PERFORCE change 66109 for review

Andrew Reisse areisse at FreeBSD.org
Tue Nov 30 08:40:36 PST 2004


http://perforce.freebsd.org/chv.cgi?CH=66109

Change 66109 by areisse at areisse_tislabs on 2004/11/30 16:40:09

	Update sebsd_checkpolicy to use the new libsepol library, and other
	changes merged from selinux.

Affected files ...

.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/checkpolicy.c#8 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/checkpolicy.h#4 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/policy_parse.y#5 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/policy_scan.l#4 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/queue.c#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/queue.h#1 branch
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/write.c#3 delete

Differences ...

==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/checkpolicy.c#8 (text+ko) ====

@@ -56,21 +56,24 @@
 #include <sys/stat.h>
 #include <sys/mman.h>
 #include <netinet/in.h>
-#include "linux-compat.h"
 #else /* __FreeBSD__ */
 #include <getopt.h>
 #endif /* __FreeBSD__ */
 
-#include "global.h"
-#include "policydb.h"
-#include "services.h"
+#include <sepol/policydb.h>
+#include <sepol/services.h>
+#include <sepol/conditional.h>
+#include <sepol/flask.h>
+
 #include "queue.h"
 #include "checkpolicy.h"
-#include "security.h"
 
 extern char *optarg;
 extern int optind;
 
+static policydb_t policydb;
+static sidtab_t sidtab;
+
 extern policydb_t *policydbp;
 extern queue_t id_queue;
 extern unsigned int policydb_errors;
@@ -87,12 +90,6 @@
 char *binfile = "policy";
 
 unsigned int policyvers = POLICYDB_VERSION_MAX;
-int selinux_enforcing = 1;
-
-int avc_ss_reset(__u32 seqno)
-{
-	return 0;
-}
 
 void usage(char *progname)
 {
@@ -108,7 +105,7 @@
 	size_t scontext_len;
 	int rc;
 
-	rc = security_sid_to_context(sid, &scontext, &scontext_len);
+	rc = sepol_sid_to_context(sid, &scontext, &scontext_len);
 	if (rc)
 		printf("sid %d -> error %d\n", sid, rc);
 	else {
@@ -452,6 +449,10 @@
 	void *filedata;
 	struct stat sb;
 	size_t filelen;
+	char *name;
+	int state;
+	int show_version = 0;
+	struct policy_file pf;
 
 	while ((ch = getopt(argc, argv, "o:dbVc:")) != EOF) {
 		switch (ch) {
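Review bot: `struct policy_file pf;` is added without an initializer, and the later hunk at `@@ -613,7 +608,12 @@` sets only `pf.type` and `pf.fp` before handing it to `policydb_write`; any other member the library may read stays indeterminate. Declaring it as `struct policy_file pf = {0};` costs nothing and keeps the write path deterministic regardless of which fields the library touches. The new `char *name;` and `int state;` are likewise uninitialized; their uses fall outside this hunk, so I cannot tell whether they are assigned before being read. The enclosing function (`main`) begins and ends outside the hunk.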
@@ -530,15 +531,15 @@
 				close(fd);
 				exit(1);
 	                }
-			ret = security_load_policy(filedata, filelen);
+			ret = sepol_load_policy(filedata, filelen);
 			switch (ret) {
 			case 0:
 				printf("\nsuccess\n");
 				break;
-			case -EINVAL:
+			case EINVAL:
 				printf("\ninvalid policy\n");
 				break;
-			case -ENOMEM:
+			case ENOMEM:
 				printf("\nout of memory\n");
 				break;
 			default:
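Review bot: The error cases here are flipped from `-EINVAL`/`-ENOMEM` to positive `EINVAL`/`ENOMEM`, but the second `sepol_load_policy` call site in the debug menu (hunk `@@ -841,7 +839,7 @@`) shows only its `case 0:` line, so whether its error cases were flipped as well is not visible. If they still test the negative values, a failed reload there silently falls through to `default`. Worth confirming both switches agree on the sign convention libsepol uses. The enclosing switch statement starts and ends outside this hunk.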
@@ -588,12 +589,6 @@
 		if (policydb_errors) 
 			exit(1);
 
-		if (policyvers >= POLICYDB_VERSION_NLCLASS &&
-		    policydb.p_classes.nprim < SECCLASS_NETLINK_DNRT_SOCKET) {
-			fprintf(stderr, "%s:  policy lacks new netlink classes, unable to generate policy version %d\n", argv[0], policyvers);
-			exit(1);
-		}
-	    
 		/* remove type attributes */
 		hashtab_map_remove_on_error(policydb.p_types.table, 
 					    type_attr_remove, 0, 0);
@@ -613,7 +608,12 @@
 			perror(outfile);
 			exit(1);
 		}
-		ret = policydb_write(&policydb, outfp);
+
+                sepol_set_policyvers(policyvers);
+
+                pf.type = PF_USE_STDIO;
+                pf.fp = outfp;
+		ret = policydb_write(&policydb, &pf);
 		if (ret) {
 			fprintf(stderr, "%s:  error writing %s\n",
 				argv[0], outfile);
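Review bot: The return value of `sepol_set_policyvers(policyvers)` is discarded; `policyvers` comes from the `-c` command-line option (the `"o:dbVc:"` getopt string earlier in main), so if the library rejects an out-of-range version through its return value, as later libsepol releases do, the write below still proceeds with whatever version was previously in effect. I would check it the same way the `policydb_write` result is checked two lines below: `if (sepol_set_policyvers(policyvers)) { fprintf(stderr, "%s:  invalid policy version %u\n", argv[0], policyvers); exit(1); }`. Also, the three added lines are indented with spaces while the surrounding code uses tabs. The enclosing block starts outside this hunk.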
@@ -624,8 +624,6 @@
 	if (!debug)
 		exit(0);
 
-	ss_initialized = 1;
-
       menu:
 	printf("\nSelect an option:\n");
 	printf("0)  Call compute_access_vector\n");
@@ -688,7 +686,7 @@
 				printf("\nNo access vector definition for that class\n");
 				break;
 			}
-			ret = security_compute_av(ssid, tsid, tclass, 0, &avd);
+			ret = sepol_compute_av(ssid, tsid, tclass, 0, &avd);
 			allowed = avd.allowed;
 			switch (ret) {
 			case 0:
@@ -721,7 +719,7 @@
 			printf("sid?  ");
 			fgets(ans, sizeof(ans), stdin);
 			ssid = atoi(ans);
-			ret = security_sid_to_context(ssid,
+			ret = sepol_sid_to_context(ssid,
 					       &scontext, &scontext_len);
 			switch (ret) {
 			case 0:
@@ -743,7 +741,7 @@
 			fgets(ans, sizeof(ans), stdin);
 			scontext_len = strlen(ans);
 			ans[scontext_len - 1] = 0;
-			ret = security_context_to_sid(ans, scontext_len,
+			ret = sepol_context_to_sid(ans, scontext_len,
 						      &ssid);
 			switch (ret) {
 			case 0:
@@ -791,11 +789,11 @@
 			}
 
 			if (ch == '3')
-				ret = security_transition_sid(ssid, tsid, tclass, &ssid);
+				ret = sepol_transition_sid(ssid, tsid, tclass, &ssid);
 			else if (ch == '4')
-				ret = security_member_sid(ssid, tsid, tclass, &ssid);
+				ret = sepol_member_sid(ssid, tsid, tclass, &ssid);
 			else 
-				ret = security_change_sid(ssid, tsid, tclass, &ssid);
+				ret = sepol_change_sid(ssid, tsid, tclass, &ssid);
 			switch (ret) {
 			case 0:
 				printf("\nsid %d\n", ssid);
@@ -811,7 +809,7 @@
 			}
 			break;
 		case '6':
-			sidtab_map(&sidtab, print_sid, 0);
+			sepol_sidtab_map(&sidtab, print_sid, 0);
 			break;
 		case '7':
 			printf("pathname?  ");
@@ -841,7 +839,7 @@
 				close(fd);
 				break;
 	                }
-			ret = security_load_policy(filedata, filelen);
+			ret = sepol_load_policy(filedata, filelen);
 			switch (ret) {
 			case 0:
 				printf("\nsuccess\n");
@@ -862,7 +860,7 @@
 			printf("fs kdevname?  ");
 			fgets(ans, sizeof(ans), stdin);
 			ans[strlen(ans) - 1] = 0;
-			security_fs_sid(ans, &ssid, &tsid);
+			sepol_fs_sid(ans, &ssid, &tsid);
 			printf("fs_sid %d default_file_sid %d\n",
 			       ssid, tsid);
 			break;
@@ -881,14 +879,14 @@
 			printf("port? ");
 			fgets(ans, sizeof(ans), stdin);
 			port = atoi(ans);
-			security_port_sid(0, 0, protocol, port, &ssid);
+			sepol_port_sid(0, 0, protocol, port, &ssid);
 			printf("sid %d\n", ssid);
 			break;
 		case 'a':
 			printf("netif name?  ");
 			fgets(ans, sizeof(ans), stdin);
 			ans[strlen(ans) - 1] = 0;
-			security_netif_sid(ans, &ssid, &tsid);
+			sepol_netif_sid(ans, &ssid, &tsid);
 			printf("if_sid %d default_msg_sid %d\n",
 			       ssid, tsid);
 			break;
@@ -929,7 +927,7 @@
 
 			sepol_node_sid(family, p, len, &ssid);
 			addr = inet_addr(ans);
-			security_node_sid(AF_INET, &addr, sizeof addr, &ssid);
+			sepol_node_sid(AF_INET, &addr, sizeof addr, &ssid);
 			printf("sid %d\n", ssid);
 			break;
 		}	
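Review bot: This case now calls `sepol_node_sid` twice in a row: the unchanged context line `sepol_node_sid(family, p, len, &ssid);` and then the renamed `sepol_node_sid(AF_INET, &addr, sizeof addr, &ssid);`, whose result overwrites the first `ssid` and whose `inet_addr(ans)` is evaluated even when `family` is not AF_INET. This looks like a merge leftover where the old IPv4-only lookup survived next to the new family-generic one; if the lines above the hunk already parse `ans` into `family`/`p`/`len`, the two lines `addr = inet_addr(ans);` and the AF_INET call should be dropped so the printed sid is the generic lookup's. The case body begins outside the hunk, so I cannot confirm which of the two is intended.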
@@ -937,7 +935,7 @@
 			printf("fstype?  ");
 			fgets(ans, sizeof(ans), stdin);
 			ans[strlen(ans) - 1] = 0;
-			security_fs_use(ans, &ret, &ssid);
+			sepol_fs_use(ans, &ret, &ssid);
 			switch (ret) {
 			case SECURITY_FS_USE_XATTR:
 				printf("use extended attributes\n");
@@ -985,7 +983,7 @@
 				}
 				tclass = cladatum->value;
 			}
-			security_genfs_sid(fstype, path, tclass, &ssid);
+			sepol_genfs_sid(fstype, path, tclass, &ssid);
 			printf("sid %d\n", ssid);
 			free(fstype);
 			free(path);
@@ -1000,7 +998,7 @@
 			fgets(ans, sizeof(ans), stdin);
 			ans[strlen(ans) - 1] = 0;
 
-			ret = security_get_user_sids(ssid, ans, &sids, &nel);
+			ret = sepol_get_user_sids(ssid, ans, &sids, &nel);
 			switch (ret) {
 			case 0:
 			        if (!nel)

==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/checkpolicy.h#4 (text+ko) ====

@@ -1,7 +1,7 @@
 #ifndef _CHECKPOLICY_H_
 #define _CHECKPOLICY_H_
 
-#include "ebitmap.h"
+#include <sepol/ebitmap.h>
 
 typedef struct te_assert { 
 	struct ebitmap stypes;
@@ -15,39 +15,6 @@
 
 te_assert_t *te_assertions;
 
-typedef u_int64_t __u64;
-typedef u_int32_t __u32;
-typedef u_int16_t __u16;
-typedef u_int8_t  __u8;
-
-typedef struct ebitmap ebitmap_t;
-typedef struct ebitmap_node ebitmap_node_t;
-typedef struct avtab avtab_t;
-typedef struct avtab_node *avtab_ptr_t;
-typedef struct avtab_key avtab_key_t;
-typedef struct avtab_datum avtab_datum_t;
-typedef struct policydb policydb_t;
-typedef struct role_datum role_datum_t;
-typedef struct class_datum class_datum_t;
-typedef struct common_datum common_datum_t;
-typedef struct perm_datum perm_datum_t;
-typedef struct type_datum type_datum_t;
-typedef struct user_datum user_datum_t;
-typedef struct constraint_expr constraint_expr_t;
-typedef struct constraint_node constraint_node_t;
-typedef struct context context_struct_t;
-typedef struct context context_t;
-typedef struct ocontext ocontext_t;
-typedef struct genfs genfs_t;
-typedef void *hashtab_key_t;
-typedef void *hashtab_datum_t;
-
-#define HASHTAB_SUCCESS     0
-#define HASHTAB_OVERFLOW    ENOMEM
-#define HASHTAB_PRESENT     EEXIST
-#define HASHTAB_MISSING     ENOENT
-
-#define TRUE  1
-#define FALSE 0
+extern unsigned int policyvers;
 
 #endif
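Review bot: `TRUE`/`FALSE` are removed from this header, but policy_parse.y still uses `TRUE` in the hunks at `@@ -2581` and `@@ -2759` (`ebitmap_set_bit(&tclasses, classvalue - 1, TRUE);`), so the build now relies on `<sepol/ebitmap.h>` or another sepol header providing it; worth confirming rather than assuming. The new `extern unsigned int policyvers;` is the right shape for a header; for consistency the adjacent `te_assert_t *te_assertions;` one line above is still a definition rather than an `extern` declaration, which will produce a duplicate symbol if this header is included from more than one translation unit.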

==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/policy_parse.y#5 (text+ko) ====

@@ -21,14 +21,15 @@
 #include <errno.h>
 #include <sys/types.h>
 #include <netinet/in.h>
-#include "linux-compat.h"
+#include <sys/socket.h>
 #endif /* __FreeBSD__ */
-#include "policydb.h"
-#include "services.h"
+
+#include <sepol/policydb.h>
+#include <sepol/services.h>
+#include <sepol/conditional.h>
+#include <sepol/flask.h>
 #include "queue.h"
 #include "checkpolicy.h"
-#include "flask.h"
-#include "security.h"
 
 /* 
  * We need the following so we have a valid error return code in yacc
@@ -171,7 +172,7 @@
                           { if (pass == 1) { if (policydb_index_classes(policydbp)) return -1; } }
 			  opt_mls te_rbac users opt_constraints 
                          { if (pass == 1) { if (policydb_index_bools(policydbp)) return -1;}
-			   if (pass == 2) { if (policydb_index_others(policydbp, 1)) return -1;} } 
+				 if (pass == 2) { if (policydb_index_others(policydbp, 1)) return -1;} } 
 			  initial_sid_contexts opt_fs_contexts fs_uses opt_genfs_contexts net_contexts 
 			;
 classes			: class_def 
@@ -2581,16 +2582,7 @@
 			goto bad;
 		}
 		
-		if (policyvers < POLICYDB_VERSION_NLCLASS &&
-		    (cladatum->value >= SECCLASS_NETLINK_ROUTE_SOCKET &&
-		     cladatum->value <= SECCLASS_NETLINK_DNRT_SOCKET)) {
-			sprintf(errormsg, "remapping class %s to netlink_socket "
-			        "for policy version %d", id, policyvers);
-			yywarn(errormsg);
-			classvalue = SECCLASS_NETLINK_SOCKET;
-			suppress = 1;
-		} else 
-			classvalue = cladatum->value;
+		classvalue = cladatum->value;
 		
 		ebitmap_set_bit(&tclasses, classvalue - 1, TRUE);	
 		if (classvalue > hiclass)
@@ -2759,16 +2751,7 @@
 			goto bad;
 		}
 		
-		if (policyvers < POLICYDB_VERSION_NLCLASS &&
-		    (cladatum->value >= SECCLASS_NETLINK_ROUTE_SOCKET &&
-		     cladatum->value <= SECCLASS_NETLINK_DNRT_SOCKET)) {
-			sprintf(errormsg, "remapping class %s to netlink_socket "
-			        "for policy version %d", id, policyvers);
-			yywarn(errormsg);
-			classvalue = SECCLASS_NETLINK_SOCKET;
-			suppress = 1;
-		} else
-			classvalue = cladatum->value;
+		classvalue = cladatum->value;
 				
 		ebitmap_set_bit(&tclasses, classvalue - 1, TRUE);	
 		if (classvalue > hiclass)
@@ -2819,7 +2802,7 @@
 				continue;
 			}
 
-			avp[i] |= (((__u64)1) << (perdatum->value - 1));
+			avp[i] |= (((uint64_t)1) << (perdatum->value - 1));
 		}
 
 		free(id);
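Review bot: `uint64_t` replaces the `__u64` typedef that this change removes from checkpolicy.h, but the only `<sys/types.h>` include visible in the header hunk at `@@ -21,14 +21,15 @@` sits inside the `#ifdef __FreeBSD__` branch, so on other platforms the name is available only if a sepol header happens to pull in `<stdint.h>`. Adding `#include <stdint.h>` outside the platform conditional makes the dependency explicit. The enclosing loop and function begin outside this hunk.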
@@ -4439,6 +4422,9 @@
 	return 0;
 }
 
+/* Freebsd only exports these to the kernel */
+#define s6_addr32 __u6_addr.__u6_addr32
+
 static int define_ipv6_node_context(void)
 {
 	char *id;
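Review bot: The `#define s6_addr32 __u6_addr.__u6_addr32` is not guarded by `#ifdef __FreeBSD__`, unlike the other platform-specific code at the top of this file, even though the comment says it is a FreeBSD-specific workaround. On systems whose `<netinet/in.h>` already defines `s6_addr32` with a different body, this is a macro redefinition and the expansion would no longer match the platform's struct layout; the matching `#undef` in the next hunk (`@@ -4517`) would then also strip the platform's own macro for the rest of the file. Wrapping both the `#define` and the `#undef` in `#ifdef __FreeBSD__` … `#endif` fixes this, and the comment should read `/* FreeBSD only exports these to the kernel */`.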
@@ -4517,6 +4503,8 @@
 	return rc;
 }
 
+#undef s6_addr32
+
 static int define_fs_use(int behavior)
 {
 	ocontext_t *newc, *c, *head;

==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/policy_scan.l#4 (text+ko) ====

@@ -16,6 +16,7 @@
 /* FLASK */
 
 %{
+#include <sys/types.h>
 #include "policy_parse.h"
 
 static char linebuf[2][255];

