Userspace: handle the class in role_trans_rule

Add class support to various functions to handle role_trans_rule_t structures. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2025-04-01 00:30:41 +00:00 · 2011-03-25 13:52:02 +08:00 · 2011-03-25 13:52:02 +08:00 · 6db9b74210
commit 6db9b74210
parent 93417dfa28
4 changed files with 69 additions and 42 deletions
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@ -1146,11 +1146,11 @@ static int copy_role_allows(expand_state_t * state, role_allow_rule_t * rules)

 static int copy_role_trans(expand_state_t * state, role_trans_rule_t * rules)
 {
-	unsigned int i, j;
+	unsigned int i, j, k;
 	role_trans_t *n, *l, *cur_trans;
 	role_trans_rule_t *cur;
 	ebitmap_t roles, types;
-	ebitmap_node_t *rnode, *tnode;
+	ebitmap_node_t *rnode, *tnode, *cnode;

 	/* start at the end of the list */
 	for (l = state->out->role_tr; l && l->next; l = l->next) ;
@ -1175,51 +1175,57 @@ static int copy_role_trans(expand_state_t * state, role_trans_rule_t * rules)
 			ebitmap_for_each_bit(&types, tnode, j) {
 				if (!ebitmap_node_get_bit(tnode, j))
 					continue;
+				ebitmap_for_each_bit(&cur->classes, cnode, k) {
+					if (!ebitmap_node_get_bit(cnode, k))
+						continue;

-				cur_trans = state->out->role_tr;
-				while (cur_trans) {
-					if ((cur_trans->role == i + 1) &&
-					    (cur_trans->type == j + 1)) {
-						if (cur_trans->new_role ==
-						    cur->new_role) {
-							break;
-						} else {
-							ERR(state->handle,
-							    "Conflicting role trans rule %s %s : %s",
-							    state->out->
-							    p_role_val_to_name
-							    [i],
-							    state->out->
-							    p_type_val_to_name
-							    [j],
-							    state->out->
-							    p_role_val_to_name
-							    [cur->new_role -
-							     1]);
-							return -1;
+					cur_trans = state->out->role_tr;
+					while (cur_trans) {
+						if ((cur_trans->role ==
+								i + 1) &&
+						    (cur_trans->type ==
+								j + 1) &&
+						    (cur_trans->tclass ==
+								k + 1)) {
+							if (cur_trans->
+							    new_role ==
+								cur->new_role) {
+								break;
+							} else {
+								ERR(state->handle,
+									"Conflicting role trans rule %s %s : %s %s",
+									state->out->p_role_val_to_name[i],
+									state->out->p_type_val_to_name[j],
+									state->out->p_class_val_to_name[k],
+									state->out->p_role_val_to_name[cur->new_role - 1]);
+								return -1;
+							}
 						}
+						cur_trans = cur_trans->next;
 					}
-					cur_trans = cur_trans->next;
-				}
-				if (cur_trans)
-					continue;
+					if (cur_trans)
+						continue;

-				n = (role_trans_t *)
-				    malloc(sizeof(role_trans_t));
-				if (!n) {
-					ERR(state->handle, "Out of memory!");
-					return -1;
+					n = (role_trans_t *)
+						malloc(sizeof(role_trans_t));
+					if (!n) {
+						ERR(state->handle,
+							"Out of memory!");
+						return -1;
+					}
+					memset(n, 0, sizeof(role_trans_t));
+					n->role = i + 1;
+					n->type = j + 1;
+					n->tclass = k + 1;
+					n->new_role = state->rolemap
+							[cur->new_role - 1];
+					if (l)
+						l->next = n;
+					else
+						state->out->role_tr = n;
+
+					l = n;
 				}
-				memset(n, 0, sizeof(role_trans_t));
-				n->role = i + 1;
-				n->type = j + 1;
-				n->new_role = state->rolemap[cur->new_role - 1];
-				if (l) {
-					l->next = n;
-				} else {
-					state->out->role_tr = n;
-				}
-				l = n;
 			}
 		}

--- a/libsepol/src/link.c
+++ b/libsepol/src/link.c
@ -1246,6 +1246,8 @@ static int copy_role_trans_list(role_trans_rule_t * list,
 				policy_module_t * module, link_state_t * state)
 {
 	role_trans_rule_t *cur, *new_rule = NULL, *tail;
+	unsigned int i;
+	ebitmap_node_t *cnode;

 	cur = list;
 	tail = *dst;
@ -1267,6 +1269,18 @@ static int copy_role_trans_list(role_trans_rule_t * list,
 			goto cleanup;
 		}

+		ebitmap_for_each_bit(&cur->classes, cnode, i) {
+			if (ebitmap_node_get_bit(cnode, i)) {
+				assert(module->map[SYM_CLASSES][i]);
+				if (ebitmap_set_bit(&new_rule->classes,
+						    module->
+						    map[SYM_CLASSES][i] - 1,
+						    1)) {
+					goto cleanup;
+				}
+			}
+		}
+
 		new_rule->new_role = module->map[SYM_ROLES][cur->new_role - 1];

 		if (*dst == NULL) {
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@ -434,6 +434,7 @@ void role_trans_rule_init(role_trans_rule_t * x)
 	memset(x, 0, sizeof(*x));
 	role_set_init(&x->roles);
 	type_set_init(&x->types);
+	ebitmap_init(&x->classes);
 }

 void role_trans_rule_destroy(role_trans_rule_t * x)
@ -441,6 +442,7 @@ void role_trans_rule_destroy(role_trans_rule_t * x)
 	if (x != NULL) {
 		role_set_destroy(&x->roles);
 		type_set_destroy(&x->types);
+		ebitmap_destroy(&x->classes);
 	}
 }

@ -2956,6 +2958,9 @@ static int role_trans_rule_read(role_trans_rule_t ** r, struct policy_file *fp)
 		if (type_set_read(&tr->types, fp))
 			return -1;

+		if (ebitmap_read(&tr->classes, fp))
+			return -1;
+
 		rc = next_entry(buf, fp, sizeof(uint32_t));
 		if (rc < 0)
 			return -1;
--- a/libsepol/src/write.c
+++ b/libsepol/src/write.c
@ -1464,6 +1464,8 @@ static int role_trans_rule_write(role_trans_rule_t * t, struct policy_file *fp)
 			return POLICYDB_ERROR;
 		if (type_set_write(&tr->types, fp))
 			return POLICYDB_ERROR;
+		if (ebitmap_write(&tr->classes, fp))
+			return POLICYDB_ERROR;
 		buf[0] = cpu_to_le32(tr->new_role);
 		items = put_entry(buf, sizeof(uint32_t), 1, fp);
 		if (items != 1)