Project import
diff --git a/checkpolicy/Android.mk b/checkpolicy/Android.mk
new file mode 100644
index 0000000..ee2f158
--- /dev/null
+++ b/checkpolicy/Android.mk
@@ -0,0 +1,66 @@
+LOCAL_PATH:= $(call my-dir)
+
+common_src_files := \
+ policy_parse.y \
+ policy_scan.l \
+ queue.c \
+ module_compiler.c \
+ parse_util.c \
+ policy_define.c
+
+common_cflags := \
+ -Wall -Wshadow -O2 \
+ -pipe -fno-strict-aliasing \
+
+common_includes := \
+ $(LOCAL_PATH)/ \
+ $(LOCAL_PATH)/../libsepol/include/ \
+ $(LOCAL_PATH)/../libsepol/src/ \
+
+##
+# checkpolicy
+#
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := checkpolicy
+LOCAL_MODULE_TAGS := optional
+LOCAL_C_INCLUDES := $(common_includes)
+LOCAL_CFLAGS := $(common_cflags)
+LOCAL_SRC_FILES := $(common_src_files) checkpolicy.c
+LOCAL_STATIC_LIBRARIES := libsepol
+LOCAL_YACCFLAGS := -v
+LOCAL_MODULE_CLASS := EXECUTABLES
+
+include $(BUILD_HOST_EXECUTABLE)
+
+
+##
+# checkmodule
+#
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := checkmodule
+LOCAL_MODULE_TAGS := optional
+LOCAL_C_INCLUDES := $(common_includes)
+LOCAL_CFLAGS := $(common_cflags)
+LOCAL_SRC_FILES := $(common_src_files) checkmodule.c
+LOCAL_STATIC_LIBRARIES := libsepol
+LOCAL_YACCFLAGS := -v
+LOCAL_MODULE_CLASS := EXECUTABLES
+
+include $(BUILD_HOST_EXECUTABLE)
+
+##
+# dispol
+#
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := dispol
+LOCAL_MODULE_TAGS := optional
+LOCAL_C_INCLUDES := $(common_includes)
+LOCAL_CFLAGS := $(common_cflags)
+LOCAL_SRC_FILES := test/dispol.c
+LOCAL_STATIC_LIBRARIES := libsepol
+LOCAL_MODULE_CLASS := EXECUTABLES
+
+include $(BUILD_HOST_EXECUTABLE)
diff --git a/checkpolicy/COPYING b/checkpolicy/COPYING
new file mode 100644
index 0000000..5b6e7c6
--- /dev/null
+++ b/checkpolicy/COPYING
@@ -0,0 +1,340 @@
+ GNU GENERAL PUBLIC LICENSE
+ Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+ 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users. This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it. (Some other Free Software Foundation software is covered by
+the GNU Library General Public License instead.) You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+ To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have. You must make sure that they, too, receive or can get the
+source code. And you must show them these terms so they know their
+rights.
+
+ We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+ Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+ Finally, any free program is threatened constantly by software
+patents. We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary. To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+�
+ GNU GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License. The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language. (Hereinafter, translation is included without limitation in
+the term "modification".) Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+ 1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+ 2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) You must cause the modified files to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ b) You must cause any work that you distribute or publish, that in
+ whole or in part contains or is derived from the Program or any
+ part thereof, to be licensed as a whole at no charge to all third
+ parties under the terms of this License.
+
+ c) If the modified program normally reads commands interactively
+ when run, you must cause it, when started running for such
+ interactive use in the most ordinary way, to print or display an
+ announcement including an appropriate copyright notice and a
+ notice that there is no warranty (or else, saying that you provide
+ a warranty) and that users may redistribute the program under
+ these conditions, and telling the user how to view a copy of this
+ License. (Exception: if the Program itself is interactive but
+ does not normally print such an announcement, your work based on
+ the Program is not required to print an announcement.)
+�
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+ a) Accompany it with the complete corresponding machine-readable
+ source code, which must be distributed under the terms of Sections
+ 1 and 2 above on a medium customarily used for software interchange; or,
+
+ b) Accompany it with a written offer, valid for at least three
+ years, to give any third party, for a charge no more than your
+ cost of physically performing source distribution, a complete
+ machine-readable copy of the corresponding source code, to be
+ distributed under the terms of Sections 1 and 2 above on a medium
+ customarily used for software interchange; or,
+
+ c) Accompany it with the information you received as to the offer
+ to distribute corresponding source code. (This alternative is
+ allowed only for noncommercial distribution and only if you
+ received the program in object code or executable form with such
+ an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable. However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+�
+ 4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+ 5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+ 6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+ 7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all. For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+�
+ 8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded. In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+ 9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation. If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+ 10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission. For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this. Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+ NO WARRANTY
+
+ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+ END OF TERMS AND CONDITIONS
+�
+ How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+ <one line to give the program's name and a brief idea of what it does.>
+ Copyright (C) <year> <name of author>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+ Gnomovision version 69, Copyright (C) year name of author
+ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. Here is a sample; alter the names:
+
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+ `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+ <signature of Ty Coon>, 1 April 1989
+ Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs. If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library. If this is what you want to do, use the GNU Library General
+Public License instead of this License.
diff --git a/checkpolicy/ChangeLog b/checkpolicy/ChangeLog
new file mode 100644
index 0000000..429a163
--- /dev/null
+++ b/checkpolicy/ChangeLog
@@ -0,0 +1,488 @@
+ * Set flex as default lexer, from Julien Pivotto.
+ * Fix checkmodule output message, from Petr Lautrbach.
+ * Build policy on systems not supporting DCCP protocol, from Richard Haines.
+ * Fail if module name different than output base filename, from James Carter
+ * Add support for portcon dccp protocol, from Richard Haines
+
+2.5 2016-02-23
+ * Add neverallow support for ioctl extended permissions, from Jeff Vander Stoep.
+ * fix double free on name-based type transitions, from Stephen Smalley.
+ * switch operations to extended perms, from Jeff Vander Stoep.
+ * policy_define.c: fix compiler warnings, from Nick Kralevich.
+ * Remove uses of -Wno-return-type, from Dan Albert.
+ * Fix -Wreturn-type issues, from Dan Albert.
+ * dispol: display operations as ranges, from Jeff Vander Stoep.
+ * dispol: Extend to display operations, from Stephen Smalley.
+ * Add support for ioctl command whitelisting, from Jeff Vander Stoep.
+ * Add option to write CIL policy, from James Carter
+ * Add device tree ocontext nodes to Xen policy, from Daniel De Graaf.
+ * Widen Xen IOMEM context entries, from Daniel De Graaf.
+ * Expand allowed character set in paths, from Daniel De Graaf.
+ * Fix precedence between number and filesystem tokens, from Stephen Smalley.
+ * dispol/dismod fgets function warnings fix, from Emre Can Kucukoglu.
+
+2.4 2015-02-02
+ * Fix bugs found by hardened gcc flags, from Nicolas Iooss.
+ * Add missing semicolon in cond_else parser rule, from Steven Capelli.
+ * Clear errno before call to strtol(3) from Dan Albert.
+ * Global C++11 compatibility from Dan Albert.
+ * Allow libsepol C++ static library on device from Daniel Cashman.
+
+2.3 2014-05-06
+ * Add Android support for building dispol.
+ * Report source file and line information for neverallow failures.
+ * Prevent incompatible option combinations for checkmodule.
+ * Drop -lselinux from LDLIBS for test programs; not used.
+ * Add debug feature to display constraints/validatetrans from Richard Haines.
+
+2.2 2013-10-30
+ * Fix hyphen usage in man pages from Laurent Bigonville.
+ * handle-unknown / -U required argument fix from Laurent Bigonville.
+ * Support overriding Makefile PATH and LIBDIR from Laurent Bigonville.
+ * Support space and : in filenames from Dan Walsh.
+
+2.1.12 2013-02-01
+ * Fix errors found by coverity
+ * implement default type policy syntax
+ * Free allocated memory when clean up / exit.
+
+2.1.11 2012-09-13
+ * fd leak reading policy
+ * check return code on ebitmap_set_bit
+
+2.1.10 2012-06-28
+ * sepolgen: We need to support files that have a + in them
+ * Android/MacOS X build support
+
+2.1.9 2012-03-28
+ * implement new default labeling behaviors for usr, role, range
+ * Fix dead links to www.nsa.gov/selinux
+
+2.1.8 2011-12-21
+ * add new helper to translate class sets into bitmaps
+
+2.1.7 2011-12-05
+ * dis* fixed signed vs unsigned errors
+ * dismod: fix unused parameter errors
+ * test: Makefile: include -W and -Werror
+ * allow ~ in filename transition rules
+
+2.1.6 2011-11-03
+ * Revert "checkpolicy: Redo filename/filesystem syntax to support filename trans rules"
+ * drop libsepol dynamic link in checkpolicy
+
+2.1.5 2011-09-15
+ * Separate tunable from boolean during compile.
+
+2.1.4 2011-08-26
+ * checkpolicy: fix spacing in output message
+
+2.1.3 2011-08-17
+ * add missing ; to attribute_role_def
+ *Redo filename/filesystem syntax to support filename trans
+
+2.1.2 2011-08-02
+ * .gitignore changes
+ * dispol output of role trans
+ * man page update: build a module with an older policy version
+
+2.1.1 2011-08-01
+ * Minor updates to filename trans rule output in dis{mod,pol}
+
+2.1.0 2011-07-27
+ * Release, minor version bump
+
+2.0.27 2011-07-25
+ * Add role attribute support by Harry Ciao
+
+2.0.26 2011-05-16
+ * Wrap file names in filename transitions with quotes by Steve Lawrence.
+ * Allow filesystem names to start with a digit by James Carter.
+
+2.0.25 2011-05-02
+ * Add support for using the last path compnent in type transitions by Eric
+ Paris.
+ * Allow single digit module versions by Daniel Walsh.
+ * Use better filename identifier for filenames by Daniel Walsh.
+ * Use #defines for dismod selections by Eric Paris.
+
+2.0.24 2011-04-11
+ * Add new class field in role_transition by Harry Ciao.
+
+2.0.23 2010-12-16
+ * Remove unused variables to fix compliation under GCC 4.6 by Justin Mattock
+
+2.0.22 2010-06-14
+ * Update checkmodule man page and usage by Daniel Walsh and Steve Lawrence
+
+2.0.21 2009-11-27
+ * Add long options to checkpolicy and checkmodule by Guido
+ Trentalancia <guido@trentalancia.com>
+
+2.0.20 2009-10-14
+ * Add support for building Xen policies from Paul Nuzzi.
+
+2.0.19 2009-02-18
+ * Fix alias field in module format, caused by boundary format change
+ from Caleb Case.
+
+2.0.18 2008-10-14
+ * Properly escape regex symbols in the lexer from Stephen Smalley.
+
+2.0.17 2008-10-09
+ * Add bounds support from KaiGai Kohei.
+
+2.0.16 2008-05-27
+ * Update checkpolicy for user and role mapping support from Joshua Brindle.
+
+2.0.15 2008-05-05
+ * Fix for policy module versions that look like IPv4 addresses from Jim Carter.
+ Resolves bug 444451.
+
+2.0.14 2008-03-24
+ * Add permissive domain support from Eric Paris.
+
+2.0.13 2008-03-05
+ * Split out non-grammar parts of policy_parse.yacc into
+ policy_define.c and policy_define.h from Todd C. Miller.
+
+2.0.12 2008-03-04
+ * Initialize struct policy_file before using it, from Todd C. Miller.
+
+2.0.11 2008-03-03
+ * Remove unused define, move variable out of .y file, simplify COND_ERR, from Todd C. Miller.
+
+2.0.10 2008-02-28
+ * Use yyerror2() where appropriate from Todd C. Miller.
+
+2.0.9 2008-02-04
+ * Update dispol for libsepol avtab changes from Stephen Smalley.
+
+2.0.8 2008-01-24
+ * Deprecate role dominance in parser.
+
+2.0.7 2008-01-02
+ * Added support for policy capabilities from Todd Miller.
+
+2.0.6 2007-11-15
+ * Initialize the source file name from the command line argument so that checkpolicy/checkmodule report something more useful than "unknown source".
+
+2.0.5 2007-11-01
+ * Merged remove use of REJECT and trailing context in lex rules; make ipv4 address parsing like ipv6 from James Carter.
+
+2.0.4 2007-09-18
+ * Merged handle unknown policydb flag support from Eric Paris.
+ Adds new command line options -U {allow, reject, deny} for selecting
+ the flag when a base module or kernel policy is built.
+
+2.0.3 2007-05-31
+ * Merged fix for segfault on duplicate require of sensitivity from Caleb Case.
+ * Merged fix for dead URLs in checkpolicy man pages from Dan Walsh.
+
+2.0.2 2007-04-12
+ * Merged checkmodule man page fix from Dan Walsh.
+
+2.0.1 2007-02-20
+ * Merged patch to allow dots in class identifiers from Caleb Case.
+
+2.0.0 2007-02-01
+ * Merged patch to use new libsepol error codes by Karl MacMillan.
+
+1.34.0 2007-01-18
+ * Updated version for stable branch.
+
+1.33.1 2006-11-13
+ * Collapse user identifiers and identifiers together.
+
+1.32 2006-10-17
+ * Updated version for release.
+
+1.30.12 2006-09-28
+ * Merged user and range_transition support for modules from
+ Darrel Goeddel
+
+1.30.11 2006-09-05
+ * merged range_transition enhancements and user module format
+ changes from Darrel Goeddel
+
+1.30.10 2006-08-03
+ * Merged symtab datum patch from Karl MacMillan.
+
+1.30.9 2006-06-29
+ * Lindent.
+
+1.30.8 2006-06-29
+ * Merged patch to remove TE rule conflict checking from the parser
+ from Joshua Brindle. This can only be done properly by the
+ expander.
+
+1.30.7 2006-06-27
+ * Merged patch to make checkpolicy/checkmodule handling of
+ duplicate/conflicting TE rules the same as the expander
+ from Joshua Brindle.
+
+1.30.6 2006-06-26
+ * Merged optionals in base take 2 patch set from Joshua Brindle.
+
+1.30.5 2006-05-05
+ * Merged compiler cleanup patch from Karl MacMillan.
+ * Merged fix warnings patch from Karl MacMillan.
+
+1.30.4 2006-04-05
+ * Changed require_class to reject permissions that have not been
+ declared if building a base module.
+
+1.30.3 2006-03-28
+ * Fixed checkmodule to call link_modules prior to expand_module
+ to handle optionals.
+
+1.30.2 2006-03-28
+ * Fixed require_class to avoid shadowing permissions already defined
+ in an inherited common definition.
+
+1.30.1 2006-03-22
+ * Moved processing of role and user require statements to 2nd pass.
+
+1.30 2006-03-14
+ * Updated version for release.
+
+1.29.5 2006-03-09
+ * Fixed bug in role dominance (define_role_dom).
+
+1.29.4 2006-02-14
+ * Added a check for failure to declare each sensitivity in
+ a level definition.
+
+1.29.3 2006-02-13
+ * Changed to clone level data for aliased sensitivities to
+ avoid double free upon sens_destroy. Bug reported by Kevin
+ Carr of Tresys Technology.
+
+1.29.2 2006-02-13
+ * Merged optionals in base patch from Joshua Brindle.
+
+1.29.1 2006-02-01
+ * Merged sepol_av_to_string patch from Joshua Brindle.
+
+1.28 2005-12-07
+ * Updated version for release.
+
+1.27.20 2005-12-02
+ * Merged checkmodule man page from Dan Walsh, and edited it.
+
+1.27.19 2005-12-01
+ * Added error checking of all ebitmap_set_bit calls for out of
+ memory conditions.
+
+1.27.18 2005-12-01
+ * Merged removal of compatibility handling of netlink classes
+ (requirement that policies with newer versions include the
+ netlink class definitions, remapping of fine-grained netlink
+ classes in newer source policies to single netlink class when
+ generating older policies) from George Coker.
+
+1.27.17 2005-10-25
+ * Merged dismod fix from Joshua Brindle.
+
+1.27.16 2005-10-20
+ * Removed obsolete cond_check_type_rules() function and call and
+ cond_optimize_lists() call from checkpolicy.c; these are handled
+ during parsing and expansion now.
+
+1.27.15 2005-10-19
+ * Updated calls to expand_module for interface change.
+
+1.27.14 2005-10-19
+ * Changed checkmodule to verify that expand_module succeeds
+ when building base modules.
+
+1.27.13 2005-10-19
+ * Merged module compiler fixes from Joshua Brindle.
+
+1.27.12 2005-10-19
+ * Removed direct calls to hierarchy_check_constraints() and
+ check_assertions() from checkpolicy since they are now called
+ internally by expand_module().
+
+1.27.11 2005-10-18
+ * Updated for changes to sepol policydb_index_others interface.
+
+1.27.10 2005-10-17
+ * Updated for changes to sepol expand_module and link_modules interfaces.
+
+1.27.9 2005-10-13
+ * Merged support for require blocks inside conditionals from
+ Joshua Brindle (Tresys).
+
+1.27.8 2005-10-06
+ * Updated for changes to libsepol.
+
+1.27.7 2005-10-05
+ * Merged several bug fixes from Joshua Brindle (Tresys).
+
+1.27.6 2005-10-03
+ * Merged MLS in modules patch from Joshua Brindle (Tresys).
+
+1.27.5 2005-09-28
+ * Merged error handling improvement in checkmodule from Karl MacMillan (Tresys).
+
+1.27.4 2005-09-26
+ * Merged bugfix for dup role transition error messages from
+ Karl MacMillan (Tresys).
+
+1.27.3 2005-09-23
+ * Merged policyver/modulever patches from Joshua Brindle (Tresys).
+
+1.27.2 2005-09-20
+ * Fixed parse_categories handling of undefined category.
+
+1.27.1 2005-09-16
+ * Merged bug fix for role dominance handling from Darrel Goeddel (TCS).
+
+1.26 2005-09-06
+ * Updated version for release.
+
+1.25.12 2005-08-22
+ * Fixed handling of validatetrans constraint expressions.
+ Bug reported by Dan Walsh for checkpolicy -M.
+
+1.25.11 2005-08-18
+ * Merged use-after-free fix from Serge Hallyn (IBM).
+ Bug found by Coverity.
+
+1.25.10 2005-08-15
+ * Fixed further memory leaks found by valgrind.
+
+1.25.9 2005-08-15
+ * Changed checkpolicy to destroy the policydbs prior to exit
+ to allow leak detection.
+ * Fixed several memory leaks found by valgrind.
+
+1.25.8 2005-08-11
+ * Updated checkpolicy and dispol for the new avtab format.
+ Converted users of ebitmaps to new inline operators.
+ Note: The binary policy format version has been incremented to
+ version 20 as a result of these changes. To build a policy
+ for a kernel that does not yet include these changes, use
+ the -c 19 option to checkpolicy.
+
+1.25.7 2005-08-11
+ * Merged patch to prohibit use of "self" as a type name from Jason Tang (Tresys).
+
+1.25.6 2005-08-10
+ * Merged patch to fix dismod compilation from Joshua Brindle (Tresys).
+
+1.25.5 2005-08-09
+ * Fixed call to hierarchy checking code to pass the right policydb.
+
+1.25.4 2005-08-02
+ * Merged patch to update dismod for the relocation of the
+ module read/write code from libsemanage to libsepol, and
+ to enable build of test subdirectory from Jason Tang (Tresys).
+
+1.25.3 2005-07-18
+ * Merged hierarchy check fix from Joshua Brindle (Tresys).
+
+1.25.2 2005-07-06
+ * Merged loadable module support from Tresys Technology.
+
+1.25.1 2005-06-24
+ * Merged patch to prohibit the use of * and ~ in type sets
+ (other than in neverallow statements) and in role sets
+ from Joshua Brindle (Tresys).
+
+1.24 2005-06-20
+ * Updated version for release.
+
+1.23.4 2005-05-19
+ * Merged cleanup patch from Dan Walsh.
+
+1.23.3 2005-05-13
+ * Added sepol_ prefix to Flask types to avoid namespace
+ collision with libselinux.
+
+1.23.2 2005-04-29
+ * Merged identifier fix from Joshua Brindle (Tresys).
+
+1.23.1 2005-04-13
+ * Merged hierarchical type/role patch from Tresys Technology.
+ * Merged MLS fixes from Darrel Goeddel of TCS.
+
+1.22 2005-03-09
+ * Updated version for release.
+
+1.21.4 2005-02-17
+ * Moved genpolusers utility to libsepol.
+ * Merged range_transition support from Darrel Goeddel (TCS).
+
+1.21.3 2005-02-16
+ * Merged define_user() cleanup patch from Darrel Goeddel (TCS).
+
+1.21.2 2005-02-09
+ * Changed relabel Makefile target to use restorecon.
+
+1.21.1 2005-01-26
+ * Merged enhanced MLS support from Darrel Goeddel (TCS).
+
+1.20 2005-01-04
+ * Merged typeattribute statement patch from Darrel Goeddel of TCS.
+ * Changed genpolusers to handle multiple user config files.
+ * Merged nodecon ordering patch from Chad Hanson of TCS.
+
+1.18 2004-10-07
+ * MLS build fix.
+ * Fixed Makefile dependencies (Chris PeBenito).
+ * Merged fix for role dominance ordering issue from Chad Hanson of TCS.
+ * Preserve portcon ordering and apply more checking.
+
+1.16 2004-08-13
+ * Allow empty conditional clauses.
+ * Moved genpolbools utility to libsepol.
+ * Updated for libsepol set functions.
+ * Changed to link with libsepol.a.
+ * Moved core functionality into libsepol.
+ * Merged bug fix for conditional self handling from Karl MacMillan, Dave Caplan, and Joshua Brindle of Tresys.
+ * Added genpolusers program.
+ * Fixed bug in checkpolicy conditional code.
+
+1.14 2004-06-28
+ * Merged fix for MLS logic from Daniel Thayer of TCS.
+ * Require semicolon terminator for typealias statement.
+
+1.12 2004-06-16
+ * Merged fine-grained netlink class support.
+
+1.10 2004-04-07
+ * Merged ipv6 support from James Morris of RedHat.
+ * Fixed compute_av bug discovered by Chad Hanson of TCS.
+
+1.8 2004-03-09
+ * Merged policydb MLS patch from Chad Hanson of TCS.
+ * Fixed mmap of policy file.
+
+1.6 2004-02-18
+ * Merged conditional policy extensions from Tresys Technology.
+ * Added typealias declaration support per Russell Coker's request.
+ * Added support for excluding types from type sets based on
+ a patch by David Caplan, but reimplemented as a change to the
+ policy grammar.
+ * Merged patch from Colin Walters to report source file name and line
+ number for errors when available.
+ * Un-deprecated role transitions.
+
+1.4 2003-12-01
+ * Regenerated headers.
+ * Merged patches from Bastian Blank and Joerg Hoh.
+
+1.2 2003-09-30
+ * Merged MLS build patch from Karl MacMillan of Tresys.
+ * Merged checkpolicy man page from Magosanyi Arpad.
+
+1.1 2003-08-13
+ * Fixed endian bug in policydb_write for behavior value.
+ * License -> GPL.
+ * Merged coding style cleanups from James Morris.
+
+1.0 2003-07-11
+ * Initial public release.
+
diff --git a/checkpolicy/Makefile b/checkpolicy/Makefile
new file mode 100644
index 0000000..53a3074
--- /dev/null
+++ b/checkpolicy/Makefile
@@ -0,0 +1,65 @@
+#
+# Makefile for building the checkpolicy program
+#
+PREFIX ?= $(DESTDIR)/usr
+BINDIR ?= $(PREFIX)/bin
+MANDIR ?= $(PREFIX)/share/man
+LIBDIR ?= $(PREFIX)/lib
+INCLUDEDIR ?= $(PREFIX)/include
+TARGETS = checkpolicy checkmodule
+
+LEX = flex
+YACC = bison -y
+
+CFLAGS ?= -g -Wall -Werror -Wshadow -O2 -pipe -fno-strict-aliasing
+
+override CFLAGS += -I. -I${INCLUDEDIR}
+
+CHECKOBJS = y.tab.o lex.yy.o queue.o module_compiler.o parse_util.o \
+ policy_define.o
+CHECKPOLOBJS = $(CHECKOBJS) checkpolicy.o
+CHECKMODOBJS = $(CHECKOBJS) checkmodule.o
+
+LDLIBS=$(LIBDIR)/libsepol.a -lfl
+
+GENERATED=lex.yy.c y.tab.c y.tab.h
+
+all: $(TARGETS)
+ $(MAKE) -C test
+
+checkpolicy: $(CHECKPOLOBJS)
+
+checkmodule: $(CHECKMODOBJS)
+
+%.o: %.c
+ $(CC) $(CFLAGS) -o $@ -c $<
+
+y.tab.o: y.tab.c
+ $(CC) $(filter-out -Werror, $(CFLAGS)) -o $@ -c $<
+
+lex.yy.o: lex.yy.c
+ $(CC) $(filter-out -Werror, $(CFLAGS)) -o $@ -c $<
+
+y.tab.c: policy_parse.y
+ $(YACC) -d policy_parse.y
+
+lex.yy.c: policy_scan.l y.tab.c
+ $(LEX) policy_scan.l
+
+install: all
+ -mkdir -p $(BINDIR)
+ -mkdir -p $(MANDIR)/man8
+ install -m 755 $(TARGETS) $(BINDIR)
+ install -m 644 checkpolicy.8 $(MANDIR)/man8
+ install -m 644 checkmodule.8 $(MANDIR)/man8
+
+relabel: install
+ /sbin/restorecon $(BINDIR)/checkpolicy
+ /sbin/restorecon $(BINDIR)/checkmodule
+
+clean:
+ -rm -f $(TARGETS) $(CHECKPOLOBJS) $(CHECKMODOBJS) y.tab.c y.tab.h lex.yy.c
+ $(MAKE) -C test clean
+
+indent:
+ ../scripts/Lindent $(filter-out $(GENERATED),$(wildcard *.[ch]))
diff --git a/checkpolicy/VERSION b/checkpolicy/VERSION
new file mode 100644
index 0000000..95e3ba8
--- /dev/null
+++ b/checkpolicy/VERSION
@@ -0,0 +1 @@
+2.5
diff --git a/checkpolicy/checkmodule.8 b/checkpolicy/checkmodule.8
new file mode 100644
index 0000000..ee95882
--- /dev/null
+++ b/checkpolicy/checkmodule.8
@@ -0,0 +1,67 @@
+.TH CHECKMODULE 8
+.SH NAME
+checkmodule \- SELinux policy module compiler
+.SH SYNOPSIS
+.B checkmodule
+.I "[\-h] [\-b] [\-C] [\-m] [\-M] [\-U handle_unknown ] [\-V] [\-o output_file] [input_file]"
+.SH "DESCRIPTION"
+This manual page describes the
+.BR checkmodule
+command.
+.PP
+.B checkmodule
+is a program that checks and compiles a SELinux security policy module
+into a binary representation. It can generate either a base policy
+module (default) or a non-base policy module (\-m option); typically,
+you would build a non-base policy module to add to an existing module
+store that already has a base module provided by the base policy. Use
+semodule_package to combine this module with its optional file
+contexts to create a policy package, and then use semodule to install
+the module package into the module store and load the resulting policy.
+
+.SH OPTIONS
+.TP
+.B \-b,\-\-binary
+Read an existing binary policy module file rather than a source policy
+module file. This option is a development/debugging aid.
+.TP
+.B \-C,\-\-cil
+Write CIL policy file rather than binary policy file.
+.TP
+.B \-h,\-\-help
+Print usage.
+.TP
+.B \-m
+Generate a non-base policy module.
+.TP
+.B \-M,\-\-mls
+Enable the MLS/MCS support when checking and compiling the policy module.
+.TP
+.B \-V,\-\-version
+ Show policy versions created by this program. Note that you cannot currently build older versions.
+.TP
+.B \-o,\-\-output filename
+Write a binary policy module file to the specified filename.
+Otherwise, checkmodule will only check the syntax of the module source file
+and will not generate a binary module at all.
+.TP
+.B \-U,\-\-handle-unknown <action>
+Specify how the kernel should handle unknown classes or permissions (deny, allow or reject).
+
+.SH EXAMPLE
+.nf
+# Build a MLS/MCS-enabled non-base policy module.
+$ checkmodule \-M \-m httpd.te \-o httpd.mod
+.fi
+
+.SH "SEE ALSO"
+.B semodule(8), semodule_package(8)
+SELinux documentation at http://www.nsa.gov/research/selinux,
+especially "Configuring the SELinux Policy".
+
+
+.SH AUTHOR
+This manual page was copied from the checkpolicy man page
+written by Arpad Magosanyi <mag@bunuel.tii.matav.hu>,
+and edited by Dan Walsh <dwalsh@redhat.com>.
+The program was written by Stephen Smalley <sds@epoch.ncsc.mil>.
diff --git a/checkpolicy/checkmodule.c b/checkpolicy/checkmodule.c
new file mode 100644
index 0000000..53cc5a0
--- /dev/null
+++ b/checkpolicy/checkmodule.c
@@ -0,0 +1,343 @@
+/*
+ * Authors: Joshua Brindle <jbrindle@tresys.com>
+ * Karl MacMillan <kmacmillan@tresys.com>
+ * Jason Tang <jtang@tresys.com>
+ *
+ *
+ * Copyright (C) 2004-5 Tresys Technology, LLC
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 2.
+ */
+
+#include <getopt.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <errno.h>
+#include <sys/mman.h>
+#include <libgen.h>
+
+#include <sepol/module_to_cil.h>
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/services.h>
+#include <sepol/policydb/conditional.h>
+#include <sepol/policydb/flask.h>
+#include <sepol/policydb/hierarchy.h>
+#include <sepol/policydb/expand.h>
+#include <sepol/policydb/link.h>
+#include <sepol/policydb/sidtab.h>
+
+#include "queue.h"
+#include "checkpolicy.h"
+#include "parse_util.h"
+
+extern char *optarg;
+extern int optind;
+
+static sidtab_t sidtab;
+
+extern int mlspol;
+
+static int handle_unknown = SEPOL_DENY_UNKNOWN;
+static const char *txtfile = "policy.conf";
+static const char *binfile = "policy";
+
+unsigned int policy_type = POLICY_BASE;
+unsigned int policyvers = MOD_POLICYDB_VERSION_MAX;
+
+static int read_binary_policy(policydb_t * p, const char *file, const char *progname)
+{
+ int fd;
+ struct stat sb;
+ void *map;
+ struct policy_file f, *fp;
+
+ fd = open(file, O_RDONLY);
+ if (fd < 0) {
+ fprintf(stderr, "Can't open '%s': %s\n",
+ file, strerror(errno));
+ return -1;
+ }
+ if (fstat(fd, &sb) < 0) {
+ fprintf(stderr, "Can't stat '%s': %s\n",
+ file, strerror(errno));
+ close(fd);
+ return -1;
+ }
+ map =
+ mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
+ close(fd);
+ if (map == MAP_FAILED) {
+ fprintf(stderr, "Can't map '%s': %s\n", file, strerror(errno));
+ return -1;
+ }
+ policy_file_init(&f);
+ f.type = PF_USE_MEMORY;
+ f.data = map;
+ f.len = sb.st_size;
+ fp = &f;
+
+ if (policydb_init(p)) {
+ fprintf(stderr, "%s: policydb_init: Out of memory!\n",
+ progname);
+ return -1;
+ }
+ if (policydb_read(p, fp, 1)) {
+ fprintf(stderr,
+ "%s: error(s) encountered while parsing configuration\n",
+ progname);
+ return -1;
+ }
+
+ /* Check Policy Consistency */
+ if (p->mls) {
+ if (!mlspol) {
+ fprintf(stderr, "%s: MLS policy, but non-MLS"
+ " is specified\n", progname);
+ return -1;
+ }
+ } else {
+ if (mlspol) {
+ fprintf(stderr, "%s: non-MLS policy, but MLS"
+ " is specified\n", progname);
+ return -1;
+ }
+ }
+ return 0;
+}
+
+static int write_binary_policy(policydb_t * p, FILE *outfp)
+{
+ struct policy_file pf;
+
+ p->policy_type = policy_type;
+ p->policyvers = policyvers;
+ p->handle_unknown = handle_unknown;
+
+ policy_file_init(&pf);
+ pf.type = PF_USE_STDIO;
+ pf.fp = outfp;
+ return policydb_write(p, &pf);
+}
+
+static void usage(char *progname)
+{
+ printf("usage: %s [-h] [-V] [-b] [-C] [-U handle_unknown] [-m] [-M] [-o FILE] [INPUT]\n", progname);
+ printf("Build base and policy modules.\n");
+ printf("Options:\n");
+ printf(" INPUT build module from INPUT (else read from \"%s\")\n",
+ txtfile);
+ printf(" -V show policy versions created by this program\n");
+ printf(" -b treat input as a binary policy file\n");
+ printf(" -C output CIL policy instead of binary policy\n");
+ printf(" -h print usage\n");
+ printf(" -U OPTION How to handle unknown classes and permissions\n");
+ printf(" deny: Deny unknown kernel checks\n");
+ printf(" reject: Reject loading of policy with unknowns\n");
+ printf(" allow: Allow unknown kernel checks\n");
+ printf(" -m build a policy module instead of a base module\n");
+ printf(" -M enable MLS policy\n");
+ printf(" -o FILE write module to FILE (else just check syntax)\n");
+ exit(1);
+}
+
+int main(int argc, char **argv)
+{
+ const char *file = txtfile, *outfile = NULL;
+ unsigned int binary = 0, cil = 0;
+ int ch;
+ int show_version = 0;
+ policydb_t modpolicydb;
+ struct option long_options[] = {
+ {"help", no_argument, NULL, 'h'},
+ {"output", required_argument, NULL, 'o'},
+ {"binary", no_argument, NULL, 'b'},
+ {"version", no_argument, NULL, 'V'},
+ {"handle-unknown", required_argument, NULL, 'U'},
+ {"mls", no_argument, NULL, 'M'},
+ {"cil", no_argument, NULL, 'C'},
+ {NULL, 0, NULL, 0}
+ };
+
+ while ((ch = getopt_long(argc, argv, "ho:bVU:mMC", long_options, NULL)) != -1) {
+ switch (ch) {
+ case 'h':
+ usage(argv[0]);
+ break;
+ case 'o':
+ outfile = optarg;
+ break;
+ case 'b':
+ binary = 1;
+ file = binfile;
+ break;
+ case 'V':
+ show_version = 1;
+ break;
+ case 'U':
+ if (!strcasecmp(optarg, "deny")) {
+ handle_unknown = DENY_UNKNOWN;
+ break;
+ }
+ if (!strcasecmp(optarg, "reject")) {
+ handle_unknown = REJECT_UNKNOWN;
+ break;
+ }
+ if (!strcasecmp(optarg, "allow")) {
+ handle_unknown = ALLOW_UNKNOWN;
+ break;
+ }
+ usage(argv[0]);
+ case 'm':
+ policy_type = POLICY_MOD;
+ policyvers = MOD_POLICYDB_VERSION_MAX;
+ break;
+ case 'M':
+ mlspol = 1;
+ break;
+ case 'C':
+ cil = 1;
+ break;
+ default:
+ usage(argv[0]);
+ }
+ }
+
+ if (show_version) {
+ printf("Module versions %d-%d\n",
+ MOD_POLICYDB_VERSION_MIN, MOD_POLICYDB_VERSION_MAX);
+ exit(0);
+ }
+
+ if (handle_unknown && (policy_type != POLICY_BASE)) {
+ fprintf(stderr, "%s: Handling of unknown classes and permissions is only valid in the base module.\n", argv[0]);
+ exit(1);
+ }
+
+ if (binary && (policy_type != POLICY_BASE)) {
+ fprintf(stderr, "%s: -b and -m are incompatible with each other.\n", argv[0]);
+ exit(1);
+ }
+
+ if (optind != argc) {
+ file = argv[optind++];
+ if (optind != argc)
+ usage(argv[0]);
+ }
+ printf("%s: loading policy configuration from %s\n", argv[0], file);
+
+ /* Set policydb and sidtab used by libsepol service functions
+ to my structures, so that I can directly populate and
+ manipulate them. */
+ sepol_set_policydb(&modpolicydb);
+ sepol_set_sidtab(&sidtab);
+
+ if (binary) {
+ if (read_binary_policy(&modpolicydb, file, argv[0]) == -1) {
+ exit(1);
+ }
+ } else {
+ if (policydb_init(&modpolicydb)) {
+ fprintf(stderr, "%s: out of memory!\n", argv[0]);
+ return -1;
+ }
+
+ modpolicydb.policy_type = policy_type;
+ modpolicydb.mls = mlspol;
+ modpolicydb.handle_unknown = handle_unknown;
+
+ if (read_source_policy(&modpolicydb, file, argv[0]) == -1) {
+ exit(1);
+ }
+
+ if (hierarchy_check_constraints(NULL, &modpolicydb)) {
+ return -1;
+ }
+ }
+
+ if (policy_type != POLICY_BASE && outfile) {
+ char *mod_name = modpolicydb.name;
+ char *out_path = strdup(outfile);
+ if (out_path == NULL) {
+ fprintf(stderr, "%s: out of memory\n", argv[0]);
+ exit(1);
+ }
+ char *out_name = basename(out_path);
+ char *separator = strrchr(out_name, '.');
+ if (separator) {
+ *separator = '\0';
+ }
+ if (strcmp(mod_name, out_name) != 0) {
+ fprintf(stderr, "%s: Module name %s is different than the output base filename %s\n", argv[0], mod_name, out_name);
+ exit(1);
+ }
+ free(out_path);
+ }
+
+ if (modpolicydb.policy_type == POLICY_BASE && !cil) {
+ /* Verify that we can successfully expand the base module. */
+ policydb_t kernpolicydb;
+
+ if (policydb_init(&kernpolicydb)) {
+ fprintf(stderr, "%s: policydb_init failed\n", argv[0]);
+ exit(1);
+ }
+ if (link_modules(NULL, &modpolicydb, NULL, 0, 0)) {
+ fprintf(stderr, "%s: link modules failed\n", argv[0]);
+ exit(1);
+ }
+ if (expand_module(NULL, &modpolicydb, &kernpolicydb, 0, 1)) {
+ fprintf(stderr, "%s: expand module failed\n", argv[0]);
+ exit(1);
+ }
+ policydb_destroy(&kernpolicydb);
+ }
+
+ if (policydb_load_isids(&modpolicydb, &sidtab))
+ exit(1);
+
+ sepol_sidtab_destroy(&sidtab);
+
+ printf("%s: policy configuration loaded\n", argv[0]);
+
+ if (outfile) {
+ FILE *outfp = fopen(outfile, "w");
+
+ if (!outfp) {
+ perror(outfile);
+ exit(1);
+ }
+
+ if (!cil) {
+ printf("%s: writing binary representation (version %d) to %s\n",
+ argv[0], policyvers, outfile);
+
+ if (write_binary_policy(&modpolicydb, outfp) != 0) {
+ fprintf(stderr, "%s: error writing %s\n", argv[0], outfile);
+ exit(1);
+ }
+ } else {
+ printf("%s: writing CIL to %s\n",argv[0], outfile);
+
+ if (sepol_module_policydb_to_cil(outfp, &modpolicydb, 0) != 0) {
+ fprintf(stderr, "%s: error writing %s\n", argv[0], outfile);
+ exit(1);
+ }
+ }
+
+ fclose(outfp);
+ } else if (cil) {
+ fprintf(stderr, "%s: No file to write CIL was specified\n", argv[0]);
+ exit(1);
+ }
+
+ policydb_destroy(&modpolicydb);
+
+ return 0;
+}
+
+/* FLASK */
diff --git a/checkpolicy/checkpolicy.8 b/checkpolicy/checkpolicy.8
new file mode 100644
index 0000000..600d5cd
--- /dev/null
+++ b/checkpolicy/checkpolicy.8
@@ -0,0 +1,59 @@
+.TH CHECKPOLICY 8
+.SH NAME
+checkpolicy \- SELinux policy compiler
+.SH SYNOPSIS
+.B checkpolicy
+.I "[\-b] [\-C] [\-d] [\-M] [\-c policyvers] [\-o output_file] [input_file]"
+.br
+.SH "DESCRIPTION"
+This manual page describes the
+.BR checkpolicy
+command.
+.PP
+.B checkpolicy
+is a program that checks and compiles a SELinux security policy configuration
+into a binary representation that can be loaded into the kernel. If no
+input file name is specified, checkpolicy will attempt to read from
+policy.conf or policy, depending on whether the \-b flag is specified.
+
+.SH OPTIONS
+.TP
+.B \-b,\-\-binary
+Read an existing binary policy file rather than a source policy.conf file.
+.TP
+.B \-C,\-\-cil
+Write CIL policy file rather than binary policy file.
+.TP
+.B \-d,\-\-debug
+Enter debug mode after loading the policy.
+.TP
+.B \-M,\-\-mls
+Enable the MLS policy when checking and compiling the policy.
+.TP
+.B \-o,\-\-output filename
+Write a binary policy file to the specified filename.
+.TP
+.B \-c policyvers
+Specify the policy version, defaults to the latest.
+.TP
+.B \-t,\-\-target
+Specify the target platform (selinux or xen).
+.TP
+.B \-U,\-\-handle-unknown <action>
+Specify how the kernel should handle unknown classes or permissions (deny, allow or reject).
+.TP
+.B \-V,\-\-version
+Show version information.
+.TP
+.B \-h,\-\-help
+Show usage information.
+
+.SH "SEE ALSO"
+SELinux documentation at http://www.nsa.gov/research/selinux,
+especially "Configuring the SELinux Policy".
+
+
+.SH AUTHOR
+This manual page was written by Arpad Magosanyi <mag@bunuel.tii.matav.hu>,
+and edited by Stephen Smalley <sds@epoch.ncsc.mil>.
+The program was written by Stephen Smalley <sds@epoch.ncsc.mil>.
diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
new file mode 100644
index 0000000..2d68316
--- /dev/null
+++ b/checkpolicy/checkpolicy.c
@@ -0,0 +1,1224 @@
+
+/*
+ * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
+ */
+
+/*
+ * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
+ *
+ * Support for enhanced MLS infrastructure.
+ *
+ * Updated: Karl MacMillan <kmacmillan@tresys.com>
+ *
+ * Added conditional policy language extensions
+ *
+ * Updated: James Morris <jmorris@intercode.com.au>
+ *
+ * Added IPv6 support.
+ *
+ * Updated: Joshua Brindle <jbrindle@tresys.com>
+ * Karl MacMillan <kmacmillan@tresys.com>
+ * Jason Tang <jtang@tresys.com>
+ *
+ * Policy Module support.
+ *
+ * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
+ * Copyright (C) 2003 - 2005 Tresys Technology, LLC
+ * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 2.
+ */
+
+/* FLASK */
+
+/*
+ * checkpolicy
+ *
+ * Load and check a policy configuration.
+ *
+ * A policy configuration is created in a text format,
+ * and then compiled into a binary format for use by
+ * the security server. By default, checkpolicy reads
+ * the text format. If '-b' is specified, then checkpolicy
+ * reads the binary format instead.
+ *
+ * If '-o output_file' is specified, then checkpolicy
+ * writes the binary format version of the configuration
+ * to the specified output file.
+ *
+ * If '-d' is specified, then checkpolicy permits the user
+ * to interactively test the security server functions with
+ * the loaded policy configuration.
+ *
+ * If '-c' is specified, then the supplied parameter is used to
+ * determine which policy version to use for generating binary
+ * policy. This is for compatibility with older kernels. If any
+ * booleans or conditional rules are thrown away a warning is printed.
+ */
+
+#include <getopt.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#ifndef IPPROTO_DCCP
+#define IPPROTO_DCCP 33
+#endif
+#include <arpa/inet.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <errno.h>
+#include <sys/mman.h>
+
+#ifdef __APPLE__
+#include <ctype.h>
+#endif
+
+#include <sepol/module_to_cil.h>
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/services.h>
+#include <sepol/policydb/conditional.h>
+#include <sepol/policydb/hierarchy.h>
+#include <sepol/policydb/flask.h>
+#include <sepol/policydb/expand.h>
+#include <sepol/policydb/link.h>
+
+#include "queue.h"
+#include "checkpolicy.h"
+#include "parse_util.h"
+
+extern char *optarg;
+extern int optind;
+
+static policydb_t policydb;
+static sidtab_t sidtab;
+
+extern policydb_t *policydbp;
+extern int mlspol;
+
+static int handle_unknown = SEPOL_DENY_UNKNOWN;
+static const char *txtfile = "policy.conf";
+static const char *binfile = "policy";
+
+unsigned int policyvers = POLICYDB_VERSION_MAX;
+
+void usage(char *progname)
+{
+ printf
+ ("usage: %s [-b] [-C] [-d] [-U handle_unknown (allow,deny,reject)] [-M]"
+ "[-c policyvers (%d-%d)] [-o output_file] [-t target_platform (selinux,xen)]"
+ "[input_file]\n",
+ progname, POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
+ exit(1);
+}
+
+#define FGETS(out, size, in) \
+if (fgets(out,size,in)==NULL) { \
+ fprintf(stderr, "fgets failed at line %d: %s\n", __LINE__,\
+ strerror(errno)); \
+ exit(1);\
+}
+static int print_sid(sepol_security_id_t sid,
+ context_struct_t * context
+ __attribute__ ((unused)), void *data
+ __attribute__ ((unused)))
+{
+ sepol_security_context_t scontext;
+ size_t scontext_len;
+ int rc;
+
+ rc = sepol_sid_to_context(sid, &scontext, &scontext_len);
+ if (rc)
+ printf("sid %d -> error %d\n", sid, rc);
+ else {
+ printf("sid %d -> scontext %s\n", sid, scontext);
+ free(scontext);
+ }
+ return 0;
+}
+
+struct val_to_name {
+ unsigned int val;
+ char *name;
+};
+
+static int find_perm(hashtab_key_t key, hashtab_datum_t datum, void *p)
+{
+ struct val_to_name *v = p;
+ perm_datum_t *perdatum;
+
+ perdatum = (perm_datum_t *) datum;
+
+ if (v->val == perdatum->s.value) {
+ v->name = key;
+ return 1;
+ }
+
+ return 0;
+}
+
+#ifdef EQUIVTYPES
+static int insert_type_rule(avtab_key_t * k, avtab_datum_t * d,
+ struct avtab_node *type_rules)
+{
+ struct avtab_node *p, *c, *n;
+
+ for (p = type_rules, c = type_rules->next; c; p = c, c = c->next) {
+ /*
+ * Find the insertion point, keeping the list
+ * ordered by source type, then target type, then
+ * target class.
+ */
+ if (k->source_type < c->key.source_type)
+ break;
+ if (k->source_type == c->key.source_type &&
+ k->target_type < c->key.target_type)
+ break;
+ if (k->source_type == c->key.source_type &&
+ k->target_type == c->key.target_type &&
+ k->target_class < c->key.target_class)
+ break;
+ }
+
+ /* Insert the rule */
+ n = malloc(sizeof(struct avtab_node));
+ if (!n) {
+ fprintf(stderr, "out of memory\n");
+ exit(1);
+ }
+
+ n->key = *k;
+ n->datum = *d;
+ n->next = p->next;
+ p->next = n;
+ return 0;
+}
+
+static int create_type_rules(avtab_key_t * k, avtab_datum_t * d, void *args)
+{
+ struct avtab_node *type_rules = args;
+
+ if (d->specified & AVTAB_ALLOWED) {
+ /*
+ * Insert the rule into the lists for both
+ * the source type and the target type.
+ */
+ if (insert_type_rule(k, d, &type_rules[k->source_type - 1]))
+ return -1;
+ if (insert_type_rule(k, d, &type_rules[k->target_type - 1]))
+ return -1;
+ }
+
+ return 0;
+}
+
+static void free_type_rules(struct avtab_node *l)
+{
+ struct avtab_node *tmp;
+
+ while (l) {
+ tmp = l;
+ l = l->next;
+ free(tmp);
+ }
+}
+
+static int identify_equiv_types(void)
+{
+ struct avtab_node *type_rules, *l1, *l2;
+ int i, j;
+
+ /*
+ * Create a list of access vector rules for each type
+ * from the access vector table.
+ */
+ type_rules = malloc(sizeof(struct avtab_node) * policydb.p_types.nprim);
+ if (!type_rules) {
+ fprintf(stderr, "out of memory\n");
+ exit(1);
+ }
+ memset(type_rules, 0,
+ sizeof(struct avtab_node) * policydb.p_types.nprim);
+ if (avtab_map(&policydb.te_avtab, create_type_rules, type_rules))
+ exit(1);
+
+ /*
+ * Compare the type lists and identify equivalent types.
+ */
+ for (i = 0; i < policydb.p_types.nprim - 1; i++) {
+ if (!type_rules[i].next)
+ continue;
+ for (j = i + 1; j < policydb.p_types.nprim; j++) {
+ for (l1 = type_rules[i].next, l2 = type_rules[j].next;
+ l1 && l2; l1 = l1->next, l2 = l2->next) {
+ if (l2->key.source_type == (j + 1)) {
+ if (l1->key.source_type != (i + 1))
+ break;
+ } else {
+ if (l1->key.source_type !=
+ l2->key.source_type)
+ break;
+ }
+ if (l2->key.target_type == (j + 1)) {
+ if (l1->key.target_type != (i + 1))
+ break;
+ } else {
+ if (l1->key.target_type !=
+ l2->key.target_type)
+ break;
+ }
+ if (l1->key.target_class != l2->key.target_class
+ || l1->datum.allowed != l2->datum.allowed)
+ break;
+ }
+ if (l1 || l2)
+ continue;
+ free_type_rules(type_rules[j].next);
+ type_rules[j].next = NULL;
+ printf("Types %s and %s are equivalent.\n",
+ policydb.p_type_val_to_name[i],
+ policydb.p_type_val_to_name[j]);
+ }
+ free_type_rules(type_rules[i].next);
+ type_rules[i].next = NULL;
+ }
+
+ free(type_rules);
+ return 0;
+}
+#endif
+
+extern char *av_to_string(uint32_t tclass, sepol_access_vector_t av);
+
+int display_bools(void)
+{
+ uint32_t i;
+
+ for (i = 0; i < policydbp->p_bools.nprim; i++) {
+ printf("%s : %d\n", policydbp->p_bool_val_to_name[i],
+ policydbp->bool_val_to_struct[i]->state);
+ }
+ return 0;
+}
+
+void display_expr(cond_expr_t * exp)
+{
+
+ cond_expr_t *cur;
+ for (cur = exp; cur != NULL; cur = cur->next) {
+ switch (cur->expr_type) {
+ case COND_BOOL:
+ printf("%s ",
+ policydbp->p_bool_val_to_name[cur->bool - 1]);
+ break;
+ case COND_NOT:
+ printf("! ");
+ break;
+ case COND_OR:
+ printf("|| ");
+ break;
+ case COND_AND:
+ printf("&& ");
+ break;
+ case COND_XOR:
+ printf("^ ");
+ break;
+ case COND_EQ:
+ printf("== ");
+ break;
+ case COND_NEQ:
+ printf("!= ");
+ break;
+ default:
+ printf("error!");
+ break;
+ }
+ }
+}
+
+int display_cond_expressions(void)
+{
+ cond_node_t *cur;
+
+ for (cur = policydbp->cond_list; cur != NULL; cur = cur->next) {
+ printf("expression: ");
+ display_expr(cur->expr);
+ printf("current state: %d\n", cur->cur_state);
+ }
+ return 0;
+}
+
+int change_bool(char *name, int state)
+{
+ cond_bool_datum_t *bool;
+
+ bool = hashtab_search(policydbp->p_bools.table, name);
+ if (bool == NULL) {
+ printf("Could not find bool %s\n", name);
+ return -1;
+ }
+ bool->state = state;
+ evaluate_conds(policydbp);
+ return 0;
+}
+
+static int check_level(hashtab_key_t key, hashtab_datum_t datum, void *arg __attribute__ ((unused)))
+{
+ level_datum_t *levdatum = (level_datum_t *) datum;
+
+ if (!levdatum->isalias && !levdatum->defined) {
+ fprintf(stderr,
+ "Error: sensitivity %s was not used in a level definition!\n",
+ key);
+ return -1;
+ }
+ return 0;
+}
+
+int main(int argc, char **argv)
+{
+ policydb_t parse_policy;
+ sepol_security_class_t tclass;
+ sepol_security_id_t ssid, tsid, *sids, oldsid, newsid, tasksid;
+ sepol_security_context_t scontext;
+ struct sepol_av_decision avd;
+ class_datum_t *cladatum;
+ const char *file = txtfile;
+ char ans[80 + 1], *outfile = NULL, *path, *fstype;
+ size_t scontext_len, pathlen;
+ unsigned int i;
+ unsigned int protocol, port;
+ unsigned int binary = 0, debug = 0, cil = 0;
+ struct val_to_name v;
+ int ret, ch, fd, target = SEPOL_TARGET_SELINUX;
+ unsigned int nel, uret;
+ struct stat sb;
+ void *map;
+ FILE *outfp = NULL;
+ char *name;
+ int state;
+ int show_version = 0;
+ char *reason_buf = NULL;
+ unsigned int reason;
+ int flags;
+ struct policy_file pf;
+ struct option long_options[] = {
+ {"output", required_argument, NULL, 'o'},
+ {"target", required_argument, NULL, 't'},
+ {"binary", no_argument, NULL, 'b'},
+ {"debug", no_argument, NULL, 'd'},
+ {"version", no_argument, NULL, 'V'},
+ {"handle-unknown", required_argument, NULL, 'U'},
+ {"mls", no_argument, NULL, 'M'},
+ {"cil", no_argument, NULL, 'C'},
+ {"help", no_argument, NULL, 'h'},
+ {NULL, 0, NULL, 0}
+ };
+
+ while ((ch = getopt_long(argc, argv, "o:t:dbU:MCVc:h", long_options, NULL)) != -1) {
+ switch (ch) {
+ case 'o':
+ outfile = optarg;
+ break;
+ case 't':
+ if (!strcasecmp(optarg, "Xen"))
+ target = SEPOL_TARGET_XEN;
+ else if (!strcasecmp(optarg, "SELinux"))
+ target = SEPOL_TARGET_SELINUX;
+ else{
+ fprintf(stderr, "%s: Unknown target platform:"
+ "%s\n", argv[0], optarg);
+ exit(1);
+ }
+ break;
+ case 'b':
+ binary = 1;
+ file = binfile;
+ break;
+ case 'd':
+ debug = 1;
+ break;
+ case 'V':
+ show_version = 1;
+ break;
+ case 'U':
+ if (!strcasecmp(optarg, "deny")) {
+ handle_unknown = DENY_UNKNOWN;
+ break;
+ }
+ if (!strcasecmp(optarg, "allow")) {
+ handle_unknown = ALLOW_UNKNOWN;
+ break;
+ }
+ if (!strcasecmp(optarg, "reject")) {
+ handle_unknown = REJECT_UNKNOWN;
+ break;
+ }
+ usage(argv[0]);
+ case 'M':
+ mlspol = 1;
+ break;
+ case 'C':
+ cil = 1;
+ break;
+ case 'c':{
+ long int n;
+ errno = 0;
+ n = strtol(optarg, NULL, 10);
+ if (errno) {
+ fprintf(stderr,
+ "Invalid policyvers specified: %s\n",
+ optarg);
+ usage(argv[0]);
+ exit(1);
+ }
+ if (n < POLICYDB_VERSION_MIN
+ || n > POLICYDB_VERSION_MAX) {
+ fprintf(stderr,
+ "policyvers value %ld not in range %d-%d\n",
+ n, POLICYDB_VERSION_MIN,
+ POLICYDB_VERSION_MAX);
+ usage(argv[0]);
+ exit(1);
+ }
+ if (policyvers != n)
+ policyvers = n;
+ break;
+ }
+ case 'h':
+ default:
+ usage(argv[0]);
+ }
+ }
+
+ if (show_version) {
+ printf("%d (compatibility range %d-%d)\n", policyvers,
+ POLICYDB_VERSION_MAX, POLICYDB_VERSION_MIN);
+ exit(0);
+ }
+
+ if (optind != argc) {
+ file = argv[optind++];
+ if (optind != argc)
+ usage(argv[0]);
+ }
+ printf("%s: loading policy configuration from %s\n", argv[0], file);
+
+ /* Set policydb and sidtab used by libsepol service functions
+ to my structures, so that I can directly populate and
+ manipulate them. */
+ sepol_set_policydb(&policydb);
+ sepol_set_sidtab(&sidtab);
+
+ if (binary) {
+ if (cil) {
+ fprintf(stderr, "%s: Converting kernel policy to CIL is not supported\n",
+ argv[0]);
+ exit(1);
+ }
+ fd = open(file, O_RDONLY);
+ if (fd < 0) {
+ fprintf(stderr, "Can't open '%s': %s\n",
+ file, strerror(errno));
+ exit(1);
+ }
+ if (fstat(fd, &sb) < 0) {
+ fprintf(stderr, "Can't stat '%s': %s\n",
+ file, strerror(errno));
+ exit(1);
+ }
+ map =
+ mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE,
+ fd, 0);
+ if (map == MAP_FAILED) {
+ fprintf(stderr, "Can't map '%s': %s\n",
+ file, strerror(errno));
+ exit(1);
+ }
+ policy_file_init(&pf);
+ pf.type = PF_USE_MEMORY;
+ pf.data = map;
+ pf.len = sb.st_size;
+ if (policydb_init(&policydb)) {
+ fprintf(stderr, "%s: policydb_init: Out of memory!\n",
+ argv[0]);
+ exit(1);
+ }
+ ret = policydb_read(&policydb, &pf, 1);
+ if (ret) {
+ fprintf(stderr,
+ "%s: error(s) encountered while parsing configuration\n",
+ argv[0]);
+ exit(1);
+ }
+ policydbp = &policydb;
+
+ /* Check Policy Consistency */
+ if (policydbp->mls) {
+ if (!mlspol) {
+ fprintf(stderr, "%s: MLS policy, but non-MLS"
+ " is specified\n", argv[0]);
+ exit(1);
+ }
+ } else {
+ if (mlspol) {
+ fprintf(stderr, "%s: non-MLS policy, but MLS"
+ " is specified\n", argv[0]);
+ exit(1);
+ }
+ }
+ } else {
+ if (policydb_init(&parse_policy))
+ exit(1);
+ /* We build this as a base policy first since that is all the parser understands */
+ parse_policy.policy_type = POLICY_BASE;
+ policydb_set_target_platform(&parse_policy, target);
+
+ /* Let sepol know if we are dealing with MLS support */
+ parse_policy.mls = mlspol;
+ parse_policy.handle_unknown = handle_unknown;
+
+ policydbp = &parse_policy;
+
+ if (read_source_policy(policydbp, file, "checkpolicy") < 0)
+ exit(1);
+
+ if (hashtab_map(policydbp->p_levels.table, check_level, NULL))
+ exit(1);
+
+ /* Linking takes care of optional avrule blocks */
+ if (link_modules(NULL, policydbp, NULL, 0, 0)) {
+ fprintf(stderr, "Error while resolving optionals\n");
+ exit(1);
+ }
+
+ if (!cil) {
+ if (policydb_init(&policydb)) {
+ fprintf(stderr, "%s: policydb_init failed\n", argv[0]);
+ exit(1);
+ }
+ if (expand_module(NULL, policydbp, &policydb, 0, 1)) {
+ fprintf(stderr, "Error while expanding policy\n");
+ exit(1);
+ }
+ policydb_destroy(policydbp);
+ policydbp = &policydb;
+ }
+ }
+
+ if (policydb_load_isids(&policydb, &sidtab))
+ exit(1);
+
+ printf("%s: policy configuration loaded\n", argv[0]);
+
+ if (outfile) {
+ outfp = fopen(outfile, "w");
+ if (!outfp) {
+ perror(outfile);
+ exit(1);
+ }
+
+ policydb.policyvers = policyvers;
+
+ if (!cil) {
+ printf
+ ("%s: writing binary representation (version %d) to %s\n",
+ argv[0], policyvers, outfile);
+ policydb.policy_type = POLICY_KERN;
+
+ policy_file_init(&pf);
+ pf.type = PF_USE_STDIO;
+ pf.fp = outfp;
+ ret = policydb_write(&policydb, &pf);
+ if (ret) {
+ fprintf(stderr, "%s: error writing %s\n",
+ argv[0], outfile);
+ exit(1);
+ }
+ } else {
+ printf("%s: writing CIL to %s\n",argv[0], outfile);
+ ret = sepol_module_policydb_to_cil(outfp, policydbp, 1);
+ if (ret) {
+ fprintf(stderr, "%s: error writing %s\n", argv[0], outfile);
+ exit(1);
+ }
+ }
+
+ if (outfile) {
+ fclose(outfp);
+ }
+ } else if (cil) {
+ fprintf(stderr, "%s: No file to write CIL was specified\n", argv[0]);
+ exit(1);
+ }
+
+ if (!debug) {
+ policydb_destroy(&policydb);
+ exit(0);
+ }
+
+ menu:
+ printf("\nSelect an option:\n");
+ printf("0) Call compute_access_vector\n");
+ printf("1) Call sid_to_context\n");
+ printf("2) Call context_to_sid\n");
+ printf("3) Call transition_sid\n");
+ printf("4) Call member_sid\n");
+ printf("5) Call change_sid\n");
+ printf("6) Call list_sids\n");
+ printf("7) Call load_policy\n");
+ printf("8) Call fs_sid\n");
+ printf("9) Call port_sid\n");
+ printf("a) Call netif_sid\n");
+ printf("b) Call node_sid\n");
+ printf("c) Call fs_use\n");
+ printf("d) Call genfs_sid\n");
+ printf("e) Call get_user_sids\n");
+ printf("f) display conditional bools\n");
+ printf("g) display conditional expressions\n");
+ printf("h) change a boolean value\n");
+ printf("i) display constraint expressions\n");
+ printf("j) display validatetrans expressions\n");
+#ifdef EQUIVTYPES
+ printf("z) Show equivalent types\n");
+#endif
+ printf("m) Show menu again\n");
+ printf("q) Exit\n");
+ while (1) {
+ printf("\nChoose: ");
+ FGETS(ans, sizeof(ans), stdin);
+ switch (ans[0]) {
+ case '0':
+ printf("source sid? ");
+ FGETS(ans, sizeof(ans), stdin);
+ ssid = atoi(ans);
+
+ printf("target sid? ");
+ FGETS(ans, sizeof(ans), stdin);
+ tsid = atoi(ans);
+
+ printf("target class? ");
+ FGETS(ans, sizeof(ans), stdin);
+ if (isdigit(ans[0])) {
+ tclass = atoi(ans);
+ if (!tclass
+ || tclass > policydb.p_classes.nprim) {
+ printf("\nNo such class.\n");
+ break;
+ }
+ cladatum =
+ policydb.class_val_to_struct[tclass - 1];
+ } else {
+ ans[strlen(ans) - 1] = 0;
+ cladatum =
+ (class_datum_t *) hashtab_search(policydb.
+ p_classes.
+ table,
+ ans);
+ if (!cladatum) {
+ printf("\nNo such class\n");
+ break;
+ }
+ tclass = cladatum->s.value;
+ }
+
+ if (!cladatum->comdatum && !cladatum->permissions.nprim) {
+ printf
+ ("\nNo access vector definition for that class\n");
+ break;
+ }
+ ret = sepol_compute_av(ssid, tsid, tclass, 0, &avd);
+ switch (ret) {
+ case 0:
+ printf("\nallowed {");
+ for (i = 1; i <= sizeof(avd.allowed) * 8; i++) {
+ if (avd.allowed & (1 << (i - 1))) {
+ v.val = i;
+ ret =
+ hashtab_map(cladatum->
+ permissions.
+ table,
+ find_perm, &v);
+ if (!ret && cladatum->comdatum) {
+ ret =
+ hashtab_map
+ (cladatum->
+ comdatum->
+ permissions.table,
+ find_perm, &v);
+ }
+ if (ret)
+ printf(" %s", v.name);
+ }
+ }
+ printf(" }\n");
+ break;
+ case -EINVAL:
+ printf("\ninvalid sid\n");
+ break;
+ default:
+ printf("return code 0x%x\n", ret);
+ }
+ break;
+ case '1':
+ printf("sid? ");
+ FGETS(ans, sizeof(ans), stdin);
+ ssid = atoi(ans);
+ ret = sepol_sid_to_context(ssid,
+ &scontext, &scontext_len);
+ switch (ret) {
+ case 0:
+ printf("\nscontext %s\n", scontext);
+ free(scontext);
+ break;
+ case -EINVAL:
+ printf("\ninvalid sid\n");
+ break;
+ case -ENOMEM:
+ printf("\nout of memory\n");
+ break;
+ default:
+ printf("return code 0x%x\n", ret);
+ }
+ break;
+ case '2':
+ printf("scontext? ");
+ FGETS(ans, sizeof(ans), stdin);
+ scontext_len = strlen(ans);
+ ans[scontext_len - 1] = 0;
+ ret = sepol_context_to_sid(ans, scontext_len, &ssid);
+ switch (ret) {
+ case 0:
+ printf("\nsid %d\n", ssid);
+ break;
+ case -EINVAL:
+ printf("\ninvalid context\n");
+ break;
+ case -ENOMEM:
+ printf("\nout of memory\n");
+ break;
+ default:
+ printf("return code 0x%x\n", ret);
+ }
+ break;
+ case '3':
+ case '4':
+ case '5':
+ ch = ans[0];
+
+ printf("source sid? ");
+ FGETS(ans, sizeof(ans), stdin);
+ ssid = atoi(ans);
+ printf("target sid? ");
+ FGETS(ans, sizeof(ans), stdin);
+ tsid = atoi(ans);
+
+ printf("object class? ");
+ FGETS(ans, sizeof(ans), stdin);
+ if (isdigit(ans[0])) {
+ tclass = atoi(ans);
+ if (!tclass
+ || tclass > policydb.p_classes.nprim) {
+ printf("\nNo such class.\n");
+ break;
+ }
+ } else {
+ ans[strlen(ans) - 1] = 0;
+ cladatum =
+ (class_datum_t *) hashtab_search(policydb.
+ p_classes.
+ table,
+ ans);
+ if (!cladatum) {
+ printf("\nNo such class\n");
+ break;
+ }
+ tclass = cladatum->s.value;
+ }
+
+ if (ch == '3')
+ ret =
+ sepol_transition_sid(ssid, tsid, tclass,
+ &ssid);
+ else if (ch == '4')
+ ret =
+ sepol_member_sid(ssid, tsid, tclass, &ssid);
+ else
+ ret =
+ sepol_change_sid(ssid, tsid, tclass, &ssid);
+ switch (ret) {
+ case 0:
+ printf("\nsid %d\n", ssid);
+ break;
+ case -EINVAL:
+ printf("\ninvalid sid\n");
+ break;
+ case -ENOMEM:
+ printf("\nout of memory\n");
+ break;
+ default:
+ printf("return code 0x%x\n", ret);
+ }
+ break;
+ case '6':
+ sepol_sidtab_map(&sidtab, print_sid, 0);
+ break;
+ case '7':
+ printf("pathname? ");
+ FGETS(ans, sizeof(ans), stdin);
+ pathlen = strlen(ans);
+ ans[pathlen - 1] = 0;
+ printf("%s: loading policy configuration from %s\n",
+ argv[0], ans);
+ fd = open(ans, O_RDONLY);
+ if (fd < 0) {
+ fprintf(stderr, "Can't open '%s': %s\n",
+ ans, strerror(errno));
+ break;
+ }
+ if (fstat(fd, &sb) < 0) {
+ fprintf(stderr, "Can't stat '%s': %s\n",
+ ans, strerror(errno));
+ break;
+ }
+ map =
+ mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE,
+ MAP_PRIVATE, fd, 0);
+ if (map == MAP_FAILED) {
+ fprintf(stderr, "Can't map '%s': %s\n",
+ ans, strerror(errno));
+ break;
+ }
+ ret = sepol_load_policy(map, sb.st_size);
+ switch (ret) {
+ case 0:
+ printf("\nsuccess\n");
+ break;
+ case -EINVAL:
+ printf("\ninvalid policy\n");
+ break;
+ case -ENOMEM:
+ printf("\nout of memory\n");
+ break;
+ default:
+ printf("return code 0x%x\n", ret);
+ }
+ break;
+ case '8':
+ printf("fs kdevname? ");
+ FGETS(ans, sizeof(ans), stdin);
+ ans[strlen(ans) - 1] = 0;
+ sepol_fs_sid(ans, &ssid, &tsid);
+ printf("fs_sid %d default_file_sid %d\n", ssid, tsid);
+ break;
+ case '9':
+ printf("protocol? ");
+ FGETS(ans, sizeof(ans), stdin);
+ ans[strlen(ans) - 1] = 0;
+ if (!strcmp(ans, "tcp") || !strcmp(ans, "TCP"))
+ protocol = IPPROTO_TCP;
+ else if (!strcmp(ans, "udp") || !strcmp(ans, "UDP"))
+ protocol = IPPROTO_UDP;
+ else if (!strcmp(ans, "dccp") || !strcmp(ans, "DCCP"))
+ protocol = IPPROTO_DCCP;
+ else {
+ printf("unknown protocol\n");
+ break;
+ }
+ printf("port? ");
+ FGETS(ans, sizeof(ans), stdin);
+ port = atoi(ans);
+ sepol_port_sid(0, 0, protocol, port, &ssid);
+ printf("sid %d\n", ssid);
+ break;
+ case 'a':
+ printf("netif name? ");
+ FGETS(ans, sizeof(ans), stdin);
+ ans[strlen(ans) - 1] = 0;
+ sepol_netif_sid(ans, &ssid, &tsid);
+ printf("if_sid %d default_msg_sid %d\n", ssid, tsid);
+ break;
+ case 'b':{
+ char *p;
+ int family, len;
+ struct in_addr addr4;
+ struct in6_addr addr6;
+
+ printf("protocol family? ");
+ FGETS(ans, sizeof(ans), stdin);
+ ans[strlen(ans) - 1] = 0;
+ if (!strcasecmp(ans, "ipv4"))
+ family = AF_INET;
+ else if (!strcasecmp(ans, "ipv6"))
+ family = AF_INET6;
+ else {
+ printf("unknown protocol family\n");
+ break;
+ }
+
+ printf("node address? ");
+ FGETS(ans, sizeof(ans), stdin);
+ ans[strlen(ans) - 1] = 0;
+
+ if (family == AF_INET) {
+ p = (char *)&addr4;
+ len = sizeof(addr4);
+ } else {
+ p = (char *)&addr6;
+ len = sizeof(addr6);
+ }
+
+ if (inet_pton(family, ans, p) < 1) {
+ printf("error parsing address\n");
+ break;
+ }
+
+ sepol_node_sid(family, p, len, &ssid);
+ printf("sid %d\n", ssid);
+ break;
+ }
+ case 'c':
+ printf("fstype? ");
+ FGETS(ans, sizeof(ans), stdin);
+ ans[strlen(ans) - 1] = 0;
+ sepol_fs_use(ans, &uret, &ssid);
+ switch (uret) {
+ case SECURITY_FS_USE_XATTR:
+ printf("use xattr\n");
+ break;
+ case SECURITY_FS_USE_TRANS:
+ printf("use transition SIDs\n");
+ break;
+ case SECURITY_FS_USE_TASK:
+ printf("use task SIDs\n");
+ break;
+ case SECURITY_FS_USE_GENFS:
+ printf("use genfs\n");
+ break;
+ case SECURITY_FS_USE_NONE:
+ printf("no labeling support\n");
+ break;
+ }
+ printf("sid %d\n", ssid);
+ break;
+ case 'd':
+ printf("fstype? ");
+ FGETS(ans, sizeof(ans), stdin);
+ ans[strlen(ans) - 1] = 0;
+ fstype = strdup(ans);
+ printf("path? ");
+ FGETS(ans, sizeof(ans), stdin);
+ ans[strlen(ans) - 1] = 0;
+ path = strdup(ans);
+ printf("object class? ");
+ FGETS(ans, sizeof(ans), stdin);
+ if (isdigit(ans[0])) {
+ tclass = atoi(ans);
+ if (!tclass
+ || tclass > policydb.p_classes.nprim) {
+ printf("\nNo such class.\n");
+ break;
+ }
+ } else {
+ ans[strlen(ans) - 1] = 0;
+ cladatum =
+ (class_datum_t *) hashtab_search(policydb.
+ p_classes.
+ table,
+ ans);
+ if (!cladatum) {
+ printf("\nNo such class\n");
+ break;
+ }
+ tclass = cladatum->s.value;
+ }
+ sepol_genfs_sid(fstype, path, tclass, &ssid);
+ printf("sid %d\n", ssid);
+ free(fstype);
+ free(path);
+ break;
+ case 'e':
+ printf("from SID? ");
+ FGETS(ans, sizeof(ans), stdin);
+ ans[strlen(ans) - 1] = 0;
+ ssid = atoi(ans);
+
+ printf("username? ");
+ FGETS(ans, sizeof(ans), stdin);
+ ans[strlen(ans) - 1] = 0;
+
+ ret = sepol_get_user_sids(ssid, ans, &sids, &nel);
+ switch (ret) {
+ case 0:
+ if (!nel)
+ printf("\nnone\n");
+ for (i = 0; i < nel; i++)
+ print_sid(sids[i], NULL, NULL);
+ free(sids);
+ break;
+ case -ENOMEM:
+ printf("\nout of memory\n");
+ break;
+ case -EINVAL:
+ printf("\ninvalid argument\n");
+ break;
+ default:
+ printf("\nerror\n");
+ break;
+ }
+ break;
+ case 'f':
+ display_bools();
+ break;
+ case 'g':
+ display_cond_expressions();
+ break;
+ case 'h':
+ printf("name? ");
+ FGETS(ans, sizeof(ans), stdin);
+ ans[strlen(ans) - 1] = 0;
+
+ name = malloc((strlen(ans) + 1) * sizeof(char));
+ if (name == NULL) {
+ fprintf(stderr, "couldn't malloc string.\n");
+ break;
+ }
+ strcpy(name, ans);
+
+ printf("state? ");
+ FGETS(ans, sizeof(ans), stdin);
+ ans[strlen(ans) - 1] = 0;
+
+ if (atoi(ans))
+ state = 1;
+ else
+ state = 0;
+
+ change_bool(name, state);
+ free(name);
+ break;
+ case 'i':
+ printf("source sid? ");
+ FGETS(ans, sizeof(ans), stdin);
+ ssid = atoi(ans);
+
+ printf("target sid? ");
+ FGETS(ans, sizeof(ans), stdin);
+ tsid = atoi(ans);
+
+ printf("target class? ");
+ FGETS(ans, sizeof(ans), stdin);
+ if (isdigit(ans[0])) {
+ tclass = atoi(ans);
+ if (!tclass
+ || tclass > policydb.p_classes.nprim) {
+ printf("\nNo such class.\n");
+ break;
+ }
+ cladatum =
+ policydb.class_val_to_struct[tclass - 1];
+ } else {
+ ans[strlen(ans) - 1] = 0;
+ cladatum =
+ (class_datum_t *) hashtab_search(policydb.
+ p_classes.
+ table,
+ ans);
+ if (!cladatum) {
+ printf("\nNo such class\n");
+ break;
+ }
+ tclass = cladatum->s.value;
+ }
+
+ flags = SHOW_GRANTED;
+ if (sepol_compute_av_reason_buffer(ssid, tsid,
+ tclass, 0, &avd, &reason,
+ &reason_buf, flags)) {
+ printf("\nconstraint error\n");
+ break;
+ }
+ if (reason_buf) {
+ printf("\nConstraint expressions:\n%s",
+ reason_buf);
+ free(reason_buf);
+ } else {
+ printf("\nNo constraints found.\n");
+ }
+ break;
+ case 'j':
+ printf("old sid? ");
+ FGETS(ans, sizeof(ans), stdin);
+ oldsid = atoi(ans);
+
+ printf("new sid? ");
+ FGETS(ans, sizeof(ans), stdin);
+ newsid = atoi(ans);
+
+ printf("task sid? ");
+ FGETS(ans, sizeof(ans), stdin);
+ tasksid = atoi(ans);
+
+ printf("target class? ");
+ FGETS(ans, sizeof(ans), stdin);
+ if (isdigit(ans[0])) {
+ tclass = atoi(ans);
+ if (!tclass
+ || tclass > policydb.p_classes.nprim) {
+ printf("\nNo such class.\n");
+ break;
+ }
+ cladatum =
+ policydb.class_val_to_struct[tclass - 1];
+ } else {
+ ans[strlen(ans) - 1] = 0;
+ cladatum =
+ (class_datum_t *) hashtab_search(policydb.
+ p_classes.
+ table,
+ ans);
+ if (!cladatum) {
+ printf("\nNo such class\n");
+ break;
+ }
+ tclass = cladatum->s.value;
+ }
+
+ flags = SHOW_GRANTED;
+ if (sepol_validate_transition_reason_buffer(oldsid,
+ newsid, tasksid, tclass,
+ &reason_buf, flags)) {
+ printf("\nvalidatetrans error\n");
+ break;
+ }
+ if (reason_buf) {
+ printf("\nValidatetrans expressions:\n%s",
+ reason_buf);
+ free(reason_buf);
+ } else {
+ printf(
+ "\nNo validatetrans expressions found.\n");
+ }
+ break;
+#ifdef EQUIVTYPES
+ case 'z':
+ identify_equiv_types();
+ break;
+#endif
+ case 'm':
+ goto menu;
+ case 'q':
+ exit(0);
+ break;
+ default:
+ printf("\nUnknown option %s.\n", ans);
+ }
+ }
+
+ return 0;
+}
+
+/* FLASK */
diff --git a/checkpolicy/checkpolicy.h b/checkpolicy/checkpolicy.h
new file mode 100644
index 0000000..3868f1f
--- /dev/null
+++ b/checkpolicy/checkpolicy.h
@@ -0,0 +1,20 @@
+#ifndef _CHECKPOLICY_H_
+#define _CHECKPOLICY_H_
+
+#include <sepol/policydb/ebitmap.h>
+
+typedef struct te_assert {
+ ebitmap_t stypes;
+ ebitmap_t ttypes;
+ ebitmap_t tclasses;
+ int self;
+ sepol_access_vector_t *avp;
+ unsigned long line;
+ struct te_assert *next;
+} te_assert_t;
+
+te_assert_t *te_assertions;
+
+extern unsigned int policyvers;
+
+#endif
diff --git a/checkpolicy/module_compiler.c b/checkpolicy/module_compiler.c
new file mode 100644
index 0000000..6e5483c
--- /dev/null
+++ b/checkpolicy/module_compiler.c
@@ -0,0 +1,1604 @@
+/* Author : Joshua Brindle <jbrindle@tresys.com>
+ * Karl MacMillan <kmacmillan@tresys.com>
+ * Jason Tang <jtang@tresys.com>
+ * Added support for binary policy modules
+ *
+ * Copyright (C) 2004 - 2005 Tresys Technology, LLC
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 2.
+ */
+
+#include <assert.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/avrule_block.h>
+#include <sepol/policydb/conditional.h>
+
+#include "queue.h"
+#include "module_compiler.h"
+
+union stack_item_u {
+ avrule_block_t *avrule;
+ cond_list_t *cond_list;
+};
+
+typedef struct scope_stack {
+ union stack_item_u u;
+ int type; /* for above union: 1 = avrule block, 2 = conditional */
+ avrule_decl_t *decl; /* if in an avrule block, which
+ * declaration is current */
+ avrule_t *last_avrule;
+ int in_else; /* if in an avrule block, within ELSE branch */
+ int require_given; /* 1 if this block had at least one require */
+ struct scope_stack *parent, *child;
+} scope_stack_t;
+
+extern policydb_t *policydbp;
+extern queue_t id_queue;
+extern int yyerror(const char *msg);
+__attribute__ ((format(printf, 1, 2)))
+extern void yyerror2(const char *fmt, ...);
+
+static int push_stack(int stack_type, ...);
+static void pop_stack(void);
+
+/* keep track of the last item added to the stack */
+static scope_stack_t *stack_top = NULL;
+static avrule_block_t *last_block;
+static uint32_t next_decl_id = 1;
+
+int define_policy(int pass, int module_header_given)
+{
+ char *id;
+
+ if (module_header_given) {
+ if (policydbp->policy_type != POLICY_MOD) {
+ yyerror
+ ("Module specification found while not building a policy module.\n");
+ return -1;
+ }
+
+ if (pass == 2) {
+ while ((id = queue_remove(id_queue)) != NULL)
+ free(id);
+ } else {
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror("no module name");
+ return -1;
+ }
+ policydbp->name = id;
+ if ((policydbp->version =
+ queue_remove(id_queue)) == NULL) {
+ yyerror
+ ("Expected a module version but none was found.");
+ return -1;
+ }
+ }
+ } else {
+ if (policydbp->policy_type == POLICY_MOD) {
+ yyerror
+ ("Building a policy module, but no module specification found.\n");
+ return -1;
+ }
+ }
+ /* the first declaration within the global avrule
+ block will always have an id of 1 */
+ next_decl_id = 2;
+
+ /* reset the scoping stack */
+ while (stack_top != NULL) {
+ pop_stack();
+ }
+ if (push_stack(1, policydbp->global, policydbp->global->branch_list) ==
+ -1) {
+ return -1;
+ }
+ last_block = policydbp->global;
+ return 0;
+}
+
+/* Given the current parse stack, returns 1 if a declaration would be
+ * allowed here or 0 if not. For example, declarations are not
+ * allowed in conditionals, so if there are any conditionals in the
+ * current scope stack then this would return a 0.
+ */
+static int is_declaration_allowed(void)
+{
+ if (stack_top->type != 1 || stack_top->in_else) {
+ return 0;
+ }
+ return 1;
+}
+
+/* Attempt to declare a symbol within the current declaration. If
+ * currently within a non-conditional and in a non-else branch then
+ * insert the symbol, return 0 on success if symbol was undeclared.
+ * For roles and users, it is legal to have multiple declarations; as
+ * such return 1 to indicate that caller must free() the datum because
+ * it was not added. If symbols may not be declared here return -1.
+ * For duplicate declarations return -2. For all else, including out
+ * of memory, return -3. Note that dest_value and datum_value might
+ * not be restricted pointers. */
+int declare_symbol(uint32_t symbol_type,
+ hashtab_key_t key, hashtab_datum_t datum,
+ uint32_t * dest_value, uint32_t * datum_value)
+{
+ avrule_decl_t *decl = stack_top->decl;
+ int retval;
+
+ /* first check that symbols may be declared here */
+ if (!is_declaration_allowed()) {
+ return -1;
+ }
+ retval = symtab_insert(policydbp, symbol_type, key, datum,
+ SCOPE_DECL, decl->decl_id, dest_value);
+ if (retval == 1 && dest_value) {
+ symtab_datum_t *s =
+ (symtab_datum_t *) hashtab_search(policydbp->
+ symtab[symbol_type].table,
+ key);
+ assert(s != NULL);
+
+ if (symbol_type == SYM_LEVELS) {
+ *dest_value = ((level_datum_t *)s)->level->sens;
+ } else {
+ *dest_value = s->value;
+ }
+ } else if (retval == -2) {
+ return -2;
+ } else if (retval < 0) {
+ return -3;
+ } else { /* fall through possible if retval is 0 */
+ }
+ if (datum_value != NULL) {
+ if (ebitmap_set_bit(decl->declared.scope + symbol_type,
+ *datum_value - 1, 1)) {
+ return -3;
+ }
+ }
+ return retval;
+}
+
+static int role_implicit_bounds(hashtab_t roles_tab,
+ char *role_id, role_datum_t *role)
+{
+ role_datum_t *bounds;
+ char *bounds_id, *delim;
+
+ delim = strrchr(role_id, '.');
+ if (!delim)
+ return 0; /* no implicit boundary */
+
+ bounds_id = strdup(role_id);
+ if (!bounds_id) {
+ yyerror("out of memory");
+ return -1;
+ }
+ bounds_id[(size_t)(delim - role_id)] = '\0';
+
+ bounds = hashtab_search(roles_tab, bounds_id);
+ if (!bounds) {
+ yyerror2("role %s doesn't exist, is implicit bounds of %s",
+ bounds_id, role_id);
+ return -1;
+ }
+
+ if (!role->bounds)
+ role->bounds = bounds->s.value;
+ else if (role->bounds != bounds->s.value) {
+ yyerror2("role %s has inconsistent bounds %s/%s",
+ role_id, bounds_id,
+ policydbp->p_role_val_to_name[role->bounds - 1]);
+ return -1;
+ }
+ free(bounds_id);
+
+ return 0;
+}
+
+role_datum_t *declare_role(unsigned char isattr)
+{
+ char *id = queue_remove(id_queue), *dest_id = NULL;
+ role_datum_t *role = NULL, *dest_role = NULL;
+ int retval;
+ uint32_t value;
+
+ if (id == NULL) {
+ yyerror("no role name");
+ return NULL;
+ }
+ if ((role = (role_datum_t *) malloc(sizeof(*role))) == NULL) {
+ yyerror("Out of memory!");
+ free(id);
+ return NULL;
+ }
+ role_datum_init(role);
+ role->flavor = isattr ? ROLE_ATTRIB : ROLE_ROLE;
+ retval =
+ declare_symbol(SYM_ROLES, id, (hashtab_datum_t *) role, &value,
+ &value);
+ if (retval == 0) {
+ role->s.value = value;
+ if ((dest_id = strdup(id)) == NULL) {
+ yyerror("Out of memory!");
+ return NULL;
+ }
+ } else {
+ /* this role was already declared in this module, or error */
+ dest_id = id;
+ role_datum_destroy(role);
+ free(role);
+ }
+ if (retval == 0 || retval == 1) {
+ /* create a new role_datum_t for this decl, if necessary */
+ hashtab_t roles_tab;
+ assert(stack_top->type == 1);
+ if (stack_top->parent == NULL) {
+ /* in parent, so use global symbol table */
+ roles_tab = policydbp->p_roles.table;
+ } else {
+ roles_tab = stack_top->decl->p_roles.table;
+ }
+ dest_role = (role_datum_t *) hashtab_search(roles_tab, dest_id);
+ if (dest_role == NULL) {
+ if ((dest_role =
+ (role_datum_t *) malloc(sizeof(*dest_role))) ==
+ NULL) {
+ yyerror("Out of memory!");
+ free(dest_id);
+ return NULL;
+ }
+ role_datum_init(dest_role);
+ dest_role->s.value = value;
+ dest_role->flavor = isattr ? ROLE_ATTRIB : ROLE_ROLE;
+ if (role_implicit_bounds(roles_tab, dest_id, dest_role)) {
+ free(dest_id);
+ role_datum_destroy(dest_role);
+ free(dest_role);
+ return NULL;
+ }
+ if (hashtab_insert(roles_tab, dest_id, dest_role)) {
+ yyerror("Out of memory!");
+ free(dest_id);
+ role_datum_destroy(dest_role);
+ free(dest_role);
+ return NULL;
+ }
+ } else {
+ free(dest_id);
+ }
+ } else {
+ free(dest_id);
+ }
+ switch (retval) {
+ case -3:{
+ yyerror("Out of memory!");
+ return NULL;
+ }
+ case -2:{
+ yyerror("duplicate declaration of role");
+ return NULL;
+ }
+ case -1:{
+ yyerror("could not declare role here");
+ return NULL;
+ }
+ case 0:{
+ if (ebitmap_set_bit
+ (&dest_role->dominates, role->s.value - 1, 1)) {
+ yyerror("out of memory");
+ return NULL;
+ }
+ return dest_role;
+ }
+ case 1:{
+ return dest_role; /* role already declared for this block */
+ }
+ default:{
+ abort(); /* should never get here */
+ }
+ }
+}
+
+type_datum_t *declare_type(unsigned char primary, unsigned char isattr)
+{
+ char *id;
+ type_datum_t *typdatum;
+ int retval;
+ uint32_t value = 0;
+
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror("no type/attribute name?");
+ return NULL;
+ }
+ if (strcmp(id, "self") == 0) {
+ yyerror
+ ("'self' is a reserved type name and may not be declared.");
+ free(id);
+ return NULL;
+ }
+
+ typdatum = (type_datum_t *) malloc(sizeof(type_datum_t));
+ if (!typdatum) {
+ yyerror("Out of memory!");
+ free(id);
+ return NULL;
+ }
+ type_datum_init(typdatum);
+ typdatum->primary = primary;
+ typdatum->flavor = isattr ? TYPE_ATTRIB : TYPE_TYPE;
+
+ retval = declare_symbol(SYM_TYPES, id, typdatum, &value, &value);
+ if (retval == 0 || retval == 1) {
+ if (typdatum->primary) {
+ typdatum->s.value = value;
+ }
+ } else {
+ /* error occurred (can't have duplicate type declarations) */
+ free(id);
+ type_datum_destroy(typdatum);
+ free(typdatum);
+ }
+ switch (retval) {
+ case -3:{
+ yyerror("Out of memory!");
+ return NULL;
+ }
+ case -2:{
+ yyerror2("duplicate declaration of type/attribute");
+ return NULL;
+ }
+ case -1:{
+ yyerror("could not declare type/attribute here");
+ return NULL;
+ }
+ case 0:
+ case 1:{
+ return typdatum;
+ }
+ default:{
+ abort(); /* should never get here */
+ }
+ }
+}
+
+static int user_implicit_bounds(hashtab_t users_tab,
+ char *user_id, user_datum_t *user)
+{
+ user_datum_t *bounds;
+ char *bounds_id, *delim;
+
+ delim = strrchr(user_id, '.');
+ if (!delim)
+ return 0; /* no implicit boundary */
+
+ bounds_id = strdup(user_id);
+ if (!bounds_id) {
+ yyerror("out of memory");
+ return -1;
+ }
+ bounds_id[(size_t)(delim - user_id)] = '\0';
+
+ bounds = hashtab_search(users_tab, bounds_id);
+ if (!bounds) {
+ yyerror2("user %s doesn't exist, is implicit bounds of %s",
+ bounds_id, user_id);
+ return -1;
+ }
+
+ if (!user->bounds)
+ user->bounds = bounds->s.value;
+ else if (user->bounds != bounds->s.value) {
+ yyerror2("user %s has inconsistent bounds %s/%s",
+ user_id, bounds_id,
+ policydbp->p_role_val_to_name[user->bounds - 1]);
+ return -1;
+ }
+ free(bounds_id);
+
+ return 0;
+}
+
+user_datum_t *declare_user(void)
+{
+ char *id = queue_remove(id_queue), *dest_id = NULL;
+ user_datum_t *user = NULL, *dest_user = NULL;
+ int retval;
+ uint32_t value = 0;
+
+ if (id == NULL) {
+ yyerror("no user name");
+ return NULL;
+ }
+ if ((user = (user_datum_t *) malloc(sizeof(*user))) == NULL) {
+ yyerror("Out of memory!");
+ free(id);
+ return NULL;
+ }
+ user_datum_init(user);
+
+ retval =
+ declare_symbol(SYM_USERS, id, (hashtab_datum_t *) user, &value,
+ &value);
+
+ if (retval == 0) {
+ user->s.value = value;
+ if ((dest_id = strdup(id)) == NULL) {
+ yyerror("Out of memory!");
+ return NULL;
+ }
+ } else {
+ /* this user was already declared in this module, or error */
+ dest_id = id;
+ user_datum_destroy(user);
+ free(user);
+ }
+ if (retval == 0 || retval == 1) {
+ /* create a new user_datum_t for this decl, if necessary */
+ hashtab_t users_tab;
+ assert(stack_top->type == 1);
+ if (stack_top->parent == NULL) {
+ /* in parent, so use global symbol table */
+ users_tab = policydbp->p_users.table;
+ } else {
+ users_tab = stack_top->decl->p_users.table;
+ }
+ dest_user = (user_datum_t *) hashtab_search(users_tab, dest_id);
+ if (dest_user == NULL) {
+ if ((dest_user =
+ (user_datum_t *) malloc(sizeof(*dest_user))) ==
+ NULL) {
+ yyerror("Out of memory!");
+ free(dest_id);
+ return NULL;
+ }
+ user_datum_init(dest_user);
+ dest_user->s.value = value;
+ if (user_implicit_bounds(users_tab, dest_id, dest_user)) {
+ free(dest_id);
+ user_datum_destroy(dest_user);
+ free(dest_user);
+ return NULL;
+ }
+ if (hashtab_insert(users_tab, dest_id, dest_user)) {
+ yyerror("Out of memory!");
+ free(dest_id);
+ user_datum_destroy(dest_user);
+ free(dest_user);
+ return NULL;
+ }
+ } else {
+ free(dest_id);
+ }
+ } else {
+ free(dest_id);
+ }
+ switch (retval) {
+ case -3:{
+ yyerror("Out of memory!");
+ return NULL;
+ }
+ case -2:{
+ yyerror("duplicate declaration of user");
+ return NULL;
+ }
+ case -1:{
+ yyerror("could not declare user here");
+ return NULL;
+ }
+ case 0:{
+ return dest_user;
+ }
+ case 1:{
+ return dest_user; /* user already declared for this block */
+ }
+ default:{
+ abort(); /* should never get here */
+ }
+ }
+}
+
+/* Return a type_datum_t for the local avrule_decl with the given ID.
+ * If it does not exist, create one with the same value as 'value'.
+ * This function assumes that the ID is within scope. c.f.,
+ * is_id_in_scope().
+ *
+ * NOTE: this function usurps ownership of id afterwards. The caller
+ * shall not reference it nor free() it afterwards.
+ */
+type_datum_t *get_local_type(char *id, uint32_t value, unsigned char isattr)
+{
+ type_datum_t *dest_typdatum;
+ hashtab_t types_tab;
+ assert(stack_top->type == 1);
+ if (stack_top->parent == NULL) {
+ /* in global, so use global symbol table */
+ types_tab = policydbp->p_types.table;
+ } else {
+ types_tab = stack_top->decl->p_types.table;
+ }
+ dest_typdatum = hashtab_search(types_tab, id);
+ if (!dest_typdatum) {
+ dest_typdatum = (type_datum_t *) malloc(sizeof(type_datum_t));
+ if (dest_typdatum == NULL) {
+ free(id);
+ return NULL;
+ }
+ type_datum_init(dest_typdatum);
+ dest_typdatum->s.value = value;
+ dest_typdatum->flavor = isattr ? TYPE_ATTRIB : TYPE_TYPE;
+ dest_typdatum->primary = 1;
+ if (hashtab_insert(types_tab, id, dest_typdatum)) {
+ free(id);
+ type_datum_destroy(dest_typdatum);
+ free(dest_typdatum);
+ return NULL;
+ }
+
+ } else {
+ free(id);
+ if (dest_typdatum->flavor != isattr ? TYPE_ATTRIB : TYPE_TYPE) {
+ return NULL;
+ }
+ }
+ return dest_typdatum;
+}
+
+/* Return a role_datum_t for the local avrule_decl with the given ID.
+ * If it does not exist, create one with the same value as 'value'.
+ * This function assumes that the ID is within scope. c.f.,
+ * is_id_in_scope().
+ *
+ * NOTE: this function usurps ownership of id afterwards. The caller
+ * shall not reference it nor free() it afterwards.
+ */
+role_datum_t *get_local_role(char *id, uint32_t value, unsigned char isattr)
+{
+ role_datum_t *dest_roledatum;
+ hashtab_t roles_tab;
+
+ assert(stack_top->type == 1);
+
+ if (stack_top->parent == NULL) {
+ /* in global, so use global symbol table */
+ roles_tab = policydbp->p_roles.table;
+ } else {
+ roles_tab = stack_top->decl->p_roles.table;
+ }
+
+ dest_roledatum = hashtab_search(roles_tab, id);
+ if (!dest_roledatum) {
+ dest_roledatum = (role_datum_t *)malloc(sizeof(role_datum_t));
+ if (dest_roledatum == NULL) {
+ free(id);
+ return NULL;
+ }
+
+ role_datum_init(dest_roledatum);
+ dest_roledatum->s.value = value;
+ dest_roledatum->flavor = isattr ? ROLE_ATTRIB : ROLE_ROLE;
+
+ if (hashtab_insert(roles_tab, id, dest_roledatum)) {
+ free(id);
+ role_datum_destroy(dest_roledatum);
+ free(dest_roledatum);
+ return NULL;
+ }
+ } else {
+ free(id);
+ if (dest_roledatum->flavor != isattr ? ROLE_ATTRIB : ROLE_ROLE)
+ return NULL;
+ }
+
+ return dest_roledatum;
+}
+
+/* Given the current parse stack, returns 1 if a requirement would be
+ * allowed here or 0 if not. For example, the ELSE branch may never
+ * have its own requirements.
+ */
+static int is_require_allowed(void)
+{
+ if (stack_top->type == 1 && !stack_top->in_else) {
+ return 1;
+ }
+ return 0;
+}
+
+/* Attempt to require a symbol within the current scope. If currently
+ * within an optional (and not its else branch), add the symbol to the
+ * required list. Return 0 on success, 1 if caller needs to free()
+ * datum. If symbols may not be declared here return -1. For duplicate
+ * declarations return -2. For all else, including out of memory,
+ * return -3.. Note that dest_value and datum_value might not be
+ * restricted pointers.
+ */
+int require_symbol(uint32_t symbol_type,
+ hashtab_key_t key, hashtab_datum_t datum,
+ uint32_t * dest_value, uint32_t * datum_value)
+{
+ avrule_decl_t *decl = stack_top->decl;
+ int retval;
+
+ /* first check that symbols may be required here */
+ if (!is_require_allowed()) {
+ return -1;
+ }
+ retval = symtab_insert(policydbp, symbol_type, key, datum,
+ SCOPE_REQ, decl->decl_id, dest_value);
+ if (retval == 1) {
+ symtab_datum_t *s =
+ (symtab_datum_t *) hashtab_search(policydbp->
+ symtab[symbol_type].table,
+ key);
+ assert(s != NULL);
+
+ if (symbol_type == SYM_LEVELS) {
+ *dest_value = ((level_datum_t *)s)->level->sens;
+ } else {
+ *dest_value = s->value;
+ }
+ } else if (retval == -2) {
+ /* ignore require statements if that symbol was
+ * previously declared and is in current scope */
+ int prev_declaration_ok = 0;
+ if (is_id_in_scope(symbol_type, key)) {
+ if (symbol_type == SYM_TYPES) {
+ /* check that previous symbol has same
+ * type/attribute-ness */
+ unsigned char new_isattr =
+ ((type_datum_t *) datum)->flavor;
+ type_datum_t *old_datum =
+ (type_datum_t *) hashtab_search(policydbp->
+ symtab
+ [SYM_TYPES].
+ table, key);
+ assert(old_datum != NULL);
+ unsigned char old_isattr = old_datum->flavor;
+ prev_declaration_ok =
+ (old_isattr == new_isattr ? 1 : 0);
+ } else {
+ prev_declaration_ok = 1;
+ }
+ }
+ if (prev_declaration_ok) {
+ /* ignore this require statement because it
+ * was already declared within my scope */
+ stack_top->require_given = 1;
+ return 1;
+ } else {
+ /* previous declaration was not in scope or
+ * had a mismatched type/attribute, so
+ * generate an error */
+ return -2;
+ }
+ } else if (retval < 0) {
+ return -3;
+ } else { /* fall through possible if retval is 0 or 1 */
+ }
+ if (datum_value != NULL) {
+ if (ebitmap_set_bit(decl->required.scope + symbol_type,
+ *datum_value - 1, 1)) {
+ return -3;
+ }
+ }
+ stack_top->require_given = 1;
+ return retval;
+}
+
+int add_perm_to_class(uint32_t perm_value, uint32_t class_value)
+{
+ avrule_decl_t *decl = stack_top->decl;
+ scope_index_t *scope;
+
+ assert(perm_value >= 1);
+ assert(class_value >= 1);
+ scope = &decl->required;
+ if (class_value > scope->class_perms_len) {
+ uint32_t i;
+ ebitmap_t *new_map = realloc(scope->class_perms_map,
+ class_value * sizeof(*new_map));
+ if (new_map == NULL) {
+ return -1;
+ }
+ scope->class_perms_map = new_map;
+ for (i = scope->class_perms_len; i < class_value; i++) {
+ ebitmap_init(scope->class_perms_map + i);
+ }
+ scope->class_perms_len = class_value;
+ }
+ if (ebitmap_set_bit(scope->class_perms_map + class_value - 1,
+ perm_value - 1, 1)) {
+ return -1;
+ }
+ return 0;
+}
+
+static int perm_destroy(hashtab_key_t key, hashtab_datum_t datum, void *p
+ __attribute__ ((unused)))
+{
+ if (key)
+ free(key);
+ free(datum);
+ return 0;
+}
+
+static void class_datum_destroy(class_datum_t * cladatum)
+{
+ if (cladatum != NULL) {
+ hashtab_map(cladatum->permissions.table, perm_destroy, NULL);
+ hashtab_destroy(cladatum->permissions.table);
+ free(cladatum);
+ }
+}
+
+int require_class(int pass)
+{
+ char *class_id = queue_remove(id_queue);
+ char *perm_id = NULL;
+ class_datum_t *datum = NULL;
+ perm_datum_t *perm = NULL;
+ int ret;
+
+ if (pass == 2) {
+ free(class_id);
+ while ((perm_id = queue_remove(id_queue)) != NULL)
+ free(perm_id);
+ return 0;
+ }
+
+ /* first add the class if it is not already there */
+ if (class_id == NULL) {
+ yyerror("no class name for class definition?");
+ return -1;
+ }
+
+ if ((datum = calloc(1, sizeof(*datum))) == NULL ||
+ symtab_init(&datum->permissions, PERM_SYMTAB_SIZE)) {
+ yyerror("Out of memory!");
+ goto cleanup;
+ }
+ ret =
+ require_symbol(SYM_CLASSES, class_id, datum, &datum->s.value,
+ &datum->s.value);
+ switch (ret) {
+ case -3:{
+ yyerror("Out of memory!");
+ free(class_id);
+ class_datum_destroy(datum);
+ goto cleanup;
+ }
+ case -2:{
+ yyerror("duplicate declaration of class");
+ free(class_id);
+ class_datum_destroy(datum);
+ goto cleanup;
+ }
+ case -1:{
+ yyerror("could not require class here");
+ free(class_id);
+ class_datum_destroy(datum);
+ goto cleanup;
+ }
+ case 0:{
+ /* a new class was added; reindex everything */
+ if (policydb_index_classes(policydbp)) {
+ yyerror("Out of memory!");
+ goto cleanup;
+ }
+ break;
+ }
+ case 1:{
+ class_datum_destroy(datum);
+ datum =
+ hashtab_search(policydbp->p_classes.table,
+ class_id);
+ assert(datum); /* the class datum should have existed */
+ free(class_id);
+ break;
+ }
+ default:{
+ abort(); /* should never get here */
+ }
+ }
+
+ /* now add each of the permissions to this class's requirements */
+ while ((perm_id = queue_remove(id_queue)) != NULL) {
+ int allocated = 0;
+
+ /* Is the permission already in the table? */
+ perm = hashtab_search(datum->permissions.table, perm_id);
+ if (!perm && datum->comdatum)
+ perm =
+ hashtab_search(datum->comdatum->permissions.table,
+ perm_id);
+ if (perm) {
+ /* Yes, drop the name. */
+ free(perm_id);
+ } else {
+ /* No - allocate and insert an entry for it. */
+ if (policydbp->policy_type == POLICY_BASE) {
+ yyerror2
+ ("Base policy - require of permission %s without prior declaration.",
+ perm_id);
+ free(perm_id);
+ goto cleanup;
+ }
+ allocated = 1;
+ if ((perm = malloc(sizeof(*perm))) == NULL) {
+ yyerror("Out of memory!");
+ free(perm_id);
+ goto cleanup;
+ }
+ memset(perm, 0, sizeof(*perm));
+ ret =
+ hashtab_insert(datum->permissions.table, perm_id,
+ perm);
+ if (ret) {
+ yyerror("Out of memory!");
+ free(perm_id);
+ free(perm);
+ goto cleanup;
+ }
+ perm->s.value = datum->permissions.nprim + 1;
+ }
+
+ if (add_perm_to_class(perm->s.value, datum->s.value) == -1) {
+ yyerror("Out of memory!");
+ goto cleanup;
+ }
+
+ /* Update number of primitives if we allocated one. */
+ if (allocated)
+ datum->permissions.nprim++;
+ }
+ return 0;
+ cleanup:
+ return -1;
+}
+
+static int require_role_or_attribute(int pass, unsigned char isattr)
+{
+ char *id = queue_remove(id_queue);
+ role_datum_t *role = NULL;
+ int retval;
+ if (pass == 2) {
+ free(id);
+ return 0;
+ }
+ if (id == NULL) {
+ yyerror("no role name");
+ return -1;
+ }
+ if ((role = malloc(sizeof(*role))) == NULL) {
+ free(id);
+ yyerror("Out of memory!");
+ return -1;
+ }
+ role_datum_init(role);
+ role->flavor = isattr ? ROLE_ATTRIB : ROLE_ROLE;
+ retval =
+ require_symbol(SYM_ROLES, id, (hashtab_datum_t *) role,
+ &role->s.value, &role->s.value);
+ if (retval != 0) {
+ free(id);
+ role_datum_destroy(role);
+ free(role);
+ }
+ switch (retval) {
+ case -3:{
+ yyerror("Out of memory!");
+ return -1;
+ }
+ case -2:{
+ yyerror("duplicate declaration of role");
+ return -1;
+ }
+ case -1:{
+ yyerror("could not require role here");
+ return -1;
+ }
+ case 0:{
+ /* all roles dominate themselves */
+ if (ebitmap_set_bit
+ (&role->dominates, role->s.value - 1, 1)) {
+ yyerror("Out of memory");
+ return -1;
+ }
+ return 0;
+ }
+ case 1:{
+ return 0; /* role already required */
+ }
+ default:{
+ abort(); /* should never get here */
+ }
+ }
+}
+
+int require_role(int pass)
+{
+ return require_role_or_attribute(pass, 0);
+}
+
+int require_attribute_role(int pass)
+{
+ return require_role_or_attribute(pass, 1);
+}
+
+static int require_type_or_attribute(int pass, unsigned char isattr)
+{
+ char *id = queue_remove(id_queue);
+ type_datum_t *type = NULL;
+ int retval;
+ if (pass == 2) {
+ free(id);
+ return 0;
+ }
+ if (id == NULL) {
+ yyerror("no type name");
+ return -1;
+ }
+ if ((type = malloc(sizeof(*type))) == NULL) {
+ free(id);
+ yyerror("Out of memory!");
+ return -1;
+ }
+ type_datum_init(type);
+ type->primary = 1;
+ type->flavor = isattr ? TYPE_ATTRIB : TYPE_TYPE;
+ retval =
+ require_symbol(SYM_TYPES, id, (hashtab_datum_t *) type,
+ &type->s.value, &type->s.value);
+ if (retval != 0) {
+ free(id);
+ free(type);
+ }
+ switch (retval) {
+ case -3:{
+ yyerror("Out of memory!");
+ return -1;
+ }
+ case -2:{
+ yyerror("duplicate declaration of type/attribute");
+ return -1;
+ }
+ case -1:{
+ yyerror("could not require type/attribute here");
+ return -1;
+ }
+ case 0:{
+ return 0;
+ }
+ case 1:{
+ return 0; /* type already required */
+ }
+ default:{
+ abort(); /* should never get here */
+ }
+ }
+}
+
+int require_type(int pass)
+{
+ return require_type_or_attribute(pass, 0);
+}
+
+int require_attribute(int pass)
+{
+ return require_type_or_attribute(pass, 1);
+}
+
+int require_user(int pass)
+{
+ char *id = queue_remove(id_queue);
+ user_datum_t *user = NULL;
+ int retval;
+ if (pass == 1) {
+ free(id);
+ return 0;
+ }
+ if (id == NULL) {
+ yyerror("no user name");
+ return -1;
+ }
+ if ((user = malloc(sizeof(*user))) == NULL) {
+ free(id);
+ yyerror("Out of memory!");
+ return -1;
+ }
+ user_datum_init(user);
+ retval =
+ require_symbol(SYM_USERS, id, (hashtab_datum_t *) user,
+ &user->s.value, &user->s.value);
+ if (retval != 0) {
+ free(id);
+ user_datum_destroy(user);
+ }
+ switch (retval) {
+ case -3:{
+ yyerror("Out of memory!");
+ return -1;
+ }
+ case -2:{
+ yyerror("duplicate declaration of user");
+ return -1;
+ }
+ case -1:{
+ yyerror("could not require user here");
+ return -1;
+ }
+ case 0:{
+ return 0;
+ }
+ case 1:{
+ return 0; /* user already required */
+ }
+ default:{
+ abort(); /* should never get here */
+ }
+ }
+}
+
+static int require_bool_tunable(int pass, int is_tunable)
+{
+ char *id = queue_remove(id_queue);
+ cond_bool_datum_t *booldatum = NULL;
+ int retval;
+ if (pass == 2) {
+ free(id);
+ return 0;
+ }
+ if (id == NULL) {
+ yyerror("no boolean name");
+ return -1;
+ }
+ if ((booldatum = calloc(1, sizeof(*booldatum))) == NULL) {
+ cond_destroy_bool(id, booldatum, NULL);
+ yyerror("Out of memory!");
+ return -1;
+ }
+ if (is_tunable)
+ booldatum->flags |= COND_BOOL_FLAGS_TUNABLE;
+ retval =
+ require_symbol(SYM_BOOLS, id, (hashtab_datum_t *) booldatum,
+ &booldatum->s.value, &booldatum->s.value);
+ if (retval != 0) {
+ cond_destroy_bool(id, booldatum, NULL);
+ }
+ switch (retval) {
+ case -3:{
+ yyerror("Out of memory!");
+ return -1;
+ }
+ case -2:{
+ yyerror("duplicate declaration of boolean");
+ return -1;
+ }
+ case -1:{
+ yyerror("could not require boolean here");
+ return -1;
+ }
+ case 0:{
+ return 0;
+ }
+ case 1:{
+ return 0; /* boolean already required */
+ }
+ default:{
+ abort(); /* should never get here */
+ }
+ }
+}
+
+int require_bool(int pass)
+{
+ return require_bool_tunable(pass, 0);
+}
+
+int require_tunable(int pass)
+{
+ return require_bool_tunable(pass, 1);
+}
+
+int require_sens(int pass)
+{
+ char *id = queue_remove(id_queue);
+ level_datum_t *level = NULL;
+ int retval;
+ if (pass == 2) {
+ free(id);
+ return 0;
+ }
+ if (!id) {
+ yyerror("no sensitivity name");
+ return -1;
+ }
+ level = malloc(sizeof(level_datum_t));
+ if (!level) {
+ free(id);
+ yyerror("Out of memory!");
+ return -1;
+ }
+ level_datum_init(level);
+ level->level = malloc(sizeof(mls_level_t));
+ if (!level->level) {
+ free(id);
+ level_datum_destroy(level);
+ free(level);
+ yyerror("Out of memory!");
+ return -1;
+ }
+ mls_level_init(level->level);
+ retval = require_symbol(SYM_LEVELS, id, (hashtab_datum_t *) level,
+ &level->level->sens, &level->level->sens);
+ if (retval != 0) {
+ free(id);
+ mls_level_destroy(level->level);
+ free(level->level);
+ level_datum_destroy(level);
+ free(level);
+ }
+ switch (retval) {
+ case -3:{
+ yyerror("Out of memory!");
+ return -1;
+ }
+ case -2:{
+ yyerror("duplicate declaration of sensitivity");
+ return -1;
+ }
+ case -1:{
+ yyerror("could not require sensitivity here");
+ return -1;
+ }
+ case 0:{
+ return 0;
+ }
+ case 1:{
+ return 0; /* sensitivity already required */
+ }
+ default:{
+ abort(); /* should never get here */
+ }
+ }
+}
+
+int require_cat(int pass)
+{
+ char *id = queue_remove(id_queue);
+ cat_datum_t *cat = NULL;
+ int retval;
+ if (pass == 2) {
+ free(id);
+ return 0;
+ }
+ if (!id) {
+ yyerror("no category name");
+ return -1;
+ }
+ cat = malloc(sizeof(cat_datum_t));
+ if (!cat) {
+ free(id);
+ yyerror("Out of memory!");
+ return -1;
+ }
+ cat_datum_init(cat);
+
+ retval = require_symbol(SYM_CATS, id, (hashtab_datum_t *) cat,
+ &cat->s.value, &cat->s.value);
+ if (retval != 0) {
+ free(id);
+ cat_datum_destroy(cat);
+ free(cat);
+ }
+ switch (retval) {
+ case -3:{
+ yyerror("Out of memory!");
+ return -1;
+ }
+ case -2:{
+ yyerror("duplicate declaration of category");
+ return -1;
+ }
+ case -1:{
+ yyerror("could not require category here");
+ return -1;
+ }
+ case 0:{
+ return 0;
+ }
+ case 1:{
+ return 0; /* category already required */
+ }
+ default:{
+ abort(); /* should never get here */
+ }
+ }
+}
+
+static int is_scope_in_stack(scope_datum_t * scope, scope_stack_t * stack)
+{
+ uint32_t i;
+ if (stack == NULL) {
+ return 0; /* no matching scope found */
+ }
+ if (stack->type == 1) {
+ avrule_decl_t *decl = stack->decl;
+ for (i = 0; i < scope->decl_ids_len; i++) {
+ if (scope->decl_ids[i] == decl->decl_id) {
+ return 1;
+ }
+ }
+ } else {
+ /* note that conditionals can't declare or require
+ * symbols, so skip this level */
+ }
+
+ /* not within scope of this stack, so try its parent */
+ return is_scope_in_stack(scope, stack->parent);
+}
+
+int is_id_in_scope(uint32_t symbol_type, hashtab_key_t id)
+{
+ scope_datum_t *scope =
+ (scope_datum_t *) hashtab_search(policydbp->scope[symbol_type].
+ table, id);
+ if (scope == NULL) {
+ return 1; /* id is not known, so return success */
+ }
+ return is_scope_in_stack(scope, stack_top);
+}
+
+static int is_perm_in_scope_index(uint32_t perm_value, uint32_t class_value,
+ scope_index_t * scope)
+{
+ if (class_value > scope->class_perms_len) {
+ return 1;
+ }
+ if (ebitmap_get_bit(scope->class_perms_map + class_value - 1,
+ perm_value - 1)) {
+ return 1;
+ }
+ return 0;
+}
+
+static int is_perm_in_stack(uint32_t perm_value, uint32_t class_value,
+ scope_stack_t * stack)
+{
+ if (stack == NULL) {
+ return 0; /* no matching scope found */
+ }
+ if (stack->type == 1) {
+ avrule_decl_t *decl = stack->decl;
+ if (is_perm_in_scope_index
+ (perm_value, class_value, &decl->required)
+ || is_perm_in_scope_index(perm_value, class_value,
+ &decl->declared)) {
+ return 1;
+ }
+ } else {
+ /* note that conditionals can't declare or require
+ * symbols, so skip this level */
+ }
+
+ /* not within scope of this stack, so try its parent */
+ return is_perm_in_stack(perm_value, class_value, stack->parent);
+}
+
+int is_perm_in_scope(hashtab_key_t perm_id, hashtab_key_t class_id)
+{
+ class_datum_t *cladatum =
+ (class_datum_t *) hashtab_search(policydbp->p_classes.table,
+ class_id);
+ perm_datum_t *perdatum;
+ if (cladatum == NULL) {
+ return 1;
+ }
+ perdatum = (perm_datum_t *) hashtab_search(cladatum->permissions.table,
+ perm_id);
+ if (perdatum == NULL) {
+ return 1;
+ }
+ return is_perm_in_stack(perdatum->s.value, cladatum->s.value,
+ stack_top);
+}
+
+cond_list_t *get_current_cond_list(cond_list_t * cond)
+{
+ /* FIX ME: do something different here if in a nested
+ * conditional? */
+ avrule_decl_t *decl = stack_top->decl;
+ return get_decl_cond_list(policydbp, decl, cond);
+}
+
+/* Append the new conditional node to the existing ones. During
+ * expansion the list will be reversed -- i.e., the last AV rule will
+ * be the first one listed in the policy. This matches the behavior
+ * of the upstream compiler. */
+void append_cond_list(cond_list_t * cond)
+{
+ cond_list_t *old_cond = get_current_cond_list(cond);
+ avrule_t *tmp;
+ assert(old_cond != NULL); /* probably out of memory */
+ if (old_cond->avtrue_list == NULL) {
+ old_cond->avtrue_list = cond->avtrue_list;
+ } else {
+ for (tmp = old_cond->avtrue_list; tmp->next != NULL;
+ tmp = tmp->next) ;
+ tmp->next = cond->avtrue_list;
+ }
+ if (old_cond->avfalse_list == NULL) {
+ old_cond->avfalse_list = cond->avfalse_list;
+ } else {
+ for (tmp = old_cond->avfalse_list; tmp->next != NULL;
+ tmp = tmp->next) ;
+ tmp->next = cond->avfalse_list;
+ }
+
+ old_cond->flags |= cond->flags;
+}
+
+void append_avrule(avrule_t * avrule)
+{
+ avrule_decl_t *decl = stack_top->decl;
+
+ /* currently avrules follow a completely different code path
+ * for handling avrules and compute types
+ * (define_cond_avrule_te_avtab, define_cond_compute_type);
+ * therefore there ought never be a conditional on top of the
+ * scope stack */
+ assert(stack_top->type == 1);
+
+ if (stack_top->last_avrule == NULL) {
+ decl->avrules = avrule;
+ } else {
+ stack_top->last_avrule->next = avrule;
+ }
+ stack_top->last_avrule = avrule;
+}
+
+/* this doesn't actually append, but really prepends it */
+void append_role_trans(role_trans_rule_t * role_tr_rules)
+{
+ avrule_decl_t *decl = stack_top->decl;
+
+ /* role transitions are not allowed within conditionals */
+ assert(stack_top->type == 1);
+
+ role_tr_rules->next = decl->role_tr_rules;
+ decl->role_tr_rules = role_tr_rules;
+}
+
+/* this doesn't actually append, but really prepends it */
+void append_role_allow(role_allow_rule_t * role_allow_rules)
+{
+ avrule_decl_t *decl = stack_top->decl;
+
+ /* role allows are not allowed within conditionals */
+ assert(stack_top->type == 1);
+
+ role_allow_rules->next = decl->role_allow_rules;
+ decl->role_allow_rules = role_allow_rules;
+}
+
+/* this doesn't actually append, but really prepends it */
+void append_filename_trans(filename_trans_rule_t * filename_trans_rules)
+{
+ avrule_decl_t *decl = stack_top->decl;
+
+ /* filename transitions are not allowed within conditionals */
+ assert(stack_top->type == 1);
+
+ filename_trans_rules->next = decl->filename_trans_rules;
+ decl->filename_trans_rules = filename_trans_rules;
+}
+
+/* this doesn't actually append, but really prepends it */
+void append_range_trans(range_trans_rule_t * range_tr_rules)
+{
+ avrule_decl_t *decl = stack_top->decl;
+
+ /* range transitions are not allowed within conditionals */
+ assert(stack_top->type == 1);
+
+ range_tr_rules->next = decl->range_tr_rules;
+ decl->range_tr_rules = range_tr_rules;
+}
+
+int begin_optional(int pass)
+{
+ avrule_block_t *block = NULL;
+ avrule_decl_t *decl;
+ if (pass == 1) {
+ /* allocate a new avrule block for this optional block */
+ if ((block = avrule_block_create()) == NULL ||
+ (decl = avrule_decl_create(next_decl_id)) == NULL) {
+ goto cleanup;
+ }
+ block->flags |= AVRULE_OPTIONAL;
+ block->branch_list = decl;
+ last_block->next = block;
+ } else {
+ /* select the next block from the chain built during pass 1 */
+ block = last_block->next;
+ assert(block != NULL &&
+ block->branch_list != NULL &&
+ block->branch_list->decl_id == next_decl_id);
+ decl = block->branch_list;
+ }
+ if (push_stack(1, block, decl) == -1) {
+ goto cleanup;
+ }
+ stack_top->last_avrule = NULL;
+ last_block = block;
+ next_decl_id++;
+ return 0;
+ cleanup:
+ yyerror("Out of memory!");
+ avrule_block_destroy(block);
+ return -1;
+}
+
+int end_optional(int pass __attribute__ ((unused)))
+{
+ /* once nested conditionals are allowed, do the stack unfolding here */
+ pop_stack();
+ return 0;
+}
+
+int begin_optional_else(int pass)
+{
+ avrule_decl_t *decl;
+ assert(stack_top->type == 1 && stack_top->in_else == 0);
+ if (pass == 1) {
+ /* allocate a new declaration and add it to the
+ * current chain */
+ if ((decl = avrule_decl_create(next_decl_id)) == NULL) {
+ yyerror("Out of memory!");
+ return -1;
+ }
+ stack_top->decl->next = decl;
+ } else {
+ /* pick the (hopefully last) declaration of this
+ avrule block, built from pass 1 */
+ decl = stack_top->decl->next;
+ assert(decl != NULL &&
+ decl->next == NULL && decl->decl_id == next_decl_id);
+ }
+ stack_top->in_else = 1;
+ stack_top->decl = decl;
+ stack_top->last_avrule = NULL;
+ stack_top->require_given = 0;
+ next_decl_id++;
+ return 0;
+}
+
+static int copy_requirements(avrule_decl_t * dest, scope_stack_t * stack)
+{
+ uint32_t i;
+ if (stack == NULL) {
+ return 0;
+ }
+ if (stack->type == 1) {
+ scope_index_t *src_scope = &stack->decl->required;
+ scope_index_t *dest_scope = &dest->required;
+ for (i = 0; i < SYM_NUM; i++) {
+ ebitmap_t *src_bitmap = &src_scope->scope[i];
+ ebitmap_t *dest_bitmap = &dest_scope->scope[i];
+ if (ebitmap_union(dest_bitmap, src_bitmap)) {
+ yyerror("Out of memory!");
+ return -1;
+ }
+ }
+ /* now copy class permissions */
+ if (src_scope->class_perms_len > dest_scope->class_perms_len) {
+ ebitmap_t *new_map =
+ realloc(dest_scope->class_perms_map,
+ src_scope->class_perms_len *
+ sizeof(*new_map));
+ if (new_map == NULL) {
+ yyerror("Out of memory!");
+ return -1;
+ }
+ dest_scope->class_perms_map = new_map;
+ for (i = dest_scope->class_perms_len;
+ i < src_scope->class_perms_len; i++) {
+ ebitmap_init(dest_scope->class_perms_map + i);
+ }
+ dest_scope->class_perms_len =
+ src_scope->class_perms_len;
+ }
+ for (i = 0; i < src_scope->class_perms_len; i++) {
+ ebitmap_t *src_bitmap = &src_scope->class_perms_map[i];
+ ebitmap_t *dest_bitmap =
+ &dest_scope->class_perms_map[i];
+ if (ebitmap_union(dest_bitmap, src_bitmap)) {
+ yyerror("Out of memory!");
+ return -1;
+ }
+ }
+ }
+ return copy_requirements(dest, stack->parent);
+}
+
+/* During pass 1, check that at least one thing was required within
+ * this block, for those places where a REQUIRED is necessary. During
+ * pass 2, have this block inherit its parents' requirements. Return
+ * 0 on success, -1 on failure. */
+int end_avrule_block(int pass)
+{
+ avrule_decl_t *decl = stack_top->decl;
+ assert(stack_top->type == 1);
+ if (pass == 2) {
+ /* this avrule_decl inherits all of its parents'
+ * requirements */
+ if (copy_requirements(decl, stack_top->parent) == -1) {
+ return -1;
+ }
+ return 0;
+ }
+ if (!stack_top->in_else && !stack_top->require_given) {
+ if (policydbp->policy_type == POLICY_BASE
+ && stack_top->parent != NULL) {
+ /* if this is base no require should be in the global block */
+ return 0;
+ } else {
+ /* non-ELSE branches must have at least one thing required */
+ yyerror("This block has no require section.");
+ return -1;
+ }
+ }
+ return 0;
+}
+
+/* Push a new scope on to the stack and update the 'last' pointer.
+ * Return 0 on success, -1 if out * of memory. */
+static int push_stack(int stack_type, ...)
+{
+ scope_stack_t *s = calloc(1, sizeof(*s));
+ va_list ap;
+ if (s == NULL) {
+ return -1;
+ }
+ va_start(ap, stack_type);
+ switch (s->type = stack_type) {
+ case 1:{
+ s->u.avrule = va_arg(ap, avrule_block_t *);
+ s->decl = va_arg(ap, avrule_decl_t *);
+ break;
+ }
+ case 2:{
+ s->u.cond_list = va_arg(ap, cond_list_t *);
+ break;
+ }
+ default:
+ /* invalid stack type given */
+ assert(0);
+ }
+ va_end(ap);
+ s->parent = stack_top;
+ s->child = NULL;
+ stack_top = s;
+ return 0;
+}
+
+/* Pop off the most recently added from the stack. Update the 'last'
+ * pointer. */
+static void pop_stack(void)
+{
+ scope_stack_t *parent;
+ assert(stack_top != NULL);
+ parent = stack_top->parent;
+ if (parent != NULL) {
+ parent->child = NULL;
+ }
+ free(stack_top);
+ stack_top = parent;
+}
diff --git a/checkpolicy/module_compiler.h b/checkpolicy/module_compiler.h
new file mode 100644
index 0000000..72c2d9b
--- /dev/null
+++ b/checkpolicy/module_compiler.h
@@ -0,0 +1,109 @@
+/* Author : Joshua Brindle <jbrindle@tresys.com>
+ * Karl MacMillan <kmacmillan@tresys.com>
+ * Jason Tang <jtang@tresys.com>
+ * Added support for binary policy modules
+ *
+ * Copyright (C) 2004 - 2005 Tresys Technology, LLC
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 2.
+ */
+
+#ifndef MODULE_COMPILER_H
+#define MODULE_COMPILER_H
+
+#include <sepol/policydb/hashtab.h>
+
+/* Called when checkpolicy begins to parse a policy -- either at the
+ * very beginning for a kernel/base policy, or after the module header
+ * for policy modules. Initialize the memory structures within.
+ * Return 0 on success, -1 on error. */
+int define_policy(int pass, int module_header_given);
+
+/* Declare a symbol declaration to the current avrule_decl. Check
+ * that insertion is allowed here and that the symbol does not already
+ * exist. Returns 0 on success, 1 if symbol was already there (caller
+ * needs to free() the datum), -1 if declarations not allowed, -2 for
+ * duplicate declarations, -3 for all else.
+ */
+int declare_symbol(uint32_t symbol_type,
+ hashtab_key_t key, hashtab_datum_t datum,
+ uint32_t * dest_value, uint32_t * datum_value);
+
+role_datum_t *declare_role(unsigned char isattr);
+type_datum_t *declare_type(unsigned char primary, unsigned char isattr);
+user_datum_t *declare_user(void);
+
+type_datum_t *get_local_type(char *id, uint32_t value, unsigned char isattr);
+role_datum_t *get_local_role(char *id, uint32_t value, unsigned char isattr);
+
+/* Add a symbol to the current avrule_block's require section. Note
+ * that a module may not both declare and require the same symbol.
+ * Returns 0 on success, -1 on error. */
+int require_symbol(uint32_t symbol_type,
+ hashtab_key_t key, hashtab_datum_t datum,
+ uint32_t * dest_value, uint32_t * datum_value);
+
+/* Enable a permission for a class within the current avrule_decl.
+ * Return 0 on success, -1 if out of memory. */
+int add_perm_to_class(uint32_t perm_value, uint32_t class_value);
+
+/* Functions called from REQUIRE blocks. Add the first symbol on the
+ * id_queue to this avrule_decl's scope if not already there.
+ * c.f. require_symbol(). */
+int require_class(int pass);
+int require_role(int pass);
+int require_type(int pass);
+int require_attribute(int pass);
+int require_attribute_role(int pass);
+int require_user(int pass);
+int require_bool(int pass);
+int require_tunable(int pass);
+int require_sens(int pass);
+int require_cat(int pass);
+
+/* Check if an identifier is within the scope of the current
+ * declaration or any of its parents. Return 1 if it is, 0 if not.
+ * If the identifier is not known at all then return 1 (truth). */
+int is_id_in_scope(uint32_t symbol_type, hashtab_key_t id);
+
+/* Check if a particular permission is within the scope of the current
+ * declaration or any of its parents. Return 1 if it is, 0 if not.
+ * If the identifier is not known at all then return 1 (truth). */
+int is_perm_in_scope(hashtab_key_t perm_id, hashtab_key_t class_id);
+
+/* Search the current avrules block for a conditional with the same
+ * expression as 'cond'. If the conditional does not exist then
+ * create one. Either way, return the conditional. */
+cond_list_t *get_current_cond_list(cond_list_t * cond);
+
+/* Append rule to the current avrule_block. */
+void append_cond_list(cond_list_t * cond);
+void append_avrule(avrule_t * avrule);
+void append_role_trans(role_trans_rule_t * role_tr_rules);
+void append_role_allow(role_allow_rule_t * role_allow_rules);
+void append_range_trans(range_trans_rule_t * range_tr_rules);
+void append_filename_trans(filename_trans_rule_t * filename_trans_rules);
+
+/* Create a new optional block and add it to the global policy.
+ * During the second pass resolve the block's requirements. Return 0
+ * on success, -1 on error.
+ */
+int begin_optional(int pass);
+int end_optional(int pass);
+
+/* ELSE blocks are similar to normal blocks with the following two
+ * limitations:
+ * - no declarations are allowed within else branches
+ * - no REQUIRES are allowed; the else branch inherits the parent's
+ * requirements
+ */
+int begin_optional_else(int pass);
+
+/* Called whenever existing an avrule block. Check that the block had
+ * a non-empty REQUIRE section. If so pop the block off of the scop
+ * stack and return 0. If not then send an error to yyerror and
+ * return -1. */
+int end_avrule_block(int pass);
+
+#endif
diff --git a/checkpolicy/parse_util.c b/checkpolicy/parse_util.c
new file mode 100644
index 0000000..9fda5b4
--- /dev/null
+++ b/checkpolicy/parse_util.c
@@ -0,0 +1,78 @@
+/*
+ * Author: Karl MacMillan <kmacmillan@tresys.com>
+ *
+ * Copyright (C) 2006 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include "parse_util.h"
+#include "queue.h"
+
+/* these are defined in policy_parse.y and are needed for read_source_policy */
+extern FILE *yyin;
+extern void init_parser(int);
+extern int yyparse(void);
+extern void yyrestart(FILE *);
+extern queue_t id_queue;
+extern unsigned int policydb_errors;
+extern unsigned long policydb_lineno;
+extern policydb_t *policydbp;
+extern int mlspol;
+extern void set_source_file(const char *name);
+
+int read_source_policy(policydb_t * p, const char *file, const char *progname)
+{
+ yyin = fopen(file, "r");
+ if (!yyin) {
+ fprintf(stderr, "%s: unable to open %s\n", progname, file);
+ return -1;
+ }
+ set_source_file(file);
+
+ if ((id_queue = queue_create()) == NULL) {
+ fprintf(stderr, "%s: out of memory!\n", progname);
+ return -1;
+ }
+
+ policydbp = p;
+ mlspol = p->mls;
+
+ init_parser(1);
+ if (yyparse() || policydb_errors) {
+ fprintf(stderr,
+ "%s: error(s) encountered while parsing configuration\n",
+ progname);
+ return -1;
+ }
+ rewind(yyin);
+ init_parser(2);
+ set_source_file(file);
+ yyrestart(yyin);
+ if (yyparse() || policydb_errors) {
+ fprintf(stderr,
+ "%s: error(s) encountered while parsing configuration\n",
+ progname);
+ return -1;
+ }
+ queue_destroy(id_queue);
+
+ if (policydb_errors)
+ return -1;
+
+ fclose(yyin);
+
+ return 0;
+}
diff --git a/checkpolicy/parse_util.h b/checkpolicy/parse_util.h
new file mode 100644
index 0000000..a80128a
--- /dev/null
+++ b/checkpolicy/parse_util.h
@@ -0,0 +1,35 @@
+/*
+ * Author: Karl MacMillan <kmacmillan@tresys.com>
+ *
+ * Copyright (C) 2006 Tresys Technology, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+/* Utility functions shared by checkpolicy and checkmodule */
+
+#ifndef __PARSE_UTIL_H__
+#define __PARSE_UTIL_H__
+
+#include <sepol/policydb/policydb.h>
+
+/* Read a source policy and populate the policydb passed in. The
+ * policydb must already have been created and configured (e.g.,
+ * expected policy type set. The string progname is used for
+ * error messages. No checking of assertions, hierarchy, etc.
+ * is done. */
+int read_source_policy(policydb_t * p, const char *file, const char *progname);
+
+#endif
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
new file mode 100644
index 0000000..100e517
--- /dev/null
+++ b/checkpolicy/policy_define.c
@@ -0,0 +1,5476 @@
+/*
+ * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
+ */
+
+/*
+ * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
+ *
+ * Support for enhanced MLS infrastructure.
+ *
+ * Updated: David Caplan, <dac@tresys.com>
+ *
+ * Added conditional policy language extensions
+ *
+ * Updated: Joshua Brindle <jbrindle@tresys.com>
+ * Karl MacMillan <kmacmillan@mentalrootkit.com>
+ * Jason Tang <jtang@tresys.com>
+ *
+ * Added support for binary policy modules
+ *
+ * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
+ * Copyright (C) 2003 - 2008 Tresys Technology, LLC
+ * Copyright (C) 2007 Red Hat Inc.
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 2.
+ */
+
+/* FLASK */
+
+#include <sys/types.h>
+#include <assert.h>
+#include <stdarg.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#ifndef IPPROTO_DCCP
+#define IPPROTO_DCCP 33
+#endif
+#include <arpa/inet.h>
+#include <stdlib.h>
+#include <limits.h>
+#include <inttypes.h>
+#include <ctype.h>
+
+#include <sepol/policydb/expand.h>
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/services.h>
+#include <sepol/policydb/conditional.h>
+#include <sepol/policydb/flask.h>
+#include <sepol/policydb/hierarchy.h>
+#include <sepol/policydb/polcaps.h>
+#include "queue.h"
+#include "checkpolicy.h"
+#include "module_compiler.h"
+#include "policy_define.h"
+
+policydb_t *policydbp;
+queue_t id_queue = 0;
+unsigned int pass;
+char *curfile = 0;
+int mlspol = 0;
+
+extern unsigned long policydb_lineno;
+extern unsigned long source_lineno;
+extern unsigned int policydb_errors;
+extern char source_file[PATH_MAX];
+
+extern int yywarn(const char *msg);
+extern int yyerror(const char *msg);
+
+#define ERRORMSG_LEN 255
+static char errormsg[ERRORMSG_LEN + 1] = {0};
+
+static int id_has_dot(char *id);
+static int parse_security_context(context_struct_t *c);
+
+/* initialize all of the state variables for the scanner/parser */
+void init_parser(int pass_number)
+{
+ policydb_lineno = 1;
+ source_lineno = 1;
+ policydb_errors = 0;
+ pass = pass_number;
+}
+
+__attribute__ ((format(printf, 1, 2)))
+void yyerror2(const char *fmt, ...)
+{
+ va_list ap;
+ va_start(ap, fmt);
+ vsnprintf(errormsg, ERRORMSG_LEN, fmt, ap);
+ yyerror(errormsg);
+ va_end(ap);
+}
+
+int insert_separator(int push)
+{
+ int error;
+
+ if (push)
+ error = queue_push(id_queue, 0);
+ else
+ error = queue_insert(id_queue, 0);
+
+ if (error) {
+ yyerror("queue overflow");
+ return -1;
+ }
+ return 0;
+}
+
+int insert_id(const char *id, int push)
+{
+ char *newid = 0;
+ int error;
+
+ newid = (char *)malloc(strlen(id) + 1);
+ if (!newid) {
+ yyerror("out of memory");
+ return -1;
+ }
+ strcpy(newid, id);
+ if (push)
+ error = queue_push(id_queue, (queue_element_t) newid);
+ else
+ error = queue_insert(id_queue, (queue_element_t) newid);
+
+ if (error) {
+ yyerror("queue overflow");
+ free(newid);
+ return -1;
+ }
+ return 0;
+}
+
+/* If the identifier has a dot within it and that its first character
+ is not a dot then return 1, else return 0. */
+static int id_has_dot(char *id)
+{
+ if (strchr(id, '.') >= id + 1) {
+ return 1;
+ }
+ return 0;
+}
+
+int define_class(void)
+{
+ char *id = 0;
+ class_datum_t *datum = 0;
+ int ret;
+ uint32_t value;
+
+ if (pass == 2) {
+ id = queue_remove(id_queue);
+ free(id);
+ return 0;
+ }
+
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror("no class name for class definition?");
+ return -1;
+ }
+ datum = (class_datum_t *) malloc(sizeof(class_datum_t));
+ if (!datum) {
+ yyerror("out of memory");
+ goto bad;
+ }
+ memset(datum, 0, sizeof(class_datum_t));
+ ret = declare_symbol(SYM_CLASSES, id, datum, &value, &value);
+ switch (ret) {
+ case -3:{
+ yyerror("Out of memory!");
+ goto bad;
+ }
+ case -2:{
+ yyerror2("duplicate declaration of class %s", id);
+ goto bad;
+ }
+ case -1:{
+ yyerror("could not declare class here");
+ goto bad;
+ }
+ case 0:
+ case 1:{
+ break;
+ }
+ default:{
+ assert(0); /* should never get here */
+ }
+ }
+ datum->s.value = value;
+ return 0;
+
+ bad:
+ if (id)
+ free(id);
+ if (datum)
+ free(datum);
+ return -1;
+}
+
+int define_permissive(void)
+{
+ char *type = NULL;
+ struct type_datum *t;
+ int rc = 0;
+
+ type = queue_remove(id_queue);
+
+ if (!type) {
+ yyerror2("forgot to include type in permissive definition?");
+ rc = -1;
+ goto out;
+ }
+
+ if (pass == 1)
+ goto out;
+
+ if (!is_id_in_scope(SYM_TYPES, type)) {
+ yyerror2("type %s is not within scope", type);
+ rc = -1;
+ goto out;
+ }
+
+ t = hashtab_search(policydbp->p_types.table, type);
+ if (!t) {
+ yyerror2("type is not defined: %s", type);
+ rc = -1;
+ goto out;
+ }
+
+ if (t->flavor == TYPE_ATTRIB) {
+ yyerror2("attributes may not be permissive: %s\n", type);
+ rc = -1;
+ goto out;
+ }
+
+ t->flags |= TYPE_FLAGS_PERMISSIVE;
+
+out:
+ free(type);
+ return rc;
+}
+
+int define_polcap(void)
+{
+ char *id = 0;
+ int capnum;
+
+ if (pass == 2) {
+ id = queue_remove(id_queue);
+ free(id);
+ return 0;
+ }
+
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror("no capability name for policycap definition?");
+ goto bad;
+ }
+
+ /* Check for valid cap name -> number mapping */
+ capnum = sepol_polcap_getnum(id);
+ if (capnum < 0) {
+ yyerror2("invalid policy capability name %s", id);
+ goto bad;
+ }
+
+ /* Store it */
+ if (ebitmap_set_bit(&policydbp->policycaps, capnum, TRUE)) {
+ yyerror("out of memory");
+ goto bad;
+ }
+
+ free(id);
+ return 0;
+
+ bad:
+ free(id);
+ return -1;
+}
+
+int define_initial_sid(void)
+{
+ char *id = 0;
+ ocontext_t *newc = 0, *c, *head;
+
+ if (pass == 2) {
+ id = queue_remove(id_queue);
+ free(id);
+ return 0;
+ }
+
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror("no sid name for SID definition?");
+ return -1;
+ }
+ newc = (ocontext_t *) malloc(sizeof(ocontext_t));
+ if (!newc) {
+ yyerror("out of memory");
+ goto bad;
+ }
+ memset(newc, 0, sizeof(ocontext_t));
+ newc->u.name = id;
+ context_init(&newc->context[0]);
+ head = policydbp->ocontexts[OCON_ISID];
+
+ for (c = head; c; c = c->next) {
+ if (!strcmp(newc->u.name, c->u.name)) {
+ yyerror2("duplicate initial SID %s", id);
+ goto bad;
+ }
+ }
+
+ if (head) {
+ newc->sid[0] = head->sid[0] + 1;
+ } else {
+ newc->sid[0] = 1;
+ }
+ newc->next = head;
+ policydbp->ocontexts[OCON_ISID] = newc;
+
+ return 0;
+
+ bad:
+ if (id)
+ free(id);
+ if (newc)
+ free(newc);
+ return -1;
+}
+
+static int read_classes(ebitmap_t *e_classes)
+{
+ char *id;
+ class_datum_t *cladatum;
+
+ while ((id = queue_remove(id_queue))) {
+ if (!is_id_in_scope(SYM_CLASSES, id)) {
+ yyerror2("class %s is not within scope", id);
+ return -1;
+ }
+ cladatum = hashtab_search(policydbp->p_classes.table, id);
+ if (!cladatum) {
+ yyerror2("unknown class %s", id);
+ return -1;
+ }
+ if (ebitmap_set_bit(e_classes, cladatum->s.value - 1, TRUE)) {
+ yyerror("Out of memory");
+ return -1;
+ }
+ free(id);
+ }
+ return 0;
+}
+
+int define_default_user(int which)
+{
+ char *id;
+ class_datum_t *cladatum;
+
+ if (pass == 1) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ while ((id = queue_remove(id_queue))) {
+ if (!is_id_in_scope(SYM_CLASSES, id)) {
+ yyerror2("class %s is not within scope", id);
+ return -1;
+ }
+ cladatum = hashtab_search(policydbp->p_classes.table, id);
+ if (!cladatum) {
+ yyerror2("unknown class %s", id);
+ return -1;
+ }
+ if (cladatum->default_user && cladatum->default_user != which) {
+ yyerror2("conflicting default user information for class %s", id);
+ return -1;
+ }
+ cladatum->default_user = which;
+ free(id);
+ }
+
+ return 0;
+}
+
+int define_default_role(int which)
+{
+ char *id;
+ class_datum_t *cladatum;
+
+ if (pass == 1) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ while ((id = queue_remove(id_queue))) {
+ if (!is_id_in_scope(SYM_CLASSES, id)) {
+ yyerror2("class %s is not within scope", id);
+ return -1;
+ }
+ cladatum = hashtab_search(policydbp->p_classes.table, id);
+ if (!cladatum) {
+ yyerror2("unknown class %s", id);
+ return -1;
+ }
+ if (cladatum->default_role && cladatum->default_role != which) {
+ yyerror2("conflicting default role information for class %s", id);
+ return -1;
+ }
+ cladatum->default_role = which;
+ free(id);
+ }
+
+ return 0;
+}
+
+int define_default_type(int which)
+{
+ char *id;
+ class_datum_t *cladatum;
+
+ if (pass == 1) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ while ((id = queue_remove(id_queue))) {
+ if (!is_id_in_scope(SYM_CLASSES, id)) {
+ yyerror2("class %s is not within scope", id);
+ return -1;
+ }
+ cladatum = hashtab_search(policydbp->p_classes.table, id);
+ if (!cladatum) {
+ yyerror2("unknown class %s", id);
+ return -1;
+ }
+ if (cladatum->default_type && cladatum->default_type != which) {
+ yyerror2("conflicting default type information for class %s", id);
+ return -1;
+ }
+ cladatum->default_type = which;
+ free(id);
+ }
+
+ return 0;
+}
+
+int define_default_range(int which)
+{
+ char *id;
+ class_datum_t *cladatum;
+
+ if (pass == 1) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ while ((id = queue_remove(id_queue))) {
+ if (!is_id_in_scope(SYM_CLASSES, id)) {
+ yyerror2("class %s is not within scope", id);
+ return -1;
+ }
+ cladatum = hashtab_search(policydbp->p_classes.table, id);
+ if (!cladatum) {
+ yyerror2("unknown class %s", id);
+ return -1;
+ }
+ if (cladatum->default_range && cladatum->default_range != which) {
+ yyerror2("conflicting default range information for class %s", id);
+ return -1;
+ }
+ cladatum->default_range = which;
+ free(id);
+ }
+
+ return 0;
+}
+
+int define_common_perms(void)
+{
+ char *id = 0, *perm = 0;
+ common_datum_t *comdatum = 0;
+ perm_datum_t *perdatum = 0;
+ int ret;
+
+ if (pass == 2) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror("no common name for common perm definition?");
+ return -1;
+ }
+ comdatum = hashtab_search(policydbp->p_commons.table, id);
+ if (comdatum) {
+ yyerror2("duplicate declaration for common %s\n", id);
+ return -1;
+ }
+ comdatum = (common_datum_t *) malloc(sizeof(common_datum_t));
+ if (!comdatum) {
+ yyerror("out of memory");
+ goto bad;
+ }
+ memset(comdatum, 0, sizeof(common_datum_t));
+ ret = hashtab_insert(policydbp->p_commons.table,
+ (hashtab_key_t) id, (hashtab_datum_t) comdatum);
+
+ if (ret == SEPOL_EEXIST) {
+ yyerror("duplicate common definition");
+ goto bad;
+ }
+ if (ret == SEPOL_ENOMEM) {
+ yyerror("hash table overflow");
+ goto bad;
+ }
+ comdatum->s.value = policydbp->p_commons.nprim + 1;
+ if (symtab_init(&comdatum->permissions, PERM_SYMTAB_SIZE)) {
+ yyerror("out of memory");
+ goto bad;
+ }
+ policydbp->p_commons.nprim++;
+ while ((perm = queue_remove(id_queue))) {
+ perdatum = (perm_datum_t *) malloc(sizeof(perm_datum_t));
+ if (!perdatum) {
+ yyerror("out of memory");
+ goto bad_perm;
+ }
+ memset(perdatum, 0, sizeof(perm_datum_t));
+ perdatum->s.value = comdatum->permissions.nprim + 1;
+
+ if (perdatum->s.value > (sizeof(sepol_access_vector_t) * 8)) {
+ yyerror
+ ("too many permissions to fit in an access vector");
+ goto bad_perm;
+ }
+ ret = hashtab_insert(comdatum->permissions.table,
+ (hashtab_key_t) perm,
+ (hashtab_datum_t) perdatum);
+
+ if (ret == SEPOL_EEXIST) {
+ yyerror2("duplicate permission %s in common %s", perm,
+ id);
+ goto bad_perm;
+ }
+ if (ret == SEPOL_ENOMEM) {
+ yyerror("hash table overflow");
+ goto bad_perm;
+ }
+ comdatum->permissions.nprim++;
+ }
+
+ return 0;
+
+ bad:
+ if (id)
+ free(id);
+ if (comdatum)
+ free(comdatum);
+ return -1;
+
+ bad_perm:
+ if (perm)
+ free(perm);
+ if (perdatum)
+ free(perdatum);
+ return -1;
+}
+
+int define_av_perms(int inherits)
+{
+ char *id;
+ class_datum_t *cladatum;
+ common_datum_t *comdatum;
+ perm_datum_t *perdatum = 0, *perdatum2 = 0;
+ int ret;
+
+ if (pass == 2) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror("no tclass name for av perm definition?");
+ return -1;
+ }
+ cladatum = (class_datum_t *) hashtab_search(policydbp->p_classes.table,
+ (hashtab_key_t) id);
+ if (!cladatum) {
+ yyerror2("class %s is not defined", id);
+ goto bad;
+ }
+ free(id);
+
+ if (cladatum->comdatum || cladatum->permissions.nprim) {
+ yyerror("duplicate access vector definition");
+ return -1;
+ }
+ if (symtab_init(&cladatum->permissions, PERM_SYMTAB_SIZE)) {
+ yyerror("out of memory");
+ return -1;
+ }
+ if (inherits) {
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror
+ ("no inherits name for access vector definition?");
+ return -1;
+ }
+ comdatum =
+ (common_datum_t *) hashtab_search(policydbp->p_commons.
+ table,
+ (hashtab_key_t) id);
+
+ if (!comdatum) {
+ yyerror2("common %s is not defined", id);
+ goto bad;
+ }
+ cladatum->comkey = id;
+ cladatum->comdatum = comdatum;
+
+ /*
+ * Class-specific permissions start with values
+ * after the last common permission.
+ */
+ cladatum->permissions.nprim += comdatum->permissions.nprim;
+ }
+ while ((id = queue_remove(id_queue))) {
+ perdatum = (perm_datum_t *) malloc(sizeof(perm_datum_t));
+ if (!perdatum) {
+ yyerror("out of memory");
+ goto bad;
+ }
+ memset(perdatum, 0, sizeof(perm_datum_t));
+ perdatum->s.value = ++cladatum->permissions.nprim;
+
+ if (perdatum->s.value > (sizeof(sepol_access_vector_t) * 8)) {
+ yyerror
+ ("too many permissions to fit in an access vector");
+ goto bad;
+ }
+ if (inherits) {
+ /*
+ * Class-specific permissions and
+ * common permissions exist in the same
+ * name space.
+ */
+ perdatum2 =
+ (perm_datum_t *) hashtab_search(cladatum->comdatum->
+ permissions.table,
+ (hashtab_key_t) id);
+ if (perdatum2) {
+ yyerror2("permission %s conflicts with an "
+ "inherited permission", id);
+ goto bad;
+ }
+ }
+ ret = hashtab_insert(cladatum->permissions.table,
+ (hashtab_key_t) id,
+ (hashtab_datum_t) perdatum);
+
+ if (ret == SEPOL_EEXIST) {
+ yyerror2("duplicate permission %s", id);
+ goto bad;
+ }
+ if (ret == SEPOL_ENOMEM) {
+ yyerror("hash table overflow");
+ goto bad;
+ }
+ if (add_perm_to_class(perdatum->s.value, cladatum->s.value)) {
+ yyerror("out of memory");
+ goto bad;
+ }
+ }
+
+ return 0;
+
+ bad:
+ if (id)
+ free(id);
+ if (perdatum)
+ free(perdatum);
+ return -1;
+}
+
+int define_sens(void)
+{
+ char *id;
+ mls_level_t *level = 0;
+ level_datum_t *datum = 0, *aliasdatum = 0;
+ int ret;
+ uint32_t value; /* dummy variable -- its value is never used */
+
+ if (!mlspol) {
+ yyerror("sensitivity definition in non-MLS configuration");
+ return -1;
+ }
+
+ if (pass == 2) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror("no sensitivity name for sensitivity definition?");
+ return -1;
+ }
+ if (id_has_dot(id)) {
+ yyerror("sensitivity identifiers may not contain periods");
+ goto bad;
+ }
+ level = (mls_level_t *) malloc(sizeof(mls_level_t));
+ if (!level) {
+ yyerror("out of memory");
+ goto bad;
+ }
+ mls_level_init(level);
+ level->sens = 0; /* actual value set in define_dominance */
+ ebitmap_init(&level->cat); /* actual value set in define_level */
+
+ datum = (level_datum_t *) malloc(sizeof(level_datum_t));
+ if (!datum) {
+ yyerror("out of memory");
+ goto bad;
+ }
+ level_datum_init(datum);
+ datum->isalias = FALSE;
+ datum->level = level;
+
+ ret = declare_symbol(SYM_LEVELS, id, datum, &value, &value);
+ switch (ret) {
+ case -3:{
+ yyerror("Out of memory!");
+ goto bad;
+ }
+ case -2:{
+ yyerror("duplicate declaration of sensitivity level");
+ goto bad;
+ }
+ case -1:{
+ yyerror("could not declare sensitivity level here");
+ goto bad;
+ }
+ case 0:
+ case 1:{
+ break;
+ }
+ default:{
+ assert(0); /* should never get here */
+ }
+ }
+
+ while ((id = queue_remove(id_queue))) {
+ if (id_has_dot(id)) {
+ yyerror("sensitivity aliases may not contain periods");
+ goto bad_alias;
+ }
+ aliasdatum = (level_datum_t *) malloc(sizeof(level_datum_t));
+ if (!aliasdatum) {
+ yyerror("out of memory");
+ goto bad_alias;
+ }
+ level_datum_init(aliasdatum);
+ aliasdatum->isalias = TRUE;
+ aliasdatum->level = level;
+
+ ret = declare_symbol(SYM_LEVELS, id, aliasdatum, NULL, &value);
+ switch (ret) {
+ case -3:{
+ yyerror("Out of memory!");
+ goto bad_alias;
+ }
+ case -2:{
+ yyerror
+ ("duplicate declaration of sensitivity alias");
+ goto bad_alias;
+ }
+ case -1:{
+ yyerror
+ ("could not declare sensitivity alias here");
+ goto bad_alias;
+ }
+ case 0:
+ case 1:{
+ break;
+ }
+ default:{
+ assert(0); /* should never get here */
+ }
+ }
+ }
+
+ return 0;
+
+ bad:
+ if (id)
+ free(id);
+ if (level)
+ free(level);
+ if (datum) {
+ level_datum_destroy(datum);
+ free(datum);
+ }
+ return -1;
+
+ bad_alias:
+ if (id)
+ free(id);
+ if (aliasdatum) {
+ level_datum_destroy(aliasdatum);
+ free(aliasdatum);
+ }
+ return -1;
+}
+
+int define_dominance(void)
+{
+ level_datum_t *datum;
+ uint32_t order;
+ char *id;
+
+ if (!mlspol) {
+ yyerror("dominance definition in non-MLS configuration");
+ return -1;
+ }
+
+ if (pass == 2) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ order = 0;
+ while ((id = (char *)queue_remove(id_queue))) {
+ datum =
+ (level_datum_t *) hashtab_search(policydbp->p_levels.table,
+ (hashtab_key_t) id);
+ if (!datum) {
+ yyerror2("unknown sensitivity %s used in dominance "
+ "definition", id);
+ free(id);
+ return -1;
+ }
+ if (datum->level->sens != 0) {
+ yyerror2("sensitivity %s occurs multiply in dominance "
+ "definition", id);
+ free(id);
+ return -1;
+ }
+ datum->level->sens = ++order;
+
+ /* no need to keep sensitivity name */
+ free(id);
+ }
+
+ if (order != policydbp->p_levels.nprim) {
+ yyerror
+ ("all sensitivities must be specified in dominance definition");
+ return -1;
+ }
+ return 0;
+}
+
+int define_category(void)
+{
+ char *id;
+ cat_datum_t *datum = 0, *aliasdatum = 0;
+ int ret;
+ uint32_t value;
+
+ if (!mlspol) {
+ yyerror("category definition in non-MLS configuration");
+ return -1;
+ }
+
+ if (pass == 2) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror("no category name for category definition?");
+ return -1;
+ }
+ if (id_has_dot(id)) {
+ yyerror("category identifiers may not contain periods");
+ goto bad;
+ }
+ datum = (cat_datum_t *) malloc(sizeof(cat_datum_t));
+ if (!datum) {
+ yyerror("out of memory");
+ goto bad;
+ }
+ cat_datum_init(datum);
+ datum->isalias = FALSE;
+
+ ret = declare_symbol(SYM_CATS, id, datum, &value, &value);
+ switch (ret) {
+ case -3:{
+ yyerror("Out of memory!");
+ goto bad;
+ }
+ case -2:{
+ yyerror("duplicate declaration of category");
+ goto bad;
+ }
+ case -1:{
+ yyerror("could not declare category here");
+ goto bad;
+ }
+ case 0:
+ case 1:{
+ break;
+ }
+ default:{
+ assert(0); /* should never get here */
+ }
+ }
+ datum->s.value = value;
+
+ while ((id = queue_remove(id_queue))) {
+ if (id_has_dot(id)) {
+ yyerror("category aliases may not contain periods");
+ goto bad_alias;
+ }
+ aliasdatum = (cat_datum_t *) malloc(sizeof(cat_datum_t));
+ if (!aliasdatum) {
+ yyerror("out of memory");
+ goto bad_alias;
+ }
+ cat_datum_init(aliasdatum);
+ aliasdatum->isalias = TRUE;
+ aliasdatum->s.value = datum->s.value;
+
+ ret =
+ declare_symbol(SYM_CATS, id, aliasdatum, NULL,
+ &datum->s.value);
+ switch (ret) {
+ case -3:{
+ yyerror("Out of memory!");
+ goto bad_alias;
+ }
+ case -2:{
+ yyerror
+ ("duplicate declaration of category aliases");
+ goto bad_alias;
+ }
+ case -1:{
+ yyerror
+ ("could not declare category aliases here");
+ goto bad_alias;
+ }
+ case 0:
+ case 1:{
+ break;
+ }
+ default:{
+ assert(0); /* should never get here */
+ }
+ }
+ }
+
+ return 0;
+
+ bad:
+ if (id)
+ free(id);
+ if (datum) {
+ cat_datum_destroy(datum);
+ free(datum);
+ }
+ return -1;
+
+ bad_alias:
+ if (id)
+ free(id);
+ if (aliasdatum) {
+ cat_datum_destroy(aliasdatum);
+ free(aliasdatum);
+ }
+ return -1;
+}
+
+static int clone_level(hashtab_key_t key __attribute__ ((unused)), hashtab_datum_t datum, void *arg)
+{
+ level_datum_t *levdatum = (level_datum_t *) datum;
+ mls_level_t *level = (mls_level_t *) arg, *newlevel;
+
+ if (levdatum->level == level) {
+ levdatum->defined = 1;
+ if (!levdatum->isalias)
+ return 0;
+ newlevel = (mls_level_t *) malloc(sizeof(mls_level_t));
+ if (!newlevel)
+ return -1;
+ if (mls_level_cpy(newlevel, level)) {
+ free(newlevel);
+ return -1;
+ }
+ levdatum->level = newlevel;
+ }
+ return 0;
+}
+
+int define_level(void)
+{
+ char *id;
+ level_datum_t *levdatum;
+
+ if (!mlspol) {
+ yyerror("level definition in non-MLS configuration");
+ return -1;
+ }
+
+ if (pass == 2) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror("no level name for level definition?");
+ return -1;
+ }
+ levdatum = (level_datum_t *) hashtab_search(policydbp->p_levels.table,
+ (hashtab_key_t) id);
+ if (!levdatum) {
+ yyerror2("unknown sensitivity %s used in level definition", id);
+ free(id);
+ return -1;
+ }
+ if (ebitmap_length(&levdatum->level->cat)) {
+ yyerror2("sensitivity %s used in multiple level definitions",
+ id);
+ free(id);
+ return -1;
+ }
+ free(id);
+
+ levdatum->defined = 1;
+
+ while ((id = queue_remove(id_queue))) {
+ cat_datum_t *cdatum;
+ int range_start, range_end, i;
+
+ if (id_has_dot(id)) {
+ char *id_start = id;
+ char *id_end = strchr(id, '.');
+
+ *(id_end++) = '\0';
+
+ cdatum =
+ (cat_datum_t *) hashtab_search(policydbp->p_cats.
+ table,
+ (hashtab_key_t)
+ id_start);
+ if (!cdatum) {
+ yyerror2("unknown category %s", id_start);
+ free(id);
+ return -1;
+ }
+ range_start = cdatum->s.value - 1;
+ cdatum =
+ (cat_datum_t *) hashtab_search(policydbp->p_cats.
+ table,
+ (hashtab_key_t)
+ id_end);
+ if (!cdatum) {
+ yyerror2("unknown category %s", id_end);
+ free(id);
+ return -1;
+ }
+ range_end = cdatum->s.value - 1;
+
+ if (range_end < range_start) {
+ yyerror2("category range is invalid");
+ free(id);
+ return -1;
+ }
+ } else {
+ cdatum =
+ (cat_datum_t *) hashtab_search(policydbp->p_cats.
+ table,
+ (hashtab_key_t) id);
+ range_start = range_end = cdatum->s.value - 1;
+ }
+
+ for (i = range_start; i <= range_end; i++) {
+ if (ebitmap_set_bit(&levdatum->level->cat, i, TRUE)) {
+ yyerror("out of memory");
+ free(id);
+ return -1;
+ }
+ }
+
+ free(id);
+ }
+
+ if (hashtab_map
+ (policydbp->p_levels.table, clone_level, levdatum->level)) {
+ yyerror("out of memory");
+ return -1;
+ }
+
+ return 0;
+}
+
+int define_attrib(void)
+{
+ if (pass == 2) {
+ free(queue_remove(id_queue));
+ return 0;
+ }
+
+ if (declare_type(TRUE, TRUE) == NULL) {
+ return -1;
+ }
+ return 0;
+}
+
+static int add_aliases_to_type(type_datum_t * type)
+{
+ char *id;
+ type_datum_t *aliasdatum = NULL;
+ int ret;
+ while ((id = queue_remove(id_queue))) {
+ if (id_has_dot(id)) {
+ free(id);
+ yyerror
+ ("type alias identifiers may not contain periods");
+ return -1;
+ }
+ aliasdatum = (type_datum_t *) malloc(sizeof(type_datum_t));
+ if (!aliasdatum) {
+ free(id);
+ yyerror("Out of memory!");
+ return -1;
+ }
+ memset(aliasdatum, 0, sizeof(type_datum_t));
+ aliasdatum->s.value = type->s.value;
+
+ ret = declare_symbol(SYM_TYPES, id, aliasdatum,
+ NULL, &aliasdatum->s.value);
+ switch (ret) {
+ case -3:{
+ yyerror("Out of memory!");
+ goto cleanup;
+ }
+ case -2:{
+ yyerror2("duplicate declaration of alias %s",
+ id);
+ goto cleanup;
+ }
+ case -1:{
+ yyerror("could not declare alias here");
+ goto cleanup;
+ }
+ case 0: break;
+ case 1:{
+ /* ret == 1 means the alias was required and therefore already
+ * has a value. Set it up as an alias with a different primary. */
+ type_datum_destroy(aliasdatum);
+ free(aliasdatum);
+
+ aliasdatum = hashtab_search(policydbp->symtab[SYM_TYPES].table, id);
+ assert(aliasdatum);
+
+ aliasdatum->primary = type->s.value;
+ aliasdatum->flavor = TYPE_ALIAS;
+
+ break;
+ }
+ default:{
+ assert(0); /* should never get here */
+ }
+ }
+ }
+ return 0;
+ cleanup:
+ free(id);
+ type_datum_destroy(aliasdatum);
+ free(aliasdatum);
+ return -1;
+}
+
+int define_typealias(void)
+{
+ char *id;
+ type_datum_t *t;
+
+ if (pass == 2) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror("no type name for typealias definition?");
+ return -1;
+ }
+
+ if (!is_id_in_scope(SYM_TYPES, id)) {
+ yyerror2("type %s is not within scope", id);
+ free(id);
+ return -1;
+ }
+ t = hashtab_search(policydbp->p_types.table, id);
+ if (!t || t->flavor == TYPE_ATTRIB) {
+ yyerror2("unknown type %s, or it was already declared as an "
+ "attribute", id);
+ free(id);
+ return -1;
+ }
+ return add_aliases_to_type(t);
+}
+
+int define_typeattribute(void)
+{
+ char *id;
+ type_datum_t *t, *attr;
+
+ if (pass == 2) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror("no type name for typeattribute definition?");
+ return -1;
+ }
+
+ if (!is_id_in_scope(SYM_TYPES, id)) {
+ yyerror2("type %s is not within scope", id);
+ free(id);
+ return -1;
+ }
+ t = hashtab_search(policydbp->p_types.table, id);
+ if (!t || t->flavor == TYPE_ATTRIB) {
+ yyerror2("unknown type %s", id);
+ free(id);
+ return -1;
+ }
+
+ while ((id = queue_remove(id_queue))) {
+ if (!is_id_in_scope(SYM_TYPES, id)) {
+ yyerror2("attribute %s is not within scope", id);
+ free(id);
+ return -1;
+ }
+ attr = hashtab_search(policydbp->p_types.table, id);
+ if (!attr) {
+ /* treat it as a fatal error */
+ yyerror2("attribute %s is not declared", id);
+ free(id);
+ return -1;
+ }
+
+ if (attr->flavor != TYPE_ATTRIB) {
+ yyerror2("%s is a type, not an attribute", id);
+ free(id);
+ return -1;
+ }
+
+ if ((attr = get_local_type(id, attr->s.value, 1)) == NULL) {
+ yyerror("Out of memory!");
+ return -1;
+ }
+
+ if (ebitmap_set_bit(&attr->types, (t->s.value - 1), TRUE)) {
+ yyerror("out of memory");
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
+static int define_typebounds_helper(char *bounds_id, char *type_id)
+{
+ type_datum_t *bounds, *type;
+
+ if (!is_id_in_scope(SYM_TYPES, bounds_id)) {
+ yyerror2("type %s is not within scope", bounds_id);
+ return -1;
+ }
+
+ bounds = hashtab_search(policydbp->p_types.table, bounds_id);
+ if (!bounds || bounds->flavor == TYPE_ATTRIB) {
+ yyerror2("hoge unknown type %s", bounds_id);
+ return -1;
+ }
+
+ if (!is_id_in_scope(SYM_TYPES, type_id)) {
+ yyerror2("type %s is not within scope", type_id);
+ return -1;
+ }
+
+ type = hashtab_search(policydbp->p_types.table, type_id);
+ if (!type || type->flavor == TYPE_ATTRIB) {
+ yyerror2("type %s is not declared", type_id);
+ return -1;
+ }
+
+ if (type->flavor == TYPE_TYPE && !type->primary) {
+ type = policydbp->type_val_to_struct[type->s.value - 1];
+ } else if (type->flavor == TYPE_ALIAS) {
+ type = policydbp->type_val_to_struct[type->primary - 1];
+ }
+
+ if (!type->bounds)
+ type->bounds = bounds->s.value;
+ else if (type->bounds != bounds->s.value) {
+ yyerror2("type %s has inconsistent master {%s,%s}",
+ type_id,
+ policydbp->p_type_val_to_name[type->bounds - 1],
+ policydbp->p_type_val_to_name[bounds->s.value - 1]);
+ return -1;
+ }
+
+ return 0;
+}
+
+int define_typebounds(void)
+{
+ char *bounds, *id;
+
+ if (pass == 1) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ bounds = (char *) queue_remove(id_queue);
+ if (!bounds) {
+ yyerror("no type name for typebounds definition?");
+ return -1;
+ }
+
+ while ((id = queue_remove(id_queue))) {
+ if (define_typebounds_helper(bounds, id))
+ return -1;
+ free(id);
+ }
+ free(bounds);
+
+ return 0;
+}
+
+int define_type(int alias)
+{
+ char *id;
+ type_datum_t *datum, *attr;
+
+ if (pass == 2) {
+ /*
+ * If type name contains ".", we have to define boundary
+ * relationship implicitly to keep compatibility with
+ * old name based hierarchy.
+ */
+ if ((id = queue_remove(id_queue))) {
+ char *bounds, *delim;
+
+ if ((delim = strrchr(id, '.'))
+ && (bounds = strdup(id))) {
+ bounds[(size_t)(delim - id)] = '\0';
+
+ if (define_typebounds_helper(bounds, id))
+ return -1;
+ free(bounds);
+ }
+ free(id);
+ }
+
+ if (alias) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ }
+
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ if ((datum = declare_type(TRUE, FALSE)) == NULL) {
+ return -1;
+ }
+
+ if (alias) {
+ if (add_aliases_to_type(datum) == -1) {
+ return -1;
+ }
+ }
+
+ while ((id = queue_remove(id_queue))) {
+ if (!is_id_in_scope(SYM_TYPES, id)) {
+ yyerror2("attribute %s is not within scope", id);
+ free(id);
+ return -1;
+ }
+ attr = hashtab_search(policydbp->p_types.table, id);
+ if (!attr) {
+ /* treat it as a fatal error */
+ yyerror2("attribute %s is not declared", id);
+ return -1;
+ }
+
+ if (attr->flavor != TYPE_ATTRIB) {
+ yyerror2("%s is a type, not an attribute", id);
+ return -1;
+ }
+
+ if ((attr = get_local_type(id, attr->s.value, 1)) == NULL) {
+ yyerror("Out of memory!");
+ return -1;
+ }
+
+ if (ebitmap_set_bit(&attr->types, datum->s.value - 1, TRUE)) {
+ yyerror("Out of memory");
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
+struct val_to_name {
+ unsigned int val;
+ char *name;
+};
+
+/* Adds a type, given by its textual name, to a typeset. If *add is
+ 0, then add the type to the negative set; otherwise if *add is 1
+ then add it to the positive side. */
+static int set_types(type_set_t * set, char *id, int *add, char starallowed)
+{
+ type_datum_t *t;
+
+ if (strcmp(id, "*") == 0) {
+ if (!starallowed) {
+ yyerror("* not allowed in this type of rule");
+ return -1;
+ }
+ /* set TYPE_STAR flag */
+ set->flags = TYPE_STAR;
+ free(id);
+ *add = 1;
+ return 0;
+ }
+
+ if (strcmp(id, "~") == 0) {
+ if (!starallowed) {
+ yyerror("~ not allowed in this type of rule");
+ return -1;
+ }
+ /* complement the set */
+ set->flags = TYPE_COMP;
+ free(id);
+ *add = 1;
+ return 0;
+ }
+
+ if (strcmp(id, "-") == 0) {
+ *add = 0;
+ free(id);
+ return 0;
+ }
+
+ if (!is_id_in_scope(SYM_TYPES, id)) {
+ yyerror2("type %s is not within scope", id);
+ free(id);
+ return -1;
+ }
+ t = hashtab_search(policydbp->p_types.table, id);
+ if (!t) {
+ yyerror2("unknown type %s", id);
+ free(id);
+ return -1;
+ }
+
+ if (*add == 0) {
+ if (ebitmap_set_bit(&set->negset, t->s.value - 1, TRUE))
+ goto oom;
+ } else {
+ if (ebitmap_set_bit(&set->types, t->s.value - 1, TRUE))
+ goto oom;
+ }
+ free(id);
+ *add = 1;
+ return 0;
+ oom:
+ yyerror("Out of memory");
+ free(id);
+ return -1;
+}
+
+int define_compute_type_helper(int which, avrule_t ** rule)
+{
+ char *id;
+ type_datum_t *datum;
+ ebitmap_t tclasses;
+ ebitmap_node_t *node;
+ avrule_t *avrule;
+ class_perm_node_t *perm;
+ uint32_t i;
+ int add = 1;
+
+ avrule = malloc(sizeof(avrule_t));
+ if (!avrule) {
+ yyerror("out of memory");
+ return -1;
+ }
+ avrule_init(avrule);
+ avrule->specified = which;
+ avrule->line = policydb_lineno;
+ avrule->source_line = source_lineno;
+ avrule->source_filename = strdup(source_file);
+ if (!avrule->source_filename) {
+ yyerror("out of memory");
+ return -1;
+ }
+
+ while ((id = queue_remove(id_queue))) {
+ if (set_types(&avrule->stypes, id, &add, 0))
+ goto bad;
+ }
+ add = 1;
+ while ((id = queue_remove(id_queue))) {
+ if (set_types(&avrule->ttypes, id, &add, 0))
+ goto bad;
+ }
+
+ ebitmap_init(&tclasses);
+ if (read_classes(&tclasses))
+ goto bad;
+
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror("no newtype?");
+ goto bad;
+ }
+ if (!is_id_in_scope(SYM_TYPES, id)) {
+ yyerror2("type %s is not within scope", id);
+ free(id);
+ goto bad;
+ }
+ datum = (type_datum_t *) hashtab_search(policydbp->p_types.table,
+ (hashtab_key_t) id);
+ if (!datum || datum->flavor == TYPE_ATTRIB) {
+ yyerror2("unknown type %s", id);
+ goto bad;
+ }
+
+ ebitmap_for_each_bit(&tclasses, node, i) {
+ if (ebitmap_node_get_bit(node, i)) {
+ perm = malloc(sizeof(class_perm_node_t));
+ if (!perm) {
+ yyerror("out of memory");
+ goto bad;
+ }
+ class_perm_node_init(perm);
+ perm->tclass = i + 1;
+ perm->data = datum->s.value;
+ perm->next = avrule->perms;
+ avrule->perms = perm;
+ }
+ }
+ ebitmap_destroy(&tclasses);
+
+ *rule = avrule;
+ return 0;
+
+ bad:
+ avrule_destroy(avrule);
+ free(avrule);
+ return -1;
+}
+
+int define_compute_type(int which)
+{
+ char *id;
+ avrule_t *avrule;
+
+ if (pass == 1) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ id = queue_remove(id_queue);
+ free(id);
+ return 0;
+ }
+
+ if (define_compute_type_helper(which, &avrule))
+ return -1;
+
+ append_avrule(avrule);
+ return 0;
+}
+
+avrule_t *define_cond_compute_type(int which)
+{
+ char *id;
+ avrule_t *avrule;
+
+ if (pass == 1) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ id = queue_remove(id_queue);
+ free(id);
+ return (avrule_t *) 1;
+ }
+
+ if (define_compute_type_helper(which, &avrule))
+ return COND_ERR;
+
+ return avrule;
+}
+
+int define_bool_tunable(int is_tunable)
+{
+ char *id, *bool_value;
+ cond_bool_datum_t *datum;
+ int ret;
+ uint32_t value;
+
+ if (pass == 2) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror("no identifier for bool definition?");
+ return -1;
+ }
+ if (id_has_dot(id)) {
+ free(id);
+ yyerror("boolean identifiers may not contain periods");
+ return -1;
+ }
+ datum = (cond_bool_datum_t *) malloc(sizeof(cond_bool_datum_t));
+ if (!datum) {
+ yyerror("out of memory");
+ free(id);
+ return -1;
+ }
+ memset(datum, 0, sizeof(cond_bool_datum_t));
+ if (is_tunable)
+ datum->flags |= COND_BOOL_FLAGS_TUNABLE;
+ ret = declare_symbol(SYM_BOOLS, id, datum, &value, &value);
+ switch (ret) {
+ case -3:{
+ yyerror("Out of memory!");
+ goto cleanup;
+ }
+ case -2:{
+ yyerror2("duplicate declaration of boolean %s", id);
+ goto cleanup;
+ }
+ case -1:{
+ yyerror("could not declare boolean here");
+ goto cleanup;
+ }
+ case 0:
+ case 1:{
+ break;
+ }
+ default:{
+ assert(0); /* should never get here */
+ }
+ }
+ datum->s.value = value;
+
+ bool_value = (char *)queue_remove(id_queue);
+ if (!bool_value) {
+ yyerror("no default value for bool definition?");
+ free(id);
+ return -1;
+ }
+
+ datum->state = (int)(bool_value[0] == 'T') ? 1 : 0;
+ return 0;
+ cleanup:
+ cond_destroy_bool(id, datum, NULL);
+ return -1;
+}
+
+avrule_t *define_cond_pol_list(avrule_t * avlist, avrule_t * sl)
+{
+ if (pass == 1) {
+ /* return something so we get through pass 1 */
+ return (avrule_t *) 1;
+ }
+
+ if (sl == NULL) {
+ /* This is a require block, return previous list */
+ return avlist;
+ }
+
+ /* prepend the new avlist to the pre-existing one */
+ sl->next = avlist;
+ return sl;
+}
+
+typedef struct av_ioctl_range {
+ uint16_t low;
+ uint16_t high;
+} av_ioctl_range_t;
+
+struct av_ioctl_range_list {
+ uint8_t omit;
+ av_ioctl_range_t range;
+ struct av_ioctl_range_list *next;
+};
+
+int avrule_sort_ioctls(struct av_ioctl_range_list **rangehead)
+{
+ struct av_ioctl_range_list *r, *r2, *sorted, *sortedhead = NULL;
+
+ /* order list by range.low */
+ for (r = *rangehead; r != NULL; r = r->next) {
+ sorted = malloc(sizeof(struct av_ioctl_range_list));
+ if (sorted == NULL)
+ goto error;
+ memcpy(sorted, r, sizeof(struct av_ioctl_range_list));
+ sorted->next = NULL;
+ if (sortedhead == NULL) {
+ sortedhead = sorted;
+ continue;
+ }
+ for (r2 = sortedhead; r2 != NULL; r2 = r2->next) {
+ if (sorted->range.low < r2->range.low) {
+ /* range is the new head */
+ sorted->next = r2;
+ sortedhead = sorted;
+ break;
+ } else if ((r2 ->next != NULL) &&
+ (r->range.low < r2->next->range.low)) {
+ /* insert range between elements */
+ sorted->next = r2->next;
+ r2->next = sorted;
+ break;
+ } else if (r2->next == NULL) {
+ /* range is the new tail*/
+ r2->next = sorted;
+ break;
+ }
+ }
+ }
+
+ r = *rangehead;
+ while (r != NULL) {
+ r2 = r;
+ r = r->next;
+ free(r2);
+ }
+ *rangehead = sortedhead;
+ return 0;
+error:
+ yyerror("out of memory");
+ return -1;
+}
+
+int avrule_merge_ioctls(struct av_ioctl_range_list **rangehead)
+{
+ struct av_ioctl_range_list *r, *tmp;
+ r = *rangehead;
+ while (r != NULL && r->next != NULL) {
+ /* merge */
+ if ((r->range.high + 1) >= r->next->range.low) {
+ /* keep the higher of the two */
+ if (r->range.high < r->next->range.high)
+ r->range.high = r->next->range.high;
+ tmp = r->next;
+ r->next = r->next->next;
+ free(tmp);
+ continue;
+ }
+ r = r->next;
+ }
+ return 0;
+}
+
+int avrule_read_ioctls(struct av_ioctl_range_list **rangehead)
+{
+ char *id;
+ struct av_ioctl_range_list *rnew, *r = NULL;
+ *rangehead = NULL;
+ uint8_t omit = 0;
+
+ /* read in all the ioctl commands */
+ while ((id = queue_remove(id_queue))) {
+ if (strcmp(id,"~") == 0) {
+ /* these are values to be omitted */
+ free(id);
+ omit = 1;
+ } else if (strcmp(id,"-") == 0) {
+ /* high value of range */
+ free(id);
+ id = queue_remove(id_queue);
+ r->range.high = (uint16_t) strtoul(id,NULL,0);
+ if (r->range.high < r->range.low) {
+ yyerror("Ioctl ranges must be in ascending order.");
+ return -1;
+ }
+ free(id);
+ } else {
+ /* read in new low value */
+ rnew = malloc(sizeof(struct av_ioctl_range_list));
+ if (rnew == NULL)
+ goto error;
+ rnew->next = NULL;
+ if (*rangehead == NULL) {
+ *rangehead = rnew;
+ r = *rangehead;
+ } else {
+ r->next = rnew;
+ r = r->next;
+ }
+ rnew->range.low = (uint16_t) strtoul(id,NULL,0);
+ rnew->range.high = rnew->range.low;
+ free(id);
+ }
+ }
+ r = *rangehead;
+ r->omit = omit;
+ return 0;
+error:
+ yyerror("out of memory");
+ return -1;
+}
+
+/* flip to included ranges */
+int avrule_omit_ioctls(struct av_ioctl_range_list **rangehead)
+{
+ struct av_ioctl_range_list *rnew, *r, *newhead, *r2;
+
+ rnew = calloc(1, sizeof(struct av_ioctl_range_list));
+ if (!rnew)
+ goto error;
+
+ newhead = rnew;
+
+ r = *rangehead;
+ r2 = newhead;
+
+ if (r->range.low == 0) {
+ r2->range.low = r->range.high + 1;
+ r = r->next;
+ } else {
+ r2->range.low = 0;
+ }
+
+ while (r) {
+ r2->range.high = r->range.low - 1;
+ rnew = calloc(1, sizeof(struct av_ioctl_range_list));
+ if (!rnew)
+ goto error;
+ r2->next = rnew;
+ r2 = r2->next;
+
+ r2->range.low = r->range.high + 1;
+ if (!r->next)
+ r2->range.high = 0xffff;
+ r = r->next;
+ }
+
+ r = *rangehead;
+ while (r != NULL) {
+ r2 = r;
+ r = r->next;
+ free(r2);
+ }
+ *rangehead = newhead;
+ return 0;
+
+error:
+ yyerror("out of memory");
+ return -1;
+}
+
+int avrule_ioctl_ranges(struct av_ioctl_range_list **rangelist)
+{
+ struct av_ioctl_range_list *rangehead;
+ uint8_t omit;
+
+ /* read in ranges to include and omit */
+ if (avrule_read_ioctls(&rangehead))
+ return -1;
+ omit = rangehead->omit;
+ if (rangehead == NULL) {
+ yyerror("error processing ioctl commands");
+ return -1;
+ }
+ /* sort and merge the input ioctls */
+ if (avrule_sort_ioctls(&rangehead))
+ return -1;
+ if (avrule_merge_ioctls(&rangehead))
+ return -1;
+ /* flip ranges if these are ommited*/
+ if (omit) {
+ if (avrule_omit_ioctls(&rangehead))
+ return -1;
+ }
+
+ *rangelist = rangehead;
+ return 0;
+}
+
+int define_te_avtab_xperms_helper(int which, avrule_t ** rule)
+{
+ char *id;
+ class_perm_node_t *perms, *tail = NULL, *cur_perms = NULL;
+ class_datum_t *cladatum;
+ perm_datum_t *perdatum = NULL;
+ ebitmap_t tclasses;
+ ebitmap_node_t *node;
+ avrule_t *avrule;
+ unsigned int i;
+ int add = 1, ret = 0;
+
+ avrule = (avrule_t *) malloc(sizeof(avrule_t));
+ if (!avrule) {
+ yyerror("out of memory");
+ ret = -1;
+ goto out;
+ }
+ avrule_init(avrule);
+ avrule->specified = which;
+ avrule->line = policydb_lineno;
+ avrule->source_line = source_lineno;
+ avrule->source_filename = strdup(source_file);
+ avrule->xperms = NULL;
+ if (!avrule->source_filename) {
+ yyerror("out of memory");
+ return -1;
+ }
+
+ while ((id = queue_remove(id_queue))) {
+ if (set_types
+ (&avrule->stypes, id, &add,
+ which == AVRULE_XPERMS_NEVERALLOW ? 1 : 0)) {
+ ret = -1;
+ goto out;
+ }
+ }
+ add = 1;
+ while ((id = queue_remove(id_queue))) {
+ if (strcmp(id, "self") == 0) {
+ free(id);
+ avrule->flags |= RULE_SELF;
+ continue;
+ }
+ if (set_types
+ (&avrule->ttypes, id, &add,
+ which == AVRULE_XPERMS_NEVERALLOW ? 1 : 0)) {
+ ret = -1;
+ goto out;
+ }
+ }
+
+ ebitmap_init(&tclasses);
+ ret = read_classes(&tclasses);
+ if (ret)
+ goto out;
+
+ perms = NULL;
+ id = queue_head(id_queue);
+ ebitmap_for_each_bit(&tclasses, node, i) {
+ if (!ebitmap_node_get_bit(node, i))
+ continue;
+ cur_perms =
+ (class_perm_node_t *) malloc(sizeof(class_perm_node_t));
+ if (!cur_perms) {
+ yyerror("out of memory");
+ ret = -1;
+ goto out;
+ }
+ class_perm_node_init(cur_perms);
+ cur_perms->tclass = i + 1;
+ if (!perms)
+ perms = cur_perms;
+ if (tail)
+ tail->next = cur_perms;
+ tail = cur_perms;
+
+ cladatum = policydbp->class_val_to_struct[i];
+ perdatum = hashtab_search(cladatum->permissions.table, id);
+ if (!perdatum) {
+ if (cladatum->comdatum) {
+ perdatum = hashtab_search(cladatum->comdatum->
+ permissions.table,
+ id);
+ }
+ }
+ if (!perdatum) {
+ yyerror2("permission %s is not defined"
+ " for class %s", id,
+ policydbp->p_class_val_to_name[i]);
+ continue;
+ } else if (!is_perm_in_scope (id, policydbp->p_class_val_to_name[i])) {
+ yyerror2("permission %s of class %s is"
+ " not within scope", id,
+ policydbp->p_class_val_to_name[i]);
+ continue;
+ } else {
+ cur_perms->data |= 1U << (perdatum->s.value - 1);
+ }
+ }
+
+ ebitmap_destroy(&tclasses);
+
+ avrule->perms = perms;
+ *rule = avrule;
+
+out:
+ return ret;
+}
+
+/* index of the u32 containing the permission */
+#define XPERM_IDX(x) (x >> 5)
+/* set bits 0 through x-1 within the u32 */
+#define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1)
+/* low value for this u32 */
+#define XPERM_LOW(x) (x << 5)
+/* high value for this u32 */
+#define XPERM_HIGH(x) (((x + 1) << 5) - 1)
+void avrule_xperm_setrangebits(uint16_t low, uint16_t high,
+ av_extended_perms_t *xperms)
+{
+ unsigned int i;
+ uint16_t h = high + 1;
+ /* for each u32 that this low-high range touches, set driver permissions */
+ for (i = XPERM_IDX(low); i <= XPERM_IDX(high); i++) {
+ /* set all bits in u32 */
+ if ((low <= XPERM_LOW(i)) && (high >= XPERM_HIGH(i)))
+ xperms->perms[i] |= ~0U;
+ /* set low bits */
+ else if ((low <= XPERM_LOW(i)) && (high < XPERM_HIGH(i)))
+ xperms->perms[i] |= XPERM_SETBITS(h);
+ /* set high bits */
+ else if ((low > XPERM_LOW(i)) && (high >= XPERM_HIGH(i)))
+ xperms->perms[i] |= ~0U - XPERM_SETBITS(low);
+ /* set middle bits */
+ else if ((low > XPERM_LOW(i)) && (high <= XPERM_HIGH(i)))
+ xperms->perms[i] |= XPERM_SETBITS(h) - XPERM_SETBITS(low);
+ }
+}
+
+int avrule_xperms_used(av_extended_perms_t *xperms)
+{
+ unsigned int i;
+
+ for (i = 0; i < sizeof(xperms->perms)/sizeof(xperms->perms[0]); i++) {
+ if (xperms->perms[i])
+ return 1;
+ }
+ return 0;
+}
+
+/*
+ * using definitions found in kernel document ioctl-number.txt
+ * The kernel components of an ioctl command are:
+ * dir, size, driver, and fucntion. Only the driver and function fields
+ * are considered here
+ */
+#define IOC_DRIV(x) (x >> 8)
+#define IOC_FUNC(x) (x & 0xff)
+#define IOC_CMD(driver, func) ((driver << 8) + func)
+int avrule_ioctl_partialdriver(struct av_ioctl_range_list *rangelist,
+ av_extended_perms_t *complete_driver,
+ av_extended_perms_t **extended_perms)
+{
+ struct av_ioctl_range_list *r;
+ av_extended_perms_t *xperms;
+ uint8_t low, high;
+
+ xperms = calloc(1, sizeof(av_extended_perms_t));
+ if (!xperms) {
+ yyerror("out of memory");
+ return - 1;
+ }
+
+ r = rangelist;
+ while(r) {
+ low = IOC_DRIV(r->range.low);
+ high = IOC_DRIV(r->range.high);
+ if (complete_driver) {
+ if (!xperm_test(low, complete_driver->perms))
+ xperm_set(low, xperms->perms);
+ if (!xperm_test(high, complete_driver->perms))
+ xperm_set(high, xperms->perms);
+ } else {
+ xperm_set(low, xperms->perms);
+ xperm_set(high, xperms->perms);
+ }
+ r = r->next;
+ }
+ if (avrule_xperms_used(xperms)) {
+ *extended_perms = xperms;
+ } else {
+ free(xperms);
+ *extended_perms = NULL;
+ }
+ return 0;
+
+}
+
+int avrule_ioctl_completedriver(struct av_ioctl_range_list *rangelist,
+ av_extended_perms_t **extended_perms)
+{
+ struct av_ioctl_range_list *r;
+ av_extended_perms_t *xperms;
+ uint16_t low, high;
+ xperms = calloc(1, sizeof(av_extended_perms_t));
+ if (!xperms) {
+ yyerror("out of memory");
+ return - 1;
+ }
+
+ r = rangelist;
+ while(r) {
+ /*
+ * Any driver code that has sequence 0x00 - 0xff is a complete code,
+ *
+ * if command number = 0xff, then round high up to next code,
+ * else 0x00 - 0xfe keep current code
+ * of this range. temporarily u32 for the + 1
+ * to account for possible rollover before right shift
+ */
+ high = IOC_DRIV((uint32_t) (r->range.high + 1));
+ /* if 0x00 keep current driver code else 0x01 - 0xff round up to next code*/
+ low = IOC_DRIV(r->range.low);
+ if (IOC_FUNC(r->range.low))
+ low++;
+ if (high > low)
+ avrule_xperm_setrangebits(low, high - 1, xperms);
+ r = r->next;
+ }
+ if (avrule_xperms_used(xperms)) {
+ xperms->driver = 0x00;
+ xperms->specified = AVRULE_XPERMS_IOCTLDRIVER;
+ *extended_perms = xperms;
+ } else {
+ free(xperms);
+ *extended_perms = NULL;
+ }
+ return 0;
+}
+
+int avrule_ioctl_func(struct av_ioctl_range_list *rangelist,
+ av_extended_perms_t **extended_perms, unsigned int driver)
+{
+ struct av_ioctl_range_list *r;
+ av_extended_perms_t *xperms;
+ uint16_t low, high;
+
+ *extended_perms = NULL;
+ xperms = calloc(1, sizeof(av_extended_perms_t));
+ if (!xperms) {
+ yyerror("out of memory");
+ return - 1;
+ }
+
+ r = rangelist;
+ /* for the passed in driver code, find the ranges that apply */
+ while (r) {
+ low = r->range.low;
+ high = r->range.high;
+ if ((driver != IOC_DRIV(low)) && (driver != IOC_DRIV(high))) {
+ r = r->next;
+ continue;
+ }
+
+ if (driver == IOC_DRIV(low)) {
+ if (high > IOC_CMD(driver, 0xff))
+ high = IOC_CMD(driver, 0xff);
+
+ } else {
+ if (low < IOC_CMD(driver, 0))
+ low = IOC_CMD(driver, 0);
+ }
+
+ low = IOC_FUNC(low);
+ high = IOC_FUNC(high);
+ avrule_xperm_setrangebits(low, high, xperms);
+ xperms->driver = driver;
+ xperms->specified = AVRULE_XPERMS_IOCTLFUNCTION;
+ r = r->next;
+ }
+
+ if (avrule_xperms_used(xperms)) {
+ *extended_perms = xperms;
+ } else {
+ free(xperms);
+ *extended_perms = NULL;
+ }
+ return 0;
+}
+
+void avrule_ioctl_freeranges(struct av_ioctl_range_list *rangelist)
+{
+ struct av_ioctl_range_list *r, *tmp;
+ r = rangelist;
+ while (r) {
+ tmp = r;
+ r = r->next;
+ free(tmp);
+ }
+}
+
+unsigned int xperms_for_each_bit(unsigned int *bit, av_extended_perms_t *xperms)
+{
+ unsigned int i;
+ for (i = *bit; i < sizeof(xperms->perms)*8; i++) {
+ if (xperm_test(i,xperms->perms)) {
+ xperm_clear(i, xperms->perms);
+ *bit = i;
+ return 1;
+ }
+ }
+ return 0;
+}
+
+int avrule_cpy(avrule_t *dest, avrule_t *src)
+{
+ class_perm_node_t *src_perms;
+ class_perm_node_t *dest_perms, *dest_tail;
+ dest_tail = NULL;
+
+ avrule_init(dest);
+ dest->specified = src->specified;
+ dest->flags = src->flags;
+ if (type_set_cpy(&dest->stypes, &src->stypes)) {
+ yyerror("out of memory");
+ return - 1;
+ }
+ if (type_set_cpy(&dest->ttypes, &src->ttypes)) {
+ yyerror("out of memory");
+ return - 1;
+ }
+ dest->line = src->line;
+ dest->source_filename = strdup(source_file);
+ if (!dest->source_filename) {
+ yyerror("out of memory");
+ return -1;
+ }
+ dest->source_line = src->source_line;
+
+ /* increment through the class perms and copy over */
+ src_perms = src->perms;
+ while (src_perms) {
+ dest_perms = (class_perm_node_t *) calloc(1, sizeof(class_perm_node_t));
+ class_perm_node_init(dest_perms);
+ if (!dest_perms) {
+ yyerror("out of memory");
+ return -1;
+ }
+ if (!dest->perms)
+ dest->perms = dest_perms;
+ else
+ dest_tail->next = dest_perms;
+
+ dest_perms->tclass = src_perms->tclass;
+ dest_perms->data = src_perms->data;
+ dest_perms->next = NULL;
+ dest_tail = dest_perms;
+ src_perms = src_perms->next;
+ }
+ return 0;
+}
+
+int define_te_avtab_ioctl(avrule_t *avrule_template)
+{
+ avrule_t *avrule;
+ struct av_ioctl_range_list *rangelist;
+ av_extended_perms_t *complete_driver, *partial_driver, *xperms;
+ unsigned int i;
+
+
+ /* organize ioctl ranges */
+ if (avrule_ioctl_ranges(&rangelist))
+ return -1;
+
+ /* create rule for ioctl driver types that are entirely enabled */
+ if (avrule_ioctl_completedriver(rangelist, &complete_driver))
+ return -1;
+ if (complete_driver) {
+ avrule = (avrule_t *) calloc(1, sizeof(avrule_t));
+ if (!avrule) {
+ yyerror("out of memory");
+ return -1;
+ }
+ if (avrule_cpy(avrule, avrule_template))
+ return -1;
+ avrule->xperms = complete_driver;
+ append_avrule(avrule);
+ }
+
+ /* flag ioctl driver codes that are partially enabled */
+ if (avrule_ioctl_partialdriver(rangelist, complete_driver, &partial_driver))
+ return -1;
+
+ if (!partial_driver || !avrule_xperms_used(partial_driver))
+ goto done;
+
+ /*
+ * create rule for each partially used driver codes
+ * "partially used" meaning that the code number e.g. socket 0x89
+ * has some permission bits set and others not set.
+ */
+ i = 0;
+ while (xperms_for_each_bit(&i, partial_driver)) {
+ if (avrule_ioctl_func(rangelist, &xperms, i))
+ return -1;
+
+ if (xperms) {
+ avrule = (avrule_t *) calloc(1, sizeof(avrule_t));
+ if (!avrule) {
+ yyerror("out of memory");
+ return -1;
+ }
+ if (avrule_cpy(avrule, avrule_template))
+ return -1;
+ avrule->xperms = xperms;
+ append_avrule(avrule);
+ }
+ }
+
+done:
+ if (partial_driver)
+ free(partial_driver);
+
+ return 0;
+}
+
+int define_te_avtab_extended_perms(int which)
+{
+ char *id;
+ unsigned int i;
+ avrule_t *avrule_template;
+
+ if (pass == 1) {
+ for (i = 0; i < 4; i++) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ }
+ return 0;
+ }
+
+ /* populate avrule template with source/target/tclass */
+ if (define_te_avtab_xperms_helper(which, &avrule_template))
+ return -1;
+
+ id = queue_remove(id_queue);
+ if (strcmp(id,"ioctl") == 0) {
+ if (define_te_avtab_ioctl(avrule_template))
+ return -1;
+ free(id);
+ } else {
+ yyerror("only ioctl extended permissions are supported");
+ return -1;
+ }
+ return 0;
+}
+
+int define_te_avtab_helper(int which, avrule_t ** rule)
+{
+ char *id;
+ class_datum_t *cladatum;
+ perm_datum_t *perdatum = NULL;
+ class_perm_node_t *perms, *tail = NULL, *cur_perms = NULL;
+ ebitmap_t tclasses;
+ ebitmap_node_t *node;
+ avrule_t *avrule;
+ unsigned int i;
+ int add = 1, ret = 0;
+ int suppress = 0;
+
+ avrule = (avrule_t *) malloc(sizeof(avrule_t));
+ if (!avrule) {
+ yyerror("memory error");
+ ret = -1;
+ goto out;
+ }
+ avrule_init(avrule);
+ avrule->specified = which;
+ avrule->line = policydb_lineno;
+ avrule->source_line = source_lineno;
+ avrule->source_filename = strdup(source_file);
+ avrule->xperms = NULL;
+ if (!avrule->source_filename) {
+ yyerror("out of memory");
+ return -1;
+ }
+
+
+ while ((id = queue_remove(id_queue))) {
+ if (set_types
+ (&avrule->stypes, id, &add,
+ which == AVRULE_NEVERALLOW ? 1 : 0)) {
+ ret = -1;
+ goto out;
+ }
+ }
+ add = 1;
+ while ((id = queue_remove(id_queue))) {
+ if (strcmp(id, "self") == 0) {
+ free(id);
+ avrule->flags |= RULE_SELF;
+ continue;
+ }
+ if (set_types
+ (&avrule->ttypes, id, &add,
+ which == AVRULE_NEVERALLOW ? 1 : 0)) {
+ ret = -1;
+ goto out;
+ }
+ }
+
+ ebitmap_init(&tclasses);
+ ret = read_classes(&tclasses);
+ if (ret)
+ goto out;
+
+ perms = NULL;
+ ebitmap_for_each_bit(&tclasses, node, i) {
+ if (!ebitmap_node_get_bit(node, i))
+ continue;
+ cur_perms =
+ (class_perm_node_t *) malloc(sizeof(class_perm_node_t));
+ if (!cur_perms) {
+ yyerror("out of memory");
+ ret = -1;
+ goto out;
+ }
+ class_perm_node_init(cur_perms);
+ cur_perms->tclass = i + 1;
+ if (!perms)
+ perms = cur_perms;
+ if (tail)
+ tail->next = cur_perms;
+ tail = cur_perms;
+ }
+
+ while ((id = queue_remove(id_queue))) {
+ cur_perms = perms;
+ ebitmap_for_each_bit(&tclasses, node, i) {
+ if (!ebitmap_node_get_bit(node, i))
+ continue;
+ cladatum = policydbp->class_val_to_struct[i];
+
+ if (strcmp(id, "*") == 0) {
+ /* set all permissions in the class */
+ cur_perms->data = ~0U;
+ goto next;
+ }
+
+ if (strcmp(id, "~") == 0) {
+ /* complement the set */
+ if (which == AVRULE_DONTAUDIT)
+ yywarn("dontaudit rule with a ~?");
+ cur_perms->data = ~cur_perms->data;
+ goto next;
+ }
+
+ perdatum =
+ hashtab_search(cladatum->permissions.table, id);
+ if (!perdatum) {
+ if (cladatum->comdatum) {
+ perdatum =
+ hashtab_search(cladatum->comdatum->
+ permissions.table,
+ id);
+ }
+ }
+ if (!perdatum) {
+ if (!suppress)
+ yyerror2("permission %s is not defined"
+ " for class %s", id,
+ policydbp->p_class_val_to_name[i]);
+ continue;
+ } else
+ if (!is_perm_in_scope
+ (id, policydbp->p_class_val_to_name[i])) {
+ if (!suppress) {
+ yyerror2("permission %s of class %s is"
+ " not within scope", id,
+ policydbp->p_class_val_to_name[i]);
+ }
+ continue;
+ } else {
+ cur_perms->data |= 1U << (perdatum->s.value - 1);
+ }
+ next:
+ cur_perms = cur_perms->next;
+ }
+
+ free(id);
+ }
+
+ ebitmap_destroy(&tclasses);
+
+ avrule->perms = perms;
+ *rule = avrule;
+
+ out:
+ return ret;
+
+}
+
+avrule_t *define_cond_te_avtab(int which)
+{
+ char *id;
+ avrule_t *avrule;
+ int i;
+
+ if (pass == 1) {
+ for (i = 0; i < 4; i++) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ }
+ return (avrule_t *) 1; /* any non-NULL value */
+ }
+
+ if (define_te_avtab_helper(which, &avrule))
+ return COND_ERR;
+
+ return avrule;
+}
+
+int define_te_avtab(int which)
+{
+ char *id;
+ avrule_t *avrule;
+ int i;
+
+ if (pass == 1) {
+ for (i = 0; i < 4; i++) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ }
+ return 0;
+ }
+
+ if (define_te_avtab_helper(which, &avrule))
+ return -1;
+
+ /* append this avrule to the end of the current rules list */
+ append_avrule(avrule);
+ return 0;
+}
+
+/* The role-types rule is no longer used to declare regular role or
+ * role attribute, but solely aimed for declaring role-types associations.
+ */
+int define_role_types(void)
+{
+ role_datum_t *role;
+ char *id;
+ int add = 1;
+
+ if (pass == 1) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror("no role name for role-types rule?");
+ return -1;
+ }
+
+ if (!is_id_in_scope(SYM_ROLES, id)) {
+ yyerror2("role %s is not within scope", id);
+ free(id);
+ return -1;
+ }
+
+ role = hashtab_search(policydbp->p_roles.table, id);
+ if (!role) {
+ yyerror2("unknown role %s", id);
+ free(id);
+ return -1;
+ }
+
+ while ((id = queue_remove(id_queue))) {
+ if (set_types(&role->types, id, &add, 0))
+ return -1;
+ }
+
+ return 0;
+}
+
+int define_attrib_role(void)
+{
+ if (pass == 2) {
+ free(queue_remove(id_queue));
+ return 0;
+ }
+
+ /* Declare a role attribute */
+ if (declare_role(TRUE) == NULL)
+ return -1;
+
+ return 0;
+}
+
+int define_role_attr(void)
+{
+ char *id;
+ role_datum_t *r, *attr;
+
+ if (pass == 2) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ /* Declare a regular role */
+ if ((r = declare_role(FALSE)) == NULL)
+ return -1;
+
+ while ((id = queue_remove(id_queue))) {
+ if (!is_id_in_scope(SYM_ROLES, id)) {
+ yyerror2("attribute %s is not within scope", id);
+ free(id);
+ return -1;
+ }
+ attr = hashtab_search(policydbp->p_roles.table, id);
+ if (!attr) {
+ /* treat it as a fatal error */
+ yyerror2("role attribute %s is not declared", id);
+ free(id);
+ return -1;
+ }
+
+ if (attr->flavor != ROLE_ATTRIB) {
+ yyerror2("%s is a regular role, not an attribute", id);
+ free(id);
+ return -1;
+ }
+
+ if ((attr = get_local_role(id, attr->s.value, 1)) == NULL) {
+ yyerror("Out of memory!");
+ return -1;
+ }
+
+ if (ebitmap_set_bit(&attr->roles, (r->s.value - 1), TRUE)) {
+ yyerror("out of memory");
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
+int define_roleattribute(void)
+{
+ char *id;
+ role_datum_t *r, *attr;
+
+ if (pass == 2) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror("no role name for roleattribute definition?");
+ return -1;
+ }
+
+ if (!is_id_in_scope(SYM_ROLES, id)) {
+ yyerror2("role %s is not within scope", id);
+ free(id);
+ return -1;
+ }
+ r = hashtab_search(policydbp->p_roles.table, id);
+ /* We support adding one role attribute into another */
+ if (!r) {
+ yyerror2("unknown role %s", id);
+ free(id);
+ return -1;
+ }
+
+ while ((id = queue_remove(id_queue))) {
+ if (!is_id_in_scope(SYM_ROLES, id)) {
+ yyerror2("attribute %s is not within scope", id);
+ free(id);
+ return -1;
+ }
+ attr = hashtab_search(policydbp->p_roles.table, id);
+ if (!attr) {
+ /* treat it as a fatal error */
+ yyerror2("role attribute %s is not declared", id);
+ free(id);
+ return -1;
+ }
+
+ if (attr->flavor != ROLE_ATTRIB) {
+ yyerror2("%s is a regular role, not an attribute", id);
+ free(id);
+ return -1;
+ }
+
+ if ((attr = get_local_role(id, attr->s.value, 1)) == NULL) {
+ yyerror("Out of memory!");
+ return -1;
+ }
+
+ if (ebitmap_set_bit(&attr->roles, (r->s.value - 1), TRUE)) {
+ yyerror("out of memory");
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
+role_datum_t *merge_roles_dom(role_datum_t * r1, role_datum_t * r2)
+{
+ role_datum_t *new;
+
+ if (pass == 1) {
+ return (role_datum_t *) 1; /* any non-NULL value */
+ }
+
+ new = malloc(sizeof(role_datum_t));
+ if (!new) {
+ yyerror("out of memory");
+ return NULL;
+ }
+ memset(new, 0, sizeof(role_datum_t));
+ new->s.value = 0; /* temporary role */
+ if (ebitmap_or(&new->dominates, &r1->dominates, &r2->dominates)) {
+ yyerror("out of memory");
+ free(new);
+ return NULL;
+ }
+ if (ebitmap_or(&new->types.types, &r1->types.types, &r2->types.types)) {
+ yyerror("out of memory");
+ free(new);
+ return NULL;
+ }
+ if (!r1->s.value) {
+ /* free intermediate result */
+ type_set_destroy(&r1->types);
+ ebitmap_destroy(&r1->dominates);
+ free(r1);
+ }
+ if (!r2->s.value) {
+ /* free intermediate result */
+ yyerror("right hand role is temporary?");
+ type_set_destroy(&r2->types);
+ ebitmap_destroy(&r2->dominates);
+ free(r2);
+ }
+ return new;
+}
+
+/* This function eliminates the ordering dependency of role dominance rule */
+static int dominate_role_recheck(hashtab_key_t key __attribute__ ((unused)),
+ hashtab_datum_t datum, void *arg)
+{
+ role_datum_t *rdp = (role_datum_t *) arg;
+ role_datum_t *rdatum = (role_datum_t *) datum;
+ ebitmap_node_t *node;
+ uint32_t i;
+
+ /* Don't bother to process against self role */
+ if (rdatum->s.value == rdp->s.value)
+ return 0;
+
+ /* If a dominating role found */
+ if (ebitmap_get_bit(&(rdatum->dominates), rdp->s.value - 1)) {
+ ebitmap_t types;
+ ebitmap_init(&types);
+ if (type_set_expand(&rdp->types, &types, policydbp, 1)) {
+ ebitmap_destroy(&types);
+ return -1;
+ }
+ /* raise types and dominates from dominated role */
+ ebitmap_for_each_bit(&rdp->dominates, node, i) {
+ if (ebitmap_node_get_bit(node, i))
+ if (ebitmap_set_bit
+ (&rdatum->dominates, i, TRUE))
+ goto oom;
+ }
+ ebitmap_for_each_bit(&types, node, i) {
+ if (ebitmap_node_get_bit(node, i))
+ if (ebitmap_set_bit
+ (&rdatum->types.types, i, TRUE))
+ goto oom;
+ }
+ ebitmap_destroy(&types);
+ }
+
+ /* go through all the roles */
+ return 0;
+ oom:
+ yyerror("Out of memory");
+ return -1;
+}
+
+role_datum_t *define_role_dom(role_datum_t * r)
+{
+ role_datum_t *role;
+ char *role_id;
+ ebitmap_node_t *node;
+ unsigned int i;
+ int ret;
+
+ if (pass == 1) {
+ role_id = queue_remove(id_queue);
+ free(role_id);
+ return (role_datum_t *) 1; /* any non-NULL value */
+ }
+
+ yywarn("Role dominance has been deprecated");
+
+ role_id = queue_remove(id_queue);
+ if (!is_id_in_scope(SYM_ROLES, role_id)) {
+ yyerror2("role %s is not within scope", role_id);
+ free(role_id);
+ return NULL;
+ }
+ role = (role_datum_t *) hashtab_search(policydbp->p_roles.table,
+ role_id);
+ if (!role) {
+ role = (role_datum_t *) malloc(sizeof(role_datum_t));
+ if (!role) {
+ yyerror("out of memory");
+ free(role_id);
+ return NULL;
+ }
+ memset(role, 0, sizeof(role_datum_t));
+ ret =
+ declare_symbol(SYM_ROLES, (hashtab_key_t) role_id,
+ (hashtab_datum_t) role, &role->s.value,
+ &role->s.value);
+ switch (ret) {
+ case -3:{
+ yyerror("Out of memory!");
+ goto cleanup;
+ }
+ case -2:{
+ yyerror2("duplicate declaration of role %s",
+ role_id);
+ goto cleanup;
+ }
+ case -1:{
+ yyerror("could not declare role here");
+ goto cleanup;
+ }
+ case 0:
+ case 1:{
+ break;
+ }
+ default:{
+ assert(0); /* should never get here */
+ }
+ }
+ if (ebitmap_set_bit(&role->dominates, role->s.value - 1, TRUE)) {
+ yyerror("Out of memory!");
+ goto cleanup;
+ }
+ }
+ if (r) {
+ ebitmap_t types;
+ ebitmap_init(&types);
+ ebitmap_for_each_bit(&r->dominates, node, i) {
+ if (ebitmap_node_get_bit(node, i))
+ if (ebitmap_set_bit(&role->dominates, i, TRUE))
+ goto oom;
+ }
+ if (type_set_expand(&r->types, &types, policydbp, 1)) {
+ ebitmap_destroy(&types);
+ return NULL;
+ }
+ ebitmap_for_each_bit(&types, node, i) {
+ if (ebitmap_node_get_bit(node, i))
+ if (ebitmap_set_bit
+ (&role->types.types, i, TRUE))
+ goto oom;
+ }
+ ebitmap_destroy(&types);
+ if (!r->s.value) {
+ /* free intermediate result */
+ type_set_destroy(&r->types);
+ ebitmap_destroy(&r->dominates);
+ free(r);
+ }
+ /*
+ * Now go through all the roles and escalate this role's
+ * dominates and types if a role dominates this role.
+ */
+ hashtab_map(policydbp->p_roles.table,
+ dominate_role_recheck, role);
+ }
+ return role;
+ cleanup:
+ free(role_id);
+ role_datum_destroy(role);
+ free(role);
+ return NULL;
+ oom:
+ yyerror("Out of memory");
+ goto cleanup;
+}
+
+static int role_val_to_name_helper(hashtab_key_t key, hashtab_datum_t datum,
+ void *p)
+{
+ struct val_to_name *v = p;
+ role_datum_t *roldatum;
+
+ roldatum = (role_datum_t *) datum;
+
+ if (v->val == roldatum->s.value) {
+ v->name = key;
+ return 1;
+ }
+
+ return 0;
+}
+
+static char *role_val_to_name(unsigned int val)
+{
+ struct val_to_name v;
+ int rc;
+
+ v.val = val;
+ rc = hashtab_map(policydbp->p_roles.table, role_val_to_name_helper, &v);
+ if (rc)
+ return v.name;
+ return NULL;
+}
+
+static int set_roles(role_set_t * set, char *id)
+{
+ role_datum_t *r;
+
+ if (strcmp(id, "*") == 0) {
+ free(id);
+ yyerror("* is not allowed for role sets");
+ return -1;
+ }
+
+ if (strcmp(id, "~") == 0) {
+ free(id);
+ yyerror("~ is not allowed for role sets");
+ return -1;
+ }
+ if (!is_id_in_scope(SYM_ROLES, id)) {
+ yyerror2("role %s is not within scope", id);
+ free(id);
+ return -1;
+ }
+ r = hashtab_search(policydbp->p_roles.table, id);
+ if (!r) {
+ yyerror2("unknown role %s", id);
+ free(id);
+ return -1;
+ }
+
+ if (ebitmap_set_bit(&set->roles, r->s.value - 1, TRUE)) {
+ yyerror("out of memory");
+ free(id);
+ return -1;
+ }
+ free(id);
+ return 0;
+}
+
+int define_role_trans(int class_specified)
+{
+ char *id;
+ role_datum_t *role;
+ role_set_t roles;
+ type_set_t types;
+ class_datum_t *cladatum;
+ ebitmap_t e_types, e_roles, e_classes;
+ ebitmap_node_t *tnode, *rnode, *cnode;
+ struct role_trans *tr = NULL;
+ struct role_trans_rule *rule = NULL;
+ unsigned int i, j, k;
+ int add = 1;
+
+ if (pass == 1) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ if (class_specified)
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ id = queue_remove(id_queue);
+ free(id);
+ return 0;
+ }
+
+ role_set_init(&roles);
+ ebitmap_init(&e_roles);
+ type_set_init(&types);
+ ebitmap_init(&e_types);
+ ebitmap_init(&e_classes);
+
+ while ((id = queue_remove(id_queue))) {
+ if (set_roles(&roles, id))
+ return -1;
+ }
+ add = 1;
+ while ((id = queue_remove(id_queue))) {
+ if (set_types(&types, id, &add, 0))
+ return -1;
+ }
+
+ if (class_specified) {
+ if (read_classes(&e_classes))
+ return -1;
+ } else {
+ cladatum = hashtab_search(policydbp->p_classes.table,
+ "process");
+ if (!cladatum) {
+ yyerror2("could not find process class for "
+ "legacy role_transition statement");
+ return -1;
+ }
+
+ if (ebitmap_set_bit(&e_classes, cladatum->s.value - 1, TRUE)) {
+ yyerror("out of memory");
+ return -1;
+ }
+ }
+
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror("no new role in transition definition?");
+ goto bad;
+ }
+ if (!is_id_in_scope(SYM_ROLES, id)) {
+ yyerror2("role %s is not within scope", id);
+ free(id);
+ goto bad;
+ }
+ role = hashtab_search(policydbp->p_roles.table, id);
+ if (!role) {
+ yyerror2("unknown role %s used in transition definition", id);
+ goto bad;
+ }
+
+ if (role->flavor != ROLE_ROLE) {
+ yyerror2("the new role %s must be a regular role", id);
+ goto bad;
+ }
+
+ /* This ebitmap business is just to ensure that there are not conflicting role_trans rules */
+ if (role_set_expand(&roles, &e_roles, policydbp, NULL, NULL))
+ goto bad;
+
+ if (type_set_expand(&types, &e_types, policydbp, 1))
+ goto bad;
+
+ ebitmap_for_each_bit(&e_roles, rnode, i) {
+ if (!ebitmap_node_get_bit(rnode, i))
+ continue;
+ ebitmap_for_each_bit(&e_types, tnode, j) {
+ if (!ebitmap_node_get_bit(tnode, j))
+ continue;
+ ebitmap_for_each_bit(&e_classes, cnode, k) {
+ if (!ebitmap_node_get_bit(cnode, k))
+ continue;
+ for (tr = policydbp->role_tr; tr;
+ tr = tr->next) {
+ if (tr->role == (i + 1) &&
+ tr->type == (j + 1) &&
+ tr->tclass == (k + 1)) {
+ yyerror2("duplicate role "
+ "transition for "
+ "(%s,%s,%s)",
+ role_val_to_name(i+1),
+ policydbp->p_type_val_to_name[j],
+ policydbp->p_class_val_to_name[k]);
+ goto bad;
+ }
+ }
+
+ tr = malloc(sizeof(struct role_trans));
+ if (!tr) {
+ yyerror("out of memory");
+ return -1;
+ }
+ memset(tr, 0, sizeof(struct role_trans));
+ tr->role = i + 1;
+ tr->type = j + 1;
+ tr->tclass = k + 1;
+ tr->new_role = role->s.value;
+ tr->next = policydbp->role_tr;
+ policydbp->role_tr = tr;
+ }
+ }
+ }
+ /* Now add the real rule */
+ rule = malloc(sizeof(struct role_trans_rule));
+ if (!rule) {
+ yyerror("out of memory");
+ return -1;
+ }
+ memset(rule, 0, sizeof(struct role_trans_rule));
+ rule->roles = roles;
+ rule->types = types;
+ rule->classes = e_classes;
+ rule->new_role = role->s.value;
+
+ append_role_trans(rule);
+
+ ebitmap_destroy(&e_roles);
+ ebitmap_destroy(&e_types);
+
+ return 0;
+
+ bad:
+ return -1;
+}
+
+int define_role_allow(void)
+{
+ char *id;
+ struct role_allow_rule *ra = 0;
+
+ if (pass == 1) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ ra = malloc(sizeof(role_allow_rule_t));
+ if (!ra) {
+ yyerror("out of memory");
+ return -1;
+ }
+ role_allow_rule_init(ra);
+
+ while ((id = queue_remove(id_queue))) {
+ if (set_roles(&ra->roles, id)) {
+ free(ra);
+ return -1;
+ }
+ }
+
+ while ((id = queue_remove(id_queue))) {
+ if (set_roles(&ra->new_roles, id)) {
+ free(ra);
+ return -1;
+ }
+ }
+
+ append_role_allow(ra);
+ return 0;
+}
+
+avrule_t *define_cond_filename_trans(void)
+{
+ yyerror("type transitions with a filename not allowed inside "
+ "conditionals\n");
+ return COND_ERR;
+}
+
+int define_filename_trans(void)
+{
+ char *id, *name = NULL;
+ type_set_t stypes, ttypes;
+ ebitmap_t e_stypes, e_ttypes;
+ ebitmap_t e_tclasses;
+ ebitmap_node_t *snode, *tnode, *cnode;
+ filename_trans_t *ft;
+ filename_trans_rule_t *ftr;
+ type_datum_t *typdatum;
+ uint32_t otype;
+ unsigned int c, s, t;
+ int add;
+
+ if (pass == 1) {
+ /* stype */
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ /* ttype */
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ /* tclass */
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ /* otype */
+ id = queue_remove(id_queue);
+ free(id);
+ /* name */
+ id = queue_remove(id_queue);
+ free(id);
+ return 0;
+ }
+
+
+ add = 1;
+ type_set_init(&stypes);
+ while ((id = queue_remove(id_queue))) {
+ if (set_types(&stypes, id, &add, 0))
+ goto bad;
+ }
+
+ add =1;
+ type_set_init(&ttypes);
+ while ((id = queue_remove(id_queue))) {
+ if (set_types(&ttypes, id, &add, 0))
+ goto bad;
+ }
+
+ ebitmap_init(&e_tclasses);
+ if (read_classes(&e_tclasses))
+ goto bad;
+
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror("no otype in transition definition?");
+ goto bad;
+ }
+ if (!is_id_in_scope(SYM_TYPES, id)) {
+ yyerror2("type %s is not within scope", id);
+ free(id);
+ goto bad;
+ }
+ typdatum = hashtab_search(policydbp->p_types.table, id);
+ if (!typdatum) {
+ yyerror2("unknown type %s used in transition definition", id);
+ goto bad;
+ }
+ free(id);
+ otype = typdatum->s.value;
+
+ name = queue_remove(id_queue);
+ if (!name) {
+ yyerror("no pathname specified in filename_trans definition?");
+ goto bad;
+ }
+
+ /* We expand the class set into seperate rules. We expand the types
+ * just to make sure there are not duplicates. They will get turned
+ * into seperate rules later */
+ ebitmap_init(&e_stypes);
+ if (type_set_expand(&stypes, &e_stypes, policydbp, 1))
+ goto bad;
+
+ ebitmap_init(&e_ttypes);
+ if (type_set_expand(&ttypes, &e_ttypes, policydbp, 1))
+ goto bad;
+
+ ebitmap_for_each_bit(&e_tclasses, cnode, c) {
+ if (!ebitmap_node_get_bit(cnode, c))
+ continue;
+ ebitmap_for_each_bit(&e_stypes, snode, s) {
+ if (!ebitmap_node_get_bit(snode, s))
+ continue;
+ ebitmap_for_each_bit(&e_ttypes, tnode, t) {
+ if (!ebitmap_node_get_bit(tnode, t))
+ continue;
+
+ for (ft = policydbp->filename_trans; ft; ft = ft->next) {
+ if (ft->stype == (s + 1) &&
+ ft->ttype == (t + 1) &&
+ ft->tclass == (c + 1) &&
+ !strcmp(ft->name, name)) {
+ yyerror2("duplicate filename transition for: filename_trans %s %s %s:%s",
+ name,
+ policydbp->p_type_val_to_name[s],
+ policydbp->p_type_val_to_name[t],
+ policydbp->p_class_val_to_name[c]);
+ goto bad;
+ }
+ }
+
+ ft = malloc(sizeof(*ft));
+ if (!ft) {
+ yyerror("out of memory");
+ goto bad;
+ }
+ memset(ft, 0, sizeof(*ft));
+
+ ft->next = policydbp->filename_trans;
+ policydbp->filename_trans = ft;
+
+ ft->name = strdup(name);
+ if (!ft->name) {
+ yyerror("out of memory");
+ goto bad;
+ }
+ ft->stype = s + 1;
+ ft->ttype = t + 1;
+ ft->tclass = c + 1;
+ ft->otype = otype;
+ }
+ }
+
+ /* Now add the real rule since we didn't find any duplicates */
+ ftr = malloc(sizeof(*ftr));
+ if (!ftr) {
+ yyerror("out of memory");
+ goto bad;
+ }
+ filename_trans_rule_init(ftr);
+ append_filename_trans(ftr);
+
+ ftr->name = strdup(name);
+ if (type_set_cpy(&ftr->stypes, &stypes)) {
+ yyerror("out of memory");
+ goto bad;
+ }
+ if (type_set_cpy(&ftr->ttypes, &ttypes)) {
+ yyerror("out of memory");
+ goto bad;
+ }
+ ftr->tclass = c + 1;
+ ftr->otype = otype;
+ }
+
+ free(name);
+ ebitmap_destroy(&e_stypes);
+ ebitmap_destroy(&e_ttypes);
+ ebitmap_destroy(&e_tclasses);
+
+ return 0;
+
+bad:
+ free(name);
+ return -1;
+}
+
+static constraint_expr_t *constraint_expr_clone(constraint_expr_t * expr)
+{
+ constraint_expr_t *h = NULL, *l = NULL, *e, *newe;
+ for (e = expr; e; e = e->next) {
+ newe = malloc(sizeof(*newe));
+ if (!newe)
+ goto oom;
+ if (constraint_expr_init(newe) == -1) {
+ free(newe);
+ goto oom;
+ }
+ if (l)
+ l->next = newe;
+ else
+ h = newe;
+ l = newe;
+ newe->expr_type = e->expr_type;
+ newe->attr = e->attr;
+ newe->op = e->op;
+ if (newe->expr_type == CEXPR_NAMES) {
+ if (newe->attr & CEXPR_TYPE) {
+ if (type_set_cpy
+ (newe->type_names, e->type_names))
+ goto oom;
+ } else {
+ if (ebitmap_cpy(&newe->names, &e->names))
+ goto oom;
+ }
+ }
+ }
+
+ return h;
+ oom:
+ e = h;
+ while (e) {
+ l = e;
+ e = e->next;
+ constraint_expr_destroy(l);
+ }
+ return NULL;
+}
+
+int define_constraint(constraint_expr_t * expr)
+{
+ struct constraint_node *node;
+ char *id;
+ class_datum_t *cladatum;
+ perm_datum_t *perdatum;
+ ebitmap_t classmap;
+ ebitmap_node_t *enode;
+ constraint_expr_t *e;
+ unsigned int i;
+ int depth;
+ unsigned char useexpr = 1;
+
+ if (pass == 1) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ depth = -1;
+ for (e = expr; e; e = e->next) {
+ switch (e->expr_type) {
+ case CEXPR_NOT:
+ if (depth < 0) {
+ yyerror("illegal constraint expression");
+ return -1;
+ }
+ break;
+ case CEXPR_AND:
+ case CEXPR_OR:
+ if (depth < 1) {
+ yyerror("illegal constraint expression");
+ return -1;
+ }
+ depth--;
+ break;
+ case CEXPR_ATTR:
+ case CEXPR_NAMES:
+ if (e->attr & CEXPR_XTARGET) {
+ yyerror("illegal constraint expression");
+ return -1; /* only for validatetrans rules */
+ }
+ if (depth == (CEXPR_MAXDEPTH - 1)) {
+ yyerror("constraint expression is too deep");
+ return -1;
+ }
+ depth++;
+ break;
+ default:
+ yyerror("illegal constraint expression");
+ return -1;
+ }
+ }
+ if (depth != 0) {
+ yyerror("illegal constraint expression");
+ return -1;
+ }
+
+ ebitmap_init(&classmap);
+ while ((id = queue_remove(id_queue))) {
+ if (!is_id_in_scope(SYM_CLASSES, id)) {
+ yyerror2("class %s is not within scope", id);
+ free(id);
+ return -1;
+ }
+ cladatum =
+ (class_datum_t *) hashtab_search(policydbp->p_classes.table,
+ (hashtab_key_t) id);
+ if (!cladatum) {
+ yyerror2("class %s is not defined", id);
+ ebitmap_destroy(&classmap);
+ free(id);
+ return -1;
+ }
+ if (ebitmap_set_bit(&classmap, cladatum->s.value - 1, TRUE)) {
+ yyerror("out of memory");
+ ebitmap_destroy(&classmap);
+ free(id);
+ return -1;
+ }
+ node = malloc(sizeof(struct constraint_node));
+ if (!node) {
+ yyerror("out of memory");
+ free(node);
+ return -1;
+ }
+ memset(node, 0, sizeof(constraint_node_t));
+ if (useexpr) {
+ node->expr = expr;
+ useexpr = 0;
+ } else {
+ node->expr = constraint_expr_clone(expr);
+ }
+ if (!node->expr) {
+ yyerror("out of memory");
+ free(node);
+ return -1;
+ }
+ node->permissions = 0;
+
+ node->next = cladatum->constraints;
+ cladatum->constraints = node;
+
+ free(id);
+ }
+
+ while ((id = queue_remove(id_queue))) {
+ ebitmap_for_each_bit(&classmap, enode, i) {
+ if (ebitmap_node_get_bit(enode, i)) {
+ cladatum = policydbp->class_val_to_struct[i];
+ node = cladatum->constraints;
+
+ perdatum =
+ (perm_datum_t *) hashtab_search(cladatum->
+ permissions.
+ table,
+ (hashtab_key_t)
+ id);
+ if (!perdatum) {
+ if (cladatum->comdatum) {
+ perdatum =
+ (perm_datum_t *)
+ hashtab_search(cladatum->
+ comdatum->
+ permissions.
+ table,
+ (hashtab_key_t)
+ id);
+ }
+ if (!perdatum) {
+ yyerror2("permission %s is not"
+ " defined", id);
+ free(id);
+ ebitmap_destroy(&classmap);
+ return -1;
+ }
+ }
+ node->permissions |=
+ (1 << (perdatum->s.value - 1));
+ }
+ }
+ free(id);
+ }
+
+ ebitmap_destroy(&classmap);
+
+ return 0;
+}
+
+int define_validatetrans(constraint_expr_t * expr)
+{
+ struct constraint_node *node;
+ char *id;
+ class_datum_t *cladatum;
+ ebitmap_t classmap;
+ constraint_expr_t *e;
+ int depth;
+ unsigned char useexpr = 1;
+
+ if (pass == 1) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ depth = -1;
+ for (e = expr; e; e = e->next) {
+ switch (e->expr_type) {
+ case CEXPR_NOT:
+ if (depth < 0) {
+ yyerror("illegal validatetrans expression");
+ return -1;
+ }
+ break;
+ case CEXPR_AND:
+ case CEXPR_OR:
+ if (depth < 1) {
+ yyerror("illegal validatetrans expression");
+ return -1;
+ }
+ depth--;
+ break;
+ case CEXPR_ATTR:
+ case CEXPR_NAMES:
+ if (depth == (CEXPR_MAXDEPTH - 1)) {
+ yyerror("validatetrans expression is too deep");
+ return -1;
+ }
+ depth++;
+ break;
+ default:
+ yyerror("illegal validatetrans expression");
+ return -1;
+ }
+ }
+ if (depth != 0) {
+ yyerror("illegal validatetrans expression");
+ return -1;
+ }
+
+ ebitmap_init(&classmap);
+ while ((id = queue_remove(id_queue))) {
+ if (!is_id_in_scope(SYM_CLASSES, id)) {
+ yyerror2("class %s is not within scope", id);
+ free(id);
+ return -1;
+ }
+ cladatum =
+ (class_datum_t *) hashtab_search(policydbp->p_classes.table,
+ (hashtab_key_t) id);
+ if (!cladatum) {
+ yyerror2("class %s is not defined", id);
+ ebitmap_destroy(&classmap);
+ free(id);
+ return -1;
+ }
+ if (ebitmap_set_bit(&classmap, (cladatum->s.value - 1), TRUE)) {
+ yyerror("out of memory");
+ ebitmap_destroy(&classmap);
+ free(id);
+ return -1;
+ }
+
+ node = malloc(sizeof(struct constraint_node));
+ if (!node) {
+ yyerror("out of memory");
+ return -1;
+ }
+ memset(node, 0, sizeof(constraint_node_t));
+ if (useexpr) {
+ node->expr = expr;
+ useexpr = 0;
+ } else {
+ node->expr = constraint_expr_clone(expr);
+ }
+ node->permissions = 0;
+
+ node->next = cladatum->validatetrans;
+ cladatum->validatetrans = node;
+
+ free(id);
+ }
+
+ ebitmap_destroy(&classmap);
+
+ return 0;
+}
+
+uintptr_t define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2)
+{
+ struct constraint_expr *expr, *e1 = NULL, *e2;
+ user_datum_t *user;
+ role_datum_t *role;
+ ebitmap_t negset;
+ char *id;
+ uint32_t val;
+ int add = 1;
+
+ if (pass == 1) {
+ if (expr_type == CEXPR_NAMES) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ }
+ return 1; /* any non-NULL value */
+ }
+
+ if ((expr = malloc(sizeof(*expr))) == NULL ||
+ constraint_expr_init(expr) == -1) {
+ yyerror("out of memory");
+ free(expr);
+ return 0;
+ }
+ expr->expr_type = expr_type;
+
+ switch (expr_type) {
+ case CEXPR_NOT:
+ e1 = NULL;
+ e2 = (struct constraint_expr *)arg1;
+ while (e2) {
+ e1 = e2;
+ e2 = e2->next;
+ }
+ if (!e1 || e1->next) {
+ yyerror("illegal constraint expression");
+ constraint_expr_destroy(expr);
+ return 0;
+ }
+ e1->next = expr;
+ return arg1;
+ case CEXPR_AND:
+ case CEXPR_OR:
+ e1 = NULL;
+ e2 = (struct constraint_expr *)arg1;
+ while (e2) {
+ e1 = e2;
+ e2 = e2->next;
+ }
+ if (!e1 || e1->next) {
+ yyerror("illegal constraint expression");
+ constraint_expr_destroy(expr);
+ return 0;
+ }
+ e1->next = (struct constraint_expr *)arg2;
+
+ e1 = NULL;
+ e2 = (struct constraint_expr *)arg2;
+ while (e2) {
+ e1 = e2;
+ e2 = e2->next;
+ }
+ if (!e1 || e1->next) {
+ yyerror("illegal constraint expression");
+ constraint_expr_destroy(expr);
+ return 0;
+ }
+ e1->next = expr;
+ return arg1;
+ case CEXPR_ATTR:
+ expr->attr = arg1;
+ expr->op = arg2;
+ return (uintptr_t) expr;
+ case CEXPR_NAMES:
+ add = 1;
+ expr->attr = arg1;
+ expr->op = arg2;
+ ebitmap_init(&negset);
+ while ((id = (char *)queue_remove(id_queue))) {
+ if (expr->attr & CEXPR_USER) {
+ if (!is_id_in_scope(SYM_USERS, id)) {
+ yyerror2("user %s is not within scope",
+ id);
+ constraint_expr_destroy(expr);
+ return 0;
+ }
+ user =
+ (user_datum_t *) hashtab_search(policydbp->
+ p_users.
+ table,
+ (hashtab_key_t)
+ id);
+ if (!user) {
+ yyerror2("unknown user %s", id);
+ constraint_expr_destroy(expr);
+ return 0;
+ }
+ val = user->s.value;
+ } else if (expr->attr & CEXPR_ROLE) {
+ if (!is_id_in_scope(SYM_ROLES, id)) {
+ yyerror2("role %s is not within scope",
+ id);
+ constraint_expr_destroy(expr);
+ return 0;
+ }
+ role =
+ (role_datum_t *) hashtab_search(policydbp->
+ p_roles.
+ table,
+ (hashtab_key_t)
+ id);
+ if (!role) {
+ yyerror2("unknown role %s", id);
+ constraint_expr_destroy(expr);
+ return 0;
+ }
+ val = role->s.value;
+ } else if (expr->attr & CEXPR_TYPE) {
+ if (set_types(expr->type_names, id, &add, 0)) {
+ constraint_expr_destroy(expr);
+ return 0;
+ }
+ continue;
+ } else {
+ yyerror("invalid constraint expression");
+ constraint_expr_destroy(expr);
+ return 0;
+ }
+ if (ebitmap_set_bit(&expr->names, val - 1, TRUE)) {
+ yyerror("out of memory");
+ ebitmap_destroy(&expr->names);
+ constraint_expr_destroy(expr);
+ return 0;
+ }
+ free(id);
+ }
+ ebitmap_destroy(&negset);
+ return (uintptr_t) expr;
+ default:
+ break;
+ }
+
+ yyerror("invalid constraint expression");
+ constraint_expr_destroy(expr);
+ return 0;
+}
+
+int define_conditional(cond_expr_t * expr, avrule_t * t, avrule_t * f)
+{
+ cond_expr_t *e;
+ int depth;
+ cond_node_t cn, *cn_old;
+
+ /* expression cannot be NULL */
+ if (!expr) {
+ yyerror("illegal conditional expression");
+ return -1;
+ }
+ if (!t) {
+ if (!f) {
+ /* empty is fine, destroy expression and return */
+ cond_expr_destroy(expr);
+ return 0;
+ }
+ /* Invert */
+ t = f;
+ f = 0;
+ expr = define_cond_expr(COND_NOT, expr, 0);
+ if (!expr) {
+ yyerror("unable to invert");
+ return -1;
+ }
+ }
+
+ /* verify expression */
+ depth = -1;
+ for (e = expr; e; e = e->next) {
+ switch (e->expr_type) {
+ case COND_NOT:
+ if (depth < 0) {
+ yyerror
+ ("illegal conditional expression; Bad NOT");
+ return -1;
+ }
+ break;
+ case COND_AND:
+ case COND_OR:
+ case COND_XOR:
+ case COND_EQ:
+ case COND_NEQ:
+ if (depth < 1) {
+ yyerror
+ ("illegal conditional expression; Bad binary op");
+ return -1;
+ }
+ depth--;
+ break;
+ case COND_BOOL:
+ if (depth == (COND_EXPR_MAXDEPTH - 1)) {
+ yyerror
+ ("conditional expression is like totally too deep");
+ return -1;
+ }
+ depth++;
+ break;
+ default:
+ yyerror("illegal conditional expression");
+ return -1;
+ }
+ }
+ if (depth != 0) {
+ yyerror("illegal conditional expression");
+ return -1;
+ }
+
+ /* use tmp conditional node to partially build new node */
+ memset(&cn, 0, sizeof(cn));
+ cn.expr = expr;
+ cn.avtrue_list = t;
+ cn.avfalse_list = f;
+
+ /* normalize/precompute expression */
+ if (cond_normalize_expr(policydbp, &cn) < 0) {
+ yyerror("problem normalizing conditional expression");
+ return -1;
+ }
+
+ /* get the existing conditional node, or create a new one */
+ cn_old = get_current_cond_list(&cn);
+ if (!cn_old) {
+ return -1;
+ }
+
+ append_cond_list(&cn);
+
+ /* note that there is no check here for duplicate rules, nor
+ * check that rule already exists in base -- that will be
+ * handled during conditional expansion, in expand.c */
+
+ cn.avtrue_list = NULL;
+ cn.avfalse_list = NULL;
+ cond_node_destroy(&cn);
+
+ return 0;
+}
+
+cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void *arg2)
+{
+ struct cond_expr *expr, *e1 = NULL, *e2;
+ cond_bool_datum_t *bool_var;
+ char *id;
+
+ /* expressions are handled in the second pass */
+ if (pass == 1) {
+ if (expr_type == COND_BOOL) {
+ while ((id = queue_remove(id_queue))) {
+ free(id);
+ }
+ }
+ return (cond_expr_t *) 1; /* any non-NULL value */
+ }
+
+ /* create a new expression struct */
+ expr = malloc(sizeof(struct cond_expr));
+ if (!expr) {
+ yyerror("out of memory");
+ return NULL;
+ }
+ memset(expr, 0, sizeof(cond_expr_t));
+ expr->expr_type = expr_type;
+
+ /* create the type asked for */
+ switch (expr_type) {
+ case COND_NOT:
+ e1 = NULL;
+ e2 = (struct cond_expr *)arg1;
+ while (e2) {
+ e1 = e2;
+ e2 = e2->next;
+ }
+ if (!e1 || e1->next) {
+ yyerror("illegal conditional NOT expression");
+ free(expr);
+ return NULL;
+ }
+ e1->next = expr;
+ return (struct cond_expr *)arg1;
+ case COND_AND:
+ case COND_OR:
+ case COND_XOR:
+ case COND_EQ:
+ case COND_NEQ:
+ e1 = NULL;
+ e2 = (struct cond_expr *)arg1;
+ while (e2) {
+ e1 = e2;
+ e2 = e2->next;
+ }
+ if (!e1 || e1->next) {
+ yyerror
+ ("illegal left side of conditional binary op expression");
+ free(expr);
+ return NULL;
+ }
+ e1->next = (struct cond_expr *)arg2;
+
+ e1 = NULL;
+ e2 = (struct cond_expr *)arg2;
+ while (e2) {
+ e1 = e2;
+ e2 = e2->next;
+ }
+ if (!e1 || e1->next) {
+ yyerror
+ ("illegal right side of conditional binary op expression");
+ free(expr);
+ return NULL;
+ }
+ e1->next = expr;
+ return (struct cond_expr *)arg1;
+ case COND_BOOL:
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror("bad conditional; expected boolean id");
+ free(id);
+ free(expr);
+ return NULL;
+ }
+ if (!is_id_in_scope(SYM_BOOLS, id)) {
+ yyerror2("boolean %s is not within scope", id);
+ free(id);
+ free(expr);
+ return NULL;
+ }
+ bool_var =
+ (cond_bool_datum_t *) hashtab_search(policydbp->p_bools.
+ table,
+ (hashtab_key_t) id);
+ if (!bool_var) {
+ yyerror2("unknown boolean %s in conditional expression",
+ id);
+ free(expr);
+ free(id);
+ return NULL;
+ }
+ expr->bool = bool_var->s.value;
+ free(id);
+ return expr;
+ default:
+ yyerror("illegal conditional expression");
+ free(expr);
+ return NULL;
+ }
+}
+
+static int set_user_roles(role_set_t * set, char *id)
+{
+ role_datum_t *r;
+ unsigned int i;
+ ebitmap_node_t *node;
+
+ if (strcmp(id, "*") == 0) {
+ free(id);
+ yyerror("* is not allowed in user declarations");
+ return -1;
+ }
+
+ if (strcmp(id, "~") == 0) {
+ free(id);
+ yyerror("~ is not allowed in user declarations");
+ return -1;
+ }
+
+ if (!is_id_in_scope(SYM_ROLES, id)) {
+ yyerror2("role %s is not within scope", id);
+ free(id);
+ return -1;
+ }
+ r = hashtab_search(policydbp->p_roles.table, id);
+ if (!r) {
+ yyerror2("unknown role %s", id);
+ free(id);
+ return -1;
+ }
+
+ /* set the role and every role it dominates */
+ ebitmap_for_each_bit(&r->dominates, node, i) {
+ if (ebitmap_node_get_bit(node, i))
+ if (ebitmap_set_bit(&set->roles, i, TRUE))
+ goto oom;
+ }
+ free(id);
+ return 0;
+ oom:
+ yyerror("out of memory");
+ return -1;
+}
+
+static int parse_categories(char *id, level_datum_t * levdatum, ebitmap_t * cats)
+{
+ cat_datum_t *cdatum;
+ int range_start, range_end, i;
+
+ if (id_has_dot(id)) {
+ char *id_start = id;
+ char *id_end = strchr(id, '.');
+
+ *(id_end++) = '\0';
+
+ cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
+ (hashtab_key_t)
+ id_start);
+ if (!cdatum) {
+ yyerror2("unknown category %s", id_start);
+ return -1;
+ }
+ range_start = cdatum->s.value - 1;
+ cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
+ (hashtab_key_t) id_end);
+ if (!cdatum) {
+ yyerror2("unknown category %s", id_end);
+ return -1;
+ }
+ range_end = cdatum->s.value - 1;
+
+ if (range_end < range_start) {
+ yyerror2("category range is invalid");
+ return -1;
+ }
+ } else {
+ cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
+ (hashtab_key_t) id);
+ if (!cdatum) {
+ yyerror2("unknown category %s", id);
+ return -1;
+ }
+ range_start = range_end = cdatum->s.value - 1;
+ }
+
+ for (i = range_start; i <= range_end; i++) {
+ if (!ebitmap_get_bit(&levdatum->level->cat, i)) {
+ uint32_t level_value = levdatum->level->sens - 1;
+ policydb_index_others(NULL, policydbp, 0);
+ yyerror2("category %s can not be associated "
+ "with level %s",
+ policydbp->p_cat_val_to_name[i],
+ policydbp->p_sens_val_to_name[level_value]);
+ return -1;
+ }
+ if (ebitmap_set_bit(cats, i, TRUE)) {
+ yyerror("out of memory");
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
+static int parse_semantic_categories(char *id, level_datum_t * levdatum __attribute__ ((unused)),
+ mls_semantic_cat_t ** cats)
+{
+ cat_datum_t *cdatum;
+ mls_semantic_cat_t *newcat;
+ unsigned int range_start, range_end;
+
+ if (id_has_dot(id)) {
+ char *id_start = id;
+ char *id_end = strchr(id, '.');
+
+ *(id_end++) = '\0';
+
+ cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
+ (hashtab_key_t)
+ id_start);
+ if (!cdatum) {
+ yyerror2("unknown category %s", id_start);
+ return -1;
+ }
+ range_start = cdatum->s.value;
+
+ cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
+ (hashtab_key_t) id_end);
+ if (!cdatum) {
+ yyerror2("unknown category %s", id_end);
+ return -1;
+ }
+ range_end = cdatum->s.value;
+ } else {
+ cdatum = (cat_datum_t *) hashtab_search(policydbp->p_cats.table,
+ (hashtab_key_t) id);
+ if (!cdatum) {
+ yyerror2("unknown category %s", id);
+ return -1;
+ }
+ range_start = range_end = cdatum->s.value;
+ }
+
+ newcat = (mls_semantic_cat_t *) malloc(sizeof(mls_semantic_cat_t));
+ if (!newcat) {
+ yyerror("out of memory");
+ return -1;
+ }
+
+ mls_semantic_cat_init(newcat);
+ newcat->next = *cats;
+ newcat->low = range_start;
+ newcat->high = range_end;
+
+ *cats = newcat;
+
+ return 0;
+}
+
+int define_user(void)
+{
+ char *id;
+ user_datum_t *usrdatum;
+ level_datum_t *levdatum;
+ int l;
+
+ if (pass == 1) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ if (mlspol) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ id = queue_remove(id_queue);
+ free(id);
+ for (l = 0; l < 2; l++) {
+ while ((id = queue_remove(id_queue))) {
+ free(id);
+ }
+ id = queue_remove(id_queue);
+ if (!id)
+ break;
+ free(id);
+ }
+ }
+ return 0;
+ }
+
+ if ((usrdatum = declare_user()) == NULL) {
+ return -1;
+ }
+
+ while ((id = queue_remove(id_queue))) {
+ if (set_user_roles(&usrdatum->roles, id))
+ continue;
+ }
+
+ if (mlspol) {
+ id = queue_remove(id_queue);
+ if (!id) {
+ yyerror("no default level specified for user");
+ return -1;
+ }
+
+ levdatum = (level_datum_t *)
+ hashtab_search(policydbp->p_levels.table,
+ (hashtab_key_t) id);
+ if (!levdatum) {
+ yyerror2("unknown sensitivity %s used in user"
+ " level definition", id);
+ free(id);
+ return -1;
+ }
+ free(id);
+
+ usrdatum->dfltlevel.sens = levdatum->level->sens;
+
+ while ((id = queue_remove(id_queue))) {
+ if (parse_semantic_categories(id, levdatum,
+ &usrdatum->dfltlevel.cat)) {
+ free(id);
+ return -1;
+ }
+ free(id);
+ }
+
+ id = queue_remove(id_queue);
+
+ for (l = 0; l < 2; l++) {
+ levdatum = (level_datum_t *)
+ hashtab_search(policydbp->p_levels.table,
+ (hashtab_key_t) id);
+ if (!levdatum) {
+ yyerror2("unknown sensitivity %s used in user"
+ " range definition", id);
+ free(id);
+ return -1;
+ }
+ free(id);
+
+ usrdatum->range.level[l].sens = levdatum->level->sens;
+
+ while ((id = queue_remove(id_queue))) {
+ if (parse_semantic_categories(id, levdatum,
+ &usrdatum->range.level[l].cat)) {
+ free(id);
+ return -1;
+ }
+ free(id);
+ }
+
+ id = queue_remove(id_queue);
+ if (!id)
+ break;
+ }
+
+ if (l == 0) {
+ if (mls_semantic_level_cpy(&usrdatum->range.level[1],
+ &usrdatum->range.level[0])) {
+ yyerror("out of memory");
+ return -1;
+ }
+ }
+ }
+ return 0;
+}
+
+static int parse_security_context(context_struct_t * c)
+{
+ char *id;
+ role_datum_t *role;
+ type_datum_t *typdatum;
+ user_datum_t *usrdatum;
+ level_datum_t *levdatum;
+ int l;
+
+ if (pass == 1) {
+ id = queue_remove(id_queue);
+ free(id); /* user */
+ id = queue_remove(id_queue);
+ free(id); /* role */
+ id = queue_remove(id_queue);
+ free(id); /* type */
+ if (mlspol) {
+ id = queue_remove(id_queue);
+ free(id);
+ for (l = 0; l < 2; l++) {
+ while ((id = queue_remove(id_queue))) {
+ free(id);
+ }
+ id = queue_remove(id_queue);
+ if (!id)
+ break;
+ free(id);
+ }
+ }
+ return 0;
+ }
+
+ /* check context c to make sure ok to dereference c later */
+ if (c == NULL) {
+ yyerror("null context pointer!");
+ return -1;
+ }
+
+ context_init(c);
+
+ /* extract the user */
+ id = queue_remove(id_queue);
+ if (!id) {
+ yyerror("no effective user?");
+ goto bad;
+ }
+ if (!is_id_in_scope(SYM_USERS, id)) {
+ yyerror2("user %s is not within scope", id);
+ free(id);
+ goto bad;
+ }
+ usrdatum = (user_datum_t *) hashtab_search(policydbp->p_users.table,
+ (hashtab_key_t) id);
+ if (!usrdatum) {
+ yyerror2("user %s is not defined", id);
+ free(id);
+ goto bad;
+ }
+ c->user = usrdatum->s.value;
+
+ /* no need to keep the user name */
+ free(id);
+
+ /* extract the role */
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror("no role name for sid context definition?");
+ return -1;
+ }
+ if (!is_id_in_scope(SYM_ROLES, id)) {
+ yyerror2("role %s is not within scope", id);
+ free(id);
+ return -1;
+ }
+ role = (role_datum_t *) hashtab_search(policydbp->p_roles.table,
+ (hashtab_key_t) id);
+ if (!role) {
+ yyerror2("role %s is not defined", id);
+ free(id);
+ return -1;
+ }
+ c->role = role->s.value;
+
+ /* no need to keep the role name */
+ free(id);
+
+ /* extract the type */
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror("no type name for sid context definition?");
+ return -1;
+ }
+ if (!is_id_in_scope(SYM_TYPES, id)) {
+ yyerror2("type %s is not within scope", id);
+ free(id);
+ return -1;
+ }
+ typdatum = (type_datum_t *) hashtab_search(policydbp->p_types.table,
+ (hashtab_key_t) id);
+ if (!typdatum || typdatum->flavor == TYPE_ATTRIB) {
+ yyerror2("type %s is not defined or is an attribute", id);
+ free(id);
+ return -1;
+ }
+ c->type = typdatum->s.value;
+
+ /* no need to keep the type name */
+ free(id);
+
+ if (mlspol) {
+ /* extract the low sensitivity */
+ id = (char *)queue_head(id_queue);
+ if (!id) {
+ yyerror("no sensitivity name for sid context"
+ " definition?");
+ return -1;
+ }
+
+ id = (char *)queue_remove(id_queue);
+ for (l = 0; l < 2; l++) {
+ levdatum = (level_datum_t *)
+ hashtab_search(policydbp->p_levels.table,
+ (hashtab_key_t) id);
+ if (!levdatum) {
+ yyerror2("Sensitivity %s is not defined", id);
+ free(id);
+ return -1;
+ }
+ free(id);
+ c->range.level[l].sens = levdatum->level->sens;
+
+ /* extract low category set */
+ while ((id = queue_remove(id_queue))) {
+ if (parse_categories(id, levdatum,
+ &c->range.level[l].cat)) {
+ free(id);
+ return -1;
+ }
+ free(id);
+ }
+
+ /* extract high sensitivity */
+ id = (char *)queue_remove(id_queue);
+ if (!id)
+ break;
+ }
+
+ if (l == 0) {
+ c->range.level[1].sens = c->range.level[0].sens;
+ if (ebitmap_cpy(&c->range.level[1].cat,
+ &c->range.level[0].cat)) {
+
+ yyerror("out of memory");
+ goto bad;
+ }
+ }
+ }
+
+ if (!policydb_context_isvalid(policydbp, c)) {
+ yyerror("invalid security context");
+ goto bad;
+ }
+ return 0;
+
+ bad:
+ context_destroy(c);
+
+ return -1;
+}
+
+int define_initial_sid_context(void)
+{
+ char *id;
+ ocontext_t *c, *head;
+
+ if (pass == 1) {
+ id = (char *)queue_remove(id_queue);
+ free(id);
+ parse_security_context(NULL);
+ return 0;
+ }
+
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror("no sid name for SID context definition?");
+ return -1;
+ }
+ head = policydbp->ocontexts[OCON_ISID];
+ for (c = head; c; c = c->next) {
+ if (!strcmp(id, c->u.name))
+ break;
+ }
+
+ if (!c) {
+ yyerror2("SID %s is not defined", id);
+ free(id);
+ return -1;
+ }
+ if (c->context[0].user) {
+ yyerror2("The context for SID %s is multiply defined", id);
+ free(id);
+ return -1;
+ }
+ /* no need to keep the sid name */
+ free(id);
+
+ if (parse_security_context(&c->context[0]))
+ return -1;
+
+ return 0;
+}
+
+int define_fs_context(unsigned int major, unsigned int minor)
+{
+ ocontext_t *newc, *c, *head;
+
+ if (policydbp->target_platform != SEPOL_TARGET_SELINUX) {
+ yyerror("fscon not supported for target");
+ return -1;
+ }
+
+ if (pass == 1) {
+ parse_security_context(NULL);
+ parse_security_context(NULL);
+ return 0;
+ }
+
+ newc = (ocontext_t *) malloc(sizeof(ocontext_t));
+ if (!newc) {
+ yyerror("out of memory");
+ return -1;
+ }
+ memset(newc, 0, sizeof(ocontext_t));
+
+ newc->u.name = (char *)malloc(6);
+ if (!newc->u.name) {
+ yyerror("out of memory");
+ free(newc);
+ return -1;
+ }
+ sprintf(newc->u.name, "%02x:%02x", major, minor);
+
+ if (parse_security_context(&newc->context[0])) {
+ free(newc->u.name);
+ free(newc);
+ return -1;
+ }
+ if (parse_security_context(&newc->context[1])) {
+ context_destroy(&newc->context[0]);
+ free(newc->u.name);
+ free(newc);
+ return -1;
+ }
+ head = policydbp->ocontexts[OCON_FS];
+
+ for (c = head; c; c = c->next) {
+ if (!strcmp(newc->u.name, c->u.name)) {
+ yyerror2("duplicate entry for file system %s",
+ newc->u.name);
+ context_destroy(&newc->context[0]);
+ context_destroy(&newc->context[1]);
+ free(newc->u.name);
+ free(newc);
+ return -1;
+ }
+ }
+
+ newc->next = head;
+ policydbp->ocontexts[OCON_FS] = newc;
+
+ return 0;
+}
+
+int define_pirq_context(unsigned int pirq)
+{
+ ocontext_t *newc, *c, *l, *head;
+ char *id;
+
+ if (policydbp->target_platform != SEPOL_TARGET_XEN) {
+ yyerror("pirqcon not supported for target");
+ return -1;
+ }
+
+ if (pass == 1) {
+ id = (char *) queue_remove(id_queue);
+ free(id);
+ parse_security_context(NULL);
+ return 0;
+ }
+
+ newc = malloc(sizeof(ocontext_t));
+ if (!newc) {
+ yyerror("out of memory");
+ return -1;
+ }
+ memset(newc, 0, sizeof(ocontext_t));
+
+ newc->u.pirq = pirq;
+
+ if (parse_security_context(&newc->context[0])) {
+ free(newc);
+ return -1;
+ }
+
+ head = policydbp->ocontexts[OCON_XEN_PIRQ];
+ for (l = NULL, c = head; c; l = c, c = c->next) {
+ unsigned int pirq2;
+
+ pirq2 = c->u.pirq;
+ if (pirq == pirq2) {
+ yyerror2("duplicate pirqcon entry for %d ", pirq);
+ goto bad;
+ }
+ }
+
+ if (l)
+ l->next = newc;
+ else
+ policydbp->ocontexts[OCON_XEN_PIRQ] = newc;
+
+ return 0;
+
+bad:
+ free(newc);
+ return -1;
+}
+
+int define_iomem_context(uint64_t low, uint64_t high)
+{
+ ocontext_t *newc, *c, *l, *head;
+ char *id;
+
+ if (policydbp->target_platform != SEPOL_TARGET_XEN) {
+ yyerror("iomemcon not supported for target");
+ return -1;
+ }
+
+ if (pass == 1) {
+ id = (char *)queue_remove(id_queue);
+ free(id);
+ parse_security_context(NULL);
+ return 0;
+ }
+
+ newc = malloc(sizeof(ocontext_t));
+ if (!newc) {
+ yyerror("out of memory");
+ return -1;
+ }
+ memset(newc, 0, sizeof(ocontext_t));
+
+ newc->u.iomem.low_iomem = low;
+ newc->u.iomem.high_iomem = high;
+
+ if (low > high) {
+ yyerror2("low memory 0x%"PRIx64" exceeds high memory 0x%"PRIx64"", low, high);
+ free(newc);
+ return -1;
+ }
+
+ if (parse_security_context(&newc->context[0])) {
+ free(newc);
+ return -1;
+ }
+
+ head = policydbp->ocontexts[OCON_XEN_IOMEM];
+ for (l = NULL, c = head; c; l = c, c = c->next) {
+ uint64_t low2, high2;
+
+ low2 = c->u.iomem.low_iomem;
+ high2 = c->u.iomem.high_iomem;
+ if (low <= high2 && low2 <= high) {
+ yyerror2("iomemcon entry for 0x%"PRIx64"-0x%"PRIx64" overlaps with "
+ "earlier entry 0x%"PRIx64"-0x%"PRIx64"", low, high,
+ low2, high2);
+ goto bad;
+ }
+ }
+
+ if (l)
+ l->next = newc;
+ else
+ policydbp->ocontexts[OCON_XEN_IOMEM] = newc;
+
+ return 0;
+
+bad:
+ free(newc);
+ return -1;
+}
+
+int define_ioport_context(unsigned long low, unsigned long high)
+{
+ ocontext_t *newc, *c, *l, *head;
+ char *id;
+
+ if (policydbp->target_platform != SEPOL_TARGET_XEN) {
+ yyerror("ioportcon not supported for target");
+ return -1;
+ }
+
+ if (pass == 1) {
+ id = (char *)queue_remove(id_queue);
+ free(id);
+ parse_security_context(NULL);
+ return 0;
+ }
+
+ newc = malloc(sizeof(ocontext_t));
+ if (!newc) {
+ yyerror("out of memory");
+ return -1;
+ }
+ memset(newc, 0, sizeof(ocontext_t));
+
+ newc->u.ioport.low_ioport = low;
+ newc->u.ioport.high_ioport = high;
+
+ if (low > high) {
+ yyerror2("low ioport 0x%lx exceeds high ioport 0x%lx", low, high);
+ free(newc);
+ return -1;
+ }
+
+ if (parse_security_context(&newc->context[0])) {
+ free(newc);
+ return -1;
+ }
+
+ head = policydbp->ocontexts[OCON_XEN_IOPORT];
+ for (l = NULL, c = head; c; l = c, c = c->next) {
+ uint32_t low2, high2;
+
+ low2 = c->u.ioport.low_ioport;
+ high2 = c->u.ioport.high_ioport;
+ if (low <= high2 && low2 <= high) {
+ yyerror2("ioportcon entry for 0x%lx-0x%lx overlaps with"
+ "earlier entry 0x%x-0x%x", low, high,
+ low2, high2);
+ goto bad;
+ }
+ }
+
+ if (l)
+ l->next = newc;
+ else
+ policydbp->ocontexts[OCON_XEN_IOPORT] = newc;
+
+ return 0;
+
+bad:
+ free(newc);
+ return -1;
+}
+
+int define_pcidevice_context(unsigned long device)
+{
+ ocontext_t *newc, *c, *l, *head;
+ char *id;
+
+ if (policydbp->target_platform != SEPOL_TARGET_XEN) {
+ yyerror("pcidevicecon not supported for target");
+ return -1;
+ }
+
+ if (pass == 1) {
+ id = (char *) queue_remove(id_queue);
+ free(id);
+ parse_security_context(NULL);
+ return 0;
+ }
+
+ newc = malloc(sizeof(ocontext_t));
+ if (!newc) {
+ yyerror("out of memory");
+ return -1;
+ }
+ memset(newc, 0, sizeof(ocontext_t));
+
+ newc->u.device = device;
+
+ if (parse_security_context(&newc->context[0])) {
+ free(newc);
+ return -1;
+ }
+
+ head = policydbp->ocontexts[OCON_XEN_PCIDEVICE];
+ for (l = NULL, c = head; c; l = c, c = c->next) {
+ unsigned int device2;
+
+ device2 = c->u.device;
+ if (device == device2) {
+ yyerror2("duplicate pcidevicecon entry for 0x%lx",
+ device);
+ goto bad;
+ }
+ }
+
+ if (l)
+ l->next = newc;
+ else
+ policydbp->ocontexts[OCON_XEN_PCIDEVICE] = newc;
+
+ return 0;
+
+bad:
+ free(newc);
+ return -1;
+}
+
+int define_devicetree_context()
+{
+ ocontext_t *newc, *c, *l, *head;
+
+ if (policydbp->target_platform != SEPOL_TARGET_XEN) {
+ yyerror("devicetreecon not supported for target");
+ return -1;
+ }
+
+ if (pass == 1) {
+ free(queue_remove(id_queue));
+ parse_security_context(NULL);
+ return 0;
+ }
+
+ newc = malloc(sizeof(ocontext_t));
+ if (!newc) {
+ yyerror("out of memory");
+ return -1;
+ }
+ memset(newc, 0, sizeof(ocontext_t));
+
+ newc->u.name = (char *)queue_remove(id_queue);
+ if (!newc->u.name) {
+ free(newc);
+ return -1;
+ }
+
+ if (parse_security_context(&newc->context[0])) {
+ free(newc->u.name);
+ free(newc);
+ return -1;
+ }
+
+ head = policydbp->ocontexts[OCON_XEN_DEVICETREE];
+ for (l = NULL, c = head; c; l = c, c = c->next) {
+ if (strcmp(newc->u.name, c->u.name) == 0) {
+ yyerror2("duplicate devicetree entry for '%s'", newc->u.name);
+ goto bad;
+ }
+ }
+
+ if (l)
+ l->next = newc;
+ else
+ policydbp->ocontexts[OCON_XEN_DEVICETREE] = newc;
+
+ return 0;
+
+bad:
+ free(newc->u.name);
+ free(newc);
+ return -1;
+}
+
+int define_port_context(unsigned int low, unsigned int high)
+{
+ ocontext_t *newc, *c, *l, *head;
+ unsigned int protocol;
+ char *id;
+
+ if (policydbp->target_platform != SEPOL_TARGET_SELINUX) {
+ yyerror("portcon not supported for target");
+ return -1;
+ }
+
+ if (pass == 1) {
+ id = (char *)queue_remove(id_queue);
+ free(id);
+ parse_security_context(NULL);
+ return 0;
+ }
+
+ newc = malloc(sizeof(ocontext_t));
+ if (!newc) {
+ yyerror("out of memory");
+ return -1;
+ }
+ memset(newc, 0, sizeof(ocontext_t));
+
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ free(newc);
+ return -1;
+ }
+ if ((strcmp(id, "tcp") == 0) || (strcmp(id, "TCP") == 0)) {
+ protocol = IPPROTO_TCP;
+ } else if ((strcmp(id, "udp") == 0) || (strcmp(id, "UDP") == 0)) {
+ protocol = IPPROTO_UDP;
+ } else if ((strcmp(id, "dccp") == 0) || (strcmp(id, "DCCP") == 0)) {
+ protocol = IPPROTO_DCCP;
+ } else {
+ yyerror2("unrecognized protocol %s", id);
+ free(newc);
+ return -1;
+ }
+
+ newc->u.port.protocol = protocol;
+ newc->u.port.low_port = low;
+ newc->u.port.high_port = high;
+
+ if (low > high) {
+ yyerror2("low port %d exceeds high port %d", low, high);
+ free(newc);
+ return -1;
+ }
+
+ if (parse_security_context(&newc->context[0])) {
+ free(newc);
+ return -1;
+ }
+
+ /* Preserve the matching order specified in the configuration. */
+ head = policydbp->ocontexts[OCON_PORT];
+ for (l = NULL, c = head; c; l = c, c = c->next) {
+ unsigned int prot2, low2, high2;
+
+ prot2 = c->u.port.protocol;
+ low2 = c->u.port.low_port;
+ high2 = c->u.port.high_port;
+ if (protocol != prot2)
+ continue;
+ if (low == low2 && high == high2) {
+ yyerror2("duplicate portcon entry for %s %d-%d ", id,
+ low, high);
+ goto bad;
+ }
+ if (low2 <= low && high2 >= high) {
+ yyerror2("portcon entry for %s %d-%d hidden by earlier "
+ "entry for %d-%d", id, low, high, low2, high2);
+ goto bad;
+ }
+ }
+
+ if (l)
+ l->next = newc;
+ else
+ policydbp->ocontexts[OCON_PORT] = newc;
+
+ return 0;
+
+ bad:
+ free(newc);
+ return -1;
+}
+
+int define_netif_context(void)
+{
+ ocontext_t *newc, *c, *head;
+
+ if (policydbp->target_platform != SEPOL_TARGET_SELINUX) {
+ yyerror("netifcon not supported for target");
+ return -1;
+ }
+
+ if (pass == 1) {
+ free(queue_remove(id_queue));
+ parse_security_context(NULL);
+ parse_security_context(NULL);
+ return 0;
+ }
+
+ newc = (ocontext_t *) malloc(sizeof(ocontext_t));
+ if (!newc) {
+ yyerror("out of memory");
+ return -1;
+ }
+ memset(newc, 0, sizeof(ocontext_t));
+
+ newc->u.name = (char *)queue_remove(id_queue);
+ if (!newc->u.name) {
+ free(newc);
+ return -1;
+ }
+ if (parse_security_context(&newc->context[0])) {
+ free(newc->u.name);
+ free(newc);
+ return -1;
+ }
+ if (parse_security_context(&newc->context[1])) {
+ context_destroy(&newc->context[0]);
+ free(newc->u.name);
+ free(newc);
+ return -1;
+ }
+ head = policydbp->ocontexts[OCON_NETIF];
+
+ for (c = head; c; c = c->next) {
+ if (!strcmp(newc->u.name, c->u.name)) {
+ yyerror2("duplicate entry for network interface %s",
+ newc->u.name);
+ context_destroy(&newc->context[0]);
+ context_destroy(&newc->context[1]);
+ free(newc->u.name);
+ free(newc);
+ return -1;
+ }
+ }
+
+ newc->next = head;
+ policydbp->ocontexts[OCON_NETIF] = newc;
+ return 0;
+}
+
+int define_ipv4_node_context()
+{
+ char *id;
+ int rc = 0;
+ struct in_addr addr, mask;
+ ocontext_t *newc, *c, *l, *head;
+
+ if (policydbp->target_platform != SEPOL_TARGET_SELINUX) {
+ yyerror("nodecon not supported for target");
+ return -1;
+ }
+
+ if (pass == 1) {
+ free(queue_remove(id_queue));
+ free(queue_remove(id_queue));
+ parse_security_context(NULL);
+ goto out;
+ }
+
+ id = queue_remove(id_queue);
+ if (!id) {
+ yyerror("failed to read ipv4 address");
+ rc = -1;
+ goto out;
+ }
+
+ rc = inet_pton(AF_INET, id, &addr);
+ free(id);
+ if (rc < 1) {
+ yyerror("failed to parse ipv4 address");
+ if (rc == 0)
+ rc = -1;
+ goto out;
+ }
+
+ id = queue_remove(id_queue);
+ if (!id) {
+ yyerror("failed to read ipv4 address");
+ rc = -1;
+ goto out;
+ }
+
+ rc = inet_pton(AF_INET, id, &mask);
+ free(id);
+ if (rc < 1) {
+ yyerror("failed to parse ipv4 mask");
+ if (rc == 0)
+ rc = -1;
+ goto out;
+ }
+
+ newc = malloc(sizeof(ocontext_t));
+ if (!newc) {
+ yyerror("out of memory");
+ rc = -1;
+ goto out;
+ }
+
+ memset(newc, 0, sizeof(ocontext_t));
+ newc->u.node.addr = addr.s_addr;
+ newc->u.node.mask = mask.s_addr;
+
+ if (parse_security_context(&newc->context[0])) {
+ free(newc);
+ return -1;
+ }
+
+ /* Create order of most specific to least retaining
+ the order specified in the configuration. */
+ head = policydbp->ocontexts[OCON_NODE];
+ for (l = NULL, c = head; c; l = c, c = c->next) {
+ if (newc->u.node.mask > c->u.node.mask)
+ break;
+ }
+
+ newc->next = c;
+
+ if (l)
+ l->next = newc;
+ else
+ policydbp->ocontexts[OCON_NODE] = newc;
+ rc = 0;
+out:
+ return rc;
+}
+
+int define_ipv6_node_context(void)
+{
+ char *id;
+ int rc = 0;
+ struct in6_addr addr, mask;
+ ocontext_t *newc, *c, *l, *head;
+
+ if (policydbp->target_platform != SEPOL_TARGET_SELINUX) {
+ yyerror("nodecon not supported for target");
+ return -1;
+ }
+
+ if (pass == 1) {
+ free(queue_remove(id_queue));
+ free(queue_remove(id_queue));
+ parse_security_context(NULL);
+ goto out;
+ }
+
+ id = queue_remove(id_queue);
+ if (!id) {
+ yyerror("failed to read ipv6 address");
+ rc = -1;
+ goto out;
+ }
+
+ rc = inet_pton(AF_INET6, id, &addr);
+ free(id);
+ if (rc < 1) {
+ yyerror("failed to parse ipv6 address");
+ if (rc == 0)
+ rc = -1;
+ goto out;
+ }
+
+ id = queue_remove(id_queue);
+ if (!id) {
+ yyerror("failed to read ipv6 address");
+ rc = -1;
+ goto out;
+ }
+
+ rc = inet_pton(AF_INET6, id, &mask);
+ free(id);
+ if (rc < 1) {
+ yyerror("failed to parse ipv6 mask");
+ if (rc == 0)
+ rc = -1;
+ goto out;
+ }
+
+ newc = malloc(sizeof(ocontext_t));
+ if (!newc) {
+ yyerror("out of memory");
+ rc = -1;
+ goto out;
+ }
+
+ memset(newc, 0, sizeof(ocontext_t));
+
+#ifdef __APPLE__
+ memcpy(&newc->u.node6.addr[0], &addr.s6_addr[0], 16);
+ memcpy(&newc->u.node6.mask[0], &mask.s6_addr[0], 16);
+#else
+ memcpy(&newc->u.node6.addr[0], &addr.s6_addr32[0], 16);
+ memcpy(&newc->u.node6.mask[0], &mask.s6_addr32[0], 16);
+#endif
+
+ if (parse_security_context(&newc->context[0])) {
+ free(newc);
+ rc = -1;
+ goto out;
+ }
+
+ /* Create order of most specific to least retaining
+ the order specified in the configuration. */
+ head = policydbp->ocontexts[OCON_NODE6];
+ for (l = NULL, c = head; c; l = c, c = c->next) {
+ if (memcmp(&newc->u.node6.mask, &c->u.node6.mask, 16) > 0)
+ break;
+ }
+
+ newc->next = c;
+
+ if (l)
+ l->next = newc;
+ else
+ policydbp->ocontexts[OCON_NODE6] = newc;
+
+ rc = 0;
+ out:
+ return rc;
+}
+
+int define_fs_use(int behavior)
+{
+ ocontext_t *newc, *c, *head;
+
+ if (policydbp->target_platform != SEPOL_TARGET_SELINUX) {
+ yyerror("fsuse not supported for target");
+ return -1;
+ }
+
+ if (pass == 1) {
+ free(queue_remove(id_queue));
+ parse_security_context(NULL);
+ return 0;
+ }
+
+ newc = (ocontext_t *) malloc(sizeof(ocontext_t));
+ if (!newc) {
+ yyerror("out of memory");
+ return -1;
+ }
+ memset(newc, 0, sizeof(ocontext_t));
+
+ newc->u.name = (char *)queue_remove(id_queue);
+ if (!newc->u.name) {
+ free(newc);
+ return -1;
+ }
+ newc->v.behavior = behavior;
+ if (parse_security_context(&newc->context[0])) {
+ free(newc->u.name);
+ free(newc);
+ return -1;
+ }
+
+ head = policydbp->ocontexts[OCON_FSUSE];
+
+ for (c = head; c; c = c->next) {
+ if (!strcmp(newc->u.name, c->u.name)) {
+ yyerror2("duplicate fs_use entry for filesystem type %s",
+ newc->u.name);
+ context_destroy(&newc->context[0]);
+ free(newc->u.name);
+ free(newc);
+ return -1;
+ }
+ }
+
+ newc->next = head;
+ policydbp->ocontexts[OCON_FSUSE] = newc;
+ return 0;
+}
+
+int define_genfs_context_helper(char *fstype, int has_type)
+{
+ struct genfs *genfs_p, *genfs, *newgenfs;
+ ocontext_t *newc, *c, *head, *p;
+ char *type = NULL;
+ int len, len2;
+
+ if (policydbp->target_platform != SEPOL_TARGET_SELINUX) {
+ yyerror("genfs not supported for target");
+ return -1;
+ }
+
+ if (pass == 1) {
+ free(fstype);
+ free(queue_remove(id_queue));
+ if (has_type)
+ free(queue_remove(id_queue));
+ parse_security_context(NULL);
+ return 0;
+ }
+
+ for (genfs_p = NULL, genfs = policydbp->genfs;
+ genfs; genfs_p = genfs, genfs = genfs->next) {
+ if (strcmp(fstype, genfs->fstype) <= 0)
+ break;
+ }
+
+ if (!genfs || strcmp(fstype, genfs->fstype)) {
+ newgenfs = malloc(sizeof(struct genfs));
+ if (!newgenfs) {
+ yyerror("out of memory");
+ return -1;
+ }
+ memset(newgenfs, 0, sizeof(struct genfs));
+ newgenfs->fstype = fstype;
+ newgenfs->next = genfs;
+ if (genfs_p)
+ genfs_p->next = newgenfs;
+ else
+ policydbp->genfs = newgenfs;
+ genfs = newgenfs;
+ }
+
+ newc = (ocontext_t *) malloc(sizeof(ocontext_t));
+ if (!newc) {
+ yyerror("out of memory");
+ return -1;
+ }
+ memset(newc, 0, sizeof(ocontext_t));
+
+ newc->u.name = (char *)queue_remove(id_queue);
+ if (!newc->u.name)
+ goto fail;
+ if (has_type) {
+ type = (char *)queue_remove(id_queue);
+ if (!type)
+ goto fail;
+ if (type[1] != 0) {
+ yyerror2("invalid type %s", type);
+ goto fail;
+ }
+ switch (type[0]) {
+ case 'b':
+ newc->v.sclass = SECCLASS_BLK_FILE;
+ break;
+ case 'c':
+ newc->v.sclass = SECCLASS_CHR_FILE;
+ break;
+ case 'd':
+ newc->v.sclass = SECCLASS_DIR;
+ break;
+ case 'p':
+ newc->v.sclass = SECCLASS_FIFO_FILE;
+ break;
+ case 'l':
+ newc->v.sclass = SECCLASS_LNK_FILE;
+ break;
+ case 's':
+ newc->v.sclass = SECCLASS_SOCK_FILE;
+ break;
+ case '-':
+ newc->v.sclass = SECCLASS_FILE;
+ break;
+ default:
+ yyerror2("invalid type %s", type);
+ goto fail;
+ }
+ }
+ if (parse_security_context(&newc->context[0]))
+ goto fail;
+
+ head = genfs->head;
+
+ for (p = NULL, c = head; c; p = c, c = c->next) {
+ if (!strcmp(newc->u.name, c->u.name) &&
+ (!newc->v.sclass || !c->v.sclass
+ || newc->v.sclass == c->v.sclass)) {
+ yyerror2("duplicate entry for genfs entry (%s, %s)",
+ fstype, newc->u.name);
+ goto fail;
+ }
+ len = strlen(newc->u.name);
+ len2 = strlen(c->u.name);
+ if (len > len2)
+ break;
+ }
+
+ newc->next = c;
+ if (p)
+ p->next = newc;
+ else
+ genfs->head = newc;
+ return 0;
+ fail:
+ if (type)
+ free(type);
+ context_destroy(&newc->context[0]);
+ if (fstype)
+ free(fstype);
+ if (newc->u.name)
+ free(newc->u.name);
+ free(newc);
+ return -1;
+}
+
+int define_genfs_context(int has_type)
+{
+ return define_genfs_context_helper(queue_remove(id_queue), has_type);
+}
+
+int define_range_trans(int class_specified)
+{
+ char *id;
+ level_datum_t *levdatum = 0;
+ class_datum_t *cladatum;
+ range_trans_rule_t *rule;
+ int l, add = 1;
+
+ if (!mlspol) {
+ yyerror("range_transition rule in non-MLS configuration");
+ return -1;
+ }
+
+ if (pass == 1) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ if (class_specified)
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ id = queue_remove(id_queue);
+ free(id);
+ for (l = 0; l < 2; l++) {
+ while ((id = queue_remove(id_queue))) {
+ free(id);
+ }
+ id = queue_remove(id_queue);
+ if (!id)
+ break;
+ free(id);
+ }
+ return 0;
+ }
+
+ rule = malloc(sizeof(struct range_trans_rule));
+ if (!rule) {
+ yyerror("out of memory");
+ return -1;
+ }
+ range_trans_rule_init(rule);
+
+ while ((id = queue_remove(id_queue))) {
+ if (set_types(&rule->stypes, id, &add, 0))
+ goto out;
+ }
+ add = 1;
+ while ((id = queue_remove(id_queue))) {
+ if (set_types(&rule->ttypes, id, &add, 0))
+ goto out;
+ }
+
+ if (class_specified) {
+ if (read_classes(&rule->tclasses))
+ goto out;
+ } else {
+ cladatum = hashtab_search(policydbp->p_classes.table,
+ "process");
+ if (!cladatum) {
+ yyerror2("could not find process class for "
+ "legacy range_transition statement");
+ goto out;
+ }
+
+ if (ebitmap_set_bit(&rule->tclasses, cladatum->s.value - 1, TRUE)) {
+ yyerror("out of memory");
+ goto out;
+ }
+ }
+
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror("no range in range_transition definition?");
+ goto out;
+ }
+ for (l = 0; l < 2; l++) {
+ levdatum = hashtab_search(policydbp->p_levels.table, id);
+ if (!levdatum) {
+ yyerror2("unknown level %s used in range_transition "
+ "definition", id);
+ free(id);
+ goto out;
+ }
+ free(id);
+
+ rule->trange.level[l].sens = levdatum->level->sens;
+
+ while ((id = queue_remove(id_queue))) {
+ if (parse_semantic_categories(id, levdatum,
+ &rule->trange.level[l].cat)) {
+ free(id);
+ goto out;
+ }
+ free(id);
+ }
+
+ id = (char *)queue_remove(id_queue);
+ if (!id)
+ break;
+ }
+ if (l == 0) {
+ if (mls_semantic_level_cpy(&rule->trange.level[1],
+ &rule->trange.level[0])) {
+ yyerror("out of memory");
+ goto out;
+ }
+ }
+
+ append_range_trans(rule);
+ return 0;
+
+out:
+ range_trans_rule_destroy(rule);
+ free(rule);
+ return -1;
+}
+
+/* FLASK */
diff --git a/checkpolicy/policy_define.h b/checkpolicy/policy_define.h
new file mode 100644
index 0000000..964baae
--- /dev/null
+++ b/checkpolicy/policy_define.h
@@ -0,0 +1,74 @@
+/* Functions used to define policy grammar components. */
+
+#ifndef _POLICY_DEFINE_H_
+#define _POLICY_DEFINE_H_
+
+/*
+ * We need the following so we have a valid error return code in yacc
+ * when we have a parse error for a conditional rule. We can't check
+ * for NULL (ie 0) because that is a potentially valid return.
+ */
+#define COND_ERR ((avrule_t *)-1)
+#define TRUE 1
+#define FALSE 0
+
+avrule_t *define_cond_compute_type(int which);
+avrule_t *define_cond_pol_list(avrule_t *avlist, avrule_t *stmt);
+avrule_t *define_cond_te_avtab(int which);
+avrule_t *define_cond_filename_trans(void);
+cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void* arg2);
+int define_attrib(void);
+int define_attrib_role(void);
+int define_av_perms(int inherits);
+int define_bool_tunable(int is_tunable);
+int define_category(void);
+int define_class(void);
+int define_default_user(int which);
+int define_default_role(int which);
+int define_default_type(int which);
+int define_default_range(int which);
+int define_common_perms(void);
+int define_compute_type(int which);
+int define_conditional(cond_expr_t *expr, avrule_t *t_list, avrule_t *f_list );
+int define_constraint(constraint_expr_t *expr);
+int define_dominance(void);
+int define_fs_context(unsigned int major, unsigned int minor);
+int define_fs_use(int behavior);
+int define_genfs_context(int has_type);
+int define_initial_sid_context(void);
+int define_initial_sid(void);
+int define_ipv4_node_context(void);
+int define_ipv6_node_context(void);
+int define_level(void);
+int define_netif_context(void);
+int define_permissive(void);
+int define_polcap(void);
+int define_port_context(unsigned int low, unsigned int high);
+int define_pirq_context(unsigned int pirq);
+int define_iomem_context(uint64_t low, uint64_t high);
+int define_ioport_context(unsigned long low, unsigned long high);
+int define_pcidevice_context(unsigned long device);
+int define_devicetree_context(void);
+int define_range_trans(int class_specified);
+int define_role_allow(void);
+int define_role_trans(int class_specified);
+int define_role_types(void);
+int define_role_attr(void);
+int define_roleattribute(void);
+int define_filename_trans(void);
+int define_sens(void);
+int define_te_avtab(int which);
+int define_te_avtab_extended_perms(int which);
+int define_typealias(void);
+int define_typeattribute(void);
+int define_typebounds(void);
+int define_type(int alias);
+int define_user(void);
+int define_validatetrans(constraint_expr_t *expr);
+int insert_id(const char *id,int push);
+int insert_separator(int push);
+role_datum_t *define_role_dom(role_datum_t *r);
+role_datum_t *merge_roles_dom(role_datum_t *r1,role_datum_t *r2);
+uintptr_t define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2);
+
+#endif /* _POLICY_DEFINE_H_ */
diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
new file mode 100644
index 0000000..3b6a2f8
--- /dev/null
+++ b/checkpolicy/policy_parse.y
@@ -0,0 +1,949 @@
+
+/*
+ * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
+ */
+
+/*
+ * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
+ *
+ * Support for enhanced MLS infrastructure.
+ *
+ * Updated: David Caplan, <dac@tresys.com>
+ *
+ * Added conditional policy language extensions
+ *
+ * Updated: Joshua Brindle <jbrindle@tresys.com>
+ * Karl MacMillan <kmacmillan@mentalrootkit.com>
+ * Jason Tang <jtang@tresys.com>
+ *
+ * Added support for binary policy modules
+ *
+ * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
+ * Copyright (C) 2003 - 2008 Tresys Technology, LLC
+ * Copyright (C) 2007 Red Hat Inc.
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 2.
