libsepol: Expand role attributes when expanding instead of when linking

Role attributes are being expanded during the linking phase rather
than during the expand phase. This might be due to some concern
over role attributes not being kept for the kernel policy.

Instead of this, expand role attributes during the expand phase.
One extra step is needed to make sure the pp and mod files end up
the same as before. The role attributes in the base policy need to
be expanded as well as those in the kernel policy. This is because
of a side effect that occurs when compiling a base module. When a
base module is compiled it is linked and expanded inorder to verify
that linking and expansion will work. Even though the resulting
kernel policy is discarded, the base module is changed because the
linking phase expands the role attributes in the base module.

With this change the pp files, mod files, and the final binary
file (bin file) produced are identical to ones produced by an old
toolchain without these changes. The only file that is different
is the linked binary (lnk file). In the old toolchain, all roles
in blocks are added to the role in the global scope and the role
attributes are expanded, but this will be done again when the
policy is expanded. Expanding a linked binary created with these
patches using the old toolchain will produce the same kernel binary
policy. Expanding a linked binary created with the old toolchain
using the new toolchain will also produce the same kernel binary
policy.

Signed-off-by: James Carter <jwcart2@gmail.com>

Author: jwcart2

libsepol/src/expand.c

@@ -824,27 +824,18 @@ static int role_types_copy_callback(hashtab_key_t key, hashtab_datum_t datum, vo
 	return 0;
 }
 
-/* For the role attribute in the base module, escalate its counterpart's
- * types.types ebitmap in the out module to the counterparts of all the
- * regular role that belongs to the current role attribute. Note, must be
- * invoked after role_copy_callback so that state->rolemap is available.
- */
-static int role_fix_callback(hashtab_key_t key, hashtab_datum_t datum,
-			     void *data)
+static int role_roles_copy_callback(hashtab_key_t key, hashtab_datum_t datum, void *data)
 {
-	char *id, *base_reg_role_id;
-	role_datum_t *role, *new_role, *regular_role;
+	char *id;
+	role_datum_t *role, *new_role;
 	expand_state_t *state;
-	ebitmap_node_t *rnode;
-	unsigned int i;
-	ebitmap_t mapped_roles;
+	ebitmap_t mapped;
 
 	id = key;
-	role = (role_datum_t *)datum;
+	role = (role_datum_t *) datum;
 	state = (expand_state_t *)data;
 
-	if (strcmp(id, OBJECT_R) == 0) {
-		/* object_r is never a role attribute by far */
+	if (role->flavor != ROLE_ATTRIB) {
 		return 0;
 	}
 
@@ -853,39 +844,107 @@ static int role_fix_callback(hashtab_key_t key, hashtab_datum_t datum,
 		return 0;
 	}
 
-	if (role->flavor != ROLE_ATTRIB)
-		return 0;
-
 	if (state->verbose)
-		INFO(state->handle, "fixing role attribute %s", id);
+		INFO(state->handle, "copying roles for role %s", id);
 
-	new_role =
-		(role_datum_t *)hashtab_search(state->out->p_roles.table, id);
-
-	assert(new_role != NULL && new_role->flavor == ROLE_ATTRIB);
+	new_role = (role_datum_t *)hashtab_search(state->out->p_roles.table, id);
+	if (!new_role) {
+		ERR(state->handle, "Could not find role %s", id);
+		return -1;
+	}
 
