[PATCH] SELinux: regenerate SELinux module headers

This patch regenerates the SELinux module headers to use a new format and
updates their use by the AVC.
Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil>
Signed-off-by: James Morris <jmorris@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

security/selinux/avc.c

@@ -31,13 +31,44 @@
 #include <net/ipv6.h>
 #include "avc.h"
 #include "avc_ss.h"
+
+static const struct av_perm_to_string
+{
+  u16 tclass;
+  u32 value;
+  const char *name;
+} av_perm_to_string[] = {
+#define S_(c, v, s) { c, v, s },
+#include "av_perm_to_string.h"
+#undef S_
+};
+
 #ifdef CONFIG_AUDIT
+static const char *class_to_string[] = {
+#define S_(s) s,
 #include "class_to_string.h"
+#undef S_
+};
 #endif
+
+#define TB_(s) static const char * s [] = {
+#define TE_(s) };
+#define S_(s) s,
 #include "common_perm_to_string.h"
+#undef TB_
+#undef TE_
+#undef S_
+
+static const struct av_inherit
+{
+    u16 tclass;
+    const char **common_pts;
+    u32 common_base;
+} av_inherit[] = {
+#define S_(c, i, b) { c, common_##i##_perm_to_string, b },
 #include "av_inherit.h"
-#include "av_perm_to_string.h"
-#include "objsec.h"
+#undef S_
+};
 
 #define AVC_CACHE_SLOTS			512
 #define AVC_DEF_CACHE_THRESHOLD		512
@@ -110,7 +141,7 @@ static inline int avc_hash(u32 ssid, u32 tsid, u16 tclass)
  */
 void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av)
 {
-	char **common_pts = NULL;
+	const char **common_pts = NULL;
 	u32 common_base = 0;
 	int i, i2, perm;
 

security/selinux/include/av_inherit.h

 /* This file is automatically generated.  Do not edit. */
-/* FLASK */
-
-struct av_inherit
-{
-    u16 tclass;
-    char **common_pts;
-    u32 common_base;
-};
-
-static struct av_inherit av_inherit[] = {
-   { SECCLASS_DIR, common_file_perm_to_string, 0x00020000UL },
-   { SECCLASS_FILE, common_file_perm_to_string, 0x00020000UL },
-   { SECCLASS_LNK_FILE, common_file_perm_to_string, 0x00020000UL },
-   { SECCLASS_CHR_FILE, common_file_perm_to_string, 0x00020000UL },
-   { SECCLASS_BLK_FILE, common_file_perm_to_string, 0x00020000UL },
-   { SECCLASS_SOCK_FILE, common_file_perm_to_string, 0x00020000UL },
-   { SECCLASS_FIFO_FILE, common_file_perm_to_string, 0x00020000UL },
-   { SECCLASS_SOCKET, common_socket_perm_to_string, 0x00400000UL },
-   { SECCLASS_TCP_SOCKET, common_socket_perm_to_string, 0x00400000UL },
-   { SECCLASS_UDP_SOCKET, common_socket_perm_to_string, 0x00400000UL },
-   { SECCLASS_RAWIP_SOCKET, common_socket_perm_to_string, 0x00400000UL },
-   { SECCLASS_NETLINK_SOCKET, common_socket_perm_to_string, 0x00400000UL },
-   { SECCLASS_PACKET_SOCKET, common_socket_perm_to_string, 0x00400000UL },
-   { SECCLASS_KEY_SOCKET, common_socket_perm_to_string, 0x00400000UL },
-   { SECCLASS_UNIX_STREAM_SOCKET, common_socket_perm_to_string, 0x00400000UL },
-   { SECCLASS_UNIX_DGRAM_SOCKET, common_socket_perm_to_string, 0x00400000UL },
-   { SECCLASS_IPC, common_ipc_perm_to_string, 0x00000200UL },
-   { SECCLASS_SEM, common_ipc_perm_to_string, 0x00000200UL },
-   { SECCLASS_MSGQ, common_ipc_perm_to_string, 0x00000200UL },
-   { SECCLASS_SHM, common_ipc_perm_to_string, 0x00000200UL },
-   { SECCLASS_NETLINK_ROUTE_SOCKET, common_socket_perm_to_string, 0x00400000UL },
-   { SECCLASS_NETLINK_FIREWALL_SOCKET, common_socket_perm_to_string, 0x00400000UL },
-   { SECCLASS_NETLINK_TCPDIAG_SOCKET, common_socket_perm_to_string, 0x00400000UL },
-   { SECCLASS_NETLINK_NFLOG_SOCKET, common_socket_perm_to_string, 0x00400000UL },
-   { SECCLASS_NETLINK_XFRM_SOCKET, common_socket_perm_to_string, 0x00400000UL },
-   { SECCLASS_NETLINK_SELINUX_SOCKET, common_socket_perm_to_string, 0x00400000UL },
-   { SECCLASS_NETLINK_AUDIT_SOCKET, common_socket_perm_to_string, 0x00400000UL },
-   { SECCLASS_NETLINK_IP6FW_SOCKET, common_socket_perm_to_string, 0x00400000UL },
-   { SECCLASS_NETLINK_DNRT_SOCKET, common_socket_perm_to_string, 0x00400000UL },
-};
-
-
-/* FLASK */
+   S_(SECCLASS_DIR, file, 0x00020000UL)
+   S_(SECCLASS_FILE, file, 0x00020000UL)
+   S_(SECCLASS_LNK_FILE, file, 0x00020000UL)
+   S_(SECCLASS_CHR_FILE, file, 0x00020000UL)
+   S_(SECCLASS_BLK_FILE, file, 0x00020000UL)
+   S_(SECCLASS_SOCK_FILE, file, 0x00020000UL)
+   S_(SECCLASS_FIFO_FILE, file, 0x00020000UL)
+   S_(SECCLASS_SOCKET, socket, 0x00400000UL)
+   S_(SECCLASS_TCP_SOCKET, socket, 0x00400000UL)
+   S_(SECCLASS_UDP_SOCKET, socket, 0x00400000UL)
+   S_(SECCLASS_RAWIP_SOCKET, socket, 0x00400000UL)
+   S_(SECCLASS_NETLINK_SOCKET, socket, 0x00400000UL)
+   S_(SECCLASS_PACKET_SOCKET, socket, 0x00400000UL)
+   S_(SECCLASS_KEY_SOCKET, socket, 0x00400000UL)
+   S_(SECCLASS_UNIX_STREAM_SOCKET, socket, 0x00400000UL)
+   S_(SECCLASS_UNIX_DGRAM_SOCKET, socket, 0x00400000UL)
+   S_(SECCLASS_IPC, ipc, 0x00000200UL)
+   S_(SECCLASS_SEM, ipc, 0x00000200UL)
+   S_(SECCLASS_MSGQ, ipc, 0x00000200UL)
+   S_(SECCLASS_SHM, ipc, 0x00000200UL)
+   S_(SECCLASS_NETLINK_ROUTE_SOCKET, socket, 0x00400000UL)
+   S_(SECCLASS_NETLINK_FIREWALL_SOCKET, socket, 0x00400000UL)
+   S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, socket, 0x00400000UL)
+   S_(SECCLASS_NETLINK_NFLOG_SOCKET, socket, 0x00400000UL)
+   S_(SECCLASS_NETLINK_XFRM_SOCKET, socket, 0x00400000UL)
+   S_(SECCLASS_NETLINK_SELINUX_SOCKET, socket, 0x00400000UL)
+   S_(SECCLASS_NETLINK_AUDIT_SOCKET, socket, 0x00400000UL)
+   S_(SECCLASS_NETLINK_IP6FW_SOCKET, socket, 0x00400000UL)
+   S_(SECCLASS_NETLINK_DNRT_SOCKET, socket, 0x00400000UL)

security/selinux/include/av_permissions.h

 /* This file is automatically generated.  Do not edit. */
-/* FLASK */
-
 #define COMMON_FILE__IOCTL                               0x00000001UL
 #define COMMON_FILE__READ                                0x00000002UL
 #define COMMON_FILE__WRITE                               0x00000004UL
@@ -556,6 +554,7 @@
 #define PASSWD__CHFN                              0x00000002UL
 #define PASSWD__CHSH                              0x00000004UL
 #define PASSWD__ROOTOK                            0x00000008UL
+#define PASSWD__CRONTAB                           0x00000010UL
 
 #define DRAWABLE__CREATE                          0x00000001UL
 #define DRAWABLE__DESTROY                         0x00000002UL
@@ -877,5 +876,17 @@
 #define NETLINK_DNRT_SOCKET__SENDTO               0x00040000UL
 #define NETLINK_DNRT_SOCKET__RECV_MSG             0x00080000UL
 #define NETLINK_DNRT_SOCKET__SEND_MSG             0x00100000UL
+#define NETLINK_DNRT_SOCKET__NAME_BIND            0x00200000UL
+
+#define DBUS__ACQUIRE_SVC                         0x00000001UL
+#define DBUS__SEND_MSG                            0x00000002UL
+
+#define NSCD__GETPWD                              0x00000001UL
+#define NSCD__GETGRP                              0x00000002UL
+#define NSCD__GETHOST                             0x00000004UL
+#define NSCD__GETSTAT                             0x00000008UL
+#define NSCD__ADMIN                               0x00000010UL
+#define NSCD__SHMEMPWD                            0x00000020UL
+#define NSCD__SHMEMGRP                            0x00000040UL
+#define NSCD__SHMEMHOST                           0x00000080UL
 
-/* FLASK */

security/selinux/include/class_to_string.h

@@ -2,59 +2,57 @@
 /*
  * Security object class definitions
  */
-static char *class_to_string[] =
-{
-    "null",
-    "security",
-    "process",
-    "system",
-    "capability",
-    "filesystem",
-    "file",
-    "dir",
-    "fd",
-    "lnk_file",
-    "chr_file",
-    "blk_file",
-    "sock_file",
-    "fifo_file",
-    "socket",
-    "tcp_socket",
-    "udp_socket",
-    "rawip_socket",
-    "node",
-    "netif",
-    "netlink_socket",
-    "packet_socket",
-    "key_socket",
-    "unix_stream_socket",
-    "unix_dgram_socket",
-    "sem",
-    "msg",
-    "msgq",
-    "shm",
-    "ipc",
-    "passwd",
-    "drawable",
-    "window",
-    "gc",
-    "font",
-    "colormap",
-    "property",
-    "cursor",
-    "xclient",
-    "xinput",
-    "xserver",
-    "xextension",
-    "pax",
-    "netlink_route_socket",
-    "netlink_firewall_socket",
-    "netlink_tcpdiag_socket",
-    "netlink_nflog_socket",
-    "netlink_xfrm_socket",
-    "netlink_selinux_socket",
-    "netlink_audit_socket",
-    "netlink_ip6fw_socket",
-    "netlink_dnrt_socket",
-};
-
+    S_("null")
+    S_("security")
+    S_("process")
+    S_("system")
+    S_("capability")
+    S_("filesystem")
+    S_("file")
+    S_("dir")
+    S_("fd")
+    S_("lnk_file")
+    S_("chr_file")
+    S_("blk_file")
+    S_("sock_file")
+    S_("fifo_file")
+    S_("socket")
+    S_("tcp_socket")
+    S_("udp_socket")
+    S_("rawip_socket")
+    S_("node")
+    S_("netif")
+    S_("netlink_socket")
+    S_("packet_socket")
+    S_("key_socket")
+    S_("unix_stream_socket")
+    S_("unix_dgram_socket")
+    S_("sem")
+    S_("msg")
+    S_("msgq")
+    S_("shm")
+    S_("ipc")
+    S_("passwd")
+    S_("drawable")
+    S_("window")
+    S_("gc")
+    S_("font")
+    S_("colormap")
+    S_("property")
+    S_("cursor")
+    S_("xclient")
+    S_("xinput")
+    S_("xserver")
+    S_("xextension")
+    S_("pax")
+    S_("netlink_route_socket")
+    S_("netlink_firewall_socket")
+    S_("netlink_tcpdiag_socket")
+    S_("netlink_nflog_socket")
+    S_("netlink_xfrm_socket")
+    S_("netlink_selinux_socket")
+    S_("netlink_audit_socket")
+    S_("netlink_ip6fw_socket")
+    S_("netlink_dnrt_socket")
+    S_("dbus")
+    S_("nscd")

