~ubuntu-branches/ubuntu/hardy/checkpolicy/hardy

Committer: Bazaar Package Importer
Author(s): Manoj Srivastava
Date: 2005-12-29 23:57:12 UTC
mfrom: (1.1.4 upstream)
Revision ID: james.westby@ubuntu.com-20051229235712-chhn3y0v2av6cf22

Tags: 1.28-1

* New upstream release
  * Updated version for release.
  * Merged checkmodule man page from Dan Walsh, and edited it.
  * Added error checking of all ebitmap_set_bit calls for out of
    memory conditions.
  * Merged removal of compatibility handling of netlink classes
    (requirement that policies with newer versions include the
     netlink class definitions, remapping of fine-grained netlink
     classes in newer source policies to single netlink class when
     generating older policies) from George Coker.
  * Merged dismod fix from Joshua Brindle.
  * Removed obsolete cond_check_type_rules() function and call and
    cond_optimize_lists() call from checkpolicy.c; these are handled
    during parsing and expansion now.
  * Updated calls to expand_module for interface change.
  * Changed checkmodule to verify that expand_module succeeds
    when building base modules.
  * Merged module compiler fixes from Joshua Brindle.
  * Removed direct calls to hierarchy_check_constraints() and
    check_assertions() from checkpolicy since they are now called
    internally by expand_module().
  * Updated for changes to sepol policydb_index_others interface.
  * Updated for changes to sepol expand_module and link_modules interfaces.
  * Merged support for require blocks inside conditionals from
    Joshua Brindle (Tresys).
  * Updated for changes to libsepol.
  * Merged several bug fixes from Joshua Brindle (Tresys).
  * Merged MLS in modules patch from Joshua Brindle (Tresys).
  * Merged error handling improvement in checkmodule from Karl MacMillan (Tresys).
  * Merged bugfix for dup role transition error messages from
    Karl MacMillan (Tresys).
  * Merged policyver/modulever patches from Joshua Brindle (Tresys).
  * Fixed parse_categories handling of undefined category.
  * Merged bug fix for role dominance handling from Darrel Goeddel (TCS).

files added:
checkmodule.8

files modified:
ChangeLog

Makefile

VERSION

checkmodule.c

checkpolicy.c

checkpolicy.h

debian/changelog

debian/common/debconf.mk

debian/control

module_compiler.c

module_compiler.h

policy_parse.y

test/dismod.c

test/dispol.c

Show diffs side-by-side

added added

removed removed

module_compiler.c

#include <stdlib.h>

#include <string.h>

#include <sepol/policydb.h>

#include <sepol/avrule_block.h>

#include <sepol/conditional.h>

#include <sepol/policydb/policydb.h>

#include <sepol/policydb/avrule_block.h>

#include <sepol/policydb/conditional.h>

#include "queue.h"

#include "module_compiler.h"

* declaration is current */

avrule_t *last_avrule;

int in_else; /* if in an avrule block, within ELSE branch */

int require_given; /* 1 if this block had at least one require */

struct scope_stack *parent, *child;

} scope_stack_t;

}

policydbp->name = id;

if ((policydbp->version = queue_remove(id_queue)) == NULL) {

if ((policydbp->version = strdup("")) == NULL) {

yyerror("Out of memory!");

return -1;

}

yyerror("Expected a module version but none was found.");

return -1;

}

/* the first declaration within the global avrule

145

144

else if (retval == -2) {

146

145

return -2;

147

146

}

148

else if (retval == -1 || retval == -ENOMEM) {

147

else if (retval < 0) {

149

148

return -3;

150

149

}

150

else { /* fall through possible if retval is 0 */

151

}

151

152

if (datum_value != NULL) {

152

153

if (ebitmap_set_bit(decl->declared.scope + symbol_type,

153

154

*datum_value - 1,

239

240

return NULL;

240

241

}

241

242

case 0: {

242

ebitmap_set_bit(&role->dominates, role->value - 1, 1);

243

if (ebitmap_set_bit(&role->dominates, role->value - 1, 1)) {

244

yyerror("out of memory");

245

return NULL;

246

}

243

247

return dest_role;

244

248

}

245

249

case 1: {

264

268

}

265

269

if (strcmp(id, "self") == 0) {

266

270

yyerror("'self' is a reserved type name and may not be declared.");

271

free(id);

267

272

return NULL;

268

273

}

269

274

307

312

return NULL;

308

313

}

309

314

case -1: {

310

yyerror("could not declare attribute here");

315

yyerror("could not declare type/attribute here");

311

316

return NULL;

312

317

}

313

318

case 0:

457

462

* have its own requirements.

458

463

459

464

static int is_require_allowed(void) {

460

if (stack_top->type == 1 &&

465

if (policydbp->policy_type == POLICY_MOD &&

466

stack_top->type == 1 &&

461

467

!stack_top->in_else) {

462

468

return 1;

463

469

}

495

501

*dest_value = *v;

496

502

}

497

503

else if (retval == -2) {

498

return -2;

504

/* ignore require statements if that symbol was

505

* previously declared and is in current scope */

506

int prev_declaration_ok = 0;

507

if (is_id_in_scope(symbol_type, key)) {

508

if (symbol_type == SYM_TYPES) {

509

/* check that previous symbol has same

510

* type/attribute-ness */

511

unsigned char new_isattr = ((type_datum_t *) datum)->isattr;

512

type_datum_t *old_datum = (type_datum_t *) hashtab_search(policydbp->symtab[SYM_TYPES].table, key);

513

assert(old_datum != NULL);

514

unsigned char old_isattr = old_datum->isattr;

515

prev_declaration_ok = (old_isattr == new_isattr ? 1 : 0);

516

}

517

else {

518

prev_declaration_ok = 1;

519

}

520

}

521

if (prev_declaration_ok) {

522

/* ignore this require statement because it

523

* was already declared within my scope */

524

stack_top->require_given = 1;

525

return 1;

526

}

527

else {

528

/* previous declaration was not in scope or

529

* had a mismatched type/attribute, so

530

* generate an error */

531

return -2;

532

}

499

533

}

500

else if (retval == -1 || retval == -ENOMEM) {

534

else if (retval < 0) {

501

535

return -3;

502

536

}

537

else { /* fall through possible if retval is 0 or 1 */

538

}

503

539

if (datum_value != NULL) {

504

540

if (ebitmap_set_bit(decl->required.scope + symbol_type,

505

541

*datum_value - 1,

507

543

return -3;

508

544

}

509

545

}

546

stack_top->require_given = 1;

510

547

return retval;

511

548

}

512

549

636

673

break;

637

674

}

638

675

case HASHTAB_SUCCESS: {

639

perm->value = ++datum->permissions.nprim;

676

perm->value = datum->permissions.nprim + 1;

640

677

break;

641

678

}

642

679

default: {

652

689

free(perm);

653

690

goto cleanup;

654

691

}

692

if (ret2 == HASHTAB_SUCCESS) {

693

datum->permissions.nprim++;

694

}

655

695

}

656

696

return 0;

657

697

cleanup:

699

739

}

700

740

case 0: {

701

741

/* all roles dominate themselves */

702

ebitmap_set_bit(&role->dominates, role->value - 1, 1);

742

if (ebitmap_set_bit(&role->dominates, role->value - 1, 1)) {

743

yyerror("Out of memory");

744

return -1;

745

}

703

746

return 0;

704

747

}

705

748

case 1: {

1078

1121

stack_top->in_else = 1;

1079

1122

stack_top->decl = decl;

1080

1123

stack_top->last_avrule = NULL;

1124

stack_top->require_given = 0;

1081

1125

next_decl_id++;

1082

1126

return 0;

1083

1127

}

1129

1173

* pass 2, have this block inherit its parents' requirements. Return

1130

1174

* 0 on success, -1 on failure. */

1131

1175

int end_avrule_block(int pass) {

1132

int i, j;

1133

1176

avrule_decl_t *decl = stack_top->decl;

1134

ebitmap_node_t *node;

1135

1177

assert(stack_top->type == 1);

1136

1178

if (pass == 2) {

1137

1179

/* this avrule_decl inherits all of its parents'

1141

1183

}

1142

1184

return 0;

1143

1185

}

1144

if (!stack_top->in_else) {

1186

if (!stack_top->in_else && !stack_top->require_given) {

1145

1187

/* non-ELSE branches must have at least one thing required */

1146

for (i = 0; i < SYM_NUM; i++) {

1147

ebitmap_t *bitmap = &decl->required.scope[i];

1148

ebitmap_for_each_bit(bitmap, node, j) {

1149

if (ebitmap_node_get_bit(node, j)) {

1150

/* at least one thing was required */

1151

return 0;

1152

}

1153

}

1154

}

1155

/* this av did not require anything, which is an error */

1156

1188

yyerror("This block has no require section.");

1157

1189

return -1;

1158

1190

}

Older »