xref: /openbmc/linux/security/selinux/ss/policydb.c (revision 15e3ae36)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Implementation of the policy database.
4  *
5  * Author : Stephen Smalley, <sds@tycho.nsa.gov>
6  */
7 
8 /*
9  * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
10  *
11  *	Support for enhanced MLS infrastructure.
12  *
13  * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
14  *
15  *	Added conditional policy language extensions
16  *
17  * Updated: Hewlett-Packard <paul@paul-moore.com>
18  *
19  *      Added support for the policy capability bitmap
20  *
21  * Update: Mellanox Techonologies
22  *
23  *	Added Infiniband support
24  *
25  * Copyright (C) 2016 Mellanox Techonologies
26  * Copyright (C) 2007 Hewlett-Packard Development Company, L.P.
27  * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
28  * Copyright (C) 2003 - 2004 Tresys Technology, LLC
29  */
30 
31 #include <linux/kernel.h>
32 #include <linux/sched.h>
33 #include <linux/slab.h>
34 #include <linux/string.h>
35 #include <linux/errno.h>
36 #include <linux/audit.h>
37 #include "security.h"
38 
39 #include "policydb.h"
40 #include "conditional.h"
41 #include "mls.h"
42 #include "services.h"
43 
44 #define _DEBUG_HASHES
45 
46 #ifdef DEBUG_HASHES
47 static const char *symtab_name[SYM_NUM] = {
48 	"common prefixes",
49 	"classes",
50 	"roles",
51 	"types",
52 	"users",
53 	"bools",
54 	"levels",
55 	"categories",
56 };
57 #endif
58 
59 struct policydb_compat_info {
60 	int version;
61 	int sym_num;
62 	int ocon_num;
63 };
64 
65 /* These need to be updated if SYM_NUM or OCON_NUM changes */
66 static struct policydb_compat_info policydb_compat[] = {
67 	{
68 		.version	= POLICYDB_VERSION_BASE,
69 		.sym_num	= SYM_NUM - 3,
70 		.ocon_num	= OCON_NUM - 3,
71 	},
72 	{
73 		.version	= POLICYDB_VERSION_BOOL,
74 		.sym_num	= SYM_NUM - 2,
75 		.ocon_num	= OCON_NUM - 3,
76 	},
77 	{
78 		.version	= POLICYDB_VERSION_IPV6,
79 		.sym_num	= SYM_NUM - 2,
80 		.ocon_num	= OCON_NUM - 2,
81 	},
82 	{
83 		.version	= POLICYDB_VERSION_NLCLASS,
84 		.sym_num	= SYM_NUM - 2,
85 		.ocon_num	= OCON_NUM - 2,
86 	},
87 	{
88 		.version	= POLICYDB_VERSION_MLS,
89 		.sym_num	= SYM_NUM,
90 		.ocon_num	= OCON_NUM - 2,
91 	},
92 	{
93 		.version	= POLICYDB_VERSION_AVTAB,
94 		.sym_num	= SYM_NUM,
95 		.ocon_num	= OCON_NUM - 2,
96 	},
97 	{
98 		.version	= POLICYDB_VERSION_RANGETRANS,
99 		.sym_num	= SYM_NUM,
100 		.ocon_num	= OCON_NUM - 2,
101 	},
102 	{
103 		.version	= POLICYDB_VERSION_POLCAP,
104 		.sym_num	= SYM_NUM,
105 		.ocon_num	= OCON_NUM - 2,
106 	},
107 	{
108 		.version	= POLICYDB_VERSION_PERMISSIVE,
109 		.sym_num	= SYM_NUM,
110 		.ocon_num	= OCON_NUM - 2,
111 	},
112 	{
113 		.version	= POLICYDB_VERSION_BOUNDARY,
114 		.sym_num	= SYM_NUM,
115 		.ocon_num	= OCON_NUM - 2,
116 	},
117 	{
118 		.version	= POLICYDB_VERSION_FILENAME_TRANS,
119 		.sym_num	= SYM_NUM,
120 		.ocon_num	= OCON_NUM - 2,
121 	},
122 	{
123 		.version	= POLICYDB_VERSION_ROLETRANS,
124 		.sym_num	= SYM_NUM,
125 		.ocon_num	= OCON_NUM - 2,
126 	},
127 	{
128 		.version	= POLICYDB_VERSION_NEW_OBJECT_DEFAULTS,
129 		.sym_num	= SYM_NUM,
130 		.ocon_num	= OCON_NUM - 2,
131 	},
132 	{
133 		.version	= POLICYDB_VERSION_DEFAULT_TYPE,
134 		.sym_num	= SYM_NUM,
135 		.ocon_num	= OCON_NUM - 2,
136 	},
137 	{
138 		.version	= POLICYDB_VERSION_CONSTRAINT_NAMES,
139 		.sym_num	= SYM_NUM,
140 		.ocon_num	= OCON_NUM - 2,
141 	},
142 	{
143 		.version	= POLICYDB_VERSION_XPERMS_IOCTL,
144 		.sym_num	= SYM_NUM,
145 		.ocon_num	= OCON_NUM - 2,
146 	},
147 	{
148 		.version	= POLICYDB_VERSION_INFINIBAND,
149 		.sym_num	= SYM_NUM,
150 		.ocon_num	= OCON_NUM,
151 	},
152 	{
153 		.version	= POLICYDB_VERSION_GLBLUB,
154 		.sym_num	= SYM_NUM,
155 		.ocon_num	= OCON_NUM,
156 	},
157 };
158 
159 static struct policydb_compat_info *policydb_lookup_compat(int version)
160 {
161 	int i;
162 	struct policydb_compat_info *info = NULL;
163 
164 	for (i = 0; i < ARRAY_SIZE(policydb_compat); i++) {
165 		if (policydb_compat[i].version == version) {
166 			info = &policydb_compat[i];
167 			break;
168 		}
169 	}
170 	return info;
171 }
172 
173 /*
174  * The following *_destroy functions are used to
175  * free any memory allocated for each kind of
176  * symbol data in the policy database.
177  */
178 
179 static int perm_destroy(void *key, void *datum, void *p)
180 {
181 	kfree(key);
182 	kfree(datum);
183 	return 0;
184 }
185 
186 static int common_destroy(void *key, void *datum, void *p)
187 {
188 	struct common_datum *comdatum;
189 
190 	kfree(key);
191 	if (datum) {
192 		comdatum = datum;
193 		hashtab_map(comdatum->permissions.table, perm_destroy, NULL);
194 		hashtab_destroy(comdatum->permissions.table);
195 	}
196 	kfree(datum);
197 	return 0;
198 }
199 
200 static void constraint_expr_destroy(struct constraint_expr *expr)
201 {
202 	if (expr) {
203 		ebitmap_destroy(&expr->names);
204 		if (expr->type_names) {
205 			ebitmap_destroy(&expr->type_names->types);
206 			ebitmap_destroy(&expr->type_names->negset);
207 			kfree(expr->type_names);
208 		}
209 		kfree(expr);
210 	}
211 }
212 
213 static int cls_destroy(void *key, void *datum, void *p)
214 {
215 	struct class_datum *cladatum;
216 	struct constraint_node *constraint, *ctemp;
217 	struct constraint_expr *e, *etmp;
218 
219 	kfree(key);
220 	if (datum) {
221 		cladatum = datum;
222 		hashtab_map(cladatum->permissions.table, perm_destroy, NULL);
223 		hashtab_destroy(cladatum->permissions.table);
224 		constraint = cladatum->constraints;
225 		while (constraint) {
226 			e = constraint->expr;
227 			while (e) {
228 				etmp = e;
229 				e = e->next;
230 				constraint_expr_destroy(etmp);
231 			}
232 			ctemp = constraint;
233 			constraint = constraint->next;
234 			kfree(ctemp);
235 		}
236 
237 		constraint = cladatum->validatetrans;
238 		while (constraint) {
239 			e = constraint->expr;
240 			while (e) {
241 				etmp = e;
242 				e = e->next;
243 				constraint_expr_destroy(etmp);
244 			}
245 			ctemp = constraint;
246 			constraint = constraint->next;
247 			kfree(ctemp);
248 		}
249 		kfree(cladatum->comkey);
250 	}
251 	kfree(datum);
252 	return 0;
253 }
254 
255 static int role_destroy(void *key, void *datum, void *p)
256 {
257 	struct role_datum *role;
258 
259 	kfree(key);
260 	if (datum) {
261 		role = datum;
262 		ebitmap_destroy(&role->dominates);
263 		ebitmap_destroy(&role->types);
264 	}
265 	kfree(datum);
266 	return 0;
267 }
268 
269 static int type_destroy(void *key, void *datum, void *p)
270 {
271 	kfree(key);
272 	kfree(datum);
273 	return 0;
274 }
275 
276 static int user_destroy(void *key, void *datum, void *p)
277 {
278 	struct user_datum *usrdatum;
279 
280 	kfree(key);
281 	if (datum) {
282 		usrdatum = datum;
283 		ebitmap_destroy(&usrdatum->roles);
284 		ebitmap_destroy(&usrdatum->range.level[0].cat);
285 		ebitmap_destroy(&usrdatum->range.level[1].cat);
286 		ebitmap_destroy(&usrdatum->dfltlevel.cat);
287 	}
288 	kfree(datum);
289 	return 0;
290 }
291 
292 static int sens_destroy(void *key, void *datum, void *p)
293 {
294 	struct level_datum *levdatum;
295 
296 	kfree(key);
297 	if (datum) {
298 		levdatum = datum;
299 		if (levdatum->level)
300 			ebitmap_destroy(&levdatum->level->cat);
301 		kfree(levdatum->level);
302 	}
303 	kfree(datum);
304 	return 0;
305 }
306 
307 static int cat_destroy(void *key, void *datum, void *p)
308 {
309 	kfree(key);
310 	kfree(datum);
311 	return 0;
312 }
313 
314 static int (*destroy_f[SYM_NUM]) (void *key, void *datum, void *datap) =
315 {
316 	common_destroy,
317 	cls_destroy,
318 	role_destroy,
319 	type_destroy,
320 	user_destroy,
321 	cond_destroy_bool,
322 	sens_destroy,
323 	cat_destroy,
324 };
325 
326 static int filenametr_destroy(void *key, void *datum, void *p)
327 {
328 	struct filename_trans_key *ft = key;
329 	struct filename_trans_datum *next, *d = datum;
330 
331 	kfree(ft->name);
332 	kfree(key);
333 	do {
334 		ebitmap_destroy(&d->stypes);
335 		next = d->next;
336 		kfree(d);
337 		d = next;
338 	} while (unlikely(d));
339 	cond_resched();
340 	return 0;
341 }
342 
343 static int range_tr_destroy(void *key, void *datum, void *p)
344 {
345 	struct mls_range *rt = datum;
346 
347 	kfree(key);
348 	ebitmap_destroy(&rt->level[0].cat);
349 	ebitmap_destroy(&rt->level[1].cat);
350 	kfree(datum);
351 	cond_resched();
352 	return 0;
353 }
354 
355 static void ocontext_destroy(struct ocontext *c, int i)
356 {
357 	if (!c)
358 		return;
359 
360 	context_destroy(&c->context[0]);
361 	context_destroy(&c->context[1]);
362 	if (i == OCON_ISID || i == OCON_FS ||
363 	    i == OCON_NETIF || i == OCON_FSUSE)
364 		kfree(c->u.name);
365 	kfree(c);
366 }
367 
368 /*
369  * Initialize the role table.
370  */
371 static int roles_init(struct policydb *p)
372 {
373 	char *key = NULL;
374 	int rc;
375 	struct role_datum *role;
376 
377 	role = kzalloc(sizeof(*role), GFP_KERNEL);
378 	if (!role)
379 		return -ENOMEM;
380 
381 	rc = -EINVAL;
382 	role->value = ++p->p_roles.nprim;
383 	if (role->value != OBJECT_R_VAL)
384 		goto out;
385 
386 	rc = -ENOMEM;
387 	key = kstrdup(OBJECT_R, GFP_KERNEL);
388 	if (!key)
389 		goto out;
390 
391 	rc = hashtab_insert(p->p_roles.table, key, role);
392 	if (rc)
393 		goto out;
394 
395 	return 0;
396 out:
397 	kfree(key);
398 	kfree(role);
399 	return rc;
400 }
401 
402 static u32 filenametr_hash(struct hashtab *h, const void *k)
403 {
404 	const struct filename_trans_key *ft = k;
405 	unsigned long hash;
406 	unsigned int byte_num;
407 	unsigned char focus;
408 
409 	hash = ft->ttype ^ ft->tclass;
410 
411 	byte_num = 0;
412 	while ((focus = ft->name[byte_num++]))
413 		hash = partial_name_hash(focus, hash);
414 	return hash & (h->size - 1);
415 }
416 
417 static int filenametr_cmp(struct hashtab *h, const void *k1, const void *k2)
418 {
419 	const struct filename_trans_key *ft1 = k1;
420 	const struct filename_trans_key *ft2 = k2;
421 	int v;
422 
423 	v = ft1->ttype - ft2->ttype;
424 	if (v)
425 		return v;
426 
427 	v = ft1->tclass - ft2->tclass;
428 	if (v)
429 		return v;
430 
431 	return strcmp(ft1->name, ft2->name);
432 
433 }
434 
435 static u32 rangetr_hash(struct hashtab *h, const void *k)
436 {
437 	const struct range_trans *key = k;
438 
439 	return (key->source_type + (key->target_type << 3) +
440 		(key->target_class << 5)) & (h->size - 1);
441 }
442 
443 static int rangetr_cmp(struct hashtab *h, const void *k1, const void *k2)
444 {
445 	const struct range_trans *key1 = k1, *key2 = k2;
446 	int v;
447 
448 	v = key1->source_type - key2->source_type;
449 	if (v)
450 		return v;
451 
452 	v = key1->target_type - key2->target_type;
453 	if (v)
454 		return v;
455 
456 	v = key1->target_class - key2->target_class;
457 
458 	return v;
459 }
460 
461 /*
462  * Initialize a policy database structure.
463  */
464 static int policydb_init(struct policydb *p)
465 {
466 	memset(p, 0, sizeof(*p));
467 
468 	avtab_init(&p->te_avtab);
469 	cond_policydb_init(p);
470 
471 	p->filename_trans = hashtab_create(filenametr_hash, filenametr_cmp,
472 					   (1 << 11));
473 	if (!p->filename_trans)
474 		return -ENOMEM;
475 
476 	ebitmap_init(&p->filename_trans_ttypes);
477 	ebitmap_init(&p->policycaps);
478 	ebitmap_init(&p->permissive_map);
479 
480 	return 0;
481 }
482 
483 /*
484  * The following *_index functions are used to
485  * define the val_to_name and val_to_struct arrays
486  * in a policy database structure.  The val_to_name
487  * arrays are used when converting security context
488  * structures into string representations.  The
489  * val_to_struct arrays are used when the attributes
490  * of a class, role, or user are needed.
491  */
492 
493 static int common_index(void *key, void *datum, void *datap)
494 {
495 	struct policydb *p;
496 	struct common_datum *comdatum;
497 
498 	comdatum = datum;
499 	p = datap;
500 	if (!comdatum->value || comdatum->value > p->p_commons.nprim)
501 		return -EINVAL;
502 
503 	p->sym_val_to_name[SYM_COMMONS][comdatum->value - 1] = key;
504 
505 	return 0;
506 }
507 
508 static int class_index(void *key, void *datum, void *datap)
509 {
510 	struct policydb *p;
511 	struct class_datum *cladatum;
512 
513 	cladatum = datum;
514 	p = datap;
515 	if (!cladatum->value || cladatum->value > p->p_classes.nprim)
516 		return -EINVAL;
517 
518 	p->sym_val_to_name[SYM_CLASSES][cladatum->value - 1] = key;
519 	p->class_val_to_struct[cladatum->value - 1] = cladatum;
520 	return 0;
521 }
522 
523 static int role_index(void *key, void *datum, void *datap)
524 {
525 	struct policydb *p;
526 	struct role_datum *role;
527 
528 	role = datum;
529 	p = datap;
530 	if (!role->value
531 	    || role->value > p->p_roles.nprim
532 	    || role->bounds > p->p_roles.nprim)
533 		return -EINVAL;
534 
535 	p->sym_val_to_name[SYM_ROLES][role->value - 1] = key;
536 	p->role_val_to_struct[role->value - 1] = role;
537 	return 0;
538 }
539 
540 static int type_index(void *key, void *datum, void *datap)
541 {
542 	struct policydb *p;
543 	struct type_datum *typdatum;
544 
545 	typdatum = datum;
546 	p = datap;
547 
548 	if (typdatum->primary) {
549 		if (!typdatum->value
550 		    || typdatum->value > p->p_types.nprim
551 		    || typdatum->bounds > p->p_types.nprim)
552 			return -EINVAL;
553 		p->sym_val_to_name[SYM_TYPES][typdatum->value - 1] = key;
554 		p->type_val_to_struct[typdatum->value - 1] = typdatum;
555 	}
556 
557 	return 0;
558 }
559 
560 static int user_index(void *key, void *datum, void *datap)
561 {
562 	struct policydb *p;
563 	struct user_datum *usrdatum;
564 
565 	usrdatum = datum;
566 	p = datap;
567 	if (!usrdatum->value
568 	    || usrdatum->value > p->p_users.nprim
569 	    || usrdatum->bounds > p->p_users.nprim)
570 		return -EINVAL;
571 
572 	p->sym_val_to_name[SYM_USERS][usrdatum->value - 1] = key;
573 	p->user_val_to_struct[usrdatum->value - 1] = usrdatum;
574 	return 0;
575 }
576 
577 static int sens_index(void *key, void *datum, void *datap)
578 {
579 	struct policydb *p;
580 	struct level_datum *levdatum;
581 
582 	levdatum = datum;
583 	p = datap;
584 
585 	if (!levdatum->isalias) {
586 		if (!levdatum->level->sens ||
587 		    levdatum->level->sens > p->p_levels.nprim)
588 			return -EINVAL;
589 
590 		p->sym_val_to_name[SYM_LEVELS][levdatum->level->sens - 1] = key;
591 	}
592 
593 	return 0;
594 }
595 
596 static int cat_index(void *key, void *datum, void *datap)
597 {
598 	struct policydb *p;
599 	struct cat_datum *catdatum;
600 
601 	catdatum = datum;
602 	p = datap;
603 
604 	if (!catdatum->isalias) {
605 		if (!catdatum->value || catdatum->value > p->p_cats.nprim)
606 			return -EINVAL;
607 
608 		p->sym_val_to_name[SYM_CATS][catdatum->value - 1] = key;
609 	}
610 
611 	return 0;
612 }
613 
614 static int (*index_f[SYM_NUM]) (void *key, void *datum, void *datap) =
615 {
616 	common_index,
617 	class_index,
618 	role_index,
619 	type_index,
620 	user_index,
621 	cond_index_bool,
622 	sens_index,
623 	cat_index,
624 };
625 
626 #ifdef DEBUG_HASHES
627 static void hash_eval(struct hashtab *h, const char *hash_name)
628 {
629 	struct hashtab_info info;
630 
631 	hashtab_stat(h, &info);
632 	pr_debug("SELinux: %s:  %d entries and %d/%d buckets used, longest chain length %d\n",
633 		 hash_name, h->nel, info.slots_used, h->size,
634 		 info.max_chain_len);
635 }
636 
637 static void symtab_hash_eval(struct symtab *s)
638 {
639 	int i;
640 
641 	for (i = 0; i < SYM_NUM; i++)
642 		hash_eval(s[i].table, symtab_name[i]);
643 }
644 
645 #else
646 static inline void hash_eval(struct hashtab *h, char *hash_name)
647 {
648 }
649 #endif
650 
651 /*
652  * Define the other val_to_name and val_to_struct arrays
653  * in a policy database structure.
654  *
655  * Caller must clean up on failure.
656  */
657 static int policydb_index(struct policydb *p)
658 {
659 	int i, rc;
660 
661 	if (p->mls_enabled)
662 		pr_debug("SELinux:  %d users, %d roles, %d types, %d bools, %d sens, %d cats\n",
663 			 p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim,
664 			 p->p_bools.nprim, p->p_levels.nprim, p->p_cats.nprim);
665 	else
666 		pr_debug("SELinux:  %d users, %d roles, %d types, %d bools\n",
667 			 p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim,
668 			 p->p_bools.nprim);
669 
670 	pr_debug("SELinux:  %d classes, %d rules\n",
671 		 p->p_classes.nprim, p->te_avtab.nel);
672 
673 #ifdef DEBUG_HASHES
674 	avtab_hash_eval(&p->te_avtab, "rules");
675 	symtab_hash_eval(p->symtab);
676 #endif
677 
678 	p->class_val_to_struct = kcalloc(p->p_classes.nprim,
679 					 sizeof(*p->class_val_to_struct),
680 					 GFP_KERNEL);
681 	if (!p->class_val_to_struct)
682 		return -ENOMEM;
683 
684 	p->role_val_to_struct = kcalloc(p->p_roles.nprim,
685 					sizeof(*p->role_val_to_struct),
686 					GFP_KERNEL);
687 	if (!p->role_val_to_struct)
688 		return -ENOMEM;
689 
690 	p->user_val_to_struct = kcalloc(p->p_users.nprim,
691 					sizeof(*p->user_val_to_struct),
692 					GFP_KERNEL);
693 	if (!p->user_val_to_struct)
694 		return -ENOMEM;
695 
696 	p->type_val_to_struct = kvcalloc(p->p_types.nprim,
697 					 sizeof(*p->type_val_to_struct),
698 					 GFP_KERNEL);
699 	if (!p->type_val_to_struct)
700 		return -ENOMEM;
701 
702 	rc = cond_init_bool_indexes(p);
703 	if (rc)
704 		goto out;
705 
706 	for (i = 0; i < SYM_NUM; i++) {
707 		p->sym_val_to_name[i] = kvcalloc(p->symtab[i].nprim,
708 						 sizeof(char *),
709 						 GFP_KERNEL);
710 		if (!p->sym_val_to_name[i])
711 			return -ENOMEM;
712 
713 		rc = hashtab_map(p->symtab[i].table, index_f[i], p);
714 		if (rc)
715 			goto out;
716 	}
717 	rc = 0;
718 out:
719 	return rc;
720 }
721 
722 /*
723  * Free any memory allocated by a policy database structure.
724  */
725 void policydb_destroy(struct policydb *p)
726 {
727 	struct ocontext *c, *ctmp;
728 	struct genfs *g, *gtmp;
729 	int i;
730 	struct role_allow *ra, *lra = NULL;
731 	struct role_trans *tr, *ltr = NULL;
732 
733 	for (i = 0; i < SYM_NUM; i++) {
734 		cond_resched();
735 		hashtab_map(p->symtab[i].table, destroy_f[i], NULL);
736 		hashtab_destroy(p->symtab[i].table);
737 	}
738 
739 	for (i = 0; i < SYM_NUM; i++)
740 		kvfree(p->sym_val_to_name[i]);
741 
742 	kfree(p->class_val_to_struct);
743 	kfree(p->role_val_to_struct);
744 	kfree(p->user_val_to_struct);
745 	kvfree(p->type_val_to_struct);
746 
747 	avtab_destroy(&p->te_avtab);
748 
749 	for (i = 0; i < OCON_NUM; i++) {
750 		cond_resched();
751 		c = p->ocontexts[i];
752 		while (c) {
753 			ctmp = c;
754 			c = c->next;
755 			ocontext_destroy(ctmp, i);
756 		}
757 		p->ocontexts[i] = NULL;
758 	}
759 
760 	g = p->genfs;
761 	while (g) {
762 		cond_resched();
763 		kfree(g->fstype);
764 		c = g->head;
765 		while (c) {
766 			ctmp = c;
767 			c = c->next;
768 			ocontext_destroy(ctmp, OCON_FSUSE);
769 		}
770 		gtmp = g;
771 		g = g->next;
772 		kfree(gtmp);
773 	}
774 	p->genfs = NULL;
775 
776 	cond_policydb_destroy(p);
777 
778 	for (tr = p->role_tr; tr; tr = tr->next) {
779 		cond_resched();
780 		kfree(ltr);
781 		ltr = tr;
782 	}
783 	kfree(ltr);
784 
785 	for (ra = p->role_allow; ra; ra = ra->next) {
786 		cond_resched();
787 		kfree(lra);
788 		lra = ra;
789 	}
790 	kfree(lra);
791 
792 	hashtab_map(p->filename_trans, filenametr_destroy, NULL);
793 	hashtab_destroy(p->filename_trans);
794 
795 	hashtab_map(p->range_tr, range_tr_destroy, NULL);
796 	hashtab_destroy(p->range_tr);
797 
798 	if (p->type_attr_map_array) {
799 		for (i = 0; i < p->p_types.nprim; i++)
800 			ebitmap_destroy(&p->type_attr_map_array[i]);
801 		kvfree(p->type_attr_map_array);
802 	}
803 
804 	ebitmap_destroy(&p->filename_trans_ttypes);
805 	ebitmap_destroy(&p->policycaps);
806 	ebitmap_destroy(&p->permissive_map);
807 }
808 
809 /*
810  * Load the initial SIDs specified in a policy database
811  * structure into a SID table.
812  */
813 int policydb_load_isids(struct policydb *p, struct sidtab *s)
814 {
815 	struct ocontext *head, *c;
816 	int rc;
817 
818 	rc = sidtab_init(s);
819 	if (rc) {
820 		pr_err("SELinux:  out of memory on SID table init\n");
821 		goto out;
822 	}
823 
824 	head = p->ocontexts[OCON_ISID];
825 	for (c = head; c; c = c->next) {
826 		u32 sid = c->sid[0];
827 		const char *name = security_get_initial_sid_context(sid);
828 
829 		if (sid == SECSID_NULL) {
830 			pr_err("SELinux:  SID 0 was assigned a context.\n");
831 			sidtab_destroy(s);
832 			goto out;
833 		}
834 
835 		/* Ignore initial SIDs unused by this kernel. */
836 		if (!name)
837 			continue;
838 
839 		rc = context_add_hash(p, &c->context[0]);
840 		if (rc) {
841 			sidtab_destroy(s);
842 			goto out;
843 		}
844 		rc = sidtab_set_initial(s, sid, &c->context[0]);
845 		if (rc) {
846 			pr_err("SELinux:  unable to load initial SID %s.\n",
847 			       name);
848 			sidtab_destroy(s);
849 			goto out;
850 		}
851 	}
852 	rc = 0;
853 out:
854 	return rc;
855 }
856 
857 int policydb_class_isvalid(struct policydb *p, unsigned int class)
858 {
859 	if (!class || class > p->p_classes.nprim)
860 		return 0;
861 	return 1;
862 }
863 
864 int policydb_role_isvalid(struct policydb *p, unsigned int role)
865 {
866 	if (!role || role > p->p_roles.nprim)
867 		return 0;
868 	return 1;
869 }
870 
871 int policydb_type_isvalid(struct policydb *p, unsigned int type)
872 {
873 	if (!type || type > p->p_types.nprim)
874 		return 0;
875 	return 1;
876 }
877 
878 /*
879  * Return 1 if the fields in the security context
880  * structure `c' are valid.  Return 0 otherwise.
881  */
882 int policydb_context_isvalid(struct policydb *p, struct context *c)
883 {
884 	struct role_datum *role;
885 	struct user_datum *usrdatum;
886 
887 	if (!c->role || c->role > p->p_roles.nprim)
888 		return 0;
889 
890 	if (!c->user || c->user > p->p_users.nprim)
891 		return 0;
892 
893 	if (!c->type || c->type > p->p_types.nprim)
894 		return 0;
895 
896 	if (c->role != OBJECT_R_VAL) {
897 		/*
898 		 * Role must be authorized for the type.
899 		 */
900 		role = p->role_val_to_struct[c->role - 1];
901 		if (!role || !ebitmap_get_bit(&role->types, c->type - 1))
902 			/* role may not be associated with type */
903 			return 0;
904 
905 		/*
906 		 * User must be authorized for the role.
907 		 */
908 		usrdatum = p->user_val_to_struct[c->user - 1];
909 		if (!usrdatum)
910 			return 0;
911 
912 		if (!ebitmap_get_bit(&usrdatum->roles, c->role - 1))
913 			/* user may not be associated with role */
914 			return 0;
915 	}
916 
917 	if (!mls_context_isvalid(p, c))
918 		return 0;
919 
920 	return 1;
921 }
922 
923 /*
924  * Read a MLS range structure from a policydb binary
925  * representation file.
926  */
927 static int mls_read_range_helper(struct mls_range *r, void *fp)
928 {
929 	__le32 buf[2];
930 	u32 items;
931 	int rc;
932 
933 	rc = next_entry(buf, fp, sizeof(u32));
934 	if (rc)
935 		goto out;
936 
937 	rc = -EINVAL;
938 	items = le32_to_cpu(buf[0]);
939 	if (items > ARRAY_SIZE(buf)) {
940 		pr_err("SELinux: mls:  range overflow\n");
941 		goto out;
942 	}
943 
944 	rc = next_entry(buf, fp, sizeof(u32) * items);
945 	if (rc) {
946 		pr_err("SELinux: mls:  truncated range\n");
947 		goto out;
948 	}
949 
950 	r->level[0].sens = le32_to_cpu(buf[0]);
951 	if (items > 1)
952 		r->level[1].sens = le32_to_cpu(buf[1]);
953 	else
954 		r->level[1].sens = r->level[0].sens;
955 
956 	rc = ebitmap_read(&r->level[0].cat, fp);
957 	if (rc) {
958 		pr_err("SELinux: mls:  error reading low categories\n");
959 		goto out;
960 	}
961 	if (items > 1) {
962 		rc = ebitmap_read(&r->level[1].cat, fp);
963 		if (rc) {
964 			pr_err("SELinux: mls:  error reading high categories\n");
965 			goto bad_high;
966 		}
967 	} else {
968 		rc = ebitmap_cpy(&r->level[1].cat, &r->level[0].cat);
969 		if (rc) {
970 			pr_err("SELinux: mls:  out of memory\n");
971 			goto bad_high;
972 		}
973 	}
974 
975 	return 0;
976 bad_high:
977 	ebitmap_destroy(&r->level[0].cat);
978 out:
979 	return rc;
980 }
981 
982 /*
983  * Read and validate a security context structure
984  * from a policydb binary representation file.
985  */
986 static int context_read_and_validate(struct context *c,
987 				     struct policydb *p,
988 				     void *fp)
989 {
990 	__le32 buf[3];
991 	int rc;
992 
993 	rc = next_entry(buf, fp, sizeof buf);
994 	if (rc) {
995 		pr_err("SELinux: context truncated\n");
996 		goto out;
997 	}
998 	c->user = le32_to_cpu(buf[0]);
999 	c->role = le32_to_cpu(buf[1]);
1000 	c->type = le32_to_cpu(buf[2]);
1001 	if (p->policyvers >= POLICYDB_VERSION_MLS) {
1002 		rc = mls_read_range_helper(&c->range, fp);
1003 		if (rc) {
1004 			pr_err("SELinux: error reading MLS range of context\n");
1005 			goto out;
1006 		}
1007 	}
1008 
1009 	rc = -EINVAL;
1010 	if (!policydb_context_isvalid(p, c)) {
1011 		pr_err("SELinux:  invalid security context\n");
1012 		context_destroy(c);
1013 		goto out;
1014 	}
1015 	rc = 0;
1016 out:
1017 	return rc;
1018 }
1019 
1020 /*
1021  * The following *_read functions are used to
1022  * read the symbol data from a policy database
1023  * binary representation file.
1024  */
1025 
1026 static int str_read(char **strp, gfp_t flags, void *fp, u32 len)
1027 {
1028 	int rc;
1029 	char *str;
1030 
1031 	if ((len == 0) || (len == (u32)-1))
1032 		return -EINVAL;
1033 
1034 	str = kmalloc(len + 1, flags | __GFP_NOWARN);
1035 	if (!str)
1036 		return -ENOMEM;
1037 
1038 	/* it's expected the caller should free the str */
1039 	*strp = str;
1040 
1041 	rc = next_entry(str, fp, len);
1042 	if (rc)
1043 		return rc;
1044 
1045 	str[len] = '\0';
1046 	return 0;
1047 }
1048 
1049 static int perm_read(struct policydb *p, struct hashtab *h, void *fp)
1050 {
1051 	char *key = NULL;
1052 	struct perm_datum *perdatum;
1053 	int rc;
1054 	__le32 buf[2];
1055 	u32 len;
1056 
1057 	perdatum = kzalloc(sizeof(*perdatum), GFP_KERNEL);
1058 	if (!perdatum)
1059 		return -ENOMEM;
1060 
1061 	rc = next_entry(buf, fp, sizeof buf);
1062 	if (rc)
1063 		goto bad;
1064 
1065 	len = le32_to_cpu(buf[0]);
1066 	perdatum->value = le32_to_cpu(buf[1]);
1067 
1068 	rc = str_read(&key, GFP_KERNEL, fp, len);
1069 	if (rc)
1070 		goto bad;
1071 
1072 	rc = hashtab_insert(h, key, perdatum);
1073 	if (rc)
1074 		goto bad;
1075 
1076 	return 0;
1077 bad:
1078 	perm_destroy(key, perdatum, NULL);
1079 	return rc;
1080 }
1081 
1082 static int common_read(struct policydb *p, struct hashtab *h, void *fp)
1083 {
1084 	char *key = NULL;
1085 	struct common_datum *comdatum;
1086 	__le32 buf[4];
1087 	u32 len, nel;
1088 	int i, rc;
1089 
1090 	comdatum = kzalloc(sizeof(*comdatum), GFP_KERNEL);
1091 	if (!comdatum)
1092 		return -ENOMEM;
1093 
1094 	rc = next_entry(buf, fp, sizeof buf);
1095 	if (rc)
1096 		goto bad;
1097 
1098 	len = le32_to_cpu(buf[0]);
1099 	comdatum->value = le32_to_cpu(buf[1]);
1100 	nel = le32_to_cpu(buf[3]);
1101 
1102 	rc = symtab_init(&comdatum->permissions, nel);
1103 	if (rc)
1104 		goto bad;
1105 	comdatum->permissions.nprim = le32_to_cpu(buf[2]);
1106 
1107 	rc = str_read(&key, GFP_KERNEL, fp, len);
1108 	if (rc)
1109 		goto bad;
1110 
1111 	for (i = 0; i < nel; i++) {
1112 		rc = perm_read(p, comdatum->permissions.table, fp);
1113 		if (rc)
1114 			goto bad;
1115 	}
1116 
1117 	rc = hashtab_insert(h, key, comdatum);
1118 	if (rc)
1119 		goto bad;
1120 	return 0;
1121 bad:
1122 	common_destroy(key, comdatum, NULL);
1123 	return rc;
1124 }
1125 
1126 static void type_set_init(struct type_set *t)
1127 {
1128 	ebitmap_init(&t->types);
1129 	ebitmap_init(&t->negset);
1130 }
1131 
1132 static int type_set_read(struct type_set *t, void *fp)
1133 {
1134 	__le32 buf[1];
1135 	int rc;
1136 
1137 	if (ebitmap_read(&t->types, fp))
1138 		return -EINVAL;
1139 	if (ebitmap_read(&t->negset, fp))
1140 		return -EINVAL;
1141 
1142 	rc = next_entry(buf, fp, sizeof(u32));
1143 	if (rc < 0)
1144 		return -EINVAL;
1145 	t->flags = le32_to_cpu(buf[0]);
1146 
1147 	return 0;
1148 }
1149 
1150 
1151 static int read_cons_helper(struct policydb *p,
1152 				struct constraint_node **nodep,
1153 				int ncons, int allowxtarget, void *fp)
1154 {
1155 	struct constraint_node *c, *lc;
1156 	struct constraint_expr *e, *le;
1157 	__le32 buf[3];
1158 	u32 nexpr;
1159 	int rc, i, j, depth;
1160 
1161 	lc = NULL;
1162 	for (i = 0; i < ncons; i++) {
1163 		c = kzalloc(sizeof(*c), GFP_KERNEL);
1164 		if (!c)
1165 			return -ENOMEM;
1166 
1167 		if (lc)
1168 			lc->next = c;
1169 		else
1170 			*nodep = c;
1171 
1172 		rc = next_entry(buf, fp, (sizeof(u32) * 2));
1173 		if (rc)
1174 			return rc;
1175 		c->permissions = le32_to_cpu(buf[0]);
1176 		nexpr = le32_to_cpu(buf[1]);
1177 		le = NULL;
1178 		depth = -1;
1179 		for (j = 0; j < nexpr; j++) {
1180 			e = kzalloc(sizeof(*e), GFP_KERNEL);
1181 			if (!e)
1182 				return -ENOMEM;
1183 
1184 			if (le)
1185 				le->next = e;
1186 			else
1187 				c->expr = e;
1188 
1189 			rc = next_entry(buf, fp, (sizeof(u32) * 3));
1190 			if (rc)
1191 				return rc;
1192 			e->expr_type = le32_to_cpu(buf[0]);
1193 			e->attr = le32_to_cpu(buf[1]);
1194 			e->op = le32_to_cpu(buf[2]);
1195 
1196 			switch (e->expr_type) {
1197 			case CEXPR_NOT:
1198 				if (depth < 0)
1199 					return -EINVAL;
1200 				break;
1201 			case CEXPR_AND:
1202 			case CEXPR_OR:
1203 				if (depth < 1)
1204 					return -EINVAL;
1205 				depth--;
1206 				break;
1207 			case CEXPR_ATTR:
1208 				if (depth == (CEXPR_MAXDEPTH - 1))
1209 					return -EINVAL;
1210 				depth++;
1211 				break;
1212 			case CEXPR_NAMES:
1213 				if (!allowxtarget && (e->attr & CEXPR_XTARGET))
1214 					return -EINVAL;
1215 				if (depth == (CEXPR_MAXDEPTH - 1))
1216 					return -EINVAL;
1217 				depth++;
1218 				rc = ebitmap_read(&e->names, fp);
1219 				if (rc)
1220 					return rc;
1221 				if (p->policyvers >=
1222 				    POLICYDB_VERSION_CONSTRAINT_NAMES) {
1223 					e->type_names = kzalloc(sizeof
1224 						(*e->type_names), GFP_KERNEL);
1225 					if (!e->type_names)
1226 						return -ENOMEM;
1227 					type_set_init(e->type_names);
1228 					rc = type_set_read(e->type_names, fp);
1229 					if (rc)
1230 						return rc;
1231 				}
1232 				break;
1233 			default:
1234 				return -EINVAL;
1235 			}
1236 			le = e;
1237 		}
1238 		if (depth != 0)
1239 			return -EINVAL;
1240 		lc = c;
1241 	}
1242 
1243 	return 0;
1244 }
1245 
1246 static int class_read(struct policydb *p, struct hashtab *h, void *fp)
1247 {
1248 	char *key = NULL;
1249 	struct class_datum *cladatum;
1250 	__le32 buf[6];
1251 	u32 len, len2, ncons, nel;
1252 	int i, rc;
1253 
1254 	cladatum = kzalloc(sizeof(*cladatum), GFP_KERNEL);
1255 	if (!cladatum)
1256 		return -ENOMEM;
1257 
1258 	rc = next_entry(buf, fp, sizeof(u32)*6);
1259 	if (rc)
1260 		goto bad;
1261 
1262 	len = le32_to_cpu(buf[0]);
1263 	len2 = le32_to_cpu(buf[1]);
1264 	cladatum->value = le32_to_cpu(buf[2]);
1265 	nel = le32_to_cpu(buf[4]);
1266 
1267 	rc = symtab_init(&cladatum->permissions, nel);
1268 	if (rc)
1269 		goto bad;
1270 	cladatum->permissions.nprim = le32_to_cpu(buf[3]);
1271 
1272 	ncons = le32_to_cpu(buf[5]);
1273 
1274 	rc = str_read(&key, GFP_KERNEL, fp, len);
1275 	if (rc)
1276 		goto bad;
1277 
1278 	if (len2) {
1279 		rc = str_read(&cladatum->comkey, GFP_KERNEL, fp, len2);
1280 		if (rc)
1281 			goto bad;
1282 
1283 		rc = -EINVAL;
1284 		cladatum->comdatum = hashtab_search(p->p_commons.table, cladatum->comkey);
1285 		if (!cladatum->comdatum) {
1286 			pr_err("SELinux:  unknown common %s\n",
1287 			       cladatum->comkey);
1288 			goto bad;
1289 		}
1290 	}
1291 	for (i = 0; i < nel; i++) {
1292 		rc = perm_read(p, cladatum->permissions.table, fp);
1293 		if (rc)
1294 			goto bad;
1295 	}
1296 
1297 	rc = read_cons_helper(p, &cladatum->constraints, ncons, 0, fp);
1298 	if (rc)
1299 		goto bad;
1300 
1301 	if (p->policyvers >= POLICYDB_VERSION_VALIDATETRANS) {
1302 		/* grab the validatetrans rules */
1303 		rc = next_entry(buf, fp, sizeof(u32));
1304 		if (rc)
1305 			goto bad;
1306 		ncons = le32_to_cpu(buf[0]);
1307 		rc = read_cons_helper(p, &cladatum->validatetrans,
1308 				ncons, 1, fp);
1309 		if (rc)
1310 			goto bad;
1311 	}
1312 
1313 	if (p->policyvers >= POLICYDB_VERSION_NEW_OBJECT_DEFAULTS) {
1314 		rc = next_entry(buf, fp, sizeof(u32) * 3);
1315 		if (rc)
1316 			goto bad;
1317 
1318 		cladatum->default_user = le32_to_cpu(buf[0]);
1319 		cladatum->default_role = le32_to_cpu(buf[1]);
1320 		cladatum->default_range = le32_to_cpu(buf[2]);
1321 	}
1322 
1323 	if (p->policyvers >= POLICYDB_VERSION_DEFAULT_TYPE) {
1324 		rc = next_entry(buf, fp, sizeof(u32) * 1);
1325 		if (rc)
1326 			goto bad;
1327 		cladatum->default_type = le32_to_cpu(buf[0]);
1328 	}
1329 
1330 	rc = hashtab_insert(h, key, cladatum);
1331 	if (rc)
1332 		goto bad;
1333 
1334 	return 0;
1335 bad:
1336 	cls_destroy(key, cladatum, NULL);
1337 	return rc;
1338 }
1339 
1340 static int role_read(struct policydb *p, struct hashtab *h, void *fp)
1341 {
1342 	char *key = NULL;
1343 	struct role_datum *role;
1344 	int rc, to_read = 2;
1345 	__le32 buf[3];
1346 	u32 len;
1347 
1348 	role = kzalloc(sizeof(*role), GFP_KERNEL);
1349 	if (!role)
1350 		return -ENOMEM;
1351 
1352 	if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
1353 		to_read = 3;
1354 
1355 	rc = next_entry(buf, fp, sizeof(buf[0]) * to_read);
1356 	if (rc)
1357 		goto bad;
1358 
1359 	len = le32_to_cpu(buf[0]);
1360 	role->value = le32_to_cpu(buf[1]);
1361 	if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
1362 		role->bounds = le32_to_cpu(buf[2]);
1363 
1364 	rc = str_read(&key, GFP_KERNEL, fp, len);
1365 	if (rc)
1366 		goto bad;
1367 
1368 	rc = ebitmap_read(&role->dominates, fp);
1369 	if (rc)
1370 		goto bad;
1371 
1372 	rc = ebitmap_read(&role->types, fp);
1373 	if (rc)
1374 		goto bad;
1375 
1376 	if (strcmp(key, OBJECT_R) == 0) {
1377 		rc = -EINVAL;
1378 		if (role->value != OBJECT_R_VAL) {
1379 			pr_err("SELinux: Role %s has wrong value %d\n",
1380 			       OBJECT_R, role->value);
1381 			goto bad;
1382 		}
1383 		rc = 0;
1384 		goto bad;
1385 	}
1386 
1387 	rc = hashtab_insert(h, key, role);
1388 	if (rc)
1389 		goto bad;
1390 	return 0;
1391 bad:
1392 	role_destroy(key, role, NULL);
1393 	return rc;
1394 }
1395 
1396 static int type_read(struct policydb *p, struct hashtab *h, void *fp)
1397 {
1398 	char *key = NULL;
1399 	struct type_datum *typdatum;
1400 	int rc, to_read = 3;
1401 	__le32 buf[4];
1402 	u32 len;
1403 
1404 	typdatum = kzalloc(sizeof(*typdatum), GFP_KERNEL);
1405 	if (!typdatum)
1406 		return -ENOMEM;
1407 
1408 	if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
1409 		to_read = 4;
1410 
1411 	rc = next_entry(buf, fp, sizeof(buf[0]) * to_read);
1412 	if (rc)
1413 		goto bad;
1414 
1415 	len = le32_to_cpu(buf[0]);
1416 	typdatum->value = le32_to_cpu(buf[1]);
1417 	if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) {
1418 		u32 prop = le32_to_cpu(buf[2]);
1419 
1420 		if (prop & TYPEDATUM_PROPERTY_PRIMARY)
1421 			typdatum->primary = 1;
1422 		if (prop & TYPEDATUM_PROPERTY_ATTRIBUTE)
1423 			typdatum->attribute = 1;
1424 
1425 		typdatum->bounds = le32_to_cpu(buf[3]);
1426 	} else {
1427 		typdatum->primary = le32_to_cpu(buf[2]);
1428 	}
1429 
1430 	rc = str_read(&key, GFP_KERNEL, fp, len);
1431 	if (rc)
1432 		goto bad;
1433 
1434 	rc = hashtab_insert(h, key, typdatum);
1435 	if (rc)
1436 		goto bad;
1437 	return 0;
1438 bad:
1439 	type_destroy(key, typdatum, NULL);
1440 	return rc;
1441 }
1442 
1443 
1444 /*
1445  * Read a MLS level structure from a policydb binary
1446  * representation file.
