } 1938 } 1939 1940 /* then copy the scoping tables */ 1941 for (i = 0; i < SYM_NUM; i++) { 1942 state->symbol_num = i; 1943 if (hashtab_map 1944 (module->policy->scope[i].table, scope_copy_callback, 1945 state)) { 1946 return -1; 1947 } 1948 } 1949 1950 return 0; 1951 } 1952 1953 /***** functions that check requirements and enable blocks in a module ******/ 1954 1955 /* borrowed from checkpolicy.c */ 1956 1957 struct find_perm_arg { 1958 unsigned int valuep; 1959 hashtab_key_t key; 1960 }; 1961 1962 static int find_perm(hashtab_key_t key, hashtab_datum_t datum, void *varg) 1963 { 1964 1965 struct find_perm_arg *arg = varg; 1966 1967 perm_datum_t *perdatum = (perm_datum_t *) datum; 1968 if (arg->valuep == perdatum->s.value) { 1969 arg->key = key; 1970 return 1; 1971 } 1972 1973 return 0; 1974 } 1975 1976 /* Check if the requirements are met for a single declaration. If all 1977 * are met return 1. For the first requirement found to be missing, 1978 * if 'missing_sym_num' and 'missing_value' are both not NULL then 1979 * write to them the symbol number and value for the missing 1980 * declaration. Then return 0 to indicate a missing declaration. 1981 * Note that if a declaration had no requirement at all (e.g., an ELSE 1982 * block) this returns 1. */ 1983 static int is_decl_requires_met(link_state_t * state, 1984 avrule_decl_t * decl, 1985 struct missing_requirement *req) 1986 { 1987 /* (This algorithm is very unoptimized. It performs many 1988 * redundant checks. A very obvious improvement is to cache 1989 * which symbols have been verified, so that they do not need 1990 * to be re-checked.) */ 1991 unsigned int i, j; 1992 ebitmap_t *bitmap; 1993 char *id, *perm_id; 1994 policydb_t *pol = state->base; 1995 ebitmap_node_t *node; 1996 1997 /* check that all symbols have been satisfied */ 1998 for (i = 0; i < SYM_NUM; i++) { 1999 if (i == SYM_CLASSES) { 2000 /* classes will be checked during permissions 2001 * checking phase below */ 2002 continue; 2003 } 2004 bitmap = &decl->required.scope[i]; 2005 ebitmap_for_each_bit(bitmap, node, j) { 2006 if (!ebitmap_node_get_bit(node, j)) { 2007 continue; 2008 } 2009 2010 /* check base's scope table */ 2011 id = pol->sym_val_to_name[i][j]; 2012 if (!is_id_enabled(id, state->base, i)) { 2013 /* this symbol was not found */ 2014 if (req != NULL) { 2015 req->symbol_type = i; 2016 req->symbol_value = j + 1; 2017 } 2018 return 0; 2019 } 2020 } 2021 } 2022 /* check that all classes and permissions have been satisfied */ 2023 for (i = 0; i < decl->required.class_perms_len; i++) { 2024 2025 bitmap = decl->required.class_perms_map + i; 2026 ebitmap_for_each_bit(bitmap, node, j) { 2027 struct find_perm_arg fparg; 2028 class_datum_t *cladatum; 2029 uint32_t perm_value = j + 1; 2030 int rc; 2031 scope_datum_t *scope; 2032 2033 if (!ebitmap_node_get_bit(node, j)) { 2034 continue; 2035 } 2036 id = pol->p_class_val_to_name[i]; 2037 cladatum = pol->class_val_to_struct[i]; 2038 2039 scope = 2040 hashtab_search(state->base->p_classes_scope.table, 2041 id); 2042 if (scope == NULL) { 2043 ERR(state->handle, 2044 "Could not find scope information for class %s", 2045 id); 2046 return -1; 2047 } 2048 2049 fparg.valuep = perm_value; 2050 fparg.key = NULL; 2051 2052 (void)hashtab_map(cladatum->permissions.table, find_perm, 2053 &fparg); 2054 if (fparg.key == NULL && cladatum->comdatum != NULL) { 2055 rc = hashtab_map(cladatum->comdatum->permissions.table, 2056 find_perm, &fparg); 2057 assert(rc == 1); 2058 } 2059 perm_id = fparg.key; 2060 2061 assert(perm_id != NULL); 2062 if (!is_perm_enabled(id, perm_id, state->base)) { 