* [PATCH v2 1/5] libsepol: rename validate_policydb to policydb_validate
@ 2022-07-21 15:24 Christian Göttsche
2022-07-21 15:24 ` [PATCH v2 2/5] libsepol: support const avtab_t pointer in avtab_map() Christian Göttsche
` (4 more replies)
0 siblings, 5 replies; 7+ messages in thread
From: Christian Göttsche @ 2022-07-21 15:24 UTC (permalink / raw)
To: selinux
Most global functions operating on a policy database use policydb as
prefix.
Since this function is not exported there should not be any external
use.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
libsepol/src/policydb.c | 2 +-
libsepol/src/policydb_validate.c | 2 +-
libsepol/src/policydb_validate.h | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index fc260eb6..8a65df05 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -4570,7 +4570,7 @@ int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose)
}
}
- if (validate_policydb(fp->handle, p))
+ if (policydb_validate(fp->handle, p))
goto bad;
return POLICYDB_SUCCESS;
diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
index 99d4eb7f..e1dad236 100644
--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@@ -1330,7 +1330,7 @@ static void validate_array_destroy(validate_t flavors[])
/*
* Validate policydb
*/
-int validate_policydb(sepol_handle_t *handle, policydb_t *p)
+int policydb_validate(sepol_handle_t *handle, policydb_t *p)
{
validate_t flavors[SYM_NUM] = {};
diff --git a/libsepol/src/policydb_validate.h b/libsepol/src/policydb_validate.h
index d9f7229b..b7f9f191 100644
--- a/libsepol/src/policydb_validate.h
+++ b/libsepol/src/policydb_validate.h
@@ -4,4 +4,4 @@
#include <sepol/policydb/policydb.h>
int value_isvalid(uint32_t value, uint32_t nprim);
-int validate_policydb(sepol_handle_t *handle, policydb_t *p);
+int policydb_validate(sepol_handle_t *handle, policydb_t *p);
--
2.36.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH v2 2/5] libsepol: support const avtab_t pointer in avtab_map()
2022-07-21 15:24 [PATCH v2 1/5] libsepol: rename validate_policydb to policydb_validate Christian Göttsche
@ 2022-07-21 15:24 ` Christian Göttsche
2022-07-21 15:24 ` [PATCH v2 3/5] libsepol: operate on const pointers during validation Christian Göttsche
` (3 subsequent siblings)
4 siblings, 0 replies; 7+ messages in thread
From: Christian Göttsche @ 2022-07-21 15:24 UTC (permalink / raw)
To: selinux
The access vector table itself is not modified in avtab_map() thus
support passing a const pointer.
Logically the content might be changed by the passed callback, but C
does not support transitive const-ness well, and C also does not support
function overloading, e.g. like for strchr(3).
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
libsepol/include/sepol/policydb/avtab.h | 2 +-
libsepol/src/avtab.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/libsepol/include/sepol/policydb/avtab.h b/libsepol/include/sepol/policydb/avtab.h
index 10ecde9a..e4c48576 100644
--- a/libsepol/include/sepol/policydb/avtab.h
+++ b/libsepol/include/sepol/policydb/avtab.h
@@ -112,7 +112,7 @@ extern avtab_datum_t *avtab_search(avtab_t * h, avtab_key_t * k);
extern void avtab_destroy(avtab_t * h);
-extern int avtab_map(avtab_t * h,
+extern int avtab_map(const avtab_t * h,
int (*apply) (avtab_key_t * k,
avtab_datum_t * d, void *args), void *args);
diff --git a/libsepol/src/avtab.c b/libsepol/src/avtab.c
index 7920b60a..82fec783 100644
--- a/libsepol/src/avtab.c
+++ b/libsepol/src/avtab.c
@@ -330,7 +330,7 @@ void avtab_destroy(avtab_t * h)
h->mask = 0;
}
-int avtab_map(avtab_t * h,
+int avtab_map(const avtab_t * h,
int (*apply) (avtab_key_t * k,
avtab_datum_t * d, void *args), void *args)
{
--
2.36.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH v2 3/5] libsepol: operate on const pointers during validation
2022-07-21 15:24 [PATCH v2 1/5] libsepol: rename validate_policydb to policydb_validate Christian Göttsche
2022-07-21 15:24 ` [PATCH v2 2/5] libsepol: support const avtab_t pointer in avtab_map() Christian Göttsche
@ 2022-07-21 15:24 ` Christian Göttsche
2022-07-21 15:24 ` [PATCH v2 4/5] libsepol: rename parameter name Christian Göttsche
` (2 subsequent siblings)
4 siblings, 0 replies; 7+ messages in thread
From: Christian Göttsche @ 2022-07-21 15:24 UTC (permalink / raw)
To: selinux
The actual policy should not be modified during validation, thus use
const pointers.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
v2:
fixed typo in commit message
---
libsepol/src/policydb_validate.c | 114 +++++++++++++++----------------
libsepol/src/policydb_validate.h | 2 +-
2 files changed, 58 insertions(+), 58 deletions(-)
diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
index e1dad236..a567c411 100644
--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@@ -8,7 +8,7 @@
#include "policydb_validate.h"
#define bool_xor(a, b) (!(a) != !(b))
-#define bool_xnor(a, b) !bool_xor(a, b)
+#define bool_xnor(a, b) (!bool_xor(a, b))
typedef struct validate {
uint32_t nprim;
@@ -18,7 +18,7 @@ typedef struct validate {
typedef struct map_arg {
validate_t *flavors;
sepol_handle_t *handle;
- policydb_t *policy;
+ const policydb_t *policy;
} map_arg_t;
static int create_gap_ebitmap(char **val_to_name, uint32_t nprim, ebitmap_t *gaps)
@@ -46,7 +46,7 @@ static int validate_init(validate_t *flavor, char **val_to_name, uint32_t nprim)
return 0;
}
-static int validate_array_init(policydb_t *p, validate_t flavors[])
+static int validate_array_init(const policydb_t *p, validate_t flavors[])
{
if (validate_init(&flavors[SYM_CLASSES], p->p_class_val_to_name, p->p_classes.nprim))
goto bad;
@@ -91,7 +91,7 @@ int value_isvalid(uint32_t value, uint32_t nprim)
return 1;
}
-static int validate_value(uint32_t value, validate_t *flavor)
+static int validate_value(uint32_t value, const validate_t *flavor)
{
if (!value || value > flavor->nprim)
goto bad;
@@ -104,7 +104,7 @@ bad:
return -1;
}
-static int validate_ebitmap(ebitmap_t *map, validate_t *flavor)
+static int validate_ebitmap(const ebitmap_t *map, const validate_t *flavor)
{
if (ebitmap_length(map) > 0 && ebitmap_highest_set_bit(map) >= flavor->nprim)
goto bad;
@@ -117,7 +117,7 @@ bad:
return -1;
}
-static int validate_type_set(type_set_t *type_set, validate_t *type)
+static int validate_type_set(const type_set_t *type_set, const validate_t *type)
{
if (validate_ebitmap(&type_set->types, type))
goto bad;
@@ -139,7 +139,7 @@ bad:
return -1;
}
-static int validate_empty_type_set(type_set_t *type_set)
+static int validate_empty_type_set(const type_set_t *type_set)
{
if (!ebitmap_is_empty(&type_set->types))
goto bad;
@@ -154,7 +154,7 @@ bad:
return -1;
}
-static int validate_role_set(role_set_t *role_set, validate_t *role)
+static int validate_role_set(const role_set_t *role_set, const validate_t *role)
{
if (validate_ebitmap(&role_set->roles, role))
goto bad;
@@ -176,8 +176,8 @@ bad:
static int validate_scope(__attribute__ ((unused)) hashtab_key_t k, hashtab_datum_t d, void *args)
{
- scope_datum_t *scope_datum = (scope_datum_t *)d;
- uint32_t *nprim = (uint32_t *)args;
+ const scope_datum_t *scope_datum = (scope_datum_t *)d;
+ const uint32_t *nprim = (uint32_t *)args;
unsigned int i;
switch (scope_datum->scope) {
@@ -199,9 +199,9 @@ bad:
return -1;
}
-static int validate_scopes(sepol_handle_t *handle, symtab_t scopes[], avrule_block_t *block)
+static int validate_scopes(sepol_handle_t *handle, const symtab_t scopes[], const avrule_block_t *block)
{
- avrule_decl_t *decl;
+ const avrule_decl_t *decl;
unsigned int i;
unsigned int num_decls = 0;
@@ -223,9 +223,9 @@ bad:
return -1;
}
-static int validate_constraint_nodes(sepol_handle_t *handle, unsigned int nperms, constraint_node_t *cons, validate_t flavors[])
+static int validate_constraint_nodes(sepol_handle_t *handle, unsigned int nperms, const constraint_node_t *cons, validate_t flavors[])
{
- constraint_expr_t *cexp;
+ const constraint_expr_t *cexp;
for (; cons; cons = cons->next) {
if (nperms == 0 && cons->permissions != 0)
@@ -339,7 +339,7 @@ bad:
return -1;
}
-static int validate_class_datum(sepol_handle_t *handle, class_datum_t *class, validate_t flavors[])
+static int validate_class_datum(sepol_handle_t *handle, const class_datum_t *class, validate_t flavors[])
{
if (validate_value(class->s.value, &flavors[SYM_CLASSES]))
goto bad;
@@ -405,7 +405,7 @@ static int validate_class_datum_wrapper(__attribute__((unused)) hashtab_key_t k,
return validate_class_datum(margs->handle, d, margs->flavors);
}
-static int validate_common_datum(sepol_handle_t *handle, common_datum_t *common)
+static int validate_common_datum(sepol_handle_t *handle, const common_datum_t *common)
{
if (common->permissions.nprim > PERM_SYMTAB_SIZE)
goto bad;
@@ -424,7 +424,7 @@ static int validate_common_datum_wrapper(__attribute__((unused)) hashtab_key_t k
return validate_common_datum(margs->handle, d);
}
-static int validate_role_datum(sepol_handle_t *handle, role_datum_t *role, validate_t flavors[])
+static int validate_role_datum(sepol_handle_t *handle, const role_datum_t *role, validate_t flavors[])
{
if (validate_value(role->s.value, &flavors[SYM_ROLES]))
goto bad;
@@ -451,7 +451,7 @@ static int validate_role_datum_wrapper(__attribute__((unused)) hashtab_key_t k,
return validate_role_datum(margs->handle, d, margs->flavors);
}
-static int validate_type_datum(sepol_handle_t *handle, type_datum_t *type, validate_t flavors[])
+static int validate_type_datum(sepol_handle_t *handle, const type_datum_t *type, validate_t flavors[])
{
if (validate_value(type->s.value, &flavors[SYM_TYPES]))
goto bad;
@@ -494,7 +494,7 @@ static int validate_type_datum_wrapper(__attribute__((unused)) hashtab_key_t k,
return validate_type_datum(margs->handle, d, margs->flavors);
}
-static int validate_mls_semantic_cat(mls_semantic_cat_t *cat, validate_t *cats)
+static int validate_mls_semantic_cat(const mls_semantic_cat_t *cat, const validate_t *cats)
{
for (; cat; cat = cat->next) {
if (validate_value(cat->low, cats))
@@ -509,7 +509,7 @@ bad:
return -1;
}
-static int validate_mls_semantic_level(mls_semantic_level_t *level, validate_t *sens, validate_t *cats)
+static int validate_mls_semantic_level(const mls_semantic_level_t *level, const validate_t *sens, const validate_t *cats)
{
if (level->sens == 0)
return 0;
@@ -524,7 +524,7 @@ bad:
return -1;
}
-static int validate_mls_semantic_range(mls_semantic_range_t *range, validate_t *sens, validate_t *cats)
+static int validate_mls_semantic_range(const mls_semantic_range_t *range, const validate_t *sens, const validate_t *cats)
{
if (validate_mls_semantic_level(&range->level[0], sens, cats))
goto bad;
@@ -537,7 +537,7 @@ bad:
return -1;
}
-static int validate_mls_level(mls_level_t *level, validate_t *sens, validate_t *cats)
+static int validate_mls_level(const mls_level_t *level, const validate_t *sens, const validate_t *cats)
{
if (validate_value(level->sens, sens))
goto bad;
@@ -558,7 +558,7 @@ static int validate_level_datum(__attribute__ ((unused)) hashtab_key_t k, hashta
return validate_mls_level(level->level, &flavors[SYM_LEVELS], &flavors[SYM_CATS]);
}
-static int validate_mls_range(mls_range_t *range, validate_t *sens, validate_t *cats)
+static int validate_mls_range(const mls_range_t *range, const validate_t *sens, const validate_t *cats)
{
if (validate_mls_level(&range->level[0], sens, cats))
goto bad;
@@ -571,7 +571,7 @@ static int validate_mls_range(mls_range_t *range, validate_t *sens, validate_t *
return -1;
}
-static int validate_user_datum(sepol_handle_t *handle, user_datum_t *user, validate_t flavors[], policydb_t *p)
+static int validate_user_datum(sepol_handle_t *handle, const user_datum_t *user, validate_t flavors[], const policydb_t *p)
{
if (validate_value(user->s.value, &flavors[SYM_USERS]))
goto bad;
@@ -602,7 +602,7 @@ static int validate_user_datum_wrapper(__attribute__((unused)) hashtab_key_t k,
return validate_user_datum(margs->handle, d, margs->flavors, margs->policy);
}
-static int validate_bool_datum(sepol_handle_t *handle, cond_bool_datum_t *boolean, validate_t flavors[])
+static int validate_bool_datum(sepol_handle_t *handle, const cond_bool_datum_t *boolean, validate_t flavors[])
{
if (validate_value(boolean->s.value, &flavors[SYM_BOOLS]))
goto bad;
@@ -637,7 +637,7 @@ static int validate_bool_datum_wrapper(__attribute__((unused)) hashtab_key_t k,
return validate_bool_datum(margs->handle, d, margs->flavors);
}
-static int validate_datum_array_gaps(sepol_handle_t *handle, policydb_t *p, validate_t flavors[])
+static int validate_datum_array_gaps(sepol_handle_t *handle, const policydb_t *p, validate_t flavors[])
{
unsigned int i;
@@ -687,7 +687,7 @@ static int validate_datum(__attribute__ ((unused))hashtab_key_t k, hashtab_datum
return !value_isvalid(s->value, *nprim);
}
-static int validate_datum_array_entries(sepol_handle_t *handle, policydb_t *p, validate_t flavors[])
+static int validate_datum_array_entries(sepol_handle_t *handle, const policydb_t *p, validate_t flavors[])
{
map_arg_t margs = { flavors, handle, p };
@@ -726,7 +726,7 @@ bad:
* Functions to validate a kernel policydb
*/
-static int validate_avtab_key(avtab_key_t *key, int conditional, validate_t flavors[])
+static int validate_avtab_key(const avtab_key_t *key, int conditional, validate_t flavors[])
{
if (validate_value(key->source_type, &flavors[SYM_TYPES]))
goto bad;
@@ -771,7 +771,7 @@ static int validate_avtab_key_and_datum(avtab_key_t *k, avtab_datum_t *d, void *
return 0;
}
-static int validate_avtab(sepol_handle_t *handle, avtab_t *avtab, validate_t flavors[])
+static int validate_avtab(sepol_handle_t *handle, const avtab_t *avtab, validate_t flavors[])
{
if (avtab_map(avtab, validate_avtab_key_and_datum, flavors)) {
ERR(handle, "Invalid avtab");
@@ -781,9 +781,9 @@ static int validate_avtab(sepol_handle_t *handle, avtab_t *avtab, validate_t fla
return 0;
}
-static int validate_cond_av_list(sepol_handle_t *handle, cond_av_list_t *cond_av, validate_t flavors[])
+static int validate_cond_av_list(sepol_handle_t *handle, const cond_av_list_t *cond_av, validate_t flavors[])
{
- avtab_ptr_t avtab_ptr;
+ const struct avtab_node *avtab_ptr;
for (; cond_av; cond_av = cond_av->next) {
for (avtab_ptr = cond_av->node; avtab_ptr; avtab_ptr = avtab_ptr->next) {
@@ -797,9 +797,9 @@ static int validate_cond_av_list(sepol_handle_t *handle, cond_av_list_t *cond_av
return 0;
}
-static int validate_avrules(sepol_handle_t *handle, avrule_t *avrule, int conditional, validate_t flavors[])
+static int validate_avrules(sepol_handle_t *handle, const avrule_t *avrule, int conditional, validate_t flavors[])
{
- class_perm_node_t *class;
+ const class_perm_node_t *class;
for (; avrule; avrule = avrule->next) {
if (validate_type_set(&avrule->stypes, &flavors[SYM_TYPES]))
@@ -862,7 +862,7 @@ bad:
return -1;
}
-static int validate_bool_id_array(sepol_handle_t *handle, uint32_t bool_ids[], unsigned int nbools, validate_t *bool)
+static int validate_bool_id_array(sepol_handle_t *handle, const uint32_t bool_ids[], unsigned int nbools, const validate_t *bool)
{
unsigned int i;
@@ -881,7 +881,7 @@ bad:
return -1;
}
-static int validate_cond_expr(sepol_handle_t *handle, struct cond_expr *expr, validate_t *bool)
+static int validate_cond_expr(sepol_handle_t *handle, const struct cond_expr *expr, const validate_t *bool)
{
int depth = -1;
@@ -922,7 +922,7 @@ bad:
return -1;
}
-static int validate_cond_list(sepol_handle_t *handle, cond_list_t *cond, validate_t flavors[])
+static int validate_cond_list(sepol_handle_t *handle, const cond_list_t *cond, validate_t flavors[])
{
for (; cond; cond = cond->next) {
if (validate_cond_expr(handle, cond->expr, &flavors[SYM_BOOLS]))
@@ -946,7 +946,7 @@ bad:
return -1;
}
-static int validate_role_transes(sepol_handle_t *handle, role_trans_t *role_trans, validate_t flavors[])
+static int validate_role_transes(sepol_handle_t *handle, const role_trans_t *role_trans, validate_t flavors[])
{
for (; role_trans; role_trans = role_trans->next) {
if (validate_value(role_trans->role, &flavors[SYM_ROLES]))
@@ -966,7 +966,7 @@ bad:
return -1;
}
-static int validate_role_allows(sepol_handle_t *handle, role_allow_t *role_allow, validate_t flavors[])
+static int validate_role_allows(sepol_handle_t *handle, const role_allow_t *role_allow, validate_t flavors[])
{
for (; role_allow; role_allow = role_allow->next) {
if (validate_value(role_allow->role, &flavors[SYM_ROLES]))
@@ -984,8 +984,8 @@ bad:
static int validate_filename_trans(hashtab_key_t k, hashtab_datum_t d, void *args)
{
- filename_trans_key_t *ftk = (filename_trans_key_t *)k;
- filename_trans_datum_t *ftd = d;
+ const filename_trans_key_t *ftk = (filename_trans_key_t *)k;
+ const filename_trans_datum_t *ftd = d;
validate_t *flavors = (validate_t *)args;
if (validate_value(ftk->ttype, &flavors[SYM_TYPES]))
@@ -1015,7 +1015,7 @@ static int validate_filename_trans_hashtab(sepol_handle_t *handle, hashtab_t fil
return 0;
}
-static int validate_context(context_struct_t *con, validate_t flavors[], int mls)
+static int validate_context(const context_struct_t *con, validate_t flavors[], int mls)
{
if (validate_value(con->user, &flavors[SYM_USERS]))
return -1;
@@ -1029,9 +1029,9 @@ static int validate_context(context_struct_t *con, validate_t flavors[], int mls
return 0;
}
-static int validate_ocontexts(sepol_handle_t *handle, policydb_t *p, validate_t flavors[])
+static int validate_ocontexts(sepol_handle_t *handle, const policydb_t *p, validate_t flavors[])
{
- ocontext_t *octx;
+ const ocontext_t *octx;
unsigned int i;
for (i = 0; i < OCON_NUM; i++) {
@@ -1067,10 +1067,10 @@ bad:
return -1;
}
-static int validate_genfs(sepol_handle_t *handle, policydb_t *p, validate_t flavors[])
+static int validate_genfs(sepol_handle_t *handle, const policydb_t *p, validate_t flavors[])
{
- genfs_t *genfs;
- ocontext_t *octx;
+ const genfs_t *genfs;
+ const ocontext_t *octx;
for (genfs = p->genfs; genfs; genfs = genfs->next) {
for (octx = genfs->head; octx; octx = octx->next) {
@@ -1090,7 +1090,7 @@ bad:
* Functions to validate a module policydb
*/
-static int validate_role_trans_rules(sepol_handle_t *handle, role_trans_rule_t *role_trans, validate_t flavors[])
+static int validate_role_trans_rules(sepol_handle_t *handle, const role_trans_rule_t *role_trans, validate_t flavors[])
