18c2ecf20Sopenharmony_ci// SPDX-License-Identifier: GPL-2.0-only 28c2ecf20Sopenharmony_ci/* Authors: Karl MacMillan <kmacmillan@tresys.com> 38c2ecf20Sopenharmony_ci * Frank Mayer <mayerf@tresys.com> 48c2ecf20Sopenharmony_ci * 58c2ecf20Sopenharmony_ci * Copyright (C) 2003 - 2004 Tresys Technology, LLC 68c2ecf20Sopenharmony_ci */ 78c2ecf20Sopenharmony_ci 88c2ecf20Sopenharmony_ci#include <linux/kernel.h> 98c2ecf20Sopenharmony_ci#include <linux/errno.h> 108c2ecf20Sopenharmony_ci#include <linux/string.h> 118c2ecf20Sopenharmony_ci#include <linux/spinlock.h> 128c2ecf20Sopenharmony_ci#include <linux/slab.h> 138c2ecf20Sopenharmony_ci 148c2ecf20Sopenharmony_ci#include "security.h" 158c2ecf20Sopenharmony_ci#include "conditional.h" 168c2ecf20Sopenharmony_ci#include "services.h" 178c2ecf20Sopenharmony_ci 188c2ecf20Sopenharmony_ci/* 198c2ecf20Sopenharmony_ci * cond_evaluate_expr evaluates a conditional expr 208c2ecf20Sopenharmony_ci * in reverse polish notation. It returns true (1), false (0), 218c2ecf20Sopenharmony_ci * or undefined (-1). Undefined occurs when the expression 228c2ecf20Sopenharmony_ci * exceeds the stack depth of COND_EXPR_MAXDEPTH. 238c2ecf20Sopenharmony_ci */ 248c2ecf20Sopenharmony_cistatic int cond_evaluate_expr(struct policydb *p, struct cond_expr *expr) 258c2ecf20Sopenharmony_ci{ 268c2ecf20Sopenharmony_ci u32 i; 278c2ecf20Sopenharmony_ci int s[COND_EXPR_MAXDEPTH]; 288c2ecf20Sopenharmony_ci int sp = -1; 298c2ecf20Sopenharmony_ci 308c2ecf20Sopenharmony_ci if (expr->len == 0) 318c2ecf20Sopenharmony_ci return -1; 328c2ecf20Sopenharmony_ci 338c2ecf20Sopenharmony_ci for (i = 0; i < expr->len; i++) { 348c2ecf20Sopenharmony_ci struct cond_expr_node *node = &expr->nodes[i]; 358c2ecf20Sopenharmony_ci 368c2ecf20Sopenharmony_ci switch (node->expr_type) { 378c2ecf20Sopenharmony_ci case COND_BOOL: 388c2ecf20Sopenharmony_ci if (sp == (COND_EXPR_MAXDEPTH - 1)) 398c2ecf20Sopenharmony_ci return -1; 408c2ecf20Sopenharmony_ci sp++; 418c2ecf20Sopenharmony_ci s[sp] = p->bool_val_to_struct[node->bool - 1]->state; 428c2ecf20Sopenharmony_ci break; 438c2ecf20Sopenharmony_ci case COND_NOT: 448c2ecf20Sopenharmony_ci if (sp < 0) 458c2ecf20Sopenharmony_ci return -1; 468c2ecf20Sopenharmony_ci s[sp] = !s[sp]; 478c2ecf20Sopenharmony_ci break; 488c2ecf20Sopenharmony_ci case COND_OR: 498c2ecf20Sopenharmony_ci if (sp < 1) 508c2ecf20Sopenharmony_ci return -1; 518c2ecf20Sopenharmony_ci sp--; 528c2ecf20Sopenharmony_ci s[sp] |= s[sp + 1]; 538c2ecf20Sopenharmony_ci break; 548c2ecf20Sopenharmony_ci case COND_AND: 558c2ecf20Sopenharmony_ci if (sp < 1) 568c2ecf20Sopenharmony_ci return -1; 578c2ecf20Sopenharmony_ci sp--; 588c2ecf20Sopenharmony_ci s[sp] &= s[sp + 1]; 598c2ecf20Sopenharmony_ci break; 608c2ecf20Sopenharmony_ci case COND_XOR: 618c2ecf20Sopenharmony_ci if (sp < 1) 628c2ecf20Sopenharmony_ci return -1; 638c2ecf20Sopenharmony_ci sp--; 648c2ecf20Sopenharmony_ci s[sp] ^= s[sp + 1]; 658c2ecf20Sopenharmony_ci break; 668c2ecf20Sopenharmony_ci case COND_EQ: 678c2ecf20Sopenharmony_ci if (sp < 1) 688c2ecf20Sopenharmony_ci return -1; 698c2ecf20Sopenharmony_ci sp--; 708c2ecf20Sopenharmony_ci s[sp] = (s[sp] == s[sp + 1]); 718c2ecf20Sopenharmony_ci break; 728c2ecf20Sopenharmony_ci case COND_NEQ: 738c2ecf20Sopenharmony_ci if (sp < 1) 748c2ecf20Sopenharmony_ci return -1; 758c2ecf20Sopenharmony_ci sp--; 768c2ecf20Sopenharmony_ci s[sp] = (s[sp] != s[sp + 1]); 778c2ecf20Sopenharmony_ci break; 788c2ecf20Sopenharmony_ci default: 798c2ecf20Sopenharmony_ci return -1; 808c2ecf20Sopenharmony_ci } 818c2ecf20Sopenharmony_ci } 828c2ecf20Sopenharmony_ci return s[0]; 838c2ecf20Sopenharmony_ci} 848c2ecf20Sopenharmony_ci 858c2ecf20Sopenharmony_ci/* 868c2ecf20Sopenharmony_ci * evaluate_cond_node evaluates the conditional stored in 878c2ecf20Sopenharmony_ci * a struct cond_node and if the result is different than the 888c2ecf20Sopenharmony_ci * current state of the node it sets the rules in the true/false 898c2ecf20Sopenharmony_ci * list appropriately. If the result of the expression is undefined 908c2ecf20Sopenharmony_ci * all of the rules are disabled for safety. 918c2ecf20Sopenharmony_ci */ 928c2ecf20Sopenharmony_cistatic void evaluate_cond_node(struct policydb *p, struct cond_node *node) 938c2ecf20Sopenharmony_ci{ 948c2ecf20Sopenharmony_ci struct avtab_node *avnode; 958c2ecf20Sopenharmony_ci int new_state; 968c2ecf20Sopenharmony_ci u32 i; 978c2ecf20Sopenharmony_ci 988c2ecf20Sopenharmony_ci new_state = cond_evaluate_expr(p, &node->expr); 998c2ecf20Sopenharmony_ci if (new_state != node->cur_state) { 1008c2ecf20Sopenharmony_ci node->cur_state = new_state; 1018c2ecf20Sopenharmony_ci if (new_state == -1) 1028c2ecf20Sopenharmony_ci pr_err("SELinux: expression result was undefined - disabling all rules.\n"); 1038c2ecf20Sopenharmony_ci /* turn the rules on or off */ 1048c2ecf20Sopenharmony_ci for (i = 0; i < node->true_list.len; i++) { 1058c2ecf20Sopenharmony_ci avnode = node->true_list.nodes[i]; 1068c2ecf20Sopenharmony_ci if (new_state <= 0) 1078c2ecf20Sopenharmony_ci avnode->key.specified &= ~AVTAB_ENABLED; 1088c2ecf20Sopenharmony_ci else 1098c2ecf20Sopenharmony_ci avnode->key.specified |= AVTAB_ENABLED; 1108c2ecf20Sopenharmony_ci } 1118c2ecf20Sopenharmony_ci 1128c2ecf20Sopenharmony_ci for (i = 0; i < node->false_list.len; i++) { 1138c2ecf20Sopenharmony_ci avnode = node->false_list.nodes[i]; 1148c2ecf20Sopenharmony_ci /* -1 or 1 */ 1158c2ecf20Sopenharmony_ci if (new_state) 1168c2ecf20Sopenharmony_ci avnode->key.specified &= ~AVTAB_ENABLED; 1178c2ecf20Sopenharmony_ci else 1188c2ecf20Sopenharmony_ci avnode->key.specified |= AVTAB_ENABLED; 1198c2ecf20Sopenharmony_ci } 1208c2ecf20Sopenharmony_ci } 1218c2ecf20Sopenharmony_ci} 1228c2ecf20Sopenharmony_ci 1238c2ecf20Sopenharmony_civoid evaluate_cond_nodes(struct policydb *p) 1248c2ecf20Sopenharmony_ci{ 1258c2ecf20Sopenharmony_ci u32 i; 1268c2ecf20Sopenharmony_ci 1278c2ecf20Sopenharmony_ci for (i = 0; i < p->cond_list_len; i++) 1288c2ecf20Sopenharmony_ci evaluate_cond_node(p, &p->cond_list[i]); 1298c2ecf20Sopenharmony_ci} 1308c2ecf20Sopenharmony_ci 1318c2ecf20Sopenharmony_civoid cond_policydb_init(struct policydb *p) 1328c2ecf20Sopenharmony_ci{ 1338c2ecf20Sopenharmony_ci p->bool_val_to_struct = NULL; 1348c2ecf20Sopenharmony_ci p->cond_list = NULL; 1358c2ecf20Sopenharmony_ci p->cond_list_len = 0; 1368c2ecf20Sopenharmony_ci 1378c2ecf20Sopenharmony_ci avtab_init(&p->te_cond_avtab); 1388c2ecf20Sopenharmony_ci} 1398c2ecf20Sopenharmony_ci 1408c2ecf20Sopenharmony_cistatic void cond_node_destroy(struct cond_node *node) 1418c2ecf20Sopenharmony_ci{ 1428c2ecf20Sopenharmony_ci kfree(node->expr.nodes); 1438c2ecf20Sopenharmony_ci /* the avtab_ptr_t nodes are destroyed by the avtab */ 1448c2ecf20Sopenharmony_ci kfree(node->true_list.nodes); 1458c2ecf20Sopenharmony_ci kfree(node->false_list.nodes); 1468c2ecf20Sopenharmony_ci} 1478c2ecf20Sopenharmony_ci 1488c2ecf20Sopenharmony_cistatic void cond_list_destroy(struct policydb *p) 1498c2ecf20Sopenharmony_ci{ 1508c2ecf20Sopenharmony_ci u32 i; 1518c2ecf20Sopenharmony_ci 1528c2ecf20Sopenharmony_ci for (i = 0; i < p->cond_list_len; i++) 1538c2ecf20Sopenharmony_ci cond_node_destroy(&p->cond_list[i]); 1548c2ecf20Sopenharmony_ci kfree(p->cond_list); 1558c2ecf20Sopenharmony_ci p->cond_list = NULL; 1568c2ecf20Sopenharmony_ci p->cond_list_len = 0; 1578c2ecf20Sopenharmony_ci} 1588c2ecf20Sopenharmony_ci 1598c2ecf20Sopenharmony_civoid cond_policydb_destroy(struct policydb *p) 1608c2ecf20Sopenharmony_ci{ 1618c2ecf20Sopenharmony_ci kfree(p->bool_val_to_struct); 1628c2ecf20Sopenharmony_ci avtab_destroy(&p->te_cond_avtab); 1638c2ecf20Sopenharmony_ci cond_list_destroy(p); 1648c2ecf20Sopenharmony_ci} 1658c2ecf20Sopenharmony_ci 1668c2ecf20Sopenharmony_ciint cond_init_bool_indexes(struct policydb *p) 1678c2ecf20Sopenharmony_ci{ 1688c2ecf20Sopenharmony_ci kfree(p->bool_val_to_struct); 1698c2ecf20Sopenharmony_ci p->bool_val_to_struct = kmalloc_array(p->p_bools.nprim, 1708c2ecf20Sopenharmony_ci sizeof(*p->bool_val_to_struct), 1718c2ecf20Sopenharmony_ci GFP_KERNEL); 1728c2ecf20Sopenharmony_ci if (!p->bool_val_to_struct) 1738c2ecf20Sopenharmony_ci return -ENOMEM; 1748c2ecf20Sopenharmony_ci return 0; 1758c2ecf20Sopenharmony_ci} 1768c2ecf20Sopenharmony_ci 1778c2ecf20Sopenharmony_ciint cond_destroy_bool(void *key, void *datum, void *p) 1788c2ecf20Sopenharmony_ci{ 1798c2ecf20Sopenharmony_ci kfree(key); 1808c2ecf20Sopenharmony_ci kfree(datum); 1818c2ecf20Sopenharmony_ci return 0; 1828c2ecf20Sopenharmony_ci} 1838c2ecf20Sopenharmony_ci 1848c2ecf20Sopenharmony_ciint cond_index_bool(void *key, void *datum, void *datap) 1858c2ecf20Sopenharmony_ci{ 1868c2ecf20Sopenharmony_ci struct policydb *p; 1878c2ecf20Sopenharmony_ci struct cond_bool_datum *booldatum; 1888c2ecf20Sopenharmony_ci 1898c2ecf20Sopenharmony_ci booldatum = datum; 1908c2ecf20Sopenharmony_ci p = datap; 1918c2ecf20Sopenharmony_ci 1928c2ecf20Sopenharmony_ci if (!booldatum->value || booldatum->value > p->p_bools.nprim) 1938c2ecf20Sopenharmony_ci return -EINVAL; 1948c2ecf20Sopenharmony_ci 1958c2ecf20Sopenharmony_ci p->sym_val_to_name[SYM_BOOLS][booldatum->value - 1] = key; 1968c2ecf20Sopenharmony_ci p->bool_val_to_struct[booldatum->value - 1] = booldatum; 1978c2ecf20Sopenharmony_ci 1988c2ecf20Sopenharmony_ci return 0; 1998c2ecf20Sopenharmony_ci} 2008c2ecf20Sopenharmony_ci 2018c2ecf20Sopenharmony_cistatic int bool_isvalid(struct cond_bool_datum *b) 2028c2ecf20Sopenharmony_ci{ 2038c2ecf20Sopenharmony_ci if (!(b->state == 0 || b->state == 1)) 2048c2ecf20Sopenharmony_ci return 0; 2058c2ecf20Sopenharmony_ci return 1; 2068c2ecf20Sopenharmony_ci} 2078c2ecf20Sopenharmony_ci 2088c2ecf20Sopenharmony_ciint cond_read_bool(struct policydb *p, struct symtab *s, void *fp) 2098c2ecf20Sopenharmony_ci{ 2108c2ecf20Sopenharmony_ci char *key = NULL; 2118c2ecf20Sopenharmony_ci struct cond_bool_datum *booldatum; 2128c2ecf20Sopenharmony_ci __le32 buf[3]; 2138c2ecf20Sopenharmony_ci u32 len; 2148c2ecf20Sopenharmony_ci int rc; 2158c2ecf20Sopenharmony_ci 2168c2ecf20Sopenharmony_ci booldatum = kzalloc(sizeof(*booldatum), GFP_KERNEL); 2178c2ecf20Sopenharmony_ci if (!booldatum) 2188c2ecf20Sopenharmony_ci return -ENOMEM; 2198c2ecf20Sopenharmony_ci 2208c2ecf20Sopenharmony_ci rc = next_entry(buf, fp, sizeof(buf)); 2218c2ecf20Sopenharmony_ci if (rc) 2228c2ecf20Sopenharmony_ci goto err; 2238c2ecf20Sopenharmony_ci 2248c2ecf20Sopenharmony_ci booldatum->value = le32_to_cpu(buf[0]); 2258c2ecf20Sopenharmony_ci booldatum->state = le32_to_cpu(buf[1]); 2268c2ecf20Sopenharmony_ci 2278c2ecf20Sopenharmony_ci rc = -EINVAL; 2288c2ecf20Sopenharmony_ci if (!bool_isvalid(booldatum)) 2298c2ecf20Sopenharmony_ci goto err; 2308c2ecf20Sopenharmony_ci 2318c2ecf20Sopenharmony_ci len = le32_to_cpu(buf[2]); 2328c2ecf20Sopenharmony_ci if (((len == 0) || (len == (u32)-1))) 2338c2ecf20Sopenharmony_ci goto err; 2348c2ecf20Sopenharmony_ci 2358c2ecf20Sopenharmony_ci rc = -ENOMEM; 2368c2ecf20Sopenharmony_ci key = kmalloc(len + 1, GFP_KERNEL); 2378c2ecf20Sopenharmony_ci if (!key) 2388c2ecf20Sopenharmony_ci goto err; 2398c2ecf20Sopenharmony_ci rc = next_entry(key, fp, len); 2408c2ecf20Sopenharmony_ci if (rc) 2418c2ecf20Sopenharmony_ci goto err; 2428c2ecf20Sopenharmony_ci key[len] = '\0'; 2438c2ecf20Sopenharmony_ci rc = symtab_insert(s, key, booldatum); 2448c2ecf20Sopenharmony_ci if (rc) 2458c2ecf20Sopenharmony_ci goto err; 2468c2ecf20Sopenharmony_ci 2478c2ecf20Sopenharmony_ci return 0; 2488c2ecf20Sopenharmony_cierr: 2498c2ecf20Sopenharmony_ci cond_destroy_bool(key, booldatum, NULL); 2508c2ecf20Sopenharmony_ci return rc; 2518c2ecf20Sopenharmony_ci} 2528c2ecf20Sopenharmony_ci 2538c2ecf20Sopenharmony_cistruct cond_insertf_data { 2548c2ecf20Sopenharmony_ci struct policydb *p; 2558c2ecf20Sopenharmony_ci struct avtab_node **dst; 2568c2ecf20Sopenharmony_ci struct cond_av_list *other; 2578c2ecf20Sopenharmony_ci}; 2588c2ecf20Sopenharmony_ci 2598c2ecf20Sopenharmony_cistatic int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum *d, void *ptr) 2608c2ecf20Sopenharmony_ci{ 2618c2ecf20Sopenharmony_ci struct cond_insertf_data *data = ptr; 2628c2ecf20Sopenharmony_ci struct policydb *p = data->p; 2638c2ecf20Sopenharmony_ci struct cond_av_list *other = data->other; 2648c2ecf20Sopenharmony_ci struct avtab_node *node_ptr; 2658c2ecf20Sopenharmony_ci u32 i; 2668c2ecf20Sopenharmony_ci bool found; 2678c2ecf20Sopenharmony_ci 2688c2ecf20Sopenharmony_ci /* 2698c2ecf20Sopenharmony_ci * For type rules we have to make certain there aren't any 2708c2ecf20Sopenharmony_ci * conflicting rules by searching the te_avtab and the 2718c2ecf20Sopenharmony_ci * cond_te_avtab. 2728c2ecf20Sopenharmony_ci */ 2738c2ecf20Sopenharmony_ci if (k->specified & AVTAB_TYPE) { 2748c2ecf20Sopenharmony_ci if (avtab_search(&p->te_avtab, k)) { 2758c2ecf20Sopenharmony_ci pr_err("SELinux: type rule already exists outside of a conditional.\n"); 2768c2ecf20Sopenharmony_ci return -EINVAL; 2778c2ecf20Sopenharmony_ci } 2788c2ecf20Sopenharmony_ci /* 2798c2ecf20Sopenharmony_ci * If we are reading the false list other will be a pointer to 2808c2ecf20Sopenharmony_ci * the true list. We can have duplicate entries if there is only 2818c2ecf20Sopenharmony_ci * 1 other entry and it is in our true list. 2828c2ecf20Sopenharmony_ci * 2838c2ecf20Sopenharmony_ci * If we are reading the true list (other == NULL) there shouldn't 2848c2ecf20Sopenharmony_ci * be any other entries. 2858c2ecf20Sopenharmony_ci */ 2868c2ecf20Sopenharmony_ci if (other) { 2878c2ecf20Sopenharmony_ci node_ptr = avtab_search_node(&p->te_cond_avtab, k); 2888c2ecf20Sopenharmony_ci if (node_ptr) { 2898c2ecf20Sopenharmony_ci if (avtab_search_node_next(node_ptr, k->specified)) { 2908c2ecf20Sopenharmony_ci pr_err("SELinux: too many conflicting type rules.\n"); 2918c2ecf20Sopenharmony_ci return -EINVAL; 2928c2ecf20Sopenharmony_ci } 2938c2ecf20Sopenharmony_ci found = false; 2948c2ecf20Sopenharmony_ci for (i = 0; i < other->len; i++) { 2958c2ecf20Sopenharmony_ci if (other->nodes[i] == node_ptr) { 2968c2ecf20Sopenharmony_ci found = true; 2978c2ecf20Sopenharmony_ci break; 2988c2ecf20Sopenharmony_ci } 2998c2ecf20Sopenharmony_ci } 3008c2ecf20Sopenharmony_ci if (!found) { 3018c2ecf20Sopenharmony_ci pr_err("SELinux: conflicting type rules.\n"); 3028c2ecf20Sopenharmony_ci return -EINVAL; 3038c2ecf20Sopenharmony_ci } 3048c2ecf20Sopenharmony_ci } 3058c2ecf20Sopenharmony_ci } else { 3068c2ecf20Sopenharmony_ci if (avtab_search(&p->te_cond_avtab, k)) { 3078c2ecf20Sopenharmony_ci pr_err("SELinux: conflicting type rules when adding type rule for true.\n"); 3088c2ecf20Sopenharmony_ci return -EINVAL; 3098c2ecf20Sopenharmony_ci } 3108c2ecf20Sopenharmony_ci } 3118c2ecf20Sopenharmony_ci } 3128c2ecf20Sopenharmony_ci 3138c2ecf20Sopenharmony_ci node_ptr = avtab_insert_nonunique(&p->te_cond_avtab, k, d); 3148c2ecf20Sopenharmony_ci if (!node_ptr) { 3158c2ecf20Sopenharmony_ci pr_err("SELinux: could not insert rule.\n"); 3168c2ecf20Sopenharmony_ci return -ENOMEM; 3178c2ecf20Sopenharmony_ci } 3188c2ecf20Sopenharmony_ci 3198c2ecf20Sopenharmony_ci *data->dst = node_ptr; 3208c2ecf20Sopenharmony_ci return 0; 3218c2ecf20Sopenharmony_ci} 3228c2ecf20Sopenharmony_ci 3238c2ecf20Sopenharmony_cistatic int cond_read_av_list(struct policydb *p, void *fp, 3248c2ecf20Sopenharmony_ci struct cond_av_list *list, 3258c2ecf20Sopenharmony_ci struct cond_av_list *other) 3268c2ecf20Sopenharmony_ci{ 3278c2ecf20Sopenharmony_ci int rc; 3288c2ecf20Sopenharmony_ci __le32 buf[1]; 3298c2ecf20Sopenharmony_ci u32 i, len; 3308c2ecf20Sopenharmony_ci struct cond_insertf_data data; 3318c2ecf20Sopenharmony_ci 3328c2ecf20Sopenharmony_ci rc = next_entry(buf, fp, sizeof(u32)); 3338c2ecf20Sopenharmony_ci if (rc) 3348c2ecf20Sopenharmony_ci return rc; 3358c2ecf20Sopenharmony_ci 3368c2ecf20Sopenharmony_ci len = le32_to_cpu(buf[0]); 3378c2ecf20Sopenharmony_ci if (len == 0) 3388c2ecf20Sopenharmony_ci return 0; 3398c2ecf20Sopenharmony_ci 3408c2ecf20Sopenharmony_ci list->nodes = kcalloc(len, sizeof(*list->nodes), GFP_KERNEL); 3418c2ecf20Sopenharmony_ci if (!list->nodes) 3428c2ecf20Sopenharmony_ci return -ENOMEM; 3438c2ecf20Sopenharmony_ci 3448c2ecf20Sopenharmony_ci data.p = p; 3458c2ecf20Sopenharmony_ci data.other = other; 3468c2ecf20Sopenharmony_ci for (i = 0; i < len; i++) { 3478c2ecf20Sopenharmony_ci data.dst = &list->nodes[i]; 3488c2ecf20Sopenharmony_ci rc = avtab_read_item(&p->te_cond_avtab, fp, p, cond_insertf, 3498c2ecf20Sopenharmony_ci &data); 3508c2ecf20Sopenharmony_ci if (rc) { 3518c2ecf20Sopenharmony_ci kfree(list->nodes); 3528c2ecf20Sopenharmony_ci list->nodes = NULL; 3538c2ecf20Sopenharmony_ci return rc; 3548c2ecf20Sopenharmony_ci } 3558c2ecf20Sopenharmony_ci } 3568c2ecf20Sopenharmony_ci 3578c2ecf20Sopenharmony_ci list->len = len; 3588c2ecf20Sopenharmony_ci return 0; 3598c2ecf20Sopenharmony_ci} 3608c2ecf20Sopenharmony_ci 3618c2ecf20Sopenharmony_cistatic int expr_node_isvalid(struct policydb *p, struct cond_expr_node *expr) 3628c2ecf20Sopenharmony_ci{ 3638c2ecf20Sopenharmony_ci if (expr->expr_type <= 0 || expr->expr_type > COND_LAST) { 3648c2ecf20Sopenharmony_ci pr_err("SELinux: conditional expressions uses unknown operator.\n"); 3658c2ecf20Sopenharmony_ci return 0; 3668c2ecf20Sopenharmony_ci } 3678c2ecf20Sopenharmony_ci 3688c2ecf20Sopenharmony_ci if (expr->bool > p->p_bools.nprim) { 3698c2ecf20Sopenharmony_ci pr_err("SELinux: conditional expressions uses unknown bool.\n"); 3708c2ecf20Sopenharmony_ci return 0; 3718c2ecf20Sopenharmony_ci } 3728c2ecf20Sopenharmony_ci return 1; 3738c2ecf20Sopenharmony_ci} 3748c2ecf20Sopenharmony_ci 3758c2ecf20Sopenharmony_cistatic int cond_read_node(struct policydb *p, struct cond_node *node, void *fp) 3768c2ecf20Sopenharmony_ci{ 3778c2ecf20Sopenharmony_ci __le32 buf[2]; 3788c2ecf20Sopenharmony_ci u32 i, len; 3798c2ecf20Sopenharmony_ci int rc; 3808c2ecf20Sopenharmony_ci 3818c2ecf20Sopenharmony_ci rc = next_entry(buf, fp, sizeof(u32) * 2); 3828c2ecf20Sopenharmony_ci if (rc) 3838c2ecf20Sopenharmony_ci return rc; 3848c2ecf20Sopenharmony_ci 3858c2ecf20Sopenharmony_ci node->cur_state = le32_to_cpu(buf[0]); 3868c2ecf20Sopenharmony_ci 3878c2ecf20Sopenharmony_ci /* expr */ 3888c2ecf20Sopenharmony_ci len = le32_to_cpu(buf[1]); 3898c2ecf20Sopenharmony_ci node->expr.nodes = kcalloc(len, sizeof(*node->expr.nodes), GFP_KERNEL); 3908c2ecf20Sopenharmony_ci if (!node->expr.nodes) 3918c2ecf20Sopenharmony_ci return -ENOMEM; 3928c2ecf20Sopenharmony_ci 3938c2ecf20Sopenharmony_ci node->expr.len = len; 3948c2ecf20Sopenharmony_ci 3958c2ecf20Sopenharmony_ci for (i = 0; i < len; i++) { 3968c2ecf20Sopenharmony_ci struct cond_expr_node *expr = &node->expr.nodes[i]; 3978c2ecf20Sopenharmony_ci 3988c2ecf20Sopenharmony_ci rc = next_entry(buf, fp, sizeof(u32) * 2); 3998c2ecf20Sopenharmony_ci if (rc) 4008c2ecf20Sopenharmony_ci return rc; 4018c2ecf20Sopenharmony_ci 4028c2ecf20Sopenharmony_ci expr->expr_type = le32_to_cpu(buf[0]); 4038c2ecf20Sopenharmony_ci expr->bool = le32_to_cpu(buf[1]); 4048c2ecf20Sopenharmony_ci 4058c2ecf20Sopenharmony_ci if (!expr_node_isvalid(p, expr)) 4068c2ecf20Sopenharmony_ci return -EINVAL; 4078c2ecf20Sopenharmony_ci } 4088c2ecf20Sopenharmony_ci 4098c2ecf20Sopenharmony_ci rc = cond_read_av_list(p, fp, &node->true_list, NULL); 4108c2ecf20Sopenharmony_ci if (rc) 4118c2ecf20Sopenharmony_ci return rc; 4128c2ecf20Sopenharmony_ci return cond_read_av_list(p, fp, &node->false_list, &node->true_list); 4138c2ecf20Sopenharmony_ci} 4148c2ecf20Sopenharmony_ci 4158c2ecf20Sopenharmony_ciint cond_read_list(struct policydb *p, void *fp) 4168c2ecf20Sopenharmony_ci{ 4178c2ecf20Sopenharmony_ci __le32 buf[1]; 4188c2ecf20Sopenharmony_ci u32 i, len; 4198c2ecf20Sopenharmony_ci int rc; 4208c2ecf20Sopenharmony_ci 4218c2ecf20Sopenharmony_ci rc = next_entry(buf, fp, sizeof(buf)); 4228c2ecf20Sopenharmony_ci if (rc) 4238c2ecf20Sopenharmony_ci return rc; 4248c2ecf20Sopenharmony_ci 4258c2ecf20Sopenharmony_ci len = le32_to_cpu(buf[0]); 4268c2ecf20Sopenharmony_ci 4278c2ecf20Sopenharmony_ci p->cond_list = kcalloc(len, sizeof(*p->cond_list), GFP_KERNEL); 4288c2ecf20Sopenharmony_ci if (!p->cond_list) 4298c2ecf20Sopenharmony_ci return -ENOMEM; 4308c2ecf20Sopenharmony_ci 4318c2ecf20Sopenharmony_ci rc = avtab_alloc(&(p->te_cond_avtab), p->te_avtab.nel); 4328c2ecf20Sopenharmony_ci if (rc) 4338c2ecf20Sopenharmony_ci goto err; 4348c2ecf20Sopenharmony_ci 4358c2ecf20Sopenharmony_ci p->cond_list_len = len; 4368c2ecf20Sopenharmony_ci 4378c2ecf20Sopenharmony_ci for (i = 0; i < len; i++) { 4388c2ecf20Sopenharmony_ci rc = cond_read_node(p, &p->cond_list[i], fp); 4398c2ecf20Sopenharmony_ci if (rc) 4408c2ecf20Sopenharmony_ci goto err; 4418c2ecf20Sopenharmony_ci } 4428c2ecf20Sopenharmony_ci return 0; 4438c2ecf20Sopenharmony_cierr: 4448c2ecf20Sopenharmony_ci cond_list_destroy(p); 4458c2ecf20Sopenharmony_ci return rc; 4468c2ecf20Sopenharmony_ci} 4478c2ecf20Sopenharmony_ci 4488c2ecf20Sopenharmony_ciint cond_write_bool(void *vkey, void *datum, void *ptr) 4498c2ecf20Sopenharmony_ci{ 4508c2ecf20Sopenharmony_ci char *key = vkey; 4518c2ecf20Sopenharmony_ci struct cond_bool_datum *booldatum = datum; 4528c2ecf20Sopenharmony_ci struct policy_data *pd = ptr; 4538c2ecf20Sopenharmony_ci void *fp = pd->fp; 4548c2ecf20Sopenharmony_ci __le32 buf[3]; 4558c2ecf20Sopenharmony_ci u32 len; 4568c2ecf20Sopenharmony_ci int rc; 4578c2ecf20Sopenharmony_ci 4588c2ecf20Sopenharmony_ci len = strlen(key); 4598c2ecf20Sopenharmony_ci buf[0] = cpu_to_le32(booldatum->value); 4608c2ecf20Sopenharmony_ci buf[1] = cpu_to_le32(booldatum->state); 4618c2ecf20Sopenharmony_ci buf[2] = cpu_to_le32(len); 4628c2ecf20Sopenharmony_ci rc = put_entry(buf, sizeof(u32), 3, fp); 4638c2ecf20Sopenharmony_ci if (rc) 4648c2ecf20Sopenharmony_ci return rc; 4658c2ecf20Sopenharmony_ci rc = put_entry(key, 1, len, fp); 4668c2ecf20Sopenharmony_ci if (rc) 4678c2ecf20Sopenharmony_ci return rc; 4688c2ecf20Sopenharmony_ci return 0; 4698c2ecf20Sopenharmony_ci} 4708c2ecf20Sopenharmony_ci 4718c2ecf20Sopenharmony_ci/* 4728c2ecf20Sopenharmony_ci * cond_write_cond_av_list doesn't write out the av_list nodes. 4738c2ecf20Sopenharmony_ci * Instead it writes out the key/value pairs from the avtab. This 4748c2ecf20Sopenharmony_ci * is necessary because there is no way to uniquely identifying rules 4758c2ecf20Sopenharmony_ci * in the avtab so it is not possible to associate individual rules 4768c2ecf20Sopenharmony_ci * in the avtab with a conditional without saving them as part of 4778c2ecf20Sopenharmony_ci * the conditional. This means that the avtab with the conditional 4788c2ecf20Sopenharmony_ci * rules will not be saved but will be rebuilt on policy load. 4798c2ecf20Sopenharmony_ci */ 4808c2ecf20Sopenharmony_cistatic int cond_write_av_list(struct policydb *p, 4818c2ecf20Sopenharmony_ci struct cond_av_list *list, struct policy_file *fp) 4828c2ecf20Sopenharmony_ci{ 4838c2ecf20Sopenharmony_ci __le32 buf[1]; 4848c2ecf20Sopenharmony_ci u32 i; 4858c2ecf20Sopenharmony_ci int rc; 4868c2ecf20Sopenharmony_ci 4878c2ecf20Sopenharmony_ci buf[0] = cpu_to_le32(list->len); 4888c2ecf20Sopenharmony_ci rc = put_entry(buf, sizeof(u32), 1, fp); 4898c2ecf20Sopenharmony_ci if (rc) 4908c2ecf20Sopenharmony_ci return rc; 4918c2ecf20Sopenharmony_ci 4928c2ecf20Sopenharmony_ci for (i = 0; i < list->len; i++) { 4938c2ecf20Sopenharmony_ci rc = avtab_write_item(p, list->nodes[i], fp); 4948c2ecf20Sopenharmony_ci if (rc) 4958c2ecf20Sopenharmony_ci return rc; 4968c2ecf20Sopenharmony_ci } 4978c2ecf20Sopenharmony_ci 4988c2ecf20Sopenharmony_ci return 0; 4998c2ecf20Sopenharmony_ci} 5008c2ecf20Sopenharmony_ci 5018c2ecf20Sopenharmony_cistatic int cond_write_node(struct policydb *p, struct cond_node *node, 5028c2ecf20Sopenharmony_ci struct policy_file *fp) 5038c2ecf20Sopenharmony_ci{ 5048c2ecf20Sopenharmony_ci __le32 buf[2]; 5058c2ecf20Sopenharmony_ci int rc; 5068c2ecf20Sopenharmony_ci u32 i; 5078c2ecf20Sopenharmony_ci 5088c2ecf20Sopenharmony_ci buf[0] = cpu_to_le32(node->cur_state); 5098c2ecf20Sopenharmony_ci rc = put_entry(buf, sizeof(u32), 1, fp); 5108c2ecf20Sopenharmony_ci if (rc) 5118c2ecf20Sopenharmony_ci return rc; 5128c2ecf20Sopenharmony_ci 5138c2ecf20Sopenharmony_ci buf[0] = cpu_to_le32(node->expr.len); 5148c2ecf20Sopenharmony_ci rc = put_entry(buf, sizeof(u32), 1, fp); 5158c2ecf20Sopenharmony_ci if (rc) 5168c2ecf20Sopenharmony_ci return rc; 5178c2ecf20Sopenharmony_ci 5188c2ecf20Sopenharmony_ci for (i = 0; i < node->expr.len; i++) { 5198c2ecf20Sopenharmony_ci buf[0] = cpu_to_le32(node->expr.nodes[i].expr_type); 5208c2ecf20Sopenharmony_ci buf[1] = cpu_to_le32(node->expr.nodes[i].bool); 5218c2ecf20Sopenharmony_ci rc = put_entry(buf, sizeof(u32), 2, fp); 5228c2ecf20Sopenharmony_ci if (rc) 5238c2ecf20Sopenharmony_ci return rc; 5248c2ecf20Sopenharmony_ci } 5258c2ecf20Sopenharmony_ci 5268c2ecf20Sopenharmony_ci rc = cond_write_av_list(p, &node->true_list, fp); 5278c2ecf20Sopenharmony_ci if (rc) 5288c2ecf20Sopenharmony_ci return rc; 5298c2ecf20Sopenharmony_ci rc = cond_write_av_list(p, &node->false_list, fp); 5308c2ecf20Sopenharmony_ci if (rc) 5318c2ecf20Sopenharmony_ci return rc; 5328c2ecf20Sopenharmony_ci 5338c2ecf20Sopenharmony_ci return 0; 5348c2ecf20Sopenharmony_ci} 5358c2ecf20Sopenharmony_ci 5368c2ecf20Sopenharmony_ciint cond_write_list(struct policydb *p, void *fp) 5378c2ecf20Sopenharmony_ci{ 5388c2ecf20Sopenharmony_ci u32 i; 5398c2ecf20Sopenharmony_ci __le32 buf[1]; 5408c2ecf20Sopenharmony_ci int rc; 5418c2ecf20Sopenharmony_ci 5428c2ecf20Sopenharmony_ci buf[0] = cpu_to_le32(p->cond_list_len); 5438c2ecf20Sopenharmony_ci rc = put_entry(buf, sizeof(u32), 1, fp); 5448c2ecf20Sopenharmony_ci if (rc) 5458c2ecf20Sopenharmony_ci return rc; 5468c2ecf20Sopenharmony_ci 5478c2ecf20Sopenharmony_ci for (i = 0; i < p->cond_list_len; i++) { 5488c2ecf20Sopenharmony_ci rc = cond_write_node(p, &p->cond_list[i], fp); 5498c2ecf20Sopenharmony_ci if (rc) 5508c2ecf20Sopenharmony_ci return rc; 5518c2ecf20Sopenharmony_ci } 5528c2ecf20Sopenharmony_ci 5538c2ecf20Sopenharmony_ci return 0; 5548c2ecf20Sopenharmony_ci} 5558c2ecf20Sopenharmony_ci 5568c2ecf20Sopenharmony_civoid cond_compute_xperms(struct avtab *ctab, struct avtab_key *key, 5578c2ecf20Sopenharmony_ci struct extended_perms_decision *xpermd) 5588c2ecf20Sopenharmony_ci{ 5598c2ecf20Sopenharmony_ci struct avtab_node *node; 5608c2ecf20Sopenharmony_ci 5618c2ecf20Sopenharmony_ci if (!ctab || !key || !xpermd) 5628c2ecf20Sopenharmony_ci return; 5638c2ecf20Sopenharmony_ci 5648c2ecf20Sopenharmony_ci for (node = avtab_search_node(ctab, key); node; 5658c2ecf20Sopenharmony_ci node = avtab_search_node_next(node, key->specified)) { 5668c2ecf20Sopenharmony_ci if (node->key.specified & AVTAB_ENABLED) 5678c2ecf20Sopenharmony_ci services_compute_xperms_decision(xpermd, node); 5688c2ecf20Sopenharmony_ci } 5698c2ecf20Sopenharmony_ci return; 5708c2ecf20Sopenharmony_ci 5718c2ecf20Sopenharmony_ci} 5728c2ecf20Sopenharmony_ci/* Determine whether additional permissions are granted by the conditional 5738c2ecf20Sopenharmony_ci * av table, and if so, add them to the result 5748c2ecf20Sopenharmony_ci */ 5758c2ecf20Sopenharmony_civoid cond_compute_av(struct avtab *ctab, struct avtab_key *key, 5768c2ecf20Sopenharmony_ci struct av_decision *avd, struct extended_perms *xperms) 5778c2ecf20Sopenharmony_ci{ 5788c2ecf20Sopenharmony_ci struct avtab_node *node; 5798c2ecf20Sopenharmony_ci 5808c2ecf20Sopenharmony_ci if (!ctab || !key || !avd) 5818c2ecf20Sopenharmony_ci return; 5828c2ecf20Sopenharmony_ci 5838c2ecf20Sopenharmony_ci for (node = avtab_search_node(ctab, key); node; 5848c2ecf20Sopenharmony_ci node = avtab_search_node_next(node, key->specified)) { 5858c2ecf20Sopenharmony_ci if ((u16)(AVTAB_ALLOWED|AVTAB_ENABLED) == 5868c2ecf20Sopenharmony_ci (node->key.specified & (AVTAB_ALLOWED|AVTAB_ENABLED))) 5878c2ecf20Sopenharmony_ci avd->allowed |= node->datum.u.data; 5888c2ecf20Sopenharmony_ci if ((u16)(AVTAB_AUDITDENY|AVTAB_ENABLED) == 5898c2ecf20Sopenharmony_ci (node->key.specified & (AVTAB_AUDITDENY|AVTAB_ENABLED))) 5908c2ecf20Sopenharmony_ci /* Since a '0' in an auditdeny mask represents a 5918c2ecf20Sopenharmony_ci * permission we do NOT want to audit (dontaudit), we use 5928c2ecf20Sopenharmony_ci * the '&' operand to ensure that all '0's in the mask 5938c2ecf20Sopenharmony_ci * are retained (much unlike the allow and auditallow cases). 5948c2ecf20Sopenharmony_ci */ 5958c2ecf20Sopenharmony_ci avd->auditdeny &= node->datum.u.data; 5968c2ecf20Sopenharmony_ci if ((u16)(AVTAB_AUDITALLOW|AVTAB_ENABLED) == 5978c2ecf20Sopenharmony_ci (node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED))) 5988c2ecf20Sopenharmony_ci avd->auditallow |= node->datum.u.data; 5998c2ecf20Sopenharmony_ci if (xperms && (node->key.specified & AVTAB_ENABLED) && 6008c2ecf20Sopenharmony_ci (node->key.specified & AVTAB_XPERMS)) 6018c2ecf20Sopenharmony_ci services_compute_xperms_drivers(xperms, node); 6028c2ecf20Sopenharmony_ci } 6038c2ecf20Sopenharmony_ci} 6048c2ecf20Sopenharmony_ci 6058c2ecf20Sopenharmony_cistatic int cond_dup_av_list(struct cond_av_list *new, 6068c2ecf20Sopenharmony_ci struct cond_av_list *orig, 6078c2ecf20Sopenharmony_ci struct avtab *avtab) 6088c2ecf20Sopenharmony_ci{ 6098c2ecf20Sopenharmony_ci u32 i; 6108c2ecf20Sopenharmony_ci 6118c2ecf20Sopenharmony_ci memset(new, 0, sizeof(*new)); 6128c2ecf20Sopenharmony_ci 6138c2ecf20Sopenharmony_ci new->nodes = kcalloc(orig->len, sizeof(*new->nodes), GFP_KERNEL); 6148c2ecf20Sopenharmony_ci if (!new->nodes) 6158c2ecf20Sopenharmony_ci return -ENOMEM; 6168c2ecf20Sopenharmony_ci 6178c2ecf20Sopenharmony_ci for (i = 0; i < orig->len; i++) { 6188c2ecf20Sopenharmony_ci new->nodes[i] = avtab_insert_nonunique(avtab, 6198c2ecf20Sopenharmony_ci &orig->nodes[i]->key, 6208c2ecf20Sopenharmony_ci &orig->nodes[i]->datum); 6218c2ecf20Sopenharmony_ci if (!new->nodes[i]) 6228c2ecf20Sopenharmony_ci return -ENOMEM; 6238c2ecf20Sopenharmony_ci new->len++; 6248c2ecf20Sopenharmony_ci } 6258c2ecf20Sopenharmony_ci 6268c2ecf20Sopenharmony_ci return 0; 6278c2ecf20Sopenharmony_ci} 6288c2ecf20Sopenharmony_ci 6298c2ecf20Sopenharmony_cistatic int duplicate_policydb_cond_list(struct policydb *newp, 6308c2ecf20Sopenharmony_ci struct policydb *origp) 6318c2ecf20Sopenharmony_ci{ 6328c2ecf20Sopenharmony_ci int rc, i, j; 6338c2ecf20Sopenharmony_ci 6348c2ecf20Sopenharmony_ci rc = avtab_alloc_dup(&newp->te_cond_avtab, &origp->te_cond_avtab); 6358c2ecf20Sopenharmony_ci if (rc) 6368c2ecf20Sopenharmony_ci return rc; 6378c2ecf20Sopenharmony_ci 6388c2ecf20Sopenharmony_ci newp->cond_list_len = 0; 6398c2ecf20Sopenharmony_ci newp->cond_list = kcalloc(origp->cond_list_len, 6408c2ecf20Sopenharmony_ci sizeof(*newp->cond_list), 6418c2ecf20Sopenharmony_ci GFP_KERNEL); 6428c2ecf20Sopenharmony_ci if (!newp->cond_list) 6438c2ecf20Sopenharmony_ci goto error; 6448c2ecf20Sopenharmony_ci 6458c2ecf20Sopenharmony_ci for (i = 0; i < origp->cond_list_len; i++) { 6468c2ecf20Sopenharmony_ci struct cond_node *newn = &newp->cond_list[i]; 6478c2ecf20Sopenharmony_ci struct cond_node *orign = &origp->cond_list[i]; 6488c2ecf20Sopenharmony_ci 6498c2ecf20Sopenharmony_ci newp->cond_list_len++; 6508c2ecf20Sopenharmony_ci 6518c2ecf20Sopenharmony_ci newn->cur_state = orign->cur_state; 6528c2ecf20Sopenharmony_ci newn->expr.nodes = kcalloc(orign->expr.len, 6538c2ecf20Sopenharmony_ci sizeof(*newn->expr.nodes), GFP_KERNEL); 6548c2ecf20Sopenharmony_ci if (!newn->expr.nodes) 6558c2ecf20Sopenharmony_ci goto error; 6568c2ecf20Sopenharmony_ci for (j = 0; j < orign->expr.len; j++) 6578c2ecf20Sopenharmony_ci newn->expr.nodes[j] = orign->expr.nodes[j]; 6588c2ecf20Sopenharmony_ci newn->expr.len = orign->expr.len; 6598c2ecf20Sopenharmony_ci 6608c2ecf20Sopenharmony_ci rc = cond_dup_av_list(&newn->true_list, &orign->true_list, 6618c2ecf20Sopenharmony_ci &newp->te_cond_avtab); 6628c2ecf20Sopenharmony_ci if (rc) 6638c2ecf20Sopenharmony_ci goto error; 6648c2ecf20Sopenharmony_ci 6658c2ecf20Sopenharmony_ci rc = cond_dup_av_list(&newn->false_list, &orign->false_list, 6668c2ecf20Sopenharmony_ci &newp->te_cond_avtab); 6678c2ecf20Sopenharmony_ci if (rc) 6688c2ecf20Sopenharmony_ci goto error; 6698c2ecf20Sopenharmony_ci } 6708c2ecf20Sopenharmony_ci 6718c2ecf20Sopenharmony_ci return 0; 6728c2ecf20Sopenharmony_ci 6738c2ecf20Sopenharmony_cierror: 6748c2ecf20Sopenharmony_ci avtab_destroy(&newp->te_cond_avtab); 6758c2ecf20Sopenharmony_ci cond_list_destroy(newp); 6768c2ecf20Sopenharmony_ci return -ENOMEM; 6778c2ecf20Sopenharmony_ci} 6788c2ecf20Sopenharmony_ci 6798c2ecf20Sopenharmony_cistatic int cond_bools_destroy(void *key, void *datum, void *args) 6808c2ecf20Sopenharmony_ci{ 6818c2ecf20Sopenharmony_ci /* key was not copied so no need to free here */ 6828c2ecf20Sopenharmony_ci kfree(datum); 6838c2ecf20Sopenharmony_ci return 0; 6848c2ecf20Sopenharmony_ci} 6858c2ecf20Sopenharmony_ci 6868c2ecf20Sopenharmony_cistatic int cond_bools_copy(struct hashtab_node *new, struct hashtab_node *orig, void *args) 6878c2ecf20Sopenharmony_ci{ 6888c2ecf20Sopenharmony_ci struct cond_bool_datum *datum; 6898c2ecf20Sopenharmony_ci 6908c2ecf20Sopenharmony_ci datum = kmemdup(orig->datum, sizeof(struct cond_bool_datum), 6918c2ecf20Sopenharmony_ci GFP_KERNEL); 6928c2ecf20Sopenharmony_ci if (!datum) 6938c2ecf20Sopenharmony_ci return -ENOMEM; 6948c2ecf20Sopenharmony_ci 6958c2ecf20Sopenharmony_ci new->key = orig->key; /* No need to copy, never modified */ 6968c2ecf20Sopenharmony_ci new->datum = datum; 6978c2ecf20Sopenharmony_ci return 0; 6988c2ecf20Sopenharmony_ci} 6998c2ecf20Sopenharmony_ci 7008c2ecf20Sopenharmony_cistatic int cond_bools_index(void *key, void *datum, void *args) 7018c2ecf20Sopenharmony_ci{ 7028c2ecf20Sopenharmony_ci struct cond_bool_datum *booldatum, **cond_bool_array; 7038c2ecf20Sopenharmony_ci 7048c2ecf20Sopenharmony_ci booldatum = datum; 7058c2ecf20Sopenharmony_ci cond_bool_array = args; 7068c2ecf20Sopenharmony_ci cond_bool_array[booldatum->value - 1] = booldatum; 7078c2ecf20Sopenharmony_ci 7088c2ecf20Sopenharmony_ci return 0; 7098c2ecf20Sopenharmony_ci} 7108c2ecf20Sopenharmony_ci 7118c2ecf20Sopenharmony_cistatic int duplicate_policydb_bools(struct policydb *newdb, 7128c2ecf20Sopenharmony_ci struct policydb *orig) 7138c2ecf20Sopenharmony_ci{ 7148c2ecf20Sopenharmony_ci struct cond_bool_datum **cond_bool_array; 7158c2ecf20Sopenharmony_ci int rc; 7168c2ecf20Sopenharmony_ci 7178c2ecf20Sopenharmony_ci cond_bool_array = kmalloc_array(orig->p_bools.nprim, 7188c2ecf20Sopenharmony_ci sizeof(*orig->bool_val_to_struct), 7198c2ecf20Sopenharmony_ci GFP_KERNEL); 7208c2ecf20Sopenharmony_ci if (!cond_bool_array) 7218c2ecf20Sopenharmony_ci return -ENOMEM; 7228c2ecf20Sopenharmony_ci 7238c2ecf20Sopenharmony_ci rc = hashtab_duplicate(&newdb->p_bools.table, &orig->p_bools.table, 7248c2ecf20Sopenharmony_ci cond_bools_copy, cond_bools_destroy, NULL); 7258c2ecf20Sopenharmony_ci if (rc) { 7268c2ecf20Sopenharmony_ci kfree(cond_bool_array); 7278c2ecf20Sopenharmony_ci return -ENOMEM; 7288c2ecf20Sopenharmony_ci } 7298c2ecf20Sopenharmony_ci 7308c2ecf20Sopenharmony_ci hashtab_map(&newdb->p_bools.table, cond_bools_index, cond_bool_array); 7318c2ecf20Sopenharmony_ci newdb->bool_val_to_struct = cond_bool_array; 7328c2ecf20Sopenharmony_ci 7338c2ecf20Sopenharmony_ci newdb->p_bools.nprim = orig->p_bools.nprim; 7348c2ecf20Sopenharmony_ci 7358c2ecf20Sopenharmony_ci return 0; 7368c2ecf20Sopenharmony_ci} 7378c2ecf20Sopenharmony_ci 7388c2ecf20Sopenharmony_civoid cond_policydb_destroy_dup(struct policydb *p) 7398c2ecf20Sopenharmony_ci{ 7408c2ecf20Sopenharmony_ci hashtab_map(&p->p_bools.table, cond_bools_destroy, NULL); 7418c2ecf20Sopenharmony_ci hashtab_destroy(&p->p_bools.table); 7428c2ecf20Sopenharmony_ci cond_policydb_destroy(p); 7438c2ecf20Sopenharmony_ci} 7448c2ecf20Sopenharmony_ci 7458c2ecf20Sopenharmony_ciint cond_policydb_dup(struct policydb *new, struct policydb *orig) 7468c2ecf20Sopenharmony_ci{ 7478c2ecf20Sopenharmony_ci cond_policydb_init(new); 7488c2ecf20Sopenharmony_ci 7498c2ecf20Sopenharmony_ci if (duplicate_policydb_bools(new, orig)) 7508c2ecf20Sopenharmony_ci return -ENOMEM; 7518c2ecf20Sopenharmony_ci 7528c2ecf20Sopenharmony_ci if (duplicate_policydb_cond_list(new, orig)) { 7538c2ecf20Sopenharmony_ci cond_policydb_destroy_dup(new); 7548c2ecf20Sopenharmony_ci return -ENOMEM; 7558c2ecf20Sopenharmony_ci } 7568c2ecf20Sopenharmony_ci 7578c2ecf20Sopenharmony_ci return 0; 7588c2ecf20Sopenharmony_ci} 759