[ipfire-3.x.git] / libsepol / patches / libsepol-rhat.patch2

diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h
index 1848a7b..f53a499 100644
--- a/libsepol/include/sepol/policydb/policydb.h
+++ b/libsepol/include/sepol/policydb/policydb.h
@@ -111,6 +111,19 @@ typedef struct class_datum {
 	symtab_t permissions;	/* class-specific permission symbol table */
 	constraint_node_t *constraints;	/* constraints on class permissions */
 	constraint_node_t *validatetrans;	/* special transition rules */
+/* Options how a new object user and role should be decided */
+#define DEFAULT_SOURCE		1
+#define DEFAULT_TARGET		2
+	char default_user;
+	char default_role;
+/* Options how a new object range should be decided */
+#define DEFAULT_SOURCE_LOW	1
+#define DEFAULT_SOURCE_HIGH	2
+#define DEFAULT_SOURCE_LOW_HIGH	3
+#define DEFAULT_TARGET_LOW	4
+#define DEFAULT_TARGET_HIGH	5
+#define DEFAULT_TARGET_LOW_HIGH	6
+	char default_range;
 } class_datum_t;
 
 /* Role attributes */
@@ -667,10 +680,11 @@ extern int policydb_set_target_platform(policydb_t *p, int platform);
 #define POLICYDB_VERSION_BOUNDARY	24
 #define POLICYDB_VERSION_FILENAME_TRANS	25
 #define POLICYDB_VERSION_ROLETRANS	26
+#define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS	27
 
 /* Range of policy versions we understand*/
 #define POLICYDB_VERSION_MIN	POLICYDB_VERSION_BASE
-#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_ROLETRANS
+#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_NEW_OBJECT_DEFAULTS
 
 /* Module versions and specific changes*/
 #define MOD_POLICYDB_VERSION_BASE		4
@@ -686,9 +700,10 @@ extern int policydb_set_target_platform(policydb_t *p, int platform);
 #define MOD_POLICYDB_VERSION_ROLETRANS		12
 #define MOD_POLICYDB_VERSION_ROLEATTRIB		13
 #define MOD_POLICYDB_VERSION_TUNABLE_SEP	14
+#define MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS	15
 
 #define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE
-#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_TUNABLE_SEP
+#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS
 
 #define POLICYDB_CONFIG_MLS    1
 
diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index 493e478..73b9107 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -358,6 +358,35 @@ static int constraint_node_clone(constraint_node_t ** dst,
 	return -1;
 }
 
+static int class_copy_default_new_object(expand_state_t *state,
+					 class_datum_t *olddatum,
+					 class_datum_t *newdatum)
+{
+	if (olddatum->default_user) {
+		if (newdatum->default_user && olddatum->default_user != newdatum->default_user) {
+			ERR(state->handle, "Found conflicting default user definitions");
+			return SEPOL_ENOTSUP;
+		}
+		newdatum->default_user = olddatum->default_user;
+
+	}
+	if (olddatum->default_role) {
+		if (newdatum->default_role && olddatum->default_role != newdatum->default_role) {
+			ERR(state->handle, "Found conflicting default role definitions");
+			return SEPOL_ENOTSUP;
+		}
+		newdatum->default_role = olddatum->default_role;
+	}
+	if (olddatum->default_range) {
+		if (newdatum->default_range && olddatum->default_range != newdatum->default_range) {
+			ERR(state->handle, "Found conflicting default range definitions");
+			return SEPOL_ENOTSUP;
+		}
+		newdatum->default_range = olddatum->default_range;
+	}
+	return 0;
+}
+
 static int class_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
 			       void *data)
 {
@@ -393,6 +422,12 @@ static int class_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
 	new_class->s.value = class->s.value;
 	state->out->p_classes.nprim++;
 
