checkpolicy / 68e08cc
Imported Debian patch 1.22-1 Manoj Srivastava authored 19 years ago Laurent Bigonville committed 12 years ago
28 changed file(s) with 956 addition(s) and 1192 deletion(s).
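--- a/.arch-ids/genpolusers.c.id
+++ b/.arch-ids/genpolusers.c.id
@@ -1 +0,0 @@
-Manoj Srivastava <srivasta@debian.org> Thu Nov 4 20:22:49 2004 13522.8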
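--- a/.arch-ids/users.l.id
+++ b/.arch-ids/users.l.id
@@ -1 +0,0 @@
-Manoj Srivastava <srivasta@debian.org> Thu Nov 4 20:22:49 2004 13522.14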
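--- a/.arch-ids/users.y.id
+++ b/.arch-ids/users.y.id
@@ -1 +0,0 @@
-Manoj Srivastava <srivasta@debian.org> Thu Nov 4 20:22:49 2004 13522.15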
0 1.22 2005-03-09
1 * Updated version for release.
2
3 1.21.4 2005-02-17
4 * Moved genpolusers utility to libsepol.
5 * Merged range_transition support from Darrel Goeddel (TCS).
6
7 1.21.3 2005-02-16
8 * Merged define_user() cleanup patch from Darrel Goeddel (TCS).
9
10 1.21.2 2005-02-09
11 * Changed relabel Makefile target to use restorecon.
12
13 1.21.1 2005-01-26
14 * Merged enhanced MLS support from Darrel Goeddel (TCS).
15
016 1.20 2005-01-04
117 * Merged typeattribute statement patch from Darrel Goeddel of TCS.
218 * Changed genpolusers to handle multiple user config files.
44 BINDIR ?= $(PREFIX)/bin
55 MANDIR ?= $(PREFIX)/share/man
66 LIBDIR ?= ${PREFIX}/lib
7 TARGETS = checkpolicy genpolusers
7 TARGETS = checkpolicy
88
9 # Set to y for MLS
10 MLS=n
11
12 ifeq ($(MLS),y)
13 OPTIONS = -DCONFIG_SECURITY_SELINUX_MLS
14 else
15 OPTIONS =
16 endif
17
18 CFLAGS = -g $(OPTIONS) -Wall -O2 -pipe
9 CFLAGS = -g -Wall -O2 -pipe
1910
2011 override CFLAGS += -I.
2112
2213 OBJS += y.tab.o lex.yy.o queue.o checkpolicy.o
23
24 USEROBJS += users.tab.o lex.users.o queue.o genpolusers.o
2514
2615 LIBS=-lfl ${LIBDIR}/libsepol.a
2716
2817 all: $(TARGETS)
2918
3019 checkpolicy: $(OBJS)
31 $(CC) -o $@ $^ $(LIBS)
32
33 genpolusers: $(USEROBJS)
3420 $(CC) -o $@ $^ $(LIBS)
3521
3622 %.o: %.c
4834 lex.yy.c: policy_scan.l y.tab.c
4935 $(LEX) policy_scan.l
5036
51 users.tab.c: users.y
52 $(YACC) -d -o $@ $<
53
54 lex.users.c: users.l users.tab.c
55 $(LEX) -o$@ $<
56
5737 install: all
5838 -mkdir -p $(BINDIR)
5939 -mkdir -p $(MANDIR)/man8
6141 install -m 644 checkpolicy.8 $(MANDIR)/man8
6242
6343 relabel: install
64 setfilecon system_u:object_r:checkpolicy_exec_t $(BINDIR)/checkpolicy
44 /sbin/restorecon $(BINDIR)/checkpolicy
6545
6646 clean:
67 rm -f $(TARGETS) $(OBJS) $(USEROBJS) $(BOOLOBJS) y.tab.c y.tab.h lex.yy.c users.tab.c lex.users.c users.tab.h
47 rm -f $(TARGETS) $(OBJS) y.tab.c y.tab.h lex.yy.c
6848
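Review bot: The `relabel` target now calls `/sbin/restorecon $(BINDIR)/checkpolicy` instead of setting `system_u:object_r:checkpolicy_exec_t` explicitly, so the resulting label depends on the file-context entries of the policy installed on the host where the target runs. With a non-default `PREFIX` the path may match no entry, and the binary would then be left with a default type without any error from make. A comment on the target stating that assumption, e.g. `# relies on file_contexts covering $(BINDIR)/checkpolicy`, would make it visible to whoever changes `PREFIX`.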
0 1.20
0 1.22
22 checkpolicy \- SELinux policy compiler
33 .SH SYNOPSIS
44 .B checkpolicy
5 .I "[-b] [-d] [-c policyvers] [-o output_file] [input_file]"
5 .I "[-b] [-d] [-M] [-c policyvers] [-o output_file] [input_file]"
66 .br
77 .SH "DESCRIPTION"
88 This manual page describes the
2323 .B \-d
2424 Enter debug mode after loading the policy.
2525 .TP
26 .B \-M
27 Enable the MLS policy when checking and compiling the policy.
28 .TP
2629 .B \-o filename
2730 Write a binary policy file to the specified filename.
2831 .TP
22 * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
33 */
44
5 /* Updated: Karl MacMillan <kmacmillan@tresys.com>
5 /*
6 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
7 *
8 * Support for enhanced MLS infrastructure.
9 *
10 * Updated: Karl MacMillan <kmacmillan@tresys.com>
611 *
712 * Added conditional policy language extensions
813 *
1015 *
1116 * Added IPv6 support.
1217 *
18 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
1319 * Copyright (C) 2003 - 2004 Tresys Technology, LLC
1420 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
1521 * This program is free software; you can redistribute it and/or modify
8793 char *binfile = "policy";
8894
8995 unsigned int policyvers = POLICYDB_VERSION_MAX;
96 unsigned int mlspol = 0;
9097
9198 void usage(char *progname)
9299 {
93 printf("usage: %s [-b] [-d] [-c policyvers (%d-%d)] [-o output_file] [input_file]\n",
100 printf("usage: %s [-b] [-d] [-M] [-c policyvers (%d-%d)] [-o output_file] [input_file]\n",
94101 progname, POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
95102 exit(1);
96103 }
458465 struct policy_file pf;
459466
460467
461 while ((ch = getopt(argc, argv, "o:dbVc:")) != EOF) {
468 while ((ch = getopt(argc, argv, "o:dbMVc:")) != EOF) {
462469 switch (ch) {
463470 case 'o':
464471 outfile = optarg;
472479 break;
473480 case 'V':
474481 show_version = 1;
482 break;
483 case 'M':
484 mlspol = 1;
475485 break;
476486 case 'c': {
477487 long int n = strtol(optarg, NULL, 10);
496506 }
497507
498508 if (show_version) {
499 #ifdef CONFIG_SECURITY_SELINUX_MLS
500 printf("%d-mls (compatibility range %d-%d)\n", policyvers, POLICYDB_VERSION_MAX, POLICYDB_VERSION_MIN);
501 #else
502509 printf("%d (compatibility range %d-%d)\n", policyvers, POLICYDB_VERSION_MAX, POLICYDB_VERSION_MIN);
503 #endif
504510 exit(0);
505511 }
506512
545551 exit(1);
546552 }
547553 policydbp = &policydb;
554
555 /* Check Policy Consistency */
556 if (sepol_mls_enabled()) {
557 if (!mlspol) {
558 fprintf(stderr,"%s: MLS policy, but non-MLS"
559 " is specified\n", argv[0]);
560 exit(1);
561 }
562 } else {
563 if (mlspol) {
564 fprintf(stderr,"%s: non-MLS policy, but MLS"
565 " is specified\n", argv[0]);
566 exit(1);
567 }
568 }
548569 } else {
549570 yyin = fopen(file, "r");
550571 if (!yyin) {
555576
556577 if (policydb_init(&policydb))
557578 exit(1);
579
580 /* Let sepol know if we are dealing with MLS support */
581 sepol_set_mls(mlspol);
558582
559583 id_queue = queue_create();
560584 if (!id_queue) {
613637 exit(1);
614638 }
615639
616 sepol_set_policyvers(policyvers);
640 if (sepol_set_policyvers(policyvers)) {
641 fprintf(stderr,"%s: incompatible policy (version %d) "
642 "for writing to %s\n", argv[0],
643 policyvers, outfile);
644 exit(1);
645 }
617646
618647 pf.type = PF_USE_STDIO;
619648 pf.fp = outfp;
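Review bot: The new failure path for `sepol_set_policyvers(policyvers)` formats `policyvers` with `%d` although it is declared `unsigned int` earlier in this file, so the specifier should be `%u`: `fprintf(stderr,"%s: incompatible policy (version %u) "`. The check also sits directly before `pf.fp = outfp;`, which suggests the output file has already been opened at this point (the `fopen` is outside the visible lines). If so, exiting here leaves an empty or truncated file at the `-o` path, which a later policy load could pick up as a zero-length policy. Consider validating the version before the output file is opened, or removing the file on this error path. The enclosing `main` starts and ends outside these hunks.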
1515 te_assert_t *te_assertions;
1616
1717 extern unsigned int policyvers;
18 extern unsigned int mlspol;
1819
1920 #endif
00 Summary: SELinux policy compiler
11 Name: checkpolicy
2 Version: 1.20
2 Version: 1.22
33 Release: 1
44 License: GPL
55 Group: Development/System
4040 %files
4141 %defattr(-,root,root)
4242 %{_bindir}/checkpolicy
43 %{_bindir}/genpolusers
4443 %{_mandir}/man8/checkpolicy.8.gz
4544
4645 %changelog
0 checkpolicy (1.22-1) unstable; urgency=low
1
2 * New upstream release
3 * Merged typeattribute statement patch from Darrel Goeddel of TCS.
4 * Changed genpolusers to handle multiple user config files.
5 * Merged nodecon ordering patch from Chad Hanson of TCS.
6 * Merged enhanced MLS support from Darrel Goeddel (TCS).
7 * Changed relabel Makefile target to use restorecon.
8 * Merged define_user() cleanup patch from Darrel Goeddel (TCS).
9 * Merged range_transition support from Darrel Goeddel (TCS).
10 * Moved genpolusers utility to libsepol.
11
12 -- Manoj Srivastava <srivasta@debian.org> Sat, 12 Mar 2005 16:10:54 -0600
13
014 checkpolicy (1.20-1) unstable; urgency=low
115
216 * New upstream release
1818 CFLAGS = -O2
1919 PREFIX := /usr
2020
21 ifneq (,$(findstring debug,$(DEB_BUILD_OPTIONS)))
22 CFLAGS += -g
23 endif
21 # Policy 10.1 says to make this the default
22 CFLAGS += -g
23
24 ## ifneq (,$(findstring debug,$(DEB_BUILD_OPTIONS)))
25 ## endif
26
2427 ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
2528 STRIP += -s
2629 LDFLAGS += -s
0 Revision: skeleton-make-rules--main--0.1--patch-14
1 Archive: srivasta@debian.org--2003-primary
2 Creator: Manoj Srivastava <srivasta@debian.org>
3 Date: Mon Feb 28 14:38:56 CST 2005
4 Standard-date: 2005-02-28 20:38:56 GMT
5 Modified-files: copt.mk
6 New-patches: srivasta@debian.org--2003-primary/skeleton-make-rules--main--0.1--patch-14
7 Summary: Add the -g option to CFLAGS by default
8 Keywords:
9
33 ## Created On : Sat Nov 15 10:42:10 2003
44 ## Created On Node : glaurung.green-gryphon.com
55 ## Last Modified By : Manoj Srivastava
6 ## Last Modified On : Fri Nov 5 00:44:01 2004
6 ## Last Modified On : Sat Mar 12 18:41:58 2005
77 ## Last Machine Used: glaurung.internal.golden-gryphon.com
8 ## Update Count : 6
8 ## Update Count : 7
99 ## Status : Unknown, Use with caution!
1010 ## HISTORY :
1111 ## Description :
5555 $(install_file) debian/copyright $(DOCDIR)/copyright
5656 gzip -9fqr $(MANDIR)/
5757 ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
58 strip --strip-unneeded --remove-section=.note --remove-section=.comment $(BINDIR)/checkpolicy $(BINDIR)/genpolusers
58 strip --strip-unneeded --remove-section=.note --remove-section=.comment $(BINDIR)/checkpolicy
5959 endif
6060
6161 binary/checkpolicy: testroot
6262 $(checkdir)
6363 $(REASON)
6464 $(make_directory) $(TMPTOP)/DEBIAN
65 dpkg-shlibdeps $(BINDIR)/checkpolicy $(BINDIR)/genpolusers
65 dpkg-shlibdeps $(BINDIR)/checkpolicy
6666 dpkg-gencontrol -p$(package) -isp -P$(TMPTOP)
6767 chown -R root:root $(TMPTOP)
6868 chmod -R u+w,go=rX $(TMPTOP)
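--- a/debian/{arch}/,,inode-sigs/srivasta@debian.org--2003-primary%debian-dir--checkpolicy--1.0--base-0
+++ b/debian/{arch}/,,inode-sigs/srivasta@debian.org--2003-primary%debian-dir--checkpolicy--1.0--base-0
@@ -1,16 +0,0 @@
-A_./{arch}/.arch-project-tree ino=2575468:mtime=1099621862:size=52
-A_./{arch}/=tagging-method ino=2575469:mtime=1099621862:size=6822
-A_./{arch}/debian-dir/debian-dir--checkpolicy/debian-dir--checkpolicy--1.0/srivasta@debian.org--2003-primary/patch-log/base-0 ino=2840997:mtime=1099621862:size=724
-A_./{arch}/debian-dir/debian-dir--skeleton/debian-dir--skeleton--1.0/srivasta@debian.org--2003-primary/patch-log/base-0 ino=2936449:mtime=1099621862:size=639
-A_./{arch}/debian-dir/debian-dir--skeleton/debian-dir--skeleton--1.0/srivasta@debian.org--2003-primary/patch-log/patch-1 ino=2936450:mtime=1099621862:size=470
-A_./{arch}/debian-dir/debian-dir--skeleton/debian-dir--skeleton--1.0/srivasta@debian.org--2003-primary/patch-log/patch-2 ino=2936451:mtime=1099621862:size=450
-E_Manoj_Srivastava_<srivasta@debian.org>_Fri_Nov_21_03:17:12_2003_26704.0 ino=2562093:mtime=1099621862:size=72
-i_1a76a87e-7af5-424a-a30d-61660c8f243e ino=2512433:mtime=1099621862:size=1438
-i_5401e9ef-39cc-4aee-96a4-61dfb8f32cf7 ino=2512435:mtime=1099621862:size=7451
-i_56802d51-d980-4822-85c0-28fce19ed430 ino=2512436:mtime=1099621862:size=5768
-i_9a5063f4-1e20-4fff-b22a-de94c1e3d954 ino=2512439:mtime=1099621862:size=1968
-i_a4c1a888-137d-4800-98f8-93d0365422d8 ino=2512438:mtime=1099621862:size=4068
-i_b07b1015-30ba-4b46-915f-78c776a808f4 ino=2512434:mtime=1099621862:size=688
-i_d4250e44-a0e0-4ee0-adb9-2bd74f6eeb27 ino=2512432:mtime=1099621862:size=759
-i_d6a3672d-acb3-4f6c-9984-bad17d8ce0aa ino=2512437:mtime=1099621862:size=2605
-x_Manoj_Srivastava_<srivasta@debian.org>_Fri_Nov_21_03:17:12_2003_26704.0 ino=2512431:mtime=1099621862:size=282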
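--- a/debian/{arch}/,,inode-sigs/srivasta@debian.org--2003-primary%debian-dir--checkpolicy--1.0--patch-1
+++ b/debian/{arch}/,,inode-sigs/srivasta@debian.org--2003-primary%debian-dir--checkpolicy--1.0--patch-1
@@ -1,17 +0,0 @@
-A_./{arch}/.arch-project-tree ino=2575468:mtime=1099621862:size=52
-A_./{arch}/=tagging-method ino=2575469:mtime=1099621862:size=6822
-A_./{arch}/debian-dir/debian-dir--checkpolicy/debian-dir--checkpolicy--1.0/srivasta@debian.org--2003-primary/patch-log/base-0 ino=2840997:mtime=1099621862:size=724
-A_./{arch}/debian-dir/debian-dir--checkpolicy/debian-dir--checkpolicy--1.0/srivasta@debian.org--2003-primary/patch-log/patch-1 ino=2840998:mtime=1099638143:size=520
-A_./{arch}/debian-dir/debian-dir--skeleton/debian-dir--skeleton--1.0/srivasta@debian.org--2003-primary/patch-log/base-0 ino=2936449:mtime=1099621862:size=639
-A_./{arch}/debian-dir/debian-dir--skeleton/debian-dir--skeleton--1.0/srivasta@debian.org--2003-primary/patch-log/patch-1 ino=2936450:mtime=1099621862:size=470
-A_./{arch}/debian-dir/debian-dir--skeleton/debian-dir--skeleton--1.0/srivasta@debian.org--2003-primary/patch-log/patch-2 ino=2936451:mtime=1099621862:size=450
-E_Manoj_Srivastava_<srivasta@debian.org>_Fri_Nov_21_03:17:12_2003_26704.0 ino=2562093:mtime=1099621862:size=72
-E_Manoj_Srivastava_<srivasta@debian.org>_Fri_Nov__5_00:55:20_2004_9452.0 ino=2562094:mtime=1099637720:size=71
-E_Manoj_Srivastava_<srivasta@debian.org>_Fri_Nov__5_00:55:20_2004_9452.1 ino=2562095:mtime=1099637720:size=71
-i_1a76a87e-7af5-424a-a30d-61660c8f243e ino=2512433:mtime=1099637107:size=1547
-i_9a5063f4-1e20-4fff-b22a-de94c1e3d954 ino=2512439:mtime=1099621862:size=1968
-i_b07b1015-30ba-4b46-915f-78c776a808f4 ino=2512434:mtime=1099637041:size=2293
-i_d4250e44-a0e0-4ee0-adb9-2bd74f6eeb27 ino=2512436:mtime=1099637763:size=1487
-x_Manoj_Srivastava_<srivasta@debian.org>_Fri_Nov_21_03:17:12_2003_26704.0 ino=2512431:mtime=1099622484:size=1017
-x_Manoj_Srivastava_<srivasta@debian.org>_Fri_Nov__5_00:55:20_2004_9452.0 ino=2512442:mtime=1099622632:size=2913
-x_Manoj_Srivastava_<srivasta@debian.org>_Fri_Nov__5_00:55:20_2004_9452.1 ino=2512441:mtime=1099622546:size=134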
0 A_./{arch}/.arch-project-tree ino=2575468:mtime=1099621862:size=52
1 A_./{arch}/=tagging-method ino=2575469:mtime=1099621862:size=6822
2 A_./{arch}/debian-dir/debian-dir--checkpolicy/debian-dir--checkpolicy--1.0/srivasta@debian.org--2003-primary/patch-log/base-0 ino=2840997:mtime=1099621862:size=724
3 A_./{arch}/debian-dir/debian-dir--checkpolicy/debian-dir--checkpolicy--1.0/srivasta@debian.org--2003-primary/patch-log/patch-1 ino=2840998:mtime=1099638143:size=520
4 A_./{arch}/debian-dir/debian-dir--checkpolicy/debian-dir--checkpolicy--1.0/srivasta@debian.org--2003-primary/patch-log/patch-2 ino=2840664:mtime=1101331965:size=405
5 A_./{arch}/debian-dir/debian-dir--checkpolicy/debian-dir--checkpolicy--1.0/srivasta@debian.org--2003-primary/patch-log/patch-3 ino=2834476:mtime=1105570059:size=558
6 A_./{arch}/debian-dir/debian-dir--checkpolicy/debian-dir--checkpolicy--1.0/srivasta@debian.org--2003-primary/patch-log/patch-4 ino=2834478:mtime=1105570293:size=354
7 A_./{arch}/debian-dir/debian-dir--checkpolicy/debian-dir--checkpolicy--1.0/srivasta@debian.org--2003-primary/patch-log/patch-5 ino=2836343:mtime=1110665499:size=366
8 A_./{arch}/debian-dir/debian-dir--skeleton/debian-dir--skeleton--1.0/srivasta@debian.org--2003-primary/patch-log/base-0 ino=2936449:mtime=1099621862:size=639
9 A_./{arch}/debian-dir/debian-dir--skeleton/debian-dir--skeleton--1.0/srivasta@debian.org--2003-primary/patch-log/patch-1 ino=2936450:mtime=1099621862:size=470
10 A_./{arch}/debian-dir/debian-dir--skeleton/debian-dir--skeleton--1.0/srivasta@debian.org--2003-primary/patch-log/patch-2 ino=2936451:mtime=1099621862:size=450
11 E_Manoj_Srivastava_<srivasta@debian.org>_Fri_Nov_21_03:17:12_2003_26704.0 ino=2562093:mtime=1099621862:size=72
12 E_Manoj_Srivastava_<srivasta@debian.org>_Fri_Nov__5_00:55:20_2004_9452.0 ino=2562094:mtime=1099637720:size=71
13 E_Manoj_Srivastava_<srivasta@debian.org>_Fri_Nov__5_00:55:20_2004_9452.1 ino=2562095:mtime=1099637720:size=71
14 i_1a76a87e-7af5-424a-a30d-61660c8f243e ino=2512433:mtime=1099637107:size=1547
15 i_9a5063f4-1e20-4fff-b22a-de94c1e3d954 ino=2512439:mtime=1099621862:size=1968
16 i_b07b1015-30ba-4b46-915f-78c776a808f4 ino=2512434:mtime=1099637041:size=2293
17 i_d4250e44-a0e0-4ee0-adb9-2bd74f6eeb27 ino=2512436:mtime=1101326660:size=1534
18 x_Manoj_Srivastava_<srivasta@debian.org>_Fri_Nov_21_03:17:12_2003_26704.0 ino=2512431:mtime=1101332924:size=995
19 x_Manoj_Srivastava_<srivasta@debian.org>_Fri_Nov__5_00:55:20_2004_9452.0 ino=2512442:mtime=1110665454:size=4173
20 x_Manoj_Srivastava_<srivasta@debian.org>_Fri_Nov__5_00:55:20_2004_9452.1 ino=2512441:mtime=1101326354:size=156
0 A_./{arch}/.arch-project-tree ino=2575468:mtime=1099621862:size=52
1 A_./{arch}/=tagging-method ino=2575469:mtime=1099621862:size=6822
2 A_./{arch}/debian-dir/debian-dir--checkpolicy/debian-dir--checkpolicy--1.0/srivasta@debian.org--2003-primary/patch-log/base-0 ino=2840997:mtime=1099621862:size=724
3 A_./{arch}/debian-dir/debian-dir--checkpolicy/debian-dir--checkpolicy--1.0/srivasta@debian.org--2003-primary/patch-log/patch-1 ino=2840998:mtime=1099638143:size=520
4 A_./{arch}/debian-dir/debian-dir--checkpolicy/debian-dir--checkpolicy--1.0/srivasta@debian.org--2003-primary/patch-log/patch-2 ino=2840664:mtime=1101331965:size=405
5 A_./{arch}/debian-dir/debian-dir--checkpolicy/debian-dir--checkpolicy--1.0/srivasta@debian.org--2003-primary/patch-log/patch-3 ino=2834476:mtime=1105570059:size=558
6 A_./{arch}/debian-dir/debian-dir--checkpolicy/debian-dir--checkpolicy--1.0/srivasta@debian.org--2003-primary/patch-log/patch-4 ino=2834478:mtime=1105570293:size=354
7 A_./{arch}/debian-dir/debian-dir--checkpolicy/debian-dir--checkpolicy--1.0/srivasta@debian.org--2003-primary/patch-log/patch-5 ino=2836343:mtime=1110665499:size=366
8 A_./{arch}/debian-dir/debian-dir--checkpolicy/debian-dir--checkpolicy--1.0/srivasta@debian.org--2003-primary/patch-log/patch-6 ino=2836348:mtime=1110674562:size=389
9 A_./{arch}/debian-dir/debian-dir--skeleton/debian-dir--skeleton--1.0/srivasta@debian.org--2003-primary/patch-log/base-0 ino=2936449:mtime=1099621862:size=639
10 A_./{arch}/debian-dir/debian-dir--skeleton/debian-dir--skeleton--1.0/srivasta@debian.org--2003-primary/patch-log/patch-1 ino=2936450:mtime=1099621862:size=470
11 A_./{arch}/debian-dir/debian-dir--skeleton/debian-dir--skeleton--1.0/srivasta@debian.org--2003-primary/patch-log/patch-2 ino=2936451:mtime=1099621862:size=450
12 E_Manoj_Srivastava_<srivasta@debian.org>_Fri_Nov_21_03:17:12_2003_26704.0 ino=2562093:mtime=1099621862:size=72
13 E_Manoj_Srivastava_<srivasta@debian.org>_Fri_Nov__5_00:55:20_2004_9452.0 ino=2562094:mtime=1099637720:size=71
14 E_Manoj_Srivastava_<srivasta@debian.org>_Fri_Nov__5_00:55:20_2004_9452.1 ino=2562095:mtime=1099637720:size=71
15 i_1a76a87e-7af5-424a-a30d-61660c8f243e ino=2512433:mtime=1099637107:size=1547
16 i_9a5063f4-1e20-4fff-b22a-de94c1e3d954 ino=2512439:mtime=1099621862:size=1968
17 i_b07b1015-30ba-4b46-915f-78c776a808f4 ino=2512434:mtime=1110674518:size=2248
18 i_d4250e44-a0e0-4ee0-adb9-2bd74f6eeb27 ino=2512436:mtime=1101326660:size=1534
19 x_Manoj_Srivastava_<srivasta@debian.org>_Fri_Nov_21_03:17:12_2003_26704.0 ino=2512431:mtime=1101332924:size=995
20 x_Manoj_Srivastava_<srivasta@debian.org>_Fri_Nov__5_00:55:20_2004_9452.0 ino=2512442:mtime=1110665454:size=4173
21 x_Manoj_Srivastava_<srivasta@debian.org>_Fri_Nov__5_00:55:20_2004_9452.1 ino=2512441:mtime=1101326354:size=156
0 Revision: debian-dir--checkpolicy--1.0--patch-5
1 Archive: srivasta@debian.org--2003-primary
2 Creator: Manoj Srivastava <srivasta@debian.org>
3 Date: Sat Mar 12 16:11:39 CST 2005
4 Standard-date: 2005-03-12 22:11:39 GMT
5 Modified-files: changelog
6 New-patches: srivasta@debian.org--2003-primary/debian-dir--checkpolicy--1.0--patch-5
7 Summary: New upstream release
8 Keywords:
9
0 Revision: debian-dir--checkpolicy--1.0--patch-6
1 Archive: srivasta@debian.org--2003-primary
2 Creator: Manoj Srivastava <srivasta@debian.org>
3 Date: Sat Mar 12 18:42:41 CST 2005
4 Standard-date: 2005-03-13 00:42:41 GMT
5 Modified-files: local.mk
6 New-patches: srivasta@debian.org--2003-primary/debian-dir--checkpolicy--1.0--patch-6
7 Summary: Fix in rules: we no longer have genpol users
8 Keywords:
9
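--- a/genpolusers.c
+++ b/genpolusers.c
@@ -1,192 +0,0 @@
-/*
-* genpolusers inpolicy outpolicy users1 [users2 ... ]
-*
-* Given an existing binary policy configuration and a set of source users
-* configurations (post-processed), generate a new binary policy
-* configuration that is identical to the old one except that it has
-* the new user declarations. User declarations from the old binary
-* policy are replaced if they also exist in the new source users
-* configuration or removed otherwise. Special exceptions are made
-* for system_u and user_u, which can be replaced but not removed as
-* a safety against reloading a user configuration generated from
-* passwd information that would not include these special SELinux users.
-* This needs to be generalized in some manner. New users may also be
-* added by including them in the new source users configuration.
-*/
-
-#include <getopt.h>
-#include <unistd.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <errno.h>
-#include <sys/mman.h>
-#include <sepol/policydb.h>
-#include <sepol/services.h>
-#include <sepol/conditional.h>
-#include "queue.h"
-#include "checkpolicy.h"
-
-extern policydb_t *policydbp;
-extern queue_t id_queue;
-extern unsigned int policydb_errors;
-
-extern FILE *yyin;
-extern int yyparse(void);
-extern void yyrestart(FILE *);
-
-void usage(char *progname)
-{
-printf("usage: %s inpolicy outpolicy users1 [users2 ...]\n", progname);
-exit(1);
-}
-
-/* Select users for removal based on whether they were defined in the
-new source users configuration. */
-static int select_user(hashtab_key_t key, hashtab_datum_t datum, void *datap)
-{
-char *name = key;
-user_datum_t *usrdatum = datum;
-
-if (!usrdatum->defined) {
-/* XXX Hack: Don't accidentally remove SELinux-only users. */
-if (!strcmp(name, "system_u") || !strcmp(name, "user_u")) {
-printf("Warning! %s not defined, but not removing.\n", name);
-return 0;
-}
-printf("Removing user %s\n", name);
-return 1;
-}
-return 0;
-}
-
-static struct ebitmap free_users;
-
-/* Kill the user entries selected by select_user, and
-record that their slots are free. */
-void kill_user(hashtab_key_t key, hashtab_datum_t datum, void *p)
-{
-user_datum_t *usrdatum;
-struct policydb *pol = p;
-
-if (key)
-free(key);
-
-usrdatum = (user_datum_t *) datum;
-ebitmap_set_bit(&free_users, usrdatum->value - 1, 1);
-
-ebitmap_destroy(&usrdatum->roles);
-free(datum);
-pol->p_users.nprim--;
-}
-
-/* Fold user values down to avoid holes generated by removal.
-As the SID table is remapped by the kernel upon a policy reload,
-this is safe for existing SIDs. But it could be a problem for
-constraints if they refer to the particular user. */
-int remap_users(hashtab_key_t key, hashtab_datum_t datum, void *p)
-{
-user_datum_t *usrdatum = datum;
-struct policydb *pol = p;
-int i;
-
-if (usrdatum->value > pol->p_users.nprim) {
-for (i = ebitmap_startbit(&free_users); i < ebitmap_length(&free_users); i++) {
-if (ebitmap_get_bit(&free_users, i)) {
-printf("Remapping user %s (%u -> %u)\n", key, usrdatum->value, i+1);
-usrdatum->value = i+1;
-ebitmap_set_bit(&free_users, i, 0);
-return 0;
-}
-}
-}
-return 0;
-}
-
-int main(int argc, char **argv)
-{
-policydb_t policydb;
-struct policy_file pf;
-struct stat sb;
-FILE *outfp;
-int fd, rc, i;
-void *map;
-
-if (argc < 4)
-usage(argv[0]);
-
-fd = open(argv[1], O_RDONLY);
-if (fd < 0) {
-fprintf(stderr, "Can't open '%s': %s\n",
-argv[1], strerror(errno));
-exit(1);
-}
-if (fstat(fd, &sb) < 0) {
-fprintf(stderr, "Can't stat '%s': %s\n",
-argv[1], strerror(errno));
-exit(1);
-}
-map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
-if (map == MAP_FAILED) {
-fprintf(stderr, "Can't map '%s': %s\n",
-argv[1], strerror(errno));
-exit(1);
-}
-pf.type = PF_USE_MEMORY;
-pf.data = map;
-pf.len = sb.st_size;
-if (policydb_read(&policydb,&pf, 0)) {
-fprintf(stderr, "Can't read binary policy from '%s': %s\n",
-argv[1], strerror(errno));
-exit(1);
-}
-close(fd);
-
-/* Preserve the policy version of the original policy
-for the new policy. */
-sepol_set_policyvers(policydb.policyvers);
-
-id_queue = queue_create();
-if (!id_queue) {
-fprintf(stderr, "%s: out of memory\n", argv[0]);
-exit(1);
-}
-policydbp = &policydb;
-policydb_errors = 0;
-
-for (i = 3; i < argc; i++) {
-yyin = fopen(argv[i], "r");
-if (!yyin) {
-fprintf(stderr, "%s: unable to open %s\n", argv[0],
-argv[i]);
-exit(1);
-}
-
-if (yyparse() || policydb_errors) {
-fprintf(stderr, "%s: error(s) encountered while parsing configuration %s\n", argv[0], argv[i]);
-exit(1);
-}
-}
-queue_destroy(id_queue);
-
-hashtab_map_remove_on_error(policydb.p_users.table, select_user, kill_user, &policydb);
-hashtab_map(policydb.p_users.table, remap_users, &policydb);
-
-outfp = fopen(argv[2], "w");
-if (!outfp) {
-perror(argv[2]);
-exit(1);
-}
-pf.type = PF_USE_STDIO;
-pf.fp = outfp;
-rc = policydb_write(&policydb, &pf);
-if (rc) {
-fprintf(stderr, "%s: error writing %s\n",
-argv[0], argv[2]);
-exit(1);
-}
-fclose(outfp);
-exit(0);
-}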
22 * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
33 */
44
5 /* Updated: David Caplan, <dac@tresys.com>
5 /*
6 * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
7 *
8 * Support for enhanced MLS infrastructure.
9 *
10 * Updated: David Caplan, <dac@tresys.com>
611 *
712 * Added conditional policy language extensions
813 *
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
915 * Copyright (C) 2003 - 2004 Tresys Technology, LLC
1016 * This program is free software; you can redistribute it and/or modify
1117 * it under the terms of the GNU General Public License as published by
6268 static int define_sens(void);
6369 static int define_dominance(void);
6470 static int define_category(void);
65 static int define_level(void);
66 static int define_common_base(void);
67 static int define_av_base(void);
71 static int define_level(int range);
6872 static int define_attrib(void);
6973 static int define_typealias(void);
7074 static int define_typeattribute(void);
7579 static role_datum_t *merge_roles_dom(role_datum_t *r1,role_datum_t *r2);
7680 static role_datum_t *define_role_dom(role_datum_t *r);
7781 static int define_role_trans(void);
82 static int define_range_trans(void);
7883 static int define_role_allow(void);
7984 static int define_constraint(constraint_expr_t *expr);
85 static int define_validatetrans(constraint_expr_t *expr);
8086 static int define_bool();
8187 static int define_conditional(cond_expr_t *expr,cond_av_list_t *t_list, cond_av_list_t *f_list );
8288 static cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void* arg2);
108114 %type <ptr> cond_allow_def cond_auditallow_def cond_auditdeny_def cond_dontaudit_def
109115 %type <ptr> cond_transition_def cond_te_avtab_def cond_rule_def
110116 %type <ptr> role_def roles
111 %type <valptr> cexpr cexpr_prim op roleop
117 %type <valptr> cexpr cexpr_prim op role_mls_op
112118 %type <val> ipv4_addr_def number
113119
114120 %token PATH
116122 %token COMMON
117123 %token CLASS
118124 %token CONSTRAIN
125 %token VALIDATETRANS
119126 %token INHERITS
120127 %token SID
121128 %token ROLE
133140 %token TYPE_MEMBER
134141 %token TYPE_CHANGE
135142 %token ROLE_TRANSITION
143 %token RANGE_TRANSITION
136144 %token SENSITIVITY
137145 %token DOMINANCE
138146 %token DOM DOMBY INCOMP
139147 %token CATEGORY
140148 %token LEVEL
141 %token RANGES
149 %token RANGE
150 %token MLSCONSTRAIN
151 %token MLSVALIDATETRANS
142152 %token USER
143153 %token NEVERALLOW
144154 %token ALLOW
151161 %token FSCON PORTCON NETIFCON NODECON
152162 %token FSUSEXATTR FSUSETASK FSUSETRANS
153163 %token GENFSCON
154 %token U1 U2 R1 R2 T1 T2
164 %token U1 U2 U3 R1 R2 R3 T1 T2 T3 L1 L2 H1 H2
155165 %token NOT AND OR XOR
156166 %token CTRUE CFALSE
157167 %token IDENTIFIER
210220 opt_mls : mls
211221 |
212222 ;
213 mls : sensitivities dominance opt_categories levels base_perms
223 mls : sensitivities dominance opt_categories levels mlspolicy
214224 ;
215225 sensitivities : sensitivity_def
216226 | sensitivities sensitivity_def
241251 levels : level_def
242252 | levels level_def
243253 ;
244 level_def : LEVEL identifier ':' id_comma_list ';'
245 {if (define_level()) return -1;}
254 level_def : LEVEL identifier ':' identifier '.' identifier ';'
255 {if (define_level(1)) return -1;}
256 | LEVEL identifier ':' id_comma_list ';'
257 {if (define_level(0)) return -1;}
246258 | LEVEL identifier ';'
247 {if (define_level()) return -1;}
248 ;
249 base_perms : opt_common_base av_base
250 ;
251 opt_common_base : common_base
252 |
253 ;
254 common_base : common_base_def
255 | common_base common_base_def
256 ;
257 common_base_def : COMMON identifier '{' perm_base_list '}'
258 {if (define_common_base()) return -1;}
259 ;
260 av_base : av_base_def
261 | av_base av_base_def
262 ;
263 av_base_def : CLASS identifier '{' perm_base_list '}'
264 {if (define_av_base()) return -1;}
265 | CLASS identifier
266 {if (define_av_base()) return -1;}
267 ;
268 perm_base_list : perm_base
269 | perm_base_list perm_base
270 ;
271 perm_base : identifier ':' identifier
272 {if (insert_separator(0)) return -1;}
273 | identifier ':' '{' identifier_list '}'
274 {if (insert_separator(0)) return -1;}
259 {if (define_level(0)) return -1;}
260 ;
261 mlspolicy : mlspolicy_decl
262 | mlspolicy mlspolicy_decl
263 ;
264 mlspolicy_decl : mlsconstraint_def
265 | mlsvalidatetrans_def
266 ;
267 mlsconstraint_def : MLSCONSTRAIN names names cexpr ';'
268 { if (define_constraint((constraint_expr_t*)$4)) return -1; }
269 ;
270 mlsvalidatetrans_def : MLSVALIDATETRANS names cexpr ';'
271 { if (define_validatetrans((constraint_expr_t*)$3)) return -1; }
275272 ;
276273 te_rbac : te_rbac_decl
277274 | te_rbac te_rbac_decl
291288 | typeattribute_def
292289 | bool_def
293290 | transition_def
291 | range_trans_def
294292 | te_avtab_def
295293 | cond_stmt_def
296294 ;
411409 | TYPE_CHANGE names names ':' names identifier ';'
412410 {if (define_compute_type(AVTAB_CHANGE)) return -1;}
413411 ;
412 range_trans_def : RANGE_TRANSITION names names mls_range_def ';'
413 { if (define_range_trans()) return -1; }
414 ;
414415 te_avtab_def : allow_def
415416 | auditallow_def
416417 | auditdeny_def
456457 opt_constraints : constraints
457458 |
458459 ;
459 constraints : constraint_def
460 | constraints constraint_def
460 constraints : constraint_decl
461 | constraints constraint_decl
462 ;
463 constraint_decl : constraint_def
464 | validatetrans_def
461465 ;
462466 constraint_def : CONSTRAIN names names cexpr ';'
463467 { if (define_constraint((constraint_expr_t*)$4)) return -1; }
468 ;
469 validatetrans_def : VALIDATETRANS names cexpr ';'
470 { if (define_validatetrans((constraint_expr_t*)$3)) return -1; }
464471 ;
465472 cexpr : '(' cexpr ')'
466473 { $$ = $2; }
479486 cexpr_prim : U1 op U2
480487 { $$ = define_cexpr(CEXPR_ATTR, CEXPR_USER, $2);
481488 if ($$ == 0) return -1; }
482 | R1 roleop R2
489 | R1 role_mls_op R2
483490 { $$ = define_cexpr(CEXPR_ATTR, CEXPR_ROLE, $2);
484491 if ($$ == 0) return -1; }
485492 | T1 op T2
491498 | U2 op { if (insert_separator(1)) return -1; } user_names_push
492499 { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_TARGET), $2);
493500 if ($$ == 0) return -1; }
501 | U3 op { if (insert_separator(1)) return -1; } user_names_push
502 { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_XTARGET), $2);
503 if ($$ == 0) return -1; }
494504 | R1 op { if (insert_separator(1)) return -1; } names_push
495505 { $$ = define_cexpr(CEXPR_NAMES, CEXPR_ROLE, $2);
496506 if ($$ == 0) return -1; }
497507 | R2 op { if (insert_separator(1)) return -1; } names_push
498508 { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_ROLE | CEXPR_TARGET), $2);
499509 if ($$ == 0) return -1; }
510 | R3 op { if (insert_separator(1)) return -1; } names_push
511 { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_ROLE | CEXPR_XTARGET), $2);
512 if ($$ == 0) return -1; }
500513 | T1 op { if (insert_separator(1)) return -1; } names_push
501514 { $$ = define_cexpr(CEXPR_NAMES, CEXPR_TYPE, $2);
502515 if ($$ == 0) return -1; }
503516 | T2 op { if (insert_separator(1)) return -1; } names_push
504517 { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_TYPE | CEXPR_TARGET), $2);
518 if ($$ == 0) return -1; }
519 | T3 op { if (insert_separator(1)) return -1; } names_push
520 { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_TYPE | CEXPR_XTARGET), $2);
505521 if ($$ == 0) return -1; }
506522 | SAMEUSER
507523 { $$ = define_cexpr(CEXPR_ATTR, CEXPR_USER, CEXPR_EQ);
512528 | TARGET ROLE { if (insert_separator(1)) return -1; } names_push
513529 { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_ROLE | CEXPR_TARGET), CEXPR_EQ);
514530 if ($$ == 0) return -1; }
515 | ROLE roleop
531 | ROLE role_mls_op
516532 { $$ = define_cexpr(CEXPR_ATTR, CEXPR_ROLE, $2);
517533 if ($$ == 0) return -1; }
518534 | SOURCE TYPE { if (insert_separator(1)) return -1; } names_push
521537 | TARGET TYPE { if (insert_separator(1)) return -1; } names_push
522538 { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_TYPE | CEXPR_TARGET), CEXPR_EQ);
523539 if ($$ == 0) return -1; }
540 | L1 role_mls_op L2
541 { $$ = define_cexpr(CEXPR_ATTR, CEXPR_L1L2, $2);
542 if ($$ == 0) return -1; }
543 | L1 role_mls_op H2
544 { $$ = define_cexpr(CEXPR_ATTR, CEXPR_L1H2, $2);
545 if ($$ == 0) return -1; }
546 | H1 role_mls_op L2
547 { $$ = define_cexpr(CEXPR_ATTR, CEXPR_H1L2, $2);
548 if ($$ == 0) return -1; }
549 | H1 role_mls_op H2
550 { $$ = define_cexpr(CEXPR_ATTR, CEXPR_H1H2, $2);
551 if ($$ == 0) return -1; }
552 | L1 role_mls_op H1
553 { $$ = define_cexpr(CEXPR_ATTR, CEXPR_L1H1, $2);
554 if ($$ == 0) return -1; }
555 | L2 role_mls_op H2
556 { $$ = define_cexpr(CEXPR_ATTR, CEXPR_L2H2, $2);
557 if ($$ == 0) return -1; }
524558 ;
525559 op : EQUALS
526560 { $$ = CEXPR_EQ; }
527561 | NOTEQUAL
528562 { $$ = CEXPR_NEQ; }
529563 ;
530 roleop : op
564 role_mls_op : op
531565 { $$ = $1; }
532566 | DOM
533567 { $$ = CEXPR_DOM; }
542576 user_id : identifier
543577 | user_identifier
544578 ;
545 user_def : USER user_id ROLES names opt_user_ranges ';'
579 user_def : USER user_id ROLES names opt_mls_user ';'
546580 {if (define_user()) return -1;}
547581 ;
548 opt_user_ranges : RANGES user_ranges
582 opt_mls_user : LEVEL mls_level_def RANGE mls_range_def
549583 |
550 ;
551 user_ranges : mls_range_def
552 | '{' user_range_def_list '}'
553 ;
554 user_range_def_list : mls_range_def
555 | user_range_def_list mls_range_def
556584 ;
557585 initial_sid_contexts : initial_sid_context_def
558586 | initial_sid_contexts initial_sid_context_def
647675 | mls_level_def
648676 {if (insert_separator(0)) return -1;}
649677 ;
650 mls_level_def : identifier ':' id_comma_list
678 mls_level_def : identifier ':' cat_comma_list
651679 {if (insert_separator(0)) return -1;}
652680 | identifier
653681 {if (insert_separator(0)) return -1;}
654682 ;
683 cat_comma_list : cat_range
684 | cat_comma_list ',' cat_range
685 ;
686 cat_range : identifier
687 | identifier '.' identifier
688 { if (insert_id("MLS_CAT_RANGE",0)) return -1; }
689 ;
655690 id_comma_list : identifier
656691 | id_comma_list ',' identifier
657692 ;
926961 memset(perdatum, 0, sizeof(perm_datum_t));
927962 perdatum->value = ++comdatum->permissions.nprim;
928963
929 #ifdef CONFIG_SECURITY_SELINUX_MLS
930 /*
931 * By default, we set all four base permissions on this
932 * permission. This means that if base_permissions is not
933 * explicitly defined for this permission, then this
934 * permission will only be granted in the equivalent case.
935 */
936 perdatum->base_perms = MLS_BASE_READ | MLS_BASE_WRITE |
937 MLS_BASE_READBY | MLS_BASE_WRITEBY;
938 #endif
939
940 if (perdatum->value >= (sizeof(access_vector_t) * 8)) {
964 if (perdatum->value > (sizeof(access_vector_t) * 8)) {
941965 yyerror("too many permissions to fit in an access vector");
942966 goto bad_perm;
943967 }
10441068 memset(perdatum, 0, sizeof(perm_datum_t));
10451069 perdatum->value = ++cladatum->permissions.nprim;
10461070
1047 #ifdef CONFIG_SECURITY_SELINUX_MLS
1048 /*
1049 * By default, we set all four base permissions on this
1050 * permission. This means that if base_permissions is not
1051 * explicitly defined for this permission, then this
1052 * permission will only be granted in the equivalent case.
1053 */
1054 perdatum->base_perms = MLS_BASE_READ | MLS_BASE_WRITE |
1055 MLS_BASE_READBY | MLS_BASE_WRITEBY;
1056 /* actual value set in define_av_base */
1057 #endif
1058
1059 if (perdatum->value >= (sizeof(access_vector_t) * 8)) {
1071 if (perdatum->value > (sizeof(access_vector_t) * 8)) {
10601072 yyerror("too many permissions to fit in an access vector");
10611073 goto bad;
10621074 }
11021114
11031115 static int define_sens(void)
11041116 {
1105 #ifdef CONFIG_SECURITY_SELINUX_MLS
11061117 char *id;
11071118 mls_level_t *level = 0;
11081119 level_datum_t *datum = 0, *aliasdatum = 0;
11091120 int ret;
11101121
1122 if (!mlspol) {
1123 yyerror("sensitivity definition in non-MLS configuration");
1124 return -1;
1125 }
11111126
11121127 if (pass == 2) {
11131128 while ((id = queue_remove(id_queue)))
11941209 if (aliasdatum)
11951210 free(aliasdatum);
11961211 return -1;
1197 #else
1198 yyerror("sensitivity definition in non-MLS configuration");
1199 return -1;
1200 #endif
12011212 }
12021213
12031214 static int define_dominance(void)
12041215 {
1205 #ifdef CONFIG_SECURITY_SELINUX_MLS
12061216 level_datum_t *datum;
12071217 int order;
12081218 char *id;
1219
1220 if (!mlspol) {
1221 yyerror("dominance definition in non-MLS configuration");
1222 return -1;
1223 }
12091224
12101225 if (pass == 2) {
12111226 while ((id = queue_remove(id_queue)))
12401255 return -1;
12411256 }
12421257 return 0;
1243 #else
1244 yyerror("dominance definition in non-MLS configuration");
1245 return -1;
1246 #endif
12471258 }
12481259
12491260 static int define_category(void)
12501261 {
1251 #ifdef CONFIG_SECURITY_SELINUX_MLS
12521262 char *id;
12531263 cat_datum_t *datum = 0, *aliasdatum = 0;
12541264 int ret;
1265
1266 if (!mlspol) {
1267 yyerror("category definition in non-MLS configuration");
1268 return -1;
1269 }
12551270
12561271 if (pass == 2) {
12571272 while ((id = queue_remove(id_queue)))
13261341 if (aliasdatum)
13271342 free(aliasdatum);
13281343 return -1;
1329 #else
1330 yyerror("category definition in non-MLS configuration");
1331 return -1;
1332 #endif
1333 }
1334
1335
1336 static int define_level(void)
1337 {
1338 #ifdef CONFIG_SECURITY_SELINUX_MLS
1339 int n;
1344 }
1345
1346
1347 static int define_level(int range)
1348 {
1349 int i;
13401350 char *id, *levid;
13411351 level_datum_t *levdatum;
1342 cat_datum_t *catdatum;
1343
1352 cat_datum_t *catdatum = NULL;
1353 cat_datum_t *catdatum_r = NULL;
1354
1355 if (!mlspol) {
1356 yyerror("level definition in non-MLS configuration");
1357 return -1;
1358 }
13441359
13451360 if (pass == 2) {
13461361 while ((id = queue_remove(id_queue)))
13681383 return -1;
13691384 }
13701385 levid = id;
1371 n = 1;
1386
13721387 while ((id = queue_remove(id_queue))) {
1373 catdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
1374 (hashtab_key_t) id);
1388 catdatum =(cat_datum_t *)hashtab_search(policydbp->p_cats.table,
1389 (hashtab_key_t) id);
13751390 if (!catdatum) {
13761391 sprintf(errormsg, "unknown category %s used in level definition", id);
13771392 yyerror(errormsg);
13871402 /* no need to keep category name */
13881403 free(id);
13891404
1390 n = n * 2;
1405 if (range)
1406 break;
1407 }
1408
1409 if (range)
1410 {
1411 id = queue_remove(id_queue);
1412 catdatum_r =(cat_datum_t *)hashtab_search(
1413 policydbp->p_cats.table,
1414 (hashtab_key_t) id);
1415 if (!catdatum_r) {
1416 sprintf(errormsg,
1417 "unknown category %s used in level definition",
1418 id);
1419 yyerror(errormsg);
1420 free(levid);
1421 free(id);
1422 return -1;
1423 }
1424 if (catdatum_r->value < catdatum->value)
1425 {
1426 yyerror("category range is negative");
1427 free(levid);
1428 free(id);
1429 return -1;
1430 }
1431
1432 for (i = catdatum->value; i < catdatum_r->value; i++)
1433 {
1434 if (ebitmap_set_bit(&levdatum->level->cat, i, TRUE)) {
1435 yyerror("out of memory");
1436 free(id);
1437 free(levid);
1438 return -1;
1439 }
1440 }
13911441 }
13921442
13931443 free(levid);
13941444
1395 policydbp->nlevels += n;
1396
13971445 return 0;
1398 #else
1399 yyerror("level definition in non-MLS configuration");
1400 return -1;
1401 #endif
1402 }
1403
1404
1405 static int define_common_base(void)
1406 {
1407 #ifdef CONFIG_SECURITY_SELINUX_MLS
1408 char *id, *perm, *base;
1409 common_datum_t *comdatum;
1410 perm_datum_t *perdatum;
1411
1412
1413 if (pass == 2) {
1414 id = queue_remove(id_queue); free(id);
1415 while ((id = queue_remove(id_queue))) {
1416 free(id);
1417 while ((id = queue_remove(id_queue))) {
1418 free(id);
1419 }
1420 }
1421 return 0;
1422 }
1423
1424 id = (char *) queue_remove(id_queue);
1425 if (!id) {
1426 yyerror("no common name for common base definition?");
1427 return -1;
1428 }
1429 comdatum = (common_datum_t *) hashtab_search(policydbp->p_commons.table,
1430 (hashtab_key_t) id);
1431 if (!comdatum) {
1432 sprintf(errormsg, "common %s is not defined", id);
1433 yyerror(errormsg);
1434 free(id);
1435 return -1;
1436 }
1437 while ((perm = queue_remove(id_queue))) {
1438 perdatum = (perm_datum_t *) hashtab_search(comdatum->permissions.table,
1439 (hashtab_key_t) perm);
1440 if (!perdatum) {
1441 sprintf(errormsg, "permission %s is not defined for common %s", perm, id);
1442 yyerror(errormsg);
1443 free(id);
1444 free(perm);
1445 return -1;
1446 }
1447
1448 /*
1449 * An explicit definition of base_permissions for this
1450 * permission. Reset the value to zero.
1451 */
1452 perdatum->base_perms = 0;
1453
1454 while ((base = queue_remove(id_queue))) {
1455 if (!strcmp(base, "read"))
1456 perdatum->base_perms |= MLS_BASE_READ;
1457 else if (!strcmp(base, "write"))
1458 perdatum->base_perms |= MLS_BASE_WRITE;
1459 else if (!strcmp(base, "readby"))
1460 perdatum->base_perms |= MLS_BASE_READBY;
1461 else if (!strcmp(base, "writeby"))
1462 perdatum->base_perms |= MLS_BASE_WRITEBY;
1463 else if (strcmp(base, "none")) {
1464 sprintf(errormsg, "base permission %s is not defined", base);
1465 yyerror(errormsg);
1466 free(base);
1467 return -1;
1468 }
1469 free(base);
1470 }
1471
1472 free(perm);
1473 }
1474
1475 free(id);
1476
1477 return 0;
1478 #else
1479 yyerror("MLS base permission definition in non-MLS configuration");
1480 return -1;
1481 #endif
1482 }
1483
1484
1485 #ifdef CONFIG_SECURITY_SELINUX_MLS
1486 static int common_base_set(hashtab_key_t key, hashtab_datum_t datum, void *p)
1487 {
1488 perm_datum_t *perdatum;
1489 class_datum_t *cladatum;
1490
1491 perdatum = (perm_datum_t *) datum;
1492 cladatum = (class_datum_t *) p;
1493
1494 if (perdatum->base_perms & MLS_BASE_READ)
1495 cladatum->mlsperms.read |= (1 << (perdatum->value - 1));
1496
1497 if (perdatum->base_perms & MLS_BASE_WRITE)
1498 cladatum->mlsperms.write |= (1 << (perdatum->value - 1));
1499
1500 if (perdatum->base_perms & MLS_BASE_READBY)
1501 cladatum->mlsperms.readby |= (1 << (perdatum->value - 1));
1502
1503 if (perdatum->base_perms & MLS_BASE_WRITEBY)
1504 cladatum->mlsperms.writeby |= (1 << (perdatum->value - 1));
1505
1506 return 0;
1507 }
1508 #endif
1509
1510 static int define_av_base(void)
1511 {
1512 #ifdef CONFIG_SECURITY_SELINUX_MLS
1513 char *id, *base;
1514 class_datum_t *cladatum;
1515 perm_datum_t *perdatum;
1516
1517 if (pass == 2) {
1518 id = queue_remove(id_queue); free(id);
1519 while ((id = queue_remove(id_queue))) {
1520 free(id);
1521 while ((id = queue_remove(id_queue))) {
1522 free(id);
1523 }
1524 }
1525 return 0;
1526 }
1527
1528 id = (char *) queue_remove(id_queue);
1529 if (!id) {
1530 yyerror("no tclass name for av base definition?");
1531 return -1;
1532 }
1533 cladatum = (class_datum_t *) hashtab_search(policydbp->p_classes.table,
1534 (hashtab_key_t) id);
1535 if (!cladatum) {
1536 sprintf(errormsg, "class %s is not defined", id);
1537 yyerror(errormsg);
1538 free(id);
1539 return -1;
1540 }
1541 free(id);
1542
1543 /*
1544 * Determine which common permissions should be included in each MLS
1545 * vector for this access vector definition.
1546 */
1547 if (cladatum->comdatum)
1548 hashtab_map(cladatum->comdatum->permissions.table, common_base_set, cladatum);
1549
1550 while ((id = queue_remove(id_queue))) {
1551 perdatum = (perm_datum_t *) hashtab_search(cladatum->permissions.table,
1552 (hashtab_key_t) id);
1553 if (!perdatum) {
1554 sprintf(errormsg, "permission %s is not defined", id);
1555 yyerror(errormsg);
1556 free(id);
1557 return -1;
1558 }
1559 /*
1560 * An explicit definition of base_permissions for this
1561 * permission. Reset the value to zero.
1562 */
1563 perdatum->base_perms = 0;
1564
1565 while ((base = queue_remove(id_queue))) {
1566 if (!strcmp(base, "read")) {
1567 perdatum->base_perms |= MLS_BASE_READ;
1568 } else if (!strcmp(base, "write")) {
1569 perdatum->base_perms |= MLS_BASE_WRITE;
1570 } else if (!strcmp(base, "readby")) {
1571 perdatum->base_perms |= MLS_BASE_READBY;
1572 } else if (!strcmp(base, "writeby")) {
1573 perdatum->base_perms |= MLS_BASE_WRITEBY;
1574 } else if (strcmp(base, "none")) {
1575 sprintf(errormsg, "base permission %s is not defined", base);
1576 yyerror(errormsg);
1577 free(base);
1578 continue;
1579 }
1580 free(base);
1581 }
1582
1583 free(id);
1584 }
1585
1586 /* Set MLS base permission masks */
1587 hashtab_map(cladatum->permissions.table, common_base_set, cladatum);
1588
1589 return 0;
1590 #else
1591 yyerror("MLS base permission definition in non-MLS configuration");
1592 return -1;
1593 #endif
15941446 }
15951447
15961448 static int define_attrib(void)
16901542 return 0;
16911543 }
16921544
1693 #ifdef CONFIG_SECURITY_SELINUX_MLS
1694 static int handle_mls_attributes(char *id, unsigned int value)
1695 {
1696 if (!strcmp(id, "mlstrustedreader")) {
1697 if (ebitmap_set_bit(&policydbp->trustedreaders, value, TRUE)) {
1698 return -1;
1699 }
1700 } else if (!strcmp(id, "mlstrustedwriter")) {
1701 if (ebitmap_set_bit(&policydbp->trustedwriters, value, TRUE)) {
1702 return -1;
1703 }
1704 } else if (!strcmp(id, "mlstrustedobject")) {
1705 if (ebitmap_set_bit(&policydbp->trustedobjects, value, TRUE)) {
1706 return -1;
1707 }
1708 }
1709 return 0;
1710 }
1711 #else /* CONFIG_SECURITY_SELINUX_MLS */
1712 #define handle_mls_attributes(id, value) 0
1713 #endif /* CONFIG_SECURITY_SELINUX_MLS */
1714
17151545 static int define_typeattribute(void)
17161546 {
17171547 char *id;
17381568 }
17391569
17401570 while ((id = queue_remove(id_queue))) {
1741 if (handle_mls_attributes(id, (t->value - 1))) {
1742 yyerror("out of memory");
1743 free(id);
1744 return -1;
1745 }
17461571 attr = hashtab_search(policydbp->p_types.table, id);
17471572 if (!attr) {
17481573 sprintf(errormsg, "attribute %s is not declared", id);
18511676 }
18521677
18531678 while ((id = queue_remove(id_queue))) {
1854 if (handle_mls_attributes(id, (datum->value - 1))) {
1855 yyerror("out of memory");
1856 free(id);
1857 return -1;
1858 }
18591679 attr = hashtab_search(policydbp->p_types.table, id);
18601680 if (!attr) {
18611681 sprintf(errormsg, "attribute %s is not declared", id);
33743194 break;
33753195 case CEXPR_ATTR:
33763196 case CEXPR_NAMES:
3197 if (e->attr & CEXPR_XTARGET) {
3198 yyerror("illegal constraint expression");
3199 return -1; /* only for validatetrans rules */
3200 }
33773201 if (depth == (CEXPR_MAXDEPTH-1)) {
33783202 yyerror("constraint expression is too deep");
33793203 return -1;
34533277
34543278 return 0;
34553279 }
3280
3281 static int define_validatetrans(constraint_expr_t *expr)
3282 {
3283 struct constraint_node *node;
3284 char *id;
3285 class_datum_t *cladatum;
3286 ebitmap_t classmap;
3287 constraint_expr_t *e;
3288 int depth;
3289
3290 if (pass == 1) {
3291 while ((id = queue_remove(id_queue)))
3292 free(id);
3293 return 0;
3294 }
3295
3296 depth = -1;
3297 for (e = expr; e; e = e->next) {
3298 switch (e->expr_type) {
3299 case CEXPR_NOT:
3300 if (depth < 0) {
3301 yyerror("illegal validatetrans expression");
3302 return -1;
3303 }
3304 break;
3305 case CEXPR_AND:
3306 case CEXPR_OR:
3307 if (depth < 1) {
3308 yyerror("illegal validatetrans expression");
3309 return -1;
3310 }
3311 depth--;
3312 break;
3313 case CEXPR_ATTR:
3314 case CEXPR_NAMES:
3315 if (depth == (CEXPR_MAXDEPTH - 1)) {
3316 yyerror("validatetrans expression is too deep");
3317 return -1;
3318 }
3319 depth++;
3320 break;
3321 default:
3322 yyerror("illegal validatetrans expression");
3323 return -1;
3324 }
3325 }
3326 if (depth != 0) {
3327 yyerror("illegal validatetrans expression");
3328 return -1;
3329 }
3330
3331 ebitmap_init(&classmap);
3332 while ((id = queue_remove(id_queue))) {
3333 cladatum = (class_datum_t *)hashtab_search(policydbp->p_classes.table, (hashtab_key_t)id);
3334 if (!cladatum) {
3335 sprintf(errormsg, "class %s is not defined", id);
3336 ebitmap_destroy(&classmap);
3337 yyerror(errormsg);
3338 free(id);
3339 return -1;
3340 }
3341 if (ebitmap_set_bit(&classmap, (cladatum->value - 1), TRUE)) {
3342 yyerror("out of memory");
3343 ebitmap_destroy(&classmap);
3344 free(id);
3345 return -1;
3346 }
3347
3348 node = malloc(sizeof(struct constraint_node));
3349 if (!node) {
3350 yyerror("out of memory");
3351 return -1;
3352 }
3353 memset(node, 0, sizeof(constraint_node_t));
3354 node->expr = expr;
3355 node->permissions = 0;
3356
3357 node->next = cladatum->validatetrans;
3358 cladatum->validatetrans = node;
3359
3360 free(id);
3361 }
3362
3363 ebitmap_destroy(&classmap);
3364
3365 return 0;
3366 }
3367
34563368
34573369 static uintptr_t
34583370 define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2)
39653877 char *id;
39663878 user_datum_t *usrdatum;
39673879 int ret;
3968 #ifdef CONFIG_SECURITY_SELINUX_MLS
3969 mls_range_list_t *rnode;
39703880 level_datum_t *levdatum;
3971 cat_datum_t *catdatum;
3972 int relation, l;
3881 cat_datum_t *catdatum = NULL;
3882 cat_datum_t *catdatum_r = NULL;
3883 int l, i;
39733884 char *levid;
3974 #endif
39753885
39763886 if (pass == 1) {
39773887 while ((id = queue_remove(id_queue)))
39783888 free(id);
3979 #ifdef CONFIG_SECURITY_SELINUX_MLS
3980 while ((id = queue_remove(id_queue))) {
3981 free(id);
3889 if (mlspol) {
3890 while ((id = queue_remove(id_queue)))
3891 free(id);
3892 id = queue_remove(id_queue); free(id);
39823893 for (l = 0; l < 2; l++) {
39833894 while ((id = queue_remove(id_queue))) {
39843895 free(id);
39853896 }
3986 }
3987 }
3988 #endif
3897 id = queue_remove(id_queue);
3898 if (!id)
3899 break;
3900 free(id);
3901 }
3902 }
39893903 return 0;
39903904 }
39913905
40223936 continue;
40233937 }
40243938
4025 #ifdef CONFIG_SECURITY_SELINUX_MLS
4026 id = queue_remove(id_queue);
4027 if (!id) {
4028 rnode = (mls_range_list_t *) malloc(sizeof(mls_range_list_t));
4029 if (!rnode) {
4030 yyerror("out of memory");
4031 free(id);
3939 if (mlspol) {
3940 id = queue_remove(id_queue);
3941 if (!id) {
3942 yyerror("no default level specified for user");
40323943 return -1;
40333944 }
4034 memset(rnode, 0, sizeof(mls_range_list_t));
4035 levdatum = (level_datum_t *) hashtab_search(policydbp->p_levels.table,
4036 (hashtab_key_t) "unclassified");
3945
3946 levdatum = (level_datum_t *)
3947 hashtab_search(policydbp->p_levels.table,
3948 (hashtab_key_t) id);
40373949 if (!levdatum) {
4038 yyerror("no range for user");
3950 sprintf(errormsg, "unknown sensitivity %s used in user"
3951 " level definition", id);
3952 yyerror(errormsg);
3953 free(id);
40393954 return -1;
40403955 }
4041 rnode->range.level[0].sens = levdatum->level->sens;
4042 rnode->range.level[1].sens = levdatum->level->sens;
4043 rnode->next = usrdatum->ranges;
4044 usrdatum->ranges = rnode;
4045 goto skip_mls;
4046 }
4047 do {
4048 rnode = (mls_range_list_t *) malloc(sizeof(mls_range_list_t));
4049 if (!rnode) {
4050 yyerror("out of memory");
4051 free(id);
4052 return -1;
4053 }
4054 memset(rnode, 0, sizeof(mls_range_list_t));
3956
3957 usrdatum->dfltlevel.sens = levdatum->level->sens;
3958 ebitmap_init(&usrdatum->dfltlevel.cat);
3959
3960 levid = id;
3961
3962 while ((id = queue_remove(id_queue))) {
3963 /* Check for ranged entry */
3964 if (strcmp(id, "MLS_CAT_RANGE") == 0) {
3965 free(id);
3966 if (catdatum_r->value >= catdatum->value) {
3967 yyerror("category range is negative");
3968 free(levid);
3969 return -1;
3970 }
3971
3972 for (i=catdatum_r->value;
3973 i<catdatum->value-1; i++) {
3974 if (!ebitmap_get_bit(&levdatum->level->cat, i)) {
3975 sprintf(errormsg, "category value=%d cannot be associated with level %s", i+1, levid);
3976 yyerror(errormsg);
3977 continue;
3978 }
3979 if (ebitmap_set_bit(&usrdatum->dfltlevel.cat, i, TRUE)) {
3980 yyerror("out of memory");
3981 free(levid);
3982 return -1;
3983 }
3984 }
3985 continue;
3986 }
3987 /* Save previous entry */
3988 catdatum_r = catdatum;
3989
3990 catdatum = (cat_datum_t *)
3991 hashtab_search(policydbp->p_cats.table,
3992 (hashtab_key_t) id);
3993 if (!catdatum) {
3994 sprintf(errormsg, "unknown category %s used in user range definition", id);
3995 yyerror(errormsg);
3996 free(id);
3997 continue;
3998 }
3999 if (!ebitmap_get_bit(&levdatum->level->cat, catdatum->value - 1)) {
4000 sprintf(errormsg, "category %s cannot be associated with level %s", id, levid);
4001 yyerror(errormsg);
4002 free(id);
4003 continue;
4004 }
4005 if (ebitmap_set_bit(&usrdatum->dfltlevel.cat, catdatum->value - 1, TRUE)) {
4006 yyerror("out of memory");
4007 free(id);
4008 free(levid);
4009 ebitmap_destroy(&usrdatum->dfltlevel.cat);
4010 return -1;
4011 }
4012 free(id);
4013 }
4014
4015 free(levid);
4016
4017 id = queue_remove(id_queue);
40554018
40564019 for (l = 0; l < 2; l++) {
4057 levdatum = (level_datum_t *) hashtab_search(policydbp->p_levels.table,
4020 levdatum = (level_datum_t *)
4021 hashtab_search(policydbp->p_levels.table,
40584022 (hashtab_key_t) id);
40594023 if (!levdatum) {
40604024 sprintf(errormsg, "unknown sensitivity %s used in user range definition", id);
40614025 yyerror(errormsg);
4062 free(rnode);
40634026 free(id);
40644027 continue;
40654028 }
4066 rnode->range.level[l].sens = levdatum->level->sens;
4067 ebitmap_init(&rnode->range.level[l].cat);
4029 usrdatum->range.level[l].sens = levdatum->level->sens;
4030 ebitmap_init(&usrdatum->range.level[l].cat);
40684031
40694032 levid = id;
40704033
40714034 while ((id = queue_remove(id_queue))) {
4072 catdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
4073 (hashtab_key_t) id);
4035 /* Check for ranged entry */
4036 if (strcmp(id, "MLS_CAT_RANGE") == 0) {
4037 free(id);
4038 if (catdatum_r->value >= catdatum->value) {
4039 yyerror("category range is negative");
4040 free(levid);
4041 return -1;
4042 }
4043
4044 for (i=catdatum_r->value; i<catdatum->value-1; i++) {
4045 if (!ebitmap_get_bit(&levdatum->level->cat, i)) {
4046 sprintf(errormsg, "category value=%d cannot be associated with level %s", i+1, levid);
4047 yyerror(errormsg);
4048 continue;
4049 }
4050 if (ebitmap_set_bit(&usrdatum->range.level[l].cat, i, TRUE)) {
4051 yyerror("out of memory");
4052 free(levid);
4053 return -1;
4054 }
4055 }
4056 continue;
4057 }
4058 /* Save previous entry */
4059 catdatum_r = catdatum;
4060
4061 catdatum = (cat_datum_t *)
4062 hashtab_search(policydbp->p_cats.table,
4063 (hashtab_key_t) id);
40744064 if (!catdatum) {
40754065 sprintf(errormsg, "unknown category %s used in user range definition", id);
40764066 yyerror(errormsg);
40774067 free(id);
40784068 continue;
40794069 }
4080 if (!(ebitmap_get_bit(&levdatum->level->cat, catdatum->value - 1))) {
4081 sprintf(errormsg, "category %s cannot be associated with level %s", id, levid);
4070 if (!ebitmap_get_bit(&levdatum->level->cat,
4071 catdatum->value - 1)) {
4072 sprintf(errormsg,"category %s cannot be associated with level %s", id, levid);
40824073 yyerror(errormsg);
40834074 free(id);
40844075 continue;
40854076 }
4086 if (ebitmap_set_bit(&rnode->range.level[l].cat, catdatum->value - 1, TRUE)) {
4077 if (ebitmap_set_bit(&usrdatum->range.level[l].cat, catdatum->value - 1, TRUE)) {
40874078 yyerror("out of memory");
40884079 free(id);
40894080 free(levid);
4090 ebitmap_destroy(&rnode->range.level[l].cat);
4091 free(rnode);
4081 ebitmap_destroy(&usrdatum->dfltlevel.cat);
4082 ebitmap_destroy(&usrdatum->range.level[l].cat);
40924083 return -1;
40934084 }
40944085
41094100 }
41104101
41114102 if (l == 0) {
4112 rnode->range.level[1].sens = rnode->range.level[0].sens;
4113 if (ebitmap_cpy(&rnode->range.level[1].cat, &rnode->range.level[0].cat)) {
4103 usrdatum->range.level[1].sens =
4104 usrdatum->range.level[0].sens;
4105 if (ebitmap_cpy(&usrdatum->range.level[1].cat,
4106 &usrdatum->range.level[0].cat)) {
41144107 yyerror("out of memory");
4115 free(id);
4116 ebitmap_destroy(&rnode->range.level[0].cat);
4117 free(rnode);
4118 return -1;
4119 }
4120 }
4121 relation = mls_level_relation(rnode->range.level[1], rnode->range.level[0]);
4122 if (!(relation & (MLS_RELATION_DOM | MLS_RELATION_EQ))) {
4123 /* high does not dominate low */
4124 yyerror("high does not dominate low");
4125 ebitmap_destroy(&rnode->range.level[0].cat);
4126 ebitmap_destroy(&rnode->range.level[1].cat);
4127 free(rnode);
4128 return -1;
4129 }
4130 rnode->next = usrdatum->ranges;
4131 usrdatum->ranges = rnode;
4132 } while ((id = queue_remove(id_queue)));
4133 skip_mls:
4134 #endif
4135
4108 goto out;
4109 }
4110 }
4111 if (!mls_level_dom(&usrdatum->range.level[1],
4112 &usrdatum->range.level[0])) {
4113 yyerror("high level does not dominate low level");
4114 goto out;
4115 }
4116 if (!mls_level_between(&usrdatum->dfltlevel,
4117 &usrdatum->range.level[0],
4118 &usrdatum->range.level[1])) {
4119 yyerror("default level not within user range");
4120 goto out;
4121 }
4122 }
41364123 return 0;
4124
4125 out:
4126 ebitmap_destroy(&usrdatum->dfltlevel.cat);
4127 ebitmap_destroy(&usrdatum->range.level[0].cat);
4128 ebitmap_destroy(&usrdatum->range.level[1].cat);
4129 return -1;
41374130 }
41384131
41394132
41434136 role_datum_t *role;
41444137 type_datum_t *typdatum;
41454138 user_datum_t *usrdatum;
4146 #ifdef CONFIG_SECURITY_SELINUX_MLS
41474139 char *levid;
41484140 level_datum_t *levdatum;
4149 cat_datum_t *catdatum;
4150 int l;
4151 #endif
4141 cat_datum_t *catdatum = NULL;
4142 cat_datum_t *catdatum_r = NULL;
4143 int l, i;
41524144
41534145 if (pass == 1) {
41544146 id = queue_remove(id_queue); free(id); /* user */
41554147 id = queue_remove(id_queue); free(id); /* role */
41564148 id = queue_remove(id_queue); free(id); /* type */
4157 #ifdef CONFIG_SECURITY_SELINUX_MLS
4158 id = queue_remove(id_queue); free(id);
4159 for (l = 0; l < 2; l++) {
4160 while ((id = queue_remove(id_queue))) {
4161 free(id);
4162 }
4163 }
4164 #endif
4149 if (mlspol) {
4150 id = queue_remove(id_queue); free(id);
4151 for (l = 0; l < 2; l++) {
4152 while ((id = queue_remove(id_queue))) {
4153 free(id);
4154 }
4155 id = queue_remove(id_queue);
4156 if (!id)
4157 break;
4158 free(id);
4159 }
4160 }
41654161 return 0;
41664162 }
41674163
42254221 /* no need to keep the type name */
42264222 free(id);
42274223
4228 #ifdef CONFIG_SECURITY_SELINUX_MLS
4229 /* extract the low sensitivity */
4230 id = (char *) queue_head(id_queue);
4231 if (!id || strcmp(id, "system_u") == 0 /* hack */) {
4232 /* No MLS component to the security context. Try
4233 to use a default 'unclassified' value. */
4234 levdatum = (level_datum_t *) hashtab_search(policydbp->p_levels.table,
4235 (hashtab_key_t) "unclassified");
4236 if (!levdatum) {
4237 yyerror("no sensitivity name for sid context definition?");
4224 if (mlspol) {
4225 /* extract the low sensitivity */
4226 id = (char *) queue_head(id_queue);
4227 if (!id) {
4228 yyerror("no sensitivity name for sid context"
4229 " definition?");
42384230 return -1;
42394231 }
4240 c->range.level[0].sens = levdatum->level->sens;
4241 c->range.level[1].sens = levdatum->level->sens;
4242 goto skip_mls;
4243 }
4244
4245 id = (char *) queue_remove(id_queue);
4246 for (l = 0; l < 2; l++) {
4247 levdatum = (level_datum_t *) hashtab_search(policydbp->p_levels.table,
4232
4233 id = (char *) queue_remove(id_queue);
4234 for (l = 0; l < 2; l++) {
4235 levdatum = (level_datum_t *)
4236 hashtab_search(policydbp->p_levels.table,
42484237 (hashtab_key_t) id);
4249 if (!levdatum) {
4250 sprintf(errormsg, "Sensitivity %s is not defined", id);
4251 yyerror(errormsg);
4252 free(id);
4253 return -1;
4254 }
4255 c->range.level[l].sens = levdatum->level->sens;
4256
4257 /* extract low category set */
4258 levid = id;
4259 while ((id = queue_remove(id_queue))) {
4260 catdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
4261 (hashtab_key_t) id);
4262 if (!catdatum) {
4263 sprintf(errormsg, "unknown category %s used in initial sid context", id);
4238 if (!levdatum) {
4239 sprintf(errormsg, "Sensitivity %s is not "
4240 "defined", id);
42644241 yyerror(errormsg);
4265 free(levid);
42664242 free(id);
4243 return -1;
4244 }
4245 c->range.level[l].sens = levdatum->level->sens;
4246
4247 /* extract low category set */
4248 levid = id;
4249 while ((id = queue_remove(id_queue))) {
4250 /* Check for ranged entry */
4251 if (strcmp(id, "MLS_CAT_RANGE") == 0) {
4252 free(id);
4253 if (catdatum_r->value >=
4254 catdatum->value)
4255 {
4256 yyerror("category range is negative");
4257 free(levid);
4258 return -1;
4259 }
4260
4261 for (i = catdatum_r->value;
4262 i < catdatum->value-1; i++) {
4263 if (ebitmap_set_bit(&c->range.level[l].cat, i, TRUE)) {
4264 yyerror("out of memory");
4265 free(levid);
4266 return -1;
4267 }
4268 }
4269 continue;
4270 }
4271 /* Save previous entry */
4272 catdatum_r = catdatum;
4273
4274 catdatum = (cat_datum_t *)
4275 hashtab_search(policydbp->p_cats.table,
4276 (hashtab_key_t) id);
4277 if (!catdatum) {
4278 sprintf(errormsg, "unknown category %s used in initial sid context", id);
4279 yyerror(errormsg);
4280 free(levid);
4281 free(id);
4282 goto bad;
4283 }
4284 if (ebitmap_set_bit(&c->range.level[l].cat,
4285 catdatum->value - 1, TRUE)) {
4286 yyerror("out of memory");
4287 free(levid);
4288 free(id);
4289 goto bad;
4290 }
4291 /* no need to keep category name */
4292 free(id);
4293 }
4294
4295 /* no need to keep the sensitivity name */
4296 free(levid);
4297
4298 /* extract high sensitivity */
4299 id = (char *) queue_remove(id_queue);
4300 if (!id)
4301 break;
4302 }
4303
4304 if (l == 0) {
4305 c->range.level[1].sens = c->range.level[0].sens;
4306 if (ebitmap_cpy(&c->range.level[1].cat,
4307 &c->range.level[0].cat)) {
4308
4309 yyerror("out of memory");
42674310 goto bad;
42684311 }
4269 if (ebitmap_set_bit(&c->range.level[l].cat,
4270 catdatum->value - 1, TRUE)) {
4271 yyerror("out of memory");
4272 free(levid);
4273 free(id);
4274 goto bad;
4275 }
4276 /* no need to keep category name */
4277 free(id);
4278 }
4279
4280 /* no need to keep the sensitivity name */
4281 free(levid);
4282
4283 /* extract high sensitivity */
4284 id = (char *) queue_remove(id_queue);
4285 if (!id)
4286 break;
4287 }
4288
4289 if (l == 0) {
4290 c->range.level[1].sens = c->range.level[0].sens;
4291 if (ebitmap_cpy(&c->range.level[1].cat, &c->range.level[0].cat)) {
4292
4293 yyerror("out of memory");
4294 goto bad;
4295 }
4296 }
4297 skip_mls:
4298 #endif
4312 }
4313 }
42994314
43004315 if (!policydb_context_isvalid(policydbp, c)) {
43014316 yyerror("invalid security context");
45524567
45534568 if (pass == 1) {
45544569 parse_security_context(NULL);
4570 if (mlspol)
4571 free(queue_remove(id_queue));
45554572 return 0;
45564573 }
45574574
45734590 /* Create order of most specific to least retaining
45744591 the order specified in the configuration. */
45754592 head = policydbp->ocontexts[OCON_NODE];
4576 for (l = NULL, c = head; c; l = c, c = c->next) {
4593 for (l = NULL, c = head; c; l = c, c = c->next) {
45774594 if (newc->u.node.mask > c->u.node.mask)
45784595 break;
45794596 }
48444861 return define_genfs_context_helper(queue_remove(id_queue), has_type);
48454862 }
48464863
4864 static int define_range_trans(void)
4865 {
4866 char *id;
4867 char *levid;
4868 level_datum_t *levdatum = 0;
4869 cat_datum_t *catdatum = NULL;
4870 cat_datum_t *catdatum_r = NULL;
4871 mls_range_t range;
4872 ebitmap_t doms, types, negset;
4873 range_trans_t *rt = 0;
4874 unsigned int i, j;
4875 int l, add = 1;
4876
4877 if (!mlspol) {
4878 yyerror("range_transition rule in non-MLS configuration");
4879 return -1;
4880 }
4881
4882 if (pass == 1) {
4883 while ((id = queue_remove(id_queue)))
4884 free(id);
4885 while ((id = queue_remove(id_queue)))
4886 free(id);
4887 id = queue_remove(id_queue); free(id);
4888 for (l = 0; l < 2; l++) {
4889 while ((id = queue_remove(id_queue))) {
4890 free(id);
4891 }
4892 id = queue_remove(id_queue);
4893 if (!id)
4894 break;
4895 free(id);
4896 }
4897 return 0;
4898 }
4899
4900 ebitmap_init(&doms);
4901 ebitmap_init(&types);
4902
4903 ebitmap_init(&negset);
4904 while ((id = queue_remove(id_queue))) {
4905 if (set_types(&doms, &negset, id, &add))
4906 return -1;
4907 }
4908 ebitmap_destroy(&negset);
4909
4910 ebitmap_init(&negset);
4911 while ((id = queue_remove(id_queue))) {
4912 if (set_types(&types, &negset, id, &add))
4913 return -1;
4914 }
4915 ebitmap_destroy(&negset);
4916
4917 id = (char *)queue_remove(id_queue);
4918 if (!id) {
4919 yyerror("no range in range_transition definition?");
4920 return -1;
4921 }
4922 for (l = 0; l < 2; l++) {
4923 levdatum = hashtab_search(policydbp->p_levels.table, id);
4924 if (!levdatum) {
4925 sprintf(errormsg, "unknown level %s used in range_transition definition", id);
4926 yyerror(errormsg);
4927 return -1;
4928 }
4929 range.level[l].sens = levdatum->level->sens;
4930
4931 levid = id;
4932 ebitmap_init(&range.level[l].cat);
4933 while ((id = queue_remove(id_queue))) {
4934 /* Check for ranged entry */
4935 if (strcmp(id, "MLS_CAT_RANGE") == 0) {
4936 free(id);
4937 if (catdatum_r->value >= catdatum->value) {
4938 yyerror("category range is negative");
4939 free(levid);
4940 return -1;
4941 }
4942
4943 for (i = catdatum_r->value; i < catdatum->value - 1; i++) {
4944 if (!ebitmap_get_bit(&levdatum->level->cat, i)) {
4945 sprintf(errormsg, "category value=%d cannot be associated with level %s", i+1, levid);
4946 yyerror(errormsg);
4947 continue;
4948 }
4949 if (ebitmap_set_bit(&range.level[l].cat, i, TRUE)) {
4950 yyerror("out of memory");
4951 free(levid);
4952 return -1;
4953 }
4954 }
4955 continue;
4956 }
4957
4958 /* Save previous entry */
4959 catdatum_r = catdatum;
4960
4961 catdatum = hashtab_search(policydbp->p_cats.table, id);
4962 if (!catdatum) {
4963 sprintf(errormsg, "unknown category %s used in range_transition definition", id);
4964 yyerror(errormsg);
4965 return -1;
4966 }
4967 if (!ebitmap_get_bit(&levdatum->level->cat, catdatum->value - 1)) {
4968 sprintf(errormsg, "category %s not allowed with specified sensitivity", id);
4969 yyerror(errormsg);
4970 return -1;
4971 }
4972 if (ebitmap_set_bit(&range.level[l].cat, catdatum->value - 1, TRUE)) {
4973 yyerror("out of memory");
4974 return -1;
4975 }
4976 free(id);
4977 }
4978 free(levid);
4979
4980 id = (char *)queue_remove(id_queue);
4981 if (!id)
4982 break;
4983 }
4984 if (l == 0) {
4985 range.level[1].sens = range.level[0].sens;
4986 if (ebitmap_cpy(&range.level[1].cat, &range.level[0].cat)) {
4987 yyerror("out of memory");
4988 return -1;
4989 }
4990 }
4991
4992 if (!mls_level_dom(&range.level[1], &range.level[0])) {
4993 yyerror("range_transition high level does not dominate low level");
4994 return -1;
4995 }
4996
4997 for (i = ebitmap_startbit(&doms); i < ebitmap_length(&doms); i++) {
4998 if (!ebitmap_get_bit(&doms, i))
4999 continue;
5000 for (j = ebitmap_startbit(&types); j < ebitmap_length(&types); j++) {
5001 if (!ebitmap_get_bit(&types, j))
5002 continue;
5003
5004 for (rt = policydbp->range_tr; rt; rt = rt->next) {
5005 if (rt->dom == (i + 1) && rt->type == (j + 1)) {
5006 sprintf(errormsg, "duplicate range_transition defined for (%s,%s)",
5007 type_val_to_name(i + 1), type_val_to_name(j + 1));
5008 yyerror(errormsg);
5009 return -1;
5010 }
5011 }
5012
5013 rt = malloc(sizeof(range_trans_t));
5014 if (!rt) {
5015 yyerror("out of memory");
5016 return -1;
5017 }
5018 memset(rt, 0, sizeof(range_trans_t));
5019 rt->dom = i + 1;
5020 rt->type = j + 1;
5021 rt->range.level[0].sens = range.level[0].sens;
5022 if (ebitmap_cpy(&rt->range.level[0].cat,
5023 &range.level[0].cat)) {
5024 yyerror("out of memory");
5025 free(rt);
5026 return -1;
5027 }
5028 rt->range.level[1].sens = range.level[1].sens;
5029 if (ebitmap_cpy(&rt->range.level[1].cat,
5030 &range.level[1].cat)) {
5031 yyerror("out of memory");
5032 free(rt);
5033 return -1;
5034 }
5035 rt->next = policydbp->range_tr;
5036 policydbp->range_tr = rt;
5037 }
5038 }
5039
5040 ebitmap_destroy(&doms);
5041 ebitmap_destroy(&types);
5042 ebitmap_destroy(&range.level[0].cat);
5043 ebitmap_destroy(&range.level[1].cat);
5044 return 0;
5045 }
5046
48475047 /* FLASK */
48485048
48495049
5151 class { return(CLASS); }
5252 CONSTRAIN |
5353 constrain { return(CONSTRAIN); }
54 VALIDATETRANS |
55 validatetrans { return(VALIDATETRANS); }
5456 INHERITS |
5557 inherits { return(INHERITS); }
5658 SID |
7072 BOOL |
7173 bool { return(BOOL); }
7274 IF |
73 if { return(IF); }
75 if { return(IF); }
7476 ELSE |
75 else { return(ELSE); }
77 else { return(ELSE); }
7678 ALIAS |
7779 alias { return(ALIAS); }
7880 ATTRIBUTE |
8587 type_change { return(TYPE_CHANGE); }
8688 ROLE_TRANSITION |
8789 role_transition { return(ROLE_TRANSITION); }
90 RANGE_TRANSITION |
91 range_transition { return(RANGE_TRANSITION); }
8892 SENSITIVITY |
89 sensitivity { return(SENSITIVITY); }
93 sensitivity { return(SENSITIVITY); }
9094 DOMINANCE |
9195 dominance { return(DOMINANCE); }
9296 CATEGORY |
9397 category { return(CATEGORY); }
9498 LEVEL |
9599 level { return(LEVEL); }
96 RANGES |
97 ranges { return(RANGES); }
100 RANGE |
101 range { return(RANGE); }
102 MLSCONSTRAIN |
103 mlsconstrain { return(MLSCONSTRAIN); }
104 MLSVALIDATETRANS |
105 mlsvalidatetrans { return(MLSVALIDATETRANS); }
98106 USER |
99107 user { return(USER); }
100108 NEVERALLOW |
136144 fscon |
137145 FSCON { return(FSCON);}
138146 portcon |
139 PORTCON { return(PORTCON);}
147 PORTCON { return(PORTCON);}
140148 netifcon |
141 NETIFCON { return(NETIFCON);}
149 NETIFCON { return(NETIFCON);}
142150 nodecon |
143 NODECON { return(NODECON);}
151 NODECON { return(NODECON);}
144152 fs_use_xattr |
145 FS_USE_XATTR {return(FSUSEXATTR);}
153 FS_USE_XATTR { return(FSUSEXATTR);}
146154 fs_use_task |
147 FS_USE_TASK {return(FSUSETASK);}
155 FS_USE_TASK { return(FSUSETASK);}
148156 fs_use_trans |
149 FS_USE_TRANS {return(FSUSETRANS);}
157 FS_USE_TRANS { return(FSUSETRANS);}
150158 genfscon |
151159 GENFSCON { return(GENFSCON);}
152160 r1 |
153161 R1 { return(R1); }
154162 r2 |
155163 R2 { return(R2); }
164 r3 |
165 R3 { return(R3); }
156166 u1 |
157167 U1 { return(U1); }
158168 u2 |
159169 U2 { return(U2); }
170 u3 |
171 U3 { return(U3); }
160172 t1 |
161173 T1 { return(T1); }
162174 t2 |
163175 T2 { return(T2); }
176 t3 |
177 T3 { return(T3); }
178 l1 |
179 L1 { return(L1); }
180 l2 |
181 L2 { return(L2); }
182 h1 |
183 H1 { return(H1); }
184 h2 |
185 H2 { return(H2); }
164186 "/"({letter}|{digit}|_|"."|"-"|"/")* { return(PATH); }
165187 {letter}({letter}|{digit}|_)* { return(IDENTIFIER); }
166188 {letter}({letter}|{digit}|_|"."|"-")* { return(USER_IDENTIFIER); }
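Review bot: The newly added keyword rules (`range`, `l1`/`l2`, `h1`/`h2`, `r3`, `u3`, `t3`, `range_transition`, `validatetrans`, `mlsconstrain`, `mlsvalidatetrans`) sit above the `{letter}({letter}|{digit}|_)*` IDENTIFIER rule, so flex resolves the equal-length match in their favour and these words can no longer lex as identifiers. Unless the grammar (not shown in this section) accepts these tokens where a name is expected, an existing policy that names a type, role or category `range`, `l1` or `t3` stops compiling. Going by the gutter numbers, the `RANGES`/`ranges` rule also appears to be dropped in favour of `RANGE`/`range`, so an old `ranges` clause would now arrive at the parser as a plain IDENTIFIER. I would list the newly reserved words and the `ranges` to `range` change in the ChangeLog entry, and add a comment above the short operand names such as `/* l1 l2 h1 h2 r3 u3 t3: reserved constraint operands, not usable as identifiers */`. The file header for this section is missing from the page; the rules look like those of policy_scan.l.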
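--- a/users.l
+++ b/users.l
@@ -1,60 +0,0 @@
-%{
-#include <string.h>
-#include "users.tab.h"
-
-static char linebuf[2][255];
-static unsigned int lno = 0;
-int yywarn(char *msg);
-
-unsigned long policydb_lineno = 1;
-
-unsigned int policydb_errors = 0;
-%}
-%array
-letter [A-Za-z]
-digit [0-9]
-hexval [0-9A-Fa-f]
-%%
-\n.* { strncpy(linebuf[lno], yytext+1, 255);
-linebuf[lno][254] = 0;
-lno = 1 - lno;
-policydb_lineno++;
-yyless(1); }
-ROLES |
-roles { return(ROLES); }
-RANGES |
-ranges { return(RANGES); }
-USER |
-user { return(USER); }
-{letter}({letter}|{digit}|_)* { return(IDENTIFIER); }
-{letter}({letter}|{digit}|_|"."|"-")* { return(USER_IDENTIFIER); }
-#[^\n]* { /* delete comments */ }
-[ \t\f]+ { /* delete whitespace */ }
-"{" |
-"}" |
-";" |
-"-" |
-"~" |
-"*" { return(yytext[0]); }
-. { yywarn("unrecognized character");}
-%%
-int yyerror(char *msg)
-{
-fprintf(stderr, "ERROR '%s' at token '%s' on line %ld:\n%s\n%s\n",
-msg,
-yytext,
-policydb_lineno,
-linebuf[0], linebuf[1]);
-policydb_errors++;
-return -1;
-}
-
-int yywarn(char *msg)
-{
-fprintf(stderr, "WARNING '%s' at token '%s' on line %ld:\n%s\n%s\n",
-msg,
-yytext,
-policydb_lineno,
-linebuf[0], linebuf[1]);
-return 0;
-}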
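--- a/users.y
+++ b/users.y
@@ -1,368 +0,0 @@
-%{
-#include <sepol/policydb.h>
-#include <sepol/services.h>
-#include <sepol/conditional.h>
-#include <stdint.h>
-#include "queue.h"
-#include "checkpolicy.h"
-
-#define TRUE 1
-#define FALSE 0
-
-policydb_t *policydbp;
-queue_t id_queue = 0;
-unsigned int pass;
-char *curfile = 0;
-unsigned int curline;
-
-extern unsigned long policydb_lineno;
-
-extern char yytext[];
-extern int yywarn(char *msg);
-extern int yyerror(char *msg);
-
-static char errormsg[255];
-
-static int insert_separator(int push);
-static int insert_id(char *id,int push);
-static int define_user(void);
-%}
-
-%token ROLES
-%token RANGES
-%token USER
-%token IDENTIFIER
-%token USER_IDENTIFIER
-
-%%
-users : user_def
-| users user_def
-;
-user_id : identifier
-| user_identifier
-;
-user_def : USER user_id ROLES names opt_user_ranges ';'
-{if (define_user()) return -1;}
-;
-opt_user_ranges : RANGES user_ranges
-|
-;
-user_ranges : mls_range_def
-| '{' user_range_def_list '}'
-;
-user_range_def_list : mls_range_def
-| user_range_def_list mls_range_def
-;
-mls_range_def : mls_level_def '-' mls_level_def
-{if (insert_separator(0)) return -1;}
-| mls_level_def
-{if (insert_separator(0)) return -1;}
-;
-mls_level_def : identifier ':' id_comma_list
-{if (insert_separator(0)) return -1;}
-| identifier
-{if (insert_separator(0)) return -1;}
-;
-id_comma_list : identifier
-| id_comma_list ',' identifier
-;
-tilde : '~'
-;
-asterisk : '*'
-;
-names : identifier
-{ if (insert_separator(0)) return -1; }
-| nested_id_set
-{ if (insert_separator(0)) return -1; }
-| asterisk
-{ if (insert_id("*", 0)) return -1;
-if (insert_separator(0)) return -1; }
-| tilde identifier
-{ if (insert_id("~", 0)) return -1;
-if (insert_separator(0)) return -1; }
-| tilde nested_id_set
-{ if (insert_id("~", 0)) return -1;
-if (insert_separator(0)) return -1; }
-| identifier '-' { if (insert_id("-", 0)) return -1; } identifier
-{ if (insert_separator(0)) return -1; }
-;
-nested_id_set : '{' nested_id_list '}'
-;
-nested_id_list : nested_id_element | nested_id_list nested_id_element
-;
-nested_id_element : identifier | '-' { if (insert_id("-", 0)) return -1; } identifier | nested_id_set
-;
-identifier : IDENTIFIER
-{ if (insert_id(yytext,0)) return -1; }
-;
-user_identifier : USER_IDENTIFIER
-{ if (insert_id(yytext,0)) return -1; }
-;
-
-%%
-#define DEBUG 1
-
-static int insert_separator(int push)
-{
-int error;
-
-if (push)
-error = queue_push(id_queue, 0);
-else
-error = queue_insert(id_queue, 0);
-
-if (error) {
-yyerror("queue overflow");
-return -1;
-}
-return 0;
-}
-
-static int insert_id(char *id, int push)
-{
-char *newid = 0;
-int error;
-
-newid = (char *) malloc(strlen(id) + 1);
-if (!newid) {
-yyerror("out of memory");
-return -1;
-}
-strcpy(newid, id);
-if (push)
-error = queue_push(id_queue, (queue_element_t) newid);
-else
-error = queue_insert(id_queue, (queue_element_t) newid);
-
-if (error) {
-yyerror("queue overflow");
-free(newid);
-return -1;
-}
-return 0;
-}
-
-static int set_user_roles(ebitmap_t *set,
-char *id)
-{
-role_datum_t *r;
-unsigned int i;
-
-if (strcmp(id, "*") == 0) {
-/* set all roles */
-for (i = 0; i < policydbp->p_roles.nprim; i++)
-ebitmap_set_bit(set, i, TRUE);
-free(id);
-return 0;
-}
-
-if (strcmp(id, "~") == 0) {
-/* complement the set */
-for (i = 0; i < policydbp->p_roles.nprim; i++) {
-if (ebitmap_get_bit(set, i))
-ebitmap_set_bit(set, i, FALSE);
-else
-ebitmap_set_bit(set, i, TRUE);
-}
-free(id);
-return 0;
-}
-
-r = hashtab_search(policydbp->p_roles.table, id);
-if (!r) {
-sprintf(errormsg, "unknown role %s", id);
-yyerror(errormsg);
-free(id);
-return -1;
-}
-
-/* set the role and every role it dominates */
-for (i = ebitmap_startbit(&r->dominates); i < ebitmap_length(&r->dominates); i++) {
-if (ebitmap_get_bit(&r->dominates, i))
-ebitmap_set_bit(set, i, TRUE);
-}
-free(id);
-return 0;
-}
-
-static int define_user(void)
-{
-char *id;
-user_datum_t *usrdatum;
-int ret;
-#ifdef CONFIG_SECURITY_SELINUX_MLS
-mls_range_list_t *rnode;
-level_datum_t *levdatum;
-cat_datum_t *catdatum;
-int relation, l;
-char *levid;
-#endif
-
-if (pass == 1) {
-while ((id = queue_remove(id_queue)))
-free(id);
-#ifdef CONFIG_SECURITY_SELINUX_MLS
-while ((id = queue_remove(id_queue))) {
-free(id);
-for (l = 0; l < 2; l++) {
-while ((id = queue_remove(id_queue))) {
-free(id);
-}
-}
-}
-#endif
-return 0;
-}
-
-id = (char *) queue_remove(id_queue);
-if (!id) {
-yyerror("no user name for user definition?");
-return -1;
-}
-usrdatum = (user_datum_t *) hashtab_search(policydbp->p_users.table,
-(hashtab_key_t) id);
-if (usrdatum) {
-printf("Replacing user %s\n", id);
-ebitmap_init(&usrdatum->roles);
-usrdatum->defined = 1;
-free(id);
-} else {
-printf("Adding user %s\n", id);
-usrdatum = (user_datum_t *) malloc(sizeof(user_datum_t));
-if (!usrdatum) {
-yyerror("out of memory");
-free(id);
-return -1;
-}
-memset(usrdatum, 0, sizeof(user_datum_t));
-usrdatum->value = ++policydbp->p_users.nprim;
-ebitmap_init(&usrdatum->roles);
-usrdatum->defined = 1;
-ret = hashtab_insert(policydbp->p_users.table,
-(hashtab_key_t) id, (hashtab_datum_t) usrdatum);
-if (ret) {
-yyerror("hash table overflow");
-free(usrdatum);
-free(id);
-return -1;
-}
-}
-
-while ((id = queue_remove(id_queue))) {
-if (set_user_roles(&usrdatum->roles, id))
-continue;
-}
-
-#ifdef CONFIG_SECURITY_SELINUX_MLS
-id = queue_remove(id_queue);
-if (!id) {
-rnode = (mls_range_list_t *) malloc(sizeof(mls_range_list_t));
-if (!rnode) {
-yyerror("out of memory");
-free(id);
-return -1;
-}
-memset(rnode, 0, sizeof(mls_range_list_t));
-levdatum = (level_datum_t *) hashtab_search(policydbp->p_levels.table,
-(hashtab_key_t) "unclassified");
-if (!levdatum) {
-yyerror("no range for user");
-return -1;
-}
-rnode->range.level[0].sens = levdatum->level->sens;
-rnode->range.level[1].sens = levdatum->level->sens;
-rnode->next = usrdatum->ranges;
-usrdatum->ranges = rnode;
-goto skip_mls;
-}
-do {
-rnode = (mls_range_list_t *) malloc(sizeof(mls_range_list_t));
-if (!rnode) {
-yyerror("out of memory");
-free(id);
-return -1;
-}
-memset(rnode, 0, sizeof(mls_range_list_t));
-
-for (l = 0; l < 2; l++) {
-levdatum = (level_datum_t *) hashtab_search(policydbp->p_levels.table,
-(hashtab_key_t) id);
-if (!levdatum) {
-sprintf(errormsg, "unknown sensitivity %s used in user range definition", id);
-yyerror(errormsg);
-free(rnode);
-free(id);
-continue;
-}
-rnode->range.level[l].sens = levdatum->level->sens;
-ebitmap_init(&rnode->range.level[l].cat);
-
-levid = id;
-
-while ((id = queue_remove(id_queue))) {
-catdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
-(hashtab_key_t) id);
-if (!catdatum) {
-sprintf(errormsg, "unknown category %s used in user range definition", id);
-yyerror(errormsg);
-free(id);
-continue;
-}
-if (!(ebitmap_get_bit(&levdatum->level->cat, catdatum->value - 1))) {
-sprintf(errormsg, "category %s cannot be associated with level %s", id, levid);
-yyerror(errormsg);
-free(id);
-continue;
-}
-if (ebitmap_set_bit(&rnode->range.level[l].cat, catdatum->value - 1, TRUE)) {
-yyerror("out of memory");
-free(id);
-free(levid);
-ebitmap_destroy(&rnode->range.level[l].cat);
-free(rnode);
-return -1;
-}
-
-/*
-* no need to keep category name
-*/
-free(id);
-}
-
-/*
-* no need to keep sensitivity name
-*/
-free(levid);
-
-id = queue_remove(id_queue);
-if (!id)
-break;
-}
-
-if (l == 0) {
-rnode->range.level[1].sens = rnode->range.level[0].sens;
-if (ebitmap_cpy(&rnode->range.level[1].cat, &rnode->range.level[0].cat)) {
-yyerror("out of memory");
-free(id);
-ebitmap_destroy(&rnode->range.level[0].cat);
-free(rnode);
-return -1;
-}
-}
-relation = mls_level_relation(rnode->range.level[1], rnode->range.level[0]);
-if (!(relation & (MLS_RELATION_DOM | MLS_RELATION_EQ))) {
-/* high does not dominate low */
-yyerror("high does not dominate low");
-ebitmap_destroy(&rnode->range.level[0].cat);
-ebitmap_destroy(&rnode->range.level[1].cat);
-free(rnode);
-return -1;
-}
-rnode->next = usrdatum->ranges;
-usrdatum->ranges = rnode;
-} while ((id = queue_remove(id_queue)));
-skip_mls:
-#endif
-
-return 0;
-}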
0 A_./{arch}/.arch-project-tree ino=2645752:mtime=1099621739:size=52
1 A_./{arch}/=tagging-method ino=2645753:mtime=1099621739:size=6809
2 A_./{arch}/checkpolicy/checkpolicy--devo/checkpolicy--devo--1.0/srivasta@debian.org--2003-primary/patch-log/base-0 ino=3003574:mtime=1099621739:size=567
3 A_./{arch}/checkpolicy/checkpolicy--devo/checkpolicy--devo--1.0/srivasta@debian.org--2003-primary/patch-log/patch-1 ino=3003502:mtime=1110665223:size=977
4 A_./{arch}/checkpolicy/checkpolicy--upstream/checkpolicy--upstream--1.0/srivasta@debian.org--2003-primary/patch-log/base-0 ino=3003579:mtime=1099621739:size=576
5 A_./{arch}/checkpolicy/checkpolicy--upstream/checkpolicy--upstream--1.0/srivasta@debian.org--2003-primary/patch-log/patch-1 ino=3004803:mtime=1105569868:size=533
6 A_./{arch}/checkpolicy/checkpolicy--upstream/checkpolicy--upstream--1.0/srivasta@debian.org--2003-primary/patch-log/patch-2 ino=3003418:mtime=1110664990:size=696
7 E_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.0 ino=2481912:mtime=1099621739:size=72
8 E_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.1 ino=2481913:mtime=1099621739:size=72
9 E_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.10 ino=2481922:mtime=1099621739:size=73
10 E_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.11 ino=2481923:mtime=1099621739:size=73
11 E_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.12 ino=2481924:mtime=1099621739:size=73
12 E_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.13 ino=2544553:mtime=1099621739:size=73
13 E_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.2 ino=2481914:mtime=1099621739:size=72
14 E_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.3 ino=2481915:mtime=1099621739:size=72
15 E_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.4 ino=2481916:mtime=1099621739:size=72
16 E_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.5 ino=2481917:mtime=1099621739:size=72
17 E_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.6 ino=2481918:mtime=1099621739:size=72
18 E_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.7 ino=2481919:mtime=1099621739:size=72
19 E_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.9 ino=2481921:mtime=1099621739:size=72
20 E_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:54_2004_13528.0 ino=2544554:mtime=1099621739:size=72
21 E_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:54_2004_13528.1 ino=2544555:mtime=1099621739:size=72
22 x_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.0 ino=2449144:mtime=1099621739:size=18009
23 x_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.1 ino=2443198:mtime=1110664990:size=2494
24 x_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.10 ino=2443203:mtime=1110664990:size=5686
25 x_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.11 ino=2449155:mtime=1099621739:size=2559
26 x_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.12 ino=2449156:mtime=1099621739:size=1534
27 x_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.2 ino=2443197:mtime=1110664990:size=881
28 x_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.3 ino=2443199:mtime=1110664990:size=5
29 x_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.4 ino=2443200:mtime=1110664990:size=1249
30 x_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.5 ino=2443210:mtime=1110664990:size=25961
31 x_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.6 ino=2443214:mtime=1110664990:size=364
32 x_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.7 ino=2443215:mtime=1110664990:size=1302
33 x_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.9 ino=2443201:mtime=1110664990:size=123164
34 x_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:54_2004_13528.0 ino=2531064:mtime=1099621739:size=367
35 x_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:54_2004_13528.1 ino=2531065:mtime=1099621739:size=10050
0 Revision: checkpolicy--devo--1.0--patch-1
1 Archive: srivasta@debian.org--2003-primary
2 Creator: Manoj Srivastava <srivasta@debian.org>
3 Date: Sat Mar 12 16:07:03 CST 2005
4 Standard-date: 2005-03-12 22:07:03 GMT
5 Removed-files: .arch-ids/genpolusers.c.id
6 .arch-ids/users.l.id .arch-ids/users.y.id genpolusers.c
7 users.l users.y
8 Modified-files: ChangeLog Makefile VERSION checkpolicy.8
9 checkpolicy.c checkpolicy.h checkpolicy.spec
10 policy_parse.y policy_scan.l
11 New-patches: srivasta@debian.org--2003-primary/checkpolicy--devo--1.0--patch-1
12 srivasta@debian.org--2003-primary/checkpolicy--upstream--1.0--patch-1
13 srivasta@debian.org--2003-primary/checkpolicy--upstream--1.0--patch-2
14 Summary: Synchtonized with the latest version
15 Keywords:
16
17 Patches applied:
18
19 * srivasta@debian.org--2003-primary/checkpolicy--upstream--1.0--patch-1
20 Imported checkpolicy-1.20
21
22 * srivasta@debian.org--2003-primary/checkpolicy--upstream--1.0--patch-2
23 Imported checkpolicy-1.22
24
0 Revision: checkpolicy--upstream--1.0--patch-2
1 Archive: srivasta@debian.org--2003-primary
2 Creator: Manoj Srivastava <srivasta@debian.org>
3 Date: Sat Mar 12 16:00:22 CST 2005
4 Standard-date: 2005-03-12 22:00:22 GMT
5 Removed-files: .arch-ids/genpolusers.c.id
6 .arch-ids/users.l.id .arch-ids/users.y.id genpolusers.c
7 users.l users.y
8 Modified-files: ChangeLog Makefile VERSION checkpolicy.8
9 checkpolicy.c checkpolicy.h checkpolicy.spec
10 policy_parse.y policy_scan.l
11 New-patches: srivasta@debian.org--2003-primary/checkpolicy--upstream--1.0--patch-2
12 Summary: Imported checkpolicy-1.22
13 Keywords:
14
15 Imported checkpolicy-1.22
16 into srivasta@debian.org--2003-primary/checkpolicy--upstream--1.0
17
18