PERFORCE change 97285 for review
Todd Miller
millert at FreeBSD.org
Tue May 16 19:17:45 UTC 2006
http://perforce.freebsd.org/chv.cgi?CH=97285
Change 97285 by millert at millert_p4 on 2006/05/16 19:17:01
Adapt to new SEBSD kernel bits.
Affected files ...
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/Makefile#24 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/Makefile#4 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/access_vectors#9 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/mkaccess_vector.sh#3 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/mkflask.sh#3 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/Makefile#24 (text+ko) ====
@@ -18,9 +18,13 @@
FLASKDIR = flask/
PREFIX = /usr
-LOADPOLICY = /usr/sbin/sebsd_loadpolicy
-CHECKPOLICY = /sbin/sebsd_checkpolicy
-SETFILES = /sbin/sebsd_setfiles
+.if exists($(DESTDIR)/usr/bin/checkpolicy)
+CHECKPOLICY = $(DESTDIR)/usr/bin/checkpolicy
+.else
+CHECKPOLICY = /usr/bin/checkpolicy
+.endif
+LOADPOLICY = $(DESTDIR)/usr/sbin/load_policy
+SETFILES = $(DESTDIR)/usr/sbin/setfiles
.if (POLICYVERCOMPAT)
POLICYVERTMP = $(POLICYVERCOMPAT)
POLICYVERCOMPATARGS = -c $(POLICYVERCOMPAT)
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/Makefile#4 (text+ko) ====
@@ -9,20 +9,22 @@
FLASK_H_DEPEND = security_classes initial_sids
AV_H_DEPEND = access_vectors
-FLASK_H_FILES = av_inherit.h av_perm_to_string.h av_permissions.h class_to_string.h common_perm_to_string.h initial_sid_to_string.h
+FLASK_H_FILES = class_to_string.h flask.h initial_sid_to_string.h
+AV_H_FILES = av_inherit.h common_perm_to_string.h av_perm_to_string.h av_permissions.h
+ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES)
-all: flask.h av_permissions.h
+all: $(ALL_H_FILES)
-flask.h: $(FLASK_H_DEPEND)
+$(FLASK_H_FILES): $(FLASK_H_DEPEND)
/bin/sh ./mkflask.sh $(AWK) $(FLASK_H_DEPEND)
-av_permissions.h: $(AV_H_DEPEND)
+$(AV_H_FILES): $(AV_H_DEPEND)
/bin/sh ./mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
-install: flask.h av_permissions.h
- install -C -m0644 $(FLASK_H_FILES) $(KERNDIR)/avc
- install -C -m0644 flask.h $(KERNDIR)
+install: all
+ install -C -m 644 ${ALL_H_FILES:Nflask.h} $(KERNDIR)/avc
+ install -C -m 644 flask.h $(KERNDIR)
clean:
rm -f $(FLASK_H_FILES)
- rm -f $(FLASK_IH_FILES)
+ rm -f $(AV_H_FILES)
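Review bot: The two generator scripts are not prerequisites of the headers they produce, so an existing build tree with up-to-date `security_classes`/`access_vectors` will keep its stale headers even though this very change alters the output format (the `S_`/`TB_`/`TE_` macros); suggest `$(FLASK_H_FILES): $(FLASK_H_DEPEND) mkflask.sh` and `$(AV_H_FILES): $(AV_H_DEPEND) mkaccess_vector.sh`. A rule header that lists several targets with one recipe also defines one rule per target, so a parallel build can run `mkflask.sh` or `mkaccess_vector.sh` once per listed header, each invocation rewriting all of them while another is reading them; a single stamp target that the headers depend on avoids the race. Neither `install` nor `clean` is declared `.PHONY`, which is pre-existing but worth fixing while the rules are being touched.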
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/access_vectors#9 (text+ko) ====
@@ -248,6 +248,7 @@
siginh
setrlimit
rlimitinh
+ dyntransition
}
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/mkaccess_vector.sh#3 (text+ko) ====
@@ -5,9 +5,6 @@
set -e
-#subproject id
-subproject="FLASK"
-
awk=$1
shift
@@ -18,9 +15,25 @@
av_perm_to_string="av_perm_to_string.h"
cat $* | $awk "
+ # Quicksort function for awk arrays, from The AWK Programming
+ # Language, by Aho, Kernighan and Weinberger.
+ # Call qsort(array, smallestindex, largestindex)
+ function qsort(a,left,right, i,last) {
+ if (left >= right) return
+ swap(a, left, left + int((right-left+1)*rand()))
+ last = left
+ for (i=left+1; i<=right; i++)
+ if (a[i] < a[left]) swap(a, ++last, i)
+ swap(a, left, last)
+ qsort(a, left, last-1)
+ qsort(a, last+1, right)
+ }
+ function swap(a,i,j, t) {
+ t = a[i]; a[i] = a[j]; a[j] = t;
+ }
+
BEGIN {
outfile = \"$av_permissions\"
- subproject = \"$subproject\"
inheritfile = \"$av_inherit\"
cpermfile = \"$common_perm_to_string\"
avpermfile = \"$av_perm_to_string\"
@@ -31,27 +44,6 @@
printf("/* This file is automatically generated. Do not edit. */\n") > cpermfile;
printf("/* This file is automatically generated. Do not edit. */\n") > avpermfile;
;
- printf("/* %s */\n\n", subproject) > outfile;
-
- printf("/* %s */\n\n", subproject) > cpermfile;
-
- printf("/* %s */\n\n", subproject) > inheritfile;
- printf("typedef struct\n") > inheritfile;
- printf("{\n") > inheritfile;
- printf(" security_class_t tclass;\n") > inheritfile;
- printf(" char **common_pts;\n") > inheritfile;
- printf(" access_vector_t common_base;\n") > inheritfile;
- printf("} av_inherit_t;\n\n") > inheritfile;
- printf("static av_inherit_t av_inherit[] = {\n") > inheritfile;
-
- printf("/* %s */\n\n", subproject) > avpermfile;
- printf("typedef struct\n") > avpermfile;
- printf("{\n") > avpermfile;
- printf(" security_class_t tclass;\n") > avpermfile;
- printf(" access_vector_t value;\n") > avpermfile;
- printf(" char *name;\n") > avpermfile;
- printf("} av_perm_to_string_t;\n\n") > avpermfile;
- printf("static av_perm_to_string_t av_perm_to_string[] = {\n") > avpermfile;
}
/^[ \t]*#/ {
next;
@@ -74,7 +66,7 @@
common_name = $2;
permission = 1;
- printf("static char *common_%s_perm_to_string[] =\n{\n", $2) > cpermfile;
+ printf("TB_(common_%s_perm_to_string)\n", $2) > cpermfile;
nextstate = "COMMON-OPENBRACKET";
next;
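Review bot: The generated `common_*_perm_to_string` table now expands to `TB_(...)`, `S_(...)` and `TE_(...)` macros that the generated header neither defines nor documents, so a reader of the header cannot tell what the including file has to provide; the same applies to the `S_(...)` lines written to inheritfile, cpermfile and avpermfile in the later hunks of this file and to debugfile in mkflask.sh. Since each output already starts with a `/* This file is automatically generated. Do not edit. */` banner, suggest extending that banner in the BEGIN block, e.g. `printf("/* The including file must define TB_(name), S_(...) and TE_(name). */\n") > cpermfile;` with the corresponding `S_` note for the other outputs. The enclosing awk program continues outside this hunk.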
@@ -123,21 +115,31 @@
split(combined,separate, SUBSEP);
if (separate[1] == inherits)
{
- printf("#define %s__%s", toupper(tclass), toupper(separate[2])) > outfile;
- spaces = 40 - (length(separate[2]) + length(tclass));
- if (spaces < 1)
- spaces = 1;
- for (i = 0; i < spaces; i++)
- printf(" ") > outfile;
- pt = common_perms[combined];
- printf("0x%08x%08xUL\n", pt>32 ? 2^(pt-33) : 0, pt<33 ? 2^(pt-1) : 0) > outfile;
- #printf("0x%08xUL\n", common_perms[combined]) > outfile;
+ inherited_perms[common_perms[combined]] = separate[2];
}
}
+
+ n = 0;
+ for (i in inherited_perms) {
+ n++;
+ ind[n] = i + 0;
+ }
+ qsort(ind, 1, n);
+ for (i = 1; i <= n; i++) {
+ perm = inherited_perms[ind[i]];
+ printf("#define %s__%s", toupper(tclass), toupper(perm)) > outfile;
+ spaces = 40 - (length(perm) + length(tclass));
+ if (spaces < 1)
+ spaces = 1;
+ for (j = 0; j < spaces; j++)
+ printf(" ") > outfile;
+ printf("0x%08xUL\n", ind[i]) > outfile;
+ }
printf("\n") > outfile;
-
- printf(" { SECCLASS_%s, common_%s_perm_to_string, 0x%08x%08xUL },\n", toupper(tclass), inherits,
- permission>32 ? 2^(permission-33) : 0, permission<33 ? 2^(permission-1) : 0) > inheritfile;
+ for (i in ind) delete ind[i];
+ for (i in inherited_perms) delete inherited_perms[i];
+
+ printf(" S_(SECCLASS_%s, %s, 0x%08xUL)\n", toupper(tclass), inherits, permission) > inheritfile;
nextstate = "CLASS_OR_CLASS-OPENBRACKET";
next;
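Review bot: The padding logic added for the inherited permissions (`spaces = 40 - (length(perm) + length(tclass))`, the `< 1` clamp and the space-printing loop) duplicates the block later in this file that pads class-specific permissions, and the two copies can now drift apart. Since qsort() and swap() show the script already defines helper functions at top level, suggest a third one next to them, `function pad(n, i) { if (n < 1) n = 1; for (i = 0; i < n; i++) printf(" ") > outfile }`, and calling `pad(40 - (length(perm) + length(tclass)))` in both places. The clearing loops `for (i in ind) delete ind[i];` are the right portable form for the awk of this era, so no change there. The enclosing awk action starts outside this hunk.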
@@ -180,7 +182,7 @@
printf("#define COMMON_%s__%s", toupper(common_name), toupper($1)) > outfile;
- printf(" \"%s\",\n", $1) > cpermfile;
+ printf(" S_(\"%s\")\n", $1) > cpermfile;
}
else
{
@@ -203,7 +205,7 @@
printf("#define %s__%s", toupper(tclass), toupper($1)) > outfile;
- printf(" { SECCLASS_%s, %s__%s, \"%s\" },\n", toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile;
+ printf(" S_(SECCLASS_%s, %s__%s, \"%s\")\n", toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile;
}
spaces = 40 - (length($1) + length(tclass));
@@ -212,8 +214,8 @@
for (i = 0; i < spaces; i++)
printf(" ") > outfile;
- printf("0x%08x%08xUL\n", permission>32 ? 2^(permission-33) : 0, permission<33 ? 2^(permission-1) : 0) > outfile;
- permission = permission + 1;
+ printf("0x%08xUL\n", permission) > outfile;
+ permission = permission * 2;
}
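Review bot: After `permission = permission * 2` nothing checks that a class stays within 32 permissions; the removed code emitted a 64-bit value in two `%08x` halves, while the new `0x%08xUL` format only represents 32 bits, so a 33rd permission would make `permission` 2^32 and the printf would emit 0 or an implementation-defined `%x` result and silently collide with another bit. Suggest guarding before the printf, in the same style as the existing parse-error messages but with a non-zero exit so `set -e` stops the build: `if (permission > 2147483648) { printf("Parse error: more than 32 permissions in a class\n"); exit 1; }`. The awk text is interpolated by the shell (`cat $* | $awk "`), so the guard must not contain an unescaped `$`. The enclosing awk action starts outside this hunk.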
$1 == "}" {
if (nextstate != "CLASS-CLOSEBRACKET" &&
@@ -226,7 +228,7 @@
if (nextstate == "COMMON-CLOSEBRACKET")
{
common_base[common_name] = permission;
- printf("};\n\n") > cpermfile;
+ printf("TE_(common_%s_perm_to_string)\n\n", common_name) > cpermfile;
}
printf("\n") > outfile;
@@ -237,17 +239,6 @@
if (nextstate != "COMMON_OR_AV" && nextstate != "CLASS_OR_CLASS-OPENBRACKET")
printf("Parse error: Unexpected end of file\n");
- printf("\n/* %s */\n", subproject) > outfile;
-
- printf("\n/* %s */\n", subproject) > cpermfile;
-
- printf("};\n\n") > inheritfile;
- printf("#define AV_INHERIT_SIZE (sizeof(av_inherit)/sizeof(av_inherit_t))\n\n") > inheritfile;
- printf("\n/* %s */\n", subproject) > inheritfile;
-
- printf("};\n\n") > avpermfile;
- printf("#define AV_PERM_TO_STRING_SIZE (sizeof(av_perm_to_string)/sizeof(av_perm_to_string_t))\n\n") > avpermfile;
- printf("\n/* %s */\n", subproject) > avpermfile;
}'
# FLASK
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/mkflask.sh#3 (text+ko) ====
@@ -23,15 +23,12 @@
printf("/* This file is automatically generated. Do not edit. */\n") > outfile;
- printf("#ifndef _LINUX_FLASK_H_\n") > outfile;
- printf("#define _LINUX_FLASK_H_\n") > outfile;
- printf("\n#include <security/sebsd/flask_types.h>\n") > outfile;
-
+ printf("#ifndef _SELINUX_FLASK_H_\n") > outfile;
+ printf("#define _SELINUX_FLASK_H_\n") > outfile;
printf("\n/*\n * Security object class definitions\n */\n") > outfile;
printf("/* This file is automatically generated. Do not edit. */\n") > debugfile;
printf("/*\n * Security object class definitions\n */\n") > debugfile;
- printf("static char *class_to_string[] =\n{\n") > debugfile;
- printf(" \"null\",\n") > debugfile;
+ printf(" S_(\"null\")\n") > debugfile;
printf("/* This file is automatically generated. Do not edit. */\n") > debugfile2;
printf("static char *initial_sid_to_string[] =\n{\n") > debugfile2;
printf(" \"null\",\n") > debugfile2;
@@ -60,13 +57,12 @@
printf(" ") > outfile;
printf("%d\n", class_value) > outfile;
- printf(" \"%s\",\n", $2) > debugfile;
+ printf(" S_(\"%s\")\n", $2) > debugfile;
}
$1 == "sid" {
if (nextstate == "CLASS")
{
nextstate = "SID";
- printf("};\n\n") > debugfile;
printf("\n/*\n * Security identifier indices for initial entities\n */\n") > outfile;
}