From: KaiGai Kohei <kaigai@kaigai.gr.jp>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Kaigai Kohei <kaigai@ak.jp.nec.com>,
SELinux Mail List <selinux@tycho.nsa.gov>
Subject: Re: [RFC & PATCH] inherited type definition.
Date: Sat, 16 Apr 2005 16:31:56 +0900 [thread overview]
Message-ID: <4260BF6C.6030008@kaigai.gr.jp> (raw)
In-Reply-To: <1111586217.21107.54.camel@moss-spartans.epoch.ncsc.mil>
[-- Attachment #1: Type: text/plain, Size: 1150 bytes --]
Hello,
>>I tried to modify the Fedora-C3's strict policy for quick testing,
>>and represent a unified file type of HTTPd/Samba/FTPd.
>>
>>I intend to access /var/www/ftp via HTTP and FTP, /var/www/samba via HTTP and Samba.
>>The following configuration was necessary for this purpose.
>>
>>BTW, since any macros (such as apache) were so complex for me, the following
>>configuration may be insufficiency in a precise sense.
>>But it's easily understandable as a configuration sample for real application,
>>I think.
>
>
> Thanks for the additional patch and the example. I'd like to encourage
> people on the list who are actively writing policies to look at this
> language extension and example and comment on whether they think it
> would be helpful to them.
How is the current status of inheritable-type patch ?
Can I think that we can use such statements checkpolicy-1.24 or later ?
Please, don't forget. :-)
I modified the latest patch against to checkpolicy-1.23.1 on Fedora's CVS.
Since there is only one FAILED hunk on checkpolicy.c:518, I modified this.
Thanks,
--
DO NOTHING IS THE WORST POLICY.
KaiGai Kohei <kaigai@kaigai.gr.jp>
[-- Attachment #2: checkpolicy-1.23.1-extends.patch --]
[-- Type: text/plain, Size: 24879 bytes --]
--- checkpolicy-1.23.1/checkpolicy.h 2005-04-14 16:27:34.000000000 -0400
+++ checkpolicy-1.23.1-extends/checkpolicy.h 2005-04-16 16:37:42.000000000 -0400
@@ -7,6 +7,7 @@ typedef struct te_assert {
ebitmap_t stypes;
ebitmap_t ttypes;
ebitmap_t tclasses;
+ ebitmap_t inherit;
int self;
access_vector_t *avp;
unsigned long line;
@@ -18,4 +19,16 @@ te_assert_t *te_assertions;
extern unsigned int policyvers;
extern unsigned int mlspol;
+/* type was not indexed in policydb,
+ but it's necessary for extends support. */
+extern type_datum_t **type_val_to_struct;
+extern int num_type_val_to_struct;
+extern void get_child_types(ebitmap_t *set, type_datum_t *t, int recursive);
+
+static inline type_datum_t *get_type(int typeval) {
+ if (!type_val_to_struct || typeval<1 || typeval>num_type_val_to_struct)
+ return NULL;
+ return type_val_to_struct[typeval-1];
+}
+
#endif
--- checkpolicy-1.23.1/checkpolicy.c 2005-04-14 16:27:34.000000000 -0400
+++ checkpolicy-1.23.1-extends/checkpolicy.c 2005-04-16 16:39:32.000000000 -0400
@@ -345,8 +345,10 @@ void check_assertion_helper(unsigned int
void check_assertions(void)
{
+ ebitmap_t temp;
+ type_datum_t *typedatum;
te_assert_t *a, *tmp;
- unsigned int i, j;
+ unsigned int i, j, k;
a = te_assertions;
while (a) {
@@ -354,7 +356,23 @@ void check_assertions(void)
if (!ebitmap_get_bit(&a->stypes, i))
continue;
if (a->self) {
- check_assertion_helper(i, i, &a->tclasses, a->avp, a->line);
+ typedatum = type_val_to_struct[i];
+ if (!typedatum) {
+ fprintf(stderr, "BUG: check_assetion for undefined type.\n");
+ exit(1);
+ }
+ ebitmap_init(&temp);
+ get_child_types(&temp, typedatum, ebitmap_get_bit(&a->inherit, i));
+ for (j = ebitmap_startbit(&temp); j < ebitmap_length(&temp); j++) {
+ if (!ebitmap_get_bit(&temp, j))
+ continue;
