#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <inttypes.h>
#include <sys/types.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#ifndef IPPROTO_DCCP
#define IPPROTO_DCCP 33
#endif
#ifndef IPPROTO_SCTP
#define IPPROTO_SCTP 132
#endif
#include <sepol/policydb/avtab.h>
#include <sepol/policydb/conditional.h>
#include <sepol/policydb/flask.h>
#include <sepol/policydb/hashtab.h>
#include <sepol/policydb/polcaps.h>
#include <sepol/policydb/policydb.h>
#include <sepol/policydb/services.h>
#include <sepol/policydb/util.h>
#include "kernel_to_common.h"
static char *cond_expr_to_str(struct policydb *pdb, struct cond_expr *expr)
{
struct cond_expr *curr;
struct strs *stack;
char *new_val;
char *str = NULL;
int rc;
rc = strs_stack_init(&stack);
if (rc != 0) {
goto exit;
}
for (curr = expr; curr != NULL; curr = curr->next) {
if (curr->expr_type == COND_BOOL) {
char *val1 = pdb->p_bool_val_to_name[curr->bool - 1];
new_val = create_str("%s", 1, val1);
} else {
const char *op;
uint32_t num_params;
char *val1 = NULL;
char *val2 = NULL;
switch(curr->expr_type) {
case COND_NOT: op = "!"; num_params = 1; break;
case COND_OR: op = "||"; num_params = 2; break;
case COND_AND: op = "&&"; num_params = 2; break;
case COND_XOR: op = "^"; num_params = 2; break;
case COND_EQ: op = "=="; num_params = 2; break;
case COND_NEQ: op = "!="; num_params = 2; break;
default:
sepol_log_err("Unknown conditional operator: %i", curr->expr_type);
goto exit;
}
if (num_params == 2) {
val2 = strs_stack_pop(stack);
if (!val2) {
sepol_log_err("Invalid conditional expression");
goto exit;
}
}
val1 = strs_stack_pop(stack);
if (!val1) {
sepol_log_err("Invalid conditional expression");
free(val2);
goto exit;
}
if (num_params == 2) {
new_val = create_str("(%s %s %s)", 3, val1, op, val2);
free(val2);
} else {
new_val = create_str("%s %s", 2, op, val1);
}
free(val1);
}
if (!new_val) {
sepol_log_err("Invalid conditional expression");
goto exit;
}
rc = strs_stack_push(stack, new_val);
if (rc != 0) {
sepol_log_err("Out of memory");
goto exit;
}
}
new_val = strs_stack_pop(stack);
if (!new_val || !strs_stack_empty(stack)) {
sepol_log_err("Invalid conditional expression");
goto exit;
}
str = new_val;
strs_stack_destroy(&stack);
return str;
exit:
while ((new_val = strs_stack_pop(stack)) != NULL) {
free(new_val);
}
strs_stack_destroy(&stack);
return NULL;
}
static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr *expr, int *use_mls)
{
struct constraint_expr *curr;
struct strs *stack = NULL;
char *new_val = NULL;
const char *op;
char *str = NULL;
int rc;
*use_mls = 0;
rc = strs_stack_init(&stack);
if (rc != 0) {
goto exit;
}
for (curr = expr; curr; curr = curr->next) {
if (curr->expr_type == CEXPR_ATTR || curr->expr_type == CEXPR_NAMES) {
const char *attr1 = NULL;
const char *attr2 = NULL;
switch (curr->op) {
case CEXPR_EQ: op = "=="; break;
case CEXPR_NEQ: op = "!="; break;
case CEXPR_DOM: op = "dom"; break;
case CEXPR_DOMBY: op = "domby"; break;
case CEXPR_INCOMP: op = "incomp"; break;
default:
sepol_log_err("Unknown constraint operator: %i", curr->op);
goto exit;
}
switch (curr->attr) {
case CEXPR_USER: attr1 ="u1"; attr2 ="u2"; break;
case CEXPR_USER | CEXPR_TARGET: attr1 ="u2"; attr2 =""; break;
case CEXPR_USER | CEXPR_XTARGET: attr1 ="u3"; attr2 =""; break;
case CEXPR_ROLE: attr1 ="r1"; attr2 ="r2"; break;
case CEXPR_ROLE | CEXPR_TARGET: attr1 ="r2"; attr2 =""; break;
case CEXPR_ROLE | CEXPR_XTARGET: attr1 ="r3"; attr2 =""; break;
case CEXPR_TYPE: attr1 ="t1"; attr2 ="t2"; break;
case CEXPR_TYPE | CEXPR_TARGET: attr1 ="t2"; attr2 =""; break;
case CEXPR_TYPE | CEXPR_XTARGET: attr1 ="t3"; attr2 =""; break;
case CEXPR_L1L2: attr1 ="l1"; attr2 ="l2"; break;
case CEXPR_L1H2: attr1 ="l1"; attr2 ="h2"; break;
case CEXPR_H1L2: attr1 ="h1"; attr2 ="l2"; break;
case CEXPR_H1H2: attr1 ="h1"; attr2 ="h2"; break;
case CEXPR_L1H1: attr1 ="l1"; attr2 ="h1"; break;
case CEXPR_L2H2: attr1 ="l2"; attr2 ="h2"; break;
default:
sepol_log_err("Unknown constraint attribute: %i", curr->attr);
goto exit;
}
if (curr->attr >= CEXPR_XTARGET) {
*use_mls = 1;
}
if (curr->expr_type == CEXPR_ATTR) {
new_val = create_str("%s %s %s", 3, attr1, op, attr2);
} else {
char *names = NULL;
if (curr->attr & CEXPR_TYPE) {
struct type_set *ts = curr->type_names;
names = ebitmap_to_str(&ts->types, pdb->p_type_val_to_name, 1);
} else if (curr->attr & CEXPR_USER) {
names = ebitmap_to_str(&curr->names, pdb->p_user_val_to_name, 1);
} else if (curr->attr & CEXPR_ROLE) {
names = ebitmap_to_str(&curr->names, pdb->p_role_val_to_name, 1);
}
if (!names) {
goto exit;
}
new_val = create_str("%s %s %s", 3, attr1, op, names);
free(names);
}
} else {
uint32_t num_params;
char *val1 = NULL;
char *val2 = NULL;
switch (curr->expr_type) {
case CEXPR_NOT: op = "not"; num_params = 1; break;
case CEXPR_AND: op = "and"; num_params = 2; break;
case CEXPR_OR: op = "or"; num_params = 2; break;
default:
sepol_log_err("Unknown constraint expression type: %i", curr->expr_type);
goto exit;
}
if (num_params == 2) {
val2 = strs_stack_pop(stack);
if (!val2) {
sepol_log_err("Invalid constraint expression");
goto exit;
}
}
val1 = strs_stack_pop(stack);
if (!val1) {
sepol_log_err("Invalid constraint expression");
goto exit;
}
if (num_params == 2) {
new_val = create_str("(%s %s %s)", 3, val1, op, val2);
free(val2);
} else {
new_val = create_str("%s (%s)", 2, op, val1);
}
free(val1);
}
if (!new_val) {
goto exit;
}
rc = strs_stack_push(stack, new_val);
if (rc != 0) {
sepol_log_err("Out of memory");
goto exit;
}
}
new_val = strs_stack_pop(stack);
if (!new_val || !strs_stack_empty(stack)) {
sepol_log_err("Invalid constraint expression");
goto exit;
}
str = new_val;
strs_stack_destroy(&stack);
return str;
exit:
while ((new_val = strs_stack_pop(stack)) != NULL) {
free(new_val);
}
strs_stack_destroy(&stack);
return NULL;
}
static int class_constraint_rules_to_strs(struct policydb *pdb, char *classkey,
class_datum_t *class,
struct constraint_node *constraint_rules,
struct strs *mls_list,
struct strs *non_mls_list)
{
struct constraint_node *curr;
struct strs *strs;
const char *format_str, *flavor;
char *perms, *expr;
int is_mls;
int rc = 0;
for (curr = constraint_rules; curr != NULL; curr = curr->next) {
expr = constraint_expr_to_str(pdb, curr->expr, &is_mls);
if (!expr) {
rc = -1;
goto exit;
}
perms = sepol_av_to_string(pdb, class->s.value, curr->permissions);
if (strchr(perms, ' ')) {
format_str = "%s %s { %s } %s;";
} else {
format_str = "%s %s %s %s";
}
if (is_mls) {
flavor = "mlsconstrain";
strs = mls_list;
} else {
flavor = "constrain";
strs = non_mls_list;
}
rc = strs_create_and_add(strs, format_str, 4,
flavor, classkey, perms+1, expr);
free(expr);
if (rc != 0) {
goto exit;
}
}
return 0;
exit:
sepol_log_err("Error gathering constraint rules\n");
return rc;
}
static int class_validatetrans_rules_to_strs(struct policydb *pdb, char *classkey,
struct constraint_node *validatetrans_rules,
struct strs *mls_list,
struct strs *non_mls_list)
{
struct constraint_node *curr;
struct strs *strs;
const char *flavor;
char *expr;
int is_mls;
int rc = 0;
for (curr = validatetrans_rules; curr != NULL; curr = curr->next) {
expr = constraint_expr_to_str(pdb, curr->expr, &is_mls);
if (!expr) {
rc = -1;
goto exit;
}
if (is_mls) {
flavor = "mlsvalidatetrans";
strs = mls_list;
} else {
flavor = "validatetrans";
strs = non_mls_list;
}
rc = strs_create_and_add(strs, "%s %s %s;", 3, flavor, classkey, expr);
free(expr);
if (rc != 0) {
goto exit;
}
}
exit:
return rc;
}
static int constraint_rules_to_strs(struct policydb *pdb, struct strs *mls_strs, struct strs *non_mls_strs)
{
class_datum_t *class;
char *name;
unsigned i;
int rc = 0;
for (i=0; i < pdb->p_classes.nprim; i++) {
class = pdb->class_val_to_struct[i];
if (class->constraints) {
name = pdb->p_class_val_to_name[i];
rc = class_constraint_rules_to_strs(pdb, name, class, class->constraints, mls_strs, non_mls_strs);
if (rc != 0) {
goto exit;
}
}
}
strs_sort(mls_strs);
strs_sort(non_mls_strs);
exit:
return rc;
}
static int validatetrans_rules_to_strs(struct policydb *pdb, struct strs *mls_strs, struct strs *non_mls_strs)
{
class_datum_t *class;
char *name;
unsigned i;
int rc = 0;
for (i=0; i < pdb->p_classes.nprim; i++) {
class = pdb->class_val_to_struct[i];
if (class->validatetrans) {
name = pdb->p_class_val_to_name[i];
rc = class_validatetrans_rules_to_strs(pdb, name, class->validatetrans, mls_strs, non_mls_strs);
if (rc != 0) {
goto exit;
}
}
}
strs_sort(mls_strs);
strs_sort(non_mls_strs);
exit:
return rc;
}
static int write_handle_unknown_to_conf(FILE *out, struct policydb *pdb)
{
const char *action;
switch (pdb->handle_unknown) {
case SEPOL_DENY_UNKNOWN:
action = "deny";
break;
case SEPOL_REJECT_UNKNOWN:
action = "reject";
break;
case SEPOL_ALLOW_UNKNOWN:
action = "allow";
break;
default:
sepol_log_err("Unknown value for handle-unknown: %i", pdb->handle_unknown);
return -1;
}
sepol_printf(out, "# handle_unknown %s\n", action);
return 0;
}
static int write_class_decl_rules_to_conf(FILE *out, struct policydb *pdb)
{
char *name;
unsigned i;
for (i=0; i < pdb->p_classes.nprim; i++) {
name = pdb->p_class_val_to_name[i];
sepol_printf(out, "class %s\n", name);
}
return 0;
}
static int write_sids_to_conf(FILE *out, const char *const *sid_to_str,
unsigned num_sids, struct ocontext *isids)
{
struct ocontext *isid;
struct strs *strs;
char *sid;
char unknown[18];
unsigned i;
int rc;
rc = strs_init(&strs, num_sids+1);
if (rc != 0) {
goto exit;
}
for (isid = isids; isid != NULL; isid = isid->next) {
i = isid->sid[0];
if (i < num_sids) {
sid = (char *)sid_to_str[i];
} else {
snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
sid = strdup(unknown);
}
rc = strs_add_at_index(strs, sid, i);
if (rc != 0) {
goto exit;
}
}
for (i=0; i<strs_num_items(strs); i++) {
sid = strs_read_at_index(strs, i);
if (!sid) {
continue;
}
sepol_printf(out, "sid %s\n", sid);
}
exit:
for (i=num_sids; i<strs_num_items(strs); i++) {
sid = strs_read_at_index(strs, i);
free(sid);
}
strs_destroy(&strs);
if (rc != 0) {
sepol_log_err("Error writing sid rules to policy.conf\n");
}
return rc;
}
static int write_sid_decl_rules_to_conf(FILE *out, struct policydb *pdb)
{
int rc = 0;
if (pdb->target_platform == SEPOL_TARGET_SELINUX) {
rc = write_sids_to_conf(out, selinux_sid_to_str, SELINUX_SID_SZ,
pdb->ocontexts[0]);
} else if (pdb->target_platform == SEPOL_TARGET_XEN) {
rc = write_sids_to_conf(out, xen_sid_to_str, XEN_SID_SZ,
pdb->ocontexts[0]);
} else {
sepol_log_err("Unknown target platform: %i", pdb->target_platform);
rc = -1;
}
return rc;
}
static char *class_or_common_perms_to_str(symtab_t *permtab)
{
struct strs *strs;
char *perms = NULL;
int rc = 0;
rc = strs_init(&strs, permtab->nprim);
if (rc != 0) {
goto exit;
}
rc = hashtab_map(permtab->table, hashtab_ordered_to_strs, strs);
if (rc != 0) {
goto exit;
}
if (strs_num_items(strs) > 0) {
perms = strs_to_str(strs);
}
exit:
strs_destroy(&strs);
return perms;
}
static int write_class_and_common_rules_to_conf(FILE *out, struct policydb *pdb)
{
class_datum_t *class;
common_datum_t *common;
int *used;
char *name, *perms;
unsigned i;
int rc = 0;
/* common */
used = calloc(pdb->p_commons.nprim, sizeof(*used));
if (!used) {
sepol_log_err("Out of memory");
rc = -1;
goto exit;
}
for (i=0; i < pdb->p_classes.nprim; i++) {
class = pdb->class_val_to_struct[i];
name = class->comkey;
if (!name) continue;
common = hashtab_search(pdb->p_commons.table, name);
if (!common) {
rc = -1;
free(used);
goto exit;
}
/* Only write common rule once */
if (!used[common->s.value-1]) {
perms = class_or_common_perms_to_str(&common->permissions);
if (!perms) {
rc = -1;
free(used);
goto exit;
}
sepol_printf(out, "common %s { %s }\n", name, perms);
free(perms);
used[common->s.value-1] = 1;
}
}
free(used);
/* class */
for (i=0; i < pdb->p_classes.nprim; i++) {
class = pdb->class_val_to_struct[i];
name = pdb->p_class_val_to_name[i];
sepol_printf(out, "class %s", name);
if (class->comkey) {
sepol_printf(out, " inherits %s", class->comkey);
}
perms = class_or_common_perms_to_str(&class->permissions);
if (perms) {
sepol_printf(out, " { %s }", perms);
free(perms);
}
sepol_printf(out, "\n");
}
exit:
if (rc != 0) {
sepol_log_err("Error writing class rules to policy.conf\n");
}
return rc;
}
static int write_default_user_to_conf(FILE *out, char *class_name, class_datum_t *class)
{
const char *dft;
switch (class->default_user) {
case DEFAULT_SOURCE:
dft = "source";
break;
case DEFAULT_TARGET:
dft = "target";
break;
default:
sepol_log_err("Unknown default role value: %i", class->default_user);
return -1;
}
sepol_printf(out, "default_user { %s } %s;\n", class_name, dft);
return 0;
}
static int write_default_role_to_conf(FILE *out, char *class_name, class_datum_t *class)
{
const char *dft;
switch (class->default_role) {
case DEFAULT_SOURCE:
dft = "source";
break;
case DEFAULT_TARGET:
dft = "target";
break;
default:
sepol_log_err("Unknown default role value: %i", class->default_role);
return -1;
}
sepol_printf(out, "default_role { %s } %s;\n", class_name, dft);
return 0;
}
static int write_default_type_to_conf(FILE *out, char *class_name, class_datum_t *class)
{
const char *dft;
switch (class->default_type) {
case DEFAULT_SOURCE:
dft = "source";
break;
case DEFAULT_TARGET:
dft = "target";
break;
default:
sepol_log_err("Unknown default type value: %i", class->default_type);
return -1;
}
sepol_printf(out, "default_type { %s } %s;\n", class_name, dft);
return 0;
}
static int write_default_range_to_conf(FILE *out, char *class_name, class_datum_t *class)
{
const char *dft;
switch (class->default_range) {
case DEFAULT_SOURCE_LOW:
dft = "source low";
break;
case DEFAULT_SOURCE_HIGH:
dft = "source high";
break;
case DEFAULT_SOURCE_LOW_HIGH:
dft = "source low-high";
break;
case DEFAULT_TARGET_LOW:
dft = "target low";
break;
case DEFAULT_TARGET_HIGH:
dft = "target high";
break;
case DEFAULT_TARGET_LOW_HIGH:
dft = "target low-high";
break;
default:
sepol_log_err("Unknown default type value: %i", class->default_range);
return -1;
}
sepol_printf(out, "default_range { %s } %s;\n", class_name, dft);
return 0;
}
static int write_default_rules_to_conf(FILE *out, struct policydb *pdb)
{
class_datum_t *class;
unsigned i;
int rc = 0;
/* default_user */
for (i=0; i < pdb->p_classes.nprim; i++) {
class = pdb->class_val_to_struct[i];
if (class->default_user != 0) {
rc = write_default_user_to_conf(out, pdb->p_class_val_to_name[i], class);
if (rc != 0) {
goto exit;
}
}
}
/* default_role */
for (i=0; i < pdb->p_classes.nprim; i++) {
class = pdb->class_val_to_struct[i];
if (class->default_role != 0) {
rc = write_default_role_to_conf(out, pdb->p_class_val_to_name[i], class);
if (rc != 0) {
goto exit;
}
}
}
/* default_type */
for (i=0; i < pdb->p_classes.nprim; i++) {
class = pdb->class_val_to_struct[i];
if (class->default_type != 0) {
rc = write_default_type_to_conf(out, pdb->p_class_val_to_name[i], class);
if (rc != 0) {
goto exit;
}
}
}
if (!pdb->mls) {
return 0;
}
/* default_range */
for (i=0; i < pdb->p_classes.nprim; i++) {
class = pdb->class_val_to_struct[i];
if (class->default_range != 0) {
rc = write_default_range_to_conf(out, pdb->p_class_val_to_name[i], class);
if (rc != 0) {
goto exit;
}
}
}
exit:
if (rc != 0) {
sepol_log_err("Error writing default rules to policy.conf\n");
}
return rc;
}
static int map_sensitivity_aliases_to_strs(char *key, void *data, void *args)
{
level_datum_t *sens = data;
struct strs *strs = args;
int rc = 0;
if (sens->isalias) {
rc = strs_add(strs, key);
}
return rc;
}
static int write_sensitivity_rules_to_conf(FILE *out, struct policydb *pdb)
{
level_datum_t *level;
struct strs *strs;
char **sens_alias_map = NULL;
char *name, *prev, *alias;
unsigned i, j, num;
int rc = 0;
rc = strs_init(&strs, pdb->p_levels.nprim);
if (rc != 0) {
goto exit;
}
rc = hashtab_map(pdb->p_levels.table, map_sensitivity_aliases_to_strs, strs);
if (rc != 0) {
goto exit;
}
num = strs_num_items(strs);
if (num > 0) {
sens_alias_map = calloc(sizeof(*sens_alias_map), pdb->p_levels.nprim);
if (!sens_alias_map) {
rc = -1;
goto exit;
}
/* map aliases to sensitivities */
for (i=0; i < num; i++) {
name = strs_read_at_index(strs, i);
level = hashtab_search(pdb->p_levels.table, name);
if (!level) {
rc = -1;
goto exit;
}
j = level->level->sens - 1;
if (!sens_alias_map[j]) {
sens_alias_map[j] = strdup(name);
} else {
alias = sens_alias_map[j];
sens_alias_map[j] = create_str("%s %s", 2, alias, name);
free(alias);
if (!sens_alias_map[j]) {
rc = -1;
goto exit;
}
}
}
}
/* sensitivities */
for (i=0; i < pdb->p_levels.nprim; i++) {
name = pdb->p_sens_val_to_name[i];
if (!name) continue;
level = hashtab_search(pdb->p_levels.table, name);
if (!level) {
rc = -1;
goto exit;
}
if (level->isalias) continue;
if (sens_alias_map && sens_alias_map[i]) {
alias = sens_alias_map[i];
if (strchr(alias, ' ')) {
sepol_printf(out, "sensitivity %s alias { %s };\n", name, alias);
} else {
sepol_printf(out, "sensitivity %s alias %s;\n", name, alias);
}
} else {
sepol_printf(out, "sensitivity %s;\n", name);
}
}
/* dominance */
sepol_printf(out, "dominance { ");
prev = NULL;
for (i=0; i < pdb->p_levels.nprim; i++) {
name = pdb->p_sens_val_to_name[i];
if (!name) continue;
level = hashtab_search(pdb->p_levels.table, name);
if (!level) {
rc = -1;
goto exit;
}
if (level->isalias) continue;
if (prev) {
sepol_printf(out, "%s ", prev);
}
prev = name;
}
if (prev) {
sepol_printf(out, "%s", prev);
}
sepol_printf(out, " }\n");
exit:
if (sens_alias_map) {
for (i=0; i < pdb->p_levels.nprim; i++) {
free(sens_alias_map[i]);
}
free(sens_alias_map);
}
strs_destroy(&strs);
if (rc != 0) {
sepol_log_err("Error writing sensitivity rules to CIL\n");
}
return rc;
}
static int map_category_aliases_to_strs(char *key, void *data, void *args)
{
cat_datum_t *cat = data;
struct strs *strs = args;
int rc = 0;
if (cat->isalias) {
rc = strs_add(strs, key);
}
return rc;
}
static int write_category_rules_to_conf(FILE *out, struct policydb *pdb)
{
cat_datum_t *cat;
struct strs *strs;
char **cat_alias_map = NULL;
char *name, *alias;
unsigned i, j, num;
int rc = 0;
rc = strs_init(&strs, pdb->p_levels.nprim);
if (rc != 0) {
goto exit;
}
rc = hashtab_map(pdb->p_cats.table, map_category_aliases_to_strs, strs);
if (rc != 0) {
goto exit;
}
num = strs_num_items(strs);
if (num > 0) {
cat_alias_map = calloc(sizeof(*cat_alias_map), pdb->p_cats.nprim);
if (!cat_alias_map) {
rc = -1;
goto exit;
}
/* map aliases to categories */
for (i=0; i < num; i++) {
name = strs_read_at_index(strs, i);
cat = hashtab_search(pdb->p_cats.table, name);
if (!cat) {
rc = -1;
goto exit;
}
j = cat->s.value - 1;
if (!cat_alias_map[j]) {
cat_alias_map[j] = strdup(name);
} else {
alias = cat_alias_map[j];
cat_alias_map[j] = create_str("%s %s", 2, alias, name);
free(alias);
if (!cat_alias_map[j]) {
rc = -1;
goto exit;
}
}
}
}
/* categories */
for (i=0; i < pdb->p_cats.nprim; i++) {
name = pdb->p_cat_val_to_name[i];
if (!name) continue;
cat = hashtab_search(pdb->p_cats.table, name);
if (!cat) {
rc = -1;
goto exit;
}
if (cat->isalias) continue;
if (cat_alias_map && cat_alias_map[i]) {
alias = cat_alias_map[i];
if (strchr(alias, ' ')) {
sepol_printf(out, "category %s alias { %s };\n", name, alias);
} else {
sepol_printf(out, "category %s alias %s;\n", name, alias);
}
} else {
sepol_printf(out, "category %s;\n", name);
}
}
exit:
if (cat_alias_map) {
for (i=0; i < pdb->p_cats.nprim; i++) {
free(cat_alias_map[i]);
}
free(cat_alias_map);
}
strs_destroy(&strs);
if (rc != 0) {
sepol_log_err("Error writing category rules to policy.conf\n");
}
return rc;
}
static size_t cats_ebitmap_len(struct ebitmap *cats, char **val_to_name)
{
struct ebitmap_node *node;
uint32_t i, start, range;
size_t len = 0;
range = 0;
ebitmap_for_each_bit(cats, node, i) {
if (!ebitmap_get_bit(cats, i))
continue;
if (range == 0)
start = i;
range++;
if (ebitmap_get_bit(cats, i+1))
continue;
len += strlen(val_to_name[start]) + 1;
if (range > 1) {
len += strlen(val_to_name[i]) + 1;
}
range = 0;
}
return len;
}
static char *cats_ebitmap_to_str(struct ebitmap *cats, char **val_to_name)
{
struct ebitmap_node *node;
uint32_t i, start, range, first;
char *catsbuf, *p;
const char *fmt;
char sep;
int len, remaining;
remaining = (int)cats_ebitmap_len(cats, val_to_name);
catsbuf = malloc(remaining);
if (!catsbuf) {
goto exit;
}
p = catsbuf;
first = 1;
range = 0;
ebitmap_for_each_bit(cats, node, i) {
if (!ebitmap_get_bit(cats, i))
continue;
if (range == 0)
start = i;
range++;
if (ebitmap_get_bit(cats, i+1))
continue;
if (range > 1) {
sep = (range == 2) ? ',' : '.';
fmt = first ? "%s%c%s" : ",%s%c%s";
len = snprintf(p, remaining, fmt,
val_to_name[start], sep, val_to_name[i]);
} else {
fmt = first ? "%s" : ",%s";
len = snprintf(p, remaining, fmt, val_to_name[start]);
}
if (len < 0 || len >= remaining) {
goto exit;
}
p += len;
remaining -= len;
first = 0;
range = 0;
}
*p = '\0';
return catsbuf;
exit:
free(catsbuf);
return NULL;
}
static int write_level_rules_to_conf(FILE *out, struct policydb *pdb)
{
level_datum_t *level;
char *name, *cats;
unsigned i;
int rc = 0;
for (i=0; i < pdb->p_levels.nprim; i++) {
name = pdb->p_sens_val_to_name[i];
if (!name) continue;
level = hashtab_search(pdb->p_levels.table, name);
if (!level) {
rc = -1;
goto exit;
}
if (level->isalias) continue;
if (ebitmap_cardinality(&level->level->cat) > 0) {
cats = cats_ebitmap_to_str(&level->level->cat, pdb->p_cat_val_to_name);
sepol_printf(out, "level %s:%s;\n", name, cats);
free(cats);
} else {
sepol_printf(out, "level %s;\n", name);
}
}
exit:
if (rc != 0) {
sepol_log_err("Error writing level rules to policy.conf\n");
}
return rc;
}
static int write_mls_rules_to_conf(FILE *out, struct policydb *pdb)
{
int rc = 0;
if (!pdb->mls) {
return 0;
}
rc = write_sensitivity_rules_to_conf(out, pdb);
if (rc != 0) {
goto exit;
}
rc = write_category_rules_to_conf(out, pdb);
if (rc != 0) {
goto exit;
}
rc = write_level_rules_to_conf(out, pdb);
if (rc != 0) {
goto exit;
}
exit:
if (rc != 0) {
sepol_log_err("Error writing mls rules to policy.conf\n");
}
return rc;
}
static int write_polcap_rules_to_conf(FILE *out, struct policydb *pdb)
{
struct strs *strs;
struct ebitmap_node *node;
const char *name;
uint32_t i;
int rc = 0;
rc = strs_init(&strs, 32);
if (rc != 0) {
goto exit;
}
ebitmap_for_each_bit(&pdb->policycaps, node, i) {
if (!ebitmap_get_bit(&pdb->policycaps, i)) continue;
name = sepol_polcap_getname(i);
if (name == NULL) {
sepol_log_err("Unknown policy capability id: %i", i);
rc = -1;
goto exit;
}
rc = strs_create_and_add(strs, "policycap %s;", 1, name);
if (rc != 0) {
goto exit;
}
}
