Imported Debian patch 1.22-1
Manoj Srivastava authored 19 years ago
Laurent Bigonville committed 12 years ago
0 | Manoj Srivastava <srivasta@debian.org> Thu Nov 4 20:22:49 2004 13522.8 |
0 | Manoj Srivastava <srivasta@debian.org> Thu Nov 4 20:22:49 2004 13522.14 |
0 | Manoj Srivastava <srivasta@debian.org> Thu Nov 4 20:22:49 2004 13522.15 |
0 | 1.22 2005-03-09 | |
1 | * Updated version for release. | |
2 | ||
3 | 1.21.4 2005-02-17 | |
4 | * Moved genpolusers utility to libsepol. | |
5 | * Merged range_transition support from Darrel Goeddel (TCS). | |
6 | ||
7 | 1.21.3 2005-02-16 | |
8 | * Merged define_user() cleanup patch from Darrel Goeddel (TCS). | |
9 | ||
10 | 1.21.2 2005-02-09 | |
11 | * Changed relabel Makefile target to use restorecon. | |
12 | ||
13 | 1.21.1 2005-01-26 | |
14 | * Merged enhanced MLS support from Darrel Goeddel (TCS). | |
15 | ||
0 | 16 | 1.20 2005-01-04 |
1 | 17 | * Merged typeattribute statement patch from Darrel Goeddel of TCS. |
2 | 18 | * Changed genpolusers to handle multiple user config files. |
4 | 4 | BINDIR ?= $(PREFIX)/bin |
5 | 5 | MANDIR ?= $(PREFIX)/share/man |
6 | 6 | LIBDIR ?= ${PREFIX}/lib |
7 | TARGETS = checkpolicy genpolusers | |
7 | TARGETS = checkpolicy | |
8 | 8 | |
9 | # Set to y for MLS | |
10 | MLS=n | |
11 | ||
12 | ifeq ($(MLS),y) | |
13 | OPTIONS = -DCONFIG_SECURITY_SELINUX_MLS | |
14 | else | |
15 | OPTIONS = | |
16 | endif | |
17 | ||
18 | CFLAGS = -g $(OPTIONS) -Wall -O2 -pipe | |
9 | CFLAGS = -g -Wall -O2 -pipe | |
19 | 10 | |
20 | 11 | override CFLAGS += -I. |
21 | 12 | |
22 | 13 | OBJS += y.tab.o lex.yy.o queue.o checkpolicy.o |
23 | ||
24 | USEROBJS += users.tab.o lex.users.o queue.o genpolusers.o | |
25 | 14 | |
26 | 15 | LIBS=-lfl ${LIBDIR}/libsepol.a |
27 | 16 | |
28 | 17 | all: $(TARGETS) |
29 | 18 | |
30 | 19 | checkpolicy: $(OBJS) |
31 | $(CC) -o $@ $^ $(LIBS) | |
32 | ||
33 | genpolusers: $(USEROBJS) | |
34 | 20 | $(CC) -o $@ $^ $(LIBS) |
35 | 21 | |
36 | 22 | %.o: %.c |
48 | 34 | lex.yy.c: policy_scan.l y.tab.c |
49 | 35 | $(LEX) policy_scan.l |
50 | 36 | |
51 | users.tab.c: users.y | |
52 | $(YACC) -d -o $@ $< | |
53 | ||
54 | lex.users.c: users.l users.tab.c | |
55 | $(LEX) -o$@ $< | |
56 | ||
57 | 37 | install: all |
58 | 38 | -mkdir -p $(BINDIR) |
59 | 39 | -mkdir -p $(MANDIR)/man8 |
61 | 41 | install -m 644 checkpolicy.8 $(MANDIR)/man8 |
62 | 42 | |
63 | 43 | relabel: install |
64 | setfilecon system_u:object_r:checkpolicy_exec_t $(BINDIR)/checkpolicy | |
44 | /sbin/restorecon $(BINDIR)/checkpolicy | |
65 | 45 | |
66 | 46 | clean: |
67 | rm -f $(TARGETS) $(OBJS) $(USEROBJS) $(BOOLOBJS) y.tab.c y.tab.h lex.yy.c users.tab.c lex.users.c users.tab.h | |
47 | rm -f $(TARGETS) $(OBJS) y.tab.c y.tab.h lex.yy.c | |
68 | 48 |
2 | 2 | checkpolicy \- SELinux policy compiler |
3 | 3 | .SH SYNOPSIS |
4 | 4 | .B checkpolicy |
5 | .I "[-b] [-d] [-c policyvers] [-o output_file] [input_file]" | |
5 | .I "[-b] [-d] [-M] [-c policyvers] [-o output_file] [input_file]" | |
6 | 6 | .br |
7 | 7 | .SH "DESCRIPTION" |
8 | 8 | This manual page describes the |
23 | 23 | .B \-d |
24 | 24 | Enter debug mode after loading the policy. |
25 | 25 | .TP |
26 | .B \-M | |
27 | Enable the MLS policy when checking and compiling the policy. | |
28 | .TP | |
26 | 29 | .B \-o filename |
27 | 30 | Write a binary policy file to the specified filename. |
28 | 31 | .TP |
2 | 2 | * Author : Stephen Smalley, <sds@epoch.ncsc.mil> |
3 | 3 | */ |
4 | 4 | |
5 | /* Updated: Karl MacMillan <kmacmillan@tresys.com> | |
5 | /* | |
6 | * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> | |
7 | * | |
8 | * Support for enhanced MLS infrastructure. | |
9 | * | |
10 | * Updated: Karl MacMillan <kmacmillan@tresys.com> | |
6 | 11 | * |
7 | 12 | * Added conditional policy language extensions |
8 | 13 | * |
10 | 15 | * |
11 | 16 | * Added IPv6 support. |
12 | 17 | * |
18 | * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. | |
13 | 19 | * Copyright (C) 2003 - 2004 Tresys Technology, LLC |
14 | 20 | * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com> |
15 | 21 | * This program is free software; you can redistribute it and/or modify |
87 | 93 | char *binfile = "policy"; |
88 | 94 | |
89 | 95 | unsigned int policyvers = POLICYDB_VERSION_MAX; |
96 | unsigned int mlspol = 0; | |
90 | 97 | |
91 | 98 | void usage(char *progname) |
92 | 99 | { |
93 | printf("usage: %s [-b] [-d] [-c policyvers (%d-%d)] [-o output_file] [input_file]\n", | |
100 | printf("usage: %s [-b] [-d] [-M] [-c policyvers (%d-%d)] [-o output_file] [input_file]\n", | |
94 | 101 | progname, POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX); |
95 | 102 | exit(1); |
96 | 103 | } |
458 | 465 | struct policy_file pf; |
459 | 466 | |
460 | 467 | |
461 | while ((ch = getopt(argc, argv, "o:dbVc:")) != EOF) { | |
468 | while ((ch = getopt(argc, argv, "o:dbMVc:")) != EOF) { | |
462 | 469 | switch (ch) { |
463 | 470 | case 'o': |
464 | 471 | outfile = optarg; |
472 | 479 | break; |
473 | 480 | case 'V': |
474 | 481 | show_version = 1; |
482 | break; | |
483 | case 'M': | |
484 | mlspol = 1; | |
475 | 485 | break; |
476 | 486 | case 'c': { |
477 | 487 | long int n = strtol(optarg, NULL, 10); |
496 | 506 | } |
497 | 507 | |
498 | 508 | if (show_version) { |
499 | #ifdef CONFIG_SECURITY_SELINUX_MLS | |
500 | printf("%d-mls (compatibility range %d-%d)\n", policyvers, POLICYDB_VERSION_MAX, POLICYDB_VERSION_MIN); | |
501 | #else | |
502 | 509 | printf("%d (compatibility range %d-%d)\n", policyvers, POLICYDB_VERSION_MAX, POLICYDB_VERSION_MIN); |
503 | #endif | |
504 | 510 | exit(0); |
505 | 511 | } |
506 | 512 | |
545 | 551 | exit(1); |
546 | 552 | } |
547 | 553 | policydbp = &policydb; |
554 | ||
555 | /* Check Policy Consistency */ | |
556 | if (sepol_mls_enabled()) { | |
557 | if (!mlspol) { | |
558 | fprintf(stderr,"%s: MLS policy, but non-MLS" | |
559 | " is specified\n", argv[0]); | |
560 | exit(1); | |
561 | } | |
562 | } else { | |
563 | if (mlspol) { | |
564 | fprintf(stderr,"%s: non-MLS policy, but MLS" | |
565 | " is specified\n", argv[0]); | |
566 | exit(1); | |
567 | } | |
568 | } | |
548 | 569 | } else { |
549 | 570 | yyin = fopen(file, "r"); |
550 | 571 | if (!yyin) { |
555 | 576 | |
556 | 577 | if (policydb_init(&policydb)) |
557 | 578 | exit(1); |
579 | ||
580 | /* Let sepol know if we are dealing with MLS support */ | |
581 | sepol_set_mls(mlspol); | |
558 | 582 | |
559 | 583 | id_queue = queue_create(); |
560 | 584 | if (!id_queue) { |
613 | 637 | exit(1); |
614 | 638 | } |
615 | 639 | |
616 | sepol_set_policyvers(policyvers); | |
640 | if (sepol_set_policyvers(policyvers)) { | |
641 | fprintf(stderr,"%s: incompatible policy (version %d) " | |
642 | "for writing to %s\n", argv[0], | |
643 | policyvers, outfile); | |
644 | exit(1); | |
645 | } | |
617 | 646 | |
618 | 647 | pf.type = PF_USE_STDIO; |
619 | 648 | pf.fp = outfp; |
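Review bot: The new failure message after `sepol_set_policyvers()` prints `policyvers` with `%d`, but `policyvers` is declared `unsigned int` on the context line above `usage()`, so the conversion specifier does not match the argument type; use `fprintf(stderr,"%s: incompatible policy (version %u) " "for writing to %s\n", argv[0], policyvers, outfile);`. The unchanged `show_version` printf has the same `%d`/`unsigned int` mismatch, which the commit leaves as is. The new branch also treats any non-zero return from `sepol_set_policyvers()` as "incompatible version"; it is worth confirming that this is the only failure the call reports, otherwise the message may mislabel other errors. The enclosing `main` begins and ends outside this section.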
15 | 15 | te_assert_t *te_assertions; |
16 | 16 | |
17 | 17 | extern unsigned int policyvers; |
18 | extern unsigned int mlspol; | |
18 | 19 | |
19 | 20 | #endif |
0 | 0 | Summary: SELinux policy compiler |
1 | 1 | Name: checkpolicy |
2 | Version: 1.20 | |
2 | Version: 1.22 | |
3 | 3 | Release: 1 |
4 | 4 | License: GPL |
5 | 5 | Group: Development/System |
40 | 40 | %files |
41 | 41 | %defattr(-,root,root) |
42 | 42 | %{_bindir}/checkpolicy |
43 | %{_bindir}/genpolusers | |
44 | 43 | %{_mandir}/man8/checkpolicy.8.gz |
45 | 44 | |
46 | 45 | %changelog |
0 | checkpolicy (1.22-1) unstable; urgency=low | |
1 | ||
2 | * New upstream release | |
3 | * Merged typeattribute statement patch from Darrel Goeddel of TCS. | |
4 | * Changed genpolusers to handle multiple user config files. | |
5 | * Merged nodecon ordering patch from Chad Hanson of TCS. | |
6 | * Merged enhanced MLS support from Darrel Goeddel (TCS). | |
7 | * Changed relabel Makefile target to use restorecon. | |
8 | * Merged define_user() cleanup patch from Darrel Goeddel (TCS). | |
9 | * Merged range_transition support from Darrel Goeddel (TCS). | |
10 | * Moved genpolusers utility to libsepol. | |
11 | ||
12 | -- Manoj Srivastava <srivasta@debian.org> Sat, 12 Mar 2005 16:10:54 -0600 | |
13 | ||
0 | 14 | checkpolicy (1.20-1) unstable; urgency=low |
1 | 15 | |
2 | 16 | * New upstream release |
18 | 18 | CFLAGS = -O2 |
19 | 19 | PREFIX := /usr |
20 | 20 | |
21 | ifneq (,$(findstring debug,$(DEB_BUILD_OPTIONS))) | |
22 | CFLAGS += -g | |
23 | endif | |
21 | # Policy 10.1 says to make this the default | |
22 | CFLAGS += -g | |
23 | ||
24 | ## ifneq (,$(findstring debug,$(DEB_BUILD_OPTIONS))) | |
25 | ## endif | |
26 | ||
24 | 27 | ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS))) |
25 | 28 | STRIP += -s |
26 | 29 | LDFLAGS += -s |
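Review bot: The two `## ifneq (,$(findstring debug,$(DEB_BUILD_OPTIONS)))` / `## endif` lines kept below the new unconditional `CFLAGS += -g` are commented-out code with no body, and the comment above them already records why `-g` is now always on; drop the two `##` lines so the rationale stands alone. If a pointer to the old behaviour is wanted, extend the existing comment instead, e.g. `# Policy 10.1 says to make this the default (was previously enabled only with DEB_BUILD_OPTIONS=debug)`.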
+10
-0
0 | Revision: skeleton-make-rules--main--0.1--patch-14 | |
1 | Archive: srivasta@debian.org--2003-primary | |
2 | Creator: Manoj Srivastava <srivasta@debian.org> | |
3 | Date: Mon Feb 28 14:38:56 CST 2005 | |
4 | Standard-date: 2005-02-28 20:38:56 GMT | |
5 | Modified-files: copt.mk | |
6 | New-patches: srivasta@debian.org--2003-primary/skeleton-make-rules--main--0.1--patch-14 | |
7 | Summary: Add the -g option to CFLAGS by default | |
8 | Keywords: | |
9 |
3 | 3 | ## Created On : Sat Nov 15 10:42:10 2003 |
4 | 4 | ## Created On Node : glaurung.green-gryphon.com |
5 | 5 | ## Last Modified By : Manoj Srivastava |
6 | ## Last Modified On : Fri Nov 5 00:44:01 2004 | |
6 | ## Last Modified On : Sat Mar 12 18:41:58 2005 | |
7 | 7 | ## Last Machine Used: glaurung.internal.golden-gryphon.com |
8 | ## Update Count : 6 | |
8 | ## Update Count : 7 | |
9 | 9 | ## Status : Unknown, Use with caution! |
10 | 10 | ## HISTORY : |
11 | 11 | ## Description : |
55 | 55 | $(install_file) debian/copyright $(DOCDIR)/copyright |
56 | 56 | gzip -9fqr $(MANDIR)/ |
57 | 57 | ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS))) |
58 | strip --strip-unneeded --remove-section=.note --remove-section=.comment $(BINDIR)/checkpolicy $(BINDIR)/genpolusers | |
58 | strip --strip-unneeded --remove-section=.note --remove-section=.comment $(BINDIR)/checkpolicy | |
59 | 59 | endif |
60 | 60 | |
61 | 61 | binary/checkpolicy: testroot |
62 | 62 | $(checkdir) |
63 | 63 | $(REASON) |
64 | 64 | $(make_directory) $(TMPTOP)/DEBIAN |
65 | dpkg-shlibdeps $(BINDIR)/checkpolicy $(BINDIR)/genpolusers | |
65 | dpkg-shlibdeps $(BINDIR)/checkpolicy | |
66 | 66 | dpkg-gencontrol -p$(package) -isp -P$(TMPTOP) |
67 | 67 | chown -R root:root $(TMPTOP) |
68 | 68 | chmod -R u+w,go=rX $(TMPTOP) |
+0
-16
0 | A_./{arch}/.arch-project-tree ino=2575468:mtime=1099621862:size=52 | |
1 | A_./{arch}/=tagging-method ino=2575469:mtime=1099621862:size=6822 | |
2 | A_./{arch}/debian-dir/debian-dir--checkpolicy/debian-dir--checkpolicy--1.0/srivasta@debian.org--2003-primary/patch-log/base-0 ino=2840997:mtime=1099621862:size=724 | |
3 | A_./{arch}/debian-dir/debian-dir--skeleton/debian-dir--skeleton--1.0/srivasta@debian.org--2003-primary/patch-log/base-0 ino=2936449:mtime=1099621862:size=639 | |
4 | A_./{arch}/debian-dir/debian-dir--skeleton/debian-dir--skeleton--1.0/srivasta@debian.org--2003-primary/patch-log/patch-1 ino=2936450:mtime=1099621862:size=470 | |
5 | A_./{arch}/debian-dir/debian-dir--skeleton/debian-dir--skeleton--1.0/srivasta@debian.org--2003-primary/patch-log/patch-2 ino=2936451:mtime=1099621862:size=450 | |
6 | E_Manoj_Srivastava_<srivasta@debian.org>_Fri_Nov_21_03:17:12_2003_26704.0 ino=2562093:mtime=1099621862:size=72 | |
7 | i_1a76a87e-7af5-424a-a30d-61660c8f243e ino=2512433:mtime=1099621862:size=1438 | |
8 | i_5401e9ef-39cc-4aee-96a4-61dfb8f32cf7 ino=2512435:mtime=1099621862:size=7451 | |
9 | i_56802d51-d980-4822-85c0-28fce19ed430 ino=2512436:mtime=1099621862:size=5768 | |
10 | i_9a5063f4-1e20-4fff-b22a-de94c1e3d954 ino=2512439:mtime=1099621862:size=1968 | |
11 | i_a4c1a888-137d-4800-98f8-93d0365422d8 ino=2512438:mtime=1099621862:size=4068 | |
12 | i_b07b1015-30ba-4b46-915f-78c776a808f4 ino=2512434:mtime=1099621862:size=688 | |
13 | i_d4250e44-a0e0-4ee0-adb9-2bd74f6eeb27 ino=2512432:mtime=1099621862:size=759 | |
14 | i_d6a3672d-acb3-4f6c-9984-bad17d8ce0aa ino=2512437:mtime=1099621862:size=2605 | |
15 | x_Manoj_Srivastava_<srivasta@debian.org>_Fri_Nov_21_03:17:12_2003_26704.0 ino=2512431:mtime=1099621862:size=282 |
+0
-17
0 | A_./{arch}/.arch-project-tree ino=2575468:mtime=1099621862:size=52 | |
1 | A_./{arch}/=tagging-method ino=2575469:mtime=1099621862:size=6822 | |
2 | A_./{arch}/debian-dir/debian-dir--checkpolicy/debian-dir--checkpolicy--1.0/srivasta@debian.org--2003-primary/patch-log/base-0 ino=2840997:mtime=1099621862:size=724 | |
3 | A_./{arch}/debian-dir/debian-dir--checkpolicy/debian-dir--checkpolicy--1.0/srivasta@debian.org--2003-primary/patch-log/patch-1 ino=2840998:mtime=1099638143:size=520 | |
4 | A_./{arch}/debian-dir/debian-dir--skeleton/debian-dir--skeleton--1.0/srivasta@debian.org--2003-primary/patch-log/base-0 ino=2936449:mtime=1099621862:size=639 | |
5 | A_./{arch}/debian-dir/debian-dir--skeleton/debian-dir--skeleton--1.0/srivasta@debian.org--2003-primary/patch-log/patch-1 ino=2936450:mtime=1099621862:size=470 | |
6 | A_./{arch}/debian-dir/debian-dir--skeleton/debian-dir--skeleton--1.0/srivasta@debian.org--2003-primary/patch-log/patch-2 ino=2936451:mtime=1099621862:size=450 | |
7 | E_Manoj_Srivastava_<srivasta@debian.org>_Fri_Nov_21_03:17:12_2003_26704.0 ino=2562093:mtime=1099621862:size=72 | |
8 | E_Manoj_Srivastava_<srivasta@debian.org>_Fri_Nov__5_00:55:20_2004_9452.0 ino=2562094:mtime=1099637720:size=71 | |
9 | E_Manoj_Srivastava_<srivasta@debian.org>_Fri_Nov__5_00:55:20_2004_9452.1 ino=2562095:mtime=1099637720:size=71 | |
10 | i_1a76a87e-7af5-424a-a30d-61660c8f243e ino=2512433:mtime=1099637107:size=1547 | |
11 | i_9a5063f4-1e20-4fff-b22a-de94c1e3d954 ino=2512439:mtime=1099621862:size=1968 | |
12 | i_b07b1015-30ba-4b46-915f-78c776a808f4 ino=2512434:mtime=1099637041:size=2293 | |
13 | i_d4250e44-a0e0-4ee0-adb9-2bd74f6eeb27 ino=2512436:mtime=1099637763:size=1487 | |
14 | x_Manoj_Srivastava_<srivasta@debian.org>_Fri_Nov_21_03:17:12_2003_26704.0 ino=2512431:mtime=1099622484:size=1017 | |
15 | x_Manoj_Srivastava_<srivasta@debian.org>_Fri_Nov__5_00:55:20_2004_9452.0 ino=2512442:mtime=1099622632:size=2913 | |
16 | x_Manoj_Srivastava_<srivasta@debian.org>_Fri_Nov__5_00:55:20_2004_9452.1 ino=2512441:mtime=1099622546:size=134 |
+21
-0
0 | A_./{arch}/.arch-project-tree ino=2575468:mtime=1099621862:size=52 | |
1 | A_./{arch}/=tagging-method ino=2575469:mtime=1099621862:size=6822 | |
2 | A_./{arch}/debian-dir/debian-dir--checkpolicy/debian-dir--checkpolicy--1.0/srivasta@debian.org--2003-primary/patch-log/base-0 ino=2840997:mtime=1099621862:size=724 | |
3 | A_./{arch}/debian-dir/debian-dir--checkpolicy/debian-dir--checkpolicy--1.0/srivasta@debian.org--2003-primary/patch-log/patch-1 ino=2840998:mtime=1099638143:size=520 | |
4 | A_./{arch}/debian-dir/debian-dir--checkpolicy/debian-dir--checkpolicy--1.0/srivasta@debian.org--2003-primary/patch-log/patch-2 ino=2840664:mtime=1101331965:size=405 | |
5 | A_./{arch}/debian-dir/debian-dir--checkpolicy/debian-dir--checkpolicy--1.0/srivasta@debian.org--2003-primary/patch-log/patch-3 ino=2834476:mtime=1105570059:size=558 | |
6 | A_./{arch}/debian-dir/debian-dir--checkpolicy/debian-dir--checkpolicy--1.0/srivasta@debian.org--2003-primary/patch-log/patch-4 ino=2834478:mtime=1105570293:size=354 | |
7 | A_./{arch}/debian-dir/debian-dir--checkpolicy/debian-dir--checkpolicy--1.0/srivasta@debian.org--2003-primary/patch-log/patch-5 ino=2836343:mtime=1110665499:size=366 | |
8 | A_./{arch}/debian-dir/debian-dir--skeleton/debian-dir--skeleton--1.0/srivasta@debian.org--2003-primary/patch-log/base-0 ino=2936449:mtime=1099621862:size=639 | |
9 | A_./{arch}/debian-dir/debian-dir--skeleton/debian-dir--skeleton--1.0/srivasta@debian.org--2003-primary/patch-log/patch-1 ino=2936450:mtime=1099621862:size=470 | |
10 | A_./{arch}/debian-dir/debian-dir--skeleton/debian-dir--skeleton--1.0/srivasta@debian.org--2003-primary/patch-log/patch-2 ino=2936451:mtime=1099621862:size=450 | |
11 | E_Manoj_Srivastava_<srivasta@debian.org>_Fri_Nov_21_03:17:12_2003_26704.0 ino=2562093:mtime=1099621862:size=72 | |
12 | E_Manoj_Srivastava_<srivasta@debian.org>_Fri_Nov__5_00:55:20_2004_9452.0 ino=2562094:mtime=1099637720:size=71 | |
13 | E_Manoj_Srivastava_<srivasta@debian.org>_Fri_Nov__5_00:55:20_2004_9452.1 ino=2562095:mtime=1099637720:size=71 | |
14 | i_1a76a87e-7af5-424a-a30d-61660c8f243e ino=2512433:mtime=1099637107:size=1547 | |
15 | i_9a5063f4-1e20-4fff-b22a-de94c1e3d954 ino=2512439:mtime=1099621862:size=1968 | |
16 | i_b07b1015-30ba-4b46-915f-78c776a808f4 ino=2512434:mtime=1099637041:size=2293 | |
17 | i_d4250e44-a0e0-4ee0-adb9-2bd74f6eeb27 ino=2512436:mtime=1101326660:size=1534 | |
18 | x_Manoj_Srivastava_<srivasta@debian.org>_Fri_Nov_21_03:17:12_2003_26704.0 ino=2512431:mtime=1101332924:size=995 | |
19 | x_Manoj_Srivastava_<srivasta@debian.org>_Fri_Nov__5_00:55:20_2004_9452.0 ino=2512442:mtime=1110665454:size=4173 | |
20 | x_Manoj_Srivastava_<srivasta@debian.org>_Fri_Nov__5_00:55:20_2004_9452.1 ino=2512441:mtime=1101326354:size=156 |
+22
-0
0 | A_./{arch}/.arch-project-tree ino=2575468:mtime=1099621862:size=52 | |
1 | A_./{arch}/=tagging-method ino=2575469:mtime=1099621862:size=6822 | |
2 | A_./{arch}/debian-dir/debian-dir--checkpolicy/debian-dir--checkpolicy--1.0/srivasta@debian.org--2003-primary/patch-log/base-0 ino=2840997:mtime=1099621862:size=724 | |
3 | A_./{arch}/debian-dir/debian-dir--checkpolicy/debian-dir--checkpolicy--1.0/srivasta@debian.org--2003-primary/patch-log/patch-1 ino=2840998:mtime=1099638143:size=520 | |
4 | A_./{arch}/debian-dir/debian-dir--checkpolicy/debian-dir--checkpolicy--1.0/srivasta@debian.org--2003-primary/patch-log/patch-2 ino=2840664:mtime=1101331965:size=405 | |
5 | A_./{arch}/debian-dir/debian-dir--checkpolicy/debian-dir--checkpolicy--1.0/srivasta@debian.org--2003-primary/patch-log/patch-3 ino=2834476:mtime=1105570059:size=558 | |
6 | A_./{arch}/debian-dir/debian-dir--checkpolicy/debian-dir--checkpolicy--1.0/srivasta@debian.org--2003-primary/patch-log/patch-4 ino=2834478:mtime=1105570293:size=354 | |
7 | A_./{arch}/debian-dir/debian-dir--checkpolicy/debian-dir--checkpolicy--1.0/srivasta@debian.org--2003-primary/patch-log/patch-5 ino=2836343:mtime=1110665499:size=366 | |
8 | A_./{arch}/debian-dir/debian-dir--checkpolicy/debian-dir--checkpolicy--1.0/srivasta@debian.org--2003-primary/patch-log/patch-6 ino=2836348:mtime=1110674562:size=389 | |
9 | A_./{arch}/debian-dir/debian-dir--skeleton/debian-dir--skeleton--1.0/srivasta@debian.org--2003-primary/patch-log/base-0 ino=2936449:mtime=1099621862:size=639 | |
10 | A_./{arch}/debian-dir/debian-dir--skeleton/debian-dir--skeleton--1.0/srivasta@debian.org--2003-primary/patch-log/patch-1 ino=2936450:mtime=1099621862:size=470 | |
11 | A_./{arch}/debian-dir/debian-dir--skeleton/debian-dir--skeleton--1.0/srivasta@debian.org--2003-primary/patch-log/patch-2 ino=2936451:mtime=1099621862:size=450 | |
12 | E_Manoj_Srivastava_<srivasta@debian.org>_Fri_Nov_21_03:17:12_2003_26704.0 ino=2562093:mtime=1099621862:size=72 | |
13 | E_Manoj_Srivastava_<srivasta@debian.org>_Fri_Nov__5_00:55:20_2004_9452.0 ino=2562094:mtime=1099637720:size=71 | |
14 | E_Manoj_Srivastava_<srivasta@debian.org>_Fri_Nov__5_00:55:20_2004_9452.1 ino=2562095:mtime=1099637720:size=71 | |
15 | i_1a76a87e-7af5-424a-a30d-61660c8f243e ino=2512433:mtime=1099637107:size=1547 | |
16 | i_9a5063f4-1e20-4fff-b22a-de94c1e3d954 ino=2512439:mtime=1099621862:size=1968 | |
17 | i_b07b1015-30ba-4b46-915f-78c776a808f4 ino=2512434:mtime=1110674518:size=2248 | |
18 | i_d4250e44-a0e0-4ee0-adb9-2bd74f6eeb27 ino=2512436:mtime=1101326660:size=1534 | |
19 | x_Manoj_Srivastava_<srivasta@debian.org>_Fri_Nov_21_03:17:12_2003_26704.0 ino=2512431:mtime=1101332924:size=995 | |
20 | x_Manoj_Srivastava_<srivasta@debian.org>_Fri_Nov__5_00:55:20_2004_9452.0 ino=2512442:mtime=1110665454:size=4173 | |
21 | x_Manoj_Srivastava_<srivasta@debian.org>_Fri_Nov__5_00:55:20_2004_9452.1 ino=2512441:mtime=1101326354:size=156 |
+10
-0
0 | Revision: debian-dir--checkpolicy--1.0--patch-5 | |
1 | Archive: srivasta@debian.org--2003-primary | |
2 | Creator: Manoj Srivastava <srivasta@debian.org> | |
3 | Date: Sat Mar 12 16:11:39 CST 2005 | |
4 | Standard-date: 2005-03-12 22:11:39 GMT | |
5 | Modified-files: changelog | |
6 | New-patches: srivasta@debian.org--2003-primary/debian-dir--checkpolicy--1.0--patch-5 | |
7 | Summary: New upstream release | |
8 | Keywords: | |
9 |
+10
-0
0 | Revision: debian-dir--checkpolicy--1.0--patch-6 | |
1 | Archive: srivasta@debian.org--2003-primary | |
2 | Creator: Manoj Srivastava <srivasta@debian.org> | |
3 | Date: Sat Mar 12 18:42:41 CST 2005 | |
4 | Standard-date: 2005-03-13 00:42:41 GMT | |
5 | Modified-files: local.mk | |
6 | New-patches: srivasta@debian.org--2003-primary/debian-dir--checkpolicy--1.0--patch-6 | |
7 | Summary: Fix in rules: we no longer have genpol users | |
8 | Keywords: | |
9 |
0 | /* | |
1 | * genpolusers inpolicy outpolicy users1 [users2 ... ] | |
2 | * | |
3 | * Given an existing binary policy configuration and a set of source users | |
4 | * configurations (post-processed), generate a new binary policy | |
5 | * configuration that is identical to the old one except that it has | |
6 | * the new user declarations. User declarations from the old binary | |
7 | * policy are replaced if they also exist in the new source users | |
8 | * configuration or removed otherwise. Special exceptions are made | |
9 | * for system_u and user_u, which can be replaced but not removed as | |
10 | * a safety against reloading a user configuration generated from | |
11 | * passwd information that would not include these special SELinux users. | |
12 | * This needs to be generalized in some manner. New users may also be | |
13 | * added by including them in the new source users configuration. | |
14 | */ | |
15 | ||
16 | #include <getopt.h> | |
17 | #include <unistd.h> | |
18 | #include <sys/types.h> | |
19 | #include <sys/stat.h> | |
20 | #include <fcntl.h> | |
21 | #include <stdio.h> | |
22 | #include <stdlib.h> | |
23 | #include <errno.h> | |
24 | #include <sys/mman.h> | |
25 | #include <sepol/policydb.h> | |
26 | #include <sepol/services.h> | |
27 | #include <sepol/conditional.h> | |
28 | #include "queue.h" | |
29 | #include "checkpolicy.h" | |
30 | ||
31 | extern policydb_t *policydbp; | |
32 | extern queue_t id_queue; | |
33 | extern unsigned int policydb_errors; | |
34 | ||
35 | extern FILE *yyin; | |
36 | extern int yyparse(void); | |
37 | extern void yyrestart(FILE *); | |
38 | ||
39 | void usage(char *progname) | |
40 | { | |
41 | printf("usage: %s inpolicy outpolicy users1 [users2 ...]\n", progname); | |
42 | exit(1); | |
43 | } | |
44 | ||
45 | /* Select users for removal based on whether they were defined in the | |
46 | new source users configuration. */ | |
47 | static int select_user(hashtab_key_t key, hashtab_datum_t datum, void *datap) | |
48 | { | |
49 | char *name = key; | |
50 | user_datum_t *usrdatum = datum; | |
51 | ||
52 | if (!usrdatum->defined) { | |
53 | /* XXX Hack: Don't accidentally remove SELinux-only users. */ | |
54 | if (!strcmp(name, "system_u") || !strcmp(name, "user_u")) { | |
55 | printf("Warning! %s not defined, but not removing.\n", name); | |
56 | return 0; | |
57 | } | |
58 | printf("Removing user %s\n", name); | |
59 | return 1; | |
60 | } | |
61 | return 0; | |
62 | } | |
63 | ||
64 | static struct ebitmap free_users; | |
65 | ||
66 | /* Kill the user entries selected by select_user, and | |
67 | record that their slots are free. */ | |
68 | void kill_user(hashtab_key_t key, hashtab_datum_t datum, void *p) | |
69 | { | |
70 | user_datum_t *usrdatum; | |
71 | struct policydb *pol = p; | |
72 | ||
73 | if (key) | |
74 | free(key); | |
75 | ||
76 | usrdatum = (user_datum_t *) datum; | |
77 | ebitmap_set_bit(&free_users, usrdatum->value - 1, 1); | |
78 | ||
79 | ebitmap_destroy(&usrdatum->roles); | |
80 | free(datum); | |
81 | pol->p_users.nprim--; | |
82 | } | |
83 | ||
84 | /* Fold user values down to avoid holes generated by removal. | |
85 | As the SID table is remapped by the kernel upon a policy reload, | |
86 | this is safe for existing SIDs. But it could be a problem for | |
87 | constraints if they refer to the particular user. */ | |
88 | int remap_users(hashtab_key_t key, hashtab_datum_t datum, void *p) | |
89 | { | |
90 | user_datum_t *usrdatum = datum; | |
91 | struct policydb *pol = p; | |
92 | int i; | |
93 | ||
94 | if (usrdatum->value > pol->p_users.nprim) { | |
95 | for (i = ebitmap_startbit(&free_users); i < ebitmap_length(&free_users); i++) { | |
96 | if (ebitmap_get_bit(&free_users, i)) { | |
97 | printf("Remapping user %s (%u -> %u)\n", key, usrdatum->value, i+1); | |
98 | usrdatum->value = i+1; | |
99 | ebitmap_set_bit(&free_users, i, 0); | |
100 | return 0; | |
101 | } | |
102 | } | |
103 | } | |
104 | return 0; | |
105 | } | |
106 | ||
107 | int main(int argc, char **argv) | |
108 | { | |
109 | policydb_t policydb; | |
110 | struct policy_file pf; | |
111 | struct stat sb; | |
112 | FILE *outfp; | |
113 | int fd, rc, i; | |
114 | void *map; | |
115 | ||
116 | if (argc < 4) | |
117 | usage(argv[0]); | |
118 | ||
119 | fd = open(argv[1], O_RDONLY); | |
120 | if (fd < 0) { | |
121 | fprintf(stderr, "Can't open '%s': %s\n", | |
122 | argv[1], strerror(errno)); | |
123 | exit(1); | |
124 | } | |
125 | if (fstat(fd, &sb) < 0) { | |
126 | fprintf(stderr, "Can't stat '%s': %s\n", | |
127 | argv[1], strerror(errno)); | |
128 | exit(1); | |
129 | } | |
130 | map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); | |
131 | if (map == MAP_FAILED) { | |
132 | fprintf(stderr, "Can't map '%s': %s\n", | |
133 | argv[1], strerror(errno)); | |
134 | exit(1); | |
135 | } | |
136 | pf.type = PF_USE_MEMORY; | |
137 | pf.data = map; | |
138 | pf.len = sb.st_size; | |
139 | if (policydb_read(&policydb,&pf, 0)) { | |
140 | fprintf(stderr, "Can't read binary policy from '%s': %s\n", | |
141 | argv[1], strerror(errno)); | |
142 | exit(1); | |
143 | } | |
144 | close(fd); | |
145 | ||
146 | /* Preserve the policy version of the original policy | |
147 | for the new policy. */ | |
148 | sepol_set_policyvers(policydb.policyvers); | |
149 | ||
150 | id_queue = queue_create(); | |
151 | if (!id_queue) { | |
152 | fprintf(stderr, "%s: out of memory\n", argv[0]); | |
153 | exit(1); | |
154 | } | |
155 | policydbp = &policydb; | |
156 | policydb_errors = 0; | |
157 | ||
158 | for (i = 3; i < argc; i++) { | |
159 | yyin = fopen(argv[i], "r"); | |
160 | if (!yyin) { | |
161 | fprintf(stderr, "%s: unable to open %s\n", argv[0], | |
162 | argv[i]); | |
163 | exit(1); | |
164 | } | |
165 | ||
166 | if (yyparse() || policydb_errors) { | |
167 | fprintf(stderr, "%s: error(s) encountered while parsing configuration %s\n", argv[0], argv[i]); | |
168 | exit(1); | |
169 | } | |
170 | } | |
171 | queue_destroy(id_queue); | |
172 | ||
173 | hashtab_map_remove_on_error(policydb.p_users.table, select_user, kill_user, &policydb); | |
174 | hashtab_map(policydb.p_users.table, remap_users, &policydb); | |
175 | ||
176 | outfp = fopen(argv[2], "w"); | |
177 | if (!outfp) { | |
178 | perror(argv[2]); | |
179 | exit(1); | |
180 | } | |
181 | pf.type = PF_USE_STDIO; | |
182 | pf.fp = outfp; | |
183 | rc = policydb_write(&policydb, &pf); | |
184 | if (rc) { | |
185 | fprintf(stderr, "%s: error writing %s\n", | |
186 | argv[0], argv[2]); | |
187 | exit(1); | |
188 | } | |
189 | fclose(outfp); | |
190 | exit(0); | |
191 | } |
2 | 2 | * Author : Stephen Smalley, <sds@epoch.ncsc.mil> |
3 | 3 | */ |
4 | 4 | |
5 | /* Updated: David Caplan, <dac@tresys.com> | |
5 | /* | |
6 | * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> | |
7 | * | |
8 | * Support for enhanced MLS infrastructure. | |
9 | * | |
10 | * Updated: David Caplan, <dac@tresys.com> | |
6 | 11 | * |
7 | 12 | * Added conditional policy language extensions |
8 | 13 | * |
14 | * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. | |
9 | 15 | * Copyright (C) 2003 - 2004 Tresys Technology, LLC |
10 | 16 | * This program is free software; you can redistribute it and/or modify |
11 | 17 | * it under the terms of the GNU General Public License as published by |
62 | 68 | static int define_sens(void); |
63 | 69 | static int define_dominance(void); |
64 | 70 | static int define_category(void); |
65 | static int define_level(void); | |
66 | static int define_common_base(void); | |
67 | static int define_av_base(void); | |
71 | static int define_level(int range); | |
68 | 72 | static int define_attrib(void); |
69 | 73 | static int define_typealias(void); |
70 | 74 | static int define_typeattribute(void); |
75 | 79 | static role_datum_t *merge_roles_dom(role_datum_t *r1,role_datum_t *r2); |
76 | 80 | static role_datum_t *define_role_dom(role_datum_t *r); |
77 | 81 | static int define_role_trans(void); |
82 | static int define_range_trans(void); | |
78 | 83 | static int define_role_allow(void); |
79 | 84 | static int define_constraint(constraint_expr_t *expr); |
85 | static int define_validatetrans(constraint_expr_t *expr); | |
80 | 86 | static int define_bool(); |
81 | 87 | static int define_conditional(cond_expr_t *expr,cond_av_list_t *t_list, cond_av_list_t *f_list ); |
82 | 88 | static cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void* arg2); |
108 | 114 | %type <ptr> cond_allow_def cond_auditallow_def cond_auditdeny_def cond_dontaudit_def |
109 | 115 | %type <ptr> cond_transition_def cond_te_avtab_def cond_rule_def |
110 | 116 | %type <ptr> role_def roles |
111 | %type <valptr> cexpr cexpr_prim op roleop | |
117 | %type <valptr> cexpr cexpr_prim op role_mls_op | |
112 | 118 | %type <val> ipv4_addr_def number |
113 | 119 | |
114 | 120 | %token PATH |
116 | 122 | %token COMMON |
117 | 123 | %token CLASS |
118 | 124 | %token CONSTRAIN |
125 | %token VALIDATETRANS | |
119 | 126 | %token INHERITS |
120 | 127 | %token SID |
121 | 128 | %token ROLE |
133 | 140 | %token TYPE_MEMBER |
134 | 141 | %token TYPE_CHANGE |
135 | 142 | %token ROLE_TRANSITION |
143 | %token RANGE_TRANSITION | |
136 | 144 | %token SENSITIVITY |
137 | 145 | %token DOMINANCE |
138 | 146 | %token DOM DOMBY INCOMP |
139 | 147 | %token CATEGORY |
140 | 148 | %token LEVEL |
141 | %token RANGES | |
149 | %token RANGE | |
150 | %token MLSCONSTRAIN | |
151 | %token MLSVALIDATETRANS | |
142 | 152 | %token USER |
143 | 153 | %token NEVERALLOW |
144 | 154 | %token ALLOW |
151 | 161 | %token FSCON PORTCON NETIFCON NODECON |
152 | 162 | %token FSUSEXATTR FSUSETASK FSUSETRANS |
153 | 163 | %token GENFSCON |
154 | %token U1 U2 R1 R2 T1 T2 | |
164 | %token U1 U2 U3 R1 R2 R3 T1 T2 T3 L1 L2 H1 H2 | |
155 | 165 | %token NOT AND OR XOR |
156 | 166 | %token CTRUE CFALSE |
157 | 167 | %token IDENTIFIER |
210 | 220 | opt_mls : mls |
211 | 221 | | |
212 | 222 | ; |
213 | mls : sensitivities dominance opt_categories levels base_perms | |
223 | mls : sensitivities dominance opt_categories levels mlspolicy | |
214 | 224 | ; |
215 | 225 | sensitivities : sensitivity_def |
216 | 226 | | sensitivities sensitivity_def |
241 | 251 | levels : level_def |
242 | 252 | | levels level_def |
243 | 253 | ; |
244 | level_def : LEVEL identifier ':' id_comma_list ';' | |
245 | {if (define_level()) return -1;} | |
254 | level_def : LEVEL identifier ':' identifier '.' identifier ';' | |
255 | {if (define_level(1)) return -1;} | |
256 | | LEVEL identifier ':' id_comma_list ';' | |
257 | {if (define_level(0)) return -1;} | |
246 | 258 | | LEVEL identifier ';' |
247 | {if (define_level()) return -1;} | |
248 | ; | |
249 | base_perms : opt_common_base av_base | |
250 | ; | |
251 | opt_common_base : common_base | |
252 | | | |
253 | ; | |
254 | common_base : common_base_def | |
255 | | common_base common_base_def | |
256 | ; | |
257 | common_base_def : COMMON identifier '{' perm_base_list '}' | |
258 | {if (define_common_base()) return -1;} | |
259 | ; | |
260 | av_base : av_base_def | |
261 | | av_base av_base_def | |
262 | ; | |
263 | av_base_def : CLASS identifier '{' perm_base_list '}' | |
264 | {if (define_av_base()) return -1;} | |
265 | | CLASS identifier | |
266 | {if (define_av_base()) return -1;} | |
267 | ; | |
268 | perm_base_list : perm_base | |
269 | | perm_base_list perm_base | |
270 | ; | |
271 | perm_base : identifier ':' identifier | |
272 | {if (insert_separator(0)) return -1;} | |
273 | | identifier ':' '{' identifier_list '}' | |
274 | {if (insert_separator(0)) return -1;} | |
259 | {if (define_level(0)) return -1;} | |
260 | ; | |
261 | mlspolicy : mlspolicy_decl | |
262 | | mlspolicy mlspolicy_decl | |
263 | ; | |
264 | mlspolicy_decl : mlsconstraint_def | |
265 | | mlsvalidatetrans_def | |
266 | ; | |
267 | mlsconstraint_def : MLSCONSTRAIN names names cexpr ';' | |
268 | { if (define_constraint((constraint_expr_t*)$4)) return -1; } | |
269 | ; | |
270 | mlsvalidatetrans_def : MLSVALIDATETRANS names cexpr ';' | |
271 | { if (define_validatetrans((constraint_expr_t*)$3)) return -1; } | |
275 | 272 | ; |
276 | 273 | te_rbac : te_rbac_decl |
277 | 274 | | te_rbac te_rbac_decl |
291 | 288 | | typeattribute_def |
292 | 289 | | bool_def |
293 | 290 | | transition_def |
291 | | range_trans_def | |
294 | 292 | | te_avtab_def |
295 | 293 | | cond_stmt_def |
296 | 294 | ; |
411 | 409 | | TYPE_CHANGE names names ':' names identifier ';' |
412 | 410 | {if (define_compute_type(AVTAB_CHANGE)) return -1;} |
413 | 411 | ; |
412 | range_trans_def : RANGE_TRANSITION names names mls_range_def ';' | |
413 | { if (define_range_trans()) return -1; } | |
414 | ; | |
414 | 415 | te_avtab_def : allow_def |
415 | 416 | | auditallow_def |
416 | 417 | | auditdeny_def |
456 | 457 | opt_constraints : constraints |
457 | 458 | | |
458 | 459 | ; |
459 | constraints : constraint_def | |
460 | | constraints constraint_def | |
460 | constraints : constraint_decl | |
461 | | constraints constraint_decl | |
462 | ; | |
463 | constraint_decl : constraint_def | |
464 | | validatetrans_def | |
461 | 465 | ; |
462 | 466 | constraint_def : CONSTRAIN names names cexpr ';' |
463 | 467 | { if (define_constraint((constraint_expr_t*)$4)) return -1; } |
468 | ; | |
469 | validatetrans_def : VALIDATETRANS names cexpr ';' | |
470 | { if (define_validatetrans((constraint_expr_t*)$3)) return -1; } | |
464 | 471 | ; |
465 | 472 | cexpr : '(' cexpr ')' |
466 | 473 | { $$ = $2; } |
479 | 486 | cexpr_prim : U1 op U2 |
480 | 487 | { $$ = define_cexpr(CEXPR_ATTR, CEXPR_USER, $2); |
481 | 488 | if ($$ == 0) return -1; } |
482 | | R1 roleop R2 | |
489 | | R1 role_mls_op R2 | |
483 | 490 | { $$ = define_cexpr(CEXPR_ATTR, CEXPR_ROLE, $2); |
484 | 491 | if ($$ == 0) return -1; } |
485 | 492 | | T1 op T2 |
491 | 498 | | U2 op { if (insert_separator(1)) return -1; } user_names_push |
492 | 499 | { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_TARGET), $2); |
493 | 500 | if ($$ == 0) return -1; } |
501 | | U3 op { if (insert_separator(1)) return -1; } user_names_push | |
502 | { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_XTARGET), $2); | |
503 | if ($$ == 0) return -1; } | |
494 | 504 | | R1 op { if (insert_separator(1)) return -1; } names_push |
495 | 505 | { $$ = define_cexpr(CEXPR_NAMES, CEXPR_ROLE, $2); |
496 | 506 | if ($$ == 0) return -1; } |
497 | 507 | | R2 op { if (insert_separator(1)) return -1; } names_push |
498 | 508 | { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_ROLE | CEXPR_TARGET), $2); |
499 | 509 | if ($$ == 0) return -1; } |
510 | | R3 op { if (insert_separator(1)) return -1; } names_push | |
511 | { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_ROLE | CEXPR_XTARGET), $2); | |
512 | if ($$ == 0) return -1; } | |
500 | 513 | | T1 op { if (insert_separator(1)) return -1; } names_push |
501 | 514 | { $$ = define_cexpr(CEXPR_NAMES, CEXPR_TYPE, $2); |
502 | 515 | if ($$ == 0) return -1; } |
503 | 516 | | T2 op { if (insert_separator(1)) return -1; } names_push |
504 | 517 | { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_TYPE | CEXPR_TARGET), $2); |
518 | if ($$ == 0) return -1; } | |
519 | | T3 op { if (insert_separator(1)) return -1; } names_push | |
520 | { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_TYPE | CEXPR_XTARGET), $2); | |
505 | 521 | if ($$ == 0) return -1; } |
506 | 522 | | SAMEUSER |
507 | 523 | { $$ = define_cexpr(CEXPR_ATTR, CEXPR_USER, CEXPR_EQ); |
512 | 528 | | TARGET ROLE { if (insert_separator(1)) return -1; } names_push |
513 | 529 | { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_ROLE | CEXPR_TARGET), CEXPR_EQ); |
514 | 530 | if ($$ == 0) return -1; } |
515 | | ROLE roleop | |
531 | | ROLE role_mls_op | |
516 | 532 | { $$ = define_cexpr(CEXPR_ATTR, CEXPR_ROLE, $2); |
517 | 533 | if ($$ == 0) return -1; } |
518 | 534 | | SOURCE TYPE { if (insert_separator(1)) return -1; } names_push |
521 | 537 | | TARGET TYPE { if (insert_separator(1)) return -1; } names_push |
522 | 538 | { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_TYPE | CEXPR_TARGET), CEXPR_EQ); |
523 | 539 | if ($$ == 0) return -1; } |
540 | | L1 role_mls_op L2 | |
541 | { $$ = define_cexpr(CEXPR_ATTR, CEXPR_L1L2, $2); | |
542 | if ($$ == 0) return -1; } | |
543 | | L1 role_mls_op H2 | |
544 | { $$ = define_cexpr(CEXPR_ATTR, CEXPR_L1H2, $2); | |
545 | if ($$ == 0) return -1; } | |
546 | | H1 role_mls_op L2 | |
547 | { $$ = define_cexpr(CEXPR_ATTR, CEXPR_H1L2, $2); | |
548 | if ($$ == 0) return -1; } | |
549 | | H1 role_mls_op H2 | |
550 | { $$ = define_cexpr(CEXPR_ATTR, CEXPR_H1H2, $2); | |
551 | if ($$ == 0) return -1; } | |
552 | | L1 role_mls_op H1 | |
553 | { $$ = define_cexpr(CEXPR_ATTR, CEXPR_L1H1, $2); | |
554 | if ($$ == 0) return -1; } | |
555 | | L2 role_mls_op H2 | |
556 | { $$ = define_cexpr(CEXPR_ATTR, CEXPR_L2H2, $2); | |
557 | if ($$ == 0) return -1; } | |
524 | 558 | ; |
525 | 559 | op : EQUALS |
526 | 560 | { $$ = CEXPR_EQ; } |
527 | 561 | | NOTEQUAL |
528 | 562 | { $$ = CEXPR_NEQ; } |
529 | 563 | ; |
530 | roleop : op | |
564 | role_mls_op : op | |
531 | 565 | { $$ = $1; } |
532 | 566 | | DOM |
533 | 567 | { $$ = CEXPR_DOM; } |
542 | 576 | user_id : identifier |
543 | 577 | | user_identifier |
544 | 578 | ; |
545 | user_def : USER user_id ROLES names opt_user_ranges ';' | |
579 | user_def : USER user_id ROLES names opt_mls_user ';' | |
546 | 580 | {if (define_user()) return -1;} |
547 | 581 | ; |
548 | opt_user_ranges : RANGES user_ranges | |
582 | opt_mls_user : LEVEL mls_level_def RANGE mls_range_def | |
549 | 583 | | |
550 | ; | |
551 | user_ranges : mls_range_def | |
552 | | '{' user_range_def_list '}' | |
553 | ; | |
554 | user_range_def_list : mls_range_def | |
555 | | user_range_def_list mls_range_def | |
556 | 584 | ; |
557 | 585 | initial_sid_contexts : initial_sid_context_def |
558 | 586 | | initial_sid_contexts initial_sid_context_def |
647 | 675 | | mls_level_def |
648 | 676 | {if (insert_separator(0)) return -1;} |
649 | 677 | ; |
650 | mls_level_def : identifier ':' id_comma_list | |
678 | mls_level_def : identifier ':' cat_comma_list | |
651 | 679 | {if (insert_separator(0)) return -1;} |
652 | 680 | | identifier |
653 | 681 | {if (insert_separator(0)) return -1;} |
654 | 682 | ; |
683 | cat_comma_list : cat_range | |
684 | | cat_comma_list ',' cat_range | |
685 | ; | |
686 | cat_range : identifier | |
687 | | identifier '.' identifier | |
688 | { if (insert_id("MLS_CAT_RANGE",0)) return -1; } | |
689 | ; | |
655 | 690 | id_comma_list : identifier |
656 | 691 | | id_comma_list ',' identifier |
657 | 692 | ; |
926 | 961 | memset(perdatum, 0, sizeof(perm_datum_t)); |
927 | 962 | perdatum->value = ++comdatum->permissions.nprim; |
928 | 963 | |
929 | #ifdef CONFIG_SECURITY_SELINUX_MLS | |
930 | /* | |
931 | * By default, we set all four base permissions on this | |
932 | * permission. This means that if base_permissions is not | |
933 | * explicitly defined for this permission, then this | |
934 | * permission will only be granted in the equivalent case. | |
935 | */ | |
936 | perdatum->base_perms = MLS_BASE_READ | MLS_BASE_WRITE | | |
937 | MLS_BASE_READBY | MLS_BASE_WRITEBY; | |
938 | #endif | |
939 | ||
940 | if (perdatum->value >= (sizeof(access_vector_t) * 8)) { | |
964 | if (perdatum->value > (sizeof(access_vector_t) * 8)) { | |
941 | 965 | yyerror("too many permissions to fit in an access vector"); |
942 | 966 | goto bad_perm; |
943 | 967 | } |
1044 | 1068 | memset(perdatum, 0, sizeof(perm_datum_t)); |
1045 | 1069 | perdatum->value = ++cladatum->permissions.nprim; |
1046 | 1070 | |
1047 | #ifdef CONFIG_SECURITY_SELINUX_MLS | |
1048 | /* | |
1049 | * By default, we set all four base permissions on this | |
1050 | * permission. This means that if base_permissions is not | |
1051 | * explicitly defined for this permission, then this | |
1052 | * permission will only be granted in the equivalent case. | |
1053 | */ | |
1054 | perdatum->base_perms = MLS_BASE_READ | MLS_BASE_WRITE | | |
1055 | MLS_BASE_READBY | MLS_BASE_WRITEBY; | |
1056 | /* actual value set in define_av_base */ | |
1057 | #endif | |
1058 | ||
1059 | if (perdatum->value >= (sizeof(access_vector_t) * 8)) { | |
1071 | if (perdatum->value > (sizeof(access_vector_t) * 8)) { | |
1060 | 1072 | yyerror("too many permissions to fit in an access vector"); |
1061 | 1073 | goto bad; |
1062 | 1074 | } |
1102 | 1114 | |
1103 | 1115 | static int define_sens(void) |
1104 | 1116 | { |
1105 | #ifdef CONFIG_SECURITY_SELINUX_MLS | |
1106 | 1117 | char *id; |
1107 | 1118 | mls_level_t *level = 0; |
1108 | 1119 | level_datum_t *datum = 0, *aliasdatum = 0; |
1109 | 1120 | int ret; |
1110 | 1121 | |
1122 | if (!mlspol) { | |
1123 | yyerror("sensitivity definition in non-MLS configuration"); | |
1124 | return -1; | |
1125 | } | |
1111 | 1126 | |
1112 | 1127 | if (pass == 2) { |
1113 | 1128 | while ((id = queue_remove(id_queue))) |
1194 | 1209 | if (aliasdatum) |
1195 | 1210 | free(aliasdatum); |
1196 | 1211 | return -1; |
1197 | #else | |
1198 | yyerror("sensitivity definition in non-MLS configuration"); | |
1199 | return -1; | |
1200 | #endif | |
1201 | 1212 | } |
1202 | 1213 | |
1203 | 1214 | static int define_dominance(void) |
1204 | 1215 | { |
1205 | #ifdef CONFIG_SECURITY_SELINUX_MLS | |
1206 | 1216 | level_datum_t *datum; |
1207 | 1217 | int order; |
1208 | 1218 | char *id; |
1219 | ||
1220 | if (!mlspol) { | |
1221 | yyerror("dominance definition in non-MLS configuration"); | |
1222 | return -1; | |
1223 | } | |
1209 | 1224 | |
1210 | 1225 | if (pass == 2) { |
1211 | 1226 | while ((id = queue_remove(id_queue))) |
1240 | 1255 | return -1; |
1241 | 1256 | } |
1242 | 1257 | return 0; |
1243 | #else | |
1244 | yyerror("dominance definition in non-MLS configuration"); | |
1245 | return -1; | |
1246 | #endif | |
1247 | 1258 | } |
1248 | 1259 | |
1249 | 1260 | static int define_category(void) |
1250 | 1261 | { |
1251 | #ifdef CONFIG_SECURITY_SELINUX_MLS | |
1252 | 1262 | char *id; |
1253 | 1263 | cat_datum_t *datum = 0, *aliasdatum = 0; |
1254 | 1264 | int ret; |
1265 | ||
1266 | if (!mlspol) { | |
1267 | yyerror("category definition in non-MLS configuration"); | |
1268 | return -1; | |
1269 | } | |
1255 | 1270 | |
1256 | 1271 | if (pass == 2) { |
1257 | 1272 | while ((id = queue_remove(id_queue))) |
1326 | 1341 | if (aliasdatum) |
1327 | 1342 | free(aliasdatum); |
1328 | 1343 | return -1; |
1329 | #else | |
1330 | yyerror("category definition in non-MLS configuration"); | |
1331 | return -1; | |
1332 | #endif | |
1333 | } | |
1334 | ||
1335 | ||
1336 | static int define_level(void) | |
1337 | { | |
1338 | #ifdef CONFIG_SECURITY_SELINUX_MLS | |
1339 | int n; | |
1344 | } | |
1345 | ||
1346 | ||
1347 | static int define_level(int range) | |
1348 | { | |
1349 | int i; | |
1340 | 1350 | char *id, *levid; |
1341 | 1351 | level_datum_t *levdatum; |
1342 | cat_datum_t *catdatum; | |
1343 | ||
1352 | cat_datum_t *catdatum = NULL; | |
1353 | cat_datum_t *catdatum_r = NULL; | |
1354 | ||
1355 | if (!mlspol) { | |
1356 | yyerror("level definition in non-MLS configuration"); | |
1357 | return -1; | |
1358 | } | |
1344 | 1359 | |
1345 | 1360 | if (pass == 2) { |
1346 | 1361 | while ((id = queue_remove(id_queue))) |
1368 | 1383 | return -1; |
1369 | 1384 | } |
1370 | 1385 | levid = id; |
1371 | n = 1; | |
1386 | ||
1372 | 1387 | while ((id = queue_remove(id_queue))) { |
1373 | catdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table, | |
1374 | (hashtab_key_t) id); | |
1388 | catdatum =(cat_datum_t *)hashtab_search(policydbp->p_cats.table, | |
1389 | (hashtab_key_t) id); | |
1375 | 1390 | if (!catdatum) { |
1376 | 1391 | sprintf(errormsg, "unknown category %s used in level definition", id); |
1377 | 1392 | yyerror(errormsg); |
1387 | 1402 | /* no need to keep category name */ |
1388 | 1403 | free(id); |
1389 | 1404 | |
1390 | n = n * 2; | |
1405 | if (range) | |
1406 | break; | |
1407 | } | |
1408 | ||
1409 | if (range) | |
1410 | { | |
1411 | id = queue_remove(id_queue); | |
1412 | catdatum_r =(cat_datum_t *)hashtab_search( | |
1413 | policydbp->p_cats.table, | |
1414 | (hashtab_key_t) id); | |
1415 | if (!catdatum_r) { | |
1416 | sprintf(errormsg, | |
1417 | "unknown category %s used in level definition", | |
1418 | id); | |
1419 | yyerror(errormsg); | |
1420 | free(levid); | |
1421 | free(id); | |
1422 | return -1; | |
1423 | } | |
1424 | if (catdatum_r->value < catdatum->value) | |
1425 | { | |
1426 | yyerror("category range is negative"); | |
1427 | free(levid); | |
1428 | free(id); | |
1429 | return -1; | |
1430 | } | |
1431 | ||
1432 | for (i = catdatum->value; i < catdatum_r->value; i++) | |
1433 | { | |
1434 | if (ebitmap_set_bit(&levdatum->level->cat, i, TRUE)) { | |
1435 | yyerror("out of memory"); | |
1436 | free(id); | |
1437 | free(levid); | |
1438 | return -1; | |
1439 | } | |
1440 | } | |
1391 | 1441 | } |
1392 | 1442 | |
1393 | 1443 | free(levid); |
1394 | 1444 | |
1395 | policydbp->nlevels += n; | |
1396 | ||
1397 | 1445 | return 0; |
1398 | #else | |
1399 | yyerror("level definition in non-MLS configuration"); | |
1400 | return -1; | |
1401 | #endif | |
1402 | } | |
1403 | ||
1404 | ||
1405 | static int define_common_base(void) | |
1406 | { | |
1407 | #ifdef CONFIG_SECURITY_SELINUX_MLS | |
1408 | char *id, *perm, *base; | |
1409 | common_datum_t *comdatum; | |
1410 | perm_datum_t *perdatum; | |
1411 | ||
1412 | ||
1413 | if (pass == 2) { | |
1414 | id = queue_remove(id_queue); free(id); | |
1415 | while ((id = queue_remove(id_queue))) { | |
1416 | free(id); | |
1417 | while ((id = queue_remove(id_queue))) { | |
1418 | free(id); | |
1419 | } | |
1420 | } | |
1421 | return 0; | |
1422 | } | |
1423 | ||
1424 | id = (char *) queue_remove(id_queue); | |
1425 | if (!id) { | |
1426 | yyerror("no common name for common base definition?"); | |
1427 | return -1; | |
1428 | } | |
1429 | comdatum = (common_datum_t *) hashtab_search(policydbp->p_commons.table, | |
1430 | (hashtab_key_t) id); | |
1431 | if (!comdatum) { | |
1432 | sprintf(errormsg, "common %s is not defined", id); | |
1433 | yyerror(errormsg); | |
1434 | free(id); | |
1435 | return -1; | |
1436 | } | |
1437 | while ((perm = queue_remove(id_queue))) { | |
1438 | perdatum = (perm_datum_t *) hashtab_search(comdatum->permissions.table, | |
1439 | (hashtab_key_t) perm); | |
1440 | if (!perdatum) { | |
1441 | sprintf(errormsg, "permission %s is not defined for common %s", perm, id); | |
1442 | yyerror(errormsg); | |
1443 | free(id); | |
1444 | free(perm); | |
1445 | return -1; | |
1446 | } | |
1447 | ||
1448 | /* | |
1449 | * An explicit definition of base_permissions for this | |
1450 | * permission. Reset the value to zero. | |
1451 | */ | |
1452 | perdatum->base_perms = 0; | |
1453 | ||
1454 | while ((base = queue_remove(id_queue))) { | |
1455 | if (!strcmp(base, "read")) | |
1456 | perdatum->base_perms |= MLS_BASE_READ; | |
1457 | else if (!strcmp(base, "write")) | |
1458 | perdatum->base_perms |= MLS_BASE_WRITE; | |
1459 | else if (!strcmp(base, "readby")) | |
1460 | perdatum->base_perms |= MLS_BASE_READBY; | |
1461 | else if (!strcmp(base, "writeby")) | |
1462 | perdatum->base_perms |= MLS_BASE_WRITEBY; | |
1463 | else if (strcmp(base, "none")) { | |
1464 | sprintf(errormsg, "base permission %s is not defined", base); | |
1465 | yyerror(errormsg); | |
1466 | free(base); | |
1467 | return -1; | |
1468 | } | |
1469 | free(base); | |
1470 | } | |
1471 | ||
1472 | free(perm); | |
1473 | } | |
1474 | ||
1475 | free(id); | |
1476 | ||
1477 | return 0; | |
1478 | #else | |
1479 | yyerror("MLS base permission definition in non-MLS configuration"); | |
1480 | return -1; | |
1481 | #endif | |
1482 | } | |
1483 | ||
1484 | ||
1485 | #ifdef CONFIG_SECURITY_SELINUX_MLS | |
1486 | static int common_base_set(hashtab_key_t key, hashtab_datum_t datum, void *p) | |
1487 | { | |
1488 | perm_datum_t *perdatum; | |
1489 | class_datum_t *cladatum; | |
1490 | ||
1491 | perdatum = (perm_datum_t *) datum; | |
1492 | cladatum = (class_datum_t *) p; | |
1493 | ||
1494 | if (perdatum->base_perms & MLS_BASE_READ) | |
1495 | cladatum->mlsperms.read |= (1 << (perdatum->value - 1)); | |
1496 | ||
1497 | if (perdatum->base_perms & MLS_BASE_WRITE) | |
1498 | cladatum->mlsperms.write |= (1 << (perdatum->value - 1)); | |
1499 | ||
1500 | if (perdatum->base_perms & MLS_BASE_READBY) | |
1501 | cladatum->mlsperms.readby |= (1 << (perdatum->value - 1)); | |
1502 | ||
1503 | if (perdatum->base_perms & MLS_BASE_WRITEBY) | |
1504 | cladatum->mlsperms.writeby |= (1 << (perdatum->value - 1)); | |
1505 | ||
1506 | return 0; | |
1507 | } | |
1508 | #endif | |
1509 | ||
1510 | static int define_av_base(void) | |
1511 | { | |
1512 | #ifdef CONFIG_SECURITY_SELINUX_MLS | |
1513 | char *id, *base; | |
1514 | class_datum_t *cladatum; | |
1515 | perm_datum_t *perdatum; | |
1516 | ||
1517 | if (pass == 2) { | |
1518 | id = queue_remove(id_queue); free(id); | |
1519 | while ((id = queue_remove(id_queue))) { | |
1520 | free(id); | |
1521 | while ((id = queue_remove(id_queue))) { | |
1522 | free(id); | |
1523 | } | |
1524 | } | |
1525 | return 0; | |
1526 | } | |
1527 | ||
1528 | id = (char *) queue_remove(id_queue); | |
1529 | if (!id) { | |
1530 | yyerror("no tclass name for av base definition?"); | |
1531 | return -1; | |
1532 | } | |
1533 | cladatum = (class_datum_t *) hashtab_search(policydbp->p_classes.table, | |
1534 | (hashtab_key_t) id); | |
1535 | if (!cladatum) { | |
1536 | sprintf(errormsg, "class %s is not defined", id); | |
1537 | yyerror(errormsg); | |
1538 | free(id); | |
1539 | return -1; | |
1540 | } | |
1541 | free(id); | |
1542 | ||
1543 | /* | |
1544 | * Determine which common permissions should be included in each MLS | |
1545 | * vector for this access vector definition. | |
1546 | */ | |
1547 | if (cladatum->comdatum) | |
1548 | hashtab_map(cladatum->comdatum->permissions.table, common_base_set, cladatum); | |
1549 | ||
1550 | while ((id = queue_remove(id_queue))) { | |
1551 | perdatum = (perm_datum_t *) hashtab_search(cladatum->permissions.table, | |
1552 | (hashtab_key_t) id); | |
1553 | if (!perdatum) { | |
1554 | sprintf(errormsg, "permission %s is not defined", id); | |
1555 | yyerror(errormsg); | |
1556 | free(id); | |
1557 | return -1; | |
1558 | } | |
1559 | /* | |
1560 | * An explicit definition of base_permissions for this | |
1561 | * permission. Reset the value to zero. | |
1562 | */ | |
1563 | perdatum->base_perms = 0; | |
1564 | ||
1565 | while ((base = queue_remove(id_queue))) { | |
1566 | if (!strcmp(base, "read")) { | |
1567 | perdatum->base_perms |= MLS_BASE_READ; | |
1568 | } else if (!strcmp(base, "write")) { | |
1569 | perdatum->base_perms |= MLS_BASE_WRITE; | |
1570 | } else if (!strcmp(base, "readby")) { | |
1571 | perdatum->base_perms |= MLS_BASE_READBY; | |
1572 | } else if (!strcmp(base, "writeby")) { | |
1573 | perdatum->base_perms |= MLS_BASE_WRITEBY; | |
1574 | } else if (strcmp(base, "none")) { | |
1575 | sprintf(errormsg, "base permission %s is not defined", base); | |
1576 | yyerror(errormsg); | |
1577 | free(base); | |
1578 | continue; | |
1579 | } | |
1580 | free(base); | |
1581 | } | |
1582 | ||
1583 | free(id); | |
1584 | } | |
1585 | ||
1586 | /* Set MLS base permission masks */ | |
1587 | hashtab_map(cladatum->permissions.table, common_base_set, cladatum); | |
1588 | ||
1589 | return 0; | |
1590 | #else | |
1591 | yyerror("MLS base permission definition in non-MLS configuration"); | |
1592 | return -1; | |
1593 | #endif | |
1594 | 1446 | } |
1595 | 1447 | |
1596 | 1448 | static int define_attrib(void) |
1690 | 1542 | return 0; |
1691 | 1543 | } |
1692 | 1544 | |
1693 | #ifdef CONFIG_SECURITY_SELINUX_MLS | |
1694 | static int handle_mls_attributes(char *id, unsigned int value) | |
1695 | { | |
1696 | if (!strcmp(id, "mlstrustedreader")) { | |
1697 | if (ebitmap_set_bit(&policydbp->trustedreaders, value, TRUE)) { | |
1698 | return -1; | |
1699 | } | |
1700 | } else if (!strcmp(id, "mlstrustedwriter")) { | |
1701 | if (ebitmap_set_bit(&policydbp->trustedwriters, value, TRUE)) { | |
1702 | return -1; | |
1703 | } | |
1704 | } else if (!strcmp(id, "mlstrustedobject")) { | |
1705 | if (ebitmap_set_bit(&policydbp->trustedobjects, value, TRUE)) { | |
1706 | return -1; | |
1707 | } | |
1708 | } | |
1709 | return 0; | |
1710 | } | |
1711 | #else /* CONFIG_SECURITY_SELINUX_MLS */ | |
1712 | #define handle_mls_attributes(id, value) 0 | |
1713 | #endif /* CONFIG_SECURITY_SELINUX_MLS */ | |
1714 | ||
1715 | 1545 | static int define_typeattribute(void) |
1716 | 1546 | { |
1717 | 1547 | char *id; |
1738 | 1568 | } |
1739 | 1569 | |
1740 | 1570 | while ((id = queue_remove(id_queue))) { |
1741 | if (handle_mls_attributes(id, (t->value - 1))) { | |
1742 | yyerror("out of memory"); | |
1743 | free(id); | |
1744 | return -1; | |
1745 | } | |
1746 | 1571 | attr = hashtab_search(policydbp->p_types.table, id); |
1747 | 1572 | if (!attr) { |
1748 | 1573 | sprintf(errormsg, "attribute %s is not declared", id); |
1851 | 1676 | } |
1852 | 1677 | |
1853 | 1678 | while ((id = queue_remove(id_queue))) { |
1854 | if (handle_mls_attributes(id, (datum->value - 1))) { | |
1855 | yyerror("out of memory"); | |
1856 | free(id); | |
1857 | return -1; | |
1858 | } | |
1859 | 1679 | attr = hashtab_search(policydbp->p_types.table, id); |
1860 | 1680 | if (!attr) { |
1861 | 1681 | sprintf(errormsg, "attribute %s is not declared", id); |
3374 | 3194 | break; |
3375 | 3195 | case CEXPR_ATTR: |
3376 | 3196 | case CEXPR_NAMES: |
3197 | if (e->attr & CEXPR_XTARGET) { | |
3198 | yyerror("illegal constraint expression"); | |
3199 | return -1; /* only for validatetrans rules */ | |
3200 | } | |
3377 | 3201 | if (depth == (CEXPR_MAXDEPTH-1)) { |
3378 | 3202 | yyerror("constraint expression is too deep"); |
3379 | 3203 | return -1; |
3453 | 3277 | |
3454 | 3278 | return 0; |
3455 | 3279 | } |
3280 | ||
3281 | static int define_validatetrans(constraint_expr_t *expr) | |
3282 | { | |
3283 | struct constraint_node *node; | |
3284 | char *id; | |
3285 | class_datum_t *cladatum; | |
3286 | ebitmap_t classmap; | |
3287 | constraint_expr_t *e; | |
3288 | int depth; | |
3289 | ||
3290 | if (pass == 1) { | |
3291 | while ((id = queue_remove(id_queue))) | |
3292 | free(id); | |
3293 | return 0; | |
3294 | } | |
3295 | ||
3296 | depth = -1; | |
3297 | for (e = expr; e; e = e->next) { | |
3298 | switch (e->expr_type) { | |
3299 | case CEXPR_NOT: | |
3300 | if (depth < 0) { | |
3301 | yyerror("illegal validatetrans expression"); | |
3302 | return -1; | |
3303 | } | |
3304 | break; | |
3305 | case CEXPR_AND: | |
3306 | case CEXPR_OR: | |
3307 | if (depth < 1) { | |
3308 | yyerror("illegal validatetrans expression"); | |
3309 | return -1; | |
3310 | } | |
3311 | depth--; | |
3312 | break; | |
3313 | case CEXPR_ATTR: | |
3314 | case CEXPR_NAMES: | |
3315 | if (depth == (CEXPR_MAXDEPTH - 1)) { | |
3316 | yyerror("validatetrans expression is too deep"); | |
3317 | return -1; | |
3318 | } | |
3319 | depth++; | |
3320 | break; | |
3321 | default: | |
3322 | yyerror("illegal validatetrans expression"); | |
3323 | return -1; | |
3324 | } | |
3325 | } | |
3326 | if (depth != 0) { | |
3327 | yyerror("illegal validatetrans expression"); | |
3328 | return -1; | |
3329 | } | |
3330 | ||
3331 | ebitmap_init(&classmap); | |
3332 | while ((id = queue_remove(id_queue))) { | |
3333 | cladatum = (class_datum_t *)hashtab_search(policydbp->p_classes.table, (hashtab_key_t)id); | |
3334 | if (!cladatum) { | |
3335 | sprintf(errormsg, "class %s is not defined", id); | |
3336 | ebitmap_destroy(&classmap); | |
3337 | yyerror(errormsg); | |
3338 | free(id); | |
3339 | return -1; | |
3340 | } | |
3341 | if (ebitmap_set_bit(&classmap, (cladatum->value - 1), TRUE)) { | |
3342 | yyerror("out of memory"); | |
3343 | ebitmap_destroy(&classmap); | |
3344 | free(id); | |
3345 | return -1; | |
3346 | } | |
3347 | ||
3348 | node = malloc(sizeof(struct constraint_node)); | |
3349 | if (!node) { | |
3350 | yyerror("out of memory"); | |
3351 | return -1; | |
3352 | } | |
3353 | memset(node, 0, sizeof(constraint_node_t)); | |
3354 | node->expr = expr; | |
3355 | node->permissions = 0; | |
3356 | ||
3357 | node->next = cladatum->validatetrans; | |
3358 | cladatum->validatetrans = node; | |
3359 | ||
3360 | free(id); | |
3361 | } | |
3362 | ||
3363 | ebitmap_destroy(&classmap); | |
3364 | ||
3365 | return 0; | |
3366 | } | |
3367 | ||
3456 | 3368 | |
3457 | 3369 | static uintptr_t |
3458 | 3370 | define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2) |
3965 | 3877 | char *id; |
3966 | 3878 | user_datum_t *usrdatum; |
3967 | 3879 | int ret; |
3968 | #ifdef CONFIG_SECURITY_SELINUX_MLS | |
3969 | mls_range_list_t *rnode; | |
3970 | 3880 | level_datum_t *levdatum; |
3971 | cat_datum_t *catdatum; | |
3972 | int relation, l; | |
3881 | cat_datum_t *catdatum = NULL; | |
3882 | cat_datum_t *catdatum_r = NULL; | |
3883 | int l, i; | |
3973 | 3884 | char *levid; |
3974 | #endif | |
3975 | 3885 | |
3976 | 3886 | if (pass == 1) { |
3977 | 3887 | while ((id = queue_remove(id_queue))) |
3978 | 3888 | free(id); |
3979 | #ifdef CONFIG_SECURITY_SELINUX_MLS | |
3980 | while ((id = queue_remove(id_queue))) { | |
3981 | free(id); | |
3889 | if (mlspol) { | |
3890 | while ((id = queue_remove(id_queue))) | |
3891 | free(id); | |
3892 | id = queue_remove(id_queue); free(id); | |
3982 | 3893 | for (l = 0; l < 2; l++) { |
3983 | 3894 | while ((id = queue_remove(id_queue))) { |
3984 | 3895 | free(id); |
3985 | 3896 | } |
3986 | } | |
3987 | } | |
3988 | #endif | |
3897 | id = queue_remove(id_queue); | |
3898 | if (!id) | |
3899 | break; | |
3900 | free(id); | |
3901 | } | |
3902 | } | |
3989 | 3903 | return 0; |
3990 | 3904 | } |
3991 | 3905 | |
4022 | 3936 | continue; |
4023 | 3937 | } |
4024 | 3938 | |
4025 | #ifdef CONFIG_SECURITY_SELINUX_MLS | |
4026 | id = queue_remove(id_queue); | |
4027 | if (!id) { | |
4028 | rnode = (mls_range_list_t *) malloc(sizeof(mls_range_list_t)); | |
4029 | if (!rnode) { | |
4030 | yyerror("out of memory"); | |
4031 | free(id); | |
3939 | if (mlspol) { | |
3940 | id = queue_remove(id_queue); | |
3941 | if (!id) { | |
3942 | yyerror("no default level specified for user"); | |
4032 | 3943 | return -1; |
4033 | 3944 | } |
4034 | memset(rnode, 0, sizeof(mls_range_list_t)); | |
4035 | levdatum = (level_datum_t *) hashtab_search(policydbp->p_levels.table, | |
4036 | (hashtab_key_t) "unclassified"); | |
3945 | ||
3946 | levdatum = (level_datum_t *) | |
3947 | hashtab_search(policydbp->p_levels.table, | |
3948 | (hashtab_key_t) id); | |
4037 | 3949 | if (!levdatum) { |
4038 | yyerror("no range for user"); | |
3950 | sprintf(errormsg, "unknown sensitivity %s used in user" | |
3951 | " level definition", id); | |
3952 | yyerror(errormsg); | |
3953 | free(id); | |
4039 | 3954 | return -1; |
4040 | 3955 | } |
4041 | rnode->range.level[0].sens = levdatum->level->sens; | |
4042 | rnode->range.level[1].sens = levdatum->level->sens; | |
4043 | rnode->next = usrdatum->ranges; | |
4044 | usrdatum->ranges = rnode; | |
4045 | goto skip_mls; | |
4046 | } | |
4047 | do { | |
4048 | rnode = (mls_range_list_t *) malloc(sizeof(mls_range_list_t)); | |
4049 | if (!rnode) { | |
4050 | yyerror("out of memory"); | |
4051 | free(id); | |
4052 | return -1; | |
4053 | } | |
4054 | memset(rnode, 0, sizeof(mls_range_list_t)); | |
3956 | ||
3957 | usrdatum->dfltlevel.sens = levdatum->level->sens; | |
3958 | ebitmap_init(&usrdatum->dfltlevel.cat); | |
3959 | ||
3960 | levid = id; | |
3961 | ||
3962 | while ((id = queue_remove(id_queue))) { | |
3963 | /* Check for ranged entry */ | |
3964 | if (strcmp(id, "MLS_CAT_RANGE") == 0) { | |
3965 | free(id); | |
3966 | if (catdatum_r->value >= catdatum->value) { | |
3967 | yyerror("category range is negative"); | |
3968 | free(levid); | |
3969 | return -1; | |
3970 | } | |
3971 | ||
3972 | for (i=catdatum_r->value; | |
3973 | i<catdatum->value-1; i++) { | |
3974 | if (!ebitmap_get_bit(&levdatum->level->cat, i)) { | |
3975 | sprintf(errormsg, "category value=%d cannot be associated with level %s", i+1, levid); | |
3976 | yyerror(errormsg); | |
3977 | continue; | |
3978 | } | |
3979 | if (ebitmap_set_bit(&usrdatum->dfltlevel.cat, i, TRUE)) { | |
3980 | yyerror("out of memory"); | |
3981 | free(levid); | |
3982 | return -1; | |
3983 | } | |
3984 | } | |
3985 | continue; | |
3986 | } | |
3987 | /* Save previous entry */ | |
3988 | catdatum_r = catdatum; | |
3989 | ||
3990 | catdatum = (cat_datum_t *) | |
3991 | hashtab_search(policydbp->p_cats.table, | |
3992 | (hashtab_key_t) id); | |
3993 | if (!catdatum) { | |
3994 | sprintf(errormsg, "unknown category %s used in user range definition", id); | |
3995 | yyerror(errormsg); | |
3996 | free(id); | |
3997 | continue; | |
3998 | } | |
3999 | if (!ebitmap_get_bit(&levdatum->level->cat, catdatum->value - 1)) { | |
4000 | sprintf(errormsg, "category %s cannot be associated with level %s", id, levid); | |
4001 | yyerror(errormsg); | |
4002 | free(id); | |
4003 | continue; | |
4004 | } | |
4005 | if (ebitmap_set_bit(&usrdatum->dfltlevel.cat, catdatum->value - 1, TRUE)) { | |
4006 | yyerror("out of memory"); | |
4007 | free(id); | |
4008 | free(levid); | |
4009 | ebitmap_destroy(&usrdatum->dfltlevel.cat); | |
4010 | return -1; | |
4011 | } | |
4012 | free(id); | |
4013 | } | |
4014 | ||
4015 | free(levid); | |
4016 | ||
4017 | id = queue_remove(id_queue); | |
4055 | 4018 | |
4056 | 4019 | for (l = 0; l < 2; l++) { |
4057 | levdatum = (level_datum_t *) hashtab_search(policydbp->p_levels.table, | |
4020 | levdatum = (level_datum_t *) | |
4021 | hashtab_search(policydbp->p_levels.table, | |
4058 | 4022 | (hashtab_key_t) id); |
4059 | 4023 | if (!levdatum) { |
4060 | 4024 | sprintf(errormsg, "unknown sensitivity %s used in user range definition", id); |
4061 | 4025 | yyerror(errormsg); |
4062 | free(rnode); | |
4063 | 4026 | free(id); |
4064 | 4027 | continue; |
4065 | 4028 | } |
4066 | rnode->range.level[l].sens = levdatum->level->sens; | |
4067 | ebitmap_init(&rnode->range.level[l].cat); | |
4029 | usrdatum->range.level[l].sens = levdatum->level->sens; | |
4030 | ebitmap_init(&usrdatum->range.level[l].cat); | |
4068 | 4031 | |
4069 | 4032 | levid = id; |
4070 | 4033 | |
4071 | 4034 | while ((id = queue_remove(id_queue))) { |
4072 | catdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table, | |
4073 | (hashtab_key_t) id); | |
4035 | /* Check for ranged entry */ | |
4036 | if (strcmp(id, "MLS_CAT_RANGE") == 0) { | |
4037 | free(id); | |
4038 | if (catdatum_r->value >= catdatum->value) { | |
4039 | yyerror("category range is negative"); | |
4040 | free(levid); | |
4041 | return -1; | |
4042 | } | |
4043 | ||
4044 | for (i=catdatum_r->value; i<catdatum->value-1; i++) { | |
4045 | if (!ebitmap_get_bit(&levdatum->level->cat, i)) { | |
4046 | sprintf(errormsg, "category value=%d cannot be associated with level %s", i+1, levid); | |
4047 | yyerror(errormsg); | |
4048 | continue; | |
4049 | } | |
4050 | if (ebitmap_set_bit(&usrdatum->range.level[l].cat, i, TRUE)) { | |
4051 | yyerror("out of memory"); | |
4052 | free(levid); | |
4053 | return -1; | |
4054 | } | |
4055 | } | |
4056 | continue; | |
4057 | } | |
4058 | /* Save previous entry */ | |
4059 | catdatum_r = catdatum; | |
4060 | ||
4061 | catdatum = (cat_datum_t *) | |
4062 | hashtab_search(policydbp->p_cats.table, | |
4063 | (hashtab_key_t) id); | |
4074 | 4064 | if (!catdatum) { |
4075 | 4065 | sprintf(errormsg, "unknown category %s used in user range definition", id); |
4076 | 4066 | yyerror(errormsg); |
4077 | 4067 | free(id); |
4078 | 4068 | continue; |
4079 | 4069 | } |
4080 | if (!(ebitmap_get_bit(&levdatum->level->cat, catdatum->value - 1))) { | |
4081 | sprintf(errormsg, "category %s cannot be associated with level %s", id, levid); | |
4070 | if (!ebitmap_get_bit(&levdatum->level->cat, | |
4071 | catdatum->value - 1)) { | |
4072 | sprintf(errormsg,"category %s cannot be associated with level %s", id, levid); | |
4082 | 4073 | yyerror(errormsg); |
4083 | 4074 | free(id); |
4084 | 4075 | continue; |
4085 | 4076 | } |
4086 | if (ebitmap_set_bit(&rnode->range.level[l].cat, catdatum->value - 1, TRUE)) { | |
4077 | if (ebitmap_set_bit(&usrdatum->range.level[l].cat, catdatum->value - 1, TRUE)) { | |
4087 | 4078 | yyerror("out of memory"); |
4088 | 4079 | free(id); |
4089 | 4080 | free(levid); |
4090 | ebitmap_destroy(&rnode->range.level[l].cat); | |
4091 | free(rnode); | |
4081 | ebitmap_destroy(&usrdatum->dfltlevel.cat); | |
4082 | ebitmap_destroy(&usrdatum->range.level[l].cat); | |
4092 | 4083 | return -1; |
4093 | 4084 | } |
4094 | 4085 | |
4109 | 4100 | } |
4110 | 4101 | |
4111 | 4102 | if (l == 0) { |
4112 | rnode->range.level[1].sens = rnode->range.level[0].sens; | |
4113 | if (ebitmap_cpy(&rnode->range.level[1].cat, &rnode->range.level[0].cat)) { | |
4103 | usrdatum->range.level[1].sens = | |
4104 | usrdatum->range.level[0].sens; | |
4105 | if (ebitmap_cpy(&usrdatum->range.level[1].cat, | |
4106 | &usrdatum->range.level[0].cat)) { | |
4114 | 4107 | yyerror("out of memory"); |
4115 | free(id); | |
4116 | ebitmap_destroy(&rnode->range.level[0].cat); | |
4117 | free(rnode); | |
4118 | return -1; | |
4119 | } | |
4120 | } | |
4121 | relation = mls_level_relation(rnode->range.level[1], rnode->range.level[0]); | |
4122 | if (!(relation & (MLS_RELATION_DOM | MLS_RELATION_EQ))) { | |
4123 | /* high does not dominate low */ | |
4124 | yyerror("high does not dominate low"); | |
4125 | ebitmap_destroy(&rnode->range.level[0].cat); | |
4126 | ebitmap_destroy(&rnode->range.level[1].cat); | |
4127 | free(rnode); | |
4128 | return -1; | |
4129 | } | |
4130 | rnode->next = usrdatum->ranges; | |
4131 | usrdatum->ranges = rnode; | |
4132 | } while ((id = queue_remove(id_queue))); | |
4133 | skip_mls: | |
4134 | #endif | |
4135 | ||
4108 | goto out; | |
4109 | } | |
4110 | } | |
4111 | if (!mls_level_dom(&usrdatum->range.level[1], | |
4112 | &usrdatum->range.level[0])) { | |
4113 | yyerror("high level does not dominate low level"); | |
4114 | goto out; | |
4115 | } | |
4116 | if (!mls_level_between(&usrdatum->dfltlevel, | |
4117 | &usrdatum->range.level[0], | |
4118 | &usrdatum->range.level[1])) { | |
4119 | yyerror("default level not within user range"); | |
4120 | goto out; | |
4121 | } | |
4122 | } | |
4136 | 4123 | return 0; |
4124 | ||
4125 | out: | |
4126 | ebitmap_destroy(&usrdatum->dfltlevel.cat); | |
4127 | ebitmap_destroy(&usrdatum->range.level[0].cat); | |
4128 | ebitmap_destroy(&usrdatum->range.level[1].cat); | |
4129 | return -1; | |
4137 | 4130 | } |
4138 | 4131 | |
4139 | 4132 | |
4143 | 4136 | role_datum_t *role; |
4144 | 4137 | type_datum_t *typdatum; |
4145 | 4138 | user_datum_t *usrdatum; |
4146 | #ifdef CONFIG_SECURITY_SELINUX_MLS | |
4147 | 4139 | char *levid; |
4148 | 4140 | level_datum_t *levdatum; |
4149 | cat_datum_t *catdatum; | |
4150 | int l; | |
4151 | #endif | |
4141 | cat_datum_t *catdatum = NULL; | |
4142 | cat_datum_t *catdatum_r = NULL; | |
4143 | int l, i; | |
4152 | 4144 | |
4153 | 4145 | if (pass == 1) { |
4154 | 4146 | id = queue_remove(id_queue); free(id); /* user */ |
4155 | 4147 | id = queue_remove(id_queue); free(id); /* role */ |
4156 | 4148 | id = queue_remove(id_queue); free(id); /* type */ |
4157 | #ifdef CONFIG_SECURITY_SELINUX_MLS | |
4158 | id = queue_remove(id_queue); free(id); | |
4159 | for (l = 0; l < 2; l++) { | |
4160 | while ((id = queue_remove(id_queue))) { | |
4161 | free(id); | |
4162 | } | |
4163 | } | |
4164 | #endif | |
4149 | if (mlspol) { | |
4150 | id = queue_remove(id_queue); free(id); | |
4151 | for (l = 0; l < 2; l++) { | |
4152 | while ((id = queue_remove(id_queue))) { | |
4153 | free(id); | |
4154 | } | |
4155 | id = queue_remove(id_queue); | |
4156 | if (!id) | |
4157 | break; | |
4158 | free(id); | |
4159 | } | |
4160 | } | |
4165 | 4161 | return 0; |
4166 | 4162 | } |
4167 | 4163 | |
4225 | 4221 | /* no need to keep the type name */ |
4226 | 4222 | free(id); |
4227 | 4223 | |
4228 | #ifdef CONFIG_SECURITY_SELINUX_MLS | |
4229 | /* extract the low sensitivity */ | |
4230 | id = (char *) queue_head(id_queue); | |
4231 | if (!id || strcmp(id, "system_u") == 0 /* hack */) { | |
4232 | /* No MLS component to the security context. Try | |
4233 | to use a default 'unclassified' value. */ | |
4234 | levdatum = (level_datum_t *) hashtab_search(policydbp->p_levels.table, | |
4235 | (hashtab_key_t) "unclassified"); | |
4236 | if (!levdatum) { | |
4237 | yyerror("no sensitivity name for sid context definition?"); | |
4224 | if (mlspol) { | |
4225 | /* extract the low sensitivity */ | |
4226 | id = (char *) queue_head(id_queue); | |
4227 | if (!id) { | |
4228 | yyerror("no sensitivity name for sid context" | |
4229 | " definition?"); | |
4238 | 4230 | return -1; |
4239 | 4231 | } |
4240 | c->range.level[0].sens = levdatum->level->sens; | |
4241 | c->range.level[1].sens = levdatum->level->sens; | |
4242 | goto skip_mls; | |
4243 | } | |
4244 | ||
4245 | id = (char *) queue_remove(id_queue); | |
4246 | for (l = 0; l < 2; l++) { | |
4247 | levdatum = (level_datum_t *) hashtab_search(policydbp->p_levels.table, | |
4232 | ||
4233 | id = (char *) queue_remove(id_queue); | |
4234 | for (l = 0; l < 2; l++) { | |
4235 | levdatum = (level_datum_t *) | |
4236 | hashtab_search(policydbp->p_levels.table, | |
4248 | 4237 | (hashtab_key_t) id); |
4249 | if (!levdatum) { | |
4250 | sprintf(errormsg, "Sensitivity %s is not defined", id); | |
4251 | yyerror(errormsg); | |
4252 | free(id); | |
4253 | return -1; | |
4254 | } | |
4255 | c->range.level[l].sens = levdatum->level->sens; | |
4256 | ||
4257 | /* extract low category set */ | |
4258 | levid = id; | |
4259 | while ((id = queue_remove(id_queue))) { | |
4260 | catdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table, | |
4261 | (hashtab_key_t) id); | |
4262 | if (!catdatum) { | |
4263 | sprintf(errormsg, "unknown category %s used in initial sid context", id); | |
4238 | if (!levdatum) { | |
4239 | sprintf(errormsg, "Sensitivity %s is not " | |
4240 | "defined", id); | |
4264 | 4241 | yyerror(errormsg); |
4265 | free(levid); | |
4266 | 4242 | free(id); |
4243 | return -1; | |
4244 | } | |
4245 | c->range.level[l].sens = levdatum->level->sens; | |
4246 | ||
4247 | /* extract low category set */ | |
4248 | levid = id; | |
4249 | while ((id = queue_remove(id_queue))) { | |
4250 | /* Check for ranged entry */ | |
4251 | if (strcmp(id, "MLS_CAT_RANGE") == 0) { | |
4252 | free(id); | |
4253 | if (catdatum_r->value >= | |
4254 | catdatum->value) | |
4255 | { | |
4256 | yyerror("category range is negative"); | |
4257 | free(levid); | |
4258 | return -1; | |
4259 | } | |
4260 | ||
4261 | for (i = catdatum_r->value; | |
4262 | i < catdatum->value-1; i++) { | |
4263 | if (ebitmap_set_bit(&c->range.level[l].cat, i, TRUE)) { | |
4264 | yyerror("out of memory"); | |
4265 | free(levid); | |
4266 | return -1; | |
4267 | } | |
4268 | } | |
4269 | continue; | |
4270 | } | |
4271 | /* Save previous entry */ | |
4272 | catdatum_r = catdatum; | |
4273 | ||
4274 | catdatum = (cat_datum_t *) | |
4275 | hashtab_search(policydbp->p_cats.table, | |
4276 | (hashtab_key_t) id); | |
4277 | if (!catdatum) { | |
4278 | sprintf(errormsg, "unknown category %s used in initial sid context", id); | |
4279 | yyerror(errormsg); | |
4280 | free(levid); | |
4281 | free(id); | |
4282 | goto bad; | |
4283 | } | |
4284 | if (ebitmap_set_bit(&c->range.level[l].cat, | |
4285 | catdatum->value - 1, TRUE)) { | |
4286 | yyerror("out of memory"); | |
4287 | free(levid); | |
4288 | free(id); | |
4289 | goto bad; | |
4290 | } | |
4291 | /* no need to keep category name */ | |
4292 | free(id); | |
4293 | } | |
4294 | ||
4295 | /* no need to keep the sensitivity name */ | |
4296 | free(levid); | |
4297 | ||
4298 | /* extract high sensitivity */ | |
4299 | id = (char *) queue_remove(id_queue); | |
4300 | if (!id) | |
4301 | break; | |
4302 | } | |
4303 | ||
4304 | if (l == 0) { | |
4305 | c->range.level[1].sens = c->range.level[0].sens; | |
4306 | if (ebitmap_cpy(&c->range.level[1].cat, | |
4307 | &c->range.level[0].cat)) { | |
4308 | ||
4309 | yyerror("out of memory"); | |
4267 | 4310 | goto bad; |
4268 | 4311 | } |
4269 | if (ebitmap_set_bit(&c->range.level[l].cat, | |
4270 | catdatum->value - 1, TRUE)) { | |
4271 | yyerror("out of memory"); | |
4272 | free(levid); | |
4273 | free(id); | |
4274 | goto bad; | |
4275 | } | |
4276 | /* no need to keep category name */ | |
4277 | free(id); | |
4278 | } | |
4279 | ||
4280 | /* no need to keep the sensitivity name */ | |
4281 | free(levid); | |
4282 | ||
4283 | /* extract high sensitivity */ | |
4284 | id = (char *) queue_remove(id_queue); | |
4285 | if (!id) | |
4286 | break; | |
4287 | } | |
4288 | ||
4289 | if (l == 0) { | |
4290 | c->range.level[1].sens = c->range.level[0].sens; | |
4291 | if (ebitmap_cpy(&c->range.level[1].cat, &c->range.level[0].cat)) { | |
4292 | ||
4293 | yyerror("out of memory"); | |
4294 | goto bad; | |
4295 | } | |
4296 | } | |
4297 | skip_mls: | |
4298 | #endif | |
4312 | } | |
4313 | } | |
4299 | 4314 | |
4300 | 4315 | if (!policydb_context_isvalid(policydbp, c)) { |
4301 | 4316 | yyerror("invalid security context"); |
4552 | 4567 | |
4553 | 4568 | if (pass == 1) { |
4554 | 4569 | parse_security_context(NULL); |
4570 | if (mlspol) | |
4571 | free(queue_remove(id_queue)); | |
4555 | 4572 | return 0; |
4556 | 4573 | } |
4557 | 4574 | |
4573 | 4590 | /* Create order of most specific to least retaining |
4574 | 4591 | the order specified in the configuration. */ |
4575 | 4592 | head = policydbp->ocontexts[OCON_NODE]; |
4576 | for (l = NULL, c = head; c; l = c, c = c->next) { | |
4593 | for (l = NULL, c = head; c; l = c, c = c->next) { | |
4577 | 4594 | if (newc->u.node.mask > c->u.node.mask) |
4578 | 4595 | break; |
4579 | 4596 | } |
4844 | 4861 | return define_genfs_context_helper(queue_remove(id_queue), has_type); |
4845 | 4862 | } |
4846 | 4863 | |
4864 | static int define_range_trans(void) | |
4865 | { | |
4866 | char *id; | |
4867 | char *levid; | |
4868 | level_datum_t *levdatum = 0; | |
4869 | cat_datum_t *catdatum = NULL; | |
4870 | cat_datum_t *catdatum_r = NULL; | |
4871 | mls_range_t range; | |
4872 | ebitmap_t doms, types, negset; | |
4873 | range_trans_t *rt = 0; | |
4874 | unsigned int i, j; | |
4875 | int l, add = 1; | |
4876 | ||
4877 | if (!mlspol) { | |
4878 | yyerror("range_transition rule in non-MLS configuration"); | |
4879 | return -1; | |
4880 | } | |
4881 | ||
4882 | if (pass == 1) { | |
4883 | while ((id = queue_remove(id_queue))) | |
4884 | free(id); | |
4885 | while ((id = queue_remove(id_queue))) | |
4886 | free(id); | |
4887 | id = queue_remove(id_queue); free(id); | |
4888 | for (l = 0; l < 2; l++) { | |
4889 | while ((id = queue_remove(id_queue))) { | |
4890 | free(id); | |
4891 | } | |
4892 | id = queue_remove(id_queue); | |
4893 | if (!id) | |
4894 | break; | |
4895 | free(id); | |
4896 | } | |
4897 | return 0; | |
4898 | } | |
4899 | ||
4900 | ebitmap_init(&doms); | |
4901 | ebitmap_init(&types); | |
4902 | ||
4903 | ebitmap_init(&negset); | |
4904 | while ((id = queue_remove(id_queue))) { | |
4905 | if (set_types(&doms, &negset, id, &add)) | |
4906 | return -1; | |
4907 | } | |
4908 | ebitmap_destroy(&negset); | |
4909 | ||
4910 | ebitmap_init(&negset); | |
4911 | while ((id = queue_remove(id_queue))) { | |
4912 | if (set_types(&types, &negset, id, &add)) | |
4913 | return -1; | |
4914 | } | |
4915 | ebitmap_destroy(&negset); | |
4916 | ||
4917 | id = (char *)queue_remove(id_queue); | |
4918 | if (!id) { | |
4919 | yyerror("no range in range_transition definition?"); | |
4920 | return -1; | |
4921 | } | |
4922 | for (l = 0; l < 2; l++) { | |
4923 | levdatum = hashtab_search(policydbp->p_levels.table, id); | |
4924 | if (!levdatum) { | |
4925 | sprintf(errormsg, "unknown level %s used in range_transition definition", id); | |
4926 | yyerror(errormsg); | |
4927 | return -1; | |
4928 | } | |
4929 | range.level[l].sens = levdatum->level->sens; | |
4930 | ||
4931 | levid = id; | |
4932 | ebitmap_init(&range.level[l].cat); | |
4933 | while ((id = queue_remove(id_queue))) { | |
4934 | /* Check for ranged entry */ | |
4935 | if (strcmp(id, "MLS_CAT_RANGE") == 0) { | |
4936 | free(id); | |
4937 | if (catdatum_r->value >= catdatum->value) { | |
4938 | yyerror("category range is negative"); | |
4939 | free(levid); | |
4940 | return -1; | |
4941 | } | |
4942 | ||
4943 | for (i = catdatum_r->value; i < catdatum->value - 1; i++) { | |
4944 | if (!ebitmap_get_bit(&levdatum->level->cat, i)) { | |
4945 | sprintf(errormsg, "category value=%d cannot be associated with level %s", i+1, levid); | |
4946 | yyerror(errormsg); | |
4947 | continue; | |
4948 | } | |
4949 | if (ebitmap_set_bit(&range.level[l].cat, i, TRUE)) { | |
4950 | yyerror("out of memory"); | |
4951 | free(levid); | |
4952 | return -1; | |
4953 | } | |
4954 | } | |
4955 | continue; | |
4956 | } | |
4957 | ||
4958 | /* Save previous entry */ | |
4959 | catdatum_r = catdatum; | |
4960 | ||
4961 | catdatum = hashtab_search(policydbp->p_cats.table, id); | |
4962 | if (!catdatum) { | |
4963 | sprintf(errormsg, "unknown category %s used in range_transition definition", id); | |
4964 | yyerror(errormsg); | |
4965 | return -1; | |
4966 | } | |
4967 | if (!ebitmap_get_bit(&levdatum->level->cat, catdatum->value - 1)) { | |
4968 | sprintf(errormsg, "category %s not allowed with specified sensitivity", id); | |
4969 | yyerror(errormsg); | |
4970 | return -1; | |
4971 | } | |
4972 | if (ebitmap_set_bit(&range.level[l].cat, catdatum->value - 1, TRUE)) { | |
4973 | yyerror("out of memory"); | |
4974 | return -1; | |
4975 | } | |
4976 | free(id); | |
4977 | } | |
4978 | free(levid); | |
4979 | ||
4980 | id = (char *)queue_remove(id_queue); | |
4981 | if (!id) | |
4982 | break; | |
4983 | } | |
4984 | if (l == 0) { | |
4985 | range.level[1].sens = range.level[0].sens; | |
4986 | if (ebitmap_cpy(&range.level[1].cat, &range.level[0].cat)) { | |
4987 | yyerror("out of memory"); | |
4988 | return -1; | |
4989 | } | |
4990 | } | |
4991 | ||
4992 | if (!mls_level_dom(&range.level[1], &range.level[0])) { | |
4993 | yyerror("range_transition high level does not dominate low level"); | |
4994 | return -1; | |
4995 | } | |
4996 | ||
4997 | for (i = ebitmap_startbit(&doms); i < ebitmap_length(&doms); i++) { | |
4998 | if (!ebitmap_get_bit(&doms, i)) | |
4999 | continue; | |
5000 | for (j = ebitmap_startbit(&types); j < ebitmap_length(&types); j++) { | |
5001 | if (!ebitmap_get_bit(&types, j)) | |
5002 | continue; | |
5003 | ||
5004 | for (rt = policydbp->range_tr; rt; rt = rt->next) { | |
5005 | if (rt->dom == (i + 1) && rt->type == (j + 1)) { | |
5006 | sprintf(errormsg, "duplicate range_transition defined for (%s,%s)", | |
5007 | type_val_to_name(i + 1), type_val_to_name(j + 1)); | |
5008 | yyerror(errormsg); | |
5009 | return -1; | |
5010 | } | |
5011 | } | |
5012 | ||
5013 | rt = malloc(sizeof(range_trans_t)); | |
5014 | if (!rt) { | |
5015 | yyerror("out of memory"); | |
5016 | return -1; | |
5017 | } | |
5018 | memset(rt, 0, sizeof(range_trans_t)); | |
5019 | rt->dom = i + 1; | |
5020 | rt->type = j + 1; | |
5021 | rt->range.level[0].sens = range.level[0].sens; | |
5022 | if (ebitmap_cpy(&rt->range.level[0].cat, | |
5023 | &range.level[0].cat)) { | |
5024 | yyerror("out of memory"); | |
5025 | free(rt); | |
5026 | return -1; | |
5027 | } | |
5028 | rt->range.level[1].sens = range.level[1].sens; | |
5029 | if (ebitmap_cpy(&rt->range.level[1].cat, | |
5030 | &range.level[1].cat)) { | |
5031 | yyerror("out of memory"); | |
5032 | free(rt); | |
5033 | return -1; | |
5034 | } | |
5035 | rt->next = policydbp->range_tr; | |
5036 | policydbp->range_tr = rt; | |
5037 | } | |
5038 | } | |
5039 | ||
5040 | ebitmap_destroy(&doms); | |
5041 | ebitmap_destroy(&types); | |
5042 | ebitmap_destroy(&range.level[0].cat); | |
5043 | ebitmap_destroy(&range.level[1].cat); | |
5044 | return 0; | |
5045 | } | |
5046 | ||
4847 | 5047 | /* FLASK */ |
4848 | 5048 | |
4849 | 5049 |
51 | 51 | class { return(CLASS); } |
52 | 52 | CONSTRAIN | |
53 | 53 | constrain { return(CONSTRAIN); } |
54 | VALIDATETRANS | | |
55 | validatetrans { return(VALIDATETRANS); } | |
54 | 56 | INHERITS | |
55 | 57 | inherits { return(INHERITS); } |
56 | 58 | SID | |
70 | 72 | BOOL | |
71 | 73 | bool { return(BOOL); } |
72 | 74 | IF | |
73 | if { return(IF); } | |
75 | if { return(IF); } | |
74 | 76 | ELSE | |
75 | else { return(ELSE); } | |
77 | else { return(ELSE); } | |
76 | 78 | ALIAS | |
77 | 79 | alias { return(ALIAS); } |
78 | 80 | ATTRIBUTE | |
85 | 87 | type_change { return(TYPE_CHANGE); } |
86 | 88 | ROLE_TRANSITION | |
87 | 89 | role_transition { return(ROLE_TRANSITION); } |
90 | RANGE_TRANSITION | | |
91 | range_transition { return(RANGE_TRANSITION); } | |
88 | 92 | SENSITIVITY | |
89 | sensitivity { return(SENSITIVITY); } | |
93 | sensitivity { return(SENSITIVITY); } | |
90 | 94 | DOMINANCE | |
91 | 95 | dominance { return(DOMINANCE); } |
92 | 96 | CATEGORY | |
93 | 97 | category { return(CATEGORY); } |
94 | 98 | LEVEL | |
95 | 99 | level { return(LEVEL); } |
96 | RANGES | | |
97 | ranges { return(RANGES); } | |
100 | RANGE | | |
101 | range { return(RANGE); } | |
102 | MLSCONSTRAIN | | |
103 | mlsconstrain { return(MLSCONSTRAIN); } | |
104 | MLSVALIDATETRANS | | |
105 | mlsvalidatetrans { return(MLSVALIDATETRANS); } | |
98 | 106 | USER | |
99 | 107 | user { return(USER); } |
100 | 108 | NEVERALLOW | |
136 | 144 | fscon | |
137 | 145 | FSCON { return(FSCON);} |
138 | 146 | portcon | |
139 | PORTCON { return(PORTCON);} | |
147 | PORTCON { return(PORTCON);} | |
140 | 148 | netifcon | |
141 | NETIFCON { return(NETIFCON);} | |
149 | NETIFCON { return(NETIFCON);} | |
142 | 150 | nodecon | |
143 | NODECON { return(NODECON);} | |
151 | NODECON { return(NODECON);} | |
144 | 152 | fs_use_xattr | |
145 | FS_USE_XATTR {return(FSUSEXATTR);} | |
153 | FS_USE_XATTR { return(FSUSEXATTR);} | |
146 | 154 | fs_use_task | |
147 | FS_USE_TASK {return(FSUSETASK);} | |
155 | FS_USE_TASK { return(FSUSETASK);} | |
148 | 156 | fs_use_trans | |
149 | FS_USE_TRANS {return(FSUSETRANS);} | |
157 | FS_USE_TRANS { return(FSUSETRANS);} | |
150 | 158 | genfscon | |
151 | 159 | GENFSCON { return(GENFSCON);} |
152 | 160 | r1 | |
153 | 161 | R1 { return(R1); } |
154 | 162 | r2 | |
155 | 163 | R2 { return(R2); } |
164 | r3 | | |
165 | R3 { return(R3); } | |
156 | 166 | u1 | |
157 | 167 | U1 { return(U1); } |
158 | 168 | u2 | |
159 | 169 | U2 { return(U2); } |
170 | u3 | | |
171 | U3 { return(U3); } | |
160 | 172 | t1 | |
161 | 173 | T1 { return(T1); } |
162 | 174 | t2 | |
163 | 175 | T2 { return(T2); } |
176 | t3 | | |
177 | T3 { return(T3); } | |
178 | l1 | | |
179 | L1 { return(L1); } | |
180 | l2 | | |
181 | L2 { return(L2); } | |
182 | h1 | | |
183 | H1 { return(H1); } | |
184 | h2 | | |
185 | H2 { return(H2); } | |
164 | 186 | "/"({letter}|{digit}|_|"."|"-"|"/")* { return(PATH); } |
165 | 187 | {letter}({letter}|{digit}|_)* { return(IDENTIFIER); } |
166 | 188 | {letter}({letter}|{digit}|_|"."|"-")* { return(USER_IDENTIFIER); } |
0 | %{ | |
1 | #include <string.h> | |
2 | #include "users.tab.h" | |
3 | ||
4 | static char linebuf[2][255]; | |
5 | static unsigned int lno = 0; | |
6 | int yywarn(char *msg); | |
7 | ||
8 | unsigned long policydb_lineno = 1; | |
9 | ||
10 | unsigned int policydb_errors = 0; | |
11 | %} | |
12 | %array | |
13 | letter [A-Za-z] | |
14 | digit [0-9] | |
15 | hexval [0-9A-Fa-f] | |
16 | %% | |
17 | \n.* { strncpy(linebuf[lno], yytext+1, 255); | |
18 | linebuf[lno][254] = 0; | |
19 | lno = 1 - lno; | |
20 | policydb_lineno++; | |
21 | yyless(1); } | |
22 | ROLES | | |
23 | roles { return(ROLES); } | |
24 | RANGES | | |
25 | ranges { return(RANGES); } | |
26 | USER | | |
27 | user { return(USER); } | |
28 | {letter}({letter}|{digit}|_)* { return(IDENTIFIER); } | |
29 | {letter}({letter}|{digit}|_|"."|"-")* { return(USER_IDENTIFIER); } | |
30 | #[^\n]* { /* delete comments */ } | |
31 | [ \t\f]+ { /* delete whitespace */ } | |
32 | "{" | | |
33 | "}" | | |
34 | ";" | | |
35 | "-" | | |
36 | "~" | | |
37 | "*" { return(yytext[0]); } | |
38 | . { yywarn("unrecognized character");} | |
39 | %% | |
40 | int yyerror(char *msg) | |
41 | { | |
42 | fprintf(stderr, "ERROR '%s' at token '%s' on line %ld:\n%s\n%s\n", | |
43 | msg, | |
44 | yytext, | |
45 | policydb_lineno, | |
46 | linebuf[0], linebuf[1]); | |
47 | policydb_errors++; | |
48 | return -1; | |
49 | } | |
50 | ||
51 | int yywarn(char *msg) | |
52 | { | |
53 | fprintf(stderr, "WARNING '%s' at token '%s' on line %ld:\n%s\n%s\n", | |
54 | msg, | |
55 | yytext, | |
56 | policydb_lineno, | |
57 | linebuf[0], linebuf[1]); | |
58 | return 0; | |
59 | } |
0 | %{ | |
1 | #include <sepol/policydb.h> | |
2 | #include <sepol/services.h> | |
3 | #include <sepol/conditional.h> | |
4 | #include <stdint.h> | |
5 | #include "queue.h" | |
6 | #include "checkpolicy.h" | |
7 | ||
8 | #define TRUE 1 | |
9 | #define FALSE 0 | |
10 | ||
11 | policydb_t *policydbp; | |
12 | queue_t id_queue = 0; | |
13 | unsigned int pass; | |
14 | char *curfile = 0; | |
15 | unsigned int curline; | |
16 | ||
17 | extern unsigned long policydb_lineno; | |
18 | ||
19 | extern char yytext[]; | |
20 | extern int yywarn(char *msg); | |
21 | extern int yyerror(char *msg); | |
22 | ||
23 | static char errormsg[255]; | |
24 | ||
25 | static int insert_separator(int push); | |
26 | static int insert_id(char *id,int push); | |
27 | static int define_user(void); | |
28 | %} | |
29 | ||
30 | %token ROLES | |
31 | %token RANGES | |
32 | %token USER | |
33 | %token IDENTIFIER | |
34 | %token USER_IDENTIFIER | |
35 | ||
36 | %% | |
37 | users : user_def | |
38 | | users user_def | |
39 | ; | |
40 | user_id : identifier | |
41 | | user_identifier | |
42 | ; | |
43 | user_def : USER user_id ROLES names opt_user_ranges ';' | |
44 | {if (define_user()) return -1;} | |
45 | ; | |
46 | opt_user_ranges : RANGES user_ranges | |
47 | | | |
48 | ; | |
49 | user_ranges : mls_range_def | |
50 | | '{' user_range_def_list '}' | |
51 | ; | |
52 | user_range_def_list : mls_range_def | |
53 | | user_range_def_list mls_range_def | |
54 | ; | |
55 | mls_range_def : mls_level_def '-' mls_level_def | |
56 | {if (insert_separator(0)) return -1;} | |
57 | | mls_level_def | |
58 | {if (insert_separator(0)) return -1;} | |
59 | ; | |
60 | mls_level_def : identifier ':' id_comma_list | |
61 | {if (insert_separator(0)) return -1;} | |
62 | | identifier | |
63 | {if (insert_separator(0)) return -1;} | |
64 | ; | |
65 | id_comma_list : identifier | |
66 | | id_comma_list ',' identifier | |
67 | ; | |
68 | tilde : '~' | |
69 | ; | |
70 | asterisk : '*' | |
71 | ; | |
72 | names : identifier | |
73 | { if (insert_separator(0)) return -1; } | |
74 | | nested_id_set | |
75 | { if (insert_separator(0)) return -1; } | |
76 | | asterisk | |
77 | { if (insert_id("*", 0)) return -1; | |
78 | if (insert_separator(0)) return -1; } | |
79 | | tilde identifier | |
80 | { if (insert_id("~", 0)) return -1; | |
81 | if (insert_separator(0)) return -1; } | |
82 | | tilde nested_id_set | |
83 | { if (insert_id("~", 0)) return -1; | |
84 | if (insert_separator(0)) return -1; } | |
85 | | identifier '-' { if (insert_id("-", 0)) return -1; } identifier | |
86 | { if (insert_separator(0)) return -1; } | |
87 | ; | |
88 | nested_id_set : '{' nested_id_list '}' | |
89 | ; | |
90 | nested_id_list : nested_id_element | nested_id_list nested_id_element | |
91 | ; | |
92 | nested_id_element : identifier | '-' { if (insert_id("-", 0)) return -1; } identifier | nested_id_set | |
93 | ; | |
94 | identifier : IDENTIFIER | |
95 | { if (insert_id(yytext,0)) return -1; } | |
96 | ; | |
97 | user_identifier : USER_IDENTIFIER | |
98 | { if (insert_id(yytext,0)) return -1; } | |
99 | ; | |
100 | ||
101 | %% | |
102 | #define DEBUG 1 | |
103 | ||
104 | static int insert_separator(int push) | |
105 | { | |
106 | int error; | |
107 | ||
108 | if (push) | |
109 | error = queue_push(id_queue, 0); | |
110 | else | |
111 | error = queue_insert(id_queue, 0); | |
112 | ||
113 | if (error) { | |
114 | yyerror("queue overflow"); | |
115 | return -1; | |
116 | } | |
117 | return 0; | |
118 | } | |
119 | ||
120 | static int insert_id(char *id, int push) | |
121 | { | |
122 | char *newid = 0; | |
123 | int error; | |
124 | ||
125 | newid = (char *) malloc(strlen(id) + 1); | |
126 | if (!newid) { | |
127 | yyerror("out of memory"); | |
128 | return -1; | |
129 | } | |
130 | strcpy(newid, id); | |
131 | if (push) | |
132 | error = queue_push(id_queue, (queue_element_t) newid); | |
133 | else | |
134 | error = queue_insert(id_queue, (queue_element_t) newid); | |
135 | ||
136 | if (error) { | |
137 | yyerror("queue overflow"); | |
138 | free(newid); | |
139 | return -1; | |
140 | } | |
141 | return 0; | |
142 | } | |
143 | ||
144 | static int set_user_roles(ebitmap_t *set, | |
145 | char *id) | |
146 | { | |
147 | role_datum_t *r; | |
148 | unsigned int i; | |
149 | ||
150 | if (strcmp(id, "*") == 0) { | |
151 | /* set all roles */ | |
152 | for (i = 0; i < policydbp->p_roles.nprim; i++) | |
153 | ebitmap_set_bit(set, i, TRUE); | |
154 | free(id); | |
155 | return 0; | |
156 | } | |
157 | ||
158 | if (strcmp(id, "~") == 0) { | |
159 | /* complement the set */ | |
160 | for (i = 0; i < policydbp->p_roles.nprim; i++) { | |
161 | if (ebitmap_get_bit(set, i)) | |
162 | ebitmap_set_bit(set, i, FALSE); | |
163 | else | |
164 | ebitmap_set_bit(set, i, TRUE); | |
165 | } | |
166 | free(id); | |
167 | return 0; | |
168 | } | |
169 | ||
170 | r = hashtab_search(policydbp->p_roles.table, id); | |
171 | if (!r) { | |
172 | sprintf(errormsg, "unknown role %s", id); | |
173 | yyerror(errormsg); | |
174 | free(id); | |
175 | return -1; | |
176 | } | |
177 | ||
178 | /* set the role and every role it dominates */ | |
179 | for (i = ebitmap_startbit(&r->dominates); i < ebitmap_length(&r->dominates); i++) { | |
180 | if (ebitmap_get_bit(&r->dominates, i)) | |
181 | ebitmap_set_bit(set, i, TRUE); | |
182 | } | |
183 | free(id); | |
184 | return 0; | |
185 | } | |
186 | ||
187 | static int define_user(void) | |
188 | { | |
189 | char *id; | |
190 | user_datum_t *usrdatum; | |
191 | int ret; | |
192 | #ifdef CONFIG_SECURITY_SELINUX_MLS | |
193 | mls_range_list_t *rnode; | |
194 | level_datum_t *levdatum; | |
195 | cat_datum_t *catdatum; | |
196 | int relation, l; | |
197 | char *levid; | |
198 | #endif | |
199 | ||
200 | if (pass == 1) { | |
201 | while ((id = queue_remove(id_queue))) | |
202 | free(id); | |
203 | #ifdef CONFIG_SECURITY_SELINUX_MLS | |
204 | while ((id = queue_remove(id_queue))) { | |
205 | free(id); | |
206 | for (l = 0; l < 2; l++) { | |
207 | while ((id = queue_remove(id_queue))) { | |
208 | free(id); | |
209 | } | |
210 | } | |
211 | } | |
212 | #endif | |
213 | return 0; | |
214 | } | |
215 | ||
216 | id = (char *) queue_remove(id_queue); | |
217 | if (!id) { | |
218 | yyerror("no user name for user definition?"); | |
219 | return -1; | |
220 | } | |
221 | usrdatum = (user_datum_t *) hashtab_search(policydbp->p_users.table, | |
222 | (hashtab_key_t) id); | |
223 | if (usrdatum) { | |
224 | printf("Replacing user %s\n", id); | |
225 | ebitmap_init(&usrdatum->roles); | |
226 | usrdatum->defined = 1; | |
227 | free(id); | |
228 | } else { | |
229 | printf("Adding user %s\n", id); | |
230 | usrdatum = (user_datum_t *) malloc(sizeof(user_datum_t)); | |
231 | if (!usrdatum) { | |
232 | yyerror("out of memory"); | |
233 | free(id); | |
234 | return -1; | |
235 | } | |
236 | memset(usrdatum, 0, sizeof(user_datum_t)); | |
237 | usrdatum->value = ++policydbp->p_users.nprim; | |
238 | ebitmap_init(&usrdatum->roles); | |
239 | usrdatum->defined = 1; | |
240 | ret = hashtab_insert(policydbp->p_users.table, | |
241 | (hashtab_key_t) id, (hashtab_datum_t) usrdatum); | |
242 | if (ret) { | |
243 | yyerror("hash table overflow"); | |
244 | free(usrdatum); | |
245 | free(id); | |
246 | return -1; | |
247 | } | |
248 | } | |
249 | ||
250 | while ((id = queue_remove(id_queue))) { | |
251 | if (set_user_roles(&usrdatum->roles, id)) | |
252 | continue; | |
253 | } | |
254 | ||
255 | #ifdef CONFIG_SECURITY_SELINUX_MLS | |
256 | id = queue_remove(id_queue); | |
257 | if (!id) { | |
258 | rnode = (mls_range_list_t *) malloc(sizeof(mls_range_list_t)); | |
259 | if (!rnode) { | |
260 | yyerror("out of memory"); | |
261 | free(id); | |
262 | return -1; | |
263 | } | |
264 | memset(rnode, 0, sizeof(mls_range_list_t)); | |
265 | levdatum = (level_datum_t *) hashtab_search(policydbp->p_levels.table, | |
266 | (hashtab_key_t) "unclassified"); | |
267 | if (!levdatum) { | |
268 | yyerror("no range for user"); | |
269 | return -1; | |
270 | } | |
271 | rnode->range.level[0].sens = levdatum->level->sens; | |
272 | rnode->range.level[1].sens = levdatum->level->sens; | |
273 | rnode->next = usrdatum->ranges; | |
274 | usrdatum->ranges = rnode; | |
275 | goto skip_mls; | |
276 | } | |
277 | do { | |
278 | rnode = (mls_range_list_t *) malloc(sizeof(mls_range_list_t)); | |
279 | if (!rnode) { | |
280 | yyerror("out of memory"); | |
281 | free(id); | |
282 | return -1; | |
283 | } | |
284 | memset(rnode, 0, sizeof(mls_range_list_t)); | |
285 | ||
286 | for (l = 0; l < 2; l++) { | |
287 | levdatum = (level_datum_t *) hashtab_search(policydbp->p_levels.table, | |
288 | (hashtab_key_t) id); | |
289 | if (!levdatum) { | |
290 | sprintf(errormsg, "unknown sensitivity %s used in user range definition", id); | |
291 | yyerror(errormsg); | |
292 | free(rnode); | |
293 | free(id); | |
294 | continue; | |
295 | } | |
296 | rnode->range.level[l].sens = levdatum->level->sens; | |
297 | ebitmap_init(&rnode->range.level[l].cat); | |
298 | ||
299 | levid = id; | |
300 | ||
301 | while ((id = queue_remove(id_queue))) { | |
302 | catdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table, | |
303 | (hashtab_key_t) id); | |
304 | if (!catdatum) { | |
305 | sprintf(errormsg, "unknown category %s used in user range definition", id); | |
306 | yyerror(errormsg); | |
307 | free(id); | |
308 | continue; | |
309 | } | |
310 | if (!(ebitmap_get_bit(&levdatum->level->cat, catdatum->value - 1))) { | |
311 | sprintf(errormsg, "category %s cannot be associated with level %s", id, levid); | |
312 | yyerror(errormsg); | |
313 | free(id); | |
314 | continue; | |
315 | } | |
316 | if (ebitmap_set_bit(&rnode->range.level[l].cat, catdatum->value - 1, TRUE)) { | |
317 | yyerror("out of memory"); | |
318 | free(id); | |
319 | free(levid); | |
320 | ebitmap_destroy(&rnode->range.level[l].cat); | |
321 | free(rnode); | |
322 | return -1; | |
323 | } | |
324 | ||
325 | /* | |
326 | * no need to keep category name | |
327 | */ | |
328 | free(id); | |
329 | } | |
330 | ||
331 | /* | |
332 | * no need to keep sensitivity name | |
333 | */ | |
334 | free(levid); | |
335 | ||
336 | id = queue_remove(id_queue); | |
337 | if (!id) | |
338 | break; | |
339 | } | |
340 | ||
341 | if (l == 0) { | |
342 | rnode->range.level[1].sens = rnode->range.level[0].sens; | |
343 | if (ebitmap_cpy(&rnode->range.level[1].cat, &rnode->range.level[0].cat)) { | |
344 | yyerror("out of memory"); | |
345 | free(id); | |
346 | ebitmap_destroy(&rnode->range.level[0].cat); | |
347 | free(rnode); | |
348 | return -1; | |
349 | } | |
350 | } | |
351 | relation = mls_level_relation(rnode->range.level[1], rnode->range.level[0]); | |
352 | if (!(relation & (MLS_RELATION_DOM | MLS_RELATION_EQ))) { | |
353 | /* high does not dominate low */ | |
354 | yyerror("high does not dominate low"); | |
355 | ebitmap_destroy(&rnode->range.level[0].cat); | |
356 | ebitmap_destroy(&rnode->range.level[1].cat); | |
357 | free(rnode); | |
358 | return -1; | |
359 | } | |
360 | rnode->next = usrdatum->ranges; | |
361 | usrdatum->ranges = rnode; | |
362 | } while ((id = queue_remove(id_queue))); | |
363 | skip_mls: | |
364 | #endif | |
365 | ||
366 | return 0; | |
367 | } |
+36
-0
0 | A_./{arch}/.arch-project-tree ino=2645752:mtime=1099621739:size=52 | |
1 | A_./{arch}/=tagging-method ino=2645753:mtime=1099621739:size=6809 | |
2 | A_./{arch}/checkpolicy/checkpolicy--devo/checkpolicy--devo--1.0/srivasta@debian.org--2003-primary/patch-log/base-0 ino=3003574:mtime=1099621739:size=567 | |
3 | A_./{arch}/checkpolicy/checkpolicy--devo/checkpolicy--devo--1.0/srivasta@debian.org--2003-primary/patch-log/patch-1 ino=3003502:mtime=1110665223:size=977 | |
4 | A_./{arch}/checkpolicy/checkpolicy--upstream/checkpolicy--upstream--1.0/srivasta@debian.org--2003-primary/patch-log/base-0 ino=3003579:mtime=1099621739:size=576 | |
5 | A_./{arch}/checkpolicy/checkpolicy--upstream/checkpolicy--upstream--1.0/srivasta@debian.org--2003-primary/patch-log/patch-1 ino=3004803:mtime=1105569868:size=533 | |
6 | A_./{arch}/checkpolicy/checkpolicy--upstream/checkpolicy--upstream--1.0/srivasta@debian.org--2003-primary/patch-log/patch-2 ino=3003418:mtime=1110664990:size=696 | |
7 | E_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.0 ino=2481912:mtime=1099621739:size=72 | |
8 | E_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.1 ino=2481913:mtime=1099621739:size=72 | |
9 | E_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.10 ino=2481922:mtime=1099621739:size=73 | |
10 | E_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.11 ino=2481923:mtime=1099621739:size=73 | |
11 | E_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.12 ino=2481924:mtime=1099621739:size=73 | |
12 | E_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.13 ino=2544553:mtime=1099621739:size=73 | |
13 | E_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.2 ino=2481914:mtime=1099621739:size=72 | |
14 | E_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.3 ino=2481915:mtime=1099621739:size=72 | |
15 | E_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.4 ino=2481916:mtime=1099621739:size=72 | |
16 | E_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.5 ino=2481917:mtime=1099621739:size=72 | |
17 | E_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.6 ino=2481918:mtime=1099621739:size=72 | |
18 | E_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.7 ino=2481919:mtime=1099621739:size=72 | |
19 | E_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.9 ino=2481921:mtime=1099621739:size=72 | |
20 | E_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:54_2004_13528.0 ino=2544554:mtime=1099621739:size=72 | |
21 | E_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:54_2004_13528.1 ino=2544555:mtime=1099621739:size=72 | |
22 | x_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.0 ino=2449144:mtime=1099621739:size=18009 | |
23 | x_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.1 ino=2443198:mtime=1110664990:size=2494 | |
24 | x_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.10 ino=2443203:mtime=1110664990:size=5686 | |
25 | x_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.11 ino=2449155:mtime=1099621739:size=2559 | |
26 | x_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.12 ino=2449156:mtime=1099621739:size=1534 | |
27 | x_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.2 ino=2443197:mtime=1110664990:size=881 | |
28 | x_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.3 ino=2443199:mtime=1110664990:size=5 | |
29 | x_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.4 ino=2443200:mtime=1110664990:size=1249 | |
30 | x_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.5 ino=2443210:mtime=1110664990:size=25961 | |
31 | x_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.6 ino=2443214:mtime=1110664990:size=364 | |
32 | x_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.7 ino=2443215:mtime=1110664990:size=1302 | |
33 | x_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:49_2004_13522.9 ino=2443201:mtime=1110664990:size=123164 | |
34 | x_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:54_2004_13528.0 ino=2531064:mtime=1099621739:size=367 | |
35 | x_Manoj_Srivastava_<srivasta@debian.org>_Thu_Nov__4_20:22:54_2004_13528.1 ino=2531065:mtime=1099621739:size=10050 |
+25
-0
0 | Revision: checkpolicy--devo--1.0--patch-1 | |
1 | Archive: srivasta@debian.org--2003-primary | |
2 | Creator: Manoj Srivastava <srivasta@debian.org> | |
3 | Date: Sat Mar 12 16:07:03 CST 2005 | |
4 | Standard-date: 2005-03-12 22:07:03 GMT | |
5 | Removed-files: .arch-ids/genpolusers.c.id | |
6 | .arch-ids/users.l.id .arch-ids/users.y.id genpolusers.c | |
7 | users.l users.y | |
8 | Modified-files: ChangeLog Makefile VERSION checkpolicy.8 | |
9 | checkpolicy.c checkpolicy.h checkpolicy.spec | |
10 | policy_parse.y policy_scan.l | |
11 | New-patches: srivasta@debian.org--2003-primary/checkpolicy--devo--1.0--patch-1 | |
12 | srivasta@debian.org--2003-primary/checkpolicy--upstream--1.0--patch-1 | |
13 | srivasta@debian.org--2003-primary/checkpolicy--upstream--1.0--patch-2 | |
14 | Summary: Synchtonized with the latest version | |
15 | Keywords: | |
16 | ||
17 | Patches applied: | |
18 | ||
19 | * srivasta@debian.org--2003-primary/checkpolicy--upstream--1.0--patch-1 | |
20 | Imported checkpolicy-1.20 | |
21 | ||
22 | * srivasta@debian.org--2003-primary/checkpolicy--upstream--1.0--patch-2 | |
23 | Imported checkpolicy-1.22 | |
24 |
+19
-0
0 | Revision: checkpolicy--upstream--1.0--patch-2 | |
1 | Archive: srivasta@debian.org--2003-primary | |
2 | Creator: Manoj Srivastava <srivasta@debian.org> | |
3 | Date: Sat Mar 12 16:00:22 CST 2005 | |
4 | Standard-date: 2005-03-12 22:00:22 GMT | |
5 | Removed-files: .arch-ids/genpolusers.c.id | |
6 | .arch-ids/users.l.id .arch-ids/users.y.id genpolusers.c | |
7 | users.l users.y | |
8 | Modified-files: ChangeLog Makefile VERSION checkpolicy.8 | |
9 | checkpolicy.c checkpolicy.h checkpolicy.spec | |
10 | policy_parse.y policy_scan.l | |
11 | New-patches: srivasta@debian.org--2003-primary/checkpolicy--upstream--1.0--patch-2 | |
12 | Summary: Imported checkpolicy-1.22 | |
13 | Keywords: | |
14 | ||
15 | Imported checkpolicy-1.22 | |
16 | into srivasta@debian.org--2003-primary/checkpolicy--upstream--1.0 | |
17 | ||
18 |