1447  */
1448 static int mls_read_level(struct mls_level *lp, void *fp)
1449 {
1450 	__le32 buf[1];
1451 	int rc;
1452 
1453 	memset(lp, 0, sizeof(*lp));
1454 
1455 	rc = next_entry(buf, fp, sizeof buf);
1456 	if (rc) {
1457 		pr_err("SELinux: mls: truncated level\n");
1458 		return rc;
1459 	}
1460 	lp->sens = le32_to_cpu(buf[0]);
1461 
1462 	rc = ebitmap_read(&lp->cat, fp);
1463 	if (rc) {
1464 		pr_err("SELinux: mls:  error reading level categories\n");
1465 		return rc;
1466 	}
1467 	return 0;
1468 }
1469 
1470 static int user_read(struct policydb *p, struct hashtab *h, void *fp)
1471 {
1472 	char *key = NULL;
1473 	struct user_datum *usrdatum;
1474 	int rc, to_read = 2;
1475 	__le32 buf[3];
1476 	u32 len;
1477 
1478 	usrdatum = kzalloc(sizeof(*usrdatum), GFP_KERNEL);
1479 	if (!usrdatum)
1480 		return -ENOMEM;
1481 
1482 	if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
1483 		to_read = 3;
1484 
1485 	rc = next_entry(buf, fp, sizeof(buf[0]) * to_read);
1486 	if (rc)
1487 		goto bad;
1488 
1489 	len = le32_to_cpu(buf[0]);
1490 	usrdatum->value = le32_to_cpu(buf[1]);
1491 	if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
1492 		usrdatum->bounds = le32_to_cpu(buf[2]);
1493 
1494 	rc = str_read(&key, GFP_KERNEL, fp, len);
1495 	if (rc)
1496 		goto bad;
1497 
1498 	rc = ebitmap_read(&usrdatum->roles, fp);
1499 	if (rc)
1500 		goto bad;
1501 
1502 	if (p->policyvers >= POLICYDB_VERSION_MLS) {
1503 		rc = mls_read_range_helper(&usrdatum->range, fp);
1504 		if (rc)
1505 			goto bad;
1506 		rc = mls_read_level(&usrdatum->dfltlevel, fp);
1507 		if (rc)
1508 			goto bad;
1509 	}
1510 
1511 	rc = hashtab_insert(h, key, usrdatum);
1512 	if (rc)
1513 		goto bad;
1514 	return 0;
1515 bad:
1516 	user_destroy(key, usrdatum, NULL);
1517 	return rc;
1518 }
1519 
1520 static int sens_read(struct policydb *p, struct hashtab *h, void *fp)
1521 {
1522 	char *key = NULL;
1523 	struct level_datum *levdatum;
1524 	int rc;
1525 	__le32 buf[2];
1526 	u32 len;
1527 
1528 	levdatum = kzalloc(sizeof(*levdatum), GFP_ATOMIC);
1529 	if (!levdatum)
1530 		return -ENOMEM;
1531 
1532 	rc = next_entry(buf, fp, sizeof buf);
1533 	if (rc)
1534 		goto bad;
1535 
1536 	len = le32_to_cpu(buf[0]);
1537 	levdatum->isalias = le32_to_cpu(buf[1]);
1538 
1539 	rc = str_read(&key, GFP_ATOMIC, fp, len);
1540 	if (rc)
1541 		goto bad;
1542 
1543 	rc = -ENOMEM;
1544 	levdatum->level = kmalloc(sizeof(*levdatum->level), GFP_ATOMIC);
1545 	if (!levdatum->level)
1546 		goto bad;
1547 
1548 	rc = mls_read_level(levdatum->level, fp);
1549 	if (rc)
1550 		goto bad;
1551 
1552 	rc = hashtab_insert(h, key, levdatum);
1553 	if (rc)
1554 		goto bad;
1555 	return 0;
1556 bad:
1557 	sens_destroy(key, levdatum, NULL);
1558 	return rc;
1559 }
1560 
1561 static int cat_read(struct policydb *p, struct hashtab *h, void *fp)
1562 {
1563 	char *key = NULL;
1564 	struct cat_datum *catdatum;
1565 	int rc;
1566 	__le32 buf[3];
1567 	u32 len;
1568 
1569 	catdatum = kzalloc(sizeof(*catdatum), GFP_ATOMIC);
1570 	if (!catdatum)
1571 		return -ENOMEM;
1572 
1573 	rc = next_entry(buf, fp, sizeof buf);
1574 	if (rc)
1575 		goto bad;
1576 
1577 	len = le32_to_cpu(buf[0]);
1578 	catdatum->value = le32_to_cpu(buf[1]);
1579 	catdatum->isalias = le32_to_cpu(buf[2]);
1580 
1581 	rc = str_read(&key, GFP_ATOMIC, fp, len);
1582 	if (rc)
1583 		goto bad;
1584 
1585 	rc = hashtab_insert(h, key, catdatum);
1586 	if (rc)
1587 		goto bad;
1588 	return 0;
1589 bad:
1590 	cat_destroy(key, catdatum, NULL);
1591 	return rc;
1592 }
1593 
1594 static int (*read_f[SYM_NUM]) (struct policydb *p, struct hashtab *h, void *fp) =
1595 {
1596 	common_read,
1597 	class_read,
1598 	role_read,
1599 	type_read,
1600 	user_read,
1601 	cond_read_bool,
1602 	sens_read,
1603 	cat_read,
1604 };
1605 
1606 static int user_bounds_sanity_check(void *key, void *datum, void *datap)
1607 {
1608 	struct user_datum *upper, *user;
1609 	struct policydb *p = datap;
1610 	int depth = 0;
1611 
1612 	upper = user = datum;
1613 	while (upper->bounds) {
1614 		struct ebitmap_node *node;
1615 		unsigned long bit;
1616 
1617 		if (++depth == POLICYDB_BOUNDS_MAXDEPTH) {
1618 			pr_err("SELinux: user %s: "
1619 			       "too deep or looped boundary",
1620 			       (char *) key);
1621 			return -EINVAL;
1622 		}
1623 
1624 		upper = p->user_val_to_struct[upper->bounds - 1];
1625 		ebitmap_for_each_positive_bit(&user->roles, node, bit) {
1626 			if (ebitmap_get_bit(&upper->roles, bit))
1627 				continue;
1628 
1629 			pr_err("SELinux: boundary violated policy: "
1630 			       "user=%s role=%s bounds=%s\n",
1631 			       sym_name(p, SYM_USERS, user->value - 1),
1632 			       sym_name(p, SYM_ROLES, bit),
1633 			       sym_name(p, SYM_USERS, upper->value - 1));
1634 
1635 			return -EINVAL;
1636 		}
1637 	}
1638 
1639 	return 0;
1640 }
1641 
1642 static int role_bounds_sanity_check(void *key, void *datum, void *datap)
1643 {
1644 	struct role_datum *upper, *role;
1645 	struct policydb *p = datap;
1646 	int depth = 0;
1647 
1648 	upper = role = datum;
1649 	while (upper->bounds) {
1650 		struct ebitmap_node *node;
1651 		unsigned long bit;
1652 
1653 		if (++depth == POLICYDB_BOUNDS_MAXDEPTH) {
1654 			pr_err("SELinux: role %s: "
1655 			       "too deep or looped bounds\n",
1656 			       (char *) key);
1657 			return -EINVAL;
1658 		}
1659 
1660 		upper = p->role_val_to_struct[upper->bounds - 1];
1661 		ebitmap_for_each_positive_bit(&role->types, node, bit) {
1662 			if (ebitmap_get_bit(&upper->types, bit))
1663 				continue;
1664 
1665 			pr_err("SELinux: boundary violated policy: "
1666 			       "role=%s type=%s bounds=%s\n",
1667 			       sym_name(p, SYM_ROLES, role->value - 1),
1668 			       sym_name(p, SYM_TYPES, bit),
1669 			       sym_name(p, SYM_ROLES, upper->value - 1));
1670 
1671 			return -EINVAL;
1672 		}
1673 	}
1674 
1675 	return 0;
1676 }
1677 
1678 static int type_bounds_sanity_check(void *key, void *datum, void *datap)
1679 {
1680 	struct type_datum *upper;
1681 	struct policydb *p = datap;
1682 	int depth = 0;
1683 
1684 	upper = datum;
1685 	while (upper->bounds) {
1686 		if (++depth == POLICYDB_BOUNDS_MAXDEPTH) {
1687 			pr_err("SELinux: type %s: "
1688 			       "too deep or looped boundary\n",
1689 			       (char *) key);
1690 			return -EINVAL;
1691 		}
1692 
1693 		upper = p->type_val_to_struct[upper->bounds - 1];
1694 		BUG_ON(!upper);
1695 
1696 		if (upper->attribute) {
1697 			pr_err("SELinux: type %s: "
1698 			       "bounded by attribute %s",
1699 			       (char *) key,
1700 			       sym_name(p, SYM_TYPES, upper->value - 1));
1701 			return -EINVAL;
1702 		}
1703 	}
1704 
1705 	return 0;
1706 }
1707 
1708 static int policydb_bounds_sanity_check(struct policydb *p)
1709 {
1710 	int rc;
1711 
1712 	if (p->policyvers < POLICYDB_VERSION_BOUNDARY)
1713 		return 0;
1714 
1715 	rc = hashtab_map(p->p_users.table,
1716 			 user_bounds_sanity_check, p);
1717 	if (rc)
1718 		return rc;
1719 
1720 	rc = hashtab_map(p->p_roles.table,
1721 			 role_bounds_sanity_check, p);
1722 	if (rc)
1723 		return rc;
1724 
1725 	rc = hashtab_map(p->p_types.table,
1726 			 type_bounds_sanity_check, p);
1727 	if (rc)
1728 		return rc;
1729 
1730 	return 0;
1731 }
1732 
1733 u16 string_to_security_class(struct policydb *p, const char *name)
1734 {
1735 	struct class_datum *cladatum;
1736 
1737 	cladatum = hashtab_search(p->p_classes.table, name);
1738 	if (!cladatum)
1739 		return 0;
1740 
1741 	return cladatum->value;
1742 }
1743 
1744 u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name)
1745 {
1746 	struct class_datum *cladatum;
1747 	struct perm_datum *perdatum = NULL;
1748 	struct common_datum *comdatum;
1749 
1750 	if (!tclass || tclass > p->p_classes.nprim)
1751 		return 0;
1752 
1753 	cladatum = p->class_val_to_struct[tclass-1];
1754 	comdatum = cladatum->comdatum;
1755 	if (comdatum)
1756 		perdatum = hashtab_search(comdatum->permissions.table,
1757 					  name);
1758 	if (!perdatum)
1759 		perdatum = hashtab_search(cladatum->permissions.table,
1760 					  name);
1761 	if (!perdatum)
1762 		return 0;
1763 
1764 	return 1U << (perdatum->value-1);
1765 }
1766 
1767 static int range_read(struct policydb *p, void *fp)
1768 {
1769 	struct range_trans *rt = NULL;
1770 	struct mls_range *r = NULL;
1771 	int i, rc;
1772 	__le32 buf[2];
1773 	u32 nel;
1774 
1775 	if (p->policyvers < POLICYDB_VERSION_MLS)
1776 		return 0;
1777 
1778 	rc = next_entry(buf, fp, sizeof(u32));
1779 	if (rc)
1780 		return rc;
1781 
1782 	nel = le32_to_cpu(buf[0]);
1783 
1784 	p->range_tr = hashtab_create(rangetr_hash, rangetr_cmp, nel);
1785 	if (!p->range_tr)
1786 		return -ENOMEM;
1787 
1788 	for (i = 0; i < nel; i++) {
1789 		rc = -ENOMEM;
1790 		rt = kzalloc(sizeof(*rt), GFP_KERNEL);
1791 		if (!rt)
1792 			goto out;
1793 
1794 		rc = next_entry(buf, fp, (sizeof(u32) * 2));
1795 		if (rc)
1796 			goto out;
1797 
1798 		rt->source_type = le32_to_cpu(buf[0]);
1799 		rt->target_type = le32_to_cpu(buf[1]);
1800 		if (p->policyvers >= POLICYDB_VERSION_RANGETRANS) {
1801 			rc = next_entry(buf, fp, sizeof(u32));
1802 			if (rc)
1803 				goto out;
1804 			rt->target_class = le32_to_cpu(buf[0]);
1805 		} else
1806 			rt->target_class = p->process_class;
1807 
1808 		rc = -EINVAL;
1809 		if (!policydb_type_isvalid(p, rt->source_type) ||
1810 		    !policydb_type_isvalid(p, rt->target_type) ||
1811 		    !policydb_class_isvalid(p, rt->target_class))
1812 			goto out;
1813 
1814 		rc = -ENOMEM;
1815 		r = kzalloc(sizeof(*r), GFP_KERNEL);
1816 		if (!r)
1817 			goto out;
1818 
1819 		rc = mls_read_range_helper(r, fp);
1820 		if (rc)
1821 			goto out;
1822 
1823 		rc = -EINVAL;
1824 		if (!mls_range_isvalid(p, r)) {
1825 			pr_warn("SELinux:  rangetrans:  invalid range\n");
1826 			goto out;
1827 		}
1828 
1829 		rc = hashtab_insert(p->range_tr, rt, r);
1830 		if (rc)
1831 			goto out;
1832 
1833 		rt = NULL;
1834 		r = NULL;
1835 	}
1836 	hash_eval(p->range_tr, "rangetr");
1837 	rc = 0;
1838 out:
1839 	kfree(rt);
1840 	kfree(r);
1841 	return rc;
1842 }
1843 
1844 static int filename_trans_read_one(struct policydb *p, void *fp)
1845 {
1846 	struct filename_trans_key key, *ft = NULL;
1847 	struct filename_trans_datum *last, *datum = NULL;
1848 	char *name = NULL;
1849 	u32 len, stype, otype;
1850 	__le32 buf[4];
1851 	int rc;
1852 
1853 	/* length of the path component string */
1854 	rc = next_entry(buf, fp, sizeof(u32));
1855 	if (rc)
1856 		return rc;
1857 	len = le32_to_cpu(buf[0]);
1858 
1859 	/* path component string */
1860 	rc = str_read(&name, GFP_KERNEL, fp, len);
1861 	if (rc)
1862 		return rc;
1863 
1864 	rc = next_entry(buf, fp, sizeof(u32) * 4);
1865 	if (rc)
1866 		goto out;
1867 
1868 	stype = le32_to_cpu(buf[0]);
1869 	key.ttype = le32_to_cpu(buf[1]);
1870 	key.tclass = le32_to_cpu(buf[2]);
1871 	key.name = name;
1872 
1873 	otype = le32_to_cpu(buf[3]);
1874 
1875 	last = NULL;
1876 	datum = hashtab_search(p->filename_trans, &key);
1877 	while (datum) {
1878 		if (unlikely(ebitmap_get_bit(&datum->stypes, stype - 1))) {
1879 			/* conflicting/duplicate rules are ignored */
1880 			datum = NULL;
1881 			goto out;
1882 		}
1883 		if (likely(datum->otype == otype))
1884 			break;
1885 		last = datum;
1886 		datum = datum->next;
1887 	}
1888 	if (!datum) {
1889 		rc = -ENOMEM;
1890 		datum = kmalloc(sizeof(*datum), GFP_KERNEL);
1891 		if (!datum)
1892 			goto out;
1893 
1894 		ebitmap_init(&datum->stypes);
1895 		datum->otype = otype;
1896 		datum->next = NULL;
1897 
1898 		if (unlikely(last)) {
1899 			last->next = datum;
1900 		} else {
1901 			rc = -ENOMEM;
1902 			ft = kmemdup(&key, sizeof(key), GFP_KERNEL);
1903 			if (!ft)
1904 				goto out;
1905 
1906 			rc = hashtab_insert(p->filename_trans, ft, datum);
1907 			if (rc)
1908 				goto out;
1909 			name = NULL;
1910 
1911 			rc = ebitmap_set_bit(&p->filename_trans_ttypes,
1912 					     key.ttype, 1);
1913 			if (rc)
1914 				return rc;
1915 		}
1916 	}
1917 	kfree(name);
1918 	return ebitmap_set_bit(&datum->stypes, stype - 1, 1);
1919 
1920 out:
1921 	kfree(ft);
1922 	kfree(name);
1923 	kfree(datum);
1924 	return rc;
1925 }
1926 
1927 static int filename_trans_read(struct policydb *p, void *fp)
1928 {
1929 	u32 nel;
1930 	__le32 buf[1];
1931 	int rc, i;
1932 
1933 	if (p->policyvers < POLICYDB_VERSION_FILENAME_TRANS)
1934 		return 0;
1935 
1936 	rc = next_entry(buf, fp, sizeof(u32));
1937 	if (rc)
1938 		return rc;
1939 	nel = le32_to_cpu(buf[0]);
1940 
1941 	p->filename_trans_count = nel;
1942 
1943 	for (i = 0; i < nel; i++) {
1944 		rc = filename_trans_read_one(p, fp);
1945 		if (rc)
1946 			return rc;
1947 	}
1948 	hash_eval(p->filename_trans, "filenametr");
1949 	return 0;
1950 }
1951 
1952 static int genfs_read(struct policydb *p, void *fp)
1953 {
1954 	int i, j, rc;
1955 	u32 nel, nel2, len, len2;
1956 	__le32 buf[1];
1957 	struct ocontext *l, *c;
1958 	struct ocontext *newc = NULL;
1959 	struct genfs *genfs_p, *genfs;
1960 	struct genfs *newgenfs = NULL;
1961 
1962 	rc = next_entry(buf, fp, sizeof(u32));
1963 	if (rc)
1964 		return rc;
1965 	nel = le32_to_cpu(buf[0]);
1966 
1967 	for (i = 0; i < nel; i++) {
1968 		rc = next_entry(buf, fp, sizeof(u32));
1969 		if (rc)
1970 			goto out;
1971 		len = le32_to_cpu(buf[0]);
1972 
1973 		rc = -ENOMEM;
1974 		newgenfs = kzalloc(sizeof(*newgenfs), GFP_KERNEL);
1975 		if (!newgenfs)
1976 			goto out;
1977 
1978 		rc = str_read(&newgenfs->fstype, GFP_KERNEL, fp, len);
1979 		if (rc)
1980 			goto out;
1981 
1982 		for (genfs_p = NULL, genfs = p->genfs; genfs;
1983 		     genfs_p = genfs, genfs = genfs->next) {
1984 			rc = -EINVAL;
1985 			if (strcmp(newgenfs->fstype, genfs->fstype) == 0) {
1986 				pr_err("SELinux:  dup genfs fstype %s\n",
1987 				       newgenfs->fstype);
1988 				goto out;
1989 			}
1990 			if (strcmp(newgenfs->fstype, genfs->fstype) < 0)
1991 				break;
1992 		}
1993 		newgenfs->next = genfs;
1994 		if (genfs_p)
1995 			genfs_p->next = newgenfs;
1996 		else
1997 			p->genfs = newgenfs;
1998 		genfs = newgenfs;
1999 		newgenfs = NULL;
2000 
2001 		rc = next_entry(buf, fp, sizeof(u32));
2002 		if (rc)
2003 			goto out;
2004 
2005 		nel2 = le32_to_cpu(buf[0]);
2006 		for (j = 0; j < nel2; j++) {
2007 			rc = next_entry(buf, fp, sizeof(u32));
2008 			if (rc)
2009 				goto out;
2010 			len = le32_to_cpu(buf[0]);
2011 
2012 			rc = -ENOMEM;
2013 			newc = kzalloc(sizeof(*newc), GFP_KERNEL);
2014 			if (!newc)
2015 				goto out;
2016 
2017 			rc = str_read(&newc->u.name, GFP_KERNEL, fp, len);
2018 			if (rc)
2019 				goto out;
2020 
2021 			rc = next_entry(buf, fp, sizeof(u32));
2022 			if (rc)
2023 				goto out;
2024 
2025 			newc->v.sclass = le32_to_cpu(buf[0]);
2026 			rc = context_read_and_validate(&newc->context[0], p, fp);
2027 			if (rc)
2028 				goto out;
2029 
2030 			for (l = NULL, c = genfs->head; c;
2031 			     l = c, c = c->next) {
2032 				rc = -EINVAL;
2033 				if (!strcmp(newc->u.name, c->u.name) &&
2034 				    (!c->v.sclass || !newc->v.sclass ||
2035 				     newc->v.sclass == c->v.sclass)) {
2036 					pr_err("SELinux:  dup genfs entry (%s,%s)\n",
2037 					       genfs->fstype, c->u.name);
2038 					goto out;
2039 				}
2040 				len = strlen(newc->u.name);
2041 				len2 = strlen(c->u.name);
2042 				if (len > len2)
2043 					break;
2044 			}
2045 
2046 			newc->next = c;
2047 			if (l)
2048 				l->next = newc;
2049 			else
2050 				genfs->head = newc;
2051 			newc = NULL;
2052 		}
2053 	}
2054 	rc = 0;
2055 out:
2056 	if (newgenfs) {
2057 		kfree(newgenfs->fstype);
2058 		kfree(newgenfs);
2059 	}
2060 	ocontext_destroy(newc, OCON_FSUSE);
2061 
2062 	return rc;
2063 }
2064 
2065 static int ocontext_read(struct policydb *p, struct policydb_compat_info *info,
2066 			 void *fp)
2067 {
2068 	int i, j, rc;
2069 	u32 nel, len;
2070 	__be64 prefixbuf[1];
2071 	__le32 buf[3];
2072 	struct ocontext *l, *c;
2073 	u32 nodebuf[8];
2074 
2075 	for (i = 0; i < info->ocon_num; i++) {
2076 		rc = next_entry(buf, fp, sizeof(u32));
2077 		if (rc)
2078 			goto out;
2079 		nel = le32_to_cpu(buf[0]);
2080 
2081 		l = NULL;
2082 		for (j = 0; j < nel; j++) {
2083 			rc = -ENOMEM;
2084 			c = kzalloc(sizeof(*c), GFP_KERNEL);
2085 			if (!c)
2086 				goto out;
2087 			if (l)
2088 				l->next = c;
2089 			else
2090 				p->ocontexts[i] = c;
2091 			l = c;
2092 
2093 			switch (i) {
2094 			case OCON_ISID:
2095 				rc = next_entry(buf, fp, sizeof(u32));
2096 				if (rc)
2097 					goto out;
2098 
2099 				c->sid[0] = le32_to_cpu(buf[0]);
2100 				rc = context_read_and_validate(&c->context[0], p, fp);
2101 				if (rc)
2102 					goto out;
2103 				break;
2104 			case OCON_FS:
2105 			case OCON_NETIF:
2106 				rc = next_entry(buf, fp, sizeof(u32));
2107 				if (rc)
2108 					goto out;
2109 				len = le32_to_cpu(buf[0]);
2110 
2111 				rc = str_read(&c->u.name, GFP_KERNEL, fp, len);
2112 				if (rc)
2113 					goto out;
2114 
2115 				rc = context_read_and_validate(&c->context[0], p, fp);
2116 				if (rc)
2117 					goto out;
2118 				rc = context_read_and_validate(&c->context[1], p, fp);
2119 				if (rc)
2120 					goto out;
2121 				break;
2122 			case OCON_PORT:
2123 				rc = next_entry(buf, fp, sizeof(u32)*3);
2124 				if (rc)
2125 					goto out;
2126 				c->u.port.protocol = le32_to_cpu(buf[0]);
2127 				c->u.port.low_port = le32_to_cpu(buf[1]);
2128 				c->u.port.high_port = le32_to_cpu(buf[2]);
2129 				rc = context_read_and_validate(&c->context[0], p, fp);
2130 				if (rc)
2131 					goto out;
2132 				break;
2133 			case OCON_NODE:
2134 				rc = next_entry(nodebuf, fp, sizeof(u32) * 2);
2135 				if (rc)
2136 					goto out;
2137 				c->u.node.addr = nodebuf[0]; /* network order */
2138 				c->u.node.mask = nodebuf[1]; /* network order */
2139 				rc = context_read_and_validate(&c->context[0], p, fp);
2140 				if (rc)
2141 					goto out;
2142 				break;
2143 			case OCON_FSUSE:
2144 				rc = next_entry(buf, fp, sizeof(u32)*2);
2145 				if (rc)
2146 					goto out;
2147 
2148 				rc = -EINVAL;
2149 				c->v.behavior = le32_to_cpu(buf[0]);
2150 				/* Determined at runtime, not in policy DB. */
2151 				if (c->v.behavior == SECURITY_FS_USE_MNTPOINT)
2152 					goto out;
2153 				if (c->v.behavior > SECURITY_FS_USE_MAX)
2154 					goto out;
2155 
2156 				len = le32_to_cpu(buf[1]);
2157 				rc = str_read(&c->u.name, GFP_KERNEL, fp, len);
2158 				if (rc)
2159 					goto out;
2160 
2161 				rc = context_read_and_validate(&c->context[0], p, fp);
2162 				if (rc)
2163 					goto out;
2164 				break;
2165 			case OCON_NODE6: {
2166 				int k;
2167 
2168 				rc = next_entry(nodebuf, fp, sizeof(u32) * 8);
2169 				if (rc)
2170 					goto out;
2171 				for (k = 0; k < 4; k++)
2172 					c->u.node6.addr[k] = nodebuf[k];
2173 				for (k = 0; k < 4; k++)
2174 					c->u.node6.mask[k] = nodebuf[k+4];
2175 				rc = context_read_and_validate(&c->context[0], p, fp);
2176 				if (rc)
2177 					goto out;
2178 				break;
2179 			}
2180 			case OCON_IBPKEY: {
2181 				u32 pkey_lo, pkey_hi;
2182 
2183 				rc = next_entry(prefixbuf, fp, sizeof(u64));
2184 				if (rc)
2185 					goto out;
2186 
2187 				/* we need to have subnet_prefix in CPU order */
2188 				c->u.ibpkey.subnet_prefix = be64_to_cpu(prefixbuf[0]);
2189 
2190 				rc = next_entry(buf, fp, sizeof(u32) * 2);
2191 				if (rc)
2192 					goto out;
2193 
2194 				pkey_lo = le32_to_cpu(buf[0]);
2195 				pkey_hi = le32_to_cpu(buf[1]);
2196 
2197 				if (pkey_lo > U16_MAX || pkey_hi > U16_MAX) {
2198 					rc = -EINVAL;
2199 					goto out;
2200 				}
2201 
2202 				c->u.ibpkey.low_pkey  = pkey_lo;
2203 				c->u.ibpkey.high_pkey = pkey_hi;
2204 
2205 				rc = context_read_and_validate(&c->context[0],
2206 							       p,
2207 							       fp);
2208 				if (rc)
2209 					goto out;
2210 				break;
2211 			}
2212 			case OCON_IBENDPORT: {
2213 				u32 port;
2214 
2215 				rc = next_entry(buf, fp, sizeof(u32) * 2);
2216 				if (rc)
2217 					goto out;
2218 				len = le32_to_cpu(buf[0]);
2219 
2220 				rc = str_read(&c->u.ibendport.dev_name, GFP_KERNEL, fp, len);
2221 				if (rc)
2222 					goto out;
2223 
2224 				port = le32_to_cpu(buf[1]);
2225 				if (port > U8_MAX || port == 0) {
2226 					rc = -EINVAL;
2227 					goto out;
2228 				}
2229 
2230 				c->u.ibendport.port = port;
2231 
2232 				rc = context_read_and_validate(&c->context[0],
2233 							       p,
2234 							       fp);
2235 				if (rc)
2236 					goto out;
2237 				break;
2238 			} /* end case */
2239 			} /* end switch */
2240 		}
2241 	}
2242 	rc = 0;
2243 out:
2244 	return rc;
2245 }
2246 
2247 /*
2248  * Read the configuration data from a policy database binary
2249  * representation file into a policy database structure.
