From owner-trustedbsd-cvs@FreeBSD.ORG Wed Oct 25 20:47:24 2006 Return-Path: X-Original-To: trustedbsd-cvs@freebsd.org Delivered-To: trustedbsd-cvs@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 044AB16A415 for ; Wed, 25 Oct 2006 20:47:24 +0000 (UTC) (envelope-from owner-perforce@freebsd.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5645343D5F for ; Wed, 25 Oct 2006 20:46:36 +0000 (GMT) (envelope-from owner-perforce@freebsd.org) Received: from mx2.freebsd.org (mx2.freebsd.org [216.136.204.119]) by cyrus.watson.org (Postfix) with ESMTP id 595E546E92 for ; Wed, 25 Oct 2006 16:46:32 -0400 (EDT) Received: from hub.freebsd.org (hub.freebsd.org [216.136.204.18]) by mx2.freebsd.org (Postfix) with ESMTP id A815714CA46; Wed, 25 Oct 2006 20:41:35 +0000 (GMT) (envelope-from owner-perforce@freebsd.org) Received: by hub.freebsd.org (Postfix, from userid 32767) id 7DE6E16A538; Wed, 25 Oct 2006 20:41:35 +0000 (UTC) X-Original-To: perforce@freebsd.org Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4080716A52B for ; Wed, 25 Oct 2006 20:41:35 +0000 (UTC) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4813043E3A for ; Wed, 25 Oct 2006 20:39:52 +0000 (GMT) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id k9PKdnLM070342 for ; Wed, 25 Oct 2006 20:39:49 GMT (envelope-from millert@freebsd.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.6/8.13.4/Submit) id k9PKdn6N070339 for perforce@freebsd.org; Wed, 25 Oct 2006 20:39:49 GMT (envelope-from millert@freebsd.org) Date: Wed, 25 Oct 2006 20:39:49 GMT Message-Id: <200610252039.k9PKdn6N070339@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to millert@freebsd.org using -f From: Todd Miller To: Perforce Change Reviews Cc: Subject: PERFORCE change 108424 for review X-BeenThere: trustedbsd-cvs@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD CVS and Perforce commit message list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Oct 2006 20:47:24 -0000 http://perforce.freebsd.org/chv.cgi?CH=108424 Change 108424 by millert@millert_macbook on 2006/10/25 20:39:01 Update to checkpolicy-1.32 from the NSA web site. Affected files ... .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/ChangeLog#4 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/Makefile#3 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/VERSION#4 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/module_compiler.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/module_compiler.h#4 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/policy_parse.y#4 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/ChangeLog#4 (text+ko) ==== @@ -1,3 +1,10 @@ +1.32 2006-10-17 + * Updated version for release. + +1.30.12 2006-09-28 + * Merged user and range_transition support for modules from + Darrel Goeddel + 1.30.11 2006-09-05 * merged range_transition enhancements and user module format changes from Darrel Goeddel ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/Makefile#3 (text+ko) ==== @@ -11,6 +11,8 @@ all: $(PROG) +GENERATED=lex.yy.c y.tab.c y.tab.h + $(PROG): $(OBJS) $(CC) $(CFLAGS) -o $@ $^ $(LDADD) ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/VERSION#4 (text+ko) ==== @@ -1,1 +1,1 @@ -1.30.11 +1.32 ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/module_compiler.c#4 (text+ko) ==== @@ -937,6 +937,122 @@ } } +int require_sens(int pass) +{ + char *id = queue_remove(id_queue); + level_datum_t *level = NULL; + int retval; + if (pass == 2) { + free(id); + return 0; + } + if (!id) { + yyerror("no sensitivity name"); + return -1; + } + level = malloc(sizeof(level_datum_t)); + if (!level) { + free(id); + yyerror("Out of memory!"); + return -1; + } + level_datum_init(level); + level->level = malloc(sizeof(mls_level_t)); + if (!level->level) { + free(id); + level_datum_destroy(level); + free(level); + yyerror("Out of memory!"); + return -1; + } + mls_level_init(level->level); + retval = require_symbol(SYM_LEVELS, id, (hashtab_datum_t *) level, + &level->level->sens, &level->level->sens); + if (retval != 0) { + free(id); + mls_level_destroy(level->level); + free(level->level); + level_datum_destroy(level); + free(level); + } + switch (retval) { + case -3:{ + yyerror("Out of memory!"); + return -1; + } + case -2:{ + yyerror("duplicate declaration of sensitivity"); + return -1; + } + case -1:{ + yyerror("could not require sensitivity here"); + return -1; + } + case 0:{ + return 0; + } + case 1:{ + return 0; /* sensitivity already required */ + } + default:{ + assert(0); /* should never get here */ + } + } +} + +int require_cat(int pass) +{ + char *id = queue_remove(id_queue); + cat_datum_t *cat = NULL; + int retval; + if (pass == 2) { + free(id); + return 0; + } + if (!id) { + yyerror("no category name"); + return -1; + } + cat = malloc(sizeof(cat_datum_t)); + if (!cat) { + free(id); + yyerror("Out of memory!"); + return -1; + } + cat_datum_init(cat); + + retval = require_symbol(SYM_CATS, id, (hashtab_datum_t *) cat, + &cat->s.value, &cat->s.value); + if (retval != 0) { + free(id); + cat_datum_destroy(cat); + free(cat); + } + switch (retval) { + case -3:{ + yyerror("Out of memory!"); + return -1; + } + case -2:{ + yyerror("duplicate declaration of category"); + return -1; + } + case -1:{ + yyerror("could not require category here"); + return -1; + } + case 0:{ + return 0; + } + case 1:{ + return 0; /* category already required */ + } + default:{ + assert(0); /* should never get here */ + } + } +} + static int is_scope_in_stack(scope_datum_t * scope, scope_stack_t * stack) { int i; ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/module_compiler.h#4 (text+ko) ==== @@ -56,6 +56,8 @@ int require_attribute(int pass); int require_user(int pass); int require_bool(int pass); +int require_sens(int pass); +int require_cat(int pass); /* Check if an identifier is within the scope of the current * declaration or any of its parents. Return 1 if it is, 0 if not. ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/policy_parse.y#4 (text+ko) ==== @@ -834,10 +834,8 @@ | ATTRIBUTE { $$ = require_attribute; } | USER { $$ = require_user; } | BOOL { $$ = require_bool; } -/* MLS-enabled modules are not implemented at this time. | SENSITIVITY { $$ = require_sens; } | CATEGORY { $$ = require_cat; } -*/ ; require_id_list : identifier { if ($0 (pass)) return -1; } @@ -1301,7 +1299,7 @@ yyerror("out of memory"); goto bad; } - memset(level, 0, sizeof(mls_level_t)); + mls_level_init(level); level->sens = 0; /* actual value set in define_dominance */ ebitmap_init(&level->cat); /* actual value set in define_level */ @@ -1310,7 +1308,7 @@ yyerror("out of memory"); goto bad; } - memset(datum, 0, sizeof(level_datum_t)); + level_datum_init(datum); datum->isalias = FALSE; datum->level = level; @@ -1347,7 +1345,7 @@ yyerror("out of memory"); goto bad_alias; } - memset(aliasdatum, 0, sizeof(level_datum_t)); + level_datum_init(aliasdatum); aliasdatum->isalias = TRUE; aliasdatum->level = level; @@ -1384,15 +1382,19 @@ free(id); if (level) free(level); - if (datum) + if (datum) { + level_datum_destroy(datum); free(datum); + } return -1; bad_alias: if (id) free(id); - if (aliasdatum) + if (aliasdatum) { + level_datum_destroy(aliasdatum); free(aliasdatum); + } return -1; } @@ -1480,7 +1482,7 @@ yyerror("out of memory"); goto bad; } - memset(datum, 0, sizeof(cat_datum_t)); + cat_datum_init(datum); datum->isalias = FALSE; ret = declare_symbol(SYM_CATS, id, datum, &value, &value); @@ -1517,7 +1519,7 @@ yyerror("out of memory"); goto bad_alias; } - memset(aliasdatum, 0, sizeof(cat_datum_t)); + cat_datum_init(aliasdatum); aliasdatum->isalias = TRUE; aliasdatum->s.value = datum->s.value; @@ -1554,15 +1556,19 @@ bad: if (id) free(id); - if (datum) + if (datum) { + cat_datum_destroy(datum); free(datum); + } return -1; bad_alias: if (id) free(id); - if (aliasdatum) + if (aliasdatum) { + cat_datum_destroy(aliasdatum); free(aliasdatum); + } return -1; } @@ -3682,11 +3688,6 @@ level_datum_t *levdatum; int l; - if (policydbp->policy_type == POLICY_MOD && mlspol) { - yyerror("Users cannot be declared in MLS modules"); - return -1; - } - if (pass == 1) { while ((id = queue_remove(id_queue))) free(id);