2063 if (req != NULL) { 2064 req->symbol_type = SYM_CLASSES; 2065 req->symbol_value = i + 1; 2066 req->perm_value = perm_value; 2067 } 2068 return 0; 2069 } 2070 } 2071 } 2072 2073 /* all requirements have been met */ 2074 return 1; 2075 } 2076 2077 static int debug_requirements(link_state_t * state, policydb_t * p) 2078 { 2079 int ret; 2080 avrule_block_t *cur; 2081 missing_requirement_t req; 2082 memset(&req, 0, sizeof(req)); 2083 2084 for (cur = p->global; cur != NULL; cur = cur->next) { 2085 if (cur->enabled != NULL) 2086 continue; 2087 2088 ret = is_decl_requires_met(state, cur->branch_list, &req); 2089 if (ret < 0) { 2090 return ret; 2091 } else if (ret == 0) { 2092 char *mod_name = cur->branch_list->module_name ? 2093 cur->branch_list->module_name : "BASE"; 2094 if (req.symbol_type == SYM_CLASSES) { 2095 struct find_perm_arg fparg; 2096 2097 class_datum_t *cladatum; 2098 cladatum = p->class_val_to_struct[req.symbol_value - 1]; 2099 2100 fparg.valuep = req.perm_value; 2101 fparg.key = NULL; 2102 (void)hashtab_map(cladatum->permissions.table, 2103 find_perm, &fparg); 2104 2105 if (cur->flags & AVRULE_OPTIONAL) { 2106 ERR(state->handle, 2107 "%s[%d]'s optional requirements were not met: class %s, permission %s", 2108 mod_name, cur->branch_list->decl_id, 2109 p->p_class_val_to_name[req.symbol_value - 1], 2110 fparg.key); 2111 } else { 2112 ERR(state->handle, 2113 "%s[%d]'s global requirements were not met: class %s, permission %s", 2114 mod_name, cur->branch_list->decl_id, 2115 p->p_class_val_to_name[req.symbol_value - 1], 2116 fparg.key); 2117 } 2118 } else { 2119 if (cur->flags & AVRULE_OPTIONAL) { 2120 ERR(state->handle, 2121 "%s[%d]'s optional requirements were not met: %s %s", 2122 mod_name, cur->branch_list->decl_id, 2123 symtab_names[req.symbol_type], 2124 p->sym_val_to_name[req. 2125 symbol_type][req. 2126 symbol_value 2127 - 2128 1]); 2129 } else { 2130 ERR(state->handle, 2131 "%s[%d]'s global requirements were not met: %s %s", 2132 mod_name, cur->branch_list->decl_id, 2133 symtab_names[req.symbol_type], 2134 p->sym_val_to_name[req. 2135 symbol_type][req. 2136 symbol_value 2137 - 2138 1]); 2139 } 2140 } 2141 } 2142 } 2143 return 0; 2144 } 2145 2146 static void print_missing_requirements(link_state_t * state, 2147 avrule_block_t * cur, 2148 missing_requirement_t * req) 2149 { 2150 policydb_t *p = state->base; 2151 char *mod_name = cur->branch_list->module_name ? 2152 cur->branch_list->module_name : "BASE"; 2153 2154 if (req->symbol_type == SYM_CLASSES) { 2155 2156 struct find_perm_arg fparg; 2157 2158 class_datum_t *cladatum; 2159 cladatum = p->class_val_to_struct[req->symbol_value - 1]; 2160 2161 fparg.valuep = req->perm_value; 2162 fparg.key = NULL; 2163 (void)hashtab_map(cladatum->permissions.table, find_perm, &fparg); 2164 2165 ERR(state->handle, 2166 "%s's global requirements were not met: class %s, permission %s", 2167 mod_name, 2168 p->p_class_val_to_name[req->symbol_value - 1], fparg.key); 2169 } else { 2170 ERR(state->handle, 2171 "%s's global requirements were not met: %s %s", 2172 mod_name, 2173 symtab_names[req->symbol_type], 2174 p->sym_val_to_name[req->symbol_type][req->symbol_value - 1]); 2175 } 2176 } 2177 2178 /* Enable all of the avrule_decl blocks for the policy. This simple 2179 * algorithm is the following: 2180 * 2181 * 1) Enable all of the non-else avrule_decls for all blocks. 2182 * 2) Iterate through the non-else decls looking for decls whose requirements 2183 * are not met. 2184 * 2a) If the decl is non-optional, return immediately with an error. 2185 * 2b) If the decl is optional, disable the block and mark changed = 1 2186 * 3) If changed == 1 goto 2. 2187 * 4) Iterate through all blocks looking for those that have no enabled 2188 * decl. If the block has an else decl, enable. 2189 * 2190 * This will correctly handle all dependencies, including mutual and 2191 * cicular. The only downside is that it is slow. 2192 */ 2193 static int enable_avrules(link_state_t * state, policydb_t * pol) 2194 { 2195 int changed = 1; 2196 avrule_block_t *block; 2197 avrule_decl_t *decl; 2198 missing_requirement_t req; 2199 int ret = 0, rc; 2200 2201 if (state->verbose) { 2202 INFO(state->handle, "Determining which avrules to enable."); 2203 } 2204 2205 /* 1) enable all of the non-else blocks */ 2206 for (block = pol->global; block != NULL; block = block->next) { 2207 block->enabled = block->branch_list; 2208 block->enabled->enabled = 1; 2209 for (decl = block->branch_list->next; decl != NULL; 2210 decl = decl->next) 2211 decl->enabled = 0; 2212 } 2213 2214 /* 2) Iterate */ 2215 while (changed) { 2216 changed = 0; 2217 for (block = pol->global; block != NULL; block = block->next) { 2218 if (block->enabled == NULL) { 2219 continue; 2220 } 2221 decl = block->branch_list; 2222 if (state->verbose) { 2223 char *mod_name = decl->module_name ? 2224 decl->module_name : "BASE"; 2225 INFO(state->handle, "check module %s decl %d\n", 2226 mod_name, decl->decl_id); 2227 } 2228 rc = is_decl_requires_met(state, decl, &req); 2229 if (rc < 0) { 2230 ret = SEPOL_ERR; 2231 goto out; 2232 } else if (rc == 0) { 2233 decl->enabled = 0; 2234 block->enabled = NULL; 2235 changed = 1; 2236 if (!(block->flags & AVRULE_OPTIONAL)) { 2237 print_missing_requirements(state, block, 2238 &req); 2239 ret = SEPOL_EREQ; 2240 goto out; 2241 } 2242 } 2243 } 2244 } 2245 2246 /* 4) else handling 2247 * 2248 * Iterate through all of the blocks skipping the first (which is the 2249 * global block, is required to be present, and cannot have an else). 2250 * If the block is disabled and has an else decl, enable that. 2251 * 2252 * This code assumes that the second block in the branch list is the else 2253 * block. This is currently supported by the compiler. 2254 */ 2255 for (block = pol->global->next; block != NULL; block = block->next) { 2256 if (block->enabled == NULL) { 2257 if (block->branch_list->next != NULL) { 2258 block->enabled = block->branch_list->next; 2259 block->branch_list->next->enabled = 1; 2260 } 2261 } 2262 } 2263 2264 out: 2265 if (state->verbose) 2266 debug_requirements(state, pol); 2267 2268 return ret; 2269 } 2270 2271 /*********** the main linking functions ***********/ 2272 2273 /* Given a module's policy, normalize all conditional expressions 2274 * within. Return 0 on success, -1 on error. */ 2275 static int cond_normalize(policydb_t * p) 2276 { 2277 avrule_block_t *block; 2278 for (block = p->global; block != NULL; block = block->next) { 2279 avrule_decl_t *decl; 2280 for (decl = block->branch_list; decl != NULL; decl = decl->next) { 2281 cond_list_t *cond = decl->cond_list; 2282 while (cond) { 2283 if (cond_normalize_expr(p, cond) < 0) 2284 return -1; 2285 cond = cond->next; 2286 } 2287 } 2288 } 2289 return 0; 2290 } 2291 2292 /* Allocate space for the various remapping arrays. */ 2293 static int prepare_module(link_state_t * state, policy_module_t * module) 2294 { 2295 int i; 2296 uint32_t items, num_decls = 0; 2297 avrule_block_t *cur; 2298 2299 /* allocate the maps */ 2300 for (i = 0; i < SYM_NUM; i++) { 2301 items = module->policy->symtab[i].nprim; 2302 if ((module->map[i] = 2303 (uint32_t *) calloc(items, 