Date: Thu, 20 Apr 2006 21:26:22 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 95721 for review Message-ID: <200604202126.k3KLQMQI005610@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=95721 Change 95721 by millert@millert_g5tower on 2006/04/20 21:25:44 Update to libsepol 1.12 Obtained from: pleblance Affected files ... .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/COPYING#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/ChangeLog#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/Makefile#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/VERSION#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/Makefile#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/avtab.h#2 delete .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/boolean_record.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/booleans.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/conditional.h#2 delete .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/constraint.h#2 delete .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/context.h#2 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/context_record.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/debug.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/ebitmap.h#2 delete .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/flask.h#2 delete .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/flask_types.h#2 delete .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/handle.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/hashtab.h#2 delete .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/iface_record.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/interfaces.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/mls.h#2 delete .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/mls_types.h#2 delete .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/module.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/node_record.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/nodes.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/policydb.h#2 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/policydb/avrule_block.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/policydb/avtab.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/policydb/conditional.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/policydb/constraint.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/policydb/context.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/policydb/ebitmap.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/policydb/expand.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/policydb/flask.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/policydb/flask_types.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/policydb/hashtab.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/policydb/hierarchy.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/policydb/link.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/policydb/mls_types.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/policydb/module.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/policydb/policydb.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/policydb/services.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/policydb/sidtab.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/policydb/symtab.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/port_record.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/ports.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/roles.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/sepol.h#2 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/services.h#2 delete .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/sidtab.h#2 delete .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/symtab.h#2 delete .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/user_record.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/users.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sys/endian.h#2 delete .