Date: Tue, 30 Nov 2004 16:40:34 GMT From: Andrew Reisse <areisse@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 66109 for review Message-ID: <200411301640.iAUGeYas001249@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=66109
Change 66109 by areisse@areisse_tislabs on 2004/11/30 16:40:09
Update sebsd_checkpolicy to use the new libsepol library, and other changes merged from selinux.
Affected files ...
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/checkpolicy.c#8 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/checkpolicy.h#4 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/policy_parse.y#5 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/policy_scan.l#4 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/queue.c#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/queue.h#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/write.c#3 delete
Differences ...
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/checkpolicy.c#8 (text+ko) ====
@@ -56,21 +56,24 @@
 #include <sys/stat.h>
 #include <sys/mman.h>
 #include <netinet/in.h>
-#include "linux-compat.h"
 #else /* __FreeBSD__ */
 #include <getopt.h>
 #endif /* __FreeBSD__ */
-#include "global.h"
-#include "policydb.h"
-#include "services.h"
+#include <sepol/policydb.h>
+#include <sepol/services.h>
+#include <sepol/conditional.h>
+#include <sepol/flask.h>
+
 #include "queue.h"
 #include "checkpolicy.h"
-#include "security.h"
 extern char *optarg;
 extern int optind;
+static policydb_t policydb;
+static sidtab_t sidtab;
+
 extern policydb_t *policydbp;
 extern queue_t id_queue;
 extern unsigned int policydb_errors;
@@ -87,12 +90,6 @@
 char *binfile = "policy";
 unsigned int policyvers = POLICYDB_VERSION_MAX;
-int selinux_enforcing = 1;
-
-int avc_ss_reset(__u32 seqno)
-{
- return 0;
-}
 void usage(char *progname)
 {
@@ -108,7 +105,7 @@
 size_t scontext_len;
 int rc;
- rc = security_sid_to_context(sid, &scontext, &scontext_len);
+ rc = sepol_sid_to_context(sid, &scontext, &scontext_len);
 if (rc)
 printf("sid %d -> error %d\n", sid, rc);
 else {
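Review bot: The FreeBSD include branch of checkpolicy.c drops linux-compat.h without a replacement, whereas the same edit in policy_parse.y substitutes <sys/socket.h>; the debug menu in this file still uses AF_INET and inet_addr (the @@ -929 hunk), which on FreeBSD come from <sys/socket.h> and <arpa/inet.h>, not <netinet/in.h>. If nothing above line 56 already pulls those in, add `#include <sys/socket.h>` and `#include <arpa/inet.h>` next to `#include <netinet/in.h>`. Separately, this hunk makes `policydb` and `sidtab` file-static objects, but no hunk in this change hands them to libsepol; if libsepol keeps its own policydb and sidtab, then sepol_load_policy/sepol_sid_to_context and the `sepol_sidtab_map(&sidtab, ...)` call in menu option 6 would be looking at different tables, so either that registration happens outside these hunks or it needs adding — a comment on the two declarations saying which is the case would help either way.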
@@ -452,6 +449,10 @@
 void *filedata;
 struct stat sb;
 size_t filelen;
+ char *name;
+ int state;
+ int show_version = 0;
+ struct policy_file pf;
 while ((ch = getopt(argc, argv, "o:dbVc:")) != EOF) {
 switch (ch) {
@@ -530,15 +531,15 @@
 close(fd);
 exit(1);
 }
- ret = security_load_policy(filedata, filelen);
+ ret = sepol_load_policy(filedata, filelen);
 switch (ret) {
 case 0:
 printf("\nsuccess\n");
 break;
- case -EINVAL:
+ case EINVAL:
 printf("\ninvalid policy\n");
 break;
- case -ENOMEM:
+ case ENOMEM:
 printf("\nout of memory\n");
 break;
 default:
@@ -588,12 +589,6 @@
 if (policydb_errors)
 exit(1);
- if (policyvers >= POLICYDB_VERSION_NLCLASS &&
- policydb.p_classes.nprim < SECCLASS_NETLINK_DNRT_SOCKET) {
- fprintf(stderr, "%s: policy lacks new netlink classes, unable to generate policy version %d\n", argv[0], policyvers);
- exit(1);
- }
-
 /* remove type attributes */
 hashtab_map_remove_on_error(policydb.p_types.table,
 type_attr_remove, 0, 0);
@@ -613,7 +608,12 @@
 perror(outfile);
 exit(1);
 }
- ret = policydb_write(&policydb, outfp);
+
+ sepol_set_policyvers(policyvers);
+
+ pf.type = PF_USE_STDIO;
+ pf.fp = outfp;
+ ret = policydb_write(&policydb, &pf);
 if (ret) {
 fprintf(stderr, "%s: error writing %s\n",
 argv[0], outfile);
@@ -624,8 +624,6 @@
 if (!debug)
 exit(0);
- ss_initialized = 1;
-
 menu:
 printf("\nSelect an option:\n");
 printf("0) Call compute_access_vector\n");
@@ -688,7 +686,7 @@
 printf("\nNo access vector definition for that class\n");
 break;
 }
- ret = security_compute_av(ssid, tsid, tclass, 0, &avd);
+ ret = sepol_compute_av(ssid, tsid, tclass, 0, &avd);
 allowed = avd.allowed;
 switch (ret) {
 case 0:
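Review bot: `struct policy_file pf` is declared here and only `pf.type` and `pf.fp` are ever assigned (in the @@ -613 hunk) before `policydb_write(&policydb, &pf)`, so any other member libsepol reads from that struct is uninitialized stack; declare it as `struct policy_file pf = { 0 };` (or memset it before use) so the remaining fields have defined values. The new locals `name` and `state` are not used in any hunk of this change; if they have no use outside the visible hunks they are dead declarations and should go. The enclosing function (presumably main) starts and ends outside this hunk.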
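Review bot: The error convention changes sign in this switch (`case -EINVAL:` becomes `case EINVAL:`), but the other switches on libsepol results in this change show only `case 0:` in context — the second sepol_load_policy call (@@ -841), sepol_compute_av (@@ -688), sepol_context_to_sid (@@ -743) and the transition/member/change calls (@@ -791) — so their error arms lie outside the hunks and are not visibly updated. If any of them still compares against `-EINVAL`/`-ENOMEM`, real errors will silently land in `default:`. Worth grepping the file for negative errno cases, and adding `/* libsepol returns positive errno values, unlike the old in-tree security_* code */` above this switch so the convention is recorded.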
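Review bot: The return value of `sepol_set_policyvers(policyvers)` is discarded; as far as I know that call returns an int and rejects versions outside the range libsepol supports, and `policyvers` appears to come from the command line via the `-c` option, so an unsupported request would currently proceed to policydb_write with whatever version libsepol kept. Check it: `if (sepol_set_policyvers(policyvers)) { fprintf(stderr, "%s: unsupported policy version %u\n", argv[0], policyvers); exit(1); }`. That also restores some of the protection lost when the version sanity check in the @@ -588 hunk was deleted without a replacement.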
@@ -743,7 +741,7 @@
 fgets(ans, sizeof(ans), stdin);
 scontext_len = strlen(ans);
 ans[scontext_len - 1] = 0;
- ret = security_context_to_sid(ans, scontext_len,
+ ret = sepol_context_to_sid(ans, scontext_len,
 &ssid);
 switch (ret) {
 case 0:
@@ -791,11 +789,11 @@
 }
 if (ch == '3')
- ret = security_transition_sid(ssid, tsid, tclass, &ssid);
+ ret = sepol_transition_sid(ssid, tsid, tclass, &ssid);
 else if (ch == '4')
- ret = security_member_sid(ssid, tsid, tclass, &ssid);
+ ret = sepol_member_sid(ssid, tsid, tclass, &ssid);
 else
- ret = security_change_sid(ssid, tsid, tclass, &ssid);
+ ret = sepol_change_sid(ssid, tsid, tclass, &ssid);
 switch (ret) {
 case 0:
 printf("\nsid %d\n", ssid);
@@ -811,7 +809,7 @@
 }
 break;
 case '6':
- sidtab_map(&sidtab, print_sid, 0);
+ sepol_sidtab_map(&sidtab, print_sid, 0);
 break;
 case '7':
 printf("pathname? ");
@@ -841,7 +839,7 @@
 close(fd);
 break;
 }
- ret = security_load_policy(filedata, filelen);
+ ret = sepol_load_policy(filedata, filelen);
 switch (ret) {
 case 0:
 printf("\nsuccess\n");
@@ -862,7 +860,7 @@
 printf("fs kdevname? ");
 fgets(ans, sizeof(ans), stdin);
 ans[strlen(ans) - 1] = 0;
- security_fs_sid(ans, &ssid, &tsid);
+ sepol_fs_sid(ans, &ssid, &tsid);
 printf("fs_sid %d default_file_sid %d\n",
 ssid, tsid);
 break;
@@ -881,14 +879,14 @@
 printf("port? ");
 fgets(ans, sizeof(ans), stdin);
 port = atoi(ans);
- security_port_sid(0, 0, protocol, port, &ssid);
+ sepol_port_sid(0, 0, protocol, port, &ssid);
 printf("sid %d\n", ssid);
 break;
 case 'a':
 printf("netif name? ");
 fgets(ans, sizeof(ans), stdin);
 ans[strlen(ans) - 1] = 0;
- security_netif_sid(ans, &ssid, &tsid);
+ sepol_netif_sid(ans, &ssid, &tsid);
 printf("if_sid %d default_msg_sid %d\n",
 ssid, tsid);
 break;
@@ -929,7 +927,7 @@
 sepol_node_sid(family, p, len, &ssid);
 addr = inet_addr(ans);
- security_node_sid(AF_INET, &addr, sizeof addr, &ssid);
+ sepol_node_sid(AF_INET, &addr, sizeof addr, &ssid);
 printf("sid %d\n", ssid);
 break;
 }
@@ -937,7 +935,7 @@
 printf("fstype? ");
 fgets(ans, sizeof(ans), stdin);
 ans[strlen(ans) - 1] = 0;
- security_fs_use(ans, &ret, &ssid);
+ sepol_fs_use(ans, &ret, &ssid);
 switch (ret) {
 case SECURITY_FS_USE_XATTR:
 printf("use extended attributes\n");
@@ -985,7 +983,7 @@
 }
 tclass = cladatum->value;
 }
- security_genfs_sid(fstype, path, tclass, &ssid);
+ sepol_genfs_sid(fstype, path, tclass, &ssid);
 printf("sid %d\n", ssid);
 free(fstype);
 free(path);
@@ -1000,7 +998,7 @@
 fgets(ans, sizeof(ans), stdin);
 ans[strlen(ans) - 1] = 0;
- ret = security_get_user_sids(ssid, ans, &sids, &nel);
+ ret = sepol_get_user_sids(ssid, ans, &sids, &nel);
 switch (ret) {
 case 0:
 if (!nel)
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/checkpolicy.h#4 (text+ko) ====
@@ -1,7 +1,7 @@
 #ifndef _CHECKPOLICY_H_
 #define _CHECKPOLICY_H_
-#include "ebitmap.h"
+#include <sepol/ebitmap.h>
 typedef struct te_assert {
 struct ebitmap stypes;
@@ -15,39 +15,6 @@
 te_assert_t *te_assertions;
-typedef u_int64_t __u64;
-typedef u_int32_t __u32;
-typedef u_int16_t __u16;
-typedef u_int8_t __u8;
-typedef struct ebitmap ebitmap_t;
-typedef struct ebitmap_node ebitmap_node_t;
-typedef struct avtab avtab_t;
-typedef struct avtab_node *avtab_ptr_t;
-typedef struct avtab_key avtab_key_t;
-typedef struct avtab_datum avtab_datum_t;
-typedef struct policydb policydb_t;
-typedef struct role_datum role_datum_t;
-typedef struct class_datum class_datum_t;
-typedef struct common_datum common_datum_t;
-typedef struct perm_datum perm_datum_t;
-typedef struct type_datum type_datum_t;
-typedef struct user_datum user_datum_t;
-typedef struct constraint_expr constraint_expr_t;
-typedef struct constraint_node constraint_node_t;
-typedef struct context context_struct_t;
-typedef struct context context_t;
-typedef struct ocontext ocontext_t;
-typedef struct genfs genfs_t;
-typedef void *hashtab_key_t;
-typedef void *hashtab_datum_t;
-#define HASHTAB_SUCCESS 0
-#define HASHTAB_OVERFLOW ENOMEM
-#define HASHTAB_PRESENT EEXIST
-#define HASHTAB_MISSING ENOENT
-#define TRUE 1
-#define FALSE 0
+extern unsigned int policyvers;
 #endif
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/policy_parse.y#5 (text+ko) ====
@@ -21,14 +21,15 @@
 #include <errno.h>
 #include <sys/types.h>
 #include <netinet/in.h>
-#include "linux-compat.h"
+#include <sys/socket.h>
 #endif /* __FreeBSD__ */
-#include "policydb.h"
-#include "services.h"
+
+#include <sepol/policydb.h>
+#include <sepol/services.h>
+#include <sepol/conditional.h>
+#include <sepol/flask.h>
 #include "queue.h"
 #include "checkpolicy.h"
-#include "flask.h"
-#include "security.h"
 /*
 * We need the following so we have a valid error return code in yacc
@@ -171,7 +172,7 @@
 { if (pass == 1) { if (policydb_index_classes(policydbp)) return -1; } }
 opt_mls te_rbac users opt_constraints
 { if (pass == 1) { if (policydb_index_bools(policydbp)) return -1;}
- if (pass == 2) { if (policydb_index_others(policydbp, 1)) return -1;} }
+ if (pass == 2) { if (policydb_index_others(policydbp, 1)) return -1;} }
 initial_sid_contexts opt_fs_contexts fs_uses opt_genfs_contexts net_contexts
 ;
 classes : class_def
@@ -2581,16 +2582,7 @@
 goto bad;
 }
- if (policyvers < POLICYDB_VERSION_NLCLASS &&
- (cladatum->value >= SECCLASS_NETLINK_ROUTE_SOCKET &&
- cladatum->value <= SECCLASS_NETLINK_DNRT_SOCKET)) {
- sprintf(errormsg, "remapping class %s to netlink_socket "
- "for policy version %d", id, policyvers);
- yywarn(errormsg);
- classvalue = SECCLASS_NETLINK_SOCKET;
- suppress = 1;
- } else
- classvalue = cladatum->value;
+ classvalue = cladatum->value;
 ebitmap_set_bit(&tclasses, classvalue - 1, TRUE);
 if (classvalue > hiclass)
@@ -2759,16 +2751,7 @@
 goto bad;
 }
- if (policyvers < POLICYDB_VERSION_NLCLASS &&
- (cladatum->value >= SECCLASS_NETLINK_ROUTE_SOCKET &&
- cladatum->value <= SECCLASS_NETLINK_DNRT_SOCKET)) {
- sprintf(errormsg, "remapping class %s to netlink_socket "
- "for policy version %d", id, policyvers);
- yywarn(errormsg);
- classvalue = SECCLASS_NETLINK_SOCKET;
- suppress = 1;
- } else
- classvalue = cladatum->value;
+ classvalue = cladatum->value;
 ebitmap_set_bit(&tclasses, classvalue - 1, TRUE);
 if (classvalue > hiclass)
@@ -2819,7 +2802,7 @@
 continue;
 }
- avp[i] |= (((__u64)1) << (perdatum->value - 1));
+ avp[i] |= (((uint64_t)1) << (perdatum->value - 1));
 }
 free(id);
@@ -4439,6 +4422,9 @@
 return 0;
 }
+/* Freebsd only exports these to the kernel */
+#define s6_addr32 __u6_addr.__u6_addr32
+
 static int define_ipv6_node_context(void)
 {
 char *id;
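Review bot: With the remapping branch removed, `suppress` is no longer assigned on this path (and the same is true of the twin hunk at @@ -2759); if the flag has no other writer in the enclosing function, which starts and ends outside the hunk, it is now always zero and whatever is keyed on it is dead, so drop it together with the `errormsg` buffer if this was its only use. These two hunks and the deletion in checkpolicy.c (@@ -588) remove the only visible handling of the netlink classes for `policyvers < POLICYDB_VERSION_NLCLASS`, so nothing in this change now rejects or remaps them when an older target version is requested. If libsepol's policydb_write is expected to do that, record it where the branch used to be: `/* class remapping for pre-NLCLASS policy versions is left to libsepol */`.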
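Review bot: `#define s6_addr32 __u6_addr.__u6_addr32` is unconditional even though the comment says it is a FreeBSD-only quirk, and on other platforms <netinet/in.h> may already provide `s6_addr32` with a different expansion, so a build of this shared file elsewhere would hit a macro redefinition. Guard it the way the rest of the file guards platform code: `#if defined(__FreeBSD__) && !defined(s6_addr32)` / `#define s6_addr32 __u6_addr.__u6_addr32` / `#endif`. define_ipv6_node_context continues past the end of the hunk.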
@@ -4517,6 +4503,8 @@
 return rc;
 }
+#undef s6_addr32
+
 static int define_fs_use(int behavior)
 {
 ocontext_t *newc, *c, *head;
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/policy_scan.l#4 (text+ko) ====
@@ -16,6 +16,7 @@
 /* FLASK */
 %{
+#include <sys/types.h>
 #include "policy_parse.h"
 static char linebuf[2][255];
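Review bot: The `#undef s6_addr32` is unconditional as well; on a platform whose <netinet/in.h> supplied the macro, this strips it for everything after define_ipv6_node_context in the file. Wrap it in the same `#ifdef __FreeBSD__` guard as the definition it pairs with in the @@ -4439 hunk (or define a private marker such as `CHECKPOLICY_DEFINED_S6_ADDR32` when the macro is introduced and undef only when that is set), so the define and undef cannot drift apart.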
