From owner-p4-projects@FreeBSD.ORG Tue May 16 18:57:07 2006 Return-Path: X-Original-To: p4-projects@freebsd.org Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 9767816A5E7; Tue, 16 May 2006 18:57:07 +0000 (UTC) X-Original-To: perforce@freebsd.org Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 98B6516A5A4 for ; Tue, 16 May 2006 18:57:05 +0000 (UTC) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 392C443D60 for ; Tue, 16 May 2006 18:57:02 +0000 (GMT) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id k4GIujbX073634 for ; Tue, 16 May 2006 18:56:45 GMT (envelope-from millert@freebsd.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.6/8.13.4/Submit) id k4GIuiI2073631 for perforce@freebsd.org; Tue, 16 May 2006 18:56:44 GMT (envelope-from millert@freebsd.org) Date: Tue, 16 May 2006 18:56:44 GMT Message-Id: <200605161856.k4GIuiI2073631@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to millert@freebsd.org using -f From: Todd Miller To: Perforce Change Reviews Cc: Subject: PERFORCE change 97278 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 May 2006 18:57:16 -0000 http://perforce.freebsd.org/chv.cgi?CH=97278 Change 97278 by millert@millert_p4 on 2006/05/16 18:56:34 A port of checkpolicy version 1.30.3 from sourceforge to SEBSD. Affected files ... .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/COPYING#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/ChangeLog#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/Makefile#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/VERSION#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/checkmodule.8#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/checkmodule.c#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/checkpolicy.8#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/checkpolicy.c#11 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/checkpolicy.h#7 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/module_compiler.c#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/module_compiler.h#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/policy_parse.y#8 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/policy_scan.l#7 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/queue.c#4 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/queue.h#4 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/test/Makefile#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/test/dismod.c#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/test/dispol.c#1 add Differences ... ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/checkpolicy.8#2 (text+ko) ==== @@ -3,7 +3,7 @@ checkpolicy \- SELinux policy compiler .SH SYNOPSIS .B checkpolicy -.I "[-b] [-d] [-c policyvers] [-o output_file] [input_file]" +.I "[-b] [-d] [-M] [-c policyvers] [-o output_file] [input_file]" .br .SH "DESCRIPTION" This manual page describes the @@ -24,6 +24,9 @@ .B \-d Enter debug mode after loading the policy. .TP +.B \-M +Enable the MLS policy when checking and compiling the policy. +.TP .B \-o filename Write a binary policy file to the specified filename. .TP ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/checkpolicy.c#11 (text+ko) ==== @@ -3,7 +3,12 @@ * Author : Stephen Smalley, */ -/* Updated: Karl MacMillan +/* + * Updated: Trusted Computer Solutions, Inc. + * + * Support for enhanced MLS infrastructure. + * + * Updated: Karl MacMillan * * Added conditional policy language extensions * @@ -11,7 +16,14 @@ * * Added IPv6 support. * - * Copyright (C) 2003 - 2004 Tresys Technology, LLC + * Updated: Joshua Brindle + * Karl MacMillan + * Jason Tang + * + * Policy Module support. + * + * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. + * Copyright (C) 2003 - 2005 Tresys Technology, LLC * Copyright (C) 2003 Red Hat, Inc., James Morris * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -58,10 +70,13 @@ #include #include -#include -#include -#include -#include +#include +#include +#include +#include +#include +#include +#include #include "queue.h" #include "checkpolicy.h" @@ -76,30 +91,36 @@ extern queue_t id_queue; extern unsigned int policydb_errors; extern unsigned long policydb_lineno; -extern unsigned long source_lineno; extern char source_file[]; -extern unsigned int pass; +extern int mlspol; extern FILE *yyin; +extern void init_parser(int); extern int yyparse(void); extern void yyrestart(FILE *); -char *txtfile = "policy.conf"; -char *binfile = "policy"; +static char *txtfile = "policy.conf"; +static char *binfile = "policy"; unsigned int policyvers = POLICYDB_VERSION_MAX; void usage(char *progname) { - printf("usage: %s [-b] [-d] [-c policyvers (%d-%d)] [-o output_file] [input_file]\n", + printf("usage: %s [-b] [-d] [-M] [-c policyvers (%d-%d)] [-o output_file] [input_file]\n", progname, POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX); exit(1); } -static int print_sid(security_id_t sid, +#define FGETS(out, size, in) \ +if (fgets(out,size,in)==NULL) { \ + fprintf(stderr, "fgets failed at line %d: %s\n", __LINE__,\ + strerror(errno)); \ + exit(1);\ +} +static int print_sid(sepol_security_id_t sid, context_struct_t * context __attribute__ ((unused)), void *data __attribute__ ((unused))) { - security_context_t scontext; + sepol_security_context_t scontext; size_t scontext_len; int rc; @@ -133,16 +154,6 @@ return 0; } -static int type_attr_remove(hashtab_key_t key __attribute__ ((unused)), hashtab_datum_t datum, void *p __attribute__ ((unused))) -{ - type_datum_t *typdatum; - - typdatum = (type_datum_t *) datum; - if (typdatum->isattr) - return 1; - return 0; -} - #ifdef EQUIVTYPES static int insert_type_rule(avtab_key_t *k, avtab_datum_t *d, struct avtab_node *type_rules) @@ -270,100 +281,9 @@ } #endif -static void cond_check_type_rules_list(cond_av_list_t *list) -{ - cond_av_list_t *cur = list; - - while (cur) { - if (cur->node->datum.specified & AVTAB_TYPE) { - if (avtab_search(&policydbp->te_avtab, &cur->node->key, AVTAB_TYPE)) { - fprintf(stderr, "conditional type rule for (%s, %s : %s) conflicts with entry in base policy; " - "conditional rule discarded.\n", policydbp->p_type_val_to_name[cur->node->key.source_type-1], - policydbp->p_type_val_to_name[cur->node->key.target_type-1], - policydbp->p_class_val_to_name[cur->node->key.target_class-1]); - cur->node->parse_context = (void*)0; - } else { - cur->node->parse_context = (void*)1; - } - } else { - cur->node->parse_context = (void*)1; - } - cur = cur->next; - } -} - -/* check for duplicate type rules - this has to be done after all of - * the parsing is finished because the conditional and base type rules - * are collected in the same pass */ -static void cond_check_type_rules(void) -{ - cond_list_t *node; - - for (node = policydbp->cond_list; node != NULL; node = node->next) { - cond_check_type_rules_list(node->true_list); - cond_check_type_rules_list(node->false_list); - } -} +extern char *av_to_string(uint32_t tclass, sepol_access_vector_t av); -extern char *av_to_string(uint32_t tclass, access_vector_t av); -void check_assertion_helper(unsigned int stype, unsigned int ttype, ebitmap_t *tclasses, - access_vector_t *avp, unsigned long line) -{ - avtab_key_t avkey; - avtab_datum_t *avdatump; - unsigned int k; - - - for (k = ebitmap_startbit(tclasses); k < ebitmap_length(tclasses); k++) { - if (!ebitmap_get_bit(tclasses, k)) - continue; - avkey.source_type = stype + 1; - avkey.target_type = ttype + 1; - avkey.target_class = k + 1; - avdatump = avtab_search(&policydb.te_avtab, &avkey, AVTAB_AV); - if (!avdatump) - continue; - - if ((avdatump->specified & AVTAB_ALLOWED) && - (avtab_allowed(avdatump) & avp[k])) { - fprintf(stderr, "assertion on line %ld violated by allow %s %s:%s {%s };\n", line, policydb.p_type_val_to_name[stype], policydb.p_type_val_to_name[ttype], policydb.p_class_val_to_name[k], - av_to_string(k+1, - avtab_allowed(avdatump) & avp[k])); - policydb_errors++; - } - } -} - -void check_assertions(void) -{ - te_assert_t *a, *tmp; - unsigned int i, j; - - a = te_assertions; - while (a) { - for (i = ebitmap_startbit(&a->stypes); i < ebitmap_length(&a->stypes); i++) { - if (!ebitmap_get_bit(&a->stypes, i)) - continue; - if (a->self) { - check_assertion_helper(i, i, &a->tclasses, a->avp, a->line); - } - for (j = ebitmap_startbit(&a->ttypes); j < ebitmap_length(&a->ttypes); j++) { - if (!ebitmap_get_bit(&a->ttypes, j)) - continue; - check_assertion_helper(i, j, &a->tclasses, a->avp, a->line); - } - } - tmp = a; - a = a->next; - ebitmap_destroy(&tmp->stypes); - ebitmap_destroy(&tmp->ttypes); - ebitmap_destroy(&tmp->tclasses); - free(tmp->avp); - free(tmp); - } -} - int display_bools() { int i; @@ -435,12 +355,23 @@ return 0; } +static int check_level(hashtab_key_t key, hashtab_datum_t datum, void *arg) +{ + level_datum_t *levdatum = (level_datum_t *) datum; + + if (!levdatum->isalias && !levdatum->defined) { + fprintf(stderr, "Error: sensitivity %s was not used in a level definition!\n", key); + return -1; + } + return 0; +} + int main(int argc, char **argv) { - security_class_t tclass; - security_id_t ssid, tsid, *sids; - security_context_t scontext; - struct av_decision avd; + sepol_security_class_t tclass; + sepol_security_id_t ssid, tsid, *sids; + sepol_security_context_t scontext; + struct sepol_av_decision avd; class_datum_t *cladatum; char ans[80 + 1], *file = txtfile, *outfile = NULL, *path, *fstype; size_t scontext_len, pathlen; @@ -449,7 +380,7 @@ unsigned int binary = 0, debug = 0; struct val_to_name v; int ret, ch, fd; - unsigned int nel; + unsigned int nel, uret; struct stat sb; void *map; FILE *outfp = NULL; @@ -459,7 +390,7 @@ struct policy_file pf; - while ((ch = getopt(argc, argv, "o:dbVc:")) != EOF) { + while ((ch = getopt(argc, argv, "o:dbMVc:")) != EOF) { switch (ch) { case 'o': outfile = optarg; @@ -474,6 +405,9 @@ case 'V': show_version = 1; break; + case 'M': + mlspol = 1; + break; case 'c': { long int n = strtol(optarg, NULL, 10); if (errno) { @@ -497,11 +431,7 @@ } if (show_version) { -#ifdef CONFIG_SECURITY_SELINUX_MLS - printf("%d-mls (compatibility range %d-%d)\n", policyvers, POLICYDB_VERSION_MAX, POLICYDB_VERSION_MIN); -#else printf("%d (compatibility range %d-%d)\n", policyvers, POLICYDB_VERSION_MAX, POLICYDB_VERSION_MIN); -#endif exit(0); } @@ -540,63 +470,93 @@ pf.type = PF_USE_MEMORY; pf.data = map; pf.len = sb.st_size; + if (policydb_init(&policydb)) { + fprintf(stderr, "%s: policydb_init: Out of memory!\n", argv[0]); + exit(1); + } ret = policydb_read(&policydb, &pf, 1); if (ret) { fprintf(stderr, "%s: error(s) encountered while parsing configuration\n", argv[0]); exit(1); } policydbp = &policydb; + + /* Check Policy Consistency */ + if (policydbp->mls) { + if (!mlspol) { + fprintf(stderr,"%s: MLS policy, but non-MLS" + " is specified\n", argv[0]); + exit(1); + } + } else { + if (mlspol) { + fprintf(stderr,"%s: non-MLS policy, but MLS" + " is specified\n", argv[0]); + exit(1); + } + } } else { - yyin = fopen(file, "r"); + policydb_t parse_policy; + + yyin = fopen(file, "r"); if (!yyin) { fprintf(stderr, "%s: unable to open %s\n", argv[0], file); exit(1); } - if (policydb_init(&policydb)) + if (policydb_init(&parse_policy)) exit(1); + /* We build this as a base policy first since that is all the parser understands */ + parse_policy.policy_type = POLICY_BASE; + /* Let sepol know if we are dealing with MLS support */ + parse_policy.mls = mlspol; + id_queue = queue_create(); if (!id_queue) { fprintf(stderr, "%s: out of memory\n", argv[0]); exit(1); } - policydbp = &policydb; - policydb_errors = 0; - pass = 1; + policydbp = &parse_policy; + init_parser(1); if (yyparse() || policydb_errors) { fprintf(stderr, "%s: error(s) encountered while parsing configuration\n", argv[0]); exit(1); } rewind(yyin); - policydb_lineno = 1; + init_parser(2); source_file[0] = '\0'; - source_lineno = 1; yyrestart(yyin); - pass = 2; if (yyparse() || policydb_errors) { fprintf(stderr, "%s: error(s) encountered while parsing configuration\n", argv[0]); exit(1); } queue_destroy(id_queue); - cond_check_type_rules(); - cond_optimize_lists(policydb.cond_list); + if (policydb_errors) + exit(1); + + if (hashtab_map(policydbp->p_levels.table, check_level, NULL)) + exit(1); - check_assertions(); - if (policydb_errors) + if (policydb_init(&policydb)) { + fprintf(stderr, "%s: policydb_init failed\n", argv[0]); exit(1); + } - if (policyvers >= POLICYDB_VERSION_NLCLASS && - policydb.p_classes.nprim < SECCLASS_NETLINK_DNRT_SOCKET) { - fprintf(stderr, "%s: policy lacks new netlink classes, unable to generate policy version %d\n", argv[0], policyvers); + /* Linking takes care of optional avrule blocks */ + if (link_modules(NULL, &parse_policy, NULL, 0, 0)) { + fprintf(stderr, "Error while resolving optionals\n"); exit(1); } - - /* remove type attributes */ - hashtab_map_remove_on_error(policydb.p_types.table, - type_attr_remove, 0, 0); + + if (expand_module(NULL, &parse_policy, &policydb, 0, 1)) { + fprintf(stderr, "Error while expanding policy\n"); + exit(1); + } + policydb_destroy(&parse_policy); + policydbp = &policydb; fclose(yyin); } @@ -614,7 +574,8 @@ exit(1); } - sepol_set_policyvers(policyvers); + policydb.policy_type = POLICY_KERN; + policydb.policyvers = policyvers; pf.type = PF_USE_STDIO; pf.fp = outfp; @@ -626,8 +587,10 @@ } fclose(outfp); } - if (!debug) + if (!debug) { + policydb_destroy(&policydb); exit(0); + } menu: printf("\nSelect an option:\n"); @@ -656,19 +619,19 @@ printf("q) Exit\n"); while (1) { printf("\nChoose: "); - fgets(ans, sizeof(ans), stdin); + FGETS(ans, sizeof(ans), stdin); switch (ans[0]) { case '0': printf("source sid? "); - fgets(ans, sizeof(ans), stdin); + FGETS(ans, sizeof(ans), stdin); ssid = atoi(ans); printf("target sid? "); - fgets(ans, sizeof(ans), stdin); + FGETS(ans, sizeof(ans), stdin); tsid = atoi(ans); printf("target class? "); - fgets(ans, sizeof(ans), stdin); + FGETS(ans, sizeof(ans), stdin); if (isdigit(ans[0])) { tclass = atoi(ans); if (!tclass || tclass > policydb.p_classes.nprim) { @@ -720,7 +683,7 @@ break; case '1': printf("sid? "); - fgets(ans, sizeof(ans), stdin); + FGETS(ans, sizeof(ans), stdin); ssid = atoi(ans); ret = sepol_sid_to_context(ssid, &scontext, &scontext_len); @@ -741,7 +704,7 @@ break; case '2': printf("scontext? "); - fgets(ans, sizeof(ans), stdin); + FGETS(ans, sizeof(ans), stdin); scontext_len = strlen(ans); ans[scontext_len - 1] = 0; ret = sepol_context_to_sid(ans, scontext_len, @@ -766,14 +729,14 @@ ch = ans[0]; printf("source sid? "); - fgets(ans, sizeof(ans), stdin); + FGETS(ans, sizeof(ans), stdin); ssid = atoi(ans); printf("target sid? "); - fgets(ans, sizeof(ans), stdin); + FGETS(ans, sizeof(ans), stdin); tsid = atoi(ans); printf("object class? "); - fgets(ans, sizeof(ans), stdin); + FGETS(ans, sizeof(ans), stdin); if (isdigit(ans[0])) { tclass = atoi(ans); if (!tclass || tclass > policydb.p_classes.nprim) { @@ -816,7 +779,7 @@ break; case '7': printf("pathname? "); - fgets(ans, sizeof(ans), stdin); + FGETS(ans, sizeof(ans), stdin); pathlen = strlen(ans); ans[pathlen - 1] = 0; printf("%s: loading policy configuration from %s\n", argv[0], ans); @@ -854,7 +817,7 @@ break; case '8': printf("fs kdevname? "); - fgets(ans, sizeof(ans), stdin); + FGETS(ans, sizeof(ans), stdin); ans[strlen(ans) - 1] = 0; sepol_fs_sid(ans, &ssid, &tsid); printf("fs_sid %d default_file_sid %d\n", @@ -862,7 +825,7 @@ break; case '9': printf("protocol? "); - fgets(ans, sizeof(ans), stdin); + FGETS(ans, sizeof(ans), stdin); ans[strlen(ans) - 1] = 0; if (!strcmp(ans, "tcp") || !strcmp(ans, "TCP")) protocol = IPPROTO_TCP; @@ -873,14 +836,14 @@ break; } printf("port? "); - fgets(ans, sizeof(ans), stdin); + FGETS(ans, sizeof(ans), stdin); port = atoi(ans); sepol_port_sid(0, 0, protocol, port, &ssid); printf("sid %d\n", ssid); break; case 'a': printf("netif name? "); - fgets(ans, sizeof(ans), stdin); + FGETS(ans, sizeof(ans), stdin); ans[strlen(ans) - 1] = 0; sepol_netif_sid(ans, &ssid, &tsid); printf("if_sid %d default_msg_sid %d\n", @@ -893,7 +856,7 @@ struct in6_addr addr6; printf("protocol family? "); - fgets(ans, sizeof(ans), stdin); + FGETS(ans, sizeof(ans), stdin); ans[strlen(ans) - 1] = 0; if (!strcasecmp(ans, "ipv4")) family = AF_INET; @@ -905,7 +868,7 @@ } printf("node address? "); - fgets(ans, sizeof(ans), stdin); + FGETS(ans, sizeof(ans), stdin); ans[strlen(ans) - 1] = 0; if (family == AF_INET) { @@ -927,10 +890,10 @@ } case 'c': printf("fstype? "); - fgets(ans, sizeof(ans), stdin); + FGETS(ans, sizeof(ans), stdin); ans[strlen(ans) - 1] = 0; - sepol_fs_use(ans, &ret, &ssid); - switch (ret) { + sepol_fs_use(ans, &uret, &ssid); + switch (uret) { case SECURITY_FS_USE_XATTR: printf("use xattr\n"); break; @@ -951,15 +914,15 @@ break; case 'd': printf("fstype? "); - fgets(ans, sizeof(ans), stdin); + FGETS(ans, sizeof(ans), stdin); ans[strlen(ans) - 1] = 0; fstype = strdup(ans); printf("path? "); - fgets(ans, sizeof(ans), stdin); + FGETS(ans, sizeof(ans), stdin); ans[strlen(ans) - 1] = 0; path = strdup(ans); printf("object class? "); - fgets(ans, sizeof(ans), stdin); + FGETS(ans, sizeof(ans), stdin); if (isdigit(ans[0])) { tclass = atoi(ans); if (!tclass || tclass > policydb.p_classes.nprim) { @@ -983,12 +946,12 @@ break; case 'e': printf("from SID? "); - fgets(ans, sizeof(ans), stdin); + FGETS(ans, sizeof(ans), stdin); ans[strlen(ans) - 1] = 0; ssid = atoi(ans); printf("username? "); - fgets(ans, sizeof(ans), stdin); + FGETS(ans, sizeof(ans), stdin); ans[strlen(ans) - 1] = 0; ret = sepol_get_user_sids(ssid, ans, &sids, &nel); @@ -1019,7 +982,7 @@ break; case 'h': printf("name? "); - fgets(ans, sizeof(ans), stdin); + FGETS(ans, sizeof(ans), stdin); ans[strlen(ans) - 1] = 0; name = malloc((strlen(ans) + 1) * sizeof(char)); @@ -1031,7 +994,7 @@ printf("state? "); - fgets(ans, sizeof(ans), stdin); + FGETS(ans, sizeof(ans), stdin); ans[strlen(ans) - 1] = 0; if (atoi(ans)) ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/checkpolicy.h#7 (text+ko) ==== @@ -1,14 +1,14 @@ #ifndef _CHECKPOLICY_H_ #define _CHECKPOLICY_H_ -#include +#include typedef struct te_assert { ebitmap_t stypes; ebitmap_t ttypes; ebitmap_t tclasses; int self; - access_vector_t *avp; + sepol_access_vector_t *avp; unsigned long line; struct te_assert *next; } te_assert_t; ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/policy_parse.y#8 (text+ko) ==== @@ -3,11 +3,23 @@ * Author : Stephen Smalley, */ -/* Updated: David Caplan, +/* + * Updated: Trusted Computer Solutions, Inc. + * + * Support for enhanced MLS infrastructure. + * + * Updated: David Caplan, * * Added conditional policy language extensions * - * Copyright (C) 2003 - 2004 Tresys Technology, LLC + * Updated: Joshua Brindle + * Karl MacMillan + * Jason Tang + * + * Added support for binary policy modules + * + * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. + * Copyright (C) 2003 - 2005 Tresys Technology, LLC * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation, version 2. @@ -17,45 +29,60 @@ %{ #include +#include +#include #include +#include +#include +#include #include #include #include +#include -#include -#include -#include -#include +#include +#include +#include +#include +#include +#include #include "queue.h" #include "checkpolicy.h" +#include "module_compiler.h" /* * We need the following so we have a valid error return code in yacc * when we have a parse error for a conditional rule. We can't check * for NULL (ie 0) because that is a potentially valid return. */ -static cond_av_list_t *conditional_unused_error_code; -#define COND_ERR (cond_av_list_t *)&conditional_unused_error_code +static avrule_t *conditional_unused_error_code; +#define COND_ERR (avrule_t *)&conditional_unused_error_code #define TRUE 1 #define FALSE 0 policydb_t *policydbp; queue_t id_queue = 0; -unsigned int pass; +static unsigned int pass; char *curfile = 0; -unsigned int curline; +int mlspol = 0; extern unsigned long policydb_lineno; +extern unsigned long source_lineno; +extern unsigned int policydb_errors; +extern unsigned int policyvers; extern char yytext[]; +extern int yylex(void); extern int yywarn(char *msg); extern int yyerror(char *msg); -static char errormsg[255]; +#define ERRORMSG_LEN 255 +static char errormsg[ERRORMSG_LEN + 1] = {0}; static int insert_separator(int push); static int insert_id(char *id,int push); +static int id_has_dot(char *id); static int define_class(void); static int define_initial_sid(void); static int define_common_perms(void); @@ -64,10 +91,9 @@ static int define_dominance(void); static int define_category(void); static int define_level(void); -static int define_common_base(void); -static int define_av_base(void); static int define_attrib(void); static int define_typealias(void); +static int define_typeattribute(void); static int define_type(int alias); static int define_compute_type(int which); static int define_te_avtab(int which); @@ -75,16 +101,16 @@ static role_datum_t *merge_roles_dom(role_datum_t *r1,role_datum_t *r2); static role_datum_t *define_role_dom(role_datum_t *r); static int define_role_trans(void); +static int define_range_trans(void); static int define_role_allow(void); static int define_constraint(constraint_expr_t *expr); -static int define_bool(); -static int define_conditional(cond_expr_t *expr,cond_av_list_t *t_list, cond_av_list_t *f_list ); +static int define_validatetrans(constraint_expr_t *expr); +static int define_bool(void); +static int define_conditional(cond_expr_t *expr, avrule_t *t_list, avrule_t *f_list ); static cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void* arg2); -static cond_av_list_t *define_cond_pol_list(cond_av_list_t *avlist, cond_av_list_t *stmt); -static cond_av_list_t *define_cond_compute_type(int which); -static cond_av_list_t *define_cond_te_avtab(int which); -static cond_av_list_t *cond_list_append(cond_av_list_t *sl, avtab_key_t *key, avtab_datum_t *datum); -static void cond_reduce_insert_list(cond_av_list_t *new, cond_av_list_t **active, cond_av_list_t **inactive, int state ); +static avrule_t *define_cond_pol_list(avrule_t *avlist, avrule_t *stmt); +static avrule_t *define_cond_compute_type(int which); +static avrule_t *define_cond_te_avtab(int which); static uintptr_t define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2); static int define_user(void); static int parse_security_context(context_struct_t *c); @@ -96,31 +122,38 @@ static int define_netif_context(void); static int define_ipv4_node_context(unsigned int addr, unsigned int mask); static int define_ipv6_node_context(void); + +typedef int (* require_func_t)(); + %} %union { unsigned int val; uintptr_t valptr; void *ptr; + require_func_t require_func; } -%type cond_expr cond_expr_prim cond_pol_list +%type cond_expr cond_expr_prim cond_pol_list cond_else %type cond_allow_def cond_auditallow_def cond_auditdeny_def cond_dontaudit_def %type cond_transition_def cond_te_avtab_def cond_rule_def %type role_def roles -%type cexpr cexpr_prim op roleop +%type cexpr cexpr_prim op role_mls_op %type ipv4_addr_def number +%type require_decl_def %token PATH %token CLONE %token COMMON %token CLASS %token CONSTRAIN +%token VALIDATETRANS %token INHERITS %token SID %token ROLE %token ROLES %token TYPEALIAS +%token TYPEATTRIBUTE %token TYPE %token TYPES %token ALIAS @@ -132,12 +165,15 @@ %token TYPE_MEMBER %token TYPE_CHANGE %token ROLE_TRANSITION +%token RANGE_TRANSITION %token SENSITIVITY %token DOMINANCE %token DOM DOMBY INCOMP %token CATEGORY %token LEVEL -%token RANGES +%token RANGE +%token MLSCONSTRAIN +%token MLSVALIDATETRANS %token USER %token NEVERALLOW %token ALLOW @@ -150,7 +186,7 @@ %token FSCON PORTCON NETIFCON NODECON %token FSUSEXATTR FSUSETASK FSUSETRANS %token GENFSCON -%token U1 U2 R1 R2 T1 T2 +%token U1 U2 U3 R1 R2 R3 T1 T2 T3 L1 L2 H1 H2 %token NOT AND OR XOR %token CTRUE CFALSE %token IDENTIFIER @@ -159,6 +195,7 @@ %token EQUALS %token NOTEQUAL %token IPV6_ADDR +%token MODULE VERSION_IDENTIFIER REQUIRE OPTIONAL %left OR %left XOR @@ -166,12 +203,17 @@ %right NOT %left EQUALS NOTEQUAL %% -policy : classes initial_sids access_vectors - { if (pass == 1) { if (policydb_index_classes(policydbp)) return -1; } } +policy : base_policy + | module_policy + ; +base_policy : { if (define_policy(pass, 0) == -1) return -1; } + classes initial_sids access_vectors + { if (pass == 1) { if (policydb_index_classes(policydbp)) return -1; } + else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1; }} opt_mls te_rbac users opt_constraints { if (pass == 1) { if (policydb_index_bools(policydbp)) return -1;} - if (pass == 2) { if (policydb_index_others(policydbp, 1)) return -1;} } - initial_sid_contexts opt_fs_contexts fs_uses opt_genfs_contexts net_contexts + else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1;}} + initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts ; classes : class_def | classes class_def @@ -209,7 +251,7 @@ opt_mls : mls | ; -mls : sensitivities dominance opt_categories levels base_perms +mls : sensitivities dominance opt_categories levels mlspolicy ; sensitivities : sensitivity_def | sensitivities sensitivity_def @@ -244,39 +286,26 @@ {if (define_level()) return -1;} | LEVEL identifier ';' {if (define_level()) return -1;} - ; -base_perms : opt_common_base av_base ; -opt_common_base : common_base - | - ; -common_base : common_base_def - | common_base common_base_def +mlspolicy : mlspolicy_decl + | mlspolicy mlspolicy_decl ; -common_base_def : COMMON identifier '{' perm_base_list '}' - {if (define_common_base()) return -1;} +mlspolicy_decl : mlsconstraint_def + | mlsvalidatetrans_def ; -av_base : av_base_def - | av_base av_base_def +mlsconstraint_def : MLSCONSTRAIN names names cexpr ';' + { if (define_constraint((constraint_expr_t*)$4)) return -1; } ; -av_base_def : CLASS identifier '{' perm_base_list '}' - {if (define_av_base()) return -1;} - | CLASS identifier - {if (define_av_base()) return -1;} +mlsvalidatetrans_def : MLSVALIDATETRANS names cexpr ';' + { if (define_validatetrans((constraint_expr_t*)$3)) return -1; } ; -perm_base_list : perm_base - | perm_base_list perm_base - ; -perm_base : identifier ':' identifier - {if (insert_separator(0)) return -1;} - | identifier ':' '{' identifier_list '}' - {if (insert_separator(0)) return -1;} - ; te_rbac : te_rbac_decl | te_rbac te_rbac_decl ; te_rbac_decl : te_decl | rbac_decl + | cond_stmt_def + | optional_block | ';' ; rbac_decl : role_type_def @@ -287,10 +316,11 @@ te_decl : attribute_def | type_def | typealias_def + | typeattribute_def | bool_def | transition_def + | range_trans_def | te_avtab_def - | cond_stmt_def ; attribute_def : ATTRIBUTE identifier ';' { if (define_attrib()) return -1;} @@ -303,6 +333,9 @@ typealias_def : TYPEALIAS identifier alias_def ';' {if (define_typealias()) return -1;} ; +typeattribute_def : TYPEATTRIBUTE identifier id_comma_list ';' + {if (define_typeattribute()) return -1;} + ; opt_attr_list : ',' id_comma_list | ; @@ -314,19 +347,13 @@ | CFALSE { if (insert_id("F",0)) return -1; } ; -cond_stmt_def : IF cond_expr '{' cond_pol_list '}' - { if (pass == 2) { if (define_conditional((cond_expr_t*)$2, (cond_av_list_t*)$4,(cond_av_list_t*) 0) < 0) return -1; }} - | IF cond_expr '{' cond_pol_list '}' ELSE '{' cond_pol_list '}' - { if (pass == 2) { if (define_conditional((cond_expr_t*)$2,(cond_av_list_t*)$4,(cond_av_list_t*)$8) < 0 ) return -1; }} - | IF cond_expr '{' cond_pol_list '}' ELSE '{' '}' - { if (pass == 2) { if (define_conditional((cond_expr_t*)$2,(cond_av_list_t*)$4,(cond_av_list_t*) 0) < 0 ) return -1; }} - | IF cond_expr '{' '}' ELSE '{' cond_pol_list '}' - { if (pass == 2) { if (define_conditional((cond_expr_t*)$2,(cond_av_list_t*) 0,(cond_av_list_t*) $7) < 0 ) return -1; }} - | IF cond_expr '{' '}' ELSE '{' '}' >>> TRUNCATED FOR MAIL (1000 lines) <<<