Get rid of security_context_t and fix const declarations.

The const security_context_t declarations were incorrect;
const char * was intended, not char * const.   Easiest fix is to
replace them all with const char *.  And while we are at it, just
get rid of all usage of security_context_t itself as it adds no value.
The typedef is left in place so that legacy users still build until such
time as all of them are updated.

Change-Id: I2f9df7bb9f575f76024c3e5f5b660345da2931a7
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/include/selinux/avc.h b/include/selinux/avc.h
index da18e41..8a1a6df 100644
--- a/include/selinux/avc.h
+++ b/include/selinux/avc.h
@@ -19,7 +19,7 @@
  * SID format and operations
  */
 struct security_id {
-	security_context_t ctx;
+	char * ctx;
 	unsigned int refcnt;
 };
 typedef struct security_id *security_id_t;
@@ -37,8 +37,8 @@
  * failure, with @errno set to %ENOMEM if insufficient memory was
  * available to make the copy, or %EINVAL if the input SID is invalid.
  */
-int avc_sid_to_context(security_id_t sid, security_context_t * ctx);
-int avc_sid_to_context_raw(security_id_t sid, security_context_t * ctx);
+int avc_sid_to_context(security_id_t sid, char ** ctx);
+int avc_sid_to_context_raw(security_id_t sid, char ** ctx);
 
 /**
  * avc_context_to_sid - get SID for context.
@@ -51,8 +51,8 @@
  * to the SID structure into the memory referenced by @sid, 
  * returning %0 on success or -%1 on error with @errno set.  
  */
-int avc_context_to_sid(const security_context_t ctx, security_id_t * sid);
-int avc_context_to_sid_raw(const security_context_t ctx, security_id_t * sid);
+int avc_context_to_sid(const char * ctx, security_id_t * sid);
+int avc_context_to_sid_raw(const char * ctx, security_id_t * sid);
 
 /**
  * sidget - increment SID reference counter.
diff --git a/include/selinux/label.h b/include/selinux/label.h
index d3f68e4..628c5d5 100644
--- a/include/selinux/label.h
+++ b/include/selinux/label.h
@@ -93,9 +93,9 @@
  * The result is returned in the memory pointed to by @con and must be freed
  * by the user with freecon().
  */
-int selabel_lookup(struct selabel_handle *handle, security_context_t *con,
+int selabel_lookup(struct selabel_handle *handle, char **con,
 		   const char *key, int type);
-int selabel_lookup_raw(struct selabel_handle *handle, security_context_t *con,
+int selabel_lookup_raw(struct selabel_handle *handle, char **con,
 		       const char *key, int type);
 
 /**
diff --git a/include/selinux/selinux.h b/include/selinux/selinux.h
index 99c8c1a..8827da8 100644
--- a/include/selinux/selinux.h
+++ b/include/selinux/selinux.h
@@ -13,19 +13,20 @@
 /* Return 1 if we are running on a SELinux MLS kernel, or 0 otherwise. */
 extern int is_selinux_mls_enabled(void);
 
+/* No longer used; here for compatibility with legacy callers. */
 typedef char *security_context_t;
 
 /* Free the memory allocated for a context by any of the below get* calls. */
-extern void freecon(security_context_t con);
+extern void freecon(char * con);
 
 /* Free the memory allocated for a context array by security_compute_user. */
-extern void freeconary(security_context_t * con);
+extern void freeconary(char ** con);
 
 /* Wrappers for the /proc/pid/attr API. */
 
 /* Get current context, and set *con to refer to it.
    Caller must free via freecon. */
-extern int getcon(security_context_t * con);
+extern int getcon(char ** con);
 
 /* Set the current security context to con.  
    Note that use of this function requires that the entire application
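Review bot: The comment added above `typedef char *security_context_t;` says the type is no longer used, but it does not tell a legacy caller what to write instead or why the typedef was misleading. I would expand it to something like `/* Deprecated: use char * for outputs and const char * for inputs. "const security_context_t" is char * const, so it never protected the string. */`. Marking the typedef with a deprecation attribute could follow once remaining users are converted; whether any remain is not visible from this hunk.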
@@ -35,70 +36,70 @@
    instead. Note that the application may lose access to its open descriptors
    as a result of a setcon() unless policy allows it to use descriptors opened
    by the old context. */
-extern int setcon(const security_context_t con);
+extern int setcon(const char * con);
 
 /* Get context of process identified by pid, and 
    set *con to refer to it.  Caller must free via freecon. */
-extern int getpidcon(pid_t pid, security_context_t * con);
+extern int getpidcon(pid_t pid, char ** con);
 
 /* Get previous context (prior to last exec), and set *con to refer to it.
    Caller must free via freecon. */
-extern int getprevcon(security_context_t * con);
+extern int getprevcon(char ** con);
 
 /* Get exec context, and set *con to refer to it.
    Sets *con to NULL if no exec context has been set, i.e. using default.
    If non-NULL, caller must free via freecon. */
-extern int getexeccon(security_context_t * con);
+extern int getexeccon(char ** con);
 
 /* Set exec security context for the next execve. 
    Call with NULL if you want to reset to the default. */
-extern int setexeccon(const security_context_t con);
+extern int setexeccon(const char * con);
 
 /* Get fscreate context, and set *con to refer to it.
    Sets *con to NULL if no fs create context has been set, i.e. using default.
    If non-NULL, caller must free via freecon. */
-extern int getfscreatecon(security_context_t * con);
+extern int getfscreatecon(char ** con);
 
 /* Set the fscreate security context for subsequent file creations.
    Call with NULL if you want to reset to the default. */
-extern int setfscreatecon(const security_context_t context);
+extern int setfscreatecon(const char * context);
 
 /* Get keycreate context, and set *con to refer to it.
    Sets *con to NULL if no key create context has been set, i.e. using default.
    If non-NULL, caller must free via freecon. */
-extern int getkeycreatecon(security_context_t * con);
+extern int getkeycreatecon(char ** con);
 
 /* Set the keycreate security context for subsequent key creations.
    Call with NULL if you want to reset to the default. */
-extern int setkeycreatecon(const security_context_t context);
+extern int setkeycreatecon(const char * context);
 
 /* Get sockcreate context, and set *con to refer to it.
    Sets *con to NULL if no socket create context has been set, i.e. using default.
    If non-NULL, caller must free via freecon. */
-extern int getsockcreatecon(security_context_t * con);
+extern int getsockcreatecon(char ** con);
 
 /* Set the sockcreate security context for subsequent socket creations.
    Call with NULL if you want to reset to the default. */
-extern int setsockcreatecon(const security_context_t context);
+extern int setsockcreatecon(const char * context);
 
 /* Wrappers for the xattr API. */
 
 /* Get file context, and set *con to refer to it.
    Caller must free via freecon. */
-extern int getfilecon(const char *path, security_context_t * con);
-extern int lgetfilecon(const char *path, security_context_t * con);
-extern int fgetfilecon(int fd, security_context_t * con);
+extern int getfilecon(const char *path, char ** con);
+extern int lgetfilecon(const char *path, char ** con);
+extern int fgetfilecon(int fd, char ** con);
 
 /* Set file context */
-extern int setfilecon(const char *path, security_context_t con);
-extern int lsetfilecon(const char *path, security_context_t con);
-extern int fsetfilecon(int fd, security_context_t con);
+extern int setfilecon(const char *path, const char *con);
+extern int lsetfilecon(const char *path, const char *con);
+extern int fsetfilecon(int fd, const char *con);
 
 /* Wrappers for the socket API */
 
 /* Get context of peer socket, and set *con to refer to it.
    Caller must free via freecon. */
-extern int getpeercon(int fd, security_context_t * con);
+extern int getpeercon(int fd, char ** con);
 
 /* Wrappers for the selinuxfs (policy) API. */
 
@@ -137,7 +138,7 @@
 	int (*func_audit) (void *auditdata, security_class_t cls,
 			   char *msgbuf, size_t msgbufsize);
 	/* validate the supplied context, modifying if necessary */
-	int (*func_validate) (security_context_t *ctx);
+	int (*func_validate) (char **ctx);
 	/* netlink callback for setenforce message */
 	int (*func_setenforce) (int enforcing);
 	/* netlink callback for policyload message */
@@ -160,38 +161,38 @@
 #define SELINUX_AVC		3
 
 /* Compute an access decision. */
-extern int security_compute_av(const security_context_t scon,
-			       const security_context_t tcon,
+extern int security_compute_av(const char * scon,
+			       const char * tcon,
 			       security_class_t tclass,
 			       access_vector_t requested,
 			       struct av_decision *avd);
 
 /* Compute a labeling decision and set *newcon to refer to it.
    Caller must free via freecon. */
-extern int security_compute_create(const security_context_t scon,
-				   const security_context_t tcon,
+extern int security_compute_create(const char * scon,
+				   const char * tcon,
 				   security_class_t tclass,
-				   security_context_t * newcon);
+				   char ** newcon);
 
 /* Compute a relabeling decision and set *newcon to refer to it.
    Caller must free via freecon. */
-extern int security_compute_relabel(const security_context_t scon,
-				    const security_context_t tcon,
+extern int security_compute_relabel(const char * scon,
+				    const char * tcon,
 				    security_class_t tclass,
-				    security_context_t * newcon);
+				    char ** newcon);
 
 /* Compute a polyinstantiation member decision and set *newcon to refer to it.
    Caller must free via freecon. */
-extern int security_compute_member(const security_context_t scon,
-				   const security_context_t tcon,
+extern int security_compute_member(const char * scon,
+				   const char * tcon,
 				   security_class_t tclass,
-				   security_context_t * newcon);
+				   char ** newcon);
 
 /* Compute the set of reachable user contexts and set *con to refer to 
    the NULL-terminated array of contexts.  Caller must free via freeconary. */
-extern int security_compute_user(const security_context_t scon,
+extern int security_compute_user(const char * scon,
 				 const char *username,
-				 security_context_t ** con);
+				 char *** con);
 
 /* Load a policy configuration. */
 extern int security_load_policy(void *data, size_t len);
@@ -199,7 +200,7 @@
 /* Get the context of an initial kernel security identifier by name.  
    Caller must free via freecon */
 extern int security_get_initial_context(const char *name,
-					security_context_t * con);
+					char ** con);
 
 /* Translate boolean strict to name value pair. */
 typedef struct {
@@ -211,11 +212,11 @@
 				     SELboolean * const boollist, int permanent);
 
 /* Check the validity of a security context. */
-extern int security_check_context(const security_context_t con);
+extern int security_check_context(const char * con);
 
 /* Canonicalize a security context. */
-extern int security_canonicalize_context(const security_context_t con,
-					 security_context_t * canoncon);
+extern int security_canonicalize_context(const char * con,
+					 char ** canoncon);
 
 /* Get the enforce flag value. */
 extern int security_getenforce(void);
@@ -273,8 +274,8 @@
 			      access_vector_t av, char **result);
 
 /* Check permissions and perform appropriate auditing. */
-extern int selinux_check_access(const security_context_t scon,
-				const security_context_t tcon,
+extern int selinux_check_access(const char * scon,
+				const char * tcon,
 				const char *tclass,
 				const char *perm, void *aux);
 
diff --git a/src/avc.c b/src/avc.c
index 17df343..76ca217 100644
--- a/src/avc.c
+++ b/src/avc.c
@@ -66,7 +66,7 @@
 	    & (AVC_CACHE_SLOTS - 1);
 }
 
-int avc_context_to_sid(const security_context_t ctx, security_id_t * sid)
+int avc_context_to_sid(const char * ctx, security_id_t * sid)
 {
 	int rc;
 	avc_get_lock(avc_lock);
@@ -75,7 +75,7 @@
 	return rc;
 }
 
-int avc_sid_to_context(security_id_t sid, security_context_t * ctx)
+int avc_sid_to_context(security_id_t sid, char ** ctx)
 {
 	int rc;
 	*ctx = NULL;
@@ -89,7 +89,7 @@
 int avc_get_initial_sid(const char * name, security_id_t * sid)
 {
 	int rc;
-	security_context_t con;
+	char * con;
 
 	rc = security_get_initial_context(name, &con);
 	if (rc < 0)
@@ -777,7 +777,7 @@
 	int rc;
 	struct avc_entry_ref aeref;
 	struct avc_entry entry;
-	security_context_t ctx;
+	char * ctx;
 
 	*newsid = NULL;
 	avc_entry_ref_init(&aeref);
diff --git a/src/avc_sidtab.c b/src/avc_sidtab.c
index 0b696bb..52f21df 100644
--- a/src/avc_sidtab.c
+++ b/src/avc_sidtab.c
@@ -13,7 +13,7 @@
 #include "avc_sidtab.h"
 #include "avc_internal.h"
 
-static inline unsigned sidtab_hash(security_context_t key)
+static inline unsigned sidtab_hash(const char * key)
 {
 	char *p, *keyp;
 	unsigned int size;
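Review bot: `key` is now `const char *`, but the locals declared right below the signature are still `char *p, *keyp;`, so any assignment from `key` further down must either cast the qualifier away or draw a discarded-qualifier warning. Declaring them as `const char *p, *keyp;` carries the const promise through the hash loop and removes the need for a cast. The rest of sidtab_hash lies outside the hunk, so how `keyp` is actually assigned is inferred.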
@@ -46,18 +46,18 @@
 	return rc;
 }
 
-int sidtab_insert(struct sidtab *s, const security_context_t ctx)
+int sidtab_insert(struct sidtab *s, const char * ctx)
 {
 	int hvalue, rc = 0;
 	struct sidtab_node *newnode;
-	security_context_t newctx;
+	char * newctx;
 
 	newnode = (struct sidtab_node *)avc_malloc(sizeof(*newnode));
 	if (!newnode) {
 		rc = -1;
 		goto out;
 	}
-	newctx = (security_context_t) strdup(ctx);
+	newctx = (char *) strdup(ctx);
 	if (!newctx) {
 		rc = -1;
 		avc_free(newnode);
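Review bot: The cast in `newctx = (char *) strdup(ctx);` is a leftover from the typedef and is now a no-op, since strdup already returns `char *`. `newctx = strdup(ctx);` reads cleaner and does not mask a missing prototype. The cast on `avc_malloc` a few lines earlier could probably go as well if it returns `void *`, which this hunk does not show. sidtab_insert continues past the end of the hunk.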
@@ -76,7 +76,7 @@
 
 int
 sidtab_context_to_sid(struct sidtab *s,
-		      const security_context_t ctx, security_id_t * sid)
+		      const char * ctx, security_id_t * sid)
 {
 	int hvalue, rc = 0;
 	struct sidtab_node *cur;
diff --git a/src/avc_sidtab.h b/src/avc_sidtab.h
index 29b5d8b..bce9b87 100644
--- a/src/avc_sidtab.h
+++ b/src/avc_sidtab.h
@@ -25,10 +25,10 @@
 };
 
 int sidtab_init(struct sidtab *s) hidden;
-int sidtab_insert(struct sidtab *s, security_context_t ctx) hidden;
+int sidtab_insert(struct sidtab *s, const char * ctx) hidden;
 
 int sidtab_context_to_sid(struct sidtab *s,
-			  security_context_t ctx, security_id_t * sid) hidden;
+			  const char * ctx, security_id_t * sid) hidden;
 
 void sidtab_sid_stats(struct sidtab *s, char *buf, int buflen) hidden;
 void sidtab_destroy(struct sidtab *s) hidden;
diff --git a/src/callbacks.c b/src/callbacks.c
index b245364..c3cf98b 100644
--- a/src/callbacks.c
+++ b/src/callbacks.c
@@ -32,7 +32,7 @@
 }
 
 static int
-default_selinux_validate(security_context_t *ctx)
+default_selinux_validate(char **ctx)
 {
 	return security_check_context(*ctx);
 }
@@ -59,7 +59,7 @@
 	default_selinux_audit;
 
 int
-(*selinux_validate)(security_context_t *ctx) =
+(*selinux_validate)(char **ctx) =
 	default_selinux_validate;
 
 int
diff --git a/src/callbacks.h b/src/callbacks.h
index 52ad555..2a572e0 100644
--- a/src/callbacks.h
+++ b/src/callbacks.h
@@ -19,7 +19,7 @@
 (*selinux_audit) (void *, security_class_t, char *, size_t) hidden;
 
 extern int
-(*selinux_validate)(security_context_t *ctx) hidden;
+(*selinux_validate)(char **ctx) hidden;
 
 extern int
 (*selinux_netlink_setenforce) (int enforcing) hidden;
diff --git a/src/canonicalize_context.c b/src/canonicalize_context.c
index 2f5cd41..b8f874f 100644
--- a/src/canonicalize_context.c
+++ b/src/canonicalize_context.c
@@ -9,8 +9,8 @@
 #include "policy.h"
 #include <limits.h>
 
-int security_canonicalize_context(const security_context_t con,
-				      security_context_t * canoncon)
+int security_canonicalize_context(const char * con,
+				      char ** canoncon)
 {
 	char path[PATH_MAX];
 	char *buf;
diff --git a/src/checkAccess.c b/src/checkAccess.c
index 3171c47..2fb22d9 100644
--- a/src/checkAccess.c
+++ b/src/checkAccess.c
@@ -15,7 +15,7 @@
 		avc_open(NULL, 0);
 }
 
-int selinux_check_access(const security_context_t scon, const security_context_t tcon, const char *class, const char *perm, void *aux) {
+int selinux_check_access(const char * scon, const char * tcon, const char *class, const char *perm, void *aux) {
 	int status = -1;
 	int rc = -1;
 	security_id_t scon_id;
diff --git a/src/check_context.c b/src/check_context.c
index ac4cb40..7471194 100644
--- a/src/check_context.c
+++ b/src/check_context.c
@@ -9,7 +9,7 @@
 #include "policy.h"
 #include <limits.h>
 
-int security_check_context(const security_context_t con)
+int security_check_context(const char * con)
 {
 	char path[PATH_MAX];
 	int fd, ret;
diff --git a/src/compute_av.c b/src/compute_av.c
index 8c01fd0..d6f76f8 100644
--- a/src/compute_av.c
+++ b/src/compute_av.c
@@ -10,8 +10,8 @@
 #include "policy.h"
 #include "mapping.h"
 
-int security_compute_av(const security_context_t scon,
-			const security_context_t tcon,
+int security_compute_av(const char * scon,
+			const char * tcon,
 			security_class_t tclass,
 			access_vector_t requested,
 			struct av_decision *avd)
diff --git a/src/compute_create.c b/src/compute_create.c
index 19231b5..d3b16c9 100644
--- a/src/compute_create.c
+++ b/src/compute_create.c
@@ -10,10 +10,10 @@
 #include "policy.h"
 #include "mapping.h"
 
-int security_compute_create(const security_context_t scon,
-				const security_context_t tcon,
+int security_compute_create(const char * scon,
+				const char * tcon,
 				security_class_t tclass,
-				security_context_t * newcon)
+				char ** newcon)
 {
 	char path[PATH_MAX];
 	char *buf;
diff --git a/src/enabled.c b/src/enabled.c
index 569a7a0..ab015a4 100644
--- a/src/enabled.c
+++ b/src/enabled.c
@@ -14,7 +14,7 @@
 	FILE *fp;
 	char *bufp;
 	int enabled = 0;
-	security_context_t con;
+	char * con;
 
 	/* init_selinuxmnt() gets called before this function. We
  	 * will assume that if a selinux file system is mounted, then
diff --git a/src/fgetfilecon.c b/src/fgetfilecon.c
index eb890bd..33cdc27 100644
--- a/src/fgetfilecon.c
+++ b/src/fgetfilecon.c
@@ -7,7 +7,7 @@
 #include "selinux_internal.h"
 #include "policy.h"
 
-int fgetfilecon(int fd, security_context_t * context)
+int fgetfilecon(int fd, char ** context)
 {
 	char *buf;
 	ssize_t size;
diff --git a/src/freecon.c b/src/freecon.c
index 3ec4fe2..5290dfa 100644
--- a/src/freecon.c
+++ b/src/freecon.c
@@ -3,7 +3,7 @@
 #include <stdlib.h>
 #include <errno.h>
 
-void freecon(security_context_t con)
+void freecon(char * con)
 {
 	free(con);
 }
diff --git a/src/fsetfilecon.c b/src/fsetfilecon.c
index 38eeabd..17f8875 100644
--- a/src/fsetfilecon.c
+++ b/src/fsetfilecon.c
@@ -7,7 +7,7 @@
 #include "selinux_internal.h"
 #include "policy.h"
 
-int fsetfilecon(int fd, const security_context_t context)
+int fsetfilecon(int fd, const char *context)
 {
 	return fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1,
 			 0);
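Review bot: `strlen(context) + 1` dereferences `context` unconditionally, so a NULL label crashes the caller instead of failing the call; the same expression appears in lsetfilecon and setfilecon later in this patch. The sibling setters in selinux.h (setexeccon, setfscreatecon, setkeycreatecon, setsockcreatecon) document NULL as "reset to the default", so a caller could plausibly pass NULL here too. A guard such as `if (!context) { errno = EINVAL; return -1; }` ahead of the xattr call would turn that into a clean error, assuming `<errno.h>` is already included in these files. The "Set file context" comment in the header should also state that con must be non-NULL. The function's closing brace is outside the hunk.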
diff --git a/src/get_initial_context.c b/src/get_initial_context.c
index 559c100..64863dd 100644
--- a/src/get_initial_context.c
+++ b/src/get_initial_context.c
@@ -11,7 +11,7 @@
 
 #define SELINUX_INITCON_DIR "/initial_contexts/"
 
-int security_get_initial_context(const char * name, security_context_t * con)
+int security_get_initial_context(const char * name, char ** con)
 {
 	char path[PATH_MAX];
 	char *buf;
diff --git a/src/getfilecon.c b/src/getfilecon.c
index d8c0d35..02037de 100644
--- a/src/getfilecon.c
+++ b/src/getfilecon.c
@@ -7,7 +7,7 @@
 #include <sys/xattr.h>
 #include "policy.h"
 
-int getfilecon(const char *path, security_context_t * context)
+int getfilecon(const char *path, char ** context)
 {
 	char *buf;
 	ssize_t size;
diff --git a/src/getpeercon.c b/src/getpeercon.c
index a5624b3..3bd29dc 100644
--- a/src/getpeercon.c
+++ b/src/getpeercon.c
@@ -11,7 +11,7 @@
 #define SO_PEERSEC 31
 #endif
 
-int getpeercon(int fd, security_context_t * context)
+int getpeercon(int fd, char ** context)
 {
 	char *buf;
 	socklen_t size;
diff --git a/src/label.c b/src/label.c
index 51d6913..d29b459 100644
--- a/src/label.c
+++ b/src/label.c
@@ -106,7 +106,7 @@
 	return lr;
 }
 
-int selabel_lookup(struct selabel_handle *rec, security_context_t *con,
+int selabel_lookup(struct selabel_handle *rec, char **con,
 		   const char *key, int type)
 {
 	struct selabel_lookup_rec *lr;
diff --git a/src/label_internal.h b/src/label_internal.h
index e9007a2..c8303a4 100644
--- a/src/label_internal.h
+++ b/src/label_internal.h
@@ -39,8 +39,8 @@
 };
 
 struct selabel_lookup_rec {
-	security_context_t ctx_raw;
-	security_context_t ctx_trans;
+	char * ctx_raw;
+	char * ctx_trans;
 	int validated;
 };
 
diff --git a/src/lgetfilecon.c b/src/lgetfilecon.c
index dd1fea2..22851a4 100644
--- a/src/lgetfilecon.c
+++ b/src/lgetfilecon.c
@@ -7,7 +7,7 @@
 #include "selinux_internal.h"
 #include "policy.h"
 
-int lgetfilecon(const char *path, security_context_t * context)
+int lgetfilecon(const char *path, char ** context)
 {
 	char *buf;
 	ssize_t size;
diff --git a/src/lsetfilecon.c b/src/lsetfilecon.c
index 45cc2e3..7147f9e 100644
--- a/src/lsetfilecon.c
+++ b/src/lsetfilecon.c
@@ -7,7 +7,7 @@
 #include "selinux_internal.h"
 #include "policy.h"
 
-int lsetfilecon(const char *path, const security_context_t context)
+int lsetfilecon(const char *path, const char *context)
 {
 	return lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1,
 			 0);
diff --git a/src/procattr.c b/src/procattr.c
index 6c2c5a8..f350808 100644
--- a/src/procattr.c
+++ b/src/procattr.c
@@ -15,7 +15,7 @@
 }
 #endif
 
-static int getprocattrcon(security_context_t * context,
+static int getprocattrcon(char ** context,
 			  pid_t pid, const char *attr)
 {
 	char *path, *buf;
@@ -73,7 +73,7 @@
 	return ret;
 }
 
-static int setprocattrcon(security_context_t context,
+static int setprocattrcon(const char * context,
 			  pid_t pid, const char *attr)
 {
 	char *path;
@@ -113,13 +113,13 @@
 }
 
 #define getselfattr_def(fn, attr) \
-	int get##fn(security_context_t *c) \
+	int get##fn(char **c) \
 	{ \
 		return getprocattrcon(c, 0, #attr); \
 	}
 
 #define setselfattr_def(fn, attr) \
-	int set##fn(const security_context_t c) \
+	int set##fn(const char * c) \
 	{ \
 		return setprocattrcon(c, 0, #attr); \
 	}
@@ -129,7 +129,7 @@
 	setselfattr_def(fn, attr)
 
 #define getpidattr_def(fn, attr) \
-	int get##fn(pid_t pid, security_context_t *c)	\
+	int get##fn(pid_t pid, char **c)	\
 	{ \
 		return getprocattrcon(c, pid, #attr); \
 	}
diff --git a/src/setfilecon.c b/src/setfilecon.c
index 47022df..81322f8 100644
--- a/src/setfilecon.c
+++ b/src/setfilecon.c
@@ -7,7 +7,7 @@
 #include "selinux_internal.h"
 #include "policy.h"
 
-int setfilecon(const char *path, const security_context_t context)
+int setfilecon(const char *path, const char *context)
 {
 	return setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1,
 			0);