xref: /OK3568_Linux_fs/kernel/security/selinux/ss/policydb.h (revision 4882a59341e53eb6f0b4789bf948001014eff981)
1*4882a593Smuzhiyun /* SPDX-License-Identifier: GPL-2.0-only */
2*4882a593Smuzhiyun /*
3*4882a593Smuzhiyun  * A policy database (policydb) specifies the
4*4882a593Smuzhiyun  * configuration data for the security policy.
5*4882a593Smuzhiyun  *
6*4882a593Smuzhiyun  * Author : Stephen Smalley, <sds@tycho.nsa.gov>
7*4882a593Smuzhiyun  */
8*4882a593Smuzhiyun 
9*4882a593Smuzhiyun /*
10*4882a593Smuzhiyun  * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
11*4882a593Smuzhiyun  *
12*4882a593Smuzhiyun  *	Support for enhanced MLS infrastructure.
13*4882a593Smuzhiyun  *
14*4882a593Smuzhiyun  * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
15*4882a593Smuzhiyun  *
16*4882a593Smuzhiyun  *	Added conditional policy language extensions
17*4882a593Smuzhiyun  *
18*4882a593Smuzhiyun  * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
19*4882a593Smuzhiyun  * Copyright (C) 2003 - 2004 Tresys Technology, LLC
20*4882a593Smuzhiyun  */
21*4882a593Smuzhiyun 
22*4882a593Smuzhiyun #ifndef _SS_POLICYDB_H_
23*4882a593Smuzhiyun #define _SS_POLICYDB_H_
24*4882a593Smuzhiyun 
25*4882a593Smuzhiyun #include "symtab.h"
26*4882a593Smuzhiyun #include "avtab.h"
27*4882a593Smuzhiyun #include "sidtab.h"
28*4882a593Smuzhiyun #include "ebitmap.h"
29*4882a593Smuzhiyun #include "mls_types.h"
30*4882a593Smuzhiyun #include "context.h"
31*4882a593Smuzhiyun #include "constraint.h"
32*4882a593Smuzhiyun 
33*4882a593Smuzhiyun /*
34*4882a593Smuzhiyun  * A datum type is defined for each kind of symbol
35*4882a593Smuzhiyun  * in the configuration data:  individual permissions,
36*4882a593Smuzhiyun  * common prefixes for access vectors, classes,
37*4882a593Smuzhiyun  * users, roles, types, sensitivities, categories, etc.
38*4882a593Smuzhiyun  */
39*4882a593Smuzhiyun 
/*
 * Permission attributes.
 * The value is stored 1-based (access-vector bit index + 1), so an
 * encoded permission value is never 0.
 */
struct perm_datum {
	u32 value;		/* permission bit + 1 */
};
44*4882a593Smuzhiyun 
/*
 * Attributes of a common prefix for access vectors: a named set of
 * permissions shared by every class that references it via comkey.
 */
struct common_datum {
	u32 value;			/* internal common value */
	struct symtab permissions;	/* common permissions, keyed by name */
};
50*4882a593Smuzhiyun 
/*
 * Class attributes.
 * A class's full permission set is the union of its own permissions
 * table and the permissions of the common it names (comkey/comdatum).
 */
struct class_datum {
	u32 value;			/* class value */
	char *comkey;			/* common name */
	struct common_datum *comdatum;	/* common datum */
	struct symtab permissions;	/* class-specific permission symbol table */
	struct constraint_node *constraints;	/* constraints on class permissions */
	struct constraint_node *validatetrans;	/* special transition rules */
/*
 * Which side of a create (source process or target/parent object)
 * supplies the user, role and type of a new object of this class.
 * A field left at 0 presumably means "no default_* rule given" and the
 * usual inheritance applies -- confirm against the consumer.
 */
#define DEFAULT_SOURCE         1
#define DEFAULT_TARGET         2
	char default_user;
	char default_role;
	char default_type;
/*
 * How the MLS range of a new object of this class is decided: low,
 * high or full range taken from the source or the target.  GLBLUB
 * presumably combines both ranges (glb of lows / lub of highs).
 */
#define DEFAULT_SOURCE_LOW     1
#define DEFAULT_SOURCE_HIGH    2
#define DEFAULT_SOURCE_LOW_HIGH        3
#define DEFAULT_TARGET_LOW     4
#define DEFAULT_TARGET_HIGH    5
#define DEFAULT_TARGET_LOW_HIGH        6
#define DEFAULT_GLBLUB		7
	char default_range;
};
75*4882a593Smuzhiyun 
/* Role attributes */
struct role_datum {
	u32 value;			/* internal role value */
	u32 bounds;			/* value of the bounding role (presumably 0 when unbounded) */
	struct ebitmap dominates;	/* set of roles dominated by this role */
	struct ebitmap types;		/* set of authorized types for role */
};
83*4882a593Smuzhiyun 
/* Hash key of the role_tr table (see policydb_roletr_search) */
struct role_trans_key {
	u32 role;		/* current role */
	u32 type;		/* program executable type, or new object type */
	u32 tclass;		/* process class, or new object class */
};
89*4882a593Smuzhiyun 
/* Value stored in role_tr for a matching role_trans_key */
struct role_trans_datum {
	u32 new_role;		/* new role */
};
93*4882a593Smuzhiyun 
/*
 * Hash key of the filename_trans table (see policydb_filenametr_search).
 * Note that name is a borrowed pointer: whoever builds a key must keep
 * the string alive for the duration of the lookup.
 */
struct filename_trans_key {
	u32 ttype;		/* parent dir context */
	u16 tclass;		/* class of new object */
	const char *name;	/* last path component */
};
99*4882a593Smuzhiyun 
/*
 * Value stored in filename_trans.  Several otypes may exist for one
 * key (one per distinct source-type set), chained through next.
 */
struct filename_trans_datum {
	struct ebitmap stypes;	/* bitmap of source types for this otype */
	u32 otype;		/* resulting type of new object */
	struct filename_trans_datum *next;	/* record for next otype*/
};
105*4882a593Smuzhiyun 
/* One allowed role change; policydb.role_allow is a singly linked list of these */
struct role_allow {
	u32 role;		/* current role */
	u32 new_role;		/* new role */
	struct role_allow *next;
};
111*4882a593Smuzhiyun 
/* Type attributes (also used for type aliases and attributes) */
struct type_datum {
	u32 value;		/* internal type value */
	u32 bounds;		/* value of the bounding type (presumably 0 when unbounded) */
	unsigned char primary;	/* primary name? (0 for an alias entry) */
	unsigned char attribute;/* attribute ?*/
};
119*4882a593Smuzhiyun 
/* User attributes */
struct user_datum {
	u32 value;			/* internal user value */
	u32 bounds;			/* value of the bounding user (presumably 0 when unbounded) */
	struct ebitmap roles;		/* set of authorized roles for user */
	struct mls_range range;		/* MLS range (min - max) for user */
	struct mls_level dfltlevel;	/* default login MLS level for user */
};
128*4882a593Smuzhiyun 
129*4882a593Smuzhiyun 
/*
 * Sensitivity attributes.
 * level is a separately allocated mls_level; ownership (who frees it)
 * is not visible in this header.
 */
struct level_datum {
	struct mls_level *level;	/* sensitivity and associated categories */
	unsigned char isalias;	/* is this sensitivity an alias for another? */
};
135*4882a593Smuzhiyun 
/* Category attributes; value is 1-based like perm_datum, so never 0 */
struct cat_datum {
	u32 value;		/* internal category bit + 1 */
	unsigned char isalias;  /* is this category an alias for another? */
};
141*4882a593Smuzhiyun 
/* Hash key of the range_tr table (range_trans -> mls_range, see policydb_rangetr_search) */
struct range_trans {
	u32 source_type;
	u32 target_type;
	u32 target_class;
};
147*4882a593Smuzhiyun 
/*
 * Boolean data type.
 * NOTE(review): __u32 here versus u32 in the other datum structs is
 * only a cosmetic inconsistency; both are the same kernel type.
 */
struct cond_bool_datum {
	__u32 value;		/* internal type value */
	int state;		/* current true/false state of the boolean */
};
153*4882a593Smuzhiyun 
154*4882a593Smuzhiyun struct cond_node;
155*4882a593Smuzhiyun 
/*
 * A type set preserves the data needed to reconstruct constraint
 * expressions from the policy source.  It is not consulted by the
 * kernel's access decisions; it exists so that utilities such as
 * audit2allow can explain constraint denials.
 */
struct type_set {
	struct ebitmap types;	/* types named positively in the expression */
	struct ebitmap negset;	/* types named negated in the expression */
	u32 flags;
};
166*4882a593Smuzhiyun 
/*
 * The configuration data includes security contexts for
 * initial SIDs, unlabeled file systems, TCP and UDP port numbers,
 * network interfaces, nodes, InfiniBand PKeys and end ports, as well
 * as genfs paths and fs_use rules.  This structure stores the
 * relevant data for one such entry; which member of u (and of v) is
 * live depends on the OCON_* list, or the genfs list, the entry sits
 * on.  Entries of the same kind (e.g. all initial SIDs) are linked
 * together into a singly linked list through next.
 */
struct ocontext {
	union {
		char *name;	/* name of initial SID, fs, netif, fstype, path */
		struct {
			u8 protocol;
			u16 low_port;	/* port range low_port..high_port (presumably inclusive) */
			u16 high_port;
		} port;		/* TCP or UDP port information */
		struct {
			u32 addr;
			u32 mask;
		} node;		/* node information (IPv4; node6 covers IPv6) */
		struct {
			u32 addr[4];
			u32 mask[4];
		} node6;        /* IPv6 node information */
		struct {
			u64 subnet_prefix;
			u16 low_pkey;
			u16 high_pkey;
		} ibpkey;	/* InfiniBand PKey range within a subnet */
		struct {
			char *dev_name;
			u8 port;
		} ibendport;	/* InfiniBand end port on a named device */
	} u;
	union {
		u32 sclass;  /* security class for genfs */
		u32 behavior;  /* labeling behavior for fs_use */
	} v;
	struct context context[2];	/* security context(s); not every kind uses the second slot */
	u32 sid[2];	/* SID(s) for context[]; when they get populated is not visible here */
	struct ocontext *next;
};
208*4882a593Smuzhiyun 
/*
 * One genfscon filesystem type and the list of its path entries
 * (ocontext records whose v.sclass holds the security class).
 * policydb.genfs is a singly linked list of these.
 */
struct genfs {
	char *fstype;
	struct ocontext *head;
	struct genfs *next;
};
214*4882a593Smuzhiyun 
/*
 * Symbol table array indices: index both policydb.symtab[] and
 * policydb.sym_val_to_name[].  SYM_NUM is the array length, so any
 * index read from outside must be checked against it before use.
 */
#define SYM_COMMONS 0
#define SYM_CLASSES 1
#define SYM_ROLES   2
#define SYM_TYPES   3
#define SYM_USERS   4
#define SYM_BOOLS   5
#define SYM_LEVELS  6
#define SYM_CATS    7
#define SYM_NUM     8
225*4882a593Smuzhiyun 
/*
 * Object context array indices into policydb.ocontexts[]; each slot
 * heads a list of struct ocontext of that kind.  OCON_NUM is the
 * array length and the bound for any index taken from policy data.
 */
#define OCON_ISID	0 /* initial SIDs */
#define OCON_FS		1 /* unlabeled file systems */
#define OCON_PORT	2 /* TCP and UDP port numbers */
#define OCON_NETIF	3 /* network interfaces */
#define OCON_NODE	4 /* nodes */
#define OCON_FSUSE	5 /* fs_use */
#define OCON_NODE6	6 /* IPv6 nodes */
#define OCON_IBPKEY	7 /* Infiniband PKeys */
#define OCON_IBENDPORT	8 /* Infiniband end ports */
#define OCON_NUM	9
237*4882a593Smuzhiyun 
/*
 * The policy database: everything parsed from one binary policy image.
 * Symbols are looked up by name through symtab[]; the sym_val_to_name
 * and *_val_to_struct arrays give the reverse (value - 1) -> object
 * mapping, so a value must be validated before it is used as an index.
 */
struct policydb {
	int mls_enabled;		/* presumably from POLICYDB_CONFIG_MLS in the image header */
	/* Android-specific config bits (POLICYDB_CONFIG_ANDROID_NETLINK_*), not in upstream */
	int android_netlink_route;
	int android_netlink_getneigh;

	/* symbol tables */
	struct symtab symtab[SYM_NUM];
#define p_commons symtab[SYM_COMMONS]
#define p_classes symtab[SYM_CLASSES]
#define p_roles symtab[SYM_ROLES]
#define p_types symtab[SYM_TYPES]
#define p_users symtab[SYM_USERS]
#define p_bools symtab[SYM_BOOLS]
#define p_levels symtab[SYM_LEVELS]
#define p_cats symtab[SYM_CATS]

	/* symbol names indexed by (value - 1) */
	char		**sym_val_to_name[SYM_NUM];

	/* class, role, user and type attributes indexed by (value - 1) */
	struct class_datum **class_val_to_struct;
	struct role_datum **role_val_to_struct;
	struct user_datum **user_val_to_struct;
	struct type_datum **type_val_to_struct;

	/* type enforcement access vectors and transitions */
	struct avtab te_avtab;

	/* role transitions (role_trans_key -> role_trans_datum) */
	struct hashtab role_tr;

	/* file transitions with the last path component */
	/* quickly exclude lookups when parent ttype has no rules */
	struct ebitmap filename_trans_ttypes;
	/* actual set of filename_trans rules (filename_trans_key -> filename_trans_datum chain) */
	struct hashtab filename_trans;
	/* only used if policyvers < POLICYDB_VERSION_COMP_FTRANS */
	u32 compat_filename_trans_count;

	/* bools indexed by (value - 1) */
	struct cond_bool_datum **bool_val_to_struct;
	/* type enforcement conditional access vectors and transitions */
	struct avtab te_cond_avtab;
	/* array indexing te_cond_avtab by conditional */
	struct cond_node *cond_list;
	u32 cond_list_len;		/* number of entries in cond_list */

	/* role allows (singly linked list, see struct role_allow) */
	struct role_allow *role_allow;

	/* security contexts of initial SIDs, unlabeled file systems,
	   TCP or UDP port numbers, network interfaces and nodes;
	   indexed by OCON_*, each slot heading a list */
	struct ocontext *ocontexts[OCON_NUM];

	/* security contexts for files in filesystems that cannot support
	   a persistent label mapping or use another
	   fixed labeling behavior. */
	struct genfs *genfs;

	/* range transitions table (range_trans_key -> mls_range) */
	struct hashtab range_tr;

	/* type -> attribute reverse mapping */
	struct ebitmap *type_attr_map_array;

	/* policy capabilities the image declares (presumably) */
	struct ebitmap policycaps;

	/* presumably the set of permissive types -- confirm with the consumer */
	struct ebitmap permissive_map;

	/* length of this policy when it was loaded */
	size_t len;

	/* on-disk format version of the loaded image */
	unsigned int policyvers;

	/*
	 * Handling of classes/permissions unknown to this policy, from the
	 * REJECT_UNKNOWN / ALLOW_UNKNOWN config bits.  allow_unknown
	 * presumably makes such accesses succeed, which weakens enforcement;
	 * confirm the exact semantics in the access-decision code.
	 */
	unsigned int reject_unknown : 1;
	unsigned int allow_unknown : 1;

	/* cached class value and transition permissions for processes (presumably) */
	u16 process_class;
	u32 process_trans_perms;
} __randomize_layout;	/* opt in to the kernel's struct-layout randomisation hardening */
319*4882a593Smuzhiyun 
/* Releases everything owned by @p (definition not visible in this header). */
extern void policydb_destroy(struct policydb *p);
/* Presumably seeds @s with the OCON_ISID contexts of @p -- confirm in policydb.c. */
extern int policydb_load_isids(struct policydb *p, struct sidtab *s);
/*
 * Validity checks for values that originate outside the policy (a loaded
 * image, a userspace context string, a value read from a key).  They
 * presumably return non-zero when valid; confirm the convention before
 * relying on it.
 */
extern int policydb_context_isvalid(struct policydb *p, struct context *c);
extern int policydb_class_isvalid(struct policydb *p, unsigned int class);
extern int policydb_type_isvalid(struct policydb *p, unsigned int type);
extern int policydb_role_isvalid(struct policydb *p, unsigned int role);
/*
 * (De)serialisation of a binary policy image.  @fp is opaque here; the
 * next_entry()/put_entry() helpers below operate on a struct policy_file,
 * which is presumably what is passed.
 */
extern int policydb_read(struct policydb *p, void *fp);
extern int policydb_write(struct policydb *p, void *fp);

/* Rule lookups; each presumably returns NULL when nothing matches @key. */
extern struct filename_trans_datum *policydb_filenametr_search(
	struct policydb *p, struct filename_trans_key *key);

extern struct mls_range *policydb_rangetr_search(
	struct policydb *p, struct range_trans *key);

extern struct role_trans_datum *policydb_roletr_search(
	struct policydb *p, struct role_trans_key *key);
337*4882a593Smuzhiyun 
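/*
 * Bits of the config word in the policy image header.  Bit 0 selects
 * MLS; bits 30 and 31 are Android-specific additions.  The high bits
 * use an unsigned literal: a signed `1 << 31` shifts into the sign bit
 * of int, which is undefined behaviour in C, and the word is a u32
 * anyway.  The resulting values are unchanged.
 */
#define POLICYDB_CONFIG_MLS    1
#define POLICYDB_CONFIG_ANDROID_NETLINK_ROUTE    (1U << 31)
#define POLICYDB_CONFIG_ANDROID_NETLINK_GETNEIGH (1U << 30)

/* the config flags related to unknown classes/perms are bit values 0x2 and 0x4 */
#define REJECT_UNKNOWN	0x00000002
#define ALLOW_UNKNOWN	0x00000004

/* Fixed name and value of the object role (symbol values are 1-based) */
#define OBJECT_R "object_r"
#define OBJECT_R_VAL 1

/* Magic number and identification string at the head of a binary policy image */
#define POLICYDB_MAGIC SELINUX_MAGIC
#define POLICYDB_STRING "SE Linux"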
351*4882a593Smuzhiyun 
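/*
 * Cursor over a binary policy image being read or written.  @data points
 * at the next unread/unwritten byte and @len is the number of bytes left
 * from there to the end of the image; next_entry()/put_entry() below
 * advance both together, so @len is the only bound that protects the
 * buffer.
 */
struct policy_file {
	char *data;
	size_t len;
};

/*
 * Pairs a policydb with the opaque @fp handle of the same shape that
 * policydb_read()/policydb_write() take.
 */
struct policy_data {
	struct policydb *p;
	void *fp;
};

/*
 * next_entry - copy the next @bytes bytes of the image into @buf
 * @buf:   destination, at least @bytes bytes
 * @fp:    image cursor
 * @bytes: number of bytes to read
 *
 * Returns 0 on success and -EINVAL when fewer than @bytes bytes remain,
 * in which case the cursor is left untouched.  This check is what keeps
 * a truncated or malformed policy image from being read past its end.
 */
static inline int next_entry(void *buf, struct policy_file *fp, size_t bytes)
{
	if (bytes > fp->len)
		return -EINVAL;

	memcpy(buf, fp->data, bytes);
	fp->data += bytes;
	fp->len -= bytes;
	return 0;
}

/*
 * put_entry - append @num items of @bytes bytes each from @buf to the image
 * @buf:   source, at least @bytes * @num bytes
 * @bytes: size of one item
 * @num:   number of items
 * @fp:    image cursor
 *
 * Returns 0 on success and -EINVAL when @num is negative, when
 * @bytes * @num would overflow size_t, or when the result does not fit in
 * the space remaining.  The overflow check is defensive: a wrapped
 * product would pass the remaining-space test with a tiny value and
 * silently emit less than the caller asked for.  A zero @bytes copies
 * nothing and succeeds, as before.
 */
static inline int put_entry(const void *buf, size_t bytes, int num, struct policy_file *fp)
{
	size_t len;

	if (num < 0 || (bytes && (size_t)num > SIZE_MAX / bytes))
		return -EINVAL;
	len = bytes * (size_t)num;
	if (len > fp->len)
		return -EINVAL;

	memcpy(fp->data, buf, len);
	fp->data += len;
	fp->len -= len;
	return 0;
}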
385*4882a593Smuzhiyun 
/*
 * sym_name - name of symbol @element_nr in symbol table @sym_num
 * @p:          policy database
 * @sym_num:    one of the SYM_* indices
 * @element_nr: symbol value minus 1 (the name arrays are indexed by value - 1)
 *
 * No range check is performed here: callers must pass a @sym_num below
 * SYM_NUM and an @element_nr that lies inside the table they index.
 */
static inline char *sym_name(struct policydb *p, unsigned int sym_num, unsigned int element_nr)
{
	char **names = p->sym_val_to_name[sym_num];

	return names[element_nr];
}
390*4882a593Smuzhiyun 
/*
 * Name -> value lookups for classes and permissions; a 0 return presumably
 * means "not found" (values are 1-based), confirm in policydb.c.
 */
extern u16 string_to_security_class(struct policydb *p, const char *name);
extern u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name);
393*4882a593Smuzhiyun 
394*4882a593Smuzhiyun #endif	/* _SS_POLICYDB_H_ */
395*4882a593Smuzhiyun 
396