Snap for 6439596 from 2d3cc3b458831550a4a1caccd03c98a4a0def064 to qt-aml-tzdata-release
Change-Id: I2943645bc1ed55640c5b496be165ac1f2c3f4c94
diff --git a/checkpolicy/checkmodule.8 b/checkpolicy/checkmodule.8
index e55582f..cf76591 100644
--- a/checkpolicy/checkmodule.8
+++ b/checkpolicy/checkmodule.8
@@ -38,7 +38,7 @@
Enable the MLS/MCS support when checking and compiling the policy module.
.TP
.B \-V,\-\-version
-Show policy versions created by this program.
+ Show policy versions created by this program. Note that you cannot currently build older versions.
.TP
.B \-o,\-\-output filename
Write a binary policy module file to the specified filename.
@@ -47,9 +47,6 @@
.TP
.B \-U,\-\-handle-unknown <action>
Specify how the kernel should handle unknown classes or permissions (deny, allow or reject).
-.TP
-.B \-c policyvers
-Specify the policy version, defaults to the latest.
.SH EXAMPLE
.nf
diff --git a/checkpolicy/checkmodule.c b/checkpolicy/checkmodule.c
index c9efaf8..8edc1f8 100644
--- a/checkpolicy/checkmodule.c
+++ b/checkpolicy/checkmodule.c
@@ -142,8 +142,6 @@
printf(" -m build a policy module instead of a base module\n");
printf(" -M enable MLS policy\n");
printf(" -o FILE write module to FILE (else just check syntax)\n");
- printf(" -c VERSION build a policy module targeting a modular policy version (%d-%d)\n",
- MOD_POLICYDB_VERSION_MIN, MOD_POLICYDB_VERSION_MAX);
exit(1);
}
@@ -165,7 +163,7 @@
{NULL, 0, NULL, 0}
};
- while ((ch = getopt_long(argc, argv, "ho:bVU:mMCc:", long_options, NULL)) != -1) {
+ while ((ch = getopt_long(argc, argv, "ho:bVU:mMC", long_options, NULL)) != -1) {
switch (ch) {
case 'h':
usage(argv[0]);
@@ -196,6 +194,7 @@
usage(argv[0]);
case 'm':
policy_type = POLICY_MOD;
+ policyvers = MOD_POLICYDB_VERSION_MAX;
break;
case 'M':
mlspol = 1;
@@ -203,29 +202,6 @@
case 'C':
cil = 1;
break;
- case 'c': {
- long int n;
- errno = 0;
- n = strtol(optarg, NULL, 10);
- if (errno) {
- fprintf(stderr,
- "Invalid policyvers specified: %s\n",
- optarg);
- usage(argv[0]);
- }
-
- if (n < MOD_POLICYDB_VERSION_MIN
- || n > MOD_POLICYDB_VERSION_MAX) {
- fprintf(stderr,
- "policyvers value %ld not in range %d-%d\n",
- n, MOD_POLICYDB_VERSION_MIN,
- MOD_POLICYDB_VERSION_MAX);
- usage(argv[0]);
- }
-
- policyvers = n;
- break;
- }
default:
usage(argv[0]);
}
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index db14383..ece10e7 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -1210,7 +1210,10 @@
flags = TYPE_FLAGS_EXPAND_ATTR_FALSE;
}
- ebitmap_for_each_positive_bit(&attrs, node, i) {
+ ebitmap_for_each_bit(&attrs, node, i) {
+ if (!ebitmap_node_get_bit(node, i)){
+ continue;
+ }
attr = hashtab_search(policydbp->p_types.table,
policydbp->sym_val_to_name[SYM_TYPES][i]);
attr->flags |= flags;
@@ -1670,17 +1673,19 @@
}
free(id);
- ebitmap_for_each_positive_bit(&tclasses, node, i) {
- perm = malloc(sizeof(class_perm_node_t));
- if (!perm) {
- yyerror("out of memory");
- goto bad;
+ ebitmap_for_each_bit(&tclasses, node, i) {
+ if (ebitmap_node_get_bit(node, i)) {
+ perm = malloc(sizeof(class_perm_node_t));
+ if (!perm) {
+ yyerror("out of memory");
+ goto bad;
+ }
+ class_perm_node_init(perm);
+ perm->tclass = i + 1;
+ perm->data = datum->s.value;
+ perm->next = avrule->perms;
+ avrule->perms = perm;
}
- class_perm_node_init(perm);
- perm->tclass = i + 1;
- perm->data = datum->s.value;
- perm->next = avrule->perms;
- avrule->perms = perm;
}
ebitmap_destroy(&tclasses);
@@ -2096,7 +2101,9 @@
perms = NULL;
id = queue_head(id_queue);
- ebitmap_for_each_positive_bit(&tclasses, node, i) {
+ ebitmap_for_each_bit(&tclasses, node, i) {
+ if (!ebitmap_node_get_bit(node, i))
+ continue;
cur_perms =
(class_perm_node_t *) malloc(sizeof(class_perm_node_t));
if (!cur_perms) {
@@ -2558,7 +2565,9 @@
goto out;
perms = NULL;
- ebitmap_for_each_positive_bit(&tclasses, node, i) {
+ ebitmap_for_each_bit(&tclasses, node, i) {
+ if (!ebitmap_node_get_bit(node, i))
+ continue;
cur_perms =
(class_perm_node_t *) malloc(sizeof(class_perm_node_t));
if (!cur_perms) {
@@ -2577,7 +2586,9 @@
while ((id = queue_remove(id_queue))) {
cur_perms = perms;
- ebitmap_for_each_positive_bit(&tclasses, node, i) {
+ ebitmap_for_each_bit(&tclasses, node, i) {
+ if (!ebitmap_node_get_bit(node, i))
+ continue;
cladatum = policydbp->class_val_to_struct[i];
if (strcmp(id, "*") == 0) {
@@ -2919,13 +2930,17 @@
return -1;
}
/* raise types and dominates from dominated role */
- ebitmap_for_each_positive_bit(&rdp->dominates, node, i) {
- if (ebitmap_set_bit(&rdatum->dominates, i, TRUE))
- goto oom;
+ ebitmap_for_each_bit(&rdp->dominates, node, i) {
+ if (ebitmap_node_get_bit(node, i))
+ if (ebitmap_set_bit
+ (&rdatum->dominates, i, TRUE))
+ goto oom;
}
- ebitmap_for_each_positive_bit(&types, node, i) {
- if (ebitmap_set_bit(&rdatum->types.types, i, TRUE))
- goto oom;
+ ebitmap_for_each_bit(&types, node, i) {
+ if (ebitmap_node_get_bit(node, i))
+ if (ebitmap_set_bit
+ (&rdatum->types.types, i, TRUE))
+ goto oom;
}
ebitmap_destroy(&types);
}
@@ -3003,17 +3018,20 @@
if (r) {
ebitmap_t types;
ebitmap_init(&types);
- ebitmap_for_each_positive_bit(&r->dominates, node, i) {
- if (ebitmap_set_bit(&role->dominates, i, TRUE))
- goto oom;
+ ebitmap_for_each_bit(&r->dominates, node, i) {
+ if (ebitmap_node_get_bit(node, i))
+ if (ebitmap_set_bit(&role->dominates, i, TRUE))
+ goto oom;
}
if (type_set_expand(&r->types, &types, policydbp, 1)) {
ebitmap_destroy(&types);
return NULL;
}
- ebitmap_for_each_positive_bit(&types, node, i) {
- if (ebitmap_set_bit(&role->types.types, i, TRUE))
- goto oom;
+ ebitmap_for_each_bit(&types, node, i) {
+ if (ebitmap_node_get_bit(node, i))
+ if (ebitmap_set_bit
+ (&role->types.types, i, TRUE))
+ goto oom;
}
ebitmap_destroy(&types);
if (!r->s.value) {
@@ -3196,9 +3214,15 @@
if (type_set_expand(&types, &e_types, policydbp, 1))
goto bad;
- ebitmap_for_each_positive_bit(&e_roles, rnode, i) {
- ebitmap_for_each_positive_bit(&e_types, tnode, j) {
- ebitmap_for_each_positive_bit(&e_classes, cnode, k) {
+ ebitmap_for_each_bit(&e_roles, rnode, i) {
+ if (!ebitmap_node_get_bit(rnode, i))
+ continue;
+ ebitmap_for_each_bit(&e_types, tnode, j) {
+ if (!ebitmap_node_get_bit(tnode, j))
+ continue;
+ ebitmap_for_each_bit(&e_classes, cnode, k) {
+ if (!ebitmap_node_get_bit(cnode, k))
+ continue;
for (tr = policydbp->role_tr; tr;
tr = tr->next) {
if (tr->role == (i + 1) &&
@@ -3386,9 +3410,16 @@
if (type_set_expand(&ttypes, &e_ttypes, policydbp, 1))
goto bad;
- ebitmap_for_each_positive_bit(&e_tclasses, cnode, c) {
- ebitmap_for_each_positive_bit(&e_stypes, snode, s) {
- ebitmap_for_each_positive_bit(&e_ttypes, tnode, t) {
+ ebitmap_for_each_bit(&e_tclasses, cnode, c) {
+ if (!ebitmap_node_get_bit(cnode, c))
+ continue;
+ ebitmap_for_each_bit(&e_stypes, snode, s) {
+ if (!ebitmap_node_get_bit(snode, s))
+ continue;
+ ebitmap_for_each_bit(&e_ttypes, tnode, t) {
+ if (!ebitmap_node_get_bit(tnode, t))
+ continue;
+
ft = calloc(1, sizeof(*ft));
if (!ft) {
yyerror("out of memory");
@@ -3621,36 +3652,39 @@
}
while ((id = queue_remove(id_queue))) {
- ebitmap_for_each_positive_bit(&classmap, enode, i) {
- cladatum = policydbp->class_val_to_struct[i];
- node = cladatum->constraints;
+ ebitmap_for_each_bit(&classmap, enode, i) {
+ if (ebitmap_node_get_bit(enode, i)) {
+ cladatum = policydbp->class_val_to_struct[i];
+ node = cladatum->constraints;
- perdatum =
- (perm_datum_t *) hashtab_search(cladatum->
- permissions.
- table,
- (hashtab_key_t)
- id);
- if (!perdatum) {
- if (cladatum->comdatum) {
- perdatum =
- (perm_datum_t *)
- hashtab_search(cladatum->
- comdatum->
- permissions.
- table,
- (hashtab_key_t)
- id);
- }
+ perdatum =
+ (perm_datum_t *) hashtab_search(cladatum->
+ permissions.
+ table,
+ (hashtab_key_t)
+ id);
if (!perdatum) {
- yyerror2("permission %s is not"
- " defined", id);
- free(id);
- ebitmap_destroy(&classmap);
- return -1;
+ if (cladatum->comdatum) {
+ perdatum =
+ (perm_datum_t *)
+ hashtab_search(cladatum->
+ comdatum->
+ permissions.
+ table,
+ (hashtab_key_t)
+ id);
+ }
+ if (!perdatum) {
+ yyerror2("permission %s is not"
+ " defined", id);
+ free(id);
+ ebitmap_destroy(&classmap);
+ return -1;
+ }
}
+ node->permissions |=
+ (1 << (perdatum->s.value - 1));
}
- node->permissions |= (1 << (perdatum->s.value - 1));
}
free(id);
}
@@ -4145,9 +4179,10 @@
}
/* set the role and every role it dominates */
- ebitmap_for_each_positive_bit(&r->dominates, node, i) {
- if (ebitmap_set_bit(&set->roles, i, TRUE))
- goto oom;
+ ebitmap_for_each_bit(&r->dominates, node, i) {
+ if (ebitmap_node_get_bit(node, i))
+ if (ebitmap_set_bit(&set->roles, i, TRUE))
+ goto oom;
}
free(id);
return 0;
diff --git a/checkpolicy/ru/checkpolicy.8 b/checkpolicy/ru/checkpolicy.8
index 2ad39b8..b2868e7 100644
--- a/checkpolicy/ru/checkpolicy.8
+++ b/checkpolicy/ru/checkpolicy.8
@@ -3,7 +3,7 @@
checkpolicy \- компилятор политики SELinux
.SH ОБЗОР
.B checkpolicy
-.I "[\-b[F]] [\-C] [\-d] [\-U handle_unknown (allow,deny,reject)] [\-M] [\-c policyvers] [\-o output_file] [\-S] [\-t target_platform (selinux,xen)] [\-V] [input_file]"
+.I "[\-b[F]] [\-C] [\-d] [\-M] [\-c policyvers] [\-o output_file] [input_file]"
.br
.SH "ОПИСАНИЕ"
Эта страница руководства содержит описание команды
@@ -17,33 +17,30 @@
.B \-b,\-\-binary
Прочитать существующий двоичный файл политики, а не исходный файл policy.conf.
.TP
-.B \-F,\-\-conf
-Записать файл policy.conf, а не двоичный файл политики. Этот параметр можно использовать только при работе с двоичным файлом политики.
-.TP
.B \-C,\-\-cil
Записать файл политики CIL, а не двоичный файл политики.
.TP
.B \-d,\-\-debug
Войти в режим отладки после загрузки политики.
.TP
-.B \-U,\-\-handle-unknown <action>
-Указать, как ядро должно обрабатывать неизвестные классы или разрешения (запрещать, разрешать или отклонять).
+.B \-F,\-\-conf
+Записать файл policy.conf, а не двоичный файл политики. Этот параметр можно использовать только при работе с двоичным файлом политики.
.TP
.B \-M,\-\-mls
Включить политику MLS при проверке и компиляции политики.
.TP
-.B \-c policyvers
-Указать версию политики (по умолчанию используется последняя).
-.TP
.B \-o,\-\-output filename
Записать двоичный файл политики с указанным именем файла.
.TP
-.B \-S,\-\-sort
-Сортировать прочие контексты (ocontexts) перед записью двоичной политики. Этот параметр позволяет задать соответствие вывода checkpolicy двоичным политикам, созданным с помощью semanage и secilc.
+.B \-c policyvers
+Указать версию политики (по умолчанию используется последняя).
.TP
.B \-t,\-\-target
Указать целевую платформу (selinux или xen).
.TP
+.B \-U,\-\-handle-unknown <action>
+Указать, как ядро должно обрабатывать неизвестные классы или разрешения (запрещать, разрешать или отклонять).
+.TP
.B \-V,\-\-version
Показать сведения о версии.
.TP
diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c
index 996cf33..d5c7eea 100644
--- a/checkpolicy/test/dismod.c
+++ b/checkpolicy/test/dismod.c
@@ -825,13 +825,15 @@
unsigned int i;
fprintf(fp, "policy capabilities:\n");
- ebitmap_for_each_positive_bit(&p->policycaps, node, i) {
- capname = sepol_polcap_getname(i);
- if (capname == NULL) {
- snprintf(buf, sizeof(buf), "unknown (%d)", i);
- capname = buf;
+ ebitmap_for_each_bit(&p->policycaps, node, i) {
+ if (ebitmap_node_get_bit(node, i)) {
+ capname = sepol_polcap_getname(i);
+ if (capname == NULL) {
+ snprintf(buf, sizeof(buf), "unknown (%d)", i);
+ capname = buf;
+ }
+ fprintf(fp, "\t%s\n", capname);
}
- fprintf(fp, "\t%s\n", capname);
}
}
@@ -901,14 +903,14 @@
}
if (policydb.policy_type == POLICY_BASE) {
- printf("Binary base policy file loaded.\n");
+ printf("Binary base policy file loaded.\n\n");
} else {
printf("Binary policy module file loaded.\n");
printf("Module name: %s\n", policydb.name);
printf("Module version: %s\n", policydb.version);
+ printf("\n");
}
- printf("Policy version: %d\n\n", policydb.policyvers);
menu();
for (;;) {
printf("\nCommand (\'m\' for menu): ");
diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
index d72d9fb..ee0f5f6 100644
--- a/checkpolicy/test/dispol.c
+++ b/checkpolicy/test/dispol.c
@@ -282,13 +282,15 @@
unsigned int i;
fprintf(fp, "policy capabilities:\n");
- ebitmap_for_each_positive_bit(&p->policycaps, node, i) {
- capname = sepol_polcap_getname(i);
- if (capname == NULL) {
- snprintf(buf, sizeof(buf), "unknown (%d)", i);
- capname = buf;
+ ebitmap_for_each_bit(&p->policycaps, node, i) {
+ if (ebitmap_node_get_bit(node, i)) {
+ capname = sepol_polcap_getname(i);
+ if (capname == NULL) {
+ snprintf(buf, sizeof(buf), "unknown (%d)", i);
+ capname = buf;
+ }
+ fprintf(fp, "\t%s\n", capname);
}
- fprintf(fp, "\t%s\n", capname);
}
}
@@ -305,10 +307,12 @@
unsigned int i;
fprintf(fp, "permissive sids:\n");
- ebitmap_for_each_positive_bit(&p->permissive_map, node, i) {
- fprintf(fp, "\t");
- display_id(p, fp, SYM_TYPES, i - 1, "");
- fprintf(fp, "\n");
+ ebitmap_for_each_bit(&p->permissive_map, node, i) {
+ if (ebitmap_node_get_bit(node, i)) {
+ fprintf(fp, "\t");
+ display_id(p, fp, SYM_TYPES, i - 1, "");
+ fprintf(fp, "\n");
+ }
}
}
diff --git a/libselinux/Android.bp b/libselinux/Android.bp
index 51af69f..6833cba 100644
--- a/libselinux/Android.bp
+++ b/libselinux/Android.bp
@@ -77,6 +77,7 @@
],
shared_libs: [
+ "libcrypto",
"liblog",
],
@@ -91,9 +92,6 @@
local_include_dirs: ["include"],
export_include_dirs: ["include"],
-
- stl: "none",
- system_shared_libs: ["libc"],
}
cc_library {
diff --git a/libselinux/exported.map b/libselinux/exported.map
index fbc8acc..dd74294 100644
--- a/libselinux/exported.map
+++ b/libselinux/exported.map
@@ -25,6 +25,7 @@
selinux_android_hw_service_context_handle;
selinux_android_load_policy;
selinux_android_load_policy_from_fd;
+ selinux_android_prop_context_handle;
selinux_android_restorecon;
selinux_android_restorecon_pkgdir;
selinux_android_seapp_context_init;
diff --git a/libselinux/exported_vendor.map b/libselinux/exported_vendor.map
index ccd5fef..fd604fd 100644
--- a/libselinux/exported_vendor.map
+++ b/libselinux/exported_vendor.map
@@ -13,6 +13,7 @@
selabel_close;
selabel_lookup;
selabel_open;
+ selinux_android_prop_context_handle;
selinux_android_restorecon;
selinux_android_service_context_handle;
selinux_android_hw_service_context_handle;
diff --git a/libselinux/include/selinux/android.h b/libselinux/include/selinux/android.h
index 640ba2e..99fc9ef 100644
--- a/libselinux/include/selinux/android.h
+++ b/libselinux/include/selinux/android.h
@@ -13,6 +13,8 @@
extern struct selabel_handle* selinux_android_file_context_handle(void);
+extern struct selabel_handle* selinux_android_prop_context_handle(void);
+
extern struct selabel_handle* selinux_android_service_context_handle(void);
extern struct selabel_handle* selinux_android_hw_service_context_handle(void);
diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index f54f236..a34d54f 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -255,19 +255,6 @@
const char *username,
char *** con);
-/* Validate a transition. This determines whether a transition from scon to newcon
- using tcon as the target for object class tclass is valid in the loaded policy.
- This checks against the mlsvalidatetrans and validatetrans constraints in the loaded policy.
- Returns 0 if allowed and -1 if an error occured with errno set */
-extern int security_validatetrans(const char *scon,
- const char *tcon,
- security_class_t tclass,
- const char *newcon);
-extern int security_validatetrans_raw(const char *scon,
- const char *tcon,
- security_class_t tclass,
- const char *newcon);
-
/* Load a policy configuration. */
extern int security_load_policy(void *data, size_t len);
diff --git a/libselinux/man/man3/security_compute_av.3 b/libselinux/man/man3/security_compute_av.3
index a7181be..2aade5f 100644
--- a/libselinux/man/man3/security_compute_av.3
+++ b/libselinux/man/man3/security_compute_av.3
@@ -1,7 +1,7 @@
.TH "security_compute_av" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
.SH "NAME"
security_compute_av, security_compute_av_flags, security_compute_create, security_compute_create_name, security_compute_relabel,
-security_compute_member, security_compute_user, security_validatetrans, security_get_initial_context \- query
+security_compute_member, security_compute_user, security_get_initial_context \- query
the SELinux policy database in the kernel
.
.SH "SYNOPSIS"
@@ -35,10 +35,6 @@
.sp
.BI "int security_compute_user_raw(char *" scon ", const char *" username ", char ***" con );
.sp
-.BI "int security_validatetrans(char *" scon ", const char *" tcon ", security_class_t "tclass ", char *" newcon );
-.sp
-.BI "int security_validatetrans_raw(char *" scon ", const char *" tcon ", security_class_t "tclass ", char *" newcon );
-.sp
.BI "int security_get_initial_context(const char *" name ", char **" con );
.sp
.BI "int security_get_initial_context_raw(const char *" name ", char **" con );
@@ -104,12 +100,6 @@
source context. It is mainly used by
.BR get_ordered_context_list ().
-.BR security_validatetrans ()
-is used to determine if a transition from scon to newcon using tcon as the object
-is valid for object class tclass. This checks against the mlsvalidatetrans and
-validatetrans constraints in the loaded policy. Returns 0 if allowed, and -1
-if an error occured with errno set.
-
.BR security_get_initial_context ()
is used to get the context of a kernel initial security identifier specified by
.I name
@@ -121,7 +111,6 @@
.BR \%security_compute_relabel_raw (),
.BR \%security_compute_member_raw (),
.BR \%security_compute_user_raw ()
-.BR \%security_validatetrans_raw ()
and
.BR \%security_get_initial_context_raw ()
behave identically to their non-raw counterparts but do not perform context
diff --git a/libselinux/man/man3/security_validatetrans.c b/libselinux/man/man3/security_validatetrans.c
deleted file mode 100644
index a60bca4..0000000
--- a/libselinux/man/man3/security_validatetrans.c
+++ /dev/null
@@ -1 +0,0 @@
-.so man3/security_compute_av.3
diff --git a/libselinux/man/man3/security_validatetrans_raw.c b/libselinux/man/man3/security_validatetrans_raw.c
deleted file mode 100644
index a60bca4..0000000
--- a/libselinux/man/man3/security_validatetrans_raw.c
+++ /dev/null
@@ -1 +0,0 @@
-.so man3/security_compute_av.3
diff --git a/libselinux/src/android/android.c b/libselinux/src/android/android.c
index 2e70ceb..e15dabe 100644
--- a/libselinux/src/android/android.c
+++ b/libselinux/src/android/android.c
@@ -1,8 +1,7 @@
#include "android_common.h"
-// For 'system', 'system_ext' (optional), 'product' (optional), 'vendor' (mandatory)
-// and/or 'odm' (optional).
-#define MAX_FILE_CONTEXT_SIZE 5
+// For 'system', 'product' (optional), 'vendor' (mandatory) and/or 'odm' (optional).
+#define MAX_FILE_CONTEXT_SIZE 4
#ifdef __ANDROID_VNDK__
#ifndef LOG_EVENT_STRING
@@ -14,10 +13,6 @@
{ SELABEL_OPT_PATH, "/system/etc/selinux/plat_service_contexts" },
{ SELABEL_OPT_PATH, "/plat_service_contexts" }
};
-static const struct selinux_opt seopts_service_system_ext[] = {
- { SELABEL_OPT_PATH, "/system_ext/etc/selinux/system_ext_service_contexts" },
- { SELABEL_OPT_PATH, "/system_ext_service_contexts" }
-};
static const struct selinux_opt seopts_service_product[] = {
{ SELABEL_OPT_PATH, "/product/etc/selinux/product_service_contexts" },
{ SELABEL_OPT_PATH, "/product_service_contexts" }
@@ -34,10 +29,6 @@
{ SELABEL_OPT_PATH, "/system/etc/selinux/plat_hwservice_contexts" },
{ SELABEL_OPT_PATH, "/plat_hwservice_contexts" }
};
-static const struct selinux_opt seopts_hwservice_system_ext[] = {
- { SELABEL_OPT_PATH, "/system_ext/etc/selinux/system_ext_hwservice_contexts" },
- { SELABEL_OPT_PATH, "/system_ext_hwservice_contexts" }
-};
static const struct selinux_opt seopts_hwservice_product[] = {
{ SELABEL_OPT_PATH, "/product/etc/selinux/product_hwservice_contexts" },
{ SELABEL_OPT_PATH, "/product_hwservice_contexts" }
@@ -91,12 +82,6 @@
break;
}
}
- for (i = 0; i < ARRAY_SIZE(seopts_service_system_ext); i++) {
- if (access(seopts_service_system_ext[i].value, R_OK) != -1) {
- seopts_service[size++] = seopts_service_system_ext[i];
- break;
- }
- }
for (i = 0; i < ARRAY_SIZE(seopts_service_product); i++) {
if (access(seopts_service_product[i].value, R_OK) != -1) {
seopts_service[size++] = seopts_service_product[i];
@@ -124,12 +109,6 @@
break;
}
}
- for (i = 0; i < ARRAY_SIZE(seopts_hwservice_system_ext); i++) {
- if (access(seopts_hwservice_system_ext[i].value, R_OK) != -1) {
- seopts_service[size++] = seopts_hwservice_system_ext[i];
- break;
- }
- }
for (i = 0; i < ARRAY_SIZE(seopts_hwservice_product); i++) {
if (access(seopts_hwservice_product[i].value, R_OK) != -1) {
seopts_service[size++] = seopts_hwservice_product[i];
diff --git a/libselinux/src/android/android_common.h b/libselinux/src/android/android_common.h
index 5853c2b..637d4e8 100644
--- a/libselinux/src/android/android_common.h
+++ b/libselinux/src/android/android_common.h
@@ -21,6 +21,7 @@
#include <selinux/android.h>
#include <selinux/label.h>
#include <selinux/avc.h>
+#include <openssl/sha.h>
#ifndef __ANDROID_VNDK__
#include <private/android_filesystem_config.h>
#endif
diff --git a/libselinux/src/android/android_platform.c b/libselinux/src/android/android_platform.c
index a51d165..83a795a 100644
--- a/libselinux/src/android/android_platform.c
+++ b/libselinux/src/android/android_platform.c
@@ -1,9 +1,8 @@
#include "android_common.h"
#include <packagelistparser/packagelistparser.h>
-// For 'system', 'system_ext' (optional), 'product' (optional), 'vendor' (mandatory)
-// and/or 'odm' (optional).
-#define MAX_FILE_CONTEXT_SIZE 5
+// For 'system', 'product' (optional), 'vendor' (mandatory) and/or 'odm' (optional).
+#define MAX_FILE_CONTEXT_SIZE 4
static const char *const sepolicy_file = "/sepolicy";
@@ -11,10 +10,6 @@
{ SELABEL_OPT_PATH, "/system/etc/selinux/plat_file_contexts" },
{ SELABEL_OPT_PATH, "/plat_file_contexts" }
};
-static const struct selinux_opt seopts_file_system_ext[] = {
- { SELABEL_OPT_PATH, "/system_ext/etc/selinux/system_ext_file_contexts" },
- { SELABEL_OPT_PATH, "/system_ext_file_contexts" }
-};
static const struct selinux_opt seopts_file_product[] = {
{ SELABEL_OPT_PATH, "/product/etc/selinux/product_file_contexts" },
{ SELABEL_OPT_PATH, "/product_file_contexts" }
@@ -31,6 +26,26 @@
{ SELABEL_OPT_PATH, "/odm_file_contexts" }
};
+static const struct selinux_opt seopts_prop_plat[] = {
+ { SELABEL_OPT_PATH, "/system/etc/selinux/plat_property_contexts" },
+ { SELABEL_OPT_PATH, "/plat_property_contexts" }
+};
+static const struct selinux_opt seopts_prop_product[] = {
+ { SELABEL_OPT_PATH, "/product/etc/selinux/product_property_contexts" },
+ { SELABEL_OPT_PATH, "/product_property_contexts" }
+};
+static const struct selinux_opt seopts_prop_vendor[] = {
+ { SELABEL_OPT_PATH, "/vendor/etc/selinux/vendor_property_contexts" },
+ { SELABEL_OPT_PATH, "/vendor_property_contexts" },
+ // TODO: remove nonplat* when no need to retain backward compatibility.
+ { SELABEL_OPT_PATH, "/vendor/etc/selinux/nonplat_property_contexts" },
+ { SELABEL_OPT_PATH, "/nonplat_property_contexts" }
+};
+static const struct selinux_opt seopts_prop_odm[] = {
+ { SELABEL_OPT_PATH, "/odm/etc/selinux/odm_property_contexts" },
+ { SELABEL_OPT_PATH, "/odm_property_contexts" }
+};
+
/*
* XXX Where should this configuration file be located?
* Needs to be accessible by zygote and installd when
@@ -41,10 +56,6 @@
"/system/etc/selinux/plat_seapp_contexts",
"/plat_seapp_contexts"
};
-static char const * const seapp_contexts_system_ext[] = {
- "/system_ext/etc/selinux/system_ext_seapp_contexts",
- "/system_ext_seapp_contexts"
-};
static char const * const seapp_contexts_product[] = {
"/product/etc/selinux/product_seapp_contexts",
"/product_seapp_contexts"
@@ -61,6 +72,76 @@
"/odm_seapp_contexts"
};
+uint8_t fc_digest[FC_DIGEST_SIZE];
+
+static bool compute_file_contexts_hash(uint8_t c_digest[], const struct selinux_opt *opts, unsigned nopts)
+{
+ int fd = -1;
+ void *map = MAP_FAILED;
+ bool ret = false;
+ uint8_t *fc_data = NULL;
+ size_t total_size = 0;
+ struct stat sb;
+ size_t i;
+
+ for (i = 0; i < nopts; i++) {
+ fd = open(opts[i].value, O_CLOEXEC | O_RDONLY);
+ if (fd < 0) {
+ selinux_log(SELINUX_ERROR, "SELinux: Could not open %s: %s\n",
+ opts[i].value, strerror(errno));
+ goto cleanup;
+ }
+
+ if (fstat(fd, &sb) < 0) {
+ selinux_log(SELINUX_ERROR, "SELinux: Could not stat %s: %s\n",
+ opts[i].value, strerror(errno));
+ goto cleanup;
+ }
+
+ if (sb.st_size == 0) {
+ selinux_log(SELINUX_WARNING, "SELinux: Skipping %s: empty file\n",
+ opts[i].value);
+ goto nextfile;
+ }
+
+ map = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
+ if (map == MAP_FAILED) {
+ selinux_log(SELINUX_ERROR, "SELinux: Could not map %s: %s\n",
+ opts[i].value, strerror(errno));
+ goto cleanup;
+ }
+
+ fc_data = realloc(fc_data, total_size + sb.st_size);
+ if (!fc_data) {
+ selinux_log(SELINUX_ERROR, "SELinux: Count not re-alloc for %s: %s\n",
+ opts[i].value, strerror(errno));
+ goto cleanup;
+ }
+
+ memcpy(fc_data + total_size, map, sb.st_size);
+ total_size += sb.st_size;
+
+ /* reset everything for next file */
+ munmap(map, sb.st_size);
+nextfile:
+ close(fd);
+ map = MAP_FAILED;
+ fd = -1;
+ }
+
+ SHA1(fc_data, total_size, c_digest);
+ ret = true;
+
+cleanup:
+ if (map != MAP_FAILED)
+ munmap(map, sb.st_size);
+ if (fd >= 0)
+ close(fd);
+ free(fc_data);
+
+ return ret;
+}
+
static struct selabel_handle* selinux_android_file_context(const struct selinux_opt *opts,
unsigned nopts)
{
@@ -77,6 +158,10 @@
__FUNCTION__, strerror(errno));
return NULL;
}
+ if (!compute_file_contexts_hash(fc_digest, opts, nopts)) {
+ selabel_close(sehandle);
+ return NULL;
+ }
selinux_log(SELINUX_INFO, "SELinux: Loaded file_contexts\n");
@@ -94,12 +179,6 @@
break;
}
}
- for (i = 0; i < ARRAY_SIZE(seopts_file_system_ext); i++) {
- if (access(seopts_file_system_ext[i].value, R_OK) != -1) {
- seopts_file[size++] = seopts_file_system_ext[i];
- break;
- }
- }
for (i = 0; i < ARRAY_SIZE(seopts_file_product); i++) {
if (access(seopts_file_product[i].value, R_OK) != -1) {
seopts_file[size++] = seopts_file_product[i];
@@ -121,6 +200,49 @@
return selinux_android_file_context(seopts_file, size);
}
+struct selabel_handle* selinux_android_prop_context_handle(void)
+{
+ struct selabel_handle* sehandle;
+ struct selinux_opt seopts_prop[MAX_FILE_CONTEXT_SIZE];
+ int size = 0;
+ unsigned int i;
+ for (i = 0; i < ARRAY_SIZE(seopts_prop_plat); i++) {
+ if (access(seopts_prop_plat[i].value, R_OK) != -1) {
+ seopts_prop[size++] = seopts_prop_plat[i];
+ break;
+ }
+ }
+ for (i = 0; i < ARRAY_SIZE(seopts_prop_product); i++) {
+ if (access(seopts_prop_product[i].value, R_OK) != -1) {
+ seopts_prop[size++] = seopts_prop_product[i];
+ break;
+ }
+ }
+ for (i = 0; i < ARRAY_SIZE(seopts_prop_vendor); i++) {
+ if (access(seopts_prop_vendor[i].value, R_OK) != -1) {
+ seopts_prop[size++] = seopts_prop_vendor[i];
+ break;
+ }
+ }
+ for (i = 0; i < ARRAY_SIZE(seopts_prop_odm); i++) {
+ if (access(seopts_prop_odm[i].value, R_OK) != -1) {
+ seopts_prop[size++] = seopts_prop_odm[i];
+ break;
+ }
+ }
+
+ sehandle = selabel_open(SELABEL_CTX_ANDROID_PROP, seopts_prop, size);
+ if (!sehandle) {
+ selinux_log(SELINUX_ERROR, "%s: Error getting property context handle (%s)\n",
+ __FUNCTION__, strerror(errno));
+ return NULL;
+ }
+ selinux_log(SELINUX_INFO, "SELinux: Loaded property_contexts from %s & %s.\n",
+ seopts_prop[0].value, seopts_prop[1].value);
+
+ return sehandle;
+}
+
enum levelFrom {
LEVELFROM_NONE,
LEVELFROM_APP,
@@ -155,6 +277,8 @@
bool isSystemServer;
bool isEphemeralAppSet;
bool isEphemeralApp;
+ bool isV2AppSet;
+ bool isV2App;
bool isOwnerSet;
bool isOwner;
struct prefix_str user;
@@ -204,6 +328,12 @@
if (s1->isEphemeralAppSet != s2->isEphemeralAppSet)
return (s1->isEphemeralAppSet ? -1 : 1);
+ /* Give precedence to a specified isV2= over an
+ * unspecified isV2=. */
+ if (s1->isV2AppSet != s2->isV2AppSet)
+ return (s1->isV2AppSet ? -1 : 1);
+
+
/* Give precedence to a specified isOwner= over an unspecified isOwner=. */
if (s1->isOwnerSet != s2->isOwnerSet)
return (s1->isOwnerSet ? -1 : 1);
@@ -291,6 +421,7 @@
(s1->isPrivAppSet && s1->isPrivApp == s2->isPrivApp) &&
(s1->isOwnerSet && s1->isOwner == s2->isOwner) &&
(s1->isSystemServer && s1->isSystemServer == s2->isSystemServer) &&
+ (s1->isV2AppSet && s1->isV2App == s2->isV2App) &&
(s1->isEphemeralAppSet && s1->isEphemeralApp == s2->isEphemeralApp);
if (dup) {
@@ -357,12 +488,6 @@
break;
}
}
- for (i = 0; i < ARRAY_SIZE(seapp_contexts_system_ext); i++) {
- if (access(seapp_contexts_system_ext[i], R_OK) != -1) {
- seapp_contexts_files[files_len++] = seapp_contexts_system_ext[i];
- break;
- }
- }
for (i = 0; i < ARRAY_SIZE(seapp_contexts_product); i++) {
if (access(seapp_contexts_product[i], R_OK) != -1) {
seapp_contexts_files[files_len++] = seapp_contexts_product[i];
@@ -469,6 +594,16 @@
free_seapp_context(cur);
goto err;
}
+ } else if (!strcasecmp(name, "isV2App")) {
+ cur->isV2AppSet = true;
+ if (!strcasecmp(value, "true"))
+ cur->isV2App = true;
+ else if (!strcasecmp(value, "false"))
+ cur->isV2App = false;
+ else {
+ free_seapp_context(cur);
+ goto err;
+ }
} else if (!strcasecmp(name, "isOwner")) {
cur->isOwnerSet = true;
if (!strcasecmp(value, "true"))
@@ -627,7 +762,7 @@
break;
}
- if (!cur->isPrivApp && cur->name.str &&
+ if (cur->name.str &&
(!cur->seinfo || !strcmp(cur->seinfo, "default"))) {
selinux_log(SELINUX_ERROR, "%s: No specific seinfo value specified with name=\"%s\", on line %u: insecure configuration!\n",
seapp_contexts_files[i], cur->name.str, lineno);
@@ -654,11 +789,12 @@
int i;
for (i = 0; i < nspec; i++) {
cur = seapp_contexts[i];
- selinux_log(SELINUX_INFO, "%s: isSystemServer=%s isEphemeralApp=%s isOwner=%s user=%s seinfo=%s "
+ selinux_log(SELINUX_INFO, "%s: isSystemServer=%s isEphemeralApp=%s isV2App=%s isOwner=%s user=%s seinfo=%s "
"name=%s path=%s isPrivApp=%s minTargetSdkVersion=%d fromRunAs=%s -> domain=%s type=%s level=%s levelFrom=%s",
__FUNCTION__,
cur->isSystemServer ? "true" : "false",
cur->isEphemeralAppSet ? (cur->isEphemeralApp ? "true" : "false") : "null",
+ cur->isV2AppSet ? (cur->isV2App ? "true" : "false") : "null",
cur->isOwnerSet ? (cur->isOwner ? "true" : "false") : "null",
cur->user.str,
cur->seinfo, cur->name.str, cur->path.str,
@@ -719,6 +855,7 @@
#define PRIVILEGED_APP_STR ":privapp"
#define EPHEMERAL_APP_STR ":ephemeralapp"
+#define V2_APP_STR ":v2"
#define TARGETSDKVERSION_STR ":targetSdkVersion="
#define FROM_RUNAS_STR ":fromRunAs"
static int32_t get_app_targetSdkVersion(const char *seinfo)
@@ -778,6 +915,7 @@
bool isPrivApp = false;
bool isEphemeralApp = false;
int32_t targetSdkVersion = 0;
+ bool isV2App = false;
bool fromRunAs = false;
char parsedseinfo[BUFSIZ];
@@ -788,6 +926,7 @@
goto err;
isPrivApp = strstr(seinfo, PRIVILEGED_APP_STR) ? true : false;
isEphemeralApp = strstr(seinfo, EPHEMERAL_APP_STR) ? true : false;
+ isV2App = strstr(seinfo, V2_APP_STR) ? true : false;
fromRunAs = strstr(seinfo, FROM_RUNAS_STR) ? true : false;
targetSdkVersion = get_app_targetSdkVersion(seinfo);
if (targetSdkVersion < 0) {
@@ -836,6 +975,9 @@
if (cur->isEphemeralAppSet && cur->isEphemeralApp != isEphemeralApp)
continue;
+ if (cur->isV2AppSet && cur->isV2App != isV2App)
+ continue;
+
if (cur->isOwnerSet && cur->isOwner != isOwner)
continue;
diff --git a/libselinux/src/android/android_vendor.c b/libselinux/src/android/android_vendor.c
index e4e95f7..82fea4d 100644
--- a/libselinux/src/android/android_vendor.c
+++ b/libselinux/src/android/android_vendor.c
@@ -6,3 +6,9 @@
selinux_log(SELINUX_ERROR, "%s: not implemented for vendor variant of libselinux\n", __FUNCTION__);
return -1;
}
+
+struct selabel_handle* selinux_android_prop_context_handle(void)
+{
+ selinux_log(SELINUX_ERROR, "%s: not implemented for vendor variant of libselinux\n", __FUNCTION__);
+ return NULL;
+}
diff --git a/libselinux/src/audit2why.c b/libselinux/src/audit2why.c
index d56b56e..5a1e69a 100644
--- a/libselinux/src/audit2why.c
+++ b/libselinux/src/audit2why.c
@@ -291,7 +291,7 @@
static PyObject *init(PyObject *self __attribute__((unused)), PyObject *args) {
int result;
- char *init_path = NULL;
+ char *init_path=NULL;
if (avc) {
PyErr_SetString( PyExc_RuntimeError, "init called multiple times");
return NULL;
@@ -322,7 +322,7 @@
sepol_access_vector_t perm, av;
struct sepol_av_decision avd;
int rc;
- int i = 0;
+ int i=0;
if (!PyArg_ParseTuple(args,(char *)"sssO!:audit2why",&scon,&tcon,&tclassstr,&PyList_Type, &listObj))
return NULL;
@@ -353,7 +353,7 @@
/* iterate over items of the list, grabbing strings, and parsing
for numbers */
- for (i = 0; i < numlines; i++){
+ for (i=0; i<numlines; i++){
const char *permstr;
/* grab the string object from the next element of the list */
@@ -395,13 +395,13 @@
} else {
PyObject *outboollist;
struct boolean_t *b = bools;
- int len = 0;
+ int len=0;
while (b->name) {
len++; b++;
}
b = bools;
outboollist = PyList_New(len);
- len = 0;
+ len=0;
while(b->name) {
PyObject *bool_ = Py_BuildValue("(si)", b->name, b->active);
PyList_SetItem(outboollist, len++, bool_);
diff --git a/libselinux/src/booleans.c b/libselinux/src/booleans.c
index ab1e075..a6d46fe 100644
--- a/libselinux/src/booleans.c
+++ b/libselinux/src/booleans.c
@@ -125,10 +125,10 @@
dst++;
if (!*dst)
continue;
- ptr = dst;
+ ptr=dst;
while (*ptr && !isspace(*ptr))
ptr++;
- *ptr = '\0';
+ *ptr='\0';
sub = strdup(dst);
diff --git a/libselinux/src/init.c b/libselinux/src/init.c
index 083638c..2690a72 100644
--- a/libselinux/src/init.c
+++ b/libselinux/src/init.c
@@ -83,8 +83,8 @@
static void init_selinuxmnt(void)
{
- char *buf = NULL, *p;
- FILE *fp = NULL;
+ char *buf=NULL, *p;
+ FILE *fp=NULL;
size_t len;
ssize_t num;
diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
index 7bc2dac..fd3e013 100644
--- a/libselinux/src/label_file.c
+++ b/libselinux/src/label_file.c
@@ -635,10 +635,10 @@
dst = ptr;
while (*dst && isspace(*dst))
dst++;
- ptr = dst;
+ ptr=dst;
while (*ptr && ! isspace(*ptr))
ptr++;
- *ptr = '\0';
+ *ptr='\0';
if (! *dst)
continue;
@@ -647,11 +647,11 @@
goto err;
memset(sub, 0, sizeof(*sub));
- sub->src = strdup(src);
+ sub->src=strdup(src);
if (! sub->src)
goto err;
- sub->dst = strdup(dst);
+ sub->dst=strdup(dst);
if (! sub->dst)
goto err;
diff --git a/libselinux/src/mapping.c b/libselinux/src/mapping.c
index 96395fd..33cea5a 100644
--- a/libselinux/src/mapping.c
+++ b/libselinux/src/mapping.c
@@ -143,7 +143,7 @@
unsigned i;
access_vector_t kperm = 0;
- for (i = 0; i < current_mapping[tclass].num_perms; i++)
+ for (i=0; i<current_mapping[tclass].num_perms; i++)
if (tperm & (1<<i)) {
kperm |= current_mapping[tclass].perms[i];
tperm &= ~(1<<i);
@@ -169,7 +169,7 @@
{
security_class_t i;
- for (i = 0; i < current_mapping_size; i++)
+ for (i=0; i<current_mapping_size; i++)
if (current_mapping[i].value == kclass)
return i;
@@ -189,7 +189,7 @@
unsigned i;
access_vector_t tperm = 0;
- for (i = 0; i < current_mapping[tclass].num_perms; i++)
+ for (i=0; i<current_mapping[tclass].num_perms; i++)
if (kperm & current_mapping[tclass].perms[i]) {
tperm |= 1<<i;
kperm &= ~current_mapping[tclass].perms[i];
diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
index 05a5cfa..58b4144 100644
--- a/libselinux/src/matchpathcon.c
+++ b/libselinux/src/matchpathcon.c
@@ -414,7 +414,7 @@
if (len + strlen(last_component) + 2 > PATH_MAX) {
myprintf("symlink_realpath(%s) failed: Filename too long \n",
name);
- errno = ENAMETOOLONG;
+ errno=ENAMETOOLONG;
rc = -1;
goto out;
}
diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
index acd59c7..70b5025 100644
--- a/libselinux/src/selinux_internal.h
+++ b/libselinux/src/selinux_internal.h
@@ -29,8 +29,6 @@
hidden_proto(security_compute_create_name_raw)
hidden_proto(security_compute_member_raw)
hidden_proto(security_compute_relabel_raw)
- hidden_proto(security_validatetrans)
- hidden_proto(security_validatetrans_raw)
hidden_proto(is_selinux_enabled)
hidden_proto(is_selinux_mls_enabled)
hidden_proto(freecon)
diff --git a/libselinux/src/seusers.c b/libselinux/src/seusers.c
index 7ec7d12..572a7b0 100644
--- a/libselinux/src/seusers.c
+++ b/libselinux/src/seusers.c
@@ -274,7 +274,7 @@
char *buffer = NULL;
size_t size = 0;
char *rec = NULL;
- char *path = NULL;
+ char *path=NULL;
FILE *fp = NULL;
if (asprintf(&path,"%s/logins/%s", selinux_policy_root(), username) < 0)
goto err;
diff --git a/libselinux/src/sha1.c b/libselinux/src/sha1.c
index d671044..9bcbb6e 100644
--- a/libselinux/src/sha1.c
+++ b/libselinux/src/sha1.c
@@ -78,7 +78,7 @@
CHAR64LONG16 workspace;
CHAR64LONG16* block = &workspace;
- memcpy(block, buffer, 64);
+ memcpy( block, buffer, 64 );
// Copy context->state[] to working vars
a = state[0];
@@ -160,18 +160,18 @@
uint32_t j;
j = (Context->Count[0] >> 3) & 63;
- if ((Context->Count[0] += BufferSize << 3) < (BufferSize << 3))
+ if( (Context->Count[0] += BufferSize << 3) < (BufferSize << 3) )
{
Context->Count[1]++;
}
Context->Count[1] += (BufferSize >> 29);
- if ((j + BufferSize) > 63)
+ if( (j + BufferSize) > 63 )
{
i = 64 - j;
- memcpy(&Context->Buffer[j], Buffer, i);
+ memcpy( &Context->Buffer[j], Buffer, i );
TransformFunction(Context->State, Context->Buffer);
- for (; i + 63 < BufferSize; i += 64)
+ for( ; i + 63 < BufferSize; i += 64 )
{
TransformFunction(Context->State, (uint8_t*)Buffer + i);
}
@@ -182,7 +182,7 @@
i = 0;
}
- memcpy(&Context->Buffer[j], &((uint8_t*)Buffer)[i], BufferSize - i);
+ memcpy( &Context->Buffer[j], &((uint8_t*)Buffer)[i], BufferSize - i );
}
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
@@ -201,19 +201,19 @@
uint32_t i;
uint8_t finalcount[8];
- for (i = 0; i < 8; i++)
+ for( i=0; i<8; i++ )
{
finalcount[i] = (unsigned char)((Context->Count[(i >= 4 ? 0 : 1)]
>> ((3-(i & 3)) * 8) ) & 255); // Endian independent
}
- Sha1Update(Context, (uint8_t*)"\x80", 1);
- while ((Context->Count[0] & 504) != 448)
+ Sha1Update( Context, (uint8_t*)"\x80", 1 );
+ while( (Context->Count[0] & 504) != 448 )
{
- Sha1Update(Context, (uint8_t*)"\0", 1);
+ Sha1Update( Context, (uint8_t*)"\0", 1 );
}
- Sha1Update(Context, finalcount, 8); // Should cause a Sha1TransformFunction()
- for (i = 0; i < SHA1_HASH_SIZE; i++)
+ Sha1Update( Context, finalcount, 8 ); // Should cause a Sha1TransformFunction()
+ for( i=0; i<SHA1_HASH_SIZE; i++ )
{
Digest->bytes[i] = (uint8_t)((Context->State[i>>2] >> ((3-(i & 3)) * 8) ) & 255);
}
diff --git a/libselinux/src/stringrep.c b/libselinux/src/stringrep.c
index ad29f76..2d83f96 100644
--- a/libselinux/src/stringrep.c
+++ b/libselinux/src/stringrep.c
@@ -147,7 +147,7 @@
err4:
closedir(dir);
- for (i = 0; i < MAXVECTORS; i++)
+ for (i=0; i<MAXVECTORS; i++)
free(node->perms[i]);
err3:
free(node->name);
@@ -214,7 +214,7 @@
if (S_ISSOCK(m))
return string_to_security_class("sock_file");
- errno = EINVAL;
+ errno=EINVAL;
return 0;
}
@@ -226,7 +226,7 @@
node = get_class_cache_entry_value(kclass);
if (node != NULL) {
size_t i;
- for (i = 0; i < MAXVECTORS && node->perms[i] != NULL; i++)
+ for (i=0; i<MAXVECTORS && node->perms[i] != NULL; i++)
if (strcmp(node->perms[i],s) == 0)
return map_perm(tclass, 1<<i);
}
diff --git a/libselinux/src/validatetrans.c b/libselinux/src/validatetrans.c
deleted file mode 100644
index 2aa300c..0000000
--- a/libselinux/src/validatetrans.c
+++ /dev/null
@@ -1,94 +0,0 @@
-#include <unistd.h>
-#include <sys/types.h>
-#include <fcntl.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include <errno.h>
-#include <string.h>
-#include <limits.h>
-#include "selinux_internal.h"
-#include "policy.h"
-#include "mapping.h"
-
-int security_validatetrans_raw(const char *scon,
- const char *tcon,
- security_class_t tclass,
- const char *newcon)
-{
- char path[PATH_MAX];
- char *buf = NULL;
- int size, bufsz;
- int fd, ret = -1;
- errno = ENOENT;
-
- if (!selinux_mnt) {
- return -1;
- }
-
- snprintf(path, sizeof path, "%s/validatetrans", selinux_mnt);
- fd = open(path, O_WRONLY | O_CLOEXEC);
- if (fd < 0) {
- return -1;
- }
-
- errno = EINVAL;
- size = selinux_page_size;
- buf = malloc(size);
- if (!buf) {
- goto out;
- }
-
- bufsz = snprintf(buf, size, "%s %s %hu %s", scon, tcon, unmap_class(tclass), newcon);
- if (bufsz >= size || bufsz < 0) {
- // It got truncated or there was an encoding error
- goto out;
- }
-
- // clear errno for write()
- errno = 0;
- ret = write(fd, buf, strlen(buf));
- if (ret > 0) {
- // The kernel returns the bytes written on success, not 0 as noted in the commit message
- ret = 0;
- }
-out:
- free(buf);
- close(fd);
- return ret;
-}
-
-hidden_def(security_validatetrans_raw)
-
-int security_validatetrans(const char *scon,
- const char *tcon,
- security_class_t tclass,
- const char *newcon)
-{
- int ret = -1;
- char *rscon = NULL;
- char *rtcon = NULL;
- char *rnewcon = NULL;
-
- if (selinux_trans_to_raw_context(scon, &rscon)) {
- goto out;
- }
-
- if (selinux_trans_to_raw_context(tcon, &rtcon)) {
- goto out;
- }
-
- if (selinux_trans_to_raw_context(newcon, &rnewcon)) {
- goto out;
- }
-
- ret = security_validatetrans_raw(rscon, rtcon, tclass, rnewcon);
-
-out:
- freecon(rnewcon);
- freecon(rtcon);
- freecon(rscon);
-
- return ret;
-}
-
-hidden_def(security_validatetrans)
diff --git a/libselinux/utils/.gitignore b/libselinux/utils/.gitignore
index aba18a3..5cd0102 100644
--- a/libselinux/utils/.gitignore
+++ b/libselinux/utils/.gitignore
@@ -25,4 +25,3 @@
setfilecon
togglesebool
selinux_check_access
-validatetrans
diff --git a/libselinux/utils/avcstat.c b/libselinux/utils/avcstat.c
index da23928..884a10b 100644
--- a/libselinux/utils/avcstat.c
+++ b/libselinux/utils/avcstat.c
@@ -116,7 +116,7 @@
case 'h':
case '-':
usage();
- exit(EXIT_SUCCESS);
+ exit(0);
default:
usage();
die("unrecognized parameter '%c'", i);
@@ -133,7 +133,7 @@
}
if (n == 0) {
usage();
- exit(EXIT_SUCCESS);
+ exit(0);
}
interval = n;
}
diff --git a/libselinux/utils/compute_av.c b/libselinux/utils/compute_av.c
index df4a77e..574fa6e 100644
--- a/libselinux/utils/compute_av.c
+++ b/libselinux/utils/compute_av.c
@@ -51,5 +51,5 @@
printf("\n");
}
- exit(EXIT_SUCCESS);
+ exit(0);
}
diff --git a/libselinux/utils/compute_create.c b/libselinux/utils/compute_create.c
index 449ccd9..4abc29f 100644
--- a/libselinux/utils/compute_create.c
+++ b/libselinux/utils/compute_create.c
@@ -32,5 +32,5 @@
printf("%s\n", buf);
freecon(buf);
- exit(EXIT_SUCCESS);
+ exit(0);
}
diff --git a/libselinux/utils/compute_member.c b/libselinux/utils/compute_member.c
index c6dad19..14edd45 100644
--- a/libselinux/utils/compute_member.c
+++ b/libselinux/utils/compute_member.c
@@ -32,5 +32,5 @@
printf("%s\n", buf);
freecon(buf);
- exit(EXIT_SUCCESS);
+ exit(0);
}
diff --git a/libselinux/utils/compute_relabel.c b/libselinux/utils/compute_relabel.c
index 85c760b..970750e 100644
--- a/libselinux/utils/compute_relabel.c
+++ b/libselinux/utils/compute_relabel.c
@@ -32,5 +32,5 @@
printf("%s\n", buf);
freecon(buf);
- exit(EXIT_SUCCESS);
+ exit(0);
}
diff --git a/libselinux/utils/compute_user.c b/libselinux/utils/compute_user.c
index 86d00a6..cae62b2 100644
--- a/libselinux/utils/compute_user.c
+++ b/libselinux/utils/compute_user.c
@@ -27,12 +27,12 @@
if (!buf[0]) {
printf("none\n");
- exit(EXIT_SUCCESS);
+ exit(0);
}
for (ptr = buf; *ptr; ptr++) {
printf("%s\n", *ptr);
}
freeconary(buf);
- exit(EXIT_SUCCESS);
+ exit(0);
}
diff --git a/libselinux/utils/getconlist.c b/libselinux/utils/getconlist.c
index 29c1664..5ac0ca8 100644
--- a/libselinux/utils/getconlist.c
+++ b/libselinux/utils/getconlist.c
@@ -27,11 +27,6 @@
switch (opt) {
case 'l':
level = strdup(optarg);
- if (!level) {
- fprintf(stderr, "memory allocation failure: %d(%s)\n",
- errno, strerror(errno));
- return 3;
- }
break;
default:
usage(argv[0], "invalid option", 1);
diff --git a/libselinux/utils/getfilecon.c b/libselinux/utils/getfilecon.c
index 6266ae1..a7a51ab 100644
--- a/libselinux/utils/getfilecon.c
+++ b/libselinux/utils/getfilecon.c
@@ -23,5 +23,5 @@
printf("%s\t%s\n", argv[i], buf);
freecon(buf);
}
- exit(EXIT_SUCCESS);
+ exit(0);
}
diff --git a/libselinux/utils/getpidcon.c b/libselinux/utils/getpidcon.c
index ea6c274..3df0da1 100644
--- a/libselinux/utils/getpidcon.c
+++ b/libselinux/utils/getpidcon.c
@@ -27,5 +27,5 @@
printf("%s\n", buf);
freecon(buf);
- exit(EXIT_SUCCESS);
+ exit(0);
}
diff --git a/libselinux/utils/getseuser.c b/libselinux/utils/getseuser.c
index 9193fe0..c33a4ad 100644
--- a/libselinux/utils/getseuser.c
+++ b/libselinux/utils/getseuser.c
@@ -36,5 +36,5 @@
for (i = 0; i < n; i++)
printf("Context %d\t%s\n", i, contextlist[i]);
freeconary(contextlist);
- exit(EXIT_SUCCESS);
+ exit(0);
}
diff --git a/libselinux/utils/matchpathcon.c b/libselinux/utils/matchpathcon.c
index eb39a18..9756d7d 100644
--- a/libselinux/utils/matchpathcon.c
+++ b/libselinux/utils/matchpathcon.c
@@ -25,7 +25,7 @@
int rc = matchpathcon(path, mode, &buf);
if (rc < 0) {
if (errno == ENOENT) {
- buf = strdup("<<none>>");
+ buf=strdup("<<none>>");
} else {
fprintf(stderr, "matchpathcon(%s) failed: %s\n", path,
strerror(errno));
diff --git a/libselinux/utils/policyvers.c b/libselinux/utils/policyvers.c
index dd56f2c..0309d7d 100644
--- a/libselinux/utils/policyvers.c
+++ b/libselinux/utils/policyvers.c
@@ -14,5 +14,5 @@
}
printf("%d\n", rc);
- exit(EXIT_SUCCESS);
+ exit(0);
}
diff --git a/libselinux/utils/setfilecon.c b/libselinux/utils/setfilecon.c
index 79af55d..d69af84 100644
--- a/libselinux/utils/setfilecon.c
+++ b/libselinux/utils/setfilecon.c
@@ -20,5 +20,5 @@
exit(2);
}
}
- exit(EXIT_SUCCESS);
+ exit(0);
}
diff --git a/libselinux/utils/validatetrans.c b/libselinux/utils/validatetrans.c
deleted file mode 100644
index 1db33e6..0000000
--- a/libselinux/utils/validatetrans.c
+++ /dev/null
@@ -1,30 +0,0 @@
-#include <unistd.h>
-#include <sys/types.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <errno.h>
-#include <selinux/selinux.h>
-
-int main(int argc, char **argv)
-{
- security_class_t tclass;
- int ret;
-
- if (argc != 5) {
- fprintf(stderr, "usage: %s scontext tcontext tclass newcontext\n",
- argv[0]);
- exit(1);
- }
-
- tclass = string_to_security_class(argv[3]);
- if (!tclass) {
- fprintf(stderr, "%s: invalid class '%s'\n", argv[0], argv[3]);
- exit(2);
- }
-
- ret = security_validatetrans(argv[1], argv[2], tclass, argv[4]);
- printf("security_validatetrans returned %d errno: %s\n", ret, strerror(errno));
-
- return ret;
-}
diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
index 7e097d5..c58961b 100644
--- a/libsemanage/src/direct_api.c
+++ b/libsemanage/src/direct_api.c
@@ -517,7 +517,7 @@
size_t size = 1<<18;
size_t bufsize = size;
int bzerror;
- size_t total = 0;
+ size_t total=0;
char* uncompress = NULL;
char* tmpalloc = NULL;
int ret = -1;
diff --git a/libsemanage/src/modules.c b/libsemanage/src/modules.c
index fa84d33..62af101 100644
--- a/libsemanage/src/modules.c
+++ b/libsemanage/src/modules.c
@@ -1130,7 +1130,7 @@
int semanage_module_remove_key(semanage_handle_t *sh,
const semanage_module_key_t *modkey)
{
- if (sh->funcs->remove_key == NULL) {
+ if (sh->funcs->remove_key== NULL) {
ERR(sh,
"No remove key function defined for this connection type.");
return -1;
diff --git a/libsemanage/src/seusers_local.c b/libsemanage/src/seusers_local.c
index 3e2761c..a79e2d3 100644
--- a/libsemanage/src/seusers_local.c
+++ b/libsemanage/src/seusers_local.c
@@ -133,7 +133,7 @@
semanage_seuser_t *new = NULL;
if (!sename) {
- errno = EINVAL;
+ errno=EINVAL;
return -1;
}
rc = semanage_seuser_clone(handle, data, &new);
diff --git a/libsemanage/src/users_local.c b/libsemanage/src/users_local.c
index 8193476..7aa43d4 100644
--- a/libsemanage/src/users_local.c
+++ b/libsemanage/src/users_local.c
@@ -38,7 +38,7 @@
semanage_seuser_list_local(handle,
&records,
&count);
- for(i = 0; i < count; i++) {
+ for(i=0; i<count; i++) {
sename = semanage_seuser_get_sename(records[i]);
if (strcmp(name, sename) == 0) {
errno = EINVAL;
@@ -47,7 +47,7 @@
rc = -1;
}
}
- for(i = 0; i < count; i++)
+ for(i=0; i<count; i++)
semanage_seuser_free(records[i]);
free(records);
semanage_user_free(user);
diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index 77ffc36..e2eb3eb 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@@ -441,7 +441,9 @@
rc = __cil_get_sepol_role_datum(pdb, DATUM(role), &sepol_role);
if (rc != SEPOL_OK) goto exit;
- ebitmap_for_each_positive_bit(role->types, tnode, i) {
+ ebitmap_for_each_bit(role->types, tnode, i) {
+ if (!ebitmap_get_bit(role->types, i)) continue;
+
rc = __cil_get_sepol_type_datum(pdb, DATUM(db->val_to_type[i]), &sepol_type);
if (rc != SEPOL_OK) goto exit;
@@ -650,7 +652,9 @@
value = sepol_type->s.value;
- ebitmap_for_each_positive_bit(cil_attr->types, tnode, i) {
+ ebitmap_for_each_bit(cil_attr->types, tnode, i) {
+ if (!ebitmap_get_bit(cil_attr->types, i)) continue;
+
rc = __cil_get_sepol_type_datum(pdb, DATUM(db->val_to_type[i]), &sepol_type);
if (rc != SEPOL_OK) goto exit;
@@ -744,7 +748,11 @@
goto exit;
}
- ebitmap_for_each_positive_bit(user->roles, rnode, i) {
+ ebitmap_for_each_bit(user->roles, rnode, i) {
+ if (!ebitmap_get_bit(user->roles, i)) {
+ continue;
+ }
+
rc = __cil_get_sepol_role_datum(pdb, DATUM(db->val_to_role[i]), &sepol_role);
if (rc != SEPOL_OK) {
goto exit;
@@ -1097,11 +1105,15 @@
rc = __cil_get_sepol_type_datum(pdb, DATUM(cil_rule->result), &sepol_result);
if (rc != SEPOL_OK) goto exit;
- ebitmap_for_each_positive_bit(&src_bitmap, node1, i) {
+ ebitmap_for_each_bit(&src_bitmap, node1, i) {
+ if (!ebitmap_get_bit(&src_bitmap, i)) continue;
+
rc = __cil_get_sepol_type_datum(pdb, DATUM(db->val_to_type[i]), &sepol_src);
if (rc != SEPOL_OK) goto exit;
- ebitmap_for_each_positive_bit(&tgt_bitmap, node2, j) {
+ ebitmap_for_each_bit(&tgt_bitmap, node2, j) {
+ if (!ebitmap_get_bit(&tgt_bitmap, j)) continue;
+
rc = __cil_get_sepol_type_datum(pdb, DATUM(db->val_to_type[j]), &sepol_tgt);
if (rc != SEPOL_OK) goto exit;
@@ -1170,11 +1182,15 @@
rc = __cil_get_sepol_type_datum(pdb, DATUM(typetrans->result), &sepol_result);
if (rc != SEPOL_OK) goto exit;
- ebitmap_for_each_positive_bit(&src_bitmap, node1, i) {
+ ebitmap_for_each_bit(&src_bitmap, node1, i) {
+ if (!ebitmap_get_bit(&src_bitmap, i)) continue;
+
rc = __cil_get_sepol_type_datum(pdb, DATUM(db->val_to_type[i]), &sepol_src);
if (rc != SEPOL_OK) goto exit;
- ebitmap_for_each_positive_bit(&tgt_bitmap, node2, j) {
+ ebitmap_for_each_bit(&tgt_bitmap, node2, j) {
+ if (!ebitmap_get_bit(&tgt_bitmap, j)) continue;
+
rc = __cil_get_sepol_type_datum(pdb, DATUM(db->val_to_type[j]), &sepol_tgt);
if (rc != SEPOL_OK) goto exit;
@@ -1459,7 +1475,9 @@
goto exit;
}
- ebitmap_for_each_positive_bit(&src_bitmap, snode, s) {
+ ebitmap_for_each_bit(&src_bitmap, snode, s) {
+ if (!ebitmap_get_bit(&src_bitmap, s)) continue;
+
src = DATUM(db->val_to_type[s]);
rc = __cil_avrule_expand(pdb, kind, src, src, classperms, cond_node, cond_flavor);
if (rc != SEPOL_OK) {
@@ -1488,9 +1506,11 @@
goto exit;
}
- ebitmap_for_each_positive_bit(&src_bitmap, snode, s) {
+ ebitmap_for_each_bit(&src_bitmap, snode, s) {
+ if (!ebitmap_get_bit(&src_bitmap, s)) continue;
src = DATUM(db->val_to_type[s]);
- ebitmap_for_each_positive_bit(&tgt_bitmap, tnode, t) {
+ ebitmap_for_each_bit(&tgt_bitmap, tnode, t) {
+ if (!ebitmap_get_bit(&tgt_bitmap, t)) continue;
tgt = DATUM(db->val_to_type[t]);
rc = __cil_avrule_expand(pdb, kind, src, tgt, classperms, cond_node, cond_flavor);
@@ -1509,7 +1529,8 @@
goto exit;
}
- ebitmap_for_each_positive_bit(&src_bitmap, snode, s) {
+ ebitmap_for_each_bit(&src_bitmap, snode, s) {
+ if (!ebitmap_get_bit(&src_bitmap, s)) continue;
src = DATUM(db->val_to_type[s]);
rc = __cil_avrule_expand(pdb, kind, src, tgt, classperms, cond_node, cond_flavor);
@@ -1525,7 +1546,8 @@
goto exit;
}
- ebitmap_for_each_positive_bit(&tgt_bitmap, tnode, t) {
+ ebitmap_for_each_bit(&tgt_bitmap, tnode, t) {
+ if (!ebitmap_get_bit(&tgt_bitmap, t)) continue;
tgt = DATUM(db->val_to_type[t]);
rc = __cil_avrule_expand(pdb, kind, src, tgt, classperms, cond_node, cond_flavor);
@@ -1597,7 +1619,9 @@
start_new_range = 1;
- ebitmap_for_each_positive_bit(xperms, node, i) {
+ ebitmap_for_each_bit(xperms, node, i) {
+ if (!ebitmap_get_bit(xperms, i)) continue;
+
if (start_new_range) {
low = i;
start_new_range = 0;
@@ -1828,7 +1852,9 @@
rc = __cil_expand_type(src, &src_bitmap);
if (rc != SEPOL_OK) goto exit;
- ebitmap_for_each_positive_bit(&src_bitmap, snode, s) {
+ ebitmap_for_each_bit(&src_bitmap, snode, s) {
+ if (!ebitmap_get_bit(&src_bitmap, s)) continue;
+
src = DATUM(db->val_to_type[s]);
rc = __cil_avrulex_to_hashtable_helper(pdb, kind, src, src, cil_avrulex->perms.x.permx, args);
if (rc != SEPOL_OK) {
@@ -1857,9 +1883,11 @@
goto exit;
}
- ebitmap_for_each_positive_bit(&src_bitmap, snode, s) {
+ ebitmap_for_each_bit(&src_bitmap, snode, s) {
+ if (!ebitmap_get_bit(&src_bitmap, s)) continue;
src = DATUM(db->val_to_type[s]);