+ */
+
+/* FLASK */
+
+%{
+#include <sys/types.h>
+#include <assert.h>
+#include <stdarg.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <stdlib.h>
+
+#include <sepol/policydb/expand.h>
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/services.h>
+#include <sepol/policydb/conditional.h>
+#include <sepol/policydb/flask.h>
+#include <sepol/policydb/hierarchy.h>
+#include <sepol/policydb/polcaps.h>
+#include "queue.h"
+#include "checkpolicy.h"
+#include "module_compiler.h"
+#include "policy_define.h"
+
+extern policydb_t *policydbp;
+extern unsigned int pass;
+
+extern char yytext[];
+extern int yylex(void);
+extern int yywarn(const char *msg);
+extern int yyerror(const char *msg);
+
+typedef int (* require_func_t)(int pass);
+
+%}
+
+%union {
+ unsigned int val;
+ uint64_t val64;
+ uintptr_t valptr;
+ void *ptr;
+ require_func_t require_func;
+}
+
+%type <ptr> cond_expr cond_expr_prim cond_pol_list cond_else
+%type <ptr> cond_allow_def cond_auditallow_def cond_auditdeny_def cond_dontaudit_def
+%type <ptr> cond_transition_def cond_te_avtab_def cond_rule_def
+%type <ptr> role_def roles
+%type <valptr> cexpr cexpr_prim op role_mls_op
+%type <val> ipv4_addr_def number
+%type <val64> number64
+%type <require_func> require_decl_def
+
+%token PATH
+%token QPATH
+%token FILENAME
+%token CLONE
+%token COMMON
+%token CLASS
+%token CONSTRAIN
+%token VALIDATETRANS
+%token INHERITS
+%token SID
+%token ROLE
+%token ROLEATTRIBUTE
+%token ATTRIBUTE_ROLE
+%token ROLES
+%token TYPEALIAS
+%token TYPEATTRIBUTE
+%token TYPEBOUNDS
+%token TYPE
+%token TYPES
+%token ALIAS
+%token ATTRIBUTE
+%token BOOL
+%token TUNABLE
+%token IF
+%token ELSE
+%token TYPE_TRANSITION
+%token TYPE_MEMBER
+%token TYPE_CHANGE
+%token ROLE_TRANSITION
+%token RANGE_TRANSITION
+%token SENSITIVITY
+%token DOMINANCE
+%token DOM DOMBY INCOMP
+%token CATEGORY
+%token LEVEL
+%token RANGE
+%token MLSCONSTRAIN
+%token MLSVALIDATETRANS
+%token USER
+%token NEVERALLOW
+%token ALLOW
+%token AUDITALLOW
+%token AUDITDENY
+%token DONTAUDIT
+%token ALLOWXPERM
+%token AUDITALLOWXPERM
+%token DONTAUDITXPERM
+%token NEVERALLOWXPERM
+%token SOURCE
+%token TARGET
+%token SAMEUSER
+%token FSCON PORTCON NETIFCON NODECON
+%token PIRQCON IOMEMCON IOPORTCON PCIDEVICECON DEVICETREECON
+%token FSUSEXATTR FSUSETASK FSUSETRANS
+%token GENFSCON
+%token U1 U2 U3 R1 R2 R3 T1 T2 T3 L1 L2 H1 H2
+%token NOT AND OR XOR
+%token CTRUE CFALSE
+%token IDENTIFIER
+%token NUMBER
+%token EQUALS
+%token NOTEQUAL
+%token IPV4_ADDR
+%token IPV6_ADDR
+%token MODULE VERSION_IDENTIFIER REQUIRE OPTIONAL
+%token POLICYCAP
+%token PERMISSIVE
+%token FILESYSTEM
+%token DEFAULT_USER DEFAULT_ROLE DEFAULT_TYPE DEFAULT_RANGE
+%token LOW_HIGH LOW HIGH
+
+%left OR
+%left XOR
+%left AND
+%right NOT
+%left EQUALS NOTEQUAL
+%%
+policy : base_policy
+ | module_policy
+ ;
+base_policy : { if (define_policy(pass, 0) == -1) return -1; }
+ classes initial_sids access_vectors
+ { if (pass == 1) { if (policydb_index_classes(policydbp)) return -1; }
+ else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1; }}
+ opt_default_rules opt_mls te_rbac users opt_constraints
+ { if (pass == 1) { if (policydb_index_bools(policydbp)) return -1;}
+ else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1;}}
+ initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts
+ ;
+classes : class_def
+ | classes class_def
+ ;
+class_def : CLASS identifier
+ {if (define_class()) return -1;}
+ ;
+initial_sids : initial_sid_def
+ | initial_sids initial_sid_def
+ ;
+initial_sid_def : SID identifier
+ {if (define_initial_sid()) return -1;}
+ ;
+access_vectors : opt_common_perms av_perms
+ ;
+opt_common_perms : common_perms
+ |
+ ;
+common_perms : common_perms_def
+ | common_perms common_perms_def
+ ;
+common_perms_def : COMMON identifier '{' identifier_list '}'
+ {if (define_common_perms()) return -1;}
+ ;
+av_perms : av_perms_def
+ | av_perms av_perms_def
+ ;
+av_perms_def : CLASS identifier '{' identifier_list '}'
+ {if (define_av_perms(FALSE)) return -1;}
+ | CLASS identifier INHERITS identifier
+ {if (define_av_perms(TRUE)) return -1;}
+ | CLASS identifier INHERITS identifier '{' identifier_list '}'
+ {if (define_av_perms(TRUE)) return -1;}
+ ;
+opt_default_rules : default_rules
+ |
+ ;
+default_rules : default_user_def
+ | default_role_def
+ | default_type_def
+ | default_range_def
+ | default_rules default_user_def
+ | default_rules default_role_def
+ | default_rules default_type_def
+ | default_rules default_range_def
+ ;
+default_user_def : DEFAULT_USER names SOURCE ';'
+ {if (define_default_user(DEFAULT_SOURCE)) return -1; }
+ | DEFAULT_USER names TARGET ';'
+ {if (define_default_user(DEFAULT_TARGET)) return -1; }
+ ;
+default_role_def : DEFAULT_ROLE names SOURCE ';'
+ {if (define_default_role(DEFAULT_SOURCE)) return -1; }
+ | DEFAULT_ROLE names TARGET ';'
+ {if (define_default_role(DEFAULT_TARGET)) return -1; }
+ ;
+default_type_def : DEFAULT_TYPE names SOURCE ';'
+ {if (define_default_type(DEFAULT_SOURCE)) return -1; }
+ | DEFAULT_TYPE names TARGET ';'
+ {if (define_default_type(DEFAULT_TARGET)) return -1; }
+ ;
+default_range_def : DEFAULT_RANGE names SOURCE LOW ';'
+ {if (define_default_range(DEFAULT_SOURCE_LOW)) return -1; }
+ | DEFAULT_RANGE names SOURCE HIGH ';'
+ {if (define_default_range(DEFAULT_SOURCE_HIGH)) return -1; }
+ | DEFAULT_RANGE names SOURCE LOW_HIGH ';'
+ {if (define_default_range(DEFAULT_SOURCE_LOW_HIGH)) return -1; }
+ | DEFAULT_RANGE names TARGET LOW ';'
+ {if (define_default_range(DEFAULT_TARGET_LOW)) return -1; }
+ | DEFAULT_RANGE names TARGET HIGH ';'
+ {if (define_default_range(DEFAULT_TARGET_HIGH)) return -1; }
+ | DEFAULT_RANGE names TARGET LOW_HIGH ';'
+ {if (define_default_range(DEFAULT_TARGET_LOW_HIGH)) return -1; }
+ ;
+opt_mls : mls
+ |
+ ;
+mls : sensitivities dominance opt_categories levels mlspolicy
+ ;
+sensitivities : sensitivity_def
+ | sensitivities sensitivity_def
+ ;
+sensitivity_def : SENSITIVITY identifier alias_def ';'
+ {if (define_sens()) return -1;}
+ | SENSITIVITY identifier ';'
+ {if (define_sens()) return -1;}
+ ;
+alias_def : ALIAS names
+ ;
+dominance : DOMINANCE identifier
+ {if (define_dominance()) return -1;}
+ | DOMINANCE '{' identifier_list '}'
+ {if (define_dominance()) return -1;}
+ ;
+opt_categories : categories
+ |
+ ;
+categories : category_def
+ | categories category_def
+ ;
+category_def : CATEGORY identifier alias_def ';'
+ {if (define_category()) return -1;}
+ | CATEGORY identifier ';'
+ {if (define_category()) return -1;}
+ ;
+levels : level_def
+ | levels level_def
+ ;
+level_def : LEVEL identifier ':' id_comma_list ';'
+ {if (define_level()) return -1;}
+ | LEVEL identifier ';'
+ {if (define_level()) return -1;}
+ ;
+mlspolicy : mlspolicy_decl
+ | mlspolicy mlspolicy_decl
+ ;
+mlspolicy_decl : mlsconstraint_def
+ | mlsvalidatetrans_def
+ ;
+mlsconstraint_def : MLSCONSTRAIN names names cexpr ';'
+ { if (define_constraint((constraint_expr_t*)$4)) return -1; }
+ ;
+mlsvalidatetrans_def : MLSVALIDATETRANS names cexpr ';'
+ { if (define_validatetrans((constraint_expr_t*)$3)) return -1; }
+ ;
+te_rbac : te_rbac_decl
+ | te_rbac te_rbac_decl
+ ;
+te_rbac_decl : te_decl
+ | rbac_decl
+ | cond_stmt_def
+ | optional_block
+ | policycap_def
+ | ';'
+ ;
+rbac_decl : attribute_role_def
+ | role_type_def
+ | role_dominance
+ | role_trans_def
+ | role_allow_def
+ | roleattribute_def
+ | role_attr_def
+ ;
+te_decl : attribute_def
+ | type_def
+ | typealias_def
+ | typeattribute_def
+ | typebounds_def
+ | bool_def
+ | tunable_def
+ | transition_def
+ | range_trans_def
+ | te_avtab_def
+ | permissive_def
+ ;
+attribute_def : ATTRIBUTE identifier ';'
+ { if (define_attrib()) return -1;}
+ ;
+type_def : TYPE identifier alias_def opt_attr_list ';'
+ {if (define_type(1)) return -1;}
+ | TYPE identifier opt_attr_list ';'
+ {if (define_type(0)) return -1;}
+ ;
+typealias_def : TYPEALIAS identifier alias_def ';'
+ {if (define_typealias()) return -1;}
+ ;
+typeattribute_def : TYPEATTRIBUTE identifier id_comma_list ';'
+ {if (define_typeattribute()) return -1;}
+ ;
+typebounds_def : TYPEBOUNDS identifier id_comma_list ';'
+ {if (define_typebounds()) return -1;}
+ ;
+opt_attr_list : ',' id_comma_list
+ |
+ ;
+bool_def : BOOL identifier bool_val ';'
+ { if (define_bool_tunable(0)) return -1; }
+ ;
+tunable_def : TUNABLE identifier bool_val ';'
+ { if (define_bool_tunable(1)) return -1; }
+ ;
+bool_val : CTRUE
+ { if (insert_id("T",0)) return -1; }
+ | CFALSE
+ { if (insert_id("F",0)) return -1; }
+ ;
+cond_stmt_def : IF cond_expr '{' cond_pol_list '}' cond_else
+ { if (pass == 2) { if (define_conditional((cond_expr_t*)$2, (avrule_t*)$4, (avrule_t*)$6) < 0) return -1; }}
+ ;
+cond_else : ELSE '{' cond_pol_list '}'
+ { $$ = $3; }
+ | /* empty */
+ { $$ = NULL; }
+ ;
+cond_expr : '(' cond_expr ')'
+ { $$ = $2;}
+ | NOT cond_expr
+ { $$ = define_cond_expr(COND_NOT, $2, 0);
+ if ($$ == 0) return -1; }
+ | cond_expr AND cond_expr
+ { $$ = define_cond_expr(COND_AND, $1, $3);
+ if ($$ == 0) return -1; }
+ | cond_expr OR cond_expr
+ { $$ = define_cond_expr(COND_OR, $1, $3);
+ if ($$ == 0) return -1; }
+ | cond_expr XOR cond_expr
+ { $$ = define_cond_expr(COND_XOR, $1, $3);
+ if ($$ == 0) return -1; }
+ | cond_expr EQUALS cond_expr
+ { $$ = define_cond_expr(COND_EQ, $1, $3);
+ if ($$ == 0) return -1; }
+ | cond_expr NOTEQUAL cond_expr
+ { $$ = define_cond_expr(COND_NEQ, $1, $3);
+ if ($$ == 0) return -1; }
+ | cond_expr_prim
+ { $$ = $1; }
+ ;
+cond_expr_prim : identifier
+ { $$ = define_cond_expr(COND_BOOL,0, 0);
+ if ($$ == COND_ERR) return -1; }
+ ;
+cond_pol_list : cond_pol_list cond_rule_def
+ { $$ = define_cond_pol_list((avrule_t *)$1, (avrule_t *)$2); }
+ | /* empty */
+ { $$ = NULL; }
+ ;
+cond_rule_def : cond_transition_def
+ { $$ = $1; }
+ | cond_te_avtab_def
+ { $$ = $1; }
+ | require_block
+ { $$ = NULL; }
+ ;
+cond_transition_def : TYPE_TRANSITION names names ':' names identifier filename ';'
+ { $$ = define_cond_filename_trans() ;
+ if ($$ == COND_ERR) return -1;}
+ | TYPE_TRANSITION names names ':' names identifier ';'
+ { $$ = define_cond_compute_type(AVRULE_TRANSITION) ;
+ if ($$ == COND_ERR) return -1;}
+ | TYPE_MEMBER names names ':' names identifier ';'
+ { $$ = define_cond_compute_type(AVRULE_MEMBER) ;
+ if ($$ == COND_ERR) return -1;}
+ | TYPE_CHANGE names names ':' names identifier ';'
+ { $$ = define_cond_compute_type(AVRULE_CHANGE) ;
+ if ($$ == COND_ERR) return -1;}
+ ;
+cond_te_avtab_def : cond_allow_def
+ { $$ = $1; }
+ | cond_auditallow_def
+ { $$ = $1; }
+ | cond_auditdeny_def
+ { $$ = $1; }
+ | cond_dontaudit_def
+ { $$ = $1; }
+ ;
+cond_allow_def : ALLOW names names ':' names names ';'
+ { $$ = define_cond_te_avtab(AVRULE_ALLOWED) ;
+ if ($$ == COND_ERR) return -1; }
+ ;
+cond_auditallow_def : AUDITALLOW names names ':' names names ';'
+ { $$ = define_cond_te_avtab(AVRULE_AUDITALLOW) ;
+ if ($$ == COND_ERR) return -1; }
+ ;
+cond_auditdeny_def : AUDITDENY names names ':' names names ';'
+ { $$ = define_cond_te_avtab(AVRULE_AUDITDENY) ;
+ if ($$ == COND_ERR) return -1; }
+ ;
+cond_dontaudit_def : DONTAUDIT names names ':' names names ';'
+ { $$ = define_cond_te_avtab(AVRULE_DONTAUDIT);
+ if ($$ == COND_ERR) return -1; }
+ ;
+ ;
+transition_def : TYPE_TRANSITION names names ':' names identifier filename ';'
+ {if (define_filename_trans()) return -1; }
+ | TYPE_TRANSITION names names ':' names identifier ';'
+ {if (define_compute_type(AVRULE_TRANSITION)) return -1;}
+ | TYPE_MEMBER names names ':' names identifier ';'
+ {if (define_compute_type(AVRULE_MEMBER)) return -1;}
+ | TYPE_CHANGE names names ':' names identifier ';'
+ {if (define_compute_type(AVRULE_CHANGE)) return -1;}
+ ;
+range_trans_def : RANGE_TRANSITION names names mls_range_def ';'
+ { if (define_range_trans(0)) return -1; }
+ | RANGE_TRANSITION names names ':' names mls_range_def ';'
+ { if (define_range_trans(1)) return -1; }
+ ;
+te_avtab_def : allow_def
+ | auditallow_def
+ | auditdeny_def
+ | dontaudit_def
+ | neverallow_def
+ | xperm_allow_def
+ | xperm_auditallow_def
+ | xperm_dontaudit_def
+ | xperm_neverallow_def
+ ;
+allow_def : ALLOW names names ':' names names ';'
+ {if (define_te_avtab(AVRULE_ALLOWED)) return -1; }
+ ;
+auditallow_def : AUDITALLOW names names ':' names names ';'
+ {if (define_te_avtab(AVRULE_AUDITALLOW)) return -1; }
+ ;
+auditdeny_def : AUDITDENY names names ':' names names ';'
+ {if (define_te_avtab(AVRULE_AUDITDENY)) return -1; }
+ ;
+dontaudit_def : DONTAUDIT names names ':' names names ';'
+ {if (define_te_avtab(AVRULE_DONTAUDIT)) return -1; }
+ ;
+neverallow_def : NEVERALLOW names names ':' names names ';'
+ {if (define_te_avtab(AVRULE_NEVERALLOW)) return -1; }
+ ;
+xperm_allow_def : ALLOWXPERM names names ':' names identifier xperms ';'
+ {if (define_te_avtab_extended_perms(AVRULE_XPERMS_ALLOWED)) return -1; }
+ ;
+xperm_auditallow_def : AUDITALLOWXPERM names names ':' names identifier xperms ';'
+ {if (define_te_avtab_extended_perms(AVRULE_XPERMS_AUDITALLOW)) return -1; }
+ ;
+xperm_dontaudit_def : DONTAUDITXPERM names names ':' names identifier xperms ';'
+ {if (define_te_avtab_extended_perms(AVRULE_XPERMS_DONTAUDIT)) return -1; }
+ ;
+xperm_neverallow_def : NEVERALLOWXPERM names names ':' names identifier xperms ';'
+ {if (define_te_avtab_extended_perms(AVRULE_XPERMS_NEVERALLOW)) return -1; }
+ ;
+attribute_role_def : ATTRIBUTE_ROLE identifier ';'
+ {if (define_attrib_role()) return -1; }
+ ;
+role_type_def : ROLE identifier TYPES names ';'
+ {if (define_role_types()) return -1;}
+ ;
+role_attr_def : ROLE identifier opt_attr_list ';'
+ {if (define_role_attr()) return -1;}
+ ;
+role_dominance : DOMINANCE '{' roles '}'
+ ;
+role_trans_def : ROLE_TRANSITION names names identifier ';'
+ {if (define_role_trans(0)) return -1; }
+ | ROLE_TRANSITION names names ':' names identifier ';'
+ {if (define_role_trans(1)) return -1;}
+ ;
+role_allow_def : ALLOW names names ';'
+ {if (define_role_allow()) return -1; }
+ ;
+roles : role_def
+ { $$ = $1; }
+ | roles role_def
+ { $$ = merge_roles_dom((role_datum_t*)$1, (role_datum_t*)$2); if ($$ == 0) return -1;}
+ ;
+role_def : ROLE identifier_push ';'
+ {$$ = define_role_dom(NULL); if ($$ == 0) return -1;}
+ | ROLE identifier_push '{' roles '}'
+ {$$ = define_role_dom((role_datum_t*)$4); if ($$ == 0) return -1;}
+ ;
+roleattribute_def : ROLEATTRIBUTE identifier id_comma_list ';'
+ {if (define_roleattribute()) return -1;}
+ ;
+opt_constraints : constraints
+ |
+ ;
+constraints : constraint_decl
+ | constraints constraint_decl
+ ;
+constraint_decl : constraint_def
+ | validatetrans_def
+ ;
+constraint_def : CONSTRAIN names names cexpr ';'
+ { if (define_constraint((constraint_expr_t*)$4)) return -1; }
+ ;
+validatetrans_def : VALIDATETRANS names cexpr ';'
+ { if (define_validatetrans((constraint_expr_t*)$3)) return -1; }
+ ;
+cexpr : '(' cexpr ')'
+ { $$ = $2; }
+ | NOT cexpr
+ { $$ = define_cexpr(CEXPR_NOT, $2, 0);
+ if ($$ == 0) return -1; }
+ | cexpr AND cexpr
+ { $$ = define_cexpr(CEXPR_AND, $1, $3);
+ if ($$ == 0) return -1; }
+ | cexpr OR cexpr
+ { $$ = define_cexpr(CEXPR_OR, $1, $3);
+ if ($$ == 0) return -1; }
+ | cexpr_prim
+ { $$ = $1; }
+ ;
+cexpr_prim : U1 op U2
+ { $$ = define_cexpr(CEXPR_ATTR, CEXPR_USER, $2);
+ if ($$ == 0) return -1; }
+ | R1 role_mls_op R2
+ { $$ = define_cexpr(CEXPR_ATTR, CEXPR_ROLE, $2);
+ if ($$ == 0) return -1; }
+ | T1 op T2
+ { $$ = define_cexpr(CEXPR_ATTR, CEXPR_TYPE, $2);
+ if ($$ == 0) return -1; }
+ | U1 op { if (insert_separator(1)) return -1; } names_push
+ { $$ = define_cexpr(CEXPR_NAMES, CEXPR_USER, $2);
+ if ($$ == 0) return -1; }
+ | U2 op { if (insert_separator(1)) return -1; } names_push
+ { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_TARGET), $2);
+ if ($$ == 0) return -1; }
+ | U3 op { if (insert_separator(1)) return -1; } names_push
+ { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_XTARGET), $2);
+ if ($$ == 0) return -1; }
+ | R1 op { if (insert_separator(1)) return -1; } names_push
+ { $$ = define_cexpr(CEXPR_NAMES, CEXPR_ROLE, $2);
+ if ($$ == 0) return -1; }
+ | R2 op { if (insert_separator(1)) return -1; } names_push
+ { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_ROLE | CEXPR_TARGET), $2);
+ if ($$ == 0) return -1; }
+ | R3 op { if (insert_separator(1)) return -1; } names_push
+ { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_ROLE | CEXPR_XTARGET), $2);
+ if ($$ == 0) return -1; }
+ | T1 op { if (insert_separator(1)) return -1; } names_push
+ { $$ = define_cexpr(CEXPR_NAMES, CEXPR_TYPE, $2);
+ if ($$ == 0) return -1; }
+ | T2 op { if (insert_separator(1)) return -1; } names_push
+ { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_TYPE | CEXPR_TARGET), $2);
+ if ($$ == 0) return -1; }
+ | T3 op { if (insert_separator(1)) return -1; } names_push
+ { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_TYPE | CEXPR_XTARGET), $2);
+ if ($$ == 0) return -1; }
+ | SAMEUSER
+ { $$ = define_cexpr(CEXPR_ATTR, CEXPR_USER, CEXPR_EQ);
+ if ($$ == 0) return -1; }
+ | SOURCE ROLE { if (insert_separator(1)) return -1; } names_push
+ { $$ = define_cexpr(CEXPR_NAMES, CEXPR_ROLE, CEXPR_EQ);
+ if ($$ == 0) return -1; }
+ | TARGET ROLE { if (insert_separator(1)) return -1; } names_push
+ { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_ROLE | CEXPR_TARGET), CEXPR_EQ);
+ if ($$ == 0) return -1; }
+ | ROLE role_mls_op
+ { $$ = define_cexpr(CEXPR_ATTR, CEXPR_ROLE, $2);
+ if ($$ == 0) return -1; }
+ | SOURCE TYPE { if (insert_separator(1)) return -1; } names_push
+ { $$ = define_cexpr(CEXPR_NAMES, CEXPR_TYPE, CEXPR_EQ);
+ if ($$ == 0) return -1; }
+ | TARGET TYPE { if (insert_separator(1)) return -1; } names_push
+ { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_TYPE | CEXPR_TARGET), CEXPR_EQ);
+ if ($$ == 0) return -1; }
+ | L1 role_mls_op L2
+ { $$ = define_cexpr(CEXPR_ATTR, CEXPR_L1L2, $2);
+ if ($$ == 0) return -1; }
+ | L1 role_mls_op H2
+ { $$ = define_cexpr(CEXPR_ATTR, CEXPR_L1H2, $2);
+ if ($$ == 0) return -1; }
+ | H1 role_mls_op L2
+ { $$ = define_cexpr(CEXPR_ATTR, CEXPR_H1L2, $2);
+ if ($$ == 0) return -1; }
+ | H1 role_mls_op H2
+ { $$ = define_cexpr(CEXPR_ATTR, CEXPR_H1H2, $2);
+ if ($$ == 0) return -1; }
+ | L1 role_mls_op H1
+ { $$ = define_cexpr(CEXPR_ATTR, CEXPR_L1H1, $2);
+ if ($$ == 0) return -1; }
+ | L2 role_mls_op H2
+ { $$ = define_cexpr(CEXPR_ATTR, CEXPR_L2H2, $2);
+ if ($$ == 0) return -1; }
+ ;
+op : EQUALS
+ { $$ = CEXPR_EQ; }
+ | NOTEQUAL
+ { $$ = CEXPR_NEQ; }
+ ;
+role_mls_op : op
+ { $$ = $1; }
+ | DOM
+ { $$ = CEXPR_DOM; }
+ | DOMBY
+ { $$ = CEXPR_DOMBY; }
+ | INCOMP
+ { $$ = CEXPR_INCOMP; }
+ ;
+users : user_def
+ | users user_def
+ ;
+user_def : USER identifier ROLES names opt_mls_user ';'
+ {if (define_user()) return -1;}
+ ;
+opt_mls_user : LEVEL mls_level_def RANGE mls_range_def
+ |
+ ;
+initial_sid_contexts : initial_sid_context_def
+ | initial_sid_contexts initial_sid_context_def
+ ;
+initial_sid_context_def : SID identifier security_context_def
+ {if (define_initial_sid_context()) return -1;}
+ ;
+opt_dev_contexts : dev_contexts |
+ ;
+dev_contexts : dev_context_def
+ | dev_contexts dev_context_def
+ ;
+dev_context_def : pirq_context_def |
+ iomem_context_def |
+ ioport_context_def |
+ pci_context_def |
+ dtree_context_def
+ ;
+pirq_context_def : PIRQCON number security_context_def
+ {if (define_pirq_context($2)) return -1;}
+ ;
+iomem_context_def : IOMEMCON number64 security_context_def
+ {if (define_iomem_context($2,$2)) return -1;}
+ | IOMEMCON number64 '-' number64 security_context_def
+ {if (define_iomem_context($2,$4)) return -1;}
+ ;
+ioport_context_def : IOPORTCON number security_context_def
+ {if (define_ioport_context($2,$2)) return -1;}
+ | IOPORTCON number '-' number security_context_def
+ {if (define_ioport_context($2,$4)) return -1;}
+ ;
+pci_context_def : PCIDEVICECON number security_context_def
+ {if (define_pcidevice_context($2)) return -1;}
+ ;
+dtree_context_def : DEVICETREECON path security_context_def
+ {if (define_devicetree_context()) return -1;}
+ ;
+opt_fs_contexts : fs_contexts
+ |
+ ;
+fs_contexts : fs_context_def
+ | fs_contexts fs_context_def
+ ;
+fs_context_def : FSCON number number security_context_def security_context_def
+ {if (define_fs_context($2,$3)) return -1;}
+ ;
+net_contexts : opt_port_contexts opt_netif_contexts opt_node_contexts
+ ;
+opt_port_contexts : port_contexts
+ |
+ ;
+port_contexts : port_context_def
+ | port_contexts port_context_def
+ ;
+port_context_def : PORTCON identifier number security_context_def
+ {if (define_port_context($3,$3)) return -1;}
+ | PORTCON identifier number '-' number security_context_def
+ {if (define_port_context($3,$5)) return -1;}
+ ;
+opt_netif_contexts : netif_contexts
+ |
+ ;
+netif_contexts : netif_context_def
+ | netif_contexts netif_context_def
+ ;
+netif_context_def : NETIFCON identifier security_context_def security_context_def
+ {if (define_netif_context()) return -1;}
+ ;
+opt_node_contexts : node_contexts
+ |
+ ;
+node_contexts : node_context_def
+ | node_contexts node_context_def
+ ;
+node_context_def : NODECON ipv4_addr_def ipv4_addr_def security_context_def
+ {if (define_ipv4_node_context()) return -1;}
+ | NODECON ipv6_addr ipv6_addr security_context_def
+ {if (define_ipv6_node_context()) return -1;}
+ ;
+opt_fs_uses : fs_uses
+ |
+ ;
+fs_uses : fs_use_def
+ | fs_uses fs_use_def
+ ;
+fs_use_def : FSUSEXATTR filesystem security_context_def ';'
+ {if (define_fs_use(SECURITY_FS_USE_XATTR)) return -1;}
+ | FSUSETASK identifier security_context_def ';'
+ {if (define_fs_use(SECURITY_FS_USE_TASK)) return -1;}
+ | FSUSETRANS identifier security_context_def ';'
+ {if (define_fs_use(SECURITY_FS_USE_TRANS)) return -1;}
+ ;
+opt_genfs_contexts : genfs_contexts
+ |
+ ;
+genfs_contexts : genfs_context_def
+ | genfs_contexts genfs_context_def
+ ;
+genfs_context_def : GENFSCON filesystem path '-' identifier security_context_def
+ {if (define_genfs_context(1)) return -1;}
+ | GENFSCON filesystem path '-' '-' {insert_id("-", 0);} security_context_def
+ {if (define_genfs_context(1)) return -1;}
+ | GENFSCON filesystem path security_context_def
+ {if (define_genfs_context(0)) return -1;}
+ ;
+ipv4_addr_def : IPV4_ADDR
+ { if (insert_id(yytext,0)) return -1; }
+ ;
+xperms : xperm
+ { if (insert_separator(0)) return -1; }
+ | nested_xperm_set
+ { if (insert_separator(0)) return -1; }
+ | tilde xperm
+ { if (insert_id("~", 0)) return -1; }
+ | tilde nested_xperm_set
+ { if (insert_id("~", 0)) return -1;
+ if (insert_separator(0)) return -1; }
+ ;
+nested_xperm_set : '{' nested_xperm_list '}'
+ ;
+nested_xperm_list : nested_xperm_element
+ | nested_xperm_list nested_xperm_element
+ ;
+nested_xperm_element: xperm '-' { if (insert_id("-", 0)) return -1; } xperm
+ | xperm
+ | nested_xperm_set
+ ;
+xperm : number
+ { if (insert_id(yytext,0)) return -1; }
+ ;
+security_context_def : identifier ':' identifier ':' identifier opt_mls_range_def
+ ;
+opt_mls_range_def : ':' mls_range_def
+ |
+ ;
+mls_range_def : mls_level_def '-' mls_level_def
+ {if (insert_separator(0)) return -1;}
+ | mls_level_def
+ {if (insert_separator(0)) return -1;}
+ ;
+mls_level_def : identifier ':' id_comma_list
+ {if (insert_separator(0)) return -1;}
+ | identifier
+ {if (insert_separator(0)) return -1;}
+ ;
+id_comma_list : identifier
+ | id_comma_list ',' identifier
+ ;
+tilde : '~'
+ ;
+asterisk : '*'
+ ;
+names : identifier
+ { if (insert_separator(0)) return -1; }
+ | nested_id_set
+ { if (insert_separator(0)) return -1; }
+ | asterisk
+ { if (insert_id("*", 0)) return -1;
+ if (insert_separator(0)) return -1; }
+ | tilde identifier
+ { if (insert_id("~", 0)) return -1;
+ if (insert_separator(0)) return -1; }
+ | tilde nested_id_set
+ { if (insert_id("~", 0)) return -1;
+ if (insert_separator(0)) return -1; }
+ | identifier '-' { if (insert_id("-", 0)) return -1; } identifier
+ { if (insert_separator(0)) return -1; }
+ ;
+tilde_push : tilde
+ { if (insert_id("~", 1)) return -1; }
+ ;
+asterisk_push : asterisk
+ { if (insert_id("*", 1)) return -1; }
+ ;
+names_push : identifier_push
+ | '{' identifier_list_push '}'
+ | asterisk_push
+ | tilde_push identifier_push
+ | tilde_push '{' identifier_list_push '}'
+ ;
+identifier_list_push : identifier_push
+ | identifier_list_push identifier_push
+ ;
+identifier_push : IDENTIFIER
+ { if (insert_id(yytext, 1)) return -1; }
+ ;
+identifier_list : identifier
+ | identifier_list identifier
+ ;
+nested_id_set : '{' nested_id_list '}'
+ ;
+nested_id_list : nested_id_element | nested_id_list nested_id_element
+ ;
+nested_id_element : identifier | '-' { if (insert_id("-", 0)) return -1; } identifier | nested_id_set
+ ;
+identifier : IDENTIFIER
+ { if (insert_id(yytext,0)) return -1; }
+ ;
+filesystem : FILESYSTEM
+ { if (insert_id(yytext,0)) return -1; }
+ | IDENTIFIER
+ { if (insert_id(yytext,0)) return -1; }
+ ;
+path : PATH
+ { if (insert_id(yytext,0)) return -1; }
+ | QPATH
+ { yytext[strlen(yytext) - 1] = '\0'; if (insert_id(yytext + 1,0)) return -1; }
+ ;
+filename : FILENAME
+ { yytext[strlen(yytext) - 1] = '\0'; if (insert_id(yytext + 1,0)) return -1; }
+ ;
+number : NUMBER
+ { $$ = strtoul(yytext,NULL,0); }
+ ;
+number64 : NUMBER
+ { $$ = strtoull(yytext,NULL,0); }
+ ;
+ipv6_addr : IPV6_ADDR
+ { if (insert_id(yytext,0)) return -1; }
+ ;
+policycap_def : POLICYCAP identifier ';'
+ {if (define_polcap()) return -1;}
+ ;
+permissive_def : PERMISSIVE identifier ';'
+ {if (define_permissive()) return -1;}
+
+/*********** module grammar below ***********/
+
+module_policy : module_def avrules_block
+ { if (end_avrule_block(pass) == -1) return -1;
+ if (policydb_index_others(NULL, policydbp, 0)) return -1;
+ }
+ ;
+module_def : MODULE identifier version_identifier ';'
+ { if (define_policy(pass, 1) == -1) return -1; }
+ ;
+version_identifier : VERSION_IDENTIFIER
+ { if (insert_id(yytext,0)) return -1; }
+ | number
+ { if (insert_id(yytext,0)) return -1; }
+ | ipv4_addr_def /* version can look like ipv4 address */
+ ;
+avrules_block : avrule_decls avrule_user_defs
+ ;
+avrule_decls : avrule_decls avrule_decl
+ | avrule_decl
+ ;
+avrule_decl : rbac_decl
+ | te_decl
+ | cond_stmt_def
+ | require_block
+ | optional_block
+ | ';'
+ ;
+require_block : REQUIRE '{' require_list '}'
+ ;
+require_list : require_list require_decl
+ | require_decl
+ ;
+require_decl : require_class ';'
+ | require_decl_def require_id_list ';'
+ ;
+require_class : CLASS identifier names
+ { if (require_class(pass)) return -1; }
+ ;
+require_decl_def : ROLE { $$ = require_role; }
+ | TYPE { $$ = require_type; }
+ | ATTRIBUTE { $$ = require_attribute; }
+ | ATTRIBUTE_ROLE { $$ = require_attribute_role; }
+ | USER { $$ = require_user; }
+ | BOOL { $$ = require_bool; }
+ | TUNABLE { $$ = require_tunable; }
+ | SENSITIVITY { $$ = require_sens; }
+ | CATEGORY { $$ = require_cat; }
+ ;
+require_id_list : identifier
+ { if ($<require_func>0 (pass)) return -1; }
+ | require_id_list ',' identifier
+ { if ($<require_func>0 (pass)) return -1; }
+ ;
+optional_block : optional_decl '{' avrules_block '}'
+ { if (end_avrule_block(pass) == -1) return -1; }
+ optional_else
+ { if (end_optional(pass) == -1) return -1; }
+ ;
+optional_else : else_decl '{' avrules_block '}'
+ { if (end_avrule_block(pass) == -1) return -1; }
+ | /* empty */
+ ;
+optional_decl : OPTIONAL
+ { if (begin_optional(pass) == -1) return -1; }
+ ;
+else_decl : ELSE
+ { if (begin_optional_else(pass) == -1) return -1; }
+ ;
+avrule_user_defs : user_def avrule_user_defs
+ | /* empty */
+ ;
diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
new file mode 100644
index 0000000..22da338
--- /dev/null
+++ b/checkpolicy/policy_scan.l
@@ -0,0 +1,324 @@
+
+/*
+ * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
+ */
+
+/* Updated: David Caplan, <dac@tresys.com>
+ *
+ * Added conditional policy language extensions
+ *
+ * Jason Tang <jtang@tresys.com>
+ *
+ * Added support for binary policy modules
+ *
+ * Copyright (C) 2003-5 Tresys Technology, LLC
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 2.
+ */
+
+/* FLASK */
+
+%{
+#include <sys/types.h>
+#include <limits.h>
+#include <stdint.h>
+#include <string.h>
+
+typedef int (* require_func_t)(void);
+
+#ifdef ANDROID
+#include "policy_parse.h"
+#else
+#include "y.tab.h"
+#endif
+
+static char linebuf[2][255];
+static unsigned int lno = 0;
+int yywarn(const char *msg);
+
+void set_source_file(const char *name);
+
+char source_file[PATH_MAX];
+unsigned long source_lineno = 1;
+
+unsigned long policydb_lineno = 1;
+
+unsigned int policydb_errors = 0;
+%}
+
+%option noinput nounput noyywrap
+
+%array
+letter [A-Za-z]
+digit [0-9]
+alnum [a-zA-Z0-9]
+hexval [0-9A-Fa-f]
+
+%%
+\n.* { strncpy(linebuf[lno], yytext+1, 255);
+ linebuf[lno][254] = 0;
+ lno = 1 - lno;
+ policydb_lineno++;
+ source_lineno++;
+ yyless(1); }
+CLONE |
+clone { return(CLONE); }
+COMMON |
+common { return(COMMON); }
+CLASS |
+class { return(CLASS); }
+CONSTRAIN |
+constrain { return(CONSTRAIN); }
+VALIDATETRANS |
+validatetrans { return(VALIDATETRANS); }
+INHERITS |
+inherits { return(INHERITS); }
+SID |
+sid { return(SID); }
+ROLE |
+role { return(ROLE); }
+ROLES |
+roles { return(ROLES); }
+ROLEATTRIBUTE |
+roleattribute { return(ROLEATTRIBUTE);}
+ATTRIBUTE_ROLE |
+attribute_role { return(ATTRIBUTE_ROLE);}
+TYPES |
+types { return(TYPES); }
+TYPEALIAS |
+typealias { return(TYPEALIAS); }
+TYPEATTRIBUTE |
+typeattribute { return(TYPEATTRIBUTE); }
+TYPEBOUNDS |
+typebounds { return(TYPEBOUNDS); }
+TYPE |
+type { return(TYPE); }
+BOOL |
+bool { return(BOOL); }
+TUNABLE |
+tunable { return(TUNABLE); }
+IF |
+if { return(IF); }
+ELSE |
+else { return(ELSE); }
+ALIAS |
+alias { return(ALIAS); }
+ATTRIBUTE |
+attribute { return(ATTRIBUTE); }
+TYPE_TRANSITION |
+type_transition { return(TYPE_TRANSITION); }
+TYPE_MEMBER |
+type_member { return(TYPE_MEMBER); }
+TYPE_CHANGE |
+type_change { return(TYPE_CHANGE); }
+ROLE_TRANSITION |
+role_transition { return(ROLE_TRANSITION); }
+RANGE_TRANSITION |
+range_transition { return(RANGE_TRANSITION); }
+SENSITIVITY |
+sensitivity { return(SENSITIVITY); }
+DOMINANCE |
+dominance { return(DOMINANCE); }
+CATEGORY |
+category { return(CATEGORY); }
+LEVEL |
+level { return(LEVEL); }
+RANGE |
+range { return(RANGE); }
+MLSCONSTRAIN |
+mlsconstrain { return(MLSCONSTRAIN); }
+MLSVALIDATETRANS |
+mlsvalidatetrans { return(MLSVALIDATETRANS); }
+USER |
+user { return(USER); }
+NEVERALLOW |
+neverallow { return(NEVERALLOW); }
+ALLOW |
+allow { return(ALLOW); }
+AUDITALLOW |
+auditallow { return(AUDITALLOW); }
+AUDITDENY |
+auditdeny { return(AUDITDENY); }
+DONTAUDIT |
+dontaudit { return(DONTAUDIT); }
+ALLOWXPERM |
+allowxperm { return(ALLOWXPERM); }
+AUDITALLOWXPERM |
+auditallowxperm { return(AUDITALLOWXPERM); }
+DONTAUDITXPERM |
+dontauditxperm { return(DONTAUDITXPERM); }
+NEVERALLOWXPERM |
+neverallowxperm { return(NEVERALLOWXPERM); }
+SOURCE |
+source { return(SOURCE); }
+TARGET |
+target { return(TARGET); }
+SAMEUSER |
+sameuser { return(SAMEUSER);}
+module|MODULE { return(MODULE); }
+require|REQUIRE { return(REQUIRE); }
+optional|OPTIONAL { return(OPTIONAL); }
+OR |
+or { return(OR);}
+AND |
+and { return(AND);}
+NOT |
+not { return(NOT);}
+xor |
+XOR { return(XOR); }
+eq |
+EQ { return(EQUALS);}
+true |
+TRUE { return(CTRUE); }
+false |
+FALSE { return(CFALSE); }
+dom |
+DOM { return(DOM);}
+domby |
+DOMBY { return(DOMBY);}
+INCOMP |
+incomp { return(INCOMP);}
+fscon |
+FSCON { return(FSCON);}
+portcon |
+PORTCON { return(PORTCON);}
+netifcon |
+NETIFCON { return(NETIFCON);}
+nodecon |
+NODECON { return(NODECON);}
+pirqcon |
+PIRQCON { return(PIRQCON);}
+iomemcon |
+IOMEMCON { return(IOMEMCON);}
+ioportcon |
+IOPORTCON { return(IOPORTCON);}
+pcidevicecon |
+PCIDEVICECON { return(PCIDEVICECON);}
+devicetreecon |
+DEVICETREECON { return(DEVICETREECON);}
+fs_use_xattr |
+FS_USE_XATTR { return(FSUSEXATTR);}
+fs_use_task |
+FS_USE_TASK { return(FSUSETASK);}
+fs_use_trans |
+FS_USE_TRANS { return(FSUSETRANS);}
+genfscon |
+GENFSCON { return(GENFSCON);}
+r1 |
+R1 { return(R1); }
+r2 |
+R2 { return(R2); }
+r3 |
+R3 { return(R3); }
+u1 |
+U1 { return(U1); }
+u2 |
+U2 { return(U2); }
+u3 |
+U3 { return(U3); }
+t1 |
+T1 { return(T1); }
+t2 |
+T2 { return(T2); }
+t3 |
+T3 { return(T3); }
+l1 |
+L1 { return(L1); }
+l2 |
+L2 { return(L2); }
+h1 |
+H1 { return(H1); }
+h2 |
+H2 { return(H2); }
+policycap |
+POLICYCAP { return(POLICYCAP); }
+permissive |
+PERMISSIVE { return(PERMISSIVE); }
+default_user |
+DEFAULT_USER { return(DEFAULT_USER); }
+default_role |
+DEFAULT_ROLE { return(DEFAULT_ROLE); }
+default_type |
+DEFAULT_TYPE { return(DEFAULT_TYPE); }
+default_range |
+DEFAULT_RANGE { return(DEFAULT_RANGE); }
+low-high |
+LOW-HIGH { return(LOW_HIGH); }
+high |
+HIGH { return(HIGH); }
+low |
+LOW { return(LOW); }
+"/"({alnum}|[_\.\-/])* { return(PATH); }
+\""/"[ !#-~]*\" { return(QPATH); }
+\"({alnum}|[_\.\-\+\~\: ])+\" { return(FILENAME); }
+{letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
+{digit}+|0x{hexval}+ { return(NUMBER); }
+{alnum}*{letter}{alnum}* { return(FILESYSTEM); }
+{digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); }
+{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); }
+{digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); }
+#line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); }
+#line[ ]{digit}+ { source_lineno = atoi(yytext+6)-1; }
+#[^\n]* { /* delete comments */ }
+[ \t\f]+ { /* delete whitespace */ }
+"==" { return(EQUALS); }
+"!=" { return (NOTEQUAL); }
+"&&" { return (AND); }
+"||" { return (OR); }
+"!" { return (NOT); }
+"^" { return (XOR); }
+"," |
+":" |
+";" |
+"(" |
+")" |
+"{" |
+"}" |
+"[" |
+"-" |
+"." |
+"]" |
+"~" |
+"*" { return(yytext[0]); }
+. { yywarn("unrecognized character");}
+%%
+int yyerror(const char *msg)
+{
+ if (source_file[0])
+ fprintf(stderr, "%s:%ld:",
+ source_file, source_lineno);
+ else
+ fprintf(stderr, "(unknown source)::");
+ fprintf(stderr, "ERROR '%s' at token '%s' on line %ld:\n%s\n%s\n",
+ msg,
+ yytext,
+ policydb_lineno,
+ linebuf[0], linebuf[1]);
+ policydb_errors++;
+ return -1;
+}
+
+int yywarn(const char *msg)
+{
+ if (source_file[0])
+ fprintf(stderr, "%s:%ld:",
+ source_file, source_lineno);
+ else
+ fprintf(stderr, "(unknown source)::");
+ fprintf(stderr, "WARNING '%s' at token '%s' on line %ld:\n%s\n%s\n",
+ msg,
+ yytext,
+ policydb_lineno,
+ linebuf[0], linebuf[1]);
+ return 0;
+}
+
+void set_source_file(const char *name)
+{
+ source_lineno = 1;
+ strncpy(source_file, name, sizeof(source_file)-1);
+ source_file[sizeof(source_file)-1] = '\0';
+ if (strlen(source_file) && source_file[strlen(source_file)-1] == '"')
+ source_file[strlen(source_file)-1] = '\0';
+}
diff --git a/checkpolicy/queue.c b/checkpolicy/queue.c
new file mode 100644
index 0000000..272079c
--- /dev/null
+++ b/checkpolicy/queue.c
@@ -0,0 +1,180 @@
+
+/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */
+
+/* FLASK */
+
+/*
+ * Implementation of the double-ended queue type.
+ */
+
+#include <stdlib.h>
+#include "queue.h"
+
+queue_t queue_create(void)
+{
+ queue_t q;
+
+ q = (queue_t) malloc(sizeof(struct queue_info));
+ if (q == NULL)
+ return NULL;
+
+ q->head = q->tail = NULL;
+
+ return q;
+}
+
+int queue_insert(queue_t q, queue_element_t e)
+{
+ queue_node_ptr_t newnode;
+
+ if (!q)
+ return -1;
+
+ newnode = (queue_node_ptr_t) malloc(sizeof(struct queue_node));
+ if (newnode == NULL)
+ return -1;
+
+ newnode->element = e;
+ newnode->next = NULL;
+
+ if (q->head == NULL) {
+ q->head = q->tail = newnode;
+ } else {
+ q->tail->next = newnode;
+ q->tail = newnode;
+ }
+
+ return 0;
+}
+
+int queue_push(queue_t q, queue_element_t e)
+{
+ queue_node_ptr_t newnode;
+
+ if (!q)
+ return -1;
+
+ newnode = (queue_node_ptr_t) malloc(sizeof(struct queue_node));
+ if (newnode == NULL)
+ return -1;
+
+ newnode->element = e;
+ newnode->next = NULL;
+
+ if (q->head == NULL) {
+ q->head = q->tail = newnode;
+ } else {
+ newnode->next = q->head;
+ q->head = newnode;
+ }
+
+ return 0;
+}
+
+queue_element_t queue_remove(queue_t q)
+{
+ queue_node_ptr_t node;
+ queue_element_t e;
+
+ if (!q)
+ return NULL;
+
+ if (q->head == NULL)
+ return NULL;
+
+ node = q->head;
+ q->head = q->head->next;
+ if (q->head == NULL)
+ q->tail = NULL;
+
+ e = node->element;
+ free(node);
+
+ return e;
+}
+
+queue_element_t queue_head(queue_t q)
+{
+ if (!q)
+ return NULL;
+
+ if (q->head == NULL)
+ return NULL;
+
+ return q->head->element;
+}
+
+void queue_destroy(queue_t q)
+{
+ queue_node_ptr_t p, temp;
+
+ if (!q)
+ return;
+
+ p = q->head;
+ while (p != NULL) {
+ temp = p;
+ p = p->next;
+ free(temp);
+ }
+
+ free(q);
+}
+
+int queue_map(queue_t q, int (*f) (queue_element_t, void *), void *vp)
+{
+ queue_node_ptr_t p;
+ int ret;
+
+ if (!q)
+ return 0;
+
+ p = q->head;
+ while (p != NULL) {
+ ret = f(p->element, vp);
+ if (ret)
+ return ret;
+ p = p->next;
+ }
+ return 0;
+}
+
+void queue_map_remove_on_error(queue_t q,
+ int (*f) (queue_element_t, void *),
+ void (*g) (queue_element_t, void *), void *vp)
+{
+ queue_node_ptr_t p, last, temp;
+ int ret;
+
+ if (!q)
+ return;
+
+ last = NULL;
+ p = q->head;
+ while (p != NULL) {
+ ret = f(p->element, vp);
+ if (ret) {
+ if (last) {
+ last->next = p->next;
+ if (last->next == NULL)
+ q->tail = last;
+ } else {
+ q->head = p->next;
+ if (q->head == NULL)
+ q->tail = NULL;
+ }
+
+ temp = p;
+ p = p->next;
+ g(temp->element, vp);
+ free(temp);
+ } else {
+ last = p;
+ p = p->next;
+ }
+ }
+
+ return;
+}
+
+/* FLASK */
diff --git a/checkpolicy/queue.h b/checkpolicy/queue.h
new file mode 100644
index 0000000..655c94b
--- /dev/null
+++ b/checkpolicy/queue.h
@@ -0,0 +1,62 @@
+
+/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */
+
+/* FLASK */
+
+/*
+ * A double-ended queue is a singly linked list of
+ * elements of arbitrary type that may be accessed
+ * at either end.
+ */
+
+#ifndef _QUEUE_H_
+#define _QUEUE_H_
+
+typedef void *queue_element_t;
+
+typedef struct queue_node *queue_node_ptr_t;
+
+typedef struct queue_node {
+ queue_element_t element;
+ queue_node_ptr_t next;
+} queue_node_t;
+
+typedef struct queue_info {
+ queue_node_ptr_t head;
+ queue_node_ptr_t tail;
+} queue_info_t;
+
+typedef queue_info_t *queue_t;
+
+queue_t queue_create(void);
+int queue_insert(queue_t, queue_element_t);
+int queue_push(queue_t, queue_element_t);
+queue_element_t queue_remove(queue_t);
+queue_element_t queue_head(queue_t);
+void queue_destroy(queue_t);
+
+/*
+ Applies the specified function f to each element in the
+ specified queue.
+
+ In addition to passing the element to f, queue_map
+ passes the specified void* pointer to f on each invocation.
+
+ If f returns a non-zero status, then queue_map will cease
+ iterating through the hash table and will propagate the error
+ return to its caller.
+ */
+int queue_map(queue_t, int (*f) (queue_element_t, void *), void *);
+
+/*
+ Same as queue_map, except that if f returns a non-zero status,
+ then the element will be removed from the queue and the g
+ function will be applied to the element.
+ */
+void queue_map_remove_on_error(queue_t,
+ int (*f) (queue_element_t, void *),
+ void (*g) (queue_element_t, void *), void *);
+
+#endif
+
+/* FLASK */
diff --git a/checkpolicy/test/Makefile b/checkpolicy/test/Makefile
new file mode 100644
index 0000000..c2367e1
--- /dev/null
+++ b/checkpolicy/test/Makefile
@@ -0,0 +1,21 @@
+#
+# Makefile for building the dispol program
+#
+PREFIX ?= $(DESTDIR)/usr
+BINDIR=$(PREFIX)/bin
+LIBDIR ?= $(PREFIX)/lib
+INCLUDEDIR ?= $(PREFIX)/include
+
+CFLAGS ?= -g -Wall -W -Werror -O2 -pipe
+override CFLAGS += -I$(INCLUDEDIR)
+
+LDLIBS=-lfl $(LIBDIR)/libsepol.a -L$(LIBDIR)
+
+all: dispol dismod
+
+dispol: dispol.o
+
+dismod: dismod.o
+
+clean:
+ -rm -f dispol dismod *.o
diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c
new file mode 100644
index 0000000..08b039d
--- /dev/null
+++ b/checkpolicy/test/dismod.c
@@ -0,0 +1,1003 @@
+
+/* Authors: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
+ *
+ * Copyright (C) 2003,2004,2005 Tresys Technology, LLC
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 2.
+ */
+
+/*
+ * dismod.c
+ *
+ * Test program to the contents of a binary policy in text
+ * form.
+ *
+ * dismod binary_mod_file
+ */
+
+#include <getopt.h>
+#include <assert.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/mman.h>
+#include <errno.h>
+#include <stdio.h>
+#include <fcntl.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/services.h>
+#include <sepol/policydb/conditional.h>
+#include <sepol/policydb/flask.h>
+#include <sepol/policydb/link.h>
+#include <sepol/policydb/module.h>
+#include <sepol/policydb/util.h>
+#include <sepol/policydb/polcaps.h>
+
+#include <byteswap.h>
+#include <endian.h>
+
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+#define le32_to_cpu(x) (x)
+#else
+#define le32_to_cpu(x) bswap_32(x)
+#endif
+
+#define DISPLAY_AVBLOCK_COND_AVTAB 0
+#define DISPLAY_AVBLOCK_UNCOND_AVTAB 1
+#define DISPLAY_AVBLOCK_ROLE_TYPE_NODE 2 /* unused? */
+#define DISPLAY_AVBLOCK_ROLE_TRANS 3
+#define DISPLAY_AVBLOCK_ROLE_ALLOW 4
+#define DISPLAY_AVBLOCK_REQUIRES 5
+#define DISPLAY_AVBLOCK_DECLARES 6
+#define DISPLAY_AVBLOCK_FILENAME_TRANS 7
+
+static policydb_t policydb;
+extern unsigned int ss_initialized;
+
+int policyvers = MOD_POLICYDB_VERSION_BASE;
+
+static const char *symbol_labels[9] = {
+ "commons",
+ "classes", "roles ", "types ", "users ", "bools ",
+ "levels ", "cats ", "attribs"
+};
+
+void usage(const char *progname)
+{
+ printf("usage: %s binary_pol_file\n\n", progname);
+ exit(1);
+}
+
+static void render_access_mask(uint32_t mask, uint32_t class, policydb_t * p,
+ FILE * fp)
+{
+ char *perm;
+ fprintf(fp, "{");
+ perm = sepol_av_to_string(p, class, mask);
+ if (perm)
+ fprintf(fp, "%s ", perm);
+ fprintf(fp, "}");
+}
+
+static void render_access_bitmap(ebitmap_t * map, uint32_t class,
+ policydb_t * p, FILE * fp)
+{
+ unsigned int i;
+ char *perm;
+ fprintf(fp, "{");
+ for (i = ebitmap_startbit(map); i < ebitmap_length(map); i++) {
+ if (ebitmap_get_bit(map, i)) {
+ perm = sepol_av_to_string(p, class, 1 << i);
+ if (perm)
+ fprintf(fp, " %s", perm);
+ }
+ }
+ fprintf(fp, " }");
+}
+
+static void display_id(policydb_t * p, FILE * fp, uint32_t symbol_type,
+ uint32_t symbol_value, const char *prefix)
+{
+ char *id = p->sym_val_to_name[symbol_type][symbol_value];
+ scope_datum_t *scope =
+ (scope_datum_t *) hashtab_search(p->scope[symbol_type].table, id);
+ assert(scope != NULL);
+ if (scope->scope == SCOPE_REQ) {
+ fprintf(fp, " [%s%s]", prefix, id);
+ } else {
+ fprintf(fp, " %s%s", prefix, id);
+ }
+}
+
+int display_type_set(type_set_t * set, uint32_t flags, policydb_t * policy,
+ FILE * fp)
+{
+ unsigned int i, num_types;
+
+ if (set->flags & TYPE_STAR) {
+ fprintf(fp, " * ");
+ return 0;
+ } else if (set->flags & TYPE_COMP) {
+ fprintf(fp, " ~");
+ }
+
+ num_types = 0;
+ if (flags & RULE_SELF) {
+ num_types++;
+ }
+
+ for (i = ebitmap_startbit(&set->types); i < ebitmap_length(&set->types);
+ i++) {
+ if (!ebitmap_get_bit(&set->types, i))
+ continue;
+ num_types++;
+ if (num_types > 1)
+ break;
+ }
+
+ if (num_types <= 1) {
+ for (i = ebitmap_startbit(&set->negset);
+ i < ebitmap_length(&set->negset); i++) {
+ if (!ebitmap_get_bit(&set->negset, i))
+ continue;
+ num_types++;
+ if (num_types > 1)
+ break;
+ }
+ }
+
+ if (num_types > 1)
+ fprintf(fp, "{");
+
+ for (i = ebitmap_startbit(&set->types); i < ebitmap_length(&set->types);
+ i++) {
+ if (!ebitmap_get_bit(&set->types, i))
+ continue;
+ display_id(policy, fp, SYM_TYPES, i, "");
+ }
+
+ for (i = ebitmap_startbit(&set->negset);
+ i < ebitmap_length(&set->negset); i++) {
+ if (!ebitmap_get_bit(&set->negset, i))
+ continue;
+ display_id(policy, fp, SYM_TYPES, i, "-");
+ }
+
+ if (flags & RULE_SELF) {
+ fprintf(fp, " self");
+ }
+
+ if (num_types > 1)
+ fprintf(fp, " }");
+
+ return 0;
+}
+
+int display_mod_role_set(role_set_t * roles, policydb_t * p, FILE * fp)
+{
+ unsigned int i, num = 0;
+
+ if (roles->flags & ROLE_STAR) {
+ fprintf(fp, " * ");
+ return 0;
+ } else if (roles->flags & ROLE_COMP) {
+ fprintf(fp, " ~");
+ }
+
+ for (i = ebitmap_startbit(&roles->roles);
+ i < ebitmap_length(&roles->roles); i++) {
+ if (!ebitmap_get_bit(&roles->roles, i))
+ continue;
+ num++;
+ if (num > 1) {
+ fprintf(fp, "{");
+ break;
+ }
+ }
+
+ for (i = ebitmap_startbit(&roles->roles);
+ i < ebitmap_length(&roles->roles); i++) {
+ if (ebitmap_get_bit(&roles->roles, i))
+ display_id(p, fp, SYM_ROLES, i, "");
+ }
+
+ if (num > 1)
+ fprintf(fp, " }");
+
+ return 0;
+
+}
+
+int display_avrule(avrule_t * avrule, policydb_t * policy,
+ FILE * fp)
+{
+ class_perm_node_t *cur;
+ int num_classes;
+
+ if (avrule == NULL) {
+ fprintf(fp, " <empty>\n");
+ return 0;
+ }
+ if (avrule->specified & AVRULE_AV) {
+ if (avrule->specified & AVRULE_ALLOWED) {
+ fprintf(fp, " allow");
+ }
+ if (avrule->specified & AVRULE_AUDITALLOW) {
+ fprintf(fp, " auditallow ");
+ }
+ if (avrule->specified & AVRULE_DONTAUDIT) {
+ fprintf(fp, " dontaudit");
+ }
+ } else if (avrule->specified & AVRULE_TYPE) {
+ if (avrule->specified & AVRULE_TRANSITION) {
+ fprintf(fp, " type_transition");
+ }
+ if (avrule->specified & AVRULE_MEMBER) {
+ fprintf(fp, " type_member");
+ }
+ if (avrule->specified & AVRULE_CHANGE) {
+ fprintf(fp, " type_change");
+ }
+ } else if (avrule->specified & AVRULE_NEVERALLOW) {
+ fprintf(fp, " neverallow");
+ } else {
+ fprintf(fp, " ERROR: no valid rule type specified\n");
+ return -1;
+ }
+
+ if (display_type_set(&avrule->stypes, 0, policy, fp))
+ return -1;
+
+ if (display_type_set(&avrule->ttypes, avrule->flags, policy, fp))
+ return -1;
+
+ fprintf(fp, " :");
+ cur = avrule->perms;
+ num_classes = 0;
+ while (cur) {
+ num_classes++;
+ if (num_classes > 1)
+ break;
+ cur = cur->next;
+ }
+
+ if (num_classes > 1)
+ fprintf(fp, " {");
+
+ cur = avrule->perms;
+ while (cur) {
+ display_id(policy, fp, SYM_CLASSES, cur->tclass - 1, "");
+ cur = cur->next;
+ }
+
+ if (num_classes > 1)
+ fprintf(fp, " }");
+ fprintf(fp, " ");
+
+ if (avrule->specified & (AVRULE_AV | AVRULE_NEVERALLOW)) {
+ render_access_mask(avrule->perms->data, avrule->perms->tclass,
+ policy, fp);
+ } else if (avrule->specified & AVRULE_TYPE) {
+ display_id(policy, fp, SYM_TYPES, avrule->perms->data - 1, "");
+ }
+
+ fprintf(fp, ";\n");
+
+ return 0;
+}
+
+int display_type_callback(hashtab_key_t key, hashtab_datum_t datum, void *data)
+{
+ type_datum_t *type;
+ FILE *fp;
+ unsigned int i, first_attrib = 1;
+
+ type = (type_datum_t *) datum;
+ fp = (FILE *) data;
+
+ if (type->primary) {
+ display_id(&policydb, fp, SYM_TYPES, type->s.value - 1, "");
+ fprintf(fp, " [%d]: ", type->s.value);
+ } else {
+ /* as that aliases have no value of their own and that
+ * they can never be required by a module, use this
+ * alternative way of displaying a name */
+ fprintf(fp, " %s [%d]: ", (char *)key, type->s.value);
+ }
+ if (type->flavor == TYPE_ATTRIB) {
+ fprintf(fp, "attribute for types");
+ for (i = ebitmap_startbit(&type->types);
+ i < ebitmap_length(&type->types); i++) {
+ if (!ebitmap_get_bit(&type->types, i))
+ continue;
+ if (first_attrib) {
+ first_attrib = 0;
+ } else {
+ fprintf(fp, ",");
+ }
+ display_id(&policydb, fp, SYM_TYPES, i, "");
+ }
+ } else if (type->primary) {
+ fprintf(fp, "type");
+ } else {
+ fprintf(fp, "alias for type");
+ display_id(&policydb, fp, SYM_TYPES, type->s.value - 1, "");
+ }
+ fprintf(fp, " flags:%x\n", type->flags);
+
+ return 0;
+}
+
+int display_types(policydb_t * p, FILE * fp)
+{
+ if (hashtab_map(p->p_types.table, display_type_callback, fp))
+ return -1;
+ return 0;
+}
+
+int display_users(policydb_t * p, FILE * fp)
+{
+ unsigned int i, j;
+ ebitmap_t *bitmap;
+ for (i = 0; i < p->p_users.nprim; i++) {
+ display_id(p, fp, SYM_USERS, i, "");
+ fprintf(fp, ":");
+ bitmap = &(p->user_val_to_struct[i]->roles.roles);
+ for (j = ebitmap_startbit(bitmap); j < ebitmap_length(bitmap);
+ j++) {
+ if (ebitmap_get_bit(bitmap, j)) {
+ display_id(p, fp, SYM_ROLES, j, "");
+ }
+ }
+ fprintf(fp, "\n");
+ }
+ return 0;
+}
+
+int display_bools(policydb_t * p, FILE * fp)
+{
+ unsigned int i;
+
+ for (i = 0; i < p->p_bools.nprim; i++) {
+ display_id(p, fp, SYM_BOOLS, i, "");
+ fprintf(fp, " : %d\n", p->bool_val_to_struct[i]->state);
+ }
+ return 0;
+}
+
+void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp)
+{
+
+ cond_expr_t *cur;
+ for (cur = exp; cur != NULL; cur = cur->next) {
+ switch (cur->expr_type) {
+ case COND_BOOL:
+ fprintf(fp, "%s ",
+ p->p_bool_val_to_name[cur->bool - 1]);
+ break;
+ case COND_NOT:
+ fprintf(fp, "! ");
+ break;
+ case COND_OR:
+ fprintf(fp, "|| ");
+ break;
+ case COND_AND:
+ fprintf(fp, "&& ");
+ break;
+ case COND_XOR:
+ fprintf(fp, "^ ");
+ break;
+ case COND_EQ:
+ fprintf(fp, "== ");
+ break;
+ case COND_NEQ:
+ fprintf(fp, "!= ");
+ break;
+ default:
+ fprintf(fp, "error!");
+ break;
+ }
+ }
+}
+
+void display_policycon(FILE * fp)
+{
+ /* There was an attempt to implement this at one time. Look through
+ * git history to find it. */
+ fprintf(fp, "Sorry, not implemented\n");
+}
+
+void display_initial_sids(policydb_t * p, FILE * fp)
+{
+ ocontext_t *cur;
+ char *user, *role, *type;
+
+ fprintf(fp, "Initial SIDs:\n");
+ for (cur = p->ocontexts[OCON_ISID]; cur != NULL; cur = cur->next) {
+ user = p->p_user_val_to_name[cur->context[0].user - 1];
+ role = p->p_role_val_to_name[cur->context[0].role - 1];
+ type = p->p_type_val_to_name[cur->context[0].type - 1];
+ fprintf(fp, "\t%s: sid %d, context %s:%s:%s\n",
+ cur->u.name, cur->sid[0], user, role, type);
+ }
+#if 0
+ fprintf(fp, "Policy Initial SIDs:\n");
+ for (cur = p->ocontexts[OCON_POLICYISID]; cur != NULL; cur = cur->next) {
+ user = p->p_user_val_to_name[cur->context[0].user - 1];
+ role = p->p_role_val_to_name[cur->context[0].role - 1];
+ type = p->p_type_val_to_name[cur->context[0].type - 1];
+ fprintf(fp, "\t%s: sid %d, context %s:%s:%s\n",
+ cur->u.name, cur->sid[0], user, role, type);
+ }
+#endif
+}
+
+void display_class_set(ebitmap_t *classes, policydb_t *p, FILE *fp)
+{
+ unsigned int i, num = 0;
+
+ for (i = ebitmap_startbit(classes); i < ebitmap_length(classes); i++) {
+ if (!ebitmap_get_bit(classes, i))
+ continue;
+ num++;
+ if (num > 1) {
+ fprintf(fp, "{");
+ break;
+ }
+ }
+
+ for (i = ebitmap_startbit(classes); i < ebitmap_length(classes); i++) {
+ if (ebitmap_get_bit(classes, i))
+ display_id(p, fp, SYM_CLASSES, i, "");
+ }
+
+ if (num > 1)
+ fprintf(fp, " }");
+}
+
+void display_role_trans(role_trans_rule_t * tr, policydb_t * p, FILE * fp)
+{
+ for (; tr; tr = tr->next) {
+ fprintf(fp, "role transition ");
+ display_mod_role_set(&tr->roles, p, fp);
+ display_type_set(&tr->types, 0, p, fp);
+ fprintf(fp, " :");
+ display_class_set(&tr->classes, p, fp);
+ display_id(p, fp, SYM_ROLES, tr->new_role - 1, "");
+ fprintf(fp, "\n");
+ }
+}
+
+void display_role_allow(role_allow_rule_t * ra, policydb_t * p, FILE * fp)
+{
+ for (; ra; ra = ra->next) {
+ fprintf(fp, "role allow ");
+ display_mod_role_set(&ra->roles, p, fp);
+ display_mod_role_set(&ra->new_roles, p, fp);
+ fprintf(fp, "\n");
+ }
+}
+
+static void display_filename_trans(filename_trans_rule_t * tr, policydb_t * p, FILE * fp)
+{
+ fprintf(fp, "filename transition");
+ for (; tr; tr = tr->next) {
+ display_type_set(&tr->stypes, 0, p, fp);
+ display_type_set(&tr->ttypes, 0, p, fp);
+ display_id(p, fp, SYM_CLASSES, tr->tclass - 1, ":");
+ display_id(p, fp, SYM_TYPES, tr->otype - 1, "");
+ fprintf(fp, " %s\n", tr->name);
+ }
+}
+
+int role_display_callback(hashtab_key_t key __attribute__((unused)),
+ hashtab_datum_t datum, void *data)
+{
+ role_datum_t *role;
+ FILE *fp;
+
+ role = (role_datum_t *) datum;
+ fp = (FILE *) data;
+
+ fprintf(fp, "role:");
+ display_id(&policydb, fp, SYM_ROLES, role->s.value - 1, "");
+ fprintf(fp, " types: ");
+ display_type_set(&role->types, 0, &policydb, fp);
+ fprintf(fp, "\n");
+
+ return 0;
+}
+
+static int display_scope_index(scope_index_t * indices, policydb_t * p,
+ FILE * out_fp)
+{
+ unsigned int i;
+ for (i = 0; i < SYM_NUM; i++) {
+ unsigned int any_found = 0, j;
+ fprintf(out_fp, "%s:", symbol_labels[i]);
+ for (j = ebitmap_startbit(&indices->scope[i]);
+ j < ebitmap_length(&indices->scope[i]); j++) {
+ if (ebitmap_get_bit(&indices->scope[i], j)) {
+ any_found = 1;
+ fprintf(out_fp, " %s",
+ p->sym_val_to_name[i][j]);
+ if (i == SYM_CLASSES) {
+ if (j < indices->class_perms_len) {
+ render_access_bitmap(indices->
+ class_perms_map
+ + j, j + 1,
+ p, out_fp);
+ } else {
+ fprintf(out_fp,
+ "<no perms known>");
+ }
+ }
+ }
+ }
+ if (!any_found) {
+ fprintf(out_fp, " <empty>");
+ }
+ fprintf(out_fp, "\n");
+ }
+ return 0;
+}
+
+#if 0
+int display_cond_expressions(policydb_t * p, FILE * fp)
+{
+ cond_node_t *cur;
+ cond_av_list_t *av_cur;
+ for (cur = p->cond_list; cur != NULL; cur = cur->next) {
+ fprintf(fp, "expression: ");
+ display_expr(p, cur->expr, fp);
+ fprintf(fp, "current state: %d\n", cur->cur_state);
+ fprintf(fp, "True list:\n");
+ for (av_cur = cur->true_list; av_cur != NULL;
+ av_cur = av_cur->next) {
+ fprintf(fp, "\t");
+ render_av_rule(&av_cur->node->key, &av_cur->node->datum,
+ RENDER_CONDITIONAL, p, fp);
+ }
+ fprintf(fp, "False list:\n");
+ for (av_cur = cur->false_list; av_cur != NULL;
+ av_cur = av_cur->next) {
+ fprintf(fp, "\t");
+ render_av_rule(&av_cur->node->key, &av_cur->node->datum,
+ RENDER_CONDITIONAL, p, fp);
+ }
+ }
+ return 0;
+}
+
+int change_bool(char *name, int state, policydb_t * p, FILE * fp)
+{
+ cond_bool_datum_t *bool;
+
+ bool = hashtab_search(p->p_bools.table, name);
+ if (bool == NULL) {
+ fprintf(fp, "Could not find bool %s\n", name);
+ return -1;
+ }
+ bool->state = state;
+ evaluate_conds(p);
+ return 0;
+}
+#endif
+
+int display_avdecl(avrule_decl_t * decl, int field,
+ policydb_t * policy, FILE * out_fp)
+{
+ fprintf(out_fp, "decl %u:%s\n", decl->decl_id,
+ (decl->enabled ? " [enabled]" : ""));
+ switch (field) {
+ case DISPLAY_AVBLOCK_COND_AVTAB:{
+ cond_list_t *cond = decl->cond_list;
+ avrule_t *avrule;
+ while (cond) {
+ fprintf(out_fp, "expression: ");
+ display_expr(&policydb, cond->expr, out_fp);
+ fprintf(out_fp, "current state: %d\n",
+ cond->cur_state);
+ fprintf(out_fp, "True list:\n");
+ avrule = cond->avtrue_list;
+ while (avrule) {
+ display_avrule(avrule,
+ &policydb, out_fp);
+ avrule = avrule->next;
+ }
+ fprintf(out_fp, "False list:\n");
+ avrule = cond->avfalse_list;
+ while (avrule) {
+ display_avrule(avrule,
+ &policydb, out_fp);
+ avrule = avrule->next;
+ }
+ cond = cond->next;
+ }
+ break;
+ }
+ case DISPLAY_AVBLOCK_UNCOND_AVTAB:{
+ avrule_t *avrule = decl->avrules;
+ if (avrule == NULL) {
+ fprintf(out_fp, " <empty>\n");
+ }
+ while (avrule != NULL) {
+ if (display_avrule(avrule, policy, out_fp))
+ return -1;
+ avrule = avrule->next;
+ }
+ break;
+ }
+ case DISPLAY_AVBLOCK_ROLE_TYPE_NODE:{ /* role_type_node */
+ break;
+ }
+ case DISPLAY_AVBLOCK_ROLE_TRANS:{
+ display_role_trans(decl->role_tr_rules, policy, out_fp);
+ break;
+ }
+ case DISPLAY_AVBLOCK_ROLE_ALLOW:{
+ display_role_allow(decl->role_allow_rules, policy,
+ out_fp);
+ break;
+ }
+ case DISPLAY_AVBLOCK_REQUIRES:{
+ if (display_scope_index
+ (&decl->required, policy, out_fp)) {
+ return -1;
+ }
+ break;
+ }
+ case DISPLAY_AVBLOCK_DECLARES:{
+ if (display_scope_index
+ (&decl->declared, policy, out_fp)) {
+ return -1;
+ }
+ break;
+ }
+ case DISPLAY_AVBLOCK_FILENAME_TRANS:
+ display_filename_trans(decl->filename_trans_rules, policy,
+ out_fp);
+ break;
+ default:{
+ assert(0);
+ }
+ }
+ return 0; /* should never get here */
+}
+
+int display_avblock(int field, policydb_t * policy,
+ FILE * out_fp)
+{
+ avrule_block_t *block = policydb.global;
+ while (block != NULL) {
+ fprintf(out_fp, "--- begin avrule block ---\n");
+ avrule_decl_t *decl = block->branch_list;
+ while (decl != NULL) {
+ if (display_avdecl(decl, field, policy, out_fp)) {
+ return -1;
+ }
+ decl = decl->next;
+ }
+ block = block->next;
+ }
+ return 0;
+}
+
+int display_handle_unknown(policydb_t * p, FILE * out_fp)
+{
+ if (p->handle_unknown == ALLOW_UNKNOWN)
+ fprintf(out_fp, "Allow unknown classes and perms\n");
+ else if (p->handle_unknown == DENY_UNKNOWN)
+ fprintf(out_fp, "Deny unknown classes and perms\n");
+ else if (p->handle_unknown == REJECT_UNKNOWN)
+ fprintf(out_fp, "Reject unknown classes and perms\n");
+ return 0;
+}
+
+static int read_policy(char *filename, policydb_t * policy)
+{
+ FILE *in_fp;
+ struct policy_file f;
+ int retval;
+ uint32_t buf[1];
+
+ if ((in_fp = fopen(filename, "rb")) == NULL) {
+ fprintf(stderr, "Can't open '%s': %s\n",
+ filename, strerror(errno));
+ exit(1);
+ }
+ policy_file_init(&f);
+ f.type = PF_USE_STDIO;
+ f.fp = in_fp;
+
+ /* peek at the first byte. if they are indicative of a
+ package use the package reader, otherwise use the normal
+ policy reader */
+ if (fread(buf, sizeof(uint32_t), 1, in_fp) != 1) {
+ fprintf(stderr, "Could not read from policy.\n");
+ exit(1);
+ }
+ rewind(in_fp);
+ if (le32_to_cpu(buf[0]) == SEPOL_MODULE_PACKAGE_MAGIC) {
+ sepol_module_package_t *package;
+ if (sepol_module_package_create(&package)) {
+ fprintf(stderr, "%s: Out of memory!\n", __FUNCTION__);
+ exit(1);
+ }
+ package->policy = (sepol_policydb_t *) policy;
+ package->file_contexts = NULL;
+ retval =
+ sepol_module_package_read(package,
+ (sepol_policy_file_t *) & f, 1);
+ free(package->file_contexts);
+ } else {
+ if (policydb_init(policy)) {
+ fprintf(stderr, "%s: Out of memory!\n", __FUNCTION__);
+ exit(1);
+ }
+ retval = policydb_read(policy, &f, 1);
+ }
+ fclose(in_fp);
+ return retval;
+}
+
+static void link_module(policydb_t * base, FILE * out_fp)
+{
+ char module_name[80] = { 0 };
+ int ret;
+ policydb_t module, *mods = &module;
+
+ if (base->policy_type != POLICY_BASE) {
+ printf("Can only link if initial file was a base policy.\n");
+ return;
+ }
+ printf("\nModule filename: ");
+ if (fgets(module_name, sizeof(module_name), stdin) == NULL) {
+ fprintf(stderr, "fgets failed at line %d: %s\n", __LINE__,
+ strerror(errno));
+ exit(1);
+ }
+
+ module_name[strlen(module_name) - 1] = '\0'; /* remove LF */
+ if (module_name[0] == '\0') {
+ return;
+ }
+
+ /* read the binary policy */
+ fprintf(out_fp, "Reading module...\n");
+ if (read_policy(module_name, mods)) {
+ fprintf(stderr,
+ "%s: error(s) encountered while loading policy\n",
+ module_name);
+ exit(1);
+ }
+ if (module.policy_type != POLICY_MOD) {
+ fprintf(stderr, "This file is not a loadable policy module.\n");
+ exit(1);
+ }
+ if (policydb_index_classes(&module) ||
+ policydb_index_others(NULL, &module, 0)) {
+ fprintf(stderr, "Could not index module.\n");
+ exit(1);
+ }
+ ret = link_modules(NULL, base, &mods, 1, 0);
+ if (ret != 0) {
+ printf("Link failed (error %d)\n", ret);
+ printf("(You will probably need to restart dismod.)\n");
+ }
+ policydb_destroy(&module);
+ return;
+}
+
+static void display_policycaps(policydb_t * p, FILE * fp)
+{
+ ebitmap_node_t *node;
+ const char *capname;
+ char buf[64];
+ unsigned int i;
+
+ fprintf(fp, "policy capabilities:\n");
+ ebitmap_for_each_bit(&p->policycaps, node, i) {
+ if (ebitmap_node_get_bit(node, i)) {
+ capname = sepol_polcap_getname(i);
+ if (capname == NULL) {
+ snprintf(buf, sizeof(buf), "unknown (%d)", i);
+ capname = buf;
+ }
+ fprintf(fp, "\t%s\n", capname);
+ }
+ }
+}
+
+int menu(void)
+{
+ printf("\nSelect a command:\n");
+ printf("1) display unconditional AVTAB\n");
+ printf("2) display conditional AVTAB\n");
+ printf("3) display users\n");
+ printf("4) display bools\n");
+ printf("5) display roles\n");
+ printf("6) display types, attributes, and aliases\n");
+ printf("7) display role transitions\n");
+ printf("8) display role allows\n");
+ printf("9) Display policycon\n");
+ printf("0) Display initial SIDs\n");
+ printf("\n");
+ printf("a) Display avrule requirements\n");
+ printf("b) Display avrule declarations\n");
+ printf("c) Display policy capabilities\n");
+ printf("l) Link in a module\n");
+ printf("u) Display the unknown handling setting\n");
+ printf("F) Display filename_trans rules\n");
+ printf("\n");
+ printf("f) set output file\n");
+ printf("m) display menu\n");
+ printf("q) quit\n");
+ return 0;
+}
+
+int main(int argc, char **argv)
+{
+ FILE *out_fp = stdout;
+ char ans[81], OutfileName[121];
+
+ if (argc != 2)
+ usage(argv[0]);
+
+ /* read the binary policy */
+ fprintf(out_fp, "Reading policy...\n");
+ if (policydb_init(&policydb)) {
+ fprintf(stderr, "%s: Out of memory!\n", __FUNCTION__);
+ exit(1);
+ }
+ if (read_policy(argv[1], &policydb)) {
+ fprintf(stderr,
+ "%s: error(s) encountered while loading policy\n",
+ argv[0]);
+ exit(1);
+ }
+
+ if (policydb.policy_type != POLICY_BASE &&
+ policydb.policy_type != POLICY_MOD) {
+ fprintf(stderr,
+ "This file is neither a base nor loadable policy module.\n");
+ exit(1);
+ }
+
+ if (policydb_index_classes(&policydb)) {
+ fprintf(stderr, "Error indexing classes\n");
+ exit(1);
+ }
+
+ if (policydb_index_others(NULL, &policydb, 1)) {
+ fprintf(stderr, "Error indexing others\n");
+ exit(1);
+ }
+
+ if (policydb.policy_type == POLICY_BASE) {
+ printf("Binary base policy file loaded.\n\n");
+ } else {
+ printf("Binary policy module file loaded.\n");
+ printf("Module name: %s\n", policydb.name);
+ printf("Module version: %s\n", policydb.version);
+ printf("\n");
+ }
+
+ menu();
+ for (;;) {
+ printf("\nCommand (\'m\' for menu): ");
+ if (fgets(ans, sizeof(ans), stdin) == NULL) {
+ fprintf(stderr, "fgets failed at line %d: %s\n", __LINE__,
+ strerror(errno));
+ continue;
+ }
+
+ switch (ans[0]) {
+
+ case '1':
+ fprintf(out_fp, "unconditional avtab:\n");
+ display_avblock(DISPLAY_AVBLOCK_UNCOND_AVTAB,
+ &policydb, out_fp);
+ break;
+ case '2':
+ fprintf(out_fp, "conditional avtab:\n");
+ display_avblock(DISPLAY_AVBLOCK_COND_AVTAB,
+ &policydb, out_fp);
+ break;
+ case '3':
+ display_users(&policydb, out_fp);
+ break;
+ case '4':
+ display_bools(&policydb, out_fp);
+ break;
+ case '5':
+ if (hashtab_map
+ (policydb.p_roles.table, role_display_callback,
+ out_fp))
+ exit(1);
+ break;
+ case '6':
+ if (display_types(&policydb, out_fp)) {
+ fprintf(stderr, "Error displaying types\n");
+ exit(1);
+ }
+ break;
+ case '7':
+ fprintf(out_fp, "role transitions:\n");
+ display_avblock(DISPLAY_AVBLOCK_ROLE_TRANS,
+ &policydb, out_fp);
+ break;
+ case '8':
+ fprintf(out_fp, "role allows:\n");
+ display_avblock(DISPLAY_AVBLOCK_ROLE_ALLOW,
+ &policydb, out_fp);
+ break;
+ case '9':
+ display_policycon(out_fp);
+ break;
+ case '0':
+ display_initial_sids(&policydb, out_fp);
+ break;
+ case 'a':
+ fprintf(out_fp, "avrule block requirements:\n");
+ display_avblock(DISPLAY_AVBLOCK_REQUIRES,
+ &policydb, out_fp);
+ break;
+ case 'b':
+ fprintf(out_fp, "avrule block declarations:\n");
+ display_avblock(DISPLAY_AVBLOCK_DECLARES,
+ &policydb, out_fp);
+ break;
+ case 'c':
+ display_policycaps(&policydb, out_fp);
+ break;
+ case 'u':
+ case 'U':
+ display_handle_unknown(&policydb, out_fp);
+ break;
+ case 'f':
+ printf
+ ("\nFilename for output (<CR> for screen output): ");
+ if (fgets(OutfileName, sizeof(OutfileName), stdin) == NULL) {
+ fprintf(stderr, "fgets failed at line %d: %s\n", __LINE__,
+ strerror(errno));
+ break;
+ }
+ OutfileName[strlen(OutfileName) - 1] = '\0'; /* fix_string (remove LF) */
+ if (strlen(OutfileName) == 0)
+ out_fp = stdout;
+ else if ((out_fp = fopen(OutfileName, "w")) == NULL) {
+ fprintf(stderr, "Cannot open output file %s\n",
+ OutfileName);
+ out_fp = stdout;
+ }
+ if (out_fp != stdout)
+ printf("\nOutput to file: %s\n", OutfileName);
+ break;
+ case 'F':
+ fprintf(out_fp, "filename_trans rules:\n");
+ display_avblock(DISPLAY_AVBLOCK_FILENAME_TRANS,
+ &policydb, out_fp);
+ break;
+ case 'l':
+ link_module(&policydb, out_fp);
+ break;
+ case 'q':
+ policydb_destroy(&policydb);
+ exit(0);
+ break;
+ case 'm':
+ menu();
+ break;
+ default:
+ printf("\nInvalid choice\n");
+ menu();
+ break;
+
+ }
+ }
+ exit(EXIT_SUCCESS);
+}
diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
new file mode 100644
index 0000000..86f5688
--- /dev/null
+++ b/checkpolicy/test/dispol.c
@@ -0,0 +1,539 @@
+
+/* Authors: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
+ *
+ * Copyright (C) 2003 Tresys Technology, LLC
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 2.
+ */
+
+/*
+ * displaypol.c
+ *
+ * Test program to the contents of a binary policy in text
+ * form. This program currently only displays the
+ * avtab (including conditional avtab) rules.
+ *
+ * displaypol binary_pol_file
+ */
+
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/avtab.h>
+#include <sepol/policydb/services.h>
+#include <sepol/policydb/conditional.h>
+#include <sepol/policydb/util.h>
+#include <sepol/policydb/polcaps.h>
+#include <getopt.h>
+#include <assert.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/mman.h>
+#include <errno.h>
+#include <stdio.h>
+#include <fcntl.h>
+
+static policydb_t policydb;
+
+void usage(const char *progname)
+{
+ printf("usage: %s binary_pol_file\n\n", progname);
+ exit(1);
+}
+
+int render_access_mask(uint32_t mask, avtab_key_t * key, policydb_t * p,
+ FILE * fp)
+{
+ char *perm;
+ fprintf(fp, "{");
+ perm = sepol_av_to_string(p, key->target_class, mask);
+ if (perm)
+ fprintf(fp, "%s ", perm);
+ fprintf(fp, "}");
+ return 0;
+}
+
+int render_type(uint32_t type, policydb_t * p, FILE * fp)
+{
+ fprintf(fp, "%s", p->p_type_val_to_name[type - 1]);
+ return 0;
+}
+
+int render_key(avtab_key_t * key, policydb_t * p, FILE * fp)
+{
+ char *stype, *ttype, *tclass;
+ stype = p->p_type_val_to_name[key->source_type - 1];
+ ttype = p->p_type_val_to_name[key->target_type - 1];
+ tclass = p->p_class_val_to_name[key->target_class - 1];
+ if (stype && ttype)
+ fprintf(fp, "%s %s : %s ", stype, ttype, tclass);
+ else if (stype)
+ fprintf(fp, "%s %u : %s ", stype, key->target_type, tclass);
+ else if (ttype)
+ fprintf(fp, "%u %s : %s ", key->source_type, ttype, tclass);
+ else
+ fprintf(fp, "%u %u : %s ", key->source_type, key->target_type,
+ tclass);
+ return 0;
+}
+
+/* 'what' values for this function */
+#define RENDER_UNCONDITIONAL 0x0001 /* render all regardless of enabled state */
+#define RENDER_ENABLED 0x0002
+#define RENDER_DISABLED 0x0004
+#define RENDER_CONDITIONAL (RENDER_ENABLED|RENDER_DISABLED)
+
+int render_av_rule(avtab_key_t * key, avtab_datum_t * datum, uint32_t what,
+ policydb_t * p, FILE * fp)
+{
+ if (!(what & RENDER_UNCONDITIONAL)) {
+ if (what != RENDER_CONDITIONAL && (((what & RENDER_ENABLED)
+ && !(key->
+ specified &
+ AVTAB_ENABLED))
+ || ((what & RENDER_DISABLED)
+ && (key->
+ specified &
+ AVTAB_ENABLED)))) {
+ return 0; /* doesn't match selection criteria */
+ }
+ }
+
+ if (!(what & RENDER_UNCONDITIONAL)) {
+ if (key->specified & AVTAB_ENABLED)
+ fprintf(fp, "[enabled] ");
+ else if (!(key->specified & AVTAB_ENABLED))
+ fprintf(fp, "[disabled] ");
+ }
+
+ if (key->specified & AVTAB_AV) {
+ if (key->specified & AVTAB_ALLOWED) {
+ fprintf(fp, "allow ");
+ render_key(key, p, fp);
+ render_access_mask(datum->data, key, p, fp);
+ fprintf(fp, ";\n");
+ }
+ if (key->specified & AVTAB_AUDITALLOW) {
+ fprintf(fp, "auditallow ");
+ render_key(key, p, fp);
+ render_access_mask(datum->data, key, p, fp);
+ fprintf(fp, ";\n");
+ }
+ if (key->specified & AVTAB_AUDITDENY) {
+ fprintf(fp, "dontaudit ");
+ render_key(key, p, fp);
+ /* We inverse the mask for dontaudit since the mask is internally stored
+ * as a auditdeny mask */
+ render_access_mask(~datum->data, key, p, fp);
+ fprintf(fp, ";\n");
+ }
+ } else if (key->specified & AVTAB_TYPE) {
+ if (key->specified & AVTAB_TRANSITION) {
+ fprintf(fp, "type_transition ");
+ render_key(key, p, fp);
+ render_type(datum->data, p, fp);
+ fprintf(fp, ";\n");
+ }
+ if (key->specified & AVTAB_MEMBER) {
+ fprintf(fp, "type_member ");
+ render_key(key, p, fp);
+ render_type(datum->data, p, fp);
+ fprintf(fp, ";\n");
+ }
+ if (key->specified & AVTAB_CHANGE) {
+ fprintf(fp, "type_change ");
+ render_key(key, p, fp);
+ render_type(datum->data, p, fp);
+ fprintf(fp, ";\n");
+ }
+ } else if (key->specified & AVTAB_XPERMS) {
+ if (key->specified & AVTAB_XPERMS_ALLOWED)
+ fprintf(fp, "allowxperm ");
+ else if (key->specified & AVTAB_XPERMS_AUDITALLOW)
+ fprintf(fp, "auditallowxperm ");
+ else if (key->specified & AVTAB_XPERMS_DONTAUDIT)
+ fprintf(fp, "dontauditxperm ");
+ render_key(key, p, fp);
+ fprintf(fp, "%s;\n", sepol_extended_perms_to_string(datum->xperms));
+ } else {
+ fprintf(fp, " ERROR: no valid rule type specified\n");
+ return -1;
+ }
+ return 0;
+}
+
+int display_avtab(avtab_t * a, uint32_t what, policydb_t * p, FILE * fp)
+{
+ unsigned int i;
+ avtab_ptr_t cur;
+
+ /* hmm...should have used avtab_map. */
+ for (i = 0; i < a->nslot; i++) {
+ for (cur = a->htable[i]; cur; cur = cur->next) {
+ render_av_rule(&cur->key, &cur->datum, what, p, fp);
+ }
+ }
+ fprintf(fp, "\n");
+ return 0;
+}
+
+int display_bools(policydb_t * p, FILE * fp)
+{
+ unsigned int i;
+
+ for (i = 0; i < p->p_bools.nprim; i++) {
+ fprintf(fp, "%s : %d\n", p->p_bool_val_to_name[i],
+ p->bool_val_to_struct[i]->state);
+ }
+ return 0;
+}
+
+void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp)
+{
+
+ cond_expr_t *cur;
+ for (cur = exp; cur != NULL; cur = cur->next) {
+ switch (cur->expr_type) {
+ case COND_BOOL:
+ fprintf(fp, "%s ",
+ p->p_bool_val_to_name[cur->bool - 1]);
+ break;
+ case COND_NOT:
+ fprintf(fp, "! ");
+ break;
+ case COND_OR:
+ fprintf(fp, "|| ");
+ break;
+ case COND_AND:
+ fprintf(fp, "&& ");
+ break;
+ case COND_XOR:
+ fprintf(fp, "^ ");
+ break;
+ case COND_EQ:
+ fprintf(fp, "== ");
+ break;
+ case COND_NEQ:
+ fprintf(fp, "!= ");
+ break;
+ default:
+ fprintf(fp, "error!");
+ break;
+ }
+ }
+}
+
+int display_cond_expressions(policydb_t * p, FILE * fp)
+{
+ cond_node_t *cur;
+ cond_av_list_t *av_cur;
+
+ for (cur = p->cond_list; cur != NULL; cur = cur->next) {
+ fprintf(fp, "expression: ");
+ display_expr(p, cur->expr, fp);
+ fprintf(fp, "current state: %d\n", cur->cur_state);
+ fprintf(fp, "True list:\n");
+ for (av_cur = cur->true_list; av_cur != NULL; av_cur = av_cur->next) {
+ fprintf(fp, "\t");
+ render_av_rule(&av_cur->node->key, &av_cur->node->datum,
+ RENDER_CONDITIONAL, p, fp);
+ }
+ fprintf(fp, "False list:\n");
+ for (av_cur = cur->false_list; av_cur != NULL; av_cur = av_cur->next) {
+ fprintf(fp, "\t");
+ render_av_rule(&av_cur->node->key, &av_cur->node->datum,
+ RENDER_CONDITIONAL, p, fp);
+ }
+ }
+ return 0;
+}
+
+int display_handle_unknown(policydb_t * p, FILE * out_fp)
+{
+ if (p->handle_unknown == ALLOW_UNKNOWN)
+ fprintf(out_fp, "Allow unknown classes and permisions\n");
+ else if (p->handle_unknown == DENY_UNKNOWN)
+ fprintf(out_fp, "Deny unknown classes and permisions\n");
+ else if (p->handle_unknown == REJECT_UNKNOWN)
+ fprintf(out_fp, "Reject unknown classes and permisions\n");
+ return 0;
+}
+
+int change_bool(char *name, int state, policydb_t * p, FILE * fp)
+{
+ cond_bool_datum_t *bool;
+
+ bool = hashtab_search(p->p_bools.table, name);
+ if (bool == NULL) {
+ fprintf(fp, "Could not find bool %s\n", name);
+ return -1;
+ }
+ bool->state = state;
+ evaluate_conds(p);
+ return 0;
+}
+
+static void display_policycaps(policydb_t * p, FILE * fp)
+{
+ ebitmap_node_t *node;
+ const char *capname;
+ char buf[64];
+ unsigned int i;
+
+ fprintf(fp, "policy capabilities:\n");
+ ebitmap_for_each_bit(&p->policycaps, node, i) {
+ if (ebitmap_node_get_bit(node, i)) {
+ capname = sepol_polcap_getname(i);
+ if (capname == NULL) {
+ snprintf(buf, sizeof(buf), "unknown (%d)", i);
+ capname = buf;
+ }
+ fprintf(fp, "\t%s\n", capname);
+ }
+ }
+}
+
+static void display_id(policydb_t *p, FILE *fp, uint32_t symbol_type,
+ uint32_t symbol_value, const char *prefix)
+{
+ const char *id = p->sym_val_to_name[symbol_type][symbol_value];
+ fprintf(fp, " %s%s", prefix, id);
+}
+
+static void display_permissive(policydb_t *p, FILE *fp)
+{
+ ebitmap_node_t *node;
+ unsigned int i;
+
+ fprintf(fp, "permissive sids:\n");
+ ebitmap_for_each_bit(&p->permissive_map, node, i) {
+ if (ebitmap_node_get_bit(node, i)) {
+ fprintf(fp, "\t");
+ display_id(p, fp, SYM_TYPES, i - 1, "");
+ fprintf(fp, "\n");
+ }
+ }
+}
+
+static void display_role_trans(policydb_t *p, FILE *fp)
+{
+ role_trans_t *rt;
+
+ fprintf(fp, "role_trans rules:\n");
+ for (rt = p->role_tr; rt; rt = rt->next) {
+ display_id(p, fp, SYM_ROLES, rt->role - 1, "");
+ display_id(p, fp, SYM_TYPES, rt->type - 1, "");
+ display_id(p, fp, SYM_CLASSES, rt->tclass - 1, ":");
+ display_id(p, fp, SYM_ROLES, rt->new_role - 1, "");
+ fprintf(fp, "\n");
+ }
+}
+
+static void display_filename_trans(policydb_t *p, FILE *fp)
+{
+ filename_trans_t *ft;
+
+ fprintf(fp, "filename_trans rules:\n");
+ for (ft = p->filename_trans; ft; ft = ft->next) {
+ display_id(p, fp, SYM_TYPES, ft->stype - 1, "");
+ display_id(p, fp, SYM_TYPES, ft->ttype - 1, "");
+ display_id(p, fp, SYM_CLASSES, ft->tclass - 1, ":");
+ display_id(p, fp, SYM_TYPES, ft->otype - 1, "");
+ fprintf(fp, " %s\n", ft->name);
+ }
+}
+
+int menu(void)
+{
+ printf("\nSelect a command:\n");
+ printf("1) display unconditional AVTAB\n");
+ printf("2) display conditional AVTAB (entirely)\n");
+ printf("3) display conditional AVTAG (only ENABLED rules)\n");
+ printf("4) display conditional AVTAB (only DISABLED rules)\n");
+ printf("5) display conditional bools\n");
+ printf("6) display conditional expressions\n");
+ printf("7) change a boolean value\n");
+ printf("8) display role transitions\n");
+ printf("\n");
+ printf("c) display policy capabilities\n");
+ printf("p) display the list of permissive types\n");
+ printf("u) display unknown handling setting\n");
+ printf("F) display filename_trans rules\n");
+ printf("\n");
+ printf("f) set output file\n");
+ printf("m) display menu\n");
+ printf("q) quit\n");
+ return 0;
+}
+
+int main(int argc, char **argv)
+{
+ FILE *out_fp = stdout;
+ char ans[81], OutfileName[121];
+ int fd, ret;
+ struct stat sb;
+ void *map;
+ char *name;
+ int state;
+ struct policy_file pf;
+
+ if (argc != 2)
+ usage(argv[0]);
+
+ fd = open(argv[1], O_RDONLY);
+ if (fd < 0) {
+ fprintf(stderr, "Can't open '%s': %s\n",
+ argv[1], strerror(errno));
+ exit(1);
+ }
+ if (fstat(fd, &sb) < 0) {
+ fprintf(stderr, "Can't stat '%s': %s\n",
+ argv[1], strerror(errno));
+ exit(1);
+ }
+ map =
+ mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
+ if (map == MAP_FAILED) {
+ fprintf(stderr, "Can't map '%s': %s\n",
+ argv[1], strerror(errno));
+ exit(1);
+ }
+
+ /* read the binary policy */
+ fprintf(out_fp, "Reading policy...\n");
+ policy_file_init(&pf);
+ pf.type = PF_USE_MEMORY;
+ pf.data = map;
+ pf.len = sb.st_size;
+ if (policydb_init(&policydb)) {
+ fprintf(stderr, "%s: Out of memory!\n", argv[0]);
+ exit(1);
+ }
+ ret = policydb_read(&policydb, &pf, 1);
+ if (ret) {
+ fprintf(stderr,
+ "%s: error(s) encountered while parsing configuration\n",
+ argv[0]);
+ exit(1);
+ }
+
+ fprintf(stdout, "binary policy file loaded\n\n");
+ close(fd);
+
+ menu();
+ for (;;) {
+ printf("\nCommand (\'m\' for menu): ");
+ if (fgets(ans, sizeof(ans), stdin) == NULL) {
+ fprintf(stderr, "fgets failed at line %d: %s\n", __LINE__,
+ strerror(errno));
+ continue;
+ }
+ switch (ans[0]) {
+
+ case '1':
+ display_avtab(&policydb.te_avtab, RENDER_UNCONDITIONAL,
+ &policydb, out_fp);
+ break;
+ case '2':
+ display_avtab(&policydb.te_cond_avtab,
+ RENDER_CONDITIONAL, &policydb, out_fp);
+ break;
+ case '3':
+ display_avtab(&policydb.te_cond_avtab, RENDER_ENABLED,
+ &policydb, out_fp);
+ break;
+ case '4':
+ display_avtab(&policydb.te_cond_avtab, RENDER_DISABLED,
+ &policydb, out_fp);
+ break;
+ case '5':
+ display_bools(&policydb, out_fp);
+ break;
+ case '6':
+ display_cond_expressions(&policydb, out_fp);
+ break;
+ case '7':
+ printf("name? ");
+ if (fgets(ans, sizeof(ans), stdin) == NULL) {
+ fprintf(stderr, "fgets failed at line %d: %s\n", __LINE__,
+ strerror(errno));
+ break;
+ }
+ ans[strlen(ans) - 1] = 0;
+
+ name = malloc((strlen(ans) + 1) * sizeof(char));
+ if (name == NULL) {
+ fprintf(stderr, "couldn't malloc string.\n");
+ break;
+ }
+ strcpy(name, ans);
+
+ printf("state? ");
+ if (fgets(ans, sizeof(ans), stdin) == NULL) {
+ fprintf(stderr, "fgets failed at line %d: %s\n", __LINE__,
+ strerror(errno));
+ break;
+ }
+ ans[strlen(ans) - 1] = 0;
+
+ if (atoi(ans))
+ state = 1;
+ else
+ state = 0;
+
+ change_bool(name, state, &policydb, out_fp);
+ free(name);
+ break;
+ case '8':
+ display_role_trans(&policydb, out_fp);
+ break;
+ case 'c':
+ display_policycaps(&policydb, out_fp);
+ break;
+ case 'p':
+ display_permissive(&policydb, out_fp);
+ break;
+ case 'u':
+ case 'U':
+ display_handle_unknown(&policydb, out_fp);
+ break;
+ case 'f':
+ printf
+ ("\nFilename for output (<CR> for screen output): ");
+ if (fgets(OutfileName, sizeof(OutfileName), stdin) == NULL) {
+ fprintf(stderr, "fgets failed at line %d: %s\n", __LINE__,
+ strerror(errno));
+ break;
+ }
+ OutfileName[strlen(OutfileName) - 1] = '\0'; /* fix_string (remove LF) */
+ if (strlen(OutfileName) == 0)
+ out_fp = stdout;
+ else if ((out_fp = fopen(OutfileName, "w")) == NULL) {
+ fprintf(stderr, "Cannot open output file %s\n",
+ OutfileName);
+ out_fp = stdout;
+ }
+ if (out_fp != stdout)
+ printf("\nOutput to file: %s\n", OutfileName);
+ break;
+ case 'F':
+ display_filename_trans(&policydb, out_fp);
+ break;
+ case 'q':
+ policydb_destroy(&policydb);
+ exit(0);
+ break;
+ case 'm':
+ menu();
+ break;
+ default:
+ printf("\nInvalid choice\n");
+ menu();
+ break;
+
+ }
+ }
+}
+
+/* FLASK */
