* [POLICYREP] [Patch 1/2] Generalize an output function to make display easier.
From: Mark Goldman @ 2007-08-16 18:28 UTC (permalink / raw)
To: selinux
Generalize an output function to make display easier.
---
libpolicyrep/include/policyrep/policy_base.hpp | 39 36 + 3 - 0 !
libpolicyrep/src/policy_base.cpp | 22 4 + 18 - 0 !
2 files changed, 40 insertions(+), 21 deletions(-)
--- cpp-policyrep.orig/libpolicyrep/src/policy_base.cpp
+++ cpp-policyrep/libpolicyrep/src/policy_base.cpp
@@ -37,30 +37,16 @@ namespace policyrep
{
if (set.size() > 1)
o << "{ ";
- StringSet::const_iterator i;
- bool first = true;
- for (i = set.begin(); i != set.end(); ++i) {
- if (first)
- first = false;
- else
- o << " ";
- o << *i;
- }
+
+ output_container(o, set.begin(), set.end(), " ");
+
if (set.size() > 1)
o << " }";
}
void output_set_comma(std::ostream& o, const StringSet& set)
{
- StringSet::const_iterator i;
- bool first = true;
- for (i = set.begin(); i != set.end(); ++i) {
- if (first)
- first = false;
- else
- o << ", ";
- o << *i;
- }
+ output_container(o, set.begin(), set.end(), ", ");
}
std::ostream& operator<<(std::ostream& o, const Node& n)
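Review bot: output_set_space still hand-rolls the `{ ... }` wrapping with two `set.size() > 1` checks even though this same series adds bracket_output_container to policy_base.hpp for exactly that job; the body could collapse to `bracket_output_container(o, set.begin(), set.end(), " ", "{ ", " }");`. That switch should wait until the helper is safe on an empty range, since the existing code clearly expects sets of size 0 or 1 here. output_set_space's signature line lies above this hunk.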
--- cpp-policyrep.orig/libpolicyrep/include/policyrep/policy_base.hpp
+++ cpp-policyrep/libpolicyrep/include/policyrep/policy_base.hpp
@@ -8,11 +8,13 @@
#include <string>
#include <functional>
#include <ostream>
+#include <iterator>
#include <boost/shared_ptr.hpp>
#include <boost/iterator/iterator_facade.hpp>
namespace policyrep {
+ using std::string;
// Forward declarations
class Node;
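Review bot: `using std::string;` at namespace scope in an installed header leaks the alias into every translation unit that includes policy_base.hpp, and into any `using namespace policyrep;` in client code. The only consumers added by this patch are the `const string` parameters of the two new templates, which can spell `const std::string&` like the rest of the library does (user.hpp's `const std::string& name`, for example); drop the using-declaration. The new `<iterator>` include is not used by either template as written, presumably reserved for a later `std::ostream_iterator` — remove it or use it.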
@@ -34,6 +36,37 @@ namespace policyrep {
typedef boost::shared_ptr<StringVector> StringVectorPtr;
// Output (string output)
+ template<class iter>
+ void output_container(std::ostream& o, const iter& beg, const iter& end,
+ const string sep)
+ {
+ bool first = true;
+ for(iter i = beg; i != end; i++)
+ {
+ if(!first){
+ o << sep;
+ }
+ o << *i;
+ first = false;
+ }
+ }
+
+ template<class iter>
+ void bracket_output_container(std::ostream& o, const iter& beg,
+ const iter& end, const string sep,
+ const string pre, const string post)
+ {
+ iter temp = beg;
+ ++temp;
+ if(temp != end){
+ o << pre;
+ }
+ output_container(o, beg, end, sep);
+ if(temp != end){
+ o << post;
+ }
+ }
+
std::ostream& operator<<(std::ostream& o, const Node& n);
void output_set_space(std::ostream& o, const StringSet& set);
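Review bot: bracket_output_container steps the iterator unconditionally (`iter temp = beg; ++temp;`), so on an empty range it increments a past-the-end iterator, which is undefined behaviour for the std::set/std::vector iterators this library passes around, and an empty StringSet is a legal input for the output_set_* callers. Guard the look-ahead with `beg != end`; while here, take `sep`, `pre` and `post` as `const std::string&` (every call currently copies three strings) and use pre-increment in output_container's loop (`++i`), since post-increment copies the iterator. Rewritten helper:
```cpp
template<class iter>
void bracket_output_container(std::ostream& o, const iter& beg,
                              const iter& end, const std::string& sep,
                              const std::string& pre, const std::string& post)
{
    // Bracket only when there are at least two elements, without ever
    // stepping past `end` on an empty range.
    bool multiple = false;
    if (beg != end) {
        iter second = beg;
        ++second;
        multiple = (second != end);
    }
    if (multiple)
        o << pre;
    output_container(o, beg, end, sep);
    if (multiple)
        o << post;
}
```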
@@ -149,10 +182,10 @@ namespace policyrep {
virtual void make_child(NodePtr node);
template<class T>
- void append_children(T begin, T end)
+ void append_children(T start, T finish)
{
- for (; begin != end; ++begin)
- append_child(*begin);
+ for (; start != finish; ++start)
+ append_child(*start);
}
virtual NodeVector& children();
--
* [POLICYREP] [Patch 2/2] Add mls to the policy representation.
From: Mark Goldman @ 2007-08-16 18:28 UTC (permalink / raw)
To: selinux
Adds objects to represent sensitivity, dominance, category and level
statements.
Add MLS level and range fields to the object representing user statements.
---
libpolicyrep/include/policyrep/mls.hpp | 166 166 + 0 - 0 !
libpolicyrep/include/policyrep/policy.hpp | 1 1 + 0 - 0 !
libpolicyrep/include/policyrep/user.hpp | 18 18 + 0 - 0 !
libpolicyrep/src/policy_parse.y | 87 73 + 14 - 0 !
libpolicyrep/src/user.cpp | 32 31 + 1 - 0 !
libpolicyrep/tests/example.te | 17 17 + 0 - 0 !
libpolicyrep/tests/libpolicyrep-test.cpp | 14 14 + 0 - 0 !
7 files changed, 320 insertions(+), 15 deletions(-)
--- /dev/null
+++ cpp-policyrep/libpolicyrep/include/policyrep/mls.hpp
@@ -0,0 +1,166 @@
+/* Author: Mark Goldman <mgoldman@tresys.com> */
+
+#ifndef __mls_hpp__
+#define __mls_hpp__
+
+#include <policyrep/policy_base.hpp>
+
+namespace policyrep
+{
+
+ //
+ // Sensitivity
+ //
+
+ struct SensitivityImpl;
+ class Sensitivity : public Node
+ {
+ public:
+ Sensitivity();
+ Sensitivity(const std::string& name);
+ Sensitivity(const Sensitivity& other);
+ virtual ~Sensitivity();
+ virtual void operator=(const Sensitivity& other);
+
+ template<class T>
+ Sensitivity(const std::string& name, T begin, T end)
+ {
+ init();
+ set_name(name);
+ aliases().insert(begin, end);
+ }
+
+ virtual const std::string& get_name() const;
+ virtual void set_name(const std::string& name);
+
+ virtual StringSet& aliases();
+ protected:
+ virtual void do_output(std::ostream& o, const OutputFormatter& op) const;
+ void init();
+ SensitivityImpl* impl;
+ };
+ typedef boost::shared_ptr<Sensitivity> SensitivityPtr;
+
+ //
+ // Dominance
+ //
+
+ struct DominanceImpl;
+ class Dominance : public Node
+ {
+ public:
+ Dominance();
+ Dominance(const Dominance& other);
+ virtual ~Dominance();
+ virtual void operator=(const Dominance& other);
+
+ template<class T>
+ Dominance(T begin, T end)
+ {
+ init();
+ ordering().insert(ordering().begin(), begin, end);
+ }
+
+ virtual StringVector& ordering();
+ protected:
+ virtual void do_output(std::ostream& o, const OutputFormatter& op) const;
+ void init();
+ DominanceImpl* impl;
+ };
+ typedef boost::shared_ptr<Dominance> DominancePtr;
+
+ //
+ // Category
+ //
+
+ struct CategoryImpl;
+ class Category : public Node
+ {
+ public:
+ Category();
+ Category(const std::string& name);
+ Category(const Category& other);
+ virtual ~Category();
+ virtual void operator=(const Category& other);
+
+ template<class T>
+ Category(const std::string& name, T begin, T end)
+ {
+ init();
+ set_name(name);
+ aliases().insert(begin, end);
+ }
+
+ virtual const std::string& get_name() const;
+ virtual void set_name(const std::string& name);
+
+ virtual StringSet& aliases();
+ protected:
+ virtual void do_output(std::ostream& o, const OutputFormatter& op) const;
+ void init();
+ CategoryImpl* impl;
+ };
+ typedef boost::shared_ptr<Category> CategoryPtr;
+
+ //
+ // Level
+ //
+
+ struct LevelImpl;
+ class Level : public Node
+ {
+ public:
+ Level();
+ Level(const std::string& name);
+ Level(const Level& other);
+ virtual ~Level();
+ virtual void operator=(const Level& other);
+
+ template<class T>
+ Level(const std::string& name, T begin, T end)
+ {
+ init();
+ set_name(name);
+ categories().insert(begin, end);
+ }
+
+ virtual const std::string& get_name() const;
+ virtual void set_name(const std::string& name);
+
+ virtual StringSet& categories();
+ virtual void do_output_brief(std::ostream& o, const OutputFormatter& op) const;
+ protected:
+ virtual void do_output(std::ostream& o, const OutputFormatter& op) const;
+ void init();
+ LevelImpl* impl;
+ };
+ typedef boost::shared_ptr<Level> LevelPtr;
+
+ //
+ // Range
+ //
+
+ struct RangeImpl;
+ class Range : public Node
+ {
+ public:
+ Range();
+ Range(LevelPtr low);
+ Range(LevelPtr low, LevelPtr high);
+ Range(const Range& other);
+ virtual ~Range();
+ virtual const LevelPtr& get_low() const;
+ virtual const LevelPtr& get_high() const;
+ virtual LevelPtr& get_low();
+ virtual LevelPtr& get_high();
+ virtual void operator=(const Range& other);
+ virtual void do_output(std::ostream& o, const OutputFormatter& op) const;
+ protected:
+ void init();
+ RangeImpl* impl;
+ };
+ typedef boost::shared_ptr<Range> RangePtr;
+
+} // namespace policyrep
+
+#endif
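Review bot: None of the members declared here — the constructors and destructors, `init()`, `aliases()`/`ordering()`/`categories()`, the `do_output` overrides — has a definition anywhere in this series: the diffstat lists no `src/mls.cpp`, so the parser actions and libpolicyrep-test.cpp that instantiate Sensitivity, Category, Level and Range cannot link as posted, and the .cpp looks to have dropped out of the quilt series. Separately, `Range::do_output` and `Level::do_output_brief` are public while every other `do_output` in this header is protected, apparently only so user.cpp can call them directly; a public non-virtual `output()` on Node that forwards to the protected hook would preserve the convention. Finally `Level::categories()` is a StringSet (presumably an ordered set of strings), so the written order of `c3, c1` is lost on output and a dotted range such as `c1.c3` from example.te is stored as an opaque name; if that is intended, say so on `categories()`, e.g. `// category names as written; ranges like c1.c3 are not expanded`.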
--- cpp-policyrep.orig/libpolicyrep/include/policyrep/policy.hpp
+++ cpp-policyrep/libpolicyrep/include/policyrep/policy.hpp
@@ -10,6 +10,7 @@
#include <policyrep/conditional.hpp>
#include <policyrep/rbac.hpp>
#include <policyrep/user.hpp>
+#include <policyrep/mls.hpp>
#include <policyrep/optional.hpp>
namespace policyrep
--- cpp-policyrep.orig/libpolicyrep/src/policy_parse.y
+++ cpp-policyrep/libpolicyrep/src/policy_parse.y
@@ -119,6 +119,13 @@ policyrep::policy_parser::token_type
%type <pnode> type_def
%type <pnode> role_type_def
%type <pnode> user_role_def
+%type <pnode> raw_level
+%type <pnode> mls_range
+%type <pnode> sensitivity_def
+%type <pnode> dominance_def
+%type <pnode> category_def
+%type <pnode> level_def
+
%type <pnode> typealias_def
%type <pnode> typeattribute_def
%type <pnode> allow_def
@@ -253,6 +260,11 @@ policy_statement : class_def
| role_type_def
/* Users */
| user_role_def
+ /* MLS */
+ | sensitivity_def
+ | dominance_def
+ | category_def
+ | level_def
/* rules */
| allow_def
| auditallow_def
@@ -284,27 +296,42 @@ av_perms_def : CLASS IDENTIFIER LBRACE
| CLASS IDENTIFIER INHERITS IDENTIFIER LBRACE identifier_list RBRACE
{ $$ = new ObjectClass(*$2, *$4, $6->begin(), $6->end()); delete $2; delete $4; delete $6; }
;
-/*
sensitivity_def : SENSITIVITY IDENTIFIER alias_def SEMI
- { $$ = define_sens($2, $3); check($$); }
+ { $$ = new Sensitivity(*$2, $3->begin(), $3->end());
+ delete $2;
+ delete $3; }
| SENSITIVITY IDENTIFIER SEMI
- { $$ = define_sens($2, NULL); check($$); }
+ { $$ = new Sensitivity(*$2);
+ delete $2; }
;
-dominance : DOMINANCE IDENTIFIER
- { NodeVector tmp = tolist($2); check(tmp); $$ = define_dominance(tmp); check($$); }
- | DOMINANCE LBRACE IDENTIFIER_list RBRACE
- { $$ = define_dominance($3); check($$); }
+dominance_def : DOMINANCE IDENTIFIER
+ { Dominance *d = new Dominance();
+ d->ordering().push_back(*$2);
+ $$ = d;
+ delete $2; }
+ | DOMINANCE LBRACE identifier_list RBRACE
+ { $$ = new Dominance($3->begin(), $3->end());
+ delete $3; }
;
category_def : CATEGORY IDENTIFIER alias_def SEMI
- { $$ = define_category($2, $3); check($$); }
+ { $$ = new Category(*$2, $3->begin(), $3->end());
+ delete $2;
+ delete $3; }
| CATEGORY IDENTIFIER SEMI
- { $$ = define_category($2, NULL); check($$); }
+ { $$ = new Category(*$2);
+ delete $2; }
;
level_def : LEVEL IDENTIFIER COLON id_comma_list SEMI
- { $$ = define_level(); check($$); }
+ {
+ $$ = new Level(*$2, $4->begin(), $4->end());
+ delete $2;
+ delete $4; }
| LEVEL IDENTIFIER SEMI
- { $$ = define_level(); check($$); }
+ {
+ $$ = new Level(*$2);
+ delete $2; }
;
+/*
mlsconstraint_def : MLSCONSTRAIN names names cexpr SEMI
{ $$ = define_constraint($4); check($$); }
;
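Review bot: The old rules these replace called `check($$)` after every `define_*`, and nothing in the new actions stands in for that check, so a duplicate `sensitivity s1;`, a `dominance` naming an undeclared sensitivity, or a `level` for an unknown one are all accepted and become plain nodes. That is consistent with how `type_def`/`role_type_def` build objects in this file, but the omission is easy to mistake for a bug; a comment above `sensitivity_def` such as `/* MLS declarations are recorded as written; name and ordering validation is left to consumers of the tree. */` would settle it. The missing SEMI on `dominance_def` matches checkpolicy's grammar and the `dominance { s1 s2 s3 }` line in example.te, so that part is not an error.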
@@ -476,11 +503,42 @@ role_type_def : ROLE IDENTIFIER TYPES i
| ROLE IDENTIFIER SEMI
{ $$ = new Role(*$2); delete $2; }
;
-user_role_def : USER IDENTIFIER ROLES id_comma_list SEMI
- { $$ = new User(*$2, $4->begin(), $4->end()); delete $2; delete $4; }
+user_role_def : USER IDENTIFIER ROLES id_comma_list LEVEL raw_level RANGE mls_range SEMI
+ { $$ = new User(*$2, $4->begin(), $4->end());
+ delete $2;
+ delete $4;
+ ((User*)$$)->set_level(LevelPtr((Level*)$6));
+ ((User*)$$)->set_range(RangePtr((Range*)$8));
+ // $6 and $8 are now managed by a shared ptr
+ // don't delete them. They will be free'd
+ // when the final ptr is destroyed.
+ }
+ | USER IDENTIFIER ROLES id_comma_list SEMI
+ { $$ = new User(*$2, $4->begin(), $4->end());
+ delete $2;
+ delete $4; }
| USER IDENTIFIER SEMI
{ $$ = new User(*$2); delete $2; }
;
+raw_level : IDENTIFIER COLON id_comma_list
+ { $$ = new Level(*$1, $3->begin(), $3->end());
+ delete $1;
+ delete $3;
+ }
+ | IDENTIFIER
+ { $$ = new Level(*$1);
+ delete $1;
+ }
+ ;
+mls_range : raw_level DASH raw_level
+ { $$ = new Range(LevelPtr((Level*)$1), LevelPtr((Level*)$3));
+ // $1 and $2 become owned by Range, do not delete
+ }
+ | raw_level
+ { $$ = new Range(LevelPtr((Level*)$1));
+ // $1 becomes owned by Range do not delete.
+ }
+ ;
/*
role_dominance : DOMINANCE LBRACE roles RBRACE { $$ = $3; check($$); }
;
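Review bot: The ownership comment in `mls_range` says "$1 and $2 become owned by Range", but the second level is `$3` — `$2` is the DASH token — so the comment should read `// $1 and $3 become owned by Range, do not delete`. The downcasts `(User*)$$`, `(Level*)$6`, `(Range*)$8` are C-style casts from the `pnode` base pointer; `static_cast<Level*>($6)` states the intent and stops compiling if the `%type` of `raw_level` ever changes. Note also that if bison discards a `raw_level` or `mls_range` value during error recovery, the node allocated with `new` is leaked unless a `%destructor` for `<pnode>` exists elsewhere in this file; none is visible in these hunks.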
@@ -812,4 +870,5 @@ namespace policyrep {
/* FLASK */
-
+/* vi:ts=8:
+*/
--- cpp-policyrep.orig/libpolicyrep/tests/example.te
+++ cpp-policyrep/libpolicyrep/tests/example.te
@@ -34,9 +34,26 @@ role bar_r;
bool foo true;
user foo_u roles bar_r;
+user fooyou_u roles bar_r level s1 range s1:c2 - s12:c3;
+user fubu_u roles bar_r level s1 range s3 - s13:c3,c5,c12.c34;
+user footoo_u roles bar_r level s1:c3,c12.c20 range s1;
user unfoo_u;
+sensitivity s1;
+sensitivity s2 alias whiskey;
+sensitivity s3 alias {tango foxtrot};
+
+category c1;
+category c2 alias alpha;
+category c3 alias { bravo delta };
+
+level s1 ;
+level s2:c1.c3;
+level s3:c1, c2,c3;
+
+dominance { s1 s2 s3 }
+
if (foo) {
allow foo bar : file read;
}
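Review bot: The fixture uses sensitivities `s12`/`s13` and categories `c5`, `c12`, `c20`, `c34` that are never declared, and the ranges `c1.c3`/`c12.c34` rely on the lexer treating a dotted name as a single IDENTIFIER, which this patch does not touch. That is fine for a round-trip parse test, but it means example.te is not a policy checkpolicy would accept (there, the MLS declarations also have to precede the `user` lines), so a header comment such as `# MLS statements below are deliberately incomplete; they exercise parsing only` would save the next reader from trying to compile it.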
--- cpp-policyrep.orig/libpolicyrep/tests/libpolicyrep-test.cpp
+++ cpp-policyrep/libpolicyrep/tests/libpolicyrep-test.cpp
@@ -47,7 +47,21 @@ void test()
UserPtr u(new User("bang"));
u->roles().insert("bust");
mod->append_child(u);
+
+ SensitivityPtr sen(new Sensitivity("s1"));
+ sen->aliases().insert("whiskey");
+ sen->aliases().insert("tango");
+ mod->append_child(sen);
+ CategoryPtr cat(new Category("c1"));
+ cat->aliases().insert("alpha");
+ cat->aliases().insert("delta");
+ mod->append_child(cat);
+
+ LevelPtr lev(new Level("l1"));
+ lev->categories().insert("c1");
+ mod->append_child(lev);
+
std::cout << "============ basic test ============" << std::endl;
output_tree(std::cout, pol);
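Review bot: The new test constructs Sensitivity, Category and Level only; nothing in this series exercises Dominance, Range, or the User level/range path added in user.cpp, so the `set_level`/`set_range` output branch and `Range::do_output` never run under test. Adding a Dominance node and a user that carries a level and a range before the "basic test" banner would cover them:
```cpp
  // … unchanged: Sensitivity/Category/Level setup above …
  DominancePtr dom(new Dominance());
  dom->ordering().push_back("s1");
  mod->append_child(dom);

  UserPtr mu(new User("mls_u"));
  mu->roles().insert("bust");
  mu->set_level(lev);
  mu->set_range(RangePtr(new Range(lev, LevelPtr(new Level("l2")))));
  mod->append_child(mu);
```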
--- cpp-policyrep.orig/libpolicyrep/src/user.cpp
+++ cpp-policyrep/libpolicyrep/src/user.cpp
@@ -19,6 +19,7 @@
*/
#include <policyrep/user.hpp>
+#include <policyrep/mls.hpp>
namespace policyrep
{
@@ -30,6 +31,8 @@ namespace policyrep
struct UserImpl
{
std::string name;
+ LevelPtr level;
+ RangePtr range;
StringSet roles;
};
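Review bot: `level` and `range` are shared_ptr members, so the existing copy constructor just below this hunk (`*impl = *other.impl;`) leaves a copied User sharing the same Level and Range objects as the original; a later `set_range_low` on either user silently changes the other. If User is meant to behave as a value type like the rest of the tree, clone the pointees in the copy path; otherwise document the aliasing on the two fields, e.g. `// shared, not copied, between copies of this User`.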
@@ -53,7 +56,9 @@ namespace policyrep
*impl = *other.impl;
}
- User::~User() { delete impl; }
+ User::~User() {
+ delete impl;
+ }
void User::operator=(const User& other)
{
@@ -75,6 +80,23 @@ namespace policyrep
return impl->roles;
}
+ void User::set_level(LevelPtr level){
+ impl->level = level;
+ }
+
+ void User::set_range_low(LevelPtr low){
+ impl->range->get_low() = low;
+ }
+
+ void User::set_range_high(LevelPtr high){
+ impl->range->get_high() = high;
+ }
+
+ void User::set_range(RangePtr r)
+ {
+ impl->range = r;
+ }
+
void User::do_output(std::ostream& o, const OutputFormatter& op) const
{
o << "user " << impl->name;
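Review bot: `set_range_low` and `set_range_high` dereference `impl->range`, which `UserImpl` default-initialises to an empty RangePtr; the new templated User constructor in user.hpp calls them on a fresh object without ever calling `set_range`, so that path dereferences a null shared_ptr. Create the Range lazily in both setters, `if (!impl->range) impl->range.reset(new Range());` ahead of the assignment, or drop the two partial setters in favour of `set_range`. `set_level` and `set_range` could also take `const LevelPtr&` / `const RangePtr&`, as nothing here needs its own copy before the assignment.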
@@ -82,6 +104,14 @@ namespace policyrep
o << " roles ";
output_set_comma(o, impl->roles);
}
+ if(impl->level){
+ o << " level ";
+ impl->level->do_output_brief(o, op);
+ }
+ if(impl->range){
+ o << " range ";
+ impl->range->do_output(o, op);
+ }
o << ";";
}
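Review bot: do_output writes `level` and `range` independently, but the grammar added to policy_parse.y only accepts them together (`LEVEL raw_level RANGE mls_range`), so a User with one set and the other unset serialises to text this library cannot parse back. Either require both (emit nothing unless `impl->level && impl->range`) or document the contract on the setters; as a minimum add `// NOTE: the parser requires level and range together; a User with only one set does not round-trip.` above the `if(impl->level)` block. do_output's signature is in the preceding hunk.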
--- cpp-policyrep.orig/libpolicyrep/include/policyrep/user.hpp
+++ cpp-policyrep/libpolicyrep/include/policyrep/user.hpp
@@ -4,6 +4,7 @@
#define __user_hpp__
#include <policyrep/policy_base.hpp>
+#include <policyrep/mls.hpp>
namespace policyrep
{
@@ -30,8 +31,25 @@ namespace policyrep
roles().insert(roles_begin, end);
}
+ template<class T>
+ User(const std::string& name, T roles_begin, T end,
+ LevelPtr& level, LevelPtr& low, LevelPtr& high)
+ {
+ init();
+ set_name(name);
+ roles().insert(roles_begin, end);
+ set_level(level);
+ set_range_low(low);
+ set_range_high(high);
+ }
+
+
virtual const std::string& get_name() const;
virtual void set_name(const std::string& name);
+ virtual void set_level(LevelPtr level);
+ virtual void set_range_low(LevelPtr low);
+ virtual void set_range_high(LevelPtr high);
+ virtual void set_range(RangePtr r);
virtual StringSet& roles();
protected:
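Review bot: The new templated constructor takes `LevelPtr& level, LevelPtr& low, LevelPtr& high` as non-const references, which rejects temporaries such as `LevelPtr(new Level("s1"))` and suggests the caller's pointers might be modified; `const LevelPtr&` (or by value, as the setters below take them) is the right shape. It also calls `set_range_low`/`set_range_high` on a fresh object before any Range exists — user.cpp shows those setters dereferencing `impl->range`, which UserImpl leaves empty — so unless the setters create the Range this constructor dereferences a null pointer. No `get_level()`/`get_range()` accessors are added, so values set here can only be observed through do_output; consider `virtual const LevelPtr& get_level() const;` and `virtual const RangePtr& get_range() const;`. The class body continues past this hunk.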
--