Date:      Thu, 20 Apr 2006 21:26:22 GMT
From:      Todd Miller <millert@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 95721 for review
Message-ID:  <200604202126.k3KLQMQI005610@repoman.freebsd.org>

http://perforce.freebsd.org/chv.cgi?CH=95721

Change 95721 by millert@millert_g5tower on 2006/04/20 21:25:44

	Update to libsepol 1.12
	Obtained from:	pleblance

Affected files ...

.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/COPYING#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/ChangeLog#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/Makefile#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/VERSION#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/Makefile#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/avtab.h#2 delete
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/boolean_record.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/booleans.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/conditional.h#2 delete
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/constraint.h#2 delete
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/context.h#2 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/context_record.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/debug.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/ebitmap.h#2 delete
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/flask.h#2 delete
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/flask_types.h#2 delete
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/handle.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/hashtab.h#2 delete
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/iface_record.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/interfaces.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/mls.h#2 delete
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/mls_types.h#2 delete
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/module.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/node_record.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/nodes.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/policydb.h#2 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/policydb/avrule_block.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/policydb/avtab.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/policydb/conditional.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/policydb/constraint.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/policydb/context.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/policydb/ebitmap.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/policydb/expand.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/policydb/flask.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/policydb/flask_types.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/policydb/hashtab.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/policydb/hierarchy.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/policydb/link.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/policydb/mls_types.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/policydb/module.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/policydb/policydb.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/policydb/services.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/policydb/sidtab.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/policydb/symtab.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/port_record.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/ports.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/roles.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/sepol.h#2 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/services.h#2 delete
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/sidtab.h#2 delete
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/symtab.h#2 delete
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/user_record.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/users.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sys/endian.h#2 delete
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/man/Makefile#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/man/man3/sepol_check_context.3#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/man/man3/sepol_genbools.3#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/man/man3/sepol_genusers.3#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/man/man8/chkcon.8#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/man/man8/genpolbools.8#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/man/man8/genpolusers.8#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/Makefile#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/assertion.c#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/av_permissions.h#2 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/avrule_block.c#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/avtab.c#2 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/boolean_internal.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/boolean_record.c#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/booleans.c#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/conditional.c#2 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/constraint.c#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/context.c#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/context.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/context_internal.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/context_record.c#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/debug.c#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/debug.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/dso.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/ebitmap.c#2 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/expand.c#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/genbools.c#2 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/genusers.c#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/handle.c#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/handle.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/hashtab.c#2 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/hierarchy.c#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/iface_internal.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/iface_record.c#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/interfaces.c#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/libsepol.map#2 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/link.c#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/mls.c#2 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/mls.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/module.c#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/module_internal.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/node_internal.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/node_record.c#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/nodes.c#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/policydb.c#2 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/policydb_convert.c#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/policydb_internal.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/policydb_public.c#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/port_internal.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/port_record.c#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/ports.c#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/private.h#2 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/roles.c#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/services.c#2 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/sidtab.c#2 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/symtab.c#2 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/user_internal.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/user_record.c#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/users.c#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/util.c#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/write.c#2 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/utils/Makefile#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/utils/chkcon.c#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/utils/genpolbools.c#2 delete

Differences ...

==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/context.h#2 (text+ko) ====

@@ -1,131 +1,31 @@
+#ifndef _SEPOL_CONTEXT_H_
+#define _SEPOL_CONTEXT_H_
 
-/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */
+#include <sepol/context_record.h>
+#include <sepol/policydb.h>
+#include <sepol/handle.h>
 
-/* FLASK */
+/* -- Deprecated -- */
 
-/*
- * A security context is a set of security attributes
- * associated with each subject and object controlled
- * by the security policy.  Security contexts are
- * externally represented as variable-length strings
- * that can be interpreted by a user or application
- * with an understanding of the security policy. 
- * Internally, the security server uses a simple
- * structure.  This structure is private to the
- * security server and can be changed without affecting
- * clients of the security server.
- */
+extern int sepol_check_context(
+	const char *context);
 
-#ifndef _CONTEXT_H_
-#define _CONTEXT_H_
+/* -- End deprecated -- */
 
-#include <sepol/ebitmap.h>
+extern int sepol_context_check(
+	sepol_handle_t* handle,
+	const sepol_policydb_t* policydb,
+	const sepol_context_t* context);
 
-#include <sepol/mls_types.h>
+extern int sepol_mls_contains(
+	sepol_handle_t* handle,
+	const sepol_policydb_t* policydb,
+	const char* mls1,
+	const char* mls2,
+	int* response);
 
-/*
- * A security context consists of an authenticated user
- * identity, a role, a type and a MLS range.
- */
-typedef struct context_struct {
-	uint32_t user;
-	uint32_t role;
-	uint32_t type;
-#ifdef CONFIG_SECURITY_SELINUX_MLS
-	mls_range_t range;
-#endif
-} context_struct_t;
-
-
-#ifdef CONFIG_SECURITY_SELINUX_MLS
-
-static inline void mls_context_init(context_struct_t * c)
-{
-	memset(&c->range, 0, sizeof(c->range));
-}
-
-static inline int mls_context_cpy(context_struct_t * dst, 
-				  context_struct_t * src)
-{
-	int rc;
-	
-	dst->range.level[0].sens = src->range.level[0].sens;
-	rc = ebitmap_cpy(&dst->range.level[0].cat, &src->range.level[0].cat);
-	if (rc)
-		goto out;
-
-	dst->range.level[1].sens = src->range.level[1].sens;
-	rc = ebitmap_cpy(&dst->range.level[1].cat, &src->range.level[1].cat);
-	if (rc)
-		ebitmap_destroy(&dst->range.level[0].cat);
-out:
-	return rc;
-}
-
-static inline int mls_context_cmp(context_struct_t * c1,
-                                  context_struct_t * c2)
-{
-	return ((c1->range.level[0].sens == c2->range.level[0].sens) &&
-		ebitmap_cmp(&c1->range.level[0].cat,&c2->range.level[0].cat) &&
-		(c1->range.level[1].sens == c2->range.level[1].sens) &&
-		ebitmap_cmp(&c1->range.level[1].cat,&c2->range.level[1].cat));
-}
-
-static inline void mls_context_destroy(context_struct_t * c)
-{
-	ebitmap_destroy(&c->range.level[0].cat);
-	ebitmap_destroy(&c->range.level[1].cat);
-	mls_context_init(c);
-}
-
-#else
-
-static inline void mls_context_init(context_struct_t *c __attribute__ ((unused)))
-{ }
-
-static inline int mls_context_cpy(context_struct_t * dst __attribute__ ((unused)), 
-				  context_struct_t * src __attribute__ ((unused)))
-{ return 0; }
-
-static inline int mls_context_cmp(context_struct_t * c1 __attribute__ ((unused)),
-                                  context_struct_t * c2 __attribute__ ((unused)))
-{ return 1; }
-
-static inline void mls_context_destroy(context_struct_t * c __attribute__ ((unused)))
-{ }
-
+extern int sepol_mls_check(
+	sepol_handle_t* handle,
+	const sepol_policydb_t* policydb,
+	const char* mls);
 #endif
-
-static inline void context_init(context_struct_t * c)
-{
-	memset(c, 0, sizeof(*c));
-}
-
-static inline int context_cpy(context_struct_t * dst,
-			      context_struct_t * src)
-{
-	dst->user = src->user;
-	dst->role = src->role;
-	dst->type = src->type;
-	return mls_context_cpy(dst, src);
-}
-
-static inline void context_destroy(context_struct_t * c)
-{
-	c->user = c->role = c->type = 0;
-	mls_context_destroy(c);
-}
-
-static inline int context_cmp(context_struct_t * c1,
-			      context_struct_t * c2)
-{
-	return ((c1->user == c2->user) &&
-		(c1->role == c2->role) &&
-		(c1->type == c2->type) &&
-		mls_context_cmp(c1, c2));
-}
-
-#endif	/* _CONTEXT_H_ */
-
-/* FLASK */
-
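Review bot: The deprecated `sepol_check_context(const char *context)` takes neither a policydb nor a handle, so the header should say which policy it validates against; from the sepol.h hunk in this change it appears to be the library-global policydb installed by `sepol_set_policydb_from_file`, and a comment such as `/* Validates 'context' against the policydb installed by sepol_set_policydb_from_file(); new code should use sepol_context_check(). */` above the declaration would make that dependency visible to callers. None of the four new declarations state their return convention or what `sepol_mls_contains` stores in `*response`, whereas the policydb.h declarations in this same change do spell out `Returns -1 if ...`; these should follow the same pattern. The pointer declarator style (`sepol_handle_t* handle`) also differs from the `sepol_policydb_t *p` form used in policydb.h, so `sepol_handle_t *handle` would keep the public headers consistent. The closing `#endif` is an unchanged context line inherited from the old MLS block, and a trailing `/* _SEPOL_CONTEXT_H_ */` comment would make clear it now closes the include guard.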

==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/policydb.h#2 (text+ko) ====

@@ -1,327 +1,130 @@
+#ifndef _SEPOL_POLICYDB_H_
+#define _SEPOL_POLICYDB_H_
 
-/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */
+#include <stddef.h>
+#include <stdio.h>
 
-/* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
- *
- * 	Added conditional policy language extensions
- *
- * Copyright (C) 2003 - 2004 Tresys Technology, LLC
- *	This program is free software; you can redistribute it and/or modify
- *  	it under the terms of the GNU General Public License as published by
- *	the Free Software Foundation, version 2.
- */
+#include <sepol/handle.h>
 
-/* FLASK */
+struct sepol_policy_file;
+typedef struct sepol_policy_file sepol_policy_file_t;
 
-/*
- * A policy database (policydb) specifies the 
- * configuration data for the security policy.
- */
+struct sepol_policydb;
+typedef struct sepol_policydb sepol_policydb_t;
 
-#ifndef _POLICYDB_H_
-#define _POLICYDB_H_
+/* Policy file public interfaces. */
 
-#include <stdio.h>
+/* Create and free memory associated with a policy file. */
+extern int sepol_policy_file_create(sepol_policy_file_t **pf);
+extern void sepol_policy_file_free(sepol_policy_file_t *pf);
 
-#include <sepol/flask_types.h>
-#include <sepol/symtab.h>
-#include <sepol/avtab.h>
-#include <sepol/context.h>
-#include <sepol/constraint.h>
-#include <sepol/sidtab.h>
+/*
+ * Set the policy file to represent a binary policy memory image.
+ * Subsequent operations using the policy file will read and write
+ * the image located at the specified address with the specified length.
+ * If 'len' is 0, then merely compute the necessary length upon  
+ * subsequent policydb write operations in order to determine the
+ * necessary buffer size to allocate.
+ */
+extern void sepol_policy_file_set_mem(sepol_policy_file_t *pf,
+				      char *data,
+				      size_t len);
 
 /*
- * A datum type is defined for each kind of symbol 
- * in the configuration data:  individual permissions, 
- * common prefixes for access vectors, classes,
- * users, roles, types, sensitivities, categories, etc.
+ * Get the size of the buffer needed to store a policydb write
+ * previously done on this policy file.
  */
+extern int sepol_policy_file_get_len(sepol_policy_file_t *pf,
+				     size_t *len);
 
-/* Permission attributes */
-typedef struct perm_datum {
-	uint32_t value;		/* permission bit + 1 */
-#ifdef CONFIG_SECURITY_SELINUX_MLS
-#define MLS_BASE_READ    1	/* MLS base permission `read' */
-#define MLS_BASE_WRITE   2	/* MLS base permission `write' */
-#define MLS_BASE_READBY  4	/* MLS base permission `readby' */
-#define MLS_BASE_WRITEBY 8	/* MLS base permission `writeby' */
-	uint32_t base_perms;		/* MLS base permission mask */
-#endif
-} perm_datum_t;
+/*
+ * Set the policy file to represent a FILE.
+ * Subsequent operations using the policy file will read and write
+ * to the FILE.
+ */
+extern void sepol_policy_file_set_fp(sepol_policy_file_t *pf,
+				     FILE *fp);
 
-/* Attributes of a common prefix for access vectors */
-typedef struct common_datum {
-	uint32_t value;		/* internal common value */
-	symtab_t permissions;	/* common permissions */
-} common_datum_t;
+/*
+ * Associate a handle with a policy file, for use in
+ * error reporting from subsequent calls that take the
+ * policy file as an argument.
+ */
+extern void sepol_policy_file_set_handle(sepol_policy_file_t *pf,
+					 sepol_handle_t *handle);
 
-/* Class attributes */
-typedef struct class_datum {
-	uint32_t value;		/* class value */
-	char *comkey;		/* common name */
-	common_datum_t *comdatum;	/* common datum */
-	symtab_t permissions;	/* class-specific permission symbol table */
-	constraint_node_t *constraints;		/* constraints on class permissions */
-#ifdef CONFIG_SECURITY_SELINUX_MLS
-	mls_perms_t mlsperms;	/* MLS base permission masks */
-#endif
-} class_datum_t;
+/* Policydb public interfaces. */
 
-/* Role attributes */
-typedef struct role_datum {
-	uint32_t value;		/* internal role value */
-	ebitmap_t dominates;	/* set of roles dominated by this role */
-	ebitmap_t types;	/* set of authorized types for role */
-} role_datum_t;
+/* Create and free memory associated with a policydb. */
+extern int sepol_policydb_create(sepol_policydb_t **p);
+extern void sepol_policydb_free(sepol_policydb_t *p);
 
-typedef struct role_trans {
-	uint32_t role;		/* current role */
-	uint32_t type;		/* program executable type */
-	uint32_t new_role;		/* new role */
-	struct role_trans *next;
-} role_trans_t;
+/* Legal types of policies that the policydb can represent. */
+#define SEPOL_POLICY_KERN	0
+#define SEPOL_POLICY_BASE	1
+#define SEPOL_POLICY_MOD	2
 
-typedef struct role_allow {
-	uint32_t role;		/* current role */
-	uint32_t new_role;		/* new role */
-	struct role_allow *next;
-} role_allow_t;
+/*
+ * Range of policy versions for the kernel policy type supported
+ * by this library.
+ */
+extern int sepol_policy_kern_vers_min(void);
+extern int sepol_policy_kern_vers_max(void);
 
-/* Type attributes */
-typedef struct type_datum {
-	uint32_t value;		/* internal type value */
-	unsigned char primary;	/* primary name? */
-#ifndef __KERNEL__
-	unsigned char isattr;   /* is this a type attribute? */
-	ebitmap_t types;        /* types with this attribute */
-#endif
-} type_datum_t;
+/*
+ * Set the policy type as specified, and automatically initialize the
+ * policy version accordingly to the maximum version supported for the
+ * policy type.  
+ * Returns -1 if the policy type is not legal.
+ */
+extern int sepol_policydb_set_typevers(sepol_policydb_t *p, unsigned int type);
 
-/* User attributes */
-typedef struct user_datum {
-	uint32_t value;		/* internal user value */
-	ebitmap_t roles;	/* set of authorized roles for user */
-#ifdef CONFIG_SECURITY_SELINUX_MLS
-	mls_range_list_t *ranges;	/* list of authorized MLS ranges for user */
-#endif
-        unsigned defined;
-} user_datum_t;
+/*
+ * Set the policy version to a different value.
+ * Returns -1 if the policy version is not in the supported range for
+ * the (previously set) policy type.
+ */
+extern int sepol_policydb_set_vers(sepol_policydb_t *p, unsigned int vers);
 
+/* 
+ * Read a policydb from a policy file.
+ * This automatically sets the type and version based on the 
+ * image contents.
+ */
+extern int sepol_policydb_read(sepol_policydb_t *p,
+			       sepol_policy_file_t *pf);
 
-#ifdef CONFIG_SECURITY_SELINUX_MLS
-/* Sensitivity attributes */
-typedef struct level_datum {
-	mls_level_t *level;	/* sensitivity and associated categories */
-	unsigned char isalias;  /* is this sensitivity an alias for another? */
-} level_datum_t;
+/*
+ * Write a policydb to a policy file.
+ * The generated image will be in the binary format corresponding 
+ * to the policy version associated with the policydb.
+ */
+extern int sepol_policydb_write(sepol_policydb_t *p,
+				sepol_policy_file_t *pf);
 
-/* Category attributes */
-typedef struct cat_datum {
-	uint32_t value;		/* internal category bit + 1 */
-	unsigned char isalias;  /* is this category an alias for another? */
-} cat_datum_t;
-#endif
-
-/* Boolean data type */
-typedef struct cond_bool_datum {
-	uint32_t value;		/* internal type value */
-	int state;
-} cond_bool_datum_t;
-
-struct cond_node;
-
-typedef struct cond_node cond_list_t;
-
 /*
- * The configuration data includes security contexts for 
- * initial SIDs, unlabeled file systems, TCP and UDP port numbers, 
- * network interfaces, and nodes.  This structure stores the
- * relevant data for one such entry.  Entries of the same kind
- * (e.g. all initial SIDs) are linked together into a list.
+ * Extract a policydb from a binary policy memory image.  
+ * This is equivalent to sepol_policydb_read with a policy file
+ * set to refer to memory.
  */
-typedef struct ocontext {
-	union {
-		char *name;	/* name of initial SID, fs, netif, fstype, path */
-		struct {
-			uint8_t protocol;
-			uint16_t low_port;
-			uint16_t high_port;
-		} port;		/* TCP or UDP port information */
-		struct {
-			uint32_t addr;
-			uint32_t mask;
-		} node;		/* node information */
-		struct {
-			uint32_t addr[4];
-			uint32_t mask[4];
-		} node6;	/* IPv6 node information */
-	} u;
-	union {
-		uint32_t sclass;  /* security class for genfs */
-		uint32_t behavior;  /* labeling behavior for fs_use */
-	} v;
-	context_struct_t context[2];	/* security context(s) */
-	security_id_t sid[2];	/* SID(s) */
-	struct ocontext *next;
-} ocontext_t;
-
-typedef struct genfs {
-	char *fstype;
-	struct ocontext *head;
-	struct genfs *next;
-} genfs_t;
-
-/* symbol table array indices */
-#define SYM_COMMONS 0
-#define SYM_CLASSES 1
-#define SYM_ROLES   2
-#define SYM_TYPES   3
-#define SYM_USERS   4
-#ifdef CONFIG_SECURITY_SELINUX_MLS
-#define SYM_LEVELS  5
-#define SYM_CATS    6
-#define SYM_BOOLS   7
-#define SYM_NUM     8
-#else
-#define SYM_BOOLS   5
-#define SYM_NUM     6
-#endif
-
-/* object context array indices */
-#define OCON_ISID  0	/* initial SIDs */
-#define OCON_FS    1	/* unlabeled file systems */
-#define OCON_PORT  2	/* TCP and UDP port numbers */
-#define OCON_NETIF 3	/* network interfaces */
-#define OCON_NODE  4	/* nodes */
-#define OCON_FSUSE 5	/* fs_use */
-#define OCON_NODE6 6	/* IPv6 nodes */
-#define OCON_NUM   7
-
-/* The policy database */
-typedef struct policydb {
-	/* symbol tables */
-	symtab_t symtab[SYM_NUM];
-#define p_commons symtab[SYM_COMMONS]
-#define p_classes symtab[SYM_CLASSES]
-#define p_roles symtab[SYM_ROLES]
-#define p_types symtab[SYM_TYPES]
-#define p_users symtab[SYM_USERS]
-#define p_levels symtab[SYM_LEVELS]
-#define p_cats symtab[SYM_CATS]
-#define p_bools symtab[SYM_BOOLS]
+extern int sepol_policydb_from_image(sepol_handle_t *handle,
+				     void* data, size_t len, 
+				     sepol_policydb_t *p);
 
-	/* symbol names indexed by (value - 1) */
-	char **sym_val_to_name[SYM_NUM];
-#define p_common_val_to_name sym_val_to_name[SYM_COMMONS]
-#define p_class_val_to_name sym_val_to_name[SYM_CLASSES]
-#define p_role_val_to_name sym_val_to_name[SYM_ROLES]
-#define p_type_val_to_name sym_val_to_name[SYM_TYPES]
-#define p_user_val_to_name sym_val_to_name[SYM_USERS]
-#define p_sens_val_to_name sym_val_to_name[SYM_LEVELS]
-#define p_cat_val_to_name sym_val_to_name[SYM_CATS]
-#define p_bool_val_to_name sym_val_to_name[SYM_BOOLS]
 
-	/* class, role, and user attributes indexed by (value - 1) */
-	class_datum_t **class_val_to_struct;
-	role_datum_t **role_val_to_struct;
-	user_datum_t **user_val_to_struct;
-
-	/* type enforcement access vectors and transitions */
-	avtab_t te_avtab;
-
-	/* bools indexed by (value - 1) */
-	cond_bool_datum_t **bool_val_to_struct;
-	/* type enforcement conditional access vectors and transitions */
-	avtab_t te_cond_avtab;
-	/* linked list indexing te_cond_avtab by conditional */
-	cond_list_t* cond_list;
-
-	/* role transitions */
-	role_trans_t *role_tr;
-
-	/* role allows */
-	role_allow_t *role_allow;
-
-	/* security contexts of initial SIDs, unlabeled file systems,
-	   TCP or UDP port numbers, network interfaces and nodes */
-	ocontext_t *ocontexts[OCON_NUM];
-
-        /* security contexts for files in filesystems that cannot support
-	   a persistent label mapping or use another 
-	   fixed labeling behavior. */
-  	genfs_t *genfs;
-
-#ifdef CONFIG_SECURITY_SELINUX_MLS
-	/* number of legitimate MLS levels */
-	uint32_t nlevels;
-  
-	ebitmap_t trustedreaders;
-	ebitmap_t trustedwriters;
-	ebitmap_t trustedobjects;
-#endif
-
-	unsigned policyvers;
-} policydb_t;
-
-extern int policydb_init(policydb_t * p);
-
-extern int policydb_index_classes(policydb_t * p);
-
-extern int policydb_index_bools(policydb_t * p);
-
-extern int policydb_index_others(policydb_t * p, unsigned int verbose);
-
-extern int constraint_expr_destroy(constraint_expr_t * expr);
-
-extern void policydb_destroy(policydb_t * p);
-
-extern int policydb_load_isids(policydb_t *p, sidtab_t *s);
-
-extern int policydb_context_isvalid(policydb_t *p, context_struct_t *c);
-
-/* A policy "file" may be a memory region referenced by a (data, len) pair
-   or a file referenced by a FILE pointer. */
-struct policy_file {
-#define PF_USE_MEMORY  0
-#define PF_USE_STDIO   1
-	unsigned type;
-	char *data;
-	size_t len;
-	FILE *fp;
-};
-
-extern int policydb_read(policydb_t * p, struct policy_file * fp, unsigned int verbose);
-
-extern int policydb_write(struct policydb *p, struct policy_file *pf);
-
-#define PERM_SYMTAB_SIZE 32
-
-/* Identify specific policy version changes */
-#define POLICYDB_VERSION_BASE		15
-#define POLICYDB_VERSION_BOOL		16
-#define POLICYDB_VERSION_IPV6		17
-#define POLICYDB_VERSION_NLCLASS	18
-
-/* Range of policy versions we understand*/
-#define POLICYDB_VERSION_MIN	POLICYDB_VERSION_BASE
-#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_NLCLASS
-
 /*
- * Set policy version for writing policies.
- * May be any value from POLICYDB_VERSION_MIN to POLICYDB_VERSION_MAX.
- * If not set, then policydb_write defaults to the max.
+ * Generate a binary policy memory image from a policydb.  
+ * This is equivalent to sepol_policydb_write with a policy file
+ * set to refer to memory, but internally handles computing the 
+ * necessary length and allocating an appropriately sized memory
+ * buffer for the caller.  
  */
-extern int sepol_set_policyvers(unsigned int policyvers);
+extern int sepol_policydb_to_image(sepol_handle_t *handle,
+				   sepol_policydb_t *p, 
+				   void **newdata, 
+				   size_t *newlen);
 
-#define POLICYDB_CONFIG_MLS    1
+extern int sepol_policydb_mls_enabled(
+	const sepol_policydb_t* p);
 
-#define OBJECT_R "object_r"
-#define OBJECT_R_VAL 1
-
-#define POLICYDB_MAGIC SELINUX_MAGIC
-#define POLICYDB_STRING "SE Linux"
-
-#endif	/* _POLICYDB_H_ */
-
-/* FLASK */
-
+#endif
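Review bot: `sepol_policydb_to_image` hands the caller a freshly allocated `*newdata` (the comment says the buffer is allocated "for the caller"), but nothing says who releases it or how; the comment should end with a line such as `The caller owns *newdata and must release it with free().`, with the allocator to be confirmed against the implementation. `sepol_policydb_from_image` is where a caller-supplied, possibly untrusted, memory image enters the library, yet it is declared with `void* data` while `sepol_policy_file_set_mem` takes `char *data`, and neither declaration says whether the image is modified in place or could be `const`; pick one type and state it. `sepol_policydb_set_typevers` and `sepol_policydb_set_vers` document only the -1 failure case, so the success return value (presumably 0) should be stated as well. `sepol_policy_file_set_mem` documents `len == 0` only for the write path; what a subsequent `sepol_policydb_read` does with a zero-length image is left unspecified and should be either documented or rejected.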

==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/sepol.h#2 (text+ko) ====

@@ -1,21 +1,28 @@
 #ifndef _SEPOL_H_
 #define _SEPOL_H_
 
-#include <sys/types.h>
+#include <stddef.h>
+#include <stdio.h>
 
-/* Given an existing binary policy (starting at 'data', with length 'len')
-   and a boolean configuration file named by 'boolpath', rewrite the binary
-   policy for the boolean settings in the boolean configuration file.
-   The binary policy is rewritten in place in memory.
-   Returns 0 upon success, or -1 otherwise. */
-extern int sepol_genbools(void *data, size_t len, char *boolpath);
+#include <sepol/user_record.h>
+#include <sepol/context_record.h>
+#include <sepol/iface_record.h>
+#include <sepol/port_record.h>
+#include <sepol/boolean_record.h>
+#include <sepol/node_record.h>
 
-/* Given an existing binary policy (starting at 'data', with length 'len')
-   and boolean settings specified by the parallel arrays ('names', 'values')
-   with 'nel' elements, rewrite the binary policy for the boolean settings.  
-   The binary policy is rewritten in place in memory.
-   Returns 0 upon success or -1 otherwise. */
-extern int sepol_genbools_array(void *data, size_t len, char **names, int *values, int nel);
+#include <sepol/booleans.h>
+#include <sepol/interfaces.h>
+#include <sepol/ports.h>
+#include <sepol/nodes.h>
+#include <sepol/users.h>
+#include <sepol/handle.h>
+#include <sepol/debug.h>
+#include <sepol/policydb.h>
+#include <sepol/module.h>
+#include <sepol/context.h>
 
+/* Set internal policydb from a file for subsequent service calls. */
+extern int sepol_set_policydb_from_file(FILE *fp);
 
 #endif
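Review bot: `sepol_set_policydb_from_file(FILE *fp)` installs process-wide state (the "internal policydb") that the deprecated `sepol_check_context` in the context.h hunk of this change appears to depend on, but the one-line comment says nothing about the return convention, whether the library keeps or closes `fp`, or what happens to a previously installed policydb. A comment along the lines of `Reads a binary policy from 'fp' (which the caller still owns and closes) into a library-global policydb, replacing any previous one; returns 0 on success, -1 on error.` would cover that, with each detail confirmed against the implementation before it is written. Since this is global mutable state shared by all subsequent service calls, the comment should also say whether it is safe to call from more than one thread.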

==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/Makefile#3 (text+ko) ====

@@ -7,32 +7,29 @@
 
 LIBVERSION = 1
 
-# Set to y for MLS
-MLS=n
-
 LIBA=libsepol.a 
 #TARGET=libsepol.so
 #LIBSO=$(TARGET).$(LIBVERSION)
 OBJS= $(patsubst %.c,%.o,$(wildcard *.c))
 #LOBJS= $(patsubst %.c,%.lo,$(wildcard *.c))
-CFLAGS = -Wall $(OPTIONS)
-override CFLAGS += -I. -I../include
+CFLAGS ?= -Wall -W -Wundef -Wmissing-noreturn -Wmissing-format-attribute
+override CFLAGS += -I. -I../include -I../../libsecompat -D_GNU_SOURCE
 
-all: $(LIBA)
+all: $(LIBA) $(LIBSO)
 
 $(LIBA):  $(OBJS)
 	$(AR) rcs $@ $^
 	ranlib $@
 
 $(LIBSO): $(LOBJS)
-	$(CC) $(LDFLAGS) -shared -o $@ $^ -Wl,-soname,$(LIBSO),--version-script=libsepol.map
+	$(CC) $(LDFLAGS) -shared -o $@ $^ -Wl,-soname,$(LIBSO),--version-script=libsepol.map,-z,defs
 	ln -sf $@ $(TARGET) 
 
 %.o:  %.c 
 	$(CC) $(CFLAGS) -c -o $@ $<
 
 %.lo:  %.c
-	$(CC) $(CFLAGS) -fPIC -c -o $@ $<
+	$(CC) $(CFLAGS) -fPIC -DSHARED -c -o $@ $<
 
 install: all
 	test -d $(LIBDIR) || install -m 755 -d $(LIBDIR)
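Review bot: Switching to `CFLAGS ?= -Wall -W -Wundef -Wmissing-noreturn -Wmissing-format-attribute` means any CFLAGS supplied by the environment or a parent make silently replaces the whole warning set instead of adding to it, so builds driven by the tree's top-level flags lose `-Wall` and friends; keeping the warnings in their own variable, `WARNFLAGS = -Wall -W -Wundef -Wmissing-noreturn -Wmissing-format-attribute` and `override CFLAGS += $(WARNFLAGS) -I. -I../include -I../../libsecompat -D_GNU_SOURCE`, preserves them regardless of what the caller passes. `all: $(LIBA) $(LIBSO)` now lists `$(LIBSO)` as a prerequisite, but `LIBSO` is still commented out a few lines above, so the new dependency expands to nothing; either uncomment the shared-library variables or leave `all` as it was so the intent is clear. The added `-z,defs` linker flag is welcome, as it turns unresolved symbols in the shared object into link-time errors rather than load-time surprises.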
@@ -41,6 +38,9 @@
 #	install -m 755 $(LIBSO) $(SHLIBDIR)
 #	cd $(LIBDIR) && ln -sf ../../`basename $(SHLIBDIR)`/$(LIBSO) $(TARGET)
 
+relabel:
+#	/sbin/restorecon $(SHLIBDIR)/$(LIBSO)
+
 clean: 
-	rm -f $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(TARGET) 
+	-rm -f $(OBJS) $(LOBJS) $(LIBA) 
 
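Review bot: The rewritten `clean` rule drops `$(LIBSO)` and `$(TARGET)` from the `rm -f` list while `all` in the previous hunk now depends on `$(LIBSO)`, so a shared object and its symlink produced by `all` would survive `make clean`. With `LIBSO` still commented out at the top of the file this is moot today, but it becomes a stale-artifact trap as soon as the shared build is re-enabled. Suggest `-rm -f $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(TARGET)`. The leading `-` is harmless since `rm -f` already tolerates missing files, but it also hides a permission error on removal, so it is not obviously needed.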

==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/av_permissions.h#2 (text+ko) ====

@@ -1,2 +1,3 @@
 /* Used by security_compute_av. */
 #define PROCESS__TRANSITION                       0x00000002UL
+#define PROCESS__DYNTRANSITION                    0x00800000UL

==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/avtab.c#2 (text+ko) ====

@@ -5,10 +5,26 @@
  *
  * 	Added conditional policy language extensions
  *
+ * Updated: Red Hat, Inc.  James Morris <jmorris@redhat.com>
+ *
+ *      Code cleanup
+ *
  * Copyright (C) 2003 Tresys Technology, LLC
- *	This program is free software; you can redistribute it and/or modify
- *  	it under the terms of the GNU General Public License as published by
- *	the Free Software Foundation, version 2.
+ * Copyright (C) 2003 Red Hat, Inc.
+ *
+ *  This library is free software; you can redistribute it and/or
+ *  modify it under the terms of the GNU Lesser General Public
+ *  License as published by the Free Software Foundation; either
+ *  version 2.1 of the License, or (at your option) any later version.
+ *
+ *  This library is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ *  Lesser General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Lesser General Public
+ *  License along with this library; if not, write to the Free Software
+ *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
  */
  
 /* FLASK */
@@ -18,9 +34,10 @@
  */
 
 #include <stdlib.h>
-#include <sepol/avtab.h>
-#include <sepol/policydb.h>
+#include <sepol/policydb/avtab.h>
+#include <sepol/policydb/policydb.h>
 
+#include "debug.h"
 #include "private.h"
 
 #define AVTAB_HASH(keyp) \
@@ -30,7 +47,7 @@
  AVTAB_HASH_MASK)
 
 static avtab_ptr_t 
-   avtab_insert_node(avtab_t *h, int hvalue, avtab_ptr_t prev, avtab_ptr_t cur, avtab_key_t *key, avtab_datum_t *datum)
+   avtab_insert_node(avtab_t *h, int hvalue, avtab_ptr_t prev, avtab_key_t *key, avtab_datum_t *datum)
 {
 	avtab_ptr_t newnode;
 	newnode = (avtab_ptr_t) malloc(sizeof(struct avtab_node));
@@ -57,6 +74,7 @@
 {
 	int hvalue;
 	avtab_ptr_t prev, cur, newnode;
+	uint16_t specified = key->specified & ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD);
 
 	if (!h)
 		return -ENOMEM;
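Review bot: The mask `key->specified & ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD)` introduced here is repeated verbatim in avtab_insert_nonunique, avtab_search and avtab_search_node (L917, L967, L989) and applied to a parameter in avtab_search_node_next (L1006), with no comment saying why the enable bits are excluded from the match. One definition next to AVTAB_HASH, `#define AVTAB_KEY_SPECIFIED(k) ((k)->specified & ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD))`, with a comment such as `/* enable flags are excluded from key comparison; only the remaining specified bits decide a collision */`, would keep the five sites in step. Note also that the duplicate test `(specified & cur->key.specified)` is an overlap test, so a key whose specified field masks to zero can never collide and is always inserted, and the same key then never matches in avtab_search; if a zero mask is not a valid input, a guard `if (!specified) return -EINVAL;` at this point would reject it early. avtab_insert's body continues past the hunk.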
@@ -68,7 +86,7 @@
 		if (key->source_type == cur->key.source_type && 
 		    key->target_type == cur->key.target_type &&
 		    key->target_class == cur->key.target_class &&
-		    (datum->specified & cur->datum.specified))
+		    (specified & cur->key.specified))
 			return -EEXIST;
 		if (key->source_type < cur->key.source_type)
 			break;
@@ -81,7 +99,7 @@
 			break;
 	}
 
-	newnode = avtab_insert_node(h, hvalue, prev, cur, key, datum);
+	newnode = avtab_insert_node(h, hvalue, prev, key, datum);
 	if(!newnode)
 		return -ENOMEM;
 
@@ -97,6 +115,7 @@
 {
 	int hvalue;
 	avtab_ptr_t prev, cur, newnode;
+	uint16_t specified = key->specified & ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD);
 
 	if (!h)
 		return NULL;
@@ -107,7 +126,7 @@
 		if (key->source_type == cur->key.source_type && 
 		    key->target_type == cur->key.target_type &&
 		    key->target_class == cur->key.target_class &&
-		    (datum->specified & cur->datum.specified))
+		    (specified & cur->key.specified))
 			break;
 		if (key->source_type < cur->key.source_type)
 			break;
@@ -119,37 +138,17 @@
 		    key->target_class < cur->key.target_class)
 			break;
 	}
-	newnode = avtab_insert_node(h, hvalue, prev, cur, key, datum);
+	newnode = avtab_insert_node(h, hvalue, prev, key, datum);
 	
 	return newnode;
 }
 
-/* Unlike avtab_insert(), this function stores a caller-provided parse_context pointer, AND
- * allow multiple insertions of the same key/specified mask into the table, AND returns
- * a pointer to the new node added, all as needed by the conditional avtab.  
- */
-avtab_ptr_t
- avtab_insert_with_parse_context(avtab_t *h, avtab_key_t *key, avtab_datum_t *datum, void *parse_context)
-{
-	avtab_ptr_t newnode;
-
-	if (!h)
-		return NULL;
-
-	newnode = avtab_insert_nonunique(h, key, datum);
-	if(!newnode)
-		return NULL;
-		
-	newnode->parse_context = parse_context;
-		
-	return newnode;			
-}
-
 avtab_datum_t *
- avtab_search(avtab_t * h, avtab_key_t * key, int specified)
+ avtab_search(avtab_t * h, avtab_key_t * key)
 {
 	int hvalue;
 	avtab_ptr_t cur;
+	uint16_t specified = key->specified & ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD);
 
 
 	if (!h)
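Review bot: avtab_search now derives its match mask from `key->specified` instead of a caller-supplied argument, but nothing at the definition says so, and the comparison further down is an any-bit overlap rather than equality, so a key carrying several specified bits returns the first entry that shares any of them. A short contract comment above the definition would spare callers from guessing, e.g. `/* Return the datum of the first entry with the same source/target/class whose specified bits overlap key->specified (enable flags ignored), or NULL if none. */`. The same applies to avtab_search_node at L985, whose existing comment only mentions its pairing with avtab_search_next_node. The function's body continues past the hunk.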
@@ -160,7 +159,7 @@
 		if (key->source_type == cur->key.source_type && 
 		    key->target_type == cur->key.target_type &&
 		    key->target_class == cur->key.target_class &&
-		    (specified & cur->datum.specified))
+		    (specified & cur->key.specified))
 			return &cur->datum;
 
 		if (key->source_type < cur->key.source_type)
@@ -181,10 +180,11 @@
  * conjunction with avtab_search_next_node()
  */
 avtab_ptr_t 
- avtab_search_node(avtab_t * h, avtab_key_t * key, int specified)
+ avtab_search_node(avtab_t * h, avtab_key_t * key)
 {
 	int hvalue;
 	avtab_ptr_t cur;
+	uint16_t specified = key->specified & ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD);
 
 	if (!h)
 		return NULL;
@@ -194,7 +194,7 @@
 		if (key->source_type == cur->key.source_type && 
 		    key->target_type == cur->key.target_type &&
 		    key->target_class == cur->key.target_class &&
-		    (specified & cur->datum.specified))
+		    (specified & cur->key.specified))
 			return cur;
 
 		if (key->source_type < cur->key.source_type)
@@ -218,11 +218,12 @@
 	if (!node)
 		return NULL;
 		
+	specified &= ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD);
 	for (cur = node->next; cur; cur = cur->next) {
 		if (node->key.source_type == cur->key.source_type && 
 		    node->key.target_type == cur->key.target_type &&
 		    node->key.target_class == cur->key.target_class &&

>>> TRUNCATED FOR MAIL (1000 lines) <<<


