
PERFORCE change 114573 for review

Subject: PERFORCE change 114573 for review
From: Todd Miller
Date: Thu, 15 Feb 2007 20:15:35 GMT
http://perforce.freebsd.org/chv.cgi?CH=114573

Change 114573 by [email protected]_p4 on 2007/02/15 20:15:33

        Update to checkpolicy-1.34.0 from the SELinux web site.

Affected files ...

.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/ChangeLog#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/Makefile#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/VERSION#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/checkmodule.c#2 
edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/checkpolicy.c#12 
edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/checkpolicy.h#8 
edit
.. 
//depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/module_compiler.c#2 
edit
.. 
//depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/module_compiler.h#2 
edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/parse_util.c#1 
add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/parse_util.h#1 
add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/policy_parse.y#9 
edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/policy_scan.l#8 
edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/queue.c#5 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/queue.h#5 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/test/dismod.c#2 
edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/test/dispol.c#2 
edit

Differences ...

==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/ChangeLog#2 
(text+ko) ====

@@ -1,3 +1,47 @@
+1.34.0 2007-01-18
+       * Updated version for stable branch.
+
+1.33.1 2006-11-13
+       * Collapse user identifiers and identifiers together.
+
+1.32 2006-10-17
+       * Updated version for release.
+
+1.30.12 2006-09-28
+       * Merged user and range_transition support for modules from 
+         Darrel Goeddel
+
+1.30.11 2006-09-05
+       * merged range_transition enhancements and user module format
+         changes from Darrel Goeddel
+
+1.30.10 2006-08-03
+       * Merged symtab datum patch from Karl MacMillan.
+
+1.30.9 2006-06-29
+       * Lindent.
+
+1.30.8 2006-06-29
+       * Merged patch to remove TE rule conflict checking from the parser
+         from Joshua Brindle.  This can only be done properly by the 
+         expander.
+
+1.30.7 2006-06-27
+       * Merged patch to make checkpolicy/checkmodule handling of
+         duplicate/conflicting TE rules the same as the expander 
+         from Joshua Brindle.
+
+1.30.6 2006-06-26
+       * Merged optionals in base take 2 patch set from Joshua Brindle.
+
+1.30.5 2006-05-05
+       * Merged compiler cleanup patch from Karl MacMillan.
+       * Merged fix warnings patch from Karl MacMillan.        
+
+1.30.4 2006-04-05
+       * Changed require_class to reject permissions that have not been
+         declared if building a base module.
+
 1.30.3 2006-03-28
        * Fixed checkmodule to call link_modules prior to expand_module
          to handle optionals.

==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/Makefile#2 
(text+ko) ====

@@ -12,12 +12,14 @@
 
 override CFLAGS += -I. -I${INCLUDEDIR}
 
-CHECKOBJS = y.tab.o lex.yy.o queue.o module_compiler.o
+CHECKOBJS = y.tab.o lex.yy.o queue.o module_compiler.o parse_util.o
 CHECKPOLOBJS = $(CHECKOBJS) checkpolicy.o
 CHECKMODOBJS = $(CHECKOBJS) checkmodule.o
 
 LDLIBS=$(LIBDIR)/libsepol.a -lfl
 
+GENERATED=lex.yy.c y.tab.c y.tab.h
+
 all:  $(TARGETS)
        $(MAKE) -C test
 
@@ -55,3 +57,5 @@
        -rm -f $(TARGETS) $(CHECKPOLOBJS) $(CHECKMODOBJS) y.tab.c y.tab.h 
lex.yy.c
        $(MAKE) -C test clean
 
+indent:
+       ../Lindent $(filter-out $(GENERATED),$(wildcard *.[ch]))

==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/VERSION#2 
(text+ko) ====

@@ -1,1 +1,1 @@
-1.30.3
+1.34.0

==== 
//depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/checkmodule.c#2 
(text+ko) ====

@@ -27,174 +27,124 @@
 #include <sepol/policydb/hierarchy.h>
 #include <sepol/policydb/expand.h>
 #include <sepol/policydb/link.h>
+#include <sepol/policydb/sidtab.h>
 
 #include "queue.h"
 #include "checkpolicy.h"
+#include "parse_util.h"
 
 extern char *optarg;
 extern int optind;
 
 static sidtab_t sidtab;
 
-extern policydb_t *policydbp;
-extern queue_t id_queue;
-extern unsigned int policydb_errors;
-extern unsigned long policydb_lineno;
-extern char source_file[];
 extern int mlspol;
 
-extern FILE *yyin;
-extern void init_parser(int);
-extern int yyparse(void);
-extern void yyrestart(FILE *);
-
 static char *txtfile = "policy.conf";
 static char *binfile = "policy";
 
 unsigned int policy_type = POLICY_BASE;
 unsigned int policyvers = MOD_POLICYDB_VERSION_MAX;
 
-static int read_binary_policy(policydb_t *p, char *file, char *progname)
+static int read_binary_policy(policydb_t * p, char *file, char *progname)
 {
-        int fd;
+       int fd;
        struct stat sb;
-        void *map;
+       void *map;
        struct policy_file f, *fp;
-        
-        fd = open(file, O_RDONLY);
-        if (fd < 0) {
-                fprintf(stderr, "Can't open '%s':  %s\n",
-                        file, strerror(errno));
-                return -1;
-        }
-        if (fstat(fd, &sb) < 0) {
-                fprintf(stderr, "Can't stat '%s':  %s\n",
-                        file, strerror(errno));
-                return -1;
-        }
-        map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 
0);
-        if (map == MAP_FAILED) {
-                fprintf(stderr, "Can't map '%s':  %s\n",
-                        file, strerror(errno));
-                return -1;
-        }
-        f.type = PF_USE_MEMORY;
-        f.data = map;
-        f.len = sb.st_size;
-        fp = &f;
+
+       fd = open(file, O_RDONLY);
+       if (fd < 0) {
+               fprintf(stderr, "Can't open '%s':  %s\n",
+                       file, strerror(errno));
+               return -1;
+       }
+       if (fstat(fd, &sb) < 0) {
+               fprintf(stderr, "Can't stat '%s':  %s\n",
+                       file, strerror(errno));
+               return -1;
+       }
+       map =
+           mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
+       if (map == MAP_FAILED) {
+               fprintf(stderr, "Can't map '%s':  %s\n", file, strerror(errno));
+               return -1;
+       }
+       f.type = PF_USE_MEMORY;
+       f.data = map;
+       f.len = sb.st_size;
+       fp = &f;
 
        if (policydb_init(p)) {
-               fprintf(stderr, "%s:  policydb_init:  Out of memory!\n", 
progname);
+               fprintf(stderr, "%s:  policydb_init:  Out of memory!\n",
+                       progname);
+               return -1;
+       }
+       if (policydb_read(p, fp, 1)) {
+               fprintf(stderr,
+                       "%s:  error(s) encountered while parsing 
configuration\n",
+                       progname);
                return -1;
-       }       
-        if (policydb_read(p, fp, 1)) {
-                fprintf(stderr, "%s:  error(s) encountered while parsing 
configuration\n", progname);
-                return -1;
-        }
-        
-        /* Check Policy Consistency */
-        if (p->mls) {
-                if (!mlspol) {
-                        fprintf(stderr,"%s:  MLS policy, but non-MLS"
-                                " is specified\n", progname);
-                        return -1;
-                }
-        } else {
-                if (mlspol) {
-                        fprintf(stderr,"%s:  non-MLS policy, but MLS"
-                                " is specified\n", progname);
-                        return -1;
-                }
-        }
-        return 0;
+       }
+
+       /* Check Policy Consistency */
+       if (p->mls) {
+               if (!mlspol) {
+                       fprintf(stderr, "%s:  MLS policy, but non-MLS"
+                               " is specified\n", progname);
+                       return -1;
+               }
+       } else {
+               if (mlspol) {
+                       fprintf(stderr, "%s:  non-MLS policy, but MLS"
+                               " is specified\n", progname);
+                       return -1;
+               }
+       }
+       return 0;
 }
 
-static int read_source_policy(policydb_t *p, char *file, char *progname)
+static int write_binary_policy(policydb_t * p, char *file, char *progname)
 {
-        yyin = fopen(file, "r");
-        if (!yyin) {
-                fprintf(stderr, "%s:  unable to open %s\n", progname, 
-                        file);
-                return -1;
-        }
-        
-        if (policydb_init(p) ||
-            ((id_queue = queue_create()) == NULL)) {
-                fprintf(stderr, "%s: out of memory!\n", progname);
-                return -1;
-        }
+       FILE *outfp = NULL;
+       struct policy_file pf;
+       int ret;
 
-       p->policy_type = policy_type;
-       p->mls = mlspol;
+       printf("%s:  writing binary representation (version %d) to %s\n",
+              progname, policyvers, file);
 
-        init_parser(1);
-        if (yyparse() || policydb_errors) {
-                fprintf(stderr, "%s:  error(s) encountered while parsing 
configuration\n", progname);
-                return -1;
-        }
-        rewind(yyin);
-        init_parser(2);
-        source_file[0] = '\0';
-        yyrestart(yyin);
-        if (yyparse() || policydb_errors) {
-                fprintf(stderr, "%s:  error(s) encountered while parsing 
configuration\n", progname);
-                return -1;
-        }
-        queue_destroy(id_queue);
-
-        if (hierarchy_check_constraints(NULL, p)) {
-                return -1;
-        }
-        
-        if (policydb_errors) 
-                return -1;
+       outfp = fopen(file, "w");
+       if (!outfp) {
+               perror(file);
+               exit(1);
+       }
 
-        fclose(yyin);
-        return 0;
-}
-
-static int write_binary_policy(policydb_t *p, char *file, char *progname)
-{
-       FILE *outfp = NULL;
-       struct policy_file pf;
-        int ret;
-        
-        printf("%s:  writing binary representation (version %d) to %s\n",
-               progname, policyvers, file);
-        
-        outfp = fopen(file, "w");
-        if (!outfp) {
-                perror(file);
-                exit(1);
-        }
-        
        p->policy_type = policy_type;
        p->policyvers = policyvers;
-        
-        pf.type = PF_USE_STDIO;
-        pf.fp = outfp;
-        ret = policydb_write(p, &pf);
-        if (ret) {
-                fprintf(stderr, "%s:  error writing %s\n",
-                        progname, file);
-                return -1;
-        }
-        fclose(outfp);
-        return 0;
+
+       pf.type = PF_USE_STDIO;
+       pf.fp = outfp;
+       ret = policydb_write(p, &pf);
+       if (ret) {
+               fprintf(stderr, "%s:  error writing %s\n", progname, file);
+               return -1;
+       }
+       fclose(outfp);
+       return 0;
 }
 
 static void usage(char *progname)
 {
-       printf("usage:  %s [-V] [-b] [-m] [-M] [-o FILE] [INPUT]\n",
-               progname);
-        printf("Build base and policy modules.\n");
-        printf("Options:\n");
-        printf("  INPUT      build module from INPUT (else read from 
\"%s\")\n", txtfile);
-        printf("  -V         show policy versions created by this program\n");
-        printf("  -b         treat input as a binary policy file\n");
-        printf("  -m         build a policy module instead of a base 
module\n");
-        printf("  -M         enable MLS policy\n");
-        printf("  -o FILE    write module to FILE (else just check syntax)\n");
+       printf("usage:  %s [-V] [-b] [-m] [-M] [-o FILE] [INPUT]\n", progname);
+       printf("Build base and policy modules.\n");
+       printf("Options:\n");
+       printf("  INPUT      build module from INPUT (else read from \"%s\")\n",
+              txtfile);
+       printf("  -V         show policy versions created by this program\n");
+       printf("  -b         treat input as a binary policy file\n");
+       printf("  -m         build a policy module instead of a base module\n");
+       printf("  -M         enable MLS policy\n");
+       printf("  -o FILE    write module to FILE (else just check syntax)\n");
        exit(1);
 }
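Review bot: In read_binary_policy the descriptor returned by open() is never closed and the mapping is never unmapped — not on the fstat/mmap failure returns, not on the policydb_init/policydb_read failure returns, and not on success — so each call leaks an fd and a mapping for the life of the process; the same open/fstat/mmap sequence appears in the binary-load hunk of checkpolicy.c. A `close(fd);` immediately after the mmap() call (the mapping remains valid once the fd is closed) and a `munmap(map, sb.st_size);` on each return path would close both leaks. In write_binary_policy the return value of fclose(outfp) is ignored, so a failure at flush time (disk full, I/O error) is reported as success and a truncated binary policy is left on disk; `if (fclose(outfp)) { fprintf(stderr, "%s:  error writing %s\n", progname, file); return -1; }` would match the handling already given to policydb_write. The fopen() failure in that same function calls exit(1) while every other failure returns -1; returning -1 there would make the caller's `== -1` check the single point of control.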
 
@@ -204,13 +154,13 @@
        unsigned int binary = 0;
        int ch;
        int show_version = 0;
-        policydb_t modpolicydb;
+       policydb_t modpolicydb;
 
        while ((ch = getopt(argc, argv, "ho:dbVmM")) != EOF) {
                switch (ch) {
-                case 'h':
-                        usage (argv [0]);
-                        break;
+               case 'h':
+                       usage(argv[0]);
+                       break;
                case 'o':
                        outfile = optarg;
                        break;
@@ -223,9 +173,9 @@
                        break;
                case 'm':
                        policy_type = POLICY_MOD;
-                        policyvers = MOD_POLICYDB_VERSION_MAX;
+                       policyvers = MOD_POLICYDB_VERSION_MAX;
                        break;
-                case 'M':
+               case 'M':
                        mlspol = 1;
                        break;
                default:
@@ -234,8 +184,8 @@
        }
 
        if (show_version) {
-                printf("Module versions %d-%d\n",
-                       MOD_POLICYDB_VERSION_MIN, MOD_POLICYDB_VERSION_MAX);
+               printf("Module versions %d-%d\n",
+                      MOD_POLICYDB_VERSION_MIN, MOD_POLICYDB_VERSION_MAX);
                exit(0);
        }
 
@@ -244,27 +194,37 @@
                if (optind != argc)
                        usage(argv[0]);
        }
-       printf("%s:  loading policy configuration from %s\n", argv[0],
-              file);
+       printf("%s:  loading policy configuration from %s\n", argv[0], file);
 
-        /* Set policydb and sidtab used by libsepol service functions
-           to my structures, so that I can directly populate and
-           manipulate them. */
-        sepol_set_policydb(&modpolicydb);
-        sepol_set_sidtab(&sidtab);
+       /* Set policydb and sidtab used by libsepol service functions
+          to my structures, so that I can directly populate and
+          manipulate them. */
+       sepol_set_policydb(&modpolicydb);
+       sepol_set_sidtab(&sidtab);
 
-        policydbp = &modpolicydb;
        if (binary) {
-                if (read_binary_policy(policydbp, file, argv[0]) == -1) {
-                        exit(1);
-                }
+               if (read_binary_policy(&modpolicydb, file, argv[0]) == -1) {
+                       exit(1);
+               }
        } else {
-                if (read_source_policy(policydbp, file, argv[0]) == -1) {
-                        exit(1);
-                }
-        }
+               if (policydb_init(&modpolicydb)) {
+                       fprintf(stderr, "%s: out of memory!\n", argv[0]);
+                       return -1;
+               }
+
+               modpolicydb.policy_type = policy_type;
+               modpolicydb.mls = mlspol;
+
+               if (read_source_policy(&modpolicydb, file, argv[0]) == -1) {
+                       exit(1);
+               }
+
+               if (hierarchy_check_constraints(NULL, &modpolicydb)) {
+                       return -1;
+               }
+       }
 
-       if (policydbp->policy_type == POLICY_BASE) {
+       if (modpolicydb.policy_type == POLICY_BASE) {
                /* Verify that we can successfully expand the base module. */
                policydb_t kernpolicydb;
 
@@ -272,28 +232,31 @@
                        fprintf(stderr, "%s:  policydb_init failed\n", argv[0]);
                        exit(1);
                }
-               if (link_modules(NULL, policydbp, NULL, 0, 0)) {
+               if (link_modules(NULL, &modpolicydb, NULL, 0, 0)) {
                        fprintf(stderr, "%s:  link modules failed\n", argv[0]);
                        exit(1);
                }
-               if (expand_module(NULL, policydbp, &kernpolicydb, 0, 1)) {
+               if (expand_module(NULL, &modpolicydb, &kernpolicydb, 0, 1)) {
                        fprintf(stderr, "%s:  expand module failed\n", argv[0]);
                        exit(1);
                }
                policydb_destroy(&kernpolicydb);
        }
 
-       if (policydb_load_isids(policydbp, &sidtab))
+       if (policydb_load_isids(&modpolicydb, &sidtab))
                exit(1);
 
+       sepol_sidtab_destroy(&sidtab);
+
        printf("%s:  policy configuration loaded\n", argv[0]);
 
        if (outfile &&
-            write_binary_policy(policydbp, outfile, argv[0]) == -1) {
-                exit(1);
-        }
+           write_binary_policy(&modpolicydb, outfile, argv[0]) == -1) {
+               exit(1);
+       }
+       policydb_destroy(&modpolicydb);
+
        return 0;
 }
 
 /* FLASK */
-

==== 
//depot/projects/trustedbsd/sebsd/contrib/sebsd/checkpolicy/checkpolicy.c#12 
(text+ko) ====

@@ -80,6 +80,7 @@
 
 #include "queue.h"
 #include "checkpolicy.h"
+#include "parse_util.h"
 
 extern char *optarg;
 extern int optind;
@@ -88,17 +89,8 @@
 static sidtab_t sidtab;
 
 extern policydb_t *policydbp;
-extern queue_t id_queue;
-extern unsigned int policydb_errors;
-extern unsigned long policydb_lineno;
-extern char source_file[];
 extern int mlspol;
 
-extern FILE *yyin;
-extern void init_parser(int);
-extern int yyparse(void);
-extern void yyrestart(FILE *);
-
 static char *txtfile = "policy.conf";
 static char *binfile = "policy";
 
@@ -106,8 +98,9 @@
 
 void usage(char *progname)
 {
-       printf("usage:  %s [-b] [-d] [-M] [-c policyvers (%d-%d)] [-o 
output_file] [input_file]\n",
-               progname, POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
+       printf
+           ("usage:  %s [-b] [-d] [-M] [-c policyvers (%d-%d)] [-o 
output_file] [input_file]\n",
+            progname, POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
        exit(1);
 }
 
@@ -118,7 +111,9 @@
                        exit(1);\
 }
 static int print_sid(sepol_security_id_t sid,
-                    context_struct_t * context __attribute__ ((unused)), void 
*data __attribute__ ((unused)))
+                    context_struct_t * context
+                    __attribute__ ((unused)), void *data
+                    __attribute__ ((unused)))
 {
        sepol_security_context_t scontext;
        size_t scontext_len;
@@ -146,7 +141,7 @@
 
        perdatum = (perm_datum_t *) datum;
 
-       if (v->val == perdatum->value) {
+       if (v->val == perdatum->s.value) {
                v->name = key;
                return 1;
        }
@@ -155,7 +150,7 @@
 }
 
 #ifdef EQUIVTYPES
-static int insert_type_rule(avtab_key_t *k, avtab_datum_t *d, 
+static int insert_type_rule(avtab_key_t * k, avtab_datum_t * d,
                            struct avtab_node *type_rules)
 {
        struct avtab_node *p, *c, *n;
@@ -168,10 +163,10 @@
                 */
                if (k->source_type < c->key.source_type)
                        break;
-               if (k->source_type == c->key.source_type && 
+               if (k->source_type == c->key.source_type &&
                    k->target_type < c->key.target_type)
                        break;
-               if (k->source_type == c->key.source_type && 
+               if (k->source_type == c->key.source_type &&
                    k->target_type == c->key.target_type &&
                    k->target_class < c->key.target_class)
                        break;
@@ -191,7 +186,7 @@
        return 0;
 }
 
-static int create_type_rules(avtab_key_t *k, avtab_datum_t *d, void *args)
+static int create_type_rules(avtab_key_t * k, avtab_datum_t * d, void *args)
 {
        struct avtab_node *type_rules = args;
 
@@ -200,8 +195,10 @@
                 * Insert the rule into the lists for both 
                 * the source type and the target type.
                 */
-               if (insert_type_rule(k, d, &type_rules[k->source_type-1])) 
return -1;
-               if (insert_type_rule(k, d, &type_rules[k->target_type-1])) 
return -1;
+               if (insert_type_rule(k, d, &type_rules[k->source_type - 1]))
+                       return -1;
+               if (insert_type_rule(k, d, &type_rules[k->target_type - 1]))
+                       return -1;
        }
 
        return 0;
@@ -218,24 +215,24 @@
        }
 }
 
-static int identify_equiv_types(void) 
+static int identify_equiv_types(void)
 {
-        struct avtab_node *type_rules, *l1, *l2;
+       struct avtab_node *type_rules, *l1, *l2;
        int i, j;
 
        /*
         * Create a list of access vector rules for each type
         * from the access vector table.
         */
-       type_rules = malloc(sizeof(struct avtab_node)*policydb.p_types.nprim);
+       type_rules = malloc(sizeof(struct avtab_node) * policydb.p_types.nprim);
        if (!type_rules) {
                fprintf(stderr, "out of memory\n");
                exit(1);
        }
-       memset(type_rules, 0, sizeof(struct avtab_node)*policydb.p_types.nprim);
+       memset(type_rules, 0,
+              sizeof(struct avtab_node) * policydb.p_types.nprim);
        if (avtab_map(&policydb.te_avtab, create_type_rules, type_rules))
                exit(1);
-       
 
        /*
         * Compare the type lists and identify equivalent types.
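Review bot: The malloc() followed by memset() at the top of identify_equiv_types forms the product `sizeof(struct avtab_node) * policydb.p_types.nprim` with no overflow check before allocating; `type_rules = calloc(policydb.p_types.nprim, sizeof *type_rules);` replaces both calls, zero-fills, and lets the allocator reject an overflowing product. The loop indices i and j are declared `int` but compared against p_types.nprim, which, if it is an unsigned count as its use suggests, makes these signed/unsigned comparisons; declaring them as the same type as nprim (or `size_t`) avoids that. This function is compiled only under `#ifdef EQUIVTYPES`, and its body continues past the hunk.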
@@ -244,27 +241,29 @@
                if (!type_rules[i].next)
                        continue;
                for (j = i + 1; j < policydb.p_types.nprim; j++) {
-                       for (l1 = type_rules[i].next, l2 = type_rules[j].next; 
l1 && l2;
-                            l1 = l1->next, l2 = l2->next) {
-                               if (l2->key.source_type == (j+1)) {
-                                       if (l1->key.source_type != (i+1))
+                       for (l1 = type_rules[i].next, l2 = type_rules[j].next;
+                            l1 && l2; l1 = l1->next, l2 = l2->next) {
+                               if (l2->key.source_type == (j + 1)) {
+                                       if (l1->key.source_type != (i + 1))
                                                break;
                                } else {
-                                       if (l1->key.source_type != 
l2->key.source_type)
+                                       if (l1->key.source_type !=
+                                           l2->key.source_type)
                                                break;
                                }
-                               if (l2->key.target_type == (j+1)) {
-                                       if (l1->key.target_type != (i+1))
+                               if (l2->key.target_type == (j + 1)) {
+                                       if (l1->key.target_type != (i + 1))
                                                break;
                                } else {
-                                       if (l1->key.target_type != 
l2->key.target_type)
+                                       if (l1->key.target_type !=
+                                           l2->key.target_type)
                                                break;
                                }
-                               if (l1->key.target_class != 
l2->key.target_class || 
-                                   l1->datum.allowed != l2->datum.allowed)
+                               if (l1->key.target_class != l2->key.target_class
+                                   || l1->datum.allowed != l2->datum.allowed)
                                        break;
                        }
-                       if (l1 || l2) 
+                       if (l1 || l2)
                                continue;
                        free_type_rules(type_rules[j].next);
                        type_rules[j].next = NULL;
@@ -272,37 +271,37 @@
                               policydb.p_type_val_to_name[i],
                               policydb.p_type_val_to_name[j]);
                }
-               free_type_rules(type_rules[i].next);            
+               free_type_rules(type_rules[i].next);
                type_rules[i].next = NULL;
        }
 
-       free(type_rules);       
+       free(type_rules);
        return 0;
 }
-#endif 
+#endif
 
 extern char *av_to_string(uint32_t tclass, sepol_access_vector_t av);
 
-
 int display_bools()
 {
        int i;
 
        for (i = 0; i < policydbp->p_bools.nprim; i++) {
                printf("%s : %d\n", policydbp->p_bool_val_to_name[i],
-                       policydbp->bool_val_to_struct[i]->state);
+                      policydbp->bool_val_to_struct[i]->state);
        }
        return 0;
 }
 
-void display_expr(cond_expr_t *exp)
+void display_expr(cond_expr_t * exp)
 {
 
        cond_expr_t *cur;
        for (cur = exp; cur != NULL; cur = cur->next) {
                switch (cur->expr_type) {
                case COND_BOOL:
-                       printf("%s ", policydbp->p_bool_val_to_name[cur->bool - 
1]);
+                       printf("%s ",
+                              policydbp->p_bool_val_to_name[cur->bool - 1]);
                        break;
                case COND_NOT:
                        printf("! ");
@@ -360,7 +359,9 @@
        level_datum_t *levdatum = (level_datum_t *) datum;
 
        if (!levdatum->isalias && !levdatum->defined) {
-               fprintf(stderr, "Error:  sensitivity %s was not used in a level 
definition!\n", key);
+               fprintf(stderr,
+                       "Error:  sensitivity %s was not used in a level 
definition!\n",
+                       key);
                return -1;
        }
        return 0;
@@ -389,7 +390,6 @@
        int show_version = 0;
        struct policy_file pf;
 
-
        while ((ch = getopt(argc, argv, "o:dbMVc:")) != EOF) {
                switch (ch) {
                case 'o':
@@ -408,30 +408,36 @@
                case 'M':
                        mlspol = 1;
                        break;
-               case 'c': {
-                       long int n = strtol(optarg, NULL, 10);
-                       if (errno) {
-                               fprintf(stderr, "Invalid policyvers specified: 
%s\n", optarg);
-                               usage(argv[0]);
-                               exit(1);
+               case 'c':{
+                               long int n = strtol(optarg, NULL, 10);
+                               if (errno) {
+                                       fprintf(stderr,
+                                               "Invalid policyvers specified: 
%s\n",
+                                               optarg);
+                                       usage(argv[0]);
+                                       exit(1);
+                               }
+                               if (n < POLICYDB_VERSION_MIN
+                                   || n > POLICYDB_VERSION_MAX) {
+                                       fprintf(stderr,
+                                               "policyvers value %ld not in 
range %d-%d\n",
+                                               n, POLICYDB_VERSION_MIN,
+                                               POLICYDB_VERSION_MAX);
+                                       usage(argv[0]);
+                                       exit(1);
+                               }
+                               if (policyvers != n)
+                                       policyvers = n;
+                               break;
                        }
-                       if (n < POLICYDB_VERSION_MIN || n > 
POLICYDB_VERSION_MAX) {
-                               fprintf(stderr, "policyvers value %ld not in 
range %d-%d\n",
-                                       n, POLICYDB_VERSION_MIN, 
POLICYDB_VERSION_MAX);
-                               usage(argv[0]);
-                               exit(1);
-                       }
-                       if (policyvers != n)
-                               policyvers = n;
-                       break;
-               }
                default:
                        usage(argv[0]);
                }
        }
 
        if (show_version) {
-               printf("%d (compatibility range %d-%d)\n", policyvers, 
POLICYDB_VERSION_MAX, POLICYDB_VERSION_MIN);
+               printf("%d (compatibility range %d-%d)\n", policyvers,
+                      POLICYDB_VERSION_MAX, POLICYDB_VERSION_MIN);
                exit(0);
        }
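Review bot: In the `case 'c'` block errno is tested after strtol() without being cleared first, so a stale errno left by an earlier library call rejects a valid -c value, and because the end pointer is NULL a trailing non-numeric suffix (a constructed example: `-c 21x`) is silently accepted while a wholly non-numeric argument parses as 0 and is only caught if 0 lies outside the version range. Clearing errno and checking the end pointer addresses both: `errno = 0; char *end; long int n = strtol(optarg, &end, 10);` followed by `if (errno || end == optarg || *end != '\0') {` in place of the bare `if (errno) {`. main begins before this hunk and continues past it.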
 
@@ -440,8 +446,7 @@
                if (optind != argc)
                        usage(argv[0]);
        }
-       printf("%s:  loading policy configuration from %s\n", argv[0],
-              file);
+       printf("%s:  loading policy configuration from %s\n", argv[0], file);
 
        /* Set policydb and sidtab used by libsepol service functions
           to my structures, so that I can directly populate and
@@ -461,7 +466,9 @@
                                file, strerror(errno));
                        exit(1);
                }
-               map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, 
MAP_PRIVATE, fd, 0);
+               map =
+                   mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE,
+                        fd, 0);
                if (map == MAP_FAILED) {
                        fprintf(stderr, "Can't map '%s':  %s\n",
                                file, strerror(errno));
@@ -471,12 +478,15 @@
                pf.data = map;
                pf.len = sb.st_size;
                if (policydb_init(&policydb)) {
-                       fprintf(stderr, "%s:  policydb_init:  Out of 
memory!\n", argv[0]);
+                       fprintf(stderr, "%s:  policydb_init:  Out of memory!\n",
+                               argv[0]);
                        exit(1);
                }
                ret = policydb_read(&policydb, &pf, 1);
                if (ret) {
-                       fprintf(stderr, "%s:  error(s) encountered while 
parsing configuration\n", argv[0]);
+                       fprintf(stderr,
+                               "%s:  error(s) encountered while parsing 
configuration\n",
+                               argv[0]);
                        exit(1);
                }
                policydbp = &policydb;
@@ -484,27 +494,20 @@
                /* Check Policy Consistency */
                if (policydbp->mls) {
                        if (!mlspol) {
-                               fprintf(stderr,"%s:  MLS policy, but non-MLS"
-                                       " is specified\n", argv[0]);
+                               fprintf(stderr, "%s:  MLS policy, but non-MLS"
+                                       " is specified\n", argv[0]);
                                exit(1);
                        }
                } else {
                        if (mlspol) {
-                               fprintf(stderr,"%s:  non-MLS policy, but MLS"
-                                       " is specified\n", argv[0]);
+                               fprintf(stderr, "%s:  non-MLS policy, but MLS"
+                                       " is specified\n", argv[0]);
                                exit(1);
                        }
                }
        } else {
-                policydb_t parse_policy;
+               policydb_t parse_policy;
 
-                yyin = fopen(file, "r");
-               if (!yyin) {
-                       fprintf(stderr, "%s:  unable to open %s\n", argv[0], 
-                               file);
-                       exit(1);
-               }
-
                if (policydb_init(&parse_policy))
                        exit(1);
                /* We build this as a base policy first since that is all the 
parser understands */
@@ -513,28 +516,9 @@
                /* Let sepol know if we are dealing with MLS support */
                parse_policy.mls = mlspol;
 
-               id_queue = queue_create();
-               if (!id_queue) {
-                       fprintf(stderr, "%s:  out of memory\n", argv[0]);
-                       exit(1);
-               }
                policydbp = &parse_policy;
-                init_parser(1);
-               if (yyparse() || policydb_errors) {
-                       fprintf(stderr, "%s:  error(s) encountered while 
parsing configuration\n", argv[0]);
-                       exit(1);
-               }
-               rewind(yyin);
-                init_parser(2);
-               source_file[0] = '\0';
-               yyrestart(yyin);
-               if (yyparse() || policydb_errors) {
-                       fprintf(stderr, "%s:  error(s) encountered while 
parsing configuration\n", argv[0]);
-                       exit(1);
-               }
-               queue_destroy(id_queue);
 
-               if (policydb_errors) 
+               if (read_source_policy(policydbp, file, "checkpolicy") < 0)
                        exit(1);
 
                if (hashtab_map(policydbp->p_levels.table, check_level, NULL))
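Review bot: The new `read_source_policy(policydbp, file, "checkpolicy") < 0` check exits without printing anything at this call site, whereas each of the two removed `yyparse()` checks reported `%s:  error(s) encountered while parsing configuration` with argv[0]; unless read_source_policy (in the added parse_util.c, not in view) emits its own diagnostic, a bad policy file now fails with status 1 and no message. If it does not, add `fprintf(stderr, "%s:  error(s) encountered while parsing configuration\n", argv[0]);` before the `exit(1)`. The separate `policydb_errors` check is also gone, so it is worth confirming the helper folds that flag into its return value rather than only the yyparse() result. The enclosing function starts and ends outside this hunk.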
@@ -546,18 +530,17 @@
                }
 
                /* Linking takes care of optional avrule blocks */
-               if (link_modules(NULL, &parse_policy, NULL, 0, 0)) {
+               if (link_modules(NULL, &parse_policy, NULL, 0, 0)) {
                        fprintf(stderr, "Error while resolving optionals\n");
                        exit(1);
                }
 
                if (expand_module(NULL, &parse_policy, &policydb, 0, 1)) {
-                        fprintf(stderr, "Error while expanding policy\n");
+                       fprintf(stderr, "Error while expanding policy\n");
                        exit(1);
-                }
+               }
                policydb_destroy(&parse_policy);
                policydbp = &policydb;
-               fclose(yyin);
        }
 
        if (policydb_load_isids(&policydb, &sidtab))
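Review bot: Dropping `fclose(yyin);` at the end of this branch is only leak-free if read_source_policy closes the stream it now opens (this change also removed the matching `fopen(file, "r")` from the same branch); that helper lives in the added parse_util.c, which is not in view, so please confirm it closes the file on both its success and failure paths. For a one-shot compiler a leaked FILE handle is harmless, but the same branch also calls `exit(1)` after `link_modules`/`expand_module` failures without destroying `parse_policy`, so a short comment such as `/* read_source_policy owns and closes the input file */` would help the next reader see where the lifetime moved. The enclosing function starts and ends outside this hunk.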
@@ -566,8 +549,9 @@
        printf("%s:  policy configuration loaded\n", argv[0]);
 
        if (outfile) {
-               printf("%s:  writing binary representation (version %d) to 
%s\n",
-                      argv[0], policyvers, outfile);
+               printf
+                   ("%s:  writing binary representation (version %d) to %s\n",
+                    argv[0], policyvers, outfile);
                outfp = fopen(outfile, "w");
                if (!outfp) {
                        perror(outfile);
@@ -634,39 +618,51 @@
                        FGETS(ans, sizeof(ans), stdin);
                        if (isdigit(ans[0])) {
                                tclass = atoi(ans);
-                               if (!tclass || tclass > 
policydb.p_classes.nprim) {
+                               if (!tclass
+                                   || tclass > policydb.p_classes.nprim) {
                                        printf("\nNo such class.\n");
                                        break;
                                }
-                               cladatum = policydb.class_val_to_struct[tclass 
- 1];
+                               cladatum =
+                                   policydb.class_val_to_struct[tclass - 1];
                        } else {
                                ans[strlen(ans) - 1] = 0;
-                               cladatum = (class_datum_t *) 
hashtab_search(policydb.p_classes.table,
-                                                                   ans);
+                               cladatum =
+                                   (class_datum_t *) hashtab_search(policydb.
+                                                                    p_classes.
+                                                                    table,
+                                                                    ans);
                                if (!cladatum) {
                                        printf("\nNo such class\n");
                                        break;
                                }
-                               tclass = cladatum->value;
+                               tclass = cladatum->s.value;
                        }
 
                        if (!cladatum->comdatum && 
!cladatum->permissions.nprim) {
-                               printf("\nNo access vector definition for that 
class\n");
+                               printf
+                                   ("\nNo access vector definition for that 
class\n");
                                break;
                        }
-                       ret = sepol_compute_av(ssid, tsid, tclass, 0,
-                                                 &avd);
+                       ret = sepol_compute_av(ssid, tsid, tclass, 0, &avd);
                        switch (ret) {
                        case 0:
                                printf("\nallowed {");
                                for (i = 1; i <= sizeof(avd.allowed) * 8; i++) {
                                        if (avd.allowed & (1 << (i - 1))) {
                                                v.val = i;
-                                               ret = 
hashtab_map(cladatum->permissions.table,
-                                                                  find_perm, 
&v);
+                                               ret =
+                                                   hashtab_map(cladatum->
+                                                               permissions.
+                                                               table,
+                                                               find_perm, &v);
                                                if (!ret && cladatum->comdatum) 
{
-                                                       ret = 
hashtab_map(cladatum->comdatum->permissions.table,
-                                                                        
find_perm, &v);
+                                                       ret =
+                                                           hashtab_map
+                                                           (cladatum->
+                                                            comdatum->
+                                                            permissions.table,
+                                                            find_perm, &v);
                                                }
                                                if (ret)
                                                        printf(" %s", v.name);
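Review bot: The permission loop at `if (avd.allowed & (1 << (i - 1)))` runs i up to `sizeof(avd.allowed) * 8`, so on the last iteration it left-shifts the signed constant 1 into the sign bit, which is undefined behaviour in C (it happens to produce the expected mask on common compilers, but this block was reformatted without fixing it); use an unsigned constant at least as wide as avd.allowed, e.g. `if (avd.allowed & (1u << (i - 1)))` if that field is 32-bit. The newline strip a few lines earlier, `ans[strlen(ans) - 1] = 0;`, also drops the last real character when the input filled the buffer without a newline and writes before the array if ans is ever empty; `ans[strcspn(ans, "\n")] = '\0';` handles both cases. The interactive input loop this belongs to starts and ends outside this hunk.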
@@ -686,7 +682,7 @@
                        FGETS(ans, sizeof(ans), stdin);
                        ssid = atoi(ans);
                        ret = sepol_sid_to_context(ssid,
-                                              &scontext, &scontext_len);

>>> TRUNCATED FOR MAIL (1000 lines) <<<