From: tmiller@tresys.com
To: selinux@tycho.nsa.gov
Cc: sds@tycho.nsa.gov, paul.moore@hp.com, jbrindle@tresys.com
Subject: [patch 2/2] checkpolicy capability support
Date: Wed, 05 Dec 2007 13:48:50 -0500	[thread overview]
Message-ID: <20071205184958.921429227@tresys.com> (raw)
In-Reply-To: 20071205184848.180973622@tresys.com

This patch includes checkpolicy support for policy capabilities.
Policy capabilities are declared like so:

policycap network_peer_controls;

Also included is dismod/dispol support for printing the capabilities.
I chose to use the 'c' command for this in both dismod and dispol to
keep things consistent (dismod has run out of numbered commands).

Signed-off-by: Todd C. Miller <tmiller@tresys.com>

--

Index: trunk/checkpolicy/test/dismod.c
===================================================================
--- trunk.orig/checkpolicy/test/dismod.c
+++ trunk/checkpolicy/test/dismod.c
@@ -34,6 +34,7 @@
 #include <sepol/policydb/link.h>
 #include <sepol/policydb/module.h>
 #include <sepol/policydb/util.h>
+#include <sepol/policydb/polcaps.h>
 
 #include <byteswap.h>
 #include <endian.h>
@@ -765,6 +766,26 @@ static void link_module(policydb_t * bas
 	return;
 }
 
+static void display_policycaps(policydb_t * p, FILE * fp)
+{
+	ebitmap_node_t *node;
+	const char *capname;
+	char buf[64];
+	int i;
+
+	fprintf(fp, "policy capabilities:\n");
+	ebitmap_for_each_bit(&p->policycaps, node, i) {
+		if (ebitmap_get_bit(&p->policycaps, i)) {
+			capname = sepol_polcap_getname(i);
+			if (capname == NULL) {
+				snprintf(buf, sizeof(buf), "unknown (%d)", i);
+				capname = buf;
+			}
+			fprintf(fp, "\t%s\n", capname);
+		}
+	}
+}
+
 int menu()
 {
 	printf("\nSelect a command:\n");
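Review bot: display_policycaps has no header comment, and the fallback at `if (capname == NULL)` is the one branch whose purpose a reader cannot get from the code alone; I would add `/* Print every capability bit set in p->policycaps, one per line; a bit that sepol_polcap_getname() has no name for is printed as "unknown (N)" rather than skipped. */` above the function and `/* presumably a capability newer than this libsepol; keep it visible */` on the fallback. This patch adds the same function byte-for-byte to dispol.c; if both tools keep a private copy, the comment belongs on both, though a shared helper would avoid the duplication. menu(), which begins at the end of this hunk, continues outside it.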
@@ -781,6 +802,7 @@ int menu()
 	printf("\n");
 	printf("a)  Display avrule requirements\n");
 	printf("b)  Display avrule declarations\n");
+	printf("c)  Display policy capabilities\n");
 	printf("l)  Link in a module\n");
 	printf("u)  Display the unknown handling setting\n");
 	printf("\n");
@@ -891,6 +913,9 @@ int main(int argc, char **argv)
 			fprintf(out_fp, "avrule block declarations:\n");
 			display_avblock(6, 0, &policydb, out_fp);
 			break;
+		case 'c':
+			display_policycaps(&policydb, out_fp);
+			break;
 		case 'u':
 		case 'U':
 			display_handle_unknown(&policydb, out_fp);
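Review bot: `case 'c':` accepts only the lowercase letter, whereas the adjacent `case 'u': case 'U':` pair accepts both cases for the unknown-handling command; if that pairing is the convention in this switch, the new entry should read `case 'c': case 'C':` (the menu text can stay as it is, as it does for 'u'). The same applies to the identical `case 'c':` this patch adds to main() in dispol.c. main() begins and ends outside this hunk.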
Index: trunk/checkpolicy/test/dispol.c
===================================================================
--- trunk.orig/checkpolicy/test/dispol.c
+++ trunk/checkpolicy/test/dispol.c
@@ -23,6 +23,7 @@
 #include <sepol/policydb/conditional.h>
 #include <sepol/policydb/expand.h>
 #include <sepol/policydb/util.h>
+#include <sepol/policydb/polcaps.h>
 #include <getopt.h>
 #include <assert.h>
 #include <unistd.h>
@@ -298,6 +299,26 @@ int change_bool(char *name, int state, p
 	return 0;
 }
 
+static void display_policycaps(policydb_t * p, FILE * fp)
+{
+	ebitmap_node_t *node;
+	const char *capname;
+	char buf[64];
+	int i;
+
+	fprintf(fp, "policy capabilities:\n");
+	ebitmap_for_each_bit(&p->policycaps, node, i) {
+		if (ebitmap_get_bit(&p->policycaps, i)) {
+			capname = sepol_polcap_getname(i);
+			if (capname == NULL) {
+				snprintf(buf, sizeof(buf), "unknown (%d)", i);
+				capname = buf;
+			}
+			fprintf(fp, "\t%s\n", capname);
+		}
+	}
+}
+
 int menu()
 {
 	printf("\nSelect a command:\n");
@@ -309,6 +330,7 @@ int menu()
 	printf("6)  display conditional expressions\n");
 	printf("7)  change a boolean value\n");
 	printf("\n");
+	printf("c)  display policy capabilities\n");
 	printf("u)  display unknown handling setting\n");
 	printf("f)  set output file\n");
 	printf("m)  display menu\n");
@@ -421,6 +443,9 @@ int main(int argc, char **argv)
 			change_bool(name, state, &policydb, out_fp);
 			free(name);
 			break;
+		case 'c':
+			display_policycaps(&policydb, out_fp);
+			break;
 		case 'u':
 		case 'U':
 			display_handle_unknown(&policydb, out_fp);
Index: trunk/checkpolicy/policy_scan.l
===================================================================
--- trunk.orig/checkpolicy/policy_scan.l
+++ trunk/checkpolicy/policy_scan.l
@@ -201,6 +201,8 @@ h1 |
 H1				{ return(H1); }
 h2 |
 H2				{ return(H2); }
+policycap |
+POLICYCAP			{ return(POLICYCAP);}
 "/"({alnum}|[_.-/])*	        { return(PATH); }
 {letter}({alnum}|[_-])*([.]?({alnum}|[_-]))*	{ return(IDENTIFIER); }
 {digit}+                        { return(NUMBER); }
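Review bot: The new action `{ return(POLICYCAP);}` drops the space before the closing brace that the neighbouring rules (`{ return(H2); }`) keep, so the rule table reads unevenly; `POLICYCAP			{ return(POLICYCAP); }` matches them. The two-spelling pattern itself follows how h1/H1 and h2/H2 are handled just above, so only the spacing is worth changing.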
Index: trunk/checkpolicy/policy_parse.y
===================================================================
--- trunk.orig/checkpolicy/policy_parse.y
+++ trunk/checkpolicy/policy_parse.y
@@ -47,6 +47,7 @@
 #include <sepol/policydb/conditional.h>
 #include <sepol/policydb/flask.h>
 #include <sepol/policydb/hierarchy.h>
+#include <sepol/policydb/polcaps.h>
 #include "queue.h"
 #include "checkpolicy.h"
 #include "module_compiler.h"
@@ -198,6 +199,7 @@ typedef int (* require_func_t)();
 %token IPV4_ADDR
 %token IPV6_ADDR
 %token MODULE VERSION_IDENTIFIER REQUIRE OPTIONAL
+%token POLICYCAP
 
 %left OR
 %left XOR
@@ -323,6 +325,7 @@ te_decl			: attribute_def
                         | transition_def
                         | range_trans_def
                         | te_avtab_def
+			| policycap_def
 			;
 attribute_def           : ATTRIBUTE identifier ';'
                         { if (define_attrib()) return -1;}
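Review bot: The new `| policycap_def` alternative is indented with a tab while the sibling alternatives visible in this hunk (`| range_trans_def`, `| te_avtab_def`) are indented with spaces, so the alternative sits out of line with the rest of te_decl; `                        | policycap_def` aligns it. The same spacing point applies to the action of the new policycap_def rule in the next hunk, `{if (define_polcap()) return -1;}`, which the neighbouring attribute_def rule writes as `{ if (define_attrib()) return -1;}`.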
@@ -765,6 +768,9 @@ number			: NUMBER 
 ipv6_addr		: IPV6_ADDR
 			{ if (insert_id(yytext,0)) return -1; }
 			;
+policycap_def		: POLICYCAP identifier ';'
+			{if (define_polcap()) return -1;}
+			;
 
 /*********** module grammar below ***********/
 
@@ -962,6 +968,44 @@ static int define_class(void)
 	return -1;
 }
 
+static int define_polcap(void)
+{
+	char *id = 0;
+	int capnum;
+
+	if (pass == 2) {
+		id = queue_remove(id_queue);
+		free(id);
+		return 0;
+	}
+
+	id = (char *)queue_remove(id_queue);
+	if (!id) {
+		yyerror("no capability name for policycap definition?");
+		goto bad;
+	}
+
+	/* Check for valid cap name -> number mapping */
+	capnum = sepol_polcap_getnum(id);
+	if (capnum < 0) {
+		yyerror2("invalid policy capability name %s", id);
+		goto bad;
+	}
+
+	/* Store it */
+	if (ebitmap_set_bit(&policydbp->policycaps, capnum, TRUE)) {
+		yyerror("out of memory");
+		goto bad;
+	}
+
+	free(id);
+	return 0;
+
+      bad:
+	free(id);
+	return -1;
+}
+
 static int define_initial_sid(void)
 {
 	char *id = 0;
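Review bot: The pass-1 path `id = (char *)queue_remove(id_queue);` casts the result while the pass-2 path a few lines above uses the same call without a cast; the cast is redundant in C and the two should match, `id = queue_remove(id_queue);`. The function also lacks a header comment and its two-pass behaviour is not obvious from the code, so I would add `/* Handle a "policycap NAME;" declaration. On pass 1 the name is validated with sepol_polcap_getnum() and its bit is set in policydbp->policycaps; on pass 2 the name is only dequeued and freed, presumably because pass 1 already recorded it. */` above it. The `char *id = 0;` initialisation matches define_initial_sid directly below, so I would leave that as the file's style. define_initial_sid begins at the end of this hunk and continues outside it.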

-- 

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
