PERFORCE change 104096 for review
Todd Miller
millert at FreeBSD.org
Tue Aug 15 18:48:40 UTC 2006
http://perforce.freebsd.org/chv.cgi?CH=104096
Change 104096 by millert at millert_macbook on 2006/08/15 18:45:13
Update to checkpolicy 1.30.10 from sourceforge
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/ChangeLog#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/Makefile#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/VERSION#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/checkmodule.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/checkpolicy.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/checkpolicy.h#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/module_compiler.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/module_compiler.h#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/parse_util.c#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/parse_util.h#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/policy_parse.y#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/policy_scan.l#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/queue.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/queue.h#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/test/dismod.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/test/dispol.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/write.c#2 delete
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/ChangeLog#2 (text+ko) ====
@@ -1,3 +1,30 @@
+1.30.10 2006-08-03
+ * Merged symtab datum patch from Karl MacMillan.
+
+1.30.9 2006-06-29
+ * Lindent.
+
+1.30.8 2006-06-29
+ * Merged patch to remove TE rule conflict checking from the parser
+ from Joshua Brindle. This can only be done properly by the
+ expander.
+
+1.30.7 2006-06-27
+ * Merged patch to make checkpolicy/checkmodule handling of
+ duplicate/conflicting TE rules the same as the expander
+ from Joshua Brindle.
+
+1.30.6 2006-06-26
+ * Merged optionals in base take 2 patch set from Joshua Brindle.
+
+1.30.5 2006-05-05
+ * Merged compiler cleanup patch from Karl MacMillan.
+ * Merged fix warnings patch from Karl MacMillan.
+
+1.30.4 2006-04-05
+ * Changed require_class to reject permissions that have not been
+ declared if building a base module.
+
1.30.3 2006-03-28
* Fixed checkmodule to call link_modules prior to expand_module
to handle optionals.
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/Makefile#2 (text+ko) ====
@@ -2,7 +2,8 @@
PROG= checkpolicy
-OBJS = checkpolicy.o y.tab.o policy_scan.o queue.o module_compiler.o
+OBJS = checkpolicy.o y.tab.o policy_scan.o queue.o module_compiler.o \
+ parse_util.o
CFLAGS+= -I../../libselinux/include -I../../libsepol/include
LDADD+= -L../../libselinux/src -L../../libsepol/src -L../../libsecompat
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/VERSION#2 (text+ko) ====
@@ -1,1 +1,1 @@
-1.30.3
+1.30.10
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/checkmodule.c#2 (text+ko) ====
@@ -27,174 +27,124 @@
#include <sepol/policydb/hierarchy.h>
#include <sepol/policydb/expand.h>
#include <sepol/policydb/link.h>
+#include <sepol/policydb/sidtab.h>
#include "queue.h"
#include "checkpolicy.h"
+#include "parse_util.h"
extern char *optarg;
extern int optind;
static sidtab_t sidtab;
-extern policydb_t *policydbp;
-extern queue_t id_queue;
-extern unsigned int policydb_errors;
-extern unsigned long policydb_lineno;
-extern char source_file[];
extern int mlspol;
-extern FILE *yyin;
-extern void init_parser(int);
-extern int yyparse(void);
-extern void yyrestart(FILE *);
-
static char *txtfile = "policy.conf";
static char *binfile = "policy";
unsigned int policy_type = POLICY_BASE;
unsigned int policyvers = MOD_POLICYDB_VERSION_MAX;
-static int read_binary_policy(policydb_t *p, char *file, char *progname)
+static int read_binary_policy(policydb_t * p, char *file, char *progname)
{
- int fd;
+ int fd;
struct stat sb;
- void *map;
+ void *map;
struct policy_file f, *fp;
-
- fd = open(file, O_RDONLY);
- if (fd < 0) {
- fprintf(stderr, "Can't open '%s': %s\n",
- file, strerror(errno));
- return -1;
- }
- if (fstat(fd, &sb) < 0) {
- fprintf(stderr, "Can't stat '%s': %s\n",
- file, strerror(errno));
- return -1;
- }
- map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
- if (map == MAP_FAILED) {
- fprintf(stderr, "Can't map '%s': %s\n",
- file, strerror(errno));
- return -1;
- }
- f.type = PF_USE_MEMORY;
- f.data = map;
- f.len = sb.st_size;
- fp = &f;
+
+ fd = open(file, O_RDONLY);
+ if (fd < 0) {
+ fprintf(stderr, "Can't open '%s': %s\n",
+ file, strerror(errno));
+ return -1;
+ }
+ if (fstat(fd, &sb) < 0) {
+ fprintf(stderr, "Can't stat '%s': %s\n",
+ file, strerror(errno));
+ return -1;
+ }
+ map =
+ mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
+ if (map == MAP_FAILED) {
+ fprintf(stderr, "Can't map '%s': %s\n", file, strerror(errno));
+ return -1;
+ }
+ f.type = PF_USE_MEMORY;
+ f.data = map;
+ f.len = sb.st_size;
+ fp = &f;
if (policydb_init(p)) {
- fprintf(stderr, "%s: policydb_init: Out of memory!\n", progname);
+ fprintf(stderr, "%s: policydb_init: Out of memory!\n",
+ progname);
+ return -1;
+ }
+ if (policydb_read(p, fp, 1)) {
+ fprintf(stderr,
+ "%s: error(s) encountered while parsing configuration\n",
+ progname);
return -1;
- }
- if (policydb_read(p, fp, 1)) {
- fprintf(stderr, "%s: error(s) encountered while parsing configuration\n", progname);
- return -1;
- }
-
- /* Check Policy Consistency */
- if (p->mls) {
- if (!mlspol) {
- fprintf(stderr,"%s: MLS policy, but non-MLS"
- " is specified\n", progname);
- return -1;
- }
- } else {
- if (mlspol) {
- fprintf(stderr,"%s: non-MLS policy, but MLS"
- " is specified\n", progname);
- return -1;
- }
- }
- return 0;
+ }
+
+ /* Check Policy Consistency */
+ if (p->mls) {
+ if (!mlspol) {
+ fprintf(stderr, "%s: MLS policy, but non-MLS"
+ " is specified\n", progname);
+ return -1;
+ }
+ } else {
+ if (mlspol) {
+ fprintf(stderr, "%s: non-MLS policy, but MLS"
+ " is specified\n", progname);
+ return -1;
+ }
+ }
+ return 0;
}
-static int read_source_policy(policydb_t *p, char *file, char *progname)
+static int write_binary_policy(policydb_t * p, char *file, char *progname)
{
- yyin = fopen(file, "r");
- if (!yyin) {
- fprintf(stderr, "%s: unable to open %s\n", progname,
- file);
- return -1;
- }
-
- if (policydb_init(p) ||
- ((id_queue = queue_create()) == NULL)) {
- fprintf(stderr, "%s: out of memory!\n", progname);
- return -1;
- }
+ FILE *outfp = NULL;
+ struct policy_file pf;
+ int ret;
- p->policy_type = policy_type;
- p->mls = mlspol;
+ printf("%s: writing binary representation (version %d) to %s\n",
+ progname, policyvers, file);
- init_parser(1);
- if (yyparse() || policydb_errors) {
- fprintf(stderr, "%s: error(s) encountered while parsing configuration\n", progname);
- return -1;
- }
- rewind(yyin);
- init_parser(2);
- source_file[0] = '\0';
- yyrestart(yyin);
- if (yyparse() || policydb_errors) {
- fprintf(stderr, "%s: error(s) encountered while parsing configuration\n", progname);
- return -1;
- }
- queue_destroy(id_queue);
-
- if (hierarchy_check_constraints(NULL, p)) {
- return -1;
- }
-
- if (policydb_errors)
- return -1;
+ outfp = fopen(file, "w");
+ if (!outfp) {
+ perror(file);
+ exit(1);
+ }
- fclose(yyin);
- return 0;
-}
-
-static int write_binary_policy(policydb_t *p, char *file, char *progname)
-{
- FILE *outfp = NULL;
- struct policy_file pf;
- int ret;
-
- printf("%s: writing binary representation (version %d) to %s\n",
- progname, policyvers, file);
-
- outfp = fopen(file, "w");
- if (!outfp) {
- perror(file);
- exit(1);
- }
-
p->policy_type = policy_type;
p->policyvers = policyvers;
-
- pf.type = PF_USE_STDIO;
- pf.fp = outfp;
- ret = policydb_write(p, &pf);
- if (ret) {
- fprintf(stderr, "%s: error writing %s\n",
- progname, file);
- return -1;
- }
- fclose(outfp);
- return 0;
+
+ pf.type = PF_USE_STDIO;
+ pf.fp = outfp;
+ ret = policydb_write(p, &pf);
+ if (ret) {
+ fprintf(stderr, "%s: error writing %s\n", progname, file);
+ return -1;
+ }
+ fclose(outfp);
+ return 0;
}
static void usage(char *progname)
{
- printf("usage: %s [-V] [-b] [-m] [-M] [-o FILE] [INPUT]\n",
- progname);
- printf("Build base and policy modules.\n");
- printf("Options:\n");
- printf(" INPUT build module from INPUT (else read from \"%s\")\n", txtfile);
- printf(" -V show policy versions created by this program\n");
- printf(" -b treat input as a binary policy file\n");
- printf(" -m build a policy module instead of a base module\n");
- printf(" -M enable MLS policy\n");
- printf(" -o FILE write module to FILE (else just check syntax)\n");
+ printf("usage: %s [-V] [-b] [-m] [-M] [-o FILE] [INPUT]\n", progname);
+ printf("Build base and policy modules.\n");
+ printf("Options:\n");
+ printf(" INPUT build module from INPUT (else read from \"%s\")\n",
+ txtfile);
+ printf(" -V show policy versions created by this program\n");
+ printf(" -b treat input as a binary policy file\n");
+ printf(" -m build a policy module instead of a base module\n");
+ printf(" -M enable MLS policy\n");
+ printf(" -o FILE write module to FILE (else just check syntax)\n");
exit(1);
}
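Review bot: write_binary_policy never checks the return value of `fclose(outfp)`, so a buffered write that fails at flush time (ENOSPC, EIO) goes unnoticed and the function returns 0 after leaving a truncated binary module on disk; replace the bare `fclose(outfp);` with `if (fclose(outfp) != 0) { fprintf(stderr, "%s: error writing %s: %s\n", progname, file, strerror(errno)); return -1; }`. In the same function the fopen failure path calls `exit(1)` while every other failure returns -1, so the caller's `== -1` check never gets to see it. read_binary_policy likewise never closes `fd` — neither on the fstat failure path nor once the mmap has succeeded — which a `close(fd);` after the mmap check would fix, the mapping staying valid without the descriptor. These behaviours predate this change and the Lindent pass carries them over unchanged.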
@@ -204,13 +154,13 @@
unsigned int binary = 0;
int ch;
int show_version = 0;
- policydb_t modpolicydb;
+ policydb_t modpolicydb;
while ((ch = getopt(argc, argv, "ho:dbVmM")) != EOF) {
switch (ch) {
- case 'h':
- usage (argv [0]);
- break;
+ case 'h':
+ usage(argv[0]);
+ break;
case 'o':
outfile = optarg;
break;
@@ -223,9 +173,9 @@
break;
case 'm':
policy_type = POLICY_MOD;
- policyvers = MOD_POLICYDB_VERSION_MAX;
+ policyvers = MOD_POLICYDB_VERSION_MAX;
break;
- case 'M':
+ case 'M':
mlspol = 1;
break;
default:
@@ -234,8 +184,8 @@
}
if (show_version) {
- printf("Module versions %d-%d\n",
- MOD_POLICYDB_VERSION_MIN, MOD_POLICYDB_VERSION_MAX);
+ printf("Module versions %d-%d\n",
+ MOD_POLICYDB_VERSION_MIN, MOD_POLICYDB_VERSION_MAX);
exit(0);
}
@@ -244,27 +194,37 @@
if (optind != argc)
usage(argv[0]);
}
- printf("%s: loading policy configuration from %s\n", argv[0],
- file);
+ printf("%s: loading policy configuration from %s\n", argv[0], file);
- /* Set policydb and sidtab used by libsepol service functions
- to my structures, so that I can directly populate and
- manipulate them. */
- sepol_set_policydb(&modpolicydb);
- sepol_set_sidtab(&sidtab);
+ /* Set policydb and sidtab used by libsepol service functions
+ to my structures, so that I can directly populate and
+ manipulate them. */
+ sepol_set_policydb(&modpolicydb);
+ sepol_set_sidtab(&sidtab);
- policydbp = &modpolicydb;
if (binary) {
- if (read_binary_policy(policydbp, file, argv[0]) == -1) {
- exit(1);
- }
+ if (read_binary_policy(&modpolicydb, file, argv[0]) == -1) {
+ exit(1);
+ }
} else {
- if (read_source_policy(policydbp, file, argv[0]) == -1) {
- exit(1);
- }
- }
+ if (policydb_init(&modpolicydb)) {
+ fprintf(stderr, "%s: out of memory!\n", argv[0]);
+ return -1;
+ }
+
+ modpolicydb.policy_type = policy_type;
+ modpolicydb.mls = mlspol;
+
+ if (read_source_policy(&modpolicydb, file, argv[0]) == -1) {
+ exit(1);
+ }
+
+ if (hierarchy_check_constraints(NULL, &modpolicydb)) {
+ return -1;
+ }
+ }
- if (policydbp->policy_type == POLICY_BASE) {
+ if (modpolicydb.policy_type == POLICY_BASE) {
/* Verify that we can successfully expand the base module. */
policydb_t kernpolicydb;
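Review bot: The two failure paths added to main's source branch, after `policydb_init(&modpolicydb)` and after `hierarchy_check_constraints(NULL, &modpolicydb)`, use `return -1`, which hands the shell an exit status of 255 while every other failure in this function calls `exit(1)`; use `exit(1);` in both places so build scripts see one consistent non-zero status. The hierarchy check path also exits without a message naming the program, unlike the surrounding error paths; unless hierarchy_check_constraints reports on its own, a `fprintf(stderr, "%s: hierarchy check failed\n", argv[0]);` before exiting would make the failure attributable. main begins outside this hunk.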
@@ -272,28 +232,31 @@
fprintf(stderr, "%s: policydb_init failed\n", argv[0]);
exit(1);
}
- if (link_modules(NULL, policydbp, NULL, 0, 0)) {
+ if (link_modules(NULL, &modpolicydb, NULL, 0, 0)) {
fprintf(stderr, "%s: link modules failed\n", argv[0]);
exit(1);
}
- if (expand_module(NULL, policydbp, &kernpolicydb, 0, 1)) {
+ if (expand_module(NULL, &modpolicydb, &kernpolicydb, 0, 1)) {
fprintf(stderr, "%s: expand module failed\n", argv[0]);
exit(1);
}
policydb_destroy(&kernpolicydb);
}
- if (policydb_load_isids(policydbp, &sidtab))
+ if (policydb_load_isids(&modpolicydb, &sidtab))
exit(1);
+ sepol_sidtab_destroy(&sidtab);
+
printf("%s: policy configuration loaded\n", argv[0]);
if (outfile &&
- write_binary_policy(policydbp, outfile, argv[0]) == -1) {
- exit(1);
- }
+ write_binary_policy(&modpolicydb, outfile, argv[0]) == -1) {
+ exit(1);
+ }
+ policydb_destroy(&modpolicydb);
+
return 0;
}
/* FLASK */
-
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/checkpolicy.c#2 (text+ko) ====
@@ -80,6 +80,7 @@
#include "queue.h"
#include "checkpolicy.h"
+#include "parse_util.h"
extern char *optarg;
extern int optind;
@@ -88,17 +89,8 @@
static sidtab_t sidtab;
extern policydb_t *policydbp;
-extern queue_t id_queue;
-extern unsigned int policydb_errors;
-extern unsigned long policydb_lineno;
-extern char source_file[];
extern int mlspol;
-extern FILE *yyin;
-extern void init_parser(int);
-extern int yyparse(void);
-extern void yyrestart(FILE *);
-
static char *txtfile = "policy.conf";
static char *binfile = "policy";
@@ -106,8 +98,9 @@
void usage(char *progname)
{
- printf("usage: %s [-b] [-d] [-M] [-c policyvers (%d-%d)] [-o output_file] [input_file]\n",
- progname, POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
+ printf
+ ("usage: %s [-b] [-d] [-M] [-c policyvers (%d-%d)] [-o output_file] [input_file]\n",
+ progname, POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
exit(1);
}
@@ -118,7 +111,9 @@
exit(1);\
}
static int print_sid(sepol_security_id_t sid,
- context_struct_t * context __attribute__ ((unused)), void *data __attribute__ ((unused)))
+ context_struct_t * context
+ __attribute__ ((unused)), void *data
+ __attribute__ ((unused)))
{
sepol_security_context_t scontext;
size_t scontext_len;
@@ -146,7 +141,7 @@
perdatum = (perm_datum_t *) datum;
- if (v->val == perdatum->value) {
+ if (v->val == perdatum->s.value) {
v->name = key;
return 1;
}
@@ -155,7 +150,7 @@
}
#ifdef EQUIVTYPES
-static int insert_type_rule(avtab_key_t *k, avtab_datum_t *d,
+static int insert_type_rule(avtab_key_t * k, avtab_datum_t * d,
struct avtab_node *type_rules)
{
struct avtab_node *p, *c, *n;
@@ -168,10 +163,10 @@
*/
if (k->source_type < c->key.source_type)
break;
- if (k->source_type == c->key.source_type &&
+ if (k->source_type == c->key.source_type &&
k->target_type < c->key.target_type)
break;
- if (k->source_type == c->key.source_type &&
+ if (k->source_type == c->key.source_type &&
k->target_type == c->key.target_type &&
k->target_class < c->key.target_class)
break;
@@ -191,7 +186,7 @@
return 0;
}
-static int create_type_rules(avtab_key_t *k, avtab_datum_t *d, void *args)
+static int create_type_rules(avtab_key_t * k, avtab_datum_t * d, void *args)
{
struct avtab_node *type_rules = args;
@@ -200,8 +195,10 @@
* Insert the rule into the lists for both
* the source type and the target type.
*/
- if (insert_type_rule(k, d, &type_rules[k->source_type-1])) return -1;
- if (insert_type_rule(k, d, &type_rules[k->target_type-1])) return -1;
+ if (insert_type_rule(k, d, &type_rules[k->source_type - 1]))
+ return -1;
+ if (insert_type_rule(k, d, &type_rules[k->target_type - 1]))
+ return -1;
}
return 0;
@@ -218,24 +215,24 @@
}
}
-static int identify_equiv_types(void)
+static int identify_equiv_types(void)
{
- struct avtab_node *type_rules, *l1, *l2;
+ struct avtab_node *type_rules, *l1, *l2;
int i, j;
/*
* Create a list of access vector rules for each type
* from the access vector table.
*/
- type_rules = malloc(sizeof(struct avtab_node)*policydb.p_types.nprim);
+ type_rules = malloc(sizeof(struct avtab_node) * policydb.p_types.nprim);
if (!type_rules) {
fprintf(stderr, "out of memory\n");
exit(1);
}
- memset(type_rules, 0, sizeof(struct avtab_node)*policydb.p_types.nprim);
+ memset(type_rules, 0,
+ sizeof(struct avtab_node) * policydb.p_types.nprim);
if (avtab_map(&policydb.te_avtab, create_type_rules, type_rules))
exit(1);
-
/*
* Compare the type lists and identify equivalent types.
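Review bot: identify_equiv_types sizes its allocation as `sizeof(struct avtab_node) * policydb.p_types.nprim` with malloc and then memsets it; `type_rules = calloc(policydb.p_types.nprim, sizeof *type_rules);` does both in one call and, unlike the multiplication, fails cleanly if the product would overflow. This code appears to sit under `#ifdef EQUIVTYPES` (the guard opens in an earlier hunk), so it is not built by default, which is all the more reason to keep it simple. The function continues past the end of this hunk.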
@@ -244,27 +241,29 @@
if (!type_rules[i].next)
continue;
for (j = i + 1; j < policydb.p_types.nprim; j++) {
- for (l1 = type_rules[i].next, l2 = type_rules[j].next; l1 && l2;
- l1 = l1->next, l2 = l2->next) {
- if (l2->key.source_type == (j+1)) {
- if (l1->key.source_type != (i+1))
+ for (l1 = type_rules[i].next, l2 = type_rules[j].next;
+ l1 && l2; l1 = l1->next, l2 = l2->next) {
+ if (l2->key.source_type == (j + 1)) {
+ if (l1->key.source_type != (i + 1))
break;
} else {
- if (l1->key.source_type != l2->key.source_type)
+ if (l1->key.source_type !=
+ l2->key.source_type)
break;
}
- if (l2->key.target_type == (j+1)) {
- if (l1->key.target_type != (i+1))
+ if (l2->key.target_type == (j + 1)) {
+ if (l1->key.target_type != (i + 1))
break;
} else {
- if (l1->key.target_type != l2->key.target_type)
+ if (l1->key.target_type !=
+ l2->key.target_type)
break;
}
- if (l1->key.target_class != l2->key.target_class ||
- l1->datum.allowed != l2->datum.allowed)
+ if (l1->key.target_class != l2->key.target_class
+ || l1->datum.allowed != l2->datum.allowed)
break;
}
- if (l1 || l2)
+ if (l1 || l2)
continue;
free_type_rules(type_rules[j].next);
type_rules[j].next = NULL;
@@ -272,37 +271,37 @@
policydb.p_type_val_to_name[i],
policydb.p_type_val_to_name[j]);
}
- free_type_rules(type_rules[i].next);
+ free_type_rules(type_rules[i].next);
type_rules[i].next = NULL;
}
- free(type_rules);
+ free(type_rules);
return 0;
}
-#endif
+#endif
extern char *av_to_string(uint32_t tclass, sepol_access_vector_t av);
-
int display_bools()
{
int i;
for (i = 0; i < policydbp->p_bools.nprim; i++) {
printf("%s : %d\n", policydbp->p_bool_val_to_name[i],
- policydbp->bool_val_to_struct[i]->state);
+ policydbp->bool_val_to_struct[i]->state);
}
return 0;
}
-void display_expr(cond_expr_t *exp)
+void display_expr(cond_expr_t * exp)
{
cond_expr_t *cur;
for (cur = exp; cur != NULL; cur = cur->next) {
switch (cur->expr_type) {
case COND_BOOL:
- printf("%s ", policydbp->p_bool_val_to_name[cur->bool - 1]);
+ printf("%s ",
+ policydbp->p_bool_val_to_name[cur->bool - 1]);
break;
case COND_NOT:
printf("! ");
@@ -360,7 +359,9 @@
level_datum_t *levdatum = (level_datum_t *) datum;
if (!levdatum->isalias && !levdatum->defined) {
- fprintf(stderr, "Error: sensitivity %s was not used in a level definition!\n", key);
+ fprintf(stderr,
+ "Error: sensitivity %s was not used in a level definition!\n",
+ key);
return -1;
}
return 0;
@@ -389,7 +390,6 @@
int show_version = 0;
struct policy_file pf;
-
while ((ch = getopt(argc, argv, "o:dbMVc:")) != EOF) {
switch (ch) {
case 'o':
@@ -408,30 +408,36 @@
case 'M':
mlspol = 1;
break;
- case 'c': {
- long int n = strtol(optarg, NULL, 10);
- if (errno) {
- fprintf(stderr, "Invalid policyvers specified: %s\n", optarg);
- usage(argv[0]);
- exit(1);
+ case 'c':{
+ long int n = strtol(optarg, NULL, 10);
+ if (errno) {
+ fprintf(stderr,
+ "Invalid policyvers specified: %s\n",
+ optarg);
+ usage(argv[0]);
+ exit(1);
+ }
+ if (n < POLICYDB_VERSION_MIN
+ || n > POLICYDB_VERSION_MAX) {
+ fprintf(stderr,
+ "policyvers value %ld not in range %d-%d\n",
+ n, POLICYDB_VERSION_MIN,
+ POLICYDB_VERSION_MAX);
+ usage(argv[0]);
+ exit(1);
+ }
+ if (policyvers != n)
+ policyvers = n;
+ break;
}
- if (n < POLICYDB_VERSION_MIN || n > POLICYDB_VERSION_MAX) {
- fprintf(stderr, "policyvers value %ld not in range %d-%d\n",
- n, POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
- usage(argv[0]);
- exit(1);
- }
- if (policyvers != n)
- policyvers = n;
- break;
- }
default:
usage(argv[0]);
}
}
if (show_version) {
- printf("%d (compatibility range %d-%d)\n", policyvers, POLICYDB_VERSION_MAX, POLICYDB_VERSION_MIN);
+ printf("%d (compatibility range %d-%d)\n", policyvers,
+ POLICYDB_VERSION_MAX, POLICYDB_VERSION_MIN);
exit(0);
}
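Review bot: The `-c` handler tests `errno` after `strtol(optarg, NULL, 10)` without clearing it first and without an end pointer, so a stale errno from an earlier call can reject a valid version, while input such as `21abc` or an empty string is silently accepted as 21 or 0 and caught only if the range check happens to fail. Use `errno = 0; char *end; long int n = strtol(optarg, &end, 10);` and reject with `if (errno || end == optarg || *end != '\0')`. A smaller nit in the same hunk: the `-V` output passes POLICYDB_VERSION_MAX before POLICYDB_VERSION_MIN to a "compatibility range %d-%d" format, so the range prints high-to-low. The enclosing getopt loop starts outside this hunk.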
@@ -440,8 +446,7 @@
if (optind != argc)
usage(argv[0]);
}
- printf("%s: loading policy configuration from %s\n", argv[0],
- file);
+ printf("%s: loading policy configuration from %s\n", argv[0], file);
/* Set policydb and sidtab used by libsepol service functions
to my structures, so that I can directly populate and
@@ -461,7 +466,9 @@
file, strerror(errno));
exit(1);
}
- map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
+ map =
+ mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE,
+ fd, 0);
if (map == MAP_FAILED) {
fprintf(stderr, "Can't map '%s': %s\n",
file, strerror(errno));
@@ -471,12 +478,15 @@
pf.data = map;
pf.len = sb.st_size;
if (policydb_init(&policydb)) {
- fprintf(stderr, "%s: policydb_init: Out of memory!\n", argv[0]);
+ fprintf(stderr, "%s: policydb_init: Out of memory!\n",
+ argv[0]);
exit(1);
}
ret = policydb_read(&policydb, &pf, 1);
if (ret) {
- fprintf(stderr, "%s: error(s) encountered while parsing configuration\n", argv[0]);
+ fprintf(stderr,
+ "%s: error(s) encountered while parsing configuration\n",
+ argv[0]);
exit(1);
}
policydbp = &policydb;
@@ -484,27 +494,20 @@
/* Check Policy Consistency */
if (policydbp->mls) {
if (!mlspol) {
- fprintf(stderr,"%s: MLS policy, but non-MLS"
- " is specified\n", argv[0]);
+ fprintf(stderr, "%s: MLS policy, but non-MLS"
+ " is specified\n", argv[0]);
exit(1);
}
} else {
if (mlspol) {
- fprintf(stderr,"%s: non-MLS policy, but MLS"
- " is specified\n", argv[0]);
+ fprintf(stderr, "%s: non-MLS policy, but MLS"
+ " is specified\n", argv[0]);
exit(1);
}
}
} else {
- policydb_t parse_policy;
+ policydb_t parse_policy;
- yyin = fopen(file, "r");
- if (!yyin) {
- fprintf(stderr, "%s: unable to open %s\n", argv[0],
- file);
- exit(1);
- }
-
if (policydb_init(&parse_policy))
exit(1);
/* We build this as a base policy first since that is all the parser understands */
@@ -513,28 +516,9 @@
/* Let sepol know if we are dealing with MLS support */
parse_policy.mls = mlspol;
- id_queue = queue_create();
- if (!id_queue) {
- fprintf(stderr, "%s: out of memory\n", argv[0]);
- exit(1);
- }
policydbp = &parse_policy;
- init_parser(1);
- if (yyparse() || policydb_errors) {
- fprintf(stderr, "%s: error(s) encountered while parsing configuration\n", argv[0]);
- exit(1);
- }
- rewind(yyin);
- init_parser(2);
- source_file[0] = '\0';
- yyrestart(yyin);
- if (yyparse() || policydb_errors) {
- fprintf(stderr, "%s: error(s) encountered while parsing configuration\n", argv[0]);
- exit(1);
- }
- queue_destroy(id_queue);
- if (policydb_errors)
+ if (read_source_policy(policydbp, file, "checkpolicy") < 0)
exit(1);
if (hashtab_map(policydbp->p_levels.table, check_level, NULL))
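Review bot: The new call `read_source_policy(policydbp, file, "checkpolicy")` passes a literal program name, whereas every other diagnostic in this function — and the matching call in checkmodule.c — uses `argv[0]`; pass `argv[0]` here too so parser errors stay attributable when the binary is installed under another name. The context line `if (policydb_init(&parse_policy)) exit(1);` also exits without any message, unlike the binary branch's policydb_init failure which reports "Out of memory"; a `fprintf(stderr, "%s: policydb_init: Out of memory!\n", argv[0]);` before the exit would match. main continues beyond both ends of this hunk.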
@@ -546,18 +530,17 @@
}
/* Linking takes care of optional avrule blocks */
- if (link_modules(NULL, &parse_policy, NULL, 0, 0)) {
+ if (link_modules(NULL, &parse_policy, NULL, 0, 0)) {
fprintf(stderr, "Error while resolving optionals\n");
exit(1);
}
if (expand_module(NULL, &parse_policy, &policydb, 0, 1)) {
- fprintf(stderr, "Error while expanding policy\n");
+ fprintf(stderr, "Error while expanding policy\n");
exit(1);
- }
+ }
policydb_destroy(&parse_policy);
policydbp = &policydb;
- fclose(yyin);
}
if (policydb_load_isids(&policydb, &sidtab))
@@ -566,8 +549,9 @@
printf("%s: policy configuration loaded\n", argv[0]);
if (outfile) {
- printf("%s: writing binary representation (version %d) to %s\n",
- argv[0], policyvers, outfile);
+ printf
+ ("%s: writing binary representation (version %d) to %s\n",
+ argv[0], policyvers, outfile);
outfp = fopen(outfile, "w");
if (!outfp) {
perror(outfile);
@@ -634,39 +618,51 @@
FGETS(ans, sizeof(ans), stdin);
if (isdigit(ans[0])) {
tclass = atoi(ans);
- if (!tclass || tclass > policydb.p_classes.nprim) {
+ if (!tclass
+ || tclass > policydb.p_classes.nprim) {
printf("\nNo such class.\n");
break;
}
- cladatum = policydb.class_val_to_struct[tclass - 1];
+ cladatum =
+ policydb.class_val_to_struct[tclass - 1];
} else {
ans[strlen(ans) - 1] = 0;
- cladatum = (class_datum_t *) hashtab_search(policydb.p_classes.table,
- ans);
+ cladatum =
+ (class_datum_t *) hashtab_search(policydb.
+ p_classes.
+ table,
+ ans);
if (!cladatum) {
printf("\nNo such class\n");
break;
}
- tclass = cladatum->value;
+ tclass = cladatum->s.value;
}
if (!cladatum->comdatum && !cladatum->permissions.nprim) {
- printf("\nNo access vector definition for that class\n");
+ printf
+ ("\nNo access vector definition for that class\n");
break;
}
- ret = sepol_compute_av(ssid, tsid, tclass, 0,
- &avd);
+ ret = sepol_compute_av(ssid, tsid, tclass, 0, &avd);
switch (ret) {
case 0:
printf("\nallowed {");
for (i = 1; i <= sizeof(avd.allowed) * 8; i++) {
if (avd.allowed & (1 << (i - 1))) {
v.val = i;
- ret = hashtab_map(cladatum->permissions.table,
- find_perm, &v);
+ ret =
+ hashtab_map(cladatum->
+ permissions.
+ table,
+ find_perm, &v);
if (!ret && cladatum->comdatum) {
- ret = hashtab_map(cladatum->comdatum->permissions.table,
- find_perm, &v);
+ ret =
+ hashtab_map
+ (cladatum->
+ comdatum->
+ permissions.table,
+ find_perm, &v);
}
if (ret)
printf(" %s", v.name);
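Review bot: The permission-printing loop `for (i = 1; i <= sizeof(avd.allowed) * 8; i++)` tests `avd.allowed & (1 << (i - 1))`, and on the last iteration `1 << 31` shifts a signed int past its range, which is undefined behaviour in C; use an unsigned constant, `(1U << (i - 1))`, so the mask is well-defined for every bit (assuming avd.allowed is a 32-bit unsigned vector, which the loop bound suggests). In the class-name branch `ans[strlen(ans) - 1] = 0;` drops whatever the last character is, so a name typed on a final line with no newline loses its last letter; `ans[strcspn(ans, "\n")] = 0;` strips only a newline. These lines predate the re-indent and the enclosing interactive loop begins and ends outside this hunk.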
@@ -686,7 +682,7 @@
FGETS(ans, sizeof(ans), stdin);
ssid = atoi(ans);
ret = sepol_sid_to_context(ssid,
- &scontext, &scontext_len);
+ &scontext, &scontext_len);
switch (ret) {
case 0:
printf("\nscontext %s\n", scontext);
@@ -707,8 +703,7 @@
FGETS(ans, sizeof(ans), stdin);
scontext_len = strlen(ans);
ans[scontext_len - 1] = 0;
- ret = sepol_context_to_sid(ans, scontext_len,
- &ssid);
+ ret = sepol_context_to_sid(ans, scontext_len, &ssid);
switch (ret) {
case 0:
printf("\nsid %d\n", ssid);
@@ -739,27 +734,35 @@
FGETS(ans, sizeof(ans), stdin);
if (isdigit(ans[0])) {
tclass = atoi(ans);
- if (!tclass || tclass > policydb.p_classes.nprim) {
+ if (!tclass
+ || tclass > policydb.p_classes.nprim) {
printf("\nNo such class.\n");
break;
}
} else {
ans[strlen(ans) - 1] = 0;
- cladatum = (class_datum_t *) hashtab_search(policydb.p_classes.table,
- ans);
>>> TRUNCATED FOR MAIL (1000 lines) <<<