Merge commit 'v2.6.28-rc2' into core/locking
[linux-2.6] / security / selinux / ss / policydb.c
1 /*
2  * Implementation of the policy database.
3  *
4  * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
5  */
6
7 /*
8  * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
9  *
10  *      Support for enhanced MLS infrastructure.
11  *
12  * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
13  *
14  *      Added conditional policy language extensions
15  *
16  * Updated: Hewlett-Packard <paul.moore@hp.com>
17  *
18  *      Added support for the policy capability bitmap
19  *
20  * Copyright (C) 2007 Hewlett-Packard Development Company, L.P.
21  * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
22  * Copyright (C) 2003 - 2004 Tresys Technology, LLC
23  *      This program is free software; you can redistribute it and/or modify
24  *      it under the terms of the GNU General Public License as published by
25  *      the Free Software Foundation, version 2.
26  */
27
28 #include <linux/kernel.h>
29 #include <linux/sched.h>
30 #include <linux/slab.h>
31 #include <linux/string.h>
32 #include <linux/errno.h>
33 #include <linux/audit.h>
34 #include "security.h"
35
36 #include "policydb.h"
37 #include "conditional.h"
38 #include "mls.h"
39
40 #define _DEBUG_HASHES
41
42 #ifdef DEBUG_HASHES
43 static char *symtab_name[SYM_NUM] = {
44         "common prefixes",
45         "classes",
46         "roles",
47         "types",
48         "users",
49         "bools",
50         "levels",
51         "categories",
52 };
53 #endif
54
55 int selinux_mls_enabled;
56
57 static unsigned int symtab_sizes[SYM_NUM] = {
58         2,
59         32,
60         16,
61         512,
62         128,
63         16,
64         16,
65         16,
66 };
67
68 struct policydb_compat_info {
69         int version;
70         int sym_num;
71         int ocon_num;
72 };
73
74 /* These need to be updated if SYM_NUM or OCON_NUM changes */
75 static struct policydb_compat_info policydb_compat[] = {
76         {
77                 .version        = POLICYDB_VERSION_BASE,
78                 .sym_num        = SYM_NUM - 3,
79                 .ocon_num       = OCON_NUM - 1,
80         },
81         {
82                 .version        = POLICYDB_VERSION_BOOL,
83                 .sym_num        = SYM_NUM - 2,
84                 .ocon_num       = OCON_NUM - 1,
85         },
86         {
87                 .version        = POLICYDB_VERSION_IPV6,
88                 .sym_num        = SYM_NUM - 2,
89                 .ocon_num       = OCON_NUM,
90         },
91         {
92                 .version        = POLICYDB_VERSION_NLCLASS,
93                 .sym_num        = SYM_NUM - 2,
94                 .ocon_num       = OCON_NUM,
95         },
96         {
97                 .version        = POLICYDB_VERSION_MLS,
98                 .sym_num        = SYM_NUM,
99                 .ocon_num       = OCON_NUM,
100         },
101         {
102                 .version        = POLICYDB_VERSION_AVTAB,
103                 .sym_num        = SYM_NUM,
104                 .ocon_num       = OCON_NUM,
105         },
106         {
107                 .version        = POLICYDB_VERSION_RANGETRANS,
108                 .sym_num        = SYM_NUM,
109                 .ocon_num       = OCON_NUM,
110         },
111         {
112                 .version        = POLICYDB_VERSION_POLCAP,
113                 .sym_num        = SYM_NUM,
114                 .ocon_num       = OCON_NUM,
115         },
116         {
117                 .version        = POLICYDB_VERSION_PERMISSIVE,
118                 .sym_num        = SYM_NUM,
119                 .ocon_num       = OCON_NUM,
120         },
121         {
122                 .version        = POLICYDB_VERSION_BOUNDARY,
123                 .sym_num        = SYM_NUM,
124                 .ocon_num       = OCON_NUM,
125         },
126 };
127
128 static struct policydb_compat_info *policydb_lookup_compat(int version)
129 {
130         int i;
131         struct policydb_compat_info *info = NULL;
132
133         for (i = 0; i < ARRAY_SIZE(policydb_compat); i++) {
134                 if (policydb_compat[i].version == version) {
135                         info = &policydb_compat[i];
136                         break;
137                 }
138         }
139         return info;
140 }
141
142 /*
143  * Initialize the role table.
144  */
145 static int roles_init(struct policydb *p)
146 {
147         char *key = NULL;
148         int rc;
149         struct role_datum *role;
150
151         role = kzalloc(sizeof(*role), GFP_KERNEL);
152         if (!role) {
153                 rc = -ENOMEM;
154                 goto out;
155         }
156         role->value = ++p->p_roles.nprim;
157         if (role->value != OBJECT_R_VAL) {
158                 rc = -EINVAL;
159                 goto out_free_role;
160         }
161         key = kmalloc(strlen(OBJECT_R)+1, GFP_KERNEL);
162         if (!key) {
163                 rc = -ENOMEM;
164                 goto out_free_role;
165         }
166         strcpy(key, OBJECT_R);
167         rc = hashtab_insert(p->p_roles.table, key, role);
168         if (rc)
169                 goto out_free_key;
170 out:
171         return rc;
172
173 out_free_key:
174         kfree(key);
175 out_free_role:
176         kfree(role);
177         goto out;
178 }
179
180 /*
181  * Initialize a policy database structure.
182  */
183 static int policydb_init(struct policydb *p)
184 {
185         int i, rc;
186
187         memset(p, 0, sizeof(*p));
188
189         for (i = 0; i < SYM_NUM; i++) {
190                 rc = symtab_init(&p->symtab[i], symtab_sizes[i]);
191                 if (rc)
192                         goto out_free_symtab;
193         }
194
195         rc = avtab_init(&p->te_avtab);
196         if (rc)
197                 goto out_free_symtab;
198
199         rc = roles_init(p);
200         if (rc)
201                 goto out_free_symtab;
202
203         rc = cond_policydb_init(p);
204         if (rc)
205                 goto out_free_symtab;
206
207         ebitmap_init(&p->policycaps);
208         ebitmap_init(&p->permissive_map);
209
210 out:
211         return rc;
212
213 out_free_symtab:
214         for (i = 0; i < SYM_NUM; i++)
215                 hashtab_destroy(p->symtab[i].table);
216         goto out;
217 }
218
219 /*
220  * The following *_index functions are used to
221  * define the val_to_name and val_to_struct arrays
222  * in a policy database structure.  The val_to_name
223  * arrays are used when converting security context
224  * structures into string representations.  The
225  * val_to_struct arrays are used when the attributes
226  * of a class, role, or user are needed.
227  */
228
229 static int common_index(void *key, void *datum, void *datap)
230 {
231         struct policydb *p;
232         struct common_datum *comdatum;
233
234         comdatum = datum;
235         p = datap;
236         if (!comdatum->value || comdatum->value > p->p_commons.nprim)
237                 return -EINVAL;
238         p->p_common_val_to_name[comdatum->value - 1] = key;
239         return 0;
240 }
241
242 static int class_index(void *key, void *datum, void *datap)
243 {
244         struct policydb *p;
245         struct class_datum *cladatum;
246
247         cladatum = datum;
248         p = datap;
249         if (!cladatum->value || cladatum->value > p->p_classes.nprim)
250                 return -EINVAL;
251         p->p_class_val_to_name[cladatum->value - 1] = key;
252         p->class_val_to_struct[cladatum->value - 1] = cladatum;
253         return 0;
254 }
255
256 static int role_index(void *key, void *datum, void *datap)
257 {
258         struct policydb *p;
259         struct role_datum *role;
260
261         role = datum;
262         p = datap;
263         if (!role->value
264             || role->value > p->p_roles.nprim
265             || role->bounds > p->p_roles.nprim)
266                 return -EINVAL;
267         p->p_role_val_to_name[role->value - 1] = key;
268         p->role_val_to_struct[role->value - 1] = role;
269         return 0;
270 }
271
272 static int type_index(void *key, void *datum, void *datap)
273 {
274         struct policydb *p;
275         struct type_datum *typdatum;
276
277         typdatum = datum;
278         p = datap;
279
280         if (typdatum->primary) {
281                 if (!typdatum->value
282                     || typdatum->value > p->p_types.nprim
283                     || typdatum->bounds > p->p_types.nprim)
284                         return -EINVAL;
285                 p->p_type_val_to_name[typdatum->value - 1] = key;
286                 p->type_val_to_struct[typdatum->value - 1] = typdatum;
287         }
288
289         return 0;
290 }
291
292 static int user_index(void *key, void *datum, void *datap)
293 {
294         struct policydb *p;
295         struct user_datum *usrdatum;
296
297         usrdatum = datum;
298         p = datap;
299         if (!usrdatum->value
300             || usrdatum->value > p->p_users.nprim
301             || usrdatum->bounds > p->p_users.nprim)
302                 return -EINVAL;
303         p->p_user_val_to_name[usrdatum->value - 1] = key;
304         p->user_val_to_struct[usrdatum->value - 1] = usrdatum;
305         return 0;
306 }
307
308 static int sens_index(void *key, void *datum, void *datap)
309 {
310         struct policydb *p;
311         struct level_datum *levdatum;
312
313         levdatum = datum;
314         p = datap;
315
316         if (!levdatum->isalias) {
317                 if (!levdatum->level->sens ||
318                     levdatum->level->sens > p->p_levels.nprim)
319                         return -EINVAL;
320                 p->p_sens_val_to_name[levdatum->level->sens - 1] = key;
321         }
322
323         return 0;
324 }
325
326 static int cat_index(void *key, void *datum, void *datap)
327 {
328         struct policydb *p;
329         struct cat_datum *catdatum;
330
331         catdatum = datum;
332         p = datap;
333
334         if (!catdatum->isalias) {
335                 if (!catdatum->value || catdatum->value > p->p_cats.nprim)
336                         return -EINVAL;
337                 p->p_cat_val_to_name[catdatum->value - 1] = key;
338         }
339
340         return 0;
341 }
342
343 static int (*index_f[SYM_NUM]) (void *key, void *datum, void *datap) =
344 {
345         common_index,
346         class_index,
347         role_index,
348         type_index,
349         user_index,
350         cond_index_bool,
351         sens_index,
352         cat_index,
353 };
354
355 /*
356  * Define the common val_to_name array and the class
357  * val_to_name and val_to_struct arrays in a policy
358  * database structure.
359  *
360  * Caller must clean up upon failure.
361  */
362 static int policydb_index_classes(struct policydb *p)
363 {
364         int rc;
365
366         p->p_common_val_to_name =
367                 kmalloc(p->p_commons.nprim * sizeof(char *), GFP_KERNEL);
368         if (!p->p_common_val_to_name) {
369                 rc = -ENOMEM;
370                 goto out;
371         }
372
373         rc = hashtab_map(p->p_commons.table, common_index, p);
374         if (rc)
375                 goto out;
376
377         p->class_val_to_struct =
378                 kmalloc(p->p_classes.nprim * sizeof(*(p->class_val_to_struct)), GFP_KERNEL);
379         if (!p->class_val_to_struct) {
380                 rc = -ENOMEM;
381                 goto out;
382         }
383
384         p->p_class_val_to_name =
385                 kmalloc(p->p_classes.nprim * sizeof(char *), GFP_KERNEL);
386         if (!p->p_class_val_to_name) {
387                 rc = -ENOMEM;
388                 goto out;
389         }
390
391         rc = hashtab_map(p->p_classes.table, class_index, p);
392 out:
393         return rc;
394 }
395
396 #ifdef DEBUG_HASHES
397 static void symtab_hash_eval(struct symtab *s)
398 {
399         int i;
400
401         for (i = 0; i < SYM_NUM; i++) {
402                 struct hashtab *h = s[i].table;
403                 struct hashtab_info info;
404
405                 hashtab_stat(h, &info);
406                 printk(KERN_DEBUG "SELinux: %s:  %d entries and %d/%d buckets used, "
407                        "longest chain length %d\n", symtab_name[i], h->nel,
408                        info.slots_used, h->size, info.max_chain_len);
409         }
410 }
411 #endif
412
413 /*
414  * Define the other val_to_name and val_to_struct arrays
415  * in a policy database structure.
416  *
417  * Caller must clean up on failure.
418  */
419 static int policydb_index_others(struct policydb *p)
420 {
421         int i, rc = 0;
422
423         printk(KERN_DEBUG "SELinux:  %d users, %d roles, %d types, %d bools",
424                p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim, p->p_bools.nprim);
425         if (selinux_mls_enabled)
426                 printk(", %d sens, %d cats", p->p_levels.nprim,
427                        p->p_cats.nprim);
428         printk("\n");
429
430         printk(KERN_DEBUG "SELinux:  %d classes, %d rules\n",
431                p->p_classes.nprim, p->te_avtab.nel);
432
433 #ifdef DEBUG_HASHES
434         avtab_hash_eval(&p->te_avtab, "rules");
435         symtab_hash_eval(p->symtab);
436 #endif
437
438         p->role_val_to_struct =
439                 kmalloc(p->p_roles.nprim * sizeof(*(p->role_val_to_struct)),
440                         GFP_KERNEL);
441         if (!p->role_val_to_struct) {
442                 rc = -ENOMEM;
443                 goto out;
444         }
445
446         p->user_val_to_struct =
447                 kmalloc(p->p_users.nprim * sizeof(*(p->user_val_to_struct)),
448                         GFP_KERNEL);
449         if (!p->user_val_to_struct) {
450                 rc = -ENOMEM;
451                 goto out;
452         }
453
454         p->type_val_to_struct =
455                 kmalloc(p->p_types.nprim * sizeof(*(p->type_val_to_struct)),
456                         GFP_KERNEL);
457         if (!p->type_val_to_struct) {
458                 rc = -ENOMEM;
459                 goto out;
460         }
461
462         if (cond_init_bool_indexes(p)) {
463                 rc = -ENOMEM;
464                 goto out;
465         }
466
467         for (i = SYM_ROLES; i < SYM_NUM; i++) {
468                 p->sym_val_to_name[i] =
469                         kmalloc(p->symtab[i].nprim * sizeof(char *), GFP_KERNEL);
470                 if (!p->sym_val_to_name[i]) {
471                         rc = -ENOMEM;
472                         goto out;
473                 }
474                 rc = hashtab_map(p->symtab[i].table, index_f[i], p);
475                 if (rc)
476                         goto out;
477         }
478
479 out:
480         return rc;
481 }
482
483 /*
484  * The following *_destroy functions are used to
485  * free any memory allocated for each kind of
486  * symbol data in the policy database.
487  */
488
489 static int perm_destroy(void *key, void *datum, void *p)
490 {
491         kfree(key);
492         kfree(datum);
493         return 0;
494 }
495
496 static int common_destroy(void *key, void *datum, void *p)
497 {
498         struct common_datum *comdatum;
499
500         kfree(key);
501         comdatum = datum;
502         hashtab_map(comdatum->permissions.table, perm_destroy, NULL);
503         hashtab_destroy(comdatum->permissions.table);
504         kfree(datum);
505         return 0;
506 }
507
508 static int cls_destroy(void *key, void *datum, void *p)
509 {
510         struct class_datum *cladatum;
511         struct constraint_node *constraint, *ctemp;
512         struct constraint_expr *e, *etmp;
513
514         kfree(key);
515         cladatum = datum;
516         hashtab_map(cladatum->permissions.table, perm_destroy, NULL);
517         hashtab_destroy(cladatum->permissions.table);
518         constraint = cladatum->constraints;
519         while (constraint) {
520                 e = constraint->expr;
521                 while (e) {
522                         ebitmap_destroy(&e->names);
523                         etmp = e;
524                         e = e->next;
525                         kfree(etmp);
526                 }
527                 ctemp = constraint;
528                 constraint = constraint->next;
529                 kfree(ctemp);
530         }
531
532         constraint = cladatum->validatetrans;
533         while (constraint) {
534                 e = constraint->expr;
535                 while (e) {
536                         ebitmap_destroy(&e->names);
537                         etmp = e;
538                         e = e->next;
539                         kfree(etmp);
540                 }
541                 ctemp = constraint;
542                 constraint = constraint->next;
543                 kfree(ctemp);
544         }
545
546         kfree(cladatum->comkey);
547         kfree(datum);
548         return 0;
549 }
550
551 static int role_destroy(void *key, void *datum, void *p)
552 {
553         struct role_datum *role;
554
555         kfree(key);
556         role = datum;
557         ebitmap_destroy(&role->dominates);
558         ebitmap_destroy(&role->types);
559         kfree(datum);
560         return 0;
561 }
562
563 static int type_destroy(void *key, void *datum, void *p)
564 {
565         kfree(key);
566         kfree(datum);
567         return 0;
568 }
569
570 static int user_destroy(void *key, void *datum, void *p)
571 {
572         struct user_datum *usrdatum;
573
574         kfree(key);
575         usrdatum = datum;
576         ebitmap_destroy(&usrdatum->roles);
577         ebitmap_destroy(&usrdatum->range.level[0].cat);
578         ebitmap_destroy(&usrdatum->range.level[1].cat);
579         ebitmap_destroy(&usrdatum->dfltlevel.cat);
580         kfree(datum);
581         return 0;
582 }
583
584 static int sens_destroy(void *key, void *datum, void *p)
585 {
586         struct level_datum *levdatum;
587
588         kfree(key);
589         levdatum = datum;
590         ebitmap_destroy(&levdatum->level->cat);
591         kfree(levdatum->level);
592         kfree(datum);
593         return 0;
594 }
595
596 static int cat_destroy(void *key, void *datum, void *p)
597 {
598         kfree(key);
599         kfree(datum);
600         return 0;
601 }
602
603 static int (*destroy_f[SYM_NUM]) (void *key, void *datum, void *datap) =
604 {
605         common_destroy,
606         cls_destroy,
607         role_destroy,
608         type_destroy,
609         user_destroy,
610         cond_destroy_bool,
611         sens_destroy,
612         cat_destroy,
613 };
614
615 static void ocontext_destroy(struct ocontext *c, int i)
616 {
617         context_destroy(&c->context[0]);
618         context_destroy(&c->context[1]);
619         if (i == OCON_ISID || i == OCON_FS ||
620             i == OCON_NETIF || i == OCON_FSUSE)
621                 kfree(c->u.name);
622         kfree(c);
623 }
624
625 /*
626  * Free any memory allocated by a policy database structure.
627  */
628 void policydb_destroy(struct policydb *p)
629 {
630         struct ocontext *c, *ctmp;
631         struct genfs *g, *gtmp;
632         int i;
633         struct role_allow *ra, *lra = NULL;
634         struct role_trans *tr, *ltr = NULL;
635         struct range_trans *rt, *lrt = NULL;
636
637         for (i = 0; i < SYM_NUM; i++) {
638                 cond_resched();
639                 hashtab_map(p->symtab[i].table, destroy_f[i], NULL);
640                 hashtab_destroy(p->symtab[i].table);
641         }
642
643         for (i = 0; i < SYM_NUM; i++)
644                 kfree(p->sym_val_to_name[i]);
645
646         kfree(p->class_val_to_struct);
647         kfree(p->role_val_to_struct);
648         kfree(p->user_val_to_struct);
649         kfree(p->type_val_to_struct);
650
651         avtab_destroy(&p->te_avtab);
652
653         for (i = 0; i < OCON_NUM; i++) {
654                 cond_resched();
655                 c = p->ocontexts[i];
656                 while (c) {
657                         ctmp = c;
658                         c = c->next;
659                         ocontext_destroy(ctmp, i);
660                 }
661                 p->ocontexts[i] = NULL;
662         }
663
664         g = p->genfs;
665         while (g) {
666                 cond_resched();
667                 kfree(g->fstype);
668                 c = g->head;
669                 while (c) {
670                         ctmp = c;
671                         c = c->next;
672                         ocontext_destroy(ctmp, OCON_FSUSE);
673                 }
674                 gtmp = g;
675                 g = g->next;
676                 kfree(gtmp);
677         }
678         p->genfs = NULL;
679
680         cond_policydb_destroy(p);
681
682         for (tr = p->role_tr; tr; tr = tr->next) {
683                 cond_resched();
684                 kfree(ltr);
685                 ltr = tr;
686         }
687         kfree(ltr);
688
689         for (ra = p->role_allow; ra; ra = ra->next) {
690                 cond_resched();
691                 kfree(lra);
692                 lra = ra;
693         }
694         kfree(lra);
695
696         for (rt = p->range_tr; rt; rt = rt->next) {
697                 cond_resched();
698                 if (lrt) {
699                         ebitmap_destroy(&lrt->target_range.level[0].cat);
700                         ebitmap_destroy(&lrt->target_range.level[1].cat);
701                         kfree(lrt);
702                 }
703                 lrt = rt;
704         }
705         if (lrt) {
706                 ebitmap_destroy(&lrt->target_range.level[0].cat);
707                 ebitmap_destroy(&lrt->target_range.level[1].cat);
708                 kfree(lrt);
709         }
710
711         if (p->type_attr_map) {
712                 for (i = 0; i < p->p_types.nprim; i++)
713                         ebitmap_destroy(&p->type_attr_map[i]);
714         }
715         kfree(p->type_attr_map);
716         kfree(p->undefined_perms);
717         ebitmap_destroy(&p->policycaps);
718         ebitmap_destroy(&p->permissive_map);
719
720         return;
721 }
722
723 /*
724  * Load the initial SIDs specified in a policy database
725  * structure into a SID table.
726  */
727 int policydb_load_isids(struct policydb *p, struct sidtab *s)
728 {
729         struct ocontext *head, *c;
730         int rc;
731
732         rc = sidtab_init(s);
733         if (rc) {
734                 printk(KERN_ERR "SELinux:  out of memory on SID table init\n");
735                 goto out;
736         }
737
738         head = p->ocontexts[OCON_ISID];
739         for (c = head; c; c = c->next) {
740                 if (!c->context[0].user) {
741                         printk(KERN_ERR "SELinux:  SID %s was never "
742                                "defined.\n", c->u.name);
743                         rc = -EINVAL;
744                         goto out;
745                 }
746                 if (sidtab_insert(s, c->sid[0], &c->context[0])) {
747                         printk(KERN_ERR "SELinux:  unable to load initial "
748                                "SID %s.\n", c->u.name);
749                         rc = -EINVAL;
750                         goto out;
751                 }
752         }
753 out:
754         return rc;
755 }
756
757 int policydb_class_isvalid(struct policydb *p, unsigned int class)
758 {
759         if (!class || class > p->p_classes.nprim)
760                 return 0;
761         return 1;
762 }
763
764 int policydb_role_isvalid(struct policydb *p, unsigned int role)
765 {
766         if (!role || role > p->p_roles.nprim)
767                 return 0;
768         return 1;
769 }
770
771 int policydb_type_isvalid(struct policydb *p, unsigned int type)
772 {
773         if (!type || type > p->p_types.nprim)
774                 return 0;
775         return 1;
776 }
777
778 /*
779  * Return 1 if the fields in the security context
780  * structure `c' are valid.  Return 0 otherwise.
781  */
782 int policydb_context_isvalid(struct policydb *p, struct context *c)
783 {
784         struct role_datum *role;
785         struct user_datum *usrdatum;
786
787         if (!c->role || c->role > p->p_roles.nprim)
788                 return 0;
789
790         if (!c->user || c->user > p->p_users.nprim)
791                 return 0;
792
793         if (!c->type || c->type > p->p_types.nprim)
794                 return 0;
795
796         if (c->role != OBJECT_R_VAL) {
797                 /*
798                  * Role must be authorized for the type.
799                  */
800                 role = p->role_val_to_struct[c->role - 1];
801                 if (!ebitmap_get_bit(&role->types,
802                                      c->type - 1))
803                         /* role may not be associated with type */
804                         return 0;
805
806                 /*
807                  * User must be authorized for the role.
808                  */
809                 usrdatum = p->user_val_to_struct[c->user - 1];
810                 if (!usrdatum)
811                         return 0;
812
813                 if (!ebitmap_get_bit(&usrdatum->roles,
814                                      c->role - 1))
815                         /* user may not be associated with role */
816                         return 0;
817         }
818
819         if (!mls_context_isvalid(p, c))
820                 return 0;
821
822         return 1;
823 }
824
825 /*
826  * Read a MLS range structure from a policydb binary
827  * representation file.
828  */
829 static int mls_read_range_helper(struct mls_range *r, void *fp)
830 {
831         __le32 buf[2];
832         u32 items;
833         int rc;
834
835         rc = next_entry(buf, fp, sizeof(u32));
836         if (rc < 0)
837                 goto out;
838
839         items = le32_to_cpu(buf[0]);
840         if (items > ARRAY_SIZE(buf)) {
841                 printk(KERN_ERR "SELinux: mls:  range overflow\n");
842                 rc = -EINVAL;
843                 goto out;
844         }
845         rc = next_entry(buf, fp, sizeof(u32) * items);
846         if (rc < 0) {
847                 printk(KERN_ERR "SELinux: mls:  truncated range\n");
848                 goto out;
849         }
850         r->level[0].sens = le32_to_cpu(buf[0]);
851         if (items > 1)
852                 r->level[1].sens = le32_to_cpu(buf[1]);
853         else
854                 r->level[1].sens = r->level[0].sens;
855
856         rc = ebitmap_read(&r->level[0].cat, fp);
857         if (rc) {
858                 printk(KERN_ERR "SELinux: mls:  error reading low "
859                        "categories\n");
860                 goto out;
861         }
862         if (items > 1) {
863                 rc = ebitmap_read(&r->level[1].cat, fp);
864                 if (rc) {
865                         printk(KERN_ERR "SELinux: mls:  error reading high "
866                                "categories\n");
867                         goto bad_high;
868                 }
869         } else {
870                 rc = ebitmap_cpy(&r->level[1].cat, &r->level[0].cat);
871                 if (rc) {
872                         printk(KERN_ERR "SELinux: mls:  out of memory\n");
873                         goto bad_high;
874                 }
875         }
876
877         rc = 0;
878 out:
879         return rc;
880 bad_high:
881         ebitmap_destroy(&r->level[0].cat);
882         goto out;
883 }
884
885 /*
886  * Read and validate a security context structure
887  * from a policydb binary representation file.
888  */
889 static int context_read_and_validate(struct context *c,
890                                      struct policydb *p,
891                                      void *fp)
892 {
893         __le32 buf[3];
894         int rc;
895
896         rc = next_entry(buf, fp, sizeof buf);
897         if (rc < 0) {
898                 printk(KERN_ERR "SELinux: context truncated\n");
899                 goto out;
900         }
901         c->user = le32_to_cpu(buf[0]);
902         c->role = le32_to_cpu(buf[1]);
903         c->type = le32_to_cpu(buf[2]);
904         if (p->policyvers >= POLICYDB_VERSION_MLS) {
905                 if (mls_read_range_helper(&c->range, fp)) {
906                         printk(KERN_ERR "SELinux: error reading MLS range of "
907                                "context\n");
908                         rc = -EINVAL;
909                         goto out;
910                 }
911         }
912
913         if (!policydb_context_isvalid(p, c)) {
914                 printk(KERN_ERR "SELinux:  invalid security context\n");
915                 context_destroy(c);
916                 rc = -EINVAL;
917         }
918 out:
919         return rc;
920 }
921
922 /*
923  * The following *_read functions are used to
924  * read the symbol data from a policy database
925  * binary representation file.
926  */
927
928 static int perm_read(struct policydb *p, struct hashtab *h, void *fp)
929 {
930         char *key = NULL;
931         struct perm_datum *perdatum;
932         int rc;
933         __le32 buf[2];
934         u32 len;
935
936         perdatum = kzalloc(sizeof(*perdatum), GFP_KERNEL);
937         if (!perdatum) {
938                 rc = -ENOMEM;
939                 goto out;
940         }
941
942         rc = next_entry(buf, fp, sizeof buf);
943         if (rc < 0)
944                 goto bad;
945
946         len = le32_to_cpu(buf[0]);
947         perdatum->value = le32_to_cpu(buf[1]);
948
949         key = kmalloc(len + 1, GFP_KERNEL);
950         if (!key) {
951                 rc = -ENOMEM;
952                 goto bad;
953         }
954         rc = next_entry(key, fp, len);
955         if (rc < 0)
956                 goto bad;
957         key[len] = '\0';
958
959         rc = hashtab_insert(h, key, perdatum);
960         if (rc)
961                 goto bad;
962 out:
963         return rc;
964 bad:
965         perm_destroy(key, perdatum, NULL);
966         goto out;
967 }
968
969 static int common_read(struct policydb *p, struct hashtab *h, void *fp)
970 {
971         char *key = NULL;
972         struct common_datum *comdatum;
973         __le32 buf[4];
974         u32 len, nel;
975         int i, rc;
976
977         comdatum = kzalloc(sizeof(*comdatum), GFP_KERNEL);
978         if (!comdatum) {
979                 rc = -ENOMEM;
980                 goto out;
981         }
982
983         rc = next_entry(buf, fp, sizeof buf);
984         if (rc < 0)
985                 goto bad;
986
987         len = le32_to_cpu(buf[0]);
988         comdatum->value = le32_to_cpu(buf[1]);
989
990         rc = symtab_init(&comdatum->permissions, PERM_SYMTAB_SIZE);
991         if (rc)
992                 goto bad;
993         comdatum->permissions.nprim = le32_to_cpu(buf[2]);
994         nel = le32_to_cpu(buf[3]);
995
996         key = kmalloc(len + 1, GFP_KERNEL);
997         if (!key) {
998                 rc = -ENOMEM;
999                 goto bad;
1000         }
1001         rc = next_entry(key, fp, len);
1002         if (rc < 0)
1003                 goto bad;
1004         key[len] = '\0';
1005
1006         for (i = 0; i < nel; i++) {
1007                 rc = perm_read(p, comdatum->permissions.table, fp);
1008                 if (rc)
1009                         goto bad;
1010         }
1011
1012         rc = hashtab_insert(h, key, comdatum);
1013         if (rc)
1014                 goto bad;
1015 out:
1016         return rc;
1017 bad:
1018         common_destroy(key, comdatum, NULL);
1019         goto out;
1020 }
1021
1022 static int read_cons_helper(struct constraint_node **nodep, int ncons,
1023                             int allowxtarget, void *fp)
1024 {
1025         struct constraint_node *c, *lc;
1026         struct constraint_expr *e, *le;
1027         __le32 buf[3];
1028         u32 nexpr;
1029         int rc, i, j, depth;
1030
1031         lc = NULL;
1032         for (i = 0; i < ncons; i++) {
1033                 c = kzalloc(sizeof(*c), GFP_KERNEL);
1034                 if (!c)
1035                         return -ENOMEM;
1036
1037                 if (lc)
1038                         lc->next = c;
1039                 else
1040                         *nodep = c;
1041
1042                 rc = next_entry(buf, fp, (sizeof(u32) * 2));
1043                 if (rc < 0)
1044                         return rc;
1045                 c->permissions = le32_to_cpu(buf[0]);
1046                 nexpr = le32_to_cpu(buf[1]);
1047                 le = NULL;
1048                 depth = -1;
1049                 for (j = 0; j < nexpr; j++) {
1050                         e = kzalloc(sizeof(*e), GFP_KERNEL);
1051                         if (!e)
1052                                 return -ENOMEM;
1053
1054                         if (le)
1055                                 le->next = e;
1056                         else
1057                                 c->expr = e;
1058
1059                         rc = next_entry(buf, fp, (sizeof(u32) * 3));
1060                         if (rc < 0)
1061                                 return rc;
1062                         e->expr_type = le32_to_cpu(buf[0]);
1063                         e->attr = le32_to_cpu(buf[1]);
1064                         e->op = le32_to_cpu(buf[2]);
1065
1066                         switch (e->expr_type) {
1067                         case CEXPR_NOT:
1068                                 if (depth < 0)
1069                                         return -EINVAL;
1070                                 break;
1071                         case CEXPR_AND:
1072                         case CEXPR_OR:
1073                                 if (depth < 1)
1074                                         return -EINVAL;
1075                                 depth--;
1076                                 break;
1077                         case CEXPR_ATTR:
1078                                 if (depth == (CEXPR_MAXDEPTH - 1))
1079                                         return -EINVAL;
1080                                 depth++;
1081                                 break;
1082                         case CEXPR_NAMES:
1083                                 if (!allowxtarget && (e->attr & CEXPR_XTARGET))
1084                                         return -EINVAL;
1085                                 if (depth == (CEXPR_MAXDEPTH - 1))
1086                                         return -EINVAL;
1087                                 depth++;
1088                                 if (ebitmap_read(&e->names, fp))
1089                                         return -EINVAL;
1090                                 break;
1091                         default:
1092                                 return -EINVAL;
1093                         }
1094                         le = e;
1095                 }
1096                 if (depth != 0)
1097                         return -EINVAL;
1098                 lc = c;
1099         }
1100
1101         return 0;
1102 }
1103
1104 static int class_read(struct policydb *p, struct hashtab *h, void *fp)
1105 {
1106         char *key = NULL;
1107         struct class_datum *cladatum;
1108         __le32 buf[6];
1109         u32 len, len2, ncons, nel;
1110         int i, rc;
1111
1112         cladatum = kzalloc(sizeof(*cladatum), GFP_KERNEL);
1113         if (!cladatum) {
1114                 rc = -ENOMEM;
1115                 goto out;
1116         }
1117
1118         rc = next_entry(buf, fp, sizeof(u32)*6);
1119         if (rc < 0)
1120                 goto bad;
1121
1122         len = le32_to_cpu(buf[0]);
1123         len2 = le32_to_cpu(buf[1]);
1124         cladatum->value = le32_to_cpu(buf[2]);
1125
1126         rc = symtab_init(&cladatum->permissions, PERM_SYMTAB_SIZE);
1127         if (rc)
1128                 goto bad;
1129         cladatum->permissions.nprim = le32_to_cpu(buf[3]);
1130         nel = le32_to_cpu(buf[4]);
1131
1132         ncons = le32_to_cpu(buf[5]);
1133
1134         key = kmalloc(len + 1, GFP_KERNEL);
1135         if (!key) {
1136                 rc = -ENOMEM;
1137                 goto bad;
1138         }
1139         rc = next_entry(key, fp, len);
1140         if (rc < 0)
1141                 goto bad;
1142         key[len] = '\0';
1143
1144         if (len2) {
1145                 cladatum->comkey = kmalloc(len2 + 1, GFP_KERNEL);
1146                 if (!cladatum->comkey) {
1147                         rc = -ENOMEM;
1148                         goto bad;
1149                 }
1150                 rc = next_entry(cladatum->comkey, fp, len2);
1151                 if (rc < 0)
1152                         goto bad;
1153                 cladatum->comkey[len2] = '\0';
1154
1155                 cladatum->comdatum = hashtab_search(p->p_commons.table,
1156                                                     cladatum->comkey);
1157                 if (!cladatum->comdatum) {
1158                         printk(KERN_ERR "SELinux:  unknown common %s\n",
1159                                cladatum->comkey);
1160                         rc = -EINVAL;
1161                         goto bad;
1162                 }
1163         }
1164         for (i = 0; i < nel; i++) {
1165                 rc = perm_read(p, cladatum->permissions.table, fp);
1166                 if (rc)
1167                         goto bad;
1168         }
1169
1170         rc = read_cons_helper(&cladatum->constraints, ncons, 0, fp);
1171         if (rc)
1172                 goto bad;
1173
1174         if (p->policyvers >= POLICYDB_VERSION_VALIDATETRANS) {
1175                 /* grab the validatetrans rules */
1176                 rc = next_entry(buf, fp, sizeof(u32));
1177                 if (rc < 0)
1178                         goto bad;
1179                 ncons = le32_to_cpu(buf[0]);
1180                 rc = read_cons_helper(&cladatum->validatetrans, ncons, 1, fp);
1181                 if (rc)
1182                         goto bad;
1183         }
1184
1185         rc = hashtab_insert(h, key, cladatum);
1186         if (rc)
1187                 goto bad;
1188
1189         rc = 0;
1190 out:
1191         return rc;
1192 bad:
1193         cls_destroy(key, cladatum, NULL);
1194         goto out;
1195 }
1196
1197 static int role_read(struct policydb *p, struct hashtab *h, void *fp)
1198 {
1199         char *key = NULL;
1200         struct role_datum *role;
1201         int rc, to_read = 2;
1202         __le32 buf[3];
1203         u32 len;
1204
1205         role = kzalloc(sizeof(*role), GFP_KERNEL);
1206         if (!role) {
1207                 rc = -ENOMEM;
1208                 goto out;
1209         }
1210
1211         if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
1212                 to_read = 3;
1213
1214         rc = next_entry(buf, fp, sizeof(buf[0]) * to_read);
1215         if (rc < 0)
1216                 goto bad;
1217
1218         len = le32_to_cpu(buf[0]);
1219         role->value = le32_to_cpu(buf[1]);
1220         if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
1221                 role->bounds = le32_to_cpu(buf[2]);
1222
1223         key = kmalloc(len + 1, GFP_KERNEL);
1224         if (!key) {
1225                 rc = -ENOMEM;
1226                 goto bad;
1227         }
1228         rc = next_entry(key, fp, len);
1229         if (rc < 0)
1230                 goto bad;
1231         key[len] = '\0';
1232
1233         rc = ebitmap_read(&role->dominates, fp);
1234         if (rc)
1235                 goto bad;
1236
1237         rc = ebitmap_read(&role->types, fp);
1238         if (rc)
1239                 goto bad;
1240
1241         if (strcmp(key, OBJECT_R) == 0) {
1242                 if (role->value != OBJECT_R_VAL) {
1243                         printk(KERN_ERR "SELinux: Role %s has wrong value %d\n",
1244                                OBJECT_R, role->value);
1245                         rc = -EINVAL;
1246                         goto bad;
1247                 }
1248                 rc = 0;
1249                 goto bad;
1250         }
1251
1252         rc = hashtab_insert(h, key, role);
1253         if (rc)
1254                 goto bad;
1255 out:
1256         return rc;
1257 bad:
1258         role_destroy(key, role, NULL);
1259         goto out;
1260 }
1261
1262 static int type_read(struct policydb *p, struct hashtab *h, void *fp)
1263 {
1264         char *key = NULL;
1265         struct type_datum *typdatum;
1266         int rc, to_read = 3;
1267         __le32 buf[4];
1268         u32 len;
1269
1270         typdatum = kzalloc(sizeof(*typdatum), GFP_KERNEL);
1271         if (!typdatum) {
1272                 rc = -ENOMEM;
1273                 return rc;
1274         }
1275
1276         if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
1277                 to_read = 4;
1278
1279         rc = next_entry(buf, fp, sizeof(buf[0]) * to_read);
1280         if (rc < 0)
1281                 goto bad;
1282
1283         len = le32_to_cpu(buf[0]);
1284         typdatum->value = le32_to_cpu(buf[1]);
1285         if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) {
1286                 u32 prop = le32_to_cpu(buf[2]);
1287
1288                 if (prop & TYPEDATUM_PROPERTY_PRIMARY)
1289                         typdatum->primary = 1;
1290                 if (prop & TYPEDATUM_PROPERTY_ATTRIBUTE)
1291                         typdatum->attribute = 1;
1292
1293                 typdatum->bounds = le32_to_cpu(buf[3]);
1294         } else {
1295                 typdatum->primary = le32_to_cpu(buf[2]);
1296         }
1297
1298         key = kmalloc(len + 1, GFP_KERNEL);
1299         if (!key) {
1300                 rc = -ENOMEM;
1301                 goto bad;
1302         }
1303         rc = next_entry(key, fp, len);
1304         if (rc < 0)
1305                 goto bad;
1306         key[len] = '\0';
1307
1308         rc = hashtab_insert(h, key, typdatum);
1309         if (rc)
1310                 goto bad;
1311 out:
1312         return rc;
1313 bad:
1314         type_destroy(key, typdatum, NULL);
1315         goto out;
1316 }
1317
1318
1319 /*
1320  * Read a MLS level structure from a policydb binary
1321  * representation file.
1322  */
1323 static int mls_read_level(struct mls_level *lp, void *fp)
1324 {
1325         __le32 buf[1];
1326         int rc;
1327
1328         memset(lp, 0, sizeof(*lp));
1329
1330         rc = next_entry(buf, fp, sizeof buf);
1331         if (rc < 0) {
1332                 printk(KERN_ERR "SELinux: mls: truncated level\n");
1333                 goto bad;
1334         }
1335         lp->sens = le32_to_cpu(buf[0]);
1336
1337         if (ebitmap_read(&lp->cat, fp)) {
1338                 printk(KERN_ERR "SELinux: mls:  error reading level "
1339                        "categories\n");
1340                 goto bad;
1341         }
1342
1343         return 0;
1344
1345 bad:
1346         return -EINVAL;
1347 }
1348
1349 static int user_read(struct policydb *p, struct hashtab *h, void *fp)
1350 {
1351         char *key = NULL;
1352         struct user_datum *usrdatum;
1353         int rc, to_read = 2;
1354         __le32 buf[3];
1355         u32 len;
1356
1357         usrdatum = kzalloc(sizeof(*usrdatum), GFP_KERNEL);
1358         if (!usrdatum) {
1359                 rc = -ENOMEM;
1360                 goto out;
1361         }
1362
1363         if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
1364                 to_read = 3;
1365
1366         rc = next_entry(buf, fp, sizeof(buf[0]) * to_read);
1367         if (rc < 0)
1368                 goto bad;
1369
1370         len = le32_to_cpu(buf[0]);
1371         usrdatum->value = le32_to_cpu(buf[1]);
1372         if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
1373                 usrdatum->bounds = le32_to_cpu(buf[2]);
1374
1375         key = kmalloc(len + 1, GFP_KERNEL);
1376         if (!key) {
1377                 rc = -ENOMEM;
1378                 goto bad;
1379         }
1380         rc = next_entry(key, fp, len);
1381         if (rc < 0)
1382                 goto bad;
1383         key[len] = '\0';
1384
1385         rc = ebitmap_read(&usrdatum->roles, fp);
1386         if (rc)
1387                 goto bad;
1388
1389         if (p->policyvers >= POLICYDB_VERSION_MLS) {
1390                 rc = mls_read_range_helper(&usrdatum->range, fp);
1391                 if (rc)
1392                         goto bad;
1393                 rc = mls_read_level(&usrdatum->dfltlevel, fp);
1394                 if (rc)
1395                         goto bad;
1396         }
1397
1398         rc = hashtab_insert(h, key, usrdatum);
1399         if (rc)
1400                 goto bad;
1401 out:
1402         return rc;
1403 bad:
1404         user_destroy(key, usrdatum, NULL);
1405         goto out;
1406 }
1407
1408 static int sens_read(struct policydb *p, struct hashtab *h, void *fp)
1409 {
1410         char *key = NULL;
1411         struct level_datum *levdatum;
1412         int rc;
1413         __le32 buf[2];
1414         u32 len;
1415
1416         levdatum = kzalloc(sizeof(*levdatum), GFP_ATOMIC);
1417         if (!levdatum) {
1418                 rc = -ENOMEM;
1419                 goto out;
1420         }
1421
1422         rc = next_entry(buf, fp, sizeof buf);
1423         if (rc < 0)
1424                 goto bad;
1425
1426         len = le32_to_cpu(buf[0]);
1427         levdatum->isalias = le32_to_cpu(buf[1]);
1428
1429         key = kmalloc(len + 1, GFP_ATOMIC);
1430         if (!key) {
1431                 rc = -ENOMEM;
1432                 goto bad;
1433         }
1434         rc = next_entry(key, fp, len);
1435         if (rc < 0)
1436                 goto bad;
1437         key[len] = '\0';
1438
1439         levdatum->level = kmalloc(sizeof(struct mls_level), GFP_ATOMIC);
1440         if (!levdatum->level) {
1441                 rc = -ENOMEM;
1442                 goto bad;
1443         }
1444         if (mls_read_level(levdatum->level, fp)) {
1445                 rc = -EINVAL;
1446                 goto bad;
1447         }
1448
1449         rc = hashtab_insert(h, key, levdatum);
1450         if (rc)
1451                 goto bad;
1452 out:
1453         return rc;
1454 bad:
1455         sens_destroy(key, levdatum, NULL);
1456         goto out;
1457 }
1458
1459 static int cat_read(struct policydb *p, struct hashtab *h, void *fp)
1460 {
1461         char *key = NULL;
1462         struct cat_datum *catdatum;
1463         int rc;
1464         __le32 buf[3];
1465         u32 len;
1466
1467         catdatum = kzalloc(sizeof(*catdatum), GFP_ATOMIC);
1468         if (!catdatum) {
1469                 rc = -ENOMEM;
1470                 goto out;
1471         }
1472
1473         rc = next_entry(buf, fp, sizeof buf);
1474         if (rc < 0)
1475                 goto bad;
1476
1477         len = le32_to_cpu(buf[0]);
1478         catdatum->value = le32_to_cpu(buf[1]);
1479         catdatum->isalias = le32_to_cpu(buf[2]);
1480
1481         key = kmalloc(len + 1, GFP_ATOMIC);
1482         if (!key) {
1483                 rc = -ENOMEM;
1484                 goto bad;
1485         }
1486         rc = next_entry(key, fp, len);
1487         if (rc < 0)
1488                 goto bad;
1489         key[len] = '\0';
1490
1491         rc = hashtab_insert(h, key, catdatum);
1492         if (rc)
1493                 goto bad;
1494 out:
1495         return rc;
1496
1497 bad:
1498         cat_destroy(key, catdatum, NULL);
1499         goto out;
1500 }
1501
1502 static int (*read_f[SYM_NUM]) (struct policydb *p, struct hashtab *h, void *fp) =
1503 {
1504         common_read,
1505         class_read,
1506         role_read,
1507         type_read,
1508         user_read,
1509         cond_read_bool,
1510         sens_read,
1511         cat_read,
1512 };
1513
1514 static int user_bounds_sanity_check(void *key, void *datum, void *datap)
1515 {
1516         struct user_datum *upper, *user;
1517         struct policydb *p = datap;
1518         int depth = 0;
1519
1520         upper = user = datum;
1521         while (upper->bounds) {
1522                 struct ebitmap_node *node;
1523                 unsigned long bit;
1524
1525                 if (++depth == POLICYDB_BOUNDS_MAXDEPTH) {
1526                         printk(KERN_ERR "SELinux: user %s: "
1527                                "too deep or looped boundary",
1528                                (char *) key);
1529                         return -EINVAL;
1530                 }
1531
1532                 upper = p->user_val_to_struct[upper->bounds - 1];
1533                 ebitmap_for_each_positive_bit(&user->roles, node, bit) {
1534                         if (ebitmap_get_bit(&upper->roles, bit))
1535                                 continue;
1536
1537                         printk(KERN_ERR
1538                                "SELinux: boundary violated policy: "
1539                                "user=%s role=%s bounds=%s\n",
1540                                p->p_user_val_to_name[user->value - 1],
1541                                p->p_role_val_to_name[bit],
1542                                p->p_user_val_to_name[upper->value - 1]);
1543
1544                         return -EINVAL;
1545                 }
1546         }
1547
1548         return 0;
1549 }
1550
1551 static int role_bounds_sanity_check(void *key, void *datum, void *datap)
1552 {
1553         struct role_datum *upper, *role;
1554         struct policydb *p = datap;
1555         int depth = 0;
1556
1557         upper = role = datum;
1558         while (upper->bounds) {
1559                 struct ebitmap_node *node;
1560                 unsigned long bit;
1561
1562                 if (++depth == POLICYDB_BOUNDS_MAXDEPTH) {
1563                         printk(KERN_ERR "SELinux: role %s: "
1564                                "too deep or looped bounds\n",
1565                                (char *) key);
1566                         return -EINVAL;
1567                 }
1568
1569                 upper = p->role_val_to_struct[upper->bounds - 1];
1570                 ebitmap_for_each_positive_bit(&role->types, node, bit) {
1571                         if (ebitmap_get_bit(&upper->types, bit))
1572                                 continue;
1573
1574                         printk(KERN_ERR
1575                                "SELinux: boundary violated policy: "
1576                                "role=%s type=%s bounds=%s\n",
1577                                p->p_role_val_to_name[role->value - 1],
1578                                p->p_type_val_to_name[bit],
1579                                p->p_role_val_to_name[upper->value - 1]);
1580
1581                         return -EINVAL;
1582                 }
1583         }
1584
1585         return 0;
1586 }
1587
1588 static int type_bounds_sanity_check(void *key, void *datum, void *datap)
1589 {
1590         struct type_datum *upper, *type;
1591         struct policydb *p = datap;
1592         int depth = 0;
1593
1594         upper = type = datum;
1595         while (upper->bounds) {
1596                 if (++depth == POLICYDB_BOUNDS_MAXDEPTH) {
1597                         printk(KERN_ERR "SELinux: type %s: "
1598                                "too deep or looped boundary\n",
1599                                (char *) key);
1600                         return -EINVAL;
1601                 }
1602
1603                 upper = p->type_val_to_struct[upper->bounds - 1];
1604                 if (upper->attribute) {
1605                         printk(KERN_ERR "SELinux: type %s: "
1606                                "bounded by attribute %s",
1607                                (char *) key,
1608                                p->p_type_val_to_name[upper->value - 1]);
1609                         return -EINVAL;
1610                 }
1611         }
1612
1613         return 0;
1614 }
1615
1616 static int policydb_bounds_sanity_check(struct policydb *p)
1617 {
1618         int rc;
1619
1620         if (p->policyvers < POLICYDB_VERSION_BOUNDARY)
1621                 return 0;
1622
1623         rc = hashtab_map(p->p_users.table,
1624                          user_bounds_sanity_check, p);
1625         if (rc)
1626                 return rc;
1627
1628         rc = hashtab_map(p->p_roles.table,
1629                          role_bounds_sanity_check, p);
1630         if (rc)
1631                 return rc;
1632
1633         rc = hashtab_map(p->p_types.table,
1634                          type_bounds_sanity_check, p);
1635         if (rc)
1636                 return rc;
1637
1638         return 0;
1639 }
1640
1641 extern int ss_initialized;
1642
1643 /*
1644  * Read the configuration data from a policy database binary
1645  * representation file into a policy database structure.
1646  */
1647 int policydb_read(struct policydb *p, void *fp)
1648 {
1649         struct role_allow *ra, *lra;
1650         struct role_trans *tr, *ltr;
1651         struct ocontext *l, *c, *newc;
1652         struct genfs *genfs_p, *genfs, *newgenfs;
1653         int i, j, rc;
1654         __le32 buf[4];
1655         u32 nodebuf[8];
1656         u32 len, len2, config, nprim, nel, nel2;
1657         char *policydb_str;
1658         struct policydb_compat_info *info;
1659         struct range_trans *rt, *lrt;
1660
1661         config = 0;
1662
1663         rc = policydb_init(p);
1664         if (rc)
1665                 goto out;
1666
1667         /* Read the magic number and string length. */
1668         rc = next_entry(buf, fp, sizeof(u32) * 2);
1669         if (rc < 0)
1670                 goto bad;
1671
1672         if (le32_to_cpu(buf[0]) != POLICYDB_MAGIC) {
1673                 printk(KERN_ERR "SELinux:  policydb magic number 0x%x does "
1674                        "not match expected magic number 0x%x\n",
1675                        le32_to_cpu(buf[0]), POLICYDB_MAGIC);
1676                 goto bad;
1677         }
1678
1679         len = le32_to_cpu(buf[1]);
1680         if (len != strlen(POLICYDB_STRING)) {
1681                 printk(KERN_ERR "SELinux:  policydb string length %d does not "
1682                        "match expected length %Zu\n",
1683                        len, strlen(POLICYDB_STRING));
1684                 goto bad;
1685         }
1686         policydb_str = kmalloc(len + 1, GFP_KERNEL);
1687         if (!policydb_str) {
1688                 printk(KERN_ERR "SELinux:  unable to allocate memory for policydb "
1689                        "string of length %d\n", len);
1690                 rc = -ENOMEM;
1691                 goto bad;
1692         }
1693         rc = next_entry(policydb_str, fp, len);
1694         if (rc < 0) {
1695                 printk(KERN_ERR "SELinux:  truncated policydb string identifier\n");
1696                 kfree(policydb_str);
1697                 goto bad;
1698         }
1699         policydb_str[len] = '\0';
1700         if (strcmp(policydb_str, POLICYDB_STRING)) {
1701                 printk(KERN_ERR "SELinux:  policydb string %s does not match "
1702                        "my string %s\n", policydb_str, POLICYDB_STRING);
1703                 kfree(policydb_str);
1704                 goto bad;
1705         }
1706         /* Done with policydb_str. */
1707         kfree(policydb_str);
1708         policydb_str = NULL;
1709
1710         /* Read the version, config, and table sizes. */
1711         rc = next_entry(buf, fp, sizeof(u32)*4);
1712         if (rc < 0)
1713                 goto bad;
1714
1715         p->policyvers = le32_to_cpu(buf[0]);
1716         if (p->policyvers < POLICYDB_VERSION_MIN ||
1717             p->policyvers > POLICYDB_VERSION_MAX) {
1718                 printk(KERN_ERR "SELinux:  policydb version %d does not match "
1719                        "my version range %d-%d\n",
1720                        le32_to_cpu(buf[0]), POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
1721                 goto bad;
1722         }
1723
1724         if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_MLS)) {
1725                 if (ss_initialized && !selinux_mls_enabled) {
1726                         printk(KERN_ERR "SELinux: Cannot switch between non-MLS"
1727                                 " and MLS policies\n");
1728                         goto bad;
1729                 }
1730                 selinux_mls_enabled = 1;
1731                 config |= POLICYDB_CONFIG_MLS;
1732
1733                 if (p->policyvers < POLICYDB_VERSION_MLS) {
1734                         printk(KERN_ERR "SELinux: security policydb version %d "
1735                                 "(MLS) not backwards compatible\n",
1736                                 p->policyvers);
1737                         goto bad;
1738                 }
1739         } else {
1740                 if (ss_initialized && selinux_mls_enabled) {
1741                         printk(KERN_ERR "SELinux: Cannot switch between MLS and"
1742                                 " non-MLS policies\n");
1743                         goto bad;
1744                 }
1745         }
1746         p->reject_unknown = !!(le32_to_cpu(buf[1]) & REJECT_UNKNOWN);
1747         p->allow_unknown = !!(le32_to_cpu(buf[1]) & ALLOW_UNKNOWN);
1748
1749         if (p->policyvers >= POLICYDB_VERSION_POLCAP &&
1750             ebitmap_read(&p->policycaps, fp) != 0)
1751                 goto bad;
1752
1753         if (p->policyvers >= POLICYDB_VERSION_PERMISSIVE &&
1754             ebitmap_read(&p->permissive_map, fp) != 0)
1755                 goto bad;
1756
1757         info = policydb_lookup_compat(p->policyvers);
1758         if (!info) {
1759                 printk(KERN_ERR "SELinux:  unable to find policy compat info "
1760                        "for version %d\n", p->policyvers);
1761                 goto bad;
1762         }
1763
1764         if (le32_to_cpu(buf[2]) != info->sym_num ||
1765                 le32_to_cpu(buf[3]) != info->ocon_num) {
1766                 printk(KERN_ERR "SELinux:  policydb table sizes (%d,%d) do "
1767                        "not match mine (%d,%d)\n", le32_to_cpu(buf[2]),
1768                         le32_to_cpu(buf[3]),
1769                        info->sym_num, info->ocon_num);
1770                 goto bad;
1771         }
1772
1773         for (i = 0; i < info->sym_num; i++) {
1774                 rc = next_entry(buf, fp, sizeof(u32)*2);
1775                 if (rc < 0)
1776                         goto bad;
1777                 nprim = le32_to_cpu(buf[0]);
1778                 nel = le32_to_cpu(buf[1]);
1779                 for (j = 0; j < nel; j++) {
1780                         rc = read_f[i](p, p->symtab[i].table, fp);
1781                         if (rc)
1782                                 goto bad;
1783                 }
1784
1785                 p->symtab[i].nprim = nprim;
1786         }
1787
1788         rc = avtab_read(&p->te_avtab, fp, p);
1789         if (rc)
1790                 goto bad;
1791
1792         if (p->policyvers >= POLICYDB_VERSION_BOOL) {
1793                 rc = cond_read_list(p, fp);
1794                 if (rc)
1795                         goto bad;
1796         }
1797
1798         rc = next_entry(buf, fp, sizeof(u32));
1799         if (rc < 0)
1800                 goto bad;
1801         nel = le32_to_cpu(buf[0]);
1802         ltr = NULL;
1803         for (i = 0; i < nel; i++) {
1804                 tr = kzalloc(sizeof(*tr), GFP_KERNEL);
1805                 if (!tr) {
1806                         rc = -ENOMEM;
1807                         goto bad;
1808                 }
1809                 if (ltr)
1810                         ltr->next = tr;
1811                 else
1812                         p->role_tr = tr;
1813                 rc = next_entry(buf, fp, sizeof(u32)*3);
1814                 if (rc < 0)
1815                         goto bad;
1816                 tr->role = le32_to_cpu(buf[0]);
1817                 tr->type = le32_to_cpu(buf[1]);
1818                 tr->new_role = le32_to_cpu(buf[2]);
1819                 if (!policydb_role_isvalid(p, tr->role) ||
1820                     !policydb_type_isvalid(p, tr->type) ||
1821                     !policydb_role_isvalid(p, tr->new_role)) {
1822                         rc = -EINVAL;
1823                         goto bad;
1824                 }
1825                 ltr = tr;
1826         }
1827
1828         rc = next_entry(buf, fp, sizeof(u32));
1829         if (rc < 0)
1830                 goto bad;
1831         nel = le32_to_cpu(buf[0]);
1832         lra = NULL;
1833         for (i = 0; i < nel; i++) {
1834                 ra = kzalloc(sizeof(*ra), GFP_KERNEL);
1835                 if (!ra) {
1836                         rc = -ENOMEM;
1837                         goto bad;
1838                 }
1839                 if (lra)
1840                         lra->next = ra;
1841                 else
1842                         p->role_allow = ra;
1843                 rc = next_entry(buf, fp, sizeof(u32)*2);
1844                 if (rc < 0)
1845                         goto bad;
1846                 ra->role = le32_to_cpu(buf[0]);
1847                 ra->new_role = le32_to_cpu(buf[1]);
1848                 if (!policydb_role_isvalid(p, ra->role) ||
1849                     !policydb_role_isvalid(p, ra->new_role)) {
1850                         rc = -EINVAL;
1851                         goto bad;
1852                 }
1853                 lra = ra;
1854         }
1855
1856         rc = policydb_index_classes(p);
1857         if (rc)
1858                 goto bad;
1859
1860         rc = policydb_index_others(p);
1861         if (rc)
1862                 goto bad;
1863
1864         for (i = 0; i < info->ocon_num; i++) {
1865                 rc = next_entry(buf, fp, sizeof(u32));
1866                 if (rc < 0)
1867                         goto bad;
1868                 nel = le32_to_cpu(buf[0]);
1869                 l = NULL;
1870                 for (j = 0; j < nel; j++) {
1871                         c = kzalloc(sizeof(*c), GFP_KERNEL);
1872                         if (!c) {
1873                                 rc = -ENOMEM;
1874                                 goto bad;
1875                         }
1876                         if (l)
1877                                 l->next = c;
1878                         else
1879                                 p->ocontexts[i] = c;
1880                         l = c;
1881                         rc = -EINVAL;
1882                         switch (i) {
1883                         case OCON_ISID:
1884                                 rc = next_entry(buf, fp, sizeof(u32));
1885                                 if (rc < 0)
1886                                         goto bad;
1887                                 c->sid[0] = le32_to_cpu(buf[0]);
1888                                 rc = context_read_and_validate(&c->context[0], p, fp);
1889                                 if (rc)
1890                                         goto bad;
1891                                 break;
1892                         case OCON_FS:
1893                         case OCON_NETIF:
1894                                 rc = next_entry(buf, fp, sizeof(u32));
1895                                 if (rc < 0)
1896                                         goto bad;
1897                                 len = le32_to_cpu(buf[0]);
1898                                 c->u.name = kmalloc(len + 1, GFP_KERNEL);
1899                                 if (!c->u.name) {
1900                                         rc = -ENOMEM;
1901                                         goto bad;
1902                                 }
1903                                 rc = next_entry(c->u.name, fp, len);
1904                                 if (rc < 0)
1905                                         goto bad;
1906                                 c->u.name[len] = 0;
1907                                 rc = context_read_and_validate(&c->context[0], p, fp);
1908                                 if (rc)
1909                                         goto bad;
1910                                 rc = context_read_and_validate(&c->context[1], p, fp);
1911                                 if (rc)
1912                                         goto bad;
1913                                 break;
1914                         case OCON_PORT:
1915                                 rc = next_entry(buf, fp, sizeof(u32)*3);
1916                                 if (rc < 0)
1917                                         goto bad;
1918                                 c->u.port.protocol = le32_to_cpu(buf[0]);
1919                                 c->u.port.low_port = le32_to_cpu(buf[1]);
1920                                 c->u.port.high_port = le32_to_cpu(buf[2]);
1921                                 rc = context_read_and_validate(&c->context[0], p, fp);
1922                                 if (rc)
1923                                         goto bad;
1924                                 break;
1925                         case OCON_NODE:
1926                                 rc = next_entry(nodebuf, fp, sizeof(u32) * 2);
1927                                 if (rc < 0)
1928                                         goto bad;
1929                                 c->u.node.addr = nodebuf[0]; /* network order */
1930                                 c->u.node.mask = nodebuf[1]; /* network order */
1931                                 rc = context_read_and_validate(&c->context[0], p, fp);
1932                                 if (rc)
1933                                         goto bad;
1934                                 break;
1935                         case OCON_FSUSE:
1936                                 rc = next_entry(buf, fp, sizeof(u32)*2);
1937                                 if (rc < 0)
1938                                         goto bad;
1939                                 c->v.behavior = le32_to_cpu(buf[0]);
1940                                 if (c->v.behavior > SECURITY_FS_USE_NONE)
1941                                         goto bad;
1942                                 len = le32_to_cpu(buf[1]);
1943                                 c->u.name = kmalloc(len + 1, GFP_KERNEL);
1944                                 if (!c->u.name) {
1945                                         rc = -ENOMEM;
1946                                         goto bad;
1947                                 }
