From: <mil...@us...> - 2008-01-02 21:54:44
Revision: 2715
http://selinux.svn.sourceforge.net/selinux/?rev=2715&view=rev
Author: millertc
Date: 2008-01-02 13:36:27 -0800 (Wed, 02 Jan 2008)
Log Message:
-----------
Subject: library policy capability support
This patch includes the library support for policy capabilities. Currently the only capability that exists is peersid. Patch policy capabilities are only valid in the base policy.
Signed-off-by: Todd C. Miller <tm...@tr...>
Modified Paths:
--------------
trunk/libsepol/include/sepol/policydb/policydb.h
trunk/libsepol/src/expand.c
trunk/libsepol/src/policydb.c
trunk/libsepol/src/write.c
Added Paths:
-----------
trunk/libsepol/include/sepol/policydb/polcaps.h
trunk/libsepol/src/polcaps.c
Added: trunk/libsepol/include/sepol/policydb/polcaps.h
===================================================================
--- trunk/libsepol/include/sepol/policydb/polcaps.h (rev 0)
+++ trunk/libsepol/include/sepol/policydb/polcaps.h 2008-01-02 21:36:27 UTC (rev 2715)
@@ -0,0 +1,17 @@
+#ifndef _SEPOL_POLICYDB_POLCAPS_H_
+#define _SEPOL_POLICYDB_POLCAPS_H_
+
+/* Policy capabilities */
+enum {
+ POLICYDB_CAPABILITY_NETPEER,
+ __POLICYDB_CAPABILITY_MAX
+};
+#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
+
+/* Convert a capability name to number. */
+extern int sepol_polcap_getnum(const char *name);
+
+/* Convert a capability number to name. */
+extern const char *sepol_polcap_getname(int capnum);
+
+#endif /* _SEPOL_POLICYDB_POLCAPS_H_ */
Modified: trunk/libsepol/include/sepol/policydb/policydb.h
===================================================================
--- trunk/libsepol/include/sepol/policydb/policydb.h 2007-12-21 17:25:53 UTC (rev 2714)
+++ trunk/libsepol/include/sepol/policydb/policydb.h 2008-01-02 21:36:27 UTC (rev 2715)
@@ -468,6 +468,8 @@
 ebitmap_t *attr_type_map; /* not saved in the binary policy */
+ ebitmap_t policycaps;
+
 unsigned policyvers;
 unsigned handle_unknown;
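Review bot: `__POLICYDB_CAPABILITY_MAX` in the new enum begins with a double underscore, which C reserves for the implementation, so either rename it (for instance `POLICYDB_CAPABILITY_COUNT`, with the macro below becoming `#define POLICYDB_CAPABILITY_MAX (POLICYDB_CAPABILITY_COUNT - 1)`) or, if the spelling deliberately mirrors the kernel's header, record that in a comment. The enum values presumably double as bit positions in the policycaps bitmap that write.c serializes into the binary policy, so the enum needs a comment such as `/* Bit positions in policydb.policycaps; part of the binary policy format, so append only and never renumber. */`. The naming is also inconsistent three ways, `NETPEER` here, the string `"network_peer_controls"` in polcaps.c and "peersid" in the log message, and a one-line comment tying them together would spare the next reader the search.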
@@ -584,10 +586,11 @@
 #define POLICYDB_VERSION_MLS 19
 #define POLICYDB_VERSION_AVTAB 20
 #define POLICYDB_VERSION_RANGETRANS 21
+#define POLICYDB_VERSION_POLCAP 22
 /* Range of policy versions we understand*/
 #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
-#define POLICYDB_VERSION_MAX POLICYDB_VERSION_RANGETRANS
+#define POLICYDB_VERSION_MAX POLICYDB_VERSION_POLCAP
 /* Module versions and specific changes*/
 #define MOD_POLICYDB_VERSION_BASE 4
@@ -595,9 +598,10 @@
 #define MOD_POLICYDB_VERSION_MLS 5
 #define MOD_POLICYDB_VERSION_RANGETRANS 6
 #define MOD_POLICYDB_VERSION_MLS_USERS 6
+#define MOD_POLICYDB_VERSION_POLCAP 7
 #define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE
-#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_MLS_USERS
+#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_POLCAP
 #define POLICYDB_CONFIG_MLS 1
Modified: trunk/libsepol/src/expand.c
===================================================================
--- trunk/libsepol/src/expand.c 2007-12-21 17:25:53 UTC (rev 2714)
+++ trunk/libsepol/src/expand.c 2008-01-02 21:36:27 UTC (rev 2715)
@@ -2252,6 +2252,12 @@
 out->mls = base->mls;
 out->handle_unknown = base->handle_unknown;
+ /* Copy policy capabilities */
+ if (ebitmap_cpy(&out->policycaps, &base->policycaps)) {
+ ERR(handle, "Out of memory!");
+ goto cleanup;
+ }
+
 if ((state.typemap = (uint32_t *) calloc(state.base->p_types.nprim, sizeof(uint32_t))) == NULL) {
Added: trunk/libsepol/src/polcaps.c
===================================================================
--- trunk/libsepol/src/polcaps.c (rev 0)
+++ trunk/libsepol/src/polcaps.c 2008-01-02 21:36:27 UTC (rev 2715)
@@ -0,0 +1,32 @@
+/*
+ * Policy capability support functions
+ */
+
+#include <string.h>
+#include <sepol/policydb/polcaps.h>
+
+static const char *polcap_names[] = {
+ "network_peer_controls", /* POLICYDB_CAPABILITY_NETPEER */
+ NULL
+};
+
+int sepol_polcap_getnum(const char *name)
+{
+ int capnum;
+
+ for (capnum = 0; capnum <= POLICYDB_CAPABILITY_MAX; capnum++) {
+ if (polcap_names[capnum] == NULL)
+ continue;
+ if (strcasecmp(polcap_names[capnum], name) == 0)
+ return capnum;
+ }
+ return -1;
+}
+
+const char *sepol_polcap_getname(int capnum)
+{
+ if (capnum > POLICYDB_CAPABILITY_MAX)
+ return NULL;
+
+ return polcap_names[capnum];
+}
Modified: trunk/libsepol/src/policydb.c
===================================================================
--- trunk/libsepol/src/policydb.c 2007-12-21 17:25:53 UTC (rev 2714)
+++ trunk/libsepol/src/policydb.c 2008-01-02 21:36:27 UTC (rev 2715)
@@ -99,6 +99,12 @@
 .ocon_num = OCON_NODE6 + 1,
 },
 {
+ .type = POLICY_KERN,
+ .version = POLICYDB_VERSION_POLCAP,
+ .sym_num = SYM_NUM,
+ .ocon_num = OCON_NODE6 + 1,
+ },
+ {
 .type = POLICY_BASE,
 .version = MOD_POLICYDB_VERSION_BASE,
 .sym_num = SYM_NUM,
@@ -117,6 +123,12 @@
 .ocon_num = OCON_NODE6 + 1,
 },
 {
+ .type = POLICY_BASE,
+ .version = MOD_POLICYDB_VERSION_POLCAP,
+ .sym_num = SYM_NUM,
+ .ocon_num = OCON_NODE6 + 1,
+ },
+ {
 .type = POLICY_MOD,
 .version = MOD_POLICYDB_VERSION_BASE,
 .sym_num = SYM_NUM,
@@ -132,6 +144,12 @@
 .type = POLICY_MOD,
 .version = MOD_POLICYDB_VERSION_MLS_USERS,
 .sym_num = SYM_NUM,
+ .ocon_num = 0
+ },
+ {
+ .type = POLICY_MOD,
+ .version = MOD_POLICYDB_VERSION_POLCAP,
+ .sym_num = SYM_NUM,
 .ocon_num = 0},
 };
@@ -447,6 +465,8 @@
 memset(p, 0, sizeof(policydb_t));
+ ebitmap_init(&p->policycaps);
+
 for (i = 0; i < SYM_NUM; i++) {
 p->sym_val_to_name[i] = NULL;
 rc = symtab_init(&p->symtab[i], symtab_sizes[i]);
@@ -971,6 +991,8 @@
 if (!p) return;
+ ebitmap_destroy(&p->policycaps);
+
 symtabs_destroy(p->symtab);
 for (i = 0; i < SYM_NUM; i++) {
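Review bot: `sepol_polcap_getname` rejects only `capnum > POLICYDB_CAPABILITY_MAX`, so a negative argument indexes `polcap_names` before its first element; the callers are not visible here, and capability numbers are exactly the kind of value that ends up coming from parsed input, so the guard should read `if (capnum < 0 || capnum > POLICYDB_CAPABILITY_MAX)`. In `sepol_polcap_getnum` a NULL `name` goes straight into `strcasecmp`, which is undefined behaviour; an `if (name == NULL) return -1;` at the top costs nothing and matches the function's existing -1 failure return. `strcasecmp` is declared by POSIX in `<strings.h>`, not `<string.h>`; it compiles on glibc only through the default feature macros, so the file should include `<strings.h>` to stay portable.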
@@ -3123,6 +3145,16 @@
 p->version[len] = '\0';
 }
+ if ((p->policyvers >= POLICYDB_VERSION_POLCAP &&
+ p->policy_type == POLICY_KERN) ||
+ (p->policyvers >= MOD_POLICYDB_VERSION_POLCAP &&
+ p->policy_type == POLICY_BASE) ||
+ (p->policyvers >= MOD_POLICYDB_VERSION_POLCAP &&
+ p->policy_type == POLICY_MOD)) {
+ if (ebitmap_read(&p->policycaps, fp))
+ goto bad;
+ }
+
 for (i = 0; i < info->sym_num; i++) {
 rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
 if (rc < 0)
Modified: trunk/libsepol/src/write.c
===================================================================
--- trunk/libsepol/src/write.c 2007-12-21 17:25:53 UTC (rev 2714)
+++ trunk/libsepol/src/write.c 2008-01-02 21:36:27 UTC (rev 2715)
@@ -1606,6 +1606,17 @@
 if (items != len) return POLICYDB_ERROR;
 }
+
+ if ((p->policyvers >= POLICYDB_VERSION_POLCAP &&
+ p->policy_type == POLICY_KERN) ||
+ (p->policyvers >= MOD_POLICYDB_VERSION_POLCAP &&
+ p->policy_type == POLICY_BASE) ||
+ (p->policyvers >= MOD_POLICYDB_VERSION_POLCAP &&
+ p->policy_type == POLICY_MOD)) {
+ if (ebitmap_write(&p->policycaps, fp) == -1)
+ return POLICYDB_ERROR;
+ }
+
 num_syms = info->sym_num;
 for (i = 0; i < num_syms; i++) {
 buf[0] = cpu_to_le32(p->symtab[i].nprim);
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
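Review bot: The bitmap filled by `ebitmap_read` at the top of the policydb.c hunk is taken from the policy file as-is, so a policy that sets a bit above `POLICYDB_CAPABILITY_MAX` loads silently even though this library has no name for that capability; after a successful read the code should walk the bitmap and `goto bad` with an error message on any set bit beyond `POLICYDB_CAPABILITY_MAX`, the same bound `sepol_polcap_getname` applies to its table, so that an unknown capability is reported at load time rather than ignored. The three-way version check is duplicated verbatim in the write.c hunk, and its two `MOD_POLICYDB_VERSION_POLCAP` arms collapse to one `(p->policy_type == POLICY_BASE || p->policy_type == POLICY_MOD)` test; a single small helper used by both the reader and the writer would keep the two from drifting apart. The log message states that capabilities are only valid in the base policy, yet both hunks also read and write the bitmap for `POLICY_MOD`; if that is just to keep the module file layout uniform, a comment such as `/* Modules carry an (empty) policycaps bitmap so the on-disk layout matches base policies. */` would settle the question for the next reader. The enclosing read and write functions both begin and end outside their hunks.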