strs_sort(strs);
strs_write_each(strs, out);
exit:
strs_free_all(strs);
strs_destroy(&strs);
if (rc != 0) {
sepol_log_err("Error writing polcap rules to policy.conf\n");
}
return rc;
}
static int write_type_attributes_to_conf(FILE *out, struct policydb *pdb)
{
type_datum_t *type;
char *name;
struct strs *strs;
unsigned i, num;
int rc = 0;
rc = strs_init(&strs, pdb->p_types.nprim);
if (rc != 0) {
goto exit;
}
for (i=0; i < pdb->p_types.nprim; i++) {
type = pdb->type_val_to_struct[i];
if (type->flavor == TYPE_ATTRIB) {
rc = strs_add(strs, pdb->p_type_val_to_name[i]);
if (rc != 0) {
goto exit;
}
}
}
strs_sort(strs);
num = strs_num_items(strs);
for (i = 0; i < num; i++) {
name = strs_read_at_index(strs, i);
if (!name) {
rc = -1;
goto exit;
}
sepol_printf(out, "attribute %s;\n", name);
}
exit:
strs_destroy(&strs);
if (rc != 0) {
sepol_log_err("Error writing typeattribute rules to policy.conf\n");
}
return rc;
}
static int write_role_attributes_to_conf(FILE *out, struct policydb *pdb)
{
role_datum_t *role;
char *name;
struct strs *strs;
unsigned i, num;
int rc = 0;
rc = strs_init(&strs, pdb->p_roles.nprim);
if (rc != 0) {
goto exit;
}
for (i=0; i < pdb->p_roles.nprim; i++) {
role = pdb->role_val_to_struct[i];
if (role && role->flavor == ROLE_ATTRIB) {
rc = strs_add(strs, pdb->p_role_val_to_name[i]);
if (rc != 0) {
goto exit;
}
}
}
strs_sort(strs);
num = strs_num_items(strs);
for (i=0; i<num; i++) {
name = strs_read_at_index(strs, i);
if (!name) {
rc = -1;
goto exit;
}
sepol_printf(out, "attribute_role %s;\n", name);
}
exit:
strs_destroy(&strs);
if (rc != 0) {
sepol_log_err("Error writing roleattribute rules to policy.conf\n");
}
return rc;
}
static int map_boolean_to_strs(char *key, void *data, void *args)
{
struct strs *strs = (struct strs *)args;
struct cond_bool_datum *boolean = data;
const char *value;
value = boolean->state ? "true" : "false";
return strs_create_and_add(strs, "bool %s %s;", 2, key, value);
}
static int write_boolean_decl_rules_to_conf(FILE *out, struct policydb *pdb)
{
struct strs *strs;
int rc = 0;
rc = strs_init(&strs, 32);
if (rc != 0) {
goto exit;
}
rc = hashtab_map(pdb->p_bools.table, map_boolean_to_strs, strs);
if (rc != 0) {
goto exit;
}
strs_sort(strs);
strs_write_each(strs, out);
exit:
strs_free_all(strs);
strs_destroy(&strs);
if (rc != 0) {
sepol_log_err("Error writing boolean declarations to policy.conf\n");
}
return rc;
}
static int write_type_decl_rules_to_conf(FILE *out, struct policydb *pdb)
{
type_datum_t *type;
struct strs *strs;
char *name;
unsigned i, num;
int rc = 0;
rc = strs_init(&strs, pdb->p_types.nprim);
if (rc != 0) {
goto exit;
}
for (i=0; i < pdb->p_types.nprim; i++) {
type = pdb->type_val_to_struct[i];
if (type->flavor == TYPE_TYPE && type->primary) {
rc = strs_add(strs, pdb->p_type_val_to_name[i]);
if (rc != 0) {
goto exit;
}
}
}
strs_sort(strs);
num = strs_num_items(strs);
for (i=0; i<num; i++) {
name = strs_read_at_index(strs, i);
if (!name) {
rc = -1;
goto exit;
}
sepol_printf(out, "type %s;\n", name);
}
exit:
strs_destroy(&strs);
if (rc != 0) {
sepol_log_err("Error writing type declarations to policy.con\n");
}
return rc;
}
static int write_type_alias_rules_to_conf(FILE *out, struct policydb *pdb)
{
type_datum_t *alias;
struct strs *strs;
char *name;
char *type;
unsigned i, num;
int rc = 0;
rc = strs_init(&strs, pdb->p_types.nprim);
if (rc != 0) {
goto exit;
}
for (i=0; i < pdb->p_types.nprim; i++) {
alias = pdb->type_val_to_struct[i];
if (!alias->primary) {
rc = strs_add(strs, pdb->p_type_val_to_name[i]);
if (rc != 0) {
goto exit;
}
}
}
strs_sort(strs);
num = strs_num_items(strs);
for (i=0; i<num; i++) {
name = strs_read_at_index(strs, i);
if (!name) {
rc = -1;
goto exit;
}
alias = hashtab_search(pdb->p_types.table, name);
if (!alias) {
rc = -1;
goto exit;
}
type = pdb->p_type_val_to_name[alias->s.value - 1];
sepol_printf(out, "typealias %s %s;\n", type, name);
}
exit:
strs_destroy(&strs);
if (rc != 0) {
sepol_log_err("Error writing type alias rules to policy.conf\n");
}
return rc;
}
static int write_type_bounds_rules_to_conf(FILE *out, struct policydb *pdb)
{
type_datum_t *type;
struct strs *strs;
char *parent;
char *child;
unsigned i, num;
int rc = 0;
rc = strs_init(&strs, pdb->p_types.nprim);
if (rc != 0) {
goto exit;
}
for (i=0; i < pdb->p_types.nprim; i++) {
type = pdb->type_val_to_struct[i];
if (type->flavor == TYPE_TYPE) {
if (type->bounds > 0) {
rc = strs_add(strs, pdb->p_type_val_to_name[i]);
if (rc != 0) {
goto exit;
}
}
}
}
strs_sort(strs);
num = strs_num_items(strs);
for (i=0; i<num; i++) {
child = strs_read_at_index(strs, i);
if (!child) {
rc = -1;
goto exit;
}
type = hashtab_search(pdb->p_types.table, child);
if (!type) {
rc = -1;
goto exit;
}
parent = pdb->p_type_val_to_name[type->bounds - 1];
sepol_printf(out, "typebounds %s %s;\n", parent, child);
}
exit:
strs_destroy(&strs);
if (rc != 0) {
sepol_log_err("Error writing type bounds rules to policy.conf\n");
}
return rc;
}
static char *attr_strs_to_str(struct strs *strs)
{
char *str = NULL;
size_t len = 0;
char *p;
unsigned i;
int rc;
if (strs->num == 0) {
goto exit;
}
/* 2*strs->num - 1 because ", " follows all but last attr (followed by '\0') */
len = strs_len_items(strs) + 2*strs->num - 1;
str = malloc(len);
if (!str) {
sepol_log_err("Out of memory");
goto exit;
}
p = str;
for (i=0; i<strs->num; i++) {
if (!strs->list[i]) continue;
len = strlen(strs->list[i]);
rc = snprintf(p, len+1, "%s", strs->list[i]);
if (rc < 0 || rc > (int)len) {
free(str);
str = NULL;
goto exit;
}
p += len;
if (i < strs->num - 1) {
*p++ = ',';
*p++ = ' ';
}
}
*p = '\0';
exit:
return str;
}
static char *attrmap_to_str(struct ebitmap *map, char **val_to_name)
{
struct strs *strs;
char *str = NULL;
int rc;
rc = strs_init(&strs, 32);
if (rc != 0) {
goto exit;
}
rc = ebitmap_to_strs(map, strs, val_to_name);
if (rc != 0) {
goto exit;
}
strs_sort(strs);
str = attr_strs_to_str(strs);
exit:
strs_destroy(&strs);
return str;
}
static int write_type_attribute_sets_to_conf(FILE *out, struct policydb *pdb)
{
type_datum_t *type;
struct strs *strs;
ebitmap_t attrmap;
char *name, *attrs;
unsigned i;
int rc;
rc = strs_init(&strs, pdb->p_types.nprim);
if (rc != 0) {
goto exit;
}
for (i=0; i < pdb->p_types.nprim; i++) {
type = pdb->type_val_to_struct[i];
if (type->flavor != TYPE_TYPE || !type->primary) continue;
if (ebitmap_cardinality(&pdb->type_attr_map[i]) == 1) continue;
rc = ebitmap_cpy(&attrmap, &pdb->type_attr_map[i]);
if (rc != 0) {
goto exit;
}
rc = ebitmap_set_bit(&attrmap, i, 0);
if (rc != 0) {
ebitmap_destroy(&attrmap);
goto exit;
}
name = pdb->p_type_val_to_name[i];
attrs = attrmap_to_str(&attrmap, pdb->p_type_val_to_name);
ebitmap_destroy(&attrmap);
if (!attrs) {
rc = -1;
goto exit;
}
rc = strs_create_and_add(strs, "typeattribute %s %s;",
2, name, attrs);
free(attrs);
if (rc != 0) {
goto exit;
}
}
strs_sort(strs);
strs_write_each(strs, out);
exit:
strs_free_all(strs);
strs_destroy(&strs);
if (rc != 0) {
sepol_log_err("Error writing typeattributeset rules to policy.conf\n");
}
return rc;
}
static int write_type_permissive_rules_to_conf(FILE *out, struct policydb *pdb)
{
struct strs *strs;
char *name;
struct ebitmap_node *node;
unsigned i, num;
int rc = 0;
rc = strs_init(&strs, pdb->p_types.nprim);
if (rc != 0) {
goto exit;
}
ebitmap_for_each_bit(&pdb->permissive_map, node, i) {
if (!ebitmap_get_bit(&pdb->permissive_map, i)) continue;
rc = strs_add(strs, pdb->p_type_val_to_name[i-1]);
if (rc != 0) {
goto exit;
}
}
strs_sort(strs);
num = strs_num_items(strs);
for (i=0; i<num; i++) {
name = strs_read_at_index(strs, i);
if (!name) {
rc = -1;
goto exit;
}
sepol_printf(out, "permissive %s;\n", name);
}
exit:
strs_destroy(&strs);
if (rc != 0) {
sepol_log_err("Error writing typepermissive rules to policy.conf\n");
}
return rc;
}
static char *avtab_node_to_str(struct policydb *pdb, avtab_key_t *key, avtab_datum_t *datum)
{
uint32_t data = datum->data;
type_datum_t *type;
const char *flavor, *src, *tgt, *class, *perms, *new;
char *rule = NULL;
switch (0xFFF & key->specified) {
case AVTAB_ALLOWED:
flavor = "allow";
break;
case AVTAB_AUDITALLOW:
flavor = "auditallow";
break;
case AVTAB_AUDITDENY:
flavor = "dontaudit";
data = ~data;
break;
case AVTAB_XPERMS_ALLOWED:
flavor = "allowxperm";
break;
case AVTAB_XPERMS_AUDITALLOW:
flavor = "auditallowxperm";
break;
case AVTAB_XPERMS_DONTAUDIT:
flavor = "dontauditxperm";
break;
case AVTAB_TRANSITION:
flavor = "type_transition";
break;
case AVTAB_MEMBER:
flavor = "type_member";
break;
case AVTAB_CHANGE:
flavor = "type_change";
break;
default:
sepol_log_err("Unknown avtab type: %i", key->specified);
goto exit;
}
src = pdb->p_type_val_to_name[key->source_type - 1];
tgt = pdb->p_type_val_to_name[key->target_type - 1];
if (key->source_type == key->target_type && !(key->specified & AVTAB_TYPE)) {
type = pdb->type_val_to_struct[key->source_type - 1];
if (type->flavor != TYPE_ATTRIB) {
tgt = "self";
}
}
class = pdb->p_class_val_to_name[key->target_class - 1];
if (key->specified & AVTAB_AV) {
perms = sepol_av_to_string(pdb, key->target_class, data);
if (perms == NULL) {
sepol_log_err("Failed to generate permission string");
goto exit;
}
rule = create_str("%s %s %s:%s { %s };", 5,
flavor, src, tgt, class, perms+1);
} else if (key->specified & AVTAB_XPERMS) {
perms = sepol_extended_perms_to_string(datum->xperms);
if (perms == NULL) {
sepol_log_err("Failed to generate extended permission string");
goto exit;
}
rule = create_str("%s %s %s:%s %s;", 5, flavor, src, tgt, class, perms);
} else {
new = pdb->p_type_val_to_name[data - 1];
rule = create_str("%s %s %s:%s %s;", 5, flavor, src, tgt, class, new);
}
if (!rule) {
goto exit;
}
return rule;
exit:
return NULL;
}
struct map_avtab_args {
struct policydb *pdb;
uint32_t flavor;
struct strs *strs;
};
static int map_avtab_write_helper(avtab_key_t *key, avtab_datum_t *datum, void *args)
{
struct map_avtab_args *map_args = args;
uint32_t flavor = map_args->flavor;
struct policydb *pdb = map_args->pdb;
struct strs *strs = map_args->strs;
char *rule;
int rc = 0;
if (key->specified & flavor) {
rule = avtab_node_to_str(pdb, key, datum);
if (!rule) {
rc = -1;
goto exit;
}
rc = strs_add(strs, rule);
if (rc != 0) {
free(rule);
goto exit;
}
}
exit:
return rc;
}
static int write_avtab_flavor_to_conf(FILE *out, struct policydb *pdb, uint32_t flavor, int indent)
{
struct map_avtab_args args;
struct strs *strs;
int rc = 0;
rc = strs_init(&strs, 1000);
if (rc != 0) {
goto exit;
}
args.pdb = pdb;
args.flavor = flavor;
args.strs = strs;
rc = avtab_map(&pdb->te_avtab, map_avtab_write_helper, &args);
if (rc != 0) {
goto exit;
}
strs_sort(strs);
strs_write_each_indented(strs, out, indent);
exit:
strs_free_all(strs);
strs_destroy(&strs);
return rc;
}
static int write_avtab_to_conf(FILE *out, struct policydb *pdb, int indent)
{
unsigned i;
int rc = 0;
for (i = 0; i < AVTAB_FLAVORS_SZ; i++) {
rc = write_avtab_flavor_to_conf(out, pdb, avtab_flavors[i], indent);
if (rc != 0) {
goto exit;
}
}
exit:
if (rc != 0) {
sepol_log_err("Error writing avtab rules to policy.conf\n");
}
return rc;
}
struct map_filename_trans_args {
struct policydb *pdb;
struct strs *strs;
};
static int map_filename_trans_to_str(hashtab_key_t key, void *data, void *arg)
{
filename_trans_t *ft = (filename_trans_t *)key;
filename_trans_datum_t *datum = data;
struct map_filename_trans_args *map_args = arg;
struct policydb *pdb = map_args->pdb;
struct strs *strs = map_args->strs;
char *src, *tgt, *class, *filename, *new;
src = pdb->p_type_val_to_name[ft->stype - 1];
tgt = pdb->p_type_val_to_name[ft->ttype - 1];
class = pdb->p_class_val_to_name[ft->tclass - 1];
filename = ft->name;
new = pdb->p_type_val_to_name[datum->otype - 1];
return strs_create_and_add(strs, "type_transition %s %s:%s %s \"%s\";", 5,
src, tgt, class, new, filename);
}
static int write_filename_trans_rules_to_conf(FILE *out, struct policydb *pdb)
{
struct map_filename_trans_args args;
struct strs *strs;
int rc = 0;
rc = strs_init(&strs, 100);
if (rc != 0) {
goto exit;
}
args.pdb = pdb;
args.strs = strs;
rc = hashtab_map(pdb->filename_trans, map_filename_trans_to_str, &args);
if (rc != 0) {
goto exit;
}
strs_sort(strs);
strs_write_each(strs, out);
exit:
strs_free_all(strs);
strs_destroy(&strs);
if (rc != 0) {
sepol_log_err("Error writing filename typetransition rules to policy.conf\n");
}
return rc;
}
static char *level_to_str(struct policydb *pdb, struct mls_level *level)
{
ebitmap_t *cats = &level->cat;
char *level_str = NULL;
char *sens_str = pdb->p_sens_val_to_name[level->sens - 1];
char *cats_str;
if (ebitmap_cardinality(cats) > 0) {
cats_str = cats_ebitmap_to_str(cats, pdb->p_cat_val_to_name);
level_str = create_str("%s:%s", 2, sens_str, cats_str);
free(cats_str);
} else {
level_str = create_str("%s", 1, sens_str);
}
return level_str;
}
static char *range_to_str(struct policydb *pdb, mls_range_t *range)
{
char *low = NULL;
char *high = NULL;
char *range_str = NULL;
low = level_to_str(pdb, &range->level[0]);
if (!low) {
goto exit;
}
high = level_to_str(pdb, &range->level[1]);
if (!high) {
goto exit;
}
range_str = create_str("%s - %s", 2, low, high);
exit:
free(low);
free(high);
return range_str;
}
struct map_range_trans_args {
struct policydb *pdb;
struct strs *strs;
};
static int map_range_trans_to_str(hashtab_key_t key, void *data, void *arg)
{
range_trans_t *rt = (range_trans_t *)key;
mls_range_t *mls_range = data;
struct map_range_trans_args *map_args = arg;
struct policydb *pdb = map_args->pdb;
struct strs *strs = map_args->strs;
char *src, *tgt, *class, *range;
int rc;
src = pdb->p_type_val_to_name[rt->source_type - 1];
tgt = pdb->p_type_val_to_name[rt->target_type - 1];
class = pdb->p_class_val_to_name[rt->target_class - 1];
range = range_to_str(pdb, mls_range);
if (!range) {
rc = -1;
goto exit;
}
rc = strs_create_and_add(strs, "range_transition %s %s:%s %s;", 4,
src, tgt, class, range);
free(range);
if (rc != 0) {
goto exit;
}
exit:
return rc;
}
static int write_range_trans_rules_to_conf(FILE *out, struct policydb *pdb)
{
struct map_range_trans_args args;
struct strs *strs;
int rc = 0;
rc = strs_init(&strs, 100);
if (rc != 0) {
goto exit;
}
args.pdb = pdb;
args.strs = strs;
rc = hashtab_map(pdb->range_tr, map_range_trans_to_str, &args);
if (rc != 0) {
goto exit;
}
strs_sort(strs);
strs_write_each(strs, out);
exit:
strs_free_all(strs);
strs_destroy(&strs);
if (rc != 0) {
sepol_log_err("Error writing range transition rules to policy.conf\n");
}
return rc;
}
static int write_cond_av_list_to_conf(FILE *out, struct policydb *pdb, cond_av_list_t *cond_list, int indent)
{
cond_av_list_t *cond_av;
avtab_ptr_t node;
uint32_t flavor;
avtab_key_t *key;
avtab_datum_t *datum;
struct strs *strs;
char *rule;
unsigned i;
int rc;
for (i = 0; i < AVTAB_FLAVORS_SZ; i++) {
flavor = avtab_flavors[i];
rc = strs_init(&strs, 64);
if (rc != 0) {
goto exit;
}
for (cond_av = cond_list; cond_av != NULL; cond_av = cond_av->next) {
node = cond_av->node;
key = &node->key;
datum = &node->datum;
if (key->specified & flavor) {
rule = avtab_node_to_str(pdb, key, datum);
if (!rule) {
rc = -1;
goto exit;
}
rc = strs_add(strs, rule);
if (rc != 0) {
free(rule);
goto exit;
}
}
}
strs_sort(strs);
strs_write_each_indented(strs, out, indent);
strs_free_all(strs);
strs_destroy(&strs);
}
return 0;
exit:
strs_free_all(strs);
strs_destroy(&strs);
return rc;
}
struct cond_data {
char *expr;
struct cond_node *cond;
};
static int cond_node_cmp(const void *a, const void *b)
{
const struct cond_data *aa = a;
const struct cond_data *bb = b;
return strcmp(aa->expr, bb->expr);
}
static int write_cond_nodes_to_conf(FILE *out, struct policydb *pdb)
{
struct cond_data *cond_data;
char *expr;
struct cond_node *cond;
unsigned i, num;
int rc = 0;
num = 0;
for (cond = pdb->cond_list; cond != NULL; cond = cond->next) {
num++;
}
if (num == 0) {
return 0;
}
cond_data = calloc(sizeof(struct cond_data), num);
if (!cond_data) {
rc = -1;
goto exit;
}
i = 0;
for (cond = pdb->cond_list; cond != NULL; cond = cond->next) {
cond_data[i].cond = cond;
expr = cond_expr_to_str(pdb, cond->expr);
if (!expr) {
num = i;
goto exit;
}
cond_data[i].expr = expr;
i++;
}
qsort(cond_data, num, sizeof(*cond_data), cond_node_cmp);
for (i=0; i<num; i++) {
expr = cond_data[i].expr;
cond = cond_data[i].cond;
sepol_printf(out, "if (%s) {\n", expr);
if (cond->true_list != NULL) {
rc = write_cond_av_list_to_conf(out, pdb, cond->true_list, 1);
if (rc != 0) {
goto exit;
}
}
if (cond->false_list != NULL) {
sepol_printf(out, "} else {\n");
rc = write_cond_av_list_to_conf(out, pdb, cond->false_list, 1);
if (rc != 0) {
goto exit;
}
}
sepol_printf(out, "}\n");
}
exit:
if (cond_data) {
for (i=0; i<num; i++) {
free(cond_data[i].expr);
}
free(cond_data);
}
if (rc != 0) {
sepol_log_err("Error writing conditional rules to policy.conf\n");
}
return rc;
}
static int write_role_decl_rules_to_conf(FILE *out, struct policydb *pdb)
{
struct role_datum *role;
struct strs *strs;
char *name, *types, *p1, *p2;
unsigned i, num;
int rc = 0;
rc = strs_init(&strs, pdb->p_roles.nprim);
if (rc != 0) {
goto exit;
}
/* Start at 1 to skip object_r */
for (i=1; i < pdb->p_roles.nprim; i++) {
role = pdb->role_val_to_struct[i];
if (role && role->flavor == ROLE_ROLE) {
rc = strs_add(strs, pdb->p_role_val_to_name[i]);
if (rc != 0) {
goto exit;
}
}
}
strs_sort(strs);
num = strs_num_items(strs);
for (i=0; i<num; i++) {
name = strs_read_at_index(strs, i);
if (!name) {
continue;
}
sepol_printf(out, "role %s;\n", name);
}
for (i=0; i<num; i++) {
name = strs_read_at_index(strs, i);
if (!name) continue;
role = hashtab_search(pdb->p_roles.table, name);
if (!role) {
rc = -1;
goto exit;
}
if (ebitmap_cardinality(&role->types.types) == 0) continue;
types = ebitmap_to_str(&role->types.types, pdb->p_type_val_to_name, 1);
if (!types) {
rc = -1;
goto exit;
}
if (strlen(types) > 900) {
p1 = types;
while (p1) {
p2 = p1;
while (p2 - p1 < 600) {
p2 = strchr(p2, ' ');
if (!p2)
break;
p2++;
}
if (p2) {
*(p2-1) = '\0';
}
sepol_printf(out, "role %s types { %s };\n", name, p1);
p1 = p2;
}
} else {
sepol_printf(out, "role %s types { %s };\n", name, types);
}
free(types);
}
exit:
strs_destroy(&strs);
if (rc != 0) {
sepol_log_err("Error writing role declarations to policy.conf\n");
}
return rc;
}
static int write_role_transition_rules_to_conf(FILE *out, struct policydb *pdb)
{
role_trans_t *curr = pdb->role_tr;
struct strs *strs;
char *role, *type, *class, *new;
int rc = 0;
rc = strs_init(&strs, 32);
if (rc != 0) {
goto exit;
}
while (curr) {
role = pdb->p_role_val_to_name[curr->role - 1];
type = pdb->p_type_val_to_name[curr->type - 1];
class = pdb->p_class_val_to_name[curr->tclass - 1];
new = pdb->p_role_val_to_name[curr->new_role - 1];
rc = strs_create_and_add(strs, "role_transition %s %s:%s %s;", 4,
role, type, class, new);
if (rc != 0) {
goto exit;
}
curr = curr->next;
}
strs_sort(strs);
strs_write_each(strs, out);
exit:
strs_free_all(strs);
strs_destroy(&strs);
if (rc != 0) {
sepol_log_err("Error writing role transition rules to policy.conf\n");
}
return rc;
}
static int write_role_allow_rules_to_conf(FILE *out, struct policydb *pdb)
{
role_allow_t *curr = pdb->role_allow;
struct strs *strs;
char *role, *new;
int rc = 0;
rc = strs_init(&strs, 32);
if (rc != 0) {
goto exit;
}
while (curr) {
role = pdb->p_role_val_to_name[curr->role - 1];
new = pdb->p_role_val_to_name[curr->new_role - 1];
rc = strs_create_and_add(strs, "allow %s %s;", 2, role, new);
if (rc != 0) {
goto exit;
}
curr = curr->next;
}
strs_sort(strs);
strs_write_each(strs, out);
exit:
strs_free_all(strs);
strs_destroy(&strs);
if (rc != 0) {
sepol_log_err("Error writing role allow rules to policy.conf\n");
}
return rc;
}
static int write_user_decl_rules_to_conf(FILE *out, struct policydb *pdb)
{
struct user_datum *user;
struct strs *strs;
char *name, *roles, *level, *range;
unsigned i, num;
int rc = 0;
rc = strs_init(&strs, pdb->p_users.nprim);
if (rc != 0) {
goto exit;
}
for (i=0; i < pdb->p_users.nprim; i++) {
rc = strs_add(strs, pdb->p_user_val_to_name[i]);
if (rc != 0) {
goto exit;
}
}
strs_sort(strs);
num = strs_num_items(strs);
for (i=0; i<num; i++) {
name = strs_read_at_index(strs, i);
if (!name) {
continue;
}
user = hashtab_search(pdb->p_users.table, name);
if (!user) {
rc = -1;
goto exit;
}
sepol_printf(out, "user %s", name);
if (ebitmap_cardinality(&user->roles.roles) > 0) {
roles = ebitmap_to_str(&user->roles.roles,
pdb->p_role_val_to_name, 1);
if (!roles) {
rc = -1;
goto exit;
}
if (strchr(roles, ' ')) {
sepol_printf(out, " roles { %s }", roles);
} else {
sepol_printf(out, " roles %s", roles);
}
free(roles);
}
if (pdb->mls) {
level = level_to_str(pdb, &user->exp_dfltlevel);
if (!level) {
rc = -1;
goto exit;
}
sepol_printf(out, " level %s", level);
free(level);
range = range_to_str(pdb, &user->exp_range);
if (!range) {
rc = -1;
goto exit;
}
sepol_printf(out, " range %s", range);
free(range);
}
sepol_printf(out, ";\n");
}
strs_destroy(&strs);
exit:
if (rc != 0) {
sepol_log_err("Error writing user declarations to policy.conf\n");
}
return rc;
}
static char *context_to_str(struct policydb *pdb, struct context_struct *con)
{
char *user, *role, *type, *range;
char *ctx = NULL;
user = pdb->p_user_val_to_name[con->user - 1];
role = pdb->p_role_val_to_name[con->role - 1];
type = pdb->p_type_val_to_name[con->type - 1];
if (pdb->mls) {
range = range_to_str(pdb, &con->range);
ctx = create_str("%s:%s:%s:%s", 4, user, role, type, range);
free(range);
} else {
ctx = create_str("%s:%s:%s", 3, user, role, type);
}
return ctx;
}
static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, const char *const *sid_to_str, unsigned num_sids)
{
struct ocontext *isid;
struct strs *strs;
char *sid;
char unknown[18];
char *ctx, *rule;
unsigned i;
int rc;
rc = strs_init(&strs, 32);
if (rc != 0) {
goto exit;
}
for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) {
i = isid->sid[0];
if (i < num_sids) {
sid = (char *)sid_to_str[i];
} else {
snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
sid = unknown;
}
ctx = context_to_str(pdb, &isid->context[0]);
if (!ctx) {
rc = -1;
goto exit;
}
rule = create_str("sid %s %s", 2, sid, ctx);
free(ctx);
if (!rule) {
rc = -1;
goto exit;
}
rc = strs_add_at_index(strs, rule, i);
if (rc != 0) {
free(rule);
goto exit;
}
}
strs_write_each(strs, out);
exit:
strs_free_all(strs);
strs_destroy(&strs);
if (rc != 0) {
sepol_log_err("Error writing sidcontext rules to policy.conf\n");
}
return rc;
}
static int write_selinux_isid_rules_to_conf(FILE *out, struct policydb *pdb)
{
return write_sid_context_rules_to_conf(out, pdb, selinux_sid_to_str,
SELINUX_SID_SZ);
}
static int write_selinux_fsuse_rules_to_conf(FILE *out, struct policydb *pdb)
{
struct ocontext *fsuse;
const char *behavior;
char *name, *ctx;
int rc = 0;
for (fsuse = pdb->ocontexts[5]; fsuse != NULL; fsuse = fsuse->next) {
switch (fsuse->v.behavior) {
case SECURITY_FS_USE_XATTR: behavior = "xattr"; break;
case SECURITY_FS_USE_TRANS: behavior = "trans"; break;
case SECURITY_FS_USE_TASK: behavior = "task"; break;
default:
sepol_log_err("Unknown fsuse behavior: %i", fsuse->v.behavior);
rc = -1;
goto exit;
}
name = fsuse->u.name;
ctx = context_to_str(pdb, &fsuse->context[0]);
if (!ctx) {
rc = -1;
goto exit;
}
sepol_printf(out, "fs_use_%s %s %s;\n", behavior, name, ctx);
free(ctx);
}
exit:
if (rc != 0) {
sepol_log_err("Error writing fsuse rules to policy.conf\n");
}
return rc;
}
static int write_genfscon_rules_to_conf(FILE *out, struct policydb *pdb)
{
struct genfs *genfs;
struct ocontext *ocon;
struct strs *strs;
char *fstype, *name, *ctx;
int rc;
rc = strs_init(&strs, 32);
if (rc != 0) {
goto exit;
}
for (genfs = pdb->genfs; genfs != NULL; genfs = genfs->next) {
for (ocon = genfs->head; ocon != NULL; ocon = ocon->next) {
fstype = genfs->fstype;
name = ocon->u.name;
ctx = context_to_str(pdb, &ocon->context[0]);
if (!ctx) {
rc = -1;
goto exit;
}
rc = strs_create_and_add(strs, "genfscon %s %s %s", 3,
fstype, name, ctx);
free(ctx);
if (rc != 0) {
goto exit;
}
}
}
strs_sort(strs);
strs_write_each(strs, out);
exit:
strs_free_all(strs);
strs_destroy(&strs);
if (rc != 0) {
sepol_log_err("Error writing genfscon rules to policy.conf\n");
}
return rc;
}
static int write_selinux_port_rules_to_conf(FILE *out, struct policydb *pdb)
{
struct ocontext *portcon;
const char *protocol;
uint16_t low;
uint16_t high;
char low_high_str[44]; /* 2^64 <= 20 digits so "low-high" <= 44 chars */
char *ctx;
int rc = 0;
for (portcon = pdb->ocontexts[2]; portcon != NULL; portcon = portcon->next) {
switch (portcon->u.port.protocol) {
case IPPROTO_TCP: protocol = "tcp"; break;
case IPPROTO_UDP: protocol = "udp"; break;
case IPPROTO_DCCP: protocol = "dccp"; break;
case IPPROTO_SCTP: protocol = "sctp"; break;
default:
sepol_log_err("Unknown portcon protocol: %i", portcon->u.port.protocol);
rc = -1;
goto exit;
}
low = portcon->u.port.low_port;
high = portcon->u.port.high_port;
if (low == high) {
rc = snprintf(low_high_str, 44, "%u", low);
} else {
rc = snprintf(low_high_str, 44, "%u-%u", low, high);
}
if (rc < 0 || rc >= 44) {
rc = -1;
goto exit;
}
ctx = context_to_str(pdb, &portcon->context[0]);
if (!ctx) {
rc = -1;
goto exit;
}
sepol_printf(out, "portcon %s %s %s\n", protocol, low_high_str, ctx);
free(ctx);
}
rc = 0;
exit:
if (rc != 0) {
sepol_log_err("Error writing portcon rules to policy.conf\n");
}
return rc;
}
static int write_selinux_netif_rules_to_conf(FILE *out, struct policydb *pdb)
{
struct ocontext *netif;
char *name, *ctx1, *ctx2;
int rc = 0;
for (netif = pdb->ocontexts[3]; netif != NULL; netif = netif->next) {
name = netif->u.name;
ctx1 = context_to_str(pdb, &netif->context[0]);
if (!ctx1) {
rc = -1;
goto exit;
}
ctx2 = context_to_str(pdb, &netif->context[1]);
if (!ctx2) {
free(ctx1);
rc = -1;
goto exit;
}
sepol_printf(out, "netifcon %s %s %s\n", name, ctx1, ctx2);
free(ctx1);
free(ctx2);
}
exit:
if (rc != 0) {
sepol_log_err("Error writing netifcon rules to policy.conf\n");
}
return rc;
}
static int write_selinux_node_rules_to_conf(FILE *out, struct policydb *pdb)
{
struct ocontext *node;
char addr[INET_ADDRSTRLEN];
char mask[INET_ADDRSTRLEN];
char *ctx;
int rc = 0;
for (node = pdb->ocontexts[4]; node != NULL; node = node->next) {
if (inet_ntop(AF_INET, &node->u.node.addr, addr, INET_ADDRSTRLEN) == NULL) {
sepol_log_err("Nodecon address is invalid: %s", strerror(errno));
rc = -1;
goto exit;
}
if (inet_ntop(AF_INET, &node->u.node.mask, mask, INET_ADDRSTRLEN) == NULL) {
sepol_log_err("Nodecon mask is invalid: %s", strerror(errno));
rc = -1;
goto exit;
}
ctx = context_to_str(pdb, &node->context[0]);
if (!ctx) {
rc = -1;
goto exit;
}
sepol_printf(out, "nodecon %s %s %s\n", addr, mask, ctx);
free(ctx);
}
exit:
if (rc != 0) {
sepol_log_err("Error writing nodecon rules to policy.conf\n");
}
return rc;
}
static int write_selinux_node6_rules_to_conf(FILE *out, struct policydb *pdb)
{
struct ocontext *node6;
char addr[INET6_ADDRSTRLEN];
char mask[INET6_ADDRSTRLEN];
char *ctx;
int rc = 0;
for (node6 = pdb->ocontexts[6]; node6 != NULL; node6 = node6->next) {
if (inet_ntop(AF_INET6, &node6->u.node6.addr, addr, INET6_ADDRSTRLEN) == NULL) {
sepol_log_err("Nodecon address is invalid: %s", strerror(errno));
rc = -1;
goto exit;
}
if (inet_ntop(AF_INET6, &node6->u.node6.mask, mask, INET6_ADDRSTRLEN) == NULL) {
sepol_log_err("Nodecon mask is invalid: %s", strerror(errno));
rc = -1;
goto exit;
}
ctx = context_to_str(pdb, &node6->context[0]);
if (!ctx) {
rc = -1;
goto exit;
}
sepol_printf(out, "nodecon %s %s %s\n", addr, mask, ctx);
free(ctx);
}
exit:
if (rc != 0) {
sepol_log_err("Error writing nodecon rules to policy.conf\n");
}
return rc;
}
static int write_selinux_ibpkey_rules_to_conf(FILE *out, struct policydb *pdb)
{
struct ocontext *ibpkeycon;
char subnet_prefix_str[INET6_ADDRSTRLEN];
struct in6_addr subnet_prefix = IN6ADDR_ANY_INIT;
uint16_t low;
uint16_t high;
char low_high_str[44]; /* 2^64 <= 20 digits so "low-high" <= 44 chars */
char *ctx;
int rc = 0;
for (ibpkeycon = pdb->ocontexts[OCON_IBPKEY]; ibpkeycon != NULL;
ibpkeycon = ibpkeycon->next) {
memcpy(&subnet_prefix.s6_addr, &ibpkeycon->u.ibpkey.subnet_prefix,
sizeof(ibpkeycon->u.ibpkey.subnet_prefix));
if (inet_ntop(AF_INET6, &subnet_prefix.s6_addr,
subnet_prefix_str, INET6_ADDRSTRLEN) == NULL) {
sepol_log_err("ibpkeycon address is invalid: %s",
strerror(errno));
rc = -1;
goto exit;
}
low = ibpkeycon->u.ibpkey.low_pkey;
high = ibpkeycon->u.ibpkey.high_pkey;
if (low == high) {
rc = snprintf(low_high_str, 44, "%u", low);
} else {
rc = snprintf(low_high_str, 44, "%u-%u", low, high);
}
if (rc < 0 || rc >= 44) {
rc = -1;
goto exit;
}
ctx = context_to_str(pdb, &ibpkeycon->context[0]);
if (!ctx) {
rc = -1;
goto exit;
}
sepol_printf(out, "ibpkeycon %s %s %s\n", subnet_prefix_str,
low_high_str, ctx);
free(ctx);
}
rc = 0;
exit:
if (rc != 0) {
sepol_log_err("Error writing ibpkeycon rules to policy.conf\n");
}
return rc;
}
static int write_selinux_ibendport_rules_to_conf(FILE *out, struct policydb *pdb)
{
struct ocontext *ibendportcon;
char port_str[4];
char *ctx;
int rc = 0;
for (ibendportcon = pdb->ocontexts[OCON_IBENDPORT];
ibendportcon != NULL; ibendportcon = ibendportcon->next) {
rc = snprintf(port_str, 4, "%u", ibendportcon->u.ibendport.port);
if (rc < 0 || rc >= 4) {
rc = -1;
goto exit;
}
ctx = context_to_str(pdb, &ibendportcon->context[0]);
if (!ctx) {
rc = -1;
goto exit;
}
sepol_printf(out, "ibendportcon %s %s %s\n", ibendportcon->u.ibendport.dev_name, port_str, ctx);
free(ctx);
}
rc = 0;
exit:
if (rc != 0) {
sepol_log_err("Error writing ibendportcon rules to policy.conf\n");
}
return rc;
}
static int write_xen_isid_rules_to_conf(FILE *out, struct policydb *pdb)
{
return write_sid_context_rules_to_conf(out, pdb, xen_sid_to_str, XEN_SID_SZ);
}
static int write_xen_pirq_rules_to_conf(FILE *out, struct policydb *pdb)
{
struct ocontext *pirq;
char pirq_str[21]; /* 2^64-1 <= 20 digits */
char *ctx;
int rc = 0;
for (pirq = pdb->ocontexts[1]; pirq != NULL; pirq = pirq->next) {
rc = snprintf(pirq_str, 21, "%i", pirq->u.pirq);
if (rc < 0 || rc >= 21) {
fprintf(stderr,"error1\n");
rc = -1;
goto exit;
}
ctx = context_to_str(pdb, &pirq->context[0]);
if (!ctx) {
rc = -1;
fprintf(stderr,"error2\n");
goto exit;
}
sepol_printf(out, "pirqcon %s %s\n", pirq_str, ctx);
free(ctx);
}
rc = 0;
exit:
if (rc != 0) {
sepol_log_err("Error writing pirqcon rules to policy.conf\n");
}
return rc;
}
static int write_xen_ioport_rules_to_conf(FILE *out, struct policydb *pdb)
{
struct ocontext *ioport;
uint32_t low;
uint32_t high;
char low_high_str[40]; /* 2^64-1 <= 16 digits (hex) so low-high < 40 chars */
char *ctx;
int rc = 0;
for (ioport = pdb->ocontexts[2]; ioport != NULL; ioport = ioport->next) {
low = ioport->u.ioport.low_ioport;
high = ioport->u.ioport.high_ioport;
if (low == high) {
rc = snprintf(low_high_str, 40, "0x%x", low);
} else {
rc = snprintf(low_high_str, 40, "0x%x-0x%x", low, high);
}
if (rc < 0 || rc >= 40) {
rc = -1;
goto exit;
}
ctx = context_to_str(pdb, &ioport->context[0]);
if (!ctx) {
rc = -1;
goto exit;
}
sepol_printf(out, "ioportcon %s %s\n", low_high_str, ctx);
free(ctx);
}
rc = 0;
exit:
if (rc != 0) {
sepol_log_err("Error writing ioportcon rules to policy.conf\n");
}
return rc;
}
static int write_xen_iomem_rules_to_conf(FILE *out, struct policydb *pdb)
{
struct ocontext *iomem;
uint64_t low;
uint64_t high;
char low_high_str[40]; /* 2^64-1 <= 16 digits (hex) so low-high < 40 chars */
char *ctx;
int rc = 0;
for (iomem = pdb->ocontexts[3]; iomem != NULL; iomem = iomem->next) {
low = iomem->u.iomem.low_iomem;
high = iomem->u.iomem.high_iomem;
if (low == high) {
rc = snprintf(low_high_str, 40, "0x%"PRIx64, low);
} else {
rc = snprintf(low_high_str, 40, "0x%"PRIx64"-0x%"PRIx64, low, high);
}
if (rc < 0 || rc >= 40) {
rc = -1;
goto exit;
}
ctx = context_to_str(pdb, &iomem->context[0]);
if (!ctx) {
rc = -1;
goto exit;
}
sepol_printf(out, "iomemcon %s %s\n", low_high_str, ctx);
free(ctx);
}
rc = 0;
exit:
if (rc != 0) {
sepol_log_err("Error writing iomemcon rules to policy.conf\n");
}
return rc;
}
static int write_xen_pcidevice_rules_to_conf(FILE *out, struct policydb *pdb)
{
struct ocontext *pcid;
char device_str[20]; /* 2^64-1 <= 16 digits (hex) so < 19 chars */
char *ctx;
int rc = 0;
for (pcid = pdb->ocontexts[4]; pcid != NULL; pcid = pcid->next) {
rc = snprintf(device_str, 20, "0x%lx", (unsigned long)pcid->u.device);
if (rc < 0 || rc >= 20) {
rc = -1;
goto exit;
}
ctx = context_to_str(pdb, &pcid->context[0]);
if (!ctx) {
rc = -1;
goto exit;
}
sepol_printf(out, "pcidevicecon %s %s\n", device_str, ctx);
free(ctx);
}
rc = 0;
exit:
if (rc != 0) {
sepol_log_err("Error writing pcidevicecon rules to policy.conf\n");
}
return rc;
}
static int write_xen_devicetree_rules_to_conf(FILE *out, struct policydb *pdb)
{
struct ocontext *dtree;
char *name, *ctx;
int rc = 0;
for (dtree = pdb->ocontexts[5]; dtree != NULL; dtree = dtree->next) {
name = dtree->u.name;
ctx = context_to_str(pdb, &dtree->context[0]);
if (!ctx) {
rc = -1;
goto exit;
}
sepol_printf(out, "devicetreecon %s %s\n", name, ctx);
free(ctx);
}
exit:
if (rc != 0) {
sepol_log_err("Error writing devicetreecon rules to policy.conf\n");
}
return rc;
}
int sepol_kernel_policydb_to_conf(FILE *out, struct policydb *pdb)
{
struct strs *mls_constraints = NULL;
struct strs *non_mls_constraints = NULL;
struct strs *mls_validatetrans = NULL;
struct strs *non_mls_validatetrans = NULL;
int rc = 0;
rc = strs_init(&mls_constraints, 32);
if (rc != 0) {
goto exit;
}
rc = strs_init(&non_mls_constraints, 32);
if (rc != 0) {
goto exit;
}
rc = strs_init(&mls_validatetrans, 32);
if (rc != 0) {
goto exit;
}
rc = strs_init(&non_mls_validatetrans, 32);
if (rc != 0) {
goto exit;
}
if (pdb == NULL) {
sepol_log_err("No policy");
rc = -1;
goto exit;
}
if (pdb->policy_type != SEPOL_POLICY_KERN) {
sepol_log_err("Policy is not a kernel policy");
rc = -1;
goto exit;
}
rc = constraint_rules_to_strs(pdb, mls_constraints, non_mls_constraints);
if (rc != 0) {
goto exit;
}
rc = validatetrans_rules_to_strs(pdb, mls_validatetrans, non_mls_validatetrans);
if (rc != 0) {
goto exit;
}
rc = write_handle_unknown_to_conf(out, pdb);
if (rc != 0) {
goto exit;
}
rc = write_class_decl_rules_to_conf(out, pdb);
if (rc != 0) {
goto exit;
}
rc = write_sid_decl_rules_to_conf(out, pdb);
if (rc != 0) {
goto exit;
}
rc = write_class_and_common_rules_to_conf(out, pdb);
if (rc != 0) {
goto exit;
}
rc = write_default_rules_to_conf(out, pdb);
if (rc != 0) {
goto exit;
}
rc = write_mls_rules_to_conf(out, pdb);
if (rc != 0) {
goto exit;
}
strs_write_each(mls_constraints, out);
strs_write_each(mls_validatetrans, out);
rc = write_polcap_rules_to_conf(out, pdb);
if (rc != 0) {
goto exit;
}
rc = write_type_attributes_to_conf(out, pdb);
if (rc != 0) {
goto exit;
}
rc = write_role_attributes_to_conf(out, pdb);
if (rc != 0) {
goto exit;
}
rc = write_boolean_decl_rules_to_conf(out, pdb);
if (rc != 0) {
goto exit;
}
rc = write_type_decl_rules_to_conf(out, pdb);
if (rc != 0) {
goto exit;
}
rc = write_type_alias_rules_to_conf(out, pdb);
if (rc != 0) {
goto exit;
}
rc = write_type_bounds_rules_to_conf(out, pdb);
if (rc != 0) {
goto exit;
}
rc = write_type_attribute_sets_to_conf(out, pdb);
if (rc != 0) {
goto exit;
}
rc = write_type_permissive_rules_to_conf(out, pdb);
if (rc != 0) {
goto exit;
}
rc = write_avtab_to_conf(out, pdb, 0);
if (rc != 0) {
goto exit;
}
write_filename_trans_rules_to_conf(out, pdb);
if (pdb->mls) {
rc = write_range_trans_rules_to_conf(out, pdb);
if (rc != 0) {
goto exit;
}
}
rc = write_cond_nodes_to_conf(out, pdb);
if (rc != 0) {
goto exit;
}
rc = write_role_decl_rules_to_conf(out, pdb);
if (rc != 0) {
goto exit;
}
rc = write_role_transition_rules_to_conf(out, pdb);
if (rc != 0) {
goto exit;
}
rc = write_role_allow_rules_to_conf(out, pdb);
if (rc != 0) {
goto exit;
}
rc = write_user_decl_rules_to_conf(out, pdb);
if (rc != 0) {
goto exit;
}
strs_write_each(non_mls_constraints, out);
strs_write_each(non_mls_validatetrans, out);
rc = sort_ocontexts(pdb);
if (rc != 0) {
goto exit;
}
if (pdb->target_platform == SEPOL_TARGET_SELINUX) {
rc = write_selinux_isid_rules_to_conf(out, pdb);
if (rc != 0) {
goto exit;
}
rc = write_selinux_fsuse_rules_to_conf(out, pdb);
if (rc != 0) {
goto exit;
}
rc = write_genfscon_rules_to_conf(out, pdb);
if (rc != 0) {
goto exit;
}
rc = write_selinux_port_rules_to_conf(out, pdb);
if (rc != 0) {
goto exit;
}
rc = write_selinux_netif_rules_to_conf(out, pdb);
if (rc != 0) {
goto exit;
}
rc = write_selinux_node_rules_to_conf(out, pdb);
if (rc != 0) {
goto exit;
}
rc = write_selinux_node6_rules_to_conf(out, pdb);
if (rc != 0) {
goto exit;
}
rc = write_selinux_ibpkey_rules_to_conf(out, pdb);
if (rc != 0) {
goto exit;
}
rc = write_selinux_ibendport_rules_to_conf(out, pdb);
if (rc != 0) {
goto exit;
}
} else if (pdb->target_platform == SEPOL_TARGET_XEN) {
rc = write_xen_isid_rules_to_conf(out, pdb);
if (rc != 0) {
goto exit;
}
rc = write_genfscon_rules_to_conf(out, pdb);
if (rc != 0) {
goto exit;
}
rc = write_xen_pirq_rules_to_conf(out, pdb);
if (rc != 0) {
goto exit;
}
rc = write_xen_iomem_rules_to_conf(out, pdb);
if (rc != 0) {
goto exit;
}
rc = write_xen_ioport_rules_to_conf(out, pdb);
if (rc != 0) {
goto exit;
}
rc = write_xen_pcidevice_rules_to_conf(out, pdb);
if (rc != 0) {
goto exit;
}
rc = write_xen_devicetree_rules_to_conf(out, pdb);
if (rc != 0) {
goto exit;
}
}
exit:
strs_free_all(mls_constraints);
strs_destroy(&mls_constraints);
strs_free_all(non_mls_constraints);
strs_destroy(&non_mls_constraints);
strs_free_all(mls_validatetrans);
strs_destroy(&mls_validatetrans);
strs_free_all(non_mls_validatetrans);
strs_destroy(&non_mls_validatetrans);
return rc;
}