-rw-r--r--tools/flask/policy/policy/flask/Makefile2
-rw-r--r--tools/flask/policy/policy/flask/access_vectors17
-rw-r--r--tools/flask/policy/policy/flask/mkaccess_vector.sh89
-rw-r--r--xen/xsm/flask/avc.c39
-rw-r--r--xen/xsm/flask/include/av_inherit.h1
-rw-r--r--xen/xsm/flask/include/avc_ss.h8
-rw-r--r--xen/xsm/flask/include/common_perm_to_string.h1
-rw-r--r--xen/xsm/flask/ss/policydb.c46
-rw-r--r--xen/xsm/flask/ss/services.c54
9 files changed, 8 insertions, 249 deletions
diff --git a/tools/flask/policy/policy/flask/Makefile b/tools/flask/policy/policy/flask/Makefile
index 970b9fedce..5f57e88810 100644
--- a/tools/flask/policy/policy/flask/Makefile
+++ b/tools/flask/policy/policy/flask/Makefile
@@ -14,7 +14,7 @@ FLASK_H_DEPEND = security_classes initial_sids
AV_H_DEPEND = access_vectors
FLASK_H_FILES = class_to_string.h flask.h initial_sid_to_string.h
-AV_H_FILES = av_inherit.h common_perm_to_string.h av_perm_to_string.h av_permissions.h
+AV_H_FILES = av_perm_to_string.h av_permissions.h
ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES)
all: $(ALL_H_FILES)
diff --git a/tools/flask/policy/policy/flask/access_vectors b/tools/flask/policy/policy/flask/access_vectors
index 5901911d18..a884312b01 100644
--- a/tools/flask/policy/policy/flask/access_vectors
+++ b/tools/flask/policy/policy/flask/access_vectors
@@ -1,22 +1,7 @@
#
-# Define common prefixes for access vectors
-#
-# common common_name { permission_name ... }
-
-#
-# Define a common prefix for file access vectors.
-#
-
-
-#
# Define the access vectors.
#
-# class class_name [ inherits common_name ] { permission_name ... }
-
-
-#
-# Define the access vector interpretation for file-related objects.
-#
+# class class_name { permission_name ... }
class xen
{
diff --git a/tools/flask/policy/policy/flask/mkaccess_vector.sh b/tools/flask/policy/policy/flask/mkaccess_vector.sh
index b5da734b04..43a60a79e3 100644
--- a/tools/flask/policy/policy/flask/mkaccess_vector.sh
+++ b/tools/flask/policy/policy/flask/mkaccess_vector.sh
@@ -10,50 +10,21 @@ shift
# output files
av_permissions="av_permissions.h"
-av_inherit="av_inherit.h"
-common_perm_to_string="common_perm_to_string.h"
av_perm_to_string="av_perm_to_string.h"
cat $* | $awk "
BEGIN {
outfile = \"$av_permissions\"
- inheritfile = \"$av_inherit\"
- cpermfile = \"$common_perm_to_string\"
avpermfile = \"$av_perm_to_string\"
"'
nextstate = "COMMON_OR_AV";
printf("/* This file is automatically generated. Do not edit. */\n") > outfile;
- printf("/* This file is automatically generated. Do not edit. */\n") > inheritfile;
- printf("/* This file is automatically generated. Do not edit. */\n") > cpermfile;
printf("/* This file is automatically generated. Do not edit. */\n") > avpermfile;
;
}
/^[ \t]*#/ {
next;
}
-$1 == "common" {
- if (nextstate != "COMMON_OR_AV")
- {
- printf("Parse error: Unexpected COMMON definition on line %d\n", NR);
- next;
- }
-
- if ($2 in common_defined)
- {
- printf("Duplicate COMMON definition for %s on line %d.\n", $2, NR);
- next;
- }
- common_defined[$2] = 1;
-
- tclass = $2;
- common_name = $2;
- permission = 1;
-
- printf("TB_(common_%s_perm_to_string)\n", $2) > cpermfile;
-
- nextstate = "COMMON-OPENBRACKET";
- next;
- }
$1 == "class" {
if (nextstate != "COMMON_OR_AV" &&
nextstate != "CLASS_OR_CLASS-OPENBRACKET")
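Review bot: With the `common` rule deleted, an input line beginning with `common` no longer matches any pattern of this awk program, so unless a catch-all rule exists after this hunk it is silently skipped instead of producing the parse error the removed rule printed; the same applies to `inherits`, whose rule is removed in the next hunk. These generated headers fix the permission bit values the hypervisor enforces, so a stale policy source should fail the build loudly rather than yield a header that quietly omits definitions. One explicit rule covers both: `$1 == "common" || $1 == "inherits" { printf("Parse error: %s is no longer supported (line %d)\n", $1, NR); exit 1; }`. The awk program continues past the end of this hunk, and its initial `nextstate = "COMMON_OR_AV"` could be renamed now that no COMMON state can ever be entered.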
@@ -71,62 +42,11 @@ $1 == "class" {
}
av_defined[tclass] = 1;
- inherits = "";
permission = 1;
nextstate = "INHERITS_OR_CLASS-OPENBRACKET";
next;
}
-$1 == "inherits" {
- if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET")
- {
- printf("Parse error: Unexpected INHERITS definition on line %d\n", NR);
- next;
- }
-
- if (!($2 in common_defined))
- {
- printf("COMMON %s is not defined (line %d).\n", $2, NR);
- next;
- }
-
- inherits = $2;
- permission = common_base[$2];
-
- for (combined in common_perms)
- {
- split(combined,separate, SUBSEP);
- if (separate[1] == inherits)
- {
- inherited_perms[common_perms[combined]] = separate[2];
- }
- }
-
- j = 1;
- for (i in inherited_perms) {
- ind[j] = i + 0;
- j++;
- }
- n = asort(ind);
- for (i = 1; i <= n; i++) {
- perm = inherited_perms[ind[i]];
- printf("#define %s__%s", toupper(tclass), toupper(perm)) > outfile;
- spaces = 40 - (length(perm) + length(tclass));
- if (spaces < 1)
- spaces = 1;
- for (j = 0; j < spaces; j++)
- printf(" ") > outfile;
- printf("0x%08xUL\n", ind[i]) > outfile;
- }
- printf("\n") > outfile;
- for (i in ind) delete ind[i];
- for (i in inherited_perms) delete inherited_perms[i];
-
- printf(" S_(SECCLASS_%s, %s, 0x%08xUL)\n", toupper(tclass), inherits, permission) > inheritfile;
-
- nextstate = "CLASS_OR_CLASS-OPENBRACKET";
- next;
- }
$1 == "{" {
if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET" &&
nextstate != "CLASS_OR_CLASS-OPENBRACKET" &&
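Review bot: The state name `INHERITS_OR_CLASS-OPENBRACKET`, kept in the `nextstate =` assignment of the `class` rule and in the `{` rule's condition, is now misleading because the `inherits` rule that consumed that state is deleted in this hunk. Renaming it to `CLASS-OPENBRACKET` in both places would keep the state machine honest; if the rename is not wanted, a comment above the assignment such as `# inherits clauses are no longer accepted; only "{" may follow a class line` records why the name survives. The `{` rule's condition continues past the end of this hunk.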
@@ -177,15 +97,6 @@ $1 == "{" {
av_perms[tclass,$1] = permission;
- if (inherits != "")
- {
- if ((inherits,$1) in common_perms)
- {
- printf("Permission %s in %s on line %d conflicts with common permission.\n", $1, tclass, inherits, NR);
- next;
- }
- }
-
printf("#define %s__%s", toupper(tclass), toupper($1)) > outfile;
printf(" S_(SECCLASS_%s, %s__%s, \"%s\")\n", toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile;
diff --git a/xen/xsm/flask/avc.c b/xen/xsm/flask/avc.c
index 44240a9282..7fede00fc7 100644
--- a/xen/xsm/flask/avc.c
+++ b/xen/xsm/flask/avc.c
@@ -45,28 +45,11 @@ static const char *class_to_string[] = {
#undef S_
};
-#define TB_(s) static const char * s [] = {
-#define TE_(s) };
-#define S_(s) s,
-#include "common_perm_to_string.h"
-#undef TB_
-#undef TE_
-#undef S_
-
-static const struct av_inherit av_inherit[] = {
-#define S_(c, i, b) { .tclass = c, .common_pts = common_##i##_perm_to_string, \
- .common_base = b },
-#include "av_inherit.h"
-#undef S_
-};
-
const struct selinux_class_perm selinux_class_perm = {
.av_perm_to_string = av_perm_to_string,
.av_pts_len = ARRAY_SIZE(av_perm_to_string),
.class_to_string = class_to_string,
.cts_len = ARRAY_SIZE(class_to_string),
- .av_inherit = av_inherit,
- .av_inherit_len = ARRAY_SIZE(av_inherit)
};
#define AVC_CACHE_SLOTS 512
@@ -181,8 +164,6 @@ static void avc_printk(struct avc_dump_buf *buf, const char *fmt, ...)
*/
static void avc_dump_av(struct avc_dump_buf *buf, u16 tclass, u32 av)
{
- const char **common_pts = NULL;
- u32 common_base = 0;
int i, i2, perm;
if ( av == 0 )
@@ -191,29 +172,9 @@ static void avc_dump_av(struct avc_dump_buf *buf, u16 tclass, u32 av)
return;
}
- for ( i = 0; i < ARRAY_SIZE(av_inherit); i++ )
- {
- if (av_inherit[i].tclass == tclass)
- {
- common_pts = av_inherit[i].common_pts;
- common_base = av_inherit[i].common_base;
- break;
- }
- }
-
avc_printk(buf, " {");
i = 0;
perm = 1;
- while ( perm < common_base )
- {
- if (perm & av)
- {
- avc_printk(buf, " %s", common_pts[i]);
- av &= ~perm;
- }
- i++;
- perm <<= 1;
- }
while ( i < sizeof(av) * 8 )
{
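Review bot: After this removal `perm`, declared `int` in the preceding hunk, starts at 1 and feeds the surviving `while ( i < sizeof(av) * 8 )` loop directly; if that loop, whose body ends outside this hunk, advances with the same `perm <<= 1` the deleted common loop used, shifting a signed `int` from bit 30 into bit 31 is signed overflow and undefined behaviour. Declaring it `u32 perm = 1;`, the same width as `av`, removes the hazard and matches the mask it is tested against. This seems worth doing in the same change, since the common-prefix pass was the only other user of the variable.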
diff --git a/xen/xsm/flask/include/av_inherit.h b/xen/xsm/flask/include/av_inherit.h
deleted file mode 100644
index 321ffe7f3c..0000000000
--- a/xen/xsm/flask/include/av_inherit.h
+++ /dev/null
@@ -1 +0,0 @@
-/* This file is automatically generated. Do not edit. */
diff --git a/xen/xsm/flask/include/avc_ss.h b/xen/xsm/flask/include/avc_ss.h
index ea4e98c47e..a3d7d1ef07 100644
--- a/xen/xsm/flask/include/avc_ss.h
+++ b/xen/xsm/flask/include/avc_ss.h
@@ -16,19 +16,11 @@ struct av_perm_to_string {
const char *name;
};
-struct av_inherit {
- const char **common_pts;
- u32 common_base;
- u16 tclass;
-};
-
struct selinux_class_perm {
const struct av_perm_to_string *av_perm_to_string;
u32 av_pts_len;
u32 cts_len;
const char **class_to_string;
- const struct av_inherit *av_inherit;
- u32 av_inherit_len;
};
extern const struct selinux_class_perm selinux_class_perm;
diff --git a/xen/xsm/flask/include/common_perm_to_string.h b/xen/xsm/flask/include/common_perm_to_string.h
deleted file mode 100644
index 321ffe7f3c..0000000000
--- a/xen/xsm/flask/include/common_perm_to_string.h
+++ /dev/null
@@ -1 +0,0 @@
-/* This file is automatically generated. Do not edit. */
diff --git a/xen/xsm/flask/ss/policydb.c b/xen/xsm/flask/ss/policydb.c
index 26097b967a..fefcd59171 100644
--- a/xen/xsm/flask/ss/policydb.c
+++ b/xen/xsm/flask/ss/policydb.c
@@ -254,14 +254,6 @@ out_free_symtab:
static int common_index(void *key, void *datum, void *datap)
{
- struct policydb *p;
- struct common_datum *comdatum;
-
- comdatum = datum;
- p = datap;
- if ( !comdatum->value || comdatum->value > p->p_commons.nprim )
- return -EINVAL;
- p->p_common_val_to_name[comdatum->value - 1] = key;
return 0;
}
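Review bot: `common_index` is now an empty stub that ignores all three arguments and returns 0, apparently kept only because it still fills the commons slot of the `index_f` table shown in the next hunk, but nothing tells a reader this is deliberate. A comment above the function would, e.g. `/* Commons are read from the policy but never indexed: class_read() rejects any class that references one, so no val_to_name table is needed. */`. Since `p_common_val_to_name` is no longer allocated, confirm that the field is also dropped from `struct policydb` and from policydb_destroy(), both outside this diff, so a never-assigned pointer is not left behind.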
@@ -382,8 +374,7 @@ static int (*index_f[SYM_NUM]) (void *key, void *datum, void *datap) =
};
/*
- * Define the common val_to_name array and the class
- * val_to_name and val_to_struct arrays in a policy
+ * Define the class val_to_name and val_to_struct arrays in a policy
* database structure.
*
* Caller must clean up upon failure.
@@ -392,18 +383,6 @@ static int policydb_index_classes(struct policydb *p)
{
int rc;
- p->p_common_val_to_name =
- xmalloc_array(char *, p->p_commons.nprim);
- if ( !p->p_common_val_to_name )
- {
- rc = -ENOMEM;
- goto out;
- }
-
- rc = hashtab_map(p->p_commons.table, common_index, p);
- if ( rc )
- goto out;
-
p->class_val_to_struct =
xmalloc_array(struct class_datum *, p->p_classes.nprim);
if ( !p->class_val_to_struct )
@@ -1200,26 +1179,9 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp)
if ( len2 )
{
- cladatum->comkey = xmalloc_array(char, len2 + 1);
- if ( !cladatum->comkey )
- {
- rc = -ENOMEM;
- goto bad;
- }
- rc = next_entry(cladatum->comkey, fp, len2);
- if ( rc < 0 )
- goto bad;
- cladatum->comkey[len2] = 0;
-
- cladatum->comdatum = hashtab_search(p->p_commons.table,
- cladatum->comkey);
- if ( !cladatum->comdatum )
- {
- printk(KERN_ERR "Flask: unknown common %s\n",
- cladatum->comkey);
- rc = -EINVAL;
- goto bad;
- }
+ printk(KERN_ERR "Flask: classes with common prefixes are not supported\n");
+ rc = -EINVAL;
+ goto bad;
}
for ( i = 0; i < nel; i++ )
{
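Review bot: Rejecting a class that names a common prefix with -EINVAL is the right fail-closed choice here, since ignoring the prefix would load a policy whose permission numbering no longer matches what the hypervisor compiled in. The diagnostic could say which class is at fault: if the class key has already been read into `key` at this point of class_read (the start of the function is outside this hunk), `printk(KERN_ERR "Flask: class %s uses a common prefix, which is not supported\n", key);` points the policy author at the offending definition. Note that only `len2` has been consumed from the policy stream when the check fires, so none of the prefix name is read; the early `goto bad` presumably leaves cleanup of the partially built datum to the existing error path.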
diff --git a/xen/xsm/flask/ss/services.c b/xen/xsm/flask/ss/services.c
index 363f586a7d..1bf3b0c0d7 100644
--- a/xen/xsm/flask/ss/services.c
+++ b/xen/xsm/flask/ss/services.c
@@ -1167,10 +1167,10 @@ int security_change_sid(u32 ssid, u32 tsid, u16 tclass, u32 *out_sid)
*/
static int validate_classes(struct policydb *p)
{
- int i, j;
+ int i;
struct class_datum *cladatum;
struct perm_datum *perdatum;
- u32 nprim, tmp, common_pts_len, perm_val, pol_val;
+ u32 nprim, perm_val, pol_val;
u16 class_val;
const struct selinux_class_perm *kdefs = &selinux_class_perm;
const char *def_class, *def_perm, *pol_class;
@@ -1233,56 +1233,6 @@ static int validate_classes(struct policydb *p)
return -EINVAL;
}
}
- for ( i = 0; i < kdefs->av_inherit_len; i++ )
- {
- class_val = kdefs->av_inherit[i].tclass;
- if ( class_val > p->p_classes.nprim )
- continue;
- pol_class = p->p_class_val_to_name[class_val-1];
- cladatum = hashtab_search(p->p_classes.table, pol_class);
- BUG_ON( !cladatum );
- if ( !cladatum->comdatum )
- {
- printk(KERN_ERR
- "Flask: class %s should have an inherits clause but does not\n",
- pol_class);
- return -EINVAL;
- }
- tmp = kdefs->av_inherit[i].common_base;
- common_pts_len = 0;
- while ( !(tmp & 0x01) )
- {
- common_pts_len++;
- tmp >>= 1;
- }
- perms = &cladatum->comdatum->permissions;
- for ( j = 0; j < common_pts_len; j++ )
- {
- def_perm = kdefs->av_inherit[i].common_pts[j];
- if ( j >= perms->nprim )
- {
- printk(KERN_INFO
- "Flask: permission %s in class %s not defined in policy\n",
- def_perm, pol_class);
- return -EINVAL;
- }
- perdatum = hashtab_search(perms->table, def_perm);
- if ( perdatum == NULL )
- {
- printk(KERN_ERR
- "Flask: permission %s in class %s not found in policy\n",
- def_perm, pol_class);
- return -EINVAL;
- }
- if ( perdatum->value != j + 1 )
- {
- printk(KERN_ERR
- "Flask: permission %s in class %s has incorrect value\n",
- def_perm, pol_class);
- return -EINVAL;
- }
- }
- }
return 0;
}