{
for (; role_trans; role_trans = role_trans->next) {
if (validate_role_set(&role_trans->roles, &flavors[SYM_ROLES]))
@@ -1110,7 +1110,7 @@ bad:
return -1;
}
-static int validate_role_allow_rules(sepol_handle_t *handle, role_allow_rule_t *role_allow, validate_t flavors[])
+static int validate_role_allow_rules(sepol_handle_t *handle, const role_allow_rule_t *role_allow, validate_t flavors[])
{
for (; role_allow; role_allow = role_allow->next) {
if (validate_role_set(&role_allow->roles, &flavors[SYM_ROLES]))
@@ -1126,7 +1126,7 @@ bad:
return -1;
}
-static int validate_range_trans_rules(sepol_handle_t *handle, range_trans_rule_t *range_trans, validate_t flavors[])
+static int validate_range_trans_rules(sepol_handle_t *handle, const range_trans_rule_t *range_trans, validate_t flavors[])
{
for (; range_trans; range_trans = range_trans->next) {
if (validate_type_set(&range_trans->stypes, &flavors[SYM_TYPES]))
@@ -1146,7 +1146,7 @@ bad:
return -1;
}
-static int validate_scope_index(sepol_handle_t *handle, scope_index_t *scope_index, validate_t flavors[])
+static int validate_scope_index(sepol_handle_t *handle, const scope_index_t *scope_index, validate_t flavors[])
{
if (validate_ebitmap(&scope_index->p_classes_scope, &flavors[SYM_CLASSES]))
goto bad;
@@ -1173,7 +1173,7 @@ bad:
}
-static int validate_filename_trans_rules(sepol_handle_t *handle, filename_trans_rule_t *filename_trans, validate_t flavors[])
+static int validate_filename_trans_rules(sepol_handle_t *handle, const filename_trans_rule_t *filename_trans, validate_t flavors[])
{
for (; filename_trans; filename_trans = filename_trans->next) {
if (validate_type_set(&filename_trans->stypes, &flavors[SYM_TYPES]))
@@ -1197,7 +1197,7 @@ bad:
return -1;
}
-static int validate_symtabs(sepol_handle_t *handle, symtab_t symtabs[], validate_t flavors[])
+static int validate_symtabs(sepol_handle_t *handle, const symtab_t symtabs[], validate_t flavors[])
{
unsigned int i;
@@ -1211,9 +1211,9 @@ static int validate_symtabs(sepol_handle_t *handle, symtab_t symtabs[], validate
return 0;
}
-static int validate_avrule_blocks(sepol_handle_t *handle, avrule_block_t *avrule_block, validate_t flavors[])
+static int validate_avrule_blocks(sepol_handle_t *handle, const avrule_block_t *avrule_block, validate_t flavors[])
{
- avrule_decl_t *decl;
+ const avrule_decl_t *decl;
for (; avrule_block; avrule_block = avrule_block->next) {
for (decl = avrule_block->branch_list; decl != NULL; decl = decl->next) {
@@ -1253,7 +1253,7 @@ bad:
return -1;
}
-static int validate_permissives(sepol_handle_t *handle, policydb_t *p, validate_t flavors[])
+static int validate_permissives(sepol_handle_t *handle, const policydb_t *p, validate_t flavors[])
{
ebitmap_node_t *node;
unsigned i;
@@ -1270,7 +1270,7 @@ bad:
return -1;
}
-static int validate_properties(sepol_handle_t *handle, policydb_t *p)
+static int validate_properties(sepol_handle_t *handle, const policydb_t *p)
{
switch (p->policy_type) {
case POLICY_KERN:
@@ -1330,7 +1330,7 @@ static void validate_array_destroy(validate_t flavors[])
/*
* Validate policydb
*/
-int policydb_validate(sepol_handle_t *handle, policydb_t *p)
+int policydb_validate(sepol_handle_t *handle, const policydb_t *p)
{
validate_t flavors[SYM_NUM] = {};
diff --git a/libsepol/src/policydb_validate.h b/libsepol/src/policydb_validate.h
index b7f9f191..86a53168 100644
--- a/libsepol/src/policydb_validate.h
+++ b/libsepol/src/policydb_validate.h
@@ -4,4 +4,4 @@
#include <sepol/policydb/policydb.h>
int value_isvalid(uint32_t value, uint32_t nprim);
-int policydb_validate(sepol_handle_t *handle, policydb_t *p);
+int policydb_validate(sepol_handle_t *handle, const policydb_t *p);
--
2.36.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH v2 4/5] libsepol: rename parameter name
2022-07-21 15:24 [PATCH v2 1/5] libsepol: rename validate_policydb to policydb_validate Christian Göttsche
2022-07-21 15:24 ` [PATCH v2 2/5] libsepol: support const avtab_t pointer in avtab_map() Christian Göttsche
2022-07-21 15:24 ` [PATCH v2 3/5] libsepol: operate on const pointers during validation Christian Göttsche
@ 2022-07-21 15:24 ` Christian Göttsche
2022-07-21 15:24 ` [PATCH v2 5/5] libsepol: more strict validation Christian Göttsche
2022-08-01 18:48 ` [PATCH v2 1/5] libsepol: rename validate_policydb to policydb_validate James Carter
4 siblings, 0 replies; 7+ messages in thread
From: Christian Göttsche @ 2022-07-21 15:24 UTC (permalink / raw)
To: selinux
Do not use `bool` as a parameter name, for future C version support.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
libsepol/src/policydb_validate.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
index a567c411..0f399771 100644
--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@@ -862,7 +862,7 @@ bad:
return -1;
}
-static int validate_bool_id_array(sepol_handle_t *handle, const uint32_t bool_ids[], unsigned int nbools, const validate_t *bool)
+static int validate_bool_id_array(sepol_handle_t *handle, const uint32_t bool_ids[], unsigned int nbools, const validate_t *boolean)
{
unsigned int i;
@@ -870,7 +870,7 @@ static int validate_bool_id_array(sepol_handle_t *handle, const uint32_t bool_id
goto bad;
for (i=0; i < nbools; i++) {
- if (validate_value(bool_ids[i], bool))
+ if (validate_value(bool_ids[i], boolean))
goto bad;
}
@@ -881,14 +881,14 @@ bad:
return -1;
}
-static int validate_cond_expr(sepol_handle_t *handle, const struct cond_expr *expr, const validate_t *bool)
+static int validate_cond_expr(sepol_handle_t *handle, const struct cond_expr *expr, const validate_t *boolean)
{
int depth = -1;
for (; expr; expr = expr->next) {
switch(expr->expr_type) {
case COND_BOOL:
- if (validate_value(expr->bool, bool))
+ if (validate_value(expr->bool, boolean))
goto bad;
if (depth == (COND_EXPR_MAXDEPTH - 1))
goto bad;
--
2.36.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH v2 5/5] libsepol: more strict validation
2022-07-21 15:24 [PATCH v2 1/5] libsepol: rename validate_policydb to policydb_validate Christian Göttsche
` (2 preceding siblings ...)
2022-07-21 15:24 ` [PATCH v2 4/5] libsepol: rename parameter name Christian Göttsche
@ 2022-07-21 15:24 ` Christian Göttsche
2022-08-01 18:48 ` [PATCH v2 1/5] libsepol: rename validate_policydb to policydb_validate James Carter
4 siblings, 0 replies; 7+ messages in thread
From: Christian Göttsche @ 2022-07-21 15:24 UTC (permalink / raw)
To: selinux
Validate that
- each constraint has at least one expression
- classes reference a valid common class identifier
- the role flavor is either ROLE or ATTRIB
- types reference a valid primary identifier
- types refer to a raw type, not an attribute, as bounds
- extended permissions in avtabs have a valid specifier
- type av rules refer to a raw type (e.g. type_transition)
- conditionals have at least one expression
- the state and flags of conditionals are valid
- filename transitions have at least one datum
- low ports are not bigger than high ones in port ocontexts
- genfs declarations refer to a valid class identifier
- genfs declarations contains a filesystem name
- filename transitions refer to a raw type
- permissive types are raw ones
- the range transition hashmap is valid
- the type-attribute-maps are valid
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
v2:
only validate type_attr maps for policies since version 20
---
libsepol/src/policydb_validate.c | 259 +++++++++++++++++++++++++------
1 file changed, 209 insertions(+), 50 deletions(-)
diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
index 0f399771..521ea4ff 100644
--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@@ -48,6 +48,8 @@ static int validate_init(validate_t *flavor, char **val_to_name, uint32_t nprim)
static int validate_array_init(const policydb_t *p, validate_t flavors[])
{
+ if (validate_init(&flavors[SYM_COMMONS], p->p_common_val_to_name, p->p_commons.nprim))
+ goto bad;
if (validate_init(&flavors[SYM_CLASSES], p->p_class_val_to_name, p->p_classes.nprim))
goto bad;
if (validate_init(&flavors[SYM_ROLES], p->p_role_val_to_name, p->p_roles.nprim))
@@ -235,6 +237,9 @@ static int validate_constraint_nodes(sepol_handle_t *handle, unsigned int nperms
if (nperms > 0 && nperms != PERM_SYMTAB_SIZE && cons->permissions >= (UINT32_C(1) << nperms))
goto bad;
+ if (!cons->expr)
+ goto bad;
+
for (cexp = cons->expr; cexp; cexp = cexp->next) {
if (cexp->expr_type == CEXPR_NAMES) {
if (cexp->attr & CEXPR_XTARGET && nperms != 0)
@@ -339,10 +344,33 @@ bad:
return -1;
}
+static int validate_common_datum(sepol_handle_t *handle, const common_datum_t *common, validate_t flavors[])
+{
+ if (validate_value(common->s.value, &flavors[SYM_COMMONS]))
+ goto bad;
+ if (common->permissions.nprim > PERM_SYMTAB_SIZE)
+ goto bad;
+
+ return 0;
+
+bad:
+ ERR(handle, "Invalid common class datum");
+ return -1;
+}
+
+static int validate_common_datum_wrapper(__attribute__((unused)) hashtab_key_t k, hashtab_datum_t d, void *args)
+{
+ map_arg_t *margs = args;
+
+ return validate_common_datum(margs->handle, d, margs->flavors);
+}
+
static int validate_class_datum(sepol_handle_t *handle, const class_datum_t *class, validate_t flavors[])
{
if (validate_value(class->s.value, &flavors[SYM_CLASSES]))
goto bad;
+ if (class->comdatum && validate_common_datum(handle, class->comdatum, flavors))
+ goto bad;
if (class->permissions.nprim > PERM_SYMTAB_SIZE)
goto bad;
if (validate_constraint_nodes(handle, class->permissions.nprim, class->constraints, flavors))
@@ -405,25 +433,6 @@ static int validate_class_datum_wrapper(__attribute__((unused)) hashtab_key_t k,
return validate_class_datum(margs->handle, d, margs->flavors);
}
-static int validate_common_datum(sepol_handle_t *handle, const common_datum_t *common)
-{
- if (common->permissions.nprim > PERM_SYMTAB_SIZE)
- goto bad;
-
- return 0;
-
-bad:
- ERR(handle, "Invalid common class datum");
- return -1;
-}
-
-static int validate_common_datum_wrapper(__attribute__((unused)) hashtab_key_t k, hashtab_datum_t d, void *args)
-{
- map_arg_t *margs = args;
-
- return validate_common_datum(margs->handle, d);
-}
-
static int validate_role_datum(sepol_handle_t *handle, const role_datum_t *role, validate_t flavors[])
{
if (validate_value(role->s.value, &flavors[SYM_ROLES]))
@@ -437,6 +446,14 @@ static int validate_role_datum(sepol_handle_t *handle, const role_datum_t *role,
if (validate_ebitmap(&role->roles, &flavors[SYM_ROLES]))
goto bad;
+ switch(role->flavor) {
+ case ROLE_ROLE:
+ case ROLE_ATTRIB:
+ break;
+ default:
+ goto bad;
+ }
+
return 0;
bad:
@@ -451,19 +468,46 @@ static int validate_role_datum_wrapper(__attribute__((unused)) hashtab_key_t k,
return validate_role_datum(margs->handle, d, margs->flavors);
}
-static int validate_type_datum(sepol_handle_t *handle, const type_datum_t *type, validate_t flavors[])
+static int validate_simpletype(uint32_t value, const policydb_t *p, validate_t flavors[])
{
- if (validate_value(type->s.value, &flavors[SYM_TYPES]))
+ const type_datum_t *type;
+
+ if (validate_value(value, &flavors[SYM_TYPES]))
+ goto bad;
+
+ type = p->type_val_to_struct[value - 1];
+ if (!type)
goto bad;
- if (validate_ebitmap(&type->types, &flavors[SYM_TYPES]))
+
+ if (type->flavor == TYPE_ATTRIB)
+ goto bad;
+
+ return 0;
+
+bad:
+ return -1;
+}
+
+static int validate_type_datum(sepol_handle_t *handle, const type_datum_t *type, const policydb_t *p, validate_t flavors[])
+{
+ if (validate_value(type->s.value, &flavors[SYM_TYPES]))
goto bad;
- if (type->bounds && validate_value(type->bounds, &flavors[SYM_TYPES]))
+ if (type->primary && validate_value(type->primary, &flavors[SYM_TYPES]))
