From: <ssm...@us...> - 2006-08-24 15:42:38
Revision: 1987 Author: ssmalley Date: 2006-08-24 08:42:26 -0700 (Thu, 24 Aug 2006) ViewCVS: http://svn.sourceforge.net/selinux/?rev=1987&view=rev Log Message: ----------- Author: "Jeremy A. Mowery" Email: jm...@tr... Subject: Conditionally expand neverallows Date: Thu, 17 Aug 2006 10:33:10 -0400 This patch allows neverallow rules to be expanded into the avtab for analysis purposes. This option is added to the expand state structure (and set to off by default). When neverallows are expanded, the unsupported_format flag is set for the policydb disabling writing the binary file. If expanded, neverallow rules are not copied; this is documented above the relevant functions. (Previous versions of this patch set also disabled checking on unsupported formats; this behavior has been dropped in this version of the patch set.) The read and write functions now recognize this state and appropriate defines were added for the return values. Acked-by: Stephen Smalley <sd...@ty...> Acked-by: Karl MacMillan <kma...@me...> Modified Paths: -------------- trunk/libsepol/ChangeLog trunk/libsepol/include/sepol/policydb/avtab.h trunk/libsepol/include/sepol/policydb/policydb.h trunk/libsepol/src/expand.c trunk/libsepol/src/link.c trunk/libsepol/src/policydb.c trunk/libsepol/src/write.c Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2006-08-16 17:25:08 UTC (rev 1986) +++ trunk/libsepol/ChangeLog 2006-08-24 15:42:26 UTC (rev 1987) @@ -1,3 +1,5 @@ + * Merged conditionally expand neverallows patch from Jeremy Mowery. + 1.12.24 2006-08-03 * Merged libsepol unit tests from Joshua Brindle. Modified: trunk/libsepol/include/sepol/policydb/avtab.h =================================================================== --- trunk/libsepol/include/sepol/policydb/avtab.h 2006-08-16 17:25:08 UTC (rev 1986) +++ trunk/libsepol/include/sepol/policydb/avtab.h 2006-08-24 15:42:26 UTC (rev 1987) 
@@ -45,6 +45,7 @@ #define AVTAB_ALLOWED 1 #define AVTAB_AUDITALLOW 2 #define AVTAB_AUDITDENY 4 +#define AVTAB_NEVERALLOW 128 #define AVTAB_AV (AVTAB_ALLOWED | AVTAB_AUDITALLOW | AVTAB_AUDITDENY) #define AVTAB_TRANSITION 16 #define AVTAB_MEMBER 32 Modified: trunk/libsepol/include/sepol/policydb/policydb.h =================================================================== --- trunk/libsepol/include/sepol/policydb/policydb.h 2006-08-16 17:25:08 UTC (rev 1986) +++ trunk/libsepol/include/sepol/policydb/policydb.h 2006-08-24 15:42:26 UTC (rev 1987) @@ -65,6 +65,10 @@ #define ERRMSG_LEN 1024 +#define POLICYDB_SUCCESS 0 +#define POLICYDB_ERROR -1 +#define POLICYDB_UNSUPPORTED -2 + /* * A datum type is defined for each kind of symbol * in the configuration data: individual permissions, @@ -194,12 +198,12 @@ #define AVRULE_AUDITALLOW 2 #define AVRULE_AUDITDENY 4 #define AVRULE_DONTAUDIT 8 -#define AVRULE_AV (AVRULE_ALLOWED | AVRULE_AUDITALLOW | AVRULE_AUDITDENY | AVRULE_DONTAUDIT) +#define AVRULE_NEVERALLOW 128 +#define AVRULE_AV (AVRULE_ALLOWED | AVRULE_AUDITALLOW | AVRULE_AUDITDENY | AVRULE_DONTAUDIT | AVRULE_NEVERALLOW) #define AVRULE_TRANSITION 16 #define AVRULE_MEMBER 32 #define AVRULE_CHANGE 64 #define AVRULE_TYPE (AVRULE_TRANSITION | AVRULE_MEMBER | AVRULE_CHANGE) -#define AVRULE_NEVERALLOW 128 uint32_t specified; #define RULE_SELF 1 uint32_t flags; @@ -371,6 +375,9 @@ char *name; char *version; + /* Set when the policydb is modified such that writing is unsupported */ + int unsupported_format; + /* Whether this policydb is mls, should always be set */ int mls; Modified: trunk/libsepol/src/expand.c =================================================================== --- trunk/libsepol/src/expand.c 2006-08-16 17:25:08 UTC (rev 1986) +++ trunk/libsepol/src/expand.c 2006-08-24 15:42:26 UTC (rev 1987) 
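Review bot: AVTAB_AV is left as (ALLOWED | AUDITALLOW | AUDITDENY) while AVRULE_AV on the policydb.h side is widened to include AVRULE_NEVERALLOW, so an avtab node that expand.c now creates with `spec = AVTAB_NEVERALLOW` fails every `specified & AVTAB_AV` test, including the "null entry" rejection in the old-format avtab writer, and only the new unsupported_format guard in policydb_write keeps that from surfacing. The asymmetry looks intentional (the nodes exist for analysis only) but is not stated anywhere, so I would annotate the define: `#define AVTAB_NEVERALLOW 128 /* analysis only: deliberately not part of AVTAB_AV and never written to disk */`. Widening AVRULE_AV also changes the meaning of every existing `specified & AVRULE_AV` test; link.c is adjusted in this commit, but other users of the macro are outside this diff and should be audited. The new `unsupported_format` field presumably relies on policydb_init zeroing the struct; a one-line comment saying who clears it and who sets it would help, since this diff only ever reads it.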
@@ -41,8 +41,14 @@ policydb_t *base; policydb_t *out; sepol_handle_t *handle; + int expand_neverallow; } expand_state_t; +static void expand_state_init(expand_state_t * state) +{ + memset(state, 0, sizeof(expand_state_t)); +} + static int type_copy_callback(hashtab_key_t key, hashtab_datum_t datum, void *data) { @@ -1007,6 +1013,10 @@ return node; } +#define EXPAND_RULE_SUCCESS 1 +#define EXPAND_RULE_CONFLICT 0 +#define EXPAND_RULE_ERROR -1 + static int expand_terule_helper(sepol_handle_t * handle, policydb_t * p, uint32_t * typemap, uint32_t specified, cond_av_list_t ** cond, @@ -1069,7 +1079,7 @@ * or in same conditional then ignore it */ if ((conflict == 1 && cond == NULL) || node->parse_context == cond) - return 1; + return EXPAND_RULE_SUCCESS; ERR(handle, "duplicate TE rule for %s %s:%s %s", p->p_type_val_to_name[avkey.source_type - 1], @@ -1078,7 +1088,7 @@ p->p_class_val_to_name[avkey.target_class - 1], p->p_type_val_to_name[oldtype - 1]); - return 0; + return EXPAND_RULE_CONFLICT; } ERR(handle, "conflicting TE rule for (%s, %s:%s): old was %s, new is %s", @@ -1087,7 +1097,7 @@ p->p_class_val_to_name[avkey.target_class - 1], p->p_type_val_to_name[oldtype - 1], p->p_type_val_to_name[remapped_data - 1]); - return 0; + return EXPAND_RULE_CONFLICT; } node = find_avtab_node(handle, avtab, &avkey, cond); @@ -1113,7 +1123,7 @@ cur = cur->next; } - return 1; + return EXPAND_RULE_SUCCESS; } static int expand_avrule_helper(sepol_handle_t * handle, @@ -1137,6 +1147,8 @@ spec = AVTAB_AUDITDENY; } else if (specified & AVRULE_DONTAUDIT) { spec = AVTAB_AUDITDENY; + } else if (specified & AVRULE_NEVERALLOW) { + spec = AVTAB_NEVERALLOW; } else { assert(0); /* unreachable */ } @@ -1150,7 +1162,7 @@ node = find_avtab_node(handle, avtab, &avkey, cond); if (!node) - return -1; + return EXPAND_RULE_ERROR; if (enabled) { node->key.specified |= AVTAB_ENABLED; } else { 
@@ -1162,6 +1174,8 @@ avdatump->data |= cur->data; } else if (specified & AVRULE_AUDITALLOW) { avdatump->data |= cur->data; + } else if (specified & AVRULE_NEVERALLOW) { + avdatump->data |= cur->data; } else if (specified & AVRULE_AUDITDENY) { /* Since a '0' in an auditdeny mask represents * a permission we do NOT want to audit @@ -1182,7 +1196,7 @@ cur = cur->next; } - return 1; + return EXPAND_RULE_SUCCESS; } static int expand_rule_helper(sepol_handle_t * handle, @@ -1207,7 +1221,8 @@ specified, cond, i, i, source_rule->perms, dest_avtab, - enabled)) != 1) { + enabled)) != + EXPAND_RULE_SUCCESS) { return retval; } } else { @@ -1219,7 +1234,8 @@ other, i, i, source_rule->perms, dest_avtab, - enabled)) != 1) { + enabled)) != + EXPAND_RULE_SUCCESS) { return retval; } } @@ -1234,7 +1250,8 @@ specified, cond, i, j, source_rule->perms, dest_avtab, - enabled)) != 1) { + enabled)) != + EXPAND_RULE_SUCCESS) { return retval; } } else { 
@@ -1246,32 +1263,36 @@ other, i, j, source_rule->perms, dest_avtab, - enabled)) != 1) { + enabled)) != + EXPAND_RULE_SUCCESS) { return retval; } } } } - return 1; + return EXPAND_RULE_SUCCESS; } -/* Expand a rule into a given avtab - checking for conflicting type - * rules in the destination policy. Return 1 on success, 0 if the - * rule conflicts with something (and hence was not added), or -1 on - * error. */ +/* + * Expand a rule into a given avtab - checking for conflicting type + * rules in the destination policy. Return EXPAND_RULE_SUCCESS on + * success, EXPAND_RULE_CONFLICT if the rule conflicts with something + * (and hence was not added), or EXPAND_RULE_ERROR on error. + */ static int convert_and_expand_rule(sepol_handle_t * handle, policydb_t * dest_pol, uint32_t * typemap, avrule_t * source_rule, avtab_t * dest_avtab, cond_av_list_t ** cond, - cond_av_list_t ** other, int enabled) + cond_av_list_t ** other, int enabled, + int do_neverallow) { int retval; ebitmap_t stypes, ttypes; unsigned char alwaysexpand; - if (source_rule->specified & AVRULE_NEVERALLOW) - return 1; + if (!do_neverallow && source_rule->specified & AVRULE_NEVERALLOW) + return EXPAND_RULE_SUCCESS; ebitmap_init(&stypes); ebitmap_init(&ttypes); @@ -1282,10 +1303,10 @@ if (expand_convert_type_set (dest_pol, typemap, &source_rule->stypes, &stypes, alwaysexpand)) - return -1; + return EXPAND_RULE_ERROR; if (expand_convert_type_set (dest_pol, typemap, &source_rule->ttypes, &ttypes, alwaysexpand)) - return -1; + return EXPAND_RULE_ERROR; retval = expand_rule_helper(handle, dest_pol, typemap, source_rule, dest_avtab, @@ -1306,7 +1327,8 @@ while (cur) { if (convert_and_expand_rule(state->handle, dest_pol, typemap, cur, dest_avtab, - list, other, enabled) != 1) { + list, other, enabled, + 0) != EXPAND_RULE_SUCCESS) { return -1; } @@ -1897,6 +1919,8 @@ expand_state_t state; avrule_block_t *curblock; + expand_state_init(&state); + state.verbose = verbose; state.typemap = NULL; state.base = base; 
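Review bot: The new guard `if (!do_neverallow && source_rule->specified & AVRULE_NEVERALLOW)` in convert_and_expand_rule is correct only because `&` binds tighter than `&&`; the same pattern appears in the expand-block hunk, and both read better as `if (!do_neverallow && (source_rule->specified & AVRULE_NEVERALLOW))`. The conditional-rule caller in the 1327 hunk (`list, other, enabled, 0`) hard-codes do_neverallow to 0, so neverallow rules inside conditional blocks are never expanded regardless of the state flag; if that is because neverallow cannot occur there, a comment on the argument (`0 /* neverallow is not valid in conditional blocks */`) saves the next reader the question, otherwise the flag should be threaded through. The rewritten header comment does not mention the new parameter; I would add ` * do_neverallow: when non-zero, AVRULE_NEVERALLOW rules are expanded into the avtab instead of being skipped.` The enclosing cond-rule function starts and ends outside its hunk.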
@@ -2033,7 +2057,8 @@ /* copy rules */ cur_avrule = decl->avrules; while (cur_avrule != NULL) { - if (cur_avrule->specified & AVRULE_NEVERALLOW) { + if (!(state.expand_neverallow) + && cur_avrule->specified & AVRULE_NEVERALLOW) { /* copy this over directly so that assertions are checked later */ if (copy_neverallow (out, state.typemap, cur_avrule)) @@ -2043,7 +2068,7 @@ if (convert_and_expand_rule (state.handle, out, state.typemap, cur_avrule, &out->te_avtab, NULL, NULL, - 0) != 1) { + 0, state.expand_neverallow) != EXPAND_RULE_SUCCESS) { goto cleanup; } } Modified: trunk/libsepol/src/link.c =================================================================== --- trunk/libsepol/src/link.c 2006-08-16 17:25:08 UTC (rev 1986) +++ trunk/libsepol/src/link.c 2006-08-24 15:42:26 UTC (rev 1987) @@ -964,8 +964,7 @@ module->map[SYM_CLASSES][cur_perm->class - 1]; assert(new_perm->class); - if (new_rule-> - specified & (AVRULE_AV | AVRULE_NEVERALLOW)) { + if (new_rule->specified & AVRULE_AV) { for (i = 0; i < module->perm_map_len[cur_perm->class - 1]; Modified: trunk/libsepol/src/policydb.c =================================================================== --- trunk/libsepol/src/policydb.c 2006-08-16 17:25:08 UTC (rev 1986) +++ trunk/libsepol/src/policydb.c 2006-08-24 15:42:26 UTC (rev 1987) @@ -2618,7 +2618,7 @@ /* Read the magic number and string length. */ buf = next_entry(fp, sizeof(uint32_t) * 2); if (!buf) - return -1; + return POLICYDB_ERROR; for (i = 0; i < 2; i++) buf[i] = le32_to_cpu(buf[i]); 
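Review bot: The copy-or-expand decision now keys on `state.expand_neverallow`, but nothing in this diff sets that field to non-zero or sets `out->unsupported_format`, even though the commit message says the flag is set when neverallows are expanded; unless a caller outside the diff does both, expanded AVTAB_NEVERALLOW nodes would reach policydb_write with no guard and fail the old-format avtab writer's "null entry" check. I would make the link explicit where the expansion branch is taken: `if (state.expand_neverallow) out->unsupported_format = 1;` before the rule loop, with a comment that the result is analysis-only. The condition `!(state.expand_neverallow) && cur_avrule->specified & AVRULE_NEVERALLOW` parenthesizes the operand that does not need it; `!state.expand_neverallow && (cur_avrule->specified & AVRULE_NEVERALLOW)` is what the precedence actually gives and is easier to read. The enclosing expand function starts and ends outside these hunks.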
@@ -2632,26 +2632,26 @@ ERR(fp->handle, "policydb magic number %#08x does not " "match expected magic number %#08x or %#08x", buf[0], POLICYDB_MAGIC, POLICYDB_MOD_MAGIC); - return -1; + return POLICYDB_ERROR; } len = buf[1]; if (len != strlen(target_str)) { ERR(fp->handle, "policydb string length %zu does not match " "expected length %zu", len, strlen(target_str)); - return -1; + return POLICYDB_ERROR; } buf = next_entry(fp, len); if (!buf) { ERR(fp->handle, "truncated policydb string identifier"); - return -1; + return POLICYDB_ERROR; } policydb_str = malloc(len + 1); if (!policydb_str) { ERR(fp->handle, "unable to allocate memory for policydb " "string of length %zu", len); - return -1; + return POLICYDB_ERROR; } memcpy(policydb_str, buf, len); policydb_str[len] = 0; @@ -2659,7 +2659,7 @@ ERR(fp->handle, "policydb string %s does not match " "my string %s", policydb_str, target_str); free(policydb_str); - return -1; + return POLICYDB_ERROR; } /* Done with policydb_str. */ free(policydb_str); @@ -2673,7 +2673,7 @@ buf = next_entry(fp, sizeof(uint32_t) * nel); if (!buf) - return -1; + return POLICYDB_ERROR; for (i = 0; i < nel; i++) buf[i] = le32_to_cpu(buf[i]); @@ -2687,7 +2687,7 @@ if (policy_type != POLICY_MOD && policy_type != POLICY_BASE) { ERR(fp->handle, "unknown module type: %#08x", policy_type); - return -1; + return POLICYDB_ERROR; } bufindex++; } @@ -2699,7 +2699,7 @@ ERR(fp->handle, "policydb version %d does not match " "my version range %d-%d", buf[bufindex], POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX); - return -1; + return POLICYDB_ERROR; } } else if (policy_type == POLICY_BASE || policy_type == POLICY_MOD) { if (r_policyvers < MOD_POLICYDB_VERSION_MIN || @@ -2708,7 +2708,7 @@ "not match my version range %d-%d", buf[bufindex], MOD_POLICYDB_VERSION_MIN, MOD_POLICYDB_VERSION_MAX); - return -1; + return POLICYDB_ERROR; } } else { assert(0); 
@@ -2870,9 +2870,9 @@ } } - return 0; + return POLICYDB_SUCCESS; bad: - return -1; + return POLICYDB_ERROR; } int policydb_reindex_users(policydb_t * p) Modified: trunk/libsepol/src/write.c =================================================================== --- trunk/libsepol/src/write.c 2006-08-16 17:25:08 UTC (rev 1986) +++ trunk/libsepol/src/write.c 2006-08-24 15:42:26 UTC (rev 1987) @@ -68,21 +68,21 @@ items = put_entry(buf, sizeof(uint32_t), 3, fp); if (items != 3) - return -1; + return POLICYDB_ERROR; for (n = e->node; n; n = n->next) { bit = cpu_to_le32(n->startbit); items = put_entry(&bit, sizeof(uint32_t), 1, fp); if (items != 1) - return -1; + return POLICYDB_ERROR; map = cpu_to_le64(n->map); items = put_entry(&map, sizeof(uint64_t), 1, fp); if (items != 1) - return -1; + return POLICYDB_ERROR; } - return 0; + return POLICYDB_SUCCESS; } /* Ordering of datums in the original avtab format in the policy file. */ @@ -113,7 +113,7 @@ Requires merging similar entries if uncond avtab. */ if (merge) { if (cur->merged) - return 0; /* already merged by prior merge */ + return POLICYDB_SUCCESS; /* already merged by prior merge */ } items = 1; /* item 0 is used for the item count */ @@ -137,7 +137,7 @@ else if (val & AVTAB_TYPE) lookup = AVTAB_TYPE; else - return -1; + return POLICYDB_ERROR; for (node = avtab_search_node_next(cur, lookup); node; node = avtab_search_node_next(node, lookup)) { @@ -150,12 +150,12 @@ if (!(val & (AVTAB_AV | AVTAB_TYPE))) { ERR(fp->handle, "null entry"); - return -1; + return POLICYDB_ERROR; } if ((val & AVTAB_AV) && (val & AVTAB_TYPE)) { ERR(fp->handle, "entry has both access " "vectors and types"); - return -1; + return POLICYDB_ERROR; } buf32[items++] = cpu_to_le32(val); @@ -180,7 +180,7 @@ if (!node) { ERR(fp->handle, "missing node"); - return -1; + return POLICYDB_ERROR; } buf32[items++] = cpu_to_le32(node->datum.data); 
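Review bot: In avtab_write the `rc = -1; goto out;` after the expand_avtab failure keeps a bare literal while every surrounding return in this file is converted to POLICYDB_ERROR; `rc = POLICYDB_ERROR;` keeps the function consistent with the new convention. Note that the `"null entry"` check in the old-format item writer is what rejects an avtab node whose specified is only AVTAB_NEVERALLOW, so the unsupported_format guard added to policydb_write is load-bearing for expanded-neverallow policies; a short comment there saying so would stop someone from relaxing one without the other. The enclosing avtab_write function starts and ends outside the hunk.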
@@ -196,7 +196,7 @@ if (set) { ERR(fp->handle, "data count wrong"); - return -1; + return POLICYDB_ERROR; } buf32[0] = cpu_to_le32(items - 1); @@ -205,10 +205,10 @@ /* Commit this item to the policy file. */ items2 = put_entry(buf32, sizeof(uint32_t), items, fp); if (items != items2) - return -1; + return POLICYDB_ERROR; } - return 0; + return POLICYDB_SUCCESS; } /* Generate the new avtab format. */ @@ -218,12 +218,12 @@ buf16[3] = cpu_to_le16(cur->key.specified); items = put_entry(buf16, sizeof(uint16_t), 4, fp); if (items != 4) - return -1; + return POLICYDB_ERROR; buf32[0] = cpu_to_le32(cur->datum.data); items = put_entry(buf32, sizeof(uint32_t), 1, fp); if (items != 1) - return -1; - return 0; + return POLICYDB_ERROR; + return POLICYDB_SUCCESS; } static inline void avtab_reset_merged(avtab_t * a) @@ -252,7 +252,7 @@ merge similar entries, so we need to track merged nodes and compute the final nel. */ if (avtab_init(&expa)) - return -1; + return POLICYDB_ERROR; if (expand_avtab(p, a, &expa)) { rc = -1; goto out; @@ -265,7 +265,7 @@ nel = cpu_to_le32(a->nel); items = put_entry(&nel, sizeof(uint32_t), 1, fp); if (items != 1) - return -1; + return POLICYDB_ERROR; } for (i = 0; i < AVTAB_SIZE; i++) { @@ -318,12 +318,12 @@ sens = cpu_to_le32(l->sens); items = put_entry(&sens, sizeof(uint32_t), 1, fp); if (items != 1) - return -1; + return POLICYDB_ERROR; if (ebitmap_write(&l->cat, fp)) - return -1; + return POLICYDB_ERROR; - return 0; + return POLICYDB_SUCCESS; } /* @@ -346,15 +346,15 @@ items2 = put_entry(buf, sizeof(uint32_t), items, fp); if (items2 != items) - return -1; + return POLICYDB_ERROR; if (ebitmap_write(&r->level[0].cat, fp)) - return -1; + return POLICYDB_ERROR; if (!eq) if (ebitmap_write(&r->level[1].cat, fp)) - return -1; + return POLICYDB_ERROR; - return 0; + return POLICYDB_SUCCESS; } static int sens_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr) 
@@ -373,16 +373,16 @@ buf[items++] = cpu_to_le32(levdatum->isalias); items2 = put_entry(buf, sizeof(uint32_t), items, fp); if (items != items2) - return -1; + return POLICYDB_ERROR; items = put_entry(key, 1, len, fp); if (items != len) - return -1; + return POLICYDB_ERROR; if (mls_write_level(levdatum->level, fp)) - return -1; + return POLICYDB_ERROR; - return 0; + return POLICYDB_SUCCESS; } static int cat_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr) @@ -402,13 +402,13 @@ buf[items++] = cpu_to_le32(catdatum->isalias); items2 = put_entry(buf, sizeof(uint32_t), items, fp); if (items != items2) - return -1; + return POLICYDB_ERROR; items = put_entry(key, 1, len, fp); if (items != len) - return -1; + return POLICYDB_ERROR; - return 0; + return POLICYDB_SUCCESS; } static int role_trans_write(role_trans_t * r, struct policy_file *fp) @@ -423,17 +423,17 @@ buf[0] = cpu_to_le32(nel); items = put_entry(buf, sizeof(uint32_t), 1, fp); if (items != 1) - return -1; + return POLICYDB_ERROR; for (tr = r; tr; tr = tr->next) { buf[0] = cpu_to_le32(tr->role); buf[1] = cpu_to_le32(tr->type); buf[2] = cpu_to_le32(tr->new_role); items = put_entry(buf, sizeof(uint32_t), 3, fp); if (items != 3) - return -1; + return POLICYDB_ERROR; } - return 0; + return POLICYDB_SUCCESS; } static int role_allow_write(role_allow_t * r, struct policy_file *fp) @@ -448,15 +448,15 @@ buf[0] = cpu_to_le32(nel); items = put_entry(buf, sizeof(uint32_t), 1, fp); if (items != 1) - return -1; + return POLICYDB_ERROR; for (ra = r; ra; ra = ra->next) { buf[0] = cpu_to_le32(ra->role); buf[1] = cpu_to_le32(ra->new_role); items = put_entry(buf, sizeof(uint32_t), 2, fp); if (items != 2) - return -1; + return POLICYDB_ERROR; } - return 0; + return POLICYDB_SUCCESS; } static int role_set_write(role_set_t * x, struct policy_file *fp) 
@@ -465,14 +465,14 @@ uint32_t buf[1]; if (ebitmap_write(&x->roles, fp)) - return -1; + return POLICYDB_ERROR; buf[0] = cpu_to_le32(x->flags); items = put_entry(buf, sizeof(uint32_t), 1, fp); if (items != 1) - return -1; + return POLICYDB_ERROR; - return 0; + return POLICYDB_SUCCESS; } static int type_set_write(type_set_t * x, struct policy_file *fp) @@ -481,16 +481,16 @@ uint32_t buf[1]; if (ebitmap_write(&x->types, fp)) - return -1; + return POLICYDB_ERROR; if (ebitmap_write(&x->negset, fp)) - return -1; + return POLICYDB_ERROR; buf[0] = cpu_to_le32(x->flags); items = put_entry(buf, sizeof(uint32_t), 1, fp); if (items != 1) - return -1; + return POLICYDB_ERROR; - return 0; + return POLICYDB_SUCCESS; } static int cond_write_bool(hashtab_key_t key, hashtab_datum_t datum, void *ptr) @@ -510,11 +510,11 @@ buf[items++] = cpu_to_le32(len); items2 = put_entry(buf, sizeof(uint32_t), items, fp); if (items != items2) - return -1; + return POLICYDB_ERROR; items = put_entry(key, 1, len, fp); if (items != len) - return -1; - return 0; + return POLICYDB_ERROR; + return POLICYDB_SUCCESS; } /* @@ -539,7 +539,7 @@ if (oldvers) { if (avtab_init(&expa)) - return -1; + return POLICYDB_ERROR; if (expand_cond_av_list(p, list, &new_list, &expa)) goto out; list = new_list; @@ -587,7 +587,7 @@ buf[0] = cpu_to_le32(node->cur_state); items = put_entry(buf, sizeof(uint32_t), 1, fp); if (items != 1) - return -1; + return POLICYDB_ERROR; /* expr */ len = 0; @@ -597,7 +597,7 @@ buf[0] = cpu_to_le32(len); items = put_entry(buf, sizeof(uint32_t), 1, fp); if (items != 1) - return -1; + return POLICYDB_ERROR; for (cur_expr = node->expr; cur_expr != NULL; cur_expr = cur_expr->next) { items = 0; 
@@ -605,22 +605,22 @@ buf[items++] = cpu_to_le32(cur_expr->bool); items2 = put_entry(buf, sizeof(uint32_t), items, fp); if (items2 != items) - return -1; + return POLICYDB_ERROR; } if (p->policy_type == POLICY_KERN) { if (cond_write_av_list(p, node->true_list, fp) != 0) - return -1; + return POLICYDB_ERROR; if (cond_write_av_list(p, node->false_list, fp) != 0) - return -1; + return POLICYDB_ERROR; } else { if (avrule_write_list(node->avtrue_list, fp)) - return -1; + return POLICYDB_ERROR; if (avrule_write_list(node->avfalse_list, fp)) - return -1; + return POLICYDB_ERROR; } - return 0; + return POLICYDB_SUCCESS; } static int cond_write_list(policydb_t * p, cond_list_t * list, @@ -636,13 +636,13 @@ buf[0] = cpu_to_le32(len); items = put_entry(buf, sizeof(uint32_t), 1, fp); if (items != 1) - return -1; + return POLICYDB_ERROR; for (cur = list; cur != NULL; cur = cur->next) { if (cond_write_node(p, cur, fp) != 0) - return -1; + return POLICYDB_ERROR; } - return 0; + return POLICYDB_SUCCESS; } /* @@ -661,15 +661,15 @@ buf[items++] = cpu_to_le32(c->type); items2 = put_entry(buf, sizeof(uint32_t), items, fp); if (items2 != items) - return -1; + return POLICYDB_ERROR; if ((p->policyvers >= POLICYDB_VERSION_MLS && p->policy_type == POLICY_KERN) || (p->policyvers >= MOD_POLICYDB_VERSION_MLS && p->policy_type == POLICY_BASE)) if (mls_write_range_helper(&c->range, fp)) - return -1; + return POLICYDB_ERROR; - return 0; + return POLICYDB_SUCCESS; } /* @@ -694,13 +694,13 @@ buf[items++] = cpu_to_le32(perdatum->s.value); items2 = put_entry(buf, sizeof(uint32_t), items, fp); if (items != items2) - return -1; + return POLICYDB_ERROR; items = put_entry(key, 1, len, fp); if (items != len) - return -1; + return POLICYDB_ERROR; - return 0; + return POLICYDB_SUCCESS; } static int common_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr) 
@@ -721,16 +721,16 @@ buf[items++] = cpu_to_le32(comdatum->permissions.table->nel); items2 = put_entry(buf, sizeof(uint32_t), items, fp); if (items != items2) - return -1; + return POLICYDB_ERROR; items = put_entry(key, 1, len, fp); if (items != len) - return -1; + return POLICYDB_ERROR; if (hashtab_map(comdatum->permissions.table, perm_write, pd)) - return -1; + return POLICYDB_ERROR; - return 0; + return POLICYDB_SUCCESS; } static int write_cons_helper(policydb_t * p, @@ -751,7 +751,7 @@ buf[1] = cpu_to_le32(nexpr); items = put_entry(buf, sizeof(uint32_t), 2, fp); if (items != 2) - return -1; + return POLICYDB_ERROR; for (e = c->expr; e; e = e->next) { items = 0; buf[0] = cpu_to_le32(e->expr_type); @@ -759,18 +759,18 @@ buf[2] = cpu_to_le32(e->op); items = put_entry(buf, sizeof(uint32_t), 3, fp); if (items != 3) - return -1; + return POLICYDB_ERROR; switch (e->expr_type) { case CEXPR_NAMES: if (!allowxtarget && (e->attr & CEXPR_XTARGET)) - return -1; + return POLICYDB_ERROR; if (ebitmap_write(&e->names, fp)) { - return -1; + return POLICYDB_ERROR; } if (p->policy_type != POLICY_KERN && type_set_write(e->type_names, fp)) { - return -1; + return POLICYDB_ERROR; } break; default: @@ -779,7 +779,7 @@ } } - return 0; + return POLICYDB_SUCCESS; } static int class_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr) 
@@ -817,22 +817,22 @@ buf[items++] = cpu_to_le32(ncons); items2 = put_entry(buf, sizeof(uint32_t), items, fp); if (items != items2) - return -1; + return POLICYDB_ERROR; items = put_entry(key, 1, len, fp); if (items != len) - return -1; + return POLICYDB_ERROR; if (cladatum->comkey) { items = put_entry(cladatum->comkey, 1, len2, fp); if (items != len2) - return -1; + return POLICYDB_ERROR; } if (hashtab_map(cladatum->permissions.table, perm_write, pd)) - return -1; + return POLICYDB_ERROR; if (write_cons_helper(p, cladatum->constraints, 0, fp)) - return -1; + return POLICYDB_ERROR; if ((p->policy_type == POLICY_KERN && p->policyvers >= POLICYDB_VERSION_VALIDATETRANS) @@ -846,12 +846,12 @@ buf[0] = cpu_to_le32(ncons); items = put_entry(buf, sizeof(uint32_t), 1, fp); if (items != 1) - return -1; + return POLICYDB_ERROR; if (write_cons_helper(p, cladatum->validatetrans, 1, fp)) - return -1; + return POLICYDB_ERROR; } - return 0; + return POLICYDB_SUCCESS; } static int role_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr) @@ -871,23 +871,23 @@ buf[items++] = cpu_to_le32(role->s.value); items2 = put_entry(buf, sizeof(uint32_t), items, fp); if (items != items2) - return -1; + return POLICYDB_ERROR; items = put_entry(key, 1, len, fp); if (items != len) - return -1; + return POLICYDB_ERROR; if (ebitmap_write(&role->dominates, fp)) - return -1; + return POLICYDB_ERROR; if (p->policy_type == POLICY_KERN) { if (ebitmap_write(&role->types.types, fp)) - return -1; + return POLICYDB_ERROR; } else { if (type_set_write(&role->types, fp)) - return -1; + return POLICYDB_ERROR; } - return 0; + return POLICYDB_SUCCESS; } static int type_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr) 
@@ -911,18 +911,18 @@ } items2 = put_entry(buf, sizeof(uint32_t), items, fp); if (items != items2) - return -1; + return POLICYDB_ERROR; if (p->policy_type != POLICY_KERN) { if (ebitmap_write(&typdatum->types, fp)) - return -1; + return POLICYDB_ERROR; } items = put_entry(key, 1, len, fp); if (items != len) - return -1; + return POLICYDB_ERROR; - return 0; + return POLICYDB_SUCCESS; } static int user_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr) @@ -942,18 +942,18 @@ buf[items++] = cpu_to_le32(usrdatum->s.value); items2 = put_entry(buf, sizeof(uint32_t), items, fp); if (items != items2) - return -1; + return POLICYDB_ERROR; items = put_entry(key, 1, len, fp); if (items != len) - return -1; + return POLICYDB_ERROR; if (p->policy_type == POLICY_KERN) { if (ebitmap_write(&usrdatum->roles.roles, fp)) - return -1; + return POLICYDB_ERROR; } else { if (role_set_write(&usrdatum->roles, fp)) - return -1; + return POLICYDB_ERROR; } /* Users are allowed in non-mls modules, so the empty field will be present in modules with users >= MOD_POLICYDB_VERSION_MLS */ @@ -964,12 +964,12 @@ || (p->policyvers >= MOD_POLICYDB_VERSION_MLS && p->policy_type == POLICY_BASE)) { if (mls_write_range_helper(&usrdatum->range, fp)) - return -1; + return POLICYDB_ERROR; if (mls_write_level(&usrdatum->dfltlevel, fp)) - return -1; + return POLICYDB_ERROR; } - return 0; + return POLICYDB_SUCCESS; } static int (*write_f[SYM_NUM]) (hashtab_key_t key, hashtab_datum_t datum, @@ -991,16 +991,16 @@ buf[0] = cpu_to_le32(nel); items = put_entry(buf, sizeof(uint32_t), 1, fp); if (items != 1) - return -1; + return POLICYDB_ERROR; for (c = p->ocontexts[i]; c; c = c->next) { switch (i) { case OCON_ISID: buf[0] = cpu_to_le32(c->sid[0]); items = put_entry(buf, sizeof(uint32_t), 1, fp); if (items != 1) - return -1; + return POLICYDB_ERROR; if (context_write(p, &c->context[0], fp)) - return -1; + return POLICYDB_ERROR; break; case OCON_FS: case OCON_NETIF: 
@@ -1008,14 +1008,14 @@ buf[0] = cpu_to_le32(len); items = put_entry(buf, sizeof(uint32_t), 1, fp); if (items != 1) - return -1; + return POLICYDB_ERROR; items = put_entry(c->u.name, 1, len, fp); if (items != len) - return -1; + return POLICYDB_ERROR; if (context_write(p, &c->context[0], fp)) - return -1; + return POLICYDB_ERROR; if (context_write(p, &c->context[1], fp)) - return -1; + return POLICYDB_ERROR; break; case OCON_PORT: buf[0] = c->u.port.protocol; @@ -1026,18 +1026,18 @@ } items = put_entry(buf, sizeof(uint32_t), 3, fp); if (items != 3) - return -1; + return POLICYDB_ERROR; if (context_write(p, &c->context[0], fp)) - return -1; + return POLICYDB_ERROR; break; case OCON_NODE: buf[0] = cpu_to_le32(c->u.node.addr); buf[1] = cpu_to_le32(c->u.node.mask); items = put_entry(buf, sizeof(uint32_t), 2, fp); if (items != 2) - return -1; + return POLICYDB_ERROR; if (context_write(p, &c->context[0], fp)) - return -1; + return POLICYDB_ERROR; break; case OCON_FSUSE: buf[0] = cpu_to_le32(c->v.behavior); @@ -1045,12 +1045,12 @@ buf[1] = cpu_to_le32(len); items = put_entry(buf, sizeof(uint32_t), 2, fp); if (items != 2) - return -1; + return POLICYDB_ERROR; items = put_entry(c->u.name, 1, len, fp); if (items != len) - return -1; + return POLICYDB_ERROR; if (context_write(p, &c->context[0], fp)) - return -1; + return POLICYDB_ERROR; break; case OCON_NODE6: for (j = 0; j < 4; j++) @@ -1061,14 +1061,14 @@ cpu_to_le32(c->u.node6.mask[j]); items = put_entry(buf, sizeof(uint32_t), 8, fp); if (items != 8) - return -1; + return POLICYDB_ERROR; if (context_write(p, &c->context[0], fp)) - return -1; + return POLICYDB_ERROR; break; } } } - return 0; + return POLICYDB_SUCCESS; } static int genfs_write(policydb_t * p, struct policy_file *fp) 
@@ -1083,41 +1083,41 @@ buf[0] = cpu_to_le32(nel); items = put_entry(buf, sizeof(uint32_t), 1, fp); if (items != 1) - return -1; + return POLICYDB_ERROR; for (genfs = p->genfs; genfs; genfs = genfs->next) { len = strlen(genfs->fstype); buf[0] = cpu_to_le32(len); items = put_entry(buf, sizeof(uint32_t), 1, fp); if (items != 1) - return -1; + return POLICYDB_ERROR; items = put_entry(genfs->fstype, 1, len, fp); if (items != len) - return -1; + return POLICYDB_ERROR; nel = 0; for (c = genfs->head; c; c = c->next) nel++; buf[0] = cpu_to_le32(nel); items = put_entry(buf, sizeof(uint32_t), 1, fp); if (items != 1) - return -1; + return POLICYDB_ERROR; for (c = genfs->head; c; c = c->next) { len = strlen(c->u.name); buf[0] = cpu_to_le32(len); items = put_entry(buf, sizeof(uint32_t), 1, fp); if (items != 1) - return -1; + return POLICYDB_ERROR; items = put_entry(c->u.name, 1, len, fp); if (items != len) - return -1; + return POLICYDB_ERROR; buf[0] = cpu_to_le32(c->v.sclass); items = put_entry(buf, sizeof(uint32_t), 1, fp); if (items != 1) - return -1; + return POLICYDB_ERROR; if (context_write(p, &c->context[0], fp)) - return -1; + return POLICYDB_ERROR; } } - return 0; + return POLICYDB_SUCCESS; } static int range_write(policydb_t * p, struct policy_file *fp) @@ -1131,17 +1131,17 @@ buf[0] = cpu_to_le32(nel); items = put_entry(buf, sizeof(uint32_t), 1, fp); if (items != 1) - return -1; + return POLICYDB_ERROR; for (rt = p->range_tr; rt; rt = rt->next) { buf[0] = cpu_to_le32(rt->dom); buf[1] = cpu_to_le32(rt->type); items = put_entry(buf, sizeof(uint32_t), 2, fp); if (items != 2) - return -1; + return POLICYDB_ERROR; if (mls_write_range_helper(&rt->range, fp)) - return -1; + return POLICYDB_ERROR; } - return 0; + return POLICYDB_SUCCESS; } /************** module writing functions below **************/ 
@@ -1157,13 +1157,13 @@ buf[items++] = cpu_to_le32(avrule->flags); items2 = put_entry(buf, sizeof(uint32_t), items, fp); if (items2 != items) - return -1; + return POLICYDB_ERROR; if (type_set_write(&avrule->stypes, fp)) - return -1; + return POLICYDB_ERROR; if (type_set_write(&avrule->ttypes, fp)) - return -1; + return POLICYDB_ERROR; cur = avrule->perms; len = 0; @@ -1175,7 +1175,7 @@ buf[items++] = cpu_to_le32(len); items2 = put_entry(buf, sizeof(uint32_t), items, fp); if (items2 != items) - return -1; + return POLICYDB_ERROR; cur = avrule->perms; while (cur) { items = 0; @@ -1183,12 +1183,12 @@ buf[items++] = cpu_to_le32(cur->data); items2 = put_entry(buf, sizeof(uint32_t), items, fp); if (items2 != items) - return -1; + return POLICYDB_ERROR; cur = cur->next; } - return 0; + return POLICYDB_SUCCESS; } static int avrule_write_list(avrule_t * avrules, struct policy_file *fp) @@ -1205,7 +1205,7 @@ buf[0] = cpu_to_le32(len); if (put_entry(buf, sizeof(uint32_t), 1, fp) != 1) - return -1; + return POLICYDB_ERROR; avrule = avrules; while (avrule) { @@ -1213,7 +1213,7 @@ avrule = avrule->next; } - return 0; + return POLICYDB_SUCCESS; } static int role_trans_rule_write(role_trans_rule_t * t, struct policy_file *fp) @@ -1228,18 +1228,18 @@ buf[0] = cpu_to_le32(nel); items = put_entry(buf, sizeof(uint32_t), 1, fp); if (items != 1) - return -1; + return POLICYDB_ERROR; for (tr = t; tr; tr = tr->next) { if (role_set_write(&tr->roles, fp)) - return -1; + return POLICYDB_ERROR; if (type_set_write(&tr->types, fp)) - return -1; + return POLICYDB_ERROR; buf[0] = cpu_to_le32(tr->new_role); items = put_entry(buf, sizeof(uint32_t), 1, fp); if (items != 1) - return -1; + return POLICYDB_ERROR; } - return 0; + return POLICYDB_SUCCESS; } static int role_allow_rule_write(role_allow_rule_t * r, struct policy_file *fp) 
@@ -1254,14 +1254,14 @@ buf[0] = cpu_to_le32(nel); items = put_entry(buf, sizeof(uint32_t), 1, fp); if (items != 1) - return -1; + return POLICYDB_ERROR; for (ra = r; ra; ra = ra->next) { if (role_set_write(&ra->roles, fp)) - return -1; + return POLICYDB_ERROR; if (role_set_write(&ra->new_roles, fp)) - return -1; + return POLICYDB_ERROR; } - return 0; + return POLICYDB_SUCCESS; } static int scope_index_write(scope_index_t * scope_index, @@ -1272,19 +1272,19 @@ uint32_t buf[1]; for (i = 0; i < num_scope_syms; i++) { if (ebitmap_write(scope_index->scope + i, fp) == -1) { - return -1; + return POLICYDB_ERROR; } } buf[0] = cpu_to_le32(scope_index->class_perms_len); if (put_entry(buf, sizeof(uint32_t), 1, fp) != 1) { - return -1; + return POLICYDB_ERROR; } for (i = 0; i < scope_index->class_perms_len; i++) { if (ebitmap_write(scope_index->class_perms_map + i, fp) == -1) { - return -1; + return POLICYDB_ERROR; } } - return 0; + return POLICYDB_SUCCESS; } static int avrule_decl_write(avrule_decl_t * decl, int num_scope_syms, @@ -1296,17 +1296,17 @@ buf[0] = cpu_to_le32(decl->decl_id); buf[1] = cpu_to_le32(decl->enabled); if (put_entry(buf, sizeof(uint32_t), 2, fp) != 2) { - return -1; + return POLICYDB_ERROR; } if (cond_write_list(p, decl->cond_list, fp) == -1 || avrule_write_list(decl->avrules, fp) == -1 || role_trans_rule_write(decl->role_tr_rules, fp) == -1 || role_allow_rule_write(decl->role_allow_rules, fp) == -1) { - return -1; + return POLICYDB_ERROR; } if (scope_index_write(&decl->required, num_scope_syms, fp) == -1 || scope_index_write(&decl->declared, num_scope_syms, fp) == -1) { - return -1; + return POLICYDB_ERROR; } pd.fp = fp; pd.p = p; 
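Review bot: The comparisons `ebitmap_write(...) == -1` in scope_index_write and `cond_write_list(...) == -1 || avrule_write_list(...) == -1 || ...` in avrule_decl_write still test a literal -1 while the callees now return the named POLICYDB_ERROR; the same pattern remains in avrule_block_write on the next hunk line (`avrule_decl_write(...) == -1`). With POLICYDB_UNSUPPORTED (-2) now a legal return value in this family, an `== -1` test is exactly the shape that turns a new failure code into a silent success, so I would change each to `!= POLICYDB_SUCCESS` (or `!= 0`, matching the `if (ebitmap_write(...))` style used elsewhere in this file). Both enclosing functions start and end outside the hunks.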
@@ -1314,13 +1314,13 @@ buf[0] = cpu_to_le32(decl->symtab[i].nprim); buf[1] = cpu_to_le32(decl->symtab[i].table->nel); if (put_entry(buf, sizeof(uint32_t), 2, fp) != 2) { - return -1; + return POLICYDB_ERROR; } if (hashtab_map(decl->symtab[i].table, write_f[i], &pd)) { - return -1; + return POLICYDB_ERROR; } } - return 0; + return POLICYDB_SUCCESS; } static int avrule_block_write(avrule_block_t * block, int num_scope_syms, @@ -1334,7 +1334,7 @@ } buf[0] = cpu_to_le32(num_blocks); if (put_entry(buf, sizeof(uint32_t), 1, fp) != 1) { - return -1; + return POLICYDB_ERROR; } /* now write each block */ @@ -1347,16 +1347,16 @@ } buf[0] = cpu_to_le32(num_decls); if (put_entry(buf, sizeof(uint32_t), 1, fp) != 1) { - return -1; + return POLICYDB_ERROR; } for (decl = cur->branch_list; decl != NULL; decl = decl->next) { if (avrule_decl_write(decl, num_scope_syms, p, fp) == -1) { - return -1; + return POLICYDB_ERROR; } } } - return 0; + return POLICYDB_SUCCESS; } static int scope_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr) @@ -1373,7 +1373,7 @@ * buffer. this would have been easier with C99's * dynamic arrays... */ if ((dyn_buf = malloc(items * sizeof(*dyn_buf))) == NULL) { - return -1; + return POLICYDB_ERROR; } buf = dyn_buf; } else { @@ -1382,7 +1382,7 @@ buf[0] = cpu_to_le32(key_len); if (put_entry(buf, sizeof(*buf), 1, fp) != 1 || put_entry(key, 1, key_len, fp) != key_len) { - return -1; + return POLICYDB_ERROR; } buf[0] = cpu_to_le32(scope->scope); buf[1] = cpu_to_le32(scope->decl_ids_len); @@ -1391,10 +1391,10 @@ } if (put_entry(buf, sizeof(*buf), items, fp) != items) { free(dyn_buf); - return -1; + return POLICYDB_ERROR; } free(dyn_buf); - return 0; + return POLICYDB_SUCCESS; } /* @@ -1411,6 +1411,9 @@ struct policy_data pd; char *policydb_str; + if (p->unsupported_format) + return POLICYDB_UNSUPPORTED; + pd.fp = fp; pd.p = p; 
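Review bot: The new `if (p->unsupported_format) return POLICYDB_UNSUPPORTED;` at the top of the write function deserves a comment saying why writing is refused, since a caller that receives POLICYDB_UNSUPPORTED has no hint that the flag is set by expanding neverallow rules into the avtab. Something like `/* e.g. neverallow rules expanded into the avtab for analysis: they have no binary representation, so refuse to write rather than emit a policy that silently drops them */` would do. That reason is taken from the commit message rather than the hunk, so word it to match whatever actually sets the flag in expand.c. The enclosing function begins and ends outside this hunk.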
@@ -1432,10 +1435,10 @@ buf[items++] = cpu_to_le32(len); items2 = put_entry(buf, sizeof(uint32_t), items, fp); if (items != items2) - return -1; + return POLICYDB_ERROR; items = put_entry(policydb_str, 1, len, fp); if (items != len) - return -1; + return POLICYDB_ERROR; /* Write the version, config, and table sizes. */ items = 0; @@ -1443,7 +1446,7 @@ if (!info) { ERR(fp->handle, "compatibility lookup failed for policy " "version %d", p->policyvers); - return -1; + return POLICYDB_ERROR; } if (p->policy_type != POLICY_KERN) { @@ -1456,7 +1459,7 @@ items2 = put_entry(buf, sizeof(uint32_t), items, fp); if (items != items2) - return -1; + return POLICYDB_ERROR; if (p->policy_type == POLICY_MOD) { /* Write module name and version */ @@ -1464,18 +1467,18 @@ buf[0] = cpu_to_le32(len); items = put_entry(buf, sizeof(uint32_t), 1, fp); if (items != 1) - return -1; + return POLICYDB_ERROR; items = put_entry(p->name, 1, len, fp); if (items != len) - return -1; + return POLICYDB_ERROR; len = strlen(p->version); buf[0] = cpu_to_le32(len); items = put_entry(buf, sizeof(uint32_t), 1, fp); if (items != 1) - return -1; + return POLICYDB_ERROR; items = put_entry(p->version, 1, len, fp); if (items != len) - return -1; + return POLICYDB_ERROR; } num_syms = info->sym_num; for (i = 0; i < num_syms; i++) { 
@@ -1483,43 +1486,43 @@ buf[1] = cpu_to_le32(p->symtab[i].table->nel); items = put_entry(buf, sizeof(uint32_t), 2, fp); if (items != 2) - return -1; + return POLICYDB_ERROR; if (hashtab_map(p->symtab[i].table, write_f[i], &pd)) - return -1; + return POLICYDB_ERROR; } if (p->policy_type == POLICY_KERN) { if (avtab_write(p, &p->te_avtab, fp)) - return -1; + return POLICYDB_ERROR; if (p->policyvers < POLICYDB_VERSION_BOOL) { if (p->p_bools.nprim) WARN(fp->handle, "Discarding " "booleans and conditional rules"); } else { if (cond_write_list(p, p->cond_list, fp)) - return -1; + return POLICYDB_ERROR; } if (role_trans_write(p->role_tr, fp)) - return -1; + return POLICYDB_ERROR; if (role_allow_write(p->role_allow, fp)) - return -1; + return POLICYDB_ERROR; } else { if (avrule_block_write(p->global, num_syms, p, fp) == -1) { - return -1; + return POLICYDB_ERROR; } for (i = 0; i < num_syms; i++) { buf[0] = cpu_to_le32(p->scope[i].table->nel); if (put_entry(buf, sizeof(uint32_t), 1, fp) != 1) { - return -1; + return POLICYDB_ERROR; } if (hashtab_map(p->scope[i].table, scope_write, &pd)) - return -1; + return POLICYDB_ERROR; } } if (ocontext_write(info, p, fp) == -1 || genfs_write(p, fp) == -1) { - return -1; + return POLICYDB_ERROR; } if ((p->policyvers >= POLICYDB_VERSION_MLS @@ -1527,7 +1530,7 @@ || (p->policyvers >= MOD_POLICYDB_VERSION_MLS && p->policy_type == POLICY_BASE)) { if (range_write(p, fp)) { - return -1; + return POLICYDB_ERROR; } } @@ -1535,9 +1538,9 @@ && p->policyvers >= POLICYDB_VERSION_AVTAB) { for (i = 0; i < p->p_types.nprim; i++) { if (ebitmap_write(&p->type_attr_map[i], fp) == -1) - return -1; + return POLICYDB_ERROR; } } - return 0; + return POLICYDB_SUCCESS; } This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
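Review bot: policydb_write still checks `avrule_block_write(p->global, num_syms, p, fp) == -1` and `ocontext_write(info, p, fp) == -1 || genfs_write(p, fp) == -1`, even though avrule_block_write was converted in this same patch to return POLICYDB_ERROR; if that constant is not -1 (its definition is in policydb.h, not shown) a failure while writing a module's avrule blocks is never noticed and the function goes on to return POLICYDB_SUCCESS over a truncated file. I would change it to `if (avrule_block_write(p->global, num_syms, p, fp) != POLICYDB_SUCCESS)` and do the same for the ocontext/genfs pair once those writers are converted (their return values are not visible here). The function starts outside this hunk.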
From: <ssm...@us...> - 2006-08-24 15:49:59
Revision: 1990 Author: ssmalley Date: 2006-08-24 08:49:53 -0700 (Thu, 24 Aug 2006) ViewCVS: http://svn.sourceforge.net/selinux/?rev=1990&view=rev Log Message: ----------- libsepol 1.12.25 Modified Paths: -------------- trunk/libsepol/ChangeLog trunk/libsepol/VERSION Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2006-08-24 15:47:05 UTC (rev 1989) +++ trunk/libsepol/ChangeLog 2006-08-24 15:49:53 UTC (rev 1990) @@ -1,3 +1,4 @@ +1.12.25 2006-08-24 * Merged conditionally expand neverallows patch from Jeremy Mowery. * Merged refactor expander patch from Jeremy Mowery. Modified: trunk/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2006-08-24 15:47:05 UTC (rev 1989) +++ trunk/libsepol/VERSION 2006-08-24 15:49:53 UTC (rev 1990) @@ -1 +1 @@ -1.12.24 +1.12.25 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <mad...@us...> - 2006-09-05 14:35:58
Revision: 2020 http://svn.sourceforge.net/selinux/?rev=2020&view=rev Author: madmethod Date: 2006-09-05 07:35:45 -0700 (Tue, 05 Sep 2006) Log Message: ----------- libsepol 1.12.26 Modified Paths: -------------- trunk/libsepol/ChangeLog trunk/libsepol/VERSION Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2006-09-05 14:33:20 UTC (rev 2019) +++ trunk/libsepol/ChangeLog 2006-09-05 14:35:45 UTC (rev 2020) @@ -1,3 +1,7 @@ +1.21.26 2006-09-05 + * Merged range transition enhancements and user format changes + Darrel Goeddel + 1.12.25 2006-08-24 * Merged conditionally expand neverallows patch from Jeremy Mowery. * Merged refactor expander patch from Jeremy Mowery. Modified: trunk/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2006-09-05 14:33:20 UTC (rev 2019) +++ trunk/libsepol/VERSION 2006-09-05 14:35:45 UTC (rev 2020) @@ -1 +1 @@ -1.12.25 +1.12.26 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <mad...@us...> - 2006-09-28 18:27:47
Revision: 2038 http://svn.sourceforge.net/selinux/?rev=2038&view=rev Author: madmethod Date: 2006-09-28 11:27:35 -0700 (Thu, 28 Sep 2006) Log Message: ----------- bump to libsepol 1.12.28 Modified Paths: -------------- trunk/libsepol/ChangeLog trunk/libsepol/VERSION Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2006-09-28 18:25:10 UTC (rev 2037) +++ trunk/libsepol/ChangeLog 2006-09-28 18:27:35 UTC (rev 2038) @@ -1,3 +1,6 @@ +1.12.28 2006-09-28 + * Build libsepol's static object files with -fpic + 1.12.27 2006-09-28 * Merged mls user and range_transition support in modules from Darrel Goeddel Modified: trunk/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2006-09-28 18:25:10 UTC (rev 2037) +++ trunk/libsepol/VERSION 2006-09-28 18:27:35 UTC (rev 2038) @@ -1 +1 @@ -1.12.27 +1.12.28 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2006-10-24 16:06:40
Revision: 2072 http://svn.sourceforge.net/selinux/?rev=2072&view=rev Author: ssmalley Date: 2006-10-24 09:05:25 -0700 (Tue, 24 Oct 2006) Log Message: ----------- Author: Darrel Goeddel Email: dgo...@tr... Subject: libsepol: fix version comparison when writing policies Date: Tue, 24 Oct 2006 09:44:34 -0500 Fix a version comparison that prohibits the "old style" range transition rules from being written for a version 5 base policy. Acked-by: Stephen Smalley <sd...@ty...> Acked-by: Joshua Brindle <jbr...@tr...> Modified Paths: -------------- trunk/libsepol/ChangeLog trunk/libsepol/VERSION trunk/libsepol/src/write.c Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2006-10-19 15:07:18 UTC (rev 2071) +++ trunk/libsepol/ChangeLog 2006-10-24 16:05:25 UTC (rev 2072) @@ -1,3 +1,8 @@ +1.15.1 2006-10-24 + * Merged fix for version comparison that was preventing range + transition rules from being written for a version 5 base policy + from Darrel Goeddel. + 1.14 2006-10-17 * Updated version for release. Modified: trunk/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2006-10-19 15:07:18 UTC (rev 2071) +++ trunk/libsepol/VERSION 2006-10-24 16:05:25 UTC (rev 2072) @@ -1 +1 @@ -1.14 +1.15.1 Modified: trunk/libsepol/src/write.c =================================================================== --- trunk/libsepol/src/write.c 2006-10-19 15:07:18 UTC (rev 2071) +++ trunk/libsepol/src/write.c 2006-10-24 16:05:25 UTC (rev 2072) 
@@ -1641,7 +1641,7 @@ if ((p->policyvers >= POLICYDB_VERSION_MLS && p->policy_type == POLICY_KERN) || (p->policyvers >= MOD_POLICYDB_VERSION_MLS - && p->policyvers < MOD_POLICYDB_VERSION_MLS + && p->policyvers < MOD_POLICYDB_VERSION_RANGETRANS && p->policy_type == POLICY_BASE)) { if (range_write(p, fp)) { return POLICYDB_ERROR; This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
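Review bot: The corrected condition now encodes a non-obvious version window — old-style range_transition rules are written for kernel policies, and for base modules only from MOD_POLICYDB_VERSION_MLS up to but excluding MOD_POLICYDB_VERSION_RANGETRANS — and nothing in the code says why the upper bound exists, which is presumably how the old `< MOD_POLICYDB_VERSION_MLS` (never true together with the `>=` on the previous line) went unnoticed. A comment above the `if`, such as `/* pre-RANGETRANS base modules carry range_transition rules in this top-level section; later versions represent them elsewhere, so writing them here too would duplicate them */`, would help; the second half is my reading of the version name, so adjust it to what the reader in policydb.c actually does. The enclosing function begins and ends outside this hunk.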
From: <mad...@us...> - 2006-10-31 18:38:15
Revision: 2075 http://svn.sourceforge.net/selinux/?rev=2075&view=rev Author: madmethod Date: 2006-10-31 10:37:56 -0800 (Tue, 31 Oct 2006) Log Message: ----------- Author: Karl MacMillan Email: kma...@me... Subject: RE: [PATCH] libsepol users in non-mls policy bugfix Date: Mon, 30 Oct 2006 13:56:47 -0500 On Mon, 2006-10-30 at 13:31 -0500, Joshua Brindle wrote: > > From: Karl MacMillan [mailto:kma...@me...] > > > > This patch looks ok, but shouldn't we also stop the segfault > > in mls_level_convert? The use of assert there looks like it > > is catching what should be a runtime error that should cause > > an error message rather than bailing. > > > > Otherwise: > > Yea, I tried thinking of a more elegant way to do it and couldn't come > up with anything, any suggestions? > You can put the check in mls_level_convert. > Clearly those assertions only apply to the MLS case, and we caught a > plain bug because of them, I think they are not user errors. > Yea - I forgot how all of those assertions are used in the link code. The alternative is below (with some cleanup up error handling that makes it look larger). Honestly, I don't care which patch. Karl Acked-By: Joshua Brindle <jbr...@tr...> Acked-by: Stephen Smalley <sd...@ty...> Modified Paths: -------------- trunk/libsepol/ChangeLog trunk/libsepol/VERSION trunk/libsepol/src/link.c Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2006-10-24 16:09:54 UTC (rev 2074) +++ trunk/libsepol/ChangeLog 2006-10-31 18:37:56 UTC (rev 2075) 
@@ -1,3 +1,7 @@ +1.15.2 2006-10-31 + * Merged fix from Karl MacMillan for a segfault when linking + non-MLS modules with users in them. + 1.15.1 2006-10-24 * Merged fix for version comparison that was preventing range transition rules from being written for a version 5 base policy Modified: trunk/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2006-10-24 16:09:54 UTC (rev 2074) +++ trunk/libsepol/VERSION 2006-10-31 18:37:56 UTC (rev 2075) @@ -1 +1 @@ -1.15.1 +1.15.2 Modified: trunk/libsepol/src/link.c =================================================================== --- trunk/libsepol/src/link.c 2006-10-24 16:09:54 UTC (rev 2074) +++ trunk/libsepol/src/link.c 2006-10-31 18:37:56 UTC (rev 2075) @@ -827,19 +827,24 @@ return -1; } -static int mls_level_convert(mls_semantic_level_t * src, - mls_semantic_level_t * dst, policy_module_t * mod) +static int mls_level_convert(mls_semantic_level_t * src, mls_semantic_level_t * dst, + policy_module_t * mod, link_state_t * state) { mls_semantic_cat_t *src_cat, *new_cat; + if (!mod->policy->mls) + return 0; + assert(mod->map[SYM_LEVELS][src->sens - 1]); dst->sens = mod->map[SYM_LEVELS][src->sens - 1]; for (src_cat = src->cat; src_cat; src_cat = src_cat->next) { new_cat = (mls_semantic_cat_t *) malloc(sizeof(mls_semantic_cat_t)); - if (!new_cat) + if (!new_cat) { + ERR(state->handle, "Out of memory"); return -1; + } mls_semantic_cat_init(new_cat); new_cat->next = dst->cat; 
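Review bot: The new early exit `if (!mod->policy->mls) return 0;` in mls_level_convert returns before anything is stored into `dst`, so `dst->sens` and `dst->cat` keep whatever the caller had there; that is only safe if every caller zero-initialises the destination level, and the allocations in the user and range_transition callers are outside these hunks so I cannot confirm it. If any of them uses plain malloc, a linked non-MLS user carries garbage in its level. Either document the contract at the early return, `/* non-MLS module: dst is left untouched; callers must have zeroed it */`, or make it explicit with `dst->sens = 0; dst->cat = NULL;` before returning. mls_level_convert ends outside this hunk.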
@@ -854,13 +859,16 @@ return 0; } -static int mls_range_convert(mls_semantic_range_t * src, - mls_semantic_range_t * dst, policy_module_t * mod) +static int mls_range_convert(mls_semantic_range_t * src, mls_semantic_range_t * dst, + policy_module_t * mod, link_state_t * state) { - if (mls_level_convert(&src->level[0], &dst->level[0], mod)) - return -1; - if (mls_level_convert(&src->level[1], &dst->level[1], mod)) - return -1; + int ret; + ret = mls_level_convert(&src->level[0], &dst->level[0], mod, state); + if (ret) + return ret; + ret = mls_level_convert(&src->level[1], &dst->level[1], mod, state); + if (ret) + return ret; return 0; } @@ -994,10 +1002,10 @@ goto cleanup; } - if (mls_range_convert(&user->range, &new_user->range, mod)) + if (mls_range_convert(&user->range, &new_user->range, mod, state)) goto cleanup; - if (mls_level_convert(&user->dfltlevel, &new_user->dfltlevel, mod)) + if (mls_level_convert(&user->dfltlevel, &new_user->dfltlevel, mod, state)) goto cleanup; return 0; @@ -1224,7 +1232,7 @@ } } - if (mls_range_convert(&rule->trange, &new_rule->trange, mod)) + if (mls_range_convert(&rule->trange, &new_rule->trange, mod, state)) goto cleanup; } return 0; This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
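Review bot: In the `@@ -1224` hunk the range_transition copy now passes `state` to mls_range_convert, but combined with the non-MLS early return in mls_level_convert a range_transition rule in a non-MLS module is linked with its `trange` left unconverted and no diagnostic; if the compiler already rejects range_transition in non-MLS modules this is harmless, otherwise an explicit check such as `if (!mod->policy->mls) { ERR(state->handle, "%s: range_transition in non-MLS module", state->cur_mod_name); goto cleanup; }` is warranted. Whether the parser rejects it is not visible here. Separately, in mls_range_convert the `int ret; ret = ...` pair can be one declaration with initialiser, and since mls_level_convert only ever returns 0 or -1 the forwarding of `ret` is behaviourally identical to the old `return -1`. The enclosing functions begin and end outside these hunks.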
From: <kma...@us...> - 2007-02-01 21:30:19
Revision: 2218 http://svn.sourceforge.net/selinux/?rev=2218&view=rev Author: kmacmillan Date: 2007-02-01 13:30:18 -0800 (Thu, 01 Feb 2007) Log Message: ----------- libsepol 2.0.0 Modified Paths: -------------- trunk/libsepol/ChangeLog trunk/libsepol/VERSION Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2007-02-01 21:29:28 UTC (rev 2217) +++ trunk/libsepol/ChangeLog 2007-02-01 21:30:18 UTC (rev 2218) @@ -1,3 +1,4 @@ +2.0.0 2007-01-01 * Merged patch to add errcodes.h to libsepol by Karl MacMillan. 1.16.0 2007-01-18 Modified: trunk/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2007-02-01 21:29:28 UTC (rev 2217) +++ trunk/libsepol/VERSION 2007-02-01 21:30:18 UTC (rev 2218) @@ -1 +1 @@ -1.16.0 +2.0.0 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <kma...@us...> - 2007-02-06 15:03:36
Revision: 2222 http://svn.sourceforge.net/selinux/?rev=2222&view=rev Author: kmacmillan Date: 2007-02-06 07:03:29 -0800 (Tue, 06 Feb 2007) Log Message: ----------- Author: Stephen Smalley Email: sd...@ty... Subject: libsepol: check for unmet requires on sensitivities and categories (Was: Re: core dump) Date: Tue, 06 Feb 2007 08:15:57 -0500 On Tue, 2007-02-06 at 08:06 -0500, Stephen Smalley wrote: > On Tue, 2007-02-06 at 07:40 -0500, Stephen Smalley wrote: > > On Tue, 2007-02-06 at 04:12 +0200, Stefanos Harhalakis wrote: > > > I had this issue today: > > > > > > # semodule -i logging.pp > > > Segmentation fault (core dumped) > > > > > > I traced this a bit and it seems that this is because of libsepol. > > > The core dump is the result of lines 602:603 of link.c: > > > > > > (gdb) bt > > > #0 0xb7f732fd in sens_copy_callback (key=0x848c2a0 "s15", datum=0x848c290, data=0xbfde3854) at link.c:602 > > > #1 0xb7f6f8a1 in hashtab_map (h=0x846cbf0, apply=0xb7f731d1 <sens_copy_callback>, args=0xbfde3854) at hashtab.c:214 > > > #2 0xb7f75528 in copy_identifiers (state=0xbfde3854, src_symtab=0x843cc74, dest_decl=0x0) at link.c:1323 > > > #3 0xb7f77c72 in link_modules (handle=0x804c710, b=0x80525b8, mods=0x863ce18, len=19, verbose=0) at link.c:2178 > > > #4 0xb7f7a2c9 in sepol_link_packages (handle=0x804c710, base=0x8053060, modules=0x80543c8, num_modules=19, verbose=0) at module.c:302 > > > > > > Where: > > > > > > (gdb) l > > > 597 state->cur_mod_name); > > > 598 return -SEPOL_LINK_NOTSUP; > > > 599 } > > > 600 } > > > 601 > > > 602 state->cur->map[SYM_LEVELS][level->level->sens - 1] = > > > 603 base_level->level->sens; > > > 604 > > > 605 return 0; > > > 606 } > > > > > > Because of: > > > > > > (gdb) p base_level > > > $1 = (level_datum_t *) 0x0 > > > > > > The last 'if' checks for !base_level, but inside the 'if' block, only > > > !scope and scope->scope==SCOPE_DECL are checked. 
> > > > > > This core dump is caused by: > > > > > > (gdb) p scope->scope > > > $2 = 1 > > > > > > Which is noted as: > > > > > > /* Required for this decl */ > > > #define SCOPE_REQ 1 > > > > > > in libsepol/include/sepol/policydb/policydb.h > > > > > > Hope this helps... > > > > Looks like your logging.pp policy module has a requires on sensitivity > > s15 but your base module doesn't declare it. Naturally, that should > > show up as an unfulfilled requirement rather than a seg fault. Second patch below for the trunk (I also stripped the extraneous \n characters from the first patch locally). Signed-off-by: Stephen Smalley <sd...@ty...> Acked-by: Karl MacMillan <kma...@me...> Modified Paths: -------------- trunk/libsepol/ChangeLog trunk/libsepol/src/link.c Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2007-02-05 19:11:28 UTC (rev 2221) +++ trunk/libsepol/ChangeLog 2007-02-06 15:03:29 UTC (rev 2222) @@ -1,3 +1,7 @@ +2.0.1 2007-02-01 + * Merged libsepol segfault fix from Stephen Smalley for when + sensitivities are required but not present in the base. + 2.0.0 2007-02-01 * Merged patch to add errcodes.h to libsepol by Karl MacMillan. Modified: trunk/libsepol/src/link.c =================================================================== --- trunk/libsepol/src/link.c 2007-02-05 19:11:28 UTC (rev 2221) +++ trunk/libsepol/src/link.c 2007-02-06 15:03:29 UTC (rev 2222) @@ -598,6 +598,13 @@ state->cur_mod_name); return SEPOL_ENOTSUP; } + if (scope->scope == SCOPE_REQ) { + /* unmet requirement */ + ERR(state->handle, + "%s: Sensitivity %s not declared by base.", + state->cur_mod_name, id); + return SEPOL_ENOTSUP; + } } state->cur->map[SYM_LEVELS][level->level->sens - 1] = 
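Review bot: The added SCOPE_REQ branch closes the reported crash, but the code still dereferences `base_level->level->sens` immediately after the `if (!base_level)` block for any scope value that is neither SCOPE_DECL nor SCOPE_REQ, so a malformed or future scope value reproduces the same NULL dereference. Since every path inside that block has base_level NULL and is therefore an error, I would end the block with an unconditional fallback rather than rely on the enumeration being exhaustive: `ERR(state->handle, "%s: Sensitivity %s has an unexpected scope.", state->cur_mod_name, id); return SEPOL_ERR;` (substitute whatever generic error code link.c uses elsewhere; SEPOL_ERR is my guess). The category copy in the next hunk has the same shape. The enclosing callback starts outside this hunk.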
@@ -629,6 +636,13 @@ state->cur_mod_name); return SEPOL_ENOTSUP; } + if (scope->scope == SCOPE_REQ) { + /* unmet requirement */ + ERR(state->handle, + "%s: Category %s not declared by base.", + state->cur_mod_name, id); + return SEPOL_ENOTSUP; + } } state->cur->map[SYM_CATS][cat->s.value - 1] = base_cat->s.value; This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <mad...@us...> - 2007-03-30 15:25:36
Revision: 2308 http://svn.sourceforge.net/selinux/?rev=2308&view=rev Author: madmethod Date: 2007-03-30 08:25:34 -0700 (Fri, 30 Mar 2007) Log Message: ----------- Author: Karl MacMillan Email: kma...@me... Subject: map booleans during expansion Date: Thu, 29 Mar 2007 11:22:14 -0400 On Thu, 2007-03-29 at 10:10 -0400, Joshua Brindle wrote: > Stephen Smalley wrote: > > On Thu, 2007-03-29 at 08:38 -0400, Joshua Brindle wrote: > > > >> Karl MacMillan wrote: > >> > >>> [below is a response to an accidentally off-list discussion] > >>> > >>> On Wed, 2007-03-28 at 12:29 -0400, Stephen Smalley wrote: > >>> > >>> > >>>> On Wed, 2007-03-28 at 12:16 -0400, Karl MacMillan wrote: > >>>> > >>>> > >>>>> Currently, the expander does not map booleans during expansion. > >>>>> > >>>>> > >>> However, > >>> > >>> > >>>>> it is possible that booleans can be declared in an optional block > >>>>> resulting in the need to map the booleans. This patch adds boolean > >>>>> mappings to the expander. The same thing likely needs to be done for > >>>>> roles and users - Josh, can you confirm > >>>>> > >>>>> > >> This is correct, only types are being remapped by the expander. I guess > >> someone didn't think all the extra code to remap all of them was worth > >> it since they are very small namespaces anyway. > >> > > > > So do they need to be remapped or not? > > > > > It isn't strictly necessary. Holes in the symbol tables aren't currently > causing any problems and the new representation shouldn't have this > problem so I don't know the value in applying this patch now. > It is necessary - this patch came about because of errors during compilation. If the base module has more booleans than the output policy then the boolean indexing will fail during policydb_index_others. We could certainly allow holes in the symbol tables, but it doesn't work currently because nprim will be smaller than the largest value. So do we allow holes or do the indexing? 
An updated patch against trunk that fixes the memory leak is below. At some point we should standardize on whether destroy / free functions free the struct or just the allocated memory contained by the struct. Also, if anyone is looking for something to do, adding a few valgrind runs to the unit tests would be helpful to encourage slackers like me to be more diligent. I'll send a patch for stable if this is the route we want to take. Signed-off-by: Karl MacMillan <kma...@me...> Modified Paths: -------------- trunk/libsepol/ChangeLog trunk/libsepol/VERSION trunk/libsepol/include/sepol/policydb/conditional.h trunk/libsepol/src/conditional.c trunk/libsepol/src/expand.c trunk/libsepol/src/private.h Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2007-03-26 15:08:31 UTC (rev 2307) +++ trunk/libsepol/ChangeLog 2007-03-30 15:25:34 UTC (rev 2308) @@ -1,3 +1,7 @@ +2.0.2 2007-03-30 + * Merged fix from Karl to remap booleans at expand time to + avoid holes in the symbol table. + 2.0.1 2007-02-06 * Merged libsepol segfault fix from Stephen Smalley for when sensitivities are required but not present in the base. Modified: trunk/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2007-03-26 15:08:31 UTC (rev 2307) +++ trunk/libsepol/VERSION 2007-03-30 15:25:34 UTC (rev 2308) @@ -1 +1 @@ -2.0.1 +2.0.2 Modified: trunk/libsepol/include/sepol/policydb/conditional.h =================================================================== --- trunk/libsepol/include/sepol/policydb/conditional.h 2007-03-26 15:08:31 UTC (rev 2307) +++ trunk/libsepol/include/sepol/policydb/conditional.h 2007-03-30 15:25:34 UTC (rev 2308) 
@@ -100,6 +100,8 @@ cond_node_t * needle, cond_node_t * haystack, int *was_created); +extern cond_node_t *cond_node_create(policydb_t * p, cond_node_t * node); + extern cond_node_t *cond_node_search(policydb_t * p, cond_node_t * list, cond_node_t * cn); Modified: trunk/libsepol/src/conditional.c =================================================================== --- trunk/libsepol/src/conditional.c 2007-03-26 15:08:31 UTC (rev 2307) +++ trunk/libsepol/src/conditional.c 2007-03-30 15:25:34 UTC (rev 2308) @@ -26,9 +26,6 @@ #include "private.h" -#undef min -#define min(a,b) (((a) < (b)) ? (a) : (b)) - /* move all type rules to top of t/f lists to help kernel on evaluation */ static void cond_optimize(cond_av_list_t ** l) { @@ -136,6 +133,38 @@ return 1; } +/* Create a new conditional node, optionally copying + * the conditional expression from an existing node. + * If node is NULL then a new node will be created + * with no conditional expression. + */ +cond_node_t *cond_node_create(policydb_t * p, cond_node_t * node) +{ + cond_node_t *new_node; + unsigned int i; + + new_node = (cond_node_t *)malloc(sizeof(cond_node_t)); + if (!new_node) { + return NULL; + } + memset(new_node, 0, sizeof(cond_node_t)); + + if (node) { + new_node->expr = cond_copy_expr(node->expr); + if (!new_node->expr) { + free(new_node); + return NULL; + } + new_node->cur_state = cond_evaluate_expr(p, new_node->expr); + new_node->nbools = node->nbools; + for (i = 0; i < min(node->nbools, COND_MAX_BOOLS); i++) + new_node->bool_ids[i] = node->bool_ids[i]; + new_node->expr_pre_comp = node->expr_pre_comp; + } + + return new_node; +} + /* Find a conditional (the needle) within a list of existing ones (the * haystack) that has a matching expression. If found, return a * pointer to the existing node, setting 'was_created' to 0. 
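Review bot: cond_node_create copies `new_node->nbools = node->nbools;` unclamped while the loop that copies `bool_ids` is bounded by `min(node->nbools, COND_MAX_BOOLS)`; if nbools can ever exceed COND_MAX_BOOLS (the clamp suggests the author thought it could) the new node advertises more ids than its `bool_ids` array holds, and any consumer that iterates up to `nbools` reads past the array. This was inherited from the code inlined in cond_node_search, but the function is now declared in the public conditional.h, so the invariant should be made explicit: either `new_node->nbools = min(node->nbools, COND_MAX_BOOLS);` or a comment stating that callers guarantee `nbools <= COND_MAX_BOOLS`. Whether cond_normalize_expr already enforces that bound is not visible here.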
@@ -145,9 +174,6 @@ cond_node_t * needle, cond_node_t * haystack, int *was_created) { - cond_node_t *new_node; - unsigned int i; - while (haystack) { if (cond_expr_equal(needle, haystack)) { *was_created = 0; @@ -156,26 +182,8 @@ haystack = haystack->next; } *was_created = 1; - new_node = (cond_node_t *) malloc(sizeof(cond_node_t)); - if (!new_node) { - return NULL; - } - memset(new_node, 0, sizeof(cond_node_t)); - new_node->expr = cond_copy_expr(needle->expr); - if (!new_node->expr) { - free(new_node); - return NULL; - } - new_node->cur_state = cond_evaluate_expr(p, new_node->expr); - new_node->nbools = needle->nbools; - for (i = 0; i < min(needle->nbools, COND_MAX_BOOLS); i++) - new_node->bool_ids[i] = needle->bool_ids[i]; - new_node->expr_pre_comp = needle->expr_pre_comp; - new_node->true_list = NULL; - new_node->false_list = NULL; - new_node->avtrue_list = NULL; - new_node->avfalse_list = NULL; - return new_node; + + return cond_node_create(p, needle); } /* return either a pre-existing matching node or create a new node */ Modified: trunk/libsepol/src/expand.c =================================================================== --- trunk/libsepol/src/expand.c 2007-03-26 15:08:31 UTC (rev 2307) +++ trunk/libsepol/src/expand.c 2007-03-30 15:25:34 UTC (rev 2308) @@ -35,10 +35,12 @@ #include <assert.h> #include "debug.h" +#include "private.h" typedef struct expand_state { int verbose; uint32_t *typemap; + uint32_t *boolmap; policydb_t *base; policydb_t *out; sepol_handle_t *handle; @@ -791,8 +793,8 @@ return -1; } - new_bool->s.value = bool->s.value; state->out->p_bools.nprim++; + new_bool->s.value = state->out->p_bools.nprim; ret = hashtab_insert(state->out->p_bools.table, (hashtab_key_t) new_id, @@ -804,6 +806,8 @@ return -1; } + state->boolmap[bool->s.value - 1] = new_bool->s.value; + new_bool->state = bool->state; return 0; 
@@ -1555,12 +1559,35 @@ return 0; } +static int cond_node_map_bools(expand_state_t * state, cond_node_t * cn) +{ + cond_expr_t *cur; + unsigned int i; + + cur = cn->expr; + while (cur) { + if (cur->bool) + cur->bool = state->boolmap[cur->bool - 1]; + cur = cur->next; + } + + for (i = 0; i < min(cn->nbools, COND_MAX_BOOLS); i++) + cn->bool_ids[i] = state->boolmap[cn->bool_ids[i] - 1]; + + if (cond_normalize_expr(state->out, cn)) { + ERR(state->handle, "Error while normalizing conditional"); + return -1; + } + + return 0; +} + /* copy the nodes in *reverse* order -- the result is that the last * given conditional appears first in the policy, so as to match the * behavior of the upstream compiler */ static int cond_node_copy(expand_state_t * state, cond_node_t * cn) { - cond_node_t *new_cond; + cond_node_t *new_cond, *tmp; if (cn == NULL) { return 0; @@ -1573,11 +1600,28 @@ return -1; } - new_cond = cond_node_search(state->out, state->out->cond_list, cn); + /* create a new temporary conditional node with the booleans + * mapped */ + tmp = cond_node_create(state->base, cn); + if (!tmp) { + ERR(state->handle, "Out of memory"); + return -1; + } + + if (cond_node_map_bools(state, tmp)) { + ERR(state->handle, "Error mapping booleans"); + return -1; + } + + new_cond = cond_node_search(state->out, state->out->cond_list, tmp); if (!new_cond) { + cond_node_destroy(tmp); + free(tmp); ERR(state->handle, "Out of memory!"); return -1; } + cond_node_destroy(tmp); + free(tmp); if (cond_avrule_list_copy (state->out, cn->avtrue_list, &state->out->te_cond_avtab, @@ -2210,6 +2254,12 @@ goto cleanup; } + state.boolmap = (uint32_t *)calloc(state.base->p_bools.nprim, sizeof(uint32_t)); + if (!state.boolmap) { + ERR(handle, "Out of memory!"); + goto cleanup; + } + /* order is important - types must be first */ /* copy types */ 
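Review bot: In cond_node_copy the failure path of the new boolean mapping leaks the temporary node: `if (cond_node_map_bools(state, tmp)) { ERR(state->handle, "Error mapping booleans"); return -1; }` returns without the `cond_node_destroy(tmp); free(tmp);` pair that the neighbouring cond_node_search failure path does perform, so add those two calls before that `return -1;`. Also, cond_node_map_bools indexes `state->boolmap[cur->bool - 1]` and `state->boolmap[cn->bool_ids[i] - 1]` with no bound check; the map is sized to `state->base->p_bools.nprim` in expand_module, but when it arrives through expand_module_avrules its length is whatever the external caller passed, so a comment on the size contract (or a range check against base nprim) would help. cond_node_copy continues past the end of this hunk.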
@@ -2364,6 +2414,7 @@ cleanup: free(state.typemap); + free(state.boolmap); return retval; } Modified: trunk/libsepol/src/private.h =================================================================== --- trunk/libsepol/src/private.h 2007-03-26 15:08:31 UTC (rev 2307) +++ trunk/libsepol/src/private.h 2007-03-30 15:25:34 UTC (rev 2308) @@ -24,6 +24,9 @@ #define le64_to_cpu(x) bswap_64(x) #endif +#undef min +#define min(a,b) (((a) < (b)) ? (a) : (b)) + /* Policy compatibility information. */ struct policydb_compat_info { unsigned int type; This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2007-04-13 14:06:59
Revision: 2351 http://svn.sourceforge.net/selinux/?rev=2351&view=rev Author: ssmalley Date: 2007-04-13 07:06:57 -0700 (Fri, 13 Apr 2007) Log Message: ----------- Author: "Christopher J. PeBenito" Email: cpe...@tr... Subject: add boolmap argument to expand_module_avrules() Date: Thu, 12 Apr 2007 19:03:17 +0000 A recent change to libsepol's expander introduced the boolmap structure so that boolean values may be remapped properly. In the special function expand_module_avrules(), which at the moment only SETools uses, this boolmap structure is never initialized. As a result, the expander will segfault when remapping conditional expressions. The following patch adds a paramater to expand_module_avrules() that allows users to specify that boolmap. This function is never exported out of the library, so doesn't result in an ABI change to the library. Modified Paths: -------------- trunk/libsepol/include/sepol/policydb/expand.h trunk/libsepol/src/expand.c Modified: trunk/libsepol/include/sepol/policydb/expand.h =================================================================== --- trunk/libsepol/include/sepol/policydb/expand.h 2007-04-12 19:03:11 UTC (rev 2350) +++ trunk/libsepol/include/sepol/policydb/expand.h 2007-04-13 14:06:57 UTC (rev 2351) 
@@ -30,17 +30,19 @@ #include <sepol/policydb/conditional.h> /* - * Expand only the avrules for a module. It is valid for this function to - * expand base into itself (i.e. base == out); the typemap for this special - * case should map type[i] to i+1. This function optionally expands neverallow - * rules. If neverallow rules are expanded, there is no need to copy them and - * doing so could cause duplicate entries when base == out. If the neverallow - * rules are not expanded, they are just copied to the destination policy so - * that assertion checking can be performed after expand. No assertion or - * hierarchy checking is performed by this function. + * Expand only the avrules for a module. It is valid for this function + * to expand base into itself (i.e. base == out); the typemap for + * this special case should map type[i] to i+1. Likewise the boolmap + * should map bool[i] to i + 1. This function optionally expands + * neverallow rules. If neverallow rules are expanded, there is no + * need to copy them and doing so could cause duplicate entries when + * base == out. If the neverallow rules are not expanded, they are + * just copied to the destination policy so that assertion checking + * can be performed after expand. No assertion or hierarchy checking + * is performed by this function. */ extern int expand_module_avrules(sepol_handle_t * handle, policydb_t * base, - policydb_t * out, uint32_t * typemap, + policydb_t * out, uint32_t * typemap, uint32_t * boolmap, int verbose, int expand_neverallow); /* * Expand all parts of a module. Neverallow rules are not expanded (only Modified: trunk/libsepol/src/expand.c =================================================================== --- trunk/libsepol/src/expand.c 2007-04-12 19:03:11 UTC (rev 2350) +++ trunk/libsepol/src/expand.c 2007-04-13 14:06:57 UTC (rev 2351) 
@@ -2198,7 +2198,8 @@
  * or expand into the same policy for analysis purposes.
  */
 int expand_module_avrules(sepol_handle_t * handle, policydb_t * base,
- policydb_t * out, uint32_t * typemap, int verbose,
+ policydb_t * out, uint32_t * typemap,
+ uint32_t * boolmap, int verbose,
 int expand_neverallow)
 {
 expand_state_t state;
@@ -2208,6 +2209,7 @@
 state.base = base;
 state.out = out;
 state.typemap = typemap;
+ state.boolmap = boolmap;
 state.handle = handle;
 state.verbose = verbose;
 state.expand_neverallow = expand_neverallow;
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2007-04-13 14:08:27
Revision: 2352 http://svn.sourceforge.net/selinux/?rev=2352&view=rev Author: ssmalley Date: 2007-04-13 07:08:26 -0700 (Fri, 13 Apr 2007) Log Message: ----------- Updated ChangeLog and VERSION. Modified Paths: -------------- trunk/libsepol/ChangeLog trunk/libsepol/VERSION Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2007-04-13 14:06:57 UTC (rev 2351) +++ trunk/libsepol/ChangeLog 2007-04-13 14:08:26 UTC (rev 2352) @@ -1,3 +1,6 @@ +2.0.3 2007-04-13 + * Merged add boolmap argument to expand_module_avrules() from Chris PeBenito. + 2.0.2 2007-03-30 * Merged fix from Karl to remap booleans at expand time to avoid holes in the symbol table. Modified: trunk/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2007-04-13 14:06:57 UTC (rev 2351) +++ trunk/libsepol/VERSION 2007-04-13 14:08:26 UTC (rev 2352) @@ -1 +1 @@ -2.0.2 +2.0.3 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ew...@us...> - 2007-06-20 16:56:18
Revision: 2477 http://svn.sourceforge.net/selinux/?rev=2477&view=rev Author: ewalsh Date: 2007-06-20 09:56:16 -0700 (Wed, 20 Jun 2007) Log Message: ----------- Author: Eamon Walsh Email: ew...@ty... Subject: libsepol: sepol_check_context correct error handling behavior Date: Mon, 18 Jun 2007 14:13:30 -0400 Sets errno to EINVAL, EEXIST as appropriate. Also fixed man page. Signed-off-by: Eamon Walsh <ew...@ty...> Acked-by: Stephen Smalley <sd...@ty...> Modified Paths: -------------- trunk/libsepol/man/man3/sepol_check_context.3 trunk/libsepol/src/context.c trunk/libsepol/src/context_record.c trunk/libsepol/src/sidtab.c
Modified: trunk/libsepol/man/man3/sepol_check_context.3
===================================================================
--- trunk/libsepol/man/man3/sepol_check_context.3 2007-06-13 12:47:40 UTC (rev 2476)
+++ trunk/libsepol/man/man3/sepol_check_context.3 2007-06-20 16:56:16 UTC (rev 2477)
@@ -22,4 +22,4 @@
 from libselinux instead.
 .SH "RETURN VALUE"
-Returns 0 on success or -EINVAL otherwise.
+Returns 0 on success or -1 with errno set otherwise.
Modified: trunk/libsepol/src/context.c
===================================================================
--- trunk/libsepol/src/context.c 2007-06-13 12:47:40 UTC (rev 2476)
+++ trunk/libsepol/src/context.c 2007-06-20 16:56:16 UTC (rev 2477)
@@ -224,6 +224,7 @@
 return STATUS_SUCCESS;
 err_destroy:
+ errno = EINVAL;
 context_destroy(scontext);
 err:
Modified: trunk/libsepol/src/context_record.c
===================================================================
--- trunk/libsepol/src/context_record.c 2007-06-13 12:47:40 UTC (rev 2476)
+++ trunk/libsepol/src/context_record.c 2007-06-20 16:56:16 UTC (rev 2477)
@@ -1,3 +1,4 @@
+#include <errno.h>
 #include <stdlib.h>
 #include <string.h>
 #include <stdio.h>
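Review bot: `errno = EINVAL;` in the context.c hunk is assigned before `context_destroy(scontext);` rather than immediately before the function returns, so the value the updated man page promises ("-1 with errno set") reaches the caller only if the destroy path, and the free() it presumably ends in, leave errno alone — which the C standard does not guarantee. Setting errno as the last action before the return, or at the err: label after all cleanup, is the robust shape; if err: is also entered directly by other failure paths, those currently return without setting errno at all. The return statement after err: is outside the hunk.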
@@ -260,6 +261,7 @@
 return STATUS_SUCCESS;
 mcontext:
+ errno = EINVAL;
 ERR(handle, "malformed context \"%s\"", str);
 err:
Modified: trunk/libsepol/src/sidtab.c
===================================================================
--- trunk/libsepol/src/sidtab.c 2007-06-13 12:47:40 UTC (rev 2476)
+++ trunk/libsepol/src/sidtab.c 2007-06-20 16:56:16 UTC (rev 2477)
@@ -56,8 +56,10 @@
 cur = cur->next;
 }
- if (cur && sid == cur->sid)
+ if (cur && sid == cur->sid) {
+ errno = EEXIST;
 return -EEXIST;
+ }
 newnode = (sidtab_node_t *) malloc(sizeof(sidtab_node_t));
 if (newnode == NULL)
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
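Review bot: `errno = EINVAL;` under mcontext: is set before `ERR(handle, "malformed context \"%s\"", str);`, and whatever that macro does to emit the message (formatting, a callback, a write to a stream) can fail and overwrite errno before the caller ever reads it. Move the assignment after the ERR call, or to the point just before the return under err:, so the -1/errno contract the man page now documents holds regardless of how the message path behaves. The return under err: is outside the hunk.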
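Review bot: The new sidtab.c block reports a duplicate SID two ways at once — `errno = EEXIST;` plus the unchanged `return -EEXIST;` — while the man page updated in this commit promises -1 with errno set, so a caller testing `rc == -1` will not recognise this failure and a caller testing `rc < 0` already had the information in the return value. Pick one convention for the module: `return -1;` here with errno set, or keep the negative-errno return and let the public entry point translate it to errno once. If the malloc failure visible at the end of the hunk is still reported the old way (negative value, no errno assignment), the two error paths of this function now disagree; its tail is outside the hunk.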
From: <ew...@us...> - 2007-06-20 16:57:16
|
Revision: 2478 http://svn.sourceforge.net/selinux/?rev=2478&view=rev Author: ewalsh Date: 2007-06-20 09:57:15 -0700 (Wed, 20 Jun 2007) Log Message: ----------- updated libsepol to version 2.0.4 Modified Paths: -------------- trunk/libsepol/ChangeLog trunk/libsepol/VERSION Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2007-06-20 16:56:16 UTC (rev 2477) +++ trunk/libsepol/ChangeLog 2007-06-20 16:57:15 UTC (rev 2478) @@ -1,3 +1,6 @@ +2.0.4 2007-06-20 + * Merged error handling patch from Eamon Walsh. + 2.0.3 2007-04-13 * Merged add boolmap argument to expand_module_avrules() from Chris PeBenito. Modified: trunk/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2007-06-20 16:56:16 UTC (rev 2477) +++ trunk/libsepol/VERSION 2007-06-20 16:57:15 UTC (rev 2478) @@ -1 +1 @@ -2.0.3 +2.0.4 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2007-08-01 18:57:53
Revision: 2506 http://selinux.svn.sourceforge.net/selinux/?rev=2506&view=rev Author: ssmalley Date: 2007-08-01 11:57:53 -0700 (Wed, 01 Aug 2007) Log Message: ----------- updated libsepol to version 2.0.5 Modified Paths: -------------- trunk/libsepol/ChangeLog trunk/libsepol/VERSION Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2007-08-01 18:53:06 UTC (rev 2505) +++ trunk/libsepol/ChangeLog 2007-08-01 18:57:53 UTC (rev 2506) @@ -1,3 +1,8 @@ +2.0.5 2007-08-01 + * Fix sepol_context_clone to handle a NULL context correctly. + This happens for e.g. semanage_fcontext_set_con(sh, fcontext, NULL) + to set the file context entry to "<<none>>". + 2.0.4 2007-06-20 * Merged error handling patch from Eamon Walsh. Modified: trunk/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2007-08-01 18:53:06 UTC (rev 2505) +++ trunk/libsepol/VERSION 2007-08-01 18:57:53 UTC (rev 2506) @@ -1 +1 @@ -2.0.4 +2.0.5 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2007-08-23 14:59:33
Revision: 2536 http://selinux.svn.sourceforge.net/selinux/?rev=2536&view=rev Author: ssmalley Date: 2007-08-23 07:59:08 -0700 (Thu, 23 Aug 2007) Log Message: ----------- updated libsepol to version 2.0.7 Modified Paths: -------------- trunk/libsepol/ChangeLog trunk/libsepol/VERSION Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2007-08-23 14:56:56 UTC (rev 2535) +++ trunk/libsepol/ChangeLog 2007-08-23 14:59:08 UTC (rev 2536) @@ -1,5 +1,9 @@ +2.0.7 2007-08-23 + * Eliminate unaligned accesses from policy reading code from Stephen Smalley. + 2.0.6 2007-08-16 - * Allow dontaudits to be turned off during policy expansion + * Allow dontaudits to be turned off during policy expansion from + Joshua Brindle. 2.0.5 2007-08-01 * Fix sepol_context_clone to handle a NULL context correctly. Modified: trunk/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2007-08-23 14:56:56 UTC (rev 2535) +++ trunk/libsepol/VERSION 2007-08-23 14:59:08 UTC (rev 2536) @@ -1 +1 @@ -2.0.6 +2.0.7 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2007-08-28 17:40:28
Revision: 2540 http://selinux.svn.sourceforge.net/selinux/?rev=2540&view=rev Author: ssmalley Date: 2007-08-28 10:40:17 -0700 (Tue, 28 Aug 2007) Log Message: ----------- updated libsepol to version 2.0.8 Modified Paths: -------------- trunk/libsepol/ChangeLog trunk/libsepol/VERSION Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2007-08-28 17:39:25 UTC (rev 2539) +++ trunk/libsepol/ChangeLog 2007-08-28 17:40:17 UTC (rev 2540) @@ -1,3 +1,6 @@ +2.0.8 2007-08-28 + * Fixed module_package_read_offsets bug introduced by the prior patch. + 2.0.7 2007-08-23 * Eliminate unaligned accesses from policy reading code from Stephen Smalley. Modified: trunk/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2007-08-28 17:39:25 UTC (rev 2539) +++ trunk/libsepol/VERSION 2007-08-28 17:40:17 UTC (rev 2540) @@ -1 +1 @@ -2.0.7 +2.0.8 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2007-08-29 13:03:22
Revision: 2544 http://selinux.svn.sourceforge.net/selinux/?rev=2544&view=rev Author: ssmalley Date: 2007-08-29 06:03:18 -0700 (Wed, 29 Aug 2007) Log Message: ----------- updated libsepol to version 2.0.9 Modified Paths: -------------- trunk/libsepol/ChangeLog trunk/libsepol/VERSION Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2007-08-29 13:02:10 UTC (rev 2543) +++ trunk/libsepol/ChangeLog 2007-08-29 13:03:18 UTC (rev 2544) @@ -1,3 +1,6 @@ +2.0.9 2007-08-29 + * Moved next_entry and put_entry out-of-line to reduce code size from Ulrich Drepper. + 2.0.8 2007-08-28 * Fixed module_package_read_offsets bug introduced by the prior patch. Modified: trunk/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2007-08-29 13:02:10 UTC (rev 2543) +++ trunk/libsepol/VERSION 2007-08-29 13:03:18 UTC (rev 2544) @@ -1 +1 @@ -2.0.8 +2.0.9 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2007-09-18 19:43:39
Revision: 2566 http://selinux.svn.sourceforge.net/selinux/?rev=2566&view=rev Author: ssmalley Date: 2007-09-18 12:43:38 -0700 (Tue, 18 Sep 2007) Log Message: ----------- Author: Eric Paris Email: ep...@re... Subject: libsepol: support the handle_unknown config flag Date: Wed, 01 Aug 2007 11:52:28 -0400 Update the policydb definition to contain a handle_unknown flag. Change libsepol to copy the handle_unknown config flag from the base policy to the final binary policy. Also makes libsepol properly read and write the flag which dealing with policy modules. Signed-off-by: Eric Paris <ep...@re...> Modified Paths: -------------- trunk/libsepol/include/sepol/policydb/policydb.h trunk/libsepol/src/expand.c trunk/libsepol/src/policydb.c trunk/libsepol/src/write.c
Modified: trunk/libsepol/include/sepol/policydb/policydb.h
===================================================================
--- trunk/libsepol/include/sepol/policydb/policydb.h 2007-09-18 19:41:20 UTC (rev 2565)
+++ trunk/libsepol/include/sepol/policydb/policydb.h 2007-09-18 19:43:38 UTC (rev 2566)
@@ -469,6 +469,8 @@
 ebitmap_t *attr_type_map; /* not saved in the binary policy */
 unsigned policyvers;
+
+ unsigned handle_unknown;
 } policydb_t;
 struct sepol_policydb {
@@ -599,6 +601,13 @@
 #define POLICYDB_CONFIG_MLS 1
+/* the config flags related to unknown classes/perms are bits 2 and 3 */
+#define DENY_UNKNOWN 0x00000000
+#define REJECT_UNKNOWN 0x00000002
+#define ALLOW_UNKNOWN 0x00000004
+
+#define POLICYDB_CONFIG_UNKNOWN_MASK (DENY_UNKNOWN | REJECT_UNKNOWN | ALLOW_UNKNOWN)
+
 #define OBJECT_R "object_r"
 #define OBJECT_R_VAL 1
Modified: trunk/libsepol/src/expand.c
===================================================================
--- trunk/libsepol/src/expand.c 2007-09-18 19:41:20 UTC (rev 2565)
+++ trunk/libsepol/src/expand.c 2007-09-18 19:43:38 UTC (rev 2566)
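Review bot: `#define DENY_UNKNOWN 0x00000000` puts a zero value inside a bit mask, so `handle_unknown & DENY_UNKNOWN` can never be true and the only correct test for the default is `(handle_unknown & POLICYDB_CONFIG_UNKNOWN_MASK) == 0`; the comment above it should say so, and it also calls 0x2 and 0x4 "bits 2 and 3" although they are bits 1 and 2 counting from bit 0, which POLICYDB_CONFIG_MLS occupies. Proposed replacement comment: `/* handle_unknown uses config bits 1-2 (0x2, 0x4); DENY_UNKNOWN is both bits clear - test with (x & POLICYDB_CONFIG_UNKNOWN_MASK) == 0 */`. Nothing in the header rules out REJECT_UNKNOWN | ALLOW_UNKNOWN being set together, so code reading the flag should treat 0x6 as invalid.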
@@ -2250,6 +2250,7 @@
 /* Copy mls state from base to out */
 out->mls = base->mls;
+ out->handle_unknown = base->handle_unknown;
 if ((state.typemap = (uint32_t *) calloc(state.base->p_types.nprim,
Modified: trunk/libsepol/src/policydb.c
===================================================================
--- trunk/libsepol/src/policydb.c 2007-09-18 19:41:20 UTC (rev 2565)
+++ trunk/libsepol/src/policydb.c 2007-09-18 19:43:38 UTC (rev 2566)
@@ -3077,6 +3077,8 @@
 p->mls = 0;
 }
+ p->handle_unknown = buf[bufindex] & POLICYDB_CONFIG_UNKNOWN_MASK;
+
 bufindex++;
 info = policydb_lookup_compat(r_policyvers, policy_type);
Modified: trunk/libsepol/src/write.c
===================================================================
--- trunk/libsepol/src/write.c 2007-09-18 19:41:20 UTC (rev 2565)
+++ trunk/libsepol/src/write.c 2007-09-18 19:43:38 UTC (rev 2566)
@@ -1534,6 +1534,8 @@
 if (p->mls)
 config |= POLICYDB_CONFIG_MLS;
+ config |= (POLICYDB_CONFIG_UNKNOWN_MASK & p->handle_unknown);
+
 /* Write the magic number and string identifiers. */
 items = 0;
 if (p->policy_type == POLICY_KERN) {
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
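Review bot: `p->handle_unknown = buf[bufindex] & POLICYDB_CONFIG_UNKNOWN_MASK;` in the policydb.c hunk accepts any combination of the two bits from the policy file header, including REJECT_UNKNOWN | ALLOW_UNKNOWN (0x6), which has no defined meaning, and the write.c hunk in this same commit copies that value back out unchanged, so a malformed or hand-edited file round-trips instead of being rejected. This is the binary policy reader, the place to validate: `if ((p->handle_unknown & REJECT_UNKNOWN) && (p->handle_unknown & ALLOW_UNKNOWN)) { /* report via the reader's handle and take its error exit */ }`, spelled with the error-reporting handle and failure label the enclosing read function already uses, both of which are outside the hunk.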
From: <ssm...@us...> - 2007-09-18 19:45:15
Revision: 2568 http://selinux.svn.sourceforge.net/selinux/?rev=2568&view=rev Author: ssmalley Date: 2007-09-18 12:45:14 -0700 (Tue, 18 Sep 2007) Log Message: ----------- updated libsepol to version 2.0.10 Modified Paths: -------------- trunk/libsepol/ChangeLog trunk/libsepol/VERSION Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2007-09-18 19:44:10 UTC (rev 2567) +++ trunk/libsepol/ChangeLog 2007-09-18 19:45:14 UTC (rev 2568) @@ -1,3 +1,6 @@ +2.0.10 2007-09-18 + * Merged support for the handle_unknown policydb flag from Eric Paris. + 2.0.9 2007-08-29 * Moved next_entry and put_entry out-of-line to reduce code size from Ulrich Drepper. Modified: trunk/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2007-09-18 19:44:10 UTC (rev 2567) +++ trunk/libsepol/VERSION 2007-09-18 19:45:14 UTC (rev 2568) @@ -1 +1 @@ -2.0.9 +2.0.10 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2007-09-24 16:37:43
Revision: 2583 http://selinux.svn.sourceforge.net/selinux/?rev=2583&view=rev Author: ssmalley Date: 2007-09-24 09:37:42 -0700 (Mon, 24 Sep 2007) Log Message: ----------- updated libsepol to version 2.0.11 Modified Paths: -------------- trunk/libsepol/ChangeLog trunk/libsepol/VERSION Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2007-09-24 16:37:16 UTC (rev 2582) +++ trunk/libsepol/ChangeLog 2007-09-24 16:37:42 UTC (rev 2583) @@ -1,3 +1,6 @@ +2.0.11 2007-09-24 + * Pass CFLAGS to CC even on link command, per Dennis Gilmore. + 2.0.10 2007-09-18 * Merged support for the handle_unknown policydb flag from Eric Paris. Modified: trunk/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2007-09-24 16:37:16 UTC (rev 2582) +++ trunk/libsepol/VERSION 2007-09-24 16:37:42 UTC (rev 2583) @@ -1 +1 @@ -2.0.10 +2.0.11 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2007-10-11 20:26:58
Revision: 2650 http://selinux.svn.sourceforge.net/selinux/?rev=2650&view=rev Author: ssmalley Date: 2007-10-11 13:26:57 -0700 (Thu, 11 Oct 2007) Log Message: ----------- updated libsepol to version 2.0.12 Modified Paths: -------------- trunk/libsepol/ChangeLog trunk/libsepol/VERSION Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2007-10-11 20:24:03 UTC (rev 2649) +++ trunk/libsepol/ChangeLog 2007-10-11 20:26:57 UTC (rev 2650) @@ -1,3 +1,7 @@ +2.0.12 2007-10-11 + * Fixed bug in require checking from Stephen Smalley. + * Added user hierarchy checking from Todd Miller. + 2.0.11 2007-09-24 * Pass CFLAGS to CC even on link command, per Dennis Gilmore. Modified: trunk/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2007-10-11 20:24:03 UTC (rev 2649) +++ trunk/libsepol/VERSION 2007-10-11 20:26:57 UTC (rev 2650) @@ -1 +1 @@ -2.0.11 +2.0.12 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2007-11-05 18:54:38
Revision: 2668 http://selinux.svn.sourceforge.net/selinux/?rev=2668&view=rev Author: ssmalley Date: 2007-11-05 10:54:28 -0800 (Mon, 05 Nov 2007) Log Message: ----------- updated libsepol to version 2.0.13 Modified Paths: -------------- trunk/libsepol/ChangeLog trunk/libsepol/VERSION Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2007-11-05 18:53:56 UTC (rev 2667) +++ trunk/libsepol/ChangeLog 2007-11-05 18:54:28 UTC (rev 2668) @@ -1,3 +1,6 @@ +2.0.13 2007-11-05 + * Allow handle_unknown in base to be overridden by semanage.conf from Stephen Smalley. + 2.0.12 2007-10-11 * Fixed bug in require checking from Stephen Smalley. * Added user hierarchy checking from Todd Miller. Modified: trunk/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2007-11-05 18:53:56 UTC (rev 2667) +++ trunk/libsepol/VERSION 2007-11-05 18:54:28 UTC (rev 2668) @@ -1 +1 @@ -2.0.12 +2.0.13 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2007-11-05 19:11:04
Revision: 2676 http://selinux.svn.sourceforge.net/selinux/?rev=2676&view=rev Author: ssmalley Date: 2007-11-05 11:11:02 -0800 (Mon, 05 Nov 2007) Log Message: ----------- updated libsepol to version 2.0.14 Modified Paths: -------------- trunk/libsepol/ChangeLog trunk/libsepol/VERSION Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2007-11-05 19:10:24 UTC (rev 2675) +++ trunk/libsepol/ChangeLog 2007-11-05 19:11:02 UTC (rev 2676) @@ -1,3 +1,6 @@ +2.0.14 2007-11-05 + * Reject self aliasing at link time from Stephen Smalley. + 2.0.13 2007-11-05 * Allow handle_unknown in base to be overridden by semanage.conf from Stephen Smalley. Modified: trunk/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2007-11-05 19:10:24 UTC (rev 2675) +++ trunk/libsepol/VERSION 2007-11-05 19:11:02 UTC (rev 2676) @@ -1 +1 @@ -2.0.13 +2.0.14 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <mad...@us...> - 2007-11-29 15:46:59
Revision: 2691 http://selinux.svn.sourceforge.net/selinux/?rev=2691&view=rev Author: madmethod Date: 2007-11-29 07:46:57 -0800 (Thu, 29 Nov 2007) Log Message: ----------- Author: Stephen Smalley Email: sd...@ty... Subject: libsepol: clarify and reduce neverallow error reporting Date: Thu, 29 Nov 2007 09:52:17 -0500 Alter the error reporting for neverallow failures to be clearer, i.e. use the word neverallow instead of assertion and don't report a line number if we don't have that information, and bail on the first such error rather than flooding the user with multiple ones, since any such error is fatal. Signed-off-by: Stephen Smalley <sd...@ty...> Acked-By: Joshua Brindle <me...@ma...> Modified Paths: -------------- trunk/libsepol/ChangeLog trunk/libsepol/VERSION trunk/libsepol/src/assertion.c Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2007-11-20 18:47:19 UTC (rev 2690) +++ trunk/libsepol/ChangeLog 2007-11-29 15:46:57 UTC (rev 2691) @@ -1,3 +1,6 @@ +2.0.15 2007-11-29 + * clarify and reduce neverallow error reporting from Stephen Smalley. + 2.0.14 2007-11-05 * Reject self aliasing at link time from Stephen Smalley. Modified: trunk/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2007-11-20 18:47:19 UTC (rev 2690) +++ trunk/libsepol/VERSION 2007-11-29 15:46:57 UTC (rev 2691) @@ -1 +1 @@ -2.0.14 +2.0.15 Modified: trunk/libsepol/src/assertion.c =================================================================== --- trunk/libsepol/src/assertion.c 2007-11-20 18:47:19 UTC (rev 2690) +++ trunk/libsepol/src/assertion.c 2007-11-29 15:46:57 UTC (rev 2691) 
@@ -59,11 +59,21 @@
 return 0;
 err:
- ERR(handle, "assertion on line %lu violated by allow %s %s:%s {%s };",
- line, p->p_type_val_to_name[stype], p->p_type_val_to_name[ttype],
- p->p_class_val_to_name[curperm->class - 1],
- sepol_av_to_string(p, curperm->class,
- node->datum.data & curperm->data));
+ if (line) {
+ ERR(handle, "neverallow on line %lu violated by allow %s %s:%s {%s };",
+ line, p->p_type_val_to_name[stype],
+ p->p_type_val_to_name[ttype],
+ p->p_class_val_to_name[curperm->class - 1],
+ sepol_av_to_string(p, curperm->class,
+ node->datum.data & curperm->data));
+ } else {
+ ERR(handle, "neverallow violated by allow %s %s:%s {%s };",
+ p->p_type_val_to_name[stype],
+ p->p_type_val_to_name[ttype],
+ p->p_class_val_to_name[curperm->class - 1],
+ sepol_av_to_string(p, curperm->class,
+ node->datum.data & curperm->data));
+ }
 return -1;
 }
@@ -74,7 +84,7 @@
 avtab_t te_avtab, te_cond_avtab;
 ebitmap_node_t *snode, *tnode;
 unsigned int i, j;
- int errors = 0;
+ int rc;
 if (!avrules) {
 /* Since assertions are stored in avrules, if it is NULL
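Review bot: The two ERR branches added after err: repeat the same argument expressions, including the sepol_av_to_string() call, so the two messages can silently drift apart the next time one of them is edited; computing the names once and branching only on the format string keeps the pair in step. Because err: is a label, the locals need a block of their own (or hoisting to the declarations at the top of the helper, presumably check_assertion_helper, which are outside the hunk).
```c
err:
	{
		const char *sname = p->p_type_val_to_name[stype];
		const char *tname = p->p_type_val_to_name[ttype];
		const char *cname = p->p_class_val_to_name[curperm->class - 1];
		const char *pname = sepol_av_to_string(p, curperm->class,
						       node->datum.data & curperm->data);
		if (line)
			ERR(handle, "neverallow on line %lu violated by allow %s %s:%s {%s };",
			    line, sname, tname, cname, pname);
		else
			ERR(handle, "neverallow violated by allow %s %s:%s {%s };",
			    sname, tname, cname, pname);
	}
	return -1;
```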
@@ -111,32 +121,31 @@
 if (a->flags & RULE_SELF) {
 if (check_assertion_helper
 (handle, p, &te_avtab, &te_cond_avtab, i, i,
- a->perms, a->line))
- errors++;
+ a->perms, a->line)) {
+ rc = -1;
+ goto out;
+ }
 }
 ebitmap_for_each_bit(ttypes, tnode, j) {
 if (!ebitmap_node_get_bit(tnode, j))
 continue;
 if (check_assertion_helper
 (handle, p, &te_avtab, &te_cond_avtab, i, j,
- a->perms, a->line))
- errors++;
+ a->perms, a->line)) {
+ rc = -1;
+ goto out;
+ }
 }
 }
 }
- if (errors) {
- ERR(handle, "%d assertion violations occured", errors);
- avtab_destroy(&te_avtab);
- avtab_destroy(&te_cond_avtab);
- return -1;
- }
-
+ rc = 0;
+out:
 avtab_destroy(&te_avtab);
 avtab_destroy(&te_cond_avtab);
- return 0;
+ return rc;
 oom:
- ERR(handle, "Out of memory - unable to check assertions");
+ ERR(handle, "Out of memory - unable to check neverallows");
 return -1;
 }
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
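Review bot: `int rc;` in the preceding hunk is left uninitialised and is assigned only at the two `rc = -1; goto out;` sites and at `rc = 0;` right before out:, so the function's result now depends on every future path to out: remembering to set it. Initialising at the declaration, `int rc = -1;`, and keeping `rc = 0;` only on the success path makes a forgotten assignment fail closed instead of returning indeterminate data, and the two identical `rc = -1; goto out;` blocks then shrink to a bare `goto out;`. The start of the function, including that declaration, is outside this hunk.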
From: <mil...@us...> - 2007-12-07 15:29:46
Revision: 2696 http://selinux.svn.sourceforge.net/selinux/?rev=2696&view=rev Author: millertc Date: 2007-12-07 07:29:44 -0800 (Fri, 07 Dec 2007) Log Message: ----------- updated libsepol to version 2.0.16 Modified Paths: -------------- trunk/libsepol/ChangeLog trunk/libsepol/VERSION Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2007-12-07 15:26:49 UTC (rev 2695) +++ trunk/libsepol/ChangeLog 2007-12-07 15:29:44 UTC (rev 2696) @@ -1,3 +1,6 @@ +2.0.16 2007-12-07 + * print module magic number in hex on mismatch, from Todd Miller. + 2.0.15 2007-11-29 * clarify and reduce neverallow error reporting from Stephen Smalley. Modified: trunk/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2007-12-07 15:26:49 UTC (rev 2695) +++ trunk/libsepol/VERSION 2007-12-07 15:29:44 UTC (rev 2696) @@ -1 +1 @@ -2.0.15 +2.0.16 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |