1 /* Authors: Karl MacMillan <kmacmillan@tresys.com>
2 * Frank Mayer <mayerf@tresys.com>
3 * David Caplan <dac@tresys.com>
4 *
5 * Copyright (C) 2003 - 2005 Tresys Technology, LLC
6 *
7 * This library is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
11 *
12 * This library is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
20 */
21
22 #include <stdlib.h>
23
24 #include <sepol/policydb/flask_types.h>
25 #include <sepol/policydb/conditional.h>
26
27 #include "private.h"
28
29 /* move all type rules to top of t/f lists to help kernel on evaluation */
cond_optimize(cond_av_list_t ** l)30 static void cond_optimize(cond_av_list_t ** l)
31 {
32 cond_av_list_t *top, *p, *cur;
33
34 top = p = cur = *l;
35
36 while (cur) {
37 if ((cur->node->key.specified & AVTAB_TYPE) && (top != cur)) {
38 p->next = cur->next;
39 cur->next = top;
40 top = cur;
41 cur = p->next;
42 } else {
43 p = cur;
44 cur = cur->next;
45 }
46 }
47 *l = top;
48 }
49
50 /* reorder t/f lists for kernel */
cond_optimize_lists(cond_list_t * cl)51 void cond_optimize_lists(cond_list_t * cl)
52 {
53 cond_list_t *n;
54
55 for (n = cl; n != NULL; n = n->next) {
56 cond_optimize(&n->true_list);
57 cond_optimize(&n->false_list);
58 }
59 }
60
bool_present(unsigned int target,unsigned int bools[],unsigned int num_bools)61 static int bool_present(unsigned int target, unsigned int bools[],
62 unsigned int num_bools)
63 {
64 unsigned int i = 0;
65 int ret = 1;
66
67 if (num_bools > COND_MAX_BOOLS) {
68 return 0;
69 }
70 while (i < num_bools && target != bools[i])
71 i++;
72 if (i == num_bools)
73 ret = 0; /* got to end w/o match */
74 return ret;
75 }
76
same_bools(cond_node_t * a,cond_node_t * b)77 static int same_bools(cond_node_t * a, cond_node_t * b)
78 {
79 unsigned int i, x;
80
81 x = a->nbools;
82
83 /* same number of bools? */
84 if (x != b->nbools)
85 return 0;
86
87 /* make sure all the bools in a are also in b */
88 for (i = 0; i < x; i++)
89 if (!bool_present(a->bool_ids[i], b->bool_ids, x))
90 return 0;
91 return 1;
92 }
93
94 /*
95 * Determine if two conditional expressions are equal.
96 */
cond_expr_equal(cond_node_t * a,cond_node_t * b)97 int cond_expr_equal(cond_node_t * a, cond_node_t * b)
98 {
99 cond_expr_t *cur_a, *cur_b;
100
101 if (a == NULL || b == NULL)
102 return 0;
103
104 if (a->nbools != b->nbools)
105 return 0;
106
107 /* if exprs have <= COND_MAX_BOOLS we can check the precompute values
108 * for the expressions.
109 */
110 if (a->nbools <= COND_MAX_BOOLS && b->nbools <= COND_MAX_BOOLS) {
111 if (!same_bools(a, b))
112 return 0;
113 return (a->expr_pre_comp == b->expr_pre_comp);
114 }
115
116 /* for long expressions we check for exactly the same expression */
117 cur_a = a->expr;
118 cur_b = b->expr;
119 while (1) {
120 if (cur_a == NULL && cur_b == NULL)
121 return 1;
122 else if (cur_a == NULL || cur_b == NULL)
123 return 0;
124 if (cur_a->expr_type != cur_b->expr_type)
125 return 0;
126 if (cur_a->expr_type == COND_BOOL) {
127 if (cur_a->bool != cur_b->bool)
128 return 0;
129 }
130 cur_a = cur_a->next;
131 cur_b = cur_b->next;
132 }
133 return 1;
134 }
135
136 /* Create a new conditional node, optionally copying
137 * the conditional expression from an existing node.
138 * If node is NULL then a new node will be created
139 * with no conditional expression.
