From: <ssm...@us...> - 2008-06-10 13:05:23
Revision: 2900 http://selinux.svn.sourceforge.net/selinux/?rev=2900&view=rev Author: ssmalley Date: 2008-06-10 06:05:20 -0700 (Tue, 10 Jun 2008) Log Message: ----------- applied r2885:2886 from trunk Modified Paths: -------------- branches/stable/1_0/checkpolicy/policy_parse.y branches/stable/1_0/libsepol/include/sepol/policydb/expand.h branches/stable/1_0/libsepol/src/expand.c branches/stable/1_0/libsepol/src/policydb.c branches/stable/1_0/libsepol/src/users.c Modified: branches/stable/1_0/checkpolicy/policy_parse.y =================================================================== --- branches/stable/1_0/checkpolicy/policy_parse.y 2008-06-06 14:43:16 UTC (rev 2899) +++ branches/stable/1_0/checkpolicy/policy_parse.y 2008-06-10 13:05:20 UTC (rev 2900) @@ -2729,7 +2729,7 @@ } /* This ebitmap business is just to ensure that there are not conflicting role_trans rules */ - if (role_set_expand(&roles, &e_roles, policydbp)) + if (role_set_expand(&roles, &e_roles, policydbp, NULL)) goto bad; if (type_set_expand(&types, &e_types, policydbp, 1)) Modified: branches/stable/1_0/libsepol/include/sepol/policydb/expand.h =================================================================== --- branches/stable/1_0/libsepol/include/sepol/policydb/expand.h 2008-06-06 14:43:16 UTC (rev 2899) +++ branches/stable/1_0/libsepol/include/sepol/policydb/expand.h 2008-06-10 13:05:20 UTC (rev 2900) @@ -43,6 +43,7 @@ */ extern int expand_module_avrules(sepol_handle_t * handle, policydb_t * base, policydb_t * out, uint32_t * typemap, uint32_t * boolmap, + uint32_t * rolemap, uint32_t * usermap, int verbose, int expand_neverallow); /* * Expand all parts of a module. Neverallow rules are not expanded (only 
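Review bot: The new `rolemap` and `usermap` parameters of `expand_module_avrules` in expand.h are undocumented, and the header says nothing about whether a caller may pass NULL, although the expand.c side treats a NULL `rolemap` as an identity mapping in `role_set_expand` but indexes `state->rolemap`/`state->usermap` unconditionally in `map_ebitmap` and `context_copy`. I would extend the block comment whose closing ` */` is the first context line of this hunk (its start lies outside the hunk) with something like `rolemap/usermap: mappings from base role/user values to out values, indexed by base value - 1, entry 0 meaning the identifier was not copied; as produced by expand_module()`, and state explicitly whether NULL is permitted once that is confirmed against the callers. The `role_set_expand` prototype in the next hunk deserves the same treatment, since there `rolemap` may be NULL and means "keep the policy's own numbering". Both functions appear to be part of the installed API, so changing their signatures on the stable branch means every external caller must be rebuilt against the new header; the commit only updates checkpolicy's `role_set_expand` call.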
@@ -59,7 +60,7 @@ unsigned char alwaysexpand); extern int type_set_expand(type_set_t * set, ebitmap_t * t, policydb_t * p, unsigned char alwaysexpand); -extern int role_set_expand(role_set_t * x, ebitmap_t * r, policydb_t * p); +extern int role_set_expand(role_set_t * x, ebitmap_t * r, policydb_t * p, uint32_t * rolemap); extern int mls_semantic_level_expand(mls_semantic_level_t *sl, mls_level_t *l, policydb_t *p, sepol_handle_t *h); extern int mls_semantic_range_expand(mls_semantic_range_t *sr, mls_range_t *r, Modified: branches/stable/1_0/libsepol/src/expand.c =================================================================== --- branches/stable/1_0/libsepol/src/expand.c 2008-06-06 14:43:16 UTC (rev 2899) +++ branches/stable/1_0/libsepol/src/expand.c 2008-06-10 13:05:20 UTC (rev 2900) @@ -40,6 +40,8 @@ int verbose; uint32_t *typemap; uint32_t *boolmap; + uint32_t *rolemap; + uint32_t *usermap; policydb_t *base; policydb_t *out; sepol_handle_t *handle; @@ -51,6 +53,23 @@ memset(state, 0, sizeof(expand_state_t)); } +static int map_ebitmap(ebitmap_t * src, ebitmap_t * dst, uint32_t * map) +{ + unsigned int i; + ebitmap_node_t *tnode; + ebitmap_init(dst); + + ebitmap_for_each_bit(src, tnode, i) { + if (!ebitmap_node_get_bit(tnode, i)) + continue; + if (!map[i]) + continue; + if (ebitmap_set_bit(dst, map[i] - 1, 1)) + return -1; + } + return 0; +} + static int type_copy_callback(hashtab_key_t key, hashtab_datum_t datum, void *data) { @@ -142,7 +161,7 @@ ERR(state->handle, "attribute %s vanished!", id); return -1; } - if (convert_type_ebitmap(&type->types, &tmp_union, state->typemap)) { + if (map_ebitmap(&type->types, &tmp_union, state->typemap)) { ERR(state->handle, "out of memory"); return -1; } 
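Review bot: `map_ebitmap` returns -1 from inside the loop when `ebitmap_set_bit` fails but leaves `dst` holding whatever nodes were already allocated, and neither new caller in this commit (`role_remap_dominates`, `role_set_expand`) destroys the destination on that path, so the partial bitmap leaks. Since the function owns `dst` from its `ebitmap_init` onward, it should release it itself: `if (ebitmap_set_bit(dst, map[i] - 1, 1)) { ebitmap_destroy(dst); return -1; }`. Silently skipping entries with `map[i] == 0` is presumably intentional (identifiers whose scope is not enabled are never copied), but that deserves a comment such as `/* 0 means the identifier was not copied into the output policy; drop the bit */`, and because `map[i]` is indexed with no bound the function relies on every caller passing a map sized to the source policy's nprim, which is worth stating above the definition. The non-static `convert_type_ebitmap` this replaces is deleted at @@ -1825; if any header or out-of-tree caller declared it, that removal is a link-time break, and the expand.h hunks show no matching declaration removal.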
@@ -289,6 +308,14 @@ names, 1)) { goto out_of_mem; } + } else if (new_expr->attr & CEXPR_ROLE) { + if (map_ebitmap(&expr->names, &new_expr->names, state->rolemap)) { + goto out_of_mem; + } + } else if (new_expr->attr & CEXPR_USER) { + if (map_ebitmap(&expr->names, &new_expr->names, state->usermap)) { + goto out_of_mem; + } } else { /* Other kinds of sets do not. */ if (ebitmap_cpy(&new_expr->names, @@ -494,6 +521,28 @@ return 0; } +static int role_remap_dominates(hashtab_key_t key __attribute__ ((unused)), hashtab_datum_t datum, void *data) +{ + ebitmap_t mapped_roles; + role_datum_t *role = (role_datum_t *) datum; + expand_state_t *state = (expand_state_t *) data; + + if (!(&role->dominates.node)) + return 0; + + if (map_ebitmap(&role->dominates, &mapped_roles, state->rolemap)) + return -1; + + ebitmap_destroy(&role->dominates); + + if (ebitmap_cpy(&role->dominates, &mapped_roles)) + return -1; + + ebitmap_destroy(&mapped_roles); + + return 0; +} + static int role_copy_callback(hashtab_key_t key, hashtab_datum_t datum, void *data) { @@ -508,8 +557,11 @@ role = (role_datum_t *) datum; state = (expand_state_t *) data; - if (strcmp(id, OBJECT_R) == 0) + if (strcmp(id, OBJECT_R) == 0) { + /* object_r is always value 1 */ + state->rolemap[role->s.value - 1] = 1; return 0; + } if (!is_id_enabled(id, state->base, SYM_ROLES)) { /* identifier's scope is not enabled */ @@ -535,8 +587,9 @@ return -1; } - new_role->s.value = role->s.value; state->out->p_roles.nprim++; + new_role->s.value = state->out->p_roles.nprim; + state->rolemap[role->s.value - 1] = new_role->s.value; ret = hashtab_insert(state->out->p_roles.table, (hashtab_key_t) new_id, (hashtab_datum_t) new_role); 
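Review bot: `if (!(&role->dominates.node)) return 0;` in `role_remap_dominates` tests the address of a struct member, which is never NULL, so the early return is dead and every role, including those with an empty dominates set, goes through the map/destroy/copy sequence; the intended test was presumably `if (!role->dominates.node)`. Separately, `mapped_roles` is leaked when `ebitmap_cpy` fails, and the unconditional `ebitmap_destroy(&role->dominates)` before the copy means a failure there leaves the role with an empty dominates set rather than its original one, which the caller's `goto cleanup` at @@ -2360 then abandons. Restructuring the tail so that `mapped_roles` is destroyed on every path fixes the leak and keeps the single-exit shape the rest of the file uses.
```c
	ebitmap_t mapped_roles;
	int rc;
	/* … unchanged: role/state casts … */

	if (!role->dominates.node)
		return 0;

	if (map_ebitmap(&role->dominates, &mapped_roles, state->rolemap))
		return -1;

	ebitmap_destroy(&role->dominates);
	rc = ebitmap_cpy(&role->dominates, &mapped_roles);
	ebitmap_destroy(&mapped_roles);
	return rc ? -1 : 0;
```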
@@ -553,6 +606,10 @@ ebitmap_init(&new_role->dominates); } + + /* The dominates bitmap is going to be wrong for the moment, + * we'll come back later and remap them, after we are sure all + * the roles have been added */ if (ebitmap_union(&new_role->dominates, &role->dominates)) { ERR(state->handle, "Out of memory!"); return -1; @@ -675,8 +732,9 @@ } memset(new_user, 0, sizeof(user_datum_t)); - new_user->s.value = user->s.value; state->out->p_users.nprim++; + new_user->s.value = state->out->p_users.nprim; + state->usermap[user->s.value - 1] = new_user->s.value; new_id = strdup(id); if (!new_id) { @@ -739,7 +797,7 @@ ebitmap_init(&tmp_union); /* get global roles for this user */ - if (role_set_expand(&user->roles, &tmp_union, state->base)) { + if (role_set_expand(&user->roles, &tmp_union, state->base, state->rolemap)) { ERR(state->handle, "Out of memory!"); ebitmap_destroy(&tmp_union); return -1; @@ -921,14 +979,16 @@ ebitmap_init(&roles); ebitmap_init(&new_roles); - if (role_set_expand(&cur->roles, &roles, state->out)) { + if (role_set_expand(&cur->roles, &roles, state->out, state->rolemap)) { ERR(state->handle, "Out of memory!"); return -1; } - if (role_set_expand(&cur->new_roles, &new_roles, state->out)) { + + if (role_set_expand(&cur->new_roles, &new_roles, state->out, state->rolemap)) { ERR(state->handle, "Out of memory!"); return -1; } + ebitmap_for_each_bit(&roles, snode, i) { if (!ebitmap_node_get_bit(snode, i)) continue; @@ -988,7 +1048,7 @@ ebitmap_init(&roles); ebitmap_init(&types); - if (role_set_expand(&cur->roles, &roles, state->out)) { + if (role_set_expand(&cur->roles, &roles, state->out, state->rolemap)) { ERR(state->handle, "Out of memory!"); return -1; } @@ -1041,7 +1101,7 @@ memset(n, 0, sizeof(role_trans_t)); n->role = i + 1; n->type = j + 1; - n->new_role = cur->new_role; + n->new_role = state->rolemap[cur->new_role - 1]; if (l) { l->next = n; } else { 
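Review bot: `n->new_role = state->rolemap[cur->new_role - 1];` stores the mapped value without checking it, yet `rolemap` entries stay 0 for every role that `role_copy_callback` skipped because its scope was not enabled (the `is_id_enabled` path earlier in this commit), so a role_transition whose target was dropped would be emitted with `new_role == 0`, which is not a valid 1-based role value and would likely only surface much later as a bad policy. The same unchecked lookups appear in `context_copy` in the next hunk (`state->usermap[src->user - 1]` and `state->rolemap[src->role - 1]`). Whether the scope machinery already guarantees that any role or user reachable from an enabled rule or context is itself enabled is not visible here; if it does not, a check such as `if (!n->new_role) { ERR(state->handle, "role_transition target role was not copied to the expanded policy"); return -1; }` turns a silently invalid policy into an expand error. If the guarantee does hold, a one-line comment at the lookup saying why the mapping cannot be 0 saves the next reader the same question.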
@@ -1641,8 +1701,8 @@ static int context_copy(context_struct_t * dst, context_struct_t * src, expand_state_t * state) { - dst->user = src->user; - dst->role = src->role; + dst->user = state->usermap[src->user - 1]; + dst->role = state->rolemap[src->role - 1]; dst->type = state->typemap[src->type - 1]; return mls_context_cpy(dst, src); } @@ -1825,23 +1885,6 @@ return 0; } -int convert_type_ebitmap(ebitmap_t * src, ebitmap_t * dst, uint32_t * typemap) -{ - unsigned int i; - ebitmap_node_t *tnode; - ebitmap_init(dst); - - ebitmap_for_each_bit(src, tnode, i) { - if (!ebitmap_node_get_bit(tnode, i)) - continue; - if (!typemap[i]) - continue; - if (ebitmap_set_bit(dst, typemap[i] - 1, 1)) - return -1; - } - return 0; -} - /* converts typeset using typemap and expands into ebitmap_t types using the attributes in the passed in policy. * this should not be called until after all the blocks have been processed and the attributes in target policy * are complete. */ @@ -1853,10 +1896,10 @@ type_set_init(&tmpset); - if (convert_type_ebitmap(&set->types, &tmpset.types, typemap)) + if (map_ebitmap(&set->types, &tmpset.types, typemap)) return -1; - if (convert_type_ebitmap(&set->negset, &tmpset.negset, typemap)) + if (map_ebitmap(&set->negset, &tmpset.negset, typemap)) return -1; tmpset.flags = set->flags; @@ -1898,12 +1941,14 @@ return retval; } -int role_set_expand(role_set_t * x, ebitmap_t * r, policydb_t * p) +int role_set_expand(role_set_t * x, ebitmap_t * r, policydb_t * p, uint32_t * rolemap) { unsigned int i; ebitmap_node_t *rnode; + ebitmap_t mapped_roles; ebitmap_init(r); + ebitmap_init(&mapped_roles); if (x->flags & ROLE_STAR) { for (i = 0; i < p->p_roles.nprim++; i++) 
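Review bot: The context line `for (i = 0; i < p->p_roles.nprim++; i++)` in the ROLE_STAR branch of `role_set_expand` post-increments `nprim` on every comparison, so the bound moves with the index (the loop cannot terminate normally) and `p->p_roles.nprim` is left corrupted afterwards; this is pre-existing rather than introduced here, but the commit rewrites this function and now routes every role set in the policy through it, so `for (i = 0; i < p->p_roles.nprim; i++)` belongs in the same change. With a non-NULL `rolemap` there is also a numbering question: the ROLE_STAR branch sizes the result by the `nprim` of whichever policy `p` the caller passed (`state->base` at @@ -739, `state->out` at @@ -921 and @@ -988) and returns that policy's values, whereas the mapped branch in the next hunk produces out-policy values via `rolemap`; if base and out role counts differ, a ROLE_STAR set expanded against base is in the wrong numbering. A comment above the definition stating which policy `p` is expected to be, and that the result is always in out numbering when `rolemap` is given, would pin this down. The function continues in the next hunk.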
@@ -1912,13 +1957,23 @@ return 0; } - ebitmap_for_each_bit(&x->roles, rnode, i) { + if (rolemap) { + if (map_ebitmap(&x->roles, &mapped_roles, rolemap)) + return -1; + } else { + if (ebitmap_cpy(&mapped_roles, &x->roles)) + return -1; + } + + ebitmap_for_each_bit(&mapped_roles, rnode, i) { if (ebitmap_node_get_bit(rnode, i)) { if (ebitmap_set_bit(r, i, 1)) return -1; } } + ebitmap_destroy(&mapped_roles); + /* if role is to be complimented, invert the entire bitmap here */ if (x->flags & ROLE_COMP) { for (i = 0; i < ebitmap_length(r); i++) { @@ -2200,7 +2255,8 @@ */ int expand_module_avrules(sepol_handle_t * handle, policydb_t * base, policydb_t * out, uint32_t * typemap, - uint32_t * boolmap, int verbose, + uint32_t * boolmap, uint32_t * rolemap, + uint32_t * usermap, int verbose, int expand_neverallow) { expand_state_t state; @@ -2211,6 +2267,8 @@ state.out = out; state.typemap = typemap; state.boolmap = boolmap; + state.rolemap = rolemap; + state.usermap = usermap; state.handle = handle; state.verbose = verbose; state.expand_neverallow = expand_neverallow; @@ -2264,6 +2322,18 @@ goto cleanup; } + state.rolemap = (uint32_t *)calloc(state.base->p_roles.nprim, sizeof(uint32_t)); + if (!state.rolemap) { + ERR(handle, "Out of memory!"); + goto cleanup; + } + + state.usermap = (uint32_t *)calloc(state.base->p_users.nprim, sizeof(uint32_t)); + if (!state.usermap) { + ERR(handle, "Out of memory!"); + goto cleanup; + } + /* order is important - types must be first */ /* copy types */ @@ -2360,6 +2430,11 @@ } + /* remap role dominates bitmaps */ + if (hashtab_map(state.out->p_roles.table, role_remap_dominates, &state)) { + goto cleanup; + } + if (copy_and_expand_avrule_block(&state) < 0) { ERR(handle, "Error during expand"); goto cleanup; 
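Review bot: The `return -1` inside `ebitmap_for_each_bit(&mapped_roles, rnode, i)` in `role_set_expand` exits after `mapped_roles` has been populated by `map_ebitmap` or `ebitmap_cpy` but before the new `ebitmap_destroy(&mapped_roles)`, so the working copy leaks on an allocation failure. `r` is left partially filled on the same path, and the callers handle that inconsistently (@@ -739 destroys `tmp_union`, @@ -921 and @@ -988 return without destroying `roles`). Routing the failure through a label at the end of the function fixes the leak: `if (ebitmap_set_bit(r, i, 1)) goto err;` with `err: ebitmap_destroy(&mapped_roles); return -1;`, placed after the ROLE_COMP loop, which lies outside this hunk.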
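Review bot: The `(uint32_t *)` casts on the two new `calloc` calls in `expand_module` are unnecessary in C, and tying the element size to the pointer reads better: `state.rolemap = calloc(state.base->p_roles.nprim, sizeof *state.rolemap);`. Both maps are sized by the base policy's `nprim` and every later index into them is `value - 1` of a base role or user, which is consistent, but the invariant is only implicit; a comment at the allocation site, `/* indexed by base role value - 1; 0 means the role was not copied to out */`, documents it for both maps. If `nprim` can ever be 0 here, `calloc(0, ...)` may legitimately return NULL and would be misreported as "Out of memory!"; whether a policy with no roles or no users can reach this point is not visible in the hunk.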
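Review bot: The new `hashtab_map(state.out->p_roles.table, role_remap_dominates, &state)` call jumps to `cleanup` on failure without logging anything, while the adjacent `copy_and_expand_avrule_block` failure reports `ERR(handle, "Error during expand")`, so a failure in the remap pass is indistinguishable from a silent exit for the caller. Adding `ERR(handle, "Error remapping role dominance sets");` inside the `if` keeps the error reporting consistent. The comment `/* remap role dominates bitmaps */` would be more useful if it said why the pass exists, e.g. `/* role dominates bitmaps were copied in base numbering; now that every role has an out value, translate them through rolemap */`, which is the constraint the "we'll come back later" comment at @@ -553 alludes to.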
@@ -2419,6 +2494,8 @@ cleanup: free(state.typemap); free(state.boolmap); + free(state.rolemap); + free(state.usermap); return retval; } Modified: branches/stable/1_0/libsepol/src/policydb.c =================================================================== --- branches/stable/1_0/libsepol/src/policydb.c 2008-06-06 14:43:16 UTC (rev 2899) +++ branches/stable/1_0/libsepol/src/policydb.c 2008-06-10 13:05:20 UTC (rev 2900) @@ -521,7 +521,7 @@ p = (policydb_t *) arg; ebitmap_destroy(&user->cache); - if (role_set_expand(&user->roles, &user->cache, p)) { + if (role_set_expand(&user->roles, &user->cache, p, NULL)) { return -1; } Modified: branches/stable/1_0/libsepol/src/users.c =================================================================== --- branches/stable/1_0/libsepol/src/users.c 2008-06-06 14:43:16 UTC (rev 2899) +++ branches/stable/1_0/libsepol/src/users.c 2008-06-10 13:05:20 UTC (rev 2900) @@ -260,7 +260,7 @@ /* Expand roles */ if (role_set_expand - (&usrdatum->roles, &usrdatum->cache, policydb)) { + (&usrdatum->roles, &usrdatum->cache, policydb, NULL)) { ERR(handle, "unable to expand role set"); goto err; } This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |