From: <mad...@us...> - 2006-09-05 14:28:52
Revision: 2017
http://svn.sourceforge.net/selinux/?rev=2017&view=rev
Author: madmethod
Date: 2006-09-05 07:28:31 -0700 (Tue, 05 Sep 2006)
Log Message:
-----------
Author: Darrel Goeddel
Email: dgo...@Tr...
Subject: semantic MLS representation for users
Date: Thu, 31 Aug 2006 17:21:21 -0500
Here is a second take on the previous patch. The changes are:
- no longer create semantic representation of user MLS fields when
reading in a kernel format policy
- no longer copy the semantic representation of user MLS fields
when expanding users
- no longer attempt to expand the semantic MLS components when
caching user information if the policy is already in kernel format
(the semantic info is no longer there)
---
Use the semantic representation for user_datums in modular policy formats.
All user_datums in a modular format use the semantic representation of the MLS
range and dfltlevel. There is also the possibility of having an expanded
version of that data also present in the user_datum. This is used much like
the role cache in the user_datum. When the users are indexed, the MLS info is
expanded. This info may be used to check the validity of a context. This
expansion is not used when writing out a kernel format policy - the expansion
is performed again to ensure that the data is present and in sync with the
rest of the policy.
Like the range_trans structs, user_datums from older modular formats will have
their MLS data converted to the new semantic structs.
Signed-off-by: Darrel Goeddel <dgo...@tr...>
Acked-By: Joshua Brindle <jbr...@tr...>
Modified Paths:
--------------
trunk/checkpolicy/policy_parse.y
trunk/libsepol/include/sepol/policydb/policydb.h
trunk/libsepol/src/expand.c
trunk/libsepol/src/mls.c
trunk/libsepol/src/policydb.c
trunk/libsepol/src/users.c
trunk/libsepol/src/write.c
Modified: trunk/checkpolicy/policy_parse.y
===================================================================
--- trunk/checkpolicy/policy_parse.y 2006-09-05 14:27:55 UTC (rev 2016)
+++ trunk/checkpolicy/policy_parse.y 2006-09-05 14:28:31 UTC (rev 2017)
@@ -3737,11 +3737,10 @@
free(id);
usrdatum->dfltlevel.sens = levdatum->level->sens;
- ebitmap_init(&usrdatum->dfltlevel.cat);
while ((id = queue_remove(id_queue))) {
- if (parse_categories(id, levdatum,
- &usrdatum->dfltlevel.cat)) {
+ if (parse_semantic_categories(id, levdatum,
+ &usrdatum->dfltlevel.cat)) {
free(id);
return -1;
}
@@ -3763,13 +3762,12 @@
return -1;
}
free(id);
+
usrdatum->range.level[l].sens = levdatum->level->sens;
- ebitmap_init(&usrdatum->range.level[l].cat);
while ((id = queue_remove(id_queue))) {
- if (parse_categories(id, levdatum,
- &usrdatum->range.level[l].
- cat)) {
+ if (parse_semantic_categories(id, levdatum,
+ &usrdatum->range.level[l].cat)) {
free(id);
return -1;
}
@@ -3782,33 +3780,14 @@
}
if (l == 0) {
- usrdatum->range.level[1].sens =
- usrdatum->range.level[0].sens;
- if (ebitmap_cpy(&usrdatum->range.level[1].cat,
- &usrdatum->range.level[0].cat)) {
+ if (mls_semantic_level_cpy(&usrdatum->range.level[1],
+ &usrdatum->range.level[0])) {
yyerror("out of memory");
- goto out;
+ return -1;
}
}
- if (!mls_level_dom(&usrdatum->range.level[1],
- &usrdatum->range.level[0])) {
- yyerror("high level does not dominate low level");
- goto out;
- }
- if (!mls_level_between(&usrdatum->dfltlevel,
- &usrdatum->range.level[0],
- &usrdatum->range.level[1])) {
- yyerror("default level not within user range");
- goto out;
- }
}
return 0;
-
- out:
- ebitmap_destroy(&usrdatum->dfltlevel.cat);
- ebitmap_destroy(&usrdatum->range.level[0].cat);
- ebitmap_destroy(&usrdatum->range.level[1].cat);
- return -1;
}
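Review bot: The parse-time rejections removed here (the mls_level_dom "high level does not dominate low level" check and the mls_level_between "default level not within user range" check) have no replacement in this file, and the only successor visible in the patch is the mls_level_between call in expand.c, which rejects a reversed range only indirectly through transitivity and only on the expand path, not when a module is merely loaded and indexed. A short comment above the final `return 0;` would stop the next reader from re-adding the checks here: `/* range/default consistency cannot be checked until the semantic categories are resolved; it is validated after expansion in expand.c */`. The error paths also no longer free the partially built semantic fields; presumably the caller's user_datum_destroy covers that, but it is worth confirming. The enclosing function starts before this hunk.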
static int parse_security_context(context_struct_t * c)
Modified: trunk/libsepol/include/sepol/policydb/policydb.h
===================================================================
--- trunk/libsepol/include/sepol/policydb/policydb.h 2006-09-05 14:27:55 UTC (rev 2016)
+++ trunk/libsepol/include/sepol/policydb/policydb.h 2006-09-05 14:28:31 UTC (rev 2017)
@@ -149,9 +149,11 @@
typedef struct user_datum {
symtab_datum_t s;
role_set_t roles; /* set of authorized roles for user */
- mls_range_t range; /* MLS range (min. - max.) for user */
- mls_level_t dfltlevel; /* default login MLS level for user */
+ mls_semantic_range_t range; /* MLS range (min. - max.) for user */
+ mls_semantic_level_t dfltlevel; /* default login MLS level for user */
ebitmap_t cache; /* This is an expanded set used for context validation during parsing */
+ mls_range_t exp_range; /* expanded range used for validation */
+ mls_level_t exp_dfltlevel; /* expanded range used for validation */
} user_datum_t;
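Review bot: The comment on exp_dfltlevel is a copy of the one above it; it should read `mls_level_t exp_dfltlevel; /* expanded default level used for validation */`. Because this is an installed public header, adding two fields to user_datum_t changes the size and layout of a struct that libsepol consumers may allocate or embed, so if this header is part of the exported interface the library ABI version should be bumped with it — I cannot see the build files from here. The comments would also benefit from stating which form is authoritative, e.g. `/* semantic range is authoritative for modular policies; exp_* are derived at index/expand time */`.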
/* Sensitivity attributes */
@@ -586,9 +588,10 @@
#define MOD_POLICYDB_VERSION_VALIDATETRANS 5
#define MOD_POLICYDB_VERSION_MLS 5
#define MOD_POLICYDB_VERSION_RANGETRANS 6
+#define MOD_POLICYDB_VERSION_MLS_USERS 6
#define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE
-#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_RANGETRANS
+#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_MLS_USERS
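Review bot: MOD_POLICYDB_VERSION_MLS_USERS is defined as 6, the same value as MOD_POLICYDB_VERSION_RANGETRANS, yet the read path in policydb.c now selects the new semantic user layout for every version-6 module or base policy. Any version-6 file produced before this commit (expanded range and level per user) would be parsed with the wrong reader and either fail or, worse, yield a user with an unintended MLS range. If version 6 has already been produced by the previous revision or shipped anywhere, this should be `#define MOD_POLICYDB_VERSION_MLS_USERS 7`; if it has not, a comment such as `/* version 6 introduced both range_transition and semantic user MLS fields */` would record that the reuse is deliberate.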
#define POLICYDB_CONFIG_MLS 1
Modified: trunk/libsepol/src/expand.c
===================================================================
--- trunk/libsepol/src/expand.c 2006-09-05 14:27:55 UTC (rev 2016)
+++ trunk/libsepol/src/expand.c 2006-09-05 14:28:31 UTC (rev 2017)
@@ -692,13 +692,46 @@
return -1;
}
- /* clone MLS stuff */
- if (mls_range_cpy(&new_user->range, &user->range) == -1
- || mls_level_cpy(&new_user->dfltlevel,
- &user->dfltlevel) == -1) {
- ERR(state->handle, "Out of memory!");
+ /* expand the semantic MLS info */
+ if (mls_semantic_range_expand(&user->range,
+ &new_user->exp_range,
+ state->out, state->handle)) {
return -1;
}
+ if (mls_semantic_level_expand(&user->dfltlevel,
+ &new_user->exp_dfltlevel,
+ state->out, state->handle)) {
+ return -1;
+ }
+ if (!mls_level_between(&new_user->exp_dfltlevel,
+ &new_user->exp_range.level[0],
+ &new_user->exp_range.level[1])) {
+ ERR(state->handle, "default level not within user "
+ "range");
+ return -1;
+ }
+ } else {
+ /* require that the MLS info match */
+ mls_range_t tmp_range;
+ mls_level_t tmp_level;
+
+ if (mls_semantic_range_expand(&user->range, &tmp_range,
+ state->out, state->handle)) {
+ return -1;
+ }
+ if (mls_semantic_level_expand(&user->dfltlevel, &tmp_level,
+ state->out, state->handle)) {
+ mls_range_destroy(&tmp_range);
+ return -1;
+ }
+ if (!mls_range_eq(&new_user->exp_range, &tmp_range) ||
+ !mls_level_eq(&new_user->exp_dfltlevel, &tmp_level)) {
+ mls_range_destroy(&tmp_range);
+ mls_level_destroy(&tmp_level);
+ return -1;
+ }
+ mls_range_destroy(&tmp_range);
+ mls_level_destroy(&tmp_level);
}
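Review bot: In the new else branch the mls_range_eq/mls_level_eq mismatch case returns -1 without an ERR(), so a user declared in two modules with conflicting ranges or default levels fails expansion with no diagnostic, unlike the "default level not within user range" case just above it. Add a message before the destroys, e.g. `ERR(state->handle, "conflicting MLS range or default level for user");`, including the user name if it is in scope in this callback. In the first branch, a failure of mls_semantic_level_expand leaves new_user->exp_range populated; presumably new_user is released through user_datum_destroy on the error path, but if it has not yet been inserted into the out table that is a leak — confirm. The surrounding if/else and the enclosing callback begin before this hunk.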
ebitmap_init(&tmp_union);
@@ -788,7 +821,7 @@
}
if (state->verbose)
- INFO(state->handle, "copying senitivity level %s", id);
+ INFO(state->handle, "copying sensitivity level %s", id);
if ((new_level =
(level_datum_t *) calloc(1, sizeof(*new_level))) == NULL
@@ -2207,6 +2240,17 @@
if (hashtab_map(state.base->p_roles.table, role_copy_callback, &state))
goto cleanup;
+ /* copy MLS's sensitivity level and categories - this needs to be done
+ * before expanding users (they need to be indexed too) */
+ if (hashtab_map(state.base->p_levels.table, sens_copy_callback, &state))
+ goto cleanup;
+ if (hashtab_map(state.base->p_cats.table, cats_copy_callback, &state))
+ goto cleanup;
+ if (policydb_index_others(handle, out, verbose)) {
+ ERR(handle, "Error while indexing out symbols");
+ goto cleanup;
+ }
+
/* copy users */
if (hashtab_map(state.base->p_users.table, user_copy_callback, &state))
goto cleanup;
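Review bot: policydb_index_others is now invoked before users and bools are copied, so the user and bool lookup tables it builds here reflect an empty table; the later indexing (outside this hunk) presumably rebuilds them, in which case it is worth confirming that the second call frees the previously allocated val_to_struct arrays rather than leaking them. The comment explains why levels and categories move earlier but not the extra indexing call; `/* index levels and categories now so user MLS ranges can be expanded; remaining symbols are re-indexed after the copy */` would make the intent clear. The enclosing expand routine begins before this hunk.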
@@ -2215,13 +2259,6 @@
if (hashtab_map(state.base->p_bools.table, bool_copy_callback, &state))
goto cleanup;
- /* now copy MLS's sensitivity level and categories */
- if (hashtab_map(state.base->p_levels.table, sens_copy_callback, &state)
- || hashtab_map(state.base->p_cats.table, cats_copy_callback,
- &state)) {
- goto cleanup;
- }
-
if (policydb_index_classes(out)) {
ERR(handle, "Error while indexing out classes");
goto cleanup;
Modified: trunk/libsepol/src/mls.c
===================================================================
--- trunk/libsepol/src/mls.c 2006-09-05 14:27:55 UTC (rev 2016)
+++ trunk/libsepol/src/mls.c 2006-09-05 14:28:31 UTC (rev 2017)
@@ -310,7 +310,7 @@
if (!c->user || c->user > p->p_users.nprim)
return 0;
usrdatum = p->user_val_to_struct[c->user - 1];
- if (!mls_range_contains(usrdatum->range, c->range))
+ if (!mls_range_contains(usrdatum->exp_range, c->range))
return 0; /* user may not be associated with range */
return 1;
@@ -512,9 +512,9 @@
if (mls) {
mls_level_t *fromcon_sen = &(fromcon->range.level[0]);
mls_level_t *fromcon_clr = &(fromcon->range.level[1]);
- mls_level_t *user_low = &(user->range.level[0]);
- mls_level_t *user_clr = &(user->range.level[1]);
- mls_level_t *user_def = &(user->dfltlevel);
+ mls_level_t *user_low = &(user->exp_range.level[0]);
+ mls_level_t *user_clr = &(user->exp_range.level[1]);
+ mls_level_t *user_def = &(user->exp_dfltlevel);
mls_level_t *usercon_sen = &(usercon->range.level[0]);
mls_level_t *usercon_clr = &(usercon->range.level[1]);
Modified: trunk/libsepol/src/policydb.c
===================================================================
--- trunk/libsepol/src/policydb.c 2006-09-05 14:27:55 UTC (rev 2016)
+++ trunk/libsepol/src/policydb.c 2006-09-05 14:28:31 UTC (rev 2017)
@@ -112,7 +112,7 @@
},
{
.type = POLICY_BASE,
- .version = MOD_POLICYDB_VERSION_RANGETRANS,
+ .version = MOD_POLICYDB_VERSION_MLS_USERS,
.sym_num = SYM_NUM,
.ocon_num = OCON_NODE6 + 1,
},
@@ -130,7 +130,7 @@
},
{
.type = POLICY_MOD,
- .version = MOD_POLICYDB_VERSION_RANGETRANS,
+ .version = MOD_POLICYDB_VERSION_MLS_USERS,
.sym_num = SYM_NUM,
.ocon_num = 0},
};
@@ -233,18 +233,22 @@
{
memset(x, 0, sizeof(user_datum_t));
role_set_init(&x->roles);
- mls_range_init(&x->range);
- mls_level_init(&x->dfltlevel);
+ mls_semantic_range_init(&x->range);
+ mls_semantic_level_init(&x->dfltlevel);
ebitmap_init(&x->cache);
+ mls_range_init(&x->exp_range);
+ mls_level_init(&x->exp_dfltlevel);
}
void user_datum_destroy(user_datum_t * x)
{
if (x != NULL) {
role_set_destroy(&x->roles);
- mls_range_destroy(&x->range);
- mls_level_destroy(&x->dfltlevel);
+ mls_semantic_range_destroy(&x->range);
+ mls_semantic_level_destroy(&x->dfltlevel);
ebitmap_destroy(&x->cache);
+ mls_range_destroy(&x->exp_range);
+ mls_level_destroy(&x->exp_dfltlevel);
}
}
@@ -498,6 +502,20 @@
return -1;
}
+ if (p->policy_type != POLICY_KERN) {
+ mls_range_destroy(&user->exp_range);
+ if (mls_semantic_range_expand(&user->range,
+ &user->exp_range, p, NULL)) {
+ return -1;
+ }
+
+ mls_level_destroy(&user->exp_dfltlevel);
+ if (mls_semantic_level_expand(&user->dfltlevel,
+ &user->exp_dfltlevel, p, NULL)) {
+ return -1;
+ }
+ }
+
return 0;
}
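Review bot: The expansion here passes a NULL handle to mls_semantic_range_expand and mls_semantic_level_expand, so a user whose semantic range names a sensitivity or category that does not exist in this policy fails with a bare -1 and the caller can only report a generic indexing error. If the index callback can reach a handle, thread it through; otherwise a comment `/* NULL handle: expansion errors surface to the caller as an indexing failure */` documents the trade-off. No mls_level_between check follows the expansion, so a module that is indexed but never expanded carries an inconsistent user range unnoticed until context validation; either validate here as well or state that validation is deferred to expand.c. The enclosing index callback starts before this hunk.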
@@ -2235,18 +2253,38 @@
goto bad;
}
- /* users aren't allowed in mls modules but they can be required, the mls fields will be empty,
- * user declarations in non-mls modules will also have empty mls fields */
+ /* users were not allowed in mls modules before version
+ * MOD_POLICYDB_VERSION_MLS_USERS, but they could have been
+ * required - the mls fields will be empty. user declarations in
+ * non-mls modules will also have empty mls fields */
if ((p->policy_type == POLICY_KERN
&& p->policyvers >= POLICYDB_VERSION_MLS)
|| (p->policy_type == POLICY_MOD
- && p->policyvers >= MOD_POLICYDB_VERSION_MLS)
+ && p->policyvers >= MOD_POLICYDB_VERSION_MLS
+ && p->policyvers < MOD_POLICYDB_VERSION_MLS_USERS)
|| (p->policy_type == POLICY_BASE
- && p->policyvers >= MOD_POLICYDB_VERSION_MLS)) {
- if (mls_read_range_helper(&usrdatum->range, fp))
+ && p->policyvers >= MOD_POLICYDB_VERSION_MLS
+ && p->policyvers < MOD_POLICYDB_VERSION_MLS_USERS)) {
+ if (mls_read_range_helper(&usrdatum->exp_range, fp))
goto bad;
- if (mls_read_level(&usrdatum->dfltlevel, fp))
+ if (mls_read_level(&usrdatum->exp_dfltlevel, fp))
goto bad;
+ if (p->policy_type != POLICY_KERN) {
+ if (mls_range_to_semantic(&usrdatum->exp_range,
+ &usrdatum->range))
+ goto bad;
+ if (mls_level_to_semantic(&usrdatum->exp_dfltlevel,
+ &usrdatum->dfltlevel))
+ goto bad;
+ }
+ } else if ((p->policy_type == POLICY_MOD
+ && p->policyvers >= MOD_POLICYDB_VERSION_MLS_USERS)
+ || (p->policy_type == POLICY_BASE
+ && p->policyvers >= MOD_POLICYDB_VERSION_MLS_USERS)) {
+ if (mls_read_semantic_range_helper(&usrdatum->range, fp))
+ goto bad;
+ if (mls_read_semantic_level_helper(&usrdatum->dfltlevel, fp))
+ goto bad;
}
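Review bot: The new semantic branch reads the user's range and default level straight from the policy file and nothing after it checks the referenced sensitivity or category identifiers, so a malformed or crafted module is only rejected later, at index or expand time, where the expansion runs without a handle and the error is not attributed to the user. If mls_read_semantic_range_helper does not itself bound-check against p->p_levels.nprim and p->p_cats.nprim, a check here or a comment `/* identifiers are validated when the semantic range is expanded at index time */` is warranted. The enclosing read function starts before this hunk.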
if (hashtab_insert(h, key, usrdatum))
Modified: trunk/libsepol/src/users.c
===================================================================
--- trunk/libsepol/src/users.c 2006-09-05 14:27:55 UTC (rev 2016)
+++ trunk/libsepol/src/users.c 2006-09-05 14:28:31 UTC (rev 2017)
@@ -47,13 +47,13 @@
context_init(&context);
if (mls_level_cpy(&context.range.level[0],
- &usrdatum->dfltlevel) < 0) {
+ &usrdatum->exp_dfltlevel) < 0) {
ERR(handle, "could not copy MLS level");
context_destroy(&context);
goto err;
}
if (mls_level_cpy(&context.range.level[1],
- &usrdatum->dfltlevel) < 0) {
+ &usrdatum->exp_dfltlevel) < 0) {
ERR(handle, "could not copy MLS level");
context_destroy(&context);
goto err;
@@ -71,7 +71,7 @@
free(str);
context_init(&context);
- if (mls_range_cpy(&context.range, &usrdatum->range) < 0) {
+ if (mls_range_cpy(&context.range, &usrdatum->exp_range) < 0) {
ERR(handle, "could not copy MLS range");
context_destroy(&context);
goto err;
@@ -191,8 +191,8 @@
context_destroy(&context);
goto err;
}
- if (mls_level_cpy(&usrdatum->dfltlevel, &context.range.level[0])
- < 0) {
+ if (mls_level_cpy(&usrdatum->exp_dfltlevel,
+ &context.range.level[0]) < 0) {
ERR(handle, "could not copy MLS level %s", cmls_level);
context_destroy(&context);
goto err;
@@ -211,13 +211,12 @@
context_destroy(&context);
goto err;
}
- if (mls_range_cpy(&usrdatum->range, &context.range) < 0) {
+ if (mls_range_cpy(&usrdatum->exp_range, &context.range) < 0) {
ERR(handle, "could not copy MLS range %s", cmls_range);
context_destroy(&context);
goto err;
}
context_destroy(&context);
-
} else if (cmls_level != NULL || cmls_range != NULL) {
ERR(handle, "MLS is disabled, but MLS level/range "
"was found for user %s", cname);
Modified: trunk/libsepol/src/write.c
===================================================================
--- trunk/libsepol/src/write.c 2006-09-05 14:27:55 UTC (rev 2016)
+++ trunk/libsepol/src/write.c 2006-09-05 14:28:31 UTC (rev 2017)
@@ -1005,18 +1005,27 @@
if (role_set_write(&usrdatum->roles, fp))
return POLICYDB_ERROR;
}
- /* Users are allowed in non-mls modules, so the empty field will be present
- in modules with users >= MOD_POLICYDB_VERSION_MLS */
+
if ((p->policyvers >= POLICYDB_VERSION_MLS
&& p->policy_type == POLICY_KERN)
|| (p->policyvers >= MOD_POLICYDB_VERSION_MLS
+ && p->policyvers < MOD_POLICYDB_VERSION_MLS_USERS
&& p->policy_type == POLICY_MOD)
|| (p->policyvers >= MOD_POLICYDB_VERSION_MLS
+ && p->policyvers < MOD_POLICYDB_VERSION_MLS_USERS
&& p->policy_type == POLICY_BASE)) {
- if (mls_write_range_helper(&usrdatum->range, fp))
+ if (mls_write_range_helper(&usrdatum->exp_range, fp))
return POLICYDB_ERROR;
- if (mls_write_level(&usrdatum->dfltlevel, fp))
+ if (mls_write_level(&usrdatum->exp_dfltlevel, fp))
return POLICYDB_ERROR;
+ } else if ((p->policyvers >= MOD_POLICYDB_VERSION_MLS_USERS
+ && p->policy_type == POLICY_MOD)
+ || (p->policyvers >= MOD_POLICYDB_VERSION_MLS_USERS
+ && p->policy_type == POLICY_BASE)) {
+ if (mls_write_semantic_range_helper(&usrdatum->range, fp))
+ return -1;
+ if (mls_write_semantic_level_helper(&usrdatum->dfltlevel, fp))
+ return -1;
}
return POLICYDB_SUCCESS;
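Review bot: The two new failure returns in the semantic branch use `return -1;` while every other error path in this function returns POLICYDB_ERROR, so callers comparing against the POLICYDB_* constants see an inconsistent code; change both to `return POLICYDB_ERROR;`. The commit message says the expanded fields are regenerated before a kernel policy is written so they stay in sync with the rest of the policy, but this hunk writes exp_range/exp_dfltlevel directly and the regeneration is not visible here, so a comment on the kernel branch pointing to where it happens would help. The enclosing write function starts before this hunk.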