120
124
* of memory, return -3. Note that dest_value and datum_value might
121
125
* not be restricted pointers. */
122
126
int declare_symbol(uint32_t symbol_type,
123
hashtab_key_t key, hashtab_datum_t datum,
124
uint32_t *dest_value, uint32_t *datum_value) {
125
avrule_decl_t *decl = stack_top->decl;
127
hashtab_key_t key, hashtab_datum_t datum,
128
uint32_t * dest_value, uint32_t * datum_value)
130
avrule_decl_t *decl = stack_top->decl;
128
/* first check that symbols may be declared here */
129
if (!is_declaration_allowed()) {
132
retval = symtab_insert(policydbp, symbol_type, key, datum,
133
SCOPE_DECL, decl->decl_id,
136
/* because C has no polymorphism, make the
137
* [outrageous] assumption that the first field of all
138
* symbol table data is a uint32_t representing its
140
uint32_t *v = (uint32_t *) hashtab_search(policydbp->symtab[symbol_type].table, key);
144
else if (retval == -2) {
147
else if (retval < 0) {
150
else { /* fall through possible if retval is 0 */
152
if (datum_value != NULL) {
153
if (ebitmap_set_bit(decl->declared.scope + symbol_type,
133
/* first check that symbols may be declared here */
134
if (!is_declaration_allowed()) {
137
retval = symtab_insert(policydbp, symbol_type, key, datum,
138
SCOPE_DECL, decl->decl_id, dest_value);
141
(symtab_datum_t *) hashtab_search(policydbp->
142
symtab[symbol_type].table,
145
*dest_value = s->value;
146
} else if (retval == -2) {
148
} else if (retval < 0) {
150
} else { /* fall through possible if retval is 0 */
152
if (datum_value != NULL) {
153
if (ebitmap_set_bit(decl->declared.scope + symbol_type,
154
*datum_value - 1, 1)) {
162
161
role_datum_t *declare_role(void)
164
char *id = queue_remove(id_queue), *dest_id = NULL;
163
char *id = queue_remove(id_queue), *dest_id = NULL;
165
164
role_datum_t *role = NULL, *dest_role = NULL;
170
yyerror("no role name");
173
if ((role = (role_datum_t *) malloc(sizeof(*role))) == NULL) {
174
yyerror("Out of memory!");
178
role_datum_init(role);
180
retval = declare_symbol(SYM_ROLES, id, (hashtab_datum_t*)role, &value, &value);
183
if ((dest_id = strdup(id)) == NULL) {
184
yyerror("Out of memory!");
189
/* this role was already declared in this module, or error */
191
role_datum_destroy(role);
194
if (retval == 0 || retval == 1) {
195
/* create a new role_datum_t for this decl, if necessary */
197
assert(stack_top->type == 1);
198
if (stack_top->parent == NULL) {
199
/* in parent, so use global symbol table */
200
roles_tab = policydbp->p_roles.table;
203
roles_tab = stack_top->decl->p_roles.table;
205
dest_role = (role_datum_t *) hashtab_search(roles_tab, dest_id);
206
if (dest_role == NULL) {
207
if ((dest_role = (role_datum_t *) malloc(sizeof(*dest_role))) == NULL) {
208
yyerror("Out of memory!");
212
role_datum_init(dest_role);
213
dest_role->value = value;
214
if (hashtab_insert(roles_tab, dest_id, dest_role)) {
215
yyerror("Out of memory!");
217
role_datum_destroy(dest_role);
231
yyerror("Out of memory!");
235
yyerror("duplicate declaration of role");
239
yyerror("could not declare role here");
243
if (ebitmap_set_bit(&role->dominates, role->value - 1, 1)) {
244
yyerror("out of memory");
250
return dest_role; /* role already declared for this block */
253
assert(0); /* should never get here */
169
yyerror("no role name");
172
if ((role = (role_datum_t *) malloc(sizeof(*role))) == NULL) {
173
yyerror("Out of memory!");
177
role_datum_init(role);
180
declare_symbol(SYM_ROLES, id, (hashtab_datum_t *) role, &value,
183
role->s.value = value;
184
if ((dest_id = strdup(id)) == NULL) {
185
yyerror("Out of memory!");
189
/* this role was already declared in this module, or error */
191
role_datum_destroy(role);
194
if (retval == 0 || retval == 1) {
195
/* create a new role_datum_t for this decl, if necessary */
197
assert(stack_top->type == 1);
198
if (stack_top->parent == NULL) {
199
/* in parent, so use global symbol table */
200
roles_tab = policydbp->p_roles.table;
202
roles_tab = stack_top->decl->p_roles.table;
204
dest_role = (role_datum_t *) hashtab_search(roles_tab, dest_id);
205
if (dest_role == NULL) {
207
(role_datum_t *) malloc(sizeof(*dest_role))) ==
209
yyerror("Out of memory!");
213
role_datum_init(dest_role);
214
dest_role->s.value = value;
215
if (hashtab_insert(roles_tab, dest_id, dest_role)) {
216
yyerror("Out of memory!");
218
role_datum_destroy(dest_role);
230
yyerror("Out of memory!");
234
yyerror("duplicate declaration of role");
238
yyerror("could not declare role here");
243
(&dest_role->dominates, role->s.value - 1, 1)) {
244
yyerror("out of memory");
250
return dest_role; /* role already declared for this block */
253
assert(0); /* should never get here */
258
type_datum_t *declare_type(unsigned char primary, unsigned char isattr) {
259
char *id, *dest_id = NULL;
260
type_datum_t *typdatum, *dest_typdatum = NULL;
258
type_datum_t *declare_type(unsigned char primary, unsigned char isattr)
261
type_datum_t *typdatum;
262
263
uint32_t value = 0;
264
id = (char *) queue_remove(id_queue);
265
id = (char *)queue_remove(id_queue);
266
yyerror("no type/attribute name?");
269
if (strcmp(id, "self") == 0) {
270
yyerror("'self' is a reserved type name and may not be declared.");
267
yyerror("no type/attribute name?");
270
if (strcmp(id, "self") == 0) {
272
("'self' is a reserved type name and may not be declared.");
275
277
typdatum = (type_datum_t *) malloc(sizeof(type_datum_t));
277
279
yyerror("Out of memory!");
281
type_datum_init(typdatum);
282
typdatum->primary = primary;
283
typdatum->isattr = isattr;
285
retval = declare_symbol(SYM_TYPES, id, typdatum, &value, &value);
286
if (retval == 0 || retval == 1) {
287
if (typdatum->primary) {
288
typdatum->value = value;
290
if ((dest_id = strdup(id)) == NULL) {
291
yyerror("Out of memory!");
294
if ((dest_typdatum = get_local_type(dest_id, value)) == NULL) {
295
yyerror("Out of memory!");
300
/* error occurred (can't have duplicate type declarations) */
283
type_datum_init(typdatum);
284
typdatum->primary = primary;
285
typdatum->flavor = isattr ? TYPE_ATTRIB : TYPE_TYPE;
287
retval = declare_symbol(SYM_TYPES, id, typdatum, &value, &value);
288
if (retval == 0 || retval == 1) {
289
if (typdatum->primary) {
290
typdatum->s.value = value;
293
/* error occurred (can't have duplicate type declarations) */
302
type_datum_destroy(typdatum);
307
yyerror("Out of memory!");
311
yyerror2("duplicate declaration of type/attribute");
315
yyerror("could not declare type/attribute here");
320
return dest_typdatum;
323
assert(0); /* should never get here */
295
type_datum_destroy(typdatum);
300
yyerror("Out of memory!");
304
yyerror2("duplicate declaration of type/attribute");
308
yyerror("could not declare type/attribute here");
316
assert(0); /* should never get here */
328
user_datum_t *declare_user(void) {
329
char *id = queue_remove(id_queue), *dest_id = NULL;
330
user_datum_t *user = NULL, *dest_user = NULL;
335
yyerror("no user name");
338
if ((user = (user_datum_t *) malloc(sizeof(*user))) == NULL) {
339
yyerror("Out of memory!");
343
user_datum_init(user);
345
retval = declare_symbol(SYM_USERS, id, (hashtab_datum_t*)user, &value, &value);
349
if ((dest_id = strdup(id)) == NULL) {
350
yyerror("Out of memory!");
355
/* this user was already declared in this module, or error */
357
user_datum_destroy(user);
360
if (retval == 0 || retval == 1) {
361
/* create a new user_datum_t for this decl, if necessary */
363
assert(stack_top->type == 1);
364
if (stack_top->parent == NULL) {
365
/* in parent, so use global symbol table */
366
users_tab = policydbp->p_users.table;
369
users_tab = stack_top->decl->p_users.table;
371
dest_user = (user_datum_t *) hashtab_search(users_tab, dest_id);
372
if (dest_user == NULL) {
373
if ((dest_user = (user_datum_t *) malloc(sizeof(*dest_user))) == NULL) {
374
yyerror("Out of memory!");
378
user_datum_init(dest_user);
379
dest_user->value = value;
380
if (hashtab_insert(users_tab, dest_id, dest_user)) {
381
yyerror("Out of memory!");
383
user_datum_destroy(dest_user);
397
yyerror("Out of memory!");
401
yyerror("duplicate declaration of user");
405
yyerror("could not declare user here");
412
return dest_user; /* user already declared for this block */
415
assert(0); /* should never get here */
321
user_datum_t *declare_user(void)
323
char *id = queue_remove(id_queue), *dest_id = NULL;
324
user_datum_t *user = NULL, *dest_user = NULL;
329
yyerror("no user name");
332
if ((user = (user_datum_t *) malloc(sizeof(*user))) == NULL) {
333
yyerror("Out of memory!");
337
user_datum_init(user);
340
declare_symbol(SYM_USERS, id, (hashtab_datum_t *) user, &value,
344
user->s.value = value;
345
if ((dest_id = strdup(id)) == NULL) {
346
yyerror("Out of memory!");
350
/* this user was already declared in this module, or error */
352
user_datum_destroy(user);
355
if (retval == 0 || retval == 1) {
356
/* create a new user_datum_t for this decl, if necessary */
358
assert(stack_top->type == 1);
359
if (stack_top->parent == NULL) {
360
/* in parent, so use global symbol table */
361
users_tab = policydbp->p_users.table;
363
users_tab = stack_top->decl->p_users.table;
365
dest_user = (user_datum_t *) hashtab_search(users_tab, dest_id);
366
if (dest_user == NULL) {
368
(user_datum_t *) malloc(sizeof(*dest_user))) ==
370
yyerror("Out of memory!");
374
user_datum_init(dest_user);
375
dest_user->s.value = value;
376
if (hashtab_insert(users_tab, dest_id, dest_user)) {
377
yyerror("Out of memory!");
379
user_datum_destroy(dest_user);
391
yyerror("Out of memory!");
395
yyerror("duplicate declaration of user");
399
yyerror("could not declare user here");
406
return dest_user; /* user already declared for this block */
409
assert(0); /* should never get here */
420
414
/* Return a type_datum_t for the local avrule_decl with the given ID.
477
478
* restricted pointers.
479
480
int require_symbol(uint32_t symbol_type,
480
hashtab_key_t key, hashtab_datum_t datum,
481
uint32_t *dest_value, uint32_t *datum_value) {
482
avrule_decl_t *decl = stack_top->decl;
485
/* first check that symbols may be required here */
486
if (!is_require_allowed()) {
489
retval = symtab_insert(policydbp, symbol_type, key, datum,
490
SCOPE_REQ, decl->decl_id,
493
/* because C has no polymorphism, make the
494
* [outrageous] assumption that the first field of all
495
* symbol table data is a uint32_t representing its
497
uint32_t *v = (uint32_t *) hashtab_search(policydbp->symtab[symbol_type].table, key);
501
else if (retval == -2) {
502
/* ignore require statements if that symbol was
503
* previously declared and is in current scope */
504
int prev_declaration_ok = 0;
505
if (is_id_in_scope(symbol_type, key)) {
506
if (symbol_type == SYM_TYPES) {
507
/* check that previous symbol has same
508
* type/attribute-ness */
509
unsigned char new_isattr = ((type_datum_t *) datum)->isattr;
510
type_datum_t *old_datum = (type_datum_t *) hashtab_search(policydbp->symtab[SYM_TYPES].table, key);
511
assert(old_datum != NULL);
512
unsigned char old_isattr = old_datum->isattr;
513
prev_declaration_ok = (old_isattr == new_isattr ? 1 : 0);
516
prev_declaration_ok = 1;
519
if (prev_declaration_ok) {
520
/* ignore this require statement because it
521
* was already declared within my scope */
522
stack_top->require_given = 1;
526
/* previous declaration was not in scope or
527
* had a mismatched type/attribute, so
528
* generate an error */
532
else if (retval < 0) {
535
else { /* fall through possible if retval is 0 or 1 */
537
if (datum_value != NULL) {
538
if (ebitmap_set_bit(decl->required.scope + symbol_type,
544
stack_top->require_given = 1;
548
int add_perm_to_class(uint32_t perm_value, uint32_t class_value) {
549
avrule_decl_t *decl = stack_top->decl;
550
scope_index_t *scope;
552
assert(perm_value >= 1);
553
assert(class_value >= 1);
554
scope = &decl->required;
555
if (class_value > scope->class_perms_len) {
557
ebitmap_t *new_map = realloc(scope->class_perms_map,
558
class_value * sizeof(*new_map));
559
if (new_map == NULL) {
562
scope->class_perms_map = new_map;
563
for (i = scope->class_perms_len; i < class_value; i++) {
564
ebitmap_init(scope->class_perms_map + i);
566
scope->class_perms_len = class_value;
568
if (ebitmap_set_bit(scope->class_perms_map + class_value - 1,
569
perm_value - 1, 1)) {
575
static int perm_destroy(hashtab_key_t key, hashtab_datum_t datum, void *p __attribute__ ((unused)))
481
hashtab_key_t key, hashtab_datum_t datum,
482
uint32_t * dest_value, uint32_t * datum_value)
484
avrule_decl_t *decl = stack_top->decl;
487
/* first check that symbols may be required here */
488
if (!is_require_allowed()) {
491
retval = symtab_insert(policydbp, symbol_type, key, datum,
492
SCOPE_REQ, decl->decl_id, dest_value);
495
(symtab_datum_t *) hashtab_search(policydbp->
496
symtab[symbol_type].table,
499
*dest_value = s->value;
500
} else if (retval == -2) {
501
/* ignore require statements if that symbol was
502
* previously declared and is in current scope */
503
int prev_declaration_ok = 0;
504
if (is_id_in_scope(symbol_type, key)) {
505
if (symbol_type == SYM_TYPES) {
506
/* check that previous symbol has same
507
* type/attribute-ness */
508
unsigned char new_isattr =
509
((type_datum_t *) datum)->flavor;
510
type_datum_t *old_datum =
511
(type_datum_t *) hashtab_search(policydbp->
515
assert(old_datum != NULL);
516
unsigned char old_isattr = old_datum->flavor;
517
prev_declaration_ok =
518
(old_isattr == new_isattr ? 1 : 0);
520
prev_declaration_ok = 1;
523
if (prev_declaration_ok) {
524
/* ignore this require statement because it
525
* was already declared within my scope */
526
stack_top->require_given = 1;
529
/* previous declaration was not in scope or
530
* had a mismatched type/attribute, so
531
* generate an error */
534
} else if (retval < 0) {
536
} else { /* fall through possible if retval is 0 or 1 */
538
if (datum_value != NULL) {
539
if (ebitmap_set_bit(decl->required.scope + symbol_type,
540
*datum_value - 1, 1)) {
544
stack_top->require_given = 1;
548
int add_perm_to_class(uint32_t perm_value, uint32_t class_value)
550
avrule_decl_t *decl = stack_top->decl;
551
scope_index_t *scope;
553
assert(perm_value >= 1);
554
assert(class_value >= 1);
555
scope = &decl->required;
556
if (class_value > scope->class_perms_len) {
558
ebitmap_t *new_map = realloc(scope->class_perms_map,
559
class_value * sizeof(*new_map));
560
if (new_map == NULL) {
563
scope->class_perms_map = new_map;
564
for (i = scope->class_perms_len; i < class_value; i++) {
565
ebitmap_init(scope->class_perms_map + i);
567
scope->class_perms_len = class_value;
569
if (ebitmap_set_bit(scope->class_perms_map + class_value - 1,
570
perm_value - 1, 1)) {
576
static int perm_destroy(hashtab_key_t key, hashtab_datum_t datum, void *p
577
__attribute__ ((unused)))
676
692
memset(perm, 0, sizeof(*perm));
677
ret = hashtab_insert(datum->permissions.table, perm_id, perm);
694
hashtab_insert(datum->permissions.table, perm_id,
679
697
yyerror("Out of memory!");
684
perm->value = datum->permissions.nprim + 1;
687
if (add_perm_to_class(perm->value, datum->value) == -1) {
688
yyerror("Out of memory!");
702
perm->s.value = datum->permissions.nprim + 1;
705
if (add_perm_to_class(perm->s.value, datum->s.value) == -1) {
706
yyerror("Out of memory!");
692
710
/* Update number of primitives if we allocated one. */
694
datum->permissions.nprim++;
712
datum->permissions.nprim++;
702
719
int require_role(int pass)
704
char *id = queue_remove(id_queue);
705
role_datum_t *role = NULL;
712
yyerror("no role name");
715
if ((role = malloc(sizeof (*role))) == NULL) {
717
yyerror("Out of memory!");
720
role_datum_init(role);
721
retval = require_symbol(SYM_ROLES, id, (hashtab_datum_t *) role, &role->value, &role->value);
724
role_datum_destroy(role);
729
yyerror("Out of memory!");
733
yyerror("duplicate declaration of role");
737
yyerror("could not require role here");
741
/* all roles dominate themselves */
742
if (ebitmap_set_bit(&role->dominates, role->value - 1, 1)) {
743
yyerror("Out of memory");
749
return 0; /* role already required */
752
assert(0); /* should never get here */
758
static int require_type_or_attribute(int pass, unsigned char isattr) {
759
char *id = queue_remove(id_queue);
760
type_datum_t *type = NULL;
767
yyerror("no type name");
770
if ((type = malloc(sizeof(*type))) == NULL) {
772
yyerror("Out of memory!");
775
type_datum_init(type);
777
type->isattr = isattr;
778
retval = require_symbol(SYM_TYPES, id, (hashtab_datum_t *) type, &type->value, &type->value);
785
yyerror("Out of memory!");
789
yyerror("duplicate declaration of type/attribute");
793
yyerror("could not require type/attribute here");
800
return 0; /* type already required */
803
assert(0); /* should never get here */
808
int require_type(int pass) {
809
return require_type_or_attribute(pass, 0);
812
int require_attribute(int pass) {
813
return require_type_or_attribute(pass, 1);
721
char *id = queue_remove(id_queue);
722
role_datum_t *role = NULL;
729
yyerror("no role name");
732
if ((role = malloc(sizeof(*role))) == NULL) {
734
yyerror("Out of memory!");
737
role_datum_init(role);
739
require_symbol(SYM_ROLES, id, (hashtab_datum_t *) role,
740
&role->s.value, &role->s.value);
743
role_datum_destroy(role);
748
yyerror("Out of memory!");
752
yyerror("duplicate declaration of role");
756
yyerror("could not require role here");
760
/* all roles dominate themselves */
762
(&role->dominates, role->s.value - 1, 1)) {
763
yyerror("Out of memory");
769
return 0; /* role already required */
772
assert(0); /* should never get here */
777
static int require_type_or_attribute(int pass, unsigned char isattr)
779
char *id = queue_remove(id_queue);
780
type_datum_t *type = NULL;
787
yyerror("no type name");
790
if ((type = malloc(sizeof(*type))) == NULL) {
792
yyerror("Out of memory!");
795
type_datum_init(type);
797
type->flavor = isattr ? TYPE_ATTRIB : TYPE_TYPE;
799
require_symbol(SYM_TYPES, id, (hashtab_datum_t *) type,
800
&type->s.value, &type->s.value);
807
yyerror("Out of memory!");
811
yyerror("duplicate declaration of type/attribute");
815
yyerror("could not require type/attribute here");
822
return 0; /* type already required */
825
assert(0); /* should never get here */
830
int require_type(int pass)
832
return require_type_or_attribute(pass, 0);
835
int require_attribute(int pass)
837
return require_type_or_attribute(pass, 1);
816
840
int require_user(int pass)
818
char *id = queue_remove(id_queue);
819
user_datum_t *user = NULL;
826
yyerror("no user name");
829
if ((user = malloc(sizeof (*user))) == NULL) {
831
yyerror("Out of memory!");
834
user_datum_init(user);
835
retval = require_symbol(SYM_USERS, id, (hashtab_datum_t *) user, &user->value, &user->value);
838
user_datum_destroy(user);
842
yyerror("Out of memory!");
846
yyerror("duplicate declaration of user");
850
yyerror("could not require user here");
857
return 0; /* user already required */
860
assert(0); /* should never get here */
842
char *id = queue_remove(id_queue);
843
user_datum_t *user = NULL;
850
yyerror("no user name");
853
if ((user = malloc(sizeof(*user))) == NULL) {
855
yyerror("Out of memory!");
858
user_datum_init(user);
860
require_symbol(SYM_USERS, id, (hashtab_datum_t *) user,
861
&user->s.value, &user->s.value);
864
user_datum_destroy(user);
868
yyerror("Out of memory!");
872
yyerror("duplicate declaration of user");
876
yyerror("could not require user here");
883
return 0; /* user already required */
886
assert(0); /* should never get here */
865
891
int require_bool(int pass)
867
char *id = queue_remove(id_queue);
868
cond_bool_datum_t *booldatum = NULL;
875
yyerror("no boolean name");
878
if ((booldatum = calloc(1, sizeof (*booldatum))) == NULL) {
879
cond_destroy_bool(id, booldatum, NULL);
880
yyerror("Out of memory!");
883
retval = require_symbol(SYM_BOOLS, id, (hashtab_datum_t *) booldatum, &booldatum->value, &booldatum->value);
885
cond_destroy_bool(id, booldatum, NULL);
889
yyerror("Out of memory!");
893
yyerror("duplicate declaration of boolean");
897
yyerror("could not require boolean here");
904
return 0; /* boolean already required */
907
assert(0); /* should never get here */
912
static int is_scope_in_stack(scope_datum_t *scope, scope_stack_t *stack) {
915
return 0; /* no matching scope found */
917
if (stack->type == 1) {
918
avrule_decl_t *decl = stack->decl;
919
for (i = 0; i < scope->decl_ids_len; i++) {
920
if (scope->decl_ids[i] == decl->decl_id) {
926
/* note that conditionals can't declare or require
927
* symbols, so skip this level */
930
/* not within scope of this stack, so try its parent */
931
return is_scope_in_stack(scope, stack->parent);
934
int is_id_in_scope(uint32_t symbol_type, hashtab_key_t id) {
935
scope_datum_t *scope = (scope_datum_t *) hashtab_search(policydbp->scope[symbol_type].table, id);
937
return 1; /* id is not known, so return success */
939
return is_scope_in_stack(scope, stack_top);
942
static int is_perm_in_scope_index(uint32_t perm_value, uint32_t class_value, scope_index_t *scope) {
943
if (class_value > scope->class_perms_len) {
946
if (ebitmap_get_bit(scope->class_perms_map + class_value - 1,
953
static int is_perm_in_stack(uint32_t perm_value, uint32_t class_value, scope_stack_t *stack) {
955
return 0; /* no matching scope found */
957
if (stack->type == 1) {
958
avrule_decl_t *decl = stack->decl;
959
if (is_perm_in_scope_index(perm_value, class_value, &decl->required) ||
960
is_perm_in_scope_index(perm_value, class_value, &decl->declared)) {
965
/* note that conditionals can't declare or require
966
* symbols, so skip this level */
969
/* not within scope of this stack, so try its parent */
970
return is_perm_in_stack(perm_value, class_value, stack->parent);
973
int is_perm_in_scope(hashtab_key_t perm_id, hashtab_key_t class_id) {
974
class_datum_t *cladatum = (class_datum_t *) hashtab_search(policydbp->p_classes.table,
976
perm_datum_t *perdatum;
977
if (cladatum == NULL) {
980
perdatum = (perm_datum_t *) hashtab_search(cladatum->permissions.table,
982
if (perdatum == NULL) {
985
return is_perm_in_stack(perdatum->value, cladatum->value, stack_top);
988
cond_list_t *get_current_cond_list(cond_list_t *cond) {
989
/* FIX ME: do something different here if in a nested
991
avrule_decl_t *decl = stack_top->decl;
992
return get_decl_cond_list(policydbp, decl, cond);
893
char *id = queue_remove(id_queue);
894
cond_bool_datum_t *booldatum = NULL;
901
yyerror("no boolean name");
904
if ((booldatum = calloc(1, sizeof(*booldatum))) == NULL) {
905
cond_destroy_bool(id, booldatum, NULL);
906
yyerror("Out of memory!");
910
require_symbol(SYM_BOOLS, id, (hashtab_datum_t *) booldatum,
911
&booldatum->s.value, &booldatum->s.value);
913
cond_destroy_bool(id, booldatum, NULL);
917
yyerror("Out of memory!");
921
yyerror("duplicate declaration of boolean");
925
yyerror("could not require boolean here");
932
return 0; /* boolean already required */
935
assert(0); /* should never get here */
940
int require_sens(int pass)
942
char *id = queue_remove(id_queue);
943
level_datum_t *level = NULL;
950
yyerror("no sensitivity name");
953
level = malloc(sizeof(level_datum_t));
956
yyerror("Out of memory!");
959
level_datum_init(level);
960
level->level = malloc(sizeof(mls_level_t));
963
level_datum_destroy(level);
965
yyerror("Out of memory!");
968
mls_level_init(level->level);
969
retval = require_symbol(SYM_LEVELS, id, (hashtab_datum_t *) level,
970
&level->level->sens, &level->level->sens);
973
mls_level_destroy(level->level);
975
level_datum_destroy(level);
980
yyerror("Out of memory!");
984
yyerror("duplicate declaration of sensitivity");
988
yyerror("could not require sensitivity here");
995
return 0; /* sensitivity already required */
998
assert(0); /* should never get here */
1003
int require_cat(int pass)
1005
char *id = queue_remove(id_queue);
1006
cat_datum_t *cat = NULL;
1013
yyerror("no category name");
1016
cat = malloc(sizeof(cat_datum_t));
1019
yyerror("Out of memory!");
1022
cat_datum_init(cat);
1024
retval = require_symbol(SYM_CATS, id, (hashtab_datum_t *) cat,
1025
&cat->s.value, &cat->s.value);
1028
cat_datum_destroy(cat);
1033
yyerror("Out of memory!");
1037
yyerror("duplicate declaration of category");
1041
yyerror("could not require category here");
1048
return 0; /* category already required */
1051
assert(0); /* should never get here */
1056
static int is_scope_in_stack(scope_datum_t * scope, scope_stack_t * stack)
1059
if (stack == NULL) {
1060
return 0; /* no matching scope found */
1062
if (stack->type == 1) {
1063
avrule_decl_t *decl = stack->decl;
1064
for (i = 0; i < scope->decl_ids_len; i++) {
1065
if (scope->decl_ids[i] == decl->decl_id) {
1070
/* note that conditionals can't declare or require
1071
* symbols, so skip this level */
1074
/* not within scope of this stack, so try its parent */
1075
return is_scope_in_stack(scope, stack->parent);
1078
int is_id_in_scope(uint32_t symbol_type, hashtab_key_t id)
1080
scope_datum_t *scope =
1081
(scope_datum_t *) hashtab_search(policydbp->scope[symbol_type].
1083
if (scope == NULL) {
1084
return 1; /* id is not known, so return success */
1086
return is_scope_in_stack(scope, stack_top);
1089
static int is_perm_in_scope_index(uint32_t perm_value, uint32_t class_value,
1090
scope_index_t * scope)
1092
if (class_value > scope->class_perms_len) {
1095
if (ebitmap_get_bit(scope->class_perms_map + class_value - 1,
1102
static int is_perm_in_stack(uint32_t perm_value, uint32_t class_value,
1103
scope_stack_t * stack)
1105
if (stack == NULL) {
1106
return 0; /* no matching scope found */
1108
if (stack->type == 1) {
1109
avrule_decl_t *decl = stack->decl;
1110
if (is_perm_in_scope_index
1111
(perm_value, class_value, &decl->required)
1112
|| is_perm_in_scope_index(perm_value, class_value,
1117
/* note that conditionals can't declare or require
1118
* symbols, so skip this level */
1121
/* not within scope of this stack, so try its parent */
1122
return is_perm_in_stack(perm_value, class_value, stack->parent);
1125
int is_perm_in_scope(hashtab_key_t perm_id, hashtab_key_t class_id)
1127
class_datum_t *cladatum =
1128
(class_datum_t *) hashtab_search(policydbp->p_classes.table,
1130
perm_datum_t *perdatum;
1131
if (cladatum == NULL) {
1134
perdatum = (perm_datum_t *) hashtab_search(cladatum->permissions.table,
1136
if (perdatum == NULL) {
1139
return is_perm_in_stack(perdatum->s.value, cladatum->s.value,
1143
cond_list_t *get_current_cond_list(cond_list_t * cond)
1145
/* FIX ME: do something different here if in a nested
1147
avrule_decl_t *decl = stack_top->decl;
1148
return get_decl_cond_list(policydbp, decl, cond);
995
1151
/* Append the new conditional node to the existing ones. During
996
1152
* expansion the list will be reversed -- i.e., the last AV rule will
997
1153
* be the first one listed in the policy. This matches the behavior
998
1154
* of the upstream compiler. */
999
void append_cond_list(cond_list_t *cond) {
1000
cond_list_t *old_cond = get_current_cond_list(cond);
1002
assert(old_cond != NULL); /* probably out of memory */
1003
if (old_cond->avtrue_list == NULL) {
1004
old_cond->avtrue_list = cond->avtrue_list;
1007
for (tmp = old_cond->avtrue_list; tmp->next != NULL; tmp = tmp->next)
1009
tmp->next = cond->avtrue_list;
1011
if (old_cond->avfalse_list == NULL) {
1012
old_cond->avfalse_list = cond->avfalse_list;
1015
for (tmp = old_cond->avfalse_list; tmp->next != NULL; tmp = tmp->next)
1017
tmp->next = cond->avfalse_list;
1021
void append_avrule(avrule_t *avrule) {
1022
avrule_decl_t *decl = stack_top->decl;
1024
/* currently avrules follow a completely different code path
1025
* for handling avrules and compute types
1026
* (define_cond_avrule_te_avtab, define_cond_compute_type);
1027
* therefore there ought never be a conditional on top of the
1029
assert(stack_top->type == 1);
1031
if (stack_top->last_avrule == NULL) {
1032
decl->avrules = avrule;
1035
stack_top->last_avrule->next = avrule;
1037
stack_top->last_avrule = avrule;
1040
/* this doesn't actually append, but really prepends it */
1041
void append_role_trans(role_trans_rule_t *role_tr_rules) {
1042
avrule_decl_t *decl = stack_top->decl;
1044
/* role transitions are not allowed within conditionals */
1045
assert(stack_top->type == 1);
1047
role_tr_rules->next = decl->role_tr_rules;
1048
decl->role_tr_rules = role_tr_rules;
1051
/* this doesn't actually append, but really prepends it */
1052
void append_role_allow(role_allow_rule_t *role_allow_rules) {
1053
avrule_decl_t *decl = stack_top->decl;
1055
/* role allows are not allowed within conditionals */
1056
assert(stack_top->type == 1);
1058
role_allow_rules->next = decl->role_allow_rules;
1059
decl->role_allow_rules = role_allow_rules;
1062
int begin_optional(int pass) {
1063
avrule_block_t *block = NULL;
1064
avrule_decl_t *decl;
1066
/* allocate a new avrule block for this optional block */
1067
if ((block = avrule_block_create()) == NULL ||
1068
(decl = avrule_decl_create(next_decl_id)) == NULL) {
1071
block->branch_list = decl;
1072
last_block->next = block;
1075
/* select the next block from the chain built during pass 1 */
1076
block = last_block->next;
1077
assert(block != NULL &&
1078
block->branch_list != NULL &&
1079
block->branch_list->decl_id == next_decl_id);
1080
decl = block->branch_list;
1082
if (push_stack(1, block, decl) == -1) {
1085
stack_top->last_avrule = NULL;
1090
yyerror("Out of memory!");
1091
avrule_block_destroy(block);
1095
int end_optional(int pass) {
1096
/* once nested conditionals are allowed, do the stack unfolding here */
1101
int begin_optional_else(int pass) {
1102
avrule_decl_t *decl;
1103
assert(stack_top->type == 1 && stack_top->in_else == 0);
1105
/* allocate a new declaration and add it to the
1107
if ((decl = avrule_decl_create(next_decl_id)) == NULL) {
1108
yyerror("Out of memory!");
1111
stack_top->decl->next = decl;
1114
/* pick the (hopefully last) declaration of this
1115
avrule block, built from pass 1 */
1116
decl = stack_top->decl->next;
1117
assert(decl != NULL &&
1118
decl->next == NULL &&
1119
decl->decl_id == next_decl_id);
1121
stack_top->in_else = 1;
1122
stack_top->decl = decl;
1123
stack_top->last_avrule = NULL;
1124
stack_top->require_given = 0;
1129
static int copy_requirements(avrule_decl_t *dest, scope_stack_t *stack) {
1131
if (stack == NULL) {
1134
if (stack->type == 1) {
1135
scope_index_t *src_scope = &stack->decl->required;
1136
scope_index_t *dest_scope = &dest->required;
1137
for (i = 0; i < SYM_NUM; i++) {
1138
ebitmap_t *src_bitmap = &src_scope->scope[i];
1139
ebitmap_t *dest_bitmap = &dest_scope->scope[i];
1140
if (ebitmap_union(dest_bitmap, src_bitmap)) {
1141
yyerror("Out of memory!");
1145
/* now copy class permissions */
1146
if (src_scope->class_perms_len > dest_scope->class_perms_len) {
1147
ebitmap_t *new_map = realloc(dest_scope->class_perms_map,
1148
src_scope->class_perms_len * sizeof(*new_map));
1149
if (new_map == NULL) {
1150
yyerror("Out of memory!");
1153
dest_scope->class_perms_map = new_map;
1154
for (i = dest_scope->class_perms_len; i < src_scope->class_perms_len; i++) {
1155
ebitmap_init(dest_scope->class_perms_map + i);
1157
dest_scope->class_perms_len = src_scope->class_perms_len;
1159
for (i = 0; i < src_scope->class_perms_len; i++) {
1160
ebitmap_t *src_bitmap = &src_scope->class_perms_map[i];
1161
ebitmap_t *dest_bitmap = &dest_scope->class_perms_map[i];
1162
if (ebitmap_union(dest_bitmap, src_bitmap)) {
1163
yyerror("Out of memory!");
1168
return copy_requirements(dest, stack->parent);
1155
void append_cond_list(cond_list_t * cond)
1157
cond_list_t *old_cond = get_current_cond_list(cond);
1159
assert(old_cond != NULL); /* probably out of memory */
1160
if (old_cond->avtrue_list == NULL) {
1161
old_cond->avtrue_list = cond->avtrue_list;
1163
for (tmp = old_cond->avtrue_list; tmp->next != NULL;
1165
tmp->next = cond->avtrue_list;
1167
if (old_cond->avfalse_list == NULL) {
1168
old_cond->avfalse_list = cond->avfalse_list;
1170
for (tmp = old_cond->avfalse_list; tmp->next != NULL;
1172
tmp->next = cond->avfalse_list;
1176
void append_avrule(avrule_t * avrule)
1178
avrule_decl_t *decl = stack_top->decl;
1180
/* currently avrules follow a completely different code path
1181
* for handling avrules and compute types
1182
* (define_cond_avrule_te_avtab, define_cond_compute_type);
1183
* therefore there ought never be a conditional on top of the
1185
assert(stack_top->type == 1);
1187
if (stack_top->last_avrule == NULL) {
1188
decl->avrules = avrule;
1190
stack_top->last_avrule->next = avrule;
1192
stack_top->last_avrule = avrule;
1195
/* this doesn't actually append, but really prepends it */
1196
void append_role_trans(role_trans_rule_t * role_tr_rules)
1198
avrule_decl_t *decl = stack_top->decl;
1200
/* role transitions are not allowed within conditionals */
1201
assert(stack_top->type == 1);
1203
role_tr_rules->next = decl->role_tr_rules;
1204
decl->role_tr_rules = role_tr_rules;
1207
/* this doesn't actually append, but really prepends it */
1208
void append_role_allow(role_allow_rule_t * role_allow_rules)
1210
avrule_decl_t *decl = stack_top->decl;
1212
/* role allows are not allowed within conditionals */
1213
assert(stack_top->type == 1);
1215
role_allow_rules->next = decl->role_allow_rules;
1216
decl->role_allow_rules = role_allow_rules;
1219
/* this doesn't actually append, but really prepends it */
1220
void append_range_trans(range_trans_rule_t * range_tr_rules)
1222
avrule_decl_t *decl = stack_top->decl;
1224
/* range transitions are not allowed within conditionals */
1225
assert(stack_top->type == 1);
1227
range_tr_rules->next = decl->range_tr_rules;
1228
decl->range_tr_rules = range_tr_rules;
1231
int begin_optional(int pass)
1233
avrule_block_t *block = NULL;
1234
avrule_decl_t *decl;
1236
/* allocate a new avrule block for this optional block */
1237
if ((block = avrule_block_create()) == NULL ||
1238
(decl = avrule_decl_create(next_decl_id)) == NULL) {
1241
block->flags |= AVRULE_OPTIONAL;
1242
block->branch_list = decl;
1243
last_block->next = block;
1245
/* select the next block from the chain built during pass 1 */
1246
block = last_block->next;
1247
assert(block != NULL &&
1248
block->branch_list != NULL &&
1249
block->branch_list->decl_id == next_decl_id);
1250
decl = block->branch_list;
1252
if (push_stack(1, block, decl) == -1) {
1255
stack_top->last_avrule = NULL;
1260
yyerror("Out of memory!");
1261
avrule_block_destroy(block);
1265
int end_optional(int pass)
1267
/* once nested conditionals are allowed, do the stack unfolding here */
1272
int begin_optional_else(int pass)
1274
avrule_decl_t *decl;
1275
assert(stack_top->type == 1 && stack_top->in_else == 0);
1277
/* allocate a new declaration and add it to the
1279
if ((decl = avrule_decl_create(next_decl_id)) == NULL) {
1280
yyerror("Out of memory!");
1283
stack_top->decl->next = decl;
1285
/* pick the (hopefully last) declaration of this
1286
avrule block, built from pass 1 */
1287
decl = stack_top->decl->next;
1288
assert(decl != NULL &&
1289
decl->next == NULL && decl->decl_id == next_decl_id);
1291
stack_top->in_else = 1;
1292
stack_top->decl = decl;
1293
stack_top->last_avrule = NULL;
1294
stack_top->require_given = 0;
1299
static int copy_requirements(avrule_decl_t * dest, scope_stack_t * stack)
1302
if (stack == NULL) {
1305
if (stack->type == 1) {
1306
scope_index_t *src_scope = &stack->decl->required;
1307
scope_index_t *dest_scope = &dest->required;
1308
for (i = 0; i < SYM_NUM; i++) {
1309
ebitmap_t *src_bitmap = &src_scope->scope[i];
1310
ebitmap_t *dest_bitmap = &dest_scope->scope[i];
1311
if (ebitmap_union(dest_bitmap, src_bitmap)) {
1312
yyerror("Out of memory!");
1316
/* now copy class permissions */
1317
if (src_scope->class_perms_len > dest_scope->class_perms_len) {
1318
ebitmap_t *new_map =
1319
realloc(dest_scope->class_perms_map,
1320
src_scope->class_perms_len *
1322
if (new_map == NULL) {
1323
yyerror("Out of memory!");
1326
dest_scope->class_perms_map = new_map;
1327
for (i = dest_scope->class_perms_len;
1328
i < src_scope->class_perms_len; i++) {
1329
ebitmap_init(dest_scope->class_perms_map + i);
1331
dest_scope->class_perms_len =
1332
src_scope->class_perms_len;
1334
for (i = 0; i < src_scope->class_perms_len; i++) {
1335
ebitmap_t *src_bitmap = &src_scope->class_perms_map[i];
1336
ebitmap_t *dest_bitmap =
1337
&dest_scope->class_perms_map[i];
1338
if (ebitmap_union(dest_bitmap, src_bitmap)) {
1339
yyerror("Out of memory!");
1344
return copy_requirements(dest, stack->parent);
1171
1347
/* During pass 1, check that at least one thing was required within
1172
1348
* this block, for those places where a REQUIRED is necessary. During
1173
1349
* pass 2, have this block inherit its parents' requirements. Return
1174
1350
* 0 on success, -1 on failure. */
1175
int end_avrule_block(int pass) {
1176
avrule_decl_t *decl = stack_top->decl;
1177
assert(stack_top->type == 1);
1179
/* this avrule_decl inherits all of its parents'
1181
if (copy_requirements(decl, stack_top->parent) == -1) {
1186
if (!stack_top->in_else && !stack_top->require_given) {
1187
if (policydbp->policy_type == POLICY_BASE && stack_top->parent != NULL) {
1351
int end_avrule_block(int pass)
1353
avrule_decl_t *decl = stack_top->decl;
1354
assert(stack_top->type == 1);
1356
/* this avrule_decl inherits all of its parents'
1358
if (copy_requirements(decl, stack_top->parent) == -1) {
1363
if (!stack_top->in_else && !stack_top->require_given) {
1364
if (policydbp->policy_type == POLICY_BASE
1365
&& stack_top->parent != NULL) {
1188
1366
/* if this is base no require should be in the global block */
1191
/* non-ELSE branches must have at least one thing required */
1192
yyerror("This block has no require section.");
1369
/* non-ELSE branches must have at least one thing required */
1370
yyerror("This block has no require section.");
1199
1377
/* Push a new scope on to the stack and update the 'last' pointer.
1200
1378
* Return 0 on success, -1 if out * of memory. */
1201
static int push_stack(int stack_type, ...) {
1202
scope_stack_t *s = calloc(1, sizeof(*s));
1207
va_start(ap, stack_type);
1208
switch (s->type = stack_type) {
1210
s->u.avrule = va_arg(ap, avrule_block_t *);
1211
s->decl = va_arg(ap, avrule_decl_t *);
1215
s->u.cond_list = va_arg(ap, cond_list_t *);
1219
/* invalid stack type given */
1223
s->parent = stack_top;
1379
static int push_stack(int stack_type, ...)
1381
scope_stack_t *s = calloc(1, sizeof(*s));
1386
va_start(ap, stack_type);
1387
switch (s->type = stack_type) {
1389
s->u.avrule = va_arg(ap, avrule_block_t *);
1390
s->decl = va_arg(ap, avrule_decl_t *);
1394
s->u.cond_list = va_arg(ap, cond_list_t *);
1398
/* invalid stack type given */
1402
s->parent = stack_top;
1229
1408
/* Pop off the most recently added from the stack. Update the 'last'
1231
static void pop_stack(void) {
1232
scope_stack_t *parent;
1233
assert(stack_top != NULL);
1234
parent = stack_top->parent;
1235
if (parent != NULL) {
1236
parent->child = NULL;
1410
static void pop_stack(void)
1412
scope_stack_t *parent;
1413
assert(stack_top != NULL);
1414
parent = stack_top->parent;
1415
if (parent != NULL) {
1416
parent->child = NULL;