Import libsepol 2.1.0 (Release 2011-07-27).
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..a74c98b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+utils/chkcon
diff --git a/COPYING b/COPYING
new file mode 100644
index 0000000..8add30a
--- /dev/null
+++ b/COPYING
@@ -0,0 +1,504 @@
+ GNU LESSER GENERAL PUBLIC LICENSE
+ Version 2.1, February 1999
+
+ Copyright (C) 1991, 1999 Free Software Foundation, Inc.
+ 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+[This is the first released version of the Lesser GPL. It also counts
+ as the successor of the GNU Library Public License, version 2, hence
+ the version number 2.1.]
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+Licenses are intended to guarantee your freedom to share and change
+free software--to make sure the software is free for all its users.
+
+ This license, the Lesser General Public License, applies to some
+specially designated software packages--typically libraries--of the
+Free Software Foundation and other authors who decide to use it. You
+can use it too, but we suggest you first think carefully about whether
+this license or the ordinary General Public License is the better
+strategy to use in any particular case, based on the explanations below.
+
+ When we speak of free software, we are referring to freedom of use,
+not price. Our General Public Licenses are designed to make sure that
+you have the freedom to distribute copies of free software (and charge
+for this service if you wish); that you receive source code or can get
+it if you want it; that you can change the software and use pieces of
+it in new free programs; and that you are informed that you can do
+these things.
+
+ To protect your rights, we need to make restrictions that forbid
+distributors to deny you these rights or to ask you to surrender these
+rights. These restrictions translate to certain responsibilities for
+you if you distribute copies of the library or if you modify it.
+
+ For example, if you distribute copies of the library, whether gratis
+or for a fee, you must give the recipients all the rights that we gave
+you. You must make sure that they, too, receive or can get the source
+code. If you link other code with the library, you must provide
+complete object files to the recipients, so that they can relink them
+with the library after making changes to the library and recompiling
+it. And you must show them these terms so they know their rights.
+
+ We protect your rights with a two-step method: (1) we copyright the
+library, and (2) we offer you this license, which gives you legal
+permission to copy, distribute and/or modify the library.
+
+ To protect each distributor, we want to make it very clear that
+there is no warranty for the free library. Also, if the library is
+modified by someone else and passed on, the recipients should know
+that what they have is not the original version, so that the original
+author's reputation will not be affected by problems that might be
+introduced by others.
+�
+ Finally, software patents pose a constant threat to the existence of
+any free program. We wish to make sure that a company cannot
+effectively restrict the users of a free program by obtaining a
+restrictive license from a patent holder. Therefore, we insist that
+any patent license obtained for a version of the library must be
+consistent with the full freedom of use specified in this license.
+
+ Most GNU software, including some libraries, is covered by the
+ordinary GNU General Public License. This license, the GNU Lesser
+General Public License, applies to certain designated libraries, and
+is quite different from the ordinary General Public License. We use
+this license for certain libraries in order to permit linking those
+libraries into non-free programs.
+
+ When a program is linked with a library, whether statically or using
+a shared library, the combination of the two is legally speaking a
+combined work, a derivative of the original library. The ordinary
+General Public License therefore permits such linking only if the
+entire combination fits its criteria of freedom. The Lesser General
+Public License permits more lax criteria for linking other code with
+the library.
+
+ We call this license the "Lesser" General Public License because it
+does Less to protect the user's freedom than the ordinary General
+Public License. It also provides other free software developers Less
+of an advantage over competing non-free programs. These disadvantages
+are the reason we use the ordinary General Public License for many
+libraries. However, the Lesser license provides advantages in certain
+special circumstances.
+
+ For example, on rare occasions, there may be a special need to
+encourage the widest possible use of a certain library, so that it becomes
+a de-facto standard. To achieve this, non-free programs must be
+allowed to use the library. A more frequent case is that a free
+library does the same job as widely used non-free libraries. In this
+case, there is little to gain by limiting the free library to free
+software only, so we use the Lesser General Public License.
+
+ In other cases, permission to use a particular library in non-free
+programs enables a greater number of people to use a large body of
+free software. For example, permission to use the GNU C Library in
+non-free programs enables many more people to use the whole GNU
+operating system, as well as its variant, the GNU/Linux operating
+system.
+
+ Although the Lesser General Public License is Less protective of the
+users' freedom, it does ensure that the user of a program that is
+linked with the Library has the freedom and the wherewithal to run
+that program using a modified version of the Library.
+
+ The precise terms and conditions for copying, distribution and
+modification follow. Pay close attention to the difference between a
+"work based on the library" and a "work that uses the library". The
+former contains code derived from the library, whereas the latter must
+be combined with the library in order to run.
+�
+ GNU LESSER GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License Agreement applies to any software library or other
+program which contains a notice placed by the copyright holder or
+other authorized party saying it may be distributed under the terms of
+this Lesser General Public License (also called "this License").
+Each licensee is addressed as "you".
+
+ A "library" means a collection of software functions and/or data
+prepared so as to be conveniently linked with application programs
+(which use some of those functions and data) to form executables.
+
+ The "Library", below, refers to any such software library or work
+which has been distributed under these terms. A "work based on the
+Library" means either the Library or any derivative work under
+copyright law: that is to say, a work containing the Library or a
+portion of it, either verbatim or with modifications and/or translated
+straightforwardly into another language. (Hereinafter, translation is
+included without limitation in the term "modification".)
+
+ "Source code" for a work means the preferred form of the work for
+making modifications to it. For a library, complete source code means
+all the source code for all modules it contains, plus any associated
+interface definition files, plus the scripts used to control compilation
+and installation of the library.
+
+ Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running a program using the Library is not restricted, and output from
+such a program is covered only if its contents constitute a work based
+on the Library (independent of the use of the Library in a tool for
+writing it). Whether that is true depends on what the Library does
+and what the program that uses the Library does.
+
+ 1. You may copy and distribute verbatim copies of the Library's
+complete source code as you receive it, in any medium, provided that
+you conspicuously and appropriately publish on each copy an
+appropriate copyright notice and disclaimer of warranty; keep intact
+all the notices that refer to this License and to the absence of any
+warranty; and distribute a copy of this License along with the
+Library.
+
+ You may charge a fee for the physical act of transferring a copy,
+and you may at your option offer warranty protection in exchange for a
+fee.
+�
+ 2. You may modify your copy or copies of the Library or any portion
+of it, thus forming a work based on the Library, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) The modified work must itself be a software library.
+
+ b) You must cause the files modified to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ c) You must cause the whole of the work to be licensed at no
+ charge to all third parties under the terms of this License.
+
+ d) If a facility in the modified Library refers to a function or a
+ table of data to be supplied by an application program that uses
+ the facility, other than as an argument passed when the facility
+ is invoked, then you must make a good faith effort to ensure that,
+ in the event an application does not supply such function or
+ table, the facility still operates, and performs whatever part of
+ its purpose remains meaningful.
+
+ (For example, a function in a library to compute square roots has
+ a purpose that is entirely well-defined independent of the
+ application. Therefore, Subsection 2d requires that any
+ application-supplied function or table used by this function must
+ be optional: if the application does not supply it, the square
+ root function must still compute square roots.)
+
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Library,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Library, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote
+it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Library.
+
+In addition, mere aggregation of another work not based on the Library
+with the Library (or with a work based on the Library) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3. You may opt to apply the terms of the ordinary GNU General Public
+License instead of this License to a given copy of the Library. To do
+this, you must alter all the notices that refer to this License, so
+that they refer to the ordinary GNU General Public License, version 2,
+instead of to this License. (If a newer version than version 2 of the
+ordinary GNU General Public License has appeared, then you can specify
+that version instead if you wish.) Do not make any other change in
+these notices.
+�
+ Once this change is made in a given copy, it is irreversible for
+that copy, so the ordinary GNU General Public License applies to all
+subsequent copies and derivative works made from that copy.
+
+ This option is useful when you wish to copy part of the code of
+the Library into a program that is not a library.
+
+ 4. You may copy and distribute the Library (or a portion or
+derivative of it, under Section 2) in object code or executable form
+under the terms of Sections 1 and 2 above provided that you accompany
+it with the complete corresponding machine-readable source code, which
+must be distributed under the terms of Sections 1 and 2 above on a
+medium customarily used for software interchange.
+
+ If distribution of object code is made by offering access to copy
+from a designated place, then offering equivalent access to copy the
+source code from the same place satisfies the requirement to
+distribute the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+ 5. A program that contains no derivative of any portion of the
+Library, but is designed to work with the Library by being compiled or
+linked with it, is called a "work that uses the Library". Such a
+work, in isolation, is not a derivative work of the Library, and
+therefore falls outside the scope of this License.
+
+ However, linking a "work that uses the Library" with the Library
+creates an executable that is a derivative of the Library (because it
+contains portions of the Library), rather than a "work that uses the
+library". The executable is therefore covered by this License.
+Section 6 states terms for distribution of such executables.
+
+ When a "work that uses the Library" uses material from a header file
+that is part of the Library, the object code for the work may be a
+derivative work of the Library even though the source code is not.
+Whether this is true is especially significant if the work can be
+linked without the Library, or if the work is itself a library. The
+threshold for this to be true is not precisely defined by law.
+
+ If such an object file uses only numerical parameters, data
+structure layouts and accessors, and small macros and small inline
+functions (ten lines or less in length), then the use of the object
+file is unrestricted, regardless of whether it is legally a derivative
+work. (Executables containing this object code plus portions of the
+Library will still fall under Section 6.)
+
+ Otherwise, if the work is a derivative of the Library, you may
+distribute the object code for the work under the terms of Section 6.
+Any executables containing that work also fall under Section 6,
+whether or not they are linked directly with the Library itself.
+�
+ 6. As an exception to the Sections above, you may also combine or
+link a "work that uses the Library" with the Library to produce a
+work containing portions of the Library, and distribute that work
+under terms of your choice, provided that the terms permit
+modification of the work for the customer's own use and reverse
+engineering for debugging such modifications.
+
+ You must give prominent notice with each copy of the work that the
+Library is used in it and that the Library and its use are covered by
+this License. You must supply a copy of this License. If the work
+during execution displays copyright notices, you must include the
+copyright notice for the Library among them, as well as a reference
+directing the user to the copy of this License. Also, you must do one
+of these things:
+
+ a) Accompany the work with the complete corresponding
+ machine-readable source code for the Library including whatever
+ changes were used in the work (which must be distributed under
+ Sections 1 and 2 above); and, if the work is an executable linked
+ with the Library, with the complete machine-readable "work that
+ uses the Library", as object code and/or source code, so that the
+ user can modify the Library and then relink to produce a modified
+ executable containing the modified Library. (It is understood
+ that the user who changes the contents of definitions files in the
+ Library will not necessarily be able to recompile the application
+ to use the modified definitions.)
+
+ b) Use a suitable shared library mechanism for linking with the
+ Library. A suitable mechanism is one that (1) uses at run time a
+ copy of the library already present on the user's computer system,
+ rather than copying library functions into the executable, and (2)
+ will operate properly with a modified version of the library, if
+ the user installs one, as long as the modified version is
+ interface-compatible with the version that the work was made with.
+
+ c) Accompany the work with a written offer, valid for at
+ least three years, to give the same user the materials
+ specified in Subsection 6a, above, for a charge no more
+ than the cost of performing this distribution.
+
+ d) If distribution of the work is made by offering access to copy
+ from a designated place, offer equivalent access to copy the above
+ specified materials from the same place.
+
+ e) Verify that the user has already received a copy of these
+ materials or that you have already sent this user a copy.
+
+ For an executable, the required form of the "work that uses the
+Library" must include any data and utility programs needed for
+reproducing the executable from it. However, as a special exception,
+the materials to be distributed need not include anything that is
+normally distributed (in either source or binary form) with the major
+components (compiler, kernel, and so on) of the operating system on
+which the executable runs, unless that component itself accompanies
+the executable.
+
+ It may happen that this requirement contradicts the license
+restrictions of other proprietary libraries that do not normally
+accompany the operating system. Such a contradiction means you cannot
+use both them and the Library together in an executable that you
+distribute.
+�
+ 7. You may place library facilities that are a work based on the
+Library side-by-side in a single library together with other library
+facilities not covered by this License, and distribute such a combined
+library, provided that the separate distribution of the work based on
+the Library and of the other library facilities is otherwise
+permitted, and provided that you do these two things:
+
+ a) Accompany the combined library with a copy of the same work
+ based on the Library, uncombined with any other library
+ facilities. This must be distributed under the terms of the
+ Sections above.
+
+ b) Give prominent notice with the combined library of the fact
+ that part of it is a work based on the Library, and explaining
+ where to find the accompanying uncombined form of the same work.
+
+ 8. You may not copy, modify, sublicense, link with, or distribute
+the Library except as expressly provided under this License. Any
+attempt otherwise to copy, modify, sublicense, link with, or
+distribute the Library is void, and will automatically terminate your
+rights under this License. However, parties who have received copies,
+or rights, from you under this License will not have their licenses
+terminated so long as such parties remain in full compliance.
+
+ 9. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Library or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Library (or any work based on the
+Library), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Library or works based on it.
+
+ 10. Each time you redistribute the Library (or any work based on the
+Library), the recipient automatically receives a license from the
+original licensor to copy, distribute, link with or modify the Library
+subject to these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties with
+this License.
+�
+ 11. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Library at all. For example, if a patent
+license would not permit royalty-free redistribution of the Library by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Library.
+
+If any portion of this section is held invalid or unenforceable under any
+particular circumstance, the balance of the section is intended to apply,
+and the section as a whole is intended to apply in other circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+ 12. If the distribution and/or use of the Library is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Library under this License may add
+an explicit geographical distribution limitation excluding those countries,
+so that distribution is permitted only in or among countries not thus
+excluded. In such case, this License incorporates the limitation as if
+written in the body of this License.
+
+ 13. The Free Software Foundation may publish revised and/or new
+versions of the Lesser General Public License from time to time.
+Such new versions will be similar in spirit to the present version,
+but may differ in detail to address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Library
+specifies a version number of this License which applies to it and
+"any later version", you have the option of following the terms and
+conditions either of that version or of any later version published by
+the Free Software Foundation. If the Library does not specify a
+license version number, you may choose any version ever published by
+the Free Software Foundation.
+�
+ 14. If you wish to incorporate parts of the Library into other free
+programs whose distribution conditions are incompatible with these,
+write to the author to ask for permission. For software which is
+copyrighted by the Free Software Foundation, write to the Free
+Software Foundation; we sometimes make exceptions for this. Our
+decision will be guided by the two goals of preserving the free status
+of all derivatives of our free software and of promoting the sharing
+and reuse of software generally.
+
+ NO WARRANTY
+
+ 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO
+WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
+EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR
+OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY
+KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
+LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME
+THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+ 16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN
+WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY
+AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU
+FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR
+CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE
+LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING
+RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A
+FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF
+SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
+DAMAGES.
+
+ END OF TERMS AND CONDITIONS
+�
+ How to Apply These Terms to Your New Libraries
+
+ If you develop a new library, and you want it to be of the greatest
+possible use to the public, we recommend making it free software that
+everyone can redistribute and change. You can do so by permitting
+redistribution under these terms (or, alternatively, under the terms of the
+ordinary General Public License).
+
+ To apply these terms, attach the following notices to the library. It is
+safest to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least the
+"copyright" line and a pointer to where the full notice is found.
+
+ <one line to give the library's name and a brief idea of what it does.>
+ Copyright (C) <year> <name of author>
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with this library; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+
+Also add information on how to contact you by electronic and paper mail.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the library, if
+necessary. Here is a sample; alter the names:
+
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the
+ library `Frob' (a library for tweaking knobs) written by James Random Hacker.
+
+ <signature of Ty Coon>, 1 April 1990
+ Ty Coon, President of Vice
+
+That's all there is to it!
+
+
diff --git a/ChangeLog b/ChangeLog
new file mode 100644
index 0000000..8d9c9c0
--- /dev/null
+++ b/ChangeLog
@@ -0,0 +1,750 @@
+2.1.0 2011-07-27
+ * Release, minor version bump
+
+2.0.46 2011-07-25
+ * Add role attribute support by Harry Ciao
+
+2.0.45 2011-05-02
+ * Warn if filename_trans rules are dropped by Steve Lawrence.
+
+2.0.44 2011-04-13
+ * Fixes for new role_transition class field by Eric Paris.
+ * Add libsepol support for filename_trans rules by Eric Paris.
+
+2.0.43 2011-04-11
+ * Add new class field in role_transition by Harry Ciao.
+
+2.0.42 2010-12-16
+ * Fix compliation under GCC 4.6 by Justin Mattock
+
+2.0.41 2009-11-18
+ * Fixed typo in error message from Manoj Srivastava.
+
+2.0.40 2009-10-29
+ * Add pkgconfig file from Eamon Walsh.
+
+2.0.39 2009-10-14
+ * Add support for building Xen policies from Paul Nuzzi.
+
+2.0.38 2009-09-01
+ * Check last offset in the module package against the file size.
+ Reported by Manoj Srivastava for bug filed by Max Kellermann.
+
+2.0.37 2009-07-07
+ * Add method to check disable dontaudit flag from Christopher Pardy.
+
+2.0.36 2009-03-25
+ * Fix boolean state smashing from Joshua Brindle.
+
+2.0.35 2009-02-19
+ * Fix alias field in module format, caused by boundary format change
+ from Caleb Case.
+
+2.0.34 2008-10-09
+ * Add bounds support from KaiGai Kohei.
+ * Fix invalid aliases bug from Joshua Brindle.
+
+2.0.33 2008-09-29
+ * Revert patch that removed expand_rule.
+
+2.0.32 2008-07-07
+ * Allow require then declare in the source policy from Joshua Brindle.
+
+2.0.31 2008-06-13
+ * Fix mls_semantic_level_expand() to handle a user require w/o MLS information from Stephen Smalley.
+
+2.0.30 2008-06-06
+ * Fix endianness bug in the handling of network node addresses from Stephen Smalley.
+ Only affects big endian platforms.
+ Bug reported by John Weeks of Sun upon policy mismatch between x86 and sparc.
+
+2.0.29 2008-05-27
+ * Merge user and role mapping support from Joshua Brindle.
+
+2.0.28 2008-05-05
+ * Fix mls_level_convert() to gracefully handle an empty user declaration/require from Stephen Smalley.
+
+2.0.27 2008-04-18
+ * Belatedly merge test for policy downgrade from Todd Miller.
+
+2.0.26 2008-03-24
+ * Add permissive domain support from Eric Paris.
+
+2.0.25 2008-03-04
+ * Drop unused ->buffer field from struct policy_file.
+
+2.0.24 2008-03-04
+ * Add policy_file_init() initalizer for struct policy_file and use it, from Todd C. Miller.
+
+2.0.23 2008-02-28
+ * Accept "Flask" as an alternate identifier string in kernel policies from Stephen Smalley.
+
+2.0.22 2008-02-28
+ * Add support for open_perms policy capability from Eric Paris.
+
+2.0.21 2008-02-20
+ * Fix invalid memory allocation in policydb_index_others() from Jason Tang.
+
+2.0.20 2008-02-04
+ * Port of Yuichi Nakamura's tune avtab to reduce memory usage patch from the kernel avtab to libsepol from Stephen Smalley.
+
+2.0.19 2008-02-02
+ * Add support for consuming avrule_blocks during expansion to reduce
+ peak memory usage from Joshua Brindle.
+
+2.0.18 2008-01-02
+ * Added support for policy capabilities from Todd Miller.
+
+2.0.17 2007-12-21
+ * Prevent generation of policy.18 with MLS enabled from Todd Miller.
+
+2.0.16 2007-12-07
+ * print module magic number in hex on mismatch, from Todd Miller.
+
+2.0.15 2007-11-29
+ * clarify and reduce neverallow error reporting from Stephen Smalley.
+
+2.0.14 2007-11-05
+ * Reject self aliasing at link time from Stephen Smalley.
+
+2.0.13 2007-11-05
+ * Allow handle_unknown in base to be overridden by semanage.conf from Stephen Smalley.
+
+2.0.12 2007-10-11
+ * Fixed bug in require checking from Stephen Smalley.
+ * Added user hierarchy checking from Todd Miller.
+
+2.0.11 2007-09-24
+ * Pass CFLAGS to CC even on link command, per Dennis Gilmore.
+
+2.0.10 2007-09-18
+ * Merged support for the handle_unknown policydb flag from Eric Paris.
+
+2.0.9 2007-08-29
+ * Moved next_entry and put_entry out-of-line to reduce code size from Ulrich Drepper.
+
+2.0.8 2007-08-28
+ * Fixed module_package_read_offsets bug introduced by the prior patch.
+
+2.0.7 2007-08-23
+ * Eliminate unaligned accesses from policy reading code from Stephen Smalley.
+
+2.0.6 2007-08-16
+ * Allow dontaudits to be turned off during policy expansion from
+ Joshua Brindle.
+
+2.0.5 2007-08-01
+ * Fix sepol_context_clone to handle a NULL context correctly.
+ This happens for e.g. semanage_fcontext_set_con(sh, fcontext, NULL)
+ to set the file context entry to "<<none>>".
+
+2.0.4 2007-06-20
+ * Merged error handling patch from Eamon Walsh.
+
+2.0.3 2007-04-13
+ * Merged add boolmap argument to expand_module_avrules() from Chris PeBenito.
+
+2.0.2 2007-03-30
+ * Merged fix from Karl to remap booleans at expand time to
+ avoid holes in the symbol table.
+
+2.0.1 2007-02-06
+ * Merged libsepol segfault fix from Stephen Smalley for when
+ sensitivities are required but not present in the base.
+
+2.0.0 2007-02-01
+ * Merged patch to add errcodes.h to libsepol by Karl MacMillan.
+
+1.16.0 2007-01-18
+ * Updated version for stable branch.
+
+1.15.3 2006-11-27
+ * Merged patch to compile wit -fPIC instead of -fpic from
+ Manoj Srivastava to prevent hitting the global offest table
+ limit. Patch changed to include libselinux and libsemanage in
+ addition to libselinux.
+1.15.2 2006-10-31
+ * Merged fix from Karl MacMillan for a segfault when linking
+ non-MLS modules with users in them.
+
+1.15.1 2006-10-24
+ * Merged fix for version comparison that was preventing range
+ transition rules from being written for a version 5 base policy
+ from Darrel Goeddel.
+
+1.14 2006-10-17
+ * Updated version for release.
+
+1.12.28 2006-09-28
+ * Build libsepol's static object files with -fpic
+
+1.12.27 2006-09-28
+ * Merged mls user and range_transition support in modules
+ from Darrel Goeddel
+
+1.12.26 2006-09-05
+ * Merged range transition enhancements and user format changes
+ Darrel Goeddel
+
+1.12.25 2006-08-24
+ * Merged conditionally expand neverallows patch from Jeremy Mowery.
+ * Merged refactor expander patch from Jeremy Mowery.
+
+1.12.24 2006-08-03
+ * Merged libsepol unit tests from Joshua Brindle.
+
+1.12.23 2006-08-03
+ * Merged symtab datum patch from Karl MacMillan.
+
+1.12.22 2006-08-03
+ * Merged netfilter contexts support from Chris PeBenito.
+
+1.12.21 2006-07-28
+ * Merged helpful hierarchy check errors patch from Joshua Brindle.
+
+1.12.20 2006-07-25
+ * Merged semodule_deps patch from Karl MacMillan.
+ This adds source module names to the avrule decls.
+
+1.12.19 2006-06-29
+ * Lindent.
+
+1.12.18 2006-06-26
+ * Merged optionals in base take 2 patch set from Joshua Brindle.
+
+1.12.17 2006-05-30
+ * Revert 1.12.16.
+
+1.12.16 2006-05-30
+ * Merged cleaner fix for bool_ids overflow from Karl MacMillan,
+ replacing the prior patch.
+
+1.12.15 2006-05-30
+ * Merged fixes for several memory leaks in the error paths during
+ policy read from Serge Hallyn.
+
+1.12.14 2006-05-25
+ * Fixed bool_ids overflow bug in cond_node_find and cond_copy_list,
+ based on bug report and suggested fix by Cedric Roux.
+
+1.12.13 2006-05-24
+ * Merged sens_copy_callback, check_role_hierarchy_callback,
+ and node_from_record fixes from Serge Hallyn.
+
+1.12.12 2006-05-22
+ * Added sepol_policydb_compat_net() interface for testing whether
+ a policy requires the compatibility support for network checks
+ to be enabled in the kernel.
+
+1.12.11 2006-05-17
+ * Merged patch to initialize sym_val_to_name arrays from Kevin Carr.
+ Reworked to use calloc in the first place, and converted some other
+ malloc/memset pairs to calloc calls.
+
+1.12.10 2006-05-08
+ * Merged patch to revert role/user decl upgrade from Karl MacMillan.
+
+1.12.9 2006-05-08
+ * Dropped tests from all Makefile target.
+
+1.12.8 2006-05-05
+ * Merged fix warnings patch from Karl MacMillan.
+
+1.12.7 2006-05-05
+ * Merged libsepol test framework patch from Karl MacMillan.
+
+1.12.6 2006-04-28
+ * Fixed cond_normalize to traverse the entire cond list at link time.
+
+1.12.5 2006-04-03
+ * Merged fix for leak of optional package sections from Ivan Gyurdiev.
+
+1.12.4 2006-03-29
+ * Generalize test for bitmap overflow in ebitmap_set_bit.
+
+1.12.3 2006-03-27
+ * Fixed attr_convert_callback and expand_convert_type_set
+ typemap bug.
+
+1.12.2 2006-03-24
+ * Fixed avrule_block_write num_decls endian bug.
+
+1.12.1 2006-03-20
+ * Fixed sepol_module_package_write buffer overflow bug.
+
+1.12 2006-03-14
+ * Updated version for release.
+
+1.11.20 2006-03-08
+ * Merged cond_evaluate_expr fix from Serge Hallyn (IBM).
+ * Fixed bug in copy_avrule_list reported by Ivan Gyurdiev.
+
+1.11.19 2006-02-21
+ * Merged sepol_policydb_mls_enabled interface and error handling
+ changes from Ivan Gyurdiev.
+
+1.11.18 2006-02-16
+ * Merged node_expand_addr bugfix and node_compare* change from
+ Ivan Gyurdiev.
+
+1.11.17 2006-02-15
+ * Merged nodes, ports: always prepend patch from Ivan Gyurdiev.
+ * Merged bug fix patch from Ivan Gyurdiev.
+
+1.11.16 2006-02-14
+ * Added a defined flag to level_datum_t for use by checkpolicy.
+
+1.11.15 2006-02-14
+ * Merged nodecon support patch from Ivan Gyurdiev.
+ * Merged cleanups patch from Ivan Gyurdiev.
+
+1.11.14 2006-02-13
+ * Merged optionals in base patch from Joshua Brindle.
+
+1.11.13 2006-02-07
+ * Merged seuser/user_extra support patch from Joshua Brindle.
+ * Merged fix patch from Ivan Gyurdiev.
+
+1.11.12 2006-02-02
+ * Merged clone record on set_con patch from Ivan Gyurdiev.
+
+1.11.11 2006-02-01
+ * Merged assertion copying bugfix from Joshua Brindle.
+ * Merged sepol_av_to_string patch from Joshua Brindle.
+
+1.11.10 2006-01-30
+ * Merged cond_expr mapping and package section count bug fixes
+ from Joshua Brindle.
+ * Merged improve port/fcontext API patch from Ivan Gyurdiev.
+ * Merged fixes for overflow bugs on 64-bit from Ivan Gyurdiev.
+
+1.11.9 2006-01-12
+ * Merged size_t -> unsigned int patch from Ivan Gyurdiev.
+
+1.11.8 2006-01-09
+ * Merged 2nd const in APIs patch from Ivan Gyurdiev.
+
+1.11.7 2006-01-06
+ * Merged const in APIs patch from Ivan Gyurdiev.
+ * Merged compare2 function patch from Ivan Gyurdiev.
+
+1.11.6 2006-01-06
+ * Fixed hierarchy checker to only check allow rules.
+
+1.11.5 2006-01-05
+ * Merged further fixes from Russell Coker, specifically:
+ - av_to_string overflow checking
+ - sepol_context_to_string error handling
+ - hierarchy checking memory leak fixes and optimizations
+ - avrule_block_read variable initialization
+ * Marked deprecated code in genbools and genusers.
+
+1.11.4 2006-01-05
+ * Merged bugfix for sepol_port_modify from Russell Coker.
+
+1.11.3 2006-01-05
+ * Fixed bug in sepol_iface_modify error path noted by Ivan Gyurdiev.
+ * Merged port ordering patch from Ivan Gyurdiev.
+
+1.11.2 2006-01-04
+ * Merged patch series from Ivan Gyurdiev.
+ This includes patches to:
+ - support ordering of records in compare function
+ - enable port interfaces
+ - add interfaces for context validity and range checks
+ - add include guards
+
+1.11.1 2005-12-16
+ * Fixed mls_range_cpy bug.
+
+1.10 2005-12-07
+ * Updated version for release.
+
+1.9.42 2005-12-05
+ * Dropped handle from user_del_role interface.
+
+1.9.41 2005-11-28
+ * Merged remove defrole from sepol patch from Ivan Gyurdiev.
+
+1.9.40 2005-11-15
+ * Merged module function and map file cleanup from Ivan Gyurdiev.
+ * Merged MLS and genusers cleanups from Ivan Gyurdiev.
+
+1.9.39 2005-11-09
+ Prepare for removal of booleans* and *.users files.
+ * Cleaned up sepol_genbools to not regenerate the image if
+ there were no changes in the boolean values, including the
+ degenerate case where there are no booleans or booleans.local
+ files.
+ * Cleaned up sepol_genusers to not warn on missing local.users.
+
+1.9.38 2005-11-08
+ * Removed sepol_port_* from libsepol.map, as the port interfaces
+ are not yet stable.
+
+1.9.37 2005-11-04
+ * Merged context destroy cleanup patch from Ivan Gyurdiev.
+
+1.9.36 2005-11-03
+ * Merged context_to_string interface change patch from Ivan Gyurdiev.
+
+1.9.35 2005-11-01
+ * Added src/dso.h and src/*_internal.h.
+ Added hidden_def for exported symbols used within libsepol.
+ Added hidden for symbols that should not be exported by
+ the wildcards in libsepol.map.
+
+1.9.34 2005-10-31
+ * Merged record interface, record bugfix, and set_roles patches
+ from Ivan Gyurdiev.
+
+1.9.33 2005-10-27
+ * Merged count specification change from Ivan Gyurdiev.
+
+1.9.32 2005-10-26
+ * Added further checking and error reporting to
+ sepol_module_package_read and _info.
+
+1.9.31 2005-10-26
+ * Merged sepol handle passing, DEBUG conversion, and memory leak
+ fix patches from Ivan Gyurdiev.
+
+1.9.30 2005-10-25
+ * Removed processing of system.users from sepol_genusers and
+ dropped delusers logic.
+
+1.9.29 2005-10-25
+ * Removed policydb_destroy from error path of policydb_read,
+ since create/init/destroy/free of policydb is handled by the
+ caller now.
+ * Fixed sepol_module_package_read to handle a failed policydb_read
+ properly.
+
+1.9.28 2005-10-25
+ * Merged query/exists and count patches from Ivan Gyurdiev.
+
+1.9.27 2005-10-25
+ * Merged fix for pruned types in expand code from Joshua Brindle.
+ * Merged new module package format code from Joshua Brindle.
+
+1.9.26 2005-10-24
+ * Merged context interface cleanup, record conversion code,
+ key passing, and bug fix patches from Ivan Gyurdiev.
+
+1.9.25 2005-10-21
+ * Merged users cleanup patch from Ivan Gyurdiev.
+
+1.9.24 2005-10-21
+ * Merged user record memory leak fix from Ivan Gyurdiev.
+ * Merged reorganize users patch from Ivan Gyurdiev.
+
+1.9.23 2005-10-19
+ * Added check flag to expand_module() to control assertion
+ and hierarchy checking on expansion.
+
+1.9.22 2005-10-19
+ * Reworked check_assertions() and hierarchy_check_constraints()
+ to take handles and use callback-based error reporting.
+ * Changed expand_module() to call check_assertions() and
+ hierarchy_check_constraints() prior to returning the expanded
+ policy.
+
+1.9.21 2005-10-18
+ * Changed sepol_module_package_set_file_contexts to copy the
+ file contexts data since it is internally managed.
+
+1.9.20 2005-10-18
+ * Added sepol_policy_file_set_handle interface to associate
+ a handle with a policy file.
+ * Added handle argument to policydb_from_image/to_image.
+ * Added sepol_module_package_set_file_contexts interface.
+ * Dropped sepol_module_package_create_file interface.
+ * Reworked policydb_read/write, policydb_from_image/to_image,
+ and sepol_module_package_read/write to use callback-based error
+ reporting system rather than DEBUG.
+
+1.9.19 2005-10-17
+ * Reworked link_packages, link_modules, and expand_module to use
+ callback-based error reporting system rather than error buffering.
+
+1.9.18 2005-10-14
+ * Merged conditional expression mapping fix in the module linking
+ code from Joshua Brindle.
+
+1.9.17 2005-10-13
+ * Hid sepol_module_package type definition, and added get interfaces.
+
+1.9.16 2005-10-13
+ * Merged new callback-based error reporting system from Ivan
+ Gyurdiev.
+
+1.9.15 2005-10-13
+ * Merged support for require blocks inside conditionals from
+ Joshua Brindle (Tresys).
+
+1.9.14 2005-10-07
+ * Fixed use of policydb_from_image/to_image to ensure proper
+ init of policydb.
+
+1.9.13 2005-10-07
+ * Isolated policydb internal headers under <sepol/policydb/*.h>.
+ These headers should only be used by users of the static libsepol.
+ Created new <sepol/policydb.h> with new public types and interfaces
+ for shared libsepol.
+ Created new <sepol/module.h> with public types and interfaces moved
+ or wrapped from old module.h, link.h, and expand.h, adjusted for
+ new public types for policydb and policy_file.
+ Added public interfaces to libsepol.map.
+ Some implementation changes visible to users of the static libsepol:
+ 1) policydb_read no longer calls policydb_init.
+ Caller must do so first.
+ 2) policydb_init no longer takes policy_type argument.
+ Caller must set policy_type separately.
+ 3) expand_module automatically enables the global branch.
+ Caller no longer needs to do so.
+ 4) policydb_write uses the policy_type and policyvers from the
+ policydb itself, and sepol_set_policyvers() has been removed.
+
+1.9.12 2005-10-06
+ * Merged function renaming and static cleanup from Ivan Gyurdiev.
+
+1.9.11 2005-10-05
+ * Merged bug fix for check_assertions handling of no assertions
+ from Joshua Brindle (Tresys).
+
+1.9.10 2005-10-04
+ * Merged iterate patch from Ivan Gyurdiev.
+
+1.9.9 2005-10-03
+ * Merged MLS in modules patch from Joshua Brindle (Tresys).
+
+1.9.8 2005-09-30
+ * Merged pointer typedef elimination patch from Ivan Gyurdiev.
+ * Merged user list function, new mls functions, and bugfix patch
+ from Ivan Gyurdiev.
+
+1.9.7 2005-09-28
+ * Merged sepol_get_num_roles fix from Karl MacMillan (Tresys).
+
+1.9.6 2005-09-23
+ * Merged bug fix patches from Joshua Brindle (Tresys).
+
+1.9.5 2005-09-21
+ * Merged boolean record and memory leak fix patches from Ivan
+ Gyurdiev.
+
+1.9.4 2005-09-19
+ * Merged interface record patch from Ivan Gyurdiev.
+
+1.9.3 2005-09-14
+ * Merged fix for sepol_enable/disable_debug from Ivan
+ Gyurdiev.
+
+1.9.2 2005-09-14
+ * Merged stddef.h patch and debug conversion patch from
+ Ivan Gyurdiev.
+
+1.9.1 2005-09-09
+ * Fixed expand_avtab and expand_cond_av_list to keep separate
+ entries with identical keys but different enabled flags.
+
+1.8 2005-09-06
+ * Updated version for release.
+
+1.7.24 2005-08-31
+ * Fixed symtab_insert return value for duplicate declarations.
+
+1.7.23 2005-08-31
+ * Merged fix for memory error in policy_module_destroy from
+ Jason Tang (Tresys).
+
+1.7.22 2005-08-26
+ * Merged fix for memory leak in sepol_context_to_sid from
+ Jason Tang (Tresys).
+
+1.7.21 2005-08-25
+ * Merged fixes for resource leaks on error paths and
+ change to scope_destroy from Joshua Brindle (Tresys).
+
+1.7.20 2005-08-23
+ * Merged more fixes for resource leaks on error paths
+ from Serge Hallyn (IBM). Bugs found by Coverity.
+
+1.7.19 2005-08-19
+ * Changed to treat all type conflicts as fatal errors.
+
+1.7.18 2005-08-18
+ * Merged several error handling fixes from
+ Serge Hallyn (IBM). Bugs found by Coverity.
+
+1.7.17 2005-08-15
+ * Fixed further memory leaks found by valgrind.
+
+1.7.16 2005-08-15
+ * Fixed several memory leaks found by valgrind.
+
+1.7.15 2005-08-12
+ * Fixed empty list test in cond_write_av_list. Bug found by
+ Coverity, reported by Serge Hallyn (IBM).
+ * Merged patch to policydb_write to check errors
+ when writing the type->attribute reverse map from
+ Serge Hallyn (IBM). Bug found by Coverity.
+ * Fixed policydb_destroy to properly handle NULL type_attr_map
+ or attr_type_map.
+
+1.7.14 2005-08-12
+ * Fixed use of uninitialized data by expand_avtab_node by
+ clearing type_val_to_struct in policydb_index_others.
+
+1.7.13 2005-08-11
+ * Improved memory use by SELinux by both reducing the avtab
+ node size and reducing the number of avtab nodes (by not
+ expanding attributes in TE rules when possible). Added
+ expand_avtab and expand_cond_av_list functions for use by
+ assertion checker, hierarchy checker, compatibility code,
+ and dispol. Added new inline ebitmap operators and converted
+ existing users of ebitmaps to the new operators for greater
+ efficiency.
+ Note: The binary policy format version has been incremented to
+ version 20 as a result of these changes.
+
+1.7.12 2005-08-10
+ * Fixed bug in constraint_node_clone handling of name sets.
+
+1.7.11 2005-08-08
+ * Fix range_trans_clone to map the type values properly.
+
+1.7.10 2005-08-02
+ * Merged patch to move module read/write code from libsemanage
+ to libsepol from Jason Tang (Tresys).
+
+1.7.9 2005-08-02
+ * Enabled further compiler warning flags and fixed them.
+
+1.7.8 2005-08-02
+ * Merged user, context, port records patch from Ivan Gyurdiev.
+ * Merged key extract function patch from Ivan Gyurdiev.
+
+1.7.7 2005-07-27
+ * Merged mls_context_to_sid bugfix from Ivan Gyurdiev.
+
+1.7.6 2005-07-26
+ * Merged context reorganization, memory leak fixes,
+ port and interface loading, replacements for genusers and
+ genbools, debug traceback, and bugfix patches from Ivan Gyurdiev.
+ * Merged uninitialized variable bugfix from Dan Walsh.
+
+1.7.5 2005-07-18
+ * Merged debug support, policydb conversion functions from Ivan Gyurdiev (Red Hat).
+ * Removed genpolbools and genpolusers utilities.
+
+1.7.4 2005-07-18
+ * Merged hierarchy check fix from Joshua Brindle (Tresys).
+
+1.7.3 2005-07-13
+ * Merged header file cleanup and memory leak fix from Ivan Gyurdiev (Red Hat).
+
+1.7.2 2005-07-11
+ * Merged genbools debugging message cleanup from Red Hat.
+
+1.7.1 2005-07-06
+ * Merged loadable module support from Tresys Technology.
+
+1.6 2005-06-20
+ * Updated version for release.
+
+1.5.10 2005-05-19
+ * License changed to LGPL v2.1, see COPYING.
+
+1.5.9 2005-05-16
+ * Added sepol_genbools_policydb and sepol_genusers_policydb for
+ audit2why.
+
+1.5.8 2005-05-13
+ * Added sepol_ prefix to Flask types to avoid
+ namespace collision with libselinux.
+
+1.5.7 2005-05-13
+ * Added sepol_compute_av_reason() for audit2why.
+
+1.5.6 2005-04-25
+ * Fixed bug in role hierarchy checker.
+
+1.5.5 2005-04-13
+ * Merged hierarchical type/role patch from Tresys Technology.
+ * Merged MLS fixes from Darrel Goeddel of TCS.
+
+1.5.4 2005-04-13
+ * Changed sepol_genusers to not delete users by default,
+ and added a sepol_set_delusers function to enable deletion.
+ Also, removed special case handling of system_u and user_u.
+
+1.5.3 2005-03-29
+ * Merged booleans.local patch from Dan Walsh.
+
+1.5.2 2005-03-16
+ * Added man page for sepol_check_context.
+
+1.5.1 2005-03-15
+ * Added man page for sepol_genusers function.
+ * Merged man pages for genpolusers and chkcon from Manoj Srivastava.
+
+1.4 2005-03-09
+ * Updated version for release.
+
+1.3.8 2005-03-08
+ * Cleaned up error handling in sepol_genusers and sepol_genbools.
+
+1.3.7 2005-02-28
+ * Merged sepol_debug and fclose patch from Dan Walsh.
+
+1.3.6 2005-02-22
+ * Changed sepol_genusers to also use getline and correctly handle
+ EOL.
+
+1.3.5 2005-02-17
+ * Merged range_transition support from Darrel Goeddel (TCS).
+
+1.3.4 2005-02-16
+ * Added sepol_genusers function.
+
+1.3.3 2005-02-14
+ * Merged endianness and compute_av patches from Darrel Goeddel (TCS).
+
+1.3.2 2005-02-09
+ * Changed relabel Makefile target to use restorecon.
+
+1.3.1 2005-01-26
+ * Merged enhanced MLS support from Darrel Goeddel (TCS).
+
+1.2.1 2005-01-19
+ * Merged build fix patch from Manoj Srivastava.
+
+1.2 2004-10-07
+ * MLS build fixes.
+ * Added sepol_set_policydb_from_file and sepol_check_context for setfiles.
+
+1.0 2004-08-19
+ * Initial public release.
+
+0.4 2004-08-13
+ * Merged patch from Dan Walsh to ignore case on booleans.
+ * Changed sepol_genbools* to preserve the original policy version.
+ * Replaced exported global variables with set functions.
+ * Moved genpolbools utility from checkpolicy to libsepol.
+ * Added man pages for sepol_genbools* and genpolbools.
+
+0.3 2004-08-10
+ * Added ChangeLog, COPYING, spec file.
+ * Added sepol_genbools_array() for load_policy.
+ * Created libsepol.map to limit exported symbols in shared library.
+
+0.2 2004-08-09
+ * Exported other functions for checkpolicy and friends.
+ * Renamed service and sidtab functions to avoid libselinux conflict.
+ * Removed original code from checkpolicy, which now uses libsepol.
+ * Code cleanup: kill legacy references to kernel types/functions.
+
+0.1 2004-08-06
+ * Moved checkpolicy core logic into a library.
+ * Exported sepol_genbools() for load_policy.
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..d526965
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,26 @@
+all:
+ $(MAKE) -C src
+ $(MAKE) -C utils
+
+install:
+ $(MAKE) -C include install
+ $(MAKE) -C src install
+ $(MAKE) -C utils install
+ $(MAKE) -C man install
+
+relabel:
+ $(MAKE) -C src relabel
+
+clean:
+ $(MAKE) -C src clean
+ $(MAKE) -C utils clean
+ $(MAKE) -C tests clean
+
+indent:
+ $(MAKE) -C src $@
+ $(MAKE) -C include $@
+ $(MAKE) -C utils $@
+
+test:
+ $(MAKE) -C tests test
+
diff --git a/VERSION b/VERSION
new file mode 100644
index 0000000..7ec1d6d
--- /dev/null
+++ b/VERSION
@@ -0,0 +1 @@
+2.1.0
diff --git a/include/Makefile b/include/Makefile
new file mode 100644
index 0000000..0cd00ab
--- /dev/null
+++ b/include/Makefile
@@ -0,0 +1,12 @@
+# Installation directories.
+PREFIX ?= $(DESTDIR)/usr
+INCDIR ?= $(PREFIX)/include/sepol
+
+install:
+ test -d $(INCDIR) || install -m 755 -d $(INCDIR)
+ test -d $(INCDIR)/policydb || install -m 755 -d $(INCDIR)/policydb
+ install -m 644 $(wildcard sepol/*.h) $(INCDIR)
+ install -m 644 $(wildcard sepol/policydb/*.h) $(INCDIR)/policydb
+
+indent:
+ ../../scripts/Lindent $(wildcard sepol/*.h)
diff --git a/include/sepol/boolean_record.h b/include/sepol/boolean_record.h
new file mode 100644
index 0000000..54ca021
--- /dev/null
+++ b/include/sepol/boolean_record.h
@@ -0,0 +1,51 @@
+#ifndef _SEPOL_BOOLEAN_RECORD_H_
+#define _SEPOL_BOOLEAN_RECORD_H_
+
+#include <stddef.h>
+#include <sepol/handle.h>
+
+struct sepol_bool;
+struct sepol_bool_key;
+typedef struct sepol_bool sepol_bool_t;
+typedef struct sepol_bool_key sepol_bool_key_t;
+
+/* Key */
+extern int sepol_bool_key_create(sepol_handle_t * handle,
+ const char *name, sepol_bool_key_t ** key);
+
+extern void sepol_bool_key_unpack(const sepol_bool_key_t * key,
+ const char **name);
+
+extern int sepol_bool_key_extract(sepol_handle_t * handle,
+ const sepol_bool_t * boolean,
+ sepol_bool_key_t ** key_ptr);
+
+extern void sepol_bool_key_free(sepol_bool_key_t * key);
+
+extern int sepol_bool_compare(const sepol_bool_t * boolean,
+ const sepol_bool_key_t * key);
+
+extern int sepol_bool_compare2(const sepol_bool_t * boolean,
+ const sepol_bool_t * boolean2);
+
+/* Name */
+extern const char *sepol_bool_get_name(const sepol_bool_t * boolean);
+
+extern int sepol_bool_set_name(sepol_handle_t * handle,
+ sepol_bool_t * boolean, const char *name);
+
+/* Value */
+extern int sepol_bool_get_value(const sepol_bool_t * boolean);
+
+extern void sepol_bool_set_value(sepol_bool_t * boolean, int value);
+
+/* Create/Clone/Destroy */
+extern int sepol_bool_create(sepol_handle_t * handle, sepol_bool_t ** bool_ptr);
+
+extern int sepol_bool_clone(sepol_handle_t * handle,
+ const sepol_bool_t * boolean,
+ sepol_bool_t ** bool_ptr);
+
+extern void sepol_bool_free(sepol_bool_t * boolean);
+
+#endif
diff --git a/include/sepol/booleans.h b/include/sepol/booleans.h
new file mode 100644
index 0000000..95ee7de
--- /dev/null
+++ b/include/sepol/booleans.h
@@ -0,0 +1,59 @@
+#ifndef _SEPOL_BOOLEANS_H_
+#define _SEPOL_BOOLEANS_H_
+
+#include <stddef.h>
+#include <sepol/policydb.h>
+#include <sepol/boolean_record.h>
+#include <sepol/handle.h>
+
+/*--------------compatibility--------------*/
+
+/* Given an existing binary policy (starting at 'data', with length 'len')
+ and a boolean configuration file named by 'boolpath', rewrite the binary
+ policy for the boolean settings in the boolean configuration file.
+ The binary policy is rewritten in place in memory.
+ Returns 0 upon success, or -1 otherwise. */
+extern int sepol_genbools(void *data, size_t len, char *boolpath);
+
+/* Given an existing binary policy (starting at 'data', with length 'len')
+ and boolean settings specified by the parallel arrays ('names', 'values')
+ with 'nel' elements, rewrite the binary policy for the boolean settings.
+ The binary policy is rewritten in place in memory.
+ Returns 0 upon success or -1 otherwise. */
+extern int sepol_genbools_array(void *data, size_t len,
+ char **names, int *values, int nel);
+/*---------------end compatbility------------*/
+
+/* Set the specified boolean */
+extern int sepol_bool_set(sepol_handle_t * handle,
+ sepol_policydb_t * policydb,
+ const sepol_bool_key_t * key,
+ const sepol_bool_t * data);
+
+/* Return the number of booleans */
+extern int sepol_bool_count(sepol_handle_t * handle,
+ const sepol_policydb_t * p, unsigned int *response);
+
+/* Check if the specified boolean exists */
+extern int sepol_bool_exists(sepol_handle_t * handle,
+ const sepol_policydb_t * policydb,
+ const sepol_bool_key_t * key, int *response);
+
+/* Query a boolean - returns the boolean, or NULL if not found */
+extern int sepol_bool_query(sepol_handle_t * handle,
+ const sepol_policydb_t * p,
+ const sepol_bool_key_t * key,
+ sepol_bool_t ** response);
+
+/* Iterate the booleans
+ * The handler may return:
+ * -1 to signal an error condition,
+ * 1 to signal successful exit
+ * 0 to signal continue */
+
+extern int sepol_bool_iterate(sepol_handle_t * handle,
+ const sepol_policydb_t * policydb,
+ int (*fn) (const sepol_bool_t * boolean,
+ void *fn_arg), void *arg);
+
+#endif
diff --git a/include/sepol/context.h b/include/sepol/context.h
new file mode 100644
index 0000000..c1eadca
--- /dev/null
+++ b/include/sepol/context.h
@@ -0,0 +1,25 @@
+#ifndef _SEPOL_CONTEXT_H_
+#define _SEPOL_CONTEXT_H_
+
+#include <sepol/context_record.h>
+#include <sepol/policydb.h>
+#include <sepol/handle.h>
+
+/* -- Deprecated -- */
+
+extern int sepol_check_context(const char *context);
+
+/* -- End deprecated -- */
+
+extern int sepol_context_check(sepol_handle_t * handle,
+ const sepol_policydb_t * policydb,
+ const sepol_context_t * context);
+
+extern int sepol_mls_contains(sepol_handle_t * handle,
+ const sepol_policydb_t * policydb,
+ const char *mls1,
+ const char *mls2, int *response);
+
+extern int sepol_mls_check(sepol_handle_t * handle,
+ const sepol_policydb_t * policydb, const char *mls);
+#endif
diff --git a/include/sepol/context_record.h b/include/sepol/context_record.h
new file mode 100644
index 0000000..c305480
--- /dev/null
+++ b/include/sepol/context_record.h
@@ -0,0 +1,53 @@
+#ifndef _SEPOL_CONTEXT_RECORD_H_
+#define _SEPOL_CONTEXT_RECORD_H_
+
+#include <sepol/handle.h>
+
+struct sepol_context;
+typedef struct sepol_context sepol_context_t;
+
+/* We don't need a key, because the context is never stored
+ * in a data collection by itself */
+
+/* User */
+extern const char *sepol_context_get_user(const sepol_context_t * con);
+
+extern int sepol_context_set_user(sepol_handle_t * handle,
+ sepol_context_t * con, const char *user);
+
+/* Role */
+extern const char *sepol_context_get_role(const sepol_context_t * con);
+
+extern int sepol_context_set_role(sepol_handle_t * handle,
+ sepol_context_t * con, const char *role);
+
+/* Type */
+extern const char *sepol_context_get_type(const sepol_context_t * con);
+
+extern int sepol_context_set_type(sepol_handle_t * handle,
+ sepol_context_t * con, const char *type);
+
+/* MLS */
+extern const char *sepol_context_get_mls(const sepol_context_t * con);
+
+extern int sepol_context_set_mls(sepol_handle_t * handle,
+ sepol_context_t * con, const char *mls_range);
+
+/* Create/Clone/Destroy */
+extern int sepol_context_create(sepol_handle_t * handle,
+ sepol_context_t ** con_ptr);
+
+extern int sepol_context_clone(sepol_handle_t * handle,
+ const sepol_context_t * con,
+ sepol_context_t ** con_ptr);
+
+extern void sepol_context_free(sepol_context_t * con);
+
+/* Parse to/from string */
+extern int sepol_context_from_string(sepol_handle_t * handle,
+ const char *str, sepol_context_t ** con);
+
+extern int sepol_context_to_string(sepol_handle_t * handle,
+ const sepol_context_t * con, char **str_ptr);
+
+#endif
diff --git a/include/sepol/debug.h b/include/sepol/debug.h
new file mode 100644
index 0000000..3370845
--- /dev/null
+++ b/include/sepol/debug.h
@@ -0,0 +1,34 @@
+#ifndef _SEPOL_DEBUG_H_
+#define _SEPOL_DEBUG_H_
+
+#include <sepol/handle.h>
+
+/* Deprecated */
+extern void sepol_debug(int on);
+/* End deprecated */
+
+#define SEPOL_MSG_ERR 1
+#define SEPOL_MSG_WARN 2
+#define SEPOL_MSG_INFO 3
+
+extern int sepol_msg_get_level(sepol_handle_t * handle);
+
+extern const char *sepol_msg_get_channel(sepol_handle_t * handle);
+
+extern const char *sepol_msg_get_fname(sepol_handle_t * handle);
+
+/* Set the messaging callback.
+ * By the default, the callback will print
+ * the message on standard output, in a
+ * particular format. Passing NULL here
+ * indicates that messaging should be suppressed */
+extern void sepol_msg_set_callback(sepol_handle_t * handle,
+#ifdef __GNUC__
+ __attribute__ ((format(printf, 3, 4)))
+#endif
+ void (*msg_callback) (void *varg,
+ sepol_handle_t *
+ handle,
+ const char *fmt, ...),
+ void *msg_callback_arg);
+#endif
diff --git a/include/sepol/errcodes.h b/include/sepol/errcodes.h
new file mode 100644
index 0000000..c6f3a8b
--- /dev/null
+++ b/include/sepol/errcodes.h
@@ -0,0 +1,25 @@
+/* Author: Karl MacMillan <kmacmillan@mentalrootkit.com> */
+
+#ifndef __sepol_errno_h__
+#define __sepol_errno_h__
+
+#include <errno.h>
+
+#define SEPOL_OK 0
+
+/* These first error codes are defined for compatibility with
+ * previous version of libsepol. In the future, custome error
+ * codes that don't map to system error codes should be defined
+ * outside of the range of system error codes.
+ */
+#define SEPOL_ERR -1
+#define SEPOL_ENOTSUP -2 /* feature not supported in module language */
+#define SEPOL_EREQ -3 /* requirements not met */
+
+/* Error codes that map to system error codes */
+#define SEPOL_ENOMEM -ENOMEM
+#define SEPOL_ERANGE -ERANGE
+#define SEPOL_EEXIST -EEXIST
+#define SEPOL_ENOENT -ENOENT
+
+#endif
diff --git a/include/sepol/handle.h b/include/sepol/handle.h
new file mode 100644
index 0000000..19be326
--- /dev/null
+++ b/include/sepol/handle.h
@@ -0,0 +1,27 @@
+#ifndef _SEPOL_HANDLE_H_
+#define _SEPOL_HANDLE_H_
+
+struct sepol_handle;
+typedef struct sepol_handle sepol_handle_t;
+
+/* Create and return a sepol handle. */
+sepol_handle_t *sepol_handle_create(void);
+
+/* Get whether or not dontaudits will be disabled, same values as
+ * specified by set_disable_dontaudit. This value reflects the state
+ * your system will be set to upon commit, not necessarily its
+ * current state.*/
+int sepol_get_disable_dontaudit(sepol_handle_t * sh);
+
+/* Set whether or not to disable dontaudits, 0 is default and does
+ * not disable dontaudits, 1 disables them */
+void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit);
+
+/* Set whether module_expand() should consume the base policy passed in.
+ * This should reduce the amount of memory required to expand the policy. */
+void sepol_set_expand_consume_base(sepol_handle_t * sh, int consume_base);
+
+/* Destroy a sepol handle. */
+void sepol_handle_destroy(sepol_handle_t *);
+
+#endif
diff --git a/include/sepol/iface_record.h b/include/sepol/iface_record.h
new file mode 100644
index 0000000..a72678c
--- /dev/null
+++ b/include/sepol/iface_record.h
@@ -0,0 +1,59 @@
+#ifndef _SEPOL_IFACE_RECORD_H_
+#define _SEPOL_IFACE_RECORD_H_
+
+#include <sepol/handle.h>
+#include <sepol/context_record.h>
+
+struct sepol_iface;
+struct sepol_iface_key;
+typedef struct sepol_iface sepol_iface_t;
+typedef struct sepol_iface_key sepol_iface_key_t;
+
+/* Key */
+extern int sepol_iface_compare(const sepol_iface_t * iface,
+ const sepol_iface_key_t * key);
+
+extern int sepol_iface_compare2(const sepol_iface_t * iface,
+ const sepol_iface_t * iface2);
+
+extern void sepol_iface_key_unpack(const sepol_iface_key_t * key,
+ const char **name);
+
+extern int sepol_iface_key_create(sepol_handle_t * handle,
+ const char *name,
+ sepol_iface_key_t ** key_ptr);
+
+extern int sepol_iface_key_extract(sepol_handle_t * handle,
+ const sepol_iface_t * iface,
+ sepol_iface_key_t ** key_ptr);
+
+extern void sepol_iface_key_free(sepol_iface_key_t * key);
+
+/* Name */
+extern const char *sepol_iface_get_name(const sepol_iface_t * iface);
+
+extern int sepol_iface_set_name(sepol_handle_t * handle,
+ sepol_iface_t * iface, const char *name);
+
+/* Context */
+extern sepol_context_t *sepol_iface_get_ifcon(const sepol_iface_t * iface);
+
+extern int sepol_iface_set_ifcon(sepol_handle_t * handle,
+ sepol_iface_t * iface, sepol_context_t * con);
+
+extern sepol_context_t *sepol_iface_get_msgcon(const sepol_iface_t * iface);
+
+extern int sepol_iface_set_msgcon(sepol_handle_t * handle,
+ sepol_iface_t * iface, sepol_context_t * con);
+
+/* Create/Clone/Destroy */
+extern int sepol_iface_create(sepol_handle_t * handle,
+ sepol_iface_t ** iface_ptr);
+
+extern int sepol_iface_clone(sepol_handle_t * handle,
+ const sepol_iface_t * iface,
+ sepol_iface_t ** iface_ptr);
+
+extern void sepol_iface_free(sepol_iface_t * iface);
+
+#endif
diff --git a/include/sepol/interfaces.h b/include/sepol/interfaces.h
new file mode 100644
index 0000000..9849e13
--- /dev/null
+++ b/include/sepol/interfaces.h
@@ -0,0 +1,43 @@
+#ifndef __SEPOL_INTERFACES_H_
+#define __SEPOL_INTERFACES_H_
+
+#include <sepol/policydb.h>
+#include <sepol/iface_record.h>
+#include <sepol/handle.h>
+
+/* Return the number of interfaces */
+extern int sepol_iface_count(sepol_handle_t * handle,
+ const sepol_policydb_t * policydb,
+ unsigned int *response);
+
+/* Check if an interface exists */
+extern int sepol_iface_exists(sepol_handle_t * handle,
+ const sepol_policydb_t * policydb,
+ const sepol_iface_key_t * key, int *response);
+
+/* Query an interface - returns the interface,
+ * or NULL if not found */
+extern int sepol_iface_query(sepol_handle_t * handle,
+ const sepol_policydb_t * policydb,
+ const sepol_iface_key_t * key,
+ sepol_iface_t ** response);
+
+/* Modify an interface, or add it, if the key
+ * is not found */
+extern int sepol_iface_modify(sepol_handle_t * handle,
+ sepol_policydb_t * policydb,
+ const sepol_iface_key_t * key,
+ const sepol_iface_t * data);
+
+/* Iterate the interfaces
+ * The handler may return:
+ * -1 to signal an error condition,
+ * 1 to signal successful exit
+ * 0 to signal continue */
+
+extern int sepol_iface_iterate(sepol_handle_t * handle,
+ const sepol_policydb_t * policydb,
+ int (*fn) (const sepol_iface_t * iface,
+ void *fn_arg), void *arg);
+
+#endif
diff --git a/include/sepol/module.h b/include/sepol/module.h
new file mode 100644
index 0000000..35f5cb7
--- /dev/null
+++ b/include/sepol/module.h
@@ -0,0 +1,82 @@
+#ifndef _SEPOL_MODULE_H_
+#define _SEPOL_MODULE_H_
+
+#include <stddef.h>
+#include <stdio.h>
+#include <stdint.h>
+
+#include <sepol/handle.h>
+#include <sepol/policydb.h>
+
+struct sepol_module_package;
+typedef struct sepol_module_package sepol_module_package_t;
+
+/* Module package public interfaces. */
+
+extern int sepol_module_package_create(sepol_module_package_t ** p);
+
+extern void sepol_module_package_free(sepol_module_package_t * p);
+
+extern char *sepol_module_package_get_file_contexts(sepol_module_package_t * p);
+
+extern size_t sepol_module_package_get_file_contexts_len(sepol_module_package_t
+ * p);
+
+extern int sepol_module_package_set_file_contexts(sepol_module_package_t * p,
+ char *data, size_t len);
+
+extern char *sepol_module_package_get_seusers(sepol_module_package_t * p);
+
+extern size_t sepol_module_package_get_seusers_len(sepol_module_package_t * p);
+
+extern int sepol_module_package_set_seusers(sepol_module_package_t * p,
+ char *data, size_t len);
+
+extern char *sepol_module_package_get_user_extra(sepol_module_package_t * p);
+
+extern size_t sepol_module_package_get_user_extra_len(sepol_module_package_t *
+ p);
+
+extern int sepol_module_package_set_user_extra(sepol_module_package_t * p,
+ char *data, size_t len);
+
+extern char *sepol_module_package_get_netfilter_contexts(sepol_module_package_t
+ * p);
+
+extern size_t
+sepol_module_package_get_netfilter_contexts_len(sepol_module_package_t * p);
+
+extern int sepol_module_package_set_netfilter_contexts(sepol_module_package_t *
+ p, char *data,
+ size_t len);
+
+extern sepol_policydb_t *sepol_module_package_get_policy(sepol_module_package_t
+ * p);
+
+extern int sepol_link_packages(sepol_handle_t * handle,
+ sepol_module_package_t * base,
+ sepol_module_package_t ** modules,
+ int num_modules, int verbose);
+
+extern int sepol_module_package_read(sepol_module_package_t * mod,
+ struct sepol_policy_file *file,
+ int verbose);
+
+extern int sepol_module_package_info(struct sepol_policy_file *file,
+ int *type, char **name, char **version);
+
+extern int sepol_module_package_write(sepol_module_package_t * p,
+ struct sepol_policy_file *file);
+
+/* Module linking/expanding public interfaces. */
+
+extern int sepol_link_modules(sepol_handle_t * handle,
+ sepol_policydb_t * base,
+ sepol_policydb_t ** modules,
+ size_t len, int verbose);
+
+extern int sepol_expand_module(sepol_handle_t * handle,
+ sepol_policydb_t * base,
+ sepol_policydb_t * out, int verbose, int check);
+
+#endif
diff --git a/include/sepol/node_record.h b/include/sepol/node_record.h
new file mode 100644
index 0000000..9f61ac7
--- /dev/null
+++ b/include/sepol/node_record.h
@@ -0,0 +1,92 @@
+#ifndef _SEPOL_NODE_RECORD_H_
+#define _SEPOL_NODE_RECORD_H_
+
+#include <stddef.h>
+#include <sepol/context_record.h>
+#include <sepol/handle.h>
+
+struct sepol_node;
+struct sepol_node_key;
+typedef struct sepol_node sepol_node_t;
+typedef struct sepol_node_key sepol_node_key_t;
+
+#define SEPOL_PROTO_IP4 0
+#define SEPOL_PROTO_IP6 1
+
+/* Key */
+extern int sepol_node_compare(const sepol_node_t * node,
+ const sepol_node_key_t * key);
+
+extern int sepol_node_compare2(const sepol_node_t * node,
+ const sepol_node_t * node2);
+
+extern int sepol_node_key_create(sepol_handle_t * handle,
+ const char *addr,
+ const char *mask,
+ int proto, sepol_node_key_t ** key_ptr);
+
+extern void sepol_node_key_unpack(const sepol_node_key_t * key,
+ const char **addr,
+ const char **mask, int *proto);
+
+extern int sepol_node_key_extract(sepol_handle_t * handle,
+ const sepol_node_t * node,
+ sepol_node_key_t ** key_ptr);
+
+extern void sepol_node_key_free(sepol_node_key_t * key);
+
+/* Address */
+extern int sepol_node_get_addr(sepol_handle_t * handle,
+ const sepol_node_t * node, char **addr);
+
+extern int sepol_node_get_addr_bytes(sepol_handle_t * handle,
+ const sepol_node_t * node,
+ char **addr, size_t * addr_sz);
+
+extern int sepol_node_set_addr(sepol_handle_t * handle,
+ sepol_node_t * node,
+ int proto, const char *addr);
+
+extern int sepol_node_set_addr_bytes(sepol_handle_t * handle,
+ sepol_node_t * node,
+ const char *addr, size_t addr_sz);
+
+/* Netmask */
+extern int sepol_node_get_mask(sepol_handle_t * handle,
+ const sepol_node_t * node, char **mask);
+
+extern int sepol_node_get_mask_bytes(sepol_handle_t * handle,
+ const sepol_node_t * node,
+ char **mask, size_t * mask_sz);
+
+extern int sepol_node_set_mask(sepol_handle_t * handle,
+ sepol_node_t * node,
+ int proto, const char *mask);
+
+extern int sepol_node_set_mask_bytes(sepol_handle_t * handle,
+ sepol_node_t * node,
+ const char *mask, size_t mask_sz);
+
+/* Protocol */
+extern int sepol_node_get_proto(const sepol_node_t * node);
+
+extern void sepol_node_set_proto(sepol_node_t * node, int proto);
+
+extern const char *sepol_node_get_proto_str(int proto);
+
+/* Context */
+extern sepol_context_t *sepol_node_get_con(const sepol_node_t * node);
+
+extern int sepol_node_set_con(sepol_handle_t * handle,
+ sepol_node_t * node, sepol_context_t * con);
+
+/* Create/Clone/Destroy */
+extern int sepol_node_create(sepol_handle_t * handle, sepol_node_t ** node_ptr);
+
+extern int sepol_node_clone(sepol_handle_t * handle,
+ const sepol_node_t * node,
+ sepol_node_t ** node_ptr);
+
+extern void sepol_node_free(sepol_node_t * node);
+
+#endif
diff --git a/include/sepol/nodes.h b/include/sepol/nodes.h
new file mode 100644
index 0000000..1e0ac4f
--- /dev/null
+++ b/include/sepol/nodes.h
@@ -0,0 +1,40 @@
+#ifndef _SEPOL_NODES_H_
+#define _SEPOL_NODES_H_
+
+#include <sepol/handle.h>
+#include <sepol/policydb.h>
+#include <sepol/node_record.h>
+
+/* Return the number of nodes */
+extern int sepol_node_count(sepol_handle_t * handle,
+ const sepol_policydb_t * p, unsigned int *response);
+
+/* Check if a node exists */
+extern int sepol_node_exists(sepol_handle_t * handle,
+ const sepol_policydb_t * policydb,
+ const sepol_node_key_t * key, int *response);
+
+/* Query a node - returns the node, or NULL if not found */
+extern int sepol_node_query(sepol_handle_t * handle,
+ const sepol_policydb_t * policydb,
+ const sepol_node_key_t * key,
+ sepol_node_t ** response);
+
+/* Modify a node, or add it, if the key is not found */
+extern int sepol_node_modify(sepol_handle_t * handle,
+ sepol_policydb_t * policydb,
+ const sepol_node_key_t * key,
+ const sepol_node_t * data);
+
+/* Iterate the nodes
+ * The handler may return:
+ * -1 to signal an error condition,
+ * 1 to signal successful exit
+ * 0 to signal continue */
+
+extern int sepol_node_iterate(sepol_handle_t * handle,
+ const sepol_policydb_t * policydb,
+ int (*fn) (const sepol_node_t * node,
+ void *fn_arg), void *arg);
+
+#endif
diff --git a/include/sepol/policydb.h b/include/sepol/policydb.h
new file mode 100644
index 0000000..43e23b3
--- /dev/null
+++ b/include/sepol/policydb.h
@@ -0,0 +1,138 @@
+#ifndef _SEPOL_POLICYDB_H_
+#define _SEPOL_POLICYDB_H_
+
+#include <stddef.h>
+#include <stdio.h>
+
+#include <sepol/handle.h>
+
+struct sepol_policy_file;
+typedef struct sepol_policy_file sepol_policy_file_t;
+
+struct sepol_policydb;
+typedef struct sepol_policydb sepol_policydb_t;
+
+/* Policy file public interfaces. */
+
+/* Create and free memory associated with a policy file. */
+extern int sepol_policy_file_create(sepol_policy_file_t ** pf);
+extern void sepol_policy_file_free(sepol_policy_file_t * pf);
+
+/*
+ * Set the policy file to represent a binary policy memory image.
+ * Subsequent operations using the policy file will read and write
+ * the image located at the specified address with the specified length.
+ * If 'len' is 0, then merely compute the necessary length upon
+ * subsequent policydb write operations in order to determine the
+ * necessary buffer size to allocate.
+ */
+extern void sepol_policy_file_set_mem(sepol_policy_file_t * pf,
+ char *data, size_t len);
+
+/*
+ * Get the size of the buffer needed to store a policydb write
+ * previously done on this policy file.
+ */
+extern int sepol_policy_file_get_len(sepol_policy_file_t * pf, size_t * len);
+
+/*
+ * Set the policy file to represent a FILE.
+ * Subsequent operations using the policy file will read and write
+ * to the FILE.
+ */
+extern void sepol_policy_file_set_fp(sepol_policy_file_t * pf, FILE * fp);
+
+/*
+ * Associate a handle with a policy file, for use in
+ * error reporting from subsequent calls that take the
+ * policy file as an argument.
+ */
+extern void sepol_policy_file_set_handle(sepol_policy_file_t * pf,
+ sepol_handle_t * handle);
+
+/* Policydb public interfaces. */
+
+/* Create and free memory associated with a policydb. */
+extern int sepol_policydb_create(sepol_policydb_t ** p);
+extern void sepol_policydb_free(sepol_policydb_t * p);
+
+/* Legal types of policies that the policydb can represent. */
+#define SEPOL_POLICY_KERN 0
+#define SEPOL_POLICY_BASE 1
+#define SEPOL_POLICY_MOD 2
+
+/*
+ * Range of policy versions for the kernel policy type supported
+ * by this library.
+ */
+extern int sepol_policy_kern_vers_min(void);
+extern int sepol_policy_kern_vers_max(void);
+
+/*
+ * Set the policy type as specified, and automatically initialize the
+ * policy version accordingly to the maximum version supported for the
+ * policy type.
+ * Returns -1 if the policy type is not legal.
+ */
+extern int sepol_policydb_set_typevers(sepol_policydb_t * p, unsigned int type);
+
+/*
+ * Set the policy version to a different value.
+ * Returns -1 if the policy version is not in the supported range for
+ * the (previously set) policy type.
+ */
+extern int sepol_policydb_set_vers(sepol_policydb_t * p, unsigned int vers);
+
+/* Set how to handle unknown class/perms. */
+#define SEPOL_DENY_UNKNOWN 0
+#define SEPOL_REJECT_UNKNOWN 2
+#define SEPOL_ALLOW_UNKNOWN 4
+extern int sepol_policydb_set_handle_unknown(sepol_policydb_t * p,
+ unsigned int handle_unknown);
+
+/*
+ * Read a policydb from a policy file.
+ * This automatically sets the type and version based on the
+ * image contents.
+ */
+extern int sepol_policydb_read(sepol_policydb_t * p, sepol_policy_file_t * pf);
+
+/*
+ * Write a policydb to a policy file.
+ * The generated image will be in the binary format corresponding
+ * to the policy version associated with the policydb.
+ */
+extern int sepol_policydb_write(sepol_policydb_t * p, sepol_policy_file_t * pf);
+
+/*
+ * Extract a policydb from a binary policy memory image.
+ * This is equivalent to sepol_policydb_read with a policy file
+ * set to refer to memory.
+ */
+extern int sepol_policydb_from_image(sepol_handle_t * handle,
+ void *data, size_t len,
+ sepol_policydb_t * p);
+
+/*
+ * Generate a binary policy memory image from a policydb.
+ * This is equivalent to sepol_policydb_write with a policy file
+ * set to refer to memory, but internally handles computing the
+ * necessary length and allocating an appropriately sized memory
+ * buffer for the caller.
+ */
+extern int sepol_policydb_to_image(sepol_handle_t * handle,
+ sepol_policydb_t * p,
+ void **newdata, size_t * newlen);
+
+/*
+ * Check whether the policydb has MLS enabled.
+ */
+extern int sepol_policydb_mls_enabled(const sepol_policydb_t * p);
+
+/*
+ * Check whether the compatibility mode for SELinux network
+ * checks should be enabled when using this policy.
+ */
+extern int sepol_policydb_compat_net(const sepol_policydb_t * p);
+
+#endif
diff --git a/include/sepol/policydb/avrule_block.h b/include/sepol/policydb/avrule_block.h
new file mode 100644
index 0000000..dc926e5
--- /dev/null
+++ b/include/sepol/policydb/avrule_block.h
@@ -0,0 +1,37 @@
+/* Authors: Jason Tang <jtang@tresys.com>
+ *
+ * Copyright (C) 2005 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef _SEPOL_AVRULE_BLOCK_H_
+#define _SEPOL_AVRULE_BLOCK_H_
+
+#include <sepol/policydb/policydb.h>
+
+extern avrule_block_t *avrule_block_create(void);
+extern void avrule_block_destroy(avrule_block_t * x);
+extern avrule_decl_t *avrule_decl_create(uint32_t decl_id);
+extern void avrule_decl_destroy(avrule_decl_t * x);
+extern void avrule_block_list_destroy(avrule_block_t * x);
+extern avrule_decl_t *get_avrule_decl(policydb_t * p, uint32_t decl_id);
+extern cond_list_t *get_decl_cond_list(policydb_t * p,
+ avrule_decl_t * decl,
+ cond_list_t * cond);
+extern int is_id_enabled(char *id, policydb_t * p, int symbol_table);
+extern int is_perm_enabled(char *class_id, char *perm_id, policydb_t * p);
+
+#endif
diff --git a/include/sepol/policydb/avtab.h b/include/sepol/policydb/avtab.h
new file mode 100644
index 0000000..6955ecf
--- /dev/null
+++ b/include/sepol/policydb/avtab.h
@@ -0,0 +1,127 @@
+
+/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */
+
+/*
+ * Updated: Yuichi Nakamura <ynakam@hitachisoft.jp>
+ * Tuned number of hash slots for avtab to reduce memory usage
+ */
+
+/* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
+ *
+ * Added conditional policy language extensions
+ *
+ * Copyright (C) 2003 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+/* FLASK */
+
+/*
+ * An access vector table (avtab) is a hash table
+ * of access vectors and transition types indexed
+ * by a type pair and a class. An access vector
+ * table is used to represent the type enforcement
+ * tables.
+ */
+
+#ifndef _SEPOL_POLICYDB_AVTAB_H_
+#define _SEPOL_POLICYDB_AVTAB_H_
+
+#include <sys/types.h>
+#include <stdint.h>
+
+typedef struct avtab_key {
+ uint16_t source_type;
+ uint16_t target_type;
+ uint16_t target_class;
+#define AVTAB_ALLOWED 1
+#define AVTAB_AUDITALLOW 2
+#define AVTAB_AUDITDENY 4
+#define AVTAB_NEVERALLOW 128
+#define AVTAB_AV (AVTAB_ALLOWED | AVTAB_AUDITALLOW | AVTAB_AUDITDENY)
+#define AVTAB_TRANSITION 16
+#define AVTAB_MEMBER 32
+#define AVTAB_CHANGE 64
+#define AVTAB_TYPE (AVTAB_TRANSITION | AVTAB_MEMBER | AVTAB_CHANGE)
+#define AVTAB_ENABLED_OLD 0x80000000
+#define AVTAB_ENABLED 0x8000 /* reserved for used in cond_avtab */
+ uint16_t specified; /* what fields are specified */
+} avtab_key_t;
+
+typedef struct avtab_datum {
+ uint32_t data; /* access vector or type */
+} avtab_datum_t;
+
+typedef struct avtab_node *avtab_ptr_t;
+
+struct avtab_node {
+ avtab_key_t key;
+ avtab_datum_t datum;
+ avtab_ptr_t next;
+ void *parse_context; /* generic context pointer used by parser;
+ * not saved in binary policy */
+ unsigned merged; /* flag for avtab_write only;
+ not saved in binary policy */
+};
+
+typedef struct avtab {
+ avtab_ptr_t *htable;
+ uint32_t nel; /* number of elements */
+ uint32_t nslot; /* number of hash slots */
+ uint16_t mask; /* mask to compute hash func */
+} avtab_t;
+
+extern int avtab_init(avtab_t *);
+extern int avtab_alloc(avtab_t *, uint32_t);
+extern int avtab_insert(avtab_t * h, avtab_key_t * k, avtab_datum_t * d);
+
+extern avtab_datum_t *avtab_search(avtab_t * h, avtab_key_t * k);
+
+extern void avtab_destroy(avtab_t * h);
+
+extern int avtab_map(avtab_t * h,
+ int (*apply) (avtab_key_t * k,
+ avtab_datum_t * d, void *args), void *args);
+
+extern void avtab_hash_eval(avtab_t * h, char *tag);
+
+struct policy_file;
+extern int avtab_read_item(struct policy_file *fp, uint32_t vers, avtab_t * a,
+ int (*insert) (avtab_t * a, avtab_key_t * k,
+ avtab_datum_t * d, void *p), void *p);
+
+extern int avtab_read(avtab_t * a, struct policy_file *fp, uint32_t vers);
+
+extern avtab_ptr_t avtab_insert_nonunique(avtab_t * h, avtab_key_t * key,
+ avtab_datum_t * datum);
+
+extern avtab_ptr_t avtab_insert_with_parse_context(avtab_t * h,
+ avtab_key_t * key,
+ avtab_datum_t * datum,
+ void *parse_context);
+
+extern avtab_ptr_t avtab_search_node(avtab_t * h, avtab_key_t * key);
+
+extern avtab_ptr_t avtab_search_node_next(avtab_ptr_t node, int specified);
+
+#define MAX_AVTAB_HASH_BITS 13
+#define MAX_AVTAB_HASH_BUCKETS (1 << MAX_AVTAB_HASH_BITS)
+#define MAX_AVTAB_HASH_MASK (MAX_AVTAB_HASH_BUCKETS-1)
+#define MAX_AVTAB_SIZE MAX_AVTAB_HASH_BUCKETS
+
+#endif /* _AVTAB_H_ */
+
+/* FLASK */
diff --git a/include/sepol/policydb/conditional.h b/include/sepol/policydb/conditional.h
new file mode 100644
index 0000000..a8ed694
--- /dev/null
+++ b/include/sepol/policydb/conditional.h
@@ -0,0 +1,134 @@
+/* Authors: Karl MacMillan <kmacmillan@tresys.com>
+ * Frank Mayer <mayerf@tresys.com>
+ *
+ * Copyright (C) 2003 - 2005 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef _SEPOL_POLICYDB_CONDITIONAL_H_
+#define _SEPOL_POLICYDB_CONDITIONAL_H_
+
+#include <sepol/policydb/flask_types.h>
+#include <sepol/policydb/avtab.h>
+#include <sepol/policydb/symtab.h>
+#include <sepol/policydb/policydb.h>
+
+#define COND_EXPR_MAXDEPTH 10
+
+/* this is the max unique bools in a conditional expression
+ * for which we precompute all outcomes for the expression.
+ *
+ * NOTE - do _NOT_ use value greater than 5 because
+ * cond_node_t->expr_pre_comp can only hold at most 32 values
+ */
+#define COND_MAX_BOOLS 5
+
+/*
+ * A conditional expression is a list of operators and operands
+ * in reverse polish notation.
+ */
+typedef struct cond_expr {
+#define COND_BOOL 1 /* plain bool */
+#define COND_NOT 2 /* !bool */
+#define COND_OR 3 /* bool || bool */
+#define COND_AND 4 /* bool && bool */
+#define COND_XOR 5 /* bool ^ bool */
+#define COND_EQ 6 /* bool == bool */
+#define COND_NEQ 7 /* bool != bool */
+#define COND_LAST COND_NEQ
+ uint32_t expr_type;
+ uint32_t bool;
+ struct cond_expr *next;
+} cond_expr_t;
+
+/*
+ * Each cond_node_t contains a list of rules to be enabled/disabled
+ * depending on the current value of the conditional expression. This
+ * struct is for that list.
+ */
+typedef struct cond_av_list {
+ avtab_ptr_t node;
+ struct cond_av_list *next;
+} cond_av_list_t;
+
+/*
+ * A cond node represents a conditional block in a policy. It
+ * contains a conditional expression, the current state of the expression,
+ * two lists of rules to enable/disable depending on the value of the
+ * expression (the true list corresponds to if and the false list corresponds
+ * to else)..
+ */
+typedef struct cond_node {
+ int cur_state;
+ cond_expr_t *expr;
+ /* these true/false lists point into te_avtab when that is used */
+ cond_av_list_t *true_list;
+ cond_av_list_t *false_list;
+ /* and these are using during parsing and for modules */
+ avrule_t *avtrue_list;
+ avrule_t *avfalse_list;
+ /* these fields are not written to binary policy */
+ unsigned int nbools;
+ uint32_t bool_ids[COND_MAX_BOOLS];
+ uint32_t expr_pre_comp;
+ /* */
+ struct cond_node *next;
+} cond_node_t;
+
+extern int cond_evaluate_expr(policydb_t * p, cond_expr_t * expr);
+extern cond_expr_t *cond_copy_expr(cond_expr_t * expr);
+
+extern int cond_expr_equal(cond_node_t * a, cond_node_t * b);
+extern int cond_normalize_expr(policydb_t * p, cond_node_t * cn);
+extern void cond_node_destroy(cond_node_t * node);
+extern void cond_expr_destroy(cond_expr_t * expr);
+
+extern cond_node_t *cond_node_find(policydb_t * p,
+ cond_node_t * needle, cond_node_t * haystack,
+ int *was_created);
+
+extern cond_node_t *cond_node_create(policydb_t * p, cond_node_t * node);
+
+extern cond_node_t *cond_node_search(policydb_t * p, cond_node_t * list,
+ cond_node_t * cn);
+
+extern int evaluate_conds(policydb_t * p);
+
+extern avtab_datum_t *cond_av_list_search(avtab_key_t * key,
+ cond_av_list_t * cond_list);
+
+extern void cond_av_list_destroy(cond_av_list_t * list);
+
+extern void cond_optimize_lists(cond_list_t * cl);
+
+extern int cond_policydb_init(policydb_t * p);
+extern void cond_policydb_destroy(policydb_t * p);
+extern void cond_list_destroy(cond_list_t * list);
+
+extern int cond_init_bool_indexes(policydb_t * p);
+extern int cond_destroy_bool(hashtab_key_t key, hashtab_datum_t datum, void *p);
+
+extern int cond_index_bool(hashtab_key_t key, hashtab_datum_t datum,
+ void *datap);
+
+extern int cond_read_bool(policydb_t * p, hashtab_t h, struct policy_file *fp);
+
+extern int cond_read_list(policydb_t * p, cond_list_t ** list, void *fp);
+
+extern void cond_compute_av(avtab_t * ctab, avtab_key_t * key,
+ struct sepol_av_decision *avd);
+
+#endif /* _CONDITIONAL_H_ */
diff --git a/include/sepol/policydb/constraint.h b/include/sepol/policydb/constraint.h
new file mode 100644
index 0000000..4c16ab0
--- /dev/null
+++ b/include/sepol/policydb/constraint.h
@@ -0,0 +1,77 @@
+
+/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */
+
+/* FLASK */
+
+/*
+ * A constraint is a condition that must be satisfied in
+ * order for one or more permissions to be granted.
+ * Constraints are used to impose additional restrictions
+ * beyond the type-based rules in `te' or the role-based
+ * transition rules in `rbac'. Constraints are typically
+ * used to prevent a process from transitioning to a new user
+ * identity or role unless it is in a privileged type.
+ * Constraints are likewise typically used to prevent a
+ * process from labeling an object with a different user
+ * identity.
+ */
+
+#ifndef _SEPOL_POLICYDB_CONSTRAINT_H_
+#define _SEPOL_POLICYDB_CONSTRAINT_H_
+
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/ebitmap.h>
+#include <sepol/policydb/flask_types.h>
+
+#define CEXPR_MAXDEPTH 5
+
+struct type_set;
+
+typedef struct constraint_expr {
+#define CEXPR_NOT 1 /* not expr */
+#define CEXPR_AND 2 /* expr and expr */
+#define CEXPR_OR 3 /* expr or expr */
+#define CEXPR_ATTR 4 /* attr op attr */
+#define CEXPR_NAMES 5 /* attr op names */
+ uint32_t expr_type; /* expression type */
+
+#define CEXPR_USER 1 /* user */
+#define CEXPR_ROLE 2 /* role */
+#define CEXPR_TYPE 4 /* type */
+#define CEXPR_TARGET 8 /* target if set, source otherwise */
+#define CEXPR_XTARGET 16 /* special 3rd target for validatetrans rule */
+#define CEXPR_L1L2 32 /* low level 1 vs. low level 2 */
+#define CEXPR_L1H2 64 /* low level 1 vs. high level 2 */
+#define CEXPR_H1L2 128 /* high level 1 vs. low level 2 */
+#define CEXPR_H1H2 256 /* high level 1 vs. high level 2 */
+#define CEXPR_L1H1 512 /* low level 1 vs. high level 1 */
+#define CEXPR_L2H2 1024 /* low level 2 vs. high level 2 */
+ uint32_t attr; /* attribute */
+
+#define CEXPR_EQ 1 /* == or eq */
+#define CEXPR_NEQ 2 /* != */
+#define CEXPR_DOM 3 /* dom */
+#define CEXPR_DOMBY 4 /* domby */
+#define CEXPR_INCOMP 5 /* incomp */
+ uint32_t op; /* operator */
+
+ ebitmap_t names; /* names */
+ struct type_set *type_names;
+
+ struct constraint_expr *next; /* next expression */
+} constraint_expr_t;
+
+typedef struct constraint_node {
+ sepol_access_vector_t permissions; /* constrained permissions */
+ constraint_expr_t *expr; /* constraint on permissions */
+ struct constraint_node *next; /* next constraint */
+} constraint_node_t;
+
+struct policydb;
+
+extern int constraint_expr_init(constraint_expr_t * expr);
+extern void constraint_expr_destroy(constraint_expr_t * expr);
+
+#endif /* _CONSTRAINT_H_ */
+
+/* FLASK */
diff --git a/include/sepol/policydb/context.h b/include/sepol/policydb/context.h
new file mode 100644
index 0000000..8d74a25
--- /dev/null
+++ b/include/sepol/policydb/context.h
@@ -0,0 +1,97 @@
+
+/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */
+
+/* FLASK */
+
+/*
+ * A security context is a set of security attributes
+ * associated with each subject and object controlled
+ * by the security policy. Security contexts are
+ * externally represented as variable-length strings
+ * that can be interpreted by a user or application
+ * with an understanding of the security policy.
+ * Internally, the security server uses a simple
+ * structure. This structure is private to the
+ * security server and can be changed without affecting
+ * clients of the security server.
+ */
+
+#ifndef _SEPOL_POLICYDB_CONTEXT_H_
+#define _SEPOL_POLICYDB_CONTEXT_H_
+
+#include <stddef.h>
+#include <sepol/policydb/ebitmap.h>
+#include <sepol/policydb/mls_types.h>
+
+/*
+ * A security context consists of an authenticated user
+ * identity, a role, a type and a MLS range.
+ */
+typedef struct context_struct {
+ uint32_t user;
+ uint32_t role;
+ uint32_t type;
+ mls_range_t range;
+} context_struct_t;
+
+static inline void mls_context_init(context_struct_t * c)
+{
+ mls_range_init(&c->range);
+}
+
+static inline int mls_context_cpy(context_struct_t * dst,
+ context_struct_t * src)
+{
+
+ if (mls_range_cpy(&dst->range, &src->range) < 0)
+ return -1;
+
+ return 0;
+}
+
+static inline int mls_context_cmp(context_struct_t * c1, context_struct_t * c2)
+{
+ return (mls_level_eq(&c1->range.level[0], &c2->range.level[0]) &&
+ mls_level_eq(&c1->range.level[1], &c2->range.level[1]));
+
+}
+
+static inline void mls_context_destroy(context_struct_t * c)
+{
+ if (c == NULL)
+ return;
+
+ mls_range_destroy(&c->range);
+ mls_context_init(c);
+}
+
+static inline void context_init(context_struct_t * c)
+{
+ memset(c, 0, sizeof(*c));
+}
+
+static inline int context_cpy(context_struct_t * dst, context_struct_t * src)
+{
+ dst->user = src->user;
+ dst->role = src->role;
+ dst->type = src->type;
+ return mls_context_cpy(dst, src);
+}
+
+static inline void context_destroy(context_struct_t * c)
+{
+ if (c == NULL)
+ return;
+
+ c->user = c->role = c->type = 0;
+ mls_context_destroy(c);
+}
+
+static inline int context_cmp(context_struct_t * c1, context_struct_t * c2)
+{
+ return ((c1->user == c2->user) &&
+ (c1->role == c2->role) &&
+ (c1->type == c2->type) && mls_context_cmp(c1, c2));
+}
+
+#endif
diff --git a/include/sepol/policydb/ebitmap.h b/include/sepol/policydb/ebitmap.h
new file mode 100644
index 0000000..410c15c
--- /dev/null
+++ b/include/sepol/policydb/ebitmap.h
@@ -0,0 +1,88 @@
+
+/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */
+
+/* FLASK */
+
+/*
+ * An extensible bitmap is a bitmap that supports an
+ * arbitrary number of bits. Extensible bitmaps are
+ * used to represent sets of values, such as types,
+ * roles, categories, and classes.
+ *
+ * Each extensible bitmap is implemented as a linked
+ * list of bitmap nodes, where each bitmap node has
+ * an explicitly specified starting bit position within
+ * the total bitmap.
+ */
+
+#ifndef _SEPOL_POLICYDB_EBITMAP_H_
+#define _SEPOL_POLICYDB_EBITMAP_H_
+
+#include <stdint.h>
+#include <string.h>
+
+#define MAPTYPE uint64_t /* portion of bitmap in each node */
+#define MAPSIZE (sizeof(MAPTYPE) * 8) /* number of bits in node bitmap */
+#define MAPBIT 1ULL /* a bit in the node bitmap */
+
+typedef struct ebitmap_node {
+ uint32_t startbit; /* starting position in the total bitmap */
+ MAPTYPE map; /* this node's portion of the bitmap */
+ struct ebitmap_node *next;
+} ebitmap_node_t;
+
+typedef struct ebitmap {
+ ebitmap_node_t *node; /* first node in the bitmap */
+ uint32_t highbit; /* highest position in the total bitmap */
+} ebitmap_t;
+
+#define ebitmap_length(e) ((e)->highbit)
+#define ebitmap_startbit(e) ((e)->node ? (e)->node->startbit : 0)
+#define ebitmap_startnode(e) ((e)->node)
+
+static inline unsigned int ebitmap_start(const ebitmap_t * e,
+ ebitmap_node_t ** n)
+{
+
+ *n = e->node;
+ return ebitmap_startbit(e);
+}
+
+static inline void ebitmap_init(ebitmap_t * e)
+{
+ memset(e, 0, sizeof(*e));
+}
+
+static inline unsigned int ebitmap_next(ebitmap_node_t ** n, unsigned int bit)
+{
+ if ((bit == ((*n)->startbit + MAPSIZE - 1)) && (*n)->next) {
+ *n = (*n)->next;
+ return (*n)->startbit;
+ }
+
+ return (bit + 1);
+}
+
+static inline int ebitmap_node_get_bit(ebitmap_node_t * n, unsigned int bit)
+{
+ if (n->map & (MAPBIT << (bit - n->startbit)))
+ return 1;
+ return 0;
+}
+
+#define ebitmap_for_each_bit(e, n, bit) \
+ for (bit = ebitmap_start(e, &n); bit < ebitmap_length(e); bit = ebitmap_next(&n, bit)) \
+
+extern int ebitmap_cmp(const ebitmap_t * e1, const ebitmap_t * e2);
+extern int ebitmap_or(ebitmap_t * dst, const ebitmap_t * e1, const ebitmap_t * e2);
+extern int ebitmap_union(ebitmap_t * dst, const ebitmap_t * e1);
+extern int ebitmap_cpy(ebitmap_t * dst, const ebitmap_t * src);
+extern int ebitmap_contains(const ebitmap_t * e1, const ebitmap_t * e2);
+extern int ebitmap_get_bit(const ebitmap_t * e, unsigned int bit);
+extern int ebitmap_set_bit(ebitmap_t * e, unsigned int bit, int value);
+extern void ebitmap_destroy(ebitmap_t * e);
+extern int ebitmap_read(ebitmap_t * e, void *fp);
+
+#endif /* _EBITMAP_H_ */
+
+/* FLASK */
diff --git a/include/sepol/policydb/expand.h b/include/sepol/policydb/expand.h
new file mode 100644
index 0000000..31e25ec
--- /dev/null
+++ b/include/sepol/policydb/expand.h
@@ -0,0 +1,79 @@
+/* Authors: Jason Tang <jtang@tresys.com>
+ * Joshua Brindle <jbrindle@tresys.com>
+ * Karl MacMillan <kmacmillan@tresys.com>
+ *
+ * A set of utility functions that aid policy decision when dealing
+ * with hierarchal items.
+ *
+ * Copyright (C) 2005 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef _SEPOL_POLICYDB_EXPAND_H
+#define _SEPOL_POLICYDB_EXPAND_H
+
+#include <stddef.h>
+#include <sepol/handle.h>
+#include <sepol/policydb/conditional.h>
+
+/*
+ * Expand only the avrules for a module. It is valid for this function
+ * to expand base into itself (i.e. base == out); the typemap for
+ * this special case should map type[i] to i+1. Likewise the boolmap
+ * should map bool[i] to i + 1. This function optionally expands
+ * neverallow rules. If neverallow rules are expanded, there is no
+ * need to copy them and doing so could cause duplicate entries when
+ * base == out. If the neverallow rules are not expanded, they are
+ * just copied to the destination policy so that assertion checking
+ * can be performed after expand. No assertion or hierarchy checking
+ * is performed by this function.
+ */
+extern int expand_module_avrules(sepol_handle_t * handle, policydb_t * base,
+ policydb_t * out, uint32_t * typemap, uint32_t * boolmap,
+ uint32_t * rolemap, uint32_t * usermap,
+ int verbose, int expand_neverallow);
+/*
+ * Expand all parts of a module. Neverallow rules are not expanded (only
+ * copied). It is not valid to expand base into itself. If check is non-zero,
+ * performs hierarchy and assertion checking.
+ */
+extern int expand_module(sepol_handle_t * handle,
+ policydb_t * base, policydb_t * out,
+ int verbose, int check);
+extern int convert_type_ebitmap(ebitmap_t * src, ebitmap_t * dst,
+ uint32_t * typemap);
+extern int expand_convert_type_set(policydb_t * p, uint32_t * typemap,
+ type_set_t * set, ebitmap_t * types,
+ unsigned char alwaysexpand);
+extern int type_set_expand(type_set_t * set, ebitmap_t * t, policydb_t * p,
+ unsigned char alwaysexpand);
+extern int role_set_expand(role_set_t * x, ebitmap_t * r, policydb_t * out, policydb_t * base, uint32_t * rolemap);
+extern int mls_semantic_level_expand(mls_semantic_level_t *sl, mls_level_t *l,
+ policydb_t *p, sepol_handle_t *h);
+extern int mls_semantic_range_expand(mls_semantic_range_t *sr, mls_range_t *r,
+ policydb_t *p, sepol_handle_t *h);
+extern int expand_rule(sepol_handle_t * handle,
+ policydb_t * source_pol,
+ avrule_t * source_rule, avtab_t * dest_avtab,
+ cond_av_list_t ** cond, cond_av_list_t ** other,
+ int enabled);
+
+extern int expand_avtab(policydb_t * p, avtab_t * a, avtab_t * expa);
+
+extern int expand_cond_av_list(policydb_t * p, cond_av_list_t * l,
+ cond_av_list_t ** newl, avtab_t * expa);
+
+#endif
diff --git a/include/sepol/policydb/flask.h b/include/sepol/policydb/flask.h
new file mode 100644
index 0000000..3134284
--- /dev/null
+++ b/include/sepol/policydb/flask.h
@@ -0,0 +1,94 @@
+/* This file is automatically generated. Do not edit. */
+#ifndef _SEPOL_POLICYDB_FLASK_H_
+#define _SEPOL_POLICYDB_FLASK_H_
+
+/*
+ * Security object class definitions
+ */
+#define SECCLASS_SECURITY 1
+#define SECCLASS_PROCESS 2
+#define SECCLASS_SYSTEM 3
+#define SECCLASS_CAPABILITY 4
+#define SECCLASS_FILESYSTEM 5
+#define SECCLASS_FILE 6
+#define SECCLASS_DIR 7
+#define SECCLASS_FD 8
+#define SECCLASS_LNK_FILE 9
+#define SECCLASS_CHR_FILE 10
+#define SECCLASS_BLK_FILE 11
+#define SECCLASS_SOCK_FILE 12
+#define SECCLASS_FIFO_FILE 13
+#define SECCLASS_SOCKET 14
+#define SECCLASS_TCP_SOCKET 15
+#define SECCLASS_UDP_SOCKET 16
+#define SECCLASS_RAWIP_SOCKET 17
+#define SECCLASS_NODE 18
+#define SECCLASS_NETIF 19
+#define SECCLASS_NETLINK_SOCKET 20
+#define SECCLASS_PACKET_SOCKET 21
+#define SECCLASS_KEY_SOCKET 22
+#define SECCLASS_UNIX_STREAM_SOCKET 23
+#define SECCLASS_UNIX_DGRAM_SOCKET 24
+#define SECCLASS_SEM 25
+#define SECCLASS_MSG 26
+#define SECCLASS_MSGQ 27
+#define SECCLASS_SHM 28
+#define SECCLASS_IPC 29
+#define SECCLASS_PASSWD 30
+#define SECCLASS_DRAWABLE 31
+#define SECCLASS_WINDOW 32
+#define SECCLASS_GC 33
+#define SECCLASS_FONT 34
+#define SECCLASS_COLORMAP 35
+#define SECCLASS_PROPERTY 36
+#define SECCLASS_CURSOR 37
+#define SECCLASS_XCLIENT 38
+#define SECCLASS_XINPUT 39
+#define SECCLASS_XSERVER 40
+#define SECCLASS_XEXTENSION 41
+#define SECCLASS_PAX 42
+#define SECCLASS_NETLINK_ROUTE_SOCKET 43
+#define SECCLASS_NETLINK_FIREWALL_SOCKET 44
+#define SECCLASS_NETLINK_TCPDIAG_SOCKET 45
+#define SECCLASS_NETLINK_NFLOG_SOCKET 46
+#define SECCLASS_NETLINK_XFRM_SOCKET 47
+#define SECCLASS_NETLINK_SELINUX_SOCKET 48
+#define SECCLASS_NETLINK_AUDIT_SOCKET 49
+#define SECCLASS_NETLINK_IP6FW_SOCKET 50
+#define SECCLASS_NETLINK_DNRT_SOCKET 51
+#define SECCLASS_DBUS 52
+
+/*
+ * Security identifier indices for initial entities
+ */
+#define SECINITSID_KERNEL 1
+#define SECINITSID_SECURITY 2
+#define SECINITSID_UNLABELED 3
+#define SECINITSID_FS 4
+#define SECINITSID_FILE 5
+#define SECINITSID_FILE_LABELS 6
+#define SECINITSID_INIT 7
+#define SECINITSID_ANY_SOCKET 8
+#define SECINITSID_PORT 9
+#define SECINITSID_NETIF 10
+#define SECINITSID_NETMSG 11
+#define SECINITSID_NODE 12
+#define SECINITSID_IGMP_PACKET 13
+#define SECINITSID_ICMP_SOCKET 14
+#define SECINITSID_TCP_SOCKET 15
+#define SECINITSID_SYSCTL_MODPROBE 16
+#define SECINITSID_SYSCTL 17
+#define SECINITSID_SYSCTL_FS 18
+#define SECINITSID_SYSCTL_KERNEL 19
+#define SECINITSID_SYSCTL_NET 20
+#define SECINITSID_SYSCTL_NET_UNIX 21
+#define SECINITSID_SYSCTL_VM 22
+#define SECINITSID_SYSCTL_DEV 23
+#define SECINITSID_KMOD 24
+#define SECINITSID_POLICY 25
+#define SECINITSID_SCMP_PACKET 26
+#define SECINITSID_DEVNULL 27
+
+#define SECINITSID_NUM 27
+
+#endif
diff --git a/include/sepol/policydb/flask_types.h b/include/sepol/policydb/flask_types.h
new file mode 100644
index 0000000..575c6f2
--- /dev/null
+++ b/include/sepol/policydb/flask_types.h
@@ -0,0 +1,62 @@
+
+/* -*- linux-c -*- */
+
+/*
+ * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
+ */
+
+#ifndef _SEPOL_POLICYDB_FLASK_TYPES_H_
+#define _SEPOL_POLICYDB_FLASK_TYPES_H_
+
+/*
+ * The basic Flask types and constants.
+ */
+
+#include <sys/types.h>
+#include <stdint.h>
+
+/*
+ * A security context is a set of security attributes
+ * associated with each subject and object controlled
+ * by the security policy. The security context type
+ * is defined as a variable-length string that can be
+ * interpreted by any application or user with an
+ * understanding of the security policy.
+ */
+typedef char *sepol_security_context_t;
+
+/*
+ * An access vector (AV) is a collection of related permissions
+ * for a pair of SIDs. The bits within an access vector
+ * are interpreted differently depending on the class of
+ * the object. The access vector interpretations are specified
+ * in flask/access_vectors, and the corresponding constants
+ * for permissions are defined in the automatically generated
+ * header file av_permissions.h.
+ */
+typedef uint32_t sepol_access_vector_t;
+
+/*
+ * Each object class is identified by a fixed-size value.
+ * The set of security classes is specified in flask/security_classes,
+ * with the corresponding constants defined in the automatically
+ * generated header file flask.h.
+ */
+typedef uint16_t sepol_security_class_t;
+#define SEPOL_SECCLASS_NULL 0x0000 /* no class */
+
+#define SELINUX_MAGIC 0xf97cff8c
+#define SELINUX_MOD_MAGIC 0xf97cff8d
+
+typedef uint32_t sepol_security_id_t;
+#define SEPOL_SECSID_NULL 0
+
+struct sepol_av_decision {
+ sepol_access_vector_t allowed;
+ sepol_access_vector_t decided;
+ sepol_access_vector_t auditallow;
+ sepol_access_vector_t auditdeny;
+ uint32_t seqno;
+};
+
+#endif
diff --git a/include/sepol/policydb/hashtab.h b/include/sepol/policydb/hashtab.h
new file mode 100644
index 0000000..1081ff6
--- /dev/null
+++ b/include/sepol/policydb/hashtab.h
@@ -0,0 +1,137 @@
+
+/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */
+
+/* FLASK */
+
+/*
+ * A hash table (hashtab) maintains associations between
+ * key values and datum values. The type of the key values
+ * and the type of the datum values is arbitrary. The
+ * functions for hash computation and key comparison are
+ * provided by the creator of the table.
+ */
+
+#ifndef _SEPOL_POLICYDB_HASHTAB_H_
+#define _SEPOL_POLICYDB_HASHTAB_H_
+
+#include <sepol/errcodes.h>
+
+#include <stdint.h>
+#include <stdio.h>
+
+typedef char *hashtab_key_t; /* generic key type */
+typedef void *hashtab_datum_t; /* generic datum type */
+
+typedef struct hashtab_node *hashtab_ptr_t;
+
+typedef struct hashtab_node {
+ hashtab_key_t key;
+ hashtab_datum_t datum;
+ hashtab_ptr_t next;
+} hashtab_node_t;
+
+typedef struct hashtab_val {
+ hashtab_ptr_t *htable; /* hash table */
+ unsigned int size; /* number of slots in hash table */
+ uint32_t nel; /* number of elements in hash table */
+ unsigned int (*hash_value) (struct hashtab_val * h, hashtab_key_t key); /* hash function */
+ int (*keycmp) (struct hashtab_val * h, hashtab_key_t key1, hashtab_key_t key2); /* key comparison function */
+} hashtab_val_t;
+
+typedef hashtab_val_t *hashtab_t;
+
+/*
+ Creates a new hash table with the specified characteristics.
+
+ Returns NULL if insufficent space is available or
+ the new hash table otherwise.
+ */
+extern hashtab_t hashtab_create(unsigned int (*hash_value) (hashtab_t h,
+ const hashtab_key_t
+ key),
+ int (*keycmp) (hashtab_t h,
+ const hashtab_key_t key1,
+ const hashtab_key_t key2),
+ unsigned int size);
+/*
+ Inserts the specified (key, datum) pair into the specified hash table.
+
+ Returns SEPOL_ENOMEM if insufficient space is available or
+ SEPOL_EEXIST if there is already an entry with the same key or
+ SEPOL_OK otherwise.
+ */
+extern int hashtab_insert(hashtab_t h, hashtab_key_t k, hashtab_datum_t d);
+
+/*
+ Removes the entry with the specified key from the hash table.
+ Applies the specified destroy function to (key,datum,args) for
+ the entry.
+
+ Returns SEPOL_ENOENT if no entry has the specified key or
+ SEPOL_OK otherwise.
+ */
+extern int hashtab_remove(hashtab_t h, hashtab_key_t k,
+ void (*destroy) (hashtab_key_t k,
+ hashtab_datum_t d,
+ void *args), void *args);
+
+/*
+ Insert or replace the specified (key, datum) pair in the specified
+ hash table. If an entry for the specified key already exists,
+ then the specified destroy function is applied to (key,datum,args)
+ for the entry prior to replacing the entry's contents.
+
+ Returns SEPOL_ENOMEM if insufficient space is available or
+ SEPOL_OK otherwise.
+ */
+extern int hashtab_replace(hashtab_t h, hashtab_key_t k, hashtab_datum_t d,
+ void (*destroy) (hashtab_key_t k,
+ hashtab_datum_t d,
+ void *args), void *args);
+
+/*
+ Searches for the entry with the specified key in the hash table.
+
+ Returns NULL if no entry has the specified key or
+ the datum of the entry otherwise.
+ */
+extern hashtab_datum_t hashtab_search(hashtab_t h, const hashtab_key_t k);
+
+/*
+ Destroys the specified hash table.
+ */
+extern void hashtab_destroy(hashtab_t h);
+
+/*
+ Applies the specified apply function to (key,datum,args)
+ for each entry in the specified hash table.
+
+ The order in which the function is applied to the entries
+ is dependent upon the internal structure of the hash table.
+
+ If apply returns a non-zero status, then hashtab_map will cease
+ iterating through the hash table and will propagate the error
+ return to its caller.
+ */
+extern int hashtab_map(hashtab_t h,
+ int (*apply) (hashtab_key_t k,
+ hashtab_datum_t d,
+ void *args), void *args);
+
+/*
+ Same as hashtab_map, except that if apply returns a non-zero status,
+ then the (key,datum) pair will be removed from the hashtab and the
+ destroy function will be applied to (key,datum,args).
+ */
+extern void hashtab_map_remove_on_error(hashtab_t h,
+ int (*apply) (hashtab_key_t k,
+ hashtab_datum_t d,
+ void *args),
+ void (*destroy) (hashtab_key_t k,
+ hashtab_datum_t d,
+ void *args),
+ void *args);
+
+extern void hashtab_hash_eval(hashtab_t h, char *tag);
+
+#endif
diff --git a/include/sepol/policydb/hierarchy.h b/include/sepol/policydb/hierarchy.h
new file mode 100644
index 0000000..de2dfc7
--- /dev/null
+++ b/include/sepol/policydb/hierarchy.h
@@ -0,0 +1,32 @@
+/* Authors: Jason Tang <jtang@tresys.com>
+ * Joshua Brindle <jbrindle@tresys.com>
+ * Karl MacMillan <kmacmillan@tresys.com>
+ *
+ * A set of utility functions that aid policy decision when dealing
+ * with hierarchal items.
+ *
+ * Copyright (C) 2005 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef _SEPOL_POLICYDB_HIERARCHY_H_
+#define _SEPOL_POLICYDB_HIERARCHY_H_
+
+#include <sepol/policydb/policydb.h>
+
+extern int hierarchy_check_constraints(sepol_handle_t * handle, policydb_t * p);
+
+#endif
diff --git a/include/sepol/policydb/link.h b/include/sepol/policydb/link.h
new file mode 100644
index 0000000..fca9114
--- /dev/null
+++ b/include/sepol/policydb/link.h
@@ -0,0 +1,20 @@
+/* Authors: Jason Tang <jtang@tresys.com>
+ * Joshua Brindle <jbrindle@tresys.com>
+ * Karl MacMillan <kmacmillan@mentalrootkit.com>
+ */
+
+#ifndef _SEPOL_POLICYDB_LINK_H
+#define _SEPOL_POLICYDB_LINK_H
+
+#include <sepol/handle.h>
+#include <sepol/errcodes.h>
+#include <sepol/policydb/policydb.h>
+
+
+#include <stddef.h>
+
+extern int link_modules(sepol_handle_t * handle,
+ policydb_t * b, policydb_t ** mods, int len,
+ int verbose);
+
+#endif
diff --git a/include/sepol/policydb/mls_types.h b/include/sepol/policydb/mls_types.h
new file mode 100644
index 0000000..e491209
--- /dev/null
+++ b/include/sepol/policydb/mls_types.h
@@ -0,0 +1,153 @@
+
+/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */
+/*
+ * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
+ *
+ * Support for enhanced MLS infrastructure.
+ *
+ * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+/* FLASK */
+
+/*
+ * Type definitions for the multi-level security (MLS) policy.
+ */
+
+#ifndef _SEPOL_POLICYDB_MLS_TYPES_H_
+#define _SEPOL_POLICYDB_MLS_TYPES_H_
+
+#include <stdint.h>
+#include <stdlib.h>
+#include <sepol/policydb/ebitmap.h>
+#include <sepol/policydb/flask_types.h>
+
+typedef struct mls_level {
+ uint32_t sens; /* sensitivity */
+ ebitmap_t cat; /* category set */
+} mls_level_t;
+
+typedef struct mls_range {
+ mls_level_t level[2]; /* low == level[0], high == level[1] */
+} mls_range_t;
+
+static inline int mls_level_cpy(struct mls_level *dst, struct mls_level *src)
+{
+
+ dst->sens = src->sens;
+ if (ebitmap_cpy(&dst->cat, &src->cat) < 0)
+ return -1;
+ return 0;
+}
+
+static inline void mls_level_init(struct mls_level *level)
+{
+
+ memset(level, 0, sizeof(mls_level_t));
+}
+
+static inline void mls_level_destroy(struct mls_level *level)
+{
+
+ if (level == NULL)
+ return;
+
+ ebitmap_destroy(&level->cat);
+ mls_level_init(level);
+}
+
+static inline int mls_level_eq(const struct mls_level *l1, const struct mls_level *l2)
+{
+ return ((l1->sens == l2->sens) && ebitmap_cmp(&l1->cat, &l2->cat));
+}
+
+static inline int mls_level_dom(const struct mls_level *l1, const struct mls_level *l2)
+{
+ return ((l1->sens >= l2->sens) && ebitmap_contains(&l1->cat, &l2->cat));
+}
+
+#define mls_level_incomp(l1, l2) \
+(!mls_level_dom((l1), (l2)) && !mls_level_dom((l2), (l1)))
+
+#define mls_level_between(l1, l2, l3) \
+(mls_level_dom((l1), (l2)) && mls_level_dom((l3), (l1)))
+
+#define mls_range_contains(r1, r2) \
+(mls_level_dom(&(r2).level[0], &(r1).level[0]) && \
+ mls_level_dom(&(r1).level[1], &(r2).level[1]))
+
+static inline int mls_range_cpy(mls_range_t * dst, mls_range_t * src)
+{
+
+ if (mls_level_cpy(&dst->level[0], &src->level[0]) < 0)
+ goto err;
+
+ if (mls_level_cpy(&dst->level[1], &src->level[1]) < 0)
+ goto err_destroy;
+
+ return 0;
+
+ err_destroy:
+ mls_level_destroy(&dst->level[0]);
+
+ err:
+ return -1;
+}
+
+static inline void mls_range_init(struct mls_range *r)
+{
+ mls_level_init(&r->level[0]);
+ mls_level_init(&r->level[1]);
+}
+
+static inline void mls_range_destroy(struct mls_range *r)
+{
+ mls_level_destroy(&r->level[0]);
+ mls_level_destroy(&r->level[1]);
+}
+
+static inline int mls_range_eq(struct mls_range *r1, struct mls_range *r2)
+{
+ return (mls_level_eq(&r1->level[0], &r2->level[0]) &&
+ mls_level_eq(&r1->level[1], &r2->level[1]));
+}
+
+typedef struct mls_semantic_cat {
+ uint32_t low; /* first bit this struct represents */
+ uint32_t high; /* last bit represented - equals low for a single cat */
+ struct mls_semantic_cat *next;
+} mls_semantic_cat_t;
+
+typedef struct mls_semantic_level {
+ uint32_t sens;
+ mls_semantic_cat_t *cat;
+} mls_semantic_level_t;
+
+typedef struct mls_semantic_range {
+ mls_semantic_level_t level[2];
+} mls_semantic_range_t;
+
+extern void mls_semantic_cat_init(mls_semantic_cat_t *c);
+extern void mls_semantic_cat_destroy(mls_semantic_cat_t *c);
+extern void mls_semantic_level_init(mls_semantic_level_t *l);
+extern void mls_semantic_level_destroy(mls_semantic_level_t *l);
+extern int mls_semantic_level_cpy(mls_semantic_level_t *dst, mls_semantic_level_t *src);
+extern void mls_semantic_range_init(mls_semantic_range_t *r);
+extern void mls_semantic_range_destroy(mls_semantic_range_t *r);
+extern int mls_semantic_range_cpy(mls_semantic_range_t *dst, mls_semantic_range_t *src);
+
+#endif
diff --git a/include/sepol/policydb/module.h b/include/sepol/policydb/module.h
new file mode 100644
index 0000000..10403c8
--- /dev/null
+++ b/include/sepol/policydb/module.h
@@ -0,0 +1,48 @@
+/* Author: Karl MacMillan <kmacmillan@tresys.com>
+ *
+ * Copyright (C) 2004-2005 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef _SEPOL_POLICYDB_MODULE_H_
+#define _SEPOL_POLICYDB_MODULE_H_
+
+#include <stdlib.h>
+#include <stddef.h>
+
+#include <sepol/module.h>
+
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/conditional.h>
+
+#define SEPOL_MODULE_PACKAGE_MAGIC 0xf97cff8f
+
+struct sepol_module_package {
+ sepol_policydb_t *policy;
+ uint32_t version;
+ char *file_contexts;
+ size_t file_contexts_len;
+ char *seusers;
+ size_t seusers_len;
+ char *user_extra;
+ size_t user_extra_len;
+ char *netfilter_contexts;
+ size_t netfilter_contexts_len;
+};
+
+extern int sepol_module_package_init(sepol_module_package_t * p);
+
+#endif
diff --git a/include/sepol/policydb/polcaps.h b/include/sepol/policydb/polcaps.h
new file mode 100644
index 0000000..40c0a48
--- /dev/null
+++ b/include/sepol/policydb/polcaps.h
@@ -0,0 +1,18 @@
+#ifndef _SEPOL_POLICYDB_POLCAPS_H_
+#define _SEPOL_POLICYDB_POLCAPS_H_
+
+/* Policy capabilities */
+enum {
+ POLICYDB_CAPABILITY_NETPEER,
+ POLICYDB_CAPABILITY_OPENPERM,
+ __POLICYDB_CAPABILITY_MAX
+};
+#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
+
+/* Convert a capability name to number. */
+extern int sepol_polcap_getnum(const char *name);
+
+/* Convert a capability number to name. */
+extern const char *sepol_polcap_getname(int capnum);
+
+#endif /* _SEPOL_POLICYDB_POLCAPS_H_ */
diff --git a/include/sepol/policydb/policydb.h b/include/sepol/policydb/policydb.h
new file mode 100644
index 0000000..5320bc8
--- /dev/null
+++ b/include/sepol/policydb/policydb.h
@@ -0,0 +1,724 @@
+
+/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */
+
+/*
+ * Updated: Joshua Brindle <jbrindle@tresys.com>
+ * Karl MacMillan <kmacmillan@tresys.com>
+ * Jason Tang <jtang@tresys.com>
+ *
+ * Module support
+ *
+ * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
+ *
+ * Support for enhanced MLS infrastructure.
+ *
+ * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
+ *
+ * Added conditional policy language extensions
+ *
+ * Updated: Red Hat, Inc. James Morris <jmorris@redhat.com>
+ *
+ * Fine-grained netlink support
+ * IPv6 support
+ * Code cleanup
+ *
+ * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
+ * Copyright (C) 2003 - 2004 Tresys Technology, LLC
+ * Copyright (C) 2003 - 2004 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+/* FLASK */
+
+/*
+ * A policy database (policydb) specifies the
+ * configuration data for the security policy.
+ */
+
+#ifndef _SEPOL_POLICYDB_POLICYDB_H_
+#define _SEPOL_POLICYDB_POLICYDB_H_
+
+#include <stdio.h>
+#include <stddef.h>
+
+#include <sepol/policydb.h>
+
+#include <sepol/policydb/flask_types.h>
+#include <sepol/policydb/symtab.h>
+#include <sepol/policydb/avtab.h>
+#include <sepol/policydb/context.h>
+#include <sepol/policydb/constraint.h>
+#include <sepol/policydb/sidtab.h>
+
+#define ERRMSG_LEN 1024
+
+#define POLICYDB_SUCCESS 0
+#define POLICYDB_ERROR -1
+#define POLICYDB_UNSUPPORTED -2
+
+/*
+ * A datum type is defined for each kind of symbol
+ * in the configuration data: individual permissions,
+ * common prefixes for access vectors, classes,
+ * users, roles, types, sensitivities, categories, etc.
+ */
+
+/* type set preserves data needed by modules such as *, ~ and attributes */
+typedef struct type_set {
+ ebitmap_t types;
+ ebitmap_t negset;
+#define TYPE_STAR 1
+#define TYPE_COMP 2
+ uint32_t flags;
+} type_set_t;
+
+typedef struct role_set {
+ ebitmap_t roles;
+#define ROLE_STAR 1
+#define ROLE_COMP 2
+ uint32_t flags;
+} role_set_t;
+
+/* Permission attributes */
+typedef struct perm_datum {
+ symtab_datum_t s;
+} perm_datum_t;
+
+/* Attributes of a common prefix for access vectors */
+typedef struct common_datum {
+ symtab_datum_t s;
+ symtab_t permissions; /* common permissions */
+} common_datum_t;
+
+/* Class attributes */
+typedef struct class_datum {
+ symtab_datum_t s;
+ char *comkey; /* common name */
+ common_datum_t *comdatum; /* common datum */
+ symtab_t permissions; /* class-specific permission symbol table */
+ constraint_node_t *constraints; /* constraints on class permissions */
+ constraint_node_t *validatetrans; /* special transition rules */
+} class_datum_t;
+
+/* Role attributes */
+typedef struct role_datum {
+ symtab_datum_t s;
+ ebitmap_t dominates; /* set of roles dominated by this role */
+ type_set_t types; /* set of authorized types for role */
+ ebitmap_t cache; /* This is an expanded set used for context validation during parsing */
+ uint32_t bounds; /* bounds role, if exist */
+#define ROLE_ROLE 0 /* regular role in kernel policies */
+#define ROLE_ATTRIB 1 /* attribute */
+ uint32_t flavor;
+ ebitmap_t roles; /* roles with this attribute */
+} role_datum_t;
+
+typedef struct role_trans {
+ uint32_t role; /* current role */
+ uint32_t type; /* program executable type, or new object type */
+ uint32_t tclass; /* process class, or new object class */
+ uint32_t new_role; /* new role */
+ struct role_trans *next;
+} role_trans_t;
+
+typedef struct role_allow {
+ uint32_t role; /* current role */
+ uint32_t new_role; /* new role */
+ struct role_allow *next;
+} role_allow_t;
+
+/* filename_trans rules */
+typedef struct filename_trans {
+ uint32_t stype;
+ uint32_t ttype;
+ uint32_t tclass;
+ char *name;
+ uint32_t otype;
+ struct filename_trans *next;
+} filename_trans_t;
+
+/* Type attributes */
+typedef struct type_datum {
+ symtab_datum_t s;
+ uint32_t primary; /* primary name? can be set to primary value if below is TYPE_ */
+#define TYPE_TYPE 0 /* regular type or alias in kernel policies */
+#define TYPE_ATTRIB 1 /* attribute */
+#define TYPE_ALIAS 2 /* alias in modular policy */
+ uint32_t flavor;
+ ebitmap_t types; /* types with this attribute */
+#define TYPE_FLAGS_PERMISSIVE 0x01
+ uint32_t flags;
+ uint32_t bounds; /* bounds type, if exist */
+} type_datum_t;
+
+/*
+ * Properties of type_datum
+ * available on the policy version >= (MOD_)POLICYDB_VERSION_BOUNDARY
+ */
+#define TYPEDATUM_PROPERTY_PRIMARY 0x0001
+#define TYPEDATUM_PROPERTY_ATTRIBUTE 0x0002
+#define TYPEDATUM_PROPERTY_ALIAS 0x0004 /* userspace only */
+#define TYPEDATUM_PROPERTY_PERMISSIVE 0x0008 /* userspace only */
+
+/* User attributes */
+typedef struct user_datum {
+ symtab_datum_t s;
+ role_set_t roles; /* set of authorized roles for user */
+ mls_semantic_range_t range; /* MLS range (min. - max.) for user */
+ mls_semantic_level_t dfltlevel; /* default login MLS level for user */
+ ebitmap_t cache; /* This is an expanded set used for context validation during parsing */
+ mls_range_t exp_range; /* expanded range used for validation */
+ mls_level_t exp_dfltlevel; /* expanded range used for validation */
+ uint32_t bounds; /* bounds user, if exist */
+} user_datum_t;
+
+/* Sensitivity attributes */
+typedef struct level_datum {
+ mls_level_t *level; /* sensitivity and associated categories */
+ unsigned char isalias; /* is this sensitivity an alias for another? */
+ unsigned char defined;
+} level_datum_t;
+
+/* Category attributes */
+typedef struct cat_datum {
+ symtab_datum_t s;
+ unsigned char isalias; /* is this category an alias for another? */
+} cat_datum_t;
+
+typedef struct range_trans {
+ uint32_t source_type;
+ uint32_t target_type;
+ uint32_t target_class;
+ mls_range_t target_range;
+ struct range_trans *next;
+} range_trans_t;
+
+/* Boolean data type */
+typedef struct cond_bool_datum {
+ symtab_datum_t s;
+ int state;
+} cond_bool_datum_t;
+
+struct cond_node;
+
+typedef struct cond_node cond_list_t;
+struct cond_av_list;
+
+typedef struct class_perm_node {
+ uint32_t class;
+ uint32_t data; /* permissions or new type */
+ struct class_perm_node *next;
+} class_perm_node_t;
+
+typedef struct avrule {
+/* these typedefs are almost exactly the same as those in avtab.h - they are
+ * here because of the need to include neverallow and dontaudit messages */
+#define AVRULE_ALLOWED 1
+#define AVRULE_AUDITALLOW 2
+#define AVRULE_AUDITDENY 4
+#define AVRULE_DONTAUDIT 8
+#define AVRULE_NEVERALLOW 128
+#define AVRULE_AV (AVRULE_ALLOWED | AVRULE_AUDITALLOW | AVRULE_AUDITDENY | AVRULE_DONTAUDIT | AVRULE_NEVERALLOW)
+#define AVRULE_TRANSITION 16
+#define AVRULE_MEMBER 32
+#define AVRULE_CHANGE 64
+#define AVRULE_TYPE (AVRULE_TRANSITION | AVRULE_MEMBER | AVRULE_CHANGE)
+ uint32_t specified;
+#define RULE_SELF 1
+ uint32_t flags;
+ type_set_t stypes;
+ type_set_t ttypes;
+ class_perm_node_t *perms;
+ unsigned long line; /* line number from policy.conf where
+ * this rule originated */
+ struct avrule *next;
+} avrule_t;
+
+typedef struct role_trans_rule {
+ role_set_t roles; /* current role */
+ type_set_t types; /* program executable type, or new object type */
+ ebitmap_t classes; /* process class, or new object class */
+ uint32_t new_role; /* new role */
+ struct role_trans_rule *next;
+} role_trans_rule_t;
+
+typedef struct role_allow_rule {
+ role_set_t roles; /* current role */
+ role_set_t new_roles; /* new roles */
+ struct role_allow_rule *next;
+} role_allow_rule_t;
+
+typedef struct filename_trans_rule {
+ type_set_t stypes;
+ type_set_t ttypes;
+ uint32_t tclass;
+ char *name;
+ uint32_t otype; /* new type */
+ struct filename_trans_rule *next;
+} filename_trans_rule_t;
+
+typedef struct range_trans_rule {
+ type_set_t stypes;
+ type_set_t ttypes;
+ ebitmap_t tclasses;
+ mls_semantic_range_t trange;
+ struct range_trans_rule *next;
+} range_trans_rule_t;
+
+/*
+ * The configuration data includes security contexts for
+ * initial SIDs, unlabeled file systems, TCP and UDP port numbers,
+ * network interfaces, and nodes. This structure stores the
+ * relevant data for one such entry. Entries of the same kind
+ * (e.g. all initial SIDs) are linked together into a list.
+ */
+typedef struct ocontext {
+ union {
+ char *name; /* name of initial SID, fs, netif, fstype, path */
+ struct {
+ uint8_t protocol;
+ uint16_t low_port;
+ uint16_t high_port;
+ } port; /* TCP or UDP port information */
+ struct {
+ uint32_t addr; /* network order */
+ uint32_t mask; /* network order */
+ } node; /* node information */
+ struct {
+ uint32_t addr[4]; /* network order */
+ uint32_t mask[4]; /* network order */
+ } node6; /* IPv6 node information */
+ uint32_t device;
+ uint16_t pirq;
+ struct {
+ uint32_t low_iomem;
+ uint32_t high_iomem;
+ } iomem;
+ struct {
+ uint32_t low_ioport;
+ uint32_t high_ioport;
+ } ioport;
+ } u;
+ union {
+ uint32_t sclass; /* security class for genfs */
+ uint32_t behavior; /* labeling behavior for fs_use */
+ } v;
+ context_struct_t context[2]; /* security context(s) */
+ sepol_security_id_t sid[2]; /* SID(s) */
+ struct ocontext *next;
+} ocontext_t;
+
+typedef struct genfs {
+ char *fstype;
+ struct ocontext *head;
+ struct genfs *next;
+} genfs_t;
+
+/* symbol table array indices */
+#define SYM_COMMONS 0
+#define SYM_CLASSES 1
+#define SYM_ROLES 2
+#define SYM_TYPES 3
+#define SYM_USERS 4
+#define SYM_BOOLS 5
+#define SYM_LEVELS 6
+#define SYM_CATS 7
+#define SYM_NUM 8
+
+/* object context array indices */
+#define OCON_ISID 0 /* initial SIDs */
+#define OCON_FS 1 /* unlabeled file systems */
+#define OCON_PORT 2 /* TCP and UDP port numbers */
+#define OCON_NETIF 3 /* network interfaces */
+#define OCON_NODE 4 /* nodes */
+#define OCON_FSUSE 5 /* fs_use */
+#define OCON_NODE6 6 /* IPv6 nodes */
+#define OCON_GENFS 7 /* needed for ocontext_supported */
+
+/* object context array indices for Xen */
+#define OCON_XEN_ISID 0 /* initial SIDs */
+#define OCON_XEN_PIRQ 1 /* physical irqs */
+#define OCON_XEN_IOPORT 2 /* io ports */
+#define OCON_XEN_IOMEM 3 /* io memory */
+#define OCON_XEN_PCIDEVICE 4 /* pci devices */
+
+/* OCON_NUM needs to be the largest index in any platform's ocontext array */
+#define OCON_NUM 7
+
+/* section: module information */
+
+/* scope_index_t holds all of the symbols that are in scope in a
+ * particular situation. The bitmaps are indices (and thus must
+ * subtract one) into the global policydb->scope array. */
+typedef struct scope_index {
+ ebitmap_t scope[SYM_NUM];
+#define p_classes_scope scope[SYM_CLASSES]
+#define p_roles_scope scope[SYM_ROLES]
+#define p_types_scope scope[SYM_TYPES]
+#define p_users_scope scope[SYM_USERS]
+#define p_bools_scope scope[SYM_BOOLS]
+#define p_sens_scope scope[SYM_LEVELS]
+#define p_cat_scope scope[SYM_CATS]
+
+ /* this array maps from class->value to the permissions within
+ * scope. if bit (perm->value - 1) is set in map
+ * class_perms_map[class->value - 1] then that permission is
+ * enabled for this class within this decl. */
+ ebitmap_t *class_perms_map;
+ /* total number of classes in class_perms_map array */
+ uint32_t class_perms_len;
+} scope_index_t;
+
+/* a list of declarations for a particular avrule_decl */
+
+/* These two structs declare a block of policy that has TE and RBAC
+ * statements and declarations. The root block (the global policy)
+ * can never have an ELSE branch. */
+typedef struct avrule_decl {
+ uint32_t decl_id;
+ uint32_t enabled; /* whether this block is enabled */
+
+ cond_list_t *cond_list;
+ avrule_t *avrules;
+ role_trans_rule_t *role_tr_rules;
+ role_allow_rule_t *role_allow_rules;
+ range_trans_rule_t *range_tr_rules;
+ scope_index_t required; /* symbols needed to activate this block */
+ scope_index_t declared; /* symbols declared within this block */
+
+ /* type transition rules with a 'name' component */
+ filename_trans_rule_t *filename_trans_rules;
+
+ /* for additive statements (type attribute, roles, and users) */
+ symtab_t symtab[SYM_NUM];
+
+ /* In a linked module this will contain the name of the module
+ * from which this avrule_decl originated. */
+ char *module_name;
+
+ struct avrule_decl *next;
+} avrule_decl_t;
+
+typedef struct avrule_block {
+ avrule_decl_t *branch_list;
+ avrule_decl_t *enabled; /* pointer to which branch is enabled. this is
+ used in linking and never written to disk */
+#define AVRULE_OPTIONAL 1
+ uint32_t flags; /* any flags for this block, currently just optional */
+ struct avrule_block *next;
+} avrule_block_t;
+
+/* Every identifier has its own scope datum. The datum describes if
+ * the item is to be included into the final policy during
+ * expansion. */
+typedef struct scope_datum {
+/* Required for this decl */
+#define SCOPE_REQ 1
+/* Declared in this decl */
+#define SCOPE_DECL 2
+ uint32_t scope;
+ uint32_t *decl_ids;
+ uint32_t decl_ids_len;
+ /* decl_ids is a list of avrule_decl's that declare/require
+ * this symbol. If scope==SCOPE_DECL then this is a list of
+ * declarations. If the symbol may only be declared once
+ * (types, bools) then decl_ids_len will be exactly 1. For
+ * implicitly declared things (roles, users) then decl_ids_len
+ * will be at least 1. */
+} scope_datum_t;
+
+/* The policy database */
+typedef struct policydb {
+#define POLICY_KERN SEPOL_POLICY_KERN
+#define POLICY_BASE SEPOL_POLICY_BASE
+#define POLICY_MOD SEPOL_POLICY_MOD
+ uint32_t policy_type;
+ char *name;
+ char *version;
+ int target_platform;
+
+ /* Set when the policydb is modified such that writing is unsupported */
+ int unsupported_format;
+
+ /* Whether this policydb is mls, should always be set */
+ int mls;
+
+ /* symbol tables */
+ symtab_t symtab[SYM_NUM];
+#define p_commons symtab[SYM_COMMONS]
+#define p_classes symtab[SYM_CLASSES]
+#define p_roles symtab[SYM_ROLES]
+#define p_types symtab[SYM_TYPES]
+#define p_users symtab[SYM_USERS]
+#define p_bools symtab[SYM_BOOLS]
+#define p_levels symtab[SYM_LEVELS]
+#define p_cats symtab[SYM_CATS]
+
+ /* symbol names indexed by (value - 1) */
+ char **sym_val_to_name[SYM_NUM];
+#define p_common_val_to_name sym_val_to_name[SYM_COMMONS]
+#define p_class_val_to_name sym_val_to_name[SYM_CLASSES]
+#define p_role_val_to_name sym_val_to_name[SYM_ROLES]
+#define p_type_val_to_name sym_val_to_name[SYM_TYPES]
+#define p_user_val_to_name sym_val_to_name[SYM_USERS]
+#define p_bool_val_to_name sym_val_to_name[SYM_BOOLS]
+#define p_sens_val_to_name sym_val_to_name[SYM_LEVELS]
+#define p_cat_val_to_name sym_val_to_name[SYM_CATS]
+
+ /* class, role, and user attributes indexed by (value - 1) */
+ class_datum_t **class_val_to_struct;
+ role_datum_t **role_val_to_struct;
+ user_datum_t **user_val_to_struct;
+ type_datum_t **type_val_to_struct;
+
+ /* module stuff section -- used in parsing and for modules */
+
+ /* keep track of the scope for every identifier. these are
+ * hash tables, where the key is the identifier name and value
+ * a scope_datum_t. as a convenience, one may use the
+ * p_*_macros (cf. struct scope_index_t declaration). */
+ symtab_t scope[SYM_NUM];
+
+ /* module rule storage */
+ avrule_block_t *global;
+ /* avrule_decl index used for link/expand */
+ avrule_decl_t **decl_val_to_struct;
+
+ /* compiled storage of rules - use for the kernel policy */
+
+ /* type enforcement access vectors and transitions */
+ avtab_t te_avtab;
+
+ /* bools indexed by (value - 1) */
+ cond_bool_datum_t **bool_val_to_struct;
+ /* type enforcement conditional access vectors and transitions */
+ avtab_t te_cond_avtab;
+ /* linked list indexing te_cond_avtab by conditional */
+ cond_list_t *cond_list;
+
+ /* role transitions */
+ role_trans_t *role_tr;
+
+ /* type transition rules with a 'name' component */
+ filename_trans_t *filename_trans;
+
+ /* role allows */
+ role_allow_t *role_allow;
+
+ /* security contexts of initial SIDs, unlabeled file systems,
+ TCP or UDP port numbers, network interfaces and nodes */
+ ocontext_t *ocontexts[OCON_NUM];
+
+ /* security contexts for files in filesystems that cannot support
+ a persistent label mapping or use another
+ fixed labeling behavior. */
+ genfs_t *genfs;
+
+ /* range transitions */
+ range_trans_t *range_tr;
+
+ ebitmap_t *type_attr_map;
+
+ ebitmap_t *attr_type_map; /* not saved in the binary policy */
+
+ ebitmap_t policycaps;
+
+ /* this bitmap is referenced by type NOT the typical type-1 used in other
+ bitmaps. Someday the 0 bit may be used for global permissive */
+ ebitmap_t permissive_map;
+
+ unsigned policyvers;
+
+ unsigned handle_unknown;
+} policydb_t;
+
+struct sepol_policydb {
+ struct policydb p;
+};
+
+extern int policydb_init(policydb_t * p);
+
+extern int policydb_from_image(sepol_handle_t * handle,
+ void *data, size_t len, policydb_t * policydb);
+
+extern int policydb_to_image(sepol_handle_t * handle,
+ policydb_t * policydb, void **newdata,
+ size_t * newlen);
+
+extern int policydb_index_classes(policydb_t * p);
+
+extern int policydb_index_bools(policydb_t * p);
+
+extern int policydb_index_others(sepol_handle_t * handle, policydb_t * p,
+ unsigned int verbose);
+
+extern int policydb_reindex_users(policydb_t * p);
+
+extern void policydb_destroy(policydb_t * p);
+
+extern int policydb_load_isids(policydb_t * p, sidtab_t * s);
+
+/* Deprecated */
+extern int policydb_context_isvalid(const policydb_t * p,
+ const context_struct_t * c);
+
+extern void symtabs_destroy(symtab_t * symtab);
+extern int scope_destroy(hashtab_key_t key, hashtab_datum_t datum, void *p);
+typedef void (*hashtab_destroy_func_t) (hashtab_key_t k, hashtab_datum_t d,
+ void *args);
+extern hashtab_destroy_func_t get_symtab_destroy_func(int sym_num);
+
+extern void class_perm_node_init(class_perm_node_t * x);
+extern void type_set_init(type_set_t * x);
+extern void type_set_destroy(type_set_t * x);
+extern int type_set_cpy(type_set_t * dst, type_set_t * src);
+extern int type_set_or_eq(type_set_t * dst, type_set_t * other);
+extern void role_set_init(role_set_t * x);
+extern void role_set_destroy(role_set_t * x);
+extern void avrule_init(avrule_t * x);
+extern void avrule_destroy(avrule_t * x);
+extern void avrule_list_destroy(avrule_t * x);
+extern void role_trans_rule_init(role_trans_rule_t * x);
+extern void role_trans_rule_list_destroy(role_trans_rule_t * x);
+extern void filename_trans_rule_init(filename_trans_rule_t * x);
+extern void filename_trans_rule_list_destroy(filename_trans_rule_t * x);
+
+extern void role_datum_init(role_datum_t * x);
+extern void role_datum_destroy(role_datum_t * x);
+extern void role_allow_rule_init(role_allow_rule_t * x);
+extern void role_allow_rule_destroy(role_allow_rule_t * x);
+extern void role_allow_rule_list_destroy(role_allow_rule_t * x);
+extern void range_trans_rule_init(range_trans_rule_t *x);
+extern void range_trans_rule_destroy(range_trans_rule_t *x);
+extern void range_trans_rule_list_destroy(range_trans_rule_t *x);
+extern void type_datum_init(type_datum_t * x);
+extern void type_datum_destroy(type_datum_t * x);
+extern void user_datum_init(user_datum_t * x);
+extern void user_datum_destroy(user_datum_t * x);
+extern void level_datum_init(level_datum_t * x);
+extern void level_datum_destroy(level_datum_t * x);
+extern void cat_datum_init(cat_datum_t * x);
+extern void cat_datum_destroy(cat_datum_t * x);
+
+extern int check_assertions(sepol_handle_t * handle,
+ policydb_t * p, avrule_t * avrules);
+
+extern int symtab_insert(policydb_t * x, uint32_t sym,
+ hashtab_key_t key, hashtab_datum_t datum,
+ uint32_t scope, uint32_t avrule_decl_id,
+ uint32_t * value);
+
+/* A policy "file" may be a memory region referenced by a (data, len) pair
+ or a file referenced by a FILE pointer. */
+typedef struct policy_file {
+#define PF_USE_MEMORY 0
+#define PF_USE_STDIO 1
+#define PF_LEN 2 /* total up length in len field */
+ unsigned type;
+ char *data;
+ size_t len;
+ size_t size;
+ FILE *fp;
+ struct sepol_handle *handle;
+} policy_file_t;
+
+struct sepol_policy_file {
+ struct policy_file pf;
+};
+
+extern void policy_file_init(policy_file_t * x);
+
+extern int policydb_read(policydb_t * p, struct policy_file *fp,
+ unsigned int verbose);
+extern int avrule_read_list(policydb_t * p, avrule_t ** avrules,
+ struct policy_file *fp);
+
+extern int policydb_write(struct policydb *p, struct policy_file *pf);
+extern int policydb_set_target_platform(policydb_t *p, int platform);
+
+#define PERM_SYMTAB_SIZE 32
+
+/* Identify specific policy version changes */
+#define POLICYDB_VERSION_BASE 15
+#define POLICYDB_VERSION_BOOL 16
+#define POLICYDB_VERSION_IPV6 17
+#define POLICYDB_VERSION_NLCLASS 18
+#define POLICYDB_VERSION_VALIDATETRANS 19
+#define POLICYDB_VERSION_MLS 19
+#define POLICYDB_VERSION_AVTAB 20
+#define POLICYDB_VERSION_RANGETRANS 21
+#define POLICYDB_VERSION_POLCAP 22
+#define POLICYDB_VERSION_PERMISSIVE 23
+#define POLICYDB_VERSION_BOUNDARY 24
+#define POLICYDB_VERSION_FILENAME_TRANS 25
+#define POLICYDB_VERSION_ROLETRANS 26
+
+/* Range of policy versions we understand*/
+#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
+#define POLICYDB_VERSION_MAX POLICYDB_VERSION_ROLETRANS
+
+/* Module versions and specific changes*/
+#define MOD_POLICYDB_VERSION_BASE 4
+#define MOD_POLICYDB_VERSION_VALIDATETRANS 5
+#define MOD_POLICYDB_VERSION_MLS 5
+#define MOD_POLICYDB_VERSION_RANGETRANS 6
+#define MOD_POLICYDB_VERSION_MLS_USERS 6
+#define MOD_POLICYDB_VERSION_POLCAP 7
+#define MOD_POLICYDB_VERSION_PERMISSIVE 8
+#define MOD_POLICYDB_VERSION_BOUNDARY 9
+#define MOD_POLICYDB_VERSION_BOUNDARY_ALIAS 10
+#define MOD_POLICYDB_VERSION_FILENAME_TRANS 11
+#define MOD_POLICYDB_VERSION_ROLETRANS 12
+#define MOD_POLICYDB_VERSION_ROLEATTRIB 13
+
+#define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE
+#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_ROLEATTRIB
+
+#define POLICYDB_CONFIG_MLS 1
+
+/* macros to check policy feature */
+
+/* TODO: add other features here */
+
+#define policydb_has_boundary_feature(p) \
+ (((p)->policy_type == POLICY_KERN \
+ && p->policyvers >= POLICYDB_VERSION_BOUNDARY) || \
+ ((p)->policy_type != POLICY_KERN \
+ && p->policyvers >= MOD_POLICYDB_VERSION_BOUNDARY))
+
+/* the config flags related to unknown classes/perms are bits 2 and 3 */
+#define DENY_UNKNOWN SEPOL_DENY_UNKNOWN
+#define REJECT_UNKNOWN SEPOL_REJECT_UNKNOWN
+#define ALLOW_UNKNOWN SEPOL_ALLOW_UNKNOWN
+
+#define POLICYDB_CONFIG_UNKNOWN_MASK (DENY_UNKNOWN | REJECT_UNKNOWN | ALLOW_UNKNOWN)
+
+#define OBJECT_R "object_r"
+#define OBJECT_R_VAL 1
+
+#define POLICYDB_MAGIC SELINUX_MAGIC
+#define POLICYDB_STRING "SE Linux"
+#define POLICYDB_XEN_STRING "XenFlask"
+#define POLICYDB_STRING_MAX_LENGTH 32
+#define POLICYDB_MOD_MAGIC SELINUX_MOD_MAGIC
+#define POLICYDB_MOD_STRING "SE Linux Module"
+#define SEPOL_TARGET_SELINUX 0
+#define SEPOL_TARGET_XEN 1
+
+
+#endif /* _POLICYDB_H_ */
+
+/* FLASK */
diff --git a/include/sepol/policydb/services.h b/include/sepol/policydb/services.h
new file mode 100644
index 0000000..aef0c7b
--- /dev/null
+++ b/include/sepol/policydb/services.h
@@ -0,0 +1,184 @@
+
+/* -*- linux-c -*- */
+
+/*
+ * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
+ */
+
+#ifndef _SEPOL_POLICYDB_SERVICES_H_
+#define _SEPOL_POLICYDB_SERVICES_H_
+
+/*
+ * Security server interface.
+ */
+
+#include <sepol/policydb/flask_types.h>
+#include <sepol/policydb/policydb.h>
+#include <stddef.h>
+
+/* Set the policydb and sidtab structures to be used by
+ the service functions. If not set, then these default
+ to private structures within libsepol that can only be
+ initialized and accessed via the service functions themselves.
+ Setting the structures explicitly allows a program to directly
+ manipulate them, e.g. checkpolicy populates the structures directly
+ from a source policy rather than from a binary policy. */
+extern int sepol_set_policydb(policydb_t * p);
+extern int sepol_set_sidtab(sidtab_t * s);
+
+/* Modify a policydb for boolean settings. */
+int sepol_genbools_policydb(policydb_t * policydb, const char *booleans);
+
+/* Modify a policydb for user settings. */
+int sepol_genusers_policydb(policydb_t * policydb, const char *usersdir);
+
+/* Load the security policy. This initializes the policydb
+ and sidtab based on the provided binary policy. */
+extern int sepol_load_policy(void *data, size_t len);
+
+/*
+ * Compute access vectors based on a SID pair for
+ * the permissions in a particular class.
+ */
+extern int sepol_compute_av(sepol_security_id_t ssid, /* IN */
+ sepol_security_id_t tsid, /* IN */
+ sepol_security_class_t tclass, /* IN */
+ sepol_access_vector_t requested, /* IN */
+ struct sepol_av_decision *avd); /* OUT */
+
+/* Same as above, but also return the reason(s) for any
+ denials of the requested permissions. */
+#define SEPOL_COMPUTEAV_TE 1
+#define SEPOL_COMPUTEAV_CONS 2
+#define SEPOL_COMPUTEAV_RBAC 4
+extern int sepol_compute_av_reason(sepol_security_id_t ssid,
+ sepol_security_id_t tsid,
+ sepol_security_class_t tclass,
+ sepol_access_vector_t requested,
+ struct sepol_av_decision *avd,
+ unsigned int *reason);
+
+/*
+ * Compute a SID to use for labeling a new object in the
+ * class `tclass' based on a SID pair.
+ */
+extern int sepol_transition_sid(sepol_security_id_t ssid, /* IN */
+ sepol_security_id_t tsid, /* IN */
+ sepol_security_class_t tclass, /* IN */
+ sepol_security_id_t * out_sid); /* OUT */
+
+/*
+ * Compute a SID to use when selecting a member of a
+ * polyinstantiated object of class `tclass' based on
+ * a SID pair.
+ */
+extern int sepol_member_sid(sepol_security_id_t ssid, /* IN */
+ sepol_security_id_t tsid, /* IN */
+ sepol_security_class_t tclass, /* IN */
+ sepol_security_id_t * out_sid); /* OUT */
+
+/*
+ * Compute a SID to use for relabeling an object in the
+ * class `tclass' based on a SID pair.
+ */
+extern int sepol_change_sid(sepol_security_id_t ssid, /* IN */
+ sepol_security_id_t tsid, /* IN */
+ sepol_security_class_t tclass, /* IN */
+ sepol_security_id_t * out_sid); /* OUT */
+
+/*
+ * Write the security context string representation of
+ * the context associated with `sid' into a dynamically
+ * allocated string of the correct size. Set `*scontext'
+ * to point to this string and set `*scontext_len' to
+ * the length of the string.
+ */
+extern int sepol_sid_to_context(sepol_security_id_t sid, /* IN */
+ sepol_security_context_t * scontext, /* OUT */
+ size_t * scontext_len); /* OUT */
+
+/*
+ * Return a SID associated with the security context that
+ * has the string representation specified by `scontext'.
+ */
+extern int sepol_context_to_sid(const sepol_security_context_t scontext, /* IN */
+ size_t scontext_len, /* IN */
+ sepol_security_id_t * out_sid); /* OUT */
+
+/*
+ * Generate the set of SIDs for legal security contexts
+ * for a given user that can be reached by `fromsid'.
+ * Set `*sids' to point to a dynamically allocated
+ * array containing the set of SIDs. Set `*nel' to the
+ * number of elements in the array.
+ */
+extern int sepol_get_user_sids(sepol_security_id_t callsid,
+ char *username,
+ sepol_security_id_t ** sids, uint32_t * nel);
+
+/*
+ * Return the SIDs to use for an unlabeled file system
+ * that is being mounted from the device with the
+ * the kdevname `name'. The `fs_sid' SID is returned for
+ * the file system and the `file_sid' SID is returned
+ * for all files within that file system.
+ */
+extern int sepol_fs_sid(char *dev, /* IN */
+ sepol_security_id_t * fs_sid, /* OUT */
+ sepol_security_id_t * file_sid); /* OUT */
+
+/*
+ * Return the SID of the port specified by
+ * `domain', `type', `protocol', and `port'.