-	ebitmap_init(&mapped_roles);
-	if (map_ebitmap(&role->roles, &mapped_roles, state->rolemap))
+	/* convert roles in the role datum in the global symtab */
+	if (map_ebitmap(&role->roles, &mapped, state->rolemap))
 		return -1;
-	if (ebitmap_union(&new_role->roles, &mapped_roles)) {
+	if (ebitmap_union(&new_role->roles, &mapped)) {
 		ERR(state->handle, "Out of memory!");
-		ebitmap_destroy(&mapped_roles);
+		ebitmap_destroy(&mapped);
 		return -1;
 	}
-	ebitmap_destroy(&mapped_roles);
+	ebitmap_destroy(&mapped);
+
+	return 0;
+}
+static int expand_role_attributes_in_attributes(sepol_handle_t *handle, policydb_t *p)
+{
+	ebitmap_t attrs, roles;
+	ebitmap_node_t *ni, *nj;
+	unsigned int i, j, reps = 0, done = 0;
+	role_datum_t *rd, *ad;
+
+	ebitmap_init(&attrs);
+	for (i=0; i < p->p_roles.nprim; i++) {
+		rd = p->role_val_to_struct[i];
+		if (rd->flavor == ROLE_ATTRIB) {
+			ebitmap_set_bit(&attrs, i, 1);
+		}
+	}
+
+	while (!done && reps < p->p_roles.nprim) {
+		done = 1;
+		reps++;
+		ebitmap_for_each_positive_bit(&attrs, ni, i) {
+			rd = p->role_val_to_struct[i];
+			if (ebitmap_match_any(&rd->roles, &attrs)) {
+				done = 0;
+				if (ebitmap_get_bit(&rd->roles, i)) {
+					ERR(handle, "Before: attr has own bit set: %d\n", i);
+				}
+				ebitmap_init(&roles);
+				ebitmap_for_each_positive_bit(&rd->roles, nj, j) {
+					if (ebitmap_get_bit(&attrs, j)) {
+						ad = p->role_val_to_struct[j];
+						ebitmap_union(&roles, &ad->roles);
+						ebitmap_set_bit(&rd->roles, j, 0);
+					}
+				}
+				ebitmap_union(&rd->roles, &roles);
+				ebitmap_destroy(&roles);
+				if (ebitmap_get_bit(&rd->roles, i)) {
+					ERR(handle, "After: attr has own bit set: %d\n", i);
+					done = 1; /* Just end early */
+				}
+			}
+		}
+	}
 
-	ebitmap_for_each_positive_bit(&role->roles, rnode, i) {
-		/* take advantage of sym_val_to_name[]
-		 * of the base module */
-		base_reg_role_id = state->base->p_role_val_to_name[i];
-		regular_role = (role_datum_t *)hashtab_search(
-					state->out->p_roles.table,
-					base_reg_role_id);
-		assert(regular_role != NULL &&
-		       regular_role->flavor == ROLE_ROLE);
-
-		if (ebitmap_union(&regular_role->types.types,
-				  &new_role->types.types)) {
+	if (reps >= p->p_roles.nprim) {
+		ERR(handle, "Had to bail: reps = %u\n", reps);
+	}
+
+	ebitmap_destroy(&attrs);
+
+	return 0;
+}
+
+/* For the role attribute in the base module, escalate its counterpart's
+ * types.types ebitmap in the out module to the counterparts of all the
+ * regular role that belongs to the current role attribute. Note, must be
+ * invoked after role_copy_callback so that state->rolemap is available.
+ */
+static int role_fix_callback(hashtab_key_t key, hashtab_datum_t datum,
+			     void *data)
+{
+	char *id;
+	role_datum_t *attr, *role;
+	expand_state_t *state;
+	ebitmap_node_t *rnode;
+	unsigned int i;
+
+	id = key;
+	attr = (role_datum_t *)datum;
+	state = (expand_state_t *)data;
+
+	if (attr->flavor != ROLE_ATTRIB)
+		return 0;
+
+	if (state->verbose)
+		INFO(state->handle, "fixing role attribute %s", id);
+
+	ebitmap_for_each_positive_bit(&attr->roles, rnode, i) {
+		role = state->out->role_val_to_struct[i];
+		assert(role != NULL && role->flavor == ROLE_ROLE);
+		if (ebitmap_union(&role->types.types, &attr->types.types)) {
 			ERR(state->handle, "Out of memory!");
 			return -1;
 		}
@@ -2494,7 +2553,7 @@ int expand_rule(sepol_handle_t * handle,
  * the regular role belongs to could be properly handled by
  * copy_role_trans and copy_role_allow.
  */
-int role_set_expand(role_set_t * x, ebitmap_t * r, policydb_t * out, policydb_t * base, uint32_t * rolemap)
+int role_set_expand(role_set_t * x, ebitmap_t * r, policydb_t * out, __attribute__ ((unused)) policydb_t * base, uint32_t * rolemap)
 {
 	unsigned int i;
 	ebitmap_node_t *rnode;
@@ -2515,29 +2574,25 @@ int role_set_expand(role_set_t * x, ebitmap_t * r, policydb_t * out, policydb_t
 	ebitmap_init(&roles);
 
 	if (rolemap) {
-		assert(base != NULL);
-		ebitmap_for_each_positive_bit(&x->roles, rnode, i) {
-			/* take advantage of p_role_val_to_struct[]
-			 * of the base module */
-			role = base->role_val_to_struct[i];
+		if (map_ebitmap(&x->roles, &mapped_roles, rolemap))
+			goto bad;
+		ebitmap_for_each_positive_bit(&mapped_roles, rnode, i) {
+			role = out->role_val_to_struct[i];
 			assert(role != NULL);
 			if (role->flavor == ROLE_ATTRIB) {
-				if (ebitmap_union(&roles,
-						  &role->roles))
+				if (ebitmap_union(&roles, &role->roles))
 					goto bad;
 			} else {
 				if (ebitmap_set_bit(&roles, i, 1))
 					goto bad;
 			}
 		}
-		if (map_ebitmap(&roles, &mapped_roles, rolemap))
-			goto bad;
 	} else {
-		if (ebitmap_cpy(&mapped_roles, &x->roles))
+		if (ebitmap_cpy(&roles, &x->roles))
 			goto bad;
 	}
 
-	ebitmap_for_each_positive_bit(&mapped_roles, rnode, i) {
+	ebitmap_for_each_positive_bit(&roles, rnode, i) {
 		if (ebitmap_set_bit(r, i, 1))
 			goto bad;
 	}
@@ -3138,6 +3193,8 @@ int expand_module(sepol_handle_t * handle,
 		goto cleanup;
 	if (hashtab_map(state.base->p_roles.table, role_types_copy_callback, &state))
 		goto cleanup;
+	if (hashtab_map(state.base->p_roles.table, role_roles_copy_callback, &state))
+		goto cleanup;
 	for (curblock = state.base->global; curblock != NULL;
 	     curblock = curblock->next) {
 		avrule_decl_t *decl = curblock->enabled;
@@ -3149,9 +3206,25 @@ int expand_module(sepol_handle_t * handle,
 			goto cleanup;
 		if (hashtab_map(decl->p_roles.table, role_types_copy_callback, &state))
 			goto cleanup;
+		if (hashtab_map(decl->p_roles.table, role_roles_copy_callback, &state))
+			goto cleanup;
+	}
+	/* Expand any role attributes found in the roles ebitmap of each role attribute */
+	if (expand_role_attributes_in_attributes(state.handle, state.out)) {
+		goto cleanup;
 	}
+	/* When compiling a base module, the base module is linked and expanded (to
+	 * verify that it could be done) and the resulting kernel module is discarded.
+	 * But the base module is changed while linking because role attributes are
+	 * expanded while linking instead of being expanded when expanding.
+	 * To duplicate that behavior, expand the base module role attributes.
+	 */
+	if (expand_role_attributes_in_attributes(state.handle, state.base)) {
+		goto cleanup;
+	}
+
 	/* Copy types in role attribute to all roles that belongs to it */
-	if (hashtab_map(state.base->p_roles.table, role_fix_callback, &state))
+	if (hashtab_map(state.out->p_roles.table, role_fix_callback, &state))
 		goto cleanup;
 
 	/* copy MLS's sensitivity level and categories - this needs to be done

libsepol/src/link.c

@@ -2366,120 +2366,6 @@ static int prepare_base(link_state_t * state, uint32_t num_mod_decls)
 	return 0;
 }
 
-static int expand_role_attributes(hashtab_key_t key, hashtab_datum_t datum,
-				  void * data)
-{
-	char *id;
-	role_datum_t *role, *sub_attr;
-	link_state_t *state;
-	unsigned int i;
-	ebitmap_node_t *rnode;
-
-	id = key;
-	role = (role_datum_t *)datum;
-	state = (link_state_t *)data;
-
-	if (strcmp(id, OBJECT_R) == 0){
-		/* object_r is never a role attribute by far */
-		return 0;
-	}
-
-	if (role->flavor != ROLE_ATTRIB)
-		return 0;
-
-	if (state->verbose)
-		INFO(state->handle, "expanding role attribute %s", id);
-
-restart:
-	ebitmap_for_each_positive_bit(&role->roles, rnode, i) {
-		sub_attr = state->base->role_val_to_struct[i];
-		if (sub_attr->flavor != ROLE_ATTRIB)
-			continue;
-
-		/* remove the sub role attribute from the parent
-		 * role attribute's roles ebitmap */
-		if (ebitmap_set_bit(&role->roles, i, 0))
-			return -1;
-
-		/* loop dependency of role attributes */
-		if (sub_attr->s.value == role->s.value)
-			continue;
-
-		/* now go on to expand a sub role attribute
-		 * by escalating its roles ebitmap */
-		if (ebitmap_union(&role->roles, &sub_attr->roles)) {
-			ERR(state->handle, "Out of memory!");
-			return -1;
-		}
-
-		/* sub_attr->roles may contain other role attributes,
-		 * re-scan the parent role attribute's roles ebitmap */
-		goto restart;
-	}
-
-	return 0;
-}
-
-/* For any role attribute in a declaration's local symtab[SYM_ROLES] table,
- * copy its roles ebitmap into its duplicate's in the base->p_roles.table.
- */
-static int populate_decl_roleattributes(hashtab_key_t key, 
-					hashtab_datum_t datum,
-					void *data)
-{
-	char *id = key;
-	role_datum_t *decl_role, *base_role;
-	link_state_t *state = (link_state_t *)data;
-
-	decl_role = (role_datum_t *)datum;
-
-	if (strcmp(id, OBJECT_R) == 0) {
-		/* object_r is never a role attribute by far */
-		return 0;
-	}
-
-	if (decl_role->flavor != ROLE_ATTRIB)
-		return 0;
-
-	base_role = (role_datum_t *)hashtab_search(state->base->p_roles.table,
-						   id);
-	assert(base_role != NULL && base_role->flavor == ROLE_ATTRIB);
-
-	if (ebitmap_union(&base_role->roles, &decl_role->roles)) {
-		ERR(state->handle, "Out of memory!");
-		return -1;
-	}
-
-	return 0;
-}
-
-static int populate_roleattributes(link_state_t *state, policydb_t *pol)
-{
-	avrule_block_t *block;
-	avrule_decl_t *decl;
-
-	if (state->verbose)
-		INFO(state->handle, "Populating role-attribute relationship "
-			    "from enabled declarations' local symtab.");
-
-	/* Iterate through all of the blocks skipping the first(which is the
-	 * global block, is required to be present and can't have an else).
-	 * If the block is disabled or not having an enabled decl, skip it.
-	 */
-	for (block = pol->global->next; block != NULL; block = block->next)
-	{
-		decl = block->enabled;
-		if (decl == NULL || decl->enabled == 0)
-			continue;
-
-		if (hashtab_map(decl->symtab[SYM_ROLES].table, 
-				populate_decl_roleattributes, state))
-			return -1;
-	}
-
-	return 0;
-}
-
 /* Link a set of modules into a base module. This process is somewhat
  * similar to an actual compiler: it requires a set of order dependent
  * steps.  The base and every module must have been indexed prior to
@@ -2576,21 +2462,6 @@ int link_modules(sepol_handle_t * handle,
 		goto cleanup;
 	}
 
-	/* Now that all role attribute's roles ebitmap have been settled,
-	 * escalate sub role attribute's roles ebitmap into that of parent.
-	 *
-	 * First, since some role-attribute relationships could be recorded
-	 * in some decl's local symtab(see get_local_role()), we need to
-	 * populate them up to the base.p_roles table. */
-	if (populate_roleattributes(&state, state.base)) {
-		retval = SEPOL_EREQ;
-		goto cleanup;
-	}
-	
-	/* Now do the escalation. */
-	if (hashtab_map(state.base->p_roles.table, expand_role_attributes,
-			&state))
-		goto cleanup;
 
 	retval = 0;
       cleanup: