-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Joshua Brindle wrote: > Caleb Case wrote: >> The boundry format mapped the primary field to a boolean in the >> properties bitmap. This is appropriate for the kernel policy, but in >> modular policy the primary field may be an integer that indicates the >> primary type that is being aliased. In this case, the primary value >> cannot >> be assumed to be boolean. >> >> This patch creates a new module format that writes out the primary value >> as was done before the boundry format. >> >> Signed-off-by: Caleb Case <ccase@xxxxxxxxxx> > > I Guess noone else wants to look at this patch. I already acked it > before it was sent to the list so if noone has objections I'll apply it > later today. > > We need to be sure this will make it into F11, is that possible? > yes >> >> --- >> >> checkpolicy/module_compiler.c | 2 +- >> checkpolicy/policy_define.c | 13 +++++++- >> libsepol/include/sepol/policydb/policydb.h | 19 +++++----- >> libsepol/src/policydb.c | 50 >> +++++++++++++++++++++------ >> libsepol/src/write.c | 5 +++ >> 5 files changed, 67 insertions(+), 22 deletions(-) >> >> diff --git a/checkpolicy/module_compiler.c >> b/checkpolicy/module_compiler.c >> index 36d20be..d6ebd78 100644 >> --- a/checkpolicy/module_compiler.c >> +++ b/checkpolicy/module_compiler.c >> @@ -136,7 +136,7 @@ int declare_symbol(uint32_t symbol_type, >> } >> retval = symtab_insert(policydbp, symbol_type, key, datum, >> SCOPE_DECL, decl->decl_id, dest_value); >> - if (retval == 1) { >> + if (retval == 1 && dest_value) { >> symtab_datum_t *s = >> (symtab_datum_t *) hashtab_search(policydbp-> >> symtab[symbol_type].table, >> diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c >> index 25b06c1..17b84ce 100644 >> --- a/checkpolicy/policy_define.c >> +++ b/checkpolicy/policy_define.c 
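Review bot: The added `&& dest_value` guard means a duplicate declaration where the caller passed `dest_value == NULL` now skips the lookup of the existing datum entirely and falls through to whatever follows the `if`, which is outside the hunk, so the intent deserves a comment on that line: `/* retval == 1: symbol already declared; look up its existing value only when the caller asked for it */`. declare_symbol starts and ends outside the hunk, so what retval is returned to such a caller is not visible here; confirm that callers passing NULL expect the "already declared" outcome to be dropped silently rather than reported.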
>> @@ -1015,8 +1015,19 @@ static int add_aliases_to_type(type_datum_t * >> type) >> yyerror("could not declare alias here"); >> goto cleanup; >> } >> - case 0: >> + case 0: break; >> case 1:{ >> + /* ret == 1 means the alias was required and >> therefore already >> + * has a value. Set it up as an alias with a >> different primary. */ >> + type_datum_destroy(aliasdatum); >> + free(aliasdatum); >> + >> + aliasdatum = >> hashtab_search(policydbp->symtab[SYM_TYPES].table, id); >> + assert(aliasdatum); >> + >> + aliasdatum->primary = type->s.value; >> + aliasdatum->flavor = TYPE_ALIAS; >> + >> break; >> } >> default:{ >> diff --git a/libsepol/include/sepol/policydb/policydb.h >> b/libsepol/include/sepol/policydb/policydb.h >> index eede389..0105cf4 100644 >> --- a/libsepol/include/sepol/policydb/policydb.h >> +++ b/libsepol/include/sepol/policydb/policydb.h 
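Review bot: In the new `case 1:` arm, `assert(aliasdatum)` is the only check on the `hashtab_search` result, and it compiles out under NDEBUG, leaving `aliasdatum->primary = ...` as a NULL dereference if the lookup fails. An explicit failure path consistent with the arm above, `if (!aliasdatum) { yyerror("alias lookup failed after declaration"); goto cleanup; }`, keeps the check in release builds. After this arm `aliasdatum` points at hashtab-owned memory rather than the freed local allocation; add_aliases_to_type and its `cleanup` label lie outside the hunk, so confirm that no later error path frees `aliasdatum`, which would now be a double free. The lookup result's `flavor` is also overwritten with `TYPE_ALIAS` unconditionally, which presumes the existing symbol is a plain required type.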
>> @@ -614,17 +614,18 @@ extern int policydb_write(struct policydb *p, >> struct policy_file *pf); >> #define POLICYDB_VERSION_MAX POLICYDB_VERSION_BOUNDARY >> >> /* Module versions and specific changes*/ >> -#define MOD_POLICYDB_VERSION_BASE 4 >> -#define MOD_POLICYDB_VERSION_VALIDATETRANS 5 >> -#define MOD_POLICYDB_VERSION_MLS 5 >> -#define MOD_POLICYDB_VERSION_RANGETRANS 6 >> -#define MOD_POLICYDB_VERSION_MLS_USERS 6 >> -#define MOD_POLICYDB_VERSION_POLCAP 7 >> -#define MOD_POLICYDB_VERSION_PERMISSIVE 8 >> -#define MOD_POLICYDB_VERSION_BOUNDARY 9 >> +#define MOD_POLICYDB_VERSION_BASE 4 >> +#define MOD_POLICYDB_VERSION_VALIDATETRANS 5 >> +#define MOD_POLICYDB_VERSION_MLS 5 >> +#define MOD_POLICYDB_VERSION_RANGETRANS 6 >> +#define MOD_POLICYDB_VERSION_MLS_USERS 6 >> +#define MOD_POLICYDB_VERSION_POLCAP 7 >> +#define MOD_POLICYDB_VERSION_PERMISSIVE 8 >> +#define MOD_POLICYDB_VERSION_BOUNDARY 9 >> +#define MOD_POLICYDB_VERSION_BOUNDARY_ALIAS 10 >> >> #define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE >> -#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_BOUNDARY >> +#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_BOUNDARY_ALIAS >> >> #define POLICYDB_CONFIG_MLS 1 >> >> diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c >> index d623343..85ddefc 100644 >> --- a/libsepol/src/policydb.c >> +++ b/libsepol/src/policydb.c >> @@ -153,6 +153,12 @@ static struct policydb_compat_info >> policydb_compat[] = { >> .ocon_num = OCON_NODE6 + 1, >> }, >> { >> + .type = POLICY_BASE, >> + .version = MOD_POLICYDB_VERSION_BOUNDARY_ALIAS, >> + .sym_num = SYM_NUM, >> + .ocon_num = OCON_NODE6 + 1, >> + }, >> + { >> .type = POLICY_MOD, >> .version = MOD_POLICYDB_VERSION_BASE, >> .sym_num = SYM_NUM, 
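Review bot: `MOD_POLICYDB_VERSION_BOUNDARY_ALIAS` is added to a list headed "Module versions and specific changes" without saying what the change is; a trailing comment such as `/* alias primary written as the aliased type's value, not a flag */` would tell a reader of this list what version 10 means. Realigning the eight existing `#define` lines turns a one-line addition into a nine-line change, which hides the substantive edit in blame and makes backports noisier; keeping the old spacing and aligning only the new line is the usual choice.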
>> @@ -188,6 +194,12 @@ static struct policydb_compat_info >> policydb_compat[] = { >> .sym_num = SYM_NUM, >> .ocon_num = 0 >> }, >> + { >> + .type = POLICY_MOD, >> + .version = MOD_POLICYDB_VERSION_BOUNDARY_ALIAS, >> + .sym_num = SYM_NUM, >> + .ocon_num = 0 >> + }, >> }; >> >> #if 0 >> @@ -1942,13 +1954,19 @@ static int type_read(policydb_t * p >> uint32_t buf[5]; >> size_t len; >> int rc, to_read; >> + int pos = 0; >> >> typdatum = calloc(1, sizeof(type_datum_t)); >> if (!typdatum) >> return -1; >> >> - if (policydb_has_boundary_feature(p)) >> - to_read = 4; >> + if (policydb_has_boundary_feature(p)) { >> + if (p->policy_type != POLICY_KERN >> + && p->policyvers >= MOD_POLICYDB_VERSION_BOUNDARY_ALIAS) >> + to_read = 5; >> + else >> + to_read = 4; >> + } >> else if (p->policy_type == POLICY_KERN) >> to_read = 3; >> else if (p->policyvers >= MOD_POLICYDB_VERSION_PERMISSIVE) >> @@ -1960,13 +1978,23 @@ static int type_read(policydb_t * p >> if (rc < 0) >> goto bad; >> >> - len = le32_to_cpu(buf[0]); >> - typdatum->s.value = le32_to_cpu(buf[1]); >> + len = le32_to_cpu(buf[pos]); >> + typdatum->s.value = le32_to_cpu(buf[++pos]); >> if (policydb_has_boundary_feature(p)) { >> - uint32_t properties = le32_to_cpu(buf[2]); >> + uint32_t properties; >> + >> + if (p->policy_type != POLICY_KERN >> + && p->policyvers >= MOD_POLICYDB_VERSION_BOUNDARY_ALIAS) { >> + typdatum->primary = le32_to_cpu(buf[++pos]); >> + properties = le32_to_cpu(buf[++pos]); >> + } >> + else { >> + properties = le32_to_cpu(buf[++pos]); >> + >> + if (properties & TYPEDATUM_PROPERTY_PRIMARY) >> + typdatum->primary = 1; >> + } >> >> - if (properties & TYPEDATUM_PROPERTY_PRIMARY) >> - typdatum->primary = 1; >> if (properties & TYPEDATUM_PROPERTY_ATTRIBUTE) >> typdatum->flavor = TYPE_ATTRIB; >> if (properties & TYPEDATUM_PROPERTY_ALIAS 
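Review bot: The predicate `p->policy_type != POLICY_KERN && p->policyvers >= MOD_POLICYDB_VERSION_BOUNDARY_ALIAS` is spelled out here, again in the following type_read hunk (`@@ -1960,13`), and a third time in type_write in write.c; since reader and writer must agree exactly on the record layout, a single helper next to policydb_has_boundary_feature keeps them from drifting, e.g. `static inline int policydb_has_boundary_alias_feature(const policydb_t *p) { return p->policy_type != POLICY_KERN && p->policyvers >= MOD_POLICYDB_VERSION_BOUNDARY_ALIAS; }`. policydb_has_boundary_feature's definition is not part of this patch, so where it lives decides where the new helper belongs. The `to_read = 5` case exactly fills the `uint32_t buf[5]` declared just above; a comment tying the two together would make the next format extension bump both.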
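Review bot: In the BOUNDARY_ALIAS branch `typdatum->primary` is taken verbatim from the file and the `TYPEDATUM_PROPERTY_PRIMARY` bit in `properties` is no longer consulted, yet the write.c hunk still sets that bit from `typdatum->primary`, so the new module format carries the flag redundantly; either stop emitting it for this version or note at the read site that it is ignored, e.g. `/* >= BOUNDARY_ALIAS: primary holds the aliased type's value; the PRIMARY property bit is redundant here */`. As a raw file value, `primary` gets no range check against the number of types in this function; if nothing downstream validates it before it is used as a type index, load time is the place to reject a malformed module. The `}` followed by `else {` on its own line departs from the K&R layout used elsewhere in this function.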
>> @@ -1976,13 +2004,13 @@ static int type_read(policydb_t * p >> && p->policy_type != POLICY_KERN) >> typdatum->flags |= TYPE_FLAGS_PERMISSIVE; >> >> - typdatum->bounds = le32_to_cpu(buf[3]); >> + typdatum->bounds = le32_to_cpu(buf[++pos]); >> } else { >> - typdatum->primary = le32_to_cpu(buf[2]); >> + typdatum->primary = le32_to_cpu(buf[++pos]); >> if (p->policy_type != POLICY_KERN) { >> - typdatum->flavor = le32_to_cpu(buf[3]); >> + typdatum->flavor = le32_to_cpu(buf[++pos]); >> if (p->policyvers >= MOD_POLICYDB_VERSION_PERMISSIVE) >> - typdatum->flags = le32_to_cpu(buf[4]); >> + typdatum->flags = le32_to_cpu(buf[++pos]); >> } >> } >> >> diff --git a/libsepol/src/write.c b/libsepol/src/write.c >> index bffadcf..66b35ec 100644 >> --- a/libsepol/src/write.c >> +++ b/libsepol/src/write.c >> @@ -970,6 +970,11 @@ static int type_write(hashtab_key_t key, >> hashtab_datum_t datum, void *ptr) >> if (policydb_has_boundary_feature(p)) { >> uint32_t properties = 0; >> >> + if (p->policy_type != POLICY_KERN >> + && p->policyvers >= MOD_POLICYDB_VERSION_BOUNDARY_ALIAS) { >> + buf[items++] = cpu_to_le32(typdatum->primary); >> + } >> + >> if (typdatum->primary) >> properties |= TYPEDATUM_PROPERTY_PRIMARY; >> >> >> -- >> This message was distributed to subscribers of the selinux mailing list. >> If you no longer wish to subscribe, send mail to >> majordomo@xxxxxxxxxxxxx with >> the words "unsubscribe selinux" without quotes as the message. >> > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkmVuW8ACgkQrlYvE4MpobORDgCeL5T28gzWVYzpZcwcfyIghsTm kwEAoNJdgcgOlQVZjzyF+CZ8UjD8uNp0 =o7Yo -----END PGP SIGNATURE----- -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
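Review bot: `buf[items++] = cpu_to_le32(typdatum->primary);` adds a fifth word to the boundary-format record, but `buf` and its size are declared above the hunk, so confirm it holds at least five `uint32_t` (the matching declaration in type_read is `uint32_t buf[5]`); if it is still sized for the four-word boundary record this write runs past its end. A comment tying the order to the reader would help the next maintainer: `/* must match type_read: primary precedes properties for >= BOUNDARY_ALIAS modules */`. type_write's body starts and ends outside the hunk.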