authorDaniel De Graaf <dgdegra@tycho.nsa.gov>2012-09-17 21:10:07 +0100
committerDaniel De Graaf <dgdegra@tycho.nsa.gov>2012-09-17 21:10:07 +0100
commit23ef6c3662d4a106117ea8c1370e6d5f8016a7db (patch)
tree56e16476adf8832f38cab5cf34b6ec0408471bcd /xen/xsm
parentc892426ce32dc68487613a95c1bf6441e8b15e43 (diff)
xsm/flask: remove inherited class attributes
The ability to declare common permission blocks shared across multiple classes is not currently used in Xen. Support for this feature is also broken in the header generation scripts, and it is not expected to be used in the future, so remove the dead code.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>
Diffstat (limited to 'xen/xsm')
-rw-r--r--xen/xsm/flask/avc.c39
-rw-r--r--xen/xsm/flask/include/av_inherit.h1
-rw-r--r--xen/xsm/flask/include/avc_ss.h8
-rw-r--r--xen/xsm/flask/include/common_perm_to_string.h1
-rw-r--r--xen/xsm/flask/ss/policydb.c46
-rw-r--r--xen/xsm/flask/ss/services.c54
6 files changed, 6 insertions, 143 deletions
diff --git a/xen/xsm/flask/avc.c b/xen/xsm/flask/avc.c
index 44240a9282..7fede00fc7 100644
--- a/xen/xsm/flask/avc.c
+++ b/xen/xsm/flask/avc.c
@@ -45,28 +45,11 @@ static const char *class_to_string[] = {
#undef S_
};
-#define TB_(s) static const char * s [] = {
-#define TE_(s) };
-#define S_(s) s,
-#include "common_perm_to_string.h"
-#undef TB_
-#undef TE_
-#undef S_
-
-static const struct av_inherit av_inherit[] = {
-#define S_(c, i, b) { .tclass = c, .common_pts = common_##i##_perm_to_string, \
- .common_base = b },
-#include "av_inherit.h"
-#undef S_
-};
-
const struct selinux_class_perm selinux_class_perm = {
.av_perm_to_string = av_perm_to_string,
.av_pts_len = ARRAY_SIZE(av_perm_to_string),
.class_to_string = class_to_string,
.cts_len = ARRAY_SIZE(class_to_string),
- .av_inherit = av_inherit,
- .av_inherit_len = ARRAY_SIZE(av_inherit)
};
#define AVC_CACHE_SLOTS 512
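Review bot: The two removed `#include` lines point at headers the commit deletes, yet the diffstat (limited to xen/xsm) shows no change to the header-generation script the description calls broken, nor to any Makefile list of generated headers. If either still names `av_inherit.h` or `common_perm_to_string.h`, the build will regenerate or expect files that no longer have a consumer; worth confirming the generator side was updated in a sibling commit. The `selinux_class_perm` initializer is otherwise consistent with the struct change in avc_ss.h.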
@@ -181,8 +164,6 @@ static void avc_printk(struct avc_dump_buf *buf, const char *fmt, ...)
*/
static void avc_dump_av(struct avc_dump_buf *buf, u16 tclass, u32 av)
{
- const char **common_pts = NULL;
- u32 common_base = 0;
int i, i2, perm;
if ( av == 0 )
@@ -191,29 +172,9 @@ static void avc_dump_av(struct avc_dump_buf *buf, u16 tclass, u32 av)
return;
}
- for ( i = 0; i < ARRAY_SIZE(av_inherit); i++ )
- {
- if (av_inherit[i].tclass == tclass)
- {
- common_pts = av_inherit[i].common_pts;
- common_base = av_inherit[i].common_base;
- break;
- }
- }
-
avc_printk(buf, " {");
i = 0;
perm = 1;
- while ( perm < common_base )
- {
- if (perm & av)
- {
- avc_printk(buf, " %s", common_pts[i]);
- av &= ~perm;
- }
- i++;
- perm <<= 1;
- }
while ( i < sizeof(av) * 8 )
{
diff --git a/xen/xsm/flask/include/av_inherit.h b/xen/xsm/flask/include/av_inherit.h
deleted file mode 100644
index 321ffe7f3c..0000000000
--- a/xen/xsm/flask/include/av_inherit.h
+++ /dev/null
@@ -1 +0,0 @@
-/* This file is automatically generated. Do not edit. */
diff --git a/xen/xsm/flask/include/avc_ss.h b/xen/xsm/flask/include/avc_ss.h
index ea4e98c47e..a3d7d1ef07 100644
--- a/xen/xsm/flask/include/avc_ss.h
+++ b/xen/xsm/flask/include/avc_ss.h
@@ -16,19 +16,11 @@ struct av_perm_to_string {
const char *name;
};
-struct av_inherit {
- const char **common_pts;
- u32 common_base;
- u16 tclass;
-};
-
struct selinux_class_perm {
const struct av_perm_to_string *av_perm_to_string;
u32 av_pts_len;
u32 cts_len;
const char **class_to_string;
- const struct av_inherit *av_inherit;
- u32 av_inherit_len;
};
extern const struct selinux_class_perm selinux_class_perm;
diff --git a/xen/xsm/flask/include/common_perm_to_string.h b/xen/xsm/flask/include/common_perm_to_string.h
deleted file mode 100644
index 321ffe7f3c..0000000000
--- a/xen/xsm/flask/include/common_perm_to_string.h
+++ /dev/null
@@ -1 +0,0 @@
-/* This file is automatically generated. Do not edit. */
diff --git a/xen/xsm/flask/ss/policydb.c b/xen/xsm/flask/ss/policydb.c
index 26097b967a..fefcd59171 100644
--- a/xen/xsm/flask/ss/policydb.c
+++ b/xen/xsm/flask/ss/policydb.c
@@ -254,14 +254,6 @@ out_free_symtab:
static int common_index(void *key, void *datum, void *datap)
{
- struct policydb *p;
- struct common_datum *comdatum;
-
- comdatum = datum;
- p = datap;
- if ( !comdatum->value || comdatum->value > p->p_commons.nprim )
- return -EINVAL;
- p->p_common_val_to_name[comdatum->value - 1] = key;
return 0;
}
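Review bot: `common_index` is reduced to an unconditional `return 0;` with three unused parameters and nothing saying why it survives; presumably it remains an entry in `index_f[SYM_NUM]` (visible as context in the next hunk) so the commons slot stays callable, and that deserves a one-line comment such as `/* Commons are no longer indexed; kept as a no-op so index_f[] stays complete. */`. Relatedly, the policydb_index_classes hunk drops the allocation of `p_common_val_to_name`, but no policydb header appears in the diffstat, so if `struct policydb` still declares that field it is now never assigned; either remove the field or confirm that nothing (including the destroy path) still reads it.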
@@ -382,8 +374,7 @@ static int (*index_f[SYM_NUM]) (void *key, void *datum, void *datap) =
};
/*
- * Define the common val_to_name array and the class
- * val_to_name and val_to_struct arrays in a policy
+ * Define the class val_to_name and val_to_struct arrays in a policy
* database structure.
*
* Caller must clean up upon failure.
@@ -392,18 +383,6 @@ static int policydb_index_classes(struct policydb *p)
{
int rc;
- p->p_common_val_to_name =
- xmalloc_array(char *, p->p_commons.nprim);
- if ( !p->p_common_val_to_name )
- {
- rc = -ENOMEM;
- goto out;
- }
-
- rc = hashtab_map(p->p_commons.table, common_index, p);
- if ( rc )
- goto out;
-
p->class_val_to_struct =
xmalloc_array(struct class_datum *, p->p_classes.nprim);
if ( !p->class_val_to_struct )
@@ -1200,26 +1179,9 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp)
if ( len2 )
{
- cladatum->comkey = xmalloc_array(char, len2 + 1);
- if ( !cladatum->comkey )
- {
- rc = -ENOMEM;
- goto bad;
- }
- rc = next_entry(cladatum->comkey, fp, len2);
- if ( rc < 0 )
- goto bad;
- cladatum->comkey[len2] = 0;
-
- cladatum->comdatum = hashtab_search(p->p_commons.table,
- cladatum->comkey);
- if ( !cladatum->comdatum )
- {
- printk(KERN_ERR "Flask: unknown common %s\n",
- cladatum->comkey);
- rc = -EINVAL;
- goto bad;
- }
+ printk(KERN_ERR "Flask: classes with common prefixes are not supported\n");
+ rc = -EINVAL;
+ goto bad;
}
for ( i = 0; i < nel; i++ )
{
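Review bot: The new rejection in class_read tells the operator only that some class uses a common, not which one, so a policy refused at load time is hard to correct; including the class name read earlier in class_read (outside this hunk) in the message, e.g. `printk(KERN_ERR "Flask: class %s uses a common prefix, which is not supported\n", <class name>);`, would make the failure actionable. The message also says "common prefixes" while the policy language and the removed services.c diagnostic call this an inherits clause; aligning the wording helps policy authors. Failing before the old `xmalloc_array(char, len2 + 1)` is a welcome side effect, since `len2` came straight from the policy blob and was previously used as an unbounded allocation size.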
diff --git a/xen/xsm/flask/ss/services.c b/xen/xsm/flask/ss/services.c
index 363f586a7d..1bf3b0c0d7 100644
--- a/xen/xsm/flask/ss/services.c
+++ b/xen/xsm/flask/ss/services.c
@@ -1167,10 +1167,10 @@ int security_change_sid(u32 ssid, u32 tsid, u16 tclass, u32 *out_sid)
*/
static int validate_classes(struct policydb *p)
{
- int i, j;
+ int i;
struct class_datum *cladatum;
struct perm_datum *perdatum;
- u32 nprim, tmp, common_pts_len, perm_val, pol_val;
+ u32 nprim, perm_val, pol_val;
u16 class_val;
const struct selinux_class_perm *kdefs = &selinux_class_perm;
const char *def_class, *def_perm, *pol_class;
@@ -1233,56 +1233,6 @@ static int validate_classes(struct policydb *p)
return -EINVAL;
}
}
- for ( i = 0; i < kdefs->av_inherit_len; i++ )
- {
- class_val = kdefs->av_inherit[i].tclass;
- if ( class_val > p->p_classes.nprim )
- continue;
- pol_class = p->p_class_val_to_name[class_val-1];
- cladatum = hashtab_search(p->p_classes.table, pol_class);
- BUG_ON( !cladatum );
- if ( !cladatum->comdatum )
- {
- printk(KERN_ERR
- "Flask: class %s should have an inherits clause but does not\n",
- pol_class);
- return -EINVAL;
- }
- tmp = kdefs->av_inherit[i].common_base;
- common_pts_len = 0;
- while ( !(tmp & 0x01) )
- {
- common_pts_len++;
- tmp >>= 1;
- }
- perms = &cladatum->comdatum->permissions;
- for ( j = 0; j < common_pts_len; j++ )
- {
- def_perm = kdefs->av_inherit[i].common_pts[j];
- if ( j >= perms->nprim )
- {
- printk(KERN_INFO
- "Flask: permission %s in class %s not defined in policy\n",
- def_perm, pol_class);
- return -EINVAL;
- }
- perdatum = hashtab_search(perms->table, def_perm);
- if ( perdatum == NULL )
- {
- printk(KERN_ERR
- "Flask: permission %s in class %s not found in policy\n",
- def_perm, pol_class);
- return -EINVAL;
- }
- if ( perdatum->value != j + 1 )
- {
- printk(KERN_ERR
- "Flask: permission %s in class %s has incorrect value\n",
- def_perm, pol_class);
- return -EINVAL;
- }
- }
- }
return 0;
}