diff options
Diffstat (limited to 'src/mapping.c')
-rw-r--r-- | src/mapping.c | 210 |
1 files changed, 0 insertions, 210 deletions
diff --git a/src/mapping.c b/src/mapping.c deleted file mode 100644 index f205804..0000000 --- a/src/mapping.c +++ /dev/null @@ -1,210 +0,0 @@ -/* - * Class and permission mappings. - */ - -#include <errno.h> -#include <stdio.h> -#include <stdlib.h> -#include <stdarg.h> -#include <selinux/selinux.h> -#include <selinux/avc.h> -#include "mapping.h" - -/* - * Class and permission mappings - */ - -struct selinux_mapping { - security_class_t value; /* real, kernel value */ - unsigned num_perms; - access_vector_t perms[sizeof(access_vector_t) * 8]; -}; - -static struct selinux_mapping *current_mapping = NULL; -static security_class_t current_mapping_size = 0; - -/* - * Mapping setting function - */ - -int -selinux_set_mapping(struct security_class_mapping *map) -{ - size_t size = sizeof(struct selinux_mapping); - security_class_t i, j; - unsigned k; - - free(current_mapping); - current_mapping = NULL; - current_mapping_size = 0; - - if (avc_reset() < 0) - goto err; - - /* Find number of classes in the input mapping */ - if (!map) { - errno = EINVAL; - goto err; - } - i = 0; - while (map[i].name) - i++; - - /* Allocate space for the class records, plus one for class zero */ - current_mapping = (struct selinux_mapping *)calloc(++i, size); - if (!current_mapping) - goto err; - - /* Store the raw class and permission values */ - j = 0; - while (map[j].name) { - struct security_class_mapping *p_in = map + (j++); - struct selinux_mapping *p_out = current_mapping + j; - - p_out->value = string_to_security_class(p_in->name); - if (!p_out->value) - goto err2; - - k = 0; - while (p_in->perms[k]) { - /* An empty permission string skips ahead */ - if (!*p_in->perms[k]) { - k++; - continue; - } - p_out->perms[k] = string_to_av_perm(p_out->value, - p_in->perms[k]); - if (!p_out->perms[k]) - goto err2; - k++; - } - p_out->num_perms = k; - } - - /* Set the mapping size here so the above lookups are "raw" */ - current_mapping_size = i; - return 0; -err2: - free(current_mapping); - current_mapping = NULL; - current_mapping_size = 0; -err: - return -1; -} - -/* - * Get real, kernel values from mapped values - */ - -security_class_t -unmap_class(security_class_t tclass) -{ - if (tclass < current_mapping_size) - return current_mapping[tclass].value; - - /* If here no mapping set or the class requested is not valid. */ - if (current_mapping_size != 0) { - errno = EINVAL; - return 0; - } - else - return tclass; -} - -access_vector_t -unmap_perm(security_class_t tclass, access_vector_t tperm) -{ - if (tclass < current_mapping_size) { - unsigned i; - access_vector_t kperm = 0; - - for (i=0; i<current_mapping[tclass].num_perms; i++) - if (tperm & (1<<i)) { - kperm |= current_mapping[tclass].perms[i]; - tperm &= ~(1<<i); - } - return kperm; - } - - /* If here no mapping set or the perm requested is not valid. */ - if (current_mapping_size != 0) { - errno = EINVAL; - return 0; - } - else - return tperm; -} - -/* - * Get mapped values from real, kernel values - */ - -security_class_t -map_class(security_class_t kclass) -{ - security_class_t i; - - for (i=0; i<current_mapping_size; i++) - if (current_mapping[i].value == kclass) - return i; - -/* If here no mapping set or the class requested is not valid. */ - if (current_mapping_size != 0) { - errno = EINVAL; - return 0; - } - else - return kclass; -} - -access_vector_t -map_perm(security_class_t tclass, access_vector_t kperm) -{ - if (tclass < current_mapping_size) { - unsigned i; - access_vector_t tperm = 0; - - for (i=0; i<current_mapping[tclass].num_perms; i++) - if (kperm & current_mapping[tclass].perms[i]) { - tperm |= 1<<i; - kperm &= ~current_mapping[tclass].perms[i]; - } - - if (tperm == 0) { - errno = EINVAL; - return 0; - } - else - return tperm; - } - return kperm; -} - -void -map_decision(security_class_t tclass, struct av_decision *avd) -{ - if (tclass < current_mapping_size) { - unsigned i; - access_vector_t result; - - for (i=0, result=0; i<current_mapping[tclass].num_perms; i++) - if (avd->allowed & current_mapping[tclass].perms[i]) - result |= 1<<i; - avd->allowed = result; - - for (i=0, result=0; i<current_mapping[tclass].num_perms; i++) - if (avd->decided & current_mapping[tclass].perms[i]) - result |= 1<<i; - avd->decided = result; - - for (i=0, result=0; i<current_mapping[tclass].num_perms; i++) - if (avd->auditallow & current_mapping[tclass].perms[i]) - result |= 1<<i; - avd->auditallow = result; - - for (i=0, result=0; i<current_mapping[tclass].num_perms; i++) - if (avd->auditdeny & current_mapping[tclass].perms[i]) - result |= 1<<i; - avd->auditdeny = result; - } -} |