PERFORCE change 108424 for review
Todd Miller
millert at FreeBSD.org
Wed Oct 25 13:47:24 PDT 2006
http://perforce.freebsd.org/chv.cgi?CH=108424
Change 108424 by millert at millert_macbook on 2006/10/25 20:39:01
Update to checkpolicy-1.32 from the NSA web site.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/ChangeLog#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/Makefile#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/VERSION#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/module_compiler.c#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/module_compiler.h#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/policy_parse.y#4 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/ChangeLog#4 (text+ko) ====
@@ -1,3 +1,10 @@
+1.32 2006-10-17
+ * Updated version for release.
+
+1.30.12 2006-09-28
+ * Merged user and range_transition support for modules from
+ Darrel Goeddel
+
1.30.11 2006-09-05
* merged range_transition enhancements and user module format
changes from Darrel Goeddel
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/Makefile#3 (text+ko) ====
@@ -11,6 +11,8 @@
all: $(PROG)
+GENERATED=lex.yy.c y.tab.c y.tab.h
+
$(PROG): $(OBJS)
$(CC) $(CFLAGS) -o $@ $^ $(LDADD)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/VERSION#4 (text+ko) ====
@@ -1,1 +1,1 @@
-1.30.11
+1.32
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/module_compiler.c#4 (text+ko) ====
@@ -937,6 +937,122 @@
}
}
+int require_sens(int pass)
+{
+ char *id = queue_remove(id_queue);
+ level_datum_t *level = NULL;
+ int retval;
+ if (pass == 2) {
+ free(id);
+ return 0;
+ }
+ if (!id) {
+ yyerror("no sensitivity name");
+ return -1;
+ }
+ level = malloc(sizeof(level_datum_t));
+ if (!level) {
+ free(id);
+ yyerror("Out of memory!");
+ return -1;
+ }
+ level_datum_init(level);
+ level->level = malloc(sizeof(mls_level_t));
+ if (!level->level) {
+ free(id);
+ level_datum_destroy(level);
+ free(level);
+ yyerror("Out of memory!");
+ return -1;
+ }
+ mls_level_init(level->level);
+ retval = require_symbol(SYM_LEVELS, id, (hashtab_datum_t *) level,
+ &level->level->sens, &level->level->sens);
+ if (retval != 0) {
+ free(id);
+ mls_level_destroy(level->level);
+ free(level->level);
+ level_datum_destroy(level);
+ free(level);
+ }
+ switch (retval) {
+ case -3:{
+ yyerror("Out of memory!");
+ return -1;
+ }
+ case -2:{
+ yyerror("duplicate declaration of sensitivity");
+ return -1;
+ }
+ case -1:{
+ yyerror("could not require sensitivity here");
+ return -1;
+ }
+ case 0:{
+ return 0;
+ }
+ case 1:{
+ return 0; /* sensitivity already required */
+ }
+ default:{
+ assert(0); /* should never get here */
+ }
+ }
+}
+
+int require_cat(int pass)
+{
+ char *id = queue_remove(id_queue);
+ cat_datum_t *cat = NULL;
+ int retval;
+ if (pass == 2) {
+ free(id);
+ return 0;
+ }
+ if (!id) {
+ yyerror("no category name");
+ return -1;
+ }
+ cat = malloc(sizeof(cat_datum_t));
+ if (!cat) {
+ free(id);
+ yyerror("Out of memory!");
+ return -1;
+ }
+ cat_datum_init(cat);
+
+ retval = require_symbol(SYM_CATS, id, (hashtab_datum_t *) cat,
+ &cat->s.value, &cat->s.value);
+ if (retval != 0) {
+ free(id);
+ cat_datum_destroy(cat);
+ free(cat);
+ }
+ switch (retval) {
+ case -3:{
+ yyerror("Out of memory!");
+ return -1;
+ }
+ case -2:{
+ yyerror("duplicate declaration of category");
+ return -1;
+ }
+ case -1:{
+ yyerror("could not require category here");
+ return -1;
+ }
+ case 0:{
+ return 0;
+ }
+ case 1:{
+ return 0; /* category already required */
+ }
+ default:{
+ assert(0); /* should never get here */
+ }
+ }
+}
+
static int is_scope_in_stack(scope_datum_t * scope, scope_stack_t * stack)
{
int i;
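Review bot: The `default:` branch of the switch in require_sens ends with `assert(0)` and no return, so with NDEBUG defined control falls off the end of a non-void function and the parser's `if ($<require_func>0 (pass)) return -1;` tests an indeterminate value; require_cat has the same shape at its own `default:`. A `return -1;` after the assert, `default: assert(0); return -1;`, keeps both functions well-defined in release builds and silences the missing-return warning. Neither function consults mlspol, unlike the user guard this change removes in policy_parse.y, so whether a `require` of a sensitivity or category in a non-MLS policy is rejected elsewhere is not visible here and worth confirming. is_scope_in_stack at the end of the hunk continues outside it.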
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/module_compiler.h#4 (text+ko) ====
@@ -56,6 +56,8 @@
int require_attribute(int pass);
int require_user(int pass);
int require_bool(int pass);
+int require_sens(int pass);
+int require_cat(int pass);
/* Check if an identifier is within the scope of the current
* declaration or any of its parents. Return 1 if it is, 0 if not.
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/policy_parse.y#4 (text+ko) ====
@@ -834,10 +834,8 @@
| ATTRIBUTE { $$ = require_attribute; }
| USER { $$ = require_user; }
| BOOL { $$ = require_bool; }
-/* MLS-enabled modules are not implemented at this time.
| SENSITIVITY { $$ = require_sens; }
| CATEGORY { $$ = require_cat; }
-*/
;
require_id_list : identifier
{ if ($<require_func>0 (pass)) return -1; }
@@ -1301,7 +1299,7 @@
yyerror("out of memory");
goto bad;
}
- memset(level, 0, sizeof(mls_level_t));
+ mls_level_init(level);
level->sens = 0; /* actual value set in define_dominance */
ebitmap_init(&level->cat); /* actual value set in define_level */
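Review bot: After the new `mls_level_init(level);` the two lines that follow, `level->sens = 0;` and `ebitmap_init(&level->cat);`, presumably repeat what the initializer already does; if mls_level_init zeroes the struct and initializes the category bitmap, they can be dropped and their "actual value set in ..." comments moved onto the init call, otherwise a comment saying why both are needed would stop the next reader from removing them. The enclosing function starts and ends outside the hunk.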
@@ -1310,7 +1308,7 @@
yyerror("out of memory");
goto bad;
}
- memset(datum, 0, sizeof(level_datum_t));
+ level_datum_init(datum);
datum->isalias = FALSE;
datum->level = level;
@@ -1347,7 +1345,7 @@
yyerror("out of memory");
goto bad_alias;
}
- memset(aliasdatum, 0, sizeof(level_datum_t));
+ level_datum_init(aliasdatum);
aliasdatum->isalias = TRUE;
aliasdatum->level = level;
@@ -1384,15 +1382,19 @@
free(id);
if (level)
free(level);
- if (datum)
+ if (datum) {
+ level_datum_destroy(datum);
free(datum);
+ }
return -1;
bad_alias:
if (id)
free(id);
- if (aliasdatum)
+ if (aliasdatum) {
+ level_datum_destroy(aliasdatum);
free(aliasdatum);
+ }
return -1;
}
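Review bot: In the `bad:` path `free(level)` runs immediately before the new `level_datum_destroy(datum)`, and this function assigns `datum->level = level` earlier; if level_datum_destroy releases datum->level, that is a double free, and nothing in the hunk shows which way the destructor behaves. An ordering that is correct either way detaches first, `if (datum) { datum->level = NULL; level_datum_destroy(datum); free(datum); }`, with the separate `free(level)` kept, provided the destructor tolerates a NULL level. The same question applies to `bad_alias:`, where aliasdatum->level points at a level owned by the datum already entered in the symbol table, so destroying through the alias could tear down live state. The enclosing function starts outside the hunk.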
@@ -1480,7 +1482,7 @@
yyerror("out of memory");
goto bad;
}
- memset(datum, 0, sizeof(cat_datum_t));
+ cat_datum_init(datum);
datum->isalias = FALSE;
ret = declare_symbol(SYM_CATS, id, datum, &value, &value);
@@ -1517,7 +1519,7 @@
yyerror("out of memory");
goto bad_alias;
}
- memset(aliasdatum, 0, sizeof(cat_datum_t));
+ cat_datum_init(aliasdatum);
aliasdatum->isalias = TRUE;
aliasdatum->s.value = datum->s.value;
@@ -1554,15 +1556,19 @@
bad:
if (id)
free(id);
- if (datum)
+ if (datum) {
+ cat_datum_destroy(datum);
free(datum);
+ }
return -1;
bad_alias:
if (id)
free(id);
- if (aliasdatum)
+ if (aliasdatum) {
+ cat_datum_destroy(aliasdatum);
free(aliasdatum);
+ }
return -1;
}
@@ -3682,11 +3688,6 @@
level_datum_t *levdatum;
int l;
- if (policydbp->policy_type == POLICY_MOD && mlspol) {
- yyerror("Users cannot be declared in MLS modules");
- return -1;
- }
-
if (pass == 1) {
while ((id = queue_remove(id_queue)))
free(id);