From: tmiller@tresys.com
To: selinux@tycho.nsa.gov
Cc: method@manicmethod.com, Stephen Smalley <sds@tycho.nsa.gov>,
dwalsh@redhat.com, paul.moore@hp.com, cpebenito@tresys.com,
kmacmillan@mentalrootkit.com
Subject: [patch 2/2] checkpolicy capability support
Date: Thu, 06 Dec 2007 16:38:54 -0500 [thread overview]
Message-ID: <20071206213942.268925113@tresys.com> (raw)
In-Reply-To: 20071206213852.083412876@tresys.com
This patch includes checkpolicy support for policy capabilities. In this
version of the patch policy capabilities are only allowed in the base
module. Attempting to use them in any other module results in a syntax error.
Also included is dismod/dispol support for printing the capabilities.
I chose to use the 'c' command for this in both dismod and dispol to
keep things consistent (dismod has run out of numbered commands).
Signed-off-by: Todd C. Miller <tmiller@tresys.com>
Index: trunk/checkpolicy/policy_parse.y
===================================================================
--- trunk.orig/checkpolicy/policy_parse.y
+++ trunk/checkpolicy/policy_parse.y
@@ -47,6 +47,7 @@
#include <sepol/policydb/conditional.h>
#include <sepol/policydb/flask.h>
#include <sepol/policydb/hierarchy.h>
+#include <sepol/policydb/polcaps.h>
#include "queue.h"
#include "checkpolicy.h"
#include "module_compiler.h"
@@ -198,6 +199,7 @@ typedef int (* require_func_t)();
%token IPV4_ADDR
%token IPV6_ADDR
%token MODULE VERSION_IDENTIFIER REQUIRE OPTIONAL
+%token POLICYCAP
%left OR
%left XOR
@@ -308,6 +310,7 @@ te_rbac_decl : te_decl
| rbac_decl
| cond_stmt_def
| optional_block
+ | policycap_def
| ';'
;
rbac_decl : role_type_def
@@ -765,6 +768,9 @@ number : NUMBER
ipv6_addr : IPV6_ADDR
{ if (insert_id(yytext,0)) return -1; }
;
+policycap_def : POLICYCAP identifier ';'
+ {if (define_polcap()) return -1;}
+ ;
/*********** module grammar below ***********/
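Review bot: The action calls define_polcap() before the function's static definition, which is added in the epilogue after define_class; yacc emits yyparse (and this action) ahead of the epilogue, so unless the prologue already declares `static int define_polcap(void);` the call is an implicit declaration and GCC rejects the later static definition as following a non-static one. No hunk in this patch adds such a prototype, so either it exists outside these hunks or it is missing — please confirm and add `static int define_polcap(void);` next to the other define_* prototypes if needed. As a point of style, the action brace spacing `{if (define_polcap()) return -1;}` differs from the neighbouring `{ if (insert_id(yytext,0)) return -1; }`; `{ if (define_polcap()) return -1; }` matches the file.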
@@ -962,6 +968,44 @@ static int define_class(void)
return -1;
}
+static int define_polcap(void)
+{
+ char *id = 0;
+ int capnum;
+
+ if (pass == 2) {
+ id = queue_remove(id_queue);
+ free(id);
+ return 0;
+ }
+
+ id = (char *)queue_remove(id_queue);
+ if (!id) {
+ yyerror("no capability name for policycap definition?");
+ goto bad;
+ }
+
+ /* Check for valid cap name -> number mapping */
+ capnum = sepol_polcap_getnum(id);
+ if (capnum < 0) {
+ yyerror2("invalid policy capability name %s", id);
+ goto bad;
+ }
+
+ /* Store it */
+ if (ebitmap_set_bit(&policydbp->policycaps, capnum, TRUE)) {
+ yyerror("out of memory");
+ goto bad;
+ }
+
+ free(id);
+ return 0;
+
+ bad:
+ free(id);
+ return -1;
+}
+
static int define_initial_sid(void)
{
char *id = 0;
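Review bot: define_polcap has no header comment, and the reader has to infer why the `pass == 2` branch only drains the identifier queue; a two-line comment above the function, saying that the capability bit is recorded in policydbp->policycaps on the first pass and that the second pass merely discards the queued name so the id_queue stays in step with the grammar, would make the control flow self-explanatory. The two `queue_remove(id_queue)` calls are also written inconsistently: the second carries a redundant `(char *)` cast while the first does not; use `id = queue_remove(id_queue);` in both places. The rest of the error handling looks right: every exit path frees `id`, and an unknown name is rejected by `sepol_polcap_getnum` returning a negative value before any bit is set.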
Index: trunk/checkpolicy/policy_scan.l
===================================================================
--- trunk.orig/checkpolicy/policy_scan.l
+++ trunk/checkpolicy/policy_scan.l
@@ -201,6 +201,8 @@ h1 |
H1 { return(H1); }
h2 |
H2 { return(H2); }
+policycap |
+POLICYCAP { return(POLICYCAP);}
"/"({alnum}|[_.-/])* { return(PATH); }
{letter}({alnum}|[_-])*([.]?({alnum}|[_-]))* { return(IDENTIFIER); }
{digit}+ { return(NUMBER); }
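Review bot: The new rule turns `policycap` (either case) into a reserved word: it is listed before the `{letter}...` IDENTIFIER rule, so for the same-length match flex returns POLICYCAP rather than IDENTIFIER, and any existing policy that used `policycap` as a type, attribute or other identifier will stop parsing. That is an acceptable cost for a new keyword, but it is a compatibility change and should be stated in the commit description alongside the base-module restriction. A flex rule line cannot carry a trailing comment, so the description is the right place for it.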
Index: trunk/checkpolicy/test/dismod.c
===================================================================
--- trunk.orig/checkpolicy/test/dismod.c
+++ trunk/checkpolicy/test/dismod.c
@@ -34,6 +34,7 @@
#include <sepol/policydb/link.h>
#include <sepol/policydb/module.h>
#include <sepol/policydb/util.h>
+#include <sepol/policydb/polcaps.h>
#include <byteswap.h>
#include <endian.h>
@@ -765,6 +766,26 @@ static void link_module(policydb_t * bas
return;
}
+static void display_policycaps(policydb_t * p, FILE * fp)
+{
+ ebitmap_node_t *node;
+ const char *capname;
+ char buf[64];
+ int i;
+
+ fprintf(fp, "policy capabilities:\n");
+ ebitmap_for_each_bit(&p->policycaps, node, i) {
+ if (ebitmap_get_bit(&p->policycaps, i)) {
+ capname = sepol_polcap_getname(i);
+ if (capname == NULL) {
+ snprintf(buf, sizeof(buf), "unknown (%d)", i);
+ capname = buf;
+ }
+ fprintf(fp, "\t%s\n", capname);
+ }
+ }
+}
+
int menu()
{
printf("\nSelect a command:\n");
@@ -781,6 +802,7 @@ int menu()
printf("\n");
printf("a) Display avrule requirements\n");
printf("b) Display avrule declarations\n");
+ printf("c) Display policy capabilities\n");
printf("l) Link in a module\n");
printf("u) Display the unknown handling setting\n");
printf("\n");
@@ -891,6 +913,9 @@ int main(int argc, char **argv)
fprintf(out_fp, "avrule block declarations:\n");
display_avblock(6, 0, &policydb, out_fp);
break;
+ case 'c':
+ display_policycaps(&policydb, out_fp);
+ break;
case 'u':
case 'U':
display_handle_unknown(&policydb, out_fp);
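Review bot: The new `case 'c':` accepts only the lowercase letter, while the neighbouring command on the very next lines is written `case 'u': case 'U':`, so a user who types `C` gets no output where `U` works; write `case 'c': case 'C':` for consistency with the rest of the switch. The same applies to the dispol.c hunk that adds its `case 'c':`. main() begins and ends outside this hunk.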
Index: trunk/checkpolicy/test/dispol.c
===================================================================
--- trunk.orig/checkpolicy/test/dispol.c
+++ trunk/checkpolicy/test/dispol.c
@@ -23,6 +23,7 @@
#include <sepol/policydb/conditional.h>
#include <sepol/policydb/expand.h>
#include <sepol/policydb/util.h>
+#include <sepol/policydb/polcaps.h>
#include <getopt.h>
#include <assert.h>
#include <unistd.h>
@@ -298,6 +299,26 @@ int change_bool(char *name, int state, p
return 0;
}
+static void display_policycaps(policydb_t * p, FILE * fp)
+{
+ ebitmap_node_t *node;
+ const char *capname;
+ char buf[64];
+ int i;
+
+ fprintf(fp, "policy capabilities:\n");
+ ebitmap_for_each_bit(&p->policycaps, node, i) {
+ if (ebitmap_get_bit(&p->policycaps, i)) {
+ capname = sepol_polcap_getname(i);
+ if (capname == NULL) {
+ snprintf(buf, sizeof(buf), "unknown (%d)", i);
+ capname = buf;
+ }
+ fprintf(fp, "\t%s\n", capname);
+ }
+ }
+}
+
int menu()
{
printf("\nSelect a command:\n");
@@ -309,6 +330,7 @@ int menu()
printf("6) display conditional expressions\n");
printf("7) change a boolean value\n");
printf("\n");
+ printf("c) display policy capabilities\n");
printf("u) display unknown handling setting\n");
printf("f) set output file\n");
printf("m) display menu\n");
@@ -421,6 +443,9 @@ int main(int argc, char **argv)
change_bool(name, state, &policydb, out_fp);
free(name);
break;
+ case 'c':
+ display_policycaps(&policydb, out_fp);
+ break;
case 'u':
case 'U':
display_handle_unknown(&policydb, out_fp);
--
--