Changeset 4924
- Timestamp:
- 04/21/10 08:07:04 (5 months ago)
- Files:
-
- branches/module-loading/ChangeLog (modified) (1 diff)
- branches/module-loading/apol/analysis_tab.tcl (modified) (2 diffs)
- branches/module-loading/apol/cond_rules_tab.tcl (modified) (5 diffs)
- branches/module-loading/apol/context_dialog.tcl (modified) (4 diffs)
- branches/module-loading/apol/context_selector.tcl (modified) (2 diffs)
- branches/module-loading/apol/domaintrans_module.tcl (modified) (2 diffs)
- branches/module-loading/apol/file_contexts_tab.tcl (modified) (1 diff)
- branches/module-loading/apol/initial_sids_tab.tcl (modified) (2 diffs)
- branches/module-loading/apol/open_policy_dialog.tcl (modified) (4 diffs)
- branches/module-loading/apol/progress_dialog.tcl (modified) (1 diff)
- branches/module-loading/apol/range_selector.tcl (modified) (2 diffs)
- branches/module-loading/apol/relabel_module.tcl (modified) (2 diffs)
- branches/module-loading/apol/top.tcl (modified) (2 diffs)
- branches/module-loading/apol/transflow_module.tcl (modified) (5 diffs)
- branches/module-loading/apol/users_tab.tcl (modified) (8 diffs)
- branches/module-loading/configure.ac (modified) (1 diff)
- branches/module-loading/libapol/tests/Makefile.am (modified) (1 diff)
- branches/module-loading/libapol/tests/constrain-tests.c (copied) (copied from trunk/libapol/tests/constrain-tests.c)
- branches/module-loading/libapol/tests/constrain-tests.h (copied) (copied from trunk/libapol/tests/constrain-tests.h)
- branches/module-loading/libapol/tests/libapol-tests.c (modified) (2 diffs)
- branches/module-loading/libqpol/src/constraint_query.c (modified) (3 diffs)
- branches/module-loading/libqpol/swig/python/Makefile.am (modified) (1 diff)
- branches/module-loading/secmds/seinfo.c (modified) (12 diffs)
branches/module-loading/ChangeLog
r4893 r4924 1 2010-04-20 Chris PeBenito <cpebenito@tresys.com> 2 3 * Fix seinfo to correctly handle cases where there are 4 no nodecon statements in the policy. 5 6 2010-04-20 Spencer Shimko <sshimko@tresys.com> 7 8 * Fixes error conditions that prevent apol from exiting. If 9 window/tab was already destroyed on exit 10 then apol threw an error and refused to exit. 11 12 2010-04-15 Spencer Shimko <sshimko@tresys.com> 13 14 * Add support for displaying constraints to seinfo. 15 * Add constraint CUnit tests. 16 1 17 2010-03-12 John Oliver <joliver@tresys.com> 2 18 branches/module-loading/apol/analysis_tab.tcl
r4635 r4924 200 200 variable widgets 201 201 variable tabs 202 $widgets(new) configure -state disabled 203 $widgets(update) configure -state disabled 202 204 203 205 set m [$widgets(search_opts) raise] … … 223 225 $widgets(update) configure -state normal 224 226 } 227 228 $widgets(new) configure -state normal 225 229 } 226 230 branches/module-loading/apol/cond_rules_tab.tcl
r4585 r4924 141 141 variable vals 142 142 variable widgets 143 .mainframe.frame.nb.frules.nb.fApol_Cond_Rules.top.obox.f.ok configure -state disabled 143 144 144 145 Apol_Widget::clearSearchResults $widgets(results) 145 146 if {![ApolTop::is_policy_open]} { 146 147 tk_messageBox -icon error -type ok -title "Error" -message "No current policy file is opened." 148 .mainframe.frame.nb.frules.nb.fApol_Cond_Rules.top.obox.f.ok configure -state normal 147 149 return 148 150 } … … 158 160 if {$avrule_selection == 0 && $terule_selection == 0} { 159 161 tk_messageBox -icon error -type ok -title "Error" -message "At least one rule must be selected." 162 .mainframe.frame.nb.frules.nb.fApol_Cond_Rules.top.obox.f.ok configure -state normal 160 163 return 161 164 } … … 165 168 if {[set bool_name $vals(name)] == {}} { 166 169 tk_messageBox -icon error -type ok -title "Error" -message "No booleean selected." 170 .mainframe.frame.nb.frules.nb.fApol_Cond_Rules.top.obox.f.ok configure -state normal 167 171 return 168 172 } … … 192 196 } 193 197 Apol_Widget::appendSearchResultText $widgets(results) $text 194 Apol_Progress_Dialog::wait "Conditional Expressions" "Rendering conditionals" \ 198 if {![info exists apol_progress]} { 199 Apol_Progress_Dialog::wait "Conditional Expressions" "Rendering conditionals" \ 195 200 { 196 201 if {[ApolTop::is_capable "syntactic rules"]} { … … 206 211 } 207 212 } 213 } 214 .mainframe.frame.nb.frules.nb.fApol_Cond_Rules.top.obox.f.ok configure -state normal 208 215 } 209 216 branches/module-loading/apol/context_dialog.tcl
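Review bot: The new guard `if {![info exists apol_progress]}` at 198 tests for a Tcl variable named `apol_progress`, and nothing in this proc declares one, so the branch looks always-taken and the change is a no-op; if the intent is to skip when the progress dialog window is already up, the test would be `if {![winfo exists .apol_progress]} {`, though the surrounding proc is only partly visible here. A second point of style: the `...ok configure -state normal` line is repeated before every `return` (148, 162, 170, 214), and any error raised between the disable at 143 and the last re-enable leaves the button dead; consider enabling it once in a single exit path (for example by wrapping the body in `catch` and re-enabling after it). The same repeated-re-enable pattern appears in users_tab.tcl in this changeset.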
r4585 r4924 29 29 variable dialog 30 30 variable vars 31 31 32 if {![winfo exists $dialog]} { 32 33 _create_dialog $parent … … 38 39 set low_level {} 39 40 set high_level {} 40 41 41 42 # initialize widget states 42 43 array set vars [list $dialog:low_enable 0 $dialog:high_enable 0] … … 62 63 set vars($dialog:user_enable) 1 63 64 } 65 66 64 67 65 68 $vars($dialog:role_box) configure -values [Apol_Roles::getRoles] … … 127 130 set vars($dialog:user_cb) [checkbutton $user_f.enable -text "User" \ 128 131 -variable Apol_Context_Dialog::vars($dialog:user_enable)] 129 set vars($dialog:user_box) [ComboBox $user_f.user -entrybg white -width 12 \ 130 -textvariable Apol_Context_Dialog::vars($dialog:user) -autopost 1] 132 set vars($dialog:user_box) [ComboBox $user_f.user -entrybg white \ 133 -width 12 \ 134 -textvariable Apol_Context_Dialog::vars($dialog:user) \ 135 -autopost 1] 131 136 trace add variable Apol_Context_Dialog::vars($dialog:user_enable) write \ 132 137 [list Apol_Context_Dialog::_user_changed $dialog] branches/module-loading/apol/context_selector.tcl
r4585 r4924 124 124 proc Apol_Widget::_show_context_dialog {path} { 125 125 variable vars 126 $path.context.button configure -state disabled 126 127 set new_context [Apol_Context_Dialog::getContext $vars($path:context) $vars($path:attribute)] 127 128 if {$new_context != {}} { … … 129 130 set vars($path:attribute) [lindex $new_context 1] 130 131 } 132 133 $path.context.button configure -state normal 131 134 # the trace on this variable will trigger [_update_context_display] to execute 132 135 } branches/module-loading/apol/domaintrans_module.tcl
r4894 r4924 323 323 324 324 proc Apol_Analysis_domaintrans::_createAccessDialog {} { 325 variable widgets 326 $widgets(access) configure -state disabled 325 327 destroy .domaintrans_adv 326 328 set d [Dialog .domaintrans_adv -modal local -separator 1 -title "Domain Transition Access Filter" -parent .] … … 329 331 _createAccessClasses [$d getframe] 330 332 $d draw 333 $widgets(access) configure -state normal 331 334 } 332 335 branches/module-loading/apol/file_contexts_tab.tcl
r4697 r4924 228 228 229 229 proc Apol_File_Contexts::_show_info {} { 230 .mainframe.frame.nb.fApol_File_Contexts.opts.f.bb.b1 configure -state disabled 230 231 Apol_Widget::showPopupParagraph "File Contexts Information" $Apol_File_Contexts::info_button_text 232 .mainframe.frame.nb.fApol_File_Contexts.opts.f.bb.b1 configure -state normal 231 233 } 232 234 branches/module-loading/apol/initial_sids_tab.tcl
r4585 r4924 105 105 106 106 set q [new_apol_isid_query_t] 107 107 108 if {[Apol_Widget::getContextSelectorState $widgets(context)]} { 108 109 foreach {context range_match attribute} [Apol_Widget::getContextSelectorValue $widgets(context)] {break} 109 110 $q set_context $::ApolTop::policy $context $range_match 110 111 } 112 111 113 set v [$q run $::ApolTop::policy] 114 112 115 $q -acquire 113 116 $q -delete … … 124 127 } 125 128 } 129 126 130 Apol_Widget::appendSearchResultText $widgets(results) $results 127 131 } branches/module-loading/apol/open_policy_dialog.tcl
r4912 r4924 196 196 variable vars 197 197 variable dialog 198 .open_policy_dialog.frame.primary.f.b configure -state disabled 198 199 if {$vars(path_type) == "monolithic"} { 199 200 set title "Open Monolithic Policy" … … 213 214 $dialog itemconfigure 0 -state normal 214 215 } 216 .open_policy_dialog.frame.primary.f.b configure -state normal 215 217 } 216 218 … … 365 367 variable dialog 366 368 variable vars 367 369 .open_policy_dialog.bbox.b0 configure -state disabled 368 370 if {[string trim $vars(primary_file)] != {}} { 369 371 set ppath [list_to_policy_path $vars(path_type) $vars(primary_file) $vars(mod_paths)] … … 372 374 } 373 375 } 376 .open_policy_dialog.bbox.b0 configure -state normal 374 377 } 375 378 branches/module-loading/apol/progress_dialog.tcl
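Review bot: Both hunks hard-code the toplevel path (`.open_policy_dialog.frame.primary.f.b` at 198, `.open_policy_dialog.bbox.b0` at 369) even though each proc already declares `variable dialog`; if `$dialog` holds that toplevel path, `$dialog.bbox.b0 configure -state disabled` keeps the widget references in one place and survives a rename of the dialog. Whether either proc has an early `return` between the disable and the re-enable cannot be confirmed from the elided lines, so that would be worth checking, since such a path would leave the button disabled.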
r4912 r4924 36 36 set text_width 32 37 37 } 38 ProgressDlg .apol_progress -title $title \ 39 -type normal -stop {} -separator 1 -parent [focus] -maximum 2 \ 40 -width $text_width -textvariable Apol_Progress_Dialog::text \ 41 -variable Apol_Progress_Dialog::val 38 39 if {[info exists .apol_progress] == 0} { 40 ProgressDlg .apol_progress -title $title \ 41 -type normal -stop {} -separator 1 -parent . -maximum 2 \ 42 -width $text_width -textvariable Apol_Progress_Dialog::text \ 43 -variable Apol_Progress_Dialog::val 44 } 42 45 43 46 set orig_cursor [. cget -cursor] branches/module-loading/apol/range_selector.tcl
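Review bot: `if {[info exists .apol_progress] == 0}` at 39 checks for a Tcl *variable* named `.apol_progress`, not a Tk window, so the condition is effectively always true and the ProgressDlg is still created on every call; the guard should be `if {![winfo exists .apol_progress]} {`. As written, the second call will hit the same "window already exists" error the guard appears intended to prevent. The enclosing proc starts before the hunk.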
r4585 r4924 131 131 132 132 proc Apol_Widget::_show_mls_range_dialog {path} { 133 $path.range.button configure -state disabled 133 134 set range [Apol_Range_Dialog::getRange $Apol_Widget::vars($path:range)] 134 135 if {$range != {}} { … … 136 137 $range -acquire 137 138 } 139 140 $path.range.button configure -state normal 138 141 # the trace on this variable will trigger [_update_range_display] 139 142 # to execute branches/module-loading/apol/relabel_module.tcl
r4635 r4924 327 327 328 328 proc Apol_Analysis_relabel::_createAdvancedDialog {} { 329 variable widgets 330 $widgets(advanced) configure -state disabled 329 331 destroy .relabel_analysis_adv 330 332 variable vals … … 373 375 374 376 $d draw 377 $widgets(advanced) configure -state normal 375 378 } 376 379 branches/module-loading/apol/top.tcl
r4912 r4924 478 478 "attribs" new_apol_attr_query_t 479 479 } 480 480 481 foreach {key func} $query_funcs { 481 482 set q [$func] … … 585 586 _close_policy 586 587 } 588 587 589 Apol_File_Contexts::close 588 590 _write_configuration_file branches/module-loading/apol/transflow_module.tcl
r4635 r4924 311 311 312 312 proc Apol_Analysis_transflow::_createAdvancedDialog {} { 313 variable widgets 314 $widgets(advanced) configure -state disabled 313 315 destroy .transflow_adv 314 316 variable vals … … 318 320 if {![ApolTop::openDefaultPermMap]} { 319 321 return "This analysis requires that a permission map is loaded." 320 }322 } 321 323 } 322 324 … … 352 354 pack $attrib_box -side top -expand 1 -fill x -padx 10 353 355 _attribEnabled $attrib_box 354 356 355 357 $d draw 358 $widgets(advanced) configure -state normal 356 359 } 357 360 … … 386 389 set cb [checkbutton $f.cb -text "Exclude permissions with weights below:" \ 387 390 -variable Apol_Analysis_transflow::vals(classes:threshold_enable)] 391 388 392 set weight [spinbox $f.threshold -from 1 -to 10 -increment 1 \ 389 393 -width 2 -bg white -justify right \ … … 627 631 if {![ApolTop::openDefaultPermMap]} { 628 632 return "This analysis requires that a permission map is loaded." 629 }633 } 630 634 apol_tcl_clear_info_string 631 635 } branches/module-loading/apol/users_tab.tcl
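Review bot: `_createAdvancedDialog` now disables `$widgets(advanced)` at 314, but the `return "This analysis requires that a permission map is loaded."` at 321 exits before the re-enable at 358, so once a permission map fails to load the Advanced button stays permanently disabled. Either move the disable below the permission-map check or add `$widgets(advanced) configure -state normal` immediately before that `return`. relabel_module.tcl gets the same disable-at-entry shape in this changeset; whether it has a similar early return is not visible in its hunk. The hunks at 320-322 and 629-633 are whitespace-only.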
r4585 r4924 156 156 variable opts 157 157 if {$opts($name2)} { 158 $path configure -state normal -entrybg white158 $path configure -state normal -entrybg white 159 159 } else { 160 160 $path configure -state disabled -entrybg $ApolTop::default_bg_color … … 175 175 proc Apol_Users::_show_level_dialog {} { 176 176 variable opts 177 .mainframe.frame.nb.fcomponents.nb.fApol_Users.pw.f1.frame.obox.f.default.button configure -state disabled 177 178 set new_level [Apol_Level_Dialog::getLevel $opts(default_level)] 178 179 if {$new_level != {}} { … … 180 181 $opts(default_level) -acquire 181 182 } 183 .mainframe.frame.nb.fcomponents.nb.fApol_Users.pw.f1.frame.obox.f.default.button configure -state normal 182 184 } 183 185 … … 205 207 variable opts 206 208 variable widgets 209 .mainframe.frame.nb.fcomponents.nb.fApol_Users.pw.f1.frame.obox.f.ok configure -state disabled 207 210 208 211 Apol_Widget::clearSearchResults $widgets(results) 209 212 if {![ApolTop::is_policy_open]} { 210 213 tk_messageBox -icon error -type ok -title "Error" -message "No current policy file is opened." 214 .mainframe.frame.nb.fcomponents.nb.fApol_Users.pw.f1.frame.obox.f.ok configure -state normal 211 215 return 212 216 } … … 214 218 if {$opts(role) == ""} { 215 219 tk_messageBox -icon error -type ok -title "Error" -message "No role selected." 220 .mainframe.frame.nb.fcomponents.nb.fApol_Users.pw.f1.frame.obox.f.ok configure -state normal 216 221 return 217 222 } … … 223 228 if {$opts(default_level) == {}} { 224 229 tk_messageBox -icon error -type ok -title "Error" -message "No default level selected." 230 .mainframe.frame.nb.fcomponents.nb.fApol_Users.pw.f1.frame.obox.f.ok configure -state normal 225 231 return 226 232 } … … 235 241 if {$range == {}} { 236 242 tk_messageBox -icon error -type ok -title "Error" -message "No range selected." 
243 .mainframe.frame.nb.fcomponents.nb.fApol_Users.pw.f1.frame.obox.f.ok configure -state normal 237 244 return 238 245 } … … 267 274 } 268 275 Apol_Widget::appendSearchResultText $widgets(results) $text 276 .mainframe.frame.nb.fcomponents.nb.fApol_Users.pw.f1.frame.obox.f.ok configure -state normal 269 277 } 270 278 branches/module-loading/configure.ac
r4880 r4924 704 704 705 705 have_cunit="no" 706 AC_CHECK_LIB(cunit, CU_initialize_registry, have_cunit="yes", AC_MSG_WARN([CUnit not found; `make check' will fail.])) 707 if test ${have_cunit} = "yes"; then 708 CUNIT_LIB_FLAG="-lcunit" 709 AC_SUBST(CUNIT_LIB_FLAG) 710 fi 706 AC_CHECK_LIB(cunit, 707 CU_initialize_registry, 708 [have_cunit="yes" 709 CUNIT_LIB_FLAG="-lcunit"], 710 [AC_CHECK_LIB(cunit, 711 CU_curses_run_tests, 712 [have_cunit="yes" 713 CUNIT_LIB_FLAG="-lcunit -lncurses"], 714 AC_MSG_WARN([Compatible CUnit not found; "make check" will fail.]), 715 -lncurses) 716 ] 717 ) 718 AC_SUBST([CUNIT_LIB_FLAG]) 719 711 720 #AC_MSG_CHECKING([for FUSE]) 712 721 #pkg-config --exists fuse branches/module-loading/libapol/tests/Makefile.am
r4692 r4924 10 10 terule-tests.c terule-tests.h \ 11 11 user-tests.c user-tests.h \ 12 constrain-tests.c constrain-tests.h \ 13 ../../libqpol/src/queue.c ../../libqpol/src/queue.h \ 12 14 libapol-tests.c 13 15 branches/module-loading/libapol/tests/libapol-tests.c
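Review bot: Adding `../../libqpol/src/queue.c ../../libqpol/src/queue.h` to the libapol test sources compiles a private libqpol source file directly into the libapol tests, which couples the tests to libqpol's internal layout. If the constraint tests genuinely need the queue symbols, it would be cleaner to export them from the installed libqpol or provide a noinst convenience library, and a comment on the line saying why the file is pulled in (`# queue.c is needed by constrain-tests.c`, or similar) would help the next reader.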
r4692 r4924 35 35 #include "role-tests.h" 36 36 #include "terule-tests.h" 37 #include "constrain-tests.h" 37 38 #include "user-tests.h" 38 39 … … 44 45 45 46 CU_SuiteInfo suites[] = { 46 {"Policy Version 21", policy_21_init, policy_21_cleanup, policy_21_tests} 47 , 48 {"AV Rule Query", avrule_init, avrule_cleanup, avrule_tests} 49 , 50 {"Domain Transition Analysis", dta_init, dta_cleanup, dta_tests} 51 , 52 {"Infoflow Analysis", infoflow_init, infoflow_cleanup, infoflow_tests} 53 , 54 {"Role Query", role_init, role_cleanup, role_tests} 55 , 56 {"TE Rule Query", terule_init, terule_cleanup, terule_tests} 57 , 58 {"User Query", user_init, user_cleanup, user_tests} 59 , 47 {"Policy Version 21", policy_21_init, policy_21_cleanup, policy_21_tests}, 48 {"AV Rule Query", avrule_init, avrule_cleanup, avrule_tests}, 49 {"Domain Transition Analysis", dta_init, dta_cleanup, dta_tests}, 50 {"Infoflow Analysis", infoflow_init, infoflow_cleanup, infoflow_tests}, 51 {"Role Query", role_init, role_cleanup, role_tests}, 52 {"TE Rule Query", terule_init, terule_cleanup, terule_tests}, 53 {"User Query", user_init, user_cleanup, user_tests}, 54 {"Constrain query", constrain_init, constrain_cleanup, constrain_tests}, 60 55 CU_SUITE_INFO_NULL 61 56 }; branches/module-loading/libqpol/src/constraint_query.c
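Review bot: The new suite name `"Constrain query"` at 54 is the only entry not in title case; the others are `"User Query"`, `"Role Query"`, so `{"Constrain Query", constrain_init, constrain_cleanup, constrain_tests},` would match. Likewise `#include "constrain-tests.h"` at 37 is inserted between the terule and user headers, breaking the alphabetical order of the surrounding includes.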
r4585 r4924 752 752 constraint_expr_t *internal_expr = NULL; 753 753 cexpr_name_state_t *cns = NULL; 754 int policy_type = 0; 754 755 755 756 if (iter) … … 761 762 return STATUS_ERR; 762 763 } 764 765 if (qpol_policy_get_type(policy, &policy_type)) 766 return STATUS_ERR; 763 767 764 768 internal_expr = (constraint_expr_t *) expr; … … 776 780 } 777 781 if (internal_expr->attr & QPOL_CEXPR_SYM_TYPE) { 778 cns->inc = &(internal_expr->type_names->types); 779 cns->sub = &(internal_expr->type_names->negset); 782 if (policy_type == QPOL_POLICY_KERNEL_BINARY) { 783 cns->inc = &(internal_expr->names); 784 } else { 785 cns->inc = &(internal_expr->type_names->types); 786 cns->sub = &(internal_expr->type_names->negset); 787 } 780 788 } else { 781 789 cns->inc = &(internal_expr->names); branches/module-loading/libqpol/swig/python/Makefile.am
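Review bot: In the new `QPOL_POLICY_KERNEL_BINARY` branch at 782-784 only `cns->inc` is assigned and `cns->sub` is left untouched, whereas the source-policy branch sets both; whether `cns` is zero-initialised at allocation is outside this hunk, so if it is not, readers of `cns->sub` for type symbols would see an indeterminate pointer. An explicit `cns->sub = NULL;` in that branch, with a comment such as `/* binary policies keep type names in ->names and carry no negset */`, would make the intent clear regardless. The enclosing function starts before the hunk, and the declaration of `policy_type` at 754 relies on `qpol_policy_get_type` returning 0 on success, which the call at 765 assumes.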
r4893 r4924 33 33 -rm -rf $(DESTDIR)$(wrappedsodir)/$(wrappedso_SONAME) $(DESTDIR)$(wrappedsodir)/_qpol.so 34 34 35 MOSTLYCLEANFILES = $(BUILT_SOURCES) $(wrappedso_DATA) $(wrappedpy_DATA)$(wrappedso_SONAME) _qpol.so qpol.pyc35 MOSTLYCLEANFILES = $(BUILT_SOURCES) $(wrappedso_DATA) qpol.py $(wrappedso_SONAME) _qpol.so qpol.pyc branches/module-loading/secmds/seinfo.c
r4867 r4924 49 49 50 50 #define COPYRIGHT_INFO "Copyright (C) 2003-2007 Tresys Technology, LLC" 51 52 /* placeholder for empty set in constraint statements */ 53 #define CONSTRAIN_NULL_SET "<empty set>" 51 54 52 55 static char *policy_file = NULL; … … 68 71 OPT_NETIFCON, OPT_NODECON, OPT_PORTCON, OPT_PROTOCOL, 69 72 OPT_PERMISSIVE, OPT_POLCAP, 70 OPT_ALL, OPT_STATS 73 OPT_ALL, OPT_STATS, OPT_CONSTRAIN 71 74 }; 72 75 … … 80 83 {"user", optional_argument, NULL, 'u'}, 81 84 {"bool", optional_argument, NULL, 'b'}, 85 {"constrain", no_argument, NULL, OPT_CONSTRAIN}, 82 86 {"initialsid", optional_argument, NULL, OPT_INITIALSID}, 83 87 {"fs_use", optional_argument, NULL, OPT_FS_USE}, … … 91 95 {"stats", no_argument, NULL, OPT_STATS}, 92 96 {"all", no_argument, NULL, OPT_ALL}, 97 {"line-breaks", no_argument, NULL, 'l'}, 93 98 {"expand", no_argument, NULL, 'x'}, 94 99 {"help", no_argument, NULL, 'h'}, … … 121 126 printf(" -u[NAME], --user[=NAME] print users\n"); 122 127 printf(" -b[NAME], --bool[=NAME] print conditional booleans\n"); 128 printf(" --constrain print constrain statements\n"); 129 printf(" -l, --line-breaks print line breaks in constrain statements\n"); 123 130 printf(" --initialsid[=NAME] print initial SIDs\n"); 124 131 printf(" --fs_use[=TYPE] print fs_use statements\n"); … … 1075 1082 1076 1083 n_nodecons = apol_vector_get_size(v); 1077 if (!n_nodecons) { 1078 ERR(policydb, "Provided address (%s) is not valid.", addr); 1079 goto cleanup; 1080 } 1081 1082 if (!addr) 1084 1085 if (!addr) { 1083 1086 fprintf(fp, "Nodecon: %zd\n", n_nodecons); 1084 1085 for (i = 0; i < apol_vector_get_size(v); i++) { 1087 } else if (!n_nodecons) { 1088 ERR(policydb, "No matching nodecon for address %s.", addr); 1089 retval = 1; 1090 goto cleanup; 1091 } 1092 1093 for (i = 0; i < n_nodecons; i++) { 1086 1094 nodecon = apol_vector_get_element(v, i); 1087 1095 tmp = apol_nodecon_render(policydb, nodecon); … … 1091 1099 free(tmp); 1092 1100 } 1093 1094 if (addr && !n_nodecons)1095 
ERR(policydb, "No matching nodecon for address %s.", addr);1096 1101 1097 1102 retval = 0; … … 1334 1339 } 1335 1340 1341 static const char *get_attr_string(int attr) 1342 { 1343 const char *string = ""; 1344 switch (attr) 1345 { 1346 case QPOL_CEXPR_SYM_USER: 1347 string = "u1"; 1348 break; 1349 case QPOL_CEXPR_SYM_ROLE: 1350 string = "r1"; 1351 break; 1352 case QPOL_CEXPR_SYM_TYPE: 1353 string = "t1"; 1354 break; 1355 1356 case QPOL_CEXPR_SYM_USER+QPOL_CEXPR_SYM_TARGET: 1357 string = "u2"; 1358 break; 1359 case QPOL_CEXPR_SYM_ROLE+QPOL_CEXPR_SYM_TARGET: 1360 string = "r2"; 1361 break; 1362 case QPOL_CEXPR_SYM_TYPE+QPOL_CEXPR_SYM_TARGET: 1363 string = "t2"; 1364 break; 1365 1366 case QPOL_CEXPR_SYM_USER+QPOL_CEXPR_SYM_XTARGET: 1367 string = "u3"; 1368 break; 1369 case QPOL_CEXPR_SYM_ROLE+QPOL_CEXPR_SYM_XTARGET: 1370 string = "r3"; 1371 break; 1372 case QPOL_CEXPR_SYM_TYPE+QPOL_CEXPR_SYM_XTARGET: 1373 string = "t3"; 1374 break; 1375 1376 case QPOL_CEXPR_SYM_L1L2: 1377 string = "l1 l2"; 1378 break; 1379 case QPOL_CEXPR_SYM_L1H2: 1380 string = "l1 h2"; 1381 break; 1382 case QPOL_CEXPR_SYM_H1L2: 1383 string = "h1 l2"; 1384 break; 1385 case QPOL_CEXPR_SYM_H1H2: 1386 string = "h1 h2"; 1387 break; 1388 case QPOL_CEXPR_SYM_L1H1: 1389 string = "l1 h1"; 1390 break; 1391 case QPOL_CEXPR_SYM_L2H2: 1392 string = "l2 h2"; 1393 break; 1394 } 1395 1396 return string; 1397 } 1398 1399 static const char *get_op_string(int op) 1400 { 1401 char *string = ""; 1402 1403 switch (op) 1404 { 1405 case QPOL_CEXPR_OP_EQ: 1406 string = "=="; 1407 break; 1408 case QPOL_CEXPR_OP_NEQ: 1409 string = "!="; 1410 break; 1411 case QPOL_CEXPR_OP_DOM: 1412 string = "dom"; 1413 break; 1414 case QPOL_CEXPR_OP_DOMBY: 1415 string = "domby"; 1416 break; 1417 case QPOL_CEXPR_OP_INCOMP: 1418 string = "incomp"; 1419 break; 1420 } 1421 1422 return string; 1423 } 1424 1425 static int print_constraints(FILE * fp, int expand, const apol_policy_t * policydb, int linebreaks) 1426 { 1427 int retval = -1; 1428 const 
char *class_name = NULL; 1429 char *constrain_type; 1430 char *perm_list = "No Perms Extracted"; 1431 const qpol_constraint_expr_node_t *expr = NULL; 1432 qpol_iterator_t *policy_iter = NULL; // Iterates over all constraints in a policy 1433 qpol_iterator_t *perm_iter = NULL; // Iterates over permissions in a constraint 1434 qpol_iterator_t *expr_iter = NULL; // Iterates over expression in a constraint 1435 qpol_policy_t *q = apol_policy_get_qpol(policydb); 1436 qpol_constraint_t *constraint = NULL; 1437 const qpol_class_t *class; 1438 size_t n_constraints = 0; 1439 int expr_type = 0; 1440 int sym_type = 0; // 'attr' in struct constraint_expr 1441 int op = 0; 1442 1443 if (qpol_policy_get_constraint_iter(q, &policy_iter) != 0) 1444 { 1445 ERR (policydb, "%s", "Policy constraint iterator not accessible"); 1446 return retval; 1447 } 1448 if (qpol_iterator_get_size(policy_iter, &n_constraints) != 0) 1449 { 1450 ERR(policydb, "%s", "Policy size computation failed"); 1451 goto cleanup; 1452 } 1453 1454 fprintf(fp, "\nConstraints: %zd\n", n_constraints); 1455 1456 // Iterate through constraints 1457 for (; qpol_iterator_end(policy_iter) == 0; qpol_iterator_next(policy_iter)) 1458 { 1459 constrain_type = ""; 1460 if (qpol_iterator_get_item(policy_iter, (void **)&constraint) != 0) 1461 { 1462 ERR(policydb, "%s", "Can't get constraint from iterator\n"); 1463 goto cleanup; 1464 } 1465 1466 if (qpol_constraint_get_class(q, constraint, &class) != 0) 1467 { 1468 ERR(policydb, "%s", "Can't get class from constraint\n"); 1469 goto cleanup; 1470 } 1471 1472 if (qpol_class_get_name(q, class, &class_name) != 0) 1473 { 1474 ERR(policydb, "%s", "Can't get class name from constraint\n"); 1475 goto cleanup; 1476 } 1477 1478 // Get expression, we need to look into it. 
1479 if (qpol_constraint_get_expr_iter (q, constraint, &expr_iter) != 0) 1480 { 1481 ERR(policydb, "%s", "Can't get expression from constraint\n"); 1482 goto cleanup; 1483 } 1484 // Traverse the iterator to see if this is mlsconstrain 1485 for (; qpol_iterator_end(expr_iter) == 0; qpol_iterator_next(expr_iter)) 1486 { 1487 if (qpol_iterator_get_item(expr_iter, (void **)&expr) != 0) 1488 { 1489 ERR(policydb, "%s", "Can't get expression from iterator\n"); 1490 goto cleanup; 1491 } 1492 1493 if (qpol_constraint_expr_node_get_sym_type(q, expr, &sym_type) != 0) 1494 { 1495 ERR(policydb, "%s", "Can't get sym_type from expression\n"); 1496 goto cleanup; 1497 } 1498 1499 if (sym_type >= QPOL_CEXPR_SYM_L1L2) 1500 { 1501 constrain_type = "mls"; 1502 break; 1503 } 1504 } 1505 1506 // print permissions 1507 fprintf (fp, "%sconstrain { %s } { ", constrain_type, class_name); 1508 1509 if (qpol_constraint_get_perm_iter (q, constraint, &perm_iter) != 0) 1510 { 1511 ERR(policydb, "%s", "Can't get permissions from constraint\n"); 1512 goto cleanup; 1513 } 1514 1515 for (; qpol_iterator_end(perm_iter) == 0; qpol_iterator_next(perm_iter)) 1516 { 1517 if (qpol_iterator_get_item(perm_iter, (void **)&perm_list) != 0) 1518 { 1519 ERR(policydb, "%s", "Can't get permissions from iterator\n"); 1520 goto cleanup; 1521 } 1522 1523 fprintf (fp, "%s ", perm_list); 1524 free (perm_list); // Strdup created the string. 
1525 } 1526 fprintf (fp, " } "); 1527 1528 // dump RPN expressions 1529 if (qpol_constraint_get_expr_iter (q, constraint, &expr_iter) != 0) 1530 { 1531 ERR(policydb, "%s", "Can't get expression from constraint\n"); 1532 goto cleanup; 1533 } 1534 1535 fprintf (fp, "\n( "); 1536 for (; qpol_iterator_end(expr_iter) == 0; qpol_iterator_next(expr_iter)) 1537 { 1538 qpol_iterator_t *names_iter = NULL; 1539 1540 if (qpol_iterator_get_item(expr_iter, (void **)&expr) != 0) 1541 { 1542 ERR(policydb, "%s", "Can't get expression from iterator\n"); 1543 goto cleanup; 1544 } 1545 1546 if (qpol_constraint_expr_node_get_op (q, expr, &op) != 0) 1547 { 1548 ERR(policydb, "%s", "Can't get op from expression\n"); 1549 goto cleanup; 1550 } 1551 1552 if (qpol_constraint_expr_node_get_sym_type(q, expr, &sym_type) != 0) 1553 { 1554 ERR(policydb, "%s", "Can't get sym_type from expression\n"); 1555 goto cleanup; 1556 } 1557 1558 if (qpol_constraint_expr_node_get_expr_type(q, expr, &expr_type) != 0) 1559 { 1560 ERR(policydb, "%s", "Can't get expr_type from expression\n"); 1561 goto cleanup; 1562 } 1563 1564 if (linebreaks) 1565 fprintf (fp, "\n\t"); 1566 1567 if (expr_type == QPOL_CEXPR_TYPE_NOT) 1568 { 1569 fprintf (fp, " ! 
"); 1570 } 1571 if (expr_type == QPOL_CEXPR_TYPE_AND) 1572 { 1573 fprintf (fp, " && "); 1574 } 1575 if (expr_type == QPOL_CEXPR_TYPE_OR) 1576 { 1577 fprintf (fp, " || "); 1578 } 1579 if (expr_type == QPOL_CEXPR_TYPE_ATTR) 1580 { 1581 fprintf (fp, " %s ", get_attr_string(sym_type)); 1582 fprintf (fp, "%s ", get_attr_string(sym_type | QPOL_CEXPR_SYM_TARGET)); 1583 fprintf (fp, "%s ", get_op_string(op)); 1584 } 1585 if (expr_type == QPOL_CEXPR_TYPE_NAMES) 1586 { 1587 size_t name_size=0; 1588 1589 fprintf (fp, " %s ", get_attr_string(sym_type)); 1590 1591 if (qpol_constraint_expr_node_get_names_iter (q, expr, &names_iter) != 0) 1592 { 1593 ERR(policydb, "%s", "Can't get names iterator from expression\n"); 1594 goto cleanup; 1595 } 1596 1597 if (qpol_iterator_get_size(names_iter, &name_size) != 0) 1598 { 1599 ERR(policydb, "%s", "Can't get size from names iterator\n"); 1600 goto cleanup; 1601 } 1602 if (name_size > 0) 1603 { 1604 if (name_size > 1) 1605 fprintf (fp, "{ "); 1606 1607 for (; qpol_iterator_end(names_iter) == 0; qpol_iterator_next(names_iter)) 1608 { 1609 char *lname = NULL; 1610 1611 if (qpol_iterator_get_item (names_iter, (void **)&lname) != 0) 1612 { 1613 ERR(policydb, "%s", "Can't get names from iterator\n"); 1614 goto cleanup; 1615 } 1616 1617 fprintf (fp, "%s ", lname); 1618 free (lname); 1619 1620 } 1621 if (name_size > 1) 1622 fprintf (fp, "} "); 1623 } else { 1624 fprintf (fp, "%s ", CONSTRAIN_NULL_SET); 1625 } 1626 1627 fprintf (fp, "%s ", get_op_string(op)); 1628 } 1629 } 1630 if (linebreaks) 1631 fprintf (fp, "\n);\n\n"); 1632 else 1633 fprintf (fp, ");\n\n"); 1634 } 1635 1636 retval = 0; 1637 1638 cleanup: // close and destroy iterators etc. 
1639 if (policy_iter != NULL) qpol_iterator_destroy(&policy_iter); 1640 if (perm_iter != NULL) qpol_iterator_destroy(&perm_iter); 1641 if (expr_iter != NULL) qpol_iterator_destroy(&expr_iter); 1642 1643 return retval; 1644 } 1645 1646 1336 1647 int main(int argc, char **argv) 1337 1648 { 1338 1649 int classes, types, attribs, roles, users, all, expand, stats, rt, optc, isids, bools, sens, cats, fsuse, genfs, netif, 1339 node, port, permissives, polcaps ;1650 node, port, permissives, polcaps, constrain, linebreaks; 1340 1651 apol_policy_t *policydb = NULL; 1341 1652 apol_policy_path_t *pol_path = NULL; … … 1349 1660 genfs_type = netif_name = node_addr = port_num = permissive_name = polcap_name = NULL; 1350 1661 classes = types = attribs = roles = users = all = expand = stats = isids = bools = sens = cats = fsuse = genfs = netif = 1351 node = port = permissives = polcaps = 0;1352 while ((optc = getopt_long(argc, argv, "c::t::a::r::u::b:: xhV", longopts, NULL)) != -1) {1662 node = port = permissives = polcaps = constrain = linebreaks = 0; 1663 while ((optc = getopt_long(argc, argv, "c::t::a::r::u::b::lxhV", longopts, NULL)) != -1) { 1353 1664 switch (optc) { 1354 1665 case 0: … … 1443 1754 case 'x': /* expand */ 1444 1755 expand = 1; 1756 break; 1757 case 'l': /* Print line breaks in constraints */ 1758 linebreaks=1; 1759 break; 1760 case OPT_CONSTRAIN: /* Print constraints */ 1761 constrain=1; 1445 1762 break; 1446 1763 case OPT_STATS: … … 1466 1783 1467 1784 /* if no options, then show stats */ 1468 if (classes + types + attribs + roles + users + isids + bools + sens + cats + fsuse + genfs + netif + node + port + permissives + polcaps + all < 1) {1785 if (classes + types + attribs + roles + users + isids + bools + sens + cats + fsuse + genfs + netif + node + port + permissives + polcaps + constrain + all < 1) { 1469 1786 stats = 1; 1470 1787 } … … 1568 1885 if (polcaps || all) 1569 1886 print_polcaps(stdout, polcap_name, expand, policydb); 1887 if (constrain || all) 
1888 print_constraints(stdout, expand, policydb, linebreaks); 1570 1889 1571 1890 apol_policy_destroy(&policydb);
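Review bot: `print_constraints` leaks iterators: `qpol_constraint_get_perm_iter` (1509) and `qpol_constraint_get_expr_iter` (1479 and again 1529) are called for every constraint, but the handles are destroyed only once at `cleanup`, so each pass overwrites the previous pointer, and `names_iter` (1591) is never destroyed at all. Add `qpol_iterator_destroy(&names_iter);` after the names loop closes at 1620, and `qpol_iterator_destroy(&perm_iter); qpol_iterator_destroy(&expr_iter);` at the end of each outer-loop pass (plus an `expr_iter` destroy before the second acquisition at 1529, which also makes the early `break` at 1502 harmless). Two smaller points: `fprintf(fp, "\nConstraints: %zd\n", n_constraints)` formats a `size_t` with `%zd` and should use `%zu`, and `get_op_string` declares `char *string = ""` for a pointer that only ever holds literals, so `const char *string` is the correct type. The `expand` parameter is accepted but unused in `print_constraints`; if that is intentional, a one-line comment saying so would help.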
