Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael...
[linux-2.6.git] / security / selinux / ss / services.c
index cf27b3e..223c1ff 100644 (file)
@@ -50,6 +50,8 @@
 #include <linux/audit.h>
 #include <linux/mutex.h>
 #include <linux/selinux.h>
+#include <linux/flex_array.h>
+#include <linux/vmalloc.h>
 #include <net/netlabel.h>
 
 #include "flask.h"
@@ -274,15 +276,15 @@ static int constraint_expr_eval(struct context *scontext,
                case CEXPR_AND:
                        BUG_ON(sp < 1);
                        sp--;
-                       s[sp] &= s[sp+1];
+                       s[sp] &= s[sp + 1];
                        break;
                case CEXPR_OR:
                        BUG_ON(sp < 1);
                        sp--;
-                       s[sp] |= s[sp+1];
+                       s[sp] |= s[sp + 1];
                        break;
                case CEXPR_ATTR:
-                       if (sp == (CEXPR_MAXDEPTH-1))
+                       if (sp == (CEXPR_MAXDEPTH - 1))
                                return 0;
                        switch (e->attr) {
                        case CEXPR_USER:
@@ -626,8 +628,10 @@ static void context_struct_compute_av(struct context *scontext,
         */
        avkey.target_class = tclass;
        avkey.specified = AVTAB_AV;
-       sattr = &policydb.type_attr_map[scontext->type - 1];
-       tattr = &policydb.type_attr_map[tcontext->type - 1];
+       sattr = flex_array_get(policydb.type_attr_map_array, scontext->type - 1);
+       BUG_ON(!sattr);
+       tattr = flex_array_get(policydb.type_attr_map_array, tcontext->type - 1);
+       BUG_ON(!tattr);
        ebitmap_for_each_positive_bit(sattr, snode, i) {
                ebitmap_for_each_positive_bit(tattr, tnode, j) {
                        avkey.source_type = i + 1;
@@ -988,7 +992,8 @@ static int context_struct_to_string(struct context *context, char **scontext, u3
 {
        char *scontextp;
 
-       *scontext = NULL;
+       if (scontext)
+               *scontext = NULL;
        *scontext_len = 0;
 
        if (context->len) {
@@ -1005,6 +1010,9 @@ static int context_struct_to_string(struct context *context, char **scontext, u3
        *scontext_len += strlen(policydb.p_type_val_to_name[context->type - 1]) + 1;
        *scontext_len += mls_compute_context_len(context);
 
+       if (!scontext)
+               return 0;
+
        /* Allocate space for the context; caller must free this space. */
        scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
        if (!scontextp)
@@ -1044,7 +1052,8 @@ static int security_sid_to_context_core(u32 sid, char **scontext,
        struct context *context;
        int rc = 0;
 
-       *scontext = NULL;
+       if (scontext)
+               *scontext = NULL;
        *scontext_len  = 0;
 
        if (!ss_initialized) {
@@ -1052,6 +1061,8 @@ static int security_sid_to_context_core(u32 sid, char **scontext,
                        char *scontextp;
 
                        *scontext_len = strlen(initial_sid_to_string[sid]) + 1;
+                       if (!scontext)
+                               goto out;
                        scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
                        if (!scontextp) {
                                rc = -ENOMEM;
@@ -1216,7 +1227,7 @@ static int security_context_to_sid_core(const char *scontext, u32 scontext_len,
        *sid = SECSID_NULL;
 
        /* Copy the string so that we can modify the copy as we parse it. */
-       scontext2 = kmalloc(scontext_len+1, gfp_flags);
+       scontext2 = kmalloc(scontext_len + 1, gfp_flags);
        if (!scontext2)
                return -ENOMEM;
        memcpy(scontext2, scontext, scontext_len);
@@ -1760,28 +1771,36 @@ int security_load_policy(void *data, size_t len)
 
