Exemple #1
/*
 * Reset the AVC, run avc_cleanup(), then reset it again.
 *
 * The three calls are made in exactly this order.  None of the helpers
 * is defined on this page; avc_reset() is shown elsewhere here to
 * return a negative value on failure, and that result is ignored in all
 * three calls below.  Note the empty parameter list: in C this is an
 * unprototyped declaration, `void cleanavc(void)` would be the strict form.
 */
void cleanavc() {
	avc_reset();
	avc_cleanup();
	avc_reset();
}
Exemple #2
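/*
 * Install a new class/permission mapping and reset the AVC.
 *
 * @param map  Array of class entries terminated by an entry whose name is
 *             NULL; each entry carries a NULL-terminated perms[] list.
 * @return 0 on success, -1 on failure.  errno is EINVAL when map is NULL;
 *         on other failures it is whatever the failing call left behind.
 *
 * On success current_mapping holds one record per input class plus a
 * reserved record for class zero at index 0, and current_mapping_size
 * counts that reserved record.  On every failure path both globals are
 * left NULL / 0, so a failed call never leaves a half-built mapping.
 */
int
selinux_set_mapping(struct security_class_mapping *map)
{
	security_class_t nclasses;
	security_class_t j;

	/* Drop any previous mapping before anything below can fail. */
	free(current_mapping);
	current_mapping = NULL;
	current_mapping_size = 0;

	if (avc_reset() < 0)
		goto err;

	if (!map) {
		errno = EINVAL;
		goto err;
	}

	/* Count the classes in the input mapping. */
	nclasses = 0;
	while (map[nclasses].name)
		nclasses++;

	/* One record per class plus one for class zero.  calloc() zeroes the
	 * records, so any perms[] slot never written reads as 0. */
	nclasses++;
	current_mapping = calloc(nclasses, sizeof *current_mapping);
	if (!current_mapping)
		goto err;

	/* Resolve each class and permission name to its raw policy value.
	 * Input class j is stored in output record j + 1; slot 0 is class zero. */
	for (j = 0; map[j].name; j++) {
		struct security_class_mapping *p_in = &map[j];
		struct selinux_mapping *p_out = &current_mapping[j + 1];
		unsigned k;

		p_out->value = string_to_security_class(p_in->name);
		if (!p_out->value)
			goto err2;

		/* NOTE(review): k indexes p_out->perms with no bound visible
		 * here; the size of selinux_mapping's perms[] is not shown on
		 * this page, so confirm callers cannot pass more permission
		 * strings than it holds. */
		for (k = 0; p_in->perms[k]; k++) {
			/* An empty permission string leaves its slot at 0 but
			 * still occupies the index. */
			if (!*p_in->perms[k])
				continue;
			p_out->perms[k] = string_to_av_perm(p_out->value,
							    p_in->perms[k]);
			if (!p_out->perms[k])
				goto err2;
		}
		p_out->num_perms = k;
	}

	/* Set the mapping size last so the lookups above were "raw", i.e.
	 * performed with current_mapping_size still 0. */
	current_mapping_size = nclasses;
	return 0;
err2:
	free(current_mapping);
	current_mapping = NULL;
	current_mapping_size = 0;
err:
	return -1;
}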
Exemple #3
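/*
 * Install a new class/permission mapping and reset the AVC.
 *
 * @param map  Array of class entries terminated by an entry whose name is
 *             NULL; each entry carries a NULL-terminated perms[] list.
 * @return 0 on success, -1 on failure.  errno is EINVAL when map is NULL;
 *         on other failures it is whatever the failing call left behind.
 *
 * Class or permission names the loaded policy does not define are logged.
 * When security_reject_unknown() reports 1 they are treated as an error;
 * otherwise the unknown class gets num_perms == 0 (an unknown permission
 * keeps its zeroed slot) and a final line is logged saying whether the
 * kernel will deny or allow them, based on security_deny_unknown().
 *
 * On success current_mapping holds one record per input class plus a
 * reserved record for class zero at index 0, and current_mapping_size
 * counts that reserved record.  On every failure path both globals are
 * left NULL / 0.
 */
int
selinux_set_mapping(struct security_class_mapping *map)
{
	security_class_t nclasses;
	security_class_t j;
	bool print_unknown_handle = false;
	bool reject = (security_reject_unknown() == 1);
	bool deny = (security_deny_unknown() == 1);

	/* Drop any previous mapping before anything below can fail. */
	free(current_mapping);
	current_mapping = NULL;
	current_mapping_size = 0;

	if (avc_reset() < 0)
		goto err;

	if (!map) {
		errno = EINVAL;
		goto err;
	}

	/* Count the classes in the input mapping. */
	nclasses = 0;
	while (map[nclasses].name)
		nclasses++;

	/* One record per class plus one for class zero.  calloc() zeroes the
	 * records, so any perms[] slot never written reads as 0. */
	nclasses++;
	current_mapping = calloc(nclasses, sizeof *current_mapping);
	if (!current_mapping)
		goto err;

	/* Resolve each class and permission name to its raw policy value.
	 * Input class j is stored in output record j + 1; slot 0 is class zero. */
	for (j = 0; map[j].name; j++) {
		struct security_class_mapping *p_in = &map[j];
		struct selinux_mapping *p_out = &current_mapping[j + 1];
		unsigned k;

		p_out->value = string_to_security_class(p_in->name);
		if (!p_out->value) {
			selinux_log(SELINUX_INFO,
				    "SELinux: Class %s not defined in policy.\n",
				    p_in->name);
			if (reject)
				goto err2;
			/* Unknown class: record it with no permissions. */
			p_out->num_perms = 0;
			print_unknown_handle = true;
			continue;
		}

		/* NOTE(review): k indexes p_out->perms with no bound visible
		 * here; the size of selinux_mapping's perms[] is not shown on
		 * this page, so confirm callers cannot pass more permission
		 * strings than it holds. */
		for (k = 0; p_in->perms[k]; k++) {
			/* An empty permission string leaves its slot at 0 but
			 * still occupies the index. */
			if (!*p_in->perms[k])
				continue;
			p_out->perms[k] = string_to_av_perm(p_out->value,
							    p_in->perms[k]);
			if (!p_out->perms[k]) {
				selinux_log(SELINUX_INFO,
					    "SELinux:  Permission %s in class %s not defined in policy.\n",
					    p_in->perms[k], p_in->name);
				if (reject)
					goto err2;
				/* Not rejected: the slot stays 0 and is still
				 * counted in num_perms. */
				print_unknown_handle = true;
			}
		}
		p_out->num_perms = k;
	}

	if (print_unknown_handle)
		selinux_log(SELINUX_INFO,
			    "SELinux: the above unknown classes and permissions will be %s\n",
			    deny ? "denied" : "allowed");

	/* Set the mapping size last so the lookups above were "raw", i.e.
	 * performed with current_mapping_size still 0. */
	current_mapping_size = nclasses;
	return 0;
err2:
	free(current_mapping);
	current_mapping = NULL;
	current_mapping_size = 0;
err:
	return -1;
}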