diff options
author | android-build-team Robot <android-build-team-robot@google.com> | 2020-04-28 20:26:12 +0000 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2020-04-28 20:26:12 +0000 |
commit | 599286f8bd990cc61bdd30d352d020096227d946 (patch) | |
tree | 2ecfaa19bf4dc146728098ded1660548910f9344 | |
parent | d7fa180d8d3c666273fe8b9f3760eb49cc487305 (diff) | |
parent | 2d3cc3b458831550a4a1caccd03c98a4a0def064 (diff) | |
download | selinux-android12-mainline-tzdata-release.tar.gz |
Snap for 6439596 from 2d3cc3b458831550a4a1caccd03c98a4a0def064 to qt-aml-tzdata-releaseq_tzdata_aml_294400310android-mainline-12.0.0_r54android-mainline-12.0.0_r111android-mainline-10.0.0_r13android-mainline-10.0.0_r12android-mainline-10.0.0_r11android12-mainline-tzdata-release
Change-Id: I2943645bc1ed55640c5b496be165ac1f2c3f4c94
75 files changed, 954 insertions, 710 deletions
diff --git a/checkpolicy/checkmodule.8 b/checkpolicy/checkmodule.8 index e55582f3..cf76591c 100644 --- a/checkpolicy/checkmodule.8 +++ b/checkpolicy/checkmodule.8 @@ -38,7 +38,7 @@ Generate a non-base policy module. Enable the MLS/MCS support when checking and compiling the policy module. .TP .B \-V,\-\-version -Show policy versions created by this program. + Show policy versions created by this program. Note that you cannot currently build older versions. .TP .B \-o,\-\-output filename Write a binary policy module file to the specified filename. @@ -47,9 +47,6 @@ and will not generate a binary module at all. .TP .B \-U,\-\-handle-unknown <action> Specify how the kernel should handle unknown classes or permissions (deny, allow or reject). -.TP -.B \-c policyvers -Specify the policy version, defaults to the latest. .SH EXAMPLE .nf diff --git a/checkpolicy/checkmodule.c b/checkpolicy/checkmodule.c index c9efaf8b..8edc1f8c 100644 --- a/checkpolicy/checkmodule.c +++ b/checkpolicy/checkmodule.c @@ -142,8 +142,6 @@ static __attribute__((__noreturn__)) void usage(const char *progname) printf(" -m build a policy module instead of a base module\n"); printf(" -M enable MLS policy\n"); printf(" -o FILE write module to FILE (else just check syntax)\n"); - printf(" -c VERSION build a policy module targeting a modular policy version (%d-%d)\n", - MOD_POLICYDB_VERSION_MIN, MOD_POLICYDB_VERSION_MAX); exit(1); } @@ -165,7 +163,7 @@ int main(int argc, char **argv) {NULL, 0, NULL, 0} }; - while ((ch = getopt_long(argc, argv, "ho:bVU:mMCc:", long_options, NULL)) != -1) { + while ((ch = getopt_long(argc, argv, "ho:bVU:mMC", long_options, NULL)) != -1) { switch (ch) { case 'h': usage(argv[0]); @@ -196,6 +194,7 @@ int main(int argc, char **argv) usage(argv[0]); case 'm': policy_type = POLICY_MOD; + policyvers = MOD_POLICYDB_VERSION_MAX; break; case 'M': mlspol = 1; @@ -203,29 +202,6 @@ int main(int argc, char **argv) case 'C': cil = 1; break; - case 'c': { - long int n; - errno = 0; - n = strtol(optarg, NULL, 10); - if (errno) { - fprintf(stderr, - "Invalid policyvers specified: %s\n", - optarg); - usage(argv[0]); - } - - if (n < MOD_POLICYDB_VERSION_MIN - || n > MOD_POLICYDB_VERSION_MAX) { - fprintf(stderr, - "policyvers value %ld not in range %d-%d\n", - n, MOD_POLICYDB_VERSION_MIN, - MOD_POLICYDB_VERSION_MAX); - usage(argv[0]); - } - - policyvers = n; - break; - } default: usage(argv[0]); } diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c index db143836..ece10e7a 100644 --- a/checkpolicy/policy_define.c +++ b/checkpolicy/policy_define.c @@ -1210,7 +1210,10 @@ int expand_attrib(void) flags = TYPE_FLAGS_EXPAND_ATTR_FALSE; } - ebitmap_for_each_positive_bit(&attrs, node, i) { + ebitmap_for_each_bit(&attrs, node, i) { + if (!ebitmap_node_get_bit(node, i)){ + continue; + } attr = hashtab_search(policydbp->p_types.table, policydbp->sym_val_to_name[SYM_TYPES][i]); attr->flags |= flags; @@ -1670,17 +1673,19 @@ int define_compute_type_helper(int which, avrule_t ** rule) } free(id); - ebitmap_for_each_positive_bit(&tclasses, node, i) { - perm = malloc(sizeof(class_perm_node_t)); - if (!perm) { - yyerror("out of memory"); - goto bad; + ebitmap_for_each_bit(&tclasses, node, i) { + if (ebitmap_node_get_bit(node, i)) { + perm = malloc(sizeof(class_perm_node_t)); + if (!perm) { + yyerror("out of memory"); + goto bad; + } + class_perm_node_init(perm); + perm->tclass = i + 1; + perm->data = datum->s.value; + perm->next = avrule->perms; + avrule->perms = perm; } - class_perm_node_init(perm); - perm->tclass = i + 1; - perm->data = datum->s.value; - perm->next = avrule->perms; - avrule->perms = perm; } ebitmap_destroy(&tclasses); @@ -2096,7 +2101,9 @@ int define_te_avtab_xperms_helper(int which, avrule_t ** rule) perms = NULL; id = queue_head(id_queue); - ebitmap_for_each_positive_bit(&tclasses, node, i) { + ebitmap_for_each_bit(&tclasses, node, i) { + if (!ebitmap_node_get_bit(node, i)) + continue; cur_perms = (class_perm_node_t *) malloc(sizeof(class_perm_node_t)); if (!cur_perms) { @@ -2558,7 +2565,9 @@ int define_te_avtab_helper(int which, avrule_t ** rule) goto out; perms = NULL; - ebitmap_for_each_positive_bit(&tclasses, node, i) { + ebitmap_for_each_bit(&tclasses, node, i) { + if (!ebitmap_node_get_bit(node, i)) + continue; cur_perms = (class_perm_node_t *) malloc(sizeof(class_perm_node_t)); if (!cur_perms) { @@ -2577,7 +2586,9 @@ int define_te_avtab_helper(int which, avrule_t ** rule) while ((id = queue_remove(id_queue))) { cur_perms = perms; - ebitmap_for_each_positive_bit(&tclasses, node, i) { + ebitmap_for_each_bit(&tclasses, node, i) { + if (!ebitmap_node_get_bit(node, i)) + continue; cladatum = policydbp->class_val_to_struct[i]; if (strcmp(id, "*") == 0) { @@ -2919,13 +2930,17 @@ static int dominate_role_recheck(hashtab_key_t key __attribute__ ((unused)), return -1; } /* raise types and dominates from dominated role */ - ebitmap_for_each_positive_bit(&rdp->dominates, node, i) { - if (ebitmap_set_bit(&rdatum->dominates, i, TRUE)) - goto oom; + ebitmap_for_each_bit(&rdp->dominates, node, i) { + if (ebitmap_node_get_bit(node, i)) + if (ebitmap_set_bit + (&rdatum->dominates, i, TRUE)) + goto oom; } - ebitmap_for_each_positive_bit(&types, node, i) { - if (ebitmap_set_bit(&rdatum->types.types, i, TRUE)) - goto oom; + ebitmap_for_each_bit(&types, node, i) { + if (ebitmap_node_get_bit(node, i)) + if (ebitmap_set_bit + (&rdatum->types.types, i, TRUE)) + goto oom; } ebitmap_destroy(&types); } @@ -3003,17 +3018,20 @@ role_datum_t *define_role_dom(role_datum_t * r) if (r) { ebitmap_t types; ebitmap_init(&types); - ebitmap_for_each_positive_bit(&r->dominates, node, i) { - if (ebitmap_set_bit(&role->dominates, i, TRUE)) - goto oom; + ebitmap_for_each_bit(&r->dominates, node, i) { + if (ebitmap_node_get_bit(node, i)) + if (ebitmap_set_bit(&role->dominates, i, TRUE)) + goto oom; } if (type_set_expand(&r->types, &types, policydbp, 1)) { ebitmap_destroy(&types); return NULL; } - ebitmap_for_each_positive_bit(&types, node, i) { - if (ebitmap_set_bit(&role->types.types, i, TRUE)) - goto oom; + ebitmap_for_each_bit(&types, node, i) { + if (ebitmap_node_get_bit(node, i)) + if (ebitmap_set_bit + (&role->types.types, i, TRUE)) + goto oom; } ebitmap_destroy(&types); if (!r->s.value) { @@ -3196,9 +3214,15 @@ int define_role_trans(int class_specified) if (type_set_expand(&types, &e_types, policydbp, 1)) goto bad; - ebitmap_for_each_positive_bit(&e_roles, rnode, i) { - ebitmap_for_each_positive_bit(&e_types, tnode, j) { - ebitmap_for_each_positive_bit(&e_classes, cnode, k) { + ebitmap_for_each_bit(&e_roles, rnode, i) { + if (!ebitmap_node_get_bit(rnode, i)) + continue; + ebitmap_for_each_bit(&e_types, tnode, j) { + if (!ebitmap_node_get_bit(tnode, j)) + continue; + ebitmap_for_each_bit(&e_classes, cnode, k) { + if (!ebitmap_node_get_bit(cnode, k)) + continue; for (tr = policydbp->role_tr; tr; tr = tr->next) { if (tr->role == (i + 1) && @@ -3386,9 +3410,16 @@ int define_filename_trans(void) if (type_set_expand(&ttypes, &e_ttypes, policydbp, 1)) goto bad; - ebitmap_for_each_positive_bit(&e_tclasses, cnode, c) { - ebitmap_for_each_positive_bit(&e_stypes, snode, s) { - ebitmap_for_each_positive_bit(&e_ttypes, tnode, t) { + ebitmap_for_each_bit(&e_tclasses, cnode, c) { + if (!ebitmap_node_get_bit(cnode, c)) + continue; + ebitmap_for_each_bit(&e_stypes, snode, s) { + if (!ebitmap_node_get_bit(snode, s)) + continue; + ebitmap_for_each_bit(&e_ttypes, tnode, t) { + if (!ebitmap_node_get_bit(tnode, t)) + continue; + ft = calloc(1, sizeof(*ft)); if (!ft) { yyerror("out of memory"); @@ -3621,36 +3652,39 @@ int define_constraint(constraint_expr_t * expr) } while ((id = queue_remove(id_queue))) { - ebitmap_for_each_positive_bit(&classmap, enode, i) { - cladatum = policydbp->class_val_to_struct[i]; - node = cladatum->constraints; - - perdatum = - (perm_datum_t *) hashtab_search(cladatum-> - permissions. - table, - (hashtab_key_t) - id); - if (!perdatum) { - if (cladatum->comdatum) { - perdatum = - (perm_datum_t *) - hashtab_search(cladatum-> - comdatum-> - permissions. - table, - (hashtab_key_t) - id); - } + ebitmap_for_each_bit(&classmap, enode, i) { + if (ebitmap_node_get_bit(enode, i)) { + cladatum = policydbp->class_val_to_struct[i]; + node = cladatum->constraints; + + perdatum = + (perm_datum_t *) hashtab_search(cladatum-> + permissions. + table, + (hashtab_key_t) + id); if (!perdatum) { - yyerror2("permission %s is not" - " defined", id); - free(id); - ebitmap_destroy(&classmap); - return -1; + if (cladatum->comdatum) { + perdatum = + (perm_datum_t *) + hashtab_search(cladatum-> + comdatum-> + permissions. + table, + (hashtab_key_t) + id); + } + if (!perdatum) { + yyerror2("permission %s is not" + " defined", id); + free(id); + ebitmap_destroy(&classmap); + return -1; + } } + node->permissions |= + (1 << (perdatum->s.value - 1)); } - node->permissions |= (1 << (perdatum->s.value - 1)); } free(id); } @@ -4145,9 +4179,10 @@ static int set_user_roles(role_set_t * set, char *id) } /* set the role and every role it dominates */ - ebitmap_for_each_positive_bit(&r->dominates, node, i) { - if (ebitmap_set_bit(&set->roles, i, TRUE)) - goto oom; + ebitmap_for_each_bit(&r->dominates, node, i) { + if (ebitmap_node_get_bit(node, i)) + if (ebitmap_set_bit(&set->roles, i, TRUE)) + goto oom; } free(id); return 0; diff --git a/checkpolicy/ru/checkpolicy.8 b/checkpolicy/ru/checkpolicy.8 index 2ad39b8e..b2868e7c 100644 --- a/checkpolicy/ru/checkpolicy.8 +++ b/checkpolicy/ru/checkpolicy.8 @@ -3,7 +3,7 @@ checkpolicy \- компилятор политики SELinux .SH ОБЗОР .B checkpolicy -.I "[\-b[F]] [\-C] [\-d] [\-U handle_unknown (allow,deny,reject)] [\-M] [\-c policyvers] [\-o output_file] [\-S] [\-t target_platform (selinux,xen)] [\-V] [input_file]" +.I "[\-b[F]] [\-C] [\-d] [\-M] [\-c policyvers] [\-o output_file] [input_file]" .br .SH "ОПИСАНИЕ" Эта страница руководства содержит описание команды @@ -17,33 +17,30 @@ checkpolicy \- компилятор политики SELinux .B \-b,\-\-binary Прочитать существующий двоичный файл политики, а не исходный файл policy.conf. .TP -.B \-F,\-\-conf -Записать файл policy.conf, а не двоичный файл политики. Этот параметр можно использовать только при работе с двоичным файлом политики. -.TP .B \-C,\-\-cil Записать файл политики CIL, а не двоичный файл политики. .TP .B \-d,\-\-debug Войти в режим отладки после загрузки политики. .TP -.B \-U,\-\-handle-unknown <action> -Указать, как ядро должно обрабатывать неизвестные классы или разрешения (запрещать, разрешать или отклонять). +.B \-F,\-\-conf +Записать файл policy.conf, а не двоичный файл политики. Этот параметр можно использовать только при работе с двоичным файлом политики. .TP .B \-M,\-\-mls Включить политику MLS при проверке и компиляции политики. .TP -.B \-c policyvers -Указать версию политики (по умолчанию используется последняя). -.TP .B \-o,\-\-output filename Записать двоичный файл политики с указанным именем файла. .TP -.B \-S,\-\-sort -Сортировать прочие контексты (ocontexts) перед записью двоичной политики. Этот параметр позволяет задать соответствие вывода checkpolicy двоичным политикам, созданным с помощью semanage и secilc. +.B \-c policyvers +Указать версию политики (по умолчанию используется последняя). .TP .B \-t,\-\-target Указать целевую платформу (selinux или xen). .TP +.B \-U,\-\-handle-unknown <action> +Указать, как ядро должно обрабатывать неизвестные классы или разрешения (запрещать, разрешать или отклонять). +.TP .B \-V,\-\-version Показать сведения о версии. .TP diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c index 996cf33f..d5c7eeab 100644 --- a/checkpolicy/test/dismod.c +++ b/checkpolicy/test/dismod.c @@ -825,13 +825,15 @@ static void display_policycaps(policydb_t * p, FILE * fp) unsigned int i; fprintf(fp, "policy capabilities:\n"); - ebitmap_for_each_positive_bit(&p->policycaps, node, i) { - capname = sepol_polcap_getname(i); - if (capname == NULL) { - snprintf(buf, sizeof(buf), "unknown (%d)", i); - capname = buf; + ebitmap_for_each_bit(&p->policycaps, node, i) { + if (ebitmap_node_get_bit(node, i)) { + capname = sepol_polcap_getname(i); + if (capname == NULL) { + snprintf(buf, sizeof(buf), "unknown (%d)", i); + capname = buf; + } + fprintf(fp, "\t%s\n", capname); } - fprintf(fp, "\t%s\n", capname); } } @@ -901,14 +903,14 @@ int main(int argc, char **argv) } if (policydb.policy_type == POLICY_BASE) { - printf("Binary base policy file loaded.\n"); + printf("Binary base policy file loaded.\n\n"); } else { printf("Binary policy module file loaded.\n"); printf("Module name: %s\n", policydb.name); printf("Module version: %s\n", policydb.version); + printf("\n"); } - printf("Policy version: %d\n\n", policydb.policyvers); menu(); for (;;) { printf("\nCommand (\'m\' for menu): "); diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c index d72d9fb3..ee0f5f64 100644 --- a/checkpolicy/test/dispol.c +++ b/checkpolicy/test/dispol.c @@ -282,13 +282,15 @@ static void display_policycaps(policydb_t * p, FILE * fp) unsigned int i; fprintf(fp, "policy capabilities:\n"); - ebitmap_for_each_positive_bit(&p->policycaps, node, i) { - capname = sepol_polcap_getname(i); - if (capname == NULL) { - snprintf(buf, sizeof(buf), "unknown (%d)", i); - capname = buf; + ebitmap_for_each_bit(&p->policycaps, node, i) { + if (ebitmap_node_get_bit(node, i)) { + capname = sepol_polcap_getname(i); + if (capname == NULL) { + snprintf(buf, sizeof(buf), "unknown (%d)", i); + capname = buf; + } + fprintf(fp, "\t%s\n", capname); } - fprintf(fp, "\t%s\n", capname); } } @@ -305,10 +307,12 @@ static void display_permissive(policydb_t *p, FILE *fp) unsigned int i; fprintf(fp, "permissive sids:\n"); - ebitmap_for_each_positive_bit(&p->permissive_map, node, i) { - fprintf(fp, "\t"); - display_id(p, fp, SYM_TYPES, i - 1, ""); - fprintf(fp, "\n"); + ebitmap_for_each_bit(&p->permissive_map, node, i) { + if (ebitmap_node_get_bit(node, i)) { + fprintf(fp, "\t"); + display_id(p, fp, SYM_TYPES, i - 1, ""); + fprintf(fp, "\n"); + } } } diff --git a/libselinux/Android.bp b/libselinux/Android.bp index 51af69fa..6833cba8 100644 --- a/libselinux/Android.bp +++ b/libselinux/Android.bp @@ -77,6 +77,7 @@ cc_defaults { ], shared_libs: [ + "libcrypto", "liblog", ], @@ -91,9 +92,6 @@ cc_defaults { local_include_dirs: ["include"], export_include_dirs: ["include"], - - stl: "none", - system_shared_libs: ["libc"], } cc_library { diff --git a/libselinux/exported.map b/libselinux/exported.map index fbc8acca..dd742948 100644 --- a/libselinux/exported.map +++ b/libselinux/exported.map @@ -25,6 +25,7 @@ selinux_android_hw_service_context_handle; selinux_android_load_policy; selinux_android_load_policy_from_fd; + selinux_android_prop_context_handle; selinux_android_restorecon; selinux_android_restorecon_pkgdir; selinux_android_seapp_context_init; diff --git a/libselinux/exported_vendor.map b/libselinux/exported_vendor.map index ccd5fef7..fd604fd8 100644 --- a/libselinux/exported_vendor.map +++ b/libselinux/exported_vendor.map @@ -13,6 +13,7 @@ selabel_close; selabel_lookup; selabel_open; + selinux_android_prop_context_handle; selinux_android_restorecon; selinux_android_service_context_handle; selinux_android_hw_service_context_handle; diff --git a/libselinux/include/selinux/android.h b/libselinux/include/selinux/android.h index 640ba2eb..99fc9efe 100644 --- a/libselinux/include/selinux/android.h +++ b/libselinux/include/selinux/android.h @@ -13,6 +13,8 @@ extern "C" { extern struct selabel_handle* selinux_android_file_context_handle(void); +extern struct selabel_handle* selinux_android_prop_context_handle(void); + extern struct selabel_handle* selinux_android_service_context_handle(void); extern struct selabel_handle* selinux_android_hw_service_context_handle(void); diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h index f54f236b..a34d54fc 100644 --- a/libselinux/include/selinux/selinux.h +++ b/libselinux/include/selinux/selinux.h @@ -255,19 +255,6 @@ extern int security_compute_user_raw(const char * scon, const char *username, char *** con); -/* Validate a transition. This determines whether a transition from scon to newcon - using tcon as the target for object class tclass is valid in the loaded policy. - This checks against the mlsvalidatetrans and validatetrans constraints in the loaded policy. - Returns 0 if allowed and -1 if an error occured with errno set */ -extern int security_validatetrans(const char *scon, - const char *tcon, - security_class_t tclass, - const char *newcon); -extern int security_validatetrans_raw(const char *scon, - const char *tcon, - security_class_t tclass, - const char *newcon); - /* Load a policy configuration. */ extern int security_load_policy(void *data, size_t len); diff --git a/libselinux/man/man3/security_compute_av.3 b/libselinux/man/man3/security_compute_av.3 index a7181bed..2aade5fe 100644 --- a/libselinux/man/man3/security_compute_av.3 +++ b/libselinux/man/man3/security_compute_av.3 @@ -1,7 +1,7 @@ .TH "security_compute_av" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation" .SH "NAME" security_compute_av, security_compute_av_flags, security_compute_create, security_compute_create_name, security_compute_relabel, -security_compute_member, security_compute_user, security_validatetrans, security_get_initial_context \- query +security_compute_member, security_compute_user, security_get_initial_context \- query the SELinux policy database in the kernel . .SH "SYNOPSIS" @@ -35,10 +35,6 @@ the SELinux policy database in the kernel .sp .BI "int security_compute_user_raw(char *" scon ", const char *" username ", char ***" con ); .sp -.BI "int security_validatetrans(char *" scon ", const char *" tcon ", security_class_t "tclass ", char *" newcon ); -.sp -.BI "int security_validatetrans_raw(char *" scon ", const char *" tcon ", security_class_t "tclass ", char *" newcon ); -.sp .BI "int security_get_initial_context(const char *" name ", char **" con ); .sp .BI "int security_get_initial_context_raw(const char *" name ", char **" con ); @@ -104,12 +100,6 @@ is used to determine the set of user contexts that can be reached from a source context. It is mainly used by .BR get_ordered_context_list (). -.BR security_validatetrans () -is used to determine if a transition from scon to newcon using tcon as the object -is valid for object class tclass. This checks against the mlsvalidatetrans and -validatetrans constraints in the loaded policy. Returns 0 if allowed, and -1 -if an error occured with errno set. - .BR security_get_initial_context () is used to get the context of a kernel initial security identifier specified by .I name @@ -121,7 +111,6 @@ is used to get the context of a kernel initial security identifier specified by .BR \%security_compute_relabel_raw (), .BR \%security_compute_member_raw (), .BR \%security_compute_user_raw () -.BR \%security_validatetrans_raw () and .BR \%security_get_initial_context_raw () behave identically to their non-raw counterparts but do not perform context diff --git a/libselinux/man/man3/security_validatetrans.c b/libselinux/man/man3/security_validatetrans.c deleted file mode 100644 index a60bca4d..00000000 --- a/libselinux/man/man3/security_validatetrans.c +++ /dev/null @@ -1 +0,0 @@ -.so man3/security_compute_av.3 diff --git a/libselinux/man/man3/security_validatetrans_raw.c b/libselinux/man/man3/security_validatetrans_raw.c deleted file mode 100644 index a60bca4d..00000000 --- a/libselinux/man/man3/security_validatetrans_raw.c +++ /dev/null @@ -1 +0,0 @@ -.so man3/security_compute_av.3 diff --git a/libselinux/src/android/android.c b/libselinux/src/android/android.c index 2e70ceb6..e15dabed 100644 --- a/libselinux/src/android/android.c +++ b/libselinux/src/android/android.c @@ -1,8 +1,7 @@ #include "android_common.h" -// For 'system', 'system_ext' (optional), 'product' (optional), 'vendor' (mandatory) -// and/or 'odm' (optional). -#define MAX_FILE_CONTEXT_SIZE 5 +// For 'system', 'product' (optional), 'vendor' (mandatory) and/or 'odm' (optional). +#define MAX_FILE_CONTEXT_SIZE 4 #ifdef __ANDROID_VNDK__ #ifndef LOG_EVENT_STRING @@ -14,10 +13,6 @@ static const struct selinux_opt seopts_service_plat[] = { { SELABEL_OPT_PATH, "/system/etc/selinux/plat_service_contexts" }, { SELABEL_OPT_PATH, "/plat_service_contexts" } }; -static const struct selinux_opt seopts_service_system_ext[] = { - { SELABEL_OPT_PATH, "/system_ext/etc/selinux/system_ext_service_contexts" }, - { SELABEL_OPT_PATH, "/system_ext_service_contexts" } -}; static const struct selinux_opt seopts_service_product[] = { { SELABEL_OPT_PATH, "/product/etc/selinux/product_service_contexts" }, { SELABEL_OPT_PATH, "/product_service_contexts" } @@ -34,10 +29,6 @@ static const struct selinux_opt seopts_hwservice_plat[] = { { SELABEL_OPT_PATH, "/system/etc/selinux/plat_hwservice_contexts" }, { SELABEL_OPT_PATH, "/plat_hwservice_contexts" } }; -static const struct selinux_opt seopts_hwservice_system_ext[] = { - { SELABEL_OPT_PATH, "/system_ext/etc/selinux/system_ext_hwservice_contexts" }, - { SELABEL_OPT_PATH, "/system_ext_hwservice_contexts" } -}; static const struct selinux_opt seopts_hwservice_product[] = { { SELABEL_OPT_PATH, "/product/etc/selinux/product_hwservice_contexts" }, { SELABEL_OPT_PATH, "/product_hwservice_contexts" } @@ -91,12 +82,6 @@ struct selabel_handle* selinux_android_service_context_handle(void) break; } } - for (i = 0; i < ARRAY_SIZE(seopts_service_system_ext); i++) { - if (access(seopts_service_system_ext[i].value, R_OK) != -1) { - seopts_service[size++] = seopts_service_system_ext[i]; - break; - } - } for (i = 0; i < ARRAY_SIZE(seopts_service_product); i++) { if (access(seopts_service_product[i].value, R_OK) != -1) { seopts_service[size++] = seopts_service_product[i]; @@ -124,12 +109,6 @@ struct selabel_handle* selinux_android_hw_service_context_handle(void) break; } } - for (i = 0; i < ARRAY_SIZE(seopts_hwservice_system_ext); i++) { - if (access(seopts_hwservice_system_ext[i].value, R_OK) != -1) { - seopts_service[size++] = seopts_hwservice_system_ext[i]; - break; - } - } for (i = 0; i < ARRAY_SIZE(seopts_hwservice_product); i++) { if (access(seopts_hwservice_product[i].value, R_OK) != -1) { seopts_service[size++] = seopts_hwservice_product[i]; diff --git a/libselinux/src/android/android_common.h b/libselinux/src/android/android_common.h index 5853c2bc..637d4e8b 100644 --- a/libselinux/src/android/android_common.h +++ b/libselinux/src/android/android_common.h @@ -21,6 +21,7 @@ #include <selinux/android.h> #include <selinux/label.h> #include <selinux/avc.h> +#include <openssl/sha.h> #ifndef __ANDROID_VNDK__ #include <private/android_filesystem_config.h> #endif diff --git a/libselinux/src/android/android_platform.c b/libselinux/src/android/android_platform.c index a51d1657..83a795a7 100644 --- a/libselinux/src/android/android_platform.c +++ b/libselinux/src/android/android_platform.c @@ -1,9 +1,8 @@ #include "android_common.h" #include <packagelistparser/packagelistparser.h> -// For 'system', 'system_ext' (optional), 'product' (optional), 'vendor' (mandatory) -// and/or 'odm' (optional). -#define MAX_FILE_CONTEXT_SIZE 5 +// For 'system', 'product' (optional), 'vendor' (mandatory) and/or 'odm' (optional). +#define MAX_FILE_CONTEXT_SIZE 4 static const char *const sepolicy_file = "/sepolicy"; @@ -11,10 +10,6 @@ static const struct selinux_opt seopts_file_plat[] = { { SELABEL_OPT_PATH, "/system/etc/selinux/plat_file_contexts" }, { SELABEL_OPT_PATH, "/plat_file_contexts" } }; -static const struct selinux_opt seopts_file_system_ext[] = { - { SELABEL_OPT_PATH, "/system_ext/etc/selinux/system_ext_file_contexts" }, - { SELABEL_OPT_PATH, "/system_ext_file_contexts" } -}; static const struct selinux_opt seopts_file_product[] = { { SELABEL_OPT_PATH, "/product/etc/selinux/product_file_contexts" }, { SELABEL_OPT_PATH, "/product_file_contexts" } @@ -31,6 +26,26 @@ static const struct selinux_opt seopts_file_odm[] = { { SELABEL_OPT_PATH, "/odm_file_contexts" } }; +static const struct selinux_opt seopts_prop_plat[] = { + { SELABEL_OPT_PATH, "/system/etc/selinux/plat_property_contexts" }, + { SELABEL_OPT_PATH, "/plat_property_contexts" } +}; +static const struct selinux_opt seopts_prop_product[] = { + { SELABEL_OPT_PATH, "/product/etc/selinux/product_property_contexts" }, + { SELABEL_OPT_PATH, "/product_property_contexts" } +}; +static const struct selinux_opt seopts_prop_vendor[] = { + { SELABEL_OPT_PATH, "/vendor/etc/selinux/vendor_property_contexts" }, + { SELABEL_OPT_PATH, "/vendor_property_contexts" }, + // TODO: remove nonplat* when no need to retain backward compatibility. + { SELABEL_OPT_PATH, "/vendor/etc/selinux/nonplat_property_contexts" }, + { SELABEL_OPT_PATH, "/nonplat_property_contexts" } +}; +static const struct selinux_opt seopts_prop_odm[] = { + { SELABEL_OPT_PATH, "/odm/etc/selinux/odm_property_contexts" }, + { SELABEL_OPT_PATH, "/odm_property_contexts" } +}; + /* * XXX Where should this configuration file be located? * Needs to be accessible by zygote and installd when @@ -41,10 +56,6 @@ static char const * const seapp_contexts_plat[] = { "/system/etc/selinux/plat_seapp_contexts", "/plat_seapp_contexts" }; -static char const * const seapp_contexts_system_ext[] = { - "/system_ext/etc/selinux/system_ext_seapp_contexts", - "/system_ext_seapp_contexts" -}; static char const * const seapp_contexts_product[] = { "/product/etc/selinux/product_seapp_contexts", "/product_seapp_contexts" @@ -61,6 +72,76 @@ static char const * const seapp_contexts_odm[] = { "/odm_seapp_contexts" }; +uint8_t fc_digest[FC_DIGEST_SIZE]; + +static bool compute_file_contexts_hash(uint8_t c_digest[], const struct selinux_opt *opts, unsigned nopts) +{ + int fd = -1; + void *map = MAP_FAILED; + bool ret = false; + uint8_t *fc_data = NULL; + size_t total_size = 0; + struct stat sb; + size_t i; + + for (i = 0; i < nopts; i++) { + fd = open(opts[i].value, O_CLOEXEC | O_RDONLY); + if (fd < 0) { + selinux_log(SELINUX_ERROR, "SELinux: Could not open %s: %s\n", + opts[i].value, strerror(errno)); + goto cleanup; + } + + if (fstat(fd, &sb) < 0) { + selinux_log(SELINUX_ERROR, "SELinux: Could not stat %s: %s\n", + opts[i].value, strerror(errno)); + goto cleanup; + } + + if (sb.st_size == 0) { + selinux_log(SELINUX_WARNING, "SELinux: Skipping %s: empty file\n", + opts[i].value); + goto nextfile; + } + + map = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0); + if (map == MAP_FAILED) { + selinux_log(SELINUX_ERROR, "SELinux: Could not map %s: %s\n", + opts[i].value, strerror(errno)); + goto cleanup; + } + + fc_data = realloc(fc_data, total_size + sb.st_size); + if (!fc_data) { + selinux_log(SELINUX_ERROR, "SELinux: Count not re-alloc for %s: %s\n", + opts[i].value, strerror(errno)); + goto cleanup; + } + + memcpy(fc_data + total_size, map, sb.st_size); + total_size += sb.st_size; + + /* reset everything for next file */ + munmap(map, sb.st_size); +nextfile: + close(fd); + map = MAP_FAILED; + fd = -1; + } + + SHA1(fc_data, total_size, c_digest); + ret = true; + +cleanup: + if (map != MAP_FAILED) + munmap(map, sb.st_size); + if (fd >= 0) + close(fd); + free(fc_data); + + return ret; +} + static struct selabel_handle* selinux_android_file_context(const struct selinux_opt *opts, unsigned nopts) { @@ -77,6 +158,10 @@ static struct selabel_handle* selinux_android_file_context(const struct selinux_ __FUNCTION__, strerror(errno)); return NULL; } + if (!compute_file_contexts_hash(fc_digest, opts, nopts)) { + selabel_close(sehandle); + return NULL; + } selinux_log(SELINUX_INFO, "SELinux: Loaded file_contexts\n"); @@ -94,12 +179,6 @@ struct selabel_handle* selinux_android_file_context_handle(void) break; } } - for (i = 0; i < ARRAY_SIZE(seopts_file_system_ext); i++) { - if (access(seopts_file_system_ext[i].value, R_OK) != -1) { - seopts_file[size++] = seopts_file_system_ext[i]; - break; - } - } for (i = 0; i < ARRAY_SIZE(seopts_file_product); i++) { if (access(seopts_file_product[i].value, R_OK) != -1) { seopts_file[size++] = seopts_file_product[i]; @@ -121,6 +200,49 @@ struct selabel_handle* selinux_android_file_context_handle(void) return selinux_android_file_context(seopts_file, size); } +struct selabel_handle* selinux_android_prop_context_handle(void) +{ + struct selabel_handle* sehandle; + struct selinux_opt seopts_prop[MAX_FILE_CONTEXT_SIZE]; + int size = 0; + unsigned int i; + for (i = 0; i < ARRAY_SIZE(seopts_prop_plat); i++) { + if (access(seopts_prop_plat[i].value, R_OK) != -1) { + seopts_prop[size++] = seopts_prop_plat[i]; + break; + } + } + for (i = 0; i < ARRAY_SIZE(seopts_prop_product); i++) { + if (access(seopts_prop_product[i].value, R_OK) != -1) { + seopts_prop[size++] = seopts_prop_product[i]; + break; + } + } + for (i = 0; i < ARRAY_SIZE(seopts_prop_vendor); i++) { + if (access(seopts_prop_vendor[i].value, R_OK) != -1) { + seopts_prop[size++] = seopts_prop_vendor[i]; + break; + } + } + for (i = 0; i < ARRAY_SIZE(seopts_prop_odm); i++) { + if (access(seopts_prop_odm[i].value, R_OK) != -1) { + seopts_prop[size++] = seopts_prop_odm[i]; + break; + } + } + + sehandle = selabel_open(SELABEL_CTX_ANDROID_PROP, seopts_prop, size); + if (!sehandle) { + selinux_log(SELINUX_ERROR, "%s: Error getting property context handle (%s)\n", + __FUNCTION__, strerror(errno)); + return NULL; + } + selinux_log(SELINUX_INFO, "SELinux: Loaded property_contexts from %s & %s.\n", + seopts_prop[0].value, seopts_prop[1].value); + + return sehandle; +} + enum levelFrom { LEVELFROM_NONE, LEVELFROM_APP, @@ -155,6 +277,8 @@ struct seapp_context { bool isSystemServer; bool isEphemeralAppSet; bool isEphemeralApp; + bool isV2AppSet; + bool isV2App; bool isOwnerSet; bool isOwner; struct prefix_str user; @@ -204,6 +328,12 @@ static int seapp_context_cmp(const void *A, const void *B) if (s1->isEphemeralAppSet != s2->isEphemeralAppSet) return (s1->isEphemeralAppSet ? -1 : 1); + /* Give precedence to a specified isV2= over an + * unspecified isV2=. */ + if (s1->isV2AppSet != s2->isV2AppSet) + return (s1->isV2AppSet ? -1 : 1); + + /* Give precedence to a specified isOwner= over an unspecified isOwner=. */ if (s1->isOwnerSet != s2->isOwnerSet) return (s1->isOwnerSet ? -1 : 1); @@ -291,6 +421,7 @@ static int seapp_context_cmp(const void *A, const void *B) (s1->isPrivAppSet && s1->isPrivApp == s2->isPrivApp) && (s1->isOwnerSet && s1->isOwner == s2->isOwner) && (s1->isSystemServer && s1->isSystemServer == s2->isSystemServer) && + (s1->isV2AppSet && s1->isV2App == s2->isV2App) && (s1->isEphemeralAppSet && s1->isEphemeralApp == s2->isEphemeralApp); if (dup) { @@ -357,12 +488,6 @@ int selinux_android_seapp_context_reload(void) break; } } - for (i = 0; i < ARRAY_SIZE(seapp_contexts_system_ext); i++) { - if (access(seapp_contexts_system_ext[i], R_OK) != -1) { - seapp_contexts_files[files_len++] = seapp_contexts_system_ext[i]; - break; - } - } for (i = 0; i < ARRAY_SIZE(seapp_contexts_product); i++) { if (access(seapp_contexts_product[i], R_OK) != -1) { seapp_contexts_files[files_len++] = seapp_contexts_product[i]; @@ -469,6 +594,16 @@ int selinux_android_seapp_context_reload(void) free_seapp_context(cur); goto err; } + } else if (!strcasecmp(name, "isV2App")) { + cur->isV2AppSet = true; + if (!strcasecmp(value, "true")) + cur->isV2App = true; + else if (!strcasecmp(value, "false")) + cur->isV2App = false; + else { + free_seapp_context(cur); + goto err; + } } else if (!strcasecmp(name, "isOwner")) { cur->isOwnerSet = true; if (!strcasecmp(value, "true")) @@ -627,7 +762,7 @@ int selinux_android_seapp_context_reload(void) break; } - if (!cur->isPrivApp && cur->name.str && + if (cur->name.str && (!cur->seinfo || !strcmp(cur->seinfo, "default"))) { selinux_log(SELINUX_ERROR, "%s: No specific seinfo value specified with name=\"%s\", on line %u: insecure configuration!\n", seapp_contexts_files[i], cur->name.str, lineno); @@ -654,11 +789,12 @@ int selinux_android_seapp_context_reload(void) int i; for (i = 0; i < nspec; i++) { cur = seapp_contexts[i]; - selinux_log(SELINUX_INFO, "%s: isSystemServer=%s isEphemeralApp=%s isOwner=%s user=%s seinfo=%s " + selinux_log(SELINUX_INFO, "%s: isSystemServer=%s isEphemeralApp=%s isV2App=%s isOwner=%s user=%s seinfo=%s " "name=%s path=%s isPrivApp=%s minTargetSdkVersion=%d fromRunAs=%s -> domain=%s type=%s level=%s levelFrom=%s", __FUNCTION__, cur->isSystemServer ? "true" : "false", cur->isEphemeralAppSet ? (cur->isEphemeralApp ? "true" : "false") : "null", + cur->isV2AppSet ? (cur->isV2App ? "true" : "false") : "null", cur->isOwnerSet ? (cur->isOwner ? "true" : "false") : "null", cur->user.str, cur->seinfo, cur->name.str, cur->path.str, @@ -719,6 +855,7 @@ enum seapp_kind { #define PRIVILEGED_APP_STR ":privapp" #define EPHEMERAL_APP_STR ":ephemeralapp" +#define V2_APP_STR ":v2" #define TARGETSDKVERSION_STR ":targetSdkVersion=" #define FROM_RUNAS_STR ":fromRunAs" static int32_t get_app_targetSdkVersion(const char *seinfo) @@ -778,6 +915,7 @@ static int seapp_context_lookup(enum seapp_kind kind, bool isPrivApp = false; bool isEphemeralApp = false; int32_t targetSdkVersion = 0; + bool isV2App = false; bool fromRunAs = false; char parsedseinfo[BUFSIZ]; @@ -788,6 +926,7 @@ static int seapp_context_lookup(enum seapp_kind kind, goto err; isPrivApp = strstr(seinfo, PRIVILEGED_APP_STR) ? true : false; isEphemeralApp = strstr(seinfo, EPHEMERAL_APP_STR) ? true : false; + isV2App = strstr(seinfo, V2_APP_STR) ? true : false; fromRunAs = strstr(seinfo, FROM_RUNAS_STR) ? true : false; targetSdkVersion = get_app_targetSdkVersion(seinfo); if (targetSdkVersion < 0) { @@ -836,6 +975,9 @@ static int seapp_context_lookup(enum seapp_kind kind, if (cur->isEphemeralAppSet && cur->isEphemeralApp != isEphemeralApp) continue; + if (cur->isV2AppSet && cur->isV2App != isV2App) + continue; + if (cur->isOwnerSet && cur->isOwner != isOwner) continue; diff --git a/libselinux/src/android/android_vendor.c b/libselinux/src/android/android_vendor.c index e4e95f79..82fea4dd 100644 --- a/libselinux/src/android/android_vendor.c +++ b/libselinux/src/android/android_vendor.c @@ -6,3 +6,9 @@ int selinux_android_restorecon(const char *file __attribute__((unused)), selinux_log(SELINUX_ERROR, "%s: not implemented for vendor variant of libselinux\n", __FUNCTION__); return -1; } + +struct selabel_handle* selinux_android_prop_context_handle(void) +{ + selinux_log(SELINUX_ERROR, "%s: not implemented for vendor variant of libselinux\n", __FUNCTION__); + return NULL; +} diff --git a/libselinux/src/audit2why.c b/libselinux/src/audit2why.c index d56b56eb..5a1e69a8 100644 --- a/libselinux/src/audit2why.c +++ b/libselinux/src/audit2why.c @@ -291,7 +291,7 @@ static int __policy_init(const char *init_path) static PyObject *init(PyObject *self __attribute__((unused)), PyObject *args) { int result; - char *init_path = NULL; + char *init_path=NULL; if (avc) { PyErr_SetString( PyExc_RuntimeError, "init called multiple times"); return NULL; @@ -322,7 +322,7 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args sepol_access_vector_t perm, av; struct sepol_av_decision avd; int rc; - int i = 0; + int i=0; if (!PyArg_ParseTuple(args,(char *)"sssO!:audit2why",&scon,&tcon,&tclassstr,&PyList_Type, &listObj)) return NULL; @@ -353,7 +353,7 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args /* iterate over items of the list, grabbing strings, and parsing for numbers */ - for (i = 0; i < numlines; i++){ + for (i=0; i<numlines; i++){ const char *permstr; /* grab the string object from the next element of the list */ @@ -395,13 +395,13 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args } else { PyObject *outboollist; struct boolean_t *b = bools; - int len = 0; + int len=0; while (b->name) { len++; b++; } b = bools; outboollist = PyList_New(len); - len = 0; + len=0; while(b->name) { PyObject *bool_ = Py_BuildValue("(si)", b->name, b->active); PyList_SetItem(outboollist, len++, bool_); diff --git a/libselinux/src/booleans.c b/libselinux/src/booleans.c index ab1e0754..a6d46fea 100644 --- a/libselinux/src/booleans.c +++ b/libselinux/src/booleans.c @@ -125,10 +125,10 @@ char *selinux_boolean_sub(const char *name) dst++; if (!*dst) continue; - ptr = dst; + ptr=dst; while (*ptr && !isspace(*ptr)) ptr++; - *ptr = '\0'; + *ptr='\0'; sub = strdup(dst); diff --git a/libselinux/src/init.c b/libselinux/src/init.c index 083638c4..2690a72f 100644 --- a/libselinux/src/init.c +++ b/libselinux/src/init.c @@ -83,8 +83,8 @@ hidden_def(selinuxfs_exists) static void init_selinuxmnt(void) { - char *buf = NULL, *p; - FILE *fp = NULL; + char *buf=NULL, *p; + FILE *fp=NULL; size_t len; ssize_t num; diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c index 7bc2daca..fd3e0130 100644 --- a/libselinux/src/label_file.c +++ b/libselinux/src/label_file.c @@ -635,10 +635,10 @@ static int selabel_subs_init(const char *path, struct selabel_digest *digest, dst = ptr; while (*dst && isspace(*dst)) dst++; - ptr = dst; + ptr=dst; while (*ptr && ! isspace(*ptr)) ptr++; - *ptr = '\0'; + *ptr='\0'; if (! *dst) continue; @@ -647,11 +647,11 @@ static int selabel_subs_init(const char *path, struct selabel_digest *digest, goto err; memset(sub, 0, sizeof(*sub)); - sub->src = strdup(src); + sub->src=strdup(src); if (! sub->src) goto err; - sub->dst = strdup(dst); + sub->dst=strdup(dst); if (! sub->dst) goto err; diff --git a/libselinux/src/mapping.c b/libselinux/src/mapping.c index 96395fd4..33cea5ae 100644 --- a/libselinux/src/mapping.c +++ b/libselinux/src/mapping.c @@ -143,7 +143,7 @@ unmap_perm(security_class_t tclass, access_vector_t tperm) unsigned i; access_vector_t kperm = 0; - for (i = 0; i < current_mapping[tclass].num_perms; i++) + for (i=0; i<current_mapping[tclass].num_perms; i++) if (tperm & (1<<i)) { kperm |= current_mapping[tclass].perms[i]; tperm &= ~(1<<i); @@ -169,7 +169,7 @@ map_class(security_class_t kclass) { security_class_t i; - for (i = 0; i < current_mapping_size; i++) + for (i=0; i<current_mapping_size; i++) if (current_mapping[i].value == kclass) return i; @@ -189,7 +189,7 @@ map_perm(security_class_t tclass, access_vector_t kperm) unsigned i; access_vector_t tperm = 0; - for (i = 0; i < current_mapping[tclass].num_perms; i++) + for (i=0; i<current_mapping[tclass].num_perms; i++) if (kperm & current_mapping[tclass].perms[i]) { tperm |= 1<<i; kperm &= ~current_mapping[tclass].perms[i]; diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c index 05a5cfa4..58b4144a 100644 --- a/libselinux/src/matchpathcon.c +++ b/libselinux/src/matchpathcon.c @@ -414,7 +414,7 @@ int realpath_not_final(const char *name, char *resolved_path) if (len + strlen(last_component) + 2 > PATH_MAX) { myprintf("symlink_realpath(%s) failed: Filename too long \n", name); - errno = ENAMETOOLONG; + errno=ENAMETOOLONG; rc = -1; goto out; } diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h index acd59c7c..70b5025d 100644 --- a/libselinux/src/selinux_internal.h +++ b/libselinux/src/selinux_internal.h @@ -29,8 +29,6 @@ hidden_proto(selinux_mkload_policy) hidden_proto(security_compute_create_name_raw) hidden_proto(security_compute_member_raw) hidden_proto(security_compute_relabel_raw) - hidden_proto(security_validatetrans) - hidden_proto(security_validatetrans_raw) hidden_proto(is_selinux_enabled) hidden_proto(is_selinux_mls_enabled) hidden_proto(freecon) diff --git a/libselinux/src/seusers.c b/libselinux/src/seusers.c index 7ec7d12c..572a7b01 100644 --- a/libselinux/src/seusers.c +++ b/libselinux/src/seusers.c @@ -274,7 +274,7 @@ int getseuser(const char *username, const char *service, char *buffer = NULL; size_t size = 0; char *rec = NULL; - char *path = NULL; + char *path=NULL; FILE *fp = NULL; if (asprintf(&path,"%s/logins/%s", selinux_policy_root(), username) < 0) goto err; diff --git a/libselinux/src/sha1.c b/libselinux/src/sha1.c index d671044d..9bcbb6ee 100644 --- a/libselinux/src/sha1.c +++ b/libselinux/src/sha1.c @@ -78,7 +78,7 @@ void CHAR64LONG16 workspace; CHAR64LONG16* block = &workspace; - memcpy(block, buffer, 64); + memcpy( block, buffer, 64 ); // Copy context->state[] to working vars a = state[0]; @@ -160,18 +160,18 @@ void hidden uint32_t j; j = (Context->Count[0] >> 3) & 63; - if ((Context->Count[0] += BufferSize << 3) < (BufferSize << 3)) + if( (Context->Count[0] += BufferSize << 3) < (BufferSize << 3) ) { Context->Count[1]++; } Context->Count[1] += (BufferSize >> 29); - if ((j + BufferSize) > 63) + if( (j + BufferSize) > 63 ) { i = 64 - j; - memcpy(&Context->Buffer[j], Buffer, i); + memcpy( &Context->Buffer[j], Buffer, i ); TransformFunction(Context->State, Context->Buffer); - for (; i + 63 < BufferSize; i += 64) + for( ; i + 63 < BufferSize; i += 64 ) { TransformFunction(Context->State, (uint8_t*)Buffer + i); } @@ -182,7 +182,7 @@ void hidden i = 0; } - memcpy(&Context->Buffer[j], &((uint8_t*)Buffer)[i], BufferSize - i); + memcpy( &Context->Buffer[j], &((uint8_t*)Buffer)[i], BufferSize - i ); } /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// @@ -201,19 +201,19 @@ void hidden uint32_t i; uint8_t finalcount[8]; - for (i = 0; i < 8; i++) + for( i=0; i<8; i++ ) { finalcount[i] = (unsigned char)((Context->Count[(i >= 4 ? 0 : 1)] >> ((3-(i & 3)) * 8) ) & 255); // Endian independent } - Sha1Update(Context, (uint8_t*)"\x80", 1); - while ((Context->Count[0] & 504) != 448) + Sha1Update( Context, (uint8_t*)"\x80", 1 ); + while( (Context->Count[0] & 504) != 448 ) { - Sha1Update(Context, (uint8_t*)"\0", 1); + Sha1Update( Context, (uint8_t*)"\0", 1 ); } - Sha1Update(Context, finalcount, 8); // Should cause a Sha1TransformFunction() - for (i = 0; i < SHA1_HASH_SIZE; i++) + Sha1Update( Context, finalcount, 8 ); // Should cause a Sha1TransformFunction() + for( i=0; i<SHA1_HASH_SIZE; i++ ) { Digest->bytes[i] = (uint8_t)((Context->State[i>>2] >> ((3-(i & 3)) * 8) ) & 255); } diff --git a/libselinux/src/stringrep.c b/libselinux/src/stringrep.c index ad29f76d..2d83f960 100644 --- a/libselinux/src/stringrep.c +++ b/libselinux/src/stringrep.c @@ -147,7 +147,7 @@ static struct discover_class_node * discover_class(const char *s) err4: closedir(dir); - for (i = 0; i < MAXVECTORS; i++) + for (i=0; i<MAXVECTORS; i++) free(node->perms[i]); err3: free(node->name); @@ -214,7 +214,7 @@ security_class_t mode_to_security_class(mode_t m) { if (S_ISSOCK(m)) return string_to_security_class("sock_file"); - errno = EINVAL; + errno=EINVAL; return 0; } @@ -226,7 +226,7 @@ access_vector_t string_to_av_perm(security_class_t tclass, const char *s) node = get_class_cache_entry_value(kclass); if (node != NULL) { size_t i; - for (i = 0; i < MAXVECTORS && node->perms[i] != NULL; i++) + for (i=0; i<MAXVECTORS && node->perms[i] != NULL; i++) if (strcmp(node->perms[i],s) == 0) return map_perm(tclass, 1<<i); } diff --git a/libselinux/src/validatetrans.c b/libselinux/src/validatetrans.c deleted file mode 100644 index 2aa300cf..00000000 --- a/libselinux/src/validatetrans.c +++ /dev/null @@ -1,94 +0,0 @@ -#include <unistd.h> -#include <sys/types.h> -#include <fcntl.h> -#include <stdlib.h> -#include <stdio.h> -#include <errno.h> -#include <string.h> -#include <limits.h> -#include "selinux_internal.h" -#include "policy.h" -#include "mapping.h" - -int security_validatetrans_raw(const char *scon, - const char *tcon, - security_class_t tclass, - const char *newcon) -{ - char path[PATH_MAX]; - char *buf = NULL; - int size, bufsz; - int fd, ret = -1; - errno = ENOENT; - - if (!selinux_mnt) { - return -1; - } - - snprintf(path, sizeof path, "%s/validatetrans", selinux_mnt); - fd = open(path, O_WRONLY | O_CLOEXEC); - if (fd < 0) { - return -1; - } - - errno = EINVAL; - size = selinux_page_size; - buf = malloc(size); - if (!buf) { - goto out; - } - - bufsz = snprintf(buf, size, "%s %s %hu %s", scon, tcon, unmap_class(tclass), newcon); - if (bufsz >= size || bufsz < 0) { - // It got truncated or there was an encoding error - goto out; - } - - // clear errno for write() - errno = 0; - ret = write(fd, buf, strlen(buf)); - if (ret > 0) { - // The kernel returns the bytes written on success, not 0 as noted in the commit message - ret = 0; - } -out: - free(buf); - close(fd); - return ret; -} - -hidden_def(security_validatetrans_raw) - -int security_validatetrans(const char *scon, - const char *tcon, - security_class_t tclass, - const char *newcon) -{ - int ret = -1; - char *rscon = NULL; - char *rtcon = NULL; - char *rnewcon = NULL; - - if (selinux_trans_to_raw_context(scon, &rscon)) { - goto out; - } - - if (selinux_trans_to_raw_context(tcon, &rtcon)) { - goto out; - } - - if (selinux_trans_to_raw_context(newcon, &rnewcon)) { - goto out; - } - - ret = security_validatetrans_raw(rscon, rtcon, tclass, rnewcon); - -out: - freecon(rnewcon); - freecon(rtcon); - freecon(rscon); - - return ret; -} - -hidden_def(security_validatetrans) diff --git a/libselinux/utils/.gitignore b/libselinux/utils/.gitignore index aba18a3c..5cd01025 100644 --- a/libselinux/utils/.gitignore +++ b/libselinux/utils/.gitignore @@ -25,4 +25,3 @@ setenforce setfilecon togglesebool selinux_check_access -validatetrans diff --git a/libselinux/utils/avcstat.c b/libselinux/utils/avcstat.c index da239287..884a10bf 100644 --- a/libselinux/utils/avcstat.c +++ b/libselinux/utils/avcstat.c @@ -116,7 +116,7 @@ int main(int argc, char **argv) case 'h': case '-': usage(); - exit(EXIT_SUCCESS); + exit(0); default: usage(); die("unrecognized parameter '%c'", i); @@ -133,7 +133,7 @@ int main(int argc, char **argv) } if (n == 0) { usage(); - exit(EXIT_SUCCESS); + exit(0); } interval = n; } diff --git a/libselinux/utils/compute_av.c b/libselinux/utils/compute_av.c index df4a77e8..574fa6ed 100644 --- a/libselinux/utils/compute_av.c +++ b/libselinux/utils/compute_av.c @@ -51,5 +51,5 @@ int main(int argc, char **argv) printf("\n"); } - exit(EXIT_SUCCESS); + exit(0); } diff --git a/libselinux/utils/compute_create.c b/libselinux/utils/compute_create.c index 449ccd90..4abc29fb 100644 --- a/libselinux/utils/compute_create.c +++ b/libselinux/utils/compute_create.c @@ -32,5 +32,5 @@ int main(int argc, char **argv) printf("%s\n", buf); freecon(buf); - exit(EXIT_SUCCESS); + exit(0); } diff --git a/libselinux/utils/compute_member.c b/libselinux/utils/compute_member.c index c6dad19e..14edd451 100644 --- a/libselinux/utils/compute_member.c +++ b/libselinux/utils/compute_member.c @@ -32,5 +32,5 @@ int main(int argc, char **argv) printf("%s\n", buf); freecon(buf); - exit(EXIT_SUCCESS); + exit(0); } diff --git a/libselinux/utils/compute_relabel.c b/libselinux/utils/compute_relabel.c index 85c760bc..970750e8 100644 --- a/libselinux/utils/compute_relabel.c +++ b/libselinux/utils/compute_relabel.c @@ -32,5 +32,5 @@ int main(int argc, char **argv) printf("%s\n", buf); freecon(buf); - exit(EXIT_SUCCESS); + exit(0); } diff --git a/libselinux/utils/compute_user.c b/libselinux/utils/compute_user.c index 86d00a6e..cae62b26 100644 --- a/libselinux/utils/compute_user.c +++ b/libselinux/utils/compute_user.c @@ -27,12 +27,12 @@ int main(int argc, char **argv) if (!buf[0]) { printf("none\n"); - exit(EXIT_SUCCESS); + exit(0); } for (ptr = buf; *ptr; ptr++) { printf("%s\n", *ptr); } freeconary(buf); - exit(EXIT_SUCCESS); + exit(0); } diff --git a/libselinux/utils/getconlist.c b/libselinux/utils/getconlist.c index 29c16640..5ac0ca85 100644 --- a/libselinux/utils/getconlist.c +++ b/libselinux/utils/getconlist.c @@ -27,11 +27,6 @@ int main(int argc, char **argv) switch (opt) { case 'l': level = strdup(optarg); - if (!level) { - fprintf(stderr, "memory allocation failure: %d(%s)\n", - errno, strerror(errno)); - return 3; - } break; default: usage(argv[0], "invalid option", 1); diff --git a/libselinux/utils/getfilecon.c b/libselinux/utils/getfilecon.c index 6266ae16..a7a51abb 100644 --- a/libselinux/utils/getfilecon.c +++ b/libselinux/utils/getfilecon.c @@ -23,5 +23,5 @@ int main(int argc, char **argv) printf("%s\t%s\n", argv[i], buf); freecon(buf); } - exit(EXIT_SUCCESS); + exit(0); } diff --git a/libselinux/utils/getpidcon.c b/libselinux/utils/getpidcon.c index ea6c274e..3df0da1f 100644 --- a/libselinux/utils/getpidcon.c +++ b/libselinux/utils/getpidcon.c @@ -27,5 +27,5 @@ int main(int argc, char **argv) printf("%s\n", buf); freecon(buf); - exit(EXIT_SUCCESS); + exit(0); } diff --git a/libselinux/utils/getseuser.c b/libselinux/utils/getseuser.c index 9193fe0a..c33a4ad2 100644 --- a/libselinux/utils/getseuser.c +++ b/libselinux/utils/getseuser.c @@ -36,5 +36,5 @@ int main(int argc, char **argv) for (i = 0; i < n; i++) printf("Context %d\t%s\n", i, contextlist[i]); freeconary(contextlist); - exit(EXIT_SUCCESS); + exit(0); } diff --git a/libselinux/utils/matchpathcon.c b/libselinux/utils/matchpathcon.c index eb39a188..9756d7d9 100644 --- a/libselinux/utils/matchpathcon.c +++ b/libselinux/utils/matchpathcon.c @@ -25,7 +25,7 @@ static int printmatchpathcon(const char *path, int header, int mode) int rc = matchpathcon(path, mode, &buf); if (rc < 0) { if (errno == ENOENT) { - buf = strdup("<<none>>"); + buf=strdup("<<none>>"); } else { fprintf(stderr, "matchpathcon(%s) failed: %s\n", path, strerror(errno)); diff --git a/libselinux/utils/policyvers.c b/libselinux/utils/policyvers.c index dd56f2c7..0309d7d1 100644 --- a/libselinux/utils/policyvers.c +++ b/libselinux/utils/policyvers.c @@ -14,5 +14,5 @@ int main(int argc __attribute__ ((unused)), char **argv) } printf("%d\n", rc); - exit(EXIT_SUCCESS); + exit(0); } diff --git a/libselinux/utils/setfilecon.c b/libselinux/utils/setfilecon.c index 79af55de..d69af84a 100644 --- a/libselinux/utils/setfilecon.c +++ b/libselinux/utils/setfilecon.c @@ -20,5 +20,5 @@ int main(int argc, char **argv) exit(2); } } - exit(EXIT_SUCCESS); + exit(0); } diff --git a/libselinux/utils/validatetrans.c b/libselinux/utils/validatetrans.c deleted file mode 100644 index 1db33e66..00000000 --- a/libselinux/utils/validatetrans.c +++ /dev/null @@ -1,30 +0,0 @@ -#include <unistd.h> -#include <sys/types.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <errno.h> -#include <selinux/selinux.h> - -int main(int argc, char **argv) -{ - security_class_t tclass; - int ret; - - if (argc != 5) { - fprintf(stderr, "usage: %s scontext tcontext tclass newcontext\n", - argv[0]); - exit(1); - } - - tclass = string_to_security_class(argv[3]); - if (!tclass) { - fprintf(stderr, "%s: invalid class '%s'\n", argv[0], argv[3]); - exit(2); - } - - ret = security_validatetrans(argv[1], argv[2], tclass, argv[4]); - printf("security_validatetrans returned %d errno: %s\n", ret, strerror(errno)); - - return ret; -} diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c index 7e097d5f..c58961be 100644 --- a/libsemanage/src/direct_api.c +++ b/libsemanage/src/direct_api.c @@ -517,7 +517,7 @@ ssize_t bunzip(semanage_handle_t *sh, FILE *f, char **data) size_t size = 1<<18; size_t bufsize = size; int bzerror; - size_t total = 0; + size_t total=0; char* uncompress = NULL; char* tmpalloc = NULL; int ret = -1; diff --git a/libsemanage/src/modules.c b/libsemanage/src/modules.c index fa84d33e..62af1018 100644 --- a/libsemanage/src/modules.c +++ b/libsemanage/src/modules.c @@ -1130,7 +1130,7 @@ int semanage_module_install_info(semanage_handle_t *sh, int semanage_module_remove_key(semanage_handle_t *sh, const semanage_module_key_t *modkey) { - if (sh->funcs->remove_key == NULL) { + if (sh->funcs->remove_key== NULL) { ERR(sh, "No remove key function defined for this connection type."); return -1; diff --git a/libsemanage/src/seusers_local.c b/libsemanage/src/seusers_local.c index 3e2761c4..a79e2d3d 100644 --- a/libsemanage/src/seusers_local.c +++ b/libsemanage/src/seusers_local.c @@ -133,7 +133,7 @@ int semanage_seuser_modify_local(semanage_handle_t * handle, semanage_seuser_t *new = NULL; if (!sename) { - errno = EINVAL; + errno=EINVAL; return -1; } rc = semanage_seuser_clone(handle, data, &new); diff --git a/libsemanage/src/users_local.c b/libsemanage/src/users_local.c index 8193476d..7aa43d44 100644 --- a/libsemanage/src/users_local.c +++ b/libsemanage/src/users_local.c @@ -38,7 +38,7 @@ static int lookup_seuser(semanage_handle_t * handle, const semanage_user_key_t * semanage_seuser_list_local(handle, &records, &count); - for(i = 0; i < count; i++) { + for(i=0; i<count; i++) { sename = semanage_seuser_get_sename(records[i]); if (strcmp(name, sename) == 0) { errno = EINVAL; @@ -47,7 +47,7 @@ static int lookup_seuser(semanage_handle_t * handle, const semanage_user_key_t * rc = -1; } } - for(i = 0; i < count; i++) + for(i=0; i<count; i++) semanage_seuser_free(records[i]); free(records); semanage_user_free(user); diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c index 77ffc36f..e2eb3ebe 100644 --- a/libsepol/cil/src/cil_binary.c +++ b/libsepol/cil/src/cil_binary.c @@ -441,7 +441,9 @@ int cil_roletype_to_policydb(policydb_t *pdb, const struct cil_db *db, struct ci rc = __cil_get_sepol_role_datum(pdb, DATUM(role), &sepol_role); if (rc != SEPOL_OK) goto exit; - ebitmap_for_each_positive_bit(role->types, tnode, i) { + ebitmap_for_each_bit(role->types, tnode, i) { + if (!ebitmap_get_bit(role->types, i)) continue; + rc = __cil_get_sepol_type_datum(pdb, DATUM(db->val_to_type[i]), &sepol_type); if (rc != SEPOL_OK) goto exit; @@ -650,7 +652,9 @@ int cil_typeattribute_to_bitmap(policydb_t *pdb, const struct cil_db *db, struct value = sepol_type->s.value; - ebitmap_for_each_positive_bit(cil_attr->types, tnode, i) { + ebitmap_for_each_bit(cil_attr->types, tnode, i) { + if (!ebitmap_get_bit(cil_attr->types, i)) continue; + rc = __cil_get_sepol_type_datum(pdb, DATUM(db->val_to_type[i]), &sepol_type); if (rc != SEPOL_OK) goto exit; @@ -744,7 +748,11 @@ int cil_userrole_to_policydb(policydb_t *pdb, const struct cil_db *db, struct ci goto exit; } - ebitmap_for_each_positive_bit(user->roles, rnode, i) { + ebitmap_for_each_bit(user->roles, rnode, i) { + if (!ebitmap_get_bit(user->roles, i)) { + continue; + } + rc = __cil_get_sepol_role_datum(pdb, DATUM(db->val_to_role[i]), &sepol_role); if (rc != SEPOL_OK) { goto exit; @@ -1097,11 +1105,15 @@ int __cil_type_rule_to_avtab(policydb_t *pdb, const struct cil_db *db, struct ci rc = __cil_get_sepol_type_datum(pdb, DATUM(cil_rule->result), &sepol_result); if (rc != SEPOL_OK) goto exit; - ebitmap_for_each_positive_bit(&src_bitmap, node1, i) { + ebitmap_for_each_bit(&src_bitmap, node1, i) { + if (!ebitmap_get_bit(&src_bitmap, i)) continue; + rc = __cil_get_sepol_type_datum(pdb, DATUM(db->val_to_type[i]), &sepol_src); if (rc != SEPOL_OK) goto exit; - ebitmap_for_each_positive_bit(&tgt_bitmap, node2, j) { + ebitmap_for_each_bit(&tgt_bitmap, node2, j) { + if (!ebitmap_get_bit(&tgt_bitmap, j)) continue; + rc = __cil_get_sepol_type_datum(pdb, DATUM(db->val_to_type[j]), &sepol_tgt); if (rc != SEPOL_OK) goto exit; @@ -1170,11 +1182,15 @@ int __cil_typetransition_to_avtab(policydb_t *pdb, const struct cil_db *db, stru rc = __cil_get_sepol_type_datum(pdb, DATUM(typetrans->result), &sepol_result); if (rc != SEPOL_OK) goto exit; - ebitmap_for_each_positive_bit(&src_bitmap, node1, i) { + ebitmap_for_each_bit(&src_bitmap, node1, i) { + if (!ebitmap_get_bit(&src_bitmap, i)) continue; + rc = __cil_get_sepol_type_datum(pdb, DATUM(db->val_to_type[i]), &sepol_src); if (rc != SEPOL_OK) goto exit; - ebitmap_for_each_positive_bit(&tgt_bitmap, node2, j) { + ebitmap_for_each_bit(&tgt_bitmap, node2, j) { + if (!ebitmap_get_bit(&tgt_bitmap, j)) continue; + rc = __cil_get_sepol_type_datum(pdb, DATUM(db->val_to_type[j]), &sepol_tgt); if (rc != SEPOL_OK) goto exit; @@ -1459,7 +1475,9 @@ int __cil_avrule_to_avtab(policydb_t *pdb, const struct cil_db *db, struct cil_a goto exit; } - ebitmap_for_each_positive_bit(&src_bitmap, snode, s) { + ebitmap_for_each_bit(&src_bitmap, snode, s) { + if (!ebitmap_get_bit(&src_bitmap, s)) continue; + src = DATUM(db->val_to_type[s]); rc = __cil_avrule_expand(pdb, kind, src, src, classperms, cond_node, cond_flavor); if (rc != SEPOL_OK) { @@ -1488,9 +1506,11 @@ int __cil_avrule_to_avtab(policydb_t *pdb, const struct cil_db *db, struct cil_a goto exit; } - ebitmap_for_each_positive_bit(&src_bitmap, snode, s) { + ebitmap_for_each_bit(&src_bitmap, snode, s) { + if (!ebitmap_get_bit(&src_bitmap, s)) continue; src = DATUM(db->val_to_type[s]); - ebitmap_for_each_positive_bit(&tgt_bitmap, tnode, t) { + ebitmap_for_each_bit(&tgt_bitmap, tnode, t) { + if (!ebitmap_get_bit(&tgt_bitmap, t)) continue; tgt = DATUM(db->val_to_type[t]); rc = __cil_avrule_expand(pdb, kind, src, tgt, classperms, cond_node, cond_flavor); @@ -1509,7 +1529,8 @@ int __cil_avrule_to_avtab(policydb_t *pdb, const struct cil_db *db, struct cil_a goto exit; } - ebitmap_for_each_positive_bit(&src_bitmap, snode, s) { + ebitmap_for_each_bit(&src_bitmap, snode, s) { + if (!ebitmap_get_bit(&src_bitmap, s)) continue; src = DATUM(db->val_to_type[s]); rc = __cil_avrule_expand(pdb, kind, src, tgt, classperms, cond_node, cond_flavor); @@ -1525,7 +1546,8 @@ int __cil_avrule_to_avtab(policydb_t *pdb, const struct cil_db *db, struct cil_a goto exit; } - ebitmap_for_each_positive_bit(&tgt_bitmap, tnode, t) { + ebitmap_for_each_bit(&tgt_bitmap, tnode, t) { + if (!ebitmap_get_bit(&tgt_bitmap, t)) continue; tgt = DATUM(db->val_to_type[t]); rc = __cil_avrule_expand(pdb, kind, src, tgt, classperms, cond_node, cond_flavor); @@ -1597,7 +1619,9 @@ int __cil_permx_bitmap_to_sepol_xperms_list(ebitmap_t *xperms, struct cil_list * start_new_range = 1; - ebitmap_for_each_positive_bit(xperms, node, i) { + ebitmap_for_each_bit(xperms, node, i) { + if (!ebitmap_get_bit(xperms, i)) continue; + if (start_new_range) { low = i; start_new_range = 0; @@ -1828,7 +1852,9 @@ int cil_avrulex_to_hashtable(policydb_t *pdb, const struct cil_db *db, struct ci rc = __cil_expand_type(src, &src_bitmap); if (rc != SEPOL_OK) goto exit; - ebitmap_for_each_positive_bit(&src_bitmap, snode, s) { + ebitmap_for_each_bit(&src_bitmap, snode, s) { + if (!ebitmap_get_bit(&src_bitmap, s)) continue; + src = DATUM(db->val_to_type[s]); rc = __cil_avrulex_to_hashtable_helper(pdb, kind, src, src, cil_avrulex->perms.x.permx, args); if (rc != SEPOL_OK) { @@ -1857,9 +1883,11 @@ int cil_avrulex_to_hashtable(policydb_t *pdb, const struct cil_db *db, struct ci goto exit; } - ebitmap_for_each_positive_bit(&src_bitmap, snode, s) { + ebitmap_for_each_bit(&src_bitmap, snode, s) { + if (!ebitmap_get_bit(&src_bitmap, s)) continue; src = DATUM(db->val_to_type[s]); - ebitmap_for_each_positive_bit(&tgt_bitmap, tnode, t) { + ebitmap_for_each_bit(&tgt_bitmap, tnode, t) { + if (!ebitmap_get_bit(&tgt_bitmap, t)) continue; tgt = DATUM(db->val_to_type[t]); rc = __cil_avrulex_to_hashtable_helper(pdb, kind, src, tgt, cil_avrulex->perms.x.permx, args); @@ -1878,7 +1906,8 @@ int cil_avrulex_to_hashtable(policydb_t *pdb, const struct cil_db *db, struct ci goto exit; } - ebitmap_for_each_positive_bit(&src_bitmap, snode, s) { + ebitmap_for_each_bit(&src_bitmap, snode, s) { + if (!ebitmap_get_bit(&src_bitmap, s)) continue; src = DATUM(db->val_to_type[s]); rc = __cil_avrulex_to_hashtable_helper(pdb, kind, src, tgt, cil_avrulex->perms.x.permx, args); @@ -1894,7 +1923,8 @@ int cil_avrulex_to_hashtable(policydb_t *pdb, const struct cil_db *db, struct ci goto exit; } - ebitmap_for_each_positive_bit(&tgt_bitmap, tnode, t) { + ebitmap_for_each_bit(&tgt_bitmap, tnode, t) { + if (!ebitmap_get_bit(&tgt_bitmap, t)) continue; tgt = DATUM(db->val_to_type[t]); rc = __cil_avrulex_to_hashtable_helper(pdb, kind, src, tgt, cil_avrulex->perms.x.permx, args); @@ -2337,11 +2367,15 @@ int cil_roletrans_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c rc = __cil_get_sepol_role_datum(pdb, DATUM(roletrans->result), &sepol_result); if (rc != SEPOL_OK) goto exit; - ebitmap_for_each_positive_bit(&role_bitmap, rnode, i) { + ebitmap_for_each_bit(&role_bitmap, rnode, i) { + if (!ebitmap_get_bit(&role_bitmap, i)) continue; + rc = __cil_get_sepol_role_datum(pdb, DATUM(db->val_to_role[i]), &sepol_src); if (rc != SEPOL_OK) goto exit; - ebitmap_for_each_positive_bit(&type_bitmap, tnode, j) { + ebitmap_for_each_bit(&type_bitmap, tnode, j) { + if (!ebitmap_get_bit(&type_bitmap, j)) continue; + rc = __cil_get_sepol_type_datum(pdb, DATUM(db->val_to_type[j]), &sepol_tgt); if (rc != SEPOL_OK) goto exit; @@ -2410,11 +2444,15 @@ int cil_roleallow_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c rc = __cil_expand_role(roleallow->tgt, &tgt_bitmap); if (rc != SEPOL_OK) goto exit; - ebitmap_for_each_positive_bit(&src_bitmap, node1, i) { + ebitmap_for_each_bit(&src_bitmap, node1, i) { + if (!ebitmap_get_bit(&src_bitmap, i)) continue; + rc = __cil_get_sepol_role_datum(pdb, DATUM(db->val_to_role[i]), &sepol_src); if (rc != SEPOL_OK) goto exit; - ebitmap_for_each_positive_bit(&tgt_bitmap, node2, j) { + ebitmap_for_each_bit(&tgt_bitmap, node2, j) { + if (!ebitmap_get_bit(&tgt_bitmap, j)) continue; + rc = __cil_get_sepol_role_datum(pdb, DATUM(db->val_to_role[j]), &sepol_tgt); if (rc != SEPOL_OK) goto exit; @@ -2449,7 +2487,11 @@ int __cil_constrain_expr_datum_to_sepol_expr(policydb_t *pdb, const struct cil_d rc = __cil_expand_user(item->data, &user_bitmap); if (rc != SEPOL_OK) goto exit; - ebitmap_for_each_positive_bit(&user_bitmap, unode, i) { + ebitmap_for_each_bit(&user_bitmap, unode, i) { + if (!ebitmap_get_bit(&user_bitmap, i)) { + continue; + } + rc = __cil_get_sepol_user_datum(pdb, DATUM(db->val_to_user[i]), &sepol_user); if (rc != SEPOL_OK) { ebitmap_destroy(&user_bitmap); @@ -2471,7 +2513,9 @@ int __cil_constrain_expr_datum_to_sepol_expr(policydb_t *pdb, const struct cil_d rc = __cil_expand_role(item->data, &role_bitmap); if (rc != SEPOL_OK) goto exit; - ebitmap_for_each_positive_bit(&role_bitmap, rnode, i) { + ebitmap_for_each_bit(&role_bitmap, rnode, i) { + if (!ebitmap_get_bit(&role_bitmap, i)) continue; + rc = __cil_get_sepol_role_datum(pdb, DATUM(db->val_to_role[i]), &sepol_role); if (rc != SEPOL_OK) { ebitmap_destroy(&role_bitmap); @@ -2513,7 +2557,9 @@ int __cil_constrain_expr_datum_to_sepol_expr(policydb_t *pdb, const struct cil_d rc = __cil_expand_type(item->data, &type_bitmap); if (rc != SEPOL_OK) goto exit; - ebitmap_for_each_positive_bit(&type_bitmap, tnode, i) { + ebitmap_for_each_bit(&type_bitmap, tnode, i) { + if (!ebitmap_get_bit(&type_bitmap, i)) continue; + rc = __cil_get_sepol_type_datum(pdb, DATUM(db->val_to_type[i]), &sepol_type); if (rc != SEPOL_OK) { ebitmap_destroy(&type_bitmap); @@ -3110,11 +3156,15 @@ int cil_rangetransition_to_policydb(policydb_t *pdb, const struct cil_db *db, st class_list = cil_expand_class(rangetrans->obj); - ebitmap_for_each_positive_bit(&src_bitmap, node1, i) { + ebitmap_for_each_bit(&src_bitmap, node1, i) { + if (!ebitmap_get_bit(&src_bitmap, i)) continue; + rc = __cil_get_sepol_type_datum(pdb, DATUM(db->val_to_type[i]), &sepol_src); if (rc != SEPOL_OK) goto exit; - ebitmap_for_each_positive_bit(&tgt_bitmap, node2, j) { + ebitmap_for_each_bit(&tgt_bitmap, node2, j) { + if (!ebitmap_get_bit(&tgt_bitmap, j)) continue; + rc = __cil_get_sepol_type_datum(pdb, DATUM(db->val_to_type[j]), &sepol_tgt); if (rc != SEPOL_OK) goto exit; @@ -4443,7 +4493,8 @@ static int __cil_add_sepol_type(policydb_t *pdb, const struct cil_db *db, struct ebitmap_node_t *tnode; unsigned int i; struct cil_typeattribute *attr = (struct cil_typeattribute *)datum; - ebitmap_for_each_positive_bit(attr->types, tnode, i) { + ebitmap_for_each_bit(attr->types, tnode, i) { + if (!ebitmap_get_bit(attr->types, i)) continue; datum = DATUM(db->val_to_type[i]); rc = __cil_get_sepol_type_datum(pdb, datum, &sepol_datum); if (rc != SEPOL_OK) goto exit; diff --git a/libsepol/cil/src/cil_policy.c b/libsepol/cil/src/cil_policy.c index 1adf22a3..5edab5e0 100644 --- a/libsepol/cil/src/cil_policy.c +++ b/libsepol/cil/src/cil_policy.c @@ -342,7 +342,9 @@ static size_t __cil_userattribute_len(struct cil_db *db, struct cil_userattribut unsigned int i; size_t len = 0; - ebitmap_for_each_positive_bit(attr->users, unode, i) { + ebitmap_for_each_bit(attr->users, unode, i) { + if (!ebitmap_get_bit(attr->users, i)) + continue; len += strlen(DATUM(db->val_to_user[i])->fqn); len++; } @@ -452,7 +454,9 @@ static char *__cil_userattribute_to_string(struct cil_db *db, struct cil_useratt char *str; size_t len; - ebitmap_for_each_positive_bit(attr->users, unode, i) { + ebitmap_for_each_bit(attr->users, unode, i) { + if (!ebitmap_get_bit(attr->users, i)) + continue; str = DATUM(db->val_to_user[i])->fqn; len = strlen(str); memcpy(new, str, len); @@ -1114,7 +1118,9 @@ static void cil_xperms_to_policy(FILE *out, struct cil_permissionx *permx) fprintf(out, "%s %s {", DATUM(permx->obj)->fqn, kind); - ebitmap_for_each_positive_bit(permx->perms, node, i) { + ebitmap_for_each_bit(permx->perms, node, i) { + if (!ebitmap_get_bit(permx->perms, i)) + continue; if (need_first == CIL_TRUE) { first = i; need_first = CIL_FALSE; diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c index 708b4320..0b09cecc 100644 --- a/libsepol/cil/src/cil_post.c +++ b/libsepol/cil/src/cil_post.c @@ -1654,9 +1654,13 @@ static int __cil_post_db_roletype_helper(struct cil_tree_node *node, uint32_t *f ebitmap_node_t *rnode; unsigned int i; - ebitmap_for_each_positive_bit(attr->roles, rnode, i) { + ebitmap_for_each_bit(attr->roles, rnode, i) { struct cil_role *role = NULL; + if (!ebitmap_get_bit(attr->roles, i)) { + continue; + } + role = db->val_to_role[i]; rc = __cil_role_assign_types(role, type_datum); @@ -1747,7 +1751,11 @@ static int __cil_post_db_userrole_helper(struct cil_tree_node *node, uint32_t *f if (user_node->flavor == CIL_USERATTRIBUTE) { u_attr = userrole->user; - ebitmap_for_each_positive_bit(u_attr->users, unode, i) { + ebitmap_for_each_bit(u_attr->users, unode, i) { + if (!ebitmap_get_bit(u_attr->users, i)) { + continue; + } + user = db->val_to_user[i]; rc = __cil_user_assign_roles(user, role_datum); diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c index 1a21cf4b..1036d73c 100644 --- a/libsepol/cil/src/cil_verify.c +++ b/libsepol/cil/src/cil_verify.c @@ -221,8 +221,8 @@ int cil_verify_constraint_leaf_expr_syntax(enum cil_flavor l_flavor, enum cil_fl cil_log(CIL_ERR, "l1, l2, h1, and h2 cannot be used on the left side with a string or list on the right side\n"); goto exit; } else if (l_flavor == CIL_CONS_U3 || l_flavor == CIL_CONS_R3 || l_flavor == CIL_CONS_T3) { - if (expr_flavor != CIL_VALIDATETRANS && expr_flavor != CIL_MLSVALIDATETRANS) { - cil_log(CIL_ERR, "u3, r3, and t3 can only be used with (mls)validatetrans rules\n"); + if (expr_flavor != CIL_MLSVALIDATETRANS) { + cil_log(CIL_ERR, "u3, r3, and t3 can only be used with mlsvalidatetrans rules\n"); goto exit; } } diff --git a/libsepol/include/sepol/policydb/ebitmap.h b/libsepol/include/sepol/policydb/ebitmap.h index e62df01c..94fb7efe 100644 --- a/libsepol/include/sepol/policydb/ebitmap.h +++ b/libsepol/include/sepol/policydb/ebitmap.h @@ -76,9 +76,6 @@ static inline int ebitmap_node_get_bit(ebitmap_node_t * n, unsigned int bit) #define ebitmap_for_each_bit(e, n, bit) \ for (bit = ebitmap_start(e, &n); bit < ebitmap_length(e); bit = ebitmap_next(&n, bit)) \ -#define ebitmap_for_each_positive_bit(e, n, bit) \ - ebitmap_for_each_bit(e, n, bit) if (ebitmap_node_get_bit(n, bit)) \ - extern int ebitmap_cmp(const ebitmap_t * e1, const ebitmap_t * e2); extern int ebitmap_or(ebitmap_t * dst, const ebitmap_t * e1, const ebitmap_t * e2); extern int ebitmap_union(ebitmap_t * dst, const ebitmap_t * e1); diff --git a/libsepol/src/assertion.c b/libsepol/src/assertion.c index 1181edc2..b08757bf 100644 --- a/libsepol/src/assertion.c +++ b/libsepol/src/assertion.c @@ -157,8 +157,12 @@ static int report_assertion_extended_permissions(sepol_handle_t *handle, memcpy(&tmp_key, k, sizeof(avtab_key_t)); tmp_key.specified = AVTAB_XPERMS_ALLOWED; - ebitmap_for_each_positive_bit(sattr, snode, i) { - ebitmap_for_each_positive_bit(tattr, tnode, j) { + ebitmap_for_each_bit(sattr, snode, i) { + if (!ebitmap_node_get_bit(snode, i)) + continue; + ebitmap_for_each_bit(tattr, tnode, j) { + if (!ebitmap_node_get_bit(tnode, j)) + continue; tmp_key.source_type = i + 1; tmp_key.target_type = j + 1; for (node = avtab_search_node(avtab, &tmp_key); @@ -266,8 +270,13 @@ static int report_assertion_avtab_matches(avtab_key_t *k, avtab_datum_t *d, void continue; } - ebitmap_for_each_positive_bit(&src_matches, snode, i) { - ebitmap_for_each_positive_bit(&tgt_matches, tnode, j) { + ebitmap_for_each_bit(&src_matches, snode, i) { + if (!ebitmap_node_get_bit(snode, i)) + continue; + ebitmap_for_each_bit(&tgt_matches, tnode, j) { + if (!ebitmap_node_get_bit(tnode, j)) + continue; + if (avrule->specified == AVRULE_XPERMS_NEVERALLOW) { a->errors += report_assertion_extended_permissions(handle,p, avrule, i, j, cp, perms, k, avtab); @@ -336,8 +345,12 @@ static int check_assertion_extended_permissions_avtab(avrule_t *avrule, avtab_t memcpy(&tmp_key, k, sizeof(avtab_key_t)); tmp_key.specified = AVTAB_XPERMS_ALLOWED; - ebitmap_for_each_positive_bit(sattr, snode, i) { - ebitmap_for_each_positive_bit(tattr, tnode, j) { + ebitmap_for_each_bit(sattr, snode, i) { + if (!ebitmap_node_get_bit(snode, i)) + continue; + ebitmap_for_each_bit(tattr, tnode, j) { + if (!ebitmap_node_get_bit(tnode, j)) + continue; tmp_key.source_type = i + 1; tmp_key.target_type = j + 1; for (node = avtab_search_node(avtab, &tmp_key); @@ -424,8 +437,13 @@ static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab for (cp = avrule->perms; cp; cp = cp->next) { if (cp->tclass != k->target_class) continue; - ebitmap_for_each_positive_bit(&src_matches, snode, i) { - ebitmap_for_each_positive_bit(&tgt_matches, tnode, j) { + ebitmap_for_each_bit(&src_matches, snode, i) { + if (!ebitmap_node_get_bit(snode, i)) + continue; + ebitmap_for_each_bit(&tgt_matches, tnode, j) { + if (!ebitmap_node_get_bit(tnode, j)) + continue; + ret = check_assertion_extended_permissions_avtab( avrule, avtab, i, j, k, p); if (ret) diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c index 796121cf..312d137b 100644 --- a/libsepol/src/expand.c +++ b/libsepol/src/expand.c @@ -62,7 +62,9 @@ static int map_ebitmap(ebitmap_t * src, ebitmap_t * dst, uint32_t * map) ebitmap_node_t *tnode; ebitmap_init(dst); - ebitmap_for_each_positive_bit(src, tnode, i) { + ebitmap_for_each_bit(src, tnode, i) { + if (!ebitmap_node_get_bit(tnode, i)) + continue; if (!map[i]) continue; if (ebitmap_set_bit(dst, map[i] - 1, 1)) @@ -769,23 +771,25 @@ static int role_fix_callback(hashtab_key_t key, hashtab_datum_t datum, } ebitmap_destroy(&mapped_roles); - ebitmap_for_each_positive_bit(&role->roles, rnode, i) { - /* take advantage of sym_val_to_name[] - * of the base module */ - base_reg_role_id = state->base->p_role_val_to_name[i]; - regular_role = (role_datum_t *)hashtab_search( - state->out->p_roles.table, - base_reg_role_id); - assert(regular_role != NULL && - regular_role->flavor == ROLE_ROLE); - - if (ebitmap_union(®ular_role->types.types, - &new_role->types.types)) { - ERR(state->handle, "Out of memory!"); - return -1; + ebitmap_for_each_bit(&role->roles, rnode, i) { + if (ebitmap_node_get_bit(rnode, i)) { + /* take advantage of sym_val_to_name[] + * of the base module */ + base_reg_role_id = state->base->p_role_val_to_name[i]; + regular_role = (role_datum_t *)hashtab_search( + state->out->p_roles.table, + base_reg_role_id); + assert(regular_role != NULL && + regular_role->flavor == ROLE_ROLE); + + if (ebitmap_union(®ular_role->types.types, + &new_role->types.types)) { + ERR(state->handle, "Out of memory!"); + return -1; + } } } - + return 0; } @@ -1240,8 +1244,12 @@ static int copy_role_allows(expand_state_t * state, role_allow_rule_t * rules) return -1; } - ebitmap_for_each_positive_bit(&roles, snode, i) { - ebitmap_for_each_positive_bit(&new_roles, tnode, j) { + ebitmap_for_each_bit(&roles, snode, i) { + if (!ebitmap_node_get_bit(snode, i)) + continue; + ebitmap_for_each_bit(&new_roles, tnode, j) { + if (!ebitmap_node_get_bit(tnode, j)) + continue; /* check for duplicates */ cur_allow = state->out->role_allow; while (cur_allow) { @@ -1304,9 +1312,16 @@ static int copy_role_trans(expand_state_t * state, role_trans_rule_t * rules) ERR(state->handle, "Out of memory!"); return -1; } - ebitmap_for_each_positive_bit(&roles, rnode, i) { - ebitmap_for_each_positive_bit(&types, tnode, j) { - ebitmap_for_each_positive_bit(&cur->classes, cnode, k) { + ebitmap_for_each_bit(&roles, rnode, i) { + if (!ebitmap_node_get_bit(rnode, i)) + continue; + ebitmap_for_each_bit(&types, tnode, j) { + if (!ebitmap_node_get_bit(tnode, j)) + continue; + ebitmap_for_each_bit(&cur->classes, cnode, k) { + if (!ebitmap_node_get_bit(cnode, k)) + continue; + cur_trans = state->out->role_tr; while (cur_trans) { unsigned int mapped_role; @@ -1399,8 +1414,13 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r mapped_otype = state->typemap[cur_rule->otype - 1]; - ebitmap_for_each_positive_bit(&stypes, snode, i) { - ebitmap_for_each_positive_bit(&ttypes, tnode, j) { + ebitmap_for_each_bit(&stypes, snode, i) { + if (!ebitmap_node_get_bit(snode, i)) + continue; + ebitmap_for_each_bit(&ttypes, tnode, j) { + if (!ebitmap_node_get_bit(tnode, j)) + continue; + key.stype = i + 1; key.ttype = j + 1; key.tclass = cur_rule->tclass; @@ -1565,11 +1585,18 @@ static int expand_range_trans(expand_state_t * state, } /* loop on source type */ - ebitmap_for_each_positive_bit(&stypes, snode, i) { + ebitmap_for_each_bit(&stypes, snode, i) { + if (!ebitmap_node_get_bit(snode, i)) + continue; /* loop on target type */ - ebitmap_for_each_positive_bit(&ttypes, tnode, j) { + ebitmap_for_each_bit(&ttypes, tnode, j) { + if (!ebitmap_node_get_bit(tnode, j)) + continue; /* loop on target class */ - ebitmap_for_each_positive_bit(&rule->tclasses, cnode, k) { + ebitmap_for_each_bit(&rule->tclasses, cnode, k) { + if (!ebitmap_node_get_bit(cnode, k)) + continue; + if (exp_rangetr_helper(i + 1, j + 1, k + 1, @@ -1885,7 +1912,9 @@ static int expand_rule_helper(sepol_handle_t * handle, int retval; ebitmap_node_t *snode, *tnode; - ebitmap_for_each_positive_bit(stypes, snode, i) { + ebitmap_for_each_bit(stypes, snode, i) { + if (!ebitmap_node_get_bit(snode, i)) + continue; if (source_rule->flags & RULE_SELF) { if (source_rule->specified & (AVRULE_AV | AVRULE_XPERMS)) { retval = expand_avrule_helper(handle, source_rule->specified, @@ -1902,7 +1931,9 @@ static int expand_rule_helper(sepol_handle_t * handle, return retval; } } - ebitmap_for_each_positive_bit(ttypes, tnode, j) { + ebitmap_for_each_bit(ttypes, tnode, j) { + if (!ebitmap_node_get_bit(tnode, j)) + continue; if (source_rule->specified & (AVRULE_AV | AVRULE_XPERMS)) { retval = expand_avrule_helper(handle, source_rule->specified, cond, i, j, source_rule->perms, @@ -2331,7 +2362,9 @@ static int type_attr_map(hashtab_key_t key if (ebitmap_cpy(&p->attr_type_map[value - 1], &type->types)) { goto oom; } - ebitmap_for_each_positive_bit(&type->types, tnode, i) { + ebitmap_for_each_bit(&type->types, tnode, i) { + if (!ebitmap_node_get_bit(tnode, i)) + continue; if (ebitmap_set_bit(&p->type_attr_map[i], value - 1, 1)) { goto oom; } @@ -2442,18 +2475,20 @@ int role_set_expand(role_set_t * x, ebitmap_t * r, policydb_t * out, policydb_t if (rolemap) { assert(base != NULL); - ebitmap_for_each_positive_bit(&x->roles, rnode, i) { - /* take advantage of p_role_val_to_struct[] - * of the base module */ - role = base->role_val_to_struct[i]; - assert(role != NULL); - if (role->flavor == ROLE_ATTRIB) { - if (ebitmap_union(&roles, - &role->roles)) - goto bad; - } else { - if (ebitmap_set_bit(&roles, i, 1)) - goto bad; + ebitmap_for_each_bit(&x->roles, rnode, i) { + if (ebitmap_node_get_bit(rnode, i)) { + /* take advantage of p_role_val_to_struct[] + * of the base module */ + role = base->role_val_to_struct[i]; + assert(role != NULL); + if (role->flavor == ROLE_ATTRIB) { + if (ebitmap_union(&roles, + &role->roles)) + goto bad; + } else { + if (ebitmap_set_bit(&roles, i, 1)) + goto bad; + } } } if (map_ebitmap(&roles, &mapped_roles, rolemap)) @@ -2463,9 +2498,11 @@ int role_set_expand(role_set_t * x, ebitmap_t * r, policydb_t * out, policydb_t goto bad; } - ebitmap_for_each_positive_bit(&mapped_roles, rnode, i) { - if (ebitmap_set_bit(r, i, 1)) - goto bad; + ebitmap_for_each_bit(&mapped_roles, rnode, i) { + if (ebitmap_node_get_bit(rnode, i)) { + if (ebitmap_set_bit(r, i, 1)) + goto bad; + } } ebitmap_destroy(&mapped_roles); @@ -2512,7 +2549,10 @@ int type_set_expand(type_set_t * set, ebitmap_t * t, policydb_t * p, ebitmap_init(t); /* First go through the types and OR all the attributes to types */ - ebitmap_for_each_positive_bit(&set->types, tnode, i) { + ebitmap_for_each_bit(&set->types, tnode, i) { + if (!ebitmap_node_get_bit(tnode, i)) + continue; + /* * invalid policies might have more types set in the ebitmap than * what's available in the type_val_to_struct mapping @@ -2540,17 +2580,19 @@ int type_set_expand(type_set_t * set, ebitmap_t * t, policydb_t * p, /* Now do the same thing for negset */ ebitmap_init(&neg_types); - ebitmap_for_each_positive_bit(&set->negset, tnode, i) { - if (p->type_val_to_struct[i] && - p->type_val_to_struct[i]->flavor == TYPE_ATTRIB) { - if (ebitmap_union - (&neg_types, - &p->type_val_to_struct[i]->types)) { - goto err_neg; - } - } else { - if (ebitmap_set_bit(&neg_types, i, 1)) { - goto err_neg; + ebitmap_for_each_bit(&set->negset, tnode, i) { + if (ebitmap_node_get_bit(tnode, i)) { + if (p->type_val_to_struct[i] && + p->type_val_to_struct[i]->flavor == TYPE_ATTRIB) { + if (ebitmap_union + (&neg_types, + &p->type_val_to_struct[i]->types)) { + goto err_neg; + } + } else { + if (ebitmap_set_bit(&neg_types, i, 1)) { + goto err_neg; + } } } } @@ -2569,8 +2611,9 @@ int type_set_expand(type_set_t * set, ebitmap_t * t, policydb_t * p, goto out; } - ebitmap_for_each_positive_bit(&types, tnode, i) { - if (!ebitmap_get_bit(&neg_types, i)) + ebitmap_for_each_bit(&types, tnode, i) { + if (ebitmap_node_get_bit(tnode, i) + && (!ebitmap_get_bit(&neg_types, i))) if (ebitmap_set_bit(t, i, 1)) goto err_neg; } @@ -3273,7 +3316,9 @@ static int expand_avtab_node(avtab_key_t * k, avtab_datum_t * d, void *args) if (stype && stype->flavor != TYPE_ATTRIB) { /* Source is an individual type, target is an attribute. */ newkey.source_type = k->source_type; - ebitmap_for_each_positive_bit(tattr, tnode, j) { + ebitmap_for_each_bit(tattr, tnode, j) { + if (!ebitmap_node_get_bit(tnode, j)) + continue; newkey.target_type = j + 1; rc = expand_avtab_insert(expa, &newkey, d); if (rc) @@ -3285,7 +3330,9 @@ static int expand_avtab_node(avtab_key_t * k, avtab_datum_t * d, void *args) if (ttype && ttype->flavor != TYPE_ATTRIB) { /* Target is an individual type, source is an attribute. */ newkey.target_type = k->target_type; - ebitmap_for_each_positive_bit(sattr, snode, i) { + ebitmap_for_each_bit(sattr, snode, i) { + if (!ebitmap_node_get_bit(snode, i)) + continue; newkey.source_type = i + 1; rc = expand_avtab_insert(expa, &newkey, d); if (rc) @@ -3295,8 +3342,12 @@ static int expand_avtab_node(avtab_key_t * k, avtab_datum_t * d, void *args) } /* Both source and target type are attributes. */ - ebitmap_for_each_positive_bit(sattr, snode, i) { - ebitmap_for_each_positive_bit(tattr, tnode, j) { + ebitmap_for_each_bit(sattr, snode, i) { + if (!ebitmap_node_get_bit(snode, i)) + continue; + ebitmap_for_each_bit(tattr, tnode, j) { + if (!ebitmap_node_get_bit(tnode, j)) + continue; newkey.source_type = i + 1; newkey.target_type = j + 1; rc = expand_avtab_insert(expa, &newkey, d); @@ -3395,7 +3446,9 @@ int expand_cond_av_node(policydb_t * p, if (stype && stype->flavor != TYPE_ATTRIB) { /* Source is an individual type, target is an attribute. */ newkey.source_type = k->source_type; - ebitmap_for_each_positive_bit(tattr, tnode, j) { + ebitmap_for_each_bit(tattr, tnode, j) { + if (!ebitmap_node_get_bit(tnode, j)) + continue; newkey.target_type = j + 1; rc = expand_cond_insert(newl, expa, &newkey, d); if (rc) @@ -3407,7 +3460,9 @@ int expand_cond_av_node(policydb_t * p, if (ttype && ttype->flavor != TYPE_ATTRIB) { /* Target is an individual type, source is an attribute. */ newkey.target_type = k->target_type; - ebitmap_for_each_positive_bit(sattr, snode, i) { + ebitmap_for_each_bit(sattr, snode, i) { + if (!ebitmap_node_get_bit(snode, i)) + continue; newkey.source_type = i + 1; rc = expand_cond_insert(newl, expa, &newkey, d); if (rc) @@ -3417,8 +3472,12 @@ int expand_cond_av_node(policydb_t * p, } /* Both source and target type are attributes. */ - ebitmap_for_each_positive_bit(sattr, snode, i) { - ebitmap_for_each_positive_bit(tattr, tnode, j) { + ebitmap_for_each_bit(sattr, snode, i) { + if (!ebitmap_node_get_bit(snode, i)) + continue; + ebitmap_for_each_bit(tattr, tnode, j) { + if (!ebitmap_node_get_bit(tnode, j)) + continue; newkey.source_type = i + 1; newkey.target_type = j + 1; rc = expand_cond_insert(newl, expa, &newkey, d); diff --git a/libsepol/src/genusers.c b/libsepol/src/genusers.c index c375c669..9bea83fd 100644 --- a/libsepol/src/genusers.c +++ b/libsepol/src/genusers.c @@ -169,14 +169,15 @@ static int load_users(struct policydb *policydb, const char *path) continue; } /* Set the role and every role it dominates */ - ebitmap_for_each_positive_bit(&roldatum->dominates, rnode, bit) { - if (ebitmap_set_bit - (&usrdatum->roles.roles, bit, 1)) { - ERR(NULL, "out of memory"); - free(buffer); - fclose(fp); - return -1; - } + ebitmap_for_each_bit(&roldatum->dominates, rnode, bit) { + if (ebitmap_node_get_bit(rnode, bit)) + if (ebitmap_set_bit + (&usrdatum->roles.roles, bit, 1)) { + ERR(NULL, "out of memory"); + free(buffer); + fclose(fp); + return -1; + } } } while (islist); if (oldc == 0) diff --git a/libsepol/src/hierarchy.c b/libsepol/src/hierarchy.c index 8919daa7..778541a2 100644 --- a/libsepol/src/hierarchy.c +++ b/libsepol/src/hierarchy.c @@ -111,7 +111,9 @@ static int bounds_expand_rule(sepol_handle_t *handle, policydb_t *p, if (ebitmap_get_bit(&p->attr_type_map[src - 1], parent - 1)) { avtab_key.source_type = parent; - ebitmap_for_each_positive_bit(&p->attr_type_map[tgt - 1], tnode, i) { + ebitmap_for_each_bit(&p->attr_type_map[tgt - 1], tnode, i) { + if (!ebitmap_node_get_bit(tnode, i)) + continue; avtab_key.target_type = i + 1; rc = bounds_insert_rule(handle, avtab, global, other, &avtab_key, &datum); @@ -296,7 +298,9 @@ static int bounds_check_rule(sepol_handle_t *handle, policydb_t *p, if (ebitmap_get_bit(&p->attr_type_map[src - 1], child - 1)) { avtab_key.source_type = parent; - ebitmap_for_each_positive_bit(&p->attr_type_map[tgt - 1], tnode, i) { + ebitmap_for_each_bit(&p->attr_type_map[tgt - 1], tnode, i) { + if (!ebitmap_node_get_bit(tnode, i)) + continue; td = p->type_val_to_struct[i]; if (td && td->bounds) { avtab_key.target_type = td->bounds; diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c index 320af37b..48b571a5 100644 --- a/libsepol/src/kernel_to_cil.c +++ b/libsepol/src/kernel_to_cil.c @@ -993,7 +993,10 @@ static size_t cats_ebitmap_len(struct ebitmap *cats, char **val_to_name) size_t len = 0; range = 0; - ebitmap_for_each_positive_bit(cats, node, i) { + ebitmap_for_each_bit(cats, node, i) { + if (!ebitmap_get_bit(cats, i)) + continue; + if (range == 0) start = i; @@ -1041,7 +1044,10 @@ static char *cats_ebitmap_to_str(struct ebitmap *cats, char **val_to_name) remaining--;; range = 0; - ebitmap_for_each_positive_bit(cats, node, i) { + ebitmap_for_each_bit(cats, node, i) { + if (!ebitmap_get_bit(cats, i)) + continue; + if (range == 0) start = i; @@ -1158,7 +1164,9 @@ static int write_polcap_rules_to_cil(FILE *out, struct policydb *pdb) goto exit; } - ebitmap_for_each_positive_bit(&pdb->policycaps, node, i) { + ebitmap_for_each_bit(&pdb->policycaps, node, i) { + if (!ebitmap_get_bit(&pdb->policycaps, i)) continue; + name = sepol_polcap_getname(i); if (name == NULL) { sepol_log_err("Unknown policy capability id: %i", i); @@ -1537,7 +1545,8 @@ static int write_type_permissive_rules_to_cil(FILE *out, struct policydb *pdb) goto exit; } - ebitmap_for_each_positive_bit(&pdb->permissive_map, node, i) { + ebitmap_for_each_bit(&pdb->permissive_map, node, i) { + if (!ebitmap_get_bit(&pdb->permissive_map, i)) continue; rc = strs_add(strs, pdb->p_type_val_to_name[i-1]); if (rc != 0) { goto exit; diff --git a/libsepol/src/kernel_to_common.c b/libsepol/src/kernel_to_common.c index 7b53c92f..891e139c 100644 --- a/libsepol/src/kernel_to_common.c +++ b/libsepol/src/kernel_to_common.c @@ -360,7 +360,9 @@ int ebitmap_to_strs(struct ebitmap *map, struct strs *strs, char **val_to_name) uint32_t i; int rc; - ebitmap_for_each_positive_bit(map, node, i) { + ebitmap_for_each_bit(map, node, i) { + if (!ebitmap_get_bit(map, i)) continue; + rc = strs_add(strs, val_to_name[i]); if (rc != 0) { return -1; diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c index 4f84ee8b..afadca6b 100644 --- a/libsepol/src/kernel_to_conf.c +++ b/libsepol/src/kernel_to_conf.c @@ -978,7 +978,10 @@ static size_t cats_ebitmap_len(struct ebitmap *cats, char **val_to_name) size_t len = 0; range = 0; - ebitmap_for_each_positive_bit(cats, node, i) { + ebitmap_for_each_bit(cats, node, i) { + if (!ebitmap_get_bit(cats, i)) + continue; + if (range == 0) start = i; @@ -1017,7 +1020,10 @@ static char *cats_ebitmap_to_str(struct ebitmap *cats, char **val_to_name) first = 1; range = 0; - ebitmap_for_each_positive_bit(cats, node, i) { + ebitmap_for_each_bit(cats, node, i) { + if (!ebitmap_get_bit(cats, i)) + continue; + if (range == 0) start = i; @@ -1132,7 +1138,9 @@ static int write_polcap_rules_to_conf(FILE *out, struct policydb *pdb) goto exit; } - ebitmap_for_each_positive_bit(&pdb->policycaps, node, i) { + ebitmap_for_each_bit(&pdb->policycaps, node, i) { + if (!ebitmap_get_bit(&pdb->policycaps, i)) continue; + name = sepol_polcap_getname(i); if (name == NULL) { sepol_log_err("Unknown policy capability id: %i", i); @@ -1582,7 +1590,8 @@ static int write_type_permissive_rules_to_conf(FILE *out, struct policydb *pdb) goto exit; } - ebitmap_for_each_positive_bit(&pdb->permissive_map, node, i) { + ebitmap_for_each_bit(&pdb->permissive_map, node, i) { + if (!ebitmap_get_bit(&pdb->permissive_map, i)) continue; rc = strs_add(strs, pdb->p_type_val_to_name[i-1]); if (rc != 0) { goto exit; diff --git a/libsepol/src/link.c b/libsepol/src/link.c index 0ded480d..3f1d610b 100644 --- a/libsepol/src/link.c +++ b/libsepol/src/link.c @@ -962,18 +962,22 @@ static int type_set_convert(type_set_t * types, type_set_t * dst, { unsigned int i; ebitmap_node_t *tnode; - ebitmap_for_each_positive_bit(&types->types, tnode, i) { - assert(mod->map[SYM_TYPES][i]); - if (ebitmap_set_bit - (&dst->types, mod->map[SYM_TYPES][i] - 1, 1)) { - goto cleanup; + ebitmap_for_each_bit(&types->types, tnode, i) { + if (ebitmap_node_get_bit(tnode, i)) { + assert(mod->map[SYM_TYPES][i]); + if (ebitmap_set_bit + (&dst->types, mod->map[SYM_TYPES][i] - 1, 1)) { + goto cleanup; + } } } - ebitmap_for_each_positive_bit(&types->negset, tnode, i) { - assert(mod->map[SYM_TYPES][i]); - if (ebitmap_set_bit - (&dst->negset, mod->map[SYM_TYPES][i] - 1, 1)) { - goto cleanup; + ebitmap_for_each_bit(&types->negset, tnode, i) { + if (ebitmap_node_get_bit(tnode, i)) { + assert(mod->map[SYM_TYPES][i]); + if (ebitmap_set_bit + (&dst->negset, mod->map[SYM_TYPES][i] - 1, 1)) { + goto cleanup; + } } } dst->flags = types->flags; @@ -1015,11 +1019,13 @@ static int role_set_or_convert(role_set_t * roles, role_set_t * dst, ebitmap_node_t *rnode; ebitmap_init(&tmp); - ebitmap_for_each_positive_bit(&roles->roles, rnode, i) { - assert(mod->map[SYM_ROLES][i]); - if (ebitmap_set_bit - (&tmp, mod->map[SYM_ROLES][i] - 1, 1)) { - goto cleanup; + ebitmap_for_each_bit(&roles->roles, rnode, i) { + if (ebitmap_node_get_bit(rnode, i)) { + assert(mod->map[SYM_ROLES][i]); + if (ebitmap_set_bit + (&tmp, mod->map[SYM_ROLES][i] - 1, 1)) { + goto cleanup; + } } } if (ebitmap_union(&dst->roles, &tmp)) { @@ -1109,11 +1115,13 @@ static int role_fix_callback(hashtab_key_t key, hashtab_datum_t datum, } ebitmap_init(&e_tmp); - ebitmap_for_each_positive_bit(&role->dominates, rnode, i) { - assert(mod->map[SYM_ROLES][i]); - if (ebitmap_set_bit - (&e_tmp, mod->map[SYM_ROLES][i] - 1, 1)) { - goto cleanup; + ebitmap_for_each_bit(&role->dominates, rnode, i) { + if (ebitmap_node_get_bit(rnode, i)) { + assert(mod->map[SYM_ROLES][i]); + if (ebitmap_set_bit + (&e_tmp, mod->map[SYM_ROLES][i] - 1, 1)) { + goto cleanup; + } } } if (ebitmap_union(&dest_role->dominates, &e_tmp)) { @@ -1126,11 +1134,13 @@ static int role_fix_callback(hashtab_key_t key, hashtab_datum_t datum, if (role->flavor == ROLE_ATTRIB) { ebitmap_init(&e_tmp); - ebitmap_for_each_positive_bit(&role->roles, rnode, i) { - assert(mod->map[SYM_ROLES][i]); - if (ebitmap_set_bit - (&e_tmp, mod->map[SYM_ROLES][i] - 1, 1)) { - goto cleanup; + ebitmap_for_each_bit(&role->roles, rnode, i) { + if (ebitmap_node_get_bit(rnode, i)) { + assert(mod->map[SYM_ROLES][i]); + if (ebitmap_set_bit + (&e_tmp, mod->map[SYM_ROLES][i] - 1, 1)) { + goto cleanup; + } } } if (ebitmap_union(&dest_role->roles, &e_tmp)) { @@ -1179,11 +1189,13 @@ static int type_fix_callback(hashtab_key_t key, hashtab_datum_t datum, } ebitmap_init(&e_tmp); - ebitmap_for_each_positive_bit(&type->types, tnode, i) { - assert(mod->map[SYM_TYPES][i]); - if (ebitmap_set_bit - (&e_tmp, mod->map[SYM_TYPES][i] - 1, 1)) { - goto cleanup; + ebitmap_for_each_bit(&type->types, tnode, i) { + if (ebitmap_node_get_bit(tnode, i)) { + assert(mod->map[SYM_TYPES][i]); + if (ebitmap_set_bit + (&e_tmp, mod->map[SYM_TYPES][i] - 1, 1)) { + goto cleanup; + } } } if (ebitmap_union(&new_type->types, &e_tmp)) { @@ -1376,13 +1388,15 @@ static int copy_role_trans_list(role_trans_rule_t * list, goto cleanup; } - ebitmap_for_each_positive_bit(&cur->classes, cnode, i) { - assert(module->map[SYM_CLASSES][i]); - if (ebitmap_set_bit(&new_rule->classes, - module-> - map[SYM_CLASSES][i] - 1, - 1)) { - goto cleanup; + ebitmap_for_each_bit(&cur->classes, cnode, i) { + if (ebitmap_node_get_bit(cnode, i)) { + assert(module->map[SYM_CLASSES][i]); + if (ebitmap_set_bit(&new_rule->classes, + module-> + map[SYM_CLASSES][i] - 1, + 1)) { + goto cleanup; + } } } @@ -1516,12 +1530,14 @@ static int copy_range_trans_list(range_trans_rule_t * rules, mod, state)) goto cleanup; - ebitmap_for_each_positive_bit(&rule->tclasses, cnode, i) { - assert(mod->map[SYM_CLASSES][i]); - if (ebitmap_set_bit - (&new_rule->tclasses, - mod->map[SYM_CLASSES][i] - 1, 1)) { - goto cleanup; + ebitmap_for_each_bit(&rule->tclasses, cnode, i) { + if (ebitmap_node_get_bit(cnode, i)) { + assert(mod->map[SYM_CLASSES][i]); + if (ebitmap_set_bit + (&new_rule->tclasses, + mod->map[SYM_CLASSES][i] - 1, 1)) { + goto cleanup; + } } } @@ -1662,18 +1678,20 @@ static int copy_scope_index(scope_index_t * src, scope_index_t * dest, if (copy_callback_f[i] == NULL) { continue; } - ebitmap_for_each_positive_bit(srcmap, node, j) { - assert(module->map[i][j] != 0); - if (ebitmap_set_bit - (destmap, module->map[i][j] - 1, 1) != 0) { + ebitmap_for_each_bit(srcmap, node, j) { + if (ebitmap_node_get_bit(node, j)) { + assert(module->map[i][j] != 0); + if (ebitmap_set_bit + (destmap, module->map[i][j] - 1, 1) != 0) { - goto cleanup; - } - if (i == SYM_CLASSES && - largest_mapped_class_value < - module->map[SYM_CLASSES][j]) { - largest_mapped_class_value = - module->map[SYM_CLASSES][j]; + goto cleanup; + } + if (i == SYM_CLASSES && + largest_mapped_class_value < + module->map[SYM_CLASSES][j]) { + largest_mapped_class_value = + module->map[SYM_CLASSES][j]; + } } } } @@ -1692,8 +1710,9 @@ static int copy_scope_index(scope_index_t * src, scope_index_t * dest, ebitmap_t *srcmap = src->class_perms_map + i; ebitmap_t *destmap = dest->class_perms_map + module->map[SYM_CLASSES][i] - 1; - ebitmap_for_each_positive_bit(srcmap, node, j) { - if (ebitmap_set_bit(destmap, module->perm_map[i][j] - 1, + ebitmap_for_each_bit(srcmap, node, j) { + if (ebitmap_node_get_bit(node, j) && + ebitmap_set_bit(destmap, module->perm_map[i][j] - 1, 1)) { goto cleanup; } @@ -1993,7 +2012,11 @@ static int is_decl_requires_met(link_state_t * state, continue; } bitmap = &decl->required.scope[i]; - ebitmap_for_each_positive_bit(bitmap, node, j) { + ebitmap_for_each_bit(bitmap, node, j) { + if (!ebitmap_node_get_bit(node, j)) { + continue; + } + /* check base's scope table */ id = pol->sym_val_to_name[i][j]; if (!is_id_enabled(id, state->base, i)) { @@ -2010,13 +2033,16 @@ static int is_decl_requires_met(link_state_t * state, for (i = 0; i < decl->required.class_perms_len; i++) { bitmap = decl->required.class_perms_map + i; - ebitmap_for_each_positive_bit(bitmap, node, j) { + ebitmap_for_each_bit(bitmap, node, j) { struct find_perm_arg fparg; class_datum_t *cladatum; uint32_t perm_value = j + 1; int rc; scope_datum_t *scope; + if (!ebitmap_node_get_bit(node, j)) { + continue; + } id = pol->p_class_val_to_name[i]; cladatum = pol->class_val_to_struct[i]; @@ -2413,30 +2439,32 @@ static int expand_role_attributes(hashtab_key_t key, hashtab_datum_t datum, INFO(state->handle, "expanding role attribute %s", id); restart: - ebitmap_for_each_positive_bit(&role->roles, rnode, i) { - sub_attr = state->base->role_val_to_struct[i]; - if (sub_attr->flavor != ROLE_ATTRIB) - continue; - - /* remove the sub role attribute from the parent - * role attribute's roles ebitmap */ - if (ebitmap_set_bit(&role->roles, i, 0)) - return -1; + ebitmap_for_each_bit(&role->roles, rnode, i) { + if (ebitmap_node_get_bit(rnode, i)) { + sub_attr = state->base->role_val_to_struct[i]; + if (sub_attr->flavor != ROLE_ATTRIB) + continue; + + /* remove the sub role attribute from the parent + * role attribute's roles ebitmap */ + if (ebitmap_set_bit(&role->roles, i, 0)) + return -1; - /* loop dependency of role attributes */ - if (sub_attr->s.value == role->s.value) - continue; + /* loop dependency of role attributes */ + if (sub_attr->s.value == role->s.value) + continue; - /* now go on to expand a sub role attribute - * by escalating its roles ebitmap */ - if (ebitmap_union(&role->roles, &sub_attr->roles)) { - ERR(state->handle, "Out of memory!"); - return -1; + /* now go on to expand a sub role attribute + * by escalating its roles ebitmap */ + if (ebitmap_union(&role->roles, &sub_attr->roles)) { + ERR(state->handle, "Out of memory!"); + return -1; + } + + /* sub_attr->roles may contain other role attributes, + * re-scan the parent role attribute's roles ebitmap */ + goto restart; } - - /* sub_attr->roles may contain other role attributes, - * re-scan the parent role attribute's roles ebitmap */ - goto restart; } return 0; diff --git a/libsepol/src/mls.c b/libsepol/src/mls.c index 63ad1bcb..bf1fdbd5 100644 --- a/libsepol/src/mls.c +++ b/libsepol/src/mls.c @@ -289,15 +289,17 @@ int mls_context_isvalid(const policydb_t * p, const context_struct_t * c) if (!levdatum) return 0; - ebitmap_for_each_positive_bit(&c->range.level[l].cat, cnode, i) { - if (i > p->p_cats.nprim) - return 0; - if (!ebitmap_get_bit(&levdatum->level->cat, i)) - /* - * Category may not be associated with - * sensitivity in low level. - */ - return 0; + ebitmap_for_each_bit(&c->range.level[l].cat, cnode, i) { + if (ebitmap_node_get_bit(cnode, i)) { + if (i > p->p_cats.nprim) + return 0; + if (!ebitmap_get_bit(&levdatum->level->cat, i)) + /* + * Category may not be associated with + * sensitivity in low level. + */ + return 0; + } } } @@ -577,21 +579,23 @@ int mls_convert_context(policydb_t * oldp, c->range.level[l].sens = levdatum->level->sens; ebitmap_init(&bitmap); - ebitmap_for_each_positive_bit(&c->range.level[l].cat, cnode, i) { - int rc; + ebitmap_for_each_bit(&c->range.level[l].cat, cnode, i) { + if (ebitmap_node_get_bit(cnode, i)) { + int rc; - catdatum = - (cat_datum_t *) hashtab_search(newp->p_cats. - table, - oldp-> - p_cat_val_to_name - [i]); - if (!catdatum) - return -EINVAL; - rc = ebitmap_set_bit(&bitmap, - catdatum->s.value - 1, 1); - if (rc) - return rc; + catdatum = + (cat_datum_t *) hashtab_search(newp->p_cats. + table, + oldp-> + p_cat_val_to_name + [i]); + if (!catdatum) + return -EINVAL; + rc = ebitmap_set_bit(&bitmap, + catdatum->s.value - 1, 1); + if (rc) + return rc; + } } ebitmap_destroy(&c->range.level[l].cat); c->range.level[l].cat = bitmap; diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c index da62c8aa..f04589ed 100644 --- a/libsepol/src/module_to_cil.c +++ b/libsepol/src/module_to_cil.c @@ -732,7 +732,10 @@ static int ebitmap_to_cil(struct policydb *pdb, struct ebitmap *map, int type) uint32_t i; char **val_to_name = pdb->sym_val_to_name[type]; - ebitmap_for_each_positive_bit(map, node, i) { + ebitmap_for_each_bit(map, node, i) { + if (!ebitmap_get_bit(map, i)) { + continue; + } cil_printf("%s ", val_to_name[i]); } @@ -859,7 +862,10 @@ static int cil_print_attr_strs(int indent, struct policydb *pdb, int is_type, vo if (has_positive) { cil_printf("("); - ebitmap_for_each_positive_bit(pos, node, i) { + ebitmap_for_each_bit(pos, node, i) { + if (!ebitmap_get_bit(pos, i)) { + continue; + } cil_printf("%s ", val_to_name[i]); } cil_printf(") "); @@ -868,7 +874,10 @@ static int cil_print_attr_strs(int indent, struct policydb *pdb, int is_type, vo if (has_negative) { cil_printf("(not ("); - ebitmap_for_each_positive_bit(neg, node, i) { + ebitmap_for_each_bit(neg, node, i) { + if (!ebitmap_get_bit(neg, i)) { + continue; + } cil_printf("%s ", val_to_name[i]); } @@ -990,13 +999,15 @@ static int ebitmap_to_names(struct ebitmap *map, char **vals_to_names, char ***n char **name_arr; num = 0; - ebitmap_for_each_positive_bit(map, node, i) { - if (num >= UINT32_MAX / sizeof(*name_arr)) { - log_err("Overflow"); - rc = -1; - goto exit; + ebitmap_for_each_bit(map, node, i) { + if (ebitmap_get_bit(map, i)) { + if (num >= UINT32_MAX / sizeof(*name_arr)) { + log_err("Overflow"); + rc = -1; + goto exit; + } + num++; } - num++; } if (!num) { @@ -1013,9 +1024,11 @@ static int ebitmap_to_names(struct ebitmap *map, char **vals_to_names, char ***n } num = 0; - ebitmap_for_each_positive_bit(map, node, i) { - name_arr[num] = vals_to_names[i]; - num++; + ebitmap_for_each_bit(map, node, i) { + if (ebitmap_get_bit(map, i)) { + name_arr[num] = vals_to_names[i]; + num++; + } } *names = name_arr; @@ -1456,7 +1469,10 @@ static int role_trans_to_cil(int indent, struct policydb *pdb, struct role_trans for (role = 0; role < num_role_names; role++) { for (type = 0; type < num_type_names; type++) { - ebitmap_for_each_positive_bit(&rule->classes, node, i) { + ebitmap_for_each_bit(&rule->classes, node, i) { + if (!ebitmap_get_bit(&rule->classes, i)) { + continue; + } cil_println(indent, "(roletransition %s %s %s %s)", role_names[role], type_names[type], pdb->p_class_val_to_name[i], @@ -1552,7 +1568,11 @@ static int range_trans_to_cil(int indent, struct policydb *pdb, struct range_tra for (stype = 0; stype < num_stypes; stype++) { for (ttype = 0; ttype < num_ttypes; ttype++) { - ebitmap_for_each_positive_bit(&rule->tclasses, node, i) { + ebitmap_for_each_bit(&rule->tclasses, node, i) { + if (!ebitmap_get_bit(&rule->tclasses, i)) { + continue; + } + cil_indent(indent); cil_printf("(rangetransition %s %s %s ", stypes[stype], ttypes[ttype], pdb->p_class_val_to_name[i]); @@ -2074,7 +2094,10 @@ static int class_order_to_cil(int indent, struct policydb *pdb, struct ebitmap o cil_indent(indent); cil_printf("(classorder ("); - ebitmap_for_each_positive_bit(&order, node, i) { + ebitmap_for_each_bit(&order, node, i) { + if (!ebitmap_get_bit(&order, i)) { + continue; + } cil_printf("%s ", pdb->sym_val_to_name[SYM_CLASSES][i]); } @@ -2176,7 +2199,10 @@ static int role_to_cil(int indent, struct policydb *pdb, struct avrule_block *UN if (ebitmap_cardinality(&role->roles) > 0) { cil_indent(indent); cil_printf("(roleattributeset %s (", key); - ebitmap_for_each_positive_bit(&role->roles, node, i) { + ebitmap_for_each_bit(&role->roles, node, i) { + if (!ebitmap_get_bit(&role->roles, i)) { + continue; + } cil_printf("%s ", pdb->p_role_val_to_name[i]); } cil_printf("))\n"); @@ -2305,7 +2331,10 @@ static int user_to_cil(int indent, struct policydb *pdb, struct avrule_block *bl cil_println(indent, "(userrole %s " DEFAULT_OBJECT ")", key); } - ebitmap_for_each_positive_bit(&roles, node, i) { + ebitmap_for_each_bit(&roles, node, i) { + if (!ebitmap_get_bit(&roles, i)) { + continue; + } cil_println(indent, "(userrole %s %s)", key, pdb->p_role_val_to_name[i]); } @@ -2392,7 +2421,10 @@ static int sens_order_to_cil(int indent, struct policydb *pdb, struct ebitmap or cil_indent(indent); cil_printf("(sensitivityorder ("); - ebitmap_for_each_positive_bit(&order, node, i) { + ebitmap_for_each_bit(&order, node, i) { + if (!ebitmap_get_bit(&order, i)) { + continue; + } cil_printf("%s ", pdb->p_sens_val_to_name[i]); } @@ -2433,7 +2465,10 @@ static int cat_order_to_cil(int indent, struct policydb *pdb, struct ebitmap ord cil_indent(indent); cil_printf("(categoryorder ("); - ebitmap_for_each_positive_bit(&order, node, i) { + ebitmap_for_each_bit(&order, node, i) { + if (!ebitmap_get_bit(&order, i)) { + continue; + } cil_printf("%s ", pdb->p_cat_val_to_name[i]); } @@ -2454,7 +2489,10 @@ static int polcaps_to_cil(struct policydb *pdb) map = &pdb->policycaps; - ebitmap_for_each_positive_bit(map, node, i) { + ebitmap_for_each_bit(map, node, i) { + if (!ebitmap_get_bit(map, i)) { + continue; + } name = sepol_polcap_getname(i); if (name == NULL) { log_err("Unknown policy capability id: %i", i); @@ -3389,7 +3427,10 @@ static int declared_scopes_to_cil(int indent, struct policydb *pdb, struct avrul } map = decl->declared.scope[sym]; - ebitmap_for_each_positive_bit(&map, node, i) { + ebitmap_for_each_bit(&map, node, i) { + if (!ebitmap_get_bit(&map, i)) { + continue; + } key = pdb->sym_val_to_name[sym][i]; datum = hashtab_search(pdb->symtab[sym].table, key); if (datum == NULL) { @@ -3453,7 +3494,10 @@ static int required_scopes_to_cil(int indent, struct policydb *pdb, struct avrul } map = decl->required.scope[sym]; - ebitmap_for_each_positive_bit(&map, node, i) { + ebitmap_for_each_bit(&map, node, i) { + if (!ebitmap_get_bit(&map, i)) { + continue; + } key = pdb->sym_val_to_name[sym][i]; scope_datum = hashtab_search(pdb->scope[sym].table, key); diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c index 69bcb4d5..96176d80 100644 --- a/libsepol/src/policydb.c +++ b/libsepol/src/policydb.c @@ -4245,9 +4245,10 @@ int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose) if (r_policyvers >= POLICYDB_VERSION_AVTAB) { if (ebitmap_read(&p->type_attr_map[i], fp)) goto bad; - ebitmap_for_each_positive_bit(&p->type_attr_map[i], - tnode, j) { - if (i == j) + ebitmap_for_each_bit(&p->type_attr_map[i], + tnode, j) { + if (!ebitmap_node_get_bit(tnode, j) + || i == j) continue; if (j >= p->p_types.nprim) diff --git a/libsepol/src/services.c b/libsepol/src/services.c index 303a138c..d40793e3 100644 --- a/libsepol/src/services.c +++ b/libsepol/src/services.c @@ -933,8 +933,12 @@ static int context_struct_compute_av(context_struct_t * scontext, avkey.specified = AVTAB_AV; sattr = &policydb->type_attr_map[scontext->type - 1]; tattr = &policydb->type_attr_map[tcontext->type - 1]; - ebitmap_for_each_positive_bit(sattr, snode, i) { - ebitmap_for_each_positive_bit(tattr, tnode, j) { + ebitmap_for_each_bit(sattr, snode, i) { + if (!ebitmap_node_get_bit(snode, i)) + continue; + ebitmap_for_each_bit(tattr, tnode, j) { + if (!ebitmap_node_get_bit(tnode, j)) + continue; avkey.source_type = i + 1; avkey.target_type = j + 1; for (node = @@ -2190,10 +2194,14 @@ int hidden sepol_get_user_sids(sepol_security_id_t fromsid, } memset(mysids, 0, maxnel * sizeof(sepol_security_id_t)); - ebitmap_for_each_positive_bit(&user->roles.roles, rnode, i) { + ebitmap_for_each_bit(&user->roles.roles, rnode, i) { + if (!ebitmap_node_get_bit(rnode, i)) + continue; role = policydb->role_val_to_struct[i]; usercon.role = i + 1; - ebitmap_for_each_positive_bit(&role->types.types, tnode, j) { + ebitmap_for_each_bit(&role->types.types, tnode, j) { + if (!ebitmap_node_get_bit(tnode, j)) + continue; usercon.type = j + 1; if (usercon.type == fromcon->type) continue; diff --git a/libsepol/src/users.c b/libsepol/src/users.c index b895b7f5..1929399b 100644 --- a/libsepol/src/users.c +++ b/libsepol/src/users.c @@ -37,10 +37,12 @@ static int user_to_record(sepol_handle_t * handle, goto err; /* Extract roles */ - ebitmap_for_each_positive_bit(roles, rnode, bit) { - char *role = policydb->p_role_val_to_name[bit]; - if (sepol_user_add_role(handle, tmp_record, role) < 0) - goto err; + ebitmap_for_each_bit(roles, rnode, bit) { + if (ebitmap_node_get_bit(rnode, bit)) { + char *role = policydb->p_role_val_to_name[bit]; + if (sepol_user_add_role(handle, tmp_record, role) < 0) + goto err; + } } /* Extract MLS info */ @@ -168,9 +170,12 @@ int sepol_user_modify(sepol_handle_t * handle, } /* Set the role and every role it dominates */ - ebitmap_for_each_positive_bit(&roldatum->dominates, rnode, bit) { - if (ebitmap_set_bit(&(usrdatum->roles.roles), bit, 1)) - goto omem; + ebitmap_for_each_bit(&roldatum->dominates, rnode, bit) { + if (ebitmap_node_get_bit(rnode, bit)) { + if (ebitmap_set_bit + (&(usrdatum->roles.roles), bit, 1)) + goto omem; + } } } diff --git a/libsepol/src/write.c b/libsepol/src/write.c index dee7b4a3..1fb30957 100644 --- a/libsepol/src/write.c +++ b/libsepol/src/write.c @@ -1759,8 +1759,9 @@ static int only_process(ebitmap_t *in) unsigned int i; ebitmap_node_t *node; - ebitmap_for_each_positive_bit(in, node, i) { - if (i != SECCLASS_PROCESS - 1) + ebitmap_for_each_bit(in, node, i) { + if (ebitmap_node_get_bit(node, i) && + i != SECCLASS_PROCESS - 1) return 0; } return 1; @@ -2182,11 +2183,13 @@ int policydb_write(policydb_t * p, struct policy_file *fp) p->policy_type == POLICY_KERN) { ebitmap_node_t *tnode; - ebitmap_for_each_positive_bit(&p->permissive_map, tnode, i) { - WARN(fp->handle, "Warning! Policy version %d cannot " - "support permissive types, but some were defined", - p->policyvers); - break; + ebitmap_for_each_bit(&p->permissive_map, tnode, i) { + if (ebitmap_node_get_bit(tnode, i)) { + WARN(fp->handle, "Warning! Policy version %d cannot " + "support permissive types, but some were defined", + p->policyvers); + break; + } } } diff --git a/libsepol/tests/test-common.c b/libsepol/tests/test-common.c index e6619ed1..81074031 100644 --- a/libsepol/tests/test-common.c +++ b/libsepol/tests/test-common.c @@ -197,19 +197,20 @@ role_datum_t *test_role_type_set(policydb_t * p, const char *id, avrule_decl_t * CU_ASSERT_FATAL(role != NULL); - ebitmap_for_each_positive_bit(&role->types.types, tnode, i) { - new = 0; - for (j = 0; j < len; j++) { - if (strcmp(p->sym_val_to_name[SYM_TYPES][i], types[j]) == 0) { - found++; - new = 1; + ebitmap_for_each_bit(&role->types.types, tnode, i) { + if (ebitmap_node_get_bit(tnode, i)) { + new = 0; + for (j = 0; j < len; j++) { + if (strcmp(p->sym_val_to_name[SYM_TYPES][i], types[j]) == 0) { + found++; + new = 1; + } } + if (new == 0) { + printf("\nRole %s had type %s not in types array\n", id, p->sym_val_to_name[SYM_TYPES][i]); + } + CU_ASSERT(new == 1); } - if (new == 0) { - printf("\nRole %s had type %s not in types array\n", - id, p->sym_val_to_name[SYM_TYPES][i]); - } - CU_ASSERT(new == 1); } CU_ASSERT(found == len); if (found != len) @@ -239,19 +240,20 @@ void test_attr_types(policydb_t * p, const char *id, avrule_decl_t * decl, const CU_ASSERT(attr->flavor == TYPE_ATTRIB); CU_ASSERT(attr->primary == 1); - ebitmap_for_each_positive_bit(&attr->types, tnode, i) { - new = 0; - for (j = 0; j < len; j++) { - if (strcmp(p->sym_val_to_name[SYM_TYPES][i], types[j]) == 0) { - found++; - new = 1; + ebitmap_for_each_bit(&attr->types, tnode, i) { + if (ebitmap_node_get_bit(tnode, i)) { + new = 0; + for (j = 0; j < len; j++) { + if (strcmp(p->sym_val_to_name[SYM_TYPES][i], types[j]) == 0) { + found++; + new = 1; + } } + if (new == 0) { + printf("\nattr %s had type %s not in types array\n", id, p->sym_val_to_name[SYM_TYPES][i]); + } + CU_ASSERT(new == 1); } - if (new == 0) { - printf("\nattr %s had type %s not in types array\n", - id, p->sym_val_to_name[SYM_TYPES][i]); - } - CU_ASSERT(new == 1); } CU_ASSERT(found == len); if (found != len) diff --git a/libsepol/tests/test-expander-users.c b/libsepol/tests/test-expander-users.c index 9d9c7a62..f3b98a6c 100644 --- a/libsepol/tests/test-expander-users.c +++ b/libsepol/tests/test-expander-users.c @@ -45,13 +45,15 @@ static void check_user_roles(policydb_t * p, const char *user_name, const char * } found = calloc(num_roles, sizeof(unsigned char)); CU_ASSERT_FATAL(found != NULL); - ebitmap_for_each_positive_bit(&user->roles.roles, tnode, i) { - extra++; - for (j = 0; j < num_roles; j++) { - if (strcmp(role_names[j], p->p_role_val_to_name[i]) == 0) { - extra--; - found[j] += 1; - break; + ebitmap_for_each_bit(&user->roles.roles, tnode, i) { + if (ebitmap_node_get_bit(tnode, i)) { + extra++; + for (j = 0; j < num_roles; j++) { + if (strcmp(role_names[j], p->p_role_val_to_name[i]) == 0) { + extra--; + found[j] += 1; + break; + } } } } diff --git a/libsepol/tests/test-linker-roles.c b/libsepol/tests/test-linker-roles.c index 6843252b..c9e2f2ba 100644 --- a/libsepol/tests/test-linker-roles.c +++ b/libsepol/tests/test-linker-roles.c @@ -58,9 +58,11 @@ static void only_dominates_self(policydb_t * p, role_datum_t * role) unsigned int i; int found = 0; - ebitmap_for_each_positive_bit(&role->dominates, tnode, i) { - found++; - CU_ASSERT(i == role->s.value - 1); + ebitmap_for_each_bit(&role->dominates, tnode, i) { + if (ebitmap_node_get_bit(tnode, i)) { + found++; + CU_ASSERT(i == role->s.value - 1); + } } CU_ASSERT(found == 1); } diff --git a/policycoreutils/run_init/run_init.c b/policycoreutils/run_init/run_init.c index a007ce49..4bc32b1c 100644 --- a/policycoreutils/run_init/run_init.c +++ b/policycoreutils/run_init/run_init.c @@ -159,14 +159,6 @@ int authenticate_via_pam(const struct passwd *p_passwd_line) #include <shadow.h> /* for shadow passwd functions */ #include <string.h> /* for strlen(), memset() */ -/* - * crypt() may not be defined in unistd.h; see: - * http://man7.org/linux/man-pages/man3/crypt.3.html#NOTES - */ -#if !defined(_XOPEN_CRYPT) || _XOPEN_CRYPT == -1 -#include <crypt.h> -#endif - #define PASSWORD_PROMPT _("Password:") /* prompt for getpass() */ int authenticate_via_shadow_passwd(const struct passwd *); diff --git a/policycoreutils/setsebool/setsebool.c b/policycoreutils/setsebool/setsebool.c index 9d8abfac..a5157efc 100644 --- a/policycoreutils/setsebool/setsebool.c +++ b/policycoreutils/setsebool/setsebool.c @@ -77,7 +77,7 @@ int main(int argc, char **argv) /* Add 1 for the '=' */ len = strlen(argv[optind]) + strlen(argv[optind + 1]) + 2; bool_list[0] = (char *)malloc(len); - if (bool_list[0] == NULL) { + if (bool_list[0] == 0) { fputs("Out of memory - aborting\n", stderr); return 1; } @@ -133,8 +133,8 @@ static int semanage_set_boolean_list(size_t boolcnt, goto err; } - if (!verbose) { - semanage_msg_set_callback(handle, NULL, NULL); + if (! verbose) { + semanage_msg_set_callback(handle,NULL, NULL); } managed = semanage_is_managed(handle); @@ -175,9 +175,9 @@ static int semanage_set_boolean_list(size_t boolcnt, goto err; semanage_bool_exists(handle, bool_key, &result); - if (!result) { + if ( !result ) { semanage_bool_exists_local(handle, bool_key, &result); - if (!result) { + if ( !result ) { fprintf(stderr, "Boolean %s is not defined\n", boollist[j].name); goto err; } @@ -230,13 +230,13 @@ int setbool(char **list, size_t start, size_t end) while (i < end) { name = list[i]; value_ptr = strchr(list[i], '='); - if (value_ptr == NULL) { + if (value_ptr == 0) { fprintf(stderr, "setsebool: '=' not found in boolean expression %s\n", list[i]); goto err; } - *value_ptr = '\0'; + *value_ptr = 0; value_ptr++; if (strcmp(value_ptr, "1") == 0 || strcasecmp(value_ptr, "true") == 0 || @@ -278,7 +278,7 @@ int setbool(char **list, size_t start, size_t end) while (i < end) { name = list[i]; value_ptr = strchr(name, '='); - *value_ptr = '\0'; + *value_ptr = 0; value_ptr++; if (pwd && pwd->pw_name) syslog(LOG_NOTICE, diff --git a/python/semanage/ru/semanage.8 b/python/semanage/ru/semanage.8 index f88568ee..85d8e24f 100644 --- a/python/semanage/ru/semanage.8 +++ b/python/semanage/ru/semanage.8 @@ -50,7 +50,7 @@ semanage \- средство управления политикой SELinux Управлять определениями типов конечных портов infiniband .SH "ОПИСАНИЕ" -semanage используется для настройки определённых элементов политики SELinux без необходимости изменения или перекомпиляции исходного текста политики. Это включает сопоставление имён пользователей Linux с пользователями SELinux (что управляет исходным контекстом безопасности, который присваивается пользователям Linux при их входе в систему, и ограничивает доступный им набор ролей). Также это включает сопоставление контекстов безопасности для различных видов объектов, таких как сетевые порты, интерфейсы, ключи разделов (pkeys) и конечные порты (endports) infiniband, сетевые узлы (хосты), а также сопоставление контекстов файлов. Обратите внимание, что при вызове команды semanage login пользователи Linux (logins) сопоставляются с пользователями SELinux, а при вызове команды semanage user пользователи SELinux сопоставляются с доступными наборами ролей. В большинстве случаев администратору требуется настроить только первый тип сопоставлений; второй тип сопоставлений определяется базовой политикой и обычно не требует изменения. +semanage используется для настройки определённых элементов политики SELinux без необходимости изменения или перекомпиляции исходного текста политики. Это включает сопоставление имён пользователей Linux с пользователями SELinux (что управляет исходным контекстом безопасности, который присваивается пользователям Linux при их входе в систему, и ограничивает доступный им набор ролей). Также это включает сопоставление контекстов безопасности для различных видов объектов, таких как сетевые порты, интерфейсы, ключи разделов (pkeys) и конечные порты (endports) infiniband, сетевые узлы (хосты), а также сопоставление контекстов файлов. В разделе ПРИМЕРЫ приведены примеры обычного использования этой утилиты. Обратите внимание, что при вызове команды semanage login пользователи Linux (logins) сопоставляются с пользователями SELinux, а при вызове команды semanage user пользователи SELinux сопоставляются с доступными наборами ролей. В большинстве случаев администратору требуется настроить только первый тип сопоставлений; второй тип сопоставлений определяется базовой политикой и обычно не требует изменения. .SH "ПАРАМЕТРЫ" .TP diff --git a/python/semanage/semanage-boolean.8 b/python/semanage/semanage-boolean.8 index 1282d106..99a6260b 100644 --- a/python/semanage/semanage-boolean.8 +++ b/python/semanage/semanage-boolean.8 @@ -45,7 +45,7 @@ Disable the boolean .SH EXAMPLE .nf -Turn on the apache can send mail boolean +Turn on the apache can send mail boolan # semanage boolean \-m \-\-on httpd_can_sendmail List customized booleans diff --git a/secilc/Android.bp b/secilc/Android.bp index 597058b3..75597dba 100644 --- a/secilc/Android.bp +++ b/secilc/Android.bp @@ -16,6 +16,12 @@ cc_binary { // and /system/lib/libc.so point to the mount points where nothing // is mounted on yet. Therefore, secilc has to have explicit knowledge about // the paths where the bootstrap Bionic is. bootstrap:true sets DT_INTERP to - // /system/bin/bootstrap/linker. + // /system/bin/bootstrap/linker. RPATH is explicitly set to /system/lib/bootstrap + // where the bootstrap libc.so is. bootstrap: true, + target: { + android: { + ldflags: ["-Wl,--rpath,/system/${LIB}/bootstrap"], + }, + }, } |