Revert "SELinux: per-command whitelisting of ioctls"
This reverts commit bc84b4adb1469e3d05ad76c304a4c545feaf1f88.
Bug: 22846070
Change-Id: Ib4cb130b2225ea2e22556ff852313e0de7dddcab
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
diff --git a/security/selinux/ss/avtab.c b/security/selinux/ss/avtab.c
index 2e4ff00..a3dd9fa 100644
--- a/security/selinux/ss/avtab.c
+++ b/security/selinux/ss/avtab.c
@@ -24,7 +24,6 @@
#include "policydb.h"
static struct kmem_cache *avtab_node_cachep;
-static struct kmem_cache *avtab_operation_cachep;
static inline int avtab_hash(struct avtab_key *keyp, u16 mask)
{
@@ -38,24 +37,11 @@
struct avtab_key *key, struct avtab_datum *datum)
{
struct avtab_node *newnode;
- struct avtab_operation *ops;
newnode = kmem_cache_zalloc(avtab_node_cachep, GFP_KERNEL);
if (newnode == NULL)
return NULL;
newnode->key = *key;
-
- if (key->specified & AVTAB_OP) {
- ops = kmem_cache_zalloc(avtab_operation_cachep, GFP_KERNEL);
- if (ops == NULL) {
- kmem_cache_free(avtab_node_cachep, newnode);
- return NULL;
- }
- *ops = *(datum->u.ops);
- newnode->datum.u.ops = ops;
- } else {
- newnode->datum.u.data = datum->u.data;
- }
-
+ newnode->datum = *datum;
if (prev) {
newnode->next = prev->next;
prev->next = newnode;
@@ -84,11 +70,8 @@
if (key->source_type == cur->key.source_type &&
key->target_type == cur->key.target_type &&
key->target_class == cur->key.target_class &&
- (specified & cur->key.specified)) {
- if (specified & AVTAB_OPNUM)
- break;
+ (specified & cur->key.specified))
return -EEXIST;
- }
if (key->source_type < cur->key.source_type)
break;
if (key->source_type == cur->key.source_type &&
@@ -249,9 +232,6 @@
while (cur) {
temp = cur;
cur = cur->next;
- if (temp->key.specified & AVTAB_OP)
- kmem_cache_free(avtab_operation_cachep,
- temp->datum.u.ops);
kmem_cache_free(avtab_node_cachep, temp);
}
h->htable[i] = NULL;
@@ -340,13 +320,7 @@
AVTAB_AUDITALLOW,
AVTAB_TRANSITION,
AVTAB_CHANGE,
- AVTAB_MEMBER,
- AVTAB_OPNUM_ALLOWED,
- AVTAB_OPNUM_AUDITALLOW,
- AVTAB_OPNUM_DONTAUDIT,
- AVTAB_OPTYPE_ALLOWED,
- AVTAB_OPTYPE_AUDITALLOW,
- AVTAB_OPTYPE_DONTAUDIT
+ AVTAB_MEMBER
};
int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
@@ -356,11 +330,10 @@
{
__le16 buf16[4];
u16 enabled;
+ __le32 buf32[7];
u32 items, items2, val, vers = pol->policyvers;
struct avtab_key key;
struct avtab_datum datum;
- struct avtab_operation ops;
- __le32 buf32[ARRAY_SIZE(ops.op.perms)];
int i, rc;
unsigned set;
@@ -417,15 +390,11 @@
printk(KERN_ERR "SELinux: avtab: entry has both access vectors and types\n");
return -EINVAL;
}
- if (val & AVTAB_OP) {
- printk(KERN_ERR "SELinux: avtab: entry has operations\n");
- return -EINVAL;
- }
for (i = 0; i < ARRAY_SIZE(spec_order); i++) {
if (val & spec_order[i]) {
key.specified = spec_order[i] | enabled;
- datum.u.data = le32_to_cpu(buf32[items++]);
+ datum.data = le32_to_cpu(buf32[items++]);
rc = insertf(a, &key, &datum, p);
if (rc)
return rc;
@@ -444,6 +413,7 @@
printk(KERN_ERR "SELinux: avtab: truncated entry\n");
return rc;
}
+
items = 0;
key.source_type = le16_to_cpu(buf16[items++]);
key.target_type = le16_to_cpu(buf16[items++]);
@@ -467,32 +437,14 @@
return -EINVAL;
}
- if ((vers < POLICYDB_VERSION_IOCTL_OPERATIONS)
- || !(key.specified & AVTAB_OP)) {
- rc = next_entry(buf32, fp, sizeof(u32));
- if (rc) {
- printk(KERN_ERR "SELinux: avtab: truncated entry\n");
- return rc;
- }
- datum.u.data = le32_to_cpu(*buf32);
- } else {
- memset(&ops, 0, sizeof(struct avtab_operation));
- rc = next_entry(&ops.type, fp, sizeof(u8));
- if (rc) {
- printk(KERN_ERR "SELinux: avtab: truncated entry\n");
- return rc;
- }
- rc = next_entry(buf32, fp, sizeof(u32)*ARRAY_SIZE(ops.op.perms));
- if (rc) {
- printk(KERN_ERR "SELinux: avtab: truncated entry\n");
- return rc;
- }
- for (i = 0; i < ARRAY_SIZE(ops.op.perms); i++)
- ops.op.perms[i] = le32_to_cpu(buf32[i]);
- datum.u.ops = &ops;
+ rc = next_entry(buf32, fp, sizeof(u32));
+ if (rc) {
+ printk(KERN_ERR "SELinux: avtab: truncated entry\n");
+ return rc;
}
+ datum.data = le32_to_cpu(*buf32);
if ((key.specified & AVTAB_TYPE) &&
- !policydb_type_isvalid(pol, datum.u.data)) {
+ !policydb_type_isvalid(pol, datum.data)) {
printk(KERN_ERR "SELinux: avtab: invalid type\n");
return -EINVAL;
}
@@ -552,9 +504,8 @@
int avtab_write_item(struct policydb *p, struct avtab_node *cur, void *fp)
{
__le16 buf16[4];
- __le32 buf32[ARRAY_SIZE(cur->datum.u.ops->op.perms)];
+ __le32 buf32[1];
int rc;
- unsigned int i;
buf16[0] = cpu_to_le16(cur->key.source_type);
buf16[1] = cpu_to_le16(cur->key.target_type);
@@ -563,16 +514,8 @@
rc = put_entry(buf16, sizeof(u16), 4, fp);
if (rc)
return rc;
-
- if (cur->key.specified & AVTAB_OP) {
- for (i = 0; i < ARRAY_SIZE(cur->datum.u.ops->op.perms); i++)
- buf32[i] = cpu_to_le32(cur->datum.u.ops->op.perms[i]);
- rc = put_entry(buf32, sizeof(u32),
- ARRAY_SIZE(cur->datum.u.ops->op.perms), fp);
- } else {
- buf32[0] = cpu_to_le32(cur->datum.u.data);
- rc = put_entry(buf32, sizeof(u32), 1, fp);
- }
+ buf32[0] = cpu_to_le32(cur->datum.data);
+ rc = put_entry(buf32, sizeof(u32), 1, fp);
if (rc)
return rc;
return 0;
@@ -605,13 +548,9 @@
avtab_node_cachep = kmem_cache_create("avtab_node",
sizeof(struct avtab_node),
0, SLAB_PANIC, NULL);
- avtab_operation_cachep = kmem_cache_create("avtab_operation",
- sizeof(struct avtab_operation),
- 0, SLAB_PANIC, NULL);
}
void avtab_cache_destroy(void)
{
kmem_cache_destroy(avtab_node_cachep);
- kmem_cache_destroy(avtab_operation_cachep);
}
diff --git a/security/selinux/ss/avtab.h b/security/selinux/ss/avtab.h
index 97acd6f..63ce2f9 100644
--- a/security/selinux/ss/avtab.h
+++ b/security/selinux/ss/avtab.h
@@ -23,8 +23,6 @@
#ifndef _SS_AVTAB_H_
#define _SS_AVTAB_H_
-#include "security.h"
-
struct avtab_key {
u16 source_type; /* source type */
u16 target_type; /* target type */
@@ -37,34 +35,13 @@
#define AVTAB_MEMBER 0x0020
#define AVTAB_CHANGE 0x0040
#define AVTAB_TYPE (AVTAB_TRANSITION | AVTAB_MEMBER | AVTAB_CHANGE)
-#define AVTAB_OPNUM_ALLOWED 0x0100
-#define AVTAB_OPNUM_AUDITALLOW 0x0200
-#define AVTAB_OPNUM_DONTAUDIT 0x0400
-#define AVTAB_OPNUM (AVTAB_OPNUM_ALLOWED | \
- AVTAB_OPNUM_AUDITALLOW | \
- AVTAB_OPNUM_DONTAUDIT)
-#define AVTAB_OPTYPE_ALLOWED 0x1000
-#define AVTAB_OPTYPE_AUDITALLOW 0x2000
-#define AVTAB_OPTYPE_DONTAUDIT 0x4000
-#define AVTAB_OPTYPE (AVTAB_OPTYPE_ALLOWED | \
- AVTAB_OPTYPE_AUDITALLOW | \
- AVTAB_OPTYPE_DONTAUDIT)
-#define AVTAB_OP (AVTAB_OPNUM | AVTAB_OPTYPE)
#define AVTAB_ENABLED_OLD 0x80000000 /* reserved for used in cond_avtab */
#define AVTAB_ENABLED 0x8000 /* reserved for used in cond_avtab */
u16 specified; /* what field is specified */
};
-struct avtab_operation {
- u8 type;
- struct operation_perm op;
-};
-
struct avtab_datum {
- union {
- u32 data; /* access vector or type value */
- struct avtab_operation *ops; /* ioctl operations */
- } u;
+ u32 data; /* access vector or type value */
};
struct avtab_node {
diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
index 16651c7..377d148 100644
--- a/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@ -15,7 +15,6 @@
#include "security.h"
#include "conditional.h"
-#include "services.h"
/*
* cond_evaluate_expr evaluates a conditional expr
@@ -618,39 +617,21 @@
return 0;
}
-
-void cond_compute_operation(struct avtab *ctab, struct avtab_key *key,
- struct operation_decision *od)
-{
- struct avtab_node *node;
-
- if (!ctab || !key || !od)
- return;
-
- for (node = avtab_search_node(ctab, key); node;
- node = avtab_search_node_next(node, key->specified)) {
- if (node->key.specified & AVTAB_ENABLED)
- services_compute_operation_num(od, node);
- }
- return;
-
-}
/* Determine whether additional permissions are granted by the conditional
* av table, and if so, add them to the result
*/
-void cond_compute_av(struct avtab *ctab, struct avtab_key *key,
- struct av_decision *avd, struct operation *ops)
+void cond_compute_av(struct avtab *ctab, struct avtab_key *key, struct av_decision *avd)
{
struct avtab_node *node;
- if (!ctab || !key || !avd || !ops)
+ if (!ctab || !key || !avd)
return;
for (node = avtab_search_node(ctab, key); node;
node = avtab_search_node_next(node, key->specified)) {
if ((u16)(AVTAB_ALLOWED|AVTAB_ENABLED) ==
(node->key.specified & (AVTAB_ALLOWED|AVTAB_ENABLED)))
- avd->allowed |= node->datum.u.data;
+ avd->allowed |= node->datum.data;
if ((u16)(AVTAB_AUDITDENY|AVTAB_ENABLED) ==
(node->key.specified & (AVTAB_AUDITDENY|AVTAB_ENABLED)))
/* Since a '0' in an auditdeny mask represents a
@@ -658,13 +639,10 @@
* the '&' operand to ensure that all '0's in the mask
* are retained (much unlike the allow and auditallow cases).
