From: <ssm...@us...> - 2007-05-03 17:33:19
Revision: 2425
http://svn.sourceforge.net/selinux/?rev=2425&view=rev
Author: ssmalley
Date: 2007-05-03 10:33:17 -0700 (Thu, 03 May 2007)
Log Message:
-----------
Author: Stephen Smalley
Email: sd...@ty...
Subject: Drop preservebools support from userland policy loader
Date: Fri, 27 Apr 2007 14:53:34 -0400
For the policyrep branch.
This patch drops preservebools support from the userland policy loader,
as it will be provided by the kernel automatically going forward (already in
-git as of today, will be released in 2.6.22). The patch includes the removal of the
obsoleted sepol_genbools_array interface from libsepol and the removal of
the preservebools flag from the selinux_mkload_policy() interface in libselinux.
This removes the last remaining manipulation of policy at load time except for
the possible downgrading of policy to the kernel's version if they do not match.
The only case where this will yield a change in behavior is if someone does
a setsebool w/o -P and then reloads policy on a kernel that lacks the new support
for preserving booleans. As the dominant use of booleans today is as tunables,
non-persistent boolean changes are rarely used.
Signed-off-by: Stephen Smalley <sd...@ty...>
Modified Paths:
--------------
branches/policyrep/libselinux/include/selinux/selinux.h
branches/policyrep/libselinux/src/load_policy.c
branches/policyrep/libselinux/src/selinuxswig.i
branches/policyrep/libselinux/src/selinuxswig_wrap.c
branches/policyrep/libsepol/include/sepol/booleans.h
branches/policyrep/libsepol/include/sepol/users.h
branches/policyrep/libsepol/src/libsepol.map
branches/policyrep/policycoreutils/load_policy/load_policy.c
Removed Paths:
-------------
branches/policyrep/libsepol/man/man3/sepol_genbools.3
branches/policyrep/libsepol/src/genbools.c
Modified: branches/policyrep/libselinux/include/selinux/selinux.h
===================================================================
--- branches/policyrep/libselinux/include/selinux/selinux.h 2007-05-03 16:57:02 UTC (rev 2424)
+++ branches/policyrep/libselinux/include/selinux/selinux.h 2007-05-03 17:33:17 UTC (rev 2425)
@@ -201,16 +201,10 @@
* This function provides a higher level interface for loading policy
* than security_load_policy, internally determining the right policy
* version, locating and opening the policy file, mapping it into memory,
- * manipulating it as needed for current boolean settings and/or local
- * definitions, and then calling security_load_policy to load it.
- *
- * 'preservebools' is a boolean flag indicating whether current
- * policy boolean values should be preserved into the new policy (if 1)
- * or reset to the saved policy settings (if 0). The former case is the
- * default for policy reloads, while the latter case is an option for policy
- * reloads but is primarily for the initial policy load.
+ * manipulating it as needed to match the kernel's supported version, and
+ * then calling security_load_policy to load it.
*/
- extern int selinux_mkload_policy(int preservebools);
+ extern int selinux_mkload_policy(void);
/*
* Perform the initial policy load.
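Review bot: The rewritten comment at L57-L58 no longer tells callers what happens to the currently active boolean values, and with the `preservebools` parameter gone from the prototype at L61 there is nothing left in the header to explain it. The log message says preservation is now delegated to the kernel and that kernels without that support reset non-persistent changes on reload; that belongs next to the prototype, e.g. ` * Active boolean values are not preserved by this function; kernels with` / ` * in-kernel boolean preservation keep them across a reload, older kernels reset them.` Removing the parameter is also a source- and binary-incompatible change to an exported libselinux function, and no libselinux version script is in this commit's modified paths, so the branch's soname/version policy should be confirmed to cover it.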
Modified: branches/policyrep/libselinux/src/load_policy.c
===================================================================
--- branches/policyrep/libselinux/src/load_policy.c 2007-05-03 16:57:02 UTC (rev 2424)
+++ branches/policyrep/libselinux/src/load_policy.c 2007-05-03 17:33:17 UTC (rev 2425)
@@ -39,15 +39,15 @@
hidden_def(security_load_policy)
-int selinux_mkload_policy(int preservebools)
+int selinux_mkload_policy(void)
{
int vers = sepol_policy_kern_vers_max();
int kernvers = security_policyvers();
- char path[PATH_MAX], **names;
+ char path[PATH_MAX];
struct stat sb;
size_t size;
void *map, *data;
- int fd, rc = -1, *values, len, i, prot;
+ int fd, rc = -1;
sepol_policydb_t *policydb;
sepol_policy_file_t *pf;
@@ -68,12 +68,8 @@
if (fstat(fd, &sb) < 0)
goto close;
- prot = PROT_READ;
- if (preservebools)
- prot |= PROT_WRITE;
-
size = sb.st_size;
- data = map = mmap(NULL, size, prot, MAP_PRIVATE, fd, 0);
+ data = map = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
if (map == MAP_FAILED)
goto close;
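Review bot: With PROT_WRITE dropped at L93 the file image is a read-only private mapping, but `map` and `data` keep their non-const `void *` type, so nothing in the types stops a later change from writing into the image again, and such a write would now fault instead of silently patching the copy. A comment on the mmap line would make the new invariant explicit: `/* Read-only: the policy image is no longer rewritten in place. */`. The version-downgrade path that may point `data` somewhere other than `map` lies outside this hunk, so I cannot confirm from here that it builds its own buffer rather than touching `map`; that is worth checking once.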
@@ -105,24 +101,6 @@
sepol_policydb_free(policydb);
}
- if (preservebools) {
- rc = security_get_boolean_names(&names, &len);
- if (!rc) {
- values = malloc(sizeof(int) * len);
- if (!values)
- goto unmap;
- for (i = 0; i < len; i++)
- values[i] =
- security_get_boolean_active(names[i]);
- (void)sepol_genbools_array(data, size, names, values,
- len);
- free(values);
- for (i = 0; i < len; i++)
- free(names[i]);
- free(names);
- }
- }
-
rc = security_load_policy(data, size);
unmap:
@@ -244,7 +222,7 @@
}
/* Load the policy. */
- return selinux_mkload_policy(0);
+ return selinux_mkload_policy();
noload:
/*
Modified: branches/policyrep/libselinux/src/selinuxswig.i
===================================================================
--- branches/policyrep/libselinux/src/selinuxswig.i 2007-05-03 16:57:02 UTC (rev 2424)
+++ branches/policyrep/libselinux/src/selinuxswig.i 2007-05-03 17:33:17 UTC (rev 2425)
@@ -63,7 +63,7 @@
extern int lsetfilecon(const char *path, security_context_t con);
extern int fsetfilecon(int fd, security_context_t con);
extern int getpeercon(int fd, security_context_t *con);
-extern int selinux_mkload_policy(int preservebools);
+extern int selinux_mkload_policy(void);
extern int selinux_init_load_policy(int *enforce);
extern int security_set_boolean_list(size_t boolcnt,
SELboolean *boollist);
Modified: branches/policyrep/libselinux/src/selinuxswig_wrap.c
===================================================================
--- branches/policyrep/libselinux/src/selinuxswig_wrap.c 2007-05-03 16:57:02 UTC (rev 2424)
+++ branches/policyrep/libselinux/src/selinuxswig_wrap.c 2007-05-03 17:33:17 UTC (rev 2425)
@@ -3350,19 +3350,10 @@
SWIGINTERN PyObject *_wrap_selinux_mkload_policy(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
PyObject *resultobj = 0;
- int arg1 ;
int result;
- int val1 ;
- int ecode1 = 0 ;
- PyObject * obj0 = 0 ;
- if (!PyArg_ParseTuple(args,(char *)"O:selinux_mkload_policy",&obj0)) SWIG_fail;
- ecode1 = SWIG_AsVal_int(obj0, &val1);
- if (!SWIG_IsOK(ecode1)) {
- SWIG_exception_fail(SWIG_ArgError(ecode1), "in method '" "selinux_mkload_policy" "', argument " "1"" of type '" "int""'");
- }
- arg1 = (int)(val1);
- result = (int)selinux_mkload_policy(arg1);
+ if (!PyArg_ParseTuple(args,(char *)":selinux_mkload_policy")) SWIG_fail;
+ result = (int)selinux_mkload_policy();
resultobj = SWIG_From_int((int)(result));
return resultobj;
fail:
Modified: branches/policyrep/libsepol/include/sepol/booleans.h
===================================================================
--- branches/policyrep/libsepol/include/sepol/booleans.h 2007-05-03 16:57:02 UTC (rev 2424)
+++ branches/policyrep/libsepol/include/sepol/booleans.h 2007-05-03 17:33:17 UTC (rev 2425)
@@ -6,24 +6,6 @@
#include <sepol/boolean_record.h>
#include <sepol/handle.h>
-/*--------------compatibility--------------*/
-
-/* Given an existing binary policy (starting at 'data', with length 'len')
- and a boolean configuration file named by 'boolpath', rewrite the binary
- policy for the boolean settings in the boolean configuration file.
- The binary policy is rewritten in place in memory.
- Returns 0 upon success, or -1 otherwise. */
-extern int sepol_genbools(void *data, size_t len, char *boolpath);
-
-/* Given an existing binary policy (starting at 'data', with length 'len')
- and boolean settings specified by the parallel arrays ('names', 'values')
- with 'nel' elements, rewrite the binary policy for the boolean settings.
- The binary policy is rewritten in place in memory.
- Returns 0 upon success or -1 otherwise. */
-extern int sepol_genbools_array(void *data, size_t len,
- char **names, int *values, int nel);
-/*---------------end compatbility------------*/
-
/* Set the specified boolean */
extern int sepol_bool_set(sepol_handle_t * handle,
sepol_policydb_t * policydb,
Modified: branches/policyrep/libsepol/include/sepol/users.h
===================================================================
--- branches/policyrep/libsepol/include/sepol/users.h 2007-05-03 16:57:02 UTC (rev 2424)
+++ branches/policyrep/libsepol/include/sepol/users.h 2007-05-03 17:33:17 UTC (rev 2425)
@@ -6,23 +6,6 @@
#include <sepol/handle.h>
#include <stddef.h>
-/*---------compatibility------------*/
-
-/* Given an existing binary policy (starting at 'data with length 'len')
- and user configurations living in 'usersdir', generate a new binary
- policy for the new user configurations. Sets '*newdata' and '*newlen'
- to refer to the new binary policy image. */
-extern int sepol_genusers(void *data, size_t len,
- const char *usersdir,
- void **newdata, size_t * newlen);
-
-/* Enable or disable deletion of users by sepol_genusers(3) when
- a user in original binary policy image is not defined by the
- new user configurations. Defaults to disabled. */
-extern void sepol_set_delusers(int on);
-
-/*--------end compatibility----------*/
-
/* Modify the user, or add it, if the key is not found */
extern int sepol_user_modify(sepol_handle_t * handle,
sepol_policydb_t * policydb,
Deleted: branches/policyrep/libsepol/man/man3/sepol_genbools.3
===================================================================
--- branches/policyrep/libsepol/man/man3/sepol_genbools.3 2007-05-03 16:57:02 UTC (rev 2424)
+++ branches/policyrep/libsepol/man/man3/sepol_genbools.3 2007-05-03 17:33:17 UTC (rev 2425)
@@ -1,22 +0,0 @@
-.TH "sepol_genbools" "3" "11 August 2004" "sd...@ep..." "SE Linux binary policy API documentation"
-.SH "NAME"
-sepol_genbools \- Rewrite a binary policy with different boolean settings
-.SH "SYNOPSIS"
-.B #include <sepol/sepol.h>
-.sp
-.BI "int sepol_genbools_array(void *" data ", size_t " len ", char **" names ", int *" values ", int " nel );
-
-.SH "DESCRIPTION"
-.B sepol_genbools_array
-rewrites a binary policy stored in the memory region described by
-(data, len) to use the boolean settings specified in the parallel
-arrays (names, values) with nel elements each. The binary policy is
-rewritten in place in memory.
-
-.SH "RETURN VALUE"
-Returns 0 on success or -1 otherwise, with errno set appropriately.
-An errno of EINVAL indicates that one or more booleans listed in the
-boolean file was undefined in the policy or had an invalid value specified;
-in this case, the binary policy is still rewritten but any invalid
-boolean settings are ignored.
-
Deleted: branches/policyrep/libsepol/src/genbools.c
===================================================================
--- branches/policyrep/libsepol/src/genbools.c 2007-05-03 16:57:02 UTC (rev 2424)
+++ branches/policyrep/libsepol/src/genbools.c 2007-05-03 17:33:17 UTC (rev 2425)
@@ -1,71 +0,0 @@
-#include <stdio.h>
-#include <stdlib.h>
-#include <ctype.h>
-#include <errno.h>
-
-#include <sepol/policydb/policydb.h>
-#include <sepol/policydb/conditional.h>
-
-#include "debug.h"
-#include "private.h"
-#include "dso.h"
-
-int sepol_genbools_array(void *data, size_t len, char **names, int *values,
- int nel)
-{
- struct policydb policydb;
- struct policy_file pf;
- int rc, i, errors = 0;
- struct cond_bool_datum *datum;
-
- /* Create policy database from image */
- if (policydb_init(&policydb))
- goto err;
- if (policydb_from_image(NULL, data, len, &policydb) < 0)
- goto err;
-
- for (i = 0; i < nel; i++) {
- datum = hashtab_search(policydb.p_bools.table, names[i]);
- if (!datum) {
- ERR(NULL, "boolean %s no longer in policy", names[i]);
- errors++;
- continue;
- }
- if (values[i] != 0 && values[i] != 1) {
- ERR(NULL, "illegal value %d for boolean %s",
- values[i], names[i]);
- errors++;
- continue;
- }
- datum->state = values[i];
- }
-
- if (evaluate_conds(&policydb) < 0) {
- ERR(NULL, "error while re-evaluating conditionals");
- errno = EINVAL;
- goto err_destroy;
- }
-
- pf.type = PF_USE_MEMORY;
- pf.data = data;
- pf.len = len;
- rc = policydb_write(&policydb, &pf);
- if (rc) {
- ERR(NULL, "unable to write binary policy");
- errno = EINVAL;
- goto err_destroy;
- }
- if (errors) {
- errno = EINVAL;
- goto err_destroy;
- }
-
- policydb_destroy(&policydb);
- return 0;
-
- err_destroy:
- policydb_destroy(&policydb);
-
- err:
- return -1;
-}
Modified: branches/policyrep/libsepol/src/libsepol.map
===================================================================
--- branches/policyrep/libsepol/src/libsepol.map 2007-05-03 16:57:02 UTC (rev 2424)
+++ branches/policyrep/libsepol/src/libsepol.map 2007-05-03 17:33:17 UTC (rev 2425)
@@ -1,7 +1,7 @@
LIBSEPOL_2.0 {
global:
sepol_module_package_*; sepol_link_modules; sepol_expand_module; sepol_link_packages;
- sepol_bool_*; sepol_genbools_array;
+ sepol_bool_*;
sepol_context_*; sepol_mls_*; sepol_check_context;
sepol_iface_*;
sepol_port_*;
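Review bot: Removing `sepol_genbools_array` from the existing LIBSEPOL_2.0 version node at L329-L330 deletes a symbol that previously shipped under that node, so a binary linked against the old library will fail to load with an unresolved versioned symbol; on a development branch that may be acceptable, but the log message only describes the interface removal and should state the ABI break (or the commit should bump the soname). The users.h hunk in this commit also drops the `sepol_genusers` and `sepol_set_delusers` declarations, which neither the log message nor this map mentions; if their definitions still exist in the tree they remain exported under whatever entry covers them, and if not they need the same treatment as here. I cannot see the rest of the map or a genusers source file in this commit, so that is to be confirmed.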
Modified: branches/policyrep/policycoreutils/load_policy/load_policy.c
===================================================================
--- branches/policyrep/policycoreutils/load_policy/load_policy.c 2007-05-03 16:57:02 UTC (rev 2424)
+++ branches/policyrep/policycoreutils/load_policy/load_policy.c 2007-05-03 17:33:17 UTC (rev 2425)
@@ -62,7 +62,7 @@
argv[0], argv[optind++]);
}
- ret = selinux_mkload_policy(1);
+ ret = selinux_mkload_policy();
if (ret < 0) {
fprintf(stderr, _("%s: Can't load policy: %s\n"),
argv[0], strerror(errno));
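Review bot: The call at L342 drops the `1` that made this tool preserve active boolean values across a reload, so on a kernel without the in-kernel preservation described in the log message a `load_policy` run now resets any boolean set without `-P`. That is a user-visible behaviour change of the command rather than of the library, and the tool's usage text and man page, both outside this hunk, should say so. A one-line comment above the call would also help the next reader: `/* Active booleans are preserved by the kernel, not by the loader. */`.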