PERFORCE change 108428 for review
Todd Miller
millert at FreeBSD.org
Wed Oct 25 13:56:03 PDT 2006
http://perforce.freebsd.org/chv.cgi?CH=108428
Change 108428 by millert at millert_macbook on 2006/10/25 20:46:23
Update to libsepol-1.14 from the NSA web site.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/ChangeLog#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/VERSION#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/include/sepol/policydb/policydb.h#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/src/expand.c#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/src/link.c#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/src/policydb.c#4 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/ChangeLog#4 (text+ko) ====
@@ -1,3 +1,13 @@
+1.14 2006-10-17
+ * Updated version for release.
+
+1.12.28 2006-09-28
+ * Build libsepol's static object files with -fpic
+
+1.12.27 2006-09-28
+ * Merged mls user and range_transition support in modules
+ from Darrel Goeddel
+
1.12.26 2006-09-05
* Merged range transition enhancements and user format changes
Darrel Goeddel
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/VERSION#4 (text+ko) ====
@@ -1,1 +1,1 @@
-1.12.26
+1.14
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/include/sepol/policydb/policydb.h#4 (text+ko) ====
@@ -532,6 +532,10 @@
extern void type_datum_destroy(type_datum_t * x);
extern void user_datum_init(user_datum_t * x);
extern void user_datum_destroy(user_datum_t * x);
+extern void level_datum_init(level_datum_t * x);
+extern void level_datum_destroy(level_datum_t * x);
+extern void cat_datum_init(cat_datum_t * x);
+extern void cat_datum_destroy(cat_datum_t * x);
extern int check_assertions(sepol_handle_t * handle,
policydb_t * p, avrule_t * avrules);
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/src/expand.c#4 (text+ko) ====
@@ -823,13 +823,17 @@
if (state->verbose)
INFO(state->handle, "copying sensitivity level %s", id);
- if ((new_level =
- (level_datum_t *) calloc(1, sizeof(*new_level))) == NULL
- || (new_level->level =
- (mls_level_t *) calloc(1, sizeof(mls_level_t))) == NULL
- || (new_id = strdup(id)) == NULL) {
+ new_level = (level_datum_t *) malloc(sizeof(level_datum_t));
+ if (!new_level)
+ goto out_of_mem;
+ level_datum_init(new_level);
+ new_level->level = (mls_level_t *) malloc(sizeof(mls_level_t));
+ if (!new_level->level)
+ goto out_of_mem;
+ mls_level_init(new_level->level);
+ new_id = strdup(id);
+ if (!new_id)
goto out_of_mem;
- }
if (mls_level_cpy(new_level->level, level->level)) {
goto out_of_mem;
@@ -847,9 +851,10 @@
out_of_mem:
ERR(state->handle, "Out of memory!");
if (new_level != NULL && new_level->level != NULL) {
- ebitmap_destroy(&new_level->level->cat);
+ mls_level_destroy(new_level->level);
free(new_level->level);
}
+ level_datum_destroy(new_level);
free(new_level);
free(new_id);
return -1;
@@ -870,10 +875,13 @@
if (state->verbose)
INFO(state->handle, "copying category attribute %s", id);
- if ((new_cat = (cat_datum_t *) calloc(1, sizeof(*new_cat))) == NULL ||
- (new_id = strdup(id)) == NULL) {
+ new_cat = (cat_datum_t *) malloc(sizeof(cat_datum_t));
+ if (!new_cat)
+ goto out_of_mem;
+ cat_datum_init(new_cat);
+ new_id = strdup(id);
+ if (!new_id)
goto out_of_mem;
- }
new_cat->s.value = cat->s.value;
new_cat->isalias = cat->isalias;
@@ -887,6 +895,7 @@
out_of_mem:
ERR(state->handle, "Out of memory!");
+ cat_datum_destroy(new_cat);
free(new_cat);
free(new_id);
return -1;
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/src/link.c#4 (text+ko) ====
@@ -468,25 +468,8 @@
char *id = key, *new_id = NULL;
user_datum_t *user, *base_user, *new_user = NULL;
link_state_t *state = (link_state_t *) data;
- scope_datum_t *scope;
user = (user_datum_t *) datum;
- if (state->base->mls) {
- scope =
- hashtab_search(state->cur->policy->p_users_scope.table, id);
- if (!scope) {
- ERR(state->handle,
- "No scope information for user %s in module %s\n",
- id, state->cur_mod_name);
- return -1;
- }
- if (scope->scope == SCOPE_DECL) {
- ERR(state->handle,
- "Users cannot be declared in MLS modules");
- return -1;
- }
- /* required users fall through */
- }
base_user = hashtab_search(state->base->p_users.table, id);
if (base_user == NULL) {
@@ -502,9 +485,8 @@
goto cleanup;
}
user_datum_init(new_user);
- /* new_users's roles field will be copied during
- fix_user_callback(). the MLS fields are currently
- unimplemented */
+ /* new_users's roles and MLS fields will be copied during
+ user_fix_callback(). */
new_user->s.value = state->base->p_users.nprim + 1;
@@ -592,10 +574,72 @@
return -1;
}
+static int sens_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
+ void *data)
+{
+ char *id = key;
+ level_datum_t *level, *base_level;
+ link_state_t *state = (link_state_t *) data;
+ scope_datum_t *scope;
+
+ level = (level_datum_t *) datum;
+
+ base_level = hashtab_search(state->base->p_levels.table, id);
+ if (!base_level) {
+ scope =
+ hashtab_search(state->cur->policy->p_sens_scope.table, id);
+ if (!scope)
+ return -SEPOL_LINK_ERROR;
+ if (scope->scope == SCOPE_DECL) {
+ /* disallow declarations in modules */
+ ERR(state->handle,
+ "%s: Modules may not declare new sensitivities.",
+ state->cur_mod_name);
+ return -SEPOL_LINK_NOTSUP;
+ }
+ }
+
+ state->cur->map[SYM_LEVELS][level->level->sens - 1] =
+ base_level->level->sens;
+
+ return 0;
+}
+
+static int cat_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
+ void *data)
+{
+ char *id = key;
+ cat_datum_t *cat, *base_cat;
+ link_state_t *state = (link_state_t *) data;
+ scope_datum_t *scope;
+
+ cat = (cat_datum_t *) datum;
+
+ base_cat = hashtab_search(state->base->p_cats.table, id);
+ if (!base_cat) {
+ scope =
+ hashtab_search(state->cur->policy->p_cat_scope.table, id);
+ if (!scope)
+ return -SEPOL_LINK_ERROR;
+ if (scope->scope == SCOPE_DECL) {
+ /* disallow declarations in modules */
+ ERR(state->handle,
+ "%s: Modules may not declare new categories.",
+ state->cur_mod_name);
+ return -SEPOL_LINK_NOTSUP;
+ }
+ }
+
+ state->cur->map[SYM_CATS][cat->s.value - 1] = base_cat->s.value;
+
+ return 0;
+}
+
static int (*copy_callback_f[SYM_NUM]) (hashtab_key_t key,
hashtab_datum_t datum, void *datap) = {
NULL, class_copy_callback, role_copy_callback, type_copy_callback,
- user_copy_callback, bool_copy_callback, NULL, NULL};
+ user_copy_callback, bool_copy_callback, sens_copy_callback,
+ cat_copy_callback};
/* The aliases have to be copied after the types and attributes to be
* certain that the base symbol table will have the type that the
@@ -783,6 +827,43 @@
return -1;
}
+static int mls_level_convert(mls_semantic_level_t * src,
+ mls_semantic_level_t * dst, policy_module_t * mod)
+{
+ mls_semantic_cat_t *src_cat, *new_cat;
+
+ assert(mod->map[SYM_LEVELS][src->sens - 1]);
+ dst->sens = mod->map[SYM_LEVELS][src->sens - 1];
+
+ for (src_cat = src->cat; src_cat; src_cat = src_cat->next) {
+ new_cat =
+ (mls_semantic_cat_t *) malloc(sizeof(mls_semantic_cat_t));
+ if (!new_cat)
+ return -1;
+ mls_semantic_cat_init(new_cat);
+
+ new_cat->next = dst->cat;
+ dst->cat = new_cat;
+
+ assert(mod->map[SYM_CATS][src_cat->low - 1]);
+ dst->cat->low = mod->map[SYM_CATS][src_cat->low - 1];
+ assert(mod->map[SYM_CATS][src_cat->high - 1]);
+ dst->cat->high = mod->map[SYM_CATS][src_cat->high - 1];
+ }
+
+ return 0;
+}
+
+static int mls_range_convert(mls_semantic_range_t * src,
+ mls_semantic_range_t * dst, policy_module_t * mod)
+{
+ if (mls_level_convert(&src->level[0], &dst->level[0], mod))
+ return -1;
+ if (mls_level_convert(&src->level[1], &dst->level[1], mod))
+ return -1;
+ return 0;
+}
+
static int role_fix_callback(hashtab_key_t key, hashtab_datum_t datum,
void *data)
{
@@ -893,13 +974,16 @@
user_datum_t *user, *new_user = NULL;
link_state_t *state = (link_state_t *) data;
policy_module_t *mod = state->cur;
+ symtab_t *usertab;
user = (user_datum_t *) datum;
if (state->dest_decl == NULL)
- return 0;
+ usertab = &state->base->p_users;
+ else
+ usertab = &state->dest_decl->p_users;
- new_user = hashtab_search(state->dest_decl->p_users.table, id);
+ new_user = hashtab_search(usertab->table, id);
assert(new_user != NULL);
if (state->verbose) {
@@ -910,6 +994,12 @@
goto cleanup;
}
+ if (mls_range_convert(&user->range, &new_user->range, mod))
+ goto cleanup;
+
+ if (mls_level_convert(&user->dfltlevel, &new_user->dfltlevel, mod))
+ goto cleanup;
+
return 0;
cleanup:
@@ -1096,6 +1186,55 @@
return -1;
}
+static int copy_range_trans_list(range_trans_rule_t * rules,
+ range_trans_rule_t ** dst,
+ policy_module_t * mod, link_state_t * state)
+{
+ range_trans_rule_t *rule, *new_rule = NULL;
+ unsigned int i;
+ ebitmap_node_t *cnode;
+
+ for (rule = rules; rule; rule = rule->next) {
+ new_rule =
+ (range_trans_rule_t *) malloc(sizeof(range_trans_rule_t));
+ if (!new_rule)
+ goto cleanup;
+
+ range_trans_rule_init(new_rule);
+
+ new_rule->next = *dst;
+ *dst = new_rule;
+
+ if (type_set_convert(&rule->stypes, &new_rule->stypes,
+ mod, state))
+ goto cleanup;
+
+ if (type_set_convert(&rule->ttypes, &new_rule->ttypes,
+ mod, state))
+ goto cleanup;
+
+ ebitmap_for_each_bit(&rule->tclasses, cnode, i) {
+ if (ebitmap_node_get_bit(cnode, i)) {
+ assert(mod->map[SYM_CLASSES][i]);
+ if (ebitmap_set_bit
+ (&new_rule->tclasses,
+ mod->map[SYM_CLASSES][i] - 1, 1)) {
+ goto cleanup;
+ }
+ }
+ }
+
+ if (mls_range_convert(&rule->trange, &new_rule->trange, mod))
+ goto cleanup;
+ }
+ return 0;
+
+ cleanup:
+ ERR(state->handle, "Out of memory!");
+ range_trans_rule_list_destroy(new_rule);
+ return -1;
+}
+
static int copy_cond_list(cond_node_t * list, cond_node_t ** dst,
policy_module_t * module, link_state_t * state)
{
@@ -1278,6 +1417,10 @@
return -1;
}
+ if (copy_range_trans_list(src_decl->range_tr_rules,
+ &dest_decl->range_tr_rules, module, state))
+ return -1;
+
/* finally copy any identifiers local to this declaration */
ret = copy_identifiers(state, src_decl->symtab, dest_decl);
if (ret < 0) {
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/src/policydb.c#4 (text+ko) ====
@@ -252,6 +252,29 @@
}
}
+void level_datum_init(level_datum_t * x)
+{
+ memset(x, 0, sizeof(level_datum_t));
+}
+
+void level_datum_destroy(level_datum_t * x __attribute__ ((unused)))
+{
+ /* the mls_level_t referenced by the level_datum is managed
+ * separately for now, so there is nothing to destroy */
+ return;
+}
+
+void cat_datum_init(cat_datum_t * x)
+{
+ memset(x, 0, sizeof(cat_datum_t));
+}
+
+void cat_datum_destroy(cat_datum_t * x __attribute__ ((unused)))
+{
+ /* it's currently a simple struct - really nothing to destroy */
+ return;
+}
+
void class_perm_node_init(class_perm_node_t * x)
{
memset(x, 0, sizeof(class_perm_node_t));
@@ -502,7 +525,11 @@
return -1;
}
- if (p->policy_type != POLICY_KERN) {
+ /* we do not expand user's MLS info in kernel policies because the
+ * semantic representation is not present and we do not expand user's
+ * MLS info in module policies because all of the necessary mls
+ * information is not present */
+ if (p->policy_type != POLICY_KERN && p->policy_type != POLICY_MOD) {
mls_range_destroy(&user->exp_range);
if (mls_semantic_range_expand(&user->range,
&user->exp_range, p, NULL)) {
@@ -907,9 +934,10 @@
if (key)
free(key);
levdatum = (level_datum_t *) datum;
- ebitmap_destroy(&levdatum->level->cat);
+ mls_level_destroy(levdatum->level);
free(levdatum->level);
- free(datum);
+ level_datum_destroy(levdatum);
+ free(levdatum);
return 0;
}
@@ -918,6 +946,7 @@
{
if (key)
free(key);
+ cat_datum_destroy((cat_datum_t *) datum);
free(datum);
return 0;
}
@@ -2199,7 +2228,7 @@
{
uint32_t *buf;
- memset(lp, 0, sizeof(mls_level_t));
+ mls_level_init(lp);
buf = next_entry(fp, sizeof(uint32_t));
if (!buf) {
@@ -2305,9 +2334,10 @@
level_datum_t *levdatum;
uint32_t *buf, len;
- levdatum = calloc(1, sizeof(level_datum_t));
+ levdatum = malloc(sizeof(level_datum_t));
if (!levdatum)
return -1;
+ level_datum_init(levdatum);
buf = next_entry(fp, (sizeof(uint32_t) * 2));
if (!buf)
@@ -2347,9 +2377,10 @@
cat_datum_t *catdatum;
uint32_t *buf, len;
- catdatum = calloc(1, sizeof(cat_datum_t));
+ catdatum = malloc(sizeof(cat_datum_t));
if (!catdatum)
return -1;
+ cat_datum_init(catdatum);
buf = next_entry(fp, (sizeof(uint32_t) * 3));
if (!buf)
More information about the trustedbsd-cvs
mailing list