Date:      Tue, 16 May 2006 19:17:16 GMT
From:      Todd Miller <millert@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 97285 for review
Message-ID:  <200605161917.k4GJHGN0078908@repoman.freebsd.org>

http://perforce.freebsd.org/chv.cgi?CH=97285

Change 97285 by millert@millert_p4 on 2006/05/16 19:17:01

	Adapt to new SEBSD kernel bits.

Affected files ...

.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/Makefile#24 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/Makefile#4 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/access_vectors#9 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/mkaccess_vector.sh#3 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/mkflask.sh#3 edit

Differences ...

==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/Makefile#24 (text+ko) ====

@@ -18,9 +18,13 @@
 
 FLASKDIR = flask/
 PREFIX = /usr
-LOADPOLICY  = /usr/sbin/sebsd_loadpolicy
-CHECKPOLICY = /sbin/sebsd_checkpolicy
-SETFILES = /sbin/sebsd_setfiles
+.if exists($(DESTDIR)/usr/bin/checkpolicy)
+CHECKPOLICY = $(DESTDIR)/usr/bin/checkpolicy
+.else
+CHECKPOLICY = /usr/bin/checkpolicy
+.endif
+LOADPOLICY  = $(DESTDIR)/usr/sbin/load_policy
+SETFILES = $(DESTDIR)/usr/sbin/setfiles
 .if (POLICYVERCOMPAT)
 POLICYVERTMP = $(POLICYVERCOMPAT)
 POLICYVERCOMPATARGS = -c $(POLICYVERCOMPAT)
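Review bot: The new tool paths hard-code `/usr` even though `PREFIX = /usr` is set two lines above them, and only CHECKPOLICY gets the `exists()` fallback while LOADPOLICY and SETFILES are taken from `$(DESTDIR)` unconditionally, so a build with DESTDIR pointing at a tree where the tools are not installed yet fails at the load_policy/setfiles step instead of falling back to the host binaries the way checkpolicy does. I would derive all three from PREFIX, e.g. `CHECKPOLICY = $(DESTDIR)$(PREFIX)/bin/checkpolicy`, and either give the other two the same `exists()` guard or add a comment saying they are deliberately expected under DESTDIR. When DESTDIR is empty the `.if` and `.else` branches resolve to the same path, which is harmless but deserves a one-line comment so the next reader does not take the test for a typo.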

==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/Makefile#4 (text+ko) ====

@@ -9,20 +9,22 @@
 FLASK_H_DEPEND = security_classes initial_sids
 AV_H_DEPEND = access_vectors
 
-FLASK_H_FILES = av_inherit.h av_perm_to_string.h av_permissions.h class_to_string.h common_perm_to_string.h initial_sid_to_string.h
+FLASK_H_FILES = class_to_string.h flask.h initial_sid_to_string.h
+AV_H_FILES = av_inherit.h common_perm_to_string.h av_perm_to_string.h av_permissions.h
+ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES)
 
-all: flask.h av_permissions.h
+all: $(ALL_H_FILES)
 
-flask.h: $(FLASK_H_DEPEND)
+$(FLASK_H_FILES): $(FLASK_H_DEPEND)
 	/bin/sh ./mkflask.sh $(AWK) $(FLASK_H_DEPEND)
 
-av_permissions.h: $(AV_H_DEPEND)
+$(AV_H_FILES): $(AV_H_DEPEND)
 	/bin/sh ./mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
 
-install: flask.h av_permissions.h
-	install -C -m0644 $(FLASK_H_FILES) $(KERNDIR)/avc
-	install -C -m0644 flask.h $(KERNDIR)
+install: all
+	install -C -m 644 ${ALL_H_FILES:Nflask.h} $(KERNDIR)/avc
+	install -C -m 644 flask.h $(KERNDIR)
 
 clean:  
 	rm -f $(FLASK_H_FILES)
-	rm -f $(FLASK_IH_FILES)
+	rm -f $(AV_H_FILES)
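Review bot: `$(FLASK_H_FILES): $(FLASK_H_DEPEND)` and `$(AV_H_FILES): $(AV_H_DEPEND)` attach the generator recipe to three and four separate targets, but a single run of mkflask.sh or mkaccess_vector.sh already writes every file in its set, so a serial `make all` with stale headers can run each script several times and a `make -j` run has concurrent invocations rewriting the same output files underneath each other. I would hang each recipe on one stamp file and let the header set depend on the stamp, as in the rewrite below, so the script runs exactly once per rebuild. The `${ALL_H_FILES:Nflask.h}` modifier is bmake-specific, which is consistent with the `.if exists()` in the parent Makefile, but mixing `${}` and `$()` in the same rule is worth normalising. Whether bmake treats a recipe-less target whose only prerequisite is the stamp as satisfied once the stamp is rebuilt should be confirmed before merging.
```make
# One script run writes the whole header set; hang the recipe on a stamp
# so it runs once per rebuild and does not race under -j.
.flask.stamp: $(FLASK_H_DEPEND)
	/bin/sh ./mkflask.sh $(AWK) $(FLASK_H_DEPEND)
	touch $@
$(FLASK_H_FILES): .flask.stamp

.av.stamp: $(AV_H_DEPEND)
	/bin/sh ./mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
	touch $@
$(AV_H_FILES): .av.stamp

# … unchanged: install …

clean:
	rm -f $(FLASK_H_FILES) $(AV_H_FILES) .flask.stamp .av.stamp
```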

==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/access_vectors#9 (text+ko) ====

@@ -248,6 +248,7 @@
 	siginh
 	setrlimit
 	rlimitinh
+	dyntransition
 }
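Review bot: `dyntransition` is appended as the last entry of the permission list, which is the right place: mkaccess_vector.sh assigns each permission the next power-of-two bit in file order (`permission = permission * 2`), so inserting a name anywhere but the end would silently renumber every following bit in the generated av_permissions.h and break binary compatibility with an already installed policy. That ordering constraint is not written down anywhere in access_vectors; I would add a comment at the head of the class, e.g. `# Bits are assigned in list order; append new permissions at the end.` The enclosing class definition starts outside this hunk, so the class name is not visible here.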
 
 

==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/mkaccess_vector.sh#3 (text+ko) ====

@@ -5,9 +5,6 @@
 
 set -e
 
-#subproject id
-subproject="FLASK"
-
 awk=$1
 shift
 
@@ -18,9 +15,25 @@
 av_perm_to_string="av_perm_to_string.h"
 
 cat $* | $awk "
+	# Quicksort function for awk arrays, from The AWK Programming
+	# Language, by Aho, Kernighan and Weinberger.
+	# Call qsort(array, smallestindex, largestindex)
+	function qsort(a,left,right,	i,last) {
+		if (left >= right) return
+		swap(a, left, left + int((right-left+1)*rand()))
+		last = left
+		for (i=left+1; i<=right; i++)
+		    if (a[i] < a[left]) swap(a, ++last, i)
+		swap(a, left, last)
+		qsort(a, left, last-1)
+		qsort(a, last+1, right)
+	}
+	function swap(a,i,j,	t) {
+		t = a[i]; a[i] = a[j]; a[j] = t;
+	}
+
 BEGIN	{
 		outfile = \"$av_permissions\"
-		subproject = \"$subproject\"
 		inheritfile = \"$av_inherit\"
 		cpermfile = \"$common_perm_to_string\"
 		avpermfile = \"$av_perm_to_string\"
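Review bot: `qsort` orders elements with `a[i] < a[left]`, and in awk a comparison whose operands are not both numeric is done as a string comparison, so the sort only puts bit values in numeric order because the caller stores them as `i + 0`; an array filled straight from `for (i in ...)` keys would sort "16" before "2". That precondition belongs in the function header: `# Elements must be numeric (store them as i + 0); string values sort lexically.` The pivot choice uses rand() without srand(), which is fine here because it only affects recursion depth, not the sorted result. The awk program these functions are added to begins at `cat $* | $awk "` and continues well past this hunk.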
@@ -31,27 +44,6 @@
 		printf("/* This file is automatically generated.  Do not edit. */\n") > cpermfile;
 		printf("/* This file is automatically generated.  Do not edit. */\n") > avpermfile;
 ;
-		printf("/* %s */\n\n", subproject) > outfile;
-
-		printf("/* %s */\n\n", subproject) > cpermfile;
-
-		printf("/* %s */\n\n", subproject) > inheritfile;
-		printf("typedef struct\n") > inheritfile;
-		printf("{\n") > inheritfile;
-		printf("    security_class_t tclass;\n") > inheritfile;
-		printf("    char **common_pts;\n") > inheritfile; 
-		printf("    access_vector_t common_base;\n") > inheritfile; 
-		printf("} av_inherit_t;\n\n") > inheritfile;
-		printf("static av_inherit_t av_inherit[] = {\n") > inheritfile;
-	
-		printf("/* %s */\n\n", subproject) > avpermfile;
-		printf("typedef struct\n") > avpermfile;
-		printf("{\n") > avpermfile;
-		printf("    security_class_t tclass;\n") > avpermfile;
-		printf("    access_vector_t value;\n") > avpermfile; 
-		printf("    char *name;\n") > avpermfile; 
-		printf("} av_perm_to_string_t;\n\n") > avpermfile;
-		printf("static av_perm_to_string_t av_perm_to_string[] = {\n") > avpermfile;
 	}
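Review bot: With the typedefs and array openers removed, av_inherit.h, av_perm_to_string.h and common_perm_to_string.h are no longer self-contained: they now expand to bare `S_(...)`, `TB_(...)` and `TE_(...)` invocations that only compile if the including kernel file defines those macros first, and nothing in the generated output says so. I would have BEGIN emit that contract right after the "automatically generated" line, e.g. `printf("/* Expects S_(), TB_() and TE_() to be defined by the includer. */\n") > avpermfile;` and the same for inheritfile and cpermfile, so a stray `#include` fails with a readable message. The BEGIN block itself starts outside this hunk.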
 /^[ \t]*#/	{ 
 			next;
@@ -74,7 +66,7 @@
 			common_name = $2; 
 			permission = 1;
 
-			printf("static char *common_%s_perm_to_string[] =\n{\n", $2) > cpermfile;
+			printf("TB_(common_%s_perm_to_string)\n", $2) > cpermfile;
 
 			nextstate = "COMMON-OPENBRACKET";
 			next;
@@ -123,21 +115,31 @@
 				split(combined,separate, SUBSEP);
 				if (separate[1] == inherits)
 				{
-					printf("#define %s__%s", toupper(tclass), toupper(separate[2])) > outfile; 
-					spaces = 40 - (length(separate[2]) + length(tclass));
-					if (spaces < 1)
-					      spaces = 1;
-					for (i = 0; i < spaces; i++) 
-						printf(" ") > outfile; 
-					pt = common_perms[combined];
-					printf("0x%08x%08xUL\n", pt>32 ? 2^(pt-33) : 0, pt<33 ? 2^(pt-1) : 0) > outfile;
-					#printf("0x%08xUL\n", common_perms[combined]) > outfile; 
+					inherited_perms[common_perms[combined]] = separate[2];
 				}
 			}
+
+                        n = 0;
+                        for (i in inherited_perms) {
+                            n++;
+                            ind[n] = i + 0;
+                        }
+                        qsort(ind, 1, n);
+			for (i = 1; i <= n; i++) {
+				perm = inherited_perms[ind[i]];
+				printf("#define %s__%s", toupper(tclass), toupper(perm)) > outfile; 
+				spaces = 40 - (length(perm) + length(tclass));
+				if (spaces < 1)
+				      spaces = 1;
+				for (j = 0; j < spaces; j++) 
+					printf(" ") > outfile; 
+				printf("0x%08xUL\n", ind[i]) > outfile; 
+			}
 			printf("\n") > outfile;
-	
-			printf("   { SECCLASS_%s, common_%s_perm_to_string, 0x%08x%08xUL },\n", toupper(tclass), inherits,
-				permission>32 ? 2^(permission-33) : 0, permission<33 ? 2^(permission-1) : 0) > inheritfile; 
+                        for (i in ind) delete ind[i];
+                        for (i in inherited_perms) delete inherited_perms[i];
+
+			printf("   S_(SECCLASS_%s, %s, 0x%08xUL)\n", toupper(tclass), inherits, permission) > inheritfile; 
 
 			nextstate = "CLASS_OR_CLASS-OPENBRACKET";
 			next;
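Review bot: The `for (i in inherited_perms)` loop at the top of the new block walks the array in whatever order the awk implementation chooses, and the following `qsort(ind, 1, n)` is the only thing that makes the `#define` lines come out in bit order; that intent is not recorded, so a later cleanup could drop the sort as redundant and make av_permissions.h differ between awks. I would add `# for-in order is unspecified in awk; sort by bit value so the generated header is stable` above the loop. Note also that the inherited defines now print a single 32-bit word (`0x%08xUL`) where the old code emitted a 64-bit pair; that matches the new `permission` encoding later in the script but means a common permission set beyond 32 bits can no longer be represented here. The enclosing pattern action starts and ends outside this hunk.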
@@ -180,7 +182,7 @@
 
 				printf("#define COMMON_%s__%s", toupper(common_name), toupper($1)) > outfile; 
 
-				printf("    \"%s\",\n", $1) > cpermfile;
+				printf("    S_(\"%s\")\n", $1) > cpermfile;
 			}
 			else
 			{
@@ -203,7 +205,7 @@
 
 				printf("#define %s__%s", toupper(tclass), toupper($1)) > outfile; 
 
-				printf("   { SECCLASS_%s, %s__%s, \"%s\" },\n", toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile; 
+				printf("   S_(SECCLASS_%s, %s__%s, \"%s\")\n", toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile; 
 			}
 
 			spaces = 40 - (length($1) + length(tclass));
@@ -212,8 +214,8 @@
 
 			for (i = 0; i < spaces; i++) 
 				printf(" ") > outfile; 
-			printf("0x%08x%08xUL\n", permission>32 ? 2^(permission-33) : 0, permission<33 ? 2^(permission-1) : 0) > outfile; 
-			permission = permission + 1;
+			printf("0x%08xUL\n", permission) > outfile; 
+			permission = permission * 2;
 		}
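Review bot: `permission = permission * 2` has no upper bound, so a class with more than 32 permissions walks past bit 31 and the `0x%08xUL` line prints a constant that no longer fits an unsigned long on 32-bit targets (the old `0x%08x%08xUL` form carried 64 bits); nothing fails at generation time and the bad constant is only noticed when the kernel is compiled, if at all. I would guard the printf: `if (permission > 2^31) { printf("Class %s has more than 32 permissions\n", tclass); exit 1; }`. With `set -e` at the top of the script, the non-zero awk status then aborts the build instead of leaving a corrupt header behind. The enclosing pattern action starts outside this hunk.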
 $1 == "}"	{
 			if (nextstate != "CLASS-CLOSEBRACKET" && 
@@ -226,7 +228,7 @@
 			if (nextstate == "COMMON-CLOSEBRACKET")
 			{
 				common_base[common_name] = permission;
-				printf("};\n\n") > cpermfile; 
+				printf("TE_(common_%s_perm_to_string)\n\n", common_name) > cpermfile; 
 			}
 
 			printf("\n") > outfile;
@@ -237,17 +239,6 @@
 		if (nextstate != "COMMON_OR_AV" && nextstate != "CLASS_OR_CLASS-OPENBRACKET")
 			printf("Parse error:  Unexpected end of file\n");
 
-		printf("\n/* %s */\n", subproject) > outfile;
-
-		printf("\n/* %s */\n", subproject) > cpermfile;
-	
-		printf("};\n\n") > inheritfile;
-		printf("#define AV_INHERIT_SIZE (sizeof(av_inherit)/sizeof(av_inherit_t))\n\n") > inheritfile;
-		printf("\n/* %s */\n", subproject) > inheritfile;
-
-		printf("};\n\n") > avpermfile;
-		printf("#define AV_PERM_TO_STRING_SIZE (sizeof(av_perm_to_string)/sizeof(av_perm_to_string_t))\n\n") > avpermfile;
-		printf("\n/* %s */\n", subproject) > avpermfile;
 	}'
 
 # FLASK
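Review bot: The `Parse error:  Unexpected end of file` branch in END only prints a message to stdout and lets awk exit 0, so a truncated access_vectors file leaves half-written headers behind and, despite `set -e` at the top of the script, the build carries on as if generation succeeded. I would change it to `printf("Parse error:  Unexpected end of file\n") > "/dev/stderr"; exit 1;` so the pipeline fails and make stops. This hunk only removes the old trailer output; the END block itself is complete within it.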

==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/mkflask.sh#3 (text+ko) ====

@@ -23,15 +23,12 @@
 
 		printf("/* This file is automatically generated.  Do not edit. */\n") > outfile;
 
-		printf("#ifndef _LINUX_FLASK_H_\n") > outfile;
-		printf("#define _LINUX_FLASK_H_\n") > outfile;
-		printf("\n#include <security/sebsd/flask_types.h>\n") > outfile;
-
+		printf("#ifndef _SELINUX_FLASK_H_\n") > outfile;
+		printf("#define _SELINUX_FLASK_H_\n") > outfile;
 		printf("\n/*\n * Security object class definitions\n */\n") > outfile;
 		printf("/* This file is automatically generated.  Do not edit. */\n") > debugfile;
 		printf("/*\n * Security object class definitions\n */\n") > debugfile;
-		printf("static char *class_to_string[] =\n{\n") > debugfile;
-		printf("    \"null\",\n") > debugfile;
+		printf("    S_(\"null\")\n") > debugfile;
 		printf("/* This file is automatically generated.  Do not edit. */\n") > debugfile2;
 		printf("static char *initial_sid_to_string[] =\n{\n") > debugfile2;
 		printf("    \"null\",\n") > debugfile2;
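Review bot: class_to_string.h is switched to the `S_("...")` macro form and its `static char *class_to_string[] =` opener is dropped, but initial_sid_to_string.h, emitted two lines later, keeps the old `static char *initial_sid_to_string[] = { "null",` layout, so two string tables in the same generated set now follow different conventions and need different includers. If that is deliberate it deserves a one-line comment next to the debugfile2 printf; otherwise it should get the same treatment. The guard rename to `_SELINUX_FLASK_H_` presumably has its matching `#endif` emitted in END, which is outside this hunk, and the dropped `#include <security/sebsd/flask_types.h>` means any consumer of flask.h that relied on it for types must now include that header itself.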
@@ -60,13 +57,12 @@
 				printf(" ") > outfile; 
 			printf("%d\n", class_value) > outfile; 
 
-			printf("    \"%s\",\n", $2) > debugfile;
+			printf("    S_(\"%s\")\n", $2) > debugfile;
 		}
 $1 == "sid"	{ 
 			if (nextstate == "CLASS")
 			{
 			    nextstate = "SID";
-			    printf("};\n\n") > debugfile;
 			    printf("\n/*\n * Security identifier indices for initial entities\n */\n") > outfile;			    
 			}
 