+ for (k = ebitmap_startbit(&temp); k < ebitmap_length(&temp); k++) {
+ if (!ebitmap_get_bit(&temp, k))
+ continue;
+ check_assertion_helper(j, k, &a->tclasses, a->avp, a->line);
+ }
+ }
+ ebitmap_destroy(&temp);
}
for (j = ebitmap_startbit(&a->ttypes); j < ebitmap_length(&a->ttypes); j++) {
if (!ebitmap_get_bit(&a->ttypes, j))
@@ -367,6 +385,7 @@ void check_assertions(void)
ebitmap_destroy(&tmp->stypes);
ebitmap_destroy(&tmp->ttypes);
ebitmap_destroy(&tmp->tclasses);
+ ebitmap_destroy(&tmp->inherit);
free(tmp->avp);
free(tmp);
}
@@ -443,6 +462,49 @@ int change_bool(char *name, int state)
return 0;
}
+type_datum_t **type_val_to_struct = NULL;
+int num_type_val_to_struct = -1;
+
+static int type_val_to_struct_helper(hashtab_key_t k, hashtab_datum_t d, void *args)
+{
+ type_datum_t *t = (type_datum_t *)d;
+ if (!t->isattr && t->primary)
+ type_val_to_struct[t->value-1] = t;
+ return 0; /* always success */
+}
+
+void get_child_types(ebitmap_t *set, type_datum_t *td, int recur)
+{
+ type_datum_t *child;
+ int i;
+
+ if (!td->isattr && !td->primary)
+ td = get_type(td->value);
+
+ if (!td->isattr) {
+ ebitmap_set_bit(set, td->value - 1, 1);
+ if (!recur)
+ return;
+ for (i = ebitmap_startbit(&td->types); i < ebitmap_length(&td->types); i++) {
+ if (!ebitmap_get_bit(&td->types, i))
+ continue;
+ child = type_val_to_struct[i];
+ get_child_types(set, child, recur);
+ }
+ } else {
+ for (i = ebitmap_startbit(&td->types); i < ebitmap_length(&td->types); i++) {
+ if (!ebitmap_get_bit(&td->types, i))
+ continue;
+ if (!recur) {
+ ebitmap_set_bit(set, i, 1);
+ } else {
+ child = type_val_to_struct[i];
+ get_child_types(set, child, recur);
+ }
+ }
+ }
+}
+
int main(int argc, char **argv)
{
security_class_t tclass;
@@ -457,7 +519,7 @@ int main(int argc, char **argv)
unsigned int binary = 0, debug = 0;
struct val_to_name v;
int ret, ch, fd;
- unsigned int nel, uret;
+ unsigned int nel, len, uret;
struct stat sb;
void *map;
FILE *outfp = NULL;
@@ -594,6 +656,18 @@ int main(int argc, char **argv)
fprintf(stderr, "%s: error(s) encountered while parsing configuration\n", argv[0]);
exit(1);
}
+
+ /* construction of type_val_to_struct */
+ num_type_val_to_struct = policydbp->p_types.nprim;
+ len = sizeof(type_datum_t *) * num_type_val_to_struct;
+ type_val_to_struct = (type_datum_t **)malloc(len);
+ if (!type_val_to_struct) {
+ fprintf(stderr, "type_val_to_struct: out of memory\n");
+ exit(1);
+ }
+ memset(type_val_to_struct, 0, len);
+ hashtab_map(policydbp->p_types.table, type_val_to_struct_helper, NULL);
+
rewind(yyin);
policydb_lineno = 1;
source_file[0] = '\0';
--- checkpolicy-1.23.1/policy_scan.l 2005-04-14 16:27:34.000000000 -0400
+++ checkpolicy-1.23.1-extends/policy_scan.l 2005-04-16 16:37:42.000000000 -0400
@@ -69,6 +69,8 @@ TYPEALIAS |
typealias { return(TYPEALIAS); }
TYPEATTRIBUTE |
typeattribute { return(TYPEATTRIBUTE); }
+TYPEEXTENDS |
+typeextends { return(TYPEEXTENDS); }
TYPE |
type { return(TYPE); }
BOOL |
@@ -79,6 +81,8 @@ ELSE |
else { return(ELSE); }
ALIAS |
alias { return(ALIAS); }
+EXTENDS |
+extends { return(EXTENDS); }
ATTRIBUTE |
attribute { return(ATTRIBUTE); }
TYPE_TRANSITION |
@@ -216,7 +220,8 @@ H2 { return(H2); }
"." |
"]" |
"~" |
-"*" { return(yytext[0]); }
+"*" |
+"@" { return(yytext[0]); }
. { yywarn("unrecognized character");}
%%
int yyerror(char *msg)
--- checkpolicy-1.23.1/policy_parse.y 2005-04-14 16:27:34.000000000 -0400
+++ checkpolicy-1.23.1-extends/policy_parse.y 2005-04-16 16:37:42.000000000 -0400
@@ -19,6 +19,11 @@
* the Free Software Foundation, version 2.
*/
+/* Updated: KaiGai Kohei, <kaigai@ak.jp.nec.com>
+ * Added inherited type extensions and '@' prefix. (2005/03/21)
+ */
+
+
/* FLASK */
%{
@@ -76,8 +81,8 @@ static int define_category(void);
static int define_level(void);
static int define_attrib(void);
static int define_typealias(void);
-static int define_typeattribute(void);
-static int define_type(int alias);
+static int define_typeattribute(int extends);
+static int define_type(int alias, int extends);
static int define_compute_type(int which);
static int define_te_avtab(int which);
static int define_role_types(void);
@@ -134,9 +139,11 @@ static int define_ipv6_node_context(void
%token ROLES
%token TYPEALIAS
%token TYPEATTRIBUTE
+%token TYPEEXTENDS
%token TYPE
%token TYPES
%token ALIAS
+%token EXTENDS
%token ATTRIBUTE
%token BOOL
%token IF
@@ -289,6 +296,7 @@ te_decl : attribute_def
| type_def
| typealias_def
| typeattribute_def
+ | typeextends_def
| bool_def
| transition_def
| range_trans_def
@@ -299,19 +307,28 @@ attribute_def : ATTRIBUTE iden
{ if (define_attrib()) return -1;}
;
type_def : TYPE identifier alias_def opt_attr_list ';'
- {if (define_type(1)) return -1;}
+ {if (define_type(1, 0)) return -1;}
| TYPE identifier opt_attr_list ';'
- {if (define_type(0)) return -1;}
+ {if (define_type(0, 0)) return -1;}
+ | TYPE identifier alias_def opt_extends_list ';'
+ {if (define_type(1, 1)) return -1;}
+ | TYPE identifier opt_extends_list ';'
+ {if (define_type(0, 1)) return -1;}
;
typealias_def : TYPEALIAS identifier alias_def ';'
{if (define_typealias()) return -1;}
;
typeattribute_def : TYPEATTRIBUTE identifier id_comma_list ';'
- {if (define_typeattribute()) return -1;}
+ {if (define_typeattribute(0)) return -1;}
+ ;
+typeextends_def : TYPEEXTENDS identifier EXTENDS id_comma_list ';'
+ {if (define_typeattribute(1)) return -1;}
;
opt_attr_list : ',' id_comma_list
|
;
+opt_extends_list : EXTENDS id_comma_list
+ ;
bool_def : BOOL identifier bool_val ';'
{if (define_bool()) return -1;}
;
@@ -513,13 +530,13 @@ cexpr_prim : U1 op U2
| R3 op { if (insert_separator(1)) return -1; } names_push
{ $$ = define_cexpr(CEXPR_NAMES, (CEXPR_ROLE | CEXPR_XTARGET), $2);
if ($$ == 0) return -1; }
- | T1 op { if (insert_separator(1)) return -1; } names_push
+ | T1 op { if (insert_separator(1)) return -1; } type_names_push
{ $$ = define_cexpr(CEXPR_NAMES, CEXPR_TYPE, $2);
if ($$ == 0) return -1; }
- | T2 op { if (insert_separator(1)) return -1; } names_push
+ | T2 op { if (insert_separator(1)) return -1; } type_names_push
{ $$ = define_cexpr(CEXPR_NAMES, (CEXPR_TYPE | CEXPR_TARGET), $2);
if ($$ == 0) return -1; }
- | T3 op { if (insert_separator(1)) return -1; } names_push
+ | T3 op { if (insert_separator(1)) return -1; } type_names_push
{ $$ = define_cexpr(CEXPR_NAMES, (CEXPR_TYPE | CEXPR_XTARGET), $2);
if ($$ == 0) return -1; }
| SAMEUSER
@@ -534,10 +551,10 @@ cexpr_prim : U1 op U2
| ROLE role_mls_op
{ $$ = define_cexpr(CEXPR_ATTR, CEXPR_ROLE, $2);
if ($$ == 0) return -1; }
- | SOURCE TYPE { if (insert_separator(1)) return -1; } names_push
+ | SOURCE TYPE { if (insert_separator(1)) return -1; } type_names_push
{ $$ = define_cexpr(CEXPR_NAMES, CEXPR_TYPE, CEXPR_EQ);
if ($$ == 0) return -1; }
- | TARGET TYPE { if (insert_separator(1)) return -1; } names_push
+ | TARGET TYPE { if (insert_separator(1)) return -1; } type_names_push
{ $$ = define_cexpr(CEXPR_NAMES, (CEXPR_TYPE | CEXPR_TARGET), CEXPR_EQ);
if ($$ == 0) return -1; }
| L1 role_mls_op L2
@@ -690,20 +707,27 @@ tilde : '~'
;
asterisk : '*'
;
-names : identifier
+atmark : '@'
+ ;
+type_identifier : IDENTIFIER
+ { if (insert_id(yytext, 0)) return -1; }
+ | atmark IDENTIFIER
+ { if (insert_id("@", 0) || insert_id(yytext, 0)) return -1; }
+ ;
+names : type_identifier
{ if (insert_separator(0)) return -1; }
| nested_id_set
{ if (insert_separator(0)) return -1; }
| asterisk
{ if (insert_id("*", 0)) return -1;
if (insert_separator(0)) return -1; }
- | tilde identifier
+ | tilde type_identifier
{ if (insert_id("~", 0)) return -1;
if (insert_separator(0)) return -1; }
| tilde nested_id_set
- { if (insert_id("~", 0)) return -1;
+ { if (insert_id("~", 0)) return -1;
if (insert_separator(0)) return -1; }
- | identifier '-' { if (insert_id("-", 0)) return -1; } identifier
+ | type_identifier '-' { if (insert_id("-", 0)) return -1; } type_identifier
{ if (insert_separator(0)) return -1; }
;
tilde_push : tilde
@@ -712,6 +736,19 @@ tilde_push : tilde
asterisk_push : asterisk
{ if (insert_id("*", 1)) return -1; }
;
+type_names_push : type_identifier_push
+ | '{' type_identifier_list_push '}'
+ | tilde_push type_identifier_push
+ | tilde_push '{' type_identifier_list_push '}'
+ ;
+type_identifier_list_push : type_identifier_push
+ | type_identifier_list_push type_identifier_push
+ ;
+type_identifier_push : IDENTIFIER
+ { if (insert_id(yytext,1)) return -1; }
+ | atmark IDENTIFIER
+ { if (insert_id(yytext,1)||insert_id("@",1)) return -1;}
+ ;
names_push : identifier_push
| '{' identifier_list_push '}'
| asterisk_push
@@ -731,7 +768,9 @@ nested_id_set : '{' nested_id_
;
nested_id_list : nested_id_element | nested_id_list nested_id_element
;
-nested_id_element : identifier | '-' { if (insert_id("-", 0)) return -1; } identifier | nested_id_set
+nested_id_element : type_identifier
+ | '-' { if (insert_id("-", 0)) return -1; } type_identifier
+ | nested_id_set
;
identifier : IDENTIFIER
{ if (insert_id(yytext,0)) return -1; }
@@ -1564,10 +1603,35 @@ static int define_typealias(void)
return 0;
}
-static int define_typeattribute(void)
+static int check_loop_inheritance(type_datum_t *td, int parent_typeval)
+{
+ type_datum_t *child;
+ int i;
+
+ /* attribute never have inheritance loop */
+ if (td->isattr)
+ return 0;
+
+ for (i = ebitmap_startbit(&td->types); i < ebitmap_length(&td->types); i++) {
+ if (!ebitmap_get_bit(&td->types, i))
+ continue;
+ if ( parent_typeval - 1 == i )
+ return -1; /* Loop inheritance detected */
+ child = get_type(i+1);
+ if (!child) {
+ yyerror("BUG: unregistered type");
+ return -1;
+ }
+ if (check_loop_inheritance(child, parent_typeval))
+ return -1;
+ }
+ return 0;
+}
+
+static int define_typeattribute(int extends)
{
char *id;
- type_datum_t *t, *attr;
+ type_datum_t *t, *inherit;
if (pass == 2) {
while ((id = queue_remove(id_queue)))
@@ -1590,16 +1654,17 @@ static int define_typeattribute(void)
}
while ((id = queue_remove(id_queue))) {
- attr = hashtab_search(policydbp->p_types.table, id);
- if (!attr) {
- sprintf(errormsg, "attribute %s is not declared", id);
+ inherit = hashtab_search(policydbp->p_types.table, id);
+ if (!inherit) {
+ sprintf(errormsg, "%sattribute %s is not declared",
+ (extends ? "type/" : ""), id);
/* treat it as a fatal error */
yyerror(errormsg);
free(id);
return -1;
}
- if (!attr->isattr) {
+ if (!extends && !inherit->isattr) {
sprintf(errormsg, "%s is a type, not an attribute", id);
yyerror(errormsg);
free(id);
@@ -1608,7 +1673,12 @@ static int define_typeattribute(void)
free(id);
- if (ebitmap_set_bit(&attr->types, (t->value - 1), TRUE)) {
+ if (check_loop_inheritance(t, inherit->value)) {
+ yyerror("inheritance loop is detected");
+ return -1;
+ }
+
+ if (ebitmap_set_bit(&inherit->types, (t->value - 1), TRUE)) {
yyerror("out of memory");
return -1;
}
@@ -1617,10 +1687,10 @@ static int define_typeattribute(void)
return 0;
}
-static int define_type(int alias)
+static int define_type(int alias, int extends)
{
char *id;
- type_datum_t *datum, *aliasdatum, *attr;
+ type_datum_t *datum, *aliasdatum, *inherit;
int ret, newattr = 0;
@@ -1698,9 +1768,10 @@ static int define_type(int alias)
}
while ((id = queue_remove(id_queue))) {
- attr = hashtab_search(policydbp->p_types.table, id);
- if (!attr) {
- sprintf(errormsg, "attribute %s is not declared", id);
+ inherit = hashtab_search(policydbp->p_types.table, id);
+ if (!inherit) {
+ sprintf(errormsg, "%sattribute %s is not declared",
+ (extends)?"type/":"", id);
#if 1
/* treat it as a fatal error */
yyerror(errormsg);
@@ -1729,7 +1800,7 @@ static int define_type(int alias)
newattr = 0;
}
- if (!attr->isattr) {
+ if (!extends && !inherit->isattr) {
sprintf(errormsg, "%s is a type, not an attribute", id);
yyerror(errormsg);
return -1;
@@ -1738,7 +1809,7 @@ static int define_type(int alias)
if (!newattr)
free(id);
- ebitmap_set_bit(&attr->types, datum->value - 1, TRUE);
+ ebitmap_set_bit(&inherit->types, datum->value - 1, TRUE);
}
return 0;
@@ -1780,11 +1851,13 @@ static char *type_val_to_name(unsigned i
static int set_types(ebitmap_t *set,
ebitmap_t *negset,
+ ebitmap_t *inherit,
char *id,
int *add)
{
type_datum_t *t;
unsigned int i;
+ ebitmap_t temp;
if (strcmp(id, "*") == 0) {
/* set all types not in negset */
@@ -1809,10 +1882,16 @@ static int set_types(ebitmap_t *set,
}
if (strcmp(id, "-") == 0) {
- *add = 0;
+ *add &= 0xfffe; /* clear bit 0*/
+ free(id);
+ return 0;
+ }
+
+ if (strcmp(id, "@") == 0) {
+ *add |= 0x0002; /* set bit 1 */
free(id);
return 0;
- }
+ }
t = hashtab_search(policydbp->p_types.table, id);
if (!t) {
@@ -1821,42 +1900,28 @@ static int set_types(ebitmap_t *set,
free(id);
return -1;
}
+ if (inherit && ((*add)&0x0002)!=0 )
+ ebitmap_set_bit(inherit, t->value - 1, TRUE);
- if (t->isattr) {
- /* set or clear all types with this attribute,
- but do not set anything explicitly cleared previously */
- for (i = ebitmap_startbit(&t->types); i < ebitmap_length(&t->types); i++) {
- if (!ebitmap_get_bit(&t->types, i))
- continue;
- if (!(*add)) {
- ebitmap_set_bit(set, i, FALSE);
- ebitmap_set_bit(negset, i, TRUE);
- } else if (!ebitmap_get_bit(negset, i)) {
- ebitmap_set_bit(set, i, TRUE);
-#if VERBOSE
- } else {
- char *name = type_val_to_name(i+1);
- sprintf(errormsg, "ignoring %s due to prior -%s", name, name);
- yywarn(errormsg);
-#endif
- }
- }
- } else {
- /* set or clear one type, but do not set anything
- explicitly cleared previously */
- if (!(*add)) {
- ebitmap_set_bit(set, t->value - 1, FALSE);
- ebitmap_set_bit(negset, t->value - 1, TRUE);
- } else if (!ebitmap_get_bit(negset, t->value - 1)) {
- ebitmap_set_bit(set, t->value - 1, TRUE);
+ ebitmap_init(&temp);
+ get_child_types(&temp, t, (*add)&0x0002);
+ for (i = ebitmap_startbit(&temp); i < ebitmap_length(&temp); i++) {
+ if (!ebitmap_get_bit(&temp, i))
+ continue;
+ if (!((*add)&0x0001)) {
+ ebitmap_set_bit(set, i, FALSE);
+ ebitmap_set_bit(negset, i, TRUE);
+ } else if (!ebitmap_get_bit(negset, i)) {
+ ebitmap_set_bit(set, i, TRUE);
#if VERBOSE
} else {
- sprintf(errormsg, "ignoring %s due to prior -%s", id, id);
+ char *name = type_val_to_name(i+1);
+ sprintf(errormsg, "ignoring %s due to prior -%s", name, name);
yywarn(errormsg);
#endif
}
}
-
+ ebitmap_destroy(&temp);
free(id);
*add = 1;
return 0;
@@ -1893,14 +1958,14 @@ static int define_compute_type(int which
ebitmap_init(&negset);
while ((id = queue_remove(id_queue))) {
- if (set_types(&stypes, &negset, id, &add))
+ if (set_types(&stypes, &negset, NULL, id, &add))
return -1;
}
ebitmap_destroy(&negset);
ebitmap_init(&negset);
while ((id = queue_remove(id_queue))) {
- if (set_types(&ttypes, &negset, id, &add))
+ if (set_types(&ttypes, &negset, NULL, id, &add))
return -1;
}
ebitmap_destroy(&negset);
@@ -2033,14 +2098,14 @@ static cond_av_list_t *define_cond_compu
ebitmap_init(&negset);
while ((id = queue_remove(id_queue))) {
- if (set_types(&stypes, &negset, id, &add))
+ if (set_types(&stypes, &negset, NULL, id, &add))
return COND_ERR;
}
ebitmap_destroy(&negset);
ebitmap_init(&negset);
while ((id = queue_remove(id_queue))) {
- if (set_types(&ttypes, &negset, id, &add))
+ if (set_types(&ttypes, &negset, NULL, id, &add))
return COND_ERR;
}
ebitmap_destroy(&negset);
@@ -2445,9 +2510,10 @@ static cond_av_list_t *define_cond_te_av
cond_av_list_t *sub_list, *final_list, *tail;
class_datum_t *cladatum;
perm_datum_t *perdatum;
- ebitmap_t stypes, ttypes, tclasses, negset;
+ type_datum_t *typedatum;
+ ebitmap_t stypes, ttypes, tclasses, temp, inherit, negset;
access_vector_t *avp;
- int i, j, hiclass, self = 0, add = 1;
+ int i, j, k, hiclass, self = 0, add = 1;
int suppress = 0;
if (pass == 1) {
@@ -2465,10 +2531,11 @@ static cond_av_list_t *define_cond_te_av
ebitmap_init(&stypes);
ebitmap_init(&ttypes);
ebitmap_init(&tclasses);
+ ebitmap_init(&inherit);
ebitmap_init(&negset);
while ((id = queue_remove(id_queue))) {
- if (set_types(&stypes, &negset, id, &add))
+ if (set_types(&stypes, &negset, &inherit, id, &add))
return COND_ERR;
}
ebitmap_destroy(&negset);
@@ -2479,7 +2546,7 @@ static cond_av_list_t *define_cond_te_av
self = 1;
continue;
}
- if (set_types(&ttypes, &negset, id, &add))
+ if (set_types(&ttypes, &negset, NULL, id, &add))
return COND_ERR;
}
ebitmap_destroy(&negset);
@@ -2568,19 +2635,36 @@ static cond_av_list_t *define_cond_te_av
for (i = ebitmap_startbit(&stypes); i < ebitmap_length(&stypes); i++) {
if (!ebitmap_get_bit(&stypes, i))
continue;
- if (self) {
- if ((sub_list = cond_te_avtab_helper(which, i, i, &tclasses, avp )) == COND_ERR)
- return COND_ERR;
- if (final_list) {
- tail->next = sub_list;
- while (tail->next != NULL)
- tail = tail->next;
- } else {
- final_list = sub_list;
- tail = final_list;
- while (tail->next != NULL)
- tail = tail->next;
+ typedatum = get_type(i+1);
+ if (!typedatum)
+ return COND_ERR;