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/man/Makefile#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/man/man3/sepol_check_context.3#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/man/man3/sepol_genbools.3#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/man/man3/sepol_genusers.3#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/man/man8/chkcon.8#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/man/man8/genpolbools.8#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/man/man8/genpolusers.8#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/Makefile#3 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/assertion.c#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/av_permissions.h#2 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/avrule_block.c#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/avtab.c#2 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/boolean_internal.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/boolean_record.c#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/booleans.c#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/conditional.c#2 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/constraint.c#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/context.c#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/context.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/context_internal.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/context_record.c#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/debug.c#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/debug.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/dso.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/ebitmap.c#2 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/expand.c#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/genbools.c#2 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/genusers.c#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/handle.c#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/handle.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/hashtab.c#2 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/hierarchy.c#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/iface_internal.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/iface_record.c#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/interfaces.c#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/libsepol.map#2 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/link.c#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/mls.c#2 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/mls.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/module.c#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/module_internal.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/node_internal.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/node_record.c#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/nodes.c#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/policydb.c#2 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/policydb_convert.c#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/policydb_internal.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/policydb_public.c#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/port_internal.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/port_record.c#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/ports.c#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/private.h#2 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/roles.c#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/services.c#2 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/sidtab.c#2 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/symtab.c#2 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/user_internal.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/user_record.c#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/users.c#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/util.c#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/write.c#2 edit .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/utils/Makefile#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/utils/chkcon.c#1 add .