On Fri, Jul 14, 2023 at 1:32 PM James Carter <jwcart2@xxxxxxxxx> wrote:
>
> Role dominance has been deprecated for a very, very long time (since
> at least August 2008) and has never been used in any widely deployed
> policy.
>
> Remove support for compiling role dominance rules.
>
> Support will remain, for now, in libsepol for backwards compatibility.
>
> Signed-off-by: James Carter <jwcart2@xxxxxxxxx>
There should not be any controversy over this patch, so I plan on
merging it soon unless someone objects.
Jim
> ---
> checkpolicy/policy_define.c | 184 ------------------------------------
> checkpolicy/policy_define.h | 2 -
> checkpolicy/policy_parse.y | 14 ---
> 3 files changed, 200 deletions(-)
>
> diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
> index 8421b253..23a65339 100644
> --- a/checkpolicy/policy_define.c
> +++ b/checkpolicy/policy_define.c
> @@ -2926,190 +2926,6 @@ int define_roleattribute(void)
> return 0;
> }
>
> -role_datum_t *merge_roles_dom(role_datum_t * r1, role_datum_t * r2)
> -{
> - role_datum_t *new;
> -
> - if (pass == 1) {
> - return (role_datum_t *) 1; /* any non-NULL value */
> - }
> -
> - new = malloc(sizeof(role_datum_t));
> - if (!new) {
> - yyerror("out of memory");
> - return NULL;
> - }
> - memset(new, 0, sizeof(role_datum_t));
> - new->s.value = 0; /* temporary role */
> - if (ebitmap_or(&new->dominates, &r1->dominates, &r2->dominates)) {
> - yyerror("out of memory");
> - free(new);
> - return NULL;
> - }
> - if (ebitmap_or(&new->types.types, &r1->types.types, &r2->types.types)) {
> - yyerror("out of memory");
> - free(new);
> - return NULL;
> - }
> - if (!r1->s.value) {
> - /* free intermediate result */
> - type_set_destroy(&r1->types);
> - ebitmap_destroy(&r1->dominates);
> - free(r1);
> - }
> - if (!r2->s.value) {
> - /* free intermediate result */
> - yyerror("right hand role is temporary?");
> - type_set_destroy(&r2->types);
> - ebitmap_destroy(&r2->dominates);
> - free(r2);
> - }
> - return new;
> -}
> -
> -/* This function eliminates the ordering dependency of role dominance rule */
> -static int dominate_role_recheck(hashtab_key_t key __attribute__ ((unused)),
> - hashtab_datum_t datum, void *arg)
> -{
> - role_datum_t *rdp = (role_datum_t *) arg;
> - role_datum_t *rdatum = (role_datum_t *) datum;
> - ebitmap_node_t *node;
> - uint32_t i;
> -
> - /* Don't bother to process against self role */
> - if (rdatum->s.value == rdp->s.value)
> - return 0;
> -
> - /* If a dominating role found */
> - if (ebitmap_get_bit(&(rdatum->dominates), rdp->s.value - 1)) {
> - ebitmap_t types;
> - ebitmap_init(&types);
> - if (type_set_expand(&rdp->types, &types, policydbp, 1)) {
> - ebitmap_destroy(&types);
> - return -1;
> - }
> - /* raise types and dominates from dominated role */
> - ebitmap_for_each_positive_bit(&rdp->dominates, node, i) {
> - if (ebitmap_set_bit(&rdatum->dominates, i, TRUE))
> - goto oom;
> - }
> - ebitmap_for_each_positive_bit(&types, node, i) {
> - if (ebitmap_set_bit(&rdatum->types.types, i, TRUE))
> - goto oom;
> - }
> - ebitmap_destroy(&types);
> - }
> -
> - /* go through all the roles */
> - return 0;
> - oom:
> - yyerror("Out of memory");
> - return -1;
> -}
> -
> -role_datum_t *define_role_dom(role_datum_t * r)
> -{
> - role_datum_t *role;
> - char *role_id;
> - ebitmap_node_t *node;
> - unsigned int i;
> - int ret;
> -
> - if (pass == 1) {
> - role_id = queue_remove(id_queue);
> - free(role_id);
> - return (role_datum_t *) 1; /* any non-NULL value */
> - }
> -
> - yywarn("Role dominance has been deprecated");
> -
> - role_id = queue_remove(id_queue);
> - if (!is_id_in_scope(SYM_ROLES, role_id)) {
> - yyerror2("role %s is not within scope", role_id);
> - free(role_id);
> - return NULL;
> - }
> - role = (role_datum_t *) hashtab_search(policydbp->p_roles.table,
> - role_id);
> - if (!role) {
> - role = (role_datum_t *) malloc(sizeof(role_datum_t));
> - if (!role) {
> - yyerror("out of memory");
> - free(role_id);
> - return NULL;
> - }
> - memset(role, 0, sizeof(role_datum_t));
> - ret =
> - declare_symbol(SYM_ROLES, (hashtab_key_t) role_id,
> - (hashtab_datum_t) role, &role->s.value,
> - &role->s.value);
> - switch (ret) {
> - case -3:{
> - yyerror("Out of memory!");
> - goto cleanup;
> - }
> - case -2:{
> - yyerror2("duplicate declaration of role %s",
> - role_id);
> - goto cleanup;
> - }
> - case -1:{
> - yyerror("could not declare role here");
> - goto cleanup;
> - }
> - case 0:
> - case 1:{
> - break;
> - }
> - default:{
> - assert(0); /* should never get here */
> - }
> - }
> - if (ebitmap_set_bit(&role->dominates, role->s.value - 1, TRUE)) {
> - yyerror("Out of memory!");
> - goto cleanup;
> - }
> - }
> - if (r) {
> - ebitmap_t types;
> - ebitmap_init(&types);
> - ebitmap_for_each_positive_bit(&r->dominates, node, i) {
> - if (ebitmap_set_bit(&role->dominates, i, TRUE))
> - goto oom;
> - }
> - if (type_set_expand(&r->types, &types, policydbp, 1)) {
> - ebitmap_destroy(&types);
> - return NULL;
> - }
> - ebitmap_for_each_positive_bit(&types, node, i) {
> - if (ebitmap_set_bit(&role->types.types, i, TRUE))
> - goto oom;
> - }
> - ebitmap_destroy(&types);
> - if (!r->s.value) {
> - /* free intermediate result */
> - type_set_destroy(&r->types);
> - ebitmap_destroy(&r->dominates);
> - free(r);
> - }
> - /*
> - * Now go through all the roles and escalate this role's
> - * dominates and types if a role dominates this role.
> - */
> - hashtab_map(policydbp->p_roles.table,
> - dominate_role_recheck, role);
> - }
> - return role;
> - cleanup:
> - free(role_id);
> - role_datum_destroy(role);
> - free(role);
> - return NULL;
> - oom:
> - yyerror("Out of memory");
> - goto cleanup;
> -}
> -
> static int role_val_to_name_helper(hashtab_key_t key, hashtab_datum_t datum,
> void *p)
> {
> diff --git a/checkpolicy/policy_define.h b/checkpolicy/policy_define.h
> index c1314871..7c5a4e6c 100644
> --- a/checkpolicy/policy_define.h
> +++ b/checkpolicy/policy_define.h
> @@ -69,8 +69,6 @@ int define_validatetrans(constraint_expr_t *expr);
> int expand_attrib(void);
> int insert_id(const char *id,int push);
> int insert_separator(int push);
> -role_datum_t *define_role_dom(role_datum_t *r);
> -role_datum_t *merge_roles_dom(role_datum_t *r1,role_datum_t *r2);
> uintptr_t define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2);
>
> #endif /* _POLICY_DEFINE_H_ */
> diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
> index 6b6890a3..02b076c7 100644
> --- a/checkpolicy/policy_parse.y
> +++ b/checkpolicy/policy_parse.y
> @@ -76,7 +76,6 @@ typedef int (* require_func_t)(int pass);
> %type <ptr> cond_expr cond_expr_prim cond_pol_list cond_else
> %type <ptr> cond_allow_def cond_auditallow_def cond_auditdeny_def cond_dontaudit_def
> %type <ptr> cond_transition_def cond_te_avtab_def cond_rule_def
> -%type <ptr> role_def roles
> %type <valptr> cexpr cexpr_prim op role_mls_op
> %type <val> ipv4_addr_def number
> %type <val64> number64
> @@ -312,7 +311,6 @@ te_rbac_decl : te_decl
> ;
> rbac_decl : attribute_role_def
> | role_type_def
> - | role_dominance
> | role_trans_def
> | role_allow_def
> | roleattribute_def
> @@ -515,8 +513,6 @@ role_type_def : ROLE identifier TYPES names ';'
> role_attr_def : ROLE identifier opt_attr_list ';'
> {if (define_role_attr()) return -1;}
> ;
> -role_dominance : DOMINANCE '{' roles '}'
> - ;
> role_trans_def : ROLE_TRANSITION names names identifier ';'
> {if (define_role_trans(0)) return -1; }
> | ROLE_TRANSITION names names ':' names identifier ';'
> @@ -525,16 +521,6 @@ role_trans_def : ROLE_TRANSITION names names identifier ';'
> role_allow_def : ALLOW names names ';'
> {if (define_role_allow()) return -1; }
> ;
> -roles : role_def
> - { $$ = $1; }
> - | roles role_def
> - { $$ = merge_roles_dom((role_datum_t*)$1, (role_datum_t*)$2); if ($$ == 0) return -1;}
> - ;
> -role_def : ROLE identifier_push ';'
> - {$$ = define_role_dom(NULL); if ($$ == 0) return -1;}
> - | ROLE identifier_push '{' roles '}'
> - {$$ = define_role_dom((role_datum_t*)$4); if ($$ == 0) return -1;}
> - ;
> roleattribute_def : ROLEATTRIBUTE identifier id_comma_list ';'
> {if (define_roleattribute()) return -1;}
> ;
> --
> 2.41.0
>