+	ret = class_copy_default_new_object(state, class, new_class);
+	if (ret) {
+		free(new_class);
+		return ret;
+	}
+	
 	new_id = strdup(id);
 	if (!new_id) {
 		ERR(state->handle, "Out of memory!");
diff --git a/libsepol/src/link.c b/libsepol/src/link.c
index ee9675b..01d3231 100644
--- a/libsepol/src/link.c
+++ b/libsepol/src/link.c
@@ -205,6 +205,34 @@ static int permission_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
 	return ret;
 }
 
+static int class_copy_default_new_object(link_state_t *state,
+					 class_datum_t *olddatum,
+					 class_datum_t *newdatum)
+{
+	if (olddatum->default_user) {
+		if (newdatum->default_user && olddatum->default_user != newdatum->default_user) {
+			ERR(state->handle, "Found conflicting default user definitions");
+			return SEPOL_ENOTSUP;
+		}
+		newdatum->default_user = olddatum->default_user;
+	}
+	if (olddatum->default_role) {
+		if (newdatum->default_role && olddatum->default_role != newdatum->default_role) {
+			ERR(state->handle, "Found conflicting default role definitions");
+			return SEPOL_ENOTSUP;
+		}
+		newdatum->default_role = olddatum->default_role;
+	}
+	if (olddatum->default_range) {
+		if (newdatum->default_range && olddatum->default_range != newdatum->default_range) {
+			ERR(state->handle, "Found conflicting default range definitions");
+			return SEPOL_ENOTSUP;
+		}
+		newdatum->default_range = olddatum->default_range;
+	}
+	return 0;
+}
+
 static int class_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
 			       void *data)
 {
@@ -287,6 +315,11 @@ static int class_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
 	state->dest_class = new_class;
 	state->dest_class_name = (char *)key;
 
+	/* copy default new object rules */
+	ret = class_copy_default_new_object(state, cladatum, new_class);
+	if (ret)
+		return ret;
+
 	ret =
 	    hashtab_map(cladatum->permissions.table, permission_copy_callback,
 			state);
diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index 136b450..a84de2f 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -151,6 +151,13 @@ static struct policydb_compat_info policydb_compat[] = {
 	 .target_platform = SEPOL_TARGET_SELINUX,
 	},
 	{
+	 .type = POLICY_KERN,
+	 .version = POLICYDB_VERSION_NEW_OBJECT_DEFAULTS,
+	 .sym_num = SYM_NUM,
+	 .ocon_num = OCON_NODE6 + 1,
+	 .target_platform = SEPOL_TARGET_SELINUX,
+	},
+	{
 	 .type = POLICY_BASE,
 	 .version = MOD_POLICYDB_VERSION_BASE,
 	 .sym_num = SYM_NUM,
@@ -228,6 +235,13 @@ static struct policydb_compat_info policydb_compat[] = {
 	 .target_platform = SEPOL_TARGET_SELINUX,
 	},
 	{
+	 .type = POLICY_BASE,
+	 .version = MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS,
+	 .sym_num = SYM_NUM,
+	 .ocon_num = OCON_NODE6 + 1,
+	 .target_platform = SEPOL_TARGET_SELINUX,
+	},
+	{
 	 .type = POLICY_MOD,
 	 .version = MOD_POLICYDB_VERSION_BASE,
 	 .sym_num = SYM_NUM,
@@ -304,6 +318,13 @@ static struct policydb_compat_info policydb_compat[] = {
 	 .ocon_num = 0,
 	 .target_platform = SEPOL_TARGET_SELINUX,
 	},
+	{
+	 .type = POLICY_MOD,
+	 .version = MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS,
+	 .sym_num = SYM_NUM,
+	 .ocon_num = 0,
+	 .target_platform = SEPOL_TARGET_SELINUX,
+	},
 };
 
 #if 0
@@ -2064,6 +2085,18 @@ static int class_read(policydb_t * p, hashtab_t h, struct policy_file *fp)
 			goto bad;
 	}
 
+	if ((p->policy_type == POLICY_KERN &&
+	     p->policyvers >= POLICYDB_VERSION_NEW_OBJECT_DEFAULTS) ||
+	    (p->policy_type == POLICY_BASE &&
+	     p->policyvers >= MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS)) {
+		rc = next_entry(buf, fp, sizeof(uint32_t) * 3);
+		if (rc < 0)
+			goto bad;
+		cladatum->default_user = le32_to_cpu(buf[0]);
+		cladatum->default_role = le32_to_cpu(buf[1]);
+		cladatum->default_range = le32_to_cpu(buf[2]);
+	}
+
 	if (hashtab_insert(h, key, cladatum))
 		goto bad;
 
diff --git a/libsepol/src/write.c b/libsepol/src/write.c
index e34ab52..22e6143 100644
--- a/libsepol/src/write.c
+++ b/libsepol/src/write.c
@@ -976,6 +976,18 @@ static int class_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr)
 			return POLICYDB_ERROR;
 	}
 
+	if ((p->policy_type == POLICY_KERN &&
+	     p->policyvers >= POLICYDB_VERSION_NEW_OBJECT_DEFAULTS) ||
+	    (p->policy_type == POLICY_BASE &&
+	     p->policyvers >= MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS)) {
+		buf[0] = cpu_to_le32(cladatum->default_user);
+		buf[1] = cpu_to_le32(cladatum->default_role);
+		buf[2] = cpu_to_le32(cladatum->default_range);
+		items = put_entry(buf, sizeof(uint32_t), 3, fp);
+		if (items != 3)
+			return POLICYDB_ERROR;
+	}
+
 	return POLICYDB_SUCCESS;
 }
Commit	Line	Data
cc0a4653 SS	1	diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h
	2	index 1848a7b..f53a499 100644
	3	--- a/libsepol/include/sepol/policydb/policydb.h
	4	+++ b/libsepol/include/sepol/policydb/policydb.h
	5	@@ -111,6 +111,19 @@ typedef struct class_datum {
	6	symtab_t permissions; /* class-specific permission symbol table */
	7	constraint_node_t constraints; / constraints on class permissions */
	8	constraint_node_t validatetrans; / special transition rules */
	9	+/* Options how a new object user and role should be decided */
	10	+#define DEFAULT_SOURCE 1
	11	+#define DEFAULT_TARGET 2
	12	+ char default_user;
	13	+ char default_role;
	14	+/* Options how a new object range should be decided */
	15	+#define DEFAULT_SOURCE_LOW 1
	16	+#define DEFAULT_SOURCE_HIGH 2
	17	+#define DEFAULT_SOURCE_LOW_HIGH 3
	18	+#define DEFAULT_TARGET_LOW 4
	19	+#define DEFAULT_TARGET_HIGH 5
	20	+#define DEFAULT_TARGET_LOW_HIGH 6
	21	+ char default_range;
	22	} class_datum_t;
	23
	24	/* Role attributes */
	25	@@ -667,10 +680,11 @@ extern int policydb_set_target_platform(policydb_t *p, int platform);
	26	#define POLICYDB_VERSION_BOUNDARY 24
	27	#define POLICYDB_VERSION_FILENAME_TRANS 25
	28	#define POLICYDB_VERSION_ROLETRANS 26
	29	+#define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS 27
	30
	31	/* Range of policy versions we understand*/
	32	#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
	33	-#define POLICYDB_VERSION_MAX POLICYDB_VERSION_ROLETRANS
	34	+#define POLICYDB_VERSION_MAX POLICYDB_VERSION_NEW_OBJECT_DEFAULTS
	35
	36	/* Module versions and specific changes*/
	37	#define MOD_POLICYDB_VERSION_BASE 4
	38	@@ -686,9 +700,10 @@ extern int policydb_set_target_platform(policydb_t *p, int platform);
	39	#define MOD_POLICYDB_VERSION_ROLETRANS 12
	40	#define MOD_POLICYDB_VERSION_ROLEATTRIB 13
	41	#define MOD_POLICYDB_VERSION_TUNABLE_SEP 14
	42	+#define MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS 15
	43
	44	#define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE
	45	-#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_TUNABLE_SEP
	46	+#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS
	47
	48	#define POLICYDB_CONFIG_MLS 1
	49
	50	diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
	51	index 493e478..73b9107 100644
	52	--- a/libsepol/src/expand.c
	53	+++ b/libsepol/src/expand.c
	54	@@ -358,6 +358,35 @@ static int constraint_node_clone(constraint_node_t ** dst,
	55	return -1;
	56	}
	57
	58	+static int class_copy_default_new_object(expand_state_t *state,
	59	+ class_datum_t *olddatum,
	60	+ class_datum_t *newdatum)
	61	+{
	62	+ if (olddatum->default_user) {
	63	+ if (newdatum->default_user && olddatum->default_user != newdatum->default_user) {
	64	+ ERR(state->handle, "Found conflicting default user definitions");
65	+ return SEPOL_ENOTSUP;
66	+ }
67	+ newdatum->default_user = olddatum->default_user;
68	+
69	+ }
70	+ if (olddatum->default_role) {
71	+ if (newdatum->default_role && olddatum->default_role != newdatum->default_role) {
72	+ ERR(state->handle, "Found conflicting default role definitions");
73	+ return SEPOL_ENOTSUP;
74	+ }
75	+ newdatum->default_role = olddatum->default_role;
76	+ }
77	+ if (olddatum->default_range) {
78	+ if (newdatum->default_range && olddatum->default_range != newdatum->default_range) {
79	+ ERR(state->handle, "Found conflicting default range definitions");
80	+ return SEPOL_ENOTSUP;
81	+ }
82	+ newdatum->default_range = olddatum->default_range;
83	+ }
84	+ return 0;
85	+}
86	+
87	static int class_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
88	void *data)
89	{
90	@@ -393,6 +422,12 @@ static int class_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
91	new_class->s.value = class->s.value;
92	state->out->p_classes.nprim++;
93
94	+ ret = class_copy_default_new_object(state, class, new_class);
95	+ if (ret) {
96	+ free(new_class);
97	+ return ret;
98	+ }
99	+
100	new_id = strdup(id);
101	if (!new_id) {
102	ERR(state->handle, "Out of memory!");
103	diff --git a/libsepol/src/link.c b/libsepol/src/link.c
104	index ee9675b..01d3231 100644
105	--- a/libsepol/src/link.c
106	+++ b/libsepol/src/link.c
107	@@ -205,6 +205,34 @@ static int permission_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
108	return ret;
109	}
110
111	+static int class_copy_default_new_object(link_state_t *state,
112	+ class_datum_t *olddatum,
113	+ class_datum_t *newdatum)
114	+{
115	+ if (olddatum->default_user) {
116	+ if (newdatum->default_user && olddatum->default_user != newdatum->default_user) {
117	+ ERR(state->handle, "Found conflicting default user definitions");
118	+ return SEPOL_ENOTSUP;
119	+ }
120	+ newdatum->default_user = olddatum->default_user;
121	+ }
122	+ if (olddatum->default_role) {
123	+ if (newdatum->default_role && olddatum->default_role != newdatum->default_role) {
124	+ ERR(state->handle, "Found conflicting default role definitions");
125	+ return SEPOL_ENOTSUP;
126	+ }
127	+ newdatum->default_role = olddatum->default_role;
128	+ }
129	+ if (olddatum->default_range) {
130	+ if (newdatum->default_range && olddatum->default_range != newdatum->default_range) {
131	+ ERR(state->handle, "Found conflicting default range definitions");
132	+ return SEPOL_ENOTSUP;
133	+ }
134	+ newdatum->default_range = olddatum->default_range;
135	+ }
136	+ return 0;
137	+}
138	+
139	static int class_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
140	void *data)
141	{
142	@@ -287,6 +315,11 @@ static int class_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
143	state->dest_class = new_class;
144	state->dest_class_name = (char *)key;
145
146	+ /* copy default new object rules */
147	+ ret = class_copy_default_new_object(state, cladatum, new_class);
148	+ if (ret)
149	+ return ret;
150	+
151	ret =
152	hashtab_map(cladatum->permissions.table, permission_copy_callback,
153	state);
154	diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
155	index 136b450..a84de2f 100644
156	--- a/libsepol/src/policydb.c
157	+++ b/libsepol/src/policydb.c
158	@@ -151,6 +151,13 @@ static struct policydb_compat_info policydb_compat[] = {
159	.target_platform = SEPOL_TARGET_SELINUX,
160	},
161	{
162	+ .type = POLICY_KERN,
163	+ .version = POLICYDB_VERSION_NEW_OBJECT_DEFAULTS,
164	+ .sym_num = SYM_NUM,
165	+ .ocon_num = OCON_NODE6 + 1,
166	+ .target_platform = SEPOL_TARGET_SELINUX,
167	+ },
168	+ {
169	.type = POLICY_BASE,
170	.version = MOD_POLICYDB_VERSION_BASE,
171	.sym_num = SYM_NUM,
172	@@ -228,6 +235,13 @@ static struct policydb_compat_info policydb_compat[] = {
173	.target_platform = SEPOL_TARGET_SELINUX,
174	},
175	{
176	+ .type = POLICY_BASE,
177	+ .version = MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS,
178	+ .sym_num = SYM_NUM,
179	+ .ocon_num = OCON_NODE6 + 1,
180	+ .target_platform = SEPOL_TARGET_SELINUX,
181	+ },
182	+ {
183	.type = POLICY_MOD,
184	.version = MOD_POLICYDB_VERSION_BASE,
185	.sym_num = SYM_NUM,
186	@@ -304,6 +318,13 @@ static struct policydb_compat_info policydb_compat[] = {
187	.ocon_num = 0,
188	.target_platform = SEPOL_TARGET_SELINUX,
189	},
190	+ {
191	+ .type = POLICY_MOD,
192	+ .version = MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS,
193	+ .sym_num = SYM_NUM,
194	+ .ocon_num = 0,
195	+ .target_platform = SEPOL_TARGET_SELINUX,
196	+ },
197	};
198
199	#if 0
200	@@ -2064,6 +2085,18 @@ static int class_read(policydb_t * p, hashtab_t h, struct policy_file *fp)
201	goto bad;
202	}
203
204	+ if ((p->policy_type == POLICY_KERN &&
205	+ p->policyvers >= POLICYDB_VERSION_NEW_OBJECT_DEFAULTS) \|\|
206	+ (p->policy_type == POLICY_BASE &&
207	+ p->policyvers >= MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS)) {
208	+ rc = next_entry(buf, fp, sizeof(uint32_t) * 3);
209	+ if (rc < 0)
210	+ goto bad;
211	+ cladatum->default_user = le32_to_cpu(buf[0]);
212	+ cladatum->default_role = le32_to_cpu(buf[1]);
213	+ cladatum->default_range = le32_to_cpu(buf[2]);
214	+ }
215	+
216	if (hashtab_insert(h, key, cladatum))
217	goto bad;
218
219	diff --git a/libsepol/src/write.c b/libsepol/src/write.c
220	index e34ab52..22e6143 100644
221	--- a/libsepol/src/write.c
222	+++ b/libsepol/src/write.c
223	@@ -976,6 +976,18 @@ static int class_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr)
224	return POLICYDB_ERROR;
225	}
226
227	+ if ((p->policy_type == POLICY_KERN &&
228	+ p->policyvers >= POLICYDB_VERSION_NEW_OBJECT_DEFAULTS) \|\|
229	+ (p->policy_type == POLICY_BASE &&
230	+ p->policyvers >= MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS)) {
231	+ buf[0] = cpu_to_le32(cladatum->default_user);
232	+ buf[1] = cpu_to_le32(cladatum->default_role);
233	+ buf[2] = cpu_to_le32(cladatum->default_range);
234	+ items = put_entry(buf, sizeof(uint32_t), 3, fp);
235	+ if (items != 3)
236	+ return POLICYDB_ERROR;
237	+ }
238	+
239	return POLICYDB_SUCCESS;
240	}
241