Date: Wed, 25 Oct 2006 20:39:49 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 108424 for review Message-ID: <200610252039.k9PKdn6N070339@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=108424 Change 108424 by millert@millert_macbook on 2006/10/25 20:39:01 Update to checkpolicy-1.32 from the NSA web site. Affected files ... .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/ChangeLog#4 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/Makefile#3 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/VERSION#4 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/module_compiler.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/module_compiler.h#4 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/policy_parse.y#4 edit Differences ...
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/ChangeLog#4 (text+ko) ====
@@ -1,3 +1,10 @@
+1.32 2006-10-17
+ * Updated version for release.
+
+1.30.12 2006-09-28
+ * Merged user and range_transition support for modules from
+ Darrel Goeddel
+
 1.30.11 2006-09-05 * merged range_transition enhancements and user module format changes from Darrel Goeddel
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/Makefile#3 (text+ko) ====
@@ -11,6 +11,8 @@
 all: $(PROG)
+GENERATED=lex.yy.c y.tab.c y.tab.h
+
 $(PROG): $(OBJS) $(CC) $(CFLAGS) -o $@ $^ $(LDADD)
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/VERSION#4 (text+ko) ====
@@ -1,1 +1,1 @@
-1.30.11
+1.32
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/module_compiler.c#4 (text+ko) ====
@@ -937,6 +937,122 @@
 } }
+int require_sens(int pass)
+{
+ char *id = queue_remove(id_queue);
+ level_datum_t *level = NULL;
+ int retval;
+ if (pass == 2) {
+ free(id);
+ return 0;
+ }
+ if (!id) {
+ yyerror("no sensitivity name");
+ return -1;
+ }
+ level = malloc(sizeof(level_datum_t));
+ if (!level) {
+ free(id);
+ yyerror("Out of memory!");
+ return -1;
+ }
+ level_datum_init(level);
+ level->level = malloc(sizeof(mls_level_t));
+ if (!level->level) {
+ free(id);
+ level_datum_destroy(level);
+ free(level);
+ yyerror("Out of memory!");
+ return -1;
+ }
+ mls_level_init(level->level);
+ retval = require_symbol(SYM_LEVELS, id, (hashtab_datum_t *) level,
+ &level->level->sens, &level->level->sens);
+ if (retval != 0) {
+ free(id);
+ mls_level_destroy(level->level);
+ free(level->level);
+ level_datum_destroy(level);
+ free(level);
+ }
+ switch (retval) {
+ case -3:{
+ yyerror("Out of memory!");
+ return -1;
+ }
+ case -2:{
+ yyerror("duplicate declaration of sensitivity");
+ return -1;
+ }
+ case -1:{
+ yyerror("could not require sensitivity here");
+ return -1;
+ }
+ case 0:{
+ return 0;
+ }
+ case 1:{
+ return 0; /* sensitivity already required */
+ }
+ default:{
+ assert(0); /* should never get here */
+ }
+ }
+}
+
+int require_cat(int pass)
+{
+ char *id = queue_remove(id_queue);
+ cat_datum_t *cat = NULL;
+ int retval;
+ if (pass == 2) {
+ free(id);
+ return 0;
+ }
+ if (!id) {
+ yyerror("no category name");
+ return -1;
+ }
+ cat = malloc(sizeof(cat_datum_t));
+ if (!cat) {
+ free(id);
+ yyerror("Out of memory!");
+ return -1;
+ }
+ cat_datum_init(cat);
+
+ retval = require_symbol(SYM_CATS, id, (hashtab_datum_t *) cat,
+ &cat->s.value, &cat->s.value);
+ if (retval != 0) {
+ free(id);
+ cat_datum_destroy(cat);
+ free(cat);
+ }
+ switch (retval) {
+ case -3:{
+ yyerror("Out of memory!");
+ return -1;
+ }
+ case -2:{
+ yyerror("duplicate declaration of category");
+ return -1;
+ }
+ case -1:{
+ yyerror("could not require category here");
+ return -1;
+ }
+ case 0:{
+ return 0;
+ }
+ case 1:{
+ return 0; /* category already required */
+ }
+ default:{
+ assert(0); /* should never get here */
+ }
+ }
+}
+
 static int is_scope_in_stack(scope_datum_t * scope, scope_stack_t * stack) { int i;
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/module_compiler.h#4 (text+ko) ====
@@ -56,6 +56,8 @@
 int require_attribute(int pass); int require_user(int pass); int require_bool(int pass);
+int require_sens(int pass);
+int require_cat(int pass);
 /* Check if an identifier is within the scope of the current * declaration or any of its parents. Return 1 if it is, 0 if not.
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/programs/checkpolicy/policy_parse.y#4 (text+ko) ====
@@ -834,10 +834,8 @@
 | ATTRIBUTE { $$ = require_attribute; } | USER { $$ = require_user; } | BOOL { $$ = require_bool; }
-/* MLS-enabled modules are not implemented at this time.
 | SENSITIVITY { $$ = require_sens; } | CATEGORY { $$ = require_cat; }
-*/
 ; require_id_list : identifier { if ($<require_func>0 (pass)) return -1; }
@@ -1301,7 +1299,7 @@
 yyerror("out of memory"); goto bad; }
- memset(level, 0, sizeof(mls_level_t));
+ mls_level_init(level);
 level->sens = 0; /* actual value set in define_dominance */ ebitmap_init(&level->cat); /* actual value set in define_level */
@@ -1310,7 +1308,7 @@
 yyerror("out of memory"); goto bad; }
- memset(datum, 0, sizeof(level_datum_t));
+ level_datum_init(datum);
 datum->isalias = FALSE; datum->level = level;
@@ -1347,7 +1345,7 @@
 yyerror("out of memory"); goto bad_alias; }
- memset(aliasdatum, 0, sizeof(level_datum_t));
+ level_datum_init(aliasdatum);
 aliasdatum->isalias = TRUE; aliasdatum->level = level;
@@ -1384,15 +1382,19 @@
 free(id); if (level) free(level);
- if (datum)
+ if (datum) {
+ level_datum_destroy(datum);
 free(datum);
+ }
 return -1; bad_alias: if (id) free(id);
- if (aliasdatum)
+ if (aliasdatum) {
+ level_datum_destroy(aliasdatum);
 free(aliasdatum);
+ }
 return -1; }
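Review bot: The `default:` arm of the final switch in require_sens ends with `assert(0)` and nothing else, so with NDEBUG defined control falls off the end of a non-void function and the caller reads an indeterminate return value; require_cat in the same hunk has the same shape. Adding `return -1;` after the assert in both turns an unexpected retval into an ordinary error instead of undefined behaviour. The `retval != 0` branch above the switch already releases id and the datum, so no further cleanup is needed on that path.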
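Review bot: In the `bad:` cleanup of the @@ -1384 hunk, `datum` now gets `level_datum_destroy(datum)` before `free(datum)`, but the `level` it points to (`datum->level = level` is set in the @@ -1310 hunk) is still released one line earlier with a bare `if (level) free(level);`. The require_sens added by this same change tears an `mls_level_t` down with `mls_level_destroy()` before `free()`, so this path looks inconsistent; whether it leaks the level's contents or, if level_datum_destroy already touches `datum->level`, reads memory freed on the previous line depends on level_datum_destroy, whose definition is outside the hunk. Worth confirming and either calling `mls_level_destroy(level)` before `free(level)` or dropping the separate free once datum owns the level. The enclosing function begins before the hunk.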
@@ -1480,7 +1482,7 @@
 yyerror("out of memory"); goto bad; }
- memset(datum, 0, sizeof(cat_datum_t));
+ cat_datum_init(datum);
 datum->isalias = FALSE; ret = declare_symbol(SYM_CATS, id, datum, &value, &value);
@@ -1517,7 +1519,7 @@
 yyerror("out of memory"); goto bad_alias; }
- memset(aliasdatum, 0, sizeof(cat_datum_t));
+ cat_datum_init(aliasdatum);
 aliasdatum->isalias = TRUE; aliasdatum->s.value = datum->s.value;
@@ -1554,15 +1556,19 @@
 bad: if (id) free(id);
- if (datum)
+ if (datum) {
+ cat_datum_destroy(datum);
 free(datum);
+ }
 return -1; bad_alias: if (id) free(id);
- if (aliasdatum)
+ if (aliasdatum) {
+ cat_datum_destroy(aliasdatum);
 free(aliasdatum);
+ }
 return -1; }
@@ -3682,11 +3688,6 @@
 level_datum_t *levdatum; int l;
- if (policydbp->policy_type == POLICY_MOD && mlspol) {
- yyerror("Users cannot be declared in MLS modules");
- return -1;
- }
-
 if (pass == 1) { while ((id = queue_remove(id_queue))) free(id);