checkpolicy: Update to 2.1.8.
1 diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
2 index d19fc61..a86c6b3 100644
3 --- a/checkpolicy/policy_define.c
4 +++ b/checkpolicy/policy_define.c
5 @@ -351,6 +351,102 @@ static int read_classes(ebitmap_t *e_classes)
6 return 0;
7 }
8
9 +int define_default_user(int which)
10 +{
11 + char *id;
12 + class_datum_t *cladatum;
13 +
14 + if (pass == 1) {
15 + while ((id = queue_remove(id_queue)))
16 + free(id);
17 + return 0;
18 + }
19 +
20 + while ((id = queue_remove(id_queue))) {
21 + if (!is_id_in_scope(SYM_CLASSES, id)) {
22 + yyerror2("class %s is not within scope", id);
23 + return -1;
24 + }
25 + cladatum = hashtab_search(policydbp->p_classes.table, id);
26 + if (!cladatum) {
27 + yyerror2("unknown class %s", id);
28 + return -1;
29 + }
30 + if (cladatum->default_user && cladatum->default_user != which) {
31 + yyerror2("conflicting default user information for class %s", id);
32 + return -1;
33 + }
34 + cladatum->default_user = which;
35 + free(id);
36 + }
37 +
38 + return 0;
39 +}
40 +
41 +int define_default_role(int which)
42 +{
43 + char *id;
44 + class_datum_t *cladatum;
45 +
46 + if (pass == 1) {
47 + while ((id = queue_remove(id_queue)))
48 + free(id);
49 + return 0;
50 + }
51 +
52 + while ((id = queue_remove(id_queue))) {
53 + if (!is_id_in_scope(SYM_CLASSES, id)) {
54 + yyerror2("class %s is not within scope", id);
55 + return -1;
56 + }
57 + cladatum = hashtab_search(policydbp->p_classes.table, id);
58 + if (!cladatum) {
59 + yyerror2("unknown class %s", id);
60 + return -1;
61 + }
62 + if (cladatum->default_role && cladatum->default_role != which) {
63 + yyerror2("conflicting default role information for class %s", id);
64 + return -1;
65 + }
66 + cladatum->default_role = which;
67 + free(id);
68 + }
69 +
70 + return 0;
71 +}
72 +
73 +int define_default_range(int which)
74 +{
75 + char *id;
76 + class_datum_t *cladatum;
77 +
78 + if (pass == 1) {
79 + while ((id = queue_remove(id_queue)))
80 + free(id);
81 + return 0;
82 + }
83 +
84 + while ((id = queue_remove(id_queue))) {
85 + if (!is_id_in_scope(SYM_CLASSES, id)) {
86 + yyerror2("class %s is not within scope", id);
87 + return -1;
88 + }
89 + cladatum = hashtab_search(policydbp->p_classes.table, id);
90 + if (!cladatum) {
91 + yyerror2("unknown class %s", id);
92 + return -1;
93 + }
94 + if (cladatum->default_range && cladatum->default_range != which) {
95 + yyerror2("conflicting default range information for class %s", id);
96 + return -1;
97 + }
98 + cladatum->default_range = which;
99 + free(id);
100 + }
101 +
102 + return 0;
103 +}
104 +
105 int define_common_perms(void)
106 {
107 char *id = 0, *perm = 0;
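Review bot: Every error path in the new define_default_user, define_default_role and define_default_range returns -1 while `id` (just popped from id_queue) is still owned by the function, so that string is leaked and the remaining queued names are abandoned, whereas the success path frees it right after the assignment. Add `free(id);` in front of each `return -1;` (nine places across the three functions), or give each loop a single exit that frees it. The three functions are otherwise identical apart from the class_datum_t field they set and one word in the diagnostics; a static helper taking `which`, a pointer to the field and the message fragment would keep the checks and the cleanup in one place, though the layout of class_datum_t is not visible here, so confirm the three fields share a type first. Since checkpolicy aborts on -1 from these the leak is cosmetic at runtime, but it shows up under leak checkers and sets a bad pattern for the next copy.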
108 diff --git a/checkpolicy/policy_define.h b/checkpolicy/policy_define.h
109 index 92a9be7..ccbe56f 100644
110 --- a/checkpolicy/policy_define.h
111 +++ b/checkpolicy/policy_define.h
112 @@ -24,6 +24,9 @@ int define_av_perms(int inherits);
113 int define_bool_tunable(int is_tunable);
114 int define_category(void);
115 int define_class(void);
116 +int define_default_user(int which);
117 +int define_default_role(int which);
118 +int define_default_range(int which);
119 int define_common_perms(void);
120 int define_compute_type(int which);
121 int define_conditional(cond_expr_t *expr, avrule_t *t_list, avrule_t *f_list );
122 diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
123 index d808111..d92cc32 100644
124 --- a/checkpolicy/policy_parse.y
125 +++ b/checkpolicy/policy_parse.y
126 @@ -143,6 +143,8 @@ typedef int (* require_func_t)();
127 %token POLICYCAP
128 %token PERMISSIVE
129 %token FILESYSTEM
130 +%token DEFAULT_USER DEFAULT_ROLE DEFAULT_RANGE
131 +%token LOW_HIGH LOW HIGH
132
133 %left OR
134 %left XOR
135 @@ -157,7 +159,7 @@ base_policy : { if (define_policy(pass, 0) == -1) return -1; }
136 classes initial_sids access_vectors
137 { if (pass == 1) { if (policydb_index_classes(policydbp)) return -1; }
138 else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1; }}
139 - opt_mls te_rbac users opt_constraints
140 + opt_default_rules opt_mls te_rbac users opt_constraints
141 { if (pass == 1) { if (policydb_index_bools(policydbp)) return -1;}
142 else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1;}}
143 initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts
144 @@ -195,6 +197,39 @@ av_perms_def : CLASS identifier '{' identifier_list '}'
145 | CLASS identifier INHERITS identifier '{' identifier_list '}'
146 {if (define_av_perms(TRUE)) return -1;}
147 ;
148 +opt_default_rules : default_rules
149 + |
150 + ;
151 +default_rules : default_user_def
152 + | default_role_def
153 + | default_range_def
154 + | default_rules default_user_def
155 + | default_rules default_role_def
156 + | default_rules default_range_def
157 + ;
158 +default_user_def : DEFAULT_USER names SOURCE ';'
159 + {if (define_default_user(DEFAULT_SOURCE)) return -1; }
160 + | DEFAULT_USER names TARGET ';'
161 + {if (define_default_user(DEFAULT_TARGET)) return -1; }
162 + ;
163 +default_role_def : DEFAULT_ROLE names SOURCE ';'
164 + {if (define_default_role(DEFAULT_SOURCE)) return -1; }
165 + | DEFAULT_ROLE names TARGET ';'
166 + {if (define_default_role(DEFAULT_TARGET)) return -1; }
167 + ;
168 +default_range_def : DEFAULT_RANGE names SOURCE LOW ';'
169 + {if (define_default_range(DEFAULT_SOURCE_LOW)) return -1; }
170 + | DEFAULT_RANGE names SOURCE HIGH ';'
171 + {if (define_default_range(DEFAULT_SOURCE_HIGH)) return -1; }
172 + | DEFAULT_RANGE names SOURCE LOW_HIGH ';'
173 + {if (define_default_range(DEFAULT_SOURCE_LOW_HIGH)) return -1; }
174 + | DEFAULT_RANGE names TARGET LOW ';'
175 + {if (define_default_range(DEFAULT_TARGET_LOW)) return -1; }
176 + | DEFAULT_RANGE names TARGET HIGH ';'
177 + {if (define_default_range(DEFAULT_TARGET_HIGH)) return -1; }
178 + | DEFAULT_RANGE names TARGET LOW_HIGH ';'
179 + {if (define_default_range(DEFAULT_TARGET_LOW_HIGH)) return -1; }
180 + ;
181 opt_mls : mls
182 |
183 ;
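Review bot: default_range_def accepts a `default_range ... low|high|low-high;` statement for any policy, but a low/high default is only meaningful where subjects and objects carry MLS ranges; neither this hunk nor define_default_range in the policy_define.c hunk rejects the statement when the policy is built without MLS, so a non-MLS policy would presumably carry a default_range that nothing ever evaluates. Unless the policy writer in libsepol already drops it (not visible here), add a guard at the top of the pass-2 path in define_default_range along the lines of `if (!mlspol) { yyerror("default_range is only valid in an MLS policy"); return -1; }`, using whichever flag this file already relies on for the MLS build (mlspol or policydbp->mls). Note also that opt_default_rules is placed before opt_mls in base_policy, so these statements are parsed before the sensitivity/category section; that is fine because they only reference classes, but the required position should be stated in the policy language documentation together with the three new statements.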
184 diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
185 index 9b24db5..e767b5f 100644
186 --- a/checkpolicy/policy_scan.l
187 +++ b/checkpolicy/policy_scan.l
188 @@ -221,6 +221,18 @@ policycap |
189 POLICYCAP { return(POLICYCAP); }
190 permissive |
191 PERMISSIVE { return(PERMISSIVE); }
192 +default_user |
193 +DEFAULT_USER { return(DEFAULT_USER); }
194 +default_role |
195 +DEFAULT_ROLE { return(DEFAULT_ROLE); }
196 +default_range |
197 +DEFAULT_RANGE { return(DEFAULT_RANGE); }
198 +low-high |
199 +LOW-HIGH { return(LOW_HIGH); }
200 +high |
201 +HIGH { return(HIGH); }
202 +low |
203 +LOW { return(LOW); }
204 "/"({alnum}|[_\.\-/])* { return(PATH); }
205 \"({alnum}|[_\.\-\~])+\" { return(FILENAME); }
206 {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
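Review bot: The new `low`, `high` and `low-high` rules (and their upper-case forms) turn three formerly ordinary identifiers into reserved keywords for every policy fed to checkpolicy, not only those using default_range: a policy that names a sensitivity, category, type, role or user `low` or `high` compiled before this change and now fails with a syntax error. Longest-match keeps `lowest` or `high_t` as IDENTIFIER, and `low-high` wins its tie with the IDENTIFIER pattern only because it is listed first, so the rule order here matters and deserves a one-line comment such as `/* must precede the IDENTIFIER rule: same match length */`. At minimum the commit message and the policy language reference should call out the new reserved words; a gentler alternative, if the grammar permits it without conflicts, is to keep them as IDENTIFIER and compare the string in the default_range_def actions instead of reserving them in the lexer.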