+ ebitmap_init(&temp);
+ /* If the source type is given with '@' prefix,
+ 'self' also includes own child types. */
+ get_child_types(&temp, typedatum, ebitmap_get_bit(&inherit,i));
+ for (j = ebitmap_startbit(&temp); j < ebitmap_length(&temp); j++) {
+ if(!ebitmap_get_bit(&temp, j))
+ continue;
+ for (k = ebitmap_startbit(&temp); k < ebitmap_length(&temp); k++) {
+ if(!ebitmap_get_bit(&temp, k))
+ continue;
+ sub_list = cond_te_avtab_helper(which, j, k, &tclasses, avp);
+ if (sub_list==COND_ERR) {
+ ebitmap_destroy(&temp);
+ return COND_ERR;
+ }
+ if (final_list) {
+ tail->next = sub_list;
+ while (tail->next != NULL)
+ tail = tail->next;
+ } else {
+ final_list = sub_list;
+ tail = final_list;
+ while (tail->next != NULL)
+ tail = tail->next;
+ }
}
+ ebitmap_destroy(&temp);
}
}
}
@@ -2621,9 +2705,10 @@ static int define_te_avtab(int which)
char *id;
class_datum_t *cladatum;
perm_datum_t *perdatum;
- ebitmap_t stypes, ttypes, tclasses, negset;
+ type_datum_t *typedatum;
+ ebitmap_t stypes, ttypes, tclasses, temp, inherit, negset;
access_vector_t *avp;
- unsigned int i, j, hiclass;
+ unsigned int i, j, k, hiclass;
int self = 0, add = 1;
te_assert_t *newassert;
int suppress = 0;
@@ -2643,10 +2728,11 @@ static int define_te_avtab(int which)
ebitmap_init(&stypes);
ebitmap_init(&ttypes);
ebitmap_init(&tclasses);
+ ebitmap_init(&inherit);
ebitmap_init(&negset);
while ((id = queue_remove(id_queue))) {
- if (set_types(&stypes, &negset, id, &add))
+ if (set_types(&stypes, &negset, &inherit, id, &add))
return -1;
}
ebitmap_destroy(&negset);
@@ -2657,7 +2743,7 @@ static int define_te_avtab(int which)
self = 1;
continue;
}
- if (set_types(&ttypes, &negset, id, &add))
+ if (set_types(&ttypes, &negset, NULL, id, &add))
return -1;
}
ebitmap_destroy(&negset);
@@ -2749,6 +2835,7 @@ static int define_te_avtab(int which)
newassert->stypes = stypes;
newassert->ttypes = ttypes;
newassert->tclasses = tclasses;
+ newassert->inherit = inherit;
newassert->self = self;
newassert->avp = avp;
newassert->line = policydb_lineno;
@@ -2761,8 +2848,26 @@ static int define_te_avtab(int which)
if (!ebitmap_get_bit(&stypes, i))
continue;
if (self) {
- if (te_avtab_helper(which, i, i, &tclasses, avp))
+ typedatum = get_type(i+1);
+ if (!typedatum)
return -1;
+ ebitmap_init(&temp);
+ /* If the source type is given with '@' prefix,
+ 'self' means own child types. */
+ get_child_types(&temp, typedatum, ebitmap_get_bit(&inherit, i));
+ for (j = ebitmap_startbit(&temp); j < ebitmap_length(&temp); j++) {
+ if (!ebitmap_get_bit(&temp, j))
+ continue;
+ for (k = ebitmap_startbit(&temp); k < ebitmap_length(&temp); k++) {
+ if (!ebitmap_get_bit(&temp, k))
+ continue;
+ if (te_avtab_helper(which, j, k, &tclasses, avp)) {
+ ebitmap_destroy(&temp);
+ return -1;
+ }
+ }
+ }
+ ebitmap_destroy(&temp);
}
for (j = ebitmap_startbit(&ttypes); j < ebitmap_length(&ttypes); j++) {
if (!ebitmap_get_bit(&ttypes, j))
@@ -2853,7 +2958,7 @@ static int define_role_types(void)
ebitmap_init(&negset);
while ((id = queue_remove(id_queue))) {
- if (set_types(&role->types, &negset, id, &add))
+ if (set_types(&role->types, &negset, NULL, id, &add))
return -1;
}
ebitmap_destroy(&negset);
@@ -3068,7 +3173,7 @@ static int define_role_trans(void)
ebitmap_init(&negset);
while ((id = queue_remove(id_queue))) {
- if (set_types(&types, &negset, id, &add))
+ if (set_types(&types, &negset, NULL, id, &add))
return -1;
}
ebitmap_destroy(&negset);
@@ -3493,7 +3598,7 @@ static uintptr_t
}
val = role->value;
} else if (expr->attr & CEXPR_TYPE) {
- if (set_types(&expr->names, &negset, id, &add)) {
+ if (set_types(&expr->names, &negset, NULL, id, &add)) {
free(expr);
return 0;
}
@@ -4839,14 +4944,14 @@ static int define_range_trans(void)
ebitmap_init(&negset);
while ((id = queue_remove(id_queue))) {
- if (set_types(&doms, &negset, id, &add))
+ if (set_types(&doms, &negset, NULL, id, &add))
return -1;
}
ebitmap_destroy(&negset);
ebitmap_init(&negset);
while ((id = queue_remove(id_queue))) {
- if (set_types(&types, &negset, id, &add))
+ if (set_types(&types, &negset, NULL, id, &add))
return -1;
}
ebitmap_destroy(&negset);
next prev parent reply other threads:[~2005-04-16 7:31 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-03-13 16:36 [RFC & PATCH] inherited type definition KaiGai Kohei
2005-03-14 13:17 ` KaiGai Kohei
2005-03-14 13:50 ` Stephen Smalley
2005-03-14 15:13 ` Luke Kenneth Casson Leighton
2005-03-14 15:22 ` Stephen Smalley
2005-03-14 16:01 ` Luke Kenneth Casson Leighton
2005-03-14 19:27 ` Valdis.Kletnieks
2005-03-14 20:10 ` Stephen Smalley
2005-03-14 17:26 ` KaiGai Kohei
2005-03-14 18:10 ` Luke Kenneth Casson Leighton
2005-03-14 18:25 ` Stephen Smalley
2005-03-15 11:50 ` KaiGai Kohei
2005-03-15 14:42 ` Stephen Smalley
2005-03-16 4:42 ` Kaigai Kohei
2005-03-16 10:00 ` Luke Kenneth Casson Leighton
2005-03-16 14:05 ` Stephen Smalley
2005-03-17 9:32 ` Kaigai Kohei
2005-03-17 13:55 ` Stephen Smalley
2005-03-17 14:57 ` KaiGai Kohei
2005-03-21 10:07 ` KaiGai Kohei
2005-03-21 15:59 ` Stephen Smalley
2005-03-23 8:17 ` Kaigai Kohei
2005-03-23 13:56 ` Stephen Smalley
2005-04-16 7:31 ` KaiGai Kohei [this message]
2005-04-18 12:25 ` Stephen Smalley
2005-04-18 16:57 ` KaiGai Kohei
2005-03-24 11:06 ` Luke Kenneth Casson Leighton
2005-03-24 12:34 ` Kaigai Kohei
2005-04-06 12:49 ` Russell Coker
2005-04-06 14:50 ` KaiGai Kohei
2005-04-06 15:30 ` Russell Coker
2005-04-06 18:23 ` Jim McCullough
2005-04-07 2:16 ` Kaigai Kohei
2005-04-06 17:55 ` Luke Kenneth Casson Leighton
2005-03-14 16:38 ` Karl MacMillan
2005-03-15 11:47 ` KaiGai Kohei
2005-03-15 14:00 ` Karl MacMillan
2005-03-16 4:35 ` Kaigai Kohei
2005-03-16 10:13 ` Luke Kenneth Casson Leighton
2005-03-16 21:46 ` Karl MacMillan
2005-03-16 21:31 ` Karl MacMillan
2005-03-17 13:05 ` Kaigai Kohei
2005-03-17 19:15 ` Karl MacMillan
2005-03-17 20:07 ` Stephen Smalley
2005-03-17 21:41 ` Karl MacMillan
2005-03-18 13:13 ` Stephen Smalley
2005-03-18 13:56 ` Stephen Smalley
2005-03-18 22:28 ` Karl MacMillan
2005-03-18 23:03 ` Luke Kenneth Casson Leighton
2005-03-20 23:20 ` Karl MacMillan
2005-03-21 0:17 ` Luke Kenneth Casson Leighton
2005-03-21 13:39 ` Karl MacMillan
2005-03-22 0:14 ` Luke Kenneth Casson Leighton
2005-03-22 13:53 ` Karl MacMillan
2005-03-24 11:04 ` Luke Kenneth Casson Leighton
2005-03-24 12:31 ` Kaigai Kohei
2005-03-24 22:19 ` Luke Kenneth Casson Leighton
2005-03-24 22:27 ` Luke Kenneth Casson Leighton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4260BF6C.6030008@kaigai.gr.jp \
--to=kaigai@kaigai.gr.jp \
--cc=kaigai@ak.jp.nec.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.