diff --git a/libsepol/include/sepol/policydb/polcaps.h b/libsepol/include/sepol/policydb/polcaps.h
index f90a48d..9152446 100644
--- a/libsepol/include/sepol/policydb/polcaps.h
+++ b/libsepol/include/sepol/policydb/polcaps.h
@@ -5,7 +5,7 @@
enum {
POLICYDB_CAPABILITY_NETPEER,
POLICYDB_CAPABILITY_OPENPERM,
- POLICYDB_CAPABILITY_REDHAT1, /* reserved for RH testing of ptrace_child */
+ POLICYDB_CAPABILITY_PTRACE_CHILD,
POLICYDB_CAPABILITY_ALWAYSNETWORK,
__POLICYDB_CAPABILITY_MAX
};
diff --git a/libsepol/include/sepol/policydb/services.h b/libsepol/include/sepol/policydb/services.h
index aef0c7b..3fd9700 100644
--- a/libsepol/include/sepol/policydb/services.h
+++ b/libsepol/include/sepol/policydb/services.h
@@ -58,6 +58,36 @@ extern int sepol_compute_av_reason(sepol_security_id_t ssid,
struct sepol_av_decision *avd,
unsigned int *reason);
+/*
+ * Same as above, but also returns the constraint expression calculations
+ * whether allowed or denied in a buffer. This buffer is allocated by
+ * this call and must be free'd by the caller.
+ * The contraint buffer is in RPN format.
+ */
+extern int sepol_compute_av_reason_buffer(sepol_security_id_t ssid,
+ sepol_security_id_t tsid,
+ sepol_security_class_t tclass,
+ sepol_access_vector_t requested,
+ struct sepol_av_decision *avd,
+ unsigned int *reason,
+ char **reason_buf);
+
+/*
+ * Return a class ID associated with the class string representation
+ * specified by `class_name'.
+ */
+extern int sepol_class_name_to_id(const char *class_name,
+ sepol_security_class_t *tclass);
+
+/*
+ * Return a permission av bit associated with tclass and the string
+ * representation of the `perm_name'.
+ */
+extern int sepol_perm_name_to_av(sepol_security_class_t tclass,
+ const char *perm_name,
+ sepol_access_vector_t *av);
+
+
/*
* Compute a SID to use for labeling a new object in the
* class `tclass' based on a SID pair.
diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index 2003eb6..a2d209c 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -49,6 +49,82 @@ typedef struct expand_state {
int expand_neverallow;
} expand_state_t;
+struct linear_probe {
+ filename_trans_t **table; /* filename_trans chunks with same stype */
+ filename_trans_t **ends; /* pointers to ends of **table chunks */
+ uint32_t length; /* length of the table */
+};
+
+static int linear_probe_create(struct linear_probe *probe, uint32_t length)
+{
+ probe->table = calloc(length, sizeof(*probe->table));
+ if (probe->table == NULL)
+ return -1;
+
+ probe->ends = calloc(length, sizeof(*probe->ends));
+ if (probe->ends == NULL)
+ return -1;
+
+ probe->length = length;
+
+ return 0;
+}
+
+static void linear_probe_destroy(struct linear_probe *probe)
+{
+ if (probe->length == 0)
+ return;
+
+ free(probe->table);
+ free(probe->ends);
+ memset(probe, 0, sizeof(*probe));
+}
+
+static void linear_probe_insert(struct linear_probe *probe, uint32_t key,
+ filename_trans_t *data)
+{
+ assert(probe->length > key);
+
+ if (probe->table[key] != NULL) {
+ data->next = probe->table[key];
+ probe->table[key] = data;
+ } else {
+ probe->table[key] = probe->ends[key] = data;
+ }
+}
+
+static filename_trans_t *linear_probe_find(struct linear_probe *probe, uint32_t key)
+{
+ assert(probe->length > key);
+
+ return probe->table[key];
+}
+
+/* Returns all chunks stored in the *probe as single-linked list */
+static filename_trans_t *linear_probe_dump(struct linear_probe *probe,
+ filename_trans_t **endp)
+{
+ uint32_t i;
+ filename_trans_t *result = NULL;
+ filename_trans_t *end = NULL;
+
+ for (i = 0; i < probe->length; i++) {
+ if (probe->table[i] != NULL) {
+ if (end == NULL)
+ end = probe->ends[i];
+ probe->ends[i]->next = result;
+ result = probe->table[i];
+ probe->table[i] = probe->ends[i] = NULL;
+ }
+ }
+
+ /* Incoherent result and end pointers indicates bug */
+ assert((result != NULL && end != NULL) || (result == NULL && end == NULL));
+
+ *endp = end;
+ return result;
+}
+
static void expand_state_init(expand_state_t * state)
{
memset(state, 0, sizeof(expand_state_t));
@@ -1357,10 +1433,20 @@ static int copy_role_trans(expand_state_t * state, role_trans_rule_t * rules)
static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *rules)
{
unsigned int i, j;
- filename_trans_t *new_trans, *cur_trans;
+ filename_trans_t *new_trans, *cur_trans, *end;
filename_trans_rule_t *cur_rule;
ebitmap_t stypes, ttypes;
ebitmap_node_t *snode, *tnode;
+ struct linear_probe probe;
+
+ /*
+ * Linear probing speeds-up finding filename_trans rules with certain
+ * "stype" value.