security/selinux/include/common_perm_to_string.h

 /* This file is automatically generated.  Do not edit. */
-/* FLASK */
+TB_(common_file_perm_to_string)
+    S_("ioctl")
+    S_("read")
+    S_("write")
+    S_("create")
+    S_("getattr")
+    S_("setattr")
+    S_("lock")
+    S_("relabelfrom")
+    S_("relabelto")
+    S_("append")
+    S_("unlink")
+    S_("link")
+    S_("rename")
+    S_("execute")
+    S_("swapon")
+    S_("quotaon")
+    S_("mounton")
+TE_(common_file_perm_to_string)
 
-static char *common_file_perm_to_string[] =
-{
-    "ioctl",
-    "read",
-    "write",
-    "create",
-    "getattr",
-    "setattr",
-    "lock",
-    "relabelfrom",
-    "relabelto",
-    "append",
-    "unlink",
-    "link",
-    "rename",
-    "execute",
-    "swapon",
-    "quotaon",
-    "mounton",
-};
+TB_(common_socket_perm_to_string)
+    S_("ioctl")
+    S_("read")
+    S_("write")
+    S_("create")
+    S_("getattr")
+    S_("setattr")
+    S_("lock")
+    S_("relabelfrom")
+    S_("relabelto")
+    S_("append")
+    S_("bind")
+    S_("connect")
+    S_("listen")
+    S_("accept")
+    S_("getopt")
+    S_("setopt")
+    S_("shutdown")
+    S_("recvfrom")
+    S_("sendto")
+    S_("recv_msg")
+    S_("send_msg")
+    S_("name_bind")
+TE_(common_socket_perm_to_string)
 
-static char *common_socket_perm_to_string[] =
-{
-    "ioctl",
-    "read",
-    "write",
-    "create",
-    "getattr",
-    "setattr",
-    "lock",
-    "relabelfrom",
-    "relabelto",
-    "append",
-    "bind",
-    "connect",
-    "listen",
-    "accept",
-    "getopt",
-    "setopt",
-    "shutdown",
-    "recvfrom",
-    "sendto",
-    "recv_msg",
-    "send_msg",
-    "name_bind",
-};
+TB_(common_ipc_perm_to_string)
+    S_("create")
+    S_("destroy")
+    S_("getattr")
+    S_("setattr")
+    S_("read")
+    S_("write")
+    S_("associate")
+    S_("unix_read")
+    S_("unix_write")
+TE_(common_ipc_perm_to_string)
 
-static char *common_ipc_perm_to_string[] =
-{
-    "create",
-    "destroy",
-    "getattr",
-    "setattr",
-    "read",
-    "write",
-    "associate",
-    "unix_read",
-    "unix_write",
-};
-
-
-/* FLASK */

security/selinux/include/flask.h

@@ -56,6 +56,8 @@
 #define SECCLASS_NETLINK_AUDIT_SOCKET                    49
 #define SECCLASS_NETLINK_IP6FW_SOCKET                    50
 #define SECCLASS_NETLINK_DNRT_SOCKET                     51
+#define SECCLASS_DBUS                                    52
+#define SECCLASS_NSCD                                    53
 
 /*
  * Security identifier indices for initial entities