Diffstat (limited to 'xen/xsm')
-rw-r--r-- | xen/xsm/flask/avc.c | 39 | ||||
-rw-r--r-- | xen/xsm/flask/include/av_inherit.h | 1 | ||||
-rw-r--r-- | xen/xsm/flask/include/avc_ss.h | 8 | ||||
-rw-r--r-- | xen/xsm/flask/include/common_perm_to_string.h | 1 | ||||
-rw-r--r-- | xen/xsm/flask/ss/policydb.c | 46 | ||||
-rw-r--r-- | xen/xsm/flask/ss/services.c | 54 |
6 files changed, 6 insertions, 143 deletions
diff --git a/xen/xsm/flask/avc.c b/xen/xsm/flask/avc.c
index 44240a9282..7fede00fc7 100644
--- a/xen/xsm/flask/avc.c
+++ b/xen/xsm/flask/avc.c
@@ -45,28 +45,11 @@ static const char *class_to_string[] = {
 #undef S_
 };
 
-#define TB_(s) static const char * s [] = {
-#define TE_(s) };
-#define S_(s) s,
-#include "common_perm_to_string.h"
-#undef TB_
-#undef TE_
-#undef S_
-
-static const struct av_inherit av_inherit[] = {
-#define S_(c, i, b) { .tclass = c, .common_pts = common_##i##_perm_to_string, \
- .common_base = b },
-#include "av_inherit.h"
-#undef S_
-};
-
 const struct selinux_class_perm selinux_class_perm = {
 .av_perm_to_string = av_perm_to_string,
 .av_pts_len = ARRAY_SIZE(av_perm_to_string),
 .class_to_string = class_to_string,
 .cts_len = ARRAY_SIZE(class_to_string),
- .av_inherit = av_inherit,
- .av_inherit_len = ARRAY_SIZE(av_inherit)
 };
 
 #define AVC_CACHE_SLOTS 512
@@ -181,8 +164,6 @@ static void avc_printk(struct avc_dump_buf *buf, const char *fmt, ...)
 */
 static void avc_dump_av(struct avc_dump_buf *buf, u16 tclass, u32 av)
 {
- const char **common_pts = NULL;
- u32 common_base = 0;
 int i, i2, perm;
 
 if ( av == 0 )
@@ -191,29 +172,9 @@ static void avc_dump_av(struct avc_dump_buf *buf, u16 tclass, u32 av)
 return;
 }
 
- for ( i = 0; i < ARRAY_SIZE(av_inherit); i++ )
- {
- if (av_inherit[i].tclass == tclass)
- {
- common_pts = av_inherit[i].common_pts;
- common_base = av_inherit[i].common_base;
- break;
- }
- }
-
 avc_printk(buf, " {");
 i = 0;
 perm = 1;
- while ( perm < common_base )
- {
- if (perm & av)
- {
- avc_printk(buf, " %s", common_pts[i]);
- av &= ~perm;
- }
- i++;
- perm <<= 1;
- }
 
 while ( i < sizeof(av) * 8 )
 {
diff --git a/xen/xsm/flask/include/av_inherit.h b/xen/xsm/flask/include/av_inherit.h
deleted file mode 100644
index 321ffe7f3c..0000000000
--- a/xen/xsm/flask/include/av_inherit.h
+++ /dev/null
@@ -1 +0,0 @@
-/* This file is automatically generated. Do not edit. */
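Review bot: With the common-permission pass removed from avc_dump_av, `i = 0;` and `perm = 1;` are now bare re-initialisations sitting between the `avc_printk(buf, " {")` call and the remaining loop; they would read better folded into the declaration in the hunk at -181 (`int i = 0, i2, perm = 1;`) or into a for header. The loop that follows, `while ( i < sizeof(av) * 8 )`, compares a signed int with a size_t and, if its body still does `perm <<= 1` across all 32 bits the way the removed loop did, the last shift into the sign bit of a signed perm is undefined; that body is outside the hunk, so this is pre-existing, but declaring `perm` as `u32` to match `av` would settle it. The avc_dump_av body continues past the end of the hunk.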
diff --git a/xen/xsm/flask/include/avc_ss.h b/xen/xsm/flask/include/avc_ss.h
index ea4e98c47e..a3d7d1ef07 100644
--- a/xen/xsm/flask/include/avc_ss.h
+++ b/xen/xsm/flask/include/avc_ss.h
@@ -16,19 +16,11 @@ struct av_perm_to_string {
 const char *name;
 };
 
-struct av_inherit {
- const char **common_pts;
- u32 common_base;
- u16 tclass;
-};
-
 struct selinux_class_perm {
 const struct av_perm_to_string *av_perm_to_string;
 u32 av_pts_len;
 u32 cts_len;
 const char **class_to_string;
- const struct av_inherit *av_inherit;
- u32 av_inherit_len;
 };
 
 extern const struct selinux_class_perm selinux_class_perm;
diff --git a/xen/xsm/flask/include/common_perm_to_string.h b/xen/xsm/flask/include/common_perm_to_string.h
deleted file mode 100644
index 321ffe7f3c..0000000000
--- a/xen/xsm/flask/include/common_perm_to_string.h
+++ /dev/null
@@ -1 +0,0 @@
-/* This file is automatically generated. Do not edit. */
diff --git a/xen/xsm/flask/ss/policydb.c b/xen/xsm/flask/ss/policydb.c
index 26097b967a..fefcd59171 100644
--- a/xen/xsm/flask/ss/policydb.c
+++ b/xen/xsm/flask/ss/policydb.c
@@ -254,14 +254,6 @@ out_free_symtab:
 
 static int common_index(void *key, void *datum, void *datap)
 {
- struct policydb *p;
- struct common_datum *comdatum;
-
- comdatum = datum;
- p = datap;
- if ( !comdatum->value || comdatum->value > p->p_commons.nprim )
- return -EINVAL;
- p->p_common_val_to_name[comdatum->value - 1] = key;
 return 0;
 }
 
@@ -382,8 +374,7 @@ static int (*index_f[SYM_NUM]) (void *key, void *datum, void *datap) =
 };
 
 /*
- * Define the common val_to_name array and the class
- * val_to_name and val_to_struct arrays in a policy
+ * Define the class val_to_name and val_to_struct arrays in a policy
  * database structure.
  *
  * Caller must clean up upon failure.
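Review bot: common_index now ignores key, datum and datap and always returns 0, yet the hunk at -382 still shows it as context in the index_f[] table, so it keeps being invoked for every common in a loaded policy while the former check that comdatum->value lies in 1..p_commons.nprim is gone. If commons can still appear in the policy file (common_read is not in this diff), that bound is no longer enforced anywhere visible here; either keep the check or say in a comment why it is unnecessary, e.g. `/* Commons are no longer indexed; classes that reference one are rejected in class_read(). */`. The p_common_val_to_name member this function used to fill is not removed (policydb.h is absent from the diffstat), so it presumably remains in struct policydb as a field that is never set now that the hunk at -392 also drops its allocation; removing the field, or marking it dead, avoids a stale pointer being read or freed elsewhere.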
@@ -392,18 +383,6 @@ static int policydb_index_classes(struct policydb *p)
 {
 int rc;
 
- p->p_common_val_to_name =
- xmalloc_array(char *, p->p_commons.nprim);
- if ( !p->p_common_val_to_name )
- {
- rc = -ENOMEM;
- goto out;
- }
-
- rc = hashtab_map(p->p_commons.table, common_index, p);
- if ( rc )
- goto out;
-
 p->class_val_to_struct =
 xmalloc_array(struct class_datum *, p->p_classes.nprim);
 if ( !p->class_val_to_struct )
@@ -1200,26 +1179,9 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp)
 
 if ( len2 )
 {
- cladatum->comkey = xmalloc_array(char, len2 + 1);
- if ( !cladatum->comkey )
- {
- rc = -ENOMEM;
- goto bad;
- }
- rc = next_entry(cladatum->comkey, fp, len2);
- if ( rc < 0 )
- goto bad;
- cladatum->comkey[len2] = 0;
-
- cladatum->comdatum = hashtab_search(p->p_commons.table,
- cladatum->comkey);
- if ( !cladatum->comdatum )
- {
- printk(KERN_ERR "Flask: unknown common %s\n",
- cladatum->comkey);
- rc = -EINVAL;
- goto bad;
- }
+ printk(KERN_ERR "Flask: classes with common prefixes are not supported\n");
+ rc = -EINVAL;
+ goto bad;
 }
 for ( i = 0; i < nel; i++ )
 {
diff --git a/xen/xsm/flask/ss/services.c b/xen/xsm/flask/ss/services.c
index 363f586a7d..1bf3b0c0d7 100644
--- a/xen/xsm/flask/ss/services.c
+++ b/xen/xsm/flask/ss/services.c
@@ -1167,10 +1167,10 @@ int security_change_sid(u32 ssid, u32 tsid, u16 tclass, u32 *out_sid)
 */
 static int validate_classes(struct policydb *p)
 {
- int i, j;
+ int i;
 struct class_datum *cladatum;
 struct perm_datum *perdatum;
- u32 nprim, tmp, common_pts_len, perm_val, pol_val;
+ u32 nprim, perm_val, pol_val;
 u16 class_val;
 const struct selinux_class_perm *kdefs = &selinux_class_perm;
 const char *def_class, *def_perm, *pol_class;
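Review bot: The new rejection in class_read does not name the class that triggered it, and it leaves the len2 bytes of the common key unread on fp, which is only harmless because `goto bad` abandons the whole load; a one-line comment stating that would stop a later reader from "fixing" it by skipping the bytes. If the class name has already been read into a local at this point (that part of class_read is outside the hunk), include it in the message, e.g. `printk(KERN_ERR "Flask: class %s uses a common prefix, which is not supported\n", <class key local>);`, so a rejected policy can be diagnosed from the log. Failing the load outright rather than accepting a class with missing permissions is the conservative choice; since the diffstat is limited to xen/xsm, the policy sources and the table generator that must stop emitting `common` blocks are not visible here and should be confirmed in the same series, otherwise the shipped policy is refused at boot. The `bad:` cleanup this branch jumps to lies outside the hunk.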
@@ -1233,56 +1233,6 @@ static int validate_classes(struct policydb *p)
 return -EINVAL;
 }
 }
- for ( i = 0; i < kdefs->av_inherit_len; i++ )
- {
- class_val = kdefs->av_inherit[i].tclass;
- if ( class_val > p->p_classes.nprim )
- continue;
- pol_class = p->p_class_val_to_name[class_val-1];
- cladatum = hashtab_search(p->p_classes.table, pol_class);
- BUG_ON( !cladatum );
- if ( !cladatum->comdatum )
- {
- printk(KERN_ERR
- "Flask: class %s should have an inherits clause but does not\n",
- pol_class);
- return -EINVAL;
- }
- tmp = kdefs->av_inherit[i].common_base;
- common_pts_len = 0;
- while ( !(tmp & 0x01) )
- {
- common_pts_len++;
- tmp >>= 1;
- }
- perms = &cladatum->comdatum->permissions;
- for ( j = 0; j < common_pts_len; j++ )
- {
- def_perm = kdefs->av_inherit[i].common_pts[j];
- if ( j >= perms->nprim )
- {
- printk(KERN_INFO
- "Flask: permission %s in class %s not defined in policy\n",
- def_perm, pol_class);
- return -EINVAL;
- }
- perdatum = hashtab_search(perms->table, def_perm);
- if ( perdatum == NULL )
- {
- printk(KERN_ERR
- "Flask: permission %s in class %s not found in policy\n",
- def_perm, pol_class);
- return -EINVAL;
- }
- if ( perdatum->value != j + 1 )
- {
- printk(KERN_ERR
- "Flask: permission %s in class %s has incorrect value\n",
- def_perm, pol_class);
- return -EINVAL;
- }
- }
- }
 return 0;
 }
 
|