~ubuntu-branches/ubuntu/trusty/checkpolicy/trusty

Committer: Bazaar Package Importer
Author(s): Caleb Case, Caleb Case, Joseph Jackson IV
Date: 2008-02-09 21:34:46 UTC
mfrom: (1.1.9 upstream)
Revision ID: james.westby@ubuntu.com-20080209213446-hqazy6s0r3lpdekc

Tags: 2.0.9-0ubuntu1

[ Caleb Case ]
* New upstream SVN HEAD.
+ Added support for policy capabilities from Todd Miller.
+ Initialize the source file name from the command line argument so
   that checkpolicy/checkmodule report something more useful than
   "unknown source".
+ Merged remove use of REJECT and trailing context in lex rules; make
   ipv4 address parsing like ipv6 from James Carter.
+ Merged handle unknown policydb flag support from Eric Paris.
   Adds new command line options -U {allow, reject, deny} for selecting
   the flag when a base module or kernel policy is built.
+ Merged fix for segfault on duplicate require of sensitivity from
   Caleb Case.
+ Merged fix for dead URLs in checkpolicy man pages from Dan Walsh.

[ Joseph Jackson IV ]
* debian/control
  - Update Debian Maintainer field

files added:
debian/checkpolicy.install

debian/compat

files removed:
debian/common

debian/common/ChangeLog

debian/common/archvars.mk

debian/common/automake.mk

debian/common/checklibs

debian/common/copt.mk

debian/common/debconf.mk

debian/common/install_cmds.mk

debian/common/perlvars.mk

debian/common/pkgvars.mk

debian/common/targets.mk

debian/local-vars.mk

debian/local.mk

debian/watch

files modified:
ChangeLog

Makefile

VERSION

checkmodule.8

checkmodule.c

checkpolicy.8

checkpolicy.c

debian/changelog

debian/control

debian/copyright

debian/rules

module_compiler.c

parse_util.c

policy_parse.y

policy_scan.l

test/dismod.c

test/dispol.c

Show diffs side-by-side

added added

removed removed

policy_parse.y

#include <sepol/policydb/conditional.h>

#include <sepol/policydb/flask.h>

#include <sepol/policydb/hierarchy.h>

#include <sepol/policydb/polcaps.h>

#include "queue.h"

#include "checkpolicy.h"

#include "module_compiler.h"

static unsigned int pass;

char *curfile = 0;

int mlspol = 0;

int handle_unknown = 0;

extern unsigned long policydb_lineno;

extern unsigned long source_lineno;

121

123

static int define_fs_context(unsigned int major, unsigned int minor);

122

124

static int define_port_context(unsigned int low, unsigned int high);

123

125

static int define_netif_context(void);

124

static int define_ipv4_node_context(unsigned int addr, unsigned int mask);

126

static int define_ipv4_node_context(void);

125

127

static int define_ipv6_node_context(void);

128

static int define_polcap(void);

126

129

127

130

typedef int (* require_func_t)();

128

131

194

197

%token NUMBER

195

198

%token EQUALS

196

199

%token NOTEQUAL

200

%token IPV4_ADDR

197

201

%token IPV6_ADDR

198

202

%token MODULE VERSION_IDENTIFIER REQUIRE OPTIONAL

203

%token POLICYCAP

199

204

200

205

%left OR

201

206

%left XOR

306

311

| rbac_decl

307

312

| cond_stmt_def

308

313

| optional_block

314

| policycap_def

309

315

| ';'

310

316

;

311

317

rbac_decl : role_type_def

653

659

| node_contexts node_context_def

654

660

;

655

661

node_context_def : NODECON ipv4_addr_def ipv4_addr_def security_context_def

656

{if (define_ipv4_node_context($2,$3)) return -1;}

662

{if (define_ipv4_node_context()) return -1;}

657

663

| NODECON ipv6_addr ipv6_addr security_context_def

658

664

{if (define_ipv6_node_context()) return -1;}

659

665

;

683

689

| GENFSCON identifier path security_context_def

684

690

{if (define_genfs_context(0)) return -1;}

685

691

;

686

ipv4_addr_def : number '.' number '.' number '.' number

687

{

688

unsigned int addr;

689

unsigned char *p = ((unsigned char *)&addr);

690

691

p[0] = $1 & 0xff;

692

p[1] = $3 & 0xff;

693

p[2] = $5 & 0xff;

694

p[3] = $7 & 0xff;

695

$$ = addr;

696

}

697

;

692

ipv4_addr_def : IPV4_ADDR

693

{ if (insert_id(yytext,0)) return -1; }

694

;

698

695

security_context_def : identifier ':' identifier ':' identifier opt_mls_range_def

699

696

;

700

697

opt_mls_range_def : ':' mls_range_def

772

769

ipv6_addr : IPV6_ADDR

773

770

{ if (insert_id(yytext,0)) return -1; }

774

771

;

772

policycap_def : POLICYCAP identifier ';'

773

{if (define_polcap()) return -1;}

774

;

775

776

/*********** module grammar below ***********/

777

969

return -1;

970

}

971

972

static int define_polcap(void)

973

{

974

char *id = 0;

975

int capnum;

976

977

if (pass == 2) {

978

id = queue_remove(id_queue);

979

free(id);

980

return 0;

981

}

982

983

id = (char *)queue_remove(id_queue);

984

if (!id) {

985

yyerror("no capability name for policycap definition?");

986

goto bad;

987

}

988

989

/* Check for valid cap name -> number mapping */

990

capnum = sepol_polcap_getnum(id);

991

if (capnum < 0) {

992

yyerror2("invalid policy capability name %s", id);

993

goto bad;

994

}

995

996

/* Store it */

997

if (ebitmap_set_bit(&policydbp->policycaps, capnum, TRUE)) {

998

yyerror("out of memory");

999

goto bad;

1000

}

1001

1002

free(id);

1003

return 0;

1004

1005

bad:

1006

free(id);

1007

return -1;

1008

}

1009

972

1010

static int define_initial_sid(void)

973

1011

{

974

1012

char *id = 0;

2525

2563

return (role_datum_t *) 1; /* any non-NULL value */

2526

2564

}

2527

2565

2566

yywarn("Role dominance has been deprecated");

2567

2528

2568

role_id = queue_remove(id_queue);

2529

2569

if (!is_id_in_scope(SYM_ROLES, role_id)) {

2530

2570

yyerror2("role %s is not within scope", role_id);

4183

4223

return 0;

4184

4224

}

4185

4225

4186

static int define_ipv4_node_context(unsigned int addr, unsigned int mask)

4187

{

4226

static int define_ipv4_node_context()

4227

{

4228

char *id;

4229

int rc = 0;

4230

struct in_addr addr, mask;

4188

4231

ocontext_t *newc, *c, *l, *head;

4189

4232

4190

4233

if (pass == 1) {

4234

free(queue_remove(id_queue));

4235

free(queue_remove(id_queue));

4191

4236

parse_security_context(NULL);

4192

if (mlspol)

4193

free(queue_remove(id_queue));

4194

return 0;

4237

goto out;

4238

}

4239

4240

id = queue_remove(id_queue);

4241

if (!id) {

4242

yyerror("failed to read ipv4 address");

4243

rc = -1;

4244

goto out;

4245

}

4246

4247

rc = inet_pton(AF_INET, id, &addr);

4248

free(id);

4249

if (rc < 1) {

4250

yyerror("failed to parse ipv4 address");

4251

if (rc == 0)

4252

rc = -1;

4253

goto out;

4254

}

4255

4256

id = queue_remove(id_queue);

4257

if (!id) {

4258

yyerror("failed to read ipv4 address");

4259

rc = -1;

4260

goto out;

4261

}

4262

4263

rc = inet_pton(AF_INET, id, &mask);

4264

free(id);

4265

if (rc < 1) {

4266

yyerror("failed to parse ipv4 mask");

4267

if (rc == 0)

4268

rc = -1;

4269

goto out;

4195

4270

}

4196

4271

4197

4272

newc = malloc(sizeof(ocontext_t));

4198

4273

if (!newc) {

4199

4274

yyerror("out of memory");

4200

return -1;

4275

rc = -1;

4276

goto out;

4201

4277

}

4278

4202

4279

memset(newc, 0, sizeof(ocontext_t));

4203

4204

newc->u.node.addr = addr;

4205

newc->u.node.mask = mask;

4280

newc->u.node.addr = addr.s_addr;

4281

newc->u.node.mask = mask.s_addr;

4206

4282

4207

4283

if (parse_security_context(&newc->context[0])) {

4208

4284

free(newc);

4223

4299

l->next = newc;

4224

4300

else

4225

4301

policydbp->ocontexts[OCON_NODE] = newc;

4226

4227

return 0;

4302

rc = 0;

4303

out:

4304

return rc;

4228

4305

}

4229

4306

4230

4307

static int define_ipv6_node_context(void)

Older »