From owner-p4-projects@FreeBSD.ORG Tue May 16 19:17:36 2006 Return-Path: X-Original-To: p4-projects@freebsd.org Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 28A4116A620; Tue, 16 May 2006 19:17:36 +0000 (UTC) X-Original-To: perforce@freebsd.org Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1E8BF16A5A4 for ; Tue, 16 May 2006 19:17:34 +0000 (UTC) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id C4D9143D45 for ; Tue, 16 May 2006 19:17:33 +0000 (GMT) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id k4GJHGig078911 for ; Tue, 16 May 2006 19:17:16 GMT (envelope-from millert@freebsd.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.6/8.13.4/Submit) id k4GJHGN0078908 for perforce@freebsd.org; Tue, 16 May 2006 19:17:16 GMT (envelope-from millert@freebsd.org) Date: Tue, 16 May 2006 19:17:16 GMT Message-Id: <200605161917.k4GJHGN0078908@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to millert@freebsd.org using -f 
From: Todd Miller To: Perforce Change Reviews Cc: Subject: PERFORCE change 97285 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 May 2006 19:17:40 -0000 http://perforce.freebsd.org/chv.cgi?CH=97285 Change 97285 by millert@millert_p4 on 2006/05/16 19:17:01 Adapt to new SEBSD kernel bits.
Affected files ...
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/Makefile#24 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/Makefile#4 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/access_vectors#9 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/mkaccess_vector.sh#3 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/mkflask.sh#3 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/Makefile#24 (text+ko) ====
@@ -18,9 +18,13 @@
 FLASKDIR = flask/
 PREFIX = /usr
-LOADPOLICY = /usr/sbin/sebsd_loadpolicy
-CHECKPOLICY = /sbin/sebsd_checkpolicy
-SETFILES = /sbin/sebsd_setfiles
+.if exists($(DESTDIR)/usr/bin/checkpolicy)
+CHECKPOLICY = $(DESTDIR)/usr/bin/checkpolicy
+.else
+CHECKPOLICY = /usr/bin/checkpolicy
+.endif
+LOADPOLICY = $(DESTDIR)/usr/sbin/load_policy
+SETFILES = $(DESTDIR)/usr/sbin/setfiles
 .if (POLICYVERCOMPAT)
 POLICYVERTMP = $(POLICYVERCOMPAT)
 POLICYVERCOMPATARGS = -c $(POLICYVERCOMPAT)
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/Makefile#4 (text+ko) ====
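Review bot: The `.if exists(...)` fallback covers only CHECKPOLICY; LOADPOLICY and SETFILES are fixed to `$(DESTDIR)/usr/sbin/load_policy` and `$(DESTDIR)/usr/sbin/setfiles`, so a build with DESTDIR pointing at a staging tree that lacks those two tools compiles the policy and then fails in the load and relabel steps with a missing command, while an empty DESTDIR silently selects the host tools for all three. Either guard the other two the same way, `.if exists($(DESTDIR)/usr/sbin/load_policy)` / `LOADPOLICY = $(DESTDIR)/usr/sbin/load_policy` / `.else` ... `.endif`, or state which behaviour is intended in a comment above the block, e.g. `# checkpolicy falls back to the host copy; load_policy and setfiles are deliberately taken from DESTDIR only — confirm`. The targets that invoke these variables are outside the hunk, so whether they are reached during a DESTDIR build cannot be seen here.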
@@ -9,20 +9,22 @@
 FLASK_H_DEPEND = security_classes initial_sids
 AV_H_DEPEND = access_vectors
-FLASK_H_FILES = av_inherit.h av_perm_to_string.h av_permissions.h class_to_string.h common_perm_to_string.h initial_sid_to_string.h
+FLASK_H_FILES = class_to_string.h flask.h initial_sid_to_string.h
+AV_H_FILES = av_inherit.h common_perm_to_string.h av_perm_to_string.h av_permissions.h
+ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES)
-all: flask.h av_permissions.h
+all: $(ALL_H_FILES)
-flask.h: $(FLASK_H_DEPEND)
+$(FLASK_H_FILES): $(FLASK_H_DEPEND)
 /bin/sh ./mkflask.sh $(AWK) $(FLASK_H_DEPEND)
-av_permissions.h: $(AV_H_DEPEND)
+$(AV_H_FILES): $(AV_H_DEPEND)
 /bin/sh ./mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
-install: flask.h av_permissions.h
- install -C -m0644 $(FLASK_H_FILES) $(KERNDIR)/avc
- install -C -m0644 flask.h $(KERNDIR)
+install: all
+ install -C -m 644 ${ALL_H_FILES:Nflask.h} $(KERNDIR)/avc
+ install -C -m 644 flask.h $(KERNDIR)
 clean:
 rm -f $(FLASK_H_FILES)
- rm -f $(FLASK_IH_FILES)
+ rm -f $(AV_H_FILES)
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/access_vectors#9 (text+ko) ====
@@ -248,6 +248,7 @@
 siginh
 setrlimit
 rlimitinh
+ dyntransition
 }
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/mkaccess_vector.sh#3 (text+ko) ====
@@ -5,9 +5,6 @@
 set -e
-#subproject id
-subproject="FLASK"
-
 awk=$1
 shift
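Review bot: `$(FLASK_H_FILES): $(FLASK_H_DEPEND)` and `$(AV_H_FILES): $(AV_H_DEPEND)` are multi-target rules, so every out-of-date header triggers its own run of mkflask.sh or mkaccess_vector.sh, and each run rewrites the whole set of headers; under `make -j` two runs can write the same file at the same time, and `install -C` copying a half-written header into `$(KERNDIR)` would go unnoticed because `install: all` only orders the targets. Generating from one primary target and making its siblings depend on it avoids the repeated runs: `flask.h: $(FLASK_H_DEPEND)` followed by `class_to_string.h initial_sid_to_string.h: flask.h`, and likewise `av_permissions.h` for the other AV headers. The generators themselves are in separate files, so whether they write atomically (to a temp file and rename) is not visible from this hunk.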
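Review bot: `dyntransition` is appended after `rlimitinh`, so the bit positions of the existing permissions in this class are unchanged, but the class header is above the hunk and the class name is not visible (the neighbouring names look like the `process` class). mkaccess_vector.sh in this same change emits single 32-bit vectors (`0x%08xUL`, `permission = permission * 2`) with no overflow check, so every addition to a class needs checking against the 32-permission ceiling; a comment beside the new entry, `# keep this class at or below 32 permissions: mkaccess_vector.sh emits 32-bit vectors`, records the constraint where the next addition will be made. Whether the kernel side of this change already enforces a `dyntransition` check is not shown here.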
@@ -18,9 +15,25 @@
 av_perm_to_string="av_perm_to_string.h"
 cat $* | $awk "
+ # Quicksort function for awk arrays, from The AWK Programming
+ # Language, by Aho, Kernighan and Weinberger.
+ # Call qsort(array, smallestindex, largestindex)
+ function qsort(a,left,right, i,last) {
+ if (left >= right) return
+ swap(a, left, left + int((right-left+1)*rand()))
+ last = left
+ for (i=left+1; i<=right; i++)
+ if (a[i] < a[left]) swap(a, ++last, i)
+ swap(a, left, last)
+ qsort(a, left, last-1)
+ qsort(a, last+1, right)
+ }
+ function swap(a,i,j, t) {
+ t = a[i]; a[i] = a[j]; a[j] = t;
+ }
+
 BEGIN {
 outfile = \"$av_permissions\"
- subproject = \"$subproject\"
 inheritfile = \"$av_inherit\"
 cpermfile = \"$common_perm_to_string\"
 avpermfile = \"$av_perm_to_string\"
@@ -31,27 +44,6 @@
 printf("/* This file is automatically generated. Do not edit. */\n") > cpermfile;
 printf("/* This file is automatically generated. Do not edit. */\n") > avpermfile;
 ;
- printf("/* %s */\n\n", subproject) > outfile;
-
- printf("/* %s */\n\n", subproject) > cpermfile;
-
- printf("/* %s */\n\n", subproject) > inheritfile;
- printf("typedef struct\n") > inheritfile;
- printf("{\n") > inheritfile;
- printf(" security_class_t tclass;\n") > inheritfile;
- printf(" char **common_pts;\n") > inheritfile;
- printf(" access_vector_t common_base;\n") > inheritfile;
- printf("} av_inherit_t;\n\n") > inheritfile;
- printf("static av_inherit_t av_inherit[] = {\n") > inheritfile;
-
- printf("/* %s */\n\n", subproject) > avpermfile;
- printf("typedef struct\n") > avpermfile;
- printf("{\n") > avpermfile;
- printf(" security_class_t tclass;\n") > avpermfile;
- printf(" access_vector_t value;\n") > avpermfile;
- printf(" char *name;\n") > avpermfile;
- printf("} av_perm_to_string_t;\n\n") > avpermfile;
- printf("static av_perm_to_string_t av_perm_to_string[] = {\n") > avpermfile;
 }
 /^[ \t]*#/ {
 next;
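Review bot: The new comment says where `qsort` comes from but not why the script needs a sort at all: awk's `for (i in array)` visits keys in an unspecified order, so without it the `#define` lines for inherited permissions would be emitted in an order that differs between awk implementations and the generated headers would not be reproducible. Suggest a line above the credit: `# Needed because awk's for-in loop has no defined order; inherited permissions are sorted by bit value so the generated headers are stable.` `rand()` is called without `srand()`, which in POSIX awk gives the same sequence every run; the pivot affects only speed, never the sorted result, so a remark such as `# unseeded rand() is intentional: pivot choice does not change the output` would stop someone seeding it "for correctness". The BEGIN block and the rest of the awk program continue past the hunk.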
@@ -74,7 +66,7 @@
 common_name = $2;
 permission = 1;
- printf("static char *common_%s_perm_to_string[] =\n{\n", $2) > cpermfile;
+ printf("TB_(common_%s_perm_to_string)\n", $2) > cpermfile;
 nextstate = "COMMON-OPENBRACKET";
 next;
@@ -123,21 +115,31 @@
 split(combined,separate, SUBSEP);
 if (separate[1] == inherits) {
- printf("#define %s__%s", toupper(tclass), toupper(separate[2])) > outfile;
- spaces = 40 - (length(separate[2]) + length(tclass));
- if (spaces < 1)
- spaces = 1;
- for (i = 0; i < spaces; i++)
- printf(" ") > outfile;
- pt = common_perms[combined];
- printf("0x%08x%08xUL\n", pt>32 ? 2^(pt-33) : 0, pt<33 ? 2^(pt-1) : 0) > outfile;
- #printf("0x%08xUL\n", common_perms[combined]) > outfile;
+ inherited_perms[common_perms[combined]] = separate[2];
 }
 }
+
+ n = 0;
+ for (i in inherited_perms) {
+ n++;
+ ind[n] = i + 0;
+ }
+ qsort(ind, 1, n);
+ for (i = 1; i <= n; i++) {
+ perm = inherited_perms[ind[i]];
+ printf("#define %s__%s", toupper(tclass), toupper(perm)) > outfile;
+ spaces = 40 - (length(perm) + length(tclass));
+ if (spaces < 1)
+ spaces = 1;
+ for (j = 0; j < spaces; j++)
+ printf(" ") > outfile;
+ printf("0x%08xUL\n", ind[i]) > outfile;
+ }
 printf("\n") > outfile;
-
- printf(" { SECCLASS_%s, common_%s_perm_to_string, 0x%08x%08xUL },\n", toupper(tclass), inherits,
- permission>32 ? 2^(permission-33) : 0, permission<33 ? 2^(permission-1) : 0) > inheritfile;
+ for (i in ind) delete ind[i];
+ for (i in inherited_perms) delete inherited_perms[i];
+
+ printf(" S_(SECCLASS_%s, %s, 0x%08xUL)\n", toupper(tclass), inherits, permission) > inheritfile;
 nextstate = "CLASS_OR_CLASS-OPENBRACKET";
 next;
@@ -180,7 +182,7 @@
 printf("#define COMMON_%s__%s", toupper(common_name), toupper($1)) > outfile;
- printf(" \"%s\",\n", $1) > cpermfile;
+ printf(" S_(\"%s\")\n", $1) > cpermfile;
 } else {
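Review bot: `printf("0x%08xUL\n", ind[i])` hands an awk double to `%x`; POSIX leaves the conversion undefined outside the range of a C integer and implementations have differed (some historically went through `int`), so the 32nd bit, 0x80000000, may print correctly on one awk and as a negative or truncated value on another — and `$(AWK)` is whatever the Makefile passes in, so nothing pins this down. An explicit guard before the printf, `if (ind[i] >= 2^32) { printf("inherited permission %s overflows a 32-bit vector\n", perm); exit 1; }`, at least turns a vector that no longer fits into a hard failure instead of a wrong header. Clearing `ind` and `inherited_perms` with `for (i in ...) delete ...[i]` before the next class is right, but `n`, `ind`, `perm` and `j` are awk globals that nothing in the hunk declares, so a one-line comment marking them as scratch for this action would help the next reader. The enclosing `for (combined in common_perms)` loop begins above the hunk.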
@@ -203,7 +205,7 @@
 printf("#define %s__%s", toupper(tclass), toupper($1)) > outfile;
- printf(" { SECCLASS_%s, %s__%s, \"%s\" },\n", toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile;
+ printf(" S_(SECCLASS_%s, %s__%s, \"%s\")\n", toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile;
 }
 spaces = 40 - (length($1) + length(tclass));
@@ -212,8 +214,8 @@
 for (i = 0; i < spaces; i++)
 printf(" ") > outfile;
- printf("0x%08x%08xUL\n", permission>32 ? 2^(permission-33) : 0, permission<33 ? 2^(permission-1) : 0) > outfile;
- permission = permission + 1;
+ printf("0x%08xUL\n", permission) > outfile;
+ permission = permission * 2;
 }
 $1 == "}" {
 if (nextstate != "CLASS-CLOSEBRACKET" &&
@@ -226,7 +228,7 @@
 if (nextstate == "COMMON-CLOSEBRACKET") {
 common_base[common_name] = permission;
- printf("};\n\n") > cpermfile;
+ printf("TE_(common_%s_perm_to_string)\n\n", common_name) > cpermfile;
 }
 printf("\n") > outfile;
@@ -237,17 +239,6 @@
 if (nextstate != "COMMON_OR_AV" &&
 nextstate != "CLASS_OR_CLASS-OPENBRACKET")
 printf("Parse error: Unexpected end of file\n");
- printf("\n/* %s */\n", subproject) > outfile;
-
- printf("\n/* %s */\n", subproject) > cpermfile;
-
- printf("};\n\n") > inheritfile;
- printf("#define AV_INHERIT_SIZE (sizeof(av_inherit)/sizeof(av_inherit_t))\n\n") > inheritfile;
- printf("\n/* %s */\n", subproject) > inheritfile;
-
- printf("};\n\n") > avpermfile;
- printf("#define AV_PERM_TO_STRING_SIZE (sizeof(av_perm_to_string)/sizeof(av_perm_to_string_t))\n\n") > avpermfile;
- printf("\n/* %s */\n", subproject) > avpermfile;
 }'
 # FLASK
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/flask/mkflask.sh#3 (text+ko) ====
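Review bot: `permission = permission * 2` now walks a single 32-bit vector (the two-half `0x%08x%08xUL` form and the `permission + 1` counter are gone), but nothing stops the walk at 32 entries: a 33rd permission in any class is printed as whatever `%08x` makes of 2^32 and the resulting `#define` is wrong with no diagnostic from the generator. A guard in front of the printf, `if (permission >= 2^32) { printf("too many permissions in class %s\n", tclass); exit 1; }`, makes the limit explicit; `tclass` is already used by the `#define` printf just above in the same action, so it is in scope. Note also that `common_base[common_name] = permission` in the `-226` hunk now stores the next free bit mask rather than a count, so any consumer of `common_base` that still expects a count needs checking — none is visible in this view. The `$1 == "}"` action continues below the hunk.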
@@ -23,15 +23,12 @@
 printf("/* This file is automatically generated. Do not edit. */\n") > outfile;
- printf("#ifndef _LINUX_FLASK_H_\n") > outfile;
- printf("#define _LINUX_FLASK_H_\n") > outfile;
- printf("\n#include \n") > outfile;
-
+ printf("#ifndef _SELINUX_FLASK_H_\n") > outfile;
+ printf("#define _SELINUX_FLASK_H_\n") > outfile;
 printf("\n/*\n * Security object class definitions\n */\n") > outfile;
 printf("/* This file is automatically generated. Do not edit. */\n") > debugfile;
 printf("/*\n * Security object class definitions\n */\n") > debugfile;
- printf("static char *class_to_string[] =\n{\n") > debugfile;
- printf(" \"null\",\n") > debugfile;
+ printf(" S_(\"null\")\n") > debugfile;
 printf("/* This file is automatically generated. Do not edit. */\n") > debugfile2;
 printf("static char *initial_sid_to_string[] =\n{\n") > debugfile2;
 printf(" \"null\",\n") > debugfile2;
@@ -60,13 +57,12 @@
 printf(" ") > outfile;
 printf("%d\n", class_value) > outfile;
- printf(" \"%s\",\n", $2) > debugfile;
+ printf(" S_(\"%s\")\n", $2) > debugfile;
 }
 $1 == "sid" {
 if (nextstate == "CLASS") {
 nextstate = "SID";
- printf("};\n\n") > debugfile;
 printf("\n/*\n * Security identifier indices for initial entities\n */\n") > outfile;
 }
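Review bot: `class_to_string` and `initial_sid_to_string` now follow different conventions in the same BEGIN block: the first loses its `static char *...[] = {` opener (and, in the second hunk, its `};` closer) and is emitted as bare `S_(...)` entries for a macro the including kernel file must define, while the `debugfile2` lines directly below still produce a complete `static char *initial_sid_to_string[] = {` array with a plain `"null",` entry. That asymmetry may be exactly what the new kernel headers expect, but nothing in the script says so; a comment before the first `S_` printf, `# class_to_string.h is a bare list of S_() entries wrapped by the kernel's own array definition; initial_sid_to_string.h stays a complete array`, would stop a later edit from "harmonising" one with the other. The removed `#include` line has lost its header name in this rendering, so what flask.h used to pull in, and what its includer must now supply, cannot be read off the hunk. The awk program continues on both sides of these hunks.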