        if (!ss_initialized) {
                avtab_cache_init();
-               if (policydb_read(&policydb, fp)) {
+               rc = policydb_read(&policydb, fp);
+               if (rc) {
                        avtab_cache_destroy();
-                       return -EINVAL;
+                       return rc;
                }
-               if (selinux_set_mapping(&policydb, secclass_map,
-                                       &current_mapping,
-                                       &current_mapping_size)) {
+
+               policydb.len = len;
+               rc = selinux_set_mapping(&policydb, secclass_map,
+                                        &current_mapping,
+                                        &current_mapping_size);
+               if (rc) {
                        policydb_destroy(&policydb);
                        avtab_cache_destroy();
-                       return -EINVAL;
+                       return rc;
                }
-               if (policydb_load_isids(&policydb, &sidtab)) {
+
+               rc = policydb_load_isids(&policydb, &sidtab);
+               if (rc) {
                        policydb_destroy(&policydb);
                        avtab_cache_destroy();
-                       return -EINVAL;
+                       return rc;
                }
+
                security_load_policycaps();
                ss_initialized = 1;
                seqno = ++latest_granting;
                selinux_complete_init();
                avc_ss_reset(seqno);
                selnl_notify_policyload(seqno);
+               selinux_status_update_policyload(seqno);
                selinux_netlbl_cache_invalidate();
                selinux_xfrm_notify_policyload();
                return 0;
@@ -1791,9 +1810,11 @@ int security_load_policy(void *data, size_t len)
        sidtab_hash_eval(&sidtab, "sids");
 #endif
 
-       if (policydb_read(&newpolicydb, fp))
-               return -EINVAL;
+       rc = policydb_read(&newpolicydb, fp);
+       if (rc)
+               return rc;
 
+       newpolicydb.len = len;
        /* If switching between different policy types, log MLS status */
        if (policydb.mls_enabled && !newpolicydb.mls_enabled)
                printk(KERN_INFO "SELinux: Disabling MLS support...\n");
@@ -1807,8 +1828,8 @@ int security_load_policy(void *data, size_t len)
                return rc;
        }
 
-       if (selinux_set_mapping(&newpolicydb, secclass_map,
-                               &map, &map_size))
+       rc = selinux_set_mapping(&newpolicydb, secclass_map, &map, &map_size);
+       if (rc)
                goto err;
 
        rc = security_preserve_bools(&newpolicydb);
@@ -1819,10 +1840,10 @@ int security_load_policy(void *data, size_t len)
 
        /* Clone the SID table. */
        sidtab_shutdown(&sidtab);
-       if (sidtab_map(&sidtab, clone_sid, &newsidtab)) {
-               rc = -ENOMEM;
+
+       rc = sidtab_map(&sidtab, clone_sid, &newsidtab);
+       if (rc)
                goto err;
-       }
 
        /*
         * Convert the internal representations of contexts
@@ -1860,6 +1881,7 @@ int security_load_policy(void *data, size_t len)
 
        avc_ss_reset(seqno);
        selnl_notify_policyload(seqno);
+       selinux_status_update_policyload(seqno);
        selinux_netlbl_cache_invalidate();
        selinux_xfrm_notify_policyload();
 
@@ -1873,6 +1895,17 @@ err:
 
 }
 
+size_t security_policydb_len(void)
+{
+       size_t len;
+
+       read_lock(&policy_rwlock);
+       len = policydb.len;
+       read_unlock(&policy_rwlock);
+
+       return len;
+}
+
 /**
  * security_port_sid - Obtain the SID for a port.
  * @protocol: protocol number
@@ -2101,9 +2134,9 @@ int security_get_user_sids(u32 fromsid,
 
        ebitmap_for_each_positive_bit(&user->roles, rnode, i) {
                role = policydb.role_val_to_struct[i];
-               usercon.role = i+1;
+               usercon.role = i + 1;
                ebitmap_for_each_positive_bit(&role->types, tnode, j) {
-                       usercon.type = j+1;
+                       usercon.type = j + 1;
 
                        if (mls_setup_user_range(fromcon, user, &usercon))
                                continue;
@@ -2364,6 +2397,7 @@ out:
        if (!rc) {
                avc_ss_reset(seqno);
                selnl_notify_policyload(seqno);
+               selinux_status_update_policyload(seqno);
                selinux_xfrm_notify_policyload();
        }
        return rc;
@@ -3119,3 +3153,38 @@ netlbl_sid_to_secattr_failure:
        return rc;
 }
 #endif /* CONFIG_NETLABEL */
+
+/**
+ * security_read_policy - read the policy.
+ * @data: binary policy data
+ * @len: length of data in bytes
+ *
+ */
+int security_read_policy(void **data, ssize_t *len)
+{
+       int rc;
+       struct policy_file fp;
+
+       if (!ss_initialized)
+               return -EINVAL;
+
+       *len = security_policydb_len();
+
+       *data = vmalloc_user(*len);
+       if (!*data)
+               return -ENOMEM;
+
+       fp.data = *data;
+       fp.len = *len;
+
+       read_lock(&policy_rwlock);
+       rc = policydb_write(&policydb, &fp);
+       read_unlock(&policy_rwlock);
+
+       if (rc)
+               return rc;
+
+       *len = (unsigned long)fp.data - (unsigned long)*data;
+       return 0;
+
+}