int display_avtab(avtab_t * a, uint32_t what, policydb_t * p, FILE * fp) { unsigned int i; avtab_ptr_t cur; avtab_t expa; if (avtab_init(&expa)) goto oom; if (expand_avtab(p, a, &expa)) { avtab_destroy(&expa); goto oom; } /* hmm...should have used avtab_map. */ for (i = 0; i < expa.nslot; i++) { for (cur = expa.htable[i]; cur; cur = cur->next) { render_av_rule(&cur->key, &cur->datum, what, p, fp); } } avtab_destroy(&expa); fprintf(fp, "\n"); return 0; oom: fprintf(stderr, "out of memory\n"); return 1; }
int display_cond_expressions(policydb_t * p, FILE * fp) { cond_node_t *cur; cond_av_list_t *av_cur, *expl = NULL; avtab_t expa; for (cur = p->cond_list; cur != NULL; cur = cur->next) { fprintf(fp, "expression: "); display_expr(p, cur->expr, fp); fprintf(fp, "current state: %d\n", cur->cur_state); fprintf(fp, "True list:\n"); if (avtab_init(&expa)) goto oom; if (expand_cond_av_list(p, cur->true_list, &expl, &expa)) { avtab_destroy(&expa); goto oom; } for (av_cur = expl; av_cur != NULL; av_cur = av_cur->next) { fprintf(fp, "\t"); render_av_rule(&av_cur->node->key, &av_cur->node->datum, RENDER_CONDITIONAL, p, fp); } cond_av_list_destroy(expl); avtab_destroy(&expa); fprintf(fp, "False list:\n"); if (avtab_init(&expa)) goto oom; if (expand_cond_av_list(p, cur->false_list, &expl, &expa)) { avtab_destroy(&expa); goto oom; } for (av_cur = expl; av_cur != NULL; av_cur = av_cur->next) { fprintf(fp, "\t"); render_av_rule(&av_cur->node->key, &av_cur->node->datum, RENDER_CONDITIONAL, p, fp); } cond_av_list_destroy(expl); avtab_destroy(&expa); } return 0; oom: fprintf(stderr, "out of memory\n"); return 1; }
int avtab_read(struct avtab *a, void *fp, struct policydb *pol) { int rc; __le32 buf[1]; u32 nel, i; rc = next_entry(buf, fp, sizeof(u32)); if (rc < 0) { printk(KERN_ERR "SELinux: avtab: truncated table\n"); goto bad; } nel = le32_to_cpu(buf[0]); if (!nel) { printk(KERN_ERR "SELinux: avtab: table is empty\n"); rc = -EINVAL; goto bad; } rc = avtab_alloc(a, nel); if (rc) goto bad; for (i = 0; i < nel; i++) { rc = avtab_read_item(a, fp, pol, avtab_insertf, NULL); if (rc) { if (rc == -ENOMEM) printk(KERN_ERR "SELinux: avtab: out of memory\n"); else if (rc == -EEXIST) printk(KERN_ERR "SELinux: avtab: duplicate entry\n"); else rc = -EINVAL; goto bad; } } rc = 0; out: return rc; bad: avtab_destroy(a); goto out; }
int avtab_read(struct avtab *a, void *fp, u32 config) { int i, rc = -EINVAL; struct avtab_key avkey; struct avtab_datum avdatum; u32 *buf; u32 nel; buf = next_entry(fp, sizeof(u32)); if (!buf) { printk(KERN_ERR "security: avtab: truncated table\n"); goto bad; } nel = le32_to_cpu(buf[0]); if (!nel) { printk(KERN_ERR "security: avtab: table is empty\n"); goto bad; } for (i = 0; i < nel; i++) { if (avtab_read_item(fp, &avdatum, &avkey)) goto bad; rc = avtab_insert(a, &avkey, &avdatum); if (rc) { if (rc == -ENOMEM) printk(KERN_ERR "security: avtab: out of memory\n"); if (rc == -EEXIST) printk(KERN_ERR "security: avtab: duplicate entry\n"); goto bad; } } rc = 0; out: return rc; bad: avtab_destroy(a); goto out; }
static int analyze_types(policydb_t * policydb, char equiv, char diff) { avtab_t exp_avtab, exp_cond_avtab; struct avtab_node *type_rules, *l1, *l2; struct type_datum *type; size_t i, j; /* * Create a list of access vector rules for each type * from the access vector table. */ type_rules = malloc(sizeof(struct avtab_node) * policydb->p_types.nprim); if (!type_rules) { fprintf(stderr, "out of memory\n"); exit(1); } memset(type_rules, 0, sizeof(struct avtab_node) * policydb->p_types.nprim); if (avtab_init(&exp_avtab) || avtab_init(&exp_cond_avtab)) { fputs("out of memory\n", stderr); return -1; } if (expand_avtab(policydb, &policydb->te_avtab, &exp_avtab)) { fputs("out of memory\n", stderr); avtab_destroy(&exp_avtab); return -1; } if (expand_avtab(policydb, &policydb->te_cond_avtab, &exp_cond_avtab)) { fputs("out of memory\n", stderr); avtab_destroy(&exp_avtab); return -1; } if (avtab_map(&exp_avtab, create_type_rules, type_rules)) exit(1); if (avtab_map(&exp_cond_avtab, create_type_rules_cond, type_rules)) exit(1); avtab_destroy(&exp_avtab); avtab_destroy(&exp_cond_avtab); /* * Compare the type lists and identify similar types. */ for (i = 0; i < policydb->p_types.nprim - 1; i++) { if (!type_rules[i].next) continue; type = policydb->type_val_to_struct[i]; if (type->flavor) { free_type_rules(type_rules[i].next); type_rules[i].next = NULL; continue; } for (j = i + 1; j < policydb->p_types.nprim; j++) { type = policydb->type_val_to_struct[j]; if (type->flavor) { free_type_rules(type_rules[j].next); type_rules[j].next = NULL; continue; } for (l1 = type_rules[i].next, l2 = type_rules[j].next; l1 && l2; l1 = l1->next, l2 = l2->next) { if (l1->key.source_type != l2->key.source_type) break; if (l1->key.target_type != l2->key.target_type) break; if (l1->key.target_class != l2->key.target_class || l1->datum.data != l2->datum.data) break; } if (l1 || l2) { if (diff) { printf ("Types %s and %s differ, starting with:\n", policydb->p_type_val_to_name[i], policydb->p_type_val_to_name[j]); if (l1 && l2) { if (find_match(policydb, l1, i, l2, j)) continue; if (find_match(policydb, l2, j, l1, i)) continue; } if (l1) display_allow(policydb, &l1->key, i, l1->datum.data); if (l2) display_allow(policydb, &l2->key, j, l2->datum.data); printf("\n"); } continue; } free_type_rules(type_rules[j].next); type_rules[j].next = NULL; if (equiv) { printf("Types %s and %s are equivalent.\n", policydb->p_type_val_to_name[i], policydb->p_type_val_to_name[j]); } } free_type_rules(type_rules[i].next); type_rules[i].next = NULL; } free(type_rules); return 0; }