*/
- avd->auditdeny &= node->datum.u.data;
+ avd->auditdeny &= node->datum.data;
if ((u16)(AVTAB_AUDITALLOW|AVTAB_ENABLED) ==
(node->key.specified & (AVTAB_AUDITALLOW|AVTAB_ENABLED)))
- avd->auditallow |= node->datum.u.data;
- if ((node->key.specified & AVTAB_ENABLED) &&
- (node->key.specified & AVTAB_OP))
- services_compute_operation_type(ops, node);
+ avd->auditallow |= node->datum.data;
}
return;
}
diff --git a/security/selinux/ss/conditional.h b/security/selinux/ss/conditional.h
index 80ee2bb..4d1f874 100644
--- a/security/selinux/ss/conditional.h
+++ b/security/selinux/ss/conditional.h
@@ -73,10 +73,8 @@
int cond_write_bool(void *key, void *datum, void *ptr);
int cond_write_list(struct policydb *p, struct cond_node *list, void *fp);
-void cond_compute_av(struct avtab *ctab, struct avtab_key *key,
- struct av_decision *avd, struct operation *ops);
-void cond_compute_operation(struct avtab *ctab, struct avtab_key *key,
- struct operation_decision *od);
+void cond_compute_av(struct avtab *ctab, struct avtab_key *key, struct av_decision *avd);
+
int evaluate_cond_node(struct policydb *p, struct cond_node *node);
#endif /* _CONDITIONAL_H_ */
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 6962d15..60af34a 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -148,11 +148,6 @@
.sym_num = SYM_NUM,
.ocon_num = OCON_NUM,
},
- {
- .version = POLICYDB_VERSION_IOCTL_OPERATIONS,
- .sym_num = SYM_NUM,
- .ocon_num = OCON_NUM,
- },
};
static struct policydb_compat_info *policydb_lookup_compat(int version)
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 9ddca68..ed30b97 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -92,10 +92,9 @@
u32 *scontext_len);
static void context_struct_compute_av(struct context *scontext,
- struct context *tcontext,
- u16 tclass,
- struct av_decision *avd,
- struct operation *ops);
+ struct context *tcontext,
+ u16 tclass,
+ struct av_decision *avd);
struct selinux_mapping {
u16 value; /* policy value */
@@ -565,8 +564,7 @@
context_struct_compute_av(&lo_scontext,
tcontext,
tclass,
- &lo_avd,
- NULL);
+ &lo_avd);
if ((lo_avd.allowed & avd->allowed) == avd->allowed)
return; /* no masked permission */
masked = ~lo_avd.allowed & avd->allowed;
@@ -581,8 +579,7 @@
context_struct_compute_av(scontext,
&lo_tcontext,
tclass,
- &lo_avd,
- NULL);
+ &lo_avd);
if ((lo_avd.allowed & avd->allowed) == avd->allowed)
return; /* no masked permission */
masked = ~lo_avd.allowed & avd->allowed;
@@ -598,8 +595,7 @@
context_struct_compute_av(&lo_scontext,
&lo_tcontext,
tclass,
- &lo_avd,
- NULL);
+ &lo_avd);
if ((lo_avd.allowed & avd->allowed) == avd->allowed)
return; /* no masked permission */
masked = ~lo_avd.allowed & avd->allowed;
@@ -615,39 +611,14 @@
}
}
-/* flag ioctl types that have operation permissions */
-void services_compute_operation_type(
- struct operation *ops,
- struct avtab_node *node)
-{
- u8 type;
- unsigned int i;
-
- if (node->key.specified & AVTAB_OPTYPE) {
- /* if allowing one or more complete types */
- for (i = 0; i < ARRAY_SIZE(ops->type); i++)
- ops->type[i] |= node->datum.u.ops->op.perms[i];
- } else {
- /* if allowing operations within a type */
- type = node->datum.u.ops->type;
- security_operation_set(ops->type, type);
- }
-
- /* If no ioctl commands are allowed, ignore auditallow and auditdeny */
- if (node->key.specified & AVTAB_OPTYPE_ALLOWED ||
- node->key.specified & AVTAB_OPNUM_ALLOWED)
- ops->len = 1;
-}
-
/*
- * Compute access vectors and operations ranges based on a context
- * structure pair for the permissions in a particular class.
+ * Compute access vectors based on a context structure pair for
+ * the permissions in a particular class.
*/
static void context_struct_compute_av(struct context *scontext,
- struct context *tcontext,
- u16 tclass,
- struct av_decision *avd,
- struct operation *ops)
+ struct context *tcontext,
+ u16 tclass,
+ struct av_decision *avd)
{
struct constraint_node *constraint;
struct role_allow *ra;
@@ -661,10 +632,6 @@
avd->allowed = 0;
avd->auditallow = 0;
avd->auditdeny = 0xffffffff;
- if (ops) {
- memset(&ops->type, 0, sizeof(ops->type));
- ops->len = 0;
- }
if (unlikely(!tclass || tclass > policydb.p_classes.nprim)) {
if (printk_ratelimit())
@@ -679,7 +646,7 @@
* this permission check, then use it.