140 */
cond_node_create(policydb_t * p,cond_node_t * node)141 cond_node_t *cond_node_create(policydb_t * p, cond_node_t * node)
142 {
143 cond_node_t *new_node;
144 unsigned int i;
145
146 new_node = (cond_node_t *)malloc(sizeof(cond_node_t));
147 if (!new_node) {
148 return NULL;
149 }
150 memset(new_node, 0, sizeof(cond_node_t));
151
152 if (node) {
153 new_node->expr = cond_copy_expr(node->expr);
154 if (!new_node->expr) {
155 free(new_node);
156 return NULL;
157 }
158 new_node->cur_state = cond_evaluate_expr(p, new_node->expr);
159 new_node->nbools = node->nbools;
160 for (i = 0; i < min(node->nbools, COND_MAX_BOOLS); i++)
161 new_node->bool_ids[i] = node->bool_ids[i];
162 new_node->expr_pre_comp = node->expr_pre_comp;
163 new_node->flags = node->flags;
164 }
165
166 return new_node;
167 }
168
169 /* Find a conditional (the needle) within a list of existing ones (the
170 * haystack) that has a matching expression. If found, return a
171 * pointer to the existing node, setting 'was_created' to 0.
172 * Otherwise create a new one and return it, setting 'was_created' to
173 * 1. */
cond_node_find(policydb_t * p,cond_node_t * needle,cond_node_t * haystack,int * was_created)174 cond_node_t *cond_node_find(policydb_t * p,
175 cond_node_t * needle, cond_node_t * haystack,
176 int *was_created)
177 {
178 while (haystack) {
179 if (cond_expr_equal(needle, haystack)) {
180 *was_created = 0;
181 return haystack;
182 }
183 haystack = haystack->next;
184 }
185 *was_created = 1;
186
187 return cond_node_create(p, needle);
188 }
189
190 /* return either a pre-existing matching node or create a new node */
cond_node_search(policydb_t * p,cond_node_t * list,cond_node_t * cn)191 cond_node_t *cond_node_search(policydb_t * p, cond_node_t * list,
192 cond_node_t * cn)
193 {
194 int was_created;
195 cond_node_t *result = cond_node_find(p, cn, list, &was_created);
196 if (result != NULL && was_created) {
197 /* add conditional node to policy list */
198 result->next = p->cond_list;
199 p->cond_list = result;
200 }
201 return result;
202 }
203
204 /*
205 * cond_evaluate_expr evaluates a conditional expr
206 * in reverse polish notation. It returns true (1), false (0),
207 * or undefined (-1). Undefined occurs when the expression
208 * exceeds the stack depth of COND_EXPR_MAXDEPTH.
209 */
cond_evaluate_expr(policydb_t * p,cond_expr_t * expr)210 int cond_evaluate_expr(policydb_t * p, cond_expr_t * expr)
211 {
212
213 cond_expr_t *cur;
214 int s[COND_EXPR_MAXDEPTH];
215 int sp = -1;
216
217 s[0] = -1;
218
219 for (cur = expr; cur != NULL; cur = cur->next) {
220 switch (cur->expr_type) {
221 case COND_BOOL:
222 if (sp == (COND_EXPR_MAXDEPTH - 1))
223 return -1;
224 sp++;
225 s[sp] = p->bool_val_to_struct[cur->bool - 1]->state;
226 break;
227 case COND_NOT:
228 if (sp < 0)
229 return -1;
230 s[sp] = !s[sp];
231 break;
232 case COND_OR:
233 if (sp < 1)
234 return -1;
235 sp--;
236 s[sp] |= s[sp + 1];
237 break;
238 case COND_AND:
239 if (sp < 1)
240 return -1;
241 sp--;
242 s[sp] &= s[sp + 1];
243 break;
244 case COND_XOR:
245 if (sp < 1)
246 return -1;
247 sp--;
248 s[sp] ^= s[sp + 1];
249 break;
250 case COND_EQ:
251 if (sp < 1)
252 return -1;
253 sp--;
254 s[sp] = (s[sp] == s[sp + 1]);
255 break;
256 case COND_NEQ:
257 if (sp < 1)
258 return -1;
259 sp--;
260 s[sp] = (s[sp] != s[sp + 1]);
261 break;
262 default:
263 return -1;
264 }
265 }
266 return s[0];
267 }
268
cond_copy_expr(cond_expr_t * expr)269 cond_expr_t *cond_copy_expr(cond_expr_t * expr)
270 {
271 cond_expr_t *cur, *head, *tail, *new_expr;
272 tail = head = NULL;
273 cur = expr;
274 while (cur) {
275 new_expr = (cond_expr_t *) malloc(sizeof(cond_expr_t));
276 if (!new_expr)
277 goto free_head;
278 memset(new_expr, 0, sizeof(cond_expr_t));
279
280 new_expr->expr_type = cur->expr_type;
281 new_expr->bool = cur->bool;
282
283 if (!head)
284 head = new_expr;
285 if (tail)
286 tail->next = new_expr;
287 tail = new_expr;
288 cur = cur->next;
289 }
290 return head;
291
292 free_head:
293 while (head) {
294 tail = head->next;
295 free(head);
296 head = tail;
297 }
298 return NULL;
299 }
300
301 /*
302 * evaluate_cond_node evaluates the conditional stored in
303 * a cond_node_t and if the result is different than the
304 * current state of the node it sets the rules in the true/false
305 * list appropriately. If the result of the expression is undefined
306 * all of the rules are disabled for safety.
307 */
evaluate_cond_node(policydb_t * p,cond_node_t * node)308 static int evaluate_cond_node(policydb_t * p, cond_node_t * node)
309 {
310 int new_state;
311 cond_av_list_t *cur;
312
313 new_state = cond_evaluate_expr(p, node->expr);
314 if (new_state != node->cur_state) {
315 node->cur_state = new_state;
316 if (new_state == -1)
317 printf
318 ("expression result was undefined - disabling all rules.\n");
319 /* turn the rules on or off */
320 for (cur = node->true_list; cur != NULL; cur = cur->next) {
321 if (new_state <= 0) {
322 cur->node->key.specified &= ~AVTAB_ENABLED;
323 } else {
324 cur->node->key.specified |= AVTAB_ENABLED;
325 }
326 }
327
328 for (cur = node->false_list; cur != NULL; cur = cur->next) {
329 /* -1 or 1 */
330 if (new_state) {
331 cur->node->key.specified &= ~AVTAB_ENABLED;
332 } else {
333 cur->node->key.specified |= AVTAB_ENABLED;
334 }
335 }
336 }
337 return 0;
338 }
339
340 /* precompute and simplify an expression if possible. If left with !expression, change
341 * to expression and switch t and f. precompute expression for expressions with limited
342 * number of bools.
343 */
cond_normalize_expr(policydb_t * p,cond_node_t * cn)344 int cond_normalize_expr(policydb_t * p, cond_node_t * cn)
345 {
346 cond_expr_t *ne, *e;
347 cond_av_list_t *tmp;
348 unsigned int i, j, orig_value[COND_MAX_BOOLS];
349 int k;
350 uint32_t test = 0x0;
351 avrule_t *tmp2;
352
353 cn->nbools = 0;
354
355 memset(cn->bool_ids, 0, sizeof(cn->bool_ids));
356 cn->expr_pre_comp = 0x0;
357
358 /* take care of !expr case */
359 ne = NULL;
360 e = cn->expr;
361
362 /* because it's RPN look at last element */
363 while (e->next != NULL) {
364 ne = e;
365 e = e->next;
366 }
367 if (e->expr_type == COND_NOT) {
368 if (ne) {
369 ne->next = NULL;
370 } else { /* ne should never be NULL */
371 printf
372 ("Found expr with no bools and only a ! - this should never happen.\n");
373 return -1;
374 }
375 /* swap the true and false lists */
376 tmp = cn->true_list;
377 cn->true_list = cn->false_list;
378 cn->false_list = tmp;
379 tmp2 = cn->avtrue_list;
380 cn->avtrue_list = cn->avfalse_list;
381 cn->avfalse_list = tmp2;
382
383 /* free the "not" node in the list */
384 free(e);
385 }
386
387 /* find all the bools in the expression */
388 for (e = cn->expr; e != NULL; e = e->next) {
389 switch (e->expr_type) {
390 case COND_BOOL:
391 /* see if we've already seen this bool */
392 if (!bool_present(e->bool, cn->bool_ids, cn->nbools)) {
393 /* count em all but only record up to COND_MAX_BOOLS */
394 if (cn->nbools < COND_MAX_BOOLS)
395 cn->bool_ids[cn->nbools++] = e->bool;
396 else
397 cn->nbools++;
398 }
399 break;
400 default:
401 break;
402 }
403 }
404
405 /* only precompute for exprs with <= COND_AX_BOOLS */
406 if (cn->nbools <= COND_MAX_BOOLS) {
407 /* save the default values for the bools so we can play with them */
408 for (i = 0; i < cn->nbools; i++) {
409 orig_value[i] =
410 p->bool_val_to_struct[cn->bool_ids[i] - 1]->state;
411 }
412
413 /* loop through all possible combinations of values for bools in expression */
414 for (test = 0x0; test < (UINT32_C(1) << cn->nbools); test++) {
415 /* temporarily set the value for all the bools in the
416 * expression using the corr. bit in test */
417 for (j = 0; j < cn->nbools; j++) {
418 p->bool_val_to_struct[cn->bool_ids[j] -
419 1]->state =
420 (test & (UINT32_C(1) << j)) ? 1 : 0;
421 }
422 k = cond_evaluate_expr(p, cn->expr);
423 if (k == -1) {
424 printf
425 ("While testing expression, expression result "
426 "was undefined - this should never happen.\n");
427 return -1;
428 }
429 /* set the bit if expression evaluates true */
430 if (k)
431 cn->expr_pre_comp |= UINT32_C(1) << test;
432 }
433
434 /* restore bool default values */
435 for (i = 0; i < cn->nbools; i++)
436 p->bool_val_to_struct[cn->bool_ids[i] - 1]->state =
437 orig_value[i];
438 }
439 return 0;
440 }
441
evaluate_conds(policydb_t * p)442 int evaluate_conds(policydb_t * p)
443 {
444 int ret;
445 cond_node_t *cur;
446
447 for (cur = p->cond_list; cur != NULL; cur = cur->next) {
448 ret = evaluate_cond_node(p, cur);
449 if (ret)
450 return ret;
451 }
452 return 0;
453 }
454
cond_policydb_init(policydb_t * p)455 int cond_policydb_init(policydb_t * p)
456 {
457 p->bool_val_to_struct = NULL;
458 p->cond_list = NULL;
459 if (avtab_init(&p->te_cond_avtab))
460 return -1;
461
462 return 0;
463 }
464
cond_av_list_destroy(cond_av_list_t * list)465 void cond_av_list_destroy(cond_av_list_t * list)
466 {
467 cond_av_list_t *cur, *next;
468 for (cur = list; cur != NULL; cur = next) {
469 next = cur->next;
470 /* the avtab_ptr_t node is destroy by the avtab */
471 free(cur);
472 }
473 }
474
cond_expr_destroy(cond_expr_t * expr)475 void cond_expr_destroy(cond_expr_t * expr)
476 {
477 cond_expr_t *cur_expr, *next_expr;
478
479 if (!expr)
480 return;
481
482 for (cur_expr = expr; cur_expr != NULL; cur_expr = next_expr) {
483 next_expr = cur_expr->next;
484 free(cur_expr);
485 }
486 }
487
cond_node_destroy(cond_node_t * node)488 void cond_node_destroy(cond_node_t * node)
489 {
490 if (!node)
491 return;
492
493 cond_expr_destroy(node->expr);
494 avrule_list_destroy(node->avtrue_list);
495 avrule_list_destroy(node->avfalse_list);
496 cond_av_list_destroy(node->true_list);
497 cond_av_list_destroy(node->false_list);
498 }
499
cond_list_destroy(cond_list_t * list)500 void cond_list_destroy(cond_list_t * list)
501 {
502 cond_node_t *next, *cur;
503
504 if (list == NULL)
505 return;
506
507 for (cur = list; cur != NULL; cur = next) {
508 next = cur->next;
509 cond_node_destroy(cur);
510 free(cur);
511 }
512 }
513
cond_policydb_destroy(policydb_t * p)514 void cond_policydb_destroy(policydb_t * p)
515 {
516 if (p->bool_val_to_struct != NULL)
517 free(p->bool_val_to_struct);
518 avtab_destroy(&p->te_cond_avtab);
519 cond_list_destroy(p->cond_list);
520 }
521
cond_init_bool_indexes(policydb_t * p)522 int cond_init_bool_indexes(policydb_t * p)
523 {
524 if (p->bool_val_to_struct)
525 free(p->bool_val_to_struct);
526 p->bool_val_to_struct = (cond_bool_datum_t **)
527 malloc(p->p_bools.nprim * sizeof(cond_bool_datum_t *));
528 if (!p->bool_val_to_struct)
529 return -1;
530 return 0;
531 }
532
cond_destroy_bool(hashtab_key_t key,hashtab_datum_t datum,void * p)533 int cond_destroy_bool(hashtab_key_t key, hashtab_datum_t datum, void *p
534 __attribute__ ((unused)))
535 {
536 if (key)
537 free(key);
538 free(datum);
539 return 0;
540 }
541
cond_index_bool(hashtab_key_t key,hashtab_datum_t datum,void * datap)542 int cond_index_bool(hashtab_key_t key, hashtab_datum_t datum, void *datap)
543 {
544 policydb_t *p;
545 cond_bool_datum_t *booldatum;
546
547 booldatum = datum;
548 p = datap;
549
550 if (!booldatum->s.value || booldatum->s.value > p->p_bools.nprim)
551 return -EINVAL;
552
553 if (p->p_bool_val_to_name[booldatum->s.value - 1] != NULL)
554 return -EINVAL;
555
556 p->p_bool_val_to_name[booldatum->s.value - 1] = key;
557 p->bool_val_to_struct[booldatum->s.value - 1] = booldatum;
558
559 return 0;
560 }
561
bool_isvalid(cond_bool_datum_t * b)562 static int bool_isvalid(cond_bool_datum_t * b)
563 {
564 if (!(b->state == 0 || b->state == 1))
565 return 0;
566 return 1;
567 }
568
cond_read_bool(policydb_t * p,hashtab_t h,struct policy_file * fp)569 int cond_read_bool(policydb_t * p,
570 hashtab_t h,
571 struct policy_file *fp)
572 {
573 char *key = 0;
574 cond_bool_datum_t *booldatum;
575 uint32_t buf[3], len;
576 int rc;
577
578 booldatum = malloc(sizeof(cond_bool_datum_t));
579 if (!booldatum)
580 return -1;
581 memset(booldatum, 0, sizeof(cond_bool_datum_t));
582
583 rc = next_entry(buf, fp, sizeof(uint32_t) * 3);
584 if (rc < 0)
585 goto err;
586
587 booldatum->s.value = le32_to_cpu(buf[0]);
588 booldatum->state = le32_to_cpu(buf[1]);
589
590 if (!bool_isvalid(booldatum))
591 goto err;
592
593 len = le32_to_cpu(buf[2]);
594 if (str_read(&key, fp, len))
595 goto err;
596
597 if (p->policy_type != POLICY_KERN &&
598 p->policyvers >= MOD_POLICYDB_VERSION_TUNABLE_SEP) {
599 rc = next_entry(buf, fp, sizeof(uint32_t));
600 if (rc < 0)
601 goto err;
602 booldatum->flags = le32_to_cpu(buf[0]);
603 }
604
605 if (hashtab_insert(h, key, booldatum))
606 goto err;
607
608 return 0;
609 err:
610 cond_destroy_bool(key, booldatum, 0);
611 return -1;
612 }
613
614 struct cond_insertf_data {
615 struct policydb *p;
616 cond_av_list_t *other;
617 cond_av_list_t *head;
618 cond_av_list_t *tail;
619 };
620
cond_insertf(avtab_t * a,avtab_key_t * k,avtab_datum_t * d,void * ptr)621 static int cond_insertf(avtab_t * a
622 __attribute__ ((unused)), avtab_key_t * k,
623 avtab_datum_t * d, void *ptr)
624 {
625 struct cond_insertf_data *data = ptr;
626 struct policydb *p = data->p;
627 cond_av_list_t *other = data->other, *list, *cur;
628 avtab_ptr_t node_ptr;
629 uint8_t found;
630
631 /*
632 * For type rules we have to make certain there aren't any
633 * conflicting rules by searching the te_avtab and the
634 * cond_te_avtab.
635 */
636 if (k->specified & AVTAB_TYPE) {
637 if (avtab_search(&p->te_avtab, k)) {
638 printf
639 ("security: type rule already exists outside of a conditional.");
640 goto err;
641 }
642 /*
643 * If we are reading the false list other will be a pointer to
644 * the true list. We can have duplicate entries if there is only
645 * 1 other entry and it is in our true list.
646 *
647 * If we are reading the true list (other == NULL) there shouldn't
648 * be any other entries.
649 */
650 if (other) {
651 node_ptr = avtab_search_node(&p->te_cond_avtab, k);
652 if (node_ptr) {
653 if (avtab_search_node_next
654 (node_ptr, k->specified)) {
655 printf
656 ("security: too many conflicting type rules.");
657 goto err;
658 }
659 found = 0;
660 for (cur = other; cur != NULL; cur = cur->next) {
661 if (cur->node == node_ptr) {
662 found = 1;
663 break;
664 }
665 }
666 if (!found) {
667 printf
668 ("security: conflicting type rules.\n");
669 goto err;
670 }
671 }
672 } else {
673 if (avtab_search(&p->te_cond_avtab, k)) {
674 printf
675 ("security: conflicting type rules when adding type rule for true.\n");
676 goto err;
677 }
678 }
679 }
680
681 node_ptr = avtab_insert_nonunique(&p->te_cond_avtab, k, d);
682 if (!node_ptr) {
683 printf("security: could not insert rule.");
684 goto err;
685 }
686 node_ptr->parse_context = (void *)1;
687
688 list = malloc(sizeof(cond_av_list_t));
689 if (!list)
690 goto err;
691 memset(list, 0, sizeof(cond_av_list_t));
692
693 list->node = node_ptr;
694 if (!data->head)
695 data->head = list;
696 else
697 data->tail->next = list;
698 data->tail = list;
699 return 0;
700
701 err:
702 cond_av_list_destroy(data->head);
703 data->head = NULL;
704 return -1;
705 }
706
cond_read_av_list(policydb_t * p,void * fp,cond_av_list_t ** ret_list,cond_av_list_t * other)707 static int cond_read_av_list(policydb_t * p, void *fp,
708 cond_av_list_t ** ret_list, cond_av_list_t * other)
709 {
710 unsigned int i;
711 int rc;
712 uint32_t buf[1], len;
713 struct cond_insertf_data data;
714
715 *ret_list = NULL;
716
717 rc = next_entry(buf, fp, sizeof(uint32_t));
718 if (rc < 0)
719 return -1;
720
721 len = le32_to_cpu(buf[0]);
722 if (len == 0) {
723 return 0;
724 }
725
726 data.p = p;
727 data.other = other;
728 data.head = NULL;
729 data.tail = NULL;
730 for (i = 0; i < len; i++) {
731 rc = avtab_read_item(fp, p->policyvers, &p->te_cond_avtab,
732 cond_insertf, &data);
733 if (rc)
734 return rc;
735
736 }
737
738 *ret_list = data.head;
739 return 0;
740 }
741
expr_isvalid(policydb_t * p,cond_expr_t * expr)742 static int expr_isvalid(policydb_t * p, cond_expr_t * expr)
743 {
744 if (expr->expr_type <= 0 || expr->expr_type > COND_LAST) {
745 printf
746 ("security: conditional expressions uses unknown operator.\n");
747 return 0;
748 }
749
750 if (expr->bool > p->p_bools.nprim) {
751 printf
752 ("security: conditional expressions uses unknown bool.\n");
753 return 0;
754 }
755 return 1;
756 }
757
cond_read_node(policydb_t * p,cond_node_t * node,void * fp)758 static int cond_read_node(policydb_t * p, cond_node_t * node, void *fp)
759 {
760 uint32_t buf[2];
761 int len, i, rc;
762 cond_expr_t *expr = NULL, *last = NULL;
763
764 rc = next_entry(buf, fp, sizeof(uint32_t));
765 if (rc < 0)
766 goto err;
767
768 node->cur_state = le32_to_cpu(buf[0]);
769
770 rc = next_entry(buf, fp, sizeof(uint32_t));
771 if (rc < 0)
772 goto err;
773
774 /* expr */
775 len = le32_to_cpu(buf[0]);
776
777 for (i = 0; i < len; i++) {
778 rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
779 if (rc < 0)
780 goto err;
781
782 expr = malloc(sizeof(cond_expr_t));
783 if (!expr) {
784 goto err;
785 }
786 memset(expr, 0, sizeof(cond_expr_t));
787
788 expr->expr_type = le32_to_cpu(buf[0]);
789 expr->bool = le32_to_cpu(buf[1]);
790
791 if (!expr_isvalid(p, expr)) {
792 free(expr);
793 goto err;
794 }
795
796 if (i == 0) {
797 node->expr = expr;
798 } else {
799 last->next = expr;
800 }
801 last = expr;
802 }
803
804 if (p->policy_type == POLICY_KERN) {
805 if (cond_read_av_list(p, fp, &node->true_list, NULL) != 0)
806 goto err;
807 if (cond_read_av_list(p, fp, &node->false_list, node->true_list)
808 != 0)
809 goto err;
810 } else {
811 if (avrule_read_list(p, &node->avtrue_list, fp))
812 goto err;
813 if (avrule_read_list(p, &node->avfalse_list, fp))
814 goto err;
815 }
816
817 if (p->policy_type != POLICY_KERN &&
818 p->policyvers >= MOD_POLICYDB_VERSION_TUNABLE_SEP) {
819 rc = next_entry(buf, fp, sizeof(uint32_t));
820 if (rc < 0)
821 goto err;
822 node->flags = le32_to_cpu(buf[0]);
823 }
824
825 return 0;
826 err:
827 cond_node_destroy(node);
828 free(node);
829 return -1;
830 }
831
cond_read_list(policydb_t * p,cond_list_t ** list,void * fp)832 int cond_read_list(policydb_t * p, cond_list_t ** list, void *fp)
833 {
834 cond_node_t *node, *last = NULL;
835 uint32_t buf[1];
836 int i, len, rc;
837
838 rc = next_entry(buf, fp, sizeof(uint32_t));
839 if (rc < 0)
840 return -1;
841
842 len = le32_to_cpu(buf[0]);
843
844 rc = avtab_alloc(&p->te_cond_avtab, p->te_avtab.nel);
845 if (rc)
846 goto err;
847
848 for (i = 0; i < len; i++) {
849 node = malloc(sizeof(cond_node_t));
850 if (!node)
851 goto err;
852 memset(node, 0, sizeof(cond_node_t));
853
854 if (cond_read_node(p, node, fp) != 0)
855 goto err;
856
857 if (i == 0) {
858 *list = node;
859 } else {
860 last->next = node;
861 }
862 last = node;
863 }
864 return 0;
865 err:
866 return -1;
867 }
868
869 /* Determine whether additional permissions are granted by the conditional
870 * av table, and if so, add them to the result
871 */
cond_compute_av(avtab_t * ctab,avtab_key_t * key,struct sepol_av_decision * avd)872 void cond_compute_av(avtab_t * ctab, avtab_key_t * key,
873 struct sepol_av_decision *avd)
874 {
875 avtab_ptr_t node;
876
877 if (!ctab || !key || !avd)
878 return;
879
880 for (node = avtab_search_node(ctab, key); node != NULL;
881 node = avtab_search_node_next(node, key->specified)) {
882 if ((uint16_t) (AVTAB_ALLOWED | AVTAB_ENABLED) ==
883 (node->key.specified & (AVTAB_ALLOWED | AVTAB_ENABLED)))
884 avd->allowed |= node->datum.data;
885 if ((uint16_t) (AVTAB_AUDITDENY | AVTAB_ENABLED) ==
886 (node->key.specified & (AVTAB_AUDITDENY | AVTAB_ENABLED)))
887 /* Since a '0' in an auditdeny mask represents a
888 * permission we do NOT want to audit (dontaudit), we use
889 * the '&' operand to ensure that all '0's in the mask
890 * are retained (much unlike the allow and auditallow cases).
891 */
892 avd->auditdeny &= node->datum.data;
893 if ((uint16_t) (AVTAB_AUDITALLOW | AVTAB_ENABLED) ==
894 (node->key.specified & (AVTAB_AUDITALLOW | AVTAB_ENABLED)))
895 avd->auditallow |= node->datum.data;
896 }
897 return;
898 }
899
cond_av_list_search(avtab_key_t * key,cond_av_list_t * cond_list)900 avtab_datum_t *cond_av_list_search(avtab_key_t * key,
901 cond_av_list_t * cond_list)
902 {
903
904 cond_av_list_t *cur_av;
905
906 for (cur_av = cond_list; cur_av != NULL; cur_av = cur_av->next) {
907
908 if (cur_av->node->key.source_type == key->source_type &&
909 cur_av->node->key.target_type == key->target_type &&
910 cur_av->node->key.target_class == key->target_class)
911
912 return &cur_av->node->datum;
913
914 }
915 return NULL;
916
917 }
918