Commit ca661c5e authored by Linus Torvalds's avatar Linus Torvalds

Merge tag 'selinux-pr-20240312' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux

Pull selinux updates from Paul Moore:
 "Really only a few notable changes:

   - Continue the coding style/formatting fixup work

     This is the bulk of the diffstat in this pull request, with the
     focus this time around being the security/selinux/ss directory.

     We've only got a couple of files left to cleanup and once we're
     done with that we can start enabling some automatic style
     verfication and introduce tooling to help new folks format their
     code correctly.

   - Don't restrict xattr copy-up when SELinux policy is not loaded

     This helps systems that use overlayfs, or similar filesystems,
     preserve their SELinux labels during early boot when the SELinux
     policy has yet to be loaded.

   - Reduce the work we do during inode initialization time

     This isn't likely to show up in any benchmark results, but we
     removed an unnecessary SELinux object class lookup/calculation
     during inode initialization.

   - Correct the return values in selinux_socket_getpeersec_dgram()

     We had some inconsistencies with respect to our return values
     across selinux_socket_getpeersec_dgram() and
     selinux_socket_getpeersec_stream().

     This provides a more uniform set of error codes across the two
     functions and should help make it easier for users to identify
     the source of a failure"

* tag 'selinux-pr-20240312' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: (24 commits)
  selinux: fix style issues in security/selinux/ss/symtab.c
  selinux: fix style issues in security/selinux/ss/symtab.h
  selinux: fix style issues in security/selinux/ss/sidtab.c
  selinux: fix style issues in security/selinux/ss/sidtab.h
  selinux: fix style issues in security/selinux/ss/services.h
  selinux: fix style issues in security/selinux/ss/policydb.c
  selinux: fix style issues in security/selinux/ss/policydb.h
  selinux: fix style issues in security/selinux/ss/mls_types.h
  selinux: fix style issues in security/selinux/ss/mls.c
  selinux: fix style issues in security/selinux/ss/mls.h
  selinux: fix style issues in security/selinux/ss/hashtab.c
  selinux: fix style issues in security/selinux/ss/hashtab.h
  selinux: fix style issues in security/selinux/ss/ebitmap.c
  selinux: fix style issues in security/selinux/ss/ebitmap.h
  selinux: fix style issues in security/selinux/ss/context.h
  selinux: fix style issues in security/selinux/ss/context.h
  selinux: fix style issues in security/selinux/ss/constraint.h
  selinux: fix style issues in security/selinux/ss/conditional.c
  selinux: fix style issues in security/selinux/ss/conditional.h
  selinux: fix style issues in security/selinux/ss/avtab.c
  ...
parents 9187210e a1fc7934
......@@ -2920,23 +2920,22 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
struct superblock_security_struct *sbsec;
struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count);
u32 newsid, clen;
u16 newsclass;
int rc;
char *context;
sbsec = selinux_superblock(dir->i_sb);
newsid = tsec->create_sid;
rc = selinux_determine_inode_label(tsec, dir, qstr,
inode_mode_to_security_class(inode->i_mode),
&newsid);
newsclass = inode_mode_to_security_class(inode->i_mode);
rc = selinux_determine_inode_label(tsec, dir, qstr, newsclass, &newsid);
if (rc)
return rc;
/* Possibly defer initialization to selinux_complete_init. */
if (sbsec->flags & SE_SBINITIALIZED) {
struct inode_security_struct *isec = selinux_inode(inode);
isec->sclass = inode_mode_to_security_class(inode->i_mode);
isec->sclass = newsclass;
isec->sid = newsid;
isec->initialized = LABEL_INITIALIZED;
}
......@@ -3534,9 +3533,10 @@ static int selinux_inode_copy_up_xattr(const char *name)
{
/* The copy_up hook above sets the initial context on an inode, but we
* don't then want to overwrite it by blindly copying all the lower
* xattrs up. Instead, we have to filter out SELinux-related xattrs.
* xattrs up. Instead, filter out SELinux-related xattrs following
* policy load.
*/
if (strcmp(name, XATTR_NAME_SELINUX) == 0)
if (selinux_initialized() && strcmp(name, XATTR_NAME_SELINUX) == 0)
return 1; /* Discard */
/*
* Any other attribute apart from SELINUX is not claimed, supported
......@@ -5194,11 +5194,11 @@ static int selinux_socket_getpeersec_stream(struct socket *sock,
return err;
}
static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
static int selinux_socket_getpeersec_dgram(struct socket *sock,
struct sk_buff *skb, u32 *secid)
{
u32 peer_secid = SECSID_NULL;
u16 family;
struct inode_security_struct *isec;
if (skb && skb->protocol == htons(ETH_P_IP))
family = PF_INET;
......@@ -5206,19 +5206,21 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *
family = PF_INET6;
else if (sock)
family = sock->sk->sk_family;
else
goto out;
else {
*secid = SECSID_NULL;
return -EINVAL;
}
if (sock && family == PF_UNIX) {
struct inode_security_struct *isec;
isec = inode_security_novalidate(SOCK_INODE(sock));
peer_secid = isec->sid;
} else if (skb)
selinux_skb_peerlbl_sid(skb, family, &peer_secid);
out:
*secid = peer_secid;
if (peer_secid == SECSID_NULL)
return -EINVAL;
return -ENOPROTOOPT;
return 0;
}
......
/* SPDX-License-Identifier: GPL-2.0-only */
/*
* Implementation of the access vector table type.
*
* Author : Stephen Smalley, <stephen.smalley.work@gmail.com>
*/
/* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
*
/* Updated: Frank Mayer <mayerf@tresys.com> and
* Karl MacMillan <kmacmillan@tresys.com>
* Added conditional policy language extensions
*
* Copyright (C) 2003 Tresys Technology, LLC
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, version 2.
*
* Updated: Yuichi Nakamura <ynakam@hitachisoft.jp>
* Tuned number of hash slots for avtab to reduce memory usage
......@@ -41,7 +38,8 @@ static inline u32 avtab_hash(const struct avtab_key *keyp, u32 mask)
u32 hash = 0;
#define mix(input) do { \
#define mix(input) \
do { \
u32 v = input; \
v *= c1; \
v = (v << r1) | (v >> (32 - r1)); \
......@@ -66,9 +64,10 @@ static inline u32 avtab_hash(const struct avtab_key *keyp, u32 mask)
return hash & mask;
}
static struct avtab_node*
avtab_insert_node(struct avtab *h, struct avtab_node **dst,
const struct avtab_key *key, const struct avtab_datum *datum)
static struct avtab_node *avtab_insert_node(struct avtab *h,
struct avtab_node **dst,
const struct avtab_key *key,
const struct avtab_datum *datum)
{
struct avtab_node *newnode;
struct avtab_extended_perms *xperms;
......@@ -99,7 +98,7 @@ avtab_insert_node(struct avtab *h, struct avtab_node **dst,
static int avtab_node_cmp(const struct avtab_key *key1,
const struct avtab_key *key2)
{
u16 specified = key1->specified & ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD);
u16 specified = key1->specified & ~(AVTAB_ENABLED | AVTAB_ENABLED_OLD);
if (key1->source_type == key2->source_type &&
key1->target_type == key2->target_type &&
......@@ -129,8 +128,7 @@ static int avtab_insert(struct avtab *h, const struct avtab_key *key,
return -EINVAL;
hvalue = avtab_hash(key, h->mask);
for (prev = NULL, cur = h->htable[hvalue];
cur;
for (prev = NULL, cur = h->htable[hvalue]; cur;
prev = cur, cur = cur->next) {
cmp = avtab_node_cmp(key, &cur->key);
/* extended perms may not be unique */
......@@ -163,8 +161,7 @@ struct avtab_node *avtab_insert_nonunique(struct avtab *h,
if (!h || !h->nslot || h->nel == U32_MAX)
return NULL;
hvalue = avtab_hash(key, h->mask);
for (prev = NULL, cur = h->htable[hvalue];
cur;
for (prev = NULL, cur = h->htable[hvalue]; cur;
prev = cur, cur = cur->next) {
cmp = avtab_node_cmp(key, &cur->key);
if (cmp <= 0)
......@@ -188,8 +185,7 @@ struct avtab_node *avtab_search_node(struct avtab *h,
return NULL;
hvalue = avtab_hash(key, h->mask);
for (cur = h->htable[hvalue]; cur;
cur = cur->next) {
for (cur = h->htable[hvalue]; cur; cur = cur->next) {
cmp = avtab_node_cmp(key, &cur->key);
if (cmp == 0)
return cur;
......@@ -199,8 +195,8 @@ struct avtab_node *avtab_search_node(struct avtab *h,
return NULL;
}
struct avtab_node*
avtab_search_node_next(struct avtab_node *node, u16 specified)
struct avtab_node *avtab_search_node_next(struct avtab_node *node,
u16 specified)
{
struct avtab_key tmp_key;
struct avtab_node *cur;
......@@ -314,7 +310,8 @@ void avtab_hash_eval(struct avtab *h, const char *tag)
if (chain_len > max_chain_len)
max_chain_len = chain_len;
chain2_len_sum += (unsigned long long)chain_len * chain_len;
chain2_len_sum +=
(unsigned long long)chain_len * chain_len;
}
}
......@@ -325,6 +322,7 @@ void avtab_hash_eval(struct avtab *h, const char *tag)
}
#endif /* CONFIG_SECURITY_SELINUX_DEBUG */
/* clang-format off */
static const uint16_t spec_order[] = {
AVTAB_ALLOWED,
AVTAB_AUDITDENY,
......@@ -336,6 +334,7 @@ static const uint16_t spec_order[] = {
AVTAB_XPERMS_AUDITALLOW,
AVTAB_XPERMS_DONTAUDIT
};
/* clang-format on */
int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
int (*insertf)(struct avtab *a, const struct avtab_key *k,
......@@ -365,9 +364,8 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
if (items2 > ARRAY_SIZE(buf32)) {
pr_err("SELinux: avtab: entry overflow\n");
return -EINVAL;
}
rc = next_entry(buf32, fp, sizeof(u32)*items2);
rc = next_entry(buf32, fp, sizeof(u32) * items2);
if (rc) {
pr_err("SELinux: avtab: truncated entry\n");
return rc;
......@@ -400,8 +398,7 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
pr_err("SELinux: avtab: null entry\n");
return -EINVAL;
}
if ((val & AVTAB_AV) &&
(val & AVTAB_TYPE)) {
if ((val & AVTAB_AV) && (val & AVTAB_TYPE)) {
pr_err("SELinux: avtab: entry has both access vectors and types\n");
return -EINVAL;
}
......@@ -428,7 +425,7 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
return 0;
}
rc = next_entry(buf16, fp, sizeof(u16)*4);
rc = next_entry(buf16, fp, sizeof(u16) * 4);
if (rc) {
pr_err("SELinux: avtab: truncated entry\n");
return rc;
......@@ -457,7 +454,8 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