2250  */
2251 int policydb_read(struct policydb *p, void *fp)
2252 {
2253 	struct role_allow *ra, *lra;
2254 	struct role_trans *tr, *ltr;
2255 	int i, j, rc;
2256 	__le32 buf[4];
2257 	u32 len, nprim, nel;
2258 
2259 	char *policydb_str;
2260 	struct policydb_compat_info *info;
2261 
2262 	rc = policydb_init(p);
2263 	if (rc)
2264 		return rc;
2265 
2266 	/* Read the magic number and string length. */
2267 	rc = next_entry(buf, fp, sizeof(u32) * 2);
2268 	if (rc)
2269 		goto bad;
2270 
2271 	rc = -EINVAL;
2272 	if (le32_to_cpu(buf[0]) != POLICYDB_MAGIC) {
2273 		pr_err("SELinux:  policydb magic number 0x%x does "
2274 		       "not match expected magic number 0x%x\n",
2275 		       le32_to_cpu(buf[0]), POLICYDB_MAGIC);
2276 		goto bad;
2277 	}
2278 
2279 	rc = -EINVAL;
2280 	len = le32_to_cpu(buf[1]);
2281 	if (len != strlen(POLICYDB_STRING)) {
2282 		pr_err("SELinux:  policydb string length %d does not "
2283 		       "match expected length %zu\n",
2284 		       len, strlen(POLICYDB_STRING));
2285 		goto bad;
2286 	}
2287 
2288 	rc = -ENOMEM;
2289 	policydb_str = kmalloc(len + 1, GFP_KERNEL);
2290 	if (!policydb_str) {
2291 		pr_err("SELinux:  unable to allocate memory for policydb "
2292 		       "string of length %d\n", len);
2293 		goto bad;
2294 	}
2295 
2296 	rc = next_entry(policydb_str, fp, len);
2297 	if (rc) {
2298 		pr_err("SELinux:  truncated policydb string identifier\n");
2299 		kfree(policydb_str);
2300 		goto bad;
2301 	}
2302 
2303 	rc = -EINVAL;
2304 	policydb_str[len] = '\0';
2305 	if (strcmp(policydb_str, POLICYDB_STRING)) {
2306 		pr_err("SELinux:  policydb string %s does not match "
2307 		       "my string %s\n", policydb_str, POLICYDB_STRING);
2308 		kfree(policydb_str);
2309 		goto bad;
2310 	}
2311 	/* Done with policydb_str. */
2312 	kfree(policydb_str);
2313 	policydb_str = NULL;
2314 
2315 	/* Read the version and table sizes. */
2316 	rc = next_entry(buf, fp, sizeof(u32)*4);
2317 	if (rc)
2318 		goto bad;
2319 
2320 	rc = -EINVAL;
2321 	p->policyvers = le32_to_cpu(buf[0]);
2322 	if (p->policyvers < POLICYDB_VERSION_MIN ||
2323 	    p->policyvers > POLICYDB_VERSION_MAX) {
2324 		pr_err("SELinux:  policydb version %d does not match "
2325 		       "my version range %d-%d\n",
2326 		       le32_to_cpu(buf[0]), POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
2327 		goto bad;
2328 	}
2329 
2330 	if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_MLS)) {
2331 		p->mls_enabled = 1;
2332 
2333 		rc = -EINVAL;
2334 		if (p->policyvers < POLICYDB_VERSION_MLS) {
2335 			pr_err("SELinux: security policydb version %d "
2336 				"(MLS) not backwards compatible\n",
2337 				p->policyvers);
2338 			goto bad;
2339 		}
2340 	}
2341 	p->reject_unknown = !!(le32_to_cpu(buf[1]) & REJECT_UNKNOWN);
2342 	p->allow_unknown = !!(le32_to_cpu(buf[1]) & ALLOW_UNKNOWN);
2343 
2344 	if (p->policyvers >= POLICYDB_VERSION_POLCAP) {
2345 		rc = ebitmap_read(&p->policycaps, fp);
2346 		if (rc)
2347 			goto bad;
2348 	}
2349 
2350 	if (p->policyvers >= POLICYDB_VERSION_PERMISSIVE) {
2351 		rc = ebitmap_read(&p->permissive_map, fp);
2352 		if (rc)
2353 			goto bad;
2354 	}
2355 
2356 	rc = -EINVAL;
2357 	info = policydb_lookup_compat(p->policyvers);
2358 	if (!info) {
2359 		pr_err("SELinux:  unable to find policy compat info "
2360 		       "for version %d\n", p->policyvers);
2361 		goto bad;
2362 	}
2363 
2364 	rc = -EINVAL;
2365 	if (le32_to_cpu(buf[2]) != info->sym_num ||
2366 		le32_to_cpu(buf[3]) != info->ocon_num) {
2367 		pr_err("SELinux:  policydb table sizes (%d,%d) do "
2368 		       "not match mine (%d,%d)\n", le32_to_cpu(buf[2]),
2369 			le32_to_cpu(buf[3]),
2370 		       info->sym_num, info->ocon_num);
2371 		goto bad;
2372 	}
2373 
2374 	for (i = 0; i < info->sym_num; i++) {
2375 		rc = next_entry(buf, fp, sizeof(u32)*2);
2376 		if (rc)
2377 			goto bad;
2378 		nprim = le32_to_cpu(buf[0]);
2379 		nel = le32_to_cpu(buf[1]);
2380 
2381 		rc = symtab_init(&p->symtab[i], nel);
2382 		if (rc)
2383 			goto out;
2384 
2385 		if (i == SYM_ROLES) {
2386 			rc = roles_init(p);
2387 			if (rc)
2388 				goto out;
2389 		}
2390 
2391 		for (j = 0; j < nel; j++) {
2392 			rc = read_f[i](p, p->symtab[i].table, fp);
2393 			if (rc)
2394 				goto bad;
2395 		}
2396 
2397 		p->symtab[i].nprim = nprim;
2398 	}
2399 
2400 	rc = -EINVAL;
2401 	p->process_class = string_to_security_class(p, "process");
2402 	if (!p->process_class)
2403 		goto bad;
2404 
2405 	rc = avtab_read(&p->te_avtab, fp, p);
2406 	if (rc)
2407 		goto bad;
2408 
2409 	if (p->policyvers >= POLICYDB_VERSION_BOOL) {
2410 		rc = cond_read_list(p, fp);
2411 		if (rc)
2412 			goto bad;
2413 	}
2414 
2415 	rc = next_entry(buf, fp, sizeof(u32));
2416 	if (rc)
2417 		goto bad;
2418 	nel = le32_to_cpu(buf[0]);
2419 	ltr = NULL;
2420 	for (i = 0; i < nel; i++) {
2421 		rc = -ENOMEM;
2422 		tr = kzalloc(sizeof(*tr), GFP_KERNEL);
2423 		if (!tr)
2424 			goto bad;
2425 		if (ltr)
2426 			ltr->next = tr;
2427 		else
2428 			p->role_tr = tr;
2429 		rc = next_entry(buf, fp, sizeof(u32)*3);
2430 		if (rc)
2431 			goto bad;
2432 
2433 		rc = -EINVAL;
2434 		tr->role = le32_to_cpu(buf[0]);
2435 		tr->type = le32_to_cpu(buf[1]);
2436 		tr->new_role = le32_to_cpu(buf[2]);
2437 		if (p->policyvers >= POLICYDB_VERSION_ROLETRANS) {
2438 			rc = next_entry(buf, fp, sizeof(u32));
2439 			if (rc)
2440 				goto bad;
2441 			tr->tclass = le32_to_cpu(buf[0]);
2442 		} else
2443 			tr->tclass = p->process_class;
2444 
2445 		rc = -EINVAL;
2446 		if (!policydb_role_isvalid(p, tr->role) ||
2447 		    !policydb_type_isvalid(p, tr->type) ||
2448 		    !policydb_class_isvalid(p, tr->tclass) ||
2449 		    !policydb_role_isvalid(p, tr->new_role))
2450 			goto bad;
2451 		ltr = tr;
2452 	}
2453 
2454 	rc = next_entry(buf, fp, sizeof(u32));
2455 	if (rc)
2456 		goto bad;
2457 	nel = le32_to_cpu(buf[0]);
2458 	lra = NULL;
2459 	for (i = 0; i < nel; i++) {
2460 		rc = -ENOMEM;
2461 		ra = kzalloc(sizeof(*ra), GFP_KERNEL);
2462 		if (!ra)
2463 			goto bad;
2464 		if (lra)
2465 			lra->next = ra;
2466 		else
2467 			p->role_allow = ra;
2468 		rc = next_entry(buf, fp, sizeof(u32)*2);
2469 		if (rc)
2470 			goto bad;
2471 
2472 		rc = -EINVAL;
2473 		ra->role = le32_to_cpu(buf[0]);
2474 		ra->new_role = le32_to_cpu(buf[1]);
2475 		if (!policydb_role_isvalid(p, ra->role) ||
2476 		    !policydb_role_isvalid(p, ra->new_role))
2477 			goto bad;
2478 		lra = ra;
2479 	}
2480 
2481 	rc = filename_trans_read(p, fp);
2482 	if (rc)
2483 		goto bad;
2484 
2485 	rc = policydb_index(p);
2486 	if (rc)
2487 		goto bad;
2488 
2489 	rc = -EINVAL;
2490 	p->process_trans_perms = string_to_av_perm(p, p->process_class, "transition");
2491 	p->process_trans_perms |= string_to_av_perm(p, p->process_class, "dyntransition");
2492 	if (!p->process_trans_perms)
2493 		goto bad;
2494 
2495 	rc = ocontext_read(p, info, fp);
2496 	if (rc)
2497 		goto bad;
2498 
2499 	rc = genfs_read(p, fp);
2500 	if (rc)
2501 		goto bad;
2502 
2503 	rc = range_read(p, fp);
2504 	if (rc)
2505 		goto bad;
2506 
2507 	p->type_attr_map_array = kvcalloc(p->p_types.nprim,
2508 					  sizeof(*p->type_attr_map_array),
2509 					  GFP_KERNEL);
2510 	if (!p->type_attr_map_array)
2511 		goto bad;
2512 
2513 	/* just in case ebitmap_init() becomes more than just a memset(0): */
2514 	for (i = 0; i < p->p_types.nprim; i++)
2515 		ebitmap_init(&p->type_attr_map_array[i]);
2516 
2517 	for (i = 0; i < p->p_types.nprim; i++) {
2518 		struct ebitmap *e = &p->type_attr_map_array[i];
2519 
2520 		if (p->policyvers >= POLICYDB_VERSION_AVTAB) {
2521 			rc = ebitmap_read(e, fp);
2522 			if (rc)
2523 				goto bad;
2524 		}
2525 		/* add the type itself as the degenerate case */
2526 		rc = ebitmap_set_bit(e, i, 1);
2527 		if (rc)
2528 			goto bad;
2529 	}
2530 
2531 	rc = policydb_bounds_sanity_check(p);
2532 	if (rc)
2533 		goto bad;
2534 
2535 	rc = 0;
2536 out:
2537 	return rc;
2538 bad:
2539 	policydb_destroy(p);
2540 	goto out;
2541 }
2542 
2543 /*
2544  * Write a MLS level structure to a policydb binary
2545  * representation file.
2546  */
2547 static int mls_write_level(struct mls_level *l, void *fp)
2548 {
2549 	__le32 buf[1];
2550 	int rc;
2551 
2552 	buf[0] = cpu_to_le32(l->sens);
2553 	rc = put_entry(buf, sizeof(u32), 1, fp);
2554 	if (rc)
2555 		return rc;
2556 
2557 	rc = ebitmap_write(&l->cat, fp);
2558 	if (rc)
2559 		return rc;
2560 
2561 	return 0;
2562 }
2563 
2564 /*
2565  * Write a MLS range structure to a policydb binary
2566  * representation file.
2567  */
2568 static int mls_write_range_helper(struct mls_range *r, void *fp)
2569 {
2570 	__le32 buf[3];
2571 	size_t items;
2572 	int rc, eq;
2573 
2574 	eq = mls_level_eq(&r->level[1], &r->level[0]);
2575 
2576 	if (eq)
2577 		items = 2;
2578 	else
2579 		items = 3;
2580 	buf[0] = cpu_to_le32(items-1);
2581 	buf[1] = cpu_to_le32(r->level[0].sens);
2582 	if (!eq)
2583 		buf[2] = cpu_to_le32(r->level[1].sens);
2584 
2585 	BUG_ON(items > ARRAY_SIZE(buf));
2586 
2587 	rc = put_entry(buf, sizeof(u32), items, fp);
2588 	if (rc)
2589 		return rc;
2590 
2591 	rc = ebitmap_write(&r->level[0].cat, fp);
2592 	if (rc)
2593 		return rc;
2594 	if (!eq) {
2595 		rc = ebitmap_write(&r->level[1].cat, fp);
2596 		if (rc)
2597 			return rc;
2598 	}
2599 
2600 	return 0;
2601 }
2602 
2603 static int sens_write(void *vkey, void *datum, void *ptr)
2604 {
2605 	char *key = vkey;
2606 	struct level_datum *levdatum = datum;
2607 	struct policy_data *pd = ptr;
2608 	void *fp = pd->fp;
2609 	__le32 buf[2];
2610 	size_t len;
2611 	int rc;
2612 
2613 	len = strlen(key);
2614 	buf[0] = cpu_to_le32(len);
2615 	buf[1] = cpu_to_le32(levdatum->isalias);
2616 	rc = put_entry(buf, sizeof(u32), 2, fp);
2617 	if (rc)
2618 		return rc;
2619 
2620 	rc = put_entry(key, 1, len, fp);
2621 	if (rc)
2622 		return rc;
2623 
2624 	rc = mls_write_level(levdatum->level, fp);
2625 	if (rc)
2626 		return rc;
2627 
2628 	return 0;
2629 }
2630 
2631 static int cat_write(void *vkey, void *datum, void *ptr)
2632 {
2633 	char *key = vkey;
2634 	struct cat_datum *catdatum = datum;
2635 	struct policy_data *pd = ptr;
2636 	void *fp = pd->fp;
2637 	__le32 buf[3];
2638 	size_t len;
2639 	int rc;
2640 
2641 	len = strlen(key);
2642 	buf[0] = cpu_to_le32(len);
2643 	buf[1] = cpu_to_le32(catdatum->value);
2644 	buf[2] = cpu_to_le32(catdatum->isalias);
2645 	rc = put_entry(buf, sizeof(u32), 3, fp);
2646 	if (rc)
2647 		return rc;
2648 
2649 	rc = put_entry(key, 1, len, fp);
2650 	if (rc)
2651 		return rc;
2652 
2653 	return 0;
2654 }
2655 
2656 static int role_trans_write(struct policydb *p, void *fp)
2657 {
2658 	struct role_trans *r = p->role_tr;
2659 	struct role_trans *tr;
2660 	__le32 buf[3];
2661 	size_t nel;
2662 	int rc;
2663 
2664 	nel = 0;
2665 	for (tr = r; tr; tr = tr->next)
2666 		nel++;
2667 	buf[0] = cpu_to_le32(nel);
2668 	rc = put_entry(buf, sizeof(u32), 1, fp);
2669 	if (rc)
2670 		return rc;
2671 	for (tr = r; tr; tr = tr->next) {
2672 		buf[0] = cpu_to_le32(tr->role);
2673 		buf[1] = cpu_to_le32(tr->type);
2674 		buf[2] = cpu_to_le32(tr->new_role);
2675 		rc = put_entry(buf, sizeof(u32), 3, fp);
2676 		if (rc)
2677 			return rc;
2678 		if (p->policyvers >= POLICYDB_VERSION_ROLETRANS) {
2679 			buf[0] = cpu_to_le32(tr->tclass);
2680 			rc = put_entry(buf, sizeof(u32), 1, fp);
2681 			if (rc)
2682 				return rc;
2683 		}
2684 	}
2685 
2686 	return 0;
2687 }
2688 
2689 static int role_allow_write(struct role_allow *r, void *fp)
2690 {
2691 	struct role_allow *ra;
2692 	__le32 buf[2];
2693 	size_t nel;
2694 	int rc;
2695 
2696 	nel = 0;
2697 	for (ra = r; ra; ra = ra->next)
2698 		nel++;
2699 	buf[0] = cpu_to_le32(nel);
2700 	rc = put_entry(buf, sizeof(u32), 1, fp);
2701 	if (rc)
2702 		return rc;
2703 	for (ra = r; ra; ra = ra->next) {
2704 		buf[0] = cpu_to_le32(ra->role);
2705 		buf[1] = cpu_to_le32(ra->new_role);
2706 		rc = put_entry(buf, sizeof(u32), 2, fp);
2707 		if (rc)
2708 			return rc;
2709 	}
2710 	return 0;
2711 }
2712 
2713 /*
2714  * Write a security context structure
2715  * to a policydb binary representation file.
2716  */
2717 static int context_write(struct policydb *p, struct context *c,
2718 			 void *fp)
2719 {
2720 	int rc;
2721 	__le32 buf[3];
2722 
2723 	buf[0] = cpu_to_le32(c->user);
2724 	buf[1] = cpu_to_le32(c->role);
2725 	buf[2] = cpu_to_le32(c->type);
2726 
2727 	rc = put_entry(buf, sizeof(u32), 3, fp);
2728 	if (rc)
2729 		return rc;
2730 
2731 	rc = mls_write_range_helper(&c->range, fp);
2732 	if (rc)
2733 		return rc;
2734 
2735 	return 0;
2736 }
2737 
2738 /*
2739  * The following *_write functions are used to
2740  * write the symbol data to a policy database
2741  * binary representation file.
2742  */
2743 
2744 static int perm_write(void *vkey, void *datum, void *fp)
2745 {
2746 	char *key = vkey;
2747 	struct perm_datum *perdatum = datum;
2748 	__le32 buf[2];
2749 	size_t len;
2750 	int rc;
2751 
2752 	len = strlen(key);
2753 	buf[0] = cpu_to_le32(len);
2754 	buf[1] = cpu_to_le32(perdatum->value);
2755 	rc = put_entry(buf, sizeof(u32), 2, fp);
2756 	if (rc)
2757 		return rc;
2758 
2759 	rc = put_entry(key, 1, len, fp);
2760 	if (rc)
2761 		return rc;
2762 
2763 	return 0;
2764 }
2765 
2766 static int common_write(void *vkey, void *datum, void *ptr)
2767 {
2768 	char *key = vkey;
2769 	struct common_datum *comdatum = datum;
2770 	struct policy_data *pd = ptr;
2771 	void *fp = pd->fp;
2772 	__le32 buf[4];
2773 	size_t len;
2774 	int rc;
2775 
2776 	len = strlen(key);
2777 	buf[0] = cpu_to_le32(len);
2778 	buf[1] = cpu_to_le32(comdatum->value);
2779 	buf[2] = cpu_to_le32(comdatum->permissions.nprim);
2780 	buf[3] = cpu_to_le32(comdatum->permissions.table->nel);
2781 	rc = put_entry(buf, sizeof(u32), 4, fp);
2782 	if (rc)
2783 		return rc;
2784 
2785 	rc = put_entry(key, 1, len, fp);
2786 	if (rc)
2787 		return rc;
2788 
2789 	rc = hashtab_map(comdatum->permissions.table, perm_write, fp);
2790 	if (rc)
2791 		return rc;
2792 
2793 	return 0;
2794 }
2795 
2796 static int type_set_write(struct type_set *t, void *fp)
2797 {
2798 	int rc;
2799 	__le32 buf[1];
2800 
2801 	if (ebitmap_write(&t->types, fp))
2802 		return -EINVAL;
2803 	if (ebitmap_write(&t->negset, fp))
2804 		return -EINVAL;
2805 
2806 	buf[0] = cpu_to_le32(t->flags);
2807 	rc = put_entry(buf, sizeof(u32), 1, fp);
2808 	if (rc)
2809 		return -EINVAL;
2810 
2811 	return 0;
2812 }
2813 
2814 static int write_cons_helper(struct policydb *p, struct constraint_node *node,
2815 			     void *fp)
2816 {
2817 	struct constraint_node *c;
2818 	struct constraint_expr *e;
2819 	__le32 buf[3];
2820 	u32 nel;
2821 	int rc;
2822 
2823 	for (c = node; c; c = c->next) {
2824 		nel = 0;
2825 		for (e = c->expr; e; e = e->next)
2826 			nel++;
2827 		buf[0] = cpu_to_le32(c->permissions);
2828 		buf[1] = cpu_to_le32(nel);
2829 		rc = put_entry(buf, sizeof(u32), 2, fp);
2830 		if (rc)
2831 			return rc;
2832 		for (e = c->expr; e; e = e->next) {
2833 			buf[0] = cpu_to_le32(e->expr_type);
2834 			buf[1] = cpu_to_le32(e->attr);
2835 			buf[2] = cpu_to_le32(e->op);
2836 			rc = put_entry(buf, sizeof(u32), 3, fp);
2837 			if (rc)
2838 				return rc;
2839 
2840 			switch (e->expr_type) {
2841 			case CEXPR_NAMES:
2842 				rc = ebitmap_write(&e->names, fp);
2843 				if (rc)
2844 					return rc;
2845 				if (p->policyvers >=
2846 					POLICYDB_VERSION_CONSTRAINT_NAMES) {
2847 					rc = type_set_write(e->type_names, fp);
2848 					if (rc)
2849 						return rc;
2850 				}
2851 				break;
2852 			default:
2853 				break;
2854 			}
2855 		}
2856 	}
2857 
2858 	return 0;
2859 }
2860 
2861 static int class_write(void *vkey, void *datum, void *ptr)
2862 {
2863 	char *key = vkey;
2864 	struct class_datum *cladatum = datum;
2865 	struct policy_data *pd = ptr;
2866 	void *fp = pd->fp;
2867 	struct policydb *p = pd->p;
2868 	struct constraint_node *c;
2869 	__le32 buf[6];
2870 	u32 ncons;
2871 	size_t len, len2;
2872 	int rc;
2873 
2874 	len = strlen(key);
2875 	if (cladatum->comkey)
2876 		len2 = strlen(cladatum->comkey);
2877 	else
2878 		len2 = 0;
2879 
2880 	ncons = 0;
2881 	for (c = cladatum->constraints; c; c = c->next)
2882 		ncons++;
2883 
2884 	buf[0] = cpu_to_le32(len);
2885 	buf[1] = cpu_to_le32(len2);
2886 	buf[2] = cpu_to_le32(cladatum->value);
2887 	buf[3] = cpu_to_le32(cladatum->permissions.nprim);
2888 	if (cladatum->permissions.table)
2889 		buf[4] = cpu_to_le32(cladatum->permissions.table->nel);
2890 	else
2891 		buf[4] = 0;
2892 	buf[5] = cpu_to_le32(ncons);
2893 	rc = put_entry(buf, sizeof(u32), 6, fp);
2894 	if (rc)
2895 		return rc;
2896 
2897 	rc = put_entry(key, 1, len, fp);
2898 	if (rc)
2899 		return rc;
2900 
2901 	if (cladatum->comkey) {
2902 		rc = put_entry(cladatum->comkey, 1, len2, fp);
2903 		if (rc)
2904 			return rc;
2905 	}
2906 
2907 	rc = hashtab_map(cladatum->permissions.table, perm_write, fp);
2908 	if (rc)
2909 		return rc;
2910 
2911 	rc = write_cons_helper(p, cladatum->constraints, fp);
2912 	if (rc)
2913 		return rc;
2914 
2915 	/* write out the validatetrans rule */
2916 	ncons = 0;
2917 	for (c = cladatum->validatetrans; c; c = c->next)
2918 		ncons++;
2919 
2920 	buf[0] = cpu_to_le32(ncons);
2921 	rc = put_entry(buf, sizeof(u32), 1, fp);
2922 	if (rc)
2923 		return rc;
2924 
2925 	rc = write_cons_helper(p, cladatum->validatetrans, fp);
2926 	if (rc)
2927 		return rc;
2928 
2929 	if (p->policyvers >= POLICYDB_VERSION_NEW_OBJECT_DEFAULTS) {
2930 		buf[0] = cpu_to_le32(cladatum->default_user);
2931 		buf[1] = cpu_to_le32(cladatum->default_role);
2932 		buf[2] = cpu_to_le32(cladatum->default_range);
2933 
2934 		rc = put_entry(buf, sizeof(uint32_t), 3, fp);
2935 		if (rc)
2936 			return rc;
2937 	}
2938 
2939 	if (p->policyvers >= POLICYDB_VERSION_DEFAULT_TYPE) {
2940 		buf[0] = cpu_to_le32(cladatum->default_type);
2941 		rc = put_entry(buf, sizeof(uint32_t), 1, fp);
2942 		if (rc)
2943 			return rc;
2944 	}
2945 
2946 	return 0;
2947 }
2948 
2949 static int role_write(void *vkey, void *datum, void *ptr)
2950 {
2951 	char *key = vkey;
2952 	struct role_datum *role = datum;
2953 	struct policy_data *pd = ptr;
2954 	void *fp = pd->fp;
2955 	struct policydb *p = pd->p;
2956 	__le32 buf[3];
2957 	size_t items, len;
2958 	int rc;
2959 
2960 	len = strlen(key);
2961 	items = 0;
2962 	buf[items++] = cpu_to_le32(len);
2963 	buf[items++] = cpu_to_le32(role->value);
2964 	if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
2965 		buf[items++] = cpu_to_le32(role->bounds);
2966 
2967 	BUG_ON(items > ARRAY_SIZE(buf));
2968 
2969 	rc = put_entry(buf, sizeof(u32), items, fp);
2970 	if (rc)
2971 		return rc;
2972 
2973 	rc = put_entry(key, 1, len, fp);
2974 	if (rc)
2975 		return rc;
2976 
2977 	rc = ebitmap_write(&role->dominates, fp);
2978 	if (rc)
2979 		return rc;
2980 
2981 	rc = ebitmap_write(&role->types, fp);
2982 	if (rc)
2983 		return rc;
2984 
2985 	return 0;
2986 }
2987 
2988 static int type_write(void *vkey, void *datum, void *ptr)
2989 {
2990 	char *key = vkey;
2991 	struct type_datum *typdatum = datum;
2992 	struct policy_data *pd = ptr;
2993 	struct policydb *p = pd->p;
2994 	void *fp = pd->fp;
2995 	__le32 buf[4];
2996 	int rc;
2997 	size_t items, len;
2998 
2999 	len = strlen(key);
3000 	items = 0;
3001 	buf[items++] = cpu_to_le32(len);
3002 	buf[items++] = cpu_to_le32(typdatum->value);
3003 	if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) {
3004 		u32 properties = 0;
3005 
3006 		if (typdatum->primary)
3007 			properties |= TYPEDATUM_PROPERTY_PRIMARY;
3008 
3009 		if (typdatum->attribute)
3010 			properties |= TYPEDATUM_PROPERTY_ATTRIBUTE;
3011 
3012 		buf[items++] = cpu_to_le32(properties);
3013 		buf[items++] = cpu_to_le32(typdatum->bounds);
3014 	} else {
3015 		buf[items++] = cpu_to_le32(typdatum->primary);
3016 	}
3017 	BUG_ON(items > ARRAY_SIZE(buf));
3018 	rc = put_entry(buf, sizeof(u32), items, fp);
3019 	if (rc)
3020 		return rc;
3021 
3022 	rc = put_entry(key, 1, len, fp);
3023 	if (rc)
3024 		return rc;
3025 
3026 	return 0;
3027 }
3028 
3029 static int user_write(void *vkey, void *datum, void *ptr)
3030 {
3031 	char *key = vkey;
3032 	struct user_datum *usrdatum = datum;
3033 	struct policy_data *pd = ptr;
3034 	struct policydb *p = pd->p;
3035 	void *fp = pd->fp;
3036 	__le32 buf[3];
3037 	size_t items, len;
3038 	int rc;
3039 
3040 	len = strlen(key);
3041 	items = 0;
3042 	buf[items++] = cpu_to_le32(len);
3043 	buf[items++] = cpu_to_le32(usrdatum->value);
3044 	if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
3045 		buf[items++] = cpu_to_le32(usrdatum->bounds);
3046 	BUG_ON(items > ARRAY_SIZE(buf));
3047 	rc = put_entry(buf, sizeof(u32), items, fp);
3048 	if (rc)
3049 		return rc;
3050 
3051 	rc = put_entry(key, 1, len, fp);
3052 	if (rc)
3053 		return rc;
3054 
3055 	rc = ebitmap_write(&usrdatum->roles, fp);
3056 	if (rc)
3057 		return rc;
3058 
3059 	rc = mls_write_range_helper(&usrdatum->range, fp);
3060 	if (rc)
3061 		return rc;
3062 
3063 	rc = mls_write_level(&usrdatum->dfltlevel, fp);
3064 	if (rc)
3065 		return rc;
3066 
3067 	return 0;
3068 }
3069 
3070 static int (*write_f[SYM_NUM]) (void *key, void *datum,
3071 				void *datap) =
3072 {
3073 	common_write,
3074 	class_write,
3075 	role_write,
3076 	type_write,
3077 	user_write,
3078 	cond_write_bool,
3079 	sens_write,
3080 	cat_write,
3081 };
3082 
3083 static int ocontext_write(struct policydb *p, struct policydb_compat_info *info,
3084 			  void *fp)
3085 {
3086 	unsigned int i, j, rc;
3087 	size_t nel, len;
3088 	__be64 prefixbuf[1];
3089 	__le32 buf[3];
3090 	u32 nodebuf[8];
3091 	struct ocontext *c;
3092 	for (i = 0; i < info->ocon_num; i++) {
3093 		nel = 0;
3094 		for (c = p->ocontexts[i]; c; c = c->next)
3095 			nel++;
3096 		buf[0] = cpu_to_le32(nel);
3097 		rc = put_entry(buf, sizeof(u32), 1, fp);
3098 		if (rc)
3099 			return rc;
3100 		for (c = p->ocontexts[i]; c; c = c->next) {
3101 			switch (i) {
3102 			case OCON_ISID:
3103 				buf[0] = cpu_to_le32(c->sid[0]);
3104 				rc = put_entry(buf, sizeof(u32), 1, fp);
3105 				if (rc)
3106 					return rc;
3107 				rc = context_write(p, &c->context[0], fp);
3108 				if (rc)
3109 					return rc;
3110 				break;
3111 			case OCON_FS:
3112 			case OCON_NETIF:
3113 				len = strlen(c->u.name);
3114 				buf[0] = cpu_to_le32(len);
3115 				rc = put_entry(buf, sizeof(u32), 1, fp);
3116 				if (rc)
3117 					return rc;
3118 				rc = put_entry(c->u.name, 1, len, fp);
3119 				if (rc)
3120 					return rc;
3121 				rc = context_write(p, &c->context[0], fp);
3122 				if (rc)
3123 					return rc;
3124 				rc = context_write(p, &c->context[1], fp);
3125 				if (rc)
3126 					return rc;
3127 				break;
3128 			case OCON_PORT:
