From: <ssm...@us...> - 2006-08-24 16:05:19
Revision: 1993 Author: ssmalley Date: 2006-08-24 09:05:06 -0700 (Thu, 24 Aug 2006) ViewCVS: http://svn.sourceforge.net/selinux/?rev=1993&view=rev Log Message: ----------- Apply the new make indent to the tree. Modified Paths: -------------- trunk/checkpolicy/module_compiler.c trunk/libselinux/src/fgetfilecon.c trunk/libselinux/src/getfilecon.c trunk/libselinux/src/lgetfilecon.c trunk/libselinux/src/procattr.c trunk/libsemanage/src/semanage_store.c trunk/libsepol/src/link.c trunk/libsepol/src/mls.c trunk/libsepol/src/users.c Modified: trunk/checkpolicy/module_compiler.c =================================================================== --- trunk/checkpolicy/module_compiler.c 2006-08-24 16:01:45 UTC (rev 1992) +++ trunk/checkpolicy/module_compiler.c 2006-08-24 16:05:06 UTC (rev 1993) @@ -138,8 +138,9 @@ SCOPE_DECL, decl->decl_id, dest_value); if (retval == 1) { symtab_datum_t *s = - (symtab_datum_t *)hashtab_search(policydbp->symtab[symbol_type]. - table, key); + (symtab_datum_t *) hashtab_search(policydbp-> + symtab[symbol_type].table, + key); assert(s != NULL); *dest_value = s->value; } else if (retval == -2) { @@ -491,8 +492,9 @@ SCOPE_REQ, decl->decl_id, dest_value); if (retval == 1) { symtab_datum_t *s = - (symtab_datum_t *) hashtab_search(policydbp->symtab[symbol_type]. - table, key); + (symtab_datum_t *) hashtab_search(policydbp-> + symtab[symbol_type].table, + key); assert(s != NULL); *dest_value = s->value; } else if (retval == -2) { @@ -1018,7 +1020,8 @@ if (perdatum == NULL) { return 1; } - return is_perm_in_stack(perdatum->s.value, cladatum->s.value, stack_top); + return is_perm_in_stack(perdatum->s.value, cladatum->s.value, + stack_top); } cond_list_t *get_current_cond_list(cond_list_t * cond) Modified: trunk/libselinux/src/fgetfilecon.c =================================================================== --- trunk/libselinux/src/fgetfilecon.c 2006-08-24 16:01:45 UTC (rev 1992) +++ trunk/libselinux/src/fgetfilecon.c 2006-08-24 16:05:06 UTC (rev 1993) 
@@ -59,7 +59,7 @@ } if (ret >= 0 && *context) - return strlen(*context)+1; + return strlen(*context) + 1; return ret; } Modified: trunk/libselinux/src/getfilecon.c =================================================================== --- trunk/libselinux/src/getfilecon.c 2006-08-24 16:01:45 UTC (rev 1992) +++ trunk/libselinux/src/getfilecon.c 2006-08-24 16:05:06 UTC (rev 1993) @@ -58,7 +58,7 @@ freecon(rcontext); } if (ret >= 0 && *context) - return strlen(*context)+1; + return strlen(*context) + 1; return ret; } Modified: trunk/libselinux/src/lgetfilecon.c =================================================================== --- trunk/libselinux/src/lgetfilecon.c 2006-08-24 16:01:45 UTC (rev 1992) +++ trunk/libselinux/src/lgetfilecon.c 2006-08-24 16:05:06 UTC (rev 1993) @@ -59,6 +59,6 @@ } if (ret >= 0 && *context) - return strlen(*context)+1; + return strlen(*context) + 1; return ret; } Modified: trunk/libselinux/src/procattr.c =================================================================== --- trunk/libselinux/src/procattr.c 2006-08-24 16:01:45 UTC (rev 1992) +++ trunk/libselinux/src/procattr.c 2006-08-24 16:05:06 UTC (rev 1993) @@ -8,14 +8,13 @@ #include "selinux_internal.h" #include "policy.h" -static pid_t gettid(void) +static pid_t gettid(void) { return syscall(__NR_gettid); } static int getprocattrcon_raw(security_context_t * context, - pid_t pid, - const char *attr) + pid_t pid, const char *attr) { char *path, *buf; size_t size; @@ -72,9 +71,8 @@ return ret; } -static int getprocattrcon(security_context_t * context, - pid_t pid, - const char *attr) +static int getprocattrcon(security_context_t * context, + pid_t pid, const char *attr) { int ret; security_context_t rcontext; @@ -89,9 +87,8 @@ return ret; } -static int setprocattrcon_raw(security_context_t context, - pid_t pid, - const char *attr) +static int setprocattrcon_raw(security_context_t context, + pid_t pid, const char *attr) { char *path; int fd, rc; 
@@ -129,9 +126,8 @@ return 0; } -static int setprocattrcon(security_context_t context, - pid_t pid, - const char *attr) +static int setprocattrcon(security_context_t context, + pid_t pid, const char *attr) { int ret; security_context_t rcontext = context; 
@@ -179,31 +175,31 @@ { \ return getprocattrcon(c, pid, #attr); \ } - + all_selfattr_def(con, current) -getpidattr_def(pidcon, current) -getselfattr_def(prevcon, prev) -all_selfattr_def(execcon, exec) -all_selfattr_def(fscreatecon, fscreate) -all_selfattr_def(sockcreatecon, sockcreate) -all_selfattr_def(keycreatecon, keycreate) + getpidattr_def(pidcon, current) + getselfattr_def(prevcon, prev) + all_selfattr_def(execcon, exec) + all_selfattr_def(fscreatecon, fscreate) + all_selfattr_def(sockcreatecon, sockcreate) + all_selfattr_def(keycreatecon, keycreate) -hidden_def(getcon_raw) -hidden_def(getcon) -hidden_def(getexeccon_raw) -hidden_def(getfilecon_raw) -hidden_def(getfilecon) -hidden_def(getfscreatecon_raw) -hidden_def(getkeycreatecon_raw) -hidden_def(getpeercon_raw) -hidden_def(getpidcon_raw) -hidden_def(getprevcon_raw) -hidden_def(getprevcon) -hidden_def(getsockcreatecon_raw) -hidden_def(setcon_raw) -hidden_def(setexeccon_raw) -hidden_def(setexeccon) -hidden_def(setfilecon_raw) -hidden_def(setfscreatecon_raw) -hidden_def(setkeycreatecon_raw) -hidden_def(setsockcreatecon_raw) + hidden_def(getcon_raw) + hidden_def(getcon) + hidden_def(getexeccon_raw) + hidden_def(getfilecon_raw) + hidden_def(getfilecon) + hidden_def(getfscreatecon_raw) + hidden_def(getkeycreatecon_raw) + hidden_def(getpeercon_raw) + hidden_def(getpidcon_raw) + hidden_def(getprevcon_raw) + hidden_def(getprevcon) + hidden_def(getsockcreatecon_raw) + hidden_def(setcon_raw) + hidden_def(setexeccon_raw) + hidden_def(setexeccon) + hidden_def(setfilecon_raw) + hidden_def(setfscreatecon_raw) + hidden_def(setkeycreatecon_raw) + hidden_def(setsockcreatecon_raw) Modified: trunk/libsemanage/src/semanage_store.c =================================================================== --- trunk/libsemanage/src/semanage_store.c 2006-08-24 16:01:45 UTC (rev 1992) +++ trunk/libsemanage/src/semanage_store.c 2006-08-24 16:05:06 UTC (rev 1993) 
@@ -1068,20 +1068,25 @@ } snprintf(store_fc_loc, PATH_MAX, "%s%s", storepath, running_fc_loc); - if (semanage_copy_file(active_fc_loc, store_fc_loc, sh->conf->file_mode) == -1 && errno != ENOENT) { - ERR(sh, "Could not copy %s to %s.", active_fc_loc, store_fc_loc); + if (semanage_copy_file(active_fc_loc, store_fc_loc, sh->conf->file_mode) + == -1 && errno != ENOENT) { + ERR(sh, "Could not copy %s to %s.", active_fc_loc, + store_fc_loc); goto cleanup; } snprintf(store_seusers, PATH_MAX, "%s%s", storepath, running_seusers); if (semanage_copy_file - (active_seusers, store_seusers, sh->conf->file_mode) == -1 && errno != ENOENT) { - ERR(sh, "Could not copy %s to %s.", active_seusers, store_seusers); + (active_seusers, store_seusers, sh->conf->file_mode) == -1 + && errno != ENOENT) { + ERR(sh, "Could not copy %s to %s.", active_seusers, + store_seusers); goto cleanup; } snprintf(store_nc, PATH_MAX, "%s%s", storepath, running_nc); - if (semanage_copy_file(active_nc, store_nc, sh->conf->file_mode) == -1 && errno != ENOENT) { + if (semanage_copy_file(active_nc, store_nc, sh->conf->file_mode) == -1 + && errno != ENOENT) { ERR(sh, "Could not copy %s to %s.", active_nc, store_nc); goto cleanup; } Modified: trunk/libsepol/src/link.c =================================================================== --- trunk/libsepol/src/link.c 2006-08-24 16:01:45 UTC (rev 1992) +++ trunk/libsepol/src/link.c 2006-08-24 16:05:06 UTC (rev 1993) @@ -278,7 +278,8 @@ } } - state->cur->map[SYM_CLASSES][cladatum->s.value - 1] = new_class->s.value; + state->cur->map[SYM_CLASSES][cladatum->s.value - 1] = + new_class->s.value; /* copy permissions */ state->src_class = cladatum; Modified: trunk/libsepol/src/mls.c =================================================================== --- trunk/libsepol/src/mls.c 2006-08-24 16:01:45 UTC (rev 1992) +++ trunk/libsepol/src/mls.c 2006-08-24 16:05:06 UTC (rev 1993) 
@@ -403,7 +403,8 @@ if (!rngdatum) goto err; - if (catdatum->s.value >= rngdatum->s.value) + if (catdatum->s.value >= + rngdatum->s.value) goto err; for (i = catdatum->s.value; Modified: trunk/libsepol/src/users.c =================================================================== --- trunk/libsepol/src/users.c 2006-08-24 16:01:45 UTC (rev 1992) +++ trunk/libsepol/src/users.c 2006-08-24 16:05:06 UTC (rev 1993) @@ -332,7 +332,8 @@ return STATUS_SUCCESS; } - if (user_to_record(handle, policydb, usrdatum->s.value - 1, response) < 0) + if (user_to_record(handle, policydb, usrdatum->s.value - 1, response) < + 0) goto err; return STATUS_SUCCESS; This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <mad...@us...> - 2006-09-05 14:31:54
Revision: 2018 http://svn.sourceforge.net/selinux/?rev=2018&view=rev Author: madmethod Date: 2006-09-05 07:31:38 -0700 (Tue, 05 Sep 2006) Log Message: ----------- checkpolicy 1.30.11 Modified Paths: -------------- trunk/checkpolicy/ChangeLog trunk/checkpolicy/VERSION Modified: trunk/checkpolicy/ChangeLog =================================================================== --- trunk/checkpolicy/ChangeLog 2006-09-05 14:28:31 UTC (rev 2017) +++ trunk/checkpolicy/ChangeLog 2006-09-05 14:31:38 UTC (rev 2018) @@ -1,3 +1,7 @@ +1.30.11 2006-09-05 + * merged range_transition enhancements and user module format + changes from Darrel Goeddel + 1.30.10 2006-08-03 * Merged symtab datum patch from Karl MacMillan. Modified: trunk/checkpolicy/VERSION =================================================================== --- trunk/checkpolicy/VERSION 2006-09-05 14:28:31 UTC (rev 2017) +++ trunk/checkpolicy/VERSION 2006-09-05 14:31:38 UTC (rev 2018) @@ -1 +1 @@ -1.30.10 +1.30.11 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2006-11-14 00:22:13
Revision: 2089 http://svn.sourceforge.net/selinux/?rev=2089&view=rev Author: ssmalley Date: 2006-11-13 16:22:12 -0800 (Mon, 13 Nov 2006) Log Message: ----------- Author: Stephen Smalley Email: sd...@ty... Subject: RE: How should I run genfscon in my module? Date: Wed, 01 Nov 2006 13:18:58 -0500 On Wed, 2006-11-01 at 11:09 -0500, Karl MacMillan wrote: > On Wed, 2006-11-01 at 10:27 -0500, Joshua Brindle wrote: > > > From: Karl MacMillan [mailto:kma...@me...] > > > > > > > > I looked at fixing this by changing genfscon to use > > > user_identifier > > > > > instead of identifier (they are the same except user_identifier > > > > > includes "-"). This made checkpolicy generate a syntax > > > error for all > > > > > genfscon statements - haven't tracked down what the > > > problem is. The > > > > > grammer still seems to be unambiguous. > > > > > > > > Use "user_id" instead. Otherwise, you'll get a syntax > > > error when the > > > > token is classified as an IDENTIFIER (first match) and the grammar > > > > says that it must be a USER_IDENTIFIER. > > > > > > Right as usual. > > > > > > > Maybe make user_id more generic as it is no longer only used for users.. > > Just making generic would make the user related parts of the grammar > harder to read. What about this: > > Index: trunk/checkpolicy/policy_parse.y > =================================================================== > --- trunk/checkpolicy/policy_parse.y (revision 2076) > +++ trunk/checkpolicy/policy_parse.y (working copy) > @@ -605,6 +605,8 @@ > ; > user_id : identifier > | user_identifier > + ; > +dash_id : user_id > ; > user_def : USER user_id ROLES names opt_mls_user ';' > {if (define_user()) return -1;} 
> @@ -679,11 +681,11 @@ > genfs_contexts : genfs_context_def > | genfs_contexts genfs_context_def > ; > -genfs_context_def : GENFSCON identifier path '-' identifier security_context_def > +genfs_context_def : GENFSCON dash_id path '-' identifier security_context_def > {if (define_genfs_context(1)) return -1;} > - | GENFSCON identifier path '-' '-' {insert_id("-", 0);} security_context_def > + | GENFSCON dash_id path '-' '-' {insert_id("-", 0);} security_context_def > {if (define_genfs_context(1)) return -1;} > - | GENFSCON identifier path security_context_def > + | GENFSCON dash_id path security_context_def > {if (define_genfs_context(0)) return -1;} > ; > ipv4_addr_def : number '.' number '.' number '.' number > > > Signed-off by: Karl MacMillan <kma...@me...> Why not just fold USER_IDENTIFIER back into IDENTIFIER? As in: Revision Links: -------------- http://svn.sourceforge.net/selinux/?rev=2076&view=rev Modified Paths: -------------- trunk/checkpolicy/policy_parse.y trunk/checkpolicy/policy_scan.l Modified: trunk/checkpolicy/policy_parse.y =================================================================== --- trunk/checkpolicy/policy_parse.y 2006-11-14 00:16:07 UTC (rev 2088) +++ trunk/checkpolicy/policy_parse.y 2006-11-14 00:22:12 UTC (rev 2089) @@ -190,7 +190,6 @@ %token NOT AND OR XOR %token CTRUE CFALSE %token IDENTIFIER -%token USER_IDENTIFIER %token NUMBER %token EQUALS %token NOTEQUAL 
@@ -522,13 +521,13 @@ | T1 op T2 { $$ = define_cexpr(CEXPR_ATTR, CEXPR_TYPE, $2); if ($$ == 0) return -1; } - | U1 op { if (insert_separator(1)) return -1; } user_names_push + | U1 op { if (insert_separator(1)) return -1; } names_push { $$ = define_cexpr(CEXPR_NAMES, CEXPR_USER, $2); if ($$ == 0) return -1; } - | U2 op { if (insert_separator(1)) return -1; } user_names_push + | U2 op { if (insert_separator(1)) return -1; } names_push { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_TARGET), $2); if ($$ == 0) return -1; } - | U3 op { if (insert_separator(1)) return -1; } user_names_push + | U3 op { if (insert_separator(1)) return -1; } names_push { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_XTARGET), $2); if ($$ == 0) return -1; } | R1 op { if (insert_separator(1)) return -1; } names_push @@ -603,10 +602,7 @@ users : user_def | users user_def ; -user_id : identifier - | user_identifier - ; -user_def : USER user_id ROLES names opt_mls_user ';' +user_def : USER identifier ROLES names opt_mls_user ';' {if (define_user()) return -1;} ; opt_mls_user : LEVEL mls_level_def RANGE mls_range_def @@ -698,7 +694,7 @@ $$ = addr; } ; -security_context_def : user_id ':' identifier ':' identifier opt_mls_range_def +security_context_def : identifier ':' identifier ':' identifier opt_mls_range_def ; opt_mls_range_def : ':' mls_range_def | 
@@ -766,23 +762,6 @@ identifier : IDENTIFIER { if (insert_id(yytext,0)) return -1; } ; -user_identifier : USER_IDENTIFIER - { if (insert_id(yytext,0)) return -1; } - ; -user_identifier_push : USER_IDENTIFIER - { if (insert_id(yytext, 1)) return -1; } - ; -user_identifier_list_push : user_identifier_push - | identifier_list_push user_identifier_push - | user_identifier_list_push identifier_push - | user_identifier_list_push user_identifier_push - ; -user_names_push : names_push - | user_identifier_push - | '{' user_identifier_list_push '}' - | tilde_push user_identifier_push - | tilde_push '{' user_identifier_list_push '}' - ; path : PATH { if (insert_id(yytext,0)) return -1; } ; Modified: trunk/checkpolicy/policy_scan.l =================================================================== --- trunk/checkpolicy/policy_scan.l 2006-11-14 00:16:07 UTC (rev 2088) +++ trunk/checkpolicy/policy_scan.l 2006-11-14 00:22:12 UTC (rev 2089) @@ -200,12 +200,11 @@ h2 | H2 { return(H2); } "/"({letter}|{digit}|_|"."|"-"|"/")* { return(PATH); } -{letter}({letter}|{digit}|_|".")* { if (is_valid_identifier(yytext)) +{letter}({letter}|{digit}|_|"."|"-")* { if (is_valid_identifier(yytext)) return(IDENTIFIER); else REJECT; } -{letter}({letter}|{digit}|_|"."|"-")* { return(USER_IDENTIFIER); } {digit}{digit}* { return(NUMBER); } {hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":"|".")* { return(IPV6_ADDR); } {version}/([ \t\f]*;) { return(VERSION_IDENTIFIER); } This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
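Review bot: The widened lexer rule `{letter}({letter}|{digit}|_|"."|"-")*` in policy_scan.l now admits '-' in every identifier class (types, roles, classes, sensitivities, booleans), not only in user names, and the grammar change above removes the only place that used to reject such a token outside a user position. Because '-' is also a separator in the grammar (MLS level ranges, the genfscon file-type slot), a hyphen written without surrounding spaces lexes by longest match as one token: before this change the parser reported a syntax error for it, whereas now it is presumably accepted as a name and either fails later as an unknown identifier or, in a declaration, defines a hyphenated name. That is a behavioural change worth stating in the ChangeLog and in a comment on the rule, e.g. `/* '-' is legal in all identifiers since USER_IDENTIFIER was folded into IDENTIFIER */`. `is_valid_identifier` is still applied, so the dot restrictions are unchanged.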
From: <ssm...@us...> - 2006-11-14 00:24:08
Revision: 2090 http://svn.sourceforge.net/selinux/?rev=2090&view=rev Author: ssmalley Date: 2006-11-13 16:24:06 -0800 (Mon, 13 Nov 2006) Log Message: ----------- checkpolicy 1.33.1 Modified Paths: -------------- trunk/checkpolicy/ChangeLog trunk/checkpolicy/VERSION Modified: trunk/checkpolicy/ChangeLog =================================================================== --- trunk/checkpolicy/ChangeLog 2006-11-14 00:22:12 UTC (rev 2089) +++ trunk/checkpolicy/ChangeLog 2006-11-14 00:24:06 UTC (rev 2090) @@ -1,3 +1,6 @@ +1.33.1 2006-11-13 + * Collapse user identifiers and identifiers together. + 1.32 2006-10-17 * Updated version for release. Modified: trunk/checkpolicy/VERSION =================================================================== --- trunk/checkpolicy/VERSION 2006-11-14 00:22:12 UTC (rev 2089) +++ trunk/checkpolicy/VERSION 2006-11-14 00:24:06 UTC (rev 2090) @@ -1 +1 @@ -1.32 +1.33.1 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2007-02-06 16:42:04
Revision: 2227 http://svn.sourceforge.net/selinux/?rev=2227&view=rev Author: ssmalley Date: 2007-02-06 08:40:21 -0800 (Tue, 06 Feb 2007) Log Message: ----------- Note that checkpolicy on trunk has changed for the new libsepol error codes. Modified Paths: -------------- trunk/checkpolicy/ChangeLog trunk/checkpolicy/VERSION Modified: trunk/checkpolicy/ChangeLog =================================================================== --- trunk/checkpolicy/ChangeLog 2007-02-06 15:14:24 UTC (rev 2226) +++ trunk/checkpolicy/ChangeLog 2007-02-06 16:40:21 UTC (rev 2227) @@ -1,3 +1,6 @@ +2.0.0 2007-02-01 + * Merged patch to use new libsepol error codes by Karl MacMillan. + 1.34.0 2007-01-18 * Updated version for stable branch. Modified: trunk/checkpolicy/VERSION =================================================================== --- trunk/checkpolicy/VERSION 2007-02-06 15:14:24 UTC (rev 2226) +++ trunk/checkpolicy/VERSION 2007-02-06 16:40:21 UTC (rev 2227) @@ -1 +1 @@ -1.34.0 +2.0.0 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2007-04-12 18:34:21
Revision: 2343 http://svn.sourceforge.net/selinux/?rev=2343&view=rev Author: ssmalley Date: 2007-04-12 11:34:21 -0700 (Thu, 12 Apr 2007) Log Message: ----------- checkpolicy 2.0.2 Modified Paths: -------------- trunk/checkpolicy/ChangeLog trunk/checkpolicy/VERSION Modified: trunk/checkpolicy/ChangeLog =================================================================== --- trunk/checkpolicy/ChangeLog 2007-04-12 18:33:03 UTC (rev 2342) +++ trunk/checkpolicy/ChangeLog 2007-04-12 18:34:21 UTC (rev 2343) @@ -1,3 +1,6 @@ +2.0.2 2007-04-12 + * Merged checkmodule man page fix from Dan Walsh. + 2.0.1 2007-02-20 * Merged patch to allow dots in class identifiers from Caleb Case. Modified: trunk/checkpolicy/VERSION =================================================================== --- trunk/checkpolicy/VERSION 2007-04-12 18:33:03 UTC (rev 2342) +++ trunk/checkpolicy/VERSION 2007-04-12 18:34:21 UTC (rev 2343) @@ -1 +1 @@ -2.0.1 +2.0.2 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2007-05-31 18:07:57
Revision: 2447 http://svn.sourceforge.net/selinux/?rev=2447&view=rev Author: ssmalley Date: 2007-05-31 11:07:54 -0700 (Thu, 31 May 2007) Log Message: ----------- Author: Daniel J Walsh Email: dw...@re... Subject: Dead links in checkpolicy/checkmodule man pages. Date: Tue, 29 May 2007 10:45:40 -0400 I think we should just move to the toplevel directory Acked-by: Stephen Smalley <sd...@ty...> Modified Paths: -------------- trunk/checkpolicy/checkmodule.8 trunk/checkpolicy/checkpolicy.8 Modified: trunk/checkpolicy/checkmodule.8 =================================================================== --- trunk/checkpolicy/checkmodule.8 2007-05-31 18:06:18 UTC (rev 2446) +++ trunk/checkpolicy/checkmodule.8 2007-05-31 18:07:54 UTC (rev 2447) @@ -47,7 +47,7 @@ .SH "SEE ALSO" .B semodule(8), semodule_package(8) -SELinux documentation at http://www.nsa.gov/selinux/docs.html, +SELinux documentation at http://www.nsa.gov/selinux, especially "Configuring the SELinux Policy". Modified: trunk/checkpolicy/checkpolicy.8 =================================================================== --- trunk/checkpolicy/checkpolicy.8 2007-05-31 18:06:18 UTC (rev 2446) +++ trunk/checkpolicy/checkpolicy.8 2007-05-31 18:07:54 UTC (rev 2447) @@ -34,7 +34,7 @@ Specify the policy version, defaults to the latest. .SH "SEE ALSO" -SELinux documentation at http://www.nsa.gov/selinux/docs.html, +SELinux documentation at http://www.nsa.gov/selinux, especially "Configuring the SELinux Policy". This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2007-05-31 18:11:55
Revision: 2448 http://svn.sourceforge.net/selinux/?rev=2448&view=rev Author: ssmalley Date: 2007-05-31 11:11:53 -0700 (Thu, 31 May 2007) Log Message: ----------- updated checkpolicy to version 2.0.3 Modified Paths: -------------- trunk/checkpolicy/ChangeLog trunk/checkpolicy/VERSION Modified: trunk/checkpolicy/ChangeLog =================================================================== --- trunk/checkpolicy/ChangeLog 2007-05-31 18:07:54 UTC (rev 2447) +++ trunk/checkpolicy/ChangeLog 2007-05-31 18:11:53 UTC (rev 2448) @@ -1,3 +1,7 @@ +2.0.3 2007-05-31 + * Merged fix for segfault on duplicate require of sensitivity from Caleb Case. + * Merged fix for dead URLs in checkpolicy man pages from Dan Walsh. + 2.0.2 2007-04-12 * Merged checkmodule man page fix from Dan Walsh. Modified: trunk/checkpolicy/VERSION =================================================================== --- trunk/checkpolicy/VERSION 2007-05-31 18:07:54 UTC (rev 2447) +++ trunk/checkpolicy/VERSION 2007-05-31 18:11:53 UTC (rev 2448) @@ -1 +1 @@ -2.0.2 +2.0.3 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2007-09-18 19:44:15
Revision: 2567 http://selinux.svn.sourceforge.net/selinux/?rev=2567&view=rev Author: ssmalley Date: 2007-09-18 12:44:10 -0700 (Tue, 18 Sep 2007) Log Message: ----------- Author: Eric Paris Email: ep...@re... Subject: checkpolicy: implement handling of unknown classes and permissions Date: Thu, 06 Sep 2007 14:26:26 -0400 Add a new command line options, -U (allow,reject,deny), to checkmodule and checkpolicy which sets the handle_unknown config flag. Default to deny unknowns which is how things have been in the past. Also add dismod and dispol support. -Eric Modified Paths: -------------- trunk/checkpolicy/checkmodule.c trunk/checkpolicy/checkpolicy.c trunk/checkpolicy/policy_parse.y trunk/checkpolicy/test/dismod.c trunk/checkpolicy/test/dispol.c Modified: trunk/checkpolicy/checkmodule.c =================================================================== --- trunk/checkpolicy/checkmodule.c 2007-09-18 19:43:38 UTC (rev 2566) +++ trunk/checkpolicy/checkmodule.c 2007-09-18 19:44:10 UTC (rev 2567) @@ -39,6 +39,7 @@ static sidtab_t sidtab; extern int mlspol; +extern int handle_unknown; static char *txtfile = "policy.conf"; static char *binfile = "policy"; @@ -121,6 +122,7 @@ p->policy_type = policy_type; p->policyvers = policyvers; + p->handle_unknown = handle_unknown; pf.type = PF_USE_STDIO; pf.fp = outfp; 
@@ -135,13 +137,17 @@ static void usage(char *progname) { - printf("usage: %s [-V] [-b] [-m] [-M] [-o FILE] [INPUT]\n", progname); + printf("usage: %s [-V] [-b] [-U handle_unknown] [-m] [-M] [-o FILE] [INPUT]\n", progname); printf("Build base and policy modules.\n"); printf("Options:\n"); printf(" INPUT build module from INPUT (else read from \"%s\")\n", txtfile); printf(" -V show policy versions created by this program\n"); printf(" -b treat input as a binary policy file\n"); + printf(" -U OPTION How to handle unknown classes and permissions\n"); + printf(" deny: Deny unknown kernel checks\n"); + printf(" reject: Reject loading of policy with unknowns\n"); + printf(" allow: Allow unknown kernel checks\n"); printf(" -m build a policy module instead of a base module\n"); printf(" -M enable MLS policy\n"); printf(" -o FILE write module to FILE (else just check syntax)\n"); @@ -156,7 +162,7 @@ int show_version = 0; policydb_t modpolicydb; - while ((ch = getopt(argc, argv, "ho:dbVmM")) != EOF) { + while ((ch = getopt(argc, argv, "ho:dbVU:mM")) != EOF) { switch (ch) { case 'h': usage(argv[0]); @@ -171,6 +177,20 @@ case 'V': show_version = 1; break; + case 'U': + if (!strcasecmp(optarg, "deny")) { + handle_unknown = DENY_UNKNOWN; + break; + } + if (!strcasecmp(optarg, "reject")) { + handle_unknown = REJECT_UNKNOWN; + break; + } + if (!strcasecmp(optarg, "allow")) { + handle_unknown = ALLOW_UNKNOWN; + break; + } + usage(argv[0]); case 'm': policy_type = POLICY_MOD; policyvers = MOD_POLICYDB_VERSION_MAX; @@ -189,6 +209,12 @@ exit(0); } + if (handle_unknown && (policy_type != POLICY_BASE)) { + printf("Handling of unknown classes and permissions is only "); + printf("valid in the base module\n"); + exit(1); + } + if (optind != argc) { file = argv[optind++]; if (optind != argc) 
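Review bot: The new guard `if (handle_unknown && (policy_type != POLICY_BASE))` in checkmodule.c tests the flag's value rather than whether -U was given, so if DENY_UNKNOWN is 0 (which the "default to deny" wording together with `int handle_unknown = 0` in policy_parse.y suggests) `-U deny -m` is silently accepted while `-U allow -m` is rejected; recording the option in a separate `int handle_unknown_set = 1;` inside `case 'U':` and testing that in the guard makes the check uniform. Separately, the `usage(argv[0]);` reached for an unrecognised -U value falls straight into `case 'm':` unless usage() terminates the process; its tail is outside this hunk, so either follow the call with `exit(1);` or mark it `/* usage() exits */`. The enclosing main() continues outside the hunk.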
@@ -214,6 +240,7 @@ modpolicydb.policy_type = policy_type; modpolicydb.mls = mlspol; + modpolicydb.handle_unknown = handle_unknown; if (read_source_policy(&modpolicydb, file, argv[0]) == -1) { exit(1); Modified: trunk/checkpolicy/checkpolicy.c =================================================================== --- trunk/checkpolicy/checkpolicy.c 2007-09-18 19:43:38 UTC (rev 2566) +++ trunk/checkpolicy/checkpolicy.c 2007-09-18 19:44:10 UTC (rev 2567) @@ -90,6 +90,7 @@ extern policydb_t *policydbp; extern int mlspol; +extern int handle_unknown; static char *txtfile = "policy.conf"; static char *binfile = "policy"; @@ -99,7 +100,7 @@ void usage(char *progname) { printf - ("usage: %s [-b] [-d] [-M] [-c policyvers (%d-%d)] [-o output_file] [input_file]\n", + ("usage: %s [-b] [-d] [-U handle_unknown (allow,deny,reject) [-M] [-c policyvers (%d-%d)] [-o output_file] [input_file]\n", progname, POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX); exit(1); } @@ -390,7 +391,7 @@ int show_version = 0; struct policy_file pf; - while ((ch = getopt(argc, argv, "o:dbMVc:")) != EOF) { + while ((ch = getopt(argc, argv, "o:dbU:MVc:")) != EOF) { switch (ch) { case 'o': outfile = optarg; @@ -405,6 +406,20 @@ case 'V': show_version = 1; break; + case 'U': + if (!strcasecmp(optarg, "deny")) { + handle_unknown = DENY_UNKNOWN; + break; + } + if (!strcasecmp(optarg, "allow")) { + handle_unknown = ALLOW_UNKNOWN; + break; + } + if (!strcasecmp(optarg, "reject")) { + handle_unknown = REJECT_UNKNOWN; + break; + } + usage(argv[0]); case 'M': mlspol = 1; break; @@ -515,6 +530,7 @@ /* Let sepol know if we are dealing with MLS support */ parse_policy.mls = mlspol; + parse_policy.handle_unknown = handle_unknown; policydbp = &parse_policy; Modified: trunk/checkpolicy/policy_parse.y =================================================================== --- trunk/checkpolicy/policy_parse.y 2007-09-18 19:43:38 UTC (rev 2566) +++ trunk/checkpolicy/policy_parse.y 2007-09-18 19:44:10 UTC (rev 2567) 
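Review bot: The new usage string in checkpolicy.c has an unbalanced bracket: `[-U handle_unknown (allow,deny,reject) [-M]` never closes the -U group and should read `[-U handle_unknown (allow,deny,reject)] [-M]`. The three `strcasecmp` branches are also ordered differently from checkmodule.c (deny, allow, reject here versus deny, reject, allow there), which is harmless but worth aligning since the two blocks are otherwise identical. Only the source-policy path receives the flag via `parse_policy.handle_unknown = handle_unknown;`; whether the -b binary-input path honours -U is not visible in this hunk and should be checked. main() continues outside the hunk.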
@@ -67,6 +67,7 @@ static unsigned int pass; char *curfile = 0; int mlspol = 0; +int handle_unknown = 0; extern unsigned long policydb_lineno; extern unsigned long source_lineno; Modified: trunk/checkpolicy/test/dismod.c =================================================================== --- trunk/checkpolicy/test/dismod.c 2007-09-18 19:43:38 UTC (rev 2566) +++ trunk/checkpolicy/test/dismod.c 2007-09-18 19:44:10 UTC (rev 2567) @@ -665,6 +665,17 @@ return 0; } +int display_handle_unknown(policydb_t * policydb, FILE * out_fp) +{ + if (policydb->handle_unknown == ALLOW_UNKNOWN) + fprintf(out_fp, "Allow unknown classes and perms\n"); + else if (policydb->handle_unknown == DENY_UNKNOWN) + fprintf(out_fp, "Deny unknown classes and perms\n"); + else if (policydb->handle_unknown == REJECT_UNKNOWN) + fprintf(out_fp, "Reject unknown classes and perms\n"); + return 0; +} + static int read_policy(char *filename, policydb_t * policy) { FILE *in_fp; @@ -771,6 +782,7 @@ printf("a) Display avrule requirements\n"); printf("b) Display avrule declarations\n"); printf("l) Link in a module\n"); + printf("u) Display the unknown handling setting\n"); printf("\n"); printf("f) set output file\n"); printf("m) display menu\n"); @@ -879,6 +891,10 @@ fprintf(out_fp, "avrule block declarations:\n"); display_avblock(6, 0, &policydb, out_fp); break; + case 'u': + case 'U': + display_handle_unknown(&policydb, out_fp); + break; case 'f': printf ("\nFilename for output (<CR> for screen output): "); Modified: trunk/checkpolicy/test/dispol.c =================================================================== --- trunk/checkpolicy/test/dispol.c 2007-09-18 19:43:38 UTC (rev 2566) +++ trunk/checkpolicy/test/dispol.c 2007-09-18 19:44:10 UTC (rev 2567) 
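Review bot: `display_handle_unknown` in dismod.c prints nothing when `policydb->handle_unknown` matches none of the three constants (including, if none of them is 0, the zero default from policy_parse.y), so an unset or corrupted field is indistinguishable from a successful call on the terminal; a final `else fprintf(out_fp, "Unknown handle_unknown value %d\n", policydb->handle_unknown);` makes the silent case visible. The function is also only used from this file's menu loop yet is not declared `static`, unlike the neighbouring `static int read_policy(...)`; `static int display_handle_unknown(policydb_t * policydb, FILE * out_fp)` matches the file's convention.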
@@ -273,6 +273,17 @@ return 1; } +int display_handle_unknown(policydb_t * policydb, FILE * out_fp) +{ + if (policydb->handle_unknown == ALLOW_UNKNOWN) + fprintf(out_fp, "Allow unknown classes and permisions\n"); + else if (policydb->handle_unknown == DENY_UNKNOWN) + fprintf(out_fp, "Deny unknown classes and permisions\n"); + else if (policydb->handle_unknown == REJECT_UNKNOWN) + fprintf(out_fp, "Reject unknown classes and permisions\n"); + return 0; +} + int change_bool(char *name, int state, policydb_t * p, FILE * fp) { cond_bool_datum_t *bool; @@ -298,6 +309,7 @@ printf("6) display conditional expressions\n"); printf("7) change a boolean value\n"); printf("\n"); + printf("u) display unknown handling setting\n"); printf("f) set output file\n"); printf("m) display menu\n"); printf("q) quit\n"); @@ -409,6 +421,10 @@ change_bool(name, state, &policydb, out_fp); free(name); break; + case 'u': + case 'U': + display_handle_unknown(&policydb, out_fp); + break; case 'f': printf ("\nFilename for output (<CR> for screen output): "); This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
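Review bot: The three output strings in dispol.c's `display_handle_unknown` misspell "permissions" as `permisions`, and dismod.c's copy of the same function says `perms` instead, so the two tools already disagree on the wording; `fprintf(out_fp, "Allow unknown classes and permissions\n");` (and the deny/reject variants) fixes both. As in dismod.c, nothing is printed when the field holds none of the three values; a trailing `else` reporting the raw number would make that case visible rather than silent.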
From: <ssm...@us...> - 2007-09-18 19:46:49
Revision: 2569 http://selinux.svn.sourceforge.net/selinux/?rev=2569&view=rev Author: ssmalley Date: 2007-09-18 12:46:46 -0700 (Tue, 18 Sep 2007) Log Message: ----------- updated checkpolicy to version 2.0.4 Modified Paths: -------------- trunk/checkpolicy/ChangeLog trunk/checkpolicy/VERSION Modified: trunk/checkpolicy/ChangeLog =================================================================== --- trunk/checkpolicy/ChangeLog 2007-09-18 19:45:14 UTC (rev 2568) +++ trunk/checkpolicy/ChangeLog 2007-09-18 19:46:46 UTC (rev 2569) @@ -1,3 +1,8 @@ +2.0.4 2007-09-18 + * Merged handle unknown policydb flag support from Eric Paris. + Adds new command line options -U {allow, reject, deny} for selecting + the flag when a base module or kernel policy is built. + 2.0.3 2007-05-31 * Merged fix for segfault on duplicate require of sensitivity from Caleb Case. * Merged fix for dead URLs in checkpolicy man pages from Dan Walsh. Modified: trunk/checkpolicy/VERSION =================================================================== --- trunk/checkpolicy/VERSION 2007-09-18 19:45:14 UTC (rev 2568) +++ trunk/checkpolicy/VERSION 2007-09-18 19:46:46 UTC (rev 2569) @@ -1 +1 @@ -2.0.3 +2.0.4 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2007-11-01 20:14:37
Revision: 2665 http://selinux.svn.sourceforge.net/selinux/?rev=2665&view=rev Author: ssmalley Date: 2007-11-01 13:14:36 -0700 (Thu, 01 Nov 2007) Log Message: ----------- Author: James Carter Email: jw...@ty... Subject: checkpolicy: Remove use of REJECT and trailing context in lex rules; make ipv4 address processing like ipv6 Date: Wed, 31 Oct 2007 15:43:45 -0400 This is a patch to remove the use of REJECT and trailing context in the lex rules. To help accomplish this, it also makes ipv4 address processing like ipv6 address processing. It improves policy compile times on my laptop from ~95sec to ~85sec. REJECT was used to reject an identifier if it had two consecutive "."s or one at the end. The new rule should prevent both of these conditions without the use of REJECT and the is_valid_identifier function. Trailing context was used in the rule to identify the module version. Without the trailing context, the rule would match ipv4 addresses. A rule for ipv4 addresses was added to eliminate the need for the use of trailing context and to allow ipv4 addresses to be handled in a manner similar to ipv6 addresses. Finally, the alnum character class was defined and some minor cleanup was done. I am, by the way, surprised by the rule to match the module version. It is "[0-9]+(\.[A-Za-z0-9_.]*)?" when I would have expected something like "[0-9]+(\.[0-9]+){0,2}". I assumed that there is a reason why it is like this and left it alone. Signed off by: James Carter <jw...@ty...> Modified Paths: -------------- trunk/checkpolicy/policy_parse.y trunk/checkpolicy/policy_scan.l Modified: trunk/checkpolicy/policy_parse.y =================================================================== --- trunk/checkpolicy/policy_parse.y 2007-11-01 16:51:46 UTC (rev 2664) +++ trunk/checkpolicy/policy_parse.y 2007-11-01 20:14:36 UTC (rev 2665) 
@@ -122,7 +122,7 @@ static int define_fs_context(unsigned int major, unsigned int minor); static int define_port_context(unsigned int low, unsigned int high); static int define_netif_context(void); -static int define_ipv4_node_context(unsigned int addr, unsigned int mask); +static int define_ipv4_node_context(void); static int define_ipv6_node_context(void); typedef int (* require_func_t)(); @@ -195,6 +195,7 @@ %token NUMBER %token EQUALS %token NOTEQUAL +%token IPV4_ADDR %token IPV6_ADDR %token MODULE VERSION_IDENTIFIER REQUIRE OPTIONAL @@ -654,7 +655,7 @@ | node_contexts node_context_def ; node_context_def : NODECON ipv4_addr_def ipv4_addr_def security_context_def - {if (define_ipv4_node_context($2,$3)) return -1;} + {if (define_ipv4_node_context()) return -1;} | NODECON ipv6_addr ipv6_addr security_context_def {if (define_ipv6_node_context()) return -1;} ; @@ -684,18 +685,9 @@ | GENFSCON identifier path security_context_def {if (define_genfs_context(0)) return -1;} ; -ipv4_addr_def : number '.' number '.' number '.' number - { - unsigned int addr; - unsigned char *p = ((unsigned char *)&addr); - - p[0] = $1 & 0xff; - p[1] = $3 & 0xff; - p[2] = $5 & 0xff; - p[3] = $7 & 0xff; - $$ = addr; - } - ; +ipv4_addr_def : IPV4_ADDR + { if (insert_id(yytext,0)) return -1; } + ; security_context_def : identifier ':' identifier ':' identifier opt_mls_range_def ; opt_mls_range_def : ':' mls_range_def 
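Review bot: The new `ipv4_addr_def` action defers all validation to `define_ipv4_node_context()`, so the grammar no longer shows what an address may contain: the replaced rule masked each component with `& 0xff` and silently accepted `300.1.1.1`, while the new rule hands the raw `IPV4_ADDR` text to `inet_pton()`, which rejects such input. That is the better behaviour, but it is a user-visible change to what compiles, so it deserves a comment on the rule such as `/* IPV4_ADDR text is validated by inet_pton() in define_ipv4_node_context(); out-of-range octets are now errors rather than being truncated */`. The action reads `yytext` directly, which — as with the existing identifier handling it mirrors — is only safe when bison reduces this rule without first fetching a lookahead token; presumably that holds here, but it is worth stating next to the rule.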
@@ -4184,27 +4176,63 @@ return 0; } -static int define_ipv4_node_context(unsigned int addr, unsigned int mask) -{ +static int define_ipv4_node_context() +{ + char *id; + int rc = 0; + struct in_addr addr, mask; ocontext_t *newc, *c, *l, *head; if (pass == 1) { + free(queue_remove(id_queue)); + free(queue_remove(id_queue)); parse_security_context(NULL); - if (mlspol) - free(queue_remove(id_queue)); - return 0; + goto out; } + id = queue_remove(id_queue); + if (!id) { + yyerror("failed to read ipv4 address"); + rc = -1; + goto out; + } + + rc = inet_pton(AF_INET, id, &addr); + free(id); + if (rc < 1) { + yyerror("failed to parse ipv4 address"); + if (rc == 0) + rc = -1; + goto out; + } + + id = queue_remove(id_queue); + if (!id) { + yyerror("failed to read ipv4 address"); + rc = -1; + goto out; + } + + rc = inet_pton(AF_INET, id, &mask); + free(id); + if (rc < 1) { + yyerror("failed to parse ipv4 mask"); + if (rc == 0) + rc = -1; + goto out; + } + newc = malloc(sizeof(ocontext_t)); if (!newc) { yyerror("out of memory"); - return -1; + rc = -1; + goto out; } + memset(newc, 0, sizeof(ocontext_t)); + newc->u.node.addr = addr.s_addr; + newc->u.node.mask = mask.s_addr; - newc->u.node.addr = addr; - newc->u.node.mask = mask; - if (parse_security_context(&newc->context[0])) { free(newc); return -1; @@ -4224,8 +4252,9 @@ l->next = newc; else policydbp->ocontexts[OCON_NODE] = newc; - - return 0; + rc = 0; +out: + return rc; } static int define_ipv6_node_context(void) Modified: trunk/checkpolicy/policy_scan.l =================================================================== --- trunk/checkpolicy/policy_scan.l 2007-11-01 16:51:46 UTC (rev 2664) +++ trunk/checkpolicy/policy_scan.l 2007-11-01 20:14:36 UTC (rev 2665) @@ -31,7 +31,6 @@ static char linebuf[2][255]; static unsigned int lno = 0; int yywarn(char *msg); -static int is_valid_identifier(char *id); char source_file[255]; unsigned long source_lineno = 1; 
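Review bot: The `parse_security_context()` failure path in the rewritten `define_ipv4_node_context()` still reads `free(newc); return -1;`, while every other error in the function now sets `rc = -1` and jumps to `out`; for the cleanup pattern this commit introduces it should be `rc = -1; free(newc); goto out;`. Note also that `rc` holds 1 after a successful `inet_pton()` and is only reset to 0 at the end of the function, so any future `goto out` added between those points must assign `rc` explicitly or the caller will see a non-zero "error". The mask is accepted as any dotted quad `inet_pton()` can parse — a non-contiguous value such as `255.0.255.0` is stored without complaint; that matches the old code, but a one-line comment that masks are not validated here would save the next reader a check. The function's tail (the ordered insert into `ocontexts[OCON_NODE]`) lies in the following hunk.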
@@ -46,8 +45,8 @@ %array letter [A-Za-z] digit [0-9] +alnum [a-zA-Z0-9] hexval [0-9A-Fa-f] -version [0-9]+(\.[A-Za-z0-9_.]*)? %% \n.* { strncpy(linebuf[lno], yytext+1, 255); @@ -199,17 +198,14 @@ H1 { return(H1); } h2 | H2 { return(H2); } -"/"({letter}|{digit}|_|"."|"-"|"/")* { return(PATH); } -{letter}({letter}|{digit}|_|"."|"-")* { if (is_valid_identifier(yytext)) - return(IDENTIFIER); - else - REJECT; - } -{digit}{digit}* { return(NUMBER); } -{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":"|".")* { return(IPV6_ADDR); } -{version}/([ \t\f]*;) { return(VERSION_IDENTIFIER); } +"/"({alnum}|[_.-/])* { return(PATH); } +{letter}({alnum}|[_-])*([.]?({alnum}|[_-]))* { return(IDENTIFIER); } +{digit}+ { return(NUMBER); } +{digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); } +{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); } +{digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); } #line[ ]1[ ]\"[^\n]*\" { source_lineno = 1; strncpy(source_file, yytext+9, 255); source_file[strlen(source_file)-1] = '\0'; } -#line[ ]{digit}{digit}* { source_lineno = atoi(yytext+6)-1; } +#line[ ]{digit}+ { source_lineno = atoi(yytext+6)-1; } #[^\n]* { /* delete comments */ } [ \t\f]+ { /* delete whitespace */ } "==" { return(EQUALS); } @@ -263,17 +259,3 @@ linebuf[0], linebuf[1]); return 0; } - -static int is_valid_identifier(char *id) { - if ((strrchr(id, '.')) != NULL) { - if (strstr(id, "..") != NULL) { - /* identifier has consecutive '.' */ - return 0; - } - if (id[strlen(id) - 1] == '.') { - /* identifier ends in '.' */ - return 0; - } - } - return 1; -} This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
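Review bot: The new `PATH` rule `"/"({alnum}|[_.-/])*` drops `-` from the allowed path characters: inside a flex bracket class `.-/` is a range (from `.` to `/`), so the class contains only `_`, `.` and `/`, whereas the rule it replaces explicitly listed `"-"`. Any path with a hyphen (a genfscon entry like `/lib/ld-linux.so`, for example) will presumably no longer tokenize as `PATH`. Put the hyphen last, as the new `IDENTIFIER` rule already does with `[_-]`: `"/"({alnum}|[_./-])* { return(PATH); }`. Separately, because `IPV4_ADDR` now precedes `VERSION_IDENTIFIER` and flex prefers the earlier rule on equal-length matches, a four-component module version such as `1.2.3.4` lexes as `IPV4_ADDR`; if that form was ever intended the ordering needs a comment and a test.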
From: <ssm...@us...> - 2007-11-01 20:15:50
Revision: 2666 http://selinux.svn.sourceforge.net/selinux/?rev=2666&view=rev Author: ssmalley Date: 2007-11-01 13:15:48 -0700 (Thu, 01 Nov 2007) Log Message: ----------- updated checkpolicy to version 2.0.5 Modified Paths: -------------- trunk/checkpolicy/ChangeLog trunk/checkpolicy/VERSION Modified: trunk/checkpolicy/ChangeLog =================================================================== --- trunk/checkpolicy/ChangeLog 2007-11-01 20:14:36 UTC (rev 2665) +++ trunk/checkpolicy/ChangeLog 2007-11-01 20:15:48 UTC (rev 2666) @@ -1,3 +1,6 @@ +2.0.5 2007-11-01 + * Merged remove use of REJECT and trailing context in lex rules; make ipv4 address parsing like ipv6 from James Carter. + 2.0.4 2007-09-18 * Merged handle unknown policydb flag support from Eric Paris. Adds new command line options -U {allow, reject, deny} for selecting Modified: trunk/checkpolicy/VERSION =================================================================== --- trunk/checkpolicy/VERSION 2007-11-01 20:14:36 UTC (rev 2665) +++ trunk/checkpolicy/VERSION 2007-11-01 20:15:48 UTC (rev 2666) @@ -1 +1 @@ -2.0.4 +2.0.5 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2007-11-15 14:54:09
Revision: 2683 http://selinux.svn.sourceforge.net/selinux/?rev=2683&view=rev Author: ssmalley Date: 2007-11-15 06:53:54 -0800 (Thu, 15 Nov 2007) Log Message: ----------- updated checkpolicy to version 2.0.6 Modified Paths: -------------- trunk/checkpolicy/ChangeLog trunk/checkpolicy/VERSION Modified: trunk/checkpolicy/ChangeLog =================================================================== --- trunk/checkpolicy/ChangeLog 2007-11-15 14:52:12 UTC (rev 2682) +++ trunk/checkpolicy/ChangeLog 2007-11-15 14:53:54 UTC (rev 2683) @@ -1,3 +1,6 @@ +2.0.6 2007-11-15 + * Initialize the source file name from the command line argument so that checkpolicy/checkmodule report something more useful than "unknown source". + 2.0.5 2007-11-01 * Merged remove use of REJECT and trailing context in lex rules; make ipv4 address parsing like ipv6 from James Carter. Modified: trunk/checkpolicy/VERSION =================================================================== --- trunk/checkpolicy/VERSION 2007-11-15 14:52:12 UTC (rev 2682) +++ trunk/checkpolicy/VERSION 2007-11-15 14:53:54 UTC (rev 2683) @@ -1 +1 @@ -2.0.5 +2.0.6 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2007-11-15 16:05:07
Revision: 2682 http://selinux.svn.sourceforge.net/selinux/?rev=2682&view=rev Author: ssmalley Date: 2007-11-15 06:52:12 -0800 (Thu, 15 Nov 2007) Log Message: ----------- Initially set the source file name from the argument so that we don't get unknown source in the common case. Modified Paths: -------------- trunk/checkpolicy/parse_util.c trunk/checkpolicy/policy_scan.l Modified: trunk/checkpolicy/parse_util.c =================================================================== --- trunk/checkpolicy/parse_util.c 2007-11-09 00:45:40 UTC (rev 2681) +++ trunk/checkpolicy/parse_util.c 2007-11-15 14:52:12 UTC (rev 2682) @@ -29,9 +29,9 @@ extern queue_t id_queue; extern unsigned int policydb_errors; extern unsigned long policydb_lineno; -extern char source_file[]; extern policydb_t *policydbp; extern int mlspol; +extern void set_source_file(const char *name); int read_source_policy(policydb_t * p, const char *file, const char *progname) { @@ -40,6 +40,7 @@ fprintf(stderr, "%s: unable to open %s\n", progname, file); return -1; } + set_source_file(file); if ((id_queue = queue_create()) == NULL) { fprintf(stderr, "%s: out of memory!\n", progname); @@ -58,7 +59,7 @@ } rewind(yyin); init_parser(2); - source_file[0] = '\0'; + set_source_file(file); yyrestart(yyin); if (yyparse() || policydb_errors) { fprintf(stderr, Modified: trunk/checkpolicy/policy_scan.l =================================================================== --- trunk/checkpolicy/policy_scan.l 2007-11-09 00:45:40 UTC (rev 2681) +++ trunk/checkpolicy/policy_scan.l 2007-11-15 14:52:12 UTC (rev 2682) @@ -21,6 +21,7 @@ %{ #include <sys/types.h> +#include <limits.h> #include <stdint.h> #include <string.h> @@ -32,7 +33,9 @@ static unsigned int lno = 0; int yywarn(char *msg); -char source_file[255]; +void set_source_file(const char *name); + +char source_file[PATH_MAX]; unsigned long source_lineno = 1; unsigned long policydb_lineno = 1; 
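Review bot: `set_source_file()` is now declared twice by hand — `extern void set_source_file(const char *name);` in parse_util.c and a second prototype in policy_scan.l — with no shared header, so a signature change in one file will not be caught by the compiler in the other. Moving that prototype (together with the `source_file`/`source_lineno` externs the parser already shares) into an existing checkpolicy header would give both translation units a single declaration to agree on. `char source_file[PATH_MAX]` also relies on `<limits.h>` defining `PATH_MAX`, which some platforms do not guarantee; an `#ifndef PATH_MAX` fallback would keep the build portable.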
@@ -204,7 +207,7 @@ {digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); } {hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); } {digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); } -#line[ ]1[ ]\"[^\n]*\" { source_lineno = 1; strncpy(source_file, yytext+9, 255); source_file[strlen(source_file)-1] = '\0'; } +#line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); } #line[ ]{digit}+ { source_lineno = atoi(yytext+6)-1; } #[^\n]* { /* delete comments */ } [ \t\f]+ { /* delete whitespace */ } @@ -259,3 +262,10 @@ linebuf[0], linebuf[1]); return 0; } + +void set_source_file(const char *name) +{ + source_lineno = 1; + strncpy(source_file, name, sizeof(source_file)-1); + source_file[sizeof(source_file)-1] = '\0'; +} This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
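Review bot: The rewritten `#line 1 "..."` rule loses the quote stripping the old action performed: `yytext+9` skips `#line 1 "`, but the pattern also matched the closing quote, and the new `set_source_file()` only bounds and NUL-terminates the copy, so `source_file` now ends in a literal `"` and every subsequent error message will print it. Strip it inside `set_source_file()` after the copy: `size_t len = strlen(source_file); if (len && source_file[len-1] == '"') source_file[len-1] = '\0';`. The `strncpy` with `sizeof(source_file)-1` plus the explicit terminator is correct as written, though `snprintf(source_file, sizeof(source_file), "%s", name)` expresses the same bounded copy in one line.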
From: <mil...@us...> - 2008-01-02 21:41:53
Revision: 2717 http://selinux.svn.sourceforge.net/selinux/?rev=2717&view=rev Author: millertc Date: 2008-01-02 13:41:51 -0800 (Wed, 02 Jan 2008) Log Message: ----------- updated checkpolicy to version 2.0.7 Modified Paths: -------------- trunk/checkpolicy/ChangeLog trunk/checkpolicy/VERSION Modified: trunk/checkpolicy/ChangeLog =================================================================== --- trunk/checkpolicy/ChangeLog 2008-01-02 21:40:28 UTC (rev 2716) +++ trunk/checkpolicy/ChangeLog 2008-01-02 21:41:51 UTC (rev 2717) @@ -1,3 +1,6 @@ +2.0.7 2008-01-02 + * Added support for policy capabilities from Todd Miller. + 2.0.6 2007-11-15 * Initialize the source file name from the command line argument so that checkpolicy/checkmodule report something more useful than "unknown source". Modified: trunk/checkpolicy/VERSION =================================================================== --- trunk/checkpolicy/VERSION 2008-01-02 21:40:28 UTC (rev 2716) +++ trunk/checkpolicy/VERSION 2008-01-02 21:41:51 UTC (rev 2717) @@ -1 +1 @@ -2.0.6 +2.0.7 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <mil...@us...> - 2008-01-08 16:12:11
Revision: 2719 http://selinux.svn.sourceforge.net/selinux/?rev=2719&view=rev Author: millertc Date: 2008-01-08 08:12:09 -0800 (Tue, 08 Jan 2008) Log Message: ----------- Subject: quiet checkpolicy warnings Fix shadowed variable in dispol/dismod Use bison instead of yacc to avoid an unused label warning. Signed-off-by: Todd C. Miller <tm...@tr...> Acked-by: Stephen Smalley <sd...@ty...> Modified Paths: -------------- trunk/checkpolicy/Makefile trunk/checkpolicy/test/dismod.c trunk/checkpolicy/test/dispol.c Modified: trunk/checkpolicy/Makefile =================================================================== --- trunk/checkpolicy/Makefile 2008-01-03 15:24:01 UTC (rev 2718) +++ trunk/checkpolicy/Makefile 2008-01-08 16:12:09 UTC (rev 2719) @@ -8,6 +8,8 @@ INCLUDEDIR ?= $(PREFIX)/include TARGETS = checkpolicy checkmodule +YACC = bison -y + CFLAGS ?= -g -Wall -O2 -pipe -fno-strict-aliasing override CFLAGS += -I. -I${INCLUDEDIR} Modified: trunk/checkpolicy/test/dismod.c =================================================================== --- trunk/checkpolicy/test/dismod.c 2008-01-03 15:24:01 UTC (rev 2718) +++ trunk/checkpolicy/test/dismod.c 2008-01-08 16:12:09 UTC (rev 2719) 
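Review bot: `YACC = bison -y` is a plain assignment while the neighbouring `INCLUDEDIR ?=` and `CFLAGS ?=` in the same hunk use `?=`, so a packager who exports `YACC=byacc` in the environment is silently overridden (only a command-line `make YACC=...` still wins). If the intent is merely a better default than the implicit `yacc`, write it as `YACC ?= bison -y` to match the file's convention.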
@@ -666,13 +666,13 @@ return 0; } -int display_handle_unknown(policydb_t * policydb, FILE * out_fp) +int display_handle_unknown(policydb_t * p, FILE * out_fp) { - if (policydb->handle_unknown == ALLOW_UNKNOWN) + if (p->handle_unknown == ALLOW_UNKNOWN) fprintf(out_fp, "Allow unknown classes and perms\n"); - else if (policydb->handle_unknown == DENY_UNKNOWN) + else if (p->handle_unknown == DENY_UNKNOWN) fprintf(out_fp, "Deny unknown classes and perms\n"); - else if (policydb->handle_unknown == REJECT_UNKNOWN) + else if (p->handle_unknown == REJECT_UNKNOWN) fprintf(out_fp, "Reject unknown classes and perms\n"); return 0; } Modified: trunk/checkpolicy/test/dispol.c =================================================================== --- trunk/checkpolicy/test/dispol.c 2008-01-03 15:24:01 UTC (rev 2718) +++ trunk/checkpolicy/test/dispol.c 2008-01-08 16:12:09 UTC (rev 2719) @@ -274,13 +274,13 @@ return 1; } -int display_handle_unknown(policydb_t * policydb, FILE * out_fp) +int display_handle_unknown(policydb_t * p, FILE * out_fp) { - if (policydb->handle_unknown == ALLOW_UNKNOWN) + if (p->handle_unknown == ALLOW_UNKNOWN) fprintf(out_fp, "Allow unknown classes and permisions\n"); - else if (policydb->handle_unknown == DENY_UNKNOWN) + else if (p->handle_unknown == DENY_UNKNOWN) fprintf(out_fp, "Deny unknown classes and permisions\n"); - else if (policydb->handle_unknown == REJECT_UNKNOWN) + else if (p->handle_unknown == REJECT_UNKNOWN) fprintf(out_fp, "Reject unknown classes and permisions\n"); return 0; } This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <mad...@us...> - 2008-01-24 20:43:56
Revision: 2757 http://selinux.svn.sourceforge.net/selinux/?rev=2757&view=rev Author: madmethod Date: 2008-01-24 12:43:51 -0800 (Thu, 24 Jan 2008) Log Message: ----------- update checkpolicy to 2.0.8 Modified Paths: -------------- trunk/checkpolicy/ChangeLog trunk/checkpolicy/VERSION Modified: trunk/checkpolicy/ChangeLog =================================================================== --- trunk/checkpolicy/ChangeLog 2008-01-24 20:42:54 UTC (rev 2756) +++ trunk/checkpolicy/ChangeLog 2008-01-24 20:43:51 UTC (rev 2757) @@ -1,3 +1,6 @@ +2.0.8 2008-01-24 + * Deprecate role dominance in parser. + 2.0.7 2008-01-02 * Added support for policy capabilities from Todd Miller. Modified: trunk/checkpolicy/VERSION =================================================================== --- trunk/checkpolicy/VERSION 2008-01-24 20:42:54 UTC (rev 2756) +++ trunk/checkpolicy/VERSION 2008-01-24 20:43:51 UTC (rev 2757) @@ -1 +1 @@ -2.0.7 +2.0.8 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2008-02-04 15:26:39
Revision: 2779 http://selinux.svn.sourceforge.net/selinux/?rev=2779&view=rev Author: ssmalley Date: 2008-02-04 07:26:35 -0800 (Mon, 04 Feb 2008) Log Message: ----------- updated checkpolicy to version 2.0.9 Modified Paths: -------------- trunk/checkpolicy/ChangeLog trunk/checkpolicy/VERSION Modified: trunk/checkpolicy/ChangeLog =================================================================== --- trunk/checkpolicy/ChangeLog 2008-02-04 15:25:47 UTC (rev 2778) +++ trunk/checkpolicy/ChangeLog 2008-02-04 15:26:35 UTC (rev 2779) @@ -1,3 +1,6 @@ +2.0.9 2008-02-04 + * Update dispol for libsepol avtab changes from Stephen Smalley. + 2.0.8 2008-01-24 * Deprecate role dominance in parser. Modified: trunk/checkpolicy/VERSION =================================================================== --- trunk/checkpolicy/VERSION 2008-02-04 15:25:47 UTC (rev 2778) +++ trunk/checkpolicy/VERSION 2008-02-04 15:26:35 UTC (rev 2779) @@ -1 +1 @@ -2.0.8 +2.0.9 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <mil...@us...> - 2008-02-28 15:40:10
Revision: 2820 http://selinux.svn.sourceforge.net/selinux/?rev=2820&view=rev Author: millertc Date: 2008-02-28 07:40:04 -0800 (Thu, 28 Feb 2008) Log Message: ----------- updated checkpolicy to version 2.0.10 Modified Paths: -------------- trunk/checkpolicy/ChangeLog trunk/checkpolicy/VERSION Modified: trunk/checkpolicy/ChangeLog =================================================================== --- trunk/checkpolicy/ChangeLog 2008-02-28 15:38:39 UTC (rev 2819) +++ trunk/checkpolicy/ChangeLog 2008-02-28 15:40:04 UTC (rev 2820) @@ -1,3 +1,6 @@ +2.0.10 2008-02-28 + * Use yyerror2() where appropriate from Todd C. Miller. + 2.0.9 2008-02-04 * Update dispol for libsepol avtab changes from Stephen Smalley. Modified: trunk/checkpolicy/VERSION =================================================================== --- trunk/checkpolicy/VERSION 2008-02-28 15:38:39 UTC (rev 2819) +++ trunk/checkpolicy/VERSION 2008-02-28 15:40:04 UTC (rev 2820) @@ -1 +1 @@ -2.0.9 +2.0.10 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <mil...@us...> - 2008-03-03 21:06:25
Revision: 2829 http://selinux.svn.sourceforge.net/selinux/?rev=2829&view=rev Author: millertc Date: 2008-03-03 13:06:20 -0800 (Mon, 03 Mar 2008) Log Message: ----------- Author: Todd C. Miller <tm...@tr...> Date: Monday, March 03, 2008 1:21 PM Subject: PATH: minor checkpolicy cleanup Minor checkpolicy cleanup. Remove the unused DEBUG define, move handle_unknown to checkpolicy.c and checkmodule.c since it is not used in policy_parse.y. Also change COND_ERR to be (avrule_t *)-1 since that is guaranteed to not be a valid address. This is in preparation for a much larger diff. Signed-off-by: Todd C. Miller <tm...@tr...> Acked-by: Stephen Smalley <sd...@ty...> checkmodule.c | 2 +- checkpolicy.c | 2 +- policy_parse.y | 6 +----- 3 files changed, 3 insertions(+), 7 deletions(-) Modified Paths: -------------- trunk/checkpolicy/checkmodule.c trunk/checkpolicy/checkpolicy.c trunk/checkpolicy/policy_parse.y Modified: trunk/checkpolicy/checkmodule.c =================================================================== --- trunk/checkpolicy/checkmodule.c 2008-02-29 06:46:18 UTC (rev 2828) +++ trunk/checkpolicy/checkmodule.c 2008-03-03 21:06:20 UTC (rev 2829) @@ -39,8 +39,8 @@ static sidtab_t sidtab; extern int mlspol; -extern int handle_unknown; +static int handle_unknown = SEPOL_DENY_UNKNOWN; static char *txtfile = "policy.conf"; static char *binfile = "policy"; Modified: trunk/checkpolicy/checkpolicy.c =================================================================== --- trunk/checkpolicy/checkpolicy.c 2008-02-29 06:46:18 UTC (rev 2828) +++ trunk/checkpolicy/checkpolicy.c 2008-03-03 21:06:20 UTC (rev 2829) 
@@ -90,8 +90,8 @@ extern policydb_t *policydbp; extern int mlspol; -extern int handle_unknown; +static int handle_unknown = SEPOL_DENY_UNKNOWN; static char *txtfile = "policy.conf"; static char *binfile = "policy"; Modified: trunk/checkpolicy/policy_parse.y =================================================================== --- trunk/checkpolicy/policy_parse.y 2008-02-29 06:46:18 UTC (rev 2828) +++ trunk/checkpolicy/policy_parse.y 2008-03-03 21:06:20 UTC (rev 2829) @@ -57,8 +57,7 @@ * when we have a parse error for a conditional rule. We can't check * for NULL (ie 0) because that is a potentially valid return. */ -static avrule_t *conditional_unused_error_code; -#define COND_ERR (avrule_t *)&conditional_unused_error_code +#define COND_ERR (avrule_t *)-1 #define TRUE 1 #define FALSE 0 @@ -68,7 +67,6 @@ static unsigned int pass; char *curfile = 0; int mlspol = 0; -int handle_unknown = 0; extern unsigned long policydb_lineno; extern unsigned long source_lineno; @@ -860,8 +858,6 @@ va_end(ap); } -#define DEBUG 1 - static int insert_separator(int push) { int error; This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
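Review bot: `#define COND_ERR (avrule_t *)-1` is not "guaranteed" to be an invalid address as the commit message claims: converting -1 to a pointer is implementation-defined in C, and the comparison is only meaningful because no allocator on the supported platforms ever returns that value. The removed form (the address of a file-scope static) was the strictly conforming way to obtain a sentinel that can never alias a real `avrule_t`. If the simpler constant is kept, extend the comment above it so the assumption is explicit, e.g. `/* (avrule_t *)-1 relies on the implementation never handing out that address; it is compared, never dereferenced */`. The macro should also be parenthesised, `#define COND_ERR ((avrule_t *)-1)`, so it survives use inside a larger expression.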
From: <mil...@us...> - 2008-03-03 21:08:16
Revision: 2830 http://selinux.svn.sourceforge.net/selinux/?rev=2830&view=rev Author: millertc Date: 2008-03-03 13:08:14 -0800 (Mon, 03 Mar 2008) Log Message: ----------- updated checkpolicy to version 2.0.11 Modified Paths: -------------- trunk/checkpolicy/ChangeLog trunk/checkpolicy/VERSION Modified: trunk/checkpolicy/ChangeLog =================================================================== --- trunk/checkpolicy/ChangeLog 2008-03-03 21:06:20 UTC (rev 2829) +++ trunk/checkpolicy/ChangeLog 2008-03-03 21:08:14 UTC (rev 2830) @@ -1,3 +1,6 @@ +2.0.11 2008-03-03 + * Remove unused define, move variable out of .y file, simplify COND_ERR, from Todd C. Miller. + 2.0.10 2008-02-28 * Use yyerror2() where appropriate from Todd C. Miller. Modified: trunk/checkpolicy/VERSION =================================================================== --- trunk/checkpolicy/VERSION 2008-03-03 21:06:20 UTC (rev 2829) +++ trunk/checkpolicy/VERSION 2008-03-03 21:08:14 UTC (rev 2830) @@ -1 +1 @@ -2.0.10 +2.0.11 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <mil...@us...> - 2008-03-04 17:30:45
Revision: 2832 http://selinux.svn.sourceforge.net/selinux/?rev=2832&view=rev Author: millertc Date: 2008-03-04 09:30:39 -0800 (Tue, 04 Mar 2008) Log Message: ----------- updated checkpolicy to version 2.0.12 Modified Paths: -------------- trunk/checkpolicy/ChangeLog trunk/checkpolicy/VERSION Modified: trunk/checkpolicy/ChangeLog =================================================================== --- trunk/checkpolicy/ChangeLog 2008-03-04 17:29:33 UTC (rev 2831) +++ trunk/checkpolicy/ChangeLog 2008-03-04 17:30:39 UTC (rev 2832) @@ -1,3 +1,6 @@ +2.0.12 2008-03-04 + * Initialize struct policy_file before using it, from Todd C. Miller. + 2.0.11 2008-03-03 * Remove unused define, move variable out of .y file, simplify COND_ERR, from Todd C. Miller. Modified: trunk/checkpolicy/VERSION =================================================================== --- trunk/checkpolicy/VERSION 2008-03-04 17:29:33 UTC (rev 2831) +++ trunk/checkpolicy/VERSION 2008-03-04 17:30:39 UTC (rev 2832) @@ -1 +1 @@ -2.0.11 +2.0.12 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <mil...@us...> - 2008-03-05 14:45:22
Revision: 2841 http://selinux.svn.sourceforge.net/selinux/?rev=2841&view=rev Author: millertc Date: 2008-03-05 06:45:21 -0800 (Wed, 05 Mar 2008) Log Message: ----------- The changes are purely mechanical. Everything but the yacc rules has been moved from policy_parse.c into policy_define.c and policy_define.h. This allows us to retain strict error checking (-Werror) on the SELinux toolchain without our being tripped up by generated (yacc/bison) code. Signed-off-by: Todd C. Miller <tm...@tr...> Acked-by: Stephen Smalley <sd...@ty...> Modified Paths: -------------- trunk/checkpolicy/Makefile trunk/checkpolicy/policy_parse.y Added Paths: ----------- trunk/checkpolicy/policy_define.c trunk/checkpolicy/policy_define.h Modified: trunk/checkpolicy/Makefile =================================================================== --- trunk/checkpolicy/Makefile 2008-03-05 12:50:37 UTC (rev 2840) +++ trunk/checkpolicy/Makefile 2008-03-05 14:45:21 UTC (rev 2841) @@ -14,7 +14,8 @@ override CFLAGS += -I. -I${INCLUDEDIR} -CHECKOBJS = y.tab.o lex.yy.o queue.o module_compiler.o parse_util.o +CHECKOBJS = y.tab.o lex.yy.o queue.o module_compiler.o parse_util.o \ + policy_define.o CHECKPOLOBJS = $(CHECKOBJS) checkpolicy.o CHECKMODOBJS = $(CHECKOBJS) checkmodule.o Added: trunk/checkpolicy/policy_define.c =================================================================== --- trunk/checkpolicy/policy_define.c (rev 0) +++ trunk/checkpolicy/policy_define.c 2008-03-05 14:45:21 UTC (rev 2841) 
@@ -0,0 +1,3831 @@ +/* + * Author : Stephen Smalley, <sd...@ep...> + */ + +/* + * Updated: Trusted Computer Solutions, Inc. <dgo...@tr...> + * + * Support for enhanced MLS infrastructure. + * + * Updated: David Caplan, <da...@tr...> + * + * Added conditional policy language extensions + * + * Updated: Joshua Brindle <jbr...@tr...> + * Karl MacMillan <kma...@me...> + * Jason Tang <jt...@tr...> + * + * Added support for binary policy modules + * + * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. + * Copyright (C) 2003 - 2008 Tresys Technology, LLC + * Copyright (C) 2007 Red Hat Inc. + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, version 2. + */ + +/* FLASK */ + +#include <sys/types.h> +#include <assert.h> +#include <stdarg.h> +#include <stdint.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <sys/socket.h> +#include <netinet/in.h> +#include <arpa/inet.h> +#include <stdlib.h> + +#include <sepol/policydb/expand.h> +#include <sepol/policydb/policydb.h> +#include <sepol/policydb/services.h> +#include <sepol/policydb/conditional.h> +#include <sepol/policydb/flask.h> +#include <sepol/policydb/hierarchy.h> +#include <sepol/policydb/polcaps.h> +#include "queue.h" +#include "checkpolicy.h" +#include "module_compiler.h" +#include "policy_define.h" + +policydb_t *policydbp; +queue_t id_queue = 0; +unsigned int pass; +char *curfile = 0; +int mlspol = 0; + +extern unsigned long policydb_lineno; +extern unsigned long source_lineno; +extern unsigned int policydb_errors; + +extern int yywarn(char *msg); +extern int yyerror(char *msg); + +#define ERRORMSG_LEN 255 +static char errormsg[ERRORMSG_LEN + 1] = {0}; + +static int id_has_dot(char *id); +static int parse_security_context(context_struct_t *c); + +/* initialize all of the state variables for the scanner/parser */ +void init_parser(int pass_number) +{ + 
policydb_lineno = 1; + source_lineno = 1; + policydb_errors = 0; + pass = pass_number; +} + +void yyerror2(char *fmt, ...) +{ + va_list ap; + va_start(ap, fmt); + vsnprintf(errormsg, ERRORMSG_LEN, fmt, ap); + yyerror(errormsg); + va_end(ap); +} + +int insert_separator(int push) +{ + int error; + + if (push) + error = queue_push(id_queue, 0); + else + error = queue_insert(id_queue, 0); + + if (error) { + yyerror("queue overflow"); + return -1; + } + return 0; +} + +int insert_id(char *id, int push) +{ + char *newid = 0; + int error; + + newid = (char *)malloc(strlen(id) + 1); + if (!newid) { + yyerror("out of memory"); + return -1; + } + strcpy(newid, id); + if (push) + error = queue_push(id_queue, (queue_element_t) newid); + else + error = queue_insert(id_queue, (queue_element_t) newid); + + if (error) { + yyerror("queue overflow"); + free(newid); + return -1; + } + return 0; +} + +/* If the identifier has a dot within it and that its first character + is not a dot then return 1, else return 0. 
*/ +static int id_has_dot(char *id) +{ + if (strchr(id, '.') >= id + 1) { + return 1; + } + return 0; +} + +int define_class(void) +{ + char *id = 0; + class_datum_t *datum = 0; + int ret; + uint32_t value; + + if (pass == 2) { + id = queue_remove(id_queue); + free(id); + return 0; + } + + id = (char *)queue_remove(id_queue); + if (!id) { + yyerror("no class name for class definition?"); + return -1; + } + datum = (class_datum_t *) malloc(sizeof(class_datum_t)); + if (!datum) { + yyerror("out of memory"); + goto bad; + } + memset(datum, 0, sizeof(class_datum_t)); + ret = declare_symbol(SYM_CLASSES, id, datum, &value, &value); + switch (ret) { + case -3:{ + yyerror("Out of memory!"); + goto bad; + } + case -2:{ + yyerror2("duplicate declaration of class %s", id); + goto bad; + } + case -1:{ + yyerror("could not declare class here"); + goto bad; + } + case 0: + case 1:{ + break; + } + default:{ + assert(0); /* should never get here */ + } + } + datum->s.value = value; + return 0; + + bad: + if (id) + free(id); + if (datum) + free(datum); + return -1; +} + +int define_polcap(void) +{ + char *id = 0; + int capnum; + + if (pass == 2) { + id = queue_remove(id_queue); + free(id); + return 0; + } + + id = (char *)queue_remove(id_queue); + if (!id) { + yyerror("no capability name for policycap definition?"); + goto bad; + } + + /* Check for valid cap name -> number mapping */ + capnum = sepol_polcap_getnum(id); + if (capnum < 0) { + yyerror2("invalid policy capability name %s", id); + goto bad; + } + + /* Store it */ + if (ebitmap_set_bit(&policydbp->policycaps, capnum, TRUE)) { + yyerror("out of memory"); + goto bad; + } + + free(id); + return 0; + + bad: + free(id); + return -1; +} + +int define_initial_sid(void) +{ + char *id = 0; + ocontext_t *newc = 0, *c, *head; + + if (pass == 2) { + id = queue_remove(id_queue); + free(id); + return 0; + } + + id = (char *)queue_remove(id_queue); + if (!id) { + yyerror("no sid name for SID definition?"); + return -1; + } + newc = 
(ocontext_t *) malloc(sizeof(ocontext_t)); + if (!newc) { + yyerror("out of memory"); + goto bad; + } + memset(newc, 0, sizeof(ocontext_t)); + newc->u.name = id; + context_init(&newc->context[0]); + head = policydbp->ocontexts[OCON_ISID]; + + for (c = head; c; c = c->next) { + if (!strcmp(newc->u.name, c->u.name)) { + yyerror2("duplicate initial SID %s", id); + goto bad; + } + } + + if (head) { + newc->sid[0] = head->sid[0] + 1; + } else { + newc->sid[0] = 1; + } + newc->next = head; + policydbp->ocontexts[OCON_ISID] = newc; + + return 0; + + bad: + if (id) + free(id); + if (newc) + free(newc); + return -1; +} + +int define_common_perms(void) +{ + char *id = 0, *perm = 0; + common_datum_t *comdatum = 0; + perm_datum_t *perdatum = 0; + int ret; + + if (pass == 2) { + while ((id = queue_remove(id_queue))) + free(id); + return 0; + } + + id = (char *)queue_remove(id_queue); + if (!id) { + yyerror("no common name for common perm definition?"); + return -1; + } + comdatum = hashtab_search(policydbp->p_commons.table, id); + if (comdatum) { + yyerror2("duplicate declaration for common %s\n", id); + return -1; + } + comdatum = (common_datum_t *) malloc(sizeof(common_datum_t)); + if (!comdatum) { + yyerror("out of memory"); + goto bad; + } + memset(comdatum, 0, sizeof(common_datum_t)); + ret = hashtab_insert(policydbp->p_commons.table, + (hashtab_key_t) id, (hashtab_datum_t) comdatum); + + if (ret == SEPOL_EEXIST) { + yyerror("duplicate common definition"); + goto bad; + } + if (ret == SEPOL_ENOMEM) { + yyerror("hash table overflow"); + goto bad; + } + comdatum->s.value = policydbp->p_commons.nprim + 1; + if (symtab_init(&comdatum->permissions, PERM_SYMTAB_SIZE)) { + yyerror("out of memory"); + goto bad; + } + policydbp->p_commons.nprim++; + while ((perm = queue_remove(id_queue))) { + perdatum = (perm_datum_t *) malloc(sizeof(perm_datum_t)); + if (!perdatum) { + yyerror("out of memory"); + goto bad_perm; + } + memset(perdatum, 0, sizeof(perm_datum_t)); + perdatum->s.value = 
comdatum->permissions.nprim + 1; + + if (perdatum->s.value > (sizeof(sepol_access_vector_t) * 8)) { + yyerror + ("too many permissions to fit in an access vector"); + goto bad_perm; + } + ret = hashtab_insert(comdatum->permissions.table, + (hashtab_key_t) perm, + (hashtab_datum_t) perdatum); + + if (ret == SEPOL_EEXIST) { + yyerror2("duplicate permission %s in common %s", perm, + id); + goto bad_perm; + } + if (ret == SEPOL_ENOMEM) { + yyerror("hash table overflow"); + goto bad_perm; + } + comdatum->permissions.nprim++; + } + + return 0; + + bad: + if (id) + free(id); + if (comdatum) + free(comdatum); + return -1; + + bad_perm: + if (perm) + free(perm); + if (perdatum) + free(perdatum); + return -1; +} + +int define_av_perms(int inherits) +{ + char *id; + class_datum_t *cladatum; + common_datum_t *comdatum; + perm_datum_t *perdatum = 0, *perdatum2 = 0; + int ret; + + if (pass == 2) { + while ((id = queue_remove(id_queue))) + free(id); + return 0; + } + + id = (char *)queue_remove(id_queue); + if (!id) { + yyerror("no tclass name for av perm definition?"); + return -1; + } + cladatum = (class_datum_t *) hashtab_search(policydbp->p_classes.table, + (hashtab_key_t) id); + if (!cladatum) { + yyerror2("class %s is not defined", id); + goto bad; + } + free(id); + + if (cladatum->comdatum || cladatum->permissions.nprim) { + yyerror("duplicate access vector definition"); + return -1; + } + if (symtab_init(&cladatum->permissions, PERM_SYMTAB_SIZE)) { + yyerror("out of memory"); + return -1; + } + if (inherits) { + id = (char *)queue_remove(id_queue); + if (!id) { + yyerror + ("no inherits name for access vector definition?"); + return -1; + } + comdatum = + (common_datum_t *) hashtab_search(policydbp->p_commons. + table, + (hashtab_key_t) id); + + if (!comdatum) { + yyerror2("common %s is not defined", id); + goto bad; + } + cladatum->comkey = id; + cladatum->comdatum = comdatum; + + /* + * Class-specific permissions start with values + * after the last common permission. 
+ */ + cladatum->permissions.nprim += comdatum->permissions.nprim; + } + while ((id = queue_remove(id_queue))) { + perdatum = (perm_datum_t *) malloc(sizeof(perm_datum_t)); + if (!perdatum) { + yyerror("out of memory"); + goto bad; + } + memset(perdatum, 0, sizeof(perm_datum_t)); + perdatum->s.value = ++cladatum->permissions.nprim; + + if (perdatum->s.value > (sizeof(sepol_access_vector_t) * 8)) { + yyerror + ("too many permissions to fit in an access vector"); + goto bad; + } + if (inherits) { + /* + * Class-specific permissions and + * common permissions exist in the same + * name space. + */ + perdatum2 = + (perm_datum_t *) hashtab_search(cladatum->comdatum-> + permissions.table, + (hashtab_key_t) id); + if (perdatum2) { + yyerror2("permission %s conflicts with an " + "inherited permission", id); + goto bad; + } + } + ret = hashtab_insert(cladatum->permissions.table, + (hashtab_key_t) id, + (hashtab_datum_t) perdatum); + + if (ret == SEPOL_EEXIST) { + yyerror2("duplicate permission %s", id); + goto bad; + } + if (ret == SEPOL_ENOMEM) { + yyerror("hash table overflow"); + goto bad; + } + if (add_perm_to_class(perdatum->s.value, cladatum->s.value)) { + yyerror("out of memory"); + goto bad; + } + } + + return 0; + + bad: + if (id) + free(id); + if (perdatum) + free(perdatum); + return -1; +} + +int define_sens(void) +{ + char *id; + mls_level_t *level = 0; + level_datum_t *datum = 0, *aliasdatum = 0; + int ret; + uint32_t value; /* dummy variable -- its value is never used */ + + if (!mlspol) { + yyerror("sensitivity definition in non-MLS configuration"); + return -1; + } + + if (pass == 2) { + while ((id = queue_remove(id_queue))) + free(id); + return 0; + } + + id = (char *)queue_remove(id_queue); + if (!id) { + yyerror("no sensitivity name for sensitivity definition?"); + return -1; + } + if (id_has_dot(id)) { + yyerror("sensitivity identifiers may not contain periods"); + goto bad; + } + level = (mls_level_t *) malloc(sizeof(mls_level_t)); + if (!level) { + 
yyerror("out of memory"); + goto bad; + } + mls_level_init(level); + level->sens = 0; /* actual value set in define_dominance */ + ebitmap_init(&level->cat); /* actual value set in define_level */ + + datum = (level_datum_t *) malloc(sizeof(level_datum_t)); + if (!datum) { + yyerror("out of memory"); + goto bad; + } + level_datum_init(datum); + datum->isalias = FALSE; + datum->level = level; + + ret = declare_symbol(SYM_LEVELS, id, datum, &value, &value); + switch (ret) { + case -3:{ + yyerror("Out of memory!"); + goto bad; + } + case -2:{ + yyerror("duplicate declaration of sensitivity level"); + goto bad; + } + case -1:{ + yyerror("could not declare sensitivity level here"); + goto bad; + } + case 0: + case 1:{ + break; + } + default:{ + assert(0); /* should never get here */ + } + } + + while ((id = queue_remove(id_queue))) { + if (id_has_dot(id)) { + yyerror("sensitivity aliases may not contain periods"); + goto bad_alias; + } + aliasdatum = (level_datum_t *) malloc(sizeof(level_datum_t)); + if (!aliasdatum) { + yyerror("out of memory"); + goto bad_alias; + } + level_datum_init(aliasdatum); + aliasdatum->isalias = TRUE; + aliasdatum->level = level; + + ret = declare_symbol(SYM_LEVELS, id, aliasdatum, NULL, &value); + switch (ret) { + case -3:{ + yyerror("Out of memory!"); + goto bad_alias; + } + case -2:{ + yyerror + ("duplicate declaration of sensitivity alias"); + goto bad_alias; + } + case -1:{ + yyerror + ("could not declare sensitivity alias here"); + goto bad_alias; + } + case 0: + case 1:{ + break; + } + default:{ + assert(0); /* should never get here */ + } + } + } + + return 0; + + bad: + if (id) + free(id); + if (level) + free(level); + if (datum) { + level_datum_destroy(datum); + free(datum); + } + return -1; + + bad_alias: + if (id) + free(id); + if (aliasdatum) { + level_datum_destroy(aliasdatum); + free(aliasdatum); + } + return -1; +} + +int define_dominance(void) +{ + level_datum_t *datum; + int order; + char *id; + + if (!mlspol) { + 
yyerror("dominance definition in non-MLS configuration"); + return -1; + } + + if (pass == 2) { + while ((id = queue_remove(id_queue))) + free(id); + return 0; + } + + order = 0; + while ((id = (char *)queue_remove(id_queue))) { + datum = + (level_datum_t *) hashtab_search(policydbp->p_levels.table, + (hashtab_key_t) id); + if (!datum) { + yyerror2("unknown sensitivity %s used in dominance " + "definition", id); + free(id); + return -1; + } + if (datum->level->sens != 0) { + yyerror2("sensitivity %s occurs multiply in dominance " + "definition", id); + free(id); + return -1; + } + datum->level->sens = ++order; + + /* no need to keep sensitivity name */ + free(id); + } + + if (order != policydbp->p_levels.nprim) { + yyerror + ("all sensitivities must be specified in dominance definition"); + return -1; + } + return 0; +} + +int define_category(void) +{ + char *id; + cat_datum_t *datum = 0, *aliasdatum = 0; + int ret; + uint32_t value; + + if (!mlspol) { + yyerror("category definition in non-MLS configuration"); + return -1; + } + + if (pass == 2) { + while ((id = queue_remove(id_queue))) + free(id); + return 0; + } + + id = (char *)queue_remove(id_queue); + if (!id) { + yyerror("no category name for category definition?"); + return -1; + } + if (id_has_dot(id)) { + yyerror("category identifiers may not contain periods"); + goto bad; + } + datum = (cat_datum_t *) malloc(sizeof(cat_datum_t)); + if (!datum) { + yyerror("out of memory"); + goto bad; + } + cat_datum_init(datum); + datum->isalias = FALSE; + + ret = declare_symbol(SYM_CATS, id, datum, &value, &value); + switch (ret) { + case -3:{ + yyerror("Out of memory!"); + goto bad; + } + case -2:{ + yyerror("duplicate declaration of category"); + goto bad; + } + case -1:{ + yyerror("could not declare category here"); + goto bad; + } + case 0: + case 1:{ + break; + } + default:{ + assert(0); /* should never get here */ + } + } + datum->s.value = value; + + while ((id = queue_remove(id_queue))) { + if (id_has_dot(id)) { 
+ yyerror("category aliases may not contain periods"); + goto bad_alias; + } + aliasdatum = (cat_datum_t *) malloc(sizeof(cat_datum_t)); + if (!aliasdatum) { + yyerror("out of memory"); + goto bad_alias; + } + cat_datum_init(aliasdatum); + aliasdatum->isalias = TRUE; + aliasdatum->s.value = datum->s.value; + + ret = + declare_symbol(SYM_CATS, id, aliasdatum, NULL, + &datum->s.value); + switch (ret) { + case -3:{ + yyerror("Out of memory!"); + goto bad_alias; + } + case -2:{ + yyerror + ("duplicate declaration of category aliases"); + goto bad_alias; + } + case -1:{ + yyerror + ("could not declare category aliases here"); + goto bad_alias; + } + case 0: + case 1:{ + break; + } + default:{ + assert(0); /* should never get here */ + } + } + } + + return 0; + + bad: + if (id) + free(id); + if (datum) { + cat_datum_destroy(datum); + free(datum); + } + return -1; + + bad_alias: + if (id) + free(id); + if (aliasdatum) { + cat_datum_destroy(aliasdatum); + free(aliasdatum); + } + return -1; +} + +static int clone_level(hashtab_key_t key, hashtab_datum_t datum, void *arg) +{ + level_datum_t *levdatum = (level_datum_t *) datum; + mls_level_t *level = (mls_level_t *) arg, *newlevel; + + if (levdatum->level == level) { + levdatum->defined = 1; + if (!levdatum->isalias) + return 0; + newlevel = (mls_level_t *) malloc(sizeof(mls_level_t)); + if (!newlevel) + return -1; + if (mls_level_cpy(newlevel, level)) { + free(newlevel); + return -1; + } + levdatum->level = newlevel; + } + return 0; +} + +int define_level(void) +{ + char *id; + level_datum_t *levdatum; + + if (!mlspol) { + yyerror("level definition in non-MLS configuration"); + return -1; + } + + if (pass == 2) { + while ((id = queue_remove(id_queue))) + free(id); + return 0; + } + + id = (char *)queue_remove(id_queue); + if (!id) { + yyerror("no level name for level definition?"); + return -1; + } + levdatum = (level_datum_t *) hashtab_search(policydbp->p_levels.table, + (hashtab_key_t) id); + if (!levdatum) { + 
yyerror2("unknown sensitivity %s used in level definition", id); + free(id); + return -1; + } + if (ebitmap_length(&levdatum->level->cat)) { + yyerror2("sensitivity %s used in multiple level definitions", + id); + free(id); + return -1; + } + free(id); + + levdatum->defined = 1; + + while ((id = queue_remove(id_queue))) { + cat_datum_t *cdatum; + int range_start, range_end, i; + + if (id_has_dot(id)) { + char *id_start = id; + char *id_end = strchr(id, '.'); + + *(id_end++) = '\0'; + + cdatum = + (cat_datum_t *) hashtab_search(policydbp->p_cats. + table, + (hashtab_key_t) + id_start); + if (!cdatum) { + yyerror2("unknown category %s", id_start); + free(id); + return -1; + } + range_start = cdatum->s.value - 1; + cdatum = + (cat_datum_t *) hashtab_search(policydbp->p_cats. + table, + (hashtab_key_t) + id_end); + if (!cdatum) { + yyerror2("unknown category %s", id_end); + free(id); + return -1; + } + range_end = cdatum->s.value - 1; + + if (range_end < range_start) { + yyerror2("category range is invalid"); + free(id); + return -1; + } + } else { + cdatum = + (cat_datum_t *) hashtab_search(policydbp->p_cats. 
+ table, + (hashtab_key_t) id); + range_start = range_end = cdatum->s.value - 1; + } + + for (i = range_start; i <= range_end; i++) { + if (ebitmap_set_bit(&levdatum->level->cat, i, TRUE)) { + yyerror("out of memory"); + free(id); + return -1; + } + } + + free(id); + } + + if (hashtab_map + (policydbp->p_levels.table, clone_level, levdatum->level)) { + yyerror("out of memory"); + return -1; + } + + return 0; +} + +int define_attrib(void) +{ + if (pass == 2) { + free(queue_remove(id_queue)); + return 0; + } + + if (declare_type(TRUE, TRUE) == NULL) { + return -1; + } + return 0; +} + +static int add_aliases_to_type(type_datum_t * type) +{ + char *id; + type_datum_t *aliasdatum = NULL; + int ret; + while ((id = queue_remove(id_queue))) { + if (id_has_dot(id)) { + free(id); + yyerror + ("type alias identifiers may not contain periods"); + return -1; + } + aliasdatum = (type_datum_t *) malloc(sizeof(type_datum_t)); + if (!aliasdatum) { + free(id); + yyerror("Out of memory!"); + return -1; + } + memset(aliasdatum, 0, sizeof(type_datum_t)); + aliasdatum->s.value = type->s.value; + + ret = declare_symbol(SYM_TYPES, id, aliasdatum, + NULL, &aliasdatum->s.value); + switch (ret) { + case -3:{ + yyerror("Out of memory!"); + goto cleanup; + } + case -2:{ + yyerror2("duplicate declaration of alias %s", + id); + goto cleanup; + } + case -1:{ + yyerror("could not declare alias here"); + goto cleanup; + } + case 0: + case 1:{ + break; + } + default:{ + assert(0); /* should never get here */ + } + } + } + return 0; + cleanup: + free(id); + type_datum_destroy(aliasdatum); + free(aliasdatum); + return -1; +} + +int define_typealias(void) +{ + char *id; + type_datum_t *t; + + if (pass == 2) { + while ((id = queue_remove(id_queue))) + free(id); + return 0; + } + + id = (char *)queue_remove(id_queue); + if (!id) { + yyerror("no type name for typealias definition?"); + return -1; + } + + if (!is_id_in_scope(SYM_TYPES, id)) { + yyerror2("type %s is not within scope", id); + free(id); + 
return -1; + } + t = hashtab_search(policydbp->p_types.table, id); + if (!t || t->flavor == TYPE_ATTRIB) { + yyerror2("unknown type %s, or it was already declared as an " + "attribute", id); + free(id); + return -1; + } + return add_aliases_to_type(t); +} + +int define_typeattribute(void) +{ + char *id; + type_datum_t *t, *attr; + + if (pass == 2) { + while ((id = queue_remove(id_queue))) + free(id); + return 0; + } + + id = (char *)queue_remove(id_queue); + if (!id) { + yyerror("no type name for typeattribute definition?"); + return -1; + } + + if (!is_id_in_scope(SYM_TYPES, id)) { + yyerror2("type %s is not within scope", id); + free(id); + return -1; + } + t = hashtab_search(policydbp->p_types.table, id); + if (!t || t->flavor == TYPE_ATTRIB) { + yyerror2("unknown type %s", id); + free(id); + return -1; + } + + while ((id = queue_remove(id_queue))) { + if (!is_id_in_scope(SYM_TYPES, id)) { + yyerror2("attribute %s is not within scope", id); + free(id); + return -1; + } + attr = hashtab_search(policydbp->p_types.table, id); + if (!attr) { + /* treat it as a fatal error */ + yyerror2("attribute %s is not declared", id); + free(id); + return -1; + } + + if (attr->flavor != TYPE_ATTRIB) { + yyerror2("%s is a type, not an attribute", id); + free(id); + return -1; + } + + if ((attr = get_local_type(id, attr->s.value, 1)) == NULL) { + yyerror("Out of memory!"); + return -1; + } + + if (ebitmap_set_bit(&attr->types, (t->s.value - 1), TRUE)) { + yyerror("out of memory"); + return -1; + } + } + + return 0; +} + +int define_type(int alias) +{ + char *id; + type_datum_t *datum, *attr; + int newattr = 0; + + if (pass == 2) { + while ((id = queue_remove(id_queue))) + free(id); + if (alias) { + while ((id = queue_remove(id_queue))) + free(id); + } + return 0; + } + + if ((datum = declare_type(TRUE, FALSE)) == NULL) { + return -1; + } + + if (alias) { + if (add_aliases_to_type(datum) == -1) { + return -1; + } + } + + while ((id = queue_remove(id_queue))) { + if 
(!is_id_in_scope(SYM_TYPES, id)) { + yyerror2("attribute %s is not within scope", id); + free(id); + return -1; + } + attr = hashtab_search(policydbp->p_types.table, id); + if (!attr) { + /* treat it as a fatal error */ + yyerror2("attribute %s is not declared", id); + return -1; + } else { + newattr = 0; + } + + if (attr->flavor != TYPE_ATTRIB) { + yyerror2("%s is a type, not an attribute", id); + return -1; + } + + if ((attr = get_local_type(id, attr->s.value, 1)) == NULL) { + yyerror("Out of memory!"); + return -1; + } + + if (ebitmap_set_bit(&attr->types, datum->s.value - 1, TRUE)) { + yyerror("Out of memory"); + return -1; + } + } + + return 0; +} + +struct val_to_name { + unsigned int val; + char *name; +}; + +/* Adds a type, given by its textual name, to a typeset. If *add is + 0, then add the type to the negative set; otherwise if *add is 1 + then add it to the positive side. */ +static int set_types(type_set_t * set, char *id, int *add, char starallowed) +{ + type_datum_t *t; + + if (strcmp(id, "*") == 0) { + if (!starallowed) { + yyerror("* not allowed in this type of rule"); + return -1; + } + /* set TYPE_STAR flag */ + set->flags = TYPE_STAR; + free(id); + *add = 1; + return 0; + } + + if (strcmp(id, "~") == 0) { + if (!starallowed) { + yyerror("~ not allowed in this type of rule"); + return -1; + } + /* complement the set */ + set->flags = TYPE_COMP; + free(id); + *add = 1; + return 0; + } + + if (strcmp(id, "-") == 0) { + *add = 0; + free(id); + return 0; + } + + if (!is_id_in_scope(SYM_TYPES, id)) { + yyerror2("type %s is not within scope", id); + free(id); + return -1; + } + t = hashtab_search(policydbp->p_types.table, id); + if (!t) { + yyerror2("unknown type %s", id); + free(id); + return -1; + } + + if (*add == 0) { + if (ebitmap_set_bit(&set->negset, t->s.value - 1, TRUE)) + goto oom; + } else { + if (ebitmap_set_bit(&set->types, t->s.value - 1, TRUE)) + goto oom; + } + free(id); + *add = 1; + return 0; + oom: + yyerror("Out of memory"); + 
free(id); + return -1; +} + +int define_compute_type_helper(int which, avrule_t ** rule) +{ + char *id; + type_datum_t *datum; + class_datum_t *cladatum; + ebitmap_t tclasses; + ebitmap_node_t *node; + avrule_t *avrule; + class_perm_node_t *perm; + int i, add = 1; + + avrule = malloc(sizeof(avrule_t)); + if (!avrule) { + yyerror("out of memory"); + return -1; + } + avrule_init(avrule); + avrule->specified = which; + avrule->line = policydb_lineno; + + while ((id = queue_remove(id_queue))) { + if (set_types(&avrule->stypes, id, &add, 0)) + return -1; + } + add = 1; + while ((id = queue_remove(id_queue))) { + if (set_types(&avrule->ttypes, id, &add, 0)) + return -1; + } + + ebitmap_init(&tclasses); + while ((id = queue_remove(id_queue))) { + if (!is_id_in_scope(SYM_CLASSES, id)) { + yyerror2("class %s is not within scope", id); + free(id); + goto bad; + } + cladatum = hashtab_search(policydbp->p_classes.table, id); + if (!cladatum) { + yyerror2("unknown class %s", id); + goto bad; + } + if (ebitmap_set_bit(&tclasses, cladatum->s.value - 1, TRUE)) { + yyerror("Out of memory"); + goto bad; + } + free(id); + } + + id = (char *)queue_remove(id_queue); + if (!id) { + yyerror("no newtype?"); + goto bad; + } + if (!is_id_in_scope(SYM_TYPES, id)) { + yyerror2("type %s is not within scope", id); + free(id); + goto bad; + } + datum = (type_datum_t *) hashtab_search(policydbp->p_types.table, + (hashtab_key_t) id); + if (!datum || datum->flavor == TYPE_ATTRIB) { + yyerror2("unknown type %s", id); + goto bad; + } + + ebitmap_for_each_bit(&tclasses, node, i) { + if (ebitmap_node_get_bit(node, i)) { + perm = malloc(sizeof(class_perm_node_t)); + if (!perm) { + yyerror("out of memory"); + return -1; + } + class_perm_node_init(perm); + perm->class = i + 1; + perm->data = datum->s.value; + perm->next = avrule->perms; + avrule->perms = perm; + } + } + ebitmap_destroy(&tclasses); + + *rule = avrule; + return 0; + + bad: + avrule_destroy(avrule); + free(avrule); + return -1; +} + +int 
define_compute_type(int which) +{ + char *id; + avrule_t *avrule; + + if (pass == 1) { + while ((id = queue_remove(id_queue))) + free(id); + while ((id = queue_remove(id_queue))) + free(id); + while ((id = queue_remove(id_queue))) + free(id); + id = queue_remove(id_queue); + free(id); + return 0; + } + + if (define_compute_type_helper(which, &avrule)) + return -1; + + append_avrule(avrule); + return 0; +} + +avrule_t *define_cond_compute_type(int which) +{ + char *id; + avrule_t *avrule; + + if (pass == 1) { + while ((id = queue_remove(id_queue))) + free(id); + while ((id = queue_remove(id_queue))) + free(id); + while ((id = queue_remove(id_queue))) + free(id); + id = queue_remove(id_queue); + free(id); + return (avrule_t *) 1; + } + + if (define_compute_type_helper(which, &avrule)) + return COND_ERR; + + return avrule; +} + +int define_bool(void) +{ + char *id, *bool_value; + cond_bool_datum_t *datum; + int ret; + uint32_t value; + + if (pass == 2) { + while ((id = queue_remove(id_queue))) + free(id); + return 0; + } + + id = (char *)queue_remove(id_queue); + if (!id) { + yyerror("no identifier for bool definition?"); + return -1; + } + if (id_has_dot(id)) { + free(id); + yyerror("boolean identifiers may not contain periods"); + return -1; + } + datum = (cond_bool_datum_t *) malloc(sizeof(cond_bool_datum_t)); + if (!datum) { + yyerror("out of memory"); + free(id); + return -1; + } + memset(datum, 0, sizeof(cond_bool_datum_t)); + ret = declare_symbol(SYM_BOOLS, id, datum, &value, &value); + switch (ret) { + case -3:{ + yyerror("Out of memory!"); + goto cleanup; + } + case -2:{ + yyerror2("duplicate declaration of boolean %s", id); + goto cleanup; + } + case -1:{ + yyerror("could not declare boolean here"); + goto cleanup; + } + case 0: + case 1:{ + break; + } + default:{ + assert(0); /* should never get here */ + } + } + datum->s.value = value; + + bool_value = (char *)queue_remove(id_queue); + if (!bool_value) { + yyerror("no default value for bool definition?"); 
+ free(id); + return -1; + } + + datum->state = (int)(bool_value[0] == 'T') ? 1 : 0; + return 0; + cleanup: + cond_destroy_bool(id, datum, NULL); + return -1; +} + +avrule_t *define_cond_pol_list(avrule_t * avlist, avrule_t * sl) +{ + if (pass == 1) { + /* return something so we get through pass 1 */ + return (avrule_t *) 1; + } + + if (sl == NULL) { + /* This is a require block, return previous list */ + return avlist; + } + + /* prepend the new avlist to the pre-existing one */ + sl->next = avlist; + return sl; +} + +int define_te_avtab_helper(int which, avrule_t ** rule) +{ + char *id; + class_datum_t *cladatum; + perm_datum_t *perdatum = NULL; + class_perm_node_t *perms, *tail = NULL, *cur_perms = NULL; + ebitmap_t tclasses; + ebitmap_node_t *node; + avrule_t *avrule; + unsigned int i; + int add = 1, ret = 0; + int suppress = 0; + + avrule = (avrule_t *) malloc(sizeof(avrule_t)); + if (!avrule) { + yyerror("memory error"); + ret = -1; + goto out; + } + avrule_init(avrule); + avrule->specified = which; + avrule->line = policydb_lineno; + + while ((id = queue_remove(id_queue))) { + if (set_types + (&avrule->stypes, id, &add, + which == AVRULE_NEVERALLOW ? 1 : 0)) { + ret = -1; + goto out; + } + } + add = 1; + while ((id = queue_remove(id_queue))) { + if (strcmp(id, "self") == 0) { + free(id); + avrule->flags |= RULE_SELF; + continue; + } + if (set_types + (&avrule->ttypes, id, &add, + which == AVRULE_NEVERALLOW ? 
1 : 0)) { + ret = -1; + goto out; + } + } + + ebitmap_init(&tclasses); + while ((id = queue_remove(id_queue))) { + if (!is_id_in_scope(SYM_CLASSES, id)) { + yyerror2("class %s is not within scope", id); + ret = -1; + goto out; + } + cladatum = hashtab_search(policydbp->p_classes.table, id); + if (!cladatum) { + yyerror2("unknown class %s used in rule", id); + ret = -1; + goto out; + } + if (ebitmap_set_bit(&tclasses, cladatum->s.value - 1, TRUE)) { + yyerror("Out of memory"); + ret = -1; + goto out; + } + free(id); + } + + perms = NULL; + ebitmap_for_each_bit(&tclasses, node, i) { + if (!ebitmap_node_get_bit(node, i)) + continue; + cur_perms = + (class_perm_node_t *) malloc(sizeof(class_perm_node_t)); + if (!cur_perms) { + yyerror("out of memory"); + ret = -1; + goto out; + } + class_perm_node_init(cur_perms); + cur_perms->class = i + 1; + if (!perms) + perms = cur_perms; + if (tail) + tail->next = cur_perms; + tail = cur_perms; + } + + while ((id = queue_remove(id_queue))) { + cur_perms = perms; + ebitmap_for_each_bit(&tclasses, node, i) { + if (!ebitmap_node_get_bit(node, i)) + continue; + cladatum = policydbp->class_val_to_struct[i]; + + if (strcmp(id, "*") == 0) { + /* set all permissions in the class */ + cur_perms->data = ~0U; + goto next; + } + + if (strcmp(id, "~") == 0) { + /* complement the set */ + if (which == AVRULE_DONTAUDIT) + yywarn("dontaudit rule with a ~?"); + cur_perms->data = ~cur_perms->data; + goto next; + } + + perdatum = + hashtab_search(cladatum->permissions.table, id); + if (!perdatum) { + if (cladatum->comdatum) { + perdatum = + hashtab_search(cladatum->comdatum-> + permissions.table, + id); + } + } + if (!perdatum) { + if (!suppress) + yyerror2("permission %s is not defined" + " for class %s", id, + policydbp->p_class_val_to_name[i]); + continue; + } else + if (!is_perm_in_scope + (id, policydbp->p_class_val_to_name[i])) { + if (!suppress) { + yyerror2("permission %s of class %s is" + " not within scope", id, + 
policydbp->p_class_val_to_name[i]); + } + continue; + } else { + cur_perms->data |= 1U << (perdatum->s.value - 1); + } + next: + cur_perms = cur_perms->next; + } + + free(id); + } + + ebitmap_destroy(&tclasses); + + avrule->perms = perms; + *rule = avrule; + + out: + return ret; + +} + +avrule_t *define_cond_te_avtab(int which) +{ + char *id; + avrule_t *avrule; + int i; + + if (pass == 1) { + for (i = 0; i < 4; i++) { + while ((id = queue_remove(id_queue))) + free(id); + } + return (avrule_t *) 1; /* any non-NULL value */ + } + + if (define_te_avtab_helper(which, &avrule)) + return COND_ERR; + + return avrule; +} + +int define_te_avtab(int which) +{ + char *id; + avrule_t *avrule; + int i; + + if (pass == 1) { + for (i = 0; i < 4; i++) { + while ((id = queue_remove(id_queue))) + free(id); + } + return 0; + } + + if (define_te_avtab_helper(which, &avrule)) + return -1; + + /* append this avrule to the end of the current rules list */ + append_avrule(avrule); + return 0; +} + +int define_role_types(void) +{ + role_datum_t *role; + char *id; + int add = 1; + + if (pass == 1) { + while ((id = queue_remove(id_queue))) + free(id); + return 0; + } + + if ((role = declare_role()) == NULL) { + return -1; + } + while ((id = queue_remove(id_queue))) { + if (set_types(&role->types, id, &add, 0)) + return -1; + } + + return 0; +} + +role_datum_t *merge_roles_dom(role_datum_t * r1, role_datum_t * r2) +{ + role_datum_t *new; + + if (pass == 1) { + return (role_datum_t *) 1; /* any non-NULL value */ + } + + new = malloc(sizeof(role_datum_t)); + if (!new) { + yyerror("out of memory"); + return NULL; + } + memset(new, 0, sizeof(role_datum_t)); + new->s.value = 0; /* temporary role */ + if (ebitmap_or(&new->dominates, &r1->dominates, &r2->dominates)) { + yyerror("out of memory"); + return NULL; + } + if (ebitmap_or(&new->types.types, &r1->types.types, &r2->types.types)) { + yyerror("out of memory"); + return NULL; + } + if (!r1->s.value) { + /* free intermediate result */ + 
type_set_destroy(&r1->types); + ebitmap_destroy(&r1->dominates); + free(r1); + } + if (!r2->s.value) { + /* free intermediate result */ + yyerror("right hand role is temporary?"); + type_set_destroy(&r2->types); + ebitmap_destroy(&r2->dominates); + free(r2); + } + return new; +} + +/* This function eliminates the ordering dependency of role dominance rule */ +static int dominate_role_recheck(hashtab_key_t key, hashtab_datum_t datum, + void *arg) +{ + role_datum_t *rdp = (role_datum_t *) arg; + role_datum_t *rdatum = (role_datum_t *) datum; + ebitmap_node_t *node; + int i; + + /* Don't bother to process against self role */ + if (rdatum->s.value == rdp->s.value) + return 0; + + /* If a dominating role found */ + if (ebitmap_get_bit(&(rdatum->dominates), rdp->s.value - 1)) { + ebitmap_t types; + ebitmap_init(&types); + if (type_set_expand(&rdp->types, &types, policydbp, 1)) { + ebitmap_destroy(&types); + return -1; + } + /* raise types and dominates from dominated role */ + ebitmap_for_each_bit(&rdp->dominates, node, i) { + if (ebitmap_node_get_bit(node, i)) + if (ebitmap_set_bit + (&rdatum->dominates, i, TRUE)) + goto oom; + } + ebitmap_for_each_bit(&types, node, i) { + if (ebitmap_node_get_bit(node, i)) + if (ebitmap_set_bit + (&rdatum->types.types, i, TRUE)) + goto oom; + } + ebitmap_destroy(&types); + } + + /* go through all the roles */ + return 0; + oom: + yyerror("Out of memory"); + return -1; +} + +role_datum_t *define_role_dom(role_datum_t * r) +{ + role_datum_t *role; + char *role_id; + ebitmap_node_t *node; + unsigned int i; + int ret; + + if (pass == 1) { + role_id = queue_remove(id_queue); + free(role_id); + return (role_datum_t *) 1; /* any non-NULL value */ + } + + yywarn("Role dominance has been deprecated"); + + role_id = queue_remove(id_queue); + if (!is_id_in_scope(SYM_ROLES, role_id)) { + yyerror2("role %s is not within scope", role_id); + free(role_id); + return NULL; + } + role = (role_datum_t *) hashtab_search(policydbp->p_roles.table, + 
role_id); + if (!role) { + role = (role_datum_t *) malloc(sizeof(role_datum_t)); + if (!role) { + yyerror("out of memory"); + free(role_id); + return NULL; + } + memset(role, 0, sizeof(role_datum_t)); + ret = + declare_symbol(SYM_ROLES, (hashtab_key_t) role_id, + (hashtab_datum_t) role, &role->s.value, + &role->s.value); + switch (ret) { + case -3:{ + yyerror("Out of memory!"); + goto cleanup; + } + case -2:{ + yyerror2("duplicate declaration of role %s", + role_id); + goto cleanup; + } + case -1:{ + yyerror("could not declare role here"); + goto cleanup; + } + case 0: + case 1:{ + break; + } + default:{ + assert(0); /* should never get here */ + } + } + if (ebitmap_set_bit(&role->dominates, role->s.value - 1, TRUE)) { + yyerror("Out of memory!"); + goto cleanup; + } + } + if (r) { + ebitmap_t types; + ebitmap_init(&types); + ebitmap_for_each_bit(&r->dominates, node, i) { + if (ebitmap_node_get_bit(node, i)) + if (ebitmap_set_bit(&role->dominates, i, TRUE)) + goto oom; + } + if (type_set_expand(&r->types, &types, policydbp, 1)) { + ebitmap_destroy(&types); + return NULL; + } + ebitmap_for_each_bit(&types, node, i) { + if (ebitmap_node_get_bit(node, i)) + if (ebitmap_set_bit + (&role->types.types, i, TRUE)) + goto oom; + } + ebitmap_destroy(&types); + if (!r->s.value) { + /* free intermediate result */ + type_set_destroy(&r->types); + ebitmap_destroy(&r->dominates); + free(r); + } + /* + * Now go through all the roles and escalate this role's + * dominates and types if a role dominates this role. 
+ */ + hashtab_map(policydbp->p_roles.table, + dominate_role_recheck, role); + } + return role; + cleanup: + free(role_id); + role_datum_destroy(role); + free(role); + return NULL; + oom: + yyerror("Out of memory"); + goto cleanup; +} + +static int role_val_to_name_helper(hashtab_key_t key, hashtab_datum_t datum, + void *p) +{ + struct val_to_name *v = p; + role_datum_t *roldatum; + + roldatum = (role_datum_t *) datum; + + if (v->val == roldatum->s.value) { + v->name = key; + return 1; + } + + return 0; +} + +static char *role_val_to_name(unsigned int val) +{ + struct val_to_name v; + int rc; + + v.val = val; + rc = hashtab_map(policydbp->p_roles.table, role_val_to_name_helper, &v); + if (rc) + return v.name; + return NULL; +} + +static int set_roles(role_set_t * set, char *id) +{ + role_datum_t *r; + + if (strcmp(id, "*") == 0) { + free(id); + yyerror("* is not allowed for role sets"); + return -1; + } + + if (strcmp(id, "~") == 0) { + free(id); + yyerror("~ is not allowed for role sets"); + return -1; + } + if (!is_id_in_scope(SYM_ROLES, id)) { + yyerror2("role %s is not within scope", id); + free(id); + return -1; + } + r = hashtab_search(policydbp->p_roles.table, id); + if (!r) { + yyerror2("unknown role %s", id); + free(id); + return -1; + } + + if (ebitmap_set_bit(&set->roles, r->s.value - 1, TRUE)) { + yyerror("out of memory"); + free(id); + return -1; + } + free(id); + return 0; +} + +int define_role_trans(void) +{ + char *id; + role_datum_t *role; + role_set_t roles; + type_set_t types; + ebitmap_t e_types, e_roles; + ebitmap_node_t *tnode, *rnode; + struct role_trans *tr = NULL; + struct role_trans_rule *rule = NULL; + unsigned int i, j; + int add = 1; + + if (pass == 1) { + while ((id = queue_remove(id_queue))) + free(id); + while ((id = queue_remove(id_queue))) + free(id); + id = queue_remove(id_queue); + free(id); + return 0; + } + + role_set_init(&roles); + ebitmap_init(&e_roles); + type_set_init(&types); + ebitmap_init(&e_types); + + while ((id = 
queue_remove(id_queue))) { + if (set_roles(&roles, id)) + return -1; + } + add = 1; + while ((id = queue_remove(id_queue))) { + if (set_types(&types, id, &add, 0)) + return -1; + } + + id = (char *)queue_remove(id_queue); + if (!id) { + yyerror("no new role in transition definition?"); + goto bad; + } + if (!is_id_in_scope(SYM_ROLES, id)) { + yyerror2("role %s is not within scope", id); + free(id); + goto bad; + } + role = hashtab_search(policydbp->p_roles.table, id); + if (!role) { + yyerror2("unknown role %s used in transition definition", id); + goto bad; + } + + /* This ebitmap business is just to ensure that there are not conflicting role_trans rules */ + if (role_set_expand(&roles, &e_roles, policydbp)) + goto bad; + + if (type_set_expand(&types, &e_types, policydbp, 1)) + goto bad; + + ebitmap_for_each_bit(&e_roles, rnode, i) { + if (!ebitmap_node_get_bit(rnode, i)) + continue; + ebitmap_for_each_bit(&e_types, tnode, j) { + if (!ebitmap_node_get_bit(tnode, j)) + continue; + + for (tr = policydbp->role_tr; tr; tr = tr->next) { + if (tr->role == (i + 1) && tr->type == (j + 1)) { + yyerror2("duplicate role transition for (%s,%s)", + role_val_to_name(i + 1), + policydbp->p_type_val_to_name[j]); + goto bad; + } + } + + tr = malloc(sizeof(struct role_trans)); + if (!tr) { + yyerror("out of memory"); + return -1; + } + memset(tr, 0, sizeof(struct role_trans)); + tr->role = i + 1; + tr->type = j + 1; + tr->new_role = role->s.value; + tr->next = policydbp->role_tr; + policydbp->role_tr = tr; + } + } + /* Now add the real rule */ + rule = malloc(sizeof(struct role_trans_rule)); + if (!rule) { + yyerror("out of memory"); + return -1; + } + memset(rule, 0, sizeof(struct role_trans_rule)); + rule->roles = roles; + rule->types = types; + rule->new_role = role->s.value; + + append_role_trans(rule); + + ebitmap_destroy(&e_roles); + ebitmap_destroy(&e_types); + + return 0; + + bad: + return -1; +} + +int define_role_allow(void) +{ + char *id; + struct role_allow_rule *ra = 
0; + + if (pass == 1) { + while ((id = queue_remove(id_queue))) + free(id); + while ((id = queue_remove(id_queue))) + free(id); + return 0; + } + + ra = malloc(sizeof(role_allow_rule_t)); + if (!ra) { + yyerror("out of memory"); + return -1; + } + role_allow_rule_init(ra); + + while ((id = queue_remove(id_queue))) { + if (set_roles(&ra->roles, id)) + return -1; + } + + while ((id = queue_remove(id_queue))) { + if (set_roles(&ra->new_roles, id)) + return -1; + } + + append_role_allow(ra); + return 0; +} + +static constraint_expr_t *constraint_expr_clone(constraint_expr_t * expr) +{ + constraint_expr_t *h = NULL, *l = NULL, *e, *newe; + for (e = expr; e; e = e->next) { + newe = malloc(sizeof(*newe)); + if (!newe) + goto oom; + if (constraint_expr_init(newe) == -1) { + free(newe); + goto oom; + } + if (l) + l->next = newe; + else + h = newe; + l = newe; + newe->expr_type = e->expr_type; + newe->attr = e->attr; + newe->op = e->op; + if (newe->expr_type == CEXPR_NAMES) { + if (newe->attr & CEXPR_TYPE) { + if (type_set_cpy + (newe->type_names, e->type_names)) + goto oom; + } else { + if (ebitmap_cpy(&newe->names, &e->names)) + goto oom; + } + } + } + + return h; + oom: + e = h; + while (e) { + l = e; + e = e->next; + constraint_expr_destroy(l); + } + return NULL; +} + +int define_constraint(constraint_expr_t * expr) +{ + struct constraint_node *node; + char *id; + class_datum_t *cladatum; + perm_datum_t *perdatum; + ebitmap_t classmap; + ebitmap_node_t *enode; + constraint_expr_t *e; + unsigned int i; + int depth; + unsigned char useexpr = 1; + + if (pass == 1) { + while ((id = queue_remove(id_queue))) + free(id); + while ((id = queue_remove(id_queue))) + free(id); + return 0; + } + + depth = -1; + for (e = expr; e; e = e->next) { + switch (e->expr_type) { + case CEXPR_NOT: + if (depth < 0) { + yyerror("illegal constraint expression"); + return -1; + } + break; + case CEXPR_AND: + case CEXPR_OR: + if (depth < 1) { + yyerror("illegal constraint expression"); + return -1; 
+ } + depth--; + break; + case CEXPR_ATTR: + case CEXPR_NAMES: + if (e->attr & CEXPR_XTARGET) { + yyerror("illegal constraint expression"); + return -1; /* only for validatetrans rules */ + } + if (depth == (CEXPR_MAXDEPTH - 1)) { + yyerror("constraint expression is too deep"); + return -1; + } + depth++; + break; + default: + yyerror("illegal constraint expression"); + return -1; + } + } + if (depth != 0) { + yyerror("illegal constraint expression"); + return -1; + } + + ebitmap_init(&classmap); + while ((id = queue_remove(id_queue))) { + if (!is_id_in_scope(SYM_CLASSES, id)) { + yyerror2("class %s is not within scope", id); + free(id); + return -1; + } + cladatum = + (class_datum_t *) hashtab_search(policydbp->p_classes.table, + (hashtab_key_t) id); + if (!cladatum) { + yyerror2("class %s is not defined", id); + ebitmap_destroy(&classmap); + free(id); + return -1; + } + if (ebitmap_set_bit(&classmap, cladatum->s.value - 1, TRUE)) { + yyerror("out of memory"); + ebitmap_destroy(&classmap); + free(id); + return -1; + } + node = malloc(sizeof(struct constraint_node)); + if (!node) { + yyerror("out of memory"); + return -1; + } + memset(node, 0, sizeof(constraint_node_t)); + if (useexpr) { + node->expr = expr; + useexpr = 0; + } else { + node->expr = constraint_expr_clone(expr); + } + if (!node->expr) { + yyerror("out of memory"); + return -1; + } + node->permissions = 0; + + node->next = cladatum->constraints; + cladatum->constraints = node; + + free(id); + } + + while ((id = queue_remove(id_queue))) { + ebitmap_for_each_bit(&classmap, enode, i) { + if (ebitmap_node_get_bit(enode, i)) { + cladatum = policydbp->class_val_to_struct[i]; + node = cladatum->constraints; + + perdatum = + (perm_datum_t *) hashtab_search(cladatum-> + permissions. + table, + (hashtab_key_t) + id); + if (!perdatum) { + if (cladatum->comdatum) { + perdatum = + (perm_datum_t *) + hashtab_search(cladatum-> + comdatum-> + permissions. 
+ table, + (hashtab_key_t) + id); + } + if (!perdatum) { + yyerror2("permission %s is not" + " defined", id); + free(id); + ebitmap_destroy(&classmap); + return -1; + } + } + node->permissions |= + (1 << (perdatum->s.value - 1)); + } + } + free(id); + } + + ebitmap_destroy(&classmap); + + return 0; +} + +int define_validatetrans(constraint_expr_t * expr) +{ + struct constraint_node *node; + char *id; + class_datum_t *cladatum; + ebitmap_t classmap; + constraint_expr_t *e; + int depth; + unsigned char useexpr = 1; + + if (pass == 1) { + while ((id = queue_remove(id_queue))) + free(id); + return 0; + } + + depth = -1; + for (e = expr; e; e = e->next) { + switch (e->expr_type) { + case CEXPR_NOT: + if (depth < 0) { + yyerror("illegal validatetrans expression"); + return -1; + } + break; + case CEXPR_AND: + case CEXPR_OR: + if (depth < 1) { + yyerror("illegal validatetrans expression"); + return -1; + } + depth--; + break; + case CEXPR_ATTR: + case CEXPR_NAMES: + if (depth == (CEXPR_MAXDEPTH - 1)) { + yyerror("validatetrans expression is too deep"); + return -1; + } + depth++; + break; + default: + yyerror("illegal validatetrans expression"); + return -1; + } + } + if (depth != 0) { + yyerror("illegal validatetrans expression"); + return -1; + } + + ebitmap_init(&classmap); + while ((id = queue_remove(id_queue))) { + if (!is_id_in_scope(SYM_CLASSES, id)) { + yyerror2("class %s is not within scope", id); + free(id); + return -1; + } + cladatum = + (class_datum_t *) hashtab_search(policydbp->p_classes.table, + (hashtab_key_t) id); + if (!cladatum) { + yyerror2("class %s is not defined", id); + ebitmap_destroy(&classmap); + free(id); + return -1; + } + if (ebitmap_set_bit(&classmap, (cladatum->s.value - 1), TRUE)) { + yyerror("out of memory"); + ebitmap_destroy(&classmap); + free(id); + return -1; + } + + node = malloc(sizeof(struct constraint_node)); + if (!node) { + yyerror("out of memory"); + return -1; + } + memset(node, 0, sizeof(constraint_node_t)); + if (useexpr) { 
+ node->expr = expr; + useexpr = 0; + } else { + node->expr = constraint_expr_clone(expr); + } + node->permissions = 0; + + node->next = cladatum->validatetrans; + cladatum->validatetrans = node; + + free(id); + } + + ebitmap_destroy(&classmap); + + return 0; +} + +uintptr_t define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2) +{ + struct constraint_expr *expr, *e1 = NULL, *e2; + user_datum_t *user; + role_datum_t *role; + ebitmap_t negset; + char *id; + uint32_t val; + int add = 1; + + if (pass == 1) { + if (expr_type == CEXPR_NAMES) { + while ((id = queue_remove(id_queue))) + free(id); + } + return 1; /* any non-NULL value */ + } + + if ((expr = malloc(sizeof(*expr))) == NULL || + constraint_expr_init(expr) == -1) { + yyerror("out of memory"); + free(expr); + return 0; + } + expr->expr_type = expr_type; + + switch (expr_type) { + case CEXPR_NOT: + e1 = NULL; + e2 = (struct constraint_expr *)arg1; + while (e2) { + e1 = e2; + e2 = e2->next; + } + if (!e1 || e1->next) { + yyerror("illegal constraint expression"); + constraint_expr_destroy(expr); + return 0; + } + e1->next = expr; + return arg1; + case CEXPR_AND: + case CEXPR_OR: + e1 = NULL; + e2 = (struct constraint_expr *)arg1; + while (e2) { + e1 = e2; + e2 = e2->next; + } + if (!e1 || e1->next) { + yyerror("illegal constraint expression"); + constraint_expr_destroy(expr); + return 0; + } + e1->next = (struct constraint_expr *)arg2; + + e1 = NULL; + e2 = (struct constraint_expr *)arg2; + while (e2) { + e1 = e2; + e2 = e2->next; + } + if (!e1 || e1->next) { + yyerror("illegal constraint expression"); + constraint_expr_destroy(expr); + return 0; + } + e1->next = expr; + return arg1; + case CEXPR_ATTR: + expr->attr = arg1; + expr->op = arg2; + return (uintptr_t) expr; + case CEXPR_NAMES: + add = 1; + expr->attr = arg1; + expr->op = arg2; + ebitmap_init(&negset); + while ((id = (char *)queue_remove(id_queue))) { + if (expr->attr & CEXPR_USER) { + if (!is_id_in_scope(SYM_USERS, id)) { + yyerror2("user %s 
is not within scope", + id); + constraint_expr_destroy(expr); + return 0; + } + user = + (user_datum_t *) hashtab_search(policydbp-> + p_users. + table, + (hashtab_key_t) + id); + if (!user) { + yyerror2("unknown user %s", id); + constraint_expr_destroy(expr); + return 0; + } + val = user->s.value; + } else if (expr->attr & CEXPR_ROLE) { + if (!is_id_in_scope(SYM_ROLES, id)) { + yyerror2("role %s is not within scope", + id); + constraint_expr_destroy(expr); + return 0; + } + role = + (role_datum_t *) hashtab_search(policydbp-> + p_roles. + table, + (hashtab_key_t) + id); + if (!role) { + yyerror2("unknown role %s", id); + constraint_expr_destroy(expr); + return 0; + } + val = role->s.value; + } else if (expr->attr & CEXPR_TYPE) { + if (set_types(expr->type_names, id, &add, 0)) { + constraint_expr_destroy(expr); + return 0; + } + continue; + } else { + yyerror("invalid constraint expression"); + constraint_expr_destroy(expr); + return 0; + } + if (ebitmap_set_bit(&expr->names, val - 1, TRUE)) { + yyerror("out of memory"); + ebitmap_destroy(&expr->names); + constraint_expr_destroy(expr); + return 0; + } + free(id); + } + ebitmap_destroy(&negset); + return (uintptr_t) expr; + default: + yyerror("invalid constraint expression"); + constraint_expr_destroy(expr); + return 0; + } + + yyerror("invalid constraint expression"); + free(expr); + return 0; +} + +int define_conditional(cond_expr_t * expr, avrule_t * t, avrule_t * f) +{ + cond_expr_t *e; + int depth; + cond_node_t cn, *cn_old; + + /* expression cannot be NULL */ + if (!expr) { + yyerror("illegal conditional expression"); + return -1; + } + if (!t) { + if (!f) { + /* empty is fine, destroy expression and return */ + cond_expr_destroy(expr); + return 0; + } + /* Invert */ + t = f; + f = 0; + expr = define_cond_expr(COND_NOT, expr, 0); + if (!expr) { + yyerror("unable to invert"); + return -1; + } + } + + /* verify expression */ + depth = -1; + for (e = expr; e; e = e->next) { + switch (e->expr_type) { + case 
COND_NOT: + if (depth < 0) { + yyerror + ("illegal conditional expression; Bad NOT"); + return -1; + } + break; + case COND_AND: + case COND_OR: + case COND_XOR: + case COND_EQ: + case COND_NEQ: + if (depth < 1) { + yyerror + ("illegal conditional expression; Bad binary op"); + return -1; + } + depth--; + break; + case COND_BOOL: + if (depth == (COND_EXPR_MAXDEPTH - 1)) { + yyerror + ("conditional expression is like totally too deep"); + return -1; + } + depth++; + break; + default: + yyerror("illegal conditional expression"); + return -1; + } + } + if (depth != 0) { + yyerror("illegal conditional expression"); + return -1; + } + + /* use tmp conditional node to partially build new node */ + memset(&cn, 0, sizeof(cn)); + cn.expr = expr; + cn.avtrue_list = t; + cn.avfalse_list = f; + + /* normalize/precompute expression */ + if (cond_normalize_expr(policydbp, &cn) < 0) { + yyerror("problem normalizing conditional expression"); + return -1; + } + + /* get the existing conditional node, or create a new one */ + cn_old = get_current_cond_list(&cn); + if (!cn_old) { + return -1; + } + + append_cond_list(&cn); + + /* note that there is no check here for duplicate rules, nor + * check that rule already exists in base -- that will be + * handled during conditional expansion, in expand.c */ + + cn.avtrue_list = NULL; + cn.avfalse_list = NULL; + cond_node_destroy(&cn); + + return 0; +} + +cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void *arg2) +{ + struct cond_expr *expr, *e1 = NULL, *e2; + cond_bool_datum_t *bool_var; + char *id; + + /* expressions are handled in the second pass */ + if (pass == 1) { + if (expr_type == COND_BOOL) { + while ((id = queue_remove(id_queue))) { + free(id); + } + } + return (cond_expr_t *) 1; /* any non-NULL value */ + } + + /* create a new expression struct */ + expr = malloc(sizeof(struct cond_expr)); + if (!expr) { + yyerror("out of memory"); + return NULL; + } + memset(expr, 0, sizeof(cond_expr_t)); + expr->expr_type = 
expr_type; + + /* create the type asked for */ + switch (expr_type) { + case COND_NOT: + e1 = NULL; + e2 = (struct cond_expr *)arg1; + while (e2) { + e1 = e2; + e2 = e2->next; + } + if (!e1 || e1->next) { + yyerror("illegal conditional NOT expression"); + free(expr); + return NULL; + } + e1->next = expr; + return (struct cond_expr *)arg1; + case COND_AND: + case COND_OR: + case COND_XOR: + case COND_EQ: + case COND_NEQ: + e1 = NULL; + e2 = (struct cond_expr *)arg1; + while (e2) { + e1 = e2; + e2 = e2->next; + } + if (!e1 || e1->next) { + yyerror + ("illegal left side of conditional binary op expression"); + free(expr); + return NULL; + } + e1->next = (struct cond_expr *)arg2; + + e1 = NULL; + e2 = (struct cond_expr *)arg2; + while (e2) { + e1 = e2; + e2 = e2->next; + } + if (!e1 || e1->next) { + yyerror + ("illegal right side of conditional binary op expression"); + free(expr); + return NULL; + } + e1->next = expr; + return (struct cond_expr *)arg1; + case COND_BOOL: + id = (char *)queue_remove(id_queue); + if (!id) { + yyerror("bad conditional; expected boolean id"); + free(id); + free(expr); + return NULL; + } + if (!is_id_in_scope(SYM_BOOLS, id)) { + yyerror2("boolean %s is not within scope", id); + free(id); + free(expr); + return NULL; + } + bool_var = + (cond_bool_datum_t *) hashtab_search(policydbp->p_bools. 
+ table, + (hashtab_key_t) id); + if (!bool_var) { + yyerror2("unknown boolean %s in conditional expression", + id); + free(expr); + free(id); + return NULL; + } + expr->bool = bool_var->s.value; + free(id); + return expr; + default: + yyerror("illegal conditional expression"); + return NULL; + } +} + +static int set_user_roles(role_set_t * set, char *id) +{ + role_datum_t *r; + unsigned int i; + ebitmap_node_t *node; + + if (strcmp(id, "*") == 0) { + free(id); + yyerror("* is not allowed in user declarations"); + return -1; + } + + if (strcmp(id, "~") == 0) { + free(id); + yyerror("~ is not allowed in user declarations"); + return -1; + } + + if (!is_id_in_scope(SYM_ROLES, id)) { + yyerror2("role %s is not within scope", id); + free(id); + return -1; + } + r = hashtab_search(policydbp->p_roles.table, id); + if (!r) { + yyerror2("unknown role %s", id); + free(id); + return -1; + } + + /* set the role and every role it dominates */ + ebitmap_for_each_bit(&r->dominates, node, i) { + if (ebitmap_node_get_bit(node, i)) + if (ebitmap_set_bit(&set->roles, i, TRUE)) + goto oom; + } + free(id); + return 0; + oom: + yyerror("out of memory"); + return -1; +} + +static int parse_categories(char *id, level_datum_t * levdatum, ebitmap_t * cats) +{ + cat_datum_t *cdatum; + int range_start, range_end, i; + + if (id_has_dot(id)) { + char *id_start = id; + char *id_end = strchr(id, '.'); + + *(id_end++) = '\0'; + + cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table, + (hashtab_key_t) + id_start); + if (!cdatum) { + yyerror2("unknown category %s", id_start); + return -1; + } + range_start = cdatum->s.value - 1; + cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table, ... [truncated message content] |
From: <mil...@us...> - 2008-03-05 14:47:17
Revision: 2842 http://selinux.svn.sourceforge.net/selinux/?rev=2842&view=rev Author: millertc Date: 2008-03-05 06:47:09 -0800 (Wed, 05 Mar 2008) Log Message: ----------- updated checkpolicy to version 2.0.13 Modified Paths: -------------- trunk/checkpolicy/ChangeLog trunk/checkpolicy/VERSION Modified: trunk/checkpolicy/ChangeLog =================================================================== --- trunk/checkpolicy/ChangeLog 2008-03-05 14:45:21 UTC (rev 2841) +++ trunk/checkpolicy/ChangeLog 2008-03-05 14:47:09 UTC (rev 2842) @@ -1,3 +1,7 @@ +2.0.13 2008-03-05 + * Split out non-grammar parts of policy_parse.yacc into + policy_define.c and policy_define.h from Todd C. Miller. + 2.0.12 2008-03-04 * Initialize struct policy_file before using it, from Todd C. Miller. Modified: trunk/checkpolicy/VERSION =================================================================== --- trunk/checkpolicy/VERSION 2008-03-05 14:45:21 UTC (rev 2841) +++ trunk/checkpolicy/VERSION 2008-03-05 14:47:09 UTC (rev 2842) @@ -1 +1 @@ -2.0.12 +2.0.13 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2008-03-24 20:19:05
Revision: 2856 http://selinux.svn.sourceforge.net/selinux/?rev=2856&view=rev Author: ssmalley Date: 2008-03-24 13:18:16 -0700 (Mon, 24 Mar 2008) Log Message: ----------- Author: Eric Paris Email: ep...@re... Subject: checkpolicy: support for permissive types Date: Mon, 24 Mar 2008 10:11:20 -0400 This patch adds support for permissive domains. A very simple module to make httpd_t a permissive domain would be: policy_module(permissiveapache, 1.0) gen_require(` type httpd_t; ') permissive httpd_t; Obviously this syntax can be used in both the base policy and in a policy module. Signed-off-by: Eric Paris <ep...@re...> Acked-by: Stephen Smalley <sd...@ty...> Modified Paths: -------------- trunk/checkpolicy/policy_define.c trunk/checkpolicy/policy_define.h trunk/checkpolicy/policy_parse.y trunk/checkpolicy/policy_scan.l trunk/checkpolicy/test/dismod.c trunk/checkpolicy/test/dispol.c Modified: trunk/checkpolicy/policy_define.c =================================================================== --- trunk/checkpolicy/policy_define.c 2008-03-24 20:17:15 UTC (rev 2855) +++ trunk/checkpolicy/policy_define.c 2008-03-24 20:18:16 UTC (rev 2856) 
@@ -195,6 +195,49 @@ return -1; } +int define_permissive(void) +{ + char *type = NULL; + struct type_datum *t; + int rc = 0; + + type = queue_remove(id_queue); + + if (!type) { + yyerror2("forgot to include type in permissive definition?"); + rc = -1; + goto out; + } + + if (pass == 1) + goto out; + + if (!is_id_in_scope(SYM_TYPES, type)) { + yyerror2("type %s is not within scope", type); + rc = -1; + goto out; + } + + t = hashtab_search(policydbp->p_types.table, type); + if (!t) { + yyerror2("type is not defined: %s", type); + rc = -1; + goto out; + } + + if (t->flavor == TYPE_ATTRIB) { + yyerror2("attributes may not be permissive: %s\n", type); + rc = -1; + goto out; + } + + t->flags |= TYPE_FLAGS_PERMISSIVE; + +out: + free(type); + return rc; +} + int define_polcap(void) { char *id = 0; Modified: trunk/checkpolicy/policy_define.h =================================================================== --- trunk/checkpolicy/policy_define.h 2008-03-24 20:17:15 UTC (rev 2855) +++ trunk/checkpolicy/policy_define.h 2008-03-24 20:18:16 UTC (rev 2856) @@ -36,6 +36,7 @@ int define_ipv6_node_context(void); int define_level(void); int define_netif_context(void); +int define_permissive(void); int define_polcap(void); int define_port_context(unsigned int low, unsigned int high); int define_range_trans(int class_specified); Modified: trunk/checkpolicy/policy_parse.y =================================================================== --- trunk/checkpolicy/policy_parse.y 2008-03-24 20:17:15 UTC (rev 2855) +++ trunk/checkpolicy/policy_parse.y 2008-03-24 20:18:16 UTC (rev 2856) @@ -135,6 +135,7 @@ %token IPV6_ADDR %token MODULE VERSION_IDENTIFIER REQUIRE OPTIONAL %token POLICYCAP +%token PERMISSIVE %left OR %left XOR @@ -261,6 +262,7 @@ | transition_def | range_trans_def | te_avtab_def + | permissive_def ; attribute_def : ATTRIBUTE identifier ';' { if (define_attrib()) return -1;} 
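Review bot: The attribute diagnostic in define_permissive, `yyerror2("attributes may not be permissive: %s\n", type);`, carries a trailing `\n` that none of the other yyerror2 calls in the same function (`"type %s is not within scope"`, `"type is not defined: %s"`) use, so that one message will print with an extra line break if yyerror2 supplies its own newline as the other call sites suggest; drop the `\n`. The first diagnostic, `yyerror2("forgot to include type in permissive definition?")`, routes a fixed string with no conversion through the varargs wrapper where plain `yyerror` is what the surrounding file uses for fixed messages. The function is complete within the hunk; a header comment such as `/* permissive <type>; : set TYPE_FLAGS_PERMISSIVE on an existing, non-attribute type; pass 1 only consumes the identifier */` would document the pass-1 early exit, which is otherwise easy to misread as a skipped validation.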
@@ -706,6 +708,8 @@ policycap_def : POLICYCAP identifier ';' {if (define_polcap()) return -1;} ; +permissive_def : PERMISSIVE identifier ';' + {if (define_permissive()) return -1;} /*********** module grammar below ***********/ Modified: trunk/checkpolicy/policy_scan.l =================================================================== --- trunk/checkpolicy/policy_scan.l 2008-03-24 20:17:15 UTC (rev 2855) +++ trunk/checkpolicy/policy_scan.l 2008-03-24 20:18:16 UTC (rev 2856) @@ -202,7 +202,9 @@ h2 | H2 { return(H2); } policycap | -POLICYCAP { return(POLICYCAP);} +POLICYCAP { return(POLICYCAP); } +permissive | +PERMISSIVE { return(PERMISSIVE); } "/"({alnum}|[_.-/])* { return(PATH); } {letter}({alnum}|[_-])*([.]?({alnum}|[_-]))* { return(IDENTIFIER); } {digit}+ { return(NUMBER); } Modified: trunk/checkpolicy/test/dismod.c =================================================================== --- trunk/checkpolicy/test/dismod.c 2008-03-24 20:17:15 UTC (rev 2855) +++ trunk/checkpolicy/test/dismod.c 2008-03-24 20:18:16 UTC (rev 2856) @@ -323,7 +323,7 @@ fprintf(fp, "alias for type"); display_id(&policydb, fp, SYM_TYPES, type->s.value - 1, ""); } - fprintf(fp, "\n"); + fprintf(fp, " flags:%x\n", type->flags); return 0; } Modified: trunk/checkpolicy/test/dispol.c =================================================================== --- trunk/checkpolicy/test/dispol.c 2008-03-24 20:17:15 UTC (rev 2855) +++ trunk/checkpolicy/test/dispol.c 2008-03-24 20:18:16 UTC (rev 2856) 
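Review bot: The new `permissive_def` rule has no terminating `;` after its action, unlike `policycap_def` directly above it, which closes with a `;` on its own line. yacc and bison accept a rule without the closing semicolon, but every rule visible here follows the convention, so add ` ;` on the line after `{if (define_permissive()) return -1;}` to keep the grammar uniform and to avoid a warning from stricter bison versions.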
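Review bot: Adding `permissive | PERMISSIVE` as a reserved word means any existing policy source that used `permissive` as a type, role, user or other identifier now lexes as the keyword and fails to parse, since this rule precedes the generic `{letter}({alnum}|[_-])*...` IDENTIFIER rule. That is the same trade-off the neighbouring `policycap` keyword already made, but it is worth stating in the commit message or ChangeLog so policy authors know to rename such identifiers before upgrading. If the project documents its reserved words anywhere, `permissive` belongs on that list too.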
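Review bot: `fprintf(fp, " flags:%x\n", type->flags);` prints the raw flag word with `%x`, which is only exact if `type->flags` is an `unsigned int`; if it is declared as a fixed-width `uint32_t` the portable spelling is `" flags:%" PRIx32 "\n"`. The dispol.c change in this same commit prints permissive types by name, whereas this line leaves the reader to know the bit values; printing the decoded flag, e.g. `if (type->flags & TYPE_FLAGS_PERMISSIVE) fprintf(fp, " permissive");` before the newline, would make dismod output self-explanatory. The enclosing function starts outside the hunk.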
@@ -319,6 +319,28 @@ } } +static void display_id(policydb_t *p, FILE *fp, uint32_t symbol_type, + uint32_t symbol_value, char *prefix) +{ + char *id = p->sym_val_to_name[symbol_type][symbol_value]; + fprintf(fp, " %s%s", prefix, id); +} + +static void display_permissive(policydb_t *p, FILE *fp) +{ + ebitmap_node_t *node; + int i; + + fprintf(fp, "permissive sids:\n"); + ebitmap_for_each_bit(&p->permissive_map, node, i) { + if (ebitmap_node_get_bit(node, i)) { + fprintf(fp, "\t"); + display_id(p, fp, SYM_TYPES, i - 1, ""); + fprintf(fp, "\n"); + } + } +} + int menu() { printf("\nSelect a command:\n"); @@ -331,6 +353,7 @@ printf("7) change a boolean value\n"); printf("\n"); printf("c) display policy capabilities\n"); + printf("p) display the list of permissive types\n"); printf("u) display unknown handling setting\n"); printf("f) set output file\n"); printf("m) display menu\n"); @@ -447,6 +470,9 @@ case 'c': display_policycaps(&policydb, out_fp); break; + case 'p': + display_permissive(&policydb, out_fp); + break; case 'u': case 'U': display_handle_unknown(&policydb, out_fp); This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
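Review bot: `display_id` indexes `p->sym_val_to_name[symbol_type][symbol_value]` with no bounds check, and `display_permissive` passes `i - 1`, so a set bit 0 in `permissive_map` would index position -1 and read out of bounds; that is presumably unreachable if the map is indexed by type value (values start at 1, matching the `type->s.value - 1` lookup in dismod.c), but a guard `if (i == 0) continue;` or an `assert(symbol_value < p->symtab[symbol_type].nprim)`-style check in `display_id` would make the assumption explicit — I cannot confirm the exact count field from this hunk. The heading printed is `"permissive sids:\n"` while the menu entry added further down calls them permissive types; the two should agree, e.g. `fprintf(fp, "permissive types:\n");`. `prefix` is never written through and could be `const char *prefix`.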
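Review bot: The new `case 'p':` accepts only the lowercase letter, whereas the neighbouring `case 'u': case 'U':` handles both cases; add `case 'P':` alongside it so the command behaves like the rest of the menu. The `switch` it belongs to starts and ends outside the hunk.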