+ */
+extern int sepol_port_sid(uint16_t domain,
+ uint16_t type,
+ uint8_t protocol,
+ uint16_t port, sepol_security_id_t * out_sid);
+
+/*
+ * Return the SIDs to use for a network interface
+ * with the name `name'. The `if_sid' SID is returned for
+ * the interface and the `msg_sid' SID is returned as
+ * the default SID for messages received on the
+ * interface.
+ */
+extern int sepol_netif_sid(char *name,
+ sepol_security_id_t * if_sid,
+ sepol_security_id_t * msg_sid);
+
+/*
+ * Return the SID of the node specified by the address
+ * `addr' where `addrlen' is the length of the address
+ * in bytes and `domain' is the communications domain or
+ * address family in which the address should be interpreted.
+ */
+extern int sepol_node_sid(uint16_t domain,
+ void *addr,
+ size_t addrlen, sepol_security_id_t * out_sid);
+
+/*
+ * Return a value indicating how to handle labeling for the
+ * the specified filesystem type, and optionally return a SID
+ * for the filesystem object.
+ */
+#define SECURITY_FS_USE_XATTR 1 /* use xattr */
+#define SECURITY_FS_USE_TRANS 2 /* use transition SIDs, e.g. devpts/tmpfs */
+#define SECURITY_FS_USE_TASK 3 /* use task SIDs, e.g. pipefs/sockfs */
+#define SECURITY_FS_USE_GENFS 4 /* use the genfs support */
+#define SECURITY_FS_USE_NONE 5 /* no labeling support */
+extern int sepol_fs_use(const char *fstype, /* IN */
+ unsigned int *behavior, /* OUT */
+ sepol_security_id_t * sid); /* OUT */
+
+/*
+ * Return the SID to use for a file in a filesystem
+ * that cannot support a persistent label mapping or use another
+ * fixed labeling behavior like transition SIDs or task SIDs.
+ */
+extern int sepol_genfs_sid(const char *fstype, /* IN */
+ char *name, /* IN */
+ sepol_security_class_t sclass, /* IN */
+ sepol_security_id_t * sid); /* OUT */
+
+#endif
diff --git a/include/sepol/policydb/sidtab.h b/include/sepol/policydb/sidtab.h
new file mode 100644
index 0000000..33c7cb5
--- /dev/null
+++ b/include/sepol/policydb/sidtab.h
@@ -0,0 +1,72 @@
+
+/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */
+
+/* FLASK */
+
+/*
+ * A security identifier table (sidtab) is a hash table
+ * of security context structures indexed by SID value.
+ */
+
+#ifndef _SEPOL_POLICYDB_SIDTAB_H_
+#define _SEPOL_POLICYDB_SIDTAB_H_
+
+#include <sepol/policydb/context.h>
+
+typedef struct sidtab_node {
+ sepol_security_id_t sid; /* security identifier */
+ context_struct_t context; /* security context structure */
+ struct sidtab_node *next;
+} sidtab_node_t;
+
+typedef struct sidtab_node *sidtab_ptr_t;
+
+#define SIDTAB_HASH_BITS 7
+#define SIDTAB_HASH_BUCKETS (1 << SIDTAB_HASH_BITS)
+#define SIDTAB_HASH_MASK (SIDTAB_HASH_BUCKETS-1)
+
+#define SIDTAB_SIZE SIDTAB_HASH_BUCKETS
+
+typedef struct {
+ sidtab_ptr_t *htable;
+ unsigned int nel; /* number of elements */
+ unsigned int next_sid; /* next SID to allocate */
+ unsigned char shutdown;
+} sidtab_t;
+
+extern int sepol_sidtab_init(sidtab_t * s);
+
+extern int sepol_sidtab_insert(sidtab_t * s,
+ sepol_security_id_t sid,
+ context_struct_t * context);
+
+extern context_struct_t *sepol_sidtab_search(sidtab_t * s,
+ sepol_security_id_t sid);
+
+extern int sepol_sidtab_map(sidtab_t * s,
+ int (*apply) (sepol_security_id_t sid,
+ context_struct_t * context,
+ void *args), void *args);
+
+extern void sepol_sidtab_map_remove_on_error(sidtab_t * s,
+ int (*apply) (sepol_security_id_t
+ s,
+ context_struct_t *
+ context, void *args),
+ void *args);
+
+extern int sepol_sidtab_context_to_sid(sidtab_t * s, /* IN */
+ context_struct_t * context, /* IN */
+ sepol_security_id_t * sid); /* OUT */
+
+extern void sepol_sidtab_hash_eval(sidtab_t * h, char *tag);
+
+extern void sepol_sidtab_destroy(sidtab_t * s);
+
+extern void sepol_sidtab_set(sidtab_t * dst, sidtab_t * src);
+
+extern void sepol_sidtab_shutdown(sidtab_t * s);
+
+#endif /* _SIDTAB_H_ */
+
+/* FLASK */
diff --git a/include/sepol/policydb/symtab.h b/include/sepol/policydb/symtab.h
new file mode 100644
index 0000000..c8ad664
--- /dev/null
+++ b/include/sepol/policydb/symtab.h
@@ -0,0 +1,38 @@
+
+/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */
+
+/* FLASK */
+
+/*
+ * A symbol table (symtab) maintains associations between symbol
+ * strings and datum values. The type of the datum values
+ * is arbitrary. The symbol table type is implemented
+ * using the hash table type (hashtab).
+ */
+
+#ifndef _SEPOL_POLICYDB_SYMTAB_H_
+#define _SEPOL_POLICYDB_SYMTAB_H_
+
+#include <sepol/policydb/hashtab.h>
+
+/* The symtab_datum struct stores the common information for
+ * all symtab datums. It should the first element in every
+ * struct that will be used in a symtab to allow the specific
+ * datum types to be freely cast to this type.
+ *
+ * The values start at 1 - 0 is never a valid value.
+ */
+typedef struct symtab_datum {
+ uint32_t value;
+} symtab_datum_t;
+
+typedef struct {
+ hashtab_t table; /* hash table (keyed on a string) */
+ uint32_t nprim; /* number of primary names in table */
+} symtab_t;
+
+extern int symtab_init(symtab_t *, unsigned int size);
+
+#endif /* _SYMTAB_H_ */
+
+/* FLASK */
diff --git a/include/sepol/policydb/util.h b/include/sepol/policydb/util.h
new file mode 100644
index 0000000..40bfaa6
--- /dev/null
+++ b/include/sepol/policydb/util.h
@@ -0,0 +1,31 @@
+/* Authors: Karl MacMillan <kmacmillan@tresys.com>
+ *
+ * A set of utility functions that aid policy decision when dealing
+ * with hierarchal namespaces.
+ *
+ * Copyright (C) 2006 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef __SEPOL_UTIL_H__
+#define __SEPOL_UTIL_H__
+
+extern int add_i_to_a(uint32_t i, uint32_t * cnt, uint32_t ** a);
+
+extern char *sepol_av_to_string(policydb_t * policydbp, uint32_t tclass,
+ sepol_access_vector_t av);
+
+#endif
diff --git a/include/sepol/port_record.h b/include/sepol/port_record.h
new file mode 100644
index 0000000..b347e08
--- /dev/null
+++ b/include/sepol/port_record.h
@@ -0,0 +1,66 @@
+#ifndef _SEPOL_PORT_RECORD_H_
+#define _SEPOL_PORT_RECORD_H_
+
+#include <sepol/context_record.h>
+#include <sepol/handle.h>
+
+struct sepol_port;
+struct sepol_port_key;
+typedef struct sepol_port sepol_port_t;
+typedef struct sepol_port_key sepol_port_key_t;
+
+#define SEPOL_PROTO_UDP 0
+#define SEPOL_PROTO_TCP 1
+
+/* Key */
+extern int sepol_port_compare(const sepol_port_t * port,
+ const sepol_port_key_t * key);
+
+extern int sepol_port_compare2(const sepol_port_t * port,
+ const sepol_port_t * port2);
+
+extern int sepol_port_key_create(sepol_handle_t * handle,
+ int low, int high, int proto,
+ sepol_port_key_t ** key_ptr);
+
+extern void sepol_port_key_unpack(const sepol_port_key_t * key,
+ int *low, int *high, int *proto);
+
+extern int sepol_port_key_extract(sepol_handle_t * handle,
+ const sepol_port_t * port,
+ sepol_port_key_t ** key_ptr);
+
+extern void sepol_port_key_free(sepol_port_key_t * key);
+
+/* Protocol */
+extern int sepol_port_get_proto(const sepol_port_t * port);
+
+extern void sepol_port_set_proto(sepol_port_t * port, int proto);
+
+extern const char *sepol_port_get_proto_str(int proto);
+
+/* Port */
+extern int sepol_port_get_low(const sepol_port_t * port);
+
+extern int sepol_port_get_high(const sepol_port_t * port);
+
+extern void sepol_port_set_port(sepol_port_t * port, int port_num);
+
+extern void sepol_port_set_range(sepol_port_t * port, int low, int high);
+
+/* Context */
+extern sepol_context_t *sepol_port_get_con(const sepol_port_t * port);
+
+extern int sepol_port_set_con(sepol_handle_t * handle,
+ sepol_port_t * port, sepol_context_t * con);
+
+/* Create/Clone/Destroy */
+extern int sepol_port_create(sepol_handle_t * handle, sepol_port_t ** port_ptr);
+
+extern int sepol_port_clone(sepol_handle_t * handle,
+ const sepol_port_t * port,
+ sepol_port_t ** port_ptr);
+
+extern void sepol_port_free(sepol_port_t * port);
+
+#endif
diff --git a/include/sepol/ports.h b/include/sepol/ports.h
new file mode 100644
index 0000000..fb94117
--- /dev/null
+++ b/include/sepol/ports.h
@@ -0,0 +1,40 @@
+#ifndef _SEPOL_PORTS_H_
+#define _SEPOL_PORTS_H_
+
+#include <sepol/handle.h>
+#include <sepol/policydb.h>
+#include <sepol/port_record.h>
+
+/* Return the number of ports */
+extern int sepol_port_count(sepol_handle_t * handle,
+ const sepol_policydb_t * p, unsigned int *response);
+
+/* Check if a port exists */
+extern int sepol_port_exists(sepol_handle_t * handle,
+ const sepol_policydb_t * policydb,
+ const sepol_port_key_t * key, int *response);
+
+/* Query a port - returns the port, or NULL if not found */
+extern int sepol_port_query(sepol_handle_t * handle,
+ const sepol_policydb_t * policydb,
+ const sepol_port_key_t * key,
+ sepol_port_t ** response);
+
+/* Modify a port, or add it, if the key is not found */
+extern int sepol_port_modify(sepol_handle_t * handle,
+ sepol_policydb_t * policydb,
+ const sepol_port_key_t * key,
+ const sepol_port_t * data);
+
+/* Iterate the ports
+ * The handler may return:
+ * -1 to signal an error condition,
+ * 1 to signal successful exit
+ * 0 to signal continue */
+
+extern int sepol_port_iterate(sepol_handle_t * handle,
+ const sepol_policydb_t * policydb,
+ int (*fn) (const sepol_port_t * port,
+ void *fn_arg), void *arg);
+
+#endif
diff --git a/include/sepol/roles.h b/include/sepol/roles.h
new file mode 100644
index 0000000..113f9d2
--- /dev/null
+++ b/include/sepol/roles.h
@@ -0,0 +1,10 @@
+#ifndef _SEPOL_ROLES_H_
+#define _SEPOL_ROLES_H_
+
+extern int sepol_role_exists(const sepol_policydb_t * policydb,
+ const char *role, int *response);
+
+extern int sepol_role_list(const sepol_policydb_t * policydb,
+ char ***roles, unsigned int *nroles);
+
+#endif
diff --git a/include/sepol/sepol.h b/include/sepol/sepol.h
new file mode 100644
index 0000000..c8900d3
--- /dev/null
+++ b/include/sepol/sepol.h
@@ -0,0 +1,28 @@
+#ifndef _SEPOL_H_
+#define _SEPOL_H_
+
+#include <stddef.h>
+#include <stdio.h>
+
+#include <sepol/user_record.h>
+#include <sepol/context_record.h>
+#include <sepol/iface_record.h>
+#include <sepol/port_record.h>
+#include <sepol/boolean_record.h>
+#include <sepol/node_record.h>
+
+#include <sepol/booleans.h>
+#include <sepol/interfaces.h>
+#include <sepol/ports.h>
+#include <sepol/nodes.h>
+#include <sepol/users.h>
+#include <sepol/handle.h>
+#include <sepol/debug.h>
+#include <sepol/policydb.h>
+#include <sepol/module.h>
+#include <sepol/context.h>
+
+/* Set internal policydb from a file for subsequent service calls. */
+extern int sepol_set_policydb_from_file(FILE * fp);
+
+#endif
diff --git a/include/sepol/user_record.h b/include/sepol/user_record.h
new file mode 100644
index 0000000..c86ad16
--- /dev/null
+++ b/include/sepol/user_record.h
@@ -0,0 +1,76 @@
+#ifndef _SEPOL_USER_RECORD_H_
+#define _SEPOL_USER_RECORD_H_
+
+#include <stddef.h>
+#include <sepol/handle.h>
+
+struct sepol_user;
+struct sepol_user_key;
+typedef struct sepol_user sepol_user_t;
+typedef struct sepol_user_key sepol_user_key_t;
+
+/* Key */
+extern int sepol_user_key_create(sepol_handle_t * handle,
+ const char *name, sepol_user_key_t ** key);
+
+extern void sepol_user_key_unpack(const sepol_user_key_t * key,
+ const char **name);
+
+extern int sepol_user_key_extract(sepol_handle_t * handle,
+ const sepol_user_t * user,
+ sepol_user_key_t ** key_ptr);
+
+extern void sepol_user_key_free(sepol_user_key_t * key);
+
+extern int sepol_user_compare(const sepol_user_t * user,
+ const sepol_user_key_t * key);
+
+extern int sepol_user_compare2(const sepol_user_t * user,
+ const sepol_user_t * user2);
+
+/* Name */
+extern const char *sepol_user_get_name(const sepol_user_t * user);
+
+extern int sepol_user_set_name(sepol_handle_t * handle,
+ sepol_user_t * user, const char *name);
+
+/* MLS */
+extern const char *sepol_user_get_mlslevel(const sepol_user_t * user);
+
+extern int sepol_user_set_mlslevel(sepol_handle_t * handle,
+ sepol_user_t * user, const char *mls_level);
+
+extern const char *sepol_user_get_mlsrange(const sepol_user_t * user);
+
+extern int sepol_user_set_mlsrange(sepol_handle_t * handle,
+ sepol_user_t * user, const char *mls_range);
+
+/* Role management */
+extern int sepol_user_get_num_roles(const sepol_user_t * user);
+
+extern int sepol_user_add_role(sepol_handle_t * handle,
+ sepol_user_t * user, const char *role);
+
+extern void sepol_user_del_role(sepol_user_t * user, const char *role);
+
+extern int sepol_user_has_role(const sepol_user_t * user, const char *role);
+
+extern int sepol_user_get_roles(sepol_handle_t * handle,
+ const sepol_user_t * user,
+ const char ***roles_arr,
+ unsigned int *num_roles);
+
+extern int sepol_user_set_roles(sepol_handle_t * handle,
+ sepol_user_t * user,
+ const char **roles_arr, unsigned int num_roles);
+
+/* Create/Clone/Destroy */
+extern int sepol_user_create(sepol_handle_t * handle, sepol_user_t ** user_ptr);
+
+extern int sepol_user_clone(sepol_handle_t * handle,
+ const sepol_user_t * user,
+ sepol_user_t ** user_ptr);
+
+extern void sepol_user_free(sepol_user_t * user);
+
+#endif
diff --git a/include/sepol/users.h b/include/sepol/users.h
new file mode 100644
index 0000000..01b0775
--- /dev/null
+++ b/include/sepol/users.h
@@ -0,0 +1,57 @@
+#ifndef _SEPOL_USERS_H_
+#define _SEPOL_USERS_H_
+
+#include <sepol/policydb.h>
+#include <sepol/user_record.h>
+#include <sepol/handle.h>
+#include <stddef.h>
+
+/*---------compatibility------------*/
+
+/* Given an existing binary policy (starting at 'data with length 'len')
+ and user configurations living in 'usersdir', generate a new binary
+ policy for the new user configurations. Sets '*newdata' and '*newlen'
+ to refer to the new binary policy image. */
+extern int sepol_genusers(void *data, size_t len,
+ const char *usersdir,
+ void **newdata, size_t * newlen);
+
+/* Enable or disable deletion of users by sepol_genusers(3) when
+ a user in original binary policy image is not defined by the
+ new user configurations. Defaults to disabled. */
+extern void sepol_set_delusers(int on);
+
+/*--------end compatibility----------*/
+
+/* Modify the user, or add it, if the key is not found */
+extern int sepol_user_modify(sepol_handle_t * handle,
+ sepol_policydb_t * policydb,
+ const sepol_user_key_t * key,
+ const sepol_user_t * data);
+
+/* Return the number of users */
+extern int sepol_user_count(sepol_handle_t * handle,
+ const sepol_policydb_t * p, unsigned int *response);
+
+/* Check if the specified user exists */
+extern int sepol_user_exists(sepol_handle_t * handle,
+ const sepol_policydb_t * policydb,
+ const sepol_user_key_t * key, int *response);
+
+/* Query a user - returns the user or NULL if not found */
+extern int sepol_user_query(sepol_handle_t * handle,
+ const sepol_policydb_t * p,
+ const sepol_user_key_t * key,
+ sepol_user_t ** response);
+
+/* Iterate the users
+ * The handler may return:
+ * -1 to signal an error condition,
+ * 1 to signal successful exit
+ * 0 to signal continue */
+extern int sepol_user_iterate(sepol_handle_t * handle,
+ const sepol_policydb_t * policydb,
+ int (*fn) (const sepol_user_t * user,
+ void *fn_arg), void *arg);
+
+#endif
diff --git a/man/Makefile b/man/Makefile
new file mode 100644
index 0000000..b96bc94
--- /dev/null
+++ b/man/Makefile
@@ -0,0 +1,10 @@
+# Installation directories.
+MAN8DIR ?= $(DESTDIR)/usr/share/man/man8
+MAN3DIR ?= $(DESTDIR)/usr/share/man/man3
+
+install:
+ mkdir -p $(MAN3DIR)
+ mkdir -p $(MAN8DIR)
+ install -m 644 man3/*.3 $(MAN3DIR)
+ install -m 644 man8/*.8 $(MAN8DIR)
+
diff --git a/man/man3/sepol_check_context.3 b/man/man3/sepol_check_context.3
new file mode 100644
index 0000000..a63cd56
--- /dev/null
+++ b/man/man3/sepol_check_context.3
@@ -0,0 +1,25 @@
+.TH "sepol_check_context" "3" "15 March 2005" "sds@tycho.nsa.gov" "SE Linux binary policy API documentation"
+.SH "NAME"
+sepol_check_context \- Check the validity of a security context against a binary policy.
+.SH "SYNOPSIS"
+.B #include <sepol/sepol.h>
+.sp
+.BI "int sepol_check_context(const char *" context ");"
+.sp
+.BI "int sepol_set_policydb_from_file(FILE *" fp ");"
+
+.SH "DESCRIPTION"
+.B sepol_check_context
+checks the validity of a security context against a binary policy
+previously loaded from a file via
+.B sepol_set_policydb_from_file.
+It is used by
+.B setfiles -c
+to validate a file contexts configuration against the binary policy
+upon policy builds. For validating a context against the active
+policy on a SELinux system, use
+.B security_check_context
+from libselinux instead.
+
+.SH "RETURN VALUE"
+Returns 0 on success or -1 with errno set otherwise.
diff --git a/man/man3/sepol_genbools.3 b/man/man3/sepol_genbools.3
new file mode 100644
index 0000000..0a30137
--- /dev/null
+++ b/man/man3/sepol_genbools.3
@@ -0,0 +1,30 @@
+.TH "sepol_genbools" "3" "11 August 2004" "sds@epoch.ncsc.mil" "SE Linux binary policy API documentation"
+.SH "NAME"
+sepol_genbools \- Rewrite a binary policy with different boolean settings
+.SH "SYNOPSIS"
+.B #include <sepol/sepol.h>
+.sp
+.BI "int sepol_genbools(void *" data ", size_t "len ", char *" boolpath );
+.br
+.BI "int sepol_genbools_array(void *" data ", size_t " len ", char **" names ", int *" values ", int " nel );
+
+.SH "DESCRIPTION"
+.B sepol_genbools
+rewrites a binary policy stored in the memory region described by
+(data, len) to use the boolean settings specified in the file named by
+boolpath. The boolean settings are specified by name=value lines
+where value may be 0 or false to disable or 1 or true to enable. The
+binary policy is rewritten in place in memory.
+
+.B sepol_genbools_array
+does likewise, but obtains the boolean settings from the parallel arrays
+(names, values) with nel elements each.
+
+.SH "RETURN VALUE"
+Returns 0 on success or -1 otherwise, with errno set appropriately.
+An errno of ENOENT indicates that the boolean file did not exist.
+An errno of EINVAL indicates that one or more booleans listed in the
+boolean file was undefined in the policy or had an invalid value specified;
+in this case, the binary policy is still rewritten but any invalid
+boolean settings are ignored.
+
diff --git a/man/man3/sepol_genusers.3 b/man/man3/sepol_genusers.3
new file mode 100644
index 0000000..05dff00
--- /dev/null
+++ b/man/man3/sepol_genusers.3
@@ -0,0 +1,54 @@
+.TH "sepol_genusers" "3" "15 March 2005" "sds@tycho.nsa.gov" "SE Linux binary policy API documentation"
+.SH "NAME"
+sepol_genusers \- Generate a new binary policy image with a customized user configuration
+.SH "SYNOPSIS"
+.B #include <sepol/sepol.h>
+.sp
+.BI "int sepol_genusers(void *" data ", size_t "len ", const char *" usersdir ", void *" newdata ", size_t *" newlen);
+.sp
+.BI "void sepol_set_delusers(int " on ");"
+
+.SH "DESCRIPTION"
+.B sepol_genusers
+generates a new binary policy image from
+an existing binary policy image stored in the memory region described by
+the starting address
+.I data
+and the length
+.I len
+and a pair of user configuration files named
+.B system.users
+and
+.B local.users
+from the directory specified by
+.I usersdir.
+The resulting binary policy is placed into dynamically allocated
+memory and the variables
+.I newdata
+and
+.I newlen
+are set to refer to the new binary image's starting address and length.
+The original binary policy image is not modified.
+
+By default,
+.B sepol_genusers
+will preserve user entries that are defined in the original binary policy image
+but not defined in the user configuration files. If such user entries
+should instead by omitted entirely from the new binary policy image, then
+the
+.B sepol_set_delusers
+function may be called with
+.I on
+set to 1 prior to calling
+.B sepol_genusers
+in order to enable deletion of such users.
+
+.SH "RETURN VALUE"
+Returns 0 on success or -1 otherwise, with errno set appropriately.
+An errno of ENOENT indicates that one or both of the user
+configuration files did not exist. An errno of EINVAL indicates that
+either the original binary policy image or the generated one were
+invalid. An errno of ENOMEM indicates that insufficient memory was
+available to process the original binary policy image or to generate
+the new policy image. Invalid entries in the user configuration files
+are skipped with a warning.
diff --git a/man/man8/chkcon.8 b/man/man8/chkcon.8
new file mode 100644
index 0000000..f8d75df
--- /dev/null
+++ b/man/man8/chkcon.8
@@ -0,0 +1,41 @@
+.\" Hey, Emacs! This is an -*- nroff -*- source file.
+.\" Copyright (c) 1997 Manoj Srivastava <srivasta@debian.org>
+.\"
+.\" This is free documentation; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License as
+.\" published by the Free Software Foundation; either version 2 of
+.\" the License, or (at your option) any later version.
+.\"
+.\" The GNU General Public License's references to "object code"
+.\" and "executables" are to be interpreted as the output of any
+.\" document formatting or typesetting system, including
+.\" intermediate and printed output.
+.\"
+.\" This manual is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public
+.\" License along with this manual; if not, write to the Free
+.\" Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139,
+.\" USA.
+.\"
+.TH CHKCON 8 "Mar 12 2005" "SELinux" "SELinux Command Line documentation"
+.SH NAME
+chkcon \- determine if a security context is valid for a given binary policy
+.SH SYNOPSIS
+chkcon policy_file context
+.SH DESCRIPTION
+This utility validates (the string representation of) a security context
+specified by the argument
+.I context
+against configuration data read in from a policy database binary
+representation file specified by the argument
+.I policy_file.
+.SH FILES
+policy file
+.SH AUTHOR
+This manual page (and just the manual page) was written by Manoj
+Srivastava <srivasta@debian.org>.
+
diff --git a/man/man8/genpolbools.8 b/man/man8/genpolbools.8
new file mode 100644
index 0000000..afeaced
--- /dev/null
+++ b/man/man8/genpolbools.8
@@ -0,0 +1,16 @@
+.TH "genpolbools" "8" "11 August 2004" "sds@epoch.ncsc.mil" "SELinux Command Line documentation"
+.SH "NAME"
+genpolbools \- Rewrite a binary policy with different boolean settings
+.SH "SYNOPSIS"
+.B genpolbools oldpolicy booleans newpolicy
+
+.SH "DESCRIPTION"
+.B genpolbools
+rewrites an existing binary policy with different boolean settings,
+generating a new binary policy. The booleans file specifies the
+different boolean settings using name=value lines, where value
+can be 0 or false to disable the boolean or 1 or true to enable it.
+
+
+
+
diff --git a/man/man8/genpolusers.8 b/man/man8/genpolusers.8
new file mode 100644
index 0000000..34d729a
--- /dev/null
+++ b/man/man8/genpolusers.8
@@ -0,0 +1,42 @@
+.\" Hey, Emacs! This is an -*- nroff -*- source file.
+.\" Copyright (c) 1997 Manoj Srivastava <srivasta@debian.org>
+.\"
+.\" This is free documentation; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License as
+.\" published by the Free Software Foundation; either version 2 of
+.\" the License, or (at your option) any later version.
+.\"
+.\" The GNU General Public License's references to "object code"
+.\" and "executables" are to be interpreted as the output of any
+.\" document formatting or typesetting system, including
+.\" intermediate and printed output.
+.\"
+.\" This manual is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public
+.\" License along with this manual; if not, write to the Free
+.\" Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139,
+.\" USA.
+.\"
+.TH GENPOLUSERS 8 "Mar 12 2005" "SELinux" "SELinux Command Line documentation"
+.SH NAME
+genpolusers \- Generate new binary policy with updated user configuration
+.SH SYNOPSIS
+genpolusers in-policy usersdir out-policy
+.SH DESCRIPTION
+Given an existing binary policy file
+.I in\-policy,
+generate a new binary policy
+.I out\-policy
+with an updated user configuration based on any
+.B system.users
+and
+.B local.users
+files in the specified
+.I usersdir.
+.SH AUTHOR
+This manual page (and just the manual page) was written by Manoj
+Srivastava <srivasta@debian.org>.
diff --git a/src/Makefile b/src/Makefile
new file mode 100644
index 0000000..73fdef8
--- /dev/null
+++ b/src/Makefile
@@ -0,0 +1,56 @@
+# Installation directories.
+PREFIX ?= $(DESTDIR)/usr
+INCLUDEDIR ?= $(PREFIX)/include
+LIBDIR ?= $(PREFIX)/lib
+SHLIBDIR ?= $(DESTDIR)/lib
+LIBBASE=$(shell basename $(LIBDIR))
+
+VERSION = $(shell cat ../VERSION)
+LIBVERSION = 1
+
+LIBA=libsepol.a
+TARGET=libsepol.so
+LIBPC=libsepol.pc
+LIBSO=$(TARGET).$(LIBVERSION)
+OBJS= $(patsubst %.c,%.o,$(wildcard *.c))
+LOBJS= $(patsubst %.c,%.lo,$(wildcard *.c))
+CFLAGS ?= -Werror -Wall -W -Wundef -Wshadow -Wmissing-noreturn -Wmissing-format-attribute
+override CFLAGS += -I. -I../include -D_GNU_SOURCE
+
+all: $(LIBA) $(LIBSO) $(LIBPC)
+
+$(LIBA): $(OBJS)
+ $(AR) rcs $@ $^
+ ranlib $@
+
+$(LIBSO): $(LOBJS)
+ $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -Wl,-soname,$(LIBSO),--version-script=libsepol.map,-z,defs
+ ln -sf $@ $(TARGET)
+
+$(LIBPC): $(LIBPC).in
+ sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBBASE):; s:@includedir@:$(INCLUDEDIR):' < $< > $@
+
+%.o: %.c
+ $(CC) $(CFLAGS) -fPIC -c -o $@ $<
+
+%.lo: %.c
+ $(CC) $(CFLAGS) -fPIC -DSHARED -c -o $@ $<
+
+install: all
+ test -d $(LIBDIR) || install -m 755 -d $(LIBDIR)
+ install -m 644 $(LIBA) $(LIBDIR)
+ test -d $(SHLIBDIR) || install -m 755 -d $(SHLIBDIR)
+ install -m 755 $(LIBSO) $(SHLIBDIR)
+ test -d $(LIBDIR)/pkgconfig || install -m 755 -d $(LIBDIR)/pkgconfig
+ install -m 644 $(LIBPC) $(LIBDIR)/pkgconfig
+ cd $(LIBDIR) && ln -sf ../../`basename $(SHLIBDIR)`/$(LIBSO) $(TARGET)
+
+relabel:
+ /sbin/restorecon $(SHLIBDIR)/$(LIBSO)
+
+clean:
+ -rm -f $(LIBPC) $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(TARGET)
+
+indent:
+ ../../scripts/Lindent $(wildcard *.[ch])
+
diff --git a/src/assertion.c b/src/assertion.c
new file mode 100644
index 0000000..a6e0c04
--- /dev/null
+++ b/src/assertion.c
@@ -0,0 +1,151 @@
+/* Authors: Joshua Brindle <jbrindle@tresys.com>
+ *
+ * Assertion checker for avtab entries, taken from
+ * checkpolicy.c by Stephen Smalley <sds@tycho.nsa.gov>
+ *
+ * Copyright (C) 2005 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include <sepol/policydb/avtab.h>
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/expand.h>
+#include <sepol/policydb/util.h>
+
+#include "debug.h"
+
+static int check_assertion_helper(sepol_handle_t * handle,
+ policydb_t * p,
+ avtab_t * te_avtab, avtab_t * te_cond_avtab,
+ unsigned int stype, unsigned int ttype,
+ class_perm_node_t * perm, unsigned long line)
+{
+ avtab_key_t avkey;
+ avtab_ptr_t node;
+ class_perm_node_t *curperm;
+
+ for (curperm = perm; curperm != NULL; curperm = curperm->next) {
+ avkey.source_type = stype + 1;
+ avkey.target_type = ttype + 1;
+ avkey.target_class = curperm->class;
+ avkey.specified = AVTAB_ALLOWED;
+ for (node = avtab_search_node(te_avtab, &avkey);
+ node != NULL;
+ node = avtab_search_node_next(node, avkey.specified)) {
+ if (node->datum.data & curperm->data)
+ goto err;
+ }
+ for (node = avtab_search_node(te_cond_avtab, &avkey);
+ node != NULL;
+ node = avtab_search_node_next(node, avkey.specified)) {
+ if (node->datum.data & curperm->data)
+ goto err;
+ }
+ }
+
+ return 0;
+
+ err:
+ if (line) {
+ ERR(handle, "neverallow on line %lu violated by allow %s %s:%s {%s };",
+ line, p->p_type_val_to_name[stype],
+ p->p_type_val_to_name[ttype],
+ p->p_class_val_to_name[curperm->class - 1],
+ sepol_av_to_string(p, curperm->class,
+ node->datum.data & curperm->data));
+ } else {
+ ERR(handle, "neverallow violated by allow %s %s:%s {%s };",
+ p->p_type_val_to_name[stype],
+ p->p_type_val_to_name[ttype],
+ p->p_class_val_to_name[curperm->class - 1],
+ sepol_av_to_string(p, curperm->class,
+ node->datum.data & curperm->data));
+ }
+ return -1;
+}
+
+int check_assertions(sepol_handle_t * handle, policydb_t * p,
+ avrule_t * avrules)
+{
+ avrule_t *a;
+ avtab_t te_avtab, te_cond_avtab;
+ ebitmap_node_t *snode, *tnode;
+ unsigned int i, j;
+ int rc;
+
+ if (!avrules) {
+ /* Since assertions are stored in avrules, if it is NULL
+ there won't be any to check. This also prevents an invalid
+ free if the avtabs are never initialized */
+ return 0;
+ }
+
+ if (avrules) {
+ if (avtab_init(&te_avtab))
+ goto oom;
+ if (avtab_init(&te_cond_avtab)) {
+ avtab_destroy(&te_avtab);
+ goto oom;
+ }
+ if (expand_avtab(p, &p->te_avtab, &te_avtab) ||
+ expand_avtab(p, &p->te_cond_avtab, &te_cond_avtab)) {
+ avtab_destroy(&te_avtab);
+ avtab_destroy(&te_cond_avtab);
+ goto oom;
+ }
+ }
+
+ for (a = avrules; a != NULL; a = a->next) {
+ ebitmap_t *stypes = &a->stypes.types;
+ ebitmap_t *ttypes = &a->ttypes.types;
+
+ if (!(a->specified & AVRULE_NEVERALLOW))
+ continue;
+
+ ebitmap_for_each_bit(stypes, snode, i) {
+ if (!ebitmap_node_get_bit(snode, i))
+ continue;
+ if (a->flags & RULE_SELF) {
+ if (check_assertion_helper
+ (handle, p, &te_avtab, &te_cond_avtab, i, i,
+ a->perms, a->line)) {
+ rc = -1;
+ goto out;
+ }
+ }
+ ebitmap_for_each_bit(ttypes, tnode, j) {
+ if (!ebitmap_node_get_bit(tnode, j))
+ continue;
+ if (check_assertion_helper
+ (handle, p, &te_avtab, &te_cond_avtab, i, j,
+ a->perms, a->line)) {
+ rc = -1;
+ goto out;
+ }
+ }
+ }
+ }
+
+ rc = 0;
+out:
+ avtab_destroy(&te_avtab);
+ avtab_destroy(&te_cond_avtab);
+ return rc;
+
+ oom:
+ ERR(handle, "Out of memory - unable to check neverallows");
+ return -1;
+}
diff --git a/src/av_permissions.h b/src/av_permissions.h
new file mode 100644
index 0000000..97278ed
--- /dev/null
+++ b/src/av_permissions.h
@@ -0,0 +1,3 @@
+/* Used by security_compute_av. */
+#define PROCESS__TRANSITION 0x00000002UL
+#define PROCESS__DYNTRANSITION 0x00800000UL
diff --git a/src/avrule_block.c b/src/avrule_block.c
new file mode 100644
index 0000000..16c89f3
--- /dev/null
+++ b/src/avrule_block.c
@@ -0,0 +1,202 @@
+/* Authors: Jason Tang <jtang@tresys.com>
+ *
+ * Functions that manipulate a logical block (conditional, optional,
+ * or global scope) for a policy module.
+ *
+ * Copyright (C) 2005 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/conditional.h>
+#include <sepol/policydb/avrule_block.h>
+
+#include <assert.h>
+#include <stdlib.h>
+
+/* It is anticipated that there be less declarations within an avrule
+ * block than the global policy. Thus the symbol table sizes are
+ * smaller than those listed in policydb.c */
+static unsigned int symtab_sizes[SYM_NUM] = {
+ 2,
+ 4,
+ 8,
+ 32,
+ 16,
+ 4,
+ 2,
+ 2,
+};
+
+avrule_block_t *avrule_block_create(void)
+{
+ avrule_block_t *block;
+ if ((block = calloc(1, sizeof(*block))) == NULL) {
+ return NULL;
+ }
+ return block;
+}
+
+avrule_decl_t *avrule_decl_create(uint32_t decl_id)
+{
+ avrule_decl_t *decl;
+ int i;
+ if ((decl = calloc(1, sizeof(*decl))) == NULL) {
+ return NULL;
+ }
+ decl->decl_id = decl_id;
+ for (i = 0; i < SYM_NUM; i++) {
+ if (symtab_init(&decl->symtab[i], symtab_sizes[i])) {
+ avrule_decl_destroy(decl);
+ free(decl);
+ return NULL;
+ }
+ }
+
+ for (i = 0; i < SYM_NUM; i++) {
+ ebitmap_init(&decl->required.scope[i]);
+ ebitmap_init(&decl->declared.scope[i]);
+ }
+ return decl;
+}
+
+/* note that unlike the other destroy functions, this one does /NOT/
+ * destroy the pointer itself */
+static void scope_index_destroy(scope_index_t * scope)
+{
+ unsigned int i;
+ if (scope == NULL) {
+ return;
+ }
+ for (i = 0; i < SYM_NUM; i++) {
+ ebitmap_destroy(scope->scope + i);
+ }
+ for (i = 0; i < scope->class_perms_len; i++) {
+ ebitmap_destroy(scope->class_perms_map + i);
+ }
+ free(scope->class_perms_map);
+}
+
+void avrule_decl_destroy(avrule_decl_t * x)
+{
+ if (x == NULL) {
+ return;
+ }
+ cond_list_destroy(x->cond_list);
+ avrule_list_destroy(x->avrules);
+ role_trans_rule_list_destroy(x->role_tr_rules);
+ filename_trans_rule_list_destroy(x->filename_trans_rules);
+ role_allow_rule_list_destroy(x->role_allow_rules);
+ range_trans_rule_list_destroy(x->range_tr_rules);
+ scope_index_destroy(&x->required);
+ scope_index_destroy(&x->declared);
+ symtabs_destroy(x->symtab);
+ free(x->module_name);
+ free(x);
+}
+
+void avrule_block_destroy(avrule_block_t * x)
+{
+ avrule_decl_t *decl;
+ if (x == NULL) {
+ return;
+ }
+ decl = x->branch_list;
+ while (decl != NULL) {
+ avrule_decl_t *next_decl = decl->next;
+ avrule_decl_destroy(decl);
+ decl = next_decl;
+ }
+ free(x);
+}
+
+void avrule_block_list_destroy(avrule_block_t * x)
+{
+ while (x != NULL) {
+ avrule_block_t *next = x->next;
+ avrule_block_destroy(x);
+ x = next;
+ }
+}
+
+/* Get a conditional node from a avrule_decl with the same expression.
+ * If that expression does not exist then create one. */
+cond_list_t *get_decl_cond_list(policydb_t * p, avrule_decl_t * decl,
+ cond_list_t * cond)
+{
+ cond_list_t *result;
+ int was_created;
+ result = cond_node_find(p, cond, decl->cond_list, &was_created);
+ if (result != NULL && was_created) {
+ result->next = decl->cond_list;
+ decl->cond_list = result;
+ }
+ return result;
+}
+
+/* Look up an identifier in a policy's scoping table. If it is there,
+ * marked as SCOPE_DECL, and any of its declaring block has been enabled,
+ * then return 1. Otherwise return 0. Can only be called after the
+ * decl_val_to_struct index has been created */
+int is_id_enabled(char *id, policydb_t * p, int symbol_table)
+{
+ scope_datum_t *scope =
+ (scope_datum_t *) hashtab_search(p->scope[symbol_table].table, id);
+ uint32_t i;
+ if (scope == NULL) {
+ return 0;
+ }
+ if (scope->scope != SCOPE_DECL) {
+ return 0;
+ }
+ for (i = 0; i < scope->decl_ids_len; i++) {
+ avrule_decl_t *decl =
+ p->decl_val_to_struct[scope->decl_ids[i] - 1];
+ if (decl != NULL && decl->enabled) {
+ return 1;
+ }
+ }
+ return 0;
+}
+
+/* Check if a particular permission is present within the given class,
+ * and that the class is enabled. Returns 1 if both conditions are
+ * true, 0 if neither could be found or if the class id disabled. */
+int is_perm_enabled(char *class_id, char *perm_id, policydb_t * p)
+{
+ class_datum_t *cladatum;
+ perm_datum_t *perm;
+ if (!is_id_enabled(class_id, p, SYM_CLASSES)) {
+ return 0;
+ }
+ cladatum =
+ (class_datum_t *) hashtab_search(p->p_classes.table, class_id);
+ if (cladatum == NULL) {
+ return 0;
+ }
+ perm = hashtab_search(cladatum->permissions.table, perm_id);
+ if (perm == NULL && cladatum->comdatum != 0) {
+ /* permission was not in this class. before giving
+ * up, check the class's parent */
+ perm =
+ hashtab_search(cladatum->comdatum->permissions.table,
+ perm_id);
+ }
+ if (perm == NULL) {
+ return 0;
+ }
+ return 1;
+}
diff --git a/src/avtab.c b/src/avtab.c
new file mode 100644
index 0000000..ea947cb
--- /dev/null
+++ b/src/avtab.c
@@ -0,0 +1,531 @@
+
+/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */
+
+/*
+ * Updated: Yuichi Nakamura <ynakam@hitachisoft.jp>
+ * Tuned number of hash slots for avtab to reduce memory usage
+ */
+
+/* Updated: Frank Mayer <mayerf@tresys.com>
+ * and Karl MacMillan <kmacmillan@mentalrootkit.com>
+ *
+ * Added conditional policy language extensions
+ *
+ * Updated: Red Hat, Inc. James Morris <jmorris@redhat.com>
+ *
+ * Code cleanup
+ *
+ * Updated: Karl MacMillan <kmacmillan@mentalrootkit.com>
+ *
+ * Copyright (C) 2003 Tresys Technology, LLC
+ * Copyright (C) 2003,2007 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+/* FLASK */
+
+/*
+ * Implementation of the access vector table type.
+ */
+
+#include <stdlib.h>
+#include <sepol/policydb/avtab.h>
+#include <sepol/policydb/policydb.h>
+#include <sepol/errcodes.h>
+
+#include "debug.h"
+#include "private.h"
+
+static inline int avtab_hash(struct avtab_key *keyp, uint16_t mask)
+{
+ return ((keyp->target_class + (keyp->target_type << 2) +
+ (keyp->source_type << 9)) & mask);
+}
+
+static avtab_ptr_t
+avtab_insert_node(avtab_t * h, int hvalue, avtab_ptr_t prev, avtab_key_t * key,
+ avtab_datum_t * datum)
+{
+ avtab_ptr_t newnode;
+ newnode = (avtab_ptr_t) malloc(sizeof(struct avtab_node));
+ if (newnode == NULL)
+ return NULL;
+ memset(newnode, 0, sizeof(struct avtab_node));
+ newnode->key = *key;
+ newnode->datum = *datum;
+ if (prev) {
+ newnode->next = prev->next;
+ prev->next = newnode;
+ } else {
+ newnode->next = h->htable[hvalue];
+ h->htable[hvalue] = newnode;
+ }
+
+ h->nel++;
+ return newnode;
+}
+
+int avtab_insert(avtab_t * h, avtab_key_t * key, avtab_datum_t * datum)
+{
+ int hvalue;
+ avtab_ptr_t prev, cur, newnode;
+ uint16_t specified =
+ key->specified & ~(AVTAB_ENABLED | AVTAB_ENABLED_OLD);
+
+ if (!h || !h->htable)
+ return SEPOL_ENOMEM;
+
+ hvalue = avtab_hash(key, h->mask);
+ for (prev = NULL, cur = h->htable[hvalue];
+ cur; prev = cur, cur = cur->next) {
+ if (key->source_type == cur->key.source_type &&
+ key->target_type == cur->key.target_type &&
+ key->target_class == cur->key.target_class &&
+ (specified & cur->key.specified))
+ return SEPOL_EEXIST;
+ if (key->source_type < cur->key.source_type)
+ break;
+ if (key->source_type == cur->key.source_type &&
+ key->target_type < cur->key.target_type)
+ break;
+ if (key->source_type == cur->key.source_type &&
+ key->target_type == cur->key.target_type &&
+ key->target_class < cur->key.target_class)
+ break;
+ }
+
+ newnode = avtab_insert_node(h, hvalue, prev, key, datum);
+ if (!newnode)
+ return SEPOL_ENOMEM;
+
+ return 0;
+}
+
+/* Unlike avtab_insert(), this function allow multiple insertions of the same
+ * key/specified mask into the table, as needed by the conditional avtab.
+ * It also returns a pointer to the node inserted.
+ */
+avtab_ptr_t
+avtab_insert_nonunique(avtab_t * h, avtab_key_t * key, avtab_datum_t * datum)
+{
+ int hvalue;
+ avtab_ptr_t prev, cur, newnode;
+ uint16_t specified =
+ key->specified & ~(AVTAB_ENABLED | AVTAB_ENABLED_OLD);
+
+ if (!h || !h->htable)
+ return NULL;
+ hvalue = avtab_hash(key, h->mask);
+ for (prev = NULL, cur = h->htable[hvalue];
+ cur; prev = cur, cur = cur->next) {
+ if (key->source_type == cur->key.source_type &&
+ key->target_type == cur->key.target_type &&
+ key->target_class == cur->key.target_class &&
+ (specified & cur->key.specified))
+ break;
+ if (key->source_type < cur->key.source_type)
+ break;
+ if (key->source_type == cur->key.source_type &&
+ key->target_type < cur->key.target_type)
+ break;
+ if (key->source_type == cur->key.source_type &&
+ key->target_type == cur->key.target_type &&
+ key->target_class < cur->key.target_class)
+ break;
+ }
+ newnode = avtab_insert_node(h, hvalue, prev, key, datum);
+
+ return newnode;
+}
+
+avtab_datum_t *avtab_search(avtab_t * h, avtab_key_t * key)
+{
+ int hvalue;
+ avtab_ptr_t cur;
+ uint16_t specified =
+ key->specified & ~(AVTAB_ENABLED | AVTAB_ENABLED_OLD);
+
+ if (!h || !h->htable)
+ return NULL;
+
+ hvalue = avtab_hash(key, h->mask);
+ for (cur = h->htable[hvalue]; cur; cur = cur->next) {
+ if (key->source_type == cur->key.source_type &&
+ key->target_type == cur->key.target_type &&
+ key->target_class == cur->key.target_class &&
+ (specified & cur->key.specified))
+ return &cur->datum;
+
+ if (key->source_type < cur->key.source_type)
+ break;
+ if (key->source_type == cur->key.source_type &&
+ key->target_type < cur->key.target_type)
+ break;
+ if (key->source_type == cur->key.source_type &&
+ key->target_type == cur->key.target_type &&
+ key->target_class < cur->key.target_class)
+ break;
+ }
+
+ return NULL;
+}
+
+/* This search function returns a node pointer, and can be used in
+ * conjunction with avtab_search_next_node()
+ */
+avtab_ptr_t avtab_search_node(avtab_t * h, avtab_key_t * key)
+{
+ int hvalue;
+ avtab_ptr_t cur;
+ uint16_t specified =
+ key->specified & ~(AVTAB_ENABLED | AVTAB_ENABLED_OLD);
+
+ if (!h || !h->htable)
+ return NULL;
+
+ hvalue = avtab_hash(key, h->mask);
+ for (cur = h->htable[hvalue]; cur; cur = cur->next) {
+ if (key->source_type == cur->key.source_type &&
+ key->target_type == cur->key.target_type &&
+ key->target_class == cur->key.target_class &&
+ (specified & cur->key.specified))
+ return cur;
+
+ if (key->source_type < cur->key.source_type)
+ break;
+ if (key->source_type == cur->key.source_type &&
+ key->target_type < cur->key.target_type)
+ break;
+ if (key->source_type == cur->key.source_type &&
+ key->target_type == cur->key.target_type &&
+ key->target_class < cur->key.target_class)
+ break;
+ }
+ return NULL;
+}
+
+avtab_ptr_t avtab_search_node_next(avtab_ptr_t node, int specified)
+{
+ avtab_ptr_t cur;
+
+ if (!node)
+ return NULL;
+
+ specified &= ~(AVTAB_ENABLED | AVTAB_ENABLED_OLD);
+ for (cur = node->next; cur; cur = cur->next) {
+ if (node->key.source_type == cur->key.source_type &&
+ node->key.target_type == cur->key.target_type &&
+ node->key.target_class == cur->key.target_class &&
+ (specified & cur->key.specified))
+ return cur;
+
+ if (node->key.source_type < cur->key.source_type)
+ break;
+ if (node->key.source_type == cur->key.source_type &&
+ node->key.target_type < cur->key.target_type)
+ break;
+ if (node->key.source_type == cur->key.source_type &&
+ node->key.target_type == cur->key.target_type &&
+ node->key.target_class < cur->key.target_class)
+ break;
+ }
+ return NULL;
+}
+
+void avtab_destroy(avtab_t * h)
+{
+ unsigned int i;
+ avtab_ptr_t cur, temp;
+
+ if (!h || !h->htable)
+ return;
+
+ for (i = 0; i < h->nslot; i++) {
+ cur = h->htable[i];
+ while (cur != NULL) {
+ temp = cur;
+ cur = cur->next;
+ free(temp);
+ }
+ h->htable[i] = NULL;
+ }
+ free(h->htable);
+ h->htable = NULL;
+ h->nslot = 0;
+ h->mask = 0;
+}
+
+int avtab_map(avtab_t * h,
+ int (*apply) (avtab_key_t * k,
+ avtab_datum_t * d, void *args), void *args)
+{
+ unsigned int i;
+ int ret;
+ avtab_ptr_t cur;
+
+ if (!h)
+ return 0;
+
+ for (i = 0; i < h->nslot; i++) {
+ cur = h->htable[i];
+ while (cur != NULL) {
+ ret = apply(&cur->key, &cur->datum, args);
+ if (ret)
+ return ret;
+ cur = cur->next;
+ }
+ }
+ return 0;
+}
+
+int avtab_init(avtab_t * h)
+{
+ h->htable = NULL;
+ h->nel = 0;
+ return 0;
+}
+
+int avtab_alloc(avtab_t *h, uint32_t nrules)
+{
+ uint16_t mask = 0;
+ uint32_t shift = 0;
+ uint32_t work = nrules;
+ uint32_t nslot = 0;
+
+ if (nrules == 0)
+ goto out;
+
+ while (work) {
+ work = work >> 1;
+ shift++;
+ }
+ if (shift > 2)
+ shift = shift - 2;
+ nslot = 1 << shift;
+ if (nslot > MAX_AVTAB_SIZE)
+ nslot = MAX_AVTAB_SIZE;
+ mask = nslot - 1;
+
+ h->htable = calloc(nslot, sizeof(avtab_ptr_t));
+ if (!h->htable)
+ return -1;
+out:
+ h->nel = 0;
+ h->nslot = nslot;
+ h->mask = mask;
+ return 0;
+}
+
+void avtab_hash_eval(avtab_t * h, char *tag)
+{
+ unsigned int i, chain_len, slots_used, max_chain_len;
+ avtab_ptr_t cur;
+
+ slots_used = 0;
+ max_chain_len = 0;
+ for (i = 0; i < h->nslot; i++) {
+ cur = h->htable[i];
+ if (cur) {
+ slots_used++;
+ chain_len = 0;
+ while (cur) {
+ chain_len++;
+ cur = cur->next;
+ }
+
+ if (chain_len > max_chain_len)
+ max_chain_len = chain_len;
+ }
+ }
+
+ printf
+ ("%s: %d entries and %d/%d buckets used, longest chain length %d\n",
+ tag, h->nel, slots_used, h->nslot, max_chain_len);
+}
+
+/* Ordering of datums in the original avtab format in the policy file. */
+static uint16_t spec_order[] = {
+ AVTAB_ALLOWED,
+ AVTAB_AUDITDENY,
+ AVTAB_AUDITALLOW,
+ AVTAB_TRANSITION,
+ AVTAB_CHANGE,
+ AVTAB_MEMBER
+};
+
+int avtab_read_item(struct policy_file *fp, uint32_t vers, avtab_t * a,
+ int (*insertf) (avtab_t * a, avtab_key_t * k,
+ avtab_datum_t * d, void *p), void *p)
+{
+ uint16_t buf16[4], enabled;
+ uint32_t buf32[7], items, items2, val;
+ avtab_key_t key;
+ avtab_datum_t datum;
+ unsigned set;
+ unsigned int i;
+ int rc;
+
+ memset(&key, 0, sizeof(avtab_key_t));
+ memset(&datum, 0, sizeof(avtab_datum_t));
+
+ if (vers < POLICYDB_VERSION_AVTAB) {
+ rc = next_entry(buf32, fp, sizeof(uint32_t));
+ if (rc < 0) {
+ ERR(fp->handle, "truncated entry");
+ return -1;
+ }
+ items2 = le32_to_cpu(buf32[0]);
+
+ if (items2 < 5 || items2 > ARRAY_SIZE(buf32)) {
+ ERR(fp->handle, "invalid item count");
+ return -1;
+ }
+
+ rc = next_entry(buf32, fp, sizeof(uint32_t) * items2);
+ if (rc < 0) {
+ ERR(fp->handle, "truncated entry");
+ return -1;
+ }
+
+ items = 0;
+ val = le32_to_cpu(buf32[items++]);
+ key.source_type = (uint16_t) val;
+ if (key.source_type != val) {
+ ERR(fp->handle, "truncated source type");
+ return -1;
+ }
+ val = le32_to_cpu(buf32[items++]);
+ key.target_type = (uint16_t) val;
+ if (key.target_type != val) {
+ ERR(fp->handle, "truncated target type");
+ return -1;
+ }
+ val = le32_to_cpu(buf32[items++]);
+ key.target_class = (uint16_t) val;
+ if (key.target_class != val) {
+ ERR(fp->handle, "truncated target class");
+ return -1;
+ }
+
+ val = le32_to_cpu(buf32[items++]);
+ enabled = (val & AVTAB_ENABLED_OLD) ? AVTAB_ENABLED : 0;
+
+ if (!(val & (AVTAB_AV | AVTAB_TYPE))) {
+ ERR(fp->handle, "null entry");
+ return -1;
+ }
+ if ((val & AVTAB_AV) && (val & AVTAB_TYPE)) {
+ ERR(fp->handle, "entry has both access "
+ "vectors and types");
+ return -1;
+ }
+
+ for (i = 0; i < ARRAY_SIZE(spec_order); i++) {
+ if (val & spec_order[i]) {
+ key.specified = spec_order[i] | enabled;
+ datum.data = le32_to_cpu(buf32[items++]);
+ rc = insertf(a, &key, &datum, p);
+ if (rc)
+ return rc;
+ }
+ }
+
+ if (items != items2) {
+ ERR(fp->handle, "entry only had %d items, "
+ "expected %d", items2, items);
+ return -1;
+ }
+ return 0;
+ }
+
+ rc = next_entry(buf16, fp, sizeof(uint16_t) * 4);
+ if (rc < 0) {
+ ERR(fp->handle, "truncated entry");
+ return -1;
+ }
+ items = 0;
+ key.source_type = le16_to_cpu(buf16[items++]);
+ key.target_type = le16_to_cpu(buf16[items++]);
+ key.target_class = le16_to_cpu(buf16[items++]);
+ key.specified = le16_to_cpu(buf16[items++]);
+
+ set = 0;
+ for (i = 0; i < ARRAY_SIZE(spec_order); i++) {
+ if (key.specified & spec_order[i])
+ set++;
+ }
+ if (!set || set > 1) {
+ ERR(fp->handle, "more than one specifier");
+ return -1;
+ }
+
+ rc = next_entry(buf32, fp, sizeof(uint32_t));
+ if (rc < 0) {
+ ERR(fp->handle, "truncated entry");
+ return -1;
+ }
+ datum.data = le32_to_cpu(*buf32);
+ return insertf(a, &key, &datum, p);
+}
+
+static int avtab_insertf(avtab_t * a, avtab_key_t * k, avtab_datum_t * d,
+ void *p __attribute__ ((unused)))
+{
+ return avtab_insert(a, k, d);
+}
+
+int avtab_read(avtab_t * a, struct policy_file *fp, uint32_t vers)
+{
+ unsigned int i;
+ int rc;
+ uint32_t buf[1];
+ uint32_t nel;
+
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0) {
+ ERR(fp->handle, "truncated table");
+ goto bad;
+ }
+ nel = le32_to_cpu(buf[0]);
+ if (!nel) {
+ ERR(fp->handle, "table is empty");
+ goto bad;
+ }
+
+ rc = avtab_alloc(a, nel);
+ if (rc) {
+ ERR(fp->handle, "out of memory");
+ goto bad;
+ }
+
+ for (i = 0; i < nel; i++) {
+ rc = avtab_read_item(fp, vers, a, avtab_insertf, NULL);
+ if (rc) {
+ if (rc == SEPOL_ENOMEM)
+ ERR(fp->handle, "out of memory");
+ if (rc == SEPOL_EEXIST)
+ ERR(fp->handle, "duplicate entry");
+ ERR(fp->handle, "failed on entry %d of %u", i, nel);
+ goto bad;
+ }
+ }
+
+ return 0;
+
+ bad:
+ avtab_destroy(a);
+ return -1;
+}
diff --git a/src/boolean_internal.h b/src/boolean_internal.h
new file mode 100644
index 0000000..aad7ade
--- /dev/null
+++ b/src/boolean_internal.h
@@ -0,0 +1,16 @@
+#ifndef _SEPOL_BOOLEAN_INTERNAL_H_
+#define _SEPOL_BOOLEAN_INTERNAL_H_
+
+#include <sepol/boolean_record.h>
+#include <sepol/booleans.h>
+#include "dso.h"
+
+hidden_proto(sepol_bool_key_create)
+ hidden_proto(sepol_bool_key_unpack)
+ hidden_proto(sepol_bool_get_name)
+ hidden_proto(sepol_bool_set_name)
+ hidden_proto(sepol_bool_get_value)
+ hidden_proto(sepol_bool_set_value)
+ hidden_proto(sepol_bool_create)
+ hidden_proto(sepol_bool_free)
+#endif
diff --git a/src/boolean_record.c b/src/boolean_record.c
new file mode 100644
index 0000000..8b64413
--- /dev/null
+++ b/src/boolean_record.c
@@ -0,0 +1,180 @@
+#include <errno.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "boolean_internal.h"
+#include "debug.h"
+
+struct sepol_bool {
+ /* This boolean's name */
+ char *name;
+
+ /* Its value */
+ int value;
+};
+
+struct sepol_bool_key {
+ /* This boolean's name */
+ const char *name;
+};
+
+int sepol_bool_key_create(sepol_handle_t * handle,
+ const char *name, sepol_bool_key_t ** key_ptr)
+{
+
+ sepol_bool_key_t *tmp_key =
+ (sepol_bool_key_t *) malloc(sizeof(struct sepol_bool_key));
+
+ if (!tmp_key) {
+ ERR(handle, "out of memory, " "could not create boolean key");
+ return STATUS_ERR;
+ }
+
+ tmp_key->name = name;
+
+ *key_ptr = tmp_key;
+ return STATUS_SUCCESS;
+}
+
+hidden_def(sepol_bool_key_create)
+
+void sepol_bool_key_unpack(const sepol_bool_key_t * key, const char **name)
+{
+
+ *name = key->name;
+}
+
+hidden_def(sepol_bool_key_unpack)
+
+int sepol_bool_key_extract(sepol_handle_t * handle,
+ const sepol_bool_t * boolean,
+ sepol_bool_key_t ** key_ptr)
+{
+
+ if (sepol_bool_key_create(handle, boolean->name, key_ptr) < 0) {
+ ERR(handle, "could not extract key from boolean %s",
+ boolean->name);
+ return STATUS_ERR;
+ }
+
+ return STATUS_SUCCESS;
+}
+
+void sepol_bool_key_free(sepol_bool_key_t * key)
+{
+ free(key);
+}
+
+int sepol_bool_compare(const sepol_bool_t * boolean,
+ const sepol_bool_key_t * key)
+{
+
+ return strcmp(boolean->name, key->name);
+}
+
+int sepol_bool_compare2(const sepol_bool_t * boolean,
+ const sepol_bool_t * boolean2)
+{
+
+ return strcmp(boolean->name, boolean2->name);
+}
+
+/* Name */
+const char *sepol_bool_get_name(const sepol_bool_t * boolean)
+{
+
+ return boolean->name;
+}
+
+hidden_def(sepol_bool_get_name)
+
+int sepol_bool_set_name(sepol_handle_t * handle,
+ sepol_bool_t * boolean, const char *name)
+{
+
+ char *tmp_name = strdup(name);
+ if (!tmp_name) {
+ ERR(handle, "out of memory, could not set boolean name");
+ return STATUS_ERR;
+ }
+ free(boolean->name);
+ boolean->name = tmp_name;
+ return STATUS_SUCCESS;
+}
+
+hidden_def(sepol_bool_set_name)
+
+/* Value */
+int sepol_bool_get_value(const sepol_bool_t * boolean)
+{
+
+ return boolean->value;
+}
+
+hidden_def(sepol_bool_get_value)
+
+void sepol_bool_set_value(sepol_bool_t * boolean, int value)
+{
+
+ boolean->value = value;
+}
+
+hidden_def(sepol_bool_set_value)
+
+/* Create */
+int sepol_bool_create(sepol_handle_t * handle, sepol_bool_t ** bool_ptr)
+{
+
+ sepol_bool_t *boolean = (sepol_bool_t *) malloc(sizeof(sepol_bool_t));
+
+ if (!boolean) {
+ ERR(handle, "out of memory, "
+ "could not create boolean record");
+ return STATUS_ERR;
+ }
+
+ boolean->name = NULL;
+ boolean->value = 0;
+
+ *bool_ptr = boolean;
+ return STATUS_SUCCESS;
+}
+
+hidden_def(sepol_bool_create)
+
+/* Deep copy clone */
+int sepol_bool_clone(sepol_handle_t * handle,
+ const sepol_bool_t * boolean, sepol_bool_t ** bool_ptr)
+{
+
+ sepol_bool_t *new_bool = NULL;
+
+ if (sepol_bool_create(handle, &new_bool) < 0)
+ goto err;
+
+ if (sepol_bool_set_name(handle, new_bool, boolean->name) < 0)
+ goto err;
+
+ new_bool->value = boolean->value;
+
+ *bool_ptr = new_bool;
+ return STATUS_SUCCESS;
+
+ err:
+ ERR(handle, "could not clone boolean record");
+ sepol_bool_free(new_bool);
+ return STATUS_ERR;
+}
+
+/* Destroy */
+void sepol_bool_free(sepol_bool_t * boolean)
+{
+
+ if (!boolean)
+ return;
+
+ free(boolean->name);
+ free(boolean);
+}
+
+hidden_def(sepol_bool_free)
diff --git a/src/booleans.c b/src/booleans.c
new file mode 100644
index 0000000..03f8c98
--- /dev/null
+++ b/src/booleans.c
@@ -0,0 +1,216 @@
+#include <string.h>
+#include <stdlib.h>
+
+#include "handle.h"
+#include "private.h"
+#include "debug.h"
+
+#include <sepol/booleans.h>
+#include <sepol/policydb/hashtab.h>
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/conditional.h>
+#include "boolean_internal.h"
+
+static int bool_update(sepol_handle_t * handle,
+ policydb_t * policydb,
+ const sepol_bool_key_t * key, const sepol_bool_t * data)
+{
+
+ const char *cname;
+ char *name;
+ int value;
+
+ sepol_bool_key_unpack(key, &cname);
+ name = strdup(cname);
+ value = sepol_bool_get_value(data);
+
+ if (!name)
+ goto omem;
+
+ cond_bool_datum_t *datum =
+ hashtab_search(policydb->p_bools.table, name);
+ if (!datum) {
+ ERR(handle, "boolean %s no longer in policy", name);
+ goto err;
+ }
+ if (value != 0 && value != 1) {
+ ERR(handle, "illegal value %d for boolean %s", value, name);
+ goto err;
+ }
+
+ free(name);
+ datum->state = value;
+ return STATUS_SUCCESS;
+
+ omem:
+ ERR(handle, "out of memory");
+
+ err:
+ free(name);
+ ERR(handle, "could not update boolean %s", cname);
+ return STATUS_ERR;
+}
+
+static int bool_to_record(sepol_handle_t * handle,
+ const policydb_t * policydb,
+ int bool_idx, sepol_bool_t ** record)
+{
+
+ const char *name = policydb->p_bool_val_to_name[bool_idx];
+ cond_bool_datum_t *booldatum = policydb->bool_val_to_struct[bool_idx];
+ int value = booldatum->state;
+
+ sepol_bool_t *tmp_record = NULL;
+
+ if (sepol_bool_create(handle, &tmp_record) < 0)
+ goto err;
+
+ if (sepol_bool_set_name(handle, tmp_record, name) < 0)
+ goto err;
+
+ sepol_bool_set_value(tmp_record, value);
+
+ *record = tmp_record;
+ return STATUS_SUCCESS;
+
+ err:
+ ERR(handle, "could not convert boolean %s to record", name);
+ sepol_bool_free(tmp_record);
+ return STATUS_ERR;
+}
+
+int sepol_bool_set(sepol_handle_t * handle,
+ sepol_policydb_t * p,
+ const sepol_bool_key_t * key, const sepol_bool_t * data)
+{
+
+ const char *name;
+ sepol_bool_key_unpack(key, &name);
+
+ policydb_t *policydb = &p->p;
+ if (bool_update(handle, policydb, key, data) < 0)
+ goto err;
+
+ if (evaluate_conds(policydb) < 0) {
+ ERR(handle, "error while re-evaluating conditionals");
+ goto err;
+ }
+
+ return STATUS_SUCCESS;
+
+ err:
+ ERR(handle, "could not set boolean %s", name);
+ return STATUS_ERR;
+}
+
+int sepol_bool_count(sepol_handle_t * handle __attribute__ ((unused)),
+ const sepol_policydb_t * p, unsigned int *response)
+{
+
+ const policydb_t *policydb = &p->p;
+ *response = policydb->p_bools.nprim;
+
+ handle = NULL;
+ return STATUS_SUCCESS;
+}
+
+int sepol_bool_exists(sepol_handle_t * handle,
+ const sepol_policydb_t * p,
+ const sepol_bool_key_t * key, int *response)
+{
+
+ const policydb_t *policydb = &p->p;
+
+ const char *cname;
+ char *name = NULL;
+ sepol_bool_key_unpack(key, &cname);
+ name = strdup(cname);
+
+ if (!name) {
+ ERR(handle, "out of memory, could not check "
+ "if user %s exists", cname);
+ return STATUS_ERR;
+ }
+
+ *response = (hashtab_search(policydb->p_bools.table, name) != NULL);
+ free(name);
+ return STATUS_SUCCESS;
+}
+
+int sepol_bool_query(sepol_handle_t * handle,
+ const sepol_policydb_t * p,
+ const sepol_bool_key_t * key, sepol_bool_t ** response)
+{
+
+ const policydb_t *policydb = &p->p;
+ cond_bool_datum_t *booldatum = NULL;
+
+ const char *cname;
+ char *name = NULL;
+ sepol_bool_key_unpack(key, &cname);
+ name = strdup(cname);
+
+ if (!name)
+ goto omem;
+
+ booldatum = hashtab_search(policydb->p_bools.table, name);
+ if (!booldatum) {
+ *response = NULL;
+ return STATUS_SUCCESS;
+ }
+
+ if (bool_to_record(handle, policydb,
+ booldatum->s.value - 1, response) < 0)
+ goto err;
+
+ free(name);
+ return STATUS_SUCCESS;
+
+ omem:
+ ERR(handle, "out of memory");
+
+ err:
+ ERR(handle, "could not query boolean %s", cname);
+ free(name);
+ return STATUS_ERR;
+}
+
+int sepol_bool_iterate(sepol_handle_t * handle,
+ const sepol_policydb_t * p,
+ int (*fn) (const sepol_bool_t * boolean,
+ void *fn_arg), void *arg)
+{
+
+ const policydb_t *policydb = &p->p;
+ unsigned int nbools = policydb->p_bools.nprim;
+ sepol_bool_t *boolean = NULL;
+ unsigned int i;
+
+ /* For each boolean */
+ for (i = 0; i < nbools; i++) {
+
+ int status;
+
+ if (bool_to_record(handle, policydb, i, &boolean) < 0)
+ goto err;
+
+ /* Invoke handler */
+ status = fn(boolean, arg);
+ if (status < 0)
+ goto err;
+
+ sepol_bool_free(boolean);
+ boolean = NULL;
+
+ /* Handler requested exit */
+ if (status > 0)
+ break;
+ }
+
+ return STATUS_SUCCESS;
+
+ err:
+ ERR(handle, "could not iterate over booleans");
+ sepol_bool_free(boolean);
+ return STATUS_ERR;
+}
diff --git a/src/conditional.c b/src/conditional.c
new file mode 100644
index 0000000..1482387
--- /dev/null
+++ b/src/conditional.c
@@ -0,0 +1,905 @@
+/* Authors: Karl MacMillan <kmacmillan@tresys.com>
+ * Frank Mayer <mayerf@tresys.com>
+ * David Caplan <dac@tresys.com>
+ *
+ * Copyright (C) 2003 - 2005 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include <stdlib.h>
+
+#include <sepol/policydb/flask_types.h>
+#include <sepol/policydb/conditional.h>
+
+#include "private.h"
+
+/* move all type rules to top of t/f lists to help kernel on evaluation */
+static void cond_optimize(cond_av_list_t ** l)
+{
+ cond_av_list_t *top, *p, *cur;
+
+ top = p = cur = *l;
+
+ while (cur) {
+ if ((cur->node->key.specified & AVTAB_TYPE) && (top != cur)) {
+ p->next = cur->next;
+ cur->next = top;
+ top = cur;
+ cur = p->next;
+ } else {
+ p = cur;
+ cur = cur->next;
+ }
+ }
+ *l = top;
+}
+
+/* reorder t/f lists for kernel */
+void cond_optimize_lists(cond_list_t * cl)
+{
+ cond_list_t *n;
+
+ for (n = cl; n != NULL; n = n->next) {
+ cond_optimize(&n->true_list);
+ cond_optimize(&n->false_list);
+ }
+}
+
+static int bool_present(unsigned int target, unsigned int bools[],
+ unsigned int num_bools)
+{
+ unsigned int i = 0;
+ int ret = 1;
+
+ if (num_bools > COND_MAX_BOOLS) {
+ return 0;
+ }
+ while (i < num_bools && target != bools[i])
+ i++;
+ if (i == num_bools)
+ ret = 0; /* got to end w/o match */
+ return ret;
+}
+
+static int same_bools(cond_node_t * a, cond_node_t * b)
+{
+ unsigned int i, x;
+
+ x = a->nbools;
+
+ /* same number of bools? */
+ if (x != b->nbools)
+ return 0;
+
+ /* make sure all the bools in a are also in b */
+ for (i = 0; i < x; i++)
+ if (!bool_present(a->bool_ids[i], b->bool_ids, x))
+ return 0;
+ return 1;
+}
+
+/*
+ * Determine if two conditional expressions are equal.
+ */
+int cond_expr_equal(cond_node_t * a, cond_node_t * b)
+{
+ cond_expr_t *cur_a, *cur_b;
+
+ if (a == NULL || b == NULL)
+ return 0;
+
+ if (a->nbools != b->nbools)
+ return 0;
+
+ /* if exprs have <= COND_MAX_BOOLS we can check the precompute values
+ * for the expressions.
+ */
+ if (a->nbools <= COND_MAX_BOOLS && b->nbools <= COND_MAX_BOOLS) {
+ if (!same_bools(a, b))
+ return 0;
+ return (a->expr_pre_comp == b->expr_pre_comp);
+ }
+
+ /* for long expressions we check for exactly the same expression */
+ cur_a = a->expr;
+ cur_b = b->expr;
+ while (1) {
+ if (cur_a == NULL && cur_b == NULL)
+ return 1;
+ else if (cur_a == NULL || cur_b == NULL)
+ return 0;
+ if (cur_a->expr_type != cur_b->expr_type)
+ return 0;
+ if (cur_a->expr_type == COND_BOOL) {
+ if (cur_a->bool != cur_b->bool)
+ return 0;
+ }
+ cur_a = cur_a->next;
+ cur_b = cur_b->next;
+ }
+ return 1;
+}
+
+/* Create a new conditional node, optionally copying
+ * the conditional expression from an existing node.
+ * If node is NULL then a new node will be created
+ * with no conditional expression.
+ */
+cond_node_t *cond_node_create(policydb_t * p, cond_node_t * node)
+{
+ cond_node_t *new_node;
+ unsigned int i;
+
+ new_node = (cond_node_t *)malloc(sizeof(cond_node_t));
+ if (!new_node) {
+ return NULL;
+ }
+ memset(new_node, 0, sizeof(cond_node_t));
+
+ if (node) {
+ new_node->expr = cond_copy_expr(node->expr);
+ if (!new_node->expr) {
+ free(new_node);
+ return NULL;
+ }
+ new_node->cur_state = cond_evaluate_expr(p, new_node->expr);
+ new_node->nbools = node->nbools;
+ for (i = 0; i < min(node->nbools, COND_MAX_BOOLS); i++)
+ new_node->bool_ids[i] = node->bool_ids[i];
+ new_node->expr_pre_comp = node->expr_pre_comp;
+ }
+
+ return new_node;
+}
+
+/* Find a conditional (the needle) within a list of existing ones (the
+ * haystack) that has a matching expression. If found, return a
+ * pointer to the existing node, setting 'was_created' to 0.
+ * Otherwise create a new one and return it, setting 'was_created' to
+ * 1. */
+cond_node_t *cond_node_find(policydb_t * p,
+ cond_node_t * needle, cond_node_t * haystack,
+ int *was_created)
+{
+ while (haystack) {
+ if (cond_expr_equal(needle, haystack)) {
+ *was_created = 0;
+ return haystack;
+ }
+ haystack = haystack->next;
+ }
+ *was_created = 1;
+
+ return cond_node_create(p, needle);
+}
+
+/* return either a pre-existing matching node or create a new node */
+cond_node_t *cond_node_search(policydb_t * p, cond_node_t * list,
+ cond_node_t * cn)
+{
+ int was_created;
+ cond_node_t *result = cond_node_find(p, cn, list, &was_created);
+ if (result != NULL && was_created) {
+ /* add conditional node to policy list */
+ result->next = p->cond_list;
+ p->cond_list = result;
+ }
+ return result;
+}
+
+/*
+ * cond_evaluate_expr evaluates a conditional expr
+ * in reverse polish notation. It returns true (1), false (0),
+ * or undefined (-1). Undefined occurs when the expression
+ * exceeds the stack depth of COND_EXPR_MAXDEPTH.
+ */
+int cond_evaluate_expr(policydb_t * p, cond_expr_t * expr)
+{
+
+ cond_expr_t *cur;
+ int s[COND_EXPR_MAXDEPTH];
+ int sp = -1;
+
+ s[0] = -1;
+
+ for (cur = expr; cur != NULL; cur = cur->next) {
+ switch (cur->expr_type) {
+ case COND_BOOL:
+ if (sp == (COND_EXPR_MAXDEPTH - 1))
+ return -1;
+ sp++;
+ s[sp] = p->bool_val_to_struct[cur->bool - 1]->state;
+ break;
+ case COND_NOT:
+ if (sp < 0)
+ return -1;
+ s[sp] = !s[sp];
+ break;
+ case COND_OR:
+ if (sp < 1)
+ return -1;
+ sp--;
+ s[sp] |= s[sp + 1];
+ break;
+ case COND_AND:
+ if (sp < 1)
+ return -1;
+ sp--;
+ s[sp] &= s[sp + 1];
+ break;
+ case COND_XOR:
+ if (sp < 1)
+ return -1;
+ sp--;
+ s[sp] ^= s[sp + 1];
+ break;
+ case COND_EQ:
+ if (sp < 1)
+ return -1;
+ sp--;
+ s[sp] = (s[sp] == s[sp + 1]);
+ break;
+ case COND_NEQ:
+ if (sp < 1)
+ return -1;
+ sp--;
+ s[sp] = (s[sp] != s[sp + 1]);
+ break;
+ default:
+ return -1;
+ }
+ }
+ return s[0];
+}
+
+cond_expr_t *cond_copy_expr(cond_expr_t * expr)
+{
+ cond_expr_t *cur, *head, *tail, *new_expr;
+ tail = head = NULL;
+ cur = expr;
+ while (cur) {
+ new_expr = (cond_expr_t *) malloc(sizeof(cond_expr_t));
+ if (!new_expr)
+ goto free_head;
+ memset(new_expr, 0, sizeof(cond_expr_t));
+
+ new_expr->expr_type = cur->expr_type;
+ new_expr->bool = cur->bool;
+
+ if (!head)
+ head = new_expr;
+ if (tail)
+ tail->next = new_expr;
+ tail = new_expr;
+ cur = cur->next;
+ }
+ return head;
+
+ free_head:
+ while (head) {
+ tail = head->next;
+ free(head);
+ head = tail;
+ }
+ return NULL;
+}
+
+/*
+ * evaluate_cond_node evaluates the conditional stored in
+ * a cond_node_t and if the result is different than the
+ * current state of the node it sets the rules in the true/false
+ * list appropriately. If the result of the expression is undefined
+ * all of the rules are disabled for safety.
+ */
+static int evaluate_cond_node(policydb_t * p, cond_node_t * node)
+{
+ int new_state;
+ cond_av_list_t *cur;
+
+ new_state = cond_evaluate_expr(p, node->expr);
+ if (new_state != node->cur_state) {
+ node->cur_state = new_state;
+ if (new_state == -1)
+ printf
+ ("expression result was undefined - disabling all rules.\n");
+ /* turn the rules on or off */
+ for (cur = node->true_list; cur != NULL; cur = cur->next) {
+ if (new_state <= 0) {
+ cur->node->key.specified &= ~AVTAB_ENABLED;
+ } else {
+ cur->node->key.specified |= AVTAB_ENABLED;
+ }
+ }
+
+ for (cur = node->false_list; cur != NULL; cur = cur->next) {
+ /* -1 or 1 */
+ if (new_state) {
+ cur->node->key.specified &= ~AVTAB_ENABLED;
+ } else {
+ cur->node->key.specified |= AVTAB_ENABLED;
+ }
+ }
+ }
+ return 0;
+}
+
+/* precompute and simplify an expression if possible. If left with !expression, change
+ * to expression and switch t and f. precompute expression for expressions with limited
+ * number of bools.
+ */
+int cond_normalize_expr(policydb_t * p, cond_node_t * cn)
+{
+ cond_expr_t *ne, *e;
+ cond_av_list_t *tmp;
+ unsigned int i, j, orig_value[COND_MAX_BOOLS];
+ int k;
+ uint32_t test = 0x0;
+ avrule_t *tmp2;
+
+ cn->nbools = 0;
+
+ memset(cn->bool_ids, 0, sizeof(cn->bool_ids));
+ cn->expr_pre_comp = 0x0;
+
+ /* take care of !expr case */
+ ne = NULL;
+ e = cn->expr;
+
+ /* becuase it's RPN look at last element */
+ while (e->next != NULL) {
+ ne = e;
+ e = e->next;
+ }
+ if (e->expr_type == COND_NOT) {
+ if (ne) {
+ ne->next = NULL;
+ } else { /* ne should never be NULL */
+ printf
+ ("Found expr with no bools and only a ! - this should never happen.\n");
+ return -1;
+ }
+ /* swap the true and false lists */
+ tmp = cn->true_list;
+ cn->true_list = cn->false_list;
+ cn->false_list = tmp;
+ tmp2 = cn->avtrue_list;
+ cn->avtrue_list = cn->avfalse_list;
+ cn->avfalse_list = tmp2;
+
+ /* free the "not" node in the list */
+ free(e);
+ }
+
+ /* find all the bools in the expression */
+ for (e = cn->expr; e != NULL; e = e->next) {
+ switch (e->expr_type) {
+ case COND_BOOL:
+ i = 0;
+ /* see if we've already seen this bool */
+ if (!bool_present(e->bool, cn->bool_ids, cn->nbools)) {
+ /* count em all but only record up to COND_MAX_BOOLS */
+ if (cn->nbools < COND_MAX_BOOLS)
+ cn->bool_ids[cn->nbools++] = e->bool;
+ else
+ cn->nbools++;
+ }
+ break;
+ default:
+ break;
+ }
+ }
+
+ /* only precompute for exprs with <= COND_AX_BOOLS */
+ if (cn->nbools <= COND_MAX_BOOLS) {
+ /* save the default values for the bools so we can play with them */
+ for (i = 0; i < cn->nbools; i++) {
+ orig_value[i] =
+ p->bool_val_to_struct[cn->bool_ids[i] - 1]->state;
+ }
+
+ /* loop through all possible combinations of values for bools in expression */
+ for (test = 0x0; test < (0x1U << cn->nbools); test++) {
+ /* temporarily set the value for all the bools in the
+ * expression using the corr. bit in test */
+ for (j = 0; j < cn->nbools; j++) {
+ p->bool_val_to_struct[cn->bool_ids[j] -
+ 1]->state =
+ (test & (0x1 << j)) ? 1 : 0;
+ }
+ k = cond_evaluate_expr(p, cn->expr);
+ if (k == -1) {
+ printf
+ ("While testing expression, expression result "
+ "was undefined - this should never happen.\n");
+ return -1;
+ }
+ /* set the bit if expression evaluates true */
+ if (k)
+ cn->expr_pre_comp |= 0x1 << test;
+ }
+
+ /* restore bool default values */
+ for (i = 0; i < cn->nbools; i++)
+ p->bool_val_to_struct[cn->bool_ids[i] - 1]->state =
+ orig_value[i];
+ }
+ return 0;
+}
+
+int evaluate_conds(policydb_t * p)
+{
+ int ret;
+ cond_node_t *cur;
+
+ for (cur = p->cond_list; cur != NULL; cur = cur->next) {
+ ret = evaluate_cond_node(p, cur);
+ if (ret)
+ return ret;
+ }
+ return 0;
+}
+
+int cond_policydb_init(policydb_t * p)
+{
+ p->bool_val_to_struct = NULL;
+ p->cond_list = NULL;
+ if (avtab_init(&p->te_cond_avtab))
+ return -1;
+
+ return 0;
+}
+
+void cond_av_list_destroy(cond_av_list_t * list)
+{
+ cond_av_list_t *cur, *next;
+ for (cur = list; cur != NULL; cur = next) {
+ next = cur->next;
+ /* the avtab_ptr_t node is destroy by the avtab */
+ free(cur);
+ }
+}
+
+void cond_expr_destroy(cond_expr_t * expr)
+{
+ cond_expr_t *cur_expr, *next_expr;
+
+ if (!expr)
+ return;
+
+ for (cur_expr = expr; cur_expr != NULL; cur_expr = next_expr) {
+ next_expr = cur_expr->next;
+ free(cur_expr);
+ }
+}
+
+void cond_node_destroy(cond_node_t * node)
+{
+ if (!node)
+ return;
+
+ cond_expr_destroy(node->expr);
+ avrule_list_destroy(node->avtrue_list);
+ avrule_list_destroy(node->avfalse_list);
+ cond_av_list_destroy(node->true_list);
+ cond_av_list_destroy(node->false_list);
+}
+
+void cond_list_destroy(cond_list_t * list)
+{
+ cond_node_t *next, *cur;
+
+ if (list == NULL)
+ return;
+
+ for (cur = list; cur != NULL; cur = next) {
+ next = cur->next;
+ cond_node_destroy(cur);
+ free(cur);
+ }
+}
+
+void cond_policydb_destroy(policydb_t * p)
+{
+ if (p->bool_val_to_struct != NULL)
+ free(p->bool_val_to_struct);
+ avtab_destroy(&p->te_cond_avtab);
+ cond_list_destroy(p->cond_list);
+}
+
+int cond_init_bool_indexes(policydb_t * p)
+{
+ if (p->bool_val_to_struct)
+ free(p->bool_val_to_struct);
+ p->bool_val_to_struct = (cond_bool_datum_t **)
+ malloc(p->p_bools.nprim * sizeof(cond_bool_datum_t *));
+ if (!p->bool_val_to_struct)
+ return -1;
+ return 0;
+}
+
+int cond_destroy_bool(hashtab_key_t key, hashtab_datum_t datum, void *p
+ __attribute__ ((unused)))
+{
+ if (key)
+ free(key);
+ free(datum);
+ return 0;
+}
+
+int cond_index_bool(hashtab_key_t key, hashtab_datum_t datum, void *datap)
+{
+ policydb_t *p;
+ cond_bool_datum_t *booldatum;
+
+ booldatum = datum;
+ p = datap;
+
+ if (!booldatum->s.value || booldatum->s.value > p->p_bools.nprim)
+ return -EINVAL;
+
+ p->p_bool_val_to_name[booldatum->s.value - 1] = key;
+ p->bool_val_to_struct[booldatum->s.value - 1] = booldatum;
+
+ return 0;
+}
+
+static int bool_isvalid(cond_bool_datum_t * b)
+{
+ if (!(b->state == 0 || b->state == 1))
+ return 0;
+ return 1;
+}
+
+int cond_read_bool(policydb_t * p
+ __attribute__ ((unused)), hashtab_t h,
+ struct policy_file *fp)
+{
+ char *key = 0;
+ cond_bool_datum_t *booldatum;
+ uint32_t buf[3], len;
+ int rc;
+
+ booldatum = malloc(sizeof(cond_bool_datum_t));
+ if (!booldatum)
+ return -1;
+ memset(booldatum, 0, sizeof(cond_bool_datum_t));
+
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 3);
+ if (rc < 0)
+ goto err;
+
+ booldatum->s.value = le32_to_cpu(buf[0]);
+ booldatum->state = le32_to_cpu(buf[1]);
+
+ if (!bool_isvalid(booldatum))
+ goto err;
+
+ len = le32_to_cpu(buf[2]);
+
+ key = malloc(len + 1);
+ if (!key)
+ goto err;
+ rc = next_entry(key, fp, len);
+ if (rc < 0)
+ goto err;
+ key[len] = 0;
+ if (hashtab_insert(h, key, booldatum))
+ goto err;
+
+ return 0;
+ err:
+ cond_destroy_bool(key, booldatum, 0);
+ return -1;
+}
+
+struct cond_insertf_data {
+ struct policydb *p;
+ cond_av_list_t *other;
+ cond_av_list_t *head;
+ cond_av_list_t *tail;
+};
+
+static int cond_insertf(avtab_t * a
+ __attribute__ ((unused)), avtab_key_t * k,
+ avtab_datum_t * d, void *ptr)
+{
+ struct cond_insertf_data *data = ptr;
+ struct policydb *p = data->p;
+ cond_av_list_t *other = data->other, *list, *cur;
+ avtab_ptr_t node_ptr;
+ uint8_t found;
+
+ /*
+ * For type rules we have to make certain there aren't any
+ * conflicting rules by searching the te_avtab and the
+ * cond_te_avtab.
+ */
+ if (k->specified & AVTAB_TYPE) {
+ if (avtab_search(&p->te_avtab, k)) {
+ printf
+ ("security: type rule already exists outside of a conditional.");
+ goto err;
+ }
+ /*
+ * If we are reading the false list other will be a pointer to
+ * the true list. We can have duplicate entries if there is only
+ * 1 other entry and it is in our true list.
+ *
+ * If we are reading the true list (other == NULL) there shouldn't
+ * be any other entries.
+ */
+ if (other) {
+ node_ptr = avtab_search_node(&p->te_cond_avtab, k);
+ if (node_ptr) {
+ if (avtab_search_node_next
+ (node_ptr, k->specified)) {
+ printf
+ ("security: too many conflicting type rules.");
+ goto err;
+ }
+ found = 0;
+ for (cur = other; cur != NULL; cur = cur->next) {
+ if (cur->node == node_ptr) {
+ found = 1;
+ break;
+ }
+ }
+ if (!found) {
+ printf
+ ("security: conflicting type rules.\n");
+ goto err;
+ }
+ }
+ } else {
+ if (avtab_search(&p->te_cond_avtab, k)) {
+ printf
+ ("security: conflicting type rules when adding type rule for true.\n");
+ goto err;
+ }
+ }
+ }
+
+ node_ptr = avtab_insert_nonunique(&p->te_cond_avtab, k, d);
+ if (!node_ptr) {
+ printf("security: could not insert rule.");
+ goto err;
+ }
+ node_ptr->parse_context = (void *)1;
+
+ list = malloc(sizeof(cond_av_list_t));
+ if (!list)
+ goto err;
+ memset(list, 0, sizeof(cond_av_list_t));
+
+ list->node = node_ptr;
+ if (!data->head)
+ data->head = list;
+ else
+ data->tail->next = list;
+ data->tail = list;
+ return 0;
+
+ err:
+ cond_av_list_destroy(data->head);
+ data->head = NULL;
+ return -1;
+}
+
+static int cond_read_av_list(policydb_t * p, void *fp,
+ cond_av_list_t ** ret_list, cond_av_list_t * other)
+{
+ unsigned int i;
+ int rc;
+ uint32_t buf[1], len;
+ struct cond_insertf_data data;
+
+ *ret_list = NULL;
+
+ len = 0;
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ return -1;
+
+ len = le32_to_cpu(buf[0]);
+ if (len == 0) {
+ return 0;
+ }
+
+ data.p = p;
+ data.other = other;
+ data.head = NULL;
+ data.tail = NULL;
+ for (i = 0; i < len; i++) {
+ rc = avtab_read_item(fp, p->policyvers, &p->te_cond_avtab,
+ cond_insertf, &data);
+ if (rc)
+ return rc;
+
+ }
+
+ *ret_list = data.head;
+ return 0;
+}
+
+static int expr_isvalid(policydb_t * p, cond_expr_t * expr)
+{
+ if (expr->expr_type <= 0 || expr->expr_type > COND_LAST) {
+ printf
+ ("security: conditional expressions uses unknown operator.\n");
+ return 0;
+ }
+
+ if (expr->bool > p->p_bools.nprim) {
+ printf
+ ("security: conditional expressions uses unknown bool.\n");
+ return 0;
+ }
+ return 1;
+}
+
+static int cond_read_node(policydb_t * p, cond_node_t * node, void *fp)
+{
+ uint32_t buf[2];
+ int len, i, rc;
+ cond_expr_t *expr = NULL, *last = NULL;
+
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ goto err;
+
+ node->cur_state = le32_to_cpu(buf[0]);
+
+ len = 0;
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ goto err;
+
+ /* expr */
+ len = le32_to_cpu(buf[0]);
+
+ for (i = 0; i < len; i++) {
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
+ if (rc < 0)
+ goto err;
+
+ expr = malloc(sizeof(cond_expr_t));
+ if (!expr) {
+ goto err;
+ }
+ memset(expr, 0, sizeof(cond_expr_t));
+
+ expr->expr_type = le32_to_cpu(buf[0]);
+ expr->bool = le32_to_cpu(buf[1]);
+
+ if (!expr_isvalid(p, expr)) {
+ free(expr);
+ goto err;
+ }
+
+ if (i == 0) {
+ node->expr = expr;
+ } else {
+ last->next = expr;
+ }
+ last = expr;
+ }
+
+ if (p->policy_type == POLICY_KERN) {
+ if (cond_read_av_list(p, fp, &node->true_list, NULL) != 0)
+ goto err;
+ if (cond_read_av_list(p, fp, &node->false_list, node->true_list)
+ != 0)
+ goto err;
+ } else {
+ if (avrule_read_list(p, &node->avtrue_list, fp))
+ goto err;
+ if (avrule_read_list(p, &node->avfalse_list, fp))
+ goto err;
+ }
+
+ return 0;
+ err:
+ cond_node_destroy(node);
+ free(node);
+ return -1;
+}
+
+int cond_read_list(policydb_t * p, cond_list_t ** list, void *fp)
+{
+ cond_node_t *node, *last = NULL;
+ uint32_t buf[1];
+ int i, len, rc;
+
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ return -1;
+
+ len = le32_to_cpu(buf[0]);
+
+ rc = avtab_alloc(&p->te_cond_avtab, p->te_avtab.nel);
+ if (rc)
+ goto err;
+
+ for (i = 0; i < len; i++) {
+ node = malloc(sizeof(cond_node_t));
+ if (!node)
+ goto err;
+ memset(node, 0, sizeof(cond_node_t));
+
+ if (cond_read_node(p, node, fp) != 0)
+ goto err;
+
+ if (i == 0) {
+ *list = node;
+ } else {
+ last->next = node;
+ }
+ last = node;
+ }
+ return 0;
+ err:
+ return -1;
+}
+
+/* Determine whether additional permissions are granted by the conditional
+ * av table, and if so, add them to the result
+ */
+void cond_compute_av(avtab_t * ctab, avtab_key_t * key,
+ struct sepol_av_decision *avd)
+{
+ avtab_ptr_t node;
+
+ if (!ctab || !key || !avd)
+ return;
+
+ for (node = avtab_search_node(ctab, key); node != NULL;
+ node = avtab_search_node_next(node, key->specified)) {
+ if ((uint16_t) (AVTAB_ALLOWED | AVTAB_ENABLED) ==
+ (node->key.specified & (AVTAB_ALLOWED | AVTAB_ENABLED)))
+ avd->allowed |= node->datum.data;
+ if ((uint16_t) (AVTAB_AUDITDENY | AVTAB_ENABLED) ==
+ (node->key.specified & (AVTAB_AUDITDENY | AVTAB_ENABLED)))
+ /* Since a '0' in an auditdeny mask represents a
+ * permission we do NOT want to audit (dontaudit), we use
+ * the '&' operand to ensure that all '0's in the mask
+ * are retained (much unlike the allow and auditallow cases).
+ */
+ avd->auditdeny &= node->datum.data;
+ if ((uint16_t) (AVTAB_AUDITALLOW | AVTAB_ENABLED) ==
+ (node->key.specified & (AVTAB_AUDITALLOW | AVTAB_ENABLED)))
+ avd->auditallow |= node->datum.data;
+ }
+ return;
+}
+
+avtab_datum_t *cond_av_list_search(avtab_key_t * key,
+ cond_av_list_t * cond_list)
+{
+
+ cond_av_list_t *cur_av;
+
+ for (cur_av = cond_list; cur_av != NULL; cur_av = cur_av->next) {
+
+ if (cur_av->node->key.source_type == key->source_type &&
+ cur_av->node->key.target_type == key->target_type &&
+ cur_av->node->key.target_class == key->target_class)
+
+ return &cur_av->node->datum;
+
+ }
+ return NULL;
+
+}
diff --git a/src/constraint.c b/src/constraint.c
new file mode 100644
index 0000000..7154019
--- /dev/null
+++ b/src/constraint.c
@@ -0,0 +1,47 @@
+/* Authors: Jason Tang <jtang@tresys.com>
+ *
+ * Copyright (C) 2005 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/constraint.h>
+#include <sepol/policydb/expand.h>
+#include <sepol/policydb/flask_types.h>
+
+#include <assert.h>
+#include <stdlib.h>
+
+int constraint_expr_init(constraint_expr_t * expr)
+{
+ memset(expr, 0, sizeof(*expr));
+ ebitmap_init(&expr->names);
+ if ((expr->type_names = malloc(sizeof(*expr->type_names))) == NULL) {
+ return -1;
+ }
+ type_set_init(expr->type_names);
+ return 0;
+}
+
+void constraint_expr_destroy(constraint_expr_t * expr)
+{
+ if (expr != NULL) {
+ ebitmap_destroy(&expr->names);
+ type_set_destroy(expr->type_names);
+ free(expr->type_names);
+ free(expr);
+ }
+}
diff --git a/src/context.c b/src/context.c
new file mode 100644
index 0000000..84dad34
--- /dev/null
+++ b/src/context.c
@@ -0,0 +1,338 @@
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/services.h>
+#include "context_internal.h"
+
+#include "debug.h"
+#include "context.h"
+#include "handle.h"
+#include "mls.h"
+
+/* ----- Compatibility ---- */
+int policydb_context_isvalid(const policydb_t * p, const context_struct_t * c)
+{
+
+ return context_is_valid(p, c);
+}
+
+int sepol_check_context(const char *context)
+{
+
+ return sepol_context_to_sid((const sepol_security_context_t)context,
+ strlen(context) + 1, NULL);
+}
+
+/* ---- End compatibility --- */
+
+/*
+ * Return 1 if the fields in the security context
+ * structure `c' are valid. Return 0 otherwise.
+ */
+int context_is_valid(const policydb_t * p, const context_struct_t * c)
+{
+
+ role_datum_t *role;
+ user_datum_t *usrdatum;
+ ebitmap_t types, roles;
+ int ret = 1;
+
+ ebitmap_init(&types);
+ ebitmap_init(&roles);
+ if (!c->role || c->role > p->p_roles.nprim)
+ return 0;
+
+ if (!c->user || c->user > p->p_users.nprim)
+ return 0;
+
+ if (!c->type || c->type > p->p_types.nprim)
+ return 0;
+
+ if (c->role != OBJECT_R_VAL) {
+ /*
+ * Role must be authorized for the type.
+ */
+ role = p->role_val_to_struct[c->role - 1];
+ if (!ebitmap_get_bit(&role->cache, c->type - 1))
+ /* role may not be associated with type */
+ return 0;
+
+ /*
+ * User must be authorized for the role.
+ */
+ usrdatum = p->user_val_to_struct[c->user - 1];
+ if (!usrdatum)
+ return 0;
+
+ if (!ebitmap_get_bit(&usrdatum->cache, c->role - 1))
+ /* user may not be associated with role */
+ return 0;
+ }
+
+ if (!mls_context_isvalid(p, c))
+ return 0;
+
+ return ret;
+}
+
+/*
+ * Write the security context string representation of
+ * the context structure `context' into a dynamically
+ * allocated string of the correct size. Set `*scontext'
+ * to point to this string and set `*scontext_len' to
+ * the length of the string.
+ */
+int context_to_string(sepol_handle_t * handle,
+ const policydb_t * policydb,
+ const context_struct_t * context,
+ char **result, size_t * result_len)
+{
+
+ char *scontext = NULL;
+ size_t scontext_len = 0;
+ char *ptr;
+
+ /* Compute the size of the context. */
+ scontext_len +=
+ strlen(policydb->p_user_val_to_name[context->user - 1]) + 1;
+ scontext_len +=
+ strlen(policydb->p_role_val_to_name[context->role - 1]) + 1;
+ scontext_len += strlen(policydb->p_type_val_to_name[context->type - 1]);
+ scontext_len += mls_compute_context_len(policydb, context);
+
+ /* We must null terminate the string */
+ scontext_len += 1;
+
+ /* Allocate space for the context; caller must free this space. */
+ scontext = malloc(scontext_len);
+ if (!scontext)
+ goto omem;
+ scontext[scontext_len - 1] = '\0';
+
+ /*
+ * Copy the user name, role name and type name into the context.
+ */
+ ptr = scontext;
+ sprintf(ptr, "%s:%s:%s",
+ policydb->p_user_val_to_name[context->user - 1],
+ policydb->p_role_val_to_name[context->role - 1],
+ policydb->p_type_val_to_name[context->type - 1]);
+
+ ptr +=
+ strlen(policydb->p_user_val_to_name[context->user - 1]) + 1 +
+ strlen(policydb->p_role_val_to_name[context->role - 1]) + 1 +
+ strlen(policydb->p_type_val_to_name[context->type - 1]);
+
+ mls_sid_to_context(policydb, context, &ptr);
+
+ *result = scontext;
+ *result_len = scontext_len;
+ return STATUS_SUCCESS;
+
+ omem:
+ ERR(handle, "out of memory, could not convert " "context to string");
+ free(scontext);
+ return STATUS_ERR;
+}
+
+/*
+ * Create a context structure from the given record
+ */
+int context_from_record(sepol_handle_t * handle,
+ const policydb_t * policydb,
+ context_struct_t ** cptr,
+ const sepol_context_t * record)
+{
+
+ context_struct_t *scontext = NULL;
+ user_datum_t *usrdatum;
+ role_datum_t *roldatum;
+ type_datum_t *typdatum;
+
+ /* Hashtab keys are not constant - suppress warnings */
+ char *user = strdup(sepol_context_get_user(record));
+ char *role = strdup(sepol_context_get_role(record));
+ char *type = strdup(sepol_context_get_type(record));
+ const char *mls = sepol_context_get_mls(record);
+
+ scontext = (context_struct_t *) malloc(sizeof(context_struct_t));
+ if (!user || !role || !type || !scontext) {
+ ERR(handle, "out of memory");
+ goto err;
+ }
+ context_init(scontext);
+
+ /* User */
+ usrdatum = (user_datum_t *) hashtab_search(policydb->p_users.table,
+ (hashtab_key_t) user);
+ if (!usrdatum) {
+ ERR(handle, "user %s is not defined", user);
+ goto err_destroy;
+ }
+ scontext->user = usrdatum->s.value;
+
+ /* Role */
+ roldatum = (role_datum_t *) hashtab_search(policydb->p_roles.table,
+ (hashtab_key_t) role);
+ if (!roldatum) {
+ ERR(handle, "role %s is not defined", role);
+ goto err_destroy;
+ }
+ scontext->role = roldatum->s.value;
+
+ /* Type */
+ typdatum = (type_datum_t *) hashtab_search(policydb->p_types.table,
+ (hashtab_key_t) type);
+ if (!typdatum || typdatum->flavor == TYPE_ATTRIB) {
+ ERR(handle, "type %s is not defined", type);
+ goto err_destroy;
+ }
+ scontext->type = typdatum->s.value;
+
+ /* MLS */
+ if (mls && !policydb->mls) {
+ ERR(handle, "MLS is disabled, but MLS context \"%s\" found",
+ mls);
+ goto err_destroy;
+ } else if (!mls && policydb->mls) {
+ ERR(handle, "MLS is enabled, but no MLS context found");
+ goto err_destroy;
+ }
+ if (mls && (mls_from_string(handle, policydb, mls, scontext) < 0))
+ goto err_destroy;
+
+ /* Validity check */
+ if (!context_is_valid(policydb, scontext)) {
+ if (mls) {
+ ERR(handle,
+ "invalid security context: \"%s:%s:%s:%s\"",
+ user, role, type, mls);
+ } else {
+ ERR(handle,
+ "invalid security context: \"%s:%s:%s\"",
+ user, role, type);
+ }
+ goto err_destroy;
+ }
+
+ *cptr = scontext;
+ free(user);
+ free(type);
+ free(role);
+ return STATUS_SUCCESS;
+
+ err_destroy:
+ errno = EINVAL;
+ context_destroy(scontext);
+
+ err:
+ free(scontext);
+ free(user);
+ free(type);
+ free(role);
+ ERR(handle, "could not create context structure");
+ return STATUS_ERR;
+}
+
+/*
+ * Create a record from the given context structure
+ */
+int context_to_record(sepol_handle_t * handle,
+ const policydb_t * policydb,
+ const context_struct_t * context,
+ sepol_context_t ** record)
+{
+
+ sepol_context_t *tmp_record = NULL;
+ char *mls = NULL;
+
+ if (sepol_context_create(handle, &tmp_record) < 0)
+ goto err;
+
+ if (sepol_context_set_user(handle, tmp_record,
+ policydb->p_user_val_to_name[context->user -
+ 1]) < 0)
+ goto err;
+
+ if (sepol_context_set_role(handle, tmp_record,
+ policydb->p_role_val_to_name[context->role -
+ 1]) < 0)
+ goto err;
+
+ if (sepol_context_set_type(handle, tmp_record,
+ policydb->p_type_val_to_name[context->type -
+ 1]) < 0)
+ goto err;
+
+ if (policydb->mls) {
+ if (mls_to_string(handle, policydb, context, &mls) < 0)
+ goto err;
+
+ if (sepol_context_set_mls(handle, tmp_record, mls) < 0)
+ goto err;
+ }
+
+ free(mls);
+ *record = tmp_record;
+ return STATUS_SUCCESS;
+
+ err:
+ ERR(handle, "could not create context record");
+ sepol_context_free(tmp_record);
+ free(mls);
+ return STATUS_ERR;
+}
+
+/*
+ * Create a context structure from the provided string.
+ */
+int context_from_string(sepol_handle_t * handle,
+ const policydb_t * policydb,
+ context_struct_t ** cptr,
+ const char *con_str, size_t con_str_len)
+{
+
+ char *con_cpy = NULL;
+ sepol_context_t *ctx_record = NULL;
+
+ /* sepol_context_from_string expects a NULL-terminated string */
+ con_cpy = malloc(con_str_len + 1);
+ if (!con_cpy)
+ goto omem;
+ memcpy(con_cpy, con_str, con_str_len);
+ con_cpy[con_str_len] = '\0';
+
+ if (sepol_context_from_string(handle, con_cpy, &ctx_record) < 0)
+ goto err;
+
+ /* Now create from the data structure */
+ if (context_from_record(handle, policydb, cptr, ctx_record) < 0)
+ goto err;
+
+ free(con_cpy);
+ sepol_context_free(ctx_record);
+ return STATUS_SUCCESS;
+
+ omem:
+ ERR(handle, "out of memory");
+
+ err:
+ ERR(handle, "could not create context structure");
+ free(con_cpy);
+ sepol_context_free(ctx_record);
+ return STATUS_ERR;
+}
+
+int sepol_context_check(sepol_handle_t * handle,
+ const sepol_policydb_t * policydb,
+ const sepol_context_t * context)
+{
+
+ context_struct_t *con = NULL;
+ int ret = context_from_record(handle, &policydb->p, &con, context);
+ context_destroy(con);
+ free(con);
+ return ret;
+}
diff --git a/src/context.h b/src/context.h
new file mode 100644
index 0000000..d25ca8a
--- /dev/null
+++ b/src/context.h
@@ -0,0 +1,37 @@
+#ifndef _SEPOL_INTERNAL_CONTEXT_H_
+#define _SEPOL_INTERNAL_CONTEXT_H_
+
+#include <stddef.h>
+#include "context_internal.h"
+#include <sepol/policydb/context.h>
+#include <sepol/policydb/policydb.h>
+#include <sepol/handle.h>
+
+/* Create a context structure from high level representation */
+extern int context_from_record(sepol_handle_t * handle,
+ const policydb_t * policydb,
+ context_struct_t ** cptr,
+ const sepol_context_t * data);
+
+extern int context_to_record(sepol_handle_t * handle,
+ const policydb_t * policydb,
+ const context_struct_t * context,
+ sepol_context_t ** record);
+
+/* Create a context structure from string representation */
+extern int context_from_string(sepol_handle_t * handle,
+ const policydb_t * policydb,
+ context_struct_t ** cptr,
+ const char *con_str, size_t con_str_len);
+
+/* Check if the provided context is valid for this policy */
+extern int context_is_valid(const policydb_t * policydb,
+ const context_struct_t * context);
+
+/* Extract the context as string */
+extern int context_to_string(sepol_handle_t * handle,
+ const policydb_t * policydb,
+ const context_struct_t * context,
+ char **result, size_t * result_len);
+
+#endif
diff --git a/src/context_internal.h b/src/context_internal.h
new file mode 100644
index 0000000..7987c1c
--- /dev/null
+++ b/src/context_internal.h
@@ -0,0 +1,19 @@
+#ifndef _SEPOL_CONTEXT_INTERNAL_H_
+#define _SEPOL_CONTEXT_INTERNAL_H_
+
+#include <sepol/context_record.h>
+#include "dso.h"
+
+hidden_proto(sepol_context_clone)
+ hidden_proto(sepol_context_create)
+ hidden_proto(sepol_context_free)
+ hidden_proto(sepol_context_from_string)
+ hidden_proto(sepol_context_get_mls)
+ hidden_proto(sepol_context_get_role)
+ hidden_proto(sepol_context_get_type)
+ hidden_proto(sepol_context_get_user)
+ hidden_proto(sepol_context_set_mls)
+ hidden_proto(sepol_context_set_role)
+ hidden_proto(sepol_context_set_type)
+ hidden_proto(sepol_context_set_user)
+#endif
diff --git a/src/context_record.c b/src/context_record.c
new file mode 100644
index 0000000..ac2884a
--- /dev/null
+++ b/src/context_record.c
@@ -0,0 +1,324 @@
+#include <errno.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+
+#include "context_internal.h"
+#include "debug.h"
+
+struct sepol_context {
+
+ /* Selinux user */
+ char *user;
+
+ /* Selinux role */
+ char *role;
+
+ /* Selinux type */
+ char *type;
+
+ /* MLS */
+ char *mls;
+};
+
+/* User */
+const char *sepol_context_get_user(const sepol_context_t * con)
+{
+
+ return con->user;
+}
+
+hidden_def(sepol_context_get_user)
+
+int sepol_context_set_user(sepol_handle_t * handle,
+ sepol_context_t * con, const char *user)
+{
+
+ char *tmp_user = strdup(user);
+ if (!tmp_user) {
+ ERR(handle, "out of memory, could not set "
+ "context user to %s", user);
+ return STATUS_ERR;
+ }
+
+ free(con->user);
+ con->user = tmp_user;
+ return STATUS_SUCCESS;
+}
+
+hidden_def(sepol_context_set_user)
+
+/* Role */
+const char *sepol_context_get_role(const sepol_context_t * con)
+{
+
+ return con->role;
+}
+
+hidden_def(sepol_context_get_role)
+
+int sepol_context_set_role(sepol_handle_t * handle,
+ sepol_context_t * con, const char *role)
+{
+
+ char *tmp_role = strdup(role);
+ if (!tmp_role) {
+ ERR(handle, "out of memory, could not set "
+ "context role to %s", role);
+ return STATUS_ERR;
+ }
+ free(con->role);
+ con->role = tmp_role;
+ return STATUS_SUCCESS;
+}
+
+hidden_def(sepol_context_set_role)
+
+/* Type */
+const char *sepol_context_get_type(const sepol_context_t * con)
+{
+
+ return con->type;
+}
+
+hidden_def(sepol_context_get_type)
+
+int sepol_context_set_type(sepol_handle_t * handle,
+ sepol_context_t * con, const char *type)
+{
+
+ char *tmp_type = strdup(type);
+ if (!tmp_type) {
+ ERR(handle, "out of memory, could not set "
+ "context type to %s", type);
+ return STATUS_ERR;
+ }
+ free(con->type);
+ con->type = tmp_type;
+ return STATUS_SUCCESS;
+}
+
+hidden_def(sepol_context_set_type)
+
+/* MLS */
+const char *sepol_context_get_mls(const sepol_context_t * con)
+{
+
+ return con->mls;
+}
+
+hidden_def(sepol_context_get_mls)
+
+int sepol_context_set_mls(sepol_handle_t * handle,
+ sepol_context_t * con, const char *mls)
+{
+
+ char *tmp_mls = strdup(mls);
+ if (!tmp_mls) {
+ ERR(handle, "out of memory, could not set "
+ "MLS fields to %s", mls);
+ return STATUS_ERR;
+ }
+ free(con->mls);
+ con->mls = tmp_mls;
+ return STATUS_SUCCESS;
+}
+
+hidden_def(sepol_context_set_mls)
+
+/* Create */
+int sepol_context_create(sepol_handle_t * handle, sepol_context_t ** con_ptr)
+{
+
+ sepol_context_t *con =
+ (sepol_context_t *) malloc(sizeof(sepol_context_t));
+
+ if (!con) {
+ ERR(handle, "out of memory, could not " "create context\n");
+ return STATUS_ERR;
+ }
+
+ con->user = NULL;
+ con->role = NULL;
+ con->type = NULL;
+ con->mls = NULL;
+ *con_ptr = con;
+ return STATUS_SUCCESS;
+}
+
+hidden_def(sepol_context_create)
+
+/* Deep copy clone */
+int sepol_context_clone(sepol_handle_t * handle,
+ const sepol_context_t * con, sepol_context_t ** con_ptr)
+{
+
+ sepol_context_t *new_con = NULL;
+
+ if (!con) {
+ *con_ptr = NULL;
+ return 0;
+ }
+
+ if (sepol_context_create(handle, &new_con) < 0)
+ goto err;
+
+ if (!(new_con->user = strdup(con->user)))
+ goto omem;
+
+ if (!(new_con->role = strdup(con->role)))
+ goto omem;
+
+ if (!(new_con->type = strdup(con->type)))
+ goto omem;
+
+ if (con->mls && !(new_con->mls = strdup(con->mls)))
+ goto omem;
+
+ *con_ptr = new_con;
+ return STATUS_SUCCESS;
+
+ omem:
+ ERR(handle, "out of memory");
+
+ err:
+ ERR(handle, "could not clone context record");
+ sepol_context_free(new_con);
+ return STATUS_ERR;
+}
+
+hidden_def(sepol_context_clone)
+
+/* Destroy */
+void sepol_context_free(sepol_context_t * con)
+{
+
+ if (!con)
+ return;
+
+ free(con->user);
+ free(con->role);
+ free(con->type);
+ free(con->mls);
+ free(con);
+}
+
+hidden_def(sepol_context_free)
+
+int sepol_context_from_string(sepol_handle_t * handle,
+ const char *str, sepol_context_t ** con)
+{
+
+ char *tmp = NULL, *low, *high;
+ sepol_context_t *tmp_con = NULL;
+
+ if (!strcmp(str, "<<none>>")) {
+ *con = NULL;
+ return STATUS_SUCCESS;
+ }
+
+ if (sepol_context_create(handle, &tmp_con) < 0)
+ goto err;
+
+ /* Working copy context */
+ tmp = strdup(str);
+ if (!tmp) {
+ ERR(handle, "out of memory");
+ goto err;
+ }
+ low = tmp;
+
+ /* Then, break it into its components */
+
+ /* User */
+ if (!(high = strchr(low, ':')))
+ goto mcontext;
+ else
+ *high++ = '\0';
+ if (sepol_context_set_user(handle, tmp_con, low) < 0)
+ goto err;
+ low = high;
+
+ /* Role */
+ if (!(high = strchr(low, ':')))
+ goto mcontext;
+ else
+ *high++ = '\0';
+ if (sepol_context_set_role(handle, tmp_con, low) < 0)
+ goto err;
+ low = high;
+
+ /* Type, and possibly MLS */
+ if (!(high = strchr(low, ':'))) {
+ if (sepol_context_set_type(handle, tmp_con, low) < 0)
+ goto err;
+ } else {
+ *high++ = '\0';
+ if (sepol_context_set_type(handle, tmp_con, low) < 0)
+ goto err;
+ low = high;
+ if (sepol_context_set_mls(handle, tmp_con, low) < 0)
+ goto err;
+ }
+
+ free(tmp);
+ *con = tmp_con;
+
+ return STATUS_SUCCESS;
+
+ mcontext:
+ errno = EINVAL;
+ ERR(handle, "malformed context \"%s\"", str);
+
+ err:
+ ERR(handle, "could not construct context from string");
+ free(tmp);
+ sepol_context_free(tmp_con);
+ return STATUS_ERR;
+}
+
+hidden_def(sepol_context_from_string)
+
+int sepol_context_to_string(sepol_handle_t * handle,
+ const sepol_context_t * con, char **str_ptr)
+{
+
+ int rc;
+ const int user_sz = strlen(con->user);
+ const int role_sz = strlen(con->role);
+ const int type_sz = strlen(con->type);
+ const int mls_sz = (con->mls) ? strlen(con->mls) : 0;
+ const int total_sz = user_sz + role_sz + type_sz +
+ mls_sz + ((con->mls) ? 3 : 2);
+
+ char *str = (char *)malloc(total_sz + 1);
+ if (!str)
+ goto omem;
+
+ if (con->mls) {
+ rc = snprintf(str, total_sz + 1, "%s:%s:%s:%s",
+ con->user, con->role, con->type, con->mls);
+ if (rc < 0 || (rc >= total_sz + 1)) {
+ ERR(handle, "print error");
+ goto err;
+ }
+ } else {
+ rc = snprintf(str, total_sz + 1, "%s:%s:%s",
+ con->user, con->role, con->type);
+ if (rc < 0 || (rc >= total_sz + 1)) {
+ ERR(handle, "print error");
+ goto err;
+ }
+ }
+
+ *str_ptr = str;
+ return STATUS_SUCCESS;
+
+ omem:
+ ERR(handle, "out of memory");
+
+ err:
+ ERR(handle, "could not convert context to string");
+ free(str);
+ return STATUS_ERR;
+}
diff --git a/src/debug.c b/src/debug.c
new file mode 100644
index 0000000..51918fd
--- /dev/null
+++ b/src/debug.c
@@ -0,0 +1,89 @@
+#include <stdarg.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include "handle.h"
+#include "debug.h"
+
+/* Deprecated */
+struct sepol_handle sepol_compat_handle = {
+ .msg_callback = sepol_msg_default_handler,
+ .msg_callback_arg = NULL,
+};
+
+void sepol_debug(int on)
+{
+ sepol_compat_handle.msg_callback = (on) ?
+ sepol_msg_default_handler : NULL;
+}
+
+/* End deprecated */
+
+int sepol_msg_get_level(sepol_handle_t * handle)
+{
+ return handle->msg_level;
+}
+
+hidden_def(sepol_msg_get_level)
+
+const char *sepol_msg_get_channel(sepol_handle_t * handle)
+{
+ return handle->msg_channel;
+}
+
+hidden_def(sepol_msg_get_channel)
+
+const char *sepol_msg_get_fname(sepol_handle_t * handle)
+{
+ return handle->msg_fname;
+}
+
+hidden_def(sepol_msg_get_fname)
+#ifdef __GNUC__
+ __attribute__ ((format(printf, 3, 4)))
+#endif
+void hidden sepol_msg_default_handler(void *varg __attribute__ ((unused)),
+ sepol_handle_t * handle,
+ const char *fmt, ...)
+{
+
+ FILE *stream = NULL;
+
+ switch (sepol_msg_get_level(handle)) {
+
+ case SEPOL_MSG_ERR:
+ case SEPOL_MSG_WARN:
+ stream = stderr;
+ break;
+ case SEPOL_MSG_INFO:
+ default:
+ stream = stdout;
+ break;
+ }
+
+ fprintf(stream, "%s.%s: ",
+ sepol_msg_get_channel(handle), sepol_msg_get_fname(handle));
+
+ va_list ap;
+ va_start(ap, fmt);
+ vfprintf(stream, fmt, ap);
+ va_end(ap);
+
+ fprintf(stream, "\n");
+
+ varg = NULL;
+}
+
+extern void sepol_msg_set_callback(sepol_handle_t * handle,
+#ifdef __GNUC__
+ __attribute__ ((format(printf, 3, 4)))
+#endif
+ void (*msg_callback) (void *varg,
+ sepol_handle_t *
+ handle,
+ const char *fmt, ...),
+ void *msg_callback_arg)
+{
+
+ handle->msg_callback = msg_callback;
+ handle->msg_callback_arg = msg_callback_arg;
+}
diff --git a/src/debug.h b/src/debug.h
new file mode 100644
index 0000000..56b397b
--- /dev/null
+++ b/src/debug.h
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2006 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef _SEPOL_INTERNAL_DEBUG_H_
+#define _SEPOL_INTERNAL_DEBUG_H_
+
+#include <stdio.h>
+#include <sepol/debug.h>
+#include "dso.h"
+#include "handle.h"
+
+#define STATUS_SUCCESS 0
+#define STATUS_ERR -1
+#define STATUS_NODATA 1
+
+/* FIXME: this needs to become a real function. Declaring variables
+ * in a macro is _evil_ as it can shadow other variables in local scope.
+ * The variable h has been renamed to _sepol_h to reduce this chance, but
+ * it is still wrong.
+ */
+#define msg_write(handle_arg, level_arg, \
+ channel_arg, func_arg, ...) do { \
+ sepol_handle_t *_sepol_h = (handle_arg) ?: &sepol_compat_handle; \
+ if (_sepol_h->msg_callback) { \
+ _sepol_h->msg_fname = func_arg; \
+ _sepol_h->msg_channel = channel_arg; \
+ _sepol_h->msg_level = level_arg; \
+ \
+ _sepol_h->msg_callback( \
+ _sepol_h->msg_callback_arg, \
+ _sepol_h, __VA_ARGS__); \
+ } \
+ } while(0)
+
+#define ERR(handle, ...) \
+ msg_write(handle, SEPOL_MSG_ERR, "libsepol", \
+ __FUNCTION__, __VA_ARGS__)
+
+#define INFO(handle, ...) \
+ msg_write(handle, SEPOL_MSG_INFO, "libsepol", \
+ __FUNCTION__, __VA_ARGS__)
+
+#define WARN(handle, ...) \
+ msg_write(handle, SEPOL_MSG_WARN, "libsepol", \
+ __FUNCTION__, __VA_ARGS__)
+
+#ifdef __GNUC__
+__attribute__ ((format(printf, 3, 4)))
+#endif
+extern void hidden sepol_msg_default_handler(void *varg,
+ sepol_handle_t * msg,
+ const char *fmt, ...);
+
+extern struct sepol_handle sepol_compat_handle;
+
+hidden_proto(sepol_msg_get_channel)
+ hidden_proto(sepol_msg_get_fname)
+ hidden_proto(sepol_msg_get_level)
+#endif
diff --git a/src/dso.h b/src/dso.h
new file mode 100644
index 0000000..5c69aae
--- /dev/null
+++ b/src/dso.h
@@ -0,0 +1,23 @@
+#ifndef _SEPOL_DSO_H
+#define _SEPOL_DSO_H 1
+
+#ifdef SHARED
+# define hidden __attribute__ ((visibility ("hidden")))
+# define hidden_proto(fct) __hidden_proto (fct, fct##_internal)
+# define __hidden_proto(fct, internal) \
+ extern __typeof (fct) internal; \
+ extern __typeof (fct) fct __asm (#internal) hidden;
+# if defined(__alpha__) || defined(__mips__)
+# define hidden_def(fct) \
+ asm (".globl " #fct "\n" #fct " = " #fct "_internal");
+# else
+# define hidden_def(fct) \
+ asm (".globl " #fct "\n.set " #fct ", " #fct "_internal");
+#endif
+#else
+# define hidden
+# define hidden_proto(fct)
+# define hidden_def(fct)
+#endif
+
+#endif
diff --git a/src/ebitmap.c b/src/ebitmap.c
new file mode 100644
index 0000000..cc6a915
--- /dev/null
+++ b/src/ebitmap.c
@@ -0,0 +1,368 @@
+
+/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */
+
+/* FLASK */
+
+/*
+ * Implementation of the extensible bitmap type.
+ */
+
+#include <stdlib.h>
+
+#include <sepol/policydb/ebitmap.h>
+#include <sepol/policydb/policydb.h>
+
+#include "debug.h"
+#include "private.h"
+
+int ebitmap_or(ebitmap_t * dst, const ebitmap_t * e1, const ebitmap_t * e2)
+{
+ ebitmap_node_t *n1, *n2, *new, *prev;
+
+ ebitmap_init(dst);
+
+ n1 = e1->node;
+ n2 = e2->node;
+ prev = 0;
+ while (n1 || n2) {
+ new = (ebitmap_node_t *) malloc(sizeof(ebitmap_node_t));
+ if (!new) {
+ ebitmap_destroy(dst);
+ return -ENOMEM;
+ }
+ memset(new, 0, sizeof(ebitmap_node_t));
+ if (n1 && n2 && n1->startbit == n2->startbit) {
+ new->startbit = n1->startbit;
+ new->map = n1->map | n2->map;
+ n1 = n1->next;
+ n2 = n2->next;
+ } else if (!n2 || (n1 && n1->startbit < n2->startbit)) {
+ new->startbit = n1->startbit;
+ new->map = n1->map;
+ n1 = n1->next;
+ } else {
+ new->startbit = n2->startbit;
+ new->map = n2->map;
+ n2 = n2->next;
+ }
+
+ new->next = 0;
+ if (prev)
+ prev->next = new;
+ else
+ dst->node = new;
+ prev = new;
+ }
+
+ dst->highbit = (e1->highbit > e2->highbit) ? e1->highbit : e2->highbit;
+ return 0;
+}
+
+int ebitmap_union(ebitmap_t * dst, const ebitmap_t * e1)
+{
+ ebitmap_t tmp;
+
+ if (ebitmap_or(&tmp, dst, e1))
+ return -1;
+ ebitmap_destroy(dst);
+ dst->node = tmp.node;
+ dst->highbit = tmp.highbit;
+
+ return 0;
+}
+
+int ebitmap_cmp(const ebitmap_t * e1, const ebitmap_t * e2)
+{
+ ebitmap_node_t *n1, *n2;
+
+ if (e1->highbit != e2->highbit)
+ return 0;
+
+ n1 = e1->node;
+ n2 = e2->node;
+ while (n1 && n2 &&
+ (n1->startbit == n2->startbit) && (n1->map == n2->map)) {
+ n1 = n1->next;
+ n2 = n2->next;
+ }
+
+ if (n1 || n2)
+ return 0;
+
+ return 1;
+}
+
+int ebitmap_cpy(ebitmap_t * dst, const ebitmap_t * src)
+{
+ ebitmap_node_t *n, *new, *prev;
+
+ ebitmap_init(dst);
+ n = src->node;
+ prev = 0;
+ while (n) {
+ new = (ebitmap_node_t *) malloc(sizeof(ebitmap_node_t));
+ if (!new) {
+ ebitmap_destroy(dst);
+ return -ENOMEM;
+ }
+ memset(new, 0, sizeof(ebitmap_node_t));
+ new->startbit = n->startbit;
+ new->map = n->map;
+ new->next = 0;
+ if (prev)
+ prev->next = new;
+ else
+ dst->node = new;
+ prev = new;
+ n = n->next;
+ }
+
+ dst->highbit = src->highbit;
+ return 0;
+}
+
+int ebitmap_contains(const ebitmap_t * e1, const ebitmap_t * e2)
+{
+ ebitmap_node_t *n1, *n2;
+
+ if (e1->highbit < e2->highbit)
+ return 0;
+
+ n1 = e1->node;
+ n2 = e2->node;
+ while (n1 && n2 && (n1->startbit <= n2->startbit)) {
+ if (n1->startbit < n2->startbit) {
+ n1 = n1->next;
+ continue;
+ }
+ if ((n1->map & n2->map) != n2->map)
+ return 0;
+
+ n1 = n1->next;
+ n2 = n2->next;
+ }
+
+ if (n2)
+ return 0;
+
+ return 1;
+}
+
+int ebitmap_get_bit(const ebitmap_t * e, unsigned int bit)
+{
+ ebitmap_node_t *n;
+
+ if (e->highbit < bit)
+ return 0;
+
+ n = e->node;
+ while (n && (n->startbit <= bit)) {
+ if ((n->startbit + MAPSIZE) > bit) {
+ if (n->map & (MAPBIT << (bit - n->startbit)))
+ return 1;
+ else
+ return 0;
+ }
+ n = n->next;
+ }
+
+ return 0;
+}
+
+int ebitmap_set_bit(ebitmap_t * e, unsigned int bit, int value)
+{
+ ebitmap_node_t *n, *prev, *new;
+ uint32_t startbit = bit & ~(MAPSIZE - 1);
+ uint32_t highbit = startbit + MAPSIZE;
+
+ if (highbit == 0) {
+ ERR(NULL, "bitmap overflow, bit 0x%x", bit);
+ return -EINVAL;
+ }
+
+ prev = 0;
+ n = e->node;
+ while (n && n->startbit <= bit) {
+ if ((n->startbit + MAPSIZE) > bit) {
+ if (value) {
+ n->map |= (MAPBIT << (bit - n->startbit));
+ } else {
+ n->map &= ~(MAPBIT << (bit - n->startbit));
+ if (!n->map) {
+ /* drop this node from the bitmap */
+
+ if (!n->next) {
+ /*
+ * this was the highest map
+ * within the bitmap
+ */
+ if (prev)
+ e->highbit =
+ prev->startbit +
+ MAPSIZE;
+ else
+ e->highbit = 0;
+ }
+ if (prev)
+ prev->next = n->next;
+ else
+ e->node = n->next;
+
+ free(n);
+ }
+ }
+ return 0;
+ }
+ prev = n;
+ n = n->next;
+ }
+
+ if (!value)
+ return 0;
+
+ new = (ebitmap_node_t *) malloc(sizeof(ebitmap_node_t));
+ if (!new)
+ return -ENOMEM;
+ memset(new, 0, sizeof(ebitmap_node_t));
+
+ new->startbit = startbit;
+ new->map = (MAPBIT << (bit - new->startbit));
+
+ if (!n) {
+ /* this node will be the highest map within the bitmap */
+ e->highbit = highbit;
+ }
+
+ if (prev) {
+ new->next = prev->next;
+ prev->next = new;
+ } else {
+ new->next = e->node;
+ e->node = new;
+ }
+
+ return 0;
+}
+
+void ebitmap_destroy(ebitmap_t * e)
+{
+ ebitmap_node_t *n, *temp;
+
+ if (!e)
+ return;
+
+ n = e->node;
+ while (n) {
+ temp = n;
+ n = n->next;
+ free(temp);
+ }
+
+ e->highbit = 0;
+ e->node = 0;
+ return;
+}
+
+int ebitmap_read(ebitmap_t * e, void *fp)
+{
+ int rc;
+ ebitmap_node_t *n, *l;
+ uint32_t buf[3], mapsize, count, i;
+ uint64_t map;
+
+ ebitmap_init(e);
+
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 3);
+ if (rc < 0)
+ goto bad;
+
+ mapsize = le32_to_cpu(buf[0]);
+ e->highbit = le32_to_cpu(buf[1]);
+ count = le32_to_cpu(buf[2]);
+
+ if (mapsize != MAPSIZE) {
+ printf
+ ("security: ebitmap: map size %d does not match my size %zu (high bit was %d)\n",
+ mapsize, MAPSIZE, e->highbit);
+ goto bad;
+ }
+ if (!e->highbit) {
+ e->node = NULL;
+ goto ok;
+ }
+ if (e->highbit & (MAPSIZE - 1)) {
+ printf
+ ("security: ebitmap: high bit (%d) is not a multiple of the map size (%zu)\n",
+ e->highbit, MAPSIZE);
+ goto bad;
+ }
+ l = NULL;
+ for (i = 0; i < count; i++) {
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0) {
+ printf("security: ebitmap: truncated map\n");
+ goto bad;
+ }
+ n = (ebitmap_node_t *) malloc(sizeof(ebitmap_node_t));
+ if (!n) {
+ printf("security: ebitmap: out of memory\n");
+ rc = -ENOMEM;
+ goto bad;
+ }
+ memset(n, 0, sizeof(ebitmap_node_t));
+
+ n->startbit = le32_to_cpu(buf[0]);
+
+ if (n->startbit & (MAPSIZE - 1)) {
+ printf
+ ("security: ebitmap start bit (%d) is not a multiple of the map size (%zu)\n",
+ n->startbit, MAPSIZE);
+ goto bad_free;
+ }
+ if (n->startbit > (e->highbit - MAPSIZE)) {
+ printf
+ ("security: ebitmap start bit (%d) is beyond the end of the bitmap (%zu)\n",
+ n->startbit, (e->highbit - MAPSIZE));
+ goto bad_free;
+ }
+ rc = next_entry(&map, fp, sizeof(uint64_t));
+ if (rc < 0) {
+ printf("security: ebitmap: truncated map\n");
+ goto bad_free;
+ }
+ n->map = le64_to_cpu(map);
+
+ if (!n->map) {
+ printf
+ ("security: ebitmap: null map in ebitmap (startbit %d)\n",
+ n->startbit);
+ goto bad_free;
+ }
+ if (l) {
+ if (n->startbit <= l->startbit) {
+ printf
+ ("security: ebitmap: start bit %d comes after start bit %d\n",
+ n->startbit, l->startbit);
+ goto bad_free;
+ }
+ l->next = n;
+ } else
+ e->node = n;
+
+ l = n;
+ }
+
+ ok:
+ rc = 0;
+ out:
+ return rc;
+ bad_free:
+ free(n);
+ bad:
+ if (!rc)
+ rc = -EINVAL;
+ ebitmap_destroy(e);
+ goto out;
+}
+
+/* FLASK */
diff --git a/src/expand.c b/src/expand.c
new file mode 100644
index 0000000..b42acbe
--- /dev/null
+++ b/src/expand.c
@@ -0,0 +1,3179 @@
+/* Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
+ * Jason Tang <jtang@tresys.com>
+ * Joshua Brindle <jbrindle@tresys.com>
+ *
+ * Copyright (C) 2004-2005 Tresys Technology, LLC
+ * Copyright (C) 2007 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include "context.h"
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/conditional.h>
+#include <sepol/policydb/hashtab.h>
+#include <sepol/policydb/expand.h>
+#include <sepol/policydb/hierarchy.h>
+#include <sepol/policydb/avrule_block.h>
+
+#include <stdlib.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
+#include <assert.h>
+
+#include "debug.h"
+#include "private.h"
+
+typedef struct expand_state {
+ int verbose;
+ uint32_t *typemap;
+ uint32_t *boolmap;
+ uint32_t *rolemap;
+ uint32_t *usermap;
+ policydb_t *base;
+ policydb_t *out;
+ sepol_handle_t *handle;
+ int expand_neverallow;
+} expand_state_t;
+
+static void expand_state_init(expand_state_t * state)
+{
+ memset(state, 0, sizeof(expand_state_t));
+}
+
+static int map_ebitmap(ebitmap_t * src, ebitmap_t * dst, uint32_t * map)
+{
+ unsigned int i;
+ ebitmap_node_t *tnode;
+ ebitmap_init(dst);
+
+ ebitmap_for_each_bit(src, tnode, i) {
+ if (!ebitmap_node_get_bit(tnode, i))
+ continue;
+ if (!map[i])
+ continue;
+ if (ebitmap_set_bit(dst, map[i] - 1, 1))
+ return -1;
+ }
+ return 0;
+}
+
+static int type_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
+ void *data)
+{
+ int ret;
+ char *id, *new_id;
+ type_datum_t *type, *new_type;
+ expand_state_t *state;
+
+ id = (char *)key;
+ type = (type_datum_t *) datum;
+ state = (expand_state_t *) data;
+
+ if ((type->flavor == TYPE_TYPE && !type->primary)
+ || type->flavor == TYPE_ALIAS) {
+ /* aliases are handled later */
+ return 0;
+ }
+ if (!is_id_enabled(id, state->base, SYM_TYPES)) {
+ /* identifier's scope is not enabled */
+ return 0;
+ }
+
+ if (state->verbose)
+ INFO(state->handle, "copying type or attribute %s", id);
+
+ new_id = strdup(id);
+ if (new_id == NULL) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+
+ new_type = (type_datum_t *) malloc(sizeof(type_datum_t));
+ if (!new_type) {
+ ERR(state->handle, "Out of memory!");
+ free(new_id);
+ return SEPOL_ENOMEM;
+ }
+ memset(new_type, 0, sizeof(type_datum_t));
+
+ new_type->flavor = type->flavor;
+ new_type->flags = type->flags;
+ new_type->s.value = ++state->out->p_types.nprim;
+ if (new_type->s.value > UINT16_MAX) {
+ free(new_id);
+ free(new_type);
+ ERR(state->handle, "type space overflow");
+ return -1;
+ }
+ new_type->primary = 1;
+ state->typemap[type->s.value - 1] = new_type->s.value;
+
+ ret = hashtab_insert(state->out->p_types.table,
+ (hashtab_key_t) new_id,
+ (hashtab_datum_t) new_type);
+ if (ret) {
+ free(new_id);
+ free(new_type);
+ ERR(state->handle, "hashtab overflow");
+ return -1;
+ }
+
+ if (new_type->flags & TYPE_FLAGS_PERMISSIVE)
+ if (ebitmap_set_bit(&state->out->permissive_map, new_type->s.value, 1)) {
+ ERR(state->handle, "Out of memory!\n");
+ return -1;
+ }
+
+ return 0;
+}
+
+static int attr_convert_callback(hashtab_key_t key, hashtab_datum_t datum,
+ void *data)
+{
+ char *id;
+ type_datum_t *type, *new_type;
+ expand_state_t *state;
+ ebitmap_t tmp_union;
+
+ id = (char *)key;
+ type = (type_datum_t *) datum;
+ state = (expand_state_t *) data;
+
+ if (type->flavor != TYPE_ATTRIB)
+ return 0;
+
+ if (!is_id_enabled(id, state->base, SYM_TYPES)) {
+ /* identifier's scope is not enabled */
+ return 0;
+ }
+
+ if (state->verbose)
+ INFO(state->handle, "converting attribute %s", id);
+
+ new_type = hashtab_search(state->out->p_types.table, id);
+ if (!new_type) {
+ ERR(state->handle, "attribute %s vanished!", id);
+ return -1;
+ }
+ if (map_ebitmap(&type->types, &tmp_union, state->typemap)) {
+ ERR(state->handle, "out of memory");
+ return -1;
+ }
+
+ /* then union tmp_union onto &new_type->types */
+ if (ebitmap_union(&new_type->types, &tmp_union)) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+ ebitmap_destroy(&tmp_union);
+
+ return 0;
+}
+
+static int perm_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
+ void *data)
+{
+ int ret;
+ char *id, *new_id;
+ symtab_t *s;
+ perm_datum_t *perm, *new_perm;
+
+ id = key;
+ perm = (perm_datum_t *) datum;
+ s = (symtab_t *) data;
+
+ new_perm = (perm_datum_t *) malloc(sizeof(perm_datum_t));
+ if (!new_perm) {
+ return -1;
+ }
+ memset(new_perm, 0, sizeof(perm_datum_t));
+
+ new_id = strdup(id);
+ if (!new_id) {
+ free(new_perm);
+ return -1;
+ }
+
+ new_perm->s.value = perm->s.value;
+ s->nprim++;
+
+ ret = hashtab_insert(s->table, new_id, (hashtab_datum_t *) new_perm);
+ if (ret) {
+ free(new_id);
+ free(new_perm);
+ return -1;
+ }
+
+ return 0;
+}
+
+static int common_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
+ void *data)
+{
+ int ret;
+ char *id, *new_id;
+ common_datum_t *common, *new_common;
+ expand_state_t *state;
+
+ id = (char *)key;
+ common = (common_datum_t *) datum;
+ state = (expand_state_t *) data;
+
+ if (state->verbose)
+ INFO(state->handle, "copying common %s", id);
+
+ new_common = (common_datum_t *) malloc(sizeof(common_datum_t));
+ if (!new_common) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+ memset(new_common, 0, sizeof(common_datum_t));
+ if (symtab_init(&new_common->permissions, PERM_SYMTAB_SIZE)) {
+ ERR(state->handle, "Out of memory!");
+ free(new_common);
+ return -1;
+ }
+
+ new_id = strdup(id);
+ if (!new_id) {
+ ERR(state->handle, "Out of memory!");
+ free(new_common);
+ return -1;
+ }
+
+ new_common->s.value = common->s.value;
+ state->out->p_commons.nprim++;
+
+ ret =
+ hashtab_insert(state->out->p_commons.table, new_id,
+ (hashtab_datum_t *) new_common);
+ if (ret) {
+ ERR(state->handle, "hashtab overflow");
+ free(new_common);
+ free(new_id);
+ return -1;
+ }
+
+ if (hashtab_map
+ (common->permissions.table, perm_copy_callback,
+ &new_common->permissions)) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+
+ return 0;
+}
+
+static int constraint_node_clone(constraint_node_t ** dst,
+ constraint_node_t * src,
+ expand_state_t * state)
+{
+ constraint_node_t *new_con = NULL, *last_new_con = NULL;
+ constraint_expr_t *new_expr = NULL;
+ *dst = NULL;
+ while (src != NULL) {
+ constraint_expr_t *expr, *expr_l = NULL;
+ new_con =
+ (constraint_node_t *) malloc(sizeof(constraint_node_t));
+ if (!new_con) {
+ goto out_of_mem;
+ }
+ memset(new_con, 0, sizeof(constraint_node_t));
+ new_con->permissions = src->permissions;
+ for (expr = src->expr; expr; expr = expr->next) {
+ if ((new_expr = calloc(1, sizeof(*new_expr))) == NULL) {
+ goto out_of_mem;
+ }
+ if (constraint_expr_init(new_expr) == -1) {
+ goto out_of_mem;
+ }
+ new_expr->expr_type = expr->expr_type;
+ new_expr->attr = expr->attr;
+ new_expr->op = expr->op;
+ if (new_expr->expr_type == CEXPR_NAMES) {
+ if (new_expr->attr & CEXPR_TYPE) {
+ /* Type sets require expansion and conversion. */
+ if (expand_convert_type_set(state->out,
+ state->
+ typemap,
+ expr->
+ type_names,
+ &new_expr->
+ names, 1)) {
+ goto out_of_mem;
+ }
+ } else if (new_expr->attr & CEXPR_ROLE) {
+ if (map_ebitmap(&expr->names, &new_expr->names, state->rolemap)) {
+ goto out_of_mem;
+ }
+ } else if (new_expr->attr & CEXPR_USER) {
+ if (map_ebitmap(&expr->names, &new_expr->names, state->usermap)) {
+ goto out_of_mem;
+ }
+ } else {
+ /* Other kinds of sets do not. */
+ if (ebitmap_cpy(&new_expr->names,
+ &expr->names)) {
+ goto out_of_mem;
+ }
+ }
+ }
+ if (expr_l) {
+ expr_l->next = new_expr;
+ } else {
+ new_con->expr = new_expr;
+ }
+ expr_l = new_expr;
+ new_expr = NULL;
+ }
+ if (last_new_con == NULL) {
+ *dst = new_con;
+ } else {
+ last_new_con->next = new_con;
+ }
+ last_new_con = new_con;
+ src = src->next;
+ }
+
+ return 0;
+ out_of_mem:
+ ERR(state->handle, "Out of memory!");
+ if (new_con)
+ free(new_con);
+ constraint_expr_destroy(new_expr);
+ return -1;
+}
+
+static int class_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
+ void *data)
+{
+ int ret;
+ char *id, *new_id;
+ class_datum_t *class, *new_class;
+ expand_state_t *state;
+
+ id = (char *)key;
+ class = (class_datum_t *) datum;
+ state = (expand_state_t *) data;
+
+ if (!is_id_enabled(id, state->base, SYM_CLASSES)) {
+ /* identifier's scope is not enabled */
+ return 0;
+ }
+
+ if (state->verbose)
+ INFO(state->handle, "copying class %s", id);
+
+ new_class = (class_datum_t *) malloc(sizeof(class_datum_t));
+ if (!new_class) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+ memset(new_class, 0, sizeof(class_datum_t));
+ if (symtab_init(&new_class->permissions, PERM_SYMTAB_SIZE)) {
+ ERR(state->handle, "Out of memory!");
+ free(new_class);
+ return -1;
+ }
+
+ new_class->s.value = class->s.value;
+ state->out->p_classes.nprim++;
+
+ new_id = strdup(id);
+ if (!new_id) {
+ ERR(state->handle, "Out of memory!");
+ free(new_class);
+ return -1;
+ }
+
+ ret =
+ hashtab_insert(state->out->p_classes.table, new_id,
+ (hashtab_datum_t *) new_class);
+ if (ret) {
+ ERR(state->handle, "hashtab overflow");
+ free(new_class);
+ free(new_id);
+ return -1;
+ }
+
+ if (hashtab_map
+ (class->permissions.table, perm_copy_callback,
+ &new_class->permissions)) {
+ ERR(state->handle, "hashtab overflow");
+ return -1;
+ }
+
+ if (class->comkey) {
+ new_class->comkey = strdup(class->comkey);
+ if (!new_class->comkey) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+
+ new_class->comdatum =
+ hashtab_search(state->out->p_commons.table,
+ new_class->comkey);
+ if (!new_class->comdatum) {
+ ERR(state->handle, "could not find common datum %s",
+ new_class->comkey);
+ return -1;
+ }
+ new_class->permissions.nprim +=
+ new_class->comdatum->permissions.nprim;
+ }
+
+ return 0;
+}
+
+static int constraint_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
+ void *data)
+{
+ char *id;
+ class_datum_t *class, *new_class;
+ expand_state_t *state;
+
+ id = (char *)key;
+ class = (class_datum_t *) datum;
+ state = (expand_state_t *) data;
+
+ new_class = hashtab_search(state->out->p_classes.table, id);
+ if (!new_class) {
+ ERR(state->handle, "class %s vanished", id);
+ return -1;
+ }
+
+ /* constraints */
+ if (constraint_node_clone
+ (&new_class->constraints, class->constraints, state) == -1
+ || constraint_node_clone(&new_class->validatetrans,
+ class->validatetrans, state) == -1) {
+ return -1;
+ }
+ return 0;
+}
+
+/*
+ * The boundaries have to be copied after the types/roles/users are copied,
+ * because it refers hashtab to lookup destinated objects.
+ */
+static int type_bounds_copy_callback(hashtab_key_t key,
+ hashtab_datum_t datum, void *data)
+{
+ expand_state_t *state = (expand_state_t *) data;
+ type_datum_t *type = (type_datum_t *) datum;
+ type_datum_t *dest;
+ uint32_t bounds_val;
+
+ if (!type->bounds)
+ return 0;
+
+ if (!is_id_enabled((char *)key, state->base, SYM_TYPES))
+ return 0;
+
+ bounds_val = state->typemap[type->bounds - 1];
+
+ dest = hashtab_search(state->out->p_types.table, (char *)key);
+ if (!dest) {
+ ERR(state->handle, "Type lookup failed for %s", (char *)key);
+ return -1;
+ }
+ if (dest->bounds != 0 && dest->bounds != bounds_val) {
+ ERR(state->handle, "Inconsistent boundary for %s", (char *)key);
+ return -1;
+ }
+ dest->bounds = bounds_val;
+
+ return 0;
+}
+
+static int role_bounds_copy_callback(hashtab_key_t key,
+ hashtab_datum_t datum, void *data)
+{
+ expand_state_t *state = (expand_state_t *) data;
+ role_datum_t *role = (role_datum_t *) datum;
+ role_datum_t *dest;
+ uint32_t bounds_val;
+
+ if (!role->bounds)
+ return 0;
+
+ if (!is_id_enabled((char *)key, state->base, SYM_ROLES))
+ return 0;
+
+ bounds_val = state->rolemap[role->bounds - 1];
+
+ dest = hashtab_search(state->out->p_roles.table, (char *)key);
+ if (!dest) {
+ ERR(state->handle, "Role lookup failed for %s", (char *)key);
+ return -1;
+ }
+ if (dest->bounds != 0 && dest->bounds != bounds_val) {
+ ERR(state->handle, "Inconsistent boundary for %s", (char *)key);
+ return -1;
+ }
+ dest->bounds = bounds_val;
+
+ return 0;
+}
+
+static int user_bounds_copy_callback(hashtab_key_t key,
+ hashtab_datum_t datum, void *data)
+{
+ expand_state_t *state = (expand_state_t *) data;
+ user_datum_t *user = (user_datum_t *) datum;
+ user_datum_t *dest;
+ uint32_t bounds_val;
+
+ if (!user->bounds)
+ return 0;
+
+ if (!is_id_enabled((char *)key, state->base, SYM_USERS))
+ return 0;
+
+ bounds_val = state->usermap[user->bounds - 1];
+
+ dest = hashtab_search(state->out->p_users.table, (char *)key);
+ if (!dest) {
+ ERR(state->handle, "User lookup failed for %s", (char *)key);
+ return -1;
+ }
+ if (dest->bounds != 0 && dest->bounds != bounds_val) {
+ ERR(state->handle, "Inconsistent boundary for %s", (char *)key);
+ return -1;
+ }
+ dest->bounds = bounds_val;
+
+ return 0;
+}
+
+/* The aliases have to be copied after the types and attributes to be certain that
+ * the out symbol table will have the type that the alias refers. Otherwise, we
+ * won't be able to find the type value for the alias. We can't depend on the
+ * declaration ordering because of the hash table.
+ */
+static int alias_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
+ void *data)
+{
+ int ret;
+ char *id, *new_id;
+ type_datum_t *alias, *new_alias;
+ expand_state_t *state;
+ uint32_t prival;
+
+ id = (char *)key;
+ alias = (type_datum_t *) datum;
+ state = (expand_state_t *) data;
+
+ /* ignore regular types */
+ if (alias->flavor == TYPE_TYPE && alias->primary)
+ return 0;
+
+ /* ignore attributes */
+ if (alias->flavor == TYPE_ATTRIB)
+ return 0;
+
+ if (alias->flavor == TYPE_ALIAS)
+ prival = alias->primary;
+ else
+ prival = alias->s.value;
+
+ if (!is_id_enabled(state->base->p_type_val_to_name[prival - 1],
+ state->base, SYM_TYPES)) {
+ /* The primary type for this alias is not enabled, the alias
+ * shouldn't be either */
+ return 0;
+ }
+
+ if (state->verbose)
+ INFO(state->handle, "copying alias %s", id);
+
+ new_id = strdup(id);
+ if (!new_id) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+
+ new_alias = (type_datum_t *) malloc(sizeof(type_datum_t));
+ if (!new_alias) {
+ ERR(state->handle, "Out of memory!");
+ free(new_id);
+ return SEPOL_ENOMEM;
+ }
+ memset(new_alias, 0, sizeof(type_datum_t));
+ if (alias->flavor == TYPE_TYPE)
+ new_alias->s.value = state->typemap[alias->s.value - 1];
+ else if (alias->flavor == TYPE_ALIAS)
+ new_alias->s.value = state->typemap[alias->primary - 1];
+ else
+ assert(0); /* unreachable */
+
+ new_alias->flags = alias->flags;
+
+ ret = hashtab_insert(state->out->p_types.table,
+ (hashtab_key_t) new_id,
+ (hashtab_datum_t) new_alias);
+
+ if (ret) {
+ ERR(state->handle, "hashtab overflow");
+ free(new_alias);
+ free(new_id);
+ return -1;
+ }
+
+ state->typemap[alias->s.value - 1] = new_alias->s.value;
+
+ if (new_alias->flags & TYPE_FLAGS_PERMISSIVE)
+ if (ebitmap_set_bit(&state->out->permissive_map, new_alias->s.value, 1)) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+
+ return 0;
+}
+
+static int role_remap_dominates(hashtab_key_t key __attribute__ ((unused)), hashtab_datum_t datum, void *data)
+{
+ ebitmap_t mapped_roles;
+ role_datum_t *role = (role_datum_t *) datum;
+ expand_state_t *state = (expand_state_t *) data;
+
+ if (map_ebitmap(&role->dominates, &mapped_roles, state->rolemap))
+ return -1;
+
+ ebitmap_destroy(&role->dominates);
+
+ if (ebitmap_cpy(&role->dominates, &mapped_roles))
+ return -1;
+
+ ebitmap_destroy(&mapped_roles);
+
+ return 0;
+}
+
+/* For the role attribute in the base module, escalate its counterpart's
+ * types.types ebitmap in the out module to the counterparts of all the
+ * regular role that belongs to the current role attribute. Note, must be
+ * invoked after role_copy_callback so that state->rolemap is available.
+ */
+static int role_fix_callback(hashtab_key_t key, hashtab_datum_t datum,
+ void *data)
+{
+ char *id, *base_reg_role_id;
+ role_datum_t *role, *new_role, *regular_role;
+ expand_state_t *state;
+ ebitmap_node_t *rnode;
+ unsigned int i;
+ ebitmap_t mapped_roles;
+
+ id = key;
+ role = (role_datum_t *)datum;
+ state = (expand_state_t *)data;
+
+ if (strcmp(id, OBJECT_R) == 0) {
+ /* object_r is never a role attribute by far */
+ return 0;
+ }
+
+ if (role->flavor != ROLE_ATTRIB)
+ return 0;
+
+ if (state->verbose)
+ INFO(state->handle, "fixing role attribute %s", id);
+
+ new_role =
+ (role_datum_t *)hashtab_search(state->out->p_roles.table, id);
+
+ assert(new_role != NULL && new_role->flavor == ROLE_ATTRIB);
+
+ ebitmap_init(&mapped_roles);
+ if (map_ebitmap(&role->roles, &mapped_roles, state->rolemap))
+ return -1;
+ if (ebitmap_union(&new_role->roles, &mapped_roles)) {
+ ERR(state->handle, "Out of memory!");
+ ebitmap_destroy(&mapped_roles);
+ return -1;
+ }
+ ebitmap_destroy(&mapped_roles);
+
+ ebitmap_for_each_bit(&role->roles, rnode, i) {
+ if (ebitmap_node_get_bit(rnode, i)) {
+ /* take advantage of sym_val_to_name[]
+ * of the base module */
+ base_reg_role_id = state->base->p_role_val_to_name[i];
+ regular_role = (role_datum_t *)hashtab_search(
+ state->out->p_roles.table,
+ base_reg_role_id);
+ assert(regular_role != NULL &&
+ regular_role->flavor == ROLE_ROLE);
+
+ if (ebitmap_union(®ular_role->types.types,
+ &new_role->types.types)) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+ }
+ }
+
+ return 0;
+}
+
+static int role_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
+ void *data)
+{
+ int ret;
+ char *id, *new_id;
+ role_datum_t *role;
+ role_datum_t *new_role;
+ expand_state_t *state;
+ ebitmap_t tmp_union_types;
+
+ id = key;
+ role = (role_datum_t *) datum;
+ state = (expand_state_t *) data;
+
+ if (strcmp(id, OBJECT_R) == 0) {
+ /* object_r is always value 1 */
+ state->rolemap[role->s.value - 1] = 1;
+ return 0;
+ }
+
+ if (!is_id_enabled(id, state->base, SYM_ROLES)) {
+ /* identifier's scope is not enabled */
+ return 0;
+ }
+
+ if (state->verbose)
+ INFO(state->handle, "copying role %s", id);
+
+ new_role =
+ (role_datum_t *) hashtab_search(state->out->p_roles.table, id);
+ if (!new_role) {
+ new_role = (role_datum_t *) malloc(sizeof(role_datum_t));
+ if (!new_role) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+ memset(new_role, 0, sizeof(role_datum_t));
+
+ new_id = strdup(id);
+ if (!new_id) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+
+ state->out->p_roles.nprim++;
+ new_role->flavor = role->flavor;
+ new_role->s.value = state->out->p_roles.nprim;
+ state->rolemap[role->s.value - 1] = new_role->s.value;
+ ret = hashtab_insert(state->out->p_roles.table,
+ (hashtab_key_t) new_id,
+ (hashtab_datum_t) new_role);
+
+ if (ret) {
+ ERR(state->handle, "hashtab overflow");
+ free(new_role);
+ free(new_id);
+ return -1;
+ }
+ }
+
+ /* The dominates bitmap is going to be wrong for the moment,
+ * we'll come back later and remap them, after we are sure all
+ * the roles have been added */
+ if (ebitmap_union(&new_role->dominates, &role->dominates)) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+
+ ebitmap_init(&tmp_union_types);
+
+ /* convert types in the role datum in the global symtab */
+ if (expand_convert_type_set
+ (state->out, state->typemap, &role->types, &tmp_union_types, 1)) {
+ ebitmap_destroy(&tmp_union_types);
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+
+ if (ebitmap_union(&new_role->types.types, &tmp_union_types)) {
+ ERR(state->handle, "Out of memory!");
+ ebitmap_destroy(&tmp_union_types);
+ return -1;
+ }
+ ebitmap_destroy(&tmp_union_types);
+
+ return 0;
+}
+
+int mls_semantic_level_expand(mls_semantic_level_t * sl, mls_level_t * l,
+ policydb_t * p, sepol_handle_t * h)
+{
+ mls_semantic_cat_t *cat;
+ level_datum_t *levdatum;
+ unsigned int i;
+
+ mls_level_init(l);
+
+ if (!p->mls)
+ return 0;
+
+ /* Required not declared. */
+ if (!sl->sens)
+ return 0;
+
+ l->sens = sl->sens;
+ levdatum = (level_datum_t *) hashtab_search(p->p_levels.table,
+ p->p_sens_val_to_name[l->
+ sens -
+ 1]);
+ for (cat = sl->cat; cat; cat = cat->next) {
+ if (cat->low > cat->high) {
+ ERR(h, "Category range is not valid %s.%s",
+ p->p_cat_val_to_name[cat->low - 1],
+ p->p_cat_val_to_name[cat->high - 1]);
+ return -1;
+ }
+ for (i = cat->low - 1; i < cat->high; i++) {
+ if (!ebitmap_get_bit(&levdatum->level->cat, i)) {
+ ERR(h, "Category %s can not be associate with "
+ "level %s",
+ p->p_cat_val_to_name[i],
+ p->p_sens_val_to_name[l->sens - 1]);
+ }
+ if (ebitmap_set_bit(&l->cat, i, 1)) {
+ ERR(h, "Out of memory!");
+ return -1;
+ }
+ }
+ }
+
+ return 0;
+}
+
+int mls_semantic_range_expand(mls_semantic_range_t * sr, mls_range_t * r,
+ policydb_t * p, sepol_handle_t * h)
+{
+ if (mls_semantic_level_expand(&sr->level[0], &r->level[0], p, h) < 0)
+ return -1;
+
+ if (mls_semantic_level_expand(&sr->level[1], &r->level[1], p, h) < 0) {
+ mls_semantic_level_destroy(&sr->level[0]);
+ return -1;
+ }
+
+ if (!mls_level_dom(&r->level[1], &r->level[0])) {
+ mls_range_destroy(r);
+ ERR(h, "MLS range high level does not dominate low level");
+ return -1;
+ }
+
+ return 0;
+}
+
+static int user_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
+ void *data)
+{
+ int ret;
+ expand_state_t *state;
+ user_datum_t *user;
+ user_datum_t *new_user;
+ char *id, *new_id;
+ ebitmap_t tmp_union;
+
+ id = key;
+ user = (user_datum_t *) datum;
+ state = (expand_state_t *) data;
+
+ if (!is_id_enabled(id, state->base, SYM_USERS)) {
+ /* identifier's scope is not enabled */
+ return 0;
+ }
+
+ if (state->verbose)
+ INFO(state->handle, "copying user %s", id);
+
+ new_user =
+ (user_datum_t *) hashtab_search(state->out->p_users.table, id);
+ if (!new_user) {
+ new_user = (user_datum_t *) malloc(sizeof(user_datum_t));
+ if (!new_user) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+ memset(new_user, 0, sizeof(user_datum_t));
+
+ state->out->p_users.nprim++;
+ new_user->s.value = state->out->p_users.nprim;
+ state->usermap[user->s.value - 1] = new_user->s.value;
+
+ new_id = strdup(id);
+ if (!new_id) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+ ret = hashtab_insert(state->out->p_users.table,
+ (hashtab_key_t) new_id,
+ (hashtab_datum_t) new_user);
+ if (ret) {
+ ERR(state->handle, "hashtab overflow");
+ user_datum_destroy(new_user);
+ free(new_user);
+ free(new_id);
+ return -1;
+ }
+
+ /* expand the semantic MLS info */
+ if (mls_semantic_range_expand(&user->range,
+ &new_user->exp_range,
+ state->out, state->handle)) {
+ return -1;
+ }
+ if (mls_semantic_level_expand(&user->dfltlevel,
+ &new_user->exp_dfltlevel,
+ state->out, state->handle)) {
+ return -1;
+ }
+ if (!mls_level_between(&new_user->exp_dfltlevel,
+ &new_user->exp_range.level[0],
+ &new_user->exp_range.level[1])) {
+ ERR(state->handle, "default level not within user "
+ "range");
+ return -1;
+ }
+ } else {
+ /* require that the MLS info match */
+ mls_range_t tmp_range;
+ mls_level_t tmp_level;
+
+ if (mls_semantic_range_expand(&user->range, &tmp_range,
+ state->out, state->handle)) {
+ return -1;
+ }
+ if (mls_semantic_level_expand(&user->dfltlevel, &tmp_level,
+ state->out, state->handle)) {
+ mls_range_destroy(&tmp_range);
+ return -1;
+ }
+ if (!mls_range_eq(&new_user->exp_range, &tmp_range) ||
+ !mls_level_eq(&new_user->exp_dfltlevel, &tmp_level)) {
+ mls_range_destroy(&tmp_range);
+ mls_level_destroy(&tmp_level);
+ return -1;
+ }
+ mls_range_destroy(&tmp_range);
+ mls_level_destroy(&tmp_level);
+ }
+
+ ebitmap_init(&tmp_union);
+
+ /* get global roles for this user */
+ if (role_set_expand(&user->roles, &tmp_union, state->out, state->base, state->rolemap)) {
+ ERR(state->handle, "Out of memory!");
+ ebitmap_destroy(&tmp_union);
+ return -1;
+ }
+
+ if (ebitmap_union(&new_user->roles.roles, &tmp_union)) {
+ ERR(state->handle, "Out of memory!");
+ ebitmap_destroy(&tmp_union);
+ return -1;
+ }
+ ebitmap_destroy(&tmp_union);
+
+ return 0;
+}
+
+static int bool_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
+ void *data)
+{
+ int ret;
+ expand_state_t *state;
+ cond_bool_datum_t *bool, *new_bool;
+ char *id, *new_id;
+
+ id = key;
+ bool = (cond_bool_datum_t *) datum;
+ state = (expand_state_t *) data;
+
+ if (!is_id_enabled(id, state->base, SYM_BOOLS)) {
+ /* identifier's scope is not enabled */
+ return 0;
+ }
+
+ if (state->verbose)
+ INFO(state->handle, "copying boolean %s", id);
+
+ new_bool = (cond_bool_datum_t *) malloc(sizeof(cond_bool_datum_t));
+ if (!new_bool) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+
+ new_id = strdup(id);
+ if (!new_id) {
+ ERR(state->handle, "Out of memory!");
+ free(new_bool);
+ return -1;
+ }
+
+ state->out->p_bools.nprim++;
+ new_bool->s.value = state->out->p_bools.nprim;
+
+ ret = hashtab_insert(state->out->p_bools.table,
+ (hashtab_key_t) new_id,
+ (hashtab_datum_t) new_bool);
+ if (ret) {
+ ERR(state->handle, "hashtab overflow");
+ free(new_bool);
+ free(new_id);
+ return -1;
+ }
+
+ state->boolmap[bool->s.value - 1] = new_bool->s.value;
+
+ new_bool->state = bool->state;
+
+ return 0;
+}
+
+static int sens_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
+ void *data)
+{
+ expand_state_t *state = (expand_state_t *) data;
+ level_datum_t *level = (level_datum_t *) datum, *new_level = NULL;
+ char *id = (char *)key, *new_id = NULL;
+
+ if (!is_id_enabled(id, state->base, SYM_LEVELS)) {
+ /* identifier's scope is not enabled */
+ return 0;
+ }
+
+ if (state->verbose)
+ INFO(state->handle, "copying sensitivity level %s", id);
+
+ new_level = (level_datum_t *) malloc(sizeof(level_datum_t));
+ if (!new_level)
+ goto out_of_mem;
+ level_datum_init(new_level);
+ new_level->level = (mls_level_t *) malloc(sizeof(mls_level_t));
+ if (!new_level->level)
+ goto out_of_mem;
+ mls_level_init(new_level->level);
+ new_id = strdup(id);
+ if (!new_id)
+ goto out_of_mem;
+
+ if (mls_level_cpy(new_level->level, level->level)) {
+ goto out_of_mem;
+ }
+ new_level->isalias = level->isalias;
+ state->out->p_levels.nprim++;
+
+ if (hashtab_insert(state->out->p_levels.table,
+ (hashtab_key_t) new_id,
+ (hashtab_datum_t) new_level)) {
+ goto out_of_mem;
+ }
+ return 0;
+
+ out_of_mem:
+ ERR(state->handle, "Out of memory!");
+ if (new_level != NULL && new_level->level != NULL) {
+ mls_level_destroy(new_level->level);
+ free(new_level->level);
+ }
+ level_datum_destroy(new_level);
+ free(new_level);
+ free(new_id);
+ return -1;
+}
+
+static int cats_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
+ void *data)
+{
+ expand_state_t *state = (expand_state_t *) data;
+ cat_datum_t *cat = (cat_datum_t *) datum, *new_cat = NULL;
+ char *id = (char *)key, *new_id = NULL;
+
+ if (!is_id_enabled(id, state->base, SYM_CATS)) {
+ /* identifier's scope is not enabled */
+ return 0;
+ }
+
+ if (state->verbose)
+ INFO(state->handle, "copying category attribute %s", id);
+
+ new_cat = (cat_datum_t *) malloc(sizeof(cat_datum_t));
+ if (!new_cat)
+ goto out_of_mem;
+ cat_datum_init(new_cat);
+ new_id = strdup(id);
+ if (!new_id)
+ goto out_of_mem;
+
+ new_cat->s.value = cat->s.value;
+ new_cat->isalias = cat->isalias;
+ state->out->p_cats.nprim++;
+ if (hashtab_insert(state->out->p_cats.table,
+ (hashtab_key_t) new_id, (hashtab_datum_t) new_cat)) {
+ goto out_of_mem;
+ }
+
+ return 0;
+
+ out_of_mem:
+ ERR(state->handle, "Out of memory!");
+ cat_datum_destroy(new_cat);
+ free(new_cat);
+ free(new_id);
+ return -1;
+}
+
+static int copy_role_allows(expand_state_t * state, role_allow_rule_t * rules)
+{
+ unsigned int i, j;
+ role_allow_t *cur_allow, *n, *l;
+ role_allow_rule_t *cur;
+ ebitmap_t roles, new_roles;
+ ebitmap_node_t *snode, *tnode;
+
+ /* start at the end of the list */
+ for (l = state->out->role_allow; l && l->next; l = l->next) ;
+
+ cur = rules;
+ while (cur) {
+ ebitmap_init(&roles);
+ ebitmap_init(&new_roles);
+
+ if (role_set_expand(&cur->roles, &roles, state->out, state->base, state->rolemap)) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+
+ if (role_set_expand(&cur->new_roles, &new_roles, state->out, state->base, state->rolemap)) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+
+ ebitmap_for_each_bit(&roles, snode, i) {
+ if (!ebitmap_node_get_bit(snode, i))
+ continue;
+ ebitmap_for_each_bit(&new_roles, tnode, j) {
+ if (!ebitmap_node_get_bit(tnode, j))
+ continue;
+ /* check for duplicates */
+ cur_allow = state->out->role_allow;
+ while (cur_allow) {
+ if ((cur_allow->role == i + 1) &&
+ (cur_allow->new_role == j + 1))
+ break;
+ cur_allow = cur_allow->next;
+ }
+ if (cur_allow)
+ continue;
+ n = (role_allow_t *)
+ malloc(sizeof(role_allow_t));
+ if (!n) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+ memset(n, 0, sizeof(role_allow_t));
+ n->role = i + 1;
+ n->new_role = j + 1;
+ if (l) {
+ l->next = n;
+ } else {
+ state->out->role_allow = n;
+ }
+ l = n;
+ }
+ }
+
+ ebitmap_destroy(&roles);
+ ebitmap_destroy(&new_roles);
+
+ cur = cur->next;
+ }
+
+ return 0;
+}
+
+static int copy_role_trans(expand_state_t * state, role_trans_rule_t * rules)
+{
+ unsigned int i, j, k;
+ role_trans_t *n, *l, *cur_trans;
+ role_trans_rule_t *cur;
+ ebitmap_t roles, types;
+ ebitmap_node_t *rnode, *tnode, *cnode;
+
+ /* start at the end of the list */
+ for (l = state->out->role_tr; l && l->next; l = l->next) ;
+
+ cur = rules;
+ while (cur) {
+ ebitmap_init(&roles);
+ ebitmap_init(&types);
+
+ if (role_set_expand(&cur->roles, &roles, state->out, state->base, state->rolemap)) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+ if (expand_convert_type_set
+ (state->out, state->typemap, &cur->types, &types, 1)) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+ ebitmap_for_each_bit(&roles, rnode, i) {
+ if (!ebitmap_node_get_bit(rnode, i))
+ continue;
+ ebitmap_for_each_bit(&types, tnode, j) {
+ if (!ebitmap_node_get_bit(tnode, j))
+ continue;
+ ebitmap_for_each_bit(&cur->classes, cnode, k) {
+ if (!ebitmap_node_get_bit(cnode, k))
+ continue;
+
+ cur_trans = state->out->role_tr;
+ while (cur_trans) {
+ if ((cur_trans->role ==
+ i + 1) &&
+ (cur_trans->type ==
+ j + 1) &&
+ (cur_trans->tclass ==
+ k + 1)) {
+ if (cur_trans->
+ new_role ==
+ cur->new_role) {
+ break;
+ } else {
+ ERR(state->handle,
+ "Conflicting role trans rule %s %s : %s %s",
+ state->out->p_role_val_to_name[i],
+ state->out->p_type_val_to_name[j],
+ state->out->p_class_val_to_name[k],
+ state->out->p_role_val_to_name[cur->new_role - 1]);
+ return -1;
+ }
+ }
+ cur_trans = cur_trans->next;
+ }
+ if (cur_trans)
+ continue;
+
+ n = (role_trans_t *)
+ malloc(sizeof(role_trans_t));
+ if (!n) {
+ ERR(state->handle,
+ "Out of memory!");
+ return -1;
+ }
+ memset(n, 0, sizeof(role_trans_t));
+ n->role = i + 1;
+ n->type = j + 1;
+ n->tclass = k + 1;
+ n->new_role = state->rolemap
+ [cur->new_role - 1];
+ if (l)
+ l->next = n;
+ else
+ state->out->role_tr = n;
+
+ l = n;
+ }
+ }
+ }
+
+ ebitmap_destroy(&roles);
+ ebitmap_destroy(&types);
+
+ cur = cur->next;
+ }
+ return 0;
+}
+
+static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *rules)
+{
+ unsigned int i, j;
+ filename_trans_t *new_trans, *tail, *cur_trans;
+ filename_trans_rule_t *cur_rule;
+ ebitmap_t stypes, ttypes;
+ ebitmap_node_t *snode, *tnode;
+
+ /* start at the end of the list */
+ tail = state->out->filename_trans;
+ while (tail && tail->next)
+ tail = tail->next;
+
+ cur_rule = rules;
+ while (cur_rule) {
+ ebitmap_init(&stypes);
+ ebitmap_init(&ttypes);
+
+ if (expand_convert_type_set(state->out, state->typemap,
+ &cur_rule->stypes, &stypes, 1)) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+
+ if (expand_convert_type_set(state->out, state->typemap,
+ &cur_rule->ttypes, &ttypes, 1)) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+
+ ebitmap_for_each_bit(&stypes, snode, i) {
+ if (!ebitmap_node_get_bit(snode, i))
+ continue;
+ ebitmap_for_each_bit(&ttypes, tnode, j) {
+ if (!ebitmap_node_get_bit(tnode, j))
+ continue;
+
+ cur_trans = state->out->filename_trans;
+ while (cur_trans) {
+ if ((cur_trans->stype == i + 1) &&
+ (cur_trans->ttype == j + 1) &&
+ (cur_trans->tclass == cur_rule->tclass) &&
+ (!strcmp(cur_trans->name, cur_rule->name))) {
+ /* duplicate rule, who cares */
+ if (cur_trans->otype == cur_rule->otype)
+ break;
+
+ ERR(state->handle, "Conflicting filename trans rules %s %s %s : %s otype1:%s otype2:%s",
+ cur_trans->name,
+ state->out->p_type_val_to_name[i],
+ state->out->p_type_val_to_name[j],
+ state->out->p_class_val_to_name[cur_trans->tclass - 1],
+ state->out->p_type_val_to_name[cur_trans->otype - 1],
+ state->out->p_type_val_to_name[state->typemap[cur_rule->otype - 1] - 1]);
+
+ return -1;
+ }
+ cur_trans = cur_trans->next;
+ }
+ /* duplicate rule, who cares */
+ if (cur_trans)
+ continue;
+
+ new_trans = malloc(sizeof(*new_trans));
+ if (!new_trans) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+ memset(new_trans, 0, sizeof(*new_trans));
+ if (tail)
+ tail->next = new_trans;
+ else
+ state->out->filename_trans = new_trans;
+ tail = new_trans;
+
+ new_trans->name = strdup(cur_rule->name);
+ if (!new_trans->name) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+ new_trans->stype = i + 1;
+ new_trans->ttype = j + 1;
+ new_trans->tclass = cur_rule->tclass;
+ new_trans->otype = state->typemap[cur_rule->otype - 1];
+ }
+ }
+
+ ebitmap_destroy(&stypes);
+ ebitmap_destroy(&ttypes);
+
+ cur_rule = cur_rule->next;
+ }
+ return 0;
+}
+
+static int exp_rangetr_helper(uint32_t stype, uint32_t ttype, uint32_t tclass,
+ mls_semantic_range_t * trange,
+ expand_state_t * state)
+{
+ range_trans_t *rt, *check_rt = state->out->range_tr;
+ mls_range_t exp_range;
+ int rc = -1;
+
+ if (mls_semantic_range_expand(trange, &exp_range, state->out,
+ state->handle))
+ goto out;
+
+ /* check for duplicates/conflicts */
+ while (check_rt) {
+ if ((check_rt->source_type == stype) &&
+ (check_rt->target_type == ttype) &&
+ (check_rt->target_class == tclass)) {
+ if (mls_range_eq(&check_rt->target_range, &exp_range)) {
+ /* duplicate */
+ break;
+ } else {
+ /* conflict */
+ ERR(state->handle,
+ "Conflicting range trans rule %s %s : %s",
+ state->out->p_type_val_to_name[stype - 1],
+ state->out->p_type_val_to_name[ttype - 1],
+ state->out->p_class_val_to_name[tclass -
+ 1]);
+ goto out;
+ }
+ }
+ check_rt = check_rt->next;
+ }
+ if (check_rt) {
+ /* this is a dup - skip */
+ rc = 0;
+ goto out;
+ }
+
+ rt = (range_trans_t *) calloc(1, sizeof(range_trans_t));
+ if (!rt) {
+ ERR(state->handle, "Out of memory!");
+ goto out;
+ }
+
+ rt->next = state->out->range_tr;
+ state->out->range_tr = rt;
+
+ rt->source_type = stype;
+ rt->target_type = ttype;
+ rt->target_class = tclass;
+ if (mls_range_cpy(&rt->target_range, &exp_range)) {
+ ERR(state->handle, "Out of memory!");
+ goto out;
+ }
+
+ rc = 0;
+
+ out:
+ mls_range_destroy(&exp_range);
+ return rc;
+}
+
+static int expand_range_trans(expand_state_t * state,
+ range_trans_rule_t * rules)
+{
+ unsigned int i, j, k;
+ range_trans_rule_t *rule;
+
+ ebitmap_t stypes, ttypes;
+ ebitmap_node_t *snode, *tnode, *cnode;
+
+ if (state->verbose)
+ INFO(state->handle, "expanding range transitions");
+
+ for (rule = rules; rule; rule = rule->next) {
+ ebitmap_init(&stypes);
+ ebitmap_init(&ttypes);
+
+ /* expand the type sets */
+ if (expand_convert_type_set(state->out, state->typemap,
+ &rule->stypes, &stypes, 1)) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+ if (expand_convert_type_set(state->out, state->typemap,
+ &rule->ttypes, &ttypes, 1)) {
+ ebitmap_destroy(&stypes);
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+
+ /* loop on source type */
+ ebitmap_for_each_bit(&stypes, snode, i) {
+ if (!ebitmap_node_get_bit(snode, i))
+ continue;
+ /* loop on target type */
+ ebitmap_for_each_bit(&ttypes, tnode, j) {
+ if (!ebitmap_node_get_bit(tnode, j))
+ continue;
+ /* loop on target class */
+ ebitmap_for_each_bit(&rule->tclasses, cnode, k) {
+ if (!ebitmap_node_get_bit(cnode, k))
+ continue;
+
+ if (exp_rangetr_helper(i + 1,
+ j + 1,
+ k + 1,
+ &rule->trange,
+ state)) {
+ ebitmap_destroy(&stypes);
+ ebitmap_destroy(&ttypes);
+ return -1;
+ }
+ }
+ }
+ }
+
+ ebitmap_destroy(&stypes);
+ ebitmap_destroy(&ttypes);
+ }
+
+ return 0;
+}
+
+/* Search for an AV tab node within a hash table with the given key.
+ * If the node does not exist, create it and return it; otherwise
+ * return the pre-existing one.
+*/
+static avtab_ptr_t find_avtab_node(sepol_handle_t * handle,
+ avtab_t * avtab, avtab_key_t * key,
+ cond_av_list_t ** cond)
+{
+ avtab_ptr_t node;
+ avtab_datum_t avdatum;
+ cond_av_list_t *nl;
+
+ node = avtab_search_node(avtab, key);
+
+ /* If this is for conditional policies, keep searching in case
+ the node is part of my conditional avtab. */
+ if (cond) {
+ while (node) {
+ if (node->parse_context == cond)
+ break;
+ node = avtab_search_node_next(node, key->specified);
+ }
+ }
+
+ if (!node) {
+ memset(&avdatum, 0, sizeof avdatum);
+ /* this is used to get the node - insertion is actually unique */
+ node = avtab_insert_nonunique(avtab, key, &avdatum);
+ if (!node) {
+ ERR(handle, "hash table overflow");
+ return NULL;
+ }
+ if (cond) {
+ node->parse_context = cond;
+ nl = (cond_av_list_t *) malloc(sizeof(cond_av_list_t));
+ if (!nl) {
+ ERR(handle, "Memory error");
+ return NULL;
+ }
+ memset(nl, 0, sizeof(cond_av_list_t));
+ nl->node = node;
+ nl->next = *cond;
+ *cond = nl;
+ }
+ }
+
+ return node;
+}
+
+#define EXPAND_RULE_SUCCESS 1
+#define EXPAND_RULE_CONFLICT 0
+#define EXPAND_RULE_ERROR -1
+
+static int expand_terule_helper(sepol_handle_t * handle,
+ policydb_t * p, uint32_t * typemap,
+ uint32_t specified, cond_av_list_t ** cond,
+ cond_av_list_t ** other, uint32_t stype,
+ uint32_t ttype, class_perm_node_t * perms,
+ avtab_t * avtab, int enabled)
+{
+ avtab_key_t avkey;
+ avtab_datum_t *avdatump;
+ avtab_ptr_t node;
+ class_perm_node_t *cur;
+ int conflict;
+ uint32_t oldtype = 0, spec = 0;
+
+ if (specified & AVRULE_TRANSITION) {
+ spec = AVTAB_TRANSITION;
+ } else if (specified & AVRULE_MEMBER) {
+ spec = AVTAB_MEMBER;
+ } else if (specified & AVRULE_CHANGE) {
+ spec = AVTAB_CHANGE;
+ } else {
+ assert(0); /* unreachable */
+ }
+
+ cur = perms;
+ while (cur) {
+ uint32_t remapped_data =
+ typemap ? typemap[cur->data - 1] : cur->data;
+ avkey.source_type = stype + 1;
+ avkey.target_type = ttype + 1;
+ avkey.target_class = cur->class;
+ avkey.specified = spec;
+
+ conflict = 0;
+ /* check to see if the expanded TE already exists --
+ * either in the global scope or in another
+ * conditional AV tab */
+ node = avtab_search_node(&p->te_avtab, &avkey);
+ if (node) {
+ conflict = 1;
+ } else {
+ node = avtab_search_node(&p->te_cond_avtab, &avkey);
+ if (node && node->parse_context != other) {
+ conflict = 2;
+ }
+ }
+
+ if (conflict) {
+ avdatump = &node->datum;
+ if (specified & AVRULE_TRANSITION) {
+ oldtype = avdatump->data;
+ } else if (specified & AVRULE_MEMBER) {
+ oldtype = avdatump->data;
+ } else if (specified & AVRULE_CHANGE) {
+ oldtype = avdatump->data;
+ }
+
+ if (oldtype == remapped_data) {
+ /* if the duplicate is inside the same scope (eg., unconditional
+ * or in same conditional then ignore it */
+ if ((conflict == 1 && cond == NULL)
+ || node->parse_context == cond)
+ return EXPAND_RULE_SUCCESS;
+ ERR(handle, "duplicate TE rule for %s %s:%s %s",
+ p->p_type_val_to_name[avkey.source_type -
+ 1],
+ p->p_type_val_to_name[avkey.target_type -
+ 1],
+ p->p_class_val_to_name[avkey.target_class -
+ 1],
+ p->p_type_val_to_name[oldtype - 1]);
+ return EXPAND_RULE_CONFLICT;
+ }
+ ERR(handle,
+ "conflicting TE rule for (%s, %s:%s): old was %s, new is %s",
+ p->p_type_val_to_name[avkey.source_type - 1],
+ p->p_type_val_to_name[avkey.target_type - 1],
+ p->p_class_val_to_name[avkey.target_class - 1],
+ p->p_type_val_to_name[oldtype - 1],
+ p->p_type_val_to_name[remapped_data - 1]);
+ return EXPAND_RULE_CONFLICT;
+ }
+
+ node = find_avtab_node(handle, avtab, &avkey, cond);
+ if (!node)
+ return -1;
+ if (enabled) {
+ node->key.specified |= AVTAB_ENABLED;
+ } else {
+ node->key.specified &= ~AVTAB_ENABLED;
+ }
+
+ avdatump = &node->datum;
+ if (specified & AVRULE_TRANSITION) {
+ avdatump->data = remapped_data;
+ } else if (specified & AVRULE_MEMBER) {
+ avdatump->data = remapped_data;
+ } else if (specified & AVRULE_CHANGE) {
+ avdatump->data = remapped_data;
+ } else {
+ assert(0); /* should never occur */
+ }
+
+ cur = cur->next;
+ }
+
+ return EXPAND_RULE_SUCCESS;
+}
+
+static int expand_avrule_helper(sepol_handle_t * handle,
+ uint32_t specified,
+ cond_av_list_t ** cond,
+ uint32_t stype, uint32_t ttype,
+ class_perm_node_t * perms, avtab_t * avtab,
+ int enabled)
+{
+ avtab_key_t avkey;
+ avtab_datum_t *avdatump;
+ avtab_ptr_t node;
+ class_perm_node_t *cur;
+ uint32_t spec = 0;
+
+ if (specified & AVRULE_ALLOWED) {
+ spec = AVTAB_ALLOWED;
+ } else if (specified & AVRULE_AUDITALLOW) {
+ spec = AVTAB_AUDITALLOW;
+ } else if (specified & AVRULE_AUDITDENY) {
+ spec = AVTAB_AUDITDENY;
+ } else if (specified & AVRULE_DONTAUDIT) {
+ if (handle && handle->disable_dontaudit)
+ return EXPAND_RULE_SUCCESS;
+ spec = AVTAB_AUDITDENY;
+ } else if (specified & AVRULE_NEVERALLOW) {
+ spec = AVTAB_NEVERALLOW;
+ } else {
+ assert(0); /* unreachable */
+ }
+
+ cur = perms;
+ while (cur) {
+ avkey.source_type = stype + 1;
+ avkey.target_type = ttype + 1;
+ avkey.target_class = cur->class;
+ avkey.specified = spec;
+
+ node = find_avtab_node(handle, avtab, &avkey, cond);
+ if (!node)
+ return EXPAND_RULE_ERROR;
+ if (enabled) {
+ node->key.specified |= AVTAB_ENABLED;
+ } else {
+ node->key.specified &= ~AVTAB_ENABLED;
+ }
+
+ avdatump = &node->datum;
+ if (specified & AVRULE_ALLOWED) {
+ avdatump->data |= cur->data;
+ } else if (specified & AVRULE_AUDITALLOW) {
+ avdatump->data |= cur->data;
+ } else if (specified & AVRULE_NEVERALLOW) {
+ avdatump->data |= cur->data;
+ } else if (specified & AVRULE_AUDITDENY) {
+ /* Since a '0' in an auditdeny mask represents
+ * a permission we do NOT want to audit
+ * (dontaudit), we use the '&' operand to
+ * ensure that all '0's in the mask are
+ * retained (much unlike the allow and
+ * auditallow cases).
+ */
+ avdatump->data &= cur->data;
+ } else if (specified & AVRULE_DONTAUDIT) {
+ if (avdatump->data)
+ avdatump->data &= ~cur->data;
+ else
+ avdatump->data = ~cur->data;
+ } else {
+ assert(0); /* should never occur */
+ }
+
+ cur = cur->next;
+ }
+ return EXPAND_RULE_SUCCESS;
+}
+
+static int expand_rule_helper(sepol_handle_t * handle,
+ policydb_t * p, uint32_t * typemap,
+ avrule_t * source_rule, avtab_t * dest_avtab,
+ cond_av_list_t ** cond, cond_av_list_t ** other,
+ int enabled,
+ ebitmap_t * stypes, ebitmap_t * ttypes)
+{
+ unsigned int i, j;
+ int retval;
+ ebitmap_node_t *snode, *tnode;
+
+ ebitmap_for_each_bit(stypes, snode, i) {
+ if (!ebitmap_node_get_bit(snode, i))
+ continue;
+ if (source_rule->flags & RULE_SELF) {
+ if (source_rule->specified & AVRULE_AV) {
+ if ((retval =
+ expand_avrule_helper(handle,
+ source_rule->
+ specified, cond, i, i,
+ source_rule->perms,
+ dest_avtab,
+ enabled)) !=
+ EXPAND_RULE_SUCCESS) {
+ return retval;
+ }
+ } else {
+ if ((retval =
+ expand_terule_helper(handle, p,
+ typemap,
+ source_rule->
+ specified, cond,
+ other, i, i,
+ source_rule->perms,
+ dest_avtab,
+ enabled)) !=
+ EXPAND_RULE_SUCCESS) {
+ return retval;
+ }
+ }
+ }
+ ebitmap_for_each_bit(ttypes, tnode, j) {
+ if (!ebitmap_node_get_bit(tnode, j))
+ continue;
+ if (source_rule->specified & AVRULE_AV) {
+ if ((retval =
+ expand_avrule_helper(handle,
+ source_rule->
+ specified, cond, i, j,
+ source_rule->perms,
+ dest_avtab,
+ enabled)) !=
+ EXPAND_RULE_SUCCESS) {
+ return retval;
+ }
+ } else {
+ if ((retval =
+ expand_terule_helper(handle, p,
+ typemap,
+ source_rule->
+ specified, cond,
+ other, i, j,
+ source_rule->perms,
+ dest_avtab,
+ enabled)) !=
+ EXPAND_RULE_SUCCESS) {
+ return retval;
+ }
+ }
+ }
+ }
+
+ return EXPAND_RULE_SUCCESS;
+}
+
+/*
+ * Expand a rule into a given avtab - checking for conflicting type
+ * rules in the destination policy. Return EXPAND_RULE_SUCCESS on
+ * success, EXPAND_RULE_CONFLICT if the rule conflicts with something
+ * (and hence was not added), or EXPAND_RULE_ERROR on error.
+ */
+static int convert_and_expand_rule(sepol_handle_t * handle,
+ policydb_t * dest_pol, uint32_t * typemap,
+ avrule_t * source_rule, avtab_t * dest_avtab,
+ cond_av_list_t ** cond,
+ cond_av_list_t ** other, int enabled,
+ int do_neverallow)
+{
+ int retval;
+ ebitmap_t stypes, ttypes;
+ unsigned char alwaysexpand;
+
+ if (!do_neverallow && source_rule->specified & AVRULE_NEVERALLOW)
+ return EXPAND_RULE_SUCCESS;
+
+ ebitmap_init(&stypes);
+ ebitmap_init(&ttypes);
+
+ /* Force expansion for type rules and for self rules. */
+ alwaysexpand = ((source_rule->specified & AVRULE_TYPE) ||
+ (source_rule->flags & RULE_SELF));
+
+ if (expand_convert_type_set
+ (dest_pol, typemap, &source_rule->stypes, &stypes, alwaysexpand))
+ return EXPAND_RULE_ERROR;
+ if (expand_convert_type_set
+ (dest_pol, typemap, &source_rule->ttypes, &ttypes, alwaysexpand))
+ return EXPAND_RULE_ERROR;
+
+ retval = expand_rule_helper(handle, dest_pol, typemap,
+ source_rule, dest_avtab,
+ cond, other, enabled, &stypes, &ttypes);
+ ebitmap_destroy(&stypes);
+ ebitmap_destroy(&ttypes);
+ return retval;
+}
+
+static int cond_avrule_list_copy(policydb_t * dest_pol, avrule_t * source_rules,
+ avtab_t * dest_avtab, cond_av_list_t ** list,
+ cond_av_list_t ** other, uint32_t * typemap,
+ int enabled, expand_state_t * state)
+{
+ avrule_t *cur;
+
+ cur = source_rules;
+ while (cur) {
+ if (convert_and_expand_rule(state->handle, dest_pol,
+ typemap, cur, dest_avtab,
+ list, other, enabled,
+ 0) != EXPAND_RULE_SUCCESS) {
+ return -1;
+ }
+
+ cur = cur->next;
+ }
+
+ return 0;
+}
+
+static int cond_node_map_bools(expand_state_t * state, cond_node_t * cn)
+{
+ cond_expr_t *cur;
+ unsigned int i;
+
+ cur = cn->expr;
+ while (cur) {
+ if (cur->bool)
+ cur->bool = state->boolmap[cur->bool - 1];
+ cur = cur->next;
+ }
+
+ for (i = 0; i < min(cn->nbools, COND_MAX_BOOLS); i++)
+ cn->bool_ids[i] = state->boolmap[cn->bool_ids[i] - 1];
+
+ if (cond_normalize_expr(state->out, cn)) {
+ ERR(state->handle, "Error while normalizing conditional");
+ return -1;
+ }
+
+ return 0;
+}
+
+/* copy the nodes in *reverse* order -- the result is that the last
+ * given conditional appears first in the policy, so as to match the
+ * behavior of the upstream compiler */
+static int cond_node_copy(expand_state_t * state, cond_node_t * cn)
+{
+ cond_node_t *new_cond, *tmp;
+
+ if (cn == NULL) {
+ return 0;
+ }
+ if (cond_node_copy(state, cn->next)) {
+ return -1;
+ }
+ if (cond_normalize_expr(state->base, cn)) {
+ ERR(state->handle, "Error while normalizing conditional");
+ return -1;
+ }
+
+ /* create a new temporary conditional node with the booleans
+ * mapped */
+ tmp = cond_node_create(state->base, cn);
+ if (!tmp) {
+ ERR(state->handle, "Out of memory");
+ return -1;
+ }
+
+ if (cond_node_map_bools(state, tmp)) {
+ ERR(state->handle, "Error mapping booleans");
+ return -1;
+ }
+
+ new_cond = cond_node_search(state->out, state->out->cond_list, tmp);
+ if (!new_cond) {
+ cond_node_destroy(tmp);
+ free(tmp);
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+ cond_node_destroy(tmp);
+ free(tmp);
+
+ if (cond_avrule_list_copy
+ (state->out, cn->avtrue_list, &state->out->te_cond_avtab,
+ &new_cond->true_list, &new_cond->false_list, state->typemap,
+ new_cond->cur_state, state))
+ return -1;
+ if (cond_avrule_list_copy
+ (state->out, cn->avfalse_list, &state->out->te_cond_avtab,
+ &new_cond->false_list, &new_cond->true_list, state->typemap,
+ !new_cond->cur_state, state))
+ return -1;
+
+ return 0;
+}
+
+static int context_copy(context_struct_t * dst, context_struct_t * src,
+ expand_state_t * state)
+{
+ dst->user = state->usermap[src->user - 1];
+ dst->role = state->rolemap[src->role - 1];
+ dst->type = state->typemap[src->type - 1];
+ return mls_context_cpy(dst, src);
+}
+
+static int ocontext_copy_xen(expand_state_t *state)
+{
+ unsigned int i;
+ ocontext_t *c, *n, *l;
+
+ for (i = 0; i < OCON_NUM; i++) {
+ l = NULL;
+ for (c = state->base->ocontexts[i]; c; c = c->next) {
+ n = malloc(sizeof(ocontext_t));
+ if (!n) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+ memset(n, 0, sizeof(ocontext_t));
+ if (l)
+ l->next = n;
+ else
+ state->out->ocontexts[i] = n;
+ l = n;
+ if (context_copy(&n->context[0], &c->context[0],
+ state)) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+ switch (i) {
+ case OCON_XEN_ISID:
+ n->sid[0] = c->sid[0];
+ break;
+ case OCON_XEN_PIRQ:
+ n->u.pirq = c->u.pirq;
+ break;
+ case OCON_XEN_IOPORT:
+ n->u.ioport.low_ioport = c->u.ioport.low_ioport;
+ n->u.ioport.high_ioport =
+ c->u.ioport.high_ioport;
+ break;
+ case OCON_XEN_IOMEM:
+ n->u.iomem.low_iomem = c->u.iomem.low_iomem;
+ n->u.iomem.high_iomem = c->u.iomem.high_iomem;
+ break;
+ case OCON_XEN_PCIDEVICE:
+ n->u.device = c->u.device;
+ break;
+ default:
+ /* shouldn't get here */
+ ERR(state->handle, "Unknown ocontext");
+ return -1;
+ }
+ }
+ }
+ return 0;
+}
+
+static int ocontext_copy_selinux(expand_state_t *state)
+{
+ unsigned int i, j;
+ ocontext_t *c, *n, *l;
+
+ for (i = 0; i < OCON_NUM; i++) {
+ l = NULL;
+ for (c = state->base->ocontexts[i]; c; c = c->next) {
+ n = malloc(sizeof(ocontext_t));
+ if (!n) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+ memset(n, 0, sizeof(ocontext_t));
+ if (l)
+ l->next = n;
+ else
+ state->out->ocontexts[i] = n;
+ l = n;
+ if (context_copy(&n->context[0], &c->context[0], state)) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+ switch (i) {
+ case OCON_ISID:
+ n->sid[0] = c->sid[0];
+ break;
+ case OCON_FS: /* FALLTHROUGH */
+ case OCON_NETIF:
+ n->u.name = strdup(c->u.name);
+ if (!n->u.name) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+ if (context_copy
+ (&n->context[1], &c->context[1], state)) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+ break;
+ case OCON_PORT:
+ n->u.port.protocol = c->u.port.protocol;
+ n->u.port.low_port = c->u.port.low_port;
+ n->u.port.high_port = c->u.port.high_port;
+ break;
+ case OCON_NODE:
+ n->u.node.addr = c->u.node.addr;
+ n->u.node.mask = c->u.node.mask;
+ break;
+ case OCON_FSUSE:
+ n->v.behavior = c->v.behavior;
+ n->u.name = strdup(c->u.name);
+ if (!n->u.name) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+ break;
+ case OCON_NODE6:
+ for (j = 0; j < 4; j++)
+ n->u.node6.addr[j] = c->u.node6.addr[j];
+ for (j = 0; j < 4; j++)
+ n->u.node6.mask[j] = c->u.node6.mask[j];
+ break;
+ default:
+ /* shouldn't get here */
+ ERR(state->handle, "Unknown ocontext");
+ return -1;
+ }
+ }
+ }
+ return 0;
+}
+
+static int ocontext_copy(expand_state_t *state, uint32_t target)
+{
+ int rc = -1;
+ switch (target) {
+ case SEPOL_TARGET_SELINUX:
+ rc = ocontext_copy_selinux(state);
+ break;
+ case SEPOL_TARGET_XEN:
+ rc = ocontext_copy_xen(state);
+ break;
+ default:
+ ERR(state->handle, "Unknown target");
+ return -1;
+ }
+ return rc;
+}
+
+static int genfs_copy(expand_state_t * state)
+{
+ ocontext_t *c, *newc, *l;
+ genfs_t *genfs, *newgenfs, *end;
+
+ end = NULL;
+ for (genfs = state->base->genfs; genfs; genfs = genfs->next) {
+ newgenfs = malloc(sizeof(genfs_t));
+ if (!newgenfs) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+ memset(newgenfs, 0, sizeof(genfs_t));
+ newgenfs->fstype = strdup(genfs->fstype);
+ if (!newgenfs->fstype) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+
+ l = NULL;
+ for (c = genfs->head; c; c = c->next) {
+ newc = malloc(sizeof(ocontext_t));
+ if (!newc) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+ memset(newc, 0, sizeof(ocontext_t));
+ newc->u.name = strdup(c->u.name);
+ if (!newc->u.name) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+ newc->v.sclass = c->v.sclass;
+ context_copy(&newc->context[0], &c->context[0], state);
+ if (l)
+ l->next = newc;
+ else
+ newgenfs->head = newc;
+ l = newc;
+ }
+ if (!end) {
+ state->out->genfs = newgenfs;
+ } else {
+ end->next = newgenfs;
+ }
+ end = newgenfs;
+ }
+ return 0;
+}
+
+static int type_attr_map(hashtab_key_t key
+ __attribute__ ((unused)), hashtab_datum_t datum,
+ void *ptr)
+{
+ type_datum_t *type;
+ expand_state_t *state = ptr;
+ policydb_t *p = state->out;
+ unsigned int i;
+ ebitmap_node_t *tnode;
+
+ type = (type_datum_t *) datum;
+ if (type->flavor == TYPE_ATTRIB) {
+ if (ebitmap_cpy(&p->attr_type_map[type->s.value - 1],
+ &type->types)) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+ ebitmap_for_each_bit(&type->types, tnode, i) {
+ if (!ebitmap_node_get_bit(tnode, i))
+ continue;
+ if (ebitmap_set_bit(&p->type_attr_map[i],
+ type->s.value - 1, 1)) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+ }
+ }
+ return 0;
+}
+
+/* converts typeset using typemap and expands into ebitmap_t types using the attributes in the passed in policy.
+ * this should not be called until after all the blocks have been processed and the attributes in target policy
+ * are complete. */
+int expand_convert_type_set(policydb_t * p, uint32_t * typemap,
+ type_set_t * set, ebitmap_t * types,
+ unsigned char alwaysexpand)
+{
+ type_set_t tmpset;
+
+ type_set_init(&tmpset);
+
+ if (map_ebitmap(&set->types, &tmpset.types, typemap))
+ return -1;
+
+ if (map_ebitmap(&set->negset, &tmpset.negset, typemap))
+ return -1;
+
+ tmpset.flags = set->flags;
+
+ if (type_set_expand(&tmpset, types, p, alwaysexpand))
+ return -1;
+
+ type_set_destroy(&tmpset);
+
+ return 0;
+}
+
+/* Expand a rule into a given avtab - checking for conflicting type
+ * rules. Return 1 on success, 0 if the rule conflicts with something
+ * (and hence was not added), or -1 on error. */
+int expand_rule(sepol_handle_t * handle,
+ policydb_t * source_pol,
+ avrule_t * source_rule, avtab_t * dest_avtab,
+ cond_av_list_t ** cond, cond_av_list_t ** other, int enabled)
+{
+ int retval;
+ ebitmap_t stypes, ttypes;
+
+ if (source_rule->specified & AVRULE_NEVERALLOW)
+ return 1;
+
+ ebitmap_init(&stypes);
+ ebitmap_init(&ttypes);
+
+ if (type_set_expand(&source_rule->stypes, &stypes, source_pol, 1))
+ return -1;
+ if (type_set_expand(&source_rule->ttypes, &ttypes, source_pol, 1))
+ return -1;
+ retval = expand_rule_helper(handle, source_pol, NULL,
+ source_rule, dest_avtab,
+ cond, other, enabled, &stypes, &ttypes);
+ ebitmap_destroy(&stypes);
+ ebitmap_destroy(&ttypes);
+ return retval;
+}
+
+/* Expand a role set into an ebitmap containing the roles.
+ * This handles the attribute and flags.
+ * Attribute expansion depends on if the rolemap is available.
+ * During module compile the rolemap is not available, the
+ * possible duplicates of a regular role and the role attribute
+ * the regular role belongs to could be properly handled by
+ * copy_role_trans and copy_role_allow.
+ */
+int role_set_expand(role_set_t * x, ebitmap_t * r, policydb_t * out, policydb_t * base, uint32_t * rolemap)
+{
+ unsigned int i;
+ ebitmap_node_t *rnode;
+ ebitmap_t mapped_roles, roles;
+ policydb_t *p = out;
+ role_datum_t *role;
+
+ ebitmap_init(r);
+
+ if (x->flags & ROLE_STAR) {
+ for (i = 0; i < p->p_roles.nprim++; i++)
+ if (ebitmap_set_bit(r, i, 1))
+ return -1;
+ return 0;
+ }
+
+ ebitmap_init(&mapped_roles);
+ ebitmap_init(&roles);
+
+ if (rolemap) {
+ assert(base != NULL);
+ ebitmap_for_each_bit(&x->roles, rnode, i) {
+ if (ebitmap_node_get_bit(rnode, i)) {
+ /* take advantage of p_role_val_to_struct[]
+ * of the base module */
+ role = base->role_val_to_struct[i];
+ assert(role != NULL);
+ if (role->flavor == ROLE_ATTRIB) {
+ if (ebitmap_union(&roles,
+ &role->roles))
+ goto bad;
+ } else {
+ if (ebitmap_set_bit(&roles, i, 1))
+ goto bad;
+ }
+ }
+ }
+ if (map_ebitmap(&roles, &mapped_roles, rolemap))
+ goto bad;
+ } else {
+ if (ebitmap_cpy(&mapped_roles, &x->roles))
+ goto bad;
+ }
+
+ ebitmap_for_each_bit(&mapped_roles, rnode, i) {
+ if (ebitmap_node_get_bit(rnode, i)) {
+ if (ebitmap_set_bit(r, i, 1))
+ goto bad;
+ }
+ }
+
+ ebitmap_destroy(&mapped_roles);
+ ebitmap_destroy(&roles);
+
+ /* if role is to be complimented, invert the entire bitmap here */
+ if (x->flags & ROLE_COMP) {
+ for (i = 0; i < ebitmap_length(r); i++) {
+ if (ebitmap_get_bit(r, i)) {
+ if (ebitmap_set_bit(r, i, 0))
+ return -1;
+ } else {
+ if (ebitmap_set_bit(r, i, 1))
+ return -1;
+ }
+ }
+ }
+ return 0;
+
+bad:
+ ebitmap_destroy(&mapped_roles);
+ ebitmap_destroy(&roles);
+ return -1;
+}
+
+/* Expand a type set into an ebitmap containing the types. This
+ * handles the negset, attributes, and flags.
+ * Attribute expansion depends on several factors:
+ * - if alwaysexpand is 1, then they will be expanded,
+ * - if the type set has a negset or flags, then they will be expanded,
+ * - otherwise, they will not be expanded.
+ */
+int type_set_expand(type_set_t * set, ebitmap_t * t, policydb_t * p,
+ unsigned char alwaysexpand)
+{
+ unsigned int i;
+ ebitmap_t types, neg_types;
+ ebitmap_node_t *tnode;
+
+ ebitmap_init(&types);
+ ebitmap_init(t);
+
+ if (alwaysexpand || ebitmap_length(&set->negset) || set->flags) {
+ /* First go through the types and OR all the attributes to types */
+ ebitmap_for_each_bit(&set->types, tnode, i) {
+ if (ebitmap_node_get_bit(tnode, i)) {
+ if (p->type_val_to_struct[i]->flavor ==
+ TYPE_ATTRIB) {
+ if (ebitmap_union
+ (&types,
+ &p->type_val_to_struct[i]->
+ types)) {
+ return -1;
+ }
+ } else {
+ if (ebitmap_set_bit(&types, i, 1)) {
+ return -1;
+ }
+ }
+ }
+ }
+ } else {
+ /* No expansion of attributes, just copy the set as is. */
+ if (ebitmap_cpy(&types, &set->types))
+ return -1;
+ }
+
+ /* Now do the same thing for negset */
+ ebitmap_init(&neg_types);
+ ebitmap_for_each_bit(&set->negset, tnode, i) {
+ if (ebitmap_node_get_bit(tnode, i)) {
+ if (p->type_val_to_struct[i] &&
+ p->type_val_to_struct[i]->flavor == TYPE_ATTRIB) {
+ if (ebitmap_union
+ (&neg_types,
+ &p->type_val_to_struct[i]->types)) {
+ return -1;
+ }
+ } else {
+ if (ebitmap_set_bit(&neg_types, i, 1)) {
+ return -1;
+ }
+ }
+ }
+ }
+
+ if (set->flags & TYPE_STAR) {
+ /* set all types not in neg_types */
+ for (i = 0; i < p->p_types.nprim; i++) {
+ if (ebitmap_get_bit(&neg_types, i))
+ continue;
+ if (p->type_val_to_struct[i] &&
+ p->type_val_to_struct[i]->flavor == TYPE_ATTRIB)
+ continue;
+ if (ebitmap_set_bit(t, i, 1))
+ return -1;
+ }
+ goto out;
+ }
+
+ ebitmap_for_each_bit(&types, tnode, i) {
+ if (ebitmap_node_get_bit(tnode, i)
+ && (!ebitmap_get_bit(&neg_types, i)))
+ if (ebitmap_set_bit(t, i, 1))
+ return -1;
+ }
+
+ if (set->flags & TYPE_COMP) {
+ for (i = 0; i < p->p_types.nprim; i++) {
+ if (p->type_val_to_struct[i] &&
+ p->type_val_to_struct[i]->flavor == TYPE_ATTRIB) {
+ assert(!ebitmap_get_bit(t, i));
+ continue;
+ }
+ if (ebitmap_get_bit(t, i)) {
+ if (ebitmap_set_bit(t, i, 0))
+ return -1;
+ } else {
+ if (ebitmap_set_bit(t, i, 1))
+ return -1;
+ }
+ }
+ }
+
+ out:
+
+ ebitmap_destroy(&types);
+ ebitmap_destroy(&neg_types);
+
+ return 0;
+}
+
+static int copy_neverallow(policydb_t * dest_pol, uint32_t * typemap,
+ avrule_t * source_rule)
+{
+ ebitmap_t stypes, ttypes;
+ avrule_t *avrule;
+ class_perm_node_t *cur_perm, *new_perm, *tail_perm;
+
+ ebitmap_init(&stypes);
+ ebitmap_init(&ttypes);
+
+ if (expand_convert_type_set
+ (dest_pol, typemap, &source_rule->stypes, &stypes, 1))
+ return -1;
+ if (expand_convert_type_set
+ (dest_pol, typemap, &source_rule->ttypes, &ttypes, 1))
+ return -1;
+
+ avrule = (avrule_t *) malloc(sizeof(avrule_t));
+ if (!avrule)
+ return -1;
+
+ avrule_init(avrule);
+ avrule->specified = AVRULE_NEVERALLOW;
+ avrule->line = source_rule->line;
+ avrule->flags = source_rule->flags;
+
+ if (ebitmap_cpy(&avrule->stypes.types, &stypes))
+ goto err;
+
+ if (ebitmap_cpy(&avrule->ttypes.types, &ttypes))
+ goto err;
+
+ cur_perm = source_rule->perms;
+ tail_perm = NULL;
+ while (cur_perm) {
+ new_perm =
+ (class_perm_node_t *) malloc(sizeof(class_perm_node_t));
+ if (!new_perm)
+ goto err;
+ class_perm_node_init(new_perm);
+ new_perm->class = cur_perm->class;
+ assert(new_perm->class);
+
+ /* once we have modules with permissions we'll need to map the permissions (and classes) */
+ new_perm->data = cur_perm->data;
+
+ if (!avrule->perms)
+ avrule->perms = new_perm;
+
+ if (tail_perm)
+ tail_perm->next = new_perm;
+ tail_perm = new_perm;
+ cur_perm = cur_perm->next;
+ }
+
+ /* just prepend the avrule to the first branch; it'll never be
+ written to disk */
+ if (!dest_pol->global->branch_list->avrules)
+ dest_pol->global->branch_list->avrules = avrule;
+ else {
+ avrule->next = dest_pol->global->branch_list->avrules;
+ dest_pol->global->branch_list->avrules = avrule;
+ }
+
+ ebitmap_destroy(&stypes);
+ ebitmap_destroy(&ttypes);
+
+ return 0;
+
+ err:
+ ebitmap_destroy(&stypes);
+ ebitmap_destroy(&ttypes);
+ ebitmap_destroy(&avrule->stypes.types);
+ ebitmap_destroy(&avrule->ttypes.types);
+ cur_perm = avrule->perms;
+ while (cur_perm) {
+ tail_perm = cur_perm->next;
+ free(cur_perm);
+ cur_perm = tail_perm;
+ }
+ free(avrule);
+ return -1;
+}
+
+/*
+ * Expands the avrule blocks for a policy. RBAC rules are copied. Neverallow
+ * rules are copied or expanded as per the settings in the state object; all
+ * other AV rules are expanded. If neverallow rules are expanded, they are not
+ * copied, otherwise they are copied for later use by the assertion checker.
+ */
+static int copy_and_expand_avrule_block(expand_state_t * state)
+{
+ avrule_block_t *curblock = state->base->global;
+ avrule_block_t *prevblock;
+ int retval = -1;
+
+ if (avtab_alloc(&state->out->te_avtab, MAX_AVTAB_SIZE)) {
+ ERR(state->handle, "Out of Memory!");
+ return -1;
+ }
+
+ if (avtab_alloc(&state->out->te_cond_avtab, MAX_AVTAB_SIZE)) {
+ ERR(state->handle, "Out of Memory!");
+ return -1;
+ }
+
+ while (curblock) {
+ avrule_decl_t *decl = curblock->enabled;
+ avrule_t *cur_avrule;
+
+ if (decl == NULL) {
+ /* nothing was enabled within this block */
+ goto cont;
+ }
+
+ /* copy role allows and role trans */
+ if (copy_role_allows(state, decl->role_allow_rules) != 0 ||
+ copy_role_trans(state, decl->role_tr_rules) != 0) {
+ goto cleanup;
+ }
+
+ if (expand_filename_trans(state, decl->filename_trans_rules))
+ goto cleanup;
+
+ /* expand the range transition rules */
+ if (expand_range_trans(state, decl->range_tr_rules))
+ goto cleanup;
+
+ /* copy rules */
+ cur_avrule = decl->avrules;
+ while (cur_avrule != NULL) {
+ if (!(state->expand_neverallow)
+ && cur_avrule->specified & AVRULE_NEVERALLOW) {
+ /* copy this over directly so that assertions are checked later */
+ if (copy_neverallow
+ (state->out, state->typemap, cur_avrule))
+ ERR(state->handle,
+ "Error while copying neverallow.");
+ } else {
+ if (cur_avrule->specified & AVRULE_NEVERALLOW) {
+ state->out->unsupported_format = 1;
+ }
+ if (convert_and_expand_rule
+ (state->handle, state->out, state->typemap,
+ cur_avrule, &state->out->te_avtab, NULL,
+ NULL, 0,
+ state->expand_neverallow) !=
+ EXPAND_RULE_SUCCESS) {
+ goto cleanup;
+ }
+ }
+ cur_avrule = cur_avrule->next;
+ }
+
+ /* copy conditional rules */
+ if (cond_node_copy(state, decl->cond_list))
+ goto cleanup;
+
+ cont:
+ prevblock = curblock;
+ curblock = curblock->next;
+
+ if (state->handle && state->handle->expand_consume_base) {
+ /* set base top avrule block in case there
+ * is an error condition and the policy needs
+ * to be destroyed */
+ state->base->global = curblock;
+ avrule_block_destroy(prevblock);
+ }
+ }
+
+ retval = 0;
+
+ cleanup:
+ return retval;
+}
+
+/*
+ * This function allows external users of the library (such as setools) to
+ * expand only the avrules and optionally perform expansion of neverallow rules
+ * or expand into the same policy for analysis purposes.
+ */
+int expand_module_avrules(sepol_handle_t * handle, policydb_t * base,
+ policydb_t * out, uint32_t * typemap,
+ uint32_t * boolmap, uint32_t * rolemap,
+ uint32_t * usermap, int verbose,
+ int expand_neverallow)
+{
+ expand_state_t state;
+
+ expand_state_init(&state);
+
+ state.base = base;
+ state.out = out;
+ state.typemap = typemap;
+ state.boolmap = boolmap;
+ state.rolemap = rolemap;
+ state.usermap = usermap;
+ state.handle = handle;
+ state.verbose = verbose;
+ state.expand_neverallow = expand_neverallow;
+
+ return copy_and_expand_avrule_block(&state);
+}
+
+/* Linking should always be done before calling expand, even if
+ * there is only a base since all optionals are dealt with at link time
+ * the base passed in should be indexed and avrule blocks should be
+ * enabled.
+ */
+int expand_module(sepol_handle_t * handle,
+ policydb_t * base, policydb_t * out, int verbose, int check)
+{
+ int retval = -1;
+ unsigned int i;
+ expand_state_t state;
+ avrule_block_t *curblock;
+
+ expand_state_init(&state);
+
+ state.verbose = verbose;
+ state.typemap = NULL;
+ state.base = base;
+ state.out = out;
+ state.handle = handle;
+
+ if (base->policy_type != POLICY_BASE) {
+ ERR(handle, "Target of expand was not a base policy.");
+ return -1;
+ }
+
+ state.out->policy_type = POLICY_KERN;
+ state.out->policyvers = POLICYDB_VERSION_MAX;
+
+ /* Copy mls state from base to out */
+ out->mls = base->mls;
+ out->handle_unknown = base->handle_unknown;
+
+ /* Copy target from base to out */
+ out->target_platform = base->target_platform;
+
+ /* Copy policy capabilities */
+ if (ebitmap_cpy(&out->policycaps, &base->policycaps)) {
+ ERR(handle, "Out of memory!");
+ goto cleanup;
+ }
+
+ if ((state.typemap =
+ (uint32_t *) calloc(state.base->p_types.nprim,
+ sizeof(uint32_t))) == NULL) {
+ ERR(handle, "Out of memory!");
+ goto cleanup;
+ }
+
+ state.boolmap = (uint32_t *)calloc(state.base->p_bools.nprim, sizeof(uint32_t));
+ if (!state.boolmap) {
+ ERR(handle, "Out of memory!");
+ goto cleanup;
+ }
+
+ state.rolemap = (uint32_t *)calloc(state.base->p_roles.nprim, sizeof(uint32_t));
+ if (!state.rolemap) {
+ ERR(handle, "Out of memory!");
+ goto cleanup;
+ }
+
+ state.usermap = (uint32_t *)calloc(state.base->p_users.nprim, sizeof(uint32_t));
+ if (!state.usermap) {
+ ERR(handle, "Out of memory!");
+ goto cleanup;
+ }
+
+ /* order is important - types must be first */
+
+ /* copy types */
+ if (hashtab_map(state.base->p_types.table, type_copy_callback, &state)) {
+ goto cleanup;
+ }
+
+ /* convert attribute type sets */
+ if (hashtab_map
+ (state.base->p_types.table, attr_convert_callback, &state)) {
+ goto cleanup;
+ }
+
+ /* copy commons */
+ if (hashtab_map
+ (state.base->p_commons.table, common_copy_callback, &state)) {
+ goto cleanup;
+ }
+
+ /* copy classes, note, this does not copy constraints, constraints can't be
+ * copied until after all the blocks have been processed and attributes are complete */
+ if (hashtab_map
+ (state.base->p_classes.table, class_copy_callback, &state)) {
+ goto cleanup;
+ }
+
+ /* copy type bounds */
+ if (hashtab_map(state.base->p_types.table,
+ type_bounds_copy_callback, &state))
+ goto cleanup;
+
+ /* copy aliases */
+ if (hashtab_map(state.base->p_types.table, alias_copy_callback, &state))
+ goto cleanup;
+
+ /* index here so that type indexes are available for role_copy_callback */
+ if (policydb_index_others(handle, out, verbose)) {
+ ERR(handle, "Error while indexing out symbols");
+ goto cleanup;
+ }
+
+ /* copy roles */
+ if (hashtab_map(state.base->p_roles.table, role_copy_callback, &state))
+ goto cleanup;
+ if (hashtab_map(state.base->p_roles.table,
+ role_bounds_copy_callback, &state))
+ goto cleanup;
+ /* escalate the type_set_t in a role attribute to all regular roles
+ * that belongs to it. */
+ if (hashtab_map(state.base->p_roles.table, role_fix_callback, &state))
+ goto cleanup;
+
+ /* copy MLS's sensitivity level and categories - this needs to be done
+ * before expanding users (they need to be indexed too) */
+ if (hashtab_map(state.base->p_levels.table, sens_copy_callback, &state))
+ goto cleanup;
+ if (hashtab_map(state.base->p_cats.table, cats_copy_callback, &state))
+ goto cleanup;
+ if (policydb_index_others(handle, out, verbose)) {
+ ERR(handle, "Error while indexing out symbols");
+ goto cleanup;
+ }
+
+ /* copy users */
+ if (hashtab_map(state.base->p_users.table, user_copy_callback, &state))
+ goto cleanup;
+ if (hashtab_map(state.base->p_users.table,
+ user_bounds_copy_callback, &state))
+ goto cleanup;
+
+ /* copy bools */
+ if (hashtab_map(state.base->p_bools.table, bool_copy_callback, &state))
+ goto cleanup;
+
+ if (policydb_index_classes(out)) {
+ ERR(handle, "Error while indexing out classes");
+ goto cleanup;
+ }
+ if (policydb_index_others(handle, out, verbose)) {
+ ERR(handle, "Error while indexing out symbols");
+ goto cleanup;
+ }
+
+ /* loop through all decls and union attributes, roles, users */
+ for (curblock = state.base->global; curblock != NULL;
+ curblock = curblock->next) {
+ avrule_decl_t *decl = curblock->enabled;
+
+ if (decl == NULL) {
+ /* nothing was enabled within this block */
+ continue;
+ }
+
+ /* convert attribute type sets */
+ if (hashtab_map
+ (decl->p_types.table, attr_convert_callback, &state)) {
+ goto cleanup;
+ }
+
+ /* copy roles */
+ if (hashtab_map
+ (decl->p_roles.table, role_copy_callback, &state))
+ goto cleanup;
+ if (hashtab_map
+ (decl->p_roles.table, role_fix_callback, &state))
+ goto cleanup;
+
+ /* copy users */
+ if (hashtab_map
+ (decl->p_users.table, user_copy_callback, &state))
+ goto cleanup;
+
+ }
+
+ /* remap role dominates bitmaps */
+ if (hashtab_map(state.out->p_roles.table, role_remap_dominates, &state)) {
+ goto cleanup;
+ }
+
+ if (copy_and_expand_avrule_block(&state) < 0) {
+ ERR(handle, "Error during expand");
+ goto cleanup;
+ }
+
+ /* copy constraints */
+ if (hashtab_map
+ (state.base->p_classes.table, constraint_copy_callback, &state)) {
+ goto cleanup;
+ }
+
+ cond_optimize_lists(state.out->cond_list);
+ evaluate_conds(state.out);
+
+ /* copy ocontexts */
+ if (ocontext_copy(&state, out->target_platform))
+ goto cleanup;
+
+ /* copy genfs */
+ if (genfs_copy(&state))
+ goto cleanup;
+
+ /* Build the type<->attribute maps and remove attributes. */
+ state.out->attr_type_map = malloc(state.out->p_types.nprim *
+ sizeof(ebitmap_t));
+ state.out->type_attr_map = malloc(state.out->p_types.nprim *
+ sizeof(ebitmap_t));
+ if (!state.out->attr_type_map || !state.out->type_attr_map) {
+ ERR(handle, "Out of memory!");
+ goto cleanup;
+ }
+ for (i = 0; i < state.out->p_types.nprim; i++) {
+ ebitmap_init(&state.out->type_attr_map[i]);
+ ebitmap_init(&state.out->attr_type_map[i]);
+ /* add the type itself as the degenerate case */
+ if (ebitmap_set_bit(&state.out->type_attr_map[i], i, 1)) {
+ ERR(handle, "Out of memory!");
+ goto cleanup;
+ }
+ }
+ if (hashtab_map(state.out->p_types.table, type_attr_map, &state))
+ goto cleanup;
+ if (check) {
+ if (hierarchy_check_constraints(handle, state.out))
+ goto cleanup;
+
+ if (check_assertions
+ (handle, state.out,
+ state.out->global->branch_list->avrules))
+ goto cleanup;
+ }
+
+ retval = 0;
+
+ cleanup:
+ free(state.typemap);
+ free(state.boolmap);
+ free(state.rolemap);
+ free(state.usermap);
+ return retval;
+}
+
+static int expand_avtab_insert(avtab_t * a, avtab_key_t * k, avtab_datum_t * d)
+{
+ avtab_ptr_t node;
+ avtab_datum_t *avd;
+ int rc;
+
+ node = avtab_search_node(a, k);
+ if (!node) {
+ rc = avtab_insert(a, k, d);
+ if (rc)
+ ERR(NULL, "Out of memory!");
+ return rc;
+ }
+
+ if ((k->specified & AVTAB_ENABLED) !=
+ (node->key.specified & AVTAB_ENABLED)) {
+ node = avtab_insert_nonunique(a, k, d);
+ if (!node) {
+ ERR(NULL, "Out of memory!");
+ return -1;
+ }
+ return 0;
+ }
+
+ avd = &node->datum;
+ switch (k->specified & ~AVTAB_ENABLED) {
+ case AVTAB_ALLOWED:
+ case AVTAB_AUDITALLOW:
+ avd->data |= d->data;
+ break;
+ case AVTAB_AUDITDENY:
+ avd->data &= d->data;
+ break;
+ default:
+ ERR(NULL, "Type conflict!");
+ return -1;
+ }
+
+ return 0;
+}
+
+struct expand_avtab_data {
+ avtab_t *expa;
+ policydb_t *p;
+
+};
+
+static int expand_avtab_node(avtab_key_t * k, avtab_datum_t * d, void *args)
+{
+ struct expand_avtab_data *ptr = args;
+ avtab_t *expa = ptr->expa;
+ policydb_t *p = ptr->p;
+ type_datum_t *stype = p->type_val_to_struct[k->source_type - 1];
+ type_datum_t *ttype = p->type_val_to_struct[k->target_type - 1];
+ ebitmap_t *sattr = &p->attr_type_map[k->source_type - 1];
+ ebitmap_t *tattr = &p->attr_type_map[k->target_type - 1];
+ ebitmap_node_t *snode, *tnode;
+ unsigned int i, j;
+ avtab_key_t newkey;
+ int rc;
+
+ newkey.target_class = k->target_class;
+ newkey.specified = k->specified;
+
+ if (stype && ttype) {
+ /* Both are individual types, no expansion required. */
+ return expand_avtab_insert(expa, k, d);
+ }
+
+ if (stype) {
+ /* Source is an individual type, target is an attribute. */
+ newkey.source_type = k->source_type;
+ ebitmap_for_each_bit(tattr, tnode, j) {
+ if (!ebitmap_node_get_bit(tnode, j))
+ continue;
+ newkey.target_type = j + 1;
+ rc = expand_avtab_insert(expa, &newkey, d);
+ if (rc)
+ return -1;
+ }
+ return 0;
+ }
+
+ if (ttype) {
+ /* Target is an individual type, source is an attribute. */
+ newkey.target_type = k->target_type;
+ ebitmap_for_each_bit(sattr, snode, i) {
+ if (!ebitmap_node_get_bit(snode, i))
+ continue;
+ newkey.source_type = i + 1;
+ rc = expand_avtab_insert(expa, &newkey, d);
+ if (rc)
+ return -1;
+ }
+ return 0;
+ }
+
+ /* Both source and target type are attributes. */
+ ebitmap_for_each_bit(sattr, snode, i) {
+ if (!ebitmap_node_get_bit(snode, i))
+ continue;
+ ebitmap_for_each_bit(tattr, tnode, j) {
+ if (!ebitmap_node_get_bit(tnode, j))
+ continue;
+ newkey.source_type = i + 1;
+ newkey.target_type = j + 1;
+ rc = expand_avtab_insert(expa, &newkey, d);
+ if (rc)
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
+int expand_avtab(policydb_t * p, avtab_t * a, avtab_t * expa)
+{
+ struct expand_avtab_data data;
+
+ if (avtab_alloc(expa, MAX_AVTAB_SIZE)) {
+ ERR(NULL, "Out of memory!");
+ return -1;
+ }
+
+ data.expa = expa;
+ data.p = p;
+ return avtab_map(a, expand_avtab_node, &data);
+}
+
+static int expand_cond_insert(cond_av_list_t ** l,
+ avtab_t * expa,
+ avtab_key_t * k, avtab_datum_t * d)
+{
+ avtab_ptr_t node;
+ avtab_datum_t *avd;
+ cond_av_list_t *nl;
+
+ node = avtab_search_node(expa, k);
+ if (!node ||
+ (k->specified & AVTAB_ENABLED) !=
+ (node->key.specified & AVTAB_ENABLED)) {
+ node = avtab_insert_nonunique(expa, k, d);
+ if (!node) {
+ ERR(NULL, "Out of memory!");
+ return -1;
+ }
+ node->parse_context = (void *)1;
+ nl = (cond_av_list_t *) malloc(sizeof(*nl));
+ if (!nl) {
+ ERR(NULL, "Out of memory!");
+ return -1;
+ }
+ memset(nl, 0, sizeof(*nl));
+ nl->node = node;
+ nl->next = *l;
+ *l = nl;
+ return 0;
+ }
+
+ avd = &node->datum;
+ switch (k->specified & ~AVTAB_ENABLED) {
+ case AVTAB_ALLOWED:
+ case AVTAB_AUDITALLOW:
+ avd->data |= d->data;
+ break;
+ case AVTAB_AUDITDENY:
+ avd->data &= d->data;
+ break;
+ default:
+ ERR(NULL, "Type conflict!");
+ return -1;
+ }
+
+ return 0;
+}
+
+int expand_cond_av_node(policydb_t * p,
+ avtab_ptr_t node,
+ cond_av_list_t ** newl, avtab_t * expa)
+{
+ avtab_key_t *k = &node->key;
+ avtab_datum_t *d = &node->datum;
+ type_datum_t *stype = p->type_val_to_struct[k->source_type - 1];
+ type_datum_t *ttype = p->type_val_to_struct[k->target_type - 1];
+ ebitmap_t *sattr = &p->attr_type_map[k->source_type - 1];
+ ebitmap_t *tattr = &p->attr_type_map[k->target_type - 1];
+ ebitmap_node_t *snode, *tnode;
+ unsigned int i, j;
+ avtab_key_t newkey;
+ int rc;
+
+ newkey.target_class = k->target_class;
+ newkey.specified = k->specified;
+
+ if (stype && ttype) {
+ /* Both are individual types, no expansion required. */
+ return expand_cond_insert(newl, expa, k, d);
+ }
+
+ if (stype) {
+ /* Source is an individual type, target is an attribute. */
+ newkey.source_type = k->source_type;
+ ebitmap_for_each_bit(tattr, tnode, j) {
+ if (!ebitmap_node_get_bit(tnode, j))
+ continue;
+ newkey.target_type = j + 1;
+ rc = expand_cond_insert(newl, expa, &newkey, d);
+ if (rc)
+ return -1;
+ }
+ return 0;
+ }
+
+ if (ttype) {
+ /* Target is an individual type, source is an attribute. */
+ newkey.target_type = k->target_type;
+ ebitmap_for_each_bit(sattr, snode, i) {
+ if (!ebitmap_node_get_bit(snode, i))
+ continue;
+ newkey.source_type = i + 1;
+ rc = expand_cond_insert(newl, expa, &newkey, d);
+ if (rc)
+ return -1;
+ }
+ return 0;
+ }
+
+ /* Both source and target type are attributes. */
+ ebitmap_for_each_bit(sattr, snode, i) {
+ if (!ebitmap_node_get_bit(snode, i))
+ continue;
+ ebitmap_for_each_bit(tattr, tnode, j) {
+ if (!ebitmap_node_get_bit(tnode, j))
+ continue;
+ newkey.source_type = i + 1;
+ newkey.target_type = j + 1;
+ rc = expand_cond_insert(newl, expa, &newkey, d);
+ if (rc)
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
+int expand_cond_av_list(policydb_t * p, cond_av_list_t * l,
+ cond_av_list_t ** newl, avtab_t * expa)
+{
+ cond_av_list_t *cur;
+ avtab_ptr_t node;
+ int rc;
+
+ if (avtab_alloc(expa, MAX_AVTAB_SIZE)) {
+ ERR(NULL, "Out of memory!");
+ return -1;
+ }
+
+ *newl = NULL;
+ for (cur = l; cur; cur = cur->next) {
+ node = cur->node;
+ rc = expand_cond_av_node(p, node, newl, expa);
+ if (rc)
+ return rc;
+ }
+
+ return 0;
+}
diff --git a/src/genbools.c b/src/genbools.c
new file mode 100644
index 0000000..e353ef3
--- /dev/null
+++ b/src/genbools.c
@@ -0,0 +1,252 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+#include <errno.h>
+
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/conditional.h>
+
+#include "debug.h"
+#include "private.h"
+#include "dso.h"
+
+/* -- Deprecated -- */
+
+static char *strtrim(char *dest, char *source, int size)
+{
+ int i = 0;
+ char *ptr = source;
+ i = 0;
+ while (isspace(*ptr) && i < size) {
+ ptr++;
+ i++;
+ }
+ strncpy(dest, ptr, size);
+ for (i = strlen(dest) - 1; i > 0; i--) {
+ if (!isspace(dest[i]))
+ break;
+ }
+ dest[i + 1] = '\0';
+ return dest;
+}
+
+static int process_boolean(char *buffer, char *name, int namesize, int *val)
+{
+ char name1[BUFSIZ];
+ char *ptr;
+ char *tok = strtok_r(buffer, "=", &ptr);
+ if (tok) {
+ strncpy(name1, tok, BUFSIZ - 1);
+ strtrim(name, name1, namesize - 1);
+ if (name[0] == '#')
+ return 0;
+ tok = strtok_r(NULL, "\0", &ptr);
+ if (tok) {
+ while (isspace(*tok))
+ tok++;
+ *val = -1;
+ if (isdigit(tok[0]))
+ *val = atoi(tok);
+ else if (!strncasecmp(tok, "true", sizeof("true") - 1))
+ *val = 1;
+ else if (!strncasecmp
+ (tok, "false", sizeof("false") - 1))
+ *val = 0;
+ if (*val != 0 && *val != 1) {
+ ERR(NULL, "illegal value for boolean "
+ "%s=%s", name, tok);
+ return -1;
+ }
+
+ }
+ }
+ return 1;
+}
+
+static int load_booleans(struct policydb *policydb, const char *path,
+ int *changesp)
+{
+ FILE *boolf;
+ char *buffer = NULL;
+ size_t size = 0;
+ char localbools[BUFSIZ];
+ char name[BUFSIZ];
+ int val;
+ int errors = 0, changes = 0;
+ struct cond_bool_datum *datum;
+
+ boolf = fopen(path, "r");
+ if (boolf == NULL)
+ goto localbool;
+
+ while (getline(&buffer, &size, boolf) > 0) {
+ int ret = process_boolean(buffer, name, sizeof(name), &val);
+ if (ret == -1)
+ errors++;
+ if (ret == 1) {
+ datum = hashtab_search(policydb->p_bools.table, name);
+ if (!datum) {
+ ERR(NULL, "unknown boolean %s", name);
+ errors++;
+ continue;
+ }
+ if (datum->state != val) {
+ datum->state = val;
+ changes++;
+ }
+ }
+ }
+ fclose(boolf);
+ localbool:
+ snprintf(localbools, sizeof(localbools), "%s.local", path);
+ boolf = fopen(localbools, "r");
+ if (boolf != NULL) {
+ while (getline(&buffer, &size, boolf) > 0) {
+ int ret =
+ process_boolean(buffer, name, sizeof(name), &val);
+ if (ret == -1)
+ errors++;
+ if (ret == 1) {
+ datum =
+ hashtab_search(policydb->p_bools.table,
+ name);
+ if (!datum) {
+ ERR(NULL, "unknown boolean %s", name);
+ errors++;
+ continue;
+ }
+ if (datum->state != val) {
+ datum->state = val;
+ changes++;
+ }
+ }
+ }
+ fclose(boolf);
+ }
+ free(buffer);
+ if (errors)
+ errno = EINVAL;
+ *changesp = changes;
+ return errors ? -1 : 0;
+}
+
+int sepol_genbools(void *data, size_t len, char *booleans)
+{
+ struct policydb policydb;
+ struct policy_file pf;
+ int rc, changes = 0;
+
+ if (policydb_init(&policydb))
+ goto err;
+ if (policydb_from_image(NULL, data, len, &policydb) < 0)
+ goto err;
+
+ if (load_booleans(&policydb, booleans, &changes) < 0) {
+ WARN(NULL, "error while reading %s", booleans);
+ }
+
+ if (!changes)
+ goto out;
+
+ if (evaluate_conds(&policydb) < 0) {
+ ERR(NULL, "error while re-evaluating conditionals");
+ errno = EINVAL;
+ goto err_destroy;
+ }
+
+ policy_file_init(&pf);
+ pf.type = PF_USE_MEMORY;
+ pf.data = data;
+ pf.len = len;
+ rc = policydb_write(&policydb, &pf);
+ if (rc) {
+ ERR(NULL, "unable to write new binary policy image");
+ errno = EINVAL;
+ goto err_destroy;
+ }
+
+ out:
+ policydb_destroy(&policydb);
+ return 0;
+
+ err_destroy:
+ policydb_destroy(&policydb);
+
+ err:
+ return -1;
+}
+
+int hidden sepol_genbools_policydb(policydb_t * policydb, const char *booleans)
+{
+ int rc, changes = 0;
+
+ rc = load_booleans(policydb, booleans, &changes);
+ if (!rc && changes)
+ rc = evaluate_conds(policydb);
+ if (rc)
+ errno = EINVAL;
+ return rc;
+}
+
+/* -- End Deprecated -- */
+
+int sepol_genbools_array(void *data, size_t len, char **names, int *values,
+ int nel)
+{
+ struct policydb policydb;
+ struct policy_file pf;
+ int rc, i, errors = 0;
+ struct cond_bool_datum *datum;
+
+ /* Create policy database from image */
+ if (policydb_init(&policydb))
+ goto err;
+ if (policydb_from_image(NULL, data, len, &policydb) < 0)
+ goto err;
+
+ for (i = 0; i < nel; i++) {
+ datum = hashtab_search(policydb.p_bools.table, names[i]);
+ if (!datum) {
+ ERR(NULL, "boolean %s no longer in policy", names[i]);
+ errors++;
+ continue;
+ }
+ if (values[i] != 0 && values[i] != 1) {
+ ERR(NULL, "illegal value %d for boolean %s",
+ values[i], names[i]);
+ errors++;
+ continue;
+ }
+ datum->state = values[i];
+ }
+
+ if (evaluate_conds(&policydb) < 0) {
+ ERR(NULL, "error while re-evaluating conditionals");
+ errno = EINVAL;
+ goto err_destroy;
+ }
+
+ policy_file_init(&pf);
+ pf.type = PF_USE_MEMORY;
+ pf.data = data;
+ pf.len = len;
+ rc = policydb_write(&policydb, &pf);
+ if (rc) {
+ ERR(NULL, "unable to write binary policy");
+ errno = EINVAL;
+ goto err_destroy;
+ }
+ if (errors) {
+ errno = EINVAL;
+ goto err_destroy;
+ }
+
+ policydb_destroy(&policydb);
+ return 0;
+
+ err_destroy:
+ policydb_destroy(&policydb);
+
+ err:
+ return -1;
+}
diff --git a/src/genusers.c b/src/genusers.c
new file mode 100644
index 0000000..44f94e9
--- /dev/null
+++ b/src/genusers.c
@@ -0,0 +1,318 @@
+#include <stdio.h>
+#include <stdio_ext.h>
+#include <stdlib.h>
+#include <ctype.h>
+#include <errno.h>
+#include <limits.h>
+
+#include <sepol/policydb/policydb.h>
+#include <stdarg.h>
+
+#include "debug.h"
+#include "private.h"
+#include "dso.h"
+#include "mls.h"
+
+/* -- Deprecated -- */
+
+void sepol_set_delusers(int on __attribute((unused)))
+{
+ WARN(NULL, "Deprecated interface");
+}
+
+#undef BADLINE
+#define BADLINE() { \
+ ERR(NULL, "invalid entry %s (%s:%u)", \
+ buffer, path, lineno); \
+ continue; \
+}
+
+static int load_users(struct policydb *policydb, const char *path)
+{
+ FILE *fp;
+ char *buffer = NULL, *p, *q, oldc;
+ size_t len = 0;
+ ssize_t nread;
+ unsigned lineno = 0, islist = 0, bit;
+ user_datum_t *usrdatum;
+ role_datum_t *roldatum;
+ ebitmap_node_t *rnode;
+
+ fp = fopen(path, "r");
+ if (fp == NULL)
+ return -1;
+ __fsetlocking(fp, FSETLOCKING_BYCALLER);
+
+ while ((nread = getline(&buffer, &len, fp)) > 0) {
+ lineno++;
+ if (buffer[nread - 1] == '\n')
+ buffer[nread - 1] = 0;
+ p = buffer;
+ while (*p && isspace(*p))
+ p++;
+ if (!(*p) || *p == '#')
+ continue;
+
+ if (strncasecmp(p, "user", 4))
+ BADLINE();
+ p += 4;
+ if (!isspace(*p))
+ BADLINE();
+ while (*p && isspace(*p))
+ p++;
+ if (!(*p))
+ BADLINE();
+ q = p;
+ while (*p && !isspace(*p))
+ p++;
+ if (!(*p))
+ BADLINE();
+ *p++ = 0;
+
+ usrdatum = hashtab_search(policydb->p_users.table, q);
+ if (usrdatum) {
+ /* Replacing an existing user definition. */
+ ebitmap_destroy(&usrdatum->roles.roles);
+ ebitmap_init(&usrdatum->roles.roles);
+ } else {
+ char *id = strdup(q);
+
+ /* Adding a new user definition. */
+ usrdatum =
+ (user_datum_t *) malloc(sizeof(user_datum_t));
+ if (!id || !usrdatum) {
+ ERR(NULL, "out of memory");
+ free(buffer);
+ fclose(fp);
+ return -1;
+ }
+ memset(usrdatum, 0, sizeof(user_datum_t));
+ usrdatum->s.value = ++policydb->p_users.nprim;
+ ebitmap_init(&usrdatum->roles.roles);
+ if (hashtab_insert(policydb->p_users.table,
+ id, (hashtab_datum_t) usrdatum)) {
+ ERR(NULL, "out of memory");
+ free(buffer);
+ fclose(fp);
+ return -1;
+ }
+ }
+
+ while (*p && isspace(*p))
+ p++;
+ if (!(*p))
+ BADLINE();
+ if (strncasecmp(p, "roles", 5))
+ BADLINE();
+ p += 5;
+ if (!isspace(*p))
+ BADLINE();
+ while (*p && isspace(*p))
+ p++;
+ if (!(*p))
+ BADLINE();
+ if (*p == '{') {
+ islist = 1;
+ p++;
+ } else
+ islist = 0;
+
+ oldc = 0;
+ do {
+ while (*p && isspace(*p))
+ p++;
+ if (!(*p))
+ break;
+
+ q = p;
+ while (*p && *p != ';' && *p != '}' && !isspace(*p))
+ p++;
+ if (!(*p))
+ break;
+ if (*p == '}')
+ islist = 0;
+ oldc = *p;
+ *p++ = 0;
+ if (!q[0])
+ break;
+
+ roldatum = hashtab_search(policydb->p_roles.table, q);
+ if (!roldatum) {
+ ERR(NULL, "undefined role %s (%s:%u)",
+ q, path, lineno);
+ continue;
+ }
+ /* Set the role and every role it dominates */
+ ebitmap_for_each_bit(&roldatum->dominates, rnode, bit) {
+ if (ebitmap_node_get_bit(rnode, bit))
+ if (ebitmap_set_bit
+ (&usrdatum->roles.roles, bit, 1)) {
+ ERR(NULL, "out of memory");
+ free(buffer);
+ fclose(fp);
+ return -1;
+ }
+ }
+ } while (islist);
+ if (oldc == 0)
+ BADLINE();
+
+ if (policydb->mls) {
+ context_struct_t context;
+ char *scontext, *r, *s;
+
+ while (*p && isspace(*p))
+ p++;
+ if (!(*p))
+ BADLINE();
+ if (strncasecmp(p, "level", 5))
+ BADLINE();
+ p += 5;
+ if (!isspace(*p))
+ BADLINE();
+ while (*p && isspace(*p))
+ p++;
+ if (!(*p))
+ BADLINE();
+ q = p;
+ while (*p && strncasecmp(p, "range", 5))
+ p++;
+ if (!(*p))
+ BADLINE();
+ *--p = 0;
+ p++;
+
+ scontext = malloc(p - q);
+ if (!scontext) {
+ ERR(NULL, "out of memory");
+ free(buffer);
+ fclose(fp);
+ return -1;
+ }
+ r = scontext;
+ s = q;
+ while (*s) {
+ if (!isspace(*s))
+ *r++ = *s;
+ s++;
+ }
+ *r = 0;
+ r = scontext;
+
+ context_init(&context);
+ if (mls_context_to_sid(policydb, oldc, &r, &context) <
+ 0) {
+ ERR(NULL, "invalid level %s (%s:%u)", scontext,
+ path, lineno);
+ free(scontext);
+ continue;
+
+ }
+ free(scontext);
+ memcpy(&usrdatum->dfltlevel, &context.range.level[0],
+ sizeof(usrdatum->dfltlevel));
+
+ if (strncasecmp(p, "range", 5))
+ BADLINE();
+ p += 5;
+ if (!isspace(*p))
+ BADLINE();
+ while (*p && isspace(*p))
+ p++;
+ if (!(*p))
+ BADLINE();
+ q = p;
+ while (*p && *p != ';')
+ p++;
+ if (!(*p))
+ BADLINE();
+ *p++ = 0;
+
+ scontext = malloc(p - q);
+ if (!scontext) {
+ ERR(NULL, "out of memory");
+ free(buffer);
+ fclose(fp);
+ return -1;
+ }
+ r = scontext;
+ s = q;
+ while (*s) {
+ if (!isspace(*s))
+ *r++ = *s;
+ s++;
+ }
+ *r = 0;
+ r = scontext;
+
+ context_init(&context);
+ if (mls_context_to_sid(policydb, oldc, &r, &context) <
+ 0) {
+ ERR(NULL, "invalid range %s (%s:%u)", scontext,
+ path, lineno);
+ free(scontext);
+ continue;
+ }
+ free(scontext);
+ memcpy(&usrdatum->range, &context.range,
+ sizeof(usrdatum->range));
+ }
+ }
+
+ free(buffer);
+ fclose(fp);
+ return 0;
+}
+
+int sepol_genusers(void *data, size_t len,
+ const char *usersdir, void **newdata, size_t * newlen)
+{
+ struct policydb policydb;
+ char path[PATH_MAX];
+
+ /* Construct policy database */
+ if (policydb_init(&policydb))
+ goto err;
+ if (policydb_from_image(NULL, data, len, &policydb) < 0)
+ goto err;
+
+ /* Load locally defined users. */
+ snprintf(path, sizeof path, "%s/local.users", usersdir);
+ if (load_users(&policydb, path) < 0)
+ goto err_destroy;
+
+ /* Write policy database */
+ if (policydb_to_image(NULL, &policydb, newdata, newlen) < 0)
+ goto err_destroy;
+
+ policydb_destroy(&policydb);
+ return 0;
+
+ err_destroy:
+ policydb_destroy(&policydb);
+
+ err:
+ return -1;
+}
+
+int hidden sepol_genusers_policydb(policydb_t * policydb, const char *usersdir)
+{
+ char path[PATH_MAX];
+
+ /* Load locally defined users. */
+ snprintf(path, sizeof path, "%s/local.users", usersdir);
+ if (load_users(policydb, path) < 0) {
+ ERR(NULL, "unable to load local.users: %s", strerror(errno));
+ return -1;
+ }
+
+ if (policydb_reindex_users(policydb) < 0) {
+ ERR(NULL, "unable to reindex users: %s", strerror(errno));
+ return -1;
+
+ }
+
+ return 0;
+}
+
+/* -- End Deprecated -- */
diff --git a/src/handle.c b/src/handle.c
new file mode 100644
index 0000000..191ac57
--- /dev/null
+++ b/src/handle.c
@@ -0,0 +1,45 @@
+#include <stdlib.h>
+#include <assert.h>
+#include "handle.h"
+#include "debug.h"
+
+sepol_handle_t *sepol_handle_create(void)
+{
+
+ sepol_handle_t *sh = malloc(sizeof(sepol_handle_t));
+ if (sh == NULL)
+ return NULL;
+
+ /* Set callback */
+ sh->msg_callback = sepol_msg_default_handler;
+ sh->msg_callback_arg = NULL;
+
+ /* by default do not disable dontaudits */
+ sh->disable_dontaudit = 0;
+ sh->expand_consume_base = 0;
+
+ return sh;
+}
+
+int sepol_get_disable_dontaudit(sepol_handle_t *sh)
+{
+ assert(sh !=NULL);
+ return sh->disable_dontaudit;
+}
+
+void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit)
+{
+ assert(sh !=NULL);
+ sh->disable_dontaudit = disable_dontaudit;
+}
+
+void sepol_set_expand_consume_base(sepol_handle_t *sh, int consume_base)
+{
+ assert(sh != NULL);
+ sh->expand_consume_base = consume_base;
+}
+
+void sepol_handle_destroy(sepol_handle_t * sh)
+{
+ free(sh);
+}
diff --git a/src/handle.h b/src/handle.h
new file mode 100644
index 0000000..254fbd8
--- /dev/null
+++ b/src/handle.h
@@ -0,0 +1,23 @@
+#ifndef _SEPOL_INTERNAL_HANDLE_H_
+#define _SEPOL_INTERNAL_HANDLE_H_
+
+#include <sepol/handle.h>
+
+struct sepol_handle {
+ /* Error handling */
+ int msg_level;
+ const char *msg_channel;
+ const char *msg_fname;
+#ifdef __GNUC__
+ __attribute__ ((format(printf, 3, 4)))
+#endif
+ void (*msg_callback) (void *varg,
+ sepol_handle_t * handle, const char *fmt, ...);
+ void *msg_callback_arg;
+
+ int disable_dontaudit;
+ int expand_consume_base;
+
+};
+
+#endif
diff --git a/src/hashtab.c b/src/hashtab.c
new file mode 100644
index 0000000..c4be72c
--- /dev/null
+++ b/src/hashtab.c
@@ -0,0 +1,313 @@
+
+/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */
+
+/*
+ * Updated : Karl MacMillan <kmacmillan@mentalrootkit.com>
+ *
+ * Copyright (C) 2007 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+
+/* FLASK */
+
+/*
+ * Implementation of the hash table type.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <sepol/policydb/hashtab.h>
+
+hashtab_t hashtab_create(unsigned int (*hash_value) (hashtab_t h,
+ const hashtab_key_t key),
+ int (*keycmp) (hashtab_t h,
+ const hashtab_key_t key1,
+ const hashtab_key_t key2),
+ unsigned int size)
+{
+
+ hashtab_t p;
+ unsigned int i;
+
+ p = (hashtab_t) malloc(sizeof(hashtab_val_t));
+ if (p == NULL)
+ return p;
+
+ memset(p, 0, sizeof(hashtab_val_t));
+ p->size = size;
+ p->nel = 0;
+ p->hash_value = hash_value;
+ p->keycmp = keycmp;
+ p->htable = (hashtab_ptr_t *) malloc(sizeof(hashtab_ptr_t) * size);
+ if (p->htable == NULL) {
+ free(p);
+ return NULL;
+ }
+ for (i = 0; i < size; i++)
+ p->htable[i] = (hashtab_ptr_t) NULL;
+
+ return p;
+}
+
+int hashtab_insert(hashtab_t h, hashtab_key_t key, hashtab_datum_t datum)
+{
+ int hvalue;
+ hashtab_ptr_t prev, cur, newnode;
+
+ if (!h)
+ return SEPOL_ENOMEM;
+
+ hvalue = h->hash_value(h, key);
+ prev = NULL;
+ cur = h->htable[hvalue];
+ while (cur && h->keycmp(h, key, cur->key) > 0) {
+ prev = cur;
+ cur = cur->next;
+ }
+
+ if (cur && (h->keycmp(h, key, cur->key) == 0))
+ return SEPOL_EEXIST;
+
+ newnode = (hashtab_ptr_t) malloc(sizeof(hashtab_node_t));
+ if (newnode == NULL)
+ return SEPOL_ENOMEM;
+ memset(newnode, 0, sizeof(struct hashtab_node));
+ newnode->key = key;
+ newnode->datum = datum;
+ if (prev) {
+ newnode->next = prev->next;
+ prev->next = newnode;
+ } else {
+ newnode->next = h->htable[hvalue];
+ h->htable[hvalue] = newnode;
+ }
+
+ h->nel++;
+ return SEPOL_OK;
+}
+
+int hashtab_remove(hashtab_t h, hashtab_key_t key,
+ void (*destroy) (hashtab_key_t k,
+ hashtab_datum_t d, void *args), void *args)
+{
+ int hvalue;
+ hashtab_ptr_t cur, last;
+
+ if (!h)
+ return SEPOL_ENOENT;
+
+ hvalue = h->hash_value(h, key);
+ last = NULL;
+ cur = h->htable[hvalue];
+ while (cur != NULL && h->keycmp(h, key, cur->key) > 0) {
+ last = cur;
+ cur = cur->next;
+ }
+
+ if (cur == NULL || (h->keycmp(h, key, cur->key) != 0))
+ return SEPOL_ENOENT;
+
+ if (last == NULL)
+ h->htable[hvalue] = cur->next;
+ else
+ last->next = cur->next;
+
+ if (destroy)
+ destroy(cur->key, cur->datum, args);
+ free(cur);
+ h->nel--;
+ return SEPOL_OK;
+}
+
+int hashtab_replace(hashtab_t h, hashtab_key_t key, hashtab_datum_t datum,
+ void (*destroy) (hashtab_key_t k,
+ hashtab_datum_t d, void *args), void *args)
+{
+ int hvalue;
+ hashtab_ptr_t prev, cur, newnode;
+
+ if (!h)
+ return SEPOL_ENOMEM;
+
+ hvalue = h->hash_value(h, key);
+ prev = NULL;
+ cur = h->htable[hvalue];
+ while (cur != NULL && h->keycmp(h, key, cur->key) > 0) {
+ prev = cur;
+ cur = cur->next;
+ }
+
+ if (cur && (h->keycmp(h, key, cur->key) == 0)) {
+ if (destroy)
+ destroy(cur->key, cur->datum, args);
+ cur->key = key;
+ cur->datum = datum;
+ } else {
+ newnode = (hashtab_ptr_t) malloc(sizeof(hashtab_node_t));
+ if (newnode == NULL)
+ return SEPOL_ENOMEM;
+ memset(newnode, 0, sizeof(struct hashtab_node));
+ newnode->key = key;
+ newnode->datum = datum;
+ if (prev) {
+ newnode->next = prev->next;
+ prev->next = newnode;
+ } else {
+ newnode->next = h->htable[hvalue];
+ h->htable[hvalue] = newnode;
+ }
+ }
+
+ return SEPOL_OK;
+}
+
+hashtab_datum_t hashtab_search(hashtab_t h, const hashtab_key_t key)
+{
+
+ int hvalue;
+ hashtab_ptr_t cur;
+
+ if (!h)
+ return NULL;
+
+ hvalue = h->hash_value(h, key);
+ cur = h->htable[hvalue];
+ while (cur != NULL && h->keycmp(h, key, cur->key) > 0)
+ cur = cur->next;
+
+ if (cur == NULL || (h->keycmp(h, key, cur->key) != 0))
+ return NULL;
+
+ return cur->datum;
+}
+
+void hashtab_destroy(hashtab_t h)
+{
+ unsigned int i;
+ hashtab_ptr_t cur, temp;
+
+ if (!h)
+ return;
+
+ for (i = 0; i < h->size; i++) {
+ cur = h->htable[i];
+ while (cur != NULL) {
+ temp = cur;
+ cur = cur->next;
+ free(temp);
+ }
+ h->htable[i] = NULL;
+ }
+
+ free(h->htable);
+ h->htable = NULL;
+
+ free(h);
+}
+
+int hashtab_map(hashtab_t h,
+ int (*apply) (hashtab_key_t k,
+ hashtab_datum_t d, void *args), void *args)
+{
+ unsigned int i, ret;
+ hashtab_ptr_t cur;
+
+ if (!h)
+ return SEPOL_OK;
+
+ for (i = 0; i < h->size; i++) {
+ cur = h->htable[i];
+ while (cur != NULL) {
+ ret = apply(cur->key, cur->datum, args);
+ if (ret)
+ return ret;
+ cur = cur->next;
+ }
+ }
+ return SEPOL_OK;
+}
+
+void hashtab_map_remove_on_error(hashtab_t h,
+ int (*apply) (hashtab_key_t k,
+ hashtab_datum_t d,
+ void *args),
+ void (*destroy) (hashtab_key_t k,
+ hashtab_datum_t d,
+ void *args), void *args)
+{
+ unsigned int i;
+ int ret;
+ hashtab_ptr_t last, cur, temp;
+
+ if (!h)
+ return;
+
+ for (i = 0; i < h->size; i++) {
+ last = NULL;
+ cur = h->htable[i];
+ while (cur != NULL) {
+ ret = apply(cur->key, cur->datum, args);
+ if (ret) {
+ if (last) {
+ last->next = cur->next;
+ } else {
+ h->htable[i] = cur->next;
+ }
+
+ temp = cur;
+ cur = cur->next;
+ if (destroy)
+ destroy(temp->key, temp->datum, args);
+ free(temp);
+ h->nel--;
+ } else {
+ last = cur;
+ cur = cur->next;
+ }
+ }
+ }
+
+ return;
+}
+
+void hashtab_hash_eval(hashtab_t h, char *tag)
+{
+ unsigned int i;
+ int chain_len, slots_used, max_chain_len;
+ hashtab_ptr_t cur;
+
+ slots_used = 0;
+ max_chain_len = 0;
+ for (i = 0; i < h->size; i++) {
+ cur = h->htable[i];
+ if (cur) {
+ slots_used++;
+ chain_len = 0;
+ while (cur) {
+ chain_len++;
+ cur = cur->next;
+ }
+
+ if (chain_len > max_chain_len)
+ max_chain_len = chain_len;
+ }
+ }
+
+ printf
+ ("%s: %d entries and %d/%d buckets used, longest chain length %d\n",
+ tag, h->nel, slots_used, h->size, max_chain_len);
+}
diff --git a/src/hierarchy.c b/src/hierarchy.c
new file mode 100644
index 0000000..e2df5a4
--- /dev/null
+++ b/src/hierarchy.c
@@ -0,0 +1,501 @@
+/* Authors: Joshua Brindle <jbrindle@tresys.com>
+ * Jason Tang <jtang@tresys.com>
+ *
+ * Updates: KaiGai Kohei <kaigai@ak.jp.nec.com>
+ * adds checks based on newer boundary facility.
+ *
+ * A set of utility functions that aid policy decision when dealing
+ * with hierarchal namespaces.
+ *
+ * Copyright (C) 2005 Tresys Technology, LLC
+ *
+ * Copyright (c) 2008 NEC Corporation
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include <string.h>
+#include <stdlib.h>
+#include <assert.h>
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/conditional.h>
+#include <sepol/policydb/hierarchy.h>
+#include <sepol/policydb/expand.h>
+#include <sepol/policydb/util.h>
+
+#include "debug.h"
+
+typedef struct hierarchy_args {
+ policydb_t *p;
+ avtab_t *expa; /* expanded avtab */
+ /* This tells check_avtab_hierarchy to check this list in addition to the unconditional avtab */
+ cond_av_list_t *opt_cond_list;
+ sepol_handle_t *handle;
+ int numerr;
+} hierarchy_args_t;
+
+/*
+ * find_parent_(type|role|user)
+ *
+ * This function returns the parent datum of given XXX_datum_t
+ * object or NULL, if it doesn't exist.
+ *
+ * If the given datum has a valid bounds, this function merely
+ * returns the indicated object. Otherwise, it looks up the
+ * parent based on the based hierarchy.
+ */
+#define find_parent_template(prefix) \
+int find_parent_##prefix(hierarchy_args_t *a, \
+ prefix##_datum_t *datum, \
+ prefix##_datum_t **parent) \
+{ \
+ char *parent_name, *datum_name, *tmp; \
+ \
+ if (datum->bounds) \
+ *parent = a->p->prefix##_val_to_struct[datum->bounds - 1]; \
+ else { \
+ datum_name = a->p->p_##prefix##_val_to_name[datum->s.value - 1]; \
+ \
+ tmp = strrchr(datum_name, '.'); \
+ /* no '.' means it has no parent */ \
+ if (!tmp) { \
+ *parent = NULL; \
+ return 0; \
+ } \
+ \
+ parent_name = strdup(datum_name); \
+ if (!parent_name) \
+ return -1; \
+ parent_name[tmp - datum_name] = '\0'; \
+ \
+ *parent = hashtab_search(a->p->p_##prefix##s.table, parent_name); \
+ if (!*parent) { \
+ /* Orphan type/role/user */ \
+ ERR(a->handle, \
+ "%s doesn't exist, %s is an orphan", \
+ parent_name, \
+ a->p->p_##prefix##_val_to_name[datum->s.value - 1]); \
+ free(parent_name); \
+ return -1; \
+ } \
+ free(parent_name); \
+ } \
+ \
+ return 0; \
+}
+
+static find_parent_template(type)
+static find_parent_template(role)
+static find_parent_template(user)
+
+static void compute_avtab_datum(hierarchy_args_t *args,
+ avtab_key_t *key,
+ avtab_datum_t *result)
+{
+ avtab_datum_t *avdatp;
+ uint32_t av = 0;
+
+ avdatp = avtab_search(args->expa, key);
+ if (avdatp)
+ av = avdatp->data;
+ if (args->opt_cond_list) {
+ avdatp = cond_av_list_search(key, args->opt_cond_list);
+ if (avdatp)
+ av |= avdatp->data;
+ }
+
+ result->data = av;
+}
+
+/* This function verifies that the type passed in either has a parent or is in the
+ * root of the namespace, 0 on success, 1 on orphan and -1 on error
+ */
+static int check_type_hierarchy_callback(hashtab_key_t k, hashtab_datum_t d,
+ void *args)
+{
+ hierarchy_args_t *a;
+ type_datum_t *t, *tp;
+
+ a = (hierarchy_args_t *) args;
+ t = (type_datum_t *) d;
+
+ if (t->flavor == TYPE_ATTRIB) {
+ /* It's an attribute, we don't care */
+ return 0;
+ }
+ if (find_parent_type(a, t, &tp) < 0)
+ return -1;
+
+ if (tp && tp->flavor == TYPE_ATTRIB) {
+ /* The parent is an attribute but the child isn't, not legal */
+ ERR(a->handle, "type %s is a child of an attribute %s",
+ (char *) k, a->p->p_type_val_to_name[tp->s.value - 1]);
+ a->numerr++;
+ return -1;
+ }
+ return 0;
+}
+
+/* This function only verifies that the avtab node passed in does not violate any
+ * hiearchy constraint via any relationship with other types in the avtab.
+ * it should be called using avtab_map, returns 0 on success, 1 on violation and
+ * -1 on error. opt_cond_list is an optional argument that tells this to check
+ * a conditional list for the relationship as well as the unconditional avtab
+ */
+static int check_avtab_hierarchy_callback(avtab_key_t * k, avtab_datum_t * d,
+ void *args)
+{
+ avtab_key_t key;
+ hierarchy_args_t *a = (hierarchy_args_t *) args;
+ type_datum_t *s, *t1 = NULL, *t2 = NULL;
+ avtab_datum_t av;
+
+ if (!(k->specified & AVTAB_ALLOWED)) {
+ /* This is not an allow rule, no checking done */
+ return 0;
+ }
+
+ /* search for parent first */
+ s = a->p->type_val_to_struct[k->source_type - 1];
+ if (find_parent_type(a, s, &t1) < 0)
+ return -1;
+ if (t1) {
+ /*
+ * search for access allowed between type 1's
+ * parent and type 2.
+ */
+ key.source_type = t1->s.value;
+ key.target_type = k->target_type;
+ key.target_class = k->target_class;
+ key.specified = AVTAB_ALLOWED;
+ compute_avtab_datum(a, &key, &av);
+
+ if ((av.data & d->data) == d->data)
+ return 0;
+ }
+
+ /* next we try type 1 and type 2's parent */
+ s = a->p->type_val_to_struct[k->target_type - 1];
+ if (find_parent_type(a, s, &t2) < 0)
+ return -1;
+ if (t2) {
+ /*
+ * search for access allowed between type 1 and
+ * type 2's parent.
+ */
+ key.source_type = k->source_type;
+ key.target_type = t2->s.value;
+ key.target_class = k->target_class;
+ key.specified = AVTAB_ALLOWED;
+ compute_avtab_datum(a, &key, &av);
+
+ if ((av.data & d->data) == d->data)
+ return 0;
+ }
+
+ if (t1 && t2) {
+ /*
+ * search for access allowed between type 1's parent
+ * and type 2's parent.
+ */
+ key.source_type = t1->s.value;
+ key.target_type = t2->s.value;
+ key.target_class = k->target_class;
+ key.specified = AVTAB_ALLOWED;
+ compute_avtab_datum(a, &key, &av);
+
+ if ((av.data & d->data) == d->data)
+ return 0;
+ }
+
+ /*
+ * Neither one of these types have parents and
+ * therefore the hierarchical constraint does not apply
+ */
+ if (!t1 && !t2)
+ return 0;
+
+ /*
+ * At this point there is a violation of the hierarchal
+ * constraint, send error condition back
+ */
+ ERR(a->handle,
+ "hierarchy violation between types %s and %s : %s { %s }",
+ a->p->p_type_val_to_name[k->source_type - 1],
+ a->p->p_type_val_to_name[k->target_type - 1],
+ a->p->p_class_val_to_name[k->target_class - 1],
+ sepol_av_to_string(a->p, k->target_class, d->data & ~av.data));
+ a->numerr++;
+ return 0;
+}
+
+/*
+ * If same permissions are allowed for same combination of
+ * source and target, we can evaluate them as unconditional
+ * one.
+ * See the following example. A_t type is bounds of B_t type,
+ * so B_t can never have wider permissions then A_t.
+ * A_t has conditional permission on X_t, however, a part of
+ * them (getattr and read) are unconditionaly allowed to A_t.
+ *
+ * Example)
+ * typebounds A_t B_t;
+ *
+ * allow B_t X_t : file { getattr };
+ * if (foo_bool) {
+ * allow A_t X_t : file { getattr read };
+ * } else {
+ * allow A_t X_t : file { getattr read write };
+ * }
+ *
+ * We have to pull up them as unconditional ones in this case,
+ * because it seems to us B_t is violated to bounds constraints
+ * during unconditional policy checking.
+ */
+static int pullup_unconditional_perms(cond_list_t * cond_list,
+ hierarchy_args_t * args)
+{
+ cond_list_t *cur_node;
+ cond_av_list_t *cur_av, *expl_true = NULL, *expl_false = NULL;
+ avtab_t expa_true, expa_false;
+ avtab_datum_t *avdatp;
+ avtab_datum_t avdat;
+ avtab_ptr_t avnode;
+
+ for (cur_node = cond_list; cur_node; cur_node = cur_node->next) {
+ if (avtab_init(&expa_true))
+ goto oom0;
+ if (avtab_init(&expa_false))
+ goto oom1;
+ if (expand_cond_av_list(args->p, cur_node->true_list,
+ &expl_true, &expa_true))
+ goto oom2;
+ if (expand_cond_av_list(args->p, cur_node->false_list,
+ &expl_false, &expa_false))
+ goto oom3;
+ for (cur_av = expl_true; cur_av; cur_av = cur_av->next) {
+ avdatp = avtab_search(&expa_false,
+ &cur_av->node->key);
+ if (!avdatp)
+ continue;
+
+ avdat.data = (cur_av->node->datum.data
+ & avdatp->data);
+ if (!avdat.data)
+ continue;
+
+ avnode = avtab_search_node(args->expa,
+ &cur_av->node->key);
+ if (avnode) {
+ avnode->datum.data |= avdat.data;
+ } else {
+ if (avtab_insert(args->expa,
+ &cur_av->node->key,
+ &avdat))
+ goto oom4;
+ }
+ }
+ cond_av_list_destroy(expl_false);
+ cond_av_list_destroy(expl_true);
+ avtab_destroy(&expa_false);
+ avtab_destroy(&expa_true);
+ }
+ return 0;
+
+oom4:
+ cond_av_list_destroy(expl_false);
+oom3:
+ cond_av_list_destroy(expl_true);
+oom2:
+ avtab_destroy(&expa_false);
+oom1:
+ avtab_destroy(&expa_true);
+oom0:
+ ERR(args->handle, "out of memory on conditional av list expansion");
+ return 1;
+}
+
+static int check_cond_avtab_hierarchy(cond_list_t * cond_list,
+ hierarchy_args_t * args)
+{
+ int rc;
+ cond_list_t *cur_node;
+ cond_av_list_t *cur_av, *expl = NULL;
+ avtab_t expa;
+ hierarchy_args_t *a = (hierarchy_args_t *) args;
+ avtab_datum_t avdat, *uncond;
+
+ for (cur_node = cond_list; cur_node; cur_node = cur_node->next) {
+ /*
+ * Check true condition
+ */
+ if (avtab_init(&expa))
+ goto oom;
+ if (expand_cond_av_list(args->p, cur_node->true_list,
+ &expl, &expa)) {
+ avtab_destroy(&expa);
+ goto oom;
+ }
+ args->opt_cond_list = expl;
+ for (cur_av = expl; cur_av; cur_av = cur_av->next) {
+ avdat.data = cur_av->node->datum.data;
+ uncond = avtab_search(a->expa, &cur_av->node->key);
+ if (uncond)
+ avdat.data |= uncond->data;
+ rc = check_avtab_hierarchy_callback(&cur_av->node->key,
+ &avdat, args);
+ if (rc)
+ args->numerr++;
+ }
+ cond_av_list_destroy(expl);
+
+ /*
+ * Check false condition
+ */
+ if (avtab_init(&expa))
+ goto oom;
+ if (expand_cond_av_list(args->p, cur_node->false_list,
+ &expl, &expa)) {
+ avtab_destroy(&expa);
+ goto oom;
+ }
+ args->opt_cond_list = expl;
+ for (cur_av = expl; cur_av; cur_av = cur_av->next) {
+ avdat.data = cur_av->node->datum.data;
+ uncond = avtab_search(a->expa, &cur_av->node->key);
+ if (uncond)
+ avdat.data |= uncond->data;
+
+ rc = check_avtab_hierarchy_callback(&cur_av->node->key,
+ &avdat, args);
+ if (rc)
+ a->numerr++;
+ }
+ cond_av_list_destroy(expl);
+ avtab_destroy(&expa);
+ }
+
+ return 0;
+
+ oom:
+ ERR(args->handle, "out of memory on conditional av list expansion");
+ return 1;
+}
+
+/* The role hierarchy is defined as: a child role cannot have more types than it's parent.
+ * This function should be called with hashtab_map, it will return 0 on success, 1 on
+ * constraint violation and -1 on error
+ */
+static int check_role_hierarchy_callback(hashtab_key_t k
+ __attribute__ ((unused)),
+ hashtab_datum_t d, void *args)
+{
+ hierarchy_args_t *a;
+ role_datum_t *r, *rp;
+
+ a = (hierarchy_args_t *) args;
+ r = (role_datum_t *) d;
+
+ if (find_parent_role(a, r, &rp) < 0)
+ return -1;
+
+ if (rp && !ebitmap_contains(&rp->types.types, &r->types.types)) {
+ /* hierarchical constraint violation, return error */
+ ERR(a->handle, "Role hierarchy violation, %s exceeds %s",
+ (char *) k, a->p->p_role_val_to_name[rp->s.value - 1]);
+ a->numerr++;
+ }
+ return 0;
+}
+
+/* The user hierarchy is defined as: a child user cannot have a role that
+ * its parent doesn't have. This function should be called with hashtab_map,
+ * it will return 0 on success, 1 on constraint violation and -1 on error.
+ */
+static int check_user_hierarchy_callback(hashtab_key_t k
+ __attribute__ ((unused)),
+ hashtab_datum_t d, void *args)
+{
+ hierarchy_args_t *a;
+ user_datum_t *u, *up;
+
+ a = (hierarchy_args_t *) args;
+ u = (user_datum_t *) d;
+
+ if (find_parent_user(a, u, &up) < 0)
+ return -1;
+
+ if (up && !ebitmap_contains(&up->roles.roles, &u->roles.roles)) {
+ /* hierarchical constraint violation, return error */
+ ERR(a->handle, "User hierarchy violation, %s exceeds %s",
+ (char *) k, a->p->p_user_val_to_name[up->s.value - 1]);
+ a->numerr++;
+ }
+ return 0;
+}
+
+int hierarchy_check_constraints(sepol_handle_t * handle, policydb_t * p)
+{
+ hierarchy_args_t args;
+ avtab_t expa;
+
+ if (avtab_init(&expa))
+ goto oom;
+ if (expand_avtab(p, &p->te_avtab, &expa)) {
+ avtab_destroy(&expa);
+ goto oom;
+ }
+
+ args.p = p;
+ args.expa = &expa;
+ args.opt_cond_list = NULL;
+ args.handle = handle;
+ args.numerr = 0;
+
+ if (hashtab_map(p->p_types.table, check_type_hierarchy_callback, &args))
+ goto bad;
+
+ if (pullup_unconditional_perms(p->cond_list, &args))
+ return -1;
+
+ if (avtab_map(&expa, check_avtab_hierarchy_callback, &args))
+ goto bad;
+
+ if (check_cond_avtab_hierarchy(p->cond_list, &args))
+ goto bad;
+
+ if (hashtab_map(p->p_roles.table, check_role_hierarchy_callback, &args))
+ goto bad;
+
+ if (hashtab_map(p->p_users.table, check_user_hierarchy_callback, &args))
+ goto bad;
+
+ if (args.numerr) {
+ ERR(handle, "%d total errors found during hierarchy check",
+ args.numerr);
+ goto bad;
+ }
+
+ avtab_destroy(&expa);
+ return 0;
+
+ bad:
+ avtab_destroy(&expa);
+ return -1;
+
+ oom:
+ ERR(handle, "Out of memory");
+ return -1;
+}
diff --git a/src/iface_internal.h b/src/iface_internal.h
new file mode 100644
index 0000000..5b78d9b
--- /dev/null
+++ b/src/iface_internal.h
@@ -0,0 +1,18 @@
+#ifndef _SEPOL_IFACE_INTERNAL_H_
+#define _SEPOL_IFACE_INTERNAL_H_
+
+#include <sepol/iface_record.h>
+#include <sepol/interfaces.h>
+#include "dso.h"
+
+hidden_proto(sepol_iface_create)
+ hidden_proto(sepol_iface_free)
+ hidden_proto(sepol_iface_get_ifcon)
+ hidden_proto(sepol_iface_get_msgcon)
+ hidden_proto(sepol_iface_get_name)
+ hidden_proto(sepol_iface_key_create)
+ hidden_proto(sepol_iface_key_unpack)
+ hidden_proto(sepol_iface_set_ifcon)
+ hidden_proto(sepol_iface_set_msgcon)
+ hidden_proto(sepol_iface_set_name)
+#endif
diff --git a/src/iface_record.c b/src/iface_record.c
new file mode 100644
index 0000000..09adeb7
--- /dev/null
+++ b/src/iface_record.c
@@ -0,0 +1,233 @@
+#include <stdlib.h>
+#include <string.h>
+
+#include "iface_internal.h"
+#include "context_internal.h"
+#include "debug.h"
+
+struct sepol_iface {
+
+ /* Interface name */
+ char *name;
+
+ /* Interface context */
+ sepol_context_t *netif_con;
+
+ /* Message context */
+ sepol_context_t *netmsg_con;
+};
+
+struct sepol_iface_key {
+
+ /* Interface name */
+ const char *name;
+};
+
+/* Key */
+int sepol_iface_key_create(sepol_handle_t * handle,
+ const char *name, sepol_iface_key_t ** key_ptr)
+{
+
+ sepol_iface_key_t *tmp_key =
+ (sepol_iface_key_t *) malloc(sizeof(sepol_iface_key_t));
+
+ if (!tmp_key) {
+ ERR(handle, "out of memory, could not create interface key");
+ return STATUS_ERR;
+ }
+
+ tmp_key->name = name;
+
+ *key_ptr = tmp_key;
+ return STATUS_SUCCESS;
+}
+
+hidden_def(sepol_iface_key_create)
+
+void sepol_iface_key_unpack(const sepol_iface_key_t * key, const char **name)
+{
+
+ *name = key->name;
+}
+
+hidden_def(sepol_iface_key_unpack)
+
+int sepol_iface_key_extract(sepol_handle_t * handle,
+ const sepol_iface_t * iface,
+ sepol_iface_key_t ** key_ptr)
+{
+
+ if (sepol_iface_key_create(handle, iface->name, key_ptr) < 0) {
+ ERR(handle, "could not extract key from "
+ "interface %s", iface->name);
+ return STATUS_ERR;
+ }
+
+ return STATUS_SUCCESS;
+}
+
+void sepol_iface_key_free(sepol_iface_key_t * key)
+{
+ free(key);
+}
+
+int sepol_iface_compare(const sepol_iface_t * iface,
+ const sepol_iface_key_t * key)
+{
+
+ return strcmp(iface->name, key->name);
+}
+
+int sepol_iface_compare2(const sepol_iface_t * iface,
+ const sepol_iface_t * iface2)
+{
+
+ return strcmp(iface->name, iface2->name);
+}
+
+/* Create */
+int sepol_iface_create(sepol_handle_t * handle, sepol_iface_t ** iface)
+{
+
+ sepol_iface_t *tmp_iface =
+ (sepol_iface_t *) malloc(sizeof(sepol_iface_t));
+
+ if (!tmp_iface) {
+ ERR(handle, "out of memory, could not create "
+ "interface record");
+ return STATUS_ERR;
+ }
+
+ tmp_iface->name = NULL;
+ tmp_iface->netif_con = NULL;
+ tmp_iface->netmsg_con = NULL;
+ *iface = tmp_iface;
+
+ return STATUS_SUCCESS;
+}
+
+hidden_def(sepol_iface_create)
+
+/* Name */
+const char *sepol_iface_get_name(const sepol_iface_t * iface)
+{
+
+ return iface->name;
+}
+
+hidden_def(sepol_iface_get_name)
+
+int sepol_iface_set_name(sepol_handle_t * handle,
+ sepol_iface_t * iface, const char *name)
+{
+
+ char *tmp_name = strdup(name);
+ if (!tmp_name) {
+ ERR(handle, "out of memory, " "could not set interface name");
+ return STATUS_ERR;
+ }
+ free(iface->name);
+ iface->name = tmp_name;
+ return STATUS_SUCCESS;
+}
+
+hidden_def(sepol_iface_set_name)
+
+/* Interface Context */
+sepol_context_t *sepol_iface_get_ifcon(const sepol_iface_t * iface)
+{
+
+ return iface->netif_con;
+}
+
+hidden_def(sepol_iface_get_ifcon)
+
+int sepol_iface_set_ifcon(sepol_handle_t * handle,
+ sepol_iface_t * iface, sepol_context_t * con)
+{
+
+ sepol_context_t *newcon;
+
+ if (sepol_context_clone(handle, con, &newcon) < 0) {
+ ERR(handle, "out of memory, could not set interface context");
+ return STATUS_ERR;
+ }
+
+ sepol_context_free(iface->netif_con);
+ iface->netif_con = newcon;
+ return STATUS_SUCCESS;
+}
+
+hidden_def(sepol_iface_set_ifcon)
+
+/* Message Context */
+sepol_context_t *sepol_iface_get_msgcon(const sepol_iface_t * iface)
+{
+
+ return iface->netmsg_con;
+}
+
+hidden_def(sepol_iface_get_msgcon)
+
+int sepol_iface_set_msgcon(sepol_handle_t * handle,
+ sepol_iface_t * iface, sepol_context_t * con)
+{
+
+ sepol_context_t *newcon;
+ if (sepol_context_clone(handle, con, &newcon) < 0) {
+ ERR(handle, "out of memory, could not set message context");
+ return STATUS_ERR;
+ }
+
+ sepol_context_free(iface->netmsg_con);
+ iface->netmsg_con = newcon;
+ return STATUS_SUCCESS;
+}
+
+hidden_def(sepol_iface_set_msgcon)
+
+/* Deep copy clone */
+int sepol_iface_clone(sepol_handle_t * handle,
+ const sepol_iface_t * iface, sepol_iface_t ** iface_ptr)
+{
+
+ sepol_iface_t *new_iface = NULL;
+ if (sepol_iface_create(handle, &new_iface) < 0)
+ goto err;
+
+ if (sepol_iface_set_name(handle, new_iface, iface->name) < 0)
+ goto err;
+
+ if (iface->netif_con &&
+ (sepol_context_clone
+ (handle, iface->netif_con, &new_iface->netif_con) < 0))
+ goto err;
+
+ if (iface->netmsg_con &&
+ (sepol_context_clone
+ (handle, iface->netmsg_con, &new_iface->netmsg_con) < 0))
+ goto err;
+
+ *iface_ptr = new_iface;
+ return STATUS_SUCCESS;
+
+ err:
+ ERR(handle, "could not clone interface record");
+ sepol_iface_free(new_iface);
+ return STATUS_ERR;
+}
+
+/* Destroy */
+void sepol_iface_free(sepol_iface_t * iface)
+{
+
+ if (!iface)
+ return;
+
+ free(iface->name);
+ sepol_context_free(iface->netif_con);
+ sepol_context_free(iface->netmsg_con);
+ free(iface);
+}
+
+hidden_def(sepol_iface_free)
diff --git a/src/interfaces.c b/src/interfaces.c
new file mode 100644
index 0000000..b82d0f3
--- /dev/null
+++ b/src/interfaces.c
@@ -0,0 +1,273 @@
+#include <stdlib.h>
+
+#include "debug.h"
+#include "context.h"
+#include "handle.h"
+
+#include <sepol/policydb/policydb.h>
+#include <sepol/interfaces.h>
+#include "iface_internal.h"
+
+/* Create a low level structure from record */
+static int iface_from_record(sepol_handle_t * handle,
+ const policydb_t * policydb,
+ ocontext_t ** iface, const sepol_iface_t * record)
+{
+
+ ocontext_t *tmp_iface = NULL;
+ context_struct_t *tmp_con = NULL;
+
+ tmp_iface = (ocontext_t *) calloc(1, sizeof(ocontext_t));
+ if (!tmp_iface)
+ goto omem;
+
+ /* Name */
+ tmp_iface->u.name = strdup(sepol_iface_get_name(record));
+ if (!tmp_iface->u.name)
+ goto omem;
+
+ /* Interface Context */
+ if (context_from_record(handle, policydb,
+ &tmp_con, sepol_iface_get_ifcon(record)) < 0)
+ goto err;
+ context_cpy(&tmp_iface->context[0], tmp_con);
+ context_destroy(tmp_con);
+ free(tmp_con);
+ tmp_con = NULL;
+
+ /* Message Context */
+ if (context_from_record(handle, policydb,
+ &tmp_con, sepol_iface_get_msgcon(record)) < 0)
+ goto err;
+ context_cpy(&tmp_iface->context[1], tmp_con);
+ context_destroy(tmp_con);
+ free(tmp_con);
+ tmp_con = NULL;
+
+ *iface = tmp_iface;
+ return STATUS_SUCCESS;
+
+ omem:
+ ERR(handle, "out of memory");
+
+ err:
+ if (tmp_iface != NULL) {
+ free(tmp_iface->u.name);
+ context_destroy(&tmp_iface->context[0]);
+ context_destroy(&tmp_iface->context[1]);
+ free(tmp_iface);
+ }
+ context_destroy(tmp_con);
+ free(tmp_con);
+ ERR(handle, "error creating interface structure");
+ return STATUS_ERR;
+}
+
+static int iface_to_record(sepol_handle_t * handle,
+ const policydb_t * policydb,
+ ocontext_t * iface, sepol_iface_t ** record)
+{
+
+ char *name = iface->u.name;
+ context_struct_t *ifcon = &iface->context[0];
+ context_struct_t *msgcon = &iface->context[1];
+
+ sepol_context_t *tmp_con = NULL;
+ sepol_iface_t *tmp_record = NULL;
+
+ if (sepol_iface_create(handle, &tmp_record) < 0)
+ goto err;
+
+ if (sepol_iface_set_name(handle, tmp_record, name) < 0)
+ goto err;
+
+ if (context_to_record(handle, policydb, ifcon, &tmp_con) < 0)
+ goto err;
+ if (sepol_iface_set_ifcon(handle, tmp_record, tmp_con) < 0)
+ goto err;
+ sepol_context_free(tmp_con);
+ tmp_con = NULL;
+
+ if (context_to_record(handle, policydb, msgcon, &tmp_con) < 0)
+ goto err;
+ if (sepol_iface_set_msgcon(handle, tmp_record, tmp_con) < 0)
+ goto err;
+ sepol_context_free(tmp_con);
+ tmp_con = NULL;
+
+ *record = tmp_record;
+ return STATUS_SUCCESS;
+
+ err:
+ ERR(handle, "could not convert interface %s to record", name);
+ sepol_context_free(tmp_con);
+ sepol_iface_free(tmp_record);
+ return STATUS_ERR;
+}
+
+/* Check if an interface exists */
+int sepol_iface_exists(sepol_handle_t * handle __attribute__ ((unused)),
+ const sepol_policydb_t * p,
+ const sepol_iface_key_t * key, int *response)
+{
+
+ const policydb_t *policydb = &p->p;
+ ocontext_t *c, *head;
+
+ const char *name;
+ sepol_iface_key_unpack(key, &name);
+
+ head = policydb->ocontexts[OCON_NETIF];
+ for (c = head; c; c = c->next) {
+ if (!strcmp(name, c->u.name)) {
+ *response = 1;
+ return STATUS_SUCCESS;
+ }
+ }
+ *response = 0;
+
+ handle = NULL;
+ return STATUS_SUCCESS;
+}
+
+/* Query an interface */
+int sepol_iface_query(sepol_handle_t * handle,
+ const sepol_policydb_t * p,
+ const sepol_iface_key_t * key, sepol_iface_t ** response)
+{
+
+ const policydb_t *policydb = &p->p;
+ ocontext_t *c, *head;
+
+ const char *name;
+ sepol_iface_key_unpack(key, &name);
+
+ head = policydb->ocontexts[OCON_NETIF];
+ for (c = head; c; c = c->next) {
+ if (!strcmp(name, c->u.name)) {
+
+ if (iface_to_record(handle, policydb, c, response) < 0)
+ goto err;
+
+ return STATUS_SUCCESS;
+ }
+ }
+
+ *response = NULL;
+ return STATUS_SUCCESS;
+
+ err:
+ ERR(handle, "could not query interface %s", name);
+ return STATUS_ERR;
+}
+
+/* Load an interface into policy */
+int sepol_iface_modify(sepol_handle_t * handle,
+ sepol_policydb_t * p,
+ const sepol_iface_key_t * key,
+ const sepol_iface_t * data)
+{
+
+ policydb_t *policydb = &p->p;
+ ocontext_t *head, *prev, *c, *iface = NULL;
+
+ const char *name;
+ sepol_iface_key_unpack(key, &name);
+
+ if (iface_from_record(handle, policydb, &iface, data) < 0)
+ goto err;
+
+ prev = NULL;
+ head = policydb->ocontexts[OCON_NETIF];
+ for (c = head; c; c = c->next) {
+ if (!strcmp(name, c->u.name)) {
+
+ /* Replace */
+ iface->next = c->next;
+ if (prev == NULL)
+ policydb->ocontexts[OCON_NETIF] = iface;
+ else
+ prev->next = iface;
+ free(c->u.name);
+ context_destroy(&c->context[0]);
+ context_destroy(&c->context[1]);
+ free(c);
+
+ return STATUS_SUCCESS;
+ }
+ prev = c;
+ }
+
+ /* Attach to context list */
+ iface->next = policydb->ocontexts[OCON_NETIF];
+ policydb->ocontexts[OCON_NETIF] = iface;
+ return STATUS_SUCCESS;
+
+ err:
+ ERR(handle, "error while loading interface %s", name);
+
+ if (iface != NULL) {
+ free(iface->u.name);
+ context_destroy(&iface->context[0]);
+ context_destroy(&iface->context[1]);
+ free(iface);
+ }
+ return STATUS_ERR;
+}
+
+/* Return the number of interfaces */
+extern int sepol_iface_count(sepol_handle_t * handle __attribute__ ((unused)),
+ const sepol_policydb_t * p, unsigned int *response)
+{
+
+ unsigned int count = 0;
+ ocontext_t *c, *head;
+ const policydb_t *policydb = &p->p;
+
+ head = policydb->ocontexts[OCON_NETIF];
+ for (c = head; c != NULL; c = c->next)
+ count++;
+
+ *response = count;
+
+ handle = NULL;
+ return STATUS_SUCCESS;
+}
+
+int sepol_iface_iterate(sepol_handle_t * handle,
+ const sepol_policydb_t * p,
+ int (*fn) (const sepol_iface_t * iface,
+ void *fn_arg), void *arg)
+{
+
+ const policydb_t *policydb = &p->p;
+ ocontext_t *c, *head;
+ sepol_iface_t *iface = NULL;
+
+ head = policydb->ocontexts[OCON_NETIF];
+ for (c = head; c; c = c->next) {
+ int status;
+
+ if (iface_to_record(handle, policydb, c, &iface) < 0)
+ goto err;
+
+ /* Invoke handler */
+ status = fn(iface, arg);
+ if (status < 0)
+ goto err;
+
+ sepol_iface_free(iface);
+ iface = NULL;
+
+ /* Handler requested exit */
+ if (status > 0)
+ break;
+ }
+
+ return STATUS_SUCCESS;
+
+ err:
+ ERR(handle, "could not iterate over interfaces");
+ sepol_iface_free(iface);
+ return STATUS_ERR;
+}
diff --git a/src/libsepol.map b/src/libsepol.map
new file mode 100644
index 0000000..719e5b7
--- /dev/null
+++ b/src/libsepol.map
@@ -0,0 +1,19 @@
+{
+ global:
+ sepol_module_package_*; sepol_link_modules; sepol_expand_module; sepol_link_packages;
+ sepol_bool_*; sepol_genbools*;
+ sepol_context_*; sepol_mls_*; sepol_check_context;
+ sepol_iface_*;
+ sepol_port_*;
+ sepol_node_*;
+ sepol_user_*; sepol_genusers; sepol_set_delusers;
+ sepol_msg_*; sepol_debug;
+ sepol_handle_*;
+ sepol_policydb_*; sepol_set_policydb_from_file;
+ sepol_policy_kern_*;
+ sepol_policy_file_*;
+ sepol_get_disable_dontaudit;
+ sepol_set_disable_dontaudit;
+ sepol_set_expand_consume_base;
+ local: *;
+};
diff --git a/src/libsepol.pc.in b/src/libsepol.pc.in
new file mode 100644
index 0000000..e52f589
--- /dev/null
+++ b/src/libsepol.pc.in
@@ -0,0 +1,11 @@
+prefix=@prefix@
+exec_prefix=${prefix}
+libdir=${exec_prefix}/@libdir@
+includedir=@includedir@
+
+Name: libsepol
+Description: SELinux policy library
+Version: @VERSION@
+URL: http://userspace.selinuxproject.org/
+Libs: -L${libdir} -lsepol
+Cflags: -I${includedir}
diff --git a/src/link.c b/src/link.c
new file mode 100644
index 0000000..421c47b
--- /dev/null
+++ b/src/link.c
@@ -0,0 +1,2598 @@
+/* Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
+ * Joshua Brindle <jbrindle@tresys.com>
+ * Jason Tang <jtang@tresys.com>
+ *
+ * Copyright (C) 2004-2005 Tresys Technology, LLC
+ * Copyright (C) 2007 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/conditional.h>
+#include <sepol/policydb/hashtab.h>
+#include <sepol/policydb/avrule_block.h>
+#include <sepol/policydb/link.h>
+#include <sepol/policydb/util.h>
+
+#include <stdlib.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
+#include <assert.h>
+
+#include "debug.h"
+
+#undef min
+#define min(a,b) (((a) < (b)) ? (a) : (b))
+
+typedef struct policy_module {
+ policydb_t *policy;
+ uint32_t num_decls;
+ uint32_t *map[SYM_NUM];
+ uint32_t *avdecl_map;
+ uint32_t **perm_map;
+ uint32_t *perm_map_len;
+
+ /* a pointer to within the base module's avrule_block chain to
+ * where this module's global now resides */
+ avrule_block_t *base_global;
+} policy_module_t;
+
+typedef struct link_state {
+ int verbose;
+ policydb_t *base;
+ avrule_block_t *last_avrule_block, *last_base_avrule_block;
+ uint32_t next_decl_id, current_decl_id;
+
+ /* temporary variables, used during hashtab_map() calls */
+ policy_module_t *cur;
+ char *cur_mod_name;
+ avrule_decl_t *dest_decl;
+ class_datum_t *src_class, *dest_class;
+ char *dest_class_name;
+ char dest_class_req; /* flag indicating the class was not declared */
+ uint32_t symbol_num;
+ /* used to report the name of the module if dependancy error occurs */
+ policydb_t **decl_to_mod;
+
+ /* error reporting fields */
+ sepol_handle_t *handle;
+} link_state_t;
+
+typedef struct missing_requirement {
+ uint32_t symbol_type;
+ uint32_t symbol_value;
+ uint32_t perm_value;
+} missing_requirement_t;
+
+static const char *symtab_names[SYM_NUM] = {
+ "common", "class", "role", "type/attribute", "user",
+ "bool", "level", "category"
+};
+
+/* Deallocates all elements within a module, but NOT the policydb_t
+ * structure within, as well as the pointer itself. */
+static void policy_module_destroy(policy_module_t * mod)
+{
+ unsigned int i;
+ if (mod == NULL) {
+ return;
+ }
+ for (i = 0; i < SYM_NUM; i++) {
+ free(mod->map[i]);
+ }
+ for (i = 0; mod->perm_map != NULL && i < mod->policy->p_classes.nprim;
+ i++) {
+ free(mod->perm_map[i]);
+ }
+ free(mod->perm_map);
+ free(mod->perm_map_len);
+ free(mod->avdecl_map);
+ free(mod);
+}
+
+/***** functions that copy identifiers from a module to base *****/
+
+/* Note: there is currently no scoping for permissions, which causes some
+ * strange side-effects. The current approach is this:
+ *
+ * a) perm is required and the class _and_ perm are declared in base: only add a mapping.
+ * b) perm is required and the class and perm are _not_ declared in base: simply add the permissions
+ * to the object class. This means that the requirements for the decl are the union of the permissions
+ * required for all decls, but who cares.
+ * c) perm is required, the class is declared in base, but the perm is not present. Nothing we can do
+ * here because we can't mark a single permission as required, so we bail with a requirement error
+ * _even_ if we are in an optional.
+ *
+ * A is correct behavior, b is wrong but not too bad, c is totall wrong for optionals. Fixing this requires
+ * a format change.
+ */
+static int permission_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
+ void *data)
+{
+ char *perm_id = key, *new_id = NULL;
+ perm_datum_t *perm, *new_perm = NULL, *dest_perm;
+ link_state_t *state = (link_state_t *) data;
+
+ class_datum_t *src_class = state->src_class;
+ class_datum_t *dest_class = state->dest_class;
+ policy_module_t *mod = state->cur;
+ uint32_t sclassi = src_class->s.value - 1;
+ int ret;
+
+ perm = (perm_datum_t *) datum;
+ dest_perm = hashtab_search(dest_class->permissions.table, perm_id);
+ if (dest_perm == NULL && dest_class->comdatum != NULL) {
+ dest_perm =
+ hashtab_search(dest_class->comdatum->permissions.table,
+ perm_id);
+ }
+
+ if (dest_perm == NULL) {
+ /* If the object class was not declared in the base, add the perm
+ * to the object class. */
+ if (state->dest_class_req) {
+ /* If the class was required (not declared), insert the new permission */
+ new_id = strdup(perm_id);
+ if (new_id == NULL) {
+ ERR(state->handle, "Memory error");
+ ret = SEPOL_ERR;
+ goto err;
+ }
+ new_perm =
+ (perm_datum_t *) calloc(1, sizeof(perm_datum_t));
+ if (new_perm == NULL) {
+ ERR(state->handle, "Memory error");
+ ret = SEPOL_ERR;
+ goto err;
+ }
+ ret = hashtab_insert(dest_class->permissions.table,
+ (hashtab_key_t) new_id,
+ (hashtab_datum_t) new_perm);
+ if (ret) {
+ ERR(state->handle,
+ "could not insert permission into class\n");
+ goto err;
+ }
+ new_perm->s.value = dest_class->permissions.nprim + 1;
+ dest_perm = new_perm;
+ } else {
+ /* this is case c from above */
+ ERR(state->handle,
+ "Module %s depends on permission %s in class %s, not satisfied",
+ state->cur_mod_name, perm_id,
+ state->dest_class_name);
+ return SEPOL_EREQ;
+ }
+ }
+
+ /* build the mapping for permissions encompassing this class.
+ * unlike symbols, the permission map translates between
+ * module permission bit to target permission bit. that bit
+ * may have originated from the class -or- it could be from
+ * the class's common parent.*/
+ if (perm->s.value > mod->perm_map_len[sclassi]) {
+ uint32_t *newmap = calloc(perm->s.value, sizeof(*newmap));
+ if (newmap == NULL) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+ memcpy(newmap, mod->perm_map[sclassi],
+ mod->perm_map_len[sclassi] * sizeof(*newmap));
+ free(mod->perm_map[sclassi]);
+ mod->perm_map[sclassi] = newmap;
+ mod->perm_map_len[sclassi] = perm->s.value;
+ }
+ mod->perm_map[sclassi][perm->s.value - 1] = dest_perm->s.value;
+
+ return 0;
+ err:
+ free(new_id);
+ free(new_perm);
+ return ret;
+}
+
+static int class_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
+ void *data)
+{
+ char *id = key, *new_id = NULL;
+ class_datum_t *cladatum, *new_class = NULL;
+ link_state_t *state = (link_state_t *) data;
+ scope_datum_t *scope = NULL;
+ int ret;
+
+ cladatum = (class_datum_t *) datum;
+ state->dest_class_req = 0;
+
+ new_class = hashtab_search(state->base->p_classes.table, id);
+ /* If there is not an object class already in the base symtab that means
+ * that either a) a module is trying to declare a new object class (which
+ * the compiler should prevent) or b) an object class was required that is
+ * not in the base.
+ */
+ if (new_class == NULL) {
+ scope =
+ hashtab_search(state->cur->policy->p_classes_scope.table,
+ id);
+ if (scope == NULL) {
+ ret = SEPOL_ERR;
+ goto err;
+ }
+ if (scope->scope == SCOPE_DECL) {
+ /* disallow declarations in modules */
+ ERR(state->handle,
+ "%s: Modules may not yet declare new classes.",
+ state->cur_mod_name);
+ ret = SEPOL_ENOTSUP;
+ goto err;
+ } else {
+ /* It would be nice to error early here because the requirement is
+ * not met, but we cannot because the decl might be optional (in which
+ * case we should record the requirement so that it is just turned
+ * off). Note: this will break horribly if modules can declare object
+ * classes because the class numbers will be all wrong (i.e., they
+ * might be assigned in the order they were required rather than the
+ * current scheme which ensures correct numbering by ordering the
+ * declarations properly). This can't be fixed until some infrastructure
+ * for querying the object class numbers is in place. */
+ state->dest_class_req = 1;
+ new_class =
+ (class_datum_t *) calloc(1, sizeof(class_datum_t));
+ if (new_class == NULL) {
+ ERR(state->handle, "Memory error\n");
+ ret = SEPOL_ERR;
+ goto err;
+ }
+ if (symtab_init
+ (&new_class->permissions, PERM_SYMTAB_SIZE)) {
+ ret = SEPOL_ERR;
+ goto err;
+ }
+ new_id = strdup(id);
+ if (new_id == NULL) {
+ ERR(state->handle, "Memory error\n");
+ ret = SEPOL_ERR;
+ goto err;
+ }
+ ret = hashtab_insert(state->base->p_classes.table,
+ (hashtab_key_t) new_id,
+ (hashtab_datum_t) new_class);
+ if (ret) {
+ ERR(state->handle,
+ "could not insert new class into symtab");
+ goto err;
+ }
+ new_class->s.value = ++(state->base->p_classes.nprim);
+ }
+ }
+
+ state->cur->map[SYM_CLASSES][cladatum->s.value - 1] =
+ new_class->s.value;
+
+ /* copy permissions */
+ state->src_class = cladatum;
+ state->dest_class = new_class;
+ state->dest_class_name = (char *)key;
+
+ ret =
+ hashtab_map(cladatum->permissions.table, permission_copy_callback,
+ state);
+ if (ret != 0) {
+ return ret;
+ }
+
+ return 0;
+ err:
+ free(new_class);
+ free(new_id);
+ return ret;
+}
+
+static int role_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
+ void *data)
+{
+ int ret;
+ char *id = key, *new_id = NULL;
+ role_datum_t *role, *base_role, *new_role = NULL;
+ link_state_t *state = (link_state_t *) data;
+
+ role = (role_datum_t *) datum;
+
+ base_role = hashtab_search(state->base->p_roles.table, id);
+ if (base_role != NULL) {
+ /* role already exists. check that it is what this
+ * module expected. duplicate declarations (e.g., two
+ * modules both declare role foo_r) is checked during
+ * scope_copy_callback(). */
+ if (role->flavor == ROLE_ATTRIB
+ && base_role->flavor != ROLE_ATTRIB) {
+ ERR(state->handle,
+ "%s: Expected %s to be a role attribute, but it was already declared as a regular role.",
+ state->cur_mod_name, id);
+ return -1;
+ } else if (role->flavor != ROLE_ATTRIB
+ && base_role->flavor == ROLE_ATTRIB) {
+ ERR(state->handle,
+ "%s: Expected %s to be a regular role, but it was already declared as a role attribute.",
+ state->cur_mod_name, id);
+ return -1;
+ }
+ } else {
+ if (state->verbose)
+ INFO(state->handle, "copying role %s", id);
+
+ if ((new_id = strdup(id)) == NULL) {
+ goto cleanup;
+ }
+
+ if ((new_role =
+ (role_datum_t *) malloc(sizeof(*new_role))) == NULL) {
+ goto cleanup;
+ }
+ role_datum_init(new_role);
+
+ /* new_role's dominates, types and roles field will be copied
+ * during role_fix_callback() */
+ new_role->flavor = role->flavor;
+ new_role->s.value = state->base->p_roles.nprim + 1;
+
+ ret = hashtab_insert(state->base->p_roles.table,
+ (hashtab_key_t) new_id,
+ (hashtab_datum_t) new_role);
+ if (ret) {
+ goto cleanup;
+ }
+ state->base->p_roles.nprim++;
+ base_role = new_role;
+ }
+
+ if (state->dest_decl) {
+ new_id = NULL;
+ if ((new_role = malloc(sizeof(*new_role))) == NULL) {
+ goto cleanup;
+ }
+ role_datum_init(new_role);
+ new_role->flavor = base_role->flavor;
+ new_role->s.value = base_role->s.value;
+ if ((new_id = strdup(id)) == NULL) {
+ goto cleanup;
+ }
+ if (hashtab_insert
+ (state->dest_decl->p_roles.table, new_id, new_role)) {
+ goto cleanup;
+ }
+ state->dest_decl->p_roles.nprim++;
+ }
+
+ state->cur->map[SYM_ROLES][role->s.value - 1] = base_role->s.value;
+ return 0;
+
+ cleanup:
+ ERR(state->handle, "Out of memory!");
+ role_datum_destroy(new_role);
+ free(new_id);
+ free(new_role);
+ return -1;
+}
+
+/* Copy types and attributes from a module into the base module. The
+ * attributes are copied, but the types that make up this attribute
+ * are delayed type_fix_callback(). */
+static int type_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
+ void *data)
+{
+ int ret;
+ char *id = key, *new_id = NULL;
+ type_datum_t *type, *base_type, *new_type = NULL;
+ link_state_t *state = (link_state_t *) data;
+
+ type = (type_datum_t *) datum;
+ if ((type->flavor == TYPE_TYPE && !type->primary)
+ || type->flavor == TYPE_ALIAS) {
+ /* aliases are handled later, in alias_copy_callback() */
+ return 0;
+ }
+
+ base_type = hashtab_search(state->base->p_types.table, id);
+ if (base_type != NULL) {
+ /* type already exists. check that it is what this
+ * module expected. duplicate declarations (e.g., two
+ * modules both declare type foo_t) is checked during
+ * scope_copy_callback(). */
+ if (type->flavor == TYPE_ATTRIB
+ && base_type->flavor != TYPE_ATTRIB) {
+ ERR(state->handle,
+ "%s: Expected %s to be an attribute, but it was already declared as a type.",
+ state->cur_mod_name, id);
+ return -1;
+ } else if (type->flavor != TYPE_ATTRIB
+ && base_type->flavor == TYPE_ATTRIB) {
+ ERR(state->handle,
+ "%s: Expected %s to be a type, but it was already declared as an attribute.",
+ state->cur_mod_name, id);
+ return -1;
+ }
+ /* permissive should pass to the base type */
+ base_type->flags |= (type->flags & TYPE_FLAGS_PERMISSIVE);
+ } else {
+ if (state->verbose)
+ INFO(state->handle, "copying type %s", id);
+
+ if ((new_id = strdup(id)) == NULL) {
+ goto cleanup;
+ }
+
+ if ((new_type =
+ (type_datum_t *) calloc(1, sizeof(*new_type))) == NULL) {
+ goto cleanup;
+ }
+ new_type->primary = type->primary;
+ new_type->flags = type->flags;
+ new_type->flavor = type->flavor;
+ /* for attributes, the writing of new_type->types is
+ done in type_fix_callback() */
+
+ new_type->s.value = state->base->p_types.nprim + 1;
+
+ ret = hashtab_insert(state->base->p_types.table,
+ (hashtab_key_t) new_id,
+ (hashtab_datum_t) new_type);
+ if (ret) {
+ goto cleanup;
+ }
+ state->base->p_types.nprim++;
+ base_type = new_type;
+ }
+
+ if (state->dest_decl) {
+ new_id = NULL;
+ if ((new_type = calloc(1, sizeof(*new_type))) == NULL) {
+ goto cleanup;
+ }
+ new_type->primary = type->primary;
+ new_type->flavor = type->flavor;
+ new_type->flags = type->flags;
+ new_type->s.value = base_type->s.value;
+ if ((new_id = strdup(id)) == NULL) {
+ goto cleanup;
+ }
+ if (hashtab_insert
+ (state->dest_decl->p_types.table, new_id, new_type)) {
+ goto cleanup;
+ }
+ state->dest_decl->p_types.nprim++;
+ }
+
+ state->cur->map[SYM_TYPES][type->s.value - 1] = base_type->s.value;
+ return 0;
+
+ cleanup:
+ ERR(state->handle, "Out of memory!");
+ free(new_id);
+ free(new_type);
+ return -1;
+}
+
+static int user_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
+ void *data)
+{
+ int ret;
+ char *id = key, *new_id = NULL;
+ user_datum_t *user, *base_user, *new_user = NULL;
+ link_state_t *state = (link_state_t *) data;
+
+ user = (user_datum_t *) datum;
+
+ base_user = hashtab_search(state->base->p_users.table, id);
+ if (base_user == NULL) {
+ if (state->verbose)
+ INFO(state->handle, "copying user %s", id);
+
+ if ((new_id = strdup(id)) == NULL) {
+ goto cleanup;
+ }
+
+ if ((new_user =
+ (user_datum_t *) malloc(sizeof(*new_user))) == NULL) {
+ goto cleanup;
+ }
+ user_datum_init(new_user);
+ /* new_users's roles and MLS fields will be copied during
+ user_fix_callback(). */
+
+ new_user->s.value = state->base->p_users.nprim + 1;
+
+ ret = hashtab_insert(state->base->p_users.table,
+ (hashtab_key_t) new_id,
+ (hashtab_datum_t) new_user);
+ if (ret) {
+ goto cleanup;
+ }
+ state->base->p_users.nprim++;
+ base_user = new_user;
+ }
+
+ if (state->dest_decl) {
+ new_id = NULL;
+ if ((new_user = malloc(sizeof(*new_user))) == NULL) {
+ goto cleanup;
+ }
+ user_datum_init(new_user);
+ new_user->s.value = base_user->s.value;
+ if ((new_id = strdup(id)) == NULL) {
+ goto cleanup;
+ }
+ if (hashtab_insert
+ (state->dest_decl->p_users.table, new_id, new_user)) {
+ goto cleanup;
+ }
+ state->dest_decl->p_users.nprim++;
+ }
+
+ state->cur->map[SYM_USERS][user->s.value - 1] = base_user->s.value;
+ return 0;
+
+ cleanup:
+ ERR(state->handle, "Out of memory!");
+ user_datum_destroy(new_user);
+ free(new_id);
+ free(new_user);
+ return -1;
+}
+
+static int bool_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
+ void *data)
+{
+ int ret;
+ char *id = key, *new_id = NULL;
+ cond_bool_datum_t *booldatum, *base_bool, *new_bool = NULL;
+ link_state_t *state = (link_state_t *) data;
+ scope_datum_t *scope;
+
+ booldatum = (cond_bool_datum_t *) datum;
+
+ base_bool = hashtab_search(state->base->p_bools.table, id);
+ if (base_bool == NULL) {
+ if (state->verbose)
+ INFO(state->handle, "copying boolean %s", id);
+
+ if ((new_id = strdup(id)) == NULL) {
+ goto cleanup;
+ }
+
+ if ((new_bool =
+ (cond_bool_datum_t *) malloc(sizeof(*new_bool))) == NULL) {
+ goto cleanup;
+ }
+ new_bool->s.value = state->base->p_bools.nprim + 1;
+
+ ret = hashtab_insert(state->base->p_bools.table,
+ (hashtab_key_t) new_id,
+ (hashtab_datum_t) new_bool);
+ if (ret) {
+ goto cleanup;
+ }
+ state->base->p_bools.nprim++;
+ base_bool = new_bool;
+
+ }
+
+ /* Get the scope info for this boolean to see if this is the declaration,
+ * if so set the state */
+ scope = hashtab_search(state->cur->policy->p_bools_scope.table, id);
+ if (!scope)
+ return SEPOL_ERR;
+ if (scope->scope == SCOPE_DECL)
+ base_bool->state = booldatum->state;
+
+ state->cur->map[SYM_BOOLS][booldatum->s.value - 1] = base_bool->s.value;
+ return 0;
+
+ cleanup:
+ ERR(state->handle, "Out of memory!");
+ cond_destroy_bool(new_id, new_bool, NULL);
+ return -1;
+}
+
+static int sens_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
+ void *data)
+{
+ char *id = key;
+ level_datum_t *level, *base_level;
+ link_state_t *state = (link_state_t *) data;
+ scope_datum_t *scope;
+
+ level = (level_datum_t *) datum;
+
+ base_level = hashtab_search(state->base->p_levels.table, id);
+ if (!base_level) {
+ scope =
+ hashtab_search(state->cur->policy->p_sens_scope.table, id);
+ if (!scope)
+ return SEPOL_ERR;
+ if (scope->scope == SCOPE_DECL) {
+ /* disallow declarations in modules */
+ ERR(state->handle,
+ "%s: Modules may not declare new sensitivities.",
+ state->cur_mod_name);
+ return SEPOL_ENOTSUP;
+ }
+ if (scope->scope == SCOPE_REQ) {
+ /* unmet requirement */
+ ERR(state->handle,
+ "%s: Sensitivity %s not declared by base.",
+ state->cur_mod_name, id);
+ return SEPOL_ENOTSUP;
+ }
+ }
+
+ state->cur->map[SYM_LEVELS][level->level->sens - 1] =
+ base_level->level->sens;
+
+ return 0;
+}
+
+static int cat_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
+ void *data)
+{
+ char *id = key;
+ cat_datum_t *cat, *base_cat;
+ link_state_t *state = (link_state_t *) data;
+ scope_datum_t *scope;
+
+ cat = (cat_datum_t *) datum;
+
+ base_cat = hashtab_search(state->base->p_cats.table, id);
+ if (!base_cat) {
+ scope =
+ hashtab_search(state->cur->policy->p_cat_scope.table, id);
+ if (!scope)
+ return SEPOL_ERR;
+ if (scope->scope == SCOPE_DECL) {
+ /* disallow declarations in modules */
+ ERR(state->handle,
+ "%s: Modules may not declare new categories.",
+ state->cur_mod_name);
+ return SEPOL_ENOTSUP;
+ }
+ if (scope->scope == SCOPE_REQ) {
+ /* unmet requirement */
+ ERR(state->handle,
+ "%s: Category %s not declared by base.",
+ state->cur_mod_name, id);
+ return SEPOL_ENOTSUP;
+ }
+ }
+
+ state->cur->map[SYM_CATS][cat->s.value - 1] = base_cat->s.value;
+
+ return 0;
+}
+
+static int (*copy_callback_f[SYM_NUM]) (hashtab_key_t key,
+ hashtab_datum_t datum, void *datap) = {
+NULL, class_copy_callback, role_copy_callback, type_copy_callback,
+ user_copy_callback, bool_copy_callback, sens_copy_callback,
+ cat_copy_callback};
+
+/*
+ * The boundaries have to be copied after the types/roles/users are copied,
+ * because it refers hashtab to lookup destinated objects.
+ */
+static int type_bounds_copy_callback(hashtab_key_t key,
+ hashtab_datum_t datum, void *data)
+{
+ link_state_t *state = (link_state_t *) data;
+ type_datum_t *type = (type_datum_t *) datum;
+ type_datum_t *dest;
+ uint32_t bounds_val;
+
+ if (!type->bounds)
+ return 0;
+
+ bounds_val = state->cur->map[SYM_TYPES][type->bounds - 1];
+
+ dest = hashtab_search(state->base->p_types.table, key);
+ if (!dest) {
+ ERR(state->handle,
+ "Type lookup failed for %s", (char *)key);
+ return -1;
+ }
+ if (dest->bounds != 0 && dest->bounds != bounds_val) {
+ ERR(state->handle,
+ "Inconsistent boundary for %s", (char *)key);
+ return -1;
+ }
+ dest->bounds = bounds_val;
+
+ return 0;
+}
+
+static int role_bounds_copy_callback(hashtab_key_t key,
+ hashtab_datum_t datum, void *data)
+{
+ link_state_t *state = (link_state_t *) data;
+ role_datum_t *role = (role_datum_t *) datum;
+ role_datum_t *dest;
+ uint32_t bounds_val;
+
+ if (!role->bounds)
+ return 0;
+
+ bounds_val = state->cur->map[SYM_ROLES][role->bounds - 1];
+
+ dest = hashtab_search(state->base->p_roles.table, key);
+ if (!dest) {
+ ERR(state->handle,
+ "Role lookup failed for %s", (char *)key);
+ return -1;
+ }
+ if (dest->bounds != 0 && dest->bounds != bounds_val) {
+ ERR(state->handle,
+ "Inconsistent boundary for %s", (char *)key);
+ return -1;
+ }
+ dest->bounds = bounds_val;
+
+ return 0;
+}
+
+static int user_bounds_copy_callback(hashtab_key_t key,
+ hashtab_datum_t datum, void *data)
+{
+ link_state_t *state = (link_state_t *) data;
+ user_datum_t *user = (user_datum_t *) datum;
+ user_datum_t *dest;
+ uint32_t bounds_val;
+
+ if (!user->bounds)
+ return 0;
+
+ bounds_val = state->cur->map[SYM_USERS][user->bounds - 1];
+
+ dest = hashtab_search(state->base->p_users.table, key);
+ if (!dest) {
+ ERR(state->handle,
+ "User lookup failed for %s", (char *)key);
+ return -1;
+ }
+ if (dest->bounds != 0 && dest->bounds != bounds_val) {
+ ERR(state->handle,
+ "Inconsistent boundary for %s", (char *)key);
+ return -1;
+ }
+ dest->bounds = bounds_val;
+
+ return 0;
+}
+
+/* The aliases have to be copied after the types and attributes to be
+ * certain that the base symbol table will have the type that the
+ * alias refers. Otherwise, we won't be able to find the type value
+ * for the alias. We can't depend on the declaration ordering because
+ * of the hash table.
+ */
+static int alias_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
+ void *data)
+{
+ char *id = key, *new_id = NULL, *target_id;
+ type_datum_t *type, *base_type, *new_type = NULL, *target_type;
+ link_state_t *state = (link_state_t *) data;
+ policy_module_t *mod = state->cur;
+ int primval;
+
+ type = (type_datum_t *) datum;
+ /* there are 2 kinds of aliases. Ones with their own value (TYPE_ALIAS)
+ * and ones with the value of their primary (TYPE_TYPE && type->primary = 0)
+ */
+ if (!
+ (type->flavor == TYPE_ALIAS
+ || (type->flavor == TYPE_TYPE && !type->primary))) {
+ /* ignore types and attributes -- they were handled in
+ * type_copy_callback() */
+ return 0;
+ }
+
+ if (type->flavor == TYPE_ALIAS)
+ primval = type->primary;
+ else
+ primval = type->s.value;
+
+ target_id = mod->policy->p_type_val_to_name[primval - 1];
+ target_type = hashtab_search(state->base->p_types.table, target_id);
+ if (target_type == NULL) {
+ ERR(state->handle, "%s: Could not find type %s for alias %s.",
+ state->cur_mod_name, target_id, id);
+ return -1;
+ }
+
+ if (!strcmp(id, target_id)) {
+ ERR(state->handle, "%s: Self aliasing of %s.",
+ state->cur_mod_name, id);
+ return -1;
+ }
+
+ target_type->flags |= (type->flags & TYPE_FLAGS_PERMISSIVE);
+
+ base_type = hashtab_search(state->base->p_types.table, id);
+ if (base_type == NULL) {
+ if (state->verbose)
+ INFO(state->handle, "copying alias %s", id);
+
+ if ((new_type =
+ (type_datum_t *) calloc(1, sizeof(*new_type))) == NULL) {
+ goto cleanup;
+ }
+ /* the linked copy always has TYPE_ALIAS style aliases */
+ new_type->primary = target_type->s.value;
+ new_type->flags = target_type->flags;
+ new_type->flavor = TYPE_ALIAS;
+ new_type->s.value = state->base->p_types.nprim + 1;
+ if ((new_id = strdup(id)) == NULL) {
+ goto cleanup;
+ }
+ if (hashtab_insert
+ (state->base->p_types.table, new_id, new_type)) {
+ goto cleanup;
+ }
+ state->base->p_types.nprim++;
+ base_type = new_type;
+ } else {
+
+ /* if this already exists and isn't an alias it was required by another module (or base)
+ * and inserted into the hashtable as a type, fix it up now */
+
+ if (base_type->flavor == TYPE_ALIAS) {
+ /* error checking */
+ assert(base_type->primary == target_type->s.value);
+ assert(base_type->primary ==
+ mod->map[SYM_TYPES][primval - 1]);
+ assert(mod->map[SYM_TYPES][type->s.value - 1] ==
+ base_type->primary);
+ return 0;
+ }
+
+ if (base_type->flavor == TYPE_ATTRIB) {
+ ERR(state->handle,
+ "%s is an alias of an attribute, not allowed", id);
+ return -1;
+ }
+
+ base_type->flavor = TYPE_ALIAS;
+ base_type->primary = target_type->s.value;
+ base_type->flags |= (target_type->flags & TYPE_FLAGS_PERMISSIVE);
+
+ }
+ /* the aliases map points from its value to its primary so when this module
+ * references this type the value it gets back from the map is the primary */
+ mod->map[SYM_TYPES][type->s.value - 1] = base_type->primary;
+
+ return 0;
+
+ cleanup:
+ ERR(state->handle, "Out of memory!");
+ free(new_id);
+ free(new_type);
+ return -1;
+}
+
+/*********** callbacks that fix bitmaps ***********/
+
+static int type_set_convert(type_set_t * types, type_set_t * dst,
+ policy_module_t * mod, link_state_t * state
+ __attribute__ ((unused)))
+{
+ unsigned int i;
+ ebitmap_node_t *tnode;
+ ebitmap_for_each_bit(&types->types, tnode, i) {
+ if (ebitmap_node_get_bit(tnode, i)) {
+ assert(mod->map[SYM_TYPES][i]);
+ if (ebitmap_set_bit
+ (&dst->types, mod->map[SYM_TYPES][i] - 1, 1)) {
+ goto cleanup;
+ }
+ }
+ }
+ ebitmap_for_each_bit(&types->negset, tnode, i) {
+ if (ebitmap_node_get_bit(tnode, i)) {
+ assert(mod->map[SYM_TYPES][i]);
+ if (ebitmap_set_bit
+ (&dst->negset, mod->map[SYM_TYPES][i] - 1, 1)) {
+ goto cleanup;
+ }
+ }
+ }
+ dst->flags = types->flags;
+ return 0;
+
+ cleanup:
+ return -1;
+}
+
+/* OR 2 typemaps together and at the same time map the src types to
+ * the correct values in the dst typeset.
+ */
+static int type_set_or_convert(type_set_t * types, type_set_t * dst,
+ policy_module_t * mod, link_state_t * state)
+{
+ type_set_t ts_tmp;
+
+ type_set_init(&ts_tmp);
+ if (type_set_convert(types, &ts_tmp, mod, state) == -1) {
+ goto cleanup;
+ }
+ if (type_set_or_eq(dst, &ts_tmp)) {
+ goto cleanup;
+ }
+ type_set_destroy(&ts_tmp);
+ return 0;
+
+ cleanup:
+ ERR(state->handle, "Out of memory!");
+ type_set_destroy(&ts_tmp);
+ return -1;
+}
+
+static int role_set_or_convert(role_set_t * roles, role_set_t * dst,
+ policy_module_t * mod, link_state_t * state)
+{
+ unsigned int i;
+ ebitmap_t tmp;
+ ebitmap_node_t *rnode;
+
+ ebitmap_init(&tmp);
+ ebitmap_for_each_bit(&roles->roles, rnode, i) {
+ if (ebitmap_node_get_bit(rnode, i)) {
+ assert(mod->map[SYM_ROLES][i]);
+ if (ebitmap_set_bit
+ (&tmp, mod->map[SYM_ROLES][i] - 1, 1)) {
+ goto cleanup;
+ }
+ }
+ }
+ if (ebitmap_union(&dst->roles, &tmp)) {
+ goto cleanup;
+ }
+ dst->flags |= roles->flags;
+ ebitmap_destroy(&tmp);
+ return 0;
+ cleanup:
+ ERR(state->handle, "Out of memory!");
+ ebitmap_destroy(&tmp);
+ return -1;
+}
+
+static int mls_level_convert(mls_semantic_level_t * src, mls_semantic_level_t * dst,
+ policy_module_t * mod, link_state_t * state)
+{
+ mls_semantic_cat_t *src_cat, *new_cat;
+
+ if (!mod->policy->mls)
+ return 0;
+
+ /* Required not declared. */
+ if (!src->sens)
+ return 0;
+
+ assert(mod->map[SYM_LEVELS][src->sens - 1]);
+ dst->sens = mod->map[SYM_LEVELS][src->sens - 1];
+
+ for (src_cat = src->cat; src_cat; src_cat = src_cat->next) {
+ new_cat =
+ (mls_semantic_cat_t *) malloc(sizeof(mls_semantic_cat_t));
+ if (!new_cat) {
+ ERR(state->handle, "Out of memory");
+ return -1;
+ }
+ mls_semantic_cat_init(new_cat);
+
+ new_cat->next = dst->cat;
+ dst->cat = new_cat;
+
+ assert(mod->map[SYM_CATS][src_cat->low - 1]);
+ dst->cat->low = mod->map[SYM_CATS][src_cat->low - 1];
+ assert(mod->map[SYM_CATS][src_cat->high - 1]);
+ dst->cat->high = mod->map[SYM_CATS][src_cat->high - 1];
+ }
+
+ return 0;
+}
+
+static int mls_range_convert(mls_semantic_range_t * src, mls_semantic_range_t * dst,
+ policy_module_t * mod, link_state_t * state)
+{
+ int ret;
+ ret = mls_level_convert(&src->level[0], &dst->level[0], mod, state);
+ if (ret)
+ return ret;
+ ret = mls_level_convert(&src->level[1], &dst->level[1], mod, state);
+ if (ret)
+ return ret;
+ return 0;
+}
+
+static int role_fix_callback(hashtab_key_t key, hashtab_datum_t datum,
+ void *data)
+{
+ unsigned int i;
+ char *id = key;
+ role_datum_t *role, *dest_role = NULL;
+ link_state_t *state = (link_state_t *) data;
+ ebitmap_t e_tmp;
+ policy_module_t *mod = state->cur;
+ ebitmap_node_t *rnode;
+ hashtab_t role_tab;
+
+ role = (role_datum_t *) datum;
+ if (state->dest_decl == NULL)
+ role_tab = state->base->p_roles.table;
+ else
+ role_tab = state->dest_decl->p_roles.table;
+
+ dest_role = hashtab_search(role_tab, id);
+ assert(dest_role != NULL);
+
+ if (state->verbose) {
+ INFO(state->handle, "fixing role %s", id);
+ }
+
+ ebitmap_init(&e_tmp);
+ ebitmap_for_each_bit(&role->dominates, rnode, i) {
+ if (ebitmap_node_get_bit(rnode, i)) {
+ assert(mod->map[SYM_ROLES][i]);
+ if (ebitmap_set_bit
+ (&e_tmp, mod->map[SYM_ROLES][i] - 1, 1)) {
+ goto cleanup;
+ }
+ }
+ }
+ if (ebitmap_union(&dest_role->dominates, &e_tmp)) {
+ goto cleanup;
+ }
+ if (type_set_or_convert(&role->types, &dest_role->types, mod, state)) {
+ goto cleanup;
+ }
+ ebitmap_destroy(&e_tmp);
+
+ if (role->flavor == ROLE_ATTRIB) {
+ ebitmap_init(&e_tmp);
+ ebitmap_for_each_bit(&role->roles, rnode, i) {
+ if (ebitmap_node_get_bit(rnode, i)) {
+ assert(mod->map[SYM_ROLES][i]);
+ if (ebitmap_set_bit
+ (&e_tmp, mod->map[SYM_ROLES][i] - 1, 1)) {
+ goto cleanup;
+ }
+ }
+ }
+ if (ebitmap_union(&dest_role->roles, &e_tmp)) {
+ goto cleanup;
+ }
+ ebitmap_destroy(&e_tmp);
+ }
+
+ return 0;
+
+ cleanup:
+ ERR(state->handle, "Out of memory!");
+ ebitmap_destroy(&e_tmp);
+ return -1;
+}
+
+static int type_fix_callback(hashtab_key_t key, hashtab_datum_t datum,
+ void *data)
+{
+ unsigned int i;
+ char *id = key;
+ type_datum_t *type, *new_type = NULL;
+ link_state_t *state = (link_state_t *) data;
+ ebitmap_t e_tmp;
+ policy_module_t *mod = state->cur;
+ ebitmap_node_t *tnode;
+ symtab_t *typetab;
+
+ type = (type_datum_t *) datum;
+
+ if (state->dest_decl == NULL)
+ typetab = &state->base->p_types;
+ else
+ typetab = &state->dest_decl->p_types;
+
+ /* only fix attributes */
+ if (type->flavor != TYPE_ATTRIB) {
+ return 0;
+ }
+
+ new_type = hashtab_search(typetab->table, id);
+ assert(new_type != NULL && new_type->flavor == TYPE_ATTRIB);
+
+ if (state->verbose) {
+ INFO(state->handle, "fixing attribute %s", id);
+ }
+
+ ebitmap_init(&e_tmp);
+ ebitmap_for_each_bit(&type->types, tnode, i) {
+ if (ebitmap_node_get_bit(tnode, i)) {
+ assert(mod->map[SYM_TYPES][i]);
+ if (ebitmap_set_bit
+ (&e_tmp, mod->map[SYM_TYPES][i] - 1, 1)) {
+ goto cleanup;
+ }
+ }
+ }
+ if (ebitmap_union(&new_type->types, &e_tmp)) {
+ goto cleanup;
+ }
+ ebitmap_destroy(&e_tmp);
+ return 0;
+
+ cleanup:
+ ERR(state->handle, "Out of memory!");
+ ebitmap_destroy(&e_tmp);
+ return -1;
+}
+
+static int user_fix_callback(hashtab_key_t key, hashtab_datum_t datum,
+ void *data)
+{
+ char *id = key;
+ user_datum_t *user, *new_user = NULL;
+ link_state_t *state = (link_state_t *) data;
+ policy_module_t *mod = state->cur;
+ symtab_t *usertab;
+
+ user = (user_datum_t *) datum;
+
+ if (state->dest_decl == NULL)
+ usertab = &state->base->p_users;
+ else
+ usertab = &state->dest_decl->p_users;
+
+ new_user = hashtab_search(usertab->table, id);
+ assert(new_user != NULL);
+
+ if (state->verbose) {
+ INFO(state->handle, "fixing user %s", id);
+ }
+
+ if (role_set_or_convert(&user->roles, &new_user->roles, mod, state)) {
+ goto cleanup;
+ }
+
+ if (mls_range_convert(&user->range, &new_user->range, mod, state))
+ goto cleanup;
+
+ if (mls_level_convert(&user->dfltlevel, &new_user->dfltlevel, mod, state))
+ goto cleanup;
+
+ return 0;
+
+ cleanup:
+ ERR(state->handle, "Out of memory!");
+ return -1;
+}
+
+static int (*fix_callback_f[SYM_NUM]) (hashtab_key_t key, hashtab_datum_t datum,
+ void *datap) = {
+NULL, NULL, role_fix_callback, type_fix_callback, user_fix_callback,
+ NULL, NULL, NULL};
+
+/*********** functions that copy AV rules ***********/
+
+static int copy_avrule_list(avrule_t * list, avrule_t ** dst,
+ policy_module_t * module, link_state_t * state)
+{
+ unsigned int i;
+ avrule_t *cur, *new_rule = NULL, *tail;
+ class_perm_node_t *cur_perm, *new_perm, *tail_perm = NULL;
+
+ tail = *dst;
+ while (tail && tail->next) {
+ tail = tail->next;
+ }
+
+ cur = list;
+ while (cur) {
+ if ((new_rule = (avrule_t *) malloc(sizeof(avrule_t))) == NULL) {
+ goto cleanup;
+ }
+ avrule_init(new_rule);
+
+ new_rule->specified = cur->specified;
+ new_rule->flags = cur->flags;
+ if (type_set_convert
+ (&cur->stypes, &new_rule->stypes, module, state) == -1
+ || type_set_convert(&cur->ttypes, &new_rule->ttypes, module,
+ state) == -1) {
+ goto cleanup;
+ }
+
+ cur_perm = cur->perms;
+ tail_perm = NULL;
+ while (cur_perm) {
+ if ((new_perm = (class_perm_node_t *)
+ malloc(sizeof(class_perm_node_t))) == NULL) {
+ goto cleanup;
+ }
+ class_perm_node_init(new_perm);
+
+ new_perm->class =
+ module->map[SYM_CLASSES][cur_perm->class - 1];
+ assert(new_perm->class);
+
+ if (new_rule->specified & AVRULE_AV) {
+ for (i = 0;
+ i <
+ module->perm_map_len[cur_perm->class - 1];
+ i++) {
+ if (!(cur_perm->data & (1U << i)))
+ continue;
+ new_perm->data |=
+ (1U <<
+ (module->
+ perm_map[cur_perm->class - 1][i] -
+ 1));
+ }
+ } else {
+ new_perm->data =
+ module->map[SYM_TYPES][cur_perm->data - 1];
+ }
+
+ if (new_rule->perms == NULL) {
+ new_rule->perms = new_perm;
+ } else {
+ tail_perm->next = new_perm;
+ }
+ tail_perm = new_perm;
+ cur_perm = cur_perm->next;
+ }
+ new_rule->line = cur->line;
+
+ cur = cur->next;
+
+ if (*dst == NULL) {
+ *dst = new_rule;
+ } else {
+ tail->next = new_rule;
+ }
+ tail = new_rule;
+ }
+
+ return 0;
+ cleanup:
+ ERR(state->handle, "Out of memory!");
+ avrule_destroy(new_rule);
+ free(new_rule);
+ return -1;
+}
+
+static int copy_role_trans_list(role_trans_rule_t * list,
+ role_trans_rule_t ** dst,
+ policy_module_t * module, link_state_t * state)
+{
+ role_trans_rule_t *cur, *new_rule = NULL, *tail;
+ unsigned int i;
+ ebitmap_node_t *cnode;
+
+ cur = list;
+ tail = *dst;
+ while (tail && tail->next) {
+ tail = tail->next;
+ }
+ while (cur) {
+ if ((new_rule =
+ (role_trans_rule_t *) malloc(sizeof(role_trans_rule_t))) ==
+ NULL) {
+ goto cleanup;
+ }
+ role_trans_rule_init(new_rule);
+
+ if (role_set_or_convert
+ (&cur->roles, &new_rule->roles, module, state)
+ || type_set_or_convert(&cur->types, &new_rule->types,
+ module, state)) {
+ goto cleanup;
+ }
+
+ ebitmap_for_each_bit(&cur->classes, cnode, i) {
+ if (ebitmap_node_get_bit(cnode, i)) {
+ assert(module->map[SYM_CLASSES][i]);
+ if (ebitmap_set_bit(&new_rule->classes,
+ module->
+ map[SYM_CLASSES][i] - 1,
+ 1)) {
+ goto cleanup;
+ }
+ }
+ }
+
+ new_rule->new_role = module->map[SYM_ROLES][cur->new_role - 1];
+
+ if (*dst == NULL) {
+ *dst = new_rule;
+ } else {
+ tail->next = new_rule;
+ }
+ tail = new_rule;
+ cur = cur->next;
+ }
+ return 0;
+ cleanup:
+ ERR(state->handle, "Out of memory!");
+ role_trans_rule_list_destroy(new_rule);
+ return -1;
+}
+
+static int copy_role_allow_list(role_allow_rule_t * list,
+ role_allow_rule_t ** dst,
+ policy_module_t * module, link_state_t * state)
+{
+ role_allow_rule_t *cur, *new_rule = NULL, *tail;
+
+ cur = list;
+ tail = *dst;
+ while (tail && tail->next) {
+ tail = tail->next;
+ }
+
+ while (cur) {
+ if ((new_rule =
+ (role_allow_rule_t *) malloc(sizeof(role_allow_rule_t))) ==
+ NULL) {
+ goto cleanup;
+ }
+ role_allow_rule_init(new_rule);
+
+ if (role_set_or_convert
+ (&cur->roles, &new_rule->roles, module, state)
+ || role_set_or_convert(&cur->new_roles,
+ &new_rule->new_roles, module,
+ state)) {
+ goto cleanup;
+ }
+ if (*dst == NULL) {
+ *dst = new_rule;
+ } else {
+ tail->next = new_rule;
+ }
+ tail = new_rule;
+ cur = cur->next;
+ }
+ return 0;
+ cleanup:
+ ERR(state->handle, "Out of memory!");
+ role_allow_rule_list_destroy(new_rule);
+ return -1;
+}
+
+static int copy_filename_trans_list(filename_trans_rule_t * list,
+ filename_trans_rule_t ** dst,
+ policy_module_t * module,
+ link_state_t * state)
+{
+ filename_trans_rule_t *cur, *new_rule, *tail;
+
+ cur = list;
+ tail = *dst;
+ while (tail && tail->next)
+ tail = tail->next;
+
+ while (cur) {
+ new_rule = malloc(sizeof(*new_rule));
+ if (!new_rule)
+ goto err;
+
+ filename_trans_rule_init(new_rule);
+
+ if (*dst == NULL)
+ *dst = new_rule;
+ else
+ tail->next = new_rule;
+ tail = new_rule;
+
+ new_rule->name = strdup(cur->name);
+ if (!new_rule->name)
+ goto err;
+
+ if (type_set_or_convert(&cur->stypes, &new_rule->stypes, module, state) ||
+ type_set_or_convert(&cur->ttypes, &new_rule->ttypes, module, state))
+ goto err;
+
+ new_rule->tclass = module->map[SYM_CLASSES][cur->tclass - 1];
+ new_rule->otype = module->map[SYM_TYPES][cur->otype - 1];
+
+ cur = cur->next;
+ }
+ return 0;
+err:
+ ERR(state->handle, "Out of memory!");
+ return -1;
+}
+
+static int copy_range_trans_list(range_trans_rule_t * rules,
+ range_trans_rule_t ** dst,
+ policy_module_t * mod, link_state_t * state)
+{
+ range_trans_rule_t *rule, *new_rule = NULL;
+ unsigned int i;
+ ebitmap_node_t *cnode;
+
+ for (rule = rules; rule; rule = rule->next) {
+ new_rule =
+ (range_trans_rule_t *) malloc(sizeof(range_trans_rule_t));
+ if (!new_rule)
+ goto cleanup;
+
+ range_trans_rule_init(new_rule);
+
+ new_rule->next = *dst;
+ *dst = new_rule;
+
+ if (type_set_convert(&rule->stypes, &new_rule->stypes,
+ mod, state))
+ goto cleanup;
+
+ if (type_set_convert(&rule->ttypes, &new_rule->ttypes,
+ mod, state))
+ goto cleanup;
+
+ ebitmap_for_each_bit(&rule->tclasses, cnode, i) {
+ if (ebitmap_node_get_bit(cnode, i)) {
+ assert(mod->map[SYM_CLASSES][i]);
+ if (ebitmap_set_bit
+ (&new_rule->tclasses,
+ mod->map[SYM_CLASSES][i] - 1, 1)) {
+ goto cleanup;
+ }
+ }
+ }
+
+ if (mls_range_convert(&rule->trange, &new_rule->trange, mod, state))
+ goto cleanup;
+ }
+ return 0;
+
+ cleanup:
+ ERR(state->handle, "Out of memory!");
+ range_trans_rule_list_destroy(new_rule);
+ return -1;
+}
+
+static int copy_cond_list(cond_node_t * list, cond_node_t ** dst,
+ policy_module_t * module, link_state_t * state)
+{
+ unsigned i;
+ cond_node_t *cur, *new_node = NULL, *tail;
+ cond_expr_t *cur_expr;
+ tail = *dst;
+ while (tail && tail->next)
+ tail = tail->next;
+
+ cur = list;
+ while (cur) {
+ new_node = (cond_node_t *) malloc(sizeof(cond_node_t));
+ if (!new_node) {
+ goto cleanup;
+ }
+ memset(new_node, 0, sizeof(cond_node_t));
+
+ new_node->cur_state = cur->cur_state;
+ new_node->expr = cond_copy_expr(cur->expr);
+ if (!new_node->expr)
+ goto cleanup;
+ /* go back through and remap the expression */
+ for (cur_expr = new_node->expr; cur_expr != NULL;
+ cur_expr = cur_expr->next) {
+ /* expression nodes don't have a bool value of 0 - don't map them */
+ if (cur_expr->expr_type != COND_BOOL)
+ continue;
+ assert(module->map[SYM_BOOLS][cur_expr->bool - 1] != 0);
+ cur_expr->bool =
+ module->map[SYM_BOOLS][cur_expr->bool - 1];
+ }
+ new_node->nbools = cur->nbools;
+ /* FIXME should COND_MAX_BOOLS be used here? */
+ for (i = 0; i < min(cur->nbools, COND_MAX_BOOLS); i++) {
+ uint32_t remapped_id =
+ module->map[SYM_BOOLS][cur->bool_ids[i] - 1];
+ assert(remapped_id != 0);
+ new_node->bool_ids[i] = remapped_id;
+ }
+ new_node->expr_pre_comp = cur->expr_pre_comp;
+
+ if (copy_avrule_list
+ (cur->avtrue_list, &new_node->avtrue_list, module, state)
+ || copy_avrule_list(cur->avfalse_list,
+ &new_node->avfalse_list, module,
+ state)) {
+ goto cleanup;
+ }
+
+ if (*dst == NULL) {
+ *dst = new_node;
+ } else {
+ tail->next = new_node;
+ }
+ tail = new_node;
+ cur = cur->next;
+ }
+ return 0;
+ cleanup:
+ ERR(state->handle, "Out of memory!");
+ cond_node_destroy(new_node);
+ free(new_node);
+ return -1;
+
+}
+
+/*********** functions that copy avrule_decls from module to base ***********/
+
+static int copy_identifiers(link_state_t * state, symtab_t * src_symtab,
+ avrule_decl_t * dest_decl)
+{
+ int i, ret;
+
+ state->dest_decl = dest_decl;
+ for (i = 0; i < SYM_NUM; i++) {
+ if (copy_callback_f[i] != NULL) {
+ ret =
+ hashtab_map(src_symtab[i].table, copy_callback_f[i],
+ state);
+ if (ret) {
+ return ret;
+ }
+ }
+ }
+
+ if (hashtab_map(src_symtab[SYM_TYPES].table,
+ type_bounds_copy_callback, state))
+ return -1;
+
+ if (hashtab_map(src_symtab[SYM_TYPES].table,
+ alias_copy_callback, state))
+ return -1;
+
+ if (hashtab_map(src_symtab[SYM_ROLES].table,
+ role_bounds_copy_callback, state))
+ return -1;
+
+ if (hashtab_map(src_symtab[SYM_USERS].table,
+ user_bounds_copy_callback, state))
+ return -1;
+
+ /* then fix bitmaps associated with those newly copied identifiers */
+ for (i = 0; i < SYM_NUM; i++) {
+ if (fix_callback_f[i] != NULL &&
+ hashtab_map(src_symtab[i].table, fix_callback_f[i],
+ state)) {
+ return -1;
+ }
+ }
+ return 0;
+}
+
+static int copy_scope_index(scope_index_t * src, scope_index_t * dest,
+ policy_module_t * module, link_state_t * state)
+{
+ unsigned int i, j;
+ uint32_t largest_mapped_class_value = 0;
+ ebitmap_node_t *node;
+ /* copy the scoping information for this avrule decl block */
+ for (i = 0; i < SYM_NUM; i++) {
+ ebitmap_t *srcmap = src->scope + i;
+ ebitmap_t *destmap = dest->scope + i;
+ if (copy_callback_f[i] == NULL) {
+ continue;
+ }
+ ebitmap_for_each_bit(srcmap, node, j) {
+ if (ebitmap_node_get_bit(node, j)) {
+ assert(module->map[i][j] != 0);
+ if (ebitmap_set_bit
+ (destmap, module->map[i][j] - 1, 1) != 0) {
+
+ goto cleanup;
+ }
+ if (i == SYM_CLASSES &&
+ largest_mapped_class_value <
+ module->map[SYM_CLASSES][j]) {
+ largest_mapped_class_value =
+ module->map[SYM_CLASSES][j];
+ }
+ }
+ }
+ }
+
+ /* next copy the enabled permissions data */
+ if ((dest->class_perms_map = malloc(largest_mapped_class_value *
+ sizeof(*dest->class_perms_map))) ==
+ NULL) {
+ goto cleanup;
+ }
+ for (i = 0; i < largest_mapped_class_value; i++) {
+ ebitmap_init(dest->class_perms_map + i);
+ }
+ dest->class_perms_len = largest_mapped_class_value;
+ for (i = 0; i < src->class_perms_len; i++) {
+ ebitmap_t *srcmap = src->class_perms_map + i;
+ ebitmap_t *destmap =
+ dest->class_perms_map + module->map[SYM_CLASSES][i] - 1;
+ ebitmap_for_each_bit(srcmap, node, j) {
+ if (ebitmap_node_get_bit(node, j) &&
+ ebitmap_set_bit(destmap, module->perm_map[i][j] - 1,
+ 1)) {
+ goto cleanup;
+ }
+ }
+ }
+
+ return 0;
+
+ cleanup:
+ ERR(state->handle, "Out of memory!");
+ return -1;
+}
+
+static int copy_avrule_decl(link_state_t * state, policy_module_t * module,
+ avrule_decl_t * src_decl, avrule_decl_t * dest_decl)
+{
+ int ret;
+
+ /* copy all of the RBAC and TE rules */
+ if (copy_avrule_list
+ (src_decl->avrules, &dest_decl->avrules, module, state) == -1
+ || copy_role_trans_list(src_decl->role_tr_rules,
+ &dest_decl->role_tr_rules, module,
+ state) == -1
+ || copy_role_allow_list(src_decl->role_allow_rules,
+ &dest_decl->role_allow_rules, module,
+ state) == -1
+ || copy_cond_list(src_decl->cond_list, &dest_decl->cond_list,
+ module, state) == -1) {
+ return -1;
+ }
+
+ if (copy_filename_trans_list(src_decl->filename_trans_rules,
+ &dest_decl->filename_trans_rules,
+ module, state))
+ return -1;
+
+ if (copy_range_trans_list(src_decl->range_tr_rules,
+ &dest_decl->range_tr_rules, module, state))
+ return -1;
+
+ /* finally copy any identifiers local to this declaration */
+ ret = copy_identifiers(state, src_decl->symtab, dest_decl);
+ if (ret < 0) {
+ return ret;
+ }
+
+ /* then copy required and declared scope indices here */
+ if (copy_scope_index(&src_decl->required, &dest_decl->required,
+ module, state) == -1 ||
+ copy_scope_index(&src_decl->declared, &dest_decl->declared,
+ module, state) == -1) {
+ return -1;
+ }
+
+ return 0;
+}
+
+static int copy_avrule_block(link_state_t * state, policy_module_t * module,
+ avrule_block_t * block)
+{
+ avrule_block_t *new_block = avrule_block_create();
+ avrule_decl_t *decl, *last_decl = NULL;
+ int ret;
+
+ if (new_block == NULL) {
+ ERR(state->handle, "Out of memory!");
+ ret = -1;
+ goto cleanup;
+ }
+
+ new_block->flags = block->flags;
+
+ for (decl = block->branch_list; decl != NULL; decl = decl->next) {
+ avrule_decl_t *new_decl =
+ avrule_decl_create(state->next_decl_id);
+ if (new_decl == NULL) {
+ ERR(state->handle, "Out of memory!");
+ ret = -1;
+ goto cleanup;
+ }
+
+ if (module->policy->name != NULL) {
+ new_decl->module_name = strdup(module->policy->name);
+ if (new_decl->module_name == NULL) {
+ ERR(state->handle, "Out of memory\n");
+ ret = -1;
+ goto cleanup;
+ }
+ }
+
+ if (last_decl == NULL) {
+ new_block->branch_list = new_decl;
+ } else {
+ last_decl->next = new_decl;
+ }
+ last_decl = new_decl;
+ state->base->decl_val_to_struct[state->next_decl_id - 1] =
+ new_decl;
+ state->decl_to_mod[state->next_decl_id] = module->policy;
+
+ module->avdecl_map[decl->decl_id] = new_decl->decl_id;
+
+ ret = copy_avrule_decl(state, module, decl, new_decl);
+ if (ret) {
+ goto cleanup;
+ }
+
+ state->next_decl_id++;
+ }
+ state->last_avrule_block->next = new_block;
+ state->last_avrule_block = new_block;
+ return 0;
+
+ cleanup:
+ avrule_block_list_destroy(new_block);
+ return ret;
+}
+
+static int scope_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
+ void *data)
+{
+ unsigned int i;
+ int ret;
+ char *id = key, *new_id = NULL;
+ scope_datum_t *scope, *base_scope;
+ link_state_t *state = (link_state_t *) data;
+ uint32_t symbol_num = state->symbol_num;
+ uint32_t *avdecl_map = state->cur->avdecl_map;
+
+ scope = (scope_datum_t *) datum;
+
+ /* check if the base already has a scope entry */
+ base_scope = hashtab_search(state->base->scope[symbol_num].table, id);
+ if (base_scope == NULL) {
+ scope_datum_t *new_scope;
+ if ((new_id = strdup(id)) == NULL) {
+ goto cleanup;
+ }
+
+ if ((new_scope =
+ (scope_datum_t *) calloc(1, sizeof(*new_scope))) == NULL) {
+ free(new_id);
+ goto cleanup;
+ }
+ ret = hashtab_insert(state->base->scope[symbol_num].table,
+ (hashtab_key_t) new_id,
+ (hashtab_datum_t) new_scope);
+ if (ret) {
+ free(new_id);
+ free(new_scope);
+ goto cleanup;
+ }
+ new_scope->scope = SCOPE_REQ; /* this is reset further down */
+ base_scope = new_scope;
+ }
+ if (base_scope->scope == SCOPE_REQ && scope->scope == SCOPE_DECL) {
+ /* this module declared symbol, so overwrite the old
+ * list with the new decl ids */
+ base_scope->scope = SCOPE_DECL;
+ free(base_scope->decl_ids);
+ base_scope->decl_ids = NULL;
+ base_scope->decl_ids_len = 0;
+ for (i = 0; i < scope->decl_ids_len; i++) {
+ if (add_i_to_a(avdecl_map[scope->decl_ids[i]],
+ &base_scope->decl_ids_len,
+ &base_scope->decl_ids) == -1) {
+ goto cleanup;
+ }
+ }
+ } else if (base_scope->scope == SCOPE_DECL && scope->scope == SCOPE_REQ) {
+ /* this module depended on a symbol that now exists,
+ * so don't do anything */
+ } else if (base_scope->scope == SCOPE_REQ && scope->scope == SCOPE_REQ) {
+ /* symbol is still required, so add to the list */
+ for (i = 0; i < scope->decl_ids_len; i++) {
+ if (add_i_to_a(avdecl_map[scope->decl_ids[i]],
+ &base_scope->decl_ids_len,
+ &base_scope->decl_ids) == -1) {
+ goto cleanup;
+ }
+ }
+ } else {
+ /* this module declared a symbol, and it was already
+ * declared. only roles and users may be multiply
+ * declared; for all others this is an error. */
+ if (symbol_num != SYM_ROLES && symbol_num != SYM_USERS) {
+ ERR(state->handle,
+ "%s: Duplicate declaration in module: %s %s",
+ state->cur_mod_name,
+ symtab_names[state->symbol_num], id);
+ return -1;
+ }
+ for (i = 0; i < scope->decl_ids_len; i++) {
+ if (add_i_to_a(avdecl_map[scope->decl_ids[i]],
+ &base_scope->decl_ids_len,
+ &base_scope->decl_ids) == -1) {
+ goto cleanup;
+ }
+ }
+ }
+ return 0;
+
+ cleanup:
+ ERR(state->handle, "Out of memory!");
+ return -1;
+}
+
+/* Copy a module over to a base, remapping all values within. After
+ * all identifiers and rules are done, copy the scoping information.
+ * This is when it checks for duplicate declarations. */
+static int copy_module(link_state_t * state, policy_module_t * module)
+{
+ int i, ret;
+ avrule_block_t *cur;
+ state->cur = module;
+ state->cur_mod_name = module->policy->name;
+
+ /* first copy all of the identifiers */
+ ret = copy_identifiers(state, module->policy->symtab, NULL);
+ if (ret) {
+ return ret;
+ }
+
+ /* next copy all of the avrule blocks */
+ for (cur = module->policy->global; cur != NULL; cur = cur->next) {
+ ret = copy_avrule_block(state, module, cur);
+ if (ret) {
+ return ret;
+ }
+ }
+
+ /* then copy the scoping tables */
+ for (i = 0; i < SYM_NUM; i++) {
+ state->symbol_num = i;
+ if (hashtab_map
+ (module->policy->scope[i].table, scope_copy_callback,
+ state)) {
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
+/***** functions that check requirements and enable blocks in a module ******/
+
+/* borrowed from checkpolicy.c */
+
+struct find_perm_arg {
+ unsigned int valuep;
+ hashtab_key_t key;
+};
+
+static int find_perm(hashtab_key_t key, hashtab_datum_t datum, void *varg)
+{
+
+ struct find_perm_arg *arg = varg;
+
+ perm_datum_t *perdatum = (perm_datum_t *) datum;
+ if (arg->valuep == perdatum->s.value) {
+ arg->key = key;
+ return 1;
+ }
+
+ return 0;
+}
+
+/* Check if the requirements are met for a single declaration. If all
+ * are met return 1. For the first requirement found to be missing,
+ * if 'missing_sym_num' and 'missing_value' are both not NULL then
+ * write to them the symbol number and value for the missing
+ * declaration. Then return 0 to indicate a missing declaration.
+ * Note that if a declaration had no requirement at all (e.g., an ELSE
+ * block) this returns 1. */
+static int is_decl_requires_met(link_state_t * state,
+ avrule_decl_t * decl,
+ struct missing_requirement *req)
+{
+ /* (This algorithm is very unoptimized. It performs many
+ * redundant checks. A very obvious improvement is to cache
+ * which symbols have been verified, so that they do not need
+ * to be re-checked.) */
+ unsigned int i, j;
+ ebitmap_t *bitmap;
+ char *id, *perm_id;
+ policydb_t *pol = state->base;
+ ebitmap_node_t *node;
+
+ /* check that all symbols have been satisfied */
+ for (i = 0; i < SYM_NUM; i++) {
+ if (i == SYM_CLASSES) {
+ /* classes will be checked during permissions
+ * checking phase below */
+ continue;
+ }
+ bitmap = &decl->required.scope[i];
+ ebitmap_for_each_bit(bitmap, node, j) {
+ if (!ebitmap_node_get_bit(node, j)) {
+ continue;
+ }
+
+ /* check base's scope table */
+ id = pol->sym_val_to_name[i][j];
+ if (!is_id_enabled(id, state->base, i)) {
+ /* this symbol was not found */
+ if (req != NULL) {
+ req->symbol_type = i;
+ req->symbol_value = j + 1;
+ }
+ return 0;
+ }
+ }
+ }
+ /* check that all classes and permissions have been satisfied */
+ for (i = 0; i < decl->required.class_perms_len; i++) {
+
+ bitmap = decl->required.class_perms_map + i;
+ ebitmap_for_each_bit(bitmap, node, j) {
+ struct find_perm_arg fparg;
+ class_datum_t *cladatum;
+ uint32_t perm_value = j + 1;
+ scope_datum_t *scope;
+
+ if (!ebitmap_node_get_bit(node, j)) {
+ continue;
+ }
+ id = pol->p_class_val_to_name[i];
+ cladatum = pol->class_val_to_struct[i];
+
+ scope =
+ hashtab_search(state->base->p_classes_scope.table,
+ id);
+ if (scope == NULL) {
+ ERR(state->handle,
+ "Could not find scope information for class %s",
+ id);
+ return -1;
+ }
+
+ fparg.valuep = perm_value;
+ fparg.key = NULL;
+
+ hashtab_map(cladatum->permissions.table, find_perm,
+ &fparg);
+ if (fparg.key == NULL && cladatum->comdatum != NULL)
+ hashtab_map(cladatum->comdatum->permissions.
+ table, find_perm, &fparg);
+ perm_id = fparg.key;
+
+ assert(perm_id != NULL);
+ if (!is_perm_enabled(id, perm_id, state->base)) {
+ if (req != NULL) {
+ req->symbol_type = SYM_CLASSES;
+ req->symbol_value = i + 1;
+ req->perm_value = perm_value;
+ }
+ return 0;
+ }
+ }
+ }
+
+ /* all requirements have been met */
+ return 1;
+}
+
+static int debug_requirements(link_state_t * state, policydb_t * p)
+{
+ int ret;
+ avrule_block_t *cur;
+ missing_requirement_t req;
+
+ for (cur = p->global; cur != NULL; cur = cur->next) {
+ if (cur->enabled != NULL)
+ continue;
+
+ ret = is_decl_requires_met(state, cur->branch_list, &req);
+ if (ret < 0) {
+ return ret;
+ } else if (ret == 0) {
+ char *mod_name = cur->branch_list->module_name ?
+ cur->branch_list->module_name : "BASE";
+ if (req.symbol_type == SYM_CLASSES) {
+
+ struct find_perm_arg fparg;
+
+ class_datum_t *cladatum;
+ cladatum =
+ p->class_val_to_struct[req.symbol_value -
+ 1];
+
+ fparg.valuep = req.perm_value;
+ fparg.key = NULL;
+ hashtab_map(cladatum->permissions.table,
+ find_perm, &fparg);
+
+ if (cur->flags & AVRULE_OPTIONAL) {
+ ERR(state->handle,
+ "%s[%d]'s optional requirements were not met: class %s, permission %s",
+ mod_name, cur->branch_list->decl_id,
+ p->p_class_val_to_name[req.
+ symbol_value
+ - 1],
+ fparg.key);
+ } else {
+ ERR(state->handle,
+ "%s[%d]'s global requirements were not met: class %s, permission %s",
+ mod_name, cur->branch_list->decl_id,
+ p->p_class_val_to_name[req.
+ symbol_value
+ - 1],
+ fparg.key);
+ }
+ } else {
+ if (cur->flags & AVRULE_OPTIONAL) {
+ ERR(state->handle,
+ "%s[%d]'s optional requirements were not met: %s %s",
+ mod_name, cur->branch_list->decl_id,
+ symtab_names[req.symbol_type],
+ p->sym_val_to_name[req.
+ symbol_type][req.
+ symbol_value
+ -
+ 1]);
+ } else {
+ ERR(state->handle,
+ "%s[%d]'s global requirements were not met: %s %s",
+ mod_name, cur->branch_list->decl_id,
+ symtab_names[req.symbol_type],
+ p->sym_val_to_name[req.
+ symbol_type][req.
+ symbol_value
+ -
+ 1]);
+ }
+ }
+ }
+ }
+ return 0;
+}
+
+static void print_missing_requirements(link_state_t * state,
+ avrule_block_t * cur,
+ missing_requirement_t * req)
+{
+ policydb_t *p = state->base;
+ char *mod_name = cur->branch_list->module_name ?
+ cur->branch_list->module_name : "BASE";
+
+ if (req->symbol_type == SYM_CLASSES) {
+
+ struct find_perm_arg fparg;
+
+ class_datum_t *cladatum;
+ cladatum = p->class_val_to_struct[req->symbol_value - 1];
+
+ fparg.valuep = req->perm_value;
+ fparg.key = NULL;
+ hashtab_map(cladatum->permissions.table, find_perm, &fparg);
+
+ ERR(state->handle,
+ "%s's global requirements were not met: class %s, permission %s",
+ mod_name,
+ p->p_class_val_to_name[req->symbol_value - 1], fparg.key);
+ } else {
+ ERR(state->handle,
+ "%s's global requirements were not met: %s %s",
+ mod_name,
+ symtab_names[req->symbol_type],
+ p->sym_val_to_name[req->symbol_type][req->symbol_value -
+ 1]);
+ }
+}
+
+/* Enable all of the avrule_decl blocks for the policy. This simple
+ * algorithm is the following:
+ *
+ * 1) Enable all of the non-else avrule_decls for all blocks.
+ * 2) Iterate through the non-else decls looking for decls whose requirements
+ * are not met.
+ * 2a) If the decl is non-optional, return immediately with an error.
+ * 2b) If the decl is optional, disable the block and mark changed = 1
+ * 3) If changed == 1 goto 2.
+ * 4) Iterate through all blocks looking for those that have no enabled
+ * decl. If the block has an else decl, enable.
+ *
+ * This will correctly handle all dependencies, including mutual and
+ * cicular. The only downside is that it is slow.
+ */
+static int enable_avrules(link_state_t * state, policydb_t * pol)
+{
+ int changed = 1;
+ avrule_block_t *block;
+ avrule_decl_t *decl;
+ missing_requirement_t req;
+ int ret = 0, rc;
+
+ if (state->verbose) {
+ INFO(state->handle, "Determining which avrules to enable.");
+ }
+
+ /* 1) enable all of the non-else blocks */
+ for (block = pol->global; block != NULL; block = block->next) {
+ block->enabled = block->branch_list;
+ block->enabled->enabled = 1;
+ for (decl = block->branch_list->next; decl != NULL;
+ decl = decl->next)
+ decl->enabled = 0;
+ }
+
+ /* 2) Iterate */
+ while (changed) {
+ changed = 0;
+ for (block = pol->global; block != NULL; block = block->next) {
+ if (block->enabled == NULL) {
+ continue;
+ }
+ decl = block->branch_list;
+ if (state->verbose) {
+ char *mod_name = decl->module_name ?
+ decl->module_name : "BASE";
+ INFO(state->handle, "check module %s decl %d\n",
+ mod_name, decl->decl_id);
+ }
+ rc = is_decl_requires_met(state, decl, &req);
+ if (rc < 0) {
+ ret = SEPOL_ERR;
+ goto out;
+ } else if (rc == 0) {
+ decl->enabled = 0;
+ block->enabled = NULL;
+ changed = 1;
+ if (!(block->flags & AVRULE_OPTIONAL)) {
+ print_missing_requirements(state, block,
+ &req);
+ ret = SEPOL_EREQ;
+ goto out;
+ }
+ }
+ }
+ }
+
+ /* 4) else handling
+ *
+ * Iterate through all of the blocks skipping the first (which is the
+ * global block, is required to be present, and cannot have an else).
+ * If the block is disabled and has an else decl, enable that.
+ *
+ * This code assumes that the second block in the branch list is the else
+ * block. This is currently supported by the compiler.
+ */
+ for (block = pol->global->next; block != NULL; block = block->next) {
+ if (block->enabled == NULL) {
+ if (block->branch_list->next != NULL) {
+ block->enabled = block->branch_list->next;
+ block->branch_list->next->enabled = 1;
+ }
+ }
+ }
+
+ out:
+ if (state->verbose)
+ debug_requirements(state, pol);
+
+ return ret;
+}
+
+/*********** the main linking functions ***********/
+
+/* Given a module's policy, normalize all conditional expressions
+ * within. Return 0 on success, -1 on error. */
+static int cond_normalize(policydb_t * p)
+{
+ avrule_block_t *block;
+ for (block = p->global; block != NULL; block = block->next) {
+ avrule_decl_t *decl;
+ for (decl = block->branch_list; decl != NULL; decl = decl->next) {
+ cond_list_t *cond = decl->cond_list;
+ while (cond) {
+ if (cond_normalize_expr(p, cond) < 0)
+ return -1;
+ cond = cond->next;
+ }
+ }
+ }
+ return 0;
+}
+
+/* Allocate space for the various remapping arrays. */
+static int prepare_module(link_state_t * state, policy_module_t * module)
+{
+ int i;
+ uint32_t items, num_decls = 0;
+ avrule_block_t *cur;
+
+ /* allocate the maps */
+ for (i = 0; i < SYM_NUM; i++) {
+ items = module->policy->symtab[i].nprim;
+ if ((module->map[i] =
+ (uint32_t *) calloc(items,
+ sizeof(*module->map[i]))) == NULL) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+ }
+
+ /* allocate the permissions remap here */
+ items = module->policy->p_classes.nprim;
+ if ((module->perm_map_len =
+ calloc(items, sizeof(*module->perm_map_len))) == NULL) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+ if ((module->perm_map =
+ calloc(items, sizeof(*module->perm_map))) == NULL) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+
+ /* allocate a map for avrule_decls */
+ for (cur = module->policy->global; cur != NULL; cur = cur->next) {
+ avrule_decl_t *decl;
+ for (decl = cur->branch_list; decl != NULL; decl = decl->next) {
+ if (decl->decl_id > num_decls) {
+ num_decls = decl->decl_id;
+ }
+ }
+ }
+ num_decls++;
+ if ((module->avdecl_map = calloc(num_decls, sizeof(uint32_t))) == NULL) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+ module->num_decls = num_decls;
+
+ /* normalize conditionals within */
+ if (cond_normalize(module->policy) < 0) {
+ ERR(state->handle,
+ "Error while normalizing conditionals within the module %s.",
+ module->policy->name);
+ return -1;
+ }
+ return 0;
+}
+
+static int prepare_base(link_state_t * state, uint32_t num_mod_decls)
+{
+ avrule_block_t *cur = state->base->global;
+ assert(cur != NULL);
+ state->next_decl_id = 0;
+
+ /* iterate through all of the declarations in the base, to
+ determine what the next decl_id should be */
+ while (cur != NULL) {
+ avrule_decl_t *decl;
+ for (decl = cur->branch_list; decl != NULL; decl = decl->next) {
+ if (decl->decl_id > state->next_decl_id) {
+ state->next_decl_id = decl->decl_id;
+ }
+ }
+ state->last_avrule_block = cur;
+ cur = cur->next;
+ }
+ state->last_base_avrule_block = state->last_avrule_block;
+ state->next_decl_id++;
+
+ /* allocate the table mapping from base's decl_id to its
+ * avrule_decls and set the initial mappings */
+ free(state->base->decl_val_to_struct);
+ if ((state->base->decl_val_to_struct =
+ calloc(state->next_decl_id + num_mod_decls,
+ sizeof(*(state->base->decl_val_to_struct)))) == NULL) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+ /* This allocates the decl block to module mapping used for error reporting */
+ if ((state->decl_to_mod = calloc(state->next_decl_id + num_mod_decls,
+ sizeof(*(state->decl_to_mod)))) ==
+ NULL) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+ cur = state->base->global;
+ while (cur != NULL) {
+ avrule_decl_t *decl = cur->branch_list;
+ while (decl != NULL) {
+ state->base->decl_val_to_struct[decl->decl_id - 1] =
+ decl;
+ state->decl_to_mod[decl->decl_id] = state->base;
+ decl = decl->next;
+ }
+ cur = cur->next;
+ }
+
+ /* normalize conditionals within */
+ if (cond_normalize(state->base) < 0) {
+ ERR(state->handle,
+ "Error while normalizing conditionals within the base module.");
+ return -1;
+ }
+ return 0;
+}
+
+static int expand_role_attributes(hashtab_key_t key, hashtab_datum_t datum,
+ void * data)
+{
+ char *id;
+ role_datum_t *role, *sub_attr;
+ link_state_t *state;
+ unsigned int i;
+ ebitmap_node_t *rnode;
+
+ id = key;
+ role = (role_datum_t *)datum;
+ state = (link_state_t *)data;
+
+ if (strcmp(id, OBJECT_R) == 0){
+ /* object_r is never a role attribute by far */
+ return 0;
+ }
+
+ if (role->flavor != ROLE_ATTRIB)
+ return 0;
+
+ if (state->verbose)
+ INFO(state->handle, "expanding role attribute %s", id);
+
+restart:
+ ebitmap_for_each_bit(&role->roles, rnode, i) {
+ if (ebitmap_node_get_bit(rnode, i)) {
+ sub_attr = state->base->role_val_to_struct[i];
+ if (sub_attr->flavor != ROLE_ATTRIB)
+ continue;
+
+ /* remove the sub role attribute from the parent
+ * role attribute's roles ebitmap */
+ if (ebitmap_set_bit(&role->roles, i, 0))
+ return -1;
+
+ /* loop dependency of role attributes */
+ if (sub_attr->s.value == role->s.value)
+ continue;
+
+ /* now go on to expand a sub role attribute
+ * by escalating its roles ebitmap */
+ if (ebitmap_union(&role->roles, &sub_attr->roles)) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+
+ /* sub_attr->roles may contain other role attributes,
+ * re-scan the parent role attribute's roles ebitmap */
+ goto restart;
+ }
+ }
+
+ return 0;
+}
+
+/* For any role attribute in a declaration's local symtab[SYM_ROLES] table,
+ * copy its roles ebitmap into its duplicate's in the base->p_roles.table.
+ */
+static int populate_decl_roleattributes(hashtab_key_t key,
+ hashtab_datum_t datum,
+ void *data)
+{
+ char *id = key;
+ role_datum_t *decl_role, *base_role;
+ link_state_t *state = (link_state_t *)data;
+
+ decl_role = (role_datum_t *)datum;
+
+ if (strcmp(id, OBJECT_R) == 0) {
+ /* object_r is never a role attribute by far */
+ return 0;
+ }
+
+ if (decl_role->flavor != ROLE_ATTRIB)
+ return 0;
+
+ base_role = (role_datum_t *)hashtab_search(state->base->p_roles.table,
+ id);
+ assert(base_role != NULL && base_role->flavor == ROLE_ATTRIB);
+
+ if (ebitmap_union(&base_role->roles, &decl_role->roles)) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+
+ return 0;
+}
+
+static int populate_roleattributes(link_state_t *state, policydb_t *pol)
+{
+ avrule_block_t *block;
+ avrule_decl_t *decl;
+
+ if (state->verbose)
+ INFO(state->handle, "Populating role-attribute relationship "
+ "from enabled declarations' local symtab.");
+
+ /* Iterate through all of the blocks skipping the first(which is the
+ * global block, is required to be present and can't have an else).
+ * If the block is disabled or not having an enabled decl, skip it.
+ */
+ for (block = pol->global->next; block != NULL; block = block->next)
+ {
+ decl = block->enabled;
+ if (decl == NULL || decl->enabled == 0)
+ continue;
+
+ if (hashtab_map(decl->symtab[SYM_ROLES].table,
+ populate_decl_roleattributes, state))
+ return -1;
+ }
+
+ return 0;
+}
+
+/* Link a set of modules into a base module. This process is somewhat
+ * similar to an actual compiler: it requires a set of order dependent
+ * steps. The base and every module must have been indexed prior to
+ * calling this function.
+ */
+int link_modules(sepol_handle_t * handle,
+ policydb_t * b, policydb_t ** mods, int len, int verbose)
+{
+ int i, ret, retval = -1;
+ policy_module_t **modules = NULL;
+ link_state_t state;
+ uint32_t num_mod_decls = 0;
+
+ memset(&state, 0, sizeof(state));
+ state.base = b;
+ state.verbose = verbose;
+ state.handle = handle;
+
+ if (b->policy_type != POLICY_BASE) {
+ ERR(state.handle, "Target of link was not a base policy.");
+ return -1;
+ }
+
+ /* first allocate some space to hold the maps from module
+ * symbol's value to the destination symbol value; then do
+ * other preparation work */
+ if ((modules =
+ (policy_module_t **) calloc(len, sizeof(*modules))) == NULL) {
+ ERR(state.handle, "Out of memory!");
+ return -1;
+ }
+ for (i = 0; i < len; i++) {
+ if (mods[i]->policy_type != POLICY_MOD) {
+ ERR(state.handle,
+ "Tried to link in a policy that was not a module.");
+ goto cleanup;
+ }
+
+ if (mods[i]->mls != b->mls) {
+ if (b->mls)
+ ERR(state.handle,
+ "Tried to link in a non-MLS module with an MLS base.");
+ else
+ ERR(state.handle,
+ "Tried to link in an MLS module with a non-MLS base.");
+ goto cleanup;
+ }
+
+ if ((modules[i] =
+ (policy_module_t *) calloc(1,
+ sizeof(policy_module_t))) ==
+ NULL) {
+ ERR(state.handle, "Out of memory!");
+ goto cleanup;
+ }
+ modules[i]->policy = mods[i];
+ if (prepare_module(&state, modules[i]) == -1) {
+ goto cleanup;
+ }
+ num_mod_decls += modules[i]->num_decls;
+ }
+ if (prepare_base(&state, num_mod_decls) == -1) {
+ goto cleanup;
+ }
+
+ /* copy all types, declared and required */
+ for (i = 0; i < len; i++) {
+ state.cur = modules[i];
+ state.cur_mod_name = modules[i]->policy->name;
+ ret =
+ hashtab_map(modules[i]->policy->p_types.table,
+ type_copy_callback, &state);
+ if (ret) {
+ retval = ret;
+ goto cleanup;
+ }
+ }
+
+ /* then copy everything else, including aliases, and fixup attributes */
+ for (i = 0; i < len; i++) {
+ state.cur = modules[i];
+ state.cur_mod_name = modules[i]->policy->name;
+ ret =
+ copy_identifiers(&state, modules[i]->policy->symtab, NULL);
+ if (ret) {
+ retval = ret;
+ goto cleanup;
+ }
+ }
+
+ if (policydb_index_others(state.handle, state.base, 0)) {
+ ERR(state.handle, "Error while indexing others");
+ goto cleanup;
+ }
+
+ /* copy and remap the module's data over to base */
+ for (i = 0; i < len; i++) {
+ state.cur = modules[i];
+ ret = copy_module(&state, modules[i]);
+ if (ret) {
+ retval = ret;
+ goto cleanup;
+ }
+ }
+
+ /* re-index base, for symbols were added to symbol tables */
+ if (policydb_index_classes(state.base)) {
+ ERR(state.handle, "Error while indexing classes");
+ goto cleanup;
+ }
+ if (policydb_index_others(state.handle, state.base, 0)) {
+ ERR(state.handle, "Error while indexing others");
+ goto cleanup;
+ }
+
+ if (enable_avrules(&state, state.base)) {
+ retval = SEPOL_EREQ;
+ goto cleanup;
+ }
+
+ /* Now that all role attribute's roles ebitmap have been settled,
+ * escalate sub role attribute's roles ebitmap into that of parent.
+ *
+ * First, since some role-attribute relationships could be recorded
+ * in some decl's local symtab(see get_local_role()), we need to
+ * populate them up to the base.p_roles table. */
+ if (populate_roleattributes(&state, state.base)) {
+ retval = SEPOL_EREQ;
+ goto cleanup;
+ }
+
+ /* Now do the escalation. */
+ if (hashtab_map(state.base->p_roles.table, expand_role_attributes,
+ &state))
+ goto cleanup;
+
+ retval = 0;
+ cleanup:
+ for (i = 0; modules != NULL && i < len; i++) {
+ policy_module_destroy(modules[i]);
+ }
+ free(modules);
+ free(state.decl_to_mod);
+ return retval;
+}
diff --git a/src/mls.c b/src/mls.c
new file mode 100644
index 0000000..1e84bb7
--- /dev/null
+++ b/src/mls.c
@@ -0,0 +1,798 @@
+/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */
+/*
+ * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
+ *
+ * Support for enhanced MLS infrastructure.
+ *
+ * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+/* FLASK */
+
+/*
+ * Implementation of the multi-level security (MLS) policy.
+ */
+
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/services.h>
+#include <sepol/policydb/flask.h>
+#include <sepol/policydb/context.h>
+
+#include <stdlib.h>
+
+#include "handle.h"
+#include "debug.h"
+#include "private.h"
+#include "mls.h"
+
+int mls_to_string(sepol_handle_t * handle,
+ const policydb_t * policydb,
+ const context_struct_t * mls, char **str)
+{
+
+ char *ptr = NULL, *ptr2 = NULL;
+
+ /* Temporary buffer - length + NULL terminator */
+ int len = mls_compute_context_len(policydb, mls) + 1;
+
+ ptr = (char *)malloc(len);
+ if (ptr == NULL)
+ goto omem;
+
+ /* Final string w/ ':' cut off */
+ ptr2 = (char *)malloc(len - 1);
+ if (ptr2 == NULL)
+ goto omem;
+
+ mls_sid_to_context(policydb, mls, &ptr);
+ ptr -= len - 1;
+ strcpy(ptr2, ptr + 1);
+
+ free(ptr);
+ *str = ptr2;
+ return STATUS_SUCCESS;
+
+ omem:
+ ERR(handle, "out of memory, could not convert mls context to string");
+
+ free(ptr);
+ free(ptr2);
+ return STATUS_ERR;
+
+}
+
+int mls_from_string(sepol_handle_t * handle,
+ const policydb_t * policydb,
+ const char *str, context_struct_t * mls)
+{
+
+ char *tmp = strdup(str);
+ char *tmp_cp = tmp;
+ if (!tmp)
+ goto omem;
+
+ if (mls_context_to_sid(policydb, '$', &tmp_cp, mls) < 0) {
+ ERR(handle, "invalid MLS context %s", str);
+ free(tmp);
+ goto err;
+ }
+
+ free(tmp);
+ return STATUS_SUCCESS;
+
+ omem:
+ ERR(handle, "out of memory");
+
+ err:
+ ERR(handle, "could not construct mls context structure");
+ return STATUS_ERR;
+}
+
+/*
+ * Return the length in bytes for the MLS fields of the
+ * security context string representation of `context'.
+ */
+int mls_compute_context_len(const policydb_t * policydb,
+ const context_struct_t * context)
+{
+
+ unsigned int i, l, len, range;
+ ebitmap_node_t *cnode;
+
+ if (!policydb->mls)
+ return 0;
+
+ len = 1; /* for the beginning ":" */
+ for (l = 0; l < 2; l++) {
+ range = 0;
+ len +=
+ strlen(policydb->
+ p_sens_val_to_name[context->range.level[l].sens -
+ 1]);
+
+ ebitmap_for_each_bit(&context->range.level[l].cat, cnode, i) {
+ if (ebitmap_node_get_bit(cnode, i)) {
+ if (range) {
+ range++;
+ continue;
+ }
+
+ len +=
+ strlen(policydb->p_cat_val_to_name[i]) + 1;
+ range++;
+ } else {
+ if (range > 1)
+ len +=
+ strlen(policydb->
+ p_cat_val_to_name[i - 1]) +
+ 1;
+ range = 0;
+ }
+ }
+ /* Handle case where last category is the end of range */
+ if (range > 1)
+ len += strlen(policydb->p_cat_val_to_name[i - 1]) + 1;
+
+ if (l == 0) {
+ if (mls_level_eq(&context->range.level[0],
+ &context->range.level[1]))
+ break;
+ else
+ len++;
+ }
+ }
+
+ return len;
+}
+
+/*
+ * Write the security context string representation of
+ * the MLS fields of `context' into the string `*scontext'.
+ * Update `*scontext' to point to the end of the MLS fields.
+ */
+void mls_sid_to_context(const policydb_t * policydb,
+ const context_struct_t * context, char **scontext)
+{
+
+ char *scontextp;
+ unsigned int i, l, range, wrote_sep;
+ ebitmap_node_t *cnode;
+
+ if (!policydb->mls)
+ return;
+
+ scontextp = *scontext;
+
+ *scontextp = ':';
+ scontextp++;
+
+ for (l = 0; l < 2; l++) {
+ range = 0;
+ wrote_sep = 0;
+ strcpy(scontextp,
+ policydb->p_sens_val_to_name[context->range.level[l].
+ sens - 1]);
+ scontextp +=
+ strlen(policydb->
+ p_sens_val_to_name[context->range.level[l].sens -
+ 1]);
+ /* categories */
+ ebitmap_for_each_bit(&context->range.level[l].cat, cnode, i) {
+ if (ebitmap_node_get_bit(cnode, i)) {
+ if (range) {
+ range++;
+ continue;
+ }
+
+ if (!wrote_sep) {
+ *scontextp++ = ':';
+ wrote_sep = 1;
+ } else
+ *scontextp++ = ',';
+ strcpy(scontextp,
+ policydb->p_cat_val_to_name[i]);
+ scontextp +=
+ strlen(policydb->p_cat_val_to_name[i]);
+ range++;
+ } else {
+ if (range > 1) {
+ if (range > 2)
+ *scontextp++ = '.';
+ else
+ *scontextp++ = ',';
+
+ strcpy(scontextp,
+ policydb->p_cat_val_to_name[i -
+ 1]);
+ scontextp +=
+ strlen(policydb->
+ p_cat_val_to_name[i - 1]);
+ }
+ range = 0;
+ }
+ }
+ /* Handle case where last category is the end of range */
+ if (range > 1) {
+ if (range > 2)
+ *scontextp++ = '.';
+ else
+ *scontextp++ = ',';
+
+ strcpy(scontextp, policydb->p_cat_val_to_name[i - 1]);
+ scontextp += strlen(policydb->p_cat_val_to_name[i - 1]);
+ }
+
+ if (l == 0) {
+ if (mls_level_eq(&context->range.level[0],
+ &context->range.level[1]))
+ break;
+ else {
+ *scontextp = '-';
+ scontextp++;
+ }
+ }
+ }
+
+ *scontext = scontextp;
+ return;
+}
+
+/*
+ * Return 1 if the MLS fields in the security context
+ * structure `c' are valid. Return 0 otherwise.
+ */
+int mls_context_isvalid(const policydb_t * p, const context_struct_t * c)
+{
+
+ level_datum_t *levdatum;
+ user_datum_t *usrdatum;
+ unsigned int i, l;
+ ebitmap_node_t *cnode;
+
+ if (!p->mls)
+ return 1;
+
+ /*
+ * MLS range validity checks: high must dominate low, low level must
+ * be valid (category set <-> sensitivity check), and high level must
+ * be valid (category set <-> sensitivity check)
+ */
+ if (!mls_level_dom(&c->range.level[1], &c->range.level[0]))
+ /* High does not dominate low. */
+ return 0;
+
+ for (l = 0; l < 2; l++) {
+ if (!c->range.level[l].sens
+ || c->range.level[l].sens > p->p_levels.nprim)
+ return 0;
+ levdatum = (level_datum_t *) hashtab_search(p->p_levels.table,
+ p->
+ p_sens_val_to_name
+ [c->range.level[l].
+ sens - 1]);
+ if (!levdatum)
+ return 0;
+
+ ebitmap_for_each_bit(&c->range.level[l].cat, cnode, i) {
+ if (ebitmap_node_get_bit(cnode, i)) {
+ if (i > p->p_cats.nprim)
+ return 0;
+ if (!ebitmap_get_bit(&levdatum->level->cat, i))
+ /*
+ * Category may not be associated with
+ * sensitivity in low level.
+ */
+ return 0;
+ }
+ }
+ }
+
+ if (c->role == OBJECT_R_VAL)
+ return 1;
+
+ /*
+ * User must be authorized for the MLS range.
+ */
+ if (!c->user || c->user > p->p_users.nprim)
+ return 0;
+ usrdatum = p->user_val_to_struct[c->user - 1];
+ if (!mls_range_contains(usrdatum->exp_range, c->range))
+ return 0; /* user may not be associated with range */
+
+ return 1;
+}
+
+/*
+ * Set the MLS fields in the security context structure
+ * `context' based on the string representation in
+ * the string `*scontext'. Update `*scontext' to
+ * point to the end of the string representation of
+ * the MLS fields.
+ *
+ * This function modifies the string in place, inserting
+ * NULL characters to terminate the MLS fields.
+ */
+int mls_context_to_sid(const policydb_t * policydb,
+ char oldc, char **scontext, context_struct_t * context)
+{
+
+ char delim;
+ char *scontextp, *p, *rngptr;
+ level_datum_t *levdatum;
+ cat_datum_t *catdatum, *rngdatum;
+ unsigned int l;
+
+ if (!policydb->mls)
+ return 0;
+
+ /* No MLS component to the security context */
+ if (!oldc)
+ goto err;
+
+ /* Extract low sensitivity. */
+ scontextp = p = *scontext;
+ while (*p && *p != ':' && *p != '-')
+ p++;
+
+ delim = *p;
+ if (delim != 0)
+ *p++ = 0;
+
+ for (l = 0; l < 2; l++) {
+ levdatum =
+ (level_datum_t *) hashtab_search(policydb->p_levels.table,
+ (hashtab_key_t) scontextp);
+
+ if (!levdatum)
+ goto err;
+
+ context->range.level[l].sens = levdatum->level->sens;
+
+ if (delim == ':') {
+ /* Extract category set. */
+ while (1) {
+ scontextp = p;
+ while (*p && *p != ',' && *p != '-')
+ p++;
+ delim = *p;
+ if (delim != 0)
+ *p++ = 0;
+
+ /* Separate into range if exists */
+ if ((rngptr = strchr(scontextp, '.')) != NULL) {
+ /* Remove '.' */
+ *rngptr++ = 0;
+ }
+
+ catdatum =
+ (cat_datum_t *) hashtab_search(policydb->
+ p_cats.table,
+ (hashtab_key_t)
+ scontextp);
+ if (!catdatum)
+ goto err;
+
+ if (ebitmap_set_bit
+ (&context->range.level[l].cat,
+ catdatum->s.value - 1, 1))
+ goto err;
+
+ /* If range, set all categories in range */
+ if (rngptr) {
+ unsigned int i;
+
+ rngdatum = (cat_datum_t *)
+ hashtab_search(policydb->p_cats.
+ table,
+ (hashtab_key_t)
+ rngptr);
+ if (!rngdatum)
+ goto err;
+
+ if (catdatum->s.value >=
+ rngdatum->s.value)
+ goto err;
+
+ for (i = catdatum->s.value;
+ i < rngdatum->s.value; i++) {
+ if (ebitmap_set_bit
+ (&context->range.level[l].
+ cat, i, 1))
+ goto err;
+ }
+ }
+
+ if (delim != ',')
+ break;
+ }
+ }
+ if (delim == '-') {
+ /* Extract high sensitivity. */
+ scontextp = p;
+ while (*p && *p != ':')
+ p++;
+
+ delim = *p;
+ if (delim != 0)
+ *p++ = 0;
+ } else
+ break;
+ }
+
+ /* High level is missing, copy low level */
+ if (l == 0) {
+ if (mls_level_cpy(&context->range.level[1],
+ &context->range.level[0]) < 0)
+ goto err;
+ }
+ *scontext = ++p;
+
+ return STATUS_SUCCESS;
+
+ err:
+ return STATUS_ERR;
+}
+
+/*
+ * Copies the MLS range from `src' into `dst'.
+ */
+static inline int mls_copy_context(context_struct_t * dst,
+ context_struct_t * src)
+{
+ int l, rc = 0;
+
+ /* Copy the MLS range from the source context */
+ for (l = 0; l < 2; l++) {
+ dst->range.level[l].sens = src->range.level[l].sens;
+ rc = ebitmap_cpy(&dst->range.level[l].cat,
+ &src->range.level[l].cat);
+ if (rc)
+ break;
+ }
+
+ return rc;
+}
+
+/*
+ * Copies the effective MLS range from `src' into `dst'.
+ */
+static inline int mls_scopy_context(context_struct_t * dst,
+ context_struct_t * src)
+{
+ int l, rc = 0;
+
+ /* Copy the MLS range from the source context */
+ for (l = 0; l < 2; l++) {
+ dst->range.level[l].sens = src->range.level[0].sens;
+ rc = ebitmap_cpy(&dst->range.level[l].cat,
+ &src->range.level[0].cat);
+ if (rc)
+ break;
+ }
+
+ return rc;
+}
+
+/*
+ * Copies the MLS range `range' into `context'.
+ */
+static inline int mls_range_set(context_struct_t * context, mls_range_t * range)
+{
+ int l, rc = 0;
+
+ /* Copy the MLS range into the context */
+ for (l = 0; l < 2; l++) {
+ context->range.level[l].sens = range->level[l].sens;
+ rc = ebitmap_cpy(&context->range.level[l].cat,
+ &range->level[l].cat);
+ if (rc)
+ break;
+ }
+
+ return rc;
+}
+
+int mls_setup_user_range(context_struct_t * fromcon, user_datum_t * user,
+ context_struct_t * usercon, int mls)
+{
+ if (mls) {
+ mls_level_t *fromcon_sen = &(fromcon->range.level[0]);
+ mls_level_t *fromcon_clr = &(fromcon->range.level[1]);
+ mls_level_t *user_low = &(user->exp_range.level[0]);
+ mls_level_t *user_clr = &(user->exp_range.level[1]);
+ mls_level_t *user_def = &(user->exp_dfltlevel);
+ mls_level_t *usercon_sen = &(usercon->range.level[0]);
+ mls_level_t *usercon_clr = &(usercon->range.level[1]);
+
+ /* Honor the user's default level if we can */
+ if (mls_level_between(user_def, fromcon_sen, fromcon_clr)) {
+ *usercon_sen = *user_def;
+ } else if (mls_level_between(fromcon_sen, user_def, user_clr)) {
+ *usercon_sen = *fromcon_sen;
+ } else if (mls_level_between(fromcon_clr, user_low, user_def)) {
+ *usercon_sen = *user_low;
+ } else
+ return -EINVAL;
+
+ /* Lower the clearance of available contexts
+ if the clearance of "fromcon" is lower than
+ that of the user's default clearance (but
+ only if the "fromcon" clearance dominates
+ the user's computed sensitivity level) */
+ if (mls_level_dom(user_clr, fromcon_clr)) {
+ *usercon_clr = *fromcon_clr;
+ } else if (mls_level_dom(fromcon_clr, user_clr)) {
+ *usercon_clr = *user_clr;
+ } else
+ return -EINVAL;
+ }
+
+ return 0;
+}
+
+/*
+ * Convert the MLS fields in the security context
+ * structure `c' from the values specified in the
+ * policy `oldp' to the values specified in the policy `newp'.
+ */
+int mls_convert_context(policydb_t * oldp,
+ policydb_t * newp, context_struct_t * c)
+{
+ level_datum_t *levdatum;
+ cat_datum_t *catdatum;
+ ebitmap_t bitmap;
+ unsigned int l, i;
+ ebitmap_node_t *cnode;
+
+ if (!oldp->mls)
+ return 0;
+
+ for (l = 0; l < 2; l++) {
+ levdatum =
+ (level_datum_t *) hashtab_search(newp->p_levels.table,
+ oldp->
+ p_sens_val_to_name[c->
+ range.
+ level
+ [l].
+ sens -
+ 1]);
+
+ if (!levdatum)
+ return -EINVAL;
+ c->range.level[l].sens = levdatum->level->sens;
+
+ ebitmap_init(&bitmap);
+ ebitmap_for_each_bit(&c->range.level[l].cat, cnode, i) {
+ if (ebitmap_node_get_bit(cnode, i)) {
+ int rc;
+
+ catdatum =
+ (cat_datum_t *) hashtab_search(newp->p_cats.
+ table,
+ oldp->
+ p_cat_val_to_name
+ [i]);
+ if (!catdatum)
+ return -EINVAL;
+ rc = ebitmap_set_bit(&bitmap,
+ catdatum->s.value - 1, 1);
+ if (rc)
+ return rc;
+ }
+ }
+ ebitmap_destroy(&c->range.level[l].cat);
+ c->range.level[l].cat = bitmap;
+ }
+
+ return 0;
+}
+
+int mls_compute_sid(policydb_t * policydb,
+ context_struct_t * scontext,
+ context_struct_t * tcontext,
+ sepol_security_class_t tclass,
+ uint32_t specified, context_struct_t * newcontext)
+{
+ range_trans_t *rtr;
+ if (!policydb->mls)
+ return 0;
+
+ switch (specified) {
+ case AVTAB_TRANSITION:
+ /* Look for a range transition rule. */
+ for (rtr = policydb->range_tr; rtr; rtr = rtr->next) {
+ if (rtr->source_type == scontext->type &&
+ rtr->target_type == tcontext->type &&
+ rtr->target_class == tclass) {
+ /* Set the range from the rule */
+ return mls_range_set(newcontext,
+ &rtr->target_range);
+ }
+ }
+ /* Fallthrough */
+ case AVTAB_CHANGE:
+ if (tclass == SECCLASS_PROCESS)
+ /* Use the process MLS attributes. */
+ return mls_copy_context(newcontext, scontext);
+ else
+ /* Use the process effective MLS attributes. */
+ return mls_scopy_context(newcontext, scontext);
+ case AVTAB_MEMBER:
+ /* Only polyinstantiate the MLS attributes if
+ the type is being polyinstantiated */
+ if (newcontext->type != tcontext->type) {
+ /* Use the process effective MLS attributes. */
+ return mls_scopy_context(newcontext, scontext);
+ } else {
+ /* Use the related object MLS attributes. */
+ return mls_copy_context(newcontext, tcontext);
+ }
+ default:
+ return -EINVAL;
+ }
+ return -EINVAL;
+}
+
+int sepol_mls_contains(sepol_handle_t * handle,
+ sepol_policydb_t * policydb,
+ const char *mls1, const char *mls2, int *response)
+{
+
+ context_struct_t *ctx1 = NULL, *ctx2 = NULL;
+ ctx1 = malloc(sizeof(context_struct_t));
+ ctx2 = malloc(sizeof(context_struct_t));
+ if (ctx1 == NULL || ctx2 == NULL)
+ goto omem;
+ context_init(ctx1);
+ context_init(ctx2);
+
+ if (mls_from_string(handle, &policydb->p, mls1, ctx1) < 0)
+ goto err;
+
+ if (mls_from_string(handle, &policydb->p, mls2, ctx2) < 0)
+ goto err;
+
+ *response = mls_range_contains(ctx1->range, ctx2->range);
+ context_destroy(ctx1);
+ context_destroy(ctx2);
+ free(ctx1);
+ free(ctx2);
+ return STATUS_SUCCESS;
+
+ omem:
+ ERR(handle, "out of memory");
+
+ err:
+ ERR(handle, "could not check if mls context %s contains %s",
+ mls1, mls2);
+ context_destroy(ctx1);
+ context_destroy(ctx2);
+ free(ctx1);
+ free(ctx2);
+ return STATUS_ERR;
+}
+
+int sepol_mls_check(sepol_handle_t * handle,
+ sepol_policydb_t * policydb, const char *mls)
+{
+
+ int ret;
+ context_struct_t *con = malloc(sizeof(context_struct_t));
+ if (!con) {
+ ERR(handle, "out of memory, could not check if "
+ "mls context %s is valid", mls);
+ return STATUS_ERR;
+ }
+ context_init(con);
+
+ ret = mls_from_string(handle, &policydb->p, mls, con);
+ context_destroy(con);
+ free(con);
+ return ret;
+}
+
+void mls_semantic_cat_init(mls_semantic_cat_t * c)
+{
+ memset(c, 0, sizeof(mls_semantic_cat_t));
+}
+
+void mls_semantic_cat_destroy(mls_semantic_cat_t * c __attribute__ ((unused)))
+{
+ /* it's currently a simple struct - really nothing to destroy */
+ return;
+}
+
+void mls_semantic_level_init(mls_semantic_level_t * l)
+{
+ memset(l, 0, sizeof(mls_semantic_level_t));
+}
+
+void mls_semantic_level_destroy(mls_semantic_level_t * l)
+{
+ mls_semantic_cat_t *cur, *next;
+
+ if (l == NULL)
+ return;
+
+ next = l->cat;
+ while (next) {
+ cur = next;
+ next = cur->next;
+ mls_semantic_cat_destroy(cur);
+ free(cur);
+ }
+}
+
+int mls_semantic_level_cpy(mls_semantic_level_t * dst,
+ mls_semantic_level_t * src)
+{
+ mls_semantic_cat_t *cat, *newcat, *lnewcat = NULL;
+
+ mls_semantic_level_init(dst);
+ dst->sens = src->sens;
+ cat = src->cat;
+ while (cat) {
+ newcat =
+ (mls_semantic_cat_t *) malloc(sizeof(mls_semantic_cat_t));
+ if (!newcat)
+ goto err;
+
+ mls_semantic_cat_init(newcat);
+ if (lnewcat)
+ lnewcat->next = newcat;
+ else
+ dst->cat = newcat;
+
+ newcat->low = cat->low;
+ newcat->high = cat->high;
+
+ lnewcat = newcat;
+ cat = cat->next;
+ }
+ return 0;
+
+ err:
+ mls_semantic_level_destroy(dst);
+ return -1;
+}
+
+void mls_semantic_range_init(mls_semantic_range_t * r)
+{
+ mls_semantic_level_init(&r->level[0]);
+ mls_semantic_level_init(&r->level[1]);
+}
+
+void mls_semantic_range_destroy(mls_semantic_range_t * r)
+{
+ mls_semantic_level_destroy(&r->level[0]);
+ mls_semantic_level_destroy(&r->level[1]);
+}
+
+int mls_semantic_range_cpy(mls_semantic_range_t * dst,
+ mls_semantic_range_t * src)
+{
+ if (mls_semantic_level_cpy(&dst->level[0], &src->level[0]) < 0)
+ return -1;
+
+ if (mls_semantic_level_cpy(&dst->level[1], &src->level[1]) < 0) {
+ mls_semantic_level_destroy(&dst->level[0]);
+ return -1;
+ }
+
+ return 0;
+}
diff --git a/src/mls.h b/src/mls.h
new file mode 100644
index 0000000..98da3d3
--- /dev/null
+++ b/src/mls.h
@@ -0,0 +1,67 @@
+/* Author: Stephen Smalley, <sds@epoch.ncsc.mil>
+ * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
+ *
+ * Support for enhanced MLS infrastructure.
+ *
+ * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef _SEPOL_MLS_INTERNAL_H_
+#define _SEPOL_MLS_INTERNAL_H_
+
+#include "policydb_internal.h"
+#include <sepol/policydb/context.h>
+#include "handle.h"
+
+extern int mls_from_string(sepol_handle_t * handle,
+ const policydb_t * policydb,
+ const char *str, context_struct_t * mls);
+
+extern int mls_to_string(sepol_handle_t * handle,
+ const policydb_t * policydb,
+ const context_struct_t * mls, char **str);
+
+/* Deprecated */
+extern int mls_compute_context_len(const policydb_t * policydb,
+ const context_struct_t * context);
+
+/* Deprecated */
+extern void mls_sid_to_context(const policydb_t * policydb,
+ const context_struct_t * context,
+ char **scontext);
+
+/* Deprecated */
+extern int mls_context_to_sid(const policydb_t * policydb,
+ char oldc,
+ char **scontext, context_struct_t * context);
+
+extern int mls_context_isvalid(const policydb_t * p,
+ const context_struct_t * c);
+
+extern int mls_convert_context(policydb_t * oldp,
+ policydb_t * newp, context_struct_t * context);
+
+extern int mls_compute_sid(policydb_t * policydb,
+ context_struct_t * scontext,
+ context_struct_t * tcontext,
+ sepol_security_class_t tclass,
+ uint32_t specified, context_struct_t * newcontext);
+
+extern int mls_setup_user_range(context_struct_t * fromcon, user_datum_t * user,
+ context_struct_t * usercon, int mls);
+
+#endif
diff --git a/src/module.c b/src/module.c
new file mode 100644
index 0000000..b5b807e
--- /dev/null
+++ b/src/module.c
@@ -0,0 +1,985 @@
+/* Author: Karl MacMillan <kmacmillan@tresys.com>
+ * Jason Tang <jtang@tresys.com>
+ * Chris PeBenito <cpebenito@tresys.com>
+ *
+ * Copyright (C) 2004-2005 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include "policydb_internal.h"
+#include "module_internal.h"
+#include <sepol/policydb/link.h>
+#include <sepol/policydb/expand.h>
+#include <sepol/policydb/module.h>
+#include "debug.h"
+#include "private.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <limits.h>
+
+#define SEPOL_PACKAGE_SECTION_FC 0xf97cff90
+#define SEPOL_PACKAGE_SECTION_SEUSER 0x97cff91
+#define SEPOL_PACKAGE_SECTION_USER_EXTRA 0x97cff92
+#define SEPOL_PACKAGE_SECTION_NETFILTER 0x97cff93
+
+static int policy_file_seek(struct policy_file *fp, size_t offset)
+{
+ switch (fp->type) {
+ case PF_USE_STDIO:
+ if (offset > LONG_MAX) {
+ errno = EFAULT;
+ return -1;
+ }
+ return fseek(fp->fp, (long)offset, SEEK_SET);
+ case PF_USE_MEMORY:
+ if (offset > fp->size) {
+ errno = EFAULT;
+ return -1;
+ }
+ fp->data -= fp->size - fp->len;
+ fp->data += offset;
+ fp->len = fp->size - offset;
+ return 0;
+ default:
+ return 0;
+ }
+}
+
+static size_t policy_file_length(struct policy_file *fp)
+{
+ long prev_offset, end_offset;
+ switch (fp->type) {
+ case PF_USE_STDIO:
+ prev_offset = ftell(fp->fp);
+ fseek(fp->fp, 0L, SEEK_END);
+ end_offset = ftell(fp->fp);
+ fseek(fp->fp, prev_offset, SEEK_SET);
+ return end_offset;
+ case PF_USE_MEMORY:
+ return fp->size;
+ default:
+ return 0;
+ }
+}
+
+static int module_package_init(sepol_module_package_t * p)
+{
+ memset(p, 0, sizeof(sepol_module_package_t));
+ if (sepol_policydb_create(&p->policy))
+ return -1;
+
+ p->version = 1;
+ return 0;
+}
+
+static int set_char(char **field, char *data, size_t len)
+{
+ if (*field) {
+ free(*field);
+ *field = NULL;
+ }
+ if (len) {
+ *field = malloc(len);
+ if (!*field)
+ return -1;
+ memcpy(*field, data, len);
+ }
+ return 0;
+}
+
+int sepol_module_package_create(sepol_module_package_t ** p)
+{
+ *p = calloc(1, sizeof(sepol_module_package_t));
+ if (!(*p))
+ return -1;
+ return module_package_init(*p);
+}
+
+hidden_def(sepol_module_package_create)
+
+/* Deallocates all memory associated with a module package, including
+ * the pointer itself. Does nothing if p is NULL.
+ */
+void sepol_module_package_free(sepol_module_package_t * p)
+{
+ if (p == NULL)
+ return;
+
+ sepol_policydb_free(p->policy);
+ free(p->file_contexts);
+ free(p->seusers);
+ free(p->user_extra);
+ free(p->netfilter_contexts);
+ free(p);
+}
+
+hidden_def(sepol_module_package_free)
+
+char *sepol_module_package_get_file_contexts(sepol_module_package_t * p)
+{
+ return p->file_contexts;
+}
+
+size_t sepol_module_package_get_file_contexts_len(sepol_module_package_t * p)
+{
+ return p->file_contexts_len;
+}
+
+char *sepol_module_package_get_seusers(sepol_module_package_t * p)
+{
+ return p->seusers;
+}
+
+size_t sepol_module_package_get_seusers_len(sepol_module_package_t * p)
+{
+ return p->seusers_len;
+}
+
+char *sepol_module_package_get_user_extra(sepol_module_package_t * p)
+{
+ return p->user_extra;
+}
+
+size_t sepol_module_package_get_user_extra_len(sepol_module_package_t * p)
+{
+ return p->user_extra_len;
+}
+
+char *sepol_module_package_get_netfilter_contexts(sepol_module_package_t * p)
+{
+ return p->netfilter_contexts;
+}
+
+size_t sepol_module_package_get_netfilter_contexts_len(sepol_module_package_t *
+ p)
+{
+ return p->netfilter_contexts_len;
+}
+
+int sepol_module_package_set_file_contexts(sepol_module_package_t * p,
+ char *data, size_t len)
+{
+ if (set_char(&p->file_contexts, data, len))
+ return -1;
+
+ p->file_contexts_len = len;
+ return 0;
+}
+
+int sepol_module_package_set_seusers(sepol_module_package_t * p,
+ char *data, size_t len)
+{
+ if (set_char(&p->seusers, data, len))
+ return -1;
+
+ p->seusers_len = len;
+ return 0;
+}
+
+int sepol_module_package_set_user_extra(sepol_module_package_t * p,
+ char *data, size_t len)
+{
+ if (set_char(&p->user_extra, data, len))
+ return -1;
+
+ p->user_extra_len = len;
+ return 0;
+}
+
+int sepol_module_package_set_netfilter_contexts(sepol_module_package_t * p,
+ char *data, size_t len)
+{
+ if (set_char(&p->netfilter_contexts, data, len))
+ return -1;
+
+ p->netfilter_contexts_len = len;
+ return 0;
+}
+
+sepol_policydb_t *sepol_module_package_get_policy(sepol_module_package_t * p)
+{
+ return p->policy;
+}
+
+/* Append each of the file contexts from each module to the base
+ * policy's file context. 'base_context' will be reallocated to a
+ * larger size (and thus it is an in/out reference
+ * variable). 'base_fc_len' is the length of base's file context; it
+ * too is a reference variable. Return 0 on success, -1 if out of
+ * memory. */
+static int link_file_contexts(sepol_module_package_t * base,
+ sepol_module_package_t ** modules,
+ int num_modules)
+{
+ size_t fc_len;
+ int i;
+ char *s;
+
+ fc_len = base->file_contexts_len;
+ for (i = 0; i < num_modules; i++) {
+ fc_len += modules[i]->file_contexts_len;
+ }
+
+ if ((s = (char *)realloc(base->file_contexts, fc_len)) == NULL) {
+ return -1;
+ }
+ base->file_contexts = s;
+ for (i = 0; i < num_modules; i++) {
+ memcpy(base->file_contexts + base->file_contexts_len,
+ modules[i]->file_contexts,
+ modules[i]->file_contexts_len);
+ base->file_contexts_len += modules[i]->file_contexts_len;
+ }
+ return 0;
+}
+
+/* Append each of the netfilter contexts from each module to the base
+ * policy's netfilter context. 'base_context' will be reallocated to a
+ * larger size (and thus it is an in/out reference
+ * variable). 'base_nc_len' is the length of base's netfilter contexts; it
+ * too is a reference variable. Return 0 on success, -1 if out of
+ * memory. */
+static int link_netfilter_contexts(sepol_module_package_t * base,
+ sepol_module_package_t ** modules,
+ int num_modules)
+{
+ size_t base_nc_len;
+ int i;
+ char *base_context;
+
+ base_nc_len = base->netfilter_contexts_len;
+ for (i = 0; i < num_modules; i++) {
+ base_nc_len += modules[i]->netfilter_contexts_len;
+ }
+
+ if ((base_context =
+ (char *)realloc(base->netfilter_contexts, base_nc_len)) == NULL) {
+ return -1;
+ }
+ base->netfilter_contexts = base_context;
+ for (i = 0; i < num_modules; i++) {
+ memcpy(base->netfilter_contexts + base->netfilter_contexts_len,
+ modules[i]->netfilter_contexts,
+ modules[i]->netfilter_contexts_len);
+ base->netfilter_contexts_len +=
+ modules[i]->netfilter_contexts_len;
+ }
+ return 0;
+}
+
+/* Links the module packages into the base. Returns 0 on success, -1
+ * if a requirement was not met, or -2 for all other errors. */
+int sepol_link_packages(sepol_handle_t * handle,
+ sepol_module_package_t * base,
+ sepol_module_package_t ** modules, int num_modules,
+ int verbose)
+{
+ policydb_t **mod_pols = NULL;
+ int i, retval;
+
+ if ((mod_pols = calloc(num_modules, sizeof(*mod_pols))) == NULL) {
+ ERR(handle, "Out of memory!");
+ return -2;
+ }
+ for (i = 0; i < num_modules; i++) {
+ mod_pols[i] = &modules[i]->policy->p;
+ }
+
+ retval = link_modules(handle, &base->policy->p, mod_pols, num_modules,
+ verbose);
+ free(mod_pols);
+ if (retval == -3) {
+ return -1;
+ } else if (retval < 0) {
+ return -2;
+ }
+
+ if (link_file_contexts(base, modules, num_modules) == -1) {
+ ERR(handle, "Out of memory!");
+ return -2;
+ }
+
+ if (link_netfilter_contexts(base, modules, num_modules) == -1) {
+ ERR(handle, "Out of memory!");
+ return -2;
+ }
+
+ return 0;
+}
+
+/* buf must be large enough - no checks are performed */
+#define _read_helper_bufsize BUFSIZ
+static int read_helper(char *buf, struct policy_file *file, uint32_t bytes)
+{
+ uint32_t offset, nel, read_len;
+ int rc;
+
+ offset = 0;
+ nel = bytes;
+
+ while (nel) {
+ if (nel < _read_helper_bufsize)
+ read_len = nel;
+ else
+ read_len = _read_helper_bufsize;
+ rc = next_entry(&buf[offset], file, read_len);
+ if (rc < 0)
+ return -1;
+ offset += read_len;
+ nel -= read_len;
+ }
+ return 0;
+}
+
+#define MAXSECTIONS 100
+
+/* Get the section offsets from a package file, offsets will be malloc'd to
+ * the appropriate size and the caller must free() them */
+static int module_package_read_offsets(sepol_module_package_t * mod,
+ struct policy_file *file,
+ size_t ** offsets, uint32_t * sections)
+{
+ uint32_t *buf = NULL, nsec;
+ unsigned i;
+ size_t *off = NULL;
+ int rc;
+
+ buf = malloc(sizeof(uint32_t)*3);
+ if (!buf) {
+ ERR(file->handle, "out of memory");
+ goto err;
+ }
+
+ rc = next_entry(buf, file, sizeof(uint32_t) * 3);
+ if (rc < 0) {
+ ERR(file->handle, "module package header truncated");
+ goto err;
+ }
+ if (le32_to_cpu(buf[0]) != SEPOL_MODULE_PACKAGE_MAGIC) {
+ ERR(file->handle,
+ "wrong magic number for module package: expected %#08x, got %#08x",
+ SEPOL_MODULE_PACKAGE_MAGIC, le32_to_cpu(buf[0]));
+ goto err;
+ }
+
+ mod->version = le32_to_cpu(buf[1]);
+ nsec = *sections = le32_to_cpu(buf[2]);
+
+ if (nsec > MAXSECTIONS) {
+ ERR(file->handle, "too many sections (%u) in module package",
+ nsec);
+ goto err;
+ }
+
+ off = (size_t *) malloc((nsec + 1) * sizeof(size_t));
+ if (!off) {
+ ERR(file->handle, "out of memory");
+ goto err;
+ }
+
+ free(buf);
+ buf = malloc(sizeof(uint32_t) * nsec);
+ if (!buf) {
+ ERR(file->handle, "out of memory");
+ goto err;
+ }
+ rc = next_entry(buf, file, sizeof(uint32_t) * nsec);
+ if (rc < 0) {
+ ERR(file->handle, "module package offset array truncated");
+ goto err;
+ }
+
+ for (i = 0; i < nsec; i++) {
+ off[i] = le32_to_cpu(buf[i]);
+ if (i && off[i] < off[i - 1]) {
+ ERR(file->handle, "offsets are not increasing (at %u, "
+ "offset %zu -> %zu", i, off[i - 1],
+ off[i]);
+ goto err;
+ }
+ }
+
+ off[nsec] = policy_file_length(file);
+ if (nsec && off[nsec] < off[nsec-1]) {
+ ERR(file->handle, "offset greater than file size (at %u, "
+ "offset %zu -> %zu", nsec, off[nsec - 1],
+ off[nsec]);
+ goto err;
+ }
+ *offsets = off;
+ free(buf);
+ return 0;
+
+err:
+ free(buf);
+ free(off);
+ return -1;
+}
+
+/* Flags for which sections have been seen during parsing of module package. */
+#define SEEN_MOD 1
+#define SEEN_FC 2
+#define SEEN_SEUSER 4
+#define SEEN_USER_EXTRA 8
+#define SEEN_NETFILTER 16
+
+int sepol_module_package_read(sepol_module_package_t * mod,
+ struct sepol_policy_file *spf, int verbose)
+{
+ struct policy_file *file = &spf->pf;
+ uint32_t buf[1], nsec;
+ size_t *offsets, len;
+ int rc;
+ unsigned i, seen = 0;
+
+ if (module_package_read_offsets(mod, file, &offsets, &nsec))
+ return -1;
+
+ /* we know the section offsets, seek to them and read in the data */
+
+ for (i = 0; i < nsec; i++) {
+
+ if (policy_file_seek(file, offsets[i])) {
+ ERR(file->handle, "error seeking to offset %zu for "
+ "module package section %u", offsets[i], i);
+ goto cleanup;
+ }
+
+ len = offsets[i + 1] - offsets[i];
+
+ if (len < sizeof(uint32_t)) {
+ ERR(file->handle, "module package section %u "
+ "has too small length %zu", i, len);
+ goto cleanup;
+ }
+
+ /* read the magic number, so that we know which function to call */
+ rc = next_entry(buf, file, sizeof(uint32_t));
+ if (rc < 0) {
+ ERR(file->handle,
+ "module package section %u truncated, lacks magic number",
+ i);
+ goto cleanup;
+ }
+
+ switch (le32_to_cpu(buf[0])) {
+ case SEPOL_PACKAGE_SECTION_FC:
+ if (seen & SEEN_FC) {
+ ERR(file->handle,
+ "found multiple file contexts sections in module package (at section %u)",
+ i);
+ goto cleanup;
+ }
+
+ mod->file_contexts_len = len - sizeof(uint32_t);
+ mod->file_contexts =
+ (char *)malloc(mod->file_contexts_len);
+ if (!mod->file_contexts) {
+ ERR(file->handle, "out of memory");
+ goto cleanup;
+ }
+ if (read_helper
+ (mod->file_contexts, file,
+ mod->file_contexts_len)) {
+ ERR(file->handle,
+ "invalid file contexts section at section %u",
+ i);
+ free(mod->file_contexts);
+ mod->file_contexts = NULL;
+ goto cleanup;
+ }
+ seen |= SEEN_FC;
+ break;
+ case SEPOL_PACKAGE_SECTION_SEUSER:
+ if (seen & SEEN_SEUSER) {
+ ERR(file->handle,
+ "found multiple seuser sections in module package (at section %u)",
+ i);
+ goto cleanup;
+ }
+
+ mod->seusers_len = len - sizeof(uint32_t);
+ mod->seusers = (char *)malloc(mod->seusers_len);
+ if (!mod->seusers) {
+ ERR(file->handle, "out of memory");
+ goto cleanup;
+ }
+ if (read_helper(mod->seusers, file, mod->seusers_len)) {
+ ERR(file->handle,
+ "invalid seuser section at section %u", i);
+ free(mod->seusers);
+ mod->seusers = NULL;
+ goto cleanup;
+ }
+ seen |= SEEN_SEUSER;
+ break;
+ case SEPOL_PACKAGE_SECTION_USER_EXTRA:
+ if (seen & SEEN_USER_EXTRA) {
+ ERR(file->handle,
+ "found multiple user_extra sections in module package (at section %u)",
+ i);
+ goto cleanup;
+ }
+
+ mod->user_extra_len = len - sizeof(uint32_t);
+ mod->user_extra = (char *)malloc(mod->user_extra_len);
+ if (!mod->user_extra) {
+ ERR(file->handle, "out of memory");
+ goto cleanup;
+ }
+ if (read_helper
+ (mod->user_extra, file, mod->user_extra_len)) {
+ ERR(file->handle,
+ "invalid user_extra section at section %u",
+ i);
+ free(mod->user_extra);
+ mod->user_extra = NULL;
+ goto cleanup;
+ }
+ seen |= SEEN_USER_EXTRA;
+ break;
+ case SEPOL_PACKAGE_SECTION_NETFILTER:
+ if (seen & SEEN_NETFILTER) {
+ ERR(file->handle,
+ "found multiple netfilter contexts sections in module package (at section %u)",
+ i);
+ goto cleanup;
+ }
+
+ mod->netfilter_contexts_len = len - sizeof(uint32_t);
+ mod->netfilter_contexts =
+ (char *)malloc(mod->netfilter_contexts_len);
+ if (!mod->netfilter_contexts) {
+ ERR(file->handle, "out of memory");
+ goto cleanup;
+ }
+ if (read_helper
+ (mod->netfilter_contexts, file,
+ mod->netfilter_contexts_len)) {
+ ERR(file->handle,
+ "invalid netfilter contexts section at section %u",
+ i);
+ free(mod->netfilter_contexts);
+ mod->netfilter_contexts = NULL;
+ goto cleanup;
+ }
+ seen |= SEEN_NETFILTER;
+ break;
+ case POLICYDB_MOD_MAGIC:
+ if (seen & SEEN_MOD) {
+ ERR(file->handle,
+ "found multiple module sections in module package (at section %u)",
+ i);
+ goto cleanup;
+ }
+
+ /* seek back to where the magic number was */
+ if (policy_file_seek(file, offsets[i]))
+ goto cleanup;
+
+ rc = policydb_read(&mod->policy->p, file, verbose);
+ if (rc < 0) {
+ ERR(file->handle,
+ "invalid module in module package (at section %u)",
+ i);
+ goto cleanup;
+ }
+ seen |= SEEN_MOD;
+ break;
+ default:
+ /* unknown section, ignore */
+ ERR(file->handle,
+ "unknown magic number at section %u, offset: %zx, number: %ux ",
+ i, offsets[i], le32_to_cpu(buf[0]));
+ break;
+ }
+ }
+
+ if ((seen & SEEN_MOD) == 0) {
+ ERR(file->handle, "missing module in module package");
+ goto cleanup;
+ }
+
+ free(offsets);
+ return 0;
+
+ cleanup:
+ free(offsets);
+ return -1;
+}
+
+int sepol_module_package_info(struct sepol_policy_file *spf, int *type,
+ char **name, char **version)
+{
+ struct policy_file *file = &spf->pf;
+ sepol_module_package_t *mod = NULL;
+ uint32_t buf[5], len, nsec;
+ size_t *offsets = NULL;
+ unsigned i, seen = 0;
+ char *id;
+ int rc;
+
+ if (sepol_module_package_create(&mod))
+ return -1;
+
+ if (module_package_read_offsets(mod, file, &offsets, &nsec)) {
+ goto cleanup;
+ }
+
+ for (i = 0; i < nsec; i++) {
+
+ if (policy_file_seek(file, offsets[i])) {
+ ERR(file->handle, "error seeking to offset "
+ "%zu for module package section %u", offsets[i], i);
+ goto cleanup;
+ }
+
+ len = offsets[i + 1] - offsets[i];
+
+ if (len < sizeof(uint32_t)) {
+ ERR(file->handle,
+ "module package section %u has too small length %u",
+ i, len);
+ goto cleanup;
+ }
+
+ /* read the magic number, so that we know which function to call */
+ rc = next_entry(buf, file, sizeof(uint32_t) * 2);
+ if (rc < 0) {
+ ERR(file->handle,
+ "module package section %u truncated, lacks magic number",
+ i);
+ goto cleanup;
+ }
+
+ switch (le32_to_cpu(buf[0])) {
+ case SEPOL_PACKAGE_SECTION_FC:
+ /* skip file contexts */
+ if (seen & SEEN_FC) {
+ ERR(file->handle,
+ "found multiple file contexts sections in module package (at section %u)",
+ i);
+ goto cleanup;
+ }
+ seen |= SEEN_FC;
+ break;
+ case SEPOL_PACKAGE_SECTION_SEUSER:
+ /* skip seuser */
+ if (seen & SEEN_SEUSER) {
+ ERR(file->handle,
+ "found seuser sections in module package (at section %u)",
+ i);
+ goto cleanup;
+ }
+ seen |= SEEN_SEUSER;
+ break;
+ case SEPOL_PACKAGE_SECTION_USER_EXTRA:
+ /* skip user_extra */
+ if (seen & SEEN_USER_EXTRA) {
+ ERR(file->handle,
+ "found user_extra sections in module package (at section %u)",
+ i);
+ goto cleanup;
+ }
+ seen |= SEEN_USER_EXTRA;
+ break;
+ case SEPOL_PACKAGE_SECTION_NETFILTER:
+ /* skip netfilter contexts */
+ if (seen & SEEN_NETFILTER) {
+ ERR(file->handle,
+ "found multiple netfilter contexts sections in module package (at section %u)",
+ i);
+ goto cleanup;
+ }
+ seen |= SEEN_NETFILTER;
+ break;
+ case POLICYDB_MOD_MAGIC:
+ if (seen & SEEN_MOD) {
+ ERR(file->handle,
+ "found multiple module sections in module package (at section %u)",
+ i);
+ goto cleanup;
+ }
+ len = le32_to_cpu(buf[1]);
+ if (len != strlen(POLICYDB_MOD_STRING)) {
+ ERR(file->handle,
+ "module string length is wrong (at section %u)",
+ i);
+ goto cleanup;
+ }
+
+ /* skip id */
+ id = malloc(len + 1);
+ if (!id) {
+ ERR(file->handle,
+ "out of memory (at section %u)",
+ i);
+ goto cleanup;
+ }
+ rc = next_entry(id, file, len);
+ free(id);
+ if (rc < 0) {
+ ERR(file->handle,
+ "cannot get module string (at section %u)",
+ i);
+ goto cleanup;
+ }
+
+ rc = next_entry(buf, file, sizeof(uint32_t) * 5);
+ if (rc < 0) {
+ ERR(file->handle,
+ "cannot get module header (at section %u)",
+ i);
+ goto cleanup;
+ }
+
+ *type = le32_to_cpu(buf[0]);
+ /* if base - we're done */
+ if (*type == POLICY_BASE) {
+ *name = NULL;
+ *version = NULL;
+ seen |= SEEN_MOD;
+ break;
+ } else if (*type != POLICY_MOD) {
+ ERR(file->handle,
+ "module has invalid type %d (at section %u)",
+ *type, i);
+ goto cleanup;
+ }
+
+ /* read the name and version */
+ rc = next_entry(buf, file, sizeof(uint32_t));
+ if (rc < 0) {
+ ERR(file->handle,
+ "cannot get module name len (at section %u)",
+ i);
+ goto cleanup;
+ }
+ len = le32_to_cpu(buf[0]);
+ *name = malloc(len + 1);
+ if (!*name) {
+ ERR(file->handle, "out of memory");
+ goto cleanup;
+ }
+ rc = next_entry(*name, file, len);
+ if (rc < 0) {
+ ERR(file->handle,
+ "cannot get module name string (at section %u)",
+ i);
+ goto cleanup;
+ }
+ (*name)[len] = '\0';
+ rc = next_entry(buf, file, sizeof(uint32_t));
+ if (rc < 0) {
+ ERR(file->handle,
+ "cannot get module version len (at section %u)",
+ i);
+ goto cleanup;
+ }
+ len = le32_to_cpu(buf[0]);
+ *version = malloc(len + 1);
+ if (!*version) {
+ ERR(file->handle, "out of memory");
+ goto cleanup;
+ }
+ rc = next_entry(*version, file, len);
+ if (rc < 0) {
+ ERR(file->handle,
+ "cannot get module version string (at section %u)",
+ i);
+ goto cleanup;
+ }
+ (*version)[len] = '\0';
+ seen |= SEEN_MOD;
+ break;
+ default:
+ break;
+ }
+
+ }
+
+ if ((seen & SEEN_MOD) == 0) {
+ ERR(file->handle, "missing module in module package");
+ goto cleanup;
+ }
+
+ sepol_module_package_free(mod);
+ free(offsets);
+ return 0;
+
+ cleanup:
+ sepol_module_package_free(mod);
+ free(offsets);
+ return -1;
+}
+
+static int write_helper(char *data, size_t len, struct policy_file *file)
+{
+ int idx = 0;
+ size_t len2;
+
+ while (len) {
+ if (len > BUFSIZ)
+ len2 = BUFSIZ;
+ else
+ len2 = len;
+
+ if (put_entry(&data[idx], 1, len2, file) != len2) {
+ return -1;
+ }
+ len -= len2;
+ idx += len2;
+ }
+ return 0;
+}
+
+int sepol_module_package_write(sepol_module_package_t * p,
+ struct sepol_policy_file *spf)
+{
+ struct policy_file *file = &spf->pf;
+ policy_file_t polfile;
+ uint32_t buf[5], offsets[5], len, nsec = 0;
+ int i;
+
+ if (p->policy) {
+ /* compute policy length */
+ policy_file_init(&polfile);
+ polfile.type = PF_LEN;
+ polfile.handle = file->handle;
+ if (policydb_write(&p->policy->p, &polfile))
+ return -1;
+ len = polfile.len;
+ if (!polfile.len)
+ return -1;
+ nsec++;
+
+ } else {
+ /* We don't support writing a package without a module at this point */
+ return -1;
+ }
+
+ /* seusers and user_extra only supported in base at the moment */
+ if ((p->seusers || p->user_extra)
+ && (p->policy->p.policy_type != SEPOL_POLICY_BASE)) {
+ ERR(file->handle,
+ "seuser and user_extra sections only supported in base");
+ return -1;
+ }
+
+ if (p->file_contexts)
+ nsec++;
+
+ if (p->seusers)
+ nsec++;
+
+ if (p->user_extra)
+ nsec++;
+
+ if (p->netfilter_contexts)
+ nsec++;
+
+ buf[0] = cpu_to_le32(SEPOL_MODULE_PACKAGE_MAGIC);
+ buf[1] = cpu_to_le32(p->version);
+ buf[2] = cpu_to_le32(nsec);
+ if (put_entry(buf, sizeof(uint32_t), 3, file) != 3)
+ return -1;
+
+ /* calculate offsets */
+ offsets[0] = (nsec + 3) * sizeof(uint32_t);
+ buf[0] = cpu_to_le32(offsets[0]);
+
+ i = 1;
+ if (p->file_contexts) {
+ offsets[i] = offsets[i - 1] + len;
+ buf[i] = cpu_to_le32(offsets[i]);
+ /* add a uint32_t to compensate for the magic number */
+ len = p->file_contexts_len + sizeof(uint32_t);
+ i++;
+ }
+ if (p->seusers) {
+ offsets[i] = offsets[i - 1] + len;
+ buf[i] = cpu_to_le32(offsets[i]);
+ len = p->seusers_len + sizeof(uint32_t);
+ i++;
+ }
+ if (p->user_extra) {
+ offsets[i] = offsets[i - 1] + len;
+ buf[i] = cpu_to_le32(offsets[i]);
+ len = p->user_extra_len + sizeof(uint32_t);
+ i++;
+ }
+ if (p->netfilter_contexts) {
+ offsets[i] = offsets[i - 1] + len;
+ buf[i] = cpu_to_le32(offsets[i]);
+ len = p->netfilter_contexts_len + sizeof(uint32_t);
+ i++;
+ }
+ if (put_entry(buf, sizeof(uint32_t), nsec, file) != nsec)
+ return -1;
+
+ /* write sections */
+
+ if (policydb_write(&p->policy->p, file))
+ return -1;
+
+ if (p->file_contexts) {
+ buf[0] = cpu_to_le32(SEPOL_PACKAGE_SECTION_FC);
+ if (put_entry(buf, sizeof(uint32_t), 1, file) != 1)
+ return -1;
+ if (write_helper(p->file_contexts, p->file_contexts_len, file))
+ return -1;
+ }
+ if (p->seusers) {
+ buf[0] = cpu_to_le32(SEPOL_PACKAGE_SECTION_SEUSER);
+ if (put_entry(buf, sizeof(uint32_t), 1, file) != 1)
+ return -1;
+ if (write_helper(p->seusers, p->seusers_len, file))
+ return -1;
+
+ }
+ if (p->user_extra) {
+ buf[0] = cpu_to_le32(SEPOL_PACKAGE_SECTION_USER_EXTRA);
+ if (put_entry(buf, sizeof(uint32_t), 1, file) != 1)
+ return -1;
+ if (write_helper(p->user_extra, p->user_extra_len, file))
+ return -1;
+ }
+ if (p->netfilter_contexts) {
+ buf[0] = cpu_to_le32(SEPOL_PACKAGE_SECTION_NETFILTER);
+ if (put_entry(buf, sizeof(uint32_t), 1, file) != 1)
+ return -1;
+ if (write_helper
+ (p->netfilter_contexts, p->netfilter_contexts_len, file))
+ return -1;
+ }
+ return 0;
+}
+
+int sepol_link_modules(sepol_handle_t * handle,
+ sepol_policydb_t * base,
+ sepol_policydb_t ** modules, size_t len, int verbose)
+{
+ return link_modules(handle, &base->p, (policydb_t **) modules, len,
+ verbose);
+}
+
+int sepol_expand_module(sepol_handle_t * handle,
+ sepol_policydb_t * base,
+ sepol_policydb_t * out, int verbose, int check)
+{
+ return expand_module(handle, &base->p, &out->p, verbose, check);
+}
diff --git a/src/module_internal.h b/src/module_internal.h
new file mode 100644
index 0000000..cdd5ec6
--- /dev/null
+++ b/src/module_internal.h
@@ -0,0 +1,5 @@
+#include <sepol/module.h>
+#include "dso.h"
+
+hidden_proto(sepol_module_package_create)
+ hidden_proto(sepol_module_package_free)
diff --git a/src/node_internal.h b/src/node_internal.h
new file mode 100644
index 0000000..802cda9
--- /dev/null
+++ b/src/node_internal.h
@@ -0,0 +1,26 @@
+#ifndef _SEPOL_NODE_INTERNAL_H_
+#define _SEPOL_NODE_INTERNAL_H_
+
+#include <sepol/node_record.h>
+#include <sepol/nodes.h>
+#include "dso.h"
+
+hidden_proto(sepol_node_create)
+ hidden_proto(sepol_node_key_free)
+ hidden_proto(sepol_node_free)
+ hidden_proto(sepol_node_get_con)
+ hidden_proto(sepol_node_get_addr)
+ hidden_proto(sepol_node_get_addr_bytes)
+ hidden_proto(sepol_node_get_mask)
+ hidden_proto(sepol_node_get_mask_bytes)
+ hidden_proto(sepol_node_get_proto)
+ hidden_proto(sepol_node_get_proto_str)
+ hidden_proto(sepol_node_key_create)
+ hidden_proto(sepol_node_key_unpack)
+ hidden_proto(sepol_node_set_con)
+ hidden_proto(sepol_node_set_addr)
+ hidden_proto(sepol_node_set_addr_bytes)
+ hidden_proto(sepol_node_set_mask)
+ hidden_proto(sepol_node_set_mask_bytes)
+ hidden_proto(sepol_node_set_proto)
+#endif
diff --git a/src/node_record.c b/src/node_record.c
new file mode 100644
index 0000000..b1bd370
--- /dev/null
+++ b/src/node_record.c
@@ -0,0 +1,668 @@
+#include <stdlib.h>
+#include <stddef.h>
+#include <string.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <errno.h>
+
+#include "node_internal.h"
+#include "context_internal.h"
+#include "debug.h"
+
+struct sepol_node {
+
+ /* Network address and mask */
+ char *addr;
+ size_t addr_sz;
+
+ char *mask;
+ size_t mask_sz;
+
+ /* Protocol */
+ int proto;
+
+ /* Context */
+ sepol_context_t *con;
+};
+
+struct sepol_node_key {
+
+ /* Network address and mask */
+ char *addr;
+ size_t addr_sz;
+
+ char *mask;
+ size_t mask_sz;
+
+ /* Protocol */
+ int proto;
+};
+
+/* Converts a string represtation (addr_str)
+ * to a numeric representation (addr_bytes) */
+
+static int node_parse_addr(sepol_handle_t * handle,
+ const char *addr_str, int proto, char *addr_bytes)
+{
+
+ switch (proto) {
+
+ case SEPOL_PROTO_IP4:
+ {
+ struct in_addr in_addr;
+
+ if (inet_pton(AF_INET, addr_str, &in_addr) <= 0) {
+ ERR(handle, "could not parse IPv4 address "
+ "%s: %s", addr_str, strerror(errno));
+ return STATUS_ERR;
+ }
+
+ memcpy(addr_bytes, &in_addr.s_addr, 4);
+ break;
+ }
+ case SEPOL_PROTO_IP6:
+ {
+ struct in6_addr in_addr;
+
+ if (inet_pton(AF_INET6, addr_str, &in_addr) <= 0) {
+ ERR(handle, "could not parse IPv6 address "
+ "%s: %s", addr_str, strerror(errno));
+ return STATUS_ERR;
+ }
+
+ memcpy(addr_bytes, in_addr.s6_addr32, 16);
+ break;
+ }
+ default:
+ ERR(handle, "unsupported protocol %u, could not "
+ "parse address", proto);
+ return STATUS_ERR;
+ }
+
+ return STATUS_SUCCESS;
+}
+
+/* Allocates a sufficiently large buffer (addr, addr_sz)
+ * according the the protocol */
+
+static int node_alloc_addr(sepol_handle_t * handle,
+ int proto, char **addr, size_t * addr_sz)
+{
+
+ char *tmp_addr = NULL;
+ size_t tmp_addr_sz;
+
+ switch (proto) {
+
+ case SEPOL_PROTO_IP4:
+ tmp_addr_sz = 4;
+ tmp_addr = malloc(4);
+ if (!tmp_addr)
+ goto omem;
+ break;
+
+ case SEPOL_PROTO_IP6:
+ tmp_addr_sz = 16;
+ tmp_addr = malloc(16);
+ if (!tmp_addr)
+ goto omem;
+ break;
+
+ default:
+ ERR(handle, "unsupported protocol %u", proto);
+ goto err;
+ }
+
+ *addr = tmp_addr;
+ *addr_sz = tmp_addr_sz;
+ return STATUS_SUCCESS;
+
+ omem:
+ ERR(handle, "out of memory");
+
+ err:
+ free(tmp_addr);
+ ERR(handle, "could not allocate address of protocol %s",
+ sepol_node_get_proto_str(proto));
+ return STATUS_ERR;
+}
+
+/* Converts a numeric representation (addr_bytes)
+ * to a string representation (addr_str), according to
+ * the protocol */
+
+static int node_expand_addr(sepol_handle_t * handle,
+ char *addr_bytes, int proto, char *addr_str)
+{
+
+ switch (proto) {
+
+ case SEPOL_PROTO_IP4:
+ {
+ struct in_addr addr;
+ memset(&addr, 0, sizeof(struct in_addr));
+ memcpy(&addr.s_addr, addr_bytes, 4);
+
+ if (inet_ntop(AF_INET, &addr, addr_str,
+ INET_ADDRSTRLEN) == NULL) {
+
+ ERR(handle,
+ "could not expand IPv4 address to string: %s",
+ strerror(errno));
+ return STATUS_ERR;
+ }
+ break;
+ }
+
+ case SEPOL_PROTO_IP6:
+ {
+ struct in6_addr addr;
+ memset(&addr, 0, sizeof(struct in6_addr));
+ memcpy(&addr.s6_addr32[0], addr_bytes, 16);
+
+ if (inet_ntop(AF_INET6, &addr, addr_str,
+ INET6_ADDRSTRLEN) == NULL) {
+
+ ERR(handle,
+ "could not expand IPv6 address to string: %s",
+ strerror(errno));
+ return STATUS_ERR;
+ }
+ break;
+ }
+
+ default:
+ ERR(handle, "unsupported protocol %u, could not"
+ " expand address to string", proto);
+ return STATUS_ERR;
+ }
+
+ return STATUS_SUCCESS;
+}
+
+/* Allocates a sufficiently large address string (addr)
+ * according to the protocol */
+
+static int node_alloc_addr_string(sepol_handle_t * handle,
+ int proto, char **addr)
+{
+
+ char *tmp_addr = NULL;
+
+ switch (proto) {
+
+ case SEPOL_PROTO_IP4:
+ tmp_addr = malloc(INET_ADDRSTRLEN);
+ if (!tmp_addr)
+ goto omem;
+ break;
+
+ case SEPOL_PROTO_IP6:
+ tmp_addr = malloc(INET6_ADDRSTRLEN);
+ if (!tmp_addr)
+ goto omem;
+ break;
+
+ default:
+ ERR(handle, "unsupported protocol %u", proto);
+ goto err;
+ }
+
+ *addr = tmp_addr;
+ return STATUS_SUCCESS;
+
+ omem:
+ ERR(handle, "out of memory");
+
+ err:
+ free(tmp_addr);
+ ERR(handle, "could not allocate string buffer for "
+ "address of protocol %s", sepol_node_get_proto_str(proto));
+ return STATUS_ERR;
+}
+
+/* Key */
+int sepol_node_key_create(sepol_handle_t * handle,
+ const char *addr,
+ const char *mask,
+ int proto, sepol_node_key_t ** key_ptr)
+{
+
+ sepol_node_key_t *tmp_key =
+ (sepol_node_key_t *) calloc(1, sizeof(sepol_node_key_t));
+ if (!tmp_key)
+ goto omem;
+
+ if (node_alloc_addr(handle, proto, &tmp_key->addr, &tmp_key->addr_sz) <
+ 0)
+ goto err;
+ if (node_parse_addr(handle, addr, proto, tmp_key->addr) < 0)
+ goto err;
+
+ if (node_alloc_addr(handle, proto, &tmp_key->mask, &tmp_key->mask_sz) <
+ 0)
+ goto err;
+ if (node_parse_addr(handle, mask, proto, tmp_key->mask) < 0)
+ goto err;
+
+ tmp_key->proto = proto;
+
+ *key_ptr = tmp_key;
+ return STATUS_SUCCESS;
+
+ omem:
+ ERR(handle, "out of memory");
+
+ err:
+ sepol_node_key_free(tmp_key);
+ ERR(handle, "could not create node key for (%s, %s, %s)",
+ addr, mask, sepol_node_get_proto_str(proto));
+ return STATUS_ERR;
+}
+
+hidden_def(sepol_node_key_create)
+
+void sepol_node_key_unpack(const sepol_node_key_t * key,
+ const char **addr, const char **mask, int *proto)
+{
+
+ *addr = key->addr;
+ *mask = key->mask;
+ *proto = key->proto;
+}
+
+hidden_def(sepol_node_key_unpack)
+
+int sepol_node_key_extract(sepol_handle_t * handle,
+ const sepol_node_t * node,
+ sepol_node_key_t ** key_ptr)
+{
+
+ sepol_node_key_t *tmp_key =
+ (sepol_node_key_t *) calloc(1, sizeof(sepol_node_key_t));
+ if (!tmp_key)
+ goto omem;
+
+ tmp_key->addr = malloc(node->addr_sz);
+ tmp_key->mask = malloc(node->mask_sz);
+
+ if (!tmp_key->addr || !tmp_key->mask)
+ goto omem;
+
+ memcpy(tmp_key->addr, node->addr, node->addr_sz);
+ memcpy(tmp_key->mask, node->mask, node->mask_sz);
+ tmp_key->addr_sz = node->addr_sz;
+ tmp_key->mask_sz = node->mask_sz;
+ tmp_key->proto = node->proto;
+
+ *key_ptr = tmp_key;
+ return STATUS_SUCCESS;
+
+ omem:
+ sepol_node_key_free(tmp_key);
+ ERR(handle, "out of memory, could not extract node key");
+ return STATUS_ERR;
+}
+
+void sepol_node_key_free(sepol_node_key_t * key)
+{
+
+ if (!key)
+ return;
+
+ free(key->addr);
+ free(key->mask);
+ free(key);
+}
+
+hidden_def(sepol_node_key_free)
+
+int sepol_node_compare(const sepol_node_t * node, const sepol_node_key_t * key)
+{
+
+ int rc1, rc2;
+
+ if ((node->addr_sz < key->addr_sz) || (node->mask_sz < key->mask_sz))
+ return -1;
+
+ else if ((node->addr_sz > key->addr_sz) ||
+ (node->mask_sz > key->mask_sz))
+ return 1;
+
+ rc1 = memcmp(node->addr, key->addr, node->addr_sz);
+ rc2 = memcmp(node->mask, key->mask, node->mask_sz);
+
+ return (rc2 != 0) ? rc2 : rc1;
+}
+
+int sepol_node_compare2(const sepol_node_t * node, const sepol_node_t * node2)
+{
+
+ int rc1, rc2;
+
+ if ((node->addr_sz < node2->addr_sz) ||
+ (node->mask_sz < node2->mask_sz))
+ return -1;
+
+ else if ((node->addr_sz > node2->addr_sz) ||
+ (node->mask_sz > node2->mask_sz))
+ return 1;
+
+ rc1 = memcmp(node->addr, node2->addr, node->addr_sz);
+ rc2 = memcmp(node->mask, node2->mask, node->mask_sz);
+
+ return (rc2 != 0) ? rc2 : rc1;
+}
+
+/* Addr */
+int sepol_node_get_addr(sepol_handle_t * handle,
+ const sepol_node_t * node, char **addr)
+{
+
+ char *tmp_addr = NULL;
+
+ if (node_alloc_addr_string(handle, node->proto, &tmp_addr) < 0)
+ goto err;
+
+ if (node_expand_addr(handle, node->addr, node->proto, tmp_addr) < 0)
+ goto err;
+
+ *addr = tmp_addr;
+ return STATUS_SUCCESS;
+
+ err:
+ free(tmp_addr);
+ ERR(handle, "could not get node address");
+ return STATUS_ERR;
+}
+
+hidden_def(sepol_node_get_addr)
+
+int sepol_node_get_addr_bytes(sepol_handle_t * handle,
+ const sepol_node_t * node,
+ char **buffer, size_t * bsize)
+{
+
+ char *tmp_buf = malloc(node->addr_sz);
+ if (!tmp_buf) {
+ ERR(handle, "out of memory, could not get address bytes");
+ return STATUS_ERR;
+ }
+
+ memcpy(tmp_buf, node->addr, node->addr_sz);
+ *buffer = tmp_buf;
+ *bsize = node->addr_sz;
+ return STATUS_SUCCESS;
+}
+
+hidden_def(sepol_node_get_addr_bytes)
+
+int sepol_node_set_addr(sepol_handle_t * handle,
+ sepol_node_t * node, int proto, const char *addr)
+{
+
+ char *tmp_addr = NULL;
+ size_t tmp_addr_sz;
+
+ if (node_alloc_addr(handle, proto, &tmp_addr, &tmp_addr_sz) < 0)
+ goto err;
+
+ if (node_parse_addr(handle, addr, proto, tmp_addr) < 0)
+ goto err;
+
+ free(node->addr);
+ node->addr = tmp_addr;
+ node->addr_sz = tmp_addr_sz;
+ return STATUS_SUCCESS;
+
+ err:
+ free(tmp_addr);
+ ERR(handle, "could not set node address to %s", addr);
+ return STATUS_ERR;
+}
+
+hidden_def(sepol_node_set_addr)
+
+int sepol_node_set_addr_bytes(sepol_handle_t * handle,
+ sepol_node_t * node,
+ const char *addr, size_t addr_sz)
+{
+
+ char *tmp_addr = malloc(addr_sz);
+ if (!tmp_addr) {
+ ERR(handle, "out of memory, could not " "set node address");
+ return STATUS_ERR;
+ }
+
+ memcpy(tmp_addr, addr, addr_sz);
+ free(node->addr);
+ node->addr = tmp_addr;
+ node->addr_sz = addr_sz;
+ return STATUS_SUCCESS;
+}
+
+hidden_def(sepol_node_set_addr_bytes)
+
+/* Mask */
+int sepol_node_get_mask(sepol_handle_t * handle,
+ const sepol_node_t * node, char **mask)
+{
+
+ char *tmp_mask = NULL;
+
+ if (node_alloc_addr_string(handle, node->proto, &tmp_mask) < 0)
+ goto err;
+
+ if (node_expand_addr(handle, node->mask, node->proto, tmp_mask) < 0)
+ goto err;
+
+ *mask = tmp_mask;
+ return STATUS_SUCCESS;
+
+ err:
+ free(tmp_mask);
+ ERR(handle, "could not get node netmask");
+ return STATUS_ERR;
+}
+
+hidden_def(sepol_node_get_mask)
+
+int sepol_node_get_mask_bytes(sepol_handle_t * handle,
+ const sepol_node_t * node,
+ char **buffer, size_t * bsize)
+{
+
+ char *tmp_buf = malloc(node->mask_sz);
+ if (!tmp_buf) {
+ ERR(handle, "out of memory, could not get netmask bytes");
+ return STATUS_ERR;
+ }
+
+ memcpy(tmp_buf, node->mask, node->mask_sz);
+ *buffer = tmp_buf;
+ *bsize = node->mask_sz;
+ return STATUS_SUCCESS;
+}
+
+hidden_def(sepol_node_get_mask_bytes)
+
+int sepol_node_set_mask(sepol_handle_t * handle,
+ sepol_node_t * node, int proto, const char *mask)
+{
+
+ char *tmp_mask = NULL;
+ size_t tmp_mask_sz;
+
+ if (node_alloc_addr(handle, proto, &tmp_mask, &tmp_mask_sz) < 0)
+ goto err;
+
+ if (node_parse_addr(handle, mask, proto, tmp_mask) < 0)
+ goto err;
+
+ free(node->mask);
+ node->mask = tmp_mask;
+ node->mask_sz = tmp_mask_sz;
+ return STATUS_SUCCESS;
+
+ err:
+ free(tmp_mask);
+ ERR(handle, "could not set node netmask to %s", mask);
+ return STATUS_ERR;
+}
+
+hidden_def(sepol_node_set_mask)
+
+int sepol_node_set_mask_bytes(sepol_handle_t * handle,
+ sepol_node_t * node,
+ const char *mask, size_t mask_sz)
+{
+
+ char *tmp_mask = malloc(mask_sz);
+ if (!tmp_mask) {
+ ERR(handle, "out of memory, could not " "set node netmask");
+ return STATUS_ERR;
+ }
+ memcpy(tmp_mask, mask, mask_sz);
+ free(node->mask);
+ node->mask = tmp_mask;
+ node->mask_sz = mask_sz;
+ return STATUS_SUCCESS;
+}
+
+hidden_def(sepol_node_set_mask_bytes)
+
+/* Protocol */
+int sepol_node_get_proto(const sepol_node_t * node)
+{
+
+ return node->proto;
+}
+
+hidden_def(sepol_node_get_proto)
+
+void sepol_node_set_proto(sepol_node_t * node, int proto)
+{
+
+ node->proto = proto;
+}
+
+hidden_def(sepol_node_set_proto)
+
+const char *sepol_node_get_proto_str(int proto)
+{
+
+ switch (proto) {
+ case SEPOL_PROTO_IP4:
+ return "ipv4";
+ case SEPOL_PROTO_IP6:
+ return "ipv6";
+ default:
+ return "???";
+ }
+}
+
+hidden_def(sepol_node_get_proto_str)
+
+/* Create */
+int sepol_node_create(sepol_handle_t * handle, sepol_node_t ** node)
+{
+
+ sepol_node_t *tmp_node = (sepol_node_t *) malloc(sizeof(sepol_node_t));
+
+ if (!tmp_node) {
+ ERR(handle, "out of memory, could not create " "node record");
+ return STATUS_ERR;
+ }
+
+ tmp_node->addr = NULL;
+ tmp_node->addr_sz = 0;
+ tmp_node->mask = NULL;
+ tmp_node->mask_sz = 0;
+ tmp_node->proto = SEPOL_PROTO_IP4;
+ tmp_node->con = NULL;
+ *node = tmp_node;
+
+ return STATUS_SUCCESS;
+}
+
+hidden_def(sepol_node_create)
+
+/* Deep copy clone */
+int sepol_node_clone(sepol_handle_t * handle,
+ const sepol_node_t * node, sepol_node_t ** node_ptr)
+{
+
+ sepol_node_t *new_node = NULL;
+ if (sepol_node_create(handle, &new_node) < 0)
+ goto err;
+
+ /* Copy address, mask, protocol */
+ new_node->addr = malloc(node->addr_sz);
+ new_node->mask = malloc(node->mask_sz);
+ if (!new_node->addr || !new_node->mask)
+ goto omem;
+
+ memcpy(new_node->addr, node->addr, node->addr_sz);
+ memcpy(new_node->mask, node->mask, node->mask_sz);
+ new_node->addr_sz = node->addr_sz;
+ new_node->mask_sz = node->mask_sz;
+ new_node->proto = node->proto;
+
+ /* Copy context */
+ if (node->con &&
+ (sepol_context_clone(handle, node->con, &new_node->con) < 0))
+ goto err;
+
+ *node_ptr = new_node;
+ return STATUS_SUCCESS;
+
+ omem:
+ ERR(handle, "out of memory");
+
+ err:
+ ERR(handle, "could not clone node record");
+ sepol_node_free(new_node);
+ return STATUS_ERR;
+}
+
+/* Destroy */
+void sepol_node_free(sepol_node_t * node)
+{
+
+ if (!node)
+ return;
+
+ sepol_context_free(node->con);
+ free(node->addr);
+ free(node->mask);
+ free(node);
+}
+
+hidden_def(sepol_node_free)
+
+/* Context */
+sepol_context_t *sepol_node_get_con(const sepol_node_t * node)
+{
+
+ return node->con;
+}
+
+hidden_def(sepol_node_get_con)
+
+int sepol_node_set_con(sepol_handle_t * handle,
+ sepol_node_t * node, sepol_context_t * con)
+{
+
+ sepol_context_t *newcon;
+
+ if (sepol_context_clone(handle, con, &newcon) < 0) {
+ ERR(handle, "out of memory, could not set node context");
+ return STATUS_ERR;
+ }
+
+ sepol_context_free(node->con);
+ node->con = newcon;
+ return STATUS_SUCCESS;
+}
+
+hidden_def(sepol_node_set_con)
diff --git a/src/nodes.c b/src/nodes.c
new file mode 100644
index 0000000..ebf5f1d
--- /dev/null
+++ b/src/nodes.c
@@ -0,0 +1,400 @@
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <stdlib.h>
+
+#include "debug.h"
+#include "context.h"
+#include "handle.h"
+
+#include <sepol/policydb/policydb.h>
+#include "node_internal.h"
+
+/* Create a low level node structure from
+ * a high level representation */
+static int node_from_record(sepol_handle_t * handle,
+ const policydb_t * policydb,
+ ocontext_t ** node, const sepol_node_t * data)
+{
+
+ ocontext_t *tmp_node = NULL;
+ context_struct_t *tmp_con = NULL;
+ char *addr_buf = NULL, *mask_buf = NULL;
+
+ tmp_node = (ocontext_t *) calloc(1, sizeof(ocontext_t));
+ if (!tmp_node)
+ goto omem;
+
+ size_t addr_bsize, mask_bsize;
+
+ /* Address and netmask */
+ if (sepol_node_get_addr_bytes(handle, data, &addr_buf, &addr_bsize) < 0)
+ goto err;
+ if (sepol_node_get_mask_bytes(handle, data, &mask_buf, &mask_bsize) < 0)
+ goto err;
+
+ int proto = sepol_node_get_proto(data);
+
+ switch (proto) {
+ case SEPOL_PROTO_IP4:
+ memcpy(&tmp_node->u.node.addr, addr_buf, addr_bsize);
+ memcpy(&tmp_node->u.node.mask, mask_buf, mask_bsize);
+ break;
+ case SEPOL_PROTO_IP6:
+ memcpy(tmp_node->u.node6.addr, addr_buf, addr_bsize);
+ memcpy(tmp_node->u.node6.mask, mask_buf, mask_bsize);
+ break;
+ default:
+ ERR(handle, "unsupported protocol %u", proto);
+ goto err;
+ }
+ free(addr_buf);
+ free(mask_buf);
+ addr_buf = NULL;
+ mask_buf = NULL;
+
+ /* Context */
+ if (context_from_record(handle, policydb, &tmp_con,
+ sepol_node_get_con(data)) < 0)
+ goto err;
+ context_cpy(&tmp_node->context[0], tmp_con);
+ context_destroy(tmp_con);
+ free(tmp_con);
+ tmp_con = NULL;
+
+ *node = tmp_node;
+ return STATUS_SUCCESS;
+
+ omem:
+ ERR(handle, "out of memory");
+
+ err:
+ if (tmp_node != NULL) {
+ context_destroy(&tmp_node->context[0]);
+ free(tmp_node);
+ }
+ context_destroy(tmp_con);
+ free(tmp_con);
+ free(addr_buf);
+ free(mask_buf);
+ ERR(handle, "could not create node structure");
+ return STATUS_ERR;
+}
+
+static int node_to_record(sepol_handle_t * handle,
+ const policydb_t * policydb,
+ ocontext_t * node, int proto, sepol_node_t ** record)
+{
+
+ context_struct_t *con = &node->context[0];
+
+ sepol_context_t *tmp_con = NULL;
+ sepol_node_t *tmp_record = NULL;
+
+ if (sepol_node_create(handle, &tmp_record) < 0)
+ goto err;
+
+ sepol_node_set_proto(tmp_record, proto);
+
+ switch (proto) {
+
+ case SEPOL_PROTO_IP4:
+ if (sepol_node_set_addr_bytes(handle, tmp_record,
+ (const char *)&node->u.node.addr,
+ 4) < 0)
+ goto err;
+
+ if (sepol_node_set_mask_bytes(handle, tmp_record,
+ (const char *)&node->u.node.mask,
+ 4) < 0)
+ goto err;
+ break;
+
+ case SEPOL_PROTO_IP6:
+ if (sepol_node_set_addr_bytes(handle, tmp_record,
+ (const char *)&node->u.node6.addr,
+ 16) < 0)
+ goto err;
+
+ if (sepol_node_set_mask_bytes(handle, tmp_record,
+ (const char *)&node->u.node6.mask,
+ 16) < 0)
+ goto err;
+ break;
+
+ default:
+ ERR(handle, "unsupported protocol %u", proto);
+ goto err;
+ }
+
+ if (context_to_record(handle, policydb, con, &tmp_con) < 0)
+ goto err;
+
+ if (sepol_node_set_con(handle, tmp_record, tmp_con) < 0)
+ goto err;
+
+ sepol_context_free(tmp_con);
+ *record = tmp_record;
+ return STATUS_SUCCESS;
+
+ err:
+ ERR(handle, "could not convert node to record");
+ sepol_context_free(tmp_con);
+ sepol_node_free(tmp_record);
+ return STATUS_ERR;
+}
+
+/* Return the number of nodes */
+extern int sepol_node_count(sepol_handle_t * handle __attribute__ ((unused)),
+ const sepol_policydb_t * p, unsigned int *response)
+{
+
+ unsigned int count = 0;
+ ocontext_t *c, *head;
+ const policydb_t *policydb = &p->p;
+
+ head = policydb->ocontexts[OCON_NODE];
+ for (c = head; c != NULL; c = c->next)
+ count++;
+
+ head = policydb->ocontexts[OCON_NODE6];
+ for (c = head; c != NULL; c = c->next)
+ count++;
+
+ *response = count;
+
+ handle = NULL;
+ return STATUS_SUCCESS;
+}
+
+/* Check if a node exists */
+int sepol_node_exists(sepol_handle_t * handle,
+ const sepol_policydb_t * p,
+ const sepol_node_key_t * key, int *response)
+{
+
+ const policydb_t *policydb = &p->p;
+ ocontext_t *c, *head;
+
+ int proto;
+ const char *addr, *mask;
+ sepol_node_key_unpack(key, &addr, &mask, &proto);
+
+ switch (proto) {
+
+ case SEPOL_PROTO_IP4:
+ {
+ head = policydb->ocontexts[OCON_NODE];
+ for (c = head; c; c = c->next) {
+ unsigned int *addr2 = &c->u.node.addr;
+ unsigned int *mask2 = &c->u.node.mask;
+
+ if (!memcmp(addr, addr2, 4) &&
+ !memcmp(mask, mask2, 4)) {
+
+ *response = 1;
+ return STATUS_SUCCESS;
+ }
+ }
+ break;
+ }
+ case SEPOL_PROTO_IP6:
+ {
+ head = policydb->ocontexts[OCON_NODE6];
+ for (c = head; c; c = c->next) {
+ unsigned int *addr2 = c->u.node6.addr;
+ unsigned int *mask2 = c->u.node6.mask;
+
+ if (!memcmp(addr, addr2, 16) &&
+ !memcmp(mask, mask2, 16)) {
+ *response = 1;
+ return STATUS_SUCCESS;
+ }
+ }
+ break;
+ }
+ default:
+ ERR(handle, "unsupported protocol %u", proto);
+ goto err;
+ }
+
+ *response = 0;
+ return STATUS_SUCCESS;
+
+ err:
+ ERR(handle, "could not check if node %s/%s (%s) exists",
+ addr, mask, sepol_node_get_proto_str(proto));
+ return STATUS_ERR;
+}
+
+/* Query a node */
+int sepol_node_query(sepol_handle_t * handle,
+ const sepol_policydb_t * p,
+ const sepol_node_key_t * key, sepol_node_t ** response)
+{
+
+ const policydb_t *policydb = &p->p;
+ ocontext_t *c, *head;
+
+ int proto;
+ const char *addr, *mask;
+ sepol_node_key_unpack(key, &addr, &mask, &proto);
+
+ switch (proto) {
+
+ case SEPOL_PROTO_IP4:
+ {
+ head = policydb->ocontexts[OCON_NODE];
+ for (c = head; c; c = c->next) {
+ unsigned int *addr2 = &c->u.node.addr;
+ unsigned int *mask2 = &c->u.node.mask;
+
+ if (!memcmp(addr, addr2, 4) &&
+ !memcmp(mask, mask2, 4)) {
+
+ if (node_to_record(handle, policydb,
+ c, SEPOL_PROTO_IP4,
+ response) < 0)
+ goto err;
+ return STATUS_SUCCESS;
+ }
+ }
+ break;
+ }
+ case SEPOL_PROTO_IP6:
+ {
+ head = policydb->ocontexts[OCON_NODE6];
+ for (c = head; c; c = c->next) {
+ unsigned int *addr2 = c->u.node6.addr;
+ unsigned int *mask2 = c->u.node6.mask;
+
+ if (!memcmp(addr, addr2, 16) &&
+ !memcmp(mask, mask2, 16)) {
+
+ if (node_to_record(handle, policydb,
+ c, SEPOL_PROTO_IP6,
+ response) < 0)
+ goto err;
+ }
+ }
+ break;
+ }
+ default:
+ ERR(handle, "unsupported protocol %u", proto);
+ goto err;
+ }
+ *response = NULL;
+ return STATUS_SUCCESS;
+
+ err:
+ ERR(handle, "could not query node %s/%s (%s)",
+ addr, mask, sepol_node_get_proto_str(proto));
+ return STATUS_ERR;
+
+}
+
+/* Load a node into policy */
+int sepol_node_modify(sepol_handle_t * handle,
+ sepol_policydb_t * p,
+ const sepol_node_key_t * key, const sepol_node_t * data)
+{
+
+ policydb_t *policydb = &p->p;
+ ocontext_t *node = NULL;
+
+ int proto;
+ const char *addr, *mask;
+
+ sepol_node_key_unpack(key, &addr, &mask, &proto);
+
+ if (node_from_record(handle, policydb, &node, data) < 0)
+ goto err;
+
+ switch (proto) {
+
+ case SEPOL_PROTO_IP4:
+ {
+ /* Attach to context list */
+ node->next = policydb->ocontexts[OCON_NODE];
+ policydb->ocontexts[OCON_NODE] = node;
+ break;
+ }
+ case SEPOL_PROTO_IP6:
+ {
+ /* Attach to context list */
+ node->next = policydb->ocontexts[OCON_NODE6];
+ policydb->ocontexts[OCON_NODE6] = node;
+ break;
+ }
+ default:
+ ERR(handle, "unsupported protocol %u", proto);
+ goto err;
+ }
+
+ return STATUS_SUCCESS;
+
+ err:
+ ERR(handle, "could not load node %s/%s (%s)",
+ addr, mask, sepol_node_get_proto_str(proto));
+ if (node != NULL) {
+ context_destroy(&node->context[0]);
+ free(node);
+ }
+ return STATUS_ERR;
+}
+
+int sepol_node_iterate(sepol_handle_t * handle,
+ const sepol_policydb_t * p,
+ int (*fn) (const sepol_node_t * node,
+ void *fn_arg), void *arg)
+{
+
+ const policydb_t *policydb = &p->p;
+ ocontext_t *c, *head;
+ sepol_node_t *node = NULL;
+ int status;
+
+ head = policydb->ocontexts[OCON_NODE];
+ for (c = head; c; c = c->next) {
+ if (node_to_record(handle, policydb, c, SEPOL_PROTO_IP4, &node)
+ < 0)
+ goto err;
+
+ /* Invoke handler */
+ status = fn(node, arg);
+ if (status < 0)
+ goto err;
+
+ sepol_node_free(node);
+ node = NULL;
+
+ /* Handler requested exit */
+ if (status > 0)
+ break;
+ }
+
+ head = policydb->ocontexts[OCON_NODE6];
+ for (c = head; c; c = c->next) {
+ if (node_to_record(handle, policydb, c, SEPOL_PROTO_IP6, &node)
+ < 0)
+ goto err;
+
+ /* Invoke handler */
+ status = fn(node, arg);
+ if (status < 0)
+ goto err;
+
+ sepol_node_free(node);
+ node = NULL;
+
+ /* Handler requested exit */
+ if (status > 0)
+ break;
+ }
+
+ return STATUS_SUCCESS;
+
+ err:
+ ERR(handle, "could not iterate over nodes");
+ sepol_node_free(node);
+ return STATUS_ERR;
+}
diff --git a/src/polcaps.c b/src/polcaps.c
new file mode 100644
index 0000000..71970b1
--- /dev/null
+++ b/src/polcaps.c
@@ -0,0 +1,33 @@
+/*
+ * Policy capability support functions
+ */
+
+#include <string.h>
+#include <sepol/policydb/polcaps.h>
+
+static const char *polcap_names[] = {
+ "network_peer_controls", /* POLICYDB_CAPABILITY_NETPEER */
+ "open_perms", /* POLICYDB_CAPABILITY_OPENPERM */
+ NULL
+};
+
+int sepol_polcap_getnum(const char *name)
+{
+ int capnum;
+
+ for (capnum = 0; capnum <= POLICYDB_CAPABILITY_MAX; capnum++) {
+ if (polcap_names[capnum] == NULL)
+ continue;
+ if (strcasecmp(polcap_names[capnum], name) == 0)
+ return capnum;
+ }
+ return -1;
+}
+
+const char *sepol_polcap_getname(int capnum)
+{
+ if (capnum > POLICYDB_CAPABILITY_MAX)
+ return NULL;
+
+ return polcap_names[capnum];
+}
diff --git a/src/policydb.c b/src/policydb.c
new file mode 100644
index 0000000..53d0fda
--- /dev/null
+++ b/src/policydb.c
@@ -0,0 +1,3843 @@
+
+/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */
+
+/*
+ * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
+ *
+ * Support for enhanced MLS infrastructure.
+ *
+ * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
+ *
+ * Added conditional policy language extensions
+ *
+ * Updated: Red Hat, Inc. James Morris <jmorris@redhat.com>
+ * Fine-grained netlink support
+ * IPv6 support
+ * Code cleanup
+ *
+ * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
+ * Copyright (C) 2003 - 2005 Tresys Technology, LLC
+ * Copyright (C) 2003 - 2007 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+/* FLASK */
+
+/*
+ * Implementation of the policy database.
+ */
+
+#include <assert.h>
+#include <stdlib.h>
+
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/expand.h>
+#include <sepol/policydb/conditional.h>
+#include <sepol/policydb/avrule_block.h>
+#include <sepol/policydb/util.h>
+#include <sepol/policydb/flask.h>
+
+#include "private.h"
+#include "debug.h"
+#include "mls.h"
+
+#define POLICYDB_TARGET_SZ ARRAY_SIZE(policydb_target_strings)
+char *policydb_target_strings[] = { POLICYDB_STRING, POLICYDB_XEN_STRING };
+
+/* These need to be updated if SYM_NUM or OCON_NUM changes */
+static struct policydb_compat_info policydb_compat[] = {
+ {
+ .type = POLICY_KERN,
+ .version = POLICYDB_VERSION_BOUNDARY,
+ .sym_num = SYM_NUM,
+ .ocon_num = OCON_XEN_PCIDEVICE + 1,
+ .target_platform = SEPOL_TARGET_XEN,
+ },
+ {
+ .type = POLICY_KERN,
+ .version = POLICYDB_VERSION_BASE,
+ .sym_num = SYM_NUM - 3,
+ .ocon_num = OCON_FSUSE + 1,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
+ {
+ .type = POLICY_KERN,
+ .version = POLICYDB_VERSION_BOOL,
+ .sym_num = SYM_NUM - 2,
+ .ocon_num = OCON_FSUSE + 1,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
+ {
+ .type = POLICY_KERN,
+ .version = POLICYDB_VERSION_IPV6,
+ .sym_num = SYM_NUM - 2,
+ .ocon_num = OCON_NODE6 + 1,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
+ {
+ .type = POLICY_KERN,
+ .version = POLICYDB_VERSION_NLCLASS,
+ .sym_num = SYM_NUM - 2,
+ .ocon_num = OCON_NODE6 + 1,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
+ {
+ .type = POLICY_KERN,
+ .version = POLICYDB_VERSION_MLS,
+ .sym_num = SYM_NUM,
+ .ocon_num = OCON_NODE6 + 1,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
+ {
+ .type = POLICY_KERN,
+ .version = POLICYDB_VERSION_AVTAB,
+ .sym_num = SYM_NUM,
+ .ocon_num = OCON_NODE6 + 1,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
+ {
+ .type = POLICY_KERN,
+ .version = POLICYDB_VERSION_RANGETRANS,
+ .sym_num = SYM_NUM,
+ .ocon_num = OCON_NODE6 + 1,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
+ {
+ .type = POLICY_KERN,
+ .version = POLICYDB_VERSION_POLCAP,
+ .sym_num = SYM_NUM,
+ .ocon_num = OCON_NODE6 + 1,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
+ {
+ .type = POLICY_KERN,
+ .version = POLICYDB_VERSION_PERMISSIVE,
+ .sym_num = SYM_NUM,
+ .ocon_num = OCON_NODE6 + 1,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
+ {
+ .type = POLICY_KERN,
+ .version = POLICYDB_VERSION_BOUNDARY,
+ .sym_num = SYM_NUM,
+ .ocon_num = OCON_NODE6 + 1,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
+ {
+ .type = POLICY_KERN,
+ .version = POLICYDB_VERSION_FILENAME_TRANS,
+ .sym_num = SYM_NUM,
+ .ocon_num = OCON_NODE6 + 1,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
+ {
+ .type = POLICY_KERN,
+ .version = POLICYDB_VERSION_ROLETRANS,
+ .sym_num = SYM_NUM,
+ .ocon_num = OCON_NODE6 + 1,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
+ {
+ .type = POLICY_BASE,
+ .version = MOD_POLICYDB_VERSION_BASE,
+ .sym_num = SYM_NUM,
+ .ocon_num = OCON_NODE6 + 1,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
+ {
+ .type = POLICY_BASE,
+ .version = MOD_POLICYDB_VERSION_MLS,
+ .sym_num = SYM_NUM,
+ .ocon_num = OCON_NODE6 + 1,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
+ {
+ .type = POLICY_BASE,
+ .version = MOD_POLICYDB_VERSION_MLS_USERS,
+ .sym_num = SYM_NUM,
+ .ocon_num = OCON_NODE6 + 1,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
+ {
+ .type = POLICY_BASE,
+ .version = MOD_POLICYDB_VERSION_POLCAP,
+ .sym_num = SYM_NUM,
+ .ocon_num = OCON_NODE6 + 1,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
+ {
+ .type = POLICY_BASE,
+ .version = MOD_POLICYDB_VERSION_PERMISSIVE,
+ .sym_num = SYM_NUM,
+ .ocon_num = OCON_NODE6 + 1,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
+ {
+ .type = POLICY_BASE,
+ .version = MOD_POLICYDB_VERSION_BOUNDARY,
+ .sym_num = SYM_NUM,
+ .ocon_num = OCON_NODE6 + 1,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
+ {
+ .type = POLICY_BASE,
+ .version = MOD_POLICYDB_VERSION_BOUNDARY_ALIAS,
+ .sym_num = SYM_NUM,
+ .ocon_num = OCON_NODE6 + 1,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
+ {
+ .type = POLICY_BASE,
+ .version = MOD_POLICYDB_VERSION_FILENAME_TRANS,
+ .sym_num = SYM_NUM,
+ .ocon_num = OCON_NODE6 + 1,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
+ {
+ .type = POLICY_BASE,
+ .version = MOD_POLICYDB_VERSION_ROLETRANS,
+ .sym_num = SYM_NUM,
+ .ocon_num = OCON_NODE6 + 1,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
+ {
+ .type = POLICY_BASE,
+ .version = MOD_POLICYDB_VERSION_ROLEATTRIB,
+ .sym_num = SYM_NUM,
+ .ocon_num = OCON_NODE6 + 1,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
+ {
+ .type = POLICY_MOD,
+ .version = MOD_POLICYDB_VERSION_BASE,
+ .sym_num = SYM_NUM,
+ .ocon_num = 0,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
+ {
+ .type = POLICY_MOD,
+ .version = MOD_POLICYDB_VERSION_MLS,
+ .sym_num = SYM_NUM,
+ .ocon_num = 0,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
+ {
+ .type = POLICY_MOD,
+ .version = MOD_POLICYDB_VERSION_MLS_USERS,
+ .sym_num = SYM_NUM,
+ .ocon_num = 0,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
+ {
+ .type = POLICY_MOD,
+ .version = MOD_POLICYDB_VERSION_POLCAP,
+ .sym_num = SYM_NUM,
+ .ocon_num = 0,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
+ {
+ .type = POLICY_MOD,
+ .version = MOD_POLICYDB_VERSION_PERMISSIVE,
+ .sym_num = SYM_NUM,
+ .ocon_num = 0,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
+ {
+ .type = POLICY_MOD,
+ .version = MOD_POLICYDB_VERSION_BOUNDARY,
+ .sym_num = SYM_NUM,
+ .ocon_num = 0,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
+ {
+ .type = POLICY_MOD,
+ .version = MOD_POLICYDB_VERSION_BOUNDARY_ALIAS,
+ .sym_num = SYM_NUM,
+ .ocon_num = 0,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
+ {
+ .type = POLICY_MOD,
+ .version = MOD_POLICYDB_VERSION_FILENAME_TRANS,
+ .sym_num = SYM_NUM,
+ .ocon_num = 0,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
+ {
+ .type = POLICY_MOD,
+ .version = MOD_POLICYDB_VERSION_ROLETRANS,
+ .sym_num = SYM_NUM,
+ .ocon_num = 0,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
+ {
+ .type = POLICY_MOD,
+ .version = MOD_POLICYDB_VERSION_ROLEATTRIB,
+ .sym_num = SYM_NUM,
+ .ocon_num = 0,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
+};
+
+#if 0
+static char *symtab_name[SYM_NUM] = {
+ "common prefixes",
+ "classes",
+ "roles",
+ "types",
+ "users",
+ "bools" mls_symtab_names cond_symtab_names
+};
+#endif
+
+static unsigned int symtab_sizes[SYM_NUM] = {
+ 2,
+ 32,
+ 16,
+ 512,
+ 128,
+ 16,
+ 16,
+ 16,
+};
+
+struct policydb_compat_info *policydb_lookup_compat(unsigned int version,
+ unsigned int type,
+ unsigned int target_platform)
+{
+ unsigned int i;
+ struct policydb_compat_info *info = NULL;
+
+ for (i = 0; i < sizeof(policydb_compat) / sizeof(*info); i++) {
+ if (policydb_compat[i].version == version &&
+ policydb_compat[i].type == type &&
+ policydb_compat[i].target_platform == target_platform) {
+ info = &policydb_compat[i];
+ break;
+ }
+ }
+ return info;
+}
+
+void type_set_init(type_set_t * x)
+{
+ memset(x, 0, sizeof(type_set_t));
+ ebitmap_init(&x->types);
+ ebitmap_init(&x->negset);
+}
+
+void type_set_destroy(type_set_t * x)
+{
+ if (x != NULL) {
+ ebitmap_destroy(&x->types);
+ ebitmap_destroy(&x->negset);
+ }
+}
+
+void role_set_init(role_set_t * x)
+{
+ memset(x, 0, sizeof(role_set_t));
+ ebitmap_init(&x->roles);
+}
+
+void role_set_destroy(role_set_t * x)
+{
+ ebitmap_destroy(&x->roles);
+}
+
+void role_datum_init(role_datum_t * x)
+{
+ memset(x, 0, sizeof(role_datum_t));
+ ebitmap_init(&x->dominates);
+ type_set_init(&x->types);
+ ebitmap_init(&x->cache);
+ ebitmap_init(&x->roles);
+}
+
+void role_datum_destroy(role_datum_t * x)
+{
+ if (x != NULL) {
+ ebitmap_destroy(&x->dominates);
+ type_set_destroy(&x->types);
+ ebitmap_destroy(&x->cache);
+ ebitmap_destroy(&x->roles);
+ }
+}
+
+void type_datum_init(type_datum_t * x)
+{
+ memset(x, 0, sizeof(*x));
+ ebitmap_init(&x->types);
+}
+
+void type_datum_destroy(type_datum_t * x)
+{
+ if (x != NULL) {
+ ebitmap_destroy(&x->types);
+ }
+}
+
+void user_datum_init(user_datum_t * x)
+{
+ memset(x, 0, sizeof(user_datum_t));
+ role_set_init(&x->roles);
+ mls_semantic_range_init(&x->range);
+ mls_semantic_level_init(&x->dfltlevel);
+ ebitmap_init(&x->cache);
+ mls_range_init(&x->exp_range);
+ mls_level_init(&x->exp_dfltlevel);
+}
+
+void user_datum_destroy(user_datum_t * x)
+{
+ if (x != NULL) {
+ role_set_destroy(&x->roles);
+ mls_semantic_range_destroy(&x->range);
+ mls_semantic_level_destroy(&x->dfltlevel);
+ ebitmap_destroy(&x->cache);
+ mls_range_destroy(&x->exp_range);
+ mls_level_destroy(&x->exp_dfltlevel);
+ }
+}
+
+void level_datum_init(level_datum_t * x)
+{
+ memset(x, 0, sizeof(level_datum_t));
+}
+
+void level_datum_destroy(level_datum_t * x __attribute__ ((unused)))
+{
+ /* the mls_level_t referenced by the level_datum is managed
+ * separately for now, so there is nothing to destroy */
+ return;
+}
+
+void cat_datum_init(cat_datum_t * x)
+{
+ memset(x, 0, sizeof(cat_datum_t));
+}
+
+void cat_datum_destroy(cat_datum_t * x __attribute__ ((unused)))
+{
+ /* it's currently a simple struct - really nothing to destroy */
+ return;
+}
+
+void class_perm_node_init(class_perm_node_t * x)
+{
+ memset(x, 0, sizeof(class_perm_node_t));
+}
+
+void avrule_init(avrule_t * x)
+{
+ memset(x, 0, sizeof(avrule_t));
+ type_set_init(&x->stypes);
+ type_set_init(&x->ttypes);
+}
+
+void avrule_destroy(avrule_t * x)
+{
+ class_perm_node_t *cur, *next;
+
+ if (x == NULL) {
+ return;
+ }
+ type_set_destroy(&x->stypes);
+ type_set_destroy(&x->ttypes);
+
+ next = x->perms;
+ while (next) {
+ cur = next;
+ next = cur->next;
+ free(cur);
+ }
+}
+
+void role_trans_rule_init(role_trans_rule_t * x)
+{
+ memset(x, 0, sizeof(*x));
+ role_set_init(&x->roles);
+ type_set_init(&x->types);
+ ebitmap_init(&x->classes);
+}
+
+void role_trans_rule_destroy(role_trans_rule_t * x)
+{
+ if (x != NULL) {
+ role_set_destroy(&x->roles);
+ type_set_destroy(&x->types);
+ ebitmap_destroy(&x->classes);
+ }
+}
+
+void role_trans_rule_list_destroy(role_trans_rule_t * x)
+{
+ while (x != NULL) {
+ role_trans_rule_t *next = x->next;
+ role_trans_rule_destroy(x);
+ free(x);
+ x = next;
+ }
+}
+
+void filename_trans_rule_init(filename_trans_rule_t * x)
+{
+ memset(x, 0, sizeof(*x));
+ type_set_init(&x->stypes);
+ type_set_init(&x->ttypes);
+}
+
+static void filename_trans_rule_destroy(filename_trans_rule_t * x)
+{
+ if (!x)
+ return;
+ type_set_destroy(&x->stypes);
+ type_set_destroy(&x->ttypes);
+ free(x->name);
+}
+
+void filename_trans_rule_list_destroy(filename_trans_rule_t * x)
+{
+ filename_trans_rule_t *next;
+ while (x) {
+ next = x->next;
+ filename_trans_rule_destroy(x);
+ free(x);
+ x = next;
+ }
+}
+
+void role_allow_rule_init(role_allow_rule_t * x)
+{
+ memset(x, 0, sizeof(role_allow_rule_t));
+ role_set_init(&x->roles);
+ role_set_init(&x->new_roles);
+}
+
+void role_allow_rule_destroy(role_allow_rule_t * x)
+{
+ role_set_destroy(&x->roles);
+ role_set_destroy(&x->new_roles);
+}
+
+void role_allow_rule_list_destroy(role_allow_rule_t * x)
+{
+ while (x != NULL) {
+ role_allow_rule_t *next = x->next;
+ role_allow_rule_destroy(x);
+ free(x);
+ x = next;
+ }
+}
+
+void range_trans_rule_init(range_trans_rule_t * x)
+{
+ type_set_init(&x->stypes);
+ type_set_init(&x->ttypes);
+ ebitmap_init(&x->tclasses);
+ mls_semantic_range_init(&x->trange);
+ x->next = NULL;
+}
+
+void range_trans_rule_destroy(range_trans_rule_t * x)
+{
+ type_set_destroy(&x->stypes);
+ type_set_destroy(&x->ttypes);
+ ebitmap_destroy(&x->tclasses);
+ mls_semantic_range_destroy(&x->trange);
+}
+
+void range_trans_rule_list_destroy(range_trans_rule_t * x)
+{
+ while (x != NULL) {
+ range_trans_rule_t *next = x->next;
+ range_trans_rule_destroy(x);
+ free(x);
+ x = next;
+ }
+}
+
+void avrule_list_destroy(avrule_t * x)
+{
+ avrule_t *next, *cur;
+
+ if (!x)
+ return;
+
+ next = x;
+ while (next) {
+ cur = next;
+ next = next->next;
+ avrule_destroy(cur);
+ free(cur);
+ }
+}
+
+/*
+ * Initialize the role table by implicitly adding role 'object_r'. If
+ * the policy is a module, set object_r's scope to be SCOPE_REQ,
+ * otherwise set it to SCOPE_DECL.
+ */
+static int roles_init(policydb_t * p)
+{
+ char *key = 0;
+ int rc;
+ role_datum_t *role;
+
+ role = calloc(1, sizeof(role_datum_t));
+ if (!role) {
+ rc = -ENOMEM;
+ goto out;
+ }
+ key = malloc(strlen(OBJECT_R) + 1);
+ if (!key) {
+ rc = -ENOMEM;
+ goto out_free_role;
+ }
+ strcpy(key, OBJECT_R);
+ rc = symtab_insert(p, SYM_ROLES, key, role,
+ (p->policy_type ==
+ POLICY_MOD ? SCOPE_REQ : SCOPE_DECL), 1,
+ &role->s.value);
+ if (rc)
+ goto out_free_key;
+ if (role->s.value != OBJECT_R_VAL) {
+ rc = -EINVAL;
+ goto out_free_role;
+ }
+ out:
+ return rc;
+
+ out_free_key:
+ free(key);
+ out_free_role:
+ free(role);
+ goto out;
+}
+
+/*
+ * Initialize a policy database structure.
+ */
+int policydb_init(policydb_t * p)
+{
+ int i, rc;
+
+ memset(p, 0, sizeof(policydb_t));
+
+ ebitmap_init(&p->policycaps);
+
+ ebitmap_init(&p->permissive_map);
+
+ for (i = 0; i < SYM_NUM; i++) {
+ p->sym_val_to_name[i] = NULL;
+ rc = symtab_init(&p->symtab[i], symtab_sizes[i]);
+ if (rc)
+ goto out_free_symtab;
+ }
+
+ /* initialize the module stuff */
+ for (i = 0; i < SYM_NUM; i++) {
+ if (symtab_init(&p->scope[i], symtab_sizes[i])) {
+ goto out_free_symtab;
+ }
+ }
+ if ((p->global = avrule_block_create()) == NULL ||
+ (p->global->branch_list = avrule_decl_create(1)) == NULL) {
+ goto out_free_symtab;
+ }
+ p->decl_val_to_struct = NULL;
+
+ rc = avtab_init(&p->te_avtab);
+ if (rc)
+ goto out_free_symtab;
+
+ rc = roles_init(p);
+ if (rc)
+ goto out_free_symtab;
+
+ rc = cond_policydb_init(p);
+ if (rc)
+ goto out_free_symtab;
+ out:
+ return rc;
+
+ out_free_symtab:
+ for (i = 0; i < SYM_NUM; i++) {
+ hashtab_destroy(p->symtab[i].table);
+ hashtab_destroy(p->scope[i].table);
+ }
+ avrule_block_list_destroy(p->global);
+ goto out;
+}
+
+int policydb_role_cache(hashtab_key_t key
+ __attribute__ ((unused)), hashtab_datum_t datum,
+ void *arg)
+{
+ policydb_t *p;
+ role_datum_t *role;
+
+ role = (role_datum_t *) datum;
+ p = (policydb_t *) arg;
+
+ ebitmap_destroy(&role->cache);
+ if (type_set_expand(&role->types, &role->cache, p, 1)) {
+ return -1;
+ }
+
+ return 0;
+}
+
+int policydb_user_cache(hashtab_key_t key
+ __attribute__ ((unused)), hashtab_datum_t datum,
+ void *arg)
+{
+ policydb_t *p;
+ user_datum_t *user;
+
+ user = (user_datum_t *) datum;
+ p = (policydb_t *) arg;
+
+ ebitmap_destroy(&user->cache);
+ if (role_set_expand(&user->roles, &user->cache, p, NULL, NULL)) {
+ return -1;
+ }
+
+ /* we do not expand user's MLS info in kernel policies because the
+ * semantic representation is not present and we do not expand user's
+ * MLS info in module policies because all of the necessary mls
+ * information is not present */
+ if (p->policy_type != POLICY_KERN && p->policy_type != POLICY_MOD) {
+ mls_range_destroy(&user->exp_range);
+ if (mls_semantic_range_expand(&user->range,
+ &user->exp_range, p, NULL)) {
+ return -1;
+ }
+
+ mls_level_destroy(&user->exp_dfltlevel);
+ if (mls_semantic_level_expand(&user->dfltlevel,
+ &user->exp_dfltlevel, p, NULL)) {
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
+/*
+ * The following *_index functions are used to
+ * define the val_to_name and val_to_struct arrays
+ * in a policy database structure. The val_to_name
+ * arrays are used when converting security context
+ * structures into string representations. The
+ * val_to_struct arrays are used when the attributes
+ * of a class, role, or user are needed.
+ */
+
+static int common_index(hashtab_key_t key, hashtab_datum_t datum, void *datap)
+{
+ policydb_t *p;
+ common_datum_t *comdatum;
+
+ comdatum = (common_datum_t *) datum;
+ p = (policydb_t *) datap;
+ if (!comdatum->s.value || comdatum->s.value > p->p_commons.nprim)
+ return -EINVAL;
+ p->p_common_val_to_name[comdatum->s.value - 1] = (char *)key;
+
+ return 0;
+}
+
+static int class_index(hashtab_key_t key, hashtab_datum_t datum, void *datap)
+{
+ policydb_t *p;
+ class_datum_t *cladatum;
+
+ cladatum = (class_datum_t *) datum;
+ p = (policydb_t *) datap;
+ if (!cladatum->s.value || cladatum->s.value > p->p_classes.nprim)
+ return -EINVAL;
+ p->p_class_val_to_name[cladatum->s.value - 1] = (char *)key;
+ p->class_val_to_struct[cladatum->s.value - 1] = cladatum;
+
+ return 0;
+}
+
+static int role_index(hashtab_key_t key, hashtab_datum_t datum, void *datap)
+{
+ policydb_t *p;
+ role_datum_t *role;
+
+ role = (role_datum_t *) datum;
+ p = (policydb_t *) datap;
+ if (!role->s.value || role->s.value > p->p_roles.nprim)
+ return -EINVAL;
+ p->p_role_val_to_name[role->s.value - 1] = (char *)key;
+ p->role_val_to_struct[role->s.value - 1] = role;
+
+ return 0;
+}
+
+static int type_index(hashtab_key_t key, hashtab_datum_t datum, void *datap)
+{
+ policydb_t *p;
+ type_datum_t *typdatum;
+
+ typdatum = (type_datum_t *) datum;
+ p = (policydb_t *) datap;
+
+ if (typdatum->primary) {
+ if (!typdatum->s.value || typdatum->s.value > p->p_types.nprim)
+ return -EINVAL;
+ p->p_type_val_to_name[typdatum->s.value - 1] = (char *)key;
+ p->type_val_to_struct[typdatum->s.value - 1] = typdatum;
+ }
+
+ return 0;
+}
+
+static int user_index(hashtab_key_t key, hashtab_datum_t datum, void *datap)
+{
+ policydb_t *p;
+ user_datum_t *usrdatum;
+
+ usrdatum = (user_datum_t *) datum;
+ p = (policydb_t *) datap;
+
+ if (!usrdatum->s.value || usrdatum->s.value > p->p_users.nprim)
+ return -EINVAL;
+
+ p->p_user_val_to_name[usrdatum->s.value - 1] = (char *)key;
+ p->user_val_to_struct[usrdatum->s.value - 1] = usrdatum;
+
+ return 0;
+}
+
+static int sens_index(hashtab_key_t key, hashtab_datum_t datum, void *datap)
+{
+ policydb_t *p;
+ level_datum_t *levdatum;
+
+ levdatum = (level_datum_t *) datum;
+ p = (policydb_t *) datap;
+
+ if (!levdatum->isalias) {
+ if (!levdatum->level->sens ||
+ levdatum->level->sens > p->p_levels.nprim)
+ return -EINVAL;
+ p->p_sens_val_to_name[levdatum->level->sens - 1] = (char *)key;
+ }
+
+ return 0;
+}
+
+static int cat_index(hashtab_key_t key, hashtab_datum_t datum, void *datap)
+{
+ policydb_t *p;
+ cat_datum_t *catdatum;
+
+ catdatum = (cat_datum_t *) datum;
+ p = (policydb_t *) datap;
+
+ if (!catdatum->isalias) {
+ if (!catdatum->s.value || catdatum->s.value > p->p_cats.nprim)
+ return -EINVAL;
+ p->p_cat_val_to_name[catdatum->s.value - 1] = (char *)key;
+ }
+
+ return 0;
+}
+
+static int (*index_f[SYM_NUM]) (hashtab_key_t key, hashtab_datum_t datum,
+ void *datap) = {
+common_index, class_index, role_index, type_index, user_index,
+ cond_index_bool, sens_index, cat_index,};
+
+/*
+ * Define the common val_to_name array and the class
+ * val_to_name and val_to_struct arrays in a policy
+ * database structure.
+ */
+int policydb_index_classes(policydb_t * p)
+{
+ free(p->p_common_val_to_name);
+ p->p_common_val_to_name = (char **)
+ malloc(p->p_commons.nprim * sizeof(char *));
+ if (!p->p_common_val_to_name)
+ return -1;
+
+ if (hashtab_map(p->p_commons.table, common_index, p))
+ return -1;
+
+ free(p->class_val_to_struct);
+ p->class_val_to_struct = (class_datum_t **)
+ malloc(p->p_classes.nprim * sizeof(class_datum_t *));
+ if (!p->class_val_to_struct)
+ return -1;
+
+ free(p->p_class_val_to_name);
+ p->p_class_val_to_name = (char **)
+ malloc(p->p_classes.nprim * sizeof(char *));
+ if (!p->p_class_val_to_name)
+ return -1;
+
+ if (hashtab_map(p->p_classes.table, class_index, p))
+ return -1;
+
+ return 0;
+}
+
+int policydb_index_bools(policydb_t * p)
+{
+
+ if (cond_init_bool_indexes(p) == -1)
+ return -1;
+ p->p_bool_val_to_name = (char **)
+ malloc(p->p_bools.nprim * sizeof(char *));
+ if (!p->p_bool_val_to_name)
+ return -1;
+ if (hashtab_map(p->p_bools.table, cond_index_bool, p))
+ return -1;
+ return 0;
+}
+
+int policydb_index_decls(policydb_t * p)
+{
+ avrule_block_t *curblock;
+ avrule_decl_t *decl;
+ int num_decls = 0;
+
+ free(p->decl_val_to_struct);
+
+ for (curblock = p->global; curblock != NULL; curblock = curblock->next) {
+ for (decl = curblock->branch_list; decl != NULL;
+ decl = decl->next) {
+ num_decls++;
+ }
+ }
+
+ p->decl_val_to_struct =
+ calloc(num_decls, sizeof(*(p->decl_val_to_struct)));
+ if (!p->decl_val_to_struct) {
+ return -1;
+ }
+
+ for (curblock = p->global; curblock != NULL; curblock = curblock->next) {
+ for (decl = curblock->branch_list; decl != NULL;
+ decl = decl->next) {
+ p->decl_val_to_struct[decl->decl_id - 1] = decl;
+ }
+ }
+
+ return 0;
+}
+
+/*
+ * Define the other val_to_name and val_to_struct arrays
+ * in a policy database structure.
+ */
+int policydb_index_others(sepol_handle_t * handle,
+ policydb_t * p, unsigned verbose)
+{
+ int i;
+
+ if (verbose) {
+ INFO(handle,
+ "security: %d users, %d roles, %d types, %d bools",
+ p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim,
+ p->p_bools.nprim);
+
+ if (p->mls)
+ INFO(handle, "security: %d sens, %d cats",
+ p->p_levels.nprim, p->p_cats.nprim);
+
+ INFO(handle, "security: %d classes, %d rules, %d cond rules",
+ p->p_classes.nprim, p->te_avtab.nel, p->te_cond_avtab.nel);
+ }
+#if 0
+ avtab_hash_eval(&p->te_avtab, "rules");
+ for (i = 0; i < SYM_NUM; i++)
+ hashtab_hash_eval(p->symtab[i].table, symtab_name[i]);
+#endif
+
+ free(p->role_val_to_struct);
+ p->role_val_to_struct = (role_datum_t **)
+ malloc(p->p_roles.nprim * sizeof(role_datum_t *));
+ if (!p->role_val_to_struct)
+ return -1;
+
+ free(p->user_val_to_struct);
+ p->user_val_to_struct = (user_datum_t **)
+ malloc(p->p_users.nprim * sizeof(user_datum_t *));
+ if (!p->user_val_to_struct)
+ return -1;
+
+ free(p->type_val_to_struct);
+ p->type_val_to_struct = (type_datum_t **)
+ calloc(p->p_types.nprim, sizeof(type_datum_t *));
+ if (!p->type_val_to_struct)
+ return -1;
+
+ cond_init_bool_indexes(p);
+
+ for (i = SYM_ROLES; i < SYM_NUM; i++) {
+ free(p->sym_val_to_name[i]);
+ p->sym_val_to_name[i] = NULL;
+ if (p->symtab[i].nprim) {
+ p->sym_val_to_name[i] = (char **)
+ calloc(p->symtab[i].nprim, sizeof(char *));
+ if (!p->sym_val_to_name[i])
+ return -1;
+ if (hashtab_map(p->symtab[i].table, index_f[i], p))
+ return -1;
+ }
+ }
+
+ /* This pre-expands the roles and users for context validity checking */
+ if (hashtab_map(p->p_roles.table, policydb_role_cache, p))
+ return -1;
+
+ if (hashtab_map(p->p_users.table, policydb_user_cache, p))
+ return -1;
+
+ return 0;
+}
+
+/*
+ * The following *_destroy functions are used to
+ * free any memory allocated for each kind of
+ * symbol data in the policy database.
+ */
+
+static int perm_destroy(hashtab_key_t key, hashtab_datum_t datum, void *p
+ __attribute__ ((unused)))
+{
+ if (key)
+ free(key);
+ free(datum);
+ return 0;
+}
+
+static int common_destroy(hashtab_key_t key, hashtab_datum_t datum, void *p
+ __attribute__ ((unused)))
+{
+ common_datum_t *comdatum;
+
+ if (key)
+ free(key);
+ comdatum = (common_datum_t *) datum;
+ hashtab_map(comdatum->permissions.table, perm_destroy, 0);
+ hashtab_destroy(comdatum->permissions.table);
+ free(datum);
+ return 0;
+}
+
+static int class_destroy(hashtab_key_t key, hashtab_datum_t datum, void *p
+ __attribute__ ((unused)))
+{
+ class_datum_t *cladatum;
+ constraint_node_t *constraint, *ctemp;
+ constraint_expr_t *e, *etmp;
+
+ if (key)
+ free(key);
+ cladatum = (class_datum_t *) datum;
+ if (cladatum == NULL) {
+ return 0;
+ }
+ hashtab_map(cladatum->permissions.table, perm_destroy, 0);
+ hashtab_destroy(cladatum->permissions.table);
+ constraint = cladatum->constraints;
+ while (constraint) {
+ e = constraint->expr;
+ while (e) {
+ etmp = e;
+ e = e->next;
+ constraint_expr_destroy(etmp);
+ }
+ ctemp = constraint;
+ constraint = constraint->next;
+ free(ctemp);
+ }
+
+ constraint = cladatum->validatetrans;
+ while (constraint) {
+ e = constraint->expr;
+ while (e) {
+ etmp = e;
+ e = e->next;
+ constraint_expr_destroy(etmp);
+ }
+ ctemp = constraint;
+ constraint = constraint->next;
+ free(ctemp);
+ }
+
+ if (cladatum->comkey)
+ free(cladatum->comkey);
+ free(datum);
+ return 0;
+}
+
+static int role_destroy(hashtab_key_t key, hashtab_datum_t datum, void *p
+ __attribute__ ((unused)))
+{
+ free(key);
+ role_datum_destroy((role_datum_t *) datum);
+ free(datum);
+ return 0;
+}
+
+static int type_destroy(hashtab_key_t key, hashtab_datum_t datum, void *p
+ __attribute__ ((unused)))
+{
+ free(key);
+ type_datum_destroy((type_datum_t *) datum);
+ free(datum);
+ return 0;
+}
+
+static int user_destroy(hashtab_key_t key, hashtab_datum_t datum, void *p
+ __attribute__ ((unused)))
+{
+ free(key);
+ user_datum_destroy((user_datum_t *) datum);
+ free(datum);
+ return 0;
+}
+
+static int sens_destroy(hashtab_key_t key, hashtab_datum_t datum, void *p
+ __attribute__ ((unused)))
+{
+ level_datum_t *levdatum;
+
+ if (key)
+ free(key);
+ levdatum = (level_datum_t *) datum;
+ mls_level_destroy(levdatum->level);
+ free(levdatum->level);
+ level_datum_destroy(levdatum);
+ free(levdatum);
+ return 0;
+}
+
+static int cat_destroy(hashtab_key_t key, hashtab_datum_t datum, void *p
+ __attribute__ ((unused)))
+{
+ if (key)
+ free(key);
+ cat_datum_destroy((cat_datum_t *) datum);
+ free(datum);
+ return 0;
+}
+
+static int (*destroy_f[SYM_NUM]) (hashtab_key_t key, hashtab_datum_t datum,
+ void *datap) = {
+common_destroy, class_destroy, role_destroy, type_destroy, user_destroy,
+ cond_destroy_bool, sens_destroy, cat_destroy,};
+
+void ocontext_selinux_free(ocontext_t **ocontexts)
+{
+ ocontext_t *c, *ctmp;
+ int i;
+
+ for (i = 0; i < OCON_NUM; i++) {
+ c = ocontexts[i];
+ while (c) {
+ ctmp = c;
+ c = c->next;
+ context_destroy(&ctmp->context[0]);
+ context_destroy(&ctmp->context[1]);
+ if (i == OCON_ISID || i == OCON_FS || i == OCON_NETIF
+ || i == OCON_FSUSE)
+ free(ctmp->u.name);
+ free(ctmp);
+ }
+ }
+}
+
+void ocontext_xen_free(ocontext_t **ocontexts)
+{
+ ocontext_t *c, *ctmp;
+ int i;
+
+ for (i = 0; i < OCON_NUM; i++) {
+ c = ocontexts[i];
+ while (c) {
+ ctmp = c;
+ c = c->next;
+ context_destroy(&ctmp->context[0]);
+ context_destroy(&ctmp->context[1]);
+ if (i == OCON_ISID)
+ free(ctmp->u.name);
+ free(ctmp);
+ }
+ }
+}
+
+/*
+ * Free any memory allocated by a policy database structure.
+ */
+void policydb_destroy(policydb_t * p)
+{
+ ocontext_t *c, *ctmp;
+ genfs_t *g, *gtmp;
+ unsigned int i;
+ role_allow_t *ra, *lra = NULL;
+ role_trans_t *tr, *ltr = NULL;
+ range_trans_t *rt, *lrt = NULL;
+ filename_trans_t *ft, *nft;
+
+ if (!p)
+ return;
+
+ ebitmap_destroy(&p->policycaps);
+
+ ebitmap_destroy(&p->permissive_map);
+
+ symtabs_destroy(p->symtab);
+
+ for (i = 0; i < SYM_NUM; i++) {
+ if (p->sym_val_to_name[i])
+ free(p->sym_val_to_name[i]);
+ }
+
+ if (p->class_val_to_struct)
+ free(p->class_val_to_struct);
+ if (p->role_val_to_struct)
+ free(p->role_val_to_struct);
+ if (p->user_val_to_struct)
+ free(p->user_val_to_struct);
+ if (p->type_val_to_struct)
+ free(p->type_val_to_struct);
+ free(p->decl_val_to_struct);
+
+ for (i = 0; i < SYM_NUM; i++) {
+ hashtab_map(p->scope[i].table, scope_destroy, 0);
+ hashtab_destroy(p->scope[i].table);
+ }
+ avrule_block_list_destroy(p->global);
+ free(p->name);
+ free(p->version);
+
+ avtab_destroy(&p->te_avtab);
+
+ if (p->target_platform == SEPOL_TARGET_SELINUX)
+ ocontext_selinux_free(p->ocontexts);
+ else if (p->target_platform == SEPOL_TARGET_XEN)
+ ocontext_xen_free(p->ocontexts);
+
+ g = p->genfs;
+ while (g) {
+ free(g->fstype);
+ c = g->head;
+ while (c) {
+ ctmp = c;
+ c = c->next;
+ context_destroy(&ctmp->context[0]);
+ free(ctmp->u.name);
+ free(ctmp);
+ }
+ gtmp = g;
+ g = g->next;
+ free(gtmp);
+ }
+ cond_policydb_destroy(p);
+
+ for (tr = p->role_tr; tr; tr = tr->next) {
+ if (ltr)
+ free(ltr);
+ ltr = tr;
+ }
+ if (ltr)
+ free(ltr);
+
+ ft = p->filename_trans;
+ while (ft) {
+ nft = ft->next;
+ free(ft->name);
+ free(ft);
+ ft = nft;
+ }
+
+ for (ra = p->role_allow; ra; ra = ra->next) {
+ if (lra)
+ free(lra);
+ lra = ra;
+ }
+ if (lra)
+ free(lra);
+
+ for (rt = p->range_tr; rt; rt = rt->next) {
+ if (lrt) {
+ ebitmap_destroy(&lrt->target_range.level[0].cat);
+ ebitmap_destroy(&lrt->target_range.level[1].cat);
+ free(lrt);
+ }
+ lrt = rt;
+ }
+ if (lrt) {
+ ebitmap_destroy(&lrt->target_range.level[0].cat);
+ ebitmap_destroy(&lrt->target_range.level[1].cat);
+ free(lrt);
+ }
+
+ if (p->type_attr_map) {
+ for (i = 0; i < p->p_types.nprim; i++) {
+ ebitmap_destroy(&p->type_attr_map[i]);
+ }
+ free(p->type_attr_map);
+ }
+
+ if (p->attr_type_map) {
+ for (i = 0; i < p->p_types.nprim; i++) {
+ ebitmap_destroy(&p->attr_type_map[i]);
+ }
+ free(p->attr_type_map);
+ }
+
+ return;
+}
+
+void symtabs_destroy(symtab_t * symtab)
+{
+ int i;
+ for (i = 0; i < SYM_NUM; i++) {
+ hashtab_map(symtab[i].table, destroy_f[i], 0);
+ hashtab_destroy(symtab[i].table);
+ }
+}
+
+int scope_destroy(hashtab_key_t key, hashtab_datum_t datum, void *p
+ __attribute__ ((unused)))
+{
+ scope_datum_t *cur = (scope_datum_t *) datum;
+ free(key);
+ if (cur != NULL) {
+ free(cur->decl_ids);
+ }
+ free(cur);
+ return 0;
+}
+
+hashtab_destroy_func_t get_symtab_destroy_func(int sym_num)
+{
+ if (sym_num < 0 || sym_num >= SYM_NUM) {
+ return NULL;
+ }
+ return (hashtab_destroy_func_t) destroy_f[sym_num];
+}
+
+/*
+ * Load the initial SIDs specified in a policy database
+ * structure into a SID table.
+ */
+int policydb_load_isids(policydb_t * p, sidtab_t * s)
+{
+ ocontext_t *head, *c;
+
+ if (sepol_sidtab_init(s)) {
+ ERR(NULL, "out of memory on SID table init");
+ return -1;
+ }
+
+ head = p->ocontexts[OCON_ISID];
+ for (c = head; c; c = c->next) {
+ if (!c->context[0].user) {
+ ERR(NULL, "SID %s was never defined", c->u.name);
+ return -1;
+ }
+ if (sepol_sidtab_insert(s, c->sid[0], &c->context[0])) {
+ ERR(NULL, "unable to load initial SID %s", c->u.name);
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
+/* Declare a symbol for a certain avrule_block context. Insert it
+ * into a symbol table for a policy. This function will handle
+ * inserting the appropriate scope information in addition to
+ * inserting the symbol into the hash table.
+ *
+ * arguments:
+ * policydb_t *pol module policy to modify
+ * uint32_t sym the symbole table for insertion (SYM_*)
+ * hashtab_key_t key the key for the symbol - not cloned
+ * hashtab_datum_t data the data for the symbol - not cloned
+ * scope scope of this symbol, either SCOPE_REQ or SCOPE_DECL
+ * avrule_decl_id identifier for this symbol's encapsulating declaration
+ * value (out) assigned value to the symbol (if value is not NULL)
+ *
+ * returns:
+ * 0 success
+ * 1 success, but symbol already existed as a requirement
+ * (datum was not inserted and needs to be free()d)
+ * -1 general error
+ * -2 scope conflicted
+ * -ENOMEM memory error
+ * error codes from hashtab_insert
+ */
+int symtab_insert(policydb_t * pol, uint32_t sym,
+ hashtab_key_t key, hashtab_datum_t datum,
+ uint32_t scope, uint32_t avrule_decl_id, uint32_t * value)
+{
+ int rc, retval = 0;
+ unsigned int i;
+ scope_datum_t *scope_datum;
+
+ /* check if the symbol is already there. multiple
+ * declarations of non-roles/non-users are illegal, but
+ * multiple requires are allowed. */
+
+ /* FIX ME - the failures after the hashtab_insert will leave
+ * the policy in a inconsistent state. */
+ rc = hashtab_insert(pol->symtab[sym].table, key, datum);
+ if (rc == SEPOL_OK) {
+ /* if no value is passed in the symbol is not primary
+ * (i.e. aliases) */
+ if (value)
+ *value = ++pol->symtab[sym].nprim;
+ } else if (rc == SEPOL_EEXIST) {
+ retval = 1; /* symbol not added -- need to free() later */
+ } else {
+ return rc;
+ }
+
+ /* get existing scope information; if there is not one then
+ * create it */
+ scope_datum =
+ (scope_datum_t *) hashtab_search(pol->scope[sym].table, key);
+ if (scope_datum == NULL) {
+ hashtab_key_t key2 = strdup((char *)key);
+ if (!key2)
+ return -ENOMEM;
+ if ((scope_datum = malloc(sizeof(*scope_datum))) == NULL) {
+ free(key2);
+ return -ENOMEM;
+ }
+ scope_datum->scope = scope;
+ scope_datum->decl_ids = NULL;
+ scope_datum->decl_ids_len = 0;
+ if ((rc =
+ hashtab_insert(pol->scope[sym].table, key2,
+ scope_datum)) != 0) {
+ free(key2);
+ free(scope_datum);
+ return rc;
+ }
+ } else if (scope_datum->scope == SCOPE_DECL && scope == SCOPE_DECL) {
+ /* disallow multiple declarations for non-roles/users */
+ if (sym != SYM_ROLES && sym != SYM_USERS) {
+ return -2;
+ }
+ /* Further confine that a role attribute can't have the same
+ * name as another regular role, and a role attribute can't
+ * be declared more than once. */
+ if (sym == SYM_ROLES) {
+ role_datum_t *base_role;
+ role_datum_t *cur_role = (role_datum_t *)datum;
+
+ base_role = (role_datum_t *)
+ hashtab_search(pol->symtab[sym].table,
+ key);
+ assert(base_role != NULL);
+
+ if (!((base_role->flavor == ROLE_ROLE) &&
+ (cur_role->flavor == ROLE_ROLE))) {
+ /* Only regular roles are allowed to have
+ * multiple declarations. */
+ return -2;
+ }
+ }
+ } else if (scope_datum->scope == SCOPE_REQ && scope == SCOPE_DECL) {
+ scope_datum->scope = SCOPE_DECL;
+ } else if (scope_datum->scope != scope) {
+ /* This only happens in DECL then REQUIRE case, which is handled by caller */
+ return -2;
+ }
+
+ /* search through the pre-existing list to avoid adding duplicates */
+ for (i = 0; i < scope_datum->decl_ids_len; i++) {
+ if (scope_datum->decl_ids[i] == avrule_decl_id) {
+ /* already there, so don't modify its scope */
+ return retval;
+ }
+ }
+
+ if (add_i_to_a(avrule_decl_id,
+ &scope_datum->decl_ids_len,
+ &scope_datum->decl_ids) == -1) {
+ return -ENOMEM;
+ }
+
+ return retval;
+}
+
+int type_set_or(type_set_t * dst, type_set_t * a, type_set_t * b)
+{
+ type_set_init(dst);
+
+ if (ebitmap_or(&dst->types, &a->types, &b->types)) {
+ return -1;
+ }
+ if (ebitmap_or(&dst->negset, &a->negset, &b->negset)) {
+ return -1;
+ }
+
+ dst->flags |= a->flags;
+ dst->flags |= b->flags;
+
+ return 0;
+}
+
+int type_set_cpy(type_set_t * dst, type_set_t * src)
+{
+ type_set_init(dst);
+
+ dst->flags = src->flags;
+ if (ebitmap_cpy(&dst->types, &src->types))
+ return -1;
+ if (ebitmap_cpy(&dst->negset, &src->negset))
+ return -1;
+
+ return 0;
+}
+
+int type_set_or_eq(type_set_t * dst, type_set_t * other)
+{
+ int ret;
+ type_set_t tmp;
+
+ if (type_set_or(&tmp, dst, other))
+ return -1;
+ type_set_destroy(dst);
+ ret = type_set_cpy(dst, &tmp);
+ type_set_destroy(&tmp);
+
+ return ret;
+}
+
+int role_set_get_role(role_set_t * x, uint32_t role)
+{
+ if (x->flags & ROLE_STAR)
+ return 1;
+
+ if (ebitmap_get_bit(&x->roles, role - 1)) {
+ if (x->flags & ROLE_COMP)
+ return 0;
+ else
+ return 1;
+ } else {
+ if (x->flags & ROLE_COMP)
+ return 1;
+ else
+ return 0;
+ }
+}
+
+/***********************************************************************/
+/* everything below is for policy reads */
+
+/* The following are read functions for module structures */
+
+static int role_set_read(role_set_t * r, struct policy_file *fp)
+{
+ uint32_t buf[1];
+ int rc;
+
+ if (ebitmap_read(&r->roles, fp))
+ return -1;
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ return -1;
+ r->flags = le32_to_cpu(buf[0]);
+
+ return 0;
+}
+
+static int type_set_read(type_set_t * t, struct policy_file *fp)
+{
+ uint32_t buf[1];
+ int rc;
+
+ if (ebitmap_read(&t->types, fp))
+ return -1;
+ if (ebitmap_read(&t->negset, fp))
+ return -1;
+
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ return -1;
+ t->flags = le32_to_cpu(buf[0]);
+
+ return 0;
+}
+
+/*
+ * Read a MLS range structure from a policydb binary
+ * representation file.
+ */
+static int mls_read_range_helper(mls_range_t * r, struct policy_file *fp)
+{
+ uint32_t buf[2], items;
+ int rc;
+
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ goto out;
+
+ items = le32_to_cpu(buf[0]);
+ if (items > ARRAY_SIZE(buf)) {
+ ERR(fp->handle, "range overflow");
+ rc = -EINVAL;
+ goto out;
+ }
+ rc = next_entry(buf, fp, sizeof(uint32_t) * items);
+ if (rc < 0) {
+ ERR(fp->handle, "truncated range");
+ goto out;
+ }
+ r->level[0].sens = le32_to_cpu(buf[0]);
+ if (items > 1)
+ r->level[1].sens = le32_to_cpu(buf[1]);
+ else
+ r->level[1].sens = r->level[0].sens;
+
+ rc = ebitmap_read(&r->level[0].cat, fp);
+ if (rc) {
+ ERR(fp->handle, "error reading low categories");
+ goto out;
+ }
+ if (items > 1) {
+ rc = ebitmap_read(&r->level[1].cat, fp);
+ if (rc) {
+ ERR(fp->handle, "error reading high categories");
+ goto bad_high;
+ }
+ } else {
+ rc = ebitmap_cpy(&r->level[1].cat, &r->level[0].cat);
+ if (rc) {
+ ERR(fp->handle, "out of memory");
+ goto bad_high;
+ }
+ }
+
+ rc = 0;
+ out:
+ return rc;
+ bad_high:
+ ebitmap_destroy(&r->level[0].cat);
+ goto out;
+}
+
+/*
+ * Read a semantic MLS level structure from a policydb binary
+ * representation file.
+ */
+static int mls_read_semantic_level_helper(mls_semantic_level_t * l,
+ struct policy_file *fp)
+{
+ uint32_t buf[2], ncat;
+ unsigned int i;
+ mls_semantic_cat_t *cat;
+ int rc;
+
+ mls_semantic_level_init(l);
+
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
+ if (rc < 0) {
+ ERR(fp->handle, "truncated level");
+ goto bad;
+ }
+ l->sens = le32_to_cpu(buf[0]);
+
+ ncat = le32_to_cpu(buf[1]);
+ for (i = 0; i < ncat; i++) {
+ cat = (mls_semantic_cat_t *) malloc(sizeof(mls_semantic_cat_t));
+ if (!cat) {
+ ERR(fp->handle, "out of memory");
+ goto bad;
+ }
+
+ mls_semantic_cat_init(cat);
+ cat->next = l->cat;
+ l->cat = cat;
+
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
+ if (rc < 0) {
+ ERR(fp->handle, "error reading level categories");
+ goto bad;
+ }
+ cat->low = le32_to_cpu(buf[0]);
+ cat->high = le32_to_cpu(buf[1]);
+ }
+
+ return 0;
+
+ bad:
+ return -EINVAL;
+}
+
+/*
+ * Read a semantic MLS range structure from a policydb binary
+ * representation file.
+ */
+static int mls_read_semantic_range_helper(mls_semantic_range_t * r,
+ struct policy_file *fp)
+{
+ int rc;
+
+ rc = mls_read_semantic_level_helper(&r->level[0], fp);
+ if (rc)
+ return rc;
+
+ rc = mls_read_semantic_level_helper(&r->level[1], fp);
+
+ return rc;
+}
+
+static int mls_level_to_semantic(mls_level_t * l, mls_semantic_level_t * sl)
+{
+ unsigned int i;
+ ebitmap_node_t *cnode;
+ mls_semantic_cat_t *open_cat = NULL;
+
+ mls_semantic_level_init(sl);
+ sl->sens = l->sens;
+ ebitmap_for_each_bit(&l->cat, cnode, i) {
+ if (ebitmap_node_get_bit(cnode, i)) {
+ if (open_cat)
+ continue;
+ open_cat = (mls_semantic_cat_t *)
+ malloc(sizeof(mls_semantic_cat_t));
+ if (!open_cat)
+ return -1;
+
+ mls_semantic_cat_init(open_cat);
+ open_cat->low = i + 1;
+ open_cat->next = sl->cat;
+ sl->cat = open_cat;
+ } else {
+ if (!open_cat)
+ continue;
+ open_cat->high = i;
+ open_cat = NULL;
+ }
+ }
+ if (open_cat)
+ open_cat->high = i;
+
+ return 0;
+}
+
+static int mls_range_to_semantic(mls_range_t * r, mls_semantic_range_t * sr)
+{
+ if (mls_level_to_semantic(&r->level[0], &sr->level[0]))
+ return -1;
+
+ if (mls_level_to_semantic(&r->level[1], &sr->level[1]))
+ return -1;
+
+ return 0;
+}
+
+/*
+ * Read and validate a security context structure
+ * from a policydb binary representation file.
+ */
+static int context_read_and_validate(context_struct_t * c,
+ policydb_t * p, struct policy_file *fp)
+{
+ uint32_t buf[3];
+ int rc;
+
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 3);
+ if (rc < 0) {
+ ERR(fp->handle, "context truncated");
+ return -1;
+ }
+ c->user = le32_to_cpu(buf[0]);
+ c->role = le32_to_cpu(buf[1]);
+ c->type = le32_to_cpu(buf[2]);
+ if ((p->policy_type == POLICY_KERN
+ && p->policyvers >= POLICYDB_VERSION_MLS)
+ || (p->policy_type == POLICY_BASE
+ && p->policyvers >= MOD_POLICYDB_VERSION_MLS)) {
+ if (mls_read_range_helper(&c->range, fp)) {
+ ERR(fp->handle, "error reading MLS range "
+ "of context");
+ return -1;
+ }
+ }
+
+ if (!policydb_context_isvalid(p, c)) {
+ ERR(fp->handle, "invalid security context");
+ context_destroy(c);
+ return -1;
+ }
+ return 0;
+}
+
+/*
+ * The following *_read functions are used to
+ * read the symbol data from a policy database
+ * binary representation file.
+ */
+
+static int perm_read(policydb_t * p
+ __attribute__ ((unused)), hashtab_t h,
+ struct policy_file *fp)
+{
+ char *key = 0;
+ perm_datum_t *perdatum;
+ uint32_t buf[2];
+ size_t len;
+ int rc;
+
+ perdatum = calloc(1, sizeof(perm_datum_t));
+ if (!perdatum)
+ return -1;
+
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
+ if (rc < 0)
+ goto bad;
+
+ len = le32_to_cpu(buf[0]);
+ perdatum->s.value = le32_to_cpu(buf[1]);
+
+ key = malloc(len + 1);
+ if (!key)
+ goto bad;
+ rc = next_entry(key, fp, len);
+ if (rc < 0)
+ goto bad;
+ key[len] = 0;
+
+ if (hashtab_insert(h, key, perdatum))
+ goto bad;
+
+ return 0;
+
+ bad:
+ perm_destroy(key, perdatum, NULL);
+ return -1;
+}
+
+static int common_read(policydb_t * p, hashtab_t h, struct policy_file *fp)
+{
+ char *key = 0;
+ common_datum_t *comdatum;
+ uint32_t buf[4];
+ size_t len, nel;
+ unsigned int i;
+ int rc;
+
+ comdatum = calloc(1, sizeof(common_datum_t));
+ if (!comdatum)
+ return -1;
+
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 4);
+ if (rc < 0)
+ goto bad;
+
+ len = le32_to_cpu(buf[0]);
+ comdatum->s.value = le32_to_cpu(buf[1]);
+
+ if (symtab_init(&comdatum->permissions, PERM_SYMTAB_SIZE))
+ goto bad;
+ comdatum->permissions.nprim = le32_to_cpu(buf[2]);
+ nel = le32_to_cpu(buf[3]);
+
+ key = malloc(len + 1);
+ if (!key)
+ goto bad;
+ rc = next_entry(key, fp, len);
+ if (rc < 0)
+ goto bad;
+ key[len] = 0;
+
+ for (i = 0; i < nel; i++) {
+ if (perm_read(p, comdatum->permissions.table, fp))
+ goto bad;
+ }
+
+ if (hashtab_insert(h, key, comdatum))
+ goto bad;
+
+ return 0;
+
+ bad:
+ common_destroy(key, comdatum, NULL);
+ return -1;
+}
+
+static int read_cons_helper(policydb_t * p, constraint_node_t ** nodep,
+ unsigned int ncons,
+ int allowxtarget, struct policy_file *fp)
+{
+ constraint_node_t *c, *lc;
+ constraint_expr_t *e, *le;
+ uint32_t buf[3];
+ size_t nexpr;
+ unsigned int i, j;
+ int rc, depth;
+
+ lc = NULL;
+ for (i = 0; i < ncons; i++) {
+ c = calloc(1, sizeof(constraint_node_t));
+ if (!c)
+ return -1;
+
+ if (lc)
+ lc->next = c;
+ else
+ *nodep = c;
+
+ rc = next_entry(buf, fp, (sizeof(uint32_t) * 2));
+ if (rc < 0)
+ return -1;
+ c->permissions = le32_to_cpu(buf[0]);
+ nexpr = le32_to_cpu(buf[1]);
+ le = NULL;
+ depth = -1;
+ for (j = 0; j < nexpr; j++) {
+ e = malloc(sizeof(constraint_expr_t));
+ if (!e)
+ return -1;
+ if (constraint_expr_init(e) == -1) {
+ free(e);
+ return -1;
+ }
+ if (le) {
+ le->next = e;
+ } else {
+ c->expr = e;
+ }
+
+ rc = next_entry(buf, fp, (sizeof(uint32_t) * 3));
+ if (rc < 0)
+ return -1;
+ e->expr_type = le32_to_cpu(buf[0]);
+ e->attr = le32_to_cpu(buf[1]);
+ e->op = le32_to_cpu(buf[2]);
+
+ switch (e->expr_type) {
+ case CEXPR_NOT:
+ if (depth < 0)
+ return -1;
+ break;
+ case CEXPR_AND:
+ case CEXPR_OR:
+ if (depth < 1)
+ return -1;
+ depth--;
+ break;
+ case CEXPR_ATTR:
+ if (depth == (CEXPR_MAXDEPTH - 1))
+ return -1;
+ depth++;
+ break;
+ case CEXPR_NAMES:
+ if (!allowxtarget && (e->attr & CEXPR_XTARGET))
+ return -1;
+ if (depth == (CEXPR_MAXDEPTH - 1))
+ return -1;
+ depth++;
+ if (ebitmap_read(&e->names, fp))
+ return -1;
+ if (p->policy_type != POLICY_KERN &&
+ type_set_read(e->type_names, fp))
+ return -1;
+ break;
+ default:
+ return -1;
+ }
+ le = e;
+ }
+ if (depth != 0)
+ return -1;
+ lc = c;
+ }
+
+ return 0;
+}
+
+static int class_read(policydb_t * p, hashtab_t h, struct policy_file *fp)
+{
+ char *key = 0;
+ class_datum_t *cladatum;
+ uint32_t buf[6];
+ size_t len, len2, ncons, nel;
+ unsigned int i;
+ int rc;
+
+ cladatum = (class_datum_t *) calloc(1, sizeof(class_datum_t));
+ if (!cladatum)
+ return -1;
+
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 6);
+ if (rc < 0)
+ goto bad;
+
+ len = le32_to_cpu(buf[0]);
+ len2 = le32_to_cpu(buf[1]);
+ cladatum->s.value = le32_to_cpu(buf[2]);
+
+ if (symtab_init(&cladatum->permissions, PERM_SYMTAB_SIZE))
+ goto bad;
+ cladatum->permissions.nprim = le32_to_cpu(buf[3]);
+ nel = le32_to_cpu(buf[4]);
+
+ ncons = le32_to_cpu(buf[5]);
+
+ key = malloc(len + 1);
+ if (!key)
+ goto bad;
+ rc = next_entry(key, fp, len);
+ if (rc < 0)
+ goto bad;
+ key[len] = 0;
+
+ if (len2) {
+ cladatum->comkey = malloc(len2 + 1);
+ if (!cladatum->comkey)
+ goto bad;
+ rc = next_entry(cladatum->comkey, fp, len2);
+ if (rc < 0)
+ goto bad;
+ cladatum->comkey[len2] = 0;
+
+ cladatum->comdatum = hashtab_search(p->p_commons.table,
+ cladatum->comkey);
+ if (!cladatum->comdatum) {
+ ERR(fp->handle, "unknown common %s", cladatum->comkey);
+ goto bad;
+ }
+ }
+ for (i = 0; i < nel; i++) {
+ if (perm_read(p, cladatum->permissions.table, fp))
+ goto bad;
+ }
+
+ if (read_cons_helper(p, &cladatum->constraints, ncons, 0, fp))
+ goto bad;
+
+ if ((p->policy_type == POLICY_KERN
+ && p->policyvers >= POLICYDB_VERSION_VALIDATETRANS)
+ || (p->policy_type == POLICY_BASE
+ && p->policyvers >= MOD_POLICYDB_VERSION_VALIDATETRANS)) {
+ /* grab the validatetrans rules */
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ goto bad;
+ ncons = le32_to_cpu(buf[0]);
+ if (read_cons_helper(p, &cladatum->validatetrans, ncons, 1, fp))
+ goto bad;
+ }
+
+ if (hashtab_insert(h, key, cladatum))
+ goto bad;
+
+ return 0;
+
+ bad:
+ class_destroy(key, cladatum, NULL);
+ return -1;
+}
+
+static int role_read(policydb_t * p
+ __attribute__ ((unused)), hashtab_t h,
+ struct policy_file *fp)
+{
+ char *key = 0;
+ role_datum_t *role;
+ uint32_t buf[3];
+ size_t len;
+ int rc, to_read = 2;
+
+ role = calloc(1, sizeof(role_datum_t));
+ if (!role)
+ return -1;
+
+ if (policydb_has_boundary_feature(p))
+ to_read = 3;
+
+ rc = next_entry(buf, fp, sizeof(uint32_t) * to_read);
+ if (rc < 0)
+ goto bad;
+
+ len = le32_to_cpu(buf[0]);
+ role->s.value = le32_to_cpu(buf[1]);
+ if (policydb_has_boundary_feature(p))
+ role->bounds = le32_to_cpu(buf[2]);
+
+ key = malloc(len + 1);
+ if (!key)
+ goto bad;
+ rc = next_entry(key, fp, len);
+ if (rc < 0)
+ goto bad;
+ key[len] = 0;
+
+ if (ebitmap_read(&role->dominates, fp))
+ goto bad;
+
+ if (p->policy_type == POLICY_KERN) {
+ if (ebitmap_read(&role->types.types, fp))
+ goto bad;
+ } else {
+ if (type_set_read(&role->types, fp))
+ goto bad;
+ }
+
+ if (p->policy_type != POLICY_KERN &&
+ p->policyvers >= MOD_POLICYDB_VERSION_ROLEATTRIB) {
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ goto bad;
+
+ role->flavor = le32_to_cpu(buf[0]);
+
+ if (ebitmap_read(&role->roles, fp))
+ goto bad;
+ }
+
+ if (strcmp(key, OBJECT_R) == 0) {
+ if (role->s.value != OBJECT_R_VAL) {
+ ERR(fp->handle, "role %s has wrong value %d",
+ OBJECT_R, role->s.value);
+ role_destroy(key, role, NULL);
+ return -1;
+ }
+ role_destroy(key, role, NULL);
+ return 0;
+ }
+
+ if (hashtab_insert(h, key, role))
+ goto bad;
+
+ return 0;
+
+ bad:
+ role_destroy(key, role, NULL);
+ return -1;
+}
+
+static int type_read(policydb_t * p
+ __attribute__ ((unused)), hashtab_t h,
+ struct policy_file *fp)
+{
+ char *key = 0;
+ type_datum_t *typdatum;
+ uint32_t buf[5];
+ size_t len;
+ int rc, to_read;
+ int pos = 0;
+
+ typdatum = calloc(1, sizeof(type_datum_t));
+ if (!typdatum)
+ return -1;
+
+ if (policydb_has_boundary_feature(p)) {
+ if (p->policy_type != POLICY_KERN
+ && p->policyvers >= MOD_POLICYDB_VERSION_BOUNDARY_ALIAS)
+ to_read = 5;
+ else
+ to_read = 4;
+ }
+ else if (p->policy_type == POLICY_KERN)
+ to_read = 3;
+ else if (p->policyvers >= MOD_POLICYDB_VERSION_PERMISSIVE)
+ to_read = 5;
+ else
+ to_read = 4;
+
+ rc = next_entry(buf, fp, sizeof(uint32_t) * to_read);
+ if (rc < 0)
+ goto bad;
+
+ len = le32_to_cpu(buf[pos]);
+ typdatum->s.value = le32_to_cpu(buf[++pos]);
+ if (policydb_has_boundary_feature(p)) {
+ uint32_t properties;
+
+ if (p->policy_type != POLICY_KERN
+ && p->policyvers >= MOD_POLICYDB_VERSION_BOUNDARY_ALIAS) {
+ typdatum->primary = le32_to_cpu(buf[++pos]);
+ properties = le32_to_cpu(buf[++pos]);
+ }
+ else {
+ properties = le32_to_cpu(buf[++pos]);
+
+ if (properties & TYPEDATUM_PROPERTY_PRIMARY)
+ typdatum->primary = 1;
+ }
+
+ if (properties & TYPEDATUM_PROPERTY_ATTRIBUTE)
+ typdatum->flavor = TYPE_ATTRIB;
+ if (properties & TYPEDATUM_PROPERTY_ALIAS
+ && p->policy_type != POLICY_KERN)
+ typdatum->flavor = TYPE_ALIAS;
+ if (properties & TYPEDATUM_PROPERTY_PERMISSIVE
+ && p->policy_type != POLICY_KERN)
+ typdatum->flags |= TYPE_FLAGS_PERMISSIVE;
+
+ typdatum->bounds = le32_to_cpu(buf[++pos]);
+ } else {
+ typdatum->primary = le32_to_cpu(buf[++pos]);
+ if (p->policy_type != POLICY_KERN) {
+ typdatum->flavor = le32_to_cpu(buf[++pos]);
+ if (p->policyvers >= MOD_POLICYDB_VERSION_PERMISSIVE)
+ typdatum->flags = le32_to_cpu(buf[++pos]);
+ }
+ }
+
+ if (p->policy_type != POLICY_KERN) {
+ if (ebitmap_read(&typdatum->types, fp))
+ goto bad;
+ }
+
+ key = malloc(len + 1);
+ if (!key)
+ goto bad;
+ rc = next_entry(key, fp, len);
+ if (rc < 0)
+ goto bad;
+ key[len] = 0;
+
+ if (hashtab_insert(h, key, typdatum))
+ goto bad;
+
+ return 0;
+
+ bad:
+ type_destroy(key, typdatum, NULL);
+ return -1;
+}
+
+int role_trans_read(policydb_t *p, struct policy_file *fp)
+{
+ role_trans_t **t = &p->role_tr;
+ unsigned int i;
+ uint32_t buf[3], nel;
+ role_trans_t *tr, *ltr;
+ int rc;
+ int new_roletr = (p->policy_type == POLICY_KERN &&
+ p->policyvers >= POLICYDB_VERSION_ROLETRANS);
+
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ return -1;
+ nel = le32_to_cpu(buf[0]);
+ ltr = NULL;
+ for (i = 0; i < nel; i++) {
+ tr = calloc(1, sizeof(struct role_trans));
+ if (!tr) {
+ return -1;
+ }
+ if (ltr) {
+ ltr->next = tr;
+ } else {
+ *t = tr;
+ }
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 3);
+ if (rc < 0)
+ return -1;
+ tr->role = le32_to_cpu(buf[0]);
+ tr->type = le32_to_cpu(buf[1]);
+ tr->new_role = le32_to_cpu(buf[2]);
+ if (new_roletr) {
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ return -1;
+ tr->tclass = le32_to_cpu(buf[0]);
+ } else
+ tr->tclass = SECCLASS_PROCESS;
+ ltr = tr;
+ }
+ return 0;
+}
+
+int role_allow_read(role_allow_t ** r, struct policy_file *fp)
+{
+ unsigned int i;
+ uint32_t buf[2], nel;
+ role_allow_t *ra, *lra;
+ int rc;
+
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ return -1;
+ nel = le32_to_cpu(buf[0]);
+ lra = NULL;
+ for (i = 0; i < nel; i++) {
+ ra = calloc(1, sizeof(struct role_allow));
+ if (!ra) {
+ return -1;
+ }
+ if (lra) {
+ lra->next = ra;
+ } else {
+ *r = ra;
+ }
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
+ if (rc < 0)
+ return -1;
+ ra->role = le32_to_cpu(buf[0]);
+ ra->new_role = le32_to_cpu(buf[1]);
+ lra = ra;
+ }
+ return 0;
+}
+
+int filename_trans_read(filename_trans_t **t, struct policy_file *fp)
+{
+ unsigned int i;
+ uint32_t buf[4], nel, len;
+ filename_trans_t *ft, *lft;
+ int rc;
+ char *name;
+
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ return -1;
+ nel = le32_to_cpu(buf[0]);
+
+ lft = NULL;
+ for (i = 0; i < nel; i++) {
+ ft = calloc(1, sizeof(struct filename_trans));
+ if (!ft)
+ return -1;
+ if (lft)
+ lft->next = ft;
+ else
+ *t = ft;
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ return -1;
+ len = le32_to_cpu(buf[0]);
+
+ name = calloc(len, sizeof(*name));
+ if (!name)
+ return -1;
+
+ ft->name = name;
+
+ rc = next_entry(name, fp, len);
+ if (rc < 0)
+ return -1;
+
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 4);
+ if (rc < 0)
+ return -1;
+
+ ft->stype = le32_to_cpu(buf[0]);
+ ft->ttype = le32_to_cpu(buf[1]);
+ ft->tclass = le32_to_cpu(buf[2]);
+ ft->otype = le32_to_cpu(buf[3]);
+ }
+ return 0;
+}
+
+static int ocontext_read_xen(struct policydb_compat_info *info,
+ policydb_t *p, struct policy_file *fp)
+{
+ unsigned int i, j;
+ size_t nel;
+ ocontext_t *l, *c;
+ uint32_t buf[8];
+ int rc;
+
+ for (i = 0; i < info->ocon_num; i++) {
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ return -1;
+ nel = le32_to_cpu(buf[0]);
+ l = NULL;
+ for (j = 0; j < nel; j++) {
+ c = calloc(1, sizeof(ocontext_t));
+ if (!c)
+ return -1;
+ if (l)
+ l->next = c;
+ else
+ p->ocontexts[i] = c;
+ l = c;
+ switch (i) {
+ case OCON_XEN_ISID:
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ return -1;
+ c->sid[0] = le32_to_cpu(buf[0]);
+ if (context_read_and_validate
+ (&c->context[0], p, fp))
+ return -1;
+ break;
+ case OCON_XEN_PIRQ:
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ return -1;
+ c->u.pirq = le32_to_cpu(buf[0]);
+ if (context_read_and_validate
+ (&c->context[0], p, fp))
+ return -1;
+ break;
+ case OCON_XEN_IOPORT:
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
+ if (rc < 0)
+ return -1;
+ c->u.ioport.low_ioport = le32_to_cpu(buf[0]);
+ c->u.ioport.high_ioport = le32_to_cpu(buf[1]);
+ if (context_read_and_validate
+ (&c->context[0], p, fp))
+ return -1;
+ break;
+ case OCON_XEN_IOMEM:
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
+ if (rc < 0)
+ return -1;
+ c->u.iomem.low_iomem = le32_to_cpu(buf[0]);
+ c->u.iomem.high_iomem = le32_to_cpu(buf[1]);
+ if (context_read_and_validate
+ (&c->context[0], p, fp))
+ return -1;
+ break;
+ case OCON_XEN_PCIDEVICE:
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ return -1;
+ c->u.device = le32_to_cpu(buf[0]);
+ if (context_read_and_validate
+ (&c->context[0], p, fp))
+ return -1;
+ break;
+ default:
+ /* should never get here */
+ ERR(fp->handle, "Unknown Xen ocontext");
+ return -1;
+ }
+ }
+ }
+ return 0;
+}
+static int ocontext_read_selinux(struct policydb_compat_info *info,
+ policydb_t * p, struct policy_file *fp)
+{
+ unsigned int i, j;
+ size_t nel, len;
+ ocontext_t *l, *c;
+ uint32_t buf[8];
+ int rc;
+
+ for (i = 0; i < info->ocon_num; i++) {
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ return -1;
+ nel = le32_to_cpu(buf[0]);
+ l = NULL;
+ for (j = 0; j < nel; j++) {
+ c = calloc(1, sizeof(ocontext_t));
+ if (!c) {
+ return -1;
+ }
+ if (l) {
+ l->next = c;
+ } else {
+ p->ocontexts[i] = c;
+ }
+ l = c;
+ switch (i) {
+ case OCON_ISID:
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ return -1;
+ c->sid[0] = le32_to_cpu(buf[0]);
+ if (context_read_and_validate
+ (&c->context[0], p, fp))
+ return -1;
+ break;
+ case OCON_FS:
+ case OCON_NETIF:
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ return -1;
+ len = le32_to_cpu(buf[0]);
+ c->u.name = malloc(len + 1);
+ if (!c->u.name)
+ return -1;
+ rc = next_entry(c->u.name, fp, len);
+ if (rc < 0)
+ return -1;
+ c->u.name[len] = 0;
+ if (context_read_and_validate
+ (&c->context[0], p, fp))
+ return -1;
+ if (context_read_and_validate
+ (&c->context[1], p, fp))
+ return -1;
+ break;
+ case OCON_PORT:
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 3);
+ if (rc < 0)
+ return -1;
+ c->u.port.protocol = le32_to_cpu(buf[0]);
+ c->u.port.low_port = le32_to_cpu(buf[1]);
+ c->u.port.high_port = le32_to_cpu(buf[2]);
+ if (context_read_and_validate
+ (&c->context[0], p, fp))
+ return -1;
+ break;
+ case OCON_NODE:
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
+ if (rc < 0)
+ return -1;
+ c->u.node.addr = buf[0]; /* network order */
+ c->u.node.mask = buf[1]; /* network order */
+ if (context_read_and_validate
+ (&c->context[0], p, fp))
+ return -1;
+ break;
+ case OCON_FSUSE:
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
+ if (rc < 0)
+ return -1;
+ c->v.behavior = le32_to_cpu(buf[0]);
+ len = le32_to_cpu(buf[1]);
+ c->u.name = malloc(len + 1);
+ if (!c->u.name)
+ return -1;
+ rc = next_entry(c->u.name, fp, len);
+ if (rc < 0)
+ return -1;
+ c->u.name[len] = 0;
+ if (context_read_and_validate
+ (&c->context[0], p, fp))
+ return -1;
+ break;
+ case OCON_NODE6:{
+ int k;
+
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 8);
+ if (rc < 0)
+ return -1;
+ for (k = 0; k < 4; k++)
+ /* network order */
+ c->u.node6.addr[k] = buf[k];
+ for (k = 0; k < 4; k++)
+ /* network order */
+ c->u.node6.mask[k] = buf[k + 4];
+ if (context_read_and_validate
+ (&c->context[0], p, fp))
+ return -1;
+ break;
+ }
+ default:{
+ ERR(fp->handle, "Unknown SELinux ocontext");
+ return -1;
+ }
+ }
+ }
+ }
+ return 0;
+}
+
+static int ocontext_read(struct policydb_compat_info *info,
+ policydb_t *p, struct policy_file *fp)
+{
+ int rc = -1;
+ switch (p->target_platform) {
+ case SEPOL_TARGET_SELINUX:
+ rc = ocontext_read_selinux(info, p, fp);
+ break;
+ case SEPOL_TARGET_XEN:
+ rc = ocontext_read_xen(info, p, fp);
+ break;
+ default:
+ ERR(fp->handle, "Unknown target");
+ }
+ return rc;
+}
+
+static int genfs_read(policydb_t * p, struct policy_file *fp)
+{
+ uint32_t buf[1];
+ size_t nel, nel2, len, len2;
+ genfs_t *genfs_p, *newgenfs, *genfs;
+ unsigned int i, j;
+ ocontext_t *l, *c, *newc = NULL;
+ int rc;
+
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ goto bad;
+ nel = le32_to_cpu(buf[0]);
+ genfs_p = NULL;
+ for (i = 0; i < nel; i++) {
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ goto bad;
+ len = le32_to_cpu(buf[0]);
+ newgenfs = calloc(1, sizeof(genfs_t));
+ if (!newgenfs)
+ goto bad;
+ newgenfs->fstype = malloc(len + 1);
+ if (!newgenfs->fstype) {
+ free(newgenfs);
+ goto bad;
+ }
+ rc = next_entry(newgenfs->fstype, fp, len);
+ if (rc < 0) {
+ free(newgenfs->fstype);
+ free(newgenfs);
+ goto bad;
+ }
+ newgenfs->fstype[len] = 0;
+ for (genfs_p = NULL, genfs = p->genfs; genfs;
+ genfs_p = genfs, genfs = genfs->next) {
+ if (strcmp(newgenfs->fstype, genfs->fstype) == 0) {
+ ERR(fp->handle, "dup genfs fstype %s",
+ newgenfs->fstype);
+ free(newgenfs->fstype);
+ free(newgenfs);
+ goto bad;
+ }
+ if (strcmp(newgenfs->fstype, genfs->fstype) < 0)
+ break;
+ }
+ newgenfs->next = genfs;
+ if (genfs_p)
+ genfs_p->next = newgenfs;
+ else
+ p->genfs = newgenfs;
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ goto bad;
+ nel2 = le32_to_cpu(buf[0]);
+ for (j = 0; j < nel2; j++) {
+ newc = calloc(1, sizeof(ocontext_t));
+ if (!newc) {
+ goto bad;
+ }
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ goto bad;
+ len = le32_to_cpu(buf[0]);
+ newc->u.name = malloc(len + 1);
+ if (!newc->u.name) {
+ goto bad;
+ }
+ rc = next_entry(newc->u.name, fp, len);
+ if (rc < 0)
+ goto bad;
+ newc->u.name[len] = 0;
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ goto bad;
+ newc->v.sclass = le32_to_cpu(buf[0]);
+ if (context_read_and_validate(&newc->context[0], p, fp))
+ goto bad;
+ for (l = NULL, c = newgenfs->head; c;
+ l = c, c = c->next) {
+ if (!strcmp(newc->u.name, c->u.name) &&
+ (!c->v.sclass || !newc->v.sclass ||
+ newc->v.sclass == c->v.sclass)) {
+ ERR(fp->handle, "dup genfs entry "
+ "(%s,%s)", newgenfs->fstype,
+ c->u.name);
+ goto bad;
+ }
+ len = strlen(newc->u.name);
+ len2 = strlen(c->u.name);
+ if (len > len2)
+ break;
+ }
+ newc->next = c;
+ if (l)
+ l->next = newc;
+ else
+ newgenfs->head = newc;
+ }
+ }
+
+ return 0;
+
+ bad:
+ if (newc) {
+ context_destroy(&newc->context[0]);
+ context_destroy(&newc->context[1]);
+ free(newc->u.name);
+ free(newc);
+ }
+ return -1;
+}
+
+/*
+ * Read a MLS level structure from a policydb binary
+ * representation file.
+ */
+static int mls_read_level(mls_level_t * lp, struct policy_file *fp)
+{
+ uint32_t buf[1];
+ int rc;
+
+ mls_level_init(lp);
+
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0) {
+ ERR(fp->handle, "truncated level");
+ goto bad;
+ }
+ lp->sens = le32_to_cpu(buf[0]);
+
+ if (ebitmap_read(&lp->cat, fp)) {
+ ERR(fp->handle, "error reading level categories");
+ goto bad;
+ }
+ return 0;
+
+ bad:
+ return -EINVAL;
+}
+
+static int user_read(policydb_t * p, hashtab_t h, struct policy_file *fp)
+{
+ char *key = 0;
+ user_datum_t *usrdatum;
+ uint32_t buf[3];
+ size_t len;
+ int rc, to_read = 2;
+
+ usrdatum = calloc(1, sizeof(user_datum_t));
+ if (!usrdatum)
+ return -1;
+
+ if (policydb_has_boundary_feature(p))
+ to_read = 3;
+
+ rc = next_entry(buf, fp, sizeof(uint32_t) * to_read);
+ if (rc < 0)
+ goto bad;
+
+ len = le32_to_cpu(buf[0]);
+ usrdatum->s.value = le32_to_cpu(buf[1]);
+ if (policydb_has_boundary_feature(p))
+ usrdatum->bounds = le32_to_cpu(buf[2]);
+
+ key = malloc(len + 1);
+ if (!key)
+ goto bad;
+ rc = next_entry(key, fp, len);
+ if (rc < 0)
+ goto bad;
+ key[len] = 0;
+
+ if (p->policy_type == POLICY_KERN) {
+ if (ebitmap_read(&usrdatum->roles.roles, fp))
+ goto bad;
+ } else {
+ if (role_set_read(&usrdatum->roles, fp))
+ goto bad;
+ }
+
+ /* users were not allowed in mls modules before version
+ * MOD_POLICYDB_VERSION_MLS_USERS, but they could have been
+ * required - the mls fields will be empty. user declarations in
+ * non-mls modules will also have empty mls fields */
+ if ((p->policy_type == POLICY_KERN
+ && p->policyvers >= POLICYDB_VERSION_MLS)
+ || (p->policy_type == POLICY_MOD
+ && p->policyvers >= MOD_POLICYDB_VERSION_MLS
+ && p->policyvers < MOD_POLICYDB_VERSION_MLS_USERS)
+ || (p->policy_type == POLICY_BASE
+ && p->policyvers >= MOD_POLICYDB_VERSION_MLS
+ && p->policyvers < MOD_POLICYDB_VERSION_MLS_USERS)) {
+ if (mls_read_range_helper(&usrdatum->exp_range, fp))
+ goto bad;
+ if (mls_read_level(&usrdatum->exp_dfltlevel, fp))
+ goto bad;
+ if (p->policy_type != POLICY_KERN) {
+ if (mls_range_to_semantic(&usrdatum->exp_range,
+ &usrdatum->range))
+ goto bad;
+ if (mls_level_to_semantic(&usrdatum->exp_dfltlevel,
+ &usrdatum->dfltlevel))
+ goto bad;
+ }
+ } else if ((p->policy_type == POLICY_MOD
+ && p->policyvers >= MOD_POLICYDB_VERSION_MLS_USERS)
+ || (p->policy_type == POLICY_BASE
+ && p->policyvers >= MOD_POLICYDB_VERSION_MLS_USERS)) {
+ if (mls_read_semantic_range_helper(&usrdatum->range, fp))
+ goto bad;
+ if (mls_read_semantic_level_helper(&usrdatum->dfltlevel, fp))
+ goto bad;
+ }
+
+ if (hashtab_insert(h, key, usrdatum))
+ goto bad;
+
+ return 0;
+
+ bad:
+ user_destroy(key, usrdatum, NULL);
+ return -1;
+}
+
+static int sens_read(policydb_t * p
+ __attribute__ ((unused)), hashtab_t h,
+ struct policy_file *fp)
+{
+ char *key = 0;
+ level_datum_t *levdatum;
+ uint32_t buf[2], len;
+ int rc;
+
+ levdatum = malloc(sizeof(level_datum_t));
+ if (!levdatum)
+ return -1;
+ level_datum_init(levdatum);
+
+ rc = next_entry(buf, fp, (sizeof(uint32_t) * 2));
+ if (rc < 0)
+ goto bad;
+
+ len = le32_to_cpu(buf[0]);
+ levdatum->isalias = le32_to_cpu(buf[1]);
+
+ key = malloc(len + 1);
+ if (!key)
+ goto bad;
+ rc = next_entry(key, fp, len);
+ if (rc < 0)
+ goto bad;
+ key[len] = 0;
+
+ levdatum->level = malloc(sizeof(mls_level_t));
+ if (!levdatum->level || mls_read_level(levdatum->level, fp))
+ goto bad;
+
+ if (hashtab_insert(h, key, levdatum))
+ goto bad;
+
+ return 0;
+
+ bad:
+ sens_destroy(key, levdatum, NULL);
+ return -1;
+}
+
+static int cat_read(policydb_t * p
+ __attribute__ ((unused)), hashtab_t h,
+ struct policy_file *fp)
+{
+ char *key = 0;
+ cat_datum_t *catdatum;
+ uint32_t buf[3], len;
+ int rc;
+
+ catdatum = malloc(sizeof(cat_datum_t));
+ if (!catdatum)
+ return -1;
+ cat_datum_init(catdatum);
+
+ rc = next_entry(buf, fp, (sizeof(uint32_t) * 3));
+ if (rc < 0)
+ goto bad;
+
+ len = le32_to_cpu(buf[0]);
+ catdatum->s.value = le32_to_cpu(buf[1]);
+ catdatum->isalias = le32_to_cpu(buf[2]);
+
+ key = malloc(len + 1);
+ if (!key)
+ goto bad;
+ rc = next_entry(key, fp, len);
+ if (rc < 0)
+ goto bad;
+ key[len] = 0;
+
+ if (hashtab_insert(h, key, catdatum))
+ goto bad;
+
+ return 0;
+
+ bad:
+ cat_destroy(key, catdatum, NULL);
+ return -1;
+}
+
+static int (*read_f[SYM_NUM]) (policydb_t * p, hashtab_t h,
+ struct policy_file * fp) = {
+common_read, class_read, role_read, type_read, user_read,
+ cond_read_bool, sens_read, cat_read,};
+
+/************** module reading functions below **************/
+
+static avrule_t *avrule_read(policydb_t * p
+ __attribute__ ((unused)), struct policy_file *fp)
+{
+ unsigned int i;
+ uint32_t buf[2], len;
+ class_perm_node_t *cur, *tail = NULL;
+ avrule_t *avrule;
+ int rc;
+
+ avrule = (avrule_t *) malloc(sizeof(avrule_t));
+ if (!avrule)
+ return NULL;
+
+ avrule_init(avrule);
+
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
+ if (rc < 0)
+ goto bad;
+
+ (avrule)->specified = le32_to_cpu(buf[0]);
+ (avrule)->flags = le32_to_cpu(buf[1]);
+
+ if (type_set_read(&avrule->stypes, fp))
+ goto bad;
+
+ if (type_set_read(&avrule->ttypes, fp))
+ goto bad;
+
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ goto bad;
+ len = le32_to_cpu(buf[0]);
+
+ for (i = 0; i < len; i++) {
+ cur = (class_perm_node_t *) malloc(sizeof(class_perm_node_t));
+ if (!cur)
+ goto bad;
+ class_perm_node_init(cur);
+
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
+ if (rc < 0) {
+ free(cur);
+ goto bad;
+ }
+
+ cur->class = le32_to_cpu(buf[0]);
+ cur->data = le32_to_cpu(buf[1]);
+
+ if (!tail) {
+ avrule->perms = cur;
+ } else {
+ tail->next = cur;
+ }
+ tail = cur;
+ }
+
+ return avrule;
+ bad:
+ if (avrule) {
+ avrule_destroy(avrule);
+ free(avrule);
+ }
+ return NULL;
+}
+
+static int range_read(policydb_t * p, struct policy_file *fp)
+{
+ uint32_t buf[2], nel;
+ range_trans_t *rt, *lrt;
+ range_trans_rule_t *rtr, *lrtr = NULL;
+ unsigned int i;
+ int new_rangetr = (p->policy_type == POLICY_KERN &&
+ p->policyvers >= POLICYDB_VERSION_RANGETRANS);
+ int rc;
+
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ return -1;
+ nel = le32_to_cpu(buf[0]);
+ lrt = NULL;
+ for (i = 0; i < nel; i++) {
+ rt = calloc(1, sizeof(range_trans_t));
+ if (!rt)
+ return -1;
+ if (lrt)
+ lrt->next = rt;
+ else
+ p->range_tr = rt;
+ rc = next_entry(buf, fp, (sizeof(uint32_t) * 2));
+ if (rc < 0)
+ return -1;
+ rt->source_type = le32_to_cpu(buf[0]);
+ rt->target_type = le32_to_cpu(buf[1]);
+ if (new_rangetr) {
+ rc = next_entry(buf, fp, (sizeof(uint32_t)));
+ if (rc < 0)
+ return -1;
+ rt->target_class = le32_to_cpu(buf[0]);
+ } else
+ rt->target_class = SECCLASS_PROCESS;
+ if (mls_read_range_helper(&rt->target_range, fp))
+ return -1;
+ lrt = rt;
+ }
+
+ /* if this is a kernel policy, we are done - otherwise we need to
+ * convert these structs to range_trans_rule_ts */
+ if (p->policy_type == POLICY_KERN)
+ return 0;
+
+ /* create range_trans_rules_ts that correspond to the range_trans_ts
+ * that were just read in from an older policy */
+ for (rt = p->range_tr; rt; rt = rt->next) {
+ rtr = malloc(sizeof(range_trans_rule_t));
+ if (!rtr) {
+ return -1;
+ }
+ range_trans_rule_init(rtr);
+
+ if (lrtr)
+ lrtr->next = rtr;
+ else
+ p->global->enabled->range_tr_rules = rtr;
+
+ if (ebitmap_set_bit(&rtr->stypes.types, rt->source_type - 1, 1))
+ return -1;
+
+ if (ebitmap_set_bit(&rtr->ttypes.types, rt->target_type - 1, 1))
+ return -1;
+
+ if (ebitmap_set_bit(&rtr->tclasses, rt->target_class - 1, 1))
+ return -1;
+
+ if (mls_range_to_semantic(&rt->target_range, &rtr->trange))
+ return -1;
+
+ lrtr = rtr;
+ }
+
+ /* now destroy the range_trans_ts */
+ lrt = NULL;
+ for (rt = p->range_tr; rt; rt = rt->next) {
+ if (lrt) {
+ ebitmap_destroy(&lrt->target_range.level[0].cat);
+ ebitmap_destroy(&lrt->target_range.level[1].cat);
+ free(lrt);
+ }
+ lrt = rt;
+ }
+ if (lrt) {
+ ebitmap_destroy(&lrt->target_range.level[0].cat);
+ ebitmap_destroy(&lrt->target_range.level[1].cat);
+ free(lrt);
+ }
+ p->range_tr = NULL;
+
+ return 0;
+}
+
+int avrule_read_list(policydb_t * p, avrule_t ** avrules,
+ struct policy_file *fp)
+{
+ unsigned int i;
+ avrule_t *cur, *tail;
+ uint32_t buf[1], len;
+ int rc;
+
+ *avrules = tail = NULL;
+
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0) {
+ return -1;
+ }
+ len = le32_to_cpu(buf[0]);
+
+ for (i = 0; i < len; i++) {
+ cur = avrule_read(p, fp);
+ if (!cur) {
+ return -1;
+ }
+
+ if (!tail) {
+ *avrules = cur;
+ } else {
+ tail->next = cur;
+ }
+ tail = cur;
+ }
+
+ return 0;
+}
+
+static int role_trans_rule_read(policydb_t *p, role_trans_rule_t ** r,
+ struct policy_file *fp)
+{
+ uint32_t buf[1], nel;
+ unsigned int i;
+ role_trans_rule_t *tr, *ltr;
+ int rc;
+
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ return -1;
+ nel = le32_to_cpu(buf[0]);
+ ltr = NULL;
+ for (i = 0; i < nel; i++) {
+ tr = malloc(sizeof(role_trans_rule_t));
+ if (!tr) {
+ return -1;
+ }
+ role_trans_rule_init(tr);
+
+ if (ltr) {
+ ltr->next = tr;
+ } else {
+ *r = tr;
+ }
+
+ if (role_set_read(&tr->roles, fp))
+ return -1;
+
+ if (type_set_read(&tr->types, fp))
+ return -1;
+
+ if (p->policyvers >= MOD_POLICYDB_VERSION_ROLETRANS) {
+ if (ebitmap_read(&tr->classes, fp))
+ return -1;
+ } else {
+ if (ebitmap_set_bit(&tr->classes, SECCLASS_PROCESS - 1, 1))
+ return -1;
+ }
+
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ return -1;
+ tr->new_role = le32_to_cpu(buf[0]);
+ ltr = tr;
+ }
+
+ return 0;
+}
+
+static int role_allow_rule_read(role_allow_rule_t ** r, struct policy_file *fp)
+{
+ unsigned int i;
+ uint32_t buf[1], nel;
+ role_allow_rule_t *ra, *lra;
+ int rc;
+
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ return -1;
+ nel = le32_to_cpu(buf[0]);
+ lra = NULL;
+ for (i = 0; i < nel; i++) {
+ ra = malloc(sizeof(role_allow_rule_t));
+ if (!ra) {
+ return -1;
+ }
+ role_allow_rule_init(ra);
+
+ if (lra) {
+ lra->next = ra;
+ } else {
+ *r = ra;
+ }
+
+ if (role_set_read(&ra->roles, fp))
+ return -1;
+
+ if (role_set_read(&ra->new_roles, fp))
+ return -1;
+
+ lra = ra;
+ }
+ return 0;
+}
+
+static int filename_trans_rule_read(filename_trans_rule_t ** r, struct policy_file *fp)
+{
+ uint32_t buf[2], nel;
+ unsigned int i, len;
+ filename_trans_rule_t *ftr, *lftr;
+ int rc;
+
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ return -1;
+ nel = le32_to_cpu(buf[0]);
+ lftr = NULL;
+ for (i = 0; i < nel; i++) {
+ ftr = malloc(sizeof(*ftr));
+ if (!ftr)
+ return -1;
+
+ filename_trans_rule_init(ftr);
+
+ if (lftr)
+ lftr->next = ftr;
+ else
+ *r = ftr;
+ lftr = ftr;
+
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ return -1;
+
+ len = le32_to_cpu(buf[0]);
+
+ ftr->name = malloc(len + 1);
+ if (!ftr->name)
+ return -1;
+
+ rc = next_entry(ftr->name, fp, len);
+ if (rc)
+ return -1;
+ ftr->name[len] = 0;
+
+ if (type_set_read(&ftr->stypes, fp))
+ return -1;
+
+ if (type_set_read(&ftr->ttypes, fp))
+ return -1;
+
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
+ if (rc < 0)
+ return -1;
+ ftr->tclass = le32_to_cpu(buf[0]);
+ ftr->otype = le32_to_cpu(buf[1]);
+ }
+
+ return 0;
+}
+
+static int range_trans_rule_read(range_trans_rule_t ** r,
+ struct policy_file *fp)
+{
+ uint32_t buf[1], nel;
+ unsigned int i;
+ range_trans_rule_t *rt, *lrt = NULL;
+ int rc;
+
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ return -1;
+ nel = le32_to_cpu(buf[0]);
+ for (i = 0; i < nel; i++) {
+ rt = malloc(sizeof(range_trans_rule_t));
+ if (!rt) {
+ return -1;
+ }
+ range_trans_rule_init(rt);
+
+ if (lrt)
+ lrt->next = rt;
+ else
+ *r = rt;
+
+ if (type_set_read(&rt->stypes, fp))
+ return -1;
+
+ if (type_set_read(&rt->ttypes, fp))
+ return -1;
+
+ if (ebitmap_read(&rt->tclasses, fp))
+ return -1;
+
+ if (mls_read_semantic_range_helper(&rt->trange, fp))
+ return -1;
+
+ lrt = rt;
+ }
+
+ return 0;
+}
+
+static int scope_index_read(scope_index_t * scope_index,
+ unsigned int num_scope_syms, struct policy_file *fp)
+{
+ unsigned int i;
+ uint32_t buf[1];
+ int rc;
+
+ for (i = 0; i < num_scope_syms; i++) {
+ if (ebitmap_read(scope_index->scope + i, fp) == -1) {
+ return -1;
+ }
+ }
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ return -1;
+ scope_index->class_perms_len = le32_to_cpu(buf[0]);
+ if (scope_index->class_perms_len == 0) {
+ scope_index->class_perms_map = NULL;
+ return 0;
+ }
+ if ((scope_index->class_perms_map =
+ calloc(scope_index->class_perms_len,
+ sizeof(*scope_index->class_perms_map))) == NULL) {
+ return -1;
+ }
+ for (i = 0; i < scope_index->class_perms_len; i++) {
+ if (ebitmap_read(scope_index->class_perms_map + i, fp) == -1) {
+ return -1;
+ }
+ }
+ return 0;
+}
+
+static int avrule_decl_read(policydb_t * p, avrule_decl_t * decl,
+ unsigned int num_scope_syms, struct policy_file *fp)
+{
+ uint32_t buf[2], nprim, nel;
+ unsigned int i, j;
+ int rc;
+
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
+ if (rc < 0)
+ return -1;
+ decl->decl_id = le32_to_cpu(buf[0]);
+ decl->enabled = le32_to_cpu(buf[1]);
+ if (cond_read_list(p, &decl->cond_list, fp) == -1 ||
+ avrule_read_list(p, &decl->avrules, fp) == -1 ||
+ role_trans_rule_read(p, &decl->role_tr_rules, fp) == -1 ||
+ role_allow_rule_read(&decl->role_allow_rules, fp) == -1) {
+ return -1;
+ }
+
+ if (p->policyvers >= MOD_POLICYDB_VERSION_FILENAME_TRANS &&
+ filename_trans_rule_read(&decl->filename_trans_rules, fp))
+ return -1;
+
+ if (p->policyvers >= MOD_POLICYDB_VERSION_RANGETRANS &&
+ range_trans_rule_read(&decl->range_tr_rules, fp) == -1) {
+ return -1;
+ }
+ if (scope_index_read(&decl->required, num_scope_syms, fp) == -1 ||
+ scope_index_read(&decl->declared, num_scope_syms, fp) == -1) {
+ return -1;
+ }
+
+ for (i = 0; i < num_scope_syms; i++) {
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
+ if (rc < 0)
+ return -1;
+ nprim = le32_to_cpu(buf[0]);
+ nel = le32_to_cpu(buf[1]);
+ for (j = 0; j < nel; j++) {
+ if (read_f[i] (p, decl->symtab[i].table, fp)) {
+ return -1;
+ }
+ }
+ decl->symtab[i].nprim = nprim;
+ }
+ return 0;
+}
+
+static int avrule_block_read(policydb_t * p,
+ avrule_block_t ** block,
+ unsigned int num_scope_syms,
+ struct policy_file *fp)
+{
+ avrule_block_t *last_block = NULL, *curblock;
+ uint32_t buf[1], num_blocks, nel;
+ int rc;
+
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ return -1;
+ num_blocks = le32_to_cpu(buf[0]);
+ nel = num_blocks;
+ while (num_blocks > 0) {
+ avrule_decl_t *last_decl = NULL, *curdecl;
+ uint32_t num_decls;
+ if ((curblock = calloc(1, sizeof(*curblock))) == NULL) {
+ return -1;
+ }
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0) {
+ free(curblock);
+ return -1;
+ }
+ /* if this is the first block its non-optional, else its optional */
+ if (num_blocks != nel)
+ curblock->flags |= AVRULE_OPTIONAL;
+
+ num_decls = le32_to_cpu(buf[0]);
+ while (num_decls > 0) {
+ if ((curdecl = avrule_decl_create(0)) == NULL) {
+ avrule_block_destroy(curblock);
+ return -1;
+ }
+ if (avrule_decl_read(p, curdecl, num_scope_syms, fp) ==
+ -1) {
+ avrule_decl_destroy(curdecl);
+ avrule_block_destroy(curblock);
+ return -1;
+ }
+ if (curdecl->enabled) {
+ if (curblock->enabled != NULL) {
+ /* probably a corrupt file */
+ avrule_decl_destroy(curdecl);
+ avrule_block_destroy(curblock);
+ return -1;
+ }
+ curblock->enabled = curdecl;
+ }
+ /* one must be careful to reconstruct the
+ * decl chain in its correct order */
+ if (curblock->branch_list == NULL) {
+ curblock->branch_list = curdecl;
+ } else {
+ last_decl->next = curdecl;
+ }
+ last_decl = curdecl;
+ num_decls--;
+ }
+
+ if (*block == NULL) {
+ *block = curblock;
+ } else {
+ last_block->next = curblock;
+ }
+ last_block = curblock;
+
+ num_blocks--;
+ }
+
+ return 0;
+}
+
+static int scope_read(policydb_t * p, int symnum, struct policy_file *fp)
+{
+ scope_datum_t *scope = NULL;
+ uint32_t buf[2];
+ char *key = NULL;
+ size_t key_len;
+ unsigned int i;
+ hashtab_t h = p->scope[symnum].table;
+ int rc;
+
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ goto cleanup;
+ key_len = le32_to_cpu(buf[0]);
+ key = malloc(key_len + 1);
+ if (!key)
+ goto cleanup;
+ rc = next_entry(key, fp, key_len);
+ if (rc < 0)
+ goto cleanup;
+ key[key_len] = '\0';
+
+ /* ensure that there already exists a symbol with this key */
+ if (hashtab_search(p->symtab[symnum].table, key) == NULL) {
+ goto cleanup;
+ }
+
+ if ((scope = calloc(1, sizeof(*scope))) == NULL) {
+ goto cleanup;
+ }
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
+ if (rc < 0)
+ goto cleanup;
+ scope->scope = le32_to_cpu(buf[0]);
+ scope->decl_ids_len = le32_to_cpu(buf[1]);
+ assert(scope->decl_ids_len > 0);
+ if ((scope->decl_ids =
+ malloc(scope->decl_ids_len * sizeof(uint32_t))) == NULL) {
+ goto cleanup;
+ }
+ rc = next_entry(scope->decl_ids, fp, sizeof(uint32_t) * scope->decl_ids_len);
+ if (rc < 0)
+ goto cleanup;
+ for (i = 0; i < scope->decl_ids_len; i++) {
+ scope->decl_ids[i] = le32_to_cpu(scope->decl_ids[i]);
+ }
+
+ if (strcmp(key, "object_r") == 0 && h == p->p_roles_scope.table) {
+ /* object_r was already added to this table in roles_init() */
+ scope_destroy(key, scope, NULL);
+ } else {
+ if (hashtab_insert(h, key, scope)) {
+ goto cleanup;
+ }
+ }
+
+ return 0;
+
+ cleanup:
+ scope_destroy(key, scope, NULL);
+ return -1;
+}
+
+/*
+ * Read the configuration data from a policy database binary
+ * representation file into a policy database structure.
+ */
+int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose)
+{
+
+ unsigned int i, j, r_policyvers;
+ uint32_t buf[5];
+ size_t len, nprim, nel;
+ char *policydb_str;
+ struct policydb_compat_info *info;
+ unsigned int policy_type, bufindex;
+ ebitmap_node_t *tnode;
+ int rc;
+
+ /* Read the magic number and string length. */
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
+ if (rc < 0)
+ return POLICYDB_ERROR;
+ for (i = 0; i < 2; i++)
+ buf[i] = le32_to_cpu(buf[i]);
+
+ if (buf[0] == POLICYDB_MAGIC) {
+ policy_type = POLICY_KERN;
+ } else if (buf[0] == POLICYDB_MOD_MAGIC) {
+ policy_type = POLICY_MOD;
+ } else {
+ ERR(fp->handle, "policydb magic number %#08x does not "
+ "match expected magic number %#08x or %#08x",
+ buf[0], POLICYDB_MAGIC, POLICYDB_MOD_MAGIC);
+ return POLICYDB_ERROR;
+ }
+
+ len = buf[1];
+ if (len > POLICYDB_STRING_MAX_LENGTH) {
+ ERR(fp->handle, "policydb string length too long ");
+ return POLICYDB_ERROR;
+ }
+
+ policydb_str = malloc(len + 1);
+ if (!policydb_str) {
+ ERR(fp->handle, "unable to allocate memory for policydb "
+ "string of length %zu", len);
+ return POLICYDB_ERROR;
+ }
+ rc = next_entry(policydb_str, fp, len);
+ if (rc < 0) {
+ ERR(fp->handle, "truncated policydb string identifier");
+ free(policydb_str);
+ return POLICYDB_ERROR;
+ }
+ policydb_str[len] = 0;
+
+ if (policy_type == POLICY_KERN) {
+ for (i = 0; i < POLICYDB_TARGET_SZ; i++) {
+ if ((strcmp(policydb_str, policydb_target_strings[i])
+ == 0)) {
+ policydb_set_target_platform(p, i);
+ break;
+ }
+ }
+
+ if (i == POLICYDB_TARGET_SZ) {
+ ERR(fp->handle, "cannot find a valid target for policy "
+ "string %s", policydb_str);
+ free(policydb_str);
+ return POLICYDB_ERROR;
+ }
+ } else {
+ if (strcmp(policydb_str, POLICYDB_MOD_STRING)) {
+ ERR(fp->handle, "invalid string identifier %s",
+ policydb_str);
+ free(policydb_str);
+ return POLICYDB_ERROR;
+ }
+ }
+
+ /* Done with policydb_str. */
+ free(policydb_str);
+ policydb_str = NULL;
+
+ /* Read the version, config, and table sizes (and policy type if it's a module). */
+ if (policy_type == POLICY_KERN)
+ nel = 4;
+ else
+ nel = 5;
+
+ rc = next_entry(buf, fp, sizeof(uint32_t) * nel);
+ if (rc < 0)
+ return POLICYDB_ERROR;
+ for (i = 0; i < nel; i++)
+ buf[i] = le32_to_cpu(buf[i]);
+
+ bufindex = 0;
+
+ if (policy_type == POLICY_MOD) {
+ /* We know it's a module but not whether it's a base
+ module or regular binary policy module. buf[0]
+ tells us which. */
+ policy_type = buf[bufindex];
+ if (policy_type != POLICY_MOD && policy_type != POLICY_BASE) {
+ ERR(fp->handle, "unknown module type: %#08x",
+ policy_type);
+ return POLICYDB_ERROR;
+ }
+ bufindex++;
+ }
+
+ r_policyvers = buf[bufindex];
+ if (policy_type == POLICY_KERN) {
+ if (r_policyvers < POLICYDB_VERSION_MIN ||
+ r_policyvers > POLICYDB_VERSION_MAX) {
+ ERR(fp->handle, "policydb version %d does not match "
+ "my version range %d-%d", buf[bufindex],
+ POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
+ return POLICYDB_ERROR;
+ }
+ } else if (policy_type == POLICY_BASE || policy_type == POLICY_MOD) {
+ if (r_policyvers < MOD_POLICYDB_VERSION_MIN ||
+ r_policyvers > MOD_POLICYDB_VERSION_MAX) {
+ ERR(fp->handle, "policydb module version %d does "
+ "not match my version range %d-%d",
+ buf[bufindex], MOD_POLICYDB_VERSION_MIN,
+ MOD_POLICYDB_VERSION_MAX);
+ return POLICYDB_ERROR;
+ }
+ } else {
+ assert(0);
+ }
+ bufindex++;
+
+ /* Set the policy type and version from the read values. */
+ p->policy_type = policy_type;
+ p->policyvers = r_policyvers;
+
+ if (buf[bufindex] & POLICYDB_CONFIG_MLS) {
+ p->mls = 1;
+ } else {
+ p->mls = 0;
+ }
+
+ p->handle_unknown = buf[bufindex] & POLICYDB_CONFIG_UNKNOWN_MASK;
+
+ bufindex++;
+
+ info = policydb_lookup_compat(r_policyvers, policy_type,
+ p->target_platform);
+ if (!info) {
+ ERR(fp->handle, "unable to find policy compat info "
+ "for version %d", r_policyvers);
+ goto bad;
+ }
+
+ if (buf[bufindex] != info->sym_num
+ || buf[bufindex + 1] != info->ocon_num) {
+ ERR(fp->handle,
+ "policydb table sizes (%d,%d) do not " "match mine (%d,%d)",
+ buf[bufindex], buf[bufindex + 1], info->sym_num,
+ info->ocon_num);
+ goto bad;
+ }
+
+ if (p->policy_type == POLICY_MOD) {
+ /* Get the module name and version */
+ if ((rc = next_entry(buf, fp, sizeof(uint32_t))) < 0) {
+ goto bad;
+ }
+ len = le32_to_cpu(buf[0]);
+ if ((p->name = malloc(len + 1)) == NULL) {
+ goto bad;
+ }
+ if ((rc = next_entry(p->name, fp, len)) < 0) {
+ goto bad;
+ }
+ p->name[len] = '\0';
+ if ((rc = next_entry(buf, fp, sizeof(uint32_t))) < 0) {
+ goto bad;
+ }
+ len = le32_to_cpu(buf[0]);
+ if ((p->version = malloc(len + 1)) == NULL) {
+ goto bad;
+ }
+ if ((rc = next_entry(p->version, fp, len)) < 0) {
+ goto bad;
+ }
+ p->version[len] = '\0';
+ }
+
+ if ((p->policyvers >= POLICYDB_VERSION_POLCAP &&
+ p->policy_type == POLICY_KERN) ||
+ (p->policyvers >= MOD_POLICYDB_VERSION_POLCAP &&
+ p->policy_type == POLICY_BASE) ||
+ (p->policyvers >= MOD_POLICYDB_VERSION_POLCAP &&
+ p->policy_type == POLICY_MOD)) {
+ if (ebitmap_read(&p->policycaps, fp))
+ goto bad;
+ }
+
+ if (p->policyvers >= POLICYDB_VERSION_PERMISSIVE &&
+ p->policy_type == POLICY_KERN) {
+ if (ebitmap_read(&p->permissive_map, fp))
+ goto bad;
+ }
+
+ for (i = 0; i < info->sym_num; i++) {
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
+ if (rc < 0)
+ goto bad;
+ nprim = le32_to_cpu(buf[0]);
+ nel = le32_to_cpu(buf[1]);
+ for (j = 0; j < nel; j++) {
+ if (read_f[i] (p, p->symtab[i].table, fp))
+ goto bad;
+ }
+
+ p->symtab[i].nprim = nprim;
+ }
+
+ if (policy_type == POLICY_KERN) {
+ if (avtab_read(&p->te_avtab, fp, r_policyvers))
+ goto bad;
+ if (r_policyvers >= POLICYDB_VERSION_BOOL)
+ if (cond_read_list(p, &p->cond_list, fp))
+ goto bad;
+ if (role_trans_read(p, fp))
+ goto bad;
+ if (role_allow_read(&p->role_allow, fp))
+ goto bad;
+ if (r_policyvers >= POLICYDB_VERSION_FILENAME_TRANS &&
+ filename_trans_read(&p->filename_trans, fp))
+ goto bad;
+ } else {
+ /* first read the AV rule blocks, then the scope tables */
+ avrule_block_destroy(p->global);
+ p->global = NULL;
+ if (avrule_block_read(p, &p->global, info->sym_num, fp) == -1) {
+ goto bad;
+ }
+ for (i = 0; i < info->sym_num; i++) {
+ if ((rc = next_entry(buf, fp, sizeof(uint32_t))) < 0) {
+ goto bad;
+ }
+ nel = le32_to_cpu(buf[0]);
+ for (j = 0; j < nel; j++) {
+ if (scope_read(p, i, fp))
+ goto bad;
+ }
+ }
+
+ }
+
+ if (policydb_index_decls(p))
+ goto bad;
+
+ if (policydb_index_classes(p))
+ goto bad;
+
+ if (policydb_index_others(fp->handle, p, verbose))
+ goto bad;
+
+ if (ocontext_read(info, p, fp) == -1) {
+ goto bad;
+ }
+
+ if (genfs_read(p, fp) == -1) {
+ goto bad;
+ }
+
+ if ((p->policy_type == POLICY_KERN
+ && p->policyvers >= POLICYDB_VERSION_MLS)
+ || (p->policy_type == POLICY_BASE
+ && p->policyvers >= MOD_POLICYDB_VERSION_MLS
+ && p->policyvers < MOD_POLICYDB_VERSION_RANGETRANS)) {
+ if (range_read(p, fp)) {
+ goto bad;
+ }
+ }
+
+ if (policy_type == POLICY_KERN) {
+ p->type_attr_map = malloc(p->p_types.nprim * sizeof(ebitmap_t));
+ p->attr_type_map = malloc(p->p_types.nprim * sizeof(ebitmap_t));
+ if (!p->type_attr_map || !p->attr_type_map)
+ goto bad;
+ for (i = 0; i < p->p_types.nprim; i++) {
+ ebitmap_init(&p->type_attr_map[i]);
+ ebitmap_init(&p->attr_type_map[i]);
+ }
+ for (i = 0; i < p->p_types.nprim; i++) {
+ if (r_policyvers >= POLICYDB_VERSION_AVTAB) {
+ if (ebitmap_read(&p->type_attr_map[i], fp))
+ goto bad;
+ ebitmap_for_each_bit(&p->type_attr_map[i],
+ tnode, j) {
+ if (!ebitmap_node_get_bit(tnode, j)
+ || i == j)
+ continue;
+ if (ebitmap_set_bit
+ (&p->attr_type_map[j], i, 1))
+ goto bad;
+ }
+ }
+ /* add the type itself as the degenerate case */
+ if (ebitmap_set_bit(&p->type_attr_map[i], i, 1))
+ goto bad;
+ }
+ }
+
+ return POLICYDB_SUCCESS;
+ bad:
+ return POLICYDB_ERROR;
+}
+
+int policydb_reindex_users(policydb_t * p)
+{
+ unsigned int i = SYM_USERS;
+
+ if (p->user_val_to_struct)
+ free(p->user_val_to_struct);
+ if (p->sym_val_to_name[i])
+ free(p->sym_val_to_name[i]);
+
+ p->user_val_to_struct = (user_datum_t **)
+ malloc(p->p_users.nprim * sizeof(user_datum_t *));
+ if (!p->user_val_to_struct)
+ return -1;
+
+ p->sym_val_to_name[i] = (char **)
+ malloc(p->symtab[i].nprim * sizeof(char *));
+ if (!p->sym_val_to_name[i])
+ return -1;
+
+ if (hashtab_map(p->symtab[i].table, index_f[i], p))
+ return -1;
+
+ /* Expand user roles for context validity checking */
+ if (hashtab_map(p->p_users.table, policydb_user_cache, p))
+ return -1;
+
+ return 0;
+}
+
+void policy_file_init(policy_file_t *pf)
+{
+ memset(pf, 0, sizeof(policy_file_t));
+}
+
+int policydb_set_target_platform(policydb_t *p, int platform)
+{
+ if (platform == SEPOL_TARGET_SELINUX)
+ p->target_platform = SEPOL_TARGET_SELINUX;
+ else if (platform == SEPOL_TARGET_XEN)
+ p->target_platform = SEPOL_TARGET_XEN;
+ else
+ return -1;
+
+ return 0;
+}
+
diff --git a/src/policydb_convert.c b/src/policydb_convert.c
new file mode 100644
index 0000000..32832bb
--- /dev/null
+++ b/src/policydb_convert.c
@@ -0,0 +1,100 @@
+#include <stdlib.h>
+
+#include "private.h"
+#include "debug.h"
+
+#include <sepol/policydb/policydb.h>
+
+/* Construct a policydb from the supplied (data, len) pair */
+
+int policydb_from_image(sepol_handle_t * handle,
+ void *data, size_t len, policydb_t * policydb)
+{
+
+ policy_file_t pf;
+
+ policy_file_init(&pf);
+ pf.type = PF_USE_MEMORY;
+ pf.data = data;
+ pf.len = len;
+ pf.handle = handle;
+
+ if (policydb_read(policydb, &pf, 0)) {
+ ERR(handle, "policy image is invalid");
+ errno = EINVAL;
+ return STATUS_ERR;
+ }
+
+ return STATUS_SUCCESS;
+}
+
+/* Write a policydb to a memory region, and return the (data, len) pair. */
+
+int policydb_to_image(sepol_handle_t * handle,
+ policydb_t * policydb, void **newdata, size_t * newlen)
+{
+
+ void *tmp_data = NULL;
+ size_t tmp_len;
+ policy_file_t pf;
+ struct policydb tmp_policydb;
+
+ /* Compute the length for the new policy image. */
+ policy_file_init(&pf);
+ pf.type = PF_LEN;
+ pf.handle = handle;
+ if (policydb_write(policydb, &pf)) {
+ ERR(handle, "could not compute policy length");
+ errno = EINVAL;
+ goto err;
+ }
+
+ /* Allocate the new policy image. */
+ pf.type = PF_USE_MEMORY;
+ pf.data = malloc(pf.len);
+ if (!pf.data) {
+ ERR(handle, "out of memory");
+ goto err;
+ }
+
+ /* Need to save len and data prior to modification by policydb_write. */
+ tmp_len = pf.len;
+ tmp_data = pf.data;
+
+ /* Write out the new policy image. */
+ if (policydb_write(policydb, &pf)) {
+ ERR(handle, "could not write policy");
+ errno = EINVAL;
+ goto err;
+ }
+
+ /* Verify the new policy image. */
+ pf.type = PF_USE_MEMORY;
+ pf.data = tmp_data;
+ pf.len = tmp_len;
+ if (policydb_init(&tmp_policydb)) {
+ ERR(handle, "Out of memory");
+ errno = ENOMEM;
+ goto err;
+ }
+ if (policydb_read(&tmp_policydb, &pf, 0)) {
+ ERR(handle, "new policy image is invalid");
+ errno = EINVAL;
+ goto err;
+ }
+ policydb_destroy(&tmp_policydb);
+
+ /* Update (newdata, newlen) */
+ *newdata = tmp_data;
+ *newlen = tmp_len;
+
+ /* Recover */
+ return STATUS_SUCCESS;
+
+ err:
+ ERR(handle, "could not create policy image");
+
+ /* Recover */
+ free(tmp_data);
+ return STATUS_ERR;
+}
diff --git a/src/policydb_internal.h b/src/policydb_internal.h
new file mode 100644
index 0000000..8a31506
--- /dev/null
+++ b/src/policydb_internal.h
@@ -0,0 +1,10 @@
+#ifndef _SEPOL_POLICYDB_INTERNAL_H_
+#define _SEPOL_POLICYDB_INTERNAL_H_
+
+#include <sepol/policydb.h>
+#include "dso.h"
+
+hidden_proto(sepol_policydb_create)
+ hidden_proto(sepol_policydb_free)
+extern char *policydb_target_strings[];
+#endif
diff --git a/src/policydb_public.c b/src/policydb_public.c
new file mode 100644
index 0000000..f6ae793
--- /dev/null
+++ b/src/policydb_public.c
@@ -0,0 +1,193 @@
+#include <stdlib.h>
+
+#include "debug.h"
+#include <sepol/policydb/policydb.h>
+#include "policydb_internal.h"
+
+/* Policy file interfaces. */
+
+int sepol_policy_file_create(sepol_policy_file_t ** pf)
+{
+ *pf = calloc(1, sizeof(sepol_policy_file_t));
+ if (!(*pf))
+ return -1;
+ return 0;
+}
+
+void sepol_policy_file_set_mem(sepol_policy_file_t * spf,
+ char *data, size_t len)
+{
+ struct policy_file *pf = &spf->pf;
+ if (!len) {
+ pf->type = PF_LEN;
+ return;
+ }
+ pf->type = PF_USE_MEMORY;
+ pf->data = data;
+ pf->len = len;
+ pf->size = len;
+ return;
+}
+
+void sepol_policy_file_set_fp(sepol_policy_file_t * spf, FILE * fp)
+{
+ struct policy_file *pf = &spf->pf;
+ pf->type = PF_USE_STDIO;
+ pf->fp = fp;
+ return;
+}
+
+int sepol_policy_file_get_len(sepol_policy_file_t * spf, size_t * len)
+{
+ struct policy_file *pf = &spf->pf;
+ if (pf->type != PF_LEN)
+ return -1;
+ *len = pf->len;
+ return 0;
+}
+
+void sepol_policy_file_set_handle(sepol_policy_file_t * pf,
+ sepol_handle_t * handle)
+{
+ pf->pf.handle = handle;
+}
+
+void sepol_policy_file_free(sepol_policy_file_t * pf)
+{
+ free(pf);
+}
+
+/* Policydb interfaces. */
+
+int sepol_policydb_create(sepol_policydb_t ** sp)
+{
+ policydb_t *p;
+ *sp = malloc(sizeof(sepol_policydb_t));
+ if (!(*sp))
+ return -1;
+ p = &(*sp)->p;
+ if (policydb_init(p)) {
+ free(*sp);
+ return -1;
+ }
+ return 0;
+}
+
+hidden_def(sepol_policydb_create)
+
+void sepol_policydb_free(sepol_policydb_t * p)
+{
+ if (!p)
+ return;
+ policydb_destroy(&p->p);
+ free(p);
+}
+
+hidden_def(sepol_policydb_free)
+
+int sepol_policy_kern_vers_min(void)
+{
+ return POLICYDB_VERSION_MIN;
+}
+
+int sepol_policy_kern_vers_max(void)
+{
+ return POLICYDB_VERSION_MAX;
+}
+
+int sepol_policydb_set_typevers(sepol_policydb_t * sp, unsigned int type)
+{
+ struct policydb *p = &sp->p;
+ switch (type) {
+ case POLICY_KERN:
+ p->policyvers = POLICYDB_VERSION_MAX;
+ break;
+ case POLICY_BASE:
+ case POLICY_MOD:
+ p->policyvers = MOD_POLICYDB_VERSION_MAX;
+ break;
+ default:
+ return -1;
+ }
+ p->policy_type = type;
+ return 0;
+}
+
+int sepol_policydb_set_vers(sepol_policydb_t * sp, unsigned int vers)
+{
+ struct policydb *p = &sp->p;
+ switch (p->policy_type) {
+ case POLICY_KERN:
+ if (vers < POLICYDB_VERSION_MIN || vers > POLICYDB_VERSION_MAX)
+ return -1;
+ break;
+ case POLICY_BASE:
+ case POLICY_MOD:
+ if (vers < MOD_POLICYDB_VERSION_MIN
+ || vers > MOD_POLICYDB_VERSION_MAX)
+ return -1;
+ break;
+ default:
+ return -1;
+ }
+ p->policyvers = vers;
+ return 0;
+}
+
+int sepol_policydb_set_handle_unknown(sepol_policydb_t * sp,
+ unsigned int handle_unknown)
+{
+ struct policydb *p = &sp->p;
+
+ switch (handle_unknown) {
+ case SEPOL_DENY_UNKNOWN:
+ case SEPOL_REJECT_UNKNOWN:
+ case SEPOL_ALLOW_UNKNOWN:
+ break;
+ default:
+ return -1;
+ }
+
+ p->handle_unknown = handle_unknown;
+ return 0;
+}
+
+int sepol_policydb_read(sepol_policydb_t * p, sepol_policy_file_t * pf)
+{
+ return policydb_read(&p->p, &pf->pf, 0);
+}
+
+int sepol_policydb_write(sepol_policydb_t * p, sepol_policy_file_t * pf)
+{
+ return policydb_write(&p->p, &pf->pf);
+}
+
+int sepol_policydb_from_image(sepol_handle_t * handle,
+ void *data, size_t len, sepol_policydb_t * p)
+{
+ return policydb_from_image(handle, data, len, &p->p);
+}
+
+int sepol_policydb_to_image(sepol_handle_t * handle,
+ sepol_policydb_t * p, void **newdata,
+ size_t * newlen)
+{
+ return policydb_to_image(handle, &p->p, newdata, newlen);
+}
+
+int sepol_policydb_mls_enabled(const sepol_policydb_t * p)
+{
+
+ return p->p.mls;
+}
+
+/*
+ * Enable compatibility mode for SELinux network checks iff
+ * the packet class is not defined in the policy.
+ */
+#define PACKET_CLASS_NAME "packet"
+int sepol_policydb_compat_net(const sepol_policydb_t * p)
+{
+ return (hashtab_search(p->p.p_classes.table, PACKET_CLASS_NAME) ==
+ NULL);
+}
diff --git a/src/port_internal.h b/src/port_internal.h
new file mode 100644
index 0000000..ffb5f65
--- /dev/null
+++ b/src/port_internal.h
@@ -0,0 +1,20 @@
+#ifndef _SEPOL_PORT_INTERNAL_H_
+#define _SEPOL_PORT_INTERNAL_H_
+
+#include <sepol/port_record.h>
+#include <sepol/ports.h>
+#include "dso.h"
+
+hidden_proto(sepol_port_create)
+ hidden_proto(sepol_port_free)
+ hidden_proto(sepol_port_get_con)
+ hidden_proto(sepol_port_get_high)
+ hidden_proto(sepol_port_get_low)
+ hidden_proto(sepol_port_get_proto)
+ hidden_proto(sepol_port_get_proto_str)
+ hidden_proto(sepol_port_key_create)
+ hidden_proto(sepol_port_key_unpack)
+ hidden_proto(sepol_port_set_con)
+ hidden_proto(sepol_port_set_proto)
+ hidden_proto(sepol_port_set_range)
+#endif
diff --git a/src/port_record.c b/src/port_record.c
new file mode 100644
index 0000000..6a33d93
--- /dev/null
+++ b/src/port_record.c
@@ -0,0 +1,288 @@
+#include <stdlib.h>
+#include <string.h>
+
+#include "port_internal.h"
+#include "context_internal.h"
+#include "debug.h"
+
+struct sepol_port {
+ /* Low - High range. Same for single ports. */
+ int low, high;
+
+ /* Protocol */
+ int proto;
+
+ /* Context */
+ sepol_context_t *con;
+};
+
+struct sepol_port_key {
+ /* Low - High range. Same for single ports. */
+ int low, high;
+
+ /* Protocol */
+ int proto;
+};
+
+/* Key */
+int sepol_port_key_create(sepol_handle_t * handle,
+ int low, int high, int proto,
+ sepol_port_key_t ** key_ptr)
+{
+
+ sepol_port_key_t *tmp_key =
+ (sepol_port_key_t *) malloc(sizeof(sepol_port_key_t));
+
+ if (!tmp_key) {
+ ERR(handle, "out of memory, could not create " "port key");
+ return STATUS_ERR;
+ }
+
+ tmp_key->low = low;
+ tmp_key->high = high;
+ tmp_key->proto = proto;
+
+ *key_ptr = tmp_key;
+ return STATUS_SUCCESS;
+}
+
+hidden_def(sepol_port_key_create)
+
+void sepol_port_key_unpack(const sepol_port_key_t * key,
+ int *low, int *high, int *proto)
+{
+
+ *low = key->low;
+ *high = key->high;
+ *proto = key->proto;
+}
+
+hidden_def(sepol_port_key_unpack)
+
+int sepol_port_key_extract(sepol_handle_t * handle,
+ const sepol_port_t * port,
+ sepol_port_key_t ** key_ptr)
+{
+
+ if (sepol_port_key_create
+ (handle, port->low, port->high, port->proto, key_ptr) < 0) {
+
+ ERR(handle, "could not extract key from port %s %d:%d",
+ sepol_port_get_proto_str(port->proto),
+ port->low, port->high);
+
+ return STATUS_ERR;
+ }
+
+ return STATUS_SUCCESS;
+}
+
+void sepol_port_key_free(sepol_port_key_t * key)
+{
+ free(key);
+}
+
+int sepol_port_compare(const sepol_port_t * port, const sepol_port_key_t * key)
+{
+
+ if ((port->low == key->low) &&
+ (port->high == key->high) && (port->proto == key->proto))
+ return 0;
+
+ if (port->low < key->low)
+ return -1;
+
+ else if (key->low < port->low)
+ return 1;
+
+ else if (port->high < key->high)
+ return -1;
+
+ else if (key->high < port->high)
+ return 1;
+
+ else if (port->proto < key->proto)
+ return -1;
+
+ else
+ return 1;
+}
+
+int sepol_port_compare2(const sepol_port_t * port, const sepol_port_t * port2)
+{
+
+ if ((port->low == port2->low) &&
+ (port->high == port2->high) && (port->proto == port2->proto))
+ return 0;
+
+ if (port->low < port2->low)
+ return -1;
+
+ else if (port2->low < port->low)
+ return 1;
+
+ else if (port->high < port2->high)
+ return -1;
+
+ else if (port2->high < port->high)
+ return 1;
+
+ else if (port->proto < port2->proto)
+ return -1;
+
+ else
+ return 1;
+}
+
+/* Port */
+int sepol_port_get_low(const sepol_port_t * port)
+{
+
+ return port->low;
+}
+
+hidden_def(sepol_port_get_low)
+
+int sepol_port_get_high(const sepol_port_t * port)
+{
+
+ return port->high;
+}
+
+hidden_def(sepol_port_get_high)
+
+void sepol_port_set_port(sepol_port_t * port, int port_num)
+{
+
+ port->low = port_num;
+ port->high = port_num;
+}
+
+void sepol_port_set_range(sepol_port_t * port, int low, int high)
+{
+
+ port->low = low;
+ port->high = high;
+}
+
+hidden_def(sepol_port_set_range)
+
+/* Protocol */
+int sepol_port_get_proto(const sepol_port_t * port)
+{
+
+ return port->proto;
+}
+
+hidden_def(sepol_port_get_proto)
+
+const char *sepol_port_get_proto_str(int proto)
+{
+
+ switch (proto) {
+ case SEPOL_PROTO_UDP:
+ return "udp";
+ case SEPOL_PROTO_TCP:
+ return "tcp";
+ default:
+ return "???";
+ }
+}
+
+hidden_def(sepol_port_get_proto_str)
+
+void sepol_port_set_proto(sepol_port_t * port, int proto)
+{
+
+ port->proto = proto;
+}
+
+hidden_def(sepol_port_set_proto)
+
+/* Create */
+int sepol_port_create(sepol_handle_t * handle, sepol_port_t ** port)
+{
+
+ sepol_port_t *tmp_port = (sepol_port_t *) malloc(sizeof(sepol_port_t));
+
+ if (!tmp_port) {
+ ERR(handle, "out of memory, could not create " "port record");
+ return STATUS_ERR;
+ }
+
+ tmp_port->low = 0;
+ tmp_port->high = 0;
+ tmp_port->proto = SEPOL_PROTO_UDP;
+ tmp_port->con = NULL;
+ *port = tmp_port;
+
+ return STATUS_SUCCESS;
+}
+
+hidden_def(sepol_port_create)
+
+/* Deep copy clone */
+int sepol_port_clone(sepol_handle_t * handle,
+ const sepol_port_t * port, sepol_port_t ** port_ptr)
+{
+
+ sepol_port_t *new_port = NULL;
+ if (sepol_port_create(handle, &new_port) < 0)
+ goto err;
+
+ new_port->low = port->low;
+ new_port->high = port->high;
+ new_port->proto = port->proto;
+
+ if (port->con &&
+ (sepol_context_clone(handle, port->con, &new_port->con) < 0))
+ goto err;
+
+ *port_ptr = new_port;
+ return STATUS_SUCCESS;
+
+ err:
+ ERR(handle, "could not clone port record");
+ sepol_port_free(new_port);
+ return STATUS_ERR;
+}
+
+/* Destroy */
+void sepol_port_free(sepol_port_t * port)
+{
+
+ if (!port)
+ return;
+
+ sepol_context_free(port->con);
+ free(port);
+}
+
+hidden_def(sepol_port_free)
+
+/* Context */
+sepol_context_t *sepol_port_get_con(const sepol_port_t * port)
+{
+
+ return port->con;
+}
+
+hidden_def(sepol_port_get_con)
+
+int sepol_port_set_con(sepol_handle_t * handle,
+ sepol_port_t * port, sepol_context_t * con)
+{
+
+ sepol_context_t *newcon;
+
+ if (sepol_context_clone(handle, con, &newcon) < 0) {
+ ERR(handle, "out of memory, could not set port context");
+ return STATUS_ERR;
+ }
+
+ sepol_context_free(port->con);
+ port->con = newcon;
+ return STATUS_SUCCESS;
+}
+
+hidden_def(sepol_port_set_con)
diff --git a/src/ports.c b/src/ports.c
new file mode 100644
index 0000000..cbf2a0b
--- /dev/null
+++ b/src/ports.c
@@ -0,0 +1,312 @@
+#include <netinet/in.h>
+#include <stdlib.h>
+
+#include "debug.h"
+#include "context.h"
+#include "handle.h"
+
+#include <sepol/policydb/policydb.h>
+#include "port_internal.h"
+
+static inline int sepol2ipproto(sepol_handle_t * handle, int proto)
+{
+
+ switch (proto) {
+ case SEPOL_PROTO_TCP:
+ return IPPROTO_TCP;
+ case SEPOL_PROTO_UDP:
+ return IPPROTO_UDP;
+ default:
+ ERR(handle, "unsupported protocol %u", proto);
+ return STATUS_ERR;
+ }
+}
+
+static inline int ipproto2sepol(sepol_handle_t * handle, int proto)
+{
+
+ switch (proto) {
+ case IPPROTO_TCP:
+ return SEPOL_PROTO_TCP;
+ case IPPROTO_UDP:
+ return SEPOL_PROTO_UDP;
+ default:
+ ERR(handle, "invalid protocol %u " "found in policy", proto);
+ return STATUS_ERR;
+ }
+}
+
+/* Create a low level port structure from
+ * a high level representation */
+static int port_from_record(sepol_handle_t * handle,
+ const policydb_t * policydb,
+ ocontext_t ** port, const sepol_port_t * data)
+{
+
+ ocontext_t *tmp_port = NULL;
+ context_struct_t *tmp_con = NULL;
+ int tmp_proto;
+
+ int low = sepol_port_get_low(data);
+ int high = sepol_port_get_high(data);
+ int proto = sepol_port_get_proto(data);
+
+ tmp_port = (ocontext_t *) calloc(1, sizeof(ocontext_t));
+ if (!tmp_port)
+ goto omem;
+
+ /* Process protocol */
+ tmp_proto = sepol2ipproto(handle, proto);
+ if (tmp_proto < 0)
+ goto err;
+ tmp_port->u.port.protocol = tmp_proto;
+
+ /* Port range */
+ tmp_port->u.port.low_port = low;
+ tmp_port->u.port.high_port = high;
+ if (tmp_port->u.port.low_port > tmp_port->u.port.high_port) {
+ ERR(handle, "low port %d exceeds high port %d",
+ tmp_port->u.port.low_port, tmp_port->u.port.high_port);
+ goto err;
+ }
+
+ /* Context */
+ if (context_from_record(handle, policydb, &tmp_con,
+ sepol_port_get_con(data)) < 0)
+ goto err;
+ context_cpy(&tmp_port->context[0], tmp_con);
+ context_destroy(tmp_con);
+ free(tmp_con);
+ tmp_con = NULL;
+
+ *port = tmp_port;
+ return STATUS_SUCCESS;
+
+ omem:
+ ERR(handle, "out of memory");
+
+ err:
+ if (tmp_port != NULL) {
+ context_destroy(&tmp_port->context[0]);
+ free(tmp_port);
+ }
+ context_destroy(tmp_con);
+ free(tmp_con);
+ ERR(handle, "could not create port structure for range %u:%u (%s)",
+ low, high, sepol_port_get_proto_str(proto));
+ return STATUS_ERR;
+}
+
+static int port_to_record(sepol_handle_t * handle,
+ const policydb_t * policydb,
+ ocontext_t * port, sepol_port_t ** record)
+{
+
+ int proto = port->u.port.protocol;
+ int low = port->u.port.low_port;
+ int high = port->u.port.high_port;
+ context_struct_t *con = &port->context[0];
+ int rec_proto = -1;
+
+ sepol_context_t *tmp_con = NULL;
+ sepol_port_t *tmp_record = NULL;
+
+ if (sepol_port_create(handle, &tmp_record) < 0)
+ goto err;
+
+ rec_proto = ipproto2sepol(handle, proto);
+ if (rec_proto < 0)
+ goto err;
+
+ sepol_port_set_proto(tmp_record, rec_proto);
+ sepol_port_set_range(tmp_record, low, high);
+
+ if (context_to_record(handle, policydb, con, &tmp_con) < 0)
+ goto err;
+
+ if (sepol_port_set_con(handle, tmp_record, tmp_con) < 0)
+ goto err;
+
+ sepol_context_free(tmp_con);
+ *record = tmp_record;
+ return STATUS_SUCCESS;
+
+ err:
+ ERR(handle, "could not convert port range %u - %u (%s) "
+ "to record", low, high, sepol_port_get_proto_str(rec_proto));
+ sepol_context_free(tmp_con);
+ sepol_port_free(tmp_record);
+ return STATUS_ERR;
+}
+
+/* Return the number of ports */
+extern int sepol_port_count(sepol_handle_t * handle __attribute__ ((unused)),
+ const sepol_policydb_t * p, unsigned int *response)
+{
+
+ unsigned int count = 0;
+ ocontext_t *c, *head;
+ const policydb_t *policydb = &p->p;
+
+ head = policydb->ocontexts[OCON_PORT];
+ for (c = head; c != NULL; c = c->next)
+ count++;
+
+ *response = count;
+
+ handle = NULL;
+ return STATUS_SUCCESS;
+}
+
+/* Check if a port exists */
+int sepol_port_exists(sepol_handle_t * handle,
+ const sepol_policydb_t * p,
+ const sepol_port_key_t * key, int *response)
+{
+
+ const policydb_t *policydb = &p->p;
+ ocontext_t *c, *head;
+
+ int low, high, proto;
+ const char *proto_str;
+ sepol_port_key_unpack(key, &low, &high, &proto);
+ proto_str = sepol_port_get_proto_str(proto);
+ proto = sepol2ipproto(handle, proto);
+ if (proto < 0)
+ goto err;
+
+ head = policydb->ocontexts[OCON_PORT];
+ for (c = head; c; c = c->next) {
+ int proto2 = c->u.port.protocol;
+ int low2 = c->u.port.low_port;
+ int high2 = c->u.port.high_port;
+
+ if (proto == proto2 && low2 == low && high2 == high) {
+ *response = 1;
+ return STATUS_SUCCESS;
+ }
+ }
+
+ *response = 0;
+ return STATUS_SUCCESS;
+
+ err:
+ ERR(handle, "could not check if port range %u - %u (%s) exists",
+ low, high, proto_str);
+ return STATUS_ERR;
+}
+
+/* Query a port */
+int sepol_port_query(sepol_handle_t * handle,
+ const sepol_policydb_t * p,
+ const sepol_port_key_t * key, sepol_port_t ** response)
+{
+
+ const policydb_t *policydb = &p->p;
+ ocontext_t *c, *head;
+
+ int low, high, proto;
+ const char *proto_str;
+ sepol_port_key_unpack(key, &low, &high, &proto);
+ proto_str = sepol_port_get_proto_str(proto);
+ proto = sepol2ipproto(handle, proto);
+ if (proto < 0)
+ goto err;
+
+ head = policydb->ocontexts[OCON_PORT];
+ for (c = head; c; c = c->next) {
+ int proto2 = c->u.port.protocol;
+ int low2 = c->u.port.low_port;
+ int high2 = c->u.port.high_port;
+
+ if (proto == proto2 && low2 == low && high2 == high) {
+ if (port_to_record(handle, policydb, c, response) < 0)
+ goto err;
+ return STATUS_SUCCESS;
+ }
+ }
+
+ *response = NULL;
+ return STATUS_SUCCESS;
+
+ err:
+ ERR(handle, "could not query port range %u - %u (%s)",
+ low, high, proto_str);
+ return STATUS_ERR;
+
+}
+
+/* Load a port into policy */
+int sepol_port_modify(sepol_handle_t * handle,
+ sepol_policydb_t * p,
+ const sepol_port_key_t * key, const sepol_port_t * data)
+{
+
+ policydb_t *policydb = &p->p;
+ ocontext_t *port = NULL;
+
+ int low, high, proto;
+ const char *proto_str;
+
+ sepol_port_key_unpack(key, &low, &high, &proto);
+ proto_str = sepol_port_get_proto_str(proto);
+ proto = sepol2ipproto(handle, proto);
+ if (proto < 0)
+ goto err;
+
+ if (port_from_record(handle, policydb, &port, data) < 0)
+ goto err;
+
+ /* Attach to context list */
+ port->next = policydb->ocontexts[OCON_PORT];
+ policydb->ocontexts[OCON_PORT] = port;
+
+ return STATUS_SUCCESS;
+
+ err:
+ ERR(handle, "could not load port range %u - %u (%s)",
+ low, high, proto_str);
+ if (port != NULL) {
+ context_destroy(&port->context[0]);
+ free(port);
+ }
+ return STATUS_ERR;
+}
+
+int sepol_port_iterate(sepol_handle_t * handle,
+ const sepol_policydb_t * p,
+ int (*fn) (const sepol_port_t * port,
+ void *fn_arg), void *arg)
+{
+
+ const policydb_t *policydb = &p->p;
+ ocontext_t *c, *head;
+ sepol_port_t *port = NULL;
+
+ head = policydb->ocontexts[OCON_PORT];
+ for (c = head; c; c = c->next) {
+ int status;
+
+ if (port_to_record(handle, policydb, c, &port) < 0)
+ goto err;
+
+ /* Invoke handler */
+ status = fn(port, arg);
+ if (status < 0)
+ goto err;
+
+ sepol_port_free(port);
+ port = NULL;
+
+ /* Handler requested exit */
+ if (status > 0)
+ break;
+ }
+
+ return STATUS_SUCCESS;
+
+ err:
+ ERR(handle, "could not iterate over ports");
+ sepol_port_free(port);
+ return STATUS_ERR;
+}
diff --git a/src/private.h b/src/private.h
new file mode 100644
index 0000000..b2b247e
--- /dev/null
+++ b/src/private.h
@@ -0,0 +1,49 @@
+/* Private definitions for libsepol. */
+
+/* Endian conversion for reading and writing binary policies */
+
+#include <sepol/policydb/policydb.h>
+
+#include <byteswap.h>
+#include <endian.h>
+#include <errno.h>
+#include <dso.h>
+
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+#define cpu_to_le16(x) (x)
+#define le16_to_cpu(x) (x)
+#define cpu_to_le32(x) (x)
+#define le32_to_cpu(x) (x)
+#define cpu_to_le64(x) (x)
+#define le64_to_cpu(x) (x)
+#else
+#define cpu_to_le16(x) bswap_16(x)
+#define le16_to_cpu(x) bswap_16(x)
+#define cpu_to_le32(x) bswap_32(x)
+#define le32_to_cpu(x) bswap_32(x)
+#define cpu_to_le64(x) bswap_64(x)
+#define le64_to_cpu(x) bswap_64(x)
+#endif
+
+#undef min
+#define min(a,b) (((a) < (b)) ? (a) : (b))
+
+#define ARRAY_SIZE(x) (sizeof(x)/sizeof((x)[0]))
+
+/* Policy compatibility information. */
+struct policydb_compat_info {
+ unsigned int type;
+ unsigned int version;
+ unsigned int sym_num;
+ unsigned int ocon_num;
+ unsigned int target_platform;
+};
+
+extern struct policydb_compat_info *policydb_lookup_compat(unsigned int version,
+ unsigned int type,
+ unsigned int target_platform);
+
+/* Reading from a policy "file". */
+extern int next_entry(void *buf, struct policy_file *fp, size_t bytes) hidden;
+extern size_t put_entry(const void *ptr, size_t size, size_t n,
+ struct policy_file *fp) hidden;
diff --git a/src/roles.c b/src/roles.c
new file mode 100644
index 0000000..419a3b2
--- /dev/null
+++ b/src/roles.c
@@ -0,0 +1,55 @@
+#include <stdlib.h>
+#include <string.h>
+
+#include <sepol/policydb/hashtab.h>
+#include <sepol/policydb/policydb.h>
+
+#include "debug.h"
+#include "handle.h"
+
+/* Check if a role exists */
+int sepol_role_exists(sepol_handle_t * handle __attribute__ ((unused)),
+ sepol_policydb_t * p, const char *role, int *response)
+{
+
+ policydb_t *policydb = &p->p;
+ *response = (hashtab_search(policydb->p_roles.table,
+ (const hashtab_key_t)role) != NULL);
+
+ handle = NULL;
+ return STATUS_SUCCESS;
+}
+
+/* Fill an array with all valid roles */
+int sepol_role_list(sepol_handle_t * handle,
+ sepol_policydb_t * p, char ***roles, unsigned int *nroles)
+{
+
+ policydb_t *policydb = &p->p;
+ unsigned int tmp_nroles = policydb->p_roles.nprim;
+ char **tmp_roles = (char **)malloc(tmp_nroles * sizeof(char *));
+ char **ptr;
+ unsigned int i;
+ if (!tmp_roles)
+ goto omem;
+
+ for (i = 0; i < tmp_nroles; i++) {
+ tmp_roles[i] = strdup(policydb->p_role_val_to_name[i]);
+ if (!tmp_roles[i])
+ goto omem;
+ }
+
+ *nroles = tmp_nroles;
+ *roles = tmp_roles;
+
+ return STATUS_SUCCESS;
+
+ omem:
+ ERR(handle, "out of memory, could not list roles");
+
+ ptr = tmp_roles;
+ while (ptr && *ptr)
+ free(*ptr++);
+ free(tmp_roles);
+ return STATUS_ERR;
+}
diff --git a/src/services.c b/src/services.c
new file mode 100644
index 0000000..9c2920c
--- /dev/null
+++ b/src/services.c
@@ -0,0 +1,1469 @@
+
+/*
+ * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
+ */
+/*
+ * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
+ *
+ * Support for enhanced MLS infrastructure.
+ *
+ * Updated: Frank Mayer <mayerf@tresys.com>
+ * and Karl MacMillan <kmacmillan@tresys.com>
+ *
+ * Added conditional policy language extensions
+ *
+ * Updated: Red Hat, Inc. James Morris <jmorris@redhat.com>
+ *
+ * Fine-grained netlink support
+ * IPv6 support
+ * Code cleanup
+ *
+ * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
+ * Copyright (C) 2003 - 2004 Tresys Technology, LLC
+ * Copyright (C) 2003 - 2004 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+/* FLASK */
+
+/*
+ * Implementation of the security services.
+ */
+
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/sidtab.h>
+#include <sepol/policydb/services.h>
+#include <sepol/policydb/conditional.h>
+#include <sepol/policydb/flask.h>
+
+#include "debug.h"
+#include "private.h"
+#include "context.h"
+#include "av_permissions.h"
+#include "dso.h"
+#include "mls.h"
+
+#define BUG() do { ERR(NULL, "Badness at %s:%d", __FILE__, __LINE__); } while (0)
+#define BUG_ON(x) do { if (x) ERR(NULL, "Badness at %s:%d", __FILE__, __LINE__); } while (0)
+
+static int selinux_enforcing = 1;
+
+static sidtab_t mysidtab, *sidtab = &mysidtab;
+static policydb_t mypolicydb, *policydb = &mypolicydb;
+
+int hidden sepol_set_sidtab(sidtab_t * s)
+{
+ sidtab = s;
+ return 0;
+}
+
+int hidden sepol_set_policydb(policydb_t * p)
+{
+ policydb = p;
+ return 0;
+}
+
+int sepol_set_policydb_from_file(FILE * fp)
+{
+ struct policy_file pf;
+
+ policy_file_init(&pf);
+ pf.fp = fp;
+ pf.type = PF_USE_STDIO;
+ if (mypolicydb.policy_type)
+ policydb_destroy(&mypolicydb);
+ if (policydb_init(&mypolicydb)) {
+ ERR(NULL, "Out of memory!");
+ return -1;
+ }
+ if (policydb_read(&mypolicydb, &pf, 0)) {
+ ERR(NULL, "can't read binary policy: %s", strerror(errno));
+ return -1;
+ }
+ policydb = &mypolicydb;
+ return sepol_sidtab_init(sidtab);
+}
+
+/*
+ * The largest sequence number that has been used when
+ * providing an access decision to the access vector cache.
+ * The sequence number only changes when a policy change
+ * occurs.
+ */
+static uint32_t latest_granting = 0;
+
+/*
+ * Return the boolean value of a constraint expression
+ * when it is applied to the specified source and target
+ * security contexts.
+ *
+ * xcontext is a special beast... It is used by the validatetrans rules
+ * only. For these rules, scontext is the context before the transition,
+ * tcontext is the context after the transition, and xcontext is the context
+ * of the process performing the transition. All other callers of
+ * constraint_expr_eval should pass in NULL for xcontext.
+ */
+static int constraint_expr_eval(context_struct_t * scontext,
+ context_struct_t * tcontext,
+ context_struct_t * xcontext,
+ constraint_expr_t * cexpr)
+{
+ uint32_t val1, val2;
+ context_struct_t *c;
+ role_datum_t *r1, *r2;
+ mls_level_t *l1, *l2;
+ constraint_expr_t *e;
+ int s[CEXPR_MAXDEPTH];
+ int sp = -1;
+
+ for (e = cexpr; e; e = e->next) {
+ switch (e->expr_type) {
+ case CEXPR_NOT:
+ BUG_ON(sp < 0);
+ s[sp] = !s[sp];
+ break;
+ case CEXPR_AND:
+ BUG_ON(sp < 1);
+ sp--;
+ s[sp] &= s[sp + 1];
+ break;
+ case CEXPR_OR:
+ BUG_ON(sp < 1);
+ sp--;
+ s[sp] |= s[sp + 1];
+ break;
+ case CEXPR_ATTR:
+ if (sp == (CEXPR_MAXDEPTH - 1))
+ return 0;
+ switch (e->attr) {
+ case CEXPR_USER:
+ val1 = scontext->user;
+ val2 = tcontext->user;
+ break;
+ case CEXPR_TYPE:
+ val1 = scontext->type;
+ val2 = tcontext->type;
+ break;
+ case CEXPR_ROLE:
+ val1 = scontext->role;
+ val2 = tcontext->role;
+ r1 = policydb->role_val_to_struct[val1 - 1];
+ r2 = policydb->role_val_to_struct[val2 - 1];
+ switch (e->op) {
+ case CEXPR_DOM:
+ s[++sp] =
+ ebitmap_get_bit(&r1->dominates,
+ val2 - 1);
+ continue;
+ case CEXPR_DOMBY:
+ s[++sp] =
+ ebitmap_get_bit(&r2->dominates,
+ val1 - 1);
+ continue;
+ case CEXPR_INCOMP:
+ s[++sp] =
+ (!ebitmap_get_bit
+ (&r1->dominates, val2 - 1)
+ && !ebitmap_get_bit(&r2->dominates,
+ val1 - 1));
+ continue;
+ default:
+ break;
+ }
+ break;
+ case CEXPR_L1L2:
+ l1 = &(scontext->range.level[0]);
+ l2 = &(tcontext->range.level[0]);
+ goto mls_ops;
+ case CEXPR_L1H2:
+ l1 = &(scontext->range.level[0]);
+ l2 = &(tcontext->range.level[1]);
+ goto mls_ops;
+ case CEXPR_H1L2:
+ l1 = &(scontext->range.level[1]);
+ l2 = &(tcontext->range.level[0]);
+ goto mls_ops;
+ case CEXPR_H1H2:
+ l1 = &(scontext->range.level[1]);
+ l2 = &(tcontext->range.level[1]);
+ goto mls_ops;
+ case CEXPR_L1H1:
+ l1 = &(scontext->range.level[0]);
+ l2 = &(scontext->range.level[1]);
+ goto mls_ops;
+ case CEXPR_L2H2:
+ l1 = &(tcontext->range.level[0]);
+ l2 = &(tcontext->range.level[1]);
+ goto mls_ops;
+ mls_ops:
+ switch (e->op) {
+ case CEXPR_EQ:
+ s[++sp] = mls_level_eq(l1, l2);
+ continue;
+ case CEXPR_NEQ:
+ s[++sp] = !mls_level_eq(l1, l2);
+ continue;
+ case CEXPR_DOM:
+ s[++sp] = mls_level_dom(l1, l2);
+ continue;
+ case CEXPR_DOMBY:
+ s[++sp] = mls_level_dom(l2, l1);
+ continue;
+ case CEXPR_INCOMP:
+ s[++sp] = mls_level_incomp(l2, l1);
+ continue;
+ default:
+ BUG();
+ return 0;
+ }
+ break;
+ default:
+ BUG();
+ return 0;
+ }
+
+ switch (e->op) {
+ case CEXPR_EQ:
+ s[++sp] = (val1 == val2);
+ break;
+ case CEXPR_NEQ:
+ s[++sp] = (val1 != val2);
+ break;
+ default:
+ BUG();
+ return 0;
+ }
+ break;
+ case CEXPR_NAMES:
+ if (sp == (CEXPR_MAXDEPTH - 1))
+ return 0;
+ c = scontext;
+ if (e->attr & CEXPR_TARGET)
+ c = tcontext;
+ else if (e->attr & CEXPR_XTARGET) {
+ c = xcontext;
+ if (!c) {
+ BUG();
+ return 0;
+ }
+ }
+ if (e->attr & CEXPR_USER)
+ val1 = c->user;
+ else if (e->attr & CEXPR_ROLE)
+ val1 = c->role;
+ else if (e->attr & CEXPR_TYPE)
+ val1 = c->type;
+ else {
+ BUG();
+ return 0;
+ }
+
+ switch (e->op) {
+ case CEXPR_EQ:
+ s[++sp] = ebitmap_get_bit(&e->names, val1 - 1);
+ break;
+ case CEXPR_NEQ:
+ s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1);
+ break;
+ default:
+ BUG();
+ return 0;
+ }
+ break;
+ default:
+ BUG();
+ return 0;
+ }
+ }
+
+ BUG_ON(sp != 0);
+ return s[0];
+}
+
+/*
+ * Compute access vectors based on a context structure pair for
+ * the permissions in a particular class.
+ */
+static int context_struct_compute_av(context_struct_t * scontext,
+ context_struct_t * tcontext,
+ sepol_security_class_t tclass,
+ sepol_access_vector_t requested,
+ struct sepol_av_decision *avd,
+ unsigned int *reason)
+{
+ constraint_node_t *constraint;
+ struct role_allow *ra;
+ avtab_key_t avkey;
+ class_datum_t *tclass_datum;
+ avtab_ptr_t node;
+ ebitmap_t *sattr, *tattr;
+ ebitmap_node_t *snode, *tnode;
+ unsigned int i, j;
+
+ if (!tclass || tclass > policydb->p_classes.nprim) {
+ ERR(NULL, "unrecognized class %d", tclass);
+ return -EINVAL;
+ }
+ tclass_datum = policydb->class_val_to_struct[tclass - 1];
+
+ /*
+ * Initialize the access vectors to the default values.
+ */
+ avd->allowed = 0;
+ avd->decided = 0xffffffff;
+ avd->auditallow = 0;
+ avd->auditdeny = 0xffffffff;
+ avd->seqno = latest_granting;
+ *reason = 0;
+
+ /*
+ * If a specific type enforcement rule was defined for
+ * this permission check, then use it.
+ */
+ avkey.target_class = tclass;
+ avkey.specified = AVTAB_AV;
+ sattr = &policydb->type_attr_map[scontext->type - 1];
+ tattr = &policydb->type_attr_map[tcontext->type - 1];
+ ebitmap_for_each_bit(sattr, snode, i) {
+ if (!ebitmap_node_get_bit(snode, i))
+ continue;
+ ebitmap_for_each_bit(tattr, tnode, j) {
+ if (!ebitmap_node_get_bit(tnode, j))
+ continue;
+ avkey.source_type = i + 1;
+ avkey.target_type = j + 1;
+ for (node =
+ avtab_search_node(&policydb->te_avtab, &avkey);
+ node != NULL;
+ node =
+ avtab_search_node_next(node, avkey.specified)) {
+ if (node->key.specified == AVTAB_ALLOWED)
+ avd->allowed |= node->datum.data;
+ else if (node->key.specified ==
+ AVTAB_AUDITALLOW)
+ avd->auditallow |= node->datum.data;
+ else if (node->key.specified == AVTAB_AUDITDENY)
+ avd->auditdeny &= node->datum.data;
+ }
+
+ /* Check conditional av table for additional permissions */
+ cond_compute_av(&policydb->te_cond_avtab, &avkey, avd);
+
+ }
+ }
+
+ if (requested & ~avd->allowed) {
+ *reason |= SEPOL_COMPUTEAV_TE;
+ requested &= avd->allowed;
+ }
+
+ /*
+ * Remove any permissions prohibited by a constraint (this includes
+ * the MLS policy).
+ */
+ constraint = tclass_datum->constraints;
+ while (constraint) {
+ if ((constraint->permissions & (avd->allowed)) &&
+ !constraint_expr_eval(scontext, tcontext, NULL,
+ constraint->expr)) {
+ avd->allowed =
+ (avd->allowed) & ~(constraint->permissions);
+ }
+ constraint = constraint->next;
+ }
+
+ if (requested & ~avd->allowed) {
+ *reason |= SEPOL_COMPUTEAV_CONS;
+ requested &= avd->allowed;
+ }
+
+ /*
+ * If checking process transition permission and the
+ * role is changing, then check the (current_role, new_role)
+ * pair.
+ */
+ if (tclass == SECCLASS_PROCESS &&
+ (avd->allowed & (PROCESS__TRANSITION | PROCESS__DYNTRANSITION)) &&
+ scontext->role != tcontext->role) {
+ for (ra = policydb->role_allow; ra; ra = ra->next) {
+ if (scontext->role == ra->role &&
+ tcontext->role == ra->new_role)
+ break;
+ }
+ if (!ra)
+ avd->allowed = (avd->allowed) & ~(PROCESS__TRANSITION |
+ PROCESS__DYNTRANSITION);
+ }
+
+ if (requested & ~avd->allowed) {
+ *reason |= SEPOL_COMPUTEAV_RBAC;
+ requested &= avd->allowed;
+ }
+
+ return 0;
+}
+
+int hidden sepol_validate_transition(sepol_security_id_t oldsid,
+ sepol_security_id_t newsid,
+ sepol_security_id_t tasksid,
+ sepol_security_class_t tclass)
+{
+ context_struct_t *ocontext;
+ context_struct_t *ncontext;
+ context_struct_t *tcontext;
+ class_datum_t *tclass_datum;
+ constraint_node_t *constraint;
+
+ if (!tclass || tclass > policydb->p_classes.nprim) {
+ ERR(NULL, "unrecognized class %d", tclass);
+ return -EINVAL;
+ }
+ tclass_datum = policydb->class_val_to_struct[tclass - 1];
+
+ ocontext = sepol_sidtab_search(sidtab, oldsid);
+ if (!ocontext) {
+ ERR(NULL, "unrecognized SID %d", oldsid);
+ return -EINVAL;
+ }
+
+ ncontext = sepol_sidtab_search(sidtab, newsid);
+ if (!ncontext) {
+ ERR(NULL, "unrecognized SID %d", newsid);
+ return -EINVAL;
+ }
+
+ tcontext = sepol_sidtab_search(sidtab, tasksid);
+ if (!tcontext) {
+ ERR(NULL, "unrecognized SID %d", tasksid);
+ return -EINVAL;
+ }
+
+ constraint = tclass_datum->validatetrans;
+ while (constraint) {
+ if (!constraint_expr_eval(ocontext, ncontext, tcontext,
+ constraint->expr)) {
+ return -EPERM;
+ }
+ constraint = constraint->next;
+ }
+
+ return 0;
+}
+
+int hidden sepol_compute_av_reason(sepol_security_id_t ssid,
+ sepol_security_id_t tsid,
+ sepol_security_class_t tclass,
+ sepol_access_vector_t requested,
+ struct sepol_av_decision *avd,
+ unsigned int *reason)
+{
+ context_struct_t *scontext = 0, *tcontext = 0;
+ int rc = 0;
+
+ scontext = sepol_sidtab_search(sidtab, ssid);
+ if (!scontext) {
+ ERR(NULL, "unrecognized SID %d", ssid);
+ rc = -EINVAL;
+ goto out;
+ }
+ tcontext = sepol_sidtab_search(sidtab, tsid);
+ if (!tcontext) {
+ ERR(NULL, "unrecognized SID %d", tsid);
+ rc = -EINVAL;
+ goto out;
+ }
+
+ rc = context_struct_compute_av(scontext, tcontext, tclass,
+ requested, avd, reason);
+ out:
+ return rc;
+}
+
+int hidden sepol_compute_av(sepol_security_id_t ssid,
+ sepol_security_id_t tsid,
+ sepol_security_class_t tclass,
+ sepol_access_vector_t requested,
+ struct sepol_av_decision *avd)
+{
+ unsigned int reason = 0;
+ return sepol_compute_av_reason(ssid, tsid, tclass, requested, avd,
+ &reason);
+}
+
+/*
+ * Write the security context string representation of
+ * the context associated with `sid' into a dynamically
+ * allocated string of the correct size. Set `*scontext'
+ * to point to this string and set `*scontext_len' to
+ * the length of the string.
+ */
+int hidden sepol_sid_to_context(sepol_security_id_t sid,
+ sepol_security_context_t * scontext,
+ size_t * scontext_len)
+{
+ context_struct_t *context;
+ int rc = 0;
+
+ context = sepol_sidtab_search(sidtab, sid);
+ if (!context) {
+ ERR(NULL, "unrecognized SID %d", sid);
+ rc = -EINVAL;
+ goto out;
+ }
+ rc = context_to_string(NULL, policydb, context, scontext, scontext_len);
+ out:
+ return rc;
+
+}
+
+/*
+ * Return a SID associated with the security context that
+ * has the string representation specified by `scontext'.
+ */
+int hidden sepol_context_to_sid(const sepol_security_context_t scontext,
+ size_t scontext_len, sepol_security_id_t * sid)
+{
+
+ context_struct_t *context = NULL;
+
+ /* First, create the context */
+ if (context_from_string(NULL, policydb, &context,
+ scontext, scontext_len) < 0)
+ goto err;
+
+ /* Obtain the new sid */
+ if (sid && (sepol_sidtab_context_to_sid(sidtab, context, sid) < 0))
+ goto err;
+
+ context_destroy(context);
+ free(context);
+ return STATUS_SUCCESS;
+
+ err:
+ if (context) {
+ context_destroy(context);
+ free(context);
+ }
+ ERR(NULL, "could not convert %s to sid", scontext);
+ return STATUS_ERR;
+}
+
+static inline int compute_sid_handle_invalid_context(context_struct_t *
+ scontext,
+ context_struct_t *
+ tcontext,
+ sepol_security_class_t
+ tclass,
+ context_struct_t *
+ newcontext)
+{
+ if (selinux_enforcing) {
+ return -EACCES;
+ } else {
+ sepol_security_context_t s, t, n;
+ size_t slen, tlen, nlen;
+
+ context_to_string(NULL, policydb, scontext, &s, &slen);
+ context_to_string(NULL, policydb, tcontext, &t, &tlen);
+ context_to_string(NULL, policydb, newcontext, &n, &nlen);
+ ERR(NULL, "invalid context %s for "
+ "scontext=%s tcontext=%s tclass=%s",
+ n, s, t, policydb->p_class_val_to_name[tclass - 1]);
+ free(s);
+ free(t);
+ free(n);
+ return 0;
+ }
+}
+
+static int sepol_compute_sid(sepol_security_id_t ssid,
+ sepol_security_id_t tsid,
+ sepol_security_class_t tclass,
+ uint32_t specified, sepol_security_id_t * out_sid)
+{
+ context_struct_t *scontext = 0, *tcontext = 0, newcontext;
+ struct role_trans *roletr = 0;
+ avtab_key_t avkey;
+ avtab_datum_t *avdatum;
+ avtab_ptr_t node;
+ int rc = 0;
+
+ scontext = sepol_sidtab_search(sidtab, ssid);
+ if (!scontext) {
+ ERR(NULL, "unrecognized SID %d", ssid);
+ rc = -EINVAL;
+ goto out;
+ }
+ tcontext = sepol_sidtab_search(sidtab, tsid);
+ if (!tcontext) {
+ ERR(NULL, "unrecognized SID %d", tsid);
+ rc = -EINVAL;
+ goto out;
+ }
+
+ context_init(&newcontext);
+
+ /* Set the user identity. */
+ switch (specified) {
+ case AVTAB_TRANSITION:
+ case AVTAB_CHANGE:
+ /* Use the process user identity. */
+ newcontext.user = scontext->user;
+ break;
+ case AVTAB_MEMBER:
+ /* Use the related object owner. */
+ newcontext.user = tcontext->user;
+ break;
+ }
+
+ /* Set the role and type to default values. */
+ switch (tclass) {
+ case SECCLASS_PROCESS:
+ /* Use the current role and type of process. */
+ newcontext.role = scontext->role;
+ newcontext.type = scontext->type;
+ break;
+ default:
+ /* Use the well-defined object role. */
+ newcontext.role = OBJECT_R_VAL;
+ /* Use the type of the related object. */
+ newcontext.type = tcontext->type;
+ }
+
+ /* Look for a type transition/member/change rule. */
+ avkey.source_type = scontext->type;
+ avkey.target_type = tcontext->type;
+ avkey.target_class = tclass;
+ avkey.specified = specified;
+ avdatum = avtab_search(&policydb->te_avtab, &avkey);
+
+ /* If no permanent rule, also check for enabled conditional rules */
+ if (!avdatum) {
+ node = avtab_search_node(&policydb->te_cond_avtab, &avkey);
+ for (; node != NULL;
+ node = avtab_search_node_next(node, specified)) {
+ if (node->key.specified & AVTAB_ENABLED) {
+ avdatum = &node->datum;
+ break;
+ }
+ }
+ }
+
+ if (avdatum) {
+ /* Use the type from the type transition/member/change rule. */
+ newcontext.type = avdatum->data;
+ }
+
+ /* Check for class-specific changes. */
+ switch (tclass) {
+ case SECCLASS_PROCESS:
+ if (specified & AVTAB_TRANSITION) {
+ /* Look for a role transition rule. */
+ for (roletr = policydb->role_tr; roletr;
+ roletr = roletr->next) {
+ if (roletr->role == scontext->role &&
+ roletr->type == tcontext->type) {
+ /* Use the role transition rule. */
+ newcontext.role = roletr->new_role;
+ break;
+ }
+ }
+ }
+ break;
+ default:
+ break;
+ }
+
+ /* Set the MLS attributes.
+ This is done last because it may allocate memory. */
+ rc = mls_compute_sid(policydb, scontext, tcontext, tclass, specified,
+ &newcontext);
+ if (rc)
+ goto out;
+
+ /* Check the validity of the context. */
+ if (!policydb_context_isvalid(policydb, &newcontext)) {
+ rc = compute_sid_handle_invalid_context(scontext,
+ tcontext,
+ tclass, &newcontext);
+ if (rc)
+ goto out;
+ }
+ /* Obtain the sid for the context. */
+ rc = sepol_sidtab_context_to_sid(sidtab, &newcontext, out_sid);
+ out:
+ context_destroy(&newcontext);
+ return rc;
+}
+
+/*
+ * Compute a SID to use for labeling a new object in the
+ * class `tclass' based on a SID pair.
+ */
+int hidden sepol_transition_sid(sepol_security_id_t ssid,
+ sepol_security_id_t tsid,
+ sepol_security_class_t tclass,
+ sepol_security_id_t * out_sid)
+{
+ return sepol_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, out_sid);
+}
+
+/*
+ * Compute a SID to use when selecting a member of a
+ * polyinstantiated object of class `tclass' based on
+ * a SID pair.
+ */
+int hidden sepol_member_sid(sepol_security_id_t ssid,
+ sepol_security_id_t tsid,
+ sepol_security_class_t tclass,
+ sepol_security_id_t * out_sid)
+{
+ return sepol_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid);
+}
+
+/*
+ * Compute a SID to use for relabeling an object in the
+ * class `tclass' based on a SID pair.
+ */
+int hidden sepol_change_sid(sepol_security_id_t ssid,
+ sepol_security_id_t tsid,
+ sepol_security_class_t tclass,
+ sepol_security_id_t * out_sid)
+{
+ return sepol_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid);
+}
+
+/*
+ * Verify that each permission that is defined under the
+ * existing policy is still defined with the same value
+ * in the new policy.
+ */
+static int validate_perm(hashtab_key_t key, hashtab_datum_t datum, void *p)
+{
+ hashtab_t h;
+ perm_datum_t *perdatum, *perdatum2;
+
+ h = (hashtab_t) p;
+ perdatum = (perm_datum_t *) datum;
+
+ perdatum2 = (perm_datum_t *) hashtab_search(h, key);
+ if (!perdatum2) {
+ ERR(NULL, "permission %s disappeared", key);
+ return -1;
+ }
+ if (perdatum->s.value != perdatum2->s.value) {
+ ERR(NULL, "the value of permissions %s changed", key);
+ return -1;
+ }
+ return 0;
+}
+
+/*
+ * Verify that each class that is defined under the
+ * existing policy is still defined with the same
+ * attributes in the new policy.
+ */
+static int validate_class(hashtab_key_t key, hashtab_datum_t datum, void *p)
+{
+ policydb_t *newp;
+ class_datum_t *cladatum, *cladatum2;
+
+ newp = (policydb_t *) p;
+ cladatum = (class_datum_t *) datum;
+
+ cladatum2 =
+ (class_datum_t *) hashtab_search(newp->p_classes.table, key);
+ if (!cladatum2) {
+ ERR(NULL, "class %s disappeared", key);
+ return -1;
+ }
+ if (cladatum->s.value != cladatum2->s.value) {
+ ERR(NULL, "the value of class %s changed", key);
+ return -1;
+ }
+ if ((cladatum->comdatum && !cladatum2->comdatum) ||
+ (!cladatum->comdatum && cladatum2->comdatum)) {
+ ERR(NULL, "the inherits clause for the access "
+ "vector definition for class %s changed", key);
+ return -1;
+ }
+ if (cladatum->comdatum) {
+ if (hashtab_map
+ (cladatum->comdatum->permissions.table, validate_perm,
+ cladatum2->comdatum->permissions.table)) {
+ ERR(NULL,
+ " in the access vector definition "
+ "for class %s\n", key);
+ return -1;
+ }
+ }
+ if (hashtab_map(cladatum->permissions.table, validate_perm,
+ cladatum2->permissions.table)) {
+ ERR(NULL, " in access vector definition for class %s", key);
+ return -1;
+ }
+ return 0;
+}
+
+/* Clone the SID into the new SID table. */
+static int clone_sid(sepol_security_id_t sid,
+ context_struct_t * context, void *arg)
+{
+ sidtab_t *s = arg;
+
+ return sepol_sidtab_insert(s, sid, context);
+}
+
+static inline int convert_context_handle_invalid_context(context_struct_t *
+ context)
+{
+ if (selinux_enforcing) {
+ return -EINVAL;
+ } else {
+ sepol_security_context_t s;
+ size_t len;
+
+ context_to_string(NULL, policydb, context, &s, &len);
+ ERR(NULL, "context %s is invalid", s);
+ free(s);
+ return 0;
+ }
+}
+
+typedef struct {
+ policydb_t *oldp;
+ policydb_t *newp;
+} convert_context_args_t;
+
+/*
+ * Convert the values in the security context
+ * structure `c' from the values specified
+ * in the policy `p->oldp' to the values specified
+ * in the policy `p->newp'. Verify that the
+ * context is valid under the new policy.
+ */
+static int convert_context(sepol_security_id_t key __attribute__ ((unused)),
+ context_struct_t * c, void *p)
+{
+ convert_context_args_t *args;
+ context_struct_t oldc;
+ role_datum_t *role;
+ type_datum_t *typdatum;
+ user_datum_t *usrdatum;
+ sepol_security_context_t s;
+ size_t len;
+ int rc = -EINVAL;
+
+ args = (convert_context_args_t *) p;
+
+ if (context_cpy(&oldc, c))
+ return -ENOMEM;
+
+ /* Convert the user. */
+ usrdatum = (user_datum_t *) hashtab_search(args->newp->p_users.table,
+ args->oldp->
+ p_user_val_to_name[c->user -
+ 1]);
+
+ if (!usrdatum) {
+ goto bad;
+ }
+ c->user = usrdatum->s.value;
+
+ /* Convert the role. */
+ role = (role_datum_t *) hashtab_search(args->newp->p_roles.table,
+ args->oldp->
+ p_role_val_to_name[c->role - 1]);
+ if (!role) {
+ goto bad;
+ }
+ c->role = role->s.value;
+
+ /* Convert the type. */
+ typdatum = (type_datum_t *)
+ hashtab_search(args->newp->p_types.table,
+ args->oldp->p_type_val_to_name[c->type - 1]);
+ if (!typdatum) {
+ goto bad;
+ }
+ c->type = typdatum->s.value;
+
+ rc = mls_convert_context(args->oldp, args->newp, c);
+ if (rc)
+ goto bad;
+
+ /* Check the validity of the new context. */
+ if (!policydb_context_isvalid(args->newp, c)) {
+ rc = convert_context_handle_invalid_context(&oldc);
+ if (rc)
+ goto bad;
+ }
+
+ context_destroy(&oldc);
+ return 0;
+
+ bad:
+ context_to_string(NULL, policydb, &oldc, &s, &len);
+ context_destroy(&oldc);
+ ERR(NULL, "invalidating context %s", s);
+ free(s);
+ return rc;
+}
+
+/* Reading from a policy "file". */
+int hidden next_entry(void *buf, struct policy_file *fp, size_t bytes)
+{
+ size_t nread;
+
+ switch (fp->type) {
+ case PF_USE_STDIO:
+ nread = fread(buf, bytes, 1, fp->fp);
+
+ if (nread != 1)
+ return -1;
+ break;
+ case PF_USE_MEMORY:
+ if (bytes > fp->len)
+ return -1;
+ memcpy(buf, fp->data, bytes);
+ fp->data += bytes;
+ fp->len -= bytes;
+ break;
+ default:
+ return -1;
+ }
+ return 0;
+}
+
+size_t hidden put_entry(const void *ptr, size_t size, size_t n,
+ struct policy_file *fp)
+{
+ size_t bytes = size * n;
+
+ switch (fp->type) {
+ case PF_USE_STDIO:
+ return fwrite(ptr, size, n, fp->fp);
+ case PF_USE_MEMORY:
+ if (bytes > fp->len) {
+ errno = ENOSPC;
+ return 0;
+ }
+
+ memcpy(fp->data, ptr, bytes);
+ fp->data += bytes;
+ fp->len -= bytes;
+ return n;
+ case PF_LEN:
+ fp->len += bytes;
+ return n;
+ default:
+ return 0;
+ }
+ return 0;
+}
+
+/*
+ * Read a new set of configuration data from
+ * a policy database binary representation file.
+ *
+ * Verify that each class that is defined under the
+ * existing policy is still defined with the same
+ * attributes in the new policy.
+ *
+ * Convert the context structures in the SID table to the
+ * new representation and verify that all entries
+ * in the SID table are valid under the new policy.
+ *
+ * Change the active policy database to use the new
+ * configuration data.
+ *
+ * Reset the access vector cache.
+ */
+int hidden sepol_load_policy(void *data, size_t len)
+{
+ policydb_t oldpolicydb, newpolicydb;
+ sidtab_t oldsidtab, newsidtab;
+ convert_context_args_t args;
+ int rc = 0;
+ struct policy_file file, *fp;
+
+ policy_file_init(&file);
+ file.type = PF_USE_MEMORY;
+ file.data = data;
+ file.len = len;
+ fp = &file;
+
+ if (policydb_init(&newpolicydb))
+ return -ENOMEM;
+
+ if (policydb_read(&newpolicydb, fp, 1)) {
+ return -EINVAL;
+ }
+
+ sepol_sidtab_init(&newsidtab);
+
+ /* Verify that the existing classes did not change. */
+ if (hashtab_map
+ (policydb->p_classes.table, validate_class, &newpolicydb)) {
+ ERR(NULL, "the definition of an existing class changed");
+ rc = -EINVAL;
+ goto err;
+ }
+
+ /* Clone the SID table. */
+ sepol_sidtab_shutdown(sidtab);
+ if (sepol_sidtab_map(sidtab, clone_sid, &newsidtab)) {
+ rc = -ENOMEM;
+ goto err;
+ }
+
+ /* Convert the internal representations of contexts
+ in the new SID table and remove invalid SIDs. */
+ args.oldp = policydb;
+ args.newp = &newpolicydb;
+ sepol_sidtab_map_remove_on_error(&newsidtab, convert_context, &args);
+
+ /* Save the old policydb and SID table to free later. */
+ memcpy(&oldpolicydb, policydb, sizeof *policydb);
+ sepol_sidtab_set(&oldsidtab, sidtab);
+
+ /* Install the new policydb and SID table. */
+ memcpy(policydb, &newpolicydb, sizeof *policydb);
+ sepol_sidtab_set(sidtab, &newsidtab);
+
+ /* Free the old policydb and SID table. */
+ policydb_destroy(&oldpolicydb);
+ sepol_sidtab_destroy(&oldsidtab);
+
+ return 0;
+
+ err:
+ sepol_sidtab_destroy(&newsidtab);
+ policydb_destroy(&newpolicydb);
+ return rc;
+
+}
+
+/*
+ * Return the SIDs to use for an unlabeled file system
+ * that is being mounted from the device with the
+ * the kdevname `name'. The `fs_sid' SID is returned for
+ * the file system and the `file_sid' SID is returned
+ * for all files within that file system.
+ */
+int hidden sepol_fs_sid(char *name,
+ sepol_security_id_t * fs_sid,
+ sepol_security_id_t * file_sid)
+{
+ int rc = 0;
+ ocontext_t *c;
+
+ c = policydb->ocontexts[OCON_FS];
+ while (c) {
+ if (strcmp(c->u.name, name) == 0)
+ break;
+ c = c->next;
+ }
+
+ if (c) {
+ if (!c->sid[0] || !c->sid[1]) {
+ rc = sepol_sidtab_context_to_sid(sidtab,
+ &c->context[0],
+ &c->sid[0]);
+ if (rc)
+ goto out;
+ rc = sepol_sidtab_context_to_sid(sidtab,
+ &c->context[1],
+ &c->sid[1]);
+ if (rc)
+ goto out;
+ }
+ *fs_sid = c->sid[0];
+ *file_sid = c->sid[1];
+ } else {
+ *fs_sid = SECINITSID_FS;
+ *file_sid = SECINITSID_FILE;
+ }
+
+ out:
+ return rc;
+}
+
+/*
+ * Return the SID of the port specified by
+ * `domain', `type', `protocol', and `port'.
+ */
+int hidden sepol_port_sid(uint16_t domain __attribute__ ((unused)),
+ uint16_t type __attribute__ ((unused)),
+ uint8_t protocol,
+ uint16_t port, sepol_security_id_t * out_sid)
+{
+ ocontext_t *c;
+ int rc = 0;
+
+ c = policydb->ocontexts[OCON_PORT];
+ while (c) {
+ if (c->u.port.protocol == protocol &&
+ c->u.port.low_port <= port && c->u.port.high_port >= port)
+ break;
+ c = c->next;
+ }
+
+ if (c) {
+ if (!c->sid[0]) {
+ rc = sepol_sidtab_context_to_sid(sidtab,
+ &c->context[0],
+ &c->sid[0]);
+ if (rc)
+ goto out;
+ }
+ *out_sid = c->sid[0];
+ } else {
+ *out_sid = SECINITSID_PORT;
+ }
+
+ out:
+ return rc;
+}
+
+/*
+ * Return the SIDs to use for a network interface
+ * with the name `name'. The `if_sid' SID is returned for
+ * the interface and the `msg_sid' SID is returned as
+ * the default SID for messages received on the
+ * interface.
+ */
+int hidden sepol_netif_sid(char *name,
+ sepol_security_id_t * if_sid,
+ sepol_security_id_t * msg_sid)
+{
+ int rc = 0;
+ ocontext_t *c;
+
+ c = policydb->ocontexts[OCON_NETIF];
+ while (c) {
+ if (strcmp(name, c->u.name) == 0)
+ break;
+ c = c->next;
+ }
+
+ if (c) {
+ if (!c->sid[0] || !c->sid[1]) {
+ rc = sepol_sidtab_context_to_sid(sidtab,
+ &c->context[0],
+ &c->sid[0]);
+ if (rc)
+ goto out;
+ rc = sepol_sidtab_context_to_sid(sidtab,
+ &c->context[1],
+ &c->sid[1]);
+ if (rc)
+ goto out;
+ }
+ *if_sid = c->sid[0];
+ *msg_sid = c->sid[1];
+ } else {
+ *if_sid = SECINITSID_NETIF;
+ *msg_sid = SECINITSID_NETMSG;
+ }
+
+ out:
+ return rc;
+}
+
+static int match_ipv6_addrmask(uint32_t * input, uint32_t * addr,
+ uint32_t * mask)
+{
+ int i, fail = 0;
+
+ for (i = 0; i < 4; i++)
+ if (addr[i] != (input[i] & mask[i])) {
+ fail = 1;
+ break;
+ }
+
+ return !fail;
+}
+
+/*
+ * Return the SID of the node specified by the address
+ * `addrp' where `addrlen' is the length of the address
+ * in bytes and `domain' is the communications domain or
+ * address family in which the address should be interpreted.
+ */
+int hidden sepol_node_sid(uint16_t domain,
+ void *addrp,
+ size_t addrlen, sepol_security_id_t * out_sid)
+{
+ int rc = 0;
+ ocontext_t *c;
+
+ switch (domain) {
+ case AF_INET:{
+ uint32_t addr;
+
+ if (addrlen != sizeof(uint32_t)) {
+ rc = -EINVAL;
+ goto out;
+ }
+
+ addr = *((uint32_t *) addrp);
+
+ c = policydb->ocontexts[OCON_NODE];
+ while (c) {
+ if (c->u.node.addr == (addr & c->u.node.mask))
+ break;
+ c = c->next;
+ }
+ break;
+ }
+
+ case AF_INET6:
+ if (addrlen != sizeof(uint64_t) * 2) {
+ rc = -EINVAL;
+ goto out;
+ }
+
+ c = policydb->ocontexts[OCON_NODE6];
+ while (c) {
+ if (match_ipv6_addrmask(addrp, c->u.node6.addr,
+ c->u.node6.mask))
+ break;
+ c = c->next;
+ }
+ break;
+
+ default:
+ *out_sid = SECINITSID_NODE;
+ goto out;
+ }
+
+ if (c) {
+ if (!c->sid[0]) {
+ rc = sepol_sidtab_context_to_sid(sidtab,
+ &c->context[0],
+ &c->sid[0]);
+ if (rc)
+ goto out;
+ }
+ *out_sid = c->sid[0];
+ } else {
+ *out_sid = SECINITSID_NODE;
+ }
+
+ out:
+ return rc;
+}
+
+/*
+ * Generate the set of SIDs for legal security contexts
+ * for a given user that can be reached by `fromsid'.
+ * Set `*sids' to point to a dynamically allocated
+ * array containing the set of SIDs. Set `*nel' to the
+ * number of elements in the array.
+ */
+#define SIDS_NEL 25
+
+int hidden sepol_get_user_sids(sepol_security_id_t fromsid,
+ char *username,
+ sepol_security_id_t ** sids, uint32_t * nel)
+{
+ context_struct_t *fromcon, usercon;
+ sepol_security_id_t *mysids, *mysids2, sid;
+ uint32_t mynel = 0, maxnel = SIDS_NEL;
+ user_datum_t *user;
+ role_datum_t *role;
+ struct sepol_av_decision avd;
+ int rc = 0;
+ unsigned int i, j, reason;
+ ebitmap_node_t *rnode, *tnode;
+
+ fromcon = sepol_sidtab_search(sidtab, fromsid);
+ if (!fromcon) {
+ rc = -EINVAL;
+ goto out;
+ }
+
+ user = (user_datum_t *) hashtab_search(policydb->p_users.table,
+ username);
+ if (!user) {
+ rc = -EINVAL;
+ goto out;
+ }
+ usercon.user = user->s.value;
+
+ mysids = malloc(maxnel * sizeof(sepol_security_id_t));
+ if (!mysids) {
+ rc = -ENOMEM;
+ goto out;
+ }
+ memset(mysids, 0, maxnel * sizeof(sepol_security_id_t));
+
+ ebitmap_for_each_bit(&user->roles.roles, rnode, i) {
+ if (!ebitmap_node_get_bit(rnode, i))
+ continue;
+ role = policydb->role_val_to_struct[i];
+ usercon.role = i + 1;
+ ebitmap_for_each_bit(&role->types.types, tnode, j) {
+ if (!ebitmap_node_get_bit(tnode, j))
+ continue;
+ usercon.type = j + 1;
+ if (usercon.type == fromcon->type)
+ continue;
+
+ if (mls_setup_user_range
+ (fromcon, user, &usercon, policydb->mls))
+ continue;
+
+ rc = context_struct_compute_av(fromcon, &usercon,
+ SECCLASS_PROCESS,
+ PROCESS__TRANSITION,
+ &avd, &reason);
+ if (rc || !(avd.allowed & PROCESS__TRANSITION))
+ continue;
+ rc = sepol_sidtab_context_to_sid(sidtab, &usercon,
+ &sid);
+ if (rc) {
+ free(mysids);
+ goto out;
+ }
+ if (mynel < maxnel) {
+ mysids[mynel++] = sid;
+ } else {
+ maxnel += SIDS_NEL;
+ mysids2 =
+ malloc(maxnel *
+ sizeof(sepol_security_id_t));
+
+ if (!mysids2) {
+ rc = -ENOMEM;
+ free(mysids);
+ goto out;
+ }
+ memset(mysids2, 0,
+ maxnel * sizeof(sepol_security_id_t));
+ memcpy(mysids2, mysids,
+ mynel * sizeof(sepol_security_id_t));
+ free(mysids);
+ mysids = mysids2;
+ mysids[mynel++] = sid;
+ }
+ }
+ }
+
+ *sids = mysids;
+ *nel = mynel;
+
+ out:
+ return rc;
+}
+
+/*
+ * Return the SID to use for a file in a filesystem
+ * that cannot support a persistent label mapping or use another
+ * fixed labeling behavior like transition SIDs or task SIDs.
+ */
+int hidden sepol_genfs_sid(const char *fstype,
+ char *path,
+ sepol_security_class_t sclass,
+ sepol_security_id_t * sid)
+{
+ size_t len;
+ genfs_t *genfs;
+ ocontext_t *c;
+ int rc = 0, cmp = 0;
+
+ for (genfs = policydb->genfs; genfs; genfs = genfs->next) {
+ cmp = strcmp(fstype, genfs->fstype);
+ if (cmp <= 0)
+ break;
+ }
+
+ if (!genfs || cmp) {
+ *sid = SECINITSID_UNLABELED;
+ rc = -ENOENT;
+ goto out;
+ }
+
+ for (c = genfs->head; c; c = c->next) {
+ len = strlen(c->u.name);
+ if ((!c->v.sclass || sclass == c->v.sclass) &&
+ (strncmp(c->u.name, path, len) == 0))
+ break;
+ }
+
+ if (!c) {
+ *sid = SECINITSID_UNLABELED;
+ rc = -ENOENT;
+ goto out;
+ }
+
+ if (!c->sid[0]) {
+ rc = sepol_sidtab_context_to_sid(sidtab,
+ &c->context[0], &c->sid[0]);
+ if (rc)
+ goto out;
+ }
+
+ *sid = c->sid[0];
+ out:
+ return rc;
+}
+
+int hidden sepol_fs_use(const char *fstype,
+ unsigned int *behavior, sepol_security_id_t * sid)
+{
+ int rc = 0;
+ ocontext_t *c;
+
+ c = policydb->ocontexts[OCON_FSUSE];
+ while (c) {
+ if (strcmp(fstype, c->u.name) == 0)
+ break;
+ c = c->next;
+ }
+
+ if (c) {
+ *behavior = c->v.behavior;
+ if (!c->sid[0]) {
+ rc = sepol_sidtab_context_to_sid(sidtab,
+ &c->context[0],
+ &c->sid[0]);
+ if (rc)
+ goto out;
+ }
+ *sid = c->sid[0];
+ } else {
+ rc = sepol_genfs_sid(fstype, "/", SECCLASS_DIR, sid);
+ if (rc) {
+ *behavior = SECURITY_FS_USE_NONE;
+ rc = 0;
+ } else {
+ *behavior = SECURITY_FS_USE_GENFS;
+ }
+ }
+
+ out:
+ return rc;
+}
+
+/* FLASK */
diff --git a/src/sidtab.c b/src/sidtab.c
new file mode 100644
index 0000000..5bd7999
--- /dev/null
+++ b/src/sidtab.c
@@ -0,0 +1,328 @@
+
+/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */
+
+/* FLASK */
+
+/*
+ * Implementation of the SID table type.
+ */
+
+#include <stdlib.h>
+#include <errno.h>
+#include <limits.h>
+#include <stdio.h>
+
+#include <sepol/policydb/sidtab.h>
+
+#include <sepol/policydb/flask.h>
+
+#define SIDTAB_HASH(sid) \
+(sid & SIDTAB_HASH_MASK)
+
+#define INIT_SIDTAB_LOCK(s)
+#define SIDTAB_LOCK(s)
+#define SIDTAB_UNLOCK(s)
+
+int sepol_sidtab_init(sidtab_t * s)
+{
+ int i;
+
+ s->htable = malloc(sizeof(sidtab_ptr_t) * SIDTAB_SIZE);
+ if (!s->htable)
+ return -ENOMEM;
+ for (i = 0; i < SIDTAB_SIZE; i++)
+ s->htable[i] = (sidtab_ptr_t) NULL;
+ s->nel = 0;
+ s->next_sid = 1;
+ s->shutdown = 0;
+ INIT_SIDTAB_LOCK(s);
+ return 0;
+}
+
+int sepol_sidtab_insert(sidtab_t * s, sepol_security_id_t sid,
+ context_struct_t * context)
+{
+ int hvalue;
+ sidtab_node_t *prev, *cur, *newnode;
+
+ if (!s || !s->htable)
+ return -ENOMEM;
+
+ hvalue = SIDTAB_HASH(sid);
+ prev = NULL;
+ cur = s->htable[hvalue];
+ while (cur != NULL && sid > cur->sid) {
+ prev = cur;
+ cur = cur->next;
+ }
+
+ if (cur && sid == cur->sid) {
+ errno = EEXIST;
+ return -EEXIST;
+ }
+
+ newnode = (sidtab_node_t *) malloc(sizeof(sidtab_node_t));
+ if (newnode == NULL)
+ return -ENOMEM;
+ newnode->sid = sid;
+ if (context_cpy(&newnode->context, context)) {
+ free(newnode);
+ return -ENOMEM;
+ }
+
+ if (prev) {
+ newnode->next = prev->next;
+ prev->next = newnode;
+ } else {
+ newnode->next = s->htable[hvalue];
+ s->htable[hvalue] = newnode;
+ }
+
+ s->nel++;
+ if (sid >= s->next_sid)
+ s->next_sid = sid + 1;
+ return 0;
+}
+
+int sepol_sidtab_remove(sidtab_t * s, sepol_security_id_t sid)
+{
+ int hvalue;
+ sidtab_node_t *cur, *last;
+
+ if (!s || !s->htable)
+ return -ENOENT;
+
+ hvalue = SIDTAB_HASH(sid);
+ last = NULL;
+ cur = s->htable[hvalue];
+ while (cur != NULL && sid > cur->sid) {
+ last = cur;
+ cur = cur->next;
+ }
+
+ if (cur == NULL || sid != cur->sid)
+ return -ENOENT;
+
+ if (last == NULL)
+ s->htable[hvalue] = cur->next;
+ else
+ last->next = cur->next;
+
+ context_destroy(&cur->context);
+
+ free(cur);
+ s->nel--;
+ return 0;
+}
+
+context_struct_t *sepol_sidtab_search(sidtab_t * s, sepol_security_id_t sid)
+{
+ int hvalue;
+ sidtab_node_t *cur;
+
+ if (!s || !s->htable)
+ return NULL;
+
+ hvalue = SIDTAB_HASH(sid);
+ cur = s->htable[hvalue];
+ while (cur != NULL && sid > cur->sid)
+ cur = cur->next;
+
+ if (cur == NULL || sid != cur->sid) {
+ /* Remap invalid SIDs to the unlabeled SID. */
+ sid = SECINITSID_UNLABELED;
+ hvalue = SIDTAB_HASH(sid);
+ cur = s->htable[hvalue];
+ while (cur != NULL && sid > cur->sid)
+ cur = cur->next;
+ if (!cur || sid != cur->sid)
+ return NULL;
+ }
+
+ return &cur->context;
+}
+
+int sepol_sidtab_map(sidtab_t * s,
+ int (*apply) (sepol_security_id_t sid,
+ context_struct_t * context,
+ void *args), void *args)
+{
+ int i, ret;
+ sidtab_node_t *cur;
+
+ if (!s || !s->htable)
+ return 0;
+
+ for (i = 0; i < SIDTAB_SIZE; i++) {
+ cur = s->htable[i];
+ while (cur != NULL) {
+ ret = apply(cur->sid, &cur->context, args);
+ if (ret)
+ return ret;
+ cur = cur->next;
+ }
+ }
+ return 0;
+}
+
+void sepol_sidtab_map_remove_on_error(sidtab_t * s,
+ int (*apply) (sepol_security_id_t sid,
+ context_struct_t * context,
+ void *args), void *args)
+{
+ int i, ret;
+ sidtab_node_t *last, *cur, *temp;
+
+ if (!s || !s->htable)
+ return;
+
+ for (i = 0; i < SIDTAB_SIZE; i++) {
+ last = NULL;
+ cur = s->htable[i];
+ while (cur != NULL) {
+ ret = apply(cur->sid, &cur->context, args);
+ if (ret) {
+ if (last) {
+ last->next = cur->next;
+ } else {
+ s->htable[i] = cur->next;
+ }
+
+ temp = cur;
+ cur = cur->next;
+ context_destroy(&temp->context);
+ free(temp);
+ s->nel--;
+ } else {
+ last = cur;
+ cur = cur->next;
+ }
+ }
+ }
+
+ return;
+}
+
+static inline sepol_security_id_t sepol_sidtab_search_context(sidtab_t * s,
+ context_struct_t *
+ context)
+{
+ int i;
+ sidtab_node_t *cur;
+
+ for (i = 0; i < SIDTAB_SIZE; i++) {
+ cur = s->htable[i];
+ while (cur != NULL) {
+ if (context_cmp(&cur->context, context))
+ return cur->sid;
+ cur = cur->next;
+ }
+ }
+ return 0;
+}
+
+int sepol_sidtab_context_to_sid(sidtab_t * s,
+ context_struct_t * context,
+ sepol_security_id_t * out_sid)
+{
+ sepol_security_id_t sid;
+ int ret = 0;
+
+ *out_sid = SEPOL_SECSID_NULL;
+
+ sid = sepol_sidtab_search_context(s, context);
+ if (!sid) {
+ SIDTAB_LOCK(s);
+ /* Rescan now that we hold the lock. */
+ sid = sepol_sidtab_search_context(s, context);
+ if (sid)
+ goto unlock_out;
+ /* No SID exists for the context. Allocate a new one. */
+ if (s->next_sid == UINT_MAX || s->shutdown) {
+ ret = -ENOMEM;
+ goto unlock_out;
+ }
+ sid = s->next_sid++;
+ ret = sepol_sidtab_insert(s, sid, context);
+ if (ret)
+ s->next_sid--;
+ unlock_out:
+ SIDTAB_UNLOCK(s);
+ }
+
+ if (ret)
+ return ret;
+
+ *out_sid = sid;
+ return 0;
+}
+
+void sepol_sidtab_hash_eval(sidtab_t * h, char *tag)
+{
+ int i, chain_len, slots_used, max_chain_len;
+ sidtab_node_t *cur;
+
+ slots_used = 0;
+ max_chain_len = 0;
+ for (i = 0; i < SIDTAB_SIZE; i++) {
+ cur = h->htable[i];
+ if (cur) {
+ slots_used++;
+ chain_len = 0;
+ while (cur) {
+ chain_len++;
+ cur = cur->next;
+ }
+
+ if (chain_len > max_chain_len)
+ max_chain_len = chain_len;
+ }
+ }
+
+ printf
+ ("%s: %d entries and %d/%d buckets used, longest chain length %d\n",
+ tag, h->nel, slots_used, SIDTAB_SIZE, max_chain_len);
+}
+
+void sepol_sidtab_destroy(sidtab_t * s)
+{
+ int i;
+ sidtab_ptr_t cur, temp;
+
+ if (!s || !s->htable)
+ return;
+
+ for (i = 0; i < SIDTAB_SIZE; i++) {
+ cur = s->htable[i];
+ while (cur != NULL) {
+ temp = cur;
+ cur = cur->next;
+ context_destroy(&temp->context);
+ free(temp);
+ }
+ s->htable[i] = NULL;
+ }
+ free(s->htable);
+ s->htable = NULL;
+ s->nel = 0;
+ s->next_sid = 1;
+}
+
+void sepol_sidtab_set(sidtab_t * dst, sidtab_t * src)
+{
+ SIDTAB_LOCK(src);
+ dst->htable = src->htable;
+ dst->nel = src->nel;
+ dst->next_sid = src->next_sid;
+ dst->shutdown = 0;
+ SIDTAB_UNLOCK(src);
+}
+
+void sepol_sidtab_shutdown(sidtab_t * s)
+{
+ SIDTAB_LOCK(s);
+ s->shutdown = 1;
+ SIDTAB_UNLOCK(s);
+}
+
+/* FLASK */
diff --git a/src/symtab.c b/src/symtab.c
new file mode 100644
index 0000000..b3a7aa8
--- /dev/null
+++ b/src/symtab.c
@@ -0,0 +1,49 @@
+
+/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */
+
+/* FLASK */
+
+/*
+ * Implementation of the symbol table type.
+ */
+
+#include <string.h>
+#include <sepol/policydb/hashtab.h>
+#include <sepol/policydb/symtab.h>
+
+static unsigned int symhash(hashtab_t h, hashtab_key_t key)
+{
+ char *p, *keyp;
+ size_t size;
+ unsigned int val;
+
+ val = 0;
+ keyp = (char *)key;
+ size = strlen(keyp);
+ for (p = keyp; ((size_t) (p - keyp)) < size; p++)
+ val =
+ (val << 4 | (val >> (8 * sizeof(unsigned int) - 4))) ^ (*p);
+ return val & (h->size - 1);
+}
+
+static int symcmp(hashtab_t h
+ __attribute__ ((unused)), hashtab_key_t key1,
+ hashtab_key_t key2)
+{
+ char *keyp1, *keyp2;
+
+ keyp1 = (char *)key1;
+ keyp2 = (char *)key2;
+ return strcmp(keyp1, keyp2);
+}
+
+int symtab_init(symtab_t * s, unsigned int size)
+{
+ s->table = hashtab_create(symhash, symcmp, size);
+ if (!s->table)
+ return -1;
+ s->nprim = 0;
+ return 0;
+}
+
+/* FLASK */
diff --git a/src/user_internal.h b/src/user_internal.h
new file mode 100644
index 0000000..7523b7d
--- /dev/null
+++ b/src/user_internal.h
@@ -0,0 +1,20 @@
+#ifndef _SEPOL_USER_INTERNAL_H_
+#define _SEPOL_USER_INTERNAL_H_
+
+#include <sepol/user_record.h>
+#include <sepol/users.h>
+#include "dso.h"
+
+hidden_proto(sepol_user_add_role)
+ hidden_proto(sepol_user_create)
+ hidden_proto(sepol_user_free)
+ hidden_proto(sepol_user_get_mlslevel)
+ hidden_proto(sepol_user_get_mlsrange)
+ hidden_proto(sepol_user_get_roles)
+ hidden_proto(sepol_user_has_role)
+ hidden_proto(sepol_user_key_create)
+ hidden_proto(sepol_user_key_unpack)
+ hidden_proto(sepol_user_set_mlslevel)
+ hidden_proto(sepol_user_set_mlsrange)
+ hidden_proto(sepol_user_set_name)
+#endif
diff --git a/src/user_record.c b/src/user_record.c
new file mode 100644
index 0000000..c59c54b
--- /dev/null
+++ b/src/user_record.c
@@ -0,0 +1,379 @@
+#include <errno.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "user_internal.h"
+#include "debug.h"
+
+struct sepol_user {
+ /* This user's name */
+ char *name;
+
+ /* This user's mls level (only required for mls) */
+ char *mls_level;
+
+ /* This user's mls range (only required for mls) */
+ char *mls_range;
+
+ /* The role array */
+ char **roles;
+
+ /* The number of roles */
+ unsigned int num_roles;
+};
+
+struct sepol_user_key {
+ /* This user's name */
+ const char *name;
+};
+
+int sepol_user_key_create(sepol_handle_t * handle,
+ const char *name, sepol_user_key_t ** key_ptr)
+{
+
+ sepol_user_key_t *tmp_key =
+ (sepol_user_key_t *) malloc(sizeof(sepol_user_key_t));
+
+ if (!tmp_key) {
+ ERR(handle, "out of memory, "
+ "could not create selinux user key");
+ return STATUS_ERR;
+ }
+
+ tmp_key->name = name;
+
+ *key_ptr = tmp_key;
+ return STATUS_SUCCESS;
+}
+
+hidden_def(sepol_user_key_create)
+
+void sepol_user_key_unpack(const sepol_user_key_t * key, const char **name)
+{
+
+ *name = key->name;
+}
+
+hidden_def(sepol_user_key_unpack)
+
+int sepol_user_key_extract(sepol_handle_t * handle,
+ const sepol_user_t * user,
+ sepol_user_key_t ** key_ptr)
+{
+
+ if (sepol_user_key_create(handle, user->name, key_ptr) < 0) {
+ ERR(handle, "could not extract key from user %s", user->name);
+ return STATUS_ERR;
+ }
+
+ return STATUS_SUCCESS;
+}
+
+void sepol_user_key_free(sepol_user_key_t * key)
+{
+ free(key);
+}
+
+int sepol_user_compare(const sepol_user_t * user, const sepol_user_key_t * key)
+{
+
+ return strcmp(user->name, key->name);
+}
+
+int sepol_user_compare2(const sepol_user_t * user, const sepol_user_t * user2)
+{
+
+ return strcmp(user->name, user2->name);
+}
+
+/* Name */
+const char *sepol_user_get_name(const sepol_user_t * user)
+{
+
+ return user->name;
+}
+
+int sepol_user_set_name(sepol_handle_t * handle,
+ sepol_user_t * user, const char *name)
+{
+
+ char *tmp_name = strdup(name);
+ if (!tmp_name) {
+ ERR(handle, "out of memory, could not set name");
+ return STATUS_ERR;
+ }
+ free(user->name);
+ user->name = tmp_name;
+ return STATUS_SUCCESS;
+}
+
+hidden_def(sepol_user_set_name)
+
+/* MLS */
+const char *sepol_user_get_mlslevel(const sepol_user_t * user)
+{
+
+ return user->mls_level;
+}
+
+hidden_def(sepol_user_get_mlslevel)
+
+int sepol_user_set_mlslevel(sepol_handle_t * handle,
+ sepol_user_t * user, const char *mls_level)
+{
+
+ char *tmp_mls_level = strdup(mls_level);
+ if (!tmp_mls_level) {
+ ERR(handle, "out of memory, "
+ "could not set MLS default level");
+ return STATUS_ERR;
+ }
+ free(user->mls_level);
+ user->mls_level = tmp_mls_level;
+ return STATUS_SUCCESS;
+}
+
+hidden_def(sepol_user_set_mlslevel)
+
+const char *sepol_user_get_mlsrange(const sepol_user_t * user)
+{
+
+ return user->mls_range;
+}
+
+hidden_def(sepol_user_get_mlsrange)
+
+int sepol_user_set_mlsrange(sepol_handle_t * handle,
+ sepol_user_t * user, const char *mls_range)
+{
+
+ char *tmp_mls_range = strdup(mls_range);
+ if (!tmp_mls_range) {
+ ERR(handle, "out of memory, "
+ "could not set MLS allowed range");
+ return STATUS_ERR;
+ }
+ free(user->mls_range);
+ user->mls_range = tmp_mls_range;
+ return STATUS_SUCCESS;
+}
+
+hidden_def(sepol_user_set_mlsrange)
+
+/* Roles */
+int sepol_user_get_num_roles(const sepol_user_t * user)
+{
+
+ return user->num_roles;
+}
+
+int sepol_user_add_role(sepol_handle_t * handle,
+ sepol_user_t * user, const char *role)
+{
+
+ char *role_cp;
+ char **roles_realloc;
+
+ if (sepol_user_has_role(user, role))
+ return STATUS_SUCCESS;
+
+ role_cp = strdup(role);
+ roles_realloc = realloc(user->roles,
+ sizeof(char *) * (user->num_roles + 1));
+
+ if (!role_cp || !roles_realloc)
+ goto omem;
+
+ user->num_roles++;
+ user->roles = roles_realloc;
+ user->roles[user->num_roles - 1] = role_cp;
+
+ return STATUS_SUCCESS;
+
+ omem:
+ ERR(handle, "out of memory, could not add role %s", role);
+ free(role_cp);
+ free(roles_realloc);
+ return STATUS_ERR;
+}
+
+hidden_def(sepol_user_add_role)
+
+int sepol_user_has_role(const sepol_user_t * user, const char *role)
+{
+
+ unsigned int i;
+
+ for (i = 0; i < user->num_roles; i++)
+ if (!strcmp(user->roles[i], role))
+ return 1;
+ return 0;
+}
+
+hidden_def(sepol_user_has_role)
+
+int sepol_user_set_roles(sepol_handle_t * handle,
+ sepol_user_t * user,
+ const char **roles_arr, unsigned int num_roles)
+{
+
+ unsigned int i;
+ char **tmp_roles = NULL;
+
+ if (num_roles > 0) {
+
+ /* First, make a copy */
+ tmp_roles = (char **)calloc(1, sizeof(char *) * num_roles);
+ if (!tmp_roles)
+ goto omem;
+
+ for (i = 0; i < num_roles; i++) {
+ tmp_roles[i] = strdup(roles_arr[i]);
+ if (!tmp_roles[i])
+ goto omem;
+ }
+ }
+
+ /* Apply other changes */
+ for (i = 0; i < user->num_roles; i++)
+ free(user->roles[i]);
+ free(user->roles);
+ user->roles = tmp_roles;
+ user->num_roles = num_roles;
+ return STATUS_SUCCESS;
+
+ omem:
+ ERR(handle, "out of memory, could not allocate roles array for"
+ "user %s", user->name);
+
+ if (tmp_roles) {
+ for (i = 0; i < num_roles; i++) {
+ if (!tmp_roles[i])
+ break;
+ free(tmp_roles[i]);
+ }
+ }
+ free(tmp_roles);
+ return STATUS_ERR;
+}
+
+int sepol_user_get_roles(sepol_handle_t * handle,
+ const sepol_user_t * user,
+ const char ***roles_arr, unsigned int *num_roles)
+{
+
+ unsigned int i;
+ const char **tmp_roles =
+ (const char **)malloc(sizeof(char *) * user->num_roles);
+ if (!tmp_roles)
+ goto omem;
+
+ for (i = 0; i < user->num_roles; i++)
+ tmp_roles[i] = user->roles[i];
+
+ *roles_arr = tmp_roles;
+ *num_roles = user->num_roles;
+ return STATUS_SUCCESS;
+
+ omem:
+ ERR(handle, "out of memory, could not "
+ "allocate roles array for user %s", user->name);
+ free(tmp_roles);
+ return STATUS_ERR;
+}
+
+hidden_def(sepol_user_get_roles)
+
+void sepol_user_del_role(sepol_user_t * user, const char *role)
+{
+
+ unsigned int i;
+ for (i = 0; i < user->num_roles; i++) {
+ if (!strcmp(user->roles[i], role)) {
+ free(user->roles[i]);
+ user->roles[i] = NULL;
+ user->roles[i] = user->roles[user->num_roles - 1];
+ user->num_roles--;
+ }
+ }
+}
+
+/* Create */
+int sepol_user_create(sepol_handle_t * handle, sepol_user_t ** user_ptr)
+{
+
+ sepol_user_t *user = (sepol_user_t *) malloc(sizeof(sepol_user_t));
+
+ if (!user) {
+ ERR(handle, "out of memory, "
+ "could not create selinux user record");
+ return STATUS_ERR;
+ }
+
+ user->roles = NULL;
+ user->num_roles = 0;
+ user->name = NULL;
+ user->mls_level = NULL;
+ user->mls_range = NULL;
+
+ *user_ptr = user;
+ return STATUS_SUCCESS;
+}
+
+hidden_def(sepol_user_create)
+
+/* Deep copy clone */
+int sepol_user_clone(sepol_handle_t * handle,
+ const sepol_user_t * user, sepol_user_t ** user_ptr)
+{
+
+ sepol_user_t *new_user = NULL;
+ unsigned int i;
+
+ if (sepol_user_create(handle, &new_user) < 0)
+ goto err;
+
+ if (sepol_user_set_name(handle, new_user, user->name) < 0)
+ goto err;
+
+ for (i = 0; i < user->num_roles; i++) {
+ if (sepol_user_add_role(handle, new_user, user->roles[i]) < 0)
+ goto err;
+ }
+
+ if (user->mls_level &&
+ (sepol_user_set_mlslevel(handle, new_user, user->mls_level) < 0))
+ goto err;
+
+ if (user->mls_range &&
+ (sepol_user_set_mlsrange(handle, new_user, user->mls_range) < 0))
+ goto err;
+
+ *user_ptr = new_user;
+ return STATUS_SUCCESS;
+
+ err:
+ ERR(handle, "could not clone selinux user record");
+ sepol_user_free(new_user);
+ return STATUS_ERR;
+}
+
+/* Destroy */
+void sepol_user_free(sepol_user_t * user)
+{
+
+ unsigned int i;
+
+ if (!user)
+ return;
+
+ free(user->name);
+ for (i = 0; i < user->num_roles; i++)
+ free(user->roles[i]);
+ free(user->roles);
+ free(user->mls_level);
+ free(user->mls_range);
+ free(user);
+}
+
+hidden_def(sepol_user_free)
diff --git a/src/users.c b/src/users.c
new file mode 100644
index 0000000..693210d
--- /dev/null
+++ b/src/users.c
@@ -0,0 +1,383 @@
+#include <stdlib.h>
+#include <stddef.h>
+#include <string.h>
+
+#include "private.h"
+#include "debug.h"
+#include "handle.h"
+
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/hashtab.h>
+#include <sepol/policydb/expand.h>
+#include "user_internal.h"
+#include "mls.h"
+
+static int user_to_record(sepol_handle_t * handle,
+ const policydb_t * policydb,
+ int user_idx, sepol_user_t ** record)
+{
+
+ const char *name = policydb->p_user_val_to_name[user_idx];
+ user_datum_t *usrdatum = policydb->user_val_to_struct[user_idx];
+ ebitmap_t *roles = &(usrdatum->roles.roles);
+ ebitmap_node_t *rnode;
+ unsigned bit;
+
+ sepol_user_t *tmp_record = NULL;
+
+ if (sepol_user_create(handle, &tmp_record) < 0)
+ goto err;
+
+ if (sepol_user_set_name(handle, tmp_record, name) < 0)
+ goto err;
+
+ /* Extract roles */
+ ebitmap_for_each_bit(roles, rnode, bit) {
+ if (ebitmap_node_get_bit(rnode, bit)) {
+ char *role = policydb->p_role_val_to_name[bit];
+ if (sepol_user_add_role(handle, tmp_record, role) < 0)
+ goto err;
+ }
+ }
+
+ /* Extract MLS info */
+ if (policydb->mls) {
+ context_struct_t context;
+ char *str;
+
+ context_init(&context);
+ if (mls_level_cpy(&context.range.level[0],
+ &usrdatum->exp_dfltlevel) < 0) {
+ ERR(handle, "could not copy MLS level");
+ context_destroy(&context);
+ goto err;
+ }
+ if (mls_level_cpy(&context.range.level[1],
+ &usrdatum->exp_dfltlevel) < 0) {
+ ERR(handle, "could not copy MLS level");
+ context_destroy(&context);
+ goto err;
+ }
+ if (mls_to_string(handle, policydb, &context, &str) < 0) {
+ context_destroy(&context);
+ goto err;
+ }
+ context_destroy(&context);
+
+ if (sepol_user_set_mlslevel(handle, tmp_record, str) < 0) {
+ free(str);
+ goto err;
+ }
+ free(str);
+
+ context_init(&context);
+ if (mls_range_cpy(&context.range, &usrdatum->exp_range) < 0) {
+ ERR(handle, "could not copy MLS range");
+ context_destroy(&context);
+ goto err;
+ }
+ if (mls_to_string(handle, policydb, &context, &str) < 0) {
+ context_destroy(&context);
+ goto err;
+ }
+ context_destroy(&context);
+
+ if (sepol_user_set_mlsrange(handle, tmp_record, str) < 0) {
+ free(str);
+ goto err;
+ }
+ free(str);
+ }
+
+ *record = tmp_record;
+ return STATUS_SUCCESS;
+
+ err:
+ /* FIXME: handle error */
+ sepol_user_free(tmp_record);
+ return STATUS_ERR;
+}
+
+int sepol_user_modify(sepol_handle_t * handle,
+ sepol_policydb_t * p,
+ const sepol_user_key_t * key, const sepol_user_t * user)
+{
+
+ policydb_t *policydb = &p->p;
+
+ /* For user data */
+ const char *cname, *cmls_level, *cmls_range;
+ char *name = NULL;
+
+ const char **roles = NULL;
+ unsigned int num_roles = 0;
+
+ /* Low-level representation */
+ user_datum_t *usrdatum = NULL;
+ role_datum_t *roldatum;
+ unsigned int i;
+
+ context_struct_t context;
+ unsigned bit;
+ int new = 0;
+
+ ebitmap_node_t *rnode;
+
+ /* First, extract all the data */
+ sepol_user_key_unpack(key, &cname);
+
+ cmls_level = sepol_user_get_mlslevel(user);
+ cmls_range = sepol_user_get_mlsrange(user);
+
+ /* Make sure that worked properly */
+ if (sepol_user_get_roles(handle, user, &roles, &num_roles) < 0)
+ goto err;
+
+ /* Now, see if a user exists */
+ usrdatum = hashtab_search(policydb->p_users.table,
+ (const hashtab_key_t)cname);
+
+ /* If it does, we will modify it */
+ if (usrdatum) {
+
+ int value_cp = usrdatum->s.value;
+ user_datum_destroy(usrdatum);
+ user_datum_init(usrdatum);
+ usrdatum->s.value = value_cp;
+
+ /* Otherwise, create a new one */
+ } else {
+ usrdatum = (user_datum_t *) malloc(sizeof(user_datum_t));
+ if (!usrdatum)
+ goto omem;
+ user_datum_init(usrdatum);
+ new = 1;
+ }
+
+ /* For every role */
+ for (i = 0; i < num_roles; i++) {
+
+ /* Search for the role */
+ roldatum = hashtab_search(policydb->p_roles.table,
+ (const hashtab_key_t)roles[i]);
+ if (!roldatum) {
+ ERR(handle, "undefined role %s for user %s",
+ roles[i], cname);
+ goto err;
+ }
+
+ /* Set the role and every role it dominates */
+ ebitmap_for_each_bit(&roldatum->dominates, rnode, bit) {
+ if (ebitmap_node_get_bit(rnode, bit)) {
+ if (ebitmap_set_bit
+ (&(usrdatum->roles.roles), bit, 1))
+ goto omem;
+ }
+ }
+ }
+
+ /* For MLS systems */
+ if (policydb->mls) {
+
+ /* MLS level */
+ if (cmls_level == NULL) {
+ ERR(handle, "MLS is enabled, but no MLS "
+ "default level was defined for user %s", cname);
+ goto err;
+ }
+
+ context_init(&context);
+ if (mls_from_string(handle, policydb, cmls_level, &context) < 0) {
+ context_destroy(&context);
+ goto err;
+ }
+ if (mls_level_cpy(&usrdatum->exp_dfltlevel,
+ &context.range.level[0]) < 0) {
+ ERR(handle, "could not copy MLS level %s", cmls_level);
+ context_destroy(&context);
+ goto err;
+ }
+ context_destroy(&context);
+
+ /* MLS range */
+ if (cmls_range == NULL) {
+ ERR(handle, "MLS is enabled, but no MLS"
+ "range was defined for user %s", cname);
+ goto err;
+ }
+
+ context_init(&context);
+ if (mls_from_string(handle, policydb, cmls_range, &context) < 0) {
+ context_destroy(&context);
+ goto err;
+ }
+ if (mls_range_cpy(&usrdatum->exp_range, &context.range) < 0) {
+ ERR(handle, "could not copy MLS range %s", cmls_range);
+ context_destroy(&context);
+ goto err;
+ }
+ context_destroy(&context);
+ } else if (cmls_level != NULL || cmls_range != NULL) {
+ ERR(handle, "MLS is disabled, but MLS level/range "
+ "was found for user %s", cname);
+ goto err;
+ }
+
+ /* If there are no errors, and this is a new user, add the user to policy */
+ if (new) {
+ void *tmp_ptr;
+
+ /* Ensure reverse lookup array has enough space */
+ tmp_ptr = realloc(policydb->user_val_to_struct,
+ (policydb->p_users.nprim +
+ 1) * sizeof(user_datum_t *));
+ if (!tmp_ptr)
+ goto omem;
+ policydb->user_val_to_struct = tmp_ptr;
+
+ tmp_ptr = realloc(policydb->sym_val_to_name[SYM_USERS],
+ (policydb->p_users.nprim +
+ 1) * sizeof(char *));
+ if (!tmp_ptr)
+ goto omem;
+ policydb->sym_val_to_name[SYM_USERS] = tmp_ptr;
+
+ /* Need to copy the user name */
+ name = strdup(cname);
+ if (!name)
+ goto omem;
+
+ /* Store user */
+ usrdatum->s.value = ++policydb->p_users.nprim;
+ if (hashtab_insert(policydb->p_users.table, name,
+ (hashtab_datum_t) usrdatum) < 0)
+ goto omem;
+
+ /* Set up reverse entry */
+ policydb->p_user_val_to_name[usrdatum->s.value - 1] = name;
+ policydb->user_val_to_struct[usrdatum->s.value - 1] = usrdatum;
+ name = NULL;
+
+ /* Expand roles */
+ if (role_set_expand(&usrdatum->roles, &usrdatum->cache,
+ policydb, NULL, NULL)) {
+ ERR(handle, "unable to expand role set");
+ goto err;
+ }
+ }
+
+ free(roles);
+ return STATUS_SUCCESS;
+
+ omem:
+ ERR(handle, "out of memory");
+
+ err:
+ ERR(handle, "could not load %s into policy", name);
+
+ free(name);
+ free(roles);
+ if (new && usrdatum) {
+ role_set_destroy(&usrdatum->roles);
+ free(usrdatum);
+ }
+ return STATUS_ERR;
+}
+
+int sepol_user_exists(sepol_handle_t * handle __attribute__ ((unused)),
+ const sepol_policydb_t * p,
+ const sepol_user_key_t * key, int *response)
+{
+
+ const policydb_t *policydb = &p->p;
+
+ const char *cname;
+ sepol_user_key_unpack(key, &cname);
+
+ *response = (hashtab_search(policydb->p_users.table,
+ (const hashtab_key_t)cname) != NULL);
+
+ handle = NULL;
+ return STATUS_SUCCESS;
+}
+
+int sepol_user_count(sepol_handle_t * handle __attribute__ ((unused)),
+ const sepol_policydb_t * p, unsigned int *response)
+{
+
+ const policydb_t *policydb = &p->p;
+ *response = policydb->p_users.nprim;
+
+ handle = NULL;
+ return STATUS_SUCCESS;
+}
+
+int sepol_user_query(sepol_handle_t * handle,
+ const sepol_policydb_t * p,
+ const sepol_user_key_t * key, sepol_user_t ** response)
+{
+
+ const policydb_t *policydb = &p->p;
+ user_datum_t *usrdatum = NULL;
+
+ const char *cname;
+ sepol_user_key_unpack(key, &cname);
+
+ usrdatum = hashtab_search(policydb->p_users.table,
+ (const hashtab_key_t)cname);
+
+ if (!usrdatum) {
+ *response = NULL;
+ return STATUS_SUCCESS;
+ }
+
+ if (user_to_record(handle, policydb, usrdatum->s.value - 1, response) <
+ 0)
+ goto err;
+
+ return STATUS_SUCCESS;
+
+ err:
+ ERR(handle, "could not query user %s", cname);
+ return STATUS_ERR;
+}
+
+int sepol_user_iterate(sepol_handle_t * handle,
+ const sepol_policydb_t * p,
+ int (*fn) (const sepol_user_t * user,
+ void *fn_arg), void *arg)
+{
+
+ const policydb_t *policydb = &p->p;
+ unsigned int nusers = policydb->p_users.nprim;
+ sepol_user_t *user = NULL;
+ unsigned int i;
+
+ /* For each user */
+ for (i = 0; i < nusers; i++) {
+
+ int status;
+
+ if (user_to_record(handle, policydb, i, &user) < 0)
+ goto err;
+
+ /* Invoke handler */
+ status = fn(user, arg);
+ if (status < 0)
+ goto err;
+
+ sepol_user_free(user);
+ user = NULL;
+
+ /* Handler requested exit */
+ if (status > 0)
+ break;
+ }
+
+ return STATUS_SUCCESS;
+
+ err:
+ ERR(handle, "could not iterate over users");
+ sepol_user_free(user);
+ return STATUS_ERR;
+}
diff --git a/src/util.c b/src/util.c
new file mode 100644
index 0000000..a824e61
--- /dev/null
+++ b/src/util.c
@@ -0,0 +1,116 @@
+/* Authors: Joshua Brindle <jbrindle@tresys.com>
+ * Jason Tang <jtang@tresys.com>
+ *
+ * Copyright (C) 2005-2006 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include <assert.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <sepol/policydb/flask_types.h>
+#include <sepol/policydb/policydb.h>
+
+struct val_to_name {
+ unsigned int val;
+ char *name;
+};
+
+/* Add an unsigned integer to a dynamically reallocated array. *cnt
+ * is a reference pointer to the number of values already within array
+ * *a; it will be incremented upon successfully appending i. If *a is
+ * NULL then this function will create a new array (*cnt is reset to
+ * 0). Return 0 on success, -1 on out of memory. */
+int add_i_to_a(uint32_t i, uint32_t * cnt, uint32_t ** a)
+{
+ if (cnt == NULL || a == NULL)
+ return -1;
+
+ /* FIX ME: This is not very elegant! We use an array that we
+ * grow as new uint32_t are added to an array. But rather
+ * than be smart about it, for now we realloc() the array each
+ * time a new uint32_t is added! */
+ if (*a != NULL)
+ *a = (uint32_t *) realloc(*a, (*cnt + 1) * sizeof(uint32_t));
+ else { /* empty list */
+
+ *cnt = 0;
+ *a = (uint32_t *) malloc(sizeof(uint32_t));
+ }
+ if (*a == NULL) {
+ return -1;
+ }
+ (*a)[*cnt] = i;
+ (*cnt)++;
+ return 0;
+}
+
+static int perm_name(hashtab_key_t key, hashtab_datum_t datum, void *data)
+{
+ struct val_to_name *v = data;
+ perm_datum_t *perdatum;
+
+ perdatum = (perm_datum_t *) datum;
+
+ if (v->val == perdatum->s.value) {
+ v->name = key;
+ return 1;
+ }
+
+ return 0;
+}
+
+char *sepol_av_to_string(policydb_t * policydbp, uint32_t tclass,
+ sepol_access_vector_t av)
+{
+ struct val_to_name v;
+ static char avbuf[1024];
+ class_datum_t *cladatum;
+ char *perm = NULL, *p;
+ unsigned int i;
+ int rc;
+ int avlen = 0, len;
+
+ cladatum = policydbp->class_val_to_struct[tclass - 1];
+ p = avbuf;
+ for (i = 0; i < cladatum->permissions.nprim; i++) {
+ if (av & (1 << i)) {
+ v.val = i + 1;
+ rc = hashtab_map(cladatum->permissions.table,
+ perm_name, &v);
+ if (!rc && cladatum->comdatum) {
+ rc = hashtab_map(cladatum->comdatum->
+ permissions.table, perm_name,
+ &v);
+ }
+ if (rc)
+ perm = v.name;
+ if (perm) {
+ len =
+ snprintf(p, sizeof(avbuf) - avlen, " %s",
+ perm);
+ if (len < 0
+ || (size_t) len >= (sizeof(avbuf) - avlen))
+ return NULL;
+ p += len;
+ avlen += len;
+ }
+ }
+ }
+
+ return avbuf;
+}
diff --git a/src/write.c b/src/write.c
new file mode 100644
index 0000000..290e036
--- /dev/null
+++ b/src/write.c
@@ -0,0 +1,2009 @@
+
+/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */
+
+/*
+ * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
+ *
+ * Support for enhanced MLS infrastructure.
+ *
+ * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
+ *
+ * Added conditional policy language extensions
+ *
+ * Updated: Joshua Brindle <jbrindle@tresys.com> and Jason Tang <jtang@tresys.org>
+ *
+ * Module writing support
+ *
+ * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
+ * Copyright (C) 2003-2005 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+#include <assert.h>
+#include <stdlib.h>
+
+#include <sepol/policydb/ebitmap.h>
+#include <sepol/policydb/avtab.h>
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/conditional.h>
+#include <sepol/policydb/expand.h>
+#include <sepol/policydb/flask.h>
+
+#include "debug.h"
+#include "private.h"
+#include "mls.h"
+
+struct policy_data {
+ struct policy_file *fp;
+ struct policydb *p;
+};
+
+static int avrule_write_list(avrule_t * avrules, struct policy_file *fp);
+
+static int ebitmap_write(ebitmap_t * e, struct policy_file *fp)
+{
+ ebitmap_node_t *n;
+ uint32_t buf[32], bit, count;
+ uint64_t map;
+ size_t items;
+
+ buf[0] = cpu_to_le32(MAPSIZE);
+ buf[1] = cpu_to_le32(e->highbit);
+
+ count = 0;
+ for (n = e->node; n; n = n->next)
+ count++;
+ buf[2] = cpu_to_le32(count);
+
+ items = put_entry(buf, sizeof(uint32_t), 3, fp);
+ if (items != 3)
+ return POLICYDB_ERROR;
+
+ for (n = e->node; n; n = n->next) {
+ bit = cpu_to_le32(n->startbit);
+ items = put_entry(&bit, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+ map = cpu_to_le64(n->map);
+ items = put_entry(&map, sizeof(uint64_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+
+ }
+
+ return POLICYDB_SUCCESS;
+}
+
+/* Ordering of datums in the original avtab format in the policy file. */
+static uint16_t spec_order[] = {
+ AVTAB_ALLOWED,
+ AVTAB_AUDITDENY,
+ AVTAB_AUDITALLOW,
+ AVTAB_TRANSITION,
+ AVTAB_CHANGE,
+ AVTAB_MEMBER
+};
+
+static int avtab_write_item(policydb_t * p,
+ avtab_ptr_t cur, struct policy_file *fp,
+ unsigned merge, unsigned commit, uint32_t * nel)
+{
+ avtab_ptr_t node;
+ uint16_t buf16[4];
+ uint32_t buf32[10], lookup, val;
+ size_t items, items2;
+ unsigned set;
+ unsigned int oldvers = (p->policy_type == POLICY_KERN
+ && p->policyvers < POLICYDB_VERSION_AVTAB);
+ unsigned int i;
+
+ if (oldvers) {
+ /* Generate the old avtab format.
+ Requires merging similar entries if uncond avtab. */
+ if (merge) {
+ if (cur->merged)
+ return POLICYDB_SUCCESS; /* already merged by prior merge */
+ }
+
+ items = 1; /* item 0 is used for the item count */
+ val = cur->key.source_type;
+ buf32[items++] = cpu_to_le32(val);
+ val = cur->key.target_type;
+ buf32[items++] = cpu_to_le32(val);
+ val = cur->key.target_class;
+ buf32[items++] = cpu_to_le32(val);
+
+ val = cur->key.specified & ~AVTAB_ENABLED;
+ if (cur->key.specified & AVTAB_ENABLED)
+ val |= AVTAB_ENABLED_OLD;
+ set = 1;
+
+ if (merge) {
+ /* Merge specifier values for all similar (av or type)
+ entries that have the same key. */
+ if (val & AVTAB_AV)
+ lookup = AVTAB_AV;
+ else if (val & AVTAB_TYPE)
+ lookup = AVTAB_TYPE;
+ else
+ return POLICYDB_ERROR;
+ for (node = avtab_search_node_next(cur, lookup);
+ node;
+ node = avtab_search_node_next(node, lookup)) {
+ val |= (node->key.specified & ~AVTAB_ENABLED);
+ set++;
+ if (node->key.specified & AVTAB_ENABLED)
+ val |= AVTAB_ENABLED_OLD;
+ }
+ }
+
+ if (!(val & (AVTAB_AV | AVTAB_TYPE))) {
+ ERR(fp->handle, "null entry");
+ return POLICYDB_ERROR;
+ }
+ if ((val & AVTAB_AV) && (val & AVTAB_TYPE)) {
+ ERR(fp->handle, "entry has both access "
+ "vectors and types");
+ return POLICYDB_ERROR;
+ }
+
+ buf32[items++] = cpu_to_le32(val);
+
+ if (merge) {
+ /* Include datums for all similar (av or type)
+ entries that have the same key. */
+ for (i = 0;
+ i < (sizeof(spec_order) / sizeof(spec_order[0]));
+ i++) {
+ if (val & spec_order[i]) {
+ if (cur->key.specified & spec_order[i])
+ node = cur;
+ else {
+ node =
+ avtab_search_node_next(cur,
+ spec_order
+ [i]);
+ if (nel)
+ (*nel)--; /* one less node */
+ }
+
+ if (!node) {
+ ERR(fp->handle, "missing node");
+ return POLICYDB_ERROR;
+ }
+ buf32[items++] =
+ cpu_to_le32(node->datum.data);
+ set--;
+ node->merged = 1;
+ }
+ }
+ } else {
+ buf32[items++] = cpu_to_le32(cur->datum.data);
+ cur->merged = 1;
+ set--;
+ }
+
+ if (set) {
+ ERR(fp->handle, "data count wrong");
+ return POLICYDB_ERROR;
+ }
+
+ buf32[0] = cpu_to_le32(items - 1);
+
+ if (commit) {
+ /* Commit this item to the policy file. */
+ items2 = put_entry(buf32, sizeof(uint32_t), items, fp);
+ if (items != items2)
+ return POLICYDB_ERROR;
+ }
+
+ return POLICYDB_SUCCESS;
+ }
+
+ /* Generate the new avtab format. */
+ buf16[0] = cpu_to_le16(cur->key.source_type);
+ buf16[1] = cpu_to_le16(cur->key.target_type);
+ buf16[2] = cpu_to_le16(cur->key.target_class);
+ buf16[3] = cpu_to_le16(cur->key.specified);
+ items = put_entry(buf16, sizeof(uint16_t), 4, fp);
+ if (items != 4)
+ return POLICYDB_ERROR;
+ buf32[0] = cpu_to_le32(cur->datum.data);
+ items = put_entry(buf32, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+ return POLICYDB_SUCCESS;
+}
+
+static inline void avtab_reset_merged(avtab_t * a)
+{
+ unsigned int i;
+ avtab_ptr_t cur;
+ for (i = 0; i < a->nslot; i++) {
+ for (cur = a->htable[i]; cur; cur = cur->next)
+ cur->merged = 0;
+ }
+}
+
+static int avtab_write(struct policydb *p, avtab_t * a, struct policy_file *fp)
+{
+ unsigned int i;
+ int rc;
+ avtab_t expa;
+ avtab_ptr_t cur;
+ uint32_t nel;
+ size_t items;
+ unsigned int oldvers = (p->policy_type == POLICY_KERN
+ && p->policyvers < POLICYDB_VERSION_AVTAB);
+
+ if (oldvers) {
+ /* Old avtab format.
+ First, we need to expand attributes. Then, we need to
+ merge similar entries, so we need to track merged nodes
+ and compute the final nel. */
+ if (avtab_init(&expa))
+ return POLICYDB_ERROR;
+ if (expand_avtab(p, a, &expa)) {
+ rc = -1;
+ goto out;
+ }
+ a = &expa;
+ avtab_reset_merged(a);
+ nel = a->nel;
+ } else {
+ /* New avtab format. nel is good to go. */
+ nel = cpu_to_le32(a->nel);
+ items = put_entry(&nel, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+ }
+
+ for (i = 0; i < a->nslot; i++) {
+ for (cur = a->htable[i]; cur; cur = cur->next) {
+ /* If old format, compute final nel.
+ If new format, write out the items. */
+ if (avtab_write_item(p, cur, fp, 1, !oldvers, &nel)) {
+ rc = -1;
+ goto out;
+ }
+ }
+ }
+
+ if (oldvers) {
+ /* Old avtab format.
+ Write the computed nel value, then write the items. */
+ nel = cpu_to_le32(nel);
+ items = put_entry(&nel, sizeof(uint32_t), 1, fp);
+ if (items != 1) {
+ rc = -1;
+ goto out;
+ }
+ avtab_reset_merged(a);
+ for (i = 0; i < a->nslot; i++) {
+ for (cur = a->htable[i]; cur; cur = cur->next) {
+ if (avtab_write_item(p, cur, fp, 1, 1, NULL)) {
+ rc = -1;
+ goto out;
+ }
+ }
+ }
+ }
+
+ rc = 0;
+ out:
+ if (oldvers)
+ avtab_destroy(&expa);
+ return rc;
+}
+
+/*
+ * Write a semantic MLS level structure to a policydb binary
+ * representation file.
+ */
+static int mls_write_semantic_level_helper(mls_semantic_level_t * l,
+ struct policy_file *fp)
+{
+ uint32_t buf[2], ncat = 0;
+ size_t items;
+ mls_semantic_cat_t *cat;
+
+ for (cat = l->cat; cat; cat = cat->next)
+ ncat++;
+
+ buf[0] = cpu_to_le32(l->sens);
+ buf[1] = cpu_to_le32(ncat);
+ items = put_entry(buf, sizeof(uint32_t), 2, fp);
+ if (items != 2)
+ return POLICYDB_ERROR;
+
+ for (cat = l->cat; cat; cat = cat->next) {
+ buf[0] = cpu_to_le32(cat->low);
+ buf[1] = cpu_to_le32(cat->high);
+ items = put_entry(buf, sizeof(uint32_t), 2, fp);
+ if (items != 2)
+ return POLICYDB_ERROR;
+ }
+
+ return POLICYDB_SUCCESS;
+}
+
+/*
+ * Read a semantic MLS range structure to a policydb binary
+ * representation file.
+ */
+static int mls_write_semantic_range_helper(mls_semantic_range_t * r,
+ struct policy_file *fp)
+{
+ int rc;
+
+ rc = mls_write_semantic_level_helper(&r->level[0], fp);
+ if (rc)
+ return rc;
+
+ rc = mls_write_semantic_level_helper(&r->level[1], fp);
+
+ return rc;
+}
+
+/*
+ * Write a MLS level structure to a policydb binary
+ * representation file.
+ */
+static int mls_write_level(mls_level_t * l, struct policy_file *fp)
+{
+ uint32_t sens;
+ size_t items;
+
+ sens = cpu_to_le32(l->sens);
+ items = put_entry(&sens, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+
+ if (ebitmap_write(&l->cat, fp))
+ return POLICYDB_ERROR;
+
+ return POLICYDB_SUCCESS;
+}
+
+/*
+ * Write a MLS range structure to a policydb binary
+ * representation file.
+ */
+static int mls_write_range_helper(mls_range_t * r, struct policy_file *fp)
+{
+ uint32_t buf[3];
+ size_t items, items2;
+ int eq;
+
+ eq = mls_level_eq(&r->level[1], &r->level[0]);
+
+ items = 1; /* item 0 is used for the item count */
+ buf[items++] = cpu_to_le32(r->level[0].sens);
+ if (!eq)
+ buf[items++] = cpu_to_le32(r->level[1].sens);
+ buf[0] = cpu_to_le32(items - 1);
+
+ items2 = put_entry(buf, sizeof(uint32_t), items, fp);
+ if (items2 != items)
+ return POLICYDB_ERROR;
+
+ if (ebitmap_write(&r->level[0].cat, fp))
+ return POLICYDB_ERROR;
+ if (!eq)
+ if (ebitmap_write(&r->level[1].cat, fp))
+ return POLICYDB_ERROR;
+
+ return POLICYDB_SUCCESS;
+}
+
+static int sens_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr)
+{
+ level_datum_t *levdatum;
+ uint32_t buf[32];
+ size_t items, items2, len;
+ struct policy_data *pd = ptr;
+ struct policy_file *fp = pd->fp;
+
+ levdatum = (level_datum_t *) datum;
+
+ len = strlen(key);
+ items = 0;
+ buf[items++] = cpu_to_le32(len);
+ buf[items++] = cpu_to_le32(levdatum->isalias);
+ items2 = put_entry(buf, sizeof(uint32_t), items, fp);
+ if (items != items2)
+ return POLICYDB_ERROR;
+
+ items = put_entry(key, 1, len, fp);
+ if (items != len)
+ return POLICYDB_ERROR;
+
+ if (mls_write_level(levdatum->level, fp))
+ return POLICYDB_ERROR;
+
+ return POLICYDB_SUCCESS;
+}
+
+static int cat_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr)
+{
+ cat_datum_t *catdatum;
+ uint32_t buf[32];
+ size_t items, items2, len;
+ struct policy_data *pd = ptr;
+ struct policy_file *fp = pd->fp;
+
+ catdatum = (cat_datum_t *) datum;
+
+ len = strlen(key);
+ items = 0;
+ buf[items++] = cpu_to_le32(len);
+ buf[items++] = cpu_to_le32(catdatum->s.value);
+ buf[items++] = cpu_to_le32(catdatum->isalias);
+ items2 = put_entry(buf, sizeof(uint32_t), items, fp);
+ if (items != items2)
+ return POLICYDB_ERROR;
+
+ items = put_entry(key, 1, len, fp);
+ if (items != len)
+ return POLICYDB_ERROR;
+
+ return POLICYDB_SUCCESS;
+}
+
+static int role_trans_write(policydb_t *p, struct policy_file *fp)
+{
+ role_trans_t *r = p->role_tr;
+ role_trans_t *tr;
+ uint32_t buf[3];
+ size_t nel, items;
+ int new_roletr = (p->policy_type == POLICY_KERN &&
+ p->policyvers >= POLICYDB_VERSION_ROLETRANS);
+ int warning_issued = 0;
+
+ nel = 0;
+ for (tr = r; tr; tr = tr->next)
+ if(new_roletr || tr->tclass == SECCLASS_PROCESS)
+ nel++;
+
+ buf[0] = cpu_to_le32(nel);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+ for (tr = r; tr; tr = tr->next) {
+ if (!new_roletr && tr->tclass != SECCLASS_PROCESS) {
+ if (!warning_issued)
+ WARN(fp->handle, "Discarding role_transition "
+ "rules for security classes other than "
+ "\"process\"");
+ warning_issued = 1;
+ continue;
+ }
+ buf[0] = cpu_to_le32(tr->role);
+ buf[1] = cpu_to_le32(tr->type);
+ buf[2] = cpu_to_le32(tr->new_role);
+ items = put_entry(buf, sizeof(uint32_t), 3, fp);
+ if (items != 3)
+ return POLICYDB_ERROR;
+ if (new_roletr) {
+ buf[0] = cpu_to_le32(tr->tclass);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+ }
+ }
+
+ return POLICYDB_SUCCESS;
+}
+
+static int role_allow_write(role_allow_t * r, struct policy_file *fp)
+{
+ role_allow_t *ra;
+ uint32_t buf[2];
+ size_t nel, items;
+
+ nel = 0;
+ for (ra = r; ra; ra = ra->next)
+ nel++;
+ buf[0] = cpu_to_le32(nel);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+ for (ra = r; ra; ra = ra->next) {
+ buf[0] = cpu_to_le32(ra->role);
+ buf[1] = cpu_to_le32(ra->new_role);
+ items = put_entry(buf, sizeof(uint32_t), 2, fp);
+ if (items != 2)
+ return POLICYDB_ERROR;
+ }
+ return POLICYDB_SUCCESS;
+}
+
+static int filename_trans_write(filename_trans_t * r, struct policy_file *fp)
+{
+ filename_trans_t *ft;
+ uint32_t buf[4];
+ size_t nel, items, len;
+
+ nel = 0;
+ for (ft = r; ft; ft = ft->next)
+ nel++;
+ buf[0] = cpu_to_le32(nel);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+ for (ft = r; ft; ft = ft->next) {
+ len = strlen(ft->name);
+ buf[0] = cpu_to_le32(len);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+
+ items = put_entry(ft->name, sizeof(char), len, fp);
+ if (items != len)
+ return POLICYDB_ERROR;
+
+ buf[0] = cpu_to_le32(ft->stype);
+ buf[1] = cpu_to_le32(ft->ttype);
+ buf[2] = cpu_to_le32(ft->tclass);
+ buf[3] = cpu_to_le32(ft->otype);
+ items = put_entry(buf, sizeof(uint32_t), 4, fp);
+ if (items != 4)
+ return POLICYDB_ERROR;
+ }
+
+ return POLICYDB_SUCCESS;
+}
+
+static int role_set_write(role_set_t * x, struct policy_file *fp)
+{
+ size_t items;
+ uint32_t buf[1];
+
+ if (ebitmap_write(&x->roles, fp))
+ return POLICYDB_ERROR;
+
+ buf[0] = cpu_to_le32(x->flags);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+
+ return POLICYDB_SUCCESS;
+}
+
+static int type_set_write(type_set_t * x, struct policy_file *fp)
+{
+ size_t items;
+ uint32_t buf[1];
+
+ if (ebitmap_write(&x->types, fp))
+ return POLICYDB_ERROR;
+ if (ebitmap_write(&x->negset, fp))
+ return POLICYDB_ERROR;
+
+ buf[0] = cpu_to_le32(x->flags);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+
+ return POLICYDB_SUCCESS;
+}
+
+static int cond_write_bool(hashtab_key_t key, hashtab_datum_t datum, void *ptr)
+{
+ cond_bool_datum_t *booldatum;
+ uint32_t buf[3], len;
+ unsigned int items, items2;
+ struct policy_data *pd = ptr;
+ struct policy_file *fp = pd->fp;
+
+ booldatum = (cond_bool_datum_t *) datum;
+
+ len = strlen(key);
+ items = 0;
+ buf[items++] = cpu_to_le32(booldatum->s.value);
+ buf[items++] = cpu_to_le32(booldatum->state);
+ buf[items++] = cpu_to_le32(len);
+ items2 = put_entry(buf, sizeof(uint32_t), items, fp);
+ if (items != items2)
+ return POLICYDB_ERROR;
+ items = put_entry(key, 1, len, fp);
+ if (items != len)
+ return POLICYDB_ERROR;
+ return POLICYDB_SUCCESS;
+}
+
+/*
+ * cond_write_cond_av_list doesn't write out the av_list nodes.
+ * Instead it writes out the key/value pairs from the avtab. This
+ * is necessary because there is no way to uniquely identifying rules
+ * in the avtab so it is not possible to associate individual rules
+ * in the avtab with a conditional without saving them as part of
+ * the conditional. This means that the avtab with the conditional
+ * rules will not be saved but will be rebuilt on policy load.
+ */
+static int cond_write_av_list(policydb_t * p,
+ cond_av_list_t * list, struct policy_file *fp)
+{
+ uint32_t buf[4];
+ cond_av_list_t *cur_list, *new_list = NULL;
+ avtab_t expa;
+ uint32_t len, items;
+ unsigned int oldvers = (p->policy_type == POLICY_KERN
+ && p->policyvers < POLICYDB_VERSION_AVTAB);
+ int rc = -1;
+
+ if (oldvers) {
+ if (avtab_init(&expa))
+ return POLICYDB_ERROR;
+ if (expand_cond_av_list(p, list, &new_list, &expa))
+ goto out;
+ list = new_list;
+ }
+
+ len = 0;
+ for (cur_list = list; cur_list != NULL; cur_list = cur_list->next) {
+ if (cur_list->node->parse_context)
+ len++;
+ }
+
+ buf[0] = cpu_to_le32(len);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ goto out;
+
+ if (len == 0) {
+ rc = 0;
+ goto out;
+ }
+
+ for (cur_list = list; cur_list != NULL; cur_list = cur_list->next) {
+ if (cur_list->node->parse_context)
+ if (avtab_write_item(p, cur_list->node, fp, 0, 1, NULL))
+ goto out;
+ }
+
+ rc = 0;
+ out:
+ if (oldvers) {
+ cond_av_list_destroy(new_list);
+ avtab_destroy(&expa);
+ }
+
+ return rc;
+}
+
+static int cond_write_node(policydb_t * p,
+ cond_node_t * node, struct policy_file *fp)
+{
+ cond_expr_t *cur_expr;
+ uint32_t buf[2];
+ uint32_t items, items2, len;
+
+ buf[0] = cpu_to_le32(node->cur_state);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+
+ /* expr */
+ len = 0;
+ for (cur_expr = node->expr; cur_expr != NULL; cur_expr = cur_expr->next)
+ len++;
+
+ buf[0] = cpu_to_le32(len);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+
+ for (cur_expr = node->expr; cur_expr != NULL; cur_expr = cur_expr->next) {
+ items = 0;
+ buf[items++] = cpu_to_le32(cur_expr->expr_type);
+ buf[items++] = cpu_to_le32(cur_expr->bool);
+ items2 = put_entry(buf, sizeof(uint32_t), items, fp);
+ if (items2 != items)
+ return POLICYDB_ERROR;
+ }
+
+ if (p->policy_type == POLICY_KERN) {
+ if (cond_write_av_list(p, node->true_list, fp) != 0)
+ return POLICYDB_ERROR;
+ if (cond_write_av_list(p, node->false_list, fp) != 0)
+ return POLICYDB_ERROR;
+ } else {
+ if (avrule_write_list(node->avtrue_list, fp))
+ return POLICYDB_ERROR;
+ if (avrule_write_list(node->avfalse_list, fp))
+ return POLICYDB_ERROR;
+ }
+
+ return POLICYDB_SUCCESS;
+}
+
+static int cond_write_list(policydb_t * p, cond_list_t * list,
+ struct policy_file *fp)
+{
+ cond_node_t *cur;
+ uint32_t len, items;
+ uint32_t buf[1];
+
+ len = 0;
+ for (cur = list; cur != NULL; cur = cur->next)
+ len++;
+ buf[0] = cpu_to_le32(len);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+
+ for (cur = list; cur != NULL; cur = cur->next) {
+ if (cond_write_node(p, cur, fp) != 0)
+ return POLICYDB_ERROR;
+ }
+ return POLICYDB_SUCCESS;
+}
+
+/*
+ * Write a security context structure
+ * to a policydb binary representation file.
+ */
+static int context_write(struct policydb *p, context_struct_t * c,
+ struct policy_file *fp)
+{
+ uint32_t buf[32];
+ size_t items, items2;
+
+ items = 0;
+ buf[items++] = cpu_to_le32(c->user);
+ buf[items++] = cpu_to_le32(c->role);
+ buf[items++] = cpu_to_le32(c->type);
+ items2 = put_entry(buf, sizeof(uint32_t), items, fp);
+ if (items2 != items)
+ return POLICYDB_ERROR;
+ if ((p->policyvers >= POLICYDB_VERSION_MLS
+ && p->policy_type == POLICY_KERN)
+ || (p->policyvers >= MOD_POLICYDB_VERSION_MLS
+ && p->policy_type == POLICY_BASE))
+ if (mls_write_range_helper(&c->range, fp))
+ return POLICYDB_ERROR;
+
+ return POLICYDB_SUCCESS;
+}
+
+/*
+ * The following *_write functions are used to
+ * write the symbol data to a policy database
+ * binary representation file.
+ */
+
+static int perm_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr)
+{
+ perm_datum_t *perdatum;
+ uint32_t buf[32];
+ size_t items, items2, len;
+ struct policy_data *pd = ptr;
+ struct policy_file *fp = pd->fp;
+
+ perdatum = (perm_datum_t *) datum;
+
+ len = strlen(key);
+ items = 0;
+ buf[items++] = cpu_to_le32(len);
+ buf[items++] = cpu_to_le32(perdatum->s.value);
+ items2 = put_entry(buf, sizeof(uint32_t), items, fp);
+ if (items != items2)
+ return POLICYDB_ERROR;
+
+ items = put_entry(key, 1, len, fp);
+ if (items != len)
+ return POLICYDB_ERROR;
+
+ return POLICYDB_SUCCESS;
+}
+
+static int common_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr)
+{
+ common_datum_t *comdatum;
+ uint32_t buf[32];
+ size_t items, items2, len;
+ struct policy_data *pd = ptr;
+ struct policy_file *fp = pd->fp;
+
+ comdatum = (common_datum_t *) datum;
+
+ len = strlen(key);
+ items = 0;
+ buf[items++] = cpu_to_le32(len);
+ buf[items++] = cpu_to_le32(comdatum->s.value);
+ buf[items++] = cpu_to_le32(comdatum->permissions.nprim);
+ buf[items++] = cpu_to_le32(comdatum->permissions.table->nel);
+ items2 = put_entry(buf, sizeof(uint32_t), items, fp);
+ if (items != items2)
+ return POLICYDB_ERROR;
+
+ items = put_entry(key, 1, len, fp);
+ if (items != len)
+ return POLICYDB_ERROR;
+
+ if (hashtab_map(comdatum->permissions.table, perm_write, pd))
+ return POLICYDB_ERROR;
+
+ return POLICYDB_SUCCESS;
+}
+
+static int write_cons_helper(policydb_t * p,
+ constraint_node_t * node, int allowxtarget,
+ struct policy_file *fp)
+{
+ constraint_node_t *c;
+ constraint_expr_t *e;
+ uint32_t buf[3], nexpr;
+ int items;
+
+ for (c = node; c; c = c->next) {
+ nexpr = 0;
+ for (e = c->expr; e; e = e->next) {
+ nexpr++;
+ }
+ buf[0] = cpu_to_le32(c->permissions);
+ buf[1] = cpu_to_le32(nexpr);
+ items = put_entry(buf, sizeof(uint32_t), 2, fp);
+ if (items != 2)
+ return POLICYDB_ERROR;
+ for (e = c->expr; e; e = e->next) {
+ items = 0;
+ buf[0] = cpu_to_le32(e->expr_type);
+ buf[1] = cpu_to_le32(e->attr);
+ buf[2] = cpu_to_le32(e->op);
+ items = put_entry(buf, sizeof(uint32_t), 3, fp);
+ if (items != 3)
+ return POLICYDB_ERROR;
+
+ switch (e->expr_type) {
+ case CEXPR_NAMES:
+ if (!allowxtarget && (e->attr & CEXPR_XTARGET))
+ return POLICYDB_ERROR;
+ if (ebitmap_write(&e->names, fp)) {
+ return POLICYDB_ERROR;
+ }
+ if (p->policy_type != POLICY_KERN &&
+ type_set_write(e->type_names, fp)) {
+ return POLICYDB_ERROR;
+ }
+ break;
+ default:
+ break;
+ }
+ }
+ }
+
+ return POLICYDB_SUCCESS;
+}
+
+static int class_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr)
+{
+ class_datum_t *cladatum;
+ constraint_node_t *c;
+ uint32_t buf[32], ncons;
+ size_t items, items2, len, len2;
+ struct policy_data *pd = ptr;
+ struct policy_file *fp = pd->fp;
+ struct policydb *p = pd->p;
+
+ cladatum = (class_datum_t *) datum;
+
+ len = strlen(key);
+ if (cladatum->comkey)
+ len2 = strlen(cladatum->comkey);
+ else
+ len2 = 0;
+
+ ncons = 0;
+ for (c = cladatum->constraints; c; c = c->next) {
+ ncons++;
+ }
+
+ items = 0;
+ buf[items++] = cpu_to_le32(len);
+ buf[items++] = cpu_to_le32(len2);
+ buf[items++] = cpu_to_le32(cladatum->s.value);
+ buf[items++] = cpu_to_le32(cladatum->permissions.nprim);
+ if (cladatum->permissions.table)
+ buf[items++] = cpu_to_le32(cladatum->permissions.table->nel);
+ else
+ buf[items++] = 0;
+ buf[items++] = cpu_to_le32(ncons);
+ items2 = put_entry(buf, sizeof(uint32_t), items, fp);
+ if (items != items2)
+ return POLICYDB_ERROR;
+
+ items = put_entry(key, 1, len, fp);
+ if (items != len)
+ return POLICYDB_ERROR;
+
+ if (cladatum->comkey) {
+ items = put_entry(cladatum->comkey, 1, len2, fp);
+ if (items != len2)
+ return POLICYDB_ERROR;
+ }
+ if (hashtab_map(cladatum->permissions.table, perm_write, pd))
+ return POLICYDB_ERROR;
+
+ if (write_cons_helper(p, cladatum->constraints, 0, fp))
+ return POLICYDB_ERROR;
+
+ if ((p->policy_type == POLICY_KERN
+ && p->policyvers >= POLICYDB_VERSION_VALIDATETRANS)
+ || (p->policy_type == POLICY_BASE
+ && p->policyvers >= MOD_POLICYDB_VERSION_VALIDATETRANS)) {
+ /* write out the validatetrans rule */
+ ncons = 0;
+ for (c = cladatum->validatetrans; c; c = c->next) {
+ ncons++;
+ }
+ buf[0] = cpu_to_le32(ncons);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+ if (write_cons_helper(p, cladatum->validatetrans, 1, fp))
+ return POLICYDB_ERROR;
+ }
+
+ return POLICYDB_SUCCESS;
+}
+
+static int role_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr)
+{
+ role_datum_t *role;
+ uint32_t buf[32];
+ size_t items, items2, len;
+ struct policy_data *pd = ptr;
+ struct policy_file *fp = pd->fp;
+ struct policydb *p = pd->p;
+
+ role = (role_datum_t *) datum;
+
+ len = strlen(key);
+ items = 0;
+ buf[items++] = cpu_to_le32(len);
+ buf[items++] = cpu_to_le32(role->s.value);
+ if (policydb_has_boundary_feature(p))
+ buf[items++] = cpu_to_le32(role->bounds);
+ items2 = put_entry(buf, sizeof(uint32_t), items, fp);
+ if (items != items2)
+ return POLICYDB_ERROR;
+
+ items = put_entry(key, 1, len, fp);
+ if (items != len)
+ return POLICYDB_ERROR;
+
+ if (ebitmap_write(&role->dominates, fp))
+ return POLICYDB_ERROR;
+ if (p->policy_type == POLICY_KERN) {
+ if (ebitmap_write(&role->types.types, fp))
+ return POLICYDB_ERROR;
+ } else {
+ if (type_set_write(&role->types, fp))
+ return POLICYDB_ERROR;
+ }
+
+ if (p->policy_type != POLICY_KERN &&
+ p->policyvers >= MOD_POLICYDB_VERSION_ROLEATTRIB) {
+ buf[0] = cpu_to_le32(role->flavor);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+
+ if (ebitmap_write(&role->roles, fp))
+ return POLICYDB_ERROR;
+ }
+
+ return POLICYDB_SUCCESS;
+}
+
+static int type_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr)
+{
+ type_datum_t *typdatum;
+ uint32_t buf[32];
+ size_t items, items2, len;
+ struct policy_data *pd = ptr;
+ struct policy_file *fp = pd->fp;
+ struct policydb *p = pd->p;
+
+ typdatum = (type_datum_t *) datum;
+
+ /*
+ * The kernel policy version less than 24 (= POLICYDB_VERSION_BOUNDARY)
+ * does not support to load entries of attribute, so we skip to write it.
+ */
+ if (p->policy_type == POLICY_KERN
+ && p->policyvers < POLICYDB_VERSION_BOUNDARY
+ && typdatum->flavor == TYPE_ATTRIB)
+ return POLICYDB_SUCCESS;
+
+ len = strlen(key);
+ items = 0;
+ buf[items++] = cpu_to_le32(len);
+ buf[items++] = cpu_to_le32(typdatum->s.value);
+ if (policydb_has_boundary_feature(p)) {
+ uint32_t properties = 0;
+
+ if (p->policy_type != POLICY_KERN
+ && p->policyvers >= MOD_POLICYDB_VERSION_BOUNDARY_ALIAS) {
+ buf[items++] = cpu_to_le32(typdatum->primary);
+ }
+
+ if (typdatum->primary)
+ properties |= TYPEDATUM_PROPERTY_PRIMARY;
+
+ if (typdatum->flavor == TYPE_ATTRIB) {
+ properties |= TYPEDATUM_PROPERTY_ATTRIBUTE;
+ } else if (typdatum->flavor == TYPE_ALIAS
+ && p->policy_type != POLICY_KERN)
+ properties |= TYPEDATUM_PROPERTY_ALIAS;
+
+ if (typdatum->flags & TYPE_FLAGS_PERMISSIVE
+ && p->policy_type != POLICY_KERN)
+ properties |= TYPEDATUM_PROPERTY_PERMISSIVE;
+
+ buf[items++] = cpu_to_le32(properties);
+ buf[items++] = cpu_to_le32(typdatum->bounds);
+ } else {
+ buf[items++] = cpu_to_le32(typdatum->primary);
+
+ if (p->policy_type != POLICY_KERN) {
+ buf[items++] = cpu_to_le32(typdatum->flavor);
+
+ if (p->policyvers >= MOD_POLICYDB_VERSION_PERMISSIVE)
+ buf[items++] = cpu_to_le32(typdatum->flags);
+ else if (typdatum->flags & TYPE_FLAGS_PERMISSIVE)
+ WARN(fp->handle, "Warning! Module policy "
+ "version %d cannot support permissive "
+ "types, but one was defined",
+ p->policyvers);
+ }
+ }
+ items2 = put_entry(buf, sizeof(uint32_t), items, fp);
+ if (items != items2)
+ return POLICYDB_ERROR;
+
+ if (p->policy_type != POLICY_KERN) {
+ if (ebitmap_write(&typdatum->types, fp))
+ return POLICYDB_ERROR;
+ }
+
+ items = put_entry(key, 1, len, fp);
+ if (items != len)
+ return POLICYDB_ERROR;
+
+ return POLICYDB_SUCCESS;
+}
+
+static int user_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr)
+{
+ user_datum_t *usrdatum;
+ uint32_t buf[32];
+ size_t items, items2, len;
+ struct policy_data *pd = ptr;
+ struct policy_file *fp = pd->fp;
+ struct policydb *p = pd->p;
+
+ usrdatum = (user_datum_t *) datum;
+
+ len = strlen(key);
+ items = 0;
+ buf[items++] = cpu_to_le32(len);
+ buf[items++] = cpu_to_le32(usrdatum->s.value);
+ if (policydb_has_boundary_feature(p))
+ buf[items++] = cpu_to_le32(usrdatum->bounds);
+ items2 = put_entry(buf, sizeof(uint32_t), items, fp);
+ if (items != items2)
+ return POLICYDB_ERROR;
+
+ items = put_entry(key, 1, len, fp);
+ if (items != len)
+ return POLICYDB_ERROR;
+
+ if (p->policy_type == POLICY_KERN) {
+ if (ebitmap_write(&usrdatum->roles.roles, fp))
+ return POLICYDB_ERROR;
+ } else {
+ if (role_set_write(&usrdatum->roles, fp))
+ return POLICYDB_ERROR;
+ }
+
+ if ((p->policyvers >= POLICYDB_VERSION_MLS
+ && p->policy_type == POLICY_KERN)
+ || (p->policyvers >= MOD_POLICYDB_VERSION_MLS
+ && p->policyvers < MOD_POLICYDB_VERSION_MLS_USERS
+ && p->policy_type == POLICY_MOD)
+ || (p->policyvers >= MOD_POLICYDB_VERSION_MLS
+ && p->policyvers < MOD_POLICYDB_VERSION_MLS_USERS
+ && p->policy_type == POLICY_BASE)) {
+ if (mls_write_range_helper(&usrdatum->exp_range, fp))
+ return POLICYDB_ERROR;
+ if (mls_write_level(&usrdatum->exp_dfltlevel, fp))
+ return POLICYDB_ERROR;
+ } else if ((p->policyvers >= MOD_POLICYDB_VERSION_MLS_USERS
+ && p->policy_type == POLICY_MOD)
+ || (p->policyvers >= MOD_POLICYDB_VERSION_MLS_USERS
+ && p->policy_type == POLICY_BASE)) {
+ if (mls_write_semantic_range_helper(&usrdatum->range, fp))
+ return -1;
+ if (mls_write_semantic_level_helper(&usrdatum->dfltlevel, fp))
+ return -1;
+ }
+
+ return POLICYDB_SUCCESS;
+}
+
+static int (*write_f[SYM_NUM]) (hashtab_key_t key, hashtab_datum_t datum,
+ void *datap) = {
+common_write, class_write, role_write, type_write, user_write,
+ cond_write_bool, sens_write, cat_write,};
+
+static int ocontext_write_xen(struct policydb_compat_info *info, policydb_t *p,
+ struct policy_file *fp)
+{
+ unsigned int i, j;
+ size_t nel, items;
+ uint32_t buf[32];
+ ocontext_t *c;
+ for (i = 0; i < info->ocon_num; i++) {
+ nel = 0;
+ for (c = p->ocontexts[i]; c; c = c->next)
+ nel++;
+ buf[0] = cpu_to_le32(nel);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+ for (c = p->ocontexts[i]; c; c = c->next) {
+ switch (i) {
+ case OCON_XEN_ISID:
+ buf[0] = cpu_to_le32(c->sid[0]);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+ if (context_write(p, &c->context[0], fp))
+ return POLICYDB_ERROR;
+ break;
+ case OCON_XEN_PIRQ:
+ buf[0] = cpu_to_le32(c->u.pirq);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+ if (context_write(p, &c->context[0], fp))
+ return POLICYDB_ERROR;
+ break;
+ case OCON_XEN_IOPORT:
+ buf[0] = c->u.ioport.low_ioport;
+ buf[1] = c->u.ioport.high_ioport;
+ for (j = 0; j < 2; j++)
+ buf[j] = cpu_to_le32(buf[j]);
+ items = put_entry(buf, sizeof(uint32_t), 2, fp);
+ if (items != 2)
+ return POLICYDB_ERROR;
+ if (context_write(p, &c->context[0], fp))
+ return POLICYDB_ERROR;
+ break;
+ case OCON_XEN_IOMEM:
+ buf[0] = c->u.iomem.low_iomem;
+ buf[1] = c->u.iomem.high_iomem;
+ for (j = 0; j < 2; j++)
+ buf[j] = cpu_to_le32(buf[j]);
+ items = put_entry(buf, sizeof(uint32_t), 2, fp);
+ if (items != 2)
+ return POLICYDB_ERROR;
+ if (context_write(p, &c->context[0], fp))
+ return POLICYDB_ERROR;
+ break;
+ case OCON_XEN_PCIDEVICE:
+ buf[0] = cpu_to_le32(c->u.device);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+ if (context_write(p, &c->context[0], fp))
+ return POLICYDB_ERROR;
+ break;
+ }
+ }
+ }
+ return POLICYDB_SUCCESS;
+}
+
+static int ocontext_write_selinux(struct policydb_compat_info *info,
+ policydb_t *p, struct policy_file *fp)
+{
+ unsigned int i, j;
+ size_t nel, items, len;
+ uint32_t buf[32];
+ ocontext_t *c;
+ for (i = 0; i < info->ocon_num; i++) {
+ nel = 0;
+ for (c = p->ocontexts[i]; c; c = c->next)
+ nel++;
+ buf[0] = cpu_to_le32(nel);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+ for (c = p->ocontexts[i]; c; c = c->next) {
+ switch (i) {
+ case OCON_ISID:
+ buf[0] = cpu_to_le32(c->sid[0]);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+ if (context_write(p, &c->context[0], fp))
+ return POLICYDB_ERROR;
+ break;
+ case OCON_FS:
+ case OCON_NETIF:
+ len = strlen(c->u.name);
+ buf[0] = cpu_to_le32(len);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+ items = put_entry(c->u.name, 1, len, fp);
+ if (items != len)
+ return POLICYDB_ERROR;
+ if (context_write(p, &c->context[0], fp))
+ return POLICYDB_ERROR;
+ if (context_write(p, &c->context[1], fp))
+ return POLICYDB_ERROR;
+ break;
+ case OCON_PORT:
+ buf[0] = c->u.port.protocol;
+ buf[1] = c->u.port.low_port;
+ buf[2] = c->u.port.high_port;
+ for (j = 0; j < 3; j++) {
+ buf[j] = cpu_to_le32(buf[j]);
+ }
+ items = put_entry(buf, sizeof(uint32_t), 3, fp);
+ if (items != 3)
+ return POLICYDB_ERROR;
+ if (context_write(p, &c->context[0], fp))
+ return POLICYDB_ERROR;
+ break;
+ case OCON_NODE:
+ buf[0] = c->u.node.addr; /* network order */
+ buf[1] = c->u.node.mask; /* network order */
+ items = put_entry(buf, sizeof(uint32_t), 2, fp);
+ if (items != 2)
+ return POLICYDB_ERROR;
+ if (context_write(p, &c->context[0], fp))
+ return POLICYDB_ERROR;
+ break;
+ case OCON_FSUSE:
+ buf[0] = cpu_to_le32(c->v.behavior);
+ len = strlen(c->u.name);
+ buf[1] = cpu_to_le32(len);
+ items = put_entry(buf, sizeof(uint32_t), 2, fp);
+ if (items != 2)
+ return POLICYDB_ERROR;
+ items = put_entry(c->u.name, 1, len, fp);
+ if (items != len)
+ return POLICYDB_ERROR;
+ if (context_write(p, &c->context[0], fp))
+ return POLICYDB_ERROR;
+ break;
+ case OCON_NODE6:
+ for (j = 0; j < 4; j++)
+ buf[j] = c->u.node6.addr[j]; /* network order */
+ for (j = 0; j < 4; j++)
+ buf[j + 4] = c->u.node6.mask[j]; /* network order */
+ items = put_entry(buf, sizeof(uint32_t), 8, fp);
+ if (items != 8)
+ return POLICYDB_ERROR;
+ if (context_write(p, &c->context[0], fp))
+ return POLICYDB_ERROR;
+ break;
+ }
+ }
+ }
+ return POLICYDB_SUCCESS;
+}
+
+static int ocontext_write(struct policydb_compat_info *info, policydb_t * p,
+ struct policy_file *fp)
+{
+ int rc = POLICYDB_ERROR;
+ switch (p->target_platform) {
+ case SEPOL_TARGET_SELINUX:
+ rc = ocontext_write_selinux(info, p, fp);
+ break;
+ case SEPOL_TARGET_XEN:
+ rc = ocontext_write_xen(info, p, fp);
+ break;
+ }
+ return rc;
+}
+
+static int genfs_write(policydb_t * p, struct policy_file *fp)
+{
+ genfs_t *genfs;
+ ocontext_t *c;
+ size_t nel = 0, items, len;
+ uint32_t buf[32];
+
+ for (genfs = p->genfs; genfs; genfs = genfs->next)
+ nel++;
+ buf[0] = cpu_to_le32(nel);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+ for (genfs = p->genfs; genfs; genfs = genfs->next) {
+ len = strlen(genfs->fstype);
+ buf[0] = cpu_to_le32(len);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+ items = put_entry(genfs->fstype, 1, len, fp);
+ if (items != len)
+ return POLICYDB_ERROR;
+ nel = 0;
+ for (c = genfs->head; c; c = c->next)
+ nel++;
+ buf[0] = cpu_to_le32(nel);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+ for (c = genfs->head; c; c = c->next) {
+ len = strlen(c->u.name);
+ buf[0] = cpu_to_le32(len);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+ items = put_entry(c->u.name, 1, len, fp);
+ if (items != len)
+ return POLICYDB_ERROR;
+ buf[0] = cpu_to_le32(c->v.sclass);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+ if (context_write(p, &c->context[0], fp))
+ return POLICYDB_ERROR;
+ }
+ }
+ return POLICYDB_SUCCESS;
+}
+
+static int range_write(policydb_t * p, struct policy_file *fp)
+{
+ size_t nel, items;
+ struct range_trans *rt;
+ uint32_t buf[2];
+ int new_rangetr = (p->policy_type == POLICY_KERN &&
+ p->policyvers >= POLICYDB_VERSION_RANGETRANS);
+ int warning_issued = 0;
+
+ nel = 0;
+ for (rt = p->range_tr; rt; rt = rt->next) {
+ /* all range_transitions are written for the new format, only
+ process related range_transitions are written for the old
+ format, so count accordingly */
+ if (new_rangetr || rt->target_class == SECCLASS_PROCESS)
+ nel++;
+ }
+ buf[0] = cpu_to_le32(nel);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+ for (rt = p->range_tr; rt; rt = rt->next) {
+ if (!new_rangetr && rt->target_class != SECCLASS_PROCESS) {
+ if (!warning_issued)
+ WARN(fp->handle, "Discarding range_transition "
+ "rules for security classes other than "
+ "\"process\"");
+ warning_issued = 1;
+ continue;
+ }
+ buf[0] = cpu_to_le32(rt->source_type);
+ buf[1] = cpu_to_le32(rt->target_type);
+ items = put_entry(buf, sizeof(uint32_t), 2, fp);
+ if (items != 2)
+ return POLICYDB_ERROR;
+ if (new_rangetr) {
+ buf[0] = cpu_to_le32(rt->target_class);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+ }
+ if (mls_write_range_helper(&rt->target_range, fp))
+ return POLICYDB_ERROR;
+ }
+ return POLICYDB_SUCCESS;
+}
+
+/************** module writing functions below **************/
+
+static int avrule_write(avrule_t * avrule, struct policy_file *fp)
+{
+ size_t items, items2;
+ uint32_t buf[32], len;
+ class_perm_node_t *cur;
+
+ items = 0;
+ buf[items++] = cpu_to_le32(avrule->specified);
+ buf[items++] = cpu_to_le32(avrule->flags);
+ items2 = put_entry(buf, sizeof(uint32_t), items, fp);
+ if (items2 != items)
+ return POLICYDB_ERROR;
+
+ if (type_set_write(&avrule->stypes, fp))
+ return POLICYDB_ERROR;
+
+ if (type_set_write(&avrule->ttypes, fp))
+ return POLICYDB_ERROR;
+
+ cur = avrule->perms;
+ len = 0;
+ while (cur) {
+ len++;
+ cur = cur->next;
+ }
+ items = 0;
+ buf[items++] = cpu_to_le32(len);
+ items2 = put_entry(buf, sizeof(uint32_t), items, fp);
+ if (items2 != items)
+ return POLICYDB_ERROR;
+ cur = avrule->perms;
+ while (cur) {
+ items = 0;
+ buf[items++] = cpu_to_le32(cur->class);
+ buf[items++] = cpu_to_le32(cur->data);
+ items2 = put_entry(buf, sizeof(uint32_t), items, fp);
+ if (items2 != items)
+ return POLICYDB_ERROR;
+
+ cur = cur->next;
+ }
+
+ return POLICYDB_SUCCESS;
+}
+
+static int avrule_write_list(avrule_t * avrules, struct policy_file *fp)
+{
+ uint32_t buf[32], len;
+ avrule_t *avrule;
+
+ avrule = avrules;
+ len = 0;
+ while (avrule) {
+ len++;
+ avrule = avrule->next;
+ }
+
+ buf[0] = cpu_to_le32(len);
+ if (put_entry(buf, sizeof(uint32_t), 1, fp) != 1)
+ return POLICYDB_ERROR;
+
+ avrule = avrules;
+ while (avrule) {
+ avrule_write(avrule, fp);
+ avrule = avrule->next;
+ }
+
+ return POLICYDB_SUCCESS;
+}
+
+static int only_process(ebitmap_t *in)
+{
+ unsigned int i;
+ ebitmap_node_t *node;
+
+ ebitmap_for_each_bit(in, node, i) {
+ if (ebitmap_node_get_bit(node, i) &&
+ i != SECCLASS_PROCESS - 1)
+ return 0;
+ }
+ return 1;
+}
+
+static int role_trans_rule_write(policydb_t *p, role_trans_rule_t * t,
+ struct policy_file *fp)
+{
+ int nel = 0;
+ size_t items;
+ uint32_t buf[1];
+ role_trans_rule_t *tr;
+ int warned = 0;
+ int new_role = p->policyvers >= MOD_POLICYDB_VERSION_ROLETRANS;
+
+ for (tr = t; tr; tr = tr->next)
+ if (new_role || only_process(&tr->classes))
+ nel++;
+
+ buf[0] = cpu_to_le32(nel);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+ for (tr = t; tr; tr = tr->next) {
+ if (!new_role && !only_process(&tr->classes)) {
+ if (!warned)
+ WARN(fp->handle, "Discarding role_transition "
+ "rules for security classes other than "
+ "\"process\"");
+ warned = 1;
+ continue;
+ }
+ if (role_set_write(&tr->roles, fp))
+ return POLICYDB_ERROR;
+ if (type_set_write(&tr->types, fp))
+ return POLICYDB_ERROR;
+ if (new_role)
+ if (ebitmap_write(&tr->classes, fp))
+ return POLICYDB_ERROR;
+ buf[0] = cpu_to_le32(tr->new_role);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+ }
+ return POLICYDB_SUCCESS;
+}
+
+static int role_allow_rule_write(role_allow_rule_t * r, struct policy_file *fp)
+{
+ int nel = 0;
+ size_t items;
+ uint32_t buf[1];
+ role_allow_rule_t *ra;
+
+ for (ra = r; ra; ra = ra->next)
+ nel++;
+ buf[0] = cpu_to_le32(nel);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+ for (ra = r; ra; ra = ra->next) {
+ if (role_set_write(&ra->roles, fp))
+ return POLICYDB_ERROR;
+ if (role_set_write(&ra->new_roles, fp))
+ return POLICYDB_ERROR;
+ }
+ return POLICYDB_SUCCESS;
+}
+
+static int filename_trans_rule_write(filename_trans_rule_t * t, struct policy_file *fp)
+{
+ int nel = 0;
+ size_t items;
+ uint32_t buf[2], len;
+ filename_trans_rule_t *ftr;
+
+ for (ftr = t; ftr; ftr = ftr->next)
+ nel++;
+
+ buf[0] = cpu_to_le32(nel);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+
+ for (ftr = t; ftr; ftr = ftr->next) {
+ len = strlen(ftr->name);
+ buf[0] = cpu_to_le32(len);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+
+ items = put_entry(ftr->name, sizeof(char), len, fp);
+ if (items != len)
+ return POLICYDB_ERROR;
+
+ if (type_set_write(&ftr->stypes, fp))
+ return POLICYDB_ERROR;
+ if (type_set_write(&ftr->ttypes, fp))
+ return POLICYDB_ERROR;
+
+ buf[0] = cpu_to_le32(ftr->tclass);
+ buf[1] = cpu_to_le32(ftr->otype);
+
+ items = put_entry(buf, sizeof(uint32_t), 2, fp);
+ if (items != 2)
+ return POLICYDB_ERROR;
+ }
+ return POLICYDB_SUCCESS;
+}
+
+static int range_trans_rule_write(range_trans_rule_t * t,
+ struct policy_file *fp)
+{
+ int nel = 0;
+ size_t items;
+ uint32_t buf[1];
+ range_trans_rule_t *rt;
+
+ for (rt = t; rt; rt = rt->next)
+ nel++;
+ buf[0] = cpu_to_le32(nel);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+ for (rt = t; rt; rt = rt->next) {
+ if (type_set_write(&rt->stypes, fp))
+ return POLICYDB_ERROR;
+ if (type_set_write(&rt->ttypes, fp))
+ return POLICYDB_ERROR;
+ if (ebitmap_write(&rt->tclasses, fp))
+ return POLICYDB_ERROR;
+ if (mls_write_semantic_range_helper(&rt->trange, fp))
+ return POLICYDB_ERROR;
+ }
+ return POLICYDB_SUCCESS;
+}
+
+static int scope_index_write(scope_index_t * scope_index,
+ unsigned int num_scope_syms,
+ struct policy_file *fp)
+{
+ unsigned int i;
+ uint32_t buf[1];
+ for (i = 0; i < num_scope_syms; i++) {
+ if (ebitmap_write(scope_index->scope + i, fp) == -1) {
+ return POLICYDB_ERROR;
+ }
+ }
+ buf[0] = cpu_to_le32(scope_index->class_perms_len);
+ if (put_entry(buf, sizeof(uint32_t), 1, fp) != 1) {
+ return POLICYDB_ERROR;
+ }
+ for (i = 0; i < scope_index->class_perms_len; i++) {
+ if (ebitmap_write(scope_index->class_perms_map + i, fp) == -1) {
+ return POLICYDB_ERROR;
+ }
+ }
+ return POLICYDB_SUCCESS;
+}
+
+static int avrule_decl_write(avrule_decl_t * decl, int num_scope_syms,
+ policydb_t * p, struct policy_file *fp)
+{
+ struct policy_data pd;
+ uint32_t buf[2];
+ int i;
+ buf[0] = cpu_to_le32(decl->decl_id);
+ buf[1] = cpu_to_le32(decl->enabled);
+ if (put_entry(buf, sizeof(uint32_t), 2, fp) != 2) {
+ return POLICYDB_ERROR;
+ }
+ if (cond_write_list(p, decl->cond_list, fp) == -1 ||
+ avrule_write_list(decl->avrules, fp) == -1 ||
+ role_trans_rule_write(p, decl->role_tr_rules, fp) == -1 ||
+ role_allow_rule_write(decl->role_allow_rules, fp) == -1) {
+ return POLICYDB_ERROR;
+ }
+
+ if (p->policyvers >= MOD_POLICYDB_VERSION_FILENAME_TRANS &&
+ filename_trans_rule_write(decl->filename_trans_rules, fp))
+ return POLICYDB_ERROR;
+
+ if (p->policyvers >= MOD_POLICYDB_VERSION_RANGETRANS &&
+ range_trans_rule_write(decl->range_tr_rules, fp) == -1) {
+ return POLICYDB_ERROR;
+ }
+ if (scope_index_write(&decl->required, num_scope_syms, fp) == -1 ||
+ scope_index_write(&decl->declared, num_scope_syms, fp) == -1) {
+ return POLICYDB_ERROR;
+ }
+ pd.fp = fp;
+ pd.p = p;
+ for (i = 0; i < num_scope_syms; i++) {
+ buf[0] = cpu_to_le32(decl->symtab[i].nprim);
+ buf[1] = cpu_to_le32(decl->symtab[i].table->nel);
+ if (put_entry(buf, sizeof(uint32_t), 2, fp) != 2) {
+ return POLICYDB_ERROR;
+ }
+ if (hashtab_map(decl->symtab[i].table, write_f[i], &pd)) {
+ return POLICYDB_ERROR;
+ }
+ }
+ return POLICYDB_SUCCESS;
+}
+
+static int avrule_block_write(avrule_block_t * block, int num_scope_syms,
+ policydb_t * p, struct policy_file *fp)
+{
+ /* first write a count of the total number of blocks */
+ uint32_t buf[1], num_blocks = 0;
+ avrule_block_t *cur;
+ for (cur = block; cur != NULL; cur = cur->next) {
+ num_blocks++;
+ }
+ buf[0] = cpu_to_le32(num_blocks);
+ if (put_entry(buf, sizeof(uint32_t), 1, fp) != 1) {
+ return POLICYDB_ERROR;
+ }
+
+ /* now write each block */
+ for (cur = block; cur != NULL; cur = cur->next) {
+ uint32_t num_decls = 0;
+ avrule_decl_t *decl;
+ /* write a count of number of branches */
+ for (decl = cur->branch_list; decl != NULL; decl = decl->next) {
+ num_decls++;
+ }
+ buf[0] = cpu_to_le32(num_decls);
+ if (put_entry(buf, sizeof(uint32_t), 1, fp) != 1) {
+ return POLICYDB_ERROR;
+ }
+ for (decl = cur->branch_list; decl != NULL; decl = decl->next) {
+ if (avrule_decl_write(decl, num_scope_syms, p, fp) ==
+ -1) {
+ return POLICYDB_ERROR;
+ }
+ }
+ }
+ return POLICYDB_SUCCESS;
+}
+
+static int scope_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr)
+{
+ scope_datum_t *scope = (scope_datum_t *) datum;
+ struct policy_data *pd = ptr;
+ struct policy_file *fp = pd->fp;
+ uint32_t static_buf[32], *dyn_buf = NULL, *buf;
+ size_t key_len = strlen(key);
+ unsigned int items = 2 + scope->decl_ids_len, i;
+
+ if (items >= (sizeof(static_buf) / 4)) {
+ /* too many things required, so dynamically create a
+ * buffer. this would have been easier with C99's
+ * dynamic arrays... */
+ if ((dyn_buf = malloc(items * sizeof(*dyn_buf))) == NULL) {
+ return POLICYDB_ERROR;
+ }
+ buf = dyn_buf;
+ } else {
+ buf = static_buf;
+ }
+ buf[0] = cpu_to_le32(key_len);
+ if (put_entry(buf, sizeof(*buf), 1, fp) != 1 ||
+ put_entry(key, 1, key_len, fp) != key_len) {
+ return POLICYDB_ERROR;
+ }
+ buf[0] = cpu_to_le32(scope->scope);
+ buf[1] = cpu_to_le32(scope->decl_ids_len);
+ for (i = 0; i < scope->decl_ids_len; i++) {
+ buf[2 + i] = cpu_to_le32(scope->decl_ids[i]);
+ }
+ if (put_entry(buf, sizeof(*buf), items, fp) != items) {
+ free(dyn_buf);
+ return POLICYDB_ERROR;
+ }
+ free(dyn_buf);
+ return POLICYDB_SUCCESS;
+}
+
+static int type_attr_uncount(hashtab_key_t key __attribute__ ((unused)),
+ hashtab_datum_t datum, void *args)
+{
+ type_datum_t *typdatum = datum;
+ uint32_t *p_nel = args;
+
+ if (typdatum->flavor == TYPE_ATTRIB) {
+ /* uncount attribute from total number of types */
+ (*p_nel)--;
+ }
+ return 0;
+}
+
+/*
+ * Write the configuration data in a policy database
+ * structure to a policy database binary representation
+ * file.
+ */
+int policydb_write(policydb_t * p, struct policy_file *fp)
+{
+ unsigned int i, num_syms;
+ uint32_t buf[32], config;
+ size_t items, items2, len;
+ struct policydb_compat_info *info;
+ struct policy_data pd;
+ char *policydb_str;
+
+ if (p->unsupported_format)
+ return POLICYDB_UNSUPPORTED;
+
+ pd.fp = fp;
+ pd.p = p;
+
+ config = 0;
+ if (p->mls) {
+ if ((p->policyvers < POLICYDB_VERSION_MLS &&
+ p->policy_type == POLICY_KERN) ||
+ (p->policyvers < MOD_POLICYDB_VERSION_MLS &&
+ p->policy_type == POLICY_BASE) ||
+ (p->policyvers < MOD_POLICYDB_VERSION_MLS &&
+ p->policy_type == POLICY_MOD)) {
+ ERR(fp->handle, "policy version %d cannot support MLS",
+ p->policyvers);
+ return POLICYDB_ERROR;
+ }
+ config |= POLICYDB_CONFIG_MLS;
+ }
+
+ config |= (POLICYDB_CONFIG_UNKNOWN_MASK & p->handle_unknown);
+
+ /* Write the magic number and string identifiers. */
+ items = 0;
+ if (p->policy_type == POLICY_KERN) {
+ buf[items++] = cpu_to_le32(POLICYDB_MAGIC);
+ len = strlen(policydb_target_strings[p->target_platform]);
+ policydb_str = policydb_target_strings[p->target_platform];
+ } else {
+ buf[items++] = cpu_to_le32(POLICYDB_MOD_MAGIC);
+ len = strlen(POLICYDB_MOD_STRING);
+ policydb_str = POLICYDB_MOD_STRING;
+ }
+ buf[items++] = cpu_to_le32(len);
+ items2 = put_entry(buf, sizeof(uint32_t), items, fp);
+ if (items != items2)
+ return POLICYDB_ERROR;
+ items = put_entry(policydb_str, 1, len, fp);
+ if (items != len)
+ return POLICYDB_ERROR;
+
+ /* Write the version, config, and table sizes. */
+ items = 0;
+ info = policydb_lookup_compat(p->policyvers, p->policy_type,
+ p->target_platform);
+ if (!info) {
+ ERR(fp->handle, "compatibility lookup failed for policy "
+ "version %d", p->policyvers);
+ return POLICYDB_ERROR;
+ }
+
+ if (p->policy_type != POLICY_KERN) {
+ buf[items++] = cpu_to_le32(p->policy_type);
+ }
+ buf[items++] = cpu_to_le32(p->policyvers);
+ buf[items++] = cpu_to_le32(config);
+ buf[items++] = cpu_to_le32(info->sym_num);
+ buf[items++] = cpu_to_le32(info->ocon_num);
+
+ items2 = put_entry(buf, sizeof(uint32_t), items, fp);
+ if (items != items2)
+ return POLICYDB_ERROR;
+
+ if (p->policy_type == POLICY_MOD) {
+ /* Write module name and version */
+ len = strlen(p->name);
+ buf[0] = cpu_to_le32(len);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+ items = put_entry(p->name, 1, len, fp);
+ if (items != len)
+ return POLICYDB_ERROR;
+ len = strlen(p->version);
+ buf[0] = cpu_to_le32(len);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+ items = put_entry(p->version, 1, len, fp);
+ if (items != len)
+ return POLICYDB_ERROR;
+ }
+
+ if ((p->policyvers >= POLICYDB_VERSION_POLCAP &&
+ p->policy_type == POLICY_KERN) ||
+ (p->policyvers >= MOD_POLICYDB_VERSION_POLCAP &&
+ p->policy_type == POLICY_BASE) ||
+ (p->policyvers >= MOD_POLICYDB_VERSION_POLCAP &&
+ p->policy_type == POLICY_MOD)) {
+ if (ebitmap_write(&p->policycaps, fp) == -1)
+ return POLICYDB_ERROR;
+ }
+
+ if (p->policyvers < POLICYDB_VERSION_PERMISSIVE &&
+ p->policy_type == POLICY_KERN) {
+ ebitmap_node_t *tnode;
+
+ ebitmap_for_each_bit(&p->permissive_map, tnode, i) {
+ if (ebitmap_node_get_bit(tnode, i)) {
+ WARN(fp->handle, "Warning! Policy version %d cannot "
+ "support permissive types, but some were defined",
+ p->policyvers);
+ break;
+ }
+ }
+ }
+
+ if (p->policyvers >= POLICYDB_VERSION_PERMISSIVE &&
+ p->policy_type == POLICY_KERN) {
+ if (ebitmap_write(&p->permissive_map, fp) == -1)
+ return POLICYDB_ERROR;
+ }
+
+ num_syms = info->sym_num;
+ for (i = 0; i < num_syms; i++) {
+ buf[0] = cpu_to_le32(p->symtab[i].nprim);
+ buf[1] = cpu_to_le32(p->symtab[i].table->nel);
+
+ /*
+ * A special case when writing type/attribute symbol table.
+ * The kernel policy version less than 24 does not support
+ * to load entries of attribute, so we have to re-calculate
+ * the actual number of types except for attributes.
+ */
+ if (i == SYM_TYPES &&
+ p->policyvers < POLICYDB_VERSION_BOUNDARY &&
+ p->policy_type == POLICY_KERN) {
+ hashtab_map(p->symtab[i].table, type_attr_uncount, &buf[1]);
+ }
+ items = put_entry(buf, sizeof(uint32_t), 2, fp);
+ if (items != 2)
+ return POLICYDB_ERROR;
+ if (hashtab_map(p->symtab[i].table, write_f[i], &pd))
+ return POLICYDB_ERROR;
+ }
+
+ if (p->policy_type == POLICY_KERN) {
+ if (avtab_write(p, &p->te_avtab, fp))
+ return POLICYDB_ERROR;
+ if (p->policyvers < POLICYDB_VERSION_BOOL) {
+ if (p->p_bools.nprim)
+ WARN(fp->handle, "Discarding "
+ "booleans and conditional rules");
+ } else {
+ if (cond_write_list(p, p->cond_list, fp))
+ return POLICYDB_ERROR;
+ }
+ if (role_trans_write(p, fp))
+ return POLICYDB_ERROR;
+ if (role_allow_write(p->role_allow, fp))
+ return POLICYDB_ERROR;
+ if (p->policyvers >= POLICYDB_VERSION_FILENAME_TRANS) {
+ if (filename_trans_write(p->filename_trans, fp))
+ return POLICYDB_ERROR;
+ } else {
+ if (p->filename_trans)
+ WARN(fp->handle, "Discarding filename type transition rules");
+ }
+ } else {
+ if (avrule_block_write(p->global, num_syms, p, fp) == -1) {
+ return POLICYDB_ERROR;
+ }
+
+ for (i = 0; i < num_syms; i++) {
+ buf[0] = cpu_to_le32(p->scope[i].table->nel);
+ if (put_entry(buf, sizeof(uint32_t), 1, fp) != 1) {
+ return POLICYDB_ERROR;
+ }
+ if (hashtab_map(p->scope[i].table, scope_write, &pd))
+ return POLICYDB_ERROR;
+ }
+ }
+
+ if (ocontext_write(info, p, fp) == -1 || genfs_write(p, fp) == -1) {
+ return POLICYDB_ERROR;
+ }
+
+ if ((p->policyvers >= POLICYDB_VERSION_MLS
+ && p->policy_type == POLICY_KERN)
+ || (p->policyvers >= MOD_POLICYDB_VERSION_MLS
+ && p->policyvers < MOD_POLICYDB_VERSION_RANGETRANS
+ && p->policy_type == POLICY_BASE)) {
+ if (range_write(p, fp)) {
+ return POLICYDB_ERROR;
+ }
+ }
+
+ if (p->policy_type == POLICY_KERN
+ && p->policyvers >= POLICYDB_VERSION_AVTAB) {
+ for (i = 0; i < p->p_types.nprim; i++) {
+ if (ebitmap_write(&p->type_attr_map[i], fp) == -1)
+ return POLICYDB_ERROR;
+ }
+ }
+
+ return POLICYDB_SUCCESS;
+}
diff --git a/tests/Makefile b/tests/Makefile
new file mode 100644
index 0000000..dd7bd33
--- /dev/null
+++ b/tests/Makefile
@@ -0,0 +1,54 @@
+M4 ?= m4
+MKDIR ?= mkdir
+EXE ?= libsepol-tests
+
+CFLAGS += -g3 -gdwarf-2 -o0 -Wall -W -Wundef -Wmissing-noreturn -Wmissing-format-attribute -Wno-unused-parameter -Werror
+
+# Statically link libsepol on the assumption that we are going to
+# be testing internal functions.
+LIBSEPOL := ../src/libsepol.a
+
+# In order to load source policies we need to link in the checkpolicy/checkmodule parser and util code.
+# This is less than ideal, but it makes the tests easier to maintain by allowing source policies
+# to be loaded directly.
+CHECKPOLICY := ../../checkpolicy/
+CPPFLAGS += -I../include/ -I$(CHECKPOLICY)
+
+# test program object files
+objs := $(patsubst %.c,%.o,$(wildcard *.c))
+parserobjs := $(CHECKPOLICY)queue.o $(CHECKPOLICY)y.tab.o \
+ $(CHECKPOLICY)parse_util.o $(CHECKPOLICY)lex.yy.o \
+ $(CHECKPOLICY)policy_define.o $(CHECKPOLICY)module_compiler.o
+
+# test policy pieces
+m4support := $(wildcard policies/support/*.spt)
+testsuites := $(wildcard policies/test-*)
+policysrc := $(foreach path,$(testsuites),$(wildcard $(path)/*.conf))
+stdpol := $(addsuffix .std,$(policysrc))
+mlspol := $(addsuffix .mls,$(policysrc))
+policies := $(stdpol) $(mlspol)
+
+all: $(EXE) $(policies)
+policies: $(policies)
+
+$(EXE): $(objs) $(parserobjs) $(LIBSEPOL)
+ $(CC) $(CFLAGS) $(CPPFLAGS) $(objs) $(parserobjs) -lfl -lcunit -lcurses $(LIBSEPOL) -o $@
+
+%.conf.std: $(m4support) %.conf
+ $(M4) $(M4PARAMS) $^ > $@
+
+%.conf.mls: $(m4support) %.conf
+ $(M4) $(M4PARAMS) -D enable_mls $^ > $@
+
+clean:
+ rm -f $(objs) $(EXE)
+ rm -f $(policies)
+ rm -f policies/test-downgrade/policy.hi policies/test-downgrade/policy.lo
+
+
+test: $(EXE) $(policies)
+ $(MKDIR) -p policies/test-downgrade
+ ../../checkpolicy/checkpolicy -M policies/test-cond/refpolicy-base.conf -o policies/test-downgrade/policy.hi
+ ./$(EXE)
+
+.PHONY: all policies clean test
diff --git a/tests/debug.c b/tests/debug.c
new file mode 100644
index 0000000..90aa6e0
--- /dev/null
+++ b/tests/debug.c
@@ -0,0 +1,69 @@
+/*
+ * Author: Joshua Brindle <jbrindle@tresys.com>
+ *
+ * Copyright (C) 2006 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+/* This includes functions used to debug tests (display bitmaps, conditional expressions, etc */
+
+#include "debug.h"
+
+#include <stdlib.h>
+
+void print_ebitmap(ebitmap_t * bitmap, FILE * fp)
+{
+ uint32_t i;
+ for (i = 0; i < bitmap->highbit; i++) {
+ fprintf(fp, "%d", ebitmap_get_bit(bitmap, i));
+ }
+ fprintf(fp, "\n");
+}
+
+/* stolen from dispol.c */
+void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp)
+{
+
+ cond_expr_t *cur;
+ for (cur = exp; cur != NULL; cur = cur->next) {
+ switch (cur->expr_type) {
+ case COND_BOOL:
+ fprintf(fp, "%s ", p->p_bool_val_to_name[cur->bool - 1]);
+ break;
+ case COND_NOT:
+ fprintf(fp, "! ");
+ break;
+ case COND_OR:
+ fprintf(fp, "|| ");
+ break;
+ case COND_AND:
+ fprintf(fp, "&& ");
+ break;
+ case COND_XOR:
+ fprintf(fp, "^ ");
+ break;
+ case COND_EQ:
+ fprintf(fp, "== ");
+ break;
+ case COND_NEQ:
+ fprintf(fp, "!= ");
+ break;
+ default:
+ fprintf(fp, "error! (%d)", cur->expr_type);
+ break;
+ }
+ }
+}
diff --git a/tests/debug.h b/tests/debug.h
new file mode 100644
index 0000000..c25ebd4
--- /dev/null
+++ b/tests/debug.h
@@ -0,0 +1,27 @@
+/*
+ * Author: Joshua Brindle <jbrindle@tresys.com>
+ *
+ * Copyright (C) 2006 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+/* This includes functions used to debug tests (display bitmaps, conditional expressions, etc */
+
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/conditional.h>
+
+extern void print_ebitmap(ebitmap_t * bitmap, FILE * fp);
+extern void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp);
diff --git a/tests/helpers.c b/tests/helpers.c
new file mode 100644
index 0000000..542e467
--- /dev/null
+++ b/tests/helpers.c
@@ -0,0 +1,81 @@
+/*
+ * Author: Joshua Brindle <jbrindle@tresys.com>
+ * Chad Sellers <csellers@tresys.com>
+ *
+ * Copyright (C) 2006 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+/* This has helper functions that are common between tests */
+
+#include "helpers.h"
+#include "parse_util.h"
+
+#include <sepol/policydb/expand.h>
+#include <sepol/policydb/avrule_block.h>
+
+#include <CUnit/Basic.h>
+
+#include <stdlib.h>
+#include <limits.h>
+
+int test_load_policy(policydb_t * p, int policy_type, int mls, const char *test_name, const char *policy_name)
+{
+ char filename[PATH_MAX];
+
+ if (mls) {
+ if (snprintf(filename, PATH_MAX, "policies/%s/%s.mls", test_name, policy_name) < 0) {
+ return -1;
+ }
+ } else {
+ if (snprintf(filename, PATH_MAX, "policies/%s/%s.std", test_name, policy_name) < 0) {
+ return -1;
+ }
+ }
+
+ if (policydb_init(p)) {
+ fprintf(stderr, "Out of memory");
+ return -1;
+ }
+
+ p->policy_type = policy_type;
+ p->mls = mls;
+
+ if (read_source_policy(p, filename, test_name)) {
+ fprintf(stderr, "failed to read policy %s\n", filename);
+ policydb_destroy(p);
+ return -1;
+ }
+
+ return 0;
+}
+
+avrule_decl_t *test_find_decl_by_sym(policydb_t * p, int symtab, char *sym)
+{
+ scope_datum_t *scope = (scope_datum_t *) hashtab_search(p->scope[symtab].table, sym);
+
+ if (scope == NULL) {
+ return NULL;
+ }
+ if (scope->scope != SCOPE_DECL) {
+ return NULL;
+ }
+ if (scope->decl_ids_len != 1) {
+ return NULL;
+ }
+
+ return p->decl_val_to_struct[scope->decl_ids[0] - 1];
+}
diff --git a/tests/helpers.h b/tests/helpers.h
new file mode 100644
index 0000000..418ee95
--- /dev/null
+++ b/tests/helpers.h
@@ -0,0 +1,59 @@
+/*
+ * Author: Joshua Brindle <jbrindle@tresys.com>
+ * Chad Sellers <csellers@tresys.com>
+ *
+ * Copyright (C) 2006 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef __COMMON_H__
+#define __COMMON_H__
+
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/conditional.h>
+
+/* helper functions */
+
+/* Load a source policy into p. policydb_init will called within this function.
+ *
+ * Example: test_load_policy(p, POLICY_BASE, 1, "foo", "base.conf") will load the
+ * policy "policies/foo/mls/base.conf" into p.
+ *
+ * Arguments:
+ * p policydb_t into which the policy will be read. This should be
+ * malloc'd but not passed to policydb_init.
+ * policy_type Type of policy expected - POLICY_BASE or POLICY_MOD.
+ * mls Boolean value indicating whether an mls policy is expected.
+ * test_name Name of the test which will be the name of the directory in
+ * which the policies are stored.
+ * policy_name Name of the policy in the directory.
+ *
+ * Returns:
+ * 0 success
+ * -1 error - the policydb will be destroyed but not freed.
+ */
+extern int test_load_policy(policydb_t * p, int policy_type, int mls, const char *test_name, const char *policy_name);
+
+/* Find an avrule_decl_t by a unique symbol. If the symbol is declared in more
+ * than one decl an error is returned.
+ *
+ * Returns:
+ * decl success
+ * NULL error (including more than one declaration)
+ */
+extern avrule_decl_t *test_find_decl_by_sym(policydb_t * p, int symtab, char *sym);
+
+#endif
diff --git a/tests/libsepol-tests.c b/tests/libsepol-tests.c
new file mode 100644
index 0000000..9302f72
--- /dev/null
+++ b/tests/libsepol-tests.c
@@ -0,0 +1,118 @@
+/*
+ * Author: Karl MacMillan <kmacmillan@tresys.com>
+ *
+ * Copyright (C) 2006 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include "test-cond.h"
+#include "test-linker.h"
+#include "test-expander.h"
+#include "test-deps.h"
+#include "test-downgrade.h"
+
+#include <CUnit/Basic.h>
+#include <CUnit/Console.h>
+#include <CUnit/TestDB.h>
+
+#include <stdio.h>
+#include <getopt.h>
+#include <stdlib.h>
+
+int mls;
+
+#define DECLARE_SUITE(name) \
+ suite = CU_add_suite(#name, name##_test_init, name##_test_cleanup); \
+ if (NULL == suite) { \
+ CU_cleanup_registry(); \
+ return CU_get_error(); } \
+ if (name##_add_tests(suite)) { \
+ CU_cleanup_registry(); \
+ return CU_get_error(); }
+
+static void usage(char *progname)
+{
+ printf("usage: %s [options]\n", progname);
+ printf("options:\n");
+ printf("\t-v, --verbose\t\t\tverbose output\n");
+ printf("\t-i, --interactive\t\tinteractive console\n");
+}
+
+static int do_tests(int interactive, int verbose)
+{
+ CU_pSuite suite = NULL;
+
+ if (CUE_SUCCESS != CU_initialize_registry())
+ return CU_get_error();
+
+ DECLARE_SUITE(cond);
+ DECLARE_SUITE(linker);
+ DECLARE_SUITE(expander);
+ DECLARE_SUITE(deps);
+ DECLARE_SUITE(downgrade);
+
+ if (verbose)
+ CU_basic_set_mode(CU_BRM_VERBOSE);
+ else
+ CU_basic_set_mode(CU_BRM_NORMAL);
+
+ if (interactive)
+ CU_console_run_tests();
+ else
+ CU_basic_run_tests();
+ CU_cleanup_registry();
+ return CU_get_error();
+
+}
+
+int main(int argc, char **argv)
+{
+ int i, verbose = 1, interactive = 0;
+
+ struct option opts[] = {
+ {"verbose", 0, NULL, 'v'},
+ {"interactive", 0, NULL, 'i'},
+ {NULL, 0, NULL, 0}
+ };
+
+ while ((i = getopt_long(argc, argv, "vi", opts, NULL)) != -1) {
+ switch (i) {
+ case 'v':
+ verbose = 1;
+ break;
+ case 'i':
+ interactive = 1;
+ break;
+ case 'h':
+ default:{
+ usage(argv[0]);
+ exit(1);
+ }
+ }
+ }
+
+ /* first do the non-mls tests */
+ mls = 0;
+ if (do_tests(interactive, verbose))
+ return -1;
+
+ /* then with mls */
+ mls = 1;
+ if (do_tests(interactive, verbose))
+ return -1;
+
+ return 0;
+}
diff --git a/tests/policies/support/misc_macros.spt b/tests/policies/support/misc_macros.spt
new file mode 100644
index 0000000..5fadd0f
--- /dev/null
+++ b/tests/policies/support/misc_macros.spt
@@ -0,0 +1,23 @@
+
+########################################
+#
+# Helper macros
+#
+
+########################################
+#
+# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_categories])
+#
+define(`gen_user',`dnl
+ifdef(`users_extra',`dnl
+ifelse(`$2',,,`user $1 prefix $2;')
+',`dnl
+user $1 roles { $3 }`'ifdef(`enable_mls', ` level $4 range $5')`'ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$6',,,` - s0:$6')');
+')dnl
+')
+
+########################################
+#
+# gen_context(context,mls_sensitivity,[mcs_categories])
+#
+define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')') dnl
diff --git a/tests/policies/test-cond/refpolicy-base.conf b/tests/policies/test-cond/refpolicy-base.conf
new file mode 100644
index 0000000..60da11a
--- /dev/null
+++ b/tests/policies/test-cond/refpolicy-base.conf
@@ -0,0 +1,1939 @@
+class security
+class process
+class system
+class capability
+class filesystem
+class file
+class dir
+class fd
+class lnk_file
+class chr_file
+class blk_file
+class sock_file
+class fifo_file
+class socket
+class tcp_socket
+class udp_socket
+class rawip_socket
+class node
+class netif
+class netlink_socket
+class packet_socket
+class key_socket
+class unix_stream_socket
+class unix_dgram_socket
+class sem
+class msg
+class msgq
+class shm
+class ipc
+class passwd # userspace
+class drawable # userspace
+class window # userspace
+class gc # userspace
+class font # userspace
+class colormap # userspace
+class property # userspace
+class cursor # userspace
+class xclient # userspace
+class xinput # userspace
+class xserver # userspace
+class xextension # userspace
+class pax
+class netlink_route_socket
+class netlink_firewall_socket
+class netlink_tcpdiag_socket
+class netlink_nflog_socket
+class netlink_xfrm_socket
+class netlink_selinux_socket
+class netlink_audit_socket
+class netlink_ip6fw_socket
+class netlink_dnrt_socket
+class dbus # userspace
+class nscd # userspace
+class association
+class netlink_kobject_uevent_socket
+sid kernel
+sid security
+sid unlabeled
+sid fs
+sid file
+sid file_labels
+sid init
+sid any_socket
+sid port
+sid netif
+sid netmsg
+sid node
+sid igmp_packet
+sid icmp_socket
+sid tcp_socket
+sid sysctl_modprobe
+sid sysctl
+sid sysctl_fs
+sid sysctl_kernel
+sid sysctl_net
+sid sysctl_net_unix
+sid sysctl_vm
+sid sysctl_dev
+sid kmod
+sid policy
+sid scmp_packet
+sid devnull
+common file
+{
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ unlink
+ link
+ rename
+ execute
+ swapon
+ quotaon
+ mounton
+}
+common socket
+{
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ bind
+ connect
+ listen
+ accept
+ getopt
+ setopt
+ shutdown
+ recvfrom
+ sendto
+ recv_msg
+ send_msg
+ name_bind
+}
+common ipc
+{
+ create
+ destroy
+ getattr
+ setattr
+ read
+ write
+ associate
+ unix_read
+ unix_write
+}
+class filesystem
+{
+ mount
+ remount
+ unmount
+ getattr
+ relabelfrom
+ relabelto
+ transition
+ associate
+ quotamod
+ quotaget
+}
+class dir
+inherits file
+{
+ add_name
+ remove_name
+ reparent
+ search
+ rmdir
+}
+class file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+ execmod
+}
+class lnk_file
+inherits file
+class chr_file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+ execmod
+}
+class blk_file
+inherits file
+class sock_file
+inherits file
+class fifo_file
+inherits file
+class fd
+{
+ use
+}
+class socket
+inherits socket
+class tcp_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+ node_bind
+ name_connect
+}
+class udp_socket
+inherits socket
+{
+ node_bind
+}
+class rawip_socket
+inherits socket
+{
+ node_bind
+}
+class node
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+ enforce_dest
+}
+class netif
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+}
+class netlink_socket
+inherits socket
+class packet_socket
+inherits socket
+class key_socket
+inherits socket
+class unix_stream_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+}
+class unix_dgram_socket
+inherits socket
+class process
+{
+ fork
+ transition
+ sigchld # commonly granted from child to parent
+ sigkill # cannot be caught or ignored
+ sigstop # cannot be caught or ignored
+ signull # for kill(pid, 0)
+ signal # all other signals
+ ptrace
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ share
+ getattr
+ setexec
+ setfscreate
+ noatsecure
+ siginh
+ setrlimit
+ rlimitinh
+ dyntransition
+ setcurrent
+ execmem
+ execstack
+ execheap
+}
+class ipc
+inherits ipc
+class sem
+inherits ipc
+class msgq
+inherits ipc
+{
+ enqueue
+}
+class msg
+{
+ send
+ receive
+}
+class shm
+inherits ipc
+{
+ lock
+}
+class security
+{
+ compute_av
+ compute_create
+ compute_member
+ check_context
+ load_policy
+ compute_relabel
+ compute_user
+ setenforce # was avc_toggle in system class
+ setbool
+ setsecparam
+ setcheckreqprot
+}
+class system
+{
+ ipc_info
+ syslog_read
+ syslog_mod
+ syslog_console
+}
+class capability
+{
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+ mknod
+ lease
+ audit_write
+ audit_control
+}
+class passwd
+{
+ passwd # change another user passwd
+ chfn # change another user finger info
+ chsh # change another user shell
+ rootok # pam_rootok check (skip auth)
+ crontab # crontab on another user
+}
+class drawable
+{
+ create
+ destroy
+ draw
+ copy
+ getattr
+}
+class gc
+{
+ create
+ free
+ getattr
+ setattr
+}
+class window
+{
+ addchild
+ create
+ destroy
+ map
+ unmap
+ chstack
+ chproplist
+ chprop
+ listprop
+ getattr
+ setattr
+ setfocus
+ move
+ chselection
+ chparent
+ ctrllife
+ enumerate
+ transparent
+ mousemotion
+ clientcomevent
+ inputevent
+ drawevent
+ windowchangeevent
+ windowchangerequest
+ serverchangeevent
+ extensionevent
+}
+class font
+{
+ load
+ free
+ getattr
+ use
+}
+class colormap
+{
+ create
+ free
+ install
+ uninstall
+ list
+ read
+ store
+ getattr
+ setattr
+}
+class property
+{
+ create
+ free
+ read
+ write
+}
+class cursor
+{
+ create
+ createglyph
+ free
+ assign
+ setattr
+}
+class xclient
+{
+ kill
+}
+class xinput
+{
+ lookup
+ getattr
+ setattr
+ setfocus
+ warppointer
+ activegrab
+ passivegrab
+ ungrab
+ bell
+ mousemotion
+ relabelinput
+}
+class xserver
+{
+ screensaver
+ gethostlist
+ sethostlist
+ getfontpath
+ setfontpath
+ getattr
+ grab
+ ungrab
+}
+class xextension
+{
+ query
+ use
+}
+class pax
+{
+ pageexec # Paging based non-executable pages
+ emutramp # Emulate trampolines
+ mprotect # Restrict mprotect()
+ randmmap # Randomize mmap() base
+ randexec # Randomize ET_EXEC base
+ segmexec # Segmentation based non-executable pages
+}
+class netlink_route_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+class netlink_firewall_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+class netlink_tcpdiag_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+class netlink_nflog_socket
+inherits socket
+class netlink_xfrm_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+class netlink_selinux_socket
+inherits socket
+class netlink_audit_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+ nlmsg_relay
+ nlmsg_readpriv
+}
+class netlink_ip6fw_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+class netlink_dnrt_socket
+inherits socket
+class dbus
+{
+ acquire_svc
+ send_msg
+}
+class nscd
+{
+ getpwd
+ getgrp
+ gethost
+ getstat
+ admin
+ shmempwd
+ shmemgrp
+ shmemhost
+}
+class association
+{
+ sendto
+ recvfrom
+ setcontext
+}
+class netlink_kobject_uevent_socket
+inherits socket
+sensitivity s0;
+dominance { s0 }
+category c0; category c1; category c2; category c3;
+category c4; category c5; category c6; category c7;
+category c8; category c9; category c10; category c11;
+category c12; category c13; category c14; category c15;
+category c16; category c17; category c18; category c19;
+category c20; category c21; category c22; category c23;
+category c24; category c25; category c26; category c27;
+category c28; category c29; category c30; category c31;
+category c32; category c33; category c34; category c35;
+category c36; category c37; category c38; category c39;
+category c40; category c41; category c42; category c43;
+category c44; category c45; category c46; category c47;
+category c48; category c49; category c50; category c51;
+category c52; category c53; category c54; category c55;
+category c56; category c57; category c58; category c59;
+category c60; category c61; category c62; category c63;
+category c64; category c65; category c66; category c67;
+category c68; category c69; category c70; category c71;
+category c72; category c73; category c74; category c75;
+category c76; category c77; category c78; category c79;
+category c80; category c81; category c82; category c83;
+category c84; category c85; category c86; category c87;
+category c88; category c89; category c90; category c91;
+category c92; category c93; category c94; category c95;
+category c96; category c97; category c98; category c99;
+category c100; category c101; category c102; category c103;
+category c104; category c105; category c106; category c107;
+category c108; category c109; category c110; category c111;
+category c112; category c113; category c114; category c115;
+category c116; category c117; category c118; category c119;
+category c120; category c121; category c122; category c123;
+category c124; category c125; category c126; category c127;
+category c128; category c129; category c130; category c131;
+category c132; category c133; category c134; category c135;
+category c136; category c137; category c138; category c139;
+category c140; category c141; category c142; category c143;
+category c144; category c145; category c146; category c147;
+category c148; category c149; category c150; category c151;
+category c152; category c153; category c154; category c155;
+category c156; category c157; category c158; category c159;
+category c160; category c161; category c162; category c163;
+category c164; category c165; category c166; category c167;
+category c168; category c169; category c170; category c171;
+category c172; category c173; category c174; category c175;
+category c176; category c177; category c178; category c179;
+category c180; category c181; category c182; category c183;
+category c184; category c185; category c186; category c187;
+category c188; category c189; category c190; category c191;
+category c192; category c193; category c194; category c195;
+category c196; category c197; category c198; category c199;
+category c200; category c201; category c202; category c203;
+category c204; category c205; category c206; category c207;
+category c208; category c209; category c210; category c211;
+category c212; category c213; category c214; category c215;
+category c216; category c217; category c218; category c219;
+category c220; category c221; category c222; category c223;
+category c224; category c225; category c226; category c227;
+category c228; category c229; category c230; category c231;
+category c232; category c233; category c234; category c235;
+category c236; category c237; category c238; category c239;
+category c240; category c241; category c242; category c243;
+category c244; category c245; category c246; category c247;
+category c248; category c249; category c250; category c251;
+category c252; category c253; category c254; category c255;
+level s0:c0.c255;
+mlsconstrain file { write setattr append unlink link rename
+ ioctl lock execute relabelfrom } (h1 dom h2);
+mlsconstrain file { create relabelto } ((h1 dom h2) and (l2 eq h2));
+mlsconstrain file { read } ((h1 dom h2) or ( t2 == domain ) or ( t1 == mlsfileread ));
+mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
+ ( h1 dom h2 );
+mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
+ (( h1 dom h2 ) and ( l2 eq h2 ));
+mlsconstrain process { ptrace } ( h1 dom h2 );
+mlsconstrain process { sigkill sigstop } ( h1 dom h2 ) or
+ ( t1 == mcskillall );
+mlsconstrain xextension query ( t1 == mlsfileread );
+attribute netif_type;
+attribute node_type;
+attribute port_type;
+attribute reserved_port_type;
+attribute device_node;
+attribute memory_raw_read;
+attribute memory_raw_write;
+attribute domain;
+attribute unconfined_domain_type;
+attribute set_curr_context;
+attribute entry_type;
+attribute privfd;
+attribute can_change_process_identity;
+attribute can_change_process_role;
+attribute can_change_object_identity;
+attribute can_system_change;
+attribute process_user_target;
+attribute cron_source_domain;
+attribute cron_job_domain;
+attribute process_uncond_exempt; # add userhelperdomain to this one
+attribute file_type;
+attribute lockfile;
+attribute mountpoint;
+attribute pidfile;
+attribute polydir;
+attribute usercanread;
+attribute polyparent;
+attribute polymember;
+attribute security_file_type;
+attribute tmpfile;
+attribute tmpfsfile;
+attribute filesystem_type;
+attribute noxattrfs;
+attribute can_load_kernmodule;
+attribute can_receive_kernel_messages;
+attribute kern_unconfined;
+attribute proc_type;
+attribute sysctl_type;
+attribute mcskillall;
+attribute mlsfileread;
+attribute mlsfilereadtoclr;
+attribute mlsfilewrite;
+attribute mlsfilewritetoclr;
+attribute mlsfileupgrade;
+attribute mlsfiledowngrade;
+attribute mlsnetread;
+attribute mlsnetreadtoclr;
+attribute mlsnetwrite;
+attribute mlsnetwritetoclr;
+attribute mlsnetupgrade;
+attribute mlsnetdowngrade;
+attribute mlsnetrecvall;
+attribute mlsipcread;
+attribute mlsipcreadtoclr;
+attribute mlsipcwrite;
+attribute mlsipcwritetoclr;
+attribute mlsprocread;
+attribute mlsprocreadtoclr;
+attribute mlsprocwrite;
+attribute mlsprocwritetoclr;
+attribute mlsprocsetsl;
+attribute mlsxwinread;
+attribute mlsxwinreadtoclr;
+attribute mlsxwinwrite;
+attribute mlsxwinwritetoclr;
+attribute mlsxwinreadproperty;
+attribute mlsxwinwriteproperty;
+attribute mlsxwinreadcolormap;
+attribute mlsxwinwritecolormap;
+attribute mlsxwinwritexinput;
+attribute mlstrustedobject;
+attribute privrangetrans;
+attribute mlsrangetrans;
+attribute can_load_policy;
+attribute can_setenforce;
+attribute can_setsecparam;
+attribute ttynode;
+attribute ptynode;
+attribute server_ptynode;
+attribute serial_device;
+type bin_t;
+type sbin_t;
+type ls_exec_t;
+type shell_exec_t;
+type chroot_exec_t;
+type ppp_device_t;
+type tun_tap_device_t;
+type port_t, port_type;
+type reserved_port_t, port_type, reserved_port_type;
+type afs_bos_port_t, port_type;
+type afs_fs_port_t, port_type;
+type afs_ka_port_t, port_type;
+type afs_pt_port_t, port_type;
+type afs_vl_port_t, port_type;
+type amanda_port_t, port_type;
+type amavisd_recv_port_t, port_type;
+type amavisd_send_port_t, port_type;
+type asterisk_port_t, port_type;
+type auth_port_t, port_type;
+type bgp_port_t, port_type;
+type biff_port_t, port_type, reserved_port_type;
+type clamd_port_t, port_type;
+type clockspeed_port_t, port_type;
+type comsat_port_t, port_type;
+type cvs_port_t, port_type;
+type dcc_port_t, port_type;
+type dbskkd_port_t, port_type;
+type dhcpc_port_t, port_type;
+type dhcpd_port_t, port_type;
+type dict_port_t, port_type;
+type distccd_port_t, port_type;
+type dns_port_t, port_type;
+type fingerd_port_t, port_type;
+type ftp_data_port_t, port_type;
+type ftp_port_t, port_type;
+type gatekeeper_port_t, port_type;
+type giftd_port_t, port_type;
+type gopher_port_t, port_type;
+type http_cache_port_t, port_type;
+type http_port_t, port_type;
+type howl_port_t, port_type;
+type hplip_port_t, port_type;
+type i18n_input_port_t, port_type;
+type imaze_port_t, port_type;
+type inetd_child_port_t, port_type;
+type innd_port_t, port_type;
+type ipp_port_t, port_type;
+type ircd_port_t, port_type;
+type isakmp_port_t, port_type;
+type jabber_client_port_t, port_type;
+type jabber_interserver_port_t, port_type;
+type kerberos_admin_port_t, port_type;
+type kerberos_master_port_t, port_type;
+type kerberos_port_t, port_type;
+type ktalkd_port_t, port_type;
+type ldap_port_t, port_type;
+type lrrd_port_t, port_type;
+type mail_port_t, port_type;
+type monopd_port_t, port_type;
+type mysqld_port_t, port_type;
+type nessus_port_t, port_type;
+type nmbd_port_t, port_type;
+type ntp_port_t, port_type;
+type openvpn_port_t, port_type;
+type pegasus_http_port_t, port_type;
+type pegasus_https_port_t, port_type;
+type pop_port_t, port_type;
+type portmap_port_t, port_type;
+type postgresql_port_t, port_type;
+type postgrey_port_t, port_type;
+type printer_port_t, port_type;
+type ptal_port_t, port_type;
+type pxe_port_t, port_type;
+type pyzor_port_t, port_type;
+type radacct_port_t, port_type;
+type radius_port_t, port_type;
+type razor_port_t, port_type;
+type rlogind_port_t, port_type;
+type rndc_port_t, port_type;
+type router_port_t, port_type;
+type rsh_port_t, port_type;
+type rsync_port_t, port_type;
+type smbd_port_t, port_type;
+type smtp_port_t, port_type;
+type snmp_port_t, port_type;
+type spamd_port_t, port_type;
+type ssh_port_t, port_type;
+type soundd_port_t, port_type;
+type socks_port_t, port_type; type stunnel_port_t, port_type;
+type swat_port_t, port_type;
+type syslogd_port_t, port_type;
+type telnetd_port_t, port_type;
+type tftp_port_t, port_type;
+type transproxy_port_t, port_type;
+type utcpserver_port_t, port_type;
+type uucpd_port_t, port_type;
+type vnc_port_t, port_type;
+type xserver_port_t, port_type;
+type xen_port_t, port_type;
+type zebra_port_t, port_type;
+type zope_port_t, port_type;
+type node_t, node_type;
+type compat_ipv4_node_t alias node_compat_ipv4_t, node_type;
+type inaddr_any_node_t alias node_inaddr_any_t, node_type;
+type node_internal_t, node_type;
+type link_local_node_t alias node_link_local_t, node_type;
+type lo_node_t alias node_lo_t, node_type;
+type mapped_ipv4_node_t alias node_mapped_ipv4_t, node_type;
+type multicast_node_t alias node_multicast_t, node_type;
+type site_local_node_t alias node_site_local_t, node_type;
+type unspec_node_t alias node_unspec_t, node_type;
+type netif_t, netif_type;
+type device_t;
+type agp_device_t;
+type apm_bios_t;
+type cardmgr_dev_t;
+type clock_device_t;
+type cpu_device_t;
+type crypt_device_t;
+type dri_device_t;
+type event_device_t;
+type framebuf_device_t;
+type lvm_control_t;
+type memory_device_t;
+type misc_device_t;
+type mouse_device_t;
+type mtrr_device_t;
+type null_device_t;
+type power_device_t;
+type printer_device_t;
+type random_device_t;
+type scanner_device_t;
+type sound_device_t;
+type sysfs_t;
+type urandom_device_t;
+type usbfs_t alias usbdevfs_t;
+type usb_device_t;
+type v4l_device_t;
+type xserver_misc_device_t;
+type zero_device_t;
+type xconsole_device_t;
+type devfs_control_t;
+type boot_t;
+type default_t, file_type, mountpoint;
+type etc_t, file_type;
+type etc_runtime_t, file_type;
+type file_t, file_type, mountpoint;
+type home_root_t, file_type, mountpoint;
+type lost_found_t, file_type;
+type mnt_t, file_type, mountpoint;
+type modules_object_t;
+type no_access_t, file_type;
+type poly_t, file_type;
+type readable_t, file_type;
+type root_t, file_type, mountpoint;
+type src_t, file_type, mountpoint;
+type system_map_t;
+type tmp_t, mountpoint; #, polydir
+type usr_t, file_type, mountpoint;
+type var_t, file_type, mountpoint;
+type var_lib_t, file_type, mountpoint;
+type var_lock_t, file_type, lockfile;
+type var_run_t, file_type, pidfile;
+type var_spool_t;
+type fs_t;
+type bdev_t;
+type binfmt_misc_fs_t;
+type capifs_t;
+type configfs_t;
+type eventpollfs_t;
+type futexfs_t;
+type hugetlbfs_t;
+type inotifyfs_t;
+type nfsd_fs_t;
+type ramfs_t;
+type romfs_t;
+type rpc_pipefs_t;
+type tmpfs_t;
+type autofs_t, noxattrfs;
+type cifs_t alias sambafs_t, noxattrfs;
+type dosfs_t, noxattrfs;
+type iso9660_t, filesystem_type, noxattrfs;
+type removable_t, noxattrfs;
+type nfs_t, filesystem_type, noxattrfs;
+type kernel_t, can_load_kernmodule;
+type debugfs_t;
+type proc_t, proc_type;
+type proc_kmsg_t, proc_type;
+type proc_kcore_t, proc_type;
+type proc_mdstat_t, proc_type;
+type proc_net_t, proc_type;
+type proc_xen_t, proc_type;
+type sysctl_t, sysctl_type;
+type sysctl_irq_t, sysctl_type;
+type sysctl_rpc_t, sysctl_type;
+type sysctl_fs_t, sysctl_type;
+type sysctl_kernel_t, sysctl_type;
+type sysctl_modprobe_t, sysctl_type;
+type sysctl_hotplug_t, sysctl_type;
+type sysctl_net_t, sysctl_type;
+type sysctl_net_unix_t, sysctl_type;
+type sysctl_vm_t, sysctl_type;
+type sysctl_dev_t, sysctl_type;
+type unlabeled_t;
+type auditd_exec_t;
+type crond_exec_t;
+type cupsd_exec_t;
+type getty_t;
+type init_t;
+type init_exec_t;
+type initrc_t;
+type initrc_exec_t;
+type login_exec_t;
+type sshd_exec_t;
+type su_exec_t;
+type udev_exec_t;
+type unconfined_t;
+type xdm_exec_t;
+type lvm_exec_t;
+type security_t;
+type bsdpty_device_t;
+type console_device_t;
+type devpts_t;
+type devtty_t;
+type ptmx_t;
+type tty_device_t, serial_device;
+type usbtty_device_t, serial_device;
+ bool secure_mode false;
+ bool secure_mode_insmod false;
+ bool secure_mode_policyload false;
+ bool allow_cvs_read_shadow false;
+ bool allow_execheap false;
+ bool allow_execmem true;
+ bool allow_execmod false;
+ bool allow_execstack true;
+ bool allow_ftpd_anon_write false;
+ bool allow_gssd_read_tmp true;
+ bool allow_httpd_anon_write false;
+ bool allow_java_execstack false;
+ bool allow_kerberos true;
+ bool allow_rsync_anon_write false;
+ bool allow_saslauthd_read_shadow false;
+ bool allow_smbd_anon_write false;
+ bool allow_ptrace false;
+ bool allow_ypbind false;
+ bool fcron_crond false;
+ bool ftp_home_dir false;
+ bool ftpd_is_daemon true;
+ bool httpd_builtin_scripting true;
+ bool httpd_can_network_connect false;
+ bool httpd_can_network_connect_db false;
+ bool httpd_can_network_relay false;
+ bool httpd_enable_cgi true;
+ bool httpd_enable_ftp_server false;
+ bool httpd_enable_homedirs true;
+ bool httpd_ssi_exec true;
+ bool httpd_tty_comm false;
+ bool httpd_unified true;
+ bool named_write_master_zones false;
+ bool nfs_export_all_rw true;
+ bool nfs_export_all_ro true;
+ bool pppd_can_insmod false;
+ bool read_default_t true;
+ bool run_ssh_inetd false;
+ bool samba_enable_home_dirs false;
+ bool spamassasin_can_network false;
+ bool squid_connect_any false;
+ bool ssh_sysadm_login false;
+ bool stunnel_is_daemon false;
+ bool use_nfs_home_dirs false;
+ bool use_samba_home_dirs false;
+ bool user_ping true;
+ bool spamd_enable_home_dirs true;
+ allow bin_t fs_t:filesystem associate;
+ allow bin_t noxattrfs:filesystem associate;
+ typeattribute bin_t file_type;
+ allow sbin_t fs_t:filesystem associate;
+ allow sbin_t noxattrfs:filesystem associate;
+ typeattribute sbin_t file_type;
+ allow ls_exec_t fs_t:filesystem associate;
+ allow ls_exec_t noxattrfs:filesystem associate;
+ typeattribute ls_exec_t file_type;
+typeattribute ls_exec_t entry_type;
+ allow shell_exec_t fs_t:filesystem associate;
+ allow shell_exec_t noxattrfs:filesystem associate;
+ typeattribute shell_exec_t file_type;
+ allow chroot_exec_t fs_t:filesystem associate;
+ allow chroot_exec_t noxattrfs:filesystem associate;
+ typeattribute chroot_exec_t file_type;
+ typeattribute ppp_device_t device_node;
+ allow ppp_device_t fs_t:filesystem associate;
+ allow ppp_device_t tmpfs_t:filesystem associate;
+ allow ppp_device_t tmp_t:filesystem associate;
+ typeattribute tun_tap_device_t device_node;
+ allow tun_tap_device_t fs_t:filesystem associate;
+ allow tun_tap_device_t tmpfs_t:filesystem associate;
+ allow tun_tap_device_t tmp_t:filesystem associate;
+typeattribute auth_port_t reserved_port_type;
+typeattribute bgp_port_t reserved_port_type;
+typeattribute bgp_port_t reserved_port_type;
+typeattribute comsat_port_t reserved_port_type;
+typeattribute dhcpc_port_t reserved_port_type;
+typeattribute dhcpd_port_t reserved_port_type;
+typeattribute dhcpd_port_t reserved_port_type;
+typeattribute dhcpd_port_t reserved_port_type;
+typeattribute dhcpd_port_t reserved_port_type;
+typeattribute dhcpd_port_t reserved_port_type;
+typeattribute dns_port_t reserved_port_type;
+typeattribute dns_port_t reserved_port_type;
+typeattribute fingerd_port_t reserved_port_type;
+typeattribute ftp_data_port_t reserved_port_type;
+typeattribute ftp_port_t reserved_port_type;
+typeattribute gopher_port_t reserved_port_type;
+typeattribute gopher_port_t reserved_port_type;
+typeattribute http_port_t reserved_port_type;
+typeattribute http_port_t reserved_port_type;
+typeattribute http_port_t reserved_port_type;
+typeattribute inetd_child_port_t reserved_port_type;
+typeattribute inetd_child_port_t reserved_port_type;
+typeattribute inetd_child_port_t reserved_port_type;
+typeattribute inetd_child_port_t reserved_port_type;
+typeattribute inetd_child_port_t reserved_port_type;
+typeattribute inetd_child_port_t reserved_port_type;
+typeattribute inetd_child_port_t reserved_port_type;
+typeattribute inetd_child_port_t reserved_port_type;
+typeattribute inetd_child_port_t reserved_port_type;
+typeattribute inetd_child_port_t reserved_port_type;
+typeattribute inetd_child_port_t reserved_port_type;
+typeattribute inetd_child_port_t reserved_port_type;
+typeattribute inetd_child_port_t reserved_port_type;
+typeattribute inetd_child_port_t reserved_port_type;
+typeattribute inetd_child_port_t reserved_port_type;
+typeattribute inetd_child_port_t reserved_port_type;
+typeattribute inetd_child_port_t reserved_port_type;
+typeattribute innd_port_t reserved_port_type;
+typeattribute ipp_port_t reserved_port_type;
+typeattribute ipp_port_t reserved_port_type;
+typeattribute isakmp_port_t reserved_port_type;
+typeattribute kerberos_admin_port_t reserved_port_type;
+typeattribute kerberos_admin_port_t reserved_port_type;
+typeattribute kerberos_admin_port_t reserved_port_type;
+typeattribute kerberos_port_t reserved_port_type;
+typeattribute kerberos_port_t reserved_port_type;
+typeattribute kerberos_port_t reserved_port_type;
+typeattribute kerberos_port_t reserved_port_type;
+typeattribute ktalkd_port_t reserved_port_type;
+typeattribute ktalkd_port_t reserved_port_type;
+typeattribute ldap_port_t reserved_port_type;
+typeattribute ldap_port_t reserved_port_type;
+typeattribute ldap_port_t reserved_port_type;
+typeattribute ldap_port_t reserved_port_type;
+typeattribute nmbd_port_t reserved_port_type;
+typeattribute nmbd_port_t reserved_port_type;
+typeattribute nmbd_port_t reserved_port_type;
+typeattribute ntp_port_t reserved_port_type;
+typeattribute pop_port_t reserved_port_type;
+typeattribute pop_port_t reserved_port_type;
+typeattribute pop_port_t reserved_port_type;
+typeattribute pop_port_t reserved_port_type;
+typeattribute pop_port_t reserved_port_type;
+typeattribute pop_port_t reserved_port_type;
+typeattribute pop_port_t reserved_port_type;
+typeattribute portmap_port_t reserved_port_type;
+typeattribute portmap_port_t reserved_port_type;
+typeattribute printer_port_t reserved_port_type;
+typeattribute rlogind_port_t reserved_port_type;
+typeattribute rndc_port_t reserved_port_type;
+typeattribute router_port_t reserved_port_type;
+typeattribute rsh_port_t reserved_port_type;
+typeattribute rsync_port_t reserved_port_type;
+typeattribute rsync_port_t reserved_port_type;
+typeattribute smbd_port_t reserved_port_type;
+typeattribute smbd_port_t reserved_port_type;
+typeattribute smtp_port_t reserved_port_type;
+typeattribute smtp_port_t reserved_port_type;
+typeattribute smtp_port_t reserved_port_type;
+typeattribute snmp_port_t reserved_port_type;
+typeattribute snmp_port_t reserved_port_type;
+typeattribute snmp_port_t reserved_port_type;
+typeattribute spamd_port_t reserved_port_type;
+typeattribute ssh_port_t reserved_port_type;
+typeattribute swat_port_t reserved_port_type;
+typeattribute syslogd_port_t reserved_port_type;
+typeattribute telnetd_port_t reserved_port_type;
+typeattribute tftp_port_t reserved_port_type;
+typeattribute uucpd_port_t reserved_port_type;
+ allow device_t tmpfs_t:filesystem associate;
+ allow device_t fs_t:filesystem associate;
+ allow device_t noxattrfs:filesystem associate;
+ typeattribute device_t file_type;
+ allow device_t fs_t:filesystem associate;
+ allow device_t noxattrfs:filesystem associate;
+ typeattribute device_t file_type;
+ typeattribute device_t mountpoint;
+ allow device_t tmp_t:filesystem associate;
+ typeattribute agp_device_t device_node;
+ allow agp_device_t fs_t:filesystem associate;
+ allow agp_device_t tmpfs_t:filesystem associate;
+ allow agp_device_t tmp_t:filesystem associate;
+ typeattribute apm_bios_t device_node;
+ allow apm_bios_t fs_t:filesystem associate;
+ allow apm_bios_t tmpfs_t:filesystem associate;
+ allow apm_bios_t tmp_t:filesystem associate;
+ typeattribute cardmgr_dev_t device_node;
+ allow cardmgr_dev_t fs_t:filesystem associate;
+ allow cardmgr_dev_t tmpfs_t:filesystem associate;
+ allow cardmgr_dev_t tmp_t:filesystem associate;
+ allow cardmgr_dev_t fs_t:filesystem associate;
+ allow cardmgr_dev_t noxattrfs:filesystem associate;
+ typeattribute cardmgr_dev_t file_type;
+ allow cardmgr_dev_t fs_t:filesystem associate;
+ allow cardmgr_dev_t noxattrfs:filesystem associate;
+ typeattribute cardmgr_dev_t file_type;
+ typeattribute cardmgr_dev_t polymember;
+ allow cardmgr_dev_t tmpfs_t:filesystem associate;
+ typeattribute cardmgr_dev_t tmpfile;
+ allow cardmgr_dev_t tmp_t:filesystem associate;
+ typeattribute clock_device_t device_node;
+ allow clock_device_t fs_t:filesystem associate;
+ allow clock_device_t tmpfs_t:filesystem associate;
+ allow clock_device_t tmp_t:filesystem associate;
+ typeattribute cpu_device_t device_node;
+ allow cpu_device_t fs_t:filesystem associate;
+ allow cpu_device_t tmpfs_t:filesystem associate;
+ allow cpu_device_t tmp_t:filesystem associate;
+ typeattribute crypt_device_t device_node;
+ allow crypt_device_t fs_t:filesystem associate;
+ allow crypt_device_t tmpfs_t:filesystem associate;
+ allow crypt_device_t tmp_t:filesystem associate;
+ typeattribute dri_device_t device_node;
+ allow dri_device_t fs_t:filesystem associate;
+ allow dri_device_t tmpfs_t:filesystem associate;
+ allow dri_device_t tmp_t:filesystem associate;
+ typeattribute event_device_t device_node;
+ allow event_device_t fs_t:filesystem associate;
+ allow event_device_t tmpfs_t:filesystem associate;
+ allow event_device_t tmp_t:filesystem associate;
+ typeattribute framebuf_device_t device_node;
+ allow framebuf_device_t fs_t:filesystem associate;
+ allow framebuf_device_t tmpfs_t:filesystem associate;
+ allow framebuf_device_t tmp_t:filesystem associate;
+ typeattribute lvm_control_t device_node;
+ allow lvm_control_t fs_t:filesystem associate;
+ allow lvm_control_t tmpfs_t:filesystem associate;
+ allow lvm_control_t tmp_t:filesystem associate;
+ typeattribute memory_device_t device_node;
+ allow memory_device_t fs_t:filesystem associate;
+ allow memory_device_t tmpfs_t:filesystem associate;
+ allow memory_device_t tmp_t:filesystem associate;
+neverallow ~memory_raw_read memory_device_t:{ chr_file blk_file } read;
+neverallow ~memory_raw_write memory_device_t:{ chr_file blk_file } { append write };
+ typeattribute misc_device_t device_node;
+ allow misc_device_t fs_t:filesystem associate;
+ allow misc_device_t tmpfs_t:filesystem associate;
+ allow misc_device_t tmp_t:filesystem associate;
+ typeattribute mouse_device_t device_node;
+ allow mouse_device_t fs_t:filesystem associate;
+ allow mouse_device_t tmpfs_t:filesystem associate;
+ allow mouse_device_t tmp_t:filesystem associate;
+ typeattribute mtrr_device_t device_node;
+ allow mtrr_device_t fs_t:filesystem associate;
+ allow mtrr_device_t tmpfs_t:filesystem associate;
+ allow mtrr_device_t tmp_t:filesystem associate;
+ typeattribute null_device_t device_node;
+ allow null_device_t fs_t:filesystem associate;
+ allow null_device_t tmpfs_t:filesystem associate;
+ allow null_device_t tmp_t:filesystem associate;
+ typeattribute null_device_t mlstrustedobject;
+ typeattribute power_device_t device_node;
+ allow power_device_t fs_t:filesystem associate;
+ allow power_device_t tmpfs_t:filesystem associate;
+ allow power_device_t tmp_t:filesystem associate;
+ typeattribute printer_device_t device_node;
+ allow printer_device_t fs_t:filesystem associate;
+ allow printer_device_t tmpfs_t:filesystem associate;
+ allow printer_device_t tmp_t:filesystem associate;
+ typeattribute random_device_t device_node;
+ allow random_device_t fs_t:filesystem associate;
+ allow random_device_t tmpfs_t:filesystem associate;
+ allow random_device_t tmp_t:filesystem associate;
+ typeattribute scanner_device_t device_node;
+ allow scanner_device_t fs_t:filesystem associate;
+ allow scanner_device_t tmpfs_t:filesystem associate;
+ allow scanner_device_t tmp_t:filesystem associate;
+ typeattribute sound_device_t device_node;
+ allow sound_device_t fs_t:filesystem associate;
+ allow sound_device_t tmpfs_t:filesystem associate;
+ allow sound_device_t tmp_t:filesystem associate;
+ allow sysfs_t fs_t:filesystem associate;
+ allow sysfs_t noxattrfs:filesystem associate;
+ typeattribute sysfs_t file_type;
+ typeattribute sysfs_t mountpoint;
+ typeattribute sysfs_t filesystem_type;
+ allow sysfs_t self:filesystem associate;
+ typeattribute urandom_device_t device_node;
+ allow urandom_device_t fs_t:filesystem associate;
+ allow urandom_device_t tmpfs_t:filesystem associate;
+ allow urandom_device_t tmp_t:filesystem associate;
+ allow usbfs_t fs_t:filesystem associate;
+ allow usbfs_t noxattrfs:filesystem associate;
+ typeattribute usbfs_t file_type;
+ typeattribute usbfs_t mountpoint;
+ typeattribute usbfs_t filesystem_type;
+ allow usbfs_t self:filesystem associate;
+ typeattribute usbfs_t noxattrfs;
+ typeattribute usb_device_t device_node;
+ allow usb_device_t fs_t:filesystem associate;
+ allow usb_device_t tmpfs_t:filesystem associate;
+ allow usb_device_t tmp_t:filesystem associate;
+ typeattribute v4l_device_t device_node;
+ allow v4l_device_t fs_t:filesystem associate;
+ allow v4l_device_t tmpfs_t:filesystem associate;
+ allow v4l_device_t tmp_t:filesystem associate;
+ typeattribute xserver_misc_device_t device_node;
+ allow xserver_misc_device_t fs_t:filesystem associate;
+ allow xserver_misc_device_t tmpfs_t:filesystem associate;
+ allow xserver_misc_device_t tmp_t:filesystem associate;
+ typeattribute zero_device_t device_node;
+ allow zero_device_t fs_t:filesystem associate;
+ allow zero_device_t tmpfs_t:filesystem associate;
+ allow zero_device_t tmp_t:filesystem associate;
+ typeattribute zero_device_t mlstrustedobject;
+ allow xconsole_device_t fs_t:filesystem associate;
+ allow xconsole_device_t noxattrfs:filesystem associate;
+ typeattribute xconsole_device_t file_type;
+ allow xconsole_device_t tmpfs_t:filesystem associate;
+ allow xconsole_device_t tmp_t:filesystem associate;
+ typeattribute devfs_control_t device_node;
+ allow devfs_control_t fs_t:filesystem associate;
+ allow devfs_control_t tmpfs_t:filesystem associate;
+ allow devfs_control_t tmp_t:filesystem associate;
+neverallow domain ~domain:process { transition dyntransition };
+neverallow { domain -set_curr_context } self:process setcurrent;
+neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *;
+neverallow ~{ domain unlabeled_t } *:process *;
+allow file_type self:filesystem associate;
+ allow boot_t fs_t:filesystem associate;
+ allow boot_t noxattrfs:filesystem associate;
+ typeattribute boot_t file_type;
+ allow boot_t fs_t:filesystem associate;
+ allow boot_t noxattrfs:filesystem associate;
+ typeattribute boot_t file_type;
+ typeattribute boot_t mountpoint;
+ allow default_t fs_t:filesystem associate;
+ allow default_t noxattrfs:filesystem associate;
+ allow etc_t fs_t:filesystem associate;
+ allow etc_t noxattrfs:filesystem associate;
+ allow etc_runtime_t fs_t:filesystem associate;
+ allow etc_runtime_t noxattrfs:filesystem associate;
+ allow file_t fs_t:filesystem associate;
+ allow file_t noxattrfs:filesystem associate;
+ allow kernel_t file_t:dir mounton;
+ allow home_root_t fs_t:filesystem associate;
+ allow home_root_t noxattrfs:filesystem associate;
+ allow home_root_t fs_t:filesystem associate;
+ allow home_root_t noxattrfs:filesystem associate;
+ typeattribute home_root_t file_type;
+ typeattribute home_root_t polyparent;
+ allow lost_found_t fs_t:filesystem associate;
+ allow lost_found_t noxattrfs:filesystem associate;
+ allow mnt_t fs_t:filesystem associate;
+ allow mnt_t noxattrfs:filesystem associate;
+ allow modules_object_t fs_t:filesystem associate;
+ allow modules_object_t noxattrfs:filesystem associate;
+ typeattribute modules_object_t file_type;
+ allow no_access_t fs_t:filesystem associate;
+ allow no_access_t noxattrfs:filesystem associate;
+ allow poly_t fs_t:filesystem associate;
+ allow poly_t noxattrfs:filesystem associate;
+ allow readable_t fs_t:filesystem associate;
+ allow readable_t noxattrfs:filesystem associate;
+ allow root_t fs_t:filesystem associate;
+ allow root_t noxattrfs:filesystem associate;
+ allow root_t fs_t:filesystem associate;
+ allow root_t noxattrfs:filesystem associate;
+ typeattribute root_t file_type;
+ typeattribute root_t polyparent;
+ allow kernel_t root_t:dir mounton;
+ allow src_t fs_t:filesystem associate;
+ allow src_t noxattrfs:filesystem associate;
+ allow system_map_t fs_t:filesystem associate;
+ allow system_map_t noxattrfs:filesystem associate;
+ typeattribute system_map_t file_type;
+ allow tmp_t fs_t:filesystem associate;
+ allow tmp_t noxattrfs:filesystem associate;
+ typeattribute tmp_t file_type;
+ allow tmp_t fs_t:filesystem associate;
+ allow tmp_t noxattrfs:filesystem associate;
+ typeattribute tmp_t file_type;
+ typeattribute tmp_t polymember;
+ allow tmp_t tmpfs_t:filesystem associate;
+ typeattribute tmp_t tmpfile;
+ allow tmp_t tmp_t:filesystem associate;
+ allow tmp_t fs_t:filesystem associate;
+ allow tmp_t noxattrfs:filesystem associate;
+ typeattribute tmp_t file_type;
+ typeattribute tmp_t polyparent;
+ allow usr_t fs_t:filesystem associate;
+ allow usr_t noxattrfs:filesystem associate;
+ allow var_t fs_t:filesystem associate;
+ allow var_t noxattrfs:filesystem associate;
+ allow var_lib_t fs_t:filesystem associate;
+ allow var_lib_t noxattrfs:filesystem associate;
+ allow var_lock_t fs_t:filesystem associate;
+ allow var_lock_t noxattrfs:filesystem associate;
+ allow var_run_t fs_t:filesystem associate;
+ allow var_run_t noxattrfs:filesystem associate;
+ allow var_spool_t fs_t:filesystem associate;
+ allow var_spool_t noxattrfs:filesystem associate;
+ typeattribute var_spool_t file_type;
+ allow var_spool_t fs_t:filesystem associate;
+ allow var_spool_t noxattrfs:filesystem associate;
+ typeattribute var_spool_t file_type;
+ typeattribute var_spool_t polymember;
+ allow var_spool_t tmpfs_t:filesystem associate;
+ typeattribute var_spool_t tmpfile;
+ allow var_spool_t tmp_t:filesystem associate;
+ typeattribute fs_t filesystem_type;
+ allow fs_t self:filesystem associate;
+ typeattribute bdev_t filesystem_type;
+ allow bdev_t self:filesystem associate;
+ typeattribute binfmt_misc_fs_t filesystem_type;
+ allow binfmt_misc_fs_t self:filesystem associate;
+ allow binfmt_misc_fs_t fs_t:filesystem associate;
+ allow binfmt_misc_fs_t noxattrfs:filesystem associate;
+ typeattribute binfmt_misc_fs_t file_type;
+ typeattribute binfmt_misc_fs_t mountpoint;
+ typeattribute capifs_t filesystem_type;
+ allow capifs_t self:filesystem associate;
+ typeattribute configfs_t filesystem_type;
+ allow configfs_t self:filesystem associate;
+ typeattribute eventpollfs_t filesystem_type;
+ allow eventpollfs_t self:filesystem associate;
+ typeattribute futexfs_t filesystem_type;
+ allow futexfs_t self:filesystem associate;
+ typeattribute hugetlbfs_t filesystem_type;
+ allow hugetlbfs_t self:filesystem associate;
+ allow hugetlbfs_t fs_t:filesystem associate;
+ allow hugetlbfs_t noxattrfs:filesystem associate;
+ typeattribute hugetlbfs_t file_type;
+ typeattribute hugetlbfs_t mountpoint;
+ typeattribute inotifyfs_t filesystem_type;
+ allow inotifyfs_t self:filesystem associate;
+ typeattribute nfsd_fs_t filesystem_type;
+ allow nfsd_fs_t self:filesystem associate;
+ typeattribute ramfs_t filesystem_type;
+ allow ramfs_t self:filesystem associate;
+ typeattribute romfs_t filesystem_type;
+ allow romfs_t self:filesystem associate;
+ typeattribute rpc_pipefs_t filesystem_type;
+ allow rpc_pipefs_t self:filesystem associate;
+ typeattribute tmpfs_t filesystem_type;
+ allow tmpfs_t self:filesystem associate;
+ allow tmpfs_t fs_t:filesystem associate;
+ allow tmpfs_t noxattrfs:filesystem associate;
+ typeattribute tmpfs_t file_type;
+ allow tmpfs_t fs_t:filesystem associate;
+ allow tmpfs_t noxattrfs:filesystem associate;
+ typeattribute tmpfs_t file_type;
+ typeattribute tmpfs_t mountpoint;
+allow tmpfs_t noxattrfs:filesystem associate;
+ typeattribute autofs_t filesystem_type;
+ allow autofs_t self:filesystem associate;
+ allow autofs_t fs_t:filesystem associate;
+ allow autofs_t noxattrfs:filesystem associate;
+ typeattribute autofs_t file_type;
+ typeattribute autofs_t mountpoint;
+ typeattribute cifs_t filesystem_type;
+ allow cifs_t self:filesystem associate;
+ typeattribute dosfs_t filesystem_type;
+ allow dosfs_t self:filesystem associate;
+allow dosfs_t fs_t:filesystem associate;
+ typeattribute iso9660_t filesystem_type;
+ allow iso9660_t self:filesystem associate;
+allow removable_t noxattrfs:filesystem associate;
+ typeattribute removable_t filesystem_type;
+ allow removable_t self:filesystem associate;
+ allow removable_t fs_t:filesystem associate;
+ allow removable_t noxattrfs:filesystem associate;
+ typeattribute removable_t file_type;
+ typeattribute removable_t usercanread;
+ typeattribute nfs_t filesystem_type;
+ allow nfs_t self:filesystem associate;
+ allow nfs_t fs_t:filesystem associate;
+ allow nfs_t noxattrfs:filesystem associate;
+ typeattribute nfs_t file_type;
+ typeattribute nfs_t mountpoint;
+neverallow ~can_load_kernmodule self:capability sys_module;
+role system_r;
+role sysadm_r;
+role staff_r;
+role user_r;
+ typeattribute kernel_t domain;
+ allow kernel_t self:dir { read getattr lock search ioctl };
+ allow kernel_t self:lnk_file { read getattr lock ioctl };
+ allow kernel_t self:file { getattr read write append ioctl lock };
+ allow kernel_t self:process { fork sigchld };
+ role secadm_r types kernel_t;
+ role sysadm_r types kernel_t;
+ role user_r types kernel_t;
+ role staff_r types kernel_t;
+ typeattribute kernel_t privrangetrans;
+role system_r types kernel_t;
+ typeattribute debugfs_t filesystem_type;
+ allow debugfs_t self:filesystem associate;
+allow debugfs_t self:filesystem associate;
+ allow proc_t fs_t:filesystem associate;
+ allow proc_t noxattrfs:filesystem associate;
+ typeattribute proc_t file_type;
+ typeattribute proc_t mountpoint;
+ typeattribute proc_t filesystem_type;
+ allow proc_t self:filesystem associate;
+neverallow ~can_receive_kernel_messages proc_kmsg_t:file ~getattr;
+neverallow { domain -kern_unconfined } proc_kcore_t:file ~getattr;
+ allow sysctl_t fs_t:filesystem associate;
+ allow sysctl_t noxattrfs:filesystem associate;
+ typeattribute sysctl_t file_type;
+ typeattribute sysctl_t mountpoint;
+ allow sysctl_fs_t fs_t:filesystem associate;
+ allow sysctl_fs_t noxattrfs:filesystem associate;
+ typeattribute sysctl_fs_t file_type;
+ typeattribute sysctl_fs_t mountpoint;
+allow kernel_t self:capability *;
+allow kernel_t unlabeled_t:dir mounton;
+allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow kernel_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
+allow kernel_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
+allow kernel_t self:msg { send receive };
+allow kernel_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow kernel_t self:unix_dgram_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } };
+allow kernel_t self:unix_stream_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } listen accept };
+allow kernel_t self:unix_dgram_socket sendto;
+allow kernel_t self:unix_stream_socket connectto;
+allow kernel_t self:fifo_file { getattr read write append ioctl lock };
+allow kernel_t self:sock_file { read getattr lock ioctl };
+allow kernel_t self:fd use;
+allow kernel_t proc_t:dir { read getattr lock search ioctl };
+allow kernel_t proc_t:{ lnk_file file } { read getattr lock ioctl };
+allow kernel_t proc_net_t:dir { read getattr lock search ioctl };
+allow kernel_t proc_net_t:file { read getattr lock ioctl };
+allow kernel_t proc_mdstat_t:file { read getattr lock ioctl };
+allow kernel_t proc_kcore_t:file getattr;
+allow kernel_t proc_kmsg_t:file getattr;
+allow kernel_t sysctl_t:dir { read getattr lock search ioctl };
+allow kernel_t sysctl_kernel_t:dir { read getattr lock search ioctl };
+allow kernel_t sysctl_kernel_t:file { read getattr lock ioctl };
+allow kernel_t unlabeled_t:fifo_file { getattr read write append ioctl lock };
+ allow kernel_t unlabeled_t:association { sendto recvfrom };
+ allow kernel_t netif_type:netif rawip_send;
+ allow kernel_t netif_type:netif rawip_recv;
+ allow kernel_t node_type:node rawip_send;
+ allow kernel_t node_type:node rawip_recv;
+ allow kernel_t netif_t:netif rawip_send;
+ allow kernel_t netif_type:netif { tcp_send tcp_recv };
+ allow kernel_t node_type:node { tcp_send tcp_recv };
+ allow kernel_t node_t:node rawip_send;
+ allow kernel_t multicast_node_t:node rawip_send;
+ allow kernel_t sysfs_t:dir { read getattr lock search ioctl };
+ allow kernel_t sysfs_t:{ file lnk_file } { read getattr lock ioctl };
+ allow kernel_t usbfs_t:dir search;
+ allow kernel_t filesystem_type:filesystem mount;
+ allow kernel_t security_t:dir { read search getattr };
+ allow kernel_t security_t:file { getattr read write };
+ typeattribute kernel_t can_load_policy;
+ if(!secure_mode_policyload) {
+ allow kernel_t security_t:security load_policy;
+ auditallow kernel_t security_t:security load_policy;
+ }
+ allow kernel_t device_t:dir { read getattr lock search ioctl };
+ allow kernel_t device_t:lnk_file { getattr read };
+ allow kernel_t console_device_t:chr_file { getattr read write append ioctl lock };
+ allow kernel_t bin_t:dir { read getattr lock search ioctl };
+ allow kernel_t bin_t:lnk_file { read getattr lock ioctl };
+ allow kernel_t shell_exec_t:file { { read getattr lock execute ioctl } execute_no_trans };
+ allow kernel_t sbin_t:dir { read getattr lock search ioctl };
+ allow kernel_t bin_t:dir { read getattr lock search ioctl };
+ allow kernel_t bin_t:lnk_file { read getattr lock ioctl };
+ allow kernel_t bin_t:file { { read getattr lock execute ioctl } execute_no_trans };
+ allow kernel_t domain:process signal;
+ allow kernel_t proc_t:dir search;
+ allow kernel_t domain:dir search;
+ allow kernel_t root_t:dir { read getattr lock search ioctl };
+ allow kernel_t root_t:lnk_file { read getattr lock ioctl };
+ allow kernel_t etc_t:dir { read getattr lock search ioctl };
+ allow kernel_t home_root_t:dir { read getattr lock search ioctl };
+ allow kernel_t usr_t:dir { read getattr lock search ioctl };
+ allow kernel_t usr_t:{ file lnk_file } { read getattr lock ioctl };
+ typeattribute kernel_t mlsprocread;
+ typeattribute kernel_t mlsprocwrite;
+ allow kernel_t self:capability *;
+ allow kernel_t self:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+ allow kernel_t self:process transition;
+ allow kernel_t self:file { getattr read write append ioctl lock };
+ allow kernel_t self:nscd *;
+ allow kernel_t self:dbus *;
+ allow kernel_t self:passwd *;
+ allow kernel_t proc_type:{ dir file } *;
+ allow kernel_t sysctl_t:{ dir file } *;
+ allow kernel_t kernel_t:system *;
+ allow kernel_t unlabeled_t:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;
+ allow kernel_t unlabeled_t:filesystem *;
+ allow kernel_t unlabeled_t:association *;
+ typeattribute kernel_t can_load_kernmodule, can_receive_kernel_messages;
+ typeattribute kernel_t kern_unconfined;
+ allow kernel_t { proc_t proc_net_t }:dir search;
+ allow kernel_t sysctl_type:dir { read getattr lock search ioctl };
+ allow kernel_t sysctl_type:file { { getattr read write append ioctl lock } setattr };
+ allow kernel_t node_type:node *;
+ allow kernel_t netif_type:netif *;
+ allow kernel_t port_type:tcp_socket { send_msg recv_msg name_connect };
+ allow kernel_t port_type:udp_socket { send_msg recv_msg };
+ allow kernel_t port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
+ allow kernel_t node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
+ allow kernel_t unlabeled_t:association { sendto recvfrom };
+ allow kernel_t device_node:{ chr_file blk_file } *;
+ allow kernel_t mtrr_device_t:{ dir file } *;
+ allow kernel_t self:capability sys_rawio;
+ typeattribute kernel_t memory_raw_write, memory_raw_read;
+ typeattribute kernel_t unconfined_domain_type;
+ typeattribute kernel_t can_change_process_identity;
+ typeattribute kernel_t can_change_process_role;
+ typeattribute kernel_t can_change_object_identity;
+ typeattribute kernel_t set_curr_context;
+ allow kernel_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket } socket key_socket } *;
+ allow kernel_t domain:fd use;
+ allow kernel_t domain:fifo_file { getattr read write append ioctl lock };
+ allow kernel_t domain:process ~{ transition dyntransition execmem execstack execheap };
+ allow kernel_t domain:{ sem msgq shm } *;
+ allow kernel_t domain:msg { send receive };
+ allow kernel_t domain:dir { read getattr lock search ioctl };
+ allow kernel_t domain:file { read getattr lock ioctl };
+ allow kernel_t domain:lnk_file { read getattr lock ioctl };
+ dontaudit kernel_t domain:dir { read getattr lock search ioctl };
+ dontaudit kernel_t domain:lnk_file { read getattr lock ioctl };
+ dontaudit kernel_t domain:file { read getattr lock ioctl };
+ dontaudit kernel_t domain:sock_file { read getattr lock ioctl };
+ dontaudit kernel_t domain:fifo_file { read getattr lock ioctl };
+ allow kernel_t file_type:{ file chr_file } ~execmod;
+ allow kernel_t file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
+ allow kernel_t file_type:filesystem *;
+ allow kernel_t file_type:{ unix_stream_socket unix_dgram_socket } name_bind;
+ if (allow_execmod) {
+ allow kernel_t file_type:file execmod;
+ }
+ allow kernel_t filesystem_type:filesystem *;
+ allow kernel_t filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;
+ allow kernel_t security_t:dir { getattr search read };
+ allow kernel_t security_t:file { getattr read write };
+ typeattribute kernel_t can_load_policy, can_setenforce, can_setsecparam;
+ if(!secure_mode_policyload) {
+ allow kernel_t security_t:security *;
+ auditallow kernel_t security_t:security { load_policy setenforce setbool };
+ }
+ if (allow_execheap) {
+ allow kernel_t self:process execheap;
+ }
+ if (allow_execmem) {
+ allow kernel_t self:process execmem;
+ }
+ if (allow_execmem && allow_execstack) {
+ allow kernel_t self:process execstack;
+ auditallow kernel_t self:process execstack;
+ } else {
+ }
+ if (allow_execheap) {
+ auditallow kernel_t self:process execheap;
+ }
+ if (allow_execmem) {
+ auditallow kernel_t self:process execmem;
+ }
+ if (read_default_t) {
+ allow kernel_t default_t:dir { read getattr lock search ioctl };
+ allow kernel_t default_t:file { read getattr lock ioctl };
+ allow kernel_t default_t:lnk_file { read getattr lock ioctl };
+ allow kernel_t default_t:sock_file { read getattr lock ioctl };
+ allow kernel_t default_t:fifo_file { read getattr lock ioctl };
+ }
+ allow unlabeled_t self:filesystem associate;
+range_transition getty_t login_exec_t s0 - s0:c0.c255;
+range_transition init_t xdm_exec_t s0 - s0:c0.c255;
+range_transition initrc_t crond_exec_t s0 - s0:c0.c255;
+range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
+range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
+range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
+range_transition initrc_t xdm_exec_t s0 - s0:c0.c255;
+range_transition kernel_t udev_exec_t s0 - s0:c0.c255;
+range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
+range_transition unconfined_t initrc_exec_t s0;
+ typeattribute security_t filesystem_type;
+ allow security_t self:filesystem associate;
+ typeattribute security_t mlstrustedobject;
+neverallow ~can_load_policy security_t:security load_policy;
+neverallow ~can_setenforce security_t:security setenforce;
+neverallow ~can_setsecparam security_t:security setsecparam;
+ typeattribute bsdpty_device_t device_node;
+ allow bsdpty_device_t fs_t:filesystem associate;
+ allow bsdpty_device_t tmpfs_t:filesystem associate;
+ allow bsdpty_device_t tmp_t:filesystem associate;
+ typeattribute console_device_t device_node;
+ allow console_device_t fs_t:filesystem associate;
+ allow console_device_t tmpfs_t:filesystem associate;
+ allow console_device_t tmp_t:filesystem associate;
+ allow devpts_t fs_t:filesystem associate;
+ allow devpts_t noxattrfs:filesystem associate;
+ typeattribute devpts_t file_type;
+ typeattribute devpts_t mountpoint;
+ allow devpts_t tmpfs_t:filesystem associate;
+ allow devpts_t tmp_t:filesystem associate;
+ typeattribute devpts_t filesystem_type;
+ allow devpts_t self:filesystem associate;
+ typeattribute devpts_t ttynode, ptynode;
+ typeattribute devtty_t device_node;
+ allow devtty_t fs_t:filesystem associate;
+ allow devtty_t tmpfs_t:filesystem associate;
+ allow devtty_t tmp_t:filesystem associate;
+ typeattribute devtty_t mlstrustedobject;
+ typeattribute ptmx_t device_node;
+ allow ptmx_t fs_t:filesystem associate;
+ allow ptmx_t tmpfs_t:filesystem associate;
+ allow ptmx_t tmp_t:filesystem associate;
+ typeattribute ptmx_t mlstrustedobject;
+ typeattribute tty_device_t device_node;
+ allow tty_device_t fs_t:filesystem associate;
+ allow tty_device_t tmpfs_t:filesystem associate;
+ allow tty_device_t tmp_t:filesystem associate;
+ typeattribute tty_device_t ttynode;
+ typeattribute usbtty_device_t device_node;
+ allow usbtty_device_t fs_t:filesystem associate;
+ allow usbtty_device_t tmpfs_t:filesystem associate;
+ allow usbtty_device_t tmp_t:filesystem associate;
+user system_u roles { system_r } level s0 range s0 - s0:c0.c255;
+user user_u roles { user_r sysadm_r system_r } level s0 range s0 - s0:c0.c255;
+ user root roles { user_r sysadm_r system_r } level s0 range s0 - s0:c0.c255;
+constrain process transition
+ ( u1 == u2
+ or t1 == can_change_process_identity
+);
+constrain process transition
+ ( r1 == r2
+ or t1 == can_change_process_role
+);
+constrain process dyntransition
+ ( u1 == u2 and r1 == r2 );
+constrain { dir file lnk_file sock_file fifo_file chr_file blk_file } { create relabelto relabelfrom }
+ ( u1 == u2 or t1 == can_change_object_identity );
+constrain { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket } { create relabelto relabelfrom }
+ ( u1 == u2 or t1 == can_change_object_identity );
+sid port system_u:object_r:port_t:s0
+sid node system_u:object_r:node_t:s0
+sid netif system_u:object_r:netif_t:s0
+sid devnull system_u:object_r:null_device_t:s0
+sid file system_u:object_r:file_t:s0
+sid fs system_u:object_r:fs_t:s0
+sid kernel system_u:system_r:kernel_t:s0
+sid sysctl system_u:object_r:sysctl_t:s0
+sid unlabeled system_u:object_r:unlabeled_t:s0
+sid any_socket system_u:object_r:unlabeled_t:s0
+sid file_labels system_u:object_r:unlabeled_t:s0
+sid icmp_socket system_u:object_r:unlabeled_t:s0
+sid igmp_packet system_u:object_r:unlabeled_t:s0
+sid init system_u:object_r:unlabeled_t:s0
+sid kmod system_u:object_r:unlabeled_t:s0
+sid netmsg system_u:object_r:unlabeled_t:s0
+sid policy system_u:object_r:unlabeled_t:s0
+sid scmp_packet system_u:object_r:unlabeled_t:s0
+sid sysctl_modprobe system_u:object_r:unlabeled_t:s0
+sid sysctl_fs system_u:object_r:unlabeled_t:s0
+sid sysctl_kernel system_u:object_r:unlabeled_t:s0
+sid sysctl_net system_u:object_r:unlabeled_t:s0
+sid sysctl_net_unix system_u:object_r:unlabeled_t:s0
+sid sysctl_vm system_u:object_r:unlabeled_t:s0
+sid sysctl_dev system_u:object_r:unlabeled_t:s0
+sid tcp_socket system_u:object_r:unlabeled_t:s0
+sid security system_u:object_r:security_t:s0
+fs_use_xattr ext2 system_u:object_r:fs_t:s0;
+fs_use_xattr ext3 system_u:object_r:fs_t:s0;
+fs_use_xattr gfs system_u:object_r:fs_t:s0;
+fs_use_xattr jfs system_u:object_r:fs_t:s0;
+fs_use_xattr reiserfs system_u:object_r:fs_t:s0;
+fs_use_xattr xfs system_u:object_r:fs_t:s0;
+fs_use_task pipefs system_u:object_r:fs_t:s0;
+fs_use_task sockfs system_u:object_r:fs_t:s0;
+fs_use_trans mqueue system_u:object_r:tmpfs_t:s0;
+fs_use_trans shm system_u:object_r:tmpfs_t:s0;
+fs_use_trans tmpfs system_u:object_r:tmpfs_t:s0;
+fs_use_trans devpts system_u:object_r:devpts_t:s0;
+genfscon proc /mtrr system_u:object_r:mtrr_device_t:s0
+genfscon sysfs / system_u:object_r:sysfs_t:s0
+genfscon usbfs / system_u:object_r:usbfs_t:s0
+genfscon usbdevfs / system_u:object_r:usbfs_t:s0
+genfscon rootfs / system_u:object_r:root_t:s0
+genfscon bdev / system_u:object_r:bdev_t:s0
+genfscon binfmt_misc / system_u:object_r:binfmt_misc_fs_t:s0
+genfscon capifs / system_u:object_r:capifs_t:s0
+genfscon configfs / system_u:object_r:configfs_t:s0
+genfscon eventpollfs / system_u:object_r:eventpollfs_t:s0
+genfscon futexfs / system_u:object_r:futexfs_t:s0
+genfscon hugetlbfs / system_u:object_r:hugetlbfs_t:s0
+genfscon inotifyfs / system_u:object_r:inotifyfs_t:s0
+genfscon nfsd / system_u:object_r:nfsd_fs_t:s0
+genfscon ramfs / system_u:object_r:ramfs_t:s0
+genfscon romfs / system_u:object_r:romfs_t:s0
+genfscon cramfs / system_u:object_r:romfs_t:s0
+genfscon rpc_pipefs / system_u:object_r:rpc_pipefs_t:s0
+genfscon autofs / system_u:object_r:autofs_t:s0
+genfscon automount / system_u:object_r:autofs_t:s0
+genfscon cifs / system_u:object_r:cifs_t:s0
+genfscon smbfs / system_u:object_r:cifs_t:s0
+genfscon fat / system_u:object_r:dosfs_t:s0
+genfscon msdos / system_u:object_r:dosfs_t:s0
+genfscon ntfs / system_u:object_r:dosfs_t:s0
+genfscon vfat / system_u:object_r:dosfs_t:s0
+genfscon iso9660 / system_u:object_r:iso9660_t:s0
+genfscon udf / system_u:object_r:iso9660_t:s0
+genfscon nfs / system_u:object_r:nfs_t:s0
+genfscon nfs4 / system_u:object_r:nfs_t:s0
+genfscon afs / system_u:object_r:nfs_t:s0
+genfscon hfsplus / system_u:object_r:nfs_t:s0
+genfscon debugfs / system_u:object_r:debugfs_t:s0
+genfscon proc / system_u:object_r:proc_t:s0
+genfscon proc /sysvipc system_u:object_r:proc_t:s0
+genfscon proc /kmsg system_u:object_r:proc_kmsg_t:s0
+genfscon proc /kcore system_u:object_r:proc_kcore_t:s0
+genfscon proc /mdstat system_u:object_r:proc_mdstat_t:s0
+genfscon proc /net system_u:object_r:proc_net_t:s0
+genfscon proc /xen system_u:object_r:proc_xen_t:s0
+genfscon proc /sys system_u:object_r:sysctl_t:s0
+genfscon proc /irq system_u:object_r:sysctl_irq_t:s0
+genfscon proc /net/rpc system_u:object_r:sysctl_rpc_t:s0
+genfscon proc /sys/fs system_u:object_r:sysctl_fs_t:s0
+genfscon proc /sys/kernel system_u:object_r:sysctl_kernel_t:s0
+genfscon proc /sys/kernel/modprobe system_u:object_r:sysctl_modprobe_t:s0
+genfscon proc /sys/kernel/hotplug system_u:object_r:sysctl_hotplug_t:s0
+genfscon proc /sys/net system_u:object_r:sysctl_net_t:s0
+genfscon proc /sys/net/unix system_u:object_r:sysctl_net_unix_t:s0
+genfscon proc /sys/vm system_u:object_r:sysctl_vm_t:s0
+genfscon proc /sys/dev system_u:object_r:sysctl_dev_t:s0
+genfscon selinuxfs / system_u:object_r:security_t:s0
+portcon udp 7007 system_u:object_r:afs_bos_port_t:s0
+portcon tcp 2040 system_u:object_r:afs_fs_port_t:s0
+portcon udp 7000 system_u:object_r:afs_fs_port_t:s0
+portcon udp 7005 system_u:object_r:afs_fs_port_t:s0
+portcon udp 7004 system_u:object_r:afs_ka_port_t:s0
+portcon udp 7002 system_u:object_r:afs_pt_port_t:s0
+portcon udp 7003 system_u:object_r:afs_vl_port_t:s0
+portcon udp 10080 system_u:object_r:amanda_port_t:s0
+portcon tcp 10080 system_u:object_r:amanda_port_t:s0
+portcon udp 10081 system_u:object_r:amanda_port_t:s0
+portcon tcp 10081 system_u:object_r:amanda_port_t:s0
+portcon tcp 10082 system_u:object_r:amanda_port_t:s0
+portcon tcp 10083 system_u:object_r:amanda_port_t:s0
+portcon tcp 10024 system_u:object_r:amavisd_recv_port_t:s0
+portcon tcp 10025 system_u:object_r:amavisd_send_port_t:s0
+portcon tcp 1720 system_u:object_r:asterisk_port_t:s0
+portcon udp 2427 system_u:object_r:asterisk_port_t:s0
+portcon udp 2727 system_u:object_r:asterisk_port_t:s0
+portcon udp 4569 system_u:object_r:asterisk_port_t:s0
+portcon udp 5060 system_u:object_r:asterisk_port_t:s0
+portcon tcp 113 system_u:object_r:auth_port_t:s0
+portcon tcp 179 system_u:object_r:bgp_port_t:s0
+portcon udp 179 system_u:object_r:bgp_port_t:s0
+portcon tcp 3310 system_u:object_r:clamd_port_t:s0
+portcon udp 4041 system_u:object_r:clockspeed_port_t:s0
+portcon udp 512 system_u:object_r:comsat_port_t:s0
+portcon tcp 2401 system_u:object_r:cvs_port_t:s0
+portcon udp 2401 system_u:object_r:cvs_port_t:s0
+portcon udp 6276 system_u:object_r:dcc_port_t:s0
+portcon udp 6277 system_u:object_r:dcc_port_t:s0
+portcon tcp 1178 system_u:object_r:dbskkd_port_t:s0
+portcon udp 68 system_u:object_r:dhcpc_port_t:s0
+portcon udp 67 system_u:object_r:dhcpd_port_t:s0
+portcon tcp 647 system_u:object_r:dhcpd_port_t:s0
+portcon udp 647 system_u:object_r:dhcpd_port_t:s0
+portcon tcp 847 system_u:object_r:dhcpd_port_t:s0
+portcon udp 847 system_u:object_r:dhcpd_port_t:s0
+portcon tcp 2628 system_u:object_r:dict_port_t:s0
+portcon tcp 3632 system_u:object_r:distccd_port_t:s0
+portcon udp 53 system_u:object_r:dns_port_t:s0
+portcon tcp 53 system_u:object_r:dns_port_t:s0
+portcon tcp 79 system_u:object_r:fingerd_port_t:s0
+portcon tcp 20 system_u:object_r:ftp_data_port_t:s0
+portcon tcp 21 system_u:object_r:ftp_port_t:s0
+portcon udp 1718 system_u:object_r:gatekeeper_port_t:s0
+portcon udp 1719 system_u:object_r:gatekeeper_port_t:s0
+portcon tcp 1721 system_u:object_r:gatekeeper_port_t:s0
+portcon tcp 7000 system_u:object_r:gatekeeper_port_t:s0
+portcon tcp 1213 system_u:object_r:giftd_port_t:s0
+portcon tcp 70 system_u:object_r:gopher_port_t:s0
+portcon udp 70 system_u:object_r:gopher_port_t:s0
+portcon tcp 3128 system_u:object_r:http_cache_port_t:s0
+portcon udp 3130 system_u:object_r:http_cache_port_t:s0
+portcon tcp 8080 system_u:object_r:http_cache_port_t:s0
+portcon tcp 8118 system_u:object_r:http_cache_port_t:s0
+portcon tcp 80 system_u:object_r:http_port_t:s0
+portcon tcp 443 system_u:object_r:http_port_t:s0
+portcon tcp 488 system_u:object_r:http_port_t:s0
+portcon tcp 8008 system_u:object_r:http_port_t:s0
+portcon tcp 9050 system_u:object_r:http_port_t:s0
+portcon tcp 5335 system_u:object_r:howl_port_t:s0
+portcon udp 5353 system_u:object_r:howl_port_t:s0
+portcon tcp 50000 system_u:object_r:hplip_port_t:s0
+portcon tcp 50002 system_u:object_r:hplip_port_t:s0
+portcon tcp 9010 system_u:object_r:i18n_input_port_t:s0
+portcon tcp 5323 system_u:object_r:imaze_port_t:s0
+portcon udp 5323 system_u:object_r:imaze_port_t:s0
+portcon tcp 7 system_u:object_r:inetd_child_port_t:s0
+portcon udp 7 system_u:object_r:inetd_child_port_t:s0
+portcon tcp 9 system_u:object_r:inetd_child_port_t:s0
+portcon udp 9 system_u:object_r:inetd_child_port_t:s0
+portcon tcp 13 system_u:object_r:inetd_child_port_t:s0
+portcon udp 13 system_u:object_r:inetd_child_port_t:s0
+portcon tcp 19 system_u:object_r:inetd_child_port_t:s0
+portcon udp 19 system_u:object_r:inetd_child_port_t:s0
+portcon tcp 37 system_u:object_r:inetd_child_port_t:s0
+portcon udp 37 system_u:object_r:inetd_child_port_t:s0
+portcon tcp 512 system_u:object_r:inetd_child_port_t:s0
+portcon tcp 543 system_u:object_r:inetd_child_port_t:s0
+portcon tcp 544 system_u:object_r:inetd_child_port_t:s0
+portcon tcp 891 system_u:object_r:inetd_child_port_t:s0
+portcon udp 891 system_u:object_r:inetd_child_port_t:s0
+portcon tcp 892 system_u:object_r:inetd_child_port_t:s0
+portcon udp 892 system_u:object_r:inetd_child_port_t:s0
+portcon tcp 2105 system_u:object_r:inetd_child_port_t:s0
+portcon tcp 5666 system_u:object_r:inetd_child_port_t:s0
+portcon tcp 119 system_u:object_r:innd_port_t:s0
+portcon tcp 631 system_u:object_r:ipp_port_t:s0
+portcon udp 631 system_u:object_r:ipp_port_t:s0
+portcon tcp 6667 system_u:object_r:ircd_port_t:s0
+portcon udp 500 system_u:object_r:isakmp_port_t:s0
+portcon tcp 5222 system_u:object_r:jabber_client_port_t:s0
+portcon tcp 5223 system_u:object_r:jabber_client_port_t:s0
+portcon tcp 5269 system_u:object_r:jabber_interserver_port_t:s0
+portcon tcp 464 system_u:object_r:kerberos_admin_port_t:s0
+portcon udp 464 system_u:object_r:kerberos_admin_port_t:s0
+portcon tcp 749 system_u:object_r:kerberos_admin_port_t:s0
+portcon tcp 4444 system_u:object_r:kerberos_master_port_t:s0
+portcon udp 4444 system_u:object_r:kerberos_master_port_t:s0
+portcon tcp 88 system_u:object_r:kerberos_port_t:s0
+portcon udp 88 system_u:object_r:kerberos_port_t:s0
+portcon tcp 750 system_u:object_r:kerberos_port_t:s0
+portcon udp 750 system_u:object_r:kerberos_port_t:s0
+portcon udp 517 system_u:object_r:ktalkd_port_t:s0
+portcon udp 518 system_u:object_r:ktalkd_port_t:s0
+portcon tcp 389 system_u:object_r:ldap_port_t:s0
+portcon udp 389 system_u:object_r:ldap_port_t:s0
+portcon tcp 636 system_u:object_r:ldap_port_t:s0
+portcon udp 636 system_u:object_r:ldap_port_t:s0
+portcon tcp 2000 system_u:object_r:mail_port_t:s0
+portcon tcp 1234 system_u:object_r:monopd_port_t:s0
+portcon tcp 3306 system_u:object_r:mysqld_port_t:s0
+portcon tcp 1241 system_u:object_r:nessus_port_t:s0
+portcon udp 137 system_u:object_r:nmbd_port_t:s0
+portcon udp 138 system_u:object_r:nmbd_port_t:s0
+portcon udp 139 system_u:object_r:nmbd_port_t:s0
+portcon udp 123 system_u:object_r:ntp_port_t:s0
+portcon udp 5000 system_u:object_r:openvpn_port_t:s0
+portcon tcp 5988 system_u:object_r:pegasus_http_port_t:s0
+portcon tcp 5989 system_u:object_r:pegasus_https_port_t:s0
+portcon tcp 106 system_u:object_r:pop_port_t:s0
+portcon tcp 109 system_u:object_r:pop_port_t:s0
+portcon tcp 110 system_u:object_r:pop_port_t:s0
+portcon tcp 143 system_u:object_r:pop_port_t:s0
+portcon tcp 220 system_u:object_r:pop_port_t:s0
+portcon tcp 993 system_u:object_r:pop_port_t:s0
+portcon tcp 995 system_u:object_r:pop_port_t:s0
+portcon tcp 1109 system_u:object_r:pop_port_t:s0
+portcon udp 111 system_u:object_r:portmap_port_t:s0
+portcon tcp 111 system_u:object_r:portmap_port_t:s0
+portcon tcp 5432 system_u:object_r:postgresql_port_t:s0
+portcon tcp 60000 system_u:object_r:postgrey_port_t:s0
+portcon tcp 515 system_u:object_r:printer_port_t:s0
+portcon tcp 5703 system_u:object_r:ptal_port_t:s0
+portcon udp 4011 system_u:object_r:pxe_port_t:s0
+portcon udp 24441 system_u:object_r:pyzor_port_t:s0
+portcon udp 1646 system_u:object_r:radacct_port_t:s0
+portcon udp 1813 system_u:object_r:radacct_port_t:s0
+portcon udp 1645 system_u:object_r:radius_port_t:s0
+portcon udp 1812 system_u:object_r:radius_port_t:s0
+portcon tcp 2703 system_u:object_r:razor_port_t:s0
+portcon tcp 513 system_u:object_r:rlogind_port_t:s0
+portcon tcp 953 system_u:object_r:rndc_port_t:s0
+portcon udp 520 system_u:object_r:router_port_t:s0
+portcon tcp 514 system_u:object_r:rsh_port_t:s0
+portcon tcp 873 system_u:object_r:rsync_port_t:s0
+portcon udp 873 system_u:object_r:rsync_port_t:s0
+portcon tcp 137-139 system_u:object_r:smbd_port_t:s0
+portcon tcp 445 system_u:object_r:smbd_port_t:s0
+portcon tcp 25 system_u:object_r:smtp_port_t:s0
+portcon tcp 465 system_u:object_r:smtp_port_t:s0
+portcon tcp 587 system_u:object_r:smtp_port_t:s0
+portcon udp 161 system_u:object_r:snmp_port_t:s0
+portcon udp 162 system_u:object_r:snmp_port_t:s0
+portcon tcp 199 system_u:object_r:snmp_port_t:s0
+portcon tcp 783 system_u:object_r:spamd_port_t:s0
+portcon tcp 22 system_u:object_r:ssh_port_t:s0
+portcon tcp 8000 system_u:object_r:soundd_port_t:s0
+portcon tcp 9433 system_u:object_r:soundd_port_t:s0
+portcon tcp 901 system_u:object_r:swat_port_t:s0
+portcon udp 514 system_u:object_r:syslogd_port_t:s0
+portcon tcp 23 system_u:object_r:telnetd_port_t:s0
+portcon udp 69 system_u:object_r:tftp_port_t:s0
+portcon tcp 8081 system_u:object_r:transproxy_port_t:s0
+portcon tcp 540 system_u:object_r:uucpd_port_t:s0
+portcon tcp 5900 system_u:object_r:vnc_port_t:s0
+portcon tcp 6001 system_u:object_r:xserver_port_t:s0
+portcon tcp 6002 system_u:object_r:xserver_port_t:s0
+portcon tcp 6003 system_u:object_r:xserver_port_t:s0
+portcon tcp 6004 system_u:object_r:xserver_port_t:s0
+portcon tcp 6005 system_u:object_r:xserver_port_t:s0
+portcon tcp 6006 system_u:object_r:xserver_port_t:s0
+portcon tcp 6007 system_u:object_r:xserver_port_t:s0
+portcon tcp 6008 system_u:object_r:xserver_port_t:s0
+portcon tcp 6009 system_u:object_r:xserver_port_t:s0
+portcon tcp 6010 system_u:object_r:xserver_port_t:s0
+portcon tcp 6011 system_u:object_r:xserver_port_t:s0
+portcon tcp 6012 system_u:object_r:xserver_port_t:s0
+portcon tcp 6013 system_u:object_r:xserver_port_t:s0
+portcon tcp 6014 system_u:object_r:xserver_port_t:s0
+portcon tcp 6015 system_u:object_r:xserver_port_t:s0
+portcon tcp 6016 system_u:object_r:xserver_port_t:s0
+portcon tcp 6017 system_u:object_r:xserver_port_t:s0
+portcon tcp 6018 system_u:object_r:xserver_port_t:s0
+portcon tcp 6019 system_u:object_r:xserver_port_t:s0
+portcon tcp 8002 system_u:object_r:xen_port_t:s0
+portcon tcp 2601 system_u:object_r:zebra_port_t:s0
+portcon tcp 8021 system_u:object_r:zope_port_t:s0
+portcon tcp 1-1023 system_u:object_r:reserved_port_t:s0
+portcon udp 1-1023 system_u:object_r:reserved_port_t:s0
+nodecon :: ffff:ffff:ffff:ffff:ffff:ffff:: system_u:object_r:compat_ipv4_node_t:s0
+nodecon 0.0.0.0 255.255.255.255 system_u:object_r:inaddr_any_node_t:s0
+nodecon fe80:: ffff:ffff:ffff:ffff:: system_u:object_r:link_local_node_t:s0
+nodecon 127.0.0.1 255.255.255.255 system_u:object_r:lo_node_t:s0
+nodecon ::ffff:0000:0000 ffff:ffff:ffff:ffff:ffff:ffff:: system_u:object_r:mapped_ipv4_node_t:s0
+nodecon ff00:: ff00:: system_u:object_r:multicast_node_t:s0
+nodecon fec0:: ffc0:: system_u:object_r:site_local_node_t:s0
+nodecon :: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system_u:object_r:unspec_node_t:s0
diff --git a/tests/policies/test-deps/base-metreq.conf b/tests/policies/test-deps/base-metreq.conf
new file mode 100644
index 0000000..9b7ade5
--- /dev/null
+++ b/tests/policies/test-deps/base-metreq.conf
@@ -0,0 +1,519 @@
+# FLASK
+
+#
+# Define the security object classes
+#
+
+class security
+class process
+class system
+class capability
+
+# file-related classes
+class filesystem
+class file
+class dir
+class fd
+class lnk_file
+class chr_file
+class blk_file
+class sock_file
+class fifo_file
+
+# network-related classes
+class socket
+class tcp_socket
+class udp_socket
+class rawip_socket
+class node
+class netif
+class netlink_socket
+class packet_socket
+class key_socket
+class unix_stream_socket
+class unix_dgram_socket
+
+# sysv-ipc-related clases
+class sem
+class msg
+class msgq
+class shm
+class ipc
+
+# FLASK
+# FLASK
+
+#
+# Define initial security identifiers
+#
+
+sid kernel
+
+
+# FLASK
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ unlink
+ link
+ rename
+ execute
+ swapon
+ quotaon
+ mounton
+}
+
+
+#
+# Define a common prefix for socket access vectors.
+#
+
+common socket
+{
+# inherited from file
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+# socket-specific
+ bind
+ connect
+ listen
+ accept
+ getopt
+ setopt
+ shutdown
+ recvfrom
+ sendto
+ recv_msg
+ send_msg
+ name_bind
+}
+
+#
+# Define a common prefix for ipc access vectors.
+#
+
+common ipc
+{
+ create
+ destroy
+ getattr
+ setattr
+ read
+ write
+ associate
+ unix_read
+ unix_write
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class filesystem
+{
+ mount
+ remount
+ unmount
+ getattr
+ relabelfrom
+ relabelto
+ transition
+ associate
+ quotamod
+ quotaget
+}
+
+class dir
+inherits file
+{
+ add_name
+ remove_name
+ reparent
+ search
+ rmdir
+}
+
+class file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+}
+
+class lnk_file
+inherits file
+
+class chr_file
+inherits file
+
+class blk_file
+inherits file
+
+class sock_file
+inherits file
+
+class fifo_file
+inherits file
+
+class fd
+{
+ use
+}
+
+
+#
+# Define the access vector interpretation for network-related objects.
+#
+
+class socket
+inherits socket
+
+class tcp_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+}
+
+class udp_socket
+inherits socket
+
+class rawip_socket
+inherits socket
+
+class node
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+ enforce_dest
+}
+
+class netif
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+}
+
+class netlink_socket
+inherits socket
+
+class packet_socket
+inherits socket
+
+class key_socket
+inherits socket
+
+class unix_stream_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+}
+
+class unix_dgram_socket
+inherits socket
+
+
+#
+# Define the access vector interpretation for process-related objects
+#
+
+class process
+{
+ fork
+ transition
+ sigchld # commonly granted from child to parent
+ sigkill # cannot be caught or ignored
+ sigstop # cannot be caught or ignored
+ signull # for kill(pid, 0)
+ signal # all other signals
+ ptrace
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ share
+}
+
+
+#
+# Define the access vector interpretation for ipc-related objects
+#
+
+class ipc
+inherits ipc
+
+class sem
+inherits ipc
+
+class msgq
+inherits ipc
+{
+ enqueue
+}
+
+class msg
+{
+ send
+ receive
+}
+
+class shm
+inherits ipc
+{
+ lock
+}
+
+
+#
+# Define the access vector interpretation for the security server.
+#
+
+class security
+{
+ compute_av
+ transition_sid
+ member_sid
+ sid_to_context
+ context_to_sid
+ load_policy
+ get_sids
+ change_sid
+ get_user_sids
+}
+
+
+#
+# Define the access vector interpretation for system operations.
+#
+
+class system
+{
+ ipc_info
+ avc_toggle
+ nfsd_control
+ bdflush
+ syslog_read
+ syslog_mod
+ syslog_console
+ ichsid
+}
+
+#
+# Define the access vector interpretation for controling capabilies
+#
+
+class capability
+{
+ # The capabilities are defined in include/linux/capability.h
+ # Care should be taken to ensure that these are consistent with
+ # those definitions. (Order matters)
+
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+ mknod
+ lease
+}
+
+ifdef(`enable_mls',`
+sensitivity s0;
+
+#
+# Define the ordering of the sensitivity levels (least to greatest)
+#
+dominance { s0 }
+
+
+#
+# Define the categories
+#
+# Each category has a name and zero or more aliases.
+#
+category c0; category c1; category c2; category c3;
+category c4; category c5; category c6; category c7;
+category c8; category c9; category c10; category c11;
+category c12; category c13; category c14; category c15;
+category c16; category c17; category c18; category c19;
+category c20; category c21; category c22; category c23;
+
+level s0:c0.c23;
+
+mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
+ ( h1 dom h2 );
+')
+
+####################################
+####################################
+#####################################
+# TE RULES
+attribute domain;
+attribute system;
+attribute foo;
+attribute num;
+attribute num_exec;
+attribute files;
+
+type net_foo_t, foo;
+type sys_foo_t, foo, system;
+role system_r types sys_foo_t;
+
+type user_t, domain;
+role user_r types user_t;
+
+type sysadm_t, domain, system;
+role sysadm_r types sysadm_t;
+
+type system_t, domain, system, foo;
+role system_r types { system_t sys_foo_t };
+
+type file_t;
+type file_exec_t, files;
+type fs_t;
+
+# Make this decl easy to find
+type base_global_decl_t;
+
+# Actually used in module tests
+type type_req_t;
+attribute attr_req;
+bool bool_req false;
+role role_req_r;
+
+
+allow sysadm_t file_exec_t: file { execute read write ioctl lock entrypoint };
+
+optional {
+ require {
+ type base_optional_1, base_optional_2;
+ }
+ allow base_optional_1 base_optional_2 : file { read write };
+}
+
+#####################################
+# Role Allow
+allow user_r sysadm_r;
+
+####################################
+# Booleans
+bool allow_ypbind true;
+bool secure_mode false;
+bool allow_execheap false;
+bool allow_execmem true;
+bool allow_execmod false;
+bool allow_execstack true;
+bool optional_bool_1 true;
+bool optional_bool_2 false;
+
+#####################################
+# users
+gen_user(system_u,, system_r, s0, s0 - s0:c0.c23)
+gen_user(root,, user_r sysadm_r, s0, s0 - s0:c0.c23)
+gen_user(joe,, user_r, s0, s0 - s0:c0.c23)
+
+#####################################
+# constraints
+
+
+####################################
+#line 1 "initial_sid_contexts"
+
+sid kernel gen_context(system_u:system_r:sys_foo_t, s0)
+
+
+############################################
+#line 1 "fs_use"
+#
+fs_use_xattr ext2 gen_context(system_u:object_r:fs_t, s0);
+fs_use_xattr ext3 gen_context(system_u:object_r:fs_t, s0);
+fs_use_xattr reiserfs gen_context(system_u:object_r:fs_t, s0);
+
+
+genfscon proc / gen_context(system_u:object_r:sys_foo_t, s0)
+
+
+####################################
+#line 1 "net_contexts"
+
+#portcon tcp 21 system_u:object_r:net_foo_t:s0
+
+#netifcon lo system_u:object_r:net_foo_t system_u:object_r:net_foo_t:s0
+
+#
+#nodecon 127.0.0.1 255.255.255.255 system_u:object_r:net_foo_t:s0
+
+nodecon ::1 FFFF:FFFF:FFFF:FFFF:: gen_context(system_u:object_r:net_foo_t, s0)
+
+
+
+
diff --git a/tests/policies/test-deps/base-notmetreq.conf b/tests/policies/test-deps/base-notmetreq.conf
new file mode 100644
index 0000000..cf6aa0a
--- /dev/null
+++ b/tests/policies/test-deps/base-notmetreq.conf
@@ -0,0 +1,506 @@
+# FLASK
+
+#
+# Define the security object classes
+#
+
+class security
+class process
+class system
+class capability
+
+# file-related classes
+class filesystem
+class file
+class dir
+class fd
+class lnk_file
+class chr_file
+class blk_file
+class sock_file
+class fifo_file
+
+# network-related classes
+class socket
+class tcp_socket
+class udp_socket
+class rawip_socket
+class node
+class netif
+class netlink_socket
+class packet_socket
+class key_socket
+class unix_stream_socket
+class unix_dgram_socket
+
+# sysv-ipc-related clases
+class msg
+class msgq
+class shm
+class ipc
+
+# FLASK
+# FLASK
+
+#
+# Define initial security identifiers
+#
+
+sid kernel
+
+
+# FLASK
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ unlink
+ link
+ rename
+ execute
+ swapon
+ quotaon
+ mounton
+}
+
+
+#
+# Define a common prefix for socket access vectors.
+#
+
+common socket
+{
+# inherited from file
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+# socket-specific
+ bind
+ connect
+ listen
+ accept
+ getopt
+ setopt
+ shutdown
+ recvfrom
+ sendto
+ recv_msg
+ send_msg
+ name_bind
+}
+
+#
+# Define a common prefix for ipc access vectors.
+#
+
+common ipc
+{
+ create
+ destroy
+ getattr
+ setattr
+ read
+ write
+ associate
+ unix_read
+ unix_write
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class filesystem
+{
+ mount
+ remount
+ unmount
+ getattr
+ relabelfrom
+ relabelto
+ transition
+ associate
+ quotamod
+ quotaget
+}
+
+class dir
+inherits file
+{
+ add_name
+ remove_name
+ reparent
+ search
+ rmdir
+}
+
+class file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+}
+
+class lnk_file
+inherits file
+
+class chr_file
+inherits file
+
+class blk_file
+inherits file
+
+class sock_file
+inherits file
+
+class fifo_file
+inherits file
+
+class fd
+{
+ use
+}
+
+
+#
+# Define the access vector interpretation for network-related objects.
+#
+
+class socket
+inherits socket
+
+class tcp_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+}
+
+class udp_socket
+inherits socket
+
+class rawip_socket
+inherits socket
+
+class node
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+ enforce_dest
+}
+
+class netif
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+}
+
+class netlink_socket
+inherits socket
+
+class packet_socket
+inherits socket
+
+class key_socket
+inherits socket
+
+class unix_stream_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+}
+
+class unix_dgram_socket
+inherits socket
+
+
+#
+# Define the access vector interpretation for process-related objects
+#
+
+class process
+{
+ fork
+ transition
+ sigchld # commonly granted from child to parent
+ sigkill # cannot be caught or ignored
+ sigstop # cannot be caught or ignored
+ signull # for kill(pid, 0)
+ signal # all other signals
+ ptrace
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ share
+}
+
+
+#
+# Define the access vector interpretation for ipc-related objects
+#
+
+class ipc
+inherits ipc
+
+class msgq
+inherits ipc
+{
+ enqueue
+}
+
+class msg
+{
+ send
+}
+
+class shm
+inherits ipc
+{
+ lock
+}
+
+
+#
+# Define the access vector interpretation for the security server.
+#
+
+class security
+{
+ compute_av
+ transition_sid
+ member_sid
+ sid_to_context
+ context_to_sid
+ load_policy
+ get_sids
+ change_sid
+ get_user_sids
+}
+
+
+#
+# Define the access vector interpretation for system operations.
+#
+
+class system
+{
+ ipc_info
+ avc_toggle
+ nfsd_control
+ bdflush
+ syslog_read
+ syslog_mod
+ syslog_console
+ ichsid
+}
+
+#
+# Define the access vector interpretation for controling capabilies
+#
+
+class capability
+{
+ # The capabilities are defined in include/linux/capability.h
+ # Care should be taken to ensure that these are consistent with
+ # those definitions. (Order matters)
+
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+ mknod
+ lease
+}
+
+ifdef(`enable_mls',`
+sensitivity s0;
+
+#
+# Define the ordering of the sensitivity levels (least to greatest)
+#
+dominance { s0 }
+
+
+#
+# Define the categories
+#
+# Each category has a name and zero or more aliases.
+#
+category c0; category c1; category c2; category c3;
+category c4; category c5; category c6; category c7;
+category c8; category c9; category c10; category c11;
+category c12; category c13; category c14; category c15;
+category c16; category c17; category c18; category c19;
+category c20; category c21; category c22; category c23;
+
+level s0:c0.c23;
+
+mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
+ ( h1 dom h2 );
+')
+
+####################################
+####################################
+#####################################
+# TE RULES
+attribute domain;
+attribute system;
+attribute foo;
+attribute num;
+attribute num_exec;
+attribute files;
+
+type net_foo_t, foo;
+type sys_foo_t, foo, system;
+role system_r types sys_foo_t;
+
+type user_t, domain;
+role user_r types user_t;
+
+type sysadm_t, domain, system;
+role sysadm_r types sysadm_t;
+
+type system_t, domain, system, foo;
+role system_r types { system_t sys_foo_t };
+
+type file_t;
+type file_exec_t, files;
+type fs_t;
+type base_optional_1;
+type base_optional_2;
+
+allow sysadm_t file_exec_t: file { execute read write ioctl lock entrypoint };
+
+optional {
+ require {
+ type base_optional_1, base_optional_2;
+ }
+ allow base_optional_1 base_optional_2 : file { read write };
+}
+
+#####################################
+# Role Allow
+allow user_r sysadm_r;
+
+####################################
+# Booleans
+bool allow_ypbind true;
+bool secure_mode false;
+bool allow_execheap false;
+bool allow_execmem true;
+bool allow_execmod false;
+bool allow_execstack true;
+bool optional_bool_1 true;
+bool optional_bool_2 false;
+
+#####################################
+# users
+gen_user(system_u,, system_r, s0, s0 - s0:c0.c23)
+gen_user(root,, user_r sysadm_r, s0, s0 - s0:c0.c23)
+gen_user(joe,, user_r, s0, s0 - s0:c0.c23)
+
+#####################################
+# constraints
+
+
+####################################
+#line 1 "initial_sid_contexts"
+
+sid kernel gen_context(system_u:system_r:sys_foo_t, s0)
+
+
+############################################
+#line 1 "fs_use"
+#
+fs_use_xattr ext2 gen_context(system_u:object_r:fs_t, s0);
+fs_use_xattr ext3 gen_context(system_u:object_r:fs_t, s0);
+fs_use_xattr reiserfs gen_context(system_u:object_r:fs_t, s0);
+
+
+genfscon proc / gen_context(system_u:object_r:sys_foo_t, s0)
+
+
+####################################
+#line 1 "net_contexts"
+
+#portcon tcp 21 system_u:object_r:net_foo_t:s0
+
+#netifcon lo system_u:object_r:net_foo_t system_u:object_r:net_foo_t:s0
+
+#
+#nodecon 127.0.0.1 255.255.255.255 system_u:object_r:net_foo_t:s0
+
+nodecon ::1 FFFF:FFFF:FFFF:FFFF:: gen_context(system_u:object_r:net_foo_t, s0)
+
+
+
+
diff --git a/tests/policies/test-deps/modreq-attr-global.conf b/tests/policies/test-deps/modreq-attr-global.conf
new file mode 100644
index 0000000..92f6b30
--- /dev/null
+++ b/tests/policies/test-deps/modreq-attr-global.conf
@@ -0,0 +1,10 @@
+module modreq_attr_global 1.0;
+
+require {
+ attribute attr_req;
+}
+
+type mod_global_t;
+
+type new_t, attr_req;
+
diff --git a/tests/policies/test-deps/modreq-attr-opt.conf b/tests/policies/test-deps/modreq-attr-opt.conf
new file mode 100644
index 0000000..b970c1d
--- /dev/null
+++ b/tests/policies/test-deps/modreq-attr-opt.conf
@@ -0,0 +1,16 @@
+module modreq_attr_opt 1.0;
+
+require {
+ class file {read write};
+
+}
+
+type mod_global_t;
+
+optional {
+ require {
+ attribute attr_req;
+ }
+ type mod_opt_t;
+ type new_t, attr_req;
+}
diff --git a/tests/policies/test-deps/modreq-bool-global.conf b/tests/policies/test-deps/modreq-bool-global.conf
new file mode 100644
index 0000000..4ef0cc9
--- /dev/null
+++ b/tests/policies/test-deps/modreq-bool-global.conf
@@ -0,0 +1,15 @@
+module modreq_bool_global 1.0;
+
+require {
+ bool bool_req;
+ class file { read write };
+}
+
+type mod_global_t;
+
+type a_t;
+type b_t;
+
+if (bool_req) {
+ allow a_t b_t : file { read write };
+}
diff --git a/tests/policies/test-deps/modreq-bool-opt.conf b/tests/policies/test-deps/modreq-bool-opt.conf
new file mode 100644
index 0000000..27af4f2
--- /dev/null
+++ b/tests/policies/test-deps/modreq-bool-opt.conf
@@ -0,0 +1,22 @@
+module modreq_bool_opt 1.0;
+
+require {
+ class file {read write};
+
+}
+
+type mod_global_t;
+
+optional {
+ require {
+ bool bool_req;
+ }
+
+ type a_t;
+ type b_t;
+ type mod_opt_t;
+
+ if (bool_req) {
+ allow a_t b_t : file { read write };
+ }
+}
diff --git a/tests/policies/test-deps/modreq-obj-global.conf b/tests/policies/test-deps/modreq-obj-global.conf
new file mode 100644
index 0000000..e9eba77
--- /dev/null
+++ b/tests/policies/test-deps/modreq-obj-global.conf
@@ -0,0 +1,13 @@
+module modreq_obj_global 1.0;
+
+require {
+ class sem { create destroy };
+}
+
+type mod_global_t;
+
+type mod_foo_t;
+type mod_bar_t;
+
+allow mod_foo_t mod_bar_t : sem { create destroy };
+
diff --git a/tests/policies/test-deps/modreq-obj-opt.conf b/tests/policies/test-deps/modreq-obj-opt.conf
new file mode 100644
index 0000000..67a41a4
--- /dev/null
+++ b/tests/policies/test-deps/modreq-obj-opt.conf
@@ -0,0 +1,20 @@
+module modreq_obj_global 1.0;
+
+require {
+ class file { read };
+}
+
+type mod_global_t;
+
+type mod_foo_t;
+type mod_bar_t;
+
+optional {
+ require {
+ class sem { create destroy };
+ }
+
+ type mod_opt_t;
+
+ allow mod_foo_t mod_bar_t : sem { create destroy };
+}
diff --git a/tests/policies/test-deps/modreq-perm-global.conf b/tests/policies/test-deps/modreq-perm-global.conf
new file mode 100644
index 0000000..941ca96
--- /dev/null
+++ b/tests/policies/test-deps/modreq-perm-global.conf
@@ -0,0 +1,10 @@
+module modreq_perm_global 1.0;
+
+require {
+ class msg { send receive };
+}
+
+type mod_global_t;
+type a_t;
+type b_t;
+allow a_t b_t: msg { send receive };
diff --git a/tests/policies/test-deps/modreq-perm-opt.conf b/tests/policies/test-deps/modreq-perm-opt.conf
new file mode 100644
index 0000000..43a3f97
--- /dev/null
+++ b/tests/policies/test-deps/modreq-perm-opt.conf
@@ -0,0 +1,18 @@
+module modreq_perm_opt 1.0;
+
+require {
+ class file { read write };
+}
+
+type mod_global_t;
+
+optional {
+ require {
+ class msg { send receive };
+ }
+
+ type mod_opt_t;
+ type a_mod_t;
+ type b_mod_t;
+ allow a_mod_t b_mod_t: msg { send receive };
+}
diff --git a/tests/policies/test-deps/modreq-role-global.conf b/tests/policies/test-deps/modreq-role-global.conf
new file mode 100644
index 0000000..01fd3ec
--- /dev/null
+++ b/tests/policies/test-deps/modreq-role-global.conf
@@ -0,0 +1,13 @@
+module modreq_role_global 1.0;
+
+require {
+ role role_req_r, user_r;
+}
+
+type mod_global_t;
+
+type a_t;
+
+# role role_req_r types a_t;
+allow role_req_r user_r;
+
diff --git a/tests/policies/test-deps/modreq-role-opt.conf b/tests/policies/test-deps/modreq-role-opt.conf
new file mode 100644
index 0000000..532a77e
--- /dev/null
+++ b/tests/policies/test-deps/modreq-role-opt.conf
@@ -0,0 +1,17 @@
+module modreq_role_opt 1.0;
+
+require {
+ class file {read write};
+
+}
+
+type mod_global_t;
+
+optional {
+ require {
+ role role_req_r, user_r;
+ }
+ type mod_opt_t;
+
+ allow role_req_r user_r;
+}
diff --git a/tests/policies/test-deps/modreq-type-global.conf b/tests/policies/test-deps/modreq-type-global.conf
new file mode 100644
index 0000000..e5704a3
--- /dev/null
+++ b/tests/policies/test-deps/modreq-type-global.conf
@@ -0,0 +1,12 @@
+module modreq_type_global 1.0;
+
+require {
+ type type_req_t;
+ class file { read write };
+}
+
+type mod_global_t;
+
+type test_t;
+
+allow test_t type_req_t : file { read write };
diff --git a/tests/policies/test-deps/modreq-type-opt.conf b/tests/policies/test-deps/modreq-type-opt.conf
new file mode 100644
index 0000000..65071d7
--- /dev/null
+++ b/tests/policies/test-deps/modreq-type-opt.conf
@@ -0,0 +1,16 @@
+module modreq_type_opt 1.0;
+
+require {
+ type file_t;
+ class file { read write };
+}
+
+type mod_global_t;
+
+optional {
+ require {
+ type type_req_t;
+ }
+ type mod_opt_t;
+ allow type_req_t file_t : file { read write };
+}
\ No newline at end of file
diff --git a/tests/policies/test-deps/module.conf b/tests/policies/test-deps/module.conf
new file mode 100644
index 0000000..1971e4c
--- /dev/null
+++ b/tests/policies/test-deps/module.conf
@@ -0,0 +1,20 @@
+module my_module 1.0;
+
+require {
+ bool secure_mode;
+ type system_t, sysadm_t, file_t;
+ attribute domain;
+ role system_r;
+ class file {read write};
+
+}
+
+type new_t, domain;
+role system_r types new_t;
+
+allow system_t file_t : file { read write };
+
+if (secure_mode)
+{
+ allow sysadm_t file_t : file { read write };
+}
diff --git a/tests/policies/test-deps/small-base.conf b/tests/policies/test-deps/small-base.conf
new file mode 100644
index 0000000..7c1cbe4
--- /dev/null
+++ b/tests/policies/test-deps/small-base.conf
@@ -0,0 +1,511 @@
+# FLASK
+
+#
+# Define the security object classes
+#
+
+class security
+class process
+class system
+class capability
+
+# file-related classes
+class filesystem
+class file
+class dir
+class fd
+class lnk_file
+class chr_file
+class blk_file
+class sock_file
+class fifo_file
+
+# network-related classes
+class socket
+class tcp_socket
+class udp_socket
+class rawip_socket
+class node
+class netif
+class netlink_socket
+class packet_socket
+class key_socket
+class unix_stream_socket
+class unix_dgram_socket
+
+# sysv-ipc-related clases
+class sem
+class msg
+class msgq
+class shm
+class ipc
+
+# FLASK
+# FLASK
+
+#
+# Define initial security identifiers
+#
+
+sid kernel
+
+
+# FLASK
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ unlink
+ link
+ rename
+ execute
+ swapon
+ quotaon
+ mounton
+}
+
+
+#
+# Define a common prefix for socket access vectors.
+#
+
+common socket
+{
+# inherited from file
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+# socket-specific
+ bind
+ connect
+ listen
+ accept
+ getopt
+ setopt
+ shutdown
+ recvfrom
+ sendto
+ recv_msg
+ send_msg
+ name_bind
+}
+
+#
+# Define a common prefix for ipc access vectors.
+#
+
+common ipc
+{
+ create
+ destroy
+ getattr
+ setattr
+ read
+ write
+ associate
+ unix_read
+ unix_write
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class filesystem
+{
+ mount
+ remount
+ unmount
+ getattr
+ relabelfrom
+ relabelto
+ transition
+ associate
+ quotamod
+ quotaget
+}
+
+class dir
+inherits file
+{
+ add_name
+ remove_name
+ reparent
+ search
+ rmdir
+}
+
+class file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+}
+
+class lnk_file
+inherits file
+
+class chr_file
+inherits file
+
+class blk_file
+inherits file
+
+class sock_file
+inherits file
+
+class fifo_file
+inherits file
+
+class fd
+{
+ use
+}
+
+
+#
+# Define the access vector interpretation for network-related objects.
+#
+
+class socket
+inherits socket
+
+class tcp_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+}
+
+class udp_socket
+inherits socket
+
+class rawip_socket
+inherits socket
+
+class node
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+ enforce_dest
+}
+
+class netif
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+}
+
+class netlink_socket
+inherits socket
+
+class packet_socket
+inherits socket
+
+class key_socket
+inherits socket
+
+class unix_stream_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+}
+
+class unix_dgram_socket
+inherits socket
+
+
+#
+# Define the access vector interpretation for process-related objects
+#
+
+class process
+{
+ fork
+ transition
+ sigchld # commonly granted from child to parent
+ sigkill # cannot be caught or ignored
+ sigstop # cannot be caught or ignored
+ signull # for kill(pid, 0)
+ signal # all other signals
+ ptrace
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ share
+}
+
+
+#
+# Define the access vector interpretation for ipc-related objects
+#
+
+class ipc
+inherits ipc
+
+class sem
+inherits ipc
+
+class msgq
+inherits ipc
+{
+ enqueue
+}
+
+class msg
+{
+ send
+ receive
+}
+
+class shm
+inherits ipc
+{
+ lock
+}
+
+
+#
+# Define the access vector interpretation for the security server.
+#
+
+class security
+{
+ compute_av
+ transition_sid
+ member_sid
+ sid_to_context
+ context_to_sid
+ load_policy
+ get_sids
+ change_sid
+ get_user_sids
+}
+
+
+#
+# Define the access vector interpretation for system operations.
+#
+
+class system
+{
+ ipc_info
+ avc_toggle
+ nfsd_control
+ bdflush
+ syslog_read
+ syslog_mod
+ syslog_console
+ ichsid
+}
+
+#
+# Define the access vector interpretation for controling capabilies
+#
+
+class capability
+{
+ # The capabilities are defined in include/linux/capability.h
+ # Care should be taken to ensure that these are consistent with
+ # those definitions. (Order matters)
+
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+ mknod
+ lease
+}
+
+ifdef(`enable_mls',`
+sensitivity s0;
+
+#
+# Define the ordering of the sensitivity levels (least to greatest)
+#
+dominance { s0 }
+
+
+#
+# Define the categories
+#
+# Each category has a name and zero or more aliases.
+#
+category c0; category c1; category c2; category c3;
+category c4; category c5; category c6; category c7;
+category c8; category c9; category c10; category c11;
+category c12; category c13; category c14; category c15;
+category c16; category c17; category c18; category c19;
+category c20; category c21; category c22; category c23;
+
+level s0:c0.c23;
+
+mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
+ ( h1 dom h2 );
+')
+
+####################################
+####################################
+#####################################
+# TE RULES
+attribute domain;
+attribute system;
+attribute foo;
+attribute num;
+attribute num_exec;
+attribute files;
+
+type net_foo_t, foo;
+type sys_foo_t, foo, system;
+role system_r types sys_foo_t;
+
+type user_t, domain;
+role user_r types user_t;
+
+type sysadm_t, domain, system;
+role sysadm_r types sysadm_t;
+
+type system_t, domain, system, foo;
+role system_r types { system_t sys_foo_t };
+
+type file_t;
+type file_exec_t, files;
+type fs_t;
+type base_optional_1;
+type base_optional_2;
+
+allow sysadm_t file_exec_t: file { execute read write ioctl lock entrypoint };
+
+optional {
+ require {
+ type base_optional_1, base_optional_2;
+ }
+ allow base_optional_1 base_optional_2 : file { read write };
+}
+
+#####################################
+# Role Allow
+allow user_r sysadm_r;
+
+####################################
+# Booleans
+bool allow_ypbind true;
+bool secure_mode false;
+bool allow_execheap false;
+bool allow_execmem true;
+bool allow_execmod false;
+bool allow_execstack true;
+bool optional_bool_1 true;
+bool optional_bool_2 false;
+
+#####################################
+# users
+gen_user(system_u,, system_r, s0, s0 - s0:c0.c23)
+gen_user(root,, user_r sysadm_r, s0, s0 - s0:c0.c23)
+gen_user(joe,, user_r, s0, s0 - s0:c0.c23)
+
+#####################################
+# constraints
+
+
+####################################
+#line 1 "initial_sid_contexts"
+
+sid kernel gen_context(system_u:system_r:sys_foo_t, s0)
+
+
+############################################
+#line 1 "fs_use"
+#
+fs_use_xattr ext2 gen_context(system_u:object_r:fs_t, s0);
+fs_use_xattr ext3 gen_context(system_u:object_r:fs_t, s0);
+fs_use_xattr reiserfs gen_context(system_u:object_r:fs_t, s0);
+
+
+genfscon proc / gen_context(system_u:object_r:sys_foo_t, s0)
+
+
+####################################
+#line 1 "net_contexts"
+
+#portcon tcp 21 system_u:object_r:net_foo_t:s0
+
+#netifcon lo system_u:object_r:net_foo_t system_u:object_r:net_foo_t:s0
+
+#
+#nodecon 127.0.0.1 255.255.255.255 system_u:object_r:net_foo_t:s0
+
+nodecon ::1 FFFF:FFFF:FFFF:FFFF:: gen_context(system_u:object_r:net_foo_t, s0)
+
+
+
+
diff --git a/tests/policies/test-expander/alias-base.conf b/tests/policies/test-expander/alias-base.conf
new file mode 100644
index 0000000..f3d0a6c
--- /dev/null
+++ b/tests/policies/test-expander/alias-base.conf
@@ -0,0 +1,498 @@
+# FLASK
+
+#
+# Define the security object classes
+#
+
+class security
+class process
+class system
+class capability
+
+# file-related classes
+class filesystem
+class file
+class dir
+class fd
+class lnk_file
+class chr_file
+class blk_file
+class sock_file
+class fifo_file
+
+# network-related classes
+class socket
+class tcp_socket
+class udp_socket
+class rawip_socket
+class node
+class netif
+class netlink_socket
+class packet_socket
+class key_socket
+class unix_stream_socket
+class unix_dgram_socket
+
+# sysv-ipc-related clases
+class sem
+class msg
+class msgq
+class shm
+class ipc
+
+# FLASK
+# FLASK
+
+#
+# Define initial security identifiers
+#
+
+sid kernel
+
+
+# FLASK
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ unlink
+ link
+ rename
+ execute
+ swapon
+ quotaon
+ mounton
+}
+
+
+#
+# Define a common prefix for socket access vectors.
+#
+
+common socket
+{
+# inherited from file
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+# socket-specific
+ bind
+ connect
+ listen
+ accept
+ getopt
+ setopt
+ shutdown
+ recvfrom
+ sendto
+ recv_msg
+ send_msg
+ name_bind
+}
+
+#
+# Define a common prefix for ipc access vectors.
+#
+
+common ipc
+{
+ create
+ destroy
+ getattr
+ setattr
+ read
+ write
+ associate
+ unix_read
+ unix_write
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class filesystem
+{
+ mount
+ remount
+ unmount
+ getattr
+ relabelfrom
+ relabelto
+ transition
+ associate
+ quotamod
+ quotaget
+}
+
+class dir
+inherits file
+{
+ add_name
+ remove_name
+ reparent
+ search
+ rmdir
+}
+
+class file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+}
+
+class lnk_file
+inherits file
+
+class chr_file
+inherits file
+
+class blk_file
+inherits file
+
+class sock_file
+inherits file
+
+class fifo_file
+inherits file
+
+class fd
+{
+ use
+}
+
+
+#
+# Define the access vector interpretation for network-related objects.
+#
+
+class socket
+inherits socket
+
+class tcp_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+}
+
+class udp_socket
+inherits socket
+
+class rawip_socket
+inherits socket
+
+class node
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+ enforce_dest
+}
+
+class netif
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+}
+
+class netlink_socket
+inherits socket
+
+class packet_socket
+inherits socket
+
+class key_socket
+inherits socket
+
+class unix_stream_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+}
+
+class unix_dgram_socket
+inherits socket
+
+
+#
+# Define the access vector interpretation for process-related objects
+#
+
+class process
+{
+ fork
+ transition
+ sigchld # commonly granted from child to parent
+ sigkill # cannot be caught or ignored
+ sigstop # cannot be caught or ignored
+ signull # for kill(pid, 0)
+ signal # all other signals
+ ptrace
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ share
+}
+
+
+#
+# Define the access vector interpretation for ipc-related objects
+#
+
+class ipc
+inherits ipc
+
+class sem
+inherits ipc
+
+class msgq
+inherits ipc
+{
+ enqueue
+}
+
+class msg
+{
+ send
+ receive
+}
+
+class shm
+inherits ipc
+{
+ lock
+}
+
+
+#
+# Define the access vector interpretation for the security server.
+#
+
+class security
+{
+ compute_av
+ transition_sid
+ member_sid
+ sid_to_context
+ context_to_sid
+ load_policy
+ get_sids
+ change_sid
+ get_user_sids
+}
+
+
+#
+# Define the access vector interpretation for system operations.
+#
+
+class system
+{
+ ipc_info
+ avc_toggle
+ nfsd_control
+ bdflush
+ syslog_read
+ syslog_mod
+ syslog_console
+ ichsid
+}
+
+#
+# Define the access vector interpretation for controling capabilies
+#
+
+class capability
+{
+ # The capabilities are defined in include/linux/capability.h
+ # Care should be taken to ensure that these are consistent with
+ # those definitions. (Order matters)
+
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+ mknod
+ lease
+}
+
+ifdef(`enable_mls',`
+sensitivity s0;
+
+#
+# Define the ordering of the sensitivity levels (least to greatest)
+#
+dominance { s0 }
+
+
+#
+# Define the categories
+#
+# Each category has a name and zero or more aliases.
+#
+category c0; category c1; category c2; category c3;
+category c4; category c5; category c6; category c7;
+category c8; category c9; category c10; category c11;
+category c12; category c13; category c14; category c15;
+category c16; category c17; category c18; category c19;
+category c20; category c21; category c22; category c23;
+
+level s0:c0.c23;
+
+mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
+ ( h1 dom h2 );
+')
+
+type enable_optional;
+
+# Alias tests
+type alias_check_1_t;
+type alias_check_2_t;
+type alias_check_3_t;
+
+typealias alias_check_1_t alias alias_check_1_a;
+
+optional {
+ require {
+ type alias_check_2_t;
+ }
+ typealias alias_check_2_t alias alias_check_2_a;
+}
+
+optional {
+ require {
+ type alias_check_3_a;
+ }
+ allow alias_check_3_a enable_optional:file read;
+}
+
+########
+type fs_t;
+type system_t;
+type user_t;
+role system_r types system_t;
+role user_r types user_t;
+role sysadm_r types system_t;
+####################################
+# Booleans
+bool allow_ypbind true;
+bool secure_mode false;
+bool allow_execheap false;
+bool allow_execmem true;
+bool allow_execmod false;
+bool allow_execstack true;
+bool optional_bool_1 true;
+bool optional_bool_2 false;
+
+#####################################
+# users
+gen_user(system_u,, system_r, s0, s0 - s0:c0.c23)
+gen_user(root,, user_r sysadm_r, s0, s0 - s0:c0.c23)
+gen_user(joe,, user_r, s0, s0 - s0:c0.c23)
+
+#####################################
+# constraints
+
+
+####################################
+#line 1 "initial_sid_contexts"
+
+sid kernel gen_context(system_u:system_r:system_t, s0)
+
+
+############################################
+#line 1 "fs_use"
+#
+fs_use_xattr ext2 gen_context(system_u:object_r:fs_t, s0);
+fs_use_xattr ext3 gen_context(system_u:object_r:fs_t, s0);
+fs_use_xattr reiserfs gen_context(system_u:object_r:fs_t, s0);
+
+
+genfscon proc / gen_context(system_u:object_r:system_t, s0)
+
+
+####################################
+#line 1 "net_contexts"
+
+#portcon tcp 21 system_u:object_r:net_foo_t:s0
+
+#netifcon lo system_u:object_r:net_foo_t system_u:object_r:net_foo_t:s0
+
+#
+#nodecon 127.0.0.1 255.255.255.255 system_u:object_r:net_foo_t:s0
+
+nodecon ::1 FFFF:FFFF:FFFF:FFFF:: gen_context(system_u:object_r:system_t, s0)
+
+
+
+
diff --git a/tests/policies/test-expander/alias-module.conf b/tests/policies/test-expander/alias-module.conf
new file mode 100644
index 0000000..72d791e
--- /dev/null
+++ b/tests/policies/test-expander/alias-module.conf
@@ -0,0 +1,8 @@
+module my_module 1.0;
+
+require {
+ type alias_check_3_t;
+}
+
+typealias alias_check_3_t alias alias_check_3_a;
+
diff --git a/tests/policies/test-expander/base-base-only.conf b/tests/policies/test-expander/base-base-only.conf
new file mode 100644
index 0000000..80b87cc
--- /dev/null
+++ b/tests/policies/test-expander/base-base-only.conf
@@ -0,0 +1,43 @@
+class security
+class file
+
+sid kernel
+
+common file
+{
+ read
+}
+
+class file
+inherits file
+{
+ entrypoint
+}
+
+class security
+{
+ compute_av
+}
+
+ifdef(`enable_mls',`
+sensitivity s0;
+
+dominance { s0 }
+
+category c0;
+
+level s0:c0;
+
+mlsconstrain file { read }
+ ( h1 dom h2 );
+')
+
+attribute myattr;
+type mytype_t;
+role myrole_r types mytype_t;
+bool mybool true;
+gen_user(myuser_u,, myrole_r, s0, s0 - s0:c0)
+
+sid kernel gen_context(myuser_u:myrole_r:mytype_t, s0)
+
+
diff --git a/tests/policies/test-expander/module.conf b/tests/policies/test-expander/module.conf
new file mode 100644
index 0000000..6186db7
--- /dev/null
+++ b/tests/policies/test-expander/module.conf
@@ -0,0 +1,228 @@
+module my_module 1.0;
+
+require {
+ bool allow_ypbind, secure_mode, allow_execstack;
+ type system_t, sysadm_t;
+ class file {read write};
+ attribute attr_check_base_2, attr_check_base_3;
+ attribute attr_check_base_optional_2;
+}
+
+bool module_1_bool true;
+
+if (module_1_bool && allow_ypbind && secure_mode && allow_execstack) {
+ allow system_t sysadm_t : file { read write };
+}
+
+optional {
+ bool module_1_bool_2 false;
+ require {
+ bool optional_bool_1, optional_bool_2;
+ class file { execute ioctl };
+ }
+ if (optional_bool_1 && optional_bool_2 || module_1_bool_2) {
+ allow system_t sysadm_t : file {execute ioctl};
+ }
+}
+# Type - attribute mapping test
+type module_t;
+attribute attr_check_mod_1;
+attribute attr_check_mod_2;
+attribute attr_check_mod_3;
+attribute attr_check_mod_4;
+attribute attr_check_mod_5;
+attribute attr_check_mod_6;
+attribute attr_check_mod_7;
+attribute attr_check_mod_8;
+attribute attr_check_mod_9;
+attribute attr_check_mod_10;
+attribute attr_check_mod_11;
+optional {
+ require {
+ type base_t;
+ }
+ attribute attr_check_mod_optional_1;
+ attribute attr_check_mod_optional_2;
+ attribute attr_check_mod_optional_3;
+ attribute attr_check_mod_optional_4;
+ attribute attr_check_mod_optional_5;
+ attribute attr_check_mod_optional_6;
+ attribute attr_check_mod_optional_7;
+}
+optional {
+ require {
+ type does_not_exist_t;
+ }
+ attribute attr_check_mod_optional_disabled_4;
+ attribute attr_check_mod_optional_disabled_7;
+}
+type attr_check_base_2_1_t, attr_check_base_2;
+type attr_check_base_2_2_t;
+typeattribute attr_check_base_2_2_t attr_check_base_2;
+type attr_check_base_3_3_t, attr_check_base_3;
+type attr_check_base_3_4_t;
+typeattribute attr_check_base_3_4_t attr_check_base_3;
+optional {
+ require {
+ attribute attr_check_base_5;
+ }
+ type attr_check_base_5_1_t, attr_check_base_5;
+ type attr_check_base_5_2_t;
+ typeattribute attr_check_base_5_2_t attr_check_base_5;
+}
+optional {
+ require {
+ attribute attr_check_base_6;
+ }
+ type attr_check_base_6_3_t, attr_check_base_6;
+ type attr_check_base_6_4_t;
+ typeattribute attr_check_base_6_4_t attr_check_base_6;
+}
+optional {
+ require {
+ type does_not_exist_t;
+ attribute attr_check_base_8;
+ }
+ type attr_check_base_8_1_t, attr_check_base_8;
+ type attr_check_base_8_2_t;
+ typeattribute attr_check_base_8_2_t attr_check_base_8;
+}
+optional {
+ require {
+ type does_not_exist_t;
+ attribute attr_check_base_9;
+ }
+ type attr_check_base_9_3_t, attr_check_base_9;
+ type attr_check_base_9_4_t;
+ typeattribute attr_check_base_9_4_t attr_check_base_9;
+}
+optional {
+ require {
+ type does_not_exist_t;
+ attribute attr_check_base_10;
+ }
+ type attr_check_base_10_3_t, attr_check_base_10;
+ type attr_check_base_10_4_t;
+ typeattribute attr_check_base_10_4_t attr_check_base_10;
+}
+optional {
+ require {
+ attribute attr_check_base_11;
+ }
+ type attr_check_base_11_3_t, attr_check_base_11;
+ type attr_check_base_11_4_t;
+ typeattribute attr_check_base_11_4_t attr_check_base_11;
+}
+type attr_check_base_optional_2_1_t, attr_check_base_optional_2;
+type attr_check_base_optional_2_2_t;
+typeattribute attr_check_base_optional_2_2_t attr_check_base_optional_2;
+optional {
+ require {
+ attribute attr_check_base_optional_5;
+ }
+ type attr_check_base_optional_5_1_t, attr_check_base_optional_5;
+ type attr_check_base_optional_5_2_t;
+ typeattribute attr_check_base_optional_5_2_t attr_check_base_optional_5;
+}
+#optional {
+# require {
+# attribute attr_check_base_optional_6;
+# }
+# type attr_check_base_optional_6_3_t, attr_check_base_optional_6;
+# type attr_check_base_optional_6_4_t;
+# typeattribute attr_check_base_optional_6_4_t attr_check_base_optional_6;
+#}
+optional {
+ require {
+ type does_not_exist_t;
+ attribute attr_check_base_optional_8;
+ }
+ type attr_check_base_optional_8_1_t, attr_check_base_optional_8;
+ type attr_check_base_optional_8_2_t;
+ typeattribute attr_check_base_optional_8_2_t attr_check_base_optional_8;
+}
+type attr_check_mod_2_1_t, attr_check_mod_2;
+type attr_check_mod_2_2_t;
+typeattribute attr_check_mod_2_2_t attr_check_mod_2;
+optional {
+ require {
+ attribute attr_check_mod_5;
+ }
+ type attr_check_mod_5_1_t, attr_check_mod_5;
+ type attr_check_mod_5_2_t;
+ typeattribute attr_check_mod_5_2_t attr_check_mod_5;
+}
+optional {
+ require {
+ attribute attr_check_mod_6;
+ }
+ type attr_check_mod_6_3_t, attr_check_mod_6;
+ type attr_check_mod_6_4_t;
+ typeattribute attr_check_mod_6_4_t attr_check_mod_6;
+}
+optional {
+ require {
+ type does_not_exist_t;
+ }
+ type attr_check_mod_8_1_t, attr_check_mod_8;
+ type attr_check_mod_8_2_t;
+ typeattribute attr_check_mod_8_2_t attr_check_mod_8;
+}
+optional {
+ require {
+ type does_not_exist_t;
+ }
+ type attr_check_mod_9_3_t, attr_check_mod_9;
+ type attr_check_mod_9_4_t;
+ typeattribute attr_check_mod_9_4_t attr_check_mod_9;
+}
+optional {
+ require {
+ type does_not_exist_t;
+ }
+ type attr_check_mod_10_3_t, attr_check_mod_10;
+ type attr_check_mod_10_4_t;
+ typeattribute attr_check_mod_10_4_t attr_check_mod_10;
+}
+optional {
+ require {
+ type base_t;
+ }
+ type attr_check_mod_11_3_t, attr_check_mod_11;
+ type attr_check_mod_11_4_t;
+ typeattribute attr_check_mod_11_4_t attr_check_mod_11;
+}
+#optional {
+# require {
+# attribute attr_check_mod_optional_5;
+# }
+# type attr_check_mod_optional_5_1_t, attr_check_mod_optional_5;
+# type attr_check_mod_optional_5_2_t;
+# typeattribute attr_check_mod_optional_5_2_t attr_check_mod_optional_5;
+#}
+#optional {
+# require {
+# attribute attr_check_mod_optional_6;
+# }
+# type attr_check_mod_optional_6_3_t, attr_check_mod_optional_6;
+# type attr_check_mod_optional_6_4_t;
+# typeattribute attr_check_mod_optional_6_4_t attr_check_mod_optional_6;
+#}
+optional {
+ require {
+ attribute attr_check_base_optional_disabled_5;
+ }
+ type attr_check_base_optional_disabled_5_1_t, attr_check_base_optional_disabled_5;
+ type attr_check_base_optional_disabled_5_2_t;
+ typeattribute attr_check_base_optional_disabled_5_2_t attr_check_base_optional_disabled_5;
+}
+optional {
+ require {
+ type does_not_exist_t;
+ attribute attr_check_base_optional_disabled_8;
+ }
+ type attr_check_base_optional_disabled_8_1_t, attr_check_base_optional_disabled_8;
+ type attr_check_base_optional_disabled_8_2_t;
+ typeattribute attr_check_base_optional_disabled_8_2_t attr_check_base_optional_disabled_8;
+}
+
diff --git a/tests/policies/test-expander/role-base.conf b/tests/policies/test-expander/role-base.conf
new file mode 100644
index 0000000..219987c
--- /dev/null
+++ b/tests/policies/test-expander/role-base.conf
@@ -0,0 +1,479 @@
+# FLASK
+
+#
+# Define the security object classes
+#
+
+class security
+class process
+class system
+class capability
+
+# file-related classes
+class filesystem
+class file
+class dir
+class fd
+class lnk_file
+class chr_file
+class blk_file
+class sock_file
+class fifo_file
+
+# network-related classes
+class socket
+class tcp_socket
+class udp_socket
+class rawip_socket
+class node
+class netif
+class netlink_socket
+class packet_socket
+class key_socket
+class unix_stream_socket
+class unix_dgram_socket
+
+# sysv-ipc-related clases
+class sem
+class msg
+class msgq
+class shm
+class ipc
+
+# FLASK
+# FLASK
+
+#
+# Define initial security identifiers
+#
+
+sid kernel
+
+
+# FLASK
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ unlink
+ link
+ rename
+ execute
+ swapon
+ quotaon
+ mounton
+}
+
+
+#
+# Define a common prefix for socket access vectors.
+#
+
+common socket
+{
+# inherited from file
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+# socket-specific
+ bind
+ connect
+ listen
+ accept
+ getopt
+ setopt
+ shutdown
+ recvfrom
+ sendto
+ recv_msg
+ send_msg
+ name_bind
+}
+
+#
+# Define a common prefix for ipc access vectors.
+#
+
+common ipc
+{
+ create
+ destroy
+ getattr
+ setattr
+ read
+ write
+ associate
+ unix_read
+ unix_write
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class filesystem
+{
+ mount
+ remount
+ unmount
+ getattr
+ relabelfrom
+ relabelto
+ transition
+ associate
+ quotamod
+ quotaget
+}
+
+class dir
+inherits file
+{
+ add_name
+ remove_name
+ reparent
+ search
+ rmdir
+}
+
+class file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+}
+
+class lnk_file
+inherits file
+
+class chr_file
+inherits file
+
+class blk_file
+inherits file
+
+class sock_file
+inherits file
+
+class fifo_file
+inherits file
+
+class fd
+{
+ use
+}
+
+
+#
+# Define the access vector interpretation for network-related objects.
+#
+
+class socket
+inherits socket
+
+class tcp_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+}
+
+class udp_socket
+inherits socket
+
+class rawip_socket
+inherits socket
+
+class node
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+ enforce_dest
+}
+
+class netif
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+}
+
+class netlink_socket
+inherits socket
+
+class packet_socket
+inherits socket
+
+class key_socket
+inherits socket
+
+class unix_stream_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+}
+
+class unix_dgram_socket
+inherits socket
+
+
+#
+# Define the access vector interpretation for process-related objects
+#
+
+class process
+{
+ fork
+ transition
+ sigchld # commonly granted from child to parent
+ sigkill # cannot be caught or ignored
+ sigstop # cannot be caught or ignored
+ signull # for kill(pid, 0)
+ signal # all other signals
+ ptrace
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ share
+}
+
+
+#
+# Define the access vector interpretation for ipc-related objects
+#
+
+class ipc
+inherits ipc
+
+class sem
+inherits ipc
+
+class msgq
+inherits ipc
+{
+ enqueue
+}
+
+class msg
+{
+ send
+ receive
+}
+
+class shm
+inherits ipc
+{
+ lock
+}
+
+
+#
+# Define the access vector interpretation for the security server.
+#
+
+class security
+{
+ compute_av
+ transition_sid
+ member_sid
+ sid_to_context
+ context_to_sid
+ load_policy
+ get_sids
+ change_sid
+ get_user_sids
+}
+
+
+#
+# Define the access vector interpretation for system operations.
+#
+
+class system
+{
+ ipc_info
+ avc_toggle
+ nfsd_control
+ bdflush
+ syslog_read
+ syslog_mod
+ syslog_console
+ ichsid
+}
+
+#
+# Define the access vector interpretation for controling capabilies
+#
+
+class capability
+{
+ # The capabilities are defined in include/linux/capability.h
+ # Care should be taken to ensure that these are consistent with
+ # those definitions. (Order matters)
+
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+ mknod
+ lease
+}
+
+ifdef(`enable_mls',`
+sensitivity s0;
+
+#
+# Define the ordering of the sensitivity levels (least to greatest)
+#
+dominance { s0 }
+
+
+#
+# Define the categories
+#
+# Each category has a name and zero or more aliases.
+#
+category c0; category c1; category c2; category c3;
+category c4; category c5; category c6; category c7;
+category c8; category c9; category c10; category c11;
+category c12; category c13; category c14; category c15;
+category c16; category c17; category c18; category c19;
+category c20; category c21; category c22; category c23;
+
+level s0:c0.c23;
+
+mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
+ ( h1 dom h2 );
+')
+
+# Role mapping test
+type role_check_1_1_t;
+role role_check_1 types role_check_1_1_t;
+
+########
+type fs_t;
+type system_t;
+type user_t;
+role system_r types system_t;
+role user_r types user_t;
+role sysadm_r types system_t;
+####################################
+# Booleans
+bool allow_ypbind true;
+bool secure_mode false;
+bool allow_execheap false;
+bool allow_execmem true;
+bool allow_execmod false;
+bool allow_execstack true;
+bool optional_bool_1 true;
+bool optional_bool_2 false;
+
+#####################################
+# users
+gen_user(system_u,, system_r, s0, s0 - s0:c0.c23)
+gen_user(root,, user_r sysadm_r, s0, s0 - s0:c0.c23)
+gen_user(joe,, user_r, s0, s0 - s0:c0.c23)
+
+#####################################
+# constraints
+
+
+####################################
+#line 1 "initial_sid_contexts"
+
+sid kernel gen_context(system_u:system_r:system_t, s0)
+
+
+############################################
+#line 1 "fs_use"
+#
+fs_use_xattr ext2 gen_context(system_u:object_r:fs_t, s0);
+fs_use_xattr ext3 gen_context(system_u:object_r:fs_t, s0);
+fs_use_xattr reiserfs gen_context(system_u:object_r:fs_t, s0);
+
+
+genfscon proc / gen_context(system_u:object_r:system_t, s0)
+
+
+####################################
+#line 1 "net_contexts"
+
+#portcon tcp 21 system_u:object_r:net_foo_t:s0
+
+#netifcon lo system_u:object_r:net_foo_t system_u:object_r:net_foo_t:s0
+
+#
+#nodecon 127.0.0.1 255.255.255.255 system_u:object_r:net_foo_t:s0
+
+nodecon ::1 FFFF:FFFF:FFFF:FFFF:: gen_context(system_u:object_r:system_t, s0)
+
+
+
+
diff --git a/tests/policies/test-expander/role-module.conf b/tests/policies/test-expander/role-module.conf
new file mode 100644
index 0000000..1cc5d22
--- /dev/null
+++ b/tests/policies/test-expander/role-module.conf
@@ -0,0 +1,9 @@
+module my_module 1.0;
+
+require {
+ class file {read write};
+ role role_check_1;
+}
+
+type role_check_1_2_t;
+role role_check_1 types role_check_1_2_t;
diff --git a/tests/policies/test-expander/small-base.conf b/tests/policies/test-expander/small-base.conf
new file mode 100644
index 0000000..6f45a28
--- /dev/null
+++ b/tests/policies/test-expander/small-base.conf
@@ -0,0 +1,718 @@
+# FLASK
+
+#
+# Define the security object classes
+#
+
+class security
+class process
+class system
+class capability
+
+# file-related classes
+class filesystem
+class file
+class dir
+class fd
+class lnk_file
+class chr_file
+class blk_file
+class sock_file
+class fifo_file
+
+# network-related classes
+class socket
+class tcp_socket
+class udp_socket
+class rawip_socket
+class node
+class netif
+class netlink_socket
+class packet_socket
+class key_socket
+class unix_stream_socket
+class unix_dgram_socket
+
+# sysv-ipc-related clases
+class sem
+class msg
+class msgq
+class shm
+class ipc
+
+# FLASK
+# FLASK
+
+#
+# Define initial security identifiers
+#
+
+sid kernel
+
+
+# FLASK
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ unlink
+ link
+ rename
+ execute
+ swapon
+ quotaon
+ mounton
+}
+
+
+#
+# Define a common prefix for socket access vectors.
+#
+
+common socket
+{
+# inherited from file
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+# socket-specific
+ bind
+ connect
+ listen
+ accept
+ getopt
+ setopt
+ shutdown
+ recvfrom
+ sendto
+ recv_msg
+ send_msg
+ name_bind
+}
+
+#
+# Define a common prefix for ipc access vectors.
+#
+
+common ipc
+{
+ create
+ destroy
+ getattr
+ setattr
+ read
+ write
+ associate
+ unix_read
+ unix_write
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class filesystem
+{
+ mount
+ remount
+ unmount
+ getattr
+ relabelfrom
+ relabelto
+ transition
+ associate
+ quotamod
+ quotaget
+}
+
+class dir
+inherits file
+{
+ add_name
+ remove_name
+ reparent
+ search
+ rmdir
+}
+
+class file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+}
+
+class lnk_file
+inherits file
+
+class chr_file
+inherits file
+
+class blk_file
+inherits file
+
+class sock_file
+inherits file
+
+class fifo_file
+inherits file
+
+class fd
+{
+ use
+}
+
+
+#
+# Define the access vector interpretation for network-related objects.
+#
+
+class socket
+inherits socket
+
+class tcp_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+}
+
+class udp_socket
+inherits socket
+
+class rawip_socket
+inherits socket
+
+class node
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+ enforce_dest
+}
+
+class netif
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+}
+
+class netlink_socket
+inherits socket
+
+class packet_socket
+inherits socket
+
+class key_socket
+inherits socket
+
+class unix_stream_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+}
+
+class unix_dgram_socket
+inherits socket
+
+
+#
+# Define the access vector interpretation for process-related objects
+#
+
+class process
+{
+ fork
+ transition
+ sigchld # commonly granted from child to parent
+ sigkill # cannot be caught or ignored
+ sigstop # cannot be caught or ignored
+ signull # for kill(pid, 0)
+ signal # all other signals
+ ptrace
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ share
+}
+
+
+#
+# Define the access vector interpretation for ipc-related objects
+#
+
+class ipc
+inherits ipc
+
+class sem
+inherits ipc
+
+class msgq
+inherits ipc
+{
+ enqueue
+}
+
+class msg
+{
+ send
+ receive
+}
+
+class shm
+inherits ipc
+{
+ lock
+}
+
+
+#
+# Define the access vector interpretation for the security server.
+#
+
+class security
+{
+ compute_av
+ transition_sid
+ member_sid
+ sid_to_context
+ context_to_sid
+ load_policy
+ get_sids
+ change_sid
+ get_user_sids
+}
+
+
+#
+# Define the access vector interpretation for system operations.
+#
+
+class system
+{
+ ipc_info
+ avc_toggle
+ nfsd_control
+ bdflush
+ syslog_read
+ syslog_mod
+ syslog_console
+ ichsid
+}
+
+#
+# Define the access vector interpretation for controling capabilies
+#
+
+class capability
+{
+ # The capabilities are defined in include/linux/capability.h
+ # Care should be taken to ensure that these are consistent with
+ # those definitions. (Order matters)
+
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+ mknod
+ lease
+}
+
+ifdef(`enable_mls',`
+sensitivity s0;
+
+#
+# Define the ordering of the sensitivity levels (least to greatest)
+#
+dominance { s0 }
+
+
+#
+# Define the categories
+#
+# Each category has a name and zero or more aliases.
+#
+category c0; category c1; category c2; category c3;
+category c4; category c5; category c6; category c7;
+category c8; category c9; category c10; category c11;
+category c12; category c13; category c14; category c15;
+category c16; category c17; category c18; category c19;
+category c20; category c21; category c22; category c23;
+
+level s0:c0.c23;
+
+mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
+ ( h1 dom h2 );
+')
+
+####################################
+####################################
+#####################################
+# TE RULES
+attribute domain;
+attribute system;
+attribute foo;
+attribute num;
+attribute num_exec;
+attribute files;
+
+# Type - attribute mapping test
+# Shorthand tests
+# 1 = types in base, 2 = types in mod, 3 = types in both
+# 4 = types in optional in base, 5 = types in optional in mod
+# 6 = types in optional in both
+# 7 = types in disabled optional in base
+# 8 = types in disabled optional in module
+# 9 = types in disabled optional in both
+# 10 = types in enabled optional in base, disabled optional in module
+# 11 = types in disabled optional in base, enabled optional in module
+attribute attr_check_base_1;
+attribute attr_check_base_2;
+attribute attr_check_base_3;
+attribute attr_check_base_4;
+attribute attr_check_base_5;
+attribute attr_check_base_6;
+attribute attr_check_base_7;
+attribute attr_check_base_8;
+attribute attr_check_base_9;
+attribute attr_check_base_10;
+attribute attr_check_base_11;
+optional {
+ require {
+ type module_t;
+ }
+ attribute attr_check_base_optional_1;
+ attribute attr_check_base_optional_2;
+ attribute attr_check_base_optional_3;
+ attribute attr_check_base_optional_4;
+ attribute attr_check_base_optional_5;
+ attribute attr_check_base_optional_6;
+ attribute attr_check_base_optional_8;
+}
+optional {
+ require {
+ type does_not_exist_t;
+ }
+ attribute attr_check_base_optional_disabled_5;
+ attribute attr_check_base_optional_disabled_8;
+}
+
+type net_foo_t, foo;
+type sys_foo_t, foo, system;
+role system_r types sys_foo_t;
+
+type user_t, domain;
+role user_r types user_t;
+
+type sysadm_t, domain, system;
+role sysadm_r types sysadm_t;
+
+type system_t, domain, system, foo;
+role system_r types { system_t sys_foo_t };
+
+type file_t;
+type file_exec_t, files;
+type fs_t;
+type base_optional_1;
+type base_optional_2;
+
+allow sysadm_t file_exec_t: file { execute read write ioctl lock entrypoint };
+
+optional {
+ require {
+ type base_optional_1, base_optional_2;
+ }
+ allow base_optional_1 base_optional_2 : file { read write };
+}
+
+# Type - attribute mapping test
+type base_t;
+type attr_check_base_1_1_t, attr_check_base_1;
+type attr_check_base_1_2_t;
+typeattribute attr_check_base_1_2_t attr_check_base_1;
+type attr_check_base_3_1_t, attr_check_base_3;
+type attr_check_base_3_2_t;
+typeattribute attr_check_base_3_2_t attr_check_base_3;
+optional {
+ require {
+ attribute attr_check_base_4;
+ }
+ type attr_check_base_4_1_t, attr_check_base_4;
+ type attr_check_base_4_2_t;
+ typeattribute attr_check_base_4_2_t attr_check_base_4;
+}
+optional {
+ require {
+ type module_t;
+ }
+ type attr_check_base_6_1_t, attr_check_base_6;
+ type attr_check_base_6_2_t;
+ typeattribute attr_check_base_6_2_t attr_check_base_6;
+}
+optional {
+ require {
+ type does_not_exist_t;
+ }
+ type attr_check_base_7_1_t, attr_check_base_7;
+ type attr_check_base_7_2_t;
+ typeattribute attr_check_base_7_2_t attr_check_base_7;
+}
+optional {
+ require {
+ type does_not_exist_t;
+ }
+ type attr_check_base_9_1_t, attr_check_base_9;
+ type attr_check_base_9_2_t;
+ typeattribute attr_check_base_9_2_t attr_check_base_9;
+}
+optional {
+ require {
+ type module_t;
+ }
+ type attr_check_base_10_1_t, attr_check_base_10;
+ type attr_check_base_10_2_t;
+ typeattribute attr_check_base_10_2_t attr_check_base_10;
+}
+optional {
+ require {
+ type does_not_exist_t;
+ }
+ type attr_check_base_11_1_t, attr_check_base_11;
+ type attr_check_base_11_2_t;
+ typeattribute attr_check_base_11_2_t attr_check_base_11;
+}
+#optional {
+# require {
+# attribute attr_check_base_optional_4;
+# }
+# type attr_check_base_optional_4_1_t, attr_check_base_optional_4;
+# type attr_check_base_optional_4_2_t;
+# typeattribute attr_check_base_optional_4_2_t attr_check_base_optional_4;
+#}
+#optional {
+# require {
+# attribute attr_check_base_optional_6;
+# }
+# type attr_check_base_optional_6_1_t, attr_check_base_optional_6;
+# type attr_check_base_optional_6_2_t;
+# typeattribute attr_check_base_optional_6_2_t attr_check_base_optional_6;
+#}
+optional {
+ require {
+ attribute attr_check_mod_4;
+ }
+ type attr_check_mod_4_1_t, attr_check_mod_4;
+ type attr_check_mod_4_2_t;
+ typeattribute attr_check_mod_4_2_t attr_check_mod_4;
+}
+optional {
+ require {
+ attribute attr_check_mod_6;
+ }
+ type attr_check_mod_6_1_t, attr_check_mod_6;
+ type attr_check_mod_6_2_t;
+ typeattribute attr_check_mod_6_2_t attr_check_mod_6;
+}
+optional {
+ require {
+ type does_not_exist_t;
+ attribute attr_check_mod_7;
+ }
+ type attr_check_mod_7_1_t, attr_check_mod_7;
+ type attr_check_mod_7_2_t;
+ typeattribute attr_check_mod_7_2_t attr_check_mod_7;
+}
+optional {
+ require {
+ type does_not_exist_t;
+ attribute attr_check_mod_9;
+ }
+ type attr_check_mod_9_1_t, attr_check_mod_9;
+ type attr_check_mod_9_2_t;
+ typeattribute attr_check_mod_9_2_t attr_check_mod_9;
+}
+optional {
+ require {
+ attribute attr_check_mod_10;
+ }
+ type attr_check_mod_10_1_t, attr_check_mod_10;
+ type attr_check_mod_10_2_t;
+ typeattribute attr_check_mod_10_2_t attr_check_mod_10;
+}
+optional {
+ require {
+ type does_not_exist_t;
+ attribute attr_check_mod_11;
+ }
+ type attr_check_mod_11_1_t, attr_check_mod_11;
+ type attr_check_mod_11_2_t;
+ typeattribute attr_check_mod_11_2_t attr_check_mod_11;
+}
+optional {
+ require {
+ attribute attr_check_mod_optional_4;
+ }
+ type attr_check_mod_optional_4_1_t, attr_check_mod_optional_4;
+ type attr_check_mod_optional_4_2_t;
+ typeattribute attr_check_mod_optional_4_2_t attr_check_mod_optional_4;
+}
+optional {
+ require {
+ attribute attr_check_mod_optional_6;
+ }
+ type attr_check_mod_optional_6_1_t, attr_check_mod_optional_6;
+ type attr_check_mod_optional_6_2_t;
+ typeattribute attr_check_mod_optional_6_2_t attr_check_mod_optional_6;
+}
+optional {
+ require {
+ type does_not_exist_t;
+ attribute attr_check_mod_optional_7;
+ }
+ type attr_check_mod_optional_7_1_t, attr_check_mod_optional_7;
+ type attr_check_mod_optional_7_2_t;
+ typeattribute attr_check_mod_optional_7_2_t attr_check_mod_optional_7;
+}
+optional {
+ require {
+ attribute attr_check_mod_optional_disabled_4;
+ }
+ type attr_check_mod_optional_disabled_4_1_t, attr_check_mod_optional_disabled_4;
+ type attr_check_mod_optional_disabled_4_2_t;
+ typeattribute attr_check_mod_optional_disabled_4_2_t attr_check_mod_optional_disabled_4;
+}
+optional {
+ require {
+ type does_not_exist_t;
+ attribute attr_check_mod_optional_disabled_7;
+ }
+ type attr_check_mod_optional_disabled_7_1_t, attr_check_mod_optional_disabled_7;
+ type attr_check_mod_optional_disabled_7_2_t;
+ typeattribute attr_check_mod_optional_disabled_7_2_t attr_check_mod_optional_disabled_7;
+}
+
+#####################################
+# Role Allow
+allow user_r sysadm_r;
+
+####################################
+# Booleans
+bool allow_ypbind true;
+bool secure_mode false;
+bool allow_execheap false;
+bool allow_execmem true;
+bool allow_execmod false;
+bool allow_execstack true;
+bool optional_bool_1 true;
+bool optional_bool_2 false;
+
+#####################################
+# users
+gen_user(system_u,, system_r, s0, s0 - s0:c0.c23)
+gen_user(root,, user_r sysadm_r, s0, s0 - s0:c0.c23)
+gen_user(joe,, user_r, s0, s0 - s0:c0.c23)
+
+#####################################
+# constraints
+
+
+####################################
+#line 1 "initial_sid_contexts"
+
+sid kernel gen_context(system_u:system_r:sys_foo_t, s0)
+
+
+############################################
+#line 1 "fs_use"
+#
+fs_use_xattr ext2 gen_context(system_u:object_r:fs_t, s0);
+fs_use_xattr ext3 gen_context(system_u:object_r:fs_t, s0);
+fs_use_xattr reiserfs gen_context(system_u:object_r:fs_t, s0);
+
+
+genfscon proc / gen_context(system_u:object_r:sys_foo_t, s0)
+
+
+####################################
+#line 1 "net_contexts"
+
+#portcon tcp 21 system_u:object_r:net_foo_t:s0
+
+#netifcon lo system_u:object_r:net_foo_t system_u:object_r:net_foo_t:s0
+
+#
+#nodecon 127.0.0.1 255.255.255.255 system_u:object_r:net_foo_t:s0
+
+nodecon ::1 FFFF:FFFF:FFFF:FFFF:: gen_context(system_u:object_r:net_foo_t, s0)
+
+
+
+
diff --git a/tests/policies/test-expander/user-base.conf b/tests/policies/test-expander/user-base.conf
new file mode 100644
index 0000000..660152e
--- /dev/null
+++ b/tests/policies/test-expander/user-base.conf
@@ -0,0 +1,482 @@
+# FLASK
+
+#
+# Define the security object classes
+#
+
+class security
+class process
+class system
+class capability
+
+# file-related classes
+class filesystem
+class file
+class dir
+class fd
+class lnk_file
+class chr_file
+class blk_file
+class sock_file
+class fifo_file
+
+# network-related classes
+class socket
+class tcp_socket
+class udp_socket
+class rawip_socket
+class node
+class netif
+class netlink_socket
+class packet_socket
+class key_socket
+class unix_stream_socket
+class unix_dgram_socket
+
+# sysv-ipc-related clases
+class sem
+class msg
+class msgq
+class shm
+class ipc
+
+# FLASK
+# FLASK
+
+#
+# Define initial security identifiers
+#
+
+sid kernel
+
+
+# FLASK
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ unlink
+ link
+ rename
+ execute
+ swapon
+ quotaon
+ mounton
+}
+
+
+#
+# Define a common prefix for socket access vectors.
+#
+
+common socket
+{
+# inherited from file
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+# socket-specific
+ bind
+ connect
+ listen
+ accept
+ getopt
+ setopt
+ shutdown
+ recvfrom
+ sendto
+ recv_msg
+ send_msg
+ name_bind
+}
+
+#
+# Define a common prefix for ipc access vectors.
+#
+
+common ipc
+{
+ create
+ destroy
+ getattr
+ setattr
+ read
+ write
+ associate
+ unix_read
+ unix_write
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class filesystem
+{
+ mount
+ remount
+ unmount
+ getattr
+ relabelfrom
+ relabelto
+ transition
+ associate
+ quotamod
+ quotaget
+}
+
+class dir
+inherits file
+{
+ add_name
+ remove_name
+ reparent
+ search
+ rmdir
+}
+
+class file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+}
+
+class lnk_file
+inherits file
+
+class chr_file
+inherits file
+
+class blk_file
+inherits file
+
+class sock_file
+inherits file
+
+class fifo_file
+inherits file
+
+class fd
+{
+ use
+}
+
+
+#
+# Define the access vector interpretation for network-related objects.
+#
+
+class socket
+inherits socket
+
+class tcp_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+}
+
+class udp_socket
+inherits socket
+
+class rawip_socket
+inherits socket
+
+class node
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+ enforce_dest
+}
+
+class netif
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+}
+
+class netlink_socket
+inherits socket
+
+class packet_socket
+inherits socket
+
+class key_socket
+inherits socket
+
+class unix_stream_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+}
+
+class unix_dgram_socket
+inherits socket
+
+
+#
+# Define the access vector interpretation for process-related objects
+#
+
+class process
+{
+ fork
+ transition
+ sigchld # commonly granted from child to parent
+ sigkill # cannot be caught or ignored
+ sigstop # cannot be caught or ignored
+ signull # for kill(pid, 0)
+ signal # all other signals
+ ptrace
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ share
+}
+
+
+#
+# Define the access vector interpretation for ipc-related objects
+#
+
+class ipc
+inherits ipc
+
+class sem
+inherits ipc
+
+class msgq
+inherits ipc
+{
+ enqueue
+}
+
+class msg
+{
+ send
+ receive
+}
+
+class shm
+inherits ipc
+{
+ lock
+}
+
+
+#
+# Define the access vector interpretation for the security server.
+#
+
+class security
+{
+ compute_av
+ transition_sid
+ member_sid
+ sid_to_context
+ context_to_sid
+ load_policy
+ get_sids
+ change_sid
+ get_user_sids
+}
+
+
+#
+# Define the access vector interpretation for system operations.
+#
+
+class system
+{
+ ipc_info
+ avc_toggle
+ nfsd_control
+ bdflush
+ syslog_read
+ syslog_mod
+ syslog_console
+ ichsid
+}
+
+#
+# Define the access vector interpretation for controling capabilies
+#
+
+class capability
+{
+ # The capabilities are defined in include/linux/capability.h
+ # Care should be taken to ensure that these are consistent with
+ # those definitions. (Order matters)
+
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+ mknod
+ lease
+}
+
+ifdef(`enable_mls',`
+sensitivity s0;
+
+#
+# Define the ordering of the sensitivity levels (least to greatest)
+#
+dominance { s0 }
+
+
+#
+# Define the categories
+#
+# Each category has a name and zero or more aliases.
+#
+category c0; category c1; category c2; category c3;
+category c4; category c5; category c6; category c7;
+category c8; category c9; category c10; category c11;
+category c12; category c13; category c14; category c15;
+category c16; category c17; category c18; category c19;
+category c20; category c21; category c22; category c23;
+
+level s0:c0.c23;
+
+mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
+ ( h1 dom h2 );
+')
+
+# User mapping test
+type user_check_1_1_t;
+type user_check_1_2_t;
+role user_check_1_1_r types user_check_1_1_t;
+role user_check_1_2_r types user_check_1_2_t;
+
+########
+type fs_t;
+type system_t;
+type user_t;
+role system_r types system_t;
+role user_r types user_t;
+role sysadm_r types system_t;
+####################################
+# Booleans
+bool allow_ypbind true;
+bool secure_mode false;
+bool allow_execheap false;
+bool allow_execmem true;
+bool allow_execmod false;
+bool allow_execstack true;
+bool optional_bool_1 true;
+bool optional_bool_2 false;
+
+#####################################
+# users
+gen_user(user_check_1,, user_check_1_1_r user_check_1_2_r, s0, s0 - s0:c0.c23)
+gen_user(system_u,, system_r, s0, s0 - s0:c0.c23)
+gen_user(root,, user_r sysadm_r, s0, s0 - s0:c0.c23)
+gen_user(joe,, user_r, s0, s0 - s0:c0.c23)
+
+#####################################
+# constraints
+
+
+####################################
+#line 1 "initial_sid_contexts"
+
+sid kernel gen_context(system_u:system_r:system_t, s0)
+
+
+############################################
+#line 1 "fs_use"
+#
+fs_use_xattr ext2 gen_context(system_u:object_r:fs_t, s0);
+fs_use_xattr ext3 gen_context(system_u:object_r:fs_t, s0);
+fs_use_xattr reiserfs gen_context(system_u:object_r:fs_t, s0);
+
+
+genfscon proc / gen_context(system_u:object_r:system_t, s0)
+
+
+####################################
+#line 1 "net_contexts"
+
+#portcon tcp 21 system_u:object_r:net_foo_t:s0
+
+#netifcon lo system_u:object_r:net_foo_t system_u:object_r:net_foo_t:s0
+
+#
+#nodecon 127.0.0.1 255.255.255.255 system_u:object_r:net_foo_t:s0
+
+nodecon ::1 FFFF:FFFF:FFFF:FFFF:: gen_context(system_u:object_r:system_t, s0)
+
+
+
+
diff --git a/tests/policies/test-expander/user-module.conf b/tests/policies/test-expander/user-module.conf
new file mode 100644
index 0000000..4ef3e62
--- /dev/null
+++ b/tests/policies/test-expander/user-module.conf
@@ -0,0 +1,9 @@
+module my_module 1.0;
+
+require {
+ class file {read write};
+ifdef(`enable_mls',`
+ user user_check_1;
+')
+}
+
diff --git a/tests/policies/test-hooks/cmp_policy.conf b/tests/policies/test-hooks/cmp_policy.conf
new file mode 100644
index 0000000..ec1e234
--- /dev/null
+++ b/tests/policies/test-hooks/cmp_policy.conf
@@ -0,0 +1,471 @@
+# FLASK
+
+#
+# Define the security object classes
+#
+
+class security
+class process
+class system
+class capability
+
+# file-related classes
+class filesystem
+class file
+class dir
+class fd
+class lnk_file
+class chr_file
+class blk_file
+class sock_file
+class fifo_file
+
+# network-related classes
+class socket
+class tcp_socket
+class udp_socket
+class rawip_socket
+class node
+class netif
+class netlink_socket
+class packet_socket
+class key_socket
+class unix_stream_socket
+class unix_dgram_socket
+
+# sysv-ipc-related clases
+class sem
+class msg
+class msgq
+class shm
+class ipc
+
+# FLASK
+# FLASK
+
+#
+# Define initial security identifiers
+#
+
+sid kernel
+
+
+# FLASK
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ unlink
+ link
+ rename
+ execute
+ swapon
+ quotaon
+ mounton
+}
+
+
+#
+# Define a common prefix for socket access vectors.
+#
+
+common socket
+{
+# inherited from file
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+# socket-specific
+ bind
+ connect
+ listen
+ accept
+ getopt
+ setopt
+ shutdown
+ recvfrom
+ sendto
+ recv_msg
+ send_msg
+ name_bind
+}
+
+#
+# Define a common prefix for ipc access vectors.
+#
+
+common ipc
+{
+ create
+ destroy
+ getattr
+ setattr
+ read
+ write
+ associate
+ unix_read
+ unix_write
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class filesystem
+{
+ mount
+ remount
+ unmount
+ getattr
+ relabelfrom
+ relabelto
+ transition
+ associate
+ quotamod
+ quotaget
+}
+
+class dir
+inherits file
+{
+ add_name
+ remove_name
+ reparent
+ search
+ rmdir
+}
+
+class file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+}
+
+class lnk_file
+inherits file
+
+class chr_file
+inherits file
+
+class blk_file
+inherits file
+
+class sock_file
+inherits file
+
+class fifo_file
+inherits file
+
+class fd
+{
+ use
+}
+
+
+#
+# Define the access vector interpretation for network-related objects.
+#
+
+class socket
+inherits socket
+
+class tcp_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+}
+
+class udp_socket
+inherits socket
+
+class rawip_socket
+inherits socket
+
+class node
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+ enforce_dest
+}
+
+class netif
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+}
+
+class netlink_socket
+inherits socket
+
+class packet_socket
+inherits socket
+
+class key_socket
+inherits socket
+
+class unix_stream_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+}
+
+class unix_dgram_socket
+inherits socket
+
+
+#
+# Define the access vector interpretation for process-related objects
+#
+
+class process
+{
+ fork
+ transition
+ sigchld # commonly granted from child to parent
+ sigkill # cannot be caught or ignored
+ sigstop # cannot be caught or ignored
+ signull # for kill(pid, 0)
+ signal # all other signals
+ ptrace
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ share
+}
+
+
+#
+# Define the access vector interpretation for ipc-related objects
+#
+
+class ipc
+inherits ipc
+
+class sem
+inherits ipc
+
+class msgq
+inherits ipc
+{
+ enqueue
+}
+
+class msg
+{
+ send
+ receive
+}
+
+class shm
+inherits ipc
+{
+ lock
+}
+
+
+#
+# Define the access vector interpretation for the security server.
+#
+
+class security
+{
+ compute_av
+ transition_sid
+ member_sid
+ sid_to_context
+ context_to_sid
+ load_policy
+ get_sids
+ change_sid
+ get_user_sids
+}
+
+
+#
+# Define the access vector interpretation for system operations.
+#
+
+class system
+{
+ ipc_info
+ avc_toggle
+ nfsd_control
+ bdflush
+ syslog_read
+ syslog_mod
+ syslog_console
+ ichsid
+}
+
+#
+# Define the access vector interpretation for controling capabilies
+#
+
+class capability
+{
+ # The capabilities are defined in include/linux/capability.h
+ # Care should be taken to ensure that these are consistent with
+ # those definitions. (Order matters)
+
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+ mknod
+ lease
+}
+
+ifdef(`enable_mls',`
+sensitivity s0;
+
+#
+# Define the ordering of the sensitivity levels (least to greatest)
+#
+dominance { s0 }
+
+
+#
+# Define the categories
+#
+# Each category has a name and zero or more aliases.
+#
+category c0; category c1; category c2; category c3;
+category c4; category c5; category c6; category c7;
+category c8; category c9; category c10; category c11;
+category c12; category c13; category c14; category c15;
+category c16; category c17; category c18; category c19;
+category c20; category c21; category c22; category c23;
+
+level s0:c0.c23;
+
+mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
+ ( h1 dom h2 );
+')
+
+####################################
+####################################
+#####################################
+
+#g_b stands for global base
+
+type g_b_type_1;
+role g_b_role_1 types g_b_type_1;
+
+role g_b_role_2 types g_b_type_1;
+role g_b_role_3 types g_b_type_1;
+type g_b_type_2;
+
+optional {
+ require {
+ type invalid_type;
+ }
+ allow g_b_role_2 g_b_role_3;
+ role_transition g_b_role_2 g_b_type_2 g_b_role_3;
+}
+
+
+gen_user(g_b_user_1,, g_b_role_1, s0, s0 - s0:c0.c23)
+
+####################################
+#line 1 "initial_sid_contexts"
+
+sid kernel gen_context(g_b_user_1:g_b_role_1:g_b_type_1, s0)
+
+
+############################################
+#line 1 "fs_use"
+#
+fs_use_xattr ext2 gen_context(g_b_user_1:object_r:g_b_type_1, s0);
+fs_use_xattr ext3 gen_context(g_b_user_1:object_r:g_b_type_1, s0);
+fs_use_xattr reiserfs gen_context(g_b_user_1:object_r:g_b_type_1, s0);
+
+
+genfscon proc / gen_context(g_b_user_1:object_r:g_b_type_1, s0)
+
+
+####################################
+#line 1 "net_contexts"
+
+#portcon tcp 21 g_b_user_1:object_r:net_foo_t:s0
+
+#netifcon lo g_b_user_1:object_r:net_foo_t g_b_user_1:object_r:net_foo_t:s0
+
+#
+#nodecon 127.0.0.1 255.255.255.255 g_b_user_1:object_r:net_foo_t:s0
+
+nodecon ::1 FFFF:FFFF:FFFF:FFFF:: gen_context(g_b_user_1:object_r:g_b_type_1, s0)
+
+
+
+
diff --git a/tests/policies/test-hooks/module_add_role_allow_trans.conf b/tests/policies/test-hooks/module_add_role_allow_trans.conf
new file mode 100644
index 0000000..c6ecd83
--- /dev/null
+++ b/tests/policies/test-hooks/module_add_role_allow_trans.conf
@@ -0,0 +1,15 @@
+module add_symbol_test 1.0;
+
+require { class file { read }; }
+
+role role_a_1;
+role role_a_2;
+role role_t_1;
+role role_t_2;
+
+type type_rt_1;
+
+
+allow role_a_1 role_a_2;
+
+role_transition role_t_1 type_rt_1 role_t_2;
diff --git a/tests/policies/test-hooks/module_add_symbols.conf b/tests/policies/test-hooks/module_add_symbols.conf
new file mode 100644
index 0000000..cf56e18
--- /dev/null
+++ b/tests/policies/test-hooks/module_add_symbols.conf
@@ -0,0 +1,12 @@
+module add_symbol_test 1.0;
+
+require { class file { read write }; }
+
+type type_add_1;
+attribute attrib_add_1;
+role role_add_1;
+bool bool_add_1 false;
+
+ifdef(`enable_mls',`',`
+user user_add_1 roles { role_add_1 };
+')
diff --git a/tests/policies/test-hooks/small-base.conf b/tests/policies/test-hooks/small-base.conf
new file mode 100644
index 0000000..ec1e234
--- /dev/null
+++ b/tests/policies/test-hooks/small-base.conf
@@ -0,0 +1,471 @@
+# FLASK
+
+#
+# Define the security object classes
+#
+
+class security
+class process
+class system
+class capability
+
+# file-related classes
+class filesystem
+class file
+class dir
+class fd
+class lnk_file
+class chr_file
+class blk_file
+class sock_file
+class fifo_file
+
+# network-related classes
+class socket
+class tcp_socket
+class udp_socket
+class rawip_socket
+class node
+class netif
+class netlink_socket
+class packet_socket
+class key_socket
+class unix_stream_socket
+class unix_dgram_socket
+
+# sysv-ipc-related clases
+class sem
+class msg
+class msgq
+class shm
+class ipc
+
+# FLASK
+# FLASK
+
+#
+# Define initial security identifiers
+#
+
+sid kernel
+
+
+# FLASK
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ unlink
+ link
+ rename
+ execute
+ swapon
+ quotaon
+ mounton
+}
+
+
+#
+# Define a common prefix for socket access vectors.
+#
+
+common socket
+{
+# inherited from file
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+# socket-specific
+ bind
+ connect
+ listen
+ accept
+ getopt
+ setopt
+ shutdown
+ recvfrom
+ sendto
+ recv_msg
+ send_msg
+ name_bind
+}
+
+#
+# Define a common prefix for ipc access vectors.
+#
+
+common ipc
+{
+ create
+ destroy
+ getattr
+ setattr
+ read
+ write
+ associate
+ unix_read
+ unix_write
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class filesystem
+{
+ mount
+ remount
+ unmount
+ getattr
+ relabelfrom
+ relabelto
+ transition
+ associate
+ quotamod
+ quotaget
+}
+
+class dir
+inherits file
+{
+ add_name
+ remove_name
+ reparent
+ search
+ rmdir
+}
+
+class file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+}
+
+class lnk_file
+inherits file
+
+class chr_file
+inherits file
+
+class blk_file
+inherits file
+
+class sock_file
+inherits file
+
+class fifo_file
+inherits file
+
+class fd
+{
+ use
+}
+
+
+#
+# Define the access vector interpretation for network-related objects.
+#
+
+class socket
+inherits socket
+
+class tcp_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+}
+
+class udp_socket
+inherits socket
+
+class rawip_socket
+inherits socket
+
+class node
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+ enforce_dest
+}
+
+class netif
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+}
+
+class netlink_socket
+inherits socket
+
+class packet_socket
+inherits socket
+
+class key_socket
+inherits socket
+
+class unix_stream_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+}
+
+class unix_dgram_socket
+inherits socket
+
+
+#
+# Define the access vector interpretation for process-related objects
+#
+
+class process
+{
+ fork
+ transition
+ sigchld # commonly granted from child to parent
+ sigkill # cannot be caught or ignored
+ sigstop # cannot be caught or ignored
+ signull # for kill(pid, 0)
+ signal # all other signals
+ ptrace
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ share
+}
+
+
+#
+# Define the access vector interpretation for ipc-related objects
+#
+
+class ipc
+inherits ipc
+
+class sem
+inherits ipc
+
+class msgq
+inherits ipc
+{
+ enqueue
+}
+
+class msg
+{
+ send
+ receive
+}
+
+class shm
+inherits ipc
+{
+ lock
+}
+
+
+#
+# Define the access vector interpretation for the security server.
+#
+
+class security
+{
+ compute_av
+ transition_sid
+ member_sid
+ sid_to_context
+ context_to_sid
+ load_policy
+ get_sids
+ change_sid
+ get_user_sids
+}
+
+
+#
+# Define the access vector interpretation for system operations.
+#
+
+class system
+{
+ ipc_info
+ avc_toggle
+ nfsd_control
+ bdflush
+ syslog_read
+ syslog_mod
+ syslog_console
+ ichsid
+}
+
+#
+# Define the access vector interpretation for controling capabilies
+#
+
+class capability
+{
+ # The capabilities are defined in include/linux/capability.h
+ # Care should be taken to ensure that these are consistent with
+ # those definitions. (Order matters)
+
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+ mknod
+ lease
+}
+
+ifdef(`enable_mls',`
+sensitivity s0;
+
+#
+# Define the ordering of the sensitivity levels (least to greatest)
+#
+dominance { s0 }
+
+
+#
+# Define the categories
+#
+# Each category has a name and zero or more aliases.
+#
+category c0; category c1; category c2; category c3;
+category c4; category c5; category c6; category c7;
+category c8; category c9; category c10; category c11;
+category c12; category c13; category c14; category c15;
+category c16; category c17; category c18; category c19;
+category c20; category c21; category c22; category c23;
+
+level s0:c0.c23;
+
+mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
+ ( h1 dom h2 );
+')
+
+####################################
+####################################
+#####################################
+
+#g_b stands for global base
+
+type g_b_type_1;
+role g_b_role_1 types g_b_type_1;
+
+role g_b_role_2 types g_b_type_1;
+role g_b_role_3 types g_b_type_1;
+type g_b_type_2;
+
+optional {
+ require {
+ type invalid_type;
+ }
+ allow g_b_role_2 g_b_role_3;
+ role_transition g_b_role_2 g_b_type_2 g_b_role_3;
+}
+
+
+gen_user(g_b_user_1,, g_b_role_1, s0, s0 - s0:c0.c23)
+
+####################################
+#line 1 "initial_sid_contexts"
+
+sid kernel gen_context(g_b_user_1:g_b_role_1:g_b_type_1, s0)
+
+
+############################################
+#line 1 "fs_use"
+#
+fs_use_xattr ext2 gen_context(g_b_user_1:object_r:g_b_type_1, s0);
+fs_use_xattr ext3 gen_context(g_b_user_1:object_r:g_b_type_1, s0);
+fs_use_xattr reiserfs gen_context(g_b_user_1:object_r:g_b_type_1, s0);
+
+
+genfscon proc / gen_context(g_b_user_1:object_r:g_b_type_1, s0)
+
+
+####################################
+#line 1 "net_contexts"
+
+#portcon tcp 21 g_b_user_1:object_r:net_foo_t:s0
+
+#netifcon lo g_b_user_1:object_r:net_foo_t g_b_user_1:object_r:net_foo_t:s0
+
+#
+#nodecon 127.0.0.1 255.255.255.255 g_b_user_1:object_r:net_foo_t:s0
+
+nodecon ::1 FFFF:FFFF:FFFF:FFFF:: gen_context(g_b_user_1:object_r:g_b_type_1, s0)
+
+
+
+
diff --git a/tests/policies/test-linker/module1.conf b/tests/policies/test-linker/module1.conf
new file mode 100644
index 0000000..7cfb6cb
--- /dev/null
+++ b/tests/policies/test-linker/module1.conf
@@ -0,0 +1,138 @@
+module linker_test_1 1.0;
+
+require {
+ class file { read write };
+ class lnk_file append;
+ role g_b_role_2;
+ attribute g_b_attr_3;
+ attribute g_b_attr_5;
+ attribute o4_b_attr_1;
+ type g_b_type_3;
+}
+
+type tag_g_m1;
+
+#test for type in module and attr in module, added to in module
+attribute g_m1_attr_1;
+type g_m1_type_1, g_m1_attr_1;
+type g_m1_type_2;
+typeattribute g_m1_type_2 g_m1_attr_1;
+
+#add role in module test
+role g_m1_role_1 types g_m1_type_1;
+
+# test for attr declared in base, added to in module
+type g_m1_type_3;
+typeattribute g_m1_type_3 g_b_attr_3;
+
+# test for attr declared in base, added to in 2 modules
+type g_m1_type_4;
+typeattribute g_m1_type_4 g_b_attr_5;
+
+# test for attr declared in base optional, added to in module
+type g_m1_type_5;
+typeattribute g_m1_type_5 o4_b_attr_1;
+
+# test for attr declared in module, added to in base optional
+attribute g_m1_attr_2;
+
+#add type to base role test
+role g_b_role_2 types g_m1_type_1;
+role g_b_role_3 types g_m1_type_2;
+
+#add type to base optional role test
+role o1_b_role_2 types g_m1_type_1;
+
+#optional base role w/ adds in 2 modules
+role o4_b_role_1 types g_m1_type_2;
+
+# attr a added to in base optional, declared/added to in module, added to in other module
+attribute g_m1_attr_3;
+type g_m1_type_6, g_m1_attr_3;
+
+# attr a added to in base optional, declared/added in module , added to in other module optional
+attribute g_m1_attr_4;
+type g_m1_type_7, g_m1_attr_4;
+
+# alias tests
+typealias g_b_type_3 alias g_m_alias_1;
+
+# single boolean in module
+bool g_m1_bool_1 true;
+if (g_m1_bool_1) {
+ allow g_m1_type_1 g_m1_type_2 : lnk_file append;
+}
+
+
+optional {
+ require {
+ type optional_type;
+ attribute g_b_attr_4;
+ attribute o1_b_attr_2;
+ class lnk_file { ioctl };
+ }
+
+ type tag_o1_m1;
+
+ attribute o1_m1_attr_1;
+ type o1_m1_type_2, o1_m1_attr_1;
+
+ type o1_m1_type_1;
+ role o1_m1_role_1 types o1_m1_type_1;
+
+ type o1_m1_type_3;
+ typeattribute o1_m1_type_3 g_b_attr_4;
+
+ type o1_m1_type_5;
+ typeattribute o1_m1_type_5 o1_b_attr_2;
+
+ bool o1_m1_bool_1 false;
+ if (o1_m1_bool_1) {
+ allow o1_m1_type_2 o1_m1_type_1 : lnk_file ioctl;
+ }
+
+}
+
+optional {
+ require {
+ type optional_type;
+ #role g_b_role_4; // This causes a bug where the role scope doesn't get copied into base
+ }
+
+ type tag_o2_m1;
+
+ role g_b_role_4 types g_m1_type_2;
+}
+
+optional {
+ require {
+ attribute g_b_attr_6;
+ }
+
+ type tag_o3_m1;
+
+ type o3_m1_type_1;
+ role o3_b_role_1 types o3_m1_type_1;
+
+ type o3_m1_type_2, g_b_attr_6;
+
+ attribute o3_m1_attr_1;
+
+ # attr a added to in base optional, declared/added in module optional, added to in other module
+ attribute o3_m1_attr_2;
+ type o3_m1_type_3, o3_m1_attr_2;
+
+}
+
+optional {
+ require {
+ type enable_optional;
+ }
+ type tag_o4_m1;
+
+ attribute o4_m1_attr_1;
+ type o4_m1_type_1;
+ typeattribute o4_m1_type_1 o4_m1_attr_1;
+
+
+}
diff --git a/tests/policies/test-linker/module2.conf b/tests/policies/test-linker/module2.conf
new file mode 100644
index 0000000..3820cb7
--- /dev/null
+++ b/tests/policies/test-linker/module2.conf
@@ -0,0 +1,62 @@
+module linker_test_2 1.0;
+
+require {
+ class file { read write };
+ class lnk_file { unlink };
+ attribute g_b_attr_5;
+ attribute g_b_attr_6;
+ attribute g_m1_attr_3;
+ attribute o3_m1_attr_2;
+}
+
+type tag_g_m2;
+
+type g_m2_type_1;
+role g_m2_role_1 types g_m2_type_1;
+
+type g_m2_type_4, g_b_attr_5;
+type g_m2_type_5, g_b_attr_6;
+
+#add types to role declared in base test
+type g_m2_type_2;
+role g_b_role_3 types g_m2_type_2;
+
+#optional base role w/ adds in 2 modules
+role o4_b_role_1 types g_m2_type_1;
+
+# attr a added to in base optional, declared/added to in module, added to in other module
+type g_m2_type_3, g_m1_attr_3;
+
+# attr a added to in base optional, declared/added in module optional, added to in other module
+type g_m2_type_6, o3_m1_attr_2;
+
+# cond mapping tests
+bool g_m2_bool_1 true;
+bool g_m2_bool_2 false;
+if (g_m2_bool_1 && g_m2_bool_2) {
+ allow g_m2_type_1 g_m2_type_2 : lnk_file unlink;
+}
+
+optional {
+ require {
+ type optional_type;
+ }
+
+ type tag_o1_m2;
+
+ type o1_m2_type_1;
+ role o1_m2_role_1 types o1_m2_type_1;
+}
+
+
+optional {
+ require {
+ attribute g_m1_attr_4;
+ attribute o4_m1_attr_1;
+ }
+ type tag_o2_m2;
+
+ type o2_m2_type_1, g_m1_attr_4;
+ type o2_m2_type_2, o4_m1_attr_1;
+
+}
diff --git a/tests/policies/test-linker/small-base.conf b/tests/policies/test-linker/small-base.conf
new file mode 100644
index 0000000..2f166c9
--- /dev/null
+++ b/tests/policies/test-linker/small-base.conf
@@ -0,0 +1,593 @@
+# FLASK
+
+#
+# Define the security object classes
+#
+
+class security
+class process
+class system
+class capability
+
+# file-related classes
+class filesystem
+class file
+class dir
+class fd
+class lnk_file
+class chr_file
+class blk_file
+class sock_file
+class fifo_file
+
+# network-related classes
+class socket
+class tcp_socket
+class udp_socket
+class rawip_socket
+class node
+class netif
+class netlink_socket
+class packet_socket
+class key_socket
+class unix_stream_socket
+class unix_dgram_socket
+
+# sysv-ipc-related clases
+class sem
+class msg
+class msgq
+class shm
+class ipc
+
+# FLASK
+# FLASK
+
+#
+# Define initial security identifiers
+#
+
+sid kernel
+
+
+# FLASK
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ unlink
+ link
+ rename
+ execute
+ swapon
+ quotaon
+ mounton
+}
+
+
+#
+# Define a common prefix for socket access vectors.
+#
+
+common socket
+{
+# inherited from file
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+# socket-specific
+ bind
+ connect
+ listen
+ accept
+ getopt
+ setopt
+ shutdown
+ recvfrom
+ sendto
+ recv_msg
+ send_msg
+ name_bind
+}
+
+#
+# Define a common prefix for ipc access vectors.
+#
+
+common ipc
+{
+ create
+ destroy
+ getattr
+ setattr
+ read
+ write
+ associate
+ unix_read
+ unix_write
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class filesystem
+{
+ mount
+ remount
+ unmount
+ getattr
+ relabelfrom
+ relabelto
+ transition
+ associate
+ quotamod
+ quotaget
+}
+
+class dir
+inherits file
+{
+ add_name
+ remove_name
+ reparent
+ search
+ rmdir
+}
+
+class file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+}
+
+class lnk_file
+inherits file
+
+class chr_file
+inherits file
+
+class blk_file
+inherits file
+
+class sock_file
+inherits file
+
+class fifo_file
+inherits file
+
+class fd
+{
+ use
+}
+
+
+#
+# Define the access vector interpretation for network-related objects.
+#
+
+class socket
+inherits socket
+
+class tcp_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+}
+
+class udp_socket
+inherits socket
+
+class rawip_socket
+inherits socket
+
+class node
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+ enforce_dest
+}
+
+class netif
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+}
+
+class netlink_socket
+inherits socket
+
+class packet_socket
+inherits socket
+
+class key_socket
+inherits socket
+
+class unix_stream_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+}
+
+class unix_dgram_socket
+inherits socket
+
+
+#
+# Define the access vector interpretation for process-related objects
+#
+
+class process
+{
+ fork
+ transition
+ sigchld # commonly granted from child to parent
+ sigkill # cannot be caught or ignored
+ sigstop # cannot be caught or ignored
+ signull # for kill(pid, 0)
+ signal # all other signals
+ ptrace
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ share
+}
+
+
+#
+# Define the access vector interpretation for ipc-related objects
+#
+
+class ipc
+inherits ipc
+
+class sem
+inherits ipc
+
+class msgq
+inherits ipc
+{
+ enqueue
+}
+
+class msg
+{
+ send
+ receive
+}
+
+class shm
+inherits ipc
+{
+ lock
+}
+
+
+#
+# Define the access vector interpretation for the security server.
+#
+
+class security
+{
+ compute_av
+ transition_sid
+ member_sid
+ sid_to_context
+ context_to_sid
+ load_policy
+ get_sids
+ change_sid
+ get_user_sids
+}
+
+
+#
+# Define the access vector interpretation for system operations.
+#
+
+class system
+{
+ ipc_info
+ avc_toggle
+ nfsd_control
+ bdflush
+ syslog_read
+ syslog_mod
+ syslog_console
+ ichsid
+}
+
+#
+# Define the access vector interpretation for controling capabilies
+#
+
+class capability
+{
+ # The capabilities are defined in include/linux/capability.h
+ # Care should be taken to ensure that these are consistent with
+ # those definitions. (Order matters)
+
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+ mknod
+ lease
+}
+
+ifdef(`enable_mls',`
+sensitivity s0;
+
+#
+# Define the ordering of the sensitivity levels (least to greatest)
+#
+dominance { s0 }
+
+
+#
+# Define the categories
+#
+# Each category has a name and zero or more aliases.
+#
+category c0; category c1; category c2; category c3;
+category c4; category c5; category c6; category c7;
+category c8; category c9; category c10; category c11;
+category c12; category c13; category c14; category c15;
+category c16; category c17; category c18; category c19;
+category c20; category c21; category c22; category c23;
+
+level s0:c0.c23;
+
+mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
+ ( h1 dom h2 );
+')
+
+####################################
+####################################
+#####################################
+
+#g_b stands for global base
+
+type enable_optional;
+
+#decorative type for finding this decl, every block should have one
+type tag_g_b;
+
+attribute g_b_attr_1;
+attribute g_b_attr_2;
+attribute g_b_attr_3;
+attribute g_b_attr_4;
+attribute g_b_attr_5;
+attribute g_b_attr_6;
+
+type g_b_type_1, g_b_attr_1;
+type g_b_type_2, g_b_attr_2;
+type g_b_type_3;
+
+role g_b_role_1 types g_b_type_1;
+role g_b_role_2 types g_b_type_2;
+role g_b_role_3 types g_b_type_2;
+role g_b_role_4 types g_b_type_2;
+
+bool g_b_bool_1 false;
+bool g_b_bool_2 true;
+
+allow g_b_type_1 g_b_type_2 : security { compute_av load_policy };
+allow g_b_type_1 g_b_type_2 : file *; # test *
+allow g_b_type_1 g_b_type_2 : process ~ptrace; #test ~
+
+typealias g_b_type_3 alias g_b_alias_1;
+
+if (g_b_bool_1) {
+ allow g_b_type_1 g_b_type_2: lnk_file read;
+}
+
+
+optional {
+ require {
+ type enable_optional;
+ attribute g_m1_attr_2;
+ }
+ type tag_o1_b;
+
+ attribute o1_b_attr_1;
+ type o1_b_type_1, o1_b_attr_1;
+ bool o1_b_bool_1 true;
+ role o1_b_role_1 types o1_b_type_1;
+
+ role o1_b_role_2 types o1_b_type_1;
+
+ attribute o1_b_attr_2;
+
+ type o1_b_type_2, g_m1_attr_2;
+
+ if (o1_b_bool_1) {
+ allow o1_b_type_1 o1_b_type_2: lnk_file write;
+ }
+
+}
+
+optional {
+ require {
+ # this should be activated by module 1
+ type g_m1_type_1;
+ attribute o3_m1_attr_2;
+ }
+ type tag_o2_b;
+
+ type o2_b_type_1, o3_m1_attr_2;
+}
+
+optional {
+ require {
+ #this block should not come on
+ type invalid_type;
+ }
+ type tag_o3_b;
+
+
+ attribute o3_b_attr_1;
+ type o3_b_type_1;
+ bool o3_b_bool_1 true;
+
+ role o3_b_role_1 types o3_b_type_1;
+
+ allow g_b_type_1 invalid_type : sem { create destroy };
+}
+
+optional {
+ require {
+ # also should be enabled by module 1
+ type enable_optional;
+ type g_m1_type_1;
+ attribute o3_m1_attr_1;
+ attribute g_m1_attr_3;
+ }
+
+ type tag_o4_b;
+
+ attribute o4_b_attr_1;
+
+ role o4_b_role_1 types g_m1_type_1;
+
+ # test for attr declared in module optional, added to in base optional
+ type o4_b_type_1, o3_m1_attr_1;
+
+ type o4_b_type_2, g_m1_attr_3;
+}
+
+optional {
+ require {
+ attribute g_m1_attr_4;
+ attribute o4_m1_attr_1;
+ }
+ type tag_o5_b;
+
+ type o5_b_type_1, g_m1_attr_4;
+ type o5_b_type_2, o4_m1_attr_1;
+}
+
+optional {
+ require {
+ type enable_optional;
+ }
+ type tag_o6_b;
+
+ typealias g_b_type_3 alias g_b_alias_2;
+}
+
+optional {
+ require {
+ type g_m_alias_1;
+ }
+ type tag_o7_b;
+
+ allow g_m_alias_1 enable_optional:file read;
+}
+
+gen_user(g_b_user_1,, g_b_role_1, s0, s0 - s0:c0.c23)
+gen_user(g_b_user_2,, g_b_role_1, s0, s0 - s0:c0, c1, c3, c4, c5)
+
+####################################
+#line 1 "initial_sid_contexts"
+
+sid kernel gen_context(g_b_user_1:g_b_role_1:g_b_type_1, s0)
+
+
+############################################
+#line 1 "fs_use"
+#
+fs_use_xattr ext2 gen_context(g_b_user_1:object_r:g_b_type_1, s0);
+fs_use_xattr ext3 gen_context(g_b_user_1:object_r:g_b_type_1, s0);
+fs_use_xattr reiserfs gen_context(g_b_user_1:object_r:g_b_type_1, s0);
+
+
+genfscon proc / gen_context(g_b_user_1:object_r:g_b_type_1, s0)
+
+
+####################################
+#line 1 "net_contexts"
+
+#portcon tcp 21 g_b_user_1:object_r:net_foo_t:s0
+
+#netifcon lo g_b_user_1:object_r:net_foo_t g_b_user_1:object_r:net_foo_t:s0
+
+#
+#nodecon 127.0.0.1 255.255.255.255 g_b_user_1:object_r:net_foo_t:s0
+
+nodecon ::1 FFFF:FFFF:FFFF:FFFF:: gen_context(g_b_user_1:object_r:g_b_type_1, s0)
+
+
+
+
diff --git a/tests/test-common.c b/tests/test-common.c
new file mode 100644
index 0000000..058b743
--- /dev/null
+++ b/tests/test-common.c
@@ -0,0 +1,262 @@
+/*
+ * Author: Joshua Brindle <jbrindle@tresys.com>
+ * Chad Sellers <csellers@tresys.com>
+ * Chris PeBenito <cpebenito@tresys.com>
+ *
+ * Copyright (C) 2006 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+/* This has tests that are common between test suites*/
+
+#include <sepol/policydb/avrule_block.h>
+
+#include <CUnit/Basic.h>
+
+void test_sym_presence(policydb_t * p, char *id, int sym_type, unsigned int scope_type, unsigned int *decls, unsigned int len)
+{
+ scope_datum_t *scope;
+ int found;
+ unsigned int i, j;
+ /* make sure it is in global symtab */
+ if (!hashtab_search(p->symtab[sym_type].table, id)) {
+ fprintf(stderr, "symbol %s not found in table %d\n", id, sym_type);
+ CU_FAIL_FATAL();
+ }
+ /* make sure its scope is correct */
+ scope = hashtab_search(p->scope[sym_type].table, id);
+ CU_ASSERT_FATAL(scope != NULL);
+ CU_ASSERT(scope->scope == scope_type);
+ CU_ASSERT(scope->decl_ids_len == len);
+ if (scope->decl_ids_len != len)
+ fprintf(stderr, "sym %s has %d decls, %d expected\n", id, scope->decl_ids_len, len);
+ for (i = 0; i < len; i++) {
+ found = 0;
+ for (j = 0; j < len; j++) {
+ if (decls[i] == scope->decl_ids[j])
+ found++;
+ }
+ CU_ASSERT(found == 1);
+ }
+
+}
+
+static int common_test_index(hashtab_key_t key, hashtab_datum_t datum, void *data)
+{
+ common_datum_t *d = (common_datum_t *) datum;
+ policydb_t *p = (policydb_t *) data;
+
+ CU_ASSERT(p->sym_val_to_name[SYM_COMMONS][d->s.value - 1] == (char *)key);
+ return 0;
+}
+
+static int class_test_index(hashtab_key_t key, hashtab_datum_t datum, void *data)
+{
+ class_datum_t *d = (class_datum_t *) datum;
+ policydb_t *p = (policydb_t *) data;
+
+ CU_ASSERT(p->sym_val_to_name[SYM_CLASSES][d->s.value - 1] == (char *)key);
+ CU_ASSERT(p->class_val_to_struct[d->s.value - 1] == d);
+ return 0;
+}
+
+static int role_test_index(hashtab_key_t key, hashtab_datum_t datum, void *data)
+{
+ role_datum_t *d = (role_datum_t *) datum;
+ policydb_t *p = (policydb_t *) data;
+
+ CU_ASSERT(p->sym_val_to_name[SYM_ROLES][d->s.value - 1] == (char *)key);
+ CU_ASSERT(p->role_val_to_struct[d->s.value - 1] == d);
+ return 0;
+}
+
+static int type_test_index(hashtab_key_t key, hashtab_datum_t datum, void *data)
+{
+ type_datum_t *d = (type_datum_t *) datum;
+ policydb_t *p = (policydb_t *) data;
+
+ if (!d->primary)
+ return 0;
+
+ CU_ASSERT(p->sym_val_to_name[SYM_TYPES][d->s.value - 1] == (char *)key);
+ CU_ASSERT(p->type_val_to_struct[d->s.value - 1] == d);
+
+ return 0;
+}
+
+static int user_test_index(hashtab_key_t key, hashtab_datum_t datum, void *data)
+{
+ user_datum_t *d = (user_datum_t *) datum;
+ policydb_t *p = (policydb_t *) data;
+
+ CU_ASSERT(p->sym_val_to_name[SYM_USERS][d->s.value - 1] == (char *)key);
+ CU_ASSERT(p->user_val_to_struct[d->s.value - 1] == d);
+ return 0;
+}
+
+static int cond_test_index(hashtab_key_t key, hashtab_datum_t datum, void *data)
+{
+ cond_bool_datum_t *d = (cond_bool_datum_t *) datum;
+ policydb_t *p = (policydb_t *) data;
+
+ CU_ASSERT(p->sym_val_to_name[SYM_BOOLS][d->s.value - 1] == (char *)key);
+ CU_ASSERT(p->bool_val_to_struct[d->s.value - 1] == d);
+ return 0;
+}
+
+static int level_test_index(hashtab_key_t key, hashtab_datum_t datum, void *data)
+{
+ level_datum_t *d = (level_datum_t *) datum;
+ policydb_t *p = (policydb_t *) data;
+
+ CU_ASSERT(p->sym_val_to_name[SYM_LEVELS][d->level->sens - 1] == (char *)key);
+ return 0;
+}
+
+static int cat_test_index(hashtab_key_t key, hashtab_datum_t datum, void *data)
+{
+ cat_datum_t *d = (cat_datum_t *) datum;
+ policydb_t *p = (policydb_t *) data;
+
+ CU_ASSERT(p->sym_val_to_name[SYM_CATS][d->s.value - 1] == (char *)key);
+ return 0;
+}
+
+static int (*test_index_f[SYM_NUM]) (hashtab_key_t key, hashtab_datum_t datum, void *p) = {
+common_test_index, class_test_index, role_test_index, type_test_index, user_test_index, cond_test_index, level_test_index, cat_test_index,};
+
+void test_policydb_indexes(policydb_t * p)
+{
+ int i;
+
+ for (i = 0; i < SYM_NUM; i++) {
+ hashtab_map(p->symtab[i].table, test_index_f[i], p);
+ }
+}
+
+void test_alias_datum(policydb_t * p, char *id, char *primary_id, char mode, unsigned int flavor)
+{
+ type_datum_t *type, *primary;
+ unsigned int my_primary, my_flavor, my_value;
+
+ type = hashtab_search(p->p_types.table, id);
+ primary = hashtab_search(p->p_types.table, primary_id);
+
+ CU_ASSERT_PTR_NOT_NULL(type);
+ CU_ASSERT_PTR_NOT_NULL(primary);
+
+ if (type && primary) {
+ if (mode) {
+ my_flavor = type->flavor;
+ } else {
+ my_flavor = flavor;
+ }
+
+ if (my_flavor == TYPE_TYPE) {
+ my_primary = 0;
+ my_value = primary->s.value;
+ } else if (my_flavor == TYPE_ALIAS) {
+ my_primary = primary->s.value;
+ CU_ASSERT_NOT_EQUAL(type->s.value, primary->s.value);
+ my_value = type->s.value;
+ } else {
+ CU_FAIL("not an alias");
+ }
+
+ CU_ASSERT(type->primary == my_primary);
+ CU_ASSERT(type->flavor == my_flavor);
+ CU_ASSERT(type->s.value == my_value);
+ }
+}
+
+role_datum_t *test_role_type_set(policydb_t * p, char *id, avrule_decl_t * decl, char **types, unsigned int len, unsigned int flags)
+{
+ ebitmap_node_t *tnode;
+ unsigned int i, j, new, found = 0;
+ role_datum_t *role;
+
+ if (decl)
+ role = hashtab_search(decl->p_roles.table, id);
+ else
+ role = hashtab_search(p->p_roles.table, id);
+
+ if (!role)
+ printf("role %s can't be found! \n", id);
+
+ CU_ASSERT_FATAL(role != NULL);
+
+ ebitmap_for_each_bit(&role->types.types, tnode, i) {
+ if (ebitmap_node_get_bit(tnode, i)) {
+ new = 0;
+ for (j = 0; j < len; j++) {
+ if (strcmp(p->sym_val_to_name[SYM_TYPES][i], types[j]) == 0) {
+ found++;
+ new = 1;
+ }
+ }
+ if (new == 0) {
+ printf("\nRole %s had type %s not in types array\n", id, p->sym_val_to_name[SYM_TYPES][i]);
+ }
+ CU_ASSERT(new == 1);
+ }
+ }
+ CU_ASSERT(found == len);
+ if (found != len)
+ printf("\nrole %s has %d types, %d expected\n", p->sym_val_to_name[SYM_ROLES][role->s.value - 1], found, len);
+ /* roles should never have anything in the negset */
+ CU_ASSERT(role->types.negset.highbit == 0);
+ CU_ASSERT(role->types.flags == flags);
+
+ return role;
+}
+
+void test_attr_types(policydb_t * p, char *id, avrule_decl_t * decl, char **types, int len)
+{
+ ebitmap_node_t *tnode;
+ int j, new, found = 0;
+ unsigned int i;
+ type_datum_t *attr;
+
+ if (decl)
+ attr = hashtab_search(decl->p_types.table, id);
+ else
+ attr = hashtab_search(p->p_types.table, id);
+
+ if (attr == NULL)
+ printf("could not find attr %s in decl %d\n", id, decl->decl_id);
+ CU_ASSERT_FATAL(attr != NULL);
+ CU_ASSERT(attr->flavor == TYPE_ATTRIB);
+ CU_ASSERT(attr->primary == 1);
+
+ ebitmap_for_each_bit(&attr->types, tnode, i) {
+ if (ebitmap_node_get_bit(tnode, i)) {
+ new = 0;
+ for (j = 0; j < len; j++) {
+ if (strcmp(p->sym_val_to_name[SYM_TYPES][i], types[j]) == 0) {
+ found++;
+ new = 1;
+ }
+ }
+ if (new == 0) {
+ printf("\nattr %s had type %s not in types array\n", id, p->sym_val_to_name[SYM_TYPES][i]);
+ }
+ CU_ASSERT(new == 1);
+ }
+ }
+ CU_ASSERT(found == len);
+ if (found != len)
+ printf("\nattr %s has %d types, %d expected\n", id, found, len);
+}
diff --git a/tests/test-common.h b/tests/test-common.h
new file mode 100644
index 0000000..5a1e650
--- /dev/null
+++ b/tests/test-common.h
@@ -0,0 +1,78 @@
+/*
+ * Author: Joshua Brindle <jbrindle@tresys.com>
+ * Chad Sellers <csellers@tresys.com>
+ *
+ * Copyright (C) 2006 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef __TEST_COMMON_H__
+#define __TEST_COMMON_H__
+
+#include <sepol/policydb/policydb.h>
+
+/* p the policy being inspected
+ * id string symbol identifier
+ * sym_type symbol type (eg., SYM_ROLES, SYM_TYPES)
+ * scope_type what scope the role should have (eg., SCOPE_DECL or SCOPE_REQ)
+ * decls integer array of decl id's that we expect the role to have in the scope table
+ * len number of elements in decls
+ *
+ * This is a utility function to test for the symbol's presence in the global symbol table,
+ * the scope table, and that the decl blocks we think this symbol is in are correct
+ */
+extern void test_sym_presence(policydb_t * p, char *id, int sym_type, unsigned int scope_type, unsigned int *decls, unsigned int len);
+
+/* Test the indexes in the policydb to ensure their correctness. These include
+ * the sym_val_to_name[], class_val_to_struct, role_val_to_struct, type_val_to_struct,
+ * user_val_to_struct, and bool_val_to_struct indexes.
+ */
+extern void test_policydb_indexes(policydb_t * p);
+
+/* Test alias datum to ensure that it is as expected
+ *
+ * id = the key for the alias
+ * primary_id = the key for its primary
+ * mode: 0 = test the datum according to the flavor value in the call
+ 1 = automatically detect the flavor value and test the datum accordingly
+ * flavor = flavor value if in mode 0
+ */
+extern void test_alias_datum(policydb_t * p, char *id, char *primary_id, char mode, unsigned int flavor);
+
+/* p the policy being inspected
+ * id string role identifier
+ * decl the decl block which we are looking in for the role datum
+ * types the array of string types which we expect the role has in its type ebitmap
+ * len number of elements in types
+ * flags the expected flags in the role typeset (eg., * or ~)
+ *
+ * This is a utility function to test whether the type set associated with a role in a specific
+ * avrule decl block matches our expectations
+ */
+extern role_datum_t *test_role_type_set(policydb_t * p, char *id, avrule_decl_t * decl, char **types, unsigned int len, unsigned int flags);
+
+/* p the policy being inspected
+ * id string attribute identifier
+ * decl the decl block which we are looking in for the attribute datum
+ * types the array of string types which we expect the attribute has in its type ebitmap
+ * len number of elements in types
+ *
+ * This is a utility function to test whether the type set associated with an attribute in a specific
+ * avrule decl block matches our expectations
+ */
+extern void test_attr_types(policydb_t * p, char *id, avrule_decl_t * decl, char **types, int len);
+
+#endif
diff --git a/tests/test-cond.c b/tests/test-cond.c
new file mode 100644
index 0000000..32bf6f1
--- /dev/null
+++ b/tests/test-cond.c
@@ -0,0 +1,95 @@
+/*
+ * Author: Karl MacMillan <kmacmillan@tresys.com>
+ *
+ * Copyright (C) 2006 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include "test-cond.h"
+#include "parse_util.h"
+#include "helpers.h"
+
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/link.h>
+#include <sepol/policydb/expand.h>
+#include <sepol/policydb/conditional.h>
+
+static policydb_t basemod;
+static policydb_t base_expanded;
+
+int cond_test_init(void)
+{
+ if (policydb_init(&base_expanded)) {
+ fprintf(stderr, "out of memory!\n");
+ policydb_destroy(&basemod);
+ return -1;
+ }
+
+ if (test_load_policy(&basemod, POLICY_BASE, 1, "test-cond", "refpolicy-base.conf"))
+ goto cleanup;
+
+ if (link_modules(NULL, &basemod, NULL, 0, 0)) {
+ fprintf(stderr, "link modules failed\n");
+ goto cleanup;
+ }
+
+ if (expand_module(NULL, &basemod, &base_expanded, 0, 1)) {
+ fprintf(stderr, "expand module failed\n");
+ goto cleanup;
+ }
+
+ return 0;
+
+ cleanup:
+ policydb_destroy(&basemod);
+ policydb_destroy(&base_expanded);
+ return -1;
+}
+
+int cond_test_cleanup(void)
+{
+ policydb_destroy(&basemod);
+ policydb_destroy(&base_expanded);
+
+ return 0;
+}
+
+static void test_cond_expr_equal(void)
+{
+ cond_node_t *a, *b;
+
+ a = base_expanded.cond_list;
+ while (a) {
+ b = base_expanded.cond_list;
+ while (b) {
+ if (a == b) {
+ CU_ASSERT(cond_expr_equal(a, b));
+ } else {
+ CU_ASSERT(cond_expr_equal(a, b) == 0);
+ }
+ b = b->next;
+ }
+ a = a->next;
+ }
+}
+
+int cond_add_tests(CU_pSuite suite)
+{
+ if (NULL == CU_add_test(suite, "cond_expr_equal", test_cond_expr_equal)) {
+ return CU_get_error();
+ }
+ return 0;
+}
diff --git a/tests/test-cond.h b/tests/test-cond.h
new file mode 100644
index 0000000..702d9e0
--- /dev/null
+++ b/tests/test-cond.h
@@ -0,0 +1,30 @@
+/*
+ * Author: Karl MacMillan <kmacmillan@tresys.com>
+ *
+ * Copyright (C) 2006 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef __TEST_COND_H__
+#define __TEST_COND_H__
+
+#include <CUnit/Basic.h>
+
+int cond_test_init(void);
+int cond_test_cleanup(void);
+int cond_add_tests(CU_pSuite suite);
+
+#endif
diff --git a/tests/test-deps.c b/tests/test-deps.c
new file mode 100644
index 0000000..e7d2beb
--- /dev/null
+++ b/tests/test-deps.c
@@ -0,0 +1,302 @@
+/*
+ * Author: Karl MacMillan <kmacmillan@tresys.com>
+ *
+ * Copyright (C) 2006 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include "test-deps.h"
+#include "parse_util.h"
+#include "helpers.h"
+
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/link.h>
+
+#include <stdlib.h>
+
+/* Tests for dependency checking / handling, specifically:
+ *
+ * 1 type in module global.
+ * 2 attribute in module global.
+ * 3 object class / perm in module global.
+ * 4 boolean in module global.
+ * 5 role in module global.
+ *
+ * 6 type in module optional.
+ * 7 attribute in module optional.
+ * 8 object class / perm in module optional.
+ * 9 boolean in module optional.
+ * 10 role in module optional.
+ *
+ * 11 type in base optional.
+ * 12 attribute in base optional.
+ * 13 object class / perm in base optional.
+ * 14 boolean in base optional.
+ * 15 role in base optional.
+ *
+ * Each of these tests are done with the dependency met and not
+ * met. Additionally, each of the required symbols is used in the
+ * scope it is required.
+ *
+ * In addition to the simple tests, we have test with more complex
+ * modules that test:
+ *
+ * 17 mutual dependencies between two modules.
+ * 18 circular dependency between three modules.
+ * 19 large number of dependencies in a module with a more complex base.
+ * 20 nested optionals with requires.
+ *
+ * Again, each of these tests is done with the requirements met and not
+ * met.
+ */
+
+#include <sepol/debug.h>
+#include <sepol/handle.h>
+
+#define BASE_MODREQ_TYPE_GLOBAL 0
+#define BASE_MODREQ_ATTR_GLOBAL 1
+#define BASE_MODREQ_OBJ_GLOBAL 2
+#define BASE_MODREQ_BOOL_GLOBAL 3
+#define BASE_MODREQ_ROLE_GLOBAL 4
+#define BASE_MODREQ_PERM_GLOBAL 5
+#define BASE_MODREQ_TYPE_OPT 6
+#define BASE_MODREQ_ATTR_OPT 7
+#define BASE_MODREQ_OBJ_OPT 8
+#define BASE_MODREQ_BOOL_OPT 9
+#define BASE_MODREQ_ROLE_OPT 10
+#define BASE_MODREQ_PERM_OPT 11
+#define NUM_BASES 12
+
+static policydb_t bases_met[NUM_BASES];
+static policydb_t bases_notmet[NUM_BASES];
+
+extern int mls;
+
+int deps_test_init(void)
+{
+ int i;
+
+ /* To test linking we need 1 base per link test and in
+ * order to load them in the init function we have
+ * to keep them all around. Not ideal, but it shouldn't
+ * matter too much.
+ */
+ for (i = 0; i < NUM_BASES; i++) {
+ if (test_load_policy(&bases_met[i], POLICY_BASE, mls, "test-deps", "base-metreq.conf"))
+ return -1;
+ }
+
+ for (i = 0; i < NUM_BASES; i++) {
+ if (test_load_policy(&bases_notmet[i], POLICY_BASE, mls, "test-deps", "base-notmetreq.conf"))
+ return -1;
+ }
+
+ return 0;
+}
+
+int deps_test_cleanup(void)
+{
+ int i;
+
+ for (i = 0; i < NUM_BASES; i++) {
+ policydb_destroy(&bases_met[i]);
+ }
+
+ for (i = 0; i < NUM_BASES; i++) {
+ policydb_destroy(&bases_notmet[i]);
+ }
+
+ return 0;
+}
+
+/* This function performs testing of the dependency handles for module global
+ * symbols. It is capable of testing 2 scenarios - the dependencies are met
+ * and the dependencies are not met.
+ *
+ * Paramaters:
+ * req_met boolean indicating whether the base policy meets the
+ * requirements for the modules global block.
+ * b index of the base policy in the global bases_met array.
+ *
+ * policy name of the policy module to load for this test.
+ * decl_type name of the unique type found in the module's global
+ * section is to find that avrule_decl.
+ */
+static void do_deps_modreq_global(int req_met, int b, char *policy, char *decl_type)
+{
+ policydb_t *base;
+ policydb_t mod;
+ policydb_t *mods[] = { &mod };
+ avrule_decl_t *decl;
+ int ret, link_ret;
+ sepol_handle_t *h;
+
+ /* suppress error reporting - this is because we know that we
+ * are going to get errors and don't want libsepol complaining
+ * about it constantly. */
+ h = sepol_handle_create();
+ CU_ASSERT_FATAL(h != NULL);
+ sepol_msg_set_callback(h, NULL, NULL);
+
+ if (req_met) {
+ base = &bases_met[b];
+ link_ret = 0;
+ } else {
+ base = &bases_notmet[b];
+ link_ret = -3;
+ }
+
+ CU_ASSERT_FATAL(test_load_policy(&mod, POLICY_MOD, mls, "test-deps", policy) == 0);
+
+ /* link the modules and check for the correct return value.
+ */
+ ret = link_modules(h, base, mods, 1, 0);
+ CU_ASSERT_FATAL(ret == link_ret);
+ policydb_destroy(&mod);
+
+ if (!req_met)
+ return;
+
+ decl = test_find_decl_by_sym(base, SYM_TYPES, decl_type);
+ CU_ASSERT_FATAL(decl != NULL);
+
+ CU_ASSERT(decl->enabled == 1);
+}
+
+/* Test that symbol require statements in the global scope of a module
+ * work correctly. This will cover tests 1 - 5 (described above).
+ *
+ * Each of these policies will require as few symbols as possible to
+ * use the required symbol in addition requiring (for example, the type
+ * test also requires an object class for an allow rule).
+ */
+static void deps_modreq_global(void)
+{
+ /* object classes */
+ do_deps_modreq_global(1, BASE_MODREQ_OBJ_GLOBAL, "modreq-obj-global.conf", "mod_global_t");
+ do_deps_modreq_global(0, BASE_MODREQ_OBJ_GLOBAL, "modreq-obj-global.conf", "mod_global_t");
+ /* types */
+ do_deps_modreq_global(1, BASE_MODREQ_TYPE_GLOBAL, "modreq-type-global.conf", "mod_global_t");
+ do_deps_modreq_global(0, BASE_MODREQ_TYPE_GLOBAL, "modreq-type-global.conf", "mod_global_t");
+ /* attributes */
+ do_deps_modreq_global(1, BASE_MODREQ_ATTR_GLOBAL, "modreq-attr-global.conf", "mod_global_t");
+ do_deps_modreq_global(0, BASE_MODREQ_ATTR_GLOBAL, "modreq-attr-global.conf", "mod_global_t");
+ /* booleans */
+ do_deps_modreq_global(1, BASE_MODREQ_BOOL_GLOBAL, "modreq-bool-global.conf", "mod_global_t");
+ do_deps_modreq_global(0, BASE_MODREQ_BOOL_GLOBAL, "modreq-bool-global.conf", "mod_global_t");
+ /* roles */
+ do_deps_modreq_global(1, BASE_MODREQ_ROLE_GLOBAL, "modreq-role-global.conf", "mod_global_t");
+ do_deps_modreq_global(0, BASE_MODREQ_ROLE_GLOBAL, "modreq-role-global.conf", "mod_global_t");
+ do_deps_modreq_global(1, BASE_MODREQ_PERM_GLOBAL, "modreq-perm-global.conf", "mod_global_t");
+ do_deps_modreq_global(0, BASE_MODREQ_PERM_GLOBAL, "modreq-perm-global.conf", "mod_global_t");
+}
+
+/* This function performs testing of the dependency handles for module optional
+ * symbols. It is capable of testing 2 scenarios - the dependencies are met
+ * and the dependencies are not met.
+ *
+ * Paramaters:
+ * req_met boolean indicating whether the base policy meets the
+ * requirements for the modules global block.
+ * b index of the base policy in the global bases_met array.
+ *
+ * policy name of the policy module to load for this test.
+ * decl_type name of the unique type found in the module's global
+ * section is to find that avrule_decl.
+ */
+static void do_deps_modreq_opt(int req_met, int ret_val, int b, char *policy, char *decl_type)
+{
+ policydb_t *base;
+ policydb_t mod;
+ policydb_t *mods[] = { &mod };
+ avrule_decl_t *decl;
+ int ret;
+ sepol_handle_t *h;
+
+ /* suppress error reporting - this is because we know that we
+ * are going to get errors and don't want libsepol complaining
+ * about it constantly. */
+ h = sepol_handle_create();
+ CU_ASSERT_FATAL(h != NULL);
+ sepol_msg_set_callback(h, NULL, NULL);
+
+ if (req_met) {
+ base = &bases_met[b];
+ } else {
+ base = &bases_notmet[b];
+ }
+
+ CU_ASSERT_FATAL(test_load_policy(&mod, POLICY_MOD, mls, "test-deps", policy) == 0);
+
+ /* link the modules and check for the correct return value.
+ */
+ ret = link_modules(h, base, mods, 1, 0);
+ CU_ASSERT_FATAL(ret == ret_val);
+ policydb_destroy(&mod);
+ if (ret_val < 0)
+ return;
+
+ decl = test_find_decl_by_sym(base, SYM_TYPES, decl_type);
+ CU_ASSERT_FATAL(decl != NULL);
+
+ if (req_met) {
+ CU_ASSERT(decl->enabled == 1);
+ } else {
+ CU_ASSERT(decl->enabled == 0);
+ }
+}
+
+/* Test that symbol require statements in the global scope of a module
+ * work correctly. This will cover tests 6 - 10 (described above).
+ *
+ * Each of these policies will require as few symbols as possible to
+ * use the required symbol in addition requiring (for example, the type
+ * test also requires an object class for an allow rule).
+ */
+static void deps_modreq_opt(void)
+{
+ /* object classes */
+ do_deps_modreq_opt(1, 0, BASE_MODREQ_OBJ_OPT, "modreq-obj-opt.conf", "mod_opt_t");
+ do_deps_modreq_opt(0, 0, BASE_MODREQ_OBJ_OPT, "modreq-obj-opt.conf", "mod_opt_t");
+ /* types */
+ do_deps_modreq_opt(1, 0, BASE_MODREQ_TYPE_OPT, "modreq-type-opt.conf", "mod_opt_t");
+ do_deps_modreq_opt(0, 0, BASE_MODREQ_TYPE_OPT, "modreq-type-opt.conf", "mod_opt_t");
+ /* attributes */
+ do_deps_modreq_opt(1, 0, BASE_MODREQ_ATTR_OPT, "modreq-attr-opt.conf", "mod_opt_t");
+ do_deps_modreq_opt(0, 0, BASE_MODREQ_ATTR_OPT, "modreq-attr-opt.conf", "mod_opt_t");
+ /* booleans */
+ do_deps_modreq_opt(1, 0, BASE_MODREQ_BOOL_OPT, "modreq-bool-opt.conf", "mod_opt_t");
+ do_deps_modreq_opt(0, 0, BASE_MODREQ_BOOL_OPT, "modreq-bool-opt.conf", "mod_opt_t");
+ /* roles */
+ do_deps_modreq_opt(1, 0, BASE_MODREQ_ROLE_OPT, "modreq-role-opt.conf", "mod_opt_t");
+ do_deps_modreq_opt(0, 0, BASE_MODREQ_ROLE_OPT, "modreq-role-opt.conf", "mod_opt_t");
+ /* permissions */
+ do_deps_modreq_opt(1, 0, BASE_MODREQ_PERM_OPT, "modreq-perm-opt.conf", "mod_opt_t");
+ do_deps_modreq_opt(0, -3, BASE_MODREQ_PERM_OPT, "modreq-perm-opt.conf", "mod_opt_t");
+}
+
+int deps_add_tests(CU_pSuite suite)
+{
+ if (NULL == CU_add_test(suite, "deps_modreq_global", deps_modreq_global)) {
+ return CU_get_error();
+ }
+
+ if (NULL == CU_add_test(suite, "deps_modreq_opt", deps_modreq_opt)) {
+ return CU_get_error();
+ }
+
+ return 0;
+}
diff --git a/tests/test-deps.h b/tests/test-deps.h
new file mode 100644
index 0000000..fbd2ace
--- /dev/null
+++ b/tests/test-deps.h
@@ -0,0 +1,30 @@
+/*
+ * Author: Karl MacMillan <kmacmillan@tresys.com>
+ *
+ * Copyright (C) 2006 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef __TEST_DEPS_H__
+#define __TEST_DEPS_H__
+
+#include <CUnit/Basic.h>
+
+int deps_test_init(void);
+int deps_test_cleanup(void);
+int deps_add_tests(CU_pSuite suite);
+
+#endif
diff --git a/tests/test-downgrade.c b/tests/test-downgrade.c
new file mode 100644
index 0000000..1ee7ff4
--- /dev/null
+++ b/tests/test-downgrade.c
@@ -0,0 +1,273 @@
+/*
+ * Author: Mary Garvin <mgarvin@tresys.com>
+ *
+ * Copyright (C) 2007-2008 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include "test-downgrade.h"
+#include "parse_util.h"
+#include "helpers.h"
+
+#include <sepol/debug.h>
+#include <sepol/handle.h>
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/link.h>
+#include <sepol/policydb/expand.h>
+#include <sepol/policydb/conditional.h>
+#include <limits.h>
+#include <CUnit/Basic.h>
+
+#define POLICY_BIN_HI "policies/test-downgrade/policy.hi"
+#define POLICY_BIN_LO "policies/test-downgrade/policy.lo"
+
+static policydb_t policydb;
+
+/*
+ * Function Name: downgrade_test_init
+ *
+ * Input: None
+ *
+ * Output: None
+ *
+ * Description: Initialize the policydb (policy data base structure)
+ */
+int downgrade_test_init(void)
+{
+ /* Initialize the policydb_t structure */
+ if (policydb_init(&policydb)) {
+ fprintf(stderr, "%s: Out of memory!\n", __FUNCTION__);
+ return -1;
+ }
+
+ return 0;
+}
+
+/*
+ * Function Name: downgrade_test_cleanup
+ *
+ * Input: None
+ *
+ * Output: None
+ *
+ * Description: Destroys policydb structure
+ */
+int downgrade_test_cleanup(void)
+{
+ policydb_destroy(&policydb);
+
+ return 0;
+}
+
+/*
+ * Function Name: downgrade_add_tests
+ *
+ * Input: CU_pSuite
+ *
+ * Output: Returns 0 upon success. Returns a CUnit error value on failure.
+ *
+ * Description: Add the given downgrade tests to the downgrade suite.
+ */
+int downgrade_add_tests(CU_pSuite suite)
+{
+ if (CU_add_test(suite, "downgrade", test_downgrade) == NULL)
+ return CU_get_error();
+
+ return 0;
+}
+
+/*
+ * Function Name: test_downgrade_possible
+ *
+ * Input: None
+ *
+ * Output: None
+ *
+ * Description:
+ * Tests the backward compatability of MLS and Non-MLS binary policy versions.
+ */
+void test_downgrade(void)
+{
+ if (do_downgrade_test(0) < 0)
+ fprintf(stderr,
+ "\nError during downgrade testing of Non-MLS policy\n");
+
+
+ if (do_downgrade_test(1) < 0)
+ fprintf(stderr,
+ "\nError during downgrade testing of MLS policy\n");
+}
+
+/*
+ * Function Name: do_downgrade_test
+ *
+ * Input: 0 for Non-MLS policy and 1 for MLS policy downgrade testing
+ *
+ * Output: 0 on success, negative number upon failure
+ *
+ * Description: This function handles the downgrade testing.
+ * A binary policy is read into the policydb structure, the
+ * policy version is decreased by a specific amount, written
+ * back out and then read back in again. The process is
+ * repeated until the minimum policy version is reached.
+ */
+int do_downgrade_test(int mls)
+{
+ policydb_t policydb_tmp;
+ int hi, lo, version;
+
+ /* Reset policydb for re-use */
+ policydb_destroy(&policydb);
+ downgrade_test_init();
+
+ /* Read in the hi policy from file */
+ if (read_binary_policy(POLICY_BIN_HI, &policydb) != 0) {
+ fprintf(stderr, "error reading %spolicy binary\n", mls ? "mls " : "");
+ CU_FAIL("Unable to read the binary policy");
+ return -1;
+ }
+
+ /* Change MLS value based on parameter */
+ policydb.mls = mls ? 1 : 0;
+
+ for (hi = policydb.policyvers; hi >= POLICYDB_VERSION_MIN; hi--) {
+ /* Stash old version number */
+ version = policydb.policyvers;
+
+ /* Try downgrading to each possible version. */
+ for (lo = hi - 1; lo >= POLICYDB_VERSION_MIN; lo--) {
+
+ /* Reduce policy version */
+ policydb.policyvers = lo;
+
+ /* Write out modified binary policy */
+ if (write_binary_policy(POLICY_BIN_LO, &policydb) != 0) {
+ /*
+ * Error from MLS to pre-MLS is expected due
+ * to MLS re-implementation in version 19.
+ */
+ if (mls && lo < POLICYDB_VERSION_MLS)
+ continue;
+
+ fprintf(stderr, "error writing %spolicy binary, version %d (downgraded from %d)\n", mls ? "mls " : "", lo, hi);
+ CU_FAIL("Failed to write downgraded binary policy");
+ return -1;
+ }
+
+ /* Make sure we can read back what we wrote. */
+ if (policydb_init(&policydb_tmp)) {
+ fprintf(stderr, "%s: Out of memory!\n",
+ __FUNCTION__);
+ return -1;
+ }
+ if (read_binary_policy(POLICY_BIN_LO, &policydb_tmp) != 0) {
+ fprintf(stderr, "error reading %spolicy binary, version %d (downgraded from %d)\n", mls ? "mls " : "", lo, hi);
+ CU_FAIL("Unable to read downgraded binary policy");
+ return -1;
+ }
+ policydb_destroy(&policydb_tmp);
+ }
+ /* Restore version number */
+ policydb.policyvers = version;
+ }
+
+ return 0;
+}
+
+/*
+ * Function Name: read_binary_policy
+ *
+ * Input: char * which is the path to the file containing the binary policy
+ *
+ * Output: Returns 0 upon success. Upon failure, -1 is returned.
+ * Possible failures are, filename with given path does not exist,
+ * a failure to open the file, or a failure from prolicydb_read
+ * function call.
+ *
+ * Description: Get a filename, open file and read binary policy into policydb
+ * structure.
+ */
+int read_binary_policy(const char *path, policydb_t *p)
+{
+ FILE *in_fp = NULL;
+ struct policy_file f;
+ int rc;
+
+ /* Open the binary policy file */
+ if ((in_fp = fopen(path, "rb")) == NULL) {
+ fprintf(stderr, "Unable to open %s: %s\n", path,
+ strerror(errno));
+ sepol_handle_destroy(f.handle);
+ return -1;
+ }
+
+ /* Read in the binary policy. */
+ memset(&f, 0, sizeof(struct policy_file));
+ f.type = PF_USE_STDIO;
+ f.fp = in_fp;
+ rc = policydb_read(p, &f, 0);
+
+ sepol_handle_destroy(f.handle);
+ fclose(in_fp);
+ return rc;
+}
+
+/*
+ * Function Name: write_binary_policy
+ *
+ * Input: char * which is the path to the file containing the binary policy
+ *
+ * Output: Returns 0 upon success. Upon failure, -1 is returned.
+ * Possible failures are, filename with given path does not exist,
+ * a failure to open the file, or a failure from prolicydb_read
+ * function call.
+ *
+ * Description: open file and write the binary policy from policydb structure.
+ */
+int write_binary_policy(const char *path, policydb_t *p)
+{
+ FILE *out_fp = NULL;
+ struct policy_file f;
+ sepol_handle_t *handle;
+ int rc;
+
+ /* We don't want libsepol to print warnings to stderr */
+ handle = sepol_handle_create();
+ if (handle == NULL) {
+ fprintf(stderr, "Out of memory!\n");
+ return -1;
+ }
+ sepol_msg_set_callback(handle, NULL, NULL);
+
+ /* Open the binary policy file for writing */
+ if ((out_fp = fopen(path, "w" )) == NULL) {
+ fprintf(stderr, "Unable to open %s: %s\n", path,
+ strerror(errno));
+ sepol_handle_destroy(f.handle);
+ return -1;
+ }
+
+ /* Write the binary policy */
+ memset(&f, 0, sizeof(struct policy_file));
+ f.type = PF_USE_STDIO;
+ f.fp = out_fp;
+ f.handle = handle;
+ rc = policydb_write(p, &f);
+
+ sepol_handle_destroy(f.handle);
+ fclose(out_fp);
+ return rc;
+}
diff --git a/tests/test-downgrade.h b/tests/test-downgrade.h
new file mode 100644
index 0000000..10a7c3b
--- /dev/null
+++ b/tests/test-downgrade.h
@@ -0,0 +1,119 @@
+/*
+ * Author: Mary Garvin <mgarvin@tresys.com>
+ *
+ * Copyright (C) 2007-2008 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef __TEST_DOWNGRADE_H__
+#define __TEST_DOWNGRADE_H__
+
+#include <CUnit/Basic.h>
+#include <sepol/policydb/policydb.h>
+
+/*
+ * Function Name: downgrade_test_init
+ *
+ * Input: None
+ *
+ * Output: None
+ *
+ * Description: Initialize the policydb (policy data base structure)
+ */
+int downgrade_test_init(void);
+
+/*
+ * Function Name: downgrade_test_cleanup
+ *
+ * Input: None
+ *
+ * Output: None
+ *
+ * Description: Destroys policydb structure
+ */
+int downgrade_test_cleanup(void);
+
+/*
+ * Function Name: downgrade_add_tests
+ *
+ * Input: CU_pSuite
+ *
+ * Output: Returns 0 upon success. Upon failure, a CUnit testing error
+ * value is returned
+ *
+ * Description: Add the given downgrade tests to the downgrade suite.
+ */
+int downgrade_add_tests(CU_pSuite suite);
+
+/*
+ * Function Name: test_downgrade_possible
+ *
+ * Input: None
+ *
+ * Output: None
+ *
+ * Description: Tests the backward compatability of MLS and Non-MLS binary
+ * policy versions.
+ */
+void test_downgrade(void);
+
+/*
+ * Function Name: do_downgrade_test
+ *
+ * Input: int that represents a 0 for Non-MLS policy and a
+ * 1 for MLS policy downgrade testing
+ *
+ * Output: (int) 0 on success, negative number upon failure
+ *
+ * Description: This function handles the downgrade testing. A binary policy
+ * is read into the policydb structure, the policy version is
+ * decreased by a specific amount, written back out and then read
+ * back in again. The process is iterative until the minimum
+ * policy version is reached.
+ */
+int do_downgrade_test(int mls);
+
+/*
+ * Function Name: read_binary_policy
+ *
+ * Input: char * which is the path to the file containing the binary policy
+ *
+ * Output: Returns 0 upon success. Upon failure, -1 is returned.
+ * Possible failures are, filename with given path does not exist,
+ * a failure to open the file, or a failure from prolicydb_read
+ * function call.
+ *
+ * Description: Get a filename, open file and read in the binary policy
+ * into the policydb structure.
+ */
+int read_binary_policy(const char *path, policydb_t *);
+
+/*
+ * Function Name: write_binary_policy
+ *
+ * Input: char * which is the path to the file containing the binary policy
+ *
+ * Output: Returns 0 upon success. Upon failure, -1 is returned.
+ * Possible failures are, filename with given path does not exist,
+ * a failure to open the file, or a failure from prolicydb_read
+ * function call.
+ *
+ * Description: Get a filename, open file and read in the binary policy
+ * into the policydb structure.
+ */
+int write_binary_policy(const char *path, policydb_t *);
+
+#endif
diff --git a/tests/test-expander-attr-map.c b/tests/test-expander-attr-map.c
new file mode 100644
index 0000000..5c24ced
--- /dev/null
+++ b/tests/test-expander-attr-map.c
@@ -0,0 +1,105 @@
+/*
+ * Authors: Chad Sellers <csellers@tresys.com>
+ * Joshua Brindle <jbrindle@tresys.com>
+ *
+ * Copyright (C) 2006 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include "test-expander-attr-map.h"
+#include "test-common.h"
+
+#include <sepol/policydb/policydb.h>
+#include <CUnit/Basic.h>
+#include <stdlib.h>
+
+extern policydb_t base_expanded2;
+
+void test_expander_attr_mapping(void)
+{
+ /* note that many cases are ommitted because they don't make sense
+ (i.e. declaring in an optional and then using it in the base) or
+ because declare in optional then require in a different optional
+ logic still doesn't work */
+
+ char *typesb1[] = { "attr_check_base_1_1_t", "attr_check_base_1_2_t" };
+ char *typesb2[] = { "attr_check_base_2_1_t", "attr_check_base_2_2_t" };
+ char *typesb3[] = { "attr_check_base_3_1_t", "attr_check_base_3_2_t",
+ "attr_check_base_3_3_t", "attr_check_base_3_4_t"
+ };
+ char *typesb4[] = { "attr_check_base_4_1_t", "attr_check_base_4_2_t" };
+ char *typesb5[] = { "attr_check_base_5_1_t", "attr_check_base_5_2_t" };
+ char *typesb6[] = { "attr_check_base_6_1_t", "attr_check_base_6_2_t",
+ "attr_check_base_6_3_t", "attr_check_base_6_4_t"
+ };
+ char *typesbo2[] = { "attr_check_base_optional_2_1_t",
+ "attr_check_base_optional_2_2_t"
+ };
+ char *typesbo5[] = { "attr_check_base_optional_5_1_t",
+ "attr_check_base_optional_5_2_t"
+ };
+ char *typesm2[] = { "attr_check_mod_2_1_t", "attr_check_mod_2_2_t" };
+ char *typesm4[] = { "attr_check_mod_4_1_t", "attr_check_mod_4_2_t" };
+ char *typesm5[] = { "attr_check_mod_5_1_t", "attr_check_mod_5_2_t" };
+ char *typesm6[] = { "attr_check_mod_6_1_t", "attr_check_mod_6_2_t",
+ "attr_check_mod_6_3_t", "attr_check_mod_6_4_t"
+ };
+ char *typesmo2[] = { "attr_check_mod_optional_4_1_t",
+ "attr_check_mod_optional_4_2_t"
+ };
+ char *typesb10[] = { "attr_check_base_10_1_t", "attr_check_base_10_2_t" };
+ char *typesb11[] = { "attr_check_base_11_3_t", "attr_check_base_11_4_t" };
+ char *typesm10[] = { "attr_check_mod_10_1_t", "attr_check_mod_10_2_t" };
+ char *typesm11[] = { "attr_check_mod_11_3_t", "attr_check_mod_11_4_t" };
+
+ test_attr_types(&base_expanded2, "attr_check_base_1", NULL, typesb1, 2);
+ test_attr_types(&base_expanded2, "attr_check_base_2", NULL, typesb2, 2);
+ test_attr_types(&base_expanded2, "attr_check_base_3", NULL, typesb3, 4);
+ test_attr_types(&base_expanded2, "attr_check_base_4", NULL, typesb4, 2);
+ test_attr_types(&base_expanded2, "attr_check_base_5", NULL, typesb5, 2);
+ test_attr_types(&base_expanded2, "attr_check_base_6", NULL, typesb6, 4);
+ test_attr_types(&base_expanded2, "attr_check_base_optional_2", NULL, typesbo2, 2);
+ test_attr_types(&base_expanded2, "attr_check_base_optional_5", NULL, typesbo5, 2);
+ test_attr_types(&base_expanded2, "attr_check_mod_2", NULL, typesm2, 2);
+ test_attr_types(&base_expanded2, "attr_check_mod_4", NULL, typesm4, 2);
+ test_attr_types(&base_expanded2, "attr_check_mod_5", NULL, typesm5, 2);
+ test_attr_types(&base_expanded2, "attr_check_mod_6", NULL, typesm6, 4);
+ test_attr_types(&base_expanded2, "attr_check_mod_optional_4", NULL, typesmo2, 2);
+ test_attr_types(&base_expanded2, "attr_check_base_7", NULL, NULL, 0);
+ test_attr_types(&base_expanded2, "attr_check_base_8", NULL, NULL, 0);
+ test_attr_types(&base_expanded2, "attr_check_base_9", NULL, NULL, 0);
+ test_attr_types(&base_expanded2, "attr_check_base_10", NULL, typesb10, 2);
+ test_attr_types(&base_expanded2, "attr_check_base_11", NULL, typesb11, 2);
+ test_attr_types(&base_expanded2, "attr_check_mod_7", NULL, NULL, 0);
+ test_attr_types(&base_expanded2, "attr_check_mod_8", NULL, NULL, 0);
+ test_attr_types(&base_expanded2, "attr_check_mod_9", NULL, NULL, 0);
+ test_attr_types(&base_expanded2, "attr_check_mod_10", NULL, typesm10, 2);
+ test_attr_types(&base_expanded2, "attr_check_mod_11", NULL, typesm11, 2);
+ test_attr_types(&base_expanded2, "attr_check_base_optional_8", NULL, NULL, 0);
+ test_attr_types(&base_expanded2, "attr_check_mod_optional_7", NULL, NULL, 0);
+ CU_ASSERT(!hashtab_search((&base_expanded2)->p_types.table, "attr_check_base_optional_disabled_5"));
+ CU_ASSERT(!hashtab_search((&base_expanded2)->p_types.table, "attr_check_base_optional_disabled_5_1_t"));
+ CU_ASSERT(!hashtab_search((&base_expanded2)->p_types.table, "attr_check_base_optional_disabled_5_2_t"));
+ CU_ASSERT(!hashtab_search((&base_expanded2)->p_types.table, "attr_check_base_optional_disabled_8"));
+ CU_ASSERT(!hashtab_search((&base_expanded2)->p_types.table, "attr_check_base_optional_disabled_8_1_t"));
+ CU_ASSERT(!hashtab_search((&base_expanded2)->p_types.table, "attr_check_base_optional_disabled_8_2_t"));
+ CU_ASSERT(!hashtab_search((&base_expanded2)->p_types.table, "attr_check_mod_optional_disabled_4"));
+ CU_ASSERT(!hashtab_search((&base_expanded2)->p_types.table, "attr_check_mod_optional_disabled_4_1_t"));
+ CU_ASSERT(!hashtab_search((&base_expanded2)->p_types.table, "attr_check_mod_optional_disabled_4_2_t"));
+ CU_ASSERT(!hashtab_search((&base_expanded2)->p_types.table, "attr_check_mod_optional_disabled_7"));
+ CU_ASSERT(!hashtab_search((&base_expanded2)->p_types.table, "attr_check_mod_optional_disabled_7_1_t"));
+ CU_ASSERT(!hashtab_search((&base_expanded2)->p_types.table, "attr_check_mod_optional_disabled_7_2_t"));
+}
diff --git a/tests/test-expander-attr-map.h b/tests/test-expander-attr-map.h
new file mode 100644
index 0000000..6a10089
--- /dev/null
+++ b/tests/test-expander-attr-map.h
@@ -0,0 +1,26 @@
+/*
+ * Author: Joshua Brindle <jbrindle@tresys.com>
+ *
+ * Copyright (C) 2006 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef __TEST_EXPANDER__ATTR_MAP_H__
+#define __TEST_EXPANDER__ATTR_MAP_H__
+
+void test_expander_attr_mapping(void);
+
+#endif
diff --git a/tests/test-expander-roles.c b/tests/test-expander-roles.c
new file mode 100644
index 0000000..ecfa88e
--- /dev/null
+++ b/tests/test-expander-roles.c
@@ -0,0 +1,37 @@
+/*
+ * Authors: Chad Sellers <csellers@tresys.com>
+ * Joshua Brindle <jbrindle@tresys.com>
+ * Chris PeBenito <cpebenito@tresys.com>
+ *
+ * Copyright (C) 2006 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include "test-expander-roles.h"
+#include "test-common.h"
+
+#include <sepol/policydb/policydb.h>
+#include <CUnit/Basic.h>
+#include <stdlib.h>
+
+extern policydb_t role_expanded;
+
+void test_expander_role_mapping(void)
+{
+ char *types1[] = { "role_check_1_1_t", "role_check_1_2_t" };
+
+ test_role_type_set(&role_expanded, "role_check_1", NULL, types1, 2, 0);
+}
diff --git a/tests/test-expander-roles.h b/tests/test-expander-roles.h
new file mode 100644
index 0000000..380d2ef
--- /dev/null
+++ b/tests/test-expander-roles.h
@@ -0,0 +1,27 @@
+/*
+ * Author: Joshua Brindle <jbrindle@tresys.com>
+ * Author: Chris PeBenito <cpebenito@tresys.com>
+ *
+ * Copyright (C) 2006 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef __TEST_EXPANDER_ROLE_H__
+#define __TEST_EXPANDER_ROLE_H__
+
+void test_expander_role_mapping(void);
+
+#endif
diff --git a/tests/test-expander-users.c b/tests/test-expander-users.c
new file mode 100644
index 0000000..549492b
--- /dev/null
+++ b/tests/test-expander-users.c
@@ -0,0 +1,75 @@
+/*
+ * Authors: Chad Sellers <csellers@tresys.com>
+ * Joshua Brindle <jbrindle@tresys.com>
+ * Chris PeBenito <cpebenito@tresys.com>
+ *
+ * Copyright (C) 2006 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include "test-expander-users.h"
+
+#include <sepol/policydb/policydb.h>
+#include <CUnit/Basic.h>
+#include <stdlib.h>
+
+extern policydb_t user_expanded;
+
+static void check_user_roles(policydb_t * p, char *user_name, char **role_names, int num_roles)
+{
+ user_datum_t *user;
+ ebitmap_node_t *tnode;
+ unsigned int i;
+ int j;
+ unsigned char *found; /* array of booleans of roles found */
+ int extra = 0; /* number of extra roles found */
+
+ user = (user_datum_t *) hashtab_search(p->p_users.table, user_name);
+ if (!user) {
+ printf("%s not found\n", user_name);
+ CU_FAIL("user not found");
+ return;
+ }
+ found = calloc(num_roles, sizeof(unsigned char));
+ CU_ASSERT_FATAL(found != NULL);
+ ebitmap_for_each_bit(&user->roles.roles, tnode, i) {
+ if (ebitmap_node_get_bit(tnode, i)) {
+ extra++;
+ for (j = 0; j < num_roles; j++) {
+ if (strcmp(role_names[j], p->p_role_val_to_name[i]) == 0) {
+ extra--;
+ found[j] += 1;
+ break;
+ }
+ }
+ }
+ }
+ for (j = 0; j < num_roles; j++) {
+ if (found[j] != 1) {
+ printf("role %s associated with user %s %d times\n", role_names[j], user_name, found[j]);
+ CU_FAIL("user mapping failure\n");
+ }
+ }
+ free(found);
+ CU_ASSERT_EQUAL(extra, 0);
+}
+
+void test_expander_user_mapping(void)
+{
+ char *roles1[] = { "user_check_1_1_r", "user_check_1_2_r" };
+
+ check_user_roles(&user_expanded, "user_check_1", roles1, 2);
+}
diff --git a/tests/test-expander-users.h b/tests/test-expander-users.h
new file mode 100644
index 0000000..cb12143
--- /dev/null
+++ b/tests/test-expander-users.h
@@ -0,0 +1,27 @@
+/*
+ * Author: Joshua Brindle <jbrindle@tresys.com>
+ * Author: Chris PeBenito <cpebenito@tresys.com>
+ *
+ * Copyright (C) 2006 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef __TEST_EXPANDER_USER_H__
+#define __TEST_EXPANDER_USER_H__
+
+void test_expander_user_mapping(void);
+
+#endif
diff --git a/tests/test-expander.c b/tests/test-expander.c
new file mode 100644
index 0000000..ded1d9d
--- /dev/null
+++ b/tests/test-expander.c
@@ -0,0 +1,218 @@
+/*
+ * Authors: Chad Sellers <csellers@tresys.com>
+ * Joshua Brindle <jbrindle@tresys.com>
+ *
+ * Copyright (C) 2006 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+/* This is where the expander tests should go, including:
+ * - check role, type, bool, user mapping
+ * - add symbols declared in enabled optionals
+ * - do not add symbols declared in disabled optionals
+ * - add rules from enabled optionals
+ * - do not add rules from disabled optionals
+ * - verify attribute mapping
+
+ * - check conditional expressions for correct mapping
+ */
+
+#include "test-expander.h"
+#include "parse_util.h"
+#include "helpers.h"
+#include "test-common.h"
+#include "test-expander-users.h"
+#include "test-expander-roles.h"
+#include "test-expander-attr-map.h"
+
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/expand.h>
+#include <sepol/policydb/link.h>
+#include <sepol/policydb/conditional.h>
+#include <limits.h>
+#include <stdlib.h>
+
+policydb_t role_expanded;
+policydb_t user_expanded;
+policydb_t base_expanded2;
+static policydb_t basemod;
+static policydb_t basemod2;
+static policydb_t mod2;
+static policydb_t base_expanded;
+static policydb_t base_only_mod;
+static policydb_t base_only_expanded;
+static policydb_t role_basemod;
+static policydb_t role_mod;
+static policydb_t user_basemod;
+static policydb_t user_mod;
+static policydb_t alias_basemod;
+static policydb_t alias_mod;
+static policydb_t alias_expanded;
+static uint32_t *typemap;
+extern int mls;
+
+/* Takes base, some number of modules, links them, and expands them
+ reads source from myfiles array, which has the base string followed by
+ each module string */
+int expander_policy_init(policydb_t * mybase, int num_modules, policydb_t ** mymodules, policydb_t * myexpanded, char **myfiles)
+{
+ char *filename[num_modules + 1];
+ int i;
+
+ for (i = 0; i < num_modules + 1; i++) {
+ filename[i] = calloc(PATH_MAX, sizeof(char));
+ if (snprintf(filename[i], PATH_MAX, "policies/test-expander/%s%s", myfiles[i], mls ? ".mls" : ".std") < 0)
+ return -1;
+ }
+
+ if (policydb_init(mybase)) {
+ fprintf(stderr, "out of memory!\n");
+ return -1;
+ }
+
+ for (i = 0; i < num_modules; i++) {
+ if (policydb_init(mymodules[i])) {
+ fprintf(stderr, "out of memory!\n");
+ return -1;
+ }
+ }
+
+ if (policydb_init(myexpanded)) {
+ fprintf(stderr, "out of memory!\n");
+ return -1;
+ }
+
+ mybase->policy_type = POLICY_BASE;
+ mybase->mls = mls;
+
+ if (read_source_policy(mybase, filename[0], myfiles[0])) {
+ fprintf(stderr, "read source policy failed %s\n", filename[0]);
+ return -1;
+ }
+
+ for (i = 1; i < num_modules + 1; i++) {
+ mymodules[i - 1]->policy_type = POLICY_MOD;
+ mymodules[i - 1]->mls = mls;
+ if (read_source_policy(mymodules[i - 1], filename[i], myfiles[i])) {
+ fprintf(stderr, "read source policy failed %s\n", filename[i]);
+ return -1;
+ }
+ }
+
+ if (link_modules(NULL, mybase, mymodules, num_modules, 0)) {
+ fprintf(stderr, "link modules failed\n");
+ return -1;
+ }
+
+ if (expand_module(NULL, mybase, myexpanded, 0, 0)) {
+ fprintf(stderr, "expand modules failed\n");
+ return -1;
+ }
+
+ return 0;
+}
+
+int expander_test_init(void)
+{
+ char *small_base_file = "small-base.conf";
+ char *base_only_file = "base-base-only.conf";
+ int rc;
+ policydb_t *mymod2;
+ char *files2[] = { "small-base.conf", "module.conf" };
+ char *role_files[] = { "role-base.conf", "role-module.conf" };
+ char *user_files[] = { "user-base.conf", "user-module.conf" };
+ char *alias_files[] = { "alias-base.conf", "alias-module.conf" };
+
+ rc = expander_policy_init(&basemod, 0, NULL, &base_expanded, &small_base_file);
+ if (rc != 0)
+ return rc;
+
+ mymod2 = &mod2;
+ rc = expander_policy_init(&basemod2, 1, &mymod2, &base_expanded2, files2);
+ if (rc != 0)
+ return rc;
+
+ rc = expander_policy_init(&base_only_mod, 0, NULL, &base_only_expanded, &base_only_file);
+ if (rc != 0)
+ return rc;
+
+ mymod2 = &role_mod;
+ rc = expander_policy_init(&role_basemod, 1, &mymod2, &role_expanded, role_files);
+ if (rc != 0)
+ return rc;
+
+ /* Just init the base for now, until we figure out how to separate out
+ mls and non-mls tests since users can't be used in mls module */
+ mymod2 = &user_mod;
+ rc = expander_policy_init(&user_basemod, 0, NULL, &user_expanded, user_files);
+ if (rc != 0)
+ return rc;
+
+ mymod2 = &alias_mod;
+ rc = expander_policy_init(&alias_basemod, 1, &mymod2, &alias_expanded, alias_files);
+ if (rc != 0)
+ return rc;
+
+ return 0;
+}
+
+int expander_test_cleanup(void)
+{
+ policydb_destroy(&basemod);
+ policydb_destroy(&base_expanded);
+ free(typemap);
+
+ return 0;
+}
+
+static void test_expander_indexes(void)
+{
+ test_policydb_indexes(&base_expanded);
+}
+
+static void test_expander_alias(void)
+{
+ test_alias_datum(&alias_expanded, "alias_check_1_a", "alias_check_1_t", 1, 0);
+ test_alias_datum(&alias_expanded, "alias_check_2_a", "alias_check_2_t", 1, 0);
+ test_alias_datum(&alias_expanded, "alias_check_3_a", "alias_check_3_t", 1, 0);
+}
+
+int expander_add_tests(CU_pSuite suite)
+{
+ if (NULL == CU_add_test(suite, "expander_indexes", test_expander_indexes)) {
+ CU_cleanup_registry();
+ return CU_get_error();
+ }
+
+ if (NULL == CU_add_test(suite, "expander_attr_mapping", test_expander_attr_mapping)) {
+ CU_cleanup_registry();
+ return CU_get_error();
+ }
+
+ if (NULL == CU_add_test(suite, "expander_role_mapping", test_expander_role_mapping)) {
+ CU_cleanup_registry();
+ return CU_get_error();
+ }
+ if (NULL == CU_add_test(suite, "expander_user_mapping", test_expander_user_mapping)) {
+ CU_cleanup_registry();
+ return CU_get_error();
+ }
+ if (NULL == CU_add_test(suite, "expander_alias", test_expander_alias)) {
+ CU_cleanup_registry();
+ return CU_get_error();
+ }
+ return 0;
+}
diff --git a/tests/test-expander.h b/tests/test-expander.h
new file mode 100644
index 0000000..5964133
--- /dev/null
+++ b/tests/test-expander.h
@@ -0,0 +1,30 @@
+/*
+ * Author: Joshua Brindle <jbrindle@tresys.com>
+ *
+ * Copyright (C) 2006 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef __TEST_EXPANDER_H__
+#define __TEST_EXPANDER_H__
+
+#include <CUnit/Basic.h>
+
+int expander_test_init(void);
+int expander_test_cleanup(void);
+int expander_add_tests(CU_pSuite suite);
+
+#endif
diff --git a/tests/test-linker-cond-map.c b/tests/test-linker-cond-map.c
new file mode 100644
index 0000000..0ef0d69
--- /dev/null
+++ b/tests/test-linker-cond-map.c
@@ -0,0 +1,159 @@
+/*
+ * Author: Joshua Brindle <jbrindle@tresys.com>
+ *
+ * Copyright (C) 2006 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include "parse_util.h"
+#include "helpers.h"
+#include "test-common.h"
+
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/link.h>
+#include <sepol/policydb/conditional.h>
+
+#include <CUnit/Basic.h>
+#include <stdlib.h>
+
+/* Tests for conditionals
+ * Test each cond/bool for these
+ * - boolean copied correctly (state is correct)
+ * - conditional expression is correct
+ * Tests:
+ * - single boolean in base
+ * - single boolean in module
+ * - single boolean in base optional
+ * - single boolean in module optional
+ * - 2 booleans in base
+ * - 2 booleans in module
+ * - 2 booleans in base optional
+ * - 2 booleans in module optional
+ * - 2 booleans, base and module
+ * - 2 booleans, base optional and module
+ * - 2 booleans, base optional and module optional
+ * - 3 booleans, base, base optional, module
+ * - 4 boolean, base, base optional, module, module optional
+ */
+
+typedef struct test_cond_expr {
+ char *bool;
+ uint32_t expr_type;
+} test_cond_expr_t;
+
+void test_cond_expr_mapping(policydb_t * p, avrule_decl_t * d, test_cond_expr_t * bools, int len)
+{
+ int i;
+ cond_expr_t *expr;
+
+ CU_ASSERT_FATAL(d->cond_list != NULL);
+ CU_ASSERT_FATAL(d->cond_list->expr != NULL);
+
+ expr = d->cond_list->expr;
+
+ for (i = 0; i < len; i++) {
+ CU_ASSERT_FATAL(expr != NULL);
+
+ CU_ASSERT(expr->expr_type == bools[i].expr_type);
+ if (bools[i].bool) {
+ CU_ASSERT(strcmp(p->sym_val_to_name[SYM_BOOLS][expr->bool - 1], bools[i].bool) == 0);
+ }
+ expr = expr->next;
+ }
+}
+
+void test_bool_state(policydb_t * p, char *bool, int state)
+{
+ cond_bool_datum_t *b;
+
+ b = hashtab_search(p->p_bools.table, bool);
+ CU_ASSERT_FATAL(b != NULL);
+ CU_ASSERT(b->state == state);
+}
+
+void base_cond_tests(policydb_t * base)
+{
+ avrule_decl_t *d;
+ unsigned int decls[1];
+ test_cond_expr_t bools[2];
+
+ /* these tests look at booleans and conditionals in the base only
+ * to ensure that they aren't altered or removed during the link process */
+
+ /* bool existance and state, global scope */
+ d = test_find_decl_by_sym(base, SYM_TYPES, "tag_g_b");
+ decls[0] = d->decl_id;
+ test_sym_presence(base, "g_b_bool_1", SYM_BOOLS, SCOPE_DECL, decls, 1);
+ test_bool_state(base, "g_b_bool_1", 0);
+ /* conditional expression mapped correctly */
+ bools[0].bool = "g_b_bool_1";
+ bools[0].expr_type = COND_BOOL;
+ test_cond_expr_mapping(base, d, bools, 1);
+
+ /* bool existance and state, optional scope */
+ d = test_find_decl_by_sym(base, SYM_TYPES, "tag_o1_b");
+ decls[0] = d->decl_id;
+ test_sym_presence(base, "o1_b_bool_1", SYM_BOOLS, SCOPE_DECL, decls, 1);
+ test_bool_state(base, "o1_b_bool_1", 1);
+ /* conditional expression mapped correctly */
+ bools[0].bool = "o1_b_bool_1";
+ bools[0].expr_type = COND_BOOL;
+ test_cond_expr_mapping(base, d, bools, 1);
+
+}
+
+void module_cond_tests(policydb_t * base)
+{
+ avrule_decl_t *d;
+ unsigned int decls[1];
+ test_cond_expr_t bools[3];
+
+ /* bool existance and state, module 1 global scope */
+ d = test_find_decl_by_sym(base, SYM_TYPES, "tag_g_m1");
+ decls[0] = d->decl_id;
+ test_sym_presence(base, "g_m1_bool_1", SYM_BOOLS, SCOPE_DECL, decls, 1);
+ test_bool_state(base, "g_m1_bool_1", 1);
+ /* conditional expression mapped correctly */
+ bools[0].bool = "g_m1_bool_1";
+ bools[0].expr_type = COND_BOOL;
+ test_cond_expr_mapping(base, d, bools, 1);
+
+ /* bool existance and state, module 1 optional scope */
+ d = test_find_decl_by_sym(base, SYM_TYPES, "tag_o1_m1");
+ decls[0] = d->decl_id;
+ test_sym_presence(base, "o1_m1_bool_1", SYM_BOOLS, SCOPE_DECL, decls, 1);
+ test_bool_state(base, "o1_m1_bool_1", 0);
+ /* conditional expression mapped correctly */
+ bools[0].bool = "o1_m1_bool_1";
+ bools[0].expr_type = COND_BOOL;
+ test_cond_expr_mapping(base, d, bools, 1);
+
+ /* bool existance and state, module 2 global scope */
+ d = test_find_decl_by_sym(base, SYM_TYPES, "tag_g_m2");
+ decls[0] = d->decl_id;
+ test_sym_presence(base, "g_m2_bool_1", SYM_BOOLS, SCOPE_DECL, decls, 1);
+ test_sym_presence(base, "g_m2_bool_2", SYM_BOOLS, SCOPE_DECL, decls, 1);
+ test_bool_state(base, "g_m2_bool_1", 1);
+ test_bool_state(base, "g_m2_bool_2", 0);
+ /* conditional expression mapped correctly */
+ bools[0].bool = "g_m2_bool_1";
+ bools[0].expr_type = COND_BOOL;
+ bools[1].bool = "g_m2_bool_2";
+ bools[1].expr_type = COND_BOOL;
+ bools[2].bool = NULL;
+ bools[2].expr_type = COND_AND;
+ test_cond_expr_mapping(base, d, bools, 3);
+}
diff --git a/tests/test-linker-cond-map.h b/tests/test-linker-cond-map.h
new file mode 100644
index 0000000..148c6f6
--- /dev/null
+++ b/tests/test-linker-cond-map.h
@@ -0,0 +1,27 @@
+/*
+ * Author: Joshua Brindle <jbrindle@tresys.com>
+ *
+ * Copyright (C) 2006 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef __TEST_LINKER_COND_MAP_H__
+#define __TEST_LINKER_COND_MAP_H__
+
+extern void base_cond_tests(policydb_t * base);
+extern void module_cond_tests(policydb_t * base);
+
+#endif
diff --git a/tests/test-linker-roles.c b/tests/test-linker-roles.c
new file mode 100644
index 0000000..42f92d3
--- /dev/null
+++ b/tests/test-linker-roles.c
@@ -0,0 +1,206 @@
+/*
+ * Author: Joshua Brindle <jbrindle@tresys.com>
+ *
+ * Copyright (C) 2006 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include "parse_util.h"
+#include "helpers.h"
+#include "test-common.h"
+
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/link.h>
+
+#include <CUnit/Basic.h>
+#include <stdlib.h>
+
+/* Tests for roles:
+ * Test for each of these for
+ * - role in appropriate symtab (global and decl)
+ * - datum in the decl symtab has correct type_set
+ * - scope datum has correct decl ids
+ * - dominates bitmap is correct
+ * Tests:
+ * - role in base, no modules
+ * - role in base optional, no modules
+ * - role a in base, b in module
+ * - role a in base and module (additive)
+ * - role a in base and 2 module
+ * - role a in base optional, b in module
+ * - role a in base, b in module optional
+ * - role a in base optional, b in module optional
+ * - role a in base optional and module
+ * - role a in base and module optional
+ * - role a in base optional and module optional
+ * - role a in base optional and 2 modules
+ * - role a and b in base, b dom a, are types correct (TODO)
+ */
+
+/* this simply tests whether the passed in role only has its own
+ * value in its dominates ebitmap */
+static void only_dominates_self(policydb_t * p, role_datum_t * role)
+{
+ ebitmap_node_t *tnode;
+ unsigned int i;
+ int found = 0;
+
+ ebitmap_for_each_bit(&role->dominates, tnode, i) {
+ if (ebitmap_node_get_bit(tnode, i)) {
+ found++;
+ CU_ASSERT(i == role->s.value - 1);
+ }
+ }
+ CU_ASSERT(found == 1);
+}
+
+void base_role_tests(policydb_t * base)
+{
+ avrule_decl_t *decl;
+ role_datum_t *role;
+ unsigned int decls[2];
+ char *types[2];
+
+ /* These tests look at roles in the base only, the desire is to ensure that
+ * roles are not destroyed or otherwise removed during the link process */
+
+ /**** test for g_b_role_1 in base and decl 1 (global) ****/
+ decls[0] = (test_find_decl_by_sym(base, SYM_TYPES, "tag_g_b"))->decl_id;
+ test_sym_presence(base, "g_b_role_1", SYM_ROLES, SCOPE_DECL, decls, 1);
+ /* make sure it has the correct type set (g_b_type_1, no negset, no flags) */
+ types[0] = "g_b_type_1";
+ role = test_role_type_set(base, "g_b_role_1", NULL, types, 1, 0);
+ /* This role should only dominate itself */
+ only_dominates_self(base, role);
+
+ /**** test for o1_b_role_1 in optional (decl 2) ****/
+ decl = test_find_decl_by_sym(base, SYM_TYPES, "tag_o1_b");
+ decls[0] = decl->decl_id;
+ test_sym_presence(base, "o1_b_role_1", SYM_ROLES, SCOPE_DECL, decls, 1);
+ /* make sure it has the correct type set (o1_b_type_1, no negset, no flags) */
+ types[0] = "o1_b_type_1";
+ role = test_role_type_set(base, "o1_b_role_1", decl, types, 1, 0);
+ /* and only dominates itself */
+ only_dominates_self(base, role);
+}
+
+void module_role_tests(policydb_t * base)
+{
+ role_datum_t *role;
+ avrule_decl_t *decl;
+ unsigned int decls[2];
+ char *types[3];
+
+ /* These tests are run when the base is linked with 2 modules,
+ * They should test whether the roles get copied correctly from the
+ * modules into the base */
+
+ /**** test for role in module 1 (global) ****/
+ decls[0] = (test_find_decl_by_sym(base, SYM_TYPES, "tag_g_m1"))->decl_id;
+ test_sym_presence(base, "g_m1_role_1", SYM_ROLES, SCOPE_DECL, decls, 1);
+ /* make sure it has the correct type set (g_m1_type_1, no negset, no flags) */
+ types[0] = "g_m1_type_1";
+ role = test_role_type_set(base, "g_m1_role_1", NULL, types, 1, 0);
+ /* and only dominates itself */
+ only_dominates_self(base, role);
+
+ /**** test for role in module 1 (optional) ****/
+ decl = test_find_decl_by_sym(base, SYM_TYPES, "tag_o1_m1");
+ decls[0] = decl->decl_id;
+ test_sym_presence(base, "o1_m1_role_1", SYM_ROLES, SCOPE_DECL, decls, 1);
+ /* make sure it has the correct type set (o1_m1_type_1, no negset, no flags) */
+ types[0] = "o1_m1_type_1";
+ role = test_role_type_set(base, "o1_m1_role_1", decl, types, 1, 0);
+ /* and only dominates itself */
+ only_dominates_self(base, role);
+
+ /* These test whether the type sets are copied to the right place and
+ * correctly unioned when they should be */
+
+ /**** test for type added to base role in module 1 (global) ****/
+ decls[0] = (test_find_decl_by_sym(base, SYM_TYPES, "tag_g_b"))->decl_id;
+ decls[1] = (test_find_decl_by_sym(base, SYM_TYPES, "tag_g_m1"))->decl_id;
+ test_sym_presence(base, "g_b_role_2", SYM_ROLES, SCOPE_DECL, decls, 2);
+ /* make sure it has the correct type set (g_m1_type_1, no negset, no flags) */
+ types[0] = "g_b_type_2"; /* added in base when declared */
+ types[1] = "g_m1_type_1"; /* added in module */
+ role = test_role_type_set(base, "g_b_role_2", NULL, types, 2, 0);
+ /* and only dominates itself */
+ only_dominates_self(base, role);
+
+ /**** test for type added to base role in module 1 & 2 (global) ****/
+ decls[0] = (test_find_decl_by_sym(base, SYM_TYPES, "tag_g_b"))->decl_id;
+ decls[1] = (test_find_decl_by_sym(base, SYM_TYPES, "tag_g_m1"))->decl_id;
+ decls[2] = (test_find_decl_by_sym(base, SYM_TYPES, "tag_g_m2"))->decl_id;
+ test_sym_presence(base, "g_b_role_3", SYM_ROLES, SCOPE_DECL, decls, 3);
+ /* make sure it has the correct type set (g_b_type_2, g_m1_type_2, g_m2_type_2, no negset, no flags) */
+ types[0] = "g_b_type_2"; /* added in base when declared */
+ types[1] = "g_m1_type_2"; /* added in module 1 */
+ types[2] = "g_m2_type_2"; /* added in module 2 */
+ role = test_role_type_set(base, "g_b_role_3", NULL, types, 3, 0);
+ /* and only dominates itself */
+ only_dominates_self(base, role);
+
+ /**** test for role in base optional and module 1 (additive) ****/
+ decls[0] = (test_find_decl_by_sym(base, SYM_TYPES, "tag_o1_b"))->decl_id;
+ decls[1] = (test_find_decl_by_sym(base, SYM_TYPES, "tag_g_m1"))->decl_id;
+ test_sym_presence(base, "o1_b_role_2", SYM_ROLES, SCOPE_DECL, decls, 2);
+ /* this one will have 2 type sets, one in the global symtab and one in the base optional 1 */
+ types[0] = "g_m1_type_1";
+ role = test_role_type_set(base, "o1_b_role_2", NULL, types, 1, 0);
+ types[0] = "o1_b_type_1";
+ role = test_role_type_set(base, "o1_b_role_2", test_find_decl_by_sym(base, SYM_TYPES, "tag_o1_b"), types, 1, 0);
+ /* and only dominates itself */
+ only_dominates_self(base, role);
+
+ /**** test for role in base and module 1 optional (additive) ****/
+ decls[0] = (test_find_decl_by_sym(base, SYM_TYPES, "tag_g_b"))->decl_id;
+ decls[1] = (test_find_decl_by_sym(base, SYM_TYPES, "tag_o2_m1"))->decl_id;
+ test_sym_presence(base, "g_b_role_4", SYM_ROLES, SCOPE_DECL, decls, 2);
+ /* this one will have 2 type sets, one in the global symtab and one in the base optional 1 */
+ types[0] = "g_b_type_2";
+ role = test_role_type_set(base, "g_b_role_4", NULL, types, 1, 0);
+ types[0] = "g_m1_type_2";
+ role = test_role_type_set(base, "g_b_role_4", test_find_decl_by_sym(base, SYM_TYPES, "tag_o2_m1"), types, 1, 0);
+ /* and only dominates itself */
+ only_dominates_self(base, role);
+
+ /**** test for role in base and module 1 optional (additive) ****/
+ decls[0] = (test_find_decl_by_sym(base, SYM_TYPES, "tag_o3_b"))->decl_id;
+ decls[1] = (test_find_decl_by_sym(base, SYM_TYPES, "tag_o3_m1"))->decl_id;
+ test_sym_presence(base, "o3_b_role_1", SYM_ROLES, SCOPE_DECL, decls, 2);
+ /* this one will have 2 type sets, one in the 3rd base optional and one in the 3rd module optional */
+ types[0] = "o3_b_type_1";
+ role = test_role_type_set(base, "o3_b_role_1", test_find_decl_by_sym(base, SYM_TYPES, "tag_o3_b"), types, 1, 0);
+ types[0] = "o3_m1_type_1";
+ role = test_role_type_set(base, "o3_b_role_1", test_find_decl_by_sym(base, SYM_TYPES, "tag_o3_m1"), types, 1, 0);
+ /* and only dominates itself */
+ only_dominates_self(base, role);
+
+ /**** test for role in base and module 1 optional (additive) ****/
+ decls[0] = (test_find_decl_by_sym(base, SYM_TYPES, "tag_o4_b"))->decl_id;
+ decls[1] = (test_find_decl_by_sym(base, SYM_TYPES, "tag_g_m1"))->decl_id;
+ decls[2] = (test_find_decl_by_sym(base, SYM_TYPES, "tag_g_m2"))->decl_id;
+ test_sym_presence(base, "o4_b_role_1", SYM_ROLES, SCOPE_DECL, decls, 3);
+ /* this one will have 2 type sets, one in the global symtab (with both module types) and one in the 4th optional of base */
+ types[0] = "g_m1_type_1";
+ role = test_role_type_set(base, "o4_b_role_1", test_find_decl_by_sym(base, SYM_TYPES, "tag_o4_b"), types, 1, 0);
+ types[0] = "g_m2_type_1";
+ types[1] = "g_m1_type_2";
+ role = test_role_type_set(base, "o4_b_role_1", NULL, types, 2, 0);
+ /* and only dominates itself */
+ only_dominates_self(base, role);
+}
diff --git a/tests/test-linker-roles.h b/tests/test-linker-roles.h
new file mode 100644
index 0000000..f7407df
--- /dev/null
+++ b/tests/test-linker-roles.h
@@ -0,0 +1,29 @@
+/*
+ * Author: Joshua Brindle <jbrindle@tresys.com>
+ *
+ * Copyright (C) 2006 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef __TEST_LINKER_ROLES_H__
+#define __TEST_LINKER_ROLES_H__
+
+#include <sepol/policydb/policydb.h>
+
+extern void base_role_tests(policydb_t * base);
+extern void module_role_tests(policydb_t * base);
+
+#endif
diff --git a/tests/test-linker-types.c b/tests/test-linker-types.c
new file mode 100644
index 0000000..94f16ac
--- /dev/null
+++ b/tests/test-linker-types.c
@@ -0,0 +1,317 @@
+/*
+ * Author: Joshua Brindle <jbrindle@tresys.com>
+ * Chad Sellers <csellers@tresys.com>
+ *
+ * Copyright (C) 2006 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include "parse_util.h"
+#include "helpers.h"
+#include "test-common.h"
+
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/link.h>
+
+#include <CUnit/Basic.h>
+#include <stdlib.h>
+
+/* Tests for types:
+ * Test for each of these for
+ * - type in appropriate symtab (global and decl)
+ * - datum in the decl symtab has correct type bitmap (if attr)
+ * - primary is set correctly
+ * - scope datum has correct decl ids
+ * Tests:
+ * - type in base, no modules
+ * - type in base optional, no modules
+ * - type a in base, b in module
+ * - type a in base optional, b in module
+ * - type a in base, b in module optional
+ * - type a in base optional, b in module optional
+ * - attr in base, no modules
+ * - attr in base optional, no modules
+ * - attr a in base, b in module
+ * - attr a in base optional, b in module
+ * - attr a in base, b in module optional
+ * - attr a in base optional, b in module optional
+ * - attr a declared in base, added to in module
+ * - attr a declared in base, added to in module optional
+ * - attr a declared in base, added to in 2 modules
+ * - attr a declared in base, added to in 2 modules (optional and global)
+ * - attr a declared in base optional, added to in module
+ * - attr a declared in base optional, added to in module optional
+ * - attr a added to in base optional, declared in module
+ * - attr a added to in base optional, declared in module optional
+ * - attr a added to in base optional, declared in module, added to in other module
+ * - attr a added to in base optional, declared in module optional, added to in other module
+ * - attr a added to in base optional, declared in module , added to in other module optional
+ * - attr a added to in base optional, declared in module optional, added to in other module optional
+ * - alias in base of primary type in base, no modules
+ * - alias in base optional of primary type in base, no modules
+ * - alias in base optional of primary type in base optional
+ * - alias in module of primary type in base
+ * - alias in module optional of primary type in base
+ * - alias in module optional of primary type in base optional
+ * - alias in module of primary type in module
+ * - alias in module optional of primary type in module
+ * - alias in module optional of primary type in module optional
+ * - alias a in base, b in module, primary type in base
+ * - alias a in base, b in module, primary type in module
+ * - alias a in base optional, b in module, primary type in base
+ * - alias a in base optional, b in module, primary type in module
+ * - alias a in base, b in module optional, primary type in base
+ * - alias a in base, b in module optional, primary type in module
+ * - alias a in base optional, b in module optional, primary type in base
+ * - alias a in base optional, b in module optional, primary type in module
+ * - alias a in base, required in module, primary type in base
+ * - alias a in base, required in base optional, primary type in base
+ * - alias a in base, required in module optional, primary type in base
+ * - alias a in module, required in base optional, primary type in base
+ * - alias a in module, required in module optional, primary type in base
+ * - alias a in base optional, required in module, primary type in base
+ * - alias a in base optional, required in different base optional, primary type in base
+ * - alias a in base optional, required in module optional, primary type in base
+ * - alias a in module optional, required in base optional, primary type in base
+ * - alias a in module optional, required in module optional, primary type in base
+ * - alias a in module, required in base optional, primary type in module
+ * - alias a in module, required in module optional, primary type in module
+ * - alias a in base optional, required in module, primary type in module
+ * - alias a in base optional, required in different base optional, primary type in module
+ * - alias a in base optional, required in module optional, primary type in module
+ * - alias a in module optional, required in base optional, primary type in module
+ * - alias a in module optional, required in module optional, primary type in module
+ */
+
+/* Don't pass in decls from global blocks since symbols aren't stored in their symtab */
+static void test_type_datum(policydb_t * p, char *id, unsigned int *decls, int len, unsigned int primary)
+{
+ int i;
+ unsigned int value;
+ type_datum_t *type;
+
+ /* just test the type datums for each decl to see if it is what we expect */
+ type = hashtab_search(p->p_types.table, id);
+
+ CU_ASSERT_FATAL(type != NULL);
+ CU_ASSERT(type->primary == primary);
+ CU_ASSERT(type->flavor == TYPE_TYPE);
+
+ value = type->s.value;
+
+ for (i = 0; i < len; i++) {
+ type = hashtab_search(p->decl_val_to_struct[decls[i] - 1]->p_types.table, id);
+ CU_ASSERT_FATAL(type != NULL);
+ CU_ASSERT(type->primary == primary);
+ CU_ASSERT(type->flavor == TYPE_TYPE);
+ CU_ASSERT(type->s.value == value);
+ }
+
+}
+
+void base_type_tests(policydb_t * base)
+{
+ unsigned int decls[2];
+ char *types[2];
+
+ /* These tests look at types in the base only, the desire is to ensure that
+ * types are not destroyed or otherwise removed during the link process.
+ * if this happens these tests won't work anyway since we are using types to
+ * mark blocks */
+
+ /**** test for g_b_type_1 in base and decl 1 (global) ****/
+ decls[0] = (test_find_decl_by_sym(base, SYM_TYPES, "tag_g_b"))->decl_id;
+ test_sym_presence(base, "g_b_type_1", SYM_TYPES, SCOPE_DECL, decls, 1);
+ test_type_datum(base, "g_b_type_1", NULL, 0, 1);
+ /* this attr is in the same decl as the type */
+ test_sym_presence(base, "g_b_attr_1", SYM_TYPES, SCOPE_DECL, decls, 1);
+ types[0] = "g_b_type_1";
+ test_attr_types(base, "g_b_attr_1", NULL, types, 1);
+
+ /**** test for o1_b_type_1 in optional (decl 2) ****/
+ decls[0] = (test_find_decl_by_sym(base, SYM_TYPES, "tag_o1_b"))->decl_id;
+ test_sym_presence(base, "o1_b_type_1", SYM_TYPES, SCOPE_DECL, decls, 1);
+ test_type_datum(base, "o1_b_type_1", NULL, 0, 1);
+ /* this attr is in the same decl as the type */
+ test_sym_presence(base, "o1_b_attr_1", SYM_TYPES, SCOPE_DECL, decls, 1);
+ types[0] = "o1_b_type_1";
+ test_attr_types(base, "o1_b_attr_1", base->decl_val_to_struct[decls[0] - 1], types, 1);
+
+ /* tests for aliases */
+ decls[0] = (test_find_decl_by_sym(base, SYM_TYPES, "tag_g_b"))->decl_id;
+ test_sym_presence(base, "g_b_alias_1", SYM_TYPES, SCOPE_DECL, decls, 1);
+ test_alias_datum(base, "g_b_alias_1", "g_b_type_3", 1, 0);
+ decls[0] = (test_find_decl_by_sym(base, SYM_TYPES, "tag_o6_b"))->decl_id;
+ test_sym_presence(base, "g_b_alias_2", SYM_TYPES, SCOPE_DECL, decls, 1);
+ test_alias_datum(base, "g_b_alias_2", "g_b_type_3", 1, 0);
+
+}
+
+void module_type_tests(policydb_t * base)
+{
+ unsigned int decls[2];
+ char *types[2];
+ avrule_decl_t *d;
+
+ /* These tests look at types that were copied from modules or attributes
+ * that were modified and declared in modules and base. These apply to
+ * declarations and modifications in and out of optionals. These tests
+ * should ensure that types and attributes are correctly copied from modules
+ * and that attribute type sets are correctly copied and mapped. */
+
+ /* note: scope for attributes is currently smashed if the attribute is declared
+ * somewhere so the scope test only looks at global, the type bitmap test looks
+ * at the appropriate decl symtab */
+
+ /* test for type in module 1 (global) */
+ decls[0] = (test_find_decl_by_sym(base, SYM_TYPES, "tag_g_m1"))->decl_id;
+ test_sym_presence(base, "g_m1_type_1", SYM_TYPES, SCOPE_DECL, decls, 1);
+ test_type_datum(base, "g_m1_type_1", NULL, 0, 1);
+ /* attr has is in the same decl as the above type */
+ test_sym_presence(base, "g_m1_attr_1", SYM_TYPES, SCOPE_DECL, decls, 1);
+ types[0] = "g_m1_type_1";
+ types[1] = "g_m1_type_2";
+ test_attr_types(base, "g_m1_attr_1", NULL, types, 2);
+
+ /* test for type in module 1 (optional) */
+ decls[0] = (test_find_decl_by_sym(base, SYM_TYPES, "tag_o1_m1"))->decl_id;
+ test_sym_presence(base, "o1_m1_type_1", SYM_TYPES, SCOPE_DECL, decls, 1);
+ test_type_datum(base, "o1_m1_type_1", NULL, 0, 1);
+ /* attr has is in the same decl as the above type */
+ test_sym_presence(base, "o1_m1_attr_1", SYM_TYPES, SCOPE_DECL, decls, 1);
+ types[0] = "o1_m1_type_2";
+ test_attr_types(base, "o1_m1_attr_1", base->decl_val_to_struct[decls[0] - 1], types, 1);
+
+ /* test for attr declared in base, added to in module (global).
+ * Since these are both global it'll be merged in the main symtab */
+ decls[0] = (test_find_decl_by_sym(base, SYM_TYPES, "tag_g_b"))->decl_id;
+ test_sym_presence(base, "g_b_attr_3", SYM_TYPES, SCOPE_DECL, decls, 1);
+ types[0] = "g_m1_type_3";
+ test_attr_types(base, "g_b_attr_3", NULL, types, 1);
+
+ /* test for attr declared in base, added to in module (optional). */
+ decls[0] = (test_find_decl_by_sym(base, SYM_TYPES, "tag_g_b"))->decl_id;
+ test_sym_presence(base, "g_b_attr_4", SYM_TYPES, SCOPE_DECL, decls, 1);
+
+ decls[0] = (test_find_decl_by_sym(base, SYM_TYPES, "tag_o1_m1"))->decl_id;
+ types[0] = "o1_m1_type_3";
+ test_attr_types(base, "g_b_attr_4", base->decl_val_to_struct[decls[0] - 1], types, 1);
+
+ /* test for attr declared in base, added to in 2 modules (global). (merged in main symtab) */
+ decls[0] = (test_find_decl_by_sym(base, SYM_TYPES, "tag_g_b"))->decl_id;
+ test_sym_presence(base, "g_b_attr_5", SYM_TYPES, SCOPE_DECL, decls, 1);
+ types[0] = "g_m1_type_4";
+ types[1] = "g_m2_type_4";
+ test_attr_types(base, "g_b_attr_5", NULL, types, 2);
+
+ /* test for attr declared in base, added to in 2 modules (optional/global). */
+ decls[0] = (test_find_decl_by_sym(base, SYM_TYPES, "tag_g_b"))->decl_id;
+ test_sym_presence(base, "g_b_attr_6", SYM_TYPES, SCOPE_DECL, decls, 1);
+ /* module 2 was global to its type is in main symtab */
+ types[0] = "g_m2_type_5";
+ test_attr_types(base, "g_b_attr_6", NULL, types, 1);
+ d = (test_find_decl_by_sym(base, SYM_TYPES, "tag_o3_m1"));
+ types[0] = "o3_m1_type_2";
+ test_attr_types(base, "g_b_attr_6", d, types, 1);
+
+ /* test for attr declared in base optional, added to in module (global). */
+ decls[0] = (test_find_decl_by_sym(base, SYM_TYPES, "tag_o4_b"))->decl_id;
+ test_sym_presence(base, "o4_b_attr_1", SYM_TYPES, SCOPE_DECL, decls, 1);
+ types[0] = "g_m1_type_5";
+ test_attr_types(base, "o4_b_attr_1", NULL, types, 1);
+
+ /* test for attr declared in base optional, added to in module (optional). */
+ decls[0] = (test_find_decl_by_sym(base, SYM_TYPES, "tag_o1_b"))->decl_id;
+ test_sym_presence(base, "o1_b_attr_2", SYM_TYPES, SCOPE_DECL, decls, 1);
+ d = test_find_decl_by_sym(base, SYM_TYPES, "tag_o1_m1");
+ types[0] = "o1_m1_type_5";
+ test_attr_types(base, "o1_b_attr_2", d, types, 1);
+
+ /* test for attr declared in module, added to in base optional */
+ decls[0] = (test_find_decl_by_sym(base, SYM_TYPES, "tag_g_m1"))->decl_id;
+ test_sym_presence(base, "g_m1_attr_2", SYM_TYPES, SCOPE_DECL, decls, 1);
+ d = test_find_decl_by_sym(base, SYM_TYPES, "tag_o1_b");
+ types[0] = "o1_b_type_2";
+ test_attr_types(base, "g_m1_attr_2", d, types, 1);
+
+ /* test for attr declared in module optional, added to in base optional */
+ decls[0] = (test_find_decl_by_sym(base, SYM_TYPES, "tag_o3_m1"))->decl_id;
+ test_sym_presence(base, "o3_m1_attr_1", SYM_TYPES, SCOPE_DECL, decls, 1);
+ d = test_find_decl_by_sym(base, SYM_TYPES, "tag_o4_b");
+ types[0] = "o4_b_type_1";
+ test_attr_types(base, "o3_m1_attr_1", d, types, 1);
+
+ /* attr a added to in base optional, declared/added to in module, added to in other module */
+ /* first the module declare/add and module 2 add (since its global it'll be in the main symtab */
+ decls[0] = (test_find_decl_by_sym(base, SYM_TYPES, "tag_g_m1"))->decl_id;
+ test_sym_presence(base, "g_m1_attr_3", SYM_TYPES, SCOPE_DECL, decls, 1);
+ types[0] = "g_m1_type_6";
+ types[1] = "g_m2_type_3";
+ test_attr_types(base, "g_m1_attr_3", NULL, types, 2);
+ /* base add */
+ d = test_find_decl_by_sym(base, SYM_TYPES, "tag_o4_b");
+ types[0] = "o4_b_type_2";
+ test_attr_types(base, "g_m1_attr_3", d, types, 1);
+
+ /* attr a added to in base optional, declared/added in module optional, added to in other module */
+ d = test_find_decl_by_sym(base, SYM_TYPES, "tag_o3_m1");
+ decls[0] = d->decl_id;
+ test_sym_presence(base, "o3_m1_attr_2", SYM_TYPES, SCOPE_DECL, decls, 1);
+ types[0] = "o3_m1_type_3";
+ test_attr_types(base, "o3_m1_attr_2", d, types, 1);
+ /* module 2's type will be in the main symtab */
+ types[0] = "g_m2_type_6";
+ test_attr_types(base, "o3_m1_attr_2", NULL, types, 1);
+ /* base add */
+ d = test_find_decl_by_sym(base, SYM_TYPES, "tag_o2_b");
+ types[0] = "o2_b_type_1";
+ test_attr_types(base, "o3_m1_attr_2", d, types, 1);
+
+ /* attr a added to in base optional, declared/added in module , added to in other module optional */
+ decls[0] = (test_find_decl_by_sym(base, SYM_TYPES, "tag_g_m1"))->decl_id;
+ test_sym_presence(base, "g_m1_attr_4", SYM_TYPES, SCOPE_DECL, decls, 1);
+ types[0] = "g_m1_type_7";
+ test_attr_types(base, "g_m1_attr_4", NULL, types, 1);
+ /* module 2 */
+ d = test_find_decl_by_sym(base, SYM_TYPES, "tag_o2_m2");
+ types[0] = "o2_m2_type_1";
+ test_attr_types(base, "g_m1_attr_4", d, types, 1);
+ /* base add */
+ d = test_find_decl_by_sym(base, SYM_TYPES, "tag_o5_b");
+ types[0] = "o5_b_type_1";
+ test_attr_types(base, "g_m1_attr_4", d, types, 1);
+
+ /* attr a added to in base optional, declared/added in module optional, added to in other module optional */
+ d = test_find_decl_by_sym(base, SYM_TYPES, "tag_o4_m1");
+ decls[0] = d->decl_id;
+ test_sym_presence(base, "o4_m1_attr_1", SYM_TYPES, SCOPE_DECL, decls, 1);
+ types[0] = "o4_m1_type_1";
+ test_attr_types(base, "o4_m1_attr_1", d, types, 1);
+ /* module 2 */
+ d = test_find_decl_by_sym(base, SYM_TYPES, "tag_o2_m2");
+ types[0] = "o2_m2_type_2";
+ test_attr_types(base, "o4_m1_attr_1", d, types, 1);
+ /* base add */
+ d = test_find_decl_by_sym(base, SYM_TYPES, "tag_o5_b");
+ types[0] = "o5_b_type_2";
+ test_attr_types(base, "o4_m1_attr_1", d, types, 1);
+
+ /* tests for aliases */
+ decls[0] = (test_find_decl_by_sym(base, SYM_TYPES, "tag_g_m1"))->decl_id;
+ test_sym_presence(base, "g_m_alias_1", SYM_TYPES, SCOPE_DECL, decls, 1);
+ test_alias_datum(base, "g_m_alias_1", "g_b_type_3", 1, 0);
+
+}
diff --git a/tests/test-linker-types.h b/tests/test-linker-types.h
new file mode 100644
index 0000000..0c860eb
--- /dev/null
+++ b/tests/test-linker-types.h
@@ -0,0 +1,27 @@
+/*
+ * Author: Joshua Brindle <jbrindle@tresys.com>
+ *
+ * Copyright (C) 2006 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef __TEST_LINKER_TYPES_H__
+#define __TEST_LINKER_TYPES_H__
+
+extern void base_type_tests(policydb_t * base);
+extern void module_type_tests(policydb_t * base);
+
+#endif
diff --git a/tests/test-linker.c b/tests/test-linker.c
new file mode 100644
index 0000000..d08f219
--- /dev/null
+++ b/tests/test-linker.c
@@ -0,0 +1,154 @@
+/*
+ * Author: Joshua Brindle <jbrindle@tresys.com>
+ *
+ * Copyright (C) 2006 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+/* This is where the linker tests should go, including:
+ * - check role, type, bool, user, attr mapping
+ * - check for properly enabled optional
+ * - check for properly disabled optional
+ * - check for non-optional disabled blocks
+ * - properly add symbols declared in optionals
+ */
+
+#include "test-linker.h"
+#include "parse_util.h"
+#include "helpers.h"
+#include "test-common.h"
+#include "test-linker-roles.h"
+#include "test-linker-types.h"
+#include "test-linker-cond-map.h"
+
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/link.h>
+#include <sepol/policydb/conditional.h>
+#include <sepol/policydb/expand.h>
+#include <limits.h>
+#include <stdlib.h>
+
+#define NUM_MODS 2
+#define NUM_POLICIES NUM_MODS+1
+
+#define BASEMOD NUM_MODS
+const char *policies[NUM_POLICIES] = {
+ "module1.conf",
+ "module2.conf",
+ "small-base.conf",
+};
+
+static policydb_t basenomods;
+static policydb_t linkedbase;
+static policydb_t *modules[NUM_MODS];
+extern int mls;
+
+int linker_test_init(void)
+{
+ int i;
+
+ if (test_load_policy(&linkedbase, POLICY_BASE, mls, "test-linker", policies[BASEMOD]))
+ return -1;
+
+ if (test_load_policy(&basenomods, POLICY_BASE, mls, "test-linker", policies[BASEMOD]))
+ return -1;
+
+ for (i = 0; i < NUM_MODS; i++) {
+
+ modules[i] = calloc(1, sizeof(*modules[i]));
+ if (!modules[i]) {
+ fprintf(stderr, "out of memory!\n");
+ return -1;
+ }
+
+ if (test_load_policy(modules[i], POLICY_MOD, mls, "test-linker", policies[i]))
+ return -1;
+
+ }
+
+ if (link_modules(NULL, &linkedbase, modules, NUM_MODS, 0)) {
+ fprintf(stderr, "link modules failed\n");
+ return -1;
+ }
+
+ if (link_modules(NULL, &basenomods, NULL, 0, 0)) {
+ fprintf(stderr, "link modules failed\n");
+ return -1;
+ }
+
+ return 0;
+}
+
+int linker_test_cleanup(void)
+{
+ int i;
+
+ policydb_destroy(&basenomods);
+ policydb_destroy(&linkedbase);
+
+ for (i = 0; i < NUM_MODS; i++) {
+ policydb_destroy(modules[i]);
+ free(modules[i]);
+ }
+ return 0;
+}
+
+static void test_linker_indexes(void)
+{
+ test_policydb_indexes(&linkedbase);
+}
+
+static void test_linker_roles(void)
+{
+ base_role_tests(&basenomods);
+ base_role_tests(&linkedbase);
+ module_role_tests(&linkedbase);
+}
+
+static void test_linker_types(void)
+{
+ base_type_tests(&basenomods);
+ base_type_tests(&linkedbase);
+ module_type_tests(&linkedbase);
+}
+
+static void test_linker_cond(void)
+{
+ base_cond_tests(&basenomods);
+ base_cond_tests(&linkedbase);
+ module_cond_tests(&linkedbase);
+}
+
+int linker_add_tests(CU_pSuite suite)
+{
+ if (NULL == CU_add_test(suite, "linker_indexes", test_linker_indexes)) {
+ CU_cleanup_registry();
+ return CU_get_error();
+ }
+ if (NULL == CU_add_test(suite, "linker_types", test_linker_types)) {
+ CU_cleanup_registry();
+ return CU_get_error();
+ }
+ if (NULL == CU_add_test(suite, "linker_roles", test_linker_roles)) {
+ CU_cleanup_registry();
+ return CU_get_error();
+ }
+ if (NULL == CU_add_test(suite, "linker_cond", test_linker_cond)) {
+ CU_cleanup_registry();
+ return CU_get_error();
+ }
+ return 0;
+}
diff --git a/tests/test-linker.h b/tests/test-linker.h
new file mode 100644
index 0000000..16339a0
--- /dev/null
+++ b/tests/test-linker.h
@@ -0,0 +1,30 @@
+/*
+ * Author: Joshua Brindle <jbrindle@tresys.com>
+ *
+ * Copyright (C) 2006 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef __TEST_LINKER_H__
+#define __TEST_LINKER_H__
+
+#include <CUnit/Basic.h>
+
+int linker_test_init(void);
+int linker_test_cleanup(void);
+int linker_add_tests(CU_pSuite suite);
+
+#endif
diff --git a/utils/Makefile b/utils/Makefile
new file mode 100644
index 0000000..6864114
--- /dev/null
+++ b/utils/Makefile
@@ -0,0 +1,24 @@
+# Installation directories.
+PREFIX ?= $(DESTDIR)/usr
+BINDIR ?= $(PREFIX)/bin
+
+CFLAGS ?= -Wall -Werror
+override CFLAGS += -I../include
+LDLIBS += -L../src -lsepol
+
+TARGETS=$(patsubst %.c,%,$(wildcard *.c))
+
+all: $(TARGETS)
+
+install: all
+ -mkdir -p $(BINDIR)
+ install -m 755 $(TARGETS) $(BINDIR)
+
+clean:
+ -rm -f $(TARGETS) *.o
+
+indent:
+ ../../scripts/Lindent $(wildcard *.[ch])
+
+relabel:
+
diff --git a/utils/chkcon.c b/utils/chkcon.c
new file mode 100644
index 0000000..4c23d4c
--- /dev/null
+++ b/utils/chkcon.c
@@ -0,0 +1,42 @@
+#include <sepol/sepol.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+
+void usage(char *progname)
+{
+ printf("usage: %s policy context\n", progname);
+ exit(1);
+}
+
+int main(int argc, char **argv)
+{
+ FILE *fp;
+
+ if (argc != 3)
+ usage(argv[0]);
+
+ fp = fopen(argv[1], "r");
+ if (!fp) {
+ fprintf(stderr, "Can't open '%s': %s\n",
+ argv[1], strerror(errno));
+ exit(1);
+ }
+ if (sepol_set_policydb_from_file(fp) < 0) {
+ fprintf(stderr, "Error while processing %s: %s\n",
+ argv[1], strerror(errno));
+ exit(1);
+ }
+ fclose(fp);
+
+ if (sepol_check_context(argv[2]) < 0) {
+ fprintf(stderr, "%s is not valid\n", argv[2]);
+ exit(1);
+ }
+
+ printf("%s is valid\n", argv[2]);
+ exit(0);
+}
