James Carter <jwcart2@xxxxxxxxx> writes:
> On Fri, Jul 14, 2023 at 1:32 PM James Carter <jwcart2@xxxxxxxxx> wrote:
>>
>> Role dominance has been deprecated for a very, very long time (since
>> at least August 2008) and has never been used in any widely deployed
>> policy.
>>
>> Remove support for compiling role dominance rules.
>>
>> Support will remain, for now, in libsepol for backwards compatibility.
>>
>> Signed-off-by: James Carter <jwcart2@xxxxxxxxx>
>
> There should not be any controversy over this patch, so I plan on
> merging it soon unless someone objects.
> Jim
Acked-by: Petr Lautrbach <lautrbach@xxxxxxxxxx>
>
>> ---
>> checkpolicy/policy_define.c | 184 ------------------------------------
>> checkpolicy/policy_define.h | 2 -
>> checkpolicy/policy_parse.y | 14 ---
>> 3 files changed, 200 deletions(-)
>>
>> diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
>> index 8421b253..23a65339 100644
>> --- a/checkpolicy/policy_define.c
>> +++ b/checkpolicy/policy_define.c
>> @@ -2926,190 +2926,6 @@ int define_roleattribute(void)
>> return 0;
>> }
>>
>> -role_datum_t *merge_roles_dom(role_datum_t * r1, role_datum_t * r2)
>> -{
>> - role_datum_t *new;
>> -
>> - if (pass == 1) {
>> - return (role_datum_t *) 1; /* any non-NULL value */
>> - }
>> -
>> - new = malloc(sizeof(role_datum_t));
>> - if (!new) {
>> - yyerror("out of memory");
>> - return NULL;
>> - }
>> - memset(new, 0, sizeof(role_datum_t));
>> - new->s.value = 0; /* temporary role */
>> - if (ebitmap_or(&new->dominates, &r1->dominates, &r2->dominates)) {
>> - yyerror("out of memory");
>> - free(new);
>> - return NULL;
>> - }
>> - if (ebitmap_or(&new->types.types, &r1->types.types, &r2->types.types)) {
>> - yyerror("out of memory");
>> - free(new);
>> - return NULL;
>> - }
>> - if (!r1->s.value) {
>> - /* free intermediate result */
>> - type_set_destroy(&r1->types);
>> - ebitmap_destroy(&r1->dominates);
>> - free(r1);
>> - }
>> - if (!r2->s.value) {
>> - /* free intermediate result */
>> - yyerror("right hand role is temporary?");
>> - type_set_destroy(&r2->types);
>> - ebitmap_destroy(&r2->dominates);
>> - free(r2);
>> - }
>> - return new;
>> -}
>> -
>> -/* This function eliminates the ordering dependency of role dominance rule */
>> -static int dominate_role_recheck(hashtab_key_t key __attribute__ ((unused)),
>> - hashtab_datum_t datum, void *arg)
>> -{
>> - role_datum_t *rdp = (role_datum_t *) arg;
>> - role_datum_t *rdatum = (role_datum_t *) datum;
>> - ebitmap_node_t *node;
>> - uint32_t i;
>> -
>> - /* Don't bother to process against self role */
>> - if (rdatum->s.value == rdp->s.value)
>> - return 0;
>> -
>> - /* If a dominating role found */
>> - if (ebitmap_get_bit(&(rdatum->dominates), rdp->s.value - 1)) {
>> - ebitmap_t types;
>> - ebitmap_init(&types);
>> - if (type_set_expand(&rdp->types, &types, policydbp, 1)) {
>> - ebitmap_destroy(&types);
>> - return -1;
>> - }
>> - /* raise types and dominates from dominated role */
>> - ebitmap_for_each_positive_bit(&rdp->dominates, node, i) {
>> - if (ebitmap_set_bit(&rdatum->dominates, i, TRUE))
>> - goto oom;
>> - }
>> - ebitmap_for_each_positive_bit(&types, node, i) {
>> - if (ebitmap_set_bit(&rdatum->types.types, i, TRUE))
>> - goto oom;
>> - }
>> - ebitmap_destroy(&types);
>> - }
>> -
>> - /* go through all the roles */
>> - return 0;
>> - oom:
>> - yyerror("Out of memory");
>> - return -1;
>> -}
>> -
>> -role_datum_t *define_role_dom(role_datum_t * r)
>> -{
>> - role_datum_t *role;
>> - char *role_id;
>> - ebitmap_node_t *node;
>> - unsigned int i;
>> - int ret;
>> -
>> - if (pass == 1) {
>> - role_id = queue_remove(id_queue);
>> - free(role_id);
>> - return (role_datum_t *) 1; /* any non-NULL value */
>> - }
>> -
>> - yywarn("Role dominance has been deprecated");
>> -
>> - role_id = queue_remove(id_queue);
>> - if (!is_id_in_scope(SYM_ROLES, role_id)) {
>> - yyerror2("role %s is not within scope", role_id);
>> - free(role_id);
>> - return NULL;
>> - }
>> - role = (role_datum_t *) hashtab_search(policydbp->p_roles.table,
>> - role_id);
>> - if (!role) {
>> - role = (role_datum_t *) malloc(sizeof(role_datum_t));
>> - if (!role) {
>> - yyerror("out of memory");
>> - free(role_id);
>> - return NULL;
>> - }
>> - memset(role, 0, sizeof(role_datum_t));
>> - ret =
>> - declare_symbol(SYM_ROLES, (hashtab_key_t) role_id,
>> - (hashtab_datum_t) role, &role->s.value,
>> - &role->s.value);
>> - switch (ret) {
>> - case -3:{
>> - yyerror("Out of memory!");
>> - goto cleanup;
>> - }
>> - case -2:{
>> - yyerror2("duplicate declaration of role %s",
>> - role_id);
>> - goto cleanup;
>> - }
>> - case -1:{
>> - yyerror("could not declare role here");
>> - goto cleanup;
>> - }
>> - case 0:
>> - case 1:{
>> - break;
>> - }
>> - default:{
>> - assert(0); /* should never get here */
>> - }
>> - }
>> - if (ebitmap_set_bit(&role->dominates, role->s.value - 1, TRUE)) {
>> - yyerror("Out of memory!");
>> - goto cleanup;
>> - }
>> - }
>> - if (r) {
>> - ebitmap_t types;
>> - ebitmap_init(&types);
>> - ebitmap_for_each_positive_bit(&r->dominates, node, i) {
>> - if (ebitmap_set_bit(&role->dominates, i, TRUE))
>> - goto oom;
>> - }
>> - if (type_set_expand(&r->types, &types, policydbp, 1)) {
>> - ebitmap_destroy(&types);
>> - return NULL;
>> - }
>> - ebitmap_for_each_positive_bit(&types, node, i) {
>> - if (ebitmap_set_bit(&role->types.types, i, TRUE))
>> - goto oom;
>> - }
>> - ebitmap_destroy(&types);
>> - if (!r->s.value) {
>> - /* free intermediate result */
>> - type_set_destroy(&r->types);
>> - ebitmap_destroy(&r->dominates);
>> - free(r);
>> - }
>> - /*
>> - * Now go through all the roles and escalate this role's
>> - * dominates and types if a role dominates this role.
>> - */
>> - hashtab_map(policydbp->p_roles.table,
>> - dominate_role_recheck, role);
>> - }
>> - return role;
>> - cleanup:
>> - free(role_id);
>> - role_datum_destroy(role);
>> - free(role);
>> - return NULL;
>> - oom:
>> - yyerror("Out of memory");
>> - goto cleanup;
>> -}
>> -
>> static int role_val_to_name_helper(hashtab_key_t key, hashtab_datum_t datum,
>> void *p)
>> {
>> diff --git a/checkpolicy/policy_define.h b/checkpolicy/policy_define.h
>> index c1314871..7c5a4e6c 100644
>> --- a/checkpolicy/policy_define.h
>> +++ b/checkpolicy/policy_define.h
>> @@ -69,8 +69,6 @@ int define_validatetrans(constraint_expr_t *expr);
>> int expand_attrib(void);
>> int insert_id(const char *id,int push);
>> int insert_separator(int push);
>> -role_datum_t *define_role_dom(role_datum_t *r);
>> -role_datum_t *merge_roles_dom(role_datum_t *r1,role_datum_t *r2);
>> uintptr_t define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2);
>>
>> #endif /* _POLICY_DEFINE_H_ */
>> diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
>> index 6b6890a3..02b076c7 100644
>> --- a/checkpolicy/policy_parse.y
>> +++ b/checkpolicy/policy_parse.y
>> @@ -76,7 +76,6 @@ typedef int (* require_func_t)(int pass);
>> %type <ptr> cond_expr cond_expr_prim cond_pol_list cond_else
>> %type <ptr> cond_allow_def cond_auditallow_def cond_auditdeny_def cond_dontaudit_def
>> %type <ptr> cond_transition_def cond_te_avtab_def cond_rule_def
>> -%type <ptr> role_def roles
>> %type <valptr> cexpr cexpr_prim op role_mls_op
>> %type <val> ipv4_addr_def number
>> %type <val64> number64
>> @@ -312,7 +311,6 @@ te_rbac_decl : te_decl
>> ;
>> rbac_decl : attribute_role_def
>> | role_type_def
>> - | role_dominance
>> | role_trans_def
>> | role_allow_def
>> | roleattribute_def
>> @@ -515,8 +513,6 @@ role_type_def : ROLE identifier TYPES names ';'
>> role_attr_def : ROLE identifier opt_attr_list ';'
>> {if (define_role_attr()) return -1;}
>> ;
>> -role_dominance : DOMINANCE '{' roles '}'
>> - ;
>> role_trans_def : ROLE_TRANSITION names names identifier ';'
>> {if (define_role_trans(0)) return -1; }
>> | ROLE_TRANSITION names names ':' names identifier ';'
>> @@ -525,16 +521,6 @@ role_trans_def : ROLE_TRANSITION names names identifier ';'
>> role_allow_def : ALLOW names names ';'
>> {if (define_role_allow()) return -1; }
>> ;
>> -roles : role_def
>> - { $$ = $1; }
>> - | roles role_def
>> - { $$ = merge_roles_dom((role_datum_t*)$1, (role_datum_t*)$2); if ($$ == 0) return -1;}
>> - ;
>> -role_def : ROLE identifier_push ';'
>> - {$$ = define_role_dom(NULL); if ($$ == 0) return -1;}
>> - | ROLE identifier_push '{' roles '}'
>> - {$$ = define_role_dom((role_datum_t*)$4); if ($$ == 0) return -1;}
>> - ;
>> roleattribute_def : ROLEATTRIBUTE identifier id_comma_list ';'
>> {if (define_roleattribute()) return -1;}
>> ;
>> --
>> 2.41.0
>>