From: <ssm...@us...> - 2007-09-27 13:16:59
Revision: 2592
http://selinux.svn.sourceforge.net/selinux/?rev=2592&view=rev
Author: ssmalley
Date: 2007-09-27 06:15:25 -0700 (Thu, 27 Sep 2007)
Log Message:
-----------
applied r2565:2567 (handle_unknown support) from trunk
Modified Paths:
--------------
branches/stable/1_0/checkpolicy/checkmodule.c
branches/stable/1_0/checkpolicy/checkpolicy.c
branches/stable/1_0/checkpolicy/policy_parse.y
branches/stable/1_0/checkpolicy/test/dismod.c
branches/stable/1_0/checkpolicy/test/dispol.c
branches/stable/1_0/libsepol/include/sepol/policydb/policydb.h
branches/stable/1_0/libsepol/src/expand.c
branches/stable/1_0/libsepol/src/policydb.c
branches/stable/1_0/libsepol/src/write.c
Modified: branches/stable/1_0/checkpolicy/checkmodule.c
===================================================================
--- branches/stable/1_0/checkpolicy/checkmodule.c 2007-09-27 13:12:37 UTC (rev 2591)
+++ branches/stable/1_0/checkpolicy/checkmodule.c 2007-09-27 13:15:25 UTC (rev 2592)
@@ -39,6 +39,7 @@
static sidtab_t sidtab;
extern int mlspol;
+extern int handle_unknown;
static char *txtfile = "policy.conf";
static char *binfile = "policy";
@@ -121,6 +122,7 @@
p->policy_type = policy_type;
p->policyvers = policyvers;
+ p->handle_unknown = handle_unknown;
pf.type = PF_USE_STDIO;
pf.fp = outfp;
@@ -135,13 +137,17 @@
static void usage(char *progname)
{
- printf("usage: %s [-V] [-b] [-m] [-M] [-o FILE] [INPUT]\n", progname);
+ printf("usage: %s [-V] [-b] [-U handle_unknown] [-m] [-M] [-o FILE] [INPUT]\n", progname);
printf("Build base and policy modules.\n");
printf("Options:\n");
printf(" INPUT build module from INPUT (else read from \"%s\")\n",
txtfile);
printf(" -V show policy versions created by this program\n");
printf(" -b treat input as a binary policy file\n");
+ printf(" -U OPTION How to handle unknown classes and permissions\n");
+ printf(" deny: Deny unknown kernel checks\n");
+ printf(" reject: Reject loading of policy with unknowns\n");
+ printf(" allow: Allow unknown kernel checks\n");
printf(" -m build a policy module instead of a base module\n");
printf(" -M enable MLS policy\n");
printf(" -o FILE write module to FILE (else just check syntax)\n");
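Review bot: The new help text names the option argument `OPTION` while the synopsis line two lines up calls it `handle_unknown`, and neither says what happens when `-U` is omitted; since `handle_unknown` is initialised to 0 in policy_parse.y and `DENY_UNKNOWN` is 0 in policydb.h (both in this commit), the effective default is deny. Make the two consistent and state the default, e.g. `printf(" -U handle_unknown How to handle unknown classes and permissions (default: deny)\n");`. The usage() body continues past the end of this hunk.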
@@ -156,7 +162,7 @@
int show_version = 0;
policydb_t modpolicydb;
- while ((ch = getopt(argc, argv, "ho:dbVmM")) != EOF) {
+ while ((ch = getopt(argc, argv, "ho:dbVU:mM")) != EOF) {
switch (ch) {
case 'h':
usage(argv[0]);
@@ -171,6 +177,20 @@
case 'V':
show_version = 1;
break;
+ case 'U':
+ if (!strcasecmp(optarg, "deny")) {
+ handle_unknown = DENY_UNKNOWN;
+ break;
+ }
+ if (!strcasecmp(optarg, "reject")) {
+ handle_unknown = REJECT_UNKNOWN;
+ break;
+ }
+ if (!strcasecmp(optarg, "allow")) {
+ handle_unknown = ALLOW_UNKNOWN;
+ break;
+ }
+ usage(argv[0]);
case 'm':
policy_type = POLICY_MOD;
policyvers = MOD_POLICYDB_VERSION_MAX;
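Review bot: The `usage(argv[0]);` on the unrecognized-value path at the end of `case 'U'` is immediately followed by `case 'm':`, so unless usage() terminates the process, an invalid `-U` argument silently continues as if `-m` had been given and the build proceeds; checkmodule's usage() body is not fully visible in this patch, so whether it exits cannot be confirmed from here. Make the intent explicit rather than relying on a helper's side effect: `usage(argv[0]); exit(1); /* not reached when usage() exits */`. The enclosing main() starts and ends outside this hunk.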
@@ -189,6 +209,12 @@
exit(0);
}
+ if (handle_unknown && (policy_type != POLICY_BASE)) {
+ printf("Handling of unknown classes and permissions is only ");
+ printf("valid in the base module\n");
+ exit(1);
+ }
+
if (optind != argc) {
file = argv[optind++];
if (optind != argc)
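Review bot: The guard `if (handle_unknown && (policy_type != POLICY_BASE))` cannot catch `-U deny` combined with `-m`, because `DENY_UNKNOWN` is `0x00000000` in the policydb.h hunk of this same commit, so `handle_unknown` stays 0 and an explicit request that the message says is invalid in a non-base module is silently accepted, while `-U allow -m` and `-U reject -m` are refused. If the intent is to reject any `-U` on a non-base module, record that the option was given separately, e.g. set `handle_unknown_given = 1;` in `case 'U'` and test `if (handle_unknown_given && policy_type != POLICY_BASE)`. The enclosing main() starts and ends outside this hunk.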
@@ -214,6 +240,7 @@
modpolicydb.policy_type = policy_type;
modpolicydb.mls = mlspol;
+ modpolicydb.handle_unknown = handle_unknown;
if (read_source_policy(&modpolicydb, file, argv[0]) == -1) {
exit(1);
Modified: branches/stable/1_0/checkpolicy/checkpolicy.c
===================================================================
--- branches/stable/1_0/checkpolicy/checkpolicy.c 2007-09-27 13:12:37 UTC (rev 2591)
+++ branches/stable/1_0/checkpolicy/checkpolicy.c 2007-09-27 13:15:25 UTC (rev 2592)
@@ -90,6 +90,7 @@
extern policydb_t *policydbp;
extern int mlspol;
+extern int handle_unknown;
static char *txtfile = "policy.conf";
static char *binfile = "policy";
@@ -99,7 +100,7 @@
void usage(char *progname)
{
printf
- ("usage: %s [-b] [-d] [-M] [-c policyvers (%d-%d)] [-o output_file] [input_file]\n",
+ ("usage: %s [-b] [-d] [-U handle_unknown (allow,deny,reject) [-M] [-c policyvers (%d-%d)] [-o output_file] [input_file]\n",
progname, POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
exit(1);
}
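Review bot: The new usage string is missing the closing bracket for the `-U` option: it reads `[-U handle_unknown (allow,deny,reject) [-M]`, which shows `-M` nested inside `-U`. Change it to `[-U handle_unknown (allow,deny,reject)] [-M]`. Note that this usage() ends in `exit(1)`, which the option parser in the later hunk of this file relies on to avoid falling through from `case 'U'`.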
@@ -390,7 +391,7 @@
int show_version = 0;
struct policy_file pf;
- while ((ch = getopt(argc, argv, "o:dbMVc:")) != EOF) {
+ while ((ch = getopt(argc, argv, "o:dbU:MVc:")) != EOF) {
switch (ch) {
case 'o':
outfile = optarg;
@@ -405,6 +406,20 @@
case 'V':
show_version = 1;
break;
+ case 'U':
+ if (!strcasecmp(optarg, "deny")) {
+ handle_unknown = DENY_UNKNOWN;
+ break;
+ }
+ if (!strcasecmp(optarg, "allow")) {
+ handle_unknown = ALLOW_UNKNOWN;
+ break;
+ }
+ if (!strcasecmp(optarg, "reject")) {
+ handle_unknown = REJECT_UNKNOWN;
+ break;
+ }
+ usage(argv[0]);
case 'M':
mlspol = 1;
break;
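Review bot: The trailing `usage(argv[0]);` in `case 'U'` has no `break`, so it relies on usage() calling `exit(1)` (visible in this file's usage() hunk) to avoid dropping into `case 'M':` and quietly turning an invalid `-U` value into an MLS build; a reader of this switch alone cannot see that guarantee. Mark it, e.g. `usage(argv[0]); /* does not return */`, or call `exit(1);` explicitly so the intent no longer depends on the helper. The enclosing main() starts and ends outside this hunk.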
@@ -515,6 +530,7 @@
/* Let sepol know if we are dealing with MLS support */
parse_policy.mls = mlspol;
+ parse_policy.handle_unknown = handle_unknown;
policydbp = &parse_policy;
Modified: branches/stable/1_0/checkpolicy/policy_parse.y
===================================================================
--- branches/stable/1_0/checkpolicy/policy_parse.y 2007-09-27 13:12:37 UTC (rev 2591)
+++ branches/stable/1_0/checkpolicy/policy_parse.y 2007-09-27 13:15:25 UTC (rev 2592)
@@ -66,6 +66,7 @@
static unsigned int pass;
char *curfile = 0;
int mlspol = 0;
+int handle_unknown = 0;
extern unsigned long policydb_lineno;
extern unsigned long source_lineno;
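Review bot: `int handle_unknown = 0;` encodes the deny default only by coincidence with `DENY_UNKNOWN` being defined as 0 in policydb.h; if that macro ever changes, the default silently diverges. Initialise with the named constant, `int handle_unknown = DENY_UNKNOWN;`, assuming policydb.h is already in scope in this file, which the patch does not show.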
Modified: branches/stable/1_0/checkpolicy/test/dismod.c
===================================================================
--- branches/stable/1_0/checkpolicy/test/dismod.c 2007-09-27 13:12:37 UTC (rev 2591)
+++ branches/stable/1_0/checkpolicy/test/dismod.c 2007-09-27 13:15:25 UTC (rev 2592)
@@ -665,6 +665,17 @@
return 0;
}
+int display_handle_unknown(policydb_t * policydb, FILE * out_fp)
+{
+ if (policydb->handle_unknown == ALLOW_UNKNOWN)
+ fprintf(out_fp, "Allow unknown classes and perms\n");
+ else if (policydb->handle_unknown == DENY_UNKNOWN)
+ fprintf(out_fp, "Deny unknown classes and perms\n");
+ else if (policydb->handle_unknown == REJECT_UNKNOWN)
+ fprintf(out_fp, "Reject unknown classes and perms\n");
+ return 0;
+}
+
static int read_policy(char *filename, policydb_t * policy)
{
FILE *in_fp;
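Review bot: `display_handle_unknown` prints nothing when `policydb->handle_unknown` is any value other than the three named constants — for example a binary policy with both `REJECT_UNKNOWN` and `ALLOW_UNKNOWN` bits set, which the libsepol read hunk in this commit masks but does not reject — so the new menu option goes silent exactly when an inspector would most want output. Add a final branch, `else fprintf(out_fp, "Unexpected handle_unknown value 0x%x\n", policydb->handle_unknown);`. The function can also be `static`, matching the neighbouring `read_policy` in this file.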
@@ -771,6 +782,7 @@
printf("a) Display avrule requirements\n");
printf("b) Display avrule declarations\n");
printf("l) Link in a module\n");
+ printf("u) Display the unknown handling setting\n");
printf("\n");
printf("f) set output file\n");
printf("m) display menu\n");
@@ -879,6 +891,10 @@
fprintf(out_fp, "avrule block declarations:\n");
display_avblock(6, 0, &policydb, out_fp);
break;
+ case 'u':
+ case 'U':
+ display_handle_unknown(&policydb, out_fp);
+ break;
case 'f':
printf
("\nFilename for output (<CR> for screen output): ");
Modified: branches/stable/1_0/checkpolicy/test/dispol.c
===================================================================
--- branches/stable/1_0/checkpolicy/test/dispol.c 2007-09-27 13:12:37 UTC (rev 2591)
+++ branches/stable/1_0/checkpolicy/test/dispol.c 2007-09-27 13:15:25 UTC (rev 2592)
@@ -273,6 +273,17 @@
return 1;
}
+int display_handle_unknown(policydb_t * policydb, FILE * out_fp)
+{
+ if (policydb->handle_unknown == ALLOW_UNKNOWN)
+ fprintf(out_fp, "Allow unknown classes and permisions\n");
+ else if (policydb->handle_unknown == DENY_UNKNOWN)
+ fprintf(out_fp, "Deny unknown classes and permisions\n");
+ else if (policydb->handle_unknown == REJECT_UNKNOWN)
+ fprintf(out_fp, "Reject unknown classes and permisions\n");
+ return 0;
+}
+
int change_bool(char *name, int state, policydb_t * p, FILE * fp)
{
cond_bool_datum_t *bool;
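Review bot: All three user-visible strings in `display_handle_unknown` misspell `permisions`; fix them to `permissions` (the dismod counterpart in this commit says `perms`). As in dismod, a value outside the three constants produces no output at all, so add `else fprintf(out_fp, "Unexpected handle_unknown value 0x%x\n", policydb->handle_unknown);` to make a malformed policy visible rather than silent. The function can also be `static`, since nothing outside this test program needs it.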
@@ -298,6 +309,7 @@
printf("6) display conditional expressions\n");
printf("7) change a boolean value\n");
printf("\n");
+ printf("u) display unknown handling setting\n");
printf("f) set output file\n");
printf("m) display menu\n");
printf("q) quit\n");
@@ -409,6 +421,10 @@
change_bool(name, state, &policydb, out_fp);
free(name);
break;
+ case 'u':
+ case 'U':
+ display_handle_unknown(&policydb, out_fp);
+ break;
case 'f':
printf
("\nFilename for output (<CR> for screen output): ");
Modified: branches/stable/1_0/libsepol/include/sepol/policydb/policydb.h
===================================================================
--- branches/stable/1_0/libsepol/include/sepol/policydb/policydb.h 2007-09-27 13:12:37 UTC (rev 2591)
+++ branches/stable/1_0/libsepol/include/sepol/policydb/policydb.h 2007-09-27 13:15:25 UTC (rev 2592)
@@ -469,6 +469,8 @@
ebitmap_t *attr_type_map; /* not saved in the binary policy */
unsigned policyvers;
+
+ unsigned handle_unknown;
} policydb_t;
struct sepol_policydb {
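Review bot: The new `unsigned handle_unknown;` field has no comment, while its neighbour `attr_type_map` documents whether it is saved in the binary policy; this one is, via the config word in write.c and policydb.c in this commit. Document it in the same style: `unsigned handle_unknown; /* DENY_UNKNOWN, REJECT_UNKNOWN or ALLOW_UNKNOWN; saved in the config word of the binary policy */`. The policydb_t struct starts before this hunk.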
@@ -599,6 +601,13 @@
#define POLICYDB_CONFIG_MLS 1
+/* the config flags related to unknown classes/perms are bits 2 and 3 */
+#define DENY_UNKNOWN 0x00000000
+#define REJECT_UNKNOWN 0x00000002
+#define ALLOW_UNKNOWN 0x00000004
+
+#define POLICYDB_CONFIG_UNKNOWN_MASK (DENY_UNKNOWN | REJECT_UNKNOWN | ALLOW_UNKNOWN)
+
#define OBJECT_R "object_r"
#define OBJECT_R_VAL 1
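Review bot: The comment `the config flags related to unknown classes/perms are bits 2 and 3` does not match the values that follow, `0x2` and `0x4`, which are bits 1 and 2 counted from zero, with bit 0 being `POLICYDB_CONFIG_MLS` on the line above. Say it unambiguously, e.g. `/* unknown class/perm handling uses config-word bits 0x2 and 0x4 (0x1 is POLICYDB_CONFIG_MLS); DENY_UNKNOWN is the all-clear default and REJECT_UNKNOWN/ALLOW_UNKNOWN are mutually exclusive */`. Two consequences deserve a line here because every consumer depends on them: `DENY_UNKNOWN == 0` makes an unset option indistinguishable from an explicit deny, and nothing in these macros prevents both non-zero bits from being set in a policy file.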
Modified: branches/stable/1_0/libsepol/src/expand.c
===================================================================
--- branches/stable/1_0/libsepol/src/expand.c 2007-09-27 13:12:37 UTC (rev 2591)
+++ branches/stable/1_0/libsepol/src/expand.c 2007-09-27 13:15:25 UTC (rev 2592)
@@ -2249,6 +2249,7 @@
/* Copy mls state from base to out */
out->mls = base->mls;
+ out->handle_unknown = base->handle_unknown;
if ((state.typemap =
(uint32_t *) calloc(state.base->p_types.nprim,
Modified: branches/stable/1_0/libsepol/src/policydb.c
===================================================================
--- branches/stable/1_0/libsepol/src/policydb.c 2007-09-27 13:12:37 UTC (rev 2591)
+++ branches/stable/1_0/libsepol/src/policydb.c 2007-09-27 13:15:25 UTC (rev 2592)
@@ -3077,6 +3077,8 @@
p->mls = 0;
}
+ p->handle_unknown = buf[bufindex] & POLICYDB_CONFIG_UNKNOWN_MASK;
+
bufindex++;
info = policydb_lookup_compat(r_policyvers, policy_type);
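Review bot: `p->handle_unknown = buf[bufindex] & POLICYDB_CONFIG_UNKNOWN_MASK;` stores whatever two bits the policy file carries, including `REJECT_UNKNOWN | ALLOW_UNKNOWN` together (0x6), which matches none of the defined values and would later be re-emitted unchanged by write.c; the config word is untrusted file input and should be validated like the rest of the header. Add `if (p->handle_unknown == (REJECT_UNKNOWN | ALLOW_UNKNOWN)) /* malformed: mutually exclusive bits */` and fail the read the same way the neighbouring header checks do. Whether these bits are only meaningful from a particular policy version is also not checked here; if so, gate on `r_policyvers`. The enclosing read function starts and ends outside this hunk.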
Modified: branches/stable/1_0/libsepol/src/write.c
===================================================================
--- branches/stable/1_0/libsepol/src/write.c 2007-09-27 13:12:37 UTC (rev 2591)
+++ branches/stable/1_0/libsepol/src/write.c 2007-09-27 13:15:25 UTC (rev 2592)
@@ -1534,6 +1534,8 @@
if (p->mls)
config |= POLICYDB_CONFIG_MLS;
+ config |= (POLICYDB_CONFIG_UNKNOWN_MASK & p->handle_unknown);
+
/* Write the magic number and string identifiers. */
items = 0;
if (p->policy_type == POLICY_KERN) {
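Review bot: `config |= (POLICYDB_CONFIG_UNKNOWN_MASK & p->handle_unknown);` writes the new bits for every policy version, including older ones selectable through checkpolicy's `-c policyvers` in this same commit, and nothing in the patch shows that consumers of those versions tolerate non-zero bits beyond `POLICYDB_CONFIG_MLS`. If the bits are only defined from a given policy version, gate the OR on `p->policyvers` being at least that version, and have checkpolicy refuse `-U` with an older `-c` so the user gets an error instead of a policy the target may reject. The enclosing write function starts before this hunk.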