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/utils/genpolbools.c#2 delete Differences ... ==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/context.h#2 (text+ko) ==== @@ -1,131 +1,31 @@ +#ifndef _SEPOL_CONTEXT_H_ +#define _SEPOL_CONTEXT_H_ -/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */ +#include <sepol/context_record.h> +#include <sepol/policydb.h> +#include <sepol/handle.h> -/* FLASK */ +/* -- Deprecated -- */ -/* - * A security context is a set of security attributes - * associated with each subject and object controlled - * by the security policy. Security contexts are - * externally represented as variable-length strings - * that can be interpreted by a user or application - * with an understanding of the security policy. - * Internally, the security server uses a simple - * structure. This structure is private to the - * security server and can be changed without affecting - * clients of the security server. - */ +extern int sepol_check_context( + const char *context); -#ifndef _CONTEXT_H_ -#define _CONTEXT_H_ +/* -- End deprecated -- */ -#include <sepol/ebitmap.h> +extern int sepol_context_check( + sepol_handle_t* handle, + const sepol_policydb_t* policydb, + const sepol_context_t* context); -#include <sepol/mls_types.h> +extern int sepol_mls_contains( + sepol_handle_t* handle, + const sepol_policydb_t* policydb, + const char* mls1, + const char* mls2, + int* response); -/* - * A security context consists of an authenticated user - * identity, a role, a type and a MLS range. - */ -typedef struct context_struct { - uint32_t user; - uint32_t role; - uint32_t type; -#ifdef CONFIG_SECURITY_SELINUX_MLS - mls_range_t range; -#endif -} context_struct_t; - - -#ifdef CONFIG_SECURITY_SELINUX_MLS - -static inline void mls_context_init(context_struct_t * c) -{ - memset(&c->range, 0, sizeof(c->range)); -} - -static inline int mls_context_cpy(context_struct_t * dst, - context_struct_t * src) -{ - int rc; - - dst->range.level[0].sens = src->range.level[0].sens; - rc = ebitmap_cpy(&dst->range.level[0].cat, &src->range.level[0].cat); - if (rc) - goto out; - - dst->range.level[1].sens = src->range.level[1].sens; - rc = ebitmap_cpy(&dst->range.level[1].cat, &src->range.level[1].cat); - if (rc) - ebitmap_destroy(&dst->range.level[0].cat); -out: - return rc; -} - -static inline int mls_context_cmp(context_struct_t * c1, - context_struct_t * c2) -{ - return ((c1->range.level[0].sens == c2->range.level[0].sens) && - ebitmap_cmp(&c1->range.level[0].cat,&c2->range.level[0].cat) && - (c1->range.level[1].sens == c2->range.level[1].sens) && - ebitmap_cmp(&c1->range.level[1].cat,&c2->range.level[1].cat)); -} - -static inline void mls_context_destroy(context_struct_t * c) -{ - ebitmap_destroy(&c->range.level[0].cat); - ebitmap_destroy(&c->range.level[1].cat); - mls_context_init(c); -} - -#else - -static inline void mls_context_init(context_struct_t *c __attribute__ ((unused))) -{ } - -static inline int mls_context_cpy(context_struct_t * dst __attribute__ ((unused)), - context_struct_t * src __attribute__ ((unused))) -{ return 0; } - -static inline int mls_context_cmp(context_struct_t * c1 __attribute__ ((unused)), - context_struct_t * c2 __attribute__ ((unused))) -{ return 1; } - -static inline void mls_context_destroy(context_struct_t * c __attribute__ ((unused))) -{ } - +extern int sepol_mls_check( + sepol_handle_t* handle, + const sepol_policydb_t* policydb, + const char* mls); #endif - -static inline void context_init(context_struct_t * c) -{ - memset(c, 0, sizeof(*c)); -} - -static inline int context_cpy(context_struct_t * dst, - context_struct_t * src) -{ - dst->user = src->user; - dst->role = src->role; - dst->type = src->type; - return mls_context_cpy(dst, src); -} - -static inline void context_destroy(context_struct_t * c) -{ - c->user = c->role = c->type = 0; - mls_context_destroy(c); -} - -static inline int context_cmp(context_struct_t * c1, - context_struct_t * c2) -{ - return ((c1->user == c2->user) && - (c1->role == c2->role) && - (c1->type == c2->type) && - mls_context_cmp(c1, c2)); -} - -#endif /* _CONTEXT_H_ */ - -/* FLASK */ - ==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/policydb.h#2 (text+ko) ==== @@ -1,327 +1,130 @@ +#ifndef _SEPOL_POLICYDB_H_ +#define _SEPOL_POLICYDB_H_ -/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */ +#include <stddef.h> +#include <stdio.h> -/* Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com> - * - * Added conditional policy language extensions - * - * Copyright (C) 2003 - 2004 Tresys Technology, LLC - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, version 2. - */ +#include <sepol/handle.h> -/* FLASK */ +struct sepol_policy_file; +typedef struct sepol_policy_file sepol_policy_file_t; -/* - * A policy database (policydb) specifies the - * configuration data for the security policy. - */ +struct sepol_policydb; +typedef struct sepol_policydb sepol_policydb_t; -#ifndef _POLICYDB_H_ -#define _POLICYDB_H_ +/* Policy file public interfaces. */ -#include <stdio.h> +/* Create and free memory associated with a policy file. */ +extern int sepol_policy_file_create(sepol_policy_file_t **pf); +extern void sepol_policy_file_free(sepol_policy_file_t *pf); -#include <sepol/flask_types.h> -#include <sepol/symtab.h> -#include <sepol/avtab.h> -#include <sepol/context.h> -#include <sepol/constraint.h> -#include <sepol/sidtab.h> +/* + * Set the policy file to represent a binary policy memory image. + * Subsequent operations using the policy file will read and write + * the image located at the specified address with the specified length. + * If 'len' is 0, then merely compute the necessary length upon + * subsequent policydb write operations in order to determine the + * necessary buffer size to allocate. + */ +extern void sepol_policy_file_set_mem(sepol_policy_file_t *pf, + char *data, + size_t len); /* - * A datum type is defined for each kind of symbol - * in the configuration data: individual permissions, - * common prefixes for access vectors, classes, - * users, roles, types, sensitivities, categories, etc. + * Get the size of the buffer needed to store a policydb write + * previously done on this policy file. */ +extern int sepol_policy_file_get_len(sepol_policy_file_t *pf, + size_t *len); -/* Permission attributes */ -typedef struct perm_datum { - uint32_t value; /* permission bit + 1 */ -#ifdef CONFIG_SECURITY_SELINUX_MLS -#define MLS_BASE_READ 1 /* MLS base permission `read' */ -#define MLS_BASE_WRITE 2 /* MLS base permission `write' */ -#define MLS_BASE_READBY 4 /* MLS base permission `readby' */ -#define MLS_BASE_WRITEBY 8 /* MLS base permission `writeby' */ - uint32_t base_perms; /* MLS base permission mask */ -#endif -} perm_datum_t; +/* + * Set the policy file to represent a FILE. + * Subsequent operations using the policy file will read and write + * to the FILE. + */ +extern void sepol_policy_file_set_fp(sepol_policy_file_t *pf, + FILE *fp); -/* Attributes of a common prefix for access vectors */ -typedef struct common_datum { - uint32_t value; /* internal common value */ - symtab_t permissions; /* common permissions */ -} common_datum_t; +/* + * Associate a handle with a policy file, for use in + * error reporting from subsequent calls that take the + * policy file as an argument. + */ +extern void sepol_policy_file_set_handle(sepol_policy_file_t *pf, + sepol_handle_t *handle); -/* Class attributes */ -typedef struct class_datum { - uint32_t value; /* class value */ - char *comkey; /* common name */ - common_datum_t *comdatum; /* common datum */ - symtab_t permissions; /* class-specific permission symbol table */ - constraint_node_t *constraints; /* constraints on class permissions */ -#ifdef CONFIG_SECURITY_SELINUX_MLS - mls_perms_t mlsperms; /* MLS base permission masks */ -#endif -} class_datum_t; +/* Policydb public interfaces. */ -/* Role attributes */ -typedef struct role_datum { - uint32_t value; /* internal role value */ - ebitmap_t dominates; /* set of roles dominated by this role */ - ebitmap_t types; /* set of authorized types for role */ -} role_datum_t; +/* Create and free memory associated with a policydb. */ +extern int sepol_policydb_create(sepol_policydb_t **p); +extern void sepol_policydb_free(sepol_policydb_t *p); -typedef struct role_trans { - uint32_t role; /* current role */ - uint32_t type; /* program executable type */ - uint32_t new_role; /* new role */ - struct role_trans *next; -} role_trans_t; +/* Legal types of policies that the policydb can represent. */ +#define SEPOL_POLICY_KERN 0 +#define SEPOL_POLICY_BASE 1 +#define SEPOL_POLICY_MOD 2 -typedef struct role_allow { - uint32_t role; /* current role */ - uint32_t new_role; /* new role */ - struct role_allow *next; -} role_allow_t; +/* + * Range of policy versions for the kernel policy type supported + * by this library. + */ +extern int sepol_policy_kern_vers_min(void); +extern int sepol_policy_kern_vers_max(void); -/* Type attributes */ -typedef struct type_datum { - uint32_t value; /* internal type value */ - unsigned char primary; /* primary name? */ -#ifndef __KERNEL__ - unsigned char isattr; /* is this a type attribute? */ - ebitmap_t types; /* types with this attribute */ -#endif -} type_datum_t; +/* + * Set the policy type as specified, and automatically initialize the + * policy version accordingly to the maximum version supported for the + * policy type. + * Returns -1 if the policy type is not legal. + */ +extern int sepol_policydb_set_typevers(sepol_policydb_t *p, unsigned int type); -/* User attributes */ -typedef struct user_datum { - uint32_t value; /* internal user value */ - ebitmap_t roles; /* set of authorized roles for user */ -#ifdef CONFIG_SECURITY_SELINUX_MLS - mls_range_list_t *ranges; /* list of authorized MLS ranges for user */ -#endif - unsigned defined; -} user_datum_t; +/* + * Set the policy version to a different value. + * Returns -1 if the policy version is not in the supported range for + * the (previously set) policy type. + */ +extern int sepol_policydb_set_vers(sepol_policydb_t *p, unsigned int vers); +/* + * Read a policydb from a policy file. + * This automatically sets the type and version based on the + * image contents. + */ +extern int sepol_policydb_read(sepol_policydb_t *p, + sepol_policy_file_t *pf); -#ifdef CONFIG_SECURITY_SELINUX_MLS -/* Sensitivity attributes */ -typedef struct level_datum { - mls_level_t *level; /* sensitivity and associated categories */ - unsigned char isalias; /* is this sensitivity an alias for another? */ -} level_datum_t; +/* + * Write a policydb to a policy file. + * The generated image will be in the binary format corresponding + * to the policy version associated with the policydb. + */ +extern int sepol_policydb_write(sepol_policydb_t *p, + sepol_policy_file_t *pf); -/* Category attributes */ -typedef struct cat_datum { - uint32_t value; /* internal category bit + 1 */ - unsigned char isalias; /* is this category an alias for another? */ -} cat_datum_t; -#endif - -/* Boolean data type */ -typedef struct cond_bool_datum { - uint32_t value; /* internal type value */ - int state; -} cond_bool_datum_t; - -struct cond_node; - -typedef struct cond_node cond_list_t; - /* - * The configuration data includes security contexts for - * initial SIDs, unlabeled file systems, TCP and UDP port numbers, - * network interfaces, and nodes. This structure stores the - * relevant data for one such entry. Entries of the same kind - * (e.g. all initial SIDs) are linked together into a list. + * Extract a policydb from a binary policy memory image. + * This is equivalent to sepol_policydb_read with a policy file + * set to refer to memory. */ -typedef struct ocontext { - union { - char *name; /* name of initial SID, fs, netif, fstype, path */ - struct { - uint8_t protocol; - uint16_t low_port; - uint16_t high_port; - } port; /* TCP or UDP port information */ - struct { - uint32_t addr; - uint32_t mask; - } node; /* node information */ - struct { - uint32_t addr[4]; - uint32_t mask[4]; - } node6; /* IPv6 node information */ - } u; - union { - uint32_t sclass; /* security class for genfs */ - uint32_t behavior; /* labeling behavior for fs_use */ - } v; - context_struct_t context[2]; /* security context(s) */ - security_id_t sid[2]; /* SID(s) */ - struct ocontext *next; -} ocontext_t; - -typedef struct genfs { - char *fstype; - struct ocontext *head; - struct genfs *next; -} genfs_t; - -/* symbol table array indices */ -#define SYM_COMMONS 0 -#define SYM_CLASSES 1 -#define SYM_ROLES 2 -#define SYM_TYPES 3 -#define SYM_USERS 4 -#ifdef CONFIG_SECURITY_SELINUX_MLS -#define SYM_LEVELS 5 -#define SYM_CATS 6 -#define SYM_BOOLS 7 -#define SYM_NUM 8 -#else -#define SYM_BOOLS 5 -#define SYM_NUM 6 -#endif - -/* object context array indices */ -#define OCON_ISID 0 /* initial SIDs */ -#define OCON_FS 1 /* unlabeled file systems */ -#define OCON_PORT 2 /* TCP and UDP port numbers */ -#define OCON_NETIF 3 /* network interfaces */ -#define OCON_NODE 4 /* nodes */ -#define OCON_FSUSE 5 /* fs_use */ -#define OCON_NODE6 6 /* IPv6 nodes */ -#define OCON_NUM 7 - -/* The policy database */ -typedef struct policydb { - /* symbol tables */ - symtab_t symtab[SYM_NUM]; -#define p_commons symtab[SYM_COMMONS] -#define p_classes symtab[SYM_CLASSES] -#define p_roles symtab[SYM_ROLES] -#define p_types symtab[SYM_TYPES] -#define p_users symtab[SYM_USERS] -#define p_levels symtab[SYM_LEVELS] -#define p_cats symtab[SYM_CATS] -#define p_bools symtab[SYM_BOOLS] +extern int sepol_policydb_from_image(sepol_handle_t *handle, + void* data, size_t len, + sepol_policydb_t *p); - /* symbol names indexed by (value - 1) */ - char **sym_val_to_name[SYM_NUM]; -#define p_common_val_to_name sym_val_to_name[SYM_COMMONS] -#define p_class_val_to_name sym_val_to_name[SYM_CLASSES] -#define p_role_val_to_name sym_val_to_name[SYM_ROLES] -#define p_type_val_to_name sym_val_to_name[SYM_TYPES] -#define p_user_val_to_name sym_val_to_name[SYM_USERS] -#define p_sens_val_to_name sym_val_to_name[SYM_LEVELS] -#define p_cat_val_to_name sym_val_to_name[SYM_CATS] -#define p_bool_val_to_name sym_val_to_name[SYM_BOOLS] - /* class, role, and user attributes indexed by (value - 1) */ - class_datum_t **class_val_to_struct; - role_datum_t **role_val_to_struct; - user_datum_t **user_val_to_struct; - - /* type enforcement access vectors and transitions */ - avtab_t te_avtab; - - /* bools indexed by (value - 1) */ - cond_bool_datum_t **bool_val_to_struct; - /* type enforcement conditional access vectors and transitions */ - avtab_t te_cond_avtab; - /* linked list indexing te_cond_avtab by conditional */ - cond_list_t* cond_list; - - /* role transitions */ - role_trans_t *role_tr; - - /* role allows */ - role_allow_t *role_allow; - - /* security contexts of initial SIDs, unlabeled file systems, - TCP or UDP port numbers, network interfaces and nodes */ - ocontext_t *ocontexts[OCON_NUM]; - - /* security contexts for files in filesystems that cannot support - a persistent label mapping or use another - fixed labeling behavior. */ - genfs_t *genfs; - -#ifdef CONFIG_SECURITY_SELINUX_MLS - /* number of legitimate MLS levels */ - uint32_t nlevels; - - ebitmap_t trustedreaders; - ebitmap_t trustedwriters; - ebitmap_t trustedobjects; -#endif - - unsigned policyvers; -} policydb_t; - -extern int policydb_init(policydb_t * p); - -extern int policydb_index_classes(policydb_t * p); - -extern int policydb_index_bools(policydb_t * p); - -extern int policydb_index_others(policydb_t * p, unsigned int verbose); - -extern int constraint_expr_destroy(constraint_expr_t * expr); - -extern void policydb_destroy(policydb_t * p); - -extern int policydb_load_isids(policydb_t *p, sidtab_t *s); - -extern int policydb_context_isvalid(policydb_t *p, context_struct_t *c); - -/* A policy "file" may be a memory region referenced by a (data, len) pair - or a file referenced by a FILE pointer. */ -struct policy_file { -#define PF_USE_MEMORY 0 -#define PF_USE_STDIO 1 - unsigned type; - char *data; - size_t len; - FILE *fp; -}; - -extern int policydb_read(policydb_t * p, struct policy_file * fp, unsigned int verbose); - -extern int policydb_write(struct policydb *p, struct policy_file *pf); - -#define PERM_SYMTAB_SIZE 32 - -/* Identify specific policy version changes */ -#define POLICYDB_VERSION_BASE 15 -#define POLICYDB_VERSION_BOOL 16 -#define POLICYDB_VERSION_IPV6 17 -#define POLICYDB_VERSION_NLCLASS 18 - -/* Range of policy versions we understand*/ -#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE -#define POLICYDB_VERSION_MAX POLICYDB_VERSION_NLCLASS - /* - * Set policy version for writing policies. - * May be any value from POLICYDB_VERSION_MIN to POLICYDB_VERSION_MAX. - * If not set, then policydb_write defaults to the max. + * Generate a binary policy memory image from a policydb. + * This is equivalent to sepol_policydb_write with a policy file + * set to refer to memory, but internally handles computing the + * necessary length and allocating an appropriately sized memory + * buffer for the caller. */ -extern int sepol_set_policyvers(unsigned int policyvers); +extern int sepol_policydb_to_image(sepol_handle_t *handle, + sepol_policydb_t *p, + void **newdata, + size_t *newlen); -#define POLICYDB_CONFIG_MLS 1 +extern int sepol_policydb_mls_enabled( + const sepol_policydb_t* p); -#define OBJECT_R "object_r" -#define OBJECT_R_VAL 1 - -#define POLICYDB_MAGIC SELINUX_MAGIC -#define POLICYDB_STRING "SE Linux" - -#endif /* _POLICYDB_H_ */ - -/* FLASK */ - +#endif ==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/include/sepol/sepol.h#2 (text+ko) ==== @@ -1,21 +1,28 @@ #ifndef _SEPOL_H_ #define _SEPOL_H_ -#include <sys/types.h> +#include <stddef.h> +#include <stdio.h> -/* Given an existing binary policy (starting at 'data', with length 'len') - and a boolean configuration file named by 'boolpath', rewrite the binary - policy for the boolean settings in the boolean configuration file. - The binary policy is rewritten in place in memory. - Returns 0 upon success, or -1 otherwise. */ -extern int sepol_genbools(void *data, size_t len, char *boolpath); +#include <sepol/user_record.h> +#include <sepol/context_record.h> +#include <sepol/iface_record.h> +#include <sepol/port_record.h> +#include <sepol/boolean_record.h> +#include <sepol/node_record.h> -/* Given an existing binary policy (starting at 'data', with length 'len') - and boolean settings specified by the parallel arrays ('names', 'values') - with 'nel' elements, rewrite the binary policy for the boolean settings. - The binary policy is rewritten in place in memory. - Returns 0 upon success or -1 otherwise. */ -extern int sepol_genbools_array(void *data, size_t len, char **names, int *values, int nel); +#include <sepol/booleans.h> +#include <sepol/interfaces.h> +#include <sepol/ports.h> +#include <sepol/nodes.h> +#include <sepol/users.h> +#include <sepol/handle.h> +#include <sepol/debug.h> +#include <sepol/policydb.h> +#include <sepol/module.h> +#include <sepol/context.h> +/* Set internal policydb from a file for subsequent service calls. */ +extern int sepol_set_policydb_from_file(FILE *fp); #endif ==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/Makefile#3 (text+ko) ==== @@ -7,32 +7,29 @@ LIBVERSION = 1 -# Set to y for MLS -MLS=n - LIBA=libsepol.a #TARGET=libsepol.so #LIBSO=$(TARGET).$(LIBVERSION) OBJS= $(patsubst %.c,%.o,$(wildcard *.c)) #LOBJS= $(patsubst %.c,%.lo,$(wildcard *.c)) -CFLAGS = -Wall $(OPTIONS) -override CFLAGS += -I. -I../include +CFLAGS ?= -Wall -W -Wundef -Wmissing-noreturn -Wmissing-format-attribute +override CFLAGS += -I. -I../include -I../../libsecompat -D_GNU_SOURCE -all: $(LIBA) +all: $(LIBA) $(LIBSO) $(LIBA): $(OBJS) $(AR) rcs $@ $^ ranlib $@ $(LIBSO): $(LOBJS) - $(CC) $(LDFLAGS) -shared -o $@ $^ -Wl,-soname,$(LIBSO),--version-script=libsepol.map + $(CC) $(LDFLAGS) -shared -o $@ $^ -Wl,-soname,$(LIBSO),--version-script=libsepol.map,-z,defs ln -sf $@ $(TARGET) %.o: %.c $(CC) $(CFLAGS) -c -o $@ $< %.lo: %.c - $(CC) $(CFLAGS) -fPIC -c -o $@ $< + $(CC) $(CFLAGS) -fPIC -DSHARED -c -o $@ $< install: all test -d $(LIBDIR) || install -m 755 -d $(LIBDIR) @@ -41,6 +38,9 @@ # install -m 755 $(LIBSO) $(SHLIBDIR) # cd $(LIBDIR) && ln -sf ../../`basename $(SHLIBDIR)`/$(LIBSO) $(TARGET) +relabel: +# /sbin/restorecon $(SHLIBDIR)/$(LIBSO) + clean: - rm -f $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(TARGET) + -rm -f $(OBJS) $(LOBJS) $(LIBA) ==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/av_permissions.h#2 (text+ko) ==== @@ -1,2 +1,3 @@ /* Used by security_compute_av. */ #define PROCESS__TRANSITION 0x00000002UL +#define PROCESS__DYNTRANSITION 0x00800000UL ==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsepol/src/avtab.c#2 (text+ko) ==== @@ -5,10 +5,26 @@ * * Added conditional policy language extensions * + * Updated: Red Hat, Inc. James Morris <jmorris@redhat.com> + * + * Code cleanup + * * Copyright (C) 2003 Tresys Technology, LLC - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, version 2. + * Copyright (C) 2003 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ /* FLASK */ @@ -18,9 +34,10 @@ */ #include <stdlib.h> -#include <sepol/avtab.h> -#include <sepol/policydb.h> +#include <sepol/policydb/avtab.h> +#include <sepol/policydb/policydb.h> +#include "debug.h" #include "private.h" #define AVTAB_HASH(keyp) \ @@ -30,7 +47,7 @@ AVTAB_HASH_MASK) static avtab_ptr_t - avtab_insert_node(avtab_t *h, int hvalue, avtab_ptr_t prev, avtab_ptr_t cur, avtab_key_t *key, avtab_datum_t *datum) + avtab_insert_node(avtab_t *h, int hvalue, avtab_ptr_t prev, avtab_key_t *key, avtab_datum_t *datum) { avtab_ptr_t newnode; newnode = (avtab_ptr_t) malloc(sizeof(struct avtab_node)); @@ -57,6 +74,7 @@ { int hvalue; avtab_ptr_t prev, cur, newnode; + uint16_t specified = key->specified & ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD); if (!h) return -ENOMEM; @@ -68,7 +86,7 @@ if (key->source_type == cur->key.source_type && key->target_type == cur->key.target_type && key->target_class == cur->key.target_class && - (datum->specified & cur->datum.specified)) + (specified & cur->key.specified)) return -EEXIST; if (key->source_type < cur->key.source_type) break; @@ -81,7 +99,7 @@ break; } - newnode = avtab_insert_node(h, hvalue, prev, cur, key, datum); + newnode = avtab_insert_node(h, hvalue, prev, key, datum); if(!newnode) return -ENOMEM; @@ -97,6 +115,7 @@ { int hvalue; avtab_ptr_t prev, cur, newnode; + uint16_t specified = key->specified & ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD); if (!h) return NULL; @@ -107,7 +126,7 @@ if (key->source_type == cur->key.source_type && key->target_type == cur->key.target_type && key->target_class == cur->key.target_class && - (datum->specified & cur->datum.specified)) + (specified & cur->key.specified)) break; if (key->source_type < cur->key.source_type) break; @@ -119,37 +138,17 @@ key->target_class < cur->key.target_class) break; } - newnode = avtab_insert_node(h, hvalue, prev, cur, key, datum); + newnode = avtab_insert_node(h, hvalue, prev, key, datum); return newnode; } -/* Unlike avtab_insert(), this function stores a caller-provided parse_context pointer, AND - * allow multiple insertions of the same key/specified mask into the table, AND returns - * a pointer to the new node added, all as needed by the conditional avtab. - */ -avtab_ptr_t - avtab_insert_with_parse_context(avtab_t *h, avtab_key_t *key, avtab_datum_t *datum, void *parse_context) -{ - avtab_ptr_t newnode; - - if (!h) - return NULL; - - newnode = avtab_insert_nonunique(h, key, datum); - if(!newnode) - return NULL; - - newnode->parse_context = parse_context; - - return newnode; -} - avtab_datum_t * - avtab_search(avtab_t * h, avtab_key_t * key, int specified) + avtab_search(avtab_t * h, avtab_key_t * key) { int hvalue; avtab_ptr_t cur; + uint16_t specified = key->specified & ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD); if (!h) @@ -160,7 +159,7 @@ if (key->source_type == cur->key.source_type && key->target_type == cur->key.target_type && key->target_class == cur->key.target_class && - (specified & cur->datum.specified)) + (specified & cur->key.specified)) return &cur->datum; if (key->source_type < cur->key.source_type) @@ -181,10 +180,11 @@ * conjunction with avtab_search_next_node() */ avtab_ptr_t - avtab_search_node(avtab_t * h, avtab_key_t * key, int specified) + avtab_search_node(avtab_t * h, avtab_key_t * key) { int hvalue; avtab_ptr_t cur; + uint16_t specified = key->specified & ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD); if (!h) return NULL; @@ -194,7 +194,7 @@ if (key->source_type == cur->key.source_type && key->target_type == cur->key.target_type && key->target_class == cur->key.target_class && - (specified & cur->datum.specified)) + (specified & cur->key.specified)) return cur; if (key->source_type < cur->key.source_type) @@ -218,11 +218,12 @@ if (!node) return NULL; + specified &= ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD); for (cur = node->next; cur; cur = cur->next) { if (node->key.source_type == cur->key.source_type && node->key.target_type == cur->key.target_type && node->key.target_class == cur->key.target_class && >>> TRUNCATED FOR MAIL (1000 lines) <<<
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200604202126.k3KLQMQI005610>