(key.specified & AVTAB_XPERMS)) {
pr_err("SELinux: avtab: policy version %u does not "
"support extended permissions rules and one "
"was specified\n", vers);
"was specified\n",
vers);
return -EINVAL;
} else if (key.specified & AVTAB_XPERMS) {
memset(&xperms, 0, sizeof(struct avtab_extended_perms));
......@@ -471,7 +469,8 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
pr_err("SELinux: avtab: truncated entry\n");
return rc;
}
rc = next_entry(buf32, fp, sizeof(u32)*ARRAY_SIZE(xperms.perms.p));
rc = next_entry(buf32, fp,
sizeof(u32) * ARRAY_SIZE(xperms.perms.p));
if (rc) {
pr_err("SELinux: avtab: truncated entry\n");
return rc;
......@@ -507,7 +506,6 @@ int avtab_read(struct avtab *a, void *fp, struct policydb *pol)
__le32 buf[1];
u32 nel, i;
rc = next_entry(buf, fp, sizeof(u32));
if (rc < 0) {
pr_err("SELinux: avtab: truncated table\n");
......@@ -561,7 +559,8 @@ int avtab_write_item(struct policydb *p, const struct avtab_node *cur, void *fp)
return rc;
if (cur->key.specified & AVTAB_XPERMS) {
rc = put_entry(&cur->datum.u.xperms->specified, sizeof(u8), 1, fp);
rc = put_entry(&cur->datum.u.xperms->specified, sizeof(u8), 1,
fp);
if (rc)
return rc;
rc = put_entry(&cur->datum.u.xperms->driver, sizeof(u8), 1, fp);
......@@ -593,8 +592,7 @@ int avtab_write(struct policydb *p, struct avtab *a, void *fp)
return rc;
for (i = 0; i < a->nslot; i++) {
for (cur = a->htable[i]; cur;
cur = cur->next) {
for (cur = a->htable[i]; cur; cur = cur->next) {
rc = avtab_write_item(p, cur, fp);
if (rc)
return rc;
......@@ -606,10 +604,9 @@ int avtab_write(struct policydb *p, struct avtab *a, void *fp)
void __init avtab_cache_init(void)
{
avtab_node_cachep = kmem_cache_create("avtab_node",
sizeof(struct avtab_node),
0, SLAB_PANIC, NULL);
avtab_xperms_cachep = kmem_cache_create("avtab_extended_perms",
sizeof(struct avtab_extended_perms),
0, SLAB_PANIC, NULL);
avtab_node_cachep = kmem_cache_create(
"avtab_node", sizeof(struct avtab_node), 0, SLAB_PANIC, NULL);
avtab_xperms_cachep = kmem_cache_create(
"avtab_extended_perms", sizeof(struct avtab_extended_perms), 0,
SLAB_PANIC, NULL);
}
......@@ -9,15 +9,15 @@
* Author : Stephen Smalley, <stephen.smalley.work@gmail.com>
*/
/* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
*
/* Updated: Frank Mayer <mayerf@tresys.com> and
* Karl MacMillan <kmacmillan@tresys.com>
* Added conditional policy language extensions
*
* Copyright (C) 2003 Tresys Technology, LLC
*
* Updated: Yuichi Nakamura <ynakam@hitachisoft.jp>
* Tuned number of hash slots for avtab to reduce memory usage
*/
#ifndef _SS_AVTAB_H_
#define _SS_AVTAB_H_
......@@ -39,8 +39,8 @@ struct avtab_key {
#define AVTAB_XPERMS_ALLOWED 0x0100
#define AVTAB_XPERMS_AUDITALLOW 0x0200
#define AVTAB_XPERMS_DONTAUDIT 0x0400
#define AVTAB_XPERMS (AVTAB_XPERMS_ALLOWED | \
AVTAB_XPERMS_AUDITALLOW | \
#define AVTAB_XPERMS \
(AVTAB_XPERMS_ALLOWED | AVTAB_XPERMS_AUDITALLOW | \
AVTAB_XPERMS_DONTAUDIT)
#define AVTAB_ENABLED_OLD 0x80000000 /* reserved for used in cond_avtab */
#define AVTAB_ENABLED 0x8000 /* reserved for used in cond_avtab */
......@@ -92,6 +92,9 @@ int avtab_alloc(struct avtab *, u32);
int avtab_alloc_dup(struct avtab *new, const struct avtab *orig);
void avtab_destroy(struct avtab *h);
#define MAX_AVTAB_HASH_BITS 16
#define MAX_AVTAB_HASH_BUCKETS (1 << MAX_AVTAB_HASH_BITS)
#ifdef CONFIG_SECURITY_SELINUX_DEBUG
void avtab_hash_eval(struct avtab *h, const char *tag);
#else
......@@ -107,7 +110,8 @@ int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
void *p);
int avtab_read(struct avtab *a, void *fp, struct policydb *pol);
int avtab_write_item(struct policydb *p, const struct avtab_node *cur, void *fp);
int avtab_write_item(struct policydb *p, const struct avtab_node *cur,
void *fp);
int avtab_write(struct policydb *p, struct avtab *a, void *fp);
struct avtab_node *avtab_insert_nonunique(struct avtab *h,
......@@ -116,11 +120,7 @@ struct avtab_node *avtab_insert_nonunique(struct avtab *h,
struct avtab_node *avtab_search_node(struct avtab *h,
const struct avtab_key *key);
struct avtab_node *avtab_search_node_next(struct avtab_node *node, u16 specified);
#define MAX_AVTAB_HASH_BITS 16
#define MAX_AVTAB_HASH_BUCKETS (1 << MAX_AVTAB_HASH_BITS)
struct avtab_node *avtab_search_node_next(struct avtab_node *node,
u16 specified);
#endif /* _SS_AVTAB_H_ */
// SPDX-License-Identifier: GPL-2.0-only
/* SPDX-License-Identifier: GPL-2.0-only */
/* Authors: Karl MacMillan <kmacmillan@tresys.com>
* Frank Mayer <mayerf@tresys.com>
*
* Copyright (C) 2003 - 2004 Tresys Technology, LLC
*/
......@@ -166,9 +165,8 @@ void cond_policydb_destroy(struct policydb *p)
int cond_init_bool_indexes(struct policydb *p)
{
kfree(p->bool_val_to_struct);
p->bool_val_to_struct = kmalloc_array(p->p_bools.nprim,
sizeof(*p->bool_val_to_struct),
GFP_KERNEL);
p->bool_val_to_struct = kmalloc_array(
p->p_bools.nprim, sizeof(*p->bool_val_to_struct), GFP_KERNEL);
if (!p->bool_val_to_struct)
return -ENOMEM;
return 0;
......@@ -287,7 +285,8 @@ static int cond_insertf(struct avtab *a, const struct avtab_key *k,
if (other) {
node_ptr = avtab_search_node(&p->te_cond_avtab, k);
if (node_ptr) {
if (avtab_search_node_next(node_ptr, k->specified)) {
if (avtab_search_node_next(node_ptr,
k->specified)) {
pr_err("SELinux: too many conflicting type rules.\n");
return -EINVAL;
}
......@@ -478,8 +477,8 @@ int cond_write_bool(void *vkey, void *datum, void *ptr)
* the conditional. This means that the avtab with the conditional
* rules will not be saved but will be rebuilt on policy load.
*/
static int cond_write_av_list(struct policydb *p,
struct cond_av_list *list, struct policy_file *fp)
static int cond_write_av_list(struct policydb *p, struct cond_av_list *list,
struct policy_file *fp)
{
__le32 buf[1];
u32 i;
......@@ -581,19 +580,19 @@ void cond_compute_av(struct avtab *ctab, struct avtab_key *key,
for (node = avtab_search_node(ctab, key); node;
node = avtab_search_node_next(node, key->specified)) {
if ((u16)(AVTAB_ALLOWED|AVTAB_ENABLED) ==
(node->key.specified & (AVTAB_ALLOWED|AVTAB_ENABLED)))
if ((u16)(AVTAB_ALLOWED | AVTAB_ENABLED) ==
(node->key.specified & (AVTAB_ALLOWED | AVTAB_ENABLED)))
avd->allowed |= node->datum.u.data;
if ((u16)(AVTAB_AUDITDENY|AVTAB_ENABLED) ==
(node->key.specified & (AVTAB_AUDITDENY|AVTAB_ENABLED)))
if ((u16)(AVTAB_AUDITDENY | AVTAB_ENABLED) ==
(node->key.specified & (AVTAB_AUDITDENY | AVTAB_ENABLED)))
/* Since a '0' in an auditdeny mask represents a
* permission we do NOT want to audit (dontaudit), we use
* the '&' operand to ensure that all '0's in the mask
* are retained (much unlike the allow and auditallow cases).
*/
avd->auditdeny &= node->datum.u.data;
if ((u16)(AVTAB_AUDITALLOW|AVTAB_ENABLED) ==
(node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED)))
if ((u16)(AVTAB_AUDITALLOW | AVTAB_ENABLED) ==
(node->key.specified & (AVTAB_AUDITALLOW | AVTAB_ENABLED)))
avd->auditallow |= node->datum.u.data;
if (xperms && (node->key.specified & AVTAB_ENABLED) &&
(node->key.specified & AVTAB_XPERMS))
......@@ -601,8 +600,7 @@ void cond_compute_av(struct avtab *ctab, struct avtab_key *key,
}
}
static int cond_dup_av_list(struct cond_av_list *new,
struct cond_av_list *orig,
static int cond_dup_av_list(struct cond_av_list *new, struct cond_av_list *orig,
struct avtab *avtab)
{
u32 i;
......@@ -614,9 +612,8 @@ static int cond_dup_av_list(struct cond_av_list *new,
return -ENOMEM;
for (i = 0; i < orig->len; i++) {
new->nodes[i] = avtab_insert_nonunique(avtab,
&orig->nodes[i]->key,
&orig->nodes[i]->datum);
new->nodes[i] = avtab_insert_nonunique(
avtab, &orig->nodes[i]->key, &orig->nodes[i]->datum);
if (!new->nodes[i])
return -ENOMEM;
new->len++;
......@@ -637,8 +634,7 @@ static int duplicate_policydb_cond_list(struct policydb *newp,
newp->cond_list_len = 0;
newp->cond_list = kcalloc(origp->cond_list_len,
sizeof(*newp->cond_list),
GFP_KERNEL);
sizeof(*newp->cond_list), GFP_KERNEL);
if (!newp->cond_list)
goto error;
......@@ -649,7 +645,8 @@ static int duplicate_policydb_cond_list(struct policydb *newp,
newp->cond_list_len++;
newn->cur_state = orign->cur_state;
newn->expr.nodes = kmemdup(orign->expr.nodes,
newn->expr.nodes =
kmemdup(orign->expr.nodes,
orign->expr.len * sizeof(*orign->expr.nodes),
GFP_KERNEL);
if (!newn->expr.nodes)
......@@ -683,7 +680,8 @@ static int cond_bools_destroy(void *key, void *datum, void *args)
return 0;
}
static int cond_bools_copy(struct hashtab_node *new, struct hashtab_node *orig, void *args)
static int cond_bools_copy(struct hashtab_node *new, struct hashtab_node *orig,
void *args)
{
struct cond_bool_datum *datum;
......
/* SPDX-License-Identifier: GPL-2.0-only */
/* Authors: Karl MacMillan <kmacmillan@tresys.com>
* Frank Mayer <mayerf@tresys.com>
*
* Copyright (C) 2003 - 2004 Tresys Technology, LLC
*/
......
......@@ -13,6 +13,7 @@
*
* Author : Stephen Smalley, <stephen.smalley.work@gmail.com>
*/
#ifndef _SS_CONSTRAINT_H_
#define _SS_CONSTRAINT_H_
......
// SPDX-License-Identifier: GPL-2.0
/* SPDX-License-Identifier: GPL-2.0 */
/*
* Implementations of the security context functions.
*
......
......@@ -13,6 +13,7 @@
*
* Author : Stephen Smalley, <stephen.smalley.work@gmail.com>
*/
#ifndef _SS_CONTEXT_H_
#define _SS_CONTEXT_H_
......@@ -38,7 +39,8 @@ static inline void mls_context_init(struct context *c)
memset(&c->range, 0, sizeof(c->range));
}
static inline int mls_context_cpy(struct context *dst, const struct context *src)
static inline int mls_context_cpy(struct context *dst,
const struct context *src)
{
int rc;
......@@ -58,7 +60,8 @@ static inline int mls_context_cpy(struct context *dst, const struct context *src
/*
* Sets both levels in the MLS range of 'dst' to the low level of 'src'.
*/
static inline int mls_context_cpy_low(struct context *dst, const struct context *src)
static inline int mls_context_cpy_low(struct context *dst,
const struct context *src)
{
int rc;
......@@ -78,7 +81,8 @@ static inline int mls_context_cpy_low(struct context *dst, const struct context
/*
* Sets both levels in the MLS range of 'dst' to the high level of 'src'.
