PERFORCE change 113510 for review
Todd Miller
millert at FreeBSD.org
Thu Jan 25 15:15:02 UTC 2007
http://perforce.freebsd.org/chv.cgi?CH=113510
Change 113510 by millert at millert_macbook on 2007/01/25 15:13:13
Update to libsemanage-1.10.0 from the NSA web site.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsemanage/ChangeLog#5 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsemanage/VERSION#5 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsemanage/src/Makefile#6 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsemanage/src/conf-parse.y#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsemanage/src/conf-scan.l#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsemanage/src/direct_api.c#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsemanage/src/parse_utils.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsemanage/src/semanage_conf.h#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsemanage/src/semanage_store.c#5 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsemanage/ChangeLog#5 (text+ko) ====
@@ -1,3 +1,17 @@
+1.10.0 2007-01-18
+ * Updated version for stable branch.
+
+1.9.2 2007-01-08
+ * Merged patch to optionally reduce disk usage by removing
+ the backup module store and linked policy from Karl MacMillan
+ * Merged patch to correctly propagate return values in libsemanage
+
+1.9.1 2006-11-27
+ * Merged patch to compile wit -fPIC instead of -fpic from
+ Manoj Srivastava to prevent hitting the global offest table
+ limit. Patch changed to include libselinux and libsemanage in
+ addition to libsepol.
+
1.8 2006-10-17
* Updated version for release.
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsemanage/VERSION#5 (text+ko) ====
@@ -1,1 +1,1 @@
-1.8
+1.10.0
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsemanage/src/Makefile#6 (text+ko) ====
@@ -1,6 +1,6 @@
include ../../../../Makeconfig
-CFLAGS += -Wall -I../include -I../../libselinux/include -I../../libsepol/include
+CFLAGS += -Wall -I../include -I../../libselinux/include -I../../libsepol/include -I../../libsecompat
LFLAGS = -s
YFLAGS = -d
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsemanage/src/conf-parse.y#4 (text+ko) ====
@@ -55,7 +55,7 @@
char *s;
}
-%token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE
+%token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS SAVE_LINKED
%token LOAD_POLICY_START SETFILES_START GENHOMEDIRCON_START
%token VERIFY_MOD_START VERIFY_LINKED_START VERIFY_KERNEL_START BLOCK_END
%token PROG_PATH PROG_ARGS
@@ -77,6 +77,8 @@
| version
| expand_check
| file_mode
+ | save_previous
+ | save_linked
;
module_store: MODULE_STORE '=' ARG {
@@ -111,6 +113,30 @@
}
;
+save_previous: SAVE_PREVIOUS '=' ARG {
+ if (strcasecmp($3, "true") == 0)
+ current_conf->save_previous = 1;
+ else if (strcasecmp($3, "false") == 0)
+ current_conf->save_previous = 0;
+ else {
+ yyerror("save-previous can only be 'true' or 'false'");
+ }
+ }
+ ;
+
+
+save_linked: SAVE_LINKED '=' ARG {
+ if (strcasecmp($3, "true") == 0)
+ current_conf->save_linked = 1;
+ else if (strcasecmp($3, "false") == 0)
+ current_conf->save_linked = 0;
+ else {
+ yyerror("save-linked can only be 'true' or 'false'");
+ }
+ }
+ ;
+
+
command_block:
command_start external_opts BLOCK_END {
if (new_external->path == NULL) {
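Review bot: The ARG text `$3` consumed by the new save_previous and save_linked actions is never released; the `char *s` union member in the first hunk shows a pointer is handed over, and if the scanner allocates that string per token (its allocation is not visible here) each parsed option leaks one string. The pre-existing module_store, expand_check and file_mode actions are outside this hunk, so whichever convention they follow for `$3` should be mirrored, either a `free($3);` as the last statement of each action or nothing if the scanner retains ownership. The two actions are otherwise identical apart from the field and the message; a small shared helper that maps "true"/"false" to 1/0 and reports anything else would keep the option set from growing by copy-paste.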
@@ -186,6 +212,9 @@
conf->expand_check = 1;
conf->file_mode = 0644;
+ conf->save_previous = 0;
+ conf->save_linked = 0;
+
if ((conf->load_policy =
calloc(1, sizeof(*(current_conf->load_policy)))) == NULL) {
return -1;
@@ -283,6 +312,7 @@
int semanage_error(char *msg)
{
+ fprintf(stderr, "error parsing semanage configuration file: %s\n", msg);
parse_errors++;
return 0;
}
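Review bot: The added fprintf reports the parse error straight to stderr, while the rest of the library in this same change routes diagnostics through the handle callback (`ERR(sh, ...)` in direct_api.c and semanage_store.c), so a caller cannot silence or redirect this message. If no handle is reachable from the yacc error callback, a comment above the function should say so, e.g. `/* yacc error hook: no semanage handle is available here, so report to stderr and count the error for the caller to check */`. The format is a fixed literal with msg passed as a `%s` argument, which is the correct shape for text that comes from the parser.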
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsemanage/src/conf-scan.l#4 (text+ko) ====
@@ -42,6 +42,8 @@
policy-version return VERSION;
expand-check return EXPAND_CHECK;
file-mode return FILE_MODE;
+save-previous return SAVE_PREVIOUS;
+save-linked return SAVE_LINKED;
"[load_policy]" return LOAD_POLICY_START;
"[setfiles]" return SETFILES_START;
"[genhomedircon]" return GENHOMEDIRCON_START;
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsemanage/src/direct_api.c#4 (text+ko) ====
@@ -465,9 +465,11 @@
/* Before we do anything else, flush the join to its component parts.
* This *does not* flush to disk automatically */
- if (users->dtable->is_modified(users->dbase) &&
- users->dtable->flush(sh, users->dbase) < 0)
- goto cleanup;
+ if (users->dtable->is_modified(users->dbase)) {
+ retval = users->dtable->flush(sh, users->dbase);
+ if (retval < 0)
+ goto cleanup;
+ }
/* Decide if anything was modified */
fcontexts_modified = fcontexts->dtable->is_modified(fcontexts->dbase);
@@ -495,85 +497,117 @@
/* =================== Module expansion =============== */
/* link all modules in the sandbox to the base module */
- if (semanage_get_modules_names
- (sh, &mod_filenames, &num_modfiles) != 0
- || semanage_verify_modules(sh, mod_filenames,
- num_modfiles) == -1
- || semanage_link_sandbox(sh, &base) < 0) {
+ retval = semanage_get_modules_names(sh, &mod_filenames, &num_modfiles);
+ if (retval < 0)
+ goto cleanup;
+ retval = semanage_verify_modules(sh, mod_filenames, num_modfiles);
+ if (retval < 0)
+ goto cleanup;
+ retval = semanage_link_sandbox(sh, &base);
+ if (retval < 0)
goto cleanup;
- }
- /* write the linked base */
- if ((linked_filename =
- semanage_path(SEMANAGE_TMP, SEMANAGE_LINKED)) == NULL
- || semanage_write_module(sh, linked_filename, base) == -1
- || semanage_verify_linked(sh) != 0) {
+ /* write the linked base if we want to save or we have a
+ * verification program that wants it. */
+ linked_filename = semanage_path(SEMANAGE_TMP, SEMANAGE_LINKED);
+ if (linked_filename == NULL) {
+ retval = -1;
goto cleanup;
}
+ if (sh->conf->save_linked || sh->conf->linked_prog) {
+ retval = semanage_write_module(sh, linked_filename, base);
+ if (retval < 0)
+ goto cleanup;
+ retval = semanage_verify_linked(sh);
+ if (retval < 0)
+ goto cleanup;
+ /* remove the linked policy if we only wrote it for the
+ * verification program. */
+ if (!sh->conf->save_linked) {
+ retval = unlink(linked_filename);
+ if (retval < 0) {
+ ERR(sh, "could not remove linked base %s",
+ linked_filename);
+ goto cleanup;
+ }
+ }
+ } else {
+ /* Try to delete the linked copy - this is needed if
+ * the save_link option has changed to prevent the
+ * old linked copy from being copied forever. No error
+ * checking is done because this is likely to fail because
+ * the file does not exist - which is not an error. */
+ unlink(linked_filename);
+ }
/* ==================== File-backed ================== */
/* File Contexts */
/* Sort the file contexts. */
- if (semanage_fc_sort
- (sh, sepol_module_package_get_file_contexts(base),
- sepol_module_package_get_file_contexts_len(base),
- &sorted_fc_buffer, &sorted_fc_buffer_len) == -1) {
+ retval = semanage_fc_sort(sh, sepol_module_package_get_file_contexts(base),
+ sepol_module_package_get_file_contexts_len(base),
+ &sorted_fc_buffer, &sorted_fc_buffer_len);
+ if (retval < 0)
goto cleanup;
- }
/* Write the contexts (including template contexts) to a single file.
* The buffer returned by the sort function has a trailing \0 character,
* which we do NOT want to write out to disk, so we pass sorted_fc_buffer_len-1. */
- if ((ofilename =
- semanage_path(SEMANAGE_TMP, SEMANAGE_FC_TMPL)) == NULL
- || write_file(sh, ofilename, sorted_fc_buffer,
- sorted_fc_buffer_len - 1) == -1) {
+ ofilename = semanage_path(SEMANAGE_TMP, SEMANAGE_FC_TMPL);
+ if (ofilename == NULL) {
+ retval = -1;
goto cleanup;
}
+ retval = write_file(sh, ofilename, sorted_fc_buffer,
+ sorted_fc_buffer_len - 1);
+ if (retval < 0)
+ goto cleanup;
/* Split complete and template file contexts into their separate files. */
- if (semanage_split_fc(sh))
+ retval = semanage_split_fc(sh);
+ if (retval < 0)
goto cleanup;
pfcontexts->dtable->drop_cache(pfcontexts->dbase);
/* Seusers */
if (sepol_module_package_get_seusers_len(base)) {
- if ((ofilename =
- semanage_path(SEMANAGE_TMP,
- SEMANAGE_SEUSERS)) == NULL
- || write_file(sh, ofilename,
- sepol_module_package_get_seusers
- (base),
- sepol_module_package_get_seusers_len
- (base)) == -1) {
+ ofilename = semanage_path(SEMANAGE_TMP, SEMANAGE_SEUSERS);
+ if (ofilename == NULL) {
+ retval = -1;
goto cleanup;
}
+ retval = write_file(sh, ofilename,
+ sepol_module_package_get_seusers(base),
+ sepol_module_package_get_seusers_len(base));
+ if (retval < 0)
+ goto cleanup;
+
pseusers->dtable->drop_cache(pseusers->dbase);
} else {
- if (pseusers->dtable->clear(sh, pseusers->dbase) < 0)
+ retval = pseusers->dtable->clear(sh, pseusers->dbase);
+ if (retval < 0)
goto cleanup;
}
/* Users_extra */
if (sepol_module_package_get_user_extra_len(base)) {
- if ((ofilename =
- semanage_path(SEMANAGE_TMP,
- SEMANAGE_USERS_EXTRA)) == NULL
- || write_file(sh, ofilename,
- sepol_module_package_get_user_extra
- (base),
- sepol_module_package_get_user_extra_len
- (base)) == -1) {
+ ofilename = semanage_path(SEMANAGE_TMP, SEMANAGE_USERS_EXTRA);
+ if (ofilename == NULL) {
+ retval = -1;
goto cleanup;
}
+ retval = write_file(sh, ofilename,
+ sepol_module_package_get_user_extra(base),
+ sepol_module_package_get_user_extra_len(base));
+ if (retval < 0)
+ goto cleanup;
pusers_extra->dtable->drop_cache(pusers_extra->dbase);
} else {
- if (pusers_extra->dtable->
- clear(sh, pusers_extra->dbase) < 0)
+ retval = pusers_extra->dtable->clear(sh, pusers_extra->dbase);
+ if (retval < 0)
goto cleanup;
}
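Review bot: Three of the rewritten checks loosen the failure test from `!= 0` to `< 0`: the `semanage_get_modules_names` and `semanage_verify_linked` calls in this hunk (the removed lines tested `!= 0`) and `semanage_verify_kernel` in the hunk at -613,13. If any of these helpers reports failure with a positive value, as an external verifier's exit status would be, the commit now proceeds past a failed verification, which is the check this path exists to enforce; please confirm each returns strictly negative on error, or keep `!= 0` for the verify calls and set retval to -1 there. Separately, the unchecked `unlink(linked_filename)` in the else branch treats every failure as "file does not exist", so a permission or I/O error leaves exactly the stale linked copy the comment says it wants to avoid; `if (unlink(linked_filename) < 0 && errno != ENOENT) { ERR(sh, "could not remove linked base %s", linked_filename); retval = -1; goto cleanup; }` distinguishes the expected case (assuming errno.h is already included in this file). The enclosing function begins before this hunk and continues after it.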
@@ -601,7 +635,8 @@
/* Create new policy object, then attach to policy databases
* that work with a policydb */
- if (semanage_expand_sandbox(sh, base, &out) < 0)
+ retval = semanage_expand_sandbox(sh, base, &out);
+ if (retval < 0)
goto cleanup;
dbase_policydb_attach((dbase_policydb_t *) pusers_base->dbase,
@@ -613,13 +648,16 @@
/* ============= Apply changes, and verify =============== */
- if (semanage_base_merge_components(sh) < 0)
+ retval = semanage_base_merge_components(sh);
+ if (retval < 0)
goto cleanup;
- if (semanage_write_policydb(sh, out) < 0)
+ retval = semanage_write_policydb(sh, out);
+ if (retval < 0)
goto cleanup;
- if (semanage_verify_kernel(sh) != 0)
+ retval = semanage_verify_kernel(sh);
+ if (retval < 0)
goto cleanup;
}
@@ -633,26 +671,30 @@
* merged into the main file_contexts. We won't check the
* large file_contexts - checked at compile time */
if (sh->do_rebuild || modified || fcontexts_modified) {
- if (semanage_fcontext_validate_local(sh, out) < 0)
+ retval = semanage_fcontext_validate_local(sh, out);
+ if (retval < 0)
goto cleanup;
}
/* Validate local seusers against policy */
if (sh->do_rebuild || modified || seusers_modified) {
- if (semanage_seuser_validate_local(sh, out) < 0)
+ retval = semanage_seuser_validate_local(sh, out);
+ if (retval < 0)
goto cleanup;
}
/* Validate local ports for overlap */
if (sh->do_rebuild || ports_modified) {
- if (semanage_port_validate_local(sh) < 0)
+ retval = semanage_port_validate_local(sh);
+ if (retval < 0)
goto cleanup;
}
/* ================== Write non-policydb components ========= */
/* Commit changes to components */
- if (semanage_commit_components(sh) < 0)
+ retval = semanage_commit_components(sh);
+ if (retval < 0)
goto cleanup;
retval = semanage_install_sandbox(sh);
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsemanage/src/parse_utils.c#3 (text+ko) ====
@@ -6,6 +6,7 @@
#include <stdlib.h>
#include <ctype.h>
#include <semanage/handle.h>
+#include <secompat.h>
#include "parse_utils.h"
#include "debug.h"
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsemanage/src/semanage_conf.h#3 (text+ko) ====
@@ -35,6 +35,8 @@
int server_port;
int policyvers; /* version for server generated policies */
int expand_check;
+ int save_previous;
+ int save_linked;
mode_t file_mode;
struct external_prog *load_policy;
struct external_prog *setfiles;
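Review bot: The two new fields are the only ones in this group without a comment, while the neighbouring `policyvers` is documented, and nothing here tells a reader which direction the flags work. Based on how this change uses them, `int save_previous; /* keep the previous (backup) module store after a successful commit */` and `int save_linked; /* keep the linked base module on disk after commit */` would match the existing style.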
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libsemanage/src/semanage_store.c#5 (text+ko) ====
@@ -53,6 +53,7 @@
#include <sys/types.h>
#include <sys/wait.h>
#include <limits.h>
+#include <secompat.h>
#include "debug.h"
@@ -1223,6 +1224,14 @@
goto cleanup;
}
+ if (!sh->conf->save_previous) {
+ retval = semanage_remove_directory(backup);
+ if (retval < 0) {
+ ERR(sh, "Could not delete previous directory %s.", backup);
+ goto cleanup;
+ }
+ }
+
cleanup:
semanage_release_active_lock(sh);
return retval;
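Review bot: With `conf->save_previous` initialised to 0 in conf-parse.y, deleting the previous store becomes the default rather than an opt-in, although the ChangeLog entry describes the feature as optionally reducing disk usage; a deployment that relied on that directory for recovery may lose it silently on upgrade, and no configuration example in this change documents either new option. Either default `save_previous` to 1 or state the new default where the block is, e.g. `/* save-previous defaults to false: the backup store is removed once the new policy is installed */`. Note also that `retval` after a successful `semanage_remove_directory` replaces whatever the preceding step returned, which is only correct if that helper returns 0 on success; its contract is not visible here. The enclosing function starts before this hunk.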