xref: /openbmc/linux/security/selinux/ss/policydb.c (revision 9ac8d3fb)
1 /*
2  * Implementation of the policy database.
3  *
4  * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
5  */
6 
7 /*
8  * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
9  *
10  *	Support for enhanced MLS infrastructure.
11  *
12  * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
13  *
14  *	Added conditional policy language extensions
15  *
16  * Updated: Hewlett-Packard <paul.moore@hp.com>
17  *
18  *      Added support for the policy capability bitmap
19  *
20  * Copyright (C) 2007 Hewlett-Packard Development Company, L.P.
21  * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
22  * Copyright (C) 2003 - 2004 Tresys Technology, LLC
23  *	This program is free software; you can redistribute it and/or modify
24  *	it under the terms of the GNU General Public License as published by
25  *	the Free Software Foundation, version 2.
26  */
27 
28 #include <linux/kernel.h>
29 #include <linux/sched.h>
30 #include <linux/slab.h>
31 #include <linux/string.h>
32 #include <linux/errno.h>
33 #include <linux/audit.h>
34 #include "security.h"
35 
36 #include "policydb.h"
37 #include "conditional.h"
38 #include "mls.h"
39 
40 #define _DEBUG_HASHES
41 
42 #ifdef DEBUG_HASHES
43 static char *symtab_name[SYM_NUM] = {
44 	"common prefixes",
45 	"classes",
46 	"roles",
47 	"types",
48 	"users",
49 	"bools",
50 	"levels",
51 	"categories",
52 };
53 #endif
54 
55 int selinux_mls_enabled;
56 
57 static unsigned int symtab_sizes[SYM_NUM] = {
58 	2,
59 	32,
60 	16,
61 	512,
62 	128,
63 	16,
64 	16,
65 	16,
66 };
67 
68 struct policydb_compat_info {
69 	int version;
70 	int sym_num;
71 	int ocon_num;
72 };
73 
74 /* These need to be updated if SYM_NUM or OCON_NUM changes */
75 static struct policydb_compat_info policydb_compat[] = {
76 	{
77 		.version	= POLICYDB_VERSION_BASE,
78 		.sym_num	= SYM_NUM - 3,
79 		.ocon_num	= OCON_NUM - 1,
80 	},
81 	{
82 		.version	= POLICYDB_VERSION_BOOL,
83 		.sym_num	= SYM_NUM - 2,
84 		.ocon_num	= OCON_NUM - 1,
85 	},
86 	{
87 		.version	= POLICYDB_VERSION_IPV6,
88 		.sym_num	= SYM_NUM - 2,
89 		.ocon_num	= OCON_NUM,
90 	},
91 	{
92 		.version	= POLICYDB_VERSION_NLCLASS,
93 		.sym_num	= SYM_NUM - 2,
94 		.ocon_num	= OCON_NUM,
95 	},
96 	{
97 		.version	= POLICYDB_VERSION_MLS,
98 		.sym_num	= SYM_NUM,
99 		.ocon_num	= OCON_NUM,
100 	},
101 	{
102 		.version	= POLICYDB_VERSION_AVTAB,
103 		.sym_num	= SYM_NUM,
104 		.ocon_num	= OCON_NUM,
105 	},
106 	{
107 		.version	= POLICYDB_VERSION_RANGETRANS,
108 		.sym_num	= SYM_NUM,
109 		.ocon_num	= OCON_NUM,
110 	},
111 	{
112 		.version	= POLICYDB_VERSION_POLCAP,
113 		.sym_num	= SYM_NUM,
114 		.ocon_num	= OCON_NUM,
115 	},
116 	{
117 		.version	= POLICYDB_VERSION_PERMISSIVE,
118 		.sym_num	= SYM_NUM,
119 		.ocon_num	= OCON_NUM,
120 	},
121 	{
122 		.version	= POLICYDB_VERSION_BOUNDARY,
123 		.sym_num	= SYM_NUM,
124 		.ocon_num	= OCON_NUM,
125 	},
126 };
127 
128 static struct policydb_compat_info *policydb_lookup_compat(int version)
129 {
130 	int i;
131 	struct policydb_compat_info *info = NULL;
132 
133 	for (i = 0; i < ARRAY_SIZE(policydb_compat); i++) {
134 		if (policydb_compat[i].version == version) {
135 			info = &policydb_compat[i];
136 			break;
137 		}
138 	}
139 	return info;
140 }
141 
142 /*
143  * Initialize the role table.
144  */
145 static int roles_init(struct policydb *p)
146 {
147 	char *key = NULL;
148 	int rc;
149 	struct role_datum *role;
150 
151 	role = kzalloc(sizeof(*role), GFP_KERNEL);
152 	if (!role) {
153 		rc = -ENOMEM;
154 		goto out;
155 	}
156 	role->value = ++p->p_roles.nprim;
157 	if (role->value != OBJECT_R_VAL) {
158 		rc = -EINVAL;
159 		goto out_free_role;
160 	}
161 	key = kmalloc(strlen(OBJECT_R)+1, GFP_KERNEL);
162 	if (!key) {
163 		rc = -ENOMEM;
164 		goto out_free_role;
165 	}
166 	strcpy(key, OBJECT_R);
167 	rc = hashtab_insert(p->p_roles.table, key, role);
168 	if (rc)
169 		goto out_free_key;
170 out:
171 	return rc;
172 
173 out_free_key:
174 	kfree(key);
175 out_free_role:
176 	kfree(role);
177 	goto out;
178 }
179 
180 /*
181  * Initialize a policy database structure.
182  */
183 static int policydb_init(struct policydb *p)
184 {
185 	int i, rc;
186 
187 	memset(p, 0, sizeof(*p));
188 
189 	for (i = 0; i < SYM_NUM; i++) {
190 		rc = symtab_init(&p->symtab[i], symtab_sizes[i]);
191 		if (rc)
192 			goto out_free_symtab;
193 	}
194 
195 	rc = avtab_init(&p->te_avtab);
196 	if (rc)
197 		goto out_free_symtab;
198 
199 	rc = roles_init(p);
200 	if (rc)
201 		goto out_free_symtab;
202 
203 	rc = cond_policydb_init(p);
204 	if (rc)
205 		goto out_free_symtab;
206 
207 	ebitmap_init(&p->policycaps);
208 	ebitmap_init(&p->permissive_map);
209 
210 out:
211 	return rc;
212 
213 out_free_symtab:
214 	for (i = 0; i < SYM_NUM; i++)
215 		hashtab_destroy(p->symtab[i].table);
216 	goto out;
217 }
218 
219 /*
220  * The following *_index functions are used to
221  * define the val_to_name and val_to_struct arrays
222  * in a policy database structure.  The val_to_name
223  * arrays are used when converting security context
224  * structures into string representations.  The
225  * val_to_struct arrays are used when the attributes
226  * of a class, role, or user are needed.
227  */
228 
229 static int common_index(void *key, void *datum, void *datap)
230 {
231 	struct policydb *p;
232 	struct common_datum *comdatum;
233 
234 	comdatum = datum;
235 	p = datap;
236 	if (!comdatum->value || comdatum->value > p->p_commons.nprim)
237 		return -EINVAL;
238 	p->p_common_val_to_name[comdatum->value - 1] = key;
239 	return 0;
240 }
241 
242 static int class_index(void *key, void *datum, void *datap)
243 {
244 	struct policydb *p;
245 	struct class_datum *cladatum;
246 
247 	cladatum = datum;
248 	p = datap;
249 	if (!cladatum->value || cladatum->value > p->p_classes.nprim)
250 		return -EINVAL;
251 	p->p_class_val_to_name[cladatum->value - 1] = key;
252 	p->class_val_to_struct[cladatum->value - 1] = cladatum;
253 	return 0;
254 }
255 
256 static int role_index(void *key, void *datum, void *datap)
257 {
258 	struct policydb *p;
259 	struct role_datum *role;
260 
261 	role = datum;
262 	p = datap;
263 	if (!role->value
264 	    || role->value > p->p_roles.nprim
265 	    || role->bounds > p->p_roles.nprim)
266 		return -EINVAL;
267 	p->p_role_val_to_name[role->value - 1] = key;
268 	p->role_val_to_struct[role->value - 1] = role;
269 	return 0;
270 }
271 
272 static int type_index(void *key, void *datum, void *datap)
273 {
274 	struct policydb *p;
275 	struct type_datum *typdatum;
276 
277 	typdatum = datum;
278 	p = datap;
279 
280 	if (typdatum->primary) {
281 		if (!typdatum->value
282 		    || typdatum->value > p->p_types.nprim
283 		    || typdatum->bounds > p->p_types.nprim)
284 			return -EINVAL;
285 		p->p_type_val_to_name[typdatum->value - 1] = key;
286 		p->type_val_to_struct[typdatum->value - 1] = typdatum;
287 	}
288 
289 	return 0;
290 }
291 
292 static int user_index(void *key, void *datum, void *datap)
293 {
294 	struct policydb *p;
295 	struct user_datum *usrdatum;
296 
297 	usrdatum = datum;
298 	p = datap;
299 	if (!usrdatum->value
300 	    || usrdatum->value > p->p_users.nprim
301 	    || usrdatum->bounds > p->p_users.nprim)
302 		return -EINVAL;
303 	p->p_user_val_to_name[usrdatum->value - 1] = key;
304 	p->user_val_to_struct[usrdatum->value - 1] = usrdatum;
305 	return 0;
306 }
307 
308 static int sens_index(void *key, void *datum, void *datap)
309 {
310 	struct policydb *p;
311 	struct level_datum *levdatum;
312 
313 	levdatum = datum;
314 	p = datap;
315 
316 	if (!levdatum->isalias) {
317 		if (!levdatum->level->sens ||
318 		    levdatum->level->sens > p->p_levels.nprim)
319 			return -EINVAL;
320 		p->p_sens_val_to_name[levdatum->level->sens - 1] = key;
321 	}
322 
323 	return 0;
324 }
325 
326 static int cat_index(void *key, void *datum, void *datap)
327 {
328 	struct policydb *p;
329 	struct cat_datum *catdatum;
330 
331 	catdatum = datum;
332 	p = datap;
333 
334 	if (!catdatum->isalias) {
335 		if (!catdatum->value || catdatum->value > p->p_cats.nprim)
336 			return -EINVAL;
337 		p->p_cat_val_to_name[catdatum->value - 1] = key;
338 	}
339 
340 	return 0;
341 }
342 
343 static int (*index_f[SYM_NUM]) (void *key, void *datum, void *datap) =
344 {
345 	common_index,
346 	class_index,
347 	role_index,
348 	type_index,
349 	user_index,
350 	cond_index_bool,
351 	sens_index,
352 	cat_index,
353 };
354 
355 /*
356  * Define the common val_to_name array and the class
357  * val_to_name and val_to_struct arrays in a policy
358  * database structure.
359  *
360  * Caller must clean up upon failure.
361  */
362 static int policydb_index_classes(struct policydb *p)
363 {
364 	int rc;
365 
366 	p->p_common_val_to_name =
367 		kmalloc(p->p_commons.nprim * sizeof(char *), GFP_KERNEL);
368 	if (!p->p_common_val_to_name) {
369 		rc = -ENOMEM;
370 		goto out;
371 	}
372 
373 	rc = hashtab_map(p->p_commons.table, common_index, p);
374 	if (rc)
375 		goto out;
376 
377 	p->class_val_to_struct =
378 		kmalloc(p->p_classes.nprim * sizeof(*(p->class_val_to_struct)), GFP_KERNEL);
379 	if (!p->class_val_to_struct) {
380 		rc = -ENOMEM;
381 		goto out;
382 	}
383 
384 	p->p_class_val_to_name =
385 		kmalloc(p->p_classes.nprim * sizeof(char *), GFP_KERNEL);
386 	if (!p->p_class_val_to_name) {
387 		rc = -ENOMEM;
388 		goto out;
389 	}
390 
391 	rc = hashtab_map(p->p_classes.table, class_index, p);
392 out:
393 	return rc;
394 }
395 
396 #ifdef DEBUG_HASHES
397 static void symtab_hash_eval(struct symtab *s)
398 {
399 	int i;
400 
401 	for (i = 0; i < SYM_NUM; i++) {
402 		struct hashtab *h = s[i].table;
403 		struct hashtab_info info;
404 
405 		hashtab_stat(h, &info);
406 		printk(KERN_DEBUG "SELinux: %s:  %d entries and %d/%d buckets used, "
407 		       "longest chain length %d\n", symtab_name[i], h->nel,
408 		       info.slots_used, h->size, info.max_chain_len);
409 	}
410 }
411 #endif
412 
413 /*
414  * Define the other val_to_name and val_to_struct arrays
415  * in a policy database structure.
416  *
417  * Caller must clean up on failure.
418  */
419 static int policydb_index_others(struct policydb *p)
420 {
421 	int i, rc = 0;
422 
423 	printk(KERN_DEBUG "SELinux:  %d users, %d roles, %d types, %d bools",
424 	       p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim, p->p_bools.nprim);
425 	if (selinux_mls_enabled)
426 		printk(", %d sens, %d cats", p->p_levels.nprim,
427 		       p->p_cats.nprim);
428 	printk("\n");
429 
430 	printk(KERN_DEBUG "SELinux:  %d classes, %d rules\n",
431 	       p->p_classes.nprim, p->te_avtab.nel);
432 
433 #ifdef DEBUG_HASHES
434 	avtab_hash_eval(&p->te_avtab, "rules");
435 	symtab_hash_eval(p->symtab);
436 #endif
437 
438 	p->role_val_to_struct =
439 		kmalloc(p->p_roles.nprim * sizeof(*(p->role_val_to_struct)),
440 			GFP_KERNEL);
441 	if (!p->role_val_to_struct) {
442 		rc = -ENOMEM;
443 		goto out;
444 	}
445 
446 	p->user_val_to_struct =
447 		kmalloc(p->p_users.nprim * sizeof(*(p->user_val_to_struct)),
448 			GFP_KERNEL);
449 	if (!p->user_val_to_struct) {
450 		rc = -ENOMEM;
451 		goto out;
452 	}
453 
454 	p->type_val_to_struct =
455 		kmalloc(p->p_types.nprim * sizeof(*(p->type_val_to_struct)),
456 			GFP_KERNEL);
457 	if (!p->type_val_to_struct) {
458 		rc = -ENOMEM;
459 		goto out;
460 	}
461 
462 	if (cond_init_bool_indexes(p)) {
463 		rc = -ENOMEM;
464 		goto out;
465 	}
466 
467 	for (i = SYM_ROLES; i < SYM_NUM; i++) {
468 		p->sym_val_to_name[i] =
469 			kmalloc(p->symtab[i].nprim * sizeof(char *), GFP_KERNEL);
470 		if (!p->sym_val_to_name[i]) {
471 			rc = -ENOMEM;
472 			goto out;
473 		}
474 		rc = hashtab_map(p->symtab[i].table, index_f[i], p);
475 		if (rc)
476 			goto out;
477 	}
478 
479 out:
480 	return rc;
481 }
482 
483 /*
484  * The following *_destroy functions are used to
485  * free any memory allocated for each kind of
486  * symbol data in the policy database.
487  */
488 
489 static int perm_destroy(void *key, void *datum, void *p)
490 {
491 	kfree(key);
492 	kfree(datum);
493 	return 0;
494 }
495 
496 static int common_destroy(void *key, void *datum, void *p)
497 {
498 	struct common_datum *comdatum;
499 
500 	kfree(key);
501 	comdatum = datum;
502 	hashtab_map(comdatum->permissions.table, perm_destroy, NULL);
503 	hashtab_destroy(comdatum->permissions.table);
504 	kfree(datum);
505 	return 0;
506 }
507 
508 static int cls_destroy(void *key, void *datum, void *p)
509 {
510 	struct class_datum *cladatum;
511 	struct constraint_node *constraint, *ctemp;
512 	struct constraint_expr *e, *etmp;
513 
514 	kfree(key);
515 	cladatum = datum;
516 	hashtab_map(cladatum->permissions.table, perm_destroy, NULL);
517 	hashtab_destroy(cladatum->permissions.table);
518 	constraint = cladatum->constraints;
519 	while (constraint) {
520 		e = constraint->expr;
521 		while (e) {
522 			ebitmap_destroy(&e->names);
523 			etmp = e;
524 			e = e->next;
525 			kfree(etmp);
526 		}
527 		ctemp = constraint;
528 		constraint = constraint->next;
529 		kfree(ctemp);
530 	}
531 
532 	constraint = cladatum->validatetrans;
533 	while (constraint) {
534 		e = constraint->expr;
535 		while (e) {
536 			ebitmap_destroy(&e->names);
537 			etmp = e;
538 			e = e->next;
539 			kfree(etmp);
540 		}
541 		ctemp = constraint;
542 		constraint = constraint->next;
543 		kfree(ctemp);
544 	}
545 
546 	kfree(cladatum->comkey);
547 	kfree(datum);
548 	return 0;
549 }
550 
551 static int role_destroy(void *key, void *datum, void *p)
552 {
553 	struct role_datum *role;
554 
555 	kfree(key);
556 	role = datum;
557 	ebitmap_destroy(&role->dominates);
558 	ebitmap_destroy(&role->types);
559 	kfree(datum);
560 	return 0;
561 }
562 
563 static int type_destroy(void *key, void *datum, void *p)
564 {
565 	kfree(key);
566 	kfree(datum);
567 	return 0;
568 }
569 
570 static int user_destroy(void *key, void *datum, void *p)
571 {
572 	struct user_datum *usrdatum;
573 
574 	kfree(key);
575 	usrdatum = datum;
576 	ebitmap_destroy(&usrdatum->roles);
577 	ebitmap_destroy(&usrdatum->range.level[0].cat);
578 	ebitmap_destroy(&usrdatum->range.level[1].cat);
579 	ebitmap_destroy(&usrdatum->dfltlevel.cat);
580 	kfree(datum);
581 	return 0;
582 }
583 
584 static int sens_destroy(void *key, void *datum, void *p)
585 {
586 	struct level_datum *levdatum;
587 
588 	kfree(key);
589 	levdatum = datum;
590 	ebitmap_destroy(&levdatum->level->cat);
591 	kfree(levdatum->level);
592 	kfree(datum);
593 	return 0;
594 }
595 
596 static int cat_destroy(void *key, void *datum, void *p)
597 {
598 	kfree(key);
599 	kfree(datum);
600 	return 0;
601 }
602 
603 static int (*destroy_f[SYM_NUM]) (void *key, void *datum, void *datap) =
604 {
605 	common_destroy,
606 	cls_destroy,
607 	role_destroy,
608 	type_destroy,
609 	user_destroy,
610 	cond_destroy_bool,
611 	sens_destroy,
612 	cat_destroy,
613 };
614 
615 static void ocontext_destroy(struct ocontext *c, int i)
616 {
617 	context_destroy(&c->context[0]);
618 	context_destroy(&c->context[1]);
619 	if (i == OCON_ISID || i == OCON_FS ||
620 	    i == OCON_NETIF || i == OCON_FSUSE)
621 		kfree(c->u.name);
622 	kfree(c);
623 }
624 
625 /*
626  * Free any memory allocated by a policy database structure.
627  */
628 void policydb_destroy(struct policydb *p)
629 {
630 	struct ocontext *c, *ctmp;
631 	struct genfs *g, *gtmp;
632 	int i;
633 	struct role_allow *ra, *lra = NULL;
634 	struct role_trans *tr, *ltr = NULL;
635 	struct range_trans *rt, *lrt = NULL;
636 
637 	for (i = 0; i < SYM_NUM; i++) {
638 		cond_resched();
639 		hashtab_map(p->symtab[i].table, destroy_f[i], NULL);
640 		hashtab_destroy(p->symtab[i].table);
641 	}
642 
643 	for (i = 0; i < SYM_NUM; i++)
644 		kfree(p->sym_val_to_name[i]);
645 
646 	kfree(p->class_val_to_struct);
647 	kfree(p->role_val_to_struct);
648 	kfree(p->user_val_to_struct);
649 	kfree(p->type_val_to_struct);
650 
651 	avtab_destroy(&p->te_avtab);
652 
653 	for (i = 0; i < OCON_NUM; i++) {
654 		cond_resched();
655 		c = p->ocontexts[i];
656 		while (c) {
657 			ctmp = c;
658 			c = c->next;
659 			ocontext_destroy(ctmp, i);
660 		}
661 		p->ocontexts[i] = NULL;
662 	}
663 
664 	g = p->genfs;
665 	while (g) {
666 		cond_resched();
667 		kfree(g->fstype);
668 		c = g->head;
669 		while (c) {
670 			ctmp = c;
671 			c = c->next;
672 			ocontext_destroy(ctmp, OCON_FSUSE);
673 		}
674 		gtmp = g;
675 		g = g->next;
676 		kfree(gtmp);
677 	}
678 	p->genfs = NULL;
679 
680 	cond_policydb_destroy(p);
681 
682 	for (tr = p->role_tr; tr; tr = tr->next) {
683 		cond_resched();
684 		kfree(ltr);
685 		ltr = tr;
686 	}
687 	kfree(ltr);
688 
689 	for (ra = p->role_allow; ra; ra = ra->next) {
690 		cond_resched();
691 		kfree(lra);
692 		lra = ra;
693 	}
694 	kfree(lra);
695 
696 	for (rt = p->range_tr; rt; rt = rt->next) {
697 		cond_resched();
698 		if (lrt) {
699 			ebitmap_destroy(&lrt->target_range.level[0].cat);
700 			ebitmap_destroy(&lrt->target_range.level[1].cat);
701 			kfree(lrt);
702 		}
703 		lrt = rt;
704 	}
705 	if (lrt) {
706 		ebitmap_destroy(&lrt->target_range.level[0].cat);
707 		ebitmap_destroy(&lrt->target_range.level[1].cat);
708 		kfree(lrt);
709 	}
710 
711 	if (p->type_attr_map) {
712 		for (i = 0; i < p->p_types.nprim; i++)
713 			ebitmap_destroy(&p->type_attr_map[i]);
714 	}
715 	kfree(p->type_attr_map);
716 	kfree(p->undefined_perms);
717 	ebitmap_destroy(&p->policycaps);
718 	ebitmap_destroy(&p->permissive_map);
719 
720 	return;
721 }
722 
723 /*
724  * Load the initial SIDs specified in a policy database
725  * structure into a SID table.
726  */
727 int policydb_load_isids(struct policydb *p, struct sidtab *s)
728 {
729 	struct ocontext *head, *c;
730 	int rc;
731 
732 	rc = sidtab_init(s);
733 	if (rc) {
734 		printk(KERN_ERR "SELinux:  out of memory on SID table init\n");
735 		goto out;
736 	}
737 
738 	head = p->ocontexts[OCON_ISID];
739 	for (c = head; c; c = c->next) {
740 		if (!c->context[0].user) {
741 			printk(KERN_ERR "SELinux:  SID %s was never "
742 			       "defined.\n", c->u.name);
743 			rc = -EINVAL;
744 			goto out;
745 		}
746 		if (sidtab_insert(s, c->sid[0], &c->context[0])) {
747 			printk(KERN_ERR "SELinux:  unable to load initial "
748 			       "SID %s.\n", c->u.name);
749 			rc = -EINVAL;
750 			goto out;
751 		}
752 	}
753 out:
754 	return rc;
755 }
756 
757 int policydb_class_isvalid(struct policydb *p, unsigned int class)
758 {
759 	if (!class || class > p->p_classes.nprim)
760 		return 0;
761 	return 1;
762 }
763 
764 int policydb_role_isvalid(struct policydb *p, unsigned int role)
765 {
766 	if (!role || role > p->p_roles.nprim)
767 		return 0;
768 	return 1;
769 }
770 
771 int policydb_type_isvalid(struct policydb *p, unsigned int type)
772 {
773 	if (!type || type > p->p_types.nprim)
774 		return 0;
775 	return 1;
776 }
777 
778 /*
779  * Return 1 if the fields in the security context
780  * structure `c' are valid.  Return 0 otherwise.
781  */
782 int policydb_context_isvalid(struct policydb *p, struct context *c)
783 {
784 	struct role_datum *role;
785 	struct user_datum *usrdatum;
786 
787 	if (!c->role || c->role > p->p_roles.nprim)
788 		return 0;
789 
790 	if (!c->user || c->user > p->p_users.nprim)
791 		return 0;
792 
793 	if (!c->type || c->type > p->p_types.nprim)
794 		return 0;
795 
796 	if (c->role != OBJECT_R_VAL) {
797 		/*
798 		 * Role must be authorized for the type.
799 		 */
800 		role = p->role_val_to_struct[c->role - 1];
801 		if (!ebitmap_get_bit(&role->types,
802 				     c->type - 1))
803 			/* role may not be associated with type */
804 			return 0;
805 
806 		/*
807 		 * User must be authorized for the role.
808 		 */
809 		usrdatum = p->user_val_to_struct[c->user - 1];
810 		if (!usrdatum)
811 			return 0;
812 
813 		if (!ebitmap_get_bit(&usrdatum->roles,
814 				     c->role - 1))
815 			/* user may not be associated with role */
816 			return 0;
817 	}
818 
819 	if (!mls_context_isvalid(p, c))
820 		return 0;
821 
822 	return 1;
823 }
824 
825 /*
826  * Read a MLS range structure from a policydb binary
827  * representation file.
828  */
829 static int mls_read_range_helper(struct mls_range *r, void *fp)
830 {
831 	__le32 buf[2];
832 	u32 items;
833 	int rc;
834 
835 	rc = next_entry(buf, fp, sizeof(u32));
836 	if (rc < 0)
837 		goto out;
838 
839 	items = le32_to_cpu(buf[0]);
840 	if (items > ARRAY_SIZE(buf)) {
841 		printk(KERN_ERR "SELinux: mls:  range overflow\n");
842 		rc = -EINVAL;
843 		goto out;
844 	}
845 	rc = next_entry(buf, fp, sizeof(u32) * items);
846 	if (rc < 0) {
847 		printk(KERN_ERR "SELinux: mls:  truncated range\n");
848 		goto out;
849 	}
850 	r->level[0].sens = le32_to_cpu(buf[0]);
851 	if (items > 1)
852 		r->level[1].sens = le32_to_cpu(buf[1]);
853 	else
854 		r->level[1].sens = r->level[0].sens;
855 
856 	rc = ebitmap_read(&r->level[0].cat, fp);
857 	if (rc) {
858 		printk(KERN_ERR "SELinux: mls:  error reading low "
859 		       "categories\n");
860 		goto out;
861 	}
862 	if (items > 1) {
863 		rc = ebitmap_read(&r->level[1].cat, fp);
864 		if (rc) {
865 			printk(KERN_ERR "SELinux: mls:  error reading high "
866 			       "categories\n");
867 			goto bad_high;
868 		}
869 	} else {
870 		rc = ebitmap_cpy(&r->level[1].cat, &r->level[0].cat);
871 		if (rc) {
872 			printk(KERN_ERR "SELinux: mls:  out of memory\n");
873 			goto bad_high;
874 		}
875 	}
876 
877 	rc = 0;
878 out:
879 	return rc;
880 bad_high:
881 	ebitmap_destroy(&r->level[0].cat);
882 	goto out;
883 }
884 
885 /*
886  * Read and validate a security context structure
887  * from a policydb binary representation file.
888  */
889 static int context_read_and_validate(struct context *c,
890 				     struct policydb *p,
891 				     void *fp)
892 {
893 	__le32 buf[3];
894 	int rc;
895 
896 	rc = next_entry(buf, fp, sizeof buf);
897 	if (rc < 0) {
898 		printk(KERN_ERR "SELinux: context truncated\n");
899 		goto out;
900 	}
901 	c->user = le32_to_cpu(buf[0]);
902 	c->role = le32_to_cpu(buf[1]);
903 	c->type = le32_to_cpu(buf[2]);
904 	if (p->policyvers >= POLICYDB_VERSION_MLS) {
905 		if (mls_read_range_helper(&c->range, fp)) {
906 			printk(KERN_ERR "SELinux: error reading MLS range of "
907 			       "context\n");
908 			rc = -EINVAL;
909 			goto out;
910 		}
911 	}
912 
913 	if (!policydb_context_isvalid(p, c)) {
914 		printk(KERN_ERR "SELinux:  invalid security context\n");
915 		context_destroy(c);
916 		rc = -EINVAL;
917 	}
918 out:
919 	return rc;
920 }
921 
922 /*
923  * The following *_read functions are used to
924  * read the symbol data from a policy database
925  * binary representation file.
926  */
927 
928 static int perm_read(struct policydb *p, struct hashtab *h, void *fp)
929 {
930 	char *key = NULL;
931 	struct perm_datum *perdatum;
932 	int rc;
933 	__le32 buf[2];
934 	u32 len;
935 
936 	perdatum = kzalloc(sizeof(*perdatum), GFP_KERNEL);
937 	if (!perdatum) {
938 		rc = -ENOMEM;
939 		goto out;
940 	}
941 
942 	rc = next_entry(buf, fp, sizeof buf);
943 	if (rc < 0)
944 		goto bad;
945 
946 	len = le32_to_cpu(buf[0]);
947 	perdatum->value = le32_to_cpu(buf[1]);
948 
949 	key = kmalloc(len + 1, GFP_KERNEL);
950 	if (!key) {
951 		rc = -ENOMEM;
952 		goto bad;
953 	}
954 	rc = next_entry(key, fp, len);
955 	if (rc < 0)
956 		goto bad;
957 	key[len] = '\0';
958 
959 	rc = hashtab_insert(h, key, perdatum);
960 	if (rc)
961 		goto bad;
962 out:
963 	return rc;
964 bad:
965 	perm_destroy(key, perdatum, NULL);
966 	goto out;
967 }
968 
969 static int common_read(struct policydb *p, struct hashtab *h, void *fp)
970 {
971 	char *key = NULL;
972 	struct common_datum *comdatum;
973 	__le32 buf[4];
974 	u32 len, nel;
975 	int i, rc;
976 
977 	comdatum = kzalloc(sizeof(*comdatum), GFP_KERNEL);
978 	if (!comdatum) {
979 		rc = -ENOMEM;
980 		goto out;
981 	}
982 
983 	rc = next_entry(buf, fp, sizeof buf);
984 	if (rc < 0)
985 		goto bad;
986 
987 	len = le32_to_cpu(buf[0]);
988 	comdatum->value = le32_to_cpu(buf[1]);
989 
990 	rc = symtab_init(&comdatum->permissions, PERM_SYMTAB_SIZE);
991 	if (rc)
992 		goto bad;
993 	comdatum->permissions.nprim = le32_to_cpu(buf[2]);
994 	nel = le32_to_cpu(buf[3]);
995 
996 	key = kmalloc(len + 1, GFP_KERNEL);
997 	if (!key) {
998 		rc = -ENOMEM;
999 		goto bad;
1000 	}
1001 	rc = next_entry(key, fp, len);
1002 	if (rc < 0)
1003 		goto bad;
1004 	key[len] = '\0';
1005 
1006 	for (i = 0; i < nel; i++) {
1007 		rc = perm_read(p, comdatum->permissions.table, fp);
1008 		if (rc)
1009 			goto bad;
1010 	}
1011 
1012 	rc = hashtab_insert(h, key, comdatum);
1013 	if (rc)
1014 		goto bad;
1015 out:
1016 	return rc;
1017 bad:
1018 	common_destroy(key, comdatum, NULL);
1019 	goto out;
1020 }
1021 
1022 static int read_cons_helper(struct constraint_node **nodep, int ncons,
1023 			    int allowxtarget, void *fp)
1024 {
1025 	struct constraint_node *c, *lc;
1026 	struct constraint_expr *e, *le;
1027 	__le32 buf[3];
1028 	u32 nexpr;
1029 	int rc, i, j, depth;
1030 
1031 	lc = NULL;
1032 	for (i = 0; i < ncons; i++) {
1033 		c = kzalloc(sizeof(*c), GFP_KERNEL);
1034 		if (!c)
1035 			return -ENOMEM;
1036 
1037 		if (lc)
1038 			lc->next = c;
1039 		else
1040 			*nodep = c;
1041 
1042 		rc = next_entry(buf, fp, (sizeof(u32) * 2));
1043 		if (rc < 0)
1044 			return rc;
1045 		c->permissions = le32_to_cpu(buf[0]);
1046 		nexpr = le32_to_cpu(buf[1]);
1047 		le = NULL;
1048 		depth = -1;
1049 		for (j = 0; j < nexpr; j++) {
1050 			e = kzalloc(sizeof(*e), GFP_KERNEL);
1051 			if (!e)
1052 				return -ENOMEM;
1053 
1054 			if (le)
1055 				le->next = e;
1056 			else
1057 				c->expr = e;
1058 
1059 			rc = next_entry(buf, fp, (sizeof(u32) * 3));
1060 			if (rc < 0)
1061 				return rc;
1062 			e->expr_type = le32_to_cpu(buf[0]);
1063 			e->attr = le32_to_cpu(buf[1]);
1064 			e->op = le32_to_cpu(buf[2]);
1065 
1066 			switch (e->expr_type) {
1067 			case CEXPR_NOT:
1068 				if (depth < 0)
1069 					return -EINVAL;
1070 				break;
1071 			case CEXPR_AND:
1072 			case CEXPR_OR:
1073 				if (depth < 1)
1074 					return -EINVAL;
1075 				depth--;
1076 				break;
1077 			case CEXPR_ATTR:
1078 				if (depth == (CEXPR_MAXDEPTH - 1))
1079 					return -EINVAL;
1080 				depth++;
1081 				break;
1082 			case CEXPR_NAMES:
1083 				if (!allowxtarget && (e->attr & CEXPR_XTARGET))
1084 					return -EINVAL;
1085 				if (depth == (CEXPR_MAXDEPTH - 1))
1086 					return -EINVAL;
1087 				depth++;
1088 				if (ebitmap_read(&e->names, fp))
1089 					return -EINVAL;
1090 				break;
1091 			default:
1092 				return -EINVAL;
1093 			}
1094 			le = e;
1095 		}
1096 		if (depth != 0)
1097 			return -EINVAL;
1098 		lc = c;
1099 	}
1100 
1101 	return 0;
1102 }
1103 
1104 static int class_read(struct policydb *p, struct hashtab *h, void *fp)
1105 {
1106 	char *key = NULL;
1107 	struct class_datum *cladatum;
1108 	__le32 buf[6];
1109 	u32 len, len2, ncons, nel;
1110 	int i, rc;
1111 
1112 	cladatum = kzalloc(sizeof(*cladatum), GFP_KERNEL);
1113 	if (!cladatum) {
1114 		rc = -ENOMEM;
1115 		goto out;
1116 	}
1117 
1118 	rc = next_entry(buf, fp, sizeof(u32)*6);
1119 	if (rc < 0)
1120 		goto bad;
1121 
1122 	len = le32_to_cpu(buf[0]);
1123 	len2 = le32_to_cpu(buf[1]);
1124 	cladatum->value = le32_to_cpu(buf[2]);
1125 
1126 	rc = symtab_init(&cladatum->permissions, PERM_SYMTAB_SIZE);
1127 	if (rc)
1128 		goto bad;
1129 	cladatum->permissions.nprim = le32_to_cpu(buf[3]);
1130 	nel = le32_to_cpu(buf[4]);
1131 
1132 	ncons = le32_to_cpu(buf[5]);
1133 
1134 	key = kmalloc(len + 1, GFP_KERNEL);
1135 	if (!key) {
1136 		rc = -ENOMEM;
1137 		goto bad;
1138 	}
1139 	rc = next_entry(key, fp, len);
1140 	if (rc < 0)
1141 		goto bad;
1142 	key[len] = '\0';
1143 
1144 	if (len2) {
1145 		cladatum->comkey = kmalloc(len2 + 1, GFP_KERNEL);
1146 		if (!cladatum->comkey) {
1147 			rc = -ENOMEM;
1148 			goto bad;
1149 		}
1150 		rc = next_entry(cladatum->comkey, fp, len2);
1151 		if (rc < 0)
1152 			goto bad;
1153 		cladatum->comkey[len2] = '\0';
1154 
1155 		cladatum->comdatum = hashtab_search(p->p_commons.table,
1156 						    cladatum->comkey);
1157 		if (!cladatum->comdatum) {
1158 			printk(KERN_ERR "SELinux:  unknown common %s\n",
1159 			       cladatum->comkey);
1160 			rc = -EINVAL;
1161 			goto bad;
1162 		}
1163 	}
1164 	for (i = 0; i < nel; i++) {
1165 		rc = perm_read(p, cladatum->permissions.table, fp);
1166 		if (rc)
1167 			goto bad;
1168 	}
1169 
1170 	rc = read_cons_helper(&cladatum->constraints, ncons, 0, fp);
1171 	if (rc)
1172 		goto bad;
1173 
1174 	if (p->policyvers >= POLICYDB_VERSION_VALIDATETRANS) {
1175 		/* grab the validatetrans rules */
1176 		rc = next_entry(buf, fp, sizeof(u32));
1177 		if (rc < 0)
1178 			goto bad;
1179 		ncons = le32_to_cpu(buf[0]);
1180 		rc = read_cons_helper(&cladatum->validatetrans, ncons, 1, fp);
1181 		if (rc)
1182 			goto bad;
1183 	}
1184 
1185 	rc = hashtab_insert(h, key, cladatum);
1186 	if (rc)
1187 		goto bad;
1188 
1189 	rc = 0;
1190 out:
1191 	return rc;
1192 bad:
1193 	cls_destroy(key, cladatum, NULL);
1194 	goto out;
1195 }
1196 
1197 static int role_read(struct policydb *p, struct hashtab *h, void *fp)
1198 {
1199 	char *key = NULL;
1200 	struct role_datum *role;
1201 	int rc, to_read = 2;
1202 	__le32 buf[3];
1203 	u32 len;
1204 
1205 	role = kzalloc(sizeof(*role), GFP_KERNEL);
1206 	if (!role) {
1207 		rc = -ENOMEM;
1208 		goto out;
1209 	}
1210 
1211 	if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
1212 		to_read = 3;
1213 
1214 	rc = next_entry(buf, fp, sizeof(buf[0]) * to_read);
1215 	if (rc < 0)
1216 		goto bad;
1217 
1218 	len = le32_to_cpu(buf[0]);
1219 	role->value = le32_to_cpu(buf[1]);
1220 	if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
1221 		role->bounds = le32_to_cpu(buf[2]);
1222 
1223 	key = kmalloc(len + 1, GFP_KERNEL);
1224 	if (!key) {
1225 		rc = -ENOMEM;
1226 		goto bad;
1227 	}
1228 	rc = next_entry(key, fp, len);
1229 	if (rc < 0)
1230 		goto bad;
1231 	key[len] = '\0';
1232 
1233 	rc = ebitmap_read(&role->dominates, fp);
1234 	if (rc)
1235 		goto bad;
1236 
1237 	rc = ebitmap_read(&role->types, fp);
1238 	if (rc)
1239 		goto bad;
1240 
1241 	if (strcmp(key, OBJECT_R) == 0) {
1242 		if (role->value != OBJECT_R_VAL) {
1243 			printk(KERN_ERR "SELinux: Role %s has wrong value %d\n",
1244 			       OBJECT_R, role->value);
1245 			rc = -EINVAL;
1246 			goto bad;
1247 		}
1248 		rc = 0;
1249 		goto bad;
1250 	}
1251 
1252 	rc = hashtab_insert(h, key, role);
1253 	if (rc)
1254 		goto bad;
1255 out:
1256 	return rc;
1257 bad:
1258 	role_destroy(key, role, NULL);
1259 	goto out;
1260 }
1261 
1262 static int type_read(struct policydb *p, struct hashtab *h, void *fp)
1263 {
1264 	char *key = NULL;
1265 	struct type_datum *typdatum;
1266 	int rc, to_read = 3;
1267 	__le32 buf[4];
1268 	u32 len;
1269 
1270 	typdatum = kzalloc(sizeof(*typdatum), GFP_KERNEL);
1271 	if (!typdatum) {
1272 		rc = -ENOMEM;
1273 		return rc;
1274 	}
1275 
1276 	if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
1277 		to_read = 4;
1278 
1279 	rc = next_entry(buf, fp, sizeof(buf[0]) * to_read);
1280 	if (rc < 0)
1281 		goto bad;
1282 
1283 	len = le32_to_cpu(buf[0]);
1284 	typdatum->value = le32_to_cpu(buf[1]);
1285 	if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) {
1286 		u32 prop = le32_to_cpu(buf[2]);
1287 
1288 		if (prop & TYPEDATUM_PROPERTY_PRIMARY)
1289 			typdatum->primary = 1;
1290 		if (prop & TYPEDATUM_PROPERTY_ATTRIBUTE)
1291 			typdatum->attribute = 1;
1292 
1293 		typdatum->bounds = le32_to_cpu(buf[3]);
1294 	} else {
1295 		typdatum->primary = le32_to_cpu(buf[2]);
1296 	}
1297 
1298 	key = kmalloc(len + 1, GFP_KERNEL);
1299 	if (!key) {
1300 		rc = -ENOMEM;
1301 		goto bad;
1302 	}
1303 	rc = next_entry(key, fp, len);
1304 	if (rc < 0)
1305 		goto bad;
1306 	key[len] = '\0';
1307 
1308 	rc = hashtab_insert(h, key, typdatum);
1309 	if (rc)
1310 		goto bad;
1311 out:
1312 	return rc;
1313 bad:
1314 	type_destroy(key, typdatum, NULL);
1315 	goto out;
1316 }
1317 
1318 
1319 /*
1320  * Read a MLS level structure from a policydb binary
1321  * representation file.
1322  */
1323 static int mls_read_level(struct mls_level *lp, void *fp)
1324 {
1325 	__le32 buf[1];
1326 	int rc;
1327 
1328 	memset(lp, 0, sizeof(*lp));
1329 
1330 	rc = next_entry(buf, fp, sizeof buf);
1331 	if (rc < 0) {
1332 		printk(KERN_ERR "SELinux: mls: truncated level\n");
1333 		goto bad;
1334 	}
1335 	lp->sens = le32_to_cpu(buf[0]);
1336 
1337 	if (ebitmap_read(&lp->cat, fp)) {
1338 		printk(KERN_ERR "SELinux: mls:  error reading level "
1339 		       "categories\n");
1340 		goto bad;
1341 	}
1342 
1343 	return 0;
1344 
1345 bad:
1346 	return -EINVAL;
1347 }
1348 
1349 static int user_read(struct policydb *p, struct hashtab *h, void *fp)
1350 {
1351 	char *key = NULL;
1352 	struct user_datum *usrdatum;
1353 	int rc, to_read = 2;
1354 	__le32 buf[3];
1355 	u32 len;
1356 
1357 	usrdatum = kzalloc(sizeof(*usrdatum), GFP_KERNEL);
1358 	if (!usrdatum) {
1359 		rc = -ENOMEM;
1360 		goto out;
1361 	}
1362 
1363 	if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
1364 		to_read = 3;
1365 
1366 	rc = next_entry(buf, fp, sizeof(buf[0]) * to_read);
1367 	if (rc < 0)
1368 		goto bad;
1369 
1370 	len = le32_to_cpu(buf[0]);
1371 	usrdatum->value = le32_to_cpu(buf[1]);
1372 	if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
1373 		usrdatum->bounds = le32_to_cpu(buf[2]);
1374 
1375 	key = kmalloc(len + 1, GFP_KERNEL);
1376 	if (!key) {
1377 		rc = -ENOMEM;
1378 		goto bad;
1379 	}
1380 	rc = next_entry(key, fp, len);
1381 	if (rc < 0)
1382 		goto bad;
1383 	key[len] = '\0';
1384 
1385 	rc = ebitmap_read(&usrdatum->roles, fp);
1386 	if (rc)
1387 		goto bad;
1388 
1389 	if (p->policyvers >= POLICYDB_VERSION_MLS) {
1390 		rc = mls_read_range_helper(&usrdatum->range, fp);
1391 		if (rc)
1392 			goto bad;
1393 		rc = mls_read_level(&usrdatum->dfltlevel, fp);
1394 		if (rc)
1395 			goto bad;
1396 	}
1397 
1398 	rc = hashtab_insert(h, key, usrdatum);
1399 	if (rc)
1400 		goto bad;
1401 out:
1402 	return rc;
1403 bad:
1404 	user_destroy(key, usrdatum, NULL);
1405 	goto out;
1406 }
1407 
1408 static int sens_read(struct policydb *p, struct hashtab *h, void *fp)
1409 {
1410 	char *key = NULL;
1411 	struct level_datum *levdatum;
1412 	int rc;
1413 	__le32 buf[2];
1414 	u32 len;
1415 
1416 	levdatum = kzalloc(sizeof(*levdatum), GFP_ATOMIC);
1417 	if (!levdatum) {
1418 		rc = -ENOMEM;
1419 		goto out;
1420 	}
1421 
1422 	rc = next_entry(buf, fp, sizeof buf);
1423 	if (rc < 0)
1424 		goto bad;
1425 
1426 	len = le32_to_cpu(buf[0]);
1427 	levdatum->isalias = le32_to_cpu(buf[1]);
1428 
1429 	key = kmalloc(len + 1, GFP_ATOMIC);
1430 	if (!key) {
1431 		rc = -ENOMEM;
1432 		goto bad;
1433 	}
1434 	rc = next_entry(key, fp, len);
1435 	if (rc < 0)
1436 		goto bad;
1437 	key[len] = '\0';
1438 
1439 	levdatum->level = kmalloc(sizeof(struct mls_level), GFP_ATOMIC);
1440 	if (!levdatum->level) {
1441 		rc = -ENOMEM;
1442 		goto bad;
1443 	}
1444 	if (mls_read_level(levdatum->level, fp)) {
1445 		rc = -EINVAL;
1446 		goto bad;
1447 	}
1448 
1449 	rc = hashtab_insert(h, key, levdatum);
1450 	if (rc)
1451 		goto bad;
1452 out:
1453 	return rc;
1454 bad:
1455 	sens_destroy(key, levdatum, NULL);
1456 	goto out;
1457 }
1458 
1459 static int cat_read(struct policydb *p, struct hashtab *h, void *fp)
1460 {
1461 	char *key = NULL;
1462 	struct cat_datum *catdatum;
1463 	int rc;
1464 	__le32 buf[3];
1465 	u32 len;
1466 
1467 	catdatum = kzalloc(sizeof(*catdatum), GFP_ATOMIC);
1468 	if (!catdatum) {
1469 		rc = -ENOMEM;
1470 		goto out;
1471 	}
1472 
1473 	rc = next_entry(buf, fp, sizeof buf);
1474 	if (rc < 0)
1475 		goto bad;
1476 
1477 	len = le32_to_cpu(buf[0]);
1478 	catdatum->value = le32_to_cpu(buf[1]);
1479 	catdatum->isalias = le32_to_cpu(buf[2]);
1480 
1481 	key = kmalloc(len + 1, GFP_ATOMIC);
1482 	if (!key) {
1483 		rc = -ENOMEM;
1484 		goto bad;
1485 	}
1486 	rc = next_entry(key, fp, len);
1487 	if (rc < 0)
1488 		goto bad;
1489 	key[len] = '\0';
1490 
1491 	rc = hashtab_insert(h, key, catdatum);
1492 	if (rc)
1493 		goto bad;
1494 out:
1495 	return rc;
1496 
1497 bad:
1498 	cat_destroy(key, catdatum, NULL);
1499 	goto out;
1500 }
1501 
1502 static int (*read_f[SYM_NUM]) (struct policydb *p, struct hashtab *h, void *fp) =
1503 {
1504 	common_read,
1505 	class_read,
1506 	role_read,
1507 	type_read,
1508 	user_read,
1509 	cond_read_bool,
1510 	sens_read,
1511 	cat_read,
1512 };
1513 
1514 static int user_bounds_sanity_check(void *key, void *datum, void *datap)
1515 {
1516 	struct user_datum *upper, *user;
1517 	struct policydb *p = datap;
1518 	int depth = 0;
1519 
1520 	upper = user = datum;
1521 	while (upper->bounds) {
1522 		struct ebitmap_node *node;
1523 		unsigned long bit;
1524 
1525 		if (++depth == POLICYDB_BOUNDS_MAXDEPTH) {
1526 			printk(KERN_ERR "SELinux: user %s: "
1527 			       "too deep or looped boundary",
1528 			       (char *) key);
1529 			return -EINVAL;
1530 		}
1531 
1532 		upper = p->user_val_to_struct[upper->bounds - 1];
1533 		ebitmap_for_each_positive_bit(&user->roles, node, bit) {
1534 			if (ebitmap_get_bit(&upper->roles, bit))
1535 				continue;
1536 
1537 			printk(KERN_ERR
1538 			       "SELinux: boundary violated policy: "
1539 			       "user=%s role=%s bounds=%s\n",
1540 			       p->p_user_val_to_name[user->value - 1],
1541 			       p->p_role_val_to_name[bit],
1542 			       p->p_user_val_to_name[upper->value - 1]);
1543 
1544 			return -EINVAL;
1545 		}
1546 	}
1547 
1548 	return 0;
1549 }
1550 
1551 static int role_bounds_sanity_check(void *key, void *datum, void *datap)
1552 {
1553 	struct role_datum *upper, *role;
1554 	struct policydb *p = datap;
1555 	int depth = 0;
1556 
1557 	upper = role = datum;
1558 	while (upper->bounds) {
1559 		struct ebitmap_node *node;
1560 		unsigned long bit;
1561 
1562 		if (++depth == POLICYDB_BOUNDS_MAXDEPTH) {
1563 			printk(KERN_ERR "SELinux: role %s: "
1564 			       "too deep or looped bounds\n",
1565 			       (char *) key);
1566 			return -EINVAL;
1567 		}
1568 
1569 		upper = p->role_val_to_struct[upper->bounds - 1];
1570 		ebitmap_for_each_positive_bit(&role->types, node, bit) {
1571 			if (ebitmap_get_bit(&upper->types, bit))
1572 				continue;
1573 
1574 			printk(KERN_ERR
1575 			       "SELinux: boundary violated policy: "
1576 			       "role=%s type=%s bounds=%s\n",
1577 			       p->p_role_val_to_name[role->value - 1],
1578 			       p->p_type_val_to_name[bit],
1579 			       p->p_role_val_to_name[upper->value - 1]);
1580 
1581 			return -EINVAL;
1582 		}
1583 	}
1584 
1585 	return 0;
1586 }
1587 
1588 static int type_bounds_sanity_check(void *key, void *datum, void *datap)
1589 {
1590 	struct type_datum *upper, *type;
1591 	struct policydb *p = datap;
1592 	int depth = 0;
1593 
1594 	upper = type = datum;
1595 	while (upper->bounds) {
1596 		if (++depth == POLICYDB_BOUNDS_MAXDEPTH) {
1597 			printk(KERN_ERR "SELinux: type %s: "
1598 			       "too deep or looped boundary\n",
1599 			       (char *) key);
1600 			return -EINVAL;
1601 		}
1602 
1603 		upper = p->type_val_to_struct[upper->bounds - 1];
1604 		if (upper->attribute) {
1605 			printk(KERN_ERR "SELinux: type %s: "
1606 			       "bounded by attribute %s",
1607 			       (char *) key,
1608 			       p->p_type_val_to_name[upper->value - 1]);
1609 			return -EINVAL;
1610 		}
1611 	}
1612 
1613 	return 0;
1614 }
1615 
1616 static int policydb_bounds_sanity_check(struct policydb *p)
1617 {
1618 	int rc;
1619 
1620 	if (p->policyvers < POLICYDB_VERSION_BOUNDARY)
1621 		return 0;
1622 
1623 	rc = hashtab_map(p->p_users.table,
1624 			 user_bounds_sanity_check, p);
1625 	if (rc)
1626 		return rc;
1627 
1628 	rc = hashtab_map(p->p_roles.table,
1629 			 role_bounds_sanity_check, p);
1630 	if (rc)
1631 		return rc;
1632 
1633 	rc = hashtab_map(p->p_types.table,
1634 			 type_bounds_sanity_check, p);
1635 	if (rc)
1636 		return rc;
1637 
1638 	return 0;
1639 }
1640 
1641 extern int ss_initialized;
1642 
1643 /*
1644  * Read the configuration data from a policy database binary
1645  * representation file into a policy database structure.
1646  */
1647 int policydb_read(struct policydb *p, void *fp)
1648 {
1649 	struct role_allow *ra, *lra;
1650 	struct role_trans *tr, *ltr;
1651 	struct ocontext *l, *c, *newc;
1652 	struct genfs *genfs_p, *genfs, *newgenfs;
1653 	int i, j, rc;
1654 	__le32 buf[4];
1655 	u32 nodebuf[8];
1656 	u32 len, len2, config, nprim, nel, nel2;
1657 	char *policydb_str;
1658 	struct policydb_compat_info *info;
1659 	struct range_trans *rt, *lrt;
1660 
1661 	config = 0;
1662 
1663 	rc = policydb_init(p);
1664 	if (rc)
1665 		goto out;
1666 
1667 	/* Read the magic number and string length. */
1668 	rc = next_entry(buf, fp, sizeof(u32) * 2);
1669 	if (rc < 0)
1670 		goto bad;
1671 
1672 	if (le32_to_cpu(buf[0]) != POLICYDB_MAGIC) {
1673 		printk(KERN_ERR "SELinux:  policydb magic number 0x%x does "
1674 		       "not match expected magic number 0x%x\n",
1675 		       le32_to_cpu(buf[0]), POLICYDB_MAGIC);
1676 		goto bad;
1677 	}
1678 
1679 	len = le32_to_cpu(buf[1]);
1680 	if (len != strlen(POLICYDB_STRING)) {
1681 		printk(KERN_ERR "SELinux:  policydb string length %d does not "
1682 		       "match expected length %Zu\n",
1683 		       len, strlen(POLICYDB_STRING));
1684 		goto bad;
1685 	}
1686 	policydb_str = kmalloc(len + 1, GFP_KERNEL);
1687 	if (!policydb_str) {
1688 		printk(KERN_ERR "SELinux:  unable to allocate memory for policydb "
1689 		       "string of length %d\n", len);
1690 		rc = -ENOMEM;
1691 		goto bad;
1692 	}
1693 	rc = next_entry(policydb_str, fp, len);
1694 	if (rc < 0) {
1695 		printk(KERN_ERR "SELinux:  truncated policydb string identifier\n");
1696 		kfree(policydb_str);
1697 		goto bad;
1698 	}
1699 	policydb_str[len] = '\0';
1700 	if (strcmp(policydb_str, POLICYDB_STRING)) {
1701 		printk(KERN_ERR "SELinux:  policydb string %s does not match "
1702 		       "my string %s\n", policydb_str, POLICYDB_STRING);
1703 		kfree(policydb_str);
1704 		goto bad;
1705 	}
1706 	/* Done with policydb_str. */
1707 	kfree(policydb_str);
1708 	policydb_str = NULL;
1709 
1710 	/* Read the version, config, and table sizes. */
1711 	rc = next_entry(buf, fp, sizeof(u32)*4);
1712 	if (rc < 0)
1713 		goto bad;
1714 
1715 	p->policyvers = le32_to_cpu(buf[0]);
1716 	if (p->policyvers < POLICYDB_VERSION_MIN ||
1717 	    p->policyvers > POLICYDB_VERSION_MAX) {
1718 		printk(KERN_ERR "SELinux:  policydb version %d does not match "
1719 		       "my version range %d-%d\n",
1720 		       le32_to_cpu(buf[0]), POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
1721 		goto bad;
1722 	}
1723 
1724 	if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_MLS)) {
1725 		if (ss_initialized && !selinux_mls_enabled) {
1726 			printk(KERN_ERR "SELinux: Cannot switch between non-MLS"
1727 				" and MLS policies\n");
1728 			goto bad;
1729 		}
1730 		selinux_mls_enabled = 1;
1731 		config |= POLICYDB_CONFIG_MLS;
1732 
1733 		if (p->policyvers < POLICYDB_VERSION_MLS) {
1734 			printk(KERN_ERR "SELinux: security policydb version %d "
1735 				"(MLS) not backwards compatible\n",
1736 				p->policyvers);
1737 			goto bad;
1738 		}
1739 	} else {
1740 		if (ss_initialized && selinux_mls_enabled) {
1741 			printk(KERN_ERR "SELinux: Cannot switch between MLS and"
1742 				" non-MLS policies\n");
1743 			goto bad;
1744 		}
1745 	}
1746 	p->reject_unknown = !!(le32_to_cpu(buf[1]) & REJECT_UNKNOWN);
1747 	p->allow_unknown = !!(le32_to_cpu(buf[1]) & ALLOW_UNKNOWN);
1748 
1749 	if (p->policyvers >= POLICYDB_VERSION_POLCAP &&
1750 	    ebitmap_read(&p->policycaps, fp) != 0)
1751 		goto bad;
1752 
1753 	if (p->policyvers >= POLICYDB_VERSION_PERMISSIVE &&
1754 	    ebitmap_read(&p->permissive_map, fp) != 0)
1755 		goto bad;
1756 
1757 	info = policydb_lookup_compat(p->policyvers);
1758 	if (!info) {
1759 		printk(KERN_ERR "SELinux:  unable to find policy compat info "
1760 		       "for version %d\n", p->policyvers);
1761 		goto bad;
1762 	}
1763 
1764 	if (le32_to_cpu(buf[2]) != info->sym_num ||
1765 		le32_to_cpu(buf[3]) != info->ocon_num) {
1766 		printk(KERN_ERR "SELinux:  policydb table sizes (%d,%d) do "
1767 		       "not match mine (%d,%d)\n", le32_to_cpu(buf[2]),
1768 			le32_to_cpu(buf[3]),
1769 		       info->sym_num, info->ocon_num);
1770 		goto bad;
1771 	}
1772 
1773 	for (i = 0; i < info->sym_num; i++) {
1774 		rc = next_entry(buf, fp, sizeof(u32)*2);
1775 		if (rc < 0)
1776 			goto bad;
1777 		nprim = le32_to_cpu(buf[0]);
1778 		nel = le32_to_cpu(buf[1]);
1779 		for (j = 0; j < nel; j++) {
1780 			rc = read_f[i](p, p->symtab[i].table, fp);
1781 			if (rc)
1782 				goto bad;
1783 		}
1784 
1785 		p->symtab[i].nprim = nprim;
1786 	}
1787 
1788 	rc = avtab_read(&p->te_avtab, fp, p);
1789 	if (rc)
1790 		goto bad;
1791 
1792 	if (p->policyvers >= POLICYDB_VERSION_BOOL) {
1793 		rc = cond_read_list(p, fp);
1794 		if (rc)
1795 			goto bad;
1796 	}
1797 
1798 	rc = next_entry(buf, fp, sizeof(u32));
1799 	if (rc < 0)
1800 		goto bad;
1801 	nel = le32_to_cpu(buf[0]);
1802 	ltr = NULL;
1803 	for (i = 0; i < nel; i++) {
1804 		tr = kzalloc(sizeof(*tr), GFP_KERNEL);
1805 		if (!tr) {
1806 			rc = -ENOMEM;
1807 			goto bad;
1808 		}
1809 		if (ltr)
1810 			ltr->next = tr;
1811 		else
1812 			p->role_tr = tr;
1813 		rc = next_entry(buf, fp, sizeof(u32)*3);
1814 		if (rc < 0)
1815 			goto bad;
1816 		tr->role = le32_to_cpu(buf[0]);
1817 		tr->type = le32_to_cpu(buf[1]);
1818 		tr->new_role = le32_to_cpu(buf[2]);
1819 		if (!policydb_role_isvalid(p, tr->role) ||
1820 		    !policydb_type_isvalid(p, tr->type) ||
1821 		    !policydb_role_isvalid(p, tr->new_role)) {
1822 			rc = -EINVAL;
1823 			goto bad;
1824 		}
1825 		ltr = tr;
1826 	}
1827 
1828 	rc = next_entry(buf, fp, sizeof(u32));
1829 	if (rc < 0)
1830 		goto bad;
1831 	nel = le32_to_cpu(buf[0]);
1832 	lra = NULL;
1833 	for (i = 0; i < nel; i++) {
1834 		ra = kzalloc(sizeof(*ra), GFP_KERNEL);
1835 		if (!ra) {
1836 			rc = -ENOMEM;
1837 			goto bad;
1838 		}
1839 		if (lra)
1840 			lra->next = ra;
1841 		else
1842 			p->role_allow = ra;
1843 		rc = next_entry(buf, fp, sizeof(u32)*2);
1844 		if (rc < 0)
1845 			goto bad;
1846 		ra->role = le32_to_cpu(buf[0]);
1847 		ra->new_role = le32_to_cpu(buf[1]);
1848 		if (!policydb_role_isvalid(p, ra->role) ||
1849 		    !policydb_role_isvalid(p, ra->new_role)) {
1850 			rc = -EINVAL;
1851 			goto bad;
1852 		}
1853 		lra = ra;
1854 	}
1855 
1856 	rc = policydb_index_classes(p);
1857 	if (rc)
1858 		goto bad;
1859 
1860 	rc = policydb_index_others(p);
1861 	if (rc)
1862 		goto bad;
1863 
1864 	for (i = 0; i < info->ocon_num; i++) {
1865 		rc = next_entry(buf, fp, sizeof(u32));
1866 		if (rc < 0)
1867 			goto bad;
1868 		nel = le32_to_cpu(buf[0]);
1869 		l = NULL;
1870 		for (j = 0; j < nel; j++) {
1871 			c = kzalloc(sizeof(*c), GFP_KERNEL);
1872 			if (!c) {
1873 				rc = -ENOMEM;
1874 				goto bad;
1875 			}
1876 			if (l)
1877 				l->next = c;
1878 			else
1879 				p->ocontexts[i] = c;
1880 			l = c;
1881 			rc = -EINVAL;
1882 			switch (i) {
1883 			case OCON_ISID:
1884 				rc = next_entry(buf, fp, sizeof(u32));
1885 				if (rc < 0)
1886 					goto bad;
1887 				c->sid[0] = le32_to_cpu(buf[0]);
1888 				rc = context_read_and_validate(&c->context[0], p, fp);
1889 				if (rc)
1890 					goto bad;
1891 				break;
1892 			case OCON_FS:
1893 			case OCON_NETIF:
1894 				rc = next_entry(buf, fp, sizeof(u32));
1895 				if (rc < 0)
1896 					goto bad;
1897 				len = le32_to_cpu(buf[0]);
1898 				c->u.name = kmalloc(len + 1, GFP_KERNEL);
1899 				if (!c->u.name) {
1900 					rc = -ENOMEM;
1901 					goto bad;
1902 				}
1903 				rc = next_entry(c->u.name, fp, len);
1904 				if (rc < 0)
1905 					goto bad;
1906 				c->u.name[len] = 0;
1907 				rc = context_read_and_validate(&c->context[0], p, fp);
1908 				if (rc)
1909 					goto bad;
1910 				rc = context_read_and_validate(&c->context[1], p, fp);
1911 				if (rc)
1912 					goto bad;
1913 				break;
1914 			case OCON_PORT:
1915 				rc = next_entry(buf, fp, sizeof(u32)*3);
1916 				if (rc < 0)
1917 					goto bad;
1918 				c->u.port.protocol = le32_to_cpu(buf[0]);
1919 				c->u.port.low_port = le32_to_cpu(buf[1]);
1920 				c->u.port.high_port = le32_to_cpu(buf[2]);
1921 				rc = context_read_and_validate(&c->context[0], p, fp);
1922 				if (rc)
1923 					goto bad;
1924 				break;
1925 			case OCON_NODE:
1926 				rc = next_entry(nodebuf, fp, sizeof(u32) * 2);
1927 				if (rc < 0)
1928 					goto bad;
1929 				c->u.node.addr = nodebuf[0]; /* network order */
1930 				c->u.node.mask = nodebuf[1]; /* network order */
1931 				rc = context_read_and_validate(&c->context[0], p, fp);
1932 				if (rc)
1933 					goto bad;
1934 				break;
1935 			case OCON_FSUSE:
1936 				rc = next_entry(buf, fp, sizeof(u32)*2);
1937 				if (rc < 0)
1938 					goto bad;
1939 				c->v.behavior = le32_to_cpu(buf[0]);
1940 				if (c->v.behavior > SECURITY_FS_USE_NONE)
1941 					goto bad;
1942 				len = le32_to_cpu(buf[1]);
1943 				c->u.name = kmalloc(len + 1, GFP_KERNEL);
1944 				if (!c->u.name) {
1945 					rc = -ENOMEM;
1946 					goto bad;
1947 				}
1948 				rc = next_entry(c->u.name, fp, len);
1949 				if (rc < 0)
1950 					goto bad;
1951 				c->u.name[len] = 0;
1952 				rc = context_read_and_validate(&c->context[0], p, fp);
1953 				if (rc)
1954 					goto bad;
1955 				break;
1956 			case OCON_NODE6: {
1957 				int k;
1958 
1959 				rc = next_entry(nodebuf, fp, sizeof(u32) * 8);
1960 				if (rc < 0)
1961 					goto bad;
1962 				for (k = 0; k < 4; k++)
1963 					c->u.node6.addr[k] = nodebuf[k];
1964 				for (k = 0; k < 4; k++)
1965 					c->u.node6.mask[k] = nodebuf[k+4];
1966 				if (context_read_and_validate(&c->context[0], p, fp))
1967 					goto bad;
1968 				break;
1969 			}
1970 			}
1971 		}
1972 	}
1973 
1974 	rc = next_entry(buf, fp, sizeof(u32));
1975 	if (rc < 0)
1976 		goto bad;
1977 	nel = le32_to_cpu(buf[0]);
1978 	genfs_p = NULL;
1979 	rc = -EINVAL;
1980 	for (i = 0; i < nel; i++) {
1981 		rc = next_entry(buf, fp, sizeof(u32));
1982 		if (rc < 0)
1983 			goto bad;
1984 		len = le32_to_cpu(buf[0]);
1985 		newgenfs = kzalloc(sizeof(*newgenfs), GFP_KERNEL);
1986 		if (!newgenfs) {
1987 			rc = -ENOMEM;
1988 			goto bad;
1989 		}
1990 
1991 		newgenfs->fstype = kmalloc(len + 1, GFP_KERNEL);
1992 		if (!newgenfs->fstype) {
1993 			rc = -ENOMEM;
1994 			kfree(newgenfs);
1995 			goto bad;
1996 		}
1997 		rc = next_entry(newgenfs->fstype, fp, len);
1998 		if (rc < 0) {
1999 			kfree(newgenfs->fstype);
2000 			kfree(newgenfs);
2001 			goto bad;
2002 		}
2003 		newgenfs->fstype[len] = 0;
2004 		for (genfs_p = NULL, genfs = p->genfs; genfs;
2005 		     genfs_p = genfs, genfs = genfs->next) {
2006 			if (strcmp(newgenfs->fstype, genfs->fstype) == 0) {
2007 				printk(KERN_ERR "SELinux:  dup genfs "
2008 				       "fstype %s\n", newgenfs->fstype);
2009 				kfree(newgenfs->fstype);
2010 				kfree(newgenfs);
2011 				goto bad;
2012 			}
2013 			if (strcmp(newgenfs->fstype, genfs->fstype) < 0)
2014 				break;
2015 		}
2016 		newgenfs->next = genfs;
2017 		if (genfs_p)
2018 			genfs_p->next = newgenfs;
2019 		else
2020 			p->genfs = newgenfs;
2021 		rc = next_entry(buf, fp, sizeof(u32));
2022 		if (rc < 0)
2023 			goto bad;
2024 		nel2 = le32_to_cpu(buf[0]);
2025 		for (j = 0; j < nel2; j++) {
2026 			rc = next_entry(buf, fp, sizeof(u32));
2027 			if (rc < 0)
2028 				goto bad;
2029 			len = le32_to_cpu(buf[0]);
2030 
2031 			newc = kzalloc(sizeof(*newc), GFP_KERNEL);
2032 			if (!newc) {
2033 				rc = -ENOMEM;
2034 				goto bad;
2035 			}
2036 
2037 			newc->u.name = kmalloc(len + 1, GFP_KERNEL);
2038 			if (!newc->u.name) {
2039 				rc = -ENOMEM;
2040 				goto bad_newc;
2041 			}
2042 			rc = next_entry(newc->u.name, fp, len);
2043 			if (rc < 0)
2044 				goto bad_newc;
2045 			newc->u.name[len] = 0;
2046 			rc = next_entry(buf, fp, sizeof(u32));
2047 			if (rc < 0)
2048 				goto bad_newc;
2049 			newc->v.sclass = le32_to_cpu(buf[0]);
2050 			if (context_read_and_validate(&newc->context[0], p, fp))
2051 				goto bad_newc;
2052 			for (l = NULL, c = newgenfs->head; c;
2053 			     l = c, c = c->next) {
2054 				if (!strcmp(newc->u.name, c->u.name) &&
2055 				    (!c->v.sclass || !newc->v.sclass ||
2056 				     newc->v.sclass == c->v.sclass)) {
2057 					printk(KERN_ERR "SELinux:  dup genfs "
2058 					       "entry (%s,%s)\n",
2059 					       newgenfs->fstype, c->u.name);
2060 					goto bad_newc;
2061 				}
2062 				len = strlen(newc->u.name);
2063 				len2 = strlen(c->u.name);
2064 				if (len > len2)
2065 					break;
2066 			}
2067 
2068 			newc->next = c;
2069 			if (l)
2070 				l->next = newc;
2071 			else
2072 				newgenfs->head = newc;
2073 		}
2074 	}
2075 
2076 	if (p->policyvers >= POLICYDB_VERSION_MLS) {
2077 		int new_rangetr = p->policyvers >= POLICYDB_VERSION_RANGETRANS;
2078 		rc = next_entry(buf, fp, sizeof(u32));
2079 		if (rc < 0)
2080 			goto bad;
2081 		nel = le32_to_cpu(buf[0]);
2082 		lrt = NULL;
2083 		for (i = 0; i < nel; i++) {
2084 			rt = kzalloc(sizeof(*rt), GFP_KERNEL);
2085 			if (!rt) {
2086 				rc = -ENOMEM;
2087 				goto bad;
2088 			}
2089 			if (lrt)
2090 				lrt->next = rt;
2091 			else
2092 				p->range_tr = rt;
2093 			rc = next_entry(buf, fp, (sizeof(u32) * 2));
2094 			if (rc < 0)
2095 				goto bad;
2096 			rt->source_type = le32_to_cpu(buf[0]);
2097 			rt->target_type = le32_to_cpu(buf[1]);
2098 			if (new_rangetr) {
2099 				rc = next_entry(buf, fp, sizeof(u32));
2100 				if (rc < 0)
2101 					goto bad;
2102 				rt->target_class = le32_to_cpu(buf[0]);
2103 			} else
2104 				rt->target_class = SECCLASS_PROCESS;
2105 			if (!policydb_type_isvalid(p, rt->source_type) ||
2106 			    !policydb_type_isvalid(p, rt->target_type) ||
2107 			    !policydb_class_isvalid(p, rt->target_class)) {
2108 				rc = -EINVAL;
2109 				goto bad;
2110 			}
2111 			rc = mls_read_range_helper(&rt->target_range, fp);
2112 			if (rc)
2113 				goto bad;
2114 			if (!mls_range_isvalid(p, &rt->target_range)) {
2115 				printk(KERN_WARNING "SELinux:  rangetrans:  invalid range\n");
2116 				goto bad;
2117 			}
2118 			lrt = rt;
2119 		}
2120 	}
2121 
2122 	p->type_attr_map = kmalloc(p->p_types.nprim*sizeof(struct ebitmap), GFP_KERNEL);
2123 	if (!p->type_attr_map)
2124 		goto bad;
2125 
2126 	for (i = 0; i < p->p_types.nprim; i++) {
2127 		ebitmap_init(&p->type_attr_map[i]);
2128 		if (p->policyvers >= POLICYDB_VERSION_AVTAB) {
2129 			if (ebitmap_read(&p->type_attr_map[i], fp))
2130 				goto bad;
2131 		}
2132 		/* add the type itself as the degenerate case */
2133 		if (ebitmap_set_bit(&p->type_attr_map[i], i, 1))
2134 				goto bad;
2135 	}
2136 
2137 	rc = policydb_bounds_sanity_check(p);
2138 	if (rc)
2139 		goto bad;
2140 
2141 	rc = 0;
2142 out:
2143 	return rc;
2144 bad_newc:
2145 	ocontext_destroy(newc, OCON_FSUSE);
2146 bad:
2147 	if (!rc)
2148 		rc = -EINVAL;
2149 	policydb_destroy(p);
2150 	goto out;
2151 }
2152