Menu
▾
▴
selinux-commits — Commits to the subversion repo
You can subscribe to this list here.
| 2006 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
|
Aug
(24) |
Sep
(38) |
Oct
(29) |
Nov
(40) |
Dec
(4) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2007 |
Jan
(88) |
Feb
(66) |
Mar
(44) |
Apr
(104) |
May
(35) |
Jun
(34) |
Jul
(12) |
Aug
(42) |
Sep
(84) |
Oct
(34) |
Nov
(30) |
Dec
(22) |
| 2008 |
Jan
(60) |
Feb
(54) |
Mar
(32) |
Apr
(14) |
May
(16) |
Jun
(26) |
Jul
(22) |
Aug
(12) |
Sep
|
Oct
|
Nov
|
Dec
|
|
From: <ssm...@us...> - 2008-03-18 20:28:52
|
Revision: 2850
http://selinux.svn.sourceforge.net/selinux/?rev=2850&view=rev
Author: ssmalley
Date: 2008-03-18 13:28:49 -0700 (Tue, 18 Mar 2008)
Log Message:
-----------
updated policycoreutils to version 2.0.45
Modified Paths:
--------------
trunk/policycoreutils/ChangeLog
trunk/policycoreutils/VERSION
Modified: trunk/policycoreutils/ChangeLog
===================================================================
--- trunk/policycoreutils/ChangeLog 2008-03-18 20:25:27 UTC (rev 2849)
+++ trunk/policycoreutils/ChangeLog 2008-03-18 20:28:49 UTC (rev 2850)
@@ -1,3 +1,6 @@
+2.0.45 2008-03-18
+ * Fix semanage port to use --proto from Caleb Case.
+
2.0.44 2008-02-22
* Fixed semodule to correctly handle error when unable to create a handle.
Modified: trunk/policycoreutils/VERSION
===================================================================
--- trunk/policycoreutils/VERSION 2008-03-18 20:25:27 UTC (rev 2849)
+++ trunk/policycoreutils/VERSION 2008-03-18 20:28:49 UTC (rev 2850)
@@ -1 +1 @@
-2.0.44
+2.0.45
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <ssm...@us...> - 2008-03-18 20:26:17
|
Revision: 2849
http://selinux.svn.sourceforge.net/selinux/?rev=2849&view=rev
Author: ssmalley
Date: 2008-03-18 13:25:27 -0700 (Tue, 18 Mar 2008)
Log Message:
-----------
Author: Caleb Case
Email: cc...@tr...
Subject: policycoreutils semanage --proto --protocol inconsistent flags
Date: Tue, 18 Mar 2008 10:31:16 -0400
semanage --help indicates two conflicting ways of using the port protocol flag:
# semanage --help | grep proto
semanage port -{a|d|m} [-tr] [ -p protocol ] port | port_range
-p, --proto Port protocol (tcp or udp)
That is --protocol and --proto.
The code paths are similarly conflicted with --protocol as the 'valid_option', but --proto as the flag actually used in getopt. This results in --protocol not being recognized:
# semanage port -t ftp_port_t -a --protocol tcp 12345
/usr/sbin/semanage: Options Error option --protocol not recognized
The port is not added in this case.
Using --proto instead results in a 'not valid for port objects' error, but the error is ignored and the port added:
# semanage port -t ftp_port_t -a --proto tcp 12345
--proto not valid for port objects
# semanage port -l | grep 12345
ftp_port_t tcp 12345, 21
The man pages for semanage are also inconsistent.
This patch resolves the inconsistency to use --proto.
Modified Paths:
--------------
trunk/policycoreutils/semanage/semanage
trunk/policycoreutils/semanage/semanage.8
Modified: trunk/policycoreutils/semanage/semanage
===================================================================
--- trunk/policycoreutils/semanage/semanage 2008-03-10 13:28:02 UTC (rev 2848)
+++ trunk/policycoreutils/semanage/semanage 2008-03-18 20:25:27 UTC (rev 2849)
@@ -47,7 +47,7 @@
semanage {boolean|login|user|port|interface|fcontext|translation} -{l|D} [-n] \n\
semanage login -{a|d|m} [-sr] login_name\n\
semanage user -{a|d|m} [-LrRP] selinux_name\n\
-semanage port -{a|d|m} [-tr] [ -p protocol ] port | port_range\n\
+semanage port -{a|d|m} [-tr] [ -p proto ] port | port_range\n\
semanage interface -{a|d|m} [-tr] interface_spec\n\
semanage fcontext -{a|d|m} [-frst] file_spec\n\
semanage translation -{a|d|m} [-T] level\n\n\
@@ -103,7 +103,7 @@
valid_option["user"] = []
valid_option["user"] += valid_everyone + [ '-L', '--level', '-r', '--range', '-R', '--roles', '-P', '--prefix' ]
valid_option["port"] = []
- valid_option["port"] += valid_everyone + [ '-t', '--type', '-r', '--range', '-p', '--protocol' ]
+ valid_option["port"] += valid_everyone + [ '-t', '--type', '-r', '--range', '-p', '--proto' ]
valid_option["interface"] = []
valid_option["interface"] += valid_everyone + [ '-t', '--type', '-r', '--range']
valid_option["fcontext"] = []
Modified: trunk/policycoreutils/semanage/semanage.8
===================================================================
--- trunk/policycoreutils/semanage/semanage.8 2008-03-10 13:28:02 UTC (rev 2848)
+++ trunk/policycoreutils/semanage/semanage.8 2008-03-18 20:25:27 UTC (rev 2849)
@@ -9,7 +9,7 @@
.br
.B semanage user \-{a|d|m} [\-LrRP] selinux_name
.br
-.B semanage port \-{a|d|m} [\-tr] [\-p protocol] port | port_range
+.B semanage port \-{a|d|m} [\-tr] [\-p proto] port | port_range
.br
.B semanage interface \-{a|d|m} [\-tr] interface_spec
.br
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <ssm...@us...> - 2008-03-10 13:28:06
|
Revision: 2848
http://selinux.svn.sourceforge.net/selinux/?rev=2848&view=rev
Author: ssmalley
Date: 2008-03-10 06:28:02 -0700 (Mon, 10 Mar 2008)
Log Message:
-----------
applied r2844:2846 from trunk: add editorial comments to selinux-doc reports to note that they are not up to date
Modified Paths:
--------------
branches/stable/1_0/selinux-doc/ChangeLog
branches/stable/1_0/selinux-doc/VERSION
branches/stable/1_0/selinux-doc/module/changes.sgml
branches/stable/1_0/selinux-doc/module/intro.sgml
branches/stable/1_0/selinux-doc/module/ip.sgml
branches/stable/1_0/selinux-doc/policy/intro.sgml
Modified: branches/stable/1_0/selinux-doc/ChangeLog
===================================================================
--- branches/stable/1_0/selinux-doc/ChangeLog 2008-03-10 13:19:48 UTC (rev 2847)
+++ branches/stable/1_0/selinux-doc/ChangeLog 2008-03-10 13:28:02 UTC (rev 2848)
@@ -1,3 +1,8 @@
+1.26.1 2008-03-07
+ * Added editorial comments to the policy and module reports noting
+ that they do not reflect the current state of SELinux to avoid
+ reader confusion.
+
1.26 2006-03-14
* Updated version for release.
Modified: branches/stable/1_0/selinux-doc/VERSION
===================================================================
--- branches/stable/1_0/selinux-doc/VERSION 2008-03-10 13:19:48 UTC (rev 2847)
+++ branches/stable/1_0/selinux-doc/VERSION 2008-03-10 13:28:02 UTC (rev 2848)
@@ -1 +1 @@
-1.26
+1.26.1
Modified: branches/stable/1_0/selinux-doc/module/changes.sgml
===================================================================
--- branches/stable/1_0/selinux-doc/module/changes.sgml 2008-03-10 13:19:48 UTC (rev 2847)
+++ branches/stable/1_0/selinux-doc/module/changes.sgml 2008-03-10 13:28:02 UTC (rev 2848)
@@ -491,6 +491,7 @@
2.6. There is one exception: a getpeercon API has been implemented to
support obtaining peer security contexts for Unix stream connections,
and is available in Linux 2.6.
+<comment>Note: The preceding statements are historical and no longer apply to modern SELinux systems, which do support labeled networking and APIs for getting peer and datagram contexts on both INET and Unix sockets.</comment>
</para>
</sect3>
Modified: branches/stable/1_0/selinux-doc/module/intro.sgml
===================================================================
--- branches/stable/1_0/selinux-doc/module/intro.sgml 2008-03-10 13:19:48 UTC (rev 2847)
+++ branches/stable/1_0/selinux-doc/module/intro.sgml 2008-03-10 13:28:02 UTC (rev 2848)
@@ -31,8 +31,6 @@
and several individuals, including Greg Kroah-Hartman and James
Morris, to develop a Linux kernel patch that implements this
framework. The LSM framework is included as part of the Linux 2.6 series.
-Documentation and papers about LSM are available from <ulink
-url="http://lsm.immunix.org/lsm_doc.html">the LSM web site</ulink>.
</para>
<para>
@@ -52,5 +50,9 @@
kernel object or kernel subsystem.
</para>
+<para>
+<comment>Note: This report predates modern enhancements to the SELinux kernel code, such as the introduction of labeled networking support (labeled IPSEC and NetLabel/CIPSO), the introduction of APIs for getting peer and datagram security contexts for INET and Unix socket IPC, and significant changes to the SELinux network access controls. Thus, while much of the discussion herein is still applicable, much has changed in modern SELinux kernels.</comment>
+</para>
+
</sect1>
Modified: branches/stable/1_0/selinux-doc/module/ip.sgml
===================================================================
--- branches/stable/1_0/selinux-doc/module/ip.sgml 2008-03-10 13:19:48 UTC (rev 2847)
+++ branches/stable/1_0/selinux-doc/module/ip.sgml 2008-03-10 13:28:02 UTC (rev 2848)
@@ -15,6 +15,7 @@
using only the socket layer hooks and NetFilter hooks, and some
functionality such as packet labeling was dropped from SELinux. This
section describes the SELinux NetFilter hook functions.
+<comment>Note: The preceding statements are historical and no longer apply to modern SELinux systems, which do include a set of network hooks and support packet labeling.</comment>
</para>
<para>
Modified: branches/stable/1_0/selinux-doc/policy/intro.sgml
===================================================================
--- branches/stable/1_0/selinux-doc/policy/intro.sgml 2008-03-10 13:19:48 UTC (rev 2847)
+++ branches/stable/1_0/selinux-doc/policy/intro.sgml 2008-03-10 13:28:02 UTC (rev 2848)
@@ -44,4 +44,8 @@
purposes.
</para>
+<para>
+<comment>Note: This report predates the transition from using the original NSA example policy configuration to using the reference policy, and the transition from monolithic policy to modular/managed policy. Thus, while some of the discussion herein is still applicable, much has changed in modern SELinux systems.</comment>
+</para>
+
</sect1>
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <ssm...@us...> - 2008-03-10 13:20:20
|
Revision: 2847
http://selinux.svn.sourceforge.net/selinux/?rev=2847&view=rev
Author: ssmalley
Date: 2008-03-10 06:19:48 -0700 (Mon, 10 Mar 2008)
Log Message:
-----------
Drop selinux-doc from trunk.
It is out of date, not being maintained, and never had any end user
oriented documentation in the first place. Tech reports are available
on www.nsa.gov/selinux for historical reference.
Removed Paths:
-------------
trunk/README
trunk/selinux-doc/
Deleted: trunk/README
===================================================================
--- trunk/README 2008-03-07 15:40:42 UTC (rev 2846)
+++ trunk/README 2008-03-10 13:19:48 UTC (rev 2847)
@@ -1,2 +0,0 @@
-See selinux-doc/README for build instructions.
--z
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <ssm...@us...> - 2008-03-07 15:40:44
|
Revision: 2846
http://selinux.svn.sourceforge.net/selinux/?rev=2846&view=rev
Author: ssmalley
Date: 2008-03-07 07:40:42 -0800 (Fri, 07 Mar 2008)
Log Message:
-----------
updated selinux-doc to version 1.26.1
Modified Paths:
--------------
trunk/selinux-doc/ChangeLog
trunk/selinux-doc/VERSION
Modified: trunk/selinux-doc/ChangeLog
===================================================================
--- trunk/selinux-doc/ChangeLog 2008-03-07 15:35:33 UTC (rev 2845)
+++ trunk/selinux-doc/ChangeLog 2008-03-07 15:40:42 UTC (rev 2846)
@@ -1,3 +1,8 @@
+1.26.1 2008-03-07
+ * Added editorial comments to the policy and module reports noting
+ that they do not reflect the current state of SELinux to avoid
+ reader confusion.
+
1.26 2006-03-14
* Updated version for release.
Modified: trunk/selinux-doc/VERSION
===================================================================
--- trunk/selinux-doc/VERSION 2008-03-07 15:35:33 UTC (rev 2845)
+++ trunk/selinux-doc/VERSION 2008-03-07 15:40:42 UTC (rev 2846)
@@ -1 +1 @@
-1.26
+1.26.1
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <ssm...@us...> - 2008-03-07 15:35:49
|
Revision: 2845
http://selinux.svn.sourceforge.net/selinux/?rev=2845&view=rev
Author: ssmalley
Date: 2008-03-07 07:35:33 -0800 (Fri, 07 Mar 2008)
Log Message:
-----------
Add editorial comments noting the historical nature of these reports to avoid reader confusion.
Modified Paths:
--------------
trunk/selinux-doc/module/changes.sgml
trunk/selinux-doc/module/intro.sgml
trunk/selinux-doc/module/ip.sgml
trunk/selinux-doc/policy/intro.sgml
Modified: trunk/selinux-doc/module/changes.sgml
===================================================================
--- trunk/selinux-doc/module/changes.sgml 2008-03-07 15:30:22 UTC (rev 2844)
+++ trunk/selinux-doc/module/changes.sgml 2008-03-07 15:35:33 UTC (rev 2845)
@@ -491,6 +491,7 @@
2.6. There is one exception: a getpeercon API has been implemented to
support obtaining peer security contexts for Unix stream connections,
and is available in Linux 2.6.
+<comment>Note: The preceding statements are historical and no longer apply to modern SELinux systems, which do support labeled networking and APIs for getting peer and datagram contexts on both INET and Unix sockets.</comment>
</para>
</sect3>
Modified: trunk/selinux-doc/module/intro.sgml
===================================================================
--- trunk/selinux-doc/module/intro.sgml 2008-03-07 15:30:22 UTC (rev 2844)
+++ trunk/selinux-doc/module/intro.sgml 2008-03-07 15:35:33 UTC (rev 2845)
@@ -31,8 +31,6 @@
and several individuals, including Greg Kroah-Hartman and James
Morris, to develop a Linux kernel patch that implements this
framework. The LSM framework is included as part of the Linux 2.6 series.
-Documentation and papers about LSM are available from <ulink
-url="http://lsm.immunix.org/lsm_doc.html">the LSM web site</ulink>.
</para>
<para>
@@ -52,5 +50,9 @@
kernel object or kernel subsystem.
</para>
+<para>
+<comment>Note: This report predates modern enhancements to the SELinux kernel code, such as the introduction of labeled networking support (labeled IPSEC and NetLabel/CIPSO), the introduction of APIs for getting peer and datagram security contexts for INET and Unix socket IPC, and significant changes to the SELinux network access controls. Thus, while much of the discussion herein is still applicable, much has changed in modern SELinux kernels.</comment>
+</para>
+
</sect1>
Modified: trunk/selinux-doc/module/ip.sgml
===================================================================
--- trunk/selinux-doc/module/ip.sgml 2008-03-07 15:30:22 UTC (rev 2844)
+++ trunk/selinux-doc/module/ip.sgml 2008-03-07 15:35:33 UTC (rev 2845)
@@ -15,6 +15,7 @@
using only the socket layer hooks and NetFilter hooks, and some
functionality such as packet labeling was dropped from SELinux. This
section describes the SELinux NetFilter hook functions.
+<comment>Note: The preceding statements are historical and no longer apply to modern SELinux systems, which do include a set of network hooks and support packet labeling.</comment>
</para>
<para>
Modified: trunk/selinux-doc/policy/intro.sgml
===================================================================
--- trunk/selinux-doc/policy/intro.sgml 2008-03-07 15:30:22 UTC (rev 2844)
+++ trunk/selinux-doc/policy/intro.sgml 2008-03-07 15:35:33 UTC (rev 2845)
@@ -44,4 +44,8 @@
purposes.
</para>
+<para>
+<comment>Note: This report predates the transition from using the original NSA example policy configuration to using the reference policy, and the transition from monolithic policy to modular/managed policy. Thus, while some of the discussion herein is still applicable, much has changed in modern SELinux systems.</comment>
+</para>
+
</sect1>
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <mil...@us...> - 2008-03-07 15:30:25
|
Revision: 2844
http://selinux.svn.sourceforge.net/selinux/?rev=2844&view=rev
Author: millertc
Date: 2008-03-07 07:30:22 -0800 (Fri, 07 Mar 2008)
Log Message:
-----------
Now that the bulk of policy_parse.y has been split out into
policy_define.c, the libsepol tests need to link in policy_define.o.
Signed-off-by: Todd C. Miller <tm...@tr...>
Acked-by: Stephen Smalley <sd...@ty...>
Modified Paths:
--------------
trunk/libsepol/tests/Makefile
Modified: trunk/libsepol/tests/Makefile
===================================================================
--- trunk/libsepol/tests/Makefile 2008-03-06 16:45:46 UTC (rev 2843)
+++ trunk/libsepol/tests/Makefile 2008-03-07 15:30:22 UTC (rev 2844)
@@ -16,8 +16,9 @@
# test program object files
objs := $(patsubst %.c,%.o,$(wildcard *.c))
-parserobjs := $(CHECKPOLICY)queue.o $(CHECKPOLICY)y.tab.o $(CHECKPOLICY)parse_util.o $(CHECKPOLICY)lex.yy.o \
- $(CHECKPOLICY)module_compiler.o
+parserobjs := $(CHECKPOLICY)queue.o $(CHECKPOLICY)y.tab.o \
+ $(CHECKPOLICY)parse_util.o $(CHECKPOLICY)lex.yy.o \
+ $(CHECKPOLICY)policy_define.o $(CHECKPOLICY)module_compiler.o
# test policy pieces
m4support := $(wildcard policies/support/*.spt)
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <mil...@us...> - 2008-03-06 16:46:12
|
Revision: 2843
http://selinux.svn.sourceforge.net/selinux/?rev=2843&view=rev
Author: millertc
Date: 2008-03-06 08:45:46 -0800 (Thu, 06 Mar 2008)
Log Message:
-----------
Fix a typo in the header guard.
Modified Paths:
--------------
trunk/checkpolicy/policy_define.h
Modified: trunk/checkpolicy/policy_define.h
===================================================================
--- trunk/checkpolicy/policy_define.h 2008-03-05 14:47:09 UTC (rev 2842)
+++ trunk/checkpolicy/policy_define.h 2008-03-06 16:45:46 UTC (rev 2843)
@@ -1,7 +1,7 @@
/* Functions used to define policy grammar components. */
-#ifndef __POLICY_DEFINE_H__
-#define POLICY_DEFINE_H__
+#ifndef _POLICY_DEFINE_H_
+#define _POLICY_DEFINE_H_
/*
* We need the following so we have a valid error return code in yacc
@@ -55,4 +55,4 @@
role_datum_t *merge_roles_dom(role_datum_t *r1,role_datum_t *r2);
uintptr_t define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2);
-#endif /* POLICY_DEFINE_H__ */
+#endif /* _POLICY_DEFINE_H_ */
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <mil...@us...> - 2008-03-05 14:47:17
|
Revision: 2842
http://selinux.svn.sourceforge.net/selinux/?rev=2842&view=rev
Author: millertc
Date: 2008-03-05 06:47:09 -0800 (Wed, 05 Mar 2008)
Log Message:
-----------
updated checkpolicy to version 2.0.13
Modified Paths:
--------------
trunk/checkpolicy/ChangeLog
trunk/checkpolicy/VERSION
Modified: trunk/checkpolicy/ChangeLog
===================================================================
--- trunk/checkpolicy/ChangeLog 2008-03-05 14:45:21 UTC (rev 2841)
+++ trunk/checkpolicy/ChangeLog 2008-03-05 14:47:09 UTC (rev 2842)
@@ -1,3 +1,7 @@
+2.0.13 2008-03-05
+ * Split out non-grammar parts of policy_parse.yacc into
+ policy_define.c and policy_define.h from Todd C. Miller.
+
2.0.12 2008-03-04
* Initialize struct policy_file before using it, from Todd C. Miller.
Modified: trunk/checkpolicy/VERSION
===================================================================
--- trunk/checkpolicy/VERSION 2008-03-05 14:45:21 UTC (rev 2841)
+++ trunk/checkpolicy/VERSION 2008-03-05 14:47:09 UTC (rev 2842)
@@ -1 +1 @@
-2.0.12
+2.0.13
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <mil...@us...> - 2008-03-05 14:45:22
|
Revision: 2841
http://selinux.svn.sourceforge.net/selinux/?rev=2841&view=rev
Author: millertc
Date: 2008-03-05 06:45:21 -0800 (Wed, 05 Mar 2008)
Log Message:
-----------
The changes are purely mechanical. Everything but the yacc rules has
been moved from policy_parse.c into policy_define.c and policy_define.h.
This allows us to retain strict error checking (-Werror) on the SELinux
toolchain without our being tripped up by generated (yacc/bison) code.
Signed-off-by: Todd C. Miller <tm...@tr...>
Acked-by: Stephen Smalley <sd...@ty...>
Modified Paths:
--------------
trunk/checkpolicy/Makefile
trunk/checkpolicy/policy_parse.y
Added Paths:
-----------
trunk/checkpolicy/policy_define.c
trunk/checkpolicy/policy_define.h
Modified: trunk/checkpolicy/Makefile
===================================================================
--- trunk/checkpolicy/Makefile 2008-03-05 12:50:37 UTC (rev 2840)
+++ trunk/checkpolicy/Makefile 2008-03-05 14:45:21 UTC (rev 2841)
@@ -14,7 +14,8 @@
override CFLAGS += -I. -I${INCLUDEDIR}
-CHECKOBJS = y.tab.o lex.yy.o queue.o module_compiler.o parse_util.o
+CHECKOBJS = y.tab.o lex.yy.o queue.o module_compiler.o parse_util.o \
+ policy_define.o
CHECKPOLOBJS = $(CHECKOBJS) checkpolicy.o
CHECKMODOBJS = $(CHECKOBJS) checkmodule.o
Added: trunk/checkpolicy/policy_define.c
===================================================================
--- trunk/checkpolicy/policy_define.c (rev 0)
+++ trunk/checkpolicy/policy_define.c 2008-03-05 14:45:21 UTC (rev 2841)
@@ -0,0 +1,3831 @@
+/*
+ * Author : Stephen Smalley, <sd...@ep...>
+ */
+
+/*
+ * Updated: Trusted Computer Solutions, Inc. <dgo...@tr...>
+ *
+ * Support for enhanced MLS infrastructure.
+ *
+ * Updated: David Caplan, <da...@tr...>
+ *
+ * Added conditional policy language extensions
+ *
+ * Updated: Joshua Brindle <jbr...@tr...>
+ * Karl MacMillan <kma...@me...>
+ * Jason Tang <jt...@tr...>
+ *
+ * Added support for binary policy modules
+ *
+ * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
+ * Copyright (C) 2003 - 2008 Tresys Technology, LLC
+ * Copyright (C) 2007 Red Hat Inc.
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 2.
+ */
+
+/* FLASK */
+
+#include <sys/types.h>
+#include <assert.h>
+#include <stdarg.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <stdlib.h>
+
+#include <sepol/policydb/expand.h>
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/services.h>
+#include <sepol/policydb/conditional.h>
+#include <sepol/policydb/flask.h>
+#include <sepol/policydb/hierarchy.h>
+#include <sepol/policydb/polcaps.h>
+#include "queue.h"
+#include "checkpolicy.h"
+#include "module_compiler.h"
+#include "policy_define.h"
+
+policydb_t *policydbp;
+queue_t id_queue = 0;
+unsigned int pass;
+char *curfile = 0;
+int mlspol = 0;
+
+extern unsigned long policydb_lineno;
+extern unsigned long source_lineno;
+extern unsigned int policydb_errors;
+
+extern int yywarn(char *msg);
+extern int yyerror(char *msg);
+
+#define ERRORMSG_LEN 255
+static char errormsg[ERRORMSG_LEN + 1] = {0};
+
+static int id_has_dot(char *id);
+static int parse_security_context(context_struct_t *c);
+
+/* initialize all of the state variables for the scanner/parser */
+void init_parser(int pass_number)
+{
+ policydb_lineno = 1;
+ source_lineno = 1;
+ policydb_errors = 0;
+ pass = pass_number;
+}
+
+void yyerror2(char *fmt, ...)
+{
+ va_list ap;
+ va_start(ap, fmt);
+ vsnprintf(errormsg, ERRORMSG_LEN, fmt, ap);
+ yyerror(errormsg);
+ va_end(ap);
+}
+
+int insert_separator(int push)
+{
+ int error;
+
+ if (push)
+ error = queue_push(id_queue, 0);
+ else
+ error = queue_insert(id_queue, 0);
+
+ if (error) {
+ yyerror("queue overflow");
+ return -1;
+ }
+ return 0;
+}
+
+int insert_id(char *id, int push)
+{
+ char *newid = 0;
+ int error;
+
+ newid = (char *)malloc(strlen(id) + 1);
+ if (!newid) {
+ yyerror("out of memory");
+ return -1;
+ }
+ strcpy(newid, id);
+ if (push)
+ error = queue_push(id_queue, (queue_element_t) newid);
+ else
+ error = queue_insert(id_queue, (queue_element_t) newid);
+
+ if (error) {
+ yyerror("queue overflow");
+ free(newid);
+ return -1;
+ }
+ return 0;
+}
+
+/* If the identifier has a dot within it and that its first character
+ is not a dot then return 1, else return 0. */
+static int id_has_dot(char *id)
+{
+ if (strchr(id, '.') >= id + 1) {
+ return 1;
+ }
+ return 0;
+}
+
+int define_class(void)
+{
+ char *id = 0;
+ class_datum_t *datum = 0;
+ int ret;
+ uint32_t value;
+
+ if (pass == 2) {
+ id = queue_remove(id_queue);
+ free(id);
+ return 0;
+ }
+
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror("no class name for class definition?");
+ return -1;
+ }
+ datum = (class_datum_t *) malloc(sizeof(class_datum_t));
+ if (!datum) {
+ yyerror("out of memory");
+ goto bad;
+ }
+ memset(datum, 0, sizeof(class_datum_t));
+ ret = declare_symbol(SYM_CLASSES, id, datum, &value, &value);
+ switch (ret) {
+ case -3:{
+ yyerror("Out of memory!");
+ goto bad;
+ }
+ case -2:{
+ yyerror2("duplicate declaration of class %s", id);
+ goto bad;
+ }
+ case -1:{
+ yyerror("could not declare class here");
+ goto bad;
+ }
+ case 0:
+ case 1:{
+ break;
+ }
+ default:{
+ assert(0); /* should never get here */
+ }
+ }
+ datum->s.value = value;
+ return 0;
+
+ bad:
+ if (id)
+ free(id);
+ if (datum)
+ free(datum);
+ return -1;
+}
+
+int define_polcap(void)
+{
+ char *id = 0;
+ int capnum;
+
+ if (pass == 2) {
+ id = queue_remove(id_queue);
+ free(id);
+ return 0;
+ }
+
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror("no capability name for policycap definition?");
+ goto bad;
+ }
+
+ /* Check for valid cap name -> number mapping */
+ capnum = sepol_polcap_getnum(id);
+ if (capnum < 0) {
+ yyerror2("invalid policy capability name %s", id);
+ goto bad;
+ }
+
+ /* Store it */
+ if (ebitmap_set_bit(&policydbp->policycaps, capnum, TRUE)) {
+ yyerror("out of memory");
+ goto bad;
+ }
+
+ free(id);
+ return 0;
+
+ bad:
+ free(id);
+ return -1;
+}
+
+int define_initial_sid(void)
+{
+ char *id = 0;
+ ocontext_t *newc = 0, *c, *head;
+
+ if (pass == 2) {
+ id = queue_remove(id_queue);
+ free(id);
+ return 0;
+ }
+
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror("no sid name for SID definition?");
+ return -1;
+ }
+ newc = (ocontext_t *) malloc(sizeof(ocontext_t));
+ if (!newc) {
+ yyerror("out of memory");
+ goto bad;
+ }
+ memset(newc, 0, sizeof(ocontext_t));
+ newc->u.name = id;
+ context_init(&newc->context[0]);
+ head = policydbp->ocontexts[OCON_ISID];
+
+ for (c = head; c; c = c->next) {
+ if (!strcmp(newc->u.name, c->u.name)) {
+ yyerror2("duplicate initial SID %s", id);
+ goto bad;
+ }
+ }
+
+ if (head) {
+ newc->sid[0] = head->sid[0] + 1;
+ } else {
+ newc->sid[0] = 1;
+ }
+ newc->next = head;
+ policydbp->ocontexts[OCON_ISID] = newc;
+
+ return 0;
+
+ bad:
+ if (id)
+ free(id);
+ if (newc)
+ free(newc);
+ return -1;
+}
+
+int define_common_perms(void)
+{
+ char *id = 0, *perm = 0;
+ common_datum_t *comdatum = 0;
+ perm_datum_t *perdatum = 0;
+ int ret;
+
+ if (pass == 2) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror("no common name for common perm definition?");
+ return -1;
+ }
+ comdatum = hashtab_search(policydbp->p_commons.table, id);
+ if (comdatum) {
+ yyerror2("duplicate declaration for common %s\n", id);
+ return -1;
+ }
+ comdatum = (common_datum_t *) malloc(sizeof(common_datum_t));
+ if (!comdatum) {
+ yyerror("out of memory");
+ goto bad;
+ }
+ memset(comdatum, 0, sizeof(common_datum_t));
+ ret = hashtab_insert(policydbp->p_commons.table,
+ (hashtab_key_t) id, (hashtab_datum_t) comdatum);
+
+ if (ret == SEPOL_EEXIST) {
+ yyerror("duplicate common definition");
+ goto bad;
+ }
+ if (ret == SEPOL_ENOMEM) {
+ yyerror("hash table overflow");
+ goto bad;
+ }
+ comdatum->s.value = policydbp->p_commons.nprim + 1;
+ if (symtab_init(&comdatum->permissions, PERM_SYMTAB_SIZE)) {
+ yyerror("out of memory");
+ goto bad;
+ }
+ policydbp->p_commons.nprim++;
+ while ((perm = queue_remove(id_queue))) {
+ perdatum = (perm_datum_t *) malloc(sizeof(perm_datum_t));
+ if (!perdatum) {
+ yyerror("out of memory");
+ goto bad_perm;
+ }
+ memset(perdatum, 0, sizeof(perm_datum_t));
+ perdatum->s.value = comdatum->permissions.nprim + 1;
+
+ if (perdatum->s.value > (sizeof(sepol_access_vector_t) * 8)) {
+ yyerror
+ ("too many permissions to fit in an access vector");
+ goto bad_perm;
+ }
+ ret = hashtab_insert(comdatum->permissions.table,
+ (hashtab_key_t) perm,
+ (hashtab_datum_t) perdatum);
+
+ if (ret == SEPOL_EEXIST) {
+ yyerror2("duplicate permission %s in common %s", perm,
+ id);
+ goto bad_perm;
+ }
+ if (ret == SEPOL_ENOMEM) {
+ yyerror("hash table overflow");
+ goto bad_perm;
+ }
+ comdatum->permissions.nprim++;
+ }
+
+ return 0;
+
+ bad:
+ if (id)
+ free(id);
+ if (comdatum)
+ free(comdatum);
+ return -1;
+
+ bad_perm:
+ if (perm)
+ free(perm);
+ if (perdatum)
+ free(perdatum);
+ return -1;
+}
+
+int define_av_perms(int inherits)
+{
+ char *id;
+ class_datum_t *cladatum;
+ common_datum_t *comdatum;
+ perm_datum_t *perdatum = 0, *perdatum2 = 0;
+ int ret;
+
+ if (pass == 2) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror("no tclass name for av perm definition?");
+ return -1;
+ }
+ cladatum = (class_datum_t *) hashtab_search(policydbp->p_classes.table,
+ (hashtab_key_t) id);
+ if (!cladatum) {
+ yyerror2("class %s is not defined", id);
+ goto bad;
+ }
+ free(id);
+
+ if (cladatum->comdatum || cladatum->permissions.nprim) {
+ yyerror("duplicate access vector definition");
+ return -1;
+ }
+ if (symtab_init(&cladatum->permissions, PERM_SYMTAB_SIZE)) {
+ yyerror("out of memory");
+ return -1;
+ }
+ if (inherits) {
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror
+ ("no inherits name for access vector definition?");
+ return -1;
+ }
+ comdatum =
+ (common_datum_t *) hashtab_search(policydbp->p_commons.
+ table,
+ (hashtab_key_t) id);
+
+ if (!comdatum) {
+ yyerror2("common %s is not defined", id);
+ goto bad;
+ }
+ cladatum->comkey = id;
+ cladatum->comdatum = comdatum;
+
+ /*
+ * Class-specific permissions start with values
+ * after the last common permission.
+ */
+ cladatum->permissions.nprim += comdatum->permissions.nprim;
+ }
+ while ((id = queue_remove(id_queue))) {
+ perdatum = (perm_datum_t *) malloc(sizeof(perm_datum_t));
+ if (!perdatum) {
+ yyerror("out of memory");
+ goto bad;
+ }
+ memset(perdatum, 0, sizeof(perm_datum_t));
+ perdatum->s.value = ++cladatum->permissions.nprim;
+
+ if (perdatum->s.value > (sizeof(sepol_access_vector_t) * 8)) {
+ yyerror
+ ("too many permissions to fit in an access vector");
+ goto bad;
+ }
+ if (inherits) {
+ /*
+ * Class-specific permissions and
+ * common permissions exist in the same
+ * name space.
+ */
+ perdatum2 =
+ (perm_datum_t *) hashtab_search(cladatum->comdatum->
+ permissions.table,
+ (hashtab_key_t) id);
+ if (perdatum2) {
+ yyerror2("permission %s conflicts with an "
+ "inherited permission", id);
+ goto bad;
+ }
+ }
+ ret = hashtab_insert(cladatum->permissions.table,
+ (hashtab_key_t) id,
+ (hashtab_datum_t) perdatum);
+
+ if (ret == SEPOL_EEXIST) {
+ yyerror2("duplicate permission %s", id);
+ goto bad;
+ }
+ if (ret == SEPOL_ENOMEM) {
+ yyerror("hash table overflow");
+ goto bad;
+ }
+ if (add_perm_to_class(perdatum->s.value, cladatum->s.value)) {
+ yyerror("out of memory");
+ goto bad;
+ }
+ }
+
+ return 0;
+
+ bad:
+ if (id)
+ free(id);
+ if (perdatum)
+ free(perdatum);
+ return -1;
+}
+
+int define_sens(void)
+{
+ char *id;
+ mls_level_t *level = 0;
+ level_datum_t *datum = 0, *aliasdatum = 0;
+ int ret;
+ uint32_t value; /* dummy variable -- its value is never used */
+
+ if (!mlspol) {
+ yyerror("sensitivity definition in non-MLS configuration");
+ return -1;
+ }
+
+ if (pass == 2) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror("no sensitivity name for sensitivity definition?");
+ return -1;
+ }
+ if (id_has_dot(id)) {
+ yyerror("sensitivity identifiers may not contain periods");
+ goto bad;
+ }
+ level = (mls_level_t *) malloc(sizeof(mls_level_t));
+ if (!level) {
+ yyerror("out of memory");
+ goto bad;
+ }
+ mls_level_init(level);
+ level->sens = 0; /* actual value set in define_dominance */
+ ebitmap_init(&level->cat); /* actual value set in define_level */
+
+ datum = (level_datum_t *) malloc(sizeof(level_datum_t));
+ if (!datum) {
+ yyerror("out of memory");
+ goto bad;
+ }
+ level_datum_init(datum);
+ datum->isalias = FALSE;
+ datum->level = level;
+
+ ret = declare_symbol(SYM_LEVELS, id, datum, &value, &value);
+ switch (ret) {
+ case -3:{
+ yyerror("Out of memory!");
+ goto bad;
+ }
+ case -2:{
+ yyerror("duplicate declaration of sensitivity level");
+ goto bad;
+ }
+ case -1:{
+ yyerror("could not declare sensitivity level here");
+ goto bad;
+ }
+ case 0:
+ case 1:{
+ break;
+ }
+ default:{
+ assert(0); /* should never get here */
+ }
+ }
+
+ while ((id = queue_remove(id_queue))) {
+ if (id_has_dot(id)) {
+ yyerror("sensitivity aliases may not contain periods");
+ goto bad_alias;
+ }
+ aliasdatum = (level_datum_t *) malloc(sizeof(level_datum_t));
+ if (!aliasdatum) {
+ yyerror("out of memory");
+ goto bad_alias;
+ }
+ level_datum_init(aliasdatum);
+ aliasdatum->isalias = TRUE;
+ aliasdatum->level = level;
+
+ ret = declare_symbol(SYM_LEVELS, id, aliasdatum, NULL, &value);
+ switch (ret) {
+ case -3:{
+ yyerror("Out of memory!");
+ goto bad_alias;
+ }
+ case -2:{
+ yyerror
+ ("duplicate declaration of sensitivity alias");
+ goto bad_alias;
+ }
+ case -1:{
+ yyerror
+ ("could not declare sensitivity alias here");
+ goto bad_alias;
+ }
+ case 0:
+ case 1:{
+ break;
+ }
+ default:{
+ assert(0); /* should never get here */
+ }
+ }
+ }
+
+ return 0;
+
+ bad:
+ if (id)
+ free(id);
+ if (level)
+ free(level);
+ if (datum) {
+ level_datum_destroy(datum);
+ free(datum);
+ }
+ return -1;
+
+ bad_alias:
+ if (id)
+ free(id);
+ if (aliasdatum) {
+ level_datum_destroy(aliasdatum);
+ free(aliasdatum);
+ }
+ return -1;
+}
+
+int define_dominance(void)
+{
+ level_datum_t *datum;
+ int order;
+ char *id;
+
+ if (!mlspol) {
+ yyerror("dominance definition in non-MLS configuration");
+ return -1;
+ }
+
+ if (pass == 2) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ order = 0;
+ while ((id = (char *)queue_remove(id_queue))) {
+ datum =
+ (level_datum_t *) hashtab_search(policydbp->p_levels.table,
+ (hashtab_key_t) id);
+ if (!datum) {
+ yyerror2("unknown sensitivity %s used in dominance "
+ "definition", id);
+ free(id);
+ return -1;
+ }
+ if (datum->level->sens != 0) {
+ yyerror2("sensitivity %s occurs multiply in dominance "
+ "definition", id);
+ free(id);
+ return -1;
+ }
+ datum->level->sens = ++order;
+
+ /* no need to keep sensitivity name */
+ free(id);
+ }
+
+ if (order != policydbp->p_levels.nprim) {
+ yyerror
+ ("all sensitivities must be specified in dominance definition");
+ return -1;
+ }
+ return 0;
+}
+
+int define_category(void)
+{
+ char *id;
+ cat_datum_t *datum = 0, *aliasdatum = 0;
+ int ret;
+ uint32_t value;
+
+ if (!mlspol) {
+ yyerror("category definition in non-MLS configuration");
+ return -1;
+ }
+
+ if (pass == 2) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror("no category name for category definition?");
+ return -1;
+ }
+ if (id_has_dot(id)) {
+ yyerror("category identifiers may not contain periods");
+ goto bad;
+ }
+ datum = (cat_datum_t *) malloc(sizeof(cat_datum_t));
+ if (!datum) {
+ yyerror("out of memory");
+ goto bad;
+ }
+ cat_datum_init(datum);
+ datum->isalias = FALSE;
+
+ ret = declare_symbol(SYM_CATS, id, datum, &value, &value);
+ switch (ret) {
+ case -3:{
+ yyerror("Out of memory!");
+ goto bad;
+ }
+ case -2:{
+ yyerror("duplicate declaration of category");
+ goto bad;
+ }
+ case -1:{
+ yyerror("could not declare category here");
+ goto bad;
+ }
+ case 0:
+ case 1:{
+ break;
+ }
+ default:{
+ assert(0); /* should never get here */
+ }
+ }
+ datum->s.value = value;
+
+ while ((id = queue_remove(id_queue))) {
+ if (id_has_dot(id)) {
+ yyerror("category aliases may not contain periods");
+ goto bad_alias;
+ }
+ aliasdatum = (cat_datum_t *) malloc(sizeof(cat_datum_t));
+ if (!aliasdatum) {
+ yyerror("out of memory");
+ goto bad_alias;
+ }
+ cat_datum_init(aliasdatum);
+ aliasdatum->isalias = TRUE;
+ aliasdatum->s.value = datum->s.value;
+
+ ret =
+ declare_symbol(SYM_CATS, id, aliasdatum, NULL,
+ &datum->s.value);
+ switch (ret) {
+ case -3:{
+ yyerror("Out of memory!");
+ goto bad_alias;
+ }
+ case -2:{
+ yyerror
+ ("duplicate declaration of category aliases");
+ goto bad_alias;
+ }
+ case -1:{
+ yyerror
+ ("could not declare category aliases here");
+ goto bad_alias;
+ }
+ case 0:
+ case 1:{
+ break;
+ }
+ default:{
+ assert(0); /* should never get here */
+ }
+ }
+ }
+
+ return 0;
+
+ bad:
+ if (id)
+ free(id);
+ if (datum) {
+ cat_datum_destroy(datum);
+ free(datum);
+ }
+ return -1;
+
+ bad_alias:
+ if (id)
+ free(id);
+ if (aliasdatum) {
+ cat_datum_destroy(aliasdatum);
+ free(aliasdatum);
+ }
+ return -1;
+}
+
+static int clone_level(hashtab_key_t key, hashtab_datum_t datum, void *arg)
+{
+ level_datum_t *levdatum = (level_datum_t *) datum;
+ mls_level_t *level = (mls_level_t *) arg, *newlevel;
+
+ if (levdatum->level == level) {
+ levdatum->defined = 1;
+ if (!levdatum->isalias)
+ return 0;
+ newlevel = (mls_level_t *) malloc(sizeof(mls_level_t));
+ if (!newlevel)
+ return -1;
+ if (mls_level_cpy(newlevel, level)) {
+ free(newlevel);
+ return -1;
+ }
+ levdatum->level = newlevel;
+ }
+ return 0;
+}
+
+int define_level(void)
+{
+ char *id;
+ level_datum_t *levdatum;
+
+ if (!mlspol) {
+ yyerror("level definition in non-MLS configuration");
+ return -1;
+ }
+
+ if (pass == 2) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror("no level name for level definition?");
+ return -1;
+ }
+ levdatum = (level_datum_t *) hashtab_search(policydbp->p_levels.table,
+ (hashtab_key_t) id);
+ if (!levdatum) {
+ yyerror2("unknown sensitivity %s used in level definition", id);
+ free(id);
+ return -1;
+ }
+ if (ebitmap_length(&levdatum->level->cat)) {
+ yyerror2("sensitivity %s used in multiple level definitions",
+ id);
+ free(id);
+ return -1;
+ }
+ free(id);
+
+ levdatum->defined = 1;
+
+ while ((id = queue_remove(id_queue))) {
+ cat_datum_t *cdatum;
+ int range_start, range_end, i;
+
+ if (id_has_dot(id)) {
+ char *id_start = id;
+ char *id_end = strchr(id, '.');
+
+ *(id_end++) = '\0';
+
+ cdatum =
+ (cat_datum_t *) hashtab_search(policydbp->p_cats.
+ table,
+ (hashtab_key_t)
+ id_start);
+ if (!cdatum) {
+ yyerror2("unknown category %s", id_start);
+ free(id);
+ return -1;
+ }
+ range_start = cdatum->s.value - 1;
+ cdatum =
+ (cat_datum_t *) hashtab_search(policydbp->p_cats.
+ table,
+ (hashtab_key_t)
+ id_end);
+ if (!cdatum) {
+ yyerror2("unknown category %s", id_end);
+ free(id);
+ return -1;
+ }
+ range_end = cdatum->s.value - 1;
+
+ if (range_end < range_start) {
+ yyerror2("category range is invalid");
+ free(id);
+ return -1;
+ }
+ } else {
+ cdatum =
+ (cat_datum_t *) hashtab_search(policydbp->p_cats.
+ table,
+ (hashtab_key_t) id);
+ range_start = range_end = cdatum->s.value - 1;
+ }
+
+ for (i = range_start; i <= range_end; i++) {
+ if (ebitmap_set_bit(&levdatum->level->cat, i, TRUE)) {
+ yyerror("out of memory");
+ free(id);
+ return -1;
+ }
+ }
+
+ free(id);
+ }
+
+ if (hashtab_map
+ (policydbp->p_levels.table, clone_level, levdatum->level)) {
+ yyerror("out of memory");
+ return -1;
+ }
+
+ return 0;
+}
+
+int define_attrib(void)
+{
+ if (pass == 2) {
+ free(queue_remove(id_queue));
+ return 0;
+ }
+
+ if (declare_type(TRUE, TRUE) == NULL) {
+ return -1;
+ }
+ return 0;
+}
+
+static int add_aliases_to_type(type_datum_t * type)
+{
+ char *id;
+ type_datum_t *aliasdatum = NULL;
+ int ret;
+ while ((id = queue_remove(id_queue))) {
+ if (id_has_dot(id)) {
+ free(id);
+ yyerror
+ ("type alias identifiers may not contain periods");
+ return -1;
+ }
+ aliasdatum = (type_datum_t *) malloc(sizeof(type_datum_t));
+ if (!aliasdatum) {
+ free(id);
+ yyerror("Out of memory!");
+ return -1;
+ }
+ memset(aliasdatum, 0, sizeof(type_datum_t));
+ aliasdatum->s.value = type->s.value;
+
+ ret = declare_symbol(SYM_TYPES, id, aliasdatum,
+ NULL, &aliasdatum->s.value);
+ switch (ret) {
+ case -3:{
+ yyerror("Out of memory!");
+ goto cleanup;
+ }
+ case -2:{
+ yyerror2("duplicate declaration of alias %s",
+ id);
+ goto cleanup;
+ }
+ case -1:{
+ yyerror("could not declare alias here");
+ goto cleanup;
+ }
+ case 0:
+ case 1:{
+ break;
+ }
+ default:{
+ assert(0); /* should never get here */
+ }
+ }
+ }
+ return 0;
+ cleanup:
+ free(id);
+ type_datum_destroy(aliasdatum);
+ free(aliasdatum);
+ return -1;
+}
+
+int define_typealias(void)
+{
+ char *id;
+ type_datum_t *t;
+
+ if (pass == 2) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror("no type name for typealias definition?");
+ return -1;
+ }
+
+ if (!is_id_in_scope(SYM_TYPES, id)) {
+ yyerror2("type %s is not within scope", id);
+ free(id);
+ return -1;
+ }
+ t = hashtab_search(policydbp->p_types.table, id);
+ if (!t || t->flavor == TYPE_ATTRIB) {
+ yyerror2("unknown type %s, or it was already declared as an "
+ "attribute", id);
+ free(id);
+ return -1;
+ }
+ return add_aliases_to_type(t);
+}
+
+int define_typeattribute(void)
+{
+ char *id;
+ type_datum_t *t, *attr;
+
+ if (pass == 2) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror("no type name for typeattribute definition?");
+ return -1;
+ }
+
+ if (!is_id_in_scope(SYM_TYPES, id)) {
+ yyerror2("type %s is not within scope", id);
+ free(id);
+ return -1;
+ }
+ t = hashtab_search(policydbp->p_types.table, id);
+ if (!t || t->flavor == TYPE_ATTRIB) {
+ yyerror2("unknown type %s", id);
+ free(id);
+ return -1;
+ }
+
+ while ((id = queue_remove(id_queue))) {
+ if (!is_id_in_scope(SYM_TYPES, id)) {
+ yyerror2("attribute %s is not within scope", id);
+ free(id);
+ return -1;
+ }
+ attr = hashtab_search(policydbp->p_types.table, id);
+ if (!attr) {
+ /* treat it as a fatal error */
+ yyerror2("attribute %s is not declared", id);
+ free(id);
+ return -1;
+ }
+
+ if (attr->flavor != TYPE_ATTRIB) {
+ yyerror2("%s is a type, not an attribute", id);
+ free(id);
+ return -1;
+ }
+
+ if ((attr = get_local_type(id, attr->s.value, 1)) == NULL) {
+ yyerror("Out of memory!");
+ return -1;
+ }
+
+ if (ebitmap_set_bit(&attr->types, (t->s.value - 1), TRUE)) {
+ yyerror("out of memory");
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
+int define_type(int alias)
+{
+ char *id;
+ type_datum_t *datum, *attr;
+ int newattr = 0;
+
+ if (pass == 2) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ if (alias) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ }
+ return 0;
+ }
+
+ if ((datum = declare_type(TRUE, FALSE)) == NULL) {
+ return -1;
+ }
+
+ if (alias) {
+ if (add_aliases_to_type(datum) == -1) {
+ return -1;
+ }
+ }
+
+ while ((id = queue_remove(id_queue))) {
+ if (!is_id_in_scope(SYM_TYPES, id)) {
+ yyerror2("attribute %s is not within scope", id);
+ free(id);
+ return -1;
+ }
+ attr = hashtab_search(policydbp->p_types.table, id);
+ if (!attr) {
+ /* treat it as a fatal error */
+ yyerror2("attribute %s is not declared", id);
+ return -1;
+ } else {
+ newattr = 0;
+ }
+
+ if (attr->flavor != TYPE_ATTRIB) {
+ yyerror2("%s is a type, not an attribute", id);
+ return -1;
+ }
+
+ if ((attr = get_local_type(id, attr->s.value, 1)) == NULL) {
+ yyerror("Out of memory!");
+ return -1;
+ }
+
+ if (ebitmap_set_bit(&attr->types, datum->s.value - 1, TRUE)) {
+ yyerror("Out of memory");
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
+struct val_to_name {
+ unsigned int val;
+ char *name;
+};
+
+/* Adds a type, given by its textual name, to a typeset. If *add is
+ 0, then add the type to the negative set; otherwise if *add is 1
+ then add it to the positive side. */
+static int set_types(type_set_t * set, char *id, int *add, char starallowed)
+{
+ type_datum_t *t;
+
+ if (strcmp(id, "*") == 0) {
+ if (!starallowed) {
+ yyerror("* not allowed in this type of rule");
+ return -1;
+ }
+ /* set TYPE_STAR flag */
+ set->flags = TYPE_STAR;
+ free(id);
+ *add = 1;
+ return 0;
+ }
+
+ if (strcmp(id, "~") == 0) {
+ if (!starallowed) {
+ yyerror("~ not allowed in this type of rule");
+ return -1;
+ }
+ /* complement the set */
+ set->flags = TYPE_COMP;
+ free(id);
+ *add = 1;
+ return 0;
+ }
+
+ if (strcmp(id, "-") == 0) {
+ *add = 0;
+ free(id);
+ return 0;
+ }
+
+ if (!is_id_in_scope(SYM_TYPES, id)) {
+ yyerror2("type %s is not within scope", id);
+ free(id);
+ return -1;
+ }
+ t = hashtab_search(policydbp->p_types.table, id);
+ if (!t) {
+ yyerror2("unknown type %s", id);
+ free(id);
+ return -1;
+ }
+
+ if (*add == 0) {
+ if (ebitmap_set_bit(&set->negset, t->s.value - 1, TRUE))
+ goto oom;
+ } else {
+ if (ebitmap_set_bit(&set->types, t->s.value - 1, TRUE))
+ goto oom;
+ }
+ free(id);
+ *add = 1;
+ return 0;
+ oom:
+ yyerror("Out of memory");
+ free(id);
+ return -1;
+}
+
+int define_compute_type_helper(int which, avrule_t ** rule)
+{
+ char *id;
+ type_datum_t *datum;
+ class_datum_t *cladatum;
+ ebitmap_t tclasses;
+ ebitmap_node_t *node;
+ avrule_t *avrule;
+ class_perm_node_t *perm;
+ int i, add = 1;
+
+ avrule = malloc(sizeof(avrule_t));
+ if (!avrule) {
+ yyerror("out of memory");
+ return -1;
+ }
+ avrule_init(avrule);
+ avrule->specified = which;
+ avrule->line = policydb_lineno;
+
+ while ((id = queue_remove(id_queue))) {
+ if (set_types(&avrule->stypes, id, &add, 0))
+ return -1;
+ }
+ add = 1;
+ while ((id = queue_remove(id_queue))) {
+ if (set_types(&avrule->ttypes, id, &add, 0))
+ return -1;
+ }
+
+ ebitmap_init(&tclasses);
+ while ((id = queue_remove(id_queue))) {
+ if (!is_id_in_scope(SYM_CLASSES, id)) {
+ yyerror2("class %s is not within scope", id);
+ free(id);
+ goto bad;
+ }
+ cladatum = hashtab_search(policydbp->p_classes.table, id);
+ if (!cladatum) {
+ yyerror2("unknown class %s", id);
+ goto bad;
+ }
+ if (ebitmap_set_bit(&tclasses, cladatum->s.value - 1, TRUE)) {
+ yyerror("Out of memory");
+ goto bad;
+ }
+ free(id);
+ }
+
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror("no newtype?");
+ goto bad;
+ }
+ if (!is_id_in_scope(SYM_TYPES, id)) {
+ yyerror2("type %s is not within scope", id);
+ free(id);
+ goto bad;
+ }
+ datum = (type_datum_t *) hashtab_search(policydbp->p_types.table,
+ (hashtab_key_t) id);
+ if (!datum || datum->flavor == TYPE_ATTRIB) {
+ yyerror2("unknown type %s", id);
+ goto bad;
+ }
+
+ ebitmap_for_each_bit(&tclasses, node, i) {
+ if (ebitmap_node_get_bit(node, i)) {
+ perm = malloc(sizeof(class_perm_node_t));
+ if (!perm) {
+ yyerror("out of memory");
+ return -1;
+ }
+ class_perm_node_init(perm);
+ perm->class = i + 1;
+ perm->data = datum->s.value;
+ perm->next = avrule->perms;
+ avrule->perms = perm;
+ }
+ }
+ ebitmap_destroy(&tclasses);
+
+ *rule = avrule;
+ return 0;
+
+ bad:
+ avrule_destroy(avrule);
+ free(avrule);
+ return -1;
+}
+
+int define_compute_type(int which)
+{
+ char *id;
+ avrule_t *avrule;
+
+ if (pass == 1) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ id = queue_remove(id_queue);
+ free(id);
+ return 0;
+ }
+
+ if (define_compute_type_helper(which, &avrule))
+ return -1;
+
+ append_avrule(avrule);
+ return 0;
+}
+
+avrule_t *define_cond_compute_type(int which)
+{
+ char *id;
+ avrule_t *avrule;
+
+ if (pass == 1) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ id = queue_remove(id_queue);
+ free(id);
+ return (avrule_t *) 1;
+ }
+
+ if (define_compute_type_helper(which, &avrule))
+ return COND_ERR;
+
+ return avrule;
+}
+
+int define_bool(void)
+{
+ char *id, *bool_value;
+ cond_bool_datum_t *datum;
+ int ret;
+ uint32_t value;
+
+ if (pass == 2) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror("no identifier for bool definition?");
+ return -1;
+ }
+ if (id_has_dot(id)) {
+ free(id);
+ yyerror("boolean identifiers may not contain periods");
+ return -1;
+ }
+ datum = (cond_bool_datum_t *) malloc(sizeof(cond_bool_datum_t));
+ if (!datum) {
+ yyerror("out of memory");
+ free(id);
+ return -1;
+ }
+ memset(datum, 0, sizeof(cond_bool_datum_t));
+ ret = declare_symbol(SYM_BOOLS, id, datum, &value, &value);
+ switch (ret) {
+ case -3:{
+ yyerror("Out of memory!");
+ goto cleanup;
+ }
+ case -2:{
+ yyerror2("duplicate declaration of boolean %s", id);
+ goto cleanup;
+ }
+ case -1:{
+ yyerror("could not declare boolean here");
+ goto cleanup;
+ }
+ case 0:
+ case 1:{
+ break;
+ }
+ default:{
+ assert(0); /* should never get here */
+ }
+ }
+ datum->s.value = value;
+
+ bool_value = (char *)queue_remove(id_queue);
+ if (!bool_value) {
+ yyerror("no default value for bool definition?");
+ free(id);
+ return -1;
+ }
+
+ datum->state = (int)(bool_value[0] == 'T') ? 1 : 0;
+ return 0;
+ cleanup:
+ cond_destroy_bool(id, datum, NULL);
+ return -1;
+}
+
+avrule_t *define_cond_pol_list(avrule_t * avlist, avrule_t * sl)
+{
+ if (pass == 1) {
+ /* return something so we get through pass 1 */
+ return (avrule_t *) 1;
+ }
+
+ if (sl == NULL) {
+ /* This is a require block, return previous list */
+ return avlist;
+ }
+
+ /* prepend the new avlist to the pre-existing one */
+ sl->next = avlist;
+ return sl;
+}
+
+int define_te_avtab_helper(int which, avrule_t ** rule)
+{
+ char *id;
+ class_datum_t *cladatum;
+ perm_datum_t *perdatum = NULL;
+ class_perm_node_t *perms, *tail = NULL, *cur_perms = NULL;
+ ebitmap_t tclasses;
+ ebitmap_node_t *node;
+ avrule_t *avrule;
+ unsigned int i;
+ int add = 1, ret = 0;
+ int suppress = 0;
+
+ avrule = (avrule_t *) malloc(sizeof(avrule_t));
+ if (!avrule) {
+ yyerror("memory error");
+ ret = -1;
+ goto out;
+ }
+ avrule_init(avrule);
+ avrule->specified = which;
+ avrule->line = policydb_lineno;
+
+ while ((id = queue_remove(id_queue))) {
+ if (set_types
+ (&avrule->stypes, id, &add,
+ which == AVRULE_NEVERALLOW ? 1 : 0)) {
+ ret = -1;
+ goto out;
+ }
+ }
+ add = 1;
+ while ((id = queue_remove(id_queue))) {
+ if (strcmp(id, "self") == 0) {
+ free(id);
+ avrule->flags |= RULE_SELF;
+ continue;
+ }
+ if (set_types
+ (&avrule->ttypes, id, &add,
+ which == AVRULE_NEVERALLOW ? 1 : 0)) {
+ ret = -1;
+ goto out;
+ }
+ }
+
+ ebitmap_init(&tclasses);
+ while ((id = queue_remove(id_queue))) {
+ if (!is_id_in_scope(SYM_CLASSES, id)) {
+ yyerror2("class %s is not within scope", id);
+ ret = -1;
+ goto out;
+ }
+ cladatum = hashtab_search(policydbp->p_classes.table, id);
+ if (!cladatum) {
+ yyerror2("unknown class %s used in rule", id);
+ ret = -1;
+ goto out;
+ }
+ if (ebitmap_set_bit(&tclasses, cladatum->s.value - 1, TRUE)) {
+ yyerror("Out of memory");
+ ret = -1;
+ goto out;
+ }
+ free(id);
+ }
+
+ perms = NULL;
+ ebitmap_for_each_bit(&tclasses, node, i) {
+ if (!ebitmap_node_get_bit(node, i))
+ continue;
+ cur_perms =
+ (class_perm_node_t *) malloc(sizeof(class_perm_node_t));
+ if (!cur_perms) {
+ yyerror("out of memory");
+ ret = -1;
+ goto out;
+ }
+ class_perm_node_init(cur_perms);
+ cur_perms->class = i + 1;
+ if (!perms)
+ perms = cur_perms;
+ if (tail)
+ tail->next = cur_perms;
+ tail = cur_perms;
+ }
+
+ while ((id = queue_remove(id_queue))) {
+ cur_perms = perms;
+ ebitmap_for_each_bit(&tclasses, node, i) {
+ if (!ebitmap_node_get_bit(node, i))
+ continue;
+ cladatum = policydbp->class_val_to_struct[i];
+
+ if (strcmp(id, "*") == 0) {
+ /* set all permissions in the class */
+ cur_perms->data = ~0U;
+ goto next;
+ }
+
+ if (strcmp(id, "~") == 0) {
+ /* complement the set */
+ if (which == AVRULE_DONTAUDIT)
+ yywarn("dontaudit rule with a ~?");
+ cur_perms->data = ~cur_perms->data;
+ goto next;
+ }
+
+ perdatum =
+ hashtab_search(cladatum->permissions.table, id);
+ if (!perdatum) {
+ if (cladatum->comdatum) {
+ perdatum =
+ hashtab_search(cladatum->comdatum->
+ permissions.table,
+ id);
+ }
+ }
+ if (!perdatum) {
+ if (!suppress)
+ yyerror2("permission %s is not defined"
+ " for class %s", id,
+ policydbp->p_class_val_to_name[i]);
+ continue;
+ } else
+ if (!is_perm_in_scope
+ (id, policydbp->p_class_val_to_name[i])) {
+ if (!suppress) {
+ yyerror2("permission %s of class %s is"
+ " not within scope", id,
+ policydbp->p_class_val_to_name[i]);
+ }
+ continue;
+ } else {
+ cur_perms->data |= 1U << (perdatum->s.value - 1);
+ }
+ next:
+ cur_perms = cur_perms->next;
+ }
+
+ free(id);
+ }
+
+ ebitmap_destroy(&tclasses);
+
+ avrule->perms = perms;
+ *rule = avrule;
+
+ out:
+ return ret;
+
+}
+
+avrule_t *define_cond_te_avtab(int which)
+{
+ char *id;
+ avrule_t *avrule;
+ int i;
+
+ if (pass == 1) {
+ for (i = 0; i < 4; i++) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ }
+ return (avrule_t *) 1; /* any non-NULL value */
+ }
+
+ if (define_te_avtab_helper(which, &avrule))
+ return COND_ERR;
+
+ return avrule;
+}
+
+int define_te_avtab(int which)
+{
+ char *id;
+ avrule_t *avrule;
+ int i;
+
+ if (pass == 1) {
+ for (i = 0; i < 4; i++) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ }
+ return 0;
+ }
+
+ if (define_te_avtab_helper(which, &avrule))
+ return -1;
+
+ /* append this avrule to the end of the current rules list */
+ append_avrule(avrule);
+ return 0;
+}
+
+int define_role_types(void)
+{
+ role_datum_t *role;
+ char *id;
+ int add = 1;
+
+ if (pass == 1) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ if ((role = declare_role()) == NULL) {
+ return -1;
+ }
+ while ((id = queue_remove(id_queue))) {
+ if (set_types(&role->types, id, &add, 0))
+ return -1;
+ }
+
+ return 0;
+}
+
+role_datum_t *merge_roles_dom(role_datum_t * r1, role_datum_t * r2)
+{
+ role_datum_t *new;
+
+ if (pass == 1) {
+ return (role_datum_t *) 1; /* any non-NULL value */
+ }
+
+ new = malloc(sizeof(role_datum_t));
+ if (!new) {
+ yyerror("out of memory");
+ return NULL;
+ }
+ memset(new, 0, sizeof(role_datum_t));
+ new->s.value = 0; /* temporary role */
+ if (ebitmap_or(&new->dominates, &r1->dominates, &r2->dominates)) {
+ yyerror("out of memory");
+ return NULL;
+ }
+ if (ebitmap_or(&new->types.types, &r1->types.types, &r2->types.types)) {
+ yyerror("out of memory");
+ return NULL;
+ }
+ if (!r1->s.value) {
+ /* free intermediate result */
+ type_set_destroy(&r1->types);
+ ebitmap_destroy(&r1->dominates);
+ free(r1);
+ }
+ if (!r2->s.value) {
+ /* free intermediate result */
+ yyerror("right hand role is temporary?");
+ type_set_destroy(&r2->types);
+ ebitmap_destroy(&r2->dominates);
+ free(r2);
+ }
+ return new;
+}
+
+/* This function eliminates the ordering dependency of role dominance rule */
+static int dominate_role_recheck(hashtab_key_t key, hashtab_datum_t datum,
+ void *arg)
+{
+ role_datum_t *rdp = (role_datum_t *) arg;
+ role_datum_t *rdatum = (role_datum_t *) datum;
+ ebitmap_node_t *node;
+ int i;
+
+ /* Don't bother to process against self role */
+ if (rdatum->s.value == rdp->s.value)
+ return 0;
+
+ /* If a dominating role found */
+ if (ebitmap_get_bit(&(rdatum->dominates), rdp->s.value - 1)) {
+ ebitmap_t types;
+ ebitmap_init(&types);
+ if (type_set_expand(&rdp->types, &types, policydbp, 1)) {
+ ebitmap_destroy(&types);
+ return -1;
+ }
+ /* raise types and dominates from dominated role */
+ ebitmap_for_each_bit(&rdp->dominates, node, i) {
+ if (ebitmap_node_get_bit(node, i))
+ if (ebitmap_set_bit
+ (&rdatum->dominates, i, TRUE))
+ goto oom;
+ }
+ ebitmap_for_each_bit(&types, node, i) {
+ if (ebitmap_node_get_bit(node, i))
+ if (ebitmap_set_bit
+ (&rdatum->types.types, i, TRUE))
+ goto oom;
+ }
+ ebitmap_destroy(&types);
+ }
+
+ /* go through all the roles */
+ return 0;
+ oom:
+ yyerror("Out of memory");
+ return -1;
+}
+
+role_datum_t *define_role_dom(role_datum_t * r)
+{
+ role_datum_t *role;
+ char *role_id;
+ ebitmap_node_t *node;
+ unsigned int i;
+ int ret;
+
+ if (pass == 1) {
+ role_id = queue_remove(id_queue);
+ free(role_id);
+ return (role_datum_t *) 1; /* any non-NULL value */
+ }
+
+ yywarn("Role dominance has been deprecated");
+
+ role_id = queue_remove(id_queue);
+ if (!is_id_in_scope(SYM_ROLES, role_id)) {
+ yyerror2("role %s is not within scope", role_id);
+ free(role_id);
+ return NULL;
+ }
+ role = (role_datum_t *) hashtab_search(policydbp->p_roles.table,
+ role_id);
+ if (!role) {
+ role = (role_datum_t *) malloc(sizeof(role_datum_t));
+ if (!role) {
+ yyerror("out of memory");
+ free(role_id);
+ return NULL;
+ }
+ memset(role, 0, sizeof(role_datum_t));
+ ret =
+ declare_symbol(SYM_ROLES, (hashtab_key_t) role_id,
+ (hashtab_datum_t) role, &role->s.value,
+ &role->s.value);
+ switch (ret) {
+ case -3:{
+ yyerror("Out of memory!");
+ goto cleanup;
+ }
+ case -2:{
+ yyerror2("duplicate declaration of role %s",
+ role_id);
+ goto cleanup;
+ }
+ case -1:{
+ yyerror("could not declare role here");
+ goto cleanup;
+ }
+ case 0:
+ case 1:{
+ break;
+ }
+ default:{
+ assert(0); /* should never get here */
+ }
+ }
+ if (ebitmap_set_bit(&role->dominates, role->s.value - 1, TRUE)) {
+ yyerror("Out of memory!");
+ goto cleanup;
+ }
+ }
+ if (r) {
+ ebitmap_t types;
+ ebitmap_init(&types);
+ ebitmap_for_each_bit(&r->dominates, node, i) {
+ if (ebitmap_node_get_bit(node, i))
+ if (ebitmap_set_bit(&role->dominates, i, TRUE))
+ goto oom;
+ }
+ if (type_set_expand(&r->types, &types, policydbp, 1)) {
+ ebitmap_destroy(&types);
+ return NULL;
+ }
+ ebitmap_for_each_bit(&types, node, i) {
+ if (ebitmap_node_get_bit(node, i))
+ if (ebitmap_set_bit
+ (&role->types.types, i, TRUE))
+ goto oom;
+ }
+ ebitmap_destroy(&types);
+ if (!r->s.value) {
+ /* free intermediate result */
+ type_set_destroy(&r->types);
+ ebitmap_destroy(&r->dominates);
+ free(r);
+ }
+ /*
+ * Now go through all the roles and escalate this role's
+ * dominates and types if a role dominates this role.
+ */
+ hashtab_map(policydbp->p_roles.table,
+ dominate_role_recheck, role);
+ }
+ return role;
+ cleanup:
+ free(role_id);
+ role_datum_destroy(role);
+ free(role);
+ return NULL;
+ oom:
+ yyerror("Out of memory");
+ goto cleanup;
+}
+
+static int role_val_to_name_helper(hashtab_key_t key, hashtab_datum_t datum,
+ void *p)
+{
+ struct val_to_name *v = p;
+ role_datum_t *roldatum;
+
+ roldatum = (role_datum_t *) datum;
+
+ if (v->val == roldatum->s.value) {
+ v->name = key;
+ return 1;
+ }
+
+ return 0;
+}
+
+static char *role_val_to_name(unsigned int val)
+{
+ struct val_to_name v;
+ int rc;
+
+ v.val = val;
+ rc = hashtab_map(policydbp->p_roles.table, role_val_to_name_helper, &v);
+ if (rc)
+ return v.name;
+ return NULL;
+}
+
+static int set_roles(role_set_t * set, char *id)
+{
+ role_datum_t *r;
+
+ if (strcmp(id, "*") == 0) {
+ free(id);
+ yyerror("* is not allowed for role sets");
+ return -1;
+ }
+
+ if (strcmp(id, "~") == 0) {
+ free(id);
+ yyerror("~ is not allowed for role sets");
+ return -1;
+ }
+ if (!is_id_in_scope(SYM_ROLES, id)) {
+ yyerror2("role %s is not within scope", id);
+ free(id);
+ return -1;
+ }
+ r = hashtab_search(policydbp->p_roles.table, id);
+ if (!r) {
+ yyerror2("unknown role %s", id);
+ free(id);
+ return -1;
+ }
+
+ if (ebitmap_set_bit(&set->roles, r->s.value - 1, TRUE)) {
+ yyerror("out of memory");
+ free(id);
+ return -1;
+ }
+ free(id);
+ return 0;
+}
+
+int define_role_trans(void)
+{
+ char *id;
+ role_datum_t *role;
+ role_set_t roles;
+ type_set_t types;
+ ebitmap_t e_types, e_roles;
+ ebitmap_node_t *tnode, *rnode;
+ struct role_trans *tr = NULL;
+ struct role_trans_rule *rule = NULL;
+ unsigned int i, j;
+ int add = 1;
+
+ if (pass == 1) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ id = queue_remove(id_queue);
+ free(id);
+ return 0;
+ }
+
+ role_set_init(&roles);
+ ebitmap_init(&e_roles);
+ type_set_init(&types);
+ ebitmap_init(&e_types);
+
+ while ((id = queue_remove(id_queue))) {
+ if (set_roles(&roles, id))
+ return -1;
+ }
+ add = 1;
+ while ((id = queue_remove(id_queue))) {
+ if (set_types(&types, id, &add, 0))
+ return -1;
+ }
+
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror("no new role in transition definition?");
+ goto bad;
+ }
+ if (!is_id_in_scope(SYM_ROLES, id)) {
+ yyerror2("role %s is not within scope", id);
+ free(id);
+ goto bad;
+ }
+ role = hashtab_search(policydbp->p_roles.table, id);
+ if (!role) {
+ yyerror2("unknown role %s used in transition definition", id);
+ goto bad;
+ }
+
+ /* This ebitmap business is just to ensure that there are not conflicting role_trans rules */
+ if (role_set_expand(&roles, &e_roles, policydbp))
+ goto bad;
+
+ if (type_set_expand(&types, &e_types, policydbp, 1))
+ goto bad;
+
+ ebitmap_for_each_bit(&e_roles, rnode, i) {
+ if (!ebitmap_node_get_bit(rnode, i))
+ continue;
+ ebitmap_for_each_bit(&e_types, tnode, j) {
+ if (!ebitmap_node_get_bit(tnode, j))
+ continue;
+
+ for (tr = policydbp->role_tr; tr; tr = tr->next) {
+ if (tr->role == (i + 1) && tr->type == (j + 1)) {
+ yyerror2("duplicate role transition for (%s,%s)",
+ role_val_to_name(i + 1),
+ policydbp->p_type_val_to_name[j]);
+ goto bad;
+ }
+ }
+
+ tr = malloc(sizeof(struct role_trans));
+ if (!tr) {
+ yyerror("out of memory");
+ return -1;
+ }
+ memset(tr, 0, sizeof(struct role_trans));
+ tr->role = i + 1;
+ tr->type = j + 1;
+ tr->new_role = role->s.value;
+ tr->next = policydbp->role_tr;
+ policydbp->role_tr = tr;
+ }
+ }
+ /* Now add the real rule */
+ rule = malloc(sizeof(struct role_trans_rule));
+ if (!rule) {
+ yyerror("out of memory");
+ return -1;
+ }
+ memset(rule, 0, sizeof(struct role_trans_rule));
+ rule->roles = roles;
+ rule->types = types;
+ rule->new_role = role->s.value;
+
+ append_role_trans(rule);
+
+ ebitmap_destroy(&e_roles);
+ ebitmap_destroy(&e_types);
+
+ return 0;
+
+ bad:
+ return -1;
+}
+
+int define_role_allow(void)
+{
+ char *id;
+ struct role_allow_rule *ra = 0;
+
+ if (pass == 1) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ ra = malloc(sizeof(role_allow_rule_t));
+ if (!ra) {
+ yyerror("out of memory");
+ return -1;
+ }
+ role_allow_rule_init(ra);
+
+ while ((id = queue_remove(id_queue))) {
+ if (set_roles(&ra->roles, id))
+ return -1;
+ }
+
+ while ((id = queue_remove(id_queue))) {
+ if (set_roles(&ra->new_roles, id))
+ return -1;
+ }
+
+ append_role_allow(ra);
+ return 0;
+}
+
+static constraint_expr_t *constraint_expr_clone(constraint_expr_t * expr)
+{
+ constraint_expr_t *h = NULL, *l = NULL, *e, *newe;
+ for (e = expr; e; e = e->next) {
+ newe = malloc(sizeof(*newe));
+ if (!newe)
+ goto oom;
+ if (constraint_expr_init(newe) == -1) {
+ free(newe);
+ goto oom;
+ }
+ if (l)
+ l->next = newe;
+ else
+ h = newe;
+ l = newe;
+ newe->expr_type = e->expr_type;
+ newe->attr = e->attr;
+ newe->op = e->op;
+ if (newe->expr_type == CEXPR_NAMES) {
+ if (newe->attr & CEXPR_TYPE) {
+ if (type_set_cpy
+ (newe->type_names, e->type_names))
+ goto oom;
+ } else {
+ if (ebitmap_cpy(&newe->names, &e->names))
+ goto oom;
+ }
+ }
+ }
+
+ return h;
+ oom:
+ e = h;
+ while (e) {
+ l = e;
+ e = e->next;
+ constraint_expr_destroy(l);
+ }
+ return NULL;
+}
+
+int define_constraint(constraint_expr_t * expr)
+{
+ struct constraint_node *node;
+ char *id;
+ class_datum_t *cladatum;
+ perm_datum_t *perdatum;
+ ebitmap_t classmap;
+ ebitmap_node_t *enode;
+ constraint_expr_t *e;
+ unsigned int i;
+ int depth;
+ unsigned char useexpr = 1;
+
+ if (pass == 1) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ depth = -1;
+ for (e = expr; e; e = e->next) {
+ switch (e->expr_type) {
+ case CEXPR_NOT:
+ if (depth < 0) {
+ yyerror("illegal constraint expression");
+ return -1;
+ }
+ break;
+ case CEXPR_AND:
+ case CEXPR_OR:
+ if (depth < 1) {
+ yyerror("illegal constraint expression");
+ return -1;
+ }
+ depth--;
+ break;
+ case CEXPR_ATTR:
+ case CEXPR_NAMES:
+ if (e->attr & CEXPR_XTARGET) {
+ yyerror("illegal constraint expression");
+ return -1; /* only for validatetrans rules */
+ }
+ if (depth == (CEXPR_MAXDEPTH - 1)) {
+ yyerror("constraint expression is too deep");
+ return -1;
+ }
+ depth++;
+ break;
+ default:
+ yyerror("illegal constraint expression");
+ return -1;
+ }
+ }
+ if (depth != 0) {
+ yyerror("illegal constraint expression");
+ return -1;
+ }
+
+ ebitmap_init(&classmap);
+ while ((id = queue_remove(id_queue))) {
+ if (!is_id_in_scope(SYM_CLASSES, id)) {
+ yyerror2("class %s is not within scope", id);
+ free(id);
+ return -1;
+ }
+ cladatum =
+ (class_datum_t *) hashtab_search(policydbp->p_classes.table,
+ (hashtab_key_t) id);
+ if (!cladatum) {
+ yyerror2("class %s is not defined", id);
+ ebitmap_destroy(&classmap);
+ free(id);
+ return -1;
+ }
+ if (ebitmap_set_bit(&classmap, cladatum->s.value - 1, TRUE)) {
+ yyerror("out of memory");
+ ebitmap_destroy(&classmap);
+ free(id);
+ return -1;
+ }
+ node = malloc(sizeof(struct constraint_node));
+ if (!node) {
+ yyerror("out of memory");
+ return -1;
+ }
+ memset(node, 0, sizeof(constraint_node_t));
+ if (useexpr) {
+ node->expr = expr;
+ useexpr = 0;
+ } else {
+ node->expr = constraint_expr_clone(expr);
+ }
+ if (!node->expr) {
+ yyerror("out of memory");
+ return -1;
+ }
+ node->permissions = 0;
+
+ node->next = cladatum->constraints;
+ cladatum->constraints = node;
+
+ free(id);
+ }
+
+ while ((id = queue_remove(id_queue))) {
+ ebitmap_for_each_bit(&classmap, enode, i) {
+ if (ebitmap_node_get_bit(enode, i)) {
+ cladatum = policydbp->class_val_to_struct[i];
+ node = cladatum->constraints;
+
+ perdatum =
+ (perm_datum_t *) hashtab_search(cladatum->
+ permissions.
+ table,
+ (hashtab_key_t)
+ id);
+ if (!perdatum) {
+ if (cladatum->comdatum) {
+ perdatum =
+ (perm_datum_t *)
+ hashtab_search(cladatum->
+ comdatum->
+ permissions.
+ table,
+ (hashtab_key_t)
+ id);
+ }
+ if (!perdatum) {
+ yyerror2("permission %s is not"
+ " defined", id);
+ free(id);
+ ebitmap_destroy(&classmap);
+ return -1;
+ }
+ }
+ node->permissions |=
+ (1 << (perdatum->s.value - 1));
+ }
+ }
+ free(id);
+ }
+
+ ebitmap_destroy(&classmap);
+
+ return 0;
+}
+
+int define_validatetrans(constraint_expr_t * expr)
+{
+ struct constraint_node *node;
+ char *id;
+ class_datum_t *cladatum;
+ ebitmap_t classmap;
+ constraint_expr_t *e;
+ int depth;
+ unsigned char useexpr = 1;
+
+ if (pass == 1) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ depth = -1;
+ for (e = expr; e; e = e->next) {
+ switch (e->expr_type) {
+ case CEXPR_NOT:
+ if (depth < 0) {
+ yyerror("illegal validatetrans expression");
+ return -1;
+ }
+ break;
+ case CEXPR_AND:
+ case CEXPR_OR:
+ if (depth < 1) {
+ yyerror("illegal validatetrans expression");
+ return -1;
+ }
+ depth--;
+ break;
+ case CEXPR_ATTR:
+ case CEXPR_NAMES:
+ if (depth == (CEXPR_MAXDEPTH - 1)) {
+ yyerror("validatetrans expression is too deep");
+ return -1;
+ }
+ depth++;
+ break;
+ default:
+ yyerror("illegal validatetrans expression");
+ return -1;
+ }
+ }
+ if (depth != 0) {
+ yyerror("illegal validatetrans expression");
+ return -1;
+ }
+
+ ebitmap_init(&classmap);
+ while ((id = queue_remove(id_queue))) {
+ if (!is_id_in_scope(SYM_CLASSES, id)) {
+ yyerror2("class %s is not within scope", id);
+ free(id);
+ return -1;
+ }
+ cladatum =
+ (class_datum_t *) hashtab_search(policydbp->p_classes.table,
+ (hashtab_key_t) id);
+ if (!cladatum) {
+ yyerror2("class %s is not defined", id);
+ ebitmap_destroy(&classmap);
+ free(id);
+ return -1;
+ }
+ if (ebitmap_set_bit(&classmap, (cladatum->s.value - 1), TRUE)) {
+ yyerror("out of memory");
+ ebitmap_destroy(&classmap);
+ free(id);
+ return -1;
+ }
+
+ node = malloc(sizeof(struct constraint_node));
+ if (!node) {
+ yyerror("out of memory");
+ return -1;
+ }
+ memset(node, 0, sizeof(constraint_node_t));
+ if (useexpr) {
+ node->expr = expr;
+ useexpr = 0;
+ } else {
+ node->expr = constraint_expr_clone(expr);
+ }
+ node->permissions = 0;
+
+ node->next = cladatum->validatetrans;
+ cladatum->validatetrans = node;
+
+ free(id);
+ }
+
+ ebitmap_destroy(&classmap);
+
+ return 0;
+}
+
+uintptr_t define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2)
+{
+ struct constraint_expr *expr, *e1 = NULL, *e2;
+ user_datum_t *user;
+ role_datum_t *role;
+ ebitmap_t negset;
+ char *id;
+ uint32_t val;
+ int add = 1;
+
+ if (pass == 1) {
+ if (expr_type == CEXPR_NAMES) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ }
+ return 1; /* any non-NULL value */
+ }
+
+ if ((expr = malloc(sizeof(*expr))) == NULL ||
+ constraint_expr_init(expr) == -1) {
+ yyerror("out of memory");
+ free(expr);
+ return 0;
+ }
+ expr->expr_type = expr_type;
+
+ switch (expr_type) {
+ case CEXPR_NOT:
+ e1 = NULL;
+ e2 = (struct constraint_expr *)arg1;
+ while (e2) {
+ e1 = e2;
+ e2 = e2->next;
+ }
+ if (!e1 || e1->next) {
+ yyerror("illegal constraint expression");
+ constraint_expr_destroy(expr);
+ return 0;
+ }
+ e1->next = expr;
+ return arg1;
+ case CEXPR_AND:
+ case CEXPR_OR:
+ e1 = NULL;
+ e2 = (struct constraint_expr *)arg1;
+ while (e2) {
+ e1 = e2;
+ e2 = e2->next;
+ }
+ if (!e1 || e1->next) {
+ yyerror("illegal constraint expression");
+ constraint_expr_destroy(expr);
+ return 0;
+ }
+ e1->next = (struct constraint_expr *)arg2;
+
+ e1 = NULL;
+ e2 = (struct constraint_expr *)arg2;
+ while (e2) {
+ e1 = e2;
+ e2 = e2->next;
+ }
+ if (!e1 || e1->next) {
+ yyerror("illegal constraint expression");
+ constraint_expr_destroy(expr);
+ return 0;
+ }
+ e1->next = expr;
+ return arg1;
+ case CEXPR_ATTR:
+ expr->attr = arg1;
+ expr->op = arg2;
+ return (uintptr_t) expr;
+ case CEXPR_NAMES:
+ add = 1;
+ expr->attr = arg1;
+ expr->op = arg2;
+ ebitmap_init(&negset);
+ while ((id = (char *)queue_remove(id_queue))) {
+ if (expr->attr & CEXPR_USER) {
+ if (!is_id_in_scope(SYM_USERS, id)) {
+ yyerror2("user %s is not within scope",
+ id);
+ constraint_expr_destroy(expr);
+ return 0;
+ }
+ user =
+ (user_datum_t *) hashtab_search(policydbp->
+ p_users.
+ table,
+ (hashtab_key_t)
+ id);
+ if (!user) {
+ yyerror2("unknown user %s", id);
+ constraint_expr_destroy(expr);
+ return 0;
+ }
+ val = user->s.value;
+ } else if (expr->attr & CEXPR_ROLE) {
+ if (!is_id_in_scope(SYM_ROLES, id)) {
+ yyerror2("role %s is not within scope",
+ id);
+ constraint_expr_destroy(expr);
+ return 0;
+ }
+ role =
+ (role_datum_t *) hashtab_search(policydbp->
+ p_roles.
+ table,
+ (hashtab_key_t)
+ id);
+ if (!role) {
+ yyerror2("unknown role %s", id);
+ constraint_expr_destroy(expr);
+ return 0;
+ }
+ val = role->s.value;
+ } else if (expr->attr & CEXPR_TYPE) {
+ if (set_types(expr->type_names, id, &add, 0)) {
+ constraint_expr_destroy(expr);
+ return 0;
+ }
+ continue;
+ } else {
+ yyerror("invalid constraint expression");
+ constraint_expr_destroy(expr);
+ return 0;
+ }
+ if (ebitmap_set_bit(&expr->names, val - 1, TRUE)) {
+ yyerror("out of memory");
+ ebitmap_destroy(&expr->names);
+ constraint_expr_destroy(expr);
+ return 0;
+ }
+ free(id);
+ }
+ ebitmap_destroy(&negset);
+ return (uintptr_t) expr;
+ default:
+ yyerror("invalid constraint expression");
+ constraint_expr_destroy(expr);
+ return 0;
+ }
+
+ yyerror("invalid constraint expression");
+ free(expr);
+ return 0;
+}
+
+int define_conditional(cond_expr_t * expr, avrule_t * t, avrule_t * f)
+{
+ cond_expr_t *e;
+ int depth;
+ cond_node_t cn, *cn_old;
+
+ /* expression cannot be NULL */
+ if (!expr) {
+ yyerror("illegal conditional expression");
+ return -1;
+ }
+ if (!t) {
+ if (!f) {
+ /* empty is fine, destroy expression and return */
+ cond_expr_destroy(expr);
+ return 0;
+ }
+ /* Invert */
+ t = f;
+ f = 0;
+ expr = define_cond_expr(COND_NOT, expr, 0);
+ if (!expr) {
+ yyerror("unable to invert");
+ return -1;
+ }
+ }
+
+ /* verify expression */
+ depth = -1;
+ for (e = expr; e; e = e->next) {
+ switch (e->expr_type) {
+ case COND_NOT:
+ if (depth < 0) {
+ yyerror
+ ("illegal conditional expression; Bad NOT");
+ return -1;
+ }
+ break;
+ case COND_AND:
+ case COND_OR:
+ case COND_XOR:
+ case COND_EQ:
+ case COND_NEQ:
+ if (depth < 1) {
+ yyerror
+ ("illegal conditional expression; Bad binary op");
+ return -1;
+ }
+ depth--;
+ break;
+ case COND_BOOL:
+ if (depth == (COND_EXPR_MAXDEPTH - 1)) {
+ yyerror
+ ("conditional expression is like totally too deep");
+ return -1;
+ }
+ depth++;
+ break;
+ default:
+ yyerror("illegal conditional expression");
+ return -1;
+ }
+ }
+ if (depth != 0) {
+ yyerror("illegal conditional expression");
+ return -1;
+ }
+
+ /* use tmp conditional node to partially build new node */
+ memset(&cn, 0, sizeof(cn));
+ cn.expr = expr;
+ cn.avtrue_list = t;
+ cn.avfalse_list = f;
+
+ /* normalize/precompute expression */
+ if (cond_normalize_expr(policydbp, &cn) < 0) {
+ yyerror("problem normalizing conditional expression");
+ return -1;
+ }
+
+ /* get the existing conditional node, or create a new one */
+ cn_old = get_current_cond_list(&cn);
+ if (!cn_old) {
+ return -1;
+ }
+
+ append_cond_list(&cn);
+
+ /* note that there is no check here for duplicate rules, nor
+ * check that rule already exists in base -- that will be
+ * handled during conditional expansion, in expand.c */
+
+ cn.avtrue_list = NULL;
+ cn.avfalse_list = NULL;
+ cond_node_destroy(&cn);
+
+ return 0;
+}
+
+cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void *arg2)
+{
+ struct cond_expr *expr, *e1 = NULL, *e2;
+ cond_bool_datum_t *bool_var;
+ char *id;
+
+ /* expressions are handled in the second pass */
+ if (pass == 1) {
+ if (expr_type == COND_BOOL) {
+ while ((id = queue_remove(id_queue))) {
+ free(id);
+ }
+ }
+ return (cond_expr_t *) 1; /* any non-NULL value */
+ }
+
+ /* create a new expression struct */
+ expr = malloc(sizeof(struct cond_expr));
+ if (!expr) {
+ yyerror("out of memory");
+ return NULL;
+ }
+ memset(expr, 0, sizeof(cond_expr_t));
+ expr->expr_type = expr_type;
+
+ /* create the type asked for */
+ switch (expr_type) {
+ case COND_NOT:
+ e1 = NULL;
+ e2 = (struct cond_expr *)arg1;
+ while (e2) {
+ e1 = e2;
+ e2 = e2->next;
+ }
+ if (!e1 || e1->next) {
+ yyerror("illegal conditional NOT expression");
+ free(expr);
+ return NULL;
+ }
+ e1->next = expr;
+ return (struct cond_expr *)arg1;
+ case COND_AND:
+ case COND_OR:
+ case COND_XOR:
+ case COND_EQ:
+ case COND_NEQ:
+ e1 = NULL;
+ e2 = (struct cond_expr *)arg1;
+ while (e2) {
+ e1 = e2;
+ e2 = e2->next;
+ }
+ if (!e1 || e1->next) {
+ yyerror
+ ("illegal left side of conditional binary op expression");
+ free(expr);
+ return NULL;
+ }
+ e1->next = (struct cond_expr *)arg2;
+
+ e1 = NULL;
+ e2 = (struct cond_expr *)arg2;
+ while (e2) {
+ e1 = e2;
+ e2 = e2->next;
+ }
+ if (!e1 || e1->next) {
+ yyerror
+ ("illegal right side of conditional binary op expression");
+ free(expr);
+ return NULL;
+ }
+ e1->next = expr;
+ return (struct cond_expr *)arg1;
+ case COND_BOOL:
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror("bad conditional; expected boolean id");
+ free(id);
+ free(expr);
+ return NULL;
+ }
+ if (!is_id_in_scope(SYM_BOOLS, id)) {
+ yyerror2("boolean %s is not within scope", id);
+ free(id);
+ free(expr);
+ return NULL;
+ }
+ bool_var =
+ (cond_bool_datum_t *) hashtab_search(policydbp->p_bools.
+ table,
+ (hashtab_key_t) id);
+ if (!bool_var) {
+ yyerror2("unknown boolean %s in conditional expression",
+ id);
+ free(expr);
+ free(id);
+ return NULL;
+ }
+ expr->bool = bool_var->s.value;
+ free(id);
+ return expr;
+ default:
+ yyerror("illegal conditional expression");
+ return NULL;
+ }
+}
+
+static int set_user_roles(role_set_t * set, char *id)
+{
+ role_datum_t *r;
+ unsigned int i;
+ ebitmap_node_t *node;
+
+ if (strcmp(id, "*") == 0) {
+ free(id);
+ yyerror("* is not allowed in user declarations");
+ return -1;
+ }
+
+ if (strcmp(id, "~") == 0) {
+ free(id);
+ yyerror("~ is not allowed in user declarations");
+ return -1;
+ }
+
+ if (!is_id_in_scope(SYM_ROLES, id)) {
+ yyerror2("role %s is not within scope", id);
+ free(id);
+ return -1;
+ }
+ r = hashtab_search(policydbp->p_roles.table, id);
+ if (!r) {
+ yyerror2("unknown role %s", id);
+ free(id);
+ return -1;
+ }
+
+ /* set the role and every role it dominates */
+ ebitmap_for_each_bit(&r->dominates, node, i) {
+ if (ebitmap_node_get_bit(node, i))
+ if (ebitmap_set_bit(&set->roles, i, TRUE))
+ goto oom;
+ }
+ free(id);
+ return 0;
+ oom:
+ yyerror("out of memory");
+ return -1;
+}
+
+static int parse_categories(char *id, level_datum_t * levdatum, ebitmap_t * cats)
+{
+ cat_datum_t *cdatum;
+ int range_start, range_end, i;
+
+ if (id_has_dot(id)) {
+ char *id_start = id;
+ char *id_end = strchr(id, '.');
+
+ *(id_end++) = '\0';
+
+ cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
+ (hashtab_key_t)
+ id_start);
+ if (!cdatum) {
+ yyerror2("unknown category %s", id_start);
+ return -1;
+ }
+ range_start = cdatum->s.value - 1;
+ cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
...
[truncated message content] |
|
From: <ssm...@us...> - 2008-03-05 12:50:38
|
Revision: 2840
http://selinux.svn.sourceforge.net/selinux/?rev=2840&view=rev
Author: ssmalley
Date: 2008-03-05 04:50:37 -0800 (Wed, 05 Mar 2008)
Log Message:
-----------
20080305
Added Paths:
-----------
tags/stable/20080305/
Copied: tags/stable/20080305 (from rev 2839, branches/stable/1_0)
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <ssm...@us...> - 2008-03-05 12:50:34
|
Revision: 2839
http://selinux.svn.sourceforge.net/selinux/?rev=2839&view=rev
Author: ssmalley
Date: 2008-03-05 04:50:32 -0800 (Wed, 05 Mar 2008)
Log Message:
-----------
20080305
Added Paths:
-----------
tags/devel/20080305/
Copied: tags/devel/20080305 (from rev 2838, trunk)
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <ssm...@us...> - 2008-03-04 18:57:37
|
Revision: 2838
http://selinux.svn.sourceforge.net/selinux/?rev=2838&view=rev
Author: ssmalley
Date: 2008-03-04 10:57:34 -0800 (Tue, 04 Mar 2008)
Log Message:
-----------
updated libsepol to version 2.0.25
Modified Paths:
--------------
trunk/libsepol/ChangeLog
trunk/libsepol/VERSION
Modified: trunk/libsepol/ChangeLog
===================================================================
--- trunk/libsepol/ChangeLog 2008-03-04 18:56:15 UTC (rev 2837)
+++ trunk/libsepol/ChangeLog 2008-03-04 18:57:34 UTC (rev 2838)
@@ -1,3 +1,6 @@
+2.0.25 2008-03-04
+ * Drop unused ->buffer field from struct policy_file.
+
2.0.24 2008-03-04
* Add policy_file_init() initalizer for struct policy_file and use it, from Todd C. Miller.
Modified: trunk/libsepol/VERSION
===================================================================
--- trunk/libsepol/VERSION 2008-03-04 18:56:15 UTC (rev 2837)
+++ trunk/libsepol/VERSION 2008-03-04 18:57:34 UTC (rev 2838)
@@ -1 +1 @@
-2.0.24
+2.0.25
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <ssm...@us...> - 2008-03-04 18:56:19
|
Revision: 2837
http://selinux.svn.sourceforge.net/selinux/?rev=2837&view=rev
Author: ssmalley
Date: 2008-03-04 10:56:15 -0800 (Tue, 04 Mar 2008)
Log Message:
-----------
Author: Stephen Smalley
Email: sd...@ty...
Subject: libsepol: drop unused buffer field from policy_file
Date: Tue, 04 Mar 2008 09:56:42 -0500
Remove the buffer array from struct policy_file; it is unused.
Signed-off-by: Stephen Smalley <sd...@ty...>
Acked-by: Todd C. Miller <tm...@tr...>
Modified Paths:
--------------
trunk/libsepol/include/sepol/policydb/policydb.h
Modified: trunk/libsepol/include/sepol/policydb/policydb.h
===================================================================
--- trunk/libsepol/include/sepol/policydb/policydb.h 2008-03-04 18:36:08 UTC (rev 2836)
+++ trunk/libsepol/include/sepol/policydb/policydb.h 2008-03-04 18:56:15 UTC (rev 2837)
@@ -561,7 +561,6 @@
size_t size;
FILE *fp;
struct sepol_handle *handle;
- unsigned char buffer[BUFSIZ];
} policy_file_t;
struct sepol_policy_file {
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <ssm...@us...> - 2008-03-04 18:36:16
|
Revision: 2836
http://selinux.svn.sourceforge.net/selinux/?rev=2836&view=rev
Author: ssmalley
Date: 2008-03-04 10:36:08 -0800 (Tue, 04 Mar 2008)
Log Message:
-----------
updated checkpolicy to version 1.34.5
Modified Paths:
--------------
branches/stable/1_0/checkpolicy/ChangeLog
branches/stable/1_0/checkpolicy/VERSION
Modified: branches/stable/1_0/checkpolicy/ChangeLog
===================================================================
--- branches/stable/1_0/checkpolicy/ChangeLog 2008-03-04 18:35:35 UTC (rev 2835)
+++ branches/stable/1_0/checkpolicy/ChangeLog 2008-03-04 18:36:08 UTC (rev 2836)
@@ -1,3 +1,6 @@
+1.34.5 2008-03-04
+ * Merged r2831 from trunk: fix uninitialized use of handle in struct policy_file from Todd Miller.
+
1.34.4 2007-09-27
* Merged handle unknown policydb flag support from Eric Paris.
Adds new command line options -U {allow, reject, deny} for selecting
Modified: branches/stable/1_0/checkpolicy/VERSION
===================================================================
--- branches/stable/1_0/checkpolicy/VERSION 2008-03-04 18:35:35 UTC (rev 2835)
+++ branches/stable/1_0/checkpolicy/VERSION 2008-03-04 18:36:08 UTC (rev 2836)
@@ -1 +1 @@
-1.34.4
+1.34.5
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <ssm...@us...> - 2008-03-04 18:35:42
|
Revision: 2835
http://selinux.svn.sourceforge.net/selinux/?rev=2835&view=rev
Author: ssmalley
Date: 2008-03-04 10:35:35 -0800 (Tue, 04 Mar 2008)
Log Message:
-----------
updated libsepol to version 1.16.12
Modified Paths:
--------------
branches/stable/1_0/libsepol/ChangeLog
branches/stable/1_0/libsepol/VERSION
Modified: branches/stable/1_0/libsepol/ChangeLog
===================================================================
--- branches/stable/1_0/libsepol/ChangeLog 2008-03-04 18:34:07 UTC (rev 2834)
+++ branches/stable/1_0/libsepol/ChangeLog 2008-03-04 18:35:35 UTC (rev 2835)
@@ -1,3 +1,6 @@
+1.16.12 2008-03-04
+ * Merge r2831 from trunk: fix uninitialized use of handle in struct policy_file from Todd Miller.
+
1.16.11 2008-02-05
* Merge r2520 from trunk: bug fix for disable dontaudit support.
Modified: branches/stable/1_0/libsepol/VERSION
===================================================================
--- branches/stable/1_0/libsepol/VERSION 2008-03-04 18:34:07 UTC (rev 2834)
+++ branches/stable/1_0/libsepol/VERSION 2008-03-04 18:35:35 UTC (rev 2835)
@@ -1 +1 @@
-1.16.11
+1.16.12
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <ssm...@us...> - 2008-03-04 18:34:16
|
Revision: 2834
http://selinux.svn.sourceforge.net/selinux/?rev=2834&view=rev
Author: ssmalley
Date: 2008-03-04 10:34:07 -0800 (Tue, 04 Mar 2008)
Log Message:
-----------
applied r2830:2831 from trunk
Modified Paths:
--------------
branches/stable/1_0/checkpolicy/checkmodule.c
branches/stable/1_0/checkpolicy/checkpolicy.c
branches/stable/1_0/checkpolicy/test/dismod.c
branches/stable/1_0/checkpolicy/test/dispol.c
branches/stable/1_0/libsepol/include/sepol/policydb/policydb.h
branches/stable/1_0/libsepol/src/genbools.c
branches/stable/1_0/libsepol/src/module.c
branches/stable/1_0/libsepol/src/policydb.c
branches/stable/1_0/libsepol/src/policydb_convert.c
branches/stable/1_0/libsepol/src/services.c
Modified: branches/stable/1_0/checkpolicy/checkmodule.c
===================================================================
--- branches/stable/1_0/checkpolicy/checkmodule.c 2008-03-04 17:31:32 UTC (rev 2833)
+++ branches/stable/1_0/checkpolicy/checkmodule.c 2008-03-04 18:34:07 UTC (rev 2834)
@@ -71,6 +71,7 @@
fprintf(stderr, "Can't map '%s': %s\n", file, strerror(errno));
return -1;
}
+ policy_file_init(&f);
f.type = PF_USE_MEMORY;
f.data = map;
f.len = sb.st_size;
@@ -124,6 +125,7 @@
p->policyvers = policyvers;
p->handle_unknown = handle_unknown;
+ policy_file_init(&pf);
pf.type = PF_USE_STDIO;
pf.fp = outfp;
ret = policydb_write(p, &pf);
Modified: branches/stable/1_0/checkpolicy/checkpolicy.c
===================================================================
--- branches/stable/1_0/checkpolicy/checkpolicy.c 2008-03-04 17:31:32 UTC (rev 2833)
+++ branches/stable/1_0/checkpolicy/checkpolicy.c 2008-03-04 18:34:07 UTC (rev 2834)
@@ -489,6 +489,7 @@
file, strerror(errno));
exit(1);
}
+ policy_file_init(&pf);
pf.type = PF_USE_MEMORY;
pf.data = map;
pf.len = sb.st_size;
@@ -577,6 +578,7 @@
policydb.policy_type = POLICY_KERN;
policydb.policyvers = policyvers;
+ policy_file_init(&pf);
pf.type = PF_USE_STDIO;
pf.fp = outfp;
ret = policydb_write(&policydb, &pf);
Modified: branches/stable/1_0/checkpolicy/test/dismod.c
===================================================================
--- branches/stable/1_0/checkpolicy/test/dismod.c 2008-03-04 17:31:32 UTC (rev 2833)
+++ branches/stable/1_0/checkpolicy/test/dismod.c 2008-03-04 18:34:07 UTC (rev 2834)
@@ -688,6 +688,7 @@
filename, strerror(errno));
exit(1);
}
+ policy_file_init(&f);
f.type = PF_USE_STDIO;
f.fp = in_fp;
Modified: branches/stable/1_0/checkpolicy/test/dispol.c
===================================================================
--- branches/stable/1_0/checkpolicy/test/dispol.c 2008-03-04 17:31:32 UTC (rev 2833)
+++ branches/stable/1_0/checkpolicy/test/dispol.c 2008-03-04 18:34:07 UTC (rev 2834)
@@ -351,6 +351,7 @@
/* read the binary policy */
fprintf(out_fp, "Reading policy...\n");
+ policy_file_init(&pf);
pf.type = PF_USE_MEMORY;
pf.data = map;
pf.len = sb.st_size;
Modified: branches/stable/1_0/libsepol/include/sepol/policydb/policydb.h
===================================================================
--- branches/stable/1_0/libsepol/include/sepol/policydb/policydb.h 2008-03-04 17:31:32 UTC (rev 2833)
+++ branches/stable/1_0/libsepol/include/sepol/policydb/policydb.h 2008-03-04 18:34:07 UTC (rev 2834)
@@ -566,6 +566,8 @@
struct policy_file pf;
};
+extern void policy_file_init(policy_file_t * x);
+
extern int policydb_read(policydb_t * p, struct policy_file *fp,
unsigned int verbose);
extern int avrule_read_list(policydb_t * p, avrule_t ** avrules,
Modified: branches/stable/1_0/libsepol/src/genbools.c
===================================================================
--- branches/stable/1_0/libsepol/src/genbools.c 2008-03-04 17:31:32 UTC (rev 2833)
+++ branches/stable/1_0/libsepol/src/genbools.c 2008-03-04 18:34:07 UTC (rev 2834)
@@ -154,6 +154,7 @@
goto err_destroy;
}
+ policy_file_init(&pf);
pf.type = PF_USE_MEMORY;
pf.data = data;
pf.len = len;
@@ -225,6 +226,7 @@
goto err_destroy;
}
+ policy_file_init(&pf);
pf.type = PF_USE_MEMORY;
pf.data = data;
pf.len = len;
Modified: branches/stable/1_0/libsepol/src/module.c
===================================================================
--- branches/stable/1_0/libsepol/src/module.c 2008-03-04 17:31:32 UTC (rev 2833)
+++ branches/stable/1_0/libsepol/src/module.c 2008-03-04 18:34:07 UTC (rev 2834)
@@ -851,9 +851,8 @@
if (p->policy) {
/* compute policy length */
+ policy_file_init(&polfile);
polfile.type = PF_LEN;
- polfile.data = NULL;
- polfile.len = 0;
polfile.handle = file->handle;
if (policydb_write(&p->policy->p, &polfile))
return -1;
Modified: branches/stable/1_0/libsepol/src/policydb.c
===================================================================
--- branches/stable/1_0/libsepol/src/policydb.c 2008-03-04 17:31:32 UTC (rev 2833)
+++ branches/stable/1_0/libsepol/src/policydb.c 2008-03-04 18:34:07 UTC (rev 2834)
@@ -3256,3 +3256,8 @@
return 0;
}
+
+void policy_file_init(policy_file_t *pf)
+{
+ memset(pf, 0, sizeof(policy_file_t));
+}
Modified: branches/stable/1_0/libsepol/src/policydb_convert.c
===================================================================
--- branches/stable/1_0/libsepol/src/policydb_convert.c 2008-03-04 17:31:32 UTC (rev 2833)
+++ branches/stable/1_0/libsepol/src/policydb_convert.c 2008-03-04 18:34:07 UTC (rev 2834)
@@ -13,6 +13,7 @@
policy_file_t pf;
+ policy_file_init(&pf);
pf.type = PF_USE_MEMORY;
pf.data = data;
pf.len = len;
@@ -39,9 +40,8 @@
struct policydb tmp_policydb;
/* Compute the length for the new policy image. */
+ policy_file_init(&pf);
pf.type = PF_LEN;
- pf.data = NULL;
- pf.len = 0;
pf.handle = handle;
if (policydb_write(policydb, &pf)) {
ERR(handle, "could not compute policy length");
Modified: branches/stable/1_0/libsepol/src/services.c
===================================================================
--- branches/stable/1_0/libsepol/src/services.c 2008-03-04 17:31:32 UTC (rev 2833)
+++ branches/stable/1_0/libsepol/src/services.c 2008-03-04 18:34:07 UTC (rev 2834)
@@ -85,6 +85,8 @@
int sepol_set_policydb_from_file(FILE * fp)
{
struct policy_file pf;
+
+ policy_file_init(&pf);
pf.fp = fp;
pf.type = PF_USE_STDIO;
if (mypolicydb.policy_type)
@@ -951,13 +953,14 @@
convert_context_args_t args;
uint32_t seqno;
int rc = 0;
- struct policy_file file = {
- .type = PF_USE_MEMORY,
- .data = data,
- .len = len,
- .fp = NULL
- }, *fp = &file;
+ struct policy_file file, *fp;
+ policy_file_init(&file);
+ file.type = PF_USE_MEMORY;
+ file.data = data;
+ file.len = len;
+ fp = &file;
+
if (policydb_init(&newpolicydb))
return -ENOMEM;
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <mil...@us...> - 2008-03-04 17:31:34
|
Revision: 2833
http://selinux.svn.sourceforge.net/selinux/?rev=2833&view=rev
Author: millertc
Date: 2008-03-04 09:31:32 -0800 (Tue, 04 Mar 2008)
Log Message:
-----------
updated libsepol to version 2.0.24
Modified Paths:
--------------
trunk/libsepol/ChangeLog
trunk/libsepol/VERSION
Modified: trunk/libsepol/ChangeLog
===================================================================
--- trunk/libsepol/ChangeLog 2008-03-04 17:30:39 UTC (rev 2832)
+++ trunk/libsepol/ChangeLog 2008-03-04 17:31:32 UTC (rev 2833)
@@ -1,3 +1,6 @@
+2.0.24 2008-03-04
+ * Add policy_file_init() initalizer for struct policy_file and use it, from Todd C. Miller.
+
2.0.23 2008-02-28
* Accept "Flask" as an alternate identifier string in kernel policies from Stephen Smalley.
Modified: trunk/libsepol/VERSION
===================================================================
--- trunk/libsepol/VERSION 2008-03-04 17:30:39 UTC (rev 2832)
+++ trunk/libsepol/VERSION 2008-03-04 17:31:32 UTC (rev 2833)
@@ -1 +1 @@
-2.0.23
+2.0.24
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <mil...@us...> - 2008-03-04 17:30:45
|
Revision: 2832
http://selinux.svn.sourceforge.net/selinux/?rev=2832&view=rev
Author: millertc
Date: 2008-03-04 09:30:39 -0800 (Tue, 04 Mar 2008)
Log Message:
-----------
updated checkpolicy to version 2.0.12
Modified Paths:
--------------
trunk/checkpolicy/ChangeLog
trunk/checkpolicy/VERSION
Modified: trunk/checkpolicy/ChangeLog
===================================================================
--- trunk/checkpolicy/ChangeLog 2008-03-04 17:29:33 UTC (rev 2831)
+++ trunk/checkpolicy/ChangeLog 2008-03-04 17:30:39 UTC (rev 2832)
@@ -1,3 +1,6 @@
+2.0.12 2008-03-04
+ * Initialize struct policy_file before using it, from Todd C. Miller.
+
2.0.11 2008-03-03
* Remove unused define, move variable out of .y file, simplify COND_ERR, from Todd C. Miller.
Modified: trunk/checkpolicy/VERSION
===================================================================
--- trunk/checkpolicy/VERSION 2008-03-04 17:29:33 UTC (rev 2831)
+++ trunk/checkpolicy/VERSION 2008-03-04 17:30:39 UTC (rev 2832)
@@ -1 +1 @@
-2.0.11
+2.0.12
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <mil...@us...> - 2008-03-04 17:29:44
|
Revision: 2831
http://selinux.svn.sourceforge.net/selinux/?rev=2831&view=rev
Author: millertc
Date: 2008-03-04 09:29:33 -0800 (Tue, 04 Mar 2008)
Log Message:
-----------
Author: Todd C. Miller <tm...@tr...>
Subject: PATCH: fix uninitialized use of handle in struct policy_file
Date: Tuesday, March 04, 2008 9:37 AM
Add policy_file_init() function and use it to initialize struct
policy_file (aka policy_file_t) before using. Fixes several instances
of the "handle" element being uses unitialized.
Signed-off-by: Todd C. Miller <tm...@tr...>
Acked-by: Stephen Smalley <sd...@ty...>
checkpolicy/checkmodule.c | 2 ++
checkpolicy/checkpolicy.c | 2 ++
checkpolicy/test/dismod.c | 1 +
checkpolicy/test/dispol.c | 1 +
libsepol/include/sepol/policydb/policydb.h | 2 ++
libsepol/src/genbools.c | 2 ++
libsepol/src/module.c | 3 +--
libsepol/src/policydb.c | 5 +++++
libsepol/src/policydb_convert.c | 4 ++--
libsepol/src/services.c | 15 +++++++++------
10 files changed, 27 insertions(+), 10 deletions(-)
Modified Paths:
--------------
trunk/checkpolicy/checkmodule.c
trunk/checkpolicy/checkpolicy.c
trunk/checkpolicy/test/dismod.c
trunk/checkpolicy/test/dispol.c
trunk/libsepol/include/sepol/policydb/policydb.h
trunk/libsepol/src/genbools.c
trunk/libsepol/src/module.c
trunk/libsepol/src/policydb.c
trunk/libsepol/src/policydb_convert.c
trunk/libsepol/src/services.c
Modified: trunk/checkpolicy/checkmodule.c
===================================================================
--- trunk/checkpolicy/checkmodule.c 2008-03-03 21:08:14 UTC (rev 2830)
+++ trunk/checkpolicy/checkmodule.c 2008-03-04 17:29:33 UTC (rev 2831)
@@ -71,6 +71,7 @@
fprintf(stderr, "Can't map '%s': %s\n", file, strerror(errno));
return -1;
}
+ policy_file_init(&f);
f.type = PF_USE_MEMORY;
f.data = map;
f.len = sb.st_size;
@@ -124,6 +125,7 @@
p->policyvers = policyvers;
p->handle_unknown = handle_unknown;
+ policy_file_init(&pf);
pf.type = PF_USE_STDIO;
pf.fp = outfp;
ret = policydb_write(p, &pf);
Modified: trunk/checkpolicy/checkpolicy.c
===================================================================
--- trunk/checkpolicy/checkpolicy.c 2008-03-03 21:08:14 UTC (rev 2830)
+++ trunk/checkpolicy/checkpolicy.c 2008-03-04 17:29:33 UTC (rev 2831)
@@ -489,6 +489,7 @@
file, strerror(errno));
exit(1);
}
+ policy_file_init(&pf);
pf.type = PF_USE_MEMORY;
pf.data = map;
pf.len = sb.st_size;
@@ -577,6 +578,7 @@
policydb.policy_type = POLICY_KERN;
policydb.policyvers = policyvers;
+ policy_file_init(&pf);
pf.type = PF_USE_STDIO;
pf.fp = outfp;
ret = policydb_write(&policydb, &pf);
Modified: trunk/checkpolicy/test/dismod.c
===================================================================
--- trunk/checkpolicy/test/dismod.c 2008-03-03 21:08:14 UTC (rev 2830)
+++ trunk/checkpolicy/test/dismod.c 2008-03-04 17:29:33 UTC (rev 2831)
@@ -689,6 +689,7 @@
filename, strerror(errno));
exit(1);
}
+ policy_file_init(&f);
f.type = PF_USE_STDIO;
f.fp = in_fp;
Modified: trunk/checkpolicy/test/dispol.c
===================================================================
--- trunk/checkpolicy/test/dispol.c 2008-03-03 21:08:14 UTC (rev 2830)
+++ trunk/checkpolicy/test/dispol.c 2008-03-04 17:29:33 UTC (rev 2831)
@@ -373,6 +373,7 @@
/* read the binary policy */
fprintf(out_fp, "Reading policy...\n");
+ policy_file_init(&pf);
pf.type = PF_USE_MEMORY;
pf.data = map;
pf.len = sb.st_size;
Modified: trunk/libsepol/include/sepol/policydb/policydb.h
===================================================================
--- trunk/libsepol/include/sepol/policydb/policydb.h 2008-03-03 21:08:14 UTC (rev 2830)
+++ trunk/libsepol/include/sepol/policydb/policydb.h 2008-03-04 17:29:33 UTC (rev 2831)
@@ -568,6 +568,8 @@
struct policy_file pf;
};
+extern void policy_file_init(policy_file_t * x);
+
extern int policydb_read(policydb_t * p, struct policy_file *fp,
unsigned int verbose);
extern int avrule_read_list(policydb_t * p, avrule_t ** avrules,
Modified: trunk/libsepol/src/genbools.c
===================================================================
--- trunk/libsepol/src/genbools.c 2008-03-03 21:08:14 UTC (rev 2830)
+++ trunk/libsepol/src/genbools.c 2008-03-04 17:29:33 UTC (rev 2831)
@@ -154,6 +154,7 @@
goto err_destroy;
}
+ policy_file_init(&pf);
pf.type = PF_USE_MEMORY;
pf.data = data;
pf.len = len;
@@ -225,6 +226,7 @@
goto err_destroy;
}
+ policy_file_init(&pf);
pf.type = PF_USE_MEMORY;
pf.data = data;
pf.len = len;
Modified: trunk/libsepol/src/module.c
===================================================================
--- trunk/libsepol/src/module.c 2008-03-03 21:08:14 UTC (rev 2830)
+++ trunk/libsepol/src/module.c 2008-03-04 17:29:33 UTC (rev 2831)
@@ -851,9 +851,8 @@
if (p->policy) {
/* compute policy length */
+ policy_file_init(&polfile);
polfile.type = PF_LEN;
- polfile.data = NULL;
- polfile.len = 0;
polfile.handle = file->handle;
if (policydb_write(&p->policy->p, &polfile))
return -1;
Modified: trunk/libsepol/src/policydb.c
===================================================================
--- trunk/libsepol/src/policydb.c 2008-03-03 21:08:14 UTC (rev 2830)
+++ trunk/libsepol/src/policydb.c 2008-03-04 17:29:33 UTC (rev 2831)
@@ -3290,3 +3290,8 @@
return 0;
}
+
+void policy_file_init(policy_file_t *pf)
+{
+ memset(pf, 0, sizeof(policy_file_t));
+}
Modified: trunk/libsepol/src/policydb_convert.c
===================================================================
--- trunk/libsepol/src/policydb_convert.c 2008-03-03 21:08:14 UTC (rev 2830)
+++ trunk/libsepol/src/policydb_convert.c 2008-03-04 17:29:33 UTC (rev 2831)
@@ -13,6 +13,7 @@
policy_file_t pf;
+ policy_file_init(&pf);
pf.type = PF_USE_MEMORY;
pf.data = data;
pf.len = len;
@@ -39,9 +40,8 @@
struct policydb tmp_policydb;
/* Compute the length for the new policy image. */
+ policy_file_init(&pf);
pf.type = PF_LEN;
- pf.data = NULL;
- pf.len = 0;
pf.handle = handle;
if (policydb_write(policydb, &pf)) {
ERR(handle, "could not compute policy length");
Modified: trunk/libsepol/src/services.c
===================================================================
--- trunk/libsepol/src/services.c 2008-03-03 21:08:14 UTC (rev 2830)
+++ trunk/libsepol/src/services.c 2008-03-04 17:29:33 UTC (rev 2831)
@@ -85,6 +85,8 @@
int sepol_set_policydb_from_file(FILE * fp)
{
struct policy_file pf;
+
+ policy_file_init(&pf);
pf.fp = fp;
pf.type = PF_USE_STDIO;
if (mypolicydb.policy_type)
@@ -1003,13 +1005,14 @@
convert_context_args_t args;
uint32_t seqno;
int rc = 0;
- struct policy_file file = {
- .type = PF_USE_MEMORY,
- .data = data,
- .len = len,
- .fp = NULL
- }, *fp = &file;
+ struct policy_file file, *fp;
+ policy_file_init(&file);
+ file.type = PF_USE_MEMORY;
+ file.data = data;
+ file.len = len;
+ fp = &file;
+
if (policydb_init(&newpolicydb))
return -ENOMEM;
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <mil...@us...> - 2008-03-03 21:08:16
|
Revision: 2830
http://selinux.svn.sourceforge.net/selinux/?rev=2830&view=rev
Author: millertc
Date: 2008-03-03 13:08:14 -0800 (Mon, 03 Mar 2008)
Log Message:
-----------
updated checkpolicy to version 2.0.11
Modified Paths:
--------------
trunk/checkpolicy/ChangeLog
trunk/checkpolicy/VERSION
Modified: trunk/checkpolicy/ChangeLog
===================================================================
--- trunk/checkpolicy/ChangeLog 2008-03-03 21:06:20 UTC (rev 2829)
+++ trunk/checkpolicy/ChangeLog 2008-03-03 21:08:14 UTC (rev 2830)
@@ -1,3 +1,6 @@
+2.0.11 2008-03-03
+ * Remove unused define, move variable out of .y file, simplify COND_ERR, from Todd C. Miller.
+
2.0.10 2008-02-28
* Use yyerror2() where appropriate from Todd C. Miller.
Modified: trunk/checkpolicy/VERSION
===================================================================
--- trunk/checkpolicy/VERSION 2008-03-03 21:06:20 UTC (rev 2829)
+++ trunk/checkpolicy/VERSION 2008-03-03 21:08:14 UTC (rev 2830)
@@ -1 +1 @@
-2.0.10
+2.0.11
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <mil...@us...> - 2008-03-03 21:06:25
|
Revision: 2829
http://selinux.svn.sourceforge.net/selinux/?rev=2829&view=rev
Author: millertc
Date: 2008-03-03 13:06:20 -0800 (Mon, 03 Mar 2008)
Log Message:
-----------
Author: Todd C. Miller <tm...@tr...>
Date: Monday, March 03, 2008 1:21 PM
Subject: PATH: minor checkpolicy cleanup
Minor checkpolicy cleanup. Remove the unused DEBUG define, move
handle_unknown to checkpolicy.c and checkmodule.c since it is not used
in policy_parse.y. Also change COND_ERR to be (avrule_t *)-1 since that
is guaranteed to not be a valid address.
This is in preparation for a much larger diff.
Signed-off-by: Todd C. Miller <tm...@tr...>
Acked-by: Stephen Smalley <sd...@ty...>
checkmodule.c | 2 +-
checkpolicy.c | 2 +-
policy_parse.y | 6 +-----
3 files changed, 3 insertions(+), 7 deletions(-)
Modified Paths:
--------------
trunk/checkpolicy/checkmodule.c
trunk/checkpolicy/checkpolicy.c
trunk/checkpolicy/policy_parse.y
Modified: trunk/checkpolicy/checkmodule.c
===================================================================
--- trunk/checkpolicy/checkmodule.c 2008-02-29 06:46:18 UTC (rev 2828)
+++ trunk/checkpolicy/checkmodule.c 2008-03-03 21:06:20 UTC (rev 2829)
@@ -39,8 +39,8 @@
static sidtab_t sidtab;
extern int mlspol;
-extern int handle_unknown;
+static int handle_unknown = SEPOL_DENY_UNKNOWN;
static char *txtfile = "policy.conf";
static char *binfile = "policy";
Modified: trunk/checkpolicy/checkpolicy.c
===================================================================
--- trunk/checkpolicy/checkpolicy.c 2008-02-29 06:46:18 UTC (rev 2828)
+++ trunk/checkpolicy/checkpolicy.c 2008-03-03 21:06:20 UTC (rev 2829)
@@ -90,8 +90,8 @@
extern policydb_t *policydbp;
extern int mlspol;
-extern int handle_unknown;
+static int handle_unknown = SEPOL_DENY_UNKNOWN;
static char *txtfile = "policy.conf";
static char *binfile = "policy";
Modified: trunk/checkpolicy/policy_parse.y
===================================================================
--- trunk/checkpolicy/policy_parse.y 2008-02-29 06:46:18 UTC (rev 2828)
+++ trunk/checkpolicy/policy_parse.y 2008-03-03 21:06:20 UTC (rev 2829)
@@ -57,8 +57,7 @@
* when we have a parse error for a conditional rule. We can't check
* for NULL (ie 0) because that is a potentially valid return.
*/
-static avrule_t *conditional_unused_error_code;
-#define COND_ERR (avrule_t *)&conditional_unused_error_code
+#define COND_ERR (avrule_t *)-1
#define TRUE 1
#define FALSE 0
@@ -68,7 +67,6 @@
static unsigned int pass;
char *curfile = 0;
int mlspol = 0;
-int handle_unknown = 0;
extern unsigned long policydb_lineno;
extern unsigned long source_lineno;
@@ -860,8 +858,6 @@
va_end(ap);
}
-#define DEBUG 1
-
static int insert_separator(int push)
{
int error;
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <ew...@us...> - 2008-02-29 06:46:20
|
Revision: 2828
http://selinux.svn.sourceforge.net/selinux/?rev=2828&view=rev
Author: ewalsh
Date: 2008-02-28 22:46:18 -0800 (Thu, 28 Feb 2008)
Log Message:
-----------
updated libselinux to version 2.0.59
Modified Paths:
--------------
trunk/libselinux/ChangeLog
trunk/libselinux/VERSION
Modified: trunk/libselinux/ChangeLog
===================================================================
--- trunk/libselinux/ChangeLog 2008-02-29 06:44:34 UTC (rev 2827)
+++ trunk/libselinux/ChangeLog 2008-02-29 06:46:18 UTC (rev 2828)
@@ -1,3 +1,6 @@
+2.0.59 2008-02-29
+ * Merged new X label "poly_selection" namespace from Eamon Walsh.
+
2.0.58 2008-02-28
* Merged reset_selinux_config() for load policy from Dan Walsh.
Modified: trunk/libselinux/VERSION
===================================================================
--- trunk/libselinux/VERSION 2008-02-29 06:44:34 UTC (rev 2827)
+++ trunk/libselinux/VERSION 2008-02-29 06:46:18 UTC (rev 2828)
@@ -1 +1 @@
-2.0.58
+2.0.59
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <ew...@us...> - 2008-02-29 06:44:37
|
Revision: 2827
http://selinux.svn.sourceforge.net/selinux/?rev=2827&view=rev
Author: ewalsh
Date: 2008-02-28 22:44:34 -0800 (Thu, 28 Feb 2008)
Log Message:
-----------
This patch adds a poly_selection type to the X contexts backend, so that
the X Flask module can be informed which selections to polyinstantiate.
Signed-off-by: Eamon Walsh <ew...@ty...>
Modified Paths:
--------------
trunk/libselinux/include/selinux/label.h
trunk/libselinux/src/label_x.c
Modified: trunk/libselinux/include/selinux/label.h
===================================================================
--- trunk/libselinux/include/selinux/label.h 2008-02-28 20:41:51 UTC (rev 2826)
+++ trunk/libselinux/include/selinux/label.h 2008-02-29 06:44:34 UTC (rev 2827)
@@ -114,6 +114,7 @@
#define SELABEL_X_EVENT 4
#define SELABEL_X_SELN 5
#define SELABEL_X_POLYPROP 6
+#define SELABEL_X_POLYSELN 7
#ifdef __cplusplus
Modified: trunk/libselinux/src/label_x.c
===================================================================
--- trunk/libselinux/src/label_x.c 2008-02-28 20:41:51 UTC (rev 2826)
+++ trunk/libselinux/src/label_x.c 2008-02-29 06:44:34 UTC (rev 2827)
@@ -71,6 +71,8 @@
data->spec_arr[data->nspec].type = SELABEL_X_SELN;
else if (!strcmp(type, "poly_property"))
data->spec_arr[data->nspec].type = SELABEL_X_POLYPROP;
+ else if (!strcmp(type, "poly_selection"))
+ data->spec_arr[data->nspec].type = SELABEL_X_POLYSELN;
else {
selinux_log(SELINUX_WARNING,
"%s: line %d has invalid object type %s\n",
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <ssm...@us...> - 2008-02-28 20:41:56
|
Revision: 2826
http://selinux.svn.sourceforge.net/selinux/?rev=2826&view=rev
Author: ssmalley
Date: 2008-02-28 12:41:51 -0800 (Thu, 28 Feb 2008)
Log Message:
-----------
updated libsepol to version 2.0.23
Modified Paths:
--------------
trunk/libsepol/ChangeLog
trunk/libsepol/VERSION
Modified: trunk/libsepol/ChangeLog
===================================================================
--- trunk/libsepol/ChangeLog 2008-02-28 20:41:00 UTC (rev 2825)
+++ trunk/libsepol/ChangeLog 2008-02-28 20:41:51 UTC (rev 2826)
@@ -1,3 +1,6 @@
+2.0.23 2008-02-28
+ * Accept "Flask" as an alternate identifier string in kernel policies from Stephen Smalley.
+
2.0.22 2008-02-28
* Add support for open_perms policy capability from Eric Paris.
Modified: trunk/libsepol/VERSION
===================================================================
--- trunk/libsepol/VERSION 2008-02-28 20:41:00 UTC (rev 2825)
+++ trunk/libsepol/VERSION 2008-02-28 20:41:51 UTC (rev 2826)
@@ -1 +1 @@
-2.0.22
+2.0.23
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