*/
avkey.target_class = tclass;
- avkey.specified = AVTAB_AV | AVTAB_OP;
+ avkey.specified = AVTAB_AV;
sattr = flex_array_get(policydb.type_attr_map_array, scontext->type - 1);
BUG_ON(!sattr);
tattr = flex_array_get(policydb.type_attr_map_array, tcontext->type - 1);
@@ -692,17 +659,15 @@
node;
node = avtab_search_node_next(node, avkey.specified)) {
if (node->key.specified == AVTAB_ALLOWED)
- avd->allowed |= node->datum.u.data;
+ avd->allowed |= node->datum.data;
else if (node->key.specified == AVTAB_AUDITALLOW)
- avd->auditallow |= node->datum.u.data;
+ avd->auditallow |= node->datum.data;
else if (node->key.specified == AVTAB_AUDITDENY)
- avd->auditdeny &= node->datum.u.data;
- else if (ops && (node->key.specified & AVTAB_OP))
- services_compute_operation_type(ops, node);
+ avd->auditdeny &= node->datum.data;
}
/* Check conditional av table for additional permissions */
- cond_compute_av(&policydb.te_cond_avtab, &avkey, avd, ops);
+ cond_compute_av(&policydb.te_cond_avtab, &avkey, avd);
}
}
@@ -933,139 +898,13 @@
avd->flags = 0;
}
-void services_compute_operation_num(struct operation_decision *od,
- struct avtab_node *node)
-{
- unsigned int i;
- if (node->key.specified & AVTAB_OPNUM) {
- if (od->type != node->datum.u.ops->type)
- return;
- } else {
- if (!security_operation_test(node->datum.u.ops->op.perms,
- od->type))
- return;
- }
-
- if (node->key.specified == AVTAB_OPTYPE_ALLOWED) {
- od->specified |= OPERATION_ALLOWED;
- memset(od->allowed->perms, 0xff,
- sizeof(od->allowed->perms));
- } else if (node->key.specified == AVTAB_OPTYPE_AUDITALLOW) {
- od->specified |= OPERATION_AUDITALLOW;
- memset(od->auditallow->perms, 0xff,
- sizeof(od->auditallow->perms));
- } else if (node->key.specified == AVTAB_OPTYPE_DONTAUDIT) {
- od->specified |= OPERATION_DONTAUDIT;
- memset(od->dontaudit->perms, 0xff,
- sizeof(od->dontaudit->perms));
- } else if (node->key.specified == AVTAB_OPNUM_ALLOWED) {
- od->specified |= OPERATION_ALLOWED;
- for (i = 0; i < ARRAY_SIZE(od->allowed->perms); i++)
- od->allowed->perms[i] |=
- node->datum.u.ops->op.perms[i];
- } else if (node->key.specified == AVTAB_OPNUM_AUDITALLOW) {
- od->specified |= OPERATION_AUDITALLOW;
- for (i = 0; i < ARRAY_SIZE(od->auditallow->perms); i++)
- od->auditallow->perms[i] |=
- node->datum.u.ops->op.perms[i];
- } else if (node->key.specified == AVTAB_OPNUM_DONTAUDIT) {
- od->specified |= OPERATION_DONTAUDIT;
- for (i = 0; i < ARRAY_SIZE(od->dontaudit->perms); i++)
- od->dontaudit->perms[i] |=
- node->datum.u.ops->op.perms[i];
- } else {
- BUG();
- }
-}
-
-void security_compute_operation(u32 ssid,
- u32 tsid,
- u16 orig_tclass,
- u8 type,
- struct operation_decision *od)
-{
- u16 tclass;
- struct context *scontext, *tcontext;
- struct avtab_key avkey;
- struct avtab_node *node;
- struct ebitmap *sattr, *tattr;
- struct ebitmap_node *snode, *tnode;
- unsigned int i, j;
-
- od->type = type;
- od->specified = 0;
- memset(od->allowed->perms, 0, sizeof(od->allowed->perms));
- memset(od->auditallow->perms, 0, sizeof(od->auditallow->perms));
- memset(od->dontaudit->perms, 0, sizeof(od->dontaudit->perms));
-
- read_lock(&policy_rwlock);
- if (!ss_initialized)
- goto allow;
-
- scontext = sidtab_search(&sidtab, ssid);