2304 sizeof(*module->map[i]))) == NULL) { 2305 ERR(state->handle, "Out of memory!"); 2306 return -1; 2307 } 2308 } 2309 2310 /* allocate the permissions remap here */ 2311 items = module->policy->p_classes.nprim; 2312 if ((module->perm_map_len = 2313 calloc(items, sizeof(*module->perm_map_len))) == NULL) { 2314 ERR(state->handle, "Out of memory!"); 2315 return -1; 2316 } 2317 if ((module->perm_map = 2318 calloc(items, sizeof(*module->perm_map))) == NULL) { 2319 ERR(state->handle, "Out of memory!"); 2320 return -1; 2321 } 2322 2323 /* allocate a map for avrule_decls */ 2324 for (cur = module->policy->global; cur != NULL; cur = cur->next) { 2325 avrule_decl_t *decl; 2326 for (decl = cur->branch_list; decl != NULL; decl = decl->next) { 2327 if (decl->decl_id > num_decls) { 2328 num_decls = decl->decl_id; 2329 } 2330 } 2331 } 2332 num_decls++; 2333 if ((module->avdecl_map = calloc(num_decls, sizeof(uint32_t))) == NULL) { 2334 ERR(state->handle, "Out of memory!"); 2335 return -1; 2336 } 2337 module->num_decls = num_decls; 2338 2339 /* normalize conditionals within */ 2340 if (cond_normalize(module->policy) < 0) { 2341 ERR(state->handle, 2342 "Error while normalizing conditionals within the module %s.", 2343 module->policy->name); 2344 return -1; 2345 } 2346 return 0; 2347 } 2348 2349 static int prepare_base(link_state_t * state, uint32_t num_mod_decls) 2350 { 2351 avrule_block_t *cur = state->base->global; 2352 assert(cur != NULL); 2353 state->next_decl_id = 0; 2354 2355 /* iterate through all of the declarations in the base, to 2356 determine what the next decl_id should be */ 2357 while (cur != NULL) { 2358 avrule_decl_t *decl; 2359 for (decl = cur->branch_list; decl != NULL; decl = decl->next) { 2360 if (decl->decl_id > state->next_decl_id) { 2361 state->next_decl_id = decl->decl_id; 2362 } 2363 } 2364 state->last_avrule_block = cur; 2365 cur = cur->next; 2366 } 2367 state->last_base_avrule_block = state->last_avrule_block; 2368 state->next_decl_id++; 2369 2370 /* allocate the table mapping from base's decl_id to its 2371 * avrule_decls and set the initial mappings */ 2372 free(state->base->decl_val_to_struct); 2373 if ((state->base->decl_val_to_struct = 2374 calloc(state->next_decl_id + num_mod_decls, 2375 sizeof(*(state->base->decl_val_to_struct)))) == NULL) { 2376 ERR(state->handle, "Out of memory!"); 2377 return -1; 2378 } 2379 /* This allocates the decl block to module mapping used for error reporting */ 2380 if ((state->decl_to_mod = calloc(state->next_decl_id + num_mod_decls, 2381 sizeof(*(state->decl_to_mod)))) == 2382 NULL) { 2383 ERR(state->handle, "Out of memory!"); 2384 return -1; 2385 } 2386 cur = state->base->global; 2387 while (cur != NULL) { 2388 avrule_decl_t *decl = cur->branch_list; 2389 while (decl != NULL) { 2390 state->base->decl_val_to_struct[decl->decl_id - 1] = 2391 decl; 2392 state->decl_to_mod[decl->decl_id] = state->base; 2393 decl = decl->next; 2394 } 2395 cur = cur->next; 2396 } 2397 2398 /* normalize conditionals within */ 2399 if (cond_normalize(state->base) < 0) { 2400 ERR(state->handle, 2401 "Error while normalizing conditionals within the base module."); 2402 return -1; 2403 } 2404 return 0; 2405 } 2406 2407 static int expand_role_attributes(hashtab_key_t key, hashtab_datum_t datum, 2408 void * data) 2409 { 2410 char *id; 2411 role_datum_t *role, *sub_attr; 2412 link_state_t *state; 2413 unsigned int i; 2414 ebitmap_node_t *rnode; 2415 2416 id = key; 2417 role = (role_datum_t *)datum; 2418 state = (link_state_t *)data; 2419 2420 if (strcmp(id, OBJECT_R) == 0){ 2421 /* object_r is never a role attribute by far */ 2422 return 0; 2423 } 2424 2425 if (role->flavor != ROLE_ATTRIB) 2426 return 0; 2427 2428 if (state->verbose) 2429 INFO(state->handle, "expanding role attribute %s", id); 2430 2431 restart: 2432 ebitmap_for_each_bit(&role->roles, rnode, i) { 2433 if (ebitmap_node_get_bit(rnode, i)) { 2434 sub_attr = state->base->role_val_to_struct[i]; 2435 if (sub_attr->flavor != ROLE_ATTRIB) 2436 continue; 2437 2438 /* remove the sub role attribute from the parent 2439 * role attribute's roles ebitmap */ 2440 if (ebitmap_set_bit(&role->roles, i, 0)) 2441 return -1; 2442 2443 /* loop dependency of role attributes */ 2444 if (sub_attr->s.value == role->s.value) 2445 continue; 2446 2447 /* now go on to expand a sub role attribute 2448 * by escalating its roles ebitmap */ 2449 if (ebitmap_union(&role->roles, &sub_attr->roles)) { 2450 ERR(state->handle, "Out of memory!"); 2451 return -1; 2452 } 2453 2454 /* sub_attr->roles may contain other role attributes, 2455 * re-scan the parent role attribute's roles ebitmap */ 2456 goto restart; 2457 } 2458 } 2459 2460 return 0; 2461 } 2462 2463 /* For any role attribute in a declaration's local symtab[SYM_ROLES] table, 2464 * copy its roles ebitmap into its duplicate's in the base->p_roles.table. 2465 */ 2466 static int populate_decl_roleattributes(hashtab_key_t key, 2467 hashtab_datum_t datum, 2468 void *data) 2469 { 2470 char *id = key; 2471 role_datum_t *decl_role, *base_role; 2472 link_state_t *state = (link_state_t *)data; 2473 2474 decl_role = (role_datum_t *)datum; 2475 2476 if (strcmp(id, OBJECT_R) == 0) { 2477 /* object_r is never a role attribute by far */ 2478 return 0; 2479 } 2480 2481 if (decl_role->flavor != ROLE_ATTRIB) 2482 return 0; 2483 2484 base_role = (role_datum_t *)hashtab_search(state->base->p_roles.table, 2485 id); 2486 assert(base_role != NULL && base_role->flavor == ROLE_ATTRIB); 2487 2488 if (ebitmap_union(&base_role->roles, &decl_role->roles)) { 2489 ERR(state->handle, "Out of memory!"); 2490 return -1; 2491 } 2492 2493 return 0; 2494 } 2495 2496 static int populate_roleattributes(link_state_t *state, policydb_t *pol) 2497 { 2498 avrule_block_t *block; 2499 avrule_decl_t *decl; 2500 2501 if (state->verbose) 2502 INFO(state->handle, "Populating role-attribute relationship " 2503 "from enabled declarations' local symtab."); 2504 2505 /* Iterate through all of the blocks skipping the first(which is the 2506 * global block, is required to be present and can't have an else). 2507 * If the block is disabled or not having an enabled decl, skip it. 2508 */ 2509 for (block = pol->global->next; block != NULL; block = block->next) 2510 { 2511 decl = block->enabled; 2512 if (decl == NULL || decl->enabled == 0) 2513 continue; 2514 2515 if (hashtab_map(decl->symtab[SYM_ROLES].table, 2516 populate_decl_roleattributes, state)) 2517 return -1; 2518 } 2519 2520 return 0; 2521 } 2522 2523 /* Link a set of modules into a base module. This process is somewhat 2524 * similar to an actual compiler: it requires a set of order dependent 2525 * steps. The base and every module must have been indexed prior to 2526 * calling this function. 2527 */ 2528 int link_modules(sepol_handle_t * handle, 2529 policydb_t * b, policydb_t ** mods, int len, int verbose) 2530 { 2531 int i, ret, retval = -1; 2532 policy_module_t **modules = NULL; 2533 link_state_t state; 2534 uint32_t num_mod_decls = 0; 2535 2536 memset(&state, 0, sizeof(state)); 2537 state.base = b; 2538 state.verbose = verbose; 2539 state.handle = handle; 2540 2541 if (b->policy_type != POLICY_BASE) { 2542 ERR(state.handle, "Target of link was not a base policy."); 2543 return -1; 2544 } 2545 2546 /* first allocate some space to hold the maps from module 2547 * symbol's value to the destination symbol value; then do 2548 * other preparation work */ 2549 if ((modules = 2550 (policy_module_t **) calloc(len, sizeof(*modules))) == NULL) { 2551 ERR(state.handle, "Out of memory!"); 2552 return -1; 2553 } 2554 for (i = 0; i < len; i++) { 2555 if (mods[i]->policy_type != POLICY_MOD) { 2556 ERR(state.handle, 2557 "Tried to link in a policy that was not a module."); 2558 goto cleanup; 2559 } 2560 2561 if (mods[i]->mls != b->mls) { 2562 if (b->mls) 2563 ERR(state.handle, 2564 "Tried to link in a non-MLS module with an MLS base."); 2565 else 2566 ERR(state.handle, 2567 "Tried to link in an MLS module with a non-MLS base."); 2568 goto cleanup; 2569 } 2570 2571 if ((modules[i] = 2572 (policy_module_t *) calloc(1, 2573 sizeof(policy_module_t))) == 2574 NULL) { 2575 ERR(state.handle, "Out of memory!"); 2576 goto cleanup; 2577 } 2578 modules[i]->policy = mods[i]; 2579 if (prepare_module(&state, modules[i]) == -1) { 2580 goto cleanup; 2581 } 2582 num_mod_decls += modules[i]->num_decls; 2583 } 2584 if (prepare_base(&state, num_mod_decls) == -1) { 2585 goto cleanup; 2586 } 2587 2588 /* copy all types, declared and required */ 2589 for (i = 0; i < len; i++) { 2590 state.cur = modules[i]; 2591 state.cur_mod_name = modules[i]->policy->name; 2592 ret = 2593 hashtab_map(modules[i]->policy->p_types.table, 2594 type_copy_callback, &state); 2595 if (ret) { 2596 retval = ret; 2597 goto cleanup; 2598 } 2599 } 2600 2601 /* then copy everything else, including aliases, and fixup attributes */ 2602 for (i = 0; i < len; i++) { 2603 state.cur = modules[i]; 2604 state.cur_mod_name = modules[i]->policy->name; 2605 ret = 2606 copy_identifiers(&state, modules[i]->policy->symtab, NULL); 2607 if (ret) { 2608 retval = ret; 2609 goto cleanup; 2610 } 2611 } 2612 2613 if (policydb_index_others(state.handle, state.base, 0)) { 2614 ERR(state.handle, "Error while indexing others"); 2615 goto cleanup; 2616 } 2617 2618 /* copy and remap the module's data over to base */ 2619 for (i = 0; i < len; i++) { 2620 state.cur = modules[i]; 2621 ret = copy_module(&state, modules[i]); 2622 if (ret) { 2623 retval = ret; 2624 goto cleanup; 2625 } 2626 } 2627 2628 /* re-index base, for symbols were added to symbol tables */ 2629 if (policydb_index_classes(state.base)) { 2630 ERR(state.handle, "Error while indexing classes"); 2631 goto cleanup; 2632 } 2633 if (policydb_index_others(state.handle, state.base, 0)) { 2634 ERR(state.handle, "Error while indexing others"); 2635 goto cleanup; 2636 } 2637 2638 if (enable_avrules(&state, state.base)) { 2639 retval = SEPOL_EREQ; 2640 goto cleanup; 2641 } 2642 2643 /* Now that all role attribute's roles ebitmap have been settled, 2644 * escalate sub role attribute's roles ebitmap into that of parent. 2645 * 2646 * First, since some role-attribute relationships could be recorded 2647 * in some decl's local symtab(see get_local_role()), we need to 2648 * populate them up to the base.p_roles table. */ 2649 if (populate_roleattributes(&state, state.base)) { 2650 retval = SEPOL_EREQ; 2651 goto cleanup; 2652 } 2653 2654 /* Now do the escalation. */ 2655 if (hashtab_map(state.base->p_roles.table, expand_role_attributes, 2656 &state)) 2657 goto cleanup; 2658 2659 retval = 0; 2660 cleanup: 2661 for (i = 0; modules != NULL && i < len; i++) { 2662 policy_module_destroy(modules[i]); 2663 } 2664 free(modules); 2665 free(state.decl_to_mod); 2666 return retval; 2667 } 2668
