Menu
▾
▴
[Selinux-commits] SF.net SVN: selinux: [2308] trunk/libsepol
|
From: <mad...@us...> - 2007-03-30 15:25:36
|
Revision: 2308
http://svn.sourceforge.net/selinux/?rev=2308&view=rev
Author: madmethod
Date: 2007-03-30 08:25:34 -0700 (Fri, 30 Mar 2007)
Log Message:
-----------
Author: Karl MacMillan
Email: kma...@me...
Subject: map booleans during expansion
Date: Thu, 29 Mar 2007 11:22:14 -0400
On Thu, 2007-03-29 at 10:10 -0400, Joshua Brindle wrote:
> Stephen Smalley wrote:
> > On Thu, 2007-03-29 at 08:38 -0400, Joshua Brindle wrote:
> >
> >> Karl MacMillan wrote:
> >>
> >>> [below is a response to an accidentally off-list discussion]
> >>>
> >>> On Wed, 2007-03-28 at 12:29 -0400, Stephen Smalley wrote:
> >>>
> >>>
> >>>> On Wed, 2007-03-28 at 12:16 -0400, Karl MacMillan wrote:
> >>>>
> >>>>
> >>>>> Currently, the expander does not map booleans during expansion.
> >>>>>
> >>>>>
> >>> However,
> >>>
> >>>
> >>>>> it is possible that booleans can be declared in an optional block
> >>>>> resulting in the need to map the booleans. This patch adds boolean
> >>>>> mappings to the expander. The same thing likely needs to be done for
> >>>>> roles and users - Josh, can you confirm
> >>>>>
> >>>>>
> >> This is correct, only types are being remapped by the expander. I guess
> >> someone didn't think all the extra code to remap all of them was worth
> >> it since they are very small namespaces anyway.
> >>
> >
> > So do they need to be remapped or not?
> >
> >
> It isn't strictly necessary. Holes in the symbol tables aren't currently
> causing any problems and the new representation shouldn't have this
> problem so I don't know the value in applying this patch now.
>
It is necessary - this patch came about because of errors during
compilation. If the base module has more booleans than the output policy
then the boolean indexing will fail during policydb_index_others. We
could certainly allow holes in the symbol tables, but it doesn't work
currently because nprim will be smaller than the largest value.
So do we allow holes or do the indexing?
An updated patch against trunk that fixes the memory leak is below. At
some point we should standardize on whether destroy / free functions
free the struct or just the allocated memory contained by the struct.
Also, if anyone is looking for something to do, adding a few valgrind
runs to the unit tests would be helpful to encourage slackers like me to
be more diligent. I'll send a patch for stable if this is the route we
want to take.
Signed-off-by: Karl MacMillan <kma...@me...>
Modified Paths:
--------------
trunk/libsepol/ChangeLog
trunk/libsepol/VERSION
trunk/libsepol/include/sepol/policydb/conditional.h
trunk/libsepol/src/conditional.c
trunk/libsepol/src/expand.c
trunk/libsepol/src/private.h
Modified: trunk/libsepol/ChangeLog
===================================================================
--- trunk/libsepol/ChangeLog 2007-03-26 15:08:31 UTC (rev 2307)
+++ trunk/libsepol/ChangeLog 2007-03-30 15:25:34 UTC (rev 2308)
@@ -1,3 +1,7 @@
+2.0.2 2007-03-30
+ * Merged fix from Karl to remap booleans at expand time to
+ avoid holes in the symbol table.
+
2.0.1 2007-02-06
* Merged libsepol segfault fix from Stephen Smalley for when
sensitivities are required but not present in the base.
Modified: trunk/libsepol/VERSION
===================================================================
--- trunk/libsepol/VERSION 2007-03-26 15:08:31 UTC (rev 2307)
+++ trunk/libsepol/VERSION 2007-03-30 15:25:34 UTC (rev 2308)
@@ -1 +1 @@
-2.0.1
+2.0.2
Modified: trunk/libsepol/include/sepol/policydb/conditional.h
===================================================================
--- trunk/libsepol/include/sepol/policydb/conditional.h 2007-03-26 15:08:31 UTC (rev 2307)
+++ trunk/libsepol/include/sepol/policydb/conditional.h 2007-03-30 15:25:34 UTC (rev 2308)
@@ -100,6 +100,8 @@
cond_node_t * needle, cond_node_t * haystack,
int *was_created);
+extern cond_node_t *cond_node_create(policydb_t * p, cond_node_t * node);
+
extern cond_node_t *cond_node_search(policydb_t * p, cond_node_t * list,
cond_node_t * cn);
Modified: trunk/libsepol/src/conditional.c
===================================================================
--- trunk/libsepol/src/conditional.c 2007-03-26 15:08:31 UTC (rev 2307)
+++ trunk/libsepol/src/conditional.c 2007-03-30 15:25:34 UTC (rev 2308)
@@ -26,9 +26,6 @@
#include "private.h"
-#undef min
-#define min(a,b) (((a) < (b)) ? (a) : (b))
-
/* move all type rules to top of t/f lists to help kernel on evaluation */
static void cond_optimize(cond_av_list_t ** l)
{
@@ -136,6 +133,38 @@
return 1;
}
+/* Create a new conditional node, optionally copying
+ * the conditional expression from an existing node.
+ * If node is NULL then a new node will be created
+ * with no conditional expression.
+ */
+cond_node_t *cond_node_create(policydb_t * p, cond_node_t * node)
+{
+ cond_node_t *new_node;
+ unsigned int i;
+
+ new_node = (cond_node_t *)malloc(sizeof(cond_node_t));
+ if (!new_node) {
+ return NULL;
+ }
+ memset(new_node, 0, sizeof(cond_node_t));
+
+ if (node) {
+ new_node->expr = cond_copy_expr(node->expr);
+ if (!new_node->expr) {
+ free(new_node);
+ return NULL;
+ }
+ new_node->cur_state = cond_evaluate_expr(p, new_node->expr);
+ new_node->nbools = node->nbools;
+ for (i = 0; i < min(node->nbools, COND_MAX_BOOLS); i++)
+ new_node->bool_ids[i] = node->bool_ids[i];
+ new_node->expr_pre_comp = node->expr_pre_comp;
+ }
+
+ return new_node;
+}
+
/* Find a conditional (the needle) within a list of existing ones (the
* haystack) that has a matching expression. If found, return a
* pointer to the existing node, setting 'was_created' to 0.
@@ -145,9 +174,6 @@
cond_node_t * needle, cond_node_t * haystack,
int *was_created)
{
- cond_node_t *new_node;
- unsigned int i;
-
while (haystack) {
if (cond_expr_equal(needle, haystack)) {
*was_created = 0;
@@ -156,26 +182,8 @@
haystack = haystack->next;
}
*was_created = 1;
- new_node = (cond_node_t *) malloc(sizeof(cond_node_t));
- if (!new_node) {
- return NULL;
- }
- memset(new_node, 0, sizeof(cond_node_t));
- new_node->expr = cond_copy_expr(needle->expr);
- if (!new_node->expr) {
- free(new_node);
- return NULL;
- }
- new_node->cur_state = cond_evaluate_expr(p, new_node->expr);
- new_node->nbools = needle->nbools;
- for (i = 0; i < min(needle->nbools, COND_MAX_BOOLS); i++)
- new_node->bool_ids[i] = needle->bool_ids[i];
- new_node->expr_pre_comp = needle->expr_pre_comp;
- new_node->true_list = NULL;
- new_node->false_list = NULL;
- new_node->avtrue_list = NULL;
- new_node->avfalse_list = NULL;
- return new_node;
+
+ return cond_node_create(p, needle);
}
/* return either a pre-existing matching node or create a new node */
Modified: trunk/libsepol/src/expand.c
===================================================================
--- trunk/libsepol/src/expand.c 2007-03-26 15:08:31 UTC (rev 2307)
+++ trunk/libsepol/src/expand.c 2007-03-30 15:25:34 UTC (rev 2308)
@@ -35,10 +35,12 @@
#include <assert.h>
#include "debug.h"
+#include "private.h"
typedef struct expand_state {
int verbose;
uint32_t *typemap;
+ uint32_t *boolmap;
policydb_t *base;
policydb_t *out;
sepol_handle_t *handle;
@@ -791,8 +793,8 @@
return -1;
}
- new_bool->s.value = bool->s.value;
state->out->p_bools.nprim++;
+ new_bool->s.value = state->out->p_bools.nprim;
ret = hashtab_insert(state->out->p_bools.table,
(hashtab_key_t) new_id,
@@ -804,6 +806,8 @@
return -1;
}
+ state->boolmap[bool->s.value - 1] = new_bool->s.value;
+
new_bool->state = bool->state;
return 0;
@@ -1555,12 +1559,35 @@
return 0;
}
+static int cond_node_map_bools(expand_state_t * state, cond_node_t * cn)
+{
+ cond_expr_t *cur;
+ unsigned int i;
+
+ cur = cn->expr;
+ while (cur) {
+ if (cur->bool)
+ cur->bool = state->boolmap[cur->bool - 1];
+ cur = cur->next;
+ }
+
+ for (i = 0; i < min(cn->nbools, COND_MAX_BOOLS); i++)
+ cn->bool_ids[i] = state->boolmap[cn->bool_ids[i] - 1];
+
+ if (cond_normalize_expr(state->out, cn)) {
+ ERR(state->handle, "Error while normalizing conditional");
+ return -1;
+ }
+
+ return 0;
+}
+
/* copy the nodes in *reverse* order -- the result is that the last
* given conditional appears first in the policy, so as to match the
* behavior of the upstream compiler */
static int cond_node_copy(expand_state_t * state, cond_node_t * cn)
{
- cond_node_t *new_cond;
+ cond_node_t *new_cond, *tmp;
if (cn == NULL) {
return 0;
@@ -1573,11 +1600,28 @@
return -1;
}
- new_cond = cond_node_search(state->out, state->out->cond_list, cn);
+ /* create a new temporary conditional node with the booleans
+ * mapped */
+ tmp = cond_node_create(state->base, cn);
+ if (!tmp) {
+ ERR(state->handle, "Out of memory");
+ return -1;
+ }
+
+ if (cond_node_map_bools(state, tmp)) {
+ ERR(state->handle, "Error mapping booleans");
+ return -1;
+ }
+
+ new_cond = cond_node_search(state->out, state->out->cond_list, tmp);
if (!new_cond) {
+ cond_node_destroy(tmp);
+ free(tmp);
ERR(state->handle, "Out of memory!");
return -1;
}
+ cond_node_destroy(tmp);
+ free(tmp);
if (cond_avrule_list_copy
(state->out, cn->avtrue_list, &state->out->te_cond_avtab,
@@ -2210,6 +2254,12 @@
goto cleanup;
}
+ state.boolmap = (uint32_t *)calloc(state.base->p_bools.nprim, sizeof(uint32_t));
+ if (!state.boolmap) {
+ ERR(handle, "Out of memory!");
+ goto cleanup;
+ }
+
/* order is important - types must be first */
/* copy types */
@@ -2364,6 +2414,7 @@
cleanup:
free(state.typemap);
+ free(state.boolmap);
return retval;
}
Modified: trunk/libsepol/src/private.h
===================================================================
--- trunk/libsepol/src/private.h 2007-03-26 15:08:31 UTC (rev 2307)
+++ trunk/libsepol/src/private.h 2007-03-30 15:25:34 UTC (rev 2308)
@@ -24,6 +24,9 @@
#define le64_to_cpu(x) bswap_64(x)
#endif
+#undef min
+#define min(a,b) (((a) < (b)) ? (a) : (b))
+
/* Policy compatibility information. */
struct policydb_compat_info {
unsigned int type;
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
