Changeset 4811

Timestamp:

09/29/08 15:51:10 (2 months ago)

Author:

jmowery

Message:

corrects errors in loading multiply defined symbols in optionals

Files:

• branches/setools-devel/libqpol/src/policy.c (modified) (4 diffs)

branches/setools-devel/libqpol/src/policy.c

@@ -563 +563 @@
-}
-
+/** For all symbols that are multiply defined (such as roles and users),
+ *  union the relevant sets of types and roles from each declaration.
+ *  @param policy The policy containig the symbols to union.
+ *  @return 0 on success, non-zero on error; if the call fails,
+ *  errno will be set, and the policy should be considered invalid.
+ */
+static int union_multiply_declared_symbols(qpol_policy_t * policy) {
+        /* general structure of this function:
+        walk role and user symbol tables for each role/user
+                get datum from symtab, get key from array
+                look up symbol in scope table
+                foreach decl_id in scope entry
+                        union types/roles bitmap with datum's copy
+        */
+        qpol_iterator_t * iter = NULL;
+        int error = 0;
+        if (qpol_policy_get_role_iter(policy, &iter)) {
+                return 1;
+        }
+        for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
+                role_datum_t *role;
+                if (qpol_iterator_get_item(iter, (void**)&role)) {
+                        error = errno;
+                        goto err;
+                }
+                const char *name;
+                if (qpol_role_get_name(policy, (qpol_role_t*)role, &name)) {
+                        error = errno;
+                        goto err;
+                }
+                policydb_t *db = &policy->p->p;
+                scope_datum_t* scope_datum = hashtab_search(db->scope[SYM_ROLES].table, (const hashtab_key_t)name);
+                if (scope_datum == NULL) {
+                        ERR(policy, "could not find scope datum for role %s", name);
+                        error = ENOENT;
+                        goto err;
+                }
+                for (uint32_t i = 0; i < scope_datum->decl_ids_len; i++)
+                {
+                        if (db->decl_val_to_struct[scope_datum->decl_ids[i] - 1]->enabled == 0)
+                                continue; /* block is disabled */
+                        role_datum_t *internal_datum = hashtab_search(db->decl_val_to_struct[scope_datum->decl_ids[i] - 1]->symtab[SYM_ROLES].table, (const hashtab_key_t)name);
+                        if (internal_datum == NULL) {
+                                continue; /* not declared here */
+                        }
+                        if (ebitmap_union(&role->types.types, &internal_datum->types.types) || ebitmap_union(&role->dominates, &internal_datum->dominates))
+                        {
+                                error = errno;
+                                ERR(policy, "could not merge declarations for role %s", name);
+                                goto err;
+                        }
+                }
+        }
+        qpol_iterator_destroy(&iter);
+
+        /* repeat for users */
+        if (qpol_policy_get_user_iter(policy, &iter)) {
+                return 1;
+        }
+        for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
+                user_datum_t *user;
+                if (qpol_iterator_get_item(iter, (void**)&user)) {
+                        error = errno;
+                        goto err;
+                }
+                const char *name;
+                if (qpol_user_get_name(policy, (qpol_user_t*)user, &name)) {
+                        error = errno;
+                        goto err;
+                }
+                policydb_t *db = &policy->p->p;
+                scope_datum_t* scope_datum = hashtab_search(db->scope[SYM_USERS].table, (const hashtab_key_t)name);
+                if (scope_datum == NULL) {
+                        ERR(policy, "could not find scope datum for user %s", name);
+                        error = ENOENT;
+                        goto err;
+                }
+                for (uint32_t i = 0; i < scope_datum->decl_ids_len; i++)
+                {
+                        if (db->decl_val_to_struct[scope_datum->decl_ids[i] - 1]->enabled == 0)
+                                continue; /* block is disabled */
+                        user_datum_t *internal_datum = hashtab_search(db->decl_val_to_struct[scope_datum->decl_ids[i]]->symtab[SYM_USERS].table, (const hashtab_key_t)name);
+                        if (internal_datum == NULL) {
+                                continue; /* not declared here */
+                        }
+                        if (ebitmap_union(&user->roles.roles, &internal_datum->roles.roles))
+                        {
+                                error = errno;
+                                ERR(policy, "could not merge declarations for user %s", name);
+                                goto err;
+                        }
+                }
+        }
+        qpol_iterator_destroy(&iter);
+
+        return 0;
+err:
+        qpol_iterator_destroy(&iter);
+        errno = error;
+        return 1;
+}
+
-/* forward declarations see policy_extend.c */
-struct qpol_extended_image;
@@ -681 +783 @@
-        }
-
+        if (union_multiply_declared_symbols(policy)) {
+                error = errno;
+                goto err;
+        }
+
-        if (qpol_expand_module(policy, !(options & (QPOL_POLICY_OPTION_NO_NEVERALLOWS)))) {
-                error = errno;
@@ -892 +999 @@
-
-                if (prune_disabled_symbols(*policy)) {
+                        error = errno;
+                        goto err;
+                }
+
+                if (union_multiply_declared_symbols(*policy)) {
-                        error = errno;
-                        goto err;
@@ -1015 +1127 @@
-
-        if (prune_disabled_symbols(*policy)) {
+                error = errno;
+                goto err;
+        }
+
+        if (union_multiply_declared_symbols(*policy)) {
-                error = errno;
-                goto err;