PERFORCE change 97278 for review
Todd Miller
millert at FreeBSD.org
Tue May 16 18:57:36 UTC 2006
http://perforce.freebsd.org/chv.cgi?CH=97278
Change 97278 by millert at millert_p4 on 2006/05/16 18:56:34
A port of checkpolicy version 1.30.3 from sourceforge to SEBSD.
Affected files ...
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/COPYING#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/ChangeLog#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/Makefile#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/VERSION#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/checkmodule.8#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/checkmodule.c#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/checkpolicy.8#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/checkpolicy.c#11 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/checkpolicy.h#7 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/module_compiler.c#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/module_compiler.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/policy_parse.y#8 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/policy_scan.l#7 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/queue.c#4 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/queue.h#4 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/test/Makefile#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/test/dismod.c#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/test/dispol.c#1 add
Differences ...
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/checkpolicy.8#2 (text+ko) ====
@@ -3,7 +3,7 @@
checkpolicy \- SELinux policy compiler
.SH SYNOPSIS
.B checkpolicy
-.I "[-b] [-d] [-c policyvers] [-o output_file] [input_file]"
+.I "[-b] [-d] [-M] [-c policyvers] [-o output_file] [input_file]"
.br
.SH "DESCRIPTION"
This manual page describes the
@@ -24,6 +24,9 @@
.B \-d
Enter debug mode after loading the policy.
.TP
+.B \-M
+Enable the MLS policy when checking and compiling the policy.
+.TP
.B \-o filename
Write a binary policy file to the specified filename.
.TP
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/checkpolicy.c#11 (text+ko) ====
@@ -3,7 +3,12 @@
* Author : Stephen Smalley, <sds at epoch.ncsc.mil>
*/
-/* Updated: Karl MacMillan <kmacmillan at tresys.com>
+/*
+ * Updated: Trusted Computer Solutions, Inc. <dgoeddel at trustedcs.com>
+ *
+ * Support for enhanced MLS infrastructure.
+ *
+ * Updated: Karl MacMillan <kmacmillan at tresys.com>
*
* Added conditional policy language extensions
*
@@ -11,7 +16,14 @@
*
* Added IPv6 support.
*
- * Copyright (C) 2003 - 2004 Tresys Technology, LLC
+ * Updated: Joshua Brindle <jbrindle at tresys.com>
+ * Karl MacMillan <kmacmillan at tresys.com>
+ * Jason Tang <jtang at tresys.com>
+ *
+ * Policy Module support.
+ *
+ * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
+ * Copyright (C) 2003 - 2005 Tresys Technology, LLC
* Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris at redhat.com>
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -58,10 +70,13 @@
#include <errno.h>
#include <sys/mman.h>
-#include <sepol/policydb.h>
-#include <sepol/services.h>
-#include <sepol/conditional.h>
-#include <sepol/flask.h>
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/services.h>
+#include <sepol/policydb/conditional.h>
+#include <sepol/policydb/hierarchy.h>
+#include <sepol/policydb/flask.h>
+#include <sepol/policydb/expand.h>
+#include <sepol/policydb/link.h>
#include "queue.h"
#include "checkpolicy.h"
@@ -76,30 +91,36 @@
extern queue_t id_queue;
extern unsigned int policydb_errors;
extern unsigned long policydb_lineno;
-extern unsigned long source_lineno;
extern char source_file[];
-extern unsigned int pass;
+extern int mlspol;
extern FILE *yyin;
+extern void init_parser(int);
extern int yyparse(void);
extern void yyrestart(FILE *);
-char *txtfile = "policy.conf";
-char *binfile = "policy";
+static char *txtfile = "policy.conf";
+static char *binfile = "policy";
unsigned int policyvers = POLICYDB_VERSION_MAX;
void usage(char *progname)
{
- printf("usage: %s [-b] [-d] [-c policyvers (%d-%d)] [-o output_file] [input_file]\n",
+ printf("usage: %s [-b] [-d] [-M] [-c policyvers (%d-%d)] [-o output_file] [input_file]\n",
progname, POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
exit(1);
}
-static int print_sid(security_id_t sid,
+#define FGETS(out, size, in) \
+if (fgets(out,size,in)==NULL) { \
+ fprintf(stderr, "fgets failed at line %d: %s\n", __LINE__,\
+ strerror(errno)); \
+ exit(1);\
+}
+static int print_sid(sepol_security_id_t sid,
context_struct_t * context __attribute__ ((unused)), void *data __attribute__ ((unused)))
{
- security_context_t scontext;
+ sepol_security_context_t scontext;
size_t scontext_len;
int rc;
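Review bot: The FGETS macro introduced in this hunk expands to a bare `if` statement, so a call such as `if (cond) FGETS(ans, sizeof(ans), stdin); else ...` would bind the `else` to the macro's own `if`, and none of its arguments are parenthesized; wrapping the body in `do { ... } while (0)` removes both hazards. Separately, fgets() returns NULL at end-of-file without touching errno, so the `fgets failed at line %d: %s` message would print a stale or "Success" strerror text when the interactive menu's stdin is simply closed; testing feof() first gives an accurate diagnostic. All call sites visible in this change pass plain identifiers, so the parenthesization is defensive rather than a live defect today.
```c
#define FGETS(out, size, in) \
do { \
	if (fgets((out), (size), (in)) == NULL) { \
		if (feof(in)) \
			fprintf(stderr, "unexpected end of input at line %d\n", __LINE__); \
		else \
			fprintf(stderr, "fgets failed at line %d: %s\n", __LINE__, strerror(errno)); \
		exit(1); \
	} \
} while (0)
```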
@@ -133,16 +154,6 @@
return 0;
}
-static int type_attr_remove(hashtab_key_t key __attribute__ ((unused)), hashtab_datum_t datum, void *p __attribute__ ((unused)))
-{
- type_datum_t *typdatum;
-
- typdatum = (type_datum_t *) datum;
- if (typdatum->isattr)
- return 1;
- return 0;
-}
-
#ifdef EQUIVTYPES
static int insert_type_rule(avtab_key_t *k, avtab_datum_t *d,
struct avtab_node *type_rules)
@@ -270,100 +281,9 @@
}
#endif
-static void cond_check_type_rules_list(cond_av_list_t *list)
-{
- cond_av_list_t *cur = list;
-
- while (cur) {
- if (cur->node->datum.specified & AVTAB_TYPE) {
- if (avtab_search(&policydbp->te_avtab, &cur->node->key, AVTAB_TYPE)) {
- fprintf(stderr, "conditional type rule for (%s, %s : %s) conflicts with entry in base policy; "
- "conditional rule discarded.\n", policydbp->p_type_val_to_name[cur->node->key.source_type-1],
- policydbp->p_type_val_to_name[cur->node->key.target_type-1],
- policydbp->p_class_val_to_name[cur->node->key.target_class-1]);
- cur->node->parse_context = (void*)0;
- } else {
- cur->node->parse_context = (void*)1;
- }
- } else {
- cur->node->parse_context = (void*)1;
- }
- cur = cur->next;
- }
-}
-
-/* check for duplicate type rules - this has to be done after all of
- * the parsing is finished because the conditional and base type rules
- * are collected in the same pass */
-static void cond_check_type_rules(void)
-{
- cond_list_t *node;
-
- for (node = policydbp->cond_list; node != NULL; node = node->next) {
- cond_check_type_rules_list(node->true_list);
- cond_check_type_rules_list(node->false_list);
- }
-}
+extern char *av_to_string(uint32_t tclass, sepol_access_vector_t av);
-extern char *av_to_string(uint32_t tclass, access_vector_t av);
-void check_assertion_helper(unsigned int stype, unsigned int ttype, ebitmap_t *tclasses,
- access_vector_t *avp, unsigned long line)
-{
- avtab_key_t avkey;
- avtab_datum_t *avdatump;
- unsigned int k;
-
-
- for (k = ebitmap_startbit(tclasses); k < ebitmap_length(tclasses); k++) {
- if (!ebitmap_get_bit(tclasses, k))
- continue;
- avkey.source_type = stype + 1;
- avkey.target_type = ttype + 1;
- avkey.target_class = k + 1;
- avdatump = avtab_search(&policydb.te_avtab, &avkey, AVTAB_AV);
- if (!avdatump)
- continue;
-
- if ((avdatump->specified & AVTAB_ALLOWED) &&
- (avtab_allowed(avdatump) & avp[k])) {
- fprintf(stderr, "assertion on line %ld violated by allow %s %s:%s {%s };\n", line, policydb.p_type_val_to_name[stype], policydb.p_type_val_to_name[ttype], policydb.p_class_val_to_name[k],
- av_to_string(k+1,
- avtab_allowed(avdatump) & avp[k]));
- policydb_errors++;
- }
- }
-}
-
-void check_assertions(void)
-{
- te_assert_t *a, *tmp;
- unsigned int i, j;
-
- a = te_assertions;
- while (a) {
- for (i = ebitmap_startbit(&a->stypes); i < ebitmap_length(&a->stypes); i++) {
- if (!ebitmap_get_bit(&a->stypes, i))
- continue;
- if (a->self) {
- check_assertion_helper(i, i, &a->tclasses, a->avp, a->line);
- }
- for (j = ebitmap_startbit(&a->ttypes); j < ebitmap_length(&a->ttypes); j++) {
- if (!ebitmap_get_bit(&a->ttypes, j))
- continue;
- check_assertion_helper(i, j, &a->tclasses, a->avp, a->line);
- }
- }
- tmp = a;
- a = a->next;
- ebitmap_destroy(&tmp->stypes);
- ebitmap_destroy(&tmp->ttypes);
- ebitmap_destroy(&tmp->tclasses);
- free(tmp->avp);
- free(tmp);
- }
-}
-
int display_bools()
{
int i;
@@ -435,12 +355,23 @@
return 0;
}
+static int check_level(hashtab_key_t key, hashtab_datum_t datum, void *arg)
+{
+ level_datum_t *levdatum = (level_datum_t *) datum;
+
+ if (!levdatum->isalias && !levdatum->defined) {
+ fprintf(stderr, "Error: sensitivity %s was not used in a level definition!\n", key);
+ return -1;
+ }
+ return 0;
+}
+
int main(int argc, char **argv)
{
- security_class_t tclass;
- security_id_t ssid, tsid, *sids;
- security_context_t scontext;
- struct av_decision avd;
+ sepol_security_class_t tclass;
+ sepol_security_id_t ssid, tsid, *sids;
+ sepol_security_context_t scontext;
+ struct sepol_av_decision avd;
class_datum_t *cladatum;
char ans[80 + 1], *file = txtfile, *outfile = NULL, *path, *fstype;
size_t scontext_len, pathlen;
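Review bot: The new check_level() callback leaves its `arg` parameter unused without the `__attribute__ ((unused))` marker that print_sid in this same file applies to its unused parameters, so `-Wunused-parameter` builds will warn on it; `static int check_level(hashtab_key_t key, hashtab_datum_t datum, void *arg __attribute__ ((unused)))` keeps the file consistent. The function also has no comment saying what it enforces; a one-liner above it such as `/* hashtab_map callback: fail if a declared sensitivity (alias excluded) never appears in a level definition */` would let a reader understand the -1 return without tracing hashtab_map semantics.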
@@ -449,7 +380,7 @@
unsigned int binary = 0, debug = 0;
struct val_to_name v;
int ret, ch, fd;
- unsigned int nel;
+ unsigned int nel, uret;
struct stat sb;
void *map;
FILE *outfp = NULL;
@@ -459,7 +390,7 @@
struct policy_file pf;
- while ((ch = getopt(argc, argv, "o:dbVc:")) != EOF) {
+ while ((ch = getopt(argc, argv, "o:dbMVc:")) != EOF) {
switch (ch) {
case 'o':
outfile = optarg;
@@ -474,6 +405,9 @@
case 'V':
show_version = 1;
break;
+ case 'M':
+ mlspol = 1;
+ break;
case 'c': {
long int n = strtol(optarg, NULL, 10);
if (errno) {
@@ -497,11 +431,7 @@
}
if (show_version) {
-#ifdef CONFIG_SECURITY_SELINUX_MLS
- printf("%d-mls (compatibility range %d-%d)\n", policyvers, POLICYDB_VERSION_MAX, POLICYDB_VERSION_MIN);
-#else
printf("%d (compatibility range %d-%d)\n", policyvers, POLICYDB_VERSION_MAX, POLICYDB_VERSION_MIN);
-#endif
exit(0);
}
@@ -540,63 +470,93 @@
pf.type = PF_USE_MEMORY;
pf.data = map;
pf.len = sb.st_size;
+ if (policydb_init(&policydb)) {
+ fprintf(stderr, "%s: policydb_init: Out of memory!\n", argv[0]);
+ exit(1);
+ }
ret = policydb_read(&policydb, &pf, 1);
if (ret) {
fprintf(stderr, "%s: error(s) encountered while parsing configuration\n", argv[0]);
exit(1);
}
policydbp = &policydb;
+
+ /* Check Policy Consistency */
+ if (policydbp->mls) {
+ if (!mlspol) {
+ fprintf(stderr,"%s: MLS policy, but non-MLS"
+ " is specified\n", argv[0]);
+ exit(1);
+ }
+ } else {
+ if (mlspol) {
+ fprintf(stderr,"%s: non-MLS policy, but MLS"
+ " is specified\n", argv[0]);
+ exit(1);
+ }
+ }
} else {
- yyin = fopen(file, "r");
+ policydb_t parse_policy;
+
+ yyin = fopen(file, "r");
if (!yyin) {
fprintf(stderr, "%s: unable to open %s\n", argv[0],
file);
exit(1);
}
- if (policydb_init(&policydb))
+ if (policydb_init(&parse_policy))
exit(1);
+ /* We build this as a base policy first since that is all the parser understands */
+ parse_policy.policy_type = POLICY_BASE;
+ /* Let sepol know if we are dealing with MLS support */
+ parse_policy.mls = mlspol;
+
id_queue = queue_create();
if (!id_queue) {
fprintf(stderr, "%s: out of memory\n", argv[0]);
exit(1);
}
- policydbp = &policydb;
- policydb_errors = 0;
- pass = 1;
+ policydbp = &parse_policy;
+ init_parser(1);
if (yyparse() || policydb_errors) {
fprintf(stderr, "%s: error(s) encountered while parsing configuration\n", argv[0]);
exit(1);
}
rewind(yyin);
- policydb_lineno = 1;
+ init_parser(2);
source_file[0] = '\0';
- source_lineno = 1;
yyrestart(yyin);
- pass = 2;
if (yyparse() || policydb_errors) {
fprintf(stderr, "%s: error(s) encountered while parsing configuration\n", argv[0]);
exit(1);
}
queue_destroy(id_queue);
- cond_check_type_rules();
- cond_optimize_lists(policydb.cond_list);
+ if (policydb_errors)
+ exit(1);
+
+ if (hashtab_map(policydbp->p_levels.table, check_level, NULL))
+ exit(1);
- check_assertions();
- if (policydb_errors)
+ if (policydb_init(&policydb)) {
+ fprintf(stderr, "%s: policydb_init failed\n", argv[0]);
exit(1);
+ }
- if (policyvers >= POLICYDB_VERSION_NLCLASS &&
- policydb.p_classes.nprim < SECCLASS_NETLINK_DNRT_SOCKET) {
- fprintf(stderr, "%s: policy lacks new netlink classes, unable to generate policy version %d\n", argv[0], policyvers);
+ /* Linking takes care of optional avrule blocks */
+ if (link_modules(NULL, &parse_policy, NULL, 0, 0)) {
+ fprintf(stderr, "Error while resolving optionals\n");
exit(1);
}
-
- /* remove type attributes */
- hashtab_map_remove_on_error(policydb.p_types.table,
- type_attr_remove, 0, 0);
+
+ if (expand_module(NULL, &parse_policy, &policydb, 0, 1)) {
+ fprintf(stderr, "Error while expanding policy\n");
+ exit(1);
+ }
+ policydb_destroy(&parse_policy);
+ policydbp = &policydb;
fclose(yyin);
}
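Review bot: The failure path for `policydb_init(&parse_policy)` in this hunk exits silently, while the two other policydb_init failures the commit adds print `"%s: policydb_init: Out of memory!\n"` and `"%s: policydb_init failed\n"`, so a user hitting this one gets no indication of what went wrong; `if (policydb_init(&parse_policy)) { fprintf(stderr, "%s: policydb_init failed\n", argv[0]); exit(1); }` would match the others. In the same vein, the new `Error while resolving optionals` and `Error while expanding policy` messages are the only diagnostics in main() that omit the `argv[0]:` prefix every surrounding message uses, which makes them hard to attribute when checkpolicy runs inside a build pipeline. main() begins and ends outside this hunk.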
@@ -614,7 +574,8 @@
exit(1);
}
- sepol_set_policyvers(policyvers);
+ policydb.policy_type = POLICY_KERN;
+ policydb.policyvers = policyvers;
pf.type = PF_USE_STDIO;
pf.fp = outfp;
@@ -626,8 +587,10 @@
}
fclose(outfp);
}
- if (!debug)
+ if (!debug) {
+ policydb_destroy(&policydb);
exit(0);
+ }
menu:
printf("\nSelect an option:\n");
@@ -656,19 +619,19 @@
printf("q) Exit\n");
while (1) {
printf("\nChoose: ");
- fgets(ans, sizeof(ans), stdin);
+ FGETS(ans, sizeof(ans), stdin);
switch (ans[0]) {
case '0':
printf("source sid? ");
- fgets(ans, sizeof(ans), stdin);
+ FGETS(ans, sizeof(ans), stdin);
ssid = atoi(ans);
printf("target sid? ");
- fgets(ans, sizeof(ans), stdin);
+ FGETS(ans, sizeof(ans), stdin);
tsid = atoi(ans);
printf("target class? ");
- fgets(ans, sizeof(ans), stdin);
+ FGETS(ans, sizeof(ans), stdin);
if (isdigit(ans[0])) {
tclass = atoi(ans);
if (!tclass || tclass > policydb.p_classes.nprim) {
@@ -720,7 +683,7 @@
break;
case '1':
printf("sid? ");
- fgets(ans, sizeof(ans), stdin);
+ FGETS(ans, sizeof(ans), stdin);
ssid = atoi(ans);
ret = sepol_sid_to_context(ssid,
&scontext, &scontext_len);
@@ -741,7 +704,7 @@
break;
case '2':
printf("scontext? ");
- fgets(ans, sizeof(ans), stdin);
+ FGETS(ans, sizeof(ans), stdin);
scontext_len = strlen(ans);
ans[scontext_len - 1] = 0;
ret = sepol_context_to_sid(ans, scontext_len,
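Review bot: The FGETS guard now rules out a NULL buffer, but the following `ans[scontext_len - 1] = 0;` still assumes the last byte read was the newline; `ans` is 81 bytes, so an input line of 80 or more characters arrives without a newline, the statement drops a real character of the context string instead, and the rest of the line is consumed by the next prompt's FGETS. `ans[strcspn(ans, "\n")] = '\0';` strips the newline only when present and avoids the index arithmetic. The same `ans[strlen(ans) - 1] = 0` pattern sits next to the FGETS calls in the later hunks for cases '7', '8', '9', 'a', the protocol-family/node-address case, 'c', 'd', 'e' and 'h', and the same one-line replacement applies to each.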
@@ -766,14 +729,14 @@
ch = ans[0];
printf("source sid? ");
- fgets(ans, sizeof(ans), stdin);
+ FGETS(ans, sizeof(ans), stdin);
ssid = atoi(ans);
printf("target sid? ");
- fgets(ans, sizeof(ans), stdin);
+ FGETS(ans, sizeof(ans), stdin);
tsid = atoi(ans);
printf("object class? ");
- fgets(ans, sizeof(ans), stdin);
+ FGETS(ans, sizeof(ans), stdin);
if (isdigit(ans[0])) {
tclass = atoi(ans);
if (!tclass || tclass > policydb.p_classes.nprim) {
@@ -816,7 +779,7 @@
break;
case '7':
printf("pathname? ");
- fgets(ans, sizeof(ans), stdin);
+ FGETS(ans, sizeof(ans), stdin);
pathlen = strlen(ans);
ans[pathlen - 1] = 0;
printf("%s: loading policy configuration from %s\n", argv[0], ans);
@@ -854,7 +817,7 @@
break;
case '8':
printf("fs kdevname? ");
- fgets(ans, sizeof(ans), stdin);
+ FGETS(ans, sizeof(ans), stdin);
ans[strlen(ans) - 1] = 0;
sepol_fs_sid(ans, &ssid, &tsid);
printf("fs_sid %d default_file_sid %d\n",
@@ -862,7 +825,7 @@
break;
case '9':
printf("protocol? ");
- fgets(ans, sizeof(ans), stdin);
+ FGETS(ans, sizeof(ans), stdin);
ans[strlen(ans) - 1] = 0;
if (!strcmp(ans, "tcp") || !strcmp(ans, "TCP"))
protocol = IPPROTO_TCP;
@@ -873,14 +836,14 @@
break;
}
printf("port? ");
- fgets(ans, sizeof(ans), stdin);
+ FGETS(ans, sizeof(ans), stdin);
port = atoi(ans);
sepol_port_sid(0, 0, protocol, port, &ssid);
printf("sid %d\n", ssid);
break;
case 'a':
printf("netif name? ");
- fgets(ans, sizeof(ans), stdin);
+ FGETS(ans, sizeof(ans), stdin);
ans[strlen(ans) - 1] = 0;
sepol_netif_sid(ans, &ssid, &tsid);
printf("if_sid %d default_msg_sid %d\n",
@@ -893,7 +856,7 @@
struct in6_addr addr6;
printf("protocol family? ");
- fgets(ans, sizeof(ans), stdin);
+ FGETS(ans, sizeof(ans), stdin);
ans[strlen(ans) - 1] = 0;
if (!strcasecmp(ans, "ipv4"))
family = AF_INET;
@@ -905,7 +868,7 @@
}
printf("node address? ");
- fgets(ans, sizeof(ans), stdin);
+ FGETS(ans, sizeof(ans), stdin);
ans[strlen(ans) - 1] = 0;
if (family == AF_INET) {
@@ -927,10 +890,10 @@
}
case 'c':
printf("fstype? ");
- fgets(ans, sizeof(ans), stdin);
+ FGETS(ans, sizeof(ans), stdin);
ans[strlen(ans) - 1] = 0;
- sepol_fs_use(ans, &ret, &ssid);
- switch (ret) {
+ sepol_fs_use(ans, &uret, &ssid);
+ switch (uret) {
case SECURITY_FS_USE_XATTR:
printf("use xattr\n");
break;
@@ -951,15 +914,15 @@
break;
case 'd':
printf("fstype? ");
- fgets(ans, sizeof(ans), stdin);
+ FGETS(ans, sizeof(ans), stdin);
ans[strlen(ans) - 1] = 0;
fstype = strdup(ans);
printf("path? ");
- fgets(ans, sizeof(ans), stdin);
+ FGETS(ans, sizeof(ans), stdin);
ans[strlen(ans) - 1] = 0;
path = strdup(ans);
printf("object class? ");
- fgets(ans, sizeof(ans), stdin);
+ FGETS(ans, sizeof(ans), stdin);
if (isdigit(ans[0])) {
tclass = atoi(ans);
if (!tclass || tclass > policydb.p_classes.nprim) {
@@ -983,12 +946,12 @@
break;
case 'e':
printf("from SID? ");
- fgets(ans, sizeof(ans), stdin);
+ FGETS(ans, sizeof(ans), stdin);
ans[strlen(ans) - 1] = 0;
ssid = atoi(ans);
printf("username? ");
- fgets(ans, sizeof(ans), stdin);
+ FGETS(ans, sizeof(ans), stdin);
ans[strlen(ans) - 1] = 0;
ret = sepol_get_user_sids(ssid, ans, &sids, &nel);
@@ -1019,7 +982,7 @@
break;
case 'h':
printf("name? ");
- fgets(ans, sizeof(ans), stdin);
+ FGETS(ans, sizeof(ans), stdin);
ans[strlen(ans) - 1] = 0;
name = malloc((strlen(ans) + 1) * sizeof(char));
@@ -1031,7 +994,7 @@
printf("state? ");
- fgets(ans, sizeof(ans), stdin);
+ FGETS(ans, sizeof(ans), stdin);
ans[strlen(ans) - 1] = 0;
if (atoi(ans))
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/checkpolicy.h#7 (text+ko) ====
@@ -1,14 +1,14 @@
#ifndef _CHECKPOLICY_H_
#define _CHECKPOLICY_H_
-#include <sepol/ebitmap.h>
+#include <sepol/policydb/ebitmap.h>
typedef struct te_assert {
ebitmap_t stypes;
ebitmap_t ttypes;
ebitmap_t tclasses;
int self;
- access_vector_t *avp;
+ sepol_access_vector_t *avp;
unsigned long line;
struct te_assert *next;
} te_assert_t;
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/policy_parse.y#8 (text+ko) ====
@@ -3,11 +3,23 @@
* Author : Stephen Smalley, <sds at epoch.ncsc.mil>
*/
-/* Updated: David Caplan, <dac at tresys.com>
+/*
+ * Updated: Trusted Computer Solutions, Inc. <dgoeddel at trustedcs.com>
+ *
+ * Support for enhanced MLS infrastructure.
+ *
+ * Updated: David Caplan, <dac at tresys.com>
*
* Added conditional policy language extensions
*
- * Copyright (C) 2003 - 2004 Tresys Technology, LLC
+ * Updated: Joshua Brindle <jbrindle at tresys.com>
+ * Karl MacMillan <kmacmillan at tresys.com>
+ * Jason Tang <jtang at tresys.com>
+ *
+ * Added support for binary policy modules
+ *
+ * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
+ * Copyright (C) 2003 - 2005 Tresys Technology, LLC
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, version 2.
@@ -17,45 +29,60 @@
%{
#include <sys/types.h>
+#include <assert.h>
+#include <stdarg.h>
#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
+#include <stdlib.h>
-#include <sepol/policydb.h>
-#include <sepol/services.h>
-#include <sepol/conditional.h>
-#include <sepol/flask.h>
+#include <sepol/policydb/expand.h>
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/services.h>
+#include <sepol/policydb/conditional.h>
+#include <sepol/policydb/flask.h>
+#include <sepol/policydb/hierarchy.h>
#include "queue.h"
#include "checkpolicy.h"
+#include "module_compiler.h"
/*
* We need the following so we have a valid error return code in yacc
* when we have a parse error for a conditional rule. We can't check
* for NULL (ie 0) because that is a potentially valid return.
*/
-static cond_av_list_t *conditional_unused_error_code;
-#define COND_ERR (cond_av_list_t *)&conditional_unused_error_code
+static avrule_t *conditional_unused_error_code;
+#define COND_ERR (avrule_t *)&conditional_unused_error_code
#define TRUE 1
#define FALSE 0
policydb_t *policydbp;
queue_t id_queue = 0;
-unsigned int pass;
+static unsigned int pass;
char *curfile = 0;
-unsigned int curline;
+int mlspol = 0;
extern unsigned long policydb_lineno;
+extern unsigned long source_lineno;
+extern unsigned int policydb_errors;
+extern unsigned int policyvers;
extern char yytext[];
+extern int yylex(void);
extern int yywarn(char *msg);
extern int yyerror(char *msg);
-static char errormsg[255];
+#define ERRORMSG_LEN 255
+static char errormsg[ERRORMSG_LEN + 1] = {0};
static int insert_separator(int push);
static int insert_id(char *id,int push);
+static int id_has_dot(char *id);
static int define_class(void);
static int define_initial_sid(void);
static int define_common_perms(void);
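Review bot: This hunk adds `#include <stdlib.h>` twice in the prologue, once in the alphabetical group of standard headers and again after `<arpa/inet.h>`; the second include is redundant and should be dropped so the standard-header group stays the single place to look. Also worth a note for maintainers: `errormsg` is now sized `ERRORMSG_LEN + 1` and zero-initialized, so any snprintf into it should pass `sizeof(errormsg)` rather than `ERRORMSG_LEN` to use the full buffer; the users of errormsg are outside this hunk, so I cannot confirm which size they pass.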
@@ -64,10 +91,9 @@
static int define_dominance(void);
static int define_category(void);
static int define_level(void);
-static int define_common_base(void);
-static int define_av_base(void);
static int define_attrib(void);
static int define_typealias(void);
+static int define_typeattribute(void);
static int define_type(int alias);
static int define_compute_type(int which);
static int define_te_avtab(int which);
@@ -75,16 +101,16 @@
static role_datum_t *merge_roles_dom(role_datum_t *r1,role_datum_t *r2);
static role_datum_t *define_role_dom(role_datum_t *r);
static int define_role_trans(void);
+static int define_range_trans(void);
static int define_role_allow(void);
static int define_constraint(constraint_expr_t *expr);
-static int define_bool();
-static int define_conditional(cond_expr_t *expr,cond_av_list_t *t_list, cond_av_list_t *f_list );
+static int define_validatetrans(constraint_expr_t *expr);
+static int define_bool(void);
+static int define_conditional(cond_expr_t *expr, avrule_t *t_list, avrule_t *f_list );
static cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void* arg2);
-static cond_av_list_t *define_cond_pol_list(cond_av_list_t *avlist, cond_av_list_t *stmt);
-static cond_av_list_t *define_cond_compute_type(int which);
-static cond_av_list_t *define_cond_te_avtab(int which);
-static cond_av_list_t *cond_list_append(cond_av_list_t *sl, avtab_key_t *key, avtab_datum_t *datum);
-static void cond_reduce_insert_list(cond_av_list_t *new, cond_av_list_t **active, cond_av_list_t **inactive, int state );
+static avrule_t *define_cond_pol_list(avrule_t *avlist, avrule_t *stmt);
+static avrule_t *define_cond_compute_type(int which);
+static avrule_t *define_cond_te_avtab(int which);
static uintptr_t define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2);
static int define_user(void);
static int parse_security_context(context_struct_t *c);
@@ -96,31 +122,38 @@
static int define_netif_context(void);
static int define_ipv4_node_context(unsigned int addr, unsigned int mask);
static int define_ipv6_node_context(void);
+
+typedef int (* require_func_t)();
+
%}
%union {
unsigned int val;
uintptr_t valptr;
void *ptr;
+ require_func_t require_func;
}
-%type <ptr> cond_expr cond_expr_prim cond_pol_list
+%type <ptr> cond_expr cond_expr_prim cond_pol_list cond_else
%type <ptr> cond_allow_def cond_auditallow_def cond_auditdeny_def cond_dontaudit_def
%type <ptr> cond_transition_def cond_te_avtab_def cond_rule_def
%type <ptr> role_def roles
-%type <valptr> cexpr cexpr_prim op roleop
+%type <valptr> cexpr cexpr_prim op role_mls_op
%type <val> ipv4_addr_def number
+%type <require_func> require_decl_def
%token PATH
%token CLONE
%token COMMON
%token CLASS
%token CONSTRAIN
+%token VALIDATETRANS
%token INHERITS
%token SID
%token ROLE
%token ROLES
%token TYPEALIAS
+%token TYPEATTRIBUTE
%token TYPE
%token TYPES
%token ALIAS
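Review bot: `typedef int (* require_func_t)();` declares a pointer to a function with an unspecified parameter list, so calls made through the `require_func` semantic value are not type-checked by the compiler. If the functions stored in it share one signature, spelling it out, for example `typedef int (*require_func_t)(int);` if they take the pass number, restores that checking; the callees are not in this hunk, so the exact parameter list has to be confirmed against them.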
@@ -132,12 +165,15 @@
%token TYPE_MEMBER
%token TYPE_CHANGE
%token ROLE_TRANSITION
+%token RANGE_TRANSITION
%token SENSITIVITY
%token DOMINANCE
%token DOM DOMBY INCOMP
%token CATEGORY
%token LEVEL
-%token RANGES
+%token RANGE
+%token MLSCONSTRAIN
+%token MLSVALIDATETRANS
%token USER
%token NEVERALLOW
%token ALLOW
@@ -150,7 +186,7 @@
%token FSCON PORTCON NETIFCON NODECON
%token FSUSEXATTR FSUSETASK FSUSETRANS
%token GENFSCON
-%token U1 U2 R1 R2 T1 T2
+%token U1 U2 U3 R1 R2 R3 T1 T2 T3 L1 L2 H1 H2
%token NOT AND OR XOR
%token CTRUE CFALSE
%token IDENTIFIER
@@ -159,6 +195,7 @@
%token EQUALS
%token NOTEQUAL
%token IPV6_ADDR
+%token MODULE VERSION_IDENTIFIER REQUIRE OPTIONAL
%left OR
%left XOR
@@ -166,12 +203,17 @@
%right NOT
%left EQUALS NOTEQUAL
%%
-policy : classes initial_sids access_vectors
- { if (pass == 1) { if (policydb_index_classes(policydbp)) return -1; } }
+policy : base_policy
+ | module_policy
+ ;
+base_policy : { if (define_policy(pass, 0) == -1) return -1; }
+ classes initial_sids access_vectors
+ { if (pass == 1) { if (policydb_index_classes(policydbp)) return -1; }
+ else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1; }}
opt_mls te_rbac users opt_constraints
{ if (pass == 1) { if (policydb_index_bools(policydbp)) return -1;}
- if (pass == 2) { if (policydb_index_others(policydbp, 1)) return -1;} }
- initial_sid_contexts opt_fs_contexts fs_uses opt_genfs_contexts net_contexts
+ else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1;}}
+ initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts
;
classes : class_def
| classes class_def
@@ -209,7 +251,7 @@
opt_mls : mls
|
;
-mls : sensitivities dominance opt_categories levels base_perms
+mls : sensitivities dominance opt_categories levels mlspolicy
;
sensitivities : sensitivity_def
| sensitivities sensitivity_def
@@ -244,39 +286,26 @@
{if (define_level()) return -1;}
| LEVEL identifier ';'
{if (define_level()) return -1;}
- ;
-base_perms : opt_common_base av_base
;
-opt_common_base : common_base
- |
- ;
-common_base : common_base_def
- | common_base common_base_def
+mlspolicy : mlspolicy_decl
+ | mlspolicy mlspolicy_decl
;
-common_base_def : COMMON identifier '{' perm_base_list '}'
- {if (define_common_base()) return -1;}
+mlspolicy_decl : mlsconstraint_def
+ | mlsvalidatetrans_def
;
-av_base : av_base_def
- | av_base av_base_def
+mlsconstraint_def : MLSCONSTRAIN names names cexpr ';'
+ { if (define_constraint((constraint_expr_t*)$4)) return -1; }
;
-av_base_def : CLASS identifier '{' perm_base_list '}'
- {if (define_av_base()) return -1;}
- | CLASS identifier
- {if (define_av_base()) return -1;}
+mlsvalidatetrans_def : MLSVALIDATETRANS names cexpr ';'
+ { if (define_validatetrans((constraint_expr_t*)$3)) return -1; }
;
-perm_base_list : perm_base
- | perm_base_list perm_base
- ;
-perm_base : identifier ':' identifier
- {if (insert_separator(0)) return -1;}
- | identifier ':' '{' identifier_list '}'
- {if (insert_separator(0)) return -1;}
- ;
te_rbac : te_rbac_decl
| te_rbac te_rbac_decl
;
te_rbac_decl : te_decl
| rbac_decl
+ | cond_stmt_def
+ | optional_block
| ';'
;
rbac_decl : role_type_def
@@ -287,10 +316,11 @@
te_decl : attribute_def
| type_def
| typealias_def
+ | typeattribute_def
| bool_def
| transition_def
+ | range_trans_def
| te_avtab_def
- | cond_stmt_def
;
attribute_def : ATTRIBUTE identifier ';'
{ if (define_attrib()) return -1;}
@@ -303,6 +333,9 @@
typealias_def : TYPEALIAS identifier alias_def ';'
{if (define_typealias()) return -1;}
;
+typeattribute_def : TYPEATTRIBUTE identifier id_comma_list ';'
+ {if (define_typeattribute()) return -1;}
+ ;
opt_attr_list : ',' id_comma_list
|
;
@@ -314,19 +347,13 @@
| CFALSE
{ if (insert_id("F",0)) return -1; }
;
-cond_stmt_def : IF cond_expr '{' cond_pol_list '}'
- { if (pass == 2) { if (define_conditional((cond_expr_t*)$2, (cond_av_list_t*)$4,(cond_av_list_t*) 0) < 0) return -1; }}
- | IF cond_expr '{' cond_pol_list '}' ELSE '{' cond_pol_list '}'
- { if (pass == 2) { if (define_conditional((cond_expr_t*)$2,(cond_av_list_t*)$4,(cond_av_list_t*)$8) < 0 ) return -1; }}
- | IF cond_expr '{' cond_pol_list '}' ELSE '{' '}'
- { if (pass == 2) { if (define_conditional((cond_expr_t*)$2,(cond_av_list_t*)$4,(cond_av_list_t*) 0) < 0 ) return -1; }}
- | IF cond_expr '{' '}' ELSE '{' cond_pol_list '}'
- { if (pass == 2) { if (define_conditional((cond_expr_t*)$2,(cond_av_list_t*) 0,(cond_av_list_t*) $7) < 0 ) return -1; }}
- | IF cond_expr '{' '}' ELSE '{' '}'
>>> TRUNCATED FOR MAIL (1000 lines) <<<