1948                                 rc = next_entry(c->u.name, fp, len);
1949                                 if (rc < 0)
1950                                         goto bad;
1951                                 c->u.name[len] = 0;
1952                                 rc = context_read_and_validate(&c->context[0], p, fp);
1953                                 if (rc)
1954                                         goto bad;
1955                                 break;
1956                         case OCON_NODE6: {
1957                                 int k;
1958
1959                                 rc = next_entry(nodebuf, fp, sizeof(u32) * 8);
1960                                 if (rc < 0)
1961                                         goto bad;
1962                                 for (k = 0; k < 4; k++)
1963                                         c->u.node6.addr[k] = nodebuf[k];
1964                                 for (k = 0; k < 4; k++)
1965                                         c->u.node6.mask[k] = nodebuf[k+4];
1966                                 if (context_read_and_validate(&c->context[0], p, fp))
1967                                         goto bad;
1968                                 break;
1969                         }
1970                         }
1971                 }
1972         }
1973
1974         rc = next_entry(buf, fp, sizeof(u32));
1975         if (rc < 0)
1976                 goto bad;
1977         nel = le32_to_cpu(buf[0]);
1978         genfs_p = NULL;
1979         rc = -EINVAL;
1980         for (i = 0; i < nel; i++) {
1981                 rc = next_entry(buf, fp, sizeof(u32));
1982                 if (rc < 0)
1983                         goto bad;
1984                 len = le32_to_cpu(buf[0]);
1985                 newgenfs = kzalloc(sizeof(*newgenfs), GFP_KERNEL);
1986                 if (!newgenfs) {
1987                         rc = -ENOMEM;
1988                         goto bad;
1989                 }
1990
1991                 newgenfs->fstype = kmalloc(len + 1, GFP_KERNEL);
1992                 if (!newgenfs->fstype) {
1993                         rc = -ENOMEM;
1994                         kfree(newgenfs);
1995                         goto bad;
1996                 }
1997                 rc = next_entry(newgenfs->fstype, fp, len);
1998                 if (rc < 0) {
1999                         kfree(newgenfs->fstype);
2000                         kfree(newgenfs);
2001                         goto bad;
2002                 }
2003                 newgenfs->fstype[len] = 0;
2004                 for (genfs_p = NULL, genfs = p->genfs; genfs;
2005                      genfs_p = genfs, genfs = genfs->next) {
2006                         if (strcmp(newgenfs->fstype, genfs->fstype) == 0) {
2007                                 printk(KERN_ERR "SELinux:  dup genfs "
2008                                        "fstype %s\n", newgenfs->fstype);
2009                                 kfree(newgenfs->fstype);
2010                                 kfree(newgenfs);
2011                                 goto bad;
2012                         }
2013                         if (strcmp(newgenfs->fstype, genfs->fstype) < 0)
2014                                 break;
2015                 }
2016                 newgenfs->next = genfs;
2017                 if (genfs_p)
2018                         genfs_p->next = newgenfs;
2019                 else
2020                         p->genfs = newgenfs;
2021                 rc = next_entry(buf, fp, sizeof(u32));
2022                 if (rc < 0)
2023                         goto bad;
2024                 nel2 = le32_to_cpu(buf[0]);
2025                 for (j = 0; j < nel2; j++) {
2026                         rc = next_entry(buf, fp, sizeof(u32));
2027                         if (rc < 0)
2028                                 goto bad;
2029                         len = le32_to_cpu(buf[0]);
2030
2031                         newc = kzalloc(sizeof(*newc), GFP_KERNEL);
2032                         if (!newc) {
2033                                 rc = -ENOMEM;
2034                                 goto bad;
2035                         }
2036
2037                         newc->u.name = kmalloc(len + 1, GFP_KERNEL);
2038                         if (!newc->u.name) {
2039                                 rc = -ENOMEM;
2040                                 goto bad_newc;
2041                         }
2042                         rc = next_entry(newc->u.name, fp, len);
2043                         if (rc < 0)
2044                                 goto bad_newc;
2045                         newc->u.name[len] = 0;
2046                         rc = next_entry(buf, fp, sizeof(u32));
2047                         if (rc < 0)
2048                                 goto bad_newc;
2049                         newc->v.sclass = le32_to_cpu(buf[0]);
2050                         if (context_read_and_validate(&newc->context[0], p, fp))
2051                                 goto bad_newc;
2052                         for (l = NULL, c = newgenfs->head; c;
2053                              l = c, c = c->next) {
2054                                 if (!strcmp(newc->u.name, c->u.name) &&
2055                                     (!c->v.sclass || !newc->v.sclass ||
2056                                      newc->v.sclass == c->v.sclass)) {
2057                                         printk(KERN_ERR "SELinux:  dup genfs "
2058                                                "entry (%s,%s)\n",
2059                                                newgenfs->fstype, c->u.name);
2060                                         goto bad_newc;
2061                                 }
2062                                 len = strlen(newc->u.name);
2063                                 len2 = strlen(c->u.name);
2064                                 if (len > len2)
2065                                         break;
2066                         }
2067
2068                         newc->next = c;
2069                         if (l)
2070                                 l->next = newc;
2071                         else
2072                                 newgenfs->head = newc;
2073                 }
2074         }
2075
2076         if (p->policyvers >= POLICYDB_VERSION_MLS) {
2077                 int new_rangetr = p->policyvers >= POLICYDB_VERSION_RANGETRANS;
2078                 rc = next_entry(buf, fp, sizeof(u32));
2079                 if (rc < 0)
2080                         goto bad;
2081                 nel = le32_to_cpu(buf[0]);
2082                 lrt = NULL;
2083                 for (i = 0; i < nel; i++) {
2084                         rt = kzalloc(sizeof(*rt), GFP_KERNEL);
2085                         if (!rt) {
2086                                 rc = -ENOMEM;
2087                                 goto bad;
2088                         }
2089                         if (lrt)
2090                                 lrt->next = rt;
2091                         else
2092                                 p->range_tr = rt;
2093                         rc = next_entry(buf, fp, (sizeof(u32) * 2));
2094                         if (rc < 0)
2095                                 goto bad;
2096                         rt->source_type = le32_to_cpu(buf[0]);
2097                         rt->target_type = le32_to_cpu(buf[1]);
2098                         if (new_rangetr) {
2099                                 rc = next_entry(buf, fp, sizeof(u32));
2100                                 if (rc < 0)
2101                                         goto bad;
2102                                 rt->target_class = le32_to_cpu(buf[0]);
2103                         } else
2104                                 rt->target_class = SECCLASS_PROCESS;
2105                         if (!policydb_type_isvalid(p, rt->source_type) ||
2106                             !policydb_type_isvalid(p, rt->target_type) ||
2107                             !policydb_class_isvalid(p, rt->target_class)) {
2108                                 rc = -EINVAL;
2109                                 goto bad;
2110                         }
2111                         rc = mls_read_range_helper(&rt->target_range, fp);
2112                         if (rc)
2113                                 goto bad;
2114                         if (!mls_range_isvalid(p, &rt->target_range)) {
2115                                 printk(KERN_WARNING "SELinux:  rangetrans:  invalid range\n");
2116                                 goto bad;
2117                         }
2118                         lrt = rt;
2119                 }
2120         }
2121
2122         p->type_attr_map = kmalloc(p->p_types.nprim*sizeof(struct ebitmap), GFP_KERNEL);
2123         if (!p->type_attr_map)
2124                 goto bad;
2125
2126         for (i = 0; i < p->p_types.nprim; i++) {
2127                 ebitmap_init(&p->type_attr_map[i]);
2128                 if (p->policyvers >= POLICYDB_VERSION_AVTAB) {
2129                         if (ebitmap_read(&p->type_attr_map[i], fp))
2130                                 goto bad;
2131                 }
2132                 /* add the type itself as the degenerate case */
2133                 if (ebitmap_set_bit(&p->type_attr_map[i], i, 1))
2134                                 goto bad;
2135         }
2136
2137         rc = policydb_bounds_sanity_check(p);
2138         if (rc)
2139                 goto bad;
2140
2141         rc = 0;
2142 out:
2143         return rc;
2144 bad_newc:
2145         ocontext_destroy(newc, OCON_FSUSE);
2146 bad:
2147         if (!rc)
2148                 rc = -EINVAL;
2149         policydb_destroy(p);
2150         goto out;
2151 }