3129 				buf[0] = cpu_to_le32(c->u.port.protocol);
3130 				buf[1] = cpu_to_le32(c->u.port.low_port);
3131 				buf[2] = cpu_to_le32(c->u.port.high_port);
3132 				rc = put_entry(buf, sizeof(u32), 3, fp);
3133 				if (rc)
3134 					return rc;
3135 				rc = context_write(p, &c->context[0], fp);
3136 				if (rc)
3137 					return rc;
3138 				break;
3139 			case OCON_NODE:
3140 				nodebuf[0] = c->u.node.addr; /* network order */
3141 				nodebuf[1] = c->u.node.mask; /* network order */
3142 				rc = put_entry(nodebuf, sizeof(u32), 2, fp);
3143 				if (rc)
3144 					return rc;
3145 				rc = context_write(p, &c->context[0], fp);
3146 				if (rc)
3147 					return rc;
3148 				break;
3149 			case OCON_FSUSE:
3150 				buf[0] = cpu_to_le32(c->v.behavior);
3151 				len = strlen(c->u.name);
3152 				buf[1] = cpu_to_le32(len);
3153 				rc = put_entry(buf, sizeof(u32), 2, fp);
3154 				if (rc)
3155 					return rc;
3156 				rc = put_entry(c->u.name, 1, len, fp);
3157 				if (rc)
3158 					return rc;
3159 				rc = context_write(p, &c->context[0], fp);
3160 				if (rc)
3161 					return rc;
3162 				break;
3163 			case OCON_NODE6:
3164 				for (j = 0; j < 4; j++)
3165 					nodebuf[j] = c->u.node6.addr[j]; /* network order */
3166 				for (j = 0; j < 4; j++)
3167 					nodebuf[j + 4] = c->u.node6.mask[j]; /* network order */
3168 				rc = put_entry(nodebuf, sizeof(u32), 8, fp);
3169 				if (rc)
3170 					return rc;
3171 				rc = context_write(p, &c->context[0], fp);
3172 				if (rc)
3173 					return rc;
3174 				break;
3175 			case OCON_IBPKEY:
3176 				/* subnet_prefix is in CPU order */
3177 				prefixbuf[0] = cpu_to_be64(c->u.ibpkey.subnet_prefix);
3178 
3179 				rc = put_entry(prefixbuf, sizeof(u64), 1, fp);
3180 				if (rc)
3181 					return rc;
3182 
3183 				buf[0] = cpu_to_le32(c->u.ibpkey.low_pkey);
3184 				buf[1] = cpu_to_le32(c->u.ibpkey.high_pkey);
3185 
3186 				rc = put_entry(buf, sizeof(u32), 2, fp);
3187 				if (rc)
3188 					return rc;
3189 				rc = context_write(p, &c->context[0], fp);
3190 				if (rc)
3191 					return rc;
3192 				break;
3193 			case OCON_IBENDPORT:
3194 				len = strlen(c->u.ibendport.dev_name);
3195 				buf[0] = cpu_to_le32(len);
3196 				buf[1] = cpu_to_le32(c->u.ibendport.port);
3197 				rc = put_entry(buf, sizeof(u32), 2, fp);
3198 				if (rc)
3199 					return rc;
3200 				rc = put_entry(c->u.ibendport.dev_name, 1, len, fp);
3201 				if (rc)
3202 					return rc;
3203 				rc = context_write(p, &c->context[0], fp);
3204 				if (rc)
3205 					return rc;
3206 				break;
3207 			}
3208 		}
3209 	}
3210 	return 0;
3211 }
3212 
3213 static int genfs_write(struct policydb *p, void *fp)
3214 {
3215 	struct genfs *genfs;
3216 	struct ocontext *c;
3217 	size_t len;
3218 	__le32 buf[1];
3219 	int rc;
3220 
3221 	len = 0;
3222 	for (genfs = p->genfs; genfs; genfs = genfs->next)
3223 		len++;
3224 	buf[0] = cpu_to_le32(len);
3225 	rc = put_entry(buf, sizeof(u32), 1, fp);
3226 	if (rc)
3227 		return rc;
3228 	for (genfs = p->genfs; genfs; genfs = genfs->next) {
3229 		len = strlen(genfs->fstype);
3230 		buf[0] = cpu_to_le32(len);
3231 		rc = put_entry(buf, sizeof(u32), 1, fp);
3232 		if (rc)
3233 			return rc;
3234 		rc = put_entry(genfs->fstype, 1, len, fp);
3235 		if (rc)
3236 			return rc;
3237 		len = 0;
3238 		for (c = genfs->head; c; c = c->next)
3239 			len++;
3240 		buf[0] = cpu_to_le32(len);
3241 		rc = put_entry(buf, sizeof(u32), 1, fp);
3242 		if (rc)
3243 			return rc;
3244 		for (c = genfs->head; c; c = c->next) {
3245 			len = strlen(c->u.name);
3246 			buf[0] = cpu_to_le32(len);
3247 			rc = put_entry(buf, sizeof(u32), 1, fp);
3248 			if (rc)
3249 				return rc;
3250 			rc = put_entry(c->u.name, 1, len, fp);
3251 			if (rc)
3252 				return rc;
3253 			buf[0] = cpu_to_le32(c->v.sclass);
3254 			rc = put_entry(buf, sizeof(u32), 1, fp);
3255 			if (rc)
3256 				return rc;
3257 			rc = context_write(p, &c->context[0], fp);
3258 			if (rc)
3259 				return rc;
3260 		}
3261 	}
3262 	return 0;
3263 }
3264 
3265 static int hashtab_cnt(void *key, void *data, void *ptr)
3266 {
3267 	int *cnt = ptr;
3268 	*cnt = *cnt + 1;
3269 
3270 	return 0;
3271 }
3272 
3273 static int range_write_helper(void *key, void *data, void *ptr)
3274 {
3275 	__le32 buf[2];
3276 	struct range_trans *rt = key;
3277 	struct mls_range *r = data;
3278 	struct policy_data *pd = ptr;
3279 	void *fp = pd->fp;
3280 	struct policydb *p = pd->p;
3281 	int rc;
3282 
3283 	buf[0] = cpu_to_le32(rt->source_type);
3284 	buf[1] = cpu_to_le32(rt->target_type);
3285 	rc = put_entry(buf, sizeof(u32), 2, fp);
3286 	if (rc)
3287 		return rc;
3288 	if (p->policyvers >= POLICYDB_VERSION_RANGETRANS) {
3289 		buf[0] = cpu_to_le32(rt->target_class);
3290 		rc = put_entry(buf, sizeof(u32), 1, fp);
3291 		if (rc)
3292 			return rc;
3293 	}
3294 	rc = mls_write_range_helper(r, fp);
3295 	if (rc)
3296 		return rc;
3297 
3298 	return 0;
3299 }
3300 
3301 static int range_write(struct policydb *p, void *fp)
3302 {
3303 	__le32 buf[1];
3304 	int rc, nel;
3305 	struct policy_data pd;
3306 
3307 	pd.p = p;
3308 	pd.fp = fp;
3309 
3310 	/* count the number of entries in the hashtab */
3311 	nel = 0;
3312 	rc = hashtab_map(p->range_tr, hashtab_cnt, &nel);
3313 	if (rc)
3314 		return rc;
3315 
3316 	buf[0] = cpu_to_le32(nel);
3317 	rc = put_entry(buf, sizeof(u32), 1, fp);
3318 	if (rc)
3319 		return rc;
3320 
3321 	/* actually write all of the entries */
3322 	rc = hashtab_map(p->range_tr, range_write_helper, &pd);
3323 	if (rc)
3324 		return rc;
3325 
3326 	return 0;
3327 }
3328 
3329 static int filename_write_helper(void *key, void *data, void *ptr)
3330 {
3331 	struct filename_trans_key *ft = key;
3332 	struct filename_trans_datum *datum = data;
3333 	struct ebitmap_node *node;
3334 	void *fp = ptr;
3335 	__le32 buf[4];
3336 	int rc;
3337 	u32 bit, len = strlen(ft->name);
3338 
3339 	do {
3340 		ebitmap_for_each_positive_bit(&datum->stypes, node, bit) {
3341 			buf[0] = cpu_to_le32(len);
3342 			rc = put_entry(buf, sizeof(u32), 1, fp);
3343 			if (rc)
3344 				return rc;
3345 
3346 			rc = put_entry(ft->name, sizeof(char), len, fp);
3347 			if (rc)
3348 				return rc;
3349 
3350 			buf[0] = cpu_to_le32(bit + 1);
3351 			buf[1] = cpu_to_le32(ft->ttype);
3352 			buf[2] = cpu_to_le32(ft->tclass);
3353 			buf[3] = cpu_to_le32(datum->otype);
3354 
3355 			rc = put_entry(buf, sizeof(u32), 4, fp);
3356 			if (rc)
3357 				return rc;
3358 		}
3359 
3360 		datum = datum->next;
3361 	} while (unlikely(datum));
3362 
3363 	return 0;
3364 }
3365 
3366 static int filename_trans_write(struct policydb *p, void *fp)
3367 {
3368 	__le32 buf[1];
3369 	int rc;
3370 
3371 	if (p->policyvers < POLICYDB_VERSION_FILENAME_TRANS)
3372 		return 0;
3373 
3374 	buf[0] = cpu_to_le32(p->filename_trans_count);
3375 	rc = put_entry(buf, sizeof(u32), 1, fp);
3376 	if (rc)
3377 		return rc;
3378 
3379 	rc = hashtab_map(p->filename_trans, filename_write_helper, fp);
3380 	if (rc)
3381 		return rc;
3382 
3383 	return 0;
3384 }
3385 
3386 /*
3387  * Write the configuration data in a policy database
3388  * structure to a policy database binary representation
3389  * file.
3390  */
3391 int policydb_write(struct policydb *p, void *fp)
3392 {
3393 	unsigned int i, num_syms;
3394 	int rc;
3395 	__le32 buf[4];
3396 	u32 config;
3397 	size_t len;
3398 	struct policydb_compat_info *info;
3399 
3400 	/*
3401 	 * refuse to write policy older than compressed avtab
3402 	 * to simplify the writer.  There are other tests dropped
3403 	 * since we assume this throughout the writer code.  Be
3404 	 * careful if you ever try to remove this restriction
3405 	 */
3406 	if (p->policyvers < POLICYDB_VERSION_AVTAB) {
3407 		pr_err("SELinux: refusing to write policy version %d."
3408 		       "  Because it is less than version %d\n", p->policyvers,
3409 		       POLICYDB_VERSION_AVTAB);
3410 		return -EINVAL;
3411 	}
3412 
3413 	config = 0;
3414 	if (p->mls_enabled)
3415 		config |= POLICYDB_CONFIG_MLS;
3416 
3417 	if (p->reject_unknown)
3418 		config |= REJECT_UNKNOWN;
3419 	if (p->allow_unknown)
3420 		config |= ALLOW_UNKNOWN;
3421 
3422 	/* Write the magic number and string identifiers. */
3423 	buf[0] = cpu_to_le32(POLICYDB_MAGIC);
3424 	len = strlen(POLICYDB_STRING);
3425 	buf[1] = cpu_to_le32(len);
3426 	rc = put_entry(buf, sizeof(u32), 2, fp);
3427 	if (rc)
3428 		return rc;
3429 	rc = put_entry(POLICYDB_STRING, 1, len, fp);
3430 	if (rc)
3431 		return rc;
3432 
3433 	/* Write the version, config, and table sizes. */
3434 	info = policydb_lookup_compat(p->policyvers);
3435 	if (!info) {
3436 		pr_err("SELinux: compatibility lookup failed for policy "
3437 		    "version %d", p->policyvers);
3438 		return -EINVAL;
3439 	}
3440 
3441 	buf[0] = cpu_to_le32(p->policyvers);
3442 	buf[1] = cpu_to_le32(config);
3443 	buf[2] = cpu_to_le32(info->sym_num);
3444 	buf[3] = cpu_to_le32(info->ocon_num);
3445 
3446 	rc = put_entry(buf, sizeof(u32), 4, fp);
3447 	if (rc)
3448 		return rc;
3449 
3450 	if (p->policyvers >= POLICYDB_VERSION_POLCAP) {
3451 		rc = ebitmap_write(&p->policycaps, fp);
3452 		if (rc)
3453 			return rc;
3454 	}
3455 
3456 	if (p->policyvers >= POLICYDB_VERSION_PERMISSIVE) {
3457 		rc = ebitmap_write(&p->permissive_map, fp);
3458 		if (rc)
3459 			return rc;
3460 	}
3461 
3462 	num_syms = info->sym_num;
3463 	for (i = 0; i < num_syms; i++) {
3464 		struct policy_data pd;
3465 
3466 		pd.fp = fp;
3467 		pd.p = p;
3468 
3469 		buf[0] = cpu_to_le32(p->symtab[i].nprim);
3470 		buf[1] = cpu_to_le32(p->symtab[i].table->nel);
3471 
3472 		rc = put_entry(buf, sizeof(u32), 2, fp);
3473 		if (rc)
3474 			return rc;
3475 		rc = hashtab_map(p->symtab[i].table, write_f[i], &pd);
3476 		if (rc)
3477 			return rc;
3478 	}
3479 
3480 	rc = avtab_write(p, &p->te_avtab, fp);
3481 	if (rc)
3482 		return rc;
3483 
3484 	rc = cond_write_list(p, fp);
3485 	if (rc)
3486 		return rc;
3487 
3488 	rc = role_trans_write(p, fp);
3489 	if (rc)
3490 		return rc;
3491 
3492 	rc = role_allow_write(p->role_allow, fp);
3493 	if (rc)
3494 		return rc;
3495 
3496 	rc = filename_trans_write(p, fp);
3497 	if (rc)
3498 		return rc;
3499 
3500 	rc = ocontext_write(p, info, fp);
3501 	if (rc)
3502 		return rc;
3503 
3504 	rc = genfs_write(p, fp);
3505 	if (rc)
3506 		return rc;
3507 
3508 	rc = range_write(p, fp);
3509 	if (rc)
3510 		return rc;
3511 
3512 	for (i = 0; i < p->p_types.nprim; i++) {
3513 		struct ebitmap *e = &p->type_attr_map_array[i];
3514 
3515 		rc = ebitmap_write(e, fp);
3516 		if (rc)
3517 			return rc;
3518 	}
3519 
3520 	return 0;
3521 }
3522