goto bad;
switch (type->flavor) {
case TYPE_TYPE:
- case TYPE_ATTRIB:
case TYPE_ALIAS:
+ if (!ebitmap_is_empty(&type->types))
+ goto bad;
+ if (type->bounds && validate_simpletype(type->bounds, p, flavors))
+ goto bad;
+ break;
+ case TYPE_ATTRIB:
+ if (validate_ebitmap(&type->types, &flavors[SYM_TYPES]))
+ goto bad;
+ if (type->bounds)
+ goto bad;
break;
default:
goto bad;
@@ -491,7 +535,7 @@ static int validate_type_datum_wrapper(__attribute__((unused)) hashtab_key_t k,
{
map_arg_t *margs = args;
- return validate_type_datum(margs->handle, d, margs->flavors);
+ return validate_type_datum(margs->handle, d, margs->policy, margs->flavors);
}
static int validate_mls_semantic_cat(const mls_semantic_cat_t *cat, const validate_t *cats)
@@ -758,22 +802,42 @@ bad:
return -1;
}
+static int validate_xperms(const avtab_extended_perms_t *xperms)
+{
+ switch (xperms->specified) {
+ case AVTAB_XPERMS_IOCTLDRIVER:
+ case AVTAB_XPERMS_IOCTLFUNCTION:
+ break;
+ default:
+ goto bad;
+ }
+
+ return 0;
+
+bad:
+ return -1;
+}
static int validate_avtab_key_and_datum(avtab_key_t *k, avtab_datum_t *d, void *args)
{
- validate_t *flavors = (validate_t *)args;
+ map_arg_t *margs = args;
+
+ if (validate_avtab_key(k, 0, margs->flavors))
+ return -1;
- if (validate_avtab_key(k, 0, flavors))
+ if ((k->specified & AVTAB_TYPE) && validate_simpletype(d->data, margs->policy, margs->flavors))
return -1;
- if ((k->specified & AVTAB_TYPE) && validate_value(d->data, &flavors[SYM_TYPES]))
+ if ((k->specified & AVTAB_XPERMS) && validate_xperms(d->xperms))
return -1;
return 0;
}
-static int validate_avtab(sepol_handle_t *handle, const avtab_t *avtab, validate_t flavors[])
+static int validate_avtab(sepol_handle_t *handle, const avtab_t *avtab, const policydb_t *p, validate_t flavors[])
{
- if (avtab_map(avtab, validate_avtab_key_and_datum, flavors)) {
+ map_arg_t margs = { flavors, handle, p };
+
+ if (avtab_map(avtab, validate_avtab_key_and_datum, &margs)) {
ERR(handle, "Invalid avtab");
return -1;
}
@@ -797,20 +861,15 @@ static int validate_cond_av_list(sepol_handle_t *handle, const cond_av_list_t *c
return 0;
}
-static int validate_avrules(sepol_handle_t *handle, const avrule_t *avrule, int conditional, validate_t flavors[])
+static int validate_avrules(sepol_handle_t *handle, const avrule_t *avrule, int conditional, const policydb_t *p, validate_t flavors[])
{
- const class_perm_node_t *class;
+ const class_perm_node_t *classperm;
for (; avrule; avrule = avrule->next) {
if (validate_type_set(&avrule->stypes, &flavors[SYM_TYPES]))
goto bad;
if (validate_type_set(&avrule->ttypes, &flavors[SYM_TYPES]))
goto bad;
- class = avrule->perms;
- for (; class; class = class->next) {
- if (validate_value(class->tclass, &flavors[SYM_CLASSES]))
- goto bad;
- }
switch(avrule->specified) {
case AVRULE_ALLOWED:
@@ -833,6 +892,13 @@ static int validate_avrules(sepol_handle_t *handle, const avrule_t *avrule, int
goto bad;
}
+ for (classperm = avrule->perms; classperm; classperm = classperm->next) {
+ if (validate_value(classperm->tclass, &flavors[SYM_CLASSES]))
+ goto bad;
+ if ((avrule->specified & AVRULE_TYPE) && validate_simpletype(classperm->data, p, flavors))
+ goto bad;
+ }
+
if (avrule->specified & AVRULE_XPERMS) {
if (!avrule->xperms)
goto bad;
@@ -885,6 +951,9 @@ static int validate_cond_expr(sepol_handle_t *handle, const struct cond_expr *ex
{
int depth = -1;
+ if (!expr)
+ goto bad;
+
for (; expr; expr = expr->next) {
switch(expr->expr_type) {
case COND_BOOL:
@@ -922,7 +991,7 @@ bad:
return -1;
}
-static int validate_cond_list(sepol_handle_t *handle, const cond_list_t *cond, validate_t flavors[])
+static int validate_cond_list(sepol_handle_t *handle, const cond_list_t *cond, const policydb_t *p, validate_t flavors[])
{
for (; cond; cond = cond->next) {
if (validate_cond_expr(handle, cond->expr, &flavors[SYM_BOOLS]))
@@ -931,12 +1000,28 @@ static int validate_cond_list(sepol_handle_t *handle, const cond_list_t *cond, v
goto bad;
if (validate_cond_av_list(handle, cond->false_list, flavors))
goto bad;
- if (validate_avrules(handle, cond->avtrue_list, 1, flavors))
+ if (validate_avrules(handle, cond->avtrue_list, 1, p, flavors))
goto bad;
- if (validate_avrules(handle, cond->avfalse_list, 1, flavors))
+ if (validate_avrules(handle, cond->avfalse_list, 1, p, flavors))
goto bad;
if (validate_bool_id_array(handle, cond->bool_ids, cond->nbools, &flavors[SYM_BOOLS]))
goto bad;
+
+ switch (cond->cur_state) {
+ case 0:
+ case 1:
+ break;
+ default:
+ goto bad;
+ }
+
+ switch (cond->flags) {
+ case 0:
+ case COND_NODE_FLAGS_TUNABLE:
+ break;
+ default:
+ goto bad;
+ }
}
return 0;
@@ -992,6 +1077,8 @@ static int validate_filename_trans(hashtab_key_t k, hashtab_datum_t d, void *arg
goto bad;
if (validate_value(ftk->tclass, &flavors[SYM_CLASSES]))
goto bad;
+ if (!ftd)
+ goto bad;
for (; ftd; ftd = ftd->next) {
if (validate_ebitmap(&ftd->stypes, &flavors[SYM_TYPES]))
goto bad;
@@ -1046,6 +1133,10 @@ static int validate_ocontexts(sepol_handle_t *handle, const policydb_t *p, valid
if (validate_context(&octx->context[1], flavors, p->mls))
goto bad;
break;
+ case OCON_PORT:
+ if (octx->u.port.low_port > octx->u.port.high_port)
+ goto bad;
+ break;
case OCON_FSUSE:
switch (octx->v.behavior) {
case SECURITY_FS_USE_XATTR:
@@ -1076,7 +1167,12 @@ static int validate_genfs(sepol_handle_t *handle, const policydb_t *p, validate_
for (octx = genfs->head; octx; octx = octx->next) {
if (validate_context(&octx->context[0], flavors, p->mls))
goto bad;
+ if (octx->v.sclass && validate_value(octx->v.sclass, &flavors[SYM_CLASSES]))
+ goto bad;
}
+
+ if (!genfs->fstype)
+ goto bad;
}
return 0;
@@ -1173,7 +1269,7 @@ bad:
}
-static int validate_filename_trans_rules(sepol_handle_t *handle, const filename_trans_rule_t *filename_trans, validate_t flavors[])
+static int validate_filename_trans_rules(sepol_handle_t *handle, const filename_trans_rule_t *filename_trans, const policydb_t *p, validate_t flavors[])
{
for (; filename_trans; filename_trans = filename_trans->next) {
if (validate_type_set(&filename_trans->stypes, &flavors[SYM_TYPES]))
@@ -1182,7 +1278,7 @@ static int validate_filename_trans_rules(sepol_handle_t *handle, const filename_
goto bad;
if (validate_value(filename_trans->tclass,&flavors[SYM_CLASSES] ))
goto bad;
- if (validate_value(filename_trans->otype, &flavors[SYM_TYPES]))
+ if (validate_simpletype(filename_trans->otype, p, flavors))
goto bad;
/* currently only the RULE_SELF flag can be set */
@@ -1211,15 +1307,15 @@ static int validate_symtabs(sepol_handle_t *handle, const symtab_t symtabs[], va
return 0;
}
-static int validate_avrule_blocks(sepol_handle_t *handle, const avrule_block_t *avrule_block, validate_t flavors[])
+static int validate_avrule_blocks(sepol_handle_t *handle, const avrule_block_t *avrule_block, const policydb_t *p, validate_t flavors[])
{
const avrule_decl_t *decl;
for (; avrule_block; avrule_block = avrule_block->next) {
for (decl = avrule_block->branch_list; decl != NULL; decl = decl->next) {
- if (validate_cond_list(handle, decl->cond_list, flavors))
+ if (validate_cond_list(handle, decl->cond_list, p, flavors))
goto bad;
- if (validate_avrules(handle, decl->avrules, 0, flavors))
+ if (validate_avrules(handle, decl->avrules, 0, p, flavors))
goto bad;
if (validate_role_trans_rules(handle, decl->role_tr_rules, flavors))
goto bad;
@@ -1231,7 +1327,7 @@ static int validate_avrule_blocks(sepol_handle_t *handle, const avrule_block_t *
goto bad;
if (validate_scope_index(handle, &decl->declared, flavors))
goto bad;
- if (validate_filename_trans_rules(handle, decl->filename_trans_rules, flavors))
+ if (validate_filename_trans_rules(handle, decl->filename_trans_rules, p, flavors))
goto bad;
if (validate_symtabs(handle, decl->symtab, flavors))
goto bad;
@@ -1259,7 +1355,7 @@ static int validate_permissives(sepol_handle_t *handle, const policydb_t *p, val
unsigned i;
ebitmap_for_each_positive_bit(&p->permissive_map, node, i) {
- if (validate_value(i, &flavors[SYM_TYPES]))
+ if (validate_simpletype(i, p, flavors))
goto bad;
}
@@ -1270,6 +1366,61 @@ bad:
return -1;
}
+static int validate_range_transition(hashtab_key_t key, hashtab_datum_t data, void *args)
+{
+ const range_trans_t *rt = (const range_trans_t *)key;
+ const mls_range_t *r = data;
+ const map_arg_t *margs = args;
+ const validate_t *flavors = margs->flavors;
+
+ if (validate_value(rt->source_type, &flavors[SYM_TYPES]))
+ goto bad;
+ if (validate_value(rt->target_type, &flavors[SYM_TYPES]))
+ goto bad;
+ if (validate_value(rt->target_class, &flavors[SYM_CLASSES]))
+ goto bad;
+
+ if (validate_mls_range(r, &flavors[SYM_LEVELS], &flavors[SYM_CATS]))
+ goto bad;
+
+ return 0;
+
+bad:
+ return -1;
+}
+
+static int validate_range_transitions(sepol_handle_t *handle, const policydb_t *p, validate_t flavors[])
+{
+ map_arg_t margs = { flavors, handle, p };
+
+ if (hashtab_map(p->range_tr, validate_range_transition, &margs)) {
+ ERR(handle, "Invalid range transition");
+ return -1;
+ }
+
+ return 0;
+}
+
+static int validate_typeattr_map(sepol_handle_t *handle, const policydb_t *p, validate_t flavors[])
+{
+ const ebitmap_t *maps = p->type_attr_map;
+ unsigned int i;
+
+ if (p->policy_type == POLICY_KERN) {
+ for (i = 0; i < p->p_types.nprim; i++) {
+ if (validate_ebitmap(&maps[i], &flavors[SYM_TYPES]))
+ goto bad;
+ }
+ } else if (maps)
+ goto bad;
+
+ return 0;
+
+bad:
+ ERR(handle, "Invalid type attr map");
+ return -1;
+}
+
static int validate_properties(sepol_handle_t *handle, const policydb_t *p)
{
switch (p->policy_type) {
@@ -1341,10 +1492,10 @@ int policydb_validate(sepol_handle_t *handle, const policydb_t *p)
goto bad;
if (p->policy_type == POLICY_KERN) {
- if (validate_avtab(handle, &p->te_avtab, flavors))
+ if (validate_avtab(handle, &p->te_avtab, p, flavors))
goto bad;
if (p->policyvers >= POLICYDB_VERSION_BOOL)
- if (validate_cond_list(handle, p->cond_list, flavors))
+ if (validate_cond_list(handle, p->cond_list, p, flavors))
goto bad;
if (validate_role_transes(handle, p->role_tr, flavors))
goto bad;
@@ -1354,7 +1505,7 @@ int policydb_validate(sepol_handle_t *handle, const policydb_t *p)
if (validate_filename_trans_hashtab(handle, p->filename_trans, flavors))
goto bad;
} else {
- if (validate_avrule_blocks(handle, p->global, flavors))
+ if (validate_avrule_blocks(handle, p->global, p, flavors))
goto bad;
}
@@ -1376,6 +1527,14 @@ int policydb_validate(sepol_handle_t *handle, const policydb_t *p)
if (validate_permissives(handle, p, flavors))
goto bad;
+ if (validate_range_transitions(handle, p, flavors))
+ goto bad;
+
+ if (p->policyvers >= POLICYDB_VERSION_AVTAB) {
+ if (validate_typeattr_map(handle, p, flavors))
+ goto bad;
+ }
+
validate_array_destroy(flavors);
return 0;
--
2.36.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH v2 1/5] libsepol: rename validate_policydb to policydb_validate
2022-07-21 15:24 [PATCH v2 1/5] libsepol: rename validate_policydb to policydb_validate Christian Göttsche
` (3 preceding siblings ...)
