From: <mil...@us...> - 2008-01-02 21:40:30
Revision: 2716 http://selinux.svn.sourceforge.net/selinux/?rev=2716&view=rev Author: millertc Date: 2008-01-02 13:40:28 -0800 (Wed, 02 Jan 2008) Log Message: ----------- Subject: checkpolicy capability support This patch includes checkpolicy support for policy capabilities. In this version of the patch policy capabilities are only allowed in the base module. Attempted use in other modules will result in a syntax error. Also included is dismod/dispol support for printing the capabilities. I chose to use the 'c' command for this in both dismod and dispol to keep things consistent (dismod has run out of numbered commands). Signed-off-by: Todd C. Miller <tm...@tr...> Modified Paths: -------------- trunk/checkpolicy/policy_parse.y trunk/checkpolicy/policy_scan.l trunk/checkpolicy/test/dismod.c trunk/checkpolicy/test/dispol.c trunk/libsepol/ChangeLog trunk/libsepol/VERSION Modified: trunk/checkpolicy/policy_parse.y =================================================================== --- trunk/checkpolicy/policy_parse.y 2008-01-02 21:36:27 UTC (rev 2715) +++ trunk/checkpolicy/policy_parse.y 2008-01-02 21:40:28 UTC (rev 2716) @@ -47,6 +47,7 @@ #include <sepol/policydb/conditional.h> #include <sepol/policydb/flask.h> #include <sepol/policydb/hierarchy.h> +#include <sepol/policydb/polcaps.h> #include "queue.h" #include "checkpolicy.h" #include "module_compiler.h" @@ -198,6 +199,7 @@ %token IPV4_ADDR %token IPV6_ADDR %token MODULE VERSION_IDENTIFIER REQUIRE OPTIONAL +%token POLICYCAP %left OR %left XOR @@ -308,6 +310,7 @@ | rbac_decl | cond_stmt_def | optional_block + | policycap_def | ';' ; rbac_decl : role_type_def @@ -765,6 +768,9 @@ ipv6_addr : IPV6_ADDR { if (insert_id(yytext,0)) return -1; } ; +policycap_def : POLICYCAP identifier ';' + {if (define_polcap()) return -1;} + ; /*********** module grammar below ***********/ 
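Review bot: The new `policycap_def` alternative at @@ -308 is added only to what appears to be the base-policy statement list, which is what makes a `policycap` statement inside a module a syntax error as the log message says, but nothing in the grammar records that this is deliberate. A comment on the new rule at @@ -765, e.g. `/* policycap <name>; -- base module only; intentionally absent from the module grammar */`, would keep a later change from "fixing" it by adding the alternative to the module rules. The rule itself follows the `ipv6_addr` pattern above it (one pushed identifier, one `define_*` call), so nothing else stands out.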
@@ -962,6 +968,44 @@
 return -1;
 }
+static int define_polcap(void)
+{
+ char *id = 0;
+ int capnum;
+
+ if (pass == 2) {
+ id = queue_remove(id_queue);
+ free(id);
+ return 0;
+ }
+
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror("no capability name for policycap definition?");
+ goto bad;
+ }
+
+ /* Check for valid cap name -> number mapping */
+ capnum = sepol_polcap_getnum(id);
+ if (capnum < 0) {
+ yyerror2("invalid policy capability name %s", id);
+ goto bad;
+ }
+
+ /* Store it */
+ if (ebitmap_set_bit(&policydbp->policycaps, capnum, TRUE)) {
+ yyerror("out of memory");
+ goto bad;
+ }
+
+ free(id);
+ return 0;
+
+ bad:
+ free(id);
+ return -1;
+}
+
 static int define_initial_sid(void)
 {
 char *id = 0;
Modified: trunk/checkpolicy/policy_scan.l
===================================================================
--- trunk/checkpolicy/policy_scan.l 2008-01-02 21:36:27 UTC (rev 2715)
+++ trunk/checkpolicy/policy_scan.l 2008-01-02 21:40:28 UTC (rev 2716)
@@ -201,6 +201,8 @@
 H1 { return(H1); }
 h2 |
 H2 { return(H2); }
+policycap |
+POLICYCAP { return(POLICYCAP);}
 "/"({alnum}|[_.-/])* { return(PATH); }
 {letter}({alnum}|[_-])*([.]?({alnum}|[_-]))* { return(IDENTIFIER); }
 {digit}+ { return(NUMBER); }
Modified: trunk/checkpolicy/test/dismod.c
===================================================================
--- trunk/checkpolicy/test/dismod.c 2008-01-02 21:36:27 UTC (rev 2715)
+++ trunk/checkpolicy/test/dismod.c 2008-01-02 21:40:28 UTC (rev 2716)
@@ -34,6 +34,7 @@
 #include <sepol/policydb/link.h>
 #include <sepol/policydb/module.h>
 #include <sepol/policydb/util.h>
+#include <sepol/policydb/polcaps.h>
 #include <byteswap.h>
 #include <endian.h>
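Review bot: `define_polcap` is defined `static` here in the epilogue but is first referenced from the grammar action added at @@ -765 of policy_parse.y, and none of the visible hunks adds a prototype; unless the prologue already declares it (not shown in this diff), the implicit declaration created at the action site would conflict with the later `static` definition under GCC, so `static int define_polcap(void);` should go with the other prototypes. The pass-1 path casts `(char *)queue_remove(id_queue)` while the pass-2 path a few lines above assigns the same call with no cast; drop the cast so both read alike. A short header comment would also help, e.g. `/* policycap <name>; -- record a policy capability in policydbp->policycaps (pass 1 only; pass 2 just pops and frees the queued name) */`.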
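Review bot: The new `policycap`/`POLICYCAP` rule precedes the generic `{letter}...` rule and so turns a word that was previously lexed as `IDENTIFIER` into a reserved token, meaning any existing policy that named a type, attribute or boolean `policycap` will stop parsing. That is the same trade-off the neighbouring `h1`/`h2` tokens make, but it deserves a line in the log message or a comment beside the rule, e.g. `/* reserved word as of libsepol 2.0.18; no longer usable as an identifier */`.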
@@ -765,6 +766,26 @@
 return;
 }
+static void display_policycaps(policydb_t * p, FILE * fp)
+{
+ ebitmap_node_t *node;
+ const char *capname;
+ char buf[64];
+ int i;
+
+ fprintf(fp, "policy capabilities:\n");
+ ebitmap_for_each_bit(&p->policycaps, node, i) {
+ if (ebitmap_node_get_bit(node, i)) {
+ capname = sepol_polcap_getname(i);
+ if (capname == NULL) {
+ snprintf(buf, sizeof(buf), "unknown (%d)", i);
+ capname = buf;
+ }
+ fprintf(fp, "\t%s\n", capname);
+ }
+ }
+}
+
 int menu()
 {
 printf("\nSelect a command:\n");
@@ -781,6 +802,7 @@
 printf("\n");
 printf("a) Display avrule requirements\n");
 printf("b) Display avrule declarations\n");
+ printf("c) Display policy capabilities\n");
 printf("l) Link in a module\n");
 printf("u) Display the unknown handling setting\n");
 printf("\n");
@@ -891,6 +913,9 @@
 fprintf(out_fp, "avrule block declarations:\n");
 display_avblock(6, 0, &policydb, out_fp);
 break;
+ case 'c':
+ display_policycaps(&policydb, out_fp);
+ break;
 case 'u':
 case 'U':
 display_handle_unknown(&policydb, out_fp);
Modified: trunk/checkpolicy/test/dispol.c
===================================================================
--- trunk/checkpolicy/test/dispol.c 2008-01-02 21:36:27 UTC (rev 2715)
+++ trunk/checkpolicy/test/dispol.c 2008-01-02 21:40:28 UTC (rev 2716)
@@ -23,6 +23,7 @@
 #include <sepol/policydb/conditional.h>
 #include <sepol/policydb/expand.h>
 #include <sepol/policydb/util.h>
+#include <sepol/policydb/polcaps.h>
 #include <getopt.h>
 #include <assert.h>
 #include <unistd.h>
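Review bot: `display_policycaps` is added verbatim to both dismod.c here and dispol.c (the @@ -298 hunk), and two identical copies in sibling tools will drift; a single shared implementation, presumably next to `sepol_polcap_getname` in libsepol or in a helper both test programs include, would be preferable. The loop index `i` is declared `int`; if `ebitmap_for_each_bit` bounds it with libsepol's unsigned bitmap length, as I believe it does, the comparison mixes signedness and `unsigned int i` with `"unknown (%u)"` would match the bitmap API. A one-line header, `/* Print each set bit of p->policycaps by name, or "unknown (<n>)" when libsepol has no name for it. */`, would document the fallback path.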
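Review bot: The new `case 'c':` in the command switch at @@ -891 accepts only lower-case `c`, while the adjacent `case 'u': case 'U':` pair accepts both; for consistency add `case 'C':` as a fall-through label before it. The dispol.c counterpart at @@ -421 has the same asymmetry. The enclosing switch and its function start and end outside the hunk.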
@@ -298,6 +299,26 @@
 return 0;
 }
+static void display_policycaps(policydb_t * p, FILE * fp)
+{
+ ebitmap_node_t *node;
+ const char *capname;
+ char buf[64];
+ int i;
+
+ fprintf(fp, "policy capabilities:\n");
+ ebitmap_for_each_bit(&p->policycaps, node, i) {
+ if (ebitmap_node_get_bit(node, i)) {
+ capname = sepol_polcap_getname(i);
+ if (capname == NULL) {
+ snprintf(buf, sizeof(buf), "unknown (%d)", i);
+ capname = buf;
+ }
+ fprintf(fp, "\t%s\n", capname);
+ }
+ }
+}
+
 int menu()
 {
 printf("\nSelect a command:\n");
@@ -309,6 +330,7 @@
 printf("6) display conditional expressions\n");
 printf("7) change a boolean value\n");
 printf("\n");
+ printf("c) display policy capabilities\n");
 printf("u) display unknown handling setting\n");
 printf("f) set output file\n");
 printf("m) display menu\n");
@@ -421,6 +443,9 @@
 change_bool(name, state, &policydb, out_fp);
 free(name);
 break;
+ case 'c':
+ display_policycaps(&policydb, out_fp);
+ break;
 case 'u':
 case 'U':
 display_handle_unknown(&policydb, out_fp);
Modified: trunk/libsepol/ChangeLog
===================================================================
--- trunk/libsepol/ChangeLog 2008-01-02 21:36:27 UTC (rev 2715)
+++ trunk/libsepol/ChangeLog 2008-01-02 21:40:28 UTC (rev 2716)
@@ -1,3 +1,6 @@
+2.0.18 2008-01-02
+ * Added support for policy capabilities from Todd Miller.
+
 2.0.17 2007-12-21
 * Prevent generation of policy.18 with MLS enabled from Todd Miller.
Modified: trunk/libsepol/VERSION
===================================================================
--- trunk/libsepol/VERSION 2008-01-02 21:36:27 UTC (rev 2715)
+++ trunk/libsepol/VERSION 2008-01-02 21:40:28 UTC (rev 2716)
@@ -1 +1 @@
-2.0.17
+2.0.18
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |