From owner-p4-projects@FreeBSD.ORG Thu Feb 15 20:15:36 2007
Return-Path:
X-Original-To: p4-projects@freebsd.org
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767) id A6E8F16A4C0; Thu, 15 Feb 2007 20:15:36 +0000 (UTC)
X-Original-To: perforce@freebsd.org
Delivered-To: perforce@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 36CFB16A4B3 for ; Thu, 15 Feb 2007 20:15:36 +0000 (UTC) (envelope-from millert@freebsd.org)
Received: from repoman.freebsd.org (repoman.freebsd.org [69.147.83.41]) by mx1.freebsd.org (Postfix) with ESMTP id 25EBD13C46B for ; Thu, 15 Feb 2007 20:15:36 +0000 (UTC) (envelope-from millert@freebsd.org)
Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id l1FKFZZ9067656 for ; Thu, 15 Feb 2007 20:15:36 GMT (envelope-from millert@freebsd.org)
Received: (from perforce@localhost) by repoman.freebsd.org (8.13.6/8.13.4/Submit) id l1FKFZKQ067653 for perforce@freebsd.org; Thu, 15 Feb 2007 20:15:35 GMT (envelope-from millert@freebsd.org)
Date: Thu, 15 Feb 2007 20:15:35 GMT
Message-Id: <200702152015.l1FKFZKQ067653@repoman.freebsd.org>
X-Authentication-Warning: repoman.freebsd.org: perforce set sender to millert@freebsd.org using -f
From: Todd Miller
To: Perforce Change Reviews
Cc:
Subject: PERFORCE change 114573 for review
X-BeenThere: p4-projects@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: p4 projects tree changes
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 15 Feb 2007 20:15:37 -0000

http://perforce.freebsd.org/chv.cgi?CH=114573

Change 114573 by millert@millert_p4 on 2007/02/15 20:15:33

	Update to checkpolicy-1.34.0 from the SELinux web site.

Affected files ...

.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/ChangeLog#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/Makefile#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/VERSION#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/checkmodule.c#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/checkpolicy.c#12 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/checkpolicy.h#8 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/module_compiler.c#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/module_compiler.h#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/parse_util.c#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/parse_util.h#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/policy_parse.y#9 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/policy_scan.l#8 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/queue.c#5 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/queue.h#5 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/test/dismod.c#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/test/dispol.c#2 edit

Differences ...

==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/ChangeLog#2 (text+ko) ====
@@ -1,3 +1,47 @@ +1.34.0 2007-01-18 + * Updated version for stable branch. + +1.33.1 2006-11-13 + * Collapse user identifiers and identifiers together. + +1.32 2006-10-17 + * Updated version for release. + +1.30.12 2006-09-28 + * Merged user and range_transition support for modules from + Darrel Goeddel + +1.30.11 2006-09-05 + * merged range_transition enhancements and user module format + changes from Darrel Goeddel + +1.30.10 2006-08-03 + * Merged symtab datum patch from Karl MacMillan. + +1.30.9 2006-06-29 + * Lindent. + +1.30.8 2006-06-29 + * Merged patch to remove TE rule conflict checking from the parser + from Joshua Brindle. This can only be done properly by the + expander. + +1.30.7 2006-06-27 + * Merged patch to make checkpolicy/checkmodule handling of + duplicate/conflicting TE rules the same as the expander + from Joshua Brindle. + +1.30.6 2006-06-26 + * Merged optionals in base take 2 patch set from Joshua Brindle. + +1.30.5 2006-05-05 + * Merged compiler cleanup patch from Karl MacMillan. + * Merged fix warnings patch from Karl MacMillan. + +1.30.4 2006-04-05 + * Changed require_class to reject permissions that have not been + declared if building a base module. + 1.30.3 2006-03-28 * Fixed checkmodule to call link_modules prior to expand_module to handle optionals. ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/Makefile#2 (text+ko) ==== @@ -12,12 +12,14 @@ override CFLAGS += -I. -I${INCLUDEDIR} -CHECKOBJS = y.tab.o lex.yy.o queue.o module_compiler.o +CHECKOBJS = y.tab.o lex.yy.o queue.o module_compiler.o parse_util.o CHECKPOLOBJS = $(CHECKOBJS) checkpolicy.o CHECKMODOBJS = $(CHECKOBJS) checkmodule.o LDLIBS=$(LIBDIR)/libsepol.a -lfl +GENERATED=lex.yy.c y.tab.c y.tab.h + all: $(TARGETS) $(MAKE) -C test 
@@ -55,3 +57,5 @@ -rm -f $(TARGETS) $(CHECKPOLOBJS) $(CHECKMODOBJS) y.tab.c y.tab.h lex.yy.c $(MAKE) -C test clean +indent: + ../Lindent $(filter-out $(GENERATED),$(wildcard *.[ch])) ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/VERSION#2 (text+ko) ==== @@ -1,1 +1,1 @@ -1.30.3 +1.34.0 ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/checkmodule.c#2 (text+ko) ==== 
@@ -27,174 +27,124 @@ #include #include #include +#include #include "queue.h" #include "checkpolicy.h" +#include "parse_util.h" extern char *optarg; extern int optind; static sidtab_t sidtab; -extern policydb_t *policydbp; -extern queue_t id_queue; -extern unsigned int policydb_errors; -extern unsigned long policydb_lineno; -extern char source_file[]; extern int mlspol; -extern FILE *yyin; -extern void init_parser(int); -extern int yyparse(void); -extern void yyrestart(FILE *); - static char *txtfile = "policy.conf"; static char *binfile = "policy"; unsigned int policy_type = POLICY_BASE; unsigned int policyvers = MOD_POLICYDB_VERSION_MAX; -static int read_binary_policy(policydb_t *p, char *file, char *progname) +static int read_binary_policy(policydb_t * p, char *file, char *progname) { - int fd; + int fd; struct stat sb; - void *map; + void *map; struct policy_file f, *fp; - - fd = open(file, O_RDONLY); - if (fd < 0) { - fprintf(stderr, "Can't open '%s': %s\n", - file, strerror(errno)); - return -1; - } - if (fstat(fd, &sb) < 0) { - fprintf(stderr, "Can't stat '%s': %s\n", - file, strerror(errno)); - return -1; - } - map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); - if (map == MAP_FAILED) { - fprintf(stderr, "Can't map '%s': %s\n", - file, strerror(errno)); - return -1; - } - f.type = PF_USE_MEMORY; - f.data = map; - f.len = sb.st_size; - fp = &f; + + fd = open(file, O_RDONLY); + if (fd < 0) { + fprintf(stderr, "Can't open '%s': %s\n", + file, strerror(errno)); + return -1; + } + if (fstat(fd, &sb) < 0) { + fprintf(stderr, "Can't stat '%s': %s\n", + file, strerror(errno)); + return -1; + } + map = + mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); + if (map == MAP_FAILED) { + fprintf(stderr, "Can't map '%s': %s\n", file, strerror(errno)); + return -1; + } + f.type = PF_USE_MEMORY; + f.data = map; + f.len = sb.st_size; + fp = &f; if (policydb_init(p)) { - fprintf(stderr, "%s: policydb_init: Out of memory!\n", progname); 
+ fprintf(stderr, "%s: policydb_init: Out of memory!\n", + progname); + return -1; + } + if (policydb_read(p, fp, 1)) { + fprintf(stderr, + "%s: error(s) encountered while parsing configuration\n", + progname); return -1; - } - if (policydb_read(p, fp, 1)) { - fprintf(stderr, "%s: error(s) encountered while parsing configuration\n", progname); - return -1; - } - - /* Check Policy Consistency */ - if (p->mls) { - if (!mlspol) { - fprintf(stderr,"%s: MLS policy, but non-MLS" - " is specified\n", progname); - return -1; - } - } else { - if (mlspol) { - fprintf(stderr,"%s: non-MLS policy, but MLS" - " is specified\n", progname); - return -1; - } - } - return 0; + } + + /* Check Policy Consistency */ + if (p->mls) { + if (!mlspol) { + fprintf(stderr, "%s: MLS policy, but non-MLS" + " is specified\n", progname); + return -1; + } + } else { + if (mlspol) { + fprintf(stderr, "%s: non-MLS policy, but MLS" + " is specified\n", progname); + return -1; + } + } + return 0; } -static int read_source_policy(policydb_t *p, char *file, char *progname) +static int write_binary_policy(policydb_t * p, char *file, char *progname) { - yyin = fopen(file, "r"); - if (!yyin) { - fprintf(stderr, "%s: unable to open %s\n", progname, - file); - return -1; - } - - if (policydb_init(p) || - ((id_queue = queue_create()) == NULL)) { - fprintf(stderr, "%s: out of memory!\n", progname); - return -1; - } + FILE *outfp = NULL; + struct policy_file pf; + int ret; - p->policy_type = policy_type; - p->mls = mlspol; + printf("%s: writing binary representation (version %d) to %s\n", + progname, policyvers, file); - init_parser(1); - if (yyparse() || policydb_errors) { - fprintf(stderr, "%s: error(s) encountered while parsing configuration\n", progname); - return -1; - } - rewind(yyin); - init_parser(2); - source_file[0] = '\0'; - yyrestart(yyin); - if (yyparse() || policydb_errors) { - fprintf(stderr, "%s: error(s) encountered while parsing configuration\n", progname); - return -1; - } - 
queue_destroy(id_queue); - - if (hierarchy_check_constraints(NULL, p)) { - return -1; - } - - if (policydb_errors) - return -1; + outfp = fopen(file, "w"); + if (!outfp) { + perror(file); + exit(1); + } - fclose(yyin); - return 0; -} - -static int write_binary_policy(policydb_t *p, char *file, char *progname) -{ - FILE *outfp = NULL; - struct policy_file pf; - int ret; - - printf("%s: writing binary representation (version %d) to %s\n", - progname, policyvers, file); - - outfp = fopen(file, "w"); - if (!outfp) { - perror(file); - exit(1); - } - p->policy_type = policy_type; p->policyvers = policyvers; - - pf.type = PF_USE_STDIO; - pf.fp = outfp; - ret = policydb_write(p, &pf); - if (ret) { - fprintf(stderr, "%s: error writing %s\n", - progname, file); - return -1; - } - fclose(outfp); - return 0; + + pf.type = PF_USE_STDIO; + pf.fp = outfp; + ret = policydb_write(p, &pf); + if (ret) { + fprintf(stderr, "%s: error writing %s\n", progname, file); + return -1; + } + fclose(outfp); + return 0; } static void usage(char *progname) { - printf("usage: %s [-V] [-b] [-m] [-M] [-o FILE] [INPUT]\n", - progname); - printf("Build base and policy modules.\n"); - printf("Options:\n"); - printf(" INPUT build module from INPUT (else read from \"%s\")\n", txtfile); - printf(" -V show policy versions created by this program\n"); - printf(" -b treat input as a binary policy file\n"); - printf(" -m build a policy module instead of a base module\n"); - printf(" -M enable MLS policy\n"); - printf(" -o FILE write module to FILE (else just check syntax)\n"); + printf("usage: %s [-V] [-b] [-m] [-M] [-o FILE] [INPUT]\n", progname); + printf("Build base and policy modules.\n"); + printf("Options:\n"); + printf(" INPUT build module from INPUT (else read from \"%s\")\n", + txtfile); + printf(" -V show policy versions created by this program\n"); + printf(" -b treat input as a binary policy file\n"); + printf(" -m build a policy module instead of a base module\n"); + printf(" -M enable MLS 
policy\n"); + printf(" -o FILE write module to FILE (else just check syntax)\n"); exit(1); } @@ -204,13 +154,13 @@ unsigned int binary = 0; int ch; int show_version = 0; - policydb_t modpolicydb; + policydb_t modpolicydb; while ((ch = getopt(argc, argv, "ho:dbVmM")) != EOF) { switch (ch) { - case 'h': - usage (argv [0]); - break; + case 'h': + usage(argv[0]); + break; case 'o': outfile = optarg; break; @@ -223,9 +173,9 @@ break; case 'm': policy_type = POLICY_MOD; - policyvers = MOD_POLICYDB_VERSION_MAX; + policyvers = MOD_POLICYDB_VERSION_MAX; break; - case 'M': + case 'M': mlspol = 1; break; default: @@ -234,8 +184,8 @@ } if (show_version) { - printf("Module versions %d-%d\n", - MOD_POLICYDB_VERSION_MIN, MOD_POLICYDB_VERSION_MAX); + printf("Module versions %d-%d\n", + MOD_POLICYDB_VERSION_MIN, MOD_POLICYDB_VERSION_MAX); exit(0); } 
@@ -244,27 +194,37 @@ if (optind != argc) usage(argv[0]); } - printf("%s: loading policy configuration from %s\n", argv[0], - file); + printf("%s: loading policy configuration from %s\n", argv[0], file); - /* Set policydb and sidtab used by libsepol service functions - to my structures, so that I can directly populate and - manipulate them. */ - sepol_set_policydb(&modpolicydb); - sepol_set_sidtab(&sidtab); + /* Set policydb and sidtab used by libsepol service functions + to my structures, so that I can directly populate and + manipulate them. */ + sepol_set_policydb(&modpolicydb); + sepol_set_sidtab(&sidtab); - policydbp = &modpolicydb; if (binary) { - if (read_binary_policy(policydbp, file, argv[0]) == -1) { - exit(1); - } + if (read_binary_policy(&modpolicydb, file, argv[0]) == -1) { + exit(1); + } } else { - if (read_source_policy(policydbp, file, argv[0]) == -1) { - exit(1); - } - } + if (policydb_init(&modpolicydb)) { + fprintf(stderr, "%s: out of memory!\n", argv[0]); + return -1; + } + + modpolicydb.policy_type = policy_type; + modpolicydb.mls = mlspol; + + if (read_source_policy(&modpolicydb, file, argv[0]) == -1) { + exit(1); + } + + if (hierarchy_check_constraints(NULL, &modpolicydb)) { + return -1; + } + } - if (policydbp->policy_type == POLICY_BASE) { + if (modpolicydb.policy_type == POLICY_BASE) { /* Verify that we can successfully expand the base module. */ policydb_t kernpolicydb; 
@@ -272,28 +232,31 @@ fprintf(stderr, "%s: policydb_init failed\n", argv[0]); exit(1); } - if (link_modules(NULL, policydbp, NULL, 0, 0)) { + if (link_modules(NULL, &modpolicydb, NULL, 0, 0)) { fprintf(stderr, "%s: link modules failed\n", argv[0]); exit(1); } - if (expand_module(NULL, policydbp, &kernpolicydb, 0, 1)) { + if (expand_module(NULL, &modpolicydb, &kernpolicydb, 0, 1)) { fprintf(stderr, "%s: expand module failed\n", argv[0]); exit(1); } policydb_destroy(&kernpolicydb); } - if (policydb_load_isids(policydbp, &sidtab)) + if (policydb_load_isids(&modpolicydb, &sidtab)) exit(1); + sepol_sidtab_destroy(&sidtab); + printf("%s: policy configuration loaded\n", argv[0]); if (outfile && - write_binary_policy(policydbp, outfile, argv[0]) == -1) { - exit(1); - } + write_binary_policy(&modpolicydb, outfile, argv[0]) == -1) { + exit(1); + } + policydb_destroy(&modpolicydb); + return 0; } /* FLASK */ - ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/checkpolicy.c#12 (text+ko) ==== @@ -80,6 +80,7 @@ #include "queue.h" #include "checkpolicy.h" +#include "parse_util.h" extern char *optarg; extern int optind; @@ -88,17 +89,8 @@ static sidtab_t sidtab; extern policydb_t *policydbp; -extern queue_t id_queue; -extern unsigned int policydb_errors; -extern unsigned long policydb_lineno; -extern char source_file[]; extern int mlspol; -extern FILE *yyin; -extern void init_parser(int); -extern int yyparse(void); -extern void yyrestart(FILE *); - static char *txtfile = "policy.conf"; static char *binfile = "policy"; @@ -106,8 +98,9 @@ void usage(char *progname) { - printf("usage: %s [-b] [-d] [-M] [-c policyvers (%d-%d)] [-o output_file] [input_file]\n", - progname, POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX); + printf + ("usage: %s [-b] [-d] [-M] [-c policyvers (%d-%d)] [-o output_file] [input_file]\n", + progname, POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX); exit(1); } 
@@ -118,7 +111,9 @@ exit(1);\ } static int print_sid(sepol_security_id_t sid, - context_struct_t * context __attribute__ ((unused)), void *data __attribute__ ((unused))) + context_struct_t * context + __attribute__ ((unused)), void *data + __attribute__ ((unused))) { sepol_security_context_t scontext; size_t scontext_len; @@ -146,7 +141,7 @@ perdatum = (perm_datum_t *) datum; - if (v->val == perdatum->value) { + if (v->val == perdatum->s.value) { v->name = key; return 1; } @@ -155,7 +150,7 @@ } #ifdef EQUIVTYPES -static int insert_type_rule(avtab_key_t *k, avtab_datum_t *d, +static int insert_type_rule(avtab_key_t * k, avtab_datum_t * d, struct avtab_node *type_rules) { struct avtab_node *p, *c, *n; @@ -168,10 +163,10 @@ */ if (k->source_type < c->key.source_type) break; - if (k->source_type == c->key.source_type && + if (k->source_type == c->key.source_type && k->target_type < c->key.target_type) break; - if (k->source_type == c->key.source_type && + if (k->source_type == c->key.source_type && k->target_type == c->key.target_type && k->target_class < c->key.target_class) break; @@ -191,7 +186,7 @@ return 0; } -static int create_type_rules(avtab_key_t *k, avtab_datum_t *d, void *args) +static int create_type_rules(avtab_key_t * k, avtab_datum_t * d, void *args) { struct avtab_node *type_rules = args; @@ -200,8 +195,10 @@ * Insert the rule into the lists for both * the source type and the target type. */ - if (insert_type_rule(k, d, &type_rules[k->source_type-1])) return -1; - if (insert_type_rule(k, d, &type_rules[k->target_type-1])) return -1; + if (insert_type_rule(k, d, &type_rules[k->source_type - 1])) + return -1; + if (insert_type_rule(k, d, &type_rules[k->target_type - 1])) + return -1; } return 0; 
@@ -218,24 +215,24 @@ } } -static int identify_equiv_types(void) +static int identify_equiv_types(void) { - struct avtab_node *type_rules, *l1, *l2; + struct avtab_node *type_rules, *l1, *l2; int i, j; /* * Create a list of access vector rules for each type * from the access vector table. */ - type_rules = malloc(sizeof(struct avtab_node)*policydb.p_types.nprim); + type_rules = malloc(sizeof(struct avtab_node) * policydb.p_types.nprim); if (!type_rules) { fprintf(stderr, "out of memory\n"); exit(1); } - memset(type_rules, 0, sizeof(struct avtab_node)*policydb.p_types.nprim); + memset(type_rules, 0, + sizeof(struct avtab_node) * policydb.p_types.nprim); if (avtab_map(&policydb.te_avtab, create_type_rules, type_rules)) exit(1); - /* * Compare the type lists and identify equivalent types. @@ -244,27 +241,29 @@ if (!type_rules[i].next) continue; for (j = i + 1; j < policydb.p_types.nprim; j++) { - for (l1 = type_rules[i].next, l2 = type_rules[j].next; l1 && l2; - l1 = l1->next, l2 = l2->next) { - if (l2->key.source_type == (j+1)) { - if (l1->key.source_type != (i+1)) + for (l1 = type_rules[i].next, l2 = type_rules[j].next; + l1 && l2; l1 = l1->next, l2 = l2->next) { + if (l2->key.source_type == (j + 1)) { + if (l1->key.source_type != (i + 1)) break; } else { - if (l1->key.source_type != l2->key.source_type) + if (l1->key.source_type != + l2->key.source_type) break; } - if (l2->key.target_type == (j+1)) { - if (l1->key.target_type != (i+1)) + if (l2->key.target_type == (j + 1)) { + if (l1->key.target_type != (i + 1)) break; } else { - if (l1->key.target_type != l2->key.target_type) + if (l1->key.target_type != + l2->key.target_type) break; } - if (l1->key.target_class != l2->key.target_class || - l1->datum.allowed != l2->datum.allowed) + if (l1->key.target_class != l2->key.target_class + || l1->datum.allowed != l2->datum.allowed) break; } - if (l1 || l2) + if (l1 || l2) continue; free_type_rules(type_rules[j].next); type_rules[j].next = NULL; 
@@ -272,37 +271,37 @@ policydb.p_type_val_to_name[i], policydb.p_type_val_to_name[j]); } - free_type_rules(type_rules[i].next); + free_type_rules(type_rules[i].next); type_rules[i].next = NULL; } - free(type_rules); + free(type_rules); return 0; } -#endif +#endif extern char *av_to_string(uint32_t tclass, sepol_access_vector_t av); - int display_bools() { int i; for (i = 0; i < policydbp->p_bools.nprim; i++) { printf("%s : %d\n", policydbp->p_bool_val_to_name[i], - policydbp->bool_val_to_struct[i]->state); + policydbp->bool_val_to_struct[i]->state); } return 0; } -void display_expr(cond_expr_t *exp) +void display_expr(cond_expr_t * exp) { cond_expr_t *cur; for (cur = exp; cur != NULL; cur = cur->next) { switch (cur->expr_type) { case COND_BOOL: - printf("%s ", policydbp->p_bool_val_to_name[cur->bool - 1]); + printf("%s ", + policydbp->p_bool_val_to_name[cur->bool - 1]); break; case COND_NOT: printf("! "); @@ -360,7 +359,9 @@ level_datum_t *levdatum = (level_datum_t *) datum; if (!levdatum->isalias && !levdatum->defined) { - fprintf(stderr, "Error: sensitivity %s was not used in a level definition!\n", key); + fprintf(stderr, + "Error: sensitivity %s was not used in a level definition!\n", + key); return -1; } return 0; @@ -389,7 +390,6 @@ int show_version = 0; struct policy_file pf; - while ((ch = getopt(argc, argv, "o:dbMVc:")) != EOF) { switch (ch) { case 'o': 
@@ -408,30 +408,36 @@ case 'M': mlspol = 1; break; - case 'c': { - long int n = strtol(optarg, NULL, 10); - if (errno) { - fprintf(stderr, "Invalid policyvers specified: %s\n", optarg); - usage(argv[0]); - exit(1); + case 'c':{ + long int n = strtol(optarg, NULL, 10); + if (errno) { + fprintf(stderr, + "Invalid policyvers specified: %s\n", + optarg); + usage(argv[0]); + exit(1); + } + if (n < POLICYDB_VERSION_MIN + || n > POLICYDB_VERSION_MAX) { + fprintf(stderr, + "policyvers value %ld not in range %d-%d\n", + n, POLICYDB_VERSION_MIN, + POLICYDB_VERSION_MAX); + usage(argv[0]); + exit(1); + } + if (policyvers != n) + policyvers = n; + break; } - if (n < POLICYDB_VERSION_MIN || n > POLICYDB_VERSION_MAX) { - fprintf(stderr, "policyvers value %ld not in range %d-%d\n", - n, POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX); - usage(argv[0]); - exit(1); - } - if (policyvers != n) - policyvers = n; - break; - } default: usage(argv[0]); } } if (show_version) { - printf("%d (compatibility range %d-%d)\n", policyvers, POLICYDB_VERSION_MAX, POLICYDB_VERSION_MIN); + printf("%d (compatibility range %d-%d)\n", policyvers, + POLICYDB_VERSION_MAX, POLICYDB_VERSION_MIN); exit(0); } @@ -440,8 +446,7 @@ if (optind != argc) usage(argv[0]); } - printf("%s: loading policy configuration from %s\n", argv[0], - file); + printf("%s: loading policy configuration from %s\n", argv[0], file); /* Set policydb and sidtab used by libsepol service functions to my structures, so that I can directly populate and @@ -461,7 +466,9 @@ file, strerror(errno)); exit(1); } - map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); + map = + mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, + fd, 0); if (map == MAP_FAILED) { fprintf(stderr, "Can't map '%s': %s\n", file, strerror(errno)); 
@@ -471,12 +478,15 @@ pf.data = map; pf.len = sb.st_size; if (policydb_init(&policydb)) { - fprintf(stderr, "%s: policydb_init: Out of memory!\n", argv[0]); + fprintf(stderr, "%s: policydb_init: Out of memory!\n", + argv[0]); exit(1); } ret = policydb_read(&policydb, &pf, 1); if (ret) { - fprintf(stderr, "%s: error(s) encountered while parsing configuration\n", argv[0]); + fprintf(stderr, + "%s: error(s) encountered while parsing configuration\n", + argv[0]); exit(1); } policydbp = &policydb; @@ -484,27 +494,20 @@ /* Check Policy Consistency */ if (policydbp->mls) { if (!mlspol) { - fprintf(stderr,"%s: MLS policy, but non-MLS" - " is specified\n", argv[0]); + fprintf(stderr, "%s: MLS policy, but non-MLS" + " is specified\n", argv[0]); exit(1); } } else { if (mlspol) { - fprintf(stderr,"%s: non-MLS policy, but MLS" - " is specified\n", argv[0]); + fprintf(stderr, "%s: non-MLS policy, but MLS" + " is specified\n", argv[0]); exit(1); } } } else { - policydb_t parse_policy; + policydb_t parse_policy; - yyin = fopen(file, "r"); - if (!yyin) { - fprintf(stderr, "%s: unable to open %s\n", argv[0], - file); - exit(1); - } - if (policydb_init(&parse_policy)) exit(1); /* We build this as a base policy first since that is all the parser understands */ 
@@ -513,28 +516,9 @@ /* Let sepol know if we are dealing with MLS support */ parse_policy.mls = mlspol; - id_queue = queue_create(); - if (!id_queue) { - fprintf(stderr, "%s: out of memory\n", argv[0]); - exit(1); - } policydbp = &parse_policy; - init_parser(1); - if (yyparse() || policydb_errors) { - fprintf(stderr, "%s: error(s) encountered while parsing configuration\n", argv[0]); - exit(1); - } - rewind(yyin); - init_parser(2); - source_file[0] = '\0'; - yyrestart(yyin); - if (yyparse() || policydb_errors) { - fprintf(stderr, "%s: error(s) encountered while parsing configuration\n", argv[0]); - exit(1); - } - queue_destroy(id_queue); - if (policydb_errors) + if (read_source_policy(policydbp, file, "checkpolicy") < 0) exit(1); if (hashtab_map(policydbp->p_levels.table, check_level, NULL)) @@ -546,18 +530,17 @@ } /* Linking takes care of optional avrule blocks */ - if (link_modules(NULL, &parse_policy, NULL, 0, 0)) { + if (link_modules(NULL, &parse_policy, NULL, 0, 0)) { fprintf(stderr, "Error while resolving optionals\n"); exit(1); } if (expand_module(NULL, &parse_policy, &policydb, 0, 1)) { - fprintf(stderr, "Error while expanding policy\n"); + fprintf(stderr, "Error while expanding policy\n"); exit(1); - } + } policydb_destroy(&parse_policy); policydbp = &policydb; - fclose(yyin); } if (policydb_load_isids(&policydb, &sidtab)) @@ -566,8 +549,9 @@ printf("%s: policy configuration loaded\n", argv[0]); if (outfile) { - printf("%s: writing binary representation (version %d) to %s\n", - argv[0], policyvers, outfile); + printf + ("%s: writing binary representation (version %d) to %s\n", + argv[0], policyvers, outfile); outfp = fopen(outfile, "w"); if (!outfp) { perror(outfile); 
@@ -634,39 +618,51 @@ FGETS(ans, sizeof(ans), stdin); if (isdigit(ans[0])) { tclass = atoi(ans); - if (!tclass || tclass > policydb.p_classes.nprim) { + if (!tclass + || tclass > policydb.p_classes.nprim) { printf("\nNo such class.\n"); break; } - cladatum = policydb.class_val_to_struct[tclass - 1]; + cladatum = + policydb.class_val_to_struct[tclass - 1]; } else { ans[strlen(ans) - 1] = 0; - cladatum = (class_datum_t *) hashtab_search(policydb.p_classes.table, - ans); + cladatum = + (class_datum_t *) hashtab_search(policydb. + p_classes. + table, + ans); if (!cladatum) { printf("\nNo such class\n"); break; } - tclass = cladatum->value; + tclass = cladatum->s.value; } if (!cladatum->comdatum && !cladatum->permissions.nprim) { - printf("\nNo access vector definition for that class\n"); + printf + ("\nNo access vector definition for that class\n"); break; } - ret = sepol_compute_av(ssid, tsid, tclass, 0, - &avd); + ret = sepol_compute_av(ssid, tsid, tclass, 0, &avd); switch (ret) { case 0: printf("\nallowed {"); for (i = 1; i <= sizeof(avd.allowed) * 8; i++) { if (avd.allowed & (1 << (i - 1))) { v.val = i; - ret = hashtab_map(cladatum->permissions.table, - find_perm, &v); + ret = + hashtab_map(cladatum-> + permissions. + table, + find_perm, &v); if (!ret && cladatum->comdatum) { - ret = hashtab_map(cladatum->comdatum->permissions.table, - find_perm, &v); + ret = + hashtab_map + (cladatum-> + comdatum-> + permissions.table, + find_perm, &v); } if (ret) printf(" %s", v.name); @@ -686,7 +682,7 @@ FGETS(ans, sizeof(ans), stdin); ssid = atoi(ans); ret = sepol_sid_to_context(ssid, - &scontext, &scontext_len); >>> TRUNCATED FOR MAIL (1000 lines) <<<
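Review bot: In the Makefile hunk `@@ -55,3 +57,5 @@`, the new `GENERATED` variable is used only by the added `indent` target while the `clean` rule two lines above still spells out `y.tab.c y.tab.h lex.yy.c` by hand; replacing that list with `$(GENERATED)` keeps the two in step if another generated file is ever added.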
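Review bot: In the checkmodule.c hunk `@@ -27,174 +27,124 @@`, `read_binary_policy()` still leaks `fd` on the fstat and mmap failure paths (both `return -1` without `close(fd)`) and never unmaps or closes on success. This is pre-existing logic that the reindent moved rather than new code, but since the function is being rewritten anyway it is the moment to add `close(fd)` right after the `mmap()` call (the mapping stays valid) and `munmap()` once `policydb_read()` has consumed the buffer; and if `policydb_read()` only reads from the buffer, `PROT_READ` alone would do in place of `PROT_READ | PROT_WRITE`. In the same hunk, `write_binary_policy()` calls `exit(1)` when `fopen()` fails but `return -1` when `policydb_write()` fails; one convention for the caller would be cleaner.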
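Review bot: In the checkmodule.c hunk `@@ -244,27 +194,37 @@`, the new source-policy branch of `main()` uses `return -1` on the `policydb_init()` and `hierarchy_check_constraints()` failure paths while every neighbouring failure path calls `exit(1)`; returning -1 from `main()` produces an exit status of 255 and looks like a leftover from moving this code out of the old `read_source_policy()`. Suggest `exit(1)` in both places so callers see a consistent non-zero status, and, since `modpolicydb` is now initialised in `main()`, a `policydb_destroy(&modpolicydb)` before exiting on the paths after that initialisation, matching the cleanup the patch adds on the success path.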
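Review bot: In the checkpolicy.c hunk `@@ -408,30 +408,36 @@`, the reindented `case 'c'` block still checks `errno` after `strtol(optarg, NULL, 10)` without clearing it first, so a stale `errno` left by an earlier call would reject a valid `-c` value, and a non-numeric argument is not detected at all because `strtol()` returns 0 without setting `errno` (only the following range check happens to catch it). Suggest `errno = 0;` before the call and an end-pointer check (`*endptr != '\0'`) so malformed values produce the "Invalid policyvers specified" message rather than the range message.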
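Review bot: In the checkpolicy.c hunk `@@ -513,28 +516,9 @@`, `read_source_policy(policydbp, file, "checkpolicy")` hard-codes the program name while every other diagnostic in this function uses `argv[0]`; pass `argv[0]` so messages stay consistent when the binary is invoked under another name. The same hunk drops the `fclose(yyin)` and `queue_destroy(id_queue)` calls on the assumption that the new parse_util.c now owns those resources; parse_util.c falls in the truncated part of the mail, so reviewers should confirm that `read_source_policy()` closes the input file and destroys the identifier queue on both its success and error paths.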
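Review bot: In the checkpolicy.c hunk `@@ -634,39 +618,51 @@`, the permission loop `for (i = 1; i <= sizeof(avd.allowed) * 8; i++) { if (avd.allowed & (1 << (i - 1)))` shifts the signed `int` constant 1 by up to 31, and `1 << 31` overflows a 32-bit `int`, which is undefined behaviour in C. This is unchanged context rather than part of the reindent, but `1U << (i - 1)` (or an unsigned mask variable walked across `avd.allowed`) would make the bit test well defined.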