[patch 2/2] checkpolicy capability support


 



This patch includes checkpolicy support for policy capabilities.  In this
version of the patch, policy capabilities are only allowed in the base
module.  Attempted use in other modules will result in a syntax error.

Also included is dismod/dispol support for printing the capabilities.
I chose to use the 'c' command for this in both dismod and dispol to
keep things consistent (dismod has run out of numbered commands).

Signed-off-by: Todd C. Miller <tmiller@xxxxxxxxxx>

Index: trunk/checkpolicy/policy_parse.y
===================================================================
--- trunk.orig/checkpolicy/policy_parse.y
+++ trunk/checkpolicy/policy_parse.y
@@ -47,6 +47,7 @@
 #include <sepol/policydb/conditional.h>
 #include <sepol/policydb/flask.h>
 #include <sepol/policydb/hierarchy.h>
+#include <sepol/policydb/polcaps.h>
 #include "queue.h"
 #include "checkpolicy.h"
 #include "module_compiler.h"
@@ -198,6 +199,7 @@ typedef int (* require_func_t)();
 %token IPV4_ADDR
 %token IPV6_ADDR
 %token MODULE VERSION_IDENTIFIER REQUIRE OPTIONAL
+%token POLICYCAP
 
 %left OR
 %left XOR
@@ -308,6 +310,7 @@ te_rbac_decl		: te_decl
 			| rbac_decl
                         | cond_stmt_def
 			| optional_block
+			| policycap_def
 			| ';'
                         ;
 rbac_decl		: role_type_def
@@ -765,6 +768,9 @@ number			: NUMBER 
 ipv6_addr		: IPV6_ADDR
 			{ if (insert_id(yytext,0)) return -1; }
 			;
+policycap_def		: POLICYCAP identifier ';'
+			{if (define_polcap()) return -1;}
+			;
 
 /*********** module grammar below ***********/
 
@@ -962,6 +968,44 @@ static int define_class(void)
 	return -1;
 }
 
+static int define_polcap(void)
+{
+	char *id = 0;
+	int capnum;
+
+	if (pass == 2) {
+		id = queue_remove(id_queue);
+		free(id);
+		return 0;
+	}
+
+	id = (char *)queue_remove(id_queue);
+	if (!id) {
+		yyerror("no capability name for policycap definition?");
+		goto bad;
+	}
+
+	/* Check for valid cap name -> number mapping */
+	capnum = sepol_polcap_getnum(id);
+	if (capnum < 0) {
+		yyerror2("invalid policy capability name %s", id);
+		goto bad;
+	}
+
+	/* Store it */
+	if (ebitmap_set_bit(&policydbp->policycaps, capnum, TRUE)) {
+		yyerror("out of memory");
+		goto bad;
+	}
+
+	free(id);
+	return 0;
+
+      bad:
+	free(id);
+	return -1;
+}
+
 static int define_initial_sid(void)
 {
 	char *id = 0;
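Review bot: define_polcap() records the capability without checking which kind of policy is being compiled, so the base-module-only rule from the description rests entirely on the grammar; a local check such as `if (policydbp->policy_type == POLICY_MOD) { yyerror("policycap is only allowed in the base module"); goto bad; }` (assuming policydbp->policy_type is already set when the parser runs) would enforce it in one place and give a clearer message than a bare syntax error. The cast in `id = (char *)queue_remove(id_queue);` is inconsistent with the uncast call in the pass-2 branch a few lines above and can be dropped. A header comment like `/* Handle "policycap NAME;": on pass 1 map the name with sepol_polcap_getnum() and set its bit in policydbp->policycaps; pass 2 only consumes the identifier. */` would help readers. define_initial_sid() at the end of the hunk continues outside it.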
Index: trunk/checkpolicy/policy_scan.l
===================================================================
--- trunk.orig/checkpolicy/policy_scan.l
+++ trunk/checkpolicy/policy_scan.l
@@ -201,6 +201,8 @@ h1 |
 H1				{ return(H1); }
 h2 |
 H2				{ return(H2); }
+policycap |
+POLICYCAP			{ return(POLICYCAP);}
 "/"({alnum}|[_.-/])*	        { return(PATH); }
 {letter}({alnum}|[_-])*([.]?({alnum}|[_-]))*	{ return(IDENTIFIER); }
 {digit}+                        { return(NUMBER); }
Index: trunk/checkpolicy/test/dismod.c
===================================================================
--- trunk.orig/checkpolicy/test/dismod.c
+++ trunk/checkpolicy/test/dismod.c
@@ -34,6 +34,7 @@
 #include <sepol/policydb/link.h>
 #include <sepol/policydb/module.h>
 #include <sepol/policydb/util.h>
+#include <sepol/policydb/polcaps.h>
 
 #include <byteswap.h>
 #include <endian.h>
@@ -765,6 +766,26 @@ static void link_module(policydb_t * bas
 	return;
 }
 
+static void display_policycaps(policydb_t * p, FILE * fp)
+{
+	ebitmap_node_t *node;
+	const char *capname;
+	char buf[64];
+	int i;
+
+	fprintf(fp, "policy capabilities:\n");
+	ebitmap_for_each_bit(&p->policycaps, node, i) {
+		if (ebitmap_get_bit(&p->policycaps, i)) {
+			capname = sepol_polcap_getname(i);
+			if (capname == NULL) {
+				snprintf(buf, sizeof(buf), "unknown (%d)", i);
+				capname = buf;
+			}
+			fprintf(fp, "\t%s\n", capname);
+		}
+	}
+}
+
 int menu()
 {
 	printf("\nSelect a command:\n");
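Review bot: display_policycaps() here is duplicated verbatim in dispol.c (the hunk at @@ -298,6 +299,26 @@); if the two test tools share no helper source, the inner test at least deserves a why-comment, since ebitmap_for_each_bit() appears to visit every bit position of each node, set or not, which is why ebitmap_get_bit() is re-checked: `/* for_each_bit also yields clear bits; print only the set ones */`. The loop index `i` is an `int` but is handed to ebitmap_get_bit() and sepol_polcap_getname(); if the ebitmap API uses `unsigned int` for bit positions, declaring `unsigned int i;` and switching the fallback format to `"unknown (%u)"` matches the API and avoids a sign conversion. A one-line header comment such as `/* Print the name of every capability set in p->policycaps to fp. */` would also help.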
@@ -781,6 +802,7 @@ int menu()
 	printf("\n");
 	printf("a)  Display avrule requirements\n");
 	printf("b)  Display avrule declarations\n");
+	printf("c)  Display policy capabilities\n");
 	printf("l)  Link in a module\n");
 	printf("u)  Display the unknown handling setting\n");
 	printf("\n");
@@ -891,6 +913,9 @@ int main(int argc, char **argv)
 			fprintf(out_fp, "avrule block declarations:\n");
 			display_avblock(6, 0, &policydb, out_fp);
 			break;
+		case 'c':
+			display_policycaps(&policydb, out_fp);
+			break;
 		case 'u':
 		case 'U':
 			display_handle_unknown(&policydb, out_fp);
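Review bot: The new `case 'c':` accepts only the lowercase letter, while the neighbouring `case 'u': case 'U':` pair shows the menu loop tolerating both cases for at least one other command; adding `case 'C':` here and in the matching dispol.c hunk (@@ -421,6 +443,9 @@) keeps the dispatch consistent. main() continues outside the hunk.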
Index: trunk/checkpolicy/test/dispol.c
===================================================================
--- trunk.orig/checkpolicy/test/dispol.c
+++ trunk/checkpolicy/test/dispol.c
@@ -23,6 +23,7 @@
 #include <sepol/policydb/conditional.h>
 #include <sepol/policydb/expand.h>
 #include <sepol/policydb/util.h>
+#include <sepol/policydb/polcaps.h>
 #include <getopt.h>
 #include <assert.h>
 #include <unistd.h>
@@ -298,6 +299,26 @@ int change_bool(char *name, int state, p
 	return 0;
 }
 
+static void display_policycaps(policydb_t * p, FILE * fp)
+{
+	ebitmap_node_t *node;
+	const char *capname;
+	char buf[64];
+	int i;
+
+	fprintf(fp, "policy capabilities:\n");
+	ebitmap_for_each_bit(&p->policycaps, node, i) {
+		if (ebitmap_get_bit(&p->policycaps, i)) {
+			capname = sepol_polcap_getname(i);
+			if (capname == NULL) {
+				snprintf(buf, sizeof(buf), "unknown (%d)", i);
+				capname = buf;
+			}
+			fprintf(fp, "\t%s\n", capname);
+		}
+	}
+}
+
 int menu()
 {
 	printf("\nSelect a command:\n");
@@ -309,6 +330,7 @@ int menu()
 	printf("6)  display conditional expressions\n");
 	printf("7)  change a boolean value\n");
 	printf("\n");
+	printf("c)  display policy capabilities\n");
 	printf("u)  display unknown handling setting\n");
 	printf("f)  set output file\n");
 	printf("m)  display menu\n");
@@ -421,6 +443,9 @@ int main(int argc, char **argv)
 			change_bool(name, state, &policydb, out_fp);
 			free(name);
 			break;
+		case 'c':
+			display_policycaps(&policydb, out_fp);
+			break;
 		case 'u':
 		case 'U':
 			display_handle_unknown(&policydb, out_fp);