2022-07-21 15:24 ` [PATCH v2 5/5] libsepol: more strict validation Christian Göttsche
@ 2022-08-01 18:48 ` James Carter
2022-08-09 15:20 ` James Carter
4 siblings, 1 reply; 7+ messages in thread
From: James Carter @ 2022-08-01 18:48 UTC (permalink / raw)
To: Christian Göttsche; +Cc: SElinux list
On Thu, Jul 21, 2022 at 11:34 AM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> Most global functions operating on a policy database use policydb as
> prefix.
>
> Since this function is not exported there should not be any external
> use.
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
For this series:
Acked-by: James Carter <jwcart2@gmail.com>
> ---
> libsepol/src/policydb.c | 2 +-
> libsepol/src/policydb_validate.c | 2 +-
> libsepol/src/policydb_validate.h | 2 +-
> 3 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
> index fc260eb6..8a65df05 100644
> --- a/libsepol/src/policydb.c
> +++ b/libsepol/src/policydb.c
> @@ -4570,7 +4570,7 @@ int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose)
> }
> }
>
> - if (validate_policydb(fp->handle, p))
> + if (policydb_validate(fp->handle, p))
> goto bad;
>
> return POLICYDB_SUCCESS;
> diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
> index 99d4eb7f..e1dad236 100644
> --- a/libsepol/src/policydb_validate.c
> +++ b/libsepol/src/policydb_validate.c
> @@ -1330,7 +1330,7 @@ static void validate_array_destroy(validate_t flavors[])
> /*
> * Validate policydb
> */
> -int validate_policydb(sepol_handle_t *handle, policydb_t *p)
> +int policydb_validate(sepol_handle_t *handle, policydb_t *p)
> {
> validate_t flavors[SYM_NUM] = {};
>
> diff --git a/libsepol/src/policydb_validate.h b/libsepol/src/policydb_validate.h
> index d9f7229b..b7f9f191 100644
> --- a/libsepol/src/policydb_validate.h
> +++ b/libsepol/src/policydb_validate.h
> @@ -4,4 +4,4 @@
> #include <sepol/policydb/policydb.h>
>
> int value_isvalid(uint32_t value, uint32_t nprim);
> -int validate_policydb(sepol_handle_t *handle, policydb_t *p);
> +int policydb_validate(sepol_handle_t *handle, policydb_t *p);
> --
> 2.36.1
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v2 1/5] libsepol: rename validate_policydb to policydb_validate
2022-08-01 18:48 ` [PATCH v2 1/5] libsepol: rename validate_policydb to policydb_validate James Carter
@ 2022-08-09 15:20 ` James Carter
0 siblings, 0 replies; 7+ messages in thread
From: James Carter @ 2022-08-09 15:20 UTC (permalink / raw)
To: Christian Göttsche; +Cc: SElinux list
On Mon, Aug 1, 2022 at 2:48 PM James Carter <jwcart2@gmail.com> wrote:
>
> On Thu, Jul 21, 2022 at 11:34 AM Christian Göttsche
> <cgzones@googlemail.com> wrote:
> >
> > Most global functions operating on a policy database use policydb as
> > prefix.
> >
> > Since this function is not exported there should not be any external
> > use.
> >
> > Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
>
> For this series:
> Acked-by: James Carter <jwcart2@gmail.com>
>
This series has been merged.
Thanks,
Jim
>
> > ---
> > libsepol/src/policydb.c | 2 +-
> > libsepol/src/policydb_validate.c | 2 +-
> > libsepol/src/policydb_validate.h | 2 +-
> > 3 files changed, 3 insertions(+), 3 deletions(-)
> >
> > diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
> > index fc260eb6..8a65df05 100644
> > --- a/libsepol/src/policydb.c
> > +++ b/libsepol/src/policydb.c
> > @@ -4570,7 +4570,7 @@ int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose)
> > }
> > }
> >
> > - if (validate_policydb(fp->handle, p))
> > + if (policydb_validate(fp->handle, p))
> > goto bad;
> >
> > return POLICYDB_SUCCESS;
> > diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
> > index 99d4eb7f..e1dad236 100644
> > --- a/libsepol/src/policydb_validate.c
> > +++ b/libsepol/src/policydb_validate.c
> > @@ -1330,7 +1330,7 @@ static void validate_array_destroy(validate_t flavors[])
> > /*
> > * Validate policydb
> > */
> > -int validate_policydb(sepol_handle_t *handle, policydb_t *p)
> > +int policydb_validate(sepol_handle_t *handle, policydb_t *p)
> > {
> > validate_t flavors[SYM_NUM] = {};
> >
> > diff --git a/libsepol/src/policydb_validate.h b/libsepol/src/policydb_validate.h
> > index d9f7229b..b7f9f191 100644
> > --- a/libsepol/src/policydb_validate.h
> > +++ b/libsepol/src/policydb_validate.h
> > @@ -4,4 +4,4 @@
> > #include <sepol/policydb/policydb.h>
> >
> > int value_isvalid(uint32_t value, uint32_t nprim);
> > -int validate_policydb(sepol_handle_t *handle, policydb_t *p);
> > +int policydb_validate(sepol_handle_t *handle, policydb_t *p);
> > --
> > 2.36.1
> >
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2022-08-09 15:20 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-07-21 15:24 [PATCH v2 1/5] libsepol: rename validate_policydb to policydb_validate Christian Göttsche
2022-07-21 15:24 ` [PATCH v2 2/5] libsepol: support const avtab_t pointer in avtab_map() Christian Göttsche
2022-07-21 15:24 ` [PATCH v2 3/5] libsepol: operate on const pointers during validation Christian Göttsche
2022-07-21 15:24 ` [PATCH v2 4/5] libsepol: rename parameter name Christian Göttsche
2022-07-21 15:24 ` [PATCH v2 5/5] libsepol: more strict validation Christian Göttsche
2022-08-01 18:48 ` [PATCH v2 1/5] libsepol: rename validate_policydb to policydb_validate James Carter
2022-08-09 15:20 ` James Carter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).