From owner-p4-projects@FreeBSD.ORG Thu Sep 7 13:57:55 2006 Return-Path: X-Original-To: p4-projects@freebsd.org Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 9EF8F16A4E9; Thu, 7 Sep 2006 13:57:55 +0000 (UTC) X-Original-To: perforce@freebsd.org Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5E36716A4DD for ; Thu, 7 Sep 2006 13:57:55 +0000 (UTC) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 896E643D6E for ; Thu, 7 Sep 2006 13:57:46 +0000 (GMT) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id k87DvkLj017316 for ; Thu, 7 Sep 2006 13:57:46 GMT (envelope-from millert@freebsd.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.6/8.13.4/Submit) id k87Dvk2T017312 for perforce@freebsd.org; Thu, 7 Sep 2006 13:57:46 GMT (envelope-from millert@freebsd.org) Date: Thu, 7 Sep 2006 13:57:46 GMT Message-Id: <200609071357.k87Dvk2T017312@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to millert@freebsd.org using -f 
From: Todd Miller To: Perforce Change Reviews Cc: Subject: PERFORCE change 105788 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Sep 2006 13:57:55 -0000 http://perforce.freebsd.org/chv.cgi?CH=105788 Change 105788 by millert@millert_g5tower on 2006/09/07 13:56:45 Update to checkpolicy_1_30_11 from sourceforge svn Affected files ... .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/ChangeLog#3 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/VERSION#3 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/module_compiler.c#3 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/module_compiler.h#3 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/policy_parse.y#3 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/ChangeLog#3 (text+ko) ==== @@ -1,3 +1,7 @@ +1.30.11 2006-09-05 + * merged range_transition enhancements and user module format + changes from Darrel Goeddel + 1.30.10 2006-08-03 * Merged symtab datum patch from Karl MacMillan. ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/VERSION#3 (text+ko) ==== @@ -1,1 +1,1 @@ -1.30.10 +1.30.11 ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/module_compiler.c#3 (text+ko) ==== @@ -138,8 +138,9 @@ SCOPE_DECL, decl->decl_id, dest_value); if (retval == 1) { symtab_datum_t *s = - (symtab_datum_t *)hashtab_search(policydbp->symtab[symbol_type]. - table, key); + (symtab_datum_t *) hashtab_search(policydbp-> + symtab[symbol_type].table, + key); assert(s != NULL); *dest_value = s->value; } else if (retval == -2) { 
@@ -491,8 +492,9 @@ SCOPE_REQ, decl->decl_id, dest_value); if (retval == 1) { symtab_datum_t *s = - (symtab_datum_t *) hashtab_search(policydbp->symtab[symbol_type]. - table, key); + (symtab_datum_t *) hashtab_search(policydbp-> + symtab[symbol_type].table, + key); assert(s != NULL); *dest_value = s->value; } else if (retval == -2) { @@ -1018,7 +1020,8 @@ if (perdatum == NULL) { return 1; } - return is_perm_in_stack(perdatum->s.value, cladatum->s.value, stack_top); + return is_perm_in_stack(perdatum->s.value, cladatum->s.value, + stack_top); } cond_list_t *get_current_cond_list(cond_list_t * cond) @@ -1097,6 +1100,18 @@ decl->role_allow_rules = role_allow_rules; } +/* this doesn't actually append, but really prepends it */ +void append_range_trans(range_trans_rule_t * range_tr_rules) +{ + avrule_decl_t *decl = stack_top->decl; + + /* range transitions are not allowed within conditionals */ + assert(stack_top->type == 1); + + range_tr_rules->next = decl->range_tr_rules; + decl->range_tr_rules = range_tr_rules; +} + int begin_optional(int pass) { avrule_block_t *block = NULL; ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/module_compiler.h#3 (text+ko) ==== @@ -77,6 +77,7 @@ void append_avrule(avrule_t * avrule); void append_role_trans(role_trans_rule_t * role_tr_rules); void append_role_allow(role_allow_rule_t * role_allow_rules); +void append_range_trans(range_trans_rule_t * range_tr_rules); /* Create a new optional block and add it to the global policy. * During the second pass resolve the block's requirements. Return 0 ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/policy_parse.y#3 (text+ko) ==== 
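Review bot: In `append_range_trans` the only thing keeping a range_transition out of a conditional block is `assert(stack_top->type == 1)`; in an NDEBUG build the rule is silently attached to the enclosing declaration and the conditional is lost. Policy source is input to checkpolicy, so this belongs in a real check that reports a policy error (the `define_range_trans` caller in policy_parse.y calling `yyerror` and failing) rather than a debug-only assertion — unless the grammar already rules this out, which is not visible here. The bare `1` for `stack_top->type` would read better as whatever named constant module_compiler.c uses elsewhere for the unconditional scope, if one exists. The "doesn't actually append" comment concedes the name misleads; either `prepend_range_trans` or a comment stating that rule order is irrelevant here would be clearer.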
@@ -101,7 +101,7 @@ static role_datum_t *merge_roles_dom(role_datum_t *r1,role_datum_t *r2); static role_datum_t *define_role_dom(role_datum_t *r); static int define_role_trans(void); -static int define_range_trans(void); +static int define_range_trans(int class_specified); static int define_role_allow(void); static int define_constraint(constraint_expr_t *expr); static int define_validatetrans(constraint_expr_t *expr); @@ -436,7 +436,9 @@ {if (define_compute_type(AVRULE_CHANGE)) return -1;} ; range_trans_def : RANGE_TRANSITION names names mls_range_def ';' - { if (define_range_trans()) return -1; } + { if (define_range_trans(0)) return -1; } + | RANGE_TRANSITION names names ':' names mls_range_def ';' + { if (define_range_trans(1)) return -1; } ; te_avtab_def : allow_def | auditallow_def 
@@ -3614,6 +3616,65 @@ return 0; } +static int +parse_semantic_categories(char *id, level_datum_t * levdatum, + mls_semantic_cat_t ** cats) +{ + cat_datum_t *cdatum; + mls_semantic_cat_t *newcat; + unsigned int range_start, range_end; + + if (id_has_dot(id)) { + char *id_start = id; + char *id_end = strchr(id, '.'); + + *(id_end++) = '\0'; + + cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table, + (hashtab_key_t) + id_start); + if (!cdatum) { + sprintf(errormsg, "unknown category %s", id_start); + yyerror(errormsg); + return -1; + } + range_start = cdatum->s.value; + + cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table, + (hashtab_key_t) id_end); + if (!cdatum) { + sprintf(errormsg, "unknown category %s", id_end); + yyerror(errormsg); + return -1; + } + range_end = cdatum->s.value; + } else { + cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table, + (hashtab_key_t) id); + if (!cdatum) { + sprintf(errormsg, "unknown category %s", id); + yyerror(errormsg); + return -1; + } + range_start = range_end = cdatum->s.value; + } + + newcat = (mls_semantic_cat_t *) malloc(sizeof(mls_semantic_cat_t)); + if (!newcat) { + yyerror("out of memory"); + return -1; + } + + mls_semantic_cat_init(newcat); + newcat->next = *cats; + newcat->low = range_start; + newcat->high = range_end; + + *cats = newcat; + + return 0; +} + static int define_user(void) { char *id; @@ -3676,11 +3737,10 @@ free(id); usrdatum->dfltlevel.sens = levdatum->level->sens; - ebitmap_init(&usrdatum->dfltlevel.cat); while ((id = queue_remove(id_queue))) { - if (parse_categories(id, levdatum, - &usrdatum->dfltlevel.cat)) { + if (parse_semantic_categories(id, levdatum, + &usrdatum->dfltlevel.cat)) { free(id); return -1; } 
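Review bot: `parse_semantic_categories` formats policy-supplied identifiers into `errormsg` with unbounded `sprintf` (`sprintf(errormsg, "unknown category %s", id_start)` and its two siblings), so an over-long category name in the policy source overruns the buffer; `snprintf(errormsg, sizeof(errormsg), ...)` if `errormsg` is an array, or the `yyerror2` wrapper the range_transition hunk already uses, would bound it. The `levdatum` parameter is never read in the new body, so whatever the old `parse_categories` checked against the level is no longer checked here; either drop the parameter or add `/* levdatum unused: category validity against the level is checked at expansion time */` if that is the intent. The function also writes a NUL into the caller's `id` before the dotted-range lookup, which is safe because callers free the original pointer, but a one-line comment noting the in-place mutation would save the next reader a trip.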
@@ -3702,13 +3762,12 @@ return -1; } free(id); + usrdatum->range.level[l].sens = levdatum->level->sens; - ebitmap_init(&usrdatum->range.level[l].cat); while ((id = queue_remove(id_queue))) { - if (parse_categories(id, levdatum, - &usrdatum->range.level[l]. - cat)) { + if (parse_semantic_categories(id, levdatum, + &usrdatum->range.level[l].cat)) { free(id); return -1; } @@ -3721,33 +3780,14 @@ } if (l == 0) { - usrdatum->range.level[1].sens = - usrdatum->range.level[0].sens; - if (ebitmap_cpy(&usrdatum->range.level[1].cat, - &usrdatum->range.level[0].cat)) { + if (mls_semantic_level_cpy(&usrdatum->range.level[1], + &usrdatum->range.level[0])) { yyerror("out of memory"); - goto out; + return -1; } } - if (!mls_level_dom(&usrdatum->range.level[1], - &usrdatum->range.level[0])) { - yyerror("high level does not dominate low level"); - goto out; - } - if (!mls_level_between(&usrdatum->dfltlevel, - &usrdatum->range.level[0], - &usrdatum->range.level[1])) { - yyerror("default level not within user range"); - goto out; - } } return 0; - - out: - ebitmap_destroy(&usrdatum->dfltlevel.cat); - ebitmap_destroy(&usrdatum->range.level[0].cat); - ebitmap_destroy(&usrdatum->range.level[1].cat); - return -1; } static int parse_security_context(context_struct_t * c) @@ -4472,15 +4512,12 @@ return define_genfs_context_helper(queue_remove(id_queue), has_type); } -static int define_range_trans(void) +static int define_range_trans(int class_specified) { char *id; level_datum_t *levdatum = 0; - mls_range_t range; - type_set_t doms, types; - ebitmap_node_t *snode, *tnode; - range_trans_t *rt = 0; - unsigned int i, j; + class_datum_t *cladatum; + range_trans_rule_t *rule; int l, add = 1; if (!mlspol) { @@ -4493,6 +4530,9 @@ free(id); while ((id = queue_remove(id_queue))) free(id); + if (class_specified) + while ((id = queue_remove(id_queue))) + free(id); id = queue_remove(id_queue); free(id); for (l = 0; l < 2; l++) { 
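Review bot: The parse-time validations `mls_level_dom` ("high level does not dominate low level") and `mls_level_between` ("default level not within user range") are deleted from `define_user` with no replacement visible in this patch, and the range_transition dominance check removed in the hunk at @@ -4553 has the same gap. If these are now meant to be enforced when libsepol expands the semantic levels, a comment at the `return 0;` such as `/* dominance and range checks happen at expansion time, once semantic levels are resolved */` would make that explicit; otherwise a user whose low level is above its high level is accepted into the module unchecked. The `out:` cleanup block is also gone, so on the `return -1` paths after the first level is parsed the semantic categories already linked into `usrdatum` are left for the symtab owner to release — fine if the symtab is torn down on failure, which is not visible here.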
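Review bot: The pass-1 skip added to `define_range_trans`, `if (class_specified) while ((id = queue_remove(id_queue))) free(id);`, nests an unbraced loop under an unbraced `if`; bracing both bodies keeps a later edit to the skip path from falling outside the condition. `define_range_trans` begins in the hunk at @@ -4472 and continues in the hunks that follow.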
@@ -4507,43 +4547,79 @@ return 0; } - type_set_init(&doms); - type_set_init(&types); + rule = malloc(sizeof(struct range_trans_rule)); + if (!rule) { + yyerror("out of memory"); + return -1; + } + range_trans_rule_init(rule); while ((id = queue_remove(id_queue))) { - if (set_types(&doms, id, &add, 0)) - return -1; + if (set_types(&rule->stypes, id, &add, 0)) + goto out; } add = 1; while ((id = queue_remove(id_queue))) { - if (set_types(&types, id, &add, 0)) - return -1; + if (set_types(&rule->ttypes, id, &add, 0)) + goto out; + } + + if (class_specified) { + while ((id = queue_remove(id_queue))) { + if (!is_id_in_scope(SYM_CLASSES, id)) { + yyerror2("class %s is not within scope", id); + free(id); + goto out; + } + cladatum = hashtab_search(policydbp->p_classes.table, + id); + if (!cladatum) { + sprintf(errormsg, "unknown class %s", id); + yyerror(errormsg); + goto out; + } + + ebitmap_set_bit(&rule->tclasses, cladatum->s.value - 1, + TRUE); + free(id); + } + } else { + cladatum = hashtab_search(policydbp->p_classes.table, + "process"); + if (!cladatum) { + sprintf(errormsg, "could not find process class for " + "legacy range_transition statement\n"); + yyerror(errormsg); + goto out; + } + + ebitmap_set_bit(&rule->tclasses, cladatum->s.value - 1, TRUE); } id = (char *)queue_remove(id_queue); if (!id) { yyerror("no range in range_transition definition?"); - return -1; + goto out; } for (l = 0; l < 2; l++) { levdatum = hashtab_search(policydbp->p_levels.table, id); if (!levdatum) { sprintf(errormsg, - "unknown level %s used in range_transition definition", - id); + "unknown level %s used in range_transition " + "definition", id); yyerror(errormsg); free(id); - return -1; + goto out; } free(id); - range.level[l].sens = levdatum->level->sens; - ebitmap_init(&range.level[l].cat); + rule->trange.level[l].sens = levdatum->level->sens; while ((id = queue_remove(id_queue))) { - if (parse_categories(id, levdatum, &range.level[l].cat)) { + if (parse_semantic_categories(id, 
levdatum, + &rule->trange.level[l].cat)) { free(id); - return -1; + goto out; } free(id); } 
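Review bot: In the `class_specified` loop of `define_range_trans`, the unknown-class branch reports the error and jumps to `out` without releasing `id`, while the not-in-scope branch just above frees it first; add `free(id);` before that `goto out;`. The same branch formats a policy-supplied identifier with unbounded `sprintf(errormsg, "unknown class %s", id)` — `yyerror2("unknown class %s", id)`, as the preceding branch already does, bounds the write and keeps the style consistent. The legacy-process error string ends in `\n`, which no other `yyerror` message in these hunks carries. The return value of `ebitmap_set_bit` is ignored in both branches; if it can fail on allocation it should `goto out` like the other allocation sites. The function starts in the hunk at @@ -4472 and ends in the one at @@ -4553.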
@@ -4553,73 +4629,19 @@ break; } if (l == 0) { - range.level[1].sens = range.level[0].sens; - if (ebitmap_cpy(&range.level[1].cat, &range.level[0].cat)) { + if (mls_semantic_level_cpy(&rule->trange.level[1], + &rule->trange.level[0])) { yyerror("out of memory"); - return -1; + goto out; } } - if (!mls_level_dom(&range.level[1], &range.level[0])) { - yyerror - ("range_transition high level does not dominate low level"); - return -1; - } + append_range_trans(rule); + return 0; - /* FIXME: this expands type_sets at compile time which is inappropriate, the type_sets - * should be stored which is a format change */ - ebitmap_for_each_bit(&doms.types, snode, i) { - if (!ebitmap_node_get_bit(snode, i)) - continue; - ebitmap_for_each_bit(&types.types, tnode, j) { - if (!ebitmap_node_get_bit(tnode, j)) - continue; - - for (rt = policydbp->range_tr; rt; rt = rt->next) { - if (rt->dom == (i + 1) && rt->type == (j + 1)) { - sprintf(errormsg, - "duplicate range_transition defined for (%s,%s)", - policydbp-> - p_type_val_to_name[i], - policydbp-> - p_type_val_to_name[j]); - yyerror(errormsg); - return -1; - } - } - - rt = malloc(sizeof(range_trans_t)); - if (!rt) { - yyerror("out of memory"); - return -1; - } - memset(rt, 0, sizeof(range_trans_t)); - rt->dom = i + 1; - rt->type = j + 1; - rt->range.level[0].sens = range.level[0].sens; - if (ebitmap_cpy(&rt->range.level[0].cat, - &range.level[0].cat)) { - yyerror("out of memory"); - free(rt); - return -1; - } - rt->range.level[1].sens = range.level[1].sens; - if (ebitmap_cpy(&rt->range.level[1].cat, - &range.level[1].cat)) { - yyerror("out of memory"); - free(rt); - return -1; - } - rt->next = policydbp->range_tr; - policydbp->range_tr = rt; - } - } - - type_set_destroy(&doms); - type_set_destroy(&types); - ebitmap_destroy(&range.level[0].cat); - ebitmap_destroy(&range.level[1].cat); - return 0; +out: + range_trans_rule_destroy(rule); + return -1; }