101
101
static role_datum_t *merge_roles_dom(role_datum_t *r1,role_datum_t *r2);
102
102
static role_datum_t *define_role_dom(role_datum_t *r);
103
103
static int define_role_trans(void);
104
static int define_range_trans(void);
104
static int define_range_trans(int class_specified);
105
105
static int define_role_allow(void);
106
106
static int define_constraint(constraint_expr_t *expr);
107
107
static int define_validatetrans(constraint_expr_t *expr);
832
834
| ATTRIBUTE { $$ = require_attribute; }
833
835
| USER { $$ = require_user; }
834
836
| BOOL { $$ = require_bool; }
835
/* MLS-enabled modules are not implemented at this time.
836
837
| SENSITIVITY { $$ = require_sens; }
837
838
| CATEGORY { $$ = require_cat; }
840
840
require_id_list : identifier
841
841
{ if ($<require_func>0 (pass)) return -1; }
865
865
/* initialize all of the state variables for the scanner/parser */
866
866
void init_parser(int pass_number)
874
874
void yyerror2(char *fmt, ...)
878
vsnprintf(errormsg, ERRORMSG_LEN, fmt, ap);
878
vsnprintf(errormsg, ERRORMSG_LEN, fmt, ap);
886
885
static int insert_separator(int push)
926
/* Add a rule onto an avtab hash table only if it does not already
927
* exist. (Note that the avtab is discarded afterwards; it will be
928
* regenerated during expansion.) Return 1 if rule was added (or
929
* otherwise handled successfully), 0 if it conflicted with something,
931
static int insert_check_type_rule(avrule_t *rule, avtab_t *avtab, cond_av_list_t **list, cond_av_list_t **other)
935
ret = expand_rule(NULL, policydbp, rule, avtab, list, other, 0);
937
yyerror("Failed on expanding rule");
942
925
/* If the identifier has a dot within it and that its first character
943
926
is not a dot then return 1, else return 0. */
944
927
static int id_has_dot(char *id)
946
if (strchr(id, '.') >= id + 1) {
929
if (strchr(id, '.') >= id + 1) {
952
935
static int define_class(void)
965
id = (char *) queue_remove(id_queue);
948
id = (char *)queue_remove(id_queue);
967
950
yyerror("no class name for class definition?");
970
if (id_has_dot(id)) {
972
yyerror("class identifiers may not contain periods");
953
if (id_has_dot(id)) {
955
yyerror("class identifiers may not contain periods");
975
958
datum = (class_datum_t *) malloc(sizeof(class_datum_t));
977
960
yyerror("out of memory");
980
963
memset(datum, 0, sizeof(class_datum_t));
981
ret = declare_symbol(SYM_CLASSES, id, datum, &value, &value);
984
yyerror("Out of memory!");
988
yyerror2("duplicate declaration of class %s", id);
992
yyerror("could not declare class here");
1000
assert(0); /* should never get here */
1003
datum->value = value;
964
ret = declare_symbol(SYM_CLASSES, id, datum, &value, &value);
967
yyerror("Out of memory!");
971
yyerror2("duplicate declaration of class %s", id);
975
yyerror("could not declare class here");
983
assert(0); /* should never get here */
986
datum->s.value = value;
1071
1053
perm_datum_t *perdatum = 0;
1075
1056
if (pass == 2) {
1076
while ((id = queue_remove(id_queue)))
1057
while ((id = queue_remove(id_queue)))
1081
id = (char *) queue_remove(id_queue);
1062
id = (char *)queue_remove(id_queue);
1083
1064
yyerror("no common name for common perm definition?");
1086
comdatum = hashtab_search(policydbp->p_commons.table, id);
1088
snprintf(errormsg, ERRORMSG_LEN,
1089
"duplicate declaration for common %s\n", id);
1067
comdatum = hashtab_search(policydbp->p_commons.table, id);
1069
snprintf(errormsg, ERRORMSG_LEN,
1070
"duplicate declaration for common %s\n", id);
1093
1074
comdatum = (common_datum_t *) malloc(sizeof(common_datum_t));
1094
1075
if (!comdatum) {
1095
1076
yyerror("out of memory");
1098
1079
memset(comdatum, 0, sizeof(common_datum_t));
1099
1080
ret = hashtab_insert(policydbp->p_commons.table,
1100
(hashtab_key_t) id, (hashtab_datum_t) comdatum);
1081
(hashtab_key_t) id, (hashtab_datum_t) comdatum);
1102
1083
if (ret == HASHTAB_PRESENT) {
1103
1084
yyerror("duplicate common definition");
1107
1088
yyerror("hash table overflow");
1110
comdatum->value = policydbp->p_commons.nprim + 1;
1091
comdatum->s.value = policydbp->p_commons.nprim + 1;
1111
1092
if (symtab_init(&comdatum->permissions, PERM_SYMTAB_SIZE)) {
1112
1093
yyerror("out of memory");
1115
policydbp->p_commons.nprim++;
1096
policydbp->p_commons.nprim++;
1116
1097
while ((perm = queue_remove(id_queue))) {
1117
1098
perdatum = (perm_datum_t *) malloc(sizeof(perm_datum_t));
1118
1099
if (!perdatum) {
1122
1103
memset(perdatum, 0, sizeof(perm_datum_t));
1123
perdatum->value = comdatum->permissions.nprim + 1;
1104
perdatum->s.value = comdatum->permissions.nprim + 1;
1125
if (perdatum->value > (sizeof(sepol_access_vector_t) * 8)) {
1126
yyerror("too many permissions to fit in an access vector");
1106
if (perdatum->s.value > (sizeof(sepol_access_vector_t) * 8)) {
1108
("too many permissions to fit in an access vector");
1129
1111
ret = hashtab_insert(comdatum->permissions.table,
1201
1182
if (inherits) {
1202
id = (char *) queue_remove(id_queue);
1183
id = (char *)queue_remove(id_queue);
1204
yyerror("no inherits name for access vector definition?");
1186
("no inherits name for access vector definition?");
1207
comdatum = (common_datum_t *) hashtab_search(policydbp->p_commons.table,
1208
(hashtab_key_t) id);
1190
(common_datum_t *) hashtab_search(policydbp->p_commons.
1192
(hashtab_key_t) id);
1210
1194
if (!comdatum) {
1211
1195
sprintf(errormsg, "common %s is not defined", id);
1230
1214
memset(perdatum, 0, sizeof(perm_datum_t));
1231
perdatum->value = ++cladatum->permissions.nprim;
1215
perdatum->s.value = ++cladatum->permissions.nprim;
1233
if (perdatum->value > (sizeof(sepol_access_vector_t) * 8)) {
1234
yyerror("too many permissions to fit in an access vector");
1217
if (perdatum->s.value > (sizeof(sepol_access_vector_t) * 8)) {
1219
("too many permissions to fit in an access vector");
1237
1222
if (inherits) {
1320
1308
yyerror("out of memory");
1323
memset(datum, 0, sizeof(level_datum_t));
1311
level_datum_init(datum);
1324
1312
datum->isalias = FALSE;
1325
1313
datum->level = level;
1327
ret = declare_symbol(SYM_LEVELS, id, datum, &value, &value);
1330
yyerror("Out of memory!");
1334
yyerror("duplicate declaration of sensitivity level");
1338
yyerror("could not declare sensitivity level here");
1346
assert(0); /* should never get here */
1315
ret = declare_symbol(SYM_LEVELS, id, datum, &value, &value);
1318
yyerror("Out of memory!");
1322
yyerror("duplicate declaration of sensitivity level");
1326
yyerror("could not declare sensitivity level here");
1334
assert(0); /* should never get here */
1350
1338
while ((id = queue_remove(id_queue))) {
1351
1339
if (id_has_dot(id)) {
1352
1340
yyerror("sensitivity aliases may not contain periods");
1357
1345
yyerror("out of memory");
1358
1346
goto bad_alias;
1360
memset(aliasdatum, 0, sizeof(level_datum_t));
1348
level_datum_init(aliasdatum);
1361
1349
aliasdatum->isalias = TRUE;
1362
1350
aliasdatum->level = level;
1364
ret = declare_symbol(SYM_LEVELS, id, aliasdatum, NULL, &value);
1367
yyerror("Out of memory!");
1371
yyerror("duplicate declaration of sensitivity alias");
1375
yyerror("could not declare sensitivity alias here");
1383
assert(0); /* should never get here */
1352
ret = declare_symbol(SYM_LEVELS, id, aliasdatum, NULL, &value);
1355
yyerror("Out of memory!");
1360
("duplicate declaration of sensitivity alias");
1365
("could not declare sensitivity alias here");
1373
assert(0); /* should never get here */
1418
1412
if (pass == 2) {
1419
while ((id = queue_remove(id_queue)))
1413
while ((id = queue_remove(id_queue)))
1425
while ((id = (char *) queue_remove(id_queue))) {
1426
datum = (level_datum_t *) hashtab_search(policydbp->p_levels.table,
1419
while ((id = (char *)queue_remove(id_queue))) {
1421
(level_datum_t *) hashtab_search(policydbp->p_levels.table,
1427
1422
(hashtab_key_t) id);
1429
sprintf(errormsg, "unknown sensitivity %s used in dominance definition", id);
1425
"unknown sensitivity %s used in dominance definition",
1430
1427
yyerror(errormsg);
1434
1431
if (datum->level->sens != 0) {
1435
sprintf(errormsg, "sensitivity %s occurs multiply in dominance definition", id);
1433
"sensitivity %s occurs multiply in dominance definition",
1436
1435
yyerror(errormsg);
1482
1482
yyerror("out of memory");
1485
memset(datum, 0, sizeof(cat_datum_t));
1485
cat_datum_init(datum);
1486
1486
datum->isalias = FALSE;
1488
ret = declare_symbol(SYM_CATS, id, datum, &value, &value);
1491
yyerror("Out of memory!");
1495
yyerror("duplicate declaration of category");
1499
yyerror("could not declare category here");
1507
assert(0); /* should never get here */
1510
datum->value = value;
1488
ret = declare_symbol(SYM_CATS, id, datum, &value, &value);
1491
yyerror("Out of memory!");
1495
yyerror("duplicate declaration of category");
1499
yyerror("could not declare category here");
1507
assert(0); /* should never get here */
1510
datum->s.value = value;
1512
1512
while ((id = queue_remove(id_queue))) {
1513
1513
if (id_has_dot(id)) {
1519
1519
yyerror("out of memory");
1520
1520
goto bad_alias;
1522
memset(aliasdatum, 0, sizeof(cat_datum_t));
1522
cat_datum_init(aliasdatum);
1523
1523
aliasdatum->isalias = TRUE;
1524
aliasdatum->value = datum->value;
1524
aliasdatum->s.value = datum->s.value;
1526
ret = declare_symbol(SYM_CATS, id, aliasdatum, NULL, &datum->value);
1529
yyerror("Out of memory!");
1533
yyerror("duplicate declaration of category aliases");
1537
yyerror("could not declare category aliases here");
1545
assert(0); /* should never get here */
1527
declare_symbol(SYM_CATS, id, aliasdatum, NULL,
1531
yyerror("Out of memory!");
1536
("duplicate declaration of category aliases");
1541
("could not declare category aliases here");
1549
assert(0); /* should never get here */
1609
1617
levdatum = (level_datum_t *) hashtab_search(policydbp->p_levels.table,
1610
1618
(hashtab_key_t) id);
1611
1619
if (!levdatum) {
1612
sprintf(errormsg, "unknown sensitivity %s used in level definition", id);
1621
"unknown sensitivity %s used in level definition", id);
1613
1622
yyerror(errormsg);
1617
1626
if (ebitmap_length(&levdatum->level->cat)) {
1618
sprintf(errormsg, "sensitivity %s used in multiple level definitions", id);
1628
"sensitivity %s used in multiple level definitions",
1619
1630
yyerror(errormsg);
1635
1646
*(id_end++) = '\0';
1637
cdatum = (cat_datum_t *)hashtab_search(policydbp->p_cats.table,
1638
(hashtab_key_t)id_start);
1640
sprintf(errormsg, "unknown category %s", id_start);
1645
range_start = cdatum->value - 1;
1646
cdatum = (cat_datum_t *)hashtab_search(policydbp->p_cats.table,
1647
(hashtab_key_t)id_end);
1649
sprintf(errormsg, "unknown category %s", id_end);
1654
range_end = cdatum->value - 1;
1649
(cat_datum_t *) hashtab_search(policydbp->p_cats.
1654
sprintf(errormsg, "unknown category %s",
1660
range_start = cdatum->s.value - 1;
1662
(cat_datum_t *) hashtab_search(policydbp->p_cats.
1667
sprintf(errormsg, "unknown category %s",
1673
range_end = cdatum->s.value - 1;
1656
1675
if (range_end < range_start) {
1657
1676
sprintf(errormsg, "category range is invalid");
1694
if (declare_type(TRUE, TRUE) == NULL) {
1716
if (declare_type(TRUE, TRUE) == NULL) {
1700
static int add_aliases_to_type(type_datum_t *type)
1722
static int add_aliases_to_type(type_datum_t * type)
1703
type_datum_t *aliasdatum = NULL;
1725
type_datum_t *aliasdatum = NULL;
1705
1727
while ((id = queue_remove(id_queue))) {
1706
if (id_has_dot(id)) {
1708
yyerror("type alias identifiers may not contain periods");
1728
if (id_has_dot(id)) {
1731
("type alias identifiers may not contain periods");
1711
1734
aliasdatum = (type_datum_t *) malloc(sizeof(type_datum_t));
1712
1735
if (!aliasdatum) {
1714
1737
yyerror("Out of memory!");
1717
1740
memset(aliasdatum, 0, sizeof(type_datum_t));
1718
aliasdatum->value = type->value;
1741
aliasdatum->s.value = type->s.value;
1720
ret = declare_symbol(SYM_TYPES, id, aliasdatum,
1721
NULL, &aliasdatum->value);
1724
yyerror("Out of memory!");
1728
yyerror2("duplicate declaration of alias %s", id);
1732
yyerror("could not declare alias here");
1740
assert(0); /* should never get here */
1743
ret = declare_symbol(SYM_TYPES, id, aliasdatum,
1744
NULL, &aliasdatum->s.value);
1747
yyerror("Out of memory!");
1751
yyerror2("duplicate declaration of alias %s",
1756
yyerror("could not declare alias here");
1764
assert(0); /* should never get here */
1747
type_datum_destroy(aliasdatum);
1771
type_datum_destroy(aliasdatum);
1752
1776
static int define_typealias(void)
1755
1779
type_datum_t *t;
1757
1781
if (pass == 2) {
1758
while ((id = queue_remove(id_queue)))
1782
while ((id = queue_remove(id_queue)))
1763
id = (char *) queue_remove(id_queue);
1787
id = (char *)queue_remove(id_queue);
1765
1789
yyerror("no type name for typealias definition?");
1769
if (!is_id_in_scope(SYM_TYPES, id)) {
1770
yyerror2("type %s is not within scope", id);
1793
if (!is_id_in_scope(SYM_TYPES, id)) {
1794
yyerror2("type %s is not within scope", id);
1774
1798
t = hashtab_search(policydbp->p_types.table, id);
1775
if (!t || t->isattr) {
1776
sprintf(errormsg, "unknown type %s, or it was already declared as an attribute", id);
1799
if (!t || t->flavor == TYPE_ATTRIB) {
1801
"unknown type %s, or it was already declared as an attribute",
1777
1803
yyerror(errormsg);
1781
return add_aliases_to_type(t);
1807
return add_aliases_to_type(t);
1784
1810
static int define_typeattribute(void)
1801
if (!is_id_in_scope(SYM_TYPES, id)) {
1802
yyerror2("type %s is not within scope", id);
1827
if (!is_id_in_scope(SYM_TYPES, id)) {
1828
yyerror2("type %s is not within scope", id);
1806
1832
t = hashtab_search(policydbp->p_types.table, id);
1807
if (!t || t->isattr) {
1833
if (!t || t->flavor == TYPE_ATTRIB) {
1808
1834
sprintf(errormsg, "unknown type %s", id);
1809
1835
yyerror(errormsg);
1813
if ((t = get_local_type(id, t->value)) == NULL) {
1814
yyerror("Out of memory!");
1818
1840
while ((id = queue_remove(id_queue))) {
1819
if (!is_id_in_scope(SYM_TYPES, id)) {
1820
yyerror2("attribute %s is not within scope", id);
1841
if (!is_id_in_scope(SYM_TYPES, id)) {
1842
yyerror2("attribute %s is not within scope", id);
1824
1846
attr = hashtab_search(policydbp->p_types.table, id);
1826
1848
sprintf(errormsg, "attribute %s is not declared", id);
1827
1849
/* treat it as a fatal error */
1828
1850
yyerror(errormsg);
1833
if (!attr->isattr) {
1855
if (attr->flavor != TYPE_ATTRIB) {
1834
1856
sprintf(errormsg, "%s is a type, not an attribute", id);
1835
1857
yyerror(errormsg);
1862
if ((attr = get_local_type(id, attr->s.value, 1)) == NULL) {
1863
yyerror("Out of memory!");
1842
if (ebitmap_set_bit(&attr->types, (t->value - 1), TRUE)) {
1867
if (ebitmap_set_bit(&attr->types, (t->s.value - 1), TRUE)) {
1843
1868
yyerror("out of memory");
1855
1880
int newattr = 0;
1857
1882
if (pass == 2) {
1858
while ((id = queue_remove(id_queue)))
1883
while ((id = queue_remove(id_queue)))
1861
while ((id = queue_remove(id_queue)))
1886
while ((id = queue_remove(id_queue)))
1867
if ((datum = declare_type(TRUE, FALSE)) == NULL) {
1892
if ((datum = declare_type(TRUE, FALSE)) == NULL) {
1872
if (add_aliases_to_type(datum) == -1) {
1897
if (add_aliases_to_type(datum) == -1) {
1877
1902
while ((id = queue_remove(id_queue))) {
1878
if (!is_id_in_scope(SYM_TYPES, id)) {
1879
yyerror2("attribute %s is not within scope", id);
1903
if (!is_id_in_scope(SYM_TYPES, id)) {
1904
yyerror2("attribute %s is not within scope", id);
1883
1908
attr = hashtab_search(policydbp->p_types.table, id);
1885
1910
sprintf(errormsg, "attribute %s is not declared", id);
1894
if (!attr->isattr) {
1919
if (attr->flavor != TYPE_ATTRIB) {
1895
1920
sprintf(errormsg, "%s is a type, not an attribute", id);
1896
1921
yyerror(errormsg);
1900
if ((attr = get_local_type(id, attr->value)) == NULL) {
1901
yyerror("Out of memory!");
1925
if ((attr = get_local_type(id, attr->s.value, 1)) == NULL) {
1926
yyerror("Out of memory!");
1905
if (ebitmap_set_bit(&attr->types, datum->value - 1, TRUE)) {
1930
if (ebitmap_set_bit(&attr->types, datum->s.value - 1, TRUE)) {
1906
1931
yyerror("Out of memory");
1919
1944
/* Adds a type, given by its textual name, to a typeset. If *add is
1920
1945
0, then add the type to the negative set; otherwise if *add is 1
1921
1946
then add it to the positive side. */
1922
static int set_types(type_set_t *set,
1947
static int set_types(type_set_t * set, char *id, int *add, char starallowed)
1927
1949
type_datum_t *t;
1959
if (!is_id_in_scope(SYM_TYPES, id)) {
1960
yyerror2("type %s is not within scope", id);
1981
if (!is_id_in_scope(SYM_TYPES, id)) {
1982
yyerror2("type %s is not within scope", id);
1964
1986
t = hashtab_search(policydbp->p_types.table, id);
1966
1988
snprintf(errormsg, ERRORMSG_LEN, "unknown type %s", id);
1973
if (ebitmap_set_bit(&set->negset, t->value - 1, TRUE))
1977
if (ebitmap_set_bit(&set->types, t->value - 1, TRUE))
1995
if (ebitmap_set_bit(&set->negset, t->s.value - 1, TRUE))
1998
if (ebitmap_set_bit(&set->types, t->s.value - 1, TRUE))
1984
2005
yyerror("Out of memory");
1989
static int define_compute_type_helper(int which, avrule_t **rule)
2010
static int define_compute_type_helper(int which, avrule_t ** rule)
1992
2013
type_datum_t *datum;
2005
2026
avrule_init(avrule);
2006
avrule->specified = which;
2007
avrule->line = policydb_lineno;
2027
avrule->specified = which;
2028
avrule->line = policydb_lineno;
2009
while ((id = queue_remove(id_queue))) {
2010
if (set_types(&avrule->stypes, id, &add, 0))
2030
while ((id = queue_remove(id_queue))) {
2031
if (set_types(&avrule->stypes, id, &add, 0))
2014
2035
while ((id = queue_remove(id_queue))) {
2015
2036
if (set_types(&avrule->ttypes, id, &add, 0))
2019
ebitmap_init(&tclasses);
2040
ebitmap_init(&tclasses);
2020
2041
while ((id = queue_remove(id_queue))) {
2021
if (!is_id_in_scope(SYM_CLASSES, id)) {
2022
yyerror2("class %s is not within scope", id);
2042
if (!is_id_in_scope(SYM_CLASSES, id)) {
2043
yyerror2("class %s is not within scope", id);
2026
2047
cladatum = hashtab_search(policydbp->p_classes.table, id);
2027
2048
if (!cladatum) {
2028
2049
sprintf(errormsg, "unknown class %s", id);
2029
2050
yyerror(errormsg);
2032
if (ebitmap_set_bit(&tclasses, cladatum->value - 1, TRUE)) {
2053
if (ebitmap_set_bit(&tclasses, cladatum->s.value - 1, TRUE)) {
2033
2054
yyerror("Out of memory");
2039
id = (char *) queue_remove(id_queue);
2060
id = (char *)queue_remove(id_queue);
2041
2062
yyerror("no newtype?");
2044
if (!is_id_in_scope(SYM_TYPES, id)) {
2045
yyerror2("type %s is not within scope", id);
2065
if (!is_id_in_scope(SYM_TYPES, id)) {
2066
yyerror2("type %s is not within scope", id);
2049
2070
datum = (type_datum_t *) hashtab_search(policydbp->p_types.table,
2050
2071
(hashtab_key_t) id);
2051
if (!datum || datum->isattr) {
2072
if (!datum || datum->flavor == TYPE_ATTRIB) {
2052
2073
sprintf(errormsg, "unknown type %s", id);
2053
2074
yyerror(errormsg);
2057
2078
ebitmap_for_each_bit(&tclasses, node, i) {
2058
2079
if (ebitmap_node_get_bit(node, i)) {
2059
2080
perm = malloc(sizeof(class_perm_node_t));
2061
yyerror("out of memory");
2082
yyerror("out of memory");
2064
2085
class_perm_node_init(perm);
2065
2086
perm->class = i + 1;
2066
perm->data = datum->value;
2087
perm->data = datum->s.value;
2067
2088
perm->next = avrule->perms;
2068
2089
avrule->perms = perm;
2071
2092
ebitmap_destroy(&tclasses);
2077
avrule_destroy(avrule);
2098
avrule_destroy(avrule);
2085
2106
avrule_t *avrule;
2088
2108
if (pass == 1) {
2089
while ((id = queue_remove(id_queue)))
2091
while ((id = queue_remove(id_queue)))
2093
while ((id = queue_remove(id_queue)))
2109
while ((id = queue_remove(id_queue)))
2111
while ((id = queue_remove(id_queue)))
2113
while ((id = queue_remove(id_queue)))
2095
2115
id = queue_remove(id_queue);
2100
2120
if (define_compute_type_helper(which, &avrule))
2103
retval = insert_check_type_rule(avrule, &policydbp->te_avtab, NULL, NULL);
2106
/* append this avrule to the end of the current rules list */
2107
append_avrule(avrule);
2111
/* rule conflicted, so don't actually add this rule */
2112
avrule_destroy(avrule);
2117
avrule_destroy(avrule);
2122
assert(0); /* should never get here */
2123
append_avrule(avrule);
2127
2127
static avrule_t *define_cond_compute_type(int which)
2130
2130
avrule_t *avrule;
2132
2132
if (pass == 1) {
2133
while ((id = queue_remove(id_queue)))
2135
while ((id = queue_remove(id_queue)))
2137
while ((id = queue_remove(id_queue)))
2133
while ((id = queue_remove(id_queue)))
2135
while ((id = queue_remove(id_queue)))
2137
while ((id = queue_remove(id_queue)))
2139
2139
id = queue_remove(id_queue);
2141
return (avrule_t*)1;
2141
return (avrule_t *) 1;
2144
2144
if (define_compute_type_helper(which, &avrule))
2145
2145
return COND_ERR;
2179
2179
memset(datum, 0, sizeof(cond_bool_datum_t));
2180
ret = declare_symbol(SYM_BOOLS, id, datum, &value, &value);
2183
yyerror("Out of memory!");
2187
yyerror2("duplicate declaration of boolean %s", id);
2191
yyerror("could not declare boolean here");
2199
assert(0); /* should never get here */
2202
datum->value = value;
2180
ret = declare_symbol(SYM_BOOLS, id, datum, &value, &value);
2183
yyerror("Out of memory!");
2187
yyerror2("duplicate declaration of boolean %s", id);
2191
yyerror("could not declare boolean here");
2199
assert(0); /* should never get here */
2202
datum->s.value = value;
2204
bool_value = (char *) queue_remove(id_queue);
2204
bool_value = (char *)queue_remove(id_queue);
2205
2205
if (!bool_value) {
2206
2206
yyerror("no default value for bool definition?");
2211
2211
datum->state = (int)(bool_value[0] == 'T') ? 1 : 0;
2214
cond_destroy_bool(id, datum, NULL);
2214
cond_destroy_bool(id, datum, NULL);
2218
static avrule_t *define_cond_pol_list(avrule_t *avlist, avrule_t *sl)
2218
static avrule_t *define_cond_pol_list(avrule_t * avlist, avrule_t * sl)
2220
2220
if (pass == 1) {
2221
2221
/* return something so we get through pass 1 */
2222
return (avrule_t *)1;
2222
return (avrule_t *) 1;
2225
2225
if (sl == NULL) {
2245
2245
int add = 1, ret = 0;
2246
2246
int suppress = 0;
2248
avrule = (avrule_t*)malloc(sizeof(avrule_t));
2248
avrule = (avrule_t *) malloc(sizeof(avrule_t));
2250
2250
yyerror("memory error");
2254
2254
avrule_init(avrule);
2255
avrule->specified = which;
2256
avrule->line = policydb_lineno;
2255
avrule->specified = which;
2256
avrule->line = policydb_lineno;
2258
2258
while ((id = queue_remove(id_queue))) {
2259
if (set_types(&avrule->stypes, id, &add, which == AVRULE_NEVERALLOW? 1 : 0 )) {
2260
(&avrule->stypes, id, &add,
2261
which == AVRULE_NEVERALLOW ? 1 : 0)) {
2265
2267
while ((id = queue_remove(id_queue))) {
2266
2268
if (strcmp(id, "self") == 0) {
2268
2270
avrule->flags |= RULE_SELF;
2271
if (set_types(&avrule->ttypes, id, &add, which == AVRULE_NEVERALLOW? 1 : 0 )) {
2274
(&avrule->ttypes, id, &add,
2275
which == AVRULE_NEVERALLOW ? 1 : 0)) {
2277
2281
ebitmap_init(&tclasses);
2278
2282
while ((id = queue_remove(id_queue))) {
2279
if (!is_id_in_scope(SYM_CLASSES, id)) {
2280
yyerror2("class %s is not within scope", id);
2283
if (!is_id_in_scope(SYM_CLASSES, id)) {
2284
yyerror2("class %s is not within scope", id);
2284
2288
cladatum = hashtab_search(policydbp->p_classes.table, id);
2286
2290
sprintf(errormsg, "unknown class %s used in rule", id);
2287
2291
yyerror(errormsg);
2291
if (ebitmap_set_bit(&tclasses, cladatum->value - 1, TRUE)) {
2295
if (ebitmap_set_bit(&tclasses, cladatum->s.value - 1, TRUE)) {
2292
2296
yyerror("Out of memory");
2331
2336
if (strcmp(id, "~") == 0) {
2332
2337
/* complement the set */
2333
if (which == AVRULE_DONTAUDIT)
2338
if (which == AVRULE_DONTAUDIT)
2334
2339
yywarn("dontaudit rule with a ~?");
2335
2340
cur_perms->data = ~cur_perms->data;
2339
perdatum = hashtab_search(cladatum->permissions.table, id);
2345
hashtab_search(cladatum->permissions.table, id);
2340
2346
if (!perdatum) {
2341
2347
if (cladatum->comdatum) {
2342
perdatum = hashtab_search(cladatum->comdatum->permissions.table,
2349
hashtab_search(cladatum->comdatum->
2346
2354
if (!perdatum) {
2347
sprintf(errormsg, "permission %s is not defined for class %s", id, policydbp->p_class_val_to_name[i]);
2356
"permission %s is not defined for class %s",
2357
id, policydbp->p_class_val_to_name[i]);
2352
else if (!is_perm_in_scope(id, policydbp->p_class_val_to_name[i])) {
2362
if (!is_perm_in_scope
2363
(id, policydbp->p_class_val_to_name[i])) {
2353
2364
if (!suppress) {
2354
yyerror2("permission %s of class %s is not within scope",
2355
id, policydbp->p_class_val_to_name[i]);
2366
("permission %s of class %s is not within scope",
2368
policydbp->p_class_val_to_name[i]);
2359
cur_perms->data |= 1U << (perdatum->value - 1);
2372
cur_perms->data |= 1U << (perdatum->s.value - 1);
2362
cur_perms = cur_perms->next;
2375
cur_perms = cur_perms->next;
2368
2381
ebitmap_destroy(&tclasses);
2370
avrule->perms = perms;
2383
avrule->perms = perms;
2426
2439
if (pass == 1) {
2427
while ((id = queue_remove(id_queue)))
2440
while ((id = queue_remove(id_queue)))
2432
if ((role = declare_role()) == NULL) {
2445
if ((role = declare_role()) == NULL) {
2435
2448
while ((id = queue_remove(id_queue))) {
2436
if (set_types(&role->types, id, &add, 0))
2449
if (set_types(&role->types, id, &add, 0))
2445
static role_datum_t *
2446
merge_roles_dom(role_datum_t * r1, role_datum_t * r2)
2456
static role_datum_t *merge_roles_dom(role_datum_t * r1, role_datum_t * r2)
2448
2458
role_datum_t *new;
2450
2460
if (pass == 1) {
2451
return (role_datum_t *)1; /* any non-NULL value */
2461
return (role_datum_t *) 1; /* any non-NULL value */
2454
2464
new = malloc(sizeof(role_datum_t));
2493
2504
/* Don't bother to process against self role */
2494
if (rdatum->value == rdp->value)
2505
if (rdatum->s.value == rdp->s.value)
2497
2508
/* If a dominating role found */
2498
if (ebitmap_get_bit(&(rdatum->dominates), rdp->value - 1))
2509
if (ebitmap_get_bit(&(rdatum->dominates), rdp->s.value - 1)) {
2500
2510
ebitmap_t types;
2501
2511
ebitmap_init(&types);
2502
2512
if (type_set_expand(&rdp->types, &types, policydbp, 1)) {
2506
2516
/* raise types and dominates from dominated role */
2507
2517
ebitmap_for_each_bit(&rdp->dominates, node, i) {
2508
2518
if (ebitmap_node_get_bit(node, i))
2509
if (ebitmap_set_bit(&rdatum->dominates, i, TRUE))
2520
(&rdatum->dominates, i, TRUE))
2512
2523
ebitmap_for_each_bit(&types, node, i) {
2513
2524
if (ebitmap_node_get_bit(node, i))
2514
if (ebitmap_set_bit(&rdatum->types.types, i, TRUE))
2526
(&rdatum->types.types, i, TRUE))
2517
2529
ebitmap_destroy(&types);
2520
2532
/* go through all the roles */
2523
2535
yyerror("Out of memory");
2527
static role_datum_t *
2528
define_role_dom(role_datum_t * r)
2539
static role_datum_t *define_role_dom(role_datum_t * r)
2530
2541
role_datum_t *role;
2536
2547
if (pass == 1) {
2537
2548
role_id = queue_remove(id_queue);
2539
return (role_datum_t *)1; /* any non-NULL value */
2550
return (role_datum_t *) 1; /* any non-NULL value */
2542
2553
role_id = queue_remove(id_queue);
2543
if (!is_id_in_scope(SYM_ROLES, role_id)) {
2544
yyerror2("role %s is not within scope", role_id);
2554
if (!is_id_in_scope(SYM_ROLES, role_id)) {
2555
yyerror2("role %s is not within scope", role_id);
2548
2559
role = (role_datum_t *) hashtab_search(policydbp->p_roles.table,
2557
2568
memset(role, 0, sizeof(role_datum_t));
2558
ret = declare_symbol(SYM_ROLES, (hashtab_key_t) role_id, (hashtab_datum_t) role, &role->value, &role->value);
2561
yyerror("Out of memory!");
2565
yyerror2("duplicate declaration of role %s", role_id);
2569
yyerror("could not declare role here");
2577
assert(0); /* should never get here */
2580
if (ebitmap_set_bit(&role->dominates, role->value-1, TRUE)) {
2581
yyerror("Out of memory!");
2570
declare_symbol(SYM_ROLES, (hashtab_key_t) role_id,
2571
(hashtab_datum_t) role, &role->s.value,
2575
yyerror("Out of memory!");
2579
yyerror2("duplicate declaration of role %s",
2584
yyerror("could not declare role here");
2592
assert(0); /* should never get here */
2595
if (ebitmap_set_bit(&role->dominates, role->s.value - 1, TRUE)) {
2596
yyerror("Out of memory!");
2597
2612
ebitmap_for_each_bit(&types, node, i) {
2598
2613
if (ebitmap_node_get_bit(node, i))
2599
if (ebitmap_set_bit(&role->types.types, i, TRUE))
2615
(&role->types.types, i, TRUE))
2602
2618
ebitmap_destroy(&types);
2604
2620
/* free intermediate result */
2605
2621
type_set_destroy(&r->types);
2606
2622
ebitmap_destroy(&r->dominates);
2611
2627
* dominates and types if a role dominates this role.
2613
2629
hashtab_map(policydbp->p_roles.table,
2614
dominate_role_recheck, role);
2630
dominate_role_recheck, role);
2619
role_datum_destroy(role);
2635
role_datum_destroy(role);
2623
2639
yyerror("Out of memory");
2627
static int role_val_to_name_helper(hashtab_key_t key, hashtab_datum_t datum, void *p)
2643
static int role_val_to_name_helper(hashtab_key_t key, hashtab_datum_t datum,
2629
2646
struct val_to_name *v = p;
2630
2647
role_datum_t *roldatum;
2632
2649
roldatum = (role_datum_t *) datum;
2634
if (v->val == roldatum->value) {
2651
if (v->val == roldatum->s.value) {
2643
static char *role_val_to_name(unsigned int val)
2659
static char *role_val_to_name(unsigned int val)
2645
2661
struct val_to_name v;
2649
rc = hashtab_map(policydbp->p_roles.table,
2650
role_val_to_name_helper, &v);
2665
rc = hashtab_map(policydbp->p_roles.table, role_val_to_name_helper, &v);
2656
static int set_roles(role_set_t *set,
2671
static int set_roles(role_set_t * set, char *id)
2659
2673
role_datum_t *r;
2669
2683
yyerror("~ is not allowed for role sets");
2672
if (!is_id_in_scope(SYM_ROLES, id)) {
2673
yyerror2("role %s is not within scope", id);
2686
if (!is_id_in_scope(SYM_ROLES, id)) {
2687
yyerror2("role %s is not within scope", id);
2677
2691
r = hashtab_search(policydbp->p_roles.table, id);
2679
2693
yyerror2("unknown role %s", id);
2723
2736
if (set_roles(&roles, id))
2727
2740
while ((id = queue_remove(id_queue))) {
2728
2741
if (set_types(&types, id, &add, 0))
2732
id = (char *) queue_remove(id_queue);
2745
id = (char *)queue_remove(id_queue);
2734
2747
yyerror("no new role in transition definition?");
2737
if (!is_id_in_scope(SYM_ROLES, id)) {
2738
yyerror2("role %s is not within scope", id);
2750
if (!is_id_in_scope(SYM_ROLES, id)) {
2751
yyerror2("role %s is not within scope", id);
2742
2755
role = hashtab_search(policydbp->p_roles.table, id);
2744
sprintf(errormsg, "unknown role %s used in transition definition", id);
2758
"unknown role %s used in transition definition", id);
2745
2759
yyerror(errormsg);
2749
2763
/* This ebitmap business is just to ensure that there are not conflicting role_trans rules */
2750
2764
if (role_set_expand(&roles, &e_roles, policydbp))
2753
2767
if (type_set_expand(&types, &e_types, policydbp, 1))
2756
2770
ebitmap_for_each_bit(&e_roles, rnode, i) {
2757
if (!ebitmap_node_get_bit(rnode, i))
2771
if (!ebitmap_node_get_bit(rnode, i))
2759
2773
ebitmap_for_each_bit(&e_types, tnode, j) {
2760
2774
if (!ebitmap_node_get_bit(tnode, j))
2763
2777
for (tr = policydbp->role_tr; tr; tr = tr->next) {
2764
if (tr->role == (i+1) && tr->type == (j+1)) {
2765
sprintf(errormsg, "duplicate role transition for (%s,%s)",
2766
role_val_to_name(i + 1), policydbp->p_type_val_to_name[j]);
2778
if (tr->role == (i + 1) && tr->type == (j + 1)) {
2780
"duplicate role transition for (%s,%s)",
2781
role_val_to_name(i + 1),
2783
p_type_val_to_name[j]);
2767
2784
yyerror(errormsg);
2791
2808
memset(rule, 0, sizeof(struct role_trans_rule));
2792
2809
rule->roles = roles;
2793
2810
rule->types = types;
2794
rule->new_role = role->value;
2811
rule->new_role = role->s.value;
2796
append_role_trans(rule);
2813
append_role_trans(rule);
2798
2815
ebitmap_destroy(&e_roles);
2799
2816
ebitmap_destroy(&e_types);
2808
2824
static int define_role_allow(void)
2811
2827
struct role_allow_rule *ra = 0;
2813
2829
if (pass == 1) {
2814
while ((id = queue_remove(id_queue)))
2830
while ((id = queue_remove(id_queue)))
2816
while ((id = queue_remove(id_queue)))
2832
while ((id = queue_remove(id_queue)))
2826
2842
role_allow_rule_init(ra);
2828
2844
while ((id = queue_remove(id_queue))) {
2829
2845
if (set_roles(&ra->roles, id))
2834
2849
while ((id = queue_remove(id_queue))) {
2835
2850
if (set_roles(&ra->new_roles, id))
2839
append_role_allow(ra);
2854
append_role_allow(ra);
2843
static constraint_expr_t *constraint_expr_clone(constraint_expr_t *expr)
2858
static constraint_expr_t *constraint_expr_clone(constraint_expr_t * expr)
2845
2860
constraint_expr_t *h = NULL, *l = NULL, *e, *newe;
2846
2861
for (e = expr; e; e = e->next) {
2945
2960
ebitmap_init(&classmap);
2946
2961
while ((id = queue_remove(id_queue))) {
2947
if (!is_id_in_scope(SYM_CLASSES, id)) {
2948
yyerror2("class %s is not within scope", id);
2952
cladatum = (class_datum_t *) hashtab_search(policydbp->p_classes.table,
2962
if (!is_id_in_scope(SYM_CLASSES, id)) {
2963
yyerror2("class %s is not within scope", id);
2968
(class_datum_t *) hashtab_search(policydbp->p_classes.table,
2953
2969
(hashtab_key_t) id);
2954
2970
if (!cladatum) {
2955
2971
sprintf(errormsg, "class %s is not defined", id);
2994
3010
cladatum = policydbp->class_val_to_struct[i];
2995
3011
node = cladatum->constraints;
2997
perdatum = (perm_datum_t *) hashtab_search(cladatum->permissions.table,
2998
(hashtab_key_t) id);
3014
(perm_datum_t *) hashtab_search(cladatum->
2999
3019
if (!perdatum) {
3000
3020
if (cladatum->comdatum) {
3001
perdatum = (perm_datum_t *) hashtab_search(cladatum->comdatum->permissions.table,
3002
(hashtab_key_t) id);
3023
hashtab_search(cladatum->
3004
3030
if (!perdatum) {
3005
sprintf(errormsg, "permission %s is not defined", id);
3032
"permission %s is not defined",
3006
3034
yyerror(errormsg);
3008
3036
ebitmap_destroy(&classmap);
3012
node->permissions |= (1 << (perdatum->value - 1));
3040
node->permissions |=
3041
(1 << (perdatum->s.value - 1));
3074
3103
ebitmap_init(&classmap);
3075
3104
while ((id = queue_remove(id_queue))) {
3076
if (!is_id_in_scope(SYM_CLASSES, id)) {
3077
yyerror2("class %s is not within scope", id);
3081
cladatum = (class_datum_t *)hashtab_search(policydbp->p_classes.table, (hashtab_key_t)id);
3105
if (!is_id_in_scope(SYM_CLASSES, id)) {
3106
yyerror2("class %s is not within scope", id);
3111
(class_datum_t *) hashtab_search(policydbp->p_classes.table,
3112
(hashtab_key_t) id);
3082
3113
if (!cladatum) {
3083
3114
sprintf(errormsg, "class %s is not defined", id);
3084
3115
ebitmap_destroy(&classmap);
3128
3158
ebitmap_t negset;
3133
3163
if (pass == 1) {
3134
3164
if (expr_type == CEXPR_NAMES) {
3135
while ((id = queue_remove(id_queue)))
3165
while ((id = queue_remove(id_queue)))
3138
return 1; /* any non-NULL value */
3168
return 1; /* any non-NULL value */
3141
3171
if ((expr = malloc(sizeof(*expr))) == NULL ||
3142
constraint_expr_init(expr) == - 1) {
3172
constraint_expr_init(expr) == -1) {
3143
3173
yyerror("out of memory");
3164
3194
case CEXPR_AND:
3167
e2 = (struct constraint_expr *) arg1;
3197
e2 = (struct constraint_expr *)arg1;
3172
3202
if (!e1 || e1->next) {
3173
3203
yyerror("illegal constraint expression");
3174
constraint_expr_destroy(expr);
3204
constraint_expr_destroy(expr);
3177
e1->next = (struct constraint_expr *) arg2;
3207
e1->next = (struct constraint_expr *)arg2;
3180
e2 = (struct constraint_expr *) arg2;
3210
e2 = (struct constraint_expr *)arg2;
3185
3215
if (!e1 || e1->next) {
3186
3216
yyerror("illegal constraint expression");
3187
constraint_expr_destroy(expr);
3217
constraint_expr_destroy(expr);
3190
3220
e1->next = expr;
3192
3222
case CEXPR_ATTR:
3193
3223
expr->attr = arg1;
3194
3224
expr->op = arg2;
3195
return (uintptr_t)expr;
3225
return (uintptr_t) expr;
3196
3226
case CEXPR_NAMES:
3198
3228
expr->attr = arg1;
3199
3229
expr->op = arg2;
3200
3230
ebitmap_init(&negset);
3201
while ((id = (char *) queue_remove(id_queue))) {
3231
while ((id = (char *)queue_remove(id_queue))) {
3202
3232
if (expr->attr & CEXPR_USER) {
3203
if (!is_id_in_scope(SYM_USERS, id)) {
3204
yyerror2("user %s is not within scope", id);
3205
constraint_expr_destroy(expr);
3208
user = (user_datum_t *) hashtab_search(policydbp->p_users.table,
3209
(hashtab_key_t) id);
3233
if (!is_id_in_scope(SYM_USERS, id)) {
3234
yyerror2("user %s is not within scope",
3236
constraint_expr_destroy(expr);
3240
(user_datum_t *) hashtab_search(policydbp->
3211
sprintf(errormsg, "unknown user %s", id);
3246
sprintf(errormsg, "unknown user %s",
3212
3248
yyerror(errormsg);
3213
constraint_expr_destroy(expr);
3249
constraint_expr_destroy(expr);
3252
val = user->s.value;
3217
3253
} else if (expr->attr & CEXPR_ROLE) {
3218
if (!is_id_in_scope(SYM_ROLES, id)) {
3219
yyerror2("role %s is not within scope", id);
3220
constraint_expr_destroy(expr);
3223
role = (role_datum_t *) hashtab_search(policydbp->p_roles.table,
3224
(hashtab_key_t) id);
3254
if (!is_id_in_scope(SYM_ROLES, id)) {
3255
yyerror2("role %s is not within scope",
3257
constraint_expr_destroy(expr);
3261
(role_datum_t *) hashtab_search(policydbp->
3226
sprintf(errormsg, "unknown role %s", id);
3267
sprintf(errormsg, "unknown role %s",
3227
3269
yyerror(errormsg);
3228
constraint_expr_destroy(expr);
3270
constraint_expr_destroy(expr);
3273
val = role->s.value;
3232
3274
} else if (expr->attr & CEXPR_TYPE) {
3233
if (set_types(expr->type_names, id, &add, 0)) {
3234
constraint_expr_destroy(expr);
3275
if (set_types(expr->type_names, id, &add, 0)) {
3276
constraint_expr_destroy(expr);
3239
3281
yyerror("invalid constraint expression");
3240
constraint_expr_destroy(expr);
3282
constraint_expr_destroy(expr);
3243
3285
if (ebitmap_set_bit(&expr->names, val - 1, TRUE)) {
3244
3286
yyerror("out of memory");
3245
3287
ebitmap_destroy(&expr->names);
3246
constraint_expr_destroy(expr);
3288
constraint_expr_destroy(expr);
3251
3293
ebitmap_destroy(&negset);
3252
return (uintptr_t)expr;
3294
return (uintptr_t) expr;
3254
3296
yyerror("invalid constraint expression");
3255
constraint_expr_destroy(expr);
3297
constraint_expr_destroy(expr);
3330
/* use tmp conditional node to partially build new node */
3331
memset(&cn, 0, sizeof(cn));
3334
cn.avfalse_list = f;
3374
/* use tmp conditional node to partially build new node */
3375
memset(&cn, 0, sizeof(cn));
3378
cn.avfalse_list = f;
3336
3380
/* normalize/precompute expression */
3337
3381
if (cond_normalize_expr(policydbp, &cn) < 0) {
3342
/* get the existing conditional node, or create a new one*/
3343
cn_old = get_current_cond_list(&cn);
3348
/* verify te rules -- both true and false branches of conditional */
3349
tmp = cn.avtrue_list;
3352
if (!tmp->specified & AVRULE_TRANSITION)
3354
retval = insert_check_type_rule(tmp,
3355
&policydbp->te_cond_avtab,
3356
&cn_old->true_list, &cn_old->false_list);
3364
/* rule conflicted, so remove it from consideration */
3365
if (last_tmp == NULL) {
3366
cn.avtrue_list = cn.avtrue_list->next;
3367
avrule_destroy(tmp);
3369
tmp = cn.avtrue_list;
3372
last_tmp->next = tmp->next;
3373
avrule_destroy(tmp);
3375
tmp = last_tmp->next;
3383
assert(0); /* should never get here */
3388
tmp = cn.avfalse_list;
3391
if (!tmp->specified & AVRULE_TRANSITION)
3393
retval = insert_check_type_rule(tmp,
3394
&policydbp->te_cond_avtab,
3395
&cn_old->false_list, &cn_old->true_list);
3403
/* rule conflicted, so remove it from consideration */
3404
if (last_tmp == NULL) {
3405
cn.avfalse_list = cn.avfalse_list->next;
3406
avrule_destroy(tmp);
3408
tmp = cn.avfalse_list;
3411
last_tmp->next = tmp->next;
3412
avrule_destroy(tmp);
3414
tmp = last_tmp->next;
3422
assert(0); /* should never get here */
3427
append_cond_list(&cn);
3429
/* note that there is no check here for duplicate rules, nor
3430
* check that rule already exists in base -- that will be
3431
* handled during conditional expansion, in expand.c */
3386
/* get the existing conditional node, or create a new one */
3387
cn_old = get_current_cond_list(&cn);
3392
append_cond_list(&cn);
3394
/* note that there is no check here for duplicate rules, nor
3395
* check that rule already exists in base -- that will be
3396
* handled during conditional expansion, in expand.c */
3433
3398
cn.avtrue_list = NULL;
3434
3399
cn.avfalse_list = NULL;
3435
3400
cond_node_destroy(&cn);
3480
3444
e1->next = expr;
3481
return (struct cond_expr *) arg1;
3445
return (struct cond_expr *)arg1;
3488
e2 = (struct cond_expr *) arg1;
3452
e2 = (struct cond_expr *)arg1;
3493
3457
if (!e1 || e1->next) {
3494
yyerror("illegal left side of conditional binary op expression");
3459
("illegal left side of conditional binary op expression");
3498
e1->next = (struct cond_expr *) arg2;
3463
e1->next = (struct cond_expr *)arg2;
3501
e2 = (struct cond_expr *) arg2;
3466
e2 = (struct cond_expr *)arg2;
3506
3471
if (!e1 || e1->next) {
3507
yyerror("illegal right side of conditional binary op expression");
3473
("illegal right side of conditional binary op expression");
3511
3477
e1->next = expr;
3512
return (struct cond_expr *) arg1;
3478
return (struct cond_expr *)arg1;
3513
3479
case COND_BOOL:
3514
id = (char *) queue_remove(id_queue) ;
3480
id = (char *)queue_remove(id_queue);
3516
3482
yyerror("bad conditional; expected boolean id");
3521
if (!is_id_in_scope(SYM_BOOLS, id)) {
3522
yyerror2("boolean %s is not within scope", id);
3527
bool_var = (cond_bool_datum_t *) hashtab_search(policydbp->p_bools.table,
3528
(hashtab_key_t) id);
3487
if (!is_id_in_scope(SYM_BOOLS, id)) {
3488
yyerror2("boolean %s is not within scope", id);
3494
(cond_bool_datum_t *) hashtab_search(policydbp->p_bools.
3496
(hashtab_key_t) id);
3529
3497
if (!bool_var) {
3530
sprintf(errormsg, "unknown boolean %s in conditional expression", id);
3499
"unknown boolean %s in conditional expression",
3531
3501
yyerror(errormsg);
3536
expr->bool = bool_var->value;
3506
expr->bool = bool_var->s.value;
3565
if (!is_id_in_scope(SYM_ROLES, id)) {
3566
yyerror2("role %s is not within scope", id);
3533
if (!is_id_in_scope(SYM_ROLES, id)) {
3534
yyerror2("role %s is not within scope", id);
3570
3538
r = hashtab_search(policydbp->p_roles.table, id);
3572
3540
sprintf(errormsg, "unknown role %s", id);
3602
3569
*(id_end++) = '\0';
3604
cdatum = (cat_datum_t *)hashtab_search(policydbp->p_cats.table,
3605
(hashtab_key_t)id_start);
3571
cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
3607
3575
sprintf(errormsg, "unknown category %s", id_start);
3608
3576
yyerror(errormsg);
3611
range_start = cdatum->value - 1;
3612
cdatum = (cat_datum_t *)hashtab_search(policydbp->p_cats.table,
3613
(hashtab_key_t)id_end);
3579
range_start = cdatum->s.value - 1;
3580
cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
3581
(hashtab_key_t) id_end);
3615
3583
sprintf(errormsg, "unknown category %s", id_end);
3616
3584
yyerror(errormsg);
3619
range_end = cdatum->value - 1;
3587
range_end = cdatum->s.value - 1;
3621
3589
if (range_end < range_start) {
3622
3590
sprintf(errormsg, "category range is invalid");
3627
cdatum = (cat_datum_t *)hashtab_search(policydbp->p_cats.table,
3595
cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
3596
(hashtab_key_t) id);
3630
3598
sprintf(errormsg, "unknown category %s", id);
3631
3599
yyerror(errormsg);
3634
range_start = range_end = cdatum->value - 1;
3602
range_start = range_end = cdatum->s.value - 1;
3637
3605
for (i = range_start; i <= range_end; i++) {
3639
3607
uint32_t level_value = levdatum->level->sens - 1;
3640
3608
policydb_index_others(NULL, policydbp, 0);
3641
3609
sprintf(errormsg, "category %s can not be associated "
3643
policydbp->p_cat_val_to_name[i],
3644
policydbp->p_sens_val_to_name[level_value]);
3611
policydbp->p_cat_val_to_name[i],
3612
policydbp->p_sens_val_to_name[level_value]);
3645
3613
yyerror(errormsg);
3626
parse_semantic_categories(char *id, level_datum_t * levdatum,
3627
mls_semantic_cat_t ** cats)
3629
cat_datum_t *cdatum;
3630
mls_semantic_cat_t *newcat;
3631
unsigned int range_start, range_end;
3633
if (id_has_dot(id)) {
3634
char *id_start = id;
3635
char *id_end = strchr(id, '.');
3639
cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
3643
sprintf(errormsg, "unknown category %s", id_start);
3647
range_start = cdatum->s.value;
3649
cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
3650
(hashtab_key_t) id_end);
3652
sprintf(errormsg, "unknown category %s", id_end);
3656
range_end = cdatum->s.value;
3658
cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
3659
(hashtab_key_t) id);
3661
sprintf(errormsg, "unknown category %s", id);
3665
range_start = range_end = cdatum->s.value;
3668
newcat = (mls_semantic_cat_t *) malloc(sizeof(mls_semantic_cat_t));
3670
yyerror("out of memory");
3674
mls_semantic_cat_init(newcat);
3675
newcat->next = *cats;
3676
newcat->low = range_start;
3677
newcat->high = range_end;
3658
3684
static int define_user(void)
3662
3688
level_datum_t *levdatum;
3665
if (policydbp->policy_type == POLICY_MOD && mlspol) {
3666
yyerror("Users cannot be declared in MLS modules");
3670
3691
if (pass == 1) {
3671
while ((id = queue_remove(id_queue)))
3692
while ((id = queue_remove(id_queue)))
3674
while ((id = queue_remove(id_queue)))
3695
while ((id = queue_remove(id_queue)))
3676
id = queue_remove(id_queue); free(id);
3697
id = queue_remove(id_queue);
3677
3699
for (l = 0; l < 2; l++) {
3678
while ((id = queue_remove(id_queue))) {
3700
while ((id = queue_remove(id_queue))) {
3681
3703
id = queue_remove(id_queue);
3706
3728
levdatum = (level_datum_t *)
3707
hashtab_search(policydbp->p_levels.table,
3708
(hashtab_key_t) id);
3729
hashtab_search(policydbp->p_levels.table,
3730
(hashtab_key_t) id);
3709
3731
if (!levdatum) {
3710
3732
sprintf(errormsg, "unknown sensitivity %s used in user"
3711
" level definition", id);
3733
" level definition", id);
3712
3734
yyerror(errormsg);
3718
3740
usrdatum->dfltlevel.sens = levdatum->level->sens;
3719
ebitmap_init(&usrdatum->dfltlevel.cat);
3721
3742
while ((id = queue_remove(id_queue))) {
3722
if (parse_categories(id, levdatum,
3723
&usrdatum->dfltlevel.cat)) {
3743
if (parse_semantic_categories(id, levdatum,
3744
&usrdatum->dfltlevel.cat)) {
3732
3753
for (l = 0; l < 2; l++) {
3733
3754
levdatum = (level_datum_t *)
3734
hashtab_search(policydbp->p_levels.table,
3735
(hashtab_key_t) id);
3755
hashtab_search(policydbp->p_levels.table,
3756
(hashtab_key_t) id);
3736
3757
if (!levdatum) {
3737
sprintf(errormsg, "unknown sensitivity %s used in user range definition", id);
3759
"unknown sensitivity %s used in user range definition",
3738
3761
yyerror(errormsg);
3743
3767
usrdatum->range.level[l].sens = levdatum->level->sens;
3744
ebitmap_init(&usrdatum->range.level[l].cat);
3746
3769
while ((id = queue_remove(id_queue))) {
3747
if (parse_categories(id, levdatum,
3748
&usrdatum->range.level[l].cat)) {
3770
if (parse_semantic_categories(id, levdatum,
3771
&usrdatum->range.level[l].cat)) {
3761
usrdatum->range.level[1].sens =
3762
usrdatum->range.level[0].sens;
3763
if (ebitmap_cpy(&usrdatum->range.level[1].cat,
3764
&usrdatum->range.level[0].cat)) {
3784
if (mls_semantic_level_cpy(&usrdatum->range.level[1],
3785
&usrdatum->range.level[0])) {
3765
3786
yyerror("out of memory");
3769
if (!mls_level_dom(&usrdatum->range.level[1],
3770
&usrdatum->range.level[0])) {
3771
yyerror("high level does not dominate low level");
3774
if (!mls_level_between(&usrdatum->dfltlevel,
3775
&usrdatum->range.level[0],
3776
&usrdatum->range.level[1])) {
3777
yyerror("default level not within user range");
3784
ebitmap_destroy(&usrdatum->dfltlevel.cat);
3785
ebitmap_destroy(&usrdatum->range.level[0].cat);
3786
ebitmap_destroy(&usrdatum->range.level[1].cat);
3791
3794
static int parse_security_context(context_struct_t * c)
3800
3803
if (pass == 1) {
3801
id = queue_remove(id_queue); free(id); /* user */
3802
id = queue_remove(id_queue); free(id); /* role */
3803
id = queue_remove(id_queue); free(id); /* type */
3804
id = queue_remove(id_queue);
3805
free(id); /* user */
3806
id = queue_remove(id_queue);
3807
free(id); /* role */
3808
id = queue_remove(id_queue);
3809
free(id); /* type */
3805
id = queue_remove(id_queue); free(id);
3811
id = queue_remove(id_queue);
3806
3813
for (l = 0; l < 2; l++) {
3807
3814
while ((id = queue_remove(id_queue))) {
3824
3831
yyerror("no effective user?");
3827
if (!is_id_in_scope(SYM_USERS, id)) {
3828
yyerror2("user %s is not within scope", id);
3834
if (!is_id_in_scope(SYM_USERS, id)) {
3835
yyerror2("user %s is not within scope", id);
3832
3839
usrdatum = (user_datum_t *) hashtab_search(policydbp->p_users.table,
3833
3840
(hashtab_key_t) id);
3834
3841
if (!usrdatum) {
3840
c->user = usrdatum->value;
3847
c->user = usrdatum->s.value;
3842
3849
/* no need to keep the user name */
3845
3852
/* extract the role */
3846
id = (char *) queue_remove(id_queue);
3853
id = (char *)queue_remove(id_queue);
3848
3855
yyerror("no role name for sid context definition?");
3851
if (!is_id_in_scope(SYM_ROLES, id)) {
3852
yyerror2("role %s is not within scope", id);
3858
if (!is_id_in_scope(SYM_ROLES, id)) {
3859
yyerror2("role %s is not within scope", id);
3856
3863
role = (role_datum_t *) hashtab_search(policydbp->p_roles.table,
3857
3864
(hashtab_key_t) id);
3864
c->role = role->value;
3871
c->role = role->s.value;
3866
3873
/* no need to keep the role name */
3870
3876
/* extract the type */
3871
id = (char *) queue_remove(id_queue);
3877
id = (char *)queue_remove(id_queue);
3873
3879
yyerror("no type name for sid context definition?");
3876
if (!is_id_in_scope(SYM_TYPES, id)) {
3877
yyerror2("type %s is not within scope", id);
3882
if (!is_id_in_scope(SYM_TYPES, id)) {
3883
yyerror2("type %s is not within scope", id);
3881
3887
typdatum = (type_datum_t *) hashtab_search(policydbp->p_types.table,
3882
3888
(hashtab_key_t) id);
3883
if (!typdatum || typdatum->isattr) {
3884
sprintf(errormsg, "type %s is not defined or is an attribute", id);
3889
if (!typdatum || typdatum->flavor == TYPE_ATTRIB) {
3890
sprintf(errormsg, "type %s is not defined or is an attribute",
3885
3892
yyerror(errormsg);
3889
c->type = typdatum->value;
3896
c->type = typdatum->s.value;
3891
3898
/* no need to keep the type name */
3895
3902
/* extract the low sensitivity */
3896
id = (char *) queue_head(id_queue);
3903
id = (char *)queue_head(id_queue);
3898
3905
yyerror("no sensitivity name for sid context"
3903
id = (char *) queue_remove(id_queue);
3910
id = (char *)queue_remove(id_queue);
3904
3911
for (l = 0; l < 2; l++) {
3905
3912
levdatum = (level_datum_t *)
3906
hashtab_search(policydbp->p_levels.table,
3907
(hashtab_key_t) id);
3913
hashtab_search(policydbp->p_levels.table,
3914
(hashtab_key_t) id);
3908
3915
if (!levdatum) {
3909
3916
sprintf(errormsg, "Sensitivity %s is not "
3911
3918
yyerror(errormsg);
4039
4047
for (c = head; c; c = c->next) {
4040
4048
if (!strcmp(newc->u.name, c->u.name)) {
4041
sprintf(errormsg, "duplicate entry for file system %s", newc->u.name);
4049
sprintf(errormsg, "duplicate entry for file system %s",
4042
4051
yyerror(errormsg);
4043
4052
context_destroy(&newc->context[0]);
4044
4053
context_destroy(&newc->context[1]);
4116
4127
if (protocol != prot2)
4118
4129
if (low == low2 && high == high2) {
4119
sprintf(errormsg, "duplicate portcon entry for %s %d-%d ", id, low, high);
4131
"duplicate portcon entry for %s %d-%d ", id,
4122
4135
if (low2 <= low && high2 >= high) {
4123
sprintf(errormsg, "portcon entry for %s %d-%d hidden by earlier entry for %d-%d", id, low, high, low2, high2);
4137
"portcon entry for %s %d-%d hidden by earlier entry for %d-%d",
4138
id, low, high, low2, high2);
4177
4192
for (c = head; c; c = c->next) {
4178
4193
if (!strcmp(newc->u.name, c->u.name)) {
4179
sprintf(errormsg, "duplicate entry for network interface %s", newc->u.name);
4195
"duplicate entry for network interface %s",
4180
4197
yyerror(errormsg);
4181
4198
context_destroy(&newc->context[0]);
4182
4199
context_destroy(&newc->context[1]);
4220
/* Create order of most specific to least retaining
4221
the order specified in the configuration. */
4237
/* Create order of most specific to least retaining
4238
the order specified in the configuration. */
4222
4239
head = policydbp->ocontexts[OCON_NODE];
4223
4240
for (l = NULL, c = head; c; l = c, c = c->next) {
4224
if (newc->u.node.mask > c->u.node.mask)
4241
if (newc->u.node.mask > c->u.node.mask)
4228
4245
newc->next = c;
4242
4259
struct in6_addr addr, mask;
4243
4260
ocontext_t *newc, *c, *l, *head;
4245
4262
if (pass == 1) {
4246
4263
free(queue_remove(id_queue));
4247
4264
free(queue_remove(id_queue));
4248
4265
parse_security_context(NULL);
4252
4269
id = queue_remove(id_queue);
4254
4271
yyerror("failed to read ipv6 address");
4453
if (parse_security_context(&newc->context[0]))
4472
if (parse_security_context(&newc->context[0]))
4456
4475
head = genfs->head;
4458
4477
for (p = NULL, c = head; c; p = c, c = c->next) {
4459
if (!strcmp(newc->u.name, c->u.name) &&
4460
(!newc->v.sclass || !c->v.sclass || newc->v.sclass == c->v.sclass)) {
4461
sprintf(errormsg, "duplicate entry for genfs entry (%s, %s)", fstype, newc->u.name);
4478
if (!strcmp(newc->u.name, c->u.name) &&
4479
(!newc->v.sclass || !c->v.sclass
4480
|| newc->v.sclass == c->v.sclass)) {
4482
"duplicate entry for genfs entry (%s, %s)",
4483
fstype, newc->u.name);
4462
4484
yyerror(errormsg);
4510
4529
if (pass == 1) {
4511
while ((id = queue_remove(id_queue)))
4513
while ((id = queue_remove(id_queue)))
4515
id = queue_remove(id_queue); free(id);
4530
while ((id = queue_remove(id_queue)))
4532
while ((id = queue_remove(id_queue)))
4534
if (class_specified)
4535
while ((id = queue_remove(id_queue)))
4537
id = queue_remove(id_queue);
4516
4539
for (l = 0; l < 2; l++) {
4517
4540
while ((id = queue_remove(id_queue))) {
4520
4543
id = queue_remove(id_queue);
4528
type_set_init(&doms);
4529
type_set_init(&types);
4531
while ((id = queue_remove(id_queue))) {
4532
if (set_types(&doms, id, &add, 0))
4536
while ((id = queue_remove(id_queue))) {
4537
if (set_types(&types, id, &add, 0))
4551
rule = malloc(sizeof(struct range_trans_rule));
4553
yyerror("out of memory");
4556
range_trans_rule_init(rule);
4558
while ((id = queue_remove(id_queue))) {
4559
if (set_types(&rule->stypes, id, &add, 0))
4563
while ((id = queue_remove(id_queue))) {
4564
if (set_types(&rule->ttypes, id, &add, 0))
4568
if (class_specified) {
4569
while ((id = queue_remove(id_queue))) {
4570
if (!is_id_in_scope(SYM_CLASSES, id)) {
4571
yyerror2("class %s is not within scope", id);
4575
cladatum = hashtab_search(policydbp->p_classes.table,
4578
sprintf(errormsg, "unknown class %s", id);
4583
ebitmap_set_bit(&rule->tclasses, cladatum->s.value - 1,
4588
cladatum = hashtab_search(policydbp->p_classes.table,
4591
sprintf(errormsg, "could not find process class for "
4592
"legacy range_transition statement\n");
4597
ebitmap_set_bit(&rule->tclasses, cladatum->s.value - 1, TRUE);
4541
4600
id = (char *)queue_remove(id_queue);
4543
4602
yyerror("no range in range_transition definition?");
4546
4605
for (l = 0; l < 2; l++) {
4547
4606
levdatum = hashtab_search(policydbp->p_levels.table, id);
4548
4607
if (!levdatum) {
4549
sprintf(errormsg, "unknown level %s used in range_transition definition", id);
4609
"unknown level %s used in range_transition "
4550
4611
yyerror(errormsg);
4555
range.level[l].sens = levdatum->level->sens;
4557
ebitmap_init(&range.level[l].cat);
4617
rule->trange.level[l].sens = levdatum->level->sens;
4559
4619
while ((id = queue_remove(id_queue))) {
4560
if (parse_categories(id, levdatum,
4561
&range.level[l].cat)) {
4620
if (parse_semantic_categories(id, levdatum,
4621
&rule->trange.level[l].cat)) {
4573
range.level[1].sens = range.level[0].sens;
4574
if (ebitmap_cpy(&range.level[1].cat, &range.level[0].cat)) {
4633
if (mls_semantic_level_cpy(&rule->trange.level[1],
4634
&rule->trange.level[0])) {
4575
4635
yyerror("out of memory");
4580
if (!mls_level_dom(&range.level[1], &range.level[0])) {
4581
yyerror("range_transition high level does not dominate low level");
4585
ebitmap_for_each_bit(&doms.types, snode, i) {
4586
if (!ebitmap_node_get_bit(snode, i))
4588
ebitmap_for_each_bit(&types.types, tnode, j) {
4589
if (!ebitmap_node_get_bit(tnode, j))
4592
for (rt = policydbp->range_tr; rt; rt = rt->next) {
4593
if (rt->dom == (i + 1) && rt->type == (j + 1)) {
4594
sprintf(errormsg, "duplicate range_transition defined for (%s,%s)",
4595
policydbp->p_type_val_to_name[i], policydbp->p_type_val_to_name[j]);
4601
rt = malloc(sizeof(range_trans_t));
4603
yyerror("out of memory");
4606
memset(rt, 0, sizeof(range_trans_t));
4609
rt->range.level[0].sens = range.level[0].sens;
4610
if (ebitmap_cpy(&rt->range.level[0].cat,
4611
&range.level[0].cat)) {
4612
yyerror("out of memory");
4616
rt->range.level[1].sens = range.level[1].sens;
4617
if (ebitmap_cpy(&rt->range.level[1].cat,
4618
&range.level[1].cat)) {
4619
yyerror("out of memory");
4623
rt->next = policydbp->range_tr;
4624
policydbp->range_tr = rt;
4628
type_set_destroy(&doms);
4629
type_set_destroy(&types);
4630
ebitmap_destroy(&range.level[0].cat);
4631
ebitmap_destroy(&range.level[1].cat);
4640
append_range_trans(rule);
4644
range_trans_rule_destroy(rule);