- if (!scontext) {
- printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
- __func__, ssid);
- goto out;
- }
-
- tcontext = sidtab_search(&sidtab, tsid);
- if (!tcontext) {
- printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
- __func__, tsid);
- goto out;
- }
-
- tclass = unmap_class(orig_tclass);
- if (unlikely(orig_tclass && !tclass)) {
- if (policydb.allow_unknown)
- goto allow;
- goto out;
- }
-
-
- if (unlikely(!tclass || tclass > policydb.p_classes.nprim)) {
- if (printk_ratelimit())
- printk(KERN_WARNING "SELinux: Invalid class %hu\n", tclass);
- goto out;
- }
-
- avkey.target_class = tclass;
- avkey.specified = AVTAB_OP;
- sattr = flex_array_get(policydb.type_attr_map_array,
- scontext->type - 1);
- BUG_ON(!sattr);
- tattr = flex_array_get(policydb.type_attr_map_array,
- tcontext->type - 1);
- BUG_ON(!tattr);
- ebitmap_for_each_positive_bit(sattr, snode, i) {
- ebitmap_for_each_positive_bit(tattr, tnode, j) {
- avkey.source_type = i + 1;
- avkey.target_type = j + 1;
- for (node = avtab_search_node(&policydb.te_avtab, &avkey);
- node;
- node = avtab_search_node_next(node, avkey.specified))
- services_compute_operation_num(od, node);
-
- cond_compute_operation(&policydb.te_cond_avtab,
- &avkey, od);
- }
- }
-out:
- read_unlock(&policy_rwlock);
- return;
-allow:
- memset(od->allowed->perms, 0xff, sizeof(od->allowed->perms));
- goto out;
-}
/**
* security_compute_av - Compute access vector decisions.
* @ssid: source security identifier
* @tsid: target security identifier
* @tclass: target security class
* @avd: access vector decisions
- * @od: operation decisions
*
* Compute a set of access vector decisions based on the
* SID pair (@ssid, @tsid) for the permissions in @tclass.
@@ -1073,15 +912,13 @@
void security_compute_av(u32 ssid,
u32 tsid,
u16 orig_tclass,
- struct av_decision *avd,
- struct operation *ops)
+ struct av_decision *avd)
{
u16 tclass;
struct context *scontext = NULL, *tcontext = NULL;
read_lock(&policy_rwlock);
avd_init(avd);
- ops->len = 0;
if (!ss_initialized)
goto allow;
@@ -1109,7 +946,7 @@
goto allow;
goto out;
}
- context_struct_compute_av(scontext, tcontext, tclass, avd, ops);
+ context_struct_compute_av(scontext, tcontext, tclass, avd);
map_decision(orig_tclass, avd, policydb.allow_unknown);
out:
read_unlock(&policy_rwlock);
@@ -1155,7 +992,7 @@
goto out;
}
- context_struct_compute_av(scontext, tcontext, tclass, avd, NULL);
+ context_struct_compute_av(scontext, tcontext, tclass, avd);
out:
read_unlock(&policy_rwlock);
return;
@@ -1673,7 +1510,7 @@
if (avdatum) {
/* Use the type from the type transition/member/change rule. */
- newcontext.type = avdatum->u.data;
+ newcontext.type = avdatum->data;
}
/* if we have a objname this is a file trans check so check those rules */
diff --git a/security/selinux/ss/services.h b/security/selinux/ss/services.h
index 5697574..e8d907e 100644
--- a/security/selinux/ss/services.h
+++ b/security/selinux/ss/services.h
@@ -11,11 +11,5 @@
extern struct policydb policydb;
-void services_compute_operation_type(struct operation *ops,
- struct avtab_node *node);
-
-void services_compute_operation_num(struct operation_decision *od,
- struct avtab_node *node);
-
#endif /* _SS_SERVICES_H_ */