*/
static inline int mls_context_cpy_high(struct context *dst, const struct context *src)
static inline int mls_context_cpy_high(struct context *dst,
const struct context *src)
{
int rc;
......@@ -95,9 +99,9 @@ static inline int mls_context_cpy_high(struct context *dst, const struct context
return rc;
}
static inline int mls_context_glblub(struct context *dst,
const struct context *c1, const struct context *c2)
const struct context *c1,
const struct context *c2)
{
struct mls_range *dr = &dst->range;
const struct mls_range *r1 = &c1->range, *r2 = &c2->range;
......@@ -114,13 +118,13 @@ static inline int mls_context_glblub(struct context *dst,
/* Take the least of the high */
dr->level[1].sens = min(r1->level[1].sens, r2->level[1].sens);
rc = ebitmap_and(&dr->level[0].cat,
&r1->level[0].cat, &r2->level[0].cat);
rc = ebitmap_and(&dr->level[0].cat, &r1->level[0].cat,
&r2->level[0].cat);
if (rc)
goto out;
rc = ebitmap_and(&dr->level[1].cat,
&r1->level[1].cat, &r2->level[1].cat);
rc = ebitmap_and(&dr->level[1].cat, &r1->level[1].cat,
&r2->level[1].cat);
if (rc)
goto out;
......@@ -128,7 +132,8 @@ static inline int mls_context_glblub(struct context *dst,
return rc;
}
static inline int mls_context_cmp(const struct context *c1, const struct context *c2)
static inline int mls_context_cmp(const struct context *c1,
const struct context *c2)
{
return ((c1->range.level[0].sens == c2->range.level[0].sens) &&
ebitmap_cmp(&c1->range.level[0].cat, &c2->range.level[0].cat) &&
......@@ -183,19 +188,17 @@ static inline void context_destroy(struct context *c)
mls_context_destroy(c);
}
static inline int context_cmp(const struct context *c1, const struct context *c2)
static inline int context_cmp(const struct context *c1,
const struct context *c2)
{
if (c1->len && c2->len)
return (c1->len == c2->len && !strcmp(c1->str, c2->str));
if (c1->len || c2->len)
return 0;
return ((c1->user == c2->user) &&
(c1->role == c2->role) &&
(c1->type == c2->type) &&
mls_context_cmp(c1, c2));
return ((c1->user == c2->user) && (c1->role == c2->role) &&
(c1->type == c2->type) && mls_context_cmp(c1, c2));
}
u32 context_compute_hash(const struct context *c);
#endif /* _SS_CONTEXT_H_ */
// SPDX-License-Identifier: GPL-2.0
/* SPDX-License-Identifier: GPL-2.0 */
/*
* Implementation of the extensible bitmap type.
*
......@@ -6,12 +6,9 @@
*/
/*
* Updated: Hewlett-Packard <paul@paul-moore.com>
*
* Added support to import/export the NetLabel category bitmap
*
* (c) Copyright Hewlett-Packard Development Company, L.P., 2006
*/
/*
*
* Updated: KaiGai Kohei <kaigai@ak.jp.nec.com>
* Applied standard bit operations to improve bitmap scanning.
*/
......@@ -37,8 +34,7 @@ int ebitmap_cmp(const struct ebitmap *e1, const struct ebitmap *e2)
n1 = e1->node;
n2 = e2->node;
while (n1 && n2 &&
(n1->startbit == n2->startbit) &&
while (n1 && n2 && (n1->startbit == n2->startbit) &&
!memcmp(n1->maps, n2->maps, EBITMAP_SIZE / 8)) {
n1 = n1->next;
n2 = n2->next;
......@@ -79,14 +75,16 @@ int ebitmap_cpy(struct ebitmap *dst, const struct ebitmap *src)
return 0;
}
int ebitmap_and(struct ebitmap *dst, const struct ebitmap *e1, const struct ebitmap *e2)
int ebitmap_and(struct ebitmap *dst, const struct ebitmap *e1,
const struct ebitmap *e2)
{
struct ebitmap_node *n;
int bit, rc;
ebitmap_init(dst);
ebitmap_for_each_positive_bit(e1, n, bit) {
ebitmap_for_each_positive_bit(e1, n, bit)
{
if (ebitmap_get_bit(e2, bit)) {
rc = ebitmap_set_bit(dst, bit, 1);
if (rc < 0)
......@@ -96,7 +94,6 @@ int ebitmap_and(struct ebitmap *dst, const struct ebitmap *e1, const struct ebit
return 0;
}
#ifdef CONFIG_NETLABEL
/**
* ebitmap_netlbl_export - Export an ebitmap into a NetLabel category bitmap
......@@ -131,10 +128,8 @@ int ebitmap_netlbl_export(struct ebitmap *ebmap,
for (iter = 0; iter < EBITMAP_UNIT_NUMS; iter++) {
e_map = e_iter->maps[iter];
if (e_map != 0) {
rc = netlbl_catmap_setlong(catmap,
offset,
e_map,
GFP_ATOMIC);
rc = netlbl_catmap_setlong(catmap, offset,
e_map, GFP_ATOMIC);
if (rc != 0)
goto netlbl_export_failure;
}
......@@ -185,7 +180,8 @@ int ebitmap_netlbl_import(struct ebitmap *ebmap,
if (e_iter == NULL ||
offset >= e_iter->startbit + EBITMAP_SIZE) {
e_prev = e_iter;
e_iter = kmem_cache_zalloc(ebitmap_node_cachep, GFP_ATOMIC);
e_iter = kmem_cache_zalloc(ebitmap_node_cachep,
GFP_ATOMIC);
if (e_iter == NULL)
goto netlbl_import_failure;
e_iter->startbit = offset - (offset % EBITMAP_SIZE);
......@@ -218,7 +214,8 @@ int ebitmap_netlbl_import(struct ebitmap *ebmap,
* if last_e2bit is non-zero, the highest set bit in e2 cannot exceed
* last_e2bit.
*/
int ebitmap_contains(const struct ebitmap *e1, const struct ebitmap *e2, u32 last_e2bit)
int ebitmap_contains(const struct ebitmap *e1, const struct ebitmap *e2,
u32 last_e2bit)
{
const struct ebitmap_node *n1, *n2;
int i;
......@@ -234,7 +231,7 @@ int ebitmap_contains(const struct ebitmap *e1, const struct ebitmap *e2, u32 las
n1 = n1->next;
continue;
}
for (i = EBITMAP_UNIT_NUMS - 1; (i >= 0) && !n2->maps[i]; )
for (i = EBITMAP_UNIT_NUMS - 1; (i >= 0) && !n2->maps[i];)
i--; /* Skip trailing NULL map entries */
if (last_e2bit && (i >= 0)) {
u32 lastsetbit = n2->startbit + i * EBITMAP_UNIT_SIZE +
......@@ -302,8 +299,8 @@ int ebitmap_set_bit(struct ebitmap *e, unsigned long bit, int value)
* within the bitmap
*/
if (prev)
e->highbit = prev->startbit
+ EBITMAP_SIZE;
e->highbit = prev->startbit +
EBITMAP_SIZE;
else
e->highbit = 0;
}
......@@ -424,7 +421,8 @@ int ebitmap_read(struct ebitmap *e, void *fp)
if (!n || startbit >= n->startbit + EBITMAP_SIZE) {
struct ebitmap_node *tmp;
tmp = kmem_cache_zalloc(ebitmap_node_cachep, GFP_KERNEL);
tmp = kmem_cache_zalloc(ebitmap_node_cachep,
GFP_KERNEL);
if (!tmp) {
pr_err("SELinux: ebitmap: out of memory\n");
rc = -ENOMEM;
......@@ -481,7 +479,8 @@ int ebitmap_write(const struct ebitmap *e, void *fp)
count = 0;
last_bit = 0;
last_startbit = -1;
ebitmap_for_each_positive_bit(e, n, bit) {
ebitmap_for_each_positive_bit(e, n, bit)
{
if (rounddown(bit, (int)BITS_PER_U64) > last_startbit) {
count++;
last_startbit = rounddown(bit, BITS_PER_U64);
......@@ -497,7 +496,8 @@ int ebitmap_write(const struct ebitmap *e, void *fp)
map = 0;
last_startbit = INT_MIN;
ebitmap_for_each_positive_bit(e, n, bit) {
ebitmap_for_each_positive_bit(e, n, bit)
{
if (rounddown(bit, (int)BITS_PER_U64) > last_startbit) {
__le64 buf64[1];
......@@ -559,6 +559,6 @@ u32 ebitmap_hash(const struct ebitmap *e, u32 hash)
void __init ebitmap_cache_init(void)
{
ebitmap_node_cachep = kmem_cache_create("ebitmap_node",
sizeof(struct ebitmap_node),
0, SLAB_PANIC, NULL);
sizeof(struct ebitmap_node), 0,
SLAB_PANIC, NULL);
}
......@@ -12,6 +12,7 @@
*
* Author : Stephen Smalley, <stephen.smalley.work@gmail.com>
*/
#ifndef _SS_EBITMAP_H_
#define _SS_EBITMAP_H_
......@@ -23,8 +24,9 @@
#define EBITMAP_NODE_SIZE 32
#endif
#define EBITMAP_UNIT_NUMS ((EBITMAP_NODE_SIZE-sizeof(void *)-sizeof(u32))\
/ sizeof(unsigned long))
#define EBITMAP_UNIT_NUMS \
((EBITMAP_NODE_SIZE - sizeof(void *) - sizeof(u32)) / \
sizeof(unsigned long))
#define EBITMAP_UNIT_SIZE BITS_PER_LONG
#define EBITMAP_SIZE (EBITMAP_UNIT_NUMS * EBITMAP_UNIT_SIZE)
#define EBITMAP_BIT 1ULL
......@@ -120,12 +122,14 @@ static inline void ebitmap_node_clr_bit(struct ebitmap_node *n,
#define ebitmap_for_each_positive_bit(e, n, bit) \
for ((bit) = ebitmap_start_positive(e, &(n)); \
(bit) < ebitmap_length(e); \
(bit) = ebitmap_next_positive(e, &(n), bit)) \
(bit) = ebitmap_next_positive(e, &(n), bit))
int ebitmap_cmp(const struct ebitmap *e1, const struct ebitmap *e2);
int ebitmap_cpy(struct ebitmap *dst, const struct ebitmap *src);
int ebitmap_and(struct ebitmap *dst, const struct ebitmap *e1, const struct ebitmap *e2);
int ebitmap_contains(const struct ebitmap *e1, const struct ebitmap *e2, u32 last_e2bit);
int ebitmap_and(struct ebitmap *dst, const struct ebitmap *e1,
const struct ebitmap *e2);
int ebitmap_contains(const struct ebitmap *e1, const struct ebitmap *e2,
u32 last_e2bit);
int ebitmap_get_bit(const struct ebitmap *e, unsigned long bit);
int ebitmap_set_bit(struct ebitmap *e, unsigned long bit, int value);
void ebitmap_destroy(struct ebitmap *e);
......
......@@ -4,6 +4,7 @@
*
* Author : Stephen Smalley, <stephen.smalley.work@gmail.com>
*/
#include <linux/kernel.h>
#include <linux/slab.h>
#include <linux/errno.h>
......@@ -47,8 +48,8 @@ int hashtab_init(struct hashtab *h, u32 nel_hint)
return 0;
}
int __hashtab_insert(struct hashtab *h, struct hashtab_node **dst,
void *key, void *datum)
int __hashtab_insert(struct hashtab *h, struct hashtab_node **dst, void *key,
void *datum)
{
struct hashtab_node *newnode;
......@@ -83,8 +84,7 @@ void hashtab_destroy(struct hashtab *h)
h->htable = NULL;
}
int hashtab_map(struct hashtab *h,
int (*apply)(void *k, void *d, void *args),
int hashtab_map(struct hashtab *h, int (*apply)(void *k, void *d, void *args),
void *args)
{
u32 i;
......@@ -139,8 +139,7 @@ void hashtab_stat(struct hashtab *h, struct hashtab_info *info)
int hashtab_duplicate(struct hashtab *new, struct hashtab *orig,
int (*copy)(struct hashtab_node *new,
struct hashtab_node *orig, void *args),
int (*destroy)(void *k, void *d, void *args),
void *args)
int (*destroy)(void *k, void *d, void *args), void *args)
{
struct hashtab_node *cur, *tmp, *tail;
u32 i;
......@@ -178,7 +177,7 @@ int hashtab_duplicate(struct hashtab *new, struct hashtab *orig,
return 0;
error:
error:
for (i = 0; i < new->size; i++) {
for (cur = new->htable[i]; cur; cur = tmp) {
tmp = cur->next;
......@@ -194,6 +193,6 @@ int hashtab_duplicate(struct hashtab *new, struct hashtab *orig,
void __init hashtab_cache_init(void)
{
hashtab_node_cachep = kmem_cache_create("hashtab_node",
sizeof(struct hashtab_node),
0, SLAB_PANIC, NULL);
sizeof(struct hashtab_node), 0,
SLAB_PANIC, NULL);
}
......@@ -8,6 +8,7 @@
*
* Author : Stephen Smalley, <stephen.smalley.work@gmail.com>
*/
#ifndef _SS_HASHTAB_H_
#define _SS_HASHTAB_H_
......@@ -18,9 +19,8 @@
#define HASHTAB_MAX_NODES U32_MAX
struct hashtab_key_params {
u32 (*hash)(const void *key); /* hash function */
int (*cmp)(const void *key1, const void *key2);
/* key comparison function */
u32 (*hash)(const void *key); /* hash func */
int (*cmp)(const void *key1, const void *key2); /* comparison func */
};
struct hashtab_node {
......@@ -48,8 +48,8 @@ struct hashtab_info {
*/
int hashtab_init(struct hashtab *h, u32 nel_hint);
int __hashtab_insert(struct hashtab *h, struct hashtab_node **dst,
void *key, void *datum);
int __hashtab_insert(struct hashtab *h, struct hashtab_node **dst, void *key,
void *datum);
/*
* Inserts the specified (key, datum) pair into the specified hash table.
......@@ -84,8 +84,8 @@ static inline int hashtab_insert(struct hashtab *h, void *key, void *datum,
cur = cur->next;
}
return __hashtab_insert(h, prev ? &prev->next : &h->htable[hvalue],
key, datum);
return __hashtab_insert(h, prev ? &prev->next : &h->htable[hvalue], key,
datum);
}
/*
......@@ -133,15 +133,13 @@ void hashtab_destroy(struct hashtab *h);
* iterating through the hash table and will propagate the error
* return to its caller.
*/
int hashtab_map(struct hashtab *h,
int (*apply)(void *k, void *d, void *args),
int hashtab_map(struct hashtab *h, int (*apply)(void *k, void *d, void *args),
void *args);
int hashtab_duplicate(struct hashtab *new, struct hashtab *orig,
int (*copy)(struct hashtab_node *new,
struct hashtab_node *orig, void *args),
int (*destroy)(void *k, void *d, void *args),
void *args);
int (*destroy)(void *k, void *d, void *args), void *args);
#ifdef CONFIG_SECURITY_SELINUX_DEBUG
/* Fill info with some hash table statistics */
......@@ -149,6 +147,7 @@ void hashtab_stat(struct hashtab *h, struct hashtab_info *info);
#else
static inline void hashtab_stat(struct hashtab *h, struct hashtab_info *info)
{
return;
}
#endif
......
......@@ -4,19 +4,15 @@
*
* Author : Stephen Smalley, <stephen.smalley.work@gmail.com>
*/
/*
* Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
*
* Support for enhanced MLS infrastructure.
*
* Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
*/
/*
* Updated: Hewlett-Packard <paul@paul-moore.com>
*
* Updated: Hewlett-Packard <paul@paul-moore.com>
* Added support to import/export the MLS label from NetLabel
*
* (c) Copyright Hewlett-Packard Development Company, L.P., 2006
* Copyright (C) Hewlett-Packard Development Company, L.P., 2006
*/
#include <linux/kernel.h>
......@@ -52,7 +48,8 @@ int mls_compute_context_len(struct policydb *p, struct context *context)
head = -2;
prev = -2;
e = &context->range.level[l].cat;
ebitmap_for_each_positive_bit(e, node, i) {
ebitmap_for_each_positive_bit(e, node, i)
{
if (i - prev > 1) {
/* one or more negative bits are skipped */
if (head != prev) {
......@@ -86,8 +83,7 @@ int mls_compute_context_len(struct policydb *p, struct context *context)
* the MLS fields of `context' into the string `*scontext'.
* Update `*scontext' to point to the end of the MLS fields.
*/
void mls_sid_to_context(struct policydb *p,
struct context *context,
void mls_sid_to_context(struct policydb *p, struct context *context,
char **scontext)
{
char *scontextp, *nm;
......@@ -112,7 +108,8 @@ void mls_sid_to_context(struct policydb *p,
head = -2;
prev = -2;
e = &context->range.level[l].cat;
ebitmap_for_each_positive_bit(e, node, i) {
ebitmap_for_each_positive_bit(e, node, i)
{
if (i - prev > 1) {
/* one or more negative bits are skipped */
if (prev != head) {
......@@ -230,12 +227,8 @@ int mls_context_isvalid(struct policydb *p, struct context *c)
* Policy read-lock must be held for sidtab lookup.
*
*/
int mls_context_to_sid(struct policydb *pol,
char oldc,
char *scontext,
struct context *context,
struct sidtab *s,
u32 def_sid)
int mls_context_to_sid(struct policydb *pol, char oldc, char *scontext,
struct context *context, struct sidtab *s, u32 def_sid)
{
char *sensitivity, *cur_cat, *next_cat, *rngptr;
struct level_datum *levdatum;
......@@ -333,7 +326,8 @@ int mls_context_to_sid(struct policydb *pol,
return -EINVAL;
for (i = catdatum->value; i < rngdatum->value; i++) {
rc = ebitmap_set_bit(&context->range.level[l].cat, i, 1);
rc = ebitmap_set_bit(
&context->range.level[l].cat, i, 1);
if (rc)
return rc;
}
......@@ -371,8 +365,8 @@ int mls_from_string(struct policydb *p, char *str, struct context *context,
if (!tmpstr) {
rc = -ENOMEM;
} else {
rc = mls_context_to_sid(p, ':', tmpstr, context,
NULL, SECSID_NULL);
rc = mls_context_to_sid(p, ':', tmpstr, context, NULL,
SECSID_NULL);
kfree(tmpstr);
}
......@@ -382,8 +376,7 @@ int mls_from_string(struct policydb *p, char *str, struct context *context,
/*
* Copies the MLS range `range' into `context'.
*/
int mls_range_set(struct context *context,
struct mls_range *range)
int mls_range_set(struct context *context, struct mls_range *range)
{
int l, rc = 0;
......@@ -399,9 +392,8 @@ int mls_range_set(struct context *context,
return rc;
}
int mls_setup_user_range(struct policydb *p,
struct context *fromcon, struct user_datum *user,
struct context *usercon)
int mls_setup_user_range(struct policydb *p, struct context *fromcon,
struct user_datum *user, struct context *usercon)
{
if (p->mls_enabled) {
struct mls_level *fromcon_sen = &(fromcon->range.level[0]);
......@@ -444,10 +436,8 @@ int mls_setup_user_range(struct policydb *p,
* policy `oldp' to the values specified in the policy `newp',
* storing the resulting context in `newc'.
*/
int mls_convert_context(struct policydb *oldp,
struct policydb *newp,
struct context *oldc,
struct context *newc)
int mls_convert_context(struct policydb *oldp, struct policydb *newp,
struct context *oldc, struct context *newc)
{
struct level_datum *levdatum;
struct cat_datum *catdatum;
......@@ -468,8 +458,9 @@ int mls_convert_context(struct policydb *oldp,
return -EINVAL;
newc->range.level[l].sens = levdatum->level->sens;
ebitmap_for_each_positive_bit(&oldc->range.level[l].cat,
node, i) {
ebitmap_for_each_positive_bit(&oldc->range.level[l].cat, node,
i)
{
int rc;
catdatum = symtab_search(&newp->p_cats,
......@@ -486,13 +477,9 @@ int mls_convert_context(struct policydb *oldp,
return 0;
}
int mls_compute_sid(struct policydb *p,
struct context *scontext,
struct context *tcontext,
u16 tclass,
u32 specified,
struct context *newcontext,
bool sock)
int mls_compute_sid(struct policydb *p, struct context *scontext,
struct context *tcontext, u16 tclass, u32 specified,
struct context *newcontext, bool sock)
{
struct range_trans rtr;
struct mls_range *r;
......@@ -532,8 +519,8 @@ int mls_compute_sid(struct policydb *p,
case DEFAULT_TARGET_LOW_HIGH:
return mls_context_cpy(newcontext, tcontext);
case DEFAULT_GLBLUB:
return mls_context_glblub(newcontext,
scontext, tcontext);
return mls_context_glblub(newcontext, scontext,
tcontext);
}
fallthrough;
......@@ -563,8 +550,7 @@ int mls_compute_sid(struct policydb *p,
* NetLabel MLS sensitivity level field.
*
*/
void mls_export_netlbl_lvl(struct policydb *p,
struct context *context,
void mls_export_netlbl_lvl(struct policydb *p, struct context *context,
struct netlbl_lsm_secattr *secattr)
{
if (!p->mls_enabled)
......@@ -585,8 +571,7 @@ void mls_export_netlbl_lvl(struct policydb *p,
* NetLabel MLS sensitivity level into the context.
*
*/
void mls_import_netlbl_lvl(struct policydb *p,
struct context *context,
void mls_import_netlbl_lvl(struct policydb *p, struct context *context,
struct netlbl_lsm_secattr *secattr)
{
if (!p->mls_enabled)
......@@ -607,8 +592,7 @@ void mls_import_netlbl_lvl(struct policydb *p,
* MLS category field. Returns zero on success, negative values on failure.
*
*/
int mls_export_netlbl_cat(struct policydb *p,
struct context *context,
int mls_export_netlbl_cat(struct policydb *p, struct context *context,
struct netlbl_lsm_secattr *secattr)
{
int rc;
......@@ -637,8 +621,7 @@ int mls_export_netlbl_cat(struct policydb *p,
* negative values on failure.
*
*/
int mls_import_netlbl_cat(struct policydb *p,
struct context *context,
int mls_import_netlbl_cat(struct policydb *p, struct context *context,
struct netlbl_lsm_secattr *secattr)
{
int rc;
......
......@@ -4,19 +4,15 @@
*
* Author : Stephen Smalley, <stephen.smalley.work@gmail.com>
*/
/*
* Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
*
* Support for enhanced MLS infrastructure.
*
* Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
*/
/*
* Updated: Hewlett-Packard <paul@paul-moore.com>
*
* Updated: Hewlett-Packard <paul@paul-moore.com>
* Added support to import/export the MLS label from NetLabel
*
* (c) Copyright Hewlett-Packard Development Company, L.P., 2006
* Copyright (X) Hewlett-Packard Development Company, L.P., 2006
*/
#ifndef _SS_MLS_H_
......@@ -35,47 +31,32 @@ int mls_context_isvalid(struct policydb *p, struct context *c);
int mls_range_isvalid(struct policydb *p, struct mls_range *r);
int mls_level_isvalid(struct policydb *p, struct mls_level *l);
int mls_context_to_sid(struct policydb *p,
char oldc,
char *scontext,
struct context *context,
struct sidtab *s,
u32 def_sid);
int mls_context_to_sid(struct policydb *p, char oldc, char *scontext,
struct context *context, struct sidtab *s, u32 def_sid);
int mls_from_string(struct policydb *p, char *str, struct context *context,
gfp_t gfp_mask);
int mls_range_set(struct context *context, struct mls_range *range);
int mls_convert_context(struct policydb *oldp,
struct policydb *newp,
struct context *oldc,
struct context *newc);
int mls_convert_context(struct policydb *oldp, struct policydb *newp,
struct context *oldc, struct context *newc);
int mls_compute_sid(struct policydb *p,
struct context *scontext,
struct context *tcontext,
u16 tclass,
u32 specified,
struct context *newcontext,
bool sock);
int mls_compute_sid(struct policydb *p, struct context *scontext,
struct context *tcontext, u16 tclass, u32 specified,
struct context *newcontext, bool sock);
int mls_setup_user_range(struct policydb *p,
struct context *fromcon, struct user_datum *user,
struct context *usercon);
int mls_setup_user_range(struct policydb *p, struct context *fromcon,
struct user_datum *user, struct context *usercon);
#ifdef CONFIG_NETLABEL
void mls_export_netlbl_lvl(struct policydb *p,
struct context *context,
void mls_export_netlbl_lvl(struct policydb *p, struct context *context,
struct netlbl_lsm_secattr *secattr);
void mls_import_netlbl_lvl(struct policydb *p,
struct context *context,
void mls_import_netlbl_lvl(struct policydb *p, struct context *context,
struct netlbl_lsm_secattr *secattr);
int mls_export_netlbl_cat(struct policydb *p,
struct context *context,
int mls_export_netlbl_cat(struct policydb *p, struct context *context,
struct netlbl_lsm_secattr *secattr);
int mls_import_netlbl_cat(struct policydb *p,
struct context *context,
int mls_import_netlbl_cat(struct policydb *p, struct context *context,
struct netlbl_lsm_secattr *secattr);
#else
static inline void mls_export_netlbl_lvl(struct policydb *p,
......@@ -113,4 +94,3 @@ static inline u32 mls_range_hash(const struct mls_range *r, u32 hash)
}
#endif /* _SS_MLS_H */
......@@ -4,11 +4,10 @@
*
* Author : Stephen Smalley, <stephen.smalley.work@gmail.com>
*/
/*
* Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
*
* Support for enhanced MLS infrastructure.
*
* Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
*/
......@@ -27,26 +26,27 @@ struct mls_range {
struct mls_level level[2]; /* low == level[0], high == level[1] */
};
static inline int mls_level_eq(const struct mls_level *l1, const struct mls_level *l2)
static inline int mls_level_eq(const struct mls_level *l1,
const struct mls_level *l2)
{
return ((l1->sens == l2->sens) &&
ebitmap_cmp(&l1->cat, &l2->cat));
return ((l1->sens == l2->sens) && ebitmap_cmp(&l1->cat, &l2->cat));
}
static inline int mls_level_dom(const struct mls_level *l1, const struct mls_level *l2)
static inline int mls_level_dom(const struct mls_level *l1,
const struct mls_level *l2)
{
return ((l1->sens >= l2->sens) &&
ebitmap_contains(&l1->cat, &l2->cat, 0));
}
#define mls_level_incomp(l1, l2) \
(!mls_level_dom((l1), (l2)) && !mls_level_dom((l2), (l1)))
(!mls_level_dom((l1), (l2)) && !mls_level_dom((l2), (l1)))
#define mls_level_between(l1, l2, l3) \
(mls_level_dom((l1), (l2)) && mls_level_dom((l3), (l1)))
(mls_level_dom((l1), (l2)) && mls_level_dom((l3), (l1)))
#define mls_range_contains(r1, r2) \
(mls_level_dom(&(r2).level[0], &(r1).level[0]) && \
(mls_level_dom(&(r2).level[0], &(r1).level[0]) && \
mls_level_dom(&(r1).level[1], &(r2).level[1]))
#endif /* _SS_MLS_TYPES_H_ */
......@@ -7,25 +7,21 @@
/*
* Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
*
* Support for enhanced MLS infrastructure.
* Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
*
* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
*
* Updated: Frank Mayer <mayerf@tresys.com> and
* Karl MacMillan <kmacmillan@tresys.com>
* Added conditional policy language extensions
* Copyright (C) 2003-2004 Tresys Technology, LLC
*
* Updated: Hewlett-Packard <paul@paul-moore.com>
*
* Added support for the policy capability bitmap
* Copyright (C) 2007 Hewlett-Packard Development Company, L.P.
*
* Update: Mellanox Techonologies
*
* Added Infiniband support
*
* Copyright (C) 2016 Mellanox Techonologies
* Copyright (C) 2007 Hewlett-Packard Development Company, L.P.
* Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
* Copyright (C) 2003 - 2004 Tresys Technology, LLC
*/
#include <linux/kernel.h>
......@@ -42,6 +38,7 @@
#include "services.h"
#ifdef CONFIG_SECURITY_SELINUX_DEBUG
/* clang-format off */
static const char *const symtab_name[SYM_NUM] = {
"common prefixes",
"classes",
......@@ -52,6 +49,7 @@ static const char *const symtab_name[SYM_NUM] = {
"levels",
"categories",
};
/* clang-format off */
#endif
struct policydb_compat_info {
......@@ -159,7 +157,8 @@ static const struct policydb_compat_info policydb_compat[] = {
},
};
static const struct policydb_compat_info *policydb_lookup_compat(unsigned int version)
static const struct policydb_compat_info *
policydb_lookup_compat(unsigned int version)
{
unsigned int i;
......@@ -312,7 +311,8 @@ static int cat_destroy(void *key, void *datum, void *p)
return 0;
}
static int (*const destroy_f[SYM_NUM]) (void *key, void *datum, void *datap) = {
/* clang-format off */
static int (*const destroy_f[SYM_NUM])(void *key, void *datum, void *datap) = {
common_destroy,
cls_destroy,
role_destroy,
......@@ -322,6 +322,7 @@ static int (*const destroy_f[SYM_NUM]) (void *key, void *datum, void *datap) = {
sens_destroy,
cat_destroy,
};
/* clang-format on */
static int filenametr_destroy(void *key, void *datum, void *p)
{
......@@ -366,8 +367,8 @@ static void ocontext_destroy(struct ocontext *c, unsigned int i)
context_destroy(&c->context[0]);
context_destroy(&c->context[1]);
if (i == OCON_ISID || i == OCON_FS ||
i == OCON_NETIF || i == OCON_FSUSE)
if (i == OCON_ISID || i == OCON_FS || i == OCON_NETIF ||
i == OCON_FSUSE)
kfree(c->u.name);
kfree(c);
}
......@@ -429,7 +430,6 @@ static int filenametr_cmp(const void *k1, const void *k2)
return v;
return strcmp(ft1->name, ft2->name);
}
static const struct hashtab_key_params filenametr_key_params = {
......@@ -437,8 +437,8 @@ static const struct hashtab_key_params filenametr_key_params = {
.cmp = filenametr_cmp,
};
struct filename_trans_datum *policydb_filenametr_search(
struct policydb *p, struct filename_trans_key *key)
struct filename_trans_datum *
policydb_filenametr_search(struct policydb *p, struct filename_trans_key *key)
{
return hashtab_search(&p->filename_trans, key, filenametr_key_params);
}
......@@ -484,7 +484,8 @@ static u32 role_trans_hash(const void *k)
{
const struct role_trans_key *key = k;
return jhash_3words(key->role, key->type, (u32)key->tclass << 16 | key->tclass, 0);
return jhash_3words(key->role, key->type,
(u32)key->tclass << 16 | key->tclass, 0);
}
static int role_trans_cmp(const void *k1, const void *k2)
......@@ -576,9 +577,8 @@ static int role_index(void *key, void *datum, void *datap)
role = datum;
p = datap;
if (!role->value
|| role->value > p->p_roles.nprim
|| role->bounds > p->p_roles.nprim)
if (!role->value || role->value > p->p_roles.nprim ||
role->bounds > p->p_roles.nprim)
return -EINVAL;
p->sym_val_to_name[SYM_ROLES][role->value - 1] = key;
......@@ -595,9 +595,8 @@ static int type_index(void *key, void *datum, void *datap)
p = datap;
if (typdatum->primary) {
if (!typdatum->value
|| typdatum->value > p->p_types.nprim
|| typdatum->bounds > p->p_types.nprim)
if (!typdatum->value || typdatum->value > p->p_types.nprim ||
typdatum->bounds > p->p_types.nprim)
return -EINVAL;
p->sym_val_to_name[SYM_TYPES][typdatum->value - 1] = key;
p->type_val_to_struct[typdatum->value - 1] = typdatum;
......@@ -613,9 +612,8 @@ static int user_index(void *key, void *datum, void *datap)
usrdatum = datum;
p = datap;
if (!usrdatum->value
|| usrdatum->value > p->p_users.nprim
|| usrdatum->bounds > p->p_users.nprim)
if (!usrdatum->value || usrdatum->value > p->p_users.nprim ||
usrdatum->bounds > p->p_users.nprim)
return -EINVAL;
p->sym_val_to_name[SYM_USERS][usrdatum->value - 1] = key;
......@@ -660,7 +658,8 @@ static int cat_index(void *key, void *datum, void *datap)
return 0;
}
static int (*const index_f[SYM_NUM]) (void *key, void *datum, void *datap) = {
/* clang-format off */
static int (*const index_f[SYM_NUM])(void *key, void *datum, void *datap) = {
common_index,
class_index,
role_index,
......@@ -670,6 +669,7 @@ static int (*const index_f[SYM_NUM]) (void *key, void *datum, void *datap) = {
sens_index,
cat_index,
};
/* clang-format on */
#ifdef CONFIG_SECURITY_SELINUX_DEBUG
static void hash_eval(struct hashtab *h, const char *hash_name)
......@@ -677,9 +677,10 @@ static void hash_eval(struct hashtab *h, const char *hash_name)
struct hashtab_info info;
hashtab_stat(h, &info);
pr_debug("SELinux: %s: %d entries and %d/%d buckets used, longest chain length %d, sum of chain length^2 %llu\n",
hash_name, h->nel, info.slots_used, h->size,
info.max_chain_len, info.chain2_len_sum);
pr_debug(
"SELinux: %s: %d entries and %d/%d buckets used, longest chain length %d, sum of chain length^2 %llu\n",
hash_name, h->nel, info.slots_used, h->size, info.max_chain_len,
info.chain2_len_sum);
}
static void symtab_hash_eval(struct symtab *s)
......@@ -710,7 +711,8 @@ static int policydb_index(struct policydb *p)
int i, rc;
if (p->mls_enabled)
pr_debug("SELinux: %d users, %d roles, %d types, %d bools, %d sens, %d cats\n",
pr_debug(
"SELinux: %d users, %d roles, %d types, %d bools, %d sens, %d cats\n",
p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim,
p->p_bools.nprim, p->p_levels.nprim, p->p_cats.nprim);
else
......@@ -718,8 +720,8 @@ static int policydb_index(struct policydb *p)
p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim,
p->p_bools.nprim);
pr_debug("SELinux: %d classes, %d rules\n",
p->p_classes.nprim, p->te_avtab.nel);
pr_debug("SELinux: %d classes, %d rules\n", p->p_classes.nprim,
p->te_avtab.nel);
avtab_hash_eval(&p->te_avtab, "rules");
symtab_hash_eval(p->symtab);
......@@ -730,21 +732,18 @@ static int policydb_index(struct policydb *p)
if (!p->class_val_to_struct)
return -ENOMEM;
p->role_val_to_struct = kcalloc(p->p_roles.nprim,
sizeof(*p->role_val_to_struct),
GFP_KERNEL);
p->role_val_to_struct = kcalloc(
p->p_roles.nprim, sizeof(*p->role_val_to_struct), GFP_KERNEL);
if (!p->role_val_to_struct)
return -ENOMEM;
p->user_val_to_struct = kcalloc(p->p_users.nprim,
sizeof(*p->user_val_to_struct),
GFP_KERNEL);
p->user_val_to_struct = kcalloc(
p->p_users.nprim, sizeof(*p->user_val_to_struct), GFP_KERNEL);
if (!p->user_val_to_struct)
return -ENOMEM;
p->type_val_to_struct = kvcalloc(p->p_types.nprim,
sizeof(*p->type_val_to_struct),
GFP_KERNEL);
p->type_val_to_struct = kvcalloc(
p->p_types.nprim, sizeof(*p->type_val_to_struct), GFP_KERNEL);
if (!p->type_val_to_struct)
return -ENOMEM;
......@@ -754,8 +753,7 @@ static int policydb_index(struct policydb *p)
for (i = 0; i < SYM_NUM; i++) {
p->sym_val_to_name[i] = kvcalloc(p->symtab[i].nprim,
sizeof(char *),
GFP_KERNEL);
sizeof(char *), GFP_KERNEL);
if (!p->sym_val_to_name[i])
return -ENOMEM;
......@@ -857,8 +855,7 @@ void policydb_destroy(struct policydb *p)
int policydb_load_isids(struct policydb *p, struct sidtab *s)
{
struct ocontext *head, *c;
bool isid_init_supported = ebitmap_get_bit(&p->policycaps,
POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT);
bool isid_init;
int rc;
rc = sidtab_init(s);
......@@ -867,6 +864,9 @@ int policydb_load_isids(struct policydb *p, struct sidtab *s)
return rc;
}
isid_init = ebitmap_get_bit(&p->policycaps,
POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT);
head = p->ocontexts[OCON_ISID];
for (c = head; c; c = c->next) {
u32 sid = c->sid[0];
......@@ -886,7 +886,7 @@ int policydb_load_isids(struct policydb *p, struct sidtab *s)
* Also ignore SECINITSID_INIT if the policy doesn't declare
* support for it
*/
if (sid == SECINITSID_INIT && !isid_init_supported)
if (sid == SECINITSID_INIT && !isid_init)
continue;
rc = sidtab_set_initial(s, sid, &c->context[0]);
......@@ -905,8 +905,9 @@ int policydb_load_isids(struct policydb *p, struct sidtab *s)
* started before policy load would initially get the context
* corresponding to SECINITSID_KERNEL.
*/
if (sid == SECINITSID_KERNEL && !isid_init_supported) {
rc = sidtab_set_initial(s, SECINITSID_INIT, &c->context[0]);
if (sid == SECINITSID_KERNEL && !isid_init) {
rc = sidtab_set_initial(s, SECINITSID_INIT,
&c->context[0]);
if (rc) {
pr_err("SELinux: unable to load initial SID %s.\n",
name);
......@@ -1047,8 +1048,7 @@ static int mls_read_range_helper(struct mls_range *r, void *fp)
* Read and validate a security context structure
* from a policydb binary representation file.
*/
static int context_read_and_validate(struct context *c,
struct policydb *p,
static int context_read_and_validate(struct context *c, struct policydb *p,
void *fp)
{
__le32 buf[3];
......@@ -1211,9 +1211,7 @@ static int type_set_read(struct type_set *t, void *fp)
return 0;
}
static int read_cons_helper(struct policydb *p,
struct constraint_node **nodep,
static int read_cons_helper(struct policydb *p, struct constraint_node **nodep,
u32 ncons, int allowxtarget, void *fp)
{
struct constraint_node *c, *lc;
......@@ -1284,8 +1282,9 @@ static int read_cons_helper(struct policydb *p,
return rc;
if (p->policyvers >=
POLICYDB_VERSION_CONSTRAINT_NAMES) {
e->type_names = kzalloc(sizeof
(*e->type_names), GFP_KERNEL);
e->type_names =
kzalloc(sizeof(*e->type_names),
GFP_KERNEL);
if (!e->type_names)
return -ENOMEM;
type_set_init(e->type_names);
......@@ -1319,7 +1318,7 @@ static int class_read(struct policydb *p, struct symtab *s, void *fp)
if (!cladatum)
return -ENOMEM;
rc = next_entry(buf, fp, sizeof(u32)*6);
rc = next_entry(buf, fp, sizeof(u32) * 6);
if (rc)
goto bad;
......@@ -1345,8 +1344,8 @@ static int class_read(struct policydb *p, struct symtab *s, void *fp)
goto bad;
rc = -EINVAL;
cladatum->comdatum = symtab_search(&p->p_commons,
cladatum->comkey);
cladatum->comdatum =
symtab_search(&p->p_commons, cladatum->comkey);
if (!cladatum->comdatum) {
pr_err("SELinux: unknown common %s\n",
cladatum->comkey);
......@@ -1369,8 +1368,8 @@ static int class_read(struct policydb *p, struct symtab *s, void *fp)
if (rc)
goto bad;
ncons = le32_to_cpu(buf[0]);
rc = read_cons_helper(p, &cladatum->validatetrans,
ncons, 1, fp);
rc = read_cons_helper(p, &cladatum->validatetrans, ncons, 1,
fp);
if (rc)
goto bad;
}
......@@ -1507,7 +1506,6 @@ static int type_read(struct policydb *p, struct symtab *s, void *fp)
return rc;
}
/*
* Read a MLS level structure from a policydb binary
* representation file.
......@@ -1659,8 +1657,9 @@ static int cat_read(struct policydb *p, struct symtab *s, void *fp)
return rc;
}
static int (*const read_f[SYM_NUM]) (struct policydb *p,
struct symtab *s, void *fp) = {
/* clang-format off */
static int (*const read_f[SYM_NUM])(struct policydb *p, struct symtab *s,
void *fp) = {
common_read,
class_read,
role_read,
......@@ -1670,6 +1669,7 @@ static int (*const read_f[SYM_NUM]) (struct policydb *p,
sens_read,
cat_read,
};
/* clang-format on */
static int user_bounds_sanity_check(void *key, void *datum, void *datap)
{
......@@ -1685,12 +1685,13 @@ static int user_bounds_sanity_check(void *key, void *datum, void *datap)
if (++depth == POLICYDB_BOUNDS_MAXDEPTH) {
pr_err("SELinux: user %s: "
"too deep or looped boundary\n",
(char *) key);
(char *)key);
return -EINVAL;
}
upper = p->user_val_to_struct[upper->bounds - 1];
ebitmap_for_each_positive_bit(&user->roles, node, bit) {
ebitmap_for_each_positive_bit(&user->roles, node, bit)
{
if (ebitmap_get_bit(&upper->roles, bit))
continue;
......@@ -1721,12 +1722,13 @@ static int role_bounds_sanity_check(void *key, void *datum, void *datap)
if (++depth == POLICYDB_BOUNDS_MAXDEPTH) {
pr_err("SELinux: role %s: "
"too deep or looped bounds\n",
(char *) key);
(char *)key);
return -EINVAL;
}
upper = p->role_val_to_struct[upper->bounds - 1];
ebitmap_for_each_positive_bit(&role->types, node, bit) {
ebitmap_for_each_positive_bit(&role->types, node, bit)
{
if (ebitmap_get_bit(&upper->types, bit))
continue;
......@@ -1754,7 +1756,7 @@ static int type_bounds_sanity_check(void *key, void *datum, void *datap)
if (++depth == POLICYDB_BOUNDS_MAXDEPTH) {
pr_err("SELinux: type %s: "
"too deep or looped boundary\n",
(char *) key);
(char *)key);
return -EINVAL;
}
......@@ -1764,7 +1766,7 @@ static int type_bounds_sanity_check(void *key, void *datum, void *datap)
if (upper->attribute) {
pr_err("SELinux: type %s: "
"bounded by attribute %s\n",
(char *) key,
(char *)key,
sym_name(p, SYM_TYPES, upper->value - 1));
return -EINVAL;
}
......@@ -1815,7 +1817,7 @@ u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name)
if (!tclass || tclass > p->p_classes.nprim)
return 0;
cladatum = p->class_val_to_struct[tclass-1];
cladatum = p->class_val_to_struct[tclass - 1];
comdatum = cladatum->comdatum;
if (comdatum)
perdatum = symtab_search(&comdatum->permissions, name);
......@@ -1824,7 +1826,7 @@ u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name)
if (!perdatum)
return 0;
return 1U << (perdatum->value-1);
return 1U << (perdatum->value - 1);
}
static int range_read(struct policydb *p, void *fp)
......@@ -2192,12 +2194,12 @@ static int genfs_read(struct policydb *p, void *fp)
goto out;
newc->v.sclass = le32_to_cpu(buf[0]);
rc = context_read_and_validate(&newc->context[0], p, fp);
rc = context_read_and_validate(&newc->context[0], p,
fp);
if (rc)
goto out;
for (l = NULL, c = genfs->head; c;
l = c, c = c->next) {
for (l = NULL, c = genfs->head; c; l = c, c = c->next) {
rc = -EINVAL;
if (!strcmp(newc->u.name, c->u.name) &&
(!c->v.sclass || !newc->v.sclass ||
......@@ -2231,8 +2233,8 @@ static int genfs_read(struct policydb *p, void *fp)
return rc;
}
static int ocontext_read(struct policydb *p, const struct policydb_compat_info *info,
void *fp)
static int ocontext_read(struct policydb *p,
const struct policydb_compat_info *info, void *fp)
{
int rc;
unsigned int i;
......@@ -2267,7 +2269,8 @@ static int ocontext_read(struct policydb *p, const struct policydb_compat_info *
goto out;
c->sid[0] = le32_to_cpu(buf[0]);
rc = context_read_and_validate(&c->context[0], p, fp);
rc = context_read_and_validate(&c->context[0],
p, fp);
if (rc)
goto out;
break;
......@@ -2286,21 +2289,24 @@ static int ocontext_read(struct policydb *p, const struct policydb_compat_info *
pr_warn("SELinux: void and deprecated fs ocon %s\n",
c->u.name);
rc = context_read_and_validate(&c->context[0], p, fp);
rc = context_read_and_validate(&c->context[0],
p, fp);
if (rc)
goto out;
rc = context_read_and_validate(&c->context[1], p, fp);
rc = context_read_and_validate(&c->context[1],
p, fp);
if (rc)
goto out;
break;
case OCON_PORT:
rc = next_entry(buf, fp, sizeof(u32)*3);
rc = next_entry(buf, fp, sizeof(u32) * 3);
if (rc)
goto out;
c->u.port.protocol = le32_to_cpu(buf[0]);
c->u.port.low_port = le32_to_cpu(buf[1]);
c->u.port.high_port = le32_to_cpu(buf[2]);
rc = context_read_and_validate(&c->context[0], p, fp);
rc = context_read_and_validate(&c->context[0],
p, fp);
if (rc)
goto out;
break;
......@@ -2310,12 +2316,13 @@ static int ocontext_read(struct policydb *p, const struct policydb_compat_info *
goto out;
c->u.node.addr = nodebuf[0]; /* network order */
c->u.node.mask = nodebuf[1]; /* network order */
rc = context_read_and_validate(&c->context[0], p, fp);
rc = context_read_and_validate(&c->context[0],
p, fp);
if (rc)
goto out;
break;
case OCON_FSUSE:
rc = next_entry(buf, fp, sizeof(u32)*2);
rc = next_entry(buf, fp, sizeof(u32) * 2);
if (rc)
goto out;
......@@ -2332,7 +2339,8 @@ static int ocontext_read(struct policydb *p, const struct policydb_compat_info *
if (rc)
goto out;
rc = context_read_and_validate(&c->context[0], p, fp);
rc = context_read_and_validate(&c->context[0],
p, fp);
if (rc)
goto out;
break;
......@@ -2345,8 +2353,9 @@ static int ocontext_read(struct policydb *p, const struct policydb_compat_info *
for (k = 0; k < 4; k++)
c->u.node6.addr[k] = nodebuf[k];
for (k = 0; k < 4; k++)
c->u.node6.mask[k] = nodebuf[k+4];
rc = context_read_and_validate(&c->context[0], p, fp);
c->u.node6.mask[k] = nodebuf[k + 4];
rc = context_read_and_validate(&c->context[0],
p, fp);
if (rc)
goto out;
break;
......@@ -2359,7 +2368,8 @@ static int ocontext_read(struct policydb *p, const struct policydb_compat_info *
goto out;
/* we need to have subnet_prefix in CPU order */
c->u.ibpkey.subnet_prefix = be64_to_cpu(prefixbuf[0]);
c->u.ibpkey.subnet_prefix =
be64_to_cpu(prefixbuf[0]);
rc = next_entry(buf, fp, sizeof(u32) * 2);
if (rc)
......@@ -2377,8 +2387,7 @@ static int ocontext_read(struct policydb *p, const struct policydb_compat_info *
c->u.ibpkey.high_pkey = pkey_hi;
rc = context_read_and_validate(&c->context[0],
p,
fp);
p, fp);
if (rc)
goto out;
break;
......@@ -2391,7 +2400,8 @@ static int ocontext_read(struct policydb *p, const struct policydb_compat_info *
goto out;
len = le32_to_cpu(buf[0]);
rc = str_read(&c->u.ibendport.dev_name, GFP_KERNEL, fp, len);
rc = str_read(&c->u.ibendport.dev_name,
GFP_KERNEL, fp, len);
if (rc)
goto out;
......@@ -2404,8 +2414,7 @@ static int ocontext_read(struct policydb *p, const struct policydb_compat_info *
c->u.ibendport.port = port;
rc = context_read_and_validate(&c->context[0],
p,
fp);
p, fp);
if (rc)
goto out;
break;
......@@ -2462,7 +2471,8 @@ int policydb_read(struct policydb *p, void *fp)
policydb_str = kmalloc(len + 1, GFP_KERNEL);
if (!policydb_str) {
pr_err("SELinux: unable to allocate memory for policydb "
"string of length %d\n", len);
"string of length %d\n",
len);
goto bad;
}
......@@ -2477,7 +2487,8 @@ int policydb_read(struct policydb *p, void *fp)
policydb_str[len] = '\0';
if (strcmp(policydb_str, POLICYDB_STRING)) {
pr_err("SELinux: policydb string %s does not match "
"my string %s\n", policydb_str, POLICYDB_STRING);
"my string %s\n",
policydb_str, POLICYDB_STRING);
kfree(policydb_str);
goto bad;
}
......@@ -2486,7 +2497,7 @@ int policydb_read(struct policydb *p, void *fp)
policydb_str = NULL;
/* Read the version and table sizes. */
rc = next_entry(buf, fp, sizeof(u32)*4);
rc = next_entry(buf, fp, sizeof(u32) * 4);
if (rc)
goto bad;
......@@ -2496,7 +2507,8 @@ int policydb_read(struct policydb *p, void *fp)
p->policyvers > POLICYDB_VERSION_MAX) {
pr_err("SELinux: policydb version %d does not match "
"my version range %d-%d\n",
le32_to_cpu(buf[0]), POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
le32_to_cpu(buf[0]), POLICYDB_VERSION_MIN,
POLICYDB_VERSION_MAX);
goto bad;
}
......@@ -2530,7 +2542,8 @@ int policydb_read(struct policydb *p, void *fp)
info = policydb_lookup_compat(p->policyvers);
if (!info) {
pr_err("SELinux: unable to find policy compat info "
"for version %d\n", p->policyvers);
"for version %d\n",
p->policyvers);
goto bad;
}
......@@ -2538,14 +2551,14 @@ int policydb_read(struct policydb *p, void *fp)
if (le32_to_cpu(buf[2]) != info->sym_num ||
le32_to_cpu(buf[3]) != info->ocon_num) {
pr_err("SELinux: policydb table sizes (%d,%d) do "
"not match mine (%d,%d)\n", le32_to_cpu(buf[2]),
le32_to_cpu(buf[3]),
info->sym_num, info->ocon_num);
"not match mine (%d,%d)\n",
le32_to_cpu(buf[2]), le32_to_cpu(buf[3]), info->sym_num,
info->ocon_num);
goto bad;
}
for (i = 0; i < info->sym_num; i++) {
rc = next_entry(buf, fp, sizeof(u32)*2);
rc = next_entry(buf, fp, sizeof(u32) * 2);
if (rc)
goto bad;
nprim = le32_to_cpu(buf[0]);
......@@ -2606,7 +2619,7 @@ int policydb_read(struct policydb *p, void *fp)
if (!rtd)
goto bad;
rc = next_entry(buf, fp, sizeof(u32)*3);
rc = next_entry(buf, fp, sizeof(u32) * 3);
if (rc)
goto bad;
......@@ -2650,7 +2663,7 @@ int policydb_read(struct policydb *p, void *fp)
lra->next = ra;
else
p->role_allow = ra;
rc = next_entry(buf, fp, sizeof(u32)*2);
rc = next_entry(buf, fp, sizeof(u32) * 2);
if (rc)
goto bad;
......@@ -2698,9 +2711,8 @@ int policydb_read(struct policydb *p, void *fp)
goto bad;
rc = -ENOMEM;
p->type_attr_map_array = kvcalloc(p->p_types.nprim,
sizeof(*p->type_attr_map_array),
GFP_KERNEL);
p->type_attr_map_array = kvcalloc(
p->p_types.nprim, sizeof(*p->type_attr_map_array), GFP_KERNEL);
if (!p->type_attr_map_array)
goto bad;
......@@ -2773,7 +2785,7 @@ static int mls_write_range_helper(struct mls_range *r, void *fp)
items = 2;
else
items = 3;
buf[0] = cpu_to_le32(items-1);
buf[0] = cpu_to_le32(items - 1);
buf[1] = cpu_to_le32(r->level[0].sens);
if (!eq)
buf[2] = cpu_to_le32(r->level[1].sens);
......@@ -2916,8 +2928,7 @@ static int role_allow_write(struct role_allow *r, void *fp)
* Write a security context structure
* to a policydb binary representation file.
*/
static int context_write(struct policydb *p, struct context *c,
void *fp)
static int context_write(struct policydb *p, struct context *c, void *fp)
{
int rc;
__le32 buf[3];
......@@ -3266,7 +3277,8 @@ static int user_write(void *vkey, void *datum, void *ptr)
return 0;
}
static int (*const write_f[SYM_NUM]) (void *key, void *datum, void *datap) = {
/* clang-format off */
static int (*const write_f[SYM_NUM])(void *key, void *datum, void *datap) = {
common_write,
class_write,
role_write,
......@@ -3276,9 +3288,10 @@ static int (*const write_f[SYM_NUM]) (void *key, void *datum, void *datap) = {
sens_write,
cat_write,
};
/* clang-format on */
static int ocontext_write(struct policydb *p, const struct policydb_compat_info *info,
void *fp)
static int ocontext_write(struct policydb *p,
const struct policydb_compat_info *info, void *fp)
{
unsigned int i, j;
int rc;
......@@ -3360,9 +3373,13 @@ static int ocontext_write(struct policydb *p, const struct policydb_compat_info
break;
case OCON_NODE6:
for (j = 0; j < 4; j++)
nodebuf[j] = c->u.node6.addr[j]; /* network order */
nodebuf[j] =
c->u.node6.addr
[j]; /* network order */
for (j = 0; j < 4; j++)
nodebuf[j + 4] = c->u.node6.mask[j]; /* network order */
nodebuf[j + 4] =
c->u.node6.mask
[j]; /* network order */
rc = put_entry(nodebuf, sizeof(u32), 8, fp);
if (rc)
return rc;
......@@ -3372,7 +3389,8 @@ static int ocontext_write(struct policydb *p, const struct policydb_compat_info
break;
case OCON_IBPKEY:
/* subnet_prefix is in CPU order */
prefixbuf[0] = cpu_to_be64(c->u.ibpkey.subnet_prefix);
prefixbuf[0] =
cpu_to_be64(c->u.ibpkey.subnet_prefix);
rc = put_entry(prefixbuf, sizeof(u64), 1, fp);
if (rc)
......@@ -3395,7 +3413,8 @@ static int ocontext_write(struct policydb *p, const struct policydb_compat_info
rc = put_entry(buf, sizeof(u32), 2, fp);
if (rc)
return rc;
rc = put_entry(c->u.ibendport.dev_name, 1, len, fp);
rc = put_entry(c->u.ibendport.dev_name, 1, len,
fp);
if (rc)
return rc;
rc = context_write(p, &c->context[0], fp);
......@@ -3521,7 +3540,8 @@ static int filename_write_helper_compat(void *key, void *data, void *ptr)
u32 bit, len = strlen(ft->name);
do {
ebitmap_for_each_positive_bit(&datum->stypes, node, bit) {
ebitmap_for_each_positive_bit(&datum->stypes, node, bit)
{
buf[0] = cpu_to_le32(len);
rc = put_entry(buf, sizeof(u32), 1, fp);
if (rc)
......@@ -3645,8 +3665,8 @@ int policydb_write(struct policydb *p, void *fp)
*/
if (p->policyvers < POLICYDB_VERSION_AVTAB) {
pr_err("SELinux: refusing to write policy version %d."
" Because it is less than version %d\n", p->policyvers,
POLICYDB_VERSION_AVTAB);
" Because it is less than version %d\n",
p->policyvers, POLICYDB_VERSION_AVTAB);
return -EINVAL;
}
......@@ -3674,7 +3694,8 @@ int policydb_write(struct policydb *p, void *fp)
info = policydb_lookup_compat(p->policyvers);
if (!info) {
pr_err("SELinux: compatibility lookup failed for policy "
"version %d\n", p->policyvers);
"version %d\n",
p->policyvers);
return -EINVAL;
}
......
......@@ -8,15 +8,13 @@
/*
* Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
*
* Support for enhanced MLS infrastructure.
* Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
*
* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
*
* Updated: Frank Mayer <mayerf@tresys.com> and
* Karl MacMillan <kmacmillan@tresys.com>
* Added conditional policy language extensions
*
* Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
* Copyright (C) 2003 - 2004 Tresys Technology, LLC
* Copyright (C) 2003-2004 Tresys Technology, LLC
*/
#ifndef _SS_POLICYDB_H_
......@@ -54,7 +52,7 @@ struct class_datum {
char *comkey; /* common name */
struct common_datum *comdatum; /* common datum */
struct symtab permissions; /* class-specific permission symbol table */
struct constraint_node *constraints; /* constraints on class permissions */
struct constraint_node *constraints; /* constraints on class perms */
struct constraint_node *validatetrans; /* special transition rules */
/* Options how a new object user, role, and type should be decided */
#define DEFAULT_SOURCE 1
......@@ -114,7 +112,7 @@ struct type_datum {
u32 value; /* internal type value */
u32 bounds; /* boundary of type */
unsigned char primary; /* primary name? */
unsigned char attribute;/* attribute ?*/
unsigned char attribute; /* attribute ?*/
};
/* User attributes */
......@@ -126,7 +124,6 @@ struct user_datum {
struct mls_level dfltlevel; /* default login MLS level for user */
};
/* Sensitivity attributes */
struct level_datum {
struct mls_level *level; /* sensitivity and associated categories */
......@@ -324,14 +321,14 @@ extern int policydb_role_isvalid(struct policydb *p, unsigned int role);
extern int policydb_read(struct policydb *p, void *fp);
extern int policydb_write(struct policydb *p, void *fp);
extern struct filename_trans_datum *policydb_filenametr_search(
struct policydb *p, struct filename_trans_key *key);
extern struct filename_trans_datum *
policydb_filenametr_search(struct policydb *p, struct filename_trans_key *key);
extern struct mls_range *policydb_rangetr_search(
struct policydb *p, struct range_trans *key);
extern struct mls_range *policydb_rangetr_search(struct policydb *p,
struct range_trans *key);
extern struct role_trans_datum *policydb_roletr_search(
struct policydb *p, struct role_trans_key *key);
extern struct role_trans_datum *
policydb_roletr_search(struct policydb *p, struct role_trans_key *key);
#define POLICYDB_CONFIG_MLS 1
......@@ -366,7 +363,8 @@ static inline int next_entry(void *buf, struct policy_file *fp, size_t bytes)
return 0;
}
static inline int put_entry(const void *buf, size_t bytes, size_t num, struct policy_file *fp)
static inline int put_entry(const void *buf, size_t bytes, size_t num,
struct policy_file *fp)
{
size_t len;
......@@ -382,7 +380,8 @@ static inline int put_entry(const void *buf, size_t bytes, size_t num, struct po
return 0;
}
static inline char *sym_name(struct policydb *p, unsigned int sym_num, unsigned int element_nr)
static inline char *sym_name(struct policydb *p, unsigned int sym_num,
unsigned int element_nr)
{
return p->sym_val_to_name[sym_num][element_nr];
}
......@@ -391,4 +390,3 @@ extern u16 string_to_security_class(struct policydb *p, const char *name);
extern u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name);
#endif /* _SS_POLICYDB_H_ */
......@@ -4,6 +4,7 @@
*
* Author : Stephen Smalley, <stephen.smalley.work@gmail.com>
*/
#ifndef _SS_SERVICES_H_
#define _SS_SERVICES_H_
......
......@@ -7,6 +7,7 @@
*
* Copyright (C) 2018 Red Hat, Inc.
*/
#include <linux/errno.h>
#include <linux/kernel.h>
#include <linux/list.h>
......@@ -140,9 +141,11 @@ int sidtab_hash_stats(struct sidtab *sidtab, char *page)
if (chain_len > max_chain_len)
max_chain_len = chain_len;
return scnprintf(page, PAGE_SIZE, "entries: %d\nbuckets used: %d/%d\n"
"longest chain: %d\n", entries,
slots_used, SIDTAB_HASH_BUCKETS, max_chain_len);
return scnprintf(page, PAGE_SIZE,
"entries: %d\nbuckets used: %d/%d\n"
"longest chain: %d\n",
entries, slots_used, SIDTAB_HASH_BUCKETS,
max_chain_len);
}
static u32 sidtab_level_from_count(u32 count)
......@@ -162,15 +165,15 @@ static int sidtab_alloc_roots(struct sidtab *s, u32 level)
u32 l;
if (!s->roots[0].ptr_leaf) {
s->roots[0].ptr_leaf = kzalloc(SIDTAB_NODE_ALLOC_SIZE,
GFP_ATOMIC);
s->roots[0].ptr_leaf =
kzalloc(SIDTAB_NODE_ALLOC_SIZE, GFP_ATOMIC);
if (!s->roots[0].ptr_leaf)
return -ENOMEM;
}
for (l = 1; l <= level; ++l)
if (!s->roots[l].ptr_inner) {
s->roots[l].ptr_inner = kzalloc(SIDTAB_NODE_ALLOC_SIZE,
GFP_ATOMIC);
s->roots[l].ptr_inner =
kzalloc(SIDTAB_NODE_ALLOC_SIZE, GFP_ATOMIC);
if (!s->roots[l].ptr_inner)
return -ENOMEM;
s->roots[l].ptr_inner->entries[0] = s->roots[l - 1];
......@@ -203,16 +206,16 @@ static struct sidtab_entry *sidtab_do_lookup(struct sidtab *s, u32 index,
if (!entry->ptr_inner) {
if (alloc)
entry->ptr_inner = kzalloc(SIDTAB_NODE_ALLOC_SIZE,
GFP_ATOMIC);
entry->ptr_inner = kzalloc(
SIDTAB_NODE_ALLOC_SIZE, GFP_ATOMIC);
if (!entry->ptr_inner)
return NULL;
}
}
if (!entry->ptr_leaf) {
if (alloc)
entry->ptr_leaf = kzalloc(SIDTAB_NODE_ALLOC_SIZE,
GFP_ATOMIC);
entry->ptr_leaf =
kzalloc(SIDTAB_NODE_ALLOC_SIZE, GFP_ATOMIC);
if (!entry->ptr_leaf)
return NULL;
}
......@@ -262,8 +265,7 @@ struct sidtab_entry *sidtab_search_entry_force(struct sidtab *s, u32 sid)
return sidtab_search_core(s, sid, 1);
}
int sidtab_context_to_sid(struct sidtab *s, struct context *context,
u32 *sid)
int sidtab_context_to_sid(struct sidtab *s, struct context *context, u32 *sid)
{
unsigned long flags;
u32 count, hash = context_compute_hash(context);
......@@ -327,8 +329,8 @@ int sidtab_context_to_sid(struct sidtab *s, struct context *context,
goto out_unlock;
}
rc = services_convert_context(convert->args,
context, &dst_convert->context,
rc = services_convert_context(convert->args, context,
&dst_convert->context,
GFP_ATOMIC);
if (rc) {
context_destroy(&dst->context);
......@@ -338,8 +340,8 @@ int sidtab_context_to_sid(struct sidtab *s, struct context *context,
dst_convert->hash = context_compute_hash(&dst_convert->context);
target->count = count + 1;
hash_add_rcu(target->context_to_sid,
&dst_convert->list, dst_convert->hash);
hash_add_rcu(target->context_to_sid, &dst_convert->list,
dst_convert->hash);
}
if (context->len)
......@@ -373,8 +375,8 @@ static void sidtab_convert_hashtable(struct sidtab *s, u32 count)
}
static int sidtab_convert_tree(union sidtab_entry_inner *edst,
union sidtab_entry_inner *esrc,
u32 *pos, u32 count, u32 level,
union sidtab_entry_inner *esrc, u32 *pos,
u32 count, u32 level,
struct sidtab_convert_params *convert)
{
int rc;
......@@ -382,8 +384,8 @@ static int sidtab_convert_tree(union sidtab_entry_inner *edst,
if (level != 0) {
if (!edst->ptr_inner) {
edst->ptr_inner = kzalloc(SIDTAB_NODE_ALLOC_SIZE,
GFP_KERNEL);
edst->ptr_inner =
kzalloc(SIDTAB_NODE_ALLOC_SIZE, GFP_KERNEL);
if (!edst->ptr_inner)
return -ENOMEM;
}
......@@ -399,14 +401,15 @@ static int sidtab_convert_tree(union sidtab_entry_inner *edst,
}
} else {
if (!edst->ptr_leaf) {
edst->ptr_leaf = kzalloc(SIDTAB_NODE_ALLOC_SIZE,
GFP_KERNEL);
edst->ptr_leaf =
kzalloc(SIDTAB_NODE_ALLOC_SIZE, GFP_KERNEL);
if (!edst->ptr_leaf)
return -ENOMEM;
}
i = 0;
while (i < SIDTAB_LEAF_ENTRIES && *pos < count) {
rc = services_convert_context(convert->args,
rc = services_convert_context(
convert->args,
&esrc->ptr_leaf->entries[i].context,
&edst->ptr_leaf->entries[i].context,
GFP_KERNEL);
......@@ -489,13 +492,15 @@ void sidtab_cancel_convert(struct sidtab *s)
spin_unlock_irqrestore(&s->lock, flags);
}
void sidtab_freeze_begin(struct sidtab *s, unsigned long *flags) __acquires(&s->lock)
void sidtab_freeze_begin(struct sidtab *s, unsigned long *flags)
__acquires(&s->lock)
{
spin_lock_irqsave(&s->lock, *flags);
s->frozen = true;
s->convert = NULL;
}
void sidtab_freeze_end(struct sidtab *s, unsigned long *flags) __releases(&s->lock)
void sidtab_freeze_end(struct sidtab *s, unsigned long *flags)
__releases(&s->lock)
{
spin_unlock_irqrestore(&s->lock, *flags);
}
......@@ -600,8 +605,8 @@ void sidtab_sid2str_put(struct sidtab *s, struct sidtab_entry *entry,
kfree_rcu(victim, rcu_member);
}
int sidtab_sid2str_get(struct sidtab *s, struct sidtab_entry *entry,
char **out, u32 *out_len)
int sidtab_sid2str_get(struct sidtab *s, struct sidtab_entry *entry, char **out,
u32 *out_len)
{
struct sidtab_str_cache *cache;
int rc = 0;
......
......@@ -8,6 +8,7 @@
*
* Copyright (C) 2018 Red Hat, Inc.
*/
#ifndef _SS_SIDTAB_H_
#define _SS_SIDTAB_H_
......@@ -36,10 +37,11 @@ union sidtab_entry_inner {
#define SIDTAB_NODE_ALLOC_SHIFT PAGE_SHIFT
#define SIDTAB_NODE_ALLOC_SIZE PAGE_SIZE
#define size_to_shift(size) ((size) == 1 ? 1 : (const_ilog2((size) - 1) + 1))
#define size_to_shift(size) ((size) == 1 ? 1 : (const_ilog2((size)-1) + 1))
#define SIDTAB_INNER_SHIFT \
(SIDTAB_NODE_ALLOC_SHIFT - size_to_shift(sizeof(union sidtab_entry_inner)))
(SIDTAB_NODE_ALLOC_SHIFT - \
size_to_shift(sizeof(union sidtab_entry_inner)))
#define SIDTAB_INNER_ENTRIES ((size_t)1 << SIDTAB_INNER_SHIFT)
#define SIDTAB_LEAF_ENTRIES \
(SIDTAB_NODE_ALLOC_SIZE / sizeof(struct sidtab_entry))
......@@ -125,8 +127,10 @@ int sidtab_convert(struct sidtab *s, struct sidtab_convert_params *params);
void sidtab_cancel_convert(struct sidtab *s);
void sidtab_freeze_begin(struct sidtab *s, unsigned long *flags) __acquires(&s->lock);
void sidtab_freeze_end(struct sidtab *s, unsigned long *flags) __releases(&s->lock);
void sidtab_freeze_begin(struct sidtab *s, unsigned long *flags)
__acquires(&s->lock);
void sidtab_freeze_end(struct sidtab *s, unsigned long *flags)
__releases(&s->lock);
int sidtab_context_to_sid(struct sidtab *s, struct context *context, u32 *sid);
......@@ -137,8 +141,8 @@ int sidtab_hash_stats(struct sidtab *sidtab, char *page);
#if CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE > 0
void sidtab_sid2str_put(struct sidtab *s, struct sidtab_entry *entry,
const char *str, u32 str_len);
int sidtab_sid2str_get(struct sidtab *s, struct sidtab_entry *entry,
char **out, u32 *out_len);
int sidtab_sid2str_get(struct sidtab *s, struct sidtab_entry *entry, char **out,
u32 *out_len);
#else
static inline void sidtab_sid2str_put(struct sidtab *s,
struct sidtab_entry *entry,
......@@ -146,13 +150,11 @@ static inline void sidtab_sid2str_put(struct sidtab *s,
{
}
static inline int sidtab_sid2str_get(struct sidtab *s,
struct sidtab_entry *entry,
char **out, u32 *out_len)
struct sidtab_entry *entry, char **out,
u32 *out_len)
{
return -ENOENT;
}
#endif /* CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE > 0 */
#endif /* _SS_SIDTAB_H_ */
......@@ -4,6 +4,7 @@
*
* Author : Stephen Smalley, <stephen.smalley.work@gmail.com>
*/
#include <linux/kernel.h>
#include <linux/string.h>
#include <linux/errno.h>
......@@ -19,7 +20,8 @@ static unsigned int symhash(const void *key)
keyp = key;
size = strlen(keyp);
for (p = keyp; (p - keyp) < size; p++)
val = (val << 4 | (val >> (8*sizeof(unsigned int)-4))) ^ (*p);
val = (val << 4 | (val >> (8 * sizeof(unsigned int) - 4))) ^
(*p);
return val;
}
......
......@@ -7,6 +7,7 @@
*
* Author : Stephen Smalley, <stephen.smalley.work@gmail.com>
*/
#ifndef _SS_SYMTAB_H_
#define _SS_SYMTAB_H_
......@@ -23,5 +24,3 @@ int symtab_insert(struct symtab *s, char *name, void *datum);
void *symtab_search(struct symtab *s, const char *name);
#endif /* _SS_SYMTAB_H_ */
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment