PERFORCE change 105786 for review
Todd Miller
millert at FreeBSD.org
Thu Sep 7 14:02:40 UTC 2006
http://perforce.freebsd.org/chv.cgi?CH=105786
Change 105786 by millert at millert_g5tower on 2006/09/07 13:44:32
Update to libsepol_1_12_26 from sourceforge svn
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/ChangeLog#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/VERSION#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/include/sepol/policydb/avtab.h#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/include/sepol/policydb/context.h#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/include/sepol/policydb/expand.h#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/include/sepol/policydb/mls_types.h#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/include/sepol/policydb/policydb.h#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/src/avrule_block.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/src/expand.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/src/link.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/src/mls.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/src/policydb.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/src/users.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/src/write.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/Makefile#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/debug.c#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/debug.h#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/helpers.c#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/helpers.h#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/libsepol-tests.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/policies/refpolicy-base.conf#2 delete
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/policies/support/misc_macros.spt#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/policies/test-cond/refpolicy-base.conf#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/policies/test-deps/base-metreq.conf#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/policies/test-deps/base-notmetreq.conf#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/policies/test-deps/modreq-attr-global.conf#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/policies/test-deps/modreq-attr-opt.conf#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/policies/test-deps/modreq-bool-global.conf#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/policies/test-deps/modreq-bool-opt.conf#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/policies/test-deps/modreq-obj-global.conf#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/policies/test-deps/modreq-obj-opt.conf#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/policies/test-deps/modreq-perm-global.conf#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/policies/test-deps/modreq-perm-opt.conf#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/policies/test-deps/modreq-role-global.conf#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/policies/test-deps/modreq-role-opt.conf#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/policies/test-deps/modreq-type-global.conf#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/policies/test-deps/modreq-type-opt.conf#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/policies/test-deps/module.conf#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/policies/test-deps/small-base.conf#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/policies/test-expander/alias-base.conf#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/policies/test-expander/alias-module.conf#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/policies/test-expander/base-base-only.conf#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/policies/test-expander/module.conf#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/policies/test-expander/role-base.conf#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/policies/test-expander/role-module.conf#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/policies/test-expander/small-base.conf#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/policies/test-expander/user-base.conf#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/policies/test-expander/user-module.conf#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/policies/test-hooks/cmp_policy.conf#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/policies/test-hooks/module_add_role_allow_trans.conf#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/policies/test-hooks/module_add_symbols.conf#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/policies/test-hooks/small-base.conf#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/policies/test-linker/module1.conf#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/policies/test-linker/module2.conf#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/policies/test-linker/small-base.conf#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/test-common.c#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/test-common.h#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/test-cond.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/test-deps.c#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/test-deps.h#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/test-expander-attr-map.c#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/test-expander-attr-map.h#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/test-expander-roles.c#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/test-expander-roles.h#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/test-expander-users.c#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/test-expander-users.h#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/test-expander.c#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/test-expander.h#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/test-linker-cond-map.c#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/test-linker-cond-map.h#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/test-linker-roles.c#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/test-linker-roles.h#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/test-linker-types.c#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/test-linker-types.h#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/test-linker.c#1 add
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/tests/test-linker.h#1 add
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/ChangeLog#3 (text+ko) ====
@@ -1,3 +1,14 @@
+1.12.26 2006-09-05
+ * Merged range transition enhancements and user format changes
+ Darrel Goeddel
+
+1.12.25 2006-08-24
+ * Merged conditionally expand neverallows patch from Jeremy Mowery.
+ * Merged refactor expander patch from Jeremy Mowery.
+
+1.12.24 2006-08-03
+ * Merged libsepol unit tests from Joshua Brindle.
+
1.12.23 2006-08-03
* Merged symtab datum patch from Karl MacMillan.
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/VERSION#3 (text+ko) ====
@@ -1,1 +1,1 @@
-1.12.23
+1.12.26
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/include/sepol/policydb/avtab.h#3 (text+ko) ====
@@ -45,6 +45,7 @@
#define AVTAB_ALLOWED 1
#define AVTAB_AUDITALLOW 2
#define AVTAB_AUDITDENY 4
+#define AVTAB_NEVERALLOW 128
#define AVTAB_AV (AVTAB_ALLOWED | AVTAB_AUDITALLOW | AVTAB_AUDITDENY)
#define AVTAB_TRANSITION 16
#define AVTAB_MEMBER 32
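Review bot: AVTAB_NEVERALLOW is added without a comment, and unlike the matching AVRULE_NEVERALLOW in policydb.h (which this same change folds into AVRULE_AV) it is left out of AVTAB_AV, so a reader cannot tell whether the omission is intentional. Suggest `#define AVTAB_NEVERALLOW 128 /* in-memory only; not part of AVTAB_AV, the policydb is flagged unsupported_format once such entries exist */`, which records what the expander in this change actually does when it creates these entries.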
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/include/sepol/policydb/context.h#3 (text+ko) ====
@@ -36,8 +36,7 @@
static inline void mls_context_init(context_struct_t * c)
{
- mls_level_init(&c->range.level[0]);
- mls_level_init(&c->range.level[1]);
+ mls_range_init(&c->range);
}
static inline int mls_context_cpy(context_struct_t * dst,
@@ -62,8 +61,7 @@
if (c == NULL)
return;
- mls_level_destroy(&c->range.level[0]);
- mls_level_destroy(&c->range.level[1]);
+ mls_range_destroy(&c->range);
mls_context_init(c);
}
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/include/sepol/policydb/expand.h#3 (text+ko) ====
@@ -29,6 +29,24 @@
#include <sepol/handle.h>
#include <sepol/policydb/conditional.h>
+/*
+ * Expand only the avrules for a module. It is valid for this function to
+ * expand base into itself (i.e. base == out); the typemap for this special
+ * case should map type[i] to i+1. This function optionally expands neverallow
+ * rules. If neverallow rules are expanded, there is no need to copy them and
+ * doing so could cause duplicate entries when base == out. If the neverallow
+ * rules are not expanded, they are just copied to the destination policy so
+ * that assertion checking can be performed after expand. No assertion or
+ * hierarchy checking is performed by this function.
+ */
+extern int expand_module_avrules(sepol_handle_t * handle, policydb_t * base,
+ policydb_t * out, uint32_t * typemap,
+ int verbose, int expand_neverallow);
+/*
+ * Expand all parts of a module. Neverallow rules are not expanded (only
+ * copied). It is not valid to expand base into itself. If check is non-zero,
+ * performs hierarchy and assertion checking.
+ */
extern int expand_module(sepol_handle_t * handle,
policydb_t * base, policydb_t * out,
int verbose, int check);
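Review bot: The new comment on expand_module_avrules does not give its return convention; the implementation in expand.c returns the 0 / -1 result of copy_and_expand_avrule_block, so add `Returns 0 on success and -1 on error; diagnostics are reported through handle.` The older expand_module comment just below is also silent on its return value and would benefit from the same sentence.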
@@ -40,6 +58,10 @@
extern int type_set_expand(type_set_t * set, ebitmap_t * t, policydb_t * p,
unsigned char alwaysexpand);
extern int role_set_expand(role_set_t * x, ebitmap_t * r, policydb_t * p);
+extern int mls_semantic_level_expand(mls_semantic_level_t *sl, mls_level_t *l,
+ policydb_t *p, sepol_handle_t *h);
+extern int mls_semantic_range_expand(mls_semantic_range_t *sr, mls_range_t *r,
+ policydb_t *p, sepol_handle_t *h);
extern int expand_rule(sepol_handle_t * handle,
policydb_t * source_pol,
avrule_t * source_rule, avtab_t * dest_avtab,
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/include/sepol/policydb/mls_types.h#3 (text+ko) ====
@@ -32,6 +32,7 @@
#define _SEPOL_POLICYDB_MLS_TYPES_H_
#include <stdint.h>
+#include <stdlib.h>
#include <sepol/policydb/ebitmap.h>
#include <sepol/policydb/flask_types.h>
@@ -107,4 +108,46 @@
return -1;
}
+static inline void mls_range_init(struct mls_range *r)
+{
+ mls_level_init(&r->level[0]);
+ mls_level_init(&r->level[1]);
+}
+
+static inline void mls_range_destroy(struct mls_range *r)
+{
+ mls_level_destroy(&r->level[0]);
+ mls_level_destroy(&r->level[1]);
+}
+
+static inline int mls_range_eq(struct mls_range *r1, struct mls_range *r2)
+{
+ return (mls_level_eq(&r1->level[0], &r2->level[0]) &&
+ mls_level_eq(&r1->level[1], &r2->level[1]));
+}
+
+typedef struct mls_semantic_cat {
+ uint32_t low; /* first bit this struct represents */
+ uint32_t high; /* last bit represented - equals low for a single cat */
+ struct mls_semantic_cat *next;
+} mls_semantic_cat_t;
+
+typedef struct mls_semantic_level {
+ uint32_t sens;
+ mls_semantic_cat_t *cat;
+} mls_semantic_level_t;
+
+typedef struct mls_semantic_range {
+ mls_semantic_level_t level[2];
+} mls_semantic_range_t;
+
+extern void mls_semantic_cat_init(mls_semantic_cat_t *c);
+extern void mls_semantic_cat_destroy(mls_semantic_cat_t *c);
+extern void mls_semantic_level_init(mls_semantic_level_t *l);
+extern void mls_semantic_level_destroy(mls_semantic_level_t *l);
+extern int mls_semantic_level_cpy(mls_semantic_level_t *dst, mls_semantic_level_t *src);
+extern void mls_semantic_range_init(mls_semantic_range_t *r);
+extern void mls_semantic_range_destroy(mls_semantic_range_t *r);
+extern int mls_semantic_range_cpy(mls_semantic_range_t *dst, mls_semantic_range_t *src);
+
#endif
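Review bot: The comments on mls_semantic_cat describe low and high as bit positions, but the expander in this change indexes `p_cat_val_to_name[cat->low - 1]` and iterates `for (i = cat->low - 1; i < cat->high; i++)`, so both fields hold 1-based category values rather than bit indices. Suggest `uint32_t low; /* first category value (1-based) in this run */` and `uint32_t high; /* last category value (1-based); equals low for a single cat */`. mls_range_eq only reads through its two pointers and could take `const struct mls_range *`, assuming mls_level_eq accepts const operands.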
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/include/sepol/policydb/policydb.h#3 (text+ko) ====
@@ -65,6 +65,10 @@
#define ERRMSG_LEN 1024
+#define POLICYDB_SUCCESS 0
+#define POLICYDB_ERROR -1
+#define POLICYDB_UNSUPPORTED -2
+
/*
* A datum type is defined for each kind of symbol
* in the configuration data: individual permissions,
@@ -145,9 +149,11 @@
typedef struct user_datum {
symtab_datum_t s;
role_set_t roles; /* set of authorized roles for user */
- mls_range_t range; /* MLS range (min. - max.) for user */
- mls_level_t dfltlevel; /* default login MLS level for user */
+ mls_semantic_range_t range; /* MLS range (min. - max.) for user */
+ mls_semantic_level_t dfltlevel; /* default login MLS level for user */
ebitmap_t cache; /* This is an expanded set used for context validation during parsing */
+ mls_range_t exp_range; /* expanded range used for validation */
+ mls_level_t exp_dfltlevel; /* expanded range used for validation */
} user_datum_t;
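Review bot: The comment on the new exp_dfltlevel field is a copy of the one on exp_range ("expanded range used for validation") although the field is a level; change it to `mls_level_t exp_dfltlevel; /* expanded default level used for validation */`. It would also help to say that range and dfltlevel now hold the unexpanded semantic form and that exp_range / exp_dfltlevel are filled in by the expander (expand.c in this change), since both pairs sit side by side in the struct with nothing explaining the relationship.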
/* Sensitivity attributes */
@@ -164,9 +170,10 @@
} cat_datum_t;
typedef struct range_trans {
- uint32_t dom; /* current process domain */
- uint32_t type; /* program executable type */
- mls_range_t range; /* new range */
+ uint32_t source_type;
+ uint32_t target_type;
+ uint32_t target_class;
+ mls_range_t target_range;
struct range_trans *next;
} range_trans_t;
@@ -194,12 +201,12 @@
#define AVRULE_AUDITALLOW 2
#define AVRULE_AUDITDENY 4
#define AVRULE_DONTAUDIT 8
-#define AVRULE_AV (AVRULE_ALLOWED | AVRULE_AUDITALLOW | AVRULE_AUDITDENY | AVRULE_DONTAUDIT)
+#define AVRULE_NEVERALLOW 128
+#define AVRULE_AV (AVRULE_ALLOWED | AVRULE_AUDITALLOW | AVRULE_AUDITDENY | AVRULE_DONTAUDIT | AVRULE_NEVERALLOW)
#define AVRULE_TRANSITION 16
#define AVRULE_MEMBER 32
#define AVRULE_CHANGE 64
#define AVRULE_TYPE (AVRULE_TRANSITION | AVRULE_MEMBER | AVRULE_CHANGE)
-#define AVRULE_NEVERALLOW 128
uint32_t specified;
#define RULE_SELF 1
uint32_t flags;
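Review bot: Folding AVRULE_NEVERALLOW into AVRULE_AV changes the meaning of every `specified & AVRULE_AV` test in the library, not just the expander paths updated in this change; any site that uses the mask to decide a rule is an ordinary allow/audit rule will now also match neverallow rules. Those sites are outside this diff, so they cannot be checked here and deserve a grep before merge. A comment such as `/* AVRULE_AV includes NEVERALLOW; test AVRULE_NEVERALLOW first where the two must differ */` on the definition would record the intent.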
@@ -224,6 +231,14 @@
struct role_allow_rule *next;
} role_allow_rule_t;
+typedef struct range_trans_rule {
+ type_set_t stypes;
+ type_set_t ttypes;
+ ebitmap_t tclasses;
+ mls_semantic_range_t trange;
+ struct range_trans_rule *next;
+} range_trans_rule_t;
+
/*
* The configuration data includes security contexts for
* initial SIDs, unlabeled file systems, TCP and UDP port numbers,
@@ -321,6 +336,7 @@
avrule_t *avrules;
role_trans_rule_t *role_tr_rules;
role_allow_rule_t *role_allow_rules;
+ range_trans_rule_t *range_tr_rules;
scope_index_t required; /* symbols needed to activate this block */
scope_index_t declared; /* symbols declared within this block */
@@ -371,6 +387,9 @@
char *name;
char *version;
+ /* Set when the policydb is modified such that writing is unsupported */
+ int unsupported_format;
+
/* Whether this policydb is mls, should always be set */
int mls;
@@ -506,6 +525,9 @@
extern void role_allow_rule_init(role_allow_rule_t * x);
extern void role_allow_rule_destroy(role_allow_rule_t * x);
extern void role_allow_rule_list_destroy(role_allow_rule_t * x);
+extern void range_trans_rule_init(range_trans_rule_t *x);
+extern void range_trans_rule_destroy(range_trans_rule_t *x);
+extern void range_trans_rule_list_destroy(range_trans_rule_t *x);
extern void type_datum_init(type_datum_t * x);
extern void type_datum_destroy(type_datum_t * x);
extern void user_datum_init(user_datum_t * x);
@@ -555,18 +577,21 @@
#define POLICYDB_VERSION_VALIDATETRANS 19
#define POLICYDB_VERSION_MLS 19
#define POLICYDB_VERSION_AVTAB 20
+#define POLICYDB_VERSION_RANGETRANS 21
/* Range of policy versions we understand*/
#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
-#define POLICYDB_VERSION_MAX POLICYDB_VERSION_AVTAB
+#define POLICYDB_VERSION_MAX POLICYDB_VERSION_RANGETRANS
/* Module versions and specific changes*/
#define MOD_POLICYDB_VERSION_BASE 4
#define MOD_POLICYDB_VERSION_VALIDATETRANS 5
#define MOD_POLICYDB_VERSION_MLS 5
+#define MOD_POLICYDB_VERSION_RANGETRANS 6
+#define MOD_POLICYDB_VERSION_MLS_USERS 6
#define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE
-#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_MLS
+#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_MLS_USERS
#define POLICYDB_CONFIG_MLS 1
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/src/avrule_block.c#3 (text+ko) ====
@@ -99,6 +99,7 @@
avrule_list_destroy(x->avrules);
role_trans_rule_list_destroy(x->role_tr_rules);
role_allow_rule_list_destroy(x->role_allow_rules);
+ range_trans_rule_list_destroy(x->range_tr_rules);
scope_index_destroy(&x->required);
scope_index_destroy(&x->declared);
symtabs_destroy(x->symtab);
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsepol/src/expand.c#3 (text+ko) ====
@@ -41,8 +41,14 @@
policydb_t *base;
policydb_t *out;
sepol_handle_t *handle;
+ int expand_neverallow;
} expand_state_t;
+static void expand_state_init(expand_state_t * state)
+{
+ memset(state, 0, sizeof(expand_state_t));
+}
+
static int type_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
void *data)
{
@@ -574,12 +580,64 @@
return 0;
}
-static int mls_level_clone(mls_level_t * dst, mls_level_t * src)
+int mls_semantic_level_expand(mls_semantic_level_t * sl, mls_level_t * l,
+ policydb_t * p, sepol_handle_t * h)
+{
+ mls_semantic_cat_t *cat;
+ level_datum_t *levdatum;
+ unsigned int i;
+
+ mls_level_init(l);
+
+ if (!p->mls)
+ return 0;
+
+ l->sens = sl->sens;
+ levdatum = (level_datum_t *) hashtab_search(p->p_levels.table,
+ p->p_sens_val_to_name[l->
+ sens -
+ 1]);
+ for (cat = sl->cat; cat; cat = cat->next) {
+ if (cat->low > cat->high) {
+ ERR(h, "Category range is not valid %s.%s",
+ p->p_cat_val_to_name[cat->low - 1],
+ p->p_cat_val_to_name[cat->high - 1]);
+ return -1;
+ }
+ for (i = cat->low - 1; i < cat->high; i++) {
+ if (!ebitmap_get_bit(&levdatum->level->cat, i)) {
+ ERR(h, "Category %s can not be associate with "
+ "level %s",
+ p->p_cat_val_to_name[i],
+ p->p_sens_val_to_name[l->sens - 1]);
+ }
+ if (ebitmap_set_bit(&l->cat, i, 1)) {
+ ERR(h, "Out of memory!");
+ return -1;
+ }
+ }
+ }
+
+ return 0;
+}
+
+int mls_semantic_range_expand(mls_semantic_range_t * sr, mls_range_t * r,
+ policydb_t * p, sepol_handle_t * h)
{
- dst->sens = src->sens;
- if (ebitmap_cpy(&dst->cat, &src->cat)) {
+ if (mls_semantic_level_expand(&sr->level[0], &r->level[0], p, h) < 0)
+ return -1;
+
+ if (mls_semantic_level_expand(&sr->level[1], &r->level[1], p, h) < 0) {
+ mls_semantic_level_destroy(&sr->level[0]);
+ return -1;
+ }
+
+ if (!mls_level_dom(&r->level[1], &r->level[0])) {
+ mls_range_destroy(r);
+ ERR(h, "MLS range high level does not dominate low level");
return -1;
}
+
return 0;
}
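Review bot: In mls_semantic_level_expand the "can not be associate with level" branch only logs and then falls through to set the bit, so a category the sensitivity does not permit ends up in the expanded level and the function still returns 0; add `return -1;` after that ERR (and fix the message to "associated"). The hashtab_search result a few lines earlier is dereferenced at `levdatum->level->cat` without a NULL check, so a sensitivity with no level datum would crash; add `if (!levdatum) return -1;` before the loop. In mls_semantic_range_expand the failure path for level[1] calls mls_semantic_level_destroy on the caller-owned input sr->level[0] instead of releasing the already-expanded output, which frees the caller's data and leaks r->level[0]; it should read `mls_level_destroy(&r->level[0]);`. The other error returns in mls_semantic_level_expand leave the partially built l->cat for the caller to release, which is worth stating in a comment either way.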
@@ -634,16 +692,46 @@
return -1;
}
- /* clone MLS stuff */
- if (mls_level_clone
- (&new_user->range.level[0], &user->range.level[0]) == -1
- || mls_level_clone(&new_user->range.level[1],
- &user->range.level[1]) == -1
- || mls_level_clone(&new_user->dfltlevel,
- &user->dfltlevel) == -1) {
- ERR(state->handle, "Out of memory!");
+ /* expand the semantic MLS info */
+ if (mls_semantic_range_expand(&user->range,
+ &new_user->exp_range,
+ state->out, state->handle)) {
+ return -1;
+ }
+ if (mls_semantic_level_expand(&user->dfltlevel,
+ &new_user->exp_dfltlevel,
+ state->out, state->handle)) {
+ return -1;
+ }
+ if (!mls_level_between(&new_user->exp_dfltlevel,
+ &new_user->exp_range.level[0],
+ &new_user->exp_range.level[1])) {
+ ERR(state->handle, "default level not within user "
+ "range");
+ return -1;
+ }
+ } else {
+ /* require that the MLS info match */
+ mls_range_t tmp_range;
+ mls_level_t tmp_level;
+
+ if (mls_semantic_range_expand(&user->range, &tmp_range,
+ state->out, state->handle)) {
+ return -1;
+ }
+ if (mls_semantic_level_expand(&user->dfltlevel, &tmp_level,
+ state->out, state->handle)) {
+ mls_range_destroy(&tmp_range);
+ return -1;
+ }
+ if (!mls_range_eq(&new_user->exp_range, &tmp_range) ||
+ !mls_level_eq(&new_user->exp_dfltlevel, &tmp_level)) {
+ mls_range_destroy(&tmp_range);
+ mls_level_destroy(&tmp_level);
return -1;
}
+ mls_range_destroy(&tmp_range);
+ mls_level_destroy(&tmp_level);
}
ebitmap_init(&tmp_union);
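Review bot: In the new else branch, a mismatch between the freshly expanded MLS info and new_user->exp_range / exp_dfltlevel returns -1 without any ERR, unlike every other failure in this hunk, so a policy rejected for conflicting user MLS declarations produces no diagnostic. Add something like `ERR(state->handle, "conflicting MLS range or default level for user");` before the destroy/return lines. The enclosing function starts before and continues after this hunk.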
@@ -733,7 +821,7 @@
}
if (state->verbose)
- INFO(state->handle, "copying senitivity level %s", id);
+ INFO(state->handle, "copying sensitivity level %s", id);
if ((new_level =
(level_datum_t *) calloc(1, sizeof(*new_level))) == NULL
@@ -743,7 +831,7 @@
goto out_of_mem;
}
- if (mls_level_clone(new_level->level, level->level)) {
+ if (mls_level_cpy(new_level->level, level->level)) {
goto out_of_mem;
}
new_level->isalias = level->isalias;
@@ -958,6 +1046,131 @@
return 0;
}
+static int exp_rangetr_helper(uint32_t stype, uint32_t ttype, uint32_t tclass,
+ mls_semantic_range_t * trange,
+ expand_state_t * state)
+{
+ range_trans_t *rt, *check_rt = state->out->range_tr;
+ mls_range_t exp_range;
+ int rc = -1;
+
+ if (mls_semantic_range_expand(trange, &exp_range, state->out,
+ state->handle))
+ goto out;
+
+ /* check for duplicates/conflicts */
+ while (check_rt) {
+ if ((check_rt->source_type == stype) &&
+ (check_rt->target_type == ttype) &&
+ (check_rt->target_class == tclass)) {
+ if (mls_range_eq(&check_rt->target_range, &exp_range)) {
+ /* duplicate */
+ break;
+ } else {
+ /* conflict */
+ ERR(state->handle,
+ "Conflicting range trans rule %s %s : %s",
+ state->out->p_type_val_to_name[stype - 1],
+ state->out->p_type_val_to_name[ttype - 1],
+ state->out->p_class_val_to_name[tclass -
+ 1]);
+ goto out;
+ }
+ }
+ check_rt = check_rt->next;
+ }
+ if (check_rt) {
+ /* this is a dup - skip */
+ rc = 0;
+ goto out;
+ }
+
+ rt = (range_trans_t *) calloc(1, sizeof(range_trans_t));
+ if (!rt) {
+ ERR(state->handle, "Out of memory!");
+ goto out;
+ }
+
+ rt->next = state->out->range_tr;
+ state->out->range_tr = rt;
+
+ rt->source_type = stype;
+ rt->target_type = ttype;
+ rt->target_class = tclass;
+ if (mls_range_cpy(&rt->target_range, &exp_range)) {
+ ERR(state->handle, "Out of memory!");
+ goto out;
+ }
+
+ rc = 0;
+
+ out:
+ mls_range_destroy(&exp_range);
+ return rc;
+}
+
+static int expand_range_trans(expand_state_t * state,
+ range_trans_rule_t * rules)
+{
+ unsigned int i, j, k;
+ range_trans_rule_t *rule;
+
+ ebitmap_t stypes, ttypes;
+ ebitmap_node_t *snode, *tnode, *cnode;
+
+ if (state->verbose)
+ INFO(state->handle, "expanding range transitions");
+
+ for (rule = rules; rule; rule = rule->next) {
+ ebitmap_init(&stypes);
+ ebitmap_init(&ttypes);
+
+ /* expand the type sets */
+ if (expand_convert_type_set(state->out, state->typemap,
+ &rule->stypes, &stypes, 1)) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+ if (expand_convert_type_set(state->out, state->typemap,
+ &rule->ttypes, &ttypes, 1)) {
+ ebitmap_destroy(&stypes);
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
+
+ /* loop on source type */
+ ebitmap_for_each_bit(&stypes, snode, i) {
+ if (!ebitmap_node_get_bit(snode, i))
+ continue;
+ /* loop on target type */
+ ebitmap_for_each_bit(&ttypes, tnode, j) {
+ if (!ebitmap_node_get_bit(tnode, j))
+ continue;
+ /* loop on target class */
+ ebitmap_for_each_bit(&rule->tclasses, cnode, k) {
+ if (!ebitmap_node_get_bit(cnode, k))
+ continue;
+
+ if (exp_rangetr_helper(i + 1,
+ j + 1,
+ k + 1,
+ &rule->trange,
+ state)) {
+ ebitmap_destroy(&stypes);
+ ebitmap_destroy(&ttypes);
+ return -1;
+ }
+ }
+ }
+ }
+
+ ebitmap_destroy(&stypes);
+ ebitmap_destroy(&ttypes);
+ }
+
+ return 0;
+}
+
/* Search for an AV tab node within a hash table with the given key.
* If the node does not exist, create it and return it; otherwise
* return the pre-existing one.
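Review bot: In exp_rangetr_helper, exp_range is declared uninitialized and the failure path of mls_semantic_range_expand jumps to `out`, where mls_range_destroy(&exp_range) runs; if the level[0] expansion fails, level[1] has never been through mls_level_init, so the destroy operates on indeterminate memory. Add `mls_range_init(&exp_range);` before the expand call so every path reaches `out` with a valid range (the double destroy after a dominance failure is then harmless only if ebitmap_destroy resets the node pointer, which should be confirmed). Separately, the new node is linked into state->out->range_tr before mls_range_cpy succeeds, so an allocation failure leaves a node with an empty target_range in the list; link after the copy, or unlink on failure.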
@@ -1007,6 +1220,10 @@
return node;
}
+#define EXPAND_RULE_SUCCESS 1
+#define EXPAND_RULE_CONFLICT 0
+#define EXPAND_RULE_ERROR -1
+
static int expand_terule_helper(sepol_handle_t * handle,
policydb_t * p, uint32_t * typemap,
uint32_t specified, cond_av_list_t ** cond,
@@ -1069,7 +1286,7 @@
* or in same conditional then ignore it */
if ((conflict == 1 && cond == NULL)
|| node->parse_context == cond)
- return 1;
+ return EXPAND_RULE_SUCCESS;
ERR(handle, "duplicate TE rule for %s %s:%s %s",
p->p_type_val_to_name[avkey.source_type -
1],
@@ -1078,7 +1295,7 @@
p->p_class_val_to_name[avkey.target_class -
1],
p->p_type_val_to_name[oldtype - 1]);
- return 0;
+ return EXPAND_RULE_CONFLICT;
}
ERR(handle,
"conflicting TE rule for (%s, %s:%s): old was %s, new is %s",
@@ -1087,7 +1304,7 @@
p->p_class_val_to_name[avkey.target_class - 1],
p->p_type_val_to_name[oldtype - 1],
p->p_type_val_to_name[remapped_data - 1]);
- return 0;
+ return EXPAND_RULE_CONFLICT;
}
node = find_avtab_node(handle, avtab, &avkey, cond);
@@ -1113,7 +1330,7 @@
cur = cur->next;
}
- return 1;
+ return EXPAND_RULE_SUCCESS;
}
static int expand_avrule_helper(sepol_handle_t * handle,
@@ -1137,6 +1354,8 @@
spec = AVTAB_AUDITDENY;
} else if (specified & AVRULE_DONTAUDIT) {
spec = AVTAB_AUDITDENY;
+ } else if (specified & AVRULE_NEVERALLOW) {
+ spec = AVTAB_NEVERALLOW;
} else {
assert(0); /* unreachable */
}
@@ -1150,7 +1369,7 @@
node = find_avtab_node(handle, avtab, &avkey, cond);
if (!node)
- return -1;
+ return EXPAND_RULE_ERROR;
if (enabled) {
node->key.specified |= AVTAB_ENABLED;
} else {
@@ -1162,6 +1381,8 @@
avdatump->data |= cur->data;
} else if (specified & AVRULE_AUDITALLOW) {
avdatump->data |= cur->data;
+ } else if (specified & AVRULE_NEVERALLOW) {
+ avdatump->data |= cur->data;
} else if (specified & AVRULE_AUDITDENY) {
/* Since a '0' in an auditdeny mask represents
* a permission we do NOT want to audit
@@ -1182,7 +1403,7 @@
cur = cur->next;
}
- return 1;
+ return EXPAND_RULE_SUCCESS;
}
static int expand_rule_helper(sepol_handle_t * handle,
@@ -1207,7 +1428,8 @@
specified, cond, i, i,
source_rule->perms,
dest_avtab,
- enabled)) != 1) {
+ enabled)) !=
+ EXPAND_RULE_SUCCESS) {
return retval;
}
} else {
@@ -1219,7 +1441,8 @@
other, i, i,
source_rule->perms,
dest_avtab,
- enabled)) != 1) {
+ enabled)) !=
+ EXPAND_RULE_SUCCESS) {
return retval;
}
}
@@ -1234,7 +1457,8 @@
specified, cond, i, j,
source_rule->perms,
dest_avtab,
- enabled)) != 1) {
+ enabled)) !=
+ EXPAND_RULE_SUCCESS) {
return retval;
}
} else {
@@ -1246,32 +1470,36 @@
other, i, j,
source_rule->perms,
dest_avtab,
- enabled)) != 1) {
+ enabled)) !=
+ EXPAND_RULE_SUCCESS) {
return retval;
}
}
}
}
- return 1;
+ return EXPAND_RULE_SUCCESS;
}
-/* Expand a rule into a given avtab - checking for conflicting type
- * rules in the destination policy. Return 1 on success, 0 if the
- * rule conflicts with something (and hence was not added), or -1 on
- * error. */
+/*
+ * Expand a rule into a given avtab - checking for conflicting type
+ * rules in the destination policy. Return EXPAND_RULE_SUCCESS on
+ * success, EXPAND_RULE_CONFLICT if the rule conflicts with something
+ * (and hence was not added), or EXPAND_RULE_ERROR on error.
+ */
static int convert_and_expand_rule(sepol_handle_t * handle,
policydb_t * dest_pol, uint32_t * typemap,
avrule_t * source_rule, avtab_t * dest_avtab,
cond_av_list_t ** cond,
- cond_av_list_t ** other, int enabled)
+ cond_av_list_t ** other, int enabled,
+ int do_neverallow)
{
int retval;
ebitmap_t stypes, ttypes;
unsigned char alwaysexpand;
- if (source_rule->specified & AVRULE_NEVERALLOW)
- return 1;
+ if (!do_neverallow && source_rule->specified & AVRULE_NEVERALLOW)
+ return EXPAND_RULE_SUCCESS;
ebitmap_init(&stypes);
ebitmap_init(&ttypes);
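Review bot: The rewritten comment above convert_and_expand_rule still does not describe the new do_neverallow parameter, which is the behavioral change here. Extend it with `If do_neverallow is zero, neverallow rules are skipped and EXPAND_RULE_SUCCESS is returned; otherwise they are expanded like any other AV rule.` The function body continues past the end of the hunk.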
@@ -1282,10 +1510,10 @@
if (expand_convert_type_set
(dest_pol, typemap, &source_rule->stypes, &stypes, alwaysexpand))
- return -1;
+ return EXPAND_RULE_ERROR;
if (expand_convert_type_set
(dest_pol, typemap, &source_rule->ttypes, &ttypes, alwaysexpand))
- return -1;
+ return EXPAND_RULE_ERROR;
retval = expand_rule_helper(handle, dest_pol, typemap,
source_rule, dest_avtab,
@@ -1306,7 +1534,8 @@
while (cur) {
if (convert_and_expand_rule(state->handle, dest_pol,
typemap, cur, dest_avtab,
- list, other, enabled) != 1) {
+ list, other, enabled,
+ 0) != EXPAND_RULE_SUCCESS) {
return -1;
}
@@ -1486,49 +1715,6 @@
return 0;
}
-static int range_trans_clone(expand_state_t * state)
-{
- range_trans_t *range = state->base->range_tr, *last_new_range = NULL,
- *new_range = NULL;
- state->out->range_tr = NULL;
-
- if (state->verbose)
- INFO(state->handle, "copying range transitions");
-
- while (range != NULL) {
- if ((new_range = malloc(sizeof(*new_range))) == NULL) {
- goto out_of_mem;
- }
- memset(new_range, 0, sizeof(*new_range));
- new_range->dom = state->typemap[range->dom - 1];
- new_range->type = state->typemap[range->type - 1];
- if (mls_level_clone
- (&new_range->range.level[0], &range->range.level[0]) == -1
- || mls_level_clone(&new_range->range.level[1],
- &range->range.level[1])) {
- goto out_of_mem;
- }
- new_range->next = NULL;
- if (last_new_range == NULL) {
- state->out->range_tr = last_new_range = new_range;
- } else {
- last_new_range->next = new_range;
- last_new_range = new_range;
- }
- range = range->next;
- }
- return 0;
-
- out_of_mem:
- ERR(state->handle, "Out of memory!");
- if (new_range) {
- ebitmap_destroy(&new_range->range.level[0].cat);
- ebitmap_destroy(&new_range->range.level[1].cat);
- free(new_range);
- }
- return -1;
-}
-
static int type_attr_map(hashtab_key_t key
__attribute__ ((unused)), hashtab_datum_t datum,
void *ptr)
@@ -1884,6 +2070,97 @@
return -1;
}
+/*
+ * Expands the avrule blocks for a policy. RBAC rules are copied. Neverallow
+ * rules are copied or expanded as per the settings in the state object; all
+ * other AV rules are expanded. If neverallow rules are expanded, they are not
+ * copied, otherwise they are copied for later use by the assertion checker.
+ */
+static int copy_and_expand_avrule_block(expand_state_t * state)
+{
+ avrule_block_t *curblock;
+ int retval = -1;
+
+ for (curblock = state->base->global; curblock != NULL;
+ curblock = curblock->next) {
+ avrule_decl_t *decl = curblock->enabled;
+ avrule_t *cur_avrule;
+
+ if (decl == NULL) {
+ /* nothing was enabled within this block */
+ continue;
+ }
+
+ /* copy role allows and role trans */
+ if (copy_role_allows(state, decl->role_allow_rules) != 0 ||
+ copy_role_trans(state, decl->role_tr_rules) != 0) {
+ goto cleanup;
+ }
+
+ /* expand the range transition rules */
+ if (expand_range_trans(state, decl->range_tr_rules))
+ goto cleanup;
+
+ /* copy rules */
+ cur_avrule = decl->avrules;
+ while (cur_avrule != NULL) {
+ if (!(state->expand_neverallow)
+ && cur_avrule->specified & AVRULE_NEVERALLOW) {
+ /* copy this over directly so that assertions are checked later */
+ if (copy_neverallow
+ (state->out, state->typemap, cur_avrule))
+ ERR(state->handle,
+ "Error while copying neverallow.");
+ } else {
+ if (cur_avrule->specified & AVRULE_NEVERALLOW) {
+ state->out->unsupported_format = 1;
+ }
+ if (convert_and_expand_rule
+ (state->handle, state->out, state->typemap,
+ cur_avrule, &state->out->te_avtab, NULL,
+ NULL, 0,
+ state->expand_neverallow) !=
+ EXPAND_RULE_SUCCESS) {
+ goto cleanup;
+ }
+ }
+ cur_avrule = cur_avrule->next;
+ }
+
+ /* copy conditional rules */
+ if (cond_node_copy(state, decl->cond_list))
+ goto cleanup;
+ }
+
+ retval = 0;
+
+ cleanup:
+ return retval;
+}
+
+/*
+ * This function allows external users of the library (such as setools) to
+ * expand only the avrules and optionally perform expansion of neverallow rules
+ * or expand into the same policy for analysis purposes.
+ */
+int expand_module_avrules(sepol_handle_t * handle, policydb_t * base,
+ policydb_t * out, uint32_t * typemap, int verbose,
+ int expand_neverallow)
+{
+ expand_state_t state;
+
+ expand_state_init(&state);
+
+ state.base = base;
+ state.out = out;
+ state.typemap = typemap;
+ state.handle = handle;
+ state.verbose = verbose;
+ state.expand_neverallow = expand_neverallow;
+
+ return copy_and_expand_avrule_block(&state);
+}
+
/* Linking should always be done before calling expand, even if
* there is only a base since all optionals are dealt with at link time
* the base passed in should be indexed and avrule blocks should be
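Review bot: In copy_and_expand_avrule_block a copy_neverallow failure is only logged and the loop continues, so the function still returns 0 and the output policy silently lacks a neverallow rule that assertion checking later relies on. Add `goto cleanup;` after that ERR so the failure propagates like every other error in the loop. The `state->out->unsupported_format = 1` assignment on the expanding path also has no comment; a line such as `/* expanded neverallows live only in memory; the writer cannot serialize them */` would help, with the wording confirmed against write.c since that side is not visible here.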
@@ -1897,6 +2174,8 @@
expand_state_t state;
avrule_block_t *curblock;
+ expand_state_init(&state);
>>> TRUNCATED FOR MAIL (1000 lines) <<<