- ebitmap_for_each_positive_bit(&tgt_bitmap, tnode, t) {
+ ebitmap_for_each_bit(&tgt_bitmap, tnode, t) {
+ if (!ebitmap_get_bit(&tgt_bitmap, t)) continue;
tgt = DATUM(db->val_to_type[t]);
rc = __cil_avrulex_to_hashtable_helper(pdb, kind, src, tgt, cil_avrulex->perms.x.permx, args);
@@ -1878,7 +1906,8 @@
goto exit;
}
- ebitmap_for_each_positive_bit(&src_bitmap, snode, s) {
+ ebitmap_for_each_bit(&src_bitmap, snode, s) {
+ if (!ebitmap_get_bit(&src_bitmap, s)) continue;
src = DATUM(db->val_to_type[s]);
rc = __cil_avrulex_to_hashtable_helper(pdb, kind, src, tgt, cil_avrulex->perms.x.permx, args);
@@ -1894,7 +1923,8 @@
goto exit;
}
- ebitmap_for_each_positive_bit(&tgt_bitmap, tnode, t) {
+ ebitmap_for_each_bit(&tgt_bitmap, tnode, t) {
+ if (!ebitmap_get_bit(&tgt_bitmap, t)) continue;
tgt = DATUM(db->val_to_type[t]);
rc = __cil_avrulex_to_hashtable_helper(pdb, kind, src, tgt, cil_avrulex->perms.x.permx, args);
@@ -2337,11 +2367,15 @@
rc = __cil_get_sepol_role_datum(pdb, DATUM(roletrans->result), &sepol_result);
if (rc != SEPOL_OK) goto exit;
- ebitmap_for_each_positive_bit(&role_bitmap, rnode, i) {
+ ebitmap_for_each_bit(&role_bitmap, rnode, i) {
+ if (!ebitmap_get_bit(&role_bitmap, i)) continue;
+
rc = __cil_get_sepol_role_datum(pdb, DATUM(db->val_to_role[i]), &sepol_src);
if (rc != SEPOL_OK) goto exit;
- ebitmap_for_each_positive_bit(&type_bitmap, tnode, j) {
+ ebitmap_for_each_bit(&type_bitmap, tnode, j) {
+ if (!ebitmap_get_bit(&type_bitmap, j)) continue;
+
rc = __cil_get_sepol_type_datum(pdb, DATUM(db->val_to_type[j]), &sepol_tgt);
if (rc != SEPOL_OK) goto exit;
@@ -2410,11 +2444,15 @@
rc = __cil_expand_role(roleallow->tgt, &tgt_bitmap);
if (rc != SEPOL_OK) goto exit;
- ebitmap_for_each_positive_bit(&src_bitmap, node1, i) {
+ ebitmap_for_each_bit(&src_bitmap, node1, i) {
+ if (!ebitmap_get_bit(&src_bitmap, i)) continue;
+
rc = __cil_get_sepol_role_datum(pdb, DATUM(db->val_to_role[i]), &sepol_src);
if (rc != SEPOL_OK) goto exit;
- ebitmap_for_each_positive_bit(&tgt_bitmap, node2, j) {
+ ebitmap_for_each_bit(&tgt_bitmap, node2, j) {
+ if (!ebitmap_get_bit(&tgt_bitmap, j)) continue;
+
rc = __cil_get_sepol_role_datum(pdb, DATUM(db->val_to_role[j]), &sepol_tgt);
if (rc != SEPOL_OK) goto exit;
@@ -2449,7 +2487,11 @@
rc = __cil_expand_user(item->data, &user_bitmap);
if (rc != SEPOL_OK) goto exit;
- ebitmap_for_each_positive_bit(&user_bitmap, unode, i) {
+ ebitmap_for_each_bit(&user_bitmap, unode, i) {
+ if (!ebitmap_get_bit(&user_bitmap, i)) {
+ continue;
+ }
+
rc = __cil_get_sepol_user_datum(pdb, DATUM(db->val_to_user[i]), &sepol_user);
if (rc != SEPOL_OK) {
ebitmap_destroy(&user_bitmap);
@@ -2471,7 +2513,9 @@
rc = __cil_expand_role(item->data, &role_bitmap);
if (rc != SEPOL_OK) goto exit;
- ebitmap_for_each_positive_bit(&role_bitmap, rnode, i) {
+ ebitmap_for_each_bit(&role_bitmap, rnode, i) {
+ if (!ebitmap_get_bit(&role_bitmap, i)) continue;
+
rc = __cil_get_sepol_role_datum(pdb, DATUM(db->val_to_role[i]), &sepol_role);
if (rc != SEPOL_OK) {
ebitmap_destroy(&role_bitmap);
@@ -2513,7 +2557,9 @@
rc = __cil_expand_type(item->data, &type_bitmap);
if (rc != SEPOL_OK) goto exit;
- ebitmap_for_each_positive_bit(&type_bitmap, tnode, i) {
+ ebitmap_for_each_bit(&type_bitmap, tnode, i) {
+ if (!ebitmap_get_bit(&type_bitmap, i)) continue;
+
rc = __cil_get_sepol_type_datum(pdb, DATUM(db->val_to_type[i]), &sepol_type);
if (rc != SEPOL_OK) {
ebitmap_destroy(&type_bitmap);
@@ -3110,11 +3156,15 @@
class_list = cil_expand_class(rangetrans->obj);
- ebitmap_for_each_positive_bit(&src_bitmap, node1, i) {
+ ebitmap_for_each_bit(&src_bitmap, node1, i) {
+ if (!ebitmap_get_bit(&src_bitmap, i)) continue;
+
rc = __cil_get_sepol_type_datum(pdb, DATUM(db->val_to_type[i]), &sepol_src);
if (rc != SEPOL_OK) goto exit;
- ebitmap_for_each_positive_bit(&tgt_bitmap, node2, j) {
+ ebitmap_for_each_bit(&tgt_bitmap, node2, j) {
+ if (!ebitmap_get_bit(&tgt_bitmap, j)) continue;
+
rc = __cil_get_sepol_type_datum(pdb, DATUM(db->val_to_type[j]), &sepol_tgt);
if (rc != SEPOL_OK) goto exit;
@@ -4443,7 +4493,8 @@
ebitmap_node_t *tnode;
unsigned int i;
struct cil_typeattribute *attr = (struct cil_typeattribute *)datum;
- ebitmap_for_each_positive_bit(attr->types, tnode, i) {
+ ebitmap_for_each_bit(attr->types, tnode, i) {
+ if (!ebitmap_get_bit(attr->types, i)) continue;
datum = DATUM(db->val_to_type[i]);
rc = __cil_get_sepol_type_datum(pdb, datum, &sepol_datum);
if (rc != SEPOL_OK) goto exit;
diff --git a/libsepol/cil/src/cil_policy.c b/libsepol/cil/src/cil_policy.c
index 1adf22a..5edab5e 100644
--- a/libsepol/cil/src/cil_policy.c
+++ b/libsepol/cil/src/cil_policy.c
@@ -342,7 +342,9 @@
unsigned int i;
size_t len = 0;
- ebitmap_for_each_positive_bit(attr->users, unode, i) {
+ ebitmap_for_each_bit(attr->users, unode, i) {
+ if (!ebitmap_get_bit(attr->users, i))
+ continue;
len += strlen(DATUM(db->val_to_user[i])->fqn);
len++;
}
@@ -452,7 +454,9 @@
char *str;
size_t len;
- ebitmap_for_each_positive_bit(attr->users, unode, i) {
+ ebitmap_for_each_bit(attr->users, unode, i) {
+ if (!ebitmap_get_bit(attr->users, i))
+ continue;
str = DATUM(db->val_to_user[i])->fqn;
len = strlen(str);
memcpy(new, str, len);
@@ -1114,7 +1118,9 @@
fprintf(out, "%s %s {", DATUM(permx->obj)->fqn, kind);
- ebitmap_for_each_positive_bit(permx->perms, node, i) {
+ ebitmap_for_each_bit(permx->perms, node, i) {
+ if (!ebitmap_get_bit(permx->perms, i))
+ continue;
if (need_first == CIL_TRUE) {
first = i;
need_first = CIL_FALSE;
diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
index 708b432..0b09cec 100644
--- a/libsepol/cil/src/cil_post.c
+++ b/libsepol/cil/src/cil_post.c
@@ -1654,9 +1654,13 @@
ebitmap_node_t *rnode;
unsigned int i;
- ebitmap_for_each_positive_bit(attr->roles, rnode, i) {
+ ebitmap_for_each_bit(attr->roles, rnode, i) {
struct cil_role *role = NULL;
+ if (!ebitmap_get_bit(attr->roles, i)) {
+ continue;
+ }
+
role = db->val_to_role[i];
rc = __cil_role_assign_types(role, type_datum);
@@ -1747,7 +1751,11 @@
if (user_node->flavor == CIL_USERATTRIBUTE) {
u_attr = userrole->user;
- ebitmap_for_each_positive_bit(u_attr->users, unode, i) {
+ ebitmap_for_each_bit(u_attr->users, unode, i) {
+ if (!ebitmap_get_bit(u_attr->users, i)) {
+ continue;
+ }
+
user = db->val_to_user[i];
rc = __cil_user_assign_roles(user, role_datum);
diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c
index 1a21cf4..1036d73 100644
--- a/libsepol/cil/src/cil_verify.c
+++ b/libsepol/cil/src/cil_verify.c
@@ -221,8 +221,8 @@
cil_log(CIL_ERR, "l1, l2, h1, and h2 cannot be used on the left side with a string or list on the right side\n");
goto exit;
} else if (l_flavor == CIL_CONS_U3 || l_flavor == CIL_CONS_R3 || l_flavor == CIL_CONS_T3) {
- if (expr_flavor != CIL_VALIDATETRANS && expr_flavor != CIL_MLSVALIDATETRANS) {
- cil_log(CIL_ERR, "u3, r3, and t3 can only be used with (mls)validatetrans rules\n");
+ if (expr_flavor != CIL_MLSVALIDATETRANS) {
+ cil_log(CIL_ERR, "u3, r3, and t3 can only be used with mlsvalidatetrans rules\n");
goto exit;
}
}
diff --git a/libsepol/include/sepol/policydb/ebitmap.h b/libsepol/include/sepol/policydb/ebitmap.h
index e62df01..94fb7ef 100644
--- a/libsepol/include/sepol/policydb/ebitmap.h
+++ b/libsepol/include/sepol/policydb/ebitmap.h
@@ -76,9 +76,6 @@
#define ebitmap_for_each_bit(e, n, bit) \
for (bit = ebitmap_start(e, &n); bit < ebitmap_length(e); bit = ebitmap_next(&n, bit)) \
-#define ebitmap_for_each_positive_bit(e, n, bit) \
- ebitmap_for_each_bit(e, n, bit) if (ebitmap_node_get_bit(n, bit)) \
-
extern int ebitmap_cmp(const ebitmap_t * e1, const ebitmap_t * e2);
extern int ebitmap_or(ebitmap_t * dst, const ebitmap_t * e1, const ebitmap_t * e2);
extern int ebitmap_union(ebitmap_t * dst, const ebitmap_t * e1);
diff --git a/libsepol/src/assertion.c b/libsepol/src/assertion.c
index 1181edc..b08757b 100644
--- a/libsepol/src/assertion.c
+++ b/libsepol/src/assertion.c
@@ -157,8 +157,12 @@
memcpy(&tmp_key, k, sizeof(avtab_key_t));
tmp_key.specified = AVTAB_XPERMS_ALLOWED;
- ebitmap_for_each_positive_bit(sattr, snode, i) {
- ebitmap_for_each_positive_bit(tattr, tnode, j) {
+ ebitmap_for_each_bit(sattr, snode, i) {
+ if (!ebitmap_node_get_bit(snode, i))
+ continue;
+ ebitmap_for_each_bit(tattr, tnode, j) {
+ if (!ebitmap_node_get_bit(tnode, j))
+ continue;
tmp_key.source_type = i + 1;
tmp_key.target_type = j + 1;
for (node = avtab_search_node(avtab, &tmp_key);
@@ -266,8 +270,13 @@
continue;
}
- ebitmap_for_each_positive_bit(&src_matches, snode, i) {
- ebitmap_for_each_positive_bit(&tgt_matches, tnode, j) {
+ ebitmap_for_each_bit(&src_matches, snode, i) {
+ if (!ebitmap_node_get_bit(snode, i))
+ continue;
+ ebitmap_for_each_bit(&tgt_matches, tnode, j) {
+ if (!ebitmap_node_get_bit(tnode, j))
+ continue;
+
if (avrule->specified == AVRULE_XPERMS_NEVERALLOW) {
a->errors += report_assertion_extended_permissions(handle,p, avrule,
i, j, cp, perms, k, avtab);
@@ -336,8 +345,12 @@
memcpy(&tmp_key, k, sizeof(avtab_key_t));
tmp_key.specified = AVTAB_XPERMS_ALLOWED;
- ebitmap_for_each_positive_bit(sattr, snode, i) {
- ebitmap_for_each_positive_bit(tattr, tnode, j) {
+ ebitmap_for_each_bit(sattr, snode, i) {
+ if (!ebitmap_node_get_bit(snode, i))
+ continue;
+ ebitmap_for_each_bit(tattr, tnode, j) {
+ if (!ebitmap_node_get_bit(tnode, j))
+ continue;
tmp_key.source_type = i + 1;
tmp_key.target_type = j + 1;
for (node = avtab_search_node(avtab, &tmp_key);
@@ -424,8 +437,13 @@
for (cp = avrule->perms; cp; cp = cp->next) {
if (cp->tclass != k->target_class)
continue;
- ebitmap_for_each_positive_bit(&src_matches, snode, i) {
- ebitmap_for_each_positive_bit(&tgt_matches, tnode, j) {
+ ebitmap_for_each_bit(&src_matches, snode, i) {
+ if (!ebitmap_node_get_bit(snode, i))
+ continue;
+ ebitmap_for_each_bit(&tgt_matches, tnode, j) {
+ if (!ebitmap_node_get_bit(tnode, j))
+ continue;
+
ret = check_assertion_extended_permissions_avtab(
avrule, avtab, i, j, k, p);
if (ret)
diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index 796121c..312d137 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -62,7 +62,9 @@
ebitmap_node_t *tnode;
ebitmap_init(dst);
- ebitmap_for_each_positive_bit(src, tnode, i) {
+ ebitmap_for_each_bit(src, tnode, i) {
+ if (!ebitmap_node_get_bit(tnode, i))
+ continue;
if (!map[i])
continue;
if (ebitmap_set_bit(dst, map[i] - 1, 1))
@@ -769,23 +771,25 @@
}
ebitmap_destroy(&mapped_roles);
- ebitmap_for_each_positive_bit(&role->roles, rnode, i) {
- /* take advantage of sym_val_to_name[]
- * of the base module */
- base_reg_role_id = state->base->p_role_val_to_name[i];
- regular_role = (role_datum_t *)hashtab_search(
- state->out->p_roles.table,
- base_reg_role_id);
- assert(regular_role != NULL &&
- regular_role->flavor == ROLE_ROLE);
+ ebitmap_for_each_bit(&role->roles, rnode, i) {
+ if (ebitmap_node_get_bit(rnode, i)) {
+ /* take advantage of sym_val_to_name[]
+ * of the base module */
+ base_reg_role_id = state->base->p_role_val_to_name[i];
+ regular_role = (role_datum_t *)hashtab_search(
+ state->out->p_roles.table,
+ base_reg_role_id);
+ assert(regular_role != NULL &&
+ regular_role->flavor == ROLE_ROLE);
- if (ebitmap_union(®ular_role->types.types,
- &new_role->types.types)) {
- ERR(state->handle, "Out of memory!");
- return -1;
+ if (ebitmap_union(®ular_role->types.types,
+ &new_role->types.types)) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
}
}
-
+
return 0;
}
@@ -1240,8 +1244,12 @@
return -1;
}
- ebitmap_for_each_positive_bit(&roles, snode, i) {
- ebitmap_for_each_positive_bit(&new_roles, tnode, j) {
+ ebitmap_for_each_bit(&roles, snode, i) {
+ if (!ebitmap_node_get_bit(snode, i))
+ continue;
+ ebitmap_for_each_bit(&new_roles, tnode, j) {
+ if (!ebitmap_node_get_bit(tnode, j))
+ continue;
/* check for duplicates */
cur_allow = state->out->role_allow;
while (cur_allow) {
@@ -1304,9 +1312,16 @@
ERR(state->handle, "Out of memory!");
return -1;
}
- ebitmap_for_each_positive_bit(&roles, rnode, i) {
- ebitmap_for_each_positive_bit(&types, tnode, j) {
- ebitmap_for_each_positive_bit(&cur->classes, cnode, k) {
+ ebitmap_for_each_bit(&roles, rnode, i) {
+ if (!ebitmap_node_get_bit(rnode, i))
+ continue;
+ ebitmap_for_each_bit(&types, tnode, j) {
+ if (!ebitmap_node_get_bit(tnode, j))
+ continue;
+ ebitmap_for_each_bit(&cur->classes, cnode, k) {
+ if (!ebitmap_node_get_bit(cnode, k))
+ continue;
+
cur_trans = state->out->role_tr;
while (cur_trans) {
unsigned int mapped_role;
@@ -1399,8 +1414,13 @@
mapped_otype = state->typemap[cur_rule->otype - 1];
- ebitmap_for_each_positive_bit(&stypes, snode, i) {
- ebitmap_for_each_positive_bit(&ttypes, tnode, j) {
+ ebitmap_for_each_bit(&stypes, snode, i) {
+ if (!ebitmap_node_get_bit(snode, i))
+ continue;
+ ebitmap_for_each_bit(&ttypes, tnode, j) {
+ if (!ebitmap_node_get_bit(tnode, j))
+ continue;
+
key.stype = i + 1;
key.ttype = j + 1;
key.tclass = cur_rule->tclass;
@@ -1565,11 +1585,18 @@
}
/* loop on source type */
- ebitmap_for_each_positive_bit(&stypes, snode, i) {
+ ebitmap_for_each_bit(&stypes, snode, i) {
+ if (!ebitmap_node_get_bit(snode, i))
+ continue;
/* loop on target type */
- ebitmap_for_each_positive_bit(&ttypes, tnode, j) {
+ ebitmap_for_each_bit(&ttypes, tnode, j) {
+ if (!ebitmap_node_get_bit(tnode, j))
+ continue;
/* loop on target class */
- ebitmap_for_each_positive_bit(&rule->tclasses, cnode, k) {
+ ebitmap_for_each_bit(&rule->tclasses, cnode, k) {
+ if (!ebitmap_node_get_bit(cnode, k))
+ continue;
+
if (exp_rangetr_helper(i + 1,
j + 1,
k + 1,
@@ -1885,7 +1912,9 @@
int retval;
ebitmap_node_t *snode, *tnode;
- ebitmap_for_each_positive_bit(stypes, snode, i) {
+ ebitmap_for_each_bit(stypes, snode, i) {
+ if (!ebitmap_node_get_bit(snode, i))
+ continue;
if (source_rule->flags & RULE_SELF) {
if (source_rule->specified & (AVRULE_AV | AVRULE_XPERMS)) {
retval = expand_avrule_helper(handle, source_rule->specified,
@@ -1902,7 +1931,9 @@
return retval;
}
}
- ebitmap_for_each_positive_bit(ttypes, tnode, j) {
+ ebitmap_for_each_bit(ttypes, tnode, j) {
+ if (!ebitmap_node_get_bit(tnode, j))
+ continue;
if (source_rule->specified & (AVRULE_AV | AVRULE_XPERMS)) {
retval = expand_avrule_helper(handle, source_rule->specified,
cond, i, j, source_rule->perms,
@@ -2331,7 +2362,9 @@
if (ebitmap_cpy(&p->attr_type_map[value - 1], &type->types)) {
goto oom;
}
- ebitmap_for_each_positive_bit(&type->types, tnode, i) {
+ ebitmap_for_each_bit(&type->types, tnode, i) {
+ if (!ebitmap_node_get_bit(tnode, i))
+ continue;
if (ebitmap_set_bit(&p->type_attr_map[i], value - 1, 1)) {
goto oom;
}
@@ -2442,18 +2475,20 @@
if (rolemap) {
assert(base != NULL);
- ebitmap_for_each_positive_bit(&x->roles, rnode, i) {
- /* take advantage of p_role_val_to_struct[]
- * of the base module */
- role = base->role_val_to_struct[i];
- assert(role != NULL);
- if (role->flavor == ROLE_ATTRIB) {
- if (ebitmap_union(&roles,
- &role->roles))
- goto bad;
- } else {
- if (ebitmap_set_bit(&roles, i, 1))
- goto bad;
+ ebitmap_for_each_bit(&x->roles, rnode, i) {
+ if (ebitmap_node_get_bit(rnode, i)) {
+ /* take advantage of p_role_val_to_struct[]
+ * of the base module */
+ role = base->role_val_to_struct[i];
+ assert(role != NULL);
+ if (role->flavor == ROLE_ATTRIB) {
+ if (ebitmap_union(&roles,
+ &role->roles))
+ goto bad;
+ } else {
+ if (ebitmap_set_bit(&roles, i, 1))
+ goto bad;
+ }
}
}
if (map_ebitmap(&roles, &mapped_roles, rolemap))
@@ -2463,9 +2498,11 @@
goto bad;
}
- ebitmap_for_each_positive_bit(&mapped_roles, rnode, i) {
- if (ebitmap_set_bit(r, i, 1))
- goto bad;
+ ebitmap_for_each_bit(&mapped_roles, rnode, i) {
+ if (ebitmap_node_get_bit(rnode, i)) {
+ if (ebitmap_set_bit(r, i, 1))
+ goto bad;
+ }
}
ebitmap_destroy(&mapped_roles);
@@ -2512,7 +2549,10 @@
ebitmap_init(t);
/* First go through the types and OR all the attributes to types */
- ebitmap_for_each_positive_bit(&set->types, tnode, i) {
+ ebitmap_for_each_bit(&set->types, tnode, i) {
+ if (!ebitmap_node_get_bit(tnode, i))
+ continue;
+
/*
* invalid policies might have more types set in the ebitmap than
* what's available in the type_val_to_struct mapping
@@ -2540,17 +2580,19 @@
/* Now do the same thing for negset */
ebitmap_init(&neg_types);
- ebitmap_for_each_positive_bit(&set->negset, tnode, i) {
- if (p->type_val_to_struct[i] &&
- p->type_val_to_struct[i]->flavor == TYPE_ATTRIB) {
- if (ebitmap_union
- (&neg_types,
- &p->type_val_to_struct[i]->types)) {
- goto err_neg;
- }
- } else {
- if (ebitmap_set_bit(&neg_types, i, 1)) {
- goto err_neg;
+ ebitmap_for_each_bit(&set->negset, tnode, i) {
+ if (ebitmap_node_get_bit(tnode, i)) {
+ if (p->type_val_to_struct[i] &&
+ p->type_val_to_struct[i]->flavor == TYPE_ATTRIB) {
+ if (ebitmap_union
+ (&neg_types,
+ &p->type_val_to_struct[i]->types)) {
+ goto err_neg;
+ }
+ } else {
+ if (ebitmap_set_bit(&neg_types, i, 1)) {
+ goto err_neg;
+ }
}
}
}
@@ -2569,8 +2611,9 @@
goto out;
}
- ebitmap_for_each_positive_bit(&types, tnode, i) {
- if (!ebitmap_get_bit(&neg_types, i))
+ ebitmap_for_each_bit(&types, tnode, i) {
+ if (ebitmap_node_get_bit(tnode, i)
+ && (!ebitmap_get_bit(&neg_types, i)))
if (ebitmap_set_bit(t, i, 1))
goto err_neg;
}
@@ -3273,7 +3316,9 @@
if (stype && stype->flavor != TYPE_ATTRIB) {
/* Source is an individual type, target is an attribute. */
newkey.source_type = k->source_type;
- ebitmap_for_each_positive_bit(tattr, tnode, j) {
+ ebitmap_for_each_bit(tattr, tnode, j) {
+ if (!ebitmap_node_get_bit(tnode, j))
+ continue;
newkey.target_type = j + 1;
rc = expand_avtab_insert(expa, &newkey, d);
if (rc)
@@ -3285,7 +3330,9 @@
if (ttype && ttype->flavor != TYPE_ATTRIB) {
/* Target is an individual type, source is an attribute. */
newkey.target_type = k->target_type;
- ebitmap_for_each_positive_bit(sattr, snode, i) {
+ ebitmap_for_each_bit(sattr, snode, i) {
+ if (!ebitmap_node_get_bit(snode, i))
+ continue;
newkey.source_type = i + 1;
rc = expand_avtab_insert(expa, &newkey, d);
if (rc)
@@ -3295,8 +3342,12 @@
}
/* Both source and target type are attributes. */
- ebitmap_for_each_positive_bit(sattr, snode, i) {
- ebitmap_for_each_positive_bit(tattr, tnode, j) {
+ ebitmap_for_each_bit(sattr, snode, i) {
+ if (!ebitmap_node_get_bit(snode, i))
+ continue;
+ ebitmap_for_each_bit(tattr, tnode, j) {
+ if (!ebitmap_node_get_bit(tnode, j))
+ continue;
newkey.source_type = i + 1;
newkey.target_type = j + 1;
rc = expand_avtab_insert(expa, &newkey, d);
@@ -3395,7 +3446,9 @@
if (stype && stype->flavor != TYPE_ATTRIB) {
/* Source is an individual type, target is an attribute. */
newkey.source_type = k->source_type;
- ebitmap_for_each_positive_bit(tattr, tnode, j) {
+ ebitmap_for_each_bit(tattr, tnode, j) {
+ if (!ebitmap_node_get_bit(tnode, j))
+ continue;
newkey.target_type = j + 1;
rc = expand_cond_insert(newl, expa, &newkey, d);
if (rc)
@@ -3407,7 +3460,9 @@
if (ttype && ttype->flavor != TYPE_ATTRIB) {
/* Target is an individual type, source is an attribute. */
newkey.target_type = k->target_type;
- ebitmap_for_each_positive_bit(sattr, snode, i) {
+ ebitmap_for_each_bit(sattr, snode, i) {
+ if (!ebitmap_node_get_bit(snode, i))
+ continue;
newkey.source_type = i + 1;
rc = expand_cond_insert(newl, expa, &newkey, d);
if (rc)
@@ -3417,8 +3472,12 @@
}
/* Both source and target type are attributes. */
- ebitmap_for_each_positive_bit(sattr, snode, i) {
- ebitmap_for_each_positive_bit(tattr, tnode, j) {
+ ebitmap_for_each_bit(sattr, snode, i) {
+ if (!ebitmap_node_get_bit(snode, i))
+ continue;
+ ebitmap_for_each_bit(tattr, tnode, j) {
+ if (!ebitmap_node_get_bit(tnode, j))
+ continue;
newkey.source_type = i + 1;
newkey.target_type = j + 1;
rc = expand_cond_insert(newl, expa, &newkey, d);
diff --git a/libsepol/src/genusers.c b/libsepol/src/genusers.c
index c375c66..9bea83f 100644
--- a/libsepol/src/genusers.c
+++ b/libsepol/src/genusers.c
@@ -169,14 +169,15 @@
continue;
}
/* Set the role and every role it dominates */
- ebitmap_for_each_positive_bit(&roldatum->dominates, rnode, bit) {
- if (ebitmap_set_bit
- (&usrdatum->roles.roles, bit, 1)) {
- ERR(NULL, "out of memory");
- free(buffer);
- fclose(fp);
- return -1;
- }
+ ebitmap_for_each_bit(&roldatum->dominates, rnode, bit) {
+ if (ebitmap_node_get_bit(rnode, bit))
+ if (ebitmap_set_bit
+ (&usrdatum->roles.roles, bit, 1)) {
+ ERR(NULL, "out of memory");
+ free(buffer);
+ fclose(fp);
+ return -1;
+ }
}
} while (islist);
if (oldc == 0)
diff --git a/libsepol/src/hierarchy.c b/libsepol/src/hierarchy.c
index 8919daa..778541a 100644
--- a/libsepol/src/hierarchy.c
+++ b/libsepol/src/hierarchy.c
@@ -111,7 +111,9 @@
if (ebitmap_get_bit(&p->attr_type_map[src - 1], parent - 1)) {
avtab_key.source_type = parent;
- ebitmap_for_each_positive_bit(&p->attr_type_map[tgt - 1], tnode, i) {
+ ebitmap_for_each_bit(&p->attr_type_map[tgt - 1], tnode, i) {
+ if (!ebitmap_node_get_bit(tnode, i))
+ continue;
avtab_key.target_type = i + 1;
rc = bounds_insert_rule(handle, avtab, global, other,
&avtab_key, &datum);
@@ -296,7 +298,9 @@
if (ebitmap_get_bit(&p->attr_type_map[src - 1], child - 1)) {
avtab_key.source_type = parent;
- ebitmap_for_each_positive_bit(&p->attr_type_map[tgt - 1], tnode, i) {
+ ebitmap_for_each_bit(&p->attr_type_map[tgt - 1], tnode, i) {
+ if (!ebitmap_node_get_bit(tnode, i))
+ continue;
td = p->type_val_to_struct[i];
if (td && td->bounds) {
avtab_key.target_type = td->bounds;
diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index 320af37..48b571a 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
@@ -993,7 +993,10 @@
size_t len = 0;
range = 0;
- ebitmap_for_each_positive_bit(cats, node, i) {
+ ebitmap_for_each_bit(cats, node, i) {
+ if (!ebitmap_get_bit(cats, i))
+ continue;
+
if (range == 0)
start = i;
@@ -1041,7 +1044,10 @@
remaining--;;
range = 0;
- ebitmap_for_each_positive_bit(cats, node, i) {
+ ebitmap_for_each_bit(cats, node, i) {
+ if (!ebitmap_get_bit(cats, i))
+ continue;
+
if (range == 0)
start = i;
@@ -1158,7 +1164,9 @@
goto exit;
}
- ebitmap_for_each_positive_bit(&pdb->policycaps, node, i) {
+ ebitmap_for_each_bit(&pdb->policycaps, node, i) {
+ if (!ebitmap_get_bit(&pdb->policycaps, i)) continue;
+
name = sepol_polcap_getname(i);
if (name == NULL) {
sepol_log_err("Unknown policy capability id: %i", i);
@@ -1537,7 +1545,8 @@
goto exit;
}
- ebitmap_for_each_positive_bit(&pdb->permissive_map, node, i) {
+ ebitmap_for_each_bit(&pdb->permissive_map, node, i) {
+ if (!ebitmap_get_bit(&pdb->permissive_map, i)) continue;
rc = strs_add(strs, pdb->p_type_val_to_name[i-1]);
if (rc != 0) {
goto exit;
diff --git a/libsepol/src/kernel_to_common.c b/libsepol/src/kernel_to_common.c
index 7b53c92..891e139 100644
--- a/libsepol/src/kernel_to_common.c
+++ b/libsepol/src/kernel_to_common.c
@@ -360,7 +360,9 @@
uint32_t i;
int rc;
- ebitmap_for_each_positive_bit(map, node, i) {
+ ebitmap_for_each_bit(map, node, i) {
+ if (!ebitmap_get_bit(map, i)) continue;
+
rc = strs_add(strs, val_to_name[i]);
if (rc != 0) {
return -1;
diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
index 4f84ee8..afadca6 100644
--- a/libsepol/src/kernel_to_conf.c
+++ b/libsepol/src/kernel_to_conf.c
@@ -978,7 +978,10 @@
size_t len = 0;
range = 0;
- ebitmap_for_each_positive_bit(cats, node, i) {
+ ebitmap_for_each_bit(cats, node, i) {
+ if (!ebitmap_get_bit(cats, i))
+ continue;
+
if (range == 0)
start = i;
@@ -1017,7 +1020,10 @@
first = 1;
range = 0;
- ebitmap_for_each_positive_bit(cats, node, i) {
+ ebitmap_for_each_bit(cats, node, i) {
+ if (!ebitmap_get_bit(cats, i))
+ continue;
+
if (range == 0)
start = i;
@@ -1132,7 +1138,9 @@
goto exit;
}
- ebitmap_for_each_positive_bit(&pdb->policycaps, node, i) {
+ ebitmap_for_each_bit(&pdb->policycaps, node, i) {
+ if (!ebitmap_get_bit(&pdb->policycaps, i)) continue;
+
name = sepol_polcap_getname(i);
if (name == NULL) {
sepol_log_err("Unknown policy capability id: %i", i);
@@ -1582,7 +1590,8 @@
goto exit;
}
- ebitmap_for_each_positive_bit(&pdb->permissive_map, node, i) {
+ ebitmap_for_each_bit(&pdb->permissive_map, node, i) {
+ if (!ebitmap_get_bit(&pdb->permissive_map, i)) continue;
rc = strs_add(strs, pdb->p_type_val_to_name[i-1]);
if (rc != 0) {
goto exit;
diff --git a/libsepol/src/link.c b/libsepol/src/link.c
index 0ded480..3f1d610 100644
--- a/libsepol/src/link.c
+++ b/libsepol/src/link.c
@@ -962,18 +962,22 @@
{
unsigned int i;
ebitmap_node_t *tnode;
- ebitmap_for_each_positive_bit(&types->types, tnode, i) {
- assert(mod->map[SYM_TYPES][i]);
- if (ebitmap_set_bit
- (&dst->types, mod->map[SYM_TYPES][i] - 1, 1)) {
- goto cleanup;
+ ebitmap_for_each_bit(&types->types, tnode, i) {
+ if (ebitmap_node_get_bit(tnode, i)) {
+ assert(mod->map[SYM_TYPES][i]);
+ if (ebitmap_set_bit
+ (&dst->types, mod->map[SYM_TYPES][i] - 1, 1)) {
+ goto cleanup;
+ }
}
}
- ebitmap_for_each_positive_bit(&types->negset, tnode, i) {
- assert(mod->map[SYM_TYPES][i]);
- if (ebitmap_set_bit
- (&dst->negset, mod->map[SYM_TYPES][i] - 1, 1)) {
- goto cleanup;
+ ebitmap_for_each_bit(&types->negset, tnode, i) {
+ if (ebitmap_node_get_bit(tnode, i)) {
+ assert(mod->map[SYM_TYPES][i]);
+ if (ebitmap_set_bit
+ (&dst->negset, mod->map[SYM_TYPES][i] - 1, 1)) {
+ goto cleanup;
+ }
}
}
dst->flags = types->flags;
@@ -1015,11 +1019,13 @@
ebitmap_node_t *rnode;
ebitmap_init(&tmp);
- ebitmap_for_each_positive_bit(&roles->roles, rnode, i) {
- assert(mod->map[SYM_ROLES][i]);
- if (ebitmap_set_bit
- (&tmp, mod->map[SYM_ROLES][i] - 1, 1)) {
- goto cleanup;
+ ebitmap_for_each_bit(&roles->roles, rnode, i) {
+ if (ebitmap_node_get_bit(rnode, i)) {
+ assert(mod->map[SYM_ROLES][i]);
+ if (ebitmap_set_bit
+ (&tmp, mod->map[SYM_ROLES][i] - 1, 1)) {
+ goto cleanup;
+ }
}
}
if (ebitmap_union(&dst->roles, &tmp)) {
@@ -1109,11 +1115,13 @@
}
ebitmap_init(&e_tmp);
- ebitmap_for_each_positive_bit(&role->dominates, rnode, i) {
- assert(mod->map[SYM_ROLES][i]);
- if (ebitmap_set_bit
- (&e_tmp, mod->map[SYM_ROLES][i] - 1, 1)) {
- goto cleanup;
+ ebitmap_for_each_bit(&role->dominates, rnode, i) {
+ if (ebitmap_node_get_bit(rnode, i)) {
+ assert(mod->map[SYM_ROLES][i]);
+ if (ebitmap_set_bit
+ (&e_tmp, mod->map[SYM_ROLES][i] - 1, 1)) {
+ goto cleanup;
+ }
}
}
if (ebitmap_union(&dest_role->dominates, &e_tmp)) {
@@ -1126,11 +1134,13 @@
if (role->flavor == ROLE_ATTRIB) {
ebitmap_init(&e_tmp);
- ebitmap_for_each_positive_bit(&role->roles, rnode, i) {
- assert(mod->map[SYM_ROLES][i]);
- if (ebitmap_set_bit
- (&e_tmp, mod->map[SYM_ROLES][i] - 1, 1)) {
- goto cleanup;
+ ebitmap_for_each_bit(&role->roles, rnode, i) {
+ if (ebitmap_node_get_bit(rnode, i)) {
+ assert(mod->map[SYM_ROLES][i]);
+ if (ebitmap_set_bit
+ (&e_tmp, mod->map[SYM_ROLES][i] - 1, 1)) {
+ goto cleanup;
+ }
}
}
if (ebitmap_union(&dest_role->roles, &e_tmp)) {
@@ -1179,11 +1189,13 @@
}
ebitmap_init(&e_tmp);
- ebitmap_for_each_positive_bit(&type->types, tnode, i) {
- assert(mod->map[SYM_TYPES][i]);
- if (ebitmap_set_bit
- (&e_tmp, mod->map[SYM_TYPES][i] - 1, 1)) {
- goto cleanup;
+ ebitmap_for_each_bit(&type->types, tnode, i) {
+ if (ebitmap_node_get_bit(tnode, i)) {
+ assert(mod->map[SYM_TYPES][i]);
+ if (ebitmap_set_bit
+ (&e_tmp, mod->map[SYM_TYPES][i] - 1, 1)) {
+ goto cleanup;
+ }
}
}
if (ebitmap_union(&new_type->types, &e_tmp)) {
@@ -1376,13 +1388,15 @@
goto cleanup;
}
- ebitmap_for_each_positive_bit(&cur->classes, cnode, i) {
- assert(module->map[SYM_CLASSES][i]);
- if (ebitmap_set_bit(&new_rule->classes,
- module->
- map[SYM_CLASSES][i] - 1,
- 1)) {
- goto cleanup;
+ ebitmap_for_each_bit(&cur->classes, cnode, i) {
+ if (ebitmap_node_get_bit(cnode, i)) {
+ assert(module->map[SYM_CLASSES][i]);
+ if (ebitmap_set_bit(&new_rule->classes,
+ module->
+ map[SYM_CLASSES][i] - 1,
+ 1)) {
+ goto cleanup;
+ }
}
}
@@ -1516,12 +1530,14 @@
mod, state))
goto cleanup;
- ebitmap_for_each_positive_bit(&rule->tclasses, cnode, i) {
- assert(mod->map[SYM_CLASSES][i]);
- if (ebitmap_set_bit
- (&new_rule->tclasses,
- mod->map[SYM_CLASSES][i] - 1, 1)) {
- goto cleanup;
+ ebitmap_for_each_bit(&rule->tclasses, cnode, i) {
+ if (ebitmap_node_get_bit(cnode, i)) {
+ assert(mod->map[SYM_CLASSES][i]);
+ if (ebitmap_set_bit
+ (&new_rule->tclasses,
+ mod->map[SYM_CLASSES][i] - 1, 1)) {
+ goto cleanup;
+ }
}
}
@@ -1662,18 +1678,20 @@
if (copy_callback_f[i] == NULL) {
continue;
}
- ebitmap_for_each_positive_bit(srcmap, node, j) {
- assert(module->map[i][j] != 0);
- if (ebitmap_set_bit
- (destmap, module->map[i][j] - 1, 1) != 0) {
+ ebitmap_for_each_bit(srcmap, node, j) {
+ if (ebitmap_node_get_bit(node, j)) {
+ assert(module->map[i][j] != 0);
+ if (ebitmap_set_bit
+ (destmap, module->map[i][j] - 1, 1) != 0) {
- goto cleanup;
- }
- if (i == SYM_CLASSES &&
- largest_mapped_class_value <
- module->map[SYM_CLASSES][j]) {
- largest_mapped_class_value =
- module->map[SYM_CLASSES][j];
+ goto cleanup;
+ }
+ if (i == SYM_CLASSES &&
+ largest_mapped_class_value <
+ module->map[SYM_CLASSES][j]) {
+ largest_mapped_class_value =
+ module->map[SYM_CLASSES][j];
+ }
}
}
}
@@ -1692,8 +1710,9 @@
ebitmap_t *srcmap = src->class_perms_map + i;
ebitmap_t *destmap =
dest->class_perms_map + module->map[SYM_CLASSES][i] - 1;
- ebitmap_for_each_positive_bit(srcmap, node, j) {
- if (ebitmap_set_bit(destmap, module->perm_map[i][j] - 1,
+ ebitmap_for_each_bit(srcmap, node, j) {
+ if (ebitmap_node_get_bit(node, j) &&
+ ebitmap_set_bit(destmap, module->perm_map[i][j] - 1,
1)) {
goto cleanup;
}
@@ -1993,7 +2012,11 @@
continue;
}
bitmap = &decl->required.scope[i];
- ebitmap_for_each_positive_bit(bitmap, node, j) {
+ ebitmap_for_each_bit(bitmap, node, j) {
+ if (!ebitmap_node_get_bit(node, j)) {
+ continue;
+ }
+
/* check base's scope table */
id = pol->sym_val_to_name[i][j];
if (!is_id_enabled(id, state->base, i)) {
@@ -2010,13 +2033,16 @@
for (i = 0; i < decl->required.class_perms_len; i++) {
bitmap = decl->required.class_perms_map + i;
- ebitmap_for_each_positive_bit(bitmap, node, j) {
+ ebitmap_for_each_bit(bitmap, node, j) {
struct find_perm_arg fparg;
class_datum_t *cladatum;
uint32_t perm_value = j + 1;
int rc;
scope_datum_t *scope;
+ if (!ebitmap_node_get_bit(node, j)) {
+ continue;
+ }
id = pol->p_class_val_to_name[i];
cladatum = pol->class_val_to_struct[i];
@@ -2413,30 +2439,32 @@
INFO(state->handle, "expanding role attribute %s", id);
restart:
- ebitmap_for_each_positive_bit(&role->roles, rnode, i) {
- sub_attr = state->base->role_val_to_struct[i];
- if (sub_attr->flavor != ROLE_ATTRIB)
- continue;
+ ebitmap_for_each_bit(&role->roles, rnode, i) {
+ if (ebitmap_node_get_bit(rnode, i)) {
+ sub_attr = state->base->role_val_to_struct[i];
+ if (sub_attr->flavor != ROLE_ATTRIB)
+ continue;
+
+ /* remove the sub role attribute from the parent
+ * role attribute's roles ebitmap */
+ if (ebitmap_set_bit(&role->roles, i, 0))
+ return -1;
- /* remove the sub role attribute from the parent
- * role attribute's roles ebitmap */
- if (ebitmap_set_bit(&role->roles, i, 0))
- return -1;
+ /* loop dependency of role attributes */
+ if (sub_attr->s.value == role->s.value)
+ continue;
- /* loop dependency of role attributes */
- if (sub_attr->s.value == role->s.value)
- continue;
-
- /* now go on to expand a sub role attribute
- * by escalating its roles ebitmap */
- if (ebitmap_union(&role->roles, &sub_attr->roles)) {
- ERR(state->handle, "Out of memory!");
- return -1;
+ /* now go on to expand a sub role attribute
+ * by escalating its roles ebitmap */
+ if (ebitmap_union(&role->roles, &sub_attr->roles)) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+
+ /* sub_attr->roles may contain other role attributes,
+ * re-scan the parent role attribute's roles ebitmap */
+ goto restart;
}
-
- /* sub_attr->roles may contain other role attributes,
- * re-scan the parent role attribute's roles ebitmap */
- goto restart;
}
return 0;
diff --git a/libsepol/src/mls.c b/libsepol/src/mls.c
index 63ad1bc..bf1fdbd 100644
--- a/libsepol/src/mls.c
+++ b/libsepol/src/mls.c
@@ -289,15 +289,17 @@
if (!levdatum)
return 0;
- ebitmap_for_each_positive_bit(&c->range.level[l].cat, cnode, i) {
- if (i > p->p_cats.nprim)
- return 0;
- if (!ebitmap_get_bit(&levdatum->level->cat, i))
- /*
- * Category may not be associated with
- * sensitivity in low level.
- */
- return 0;
+ ebitmap_for_each_bit(&c->range.level[l].cat, cnode, i) {
+ if (ebitmap_node_get_bit(cnode, i)) {
+ if (i > p->p_cats.nprim)
+ return 0;
+ if (!ebitmap_get_bit(&levdatum->level->cat, i))
+ /*
+ * Category may not be associated with
+ * sensitivity in low level.
+ */
+ return 0;
+ }
}
}
@@ -577,21 +579,23 @@
c->range.level[l].sens = levdatum->level->sens;
ebitmap_init(&bitmap);
- ebitmap_for_each_positive_bit(&c->range.level[l].cat, cnode, i) {
- int rc;
+ ebitmap_for_each_bit(&c->range.level[l].cat, cnode, i) {
+ if (ebitmap_node_get_bit(cnode, i)) {
+ int rc;
- catdatum =
- (cat_datum_t *) hashtab_search(newp->p_cats.
- table,
- oldp->
- p_cat_val_to_name
- [i]);
- if (!catdatum)
- return -EINVAL;
- rc = ebitmap_set_bit(&bitmap,
- catdatum->s.value - 1, 1);
- if (rc)
- return rc;
+ catdatum =
+ (cat_datum_t *) hashtab_search(newp->p_cats.
+ table,
+ oldp->
+ p_cat_val_to_name
+ [i]);
+ if (!catdatum)
+ return -EINVAL;
+ rc = ebitmap_set_bit(&bitmap,
+ catdatum->s.value - 1, 1);
+ if (rc)
+ return rc;
+ }
}
ebitmap_destroy(&c->range.level[l].cat);
c->range.level[l].cat = bitmap;
diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index da62c8a..f04589e 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -732,7 +732,10 @@
uint32_t i;
char **val_to_name = pdb->sym_val_to_name[type];
- ebitmap_for_each_positive_bit(map, node, i) {
+ ebitmap_for_each_bit(map, node, i) {
+ if (!ebitmap_get_bit(map, i)) {
+ continue;
+ }
cil_printf("%s ", val_to_name[i]);
}
@@ -859,7 +862,10 @@
if (has_positive) {
cil_printf("(");
- ebitmap_for_each_positive_bit(pos, node, i) {
+ ebitmap_for_each_bit(pos, node, i) {
+ if (!ebitmap_get_bit(pos, i)) {
+ continue;
+ }
cil_printf("%s ", val_to_name[i]);
}
cil_printf(") ");
@@ -868,7 +874,10 @@
if (has_negative) {
cil_printf("(not (");
- ebitmap_for_each_positive_bit(neg, node, i) {
+ ebitmap_for_each_bit(neg, node, i) {
+ if (!ebitmap_get_bit(neg, i)) {
+ continue;
+ }
cil_printf("%s ", val_to_name[i]);
}
@@ -990,13 +999,15 @@
char **name_arr;
num = 0;
- ebitmap_for_each_positive_bit(map, node, i) {
- if (num >= UINT32_MAX / sizeof(*name_arr)) {
- log_err("Overflow");
- rc = -1;
- goto exit;
+ ebitmap_for_each_bit(map, node, i) {
+ if (ebitmap_get_bit(map, i)) {
+ if (num >= UINT32_MAX / sizeof(*name_arr)) {
+ log_err("Overflow");
+ rc = -1;
+ goto exit;
+ }
+ num++;
}
- num++;
}
if (!num) {
@@ -1013,9 +1024,11 @@
}
num = 0;
- ebitmap_for_each_positive_bit(map, node, i) {
- name_arr[num] = vals_to_names[i];
- num++;
+ ebitmap_for_each_bit(map, node, i) {
+ if (ebitmap_get_bit(map, i)) {
+ name_arr[num] = vals_to_names[i];
+ num++;
+ }
}
*names = name_arr;
@@ -1456,7 +1469,10 @@
for (role = 0; role < num_role_names; role++) {
for (type = 0; type < num_type_names; type++) {
- ebitmap_for_each_positive_bit(&rule->classes, node, i) {
+ ebitmap_for_each_bit(&rule->classes, node, i) {
+ if (!ebitmap_get_bit(&rule->classes, i)) {
+ continue;
+ }
cil_println(indent, "(roletransition %s %s %s %s)",
role_names[role], type_names[type],
pdb->p_class_val_to_name[i],
@@ -1552,7 +1568,11 @@
for (stype = 0; stype < num_stypes; stype++) {
for (ttype = 0; ttype < num_ttypes; ttype++) {
- ebitmap_for_each_positive_bit(&rule->tclasses, node, i) {
+ ebitmap_for_each_bit(&rule->tclasses, node, i) {
+ if (!ebitmap_get_bit(&rule->tclasses, i)) {
+ continue;
+ }
+
cil_indent(indent);
cil_printf("(rangetransition %s %s %s ", stypes[stype], ttypes[ttype], pdb->p_class_val_to_name[i]);
@@ -2074,7 +2094,10 @@
cil_indent(indent);
cil_printf("(classorder (");
- ebitmap_for_each_positive_bit(&order, node, i) {
+ ebitmap_for_each_bit(&order, node, i) {
+ if (!ebitmap_get_bit(&order, i)) {
+ continue;
+ }
cil_printf("%s ", pdb->sym_val_to_name[SYM_CLASSES][i]);
}
@@ -2176,7 +2199,10 @@
if (ebitmap_cardinality(&role->roles) > 0) {
cil_indent(indent);
cil_printf("(roleattributeset %s (", key);
- ebitmap_for_each_positive_bit(&role->roles, node, i) {
+ ebitmap_for_each_bit(&role->roles, node, i) {
+ if (!ebitmap_get_bit(&role->roles, i)) {
+ continue;
+ }
cil_printf("%s ", pdb->p_role_val_to_name[i]);
}
cil_printf("))\n");
@@ -2305,7 +2331,10 @@
cil_println(indent, "(userrole %s " DEFAULT_OBJECT ")", key);
}
- ebitmap_for_each_positive_bit(&roles, node, i) {
+ ebitmap_for_each_bit(&roles, node, i) {
+ if (!ebitmap_get_bit(&roles, i)) {
+ continue;
+ }
cil_println(indent, "(userrole %s %s)", key, pdb->p_role_val_to_name[i]);
}
@@ -2392,7 +2421,10 @@
cil_indent(indent);
cil_printf("(sensitivityorder (");
- ebitmap_for_each_positive_bit(&order, node, i) {
+ ebitmap_for_each_bit(&order, node, i) {
+ if (!ebitmap_get_bit(&order, i)) {
+ continue;
+ }
cil_printf("%s ", pdb->p_sens_val_to_name[i]);
}
@@ -2433,7 +2465,10 @@
cil_indent(indent);
cil_printf("(categoryorder (");
- ebitmap_for_each_positive_bit(&order, node, i) {
+ ebitmap_for_each_bit(&order, node, i) {
+ if (!ebitmap_get_bit(&order, i)) {
+ continue;
+ }
cil_printf("%s ", pdb->p_cat_val_to_name[i]);
}
@@ -2454,7 +2489,10 @@
map = &pdb->policycaps;
- ebitmap_for_each_positive_bit(map, node, i) {
+ ebitmap_for_each_bit(map, node, i) {
+ if (!ebitmap_get_bit(map, i)) {
+ continue;
+ }
name = sepol_polcap_getname(i);
if (name == NULL) {
log_err("Unknown policy capability id: %i", i);
@@ -3389,7 +3427,10 @@
}
map = decl->declared.scope[sym];
- ebitmap_for_each_positive_bit(&map, node, i) {
+ ebitmap_for_each_bit(&map, node, i) {
+ if (!ebitmap_get_bit(&map, i)) {
+ continue;
+ }
key = pdb->sym_val_to_name[sym][i];
datum = hashtab_search(pdb->symtab[sym].table, key);
if (datum == NULL) {
@@ -3453,7 +3494,10 @@
}
map = decl->required.scope[sym];
- ebitmap_for_each_positive_bit(&map, node, i) {
+ ebitmap_for_each_bit(&map, node, i) {
+ if (!ebitmap_get_bit(&map, i)) {
+ continue;
+ }
key = pdb->sym_val_to_name[sym][i];
scope_datum = hashtab_search(pdb->scope[sym].table, key);
diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index 69bcb4d..96176d8 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -4245,9 +4245,10 @@
if (r_policyvers >= POLICYDB_VERSION_AVTAB) {
if (ebitmap_read(&p->type_attr_map[i], fp))
goto bad;
- ebitmap_for_each_positive_bit(&p->type_attr_map[i],
- tnode, j) {
- if (i == j)
+ ebitmap_for_each_bit(&p->type_attr_map[i],
+ tnode, j) {
+ if (!ebitmap_node_get_bit(tnode, j)
+ || i == j)
continue;
if (j >= p->p_types.nprim)
diff --git a/libsepol/src/services.c b/libsepol/src/services.c
index 303a138..d40793e 100644
--- a/libsepol/src/services.c
+++ b/libsepol/src/services.c
@@ -933,8 +933,12 @@
avkey.specified = AVTAB_AV;
sattr = &policydb->type_attr_map[scontext->type - 1];
tattr = &policydb->type_attr_map[tcontext->type - 1];
- ebitmap_for_each_positive_bit(sattr, snode, i) {
- ebitmap_for_each_positive_bit(tattr, tnode, j) {
+ ebitmap_for_each_bit(sattr, snode, i) {
+ if (!ebitmap_node_get_bit(snode, i))
+ continue;
+ ebitmap_for_each_bit(tattr, tnode, j) {
+ if (!ebitmap_node_get_bit(tnode, j))
+ continue;
avkey.source_type = i + 1;
avkey.target_type = j + 1;
for (node =
@@ -2190,10 +2194,14 @@
}
memset(mysids, 0, maxnel * sizeof(sepol_security_id_t));
- ebitmap_for_each_positive_bit(&user->roles.roles, rnode, i) {
+ ebitmap_for_each_bit(&user->roles.roles, rnode, i) {
+ if (!ebitmap_node_get_bit(rnode, i))
+ continue;
role = policydb->role_val_to_struct[i];
usercon.role = i + 1;
- ebitmap_for_each_positive_bit(&role->types.types, tnode, j) {
+ ebitmap_for_each_bit(&role->types.types, tnode, j) {
+ if (!ebitmap_node_get_bit(tnode, j))
+ continue;
usercon.type = j + 1;
if (usercon.type == fromcon->type)
continue;
diff --git a/libsepol/src/users.c b/libsepol/src/users.c
index b895b7f..1929399 100644
--- a/libsepol/src/users.c
+++ b/libsepol/src/users.c
@@ -37,10 +37,12 @@
goto err;
/* Extract roles */
- ebitmap_for_each_positive_bit(roles, rnode, bit) {
- char *role = policydb->p_role_val_to_name[bit];
- if (sepol_user_add_role(handle, tmp_record, role) < 0)
- goto err;
+ ebitmap_for_each_bit(roles, rnode, bit) {
+ if (ebitmap_node_get_bit(rnode, bit)) {
+ char *role = policydb->p_role_val_to_name[bit];
+ if (sepol_user_add_role(handle, tmp_record, role) < 0)
+ goto err;
+ }
}
/* Extract MLS info */
@@ -168,9 +170,12 @@
}
/* Set the role and every role it dominates */
- ebitmap_for_each_positive_bit(&roldatum->dominates, rnode, bit) {
- if (ebitmap_set_bit(&(usrdatum->roles.roles), bit, 1))
- goto omem;
+ ebitmap_for_each_bit(&roldatum->dominates, rnode, bit) {
+ if (ebitmap_node_get_bit(rnode, bit)) {
+ if (ebitmap_set_bit
+ (&(usrdatum->roles.roles), bit, 1))
+ goto omem;
+ }
}
}
diff --git a/libsepol/src/write.c b/libsepol/src/write.c
index dee7b4a..1fb3095 100644
--- a/libsepol/src/write.c
+++ b/libsepol/src/write.c
@@ -1759,8 +1759,9 @@
unsigned int i;
ebitmap_node_t *node;
- ebitmap_for_each_positive_bit(in, node, i) {
- if (i != SECCLASS_PROCESS - 1)
+ ebitmap_for_each_bit(in, node, i) {
+ if (ebitmap_node_get_bit(node, i) &&
+ i != SECCLASS_PROCESS - 1)
return 0;
}
return 1;
@@ -2182,11 +2183,13 @@
p->policy_type == POLICY_KERN) {
ebitmap_node_t *tnode;
- ebitmap_for_each_positive_bit(&p->permissive_map, tnode, i) {
- WARN(fp->handle, "Warning! Policy version %d cannot "
- "support permissive types, but some were defined",
- p->policyvers);
- break;
+ ebitmap_for_each_bit(&p->permissive_map, tnode, i) {
+ if (ebitmap_node_get_bit(tnode, i)) {
+ WARN(fp->handle, "Warning! Policy version %d cannot "
+ "support permissive types, but some were defined",
+ p->policyvers);
+ break;
+ }
}
}
diff --git a/libsepol/tests/test-common.c b/libsepol/tests/test-common.c
index e6619ed..8107403 100644
--- a/libsepol/tests/test-common.c
+++ b/libsepol/tests/test-common.c
@@ -197,19 +197,20 @@
CU_ASSERT_FATAL(role != NULL);
- ebitmap_for_each_positive_bit(&role->types.types, tnode, i) {
- new = 0;
- for (j = 0; j < len; j++) {
- if (strcmp(p->sym_val_to_name[SYM_TYPES][i], types[j]) == 0) {
- found++;
- new = 1;
+ ebitmap_for_each_bit(&role->types.types, tnode, i) {
+ if (ebitmap_node_get_bit(tnode, i)) {
+ new = 0;
+ for (j = 0; j < len; j++) {
+ if (strcmp(p->sym_val_to_name[SYM_TYPES][i], types[j]) == 0) {
+ found++;
+ new = 1;
+ }
}
+ if (new == 0) {
+ printf("\nRole %s had type %s not in types array\n", id, p->sym_val_to_name[SYM_TYPES][i]);
+ }
+ CU_ASSERT(new == 1);
}
- if (new == 0) {
- printf("\nRole %s had type %s not in types array\n",
- id, p->sym_val_to_name[SYM_TYPES][i]);
- }
- CU_ASSERT(new == 1);
}
CU_ASSERT(found == len);
if (found != len)
@@ -239,19 +240,20 @@
CU_ASSERT(attr->flavor == TYPE_ATTRIB);
CU_ASSERT(attr->primary == 1);
- ebitmap_for_each_positive_bit(&attr->types, tnode, i) {
- new = 0;
- for (j = 0; j < len; j++) {
- if (strcmp(p->sym_val_to_name[SYM_TYPES][i], types[j]) == 0) {
- found++;
- new = 1;
+ ebitmap_for_each_bit(&attr->types, tnode, i) {
+ if (ebitmap_node_get_bit(tnode, i)) {
+ new = 0;
+ for (j = 0; j < len; j++) {
+ if (strcmp(p->sym_val_to_name[SYM_TYPES][i], types[j]) == 0) {
+ found++;
+ new = 1;
+ }
}
+ if (new == 0) {
+ printf("\nattr %s had type %s not in types array\n", id, p->sym_val_to_name[SYM_TYPES][i]);
+ }
+ CU_ASSERT(new == 1);
}
- if (new == 0) {
- printf("\nattr %s had type %s not in types array\n",
- id, p->sym_val_to_name[SYM_TYPES][i]);
- }
- CU_ASSERT(new == 1);
}
CU_ASSERT(found == len);
if (found != len)
diff --git a/libsepol/tests/test-expander-users.c b/libsepol/tests/test-expander-users.c
index 9d9c7a6..f3b98a6 100644
--- a/libsepol/tests/test-expander-users.c
+++ b/libsepol/tests/test-expander-users.c
@@ -45,13 +45,15 @@
}
found = calloc(num_roles, sizeof(unsigned char));
CU_ASSERT_FATAL(found != NULL);
- ebitmap_for_each_positive_bit(&user->roles.roles, tnode, i) {
- extra++;
- for (j = 0; j < num_roles; j++) {
- if (strcmp(role_names[j], p->p_role_val_to_name[i]) == 0) {
- extra--;
- found[j] += 1;
- break;
+ ebitmap_for_each_bit(&user->roles.roles, tnode, i) {
+ if (ebitmap_node_get_bit(tnode, i)) {
+ extra++;
+ for (j = 0; j < num_roles; j++) {
+ if (strcmp(role_names[j], p->p_role_val_to_name[i]) == 0) {
+ extra--;
+ found[j] += 1;
+ break;
+ }
}
}
}
diff --git a/libsepol/tests/test-linker-roles.c b/libsepol/tests/test-linker-roles.c
index 6843252..c9e2f2b 100644
--- a/libsepol/tests/test-linker-roles.c
+++ b/libsepol/tests/test-linker-roles.c
@@ -58,9 +58,11 @@
unsigned int i;
int found = 0;
- ebitmap_for_each_positive_bit(&role->dominates, tnode, i) {
- found++;
- CU_ASSERT(i == role->s.value - 1);
+ ebitmap_for_each_bit(&role->dominates, tnode, i) {
+ if (ebitmap_node_get_bit(tnode, i)) {
+ found++;
+ CU_ASSERT(i == role->s.value - 1);
+ }
}
CU_ASSERT(found == 1);
}
diff --git a/policycoreutils/run_init/run_init.c b/policycoreutils/run_init/run_init.c
index a007ce4..4bc32b1 100644
--- a/policycoreutils/run_init/run_init.c
+++ b/policycoreutils/run_init/run_init.c
@@ -159,14 +159,6 @@
#include <shadow.h> /* for shadow passwd functions */
#include <string.h> /* for strlen(), memset() */
-/*
- * crypt() may not be defined in unistd.h; see:
- * http://man7.org/linux/man-pages/man3/crypt.3.html#NOTES
- */
-#if !defined(_XOPEN_CRYPT) || _XOPEN_CRYPT == -1
-#include <crypt.h>
-#endif
-
#define PASSWORD_PROMPT _("Password:") /* prompt for getpass() */
int authenticate_via_shadow_passwd(const struct passwd *);
diff --git a/policycoreutils/setsebool/setsebool.c b/policycoreutils/setsebool/setsebool.c
index 9d8abfa..a5157ef 100644
--- a/policycoreutils/setsebool/setsebool.c
+++ b/policycoreutils/setsebool/setsebool.c
@@ -77,7 +77,7 @@
/* Add 1 for the '=' */
len = strlen(argv[optind]) + strlen(argv[optind + 1]) + 2;
bool_list[0] = (char *)malloc(len);
- if (bool_list[0] == NULL) {
+ if (bool_list[0] == 0) {
fputs("Out of memory - aborting\n", stderr);
return 1;
}
@@ -133,8 +133,8 @@
goto err;
}
- if (!verbose) {
- semanage_msg_set_callback(handle, NULL, NULL);
+ if (! verbose) {
+ semanage_msg_set_callback(handle,NULL, NULL);
}
managed = semanage_is_managed(handle);
@@ -175,9 +175,9 @@
goto err;
semanage_bool_exists(handle, bool_key, &result);
- if (!result) {
+ if ( !result ) {
semanage_bool_exists_local(handle, bool_key, &result);
- if (!result) {
+ if ( !result ) {
fprintf(stderr, "Boolean %s is not defined\n", boollist[j].name);
goto err;
}
@@ -230,13 +230,13 @@
while (i < end) {
name = list[i];
value_ptr = strchr(list[i], '=');
- if (value_ptr == NULL) {
+ if (value_ptr == 0) {
fprintf(stderr,
"setsebool: '=' not found in boolean expression %s\n",
list[i]);
goto err;
}
- *value_ptr = '\0';
+ *value_ptr = 0;
value_ptr++;
if (strcmp(value_ptr, "1") == 0 ||
strcasecmp(value_ptr, "true") == 0 ||
@@ -278,7 +278,7 @@
while (i < end) {
name = list[i];
value_ptr = strchr(name, '=');
- *value_ptr = '\0';
+ *value_ptr = 0;
value_ptr++;
if (pwd && pwd->pw_name)
syslog(LOG_NOTICE,
diff --git a/python/semanage/ru/semanage.8 b/python/semanage/ru/semanage.8
index f88568e..85d8e24 100644
--- a/python/semanage/ru/semanage.8
+++ b/python/semanage/ru/semanage.8
@@ -50,7 +50,7 @@
Управлять определениями типов конечных портов infiniband
.SH "ОПИСАНИЕ"
-semanage используется для настройки определённых элементов политики SELinux без необходимости изменения или перекомпиляции исходного текста политики. Это включает сопоставление имён пользователей Linux с пользователями SELinux (что управляет исходным контекстом безопасности, который присваивается пользователям Linux при их входе в систему, и ограничивает доступный им набор ролей). Также это включает сопоставление контекстов безопасности для различных видов объектов, таких как сетевые порты, интерфейсы, ключи разделов (pkeys) и конечные порты (endports) infiniband, сетевые узлы (хосты), а также сопоставление контекстов файлов. Обратите внимание, что при вызове команды semanage login пользователи Linux (logins) сопоставляются с пользователями SELinux, а при вызове команды semanage user пользователи SELinux сопоставляются с доступными наборами ролей. В большинстве случаев администратору требуется настроить только первый тип сопоставлений; второй тип сопоставлений определяется базовой политикой и обычно не требует изменения.
+semanage используется для настройки определённых элементов политики SELinux без необходимости изменения или перекомпиляции исходного текста политики. Это включает сопоставление имён пользователей Linux с пользователями SELinux (что управляет исходным контекстом безопасности, который присваивается пользователям Linux при их входе в систему, и ограничивает доступный им набор ролей). Также это включает сопоставление контекстов безопасности для различных видов объектов, таких как сетевые порты, интерфейсы, ключи разделов (pkeys) и конечные порты (endports) infiniband, сетевые узлы (хосты), а также сопоставление контекстов файлов. В разделе ПРИМЕРЫ приведены примеры обычного использования этой утилиты. Обратите внимание, что при вызове команды semanage login пользователи Linux (logins) сопоставляются с пользователями SELinux, а при вызове команды semanage user пользователи SELinux сопоставляются с доступными наборами ролей. В большинстве случаев администратору требуется настроить только первый тип сопоставлений; второй тип сопоставлений определяется базовой политикой и обычно не требует изменения.
.SH "ПАРАМЕТРЫ"
.TP
diff --git a/python/semanage/semanage-boolean.8 b/python/semanage/semanage-boolean.8
index 1282d10..99a6260 100644
--- a/python/semanage/semanage-boolean.8
+++ b/python/semanage/semanage-boolean.8
@@ -45,7 +45,7 @@
.SH EXAMPLE
.nf
-Turn on the apache can send mail boolean
+Turn on the apache can send mail boolan
# semanage boolean \-m \-\-on httpd_can_sendmail
List customized booleans
diff --git a/secilc/Android.bp b/secilc/Android.bp
index 597058b..75597db 100644
--- a/secilc/Android.bp
+++ b/secilc/Android.bp
@@ -16,6 +16,12 @@
// and /system/lib/libc.so point to the mount points where nothing
// is mounted on yet. Therefore, secilc has to have explicit knowledge about
// the paths where the bootstrap Bionic is. bootstrap:true sets DT_INTERP to
- // /system/bin/bootstrap/linker.
+ // /system/bin/bootstrap/linker. RPATH is explicitly set to /system/lib/bootstrap
+ // where the bootstrap libc.so is.
bootstrap: true,
+ target: {
+ android: {
+ ldflags: ["-Wl,--rpath,/system/${LIB}/bootstrap"],
+ },
+ },
}
