SELinux: Update policy version to support constraints info

#define POLICYDB_VERSION_ROLETRANS	26

#define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS	27

#define POLICYDB_VERSION_DEFAULT_TYPE	28

#define POLICYDB_VERSION_CONSTRAINT_NAMES	29

/* Range of policy versions we understand*/

#define POLICYDB_VERSION_MIN   POLICYDB_VERSION_BASE

#ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX

#define POLICYDB_VERSION_MAX	CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE

#else

#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_DEFAULT_TYPE

#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_CONSTRAINT_NAMES

#endif

/* Mask for just the mount related flags */

	u32 op;			/* operator */

	struct ebitmap names;	/* names */

	struct type_set *type_names;

	struct constraint_expr *next;   /* next expression */

};

		.sym_num	= SYM_NUM,

		.ocon_num	= OCON_NUM,

	},

	{

		.version	= POLICYDB_VERSION_CONSTRAINT_NAMES,

		.sym_num	= SYM_NUM,

		.ocon_num	= OCON_NUM,

	},

};

static struct policydb_compat_info *policydb_lookup_compat(int version)

	return 0;

}

static void constraint_expr_destroy(struct constraint_expr *expr)

{

	if (expr) {

		ebitmap_destroy(&expr->names);

		if (expr->type_names) {

			ebitmap_destroy(&expr->type_names->types);

			ebitmap_destroy(&expr->type_names->negset);

			kfree(expr->type_names);

		}

		kfree(expr);

	}

}

static int cls_destroy(void *key, void *datum, void *p)

{

	struct class_datum *cladatum;

		while (constraint) {

			e = constraint->expr;

			while (e) {

				ebitmap_destroy(&e->names);

				etmp = e;

				e = e->next;

				kfree(etmp);

				constraint_expr_destroy(etmp);

			}

			ctemp = constraint;

			constraint = constraint->next;

		while (constraint) {

			e = constraint->expr;

			while (e) {

				ebitmap_destroy(&e->names);

				etmp = e;

				e = e->next;

				kfree(etmp);

				constraint_expr_destroy(etmp);

			}

			ctemp = constraint;

			constraint = constraint->next;

			kfree(ctemp);

		}

		kfree(cladatum->comkey);

	}

	kfree(datum);

	return rc;

}

static int read_cons_helper(struct constraint_node **nodep, int ncons,

			    int allowxtarget, void *fp)

static void type_set_init(struct type_set *t)

{

	ebitmap_init(&t->types);

	ebitmap_init(&t->negset);

}

static int type_set_read(struct type_set *t, void *fp)

{

	__le32 buf[1];

	int rc;

	if (ebitmap_read(&t->types, fp))

		return -EINVAL;

	if (ebitmap_read(&t->negset, fp))

		return -EINVAL;

	rc = next_entry(buf, fp, sizeof(u32));

	if (rc < 0)

		return -EINVAL;

	t->flags = le32_to_cpu(buf[0]);

	return 0;

}

static int read_cons_helper(struct policydb *p,

				struct constraint_node **nodep,

				int ncons, int allowxtarget, void *fp)

{

	struct constraint_node *c, *lc;

	struct constraint_expr *e, *le;

				rc = ebitmap_read(&e->names, fp);

				if (rc)

					return rc;

				if (p->policyvers >=

					POLICYDB_VERSION_CONSTRAINT_NAMES) {

						e->type_names = kzalloc(sizeof

						(*e->type_names),

						GFP_KERNEL);

					if (!e->type_names)

						return -ENOMEM;

					type_set_init(e->type_names);

					rc = type_set_read(e->type_names, fp);

					if (rc)

						return rc;

				}

				break;

			default:

				return -EINVAL;

			goto bad;

	}

	rc = read_cons_helper(&cladatum->constraints, ncons, 0, fp);

	rc = read_cons_helper(p, &cladatum->constraints, ncons, 0, fp);

	if (rc)

		goto bad;

		if (rc)

			goto bad;

		ncons = le32_to_cpu(buf[0]);

		rc = read_cons_helper(&cladatum->validatetrans, ncons, 1, fp);

		rc = read_cons_helper(p, &cladatum->validatetrans,

				ncons, 1, fp);

		if (rc)

			goto bad;

	}

	return 0;

}

static int type_set_write(struct type_set *t, void *fp)

{

	int rc;

	__le32 buf[1];

	if (ebitmap_write(&t->types, fp))

		return -EINVAL;

	if (ebitmap_write(&t->negset, fp))

		return -EINVAL;

	buf[0] = cpu_to_le32(t->flags);

	rc = put_entry(buf, sizeof(u32), 1, fp);

	if (rc)

		return -EINVAL;

	return 0;

}

static int write_cons_helper(struct policydb *p, struct constraint_node *node,

			     void *fp)

{

				rc = ebitmap_write(&e->names, fp);

				if (rc)

					return rc;

				if (p->policyvers >=

					POLICYDB_VERSION_CONSTRAINT_NAMES) {

					rc = type_set_write(e->type_names, fp);

					if (rc)

						return rc;

				}

				break;

			default:

				break;

struct cond_node;

/*

 * type set preserves data needed to determine constraint info from

 * policy source. This is not used by the kernel policy but allows

 * utilities such as audit2allow to determine constraint denials.

 */

struct type_set {

	struct ebitmap types;

	struct ebitmap negset;

	u32 flags;

};

/*

 * The configuration data includes security contexts for

 * initial SIDs, unlabeled file systems, TCP and UDP port numbers,