+ */
+ if (linear_probe_create(&probe, 4096)) { /* Assume 4096 is enough for most cases */
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
cur_rule = rules;
while (cur_rule) {
@@ -1383,6 +1469,14 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
mapped_otype = state->typemap[cur_rule->otype - 1];
+ if (ebitmap_length(&stypes) > probe.length) {
+ linear_probe_destroy(&probe);
+ if (linear_probe_create(&probe, ebitmap_length(&stypes))) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+ }
+
ebitmap_for_each_bit(&stypes, snode, i) {
if (!ebitmap_node_get_bit(snode, i))
continue;
@@ -1390,16 +1484,14 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
if (!ebitmap_node_get_bit(tnode, j))
continue;
- cur_trans = state->out->filename_trans;
- while (cur_trans) {
- if ((cur_trans->stype == i + 1) &&
- (cur_trans->ttype == j + 1) &&
+ cur_trans = linear_probe_find(&probe, i);
+ while (cur_trans != NULL) {
+ if ((cur_trans->ttype == j + 1) &&
(cur_trans->tclass == cur_rule->tclass) &&
(!strcmp(cur_trans->name, cur_rule->name))) {
/* duplicate rule, who cares */
if (cur_trans->otype == mapped_otype)
break;
-
ERR(state->handle, "Conflicting filename trans rules %s %s %s : %s otype1:%s otype2:%s",
cur_trans->name,
state->out->p_type_val_to_name[i],
@@ -1407,7 +1499,7 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
state->out->p_class_val_to_name[cur_trans->tclass - 1],
state->out->p_type_val_to_name[cur_trans->otype - 1],
state->out->p_type_val_to_name[mapped_otype - 1]);
-
+
return -1;
}
cur_trans = cur_trans->next;
@@ -1422,8 +1514,6 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
return -1;
}
memset(new_trans, 0, sizeof(*new_trans));
- new_trans->next = state->out->filename_trans;
- state->out->filename_trans = new_trans;
new_trans->name = strdup(cur_rule->name);
if (!new_trans->name) {
@@ -1434,9 +1524,16 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
new_trans->ttype = j + 1;
new_trans->tclass = cur_rule->tclass;
new_trans->otype = mapped_otype;
+ linear_probe_insert(&probe, i, new_trans);
}
}
+ cur_trans = linear_probe_dump(&probe, &end);
+ if (cur_trans != NULL) {
+ end->next = state->out->filename_trans;
+ state->out->filename_trans = cur_trans;
+ }
+
ebitmap_destroy(&stypes);
ebitmap_destroy(&ttypes);
@@ -2037,14 +2134,13 @@ static int ocontext_copy_xen(expand_state_t *state)
else
state->out->ocontexts[i] = n;
l = n;
+ if (context_copy(&n->context[0], &c->context[0],
+ state)) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
switch (i) {
case OCON_XEN_ISID:
- if (c->context[0].user == 0) {
- ERR(state->handle,
- "Missing context for %s initial sid",
- c->u.name);
- return -1;
- }
n->sid[0] = c->sid[0];
break;
case OCON_XEN_PIRQ:
@@ -2067,11 +2163,6 @@ static int ocontext_copy_xen(expand_state_t *state)
ERR(state->handle, "Unknown ocontext");
return -1;
}
- if (context_copy(&n->context[0], &c->context[0],
- state)) {
- ERR(state->handle, "Out of memory!");
- return -1;
- }
}
}
return 0;
@@ -2096,14 +2187,12 @@ static int ocontext_copy_selinux(expand_state_t *state)
else
state->out->ocontexts[i] = n;
l = n;
+ if (context_copy(&n->context[0], &c->context[0], state)) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
switch (i) {
case OCON_ISID:
- if (c->context[0].user == 0) {
- ERR(state->handle,
- "Missing context for %s initial sid",
- c->u.name);
- return -1;
- }
n->sid[0] = c->sid[0];
break;
case OCON_FS: /* FALLTHROUGH */
@@ -2147,10 +2236,6 @@ static int ocontext_copy_selinux(expand_state_t *state)
ERR(state->handle, "Unknown ocontext");
return -1;
}
- if (context_copy(&n->context[0], &c->context[0], state)) {
- ERR(state->handle, "Out of memory!");
- return -1;
- }
}
}
return 0;
diff --git a/libsepol/src/polcaps.c b/libsepol/src/polcaps.c
index 43a71a7..7615a9b 100644
--- a/libsepol/src/polcaps.c
+++ b/libsepol/src/polcaps.c
@@ -8,7 +8,7 @@
static const char *polcap_names[] = {
"network_peer_controls", /* POLICYDB_CAPABILITY_NETPEER */
"open_perms", /* POLICYDB_CAPABILITY_OPENPERM */
- "redhat1", /* POLICYDB_CAPABILITY_REDHAT1, aka ptrace_child */
+ "ptrace_child", /* POLICYDB_CAPABILITY_PTRACE_CHILD */
"always_check_network", /* POLICYDB_CAPABILITY_ALWAYSNETWORK */
NULL
};
diff --git a/libsepol/src/services.c b/libsepol/src/services.c
index 9c2920c..096c28e 100644
--- a/libsepol/src/services.c
+++ b/libsepol/src/services.c
@@ -1,4 +1,3 @@
-
/*
* Author : Stephen Smalley, <sds@epoch.ncsc.mil>
*/
@@ -43,6 +42,8 @@
* Implementation of the security services.
*/
+#define REASON_BUF_SIZE 100000
+
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
@@ -54,6 +55,7 @@
#include <sepol/policydb/services.h>
#include <sepol/policydb/conditional.h>
#include <sepol/policydb/flask.h>
+#include <sepol/policydb/util.h>
#include "debug.h"
#include "private.h"
@@ -112,20 +114,223 @@ int sepol_set_policydb_from_file(FILE * fp)
static uint32_t latest_granting = 0;
/*
- * Return the boolean value of a constraint expression
- * when it is applied to the specified source and target
+ * Start of changes to support constraint reason failures.
+ */
+
+/*
+ * get_names_list obtains the list of users, roles or types when expr
+ * has a names list. For 'types' only, find how many in the name list, and
+ * then the attributes associated to them (also count these). When
+ * complete take the list of attributes and find those whose count
+ * matches the number of types. The attributes in the final list will be
+ * the ones that need to have the type added to give access should this
+ * part of the expression fail (but which one - currently the only way
+ * is to check the policy source).
+ *
+ * The best way to solve this is for the compilers (checkpolicy and
+ * checkmodule) to add attributes to the constraint_expr_t structure
+ * (see constraint.h). The CIL compiler does add attribute names to
+ * constraint_expr_t->names, but the kernel does not translate them to
+ * types (i.e. the 30-04-12 version of the CIL compiler does not build
+ * the policy correctly).
+ *
+ * Note that the type_datum_t ->types (policydb.h) does not contain
+ * a list of types when inspecting a binary policy. This is only used
+ * in the *.pp modules.
+ */
+int get_names_list(const ebitmap_t * e, int type, char ** expr_buf)
+{
+ type_datum_t *t1 = NULL;
+ ebitmap_t *attr;
+
+#define MAX_ATTRS 400
+ /* Hold the type attribute names and count of instances */
+ struct attr_entries {
+ unsigned int entry;
+ int count;
+ } attr_info[MAX_ATTRS];
+
+ /* Various counters */
+ int x, rc = 0;
+ unsigned int i, z;
+
+ /*
+ * If an attribute is found in ->names then set to 1. Note this
+ * will only happen with the CIL compiler 30-Mar-2012 version) and
+ * is an error but we process anyway.
+ */
+ int is_attr = 0;
+
+ char tmp_buf[100];
+ /* if ->names is 0, then output string <empty_set> */
+ int empty_set = 0;
+
+ /* The number of types in ->names */
+ int type_count = 0;
+
+ /* If no buffer set then just return. */
+ if (!*expr_buf)
+ return 0;
+
+ for (x = 0; x < MAX_ATTRS; x++) {
+ attr_info[x].entry = '\0';
+ attr_info[x].count = '\0';
+ }
+
+ /* For type entries find how many entries so we can check attributes */
+ if (type == CEXPR_TYPE) {
+ for (i = ebitmap_startbit(e); i < ebitmap_length(e); i++) {
+ if ((rc = ebitmap_get_bit(e, i)) == 0)
+ continue;
+ type_count++;
+ }
+ }
+
+ /*
+ * Start the list of names where e = &e->names, except for types as
+ * a list of possible attributes will be given
+ */
+ if (type != CEXPR_TYPE)
+ strncat(*expr_buf, "names-{ ", REASON_BUF_SIZE);
+
+ for (i = ebitmap_startbit(e); i < ebitmap_length(e); i++) {
+ if ((rc = ebitmap_get_bit(e, i)) == 0)
+ continue;
+
+ switch (type) {
+ case CEXPR_USER:
+ snprintf(tmp_buf, sizeof(tmp_buf), "%s ", policydb->p_user_val_to_name[i]);
+ strncat(*expr_buf, tmp_buf, REASON_BUF_SIZE);
+ break;
+
+ case CEXPR_ROLE:
+ snprintf(tmp_buf, sizeof(tmp_buf), "%s ", policydb->p_role_val_to_name[i]);
+ strncat(*expr_buf, tmp_buf, REASON_BUF_SIZE);
+ break;
+
+ case CEXPR_TYPE:
+/*
+ * When checking a type for associated attributes, you can get a number
+ * of attributes, any one of which could be the one to update, for example:
+ *
+ * constrain process { transition noatsecure siginh rlimitinh }
+ * (
+ * r1 == r2
+ * or ( t1 == can_change_process_role and t2 == process_user_target )
+ * or ( t1 == cron_source_domain and t2 == cron_job_domain )
+ * or ( t1 == can_system_change and r2 == system_r )
+ * or ( t1 == process_uncond_exempt )
+ * );
+ *
+ * for the 'targeted' policy it will yeld for "can_change_process_role"
+ * the following possible entries: can_change_process_role,
+ * nsswitch_domain or domain as each type that makes up
+ * "can_change_process_role" is also in the others.
+ *
+ * The "cron_source_domain" will give the largest amount of attributes
+ * as there is only one type (crond_t) but has 36 attribute associations.
+ */
+ /*
+ * Get node for the type ID and if an attribute just add name,
+ * otherwise find the list of attrs associated to this type.
+ */
+ t1 = policydb->type_val_to_struct[i];
+ if (t1->flavor == TYPE_ATTRIB) {
+ is_attr = 1;
+ snprintf(tmp_buf, sizeof(tmp_buf), "%s ", policydb->p_type_val_to_name[i]);
+ strncat(*expr_buf, tmp_buf, REASON_BUF_SIZE);
+ break;
+ } else {
+ /* Don't add type names to buffer, only attributes */
+ /* snprintf(tmp_buf, sizeof(tmp_buf), "%s ", policydb->p_type_val_to_name[i]); */
+ /* strcat(*expr_buf, tmp_buf); */
+ /* Process attributes attached to this type */
+ attr = &policydb->type_attr_map[t1->s.value-1];
+
+ for (z = ebitmap_startbit(attr); z < ebitmap_length(attr); z++) {
+ if ((rc = ebitmap_get_bit(attr, z)) == 0)
+ continue;
+ t1 = policydb->type_val_to_struct[z];
+ if (t1->flavor == TYPE_ATTRIB) {
+ x = 0;
+ while (x < MAX_ATTRS) {
+ if (attr_info[x].entry == z) {
+ attr_info[x].entry = z;
+ attr_info[x].count++;
+ break;
+ }
+ if (attr_info[x].entry == 0) {
+ attr_info[x].entry = z;
+ attr_info[x].count++;
+ break;
+ }
+ x++;
+ }
+ }
+ }
+ break;
+ }
+ break;
+
+ default:
+ ERR(NULL, "Invalid u_r_t value: %d\n", type);
+ return -1;
+ break;
+ }
+ empty_set++;
+ }
+
+ /* End processing entries, now check for attributes if CEXPR_TYPE. */
+ if (empty_set == 0) {
+ strncat(*expr_buf, "<empty_set>", REASON_BUF_SIZE);
+ } else if (type == CEXPR_TYPE && is_attr == 0) {
+ strncat(*expr_buf, "# POSSIBLE_ATTRIBUTES:", REASON_BUF_SIZE);
+ for (x = 0; x < MAX_ATTRS; x++) {
+ if (attr_info[x].count == type_count) {
+ snprintf(tmp_buf, sizeof(tmp_buf), "%s ",
+ policydb->p_type_val_to_name[attr_info[x].entry]);
+ strncat(*expr_buf, tmp_buf, REASON_BUF_SIZE);
+ }
+ }
+ }
+ strncat(*expr_buf, "\n", REASON_BUF_SIZE);
+ return 0;
+}
+
+static void msgcat(char **expr_buf, char *src, char *tgt, char *rel, int failed) {
+ char tmp_buf[1024];
+ if (*expr_buf) {
+ if (failed)
+ snprintf(tmp_buf, sizeof(tmp_buf), "(%s %s %s -Fail-)\n", src, rel, tgt);
+ else
+ snprintf(tmp_buf, sizeof(tmp_buf), "(%s %s %s -Pass-)\n", src, rel, tgt);
+ strncat(*expr_buf, tmp_buf, REASON_BUF_SIZE);
+ }
+}
+
+/*
+ * Modified version of constraint_expr_eval
+ *
+ * Return the boolean value of a constraint expression
+ * when it is applied to the specified source and target
* security contexts.
*
* xcontext is a special beast... It is used by the validatetrans rules
* only. For these rules, scontext is the context before the transition,
* tcontext is the context after the transition, and xcontext is the context
* of the process performing the transition. All other callers of
- * constraint_expr_eval should pass in NULL for xcontext.
+ * constraint_expr_eval_reason should pass in NULL for xcontext.
+ *
+ * This function will also build a buffer as the constraint is processed
+ * for analysis. If this option is not required, then:
+ * 'tclass' should be '0' and expr_buf MUST be NULL.
*/
-static int constraint_expr_eval(context_struct_t * scontext,
+static int constraint_expr_eval_reason(context_struct_t * scontext,
context_struct_t * tcontext,
context_struct_t * xcontext,
- constraint_expr_t * cexpr)
+ sepol_security_class_t tclass,
+ constraint_node_t *constraint,
+ char ** expr_buf)
{
uint32_t val1, val2;
context_struct_t *c;
@@ -135,56 +340,112 @@ static int constraint_expr_eval(context_struct_t * scontext,
int s[CEXPR_MAXDEPTH];
int sp = -1;
- for (e = cexpr; e; e = e->next) {
+ char tmp_buf[1024];
+
+/*
+ * Define the s_t_x_num values that make up r1, t2 etc. in text strings
+ * Set 1 = source, 2 = target, 3 = xcontext for validatetrans
+ */
+#define SOURCE 1
+#define TARGET 2
+#define XTARGET 3
+
+ int s_t_x_num = SOURCE;
+ int rc = 0;
+ /* Set 0 = fail, u = CEXPR_USER, r = CEXPR_ROLE, t = CEXPR_TYPE */
+ int u_r_t = 0;
+
+ char *name1, *name2;
+ char *src=NULL;
+ char *tgt=NULL;
+
+ if (*expr_buf) {
+ /* Get constraint statement type */
+ strncpy(tmp_buf, "constrain ", sizeof(tmp_buf));
+ for (e = constraint->expr; e; e = e->next) {
+ if (e->attr >= CEXPR_L1L2) {
+ strncpy(tmp_buf, "mlsconstrain ", sizeof(tmp_buf));
+ break;
+ }
+ }
+ strncat(*expr_buf, tmp_buf, REASON_BUF_SIZE);
+
+ /* Get class entry */
+ snprintf(tmp_buf, sizeof(tmp_buf), "%s ", policydb->p_class_val_to_name[tclass - 1]);
+ strncat(*expr_buf, tmp_buf, REASON_BUF_SIZE);
+
+ /* Get permission entries from the constraint node. */
+ snprintf(tmp_buf, sizeof(tmp_buf), "{%s } (", sepol_av_to_string(policydb, tclass,
+ constraint->permissions));
+ strncat(*expr_buf, tmp_buf, REASON_BUF_SIZE);
+ }
+
+ /* Original function but with buffer support */
+ for (e = constraint->expr; e; e = e->next) {
switch (e->expr_type) {
case CEXPR_NOT:
BUG_ON(sp < 0);
s[sp] = !s[sp];
+ if (*expr_buf)
+ strncat(*expr_buf, " not ", REASON_BUF_SIZE);
break;
case CEXPR_AND:
BUG_ON(sp < 1);
sp--;
s[sp] &= s[sp + 1];
+ if (*expr_buf)
+ strncat(*expr_buf, " and ", REASON_BUF_SIZE);
break;
case CEXPR_OR:
BUG_ON(sp < 1);
sp--;
s[sp] |= s[sp + 1];
+ if (*expr_buf)
+ strncat(*expr_buf, " or ", REASON_BUF_SIZE);
break;
case CEXPR_ATTR:
if (sp == (CEXPR_MAXDEPTH - 1))
- return 0;
+ goto out;
+
switch (e->attr) {
case CEXPR_USER:
val1 = scontext->user;
val2 = tcontext->user;
+ free(src); src = strdup("u1");
+ free(tgt); tgt = strdup("u2");
break;
case CEXPR_TYPE:
val1 = scontext->type;
val2 = tcontext->type;
+ free(src); src = strdup("t1");
+ free(tgt); tgt = strdup("t2");
break;
case CEXPR_ROLE:
val1 = scontext->role;
val2 = tcontext->role;
r1 = policydb->role_val_to_struct[val1 - 1];
r2 = policydb->role_val_to_struct[val2 - 1];
+ if (*expr_buf) {
+ name1 = policydb->p_role_val_to_name[r1->s.value - 1];
+ name2 = policydb->p_role_val_to_name[r2->s.value - 1];
+ snprintf(tmp_buf,sizeof(tmp_buf), "r1-%s", name1);
+ free(src); src = strdup(tmp_buf);
+ snprintf(tmp_buf,sizeof(tmp_buf), "r2-%s ", name2);
+ free(tgt); tgt = strdup(tmp_buf);
+ }
switch (e->op) {
case CEXPR_DOM:
- s[++sp] =
- ebitmap_get_bit(&r1->dominates,
- val2 - 1);
+ s[++sp] = ebitmap_get_bit(&r1->dominates, val2 - 1);
+ msgcat(expr_buf, src, tgt, "dom", s[sp] == 0);
continue;
case CEXPR_DOMBY:
- s[++sp] =
- ebitmap_get_bit(&r2->dominates,
- val1 - 1);
+ s[++sp] = ebitmap_get_bit(&r2->dominates, val1 - 1);
+ msgcat(expr_buf, src, tgt, "domby", s[sp] == 0);
continue;
case CEXPR_INCOMP:
- s[++sp] =
- (!ebitmap_get_bit
- (&r1->dominates, val2 - 1)
- && !ebitmap_get_bit(&r2->dominates,
- val1 - 1));
+ s[++sp] = (!ebitmap_get_bit(&r1->dominates, val2 - 1)
+ && !ebitmap_get_bit(&r2->dominates, val1 - 1));
+ msgcat(expr_buf, src, tgt, "incomp", s[sp] == 0);
continue;
default:
break;
@@ -193,112 +454,203 @@ static int constraint_expr_eval(context_struct_t * scontext,
case CEXPR_L1L2:
l1 = &(scontext->range.level[0]);
l2 = &(tcontext->range.level[0]);
+ free(src); src = strdup("l1");
+ free(tgt); tgt = strdup("l2");
goto mls_ops;
case CEXPR_L1H2:
l1 = &(scontext->range.level[0]);
l2 = &(tcontext->range.level[1]);
+ free(src); src = strdup("l1");
+ free(tgt); tgt = strdup("h2");
goto mls_ops;
case CEXPR_H1L2:
l1 = &(scontext->range.level[1]);
l2 = &(tcontext->range.level[0]);
+ free(src); src = strdup("h1");
+ free(tgt); tgt = strdup("L2");
goto mls_ops;
case CEXPR_H1H2:
l1 = &(scontext->range.level[1]);
l2 = &(tcontext->range.level[1]);
+ free(src); src = strdup("h1");
+ free(tgt); tgt = strdup("h2");
goto mls_ops;
case CEXPR_L1H1:
l1 = &(scontext->range.level[0]);
l2 = &(scontext->range.level[1]);
+ free(src); src = strdup("l1");
+ free(tgt); tgt = strdup("h1");
goto mls_ops;
case CEXPR_L2H2:
l1 = &(tcontext->range.level[0]);
l2 = &(tcontext->range.level[1]);
- goto mls_ops;
- mls_ops:
+ free(src); src = strdup("l2");
+ free(tgt); tgt = strdup("h2");
+ mls_ops:
switch (e->op) {
case CEXPR_EQ:
s[++sp] = mls_level_eq(l1, l2);
+ msgcat(expr_buf, src, tgt, "eq", s[sp] == 0);
continue;
case CEXPR_NEQ:
s[++sp] = !mls_level_eq(l1, l2);
+ msgcat(expr_buf, src, tgt, "neq", s[sp] == 0);
continue;
case CEXPR_DOM:
s[++sp] = mls_level_dom(l1, l2);
+ msgcat(expr_buf, src, tgt, "dom", s[sp] == 0);
continue;
case CEXPR_DOMBY:
s[++sp] = mls_level_dom(l2, l1);
+ msgcat(expr_buf, src, tgt, "domby", s[sp] == 0);
continue;
case CEXPR_INCOMP:
s[++sp] = mls_level_incomp(l2, l1);
+ msgcat(expr_buf, src, tgt, "incomp", s[sp] == 0);
continue;
default:
BUG();
- return 0;
+ goto out;
}
break;
default:
BUG();
- return 0;
+ goto out;
}
switch (e->op) {
case CEXPR_EQ:
s[++sp] = (val1 == val2);
+ msgcat(expr_buf, src, tgt, "eq", s[sp] == 0);
break;
case CEXPR_NEQ:
s[++sp] = (val1 != val2);
+ msgcat(expr_buf, src, tgt, "neq", s[sp] == 0);
break;
default:
BUG();
- return 0;
+ goto out;
}
break;
case CEXPR_NAMES:
if (sp == (CEXPR_MAXDEPTH - 1))
- return 0;
+ goto out;
+ s_t_x_num = SOURCE;
c = scontext;
- if (e->attr & CEXPR_TARGET)
+ if (e->attr & CEXPR_TARGET) {
+ s_t_x_num = TARGET;
c = tcontext;
- else if (e->attr & CEXPR_XTARGET) {
+ } else if (e->attr & CEXPR_XTARGET) {
+ s_t_x_num = XTARGET;
c = xcontext;
- if (!c) {
- BUG();
- return 0;
- }
}
- if (e->attr & CEXPR_USER)
+ if (!c) {
+ BUG();
+ goto out;
+ }
+ if (e->attr & CEXPR_USER) {
+ u_r_t = CEXPR_USER;
val1 = c->user;
- else if (e->attr & CEXPR_ROLE)
+ if (*expr_buf) {
+ name1 = policydb->p_user_val_to_name[val1 - 1];
+ snprintf(tmp_buf,sizeof(tmp_buf), "u%d=%s ", s_t_x_num, name1);
+ free(src); src = strdup(tmp_buf);
+ }
+ }
+ else if (e->attr & CEXPR_ROLE) {
+ u_r_t = CEXPR_ROLE;
val1 = c->role;
- else if (e->attr & CEXPR_TYPE)
+ if (*expr_buf) {
+ name1 = policydb->p_role_val_to_name[val1 - 1];
+ snprintf(tmp_buf,sizeof(tmp_buf), "r%d=%s ", s_t_x_num, name1);
+ free(src); src = strdup(tmp_buf);
+ }
+ }
+ else if (e->attr & CEXPR_TYPE) {
+ u_r_t = CEXPR_TYPE;
val1 = c->type;
+ if (*expr_buf) {
+ name1 = policydb->p_type_val_to_name[val1 - 1];
+ snprintf(tmp_buf,sizeof(tmp_buf), "t%d=%s ", s_t_x_num, name1);
+ free(src); src = strdup(tmp_buf);
+ }
+ }
else {
BUG();
- return 0;
+ goto out;
}
switch (e->op) {
case CEXPR_EQ:
+ switch (u_r_t) {
+ case CEXPR_USER:
+ name1 = policydb->p_user_val_to_name[val1 - 1];
+ break;
+ case CEXPR_ROLE:
+ name1 = policydb->p_role_val_to_name[val1 - 1];
+ break;
+ case CEXPR_TYPE:
+ name1 = policydb->p_type_val_to_name[val1 - 1];
+ break;
+ default:
+ name1 = NULL;
+ ERR(NULL, "unrecognized u_r_t Value: %d", u_r_t);
+ break;
+ }
+
s[++sp] = ebitmap_get_bit(&e->names, val1 - 1);
+ free(tgt); tgt=strdup("ATTRIBUTE");
+ msgcat(expr_buf, src, tgt, "neq", s[sp] == 0);
+ if (s[sp] == 0) {
+ get_names_list(&e->names, u_r_t, expr_buf);
+ }
break;
+
case CEXPR_NEQ:
+ switch (u_r_t) {
+ case CEXPR_USER:
+ name1 = policydb->p_user_val_to_name[val1 - 1];
+ break;
+ case CEXPR_ROLE:
+ name1 = policydb->p_role_val_to_name[val1 - 1];
+ break;
+ case CEXPR_TYPE:
+ name1 = policydb->p_type_val_to_name[val1 - 1];
+ break;
+ default:
+ name1 = NULL;
+ ERR(NULL, "unrecognized u_r_t Value: %d", u_r_t);
+ break;
+ }
+
s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1);
+ free(tgt); tgt=strdup("ATTRIBUTE");
+ msgcat(expr_buf, src, tgt, "neq", s[sp] == 0);
+ get_names_list(&e->names, u_r_t, expr_buf);
break;
default:
BUG();
- return 0;
+ goto out;
}
break;
default:
BUG();
- return 0;
+ goto out;
}
}
+ if (*expr_buf)
+ strncat(*expr_buf, ")", REASON_BUF_SIZE);
+ rc = s[0];
+
+out:
+ free(src);
+ free(tgt);
BUG_ON(sp != 0);
- return s[0];
+ return rc;
}
+
/*
* Compute access vectors based on a context structure pair for
* the permissions in a particular class.
@@ -308,7 +660,8 @@ static int context_struct_compute_av(context_struct_t * scontext,
sepol_security_class_t tclass,
sepol_access_vector_t requested,
struct sepol_av_decision *avd,
- unsigned int *reason)
+ unsigned int *reason,
+ char *expr_buf)
{
constraint_node_t *constraint;
struct role_allow *ra;
@@ -383,8 +736,8 @@ static int context_struct_compute_av(context_struct_t * scontext,
constraint = tclass_datum->constraints;
while (constraint) {
if ((constraint->permissions & (avd->allowed)) &&
- !constraint_expr_eval(scontext, tcontext, NULL,
- constraint->expr)) {
+ !constraint_expr_eval_reason(scontext, tcontext, NULL,
+ tclass, constraint, &expr_buf)) {
avd->allowed =
(avd->allowed) & ~(constraint->permissions);
}
@@ -459,8 +812,8 @@ int hidden sepol_validate_transition(sepol_security_id_t oldsid,
constraint = tclass_datum->validatetrans;
while (constraint) {
- if (!constraint_expr_eval(ocontext, ncontext, tcontext,
- constraint->expr)) {
+ if (!constraint_expr_eval_reason(ocontext, ncontext, tcontext,
+ 0, constraint, NULL)) {
return -EPERM;
}
constraint = constraint->next;
@@ -493,11 +846,57 @@ int hidden sepol_compute_av_reason(sepol_security_id_t ssid,
}
rc = context_struct_compute_av(scontext, tcontext, tclass,
- requested, avd, reason);
+ requested, avd, reason, NULL);
out:
return rc;
}
+/*
+ * sepol_compute_av_reason_buffer - the reason buffer is malloc'd
+ * to REASON_BUF_SIZE that seems okay for the Reference Policy.
+ * TODO manage size using realloc at some stage.
+ */
+int hidden sepol_compute_av_reason_buffer(sepol_security_id_t ssid,
+ sepol_security_id_t tsid,
+ sepol_security_class_t tclass,
+ sepol_access_vector_t requested,
+ struct sepol_av_decision *avd,
+ unsigned int *reason,
+ char **reason_buf)
+{
+ char *expr_buf = NULL;
+
+ expr_buf = malloc(REASON_BUF_SIZE);
+ if (!expr_buf) {
+ ERR(NULL, "malloc failed to allocate constraint reason buffer");
+ return -ENOMEM;
+ }
+ bzero(expr_buf, REASON_BUF_SIZE);
+
+ context_struct_t *scontext = 0, *tcontext = 0;
+ int rc = 0;
+
+ scontext = sepol_sidtab_search(sidtab, ssid);
+ if (!scontext) {
+ ERR(NULL, "unrecognized SID %d", ssid);
+ rc = -EINVAL;
+ goto out;
+ }
+ tcontext = sepol_sidtab_search(sidtab, tsid);
+ if (!tcontext) {
+ ERR(NULL, "unrecognized SID %d", tsid);
+ rc = -EINVAL;
+ goto out;
+ }
+
+ rc = context_struct_compute_av(scontext, tcontext, tclass,
+ requested, avd, reason, expr_buf);
+ *reason_buf = expr_buf;
+
+ out:
+ return rc;
+}
+
int hidden sepol_compute_av(sepol_security_id_t ssid,
sepol_security_id_t tsid,
sepol_security_class_t tclass,
@@ -510,6 +909,66 @@ int hidden sepol_compute_av(sepol_security_id_t ssid,
}
/*
+ * Return a class ID associated with the class string specified by
+ * class_name.
+ */
+int hidden sepol_class_name_to_id(const char *class_name,
+ sepol_security_class_t *tclass)
+{
+ char *class = NULL;
+ sepol_security_class_t id;
+
+ for (id = 1; ; id++) {
+ if ((class = policydb->p_class_val_to_name[id - 1]) == NULL) {
+ ERR(NULL, "could not convert %s to class id", class_name);
+ return STATUS_ERR;
+ }
+ if ((strcmp(class, class_name)) == 0) {
+ *tclass = id;
+ return STATUS_SUCCESS;
+ }
+ }
+}
+
+/*
+ * Return access vector bit associated with the class ID and permission
+ * string.
+ */
+int hidden sepol_perm_name_to_av(sepol_security_class_t tclass,
+ const char *perm_name,
+ sepol_access_vector_t *av)
+{
+ class_datum_t *tclass_datum;
+ perm_datum_t *perm_datum;
+
+ if (!tclass || tclass > policydb->p_classes.nprim) {
+ ERR(NULL, "unrecognized class %d", tclass);
+ return -EINVAL;
+ }
+ tclass_datum = policydb->class_val_to_struct[tclass - 1];
+
+ /* Check for unique perms then the common ones */
+ perm_datum = (perm_datum_t *)
+ hashtab_search(tclass_datum->permissions.table,
+ (hashtab_key_t)perm_name);
+ if (perm_datum != NULL) {
+ *av = 0x1 << (perm_datum->s.value - 1);
+ return STATUS_SUCCESS;
+ }
+
+ perm_datum = (perm_datum_t *)
+ hashtab_search(tclass_datum->comdatum->permissions.table,
+ (hashtab_key_t)perm_name);
+ if (perm_datum != NULL) {
+ *av = 0x1 << (perm_datum->s.value - 1);
+ return STATUS_SUCCESS;
+ }
+
+ ERR(NULL, "could not convert %s to av bit", perm_name);
+ return STATUS_ERR;
+}
+
+/*
* Write the security context string representation of
* the context associated with `sid' into a dynamically
* allocated string of the correct size. Set `*scontext'
@@ -1337,7 +1796,7 @@ int hidden sepol_get_user_sids(sepol_security_id_t fromsid,
rc = context_struct_compute_av(fromcon, &usercon,
SECCLASS_PROCESS,
PROCESS__TRANSITION,
- &avd, &reason);
+ &avd, &reason, NULL);
if (rc || !(avd.allowed & PROCESS__TRANSITION))
continue;
rc = sepol_sidtab_context_to_sid(sidtab, &usercon,