From: <ssm...@us...> - 2007-12-21 17:25:54
|
Revision: 2714 http://selinux.svn.sourceforge.net/selinux/?rev=2714&view=rev Author: ssmalley Date: 2007-12-21 09:25:53 -0800 (Fri, 21 Dec 2007) Log Message: ----------- updated libsepol to version 2.0.17 Modified Paths: -------------- trunk/libsepol/ChangeLog trunk/libsepol/VERSION Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2007-12-21 17:24:50 UTC (rev 2713) +++ trunk/libsepol/ChangeLog 2007-12-21 17:25:53 UTC (rev 2714) @@ -1,3 +1,6 @@ +2.0.17 2007-12-21 + * Prevent generation of policy.18 with MLS enabled from Todd Miller. + 2.0.16 2007-12-07 * print module magic number in hex on mismatch, from Todd Miller. Modified: trunk/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2007-12-21 17:24:50 UTC (rev 2713) +++ trunk/libsepol/VERSION 2007-12-21 17:25:53 UTC (rev 2714) @@ -1 +1 @@ -2.0.16 +2.0.17 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <mil...@us...> - 2008-01-02 21:54:44
|
Revision: 2715 http://selinux.svn.sourceforge.net/selinux/?rev=2715&view=rev Author: millertc Date: 2008-01-02 13:36:27 -0800 (Wed, 02 Jan 2008) Log Message: ----------- Subject: library policy capability support This patch includes the library support for policy capabilities. Currently the only capability that exists is peersid. Patch policy capabilities are only valid in the base policy. Signed-off-by: Todd C. Miller <tm...@tr...> Modified Paths: -------------- trunk/libsepol/include/sepol/policydb/policydb.h trunk/libsepol/src/expand.c trunk/libsepol/src/policydb.c trunk/libsepol/src/write.c Added Paths: ----------- trunk/libsepol/include/sepol/policydb/polcaps.h trunk/libsepol/src/polcaps.c Added: trunk/libsepol/include/sepol/policydb/polcaps.h =================================================================== --- trunk/libsepol/include/sepol/policydb/polcaps.h (rev 0) +++ trunk/libsepol/include/sepol/policydb/polcaps.h 2008-01-02 21:36:27 UTC (rev 2715) @@ -0,0 +1,17 @@ +#ifndef _SEPOL_POLICYDB_POLCAPS_H_ +#define _SEPOL_POLICYDB_POLCAPS_H_ + +/* Policy capabilities */ +enum { + POLICYDB_CAPABILITY_NETPEER, + __POLICYDB_CAPABILITY_MAX +}; +#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1) + +/* Convert a capability name to number. */ +extern int sepol_polcap_getnum(const char *name); + +/* Convert a capability number to name. */ +extern const char *sepol_polcap_getname(int capnum); + +#endif /* _SEPOL_POLICYDB_POLCAPS_H_ */ Modified: trunk/libsepol/include/sepol/policydb/policydb.h =================================================================== --- trunk/libsepol/include/sepol/policydb/policydb.h 2007-12-21 17:25:53 UTC (rev 2714) +++ trunk/libsepol/include/sepol/policydb/policydb.h 2008-01-02 21:36:27 UTC (rev 2715) @@ -468,6 +468,8 @@ ebitmap_t *attr_type_map; /* not saved in the binary policy */ + ebitmap_t policycaps; + unsigned policyvers; unsigned handle_unknown; 
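Review bot: The two prototypes added in polcaps.h do not say what they return on failure, although polcaps.c returns -1 from sepol_polcap_getnum() for an unknown name and NULL from sepol_polcap_getname() for a number above POLICYDB_CAPABILITY_MAX. I would state that in the header comments, for example `/* Convert a capability name to number; returns -1 if the name is unknown. */` and `/* Convert a capability number to name; returns NULL if capnum is out of range. */`, so callers know both results must be checked before use. Separately, `__POLICYDB_CAPABILITY_MAX` begins with a double underscore, which C reserves for the implementation; a plain name for the sentinel would avoid that.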
@@ -584,10 +586,11 @@ #define POLICYDB_VERSION_MLS 19 #define POLICYDB_VERSION_AVTAB 20 #define POLICYDB_VERSION_RANGETRANS 21 +#define POLICYDB_VERSION_POLCAP 22 /* Range of policy versions we understand*/ #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE -#define POLICYDB_VERSION_MAX POLICYDB_VERSION_RANGETRANS +#define POLICYDB_VERSION_MAX POLICYDB_VERSION_POLCAP /* Module versions and specific changes*/ #define MOD_POLICYDB_VERSION_BASE 4 @@ -595,9 +598,10 @@ #define MOD_POLICYDB_VERSION_MLS 5 #define MOD_POLICYDB_VERSION_RANGETRANS 6 #define MOD_POLICYDB_VERSION_MLS_USERS 6 +#define MOD_POLICYDB_VERSION_POLCAP 7 #define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE -#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_MLS_USERS +#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_POLCAP #define POLICYDB_CONFIG_MLS 1 Modified: trunk/libsepol/src/expand.c =================================================================== --- trunk/libsepol/src/expand.c 2007-12-21 17:25:53 UTC (rev 2714) +++ trunk/libsepol/src/expand.c 2008-01-02 21:36:27 UTC (rev 2715) @@ -2252,6 +2252,12 @@ out->mls = base->mls; out->handle_unknown = base->handle_unknown; + /* Copy policy capabilities */ + if (ebitmap_cpy(&out->policycaps, &base->policycaps)) { + ERR(handle, "Out of memory!"); + goto cleanup; + } + if ((state.typemap = (uint32_t *) calloc(state.base->p_types.nprim, sizeof(uint32_t))) == NULL) { Added: trunk/libsepol/src/polcaps.c =================================================================== --- trunk/libsepol/src/polcaps.c (rev 0) +++ trunk/libsepol/src/polcaps.c 2008-01-02 21:36:27 UTC (rev 2715) 
@@ -0,0 +1,32 @@ +/* + * Policy capability support functions + */ + +#include <string.h> +#include <sepol/policydb/polcaps.h> + +static const char *polcap_names[] = { + "network_peer_controls", /* POLICYDB_CAPABILITY_NETPEER */ + NULL +}; + +int sepol_polcap_getnum(const char *name) +{ + int capnum; + + for (capnum = 0; capnum <= POLICYDB_CAPABILITY_MAX; capnum++) { + if (polcap_names[capnum] == NULL) + continue; + if (strcasecmp(polcap_names[capnum], name) == 0) + return capnum; + } + return -1; +} + +const char *sepol_polcap_getname(int capnum) +{ + if (capnum > POLICYDB_CAPABILITY_MAX) + return NULL; + + return polcap_names[capnum]; +} Modified: trunk/libsepol/src/policydb.c =================================================================== --- trunk/libsepol/src/policydb.c 2007-12-21 17:25:53 UTC (rev 2714) +++ trunk/libsepol/src/policydb.c 2008-01-02 21:36:27 UTC (rev 2715) @@ -99,6 +99,12 @@ .ocon_num = OCON_NODE6 + 1, }, { + .type = POLICY_KERN, + .version = POLICYDB_VERSION_POLCAP, + .sym_num = SYM_NUM, + .ocon_num = OCON_NODE6 + 1, + }, + { .type = POLICY_BASE, .version = MOD_POLICYDB_VERSION_BASE, .sym_num = SYM_NUM, @@ -117,6 +123,12 @@ .ocon_num = OCON_NODE6 + 1, }, { + .type = POLICY_BASE, + .version = MOD_POLICYDB_VERSION_POLCAP, + .sym_num = SYM_NUM, + .ocon_num = OCON_NODE6 + 1, + }, + { .type = POLICY_MOD, .version = MOD_POLICYDB_VERSION_BASE, .sym_num = SYM_NUM, @@ -132,6 +144,12 @@ .type = POLICY_MOD, .version = MOD_POLICYDB_VERSION_MLS_USERS, .sym_num = SYM_NUM, + .ocon_num = 0 + }, + { + .type = POLICY_MOD, + .version = MOD_POLICYDB_VERSION_POLCAP, + .sym_num = SYM_NUM, .ocon_num = 0}, }; @@ -447,6 +465,8 @@ memset(p, 0, sizeof(policydb_t)); + ebitmap_init(&p->policycaps); + for (i = 0; i < SYM_NUM; i++) { p->sym_val_to_name[i] = NULL; rc = symtab_init(&p->symtab[i], symtab_sizes[i]); @@ -971,6 +991,8 @@ if (!p) return; + ebitmap_destroy(&p->policycaps); + symtabs_destroy(p->symtab); for (i = 0; i < SYM_NUM; i++) { 
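Review bot: sepol_polcap_getname() in the new polcaps.c checks only the upper bound, so a negative capnum indexes before the start of polcap_names[]; the guard should be `if (capnum < 0 || capnum > POLICYDB_CAPABILITY_MAX) return NULL;`. sepol_polcap_getnum() hands name straight to strcasecmp(), so a NULL name is dereferenced; either return -1 for it or document that name must be non-NULL. strcasecmp() is declared in `<strings.h>` under POSIX while the file includes only `<string.h>`, which some C libraries tolerate but is not portable.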
@@ -3123,6 +3145,16 @@ p->version[len] = '\0'; } + if ((p->policyvers >= POLICYDB_VERSION_POLCAP && + p->policy_type == POLICY_KERN) || + (p->policyvers >= MOD_POLICYDB_VERSION_POLCAP && + p->policy_type == POLICY_BASE) || + (p->policyvers >= MOD_POLICYDB_VERSION_POLCAP && + p->policy_type == POLICY_MOD)) { + if (ebitmap_read(&p->policycaps, fp)) + goto bad; + } + for (i = 0; i < info->sym_num; i++) { rc = next_entry(buf, fp, sizeof(uint32_t) * 2); if (rc < 0) Modified: trunk/libsepol/src/write.c =================================================================== --- trunk/libsepol/src/write.c 2007-12-21 17:25:53 UTC (rev 2714) +++ trunk/libsepol/src/write.c 2008-01-02 21:36:27 UTC (rev 2715) @@ -1606,6 +1606,17 @@ if (items != len) return POLICYDB_ERROR; } + + if ((p->policyvers >= POLICYDB_VERSION_POLCAP && + p->policy_type == POLICY_KERN) || + (p->policyvers >= MOD_POLICYDB_VERSION_POLCAP && + p->policy_type == POLICY_BASE) || + (p->policyvers >= MOD_POLICYDB_VERSION_POLCAP && + p->policy_type == POLICY_MOD)) { + if (ebitmap_write(&p->policycaps, fp) == -1) + return POLICYDB_ERROR; + } + num_syms = info->sym_num; for (i = 0; i < num_syms; i++) { buf[0] = cpu_to_le32(p->symtab[i].nprim); This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
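Review bot: The three-clause version/type test that guards ebitmap_read(&p->policycaps, fp) in policydb.c is repeated verbatim in front of ebitmap_write() in the write.c hunk on this line, and if the two copies ever drift the reader will parse every field after the bitmap at the wrong offset. I would move the test into a single predicate used by both files (sketched below; it needs a declaration in a header both include), which also merges the POLICY_BASE and POLICY_MOD clauses that compare against the same constant. The log message says capabilities are only valid in the base policy, yet the reader accepts the bitmap for POLICY_MOD as well; if that is rejected at link time, the check is outside these hunks. Both enclosing functions start and end outside the hunks.

```c
/* True when this policy type/version carries the policycaps bitmap. */
int policydb_has_polcaps(const policydb_t *p)
{
	switch (p->policy_type) {
	case POLICY_KERN:
		return p->policyvers >= POLICYDB_VERSION_POLCAP;
	case POLICY_BASE:
	case POLICY_MOD:
		return p->policyvers >= MOD_POLICYDB_VERSION_POLCAP;
	default:
		return 0;
	}
}

	/* … unchanged: policydb.c, after the version string is read … */
	if (policydb_has_polcaps(p) && ebitmap_read(&p->policycaps, fp))
		goto bad;

	/* … unchanged: write.c, after the version string is written … */
	if (policydb_has_polcaps(p) && ebitmap_write(&p->policycaps, fp) == -1)
		return POLICYDB_ERROR;
```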
From: <mil...@us...> - 2008-01-08 16:13:12
|
Revision: 2720 http://selinux.svn.sourceforge.net/selinux/?rev=2720&view=rev Author: millertc Date: 2008-01-08 08:13:08 -0800 (Tue, 08 Jan 2008) Log Message: ----------- Subject: quiet libsepol qualifier warnings Fix discarded const warnings in mls.c by sprinkling const in mls_level_eq, mls_level_dom and the ebitmap functions. Signed-off-by: Todd C. Miller <tm...@tr...> Acked-by: Stephen Smalley <sd...@ty...> Modified Paths: -------------- trunk/libsepol/include/sepol/policydb/ebitmap.h trunk/libsepol/include/sepol/policydb/mls_types.h trunk/libsepol/src/ebitmap.c Modified: trunk/libsepol/include/sepol/policydb/ebitmap.h =================================================================== --- trunk/libsepol/include/sepol/policydb/ebitmap.h 2008-01-08 16:12:09 UTC (rev 2719) +++ trunk/libsepol/include/sepol/policydb/ebitmap.h 2008-01-08 16:13:08 UTC (rev 2720) 
@@ -73,12 +73,12 @@ #define ebitmap_for_each_bit(e, n, bit) \ for (bit = ebitmap_start(e, &n); bit < ebitmap_length(e); bit = ebitmap_next(&n, bit)) \ -extern int ebitmap_cmp(ebitmap_t * e1, ebitmap_t * e2); -extern int ebitmap_or(ebitmap_t * dst, ebitmap_t * e1, ebitmap_t * e2); -extern int ebitmap_union(ebitmap_t * dst, ebitmap_t * e1); -extern int ebitmap_cpy(ebitmap_t * dst, ebitmap_t * src); -extern int ebitmap_contains(ebitmap_t * e1, ebitmap_t * e2); -extern int ebitmap_get_bit(ebitmap_t * e, unsigned int bit); +extern int ebitmap_cmp(const ebitmap_t * e1, const ebitmap_t * e2); +extern int ebitmap_or(ebitmap_t * dst, const ebitmap_t * e1, const ebitmap_t * e2); +extern int ebitmap_union(ebitmap_t * dst, const ebitmap_t * e1); +extern int ebitmap_cpy(ebitmap_t * dst, const ebitmap_t * src); +extern int ebitmap_contains(const ebitmap_t * e1, const ebitmap_t * e2); +extern int ebitmap_get_bit(const ebitmap_t * e, unsigned int bit); extern int ebitmap_set_bit(ebitmap_t * e, unsigned int bit, int value); extern void ebitmap_destroy(ebitmap_t * e); extern int ebitmap_read(ebitmap_t * e, void *fp); Modified: trunk/libsepol/include/sepol/policydb/mls_types.h =================================================================== --- trunk/libsepol/include/sepol/policydb/mls_types.h 2008-01-08 16:12:09 UTC (rev 2719) +++ trunk/libsepol/include/sepol/policydb/mls_types.h 2008-01-08 16:13:08 UTC (rev 2720) 
@@ -70,12 +70,12 @@ mls_level_init(level); } -static inline int mls_level_eq(struct mls_level *l1, struct mls_level *l2) +static inline int mls_level_eq(const struct mls_level *l1, const struct mls_level *l2) { return ((l1->sens == l2->sens) && ebitmap_cmp(&l1->cat, &l2->cat)); } -static inline int mls_level_dom(struct mls_level *l1, struct mls_level *l2) +static inline int mls_level_dom(const struct mls_level *l1, const struct mls_level *l2) { return ((l1->sens >= l2->sens) && ebitmap_contains(&l1->cat, &l2->cat)); } Modified: trunk/libsepol/src/ebitmap.c =================================================================== --- trunk/libsepol/src/ebitmap.c 2008-01-08 16:12:09 UTC (rev 2719) +++ trunk/libsepol/src/ebitmap.c 2008-01-08 16:13:08 UTC (rev 2720) @@ -15,7 +15,7 @@ #include "debug.h" #include "private.h" -int ebitmap_or(ebitmap_t * dst, ebitmap_t * e1, ebitmap_t * e2) +int ebitmap_or(ebitmap_t * dst, const ebitmap_t * e1, const ebitmap_t * e2) { ebitmap_node_t *n1, *n2, *new, *prev; @@ -58,7 +58,7 @@ return 0; } -int ebitmap_union(ebitmap_t * dst, ebitmap_t * e1) +int ebitmap_union(ebitmap_t * dst, const ebitmap_t * e1) { ebitmap_t tmp; @@ -71,7 +71,7 @@ return 0; } -int ebitmap_cmp(ebitmap_t * e1, ebitmap_t * e2) +int ebitmap_cmp(const ebitmap_t * e1, const ebitmap_t * e2) { ebitmap_node_t *n1, *n2; @@ -92,7 +92,7 @@ return 1; } -int ebitmap_cpy(ebitmap_t * dst, ebitmap_t * src) +int ebitmap_cpy(ebitmap_t * dst, const ebitmap_t * src) { ebitmap_node_t *n, *new, *prev; @@ -121,7 +121,7 @@ return 0; } -int ebitmap_contains(ebitmap_t * e1, ebitmap_t * e2) +int ebitmap_contains(const ebitmap_t * e1, const ebitmap_t * e2) { ebitmap_node_t *n1, *n2; @@ -148,7 +148,7 @@ return 1; } -int ebitmap_get_bit(ebitmap_t * e, unsigned int bit) +int ebitmap_get_bit(const ebitmap_t * e, unsigned int bit) { ebitmap_node_t *n; This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
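Review bot: The read-only functions touched in ebitmap.c (ebitmap_cmp, ebitmap_contains, ebitmap_get_bit) still walk the now-const bitmaps through plain `ebitmap_node_t *` locals, so the new const protects only the ebitmap_t header and not the nodes it points to. Declaring those cursors as `const ebitmap_node_t *n1, *n2;` (and `const ebitmap_node_t *n;` in ebitmap_get_bit) would let the compiler catch an accidental write through them. The function bodies continue outside the hunks, so this assumes the cursors are never written through there.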
From: <ssm...@us...> - 2008-02-04 15:26:35
|
Revision: 2778 http://selinux.svn.sourceforge.net/selinux/?rev=2778&view=rev Author: ssmalley Date: 2008-02-04 07:25:47 -0800 (Mon, 04 Feb 2008) Log Message: ----------- updated libsepol to version 2.0.20 Modified Paths: -------------- trunk/libsepol/ChangeLog trunk/libsepol/VERSION Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2008-02-04 15:24:49 UTC (rev 2777) +++ trunk/libsepol/ChangeLog 2008-02-04 15:25:47 UTC (rev 2778) @@ -1,6 +1,9 @@ +2.0.20 2008-02-04 + * Port of Yuichi Nakamura's tune avtab to reduce memory usage patch from the kernel avtab to libsepol from Stephen Smalley. + 2.0.19 2008-02-02 * Add support for consuming avrule_blocks during expansion to reduce - peak memory usage. + peak memory usage from Joshua Brindle. 2.0.18 2008-01-02 * Added support for policy capabilities from Todd Miller. Modified: trunk/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2008-02-04 15:24:49 UTC (rev 2777) +++ trunk/libsepol/VERSION 2008-02-04 15:25:47 UTC (rev 2778) @@ -1 +1 @@ -2.0.19 +2.0.20 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2008-02-20 15:32:56
|
Revision: 2806 http://selinux.svn.sourceforge.net/selinux/?rev=2806&view=rev Author: ssmalley Date: 2008-02-20 07:32:51 -0800 (Wed, 20 Feb 2008) Log Message: ----------- updated libsepol to version 2.0.21 Modified Paths: -------------- trunk/libsepol/ChangeLog trunk/libsepol/VERSION Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2008-02-20 15:30:30 UTC (rev 2805) +++ trunk/libsepol/ChangeLog 2008-02-20 15:32:51 UTC (rev 2806) @@ -1,3 +1,6 @@ +2.0.21 2008-02-20 + * Fix invalid memory allocation in policydb_index_others() from Jason Tang. + 2.0.20 2008-02-04 * Port of Yuichi Nakamura's tune avtab to reduce memory usage patch from the kernel avtab to libsepol from Stephen Smalley. Modified: trunk/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2008-02-20 15:30:30 UTC (rev 2805) +++ trunk/libsepol/VERSION 2008-02-20 15:32:51 UTC (rev 2806) @@ -1 +1 @@ -2.0.20 +2.0.21 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2008-02-28 20:40:01
|
Revision: 2823 http://selinux.svn.sourceforge.net/selinux/?rev=2823&view=rev Author: ssmalley Date: 2008-02-28 12:39:59 -0800 (Thu, 28 Feb 2008) Log Message: ----------- Author: Eric Paris Email: ep...@re... Subject: libsepol: new capability to support open permissions Date: Thu, 28 Feb 2008 10:09:54 -0500 This patch adds support for the new open_perms policy capability. Simple yet true. I would like to point out that after this change checkpolicy will also need to be rebuilt with the new libsepol-static installed. Acked-by: Stephen Smalley <sd...@ty...> Modified Paths: -------------- trunk/libsepol/include/sepol/policydb/polcaps.h trunk/libsepol/src/polcaps.c Modified: trunk/libsepol/include/sepol/policydb/polcaps.h =================================================================== --- trunk/libsepol/include/sepol/policydb/polcaps.h 2008-02-28 20:38:55 UTC (rev 2822) +++ trunk/libsepol/include/sepol/policydb/polcaps.h 2008-02-28 20:39:59 UTC (rev 2823) @@ -4,6 +4,7 @@ /* Policy capabilities */ enum { POLICYDB_CAPABILITY_NETPEER, + POLICYDB_CAPABILITY_OPENPERM, __POLICYDB_CAPABILITY_MAX }; #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1) Modified: trunk/libsepol/src/polcaps.c =================================================================== --- trunk/libsepol/src/polcaps.c 2008-02-28 20:38:55 UTC (rev 2822) +++ trunk/libsepol/src/polcaps.c 2008-02-28 20:39:59 UTC (rev 2823) @@ -7,6 +7,7 @@ static const char *polcap_names[] = { "network_peer_controls", /* POLICYDB_CAPABILITY_NETPEER */ + "open_perms", /* POLICYDB_CAPABILITY_OPENPERM */ NULL }; This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
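Review bot: Nothing in either hunk ties the order and length of polcap_names[] in polcaps.c to the enum in polcaps.h, and sepol_polcap_getname() indexes the table directly with the enum value, so an entry added to one file but not the other, or added in a different position, yields a wrong name or a read of the NULL terminator slot. I would put a comment on the table such as `/* One entry per POLICYDB_CAPABILITY_* value, in enum order; keep in sync with polcaps.h. */`. A compile-time check that the array has `__POLICYDB_CAPABILITY_MAX + 1` elements (the names plus the NULL terminator) would catch a forgotten entry automatically.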
From: <ssm...@us...> - 2008-02-28 20:40:34
|
Revision: 2824 http://selinux.svn.sourceforge.net/selinux/?rev=2824&view=rev Author: ssmalley Date: 2008-02-28 12:40:32 -0800 (Thu, 28 Feb 2008) Log Message: ----------- updated libsepol to version 2.0.22 Modified Paths: -------------- trunk/libsepol/ChangeLog trunk/libsepol/VERSION Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2008-02-28 20:39:59 UTC (rev 2823) +++ trunk/libsepol/ChangeLog 2008-02-28 20:40:32 UTC (rev 2824) @@ -1,3 +1,6 @@ +2.0.22 2008-02-28 + * Add support for open_perms policy capability from Eric Paris. + 2.0.21 2008-02-20 * Fix invalid memory allocation in policydb_index_others() from Jason Tang. Modified: trunk/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2008-02-28 20:39:59 UTC (rev 2823) +++ trunk/libsepol/VERSION 2008-02-28 20:40:32 UTC (rev 2824) @@ -1 +1 @@ -2.0.21 +2.0.22 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2008-02-28 20:41:03
|
Revision: 2825 http://selinux.svn.sourceforge.net/selinux/?rev=2825&view=rev Author: ssmalley Date: 2008-02-28 12:41:00 -0800 (Thu, 28 Feb 2008) Log Message: ----------- Author: Stephen Smalley Email: sd...@ty... Subject: libsepol: accept Flask as string identifier in policy Date: Thu, 28 Feb 2008 14:26:55 -0500 SELinux binary policies presently use "SE Linux" as the string identifier in the header. Other Flask/TE implementations would like to use a more general identifier while preserving compatibility with SELinux policy tools. Thus, extend the libsepol policy reading code to accept "Flask" as an alternate identifier. This allows checkpolicy and setools to read such policies when rebuilt against the updated libsepol. Signed-off-by: Stephen Smalley <sd...@ty...> Modified Paths: -------------- trunk/libsepol/include/sepol/policydb/policydb.h trunk/libsepol/src/policydb.c Modified: trunk/libsepol/include/sepol/policydb/policydb.h =================================================================== --- trunk/libsepol/include/sepol/policydb/policydb.h 2008-02-28 20:40:32 UTC (rev 2824) +++ trunk/libsepol/include/sepol/policydb/policydb.h 2008-02-28 20:41:00 UTC (rev 2825) @@ -617,6 +617,7 @@ #define POLICYDB_MAGIC SELINUX_MAGIC #define POLICYDB_STRING "SE Linux" +#define POLICYDB_ALT_STRING "Flask" #define POLICYDB_MOD_MAGIC SELINUX_MOD_MAGIC #define POLICYDB_MOD_STRING "SE Linux Module" Modified: trunk/libsepol/src/policydb.c =================================================================== --- trunk/libsepol/src/policydb.c 2008-02-28 20:40:32 UTC (rev 2824) +++ trunk/libsepol/src/policydb.c 2008-02-28 20:41:00 UTC (rev 2825) @@ -2980,7 +2980,7 @@ unsigned int i, j, r_policyvers; uint32_t buf[5], config; size_t len, nprim, nel; - char *policydb_str, *target_str = NULL; + char *policydb_str, *target_str = NULL, *alt_target_str = NULL; struct policydb_compat_info *info; unsigned int policy_type, bufindex; ebitmap_node_t *tnode; 
@@ -2998,6 +2998,7 @@ if (buf[0] == POLICYDB_MAGIC) { policy_type = POLICY_KERN; target_str = POLICYDB_STRING; + alt_target_str = POLICYDB_ALT_STRING; } else if (buf[0] == POLICYDB_MOD_MAGIC) { policy_type = POLICY_MOD; target_str = POLICYDB_MOD_STRING; @@ -3009,7 +3010,8 @@ } len = buf[1]; - if (len != strlen(target_str)) { + if (len != strlen(target_str) && + (!alt_target_str || len != strlen(alt_target_str))) { ERR(fp->handle, "policydb string length %zu does not match " "expected length %zu", len, strlen(target_str)); return POLICYDB_ERROR; @@ -3028,7 +3030,8 @@ return POLICYDB_ERROR; } policydb_str[len] = 0; - if (strcmp(policydb_str, target_str)) { + if (strcmp(policydb_str, target_str) && + (!alt_target_str || strcmp(policydb_str, alt_target_str))) { ERR(fp->handle, "policydb string %s does not match " "my string %s", policydb_str, target_str); free(policydb_str); This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
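Review bot: In the policydb.c header check the length test and the strcmp() test each accept either identifier independently, so a length that matches one string can be paired with bytes that match the other, because strcmp() stops at the first NUL inside the len bytes that were read. Selecting the expected identifier once from len and then comparing exactly len bytes would tie the two checks together, as sketched below. Both ERR() messages still print only target_str, so a rejected header reports "SE Linux" as the sole expected value even when "Flask" was also acceptable. target_str and alt_target_str point at string literals and could be declared `const char *`. The enclosing function starts and ends outside the hunks.

```c
	const char *match_str = NULL;	/* whichever identifier len selected */

	/* … unchanged: magic check sets policy_type, target_str, alt_target_str … */
	len = buf[1];
	if (len == strlen(target_str))
		match_str = target_str;
	else if (alt_target_str && len == strlen(alt_target_str))
		match_str = alt_target_str;
	if (!match_str) {
		/* … unchanged: length-mismatch ERR and return POLICYDB_ERROR … */
	}
	/* … unchanged: allocate policydb_str and read len bytes … */
	if (memcmp(policydb_str, match_str, len)) {
		/* … unchanged: ERR, free(policydb_str), return POLICYDB_ERROR … */
```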
From: <ssm...@us...> - 2008-02-28 20:41:56
|
Revision: 2826 http://selinux.svn.sourceforge.net/selinux/?rev=2826&view=rev Author: ssmalley Date: 2008-02-28 12:41:51 -0800 (Thu, 28 Feb 2008) Log Message: ----------- updated libsepol to version 2.0.23 Modified Paths: -------------- trunk/libsepol/ChangeLog trunk/libsepol/VERSION Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2008-02-28 20:41:00 UTC (rev 2825) +++ trunk/libsepol/ChangeLog 2008-02-28 20:41:51 UTC (rev 2826) @@ -1,3 +1,6 @@ +2.0.23 2008-02-28 + * Accept "Flask" as an alternate identifier string in kernel policies from Stephen Smalley. + 2.0.22 2008-02-28 * Add support for open_perms policy capability from Eric Paris. Modified: trunk/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2008-02-28 20:41:00 UTC (rev 2825) +++ trunk/libsepol/VERSION 2008-02-28 20:41:51 UTC (rev 2826) @@ -1 +1 @@ -2.0.22 +2.0.23 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <mil...@us...> - 2008-03-04 17:31:34
|
Revision: 2833 http://selinux.svn.sourceforge.net/selinux/?rev=2833&view=rev Author: millertc Date: 2008-03-04 09:31:32 -0800 (Tue, 04 Mar 2008) Log Message: ----------- updated libsepol to version 2.0.24 Modified Paths: -------------- trunk/libsepol/ChangeLog trunk/libsepol/VERSION Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2008-03-04 17:30:39 UTC (rev 2832) +++ trunk/libsepol/ChangeLog 2008-03-04 17:31:32 UTC (rev 2833) @@ -1,3 +1,6 @@ +2.0.24 2008-03-04 + * Add policy_file_init() initalizer for struct policy_file and use it, from Todd C. Miller. + 2.0.23 2008-02-28 * Accept "Flask" as an alternate identifier string in kernel policies from Stephen Smalley. Modified: trunk/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2008-03-04 17:30:39 UTC (rev 2832) +++ trunk/libsepol/VERSION 2008-03-04 17:31:32 UTC (rev 2833) @@ -1 +1 @@ -2.0.23 +2.0.24 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2008-03-04 18:57:37
|
Revision: 2838 http://selinux.svn.sourceforge.net/selinux/?rev=2838&view=rev Author: ssmalley Date: 2008-03-04 10:57:34 -0800 (Tue, 04 Mar 2008) Log Message: ----------- updated libsepol to version 2.0.25 Modified Paths: -------------- trunk/libsepol/ChangeLog trunk/libsepol/VERSION Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2008-03-04 18:56:15 UTC (rev 2837) +++ trunk/libsepol/ChangeLog 2008-03-04 18:57:34 UTC (rev 2838) @@ -1,3 +1,6 @@ +2.0.25 2008-03-04 + * Drop unused ->buffer field from struct policy_file. + 2.0.24 2008-03-04 * Add policy_file_init() initalizer for struct policy_file and use it, from Todd C. Miller. Modified: trunk/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2008-03-04 18:56:15 UTC (rev 2837) +++ trunk/libsepol/VERSION 2008-03-04 18:57:34 UTC (rev 2838) @@ -1 +1 @@ -2.0.24 +2.0.25 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2008-03-24 20:18:08
|
Revision: 2855 http://selinux.svn.sourceforge.net/selinux/?rev=2855&view=rev Author: ssmalley Date: 2008-03-24 13:17:15 -0700 (Mon, 24 Mar 2008) Log Message: ----------- Author: Eric Paris Email: ep...@re... Subject: libsepol: add permissive domain support Date: Mon, 24 Mar 2008 09:51:37 -0400 This patch adds support for permissive types. In the kernel policy format the permissive types are in a bitmap referenced by the type value. In the module policy format a new field in the type_datum_t called 'flags' was added. The only currently defined flag is TYPE_FLAGS_PERMISSIVE. Checkpolicy can set the permissive flag on the type_datum_t in question and that flag will persist on disk. It will be OR'd at link time against the type in the base policy. At expand time we build the bit array the kernel uses. Signed-off-by: Eric Paris <ep...@re...> Acked-by: Stephen Smalley <sd...@ty...> Modified Paths: -------------- trunk/libsepol/include/sepol/policydb/policydb.h trunk/libsepol/src/expand.c trunk/libsepol/src/link.c trunk/libsepol/src/policydb.c trunk/libsepol/src/write.c Modified: trunk/libsepol/include/sepol/policydb/policydb.h =================================================================== --- trunk/libsepol/include/sepol/policydb/policydb.h 2008-03-20 19:01:26 UTC (rev 2854) +++ trunk/libsepol/include/sepol/policydb/policydb.h 2008-03-24 20:17:15 UTC (rev 2855) @@ -143,6 +143,8 @@ #define TYPE_ALIAS 2 /* alias in modular policy */ uint32_t flavor; ebitmap_t types; /* types with this attribute */ +#define TYPE_FLAGS_PERMISSIVE 0x01 + uint32_t flags; } type_datum_t; /* User attributes */ @@ -470,6 +472,10 @@ ebitmap_t policycaps; + /* this bitmap is referenced by type NOT the typical type-1 used in other + bitmaps. Someday the 0 bit may be used for global permissive */ + ebitmap_t permissive_map; + unsigned policyvers; unsigned handle_unknown; 
@@ -588,10 +594,11 @@ #define POLICYDB_VERSION_AVTAB 20 #define POLICYDB_VERSION_RANGETRANS 21 #define POLICYDB_VERSION_POLCAP 22 +#define POLICYDB_VERSION_PERMISSIVE 23 /* Range of policy versions we understand*/ #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE -#define POLICYDB_VERSION_MAX POLICYDB_VERSION_POLCAP +#define POLICYDB_VERSION_MAX POLICYDB_VERSION_PERMISSIVE /* Module versions and specific changes*/ #define MOD_POLICYDB_VERSION_BASE 4 @@ -600,9 +607,10 @@ #define MOD_POLICYDB_VERSION_RANGETRANS 6 #define MOD_POLICYDB_VERSION_MLS_USERS 6 #define MOD_POLICYDB_VERSION_POLCAP 7 +#define MOD_POLICYDB_VERSION_PERMISSIVE 8 #define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE -#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_POLCAP +#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_PERMISSIVE #define POLICYDB_CONFIG_MLS 1 Modified: trunk/libsepol/src/expand.c =================================================================== --- trunk/libsepol/src/expand.c 2008-03-20 19:01:26 UTC (rev 2854) +++ trunk/libsepol/src/expand.c 2008-03-24 20:17:15 UTC (rev 2855) @@ -92,6 +92,7 @@ memset(new_type, 0, sizeof(type_datum_t)); new_type->flavor = type->flavor; + new_type->flags = type->flags; new_type->s.value = ++state->out->p_types.nprim; if (new_type->s.value > UINT16_MAX) { free(new_id); @@ -112,6 +113,12 @@ return -1; } + if (new_type->flags & TYPE_FLAGS_PERMISSIVE) + if (ebitmap_set_bit(&state->out->permissive_map, new_type->s.value, 1)) { + ERR(state->handle, "Out of memory!\n"); + return -1; + } + return 0; } @@ -480,6 +487,8 @@ else assert(0); /* unreachable */ + new_alias->flags = alias->flags; + ret = hashtab_insert(state->out->p_types.table, (hashtab_key_t) new_id, (hashtab_datum_t) new_alias); 
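Review bot: The two new permissive_map blocks in expand.c report the same failure differently: the type-copy hunk logs `"Out of memory!\n"` with a trailing newline while the alias-copy hunk that follows logs `"Out of memory!"`; drop the newline so the messages match, `ERR(state->handle, "Out of memory!");`. Both blocks also hang a multi-line `if` body under an unbraced outer `if`; bracing the outer test, or folding it into `if ((new_type->flags & TYPE_FLAGS_PERMISSIVE) && ebitmap_set_bit(&state->out->permissive_map, new_type->s.value, 1))`, reads more safely. The bit is set at s.value rather than s.value - 1, which matches the comment added in policydb.h but deserves a one-line comment at each call site because the header says other bitmaps use type-1. The enclosing functions start and end outside the hunks.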
@@ -492,6 +501,13 @@ } state->typemap[alias->s.value - 1] = new_alias->s.value; + + if (new_alias->flags & TYPE_FLAGS_PERMISSIVE) + if (ebitmap_set_bit(&state->out->permissive_map, new_alias->s.value, 1)) { + ERR(state->handle, "Out of memory!"); + return -1; + } + return 0; } Modified: trunk/libsepol/src/link.c =================================================================== --- trunk/libsepol/src/link.c 2008-03-20 19:01:26 UTC (rev 2854) +++ trunk/libsepol/src/link.c 2008-03-24 20:17:15 UTC (rev 2855) @@ -405,6 +405,8 @@ state->cur_mod_name, id); return -1; } + /* permissive should pass to the base type */ + base_type->flags |= (type->flags & TYPE_FLAGS_PERMISSIVE); } else { if (state->verbose) INFO(state->handle, "copying type %s", id); @@ -418,6 +420,7 @@ goto cleanup; } new_type->primary = type->primary; + new_type->flags = type->flags; new_type->flavor = type->flavor; /* for attributes, the writing of new_type->types is done in type_fix_callback() */ @@ -441,6 +444,7 @@ } new_type->primary = type->primary; new_type->flavor = type->flavor; + new_type->flags = type->flags; new_type->s.value = base_type->s.value; if ((new_id = strdup(id)) == NULL) { goto cleanup; @@ -702,6 +706,8 @@ return -1; } + target_type->flags |= (type->flags & TYPE_FLAGS_PERMISSIVE); + base_type = hashtab_search(state->base->p_types.table, id); if (base_type == NULL) { if (state->verbose) @@ -713,6 +719,7 @@ } /* the linked copy always has TYPE_ALIAS style aliases */ new_type->primary = target_type->s.value; + new_type->flags = target_type->flags; new_type->flavor = TYPE_ALIAS; new_type->s.value = state->base->p_types.nprim + 1; if ((new_id = strdup(id)) == NULL) { 
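Review bot: The link.c hunks propagate type flags in two different ways: when the type already exists in the base only the permissive bit is merged (`base_type->flags |= (type->flags & TYPE_FLAGS_PERMISSIVE);`), but when a new type is created the whole word is copied (`new_type->flags = type->flags;`). Since flags is read from the module file, any bit other than TYPE_FLAGS_PERMISSIVE reaches the linked policy on the second path only; masking the copy the same way, `new_type->flags = type->flags & TYPE_FLAGS_PERMISSIVE;`, would make the two paths agree. The merge also means that a module declaring an existing base type permissive changes how that type is enforced in the linked policy, so an INFO message under state->verbose naming state->cur_mod_name and the type would make the change auditable. The enclosing functions start and end outside the hunks.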
@@ -747,6 +754,7 @@ base_type->flavor = TYPE_ALIAS; base_type->primary = target_type->s.value; + base_type->flags |= (target_type->flags & TYPE_FLAGS_PERMISSIVE); } /* the aliases map points from its value to its primary so when this module Modified: trunk/libsepol/src/policydb.c =================================================================== --- trunk/libsepol/src/policydb.c 2008-03-20 19:01:26 UTC (rev 2854) +++ trunk/libsepol/src/policydb.c 2008-03-24 20:17:15 UTC (rev 2855) @@ -105,6 +105,12 @@ .ocon_num = OCON_NODE6 + 1, }, { + .type = POLICY_KERN, + .version = POLICYDB_VERSION_PERMISSIVE, + .sym_num = SYM_NUM, + .ocon_num = OCON_NODE6 + 1, + }, + { .type = POLICY_BASE, .version = MOD_POLICYDB_VERSION_BASE, .sym_num = SYM_NUM, @@ -129,6 +135,12 @@ .ocon_num = OCON_NODE6 + 1, }, { + .type = POLICY_BASE, + .version = MOD_POLICYDB_VERSION_PERMISSIVE, + .sym_num = SYM_NUM, + .ocon_num = OCON_NODE6 + 1, + }, + { .type = POLICY_MOD, .version = MOD_POLICYDB_VERSION_BASE, .sym_num = SYM_NUM, @@ -150,7 +162,14 @@ .type = POLICY_MOD, .version = MOD_POLICYDB_VERSION_POLCAP, .sym_num = SYM_NUM, - .ocon_num = 0}, + .ocon_num = 0 + }, + { + .type = POLICY_MOD, + .version = MOD_POLICYDB_VERSION_PERMISSIVE, + .sym_num = SYM_NUM, + .ocon_num = 0 + }, }; #if 0 @@ -467,6 +486,8 @@ ebitmap_init(&p->policycaps); + ebitmap_init(&p->permissive_map); + for (i = 0; i < SYM_NUM; i++) { p->sym_val_to_name[i] = NULL; rc = symtab_init(&p->symtab[i], symtab_sizes[i]); @@ -992,6 +1013,8 @@ ebitmap_destroy(&p->policycaps); + ebitmap_destroy(&p->permissive_map); + symtabs_destroy(p->symtab); for (i = 0; i < SYM_NUM; i++) { 
@@ -1907,19 +1930,22 @@ { char *key = 0; type_datum_t *typdatum; - uint32_t buf[4]; + uint32_t buf[5]; size_t len; - int rc; + int rc, to_read; typdatum = calloc(1, sizeof(type_datum_t)); if (!typdatum) return -1; - if (p->policy_type == POLICY_KERN) { - rc = next_entry(buf, fp, sizeof(uint32_t) * 3); - } else { - rc = next_entry(buf, fp, sizeof(uint32_t) * 4); - } + if (p->policy_type == POLICY_KERN) + to_read = 3; + else if (p->policyvers >= MOD_POLICYDB_VERSION_PERMISSIVE) + to_read = 5; + else + to_read = 4; + + rc = next_entry(buf, fp, sizeof(uint32_t) * to_read); if (rc < 0) goto bad; @@ -1928,6 +1954,8 @@ typdatum->primary = le32_to_cpu(buf[2]); if (p->policy_type != POLICY_KERN) { typdatum->flavor = le32_to_cpu(buf[3]); + if (p->policyvers >= MOD_POLICYDB_VERSION_PERMISSIVE) + typdatum->flags = le32_to_cpu(buf[4]); if (ebitmap_read(&typdatum->types, fp)) goto bad; } @@ -3157,6 +3185,12 @@ goto bad; } + if (p->policyvers >= POLICYDB_VERSION_PERMISSIVE && + p->policy_type == POLICY_KERN) { + if (ebitmap_read(&p->permissive_map, fp)) + goto bad; + } + for (i = 0; i < info->sym_num; i++) { rc = next_entry(buf, fp, sizeof(uint32_t) * 2); if (rc < 0) Modified: trunk/libsepol/src/write.c =================================================================== --- trunk/libsepol/src/write.c 2008-03-20 19:01:26 UTC (rev 2854) +++ trunk/libsepol/src/write.c 2008-03-24 20:17:15 UTC (rev 2855) @@ -959,6 +959,12 @@ buf[items++] = cpu_to_le32(typdatum->primary); if (p->policy_type != POLICY_KERN) { buf[items++] = cpu_to_le32(typdatum->flavor); + if (p->policyvers >= MOD_POLICYDB_VERSION_PERMISSIVE) + buf[items++] = cpu_to_le32(typdatum->flags); + else if (typdatum->flags & TYPE_FLAGS_PERMISSIVE) + WARN(fp->handle, "Warning! Module policy version %d cannnot " + "support permissive types, but one was defined", + p->policyvers); } items2 = put_entry(buf, sizeof(uint32_t), items, fp); if (items != items2) 
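Review bot: Both values introduced by the policydb.c read hunks are taken from the policy file without a range check: the @@ -1907 hunk stores buf[4] into typdatum->flags as is, and the @@ -3157 hunk loads permissive_map with ebitmap_read() before the symbol tables are read. Because a set bit in permissive_map marks that type permissive, I would check once the types are loaded that no bit above p->p_types.nprim is set and that bit 0, which the policydb.h comment reserves for later use, is clear, and fail the load otherwise. For flags, rejecting a non-zero `typdatum->flags & ~TYPE_FLAGS_PERMISSIVE` keeps unknown bits from being carried through link and write. If such validation already exists later in the read path, it is outside these hunks.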
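Review bot: Both new WARN() calls in write.c (the @@ -959 hunk here and the @@ -1618 hunk that follows) print p->policyvers with `%d`, but policydb.h declares it `unsigned policyvers;`, so the conversion should be `%u`. The first message also misspells "cannot" as "cannnot". In both cases the writer only warns and then emits a policy without the permissive information, so a type that was permissive is written as enforcing; that is the safe direction, but a comment saying the drop is intentional would help the next reader.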
@@ -1618,6 +1624,27 @@ return POLICYDB_ERROR; } + if (p->policyvers < POLICYDB_VERSION_PERMISSIVE && + p->policy_type == POLICY_KERN) { + ebitmap_node_t *tnode; + unsigned int i; + + ebitmap_for_each_bit(&p->permissive_map, tnode, i) { + if (ebitmap_node_get_bit(tnode, i)) { + WARN(fp->handle, "Warning! Policy version %d cannot " + "support permissive types, but some were defined", + p->policyvers); + break; + } + } + } + + if (p->policyvers >= POLICYDB_VERSION_PERMISSIVE && + p->policy_type == POLICY_KERN) { + if (ebitmap_write(&p->permissive_map, fp) == -1) + return POLICYDB_ERROR; + } + num_syms = info->sym_num; for (i = 0; i < num_syms; i++) { buf[0] = cpu_to_le32(p->symtab[i].nprim); This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
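Review bot: The block added before the permissive_map write declares `unsigned int i;`, while the unchanged loop just below, `for (i = 0; i < num_syms; i++)`, uses an `i` from the enclosing function, so the new declaration shadows it. That is harmless as written because the inner scope ends before the loop, but it trips `-Wshadow` and invites mistakes when the block is edited later. I would rename the local, e.g. `unsigned int bit;` with `ebitmap_for_each_bit(&p->permissive_map, tnode, bit)` and `ebitmap_node_get_bit(tnode, bit)`. The function begins outside the hunk, so the outer declaration of `i` is inferred from that loop.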
From: <ssm...@us...> - 2008-03-24 20:18:45
|
Revision: 2857 http://selinux.svn.sourceforge.net/selinux/?rev=2857&view=rev Author: ssmalley Date: 2008-03-24 13:18:43 -0700 (Mon, 24 Mar 2008) Log Message: ----------- updated libsepol to version 2.0.26 Modified Paths: -------------- trunk/libsepol/ChangeLog trunk/libsepol/VERSION Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2008-03-24 20:18:16 UTC (rev 2856) +++ trunk/libsepol/ChangeLog 2008-03-24 20:18:43 UTC (rev 2857) @@ -1,3 +1,6 @@ +2.0.26 2008-03-24 + * Add permissive domain support from Eric Paris. + 2.0.25 2008-03-04 * Drop unused ->buffer field from struct policy_file. Modified: trunk/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2008-03-24 20:18:16 UTC (rev 2856) +++ trunk/libsepol/VERSION 2008-03-24 20:18:43 UTC (rev 2857) @@ -1 +1 @@ -2.0.25 +2.0.26 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2008-04-18 13:56:31
|
Revision: 2866 http://selinux.svn.sourceforge.net/selinux/?rev=2866&view=rev Author: ssmalley Date: 2008-04-18 06:56:23 -0700 (Fri, 18 Apr 2008) Log Message: ----------- updated libsepol to version 2.0.27 Modified Paths: -------------- trunk/libsepol/ChangeLog trunk/libsepol/VERSION Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2008-04-18 13:55:39 UTC (rev 2865) +++ trunk/libsepol/ChangeLog 2008-04-18 13:56:23 UTC (rev 2866) @@ -1,3 +1,6 @@ +2.0.27 2008-04-18 + * Belatedly merge test for policy downgrade from Todd Miller. + 2.0.26 2008-03-24 * Add permissive domain support from Eric Paris. Modified: trunk/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2008-04-18 13:55:39 UTC (rev 2865) +++ trunk/libsepol/VERSION 2008-04-18 13:56:23 UTC (rev 2866) @@ -1 +1 @@ -2.0.26 +2.0.27 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2008-05-05 15:08:44
|
Revision: 2877 http://selinux.svn.sourceforge.net/selinux/?rev=2877&view=rev Author: ssmalley Date: 2008-05-05 07:45:13 -0700 (Mon, 05 May 2008) Log Message: ----------- updated libsepol to version 2.0.28 Modified Paths: -------------- trunk/libsepol/ChangeLog trunk/libsepol/VERSION Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2008-05-05 14:44:10 UTC (rev 2876) +++ trunk/libsepol/ChangeLog 2008-05-05 14:45:13 UTC (rev 2877) @@ -1,3 +1,6 @@ +2.0.28 2008-05-05 + * Fix mls_level_convert() to gracefully handle an empty user declaration/require from Stephen Smalley. + 2.0.27 2008-04-18 * Belatedly merge test for policy downgrade from Todd Miller. Modified: trunk/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2008-05-05 14:44:10 UTC (rev 2876) +++ trunk/libsepol/VERSION 2008-05-05 14:45:13 UTC (rev 2877) @@ -1 +1 @@ -2.0.27 +2.0.28 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2008-05-27 20:06:53
|
Revision: 2888 http://selinux.svn.sourceforge.net/selinux/?rev=2888&view=rev Author: ssmalley Date: 2008-05-27 13:06:51 -0700 (Tue, 27 May 2008) Log Message: ----------- updated libsepol to version 2.0.29 Modified Paths: -------------- trunk/libsepol/ChangeLog trunk/libsepol/VERSION Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2008-05-27 20:06:24 UTC (rev 2887) +++ trunk/libsepol/ChangeLog 2008-05-27 20:06:51 UTC (rev 2888) @@ -1,3 +1,6 @@ +2.0.29 2008-05-27 + * Merge user and role mapping support from Joshua Brindle. + 2.0.28 2008-05-05 * Fix mls_level_convert() to gracefully handle an empty user declaration/require from Stephen Smalley. Modified: trunk/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2008-05-27 20:06:24 UTC (rev 2887) +++ trunk/libsepol/VERSION 2008-05-27 20:06:51 UTC (rev 2888) @@ -1 +1 @@ -2.0.28 +2.0.29 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2008-06-06 14:29:12
|
Revision: 2891 http://selinux.svn.sourceforge.net/selinux/?rev=2891&view=rev Author: ssmalley Date: 2008-06-06 07:29:09 -0700 (Fri, 06 Jun 2008) Log Message: ----------- Author: Stephen Smalley Email: sd...@ty... Subject: libsepol: fix endianness bug in network node address handling Date: Thu, 05 Jun 2008 09:45:33 -0400 Fix an endianness bug in the handling of network node addresses by SELinux. This yields no change on little endian hardware but fixes the incorrect handling on big endian hardware. The network node addresses are stored in network order in memory by checkpolicy, not in cpu/host order, and thus should not have cpu_to_le32/le32_to_cpu conversions applied upon policy write/read unlike other data in the policy. Note that checkpolicy was also broken in its handling of ipv4 addresses on big endian hardware prior to checkpolicy 2.0.5 when the ipv4 address handling was changed to be more like the ipv6 address handling. Bug reported by John Weeks of Sun, who noticed that binary policy files built from the same policy source on x86 and sparc differed and tracked it down to the ipv4 address handling in checkpolicy. Signed-off-by: Stephen Smalley <sd...@ty...> Modified Paths: -------------- trunk/libsepol/include/sepol/policydb/policydb.h trunk/libsepol/src/policydb.c trunk/libsepol/src/write.c Modified: trunk/libsepol/include/sepol/policydb/policydb.h =================================================================== --- trunk/libsepol/include/sepol/policydb/policydb.h 2008-05-27 20:15:09 UTC (rev 2890) +++ trunk/libsepol/include/sepol/policydb/policydb.h 2008-06-06 14:29:09 UTC (rev 2891) 
@@ -257,12 +257,12 @@
 uint16_t high_port;
 } port; /* TCP or UDP port information */
 struct {
- uint32_t addr;
- uint32_t mask;
+ uint32_t addr; /* network order */
+ uint32_t mask; /* network order */
 } node; /* node information */
 struct {
- uint32_t addr[4];
- uint32_t mask[4];
+ uint32_t addr[4]; /* network order */
+ uint32_t mask[4]; /* network order */
 } node6; /* IPv6 node information */
 } u;
 union {
Modified: trunk/libsepol/src/policydb.c
===================================================================
--- trunk/libsepol/src/policydb.c 2008-05-27 20:15:09 UTC (rev 2890)
+++ trunk/libsepol/src/policydb.c 2008-06-06 14:29:09 UTC (rev 2891)
@@ -2114,8 +2114,8 @@
 rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
 if (rc < 0)
 return -1;
- c->u.node.addr = le32_to_cpu(buf[0]);
- c->u.node.mask = le32_to_cpu(buf[1]);
+ c->u.node.addr = buf[0]; /* network order */
+ c->u.node.mask = buf[1]; /* network order */
 if (context_read_and_validate
 (&c->context[0], p, fp))
 return -1;
@@ -2145,11 +2145,9 @@
 if (rc < 0)
 return -1;
 for (k = 0; k < 4; k++)
- c->u.node6.addr[k] =
- le32_to_cpu(buf[k]);
+ c->u.node6.addr[k] = buf[k]; /* network order */
 for (k = 0; k < 4; k++)
- c->u.node6.mask[k] =
- le32_to_cpu(buf[k + 4]);
+ c->u.node6.mask[k] = buf[k + 4]; /* network order */
 if (context_read_and_validate
 (&c->context[0], p, fp))
 return -1;
Modified: trunk/libsepol/src/write.c
===================================================================
--- trunk/libsepol/src/write.c 2008-05-27 20:15:09 UTC (rev 2890)
+++ trunk/libsepol/src/write.c 2008-06-06 14:29:09 UTC (rev 2891)
@@ -1097,8 +1097,8 @@
 return POLICYDB_ERROR;
 break;
 case OCON_NODE:
- buf[0] = cpu_to_le32(c->u.node.addr);
- buf[1] = cpu_to_le32(c->u.node.mask);
+ buf[0] = c->u.node.addr; /* network order */
+ buf[1] = c->u.node.mask; /* network order */
 items = put_entry(buf, sizeof(uint32_t), 2, fp);
 if (items != 2)
 return POLICYDB_ERROR;
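Review bot: Dropping `le32_to_cpu()` at `c->u.node.addr = buf[0];` in the policydb.c hunk at -2114 changes how an existing file is interpreted on big endian hosts, and nothing in the read path shown here distinguishes old files from new ones. A binary policy or base module written on such a host by an earlier libsepol holds these words byte-swapped, because the old writer applied `cpu_to_le32()`, so after this change it would load with different node addresses and masks and the node contexts would attach to the wrong networks. The same holds for the IPv6 loops in the hunk at -2145 and for the two write.c hunks. I would state the rebuild requirement next to the read, e.g. `/* network order; files written on big endian hosts by releases before this change are byte-swapped and must be rebuilt */`. The enclosing function starts and ends outside the hunk.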
@@ -1120,11 +1120,9 @@
 break;
 case OCON_NODE6:
 for (j = 0; j < 4; j++)
- buf[j] =
- cpu_to_le32(c->u.node6.addr[j]);
+ buf[j] = c->u.node6.addr[j]; /* network order */
 for (j = 0; j < 4; j++)
- buf[j + 4] =
- cpu_to_le32(c->u.node6.mask[j]);
+ buf[j + 4] = c->u.node6.mask[j]; /* network order */
 items = put_entry(buf, sizeof(uint32_t), 8, fp);
 if (items != 8)
 return POLICYDB_ERROR;
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2008-06-06 14:31:05
|
Revision: 2892 http://selinux.svn.sourceforge.net/selinux/?rev=2892&view=rev Author: ssmalley Date: 2008-06-06 07:30:55 -0700 (Fri, 06 Jun 2008) Log Message: ----------- updated libsepol to version 2.0.30 Modified Paths: -------------- trunk/libsepol/ChangeLog trunk/libsepol/VERSION Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2008-06-06 14:29:09 UTC (rev 2891) +++ trunk/libsepol/ChangeLog 2008-06-06 14:30:55 UTC (rev 2892) @@ -1,3 +1,8 @@ +2.0.30 2008-06-06 + * Fix endianness bug in the handling of network node addresses from Stephen Smalley. + Only affects big endian platforms. + Bug reported by John Weeks of Sun upon policy mismatch between x86 and sparc. + 2.0.29 2008-05-27 * Merge user and role mapping support from Joshua Brindle. Modified: trunk/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2008-06-06 14:29:09 UTC (rev 2891) +++ trunk/libsepol/VERSION 2008-06-06 14:30:55 UTC (rev 2892) @@ -1 +1 @@ -2.0.29 +2.0.30 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2008-06-13 14:14:59
|
Revision: 2910 http://selinux.svn.sourceforge.net/selinux/?rev=2910&view=rev Author: ssmalley Date: 2008-06-13 07:14:57 -0700 (Fri, 13 Jun 2008) Log Message: ----------- updated libsepol to version 2.0.31 Modified Paths: -------------- trunk/libsepol/ChangeLog trunk/libsepol/VERSION Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2008-06-13 14:13:46 UTC (rev 2909) +++ trunk/libsepol/ChangeLog 2008-06-13 14:14:57 UTC (rev 2910) @@ -1,3 +1,6 @@ +2.0.31 2008-06-13 + * Fix mls_semantic_level_expand() to handle a user require w/o MLS information from Stephen Smalley. + 2.0.30 2008-06-06 * Fix endianness bug in the handling of network node addresses from Stephen Smalley. Only affects big endian platforms. Modified: trunk/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2008-06-13 14:13:46 UTC (rev 2909) +++ trunk/libsepol/VERSION 2008-06-13 14:14:57 UTC (rev 2910) @@ -1 +1 @@ -2.0.30 +2.0.31 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <mad...@us...> - 2008-07-07 17:04:50
|
Revision: 2924 http://selinux.svn.sourceforge.net/selinux/?rev=2924&view=rev Author: madmethod Date: 2008-07-07 10:04:48 -0700 (Mon, 07 Jul 2008) Log Message: ----------- updated libsepol to version 2.0.32 Modified Paths: -------------- trunk/libsepol/ChangeLog trunk/libsepol/VERSION Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2008-07-07 17:03:20 UTC (rev 2923) +++ trunk/libsepol/ChangeLog 2008-07-07 17:04:48 UTC (rev 2924) @@ -1,3 +1,6 @@ +2.0.32 2008-07-07 + * Allow require then declare in the source policy from Joshua Brindle. + 2.0.31 2008-06-13 * Fix mls_semantic_level_expand() to handle a user require w/o MLS information from Stephen Smalley. Modified: trunk/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2008-07-07 17:03:20 UTC (rev 2923) +++ trunk/libsepol/VERSION 2008-07-07 17:04:48 UTC (rev 2924) @@ -1 +1 @@ -2.0.31 +2.0.32 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |