« back to all changes in this revision
Viewing changes to policy_parse.y
- browse files at revision 8
- compare with another revision
- download diff
- download tarball
- view history from revision 8
- Committer: Bazaar Package Importer
- Author(s): Manoj Srivastava
- Date: 2006-10-20 17:51:00 UTC
- mfrom: (1.1.6 upstream) (2.1.2 etch)
- Revision ID: james.westby@ubuntu.com-20061020175100-hg5grqaote5ukt8c
Tags: 1.32-1
* New upstream release
* Merged user and range_transition support for modules from Darrel
Goeddel
* Updated version for release.
* Merged user and range_transition support for modules from Darrel
Goeddel
* Updated version for release.
- files added:
- debian/common/ChangeLog
- files modified:
- ChangeLog
added
removed
policy_parse.y
101
101
static role_datum_t *merge_roles_dom(role_datum_t *r1,role_datum_t *r2);
102
102
static role_datum_t *define_role_dom(role_datum_t *r);
103
103
static int define_role_trans(void);
104
static int define_range_trans(void);
104
static int define_range_trans(int class_specified);
105
105
static int define_role_allow(void);
106
106
static int define_constraint(constraint_expr_t *expr);
107
107
static int define_validatetrans(constraint_expr_t *expr);
436
436
{if (define_compute_type(AVRULE_CHANGE)) return -1;}
437
437
;
438
438
range_trans_def : RANGE_TRANSITION names names mls_range_def ';'
439
{ if (define_range_trans()) return -1; }
439
{ if (define_range_trans(0)) return -1; }
440
| RANGE_TRANSITION names names ':' names mls_range_def ';'
441
{ if (define_range_trans(1)) return -1; }
440
442
;
441
443
te_avtab_def : allow_def
442
444
| auditallow_def
832
834
| ATTRIBUTE { $$ = require_attribute; }
833
835
| USER { $$ = require_user; }
834
836
| BOOL { $$ = require_bool; }
835
/* MLS-enabled modules are not implemented at this time.
836
837
| SENSITIVITY { $$ = require_sens; }
837
838
| CATEGORY { $$ = require_cat; }
838
*/
839
839
;
840
840
require_id_list : identifier
841
841
{ if ($<require_func>0 (pass)) return -1; }
865
865
/* initialize all of the state variables for the scanner/parser */
866
866
void init_parser(int pass_number)
867
867
{
868
policydb_lineno = 1;
869
source_lineno = 1;
870
policydb_errors = 0;
871
pass = pass_number;
868
policydb_lineno = 1;
869
source_lineno = 1;
870
policydb_errors = 0;
871
pass = pass_number;
872
872
}
873
873
874
874
void yyerror2(char *fmt, ...)
875
875
{
876
va_list ap;
877
va_start(ap, fmt);
878
vsnprintf(errormsg, ERRORMSG_LEN, fmt, ap);
879
yyerror(errormsg);
880
va_end(ap);
876
va_list ap;
877
va_start(ap, fmt);
878
vsnprintf(errormsg, ERRORMSG_LEN, fmt, ap);
879
yyerror(errormsg);
880
va_end(ap);
881
881
}
882
882
883
884
883
#define DEBUG 1
885
884
886
885
static int insert_separator(int push)
904
903
char *newid = 0;
905
904
int error;
906
905
907
newid = (char *) malloc(strlen(id) + 1);
906
newid = (char *)malloc(strlen(id) + 1);
908
907
if (!newid) {
909
908
yyerror("out of memory");
910
909
return -1;
923
922
return 0;
924
923
}
925
924
926
/* Add a rule onto an avtab hash table only if it does not already
927
* exist. (Note that the avtab is discarded afterwards; it will be
928
* regenerated during expansion.) Return 1 if rule was added (or
929
* otherwise handled successfully), 0 if it conflicted with something,
930
* or -1 on error. */
931
static int insert_check_type_rule(avrule_t *rule, avtab_t *avtab, cond_av_list_t **list, cond_av_list_t **other)
932
{
933
int ret;
934
935
ret = expand_rule(NULL, policydbp, rule, avtab, list, other, 0);
936
if (ret < 0) {
937
yyerror("Failed on expanding rule");
938
}
939
return ret;
940
}
941
942
925
/* If the identifier has a dot within it and that its first character
943
926
is not a dot then return 1, else return 0. */
944
927
static int id_has_dot(char *id)
945
928
{
946
if (strchr(id, '.') >= id + 1) {
947
return 1;
948
}
949
return 0;
929
if (strchr(id, '.') >= id + 1) {
930
return 1;
931
}
932
return 0;
950
933
}
951
934
952
935
static int define_class(void)
962
945
return 0;
963
946
}
964
947
965
id = (char *) queue_remove(id_queue);
948
id = (char *)queue_remove(id_queue);
966
949
if (!id) {
967
950
yyerror("no class name for class definition?");
968
951
return -1;
969
952
}
970
if (id_has_dot(id)) {
971
free(id);
972
yyerror("class identifiers may not contain periods");
973
return -1;
974
}
953
if (id_has_dot(id)) {
954
free(id);
955
yyerror("class identifiers may not contain periods");
956
return -1;
957
}
975
958
datum = (class_datum_t *) malloc(sizeof(class_datum_t));
976
959
if (!datum) {
977
960
yyerror("out of memory");
978
961
goto bad;
979
962
}
980
963
memset(datum, 0, sizeof(class_datum_t));
981
ret = declare_symbol(SYM_CLASSES, id, datum, &value, &value);
982
switch(ret) {
983
case -3: {
984
yyerror("Out of memory!");
985
goto bad;
986
}
987
case -2: {
988
yyerror2("duplicate declaration of class %s", id);
989
goto bad;
990
}
991
case -1: {
992
yyerror("could not declare class here");
993
goto bad;
994
}
995
case 0:
996
case 1: {
997
break;
998
}
999
default: {
1000
assert(0); /* should never get here */
1001
}
1002
}
1003
datum->value = value;
964
ret = declare_symbol(SYM_CLASSES, id, datum, &value, &value);
965
switch (ret) {
966
case -3:{
967
yyerror("Out of memory!");
968
goto bad;
969
}
970
case -2:{
971
yyerror2("duplicate declaration of class %s", id);
972
goto bad;
973
}
974
case -1:{
975
yyerror("could not declare class here");
976
goto bad;
977
}
978
case 0:
979
case 1:{
980
break;
981
}
982
default:{
983
assert(0); /* should never get here */
984
}
985
}
986
datum->s.value = value;
1004
987
return 0;
1005
988
1006
989
bad:
1016
999
char *id = 0;
1017
1000
ocontext_t *newc = 0, *c, *head;
1018
1001
1019
1020
1002
if (pass == 2) {
1021
1003
id = queue_remove(id_queue);
1022
1004
free(id);
1023
1005
return 0;
1024
1006
}
1025
1007
1026
id = (char *) queue_remove(id_queue);
1008
id = (char *)queue_remove(id_queue);
1027
1009
if (!id) {
1028
1010
yyerror("no sid name for SID definition?");
1029
1011
return -1;
1071
1053
perm_datum_t *perdatum = 0;
1072
1054
int ret;
1073
1055
1074
1075
1056
if (pass == 2) {
1076
while ((id = queue_remove(id_queue)))
1057
while ((id = queue_remove(id_queue)))
1077
1058
free(id);
1078
1059
return 0;
1079
1060
}
1080
1061
1081
id = (char *) queue_remove(id_queue);
1062
id = (char *)queue_remove(id_queue);
1082
1063
if (!id) {
1083
1064
yyerror("no common name for common perm definition?");
1084
1065
return -1;
1085
1066
}
1086
comdatum = hashtab_search(policydbp->p_commons.table, id);
1087
if (comdatum) {
1088
snprintf(errormsg, ERRORMSG_LEN,
1089
"duplicate declaration for common %s\n", id);
1090
yyerror(errormsg);
1091
return -1;
1092
}
1067
comdatum = hashtab_search(policydbp->p_commons.table, id);
1068
if (comdatum) {
1069
snprintf(errormsg, ERRORMSG_LEN,
1070
"duplicate declaration for common %s\n", id);
1071
yyerror(errormsg);
1072
return -1;
1073
}
1093
1074
comdatum = (common_datum_t *) malloc(sizeof(common_datum_t));
1094
1075
if (!comdatum) {
1095
1076
yyerror("out of memory");
1097
1078
}
1098
1079
memset(comdatum, 0, sizeof(common_datum_t));
1099
1080
ret = hashtab_insert(policydbp->p_commons.table,
1100
(hashtab_key_t) id, (hashtab_datum_t) comdatum);
1081
(hashtab_key_t) id, (hashtab_datum_t) comdatum);
1101
1082
1102
1083
if (ret == HASHTAB_PRESENT) {
1103
1084
yyerror("duplicate common definition");
1107
1088
yyerror("hash table overflow");
1108
1089
goto bad;
1109
1090
}
1110
comdatum->value = policydbp->p_commons.nprim + 1;
1091
comdatum->s.value = policydbp->p_commons.nprim + 1;
1111
1092
if (symtab_init(&comdatum->permissions, PERM_SYMTAB_SIZE)) {
1112
1093
yyerror("out of memory");
1113
1094
goto bad;
1114
1095
}
1115
policydbp->p_commons.nprim++;
1096
policydbp->p_commons.nprim++;
1116
1097
while ((perm = queue_remove(id_queue))) {
1117
1098
perdatum = (perm_datum_t *) malloc(sizeof(perm_datum_t));
1118
1099
if (!perdatum) {
1120
1101
goto bad_perm;
1121
1102
}
1122
1103
memset(perdatum, 0, sizeof(perm_datum_t));
1123
perdatum->value = comdatum->permissions.nprim + 1;
1104
perdatum->s.value = comdatum->permissions.nprim + 1;
1124
1105
1125
if (perdatum->value > (sizeof(sepol_access_vector_t) * 8)) {
1126
yyerror("too many permissions to fit in an access vector");
1106
if (perdatum->s.value > (sizeof(sepol_access_vector_t) * 8)) {
1107
yyerror
1108
("too many permissions to fit in an access vector");
1127
1109
goto bad_perm;
1128
1110
}
1129
1111
ret = hashtab_insert(comdatum->permissions.table,
1131
1113
(hashtab_datum_t) perdatum);
1132
1114
1133
1115
if (ret == HASHTAB_PRESENT) {
1134
sprintf(errormsg, "duplicate permission %s in common %s",
1135
perm, id);
1116
sprintf(errormsg,
1117
"duplicate permission %s in common %s", perm,
1118
id);
1136
1119
yyerror(errormsg);
1137
1120
goto bad_perm;
1138
1121
}
1140
1123
yyerror("hash table overflow");
1141
1124
goto bad_perm;
1142
1125
}
1143
comdatum->permissions.nprim++;
1126
comdatum->permissions.nprim++;
1144
1127
}
1145
1128
1146
1129
return 0;
1160
1143
return -1;
1161
1144
}
1162
1145
1163
1164
1146
static int define_av_perms(int inherits)
1165
1147
{
1166
1148
char *id;
1169
1151
perm_datum_t *perdatum = 0, *perdatum2 = 0;
1170
1152
int ret;
1171
1153
1172
1173
1154
if (pass == 2) {
1174
while ((id = queue_remove(id_queue)))
1155
while ((id = queue_remove(id_queue)))
1175
1156
free(id);
1176
1157
return 0;
1177
1158
}
1178
1159
1179
id = (char *) queue_remove(id_queue);
1160
id = (char *)queue_remove(id_queue);
1180
1161
if (!id) {
1181
1162
yyerror("no tclass name for av perm definition?");
1182
1163
return -1;
1199
1180
return -1;
1200
1181
}
1201
1182
if (inherits) {
1202
id = (char *) queue_remove(id_queue);
1183
id = (char *)queue_remove(id_queue);
1203
1184
if (!id) {
1204
yyerror("no inherits name for access vector definition?");
1185
yyerror
1186
("no inherits name for access vector definition?");
1205
1187
return -1;
1206
1188
}
1207
comdatum = (common_datum_t *) hashtab_search(policydbp->p_commons.table,
1208
(hashtab_key_t) id);
1189
comdatum =
1190
(common_datum_t *) hashtab_search(policydbp->p_commons.
1191
table,
1192
(hashtab_key_t) id);
1209
1193
1210
1194
if (!comdatum) {
1211
1195
sprintf(errormsg, "common %s is not defined", id);
1228
1212
goto bad;
1229
1213
}
1230
1214
memset(perdatum, 0, sizeof(perm_datum_t));
1231
perdatum->value = ++cladatum->permissions.nprim;
1215
perdatum->s.value = ++cladatum->permissions.nprim;
1232
1216
1233
if (perdatum->value > (sizeof(sepol_access_vector_t) * 8)) {
1234
yyerror("too many permissions to fit in an access vector");
1217
if (perdatum->s.value > (sizeof(sepol_access_vector_t) * 8)) {
1218
yyerror
1219
("too many permissions to fit in an access vector");
1235
1220
goto bad;
1236
1221
}
1237
1222
if (inherits) {
1240
1225
* common permissions exist in the same
1241
1226
* name space.
1242
1227
*/
1243
perdatum2 = (perm_datum_t *) hashtab_search(cladatum->comdatum->permissions.table,
1244
(hashtab_key_t) id);
1228
perdatum2 =
1229
(perm_datum_t *) hashtab_search(cladatum->comdatum->
1230
permissions.table,
1231
(hashtab_key_t) id);
1245
1232
if (perdatum2) {
1246
sprintf(errormsg, "permission %s conflicts with an inherited permission", id);
1233
sprintf(errormsg,
1234
"permission %s conflicts with an inherited permission",
1235
id);
1247
1236
yyerror(errormsg);
1248
1237
goto bad;
1249
1238
}
1261
1250
yyerror("hash table overflow");
1262
1251
goto bad;
1263
1252
}
1264
if (add_perm_to_class(perdatum->value, cladatum->value)) {
1265
yyerror("out of memory");
1266
goto bad;
1267
}
1253
if (add_perm_to_class(perdatum->s.value, cladatum->s.value)) {
1254
yyerror("out of memory");
1255
goto bad;
1256
}
1268
1257
}
1269
1258
1270
1259
return 0;
1277
1266
return -1;
1278
1267
}
1279
1268
1280
1281
1269
static int define_sens(void)
1282
1270
{
1283
1271
char *id;
1284
1272
mls_level_t *level = 0;
1285
1273
level_datum_t *datum = 0, *aliasdatum = 0;
1286
1274
int ret;
1287
uint32_t value; /* dummy variable -- its value is never used */
1275
uint32_t value; /* dummy variable -- its value is never used */
1288
1276
1289
1277
if (!mlspol) {
1290
1278
yyerror("sensitivity definition in non-MLS configuration");
1292
1280
}
1293
1281
1294
1282
if (pass == 2) {
1295
while ((id = queue_remove(id_queue)))
1283
while ((id = queue_remove(id_queue)))
1296
1284
free(id);
1297
1285
return 0;
1298
1286
}
1299
1287
1300
id = (char *) queue_remove(id_queue);
1288
id = (char *)queue_remove(id_queue);
1301
1289
if (!id) {
1302
1290
yyerror("no sensitivity name for sensitivity definition?");
1303
1291
return -1;
1311
1299
yyerror("out of memory");
1312
1300
goto bad;
1313
1301
}
1314
memset(level, 0, sizeof(mls_level_t));
1302
mls_level_init(level);
1315
1303
level->sens = 0; /* actual value set in define_dominance */
1316
1304
ebitmap_init(&level->cat); /* actual value set in define_level */
1317
1305
1320
1308
yyerror("out of memory");
1321
1309
goto bad;
1322
1310
}
1323
memset(datum, 0, sizeof(level_datum_t));
1311
level_datum_init(datum);
1324
1312
datum->isalias = FALSE;
1325
1313
datum->level = level;
1326
1314
1327
ret = declare_symbol(SYM_LEVELS, id, datum, &value, &value);
1328
switch(ret) {
1329
case -3: {
1330
yyerror("Out of memory!");
1331
goto bad;
1332
}
1333
case -2: {
1334
yyerror("duplicate declaration of sensitivity level");
1335
goto bad;
1336
}
1337
case -1: {
1338
yyerror("could not declare sensitivity level here");
1339
goto bad;
1340
}
1341
case 0:
1342
case 1: {
1343
break;
1344
}
1345
default: {
1346
assert(0); /* should never get here */
1347
}
1348
}
1349
1315
ret = declare_symbol(SYM_LEVELS, id, datum, &value, &value);
1316
switch (ret) {
1317
case -3:{
1318
yyerror("Out of memory!");
1319
goto bad;
1320
}
1321
case -2:{
1322
yyerror("duplicate declaration of sensitivity level");
1323
goto bad;
1324
}
1325
case -1:{
1326
yyerror("could not declare sensitivity level here");
1327
goto bad;
1328
}
1329
case 0:
1330
case 1:{
1331
break;
1332
}
1333
default:{
1334
assert(0); /* should never get here */
1335
}
1336
}
1337
1350
1338
while ((id = queue_remove(id_queue))) {
1351
1339
if (id_has_dot(id)) {
1352
1340
yyerror("sensitivity aliases may not contain periods");
1357
1345
yyerror("out of memory");
1358
1346
goto bad_alias;
1359
1347
}
1360
memset(aliasdatum, 0, sizeof(level_datum_t));
1348
level_datum_init(aliasdatum);
1361
1349
aliasdatum->isalias = TRUE;
1362
1350
aliasdatum->level = level;
1363
1351
1364
ret = declare_symbol(SYM_LEVELS, id, aliasdatum, NULL, &value);
1365
switch(ret) {
1366
case -3: {
1367
yyerror("Out of memory!");
1368
goto bad_alias;
1369
}
1370
case -2: {
1371
yyerror("duplicate declaration of sensitivity alias");
1372
goto bad_alias;
1373
}
1374
case -1: {
1375
yyerror("could not declare sensitivity alias here");
1376
goto bad_alias;
1377
}
1378
case 0:
1379
case 1: {
1380
break;
1381
}
1382
default: {
1383
assert(0); /* should never get here */
1384
}
1385
}
1352
ret = declare_symbol(SYM_LEVELS, id, aliasdatum, NULL, &value);
1353
switch (ret) {
1354
case -3:{
1355
yyerror("Out of memory!");
1356
goto bad_alias;
1357
}
1358
case -2:{
1359
yyerror
1360
("duplicate declaration of sensitivity alias");
1361
goto bad_alias;
1362
}
1363
case -1:{
1364
yyerror
1365
("could not declare sensitivity alias here");
1366
goto bad_alias;
1367
}
1368
case 0:
1369
case 1:{
1370
break;
1371
}
1372
default:{
1373
assert(0); /* should never get here */
1374
}
1375
}
1386
1376
}
1387
1377
1388
1378
return 0;
1392
1382
free(id);
1393
1383
if (level)
1394
1384
free(level);
1395
if (datum)
1385
if (datum) {
1386
level_datum_destroy(datum);
1396
1387
free(datum);
1388
}
1397
1389
return -1;
1398
1390
1399
1391
bad_alias:
1400
1392
if (id)
1401
1393
free(id);
1402
if (aliasdatum)
1394
if (aliasdatum) {
1395
level_datum_destroy(aliasdatum);
1403
1396
free(aliasdatum);
1397
}
1404
1398
return -1;
1405
1399
}
1406
1400
1416
1410
}
1417
1411
1418
1412
if (pass == 2) {
1419
while ((id = queue_remove(id_queue)))
1413
while ((id = queue_remove(id_queue)))
1420
1414
free(id);
1421
1415
return 0;
1422
1416
}
1423
1417
1424
1418
order = 0;
1425
while ((id = (char *) queue_remove(id_queue))) {
1426
datum = (level_datum_t *) hashtab_search(policydbp->p_levels.table,
1419
while ((id = (char *)queue_remove(id_queue))) {
1420
datum =
1421
(level_datum_t *) hashtab_search(policydbp->p_levels.table,
1427
1422
(hashtab_key_t) id);
1428
1423
if (!datum) {
1429
sprintf(errormsg, "unknown sensitivity %s used in dominance definition", id);
1424
sprintf(errormsg,
1425
"unknown sensitivity %s used in dominance definition",
1426
id);
1430
1427
yyerror(errormsg);
1431
1428
free(id);
1432
1429
return -1;
1433
1430
}
1434
1431
if (datum->level->sens != 0) {
1435
sprintf(errormsg, "sensitivity %s occurs multiply in dominance definition", id);
1432
sprintf(errormsg,
1433
"sensitivity %s occurs multiply in dominance definition",
1434
id);
1436
1435
yyerror(errormsg);
1437
1436
free(id);
1438
1437
return -1;
1444
1443
}
1445
1444
1446
1445
if (order != policydbp->p_levels.nprim) {
1447
yyerror("all sensitivities must be specified in dominance definition");
1446
yyerror
1447
("all sensitivities must be specified in dominance definition");
1448
1448
return -1;
1449
1449
}
1450
1450
return 0;
1455
1455
char *id;
1456
1456
cat_datum_t *datum = 0, *aliasdatum = 0;
1457
1457
int ret;
1458
uint32_t value;
1458
uint32_t value;
1459
1459
1460
1460
if (!mlspol) {
1461
1461
yyerror("category definition in non-MLS configuration");
1463
1463
}
1464
1464
1465
1465
if (pass == 2) {
1466
while ((id = queue_remove(id_queue)))
1466
while ((id = queue_remove(id_queue)))
1467
1467
free(id);
1468
1468
return 0;
1469
1469
}
1470
1470
1471
id = (char *) queue_remove(id_queue);
1471
id = (char *)queue_remove(id_queue);
1472
1472
if (!id) {
1473
1473
yyerror("no category name for category definition?");
1474
1474
return -1;
1482
1482
yyerror("out of memory");
1483
1483
goto bad;
1484
1484
}
1485
memset(datum, 0, sizeof(cat_datum_t));
1485
cat_datum_init(datum);
1486
1486
datum->isalias = FALSE;
1487
1487
1488
ret = declare_symbol(SYM_CATS, id, datum, &value, &value);
1489
switch(ret) {
1490
case -3: {
1491
yyerror("Out of memory!");
1492
goto bad;
1493
}
1494
case -2: {
1495
yyerror("duplicate declaration of category");
1496
goto bad;
1497
}
1498
case -1: {
1499
yyerror("could not declare category here");
1500
goto bad;
1501
}
1502
case 0:
1503
case 1: {
1504
break;
1505
}
1506
default: {
1507
assert(0); /* should never get here */
1508
}
1509
}
1510
datum->value = value;
1488
ret = declare_symbol(SYM_CATS, id, datum, &value, &value);
1489
switch (ret) {
1490
case -3:{
1491
yyerror("Out of memory!");
1492
goto bad;
1493
}
1494
case -2:{
1495
yyerror("duplicate declaration of category");
1496
goto bad;
1497
}
1498
case -1:{
1499
yyerror("could not declare category here");
1500
goto bad;
1501
}
1502
case 0:
1503
case 1:{
1504
break;
1505
}
1506
default:{
1507
assert(0); /* should never get here */
1508
}
1509
}
1510
datum->s.value = value;
1511
1511
1512
1512
while ((id = queue_remove(id_queue))) {
1513
1513
if (id_has_dot(id)) {
1519
1519
yyerror("out of memory");
1520
1520
goto bad_alias;
1521
1521
}
1522
memset(aliasdatum, 0, sizeof(cat_datum_t));
1522
cat_datum_init(aliasdatum);
1523
1523
aliasdatum->isalias = TRUE;
1524
aliasdatum->value = datum->value;
1524
aliasdatum->s.value = datum->s.value;
1525
1525
1526
ret = declare_symbol(SYM_CATS, id, aliasdatum, NULL, &datum->value);
1527
switch(ret) {
1528
case -3: {
1529
yyerror("Out of memory!");
1530
goto bad_alias;
1531
}
1532
case -2: {
1533
yyerror("duplicate declaration of category aliases");
1534
goto bad_alias;
1535
}
1536
case -1: {
1537
yyerror("could not declare category aliases here");
1538
goto bad_alias;
1539
}
1540
case 0:
1541
case 1: {
1542
break;
1543
}
1544
default: {
1545
assert(0); /* should never get here */
1546
}
1547
}
1526
ret =
1527
declare_symbol(SYM_CATS, id, aliasdatum, NULL,
1528
&datum->s.value);
1529
switch (ret) {
1530
case -3:{
1531
yyerror("Out of memory!");
1532
goto bad_alias;
1533
}
1534
case -2:{
1535
yyerror
1536
("duplicate declaration of category aliases");
1537
goto bad_alias;
1538
}
1539
case -1:{
1540
yyerror
1541
("could not declare category aliases here");
1542
goto bad_alias;
1543
}
1544
case 0:
1545
case 1:{
1546
break;
1547
}
1548
default:{
1549
assert(0); /* should never get here */
1550
}
1551
}
1548
1552
}
1549
1553
1550
1554
return 0;
1552
1556
bad:
1553
1557
if (id)
1554
1558
free(id);
1555
if (datum)
1559
if (datum) {
1560
cat_datum_destroy(datum);
1556
1561
free(datum);
1562
}
1557
1563
return -1;
1558
1564
1559
1565
bad_alias:
1560
1566
if (id)
1561
1567
free(id);
1562
if (aliasdatum)
1568
if (aliasdatum) {
1569
cat_datum_destroy(aliasdatum);
1563
1570
free(aliasdatum);
1571
}
1564
1572
return -1;
1565
1573
}
1566
1574
1596
1604
}
1597
1605
1598
1606
if (pass == 2) {
1599
while ((id = queue_remove(id_queue)))
1607
while ((id = queue_remove(id_queue)))
1600
1608
free(id);
1601
1609
return 0;
1602
1610
}
1603
1611
1604
id = (char *) queue_remove(id_queue);
1612
id = (char *)queue_remove(id_queue);
1605
1613
if (!id) {
1606
1614
yyerror("no level name for level definition?");
1607
1615
return -1;
1609
1617
levdatum = (level_datum_t *) hashtab_search(policydbp->p_levels.table,
1610
1618
(hashtab_key_t) id);
1611
1619
if (!levdatum) {
1612
sprintf(errormsg, "unknown sensitivity %s used in level definition", id);
1620
sprintf(errormsg,
1621
"unknown sensitivity %s used in level definition", id);
1613
1622
yyerror(errormsg);
1614
1623
free(id);
1615
1624
return -1;
1616
1625
}
1617
1626
if (ebitmap_length(&levdatum->level->cat)) {
1618
sprintf(errormsg, "sensitivity %s used in multiple level definitions", id);
1627
sprintf(errormsg,
1628
"sensitivity %s used in multiple level definitions",
1629
id);
1619
1630
yyerror(errormsg);
1620
1631
free(id);
1621
1632
return -1;
1634
1645
1635
1646
*(id_end++) = '\0';
1636
1647
1637
cdatum = (cat_datum_t *)hashtab_search(policydbp->p_cats.table,
1638
(hashtab_key_t)id_start);
1639
if (!cdatum) {
1640
sprintf(errormsg, "unknown category %s", id_start);
1641
yyerror(errormsg);
1642
free(id);
1643
return -1;
1644
}
1645
range_start = cdatum->value - 1;
1646
cdatum = (cat_datum_t *)hashtab_search(policydbp->p_cats.table,
1647
(hashtab_key_t)id_end);
1648
if (!cdatum) {
1649
sprintf(errormsg, "unknown category %s", id_end);
1650
yyerror(errormsg);
1651
free(id);
1652
return -1;
1653
}
1654
range_end = cdatum->value - 1;
1648
cdatum =
1649
(cat_datum_t *) hashtab_search(policydbp->p_cats.
1650
table,
1651
(hashtab_key_t)
1652
id_start);
1653
if (!cdatum) {
1654
sprintf(errormsg, "unknown category %s",
1655
id_start);
1656
yyerror(errormsg);
1657
free(id);
1658
return -1;
1659
}
1660
range_start = cdatum->s.value - 1;
1661
cdatum =
1662
(cat_datum_t *) hashtab_search(policydbp->p_cats.
1663
table,
1664
(hashtab_key_t)
1665
id_end);
1666
if (!cdatum) {
1667
sprintf(errormsg, "unknown category %s",
1668
id_end);
1669
yyerror(errormsg);
1670
free(id);
1671
return -1;
1672
}
1673
range_end = cdatum->s.value - 1;
1655
1674
1656
1675
if (range_end < range_start) {
1657
1676
sprintf(errormsg, "category range is invalid");
1660
1679
return -1;
1661
1680
}
1662
1681
} else {
1663
cdatum = (cat_datum_t *)hashtab_search(policydbp->p_cats.table,
1664
(hashtab_key_t)id);
1665
range_start = range_end = cdatum->value - 1;
1682
cdatum =
1683
(cat_datum_t *) hashtab_search(policydbp->p_cats.
1684
table,
1685
(hashtab_key_t) id);
1686
range_start = range_end = cdatum->s.value - 1;
1666
1687
}
1667
1688
1668
1689
for (i = range_start; i <= range_end; i++) {
1676
1697
free(id);
1677
1698
}
1678
1699
1679
if (hashtab_map(policydbp->p_levels.table, clone_level, levdatum->level)) {
1700
if (hashtab_map
1701
(policydbp->p_levels.table, clone_level, levdatum->level)) {
1680
1702
yyerror("out of memory");
1681
1703
return -1;
1682
1704
}
1691
1713
return 0;
1692
1714
}
1693
1715
1694
if (declare_type(TRUE, TRUE) == NULL) {
1695
return -1;
1696
}
1697
return 0;
1716
if (declare_type(TRUE, TRUE) == NULL) {
1717
return -1;
1718
}
1719
return 0;
1698
1720
}
1699
1721
1700
static int add_aliases_to_type(type_datum_t *type)
1722
static int add_aliases_to_type(type_datum_t * type)
1701
1723
{
1702
char *id;
1703
type_datum_t *aliasdatum = NULL;
1704
int ret;
1724
char *id;
1725
type_datum_t *aliasdatum = NULL;
1726
int ret;
1705
1727
while ((id = queue_remove(id_queue))) {
1706
if (id_has_dot(id)) {
1707
free(id);
1708
yyerror("type alias identifiers may not contain periods");
1709
return -1;
1710
}
1728
if (id_has_dot(id)) {
1729
free(id);
1730
yyerror
1731
("type alias identifiers may not contain periods");
1732
return -1;
1733
}
1711
1734
aliasdatum = (type_datum_t *) malloc(sizeof(type_datum_t));
1712
1735
if (!aliasdatum) {
1713
free(id);
1736
free(id);
1714
1737
yyerror("Out of memory!");
1715
1738
return -1;
1716
1739
}
1717
1740
memset(aliasdatum, 0, sizeof(type_datum_t));
1718
aliasdatum->value = type->value;
1741
aliasdatum->s.value = type->s.value;
1719
1742
1720
ret = declare_symbol(SYM_TYPES, id, aliasdatum,
1721
NULL, &aliasdatum->value);
1722
switch(ret) {
1723
case -3: {
1724
yyerror("Out of memory!");
1725
goto cleanup;
1726
}
1727
case -2: {
1728
yyerror2("duplicate declaration of alias %s", id);
1729
goto cleanup;
1730
}
1731
case -1: {
1732
yyerror("could not declare alias here");
1733
goto cleanup;
1734
}
1735
case 0:
1736
case 1: {
1737
break;
1738
}
1739
default: {
1740
assert(0); /* should never get here */
1741
}
1742
}
1743
ret = declare_symbol(SYM_TYPES, id, aliasdatum,
1744
NULL, &aliasdatum->s.value);
1745
switch (ret) {
1746
case -3:{
1747
yyerror("Out of memory!");
1748
goto cleanup;
1749
}
1750
case -2:{
1751
yyerror2("duplicate declaration of alias %s",
1752
id);
1753
goto cleanup;
1754
}
1755
case -1:{
1756
yyerror("could not declare alias here");
1757
goto cleanup;
1758
}
1759
case 0:
1760
case 1:{
1761
break;
1762
}
1763
default:{
1764
assert(0); /* should never get here */
1765
}
1766
}
1743
1767
}
1744
1768
return 0;
1745
cleanup:
1769
cleanup:
1746
1770
free(id);
1747
type_datum_destroy(aliasdatum);
1748
free(aliasdatum);
1749
return -1;
1771
type_datum_destroy(aliasdatum);
1772
free(aliasdatum);
1773
return -1;
1750
1774
}
1751
1775
1752
1776
static int define_typealias(void)
1755
1779
type_datum_t *t;
1756
1780
1757
1781
if (pass == 2) {
1758
while ((id = queue_remove(id_queue)))
1782
while ((id = queue_remove(id_queue)))
1759
1783
free(id);
1760
1784
return 0;
1761
1785
}
1762
1786
1763
id = (char *) queue_remove(id_queue);
1787
id = (char *)queue_remove(id_queue);
1764
1788
if (!id) {
1765
1789
yyerror("no type name for typealias definition?");
1766
1790
return -1;
1767
1791
}
1768
1792
1769
if (!is_id_in_scope(SYM_TYPES, id)) {
1770
yyerror2("type %s is not within scope", id);
1771
free(id);
1772
return -1;
1773
}
1793
if (!is_id_in_scope(SYM_TYPES, id)) {
1794
yyerror2("type %s is not within scope", id);
1795
free(id);
1796
return -1;
1797
}
1774
1798
t = hashtab_search(policydbp->p_types.table, id);
1775
if (!t || t->isattr) {
1776
sprintf(errormsg, "unknown type %s, or it was already declared as an attribute", id);
1799
if (!t || t->flavor == TYPE_ATTRIB) {
1800
sprintf(errormsg,
1801
"unknown type %s, or it was already declared as an attribute",
1802
id);
1777
1803
yyerror(errormsg);
1778
1804
free(id);
1779
1805
return -1;
1780
1806
}
1781
return add_aliases_to_type(t);
1807
return add_aliases_to_type(t);
1782
1808
}
1783
1809
1784
1810
static int define_typeattribute(void)
1798
1824
return -1;
1799
1825
}
1800
1826
1801
if (!is_id_in_scope(SYM_TYPES, id)) {
1802
yyerror2("type %s is not within scope", id);
1803
free(id);
1804
return -1;
1805
}
1827
if (!is_id_in_scope(SYM_TYPES, id)) {
1828
yyerror2("type %s is not within scope", id);
1829
free(id);
1830
return -1;
1831
}
1806
1832
t = hashtab_search(policydbp->p_types.table, id);
1807
if (!t || t->isattr) {
1833
if (!t || t->flavor == TYPE_ATTRIB) {
1808
1834
sprintf(errormsg, "unknown type %s", id);
1809
1835
yyerror(errormsg);
1810
1836
free(id);
1811
1837
return -1;
1812
1838
}
1813
if ((t = get_local_type(id, t->value)) == NULL) {
1814
yyerror("Out of memory!");
1815
return -1;
1816
}
1817
1839
1818
1840
while ((id = queue_remove(id_queue))) {
1819
if (!is_id_in_scope(SYM_TYPES, id)) {
1820
yyerror2("attribute %s is not within scope", id);
1821
free(id);
1822
return -1;
1823
}
1841
if (!is_id_in_scope(SYM_TYPES, id)) {
1842
yyerror2("attribute %s is not within scope", id);
1843
free(id);
1844
return -1;
1845
}
1824
1846
attr = hashtab_search(policydbp->p_types.table, id);
1825
if (!attr) {
1847
if (!attr) {
1826
1848
sprintf(errormsg, "attribute %s is not declared", id);
1827
1849
/* treat it as a fatal error */
1828
1850
yyerror(errormsg);
1830
1852
return -1;
1831
1853
}
1832
1854
1833
if (!attr->isattr) {
1855
if (attr->flavor != TYPE_ATTRIB) {
1834
1856
sprintf(errormsg, "%s is a type, not an attribute", id);
1835
1857
yyerror(errormsg);
1836
1858
free(id);
1837
1859
return -1;
1838
1860
}
1839
1861
1840
free(id);
1862
if ((attr = get_local_type(id, attr->s.value, 1)) == NULL) {
1863
yyerror("Out of memory!");
1864
return -1;
1865
}
1841
1866
1842
if (ebitmap_set_bit(&attr->types, (t->value - 1), TRUE)) {
1867
if (ebitmap_set_bit(&attr->types, (t->s.value - 1), TRUE)) {
1843
1868
yyerror("out of memory");
1844
1869
return -1;
1845
1870
}
1855
1880
int newattr = 0;
1856
1881
1857
1882
if (pass == 2) {
1858
while ((id = queue_remove(id_queue)))
1883
while ((id = queue_remove(id_queue)))
1859
1884
free(id);
1860
1885
if (alias) {
1861
while ((id = queue_remove(id_queue)))
1886
while ((id = queue_remove(id_queue)))
1862
1887
free(id);
1863
1888
}
1864
1889
return 0;
1865
1890
}
1866
1891
1867
if ((datum = declare_type(TRUE, FALSE)) == NULL) {
1868
return -1;
1869
}
1892
if ((datum = declare_type(TRUE, FALSE)) == NULL) {
1893
return -1;
1894
}
1870
1895
1871
1896
if (alias) {
1872
if (add_aliases_to_type(datum) == -1) {
1873
return -1;
1874
}
1897
if (add_aliases_to_type(datum) == -1) {
1898
return -1;
1899
}
1875
1900
}
1876
1901
1877
1902
while ((id = queue_remove(id_queue))) {
1878
if (!is_id_in_scope(SYM_TYPES, id)) {
1879
yyerror2("attribute %s is not within scope", id);
1880
free(id);
1881
return -1;
1882
}
1903
if (!is_id_in_scope(SYM_TYPES, id)) {
1904
yyerror2("attribute %s is not within scope", id);
1905
free(id);
1906
return -1;
1907
}
1883
1908
attr = hashtab_search(policydbp->p_types.table, id);
1884
1909
if (!attr) {
1885
1910
sprintf(errormsg, "attribute %s is not declared", id);
1891
1916
newattr = 0;
1892
1917
}
1893
1918
1894
if (!attr->isattr) {
1919
if (attr->flavor != TYPE_ATTRIB) {
1895
1920
sprintf(errormsg, "%s is a type, not an attribute", id);
1896
1921
yyerror(errormsg);
1897
1922
return -1;
1898
1923
}
1899
1924
1900
if ((attr = get_local_type(id, attr->value)) == NULL) {
1901
yyerror("Out of memory!");
1902
return -1;
1903
}
1925
if ((attr = get_local_type(id, attr->s.value, 1)) == NULL) {
1926
yyerror("Out of memory!");
1927
return -1;
1928
}
1904
1929
1905
if (ebitmap_set_bit(&attr->types, datum->value - 1, TRUE)) {
1930
if (ebitmap_set_bit(&attr->types, datum->s.value - 1, TRUE)) {
1906
1931
yyerror("Out of memory");
1907
1932
return -1;
1908
1933
}
1919
1944
/* Adds a type, given by its textual name, to a typeset. If *add is
1920
1945
0, then add the type to the negative set; otherwise if *add is 1
1921
1946
then add it to the positive side. */
1922
static int set_types(type_set_t *set,
1923
char *id,
1924
int *add,
1925
char starallowed)
1947
static int set_types(type_set_t * set, char *id, int *add, char starallowed)
1926
1948
{
1927
1949
type_datum_t *t;
1928
1950
1931
1953
yyerror("* not allowed in this type of rule");
1932
1954
return -1;
1933
1955
}
1934
/* set TYPE_STAR flag */
1935
set->flags = TYPE_STAR;
1956
/* set TYPE_STAR flag */
1957
set->flags = TYPE_STAR;
1936
1958
free(id);
1937
*add = 1;
1959
*add = 1;
1938
1960
return 0;
1939
1961
}
1940
1962
1944
1966
return -1;
1945
1967
}
1946
1968
/* complement the set */
1947
set->flags = TYPE_COMP;
1969
set->flags = TYPE_COMP;
1948
1970
free(id);
1949
*add = 1;
1971
*add = 1;
1950
1972
return 0;
1951
1973
}
1952
1974
1954
1976
*add = 0;
1955
1977
free(id);
1956
1978
return 0;
1957
}
1979
}
1958
1980
1959
if (!is_id_in_scope(SYM_TYPES, id)) {
1960
yyerror2("type %s is not within scope", id);
1961
free(id);
1962
return -1;
1963
}
1981
if (!is_id_in_scope(SYM_TYPES, id)) {
1982
yyerror2("type %s is not within scope", id);
1983
free(id);
1984
return -1;
1985
}
1964
1986
t = hashtab_search(policydbp->p_types.table, id);
1965
1987
if (!t) {
1966
1988
snprintf(errormsg, ERRORMSG_LEN, "unknown type %s", id);
1969
1991
return -1;
1970
1992
}
1971
1993
1972
if (*add == 0) {
1973
if (ebitmap_set_bit(&set->negset, t->value - 1, TRUE))
1974
goto oom;
1975
}
1976
else {
1977
if (ebitmap_set_bit(&set->types, t->value - 1, TRUE))
1978
goto oom;
1979
}
1994
if (*add == 0) {
1995
if (ebitmap_set_bit(&set->negset, t->s.value - 1, TRUE))
1996
goto oom;
1997
} else {
1998
if (ebitmap_set_bit(&set->types, t->s.value - 1, TRUE))
1999
goto oom;
2000
}
1980
2001
free(id);
1981
2002
*add = 1;
1982
2003
return 0;
1983
oom:
2004
oom:
1984
2005
yyerror("Out of memory");
1985
2006
free(id);
1986
2007
return -1;
1987
2008
}
1988
2009
1989
static int define_compute_type_helper(int which, avrule_t **rule)
2010
static int define_compute_type_helper(int which, avrule_t ** rule)
1990
2011
{
1991
2012
char *id;
1992
2013
type_datum_t *datum;
2003
2024
return -1;
2004
2025
}
2005
2026
avrule_init(avrule);
2006
avrule->specified = which;
2007
avrule->line = policydb_lineno;
2027
avrule->specified = which;
2028
avrule->line = policydb_lineno;
2008
2029
2009
while ((id = queue_remove(id_queue))) {
2010
if (set_types(&avrule->stypes, id, &add, 0))
2011
return -1;
2012
}
2013
add = 1;
2030
while ((id = queue_remove(id_queue))) {
2031
if (set_types(&avrule->stypes, id, &add, 0))
2032
return -1;
2033
}
2034
add = 1;
2014
2035
while ((id = queue_remove(id_queue))) {
2015
2036
if (set_types(&avrule->ttypes, id, &add, 0))
2016
2037
return -1;
2017
2038
}
2018
2039
2019
ebitmap_init(&tclasses);
2040
ebitmap_init(&tclasses);
2020
2041
while ((id = queue_remove(id_queue))) {
2021
if (!is_id_in_scope(SYM_CLASSES, id)) {
2022
yyerror2("class %s is not within scope", id);
2023
free(id);
2024
goto bad;
2025
}
2042
if (!is_id_in_scope(SYM_CLASSES, id)) {
2043
yyerror2("class %s is not within scope", id);
2044
free(id);
2045
goto bad;
2046
}
2026
2047
cladatum = hashtab_search(policydbp->p_classes.table, id);
2027
2048
if (!cladatum) {
2028
2049
sprintf(errormsg, "unknown class %s", id);
2029
2050
yyerror(errormsg);
2030
2051
goto bad;
2031
2052
}
2032
if (ebitmap_set_bit(&tclasses, cladatum->value - 1, TRUE)) {
2053
if (ebitmap_set_bit(&tclasses, cladatum->s.value - 1, TRUE)) {
2033
2054
yyerror("Out of memory");
2034
2055
goto bad;
2035
2056
}
2036
2057
free(id);
2037
2058
}
2038
2059
2039
id = (char *) queue_remove(id_queue);
2060
id = (char *)queue_remove(id_queue);
2040
2061
if (!id) {
2041
2062
yyerror("no newtype?");
2042
2063
goto bad;
2043
2064
}
2044
if (!is_id_in_scope(SYM_TYPES, id)) {
2045
yyerror2("type %s is not within scope", id);
2046
free(id);
2047
goto bad;
2048
}
2065
if (!is_id_in_scope(SYM_TYPES, id)) {
2066
yyerror2("type %s is not within scope", id);
2067
free(id);
2068
goto bad;
2069
}
2049
2070
datum = (type_datum_t *) hashtab_search(policydbp->p_types.table,
2050
2071
(hashtab_key_t) id);
2051
if (!datum || datum->isattr) {
2072
if (!datum || datum->flavor == TYPE_ATTRIB) {
2052
2073
sprintf(errormsg, "unknown type %s", id);
2053
2074
yyerror(errormsg);
2054
2075
goto bad;
2055
2076
}
2056
2077
2057
2078
ebitmap_for_each_bit(&tclasses, node, i) {
2058
2079
if (ebitmap_node_get_bit(node, i)) {
2059
2080
perm = malloc(sizeof(class_perm_node_t));
2060
2081
if (!perm) {
2061
yyerror("out of memory");
2082
yyerror("out of memory");
2062
2083
return -1;
2063
}
2084
}
2064
2085
class_perm_node_init(perm);
2065
2086
perm->class = i + 1;
2066
perm->data = datum->value;
2087
perm->data = datum->s.value;
2067
2088
perm->next = avrule->perms;
2068
2089
avrule->perms = perm;
2069
}
2090
}
2070
2091
}
2071
2092
ebitmap_destroy(&tclasses);
2072
2073
*rule = avrule;
2093
2094
*rule = avrule;
2074
2095
return 0;
2075
2096
2076
2097
bad:
2077
avrule_destroy(avrule);
2078
free(avrule);
2098
avrule_destroy(avrule);
2099
free(avrule);
2079
2100
return -1;
2080
2101
}
2081
2102
2083
2104
{
2084
2105
char *id;
2085
2106
avrule_t *avrule;
2086
int retval;
2087
2107
2088
2108
if (pass == 1) {
2089
while ((id = queue_remove(id_queue)))
2090
free(id);
2091
while ((id = queue_remove(id_queue)))
2092
free(id);
2093
while ((id = queue_remove(id_queue)))
2109
while ((id = queue_remove(id_queue)))
2110
free(id);
2111
while ((id = queue_remove(id_queue)))
2112
free(id);
2113
while ((id = queue_remove(id_queue)))
2094
2114
free(id);
2095
2115
id = queue_remove(id_queue);
2096
2116
free(id);
2097
2117
return 0;
2098
2118
}
2099
2119
2100
2120
if (define_compute_type_helper(which, &avrule))
2101
2121
return -1;
2102
2103
retval = insert_check_type_rule(avrule, &policydbp->te_avtab, NULL, NULL);
2104
switch (retval) {
2105
case 1: {
2106
/* append this avrule to the end of the current rules list */
2107
append_avrule(avrule);
2108
return 0;
2109
}
2110
case 0: {
2111
/* rule conflicted, so don't actually add this rule */
2112
avrule_destroy(avrule);
2113
free(avrule);
2114
return 0;
2115
}
2116
case -1: {
2117
avrule_destroy(avrule);
2118
free(avrule);
2119
return -1;
2120
}
2121
default: {
2122
assert(0); /* should never get here */
2123
}
2124
}
2122
2123
append_avrule(avrule);
2124
return 0;
2125
2125
}
2126
2126
2127
2127
static avrule_t *define_cond_compute_type(int which)
2130
2130
avrule_t *avrule;
2131
2131
2132
2132
if (pass == 1) {
2133
while ((id = queue_remove(id_queue)))
2134
free(id);
2135
while ((id = queue_remove(id_queue)))
2136
free(id);
2137
while ((id = queue_remove(id_queue)))
2133
while ((id = queue_remove(id_queue)))
2134
free(id);
2135
while ((id = queue_remove(id_queue)))
2136
free(id);
2137
while ((id = queue_remove(id_queue)))
2138
2138
free(id);
2139
2139
id = queue_remove(id_queue);
2140
2140
free(id);
2141
return (avrule_t*)1;
2141
return (avrule_t *) 1;
2142
2142
}
2143
2143
2144
2144
if (define_compute_type_helper(which, &avrule))
2145
2145
return COND_ERR;
2146
2146
2160
2160
return 0;
2161
2161
}
2162
2162
2163
id = (char *) queue_remove(id_queue);
2163
id = (char *)queue_remove(id_queue);
2164
2164
if (!id) {
2165
2165
yyerror("no identifier for bool definition?");
2166
2166
return -1;
2167
2167
}
2168
if (id_has_dot(id)) {
2169
free(id);
2170
yyerror("boolean identifiers may not contain periods");
2171
return -1;
2172
}
2168
if (id_has_dot(id)) {
2169
free(id);
2170
yyerror("boolean identifiers may not contain periods");
2171
return -1;
2172
}
2173
2173
datum = (cond_bool_datum_t *) malloc(sizeof(cond_bool_datum_t));
2174
2174
if (!datum) {
2175
2175
yyerror("out of memory");
2177
2177
return -1;
2178
2178
}
2179
2179
memset(datum, 0, sizeof(cond_bool_datum_t));
2180
ret = declare_symbol(SYM_BOOLS, id, datum, &value, &value);
2181
switch(ret) {
2182
case -3: {
2183
yyerror("Out of memory!");
2184
goto cleanup;
2185
}
2186
case -2: {
2187
yyerror2("duplicate declaration of boolean %s", id);
2188
goto cleanup;
2189
}
2190
case -1: {
2191
yyerror("could not declare boolean here");
2192
goto cleanup;
2193
}
2194
case 0:
2195
case 1: {
2196
break;
2197
}
2198
default: {
2199
assert(0); /* should never get here */
2200
}
2201
}
2202
datum->value = value;
2180
ret = declare_symbol(SYM_BOOLS, id, datum, &value, &value);
2181
switch (ret) {
2182
case -3:{
2183
yyerror("Out of memory!");
2184
goto cleanup;
2185
}
2186
case -2:{
2187
yyerror2("duplicate declaration of boolean %s", id);
2188
goto cleanup;
2189
}
2190
case -1:{
2191
yyerror("could not declare boolean here");
2192
goto cleanup;
2193
}
2194
case 0:
2195
case 1:{
2196
break;
2197
}
2198
default:{
2199
assert(0); /* should never get here */
2200
}
2201
}
2202
datum->s.value = value;
2203
2203
2204
bool_value = (char *) queue_remove(id_queue);
2204
bool_value = (char *)queue_remove(id_queue);
2205
2205
if (!bool_value) {
2206
2206
yyerror("no default value for bool definition?");
2207
2207
free(id);
2210
2210
2211
2211
datum->state = (int)(bool_value[0] == 'T') ? 1 : 0;
2212
2212
return 0;
2213
cleanup:
2214
cond_destroy_bool(id, datum, NULL);
2215
return -1;
2213
cleanup:
2214
cond_destroy_bool(id, datum, NULL);
2215
return -1;
2216
2216
}
2217
2217
2218
static avrule_t *define_cond_pol_list(avrule_t *avlist, avrule_t *sl)
2218
static avrule_t *define_cond_pol_list(avrule_t * avlist, avrule_t * sl)
2219
2219
{
2220
2220
if (pass == 1) {
2221
2221
/* return something so we get through pass 1 */
2222
return (avrule_t *)1;
2222
return (avrule_t *) 1;
2223
2223
}
2224
2224
2225
2225
if (sl == NULL) {
2227
2227
return avlist;
2228
2228
}
2229
2229
2230
/* prepend the new avlist to the pre-existing one */
2231
sl->next = avlist;
2232
return sl;
2230
/* prepend the new avlist to the pre-existing one */
2231
sl->next = avlist;
2232
return sl;
2233
2233
}
2234
2234
2235
static int define_te_avtab_helper(int which, avrule_t **rule)
2235
static int define_te_avtab_helper(int which, avrule_t ** rule)
2236
2236
{
2237
2237
char *id;
2238
2238
class_datum_t *cladatum;
2245
2245
int add = 1, ret = 0;
2246
2246
int suppress = 0;
2247
2247
2248
avrule = (avrule_t*)malloc(sizeof(avrule_t));
2248
avrule = (avrule_t *) malloc(sizeof(avrule_t));
2249
2249
if (!avrule) {
2250
2250
yyerror("memory error");
2251
2251
ret = -1;
2252
2252
goto out;
2253
2253
}
2254
2254
avrule_init(avrule);
2255
avrule->specified = which;
2256
avrule->line = policydb_lineno;
2257
2255
avrule->specified = which;
2256
avrule->line = policydb_lineno;
2257
2258
2258
while ((id = queue_remove(id_queue))) {
2259
if (set_types(&avrule->stypes, id, &add, which == AVRULE_NEVERALLOW? 1 : 0 )) {
2259
if (set_types
2260
(&avrule->stypes, id, &add,
2261
which == AVRULE_NEVERALLOW ? 1 : 0)) {
2260
2262
ret = -1;
2261
2263
goto out;
2262
2264
}
2263
2265
}
2264
add = 1;
2266
add = 1;
2265
2267
while ((id = queue_remove(id_queue))) {
2266
2268
if (strcmp(id, "self") == 0) {
2267
2269
free(id);
2268
2270
avrule->flags |= RULE_SELF;
2269
2271
continue;
2270
2272
}
2271
if (set_types(&avrule->ttypes, id, &add, which == AVRULE_NEVERALLOW? 1 : 0 )) {
2273
if (set_types
2274
(&avrule->ttypes, id, &add,
2275
which == AVRULE_NEVERALLOW ? 1 : 0)) {
2272
2276
ret = -1;
2273
2277
goto out;
2274
2278
}
2276
2280
2277
2281
ebitmap_init(&tclasses);
2278
2282
while ((id = queue_remove(id_queue))) {
2279
if (!is_id_in_scope(SYM_CLASSES, id)) {
2280
yyerror2("class %s is not within scope", id);
2281
ret = -1;
2282
goto out;
2283
}
2283
if (!is_id_in_scope(SYM_CLASSES, id)) {
2284
yyerror2("class %s is not within scope", id);
2285
ret = -1;
2286
goto out;
2287
}
2284
2288
cladatum = hashtab_search(policydbp->p_classes.table, id);
2285
if (!cladatum) {
2289
if (!cladatum) {
2286
2290
sprintf(errormsg, "unknown class %s used in rule", id);
2287
2291
yyerror(errormsg);
2288
2292
ret = -1;
2289
2293
goto out;
2290
2294
}
2291
if (ebitmap_set_bit(&tclasses, cladatum->value - 1, TRUE)) {
2295
if (ebitmap_set_bit(&tclasses, cladatum->s.value - 1, TRUE)) {
2292
2296
yyerror("Out of memory");
2293
2297
ret = -1;
2294
2298
goto out;
2300
2304
ebitmap_for_each_bit(&tclasses, node, i) {
2301
2305
if (!ebitmap_node_get_bit(node, i))
2302
2306
continue;
2303
cur_perms = (class_perm_node_t *)malloc(sizeof(class_perm_node_t));
2307
cur_perms =
2308
(class_perm_node_t *) malloc(sizeof(class_perm_node_t));
2304
2309
if (!cur_perms) {
2305
2310
yyerror("out of memory");
2306
2311
ret = -1;
2330
2335
2331
2336
if (strcmp(id, "~") == 0) {
2332
2337
/* complement the set */
2333
if (which == AVRULE_DONTAUDIT)
2338
if (which == AVRULE_DONTAUDIT)
2334
2339
yywarn("dontaudit rule with a ~?");
2335
2340
cur_perms->data = ~cur_perms->data;
2336
2341
goto next;
2337
2342
}
2338
2343
2339
perdatum = hashtab_search(cladatum->permissions.table, id);
2344
perdatum =
2345
hashtab_search(cladatum->permissions.table, id);
2340
2346
if (!perdatum) {
2341
2347
if (cladatum->comdatum) {
2342
perdatum = hashtab_search(cladatum->comdatum->permissions.table,
2343
id);
2348
perdatum =
2349
hashtab_search(cladatum->comdatum->
2350
permissions.table,
2351
id);
2344
2352
}
2345
2353
}
2346
2354
if (!perdatum) {
2347
sprintf(errormsg, "permission %s is not defined for class %s", id, policydbp->p_class_val_to_name[i]);
2355
sprintf(errormsg,
2356
"permission %s is not defined for class %s",
2357
id, policydbp->p_class_val_to_name[i]);
2348
2358
if (!suppress)
2349
yyerror(errormsg);
2359
yyerror(errormsg);
2350
2360
continue;
2351
}
2352
else if (!is_perm_in_scope(id, policydbp->p_class_val_to_name[i])) {
2361
} else
2362
if (!is_perm_in_scope
2363
(id, policydbp->p_class_val_to_name[i])) {
2353
2364
if (!suppress) {
2354
yyerror2("permission %s of class %s is not within scope",
2355
id, policydbp->p_class_val_to_name[i]);
2356
}
2365
yyerror2
2366
("permission %s of class %s is not within scope",
2367
id,
2368
policydbp->p_class_val_to_name[i]);
2369
}
2357
2370
continue;
2358
2371
} else {
2359
cur_perms->data |= 1U << (perdatum->value - 1);
2372
cur_perms->data |= 1U << (perdatum->s.value - 1);
2360
2373
}
2361
next:
2362
cur_perms = cur_perms->next;
2374
next:
2375
cur_perms = cur_perms->next;
2363
2376
}
2364
2377
2365
2378
free(id);
2366
2379
}
2367
2380
2368
2381
ebitmap_destroy(&tclasses);
2369
2382
2370
avrule->perms = perms;
2371
*rule = avrule;
2383
avrule->perms = perms;
2384
*rule = avrule;
2372
2385
2373
out:
2386
out:
2374
2387
return ret;
2375
2388
2376
2389
}
2383
2396
2384
2397
if (pass == 1) {
2385
2398
for (i = 0; i < 4; i++) {
2386
while ((id = queue_remove(id_queue)))
2399
while ((id = queue_remove(id_queue)))
2387
2400
free(id);
2388
2401
}
2389
return (avrule_t *) 1; /* any non-NULL value */
2402
return (avrule_t *) 1; /* any non-NULL value */
2390
2403
}
2391
2404
2392
2405
if (define_te_avtab_helper(which, &avrule))
2393
2406
return COND_ERR;
2394
2407
2395
2408
return avrule;
2396
2409
}
2397
2410
2403
2416
2404
2417
if (pass == 1) {
2405
2418
for (i = 0; i < 4; i++) {
2406
while ((id = queue_remove(id_queue)))
2419
while ((id = queue_remove(id_queue)))
2407
2420
free(id);
2408
2421
}
2409
2422
return 0;
2410
2423
}
2411
2424
2412
2425
if (define_te_avtab_helper(which, &avrule))
2413
2426
return -1;
2414
2427
2415
/* append this avrule to the end of the current rules list */
2416
append_avrule(avrule);
2428
/* append this avrule to the end of the current rules list */
2429
append_avrule(avrule);
2417
2430
return 0;
2418
2431
}
2419
2432
2424
2437
int add = 1;
2425
2438
2426
2439
if (pass == 1) {
2427
while ((id = queue_remove(id_queue)))
2440
while ((id = queue_remove(id_queue)))
2428
2441
free(id);
2429
2442
return 0;
2430
2443
}
2431
2444
2432
if ((role = declare_role()) == NULL) {
2433
return -1;
2434
}
2445
if ((role = declare_role()) == NULL) {
2446
return -1;
2447
}
2435
2448
while ((id = queue_remove(id_queue))) {
2436
if (set_types(&role->types, id, &add, 0))
2437
return -1;
2449
if (set_types(&role->types, id, &add, 0))
2450
return -1;
2438
2451
}
2439
2452
2440
2441
2453
return 0;
2442
2454
}
2443
2455
2444
2445
static role_datum_t *
2446
merge_roles_dom(role_datum_t * r1, role_datum_t * r2)
2456
static role_datum_t *merge_roles_dom(role_datum_t * r1, role_datum_t * r2)
2447
2457
{
2448
2458
role_datum_t *new;
2449
2459
2450
2460
if (pass == 1) {
2451
return (role_datum_t *)1; /* any non-NULL value */
2461
return (role_datum_t *) 1; /* any non-NULL value */
2452
2462
}
2453
2463
2454
2464
new = malloc(sizeof(role_datum_t));
2457
2467
return NULL;
2458
2468
}
2459
2469
memset(new, 0, sizeof(role_datum_t));
2460
new->value = 0; /* temporary role */
2470
new->s.value = 0; /* temporary role */
2461
2471
if (ebitmap_or(&new->dominates, &r1->dominates, &r2->dominates)) {
2462
2472
yyerror("out of memory");
2463
2473
return NULL;
2466
2476
yyerror("out of memory");
2467
2477
return NULL;
2468
2478
}
2469
if (!r1->value) {
2479
if (!r1->s.value) {
2470
2480
/* free intermediate result */
2471
2481
type_set_destroy(&r1->types);
2472
2482
ebitmap_destroy(&r1->dominates);
2473
2483
free(r1);
2474
2484
}
2475
if (!r2->value) {
2485
if (!r2->s.value) {
2476
2486
/* free intermediate result */
2477
2487
yyerror("right hand role is temporary?");
2478
2488
type_set_destroy(&r2->types);
2483
2493
}
2484
2494
2485
2495
/* This function eliminates the ordering dependency of role dominance rule */
2486
static int dominate_role_recheck(hashtab_key_t key, hashtab_datum_t datum, void *arg)
2496
static int dominate_role_recheck(hashtab_key_t key, hashtab_datum_t datum,
2497
void *arg)
2487
2498
{
2488
2499
role_datum_t *rdp = (role_datum_t *) arg;
2489
2500
role_datum_t *rdatum = (role_datum_t *) datum;
2491
2502
int i;
2492
2503
2493
2504
/* Don't bother to process against self role */
2494
if (rdatum->value == rdp->value)
2505
if (rdatum->s.value == rdp->s.value)
2495
2506
return 0;
2496
2507
2497
2508
/* If a dominating role found */
2498
if (ebitmap_get_bit(&(rdatum->dominates), rdp->value - 1))
2499
{
2509
if (ebitmap_get_bit(&(rdatum->dominates), rdp->s.value - 1)) {
2500
2510
ebitmap_t types;
2501
2511
ebitmap_init(&types);
2502
2512
if (type_set_expand(&rdp->types, &types, policydbp, 1)) {
2506
2516
/* raise types and dominates from dominated role */
2507
2517
ebitmap_for_each_bit(&rdp->dominates, node, i) {
2508
2518
if (ebitmap_node_get_bit(node, i))
2509
if (ebitmap_set_bit(&rdatum->dominates, i, TRUE))
2519
if (ebitmap_set_bit
2520
(&rdatum->dominates, i, TRUE))
2510
2521
goto oom;
2511
2522
}
2512
2523
ebitmap_for_each_bit(&types, node, i) {
2513
2524
if (ebitmap_node_get_bit(node, i))
2514
if (ebitmap_set_bit(&rdatum->types.types, i, TRUE))
2525
if (ebitmap_set_bit
2526
(&rdatum->types.types, i, TRUE))
2515
2527
goto oom;
2516
}
2528
}
2517
2529
ebitmap_destroy(&types);
2518
2530
}
2519
2531
2520
2532
/* go through all the roles */
2521
2533
return 0;
2522
oom:
2534
oom:
2523
2535
yyerror("Out of memory");
2524
2536
return -1;
2525
2537
}
2526
2538
2527
static role_datum_t *
2528
define_role_dom(role_datum_t * r)
2539
static role_datum_t *define_role_dom(role_datum_t * r)
2529
2540
{
2530
2541
role_datum_t *role;
2531
2542
char *role_id;
2536
2547
if (pass == 1) {
2537
2548
role_id = queue_remove(id_queue);
2538
2549
free(role_id);
2539
return (role_datum_t *)1; /* any non-NULL value */
2550
return (role_datum_t *) 1; /* any non-NULL value */
2540
2551
}
2541
2552
2542
2553
role_id = queue_remove(id_queue);
2543
if (!is_id_in_scope(SYM_ROLES, role_id)) {
2544
yyerror2("role %s is not within scope", role_id);
2545
free(role_id);
2546
return NULL;
2547
}
2554
if (!is_id_in_scope(SYM_ROLES, role_id)) {
2555
yyerror2("role %s is not within scope", role_id);
2556
free(role_id);
2557
return NULL;
2558
}
2548
2559
role = (role_datum_t *) hashtab_search(policydbp->p_roles.table,
2549
2560
role_id);
2550
2561
if (!role) {
2555
2566
return NULL;
2556
2567
}
2557
2568
memset(role, 0, sizeof(role_datum_t));
2558
ret = declare_symbol(SYM_ROLES, (hashtab_key_t) role_id, (hashtab_datum_t) role, &role->value, &role->value);
2559
switch(ret) {
2560
case -3: {
2561
yyerror("Out of memory!");
2562
goto cleanup;
2563
}
2564
case -2: {
2565
yyerror2("duplicate declaration of role %s", role_id);
2566
goto cleanup;
2567
}
2568
case -1: {
2569
yyerror("could not declare role here");
2570
goto cleanup;
2571
}
2572
case 0:
2573
case 1: {
2574
break;
2575
}
2576
default: {
2577
assert(0); /* should never get here */
2578
}
2579
}
2580
if (ebitmap_set_bit(&role->dominates, role->value-1, TRUE)) {
2581
yyerror("Out of memory!");
2582
goto cleanup;
2569
ret =
2570
declare_symbol(SYM_ROLES, (hashtab_key_t) role_id,
2571
(hashtab_datum_t) role, &role->s.value,
2572
&role->s.value);
2573
switch (ret) {
2574
case -3:{
2575
yyerror("Out of memory!");
2576
goto cleanup;
2577
}
2578
case -2:{
2579
yyerror2("duplicate declaration of role %s",
2580
role_id);
2581
goto cleanup;
2582
}
2583
case -1:{
2584
yyerror("could not declare role here");
2585
goto cleanup;
2586
}
2587
case 0:
2588
case 1:{
2589
break;
2590
}
2591
default:{
2592
assert(0); /* should never get here */
2593
}
2594
}
2595
if (ebitmap_set_bit(&role->dominates, role->s.value - 1, TRUE)) {
2596
yyerror("Out of memory!");
2597
goto cleanup;
2583
2598
}
2584
2599
}
2585
2600
if (r) {
2596
2611
}
2597
2612
ebitmap_for_each_bit(&types, node, i) {
2598
2613
if (ebitmap_node_get_bit(node, i))
2599
if (ebitmap_set_bit(&role->types.types, i, TRUE))
2614
if (ebitmap_set_bit
2615
(&role->types.types, i, TRUE))
2600
2616
goto oom;
2601
2617
}
2602
2618
ebitmap_destroy(&types);
2603
if (!r->value) {
2619
if (!r->s.value) {
2604
2620
/* free intermediate result */
2605
2621
type_set_destroy(&r->types);
2606
2622
ebitmap_destroy(&r->dominates);
2611
2627
* dominates and types if a role dominates this role.
2612
2628
*/
2613
2629
hashtab_map(policydbp->p_roles.table,
2614
dominate_role_recheck, role);
2630
dominate_role_recheck, role);
2615
2631
}
2616
2632
return role;
2617
cleanup:
2633
cleanup:
2618
2634
free(role_id);
2619
role_datum_destroy(role);
2620
free(role);
2621
return NULL;
2622
oom:
2635
role_datum_destroy(role);
2636
free(role);
2637
return NULL;
2638
oom:
2623
2639
yyerror("Out of memory");
2624
2640
goto cleanup;
2625
2641
}
2626
2642
2627
static int role_val_to_name_helper(hashtab_key_t key, hashtab_datum_t datum, void *p)
2643
static int role_val_to_name_helper(hashtab_key_t key, hashtab_datum_t datum,
2644
void *p)
2628
2645
{
2629
2646
struct val_to_name *v = p;
2630
2647
role_datum_t *roldatum;
2631
2648
2632
2649
roldatum = (role_datum_t *) datum;
2633
2650
2634
if (v->val == roldatum->value) {
2651
if (v->val == roldatum->s.value) {
2635
2652
v->name = key;
2636
2653
return 1;
2637
2654
}
2639
2656
return 0;
2640
2657
}
2641
2658
2642
2643
static char *role_val_to_name(unsigned int val)
2659
static char *role_val_to_name(unsigned int val)
2644
2660
{
2645
2661
struct val_to_name v;
2646
2662
int rc;
2647
2663
2648
2664
v.val = val;
2649
rc = hashtab_map(policydbp->p_roles.table,
2650
role_val_to_name_helper, &v);
2665
rc = hashtab_map(policydbp->p_roles.table, role_val_to_name_helper, &v);
2651
2666
if (rc)
2652
2667
return v.name;
2653
2668
return NULL;
2654
2669
}
2655
2670
2656
static int set_roles(role_set_t *set,
2657
char *id)
2671
static int set_roles(role_set_t * set, char *id)
2658
2672
{
2659
2673
role_datum_t *r;
2660
2674
2669
2683
yyerror("~ is not allowed for role sets");
2670
2684
return -1;
2671
2685
}
2672
if (!is_id_in_scope(SYM_ROLES, id)) {
2673
yyerror2("role %s is not within scope", id);
2674
free(id);
2675
return -1;
2676
}
2686
if (!is_id_in_scope(SYM_ROLES, id)) {
2687
yyerror2("role %s is not within scope", id);
2688
free(id);
2689
return -1;
2690
}
2677
2691
r = hashtab_search(policydbp->p_roles.table, id);
2678
2692
if (!r) {
2679
2693
yyerror2("unknown role %s", id);
2681
2695
return -1;
2682
2696
}
2683
2697
2684
if (ebitmap_set_bit(&set->roles, r->value - 1, TRUE)) {
2698
if (ebitmap_set_bit(&set->roles, r->s.value - 1, TRUE)) {
2685
2699
yyerror("out of memory");
2686
2700
free(id);
2687
2701
return -1;
2690
2704
return 0;
2691
2705
}
2692
2706
2693
2694
2707
static int define_role_trans(void)
2695
2708
{
2696
2709
char *id;
2705
2718
int add = 1;
2706
2719
2707
2720
if (pass == 1) {
2708
while ((id = queue_remove(id_queue)))
2721
while ((id = queue_remove(id_queue)))
2709
2722
free(id);
2710
while ((id = queue_remove(id_queue)))
2723
while ((id = queue_remove(id_queue)))
2711
2724
free(id);
2712
2725
id = queue_remove(id_queue);
2713
2726
free(id);
2723
2736
if (set_roles(&roles, id))
2724
2737
return -1;
2725
2738
}
2726
add = 1;
2739
add = 1;
2727
2740
while ((id = queue_remove(id_queue))) {
2728
2741
if (set_types(&types, id, &add, 0))
2729
2742
return -1;
2730
2743
}
2731
2744
2732
id = (char *) queue_remove(id_queue);
2745
id = (char *)queue_remove(id_queue);
2733
2746
if (!id) {
2734
2747
yyerror("no new role in transition definition?");
2735
2748
goto bad;
2736
2749
}
2737
if (!is_id_in_scope(SYM_ROLES, id)) {
2738
yyerror2("role %s is not within scope", id);
2739
free(id);
2740
goto bad;
2741
}
2750
if (!is_id_in_scope(SYM_ROLES, id)) {
2751
yyerror2("role %s is not within scope", id);
2752
free(id);
2753
goto bad;
2754
}
2742
2755
role = hashtab_search(policydbp->p_roles.table, id);
2743
2756
if (!role) {
2744
sprintf(errormsg, "unknown role %s used in transition definition", id);
2757
sprintf(errormsg,
2758
"unknown role %s used in transition definition", id);
2745
2759
yyerror(errormsg);
2746
2760
goto bad;
2747
2761
}
2749
2763
/* This ebitmap business is just to ensure that there are not conflicting role_trans rules */
2750
2764
if (role_set_expand(&roles, &e_roles, policydbp))
2751
2765
goto bad;
2752
2766
2753
2767
if (type_set_expand(&types, &e_types, policydbp, 1))
2754
2768
goto bad;
2755
2769
2756
2770
ebitmap_for_each_bit(&e_roles, rnode, i) {
2757
if (!ebitmap_node_get_bit(rnode, i))
2771
if (!ebitmap_node_get_bit(rnode, i))
2758
2772
continue;
2759
2773
ebitmap_for_each_bit(&e_types, tnode, j) {
2760
2774
if (!ebitmap_node_get_bit(tnode, j))
2761
2775
continue;
2762
2776
2763
2777
for (tr = policydbp->role_tr; tr; tr = tr->next) {
2764
if (tr->role == (i+1) && tr->type == (j+1)) {
2765
sprintf(errormsg, "duplicate role transition for (%s,%s)",
2766
role_val_to_name(i + 1), policydbp->p_type_val_to_name[j]);
2778
if (tr->role == (i + 1) && tr->type == (j + 1)) {
2779
sprintf(errormsg,
2780
"duplicate role transition for (%s,%s)",
2781
role_val_to_name(i + 1),
2782
policydbp->
2783
p_type_val_to_name[j]);
2767
2784
yyerror(errormsg);
2768
2785
goto bad;
2769
2786
}
2775
2792
return -1;
2776
2793
}
2777
2794
memset(tr, 0, sizeof(struct role_trans));
2778
tr->role = i+1;
2779
tr->type = j+1;
2780
tr->new_role = role->value;
2795
tr->role = i + 1;
2796
tr->type = j + 1;
2797
tr->new_role = role->s.value;
2781
2798
tr->next = policydbp->role_tr;
2782
2799
policydbp->role_tr = tr;
2783
2800
}
2791
2808
memset(rule, 0, sizeof(struct role_trans_rule));
2792
2809
rule->roles = roles;
2793
2810
rule->types = types;
2794
rule->new_role = role->value;
2811
rule->new_role = role->s.value;
2795
2812
2796
append_role_trans(rule);
2813
append_role_trans(rule);
2797
2814
2798
2815
ebitmap_destroy(&e_roles);
2799
2816
ebitmap_destroy(&e_types);
2800
2817
2801
2818
return 0;
2802
2819
2803
bad:
2820
bad:
2804
2821
return -1;
2805
2822
}
2806
2823
2807
2808
2824
static int define_role_allow(void)
2809
2825
{
2810
2826
char *id;
2811
2827
struct role_allow_rule *ra = 0;
2812
2828
2813
2829
if (pass == 1) {
2814
while ((id = queue_remove(id_queue)))
2830
while ((id = queue_remove(id_queue)))
2815
2831
free(id);
2816
while ((id = queue_remove(id_queue)))
2832
while ((id = queue_remove(id_queue)))
2817
2833
free(id);
2818
2834
return 0;
2819
2835
}
2824
2840
return -1;
2825
2841
}
2826
2842
role_allow_rule_init(ra);
2827
2843
2828
2844
while ((id = queue_remove(id_queue))) {
2829
2845
if (set_roles(&ra->roles, id))
2830
2846
return -1;
2831
2847
}
2832
2848
2833
2834
2849
while ((id = queue_remove(id_queue))) {
2835
2850
if (set_roles(&ra->new_roles, id))
2836
2851
return -1;
2837
2852
}
2838
2853
2839
append_role_allow(ra);
2854
append_role_allow(ra);
2840
2855
return 0;
2841
2856
}
2842
2857
2843
static constraint_expr_t *constraint_expr_clone(constraint_expr_t *expr)
2858
static constraint_expr_t *constraint_expr_clone(constraint_expr_t * expr)
2844
2859
{
2845
2860
constraint_expr_t *h = NULL, *l = NULL, *e, *newe;
2846
2861
for (e = expr; e; e = e->next) {
2851
2866
free(newe);
2852
2867
goto oom;
2853
2868
}
2854
if (l)
2869
if (l)
2855
2870
l->next = newe;
2856
2871
else
2857
2872
h = newe;
2861
2876
newe->op = e->op;
2862
2877
if (newe->expr_type == CEXPR_NAMES) {
2863
2878
if (newe->attr & CEXPR_TYPE) {
2864
if (type_set_cpy(newe->type_names, e->type_names))
2879
if (type_set_cpy
2880
(newe->type_names, e->type_names))
2865
2881
goto oom;
2866
2882
} else {
2867
2883
if (ebitmap_cpy(&newe->names, &e->names))
2871
2887
}
2872
2888
2873
2889
return h;
2874
oom:
2890
oom:
2875
2891
e = h;
2876
2892
while (e) {
2877
2893
l = e;
2881
2897
return NULL;
2882
2898
}
2883
2899
2884
2885
2900
static int define_constraint(constraint_expr_t * expr)
2886
2901
{
2887
2902
struct constraint_node *node;
2896
2911
unsigned char useexpr = 1;
2897
2912
2898
2913
if (pass == 1) {
2899
while ((id = queue_remove(id_queue)))
2914
while ((id = queue_remove(id_queue)))
2900
2915
free(id);
2901
while ((id = queue_remove(id_queue)))
2916
while ((id = queue_remove(id_queue)))
2902
2917
free(id);
2903
2918
return 0;
2904
2919
}
2924
2939
case CEXPR_NAMES:
2925
2940
if (e->attr & CEXPR_XTARGET) {
2926
2941
yyerror("illegal constraint expression");
2927
return -1; /* only for validatetrans rules */
2942
return -1; /* only for validatetrans rules */
2928
2943
}
2929
if (depth == (CEXPR_MAXDEPTH-1)) {
2944
if (depth == (CEXPR_MAXDEPTH - 1)) {
2930
2945
yyerror("constraint expression is too deep");
2931
2946
return -1;
2932
2947
}
2944
2959
2945
2960
ebitmap_init(&classmap);
2946
2961
while ((id = queue_remove(id_queue))) {
2947
if (!is_id_in_scope(SYM_CLASSES, id)) {
2948
yyerror2("class %s is not within scope", id);
2949
free(id);
2950
return -1;
2951
}
2952
cladatum = (class_datum_t *) hashtab_search(policydbp->p_classes.table,
2962
if (!is_id_in_scope(SYM_CLASSES, id)) {
2963
yyerror2("class %s is not within scope", id);
2964
free(id);
2965
return -1;
2966
}
2967
cladatum =
2968
(class_datum_t *) hashtab_search(policydbp->p_classes.table,
2953
2969
(hashtab_key_t) id);
2954
2970
if (!cladatum) {
2955
2971
sprintf(errormsg, "class %s is not defined", id);
2958
2974
free(id);
2959
2975
return -1;
2960
2976
}
2961
if (ebitmap_set_bit(&classmap, cladatum->value - 1, TRUE)) {
2977
if (ebitmap_set_bit(&classmap, cladatum->s.value - 1, TRUE)) {
2962
2978
yyerror("out of memory");
2963
2979
ebitmap_destroy(&classmap);
2964
2980
free(id);
2994
3010
cladatum = policydbp->class_val_to_struct[i];
2995
3011
node = cladatum->constraints;
2996
3012
2997
perdatum = (perm_datum_t *) hashtab_search(cladatum->permissions.table,
2998
(hashtab_key_t) id);
3013
perdatum =
3014
(perm_datum_t *) hashtab_search(cladatum->
3015
permissions.
3016
table,
3017
(hashtab_key_t)
3018
id);
2999
3019
if (!perdatum) {
3000
3020
if (cladatum->comdatum) {
3001
perdatum = (perm_datum_t *) hashtab_search(cladatum->comdatum->permissions.table,
3002
(hashtab_key_t) id);
3021
perdatum =
3022
(perm_datum_t *)
3023
hashtab_search(cladatum->
3024
comdatum->
3025
permissions.
3026
table,
3027
(hashtab_key_t)
3028
id);
3003
3029
}
3004
3030
if (!perdatum) {
3005
sprintf(errormsg, "permission %s is not defined", id);
3031
sprintf(errormsg,
3032
"permission %s is not defined",
3033
id);
3006
3034
yyerror(errormsg);
3007
3035
free(id);
3008
3036
ebitmap_destroy(&classmap);
3009
3037
return -1;
3010
3038
}
3011
3039
}
3012
node->permissions |= (1 << (perdatum->value - 1));
3040
node->permissions |=
3041
(1 << (perdatum->s.value - 1));
3013
3042
}
3014
3043
}
3015
3044
free(id);
3020
3049
return 0;
3021
3050
}
3022
3051
3023
static int define_validatetrans(constraint_expr_t *expr)
3052
static int define_validatetrans(constraint_expr_t * expr)
3024
3053
{
3025
3054
struct constraint_node *node;
3026
3055
char *id;
3031
3060
unsigned char useexpr = 1;
3032
3061
3033
3062
if (pass == 1) {
3034
while ((id = queue_remove(id_queue)))
3063
while ((id = queue_remove(id_queue)))
3035
3064
free(id);
3036
3065
return 0;
3037
3066
}
3073
3102
3074
3103
ebitmap_init(&classmap);
3075
3104
while ((id = queue_remove(id_queue))) {
3076
if (!is_id_in_scope(SYM_CLASSES, id)) {
3077
yyerror2("class %s is not within scope", id);
3078
free(id);
3079
return -1;
3080
}
3081
cladatum = (class_datum_t *)hashtab_search(policydbp->p_classes.table, (hashtab_key_t)id);
3105
if (!is_id_in_scope(SYM_CLASSES, id)) {
3106
yyerror2("class %s is not within scope", id);
3107
free(id);
3108
return -1;
3109
}
3110
cladatum =
3111
(class_datum_t *) hashtab_search(policydbp->p_classes.table,
3112
(hashtab_key_t) id);
3082
3113
if (!cladatum) {
3083
3114
sprintf(errormsg, "class %s is not defined", id);
3084
3115
ebitmap_destroy(&classmap);
3086
3117
free(id);
3087
3118
return -1;
3088
3119
}
3089
if (ebitmap_set_bit(&classmap, (cladatum->value - 1), TRUE)) {
3120
if (ebitmap_set_bit(&classmap, (cladatum->s.value - 1), TRUE)) {
3090
3121
yyerror("out of memory");
3091
3122
ebitmap_destroy(&classmap);
3092
3123
free(id);
3118
3149
return 0;
3119
3150
}
3120
3151
3121
3122
3152
static uintptr_t
3123
define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2)
3153
define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2)
3124
3154
{
3125
3155
struct constraint_expr *expr, *e1 = NULL, *e2;
3126
3156
user_datum_t *user;
3128
3158
ebitmap_t negset;
3129
3159
char *id;
3130
3160
uint32_t val;
3131
int add = 1;
3161
int add = 1;
3132
3162
3133
3163
if (pass == 1) {
3134
3164
if (expr_type == CEXPR_NAMES) {
3135
while ((id = queue_remove(id_queue)))
3165
while ((id = queue_remove(id_queue)))
3136
3166
free(id);
3137
3167
}
3138
return 1; /* any non-NULL value */
3168
return 1; /* any non-NULL value */
3139
3169
}
3140
3170
3141
3171
if ((expr = malloc(sizeof(*expr))) == NULL ||
3142
constraint_expr_init(expr) == - 1) {
3172
constraint_expr_init(expr) == -1) {
3143
3173
yyerror("out of memory");
3144
3174
free(expr);
3145
3175
return 0;
3149
3179
switch (expr_type) {
3150
3180
case CEXPR_NOT:
3151
3181
e1 = NULL;
3152
e2 = (struct constraint_expr *) arg1;
3182
e2 = (struct constraint_expr *)arg1;
3153
3183
while (e2) {
3154
3184
e1 = e2;
3155
3185
e2 = e2->next;
3156
3186
}
3157
3187
if (!e1 || e1->next) {
3158
3188
yyerror("illegal constraint expression");
3159
constraint_expr_destroy(expr);
3189
constraint_expr_destroy(expr);
3160
3190
return 0;
3161
3191
}
3162
3192
e1->next = expr;
3164
3194
case CEXPR_AND:
3165
3195
case CEXPR_OR:
3166
3196
e1 = NULL;
3167
e2 = (struct constraint_expr *) arg1;
3197
e2 = (struct constraint_expr *)arg1;
3168
3198
while (e2) {
3169
3199
e1 = e2;
3170
3200
e2 = e2->next;
3171
3201
}
3172
3202
if (!e1 || e1->next) {
3173
3203
yyerror("illegal constraint expression");
3174
constraint_expr_destroy(expr);
3204
constraint_expr_destroy(expr);
3175
3205
return 0;
3176
3206
}
3177
e1->next = (struct constraint_expr *) arg2;
3207
e1->next = (struct constraint_expr *)arg2;
3178
3208
3179
3209
e1 = NULL;
3180
e2 = (struct constraint_expr *) arg2;
3210
e2 = (struct constraint_expr *)arg2;
3181
3211
while (e2) {
3182
3212
e1 = e2;
3183
3213
e2 = e2->next;
3184
3214
}
3185
3215
if (!e1 || e1->next) {
3186
3216
yyerror("illegal constraint expression");
3187
constraint_expr_destroy(expr);
3217
constraint_expr_destroy(expr);
3188
3218
return 0;
3189
3219
}
3190
3220
e1->next = expr;
3192
3222
case CEXPR_ATTR:
3193
3223
expr->attr = arg1;
3194
3224
expr->op = arg2;
3195
return (uintptr_t)expr;
3225
return (uintptr_t) expr;
3196
3226
case CEXPR_NAMES:
3197
add = 1;
3227
add = 1;
3198
3228
expr->attr = arg1;
3199
3229
expr->op = arg2;
3200
3230
ebitmap_init(&negset);
3201
while ((id = (char *) queue_remove(id_queue))) {
3231
while ((id = (char *)queue_remove(id_queue))) {
3202
3232
if (expr->attr & CEXPR_USER) {
3203
if (!is_id_in_scope(SYM_USERS, id)) {
3204
yyerror2("user %s is not within scope", id);
3205
constraint_expr_destroy(expr);
3206
return 0;
3207
}
3208
user = (user_datum_t *) hashtab_search(policydbp->p_users.table,
3209
(hashtab_key_t) id);
3233
if (!is_id_in_scope(SYM_USERS, id)) {
3234
yyerror2("user %s is not within scope",
3235
id);
3236
constraint_expr_destroy(expr);
3237
return 0;
3238
}
3239
user =
3240
(user_datum_t *) hashtab_search(policydbp->
3241
p_users.
3242
table,
3243
(hashtab_key_t)
3244
id);
3210
3245
if (!user) {
3211
sprintf(errormsg, "unknown user %s", id);
3246
sprintf(errormsg, "unknown user %s",
3247
id);
3212
3248
yyerror(errormsg);
3213
constraint_expr_destroy(expr);
3249
constraint_expr_destroy(expr);
3214
3250
return 0;
3215
3251
}
3216
val = user->value;
3252
val = user->s.value;
3217
3253
} else if (expr->attr & CEXPR_ROLE) {
3218
if (!is_id_in_scope(SYM_ROLES, id)) {
3219
yyerror2("role %s is not within scope", id);
3220
constraint_expr_destroy(expr);
3221
return 0;
3222
}
3223
role = (role_datum_t *) hashtab_search(policydbp->p_roles.table,
3224
(hashtab_key_t) id);
3254
if (!is_id_in_scope(SYM_ROLES, id)) {
3255
yyerror2("role %s is not within scope",
3256
id);
3257
constraint_expr_destroy(expr);
3258
return 0;
3259
}
3260
role =
3261
(role_datum_t *) hashtab_search(policydbp->
3262
p_roles.
3263
table,
3264
(hashtab_key_t)
3265
id);
3225
3266
if (!role) {
3226
sprintf(errormsg, "unknown role %s", id);
3267
sprintf(errormsg, "unknown role %s",
3268
id);
3227
3269
yyerror(errormsg);
3228
constraint_expr_destroy(expr);
3270
constraint_expr_destroy(expr);
3229
3271
return 0;
3230
3272
}
3231
val = role->value;
3273
val = role->s.value;
3232
3274
} else if (expr->attr & CEXPR_TYPE) {
3233
if (set_types(expr->type_names, id, &add, 0)) {
3234
constraint_expr_destroy(expr);
3275
if (set_types(expr->type_names, id, &add, 0)) {
3276
constraint_expr_destroy(expr);
3235
3277
return 0;
3236
3278
}
3237
3279
continue;
3238
3280
} else {
3239
3281
yyerror("invalid constraint expression");
3240
constraint_expr_destroy(expr);
3282
constraint_expr_destroy(expr);
3241
3283
return 0;
3242
3284
}
3243
3285
if (ebitmap_set_bit(&expr->names, val - 1, TRUE)) {
3244
3286
yyerror("out of memory");
3245
3287
ebitmap_destroy(&expr->names);
3246
constraint_expr_destroy(expr);
3288
constraint_expr_destroy(expr);
3247
3289
return 0;
3248
3290
}
3249
3291
free(id);
3250
3292
}
3251
3293
ebitmap_destroy(&negset);
3252
return (uintptr_t)expr;
3294
return (uintptr_t) expr;
3253
3295
default:
3254
3296
yyerror("invalid constraint expression");
3255
constraint_expr_destroy(expr);
3297
constraint_expr_destroy(expr);
3256
3298
return 0;
3257
3299
}
3258
3300
3261
3303
return 0;
3262
3304
}
3263
3305
3264
static int define_conditional(cond_expr_t *expr, avrule_t *t, avrule_t *f )
3306
static int define_conditional(cond_expr_t * expr, avrule_t * t, avrule_t * f)
3265
3307
{
3266
3308
cond_expr_t *e;
3267
int depth, retval;
3268
cond_node_t cn, *cn_old;
3269
avrule_t *tmp, *last_tmp;
3309
int depth;
3310
cond_node_t cn, *cn_old;
3270
3311
3271
3312
/* expression cannot be NULL */
3272
if ( !expr) {
3313
if (!expr) {
3273
3314
yyerror("illegal conditional expression");
3274
3315
return -1;
3275
3316
}
3295
3336
switch (e->expr_type) {
3296
3337
case COND_NOT:
3297
3338
if (depth < 0) {
3298
yyerror("illegal conditional expression; Bad NOT");
3339
yyerror
3340
("illegal conditional expression; Bad NOT");
3299
3341
return -1;
3300
3342
}
3301
3343
break;
3305
3347
case COND_EQ:
3306
3348
case COND_NEQ:
3307
3349
if (depth < 1) {
3308
yyerror("illegal conditional expression; Bad binary op");
3350
yyerror
3351
("illegal conditional expression; Bad binary op");
3309
3352
return -1;
3310
3353
}
3311
3354
depth--;
3312
3355
break;
3313
3356
case COND_BOOL:
3314
if (depth == (COND_EXPR_MAXDEPTH-1)) {
3315
yyerror("conditional expression is like totally too deep");
3357
if (depth == (COND_EXPR_MAXDEPTH - 1)) {
3358
yyerror
3359
("conditional expression is like totally too deep");
3316
3360
return -1;
3317
3361
}
3318
3362
depth++;
3327
3371
return -1;
3328
3372
}
3329
3373
3330
/* use tmp conditional node to partially build new node */
3331
memset(&cn, 0, sizeof(cn));
3332
cn.expr = expr;
3333
cn.avtrue_list = t;
3334
cn.avfalse_list = f;
3374
/* use tmp conditional node to partially build new node */
3375
memset(&cn, 0, sizeof(cn));
3376
cn.expr = expr;
3377
cn.avtrue_list = t;
3378
cn.avfalse_list = f;
3335
3379
3336
3380
/* normalize/precompute expression */
3337
3381
if (cond_normalize_expr(policydbp, &cn) < 0) {
3339
3383
return -1;
3340
3384
}
3341
3385
3342
/* get the existing conditional node, or create a new one*/
3343
cn_old = get_current_cond_list(&cn);
3344
if (!cn_old) {
3345
return -1;
3346
}
3347
3348
/* verify te rules -- both true and false branches of conditional */
3349
tmp = cn.avtrue_list;
3350
last_tmp = NULL;
3351
while (tmp) {
3352
if (!tmp->specified & AVRULE_TRANSITION)
3353
continue;
3354
retval = insert_check_type_rule(tmp,
3355
&policydbp->te_cond_avtab,
3356
&cn_old->true_list, &cn_old->false_list);
3357
switch (retval) {
3358
case 1: {
3359
last_tmp = tmp;
3360
tmp = tmp->next;
3361
break;
3362
}
3363
case 0: {
3364
/* rule conflicted, so remove it from consideration */
3365
if (last_tmp == NULL) {
3366
cn.avtrue_list = cn.avtrue_list->next;
3367
avrule_destroy(tmp);
3368
free(tmp);
3369
tmp = cn.avtrue_list;
3370
}
3371
else {
3372
last_tmp->next = tmp->next;
3373
avrule_destroy(tmp);
3374
free(tmp);
3375
tmp = last_tmp->next;
3376
}
3377
break;
3378
}
3379
case -1: {
3380
return -1;
3381
}
3382
default: {
3383
assert(0); /* should never get here */
3384
}
3385
}
3386
}
3387
3388
tmp = cn.avfalse_list;
3389
last_tmp = NULL;
3390
while (tmp) {
3391
if (!tmp->specified & AVRULE_TRANSITION)
3392
continue;
3393
retval = insert_check_type_rule(tmp,
3394
&policydbp->te_cond_avtab,
3395
&cn_old->false_list, &cn_old->true_list);
3396
switch (retval) {
3397
case 1: {
3398
last_tmp = tmp;
3399
tmp = tmp->next;
3400
break;
3401
}
3402
case 0: {
3403
/* rule conflicted, so remove it from consideration */
3404
if (last_tmp == NULL) {
3405
cn.avfalse_list = cn.avfalse_list->next;
3406
avrule_destroy(tmp);
3407
free(tmp);
3408
tmp = cn.avfalse_list;
3409
}
3410
else {
3411
last_tmp->next = tmp->next;
3412
avrule_destroy(tmp);
3413
free(tmp);
3414
tmp = last_tmp->next;
3415
}
3416
break;
3417
}
3418
case -1: {
3419
return -1;
3420
}
3421
default: {
3422
assert(0); /* should never get here */
3423
}
3424
}
3425
}
3426
3427
append_cond_list(&cn);
3428
3429
/* note that there is no check here for duplicate rules, nor
3430
* check that rule already exists in base -- that will be
3431
* handled during conditional expansion, in expand.c */
3432
3386
/* get the existing conditional node, or create a new one */
3387
cn_old = get_current_cond_list(&cn);
3388
if (!cn_old) {
3389
return -1;
3390
}
3391
3392
append_cond_list(&cn);
3393
3394
/* note that there is no check here for duplicate rules, nor
3395
* check that rule already exists in base -- that will be
3396
* handled during conditional expansion, in expand.c */
3397
3433
3398
cn.avtrue_list = NULL;
3434
3399
cn.avfalse_list = NULL;
3435
3400
cond_node_destroy(&cn);
3437
3402
return 0;
3438
3403
}
3439
3404
3440
static cond_expr_t *
3441
define_cond_expr(uint32_t expr_type, void* arg1, void* arg2)
3405
static cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void *arg2)
3442
3406
{
3443
3407
struct cond_expr *expr, *e1 = NULL, *e2;
3444
3408
cond_bool_datum_t *bool_var;
3451
3415
free(id);
3452
3416
}
3453
3417
}
3454
return (cond_expr_t *)1; /* any non-NULL value */
3418
return (cond_expr_t *) 1; /* any non-NULL value */
3455
3419
}
3456
3420
3457
3421
/* create a new expression struct */
3467
3431
switch (expr_type) {
3468
3432
case COND_NOT:
3469
3433
e1 = NULL;
3470
e2 = (struct cond_expr *) arg1;
3434
e2 = (struct cond_expr *)arg1;
3471
3435
while (e2) {
3472
3436
e1 = e2;
3473
3437
e2 = e2->next;
3478
3442
return NULL;
3479
3443
}
3480
3444
e1->next = expr;
3481
return (struct cond_expr *) arg1;
3445
return (struct cond_expr *)arg1;
3482
3446
case COND_AND:
3483
3447
case COND_OR:
3484
3448
case COND_XOR:
3485
3449
case COND_EQ:
3486
3450
case COND_NEQ:
3487
3451
e1 = NULL;
3488
e2 = (struct cond_expr *) arg1;
3452
e2 = (struct cond_expr *)arg1;
3489
3453
while (e2) {
3490
3454
e1 = e2;
3491
3455
e2 = e2->next;
3492
3456
}
3493
3457
if (!e1 || e1->next) {
3494
yyerror("illegal left side of conditional binary op expression");
3458
yyerror
3459
("illegal left side of conditional binary op expression");
3495
3460
free(expr);
3496
3461
return NULL;
3497
3462
}
3498
e1->next = (struct cond_expr *) arg2;
3463
e1->next = (struct cond_expr *)arg2;
3499
3464
3500
3465
e1 = NULL;
3501
e2 = (struct cond_expr *) arg2;
3466
e2 = (struct cond_expr *)arg2;
3502
3467
while (e2) {
3503
3468
e1 = e2;
3504
3469
e2 = e2->next;
3505
3470
}
3506
3471
if (!e1 || e1->next) {
3507
yyerror("illegal right side of conditional binary op expression");
3472
yyerror
3473
("illegal right side of conditional binary op expression");
3508
3474
free(expr);
3509
return NULL ;
3475
return NULL;
3510
3476
}
3511
3477
e1->next = expr;
3512
return (struct cond_expr *) arg1;
3478
return (struct cond_expr *)arg1;
3513
3479
case COND_BOOL:
3514
id = (char *) queue_remove(id_queue) ;
3480
id = (char *)queue_remove(id_queue);
3515
3481
if (!id) {
3516
3482
yyerror("bad conditional; expected boolean id");
3517
3483
free(id);
3518
3484
free(expr);
3519
3485
return NULL;
3520
3486
}
3521
if (!is_id_in_scope(SYM_BOOLS, id)) {
3522
yyerror2("boolean %s is not within scope", id);
3523
free(id);
3524
free(expr);
3525
return NULL;
3526
}
3527
bool_var = (cond_bool_datum_t *) hashtab_search(policydbp->p_bools.table,
3528
(hashtab_key_t) id);
3487
if (!is_id_in_scope(SYM_BOOLS, id)) {
3488
yyerror2("boolean %s is not within scope", id);
3489
free(id);
3490
free(expr);
3491
return NULL;
3492
}
3493
bool_var =
3494
(cond_bool_datum_t *) hashtab_search(policydbp->p_bools.
3495
table,
3496
(hashtab_key_t) id);
3529
3497
if (!bool_var) {
3530
sprintf(errormsg, "unknown boolean %s in conditional expression", id);
3498
sprintf(errormsg,
3499
"unknown boolean %s in conditional expression",
3500
id);
3531
3501
yyerror(errormsg);
3532
3502
free(expr);
3533
3503
free(id);
3534
return NULL ;
3504
return NULL;
3535
3505
}
3536
expr->bool = bool_var->value;
3506
expr->bool = bool_var->s.value;
3537
3507
free(id);
3538
3508
return expr;
3539
3509
default:
3542
3512
}
3543
3513
}
3544
3514
3545
3546
static int set_user_roles(role_set_t *set,
3547
char *id)
3515
static int set_user_roles(role_set_t * set, char *id)
3548
3516
{
3549
3517
role_datum_t *r;
3550
3518
unsigned int i;
3562
3530
return -1;
3563
3531
}
3564
3532
3565
if (!is_id_in_scope(SYM_ROLES, id)) {
3566
yyerror2("role %s is not within scope", id);
3567
free(id);
3568
return -1;
3569
}
3533
if (!is_id_in_scope(SYM_ROLES, id)) {
3534
yyerror2("role %s is not within scope", id);
3535
free(id);
3536
return -1;
3537
}
3570
3538
r = hashtab_search(policydbp->p_roles.table, id);
3571
3539
if (!r) {
3572
3540
sprintf(errormsg, "unknown role %s", id);
3583
3551
}
3584
3552
free(id);
3585
3553
return 0;
3586
oom:
3554
oom:
3587
3555
yyerror("out of memory");
3588
3556
return -1;
3589
3557
}
3590
3558
3591
3592
3559
static int
3593
parse_categories(char *id, level_datum_t *levdatum, ebitmap_t *cats)
3560
parse_categories(char *id, level_datum_t * levdatum, ebitmap_t * cats)
3594
3561
{
3595
3562
cat_datum_t *cdatum;
3596
3563
int range_start, range_end, i;
3601
3568
3602
3569
*(id_end++) = '\0';
3603
3570
3604
cdatum = (cat_datum_t *)hashtab_search(policydbp->p_cats.table,
3605
(hashtab_key_t)id_start);
3571
cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
3572
(hashtab_key_t)
3573
id_start);
3606
3574
if (!cdatum) {
3607
3575
sprintf(errormsg, "unknown category %s", id_start);
3608
3576
yyerror(errormsg);
3609
3577
return -1;
3610
3578
}
3611
range_start = cdatum->value - 1;
3612
cdatum = (cat_datum_t *)hashtab_search(policydbp->p_cats.table,
3613
(hashtab_key_t)id_end);
3579
range_start = cdatum->s.value - 1;
3580
cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
3581
(hashtab_key_t) id_end);
3614
3582
if (!cdatum) {
3615
3583
sprintf(errormsg, "unknown category %s", id_end);
3616
3584
yyerror(errormsg);
3617
3585
return -1;
3618
3586
}
3619
range_end = cdatum->value - 1;
3587
range_end = cdatum->s.value - 1;
3620
3588
3621
3589
if (range_end < range_start) {
3622
3590
sprintf(errormsg, "category range is invalid");
3624
3592
return -1;
3625
3593
}
3626
3594
} else {
3627
cdatum = (cat_datum_t *)hashtab_search(policydbp->p_cats.table,
3628
(hashtab_key_t)id);
3595
cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
3596
(hashtab_key_t) id);
3629
3597
if (!cdatum) {
3630
3598
sprintf(errormsg, "unknown category %s", id);
3631
3599
yyerror(errormsg);
3632
3600
return -1;
3633
3601
}
3634
range_start = range_end = cdatum->value - 1;
3602
range_start = range_end = cdatum->s.value - 1;
3635
3603
}
3636
3604
3637
3605
for (i = range_start; i <= range_end; i++) {
3639
3607
uint32_t level_value = levdatum->level->sens - 1;
3640
3608
policydb_index_others(NULL, policydbp, 0);
3641
3609
sprintf(errormsg, "category %s can not be associated "
3642
"with level %s",
3643
policydbp->p_cat_val_to_name[i],
3644
policydbp->p_sens_val_to_name[level_value]);
3610
"with level %s",
3611
policydbp->p_cat_val_to_name[i],
3612
policydbp->p_sens_val_to_name[level_value]);
3645
3613
yyerror(errormsg);
3646
3614
return -1;
3647
3615
}
3654
3622
return 0;
3655
3623
}
3656
3624
3625
static int
3626
parse_semantic_categories(char *id, level_datum_t * levdatum,
3627
mls_semantic_cat_t ** cats)
3628
{
3629
cat_datum_t *cdatum;
3630
mls_semantic_cat_t *newcat;
3631
unsigned int range_start, range_end;
3632
3633
if (id_has_dot(id)) {
3634
char *id_start = id;
3635
char *id_end = strchr(id, '.');
3636
3637
*(id_end++) = '\0';
3638
3639
cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
3640
(hashtab_key_t)
3641
id_start);
3642
if (!cdatum) {
3643
sprintf(errormsg, "unknown category %s", id_start);
3644
yyerror(errormsg);
3645
return -1;
3646
}
3647
range_start = cdatum->s.value;
3648
3649
cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
3650
(hashtab_key_t) id_end);
3651
if (!cdatum) {
3652
sprintf(errormsg, "unknown category %s", id_end);
3653
yyerror(errormsg);
3654
return -1;
3655
}
3656
range_end = cdatum->s.value;
3657
} else {
3658
cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
3659
(hashtab_key_t) id);
3660
if (!cdatum) {
3661
sprintf(errormsg, "unknown category %s", id);
3662
yyerror(errormsg);
3663
return -1;
3664
}
3665
range_start = range_end = cdatum->s.value;
3666
}
3667
3668
newcat = (mls_semantic_cat_t *) malloc(sizeof(mls_semantic_cat_t));
3669
if (!newcat) {
3670
yyerror("out of memory");
3671
return -1;
3672
}
3673
3674
mls_semantic_cat_init(newcat);
3675
newcat->next = *cats;
3676
newcat->low = range_start;
3677
newcat->high = range_end;
3678
3679
*cats = newcat;
3680
3681
return 0;
3682
}
3657
3683
3658
3684
static int define_user(void)
3659
3685
{
3662
3688
level_datum_t *levdatum;
3663
3689
int l;
3664
3690
3665
if (policydbp->policy_type == POLICY_MOD && mlspol) {
3666
yyerror("Users cannot be declared in MLS modules");
3667
return -1;
3668
}
3669
3670
3691
if (pass == 1) {
3671
while ((id = queue_remove(id_queue)))
3692
while ((id = queue_remove(id_queue)))
3672
3693
free(id);
3673
3694
if (mlspol) {
3674
while ((id = queue_remove(id_queue)))
3695
while ((id = queue_remove(id_queue)))
3675
3696
free(id);
3676
id = queue_remove(id_queue); free(id);
3697
id = queue_remove(id_queue);
3698
free(id);
3677
3699
for (l = 0; l < 2; l++) {
3678
while ((id = queue_remove(id_queue))) {
3700
while ((id = queue_remove(id_queue))) {
3679
3701
free(id);
3680
3702
}
3681
3703
id = queue_remove(id_queue);
3687
3709
return 0;
3688
3710
}
3689
3711
3690
if ((usrdatum = declare_user()) == NULL) {
3691
return -1;
3692
}
3712
if ((usrdatum = declare_user()) == NULL) {
3713
return -1;
3714
}
3693
3715
3694
3716
while ((id = queue_remove(id_queue))) {
3695
3717
if (set_user_roles(&usrdatum->roles, id))
3704
3726
}
3705
3727
3706
3728
levdatum = (level_datum_t *)
3707
hashtab_search(policydbp->p_levels.table,
3708
(hashtab_key_t) id);
3729
hashtab_search(policydbp->p_levels.table,
3730
(hashtab_key_t) id);
3709
3731
if (!levdatum) {
3710
3732
sprintf(errormsg, "unknown sensitivity %s used in user"
3711
" level definition", id);
3733
" level definition", id);
3712
3734
yyerror(errormsg);
3713
3735
free(id);
3714
3736
return -1;
3716
3738
free(id);
3717
3739
3718
3740
usrdatum->dfltlevel.sens = levdatum->level->sens;
3719
ebitmap_init(&usrdatum->dfltlevel.cat);
3720
3741
3721
3742
while ((id = queue_remove(id_queue))) {
3722
if (parse_categories(id, levdatum,
3723
&usrdatum->dfltlevel.cat)) {
3743
if (parse_semantic_categories(id, levdatum,
3744
&usrdatum->dfltlevel.cat)) {
3724
3745
free(id);
3725
3746
return -1;
3726
3747
}
3731
3752
3732
3753
for (l = 0; l < 2; l++) {
3733
3754
levdatum = (level_datum_t *)
3734
hashtab_search(policydbp->p_levels.table,
3735
(hashtab_key_t) id);
3755
hashtab_search(policydbp->p_levels.table,
3756
(hashtab_key_t) id);
3736
3757
if (!levdatum) {
3737
sprintf(errormsg, "unknown sensitivity %s used in user range definition", id);
3758
sprintf(errormsg,
3759
"unknown sensitivity %s used in user range definition",
3760
id);
3738
3761
yyerror(errormsg);
3739
3762
free(id);
3740
3763
return -1;
3741
3764
}
3742
3765
free(id);
3766
3743
3767
usrdatum->range.level[l].sens = levdatum->level->sens;
3744
ebitmap_init(&usrdatum->range.level[l].cat);
3745
3768
3746
3769
while ((id = queue_remove(id_queue))) {
3747
if (parse_categories(id, levdatum,
3748
&usrdatum->range.level[l].cat)) {
3770
if (parse_semantic_categories(id, levdatum,
3771
&usrdatum->range.level[l].cat)) {
3749
3772
free(id);
3750
3773
return -1;
3751
3774
}
3758
3781
}
3759
3782
3760
3783
if (l == 0) {
3761
usrdatum->range.level[1].sens =
3762
usrdatum->range.level[0].sens;
3763
if (ebitmap_cpy(&usrdatum->range.level[1].cat,
3764
&usrdatum->range.level[0].cat)) {
3784
if (mls_semantic_level_cpy(&usrdatum->range.level[1],
3785
&usrdatum->range.level[0])) {
3765
3786
yyerror("out of memory");
3766
goto out;
3787
return -1;
3767
3788
}
3768
3789
}
3769
if (!mls_level_dom(&usrdatum->range.level[1],
3770
&usrdatum->range.level[0])) {
3771
yyerror("high level does not dominate low level");
3772
goto out;
3773
}
3774
if (!mls_level_between(&usrdatum->dfltlevel,
3775
&usrdatum->range.level[0],
3776
&usrdatum->range.level[1])) {
3777
yyerror("default level not within user range");
3778
goto out;
3779
}
3780
3790
}
3781
3791
return 0;
3782
3783
out:
3784
ebitmap_destroy(&usrdatum->dfltlevel.cat);
3785
ebitmap_destroy(&usrdatum->range.level[0].cat);
3786
ebitmap_destroy(&usrdatum->range.level[1].cat);
3787
return -1;
3788
3792
}
3789
3793
3790
3791
3794
static int parse_security_context(context_struct_t * c)
3792
3795
{
3793
3796
char *id;
3798
3801
int l;
3799
3802
3800
3803
if (pass == 1) {
3801
id = queue_remove(id_queue); free(id); /* user */
3802
id = queue_remove(id_queue); free(id); /* role */
3803
id = queue_remove(id_queue); free(id); /* type */
3804
id = queue_remove(id_queue);
3805
free(id); /* user */
3806
id = queue_remove(id_queue);
3807
free(id); /* role */
3808
id = queue_remove(id_queue);
3809
free(id); /* type */
3804
3810
if (mlspol) {
3805
id = queue_remove(id_queue); free(id);
3811
id = queue_remove(id_queue);
3812
free(id);
3806
3813
for (l = 0; l < 2; l++) {
3807
3814
while ((id = queue_remove(id_queue))) {
3808
3815
free(id);
3810
3817
id = queue_remove(id_queue);
3811
3818
if (!id)
3812
3819
break;
3813
free(id);
3820
free(id);
3814
3821
}
3815
3822
}
3816
3823
return 0;
3824
3831
yyerror("no effective user?");
3825
3832
goto bad;
3826
3833
}
3827
if (!is_id_in_scope(SYM_USERS, id)) {
3828
yyerror2("user %s is not within scope", id);
3829
free(id);
3830
goto bad;
3831
}
3834
if (!is_id_in_scope(SYM_USERS, id)) {
3835
yyerror2("user %s is not within scope", id);
3836
free(id);
3837
goto bad;
3838
}
3832
3839
usrdatum = (user_datum_t *) hashtab_search(policydbp->p_users.table,
3833
3840
(hashtab_key_t) id);
3834
3841
if (!usrdatum) {
3837
3844
free(id);
3838
3845
goto bad;
3839
3846
}
3840
c->user = usrdatum->value;
3847
c->user = usrdatum->s.value;
3841
3848
3842
3849
/* no need to keep the user name */
3843
3850
free(id);
3844
3851
3845
3852
/* extract the role */
3846
id = (char *) queue_remove(id_queue);
3853
id = (char *)queue_remove(id_queue);
3847
3854
if (!id) {
3848
3855
yyerror("no role name for sid context definition?");
3849
3856
return -1;
3850
3857
}
3851
if (!is_id_in_scope(SYM_ROLES, id)) {
3852
yyerror2("role %s is not within scope", id);
3853
free(id);
3854
return -1;
3855
}
3858
if (!is_id_in_scope(SYM_ROLES, id)) {
3859
yyerror2("role %s is not within scope", id);
3860
free(id);
3861
return -1;
3862
}
3856
3863
role = (role_datum_t *) hashtab_search(policydbp->p_roles.table,
3857
3864
(hashtab_key_t) id);
3858
3865
if (!role) {
3861
3868
free(id);
3862
3869
return -1;
3863
3870
}
3864
c->role = role->value;
3871
c->role = role->s.value;
3865
3872
3866
3873
/* no need to keep the role name */
3867
3874
free(id);
3868
3875
3869
3870
3876
/* extract the type */
3871
id = (char *) queue_remove(id_queue);
3877
id = (char *)queue_remove(id_queue);
3872
3878
if (!id) {
3873
3879
yyerror("no type name for sid context definition?");
3874
3880
return -1;
3875
3881
}
3876
if (!is_id_in_scope(SYM_TYPES, id)) {
3877
yyerror2("type %s is not within scope", id);
3878
free(id);
3879
return -1;
3880
}
3882
if (!is_id_in_scope(SYM_TYPES, id)) {
3883
yyerror2("type %s is not within scope", id);
3884
free(id);
3885
return -1;
3886
}
3881
3887
typdatum = (type_datum_t *) hashtab_search(policydbp->p_types.table,
3882
3888
(hashtab_key_t) id);
3883
if (!typdatum || typdatum->isattr) {
3884
sprintf(errormsg, "type %s is not defined or is an attribute", id);
3889
if (!typdatum || typdatum->flavor == TYPE_ATTRIB) {
3890
sprintf(errormsg, "type %s is not defined or is an attribute",
3891
id);
3885
3892
yyerror(errormsg);
3886
3893
free(id);
3887
3894
return -1;
3888
3895
}
3889
c->type = typdatum->value;
3896
c->type = typdatum->s.value;
3890
3897
3891
3898
/* no need to keep the type name */
3892
3899
free(id);
3893
3900
3894
3901
if (mlspol) {
3895
3902
/* extract the low sensitivity */
3896
id = (char *) queue_head(id_queue);
3903
id = (char *)queue_head(id_queue);
3897
3904
if (!id) {
3898
3905
yyerror("no sensitivity name for sid context"
3899
" definition?");
3906
" definition?");
3900
3907
return -1;
3901
3908
}
3902
3909
3903
id = (char *) queue_remove(id_queue);
3910
id = (char *)queue_remove(id_queue);
3904
3911
for (l = 0; l < 2; l++) {
3905
3912
levdatum = (level_datum_t *)
3906
hashtab_search(policydbp->p_levels.table,
3907
(hashtab_key_t) id);
3913
hashtab_search(policydbp->p_levels.table,
3914
(hashtab_key_t) id);
3908
3915
if (!levdatum) {
3909
3916
sprintf(errormsg, "Sensitivity %s is not "
3910
"defined", id);
3917
"defined", id);
3911
3918
yyerror(errormsg);
3912
3919
free(id);
3913
3920
return -1;
3918
3925
/* extract low category set */
3919
3926
while ((id = queue_remove(id_queue))) {
3920
3927
if (parse_categories(id, levdatum,
3921
&c->range.level[l].cat)) {
3928
&c->range.level[l].cat)) {
3922
3929
free(id);
3923
3930
return -1;
3924
3931
}
3926
3933
}
3927
3934
3928
3935
/* extract high sensitivity */
3929
id = (char *) queue_remove(id_queue);
3936
id = (char *)queue_remove(id_queue);
3930
3937
if (!id)
3931
3938
break;
3932
3939
}
3934
3941
if (l == 0) {
3935
3942
c->range.level[1].sens = c->range.level[0].sens;
3936
3943
if (ebitmap_cpy(&c->range.level[1].cat,
3937
&c->range.level[0].cat)) {
3944
&c->range.level[0].cat)) {
3938
3945
3939
3946
yyerror("out of memory");
3940
3947
goto bad;
3954
3961
return -1;
3955
3962
}
3956
3963
3957
3958
3964
static int define_initial_sid_context(void)
3959
3965
{
3960
3966
char *id;
3961
3967
ocontext_t *c, *head;
3962
3968
3963
3969
if (pass == 1) {
3964
id = (char *) queue_remove(id_queue); free(id);
3970
id = (char *)queue_remove(id_queue);
3971
free(id);
3965
3972
parse_security_context(NULL);
3966
3973
return 0;
3967
3974
}
3968
3975
3969
id = (char *) queue_remove(id_queue);
3976
id = (char *)queue_remove(id_queue);
3970
3977
if (!id) {
3971
3978
yyerror("no sid name for SID context definition?");
3972
3979
return -1;
3984
3991
return -1;
3985
3992
}
3986
3993
if (c->context[0].user) {
3987
sprintf(errormsg, "The context for SID %s is multiply defined", id);
3994
sprintf(errormsg, "The context for SID %s is multiply defined",
3995
id);
3988
3996
yyerror(errormsg);
3989
3997
free(id);
3990
3998
return -1;
4015
4023
}
4016
4024
memset(newc, 0, sizeof(ocontext_t));
4017
4025
4018
newc->u.name = (char *) malloc(6);
4026
newc->u.name = (char *)malloc(6);
4019
4027
if (!newc->u.name) {
4020
4028
yyerror("out of memory");
4021
4029
free(newc);
4038
4046
4039
4047
for (c = head; c; c = c->next) {
4040
4048
if (!strcmp(newc->u.name, c->u.name)) {
4041
sprintf(errormsg, "duplicate entry for file system %s", newc->u.name);
4049
sprintf(errormsg, "duplicate entry for file system %s",
4050
newc->u.name);
4042
4051
yyerror(errormsg);
4043
4052
context_destroy(&newc->context[0]);
4044
4053
context_destroy(&newc->context[1]);
4061
4070
char *id;
4062
4071
4063
4072
if (pass == 1) {
4064
id = (char *) queue_remove(id_queue); free(id);
4073
id = (char *)queue_remove(id_queue);
4074
free(id);
4065
4075
parse_security_context(NULL);
4066
4076
return 0;
4067
4077
}
4073
4083
}
4074
4084
memset(newc, 0, sizeof(ocontext_t));
4075
4085
4076
id = (char *) queue_remove(id_queue);
4086
id = (char *)queue_remove(id_queue);
4077
4087
if (!id) {
4078
4088
free(newc);
4079
4089
return -1;
4094
4104
newc->u.port.high_port = high;
4095
4105
4096
4106
if (low > high) {
4097
sprintf(errormsg, "low port %d exceeds high port %d", low, high);
4107
sprintf(errormsg, "low port %d exceeds high port %d", low,
4108
high);
4098
4109
yyerror(errormsg);
4099
4110
free(newc);
4100
4111
return -1;
4116
4127
if (protocol != prot2)
4117
4128
continue;
4118
4129
if (low == low2 && high == high2) {
4119
sprintf(errormsg, "duplicate portcon entry for %s %d-%d ", id, low, high);
4130
sprintf(errormsg,
4131
"duplicate portcon entry for %s %d-%d ", id,
4132
low, high);
4120
4133
goto bad;
4121
4134
}
4122
4135
if (low2 <= low && high2 >= high) {
4123
sprintf(errormsg, "portcon entry for %s %d-%d hidden by earlier entry for %d-%d", id, low, high, low2, high2);
4136
sprintf(errormsg,
4137
"portcon entry for %s %d-%d hidden by earlier entry for %d-%d",
4138
id, low, high, low2, high2);
4124
4139
goto bad;
4125
4140
}
4126
4141
}
4132
4147
4133
4148
return 0;
4134
4149
4135
bad:
4150
bad:
4136
4151
yyerror(errormsg);
4137
4152
free(newc);
4138
4153
return -1;
4156
4171
}
4157
4172
memset(newc, 0, sizeof(ocontext_t));
4158
4173
4159
newc->u.name = (char *) queue_remove(id_queue);
4174
newc->u.name = (char *)queue_remove(id_queue);
4160
4175
if (!newc->u.name) {
4161
4176
free(newc);
4162
4177
return -1;
4176
4191
4177
4192
for (c = head; c; c = c->next) {
4178
4193
if (!strcmp(newc->u.name, c->u.name)) {
4179
sprintf(errormsg, "duplicate entry for network interface %s", newc->u.name);
4194
sprintf(errormsg,
4195
"duplicate entry for network interface %s",
4196
newc->u.name);
4180
4197
yyerror(errormsg);
4181
4198
context_destroy(&newc->context[0]);
4182
4199
context_destroy(&newc->context[1]);
4217
4234
return -1;
4218
4235
}
4219
4236
4220
/* Create order of most specific to least retaining
4221
the order specified in the configuration. */
4237
/* Create order of most specific to least retaining
4238
the order specified in the configuration. */
4222
4239
head = policydbp->ocontexts[OCON_NODE];
4223
4240
for (l = NULL, c = head; c; l = c, c = c->next) {
4224
if (newc->u.node.mask > c->u.node.mask)
4225
break;
4226
}
4241
if (newc->u.node.mask > c->u.node.mask)
4242
break;
4243
}
4227
4244
4228
4245
newc->next = c;
4229
4246
4241
4258
int rc = 0;
4242
4259
struct in6_addr addr, mask;
4243
4260
ocontext_t *newc, *c, *l, *head;
4244
4261
4245
4262
if (pass == 1) {
4246
4263
free(queue_remove(id_queue));
4247
4264
free(queue_remove(id_queue));
4248
4265
parse_security_context(NULL);
4249
4266
goto out;
4250
4267
}
4251
4268
4252
4269
id = queue_remove(id_queue);
4253
4270
if (!id) {
4254
4271
yyerror("failed to read ipv6 address");
4257
4274
}
4258
4275
4259
4276
rc = inet_pton(AF_INET6, id, &addr);
4260
free (id);
4277
free(id);
4261
4278
if (rc < 1) {
4262
4279
yyerror("failed to parse ipv6 address");
4263
4280
if (rc == 0)
4280
4297
rc = -1;
4281
4298
goto out;
4282
4299
}
4283
4300
4284
4301
newc = malloc(sizeof(ocontext_t));
4285
4302
if (!newc) {
4286
4303
yyerror("out of memory");
4302
4319
the order specified in the configuration. */
4303
4320
head = policydbp->ocontexts[OCON_NODE6];
4304
4321
for (l = NULL, c = head; c; l = c, c = c->next) {
4305
if (memcmp(&newc->u.node6.mask,&c->u.node6.mask,16) > 0)
4322
if (memcmp(&newc->u.node6.mask, &c->u.node6.mask, 16) > 0)
4306
4323
break;
4307
4324
}
4308
4325
4314
4331
policydbp->ocontexts[OCON_NODE6] = newc;
4315
4332
4316
4333
rc = 0;
4317
out:
4334
out:
4318
4335
return rc;
4319
4336
}
4320
4337
4335
4352
}
4336
4353
memset(newc, 0, sizeof(ocontext_t));
4337
4354
4338
newc->u.name = (char *) queue_remove(id_queue);
4355
newc->u.name = (char *)queue_remove(id_queue);
4339
4356
if (!newc->u.name) {
4340
4357
free(newc);
4341
4358
return -1;
4351
4368
4352
4369
for (c = head; c; c = c->next) {
4353
4370
if (!strcmp(newc->u.name, c->u.name)) {
4354
sprintf(errormsg, "duplicate fs_use entry for filesystem type %s", newc->u.name);
4371
sprintf(errormsg,
4372
"duplicate fs_use entry for filesystem type %s",
4373
newc->u.name);
4355
4374
yyerror(errormsg);
4356
4375
context_destroy(&newc->context[0]);
4357
4376
free(newc->u.name);
4381
4400
return 0;
4382
4401
}
4383
4402
4384
for (genfs_p = NULL, genfs = policydbp->genfs;
4403
for (genfs_p = NULL, genfs = policydbp->genfs;
4385
4404
genfs; genfs_p = genfs, genfs = genfs->next) {
4386
4405
if (strcmp(fstype, genfs->fstype) <= 0)
4387
4406
break;
4396
4415
memset(newgenfs, 0, sizeof(struct genfs));
4397
4416
newgenfs->fstype = fstype;
4398
4417
newgenfs->next = genfs;
4399
if (genfs_p)
4418
if (genfs_p)
4400
4419
genfs_p->next = newgenfs;
4401
4420
else
4402
4421
policydbp->genfs = newgenfs;
4410
4429
}
4411
4430
memset(newc, 0, sizeof(ocontext_t));
4412
4431
4413
newc->u.name = (char *) queue_remove(id_queue);
4414
if (!newc->u.name)
4432
newc->u.name = (char *)queue_remove(id_queue);
4433
if (!newc->u.name)
4415
4434
goto fail;
4416
4435
if (has_type) {
4417
type = (char *) queue_remove(id_queue);
4418
if (!type)
4436
type = (char *)queue_remove(id_queue);
4437
if (!type)
4419
4438
goto fail;
4420
4439
if (type[1] != 0) {
4421
4440
sprintf(errormsg, "invalid type %s", type);
4450
4469
goto fail;
4451
4470
}
4452
4471
}
4453
if (parse_security_context(&newc->context[0]))
4472
if (parse_security_context(&newc->context[0]))
4454
4473
goto fail;
4455
4474
4456
4475
head = genfs->head;
4457
4476
4458
4477
for (p = NULL, c = head; c; p = c, c = c->next) {
4459
if (!strcmp(newc->u.name, c->u.name) &&
4460
(!newc->v.sclass || !c->v.sclass || newc->v.sclass == c->v.sclass)) {
4461
sprintf(errormsg, "duplicate entry for genfs entry (%s, %s)", fstype, newc->u.name);
4478
if (!strcmp(newc->u.name, c->u.name) &&
4479
(!newc->v.sclass || !c->v.sclass
4480
|| newc->v.sclass == c->v.sclass)) {
4481
sprintf(errormsg,
4482
"duplicate entry for genfs entry (%s, %s)",
4483
fstype, newc->u.name);
4462
4484
yyerror(errormsg);
4463
4485
goto fail;
4464
4486
}
4469
4491
}
4470
4492
4471
4493
newc->next = c;
4472
if (p)
4494
if (p)
4473
4495
p->next = newc;
4474
4496
else
4475
4497
genfs->head = newc;
4476
4498
return 0;
4477
fail:
4499
fail:
4478
4500
if (type)
4479
4501
free(type);
4480
4502
context_destroy(&newc->context[0]);
4491
4513
return define_genfs_context_helper(queue_remove(id_queue), has_type);
4492
4514
}
4493
4515
4494
static int define_range_trans(void)
4516
static int define_range_trans(int class_specified)
4495
4517
{
4496
4518
char *id;
4497
4519
level_datum_t *levdatum = 0;
4498
mls_range_t range;
4499
type_set_t doms, types;
4500
ebitmap_node_t *snode, *tnode;
4501
range_trans_t *rt = 0;
4502
unsigned int i, j;
4520
class_datum_t *cladatum;
4521
range_trans_rule_t *rule;
4503
4522
int l, add = 1;
4504
4523
4505
4524
if (!mlspol) {
4508
4527
}
4509
4528
4510
4529
if (pass == 1) {
4511
while ((id = queue_remove(id_queue)))
4512
free(id);
4513
while ((id = queue_remove(id_queue)))
4514
free(id);
4515
id = queue_remove(id_queue); free(id);
4530
while ((id = queue_remove(id_queue)))
4531
free(id);
4532
while ((id = queue_remove(id_queue)))
4533
free(id);
4534
if (class_specified)
4535
while ((id = queue_remove(id_queue)))
4536
free(id);
4537
id = queue_remove(id_queue);
4538
free(id);
4516
4539
for (l = 0; l < 2; l++) {
4517
4540
while ((id = queue_remove(id_queue))) {
4518
4541
free(id);
4520
4543
id = queue_remove(id_queue);
4521
4544
if (!id)
4522
4545
break;
4523
free(id);
4546
free(id);
4524
4547
}
4525
4548
return 0;
4526
4549
}
4527
4550
4528
type_set_init(&doms);
4529
type_set_init(&types);
4530
4531
while ((id = queue_remove(id_queue))) {
4532
if (set_types(&doms, id, &add, 0))
4533
return -1;
4534
}
4535
add = 1;
4536
while ((id = queue_remove(id_queue))) {
4537
if (set_types(&types, id, &add, 0))
4538
return -1;
4551
rule = malloc(sizeof(struct range_trans_rule));
4552
if (!rule) {
4553
yyerror("out of memory");
4554
return -1;
4555
}
4556
range_trans_rule_init(rule);
4557
4558
while ((id = queue_remove(id_queue))) {
4559
if (set_types(&rule->stypes, id, &add, 0))
4560
goto out;
4561
}
4562
add = 1;
4563
while ((id = queue_remove(id_queue))) {
4564
if (set_types(&rule->ttypes, id, &add, 0))
4565
goto out;
4566
}
4567
4568
if (class_specified) {
4569
while ((id = queue_remove(id_queue))) {
4570
if (!is_id_in_scope(SYM_CLASSES, id)) {
4571
yyerror2("class %s is not within scope", id);
4572
free(id);
4573
goto out;
4574
}
4575
cladatum = hashtab_search(policydbp->p_classes.table,
4576
id);
4577
if (!cladatum) {
4578
sprintf(errormsg, "unknown class %s", id);
4579
yyerror(errormsg);
4580
goto out;
4581
}
4582
4583
ebitmap_set_bit(&rule->tclasses, cladatum->s.value - 1,
4584
TRUE);
4585
free(id);
4586
}
4587
} else {
4588
cladatum = hashtab_search(policydbp->p_classes.table,
4589
"process");
4590
if (!cladatum) {
4591
sprintf(errormsg, "could not find process class for "
4592
"legacy range_transition statement\n");
4593
yyerror(errormsg);
4594
goto out;
4595
}
4596
4597
ebitmap_set_bit(&rule->tclasses, cladatum->s.value - 1, TRUE);
4539
4598
}
4540
4599
4541
4600
id = (char *)queue_remove(id_queue);
4542
4601
if (!id) {
4543
4602
yyerror("no range in range_transition definition?");
4544
return -1;
4603
goto out;
4545
4604
}
4546
4605
for (l = 0; l < 2; l++) {
4547
4606
levdatum = hashtab_search(policydbp->p_levels.table, id);
4548
4607
if (!levdatum) {
4549
sprintf(errormsg, "unknown level %s used in range_transition definition", id);
4608
sprintf(errormsg,
4609
"unknown level %s used in range_transition "
4610
"definition", id);
4550
4611
yyerror(errormsg);
4551
4612
free(id);
4552
return -1;
4613
goto out;
4553
4614
}
4554
4615
free(id);
4555
range.level[l].sens = levdatum->level->sens;
4556
4616
4557
ebitmap_init(&range.level[l].cat);
4617
rule->trange.level[l].sens = levdatum->level->sens;
4558
4618
4559
4619
while ((id = queue_remove(id_queue))) {
4560
if (parse_categories(id, levdatum,
4561
&range.level[l].cat)) {
4620
if (parse_semantic_categories(id, levdatum,
4621
&rule->trange.level[l].cat)) {
4562
4622
free(id);
4563
return -1;
4623
goto out;
4564
4624
}
4565
4625
free(id);
4566
4626
}
4570
4630
break;
4571
4631
}
4572
4632
if (l == 0) {
4573
range.level[1].sens = range.level[0].sens;
4574
if (ebitmap_cpy(&range.level[1].cat, &range.level[0].cat)) {
4633
if (mls_semantic_level_cpy(&rule->trange.level[1],
4634
&rule->trange.level[0])) {
4575
4635
yyerror("out of memory");
4576
return -1;
4577
}
4578
}
4579
4580
if (!mls_level_dom(&range.level[1], &range.level[0])) {
4581
yyerror("range_transition high level does not dominate low level");
4582
return -1;
4583
}
4584
4585
ebitmap_for_each_bit(&doms.types, snode, i) {
4586
if (!ebitmap_node_get_bit(snode, i))
4587
continue;
4588
ebitmap_for_each_bit(&types.types, tnode, j) {
4589
if (!ebitmap_node_get_bit(tnode, j))
4590
continue;
4591
4592
for (rt = policydbp->range_tr; rt; rt = rt->next) {
4593
if (rt->dom == (i + 1) && rt->type == (j + 1)) {
4594
sprintf(errormsg, "duplicate range_transition defined for (%s,%s)",
4595
policydbp->p_type_val_to_name[i], policydbp->p_type_val_to_name[j]);
4596
yyerror(errormsg);
4597
return -1;
4598
}
4599
}
4600
4601
rt = malloc(sizeof(range_trans_t));
4602
if (!rt) {
4603
yyerror("out of memory");
4604
return -1;
4605
}
4606
memset(rt, 0, sizeof(range_trans_t));
4607
rt->dom = i + 1;
4608
rt->type = j + 1;
4609
rt->range.level[0].sens = range.level[0].sens;
4610
if (ebitmap_cpy(&rt->range.level[0].cat,
4611
&range.level[0].cat)) {
4612
yyerror("out of memory");
4613
free(rt);
4614
return -1;
4615
}
4616
rt->range.level[1].sens = range.level[1].sens;
4617
if (ebitmap_cpy(&rt->range.level[1].cat,
4618
&range.level[1].cat)) {
4619
yyerror("out of memory");
4620
free(rt);
4621
return -1;
4622
}
4623
rt->next = policydbp->range_tr;
4624
policydbp->range_tr = rt;
4625
}
4626
}
4627
4628
type_set_destroy(&doms);
4629
type_set_destroy(&types);
4630
ebitmap_destroy(&range.level[0].cat);
4631
ebitmap_destroy(&range.level[1].cat);
4636
goto out;
4637
}
4638
}
4639
4640
append_range_trans(rule);
4632
4641
return 0;
4642
4643
out:
4644
range_trans_rule_destroy(rule);
4645
return -1;
4633
4646
}
4634
4647
4648
4635
4649
/* FLASK */
4636
4650
4637
4651
Loggerhead is a web-based interface for Breezy
Version: 2.0.1